Bug 455424: nssilckt.h should not define the enumeration constant 'Lock',

which conflicts with C++ code defining a 'Lock' class.  r=alexei.volkov.
Modified Files:
	cmd/tests/manifest.mn lib/util/nssilckt.h
Added Files:
	cmd/tests/conflict.c

1877 files changed, 789448 insertions, 0 deletions

diff --git a/security/nss/Makefile b/security/nss/Makefile
new file mode 100644
index 000000000..37e912ef1
--- /dev/null
+++ b/security/nss/Makefile
@@ -0,0 +1,181 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+ifeq ($(OS_TARGET),WINCE)
+DIRS	= lib	# omit cmd since wince has no command line shell
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+nss_build_all: build_coreconf build_nspr build_dbm all
+
+nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+
+build_coreconf:
+	cd $(CORE_DEPTH)/coreconf ;  $(MAKE)
+
+clobber_coreconf:
+	cd $(CORE_DEPTH)/coreconf ;  $(MAKE) clobber
+
+NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)/config.status
+NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
+
+#
+# Translate coreconf build options to NSPR configure options.
+#
+
+ifdef BUILD_OPT
+NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
+endif
+ifdef USE_64
+NSPR_CONFIGURE_OPTS += --enable-64bit
+endif
+ifeq ($(OS_TARGET),WIN95)
+NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
+endif
+ifdef USE_DEBUG_RTL
+NSPR_CONFIGURE_OPTS += --enable-debug-rtl
+endif
+ifdef NS_USE_GCC
+NSPR_COMPILERS = CC=gcc CXX=g++
+endif
+
+#
+# Some pwd commands on Windows (for example, the pwd
+# command in Cygwin) return a pathname that begins
+# with a (forward) slash.  When such a pathname is
+# passed to Windows build tools (for example, cl), it
+# is mistaken as a command-line option.  If that is the case,
+# we use a relative pathname as NSPR's prefix on Windows.
+#
+
+USEABSPATH="YES"
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifeq (,$(findstring :,$(shell pwd)))
+USEABSPATH="NO"
+endif
+endif
+ifeq ($(USEABSPATH),"YES")
+NSPR_PREFIX = $(shell pwd)/../../dist/$(OBJDIR_NAME)
+else
+NSPR_PREFIX = $$(topsrcdir)/../dist/$(OBJDIR_NAME)
+endif
+
+$(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
+	$(NSINSTALL) -D $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)
+	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; \
+	$(NSPR_COMPILERS) sh ../configure \
+	$(NSPR_CONFIGURE_OPTS) \
+	--with-dist-prefix='$(NSPR_PREFIX)' \
+	--with-dist-includedir='$(NSPR_PREFIX)/include'
+
+build_nspr: $(NSPR_CONFIG_STATUS)
+	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE)
+
+clobber_nspr: $(NSPR_CONFIG_STATUS)
+	cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
+
+build_dbm:
+	cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
+
+clobber_dbm:
+	cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber
+
+moz_import::
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+	$(NSINSTALL) -D $(DIST)/include/nspr
+	cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
+	cp $(DIST)/../include/* $(DIST)/include
+ifdef BUILD_OPT
+	cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
+else
+	cp $(DIST)/../WIN32_D.OBJ/lib/* $(DIST)/lib
+endif
+	mv $(DIST)/lib/dbm32.lib $(DIST)/lib/dbm.lib
+else
+ifeq ($(OS_TARGET),OS2)
+	cp -rf $(DIST)/../include $(DIST)
+	cp -rf $(DIST)/../lib $(DIST)
+	cp -f $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
+else
+	$(NSINSTALL) -L ../../dist include $(DIST)
+	$(NSINSTALL) -L ../../dist lib $(DIST)
+	cp $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
+endif
+endif
+
+nss_RelEng_bld: build_coreconf import build_dbm all
+
+package:
+	$(MAKE) -C pkg publish
diff --git a/security/nss/cmd/.cvsignore b/security/nss/cmd/.cvsignore
new file mode 100644
index 000000000..6329db22e
--- /dev/null
+++ b/security/nss/cmd/.cvsignore
@@ -0,0 +1 @@
+.gdbinit
diff --git a/security/nss/cmd/Makefile b/security/nss/cmd/Makefile
new file mode 100644
index 000000000..ed5819847
--- /dev/null
+++ b/security/nss/cmd/Makefile
@@ -0,0 +1,61 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../..
+DEPTH = ../..
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+
+ifdef BUILD_LIBPKIX_TESTS
+DIRS += libpkix
+endif
+
+ifndef USE_SYSTEM_ZLIB
+ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
+endif
+
+INCLUDES += \
+	-I$(DIST)/../public/security \
+	-I./include \
+	$(NULL)
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+symbols::
+	@echo "TARGETS	= $(TARGETS)"
diff --git a/security/nss/cmd/addbuiltin/Makefile b/security/nss/cmd/addbuiltin/Makefile
new file mode 100644
index 000000000..fe7991878
--- /dev/null
+++ b/security/nss/cmd/addbuiltin/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c
new file mode 100644
index 000000000..8bb99547c
--- /dev/null
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -0,0 +1,391 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Tool for converting builtin CA certs.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+#include "nss.h"
+#include "cert.h"
+#include "certdb.h"
+#include "secutil.h"
+#include "pk11func.h"
+
+#if defined(WIN32)
+#include <fcntl.h>
+#include <io.h>
+#endif
+
+void dumpbytes(unsigned char *buf, int len)
+{
+    int i;
+    for (i=0; i < len; i++) {
+	if ((i !=0) && ((i & 0xf) == 0)) {
+	    printf("\n");
+	}
+	printf("\\%03o",buf[i]);
+    }
+    printf("\n");
+}
+
+char *getTrustString(unsigned int trust)
+{
+    if (trust & CERTDB_TRUSTED) {
+	if (trust & CERTDB_TRUSTED_CA) {
+		return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
+	} else {
+		return "CKT_NETSCAPE_TRUSTED";
+	}
+    } else {
+	if (trust & CERTDB_TRUSTED_CA) {
+		return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
+	} else if (trust & CERTDB_VALID_CA) {
+		return "CKT_NETSCAPE_VALID_DELEGATOR";
+	} else {
+		return "CKT_NETSCAPE_TRUST_UNKNOWN";
+	}
+    }
+    return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
+}
+
+static const SEC_ASN1Template serialTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
+    { 0 }
+};
+
+static SECStatus
+ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
+{
+    SECStatus rv = SECSuccess;
+    CERTCertificate *cert;
+    unsigned char sha1_hash[SHA1_LENGTH];
+    unsigned char md5_hash[MD5_LENGTH];
+    SECItem *serial = NULL;
+
+    cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
+    if (!cert) {
+	return SECFailure;
+    }
+    serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate);
+    if (!serial) {
+	return SECFailure;
+    }
+
+    printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
+    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+    printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
+    printf("CKA_SUBJECT MULTILINE_OCTAL\n");
+    dumpbytes(cert->derSubject.data,cert->derSubject.len);
+    printf("END\n");
+    printf("CKA_ID UTF8 \"0\"\n");
+    printf("CKA_ISSUER MULTILINE_OCTAL\n");
+    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+    printf("END\n");
+    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+    dumpbytes(serial->data,serial->len);
+    printf("END\n");
+    printf("CKA_VALUE MULTILINE_OCTAL\n");
+    dumpbytes(sdder->data,sdder->len);
+    printf("END\n");
+
+    PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
+    PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
+    printf("\n# Trust for Certificate \"%s\"\n",nickname);
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
+    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+    printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
+    dumpbytes(sha1_hash,SHA1_LENGTH);
+    printf("END\n");
+    printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
+    dumpbytes(md5_hash,MD5_LENGTH);
+    printf("END\n");
+
+    printf("CKA_ISSUER MULTILINE_OCTAL\n");
+    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+    printf("END\n");
+    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+    dumpbytes(serial->data,serial->len);
+    printf("END\n");
+    
+    printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
+				 getTrustString(trust->sslFlags));
+    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
+				 getTrustString(trust->emailFlags));
+    printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
+				 getTrustString(trust->objectSigningFlags));
+#ifdef notdef
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+#endif
+    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
+                trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
+                "CK_TRUE" : "CK_FALSE");
+
+
+    PORT_Free(sdder->data);
+    return(rv);
+
+}
+
+void printheader() {
+    printf("# \n"
+"# ***** BEGIN LICENSE BLOCK *****\n"
+"# Version: MPL 1.1/GPL 2.0/LGPL 2.1\n"
+"#\n"
+"# The contents of this file are subject to the Mozilla Public License Version\n"
+"# 1.1 (the \"License\"); you may not use this file except in compliance with\n"
+"# the License. You may obtain a copy of the License at\n"
+"# http://www.mozilla.org/MPL/\n"
+"#\n"
+"# Software distributed under the License is distributed on an \"AS IS\" basis,\n"
+"# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License\n"
+"# for the specific language governing rights and limitations under the\n"
+"# License.\n"
+"#\n"
+"# The Original Code is the Netscape security libraries..\n"
+"#\n"
+"# The Initial Developer of the Original Code is\n"
+"# Netscape Communications Corporation.\n"
+"# Portions created by the Initial Developer are Copyright (C) 1994-2000\n"
+"# the Initial Developer. All Rights Reserved.\n"
+"#\n"
+"# Contributor(s):\n"
+"#\n"
+"# Alternatively, the contents of this file may be used under the terms of\n"
+"# either the GNU General Public License Version 2 or later (the \"GPL\"), or\n"
+"# the GNU Lesser General Public License Version 2.1 or later (the \"LGPL\"),\n"
+"# in which case the provisions of the GPL or the LGPL are applicable instead\n"
+"# of those above. If you wish to allow use of your version of this file only\n"
+"# under the terms of either the GPL or the LGPL, and not to allow others to\n"
+"# use your version of this file under the terms of the MPL, indicate your\n"
+"# decision by deleting the provisions above and replace them with the notice\n"
+"# and other provisions required by the GPL or the LGPL. If you do not delete\n"
+"# the provisions above, a recipient may use your version of this file under\n"
+"# the terms of any one of the MPL, the GPL or the LGPL.\n"
+"#\n"
+"# ***** END LICENSE BLOCK *****\n"
+     "#\n"
+     "CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n"
+     "\n"
+     "#\n"
+     "# certdata.txt\n"
+     "#\n"
+     "# This file contains the object definitions for the certs and other\n"
+     "# information \"built into\" NSS.\n"
+     "#\n"
+     "# Object definitions:\n"
+     "#\n"
+     "#    Certificates\n"
+     "#\n"
+     "#  -- Attribute --          -- type --              -- value --\n"
+     "#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE\n"
+     "#  CKA_TOKEN                CK_BBOOL                CK_TRUE\n"
+     "#  CKA_PRIVATE              CK_BBOOL                CK_FALSE\n"
+     "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
+     "#  CKA_LABEL                UTF8                    (varies)\n"
+     "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
+     "#  CKA_SUBJECT              DER+base64              (varies)\n"
+     "#  CKA_ID                   byte array              (varies)\n"
+     "#  CKA_ISSUER               DER+base64              (varies)\n"
+     "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
+     "#  CKA_VALUE                DER+base64              (varies)\n"
+     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
+     "#\n"
+     "#    Trust\n"
+     "#\n"
+     "#  -- Attribute --              -- type --          -- value --\n"
+     "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
+     "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
+     "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
+     "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
+     "#  CKA_LABEL                    UTF8                (varies)\n"
+     "#  CKA_ISSUER                   DER+base64          (varies)\n"
+     "#  CKA_SERIAL_NUMBER            DER+base64          (varies)\n"
+     "#  CKA_CERT_HASH                binary+base64       (varies)\n"
+     "#  CKA_EXPIRES                  CK_DATE             (not used here)\n"
+     "#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)\n"
+     "#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)\n"
+     "#  (other trust attributes can be defined)\n"
+     "#\n"
+     "\n"
+     "#\n"
+     "# The object to tell NSS that this is a root list and we don't\n"
+     "# have to go looking for others.\n"
+     "#\n"
+     "BEGINDATA\n"
+     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
+     "CKA_TOKEN CK_BBOOL CK_TRUE\n"
+     "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+     "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+     "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
+}
+
+static void Usage(char *progName)
+{
+    fprintf(stderr, "%s -n nickname -t trust [-i certfile]\n", progName);
+    fprintf(stderr, 
+            "\tRead a der-encoded cert from certfile or stdin, and output\n"
+            "\tit to stdout in a format suitable for the builtin root module.\n"
+            "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n"
+            "\t(pipe through atob if the cert is b64-encoded)\n", progName);
+    fprintf(stderr, "%-15s nickname to assign to builtin cert.\n", 
+                    "-n nickname");
+    fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
+    fprintf(stderr, "%-15s file to read (default stdin)\n", "-i certfile");
+    exit(-1);
+}
+
+enum {
+    opt_Input = 0,
+    opt_Nickname,
+    opt_Trust
+};
+
+static secuCommandFlag addbuiltin_options[] =
+{
+	{ /* opt_Input         */  'i', PR_TRUE, 0, PR_FALSE },
+	{ /* opt_Nickname      */  'n', PR_TRUE, 0, PR_FALSE },
+	{ /* opt_Trust         */  't', PR_TRUE, 0, PR_FALSE }
+};
+
+int main(int argc, char **argv)
+{
+    SECStatus rv;
+    char *nickname;
+    char *trusts;
+    char *progName;
+    PRFileDesc *infile;
+    CERTCertTrust trust = { 0 };
+    SECItem derCert = { 0 };
+
+    secuCommand addbuiltin = { 0 };
+    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
+    addbuiltin.options = addbuiltin_options;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
+
+    if (rv != SECSuccess)
+	Usage(progName);
+
+    if (!addbuiltin.options[opt_Nickname].activated &&
+        !addbuiltin.options[opt_Trust].activated) {
+	fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
+		progName);
+	Usage(progName);
+    }
+
+    if (addbuiltin.options[opt_Input].activated) {
+	infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
+	if (!infile) {
+	    fprintf(stderr, "%s: failed to open input file.\n", progName);
+	    exit(1);
+	}
+    } else {
+#if defined(WIN32)
+	/* If we're going to read binary data from stdin, we must put stdin
+	** into O_BINARY mode or else incoming \r\n's will become \n's,
+	** and latin-1 characters will be altered.
+	*/
+
+	int smrv = _setmode(_fileno(stdin), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
+	            progName);
+	    exit(1);
+	}
+#endif
+	infile = PR_STDIN;
+    }
+
+    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
+    trusts = strdup(addbuiltin.options[opt_Trust].arg);
+
+    NSS_NoDB_Init(NULL);
+
+    rv = CERT_DecodeTrustString(&trust, trusts);
+    if (rv) {
+	fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
+	Usage(progName);
+    }
+
+    SECU_FileToItem(&derCert, infile);
+    
+    /*printheader();*/
+
+    rv = ConvertCertificate(&derCert, nickname, &trust);
+    if (rv) {
+	fprintf(stderr, "%s: failed to convert certificate.\n", progName);
+	exit(1);
+    }
+    
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    return(SECSuccess);
+}
diff --git a/security/nss/cmd/addbuiltin/manifest.mn b/security/nss/cmd/addbuiltin/manifest.mn
new file mode 100644
index 000000000..0729834a7
--- /dev/null
+++ b/security/nss/cmd/addbuiltin/manifest.mn
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = \
+	addbuiltin.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd
+
+PROGRAM = addbuiltin
+
diff --git a/security/nss/cmd/atob/Makefile b/security/nss/cmd/atob/Makefile
new file mode 100644
index 000000000..61e2cb359
--- /dev/null
+++ b/security/nss/cmd/atob/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/atob/atob.c b/security/nss/cmd/atob/atob.c
new file mode 100644
index 000000000..e5fad05ec
--- /dev/null
+++ b/security/nss/cmd/atob/atob.c
@@ -0,0 +1,180 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plgetopt.h"
+#include "secutil.h"
+#include "nssb64.h"
+#include <errno.h>
+
+#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
+#if !defined(WIN32)
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+#endif
+
+#if defined(WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+static PRInt32 
+output_binary (void *arg, const unsigned char *obuf, PRInt32 size)
+{
+    FILE *outFile = arg;
+    int nb;
+
+    nb = fwrite(obuf, 1, size, outFile);
+    if (nb != size) {
+	PORT_SetError(SEC_ERROR_IO);
+	return -1;
+    }
+
+    return nb;
+}
+
+static SECStatus
+decode_file(FILE *outFile, FILE *inFile)
+{
+    NSSBase64Decoder *cx;
+    int nb;
+    SECStatus status = SECFailure;
+    char ibuf[4096];
+
+    cx = NSSBase64Decoder_Create(output_binary, outFile);
+    if (!cx) {
+	return -1;
+    }
+
+    for (;;) {
+	if (feof(inFile)) break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb != sizeof(ibuf)) {
+	    if (nb == 0) {
+		if (ferror(inFile)) {
+		    PORT_SetError(SEC_ERROR_IO);
+		    goto loser;
+		}
+		/* eof */
+		break;
+	    }
+	}
+
+	status = NSSBase64Decoder_Update(cx, ibuf, nb);
+	if (status != SECSuccess) goto loser;
+    }
+
+    return NSSBase64Decoder_Destroy(cx, PR_FALSE);
+
+  loser:
+    (void) NSSBase64Decoder_Destroy(cx, PR_TRUE);
+    return status;
+}
+
+static void Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage: %s [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    char *progName;
+    SECStatus rv;
+    FILE *inFile, *outFile;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+    inFile = 0;
+    outFile = 0;
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    /* Parse command line arguments */
+    optstate = PL_CreateOptState(argc, argv, "i:o:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'i':
+	    inFile = fopen(optstate->value, "r");
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "wb");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+	}
+    }
+    if (!inFile) inFile = stdin;
+    if (!outFile) {
+#if defined(WIN32)
+	int smrv = _setmode(_fileno(stdout), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
+	            progName);
+	    return smrv;
+	}
+#endif
+    	outFile = stdout;
+    }
+    rv = decode_file(outFile, inFile);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
+		progName, PORT_GetError(), errno);
+	return -1;
+    }
+    return 0;
+}
diff --git a/security/nss/cmd/atob/manifest.mn b/security/nss/cmd/atob/manifest.mn
new file mode 100644
index 000000000..363cad192
--- /dev/null
+++ b/security/nss/cmd/atob/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = atob.c
+
+PROGRAM	= atob
+
diff --git a/security/nss/cmd/bltest/Makefile b/security/nss/cmd/bltest/Makefile
new file mode 100644
index 000000000..115886cd7
--- /dev/null
+++ b/security/nss/cmd/bltest/Makefile
@@ -0,0 +1,86 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+#MKPROG = purify -cache-dir=/u/mcgreer/pcache -best-effort \
+#	-always-use-cache-dir $(CC)
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#EXTRA_SHARED_LIBS += \
+#	-L/usr/lib \
+#	-lposix4 \
+#	$(NULL)
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c
new file mode 100644
index 000000000..223c39a65
--- /dev/null
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -0,0 +1,3654 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "blapi.h"
+#include "secrng.h"
+#include "prmem.h"
+#include "prprf.h"
+#include "prtime.h"
+#include "prsystem.h"
+#include "plstr.h"
+#include "nssb64.h"
+#include "secutil.h"
+#include "plgetopt.h"
+#include "softoken.h"
+#include "nspr.h"
+#include "nss.h"
+#include "secoid.h"
+
+#ifdef NSS_ENABLE_ECC
+#include "ecl-curve.h"
+SECStatus EC_DecodeParams(const SECItem *encodedParams, 
+	ECParams **ecparams);
+SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams);
+#endif
+
+/* Temporary - add debugging ouput on windows for RSA to track QA failure */
+#ifdef _WIN32
+#define TRACK_BLTEST_BUG
+    char __bltDBG[] = "BLTEST DEBUG";
+#endif
+
+char *progName;
+char *testdir = NULL;
+
+#define BLTEST_DEFAULT_CHUNKSIZE 4096
+
+#define WORDSIZE sizeof(unsigned long)
+
+#define CHECKERROR(rv, ln) \
+    if (rv) { \
+	PRErrorCode prerror = PR_GetError(); \
+	PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
+                   prerror, SECU_Strerror(prerror), ln); \
+	exit(-1); \
+    }
+
+/* Macros for performance timing. */
+#define TIMESTART() \
+    time1 = PR_IntervalNow();
+
+#define TIMEFINISH(time, reps) \
+    time2 = (PRIntervalTime)(PR_IntervalNow() - time1); \
+    time1 = PR_IntervalToMilliseconds(time2); \
+    time = ((double)(time1))/reps;
+
+#define TIMEMARK(seconds) \
+    time1 = PR_SecondsToInterval(seconds); \
+    { \
+        PRInt64 tmp, L100; \
+        LL_I2L(L100, 100); \
+        if (time2 == 0) { \
+            time2 = 1; \
+        } \
+        LL_DIV(tmp, time1, time2); \
+        if (tmp < 10) { \
+            if (tmp == 0) { \
+                opsBetweenChecks = 1; \
+            } else { \
+                LL_L2I(opsBetweenChecks, tmp); \
+            } \
+        } else { \
+            opsBetweenChecks = 10; \
+        } \
+    } \
+    time2 = time1; \
+    time1 = PR_IntervalNow();
+
+#define TIMETOFINISH() \
+    PR_IntervalNow() - time1 >= time2
+
+static void Usage()
+{
+#define PRINTUSAGE(subject, option, predicate) \
+    fprintf(stderr, "%10s %s\t%s\n", subject, option, predicate);
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "[-DEHSV]", "List available cipher modes"); /* XXX */
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-E -m mode ", "Encrypt a buffer");
+    PRINTUSAGE("",	"", "[-i plaintext] [-o ciphertext] [-k key] [-v iv]");
+    PRINTUSAGE("",	"", "[-b bufsize] [-g keysize] [-e exp] [-r rounds]");
+    PRINTUSAGE("",	"", "[-w wordsize] [-p repetitions | -5 time_interval]");
+    PRINTUSAGE("",	"", "[-4 th_num]");
+    PRINTUSAGE("",	"-m", "cipher mode to use");
+    PRINTUSAGE("",	"-i", "file which contains input buffer");
+    PRINTUSAGE("",	"-o", "file for output buffer");
+    PRINTUSAGE("",	"-k", "file which contains key");
+    PRINTUSAGE("",	"-v", "file which contains initialization vector");
+    PRINTUSAGE("",	"-b", "size of input buffer");
+    PRINTUSAGE("",	"-g", "key size (in bytes)");
+    PRINTUSAGE("",	"-p", "do performance test");
+    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
+    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    PRINTUSAGE("(rsa)", "-e", "rsa public exponent");
+    PRINTUSAGE("(rc5)", "-r", "number of rounds");
+    PRINTUSAGE("(rc5)", "-w", "wordsize (32 or 64)");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-D -m mode", "Decrypt a buffer");
+    PRINTUSAGE("",	"", "[-i plaintext] [-o ciphertext] [-k key] [-v iv]");
+    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
+    PRINTUSAGE("",	"-m", "cipher mode to use");
+    PRINTUSAGE("",	"-i", "file which contains input buffer");
+    PRINTUSAGE("",	"-o", "file for output buffer");
+    PRINTUSAGE("",	"-k", "file which contains key");
+    PRINTUSAGE("",	"-v", "file which contains initialization vector");
+    PRINTUSAGE("",	"-p", "do performance test");
+    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
+    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-H -m mode", "Hash a buffer");
+    PRINTUSAGE("",	"", "[-i plaintext] [-o hash]");
+    PRINTUSAGE("",	"", "[-b bufsize]");
+    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
+    PRINTUSAGE("",	"-m", "cipher mode to use");
+    PRINTUSAGE("",	"-i", "file which contains input buffer");
+    PRINTUSAGE("",	"-o", "file for hash");
+    PRINTUSAGE("",	"-b", "size of input buffer");
+    PRINTUSAGE("",	"-p", "do performance test");
+    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
+    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
+    PRINTUSAGE("",	"", "[-i plaintext] [-o signature] [-k key]");
+    PRINTUSAGE("",	"", "[-b bufsize]");
+#ifdef NSS_ENABLE_ECC
+    PRINTUSAGE("",	"", "[-n curvename]");
+#endif
+    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
+    PRINTUSAGE("",	"-m", "cipher mode to use");
+    PRINTUSAGE("",	"-i", "file which contains input buffer");
+    PRINTUSAGE("",	"-o", "file for signature");
+    PRINTUSAGE("",	"-k", "file which contains key");
+#ifdef NSS_ENABLE_ECC
+    PRINTUSAGE("",	"-n", "name of curve for EC key generation; one of:");
+    PRINTUSAGE("",  "",   "  sect163k1, nistk163, sect163r1, sect163r2,");
+    PRINTUSAGE("",  "",   "  nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
+    PRINTUSAGE("",  "",   "  sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
+    PRINTUSAGE("",  "",   "  sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
+    PRINTUSAGE("",  "",   "  nistb409, sect571k1, nistk571, sect571r1, nistb571,");
+    PRINTUSAGE("",  "",   "  secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
+    PRINTUSAGE("",  "",   "  nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
+    PRINTUSAGE("",  "",   "  secp256r1, nistp256, secp384r1, nistp384, secp521r1,");
+    PRINTUSAGE("",  "",   "  nistp521, prime192v1, prime192v2, prime192v3,");
+    PRINTUSAGE("",  "",   "  prime239v1, prime239v2, prime239v3, c2pnb163v1,");
+    PRINTUSAGE("",  "",   "  c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,");
+    PRINTUSAGE("",  "",   "  c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5,");
+    PRINTUSAGE("",  "",   "  c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,");
+    PRINTUSAGE("",  "",   "  c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1,");
+    PRINTUSAGE("",  "",   "  c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,");
+    PRINTUSAGE("",  "",   "  secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,");
+    PRINTUSAGE("",  "",   "  sect131r1, sect131r2");
+#endif
+    PRINTUSAGE("",	"-p", "do performance test");
+    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
+    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-V -m mode", "Verify a signed buffer");
+    PRINTUSAGE("",	"", "[-i plaintext] [-s signature] [-k key]");
+    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
+    PRINTUSAGE("",	"-m", "cipher mode to use");
+    PRINTUSAGE("",	"-i", "file which contains input buffer");
+    PRINTUSAGE("",	"-s", "file which contains signature of input buffer");
+    PRINTUSAGE("",	"-k", "file which contains key");
+    PRINTUSAGE("",	"-p", "do performance test");
+    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
+    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-N -m mode -b bufsize", 
+                                            "Create a nonce plaintext and key");
+    PRINTUSAGE("",      "", "[-g keysize] [-u cxreps]");
+    PRINTUSAGE("",	"-g", "key size (in bytes)");
+    PRINTUSAGE("",      "-u", "number of repetitions of context creation");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-F", "Run the FIPS self-test");
+    fprintf(stderr, "\n");
+    PRINTUSAGE(progName, "-T [-m mode1,mode2...]", "Run the BLAPI self-test");
+    fprintf(stderr, "\n");
+    exit(1);
+}
+
+/*  Helper functions for ascii<-->binary conversion/reading/writing */
+
+/* XXX argh */
+struct item_with_arena {
+    SECItem	*item;
+    PRArenaPool *arena;
+};
+
+static PRInt32
+get_binary(void *arg, const unsigned char *ibuf, PRInt32 size)
+{
+    struct item_with_arena *it = arg;
+    SECItem *binary = it->item;
+    SECItem *tmp;
+    int index;
+    if (binary->data == NULL) {
+	tmp = SECITEM_AllocItem(it->arena, NULL, size);
+	binary->data = tmp->data;
+	binary->len = tmp->len;
+	index = 0;
+    } else {
+	SECITEM_ReallocItem(NULL, binary, binary->len, binary->len + size);
+	index = binary->len;
+    }
+    PORT_Memcpy(&binary->data[index], ibuf, size);
+    return binary->len;
+}
+
+static SECStatus
+atob(SECItem *ascii, SECItem *binary, PRArenaPool *arena)
+{
+    SECStatus status;
+    NSSBase64Decoder *cx;
+    struct item_with_arena it;
+    int len;
+    binary->data = NULL;
+    binary->len = 0;
+    it.item = binary;
+    it.arena = arena;
+    len = (strncmp(&ascii->data[ascii->len-2],"\r\n",2)) ? 
+           ascii->len : ascii->len-2;
+    cx = NSSBase64Decoder_Create(get_binary, &it);
+    status = NSSBase64Decoder_Update(cx, (const char *)ascii->data, len);
+    status = NSSBase64Decoder_Destroy(cx, PR_FALSE);
+    return status;
+}
+
+static PRInt32
+output_ascii(void *arg, const char *obuf, PRInt32 size)
+{
+    PRFileDesc *outfile = arg;
+    PRInt32 nb = PR_Write(outfile, obuf, size);
+    if (nb != size) {
+	PORT_SetError(SEC_ERROR_IO);
+	return -1;
+    }
+    return nb;
+}
+
+static SECStatus
+btoa_file(SECItem *binary, PRFileDesc *outfile)
+{
+    SECStatus status;
+    NSSBase64Encoder *cx;
+    SECItem ascii;
+    ascii.data = NULL;
+    ascii.len = 0;
+    if (binary->len == 0)
+	return SECSuccess;
+    cx = NSSBase64Encoder_Create(output_ascii, outfile);
+    status = NSSBase64Encoder_Update(cx, binary->data, binary->len);
+    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
+    status = PR_Write(outfile, "\r\n", 2);
+    return status;
+}
+
+SECStatus
+hex_from_2char(unsigned char *c2, unsigned char *byteval)
+{
+    int i;
+    unsigned char offset;
+    *byteval = 0;
+    for (i=0; i<2; i++) {
+	if (c2[i] >= '0' && c2[i] <= '9') {
+	    offset = c2[i] - '0';
+	    *byteval |= offset << 4*(1-i);
+	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
+	    offset = c2[i] - 'a';
+	    *byteval |= (offset + 10) << 4*(1-i);
+	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
+	    offset = c2[i] - 'A';
+	    *byteval |= (offset + 10) << 4*(1-i);
+	} else {
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+char2_from_hex(unsigned char byteval, unsigned char *c2)
+{
+    int i;
+    unsigned char offset;
+    for (i=0; i<2; i++) {
+	offset = (byteval >> 4*(1-i)) & 0x0f;
+	if (offset < 10) {
+	    c2[i] = '0' + offset;
+	} else {
+	    c2[i] = 'A' + offset - 10;
+	}
+    }
+    return SECSuccess;
+}
+
+void
+serialize_key(SECItem *it, int ni, PRFileDesc *file)
+{
+    unsigned char len[4];
+    int i;
+    SECStatus status;
+    NSSBase64Encoder *cx;
+    SECItem ascii;
+    ascii.data = NULL;
+    ascii.len = 0;
+    cx = NSSBase64Encoder_Create(output_ascii, file);
+    for (i=0; i<ni; i++, it++) {
+	len[0] = (it->len >> 24) & 0xff;
+	len[1] = (it->len >> 16) & 0xff;
+	len[2] = (it->len >>  8) & 0xff;
+	len[3] = (it->len	 & 0xff);
+	status = NSSBase64Encoder_Update(cx, len, 4);
+	status = NSSBase64Encoder_Update(cx, it->data, it->len);
+    }
+    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
+    status = PR_Write(file, "\r\n", 2);
+}
+
+void
+key_from_filedata(PRArenaPool *arena, SECItem *it, int ns, int ni, SECItem *filedata)
+{
+    int fpos = 0;
+    int i, len;
+    unsigned char *buf = filedata->data;
+    for (i=0; i<ni; i++) {
+	len  = (buf[fpos++] & 0xff) << 24;
+	len |= (buf[fpos++] & 0xff) << 16;
+	len |= (buf[fpos++] & 0xff) <<  8;
+	len |= (buf[fpos++] & 0xff);
+	if (ns <= i) {
+	    if (len > 0) {
+		it->len = len;
+		it->data = PORT_ArenaAlloc(arena, it->len);
+		PORT_Memcpy(it->data, &buf[fpos], it->len);
+	    } else {
+		it->len = 0;
+		it->data = NULL;
+	    }
+	    it++;
+	}
+	fpos += len;
+    }
+}
+
+static RSAPrivateKey *
+rsakey_from_filedata(SECItem *filedata)
+{
+    RSAPrivateKey *key;
+    PRArenaPool *arena;
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
+    key->arena = arena;
+    key_from_filedata(arena, &key->version, 0, 9, filedata);
+    return key;
+}
+
+static PQGParams *
+pqg_from_filedata(SECItem *filedata)
+{
+    PQGParams *pqg;
+    PRArenaPool *arena;
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    pqg = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    pqg->arena = arena;
+    key_from_filedata(arena, &pqg->prime, 0, 3, filedata);
+    return pqg;
+}
+
+static DSAPrivateKey *
+dsakey_from_filedata(SECItem *filedata)
+{
+    DSAPrivateKey *key;
+    PRArenaPool *arena;
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
+    key->params.arena = arena;
+    key_from_filedata(arena, &key->params.prime, 0, 5, filedata);
+    return key;
+}
+
+#ifdef NSS_ENABLE_ECC
+static ECPrivateKey *
+eckey_from_filedata(SECItem *filedata)
+{
+    ECPrivateKey *key;
+    PRArenaPool *arena;
+    SECStatus rv;
+    ECParams *tmpECParams = NULL;
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
+    /* read and convert params */
+    key->ecParams.arena = arena;
+    key_from_filedata(arena, &key->ecParams.DEREncoding, 0, 1, filedata);
+    rv = SECOID_Init();
+    CHECKERROR(rv, __LINE__);
+    rv = EC_DecodeParams(&key->ecParams.DEREncoding, &tmpECParams);
+    CHECKERROR(rv, __LINE__);
+    rv = EC_CopyParams(key->ecParams.arena, &key->ecParams, tmpECParams);
+    CHECKERROR(rv, __LINE__);
+    rv = SECOID_Shutdown();
+    CHECKERROR(rv, __LINE__);
+    PORT_FreeArena(tmpECParams->arena, PR_TRUE);
+    /* read key */
+    key_from_filedata(arena, &key->publicValue, 1, 3, filedata);
+    return key;
+}
+
+typedef struct curveNameTagPairStr {
+    char *curveName;
+    SECOidTag curveOidTag;
+} CurveNameTagPair;
+
+#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
+/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
+
+static CurveNameTagPair nameTagPair[] =
+{ 
+  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
+  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
+  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
+  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
+  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
+  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
+  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
+  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
+  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
+  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
+  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
+  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
+  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
+  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
+  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
+  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
+  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
+  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
+  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
+  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
+  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
+  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
+  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
+  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
+  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
+  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
+  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
+  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
+  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
+  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
+  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
+  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
+  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
+  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
+  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
+  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
+  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
+  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
+  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
+  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
+
+  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
+  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
+  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
+  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
+  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
+  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
+
+  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
+  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
+  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
+  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
+  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
+  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
+  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
+  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
+  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
+  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
+  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
+  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
+  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
+  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
+  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
+  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
+  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
+  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
+  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
+  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
+
+  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
+  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
+  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
+  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
+
+  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
+  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
+  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
+  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
+};
+
+static SECKEYECParams * 
+getECParams(const char *curve)
+{
+    SECKEYECParams *ecparams;
+    SECOidData *oidData = NULL;
+    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
+    int i, numCurves;
+
+    if (curve != NULL) {
+        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
+	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
+	     i++) {
+	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
+	        curveOidTag = nameTagPair[i].curveOidTag;
+	}
+    }
+
+    /* Return NULL if curve name is not recognized */
+    if ((curveOidTag == SEC_OID_UNKNOWN) || 
+	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
+        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
+	return NULL;
+    }
+
+    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
+
+    /* 
+     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in 
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
+    ecparams->data[1] = oidData->oid.len;
+    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return ecparams;
+}
+#endif /* NSS_ENABLE_ECC */
+
+static void
+dump_pqg(PQGParams *pqg)
+{
+    SECU_PrintInteger(stdout, &pqg->prime, "PRIME:", 0);
+    SECU_PrintInteger(stdout, &pqg->subPrime, "SUBPRIME:", 0);
+    SECU_PrintInteger(stdout, &pqg->base, "BASE:", 0);
+}
+
+static void
+dump_dsakey(DSAPrivateKey *key)
+{
+    dump_pqg(&key->params);
+    SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
+    SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
+}
+
+#ifdef NSS_ENABLE_ECC
+static void
+dump_ecp(ECParams *ecp)
+{
+    /* TODO other fields */
+    SECU_PrintInteger(stdout, &ecp->base, "BASE POINT:", 0);
+}
+
+static void
+dump_eckey(ECPrivateKey *key)
+{
+    dump_ecp(&key->ecParams);
+    SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
+    SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
+}
+#endif
+
+static void
+dump_rsakey(RSAPrivateKey *key)
+{
+    SECU_PrintInteger(stdout, &key->version, "VERSION:", 0);
+    SECU_PrintInteger(stdout, &key->modulus, "MODULUS:", 0);
+    SECU_PrintInteger(stdout, &key->publicExponent, "PUBLIC EXP:", 0);
+    SECU_PrintInteger(stdout, &key->privateExponent, "PRIVATE EXP:", 0);
+    SECU_PrintInteger(stdout, &key->prime1, "CRT PRIME 1:", 0);
+    SECU_PrintInteger(stdout, &key->prime2, "CRT PRIME 2:", 0);
+    SECU_PrintInteger(stdout, &key->exponent1, "CRT EXP 1:", 0);
+    SECU_PrintInteger(stdout, &key->exponent2, "CRT EXP 2:", 0);
+    SECU_PrintInteger(stdout, &key->coefficient, "CRT COEFFICIENT:", 0);
+}
+
+typedef enum {
+    bltestBase64Encoded,       /* Base64 encoded ASCII */
+    bltestBinary,	       /* straight binary */
+    bltestHexSpaceDelim,       /* 0x12 0x34 0xab 0xCD ... */
+    bltestHexStream 	       /* 1234abCD ... */
+} bltestIOMode;
+
+typedef struct
+{
+    SECItem	   buf;
+    SECItem	   pBuf;
+    bltestIOMode   mode;
+    PRFileDesc*	   file;
+} bltestIO;
+
+typedef SECStatus (* bltestSymmCipherFn)(void *cx,
+					 unsigned char *output,
+					 unsigned int *outputLen,
+					 unsigned int maxOutputLen,
+					 const unsigned char *input,
+					 unsigned int inputLen);
+
+typedef SECStatus (* bltestPubKeyCipherFn)(void *key,
+					   SECItem *output,
+					   const SECItem *input);
+
+typedef SECStatus (* bltestHashCipherFn)(unsigned char *dest,
+					 const unsigned char *src,
+					 uint32 src_length);
+
+typedef enum {
+    bltestINVALID = -1,
+    bltestDES_ECB,	  /* Symmetric Key Ciphers */
+    bltestDES_CBC,	  /* .			   */
+    bltestDES_EDE_ECB,	  /* .			   */
+    bltestDES_EDE_CBC,	  /* .			   */
+    bltestRC2_ECB,	  /* .			   */
+    bltestRC2_CBC,	  /* .			   */
+    bltestRC4,		  /* .			   */
+    bltestRC5_ECB,	  /* .			   */
+    bltestRC5_CBC,	  /* .			   */
+    bltestAES_ECB,        /* .                     */
+    bltestAES_CBC,        /* .                     */
+    bltestCAMELLIA_ECB,   /* .                     */
+    bltestCAMELLIA_CBC,   /* .                     */
+    bltestRSA,		  /* Public Key Ciphers	   */
+#ifdef NSS_ENABLE_ECC
+    bltestECDSA,	  /* . (Public Key Sig.)   */
+#endif
+    bltestDSA,		  /* .                     */
+    bltestMD2,		  /* Hash algorithms	   */
+    bltestMD5,		  /* .			   */
+    bltestSHA1,           /* .			   */
+    bltestSHA256,         /* .			   */
+    bltestSHA384,         /* .			   */
+    bltestSHA512,         /* .			   */
+    NUMMODES
+} bltestCipherMode;
+
+static char *mode_strings[] =
+{
+    "des_ecb",
+    "des_cbc",
+    "des3_ecb",
+    "des3_cbc",
+    "rc2_ecb",
+    "rc2_cbc",
+    "rc4",
+    "rc5_ecb",
+    "rc5_cbc",
+    "aes_ecb",
+    "aes_cbc",
+    "camellia_ecb",
+    "camellia_cbc",
+    "rsa",
+#ifdef NSS_ENABLE_ECC
+    "ecdsa",
+#endif
+    /*"pqg",*/
+    "dsa",
+    "md2",
+    "md5",
+    "sha1",
+    "sha256",
+    "sha384",
+    "sha512",
+};
+
+typedef struct
+{
+    bltestIO key;
+    bltestIO iv;
+} bltestSymmKeyParams;
+
+typedef struct
+{
+    bltestIO key;
+    bltestIO iv;
+    int	     rounds;
+    int	     wordsize;
+} bltestRC5Params;
+
+typedef struct
+{
+    bltestIO key;
+    int	     keysizeInBits;
+    RSAPrivateKey *rsakey;
+} bltestRSAParams;
+
+typedef struct
+{
+    bltestIO   key;
+    bltestIO   pqgdata;
+    unsigned int j;
+    bltestIO   keyseed;
+    bltestIO   sigseed;
+    bltestIO   sig; /* if doing verify, have additional input */
+    PQGParams *pqg;
+    DSAPrivateKey *dsakey;
+} bltestDSAParams;
+
+#ifdef NSS_ENABLE_ECC
+typedef struct
+{
+    bltestIO   key;
+    char      *curveName;
+    bltestIO   sigseed;
+    bltestIO   sig; /* if doing verify, have additional input */
+    ECPrivateKey *eckey;
+} bltestECDSAParams;
+#endif
+
+typedef struct
+{
+    bltestIO   key; /* unused */
+    PRBool     restart;
+} bltestHashParams;
+
+typedef union
+{
+    bltestIO		key;
+    bltestSymmKeyParams sk;
+    bltestRC5Params	rc5;
+    bltestRSAParams	rsa;
+    bltestDSAParams	dsa;
+#ifdef NSS_ENABLE_ECC
+    bltestECDSAParams	ecdsa;
+#endif
+    bltestHashParams	hash;
+} bltestParams;
+
+typedef struct bltestCipherInfoStr bltestCipherInfo;
+
+struct  bltestCipherInfoStr {
+    PRArenaPool *arena;
+    /* link to next in multithreaded test */
+    bltestCipherInfo *next;
+    PRThread         *cipherThread;
+
+    /* MonteCarlo test flag*/
+    PRBool mCarlo;
+    /* cipher context */
+    void *cx;
+    /* I/O streams */
+    bltestIO input;
+    bltestIO output;
+    /* Cipher-specific parameters */
+    bltestParams params;
+    /* Cipher mode */
+    bltestCipherMode  mode;
+    /* Cipher function (encrypt/decrypt/sign/verify/hash) */
+    union {
+	bltestSymmCipherFn   symmkeyCipher;
+	bltestPubKeyCipherFn pubkeyCipher;
+	bltestHashCipherFn   hashCipher;
+    } cipher;
+    /* performance testing */
+    int   repetitionsToPerfom;
+    int   seconds;
+    int	  repetitions;
+    int   cxreps;
+    double cxtime;
+    double optime;
+};
+
+PRBool
+is_symmkeyCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode >= bltestDES_ECB && mode <= bltestCAMELLIA_CBC)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+PRBool
+is_pubkeyCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode >= bltestRSA && mode <= bltestDSA)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+PRBool
+is_hashCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode >= bltestMD2 && mode <= bltestSHA512)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+PRBool
+is_sigCipher(bltestCipherMode mode)
+{
+    /* change as needed! */
+#ifdef NSS_ENABLE_ECC
+    if (mode >= bltestECDSA && mode <= bltestDSA)
+#else
+    if (mode >= bltestDSA && mode <= bltestDSA)
+#endif
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+PRBool
+cipher_requires_IV(bltestCipherMode mode)
+{
+    /* change as needed! */
+    if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC ||
+	mode == bltestRC2_CBC || mode == bltestRC5_CBC     ||
+        mode == bltestAES_CBC || mode == bltestCAMELLIA_CBC)
+	return PR_TRUE;
+    return PR_FALSE;
+}
+
+SECStatus finishIO(bltestIO *output, PRFileDesc *file);
+
+SECStatus
+setupIO(PRArenaPool *arena, bltestIO *input, PRFileDesc *file,
+	char *str, int numBytes)
+{
+    SECStatus rv = SECSuccess;
+    SECItem fileData;
+    SECItem *in;
+    unsigned char *tok;
+    unsigned int i, j;
+
+    if (file && (numBytes == 0 || file == PR_STDIN)) {
+	/* grabbing data from a file */
+	rv = SECU_FileToItem(&fileData, file);
+	if (rv != SECSuccess) {
+	    PR_Close(file);
+	    return SECFailure;
+	}
+	in = &fileData;
+    } else if (str) {
+	/* grabbing data from command line */
+	fileData.data = str;
+	fileData.len = PL_strlen(str);
+	in = &fileData;
+    } else if (file) {
+	/* create nonce */
+	SECITEM_AllocItem(arena, &input->buf, numBytes);
+	RNG_GenerateGlobalRandomBytes(input->buf.data, numBytes);
+	return finishIO(input, file);
+    } else {
+	return SECFailure;
+    }
+
+    switch (input->mode) {
+    case bltestBase64Encoded:
+	rv = atob(in, &input->buf, arena);
+	break;
+    case bltestBinary:
+	if (in->data[in->len-1] == '\n') --in->len;
+	if (in->data[in->len-1] == '\r') --in->len;
+	SECITEM_CopyItem(arena, &input->buf, in);
+	break;
+    case bltestHexSpaceDelim:
+	SECITEM_AllocItem(arena, &input->buf, in->len/5);
+	for (i=0, j=0; i<in->len; i+=5, j++) {
+	    tok = &in->data[i];
+	    if (tok[0] != '0' || tok[1] != 'x' || tok[4] != ' ')
+		/* bad hex token */
+		break;
+
+	    rv = hex_from_2char(&tok[2], input->buf.data + j);
+	    if (rv)
+		break;
+	}
+	break;
+    case bltestHexStream:
+	SECITEM_AllocItem(arena, &input->buf, in->len/2);
+	for (i=0, j=0; i<in->len; i+=2, j++) {
+	    tok = &in->data[i];
+	    rv = hex_from_2char(tok, input->buf.data + j);
+	    if (rv)
+		break;
+	}
+	break;
+    }
+
+    if (file)
+	SECITEM_FreeItem(&fileData, PR_FALSE);
+    return rv;
+}
+
+SECStatus
+finishIO(bltestIO *output, PRFileDesc *file)
+{
+    SECStatus rv = SECSuccess;
+    PRInt32 nb;
+    unsigned char byteval;
+    SECItem *it;
+    char hexstr[5];
+    unsigned int i;
+    if (output->pBuf.len > 0) {
+	it = &output->pBuf;
+    } else {
+	it = &output->buf;
+    }
+    switch (output->mode) {
+    case bltestBase64Encoded:
+	rv = btoa_file(it, file);
+	break;
+    case bltestBinary:
+	nb = PR_Write(file, it->data, it->len);
+	rv = (nb == (PRInt32)it->len) ? SECSuccess : SECFailure;
+	break;
+    case bltestHexSpaceDelim:
+	hexstr[0] = '0';
+	hexstr[1] = 'x';
+	hexstr[4] = ' ';
+	for (i=0; i<it->len; i++) {
+	    byteval = it->data[i];
+	    rv = char2_from_hex(byteval, hexstr + 2);
+	    nb = PR_Write(file, hexstr, 5);
+	    if (rv)
+		break;
+	}
+	PR_Write(file, "\n", 1);
+	break;
+    case bltestHexStream:
+	for (i=0; i<it->len; i++) {
+	    byteval = it->data[i];
+	    rv = char2_from_hex(byteval, hexstr);
+	    if (rv)
+		break;
+	    nb = PR_Write(file, hexstr, 2);
+	}
+	PR_Write(file, "\n", 1);
+	break;
+    }
+    return rv;
+}
+
+void
+bltestCopyIO(PRArenaPool *arena, bltestIO *dest, bltestIO *src)
+{
+    SECITEM_CopyItem(arena, &dest->buf, &src->buf);
+    if (src->pBuf.len > 0) {
+	dest->pBuf.len = src->pBuf.len;
+	dest->pBuf.data = dest->buf.data + (src->pBuf.data - src->buf.data);
+    }
+    dest->mode = src->mode;
+    dest->file = src->file;
+}
+
+void
+misalignBuffer(PRArenaPool *arena, bltestIO *io, int off)
+{
+    ptrdiff_t offset = (ptrdiff_t)io->buf.data % WORDSIZE;
+    int length = io->buf.len;
+    if (offset != off) {
+	SECITEM_ReallocItem(arena, &io->buf, length, length + 2*WORDSIZE);
+	io->buf.len = length + 2*WORDSIZE; /* why doesn't realloc do this? */
+	/* offset may have changed? */
+	offset = (ptrdiff_t)io->buf.data % WORDSIZE;
+	if (offset != off) {
+	    memmove(io->buf.data + off, io->buf.data, length);
+	    io->pBuf.data = io->buf.data + off;
+	    io->pBuf.len = length;
+	} else {
+	    io->pBuf.data = io->buf.data;
+	    io->pBuf.len = length;
+	}
+    } else {
+	io->pBuf.data = io->buf.data;
+	io->pBuf.len = length;
+    }
+}
+
+SECStatus
+des_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return DES_Encrypt((DESContext *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+des_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return DES_Decrypt((DESContext *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+rc2_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return RC2_Encrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+rc2_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return RC2_Decrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+rc4_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return RC4_Encrypt((RC4Context *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+rc4_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return RC4_Decrypt((RC4Context *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+aes_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return AES_Encrypt((AESContext *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+aes_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen, const unsigned char *input,
+            unsigned int inputLen)
+{
+    return AES_Decrypt((AESContext *)cx, output, outputLen, maxOutputLen,
+                       input, inputLen);
+}
+
+SECStatus
+camellia_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+		 unsigned int maxOutputLen, const unsigned char *input,
+		 unsigned int inputLen)
+{
+    return Camellia_Encrypt((CamelliaContext *)cx, output, outputLen,
+			    maxOutputLen,
+			    input, inputLen);
+}
+
+SECStatus
+camellia_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
+		 unsigned int maxOutputLen, const unsigned char *input,
+		 unsigned int inputLen)
+{
+    return Camellia_Decrypt((CamelliaContext *)cx, output, outputLen,
+			    maxOutputLen,
+			    input, inputLen);
+}
+
+SECStatus
+rsa_PublicKeyOp(void *key, SECItem *output, const SECItem *input)
+{
+    return RSA_PublicKeyOp((RSAPublicKey *)key, output->data, input->data);
+}
+
+SECStatus
+rsa_PrivateKeyOp(void *key, SECItem *output, const SECItem *input)
+{
+    return RSA_PrivateKeyOp((RSAPrivateKey *)key, output->data, input->data);
+}
+
+SECStatus
+dsa_signDigest(void *key, SECItem *output, const SECItem *input)
+{
+    return DSA_SignDigest((DSAPrivateKey *)key, output, input);
+}
+
+SECStatus
+dsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
+{
+    return DSA_VerifyDigest((DSAPublicKey *)key, output, input);
+}
+
+#ifdef NSS_ENABLE_ECC
+SECStatus
+ecdsa_signDigest(void *key, SECItem *output, const SECItem *input)
+{
+    return ECDSA_SignDigest((ECPrivateKey *)key, output, input);
+}
+
+SECStatus
+ecdsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
+{
+    return ECDSA_VerifyDigest((ECPublicKey *)key, output, input);
+}
+#endif
+
+SECStatus
+bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    PRIntervalTime time1, time2;
+    bltestSymmKeyParams *desp = &cipherInfo->params.sk;
+    int minorMode;
+    int i;
+    switch (cipherInfo->mode) {
+    case bltestDES_ECB:	    minorMode = NSS_DES;	  break;
+    case bltestDES_CBC:	    minorMode = NSS_DES_CBC;	  break;
+    case bltestDES_EDE_ECB: minorMode = NSS_DES_EDE3;	  break;
+    case bltestDES_EDE_CBC: minorMode = NSS_DES_EDE3_CBC; break;
+    default:
+	return SECFailure;
+    }
+    cipherInfo->cx = (void*)DES_CreateContext(desp->key.buf.data,
+					      desp->iv.buf.data,
+					      minorMode, encrypt);
+    if (cipherInfo->cxreps > 0) {
+	DESContext **dummycx;
+	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(DESContext *));
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummycx[i] = (void*)DES_CreateContext(desp->key.buf.data,
+					          desp->iv.buf.data,
+					          minorMode, encrypt);
+	}
+	TIMEFINISH(cipherInfo->cxtime, 1.0);
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    DES_DestroyContext(dummycx[i], PR_TRUE);
+	}
+	PORT_Free(dummycx);
+    }
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = des_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = des_Decrypt;
+    return SECSuccess;
+}
+
+SECStatus
+bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    PRIntervalTime time1, time2;
+    bltestSymmKeyParams *rc2p = &cipherInfo->params.sk;
+    int minorMode;
+    int i;
+    switch (cipherInfo->mode) {
+    case bltestRC2_ECB: minorMode = NSS_RC2;	 break;
+    case bltestRC2_CBC: minorMode = NSS_RC2_CBC; break;
+    default:
+	return SECFailure;
+    }
+    cipherInfo->cx = (void*)RC2_CreateContext(rc2p->key.buf.data,
+					      rc2p->key.buf.len,
+					      rc2p->iv.buf.data,
+					      minorMode,
+					      rc2p->key.buf.len);
+    if (cipherInfo->cxreps > 0) {
+	RC2Context **dummycx;
+	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(RC2Context *));
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummycx[i] = (void*)RC2_CreateContext(rc2p->key.buf.data,
+	                                          rc2p->key.buf.len,
+	                                          rc2p->iv.buf.data,
+	                                          minorMode,
+	                                          rc2p->key.buf.len);
+	}
+	TIMEFINISH(cipherInfo->cxtime, 1.0);
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    RC2_DestroyContext(dummycx[i], PR_TRUE);
+	}
+	PORT_Free(dummycx);
+    }
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = rc2_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = rc2_Decrypt;
+    return SECSuccess;
+}
+
+SECStatus
+bltest_rc4_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    PRIntervalTime time1, time2;
+    int i;
+    bltestSymmKeyParams *rc4p = &cipherInfo->params.sk;
+    cipherInfo->cx = (void*)RC4_CreateContext(rc4p->key.buf.data,
+					      rc4p->key.buf.len);
+    if (cipherInfo->cxreps > 0) {
+	RC4Context **dummycx;
+	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(RC4Context *));
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummycx[i] = (void*)RC4_CreateContext(rc4p->key.buf.data,
+	                                          rc4p->key.buf.len);
+	}
+	TIMEFINISH(cipherInfo->cxtime, 1.0);
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    RC4_DestroyContext(dummycx[i], PR_TRUE);
+	}
+	PORT_Free(dummycx);
+    }
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = rc4_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = rc4_Decrypt;
+    return SECSuccess;
+}
+
+SECStatus
+bltest_rc5_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+#if NSS_SOFTOKEN_DOES_RC5
+    PRIntervalTime time1, time2;
+    bltestRC5Params *rc5p = &cipherInfo->params.rc5;
+    int minorMode;
+    switch (cipherInfo->mode) {
+    case bltestRC5_ECB: minorMode = NSS_RC5;	 break;
+    case bltestRC5_CBC: minorMode = NSS_RC5_CBC; break;
+    default:
+	return SECFailure;
+    }
+    TIMESTART();
+    cipherInfo->cx = (void*)RC5_CreateContext(&rc5p->key.buf,
+					      rc5p->rounds, rc5p->wordsize,
+					      rc5p->iv.buf.data, minorMode);
+    TIMEFINISH(cipherInfo->cxtime, 1.0);
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = RC5_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = RC5_Decrypt;
+    return SECSuccess;
+#else
+    return SECFailure;
+#endif
+}
+
+SECStatus
+bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    bltestSymmKeyParams *aesp = &cipherInfo->params.sk;
+    int minorMode;
+    int i;
+    int keylen   = aesp->key.buf.len;
+    int blocklen = AES_BLOCK_SIZE; 
+    PRIntervalTime time1, time2;
+
+    switch (cipherInfo->mode) {
+    case bltestAES_ECB:	    minorMode = NSS_AES;	  break;
+    case bltestAES_CBC:	    minorMode = NSS_AES_CBC;	  break;
+    default:
+	return SECFailure;
+    }
+    cipherInfo->cx = (void*)AES_CreateContext(aesp->key.buf.data,
+					      aesp->iv.buf.data,
+					      minorMode, encrypt, 
+                                              keylen, blocklen);
+    if (cipherInfo->cxreps > 0) {
+	AESContext **dummycx;
+	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(AESContext *));
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummycx[i] = (void*)AES_CreateContext(aesp->key.buf.data,
+					          aesp->iv.buf.data,
+					          minorMode, encrypt,
+	                                          keylen, blocklen);
+	}
+	TIMEFINISH(cipherInfo->cxtime, 1.0);
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    AES_DestroyContext(dummycx[i], PR_TRUE);
+	}
+	PORT_Free(dummycx);
+    }
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = aes_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = aes_Decrypt;
+    return SECSuccess;
+}
+
+SECStatus
+bltest_camellia_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    bltestSymmKeyParams *camelliap = &cipherInfo->params.sk;
+    int minorMode;
+    int i;
+    int keylen   = camelliap->key.buf.len;
+    int blocklen = CAMELLIA_BLOCK_SIZE; 
+    PRIntervalTime time1, time2;
+    
+    switch (cipherInfo->mode) {
+    case bltestCAMELLIA_ECB:	    minorMode = NSS_CAMELLIA;	  break;
+    case bltestCAMELLIA_CBC:	    minorMode = NSS_CAMELLIA_CBC;  break;
+    default:
+	return SECFailure;
+    }
+    cipherInfo->cx = (void*)Camellia_CreateContext(camelliap->key.buf.data,
+						   camelliap->iv.buf.data,
+						   minorMode, encrypt, 
+						   keylen);
+    if (cipherInfo->cxreps > 0) {
+	CamelliaContext **dummycx;
+	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(CamelliaContext *));
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummycx[i] = (void*)Camellia_CreateContext(camelliap->key.buf.data,
+						       camelliap->iv.buf.data,
+						       minorMode, encrypt,
+						       keylen);
+	}
+	TIMEFINISH(cipherInfo->cxtime, 1.0);
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    Camellia_DestroyContext(dummycx[i], PR_TRUE);
+	}
+	PORT_Free(dummycx);
+    }
+    if (encrypt)
+	cipherInfo->cipher.symmkeyCipher = camellia_Encrypt;
+    else
+	cipherInfo->cipher.symmkeyCipher = camellia_Decrypt;
+    return SECSuccess;
+}
+
+SECStatus
+bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    int i;
+    RSAPrivateKey **dummyKey;
+    PRIntervalTime time1, time2;
+    bltestRSAParams *rsap = &cipherInfo->params.rsa;
+    /* RSA key gen was done during parameter setup */
+    cipherInfo->cx = cipherInfo->params.rsa.rsakey;
+    /* For performance testing */
+    if (cipherInfo->cxreps > 0) {
+	/* Create space for n private key objects */
+	dummyKey = (RSAPrivateKey **)PORT_Alloc(cipherInfo->cxreps *
+						sizeof(RSAPrivateKey *));
+	/* Time n keygens, storing in the array */
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++)
+	    dummyKey[i] = RSA_NewKey(rsap->keysizeInBits, 
+	                             &rsap->rsakey->publicExponent);
+	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
+	/* Free the n key objects */
+	for (i=0; i<cipherInfo->cxreps; i++)
+	    PORT_FreeArena(dummyKey[i]->arena, PR_TRUE);
+	PORT_Free(dummyKey);
+    }
+    if (encrypt) {
+	/* Have to convert private key to public key.  Memory
+	 * is freed with private key's arena  */
+	RSAPublicKey *pubkey;
+	RSAPrivateKey *key = (RSAPrivateKey *)cipherInfo->cx;
+	pubkey = (RSAPublicKey *)PORT_ArenaAlloc(key->arena,
+						 sizeof(RSAPublicKey));
+	pubkey->modulus.len = key->modulus.len;
+	pubkey->modulus.data = key->modulus.data;
+	pubkey->publicExponent.len = key->publicExponent.len;
+	pubkey->publicExponent.data = key->publicExponent.data;
+	cipherInfo->cx = (void *)pubkey;
+	cipherInfo->cipher.pubkeyCipher = rsa_PublicKeyOp;
+    } else {
+	cipherInfo->cipher.pubkeyCipher = rsa_PrivateKeyOp;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+bltest_pqg_init(bltestDSAParams *dsap)
+{
+    SECStatus rv, res;
+    PQGVerify *vfy = NULL;
+    rv = PQG_ParamGen(dsap->j, &dsap->pqg, &vfy);
+    CHECKERROR(rv, __LINE__);
+    rv = PQG_VerifyParams(dsap->pqg, vfy, &res);
+    CHECKERROR(res, __LINE__);
+    CHECKERROR(rv, __LINE__);
+    return rv;
+}
+
+SECStatus
+bltest_dsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    int i;
+    DSAPrivateKey **dummyKey;
+    PQGParams *dummypqg;
+    PRIntervalTime time1, time2;
+    bltestDSAParams *dsap = &cipherInfo->params.dsa;
+    PQGVerify *ignore = NULL;
+    /* DSA key gen was done during parameter setup */
+    cipherInfo->cx = cipherInfo->params.dsa.dsakey;
+    /* For performance testing */
+    if (cipherInfo->cxreps > 0) {
+	/* Create space for n private key objects */
+	dummyKey = (DSAPrivateKey **)PORT_ZAlloc(cipherInfo->cxreps *
+	                                         sizeof(DSAPrivateKey *));
+	/* Time n keygens, storing in the array */
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    dummypqg = NULL;
+	    PQG_ParamGen(dsap->j, &dummypqg, &ignore);
+	    DSA_NewKey(dummypqg, &dummyKey[i]);
+	}
+	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
+	/* Free the n key objects */
+	for (i=0; i<cipherInfo->cxreps; i++)
+	    PORT_FreeArena(dummyKey[i]->params.arena, PR_TRUE);
+	PORT_Free(dummyKey);
+    }
+    if (!dsap->pqg && dsap->pqgdata.buf.len > 0) {
+	dsap->pqg = pqg_from_filedata(&dsap->pqgdata.buf);
+    }
+    if (!cipherInfo->cx && dsap->key.buf.len > 0) {
+	cipherInfo->cx = dsakey_from_filedata(&dsap->key.buf);
+    }
+    if (encrypt) {
+	cipherInfo->cipher.pubkeyCipher = dsa_signDigest;
+    } else {
+	/* Have to convert private key to public key.  Memory
+	 * is freed with private key's arena  */
+	DSAPublicKey *pubkey;
+	DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
+	pubkey = (DSAPublicKey *)PORT_ArenaZAlloc(key->params.arena,
+						  sizeof(DSAPublicKey));
+	pubkey->params.prime.len = key->params.prime.len;
+	pubkey->params.prime.data = key->params.prime.data;
+	pubkey->params.subPrime.len = key->params.subPrime.len;
+	pubkey->params.subPrime.data = key->params.subPrime.data;
+	pubkey->params.base.len = key->params.base.len;
+	pubkey->params.base.data = key->params.base.data;
+	pubkey->publicValue.len = key->publicValue.len;
+	pubkey->publicValue.data = key->publicValue.data;
+	cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
+    }
+    return SECSuccess;
+}
+
+#ifdef NSS_ENABLE_ECC
+SECStatus
+bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    int i;
+    ECPrivateKey **dummyKey;
+    PRIntervalTime time1, time2;
+    bltestECDSAParams *ecdsap = &cipherInfo->params.ecdsa;
+    /* ECDSA key gen was done during parameter setup */
+    cipherInfo->cx = cipherInfo->params.ecdsa.eckey;
+    /* For performance testing */
+    if (cipherInfo->cxreps > 0) {
+	/* Create space for n private key objects */
+	dummyKey = (ECPrivateKey **)PORT_ZAlloc(cipherInfo->cxreps *
+	                                         sizeof(ECPrivateKey *));
+	/* Time n keygens, storing in the array */
+	TIMESTART();
+	for (i=0; i<cipherInfo->cxreps; i++) {
+	    EC_NewKey(&ecdsap->eckey->ecParams, &dummyKey[i]);
+	}
+	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
+	/* Free the n key objects */
+	for (i=0; i<cipherInfo->cxreps; i++)
+	    PORT_FreeArena(dummyKey[i]->ecParams.arena, PR_TRUE);
+	PORT_Free(dummyKey);
+    }
+    if (!cipherInfo->cx && ecdsap->key.buf.len > 0) {
+	cipherInfo->cx = eckey_from_filedata(&ecdsap->key.buf);
+    }
+    if (encrypt) {
+	cipherInfo->cipher.pubkeyCipher = ecdsa_signDigest;
+    } else {
+	/* Have to convert private key to public key.  Memory
+	 * is freed with private key's arena  */
+	ECPublicKey *pubkey;
+	ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
+	pubkey = (ECPublicKey *)PORT_ArenaZAlloc(key->ecParams.arena,
+						  sizeof(ECPublicKey));
+	pubkey->ecParams.type = key->ecParams.type;
+	pubkey->ecParams.fieldID.size = key->ecParams.fieldID.size;
+	pubkey->ecParams.fieldID.type = key->ecParams.fieldID.type;
+	pubkey->ecParams.fieldID.u.prime.len = key->ecParams.fieldID.u.prime.len;
+	pubkey->ecParams.fieldID.u.prime.data = key->ecParams.fieldID.u.prime.data;
+	pubkey->ecParams.fieldID.k1 = key->ecParams.fieldID.k1;
+	pubkey->ecParams.fieldID.k2 = key->ecParams.fieldID.k2;
+	pubkey->ecParams.fieldID.k3 = key->ecParams.fieldID.k3;
+	pubkey->ecParams.curve.a.len = key->ecParams.curve.a.len;
+	pubkey->ecParams.curve.a.data = key->ecParams.curve.a.data;
+	pubkey->ecParams.curve.b.len = key->ecParams.curve.b.len;
+	pubkey->ecParams.curve.b.data = key->ecParams.curve.b.data;
+	pubkey->ecParams.curve.seed.len = key->ecParams.curve.seed.len;
+	pubkey->ecParams.curve.seed.data = key->ecParams.curve.seed.data;
+	pubkey->ecParams.base.len = key->ecParams.base.len;
+	pubkey->ecParams.base.data = key->ecParams.base.data;
+	pubkey->ecParams.order.len = key->ecParams.order.len;
+	pubkey->ecParams.order.data = key->ecParams.order.data;
+	pubkey->ecParams.cofactor = key->ecParams.cofactor;
+	pubkey->ecParams.DEREncoding.len = key->ecParams.DEREncoding.len;
+	pubkey->ecParams.DEREncoding.data = key->ecParams.DEREncoding.data;
+	pubkey->ecParams.name= key->ecParams.name;
+	pubkey->publicValue.len = key->publicValue.len;
+	pubkey->publicValue.data = key->publicValue.data;
+	cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
+    }
+    return SECSuccess;
+}
+#endif
+
+/* XXX unfortunately, this is not defined in blapi.h */
+SECStatus
+md2_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    unsigned int len;
+    MD2Context *cx = MD2_NewContext();
+    if (cx == NULL) return SECFailure;
+    MD2_Begin(cx);
+    MD2_Update(cx, src, src_length);
+    MD2_End(cx, dest, &len, MD2_LENGTH);
+    MD2_DestroyContext(cx, PR_TRUE);
+    return SECSuccess;
+}
+
+SECStatus
+md2_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    MD2Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    SECStatus rv = SECSuccess;
+    cx = MD2_NewContext();
+    MD2_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	MD2_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = MD2_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	MD2_Flatten(cx, cxbytes);
+	cx_cpy = MD2_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: MD2_Resurrect failed!\n", progName);
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    MD2_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: MD2_restart failed!\n", progName);
+	    goto finish;
+	}
+	MD2_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    MD2_End(cx, dest, &len, MD2_LENGTH);
+finish:
+    MD2_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+md5_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    MD5Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = MD5_NewContext();
+    MD5_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	MD5_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = MD5_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	MD5_Flatten(cx, cxbytes);
+	cx_cpy = MD5_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: MD5_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    MD5_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: MD5_restart failed!\n", progName);
+	    goto finish;
+	}
+	MD5_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    MD5_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    MD5_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+sha1_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA1Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA1_NewContext();
+    SHA1_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA1_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA1_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA1_Flatten(cx, cxbytes);
+	cx_cpy = SHA1_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA1_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA1_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA1_restart failed!\n", progName);
+	    goto finish;
+	}
+	SHA1_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA1_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA1_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA256Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA256_NewContext();
+    SHA256_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA256_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA256_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA256_Flatten(cx, cxbytes);
+	cx_cpy = SHA256_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA256_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA256_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA256_restart failed!\n", progName);
+	    goto finish;
+	}
+	SHA256_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA256_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA256_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+SHA384_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA384Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA384_NewContext();
+    SHA384_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA384_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA384_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA384_Flatten(cx, cxbytes);
+	cx_cpy = SHA384_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA384_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA384_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA384_restart failed!\n", progName);
+	    goto finish;
+	}
+	SHA384_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA384_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA384_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+SHA512_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA512Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA512_NewContext();
+    SHA512_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3)/ 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA512_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA512_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA512_Flatten(cx, cxbytes);
+	cx_cpy = SHA512_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA512_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA512_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA512_restart failed!\n", progName);
+	    goto finish;
+	}
+	SHA512_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA512_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA512_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
+#ifdef NSS_ENABLE_ECC
+	      int keysize, int exponent, char *curveName)
+#else
+	      int keysize, int exponent)
+#endif
+{
+    int i;
+    SECStatus rv = SECSuccess;
+    bltestRSAParams *rsap;
+    bltestDSAParams *dsap;
+#ifdef NSS_ENABLE_ECC
+    bltestECDSAParams *ecdsap;
+    SECItem *tmpECParamsDER;
+    ECParams *tmpECParams = NULL;
+    SECItem ecSerialize[3];
+#endif
+    switch (cipherInfo->mode) {
+    case bltestRSA:
+	rsap = &cipherInfo->params.rsa;
+	if (keysize > 0) {
+	    SECItem expitem = { 0, 0, 0 };
+	    SECITEM_AllocItem(cipherInfo->arena, &expitem, sizeof(int));
+	    for (i = 1; i <= sizeof(int); i++)
+		expitem.data[i-1] = exponent >> (8*(sizeof(int) - i));
+	    rsap->rsakey = RSA_NewKey(keysize * 8, &expitem);
+	    serialize_key(&rsap->rsakey->version, 9, file);
+	    rsap->keysizeInBits = keysize * 8;
+	} else {
+	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+	    rsap->rsakey = rsakey_from_filedata(&cipherInfo->params.key.buf);
+	    rsap->keysizeInBits = rsap->rsakey->modulus.len * 8;
+	}
+	break;
+    case bltestDSA:
+	dsap = &cipherInfo->params.dsa;
+	if (keysize > 0) {
+	    dsap->j = PQG_PBITS_TO_INDEX(8*keysize);
+	    if (!dsap->pqg)
+		bltest_pqg_init(dsap);
+	    rv = DSA_NewKey(dsap->pqg, &dsap->dsakey);
+	    CHECKERROR(rv, __LINE__);
+	    serialize_key(&dsap->dsakey->params.prime, 5, file);
+	} else {
+	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+	    dsap->dsakey = dsakey_from_filedata(&cipherInfo->params.key.buf);
+	    dsap->j = PQG_PBITS_TO_INDEX(8*dsap->dsakey->params.prime.len);
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+    case bltestECDSA:
+	ecdsap = &cipherInfo->params.ecdsa;
+	if (curveName != NULL) {
+	    tmpECParamsDER = getECParams(curveName);
+	    rv = SECOID_Init();
+	    CHECKERROR(rv, __LINE__);
+	    rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
+	    CHECKERROR(rv, __LINE__);
+	    rv = EC_NewKey(tmpECParams, &ecdsap->eckey);
+	    CHECKERROR(rv, __LINE__);
+	    ecSerialize[0].type = tmpECParamsDER->type;
+	    ecSerialize[0].data = tmpECParamsDER->data;
+	    ecSerialize[0].len  = tmpECParamsDER->len;
+	    ecSerialize[1].type = ecdsap->eckey->publicValue.type;
+	    ecSerialize[1].data = ecdsap->eckey->publicValue.data;
+	    ecSerialize[1].len  = ecdsap->eckey->publicValue.len;
+	    ecSerialize[2].type = ecdsap->eckey->privateValue.type;
+	    ecSerialize[2].data = ecdsap->eckey->privateValue.data;
+	    ecSerialize[2].len  = ecdsap->eckey->privateValue.len;
+	    serialize_key(&(ecSerialize[0]), 3, file);
+	    SECITEM_FreeItem(tmpECParamsDER, PR_TRUE);
+	    PORT_FreeArena(tmpECParams->arena, PR_TRUE);
+	    rv = SECOID_Shutdown();
+	    CHECKERROR(rv, __LINE__);
+	} else {
+	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+	    ecdsap->eckey = eckey_from_filedata(&cipherInfo->params.key.buf);
+	}
+	break;
+#endif
+    default:
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
+{
+    PRBool restart;
+    switch (cipherInfo->mode) {
+    case bltestDES_ECB:
+    case bltestDES_CBC:
+    case bltestDES_EDE_ECB:
+    case bltestDES_EDE_CBC:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_des_init(cipherInfo, encrypt);
+	break;
+    case bltestRC2_ECB:
+    case bltestRC2_CBC:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_rc2_init(cipherInfo, encrypt);
+	break;
+    case bltestRC4:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_rc4_init(cipherInfo, encrypt);
+	break;
+    case bltestRC5_ECB:
+    case bltestRC5_CBC:
+#if NSS_SOFTOKEN_DOES_RC5
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+#endif
+	return bltest_rc5_init(cipherInfo, encrypt);
+	break;
+    case bltestAES_ECB:
+    case bltestAES_CBC:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_aes_init(cipherInfo, encrypt);
+	break;
+    case bltestCAMELLIA_ECB:
+    case bltestCAMELLIA_CBC:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_camellia_init(cipherInfo, encrypt);
+	break;
+    case bltestRSA:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  cipherInfo->input.pBuf.len);
+	return bltest_rsa_init(cipherInfo, encrypt);
+	break;
+    case bltestDSA:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  DSA_SIGNATURE_LEN);
+	return bltest_dsa_init(cipherInfo, encrypt);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case bltestECDSA:
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  2 * MAX_ECKEY_LEN);
+	return bltest_ecdsa_init(cipherInfo, encrypt);
+	break;
+#endif
+    case bltestMD2:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  MD2_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? md2_restart : md2_HashBuf;
+	return SECSuccess;
+	break;
+    case bltestMD5:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  MD5_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? md5_restart : MD5_HashBuf;
+	return SECSuccess;
+	break;
+    case bltestSHA1:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA1_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
+	return SECSuccess;
+	break;
+    case bltestSHA256:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA256_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA256_restart 
+	                                          : SHA256_HashBuf;
+	return SECSuccess;
+	break;
+    case bltestSHA384:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA384_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA384_restart 
+	                                          : SHA384_HashBuf;
+	return SECSuccess;
+	break;
+    case bltestSHA512:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA512_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA512_restart 
+	                                          : SHA512_HashBuf;
+	return SECSuccess;
+	break;
+    default:
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+dsaOp(bltestCipherInfo *cipherInfo)
+{
+    PRIntervalTime time1, time2;
+    SECStatus rv = SECSuccess;
+    int i;
+    int maxLen = cipherInfo->output.pBuf.len;
+    SECItem dummyOut = { 0, 0, 0 };
+    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
+    if (cipherInfo->cipher.pubkeyCipher == dsa_signDigest) {
+	if (cipherInfo->params.dsa.sigseed.buf.len > 0) {
+            bltestDSAParams *dsa = &cipherInfo->params.dsa;
+            DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
+
+            TIMESTART();
+            rv = DSA_SignDigestWithSeed(key,
+                                        &cipherInfo->output.pBuf,
+                                        &cipherInfo->input.pBuf,
+                                        dsa->sigseed.buf.data);
+            TIMEFINISH(cipherInfo->optime, 1.0);
+            CHECKERROR(rv, __LINE__);
+            cipherInfo->repetitions = 0;
+            if (cipherInfo->repetitionsToPerfom != 0) {
+                TIMESTART();
+                for (i=0; i<cipherInfo->repetitionsToPerfom;
+                     i++, cipherInfo->repetitions++) {
+                    rv = DSA_SignDigestWithSeed(key, &dummyOut,
+                                                &cipherInfo->input.pBuf,
+                                                dsa->sigseed.buf.data);
+                    CHECKERROR(rv, __LINE__);
+                }
+            } else {
+                int opsBetweenChecks = 0;
+                TIMEMARK(cipherInfo->seconds);
+                while (! (TIMETOFINISH())) {
+                    int j = 0;
+                    for (;j < opsBetweenChecks;j++) {
+                        rv = DSA_SignDigestWithSeed(key, &dummyOut,
+                                                    &cipherInfo->input.pBuf,
+                                                    dsa->sigseed.buf.data);
+                        CHECKERROR(rv, __LINE__);
+                    }
+                    cipherInfo->repetitions += j;
+                }
+            }
+            TIMEFINISH(cipherInfo->optime, 1.0);
+        } else {
+            TIMESTART();
+            rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+                                &cipherInfo->output.pBuf,
+                                &cipherInfo->input.pBuf);
+            TIMEFINISH(cipherInfo->optime, 1.0);
+            CHECKERROR(rv, __LINE__);
+            cipherInfo->repetitions = 0;
+            if (cipherInfo->repetitionsToPerfom != 0) {
+                TIMESTART();
+                for (i=0; i<cipherInfo->repetitionsToPerfom;
+                     i++, cipherInfo->repetitions++) {
+                    rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+                                        &dummyOut,
+                                        &cipherInfo->input.pBuf);
+                    CHECKERROR(rv, __LINE__);
+                }
+            } else {
+                int opsBetweenChecks = 0;
+                TIMEMARK(cipherInfo->seconds);
+                while (! (TIMETOFINISH())) {
+                    int j = 0;
+                    for (;j < opsBetweenChecks;j++) {
+                        rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+                                            &dummyOut,
+                                            &cipherInfo->input.pBuf);
+                        CHECKERROR(rv, __LINE__);
+                    }
+                    cipherInfo->repetitions += j;
+                }
+            }
+            TIMEFINISH(cipherInfo->optime, 1.0);
+        }
+        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.dsa.sig, 
+                     &cipherInfo->output);
+    } else {
+        TIMESTART();
+        rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+                              &cipherInfo->params.dsa.sig.buf,
+                              &cipherInfo->input.pBuf);
+        TIMEFINISH(cipherInfo->optime, 1.0);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom;
+                 i++, cipherInfo->repetitions++) {
+                rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+                                      &cipherInfo->params.dsa.sig.buf,
+                                      &cipherInfo->input.pBuf);
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+                                          &cipherInfo->params.dsa.sig.buf,
+                                          &cipherInfo->input.pBuf);
+                    CHECKERROR(rv, __LINE__);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
+    }
+    SECITEM_FreeItem(&dummyOut, PR_FALSE);
+    return rv;
+}
+
+#ifdef NSS_ENABLE_ECC
+SECStatus
+ecdsaOp(bltestCipherInfo *cipherInfo)
+{
+    PRIntervalTime time1, time2;
+    SECStatus rv = SECSuccess;
+    int i;
+    int maxLen = cipherInfo->output.pBuf.len;
+    SECItem dummyOut = { 0, 0, 0 };
+    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
+    if (cipherInfo->cipher.pubkeyCipher == ecdsa_signDigest) {
+        if (cipherInfo->params.ecdsa.sigseed.buf.len > 0) {
+            ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
+            bltestECDSAParams *ecdsa = &cipherInfo->params.ecdsa;
+
+            TIMESTART();
+            rv = ECDSA_SignDigestWithSeed(key,
+                                          &cipherInfo->output.pBuf,
+                                          &cipherInfo->input.pBuf,
+                                          ecdsa->sigseed.buf.data,
+                                          ecdsa->sigseed.buf.len);
+            TIMEFINISH(cipherInfo->optime, 1.0);
+            CHECKERROR(rv, __LINE__);
+            cipherInfo->repetitions = 0;
+            if (cipherInfo->repetitionsToPerfom != 0) {
+                TIMESTART();
+                for (i=0; i<cipherInfo->repetitionsToPerfom;
+                     i++, cipherInfo->repetitions++) {
+                    rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
+                                                  &cipherInfo->input.pBuf,
+                                                  ecdsa->sigseed.buf.data,
+                                                  ecdsa->sigseed.buf.len);
+                    CHECKERROR(rv, __LINE__);
+                }
+            } else {
+                int opsBetweenChecks = 0;
+                TIMEMARK(cipherInfo->seconds);
+                while (! (TIMETOFINISH())) {
+                    int j = 0;
+                    for (;j < opsBetweenChecks;j++) {
+                        rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
+                                                      &cipherInfo->input.pBuf,
+                                                      ecdsa->sigseed.buf.data,
+                                                      ecdsa->sigseed.buf.len);
+                        CHECKERROR(rv, __LINE__);
+                    }
+                    cipherInfo->repetitions += j;
+                }
+            }
+            TIMEFINISH(cipherInfo->optime, 1.0);
+        } else {
+            TIMESTART();
+            rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+                                  &cipherInfo->output.pBuf,
+                                  &cipherInfo->input.pBuf);
+            TIMEFINISH(cipherInfo->optime, 1.0);
+            CHECKERROR(rv, __LINE__);
+            cipherInfo->repetitions = 0;
+            if (cipherInfo->repetitionsToPerfom != 0) {
+                TIMESTART();
+                for (i=0; i<cipherInfo->repetitionsToPerfom;
+                     i++, cipherInfo->repetitions++) {
+                    rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+                                          &dummyOut,
+                                          &cipherInfo->input.pBuf);
+                    CHECKERROR(rv, __LINE__);
+                }
+            } else {
+                int opsBetweenChecks = 0;
+                TIMEMARK(cipherInfo->seconds);
+                while (! (TIMETOFINISH())) {
+                    int j = 0;
+                    for (;j < opsBetweenChecks;j++) {
+                        rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+                                              &dummyOut,
+                                              &cipherInfo->input.pBuf);
+                        CHECKERROR(rv, __LINE__);
+                    }
+                    cipherInfo->repetitions += j;
+                }
+            }
+            TIMEFINISH(cipherInfo->optime, 1.0);
+        }
+        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig, 
+                     &cipherInfo->output);
+    } else {
+        TIMESTART();
+        rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+                                &cipherInfo->params.ecdsa.sig.buf,
+                                &cipherInfo->input.pBuf);
+        TIMEFINISH(cipherInfo->optime, 1.0);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom;
+                 i++, cipherInfo->repetitions++) {
+                rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+                                        &cipherInfo->params.ecdsa.sig.buf,
+                                        &cipherInfo->input.pBuf);
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+                                            &cipherInfo->params.ecdsa.sig.buf,
+                                            &cipherInfo->input.pBuf);
+                    CHECKERROR(rv, __LINE__);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
+    }
+    SECITEM_FreeItem(&dummyOut, PR_FALSE);
+    return rv;
+}
+#endif
+
+SECStatus
+cipherDoOp(bltestCipherInfo *cipherInfo)
+{
+    PRIntervalTime time1, time2;
+    SECStatus rv = SECSuccess;
+    int i, len;
+    int maxLen = cipherInfo->output.pBuf.len;
+    unsigned char *dummyOut;
+    if (cipherInfo->mode == bltestDSA)
+	return dsaOp(cipherInfo);
+#ifdef NSS_ENABLE_ECC
+    else if (cipherInfo->mode == bltestECDSA)
+	return ecdsaOp(cipherInfo);
+#endif
+    dummyOut = PORT_Alloc(maxLen);
+    if (is_symmkeyCipher(cipherInfo->mode)) {
+        TIMESTART();
+        rv = (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
+                                                 cipherInfo->output.pBuf.data,
+                                                 &len, maxLen,
+                                                 cipherInfo->input.pBuf.data,
+                                                 cipherInfo->input.pBuf.len);
+        TIMEFINISH(cipherInfo->optime, 1.0);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom; i++,
+                     cipherInfo->repetitions++) {
+                (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx, dummyOut,
+                                                    &len, maxLen,
+                                                    cipherInfo->input.pBuf.data,
+                                                    cipherInfo->input.pBuf.len);
+                
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            bltestIO *input = &cipherInfo->input;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
+                                                        dummyOut,
+                                                        &len, maxLen,
+                                                        input->pBuf.data,
+                                                        input->pBuf.len);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
+    } else if (is_pubkeyCipher(cipherInfo->mode)) {
+        TIMESTART();
+        rv = (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx,
+                                                &cipherInfo->output.pBuf,
+                                                &cipherInfo->input.pBuf);
+        TIMEFINISH(cipherInfo->optime, 1.0);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom;
+                 i++, cipherInfo->repetitions++) {
+                SECItem dummy;
+                dummy.data = dummyOut;
+                dummy.len = maxLen;
+                (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx, &dummy, 
+                                                   &cipherInfo->input.pBuf);
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    SECItem dummy;
+                    dummy.data = dummyOut;
+                    dummy.len = maxLen;
+                    (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx, &dummy,
+                                                       &cipherInfo->input.pBuf);
+                    CHECKERROR(rv, __LINE__);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
+    } else if (is_hashCipher(cipherInfo->mode)) {
+        TIMESTART();
+        rv = (*cipherInfo->cipher.hashCipher)(cipherInfo->output.pBuf.data,
+                                              cipherInfo->input.pBuf.data,
+                                              cipherInfo->input.pBuf.len);
+        TIMEFINISH(cipherInfo->optime, 1.0);
+        CHECKERROR(rv, __LINE__);
+        cipherInfo->repetitions = 0;
+        if (cipherInfo->repetitionsToPerfom != 0) {
+            TIMESTART();
+            for (i=0; i<cipherInfo->repetitionsToPerfom;
+                 i++, cipherInfo->repetitions++) {
+                (*cipherInfo->cipher.hashCipher)(dummyOut,
+                                                 cipherInfo->input.pBuf.data,
+                                                 cipherInfo->input.pBuf.len);
+                CHECKERROR(rv, __LINE__);
+            }
+        } else {
+            int opsBetweenChecks = 0;
+            TIMEMARK(cipherInfo->seconds);
+            while (! (TIMETOFINISH())) {
+                int j = 0;
+                for (;j < opsBetweenChecks;j++) {
+                    bltestIO *input = &cipherInfo->input;
+                    (*cipherInfo->cipher.hashCipher)(dummyOut,
+                                                     input->pBuf.data,
+                                                     input->pBuf.len);
+                    CHECKERROR(rv, __LINE__);
+                }
+                cipherInfo->repetitions += j;
+            }
+        }
+        TIMEFINISH(cipherInfo->optime, 1.0);
+    }
+    PORT_Free(dummyOut);
+    return rv;
+}
+
+SECStatus
+cipherFinish(bltestCipherInfo *cipherInfo)
+{
+    switch (cipherInfo->mode) {
+    case bltestDES_ECB:
+    case bltestDES_CBC:
+    case bltestDES_EDE_ECB:
+    case bltestDES_EDE_CBC:
+	DES_DestroyContext((DESContext *)cipherInfo->cx, PR_TRUE);
+	break;
+    case bltestAES_ECB:
+    case bltestAES_CBC:
+	AES_DestroyContext((AESContext *)cipherInfo->cx, PR_TRUE);
+	break;
+    case bltestCAMELLIA_ECB:
+    case bltestCAMELLIA_CBC:
+	Camellia_DestroyContext((CamelliaContext *)cipherInfo->cx, PR_TRUE);
+	break;
+    case bltestRC2_ECB:
+    case bltestRC2_CBC:
+	RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE);
+	break;
+    case bltestRC4:
+	RC4_DestroyContext((RC4Context *)cipherInfo->cx, PR_TRUE);
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case bltestRC5_ECB:
+    case bltestRC5_CBC:
+	RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
+	break;
+#endif
+    case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
+    case bltestDSA: /* will be freed with it. */
+#ifdef NSS_ENABLE_ECC
+    case bltestECDSA:
+#endif
+    case bltestMD2: /* hash contexts are ephemeral */
+    case bltestMD5:
+    case bltestSHA1:
+    case bltestSHA256:
+    case bltestSHA384:
+    case bltestSHA512:
+	return SECSuccess;
+	break;
+    default:
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+void
+print_exponent(SECItem *exp)
+{
+    int i;
+    int e = 0;
+    if (exp->len <= 4) {
+	for (i=exp->len; i >=0; --i) e |= exp->data[exp->len-i] << 8*(i-1);
+	fprintf(stdout, "%12d", e);
+    } else {
+	e = 8*exp->len;
+	fprintf(stdout, "~2**%-8d", e);
+    }
+}
+
+static void
+splitToReportUnit(PRInt64 res, int *resArr, int *del, int size)
+{
+    PRInt64 remaining = res, tmp = 0;
+    PRInt64 Ldel;
+    int i = -1;
+
+    while (remaining > 0 && ++i < size) {
+        LL_I2L(Ldel, del[i]);
+        LL_MOD(tmp, remaining, Ldel);
+        LL_L2I(resArr[i], tmp);
+        LL_DIV(remaining, remaining, Ldel);
+    }
+}
+
+static char*
+getHighUnitBytes(PRInt64 res)
+{
+    int spl[] = {0, 0, 0, 0};
+    int del[] = {1024, 1024, 1024, 1024};
+    char *marks[] = {"b", "Kb", "Mb", "Gb"};
+    int i = 3;
+
+    splitToReportUnit(res, spl, del, 4);
+
+    for (;i>0;i--) {
+        if (spl[i] != 0) {
+            break;
+        }
+    }
+
+    return PR_smprintf("%d%s", spl[i], marks[i]);
+}
+
+
+static void
+printPR_smpString(const char *sformat, char *reportStr,
+                  const char *nformat, PRInt64 rNum)
+{
+    if (reportStr) {
+        fprintf(stdout, sformat, reportStr);
+        PR_smprintf_free(reportStr);
+    } else {
+        int prnRes;
+        LL_L2I(prnRes, rNum);
+        fprintf(stdout, nformat, rNum);
+    }
+}
+
+static char*
+getHighUnitOps(PRInt64 res)
+{
+    int spl[] = {0, 0, 0, 0};
+    int del[] = {1000, 1000, 1000, 1000};
+    char *marks[] = {"", "T", "M", "B"};
+    int i = 3;
+
+    splitToReportUnit(res, spl, del, 4);
+
+    for (;i>0;i--) {
+        if (spl[i] != 0) {
+            break;
+        }
+    }
+
+    return PR_smprintf("%d%s", spl[i], marks[i]);
+}
+
+void
+dump_performance_info(bltestCipherInfo *infoList, double totalTimeInt,
+                      PRBool encrypt, PRBool cxonly)
+{
+    bltestCipherInfo *info = infoList;
+    
+    PRInt64 totalIn = 0;
+    PRBool td = PR_TRUE;
+
+    int   repetitions = 0;
+    int   cxreps = 0;
+    double cxtime = 0;
+    double optime = 0;
+    while (info != NULL) {
+        repetitions += info->repetitions;
+        cxreps += info->cxreps;
+        cxtime += info->cxtime;
+        optime += info->optime;
+        totalIn += (PRInt64) info->input.buf.len * (PRInt64) info->repetitions;
+        
+        info = info->next;
+    }
+    info = infoList;
+
+    fprintf(stdout, "#%9s", "mode");
+    fprintf(stdout, "%12s", "in");
+print_td:
+    switch (info->mode) {
+      case bltestDES_ECB:
+      case bltestDES_CBC:
+      case bltestDES_EDE_ECB:
+      case bltestDES_EDE_CBC:
+      case bltestAES_ECB:
+      case bltestAES_CBC:
+      case bltestCAMELLIA_ECB:
+      case bltestCAMELLIA_CBC:
+      case bltestRC2_ECB:
+      case bltestRC2_CBC:
+      case bltestRC4:
+          if (td)
+              fprintf(stdout, "%8s", "symmkey");
+          else
+              fprintf(stdout, "%8d", 8*info->params.sk.key.buf.len);
+          break;
+#if NSS_SOFTOKEN_DOES_RC5
+      case bltestRC5_ECB:
+      case bltestRC5_CBC:
+          if (info->params.sk.key.buf.len > 0)
+              printf("symmetric key(bytes)=%d,", info->params.sk.key.buf.len);
+          if (info->rounds > 0)
+              printf("rounds=%d,", info->params.rc5.rounds);
+          if (info->wordsize > 0)
+              printf("wordsize(bytes)=%d,", info->params.rc5.wordsize);
+          break;
+#endif
+      case bltestRSA:
+          if (td) {
+              fprintf(stdout, "%8s", "rsa_mod");
+              fprintf(stdout, "%12s", "rsa_pe");
+          } else {
+              fprintf(stdout, "%8d", info->params.rsa.keysizeInBits);
+              print_exponent(&info->params.rsa.rsakey->publicExponent);
+          }
+          break;
+      case bltestDSA:
+          if (td)
+              fprintf(stdout, "%8s", "pqg_mod");
+          else
+              fprintf(stdout, "%8d", PQG_INDEX_TO_PBITS(info->params.dsa.j));
+          break;
+#ifdef NSS_ENABLE_ECC
+      case bltestECDSA:
+          if (td)
+              fprintf(stdout, "%12s", "ec_curve");
+          else {
+	      ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
+              fprintf(stdout, "%12s",
+                      ecCurve_map[curveName]? ecCurve_map[curveName]->text:
+					      "Unsupported curve");
+	  }
+          break;
+#endif
+      case bltestMD2:
+      case bltestMD5:
+      case bltestSHA1:
+      case bltestSHA256:
+      case bltestSHA384:
+      case bltestSHA512:
+      default:
+          break;
+    }
+    if (!td) {
+        PRInt64 totalThroughPut;
+
+        printPR_smpString("%8s", getHighUnitOps(repetitions),
+                          "%8d", repetitions);
+
+        printPR_smpString("%8s", getHighUnitOps(cxreps), "%8d", cxreps);
+
+        fprintf(stdout, "%12.3f", cxtime);
+        fprintf(stdout, "%12.3f", optime);
+        fprintf(stdout, "%12.03f", totalTimeInt / 1000);
+
+        totalThroughPut = (PRInt64)(totalIn / totalTimeInt * 1000);
+        printPR_smpString("%12s", getHighUnitBytes(totalThroughPut),
+                          "%12d", totalThroughPut);
+
+        fprintf(stdout, "\n");
+        return;
+    }
+    
+    fprintf(stdout, "%8s", "opreps");
+    fprintf(stdout, "%8s", "cxreps");
+    fprintf(stdout, "%12s", "context");
+    fprintf(stdout, "%12s", "op");
+    fprintf(stdout, "%12s", "time(sec)");
+    fprintf(stdout, "%12s", "thrgput");
+    fprintf(stdout, "\n");
+    fprintf(stdout, "%8s", mode_strings[info->mode]);
+    fprintf(stdout, "_%c", (cxonly) ? 'c' : (encrypt) ? 'e' : 'd');
+    printPR_smpString("%12s", getHighUnitBytes(totalIn), "%12d", totalIn);
+    
+    td = !td;
+    goto print_td;
+}
+
+void
+printmodes()
+{
+    bltestCipherMode mode;
+    int nummodes = sizeof(mode_strings) / sizeof(char *);
+    fprintf(stderr, "%s: Available modes (specify with -m):\n", progName);
+    for (mode=0; mode<nummodes; mode++)
+	fprintf(stderr, "%s\n", mode_strings[mode]);
+}
+
+bltestCipherMode
+get_mode(const char *modestring)
+{
+    bltestCipherMode mode;
+    int nummodes = sizeof(mode_strings) / sizeof(char *);
+    for (mode=0; mode<nummodes; mode++)
+	if (PL_strcmp(modestring, mode_strings[mode]) == 0)
+	    return mode;
+    fprintf(stderr, "%s: invalid mode: %s\n", progName, modestring);
+    return bltestINVALID;
+}
+
+void
+load_file_data(PRArenaPool *arena, bltestIO *data,
+	       char *fn, bltestIOMode ioMode)
+{
+    PRFileDesc *file;
+    data->mode = ioMode;
+    data->file = NULL; /* don't use -- not saving anything */
+    data->pBuf.data = NULL;
+    data->pBuf.len = 0;
+    file = PR_Open(fn, PR_RDONLY, 00660);
+    if (file)
+	setupIO(arena, data, file, NULL, 0);
+}
+
+void
+get_params(PRArenaPool *arena, bltestParams *params, 
+	   bltestCipherMode mode, int j)
+{
+    char filename[256];
+    char *modestr = mode_strings[mode];
+#if NSS_SOFTOKEN_DOES_RC5
+    FILE *file;
+    char *mark, *param, *val;
+    int index = 0;
+#endif
+    switch (mode) {
+    case bltestDES_CBC:
+    case bltestDES_EDE_CBC:
+    case bltestRC2_CBC:
+    case bltestAES_CBC:
+    case bltestCAMELLIA_CBC:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
+	load_file_data(arena, &params->sk.iv, filename, bltestBinary);
+    case bltestDES_ECB:
+    case bltestDES_EDE_ECB:
+    case bltestRC2_ECB:
+    case bltestRC4:
+    case bltestAES_ECB:
+    case bltestCAMELLIA_ECB:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+	load_file_data(arena, &params->sk.key, filename, bltestBinary);
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case bltestRC5_ECB:
+    case bltestRC5_CBC:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
+	load_file_data(arena, &params->sk.iv, filename, bltestBinary);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+	load_file_data(arena, &params->sk.key, filename, bltestBinary);
+	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
+			      "params", j);
+	file = fopen(filename, "r");
+	if (!file) return;
+	param = malloc(100);
+	len = fread(param, 1, 100, file);
+	while (index < len) {
+	    mark = PL_strchr(param, '=');
+	    *mark = '\0';
+	    val = mark + 1;
+	    mark = PL_strchr(val, '\n');
+	    *mark = '\0';
+	    if (PL_strcmp(param, "rounds") == 0) {
+		params->rc5.rounds = atoi(val);
+	    } else if (PL_strcmp(param, "wordsize") == 0) {
+		params->rc5.wordsize = atoi(val);
+	    }
+	    index += PL_strlen(param) + PL_strlen(val) + 2;
+	    param = mark + 1;
+	}
+	break;
+#endif
+    case bltestRSA:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+	load_file_data(arena, &params->rsa.key, filename, bltestBase64Encoded);
+	params->rsa.rsakey = rsakey_from_filedata(&params->key.buf);
+	break;
+    case bltestDSA:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+	load_file_data(arena, &params->dsa.key, filename, bltestBase64Encoded);
+	params->dsa.dsakey = dsakey_from_filedata(&params->key.buf);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "pqg", j);
+	load_file_data(arena, &params->dsa.pqgdata, filename,
+		       bltestBase64Encoded);
+	params->dsa.pqg = pqg_from_filedata(&params->dsa.pqgdata.buf);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "keyseed", j);
+	load_file_data(arena, &params->dsa.keyseed, filename, 
+	               bltestBase64Encoded);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
+	load_file_data(arena, &params->dsa.sigseed, filename, 
+	               bltestBase64Encoded);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
+	load_file_data(arena, &params->dsa.sig, filename, bltestBase64Encoded);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case bltestECDSA:
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+	load_file_data(arena, &params->ecdsa.key, filename, bltestBase64Encoded);
+	params->ecdsa.eckey = eckey_from_filedata(&params->key.buf);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
+	load_file_data(arena, &params->ecdsa.sigseed, filename, 
+	               bltestBase64Encoded);
+	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
+	load_file_data(arena, &params->ecdsa.sig, filename, bltestBase64Encoded);
+	break;
+#endif
+    case bltestMD2:
+    case bltestMD5:
+    case bltestSHA1:
+    case bltestSHA256:
+    case bltestSHA384:
+    case bltestSHA512:
+	/*params->hash.restart = PR_TRUE;*/
+	params->hash.restart = PR_FALSE;
+	break;
+    default:
+	break;
+    }
+}
+
+SECStatus
+verify_self_test(bltestIO *result, bltestIO *cmp, bltestCipherMode mode,
+		 PRBool forward, SECStatus sigstatus)
+{
+    int res;
+    char *modestr = mode_strings[mode];
+    res = SECITEM_CompareItem(&result->pBuf, &cmp->buf);
+    if (is_sigCipher(mode)) {
+	if (forward) {
+	    if (res == 0) {
+		printf("Signature self-test for %s passed.\n", modestr);
+	    } else {
+		printf("Signature self-test for %s failed!\n", modestr);
+	    }
+	} else {
+	    if (sigstatus == SECSuccess) {
+		printf("Verification self-test for %s passed.\n", modestr);
+	    } else {
+		printf("Verification self-test for %s failed!\n", modestr);
+	    }
+	}
+	return sigstatus;
+    } else if (is_hashCipher(mode)) {
+	if (res == 0) {
+	    printf("Hash self-test for %s passed.\n", modestr);
+	} else {
+	    printf("Hash self-test for %s failed!\n", modestr);
+	}
+    } else {
+	if (forward) {
+	    if (res == 0) {
+		printf("Encryption self-test for %s passed.\n", modestr);
+	    } else {
+		printf("Encryption self-test for %s failed!\n", modestr);
+	    }
+	} else {
+	    if (res == 0) {
+		printf("Decryption self-test for %s passed.\n", modestr);
+	    } else {
+		printf("Decryption self-test for %s failed!\n", modestr);
+	    }
+	}
+    }
+    return (res != 0);
+}
+
+static SECStatus
+blapi_selftest(bltestCipherMode *modes, int numModes, int inoff, int outoff,
+               PRBool encrypt, PRBool decrypt)
+{
+    bltestCipherInfo cipherInfo;
+    bltestIO pt, ct;
+    bltestCipherMode mode;
+    bltestParams *params;
+    int i, j, nummodes, numtests;
+    char *modestr;
+    char filename[256];
+    PRFileDesc *file;
+    PRArenaPool *arena;
+    SECItem item;
+    PRBool finished;
+    SECStatus rv = SECSuccess, srv;
+
+    PORT_Memset(&cipherInfo, 0, sizeof(cipherInfo));
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    cipherInfo.arena = arena;
+
+    finished = PR_FALSE;
+    nummodes = (numModes == 0) ? NUMMODES : numModes;
+    for (i=0; i < nummodes && !finished; i++) {
+	if (i == bltestRC5_ECB || i == bltestRC5_CBC) continue;
+	if (numModes > 0)
+	    mode = modes[i];
+	else
+	    mode = i;
+	if (mode == bltestINVALID) {
+	    fprintf(stderr, "%s: Skipping invalid mode.\n",progName);
+	    continue;
+	}
+	modestr = mode_strings[mode];
+	cipherInfo.mode = mode;
+	params = &cipherInfo.params;
+#ifdef TRACK_BLTEST_BUG
+	if (mode == bltestRSA) {
+	    fprintf(stderr, "[%s] Self-Testing RSA\n", __bltDBG);
+	}
+#endif
+	/* get the number of tests in the directory */
+	sprintf(filename, "%s/tests/%s/%s", testdir, modestr, "numtests");
+	file = PR_Open(filename, PR_RDONLY, 00660);
+	if (!file) {
+	    fprintf(stderr, "%s: File %s does not exist.\n", progName,filename);
+	    return SECFailure;
+	}
+	rv = SECU_FileToItem(&item, file);
+#ifdef TRACK_BLTEST_BUG
+	if (mode == bltestRSA) {
+	    fprintf(stderr, "[%s] Loaded data from %s\n", __bltDBG, filename);
+	}
+#endif
+	PR_Close(file);
+	/* loop over the tests in the directory */
+	numtests = 0;
+	for (j=0; j<item.len; j++) {
+	    if (!isdigit(item.data[j])) {
+		break;
+	    }
+	    numtests *= 10;
+	    numtests += (int) (item.data[j] - '0');
+	}
+	for (j=0; j<numtests; j++) {
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Executing self-test #%d\n", __bltDBG, j);
+	    }
+#endif
+	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
+			      "plaintext", j);
+	    load_file_data(arena, &pt, filename, 
+#ifdef NSS_ENABLE_ECC
+	                   ((mode == bltestDSA) || (mode == bltestECDSA))
+#else
+	                   (mode == bltestDSA)
+#endif
+	                   ? bltestBase64Encoded : bltestBinary);
+	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
+			      "ciphertext", j);
+	    load_file_data(arena, &ct, filename, bltestBase64Encoded);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Loaded data for  self-test #%d\n", __bltDBG, j);
+	    }
+#endif
+	    get_params(arena, params, mode, j);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Got parameters for #%d\n", __bltDBG, j);
+	    }
+#endif
+	    /* Forward Operation (Encrypt/Sign/Hash)
+	    ** Align the input buffer (plaintext) according to request
+	    ** then perform operation and compare to ciphertext
+	    */
+	    /* XXX for now */
+	    rv = SECSuccess;
+	    if (encrypt) {
+		bltestCopyIO(arena, &cipherInfo.input, &pt);
+		misalignBuffer(arena, &cipherInfo.input, inoff);
+		memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
+		rv |= cipherInit(&cipherInfo, PR_TRUE);
+		misalignBuffer(arena, &cipherInfo.output, outoff);
+#ifdef TRACK_BLTEST_BUG
+		if (mode == bltestRSA) {
+		    fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
+		}
+#endif
+		rv |= cipherDoOp(&cipherInfo);
+#ifdef TRACK_BLTEST_BUG
+		if (mode == bltestRSA) {
+		    fprintf(stderr, "[%s] Performed encrypt for #%d\n", __bltDBG, j);
+		}
+#endif
+		rv |= cipherFinish(&cipherInfo);
+#ifdef TRACK_BLTEST_BUG
+		if (mode == bltestRSA) {
+		    fprintf(stderr, "[%s] Finished encrypt for #%d\n", __bltDBG, j);
+		}
+#endif
+		rv |= verify_self_test(&cipherInfo.output, 
+		                       &ct, mode, PR_TRUE, 0);
+#ifdef TRACK_BLTEST_BUG
+		if (mode == bltestRSA) {
+		    fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
+		}
+#endif
+		/* If testing hash, only one op to test */
+		if (is_hashCipher(mode))
+		    continue;
+		/*if (rv) return rv;*/
+	    }
+	    if (!decrypt)
+		continue;
+	    /* XXX for now */
+	    rv = SECSuccess;
+	    /* Reverse Operation (Decrypt/Verify)
+	    ** Align the input buffer (ciphertext) according to request
+	    ** then perform operation and compare to plaintext
+	    */
+#ifdef NSS_ENABLE_ECC
+	    if ((mode != bltestDSA) && (mode != bltestECDSA))
+#else
+	    if (mode != bltestDSA)
+#endif
+		bltestCopyIO(arena, &cipherInfo.input, &ct);
+	    else
+		bltestCopyIO(arena, &cipherInfo.input, &pt);
+	    misalignBuffer(arena, &cipherInfo.input, inoff);
+	    memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
+	    rv |= cipherInit(&cipherInfo, PR_FALSE);
+	    misalignBuffer(arena, &cipherInfo.output, outoff);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
+	    }
+#endif
+	    srv = SECSuccess;
+	    srv |= cipherDoOp(&cipherInfo);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Performed decrypt for #%d\n", __bltDBG, j);
+	    }
+#endif
+	    rv |= cipherFinish(&cipherInfo);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Finished decrypt for #%d\n", __bltDBG, j);
+	    }
+#endif
+	    rv |= verify_self_test(&cipherInfo.output, 
+	                           &pt, mode, PR_FALSE, srv);
+#ifdef TRACK_BLTEST_BUG
+	    if (mode == bltestRSA) {
+		fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
+	    }
+#endif
+	    /*if (rv) return rv;*/
+	}
+    }
+    return rv;
+}
+
+SECStatus
+dump_file(bltestCipherMode mode, char *filename)
+{
+    bltestIO keydata;
+    PRArenaPool *arena = NULL;
+    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+    if (mode == bltestRSA) {
+	RSAPrivateKey *key;
+	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
+	key = rsakey_from_filedata(&keydata.buf);
+	dump_rsakey(key);
+    } else if (mode == bltestDSA) {
+#if 0
+	PQGParams *pqg;
+	get_file_data(filename, &item, PR_TRUE);
+	pqg = pqg_from_filedata(&item);
+	dump_pqg(pqg);
+#endif
+	DSAPrivateKey *key;
+	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
+	key = dsakey_from_filedata(&keydata.buf);
+	dump_dsakey(key);
+#ifdef NSS_ENABLE_ECC
+    } else if (mode == bltestECDSA) {
+	ECPrivateKey *key;
+	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
+	key = eckey_from_filedata(&keydata.buf);
+	dump_eckey(key);
+#endif
+    }
+    PORT_FreeArena(arena, PR_FALSE);
+    return SECFailure;
+}
+
+void ThreadExecTest(void *data)
+{
+    bltestCipherInfo *cipherInfo = (bltestCipherInfo*)data;
+
+    if (cipherInfo->mCarlo == PR_TRUE) {
+        int mciter;
+        for (mciter=0; mciter<10000; mciter++) {
+            cipherDoOp(cipherInfo);
+            memcpy(cipherInfo->input.buf.data,
+                   cipherInfo->output.buf.data,
+                   cipherInfo->input.buf.len);
+        }
+    } else {
+        cipherDoOp(cipherInfo);
+    }
+    cipherFinish(cipherInfo);
+}
+
+/* bltest commands */
+enum {
+    cmd_Decrypt = 0,
+    cmd_Encrypt,
+    cmd_FIPS,
+    cmd_Hash,
+    cmd_Nonce,
+    cmd_Dump,
+    cmd_Sign,
+    cmd_SelfTest,
+    cmd_Verify
+};
+
+/* bltest options */
+enum {
+    opt_B64 = 0,
+    opt_BufSize,
+    opt_Restart,
+    opt_SelfTestDir,
+    opt_Exponent,
+    opt_SigFile,
+    opt_KeySize,
+    opt_Hex,
+    opt_Input,
+    opt_PQGFile,
+    opt_Key,
+    opt_HexWSpc,
+    opt_Mode,
+#ifdef NSS_ENABLE_ECC
+    opt_CurveName,
+#endif
+    opt_Output,
+    opt_Repetitions,
+    opt_ZeroBuf,
+    opt_Rounds,
+    opt_Seed,
+    opt_SigSeedFile,
+    opt_CXReps,
+    opt_IV,
+    opt_WordSize,
+    opt_UseSeed,
+    opt_UseSigSeed,
+    opt_SeedFile,
+    opt_InputOffset,
+    opt_OutputOffset,
+    opt_MonteCarlo,
+    opt_ThreadNum,
+    opt_SecondsToRun,
+    opt_CmdLine
+};
+
+static secuCommandFlag bltest_commands[] =
+{
+    { /* cmd_Decrypt	*/ 'D', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Encrypt	*/ 'E', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_FIPS	*/ 'F', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Hash	*/ 'H', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Nonce      */ 'N', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Dump	*/ 'P', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Sign	*/ 'S', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_SelfTest	*/ 'T', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Verify	*/ 'V', PR_FALSE, 0, PR_FALSE }
+};
+
+static secuCommandFlag bltest_options[] =
+{
+    { /* opt_B64	  */ 'a', PR_FALSE, 0, PR_FALSE },
+    { /* opt_BufSize	  */ 'b', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Restart	  */ 'c', PR_FALSE, 0, PR_FALSE },
+    { /* opt_SelfTestDir  */ 'd', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Exponent	  */ 'e', PR_TRUE,  0, PR_FALSE },
+    { /* opt_SigFile      */ 'f', PR_TRUE,  0, PR_FALSE },
+    { /* opt_KeySize	  */ 'g', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Hex	  */ 'h', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Input	  */ 'i', PR_TRUE,  0, PR_FALSE },
+    { /* opt_PQGFile	  */ 'j', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Key	  */ 'k', PR_TRUE,  0, PR_FALSE },
+    { /* opt_HexWSpc	  */ 'l', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Mode	  */ 'm', PR_TRUE,  0, PR_FALSE },
+#ifdef NSS_ENABLE_ECC
+    { /* opt_CurveName	  */ 'n', PR_TRUE,  0, PR_FALSE },
+#endif
+    { /* opt_Output	  */ 'o', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Repetitions  */ 'p', PR_TRUE,  0, PR_FALSE },
+    { /* opt_ZeroBuf	  */ 'q', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Rounds	  */ 'r', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Seed	  */ 's', PR_TRUE,  0, PR_FALSE },
+    { /* opt_SigSeedFile  */ 't', PR_TRUE,  0, PR_FALSE },
+    { /* opt_CXReps       */ 'u', PR_TRUE,  0, PR_FALSE },
+    { /* opt_IV		  */ 'v', PR_TRUE,  0, PR_FALSE },
+    { /* opt_WordSize	  */ 'w', PR_TRUE,  0, PR_FALSE },
+    { /* opt_UseSeed	  */ 'x', PR_FALSE, 0, PR_FALSE },
+    { /* opt_UseSigSeed	  */ 'y', PR_FALSE, 0, PR_FALSE },
+    { /* opt_SeedFile	  */ 'z', PR_FALSE, 0, PR_FALSE },
+    { /* opt_InputOffset  */ '1', PR_TRUE,  0, PR_FALSE },
+    { /* opt_OutputOffset */ '2', PR_TRUE,  0, PR_FALSE },
+    { /* opt_MonteCarlo   */ '3', PR_FALSE, 0, PR_FALSE },
+    { /* opt_ThreadNum    */ '4', PR_TRUE,  0, PR_FALSE },
+    { /* opt_SecondsToRun */ '5', PR_TRUE,  0, PR_FALSE },
+    { /* opt_CmdLine	  */ '-', PR_FALSE, 0, PR_FALSE }
+};
+
+int main(int argc, char **argv)
+{
+    char *infileName, *outfileName, *keyfileName, *ivfileName;
+    SECStatus rv = SECFailure;
+
+    double              totalTime;
+    PRIntervalTime      time1, time2;
+    PRFileDesc          *outfile;           
+    bltestCipherInfo    *cipherInfoListHead, *cipherInfo;
+    bltestIOMode        ioMode;
+    int                 bufsize, exponent, curThrdNum;
+#ifdef NSS_ENABLE_ECC
+    char		*curveName = NULL;
+#endif
+    int			 i, commandsEntered;
+    int			 inoff, outoff;
+    int                  threads = 1;
+
+    secuCommand bltest;
+    bltest.numCommands = sizeof(bltest_commands) / sizeof(secuCommandFlag);
+    bltest.numOptions = sizeof(bltest_options) / sizeof(secuCommandFlag);
+    bltest.commands = bltest_commands;
+    bltest.options = bltest_options;
+
+    progName = strrchr(argv[0], '/');
+    if (!progName) 
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = RNG_RNGInit();
+    if (rv != SECSuccess) {
+    	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+    RNG_SystemInfoForRNG();
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &bltest);
+    if (rv == SECFailure) {
+        fprintf(stderr, "%s: command line parsing error!\n", progName);
+        goto print_usage;
+    }
+    rv = SECFailure;
+
+    cipherInfo = PORT_ZNew(bltestCipherInfo);
+    cipherInfoListHead = cipherInfo;
+    /* set some defaults */
+    infileName = outfileName = keyfileName = ivfileName = NULL;
+
+    /* Check the number of commands entered on the command line. */
+    commandsEntered = 0;
+    for (i=0; i<bltest.numCommands; i++)
+	if (bltest.commands[i].activated)
+	    commandsEntered++;
+
+    if (commandsEntered > 1 &&
+	!(commandsEntered == 2 && bltest.commands[cmd_SelfTest].activated)) {
+	fprintf(stderr, "%s: one command at a time!\n", progName);
+        goto print_usage;
+    }
+
+    if (commandsEntered == 0) {
+	fprintf(stderr, "%s: you must enter a command!\n", progName);
+        goto print_usage;
+    }
+
+    if (bltest.commands[cmd_Sign].activated)
+	bltest.commands[cmd_Encrypt].activated = PR_TRUE;
+    if (bltest.commands[cmd_Verify].activated)
+	bltest.commands[cmd_Decrypt].activated = PR_TRUE;
+    if (bltest.commands[cmd_Hash].activated)
+	bltest.commands[cmd_Encrypt].activated = PR_TRUE;
+
+    inoff = outoff = 0;
+    if (bltest.options[opt_InputOffset].activated)
+	inoff = PORT_Atoi(bltest.options[opt_InputOffset].arg);
+    if (bltest.options[opt_OutputOffset].activated)
+	outoff = PORT_Atoi(bltest.options[opt_OutputOffset].arg);
+
+    testdir = (bltest.options[opt_SelfTestDir].activated) ? 
+                 strdup(bltest.options[opt_SelfTestDir].arg) : ".";
+
+    /*
+     * Handle three simple cases first
+     */
+
+    /* Do BLAPI self-test */
+    if (bltest.commands[cmd_SelfTest].activated) {
+	PRBool encrypt = PR_TRUE, decrypt = PR_TRUE;
+	/* user may specified a set of ciphers to test.  parse them. */
+	bltestCipherMode modesToTest[NUMMODES];
+	int numModesToTest = 0;
+	char *tok, *str;
+	str = bltest.options[opt_Mode].arg;
+	while (str) {
+	    tok = strchr(str, ',');
+	    if (tok) *tok = '\0';
+	    modesToTest[numModesToTest++] = get_mode(str);
+	    if (tok) {
+		*tok = ',';
+		str = tok + 1;
+	    } else {
+		break;
+	    }
+	}
+	if (bltest.commands[cmd_Decrypt].activated &&
+	    !bltest.commands[cmd_Encrypt].activated)
+	    encrypt = PR_FALSE;
+	if (bltest.commands[cmd_Encrypt].activated &&
+	    !bltest.commands[cmd_Decrypt].activated)
+	    decrypt = PR_FALSE;
+	rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
+                            encrypt, decrypt);
+        PORT_Free(cipherInfo);
+        return rv;
+    }
+
+    /* Do FIPS self-test */
+    if (bltest.commands[cmd_FIPS].activated) {
+	CK_RV ckrv = sftk_fipsPowerUpSelfTest();
+	fprintf(stdout, "CK_RV: %ld.\n", ckrv);
+        PORT_Free(cipherInfo);
+        if (ckrv == CKR_OK)
+            return SECSuccess;
+        return SECFailure;
+    }
+
+    /*
+     * Check command line arguments for Encrypt/Decrypt/Hash/Sign/Verify
+     */
+
+    if ((bltest.commands[cmd_Decrypt].activated ||
+	 bltest.commands[cmd_Verify].activated) &&
+	bltest.options[opt_BufSize].activated) {
+	fprintf(stderr, "%s: Cannot use a nonce as input to decrypt/verify.\n",
+			 progName);
+        goto print_usage;
+    }
+
+    if (bltest.options[opt_Mode].activated) {
+	cipherInfo->mode = get_mode(bltest.options[opt_Mode].arg);
+	if (cipherInfo->mode == bltestINVALID) {
+            goto print_usage;
+	}
+    } else {
+	fprintf(stderr, "%s: You must specify a cipher mode with -m.\n",
+			 progName);
+        goto print_usage;
+    }
+
+    
+    if (bltest.options[opt_Repetitions].activated &&
+        bltest.options[opt_SecondsToRun].activated) {
+        fprintf(stderr, "%s: Operation time should be defined in either "
+                "repetitions(-p) or seconds(-5) not both",
+                progName);
+        goto print_usage;
+    }
+
+    if (bltest.options[opt_Repetitions].activated) {
+        cipherInfo->repetitionsToPerfom =
+            PORT_Atoi(bltest.options[opt_Repetitions].arg);
+    } else {
+        cipherInfo->repetitionsToPerfom = 0;
+    }
+
+    if (bltest.options[opt_SecondsToRun].activated) {
+        cipherInfo->seconds = PORT_Atoi(bltest.options[opt_SecondsToRun].arg);
+    } else {
+        cipherInfo->seconds = 0;
+    }
+
+
+    if (bltest.options[opt_CXReps].activated) {
+        cipherInfo->cxreps = PORT_Atoi(bltest.options[opt_CXReps].arg);
+    } else {
+        cipherInfo->cxreps = 0;
+    }
+
+    if (bltest.options[opt_ThreadNum].activated) {
+        threads = PORT_Atoi(bltest.options[opt_ThreadNum].arg);
+        if (threads <= 0) {
+            threads = 1;
+        }
+    }
+
+    /* Dump a file (rsakey, dsakey, etc.) */
+    if (bltest.commands[cmd_Dump].activated) {
+        rv = dump_file(cipherInfo->mode, bltest.options[opt_Input].arg);
+        PORT_Free(cipherInfo);
+        return rv;
+    }
+
+    /* default input mode is binary */
+    ioMode = (bltest.options[opt_B64].activated)     ? bltestBase64Encoded :
+	     (bltest.options[opt_Hex].activated)     ? bltestHexStream :
+	     (bltest.options[opt_HexWSpc].activated) ? bltestHexSpaceDelim :
+						       bltestBinary;
+
+    if (bltest.options[opt_Exponent].activated)
+	exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
+    else
+	exponent = 65537;
+
+#ifdef NSS_ENABLE_ECC
+    if (bltest.options[opt_CurveName].activated)
+	curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
+    else
+	curveName = NULL;
+#endif
+
+    if (bltest.commands[cmd_Verify].activated &&
+        !bltest.options[opt_SigFile].activated) {
+        fprintf(stderr, "%s: You must specify a signature file with -f.\n",
+                progName);
+
+      print_usage:
+        PORT_Free(cipherInfo);
+        Usage();
+    }
+
+    if (bltest.options[opt_MonteCarlo].activated) {
+        cipherInfo->mCarlo = PR_TRUE;
+    } else {
+        cipherInfo->mCarlo = PR_FALSE;
+    }
+
+    for (curThrdNum = 0;curThrdNum < threads;curThrdNum++) {
+        int            keysize = 0;
+        PRFileDesc     *file = NULL, *infile;
+        bltestParams   *params;
+        char           *instr = NULL;
+        PRArenaPool    *arena;
+
+        if (curThrdNum > 0) {
+            bltestCipherInfo *newCInfo = PORT_ZNew(bltestCipherInfo);
+            if (!newCInfo) {
+                fprintf(stderr, "%s: Can not allocate  memory.\n", progName);
+                goto exit_point;
+            }
+            newCInfo->mode = cipherInfo->mode;
+            newCInfo->mCarlo = cipherInfo->mCarlo;
+            newCInfo->repetitionsToPerfom =
+                cipherInfo->repetitionsToPerfom;
+            newCInfo->seconds = cipherInfo->seconds;
+            newCInfo->cxreps = cipherInfo->cxreps;
+            cipherInfo->next = newCInfo;
+            cipherInfo = newCInfo;
+        }
+        arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+        if (!arena) {
+            fprintf(stderr, "%s: Can not allocate memory.\n", progName);
+            goto exit_point;
+        }
+        cipherInfo->arena = arena;
+        params = &cipherInfo->params;
+        
+        /* Set up an encryption key. */
+        keysize = 0;
+        file = NULL;
+        if (is_symmkeyCipher(cipherInfo->mode)) {
+            char *keystr = NULL;  /* if key is on command line */
+            if (bltest.options[opt_Key].activated) {
+                if (bltest.options[opt_CmdLine].activated) {
+                    keystr = bltest.options[opt_Key].arg;
+                } else {
+                    file = PR_Open(bltest.options[opt_Key].arg,
+                                   PR_RDONLY, 00660);
+                }
+            } else {
+                if (bltest.options[opt_KeySize].activated)
+                    keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
+                else
+                    keysize = 8; /* use 64-bit default (DES) */
+                /* save the random key for reference */
+                file = PR_Open("tmp.key", PR_WRONLY|PR_CREATE_FILE, 00660);
+            }
+            params->key.mode = ioMode;
+            setupIO(cipherInfo->arena, &params->key, file, keystr, keysize);
+            if (file)
+                PR_Close(file);
+        } else if (is_pubkeyCipher(cipherInfo->mode)) {
+            if (bltest.options[opt_Key].activated) {
+                file = PR_Open(bltest.options[opt_Key].arg, PR_RDONLY, 00660);
+            } else {
+                if (bltest.options[opt_KeySize].activated)
+                    keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
+                else
+                    keysize = 64; /* use 512-bit default */
+                file = PR_Open("tmp.key", PR_WRONLY|PR_CREATE_FILE, 00660);
+            }
+            params->key.mode = bltestBase64Encoded;
+#ifdef NSS_ENABLE_ECC
+            pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
+#else
+            pubkeyInitKey(cipherInfo, file, keysize, exponent);
+#endif
+            PR_Close(file);
+        }
+
+        /* set up an initialization vector. */
+        if (cipher_requires_IV(cipherInfo->mode)) {
+            char *ivstr = NULL;
+            bltestSymmKeyParams *skp;
+            file = NULL;
+            if (cipherInfo->mode == bltestRC5_CBC)
+                skp = (bltestSymmKeyParams *)&params->rc5;
+            else
+                skp = &params->sk;
+            if (bltest.options[opt_IV].activated) {
+                if (bltest.options[opt_CmdLine].activated) {
+                    ivstr = bltest.options[opt_IV].arg;
+                } else {
+                    file = PR_Open(bltest.options[opt_IV].arg,
+                                   PR_RDONLY, 00660);
+                }
+            } else {
+                /* save the random iv for reference */
+                file = PR_Open("tmp.iv", PR_WRONLY|PR_CREATE_FILE, 00660);
+            }
+            memset(&skp->iv, 0, sizeof skp->iv);
+            skp->iv.mode = ioMode;
+            setupIO(cipherInfo->arena, &skp->iv, file, ivstr, keysize);
+            if (file) {
+                PR_Close(file);
+            }
+        }
+        
+        if (bltest.commands[cmd_Verify].activated) {
+            file = PR_Open(bltest.options[opt_SigFile].arg, PR_RDONLY, 00660);
+            if (cipherInfo->mode == bltestDSA) {
+                memset(&cipherInfo->params.dsa.sig, 0, sizeof(bltestIO));
+                cipherInfo->params.dsa.sig.mode = ioMode;
+                setupIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
+                        file, NULL, 0);
+#ifdef NSS_ENABLE_ECC
+            } else if (cipherInfo->mode == bltestECDSA) {
+                memset(&cipherInfo->params.ecdsa.sig, 0, sizeof(bltestIO));
+                cipherInfo->params.ecdsa.sig.mode = ioMode;
+                setupIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig,
+                        file, NULL, 0);
+#endif
+            }
+            if (file) {
+                PR_Close(file);
+            }
+        }
+        
+        if (bltest.options[opt_PQGFile].activated) {
+            file = PR_Open(bltest.options[opt_PQGFile].arg, PR_RDONLY, 00660);
+            params->dsa.pqgdata.mode = bltestBase64Encoded;
+            setupIO(cipherInfo->arena, &params->dsa.pqgdata, file, NULL, 0);
+            if (file) {
+                PR_Close(file);
+            }
+        }
+
+        /* Set up the input buffer */
+        if (bltest.options[opt_Input].activated) {
+            if (bltest.options[opt_CmdLine].activated) {
+                instr = bltest.options[opt_Input].arg;
+                infile = NULL;
+            } else {
+                /* form file name from testdir and input arg. */
+                char * filename = bltest.options[opt_Input].arg;
+                if (bltest.options[opt_SelfTestDir].activated && 
+                    testdir && filename && filename[0] != '/') {
+                    filename = PR_smprintf("%s/tests/%s/%s", testdir, 
+                                           mode_strings[cipherInfo->mode],
+                                           filename);
+                    if (!filename) {
+                        fprintf(stderr, "%s: Can not allocate memory.\n",
+                                progName);
+                        goto exit_point;
+                    }
+                    infile = PR_Open(filename, PR_RDONLY, 00660);
+                    PR_smprintf_free(filename);
+                } else {
+                    infile = PR_Open(filename, PR_RDONLY, 00660);
+                }
+            }
+        } else if (bltest.options[opt_BufSize].activated) {
+            /* save the random plaintext for reference */
+            char *tmpFName = PR_smprintf("tmp.in.%d", curThrdNum);
+            if (!tmpFName) {
+                fprintf(stderr, "%s: Can not allocate memory.\n", progName);
+                goto exit_point;
+            }
+            infile = PR_Open(tmpFName, PR_WRONLY|PR_CREATE_FILE, 00660);
+            PR_smprintf_free(tmpFName);
+        } else {
+            infile = PR_STDIN;
+        }
+        if (!infile) {
+            fprintf(stderr, "%s: Failed to open input file.\n", progName);
+            goto exit_point;
+        }
+        cipherInfo->input.mode = ioMode;
+
+        /* Set up the output stream */
+        if (bltest.options[opt_Output].activated) {
+            /* form file name from testdir and input arg. */
+            char * filename = bltest.options[opt_Output].arg;
+            if (bltest.options[opt_SelfTestDir].activated && 
+                testdir && filename && filename[0] != '/') {
+                filename = PR_smprintf("%s/tests/%s/%s", testdir, 
+                                       mode_strings[cipherInfo->mode],
+                                       filename);
+                if (!filename) {
+                    fprintf(stderr, "%s: Can not allocate memory.\n", progName);
+                    goto exit_point;
+                }
+                outfile = PR_Open(filename, PR_WRONLY|PR_CREATE_FILE, 00660);
+                PR_smprintf_free(filename);
+            } else {
+                outfile = PR_Open(filename, PR_WRONLY|PR_CREATE_FILE, 00660);
+            }
+        } else {
+            outfile = PR_STDOUT;
+        }
+        if (!outfile) {
+            fprintf(stderr, "%s: Failed to open output file.\n", progName);
+            rv = SECFailure;
+            goto exit_point;
+        }
+        cipherInfo->output.mode = ioMode;
+        if (bltest.options[opt_SelfTestDir].activated && ioMode == bltestBinary)
+            cipherInfo->output.mode = bltestBase64Encoded;
+
+        if (is_hashCipher(cipherInfo->mode))
+            cipherInfo->params.hash.restart =
+                bltest.options[opt_Restart].activated;
+
+        bufsize = 0;
+        if (bltest.options[opt_BufSize].activated)
+            bufsize = PORT_Atoi(bltest.options[opt_BufSize].arg);
+
+        /*infile = NULL;*/
+        setupIO(cipherInfo->arena, &cipherInfo->input, infile, instr, bufsize);
+        if (infile && infile != PR_STDIN)
+            PR_Close(infile);
+        misalignBuffer(cipherInfo->arena, &cipherInfo->input, inoff);
+
+        cipherInit(cipherInfo, bltest.commands[cmd_Encrypt].activated);
+        misalignBuffer(cipherInfo->arena, &cipherInfo->output, outoff);
+    }
+
+    if (!bltest.commands[cmd_Nonce].activated) {
+        TIMESTART();
+        cipherInfo = cipherInfoListHead;
+        while (cipherInfo != NULL) {
+            cipherInfo->cipherThread = 
+                PR_CreateThread(PR_USER_THREAD,
+                                    ThreadExecTest,
+                                    cipherInfo,
+                                    PR_PRIORITY_NORMAL,
+                                    PR_GLOBAL_THREAD,
+                                    PR_JOINABLE_THREAD,
+                                    0);
+            cipherInfo = cipherInfo->next;
+        } 
+
+        cipherInfo = cipherInfoListHead;
+        while (cipherInfo != NULL) {
+            PR_JoinThread(cipherInfo->cipherThread);
+            finishIO(&cipherInfo->output, outfile);
+            cipherInfo = cipherInfo->next;
+        }
+        TIMEFINISH(totalTime, 1);
+    }
+    
+    cipherInfo = cipherInfoListHead;
+    if (cipherInfo->repetitions > 0 || cipherInfo->cxreps > 0 ||
+        threads > 1)
+        dump_performance_info(cipherInfoListHead, totalTime,
+                              bltest.commands[cmd_Encrypt].activated,
+	                      (cipherInfo->repetitions == 0));
+    
+    rv = SECSuccess;
+
+  exit_point:
+    if (outfile && outfile != PR_STDOUT)
+	PR_Close(outfile);
+    cipherInfo = cipherInfoListHead;
+    while (cipherInfo != NULL) {
+        bltestCipherInfo *tmpInfo = cipherInfo;
+
+        if (cipherInfo->arena)
+            PORT_FreeArena(cipherInfo->arena, PR_TRUE);
+        cipherInfo = cipherInfo->next;
+        PORT_Free(tmpInfo);
+    }
+
+    /*NSS_Shutdown();*/
+
+    return SECSuccess;
+}
diff --git a/security/nss/cmd/bltest/manifest.mn b/security/nss/cmd/bltest/manifest.mn
new file mode 100644
index 000000000..3c283af6d
--- /dev/null
+++ b/security/nss/cmd/bltest/manifest.mn
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+REQUIRES = seccmd dbm softoken
+
+INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+
+PROGRAM = bltest
+
+ USE_STATIC_LIBS = 1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	blapitest.c \
+	$(NULL)
+
diff --git a/security/nss/cmd/bltest/tests/README b/security/nss/cmd/bltest/tests/README
new file mode 100644
index 000000000..9982a2f15
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/README
@@ -0,0 +1,49 @@
+This directory contains a set of tests for each cipher supported by
+BLAPI.  Each subdirectory contains known plaintext and ciphertext pairs
+(and keys and/or iv's if needed).  The tests can be run as a full set
+with:
+    bltest -T
+or as subsets, for example:
+    bltest -T -m des_ecb,md2,rsa
+
+In each subdirectory, the plaintext, key, and iv are ascii, and treated
+as such.  The ciphertext is base64-encoded to avoid the hassle of binary
+files.
+
+To add a test, incremement the value in the numtests file.  Create a
+plaintext, key, and iv file, such that the name of the file is
+incrememted one from the last set of tests.  For example, if you are
+adding the second test, put your data in files named plaintext1, key1,
+and iv1 (ignoring key and iv if they are not needed, of course).  Make
+sure your key and iv are the correct number of bytes for your cipher (a
+trailing \n is okay, but any other trailing bytes will be used!).  Once
+you have your input data, create output data by running bltest on a
+trusted implementation.  For example, for a new DES ECB test, run
+    bltest -E -m des_ecb -i plaintext1 -k key1 -o ciphertext1 -a in the
+tests/des_ecb directory.  Then run
+    bltest -T des_ecb from the cmd/bltest directory in the tree of the
+implementation you want to test.
+
+Note that the -a option above is important, it tells bltest to expect
+the input to be straight ASCII, and not base64 encoded binary!
+
+Special cases:
+
+RC5:
+RC5 can take additional parameters, the number of rounds to perform and
+the wordsize to use.  The number of rounds is between is between 0 and
+255, and the wordsize is either is either 16, 32, or 64 bits (at this
+time only 32-bit is supported).  These parameters are specified in a
+paramsN file, where N is an index as above.  The format of the file is
+"rounds=R\nwordsize=W\n".
+
+public key modes (RSA and DSA):
+Asymmetric key ciphers use keys with special properties, so creating a
+key file with "Mozilla!" in it will not get you very far!  To create a
+public key, run bltest with the plaintext you want to encrypt, using a
+trusted implementation.  bltest will generate a key and store it in
+"tmp.key", rename that file to keyN.  For example:
+    bltest -E -m rsa -i plaintext0 -o ciphertext0 -e 65537 -g 32 -a
+    mv tmp.key key0
+
+[note: specifying a keysize (-g) when using RSA is important!]
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
new file mode 100644
index 000000000..040a397d7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
@@ -0,0 +1 @@
+oJLgOzZ1GiWt3DGo2sPKaA==

diff --git a/security/nss/cmd/bltest/tests/aes_cbc/iv0 b/security/nss/cmd/bltest/tests/aes_cbc/iv0
new file mode 100644
index 000000000..4e65bc034
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_cbc/iv0
@@ -0,0 +1 @@
+qwertyuiopasdfgh
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/key0 b/security/nss/cmd/bltest/tests/aes_cbc/key0
new file mode 100644
index 000000000..13911cc29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_cbc/key0
@@ -0,0 +1 @@
+fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/numtests b/security/nss/cmd/bltest/tests/aes_cbc/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_cbc/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/plaintext0 b/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
new file mode 100644
index 000000000..8d6a8d555
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
@@ -0,0 +1 @@
+0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
new file mode 100644
index 000000000..d6818c1d0
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
@@ -0,0 +1 @@
+PVuaCIiaKQhblgFCbVMTTg==

diff --git a/security/nss/cmd/bltest/tests/aes_ecb/key0 b/security/nss/cmd/bltest/tests/aes_ecb/key0
new file mode 100644
index 000000000..13911cc29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ecb/key0
@@ -0,0 +1 @@
+fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/numtests b/security/nss/cmd/bltest/tests/aes_ecb/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ecb/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/plaintext0 b/security/nss/cmd/bltest/tests/aes_ecb/plaintext0
new file mode 100644
index 000000000..8d6a8d555
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/aes_ecb/plaintext0
@@ -0,0 +1 @@
+0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0
new file mode 100644
index 000000000..e7895954a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0
@@ -0,0 +1 @@
+taydfPlRJe3wf8Td0xJ9Tw==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1
new file mode 100644
index 000000000..7dbd9b036
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1
@@ -0,0 +1 @@
+yoYCZwKnUMcS4ADHxnwObA==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2
new file mode 100644
index 000000000..007a2b0fa
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2
@@ -0,0 +1 @@
+T+Wn4cs1Sbqrh/XtNd4vzQ==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/iv0 b/security/nss/cmd/bltest/tests/camellia_cbc/iv0
new file mode 100644
index 000000000..4e65bc034
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/iv0
@@ -0,0 +1 @@
+qwertyuiopasdfgh
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key0 b/security/nss/cmd/bltest/tests/camellia_cbc/key0
new file mode 100644
index 000000000..13911cc29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/key0
@@ -0,0 +1 @@
+fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key1 b/security/nss/cmd/bltest/tests/camellia_cbc/key1
new file mode 100644
index 000000000..a9cb2f12f
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/key1
@@ -0,0 +1 @@
+fedcba9876543210fedcba98
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key2 b/security/nss/cmd/bltest/tests/camellia_cbc/key2
new file mode 100644
index 000000000..ab55fe2ee
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/key2
@@ -0,0 +1 @@
+fedcba9876543210fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/numtests b/security/nss/cmd/bltest/tests/camellia_cbc/numtests
new file mode 100644
index 000000000..00750edc0
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/numtests
@@ -0,0 +1 @@
+3
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0 b/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0
new file mode 100644
index 000000000..8d6a8d555
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0
@@ -0,0 +1 @@
+0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0
new file mode 100644
index 000000000..084ba780e
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0
@@ -0,0 +1 @@
+6v0CGxSwow3AhsyhunfdbQ==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1
new file mode 100644
index 000000000..dbd6e5f42
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1
@@ -0,0 +1 @@
+Nf1GwJiBtZT+VPJp+gBhPA==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2
new file mode 100644
index 000000000..0b278ce2a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2
@@ -0,0 +1 @@
+ilB/0K3SI86Oecwh7cruGA==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key0 b/security/nss/cmd/bltest/tests/camellia_ecb/key0
new file mode 100644
index 000000000..13911cc29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/key0
@@ -0,0 +1 @@
+fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key1 b/security/nss/cmd/bltest/tests/camellia_ecb/key1
new file mode 100644
index 000000000..a9cb2f12f
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/key1
@@ -0,0 +1 @@
+fedcba9876543210fedcba98
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key2 b/security/nss/cmd/bltest/tests/camellia_ecb/key2
new file mode 100644
index 000000000..ab55fe2ee
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/key2
@@ -0,0 +1 @@
+fedcba9876543210fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/numtests b/security/nss/cmd/bltest/tests/camellia_ecb/numtests
new file mode 100644
index 000000000..00750edc0
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/numtests
@@ -0,0 +1 @@
+3
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0 b/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0
new file mode 100644
index 000000000..8d6a8d555
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0
@@ -0,0 +1 @@
+0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0
new file mode 100644
index 000000000..61dae3192
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0
@@ -0,0 +1 @@
+KV3MDNGKWOc=
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/iv0 b/security/nss/cmd/bltest/tests/des3_cbc/iv0
new file mode 100644
index 000000000..97b5955f7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_cbc/iv0
@@ -0,0 +1 @@
+12345678
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/key0 b/security/nss/cmd/bltest/tests/des3_cbc/key0
new file mode 100644
index 000000000..588efd111
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_cbc/key0
@@ -0,0 +1 @@
+abcdefghijklmnopqrstuvwx
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/numtests b/security/nss/cmd/bltest/tests/des3_cbc/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_cbc/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/plaintext0 b/security/nss/cmd/bltest/tests/des3_cbc/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_cbc/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0
new file mode 100644
index 000000000..76dc820d3
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0
@@ -0,0 +1 @@
+RgckVNh4QcM=
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/key0 b/security/nss/cmd/bltest/tests/des3_ecb/key0
new file mode 100644
index 000000000..588efd111
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_ecb/key0
@@ -0,0 +1 @@
+abcdefghijklmnopqrstuvwx
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/numtests b/security/nss/cmd/bltest/tests/des3_ecb/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_ecb/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/plaintext0 b/security/nss/cmd/bltest/tests/des3_ecb/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des3_ecb/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/des_cbc/ciphertext0
new file mode 100644
index 000000000..67d2ad1aa
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_cbc/ciphertext0
@@ -0,0 +1 @@
+Perdg9FMYQ4=
diff --git a/security/nss/cmd/bltest/tests/des_cbc/iv0 b/security/nss/cmd/bltest/tests/des_cbc/iv0
new file mode 100644
index 000000000..97b5955f7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_cbc/iv0
@@ -0,0 +1 @@
+12345678
diff --git a/security/nss/cmd/bltest/tests/des_cbc/key0 b/security/nss/cmd/bltest/tests/des_cbc/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_cbc/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/des_cbc/numtests b/security/nss/cmd/bltest/tests/des_cbc/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_cbc/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/des_cbc/plaintext0 b/security/nss/cmd/bltest/tests/des_cbc/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_cbc/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/des_ecb/ciphertext0
new file mode 100644
index 000000000..8be22fa5c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_ecb/ciphertext0
@@ -0,0 +1 @@
+3bNoWzzNiFc=
diff --git a/security/nss/cmd/bltest/tests/des_ecb/key0 b/security/nss/cmd/bltest/tests/des_ecb/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_ecb/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/des_ecb/numtests b/security/nss/cmd/bltest/tests/des_ecb/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_ecb/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/des_ecb/plaintext0 b/security/nss/cmd/bltest/tests/des_ecb/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/des_ecb/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/dsa/ciphertext0 b/security/nss/cmd/bltest/tests/dsa/ciphertext0
new file mode 100644
index 000000000..8e7150562
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/ciphertext0
@@ -0,0 +1 @@
+fB0bnKWvjT6X5NIkZ5l/Y/DXZ6QNI6j0iPhR/ZERkfj67xRnTWY1cg==
diff --git a/security/nss/cmd/bltest/tests/dsa/key0 b/security/nss/cmd/bltest/tests/dsa/key0
new file mode 100644
index 000000000..e582eeb04
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/key0
@@ -0,0 +1,6 @@
+AAAAQI3ypJRJInaqPSV1m7BoacvqwNg6+40M98u4Mk8NeILl0HYvxbchDq/C6a2s

+Mqt6rElpPfv4NyTC7Ac27jHIApEAAAAUx3MhjHN+yO6ZO08t7TD0jtrOkV8AAABA

+Ym0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5Uhklyc

+xC6fb0ZLCIzFcq9T5teIAgAAAEAZExhx11sWEqgZ8p140bDXNG96p3u2KoWb/WxW

+ddqdIS06Nu8Wcu9mC4x8JVzA7HSFj7oz9EwGaZYwp2sDDuMzAAAAFCBwsyI9ujcv

+3hwP/HsuO0mLJgYU

diff --git a/security/nss/cmd/bltest/tests/dsa/keyseed0 b/security/nss/cmd/bltest/tests/dsa/keyseed0
new file mode 100644
index 000000000..6eea359db
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/keyseed0
@@ -0,0 +1 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAA=

diff --git a/security/nss/cmd/bltest/tests/dsa/numtests b/security/nss/cmd/bltest/tests/dsa/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/dsa/plaintext0 b/security/nss/cmd/bltest/tests/dsa/plaintext0
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/plaintext0
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/dsa/pqg0 b/security/nss/cmd/bltest/tests/dsa/pqg0
new file mode 100644
index 000000000..f16326ccc
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/pqg0
@@ -0,0 +1,4 @@
+AAAAQI3ypJRJInaqPSV1m7BoacvqwNg6+40M98u4Mk8NeILl0HYvxbchDq/C6a2s

+Mqt6rElpPfv4NyTC7Ac27jHIApEAAAAUx3MhjHN+yO6ZO08t7TD0jtrOkV8AAABA

+Ym0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5Uhklyc

+xC6fb0ZLCIzFcq9T5teIAg==

diff --git a/security/nss/cmd/bltest/tests/dsa/sigseed0 b/security/nss/cmd/bltest/tests/dsa/sigseed0
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/dsa/sigseed0
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/README b/security/nss/cmd/bltest/tests/ecdsa/README
new file mode 100644
index 000000000..764aeec81
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/README
@@ -0,0 +1,22 @@
+0  secp160k1
+1  secp160r1
+2  secp160r2
+3  nistk163
+4  sect163r1
+5  nistb163
+6  secp192k1
+7  nistp192
+8  secp224k1
+9  nistp224
+10 nistk233
+11 nistb233
+12 nistp256
+13 nistk283
+14 nistb283
+15 nistp384
+16 nistk409
+17 nistb409
+18 nistk571
+19 nistb571
+# the following tests are not yet implemented
+#20 nistp521
diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext0 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext0
new file mode 100644
index 000000000..14d8e0ece
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext0
@@ -0,0 +1 @@
+GoWqve3YezF7HOABQjioFL/3oq32oM9pHsGTQTJE7aFE62nItVqAdg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext1 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext1
new file mode 100644
index 000000000..4484aae61
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext1
@@ -0,0 +1 @@
+PM6xHbiwP6Xcb44mg7BHtaJvd8PkxgvHAB1sh2cF0so3naFf0Tj6vQ==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext10 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext10
new file mode 100644
index 000000000..a956d53a6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext10
@@ -0,0 +1,2 @@
+AF3bbyED08NTrUgKmag9HiuUbaW0skXA/Bp9RPjRAD6M0rp3nvLDKozI940jxPP1

+nWpHF7VcyCVzJeV6

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext11 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext11
new file mode 100644
index 000000000..8cc2c2623
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext11
@@ -0,0 +1,2 @@
+AOLrxy4FWd29ToUjOwLs6GyQ+dYZN6NkZ8oVO6dsAEXt55ePlCWZbOtmk6v9PrNG

+JOsY/MHnGhDeAGRl

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext12 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext12
new file mode 100644
index 000000000..5a05a7863
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext12
@@ -0,0 +1,2 @@
+aQHMte9cFByD9Ff3rZOPOtPI75luPoxemmgjXIgh/9jEeoTdDk8xuAYQUkayCfs+

+DpDaGnOLkfAyZ8GcuaCujg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext13 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext13
new file mode 100644
index 000000000..690c00a71
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext13
@@ -0,0 +1,2 @@
+AaeVCRJQPbpTqa1+zLd/8xAbkz3KKTr0dlS4tuGC8hc9j5esAeEv+7IklbA3v5Jz

+jC+nJy4p81iNO5E9H8nfGGckfQSiFzHG

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext14 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext14
new file mode 100644
index 000000000..fe527c625
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext14
@@ -0,0 +1,2 @@
+AgU0N7zJPg/1UxmCWD5Z+DqDqkRKjy4heFgayCyopb/u4XErAZArgsjashAxzMKC

+PSDJasPT90T5Va8sNtjXtSpHWxc2roV9

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext15 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext15
new file mode 100644
index 000000000..d1090942a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext15
@@ -0,0 +1,2 @@
+NXo8is+7lAoOwWGt7+GBbT/UX8LGs8TXEHBI+tX9311pJ4J3pfBYobgN0ZK6ZBtp

+dS6PkrPaQp0S9nrfTOS5uAH95eD1eymRfCbOnjTUKzLuIn53V17vRjdcDtLzrhzX

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext16 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext16
new file mode 100644
index 000000000..d5fe14482
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext16
@@ -0,0 +1,3 @@
+ADhxjBz/ACTy4GJlL0tYZpyNpC4DsXND9lJuU7x9N7g6gkpJyBPw3vBYU1olw6PH

+dnegpgAm4Gh6MCsZB4KBcLwl1wjt4B3p2eqEqDYn5fiie5f4XuRomvI92jR5Sb+I

+nBLCHIppt/Q=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext17 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext17
new file mode 100644
index 000000000..486bf664f
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext17
@@ -0,0 +1,3 @@
+AGhHQ6kfdZRgu1svQTXEIewvFVglnUy6ANPumyUbM14AEfRkCUNa1uzvhV1sbWYj

+qT3egQCA9MTjThDNJeDOvvL6hVVOryUv4+C3RtkpQGCtdml+CSsjVTej8h9JbMds

+Dme40b2G6fE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext18 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext18
new file mode 100644
index 000000000..7eeef3811
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext18
@@ -0,0 +1,3 @@
+AGBuqk48tufy0bKEWpu+xEHsmi+6KCfdwOSRwLDnpVetGe9AWknHDzeTSwe0QxcE

+RsEkUZGDpxfzUlCLSSSU+ErrYY/uyLV2AJTb3prB6A2YNwdmFGeRbDoxeOu7FuQA

+3gxBQhR+TGMuskeM+BdHFmFrwvTTdHCGzjTBa5S8mbgEJTfeik/it28T/9i+duZ8

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext19 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext19
new file mode 100644
index 000000000..ef8e5f381
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext19
@@ -0,0 +1,3 @@
+AaiotJfCiWU1d2LFe+t0CcWHDSF7EOlApWYJ+RNRSq8TbkXJIzi6abbb7BovtRwf

+i/COYwjS7OnkFQ6x5Pdrb7OZ0dTAdDRXAKtXWSKR20Y4fhnx/HUxisFwKrsCEQ3O

+uVtwDG8rh5V8zjBnCEcs5Iy9CsklucibR0PIyglVmW+ZuY42YNebuOC2VUKqHNF7

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext2 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext2
new file mode 100644
index 000000000..a3837a410
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext2
@@ -0,0 +1 @@
+Vli8Hau3xL8oder6ZdM9Y3fMd92jbguiMq6F+9CUjlUQXy5EwAVGeg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext20 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext20
new file mode 100644
index 000000000..67c99244a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext20
@@ -0,0 +1,3 @@
+ALAM5hGnex7TvBbSEzDlfv+n5g7aWyRyZsBbl2Y6wW1plSovbq2GcV6w1ZV1Vlot

+70zbqkKyNApvTi3xoD4Ens6pAeLMYDILwaQhnyJZWQv3etbWqUKJZNgfH1IDj03k

+n9hbjYLX3y4bc4CnrhOiv5Ab34s7M8wUYcjC+DbHwhLl/S6N

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext3 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext3
new file mode 100644
index 000000000..e9a480882
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext3
@@ -0,0 +1 @@
+AFohw5TN/dpmqbhp/T4z1Rl1boAUA6r9eEPJbYN0zf+eHZzyvezxqjxU

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext4 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext4
new file mode 100644
index 000000000..57ce239ab
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext4
@@ -0,0 +1 @@
+AtJdCPXn5yQW34jekhsnsNmaMOeeA3KIVl1d2+7pb6QycUAzYccgwSrp

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext5 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext5
new file mode 100644
index 000000000..e476c80bf
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext5
@@ -0,0 +1 @@
+AzEg0sOGHwxd0o3cv+o9dsRPOzXMAdpgtI6O0uUmVN2+a5qI5FYQlItz

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext6 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext6
new file mode 100644
index 000000000..bdea7171d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext6
@@ -0,0 +1 @@
+5+HDXH/ieN8Bzxd3dfxKZoqbbhsm7jyeqWdemt6Xy0kx+7zwSYsh9Ng5KRdy6wtA

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext7 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext7
new file mode 100644
index 000000000..3273fd9f7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext7
@@ -0,0 +1 @@
+WcS9umnUASP0X6lHvkWJwPY37ZVvAMLBERHLjL3Vzg6QVjwcS8kDVortTFei3aTx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext8 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext8
new file mode 100644
index 000000000..636392e43
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext8
@@ -0,0 +1,2 @@
+ItpmPaGAaoe2feXPbh5+EASLGnEzyYbEnwJ+JFNSOQcoY4a/cMV2rn8FYyBsEDiZ

+LPDBU0i2uOg=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext9 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext9
new file mode 100644
index 000000000..0c43fa3d7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/ciphertext9
@@ -0,0 +1,2 @@
+QjzCVGRUjulOLqeBqC5xpY0GWomOrmQUCtImY0czn98a/jHrdgsSRKiMHukBUxM1

+TIRGjkV2L+A=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key0 b/security/nss/cmd/bltest/tests/ecdsa/key0
new file mode 100644
index 000000000..7c6d61b36
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key0
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAAkAAAApBPiF0ntSFtn41JULxlA1l/lHE/zUPGJWkCqtdOryS6yD

+WFCoF/IHwHsAAAAUcw+b2b1AJUlmezgu5EjmAGPC0YQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key1 b/security/nss/cmd/bltest/tests/ecdsa/key1
new file mode 100644
index 000000000..049aa1edb
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key1
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAAgAAAApBI80VWK9xatmkFRiDTcdeFQ0T9h3h6iVOinMURyWZw0T

+5vZqd8/gvwwAAAAUYOQMjDdtNSL5zY0nVWPWY+UJoqQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key10 b/security/nss/cmd/bltest/tests/ecdsa/key10
new file mode 100644
index 000000000..3e3341714
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key10
@@ -0,0 +1,3 @@
+AAAABwYFK4EEABoAAAA9BACmzalMQJBOWV2FoyV0tXSpT07Xajq4bB1SUwSY7QGn

+dgGC3GBqjPs9vEpqfMMQ2M9k3+5oubWnexNFhQAAAB4BRha/6sE7VSHl92ZqCj5p

+LYtBpK23jzfdVWO8SAY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key11 b/security/nss/cmd/bltest/tests/ecdsa/key11
new file mode 100644
index 000000000..6111d52ad
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key11
@@ -0,0 +1,3 @@
+AAAABwYFK4EEABsAAAA9BAD2/x9HSYYVEQ9AU4MivlIKPypJjsm0sTrp8BftlQGv

+KaYrKpZCg/CEw3C2kqvke7HAu+10hafK9asRxQAAAB4AXyFCurtsXhahkyJpkb5J

+LUg3xVL00vviR0KyFZY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key12 b/security/nss/cmd/bltest/tests/ecdsa/key12
new file mode 100644
index 000000000..491fdba1b
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key12
@@ -0,0 +1,3 @@
+AAAACgYIKoZIzj0DAQcAAABBBNGB7n4kH15tKA/SMpetaQVqg6WxIuuUuMQT2tDX

+NN5jKZfaxD47NsTjTr3x3D5t1qRBYuL6VtdgIuxBIHGG9dcAAAAgaGjyZBL+LN3a

+7NkGiHJBfqh7XKNH0AnPF3vFWpostIQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key13 b/security/nss/cmd/bltest/tests/ecdsa/key13
new file mode 100644
index 000000000..fc8057a57
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key13
@@ -0,0 +1,3 @@
+AAAABwYFK4EEABAAAABJBAT3klWkt7+1Pr6QGEcvEIZplopwt1alrsJUThDOxvUF

+7KvBpQLVjB+DQTwYQnEREb/WFyRgUBuIbII0+zd/g0fLHE4PQ8SNlAAAACQFPsMX

+mqSVRreUVasUOIZQFB2jnpwCUyoq+xa9SRril5LeOCY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key14 b/security/nss/cmd/bltest/tests/ecdsa/key14
new file mode 100644
index 000000000..2e158236c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key14
@@ -0,0 +1,3 @@
+AAAABwYFK4EEABEAAABJBAf/ei/XCrFrMZLBp5BFkKZ3Odn+ZJu7QIAK32Ubuxmi

+xgWTewf2vv+KY5kHwsBYuBXmmnKe9Ak9zGP4Lykvgk5n5J6iUz5ycQAAACQAQHXa

+d29OqGxoDNCl9xETW3tAL/2hfZzstNuOPLm5kj4j1Dc=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key15 b/security/nss/cmd/bltest/tests/ecdsa/key15
new file mode 100644
index 000000000..a062f1f67
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key15
@@ -0,0 +1,4 @@
+AAAABwYFK4EEACIAAABhBLWMJG3t4khPYcsl3H492rAqukJ1RqJm27pqpN54rFGG

+r2VDwOfqb9tMninq8IyOh42eaaVOEPXXu4Q/ATWBEfrbTRBjTpzAE2SSPuQma0lM

+q0RSVECCgdBOKIhB0H6VxAAAADA3WPjUaMWCS9E5KbVDrEcf5CV5tCNNWJQkwjsA

+yALMCiXJqRVXwbq42WMuaELMW+g=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key16 b/security/nss/cmd/bltest/tests/ecdsa/key16
new file mode 100644
index 000000000..d2694ae41
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key16
@@ -0,0 +1,4 @@
+AAAABwYFK4EEACQAAABpBADkgknFgTPuirxQxFlqIK+vcARWzlpJR+qmyRyQsBiz

+Nh6Ws036xUKY9M8LxMIWXFNM6aIA2wxKsBF+HHD6oy27EAJSJOGbke/9F9Kv5AiW

+2RXA4mllUaxCNsuQ36PqUdqv4FeXxWTpAAAANAHTZloqhR0V4bfyaeo2hojcvY3T

+NO04ewNryBpsHZ0bhID0EfewYuwQmX00GYNfuV3mJ2w=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key17 b/security/nss/cmd/bltest/tests/ecdsa/key17
new file mode 100644
index 000000000..30be05774
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key17
@@ -0,0 +1,4 @@
+AAAABwYFK4EEACUAAABpBAAEE/bAmqCjO3FLvN93Q/UjDyDp2sj+F//buuf1hZ0K

+1rSOGXMLcBrqVa8R6UJ57F9/Yc0BCTylpJMXjfCr4eDczG4WOQk+5x8kpKQs5Q9U

+V3IolHDiQY/Nhn7o4UFn5/mF71T3qUqwAAAANAH/o7jEl9Bw+Arj9uQ7ZHkoPGgx

+t92UJg1r/lxa7UUd66iJfRI8n8yQH/sw56D1+CweeII=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key18 b/security/nss/cmd/bltest/tests/ecdsa/key18
new file mode 100644
index 000000000..bbdcb1371
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key18
@@ -0,0 +1,5 @@
+AAAABwYFK4EEACYAAACRBAffZTrfwIl0dciO2fui3UhZw6r+jnFh7gyER92gXL7+

+LzPgTHagd1vdQiIX4K8Dv76KN0BldiFuX5odP7qC26MUaiURDdWT0AWcPmumSSBH

+NXZYLLx5hQjW3BTNwV7v5bmUjezfgtuOCC30dQGs2GMgExAmiWRjTkiPrHg1SFKF

+3RklauOyMWauaVpEzh3c+wAAAEgAZvLs4/Rx7tS+QGH92fGGIxPWPbVYOpDKwabY

+poV2i1BD5Fxvw+eHlvxVOLmRPqRCPTfOLwAeNbHyt17U/BVZ8+svTChlzuA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key19 b/security/nss/cmd/bltest/tests/ecdsa/key19
new file mode 100644
index 000000000..31b4071f2
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key19
@@ -0,0 +1,5 @@
+AAAABwYFK4EEACcAAACRBASpPvOfQVqiMD+cBL/nulFit5pk/5beJ6/KpeIltg4s

+6/s7PPggJA59BP7RJwak6rgY3PsRqXVPjyM/1UkUfRUR2BJgOfNTkQe9WF7Y5zXy

+TM76cWhOP+sLSoUcscy/HTLCpHqRLLvWZPDzgjrfJqSlydMEDZjWsJRVPk9IfeQ/

+amGiWOhJIQd/bSrAazZn6AAAAEgFz1qZzjHuhuP1boJ7gzndJhQslx1efbESxHSc

+wbOpeBpw2MsCAwjtgo3Y8pviFIC8+5MStkFjE8uHQ0ngXc02wm3G0xj8XGQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key2 b/security/nss/cmd/bltest/tests/ecdsa/key2
new file mode 100644
index 000000000..f4ba6f2f2
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key2
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAB4AAAApBGouC+vgvmItzsLO4hXn+AXi3skEE+M19o/QHLfjibbA

+p7av8F4tcGgAAAAUmpQDUgnIkiXPBs0moD4jEmJHato=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key20 b/security/nss/cmd/bltest/tests/ecdsa/key20
new file mode 100644
index 000000000..c4da3486d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key20
@@ -0,0 +1,5 @@
+AAAABwYFK4EEACMAAACFBAHLMSpMFVyG6mXE7SZ5O5Bwv4d8/QiAB3BzpXkyrU1W

+jJ9O9uOYTXM+cFtF5v56+LsI4yGkaAl9+RF6lFPjrhpIswCmBmEqMBgZpjoz38my

+nLHBI9MaFF8AHkRQwD3LJLo4eSZHOVkdIvDYLwicdlgr0zD3Nf76/HB1+0DkBGqE

+MyG22gAAAEIAFah7z179UbqqdH68pzdZsP1ChXjtYZ11rBM0+HP7yLirxH3ahKTt

+DjsY19GEjz4gKsaLfLiQ1/Dp+VKVLcBKpk0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key3 b/security/nss/cmd/bltest/tests/ecdsa/key3
new file mode 100644
index 000000000..689e06bda
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key3
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAAEAAAArBAe4qW9DTVGRVIYYznwJZbn8mWXLugA2A+Mv112Bu+y7

+gxI8E4/fEdLTsQAAABUGEQDNcbxi0JhwALA8FCCxvmWYM3E=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key4 b/security/nss/cmd/bltest/tests/ecdsa/key4
new file mode 100644
index 000000000..90ecb72c6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key4
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAAIAAAArBAXw45Pc59l1QWmAB1W6M30lyFzQmAH/0FIFKYgEOYIa

+dnEXMwKNwaRdsQAAABUCErj052f+Rth5OxAm376LOAQyvBY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key5 b/security/nss/cmd/bltest/tests/ecdsa/key5
new file mode 100644
index 000000000..b9d221f8e
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key5
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAA8AAAArBAFhm71N2wsUOYCwDNr/6rFvNX1okAbki1SNlHq2TQDO

+Bktd1M0jlApWVQAAABUCILsraWg3Qi5nBsXQ1pGmZk0YuSA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key6 b/security/nss/cmd/bltest/tests/ecdsa/key6
new file mode 100644
index 000000000..92fb463dc
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key6
@@ -0,0 +1,2 @@
+AAAABwYFK4EEAB8AAAAxBHOYACoc9XsLk5n8NZZKV2U9CDoMj/VRDvqbf+myloR7

+uBfVNm+uVN33Sa65phAfXQAAABitxs6KZtkqU4tglcdQ1Rmk2U74vjYP0JM=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key7 b/security/nss/cmd/bltest/tests/ecdsa/key7
new file mode 100644
index 000000000..83fced184
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key7
@@ -0,0 +1,2 @@
+AAAACgYIKoZIzj0DAQEAAAAxBOyOI+rIs3x+jsChxQqSVblnoZGqhIM1WX0FMfw+

+D8Dz6Y25iPcAQFpIAWh29FxnrgAAABh+uEQYXwMB783sULxE6PEd1t/MNZ9HSHI=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key8 b/security/nss/cmd/bltest/tests/ecdsa/key8
new file mode 100644
index 000000000..cc7c6103b
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key8
@@ -0,0 +1,3 @@
+AAAABwYFK4EEACAAAAA5BKQnZoj4VtlPqrJ5dekM4haG+7PjfgO4wNNIqD7JnrKI

+gTUd+oUQ41d517xCObyBaHNzdVPty9DvAAAAHIrG9+FE+OJV5UV2l/op7PCDPI4G

+qkpgzPIwe7U=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key9 b/security/nss/cmd/bltest/tests/ecdsa/key9
new file mode 100644
index 000000000..ab8f43bae
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/key9
@@ -0,0 +1,3 @@
+AAAABwYFK4EEACEAAAA5BGCNDWldzQCbI83PMR96tqR6JnIUpvfIO8l6hIf/QfMc

+rx2BbrSLoy6EJmP++Jyw5yNyaoVaNYl6AAAAHDnjgcUSIshTSLuejnSsvtvU363b

+1NJv4ULUbIs=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/numtests b/security/nss/cmd/bltest/tests/ecdsa/numtests
new file mode 100644
index 000000000..aabe6ec39
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/numtests
@@ -0,0 +1 @@
+21
diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext0 b/security/nss/cmd/bltest/tests/ecdsa/plaintext0
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext0
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext1 b/security/nss/cmd/bltest/tests/ecdsa/plaintext1
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext1
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext10 b/security/nss/cmd/bltest/tests/ecdsa/plaintext10
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext10
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext11 b/security/nss/cmd/bltest/tests/ecdsa/plaintext11
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext11
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext12 b/security/nss/cmd/bltest/tests/ecdsa/plaintext12
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext12
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext13 b/security/nss/cmd/bltest/tests/ecdsa/plaintext13
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext13
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext14 b/security/nss/cmd/bltest/tests/ecdsa/plaintext14
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext14
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext15 b/security/nss/cmd/bltest/tests/ecdsa/plaintext15
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext15
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext16 b/security/nss/cmd/bltest/tests/ecdsa/plaintext16
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext16
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext17 b/security/nss/cmd/bltest/tests/ecdsa/plaintext17
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext17
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext18 b/security/nss/cmd/bltest/tests/ecdsa/plaintext18
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext18
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext19 b/security/nss/cmd/bltest/tests/ecdsa/plaintext19
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext19
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext2 b/security/nss/cmd/bltest/tests/ecdsa/plaintext2
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext2
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext20 b/security/nss/cmd/bltest/tests/ecdsa/plaintext20
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext20
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext3 b/security/nss/cmd/bltest/tests/ecdsa/plaintext3
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext3
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext4 b/security/nss/cmd/bltest/tests/ecdsa/plaintext4
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext4
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext5 b/security/nss/cmd/bltest/tests/ecdsa/plaintext5
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext5
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext6 b/security/nss/cmd/bltest/tests/ecdsa/plaintext6
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext6
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext7 b/security/nss/cmd/bltest/tests/ecdsa/plaintext7
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext7
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext8 b/security/nss/cmd/bltest/tests/ecdsa/plaintext8
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext8
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext9 b/security/nss/cmd/bltest/tests/ecdsa/plaintext9
new file mode 100644
index 000000000..48fbdb6fd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/plaintext9
@@ -0,0 +1 @@
+qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed0 b/security/nss/cmd/bltest/tests/ecdsa/sigseed0
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed0
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed1 b/security/nss/cmd/bltest/tests/ecdsa/sigseed1
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed1
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed10 b/security/nss/cmd/bltest/tests/ecdsa/sigseed10
new file mode 100644
index 000000000..6983e5f7d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed10
@@ -0,0 +1 @@
+fjIzMWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed11 b/security/nss/cmd/bltest/tests/ecdsa/sigseed11
new file mode 100644
index 000000000..6983e5f7d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed11
@@ -0,0 +1 @@
+fjIzMWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed12 b/security/nss/cmd/bltest/tests/ecdsa/sigseed12
new file mode 100644
index 000000000..92aa40c82
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed12
@@ -0,0 +1 @@
+/jI1NmJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDk=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed13 b/security/nss/cmd/bltest/tests/ecdsa/sigseed13
new file mode 100644
index 000000000..4ac076584
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed13
@@ -0,0 +1 @@
+ATI4MWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBi

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed14 b/security/nss/cmd/bltest/tests/ecdsa/sigseed14
new file mode 100644
index 000000000..4ac076584
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed14
@@ -0,0 +1 @@
+ATI4MWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBi

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed15 b/security/nss/cmd/bltest/tests/ecdsa/sigseed15
new file mode 100644
index 000000000..097523032
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed15
@@ -0,0 +1 @@
+/jM4NGJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDEx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed16 b/security/nss/cmd/bltest/tests/ecdsa/sigseed16
new file mode 100644
index 000000000..36fbf0951
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed16
@@ -0,0 +1 @@
+fjQwN2JpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDExMTIx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed17 b/security/nss/cmd/bltest/tests/ecdsa/sigseed17
new file mode 100644
index 000000000..36fbf0951
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed17
@@ -0,0 +1 @@
+fjQwN2JpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDExMTIx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed18 b/security/nss/cmd/bltest/tests/ecdsa/sigseed18
new file mode 100644
index 000000000..7be8ce6dd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed18
@@ -0,0 +1,2 @@
+PjU2NmJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

+MTQxNTE2MTcxODE5MWExYjE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed19 b/security/nss/cmd/bltest/tests/ecdsa/sigseed19
new file mode 100644
index 000000000..7be8ce6dd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed19
@@ -0,0 +1,2 @@
+PjU2NmJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

+MTQxNTE2MTcxODE5MWExYjE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed2 b/security/nss/cmd/bltest/tests/ecdsa/sigseed2
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed2
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed20 b/security/nss/cmd/bltest/tests/ecdsa/sigseed20
new file mode 100644
index 000000000..f0dddb66c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed20
@@ -0,0 +1,2 @@
+/jUyMGJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

+MTQxNTE2MTcxODE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed3 b/security/nss/cmd/bltest/tests/ecdsa/sigseed3
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed3
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed4 b/security/nss/cmd/bltest/tests/ecdsa/sigseed4
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed4
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed5 b/security/nss/cmd/bltest/tests/ecdsa/sigseed5
new file mode 100644
index 000000000..05d7fd2d6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed5
@@ -0,0 +1 @@
+aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed6 b/security/nss/cmd/bltest/tests/ecdsa/sigseed6
new file mode 100644
index 000000000..a0687196c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed6
@@ -0,0 +1 @@
+/jE5MmJpdHNPZlRleHQwMDAwMDAwMDAw

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed7 b/security/nss/cmd/bltest/tests/ecdsa/sigseed7
new file mode 100644
index 000000000..a0687196c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed7
@@ -0,0 +1 @@
+/jE5MmJpdHNPZlRleHQwMDAwMDAwMDAw

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed8 b/security/nss/cmd/bltest/tests/ecdsa/sigseed8
new file mode 100644
index 000000000..01ae26574
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed8
@@ -0,0 +1 @@
+/jIyNGJpdHNPZlRleHQwMDAwMDAwMDAwMDAwMA==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed9 b/security/nss/cmd/bltest/tests/ecdsa/sigseed9
new file mode 100644
index 000000000..01ae26574
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/ecdsa/sigseed9
@@ -0,0 +1 @@
+/jIyNGJpdHNPZlRleHQwMDAwMDAwMDAwMDAwMA==

diff --git a/security/nss/cmd/bltest/tests/md2/ciphertext0 b/security/nss/cmd/bltest/tests/md2/ciphertext0
new file mode 100644
index 000000000..22e1fc496
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md2/ciphertext0
@@ -0,0 +1 @@
+CS/UNcrWhB5Knt7Gf8Tz3Q==
diff --git a/security/nss/cmd/bltest/tests/md2/numtests b/security/nss/cmd/bltest/tests/md2/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md2/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/md2/plaintext0 b/security/nss/cmd/bltest/tests/md2/plaintext0
new file mode 100644
index 000000000..dce2994ba
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md2/plaintext0
@@ -0,0 +1 @@
+16-bytes to MD2.
diff --git a/security/nss/cmd/bltest/tests/md5/ciphertext0 b/security/nss/cmd/bltest/tests/md5/ciphertext0
new file mode 100644
index 000000000..ea11ee523
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md5/ciphertext0
@@ -0,0 +1 @@
+XN8lnQuWAiMqmSGfvd8Hdw==
diff --git a/security/nss/cmd/bltest/tests/md5/numtests b/security/nss/cmd/bltest/tests/md5/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md5/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/md5/plaintext0 b/security/nss/cmd/bltest/tests/md5/plaintext0
new file mode 100644
index 000000000..5ae3875e2
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/md5/plaintext0
@@ -0,0 +1 @@
+63-byte input to MD5 can be a bit tricky, but no problems here.
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0
new file mode 100644
index 000000000..d964ef864
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0
@@ -0,0 +1 @@
+3ki6eVsWpY8=
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/iv0 b/security/nss/cmd/bltest/tests/rc2_cbc/iv0
new file mode 100644
index 000000000..97b5955f7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_cbc/iv0
@@ -0,0 +1 @@
+12345678
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/key0 b/security/nss/cmd/bltest/tests/rc2_cbc/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_cbc/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/numtests b/security/nss/cmd/bltest/tests/rc2_cbc/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_cbc/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0 b/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0
new file mode 100644
index 000000000..337d30765
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0
@@ -0,0 +1 @@
+WT+tc4fANhQ=
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/key0 b/security/nss/cmd/bltest/tests/rc2_ecb/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_ecb/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/numtests b/security/nss/cmd/bltest/tests/rc2_ecb/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_ecb/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0 b/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc4/ciphertext0 b/security/nss/cmd/bltest/tests/rc4/ciphertext0
new file mode 100644
index 000000000..004f13472
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/ciphertext0
@@ -0,0 +1 @@
+34sTZJtr20k=
diff --git a/security/nss/cmd/bltest/tests/rc4/ciphertext1 b/security/nss/cmd/bltest/tests/rc4/ciphertext1
new file mode 100644
index 000000000..6050da4c6
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/ciphertext1
@@ -0,0 +1 @@
+34sTZJtr20nGP6VxS3BIBxxIYm6QGIa1rehFHn51z9M=
diff --git a/security/nss/cmd/bltest/tests/rc4/key0 b/security/nss/cmd/bltest/tests/rc4/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc4/key1 b/security/nss/cmd/bltest/tests/rc4/key1
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/key1
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc4/numtests b/security/nss/cmd/bltest/tests/rc4/numtests
new file mode 100644
index 000000000..0cfbf0888
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/numtests
@@ -0,0 +1 @@
+2
diff --git a/security/nss/cmd/bltest/tests/rc4/plaintext0 b/security/nss/cmd/bltest/tests/rc4/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc4/plaintext1 b/security/nss/cmd/bltest/tests/rc4/plaintext1
new file mode 100644
index 000000000..d41abc7b8
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc4/plaintext1
@@ -0,0 +1 @@
+Mozilla!Mozilla!Mozilla!Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0
new file mode 100644
index 000000000..544713b33
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0
@@ -0,0 +1 @@
+qsv4Fn2J6d0=
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/iv0 b/security/nss/cmd/bltest/tests/rc5_cbc/iv0
new file mode 100644
index 000000000..97b5955f7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/iv0
@@ -0,0 +1 @@
+12345678
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/key0 b/security/nss/cmd/bltest/tests/rc5_cbc/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/numtests b/security/nss/cmd/bltest/tests/rc5_cbc/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/params0 b/security/nss/cmd/bltest/tests/rc5_cbc/params0
new file mode 100644
index 000000000..d68e0362d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/params0
@@ -0,0 +1,2 @@
+rounds=10
+wordsize=4
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0 b/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0
new file mode 100644
index 000000000..133777dd0
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0
@@ -0,0 +1 @@
+4ZKK/1v5Ohc=
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/key0 b/security/nss/cmd/bltest/tests/rc5_ecb/key0
new file mode 100644
index 000000000..65513c116
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_ecb/key0
@@ -0,0 +1 @@
+zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/numtests b/security/nss/cmd/bltest/tests/rc5_ecb/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_ecb/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/params0 b/security/nss/cmd/bltest/tests/rc5_ecb/params0
new file mode 100644
index 000000000..d68e0362d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_ecb/params0
@@ -0,0 +1,2 @@
+rounds=10
+wordsize=4
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0 b/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0
new file mode 100644
index 000000000..5513e438c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0
@@ -0,0 +1 @@
+Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rsa/ciphertext0 b/security/nss/cmd/bltest/tests/rsa/ciphertext0
new file mode 100644
index 000000000..943ea599a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rsa/ciphertext0
@@ -0,0 +1 @@
+qPVrXv0y3SC5rY44bIi6GE4Aec8uDpHH7/cCg0FU5as=
diff --git a/security/nss/cmd/bltest/tests/rsa/key0 b/security/nss/cmd/bltest/tests/rsa/key0
new file mode 100644
index 000000000..1352fe986
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rsa/key0
@@ -0,0 +1,4 @@
+AAAAAAAAACC5lyu2K2ro8YGnvOCKaL1sFX1HEIblIVbuMXsa8oeFSwAAAAERAAAA

+IBXVjKwFG6LvPG4WOIjBBzmxGNpkQwDs3W5qZcXVzqahAAAAEOEOH/WnhZCJyM39

+oNfhf18AAAAQ0xvmxqXXs3L62xxogUl9lQAAABAaeiHgqkvy4wiQtG1Gkv/tAAAA

+EMaw2TNu6SFdKFXAYluQdjEAAAAQi0u+IlgKCt/hatGAsTrfzQ==

diff --git a/security/nss/cmd/bltest/tests/rsa/numtests b/security/nss/cmd/bltest/tests/rsa/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rsa/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/rsa/plaintext0 b/security/nss/cmd/bltest/tests/rsa/plaintext0
new file mode 100644
index 000000000..d915bc88c
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/rsa/plaintext0
@@ -0,0 +1 @@
+512bitsforRSAPublicKeyEncryption
diff --git a/security/nss/cmd/bltest/tests/sha1/ciphertext0 b/security/nss/cmd/bltest/tests/sha1/ciphertext0
new file mode 100644
index 000000000..1fe4bd2bd
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha1/ciphertext0
@@ -0,0 +1 @@
+cDSMAygXMPIJZC5bntZ4ZhecQ9g=
diff --git a/security/nss/cmd/bltest/tests/sha1/numtests b/security/nss/cmd/bltest/tests/sha1/numtests
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha1/numtests
@@ -0,0 +1 @@
+1
diff --git a/security/nss/cmd/bltest/tests/sha1/plaintext0 b/security/nss/cmd/bltest/tests/sha1/plaintext0
new file mode 100644
index 000000000..863e79c65
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha1/plaintext0
@@ -0,0 +1 @@
+A cage went in search of a bird.
diff --git a/security/nss/cmd/bltest/tests/sha256/ciphertext0 b/security/nss/cmd/bltest/tests/sha256/ciphertext0
new file mode 100644
index 000000000..07e2ff14f
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha256/ciphertext0
@@ -0,0 +1 @@
+ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
diff --git a/security/nss/cmd/bltest/tests/sha256/ciphertext1 b/security/nss/cmd/bltest/tests/sha256/ciphertext1
new file mode 100644
index 000000000..2ab6e1da5
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha256/ciphertext1
@@ -0,0 +1 @@
+JI1qYdIGOLjlwCaTDD5gOaM85Flk/yFn9uzt1BnbBsE=
diff --git a/security/nss/cmd/bltest/tests/sha256/numtests b/security/nss/cmd/bltest/tests/sha256/numtests
new file mode 100644
index 000000000..0cfbf0888
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha256/numtests
@@ -0,0 +1 @@
+2
diff --git a/security/nss/cmd/bltest/tests/sha256/plaintext0 b/security/nss/cmd/bltest/tests/sha256/plaintext0
new file mode 100644
index 000000000..8baef1b4a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha256/plaintext0
@@ -0,0 +1 @@
+abc
diff --git a/security/nss/cmd/bltest/tests/sha256/plaintext1 b/security/nss/cmd/bltest/tests/sha256/plaintext1
new file mode 100644
index 000000000..afb5dce5d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha256/plaintext1
@@ -0,0 +1 @@
+abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
diff --git a/security/nss/cmd/bltest/tests/sha384/ciphertext0 b/security/nss/cmd/bltest/tests/sha384/ciphertext0
new file mode 100644
index 000000000..c94f91e22
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha384/ciphertext0
@@ -0,0 +1 @@
+ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn
diff --git a/security/nss/cmd/bltest/tests/sha384/ciphertext1 b/security/nss/cmd/bltest/tests/sha384/ciphertext1
new file mode 100644
index 000000000..833f06d84
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha384/ciphertext1
@@ -0,0 +1 @@
+CTMMM/cRR+g9GS/Hgs0bR1MRGxc7OwXSL6CAhuOw9xL8x8caVX4tuWbD6fqRdGA5
diff --git a/security/nss/cmd/bltest/tests/sha384/numtests b/security/nss/cmd/bltest/tests/sha384/numtests
new file mode 100644
index 000000000..0cfbf0888
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha384/numtests
@@ -0,0 +1 @@
+2
diff --git a/security/nss/cmd/bltest/tests/sha384/plaintext0 b/security/nss/cmd/bltest/tests/sha384/plaintext0
new file mode 100644
index 000000000..8baef1b4a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha384/plaintext0
@@ -0,0 +1 @@
+abc
diff --git a/security/nss/cmd/bltest/tests/sha384/plaintext1 b/security/nss/cmd/bltest/tests/sha384/plaintext1
new file mode 100644
index 000000000..94fcc2b29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha384/plaintext1
@@ -0,0 +1 @@
+abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu
diff --git a/security/nss/cmd/bltest/tests/sha512/ciphertext0 b/security/nss/cmd/bltest/tests/sha512/ciphertext0
new file mode 100644
index 000000000..8b626e237
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha512/ciphertext0
@@ -0,0 +1,2 @@
+3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9
+RU1EI2Q86A4qmslPpUyknw==
diff --git a/security/nss/cmd/bltest/tests/sha512/ciphertext1 b/security/nss/cmd/bltest/tests/sha512/ciphertext1
new file mode 100644
index 000000000..c02d1752d
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha512/ciphertext1
@@ -0,0 +1,2 @@
+jpWbddrjE9qM9PcoFPwUP493ecbrn3+hcpmurbaIkBhQHSieSQD35DMbmd7EtUM6
+x9Mp7rbdJlReluVbh0vpCQ==
diff --git a/security/nss/cmd/bltest/tests/sha512/numtests b/security/nss/cmd/bltest/tests/sha512/numtests
new file mode 100644
index 000000000..0cfbf0888
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha512/numtests
@@ -0,0 +1 @@
+2
diff --git a/security/nss/cmd/bltest/tests/sha512/plaintext0 b/security/nss/cmd/bltest/tests/sha512/plaintext0
new file mode 100644
index 000000000..8baef1b4a
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha512/plaintext0
@@ -0,0 +1 @@
+abc
diff --git a/security/nss/cmd/bltest/tests/sha512/plaintext1 b/security/nss/cmd/bltest/tests/sha512/plaintext1
new file mode 100644
index 000000000..94fcc2b29
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha512/plaintext1
@@ -0,0 +1 @@
+abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu
diff --git a/security/nss/cmd/btoa/Makefile b/security/nss/cmd/btoa/Makefile
new file mode 100644
index 000000000..6eb6e71da
--- /dev/null
+++ b/security/nss/cmd/btoa/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/btoa/btoa.c b/security/nss/cmd/btoa/btoa.c
new file mode 100644
index 000000000..f140bddf8
--- /dev/null
+++ b/security/nss/cmd/btoa/btoa.c
@@ -0,0 +1,213 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plgetopt.h"
+#include "secutil.h"
+#include "nssb64.h"
+#include <errno.h>
+
+#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
+#if !defined(WIN32)
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+#endif
+
+#if defined(WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+static PRInt32 
+output_ascii (void *arg, const char *obuf, PRInt32 size)
+{
+    FILE *outFile = arg;
+    int nb;
+
+    nb = fwrite(obuf, 1, size, outFile);
+    if (nb != size) {
+	PORT_SetError(SEC_ERROR_IO);
+	return -1;
+    }
+
+    return nb;
+}
+
+static SECStatus
+encode_file(FILE *outFile, FILE *inFile)
+{
+    NSSBase64Encoder *cx;
+    int nb;
+    SECStatus status = SECFailure;
+    unsigned char ibuf[4096];
+
+    cx = NSSBase64Encoder_Create(output_ascii, outFile);
+    if (!cx) {
+	return -1;
+    }
+
+    for (;;) {
+	if (feof(inFile)) break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb != sizeof(ibuf)) {
+	    if (nb == 0) {
+		if (ferror(inFile)) {
+		    PORT_SetError(SEC_ERROR_IO);
+		    goto loser;
+		}
+		/* eof */
+		break;
+	    }
+	}
+
+	status = NSSBase64Encoder_Update(cx, ibuf, nb);
+	if (status != SECSuccess) goto loser;
+    }
+
+    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
+    if (status != SECSuccess)
+	return status;
+
+    /*
+     * Add a trailing CRLF.  Note this must be done *after* the call
+     * to Destroy above (because only then are we sure all data has
+     * been written out).
+     */
+    fwrite("\r\n", 1, 2, outFile);
+    return SECSuccess;
+
+  loser:
+    (void) NSSBase64Encoder_Destroy(cx, PR_TRUE);
+    return status;
+}
+
+static void Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage: %s [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    char *progName;
+    SECStatus rv;
+    FILE *inFile, *outFile;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+    inFile = 0;
+    outFile = 0;
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    /* Parse command line arguments */
+    optstate = PL_CreateOptState(argc, argv, "i:o:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  default:
+	    Usage(progName);
+	    break;
+
+	  case 'i':
+	    inFile = fopen(optstate->value, "rb");
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "wb");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+	}
+    }
+    if (status == PL_OPT_BAD)
+	Usage(progName);
+    if (!inFile) {
+#if defined(WIN32)
+	/* If we're going to read binary data from stdin, we must put stdin
+	** into O_BINARY mode or else incoming \r\n's will become \n's.
+	*/
+
+	int smrv = _setmode(_fileno(stdin), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
+	            progName);
+	    return smrv;
+	}
+#endif
+    	inFile = stdin;
+    }
+    if (!outFile) {
+#if defined(WIN32)
+	/* We're going to write binary data to stdout. We must put stdout
+	** into O_BINARY mode or else outgoing \r\n's will become \r\r\n's.
+	*/
+
+	int smrv = _setmode(_fileno(stdout), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
+	            progName);
+	    return smrv;
+	}
+#endif
+    	outFile = stdout;
+    }
+    rv = encode_file(outFile, inFile);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
+		progName, PORT_GetError(), errno);
+	return -1;
+    }
+    return 0;
+}
diff --git a/security/nss/cmd/btoa/manifest.mn b/security/nss/cmd/btoa/manifest.mn
new file mode 100644
index 000000000..394c661be
--- /dev/null
+++ b/security/nss/cmd/btoa/manifest.mn
@@ -0,0 +1,53 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# MODULE is implicitly REQUIRED, doesn't need to be listed below.
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = btoa.c
+
+PROGRAM	= btoa
+
diff --git a/security/nss/cmd/certcgi/HOWTO.txt b/security/nss/cmd/certcgi/HOWTO.txt
new file mode 100644
index 000000000..f02ad32fd
--- /dev/null
+++ b/security/nss/cmd/certcgi/HOWTO.txt
@@ -0,0 +1,168 @@
+        How to setup your very own Cert-O-Matic Root CA server
+
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape Communications 
+Corporation.  Portions created by the Initial Developer are 
+Copyright (C) 2001 the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+        How to setup your very own Cert-O-Matic Root CA server
+
+The program certcgi is part of a small test CA that is used inside 
+Netscape by the NSS development team.  That CA is affectionately known
+as "Cert-O-Matic" or "Cert-O-Matic II".  It presently runs on a server
+named interzone.mcom.com inside Netscape's firewall.
+
+If you wish to setup your own Cert-O-Matic, here are directions.
+
+Disclaimer:  This program does not follow good practices for root CAs.
+It should be used only for playing/testing and never for production use.
+Remember, you've been warned!
+
+Cert-O-Matic consists of some html files, shell scripts, one executable
+program that uses NSS and NSPR, the usual set of NSS .db files, and a file
+in which to remember the serial number of the last cert issued.  The 
+html files and the source to the executable program are in this directory.
+Sample shell scripts are shown below.  
+
+The shell scripts and executable program run as CGI "scripts".  The
+entire thing runs on an ordinary http web server.  It would also run on
+an https web server.  The shell scripts and html files must be
+customized for the server on which they run.
+
+The package assumes you have a "document root" directory $DOCROOT, and a
+"cgi-bin" directory $CGIBIN.  In this example, the document root is
+assumed to be located in /var/www/htdocs, and the cgi-bin directory in
+/var/www/cgi-bin.
+
+The server is assumed to run all cgi scripts as the user "nobody".
+The names of the cgi scripts run directly by the server all end in .cgi
+because some servers like it that way.
+
+Instructions:
+
+- Create directory $DOCROOT/certomatic
+- Copy the following files from nss/cmd/certcgi to $DOCROOT/certomatic
+        ca.html index.html main.html nscp_ext_form.html stnd_ext_form.html
+- Edit the html files, substituting the name of your own server for the
+  server named in those files.
+- In some web page (e.g. your server's home page), provide an html link to
+  $DOCROOT/certomatic/index.html. This is where users start to get their
+  own certs from certomatic.
+- give these files and directories appropriate permissions.
+
+- Create directories $CGIBIN/certomatic and $CGIBIN/certomatic/bin
+  make sure that $CGIBIN/certomatic is writable by "nobody"
+
+- Create a new set of NSS db files there with the following command:
+
+        certutil -N -d $CGIBIN/certomatic
+
+- when certutil prompts you for the password, enter the word foo
+  because that is compiled into the certcgi program.
+
+- Create the new Root CA cert with this command
+
+        certutil -S -x -d $CGIBIN/certomatic -n "Cert-O-Matic II" \
+        -s "CN=Cert-O-Matic II, O=Cert-O-Matic II" -t TCu,cu,cu -k rsa \
+        -g 1024 -m 10001 -v 60
+
+  (adjust the -g, -m and -v parameters to taste.  -s and -x must be as
+shown.)
+
+- dump out the new root CA cert in base64 encoding:
+
+        certutil -d $CGIBIN/certomatic -L -n "Cert-O-Matic II" -a > \
+          $CGIBIN/certomatic/root.cacert
+
+- In $CGIBIN/certomatic/bin add two shell scripts - one to download the
+  root CA cert on demand, and one to run the certcgi program.
+
+download.cgi, the script to install the root CA cert into a browser on
+demand, is this:
+
+#!/bin/sh
+echo "Content-type: application/x-x509-ca-cert"
+echo
+cat $CGIBIN/certomatic/root.cacert
+
+You'll have to put the real path into that cat command because CGIBIN
+won't be defined when this script is run by the server.
+
+certcgi.cgi, the script to run the certcgi program is similar to this:
+
+#!/bin/sh
+cd $CGIBIN/certomatic/bin
+LD_LIBRARY_PATH=$PLATFORM/lib
+export LD_LIBRARY_PATH
+$PLATFORM/bin/certcgi $* 2>&1
+
+Where $PLATFORM/lib is where the NSPR nad NSS DSOs are located, and
+$PLATFORM/bin is where certcgi is located.  PLATFORM is not defined when 
+the server runs this script, so you'll have to substitute the right value 
+in your script.  certcgi requires that the working directory be one level 
+below the NSS DBs, that is, the DBs are accessed in the directory "..".
+
+You'll want to provide an html link somewhere to the script that downloads
+the root.cacert file.  You'll probably want to put that next to the link
+that loads the index.html page.  On interzone, this is done with the 
+following html:
+
+<a href="/certomatic/index.html">Cert-O-Matic II Root CA server</a>
+<p>
+<a href="/cgi-bin/certomatic/bin/download.cgi">Download and trust Root CA
+certificate</a>
+
+The index.html file in this directory invokes the certcgi.cgi script with 
+the form post method, so if you change the name of the certcgi.cgi script, 
+you'll also have to change the index.html file in $DOCROOT/certomatic
+
+The 4 files used by the certcgi program (the 3 NSS DBs, and the serial
+number file) are not required to live in $CGIBIN/certomatic, but they are
+required to live in $CWD/.. when certcgi starts.
+
+Known bugs:
+
+1. Because multiple of these CAs exist simultaneously, it would be best if 
+they didn't all have to be called "Cert-O-Matic II", but that string is 
+presently hard coded into certcgi.c.
+
+2. the html files in this directory contain numerous extraneous <FORM> tags
+which appear to use the post method and have action URLS that are never
+actually used.  burp.cgi and echoform.cgi are never actually used.  This
+should be cleaned up.
+
+3. The html files use <layer> tags which are supported only in Netscape 
+Navigator and Netscape Communication 4.x browsers.  The html files do 
+not work as intended with Netscape 6.x, Mozilla or Microsoft IE browsers.
+The html files should be fixed to work with all those named browsers.
+
diff --git a/security/nss/cmd/certcgi/Makefile b/security/nss/cmd/certcgi/Makefile
new file mode 100644
index 000000000..140b4191f
--- /dev/null
+++ b/security/nss/cmd/certcgi/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/certcgi/ca.html b/security/nss/cmd/certcgi/ca.html
new file mode 100644
index 000000000..5525b382a
--- /dev/null
+++ b/security/nss/cmd/certcgi/ca.html
@@ -0,0 +1,51 @@
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+<form method="post" name="ca_form" action="mailto:jerdonek@netscape.com">
+<input type="radio" name="caChoiceradio" value="SignWithDefaultkey" 
+    onClick="{parent.choice_change(this.form)}"> 
+    Use the Cert-O-matic certificate to issue the cert</p>
+<input type="radio" name="caChoiceradio" value="SignWithRandomChain" 
+    onClick="{parent.choice_change(this.form)}"> Use a 
+    <input type="text" size="2" maxsize="2" name="autoCAs"> CA long 
+    automatically generated chain ending with the Cert-O-Matic Cert 
+    (18 maximum)</p>
+<input type="radio" name="caChoiceradio" value="SignWithSpecifiedChain" 
+    onClick="{parent.choice_change(this.form)}"> Use a 
+    <input type="text" size="1" maxlength="1" name="manCAs" 
+    onChange="{parent.ca_num_change(this.value,this.form)}"> CA long 
+    user input chain ending in the Cert-O-Matic Cert.</p>
+</form>
diff --git a/security/nss/cmd/certcgi/ca_form.html b/security/nss/cmd/certcgi/ca_form.html
new file mode 100644
index 000000000..cb3e195ea
--- /dev/null
+++ b/security/nss/cmd/certcgi/ca_form.html
@@ -0,0 +1,388 @@
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
+    <table border=0 cellspacing=10 cellpadding=0>
+    <tr>
+    <td>
+    Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
+    </td>
+    <td></td><td></td><td>
+    Mail: </td><td><input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}"></p>
+    RFC 1274<input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">
+    e-mail<input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)"></td>
+    <tr>
+    <td>
+    Organization: </td><td>  <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
+    <td></td><td></td><td>
+    Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
+    <tr>
+    <td>
+    RFC 1274 UID: </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
+    <td></td><td></td><td>
+    Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
+    <tr>
+    <td>
+    State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
+    <td></td><td></td><td>
+    Country: </td><td><input type="text" size="2" maxsize="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}"></p></td>
+    </table>
+    <table border=0 cellspacing=10 cellpadding=0>
+    <tr>
+    <td>
+    Serial Number:</p>
+    <DD>
+    <input type="radio" name="serial" value="auto" checked> Auto Generate</P>
+    <DD>
+    <input type="radio" name="serial" value="input">
+    Use this value: <input type="text" name="serial_value" size="8" maxlength="8"></p>
+    </td>
+    <td></td><td></td><td></td><td></td>
+    <td>
+    X.509 version:</p>
+    <DD>
+    <input type="radio" name="ver" value="1" checked> Version 1</p>
+    <DD>
+    <input type="radio" name="ver" value="3"> Version 3</P></td>
+    <td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td>
+    <td>
+    Key Type:</p>
+    <DD>
+    <input type="radio" name="keyType" value="rsa" checked> RSA</p>
+    <DD>
+    <input type="radio" name="keyType" value="dsa"> DSA</P></td>
+    </table>
+    DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
+    <Select name="keysize">
+        <option>1024 (High Grade)
+        <option>768 (Medium Grade)
+        <option>512 (Low Grade)
+    </select> 
+    </p>
+  <hr>
+    </p>
+    <table  border=1 cellspacing=5 cellpadding=5>
+    <tr>
+    <td>
+    <b>Netscape Certificate Type: </b></p>
+    Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
+    Critical: <input type="checkbox" name="netscape-cert-type-crit">
+    <td>
+    <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
+    <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
+    <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
+    <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>    
+    <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
+    <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
+    <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
+    <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Base URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-base-url"></P>
+    Critical: <input type="checkbox" name="netscape-base-url-crit">
+    <td>
+    <input type="text" name="netscape-base-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Revocation URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
+    Critical: <input type="checkbox" name="netscape-revocation-url-crit">
+    <td>
+    <input type="text" name="netscape-revocation-url-text" size="50">
+    </tr>
+    <tr>
+    <td>    
+    <b>Netscape CA Revocation URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
+    Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
+    <td>
+    <input type="text" name="netscape-ca-revocation-url-text" size="50">
+    </tr>
+    <tr>
+    <td>    
+    <b>Netscape Certificate Renewal URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
+    Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
+    <td>
+    <input type="text" name="netscape-cert-renewal-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape CA Policy URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
+    Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
+    <td>
+    <input type="text" name="netscape-ca-policy-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape SSL Server Name:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
+    Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
+    <td>
+    <input type="text" name="netscape-ssl-server-name-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Comment:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-comment"></P>
+    Critical: <input type="checkbox" name="netscape-comment-crit">
+    <td>
+    <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
+    </tr>
+    </table>
+    </p>
+  <hr>
+    </p>
+    <table  border=1 cellspacing=5 cellpadding=5>
+    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
+    <tr>
+    <td>
+    <b>Key Usage: </b></p>
+    Activate extension: <input type="checkbox" name="keyUsage"></P>
+    Critical: <input type="checkbox" name="keyUsage-crit">
+    <td>
+    <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
+    <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>    
+    <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>    
+    <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
+    <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
+    <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
+    <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Extended Key Usage: </b></p>
+    Activate extension: <input type="checkbox" name="extKeyUsage"></P>
+    Critical: <input type="checkbox" name="extKeyUsage-crit">
+    <td>
+    <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
+    <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
+    <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
+    <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
+    <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
+    <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
+    <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Basic Constraints:</b></p>
+    Activate extension: <input type="checkbox" name="basicConstraints"></P>
+    Critical: <input type="checkbox" name="basicConstraints-crit">
+    <td>
+    CA:</p>
+    <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
+    <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
+    <input type="checkbox" name="basicConstraints-pathLengthConstraint">
+     Include Path length:  <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
+    </tr>
+    <tr>
+    <td>
+    <b>Authority Key Identifier:</b></p>
+    Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
+    <td>
+    <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
+    <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
+    </tr>
+    <tr>
+    <td>    
+    <b>Subject Key Identifier:</b></p>
+    Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
+    <td>
+    Key Identifier: 
+    <input type="text" name="subjectKeyIdentifier-text"></p>
+    This is an:<p>
+    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
+    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
+    </tr>
+    <tr>
+    <td>    
+    <b>Private Key Usage Period:</b></p>
+    Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
+    Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
+    <td>
+    Use:</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
+    <b>Not to be used to sign before:</b></p>
+    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
+    <dd><dd>(YYYY/MM/DD HH:MM:SS): 
+    <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
+    <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
+    <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2"> 
+    <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
+    <b>Not to be used to sign after:</b></p>
+    <dd>(YYYY/MM/DD HH:MM:SS): 
+    <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
+    <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
+    <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2"> 
+    <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
+    </tr>
+    <tr>
+    <td>
+    <b>Subject Alternative Name:</b></p>
+    Activate extension: <input type="checkbox" name="SubAltName"></P>
+    Critical: <input type="checkbox" name="SubAltName-crit">
+    <td>
+      <table>
+      <tr>
+      <td>
+      General Names:</p>
+      <select name="SubAltNameSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
+      <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name, 
+        OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
+        <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
+	<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
+        </table>
+      Name: <input type="text" name="SubAltNameText">
+        Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
+      </tr>
+      </table>
+    </tr>
+
+
+    <tr>
+    <td>
+    <b>Issuer Alternative Name:</b></p>
+    Activate extension: <input type="checkbox" name="IssuerAltName"></P>
+    Critical: <input type="checkbox" name="IssuerAltName-crit">
+    <td>
+      <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
+      <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
+      <table>
+      <tr>
+      <td>
+      General Names:</p>
+      <select name="IssuerAltNameSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
+      <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name, 
+        OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
+        </table>
+      Name: <input type="text" name="IssuerAltNameText"> 
+        Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
+      </tr>
+      </table>
+    </tr>
+
+    <tr>
+    <td>
+    <b>Name Constraints:</b></p>
+    Activate extension: <input type="checkbox" name="NameConstraints"></P>
+    <td>
+      <table>
+      <tr>
+      <td>
+      Name Constraints:</p>
+
+
+      <select name="NameConstraintSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
+      <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
+        OID: <input type="text" name="NameConstraintOtherNameOID" size="6">  </td><td>
+        <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
+        </table>
+      Name: <input type="text" name="NameConstraintText">
+        Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
+      Constraint type:<p>
+      <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
+      <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
+      Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
+      Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
+
+
+
+      </tr>
+      </table>
+    </tr>
+    </table>
+    </form>
+
+
+
+
+
+
+
+
+
+
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
new file mode 100644
index 000000000..038b55f98
--- /dev/null
+++ b/security/nss/cmd/certcgi/certcgi.c
@@ -0,0 +1,2408 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Cert-O-Matic CGI */
+
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "pk11func.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "secder.h"
+#include "genname.h"
+#include "xconst.h"
+#include "secutil.h"
+#include "pk11pqg.h"
+#include "certxutl.h"
+#include "nss.h"
+
+
+/* #define TEST           1 */
+/* #define FILEOUT        1 */
+/* #define OFFLINE        1 */
+#define START_FIELDS   100
+#define PREFIX_LEN     6
+#define SERIAL_FILE    "../serial"
+#define DB_DIRECTORY   ".."
+
+static char *progName;
+
+typedef struct PairStr Pair;
+
+struct PairStr {
+    char *name;
+    char *data;
+};
+
+
+char prefix[PREFIX_LEN];
+
+
+const SEC_ASN1Template CERTIA5TypeTemplate[] = {
+    { SEC_ASN1_IA5_STRING }
+};
+
+
+
+SECKEYPrivateKey *privkeys[9] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+				 NULL, NULL};
+
+
+#ifdef notdef
+const SEC_ASN1Template CERT_GeneralNameTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
+};
+#endif
+
+
+static void
+error_out(char  *error_string)
+{
+    printf("Content-type: text/plain\n\n");
+    printf(error_string);
+    fflush(stderr);
+    fflush(stdout);
+    exit(1);
+}
+
+static void
+error_allocate(void)
+{
+    error_out("ERROR: Unable to allocate memory");
+}
+
+
+static char *
+make_copy_string(char  *read_pos, 
+		 int   length, 
+		 char  sentinal_value)
+    /* copys string from to a new string it creates and 
+       returns a pointer to the new string */
+{
+    int                remaining = length;
+    char               *write_pos;
+    char               *new;
+
+    new = write_pos = (char *) PORT_Alloc (length);
+    if (new == NULL) {
+	error_allocate();
+    }
+    while (*read_pos != sentinal_value) {
+	if (remaining == 1) {
+	    remaining += length;
+	    length = length * 2;
+	    new = PORT_Realloc(new,length);
+	    if (new == NULL) {
+		error_allocate();
+	    }
+	    write_pos = new + length - remaining;
+	}
+	*write_pos = *read_pos;
+	++write_pos;
+	++read_pos;
+	remaining = remaining - 1;
+    }
+    *write_pos = '\0';
+    return new;
+}
+
+
+static SECStatus
+clean_input(Pair *data)
+    /* converts the non-alphanumeric characters in a form post 
+       from hex codes back to characters */
+{
+    int           length;
+    int           hi_digit;
+    int           low_digit;
+    char          character;
+    char          *begin_pos;
+    char          *read_pos;
+    char          *write_pos;
+    PRBool        name = PR_TRUE;
+
+    begin_pos = data->name;
+    while (begin_pos != NULL) {
+	length = strlen(begin_pos);
+	read_pos = write_pos = begin_pos;
+	while ((read_pos - begin_pos) < length) {
+	    if (*read_pos == '+') {
+		*read_pos = ' ';
+	    }
+	    if (*read_pos == '%') {
+		hi_digit = *(read_pos + 1);
+		low_digit = *(read_pos +2);
+		read_pos += 3;
+		if (isdigit(hi_digit)){
+		    hi_digit = hi_digit - '0';
+		} else {
+		    hi_digit = toupper(hi_digit);
+		    if (isxdigit(hi_digit)) {
+			hi_digit = (hi_digit - 'A') + 10;
+		    } else {
+			error_out("ERROR: Form data incorrectly formated");
+		    }
+		}
+		if (isdigit(low_digit)){
+		    low_digit = low_digit - '0';
+		} else {
+		    low_digit = toupper(low_digit);
+		    if ((low_digit >='A') && (low_digit <= 'F')) {
+			low_digit = (low_digit - 'A') + 10;
+		    } else {
+			error_out("ERROR: Form data incorrectly formated");
+		    }
+		}
+		character = (hi_digit << 4) | low_digit;
+		if (character != 10) {
+		    *write_pos = character;
+		    ++write_pos;
+		}
+	    } else {
+		*write_pos = *read_pos;
+		++write_pos;
+		++read_pos;
+	    }
+	}
+	*write_pos = '\0';
+	if (name == PR_TRUE) {
+	    begin_pos = data->data;
+	    name = PR_FALSE;
+	} else {
+	    data++;
+	    begin_pos = data->name;
+	    name = PR_TRUE;
+	}
+    }
+    return SECSuccess;
+}
+
+static char *
+make_name(char  *new_data)
+    /* gets the next field name in the input string and returns
+       a pointer to a string containing a copy of it */
+{
+    int         length = 20;
+    char        *name;
+
+    name = make_copy_string(new_data, length, '=');
+    return name;
+}
+	
+static char *
+make_data(char  *new_data)
+    /* gets the data for the next field in the input string 
+       and returns a pointer to a string containing it */
+{
+    int         length = 100;
+    char        *data;
+    char        *read_pos;
+
+    read_pos = new_data;
+    while (*(read_pos - 1) != '=') {
+	++read_pos;
+    }
+    data = make_copy_string(read_pos, length, '&');
+    return data;
+}
+
+
+static Pair
+make_pair(char  *new_data)
+    /* makes a pair name/data pair from the input string */
+{
+    Pair        temp;
+
+    temp.name = make_name(new_data);
+    temp.data = make_data(new_data);
+    return temp;
+}
+
+
+
+static Pair *
+make_datastruct(char  *data, int len)
+    /* parses the input from the form post into a data 
+       structure of field name/data pairs */
+{
+    Pair              *datastruct;
+    Pair              *current;
+    char              *curr_pos;
+    int               fields = START_FIELDS;
+    int               remaining = START_FIELDS;
+
+    curr_pos = data;
+    datastruct = current = (Pair *) PORT_Alloc(fields * sizeof(Pair));
+    if (datastruct == NULL) {
+	error_allocate();
+    }
+    while (curr_pos - data < len) {
+	if (remaining == 1) {
+	    remaining += fields;
+	    fields = fields * 2;
+	    datastruct = (Pair *) PORT_Realloc
+		(datastruct, fields * sizeof(Pair));
+	    if (datastruct == NULL) {
+		error_allocate();
+	    }
+	    current = datastruct + (fields - remaining);
+	}
+	*current = make_pair(curr_pos);
+	while (*curr_pos != '&') {
+	    ++curr_pos;
+	}
+	++curr_pos;
+	++current;
+	remaining = remaining - 1;
+    }
+    current->name = NULL;
+    return datastruct;
+}
+
+static char *
+return_name(Pair  *data_struct,
+	    int   n)
+    /* returns a pointer to the name of the nth 
+       (starting from 0) item in the data structure */
+{
+    char          *name;
+
+    if ((data_struct + n)->name != NULL) {
+	name = (data_struct + n)->name;
+	return name;
+    } else {
+	return NULL;
+    }
+}
+
+static char *
+return_data(Pair  *data_struct,int n)
+    /* returns a pointer to the data of the nth (starting from 0) 
+       itme in the data structure */
+{
+    char          *data;
+
+    data = (data_struct + n)->data;
+    return data;
+}
+
+
+static char *
+add_prefix(char  *field_name)
+{
+    extern char  prefix[PREFIX_LEN];
+    int          i = 0;
+    char         *rv;
+    char         *write;
+
+    rv = write = PORT_Alloc(PORT_Strlen(prefix) + PORT_Strlen(field_name) + 1);
+    for(i = 0; i < PORT_Strlen(prefix); i++) {
+	*write = prefix[i];
+	write++;
+    }
+    *write = '\0';
+    rv = PORT_Strcat(rv,field_name);
+    return rv;
+}
+
+
+static char *
+find_field(Pair    *data, 
+	   char    *field_name, 
+	   PRBool  add_pre)
+    /* returns a pointer to the data of the first pair 
+       thats name matches the string it is passed */
+{
+    int            i = 0;
+    char           *retrieved;
+    int            found = 0;
+
+    if (add_pre) {
+	field_name = add_prefix(field_name);
+    }
+    while(return_name(data, i) != NULL) {
+	if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
+	    retrieved = return_data(data, i);
+	    found = 1;
+	    break;
+	}
+	i++;
+    }
+    if (!found) {
+	retrieved = NULL;
+    }
+    return retrieved;
+}
+
+static PRBool
+find_field_bool(Pair    *data, 
+		char    *fieldname, 
+		PRBool  add_pre)
+{
+    char                *rv;
+
+    rv = find_field(data, fieldname, add_pre);
+	
+    if  ((rv != NULL) && (PORT_Strcmp(rv, "true")) == 0) {
+	return PR_TRUE;
+    } else {
+	return PR_FALSE;
+    }
+}
+
+static char *
+update_data_by_name(Pair  *data, 
+		    char  *field_name,
+                    char  *new_data)
+    /* replaces the data in the data structure associated with 
+       a name with new data, returns null if not found */
+{
+    int                   i = 0;
+    int                   found = 0;
+    int                   length = 100;
+    char                  *new;
+
+    while (return_name(data, i) != NULL) {
+	if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
+	    new = make_copy_string( new_data, length, '\0');
+	    PORT_Free(return_data(data, i));
+	    found = 1;
+	    (*(data + i)).data = new;
+	    break;
+	}
+	i++;
+    }
+    if (!found) {
+	new = NULL;
+    }
+    return new;
+}
+
+static char *
+update_data_by_index(Pair  *data, 
+		     int   n, 
+		     char  *new_data)
+    /* replaces the data of a particular index in the data structure */
+{
+    int                    length = 100;
+    char                   *new;
+
+    new = make_copy_string(new_data, length, '\0');
+    PORT_Free(return_data(data, n));
+    (*(data + n)).data = new;
+    return new;
+}
+
+
+static Pair *
+add_field(Pair   *data, 
+	  char*  field_name, 
+	  char*  field_data)
+    /* adds a new name/data pair to the data structure */
+{
+    int          i = 0;
+    int          j;
+    int          name_length = 100;
+    int          data_length = 100;
+
+    while(return_name(data, i) != NULL) {
+	i++;
+    }
+    j = START_FIELDS;
+    while ( j < (i + 1) ) {
+	j = j * 2;
+    }
+    if (j == (i + 1)) {
+	data = (Pair *) PORT_Realloc(data, (j * 2) * sizeof(Pair));
+	if (data == NULL) {
+	    error_allocate();
+	}
+    }
+    (*(data + i)).name = make_copy_string(field_name, name_length, '\0');
+    (*(data + i)).data = make_copy_string(field_data, data_length, '\0');
+    (data + i + 1)->name = NULL;
+    return data;
+}
+
+
+static CERTCertificateRequest *
+makeCertReq(Pair             *form_data,
+	    int              which_priv_key)
+    /* makes and encodes a certrequest */
+{
+
+    PK11SlotInfo             *slot;
+    CERTCertificateRequest   *certReq = NULL;
+    CERTSubjectPublicKeyInfo *spki;
+    SECKEYPrivateKey         *privkey = NULL;
+    SECKEYPublicKey          *pubkey = NULL;
+    CERTName                 *name;
+    char                     *key;
+    extern SECKEYPrivateKey  *privkeys[9];
+    int                      keySizeInBits;
+    char                     *challenge = "foo";
+    SECStatus                rv = SECSuccess;
+    PQGParams                *pqgParams = NULL;
+    PQGVerify                *pqgVfy = NULL;
+
+    name = CERT_AsciiToName(find_field(form_data, "subject", PR_TRUE));
+    if (name == NULL) {
+	error_out("ERROR: Unable to create Subject Name");
+    }
+    key = find_field(form_data, "key", PR_TRUE);
+    if (key == NULL) {
+	switch (*find_field(form_data, "keysize", PR_TRUE)) {
+	  case '0':
+	    keySizeInBits = 2048;
+	    break;
+	  case '1':
+	    keySizeInBits = 1024;
+	    break;
+	  case '2':
+	    keySizeInBits = 512;
+	    break;
+	  default:
+	    error_out("ERROR: Unsupported Key length selected");
+	}
+	if (find_field_bool(form_data, "keyType-dsa", PR_TRUE)) {
+	    rv = PK11_PQG_ParamGen(keySizeInBits, &pqgParams, &pqgVfy);
+	    if (rv != SECSuccess) {
+		error_out("ERROR: Unable to generate PQG parameters");
+	    }
+	    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
+	    privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, 
+					   pqgParams,&pubkey, PR_FALSE, 
+					   PR_TRUE, NULL);
+	} else {
+	    privkey = SECKEY_CreateRSAPrivateKey(keySizeInBits, &pubkey, NULL);
+	}
+	privkeys[which_priv_key] = privkey;
+	spki = SECKEY_CreateSubjectPublicKeyInfo(pubkey);
+    } else {
+	spki = SECKEY_ConvertAndDecodePublicKeyAndChallenge(key, challenge, 
+							    NULL);
+	if (spki == NULL) {
+	    error_out("ERROR: Unable to decode Public Key and Challenge String");
+	}
+    }
+    certReq = CERT_CreateCertificateRequest(name, spki, NULL);
+    if (certReq == NULL) {
+	error_out("ERROR: Unable to create Certificate Request");
+    }
+    if (pubkey != NULL) {
+	SECKEY_DestroyPublicKey(pubkey);
+    }
+    if (spki != NULL) {
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    if (pqgParams != NULL) {
+	PK11_PQG_DestroyParams(pqgParams);
+    }
+    if (pqgVfy != NULL) {
+	PK11_PQG_DestroyVerify(pqgVfy);
+    }
+    return certReq;
+}
+
+
+
+static CERTCertificate *
+MakeV1Cert(CERTCertDBHandle        *handle, 
+	   CERTCertificateRequest  *req,
+	   char                    *issuerNameStr, 
+	   PRBool                  selfsign, 
+	   int                     serialNumber,
+	   int                     warpmonths,
+	   Pair                    *data)
+{
+    CERTCertificate                 *issuerCert = NULL;
+    CERTValidity                    *validity;
+    CERTCertificate                 *cert = NULL;
+    PRExplodedTime                  printableTime;
+    PRTime                          now, 
+	                            after;
+    SECStatus rv;
+   
+    
+
+    if ( !selfsign ) {
+	issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
+	if (!issuerCert) {
+	    error_out("ERROR: Could not find issuer's certificate");
+	    return NULL;
+	}
+    }
+    if (find_field_bool(data, "manValidity", PR_TRUE)) {
+	rv = DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
+    } else {
+	now = PR_Now();
+    }
+    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
+    if ( warpmonths ) {
+	printableTime.tm_month += warpmonths;
+	now = PR_ImplodeTime (&printableTime);
+	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
+    }
+    if (find_field_bool(data, "manValidity", PR_TRUE)) {
+	rv = DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
+	PR_ExplodeTime (after, PR_GMTParameters, &printableTime);
+    } else {
+	printableTime.tm_month += 3;
+	after = PR_ImplodeTime (&printableTime);
+    }
+    /* note that the time is now in micro-second unit */
+    validity = CERT_CreateValidity (now, after);
+
+    if ( selfsign ) {
+	cert = CERT_CreateCertificate
+	    (serialNumber,&(req->subject), validity, req);
+    } else {
+	cert = CERT_CreateCertificate
+	    (serialNumber,&(issuerCert->subject), validity, req);
+    }
+    
+    CERT_DestroyValidity(validity);
+    if ( issuerCert ) {
+	CERT_DestroyCertificate (issuerCert);
+    }
+    return(cert);
+}
+
+static int
+get_serial_number(Pair  *data)
+{
+    int                 serial = 0;
+    int                 error;
+    char                *filename = SERIAL_FILE;
+    char                *SN;
+    FILE                *serialFile;
+
+
+    if (find_field_bool(data, "serial-auto", PR_TRUE)) {
+	serialFile = fopen(filename, "r");
+	if (serialFile != NULL) {
+	    fread(&serial, sizeof(int), 1, serialFile);
+	    if (ferror(serialFile) != 0) {
+		error_out("Error: Unable to read serial number file");
+	    }
+	    if (serial == 4294967295) {
+		serial = 21;
+	    }
+	    fclose(serialFile);
+	    ++serial;
+	    serialFile = fopen(filename,"w");
+	    if (serialFile == NULL) {
+	        error_out("ERROR: Unable to open serial number file for writing");
+	    }
+	    fwrite(&serial, sizeof(int), 1, serialFile);
+	    if (ferror(serialFile) != 0) {
+		error_out("Error: Unable to write to serial number file");
+	    }
+	} else {
+	    fclose(serialFile);
+	    serialFile = fopen(filename,"w");
+	    if (serialFile == NULL) {
+		error_out("ERROR: Unable to open serial number file");
+	    }
+	    serial = 21;
+	    fwrite(&serial, sizeof(int), 1, serialFile);
+	    if (ferror(serialFile) != 0) {
+		error_out("Error: Unable to write to serial number file");
+	    }
+	    error = ferror(serialFile);
+	    if (error != 0) {
+		error_out("ERROR: Unable to write to serial file");
+	    }
+	}
+	fclose(serialFile);
+    } else {
+	SN = find_field(data, "serial_value", PR_TRUE);
+	while (*SN != '\0') {
+	    serial = serial * 16;
+	    if ((*SN >= 'A') && (*SN <='F')) {
+		serial += *SN - 'A' + 10; 
+	    } else {
+		if ((*SN >= 'a') && (*SN <='f')) {
+		    serial += *SN - 'a' + 10;
+		} else {
+		    serial += *SN - '0';
+		}
+	    }
+	    ++SN;
+	}
+    }
+    return serial;
+}
+	
+
+
+typedef SECStatus (* EXTEN_VALUE_ENCODER)
+		(PRArenaPool *extHandle, void *value, SECItem *encodedValue);
+
+static SECStatus 
+EncodeAndAddExtensionValue(
+	PRArenaPool          *arena, 
+	void                 *extHandle, 
+	void                 *value, 
+	PRBool 		     criticality,
+	int 		     extenType, 
+	EXTEN_VALUE_ENCODER  EncodeValueFn)
+{
+    SECItem                  encodedValue;
+    SECStatus                rv;
+	
+
+    encodedValue.data = NULL;
+    encodedValue.len = 0;
+    rv = (*EncodeValueFn)(arena, value, &encodedValue);
+    if (rv != SECSuccess) {
+	error_out("ERROR: Unable to encode extension value");
+    }
+    rv = CERT_AddExtension
+	(extHandle, extenType, &encodedValue, criticality, PR_TRUE);
+    return (rv);
+}
+
+
+
+static SECStatus 
+AddKeyUsage (void  *extHandle, 
+	     Pair  *data)
+{
+    SECItem        bitStringValue;
+    unsigned char  keyUsage = 0x0;
+
+    if (find_field_bool(data,"keyUsage-digitalSignature", PR_TRUE)){
+	keyUsage |= (0x80 >> 0);
+    }
+    if (find_field_bool(data,"keyUsage-nonRepudiation", PR_TRUE)){
+	keyUsage |= (0x80 >> 1);
+    }
+    if (find_field_bool(data,"keyUsage-keyEncipherment", PR_TRUE)){
+	keyUsage |= (0x80 >> 2);
+    }
+    if (find_field_bool(data,"keyUsage-dataEncipherment", PR_TRUE)){
+	keyUsage |= (0x80 >> 3);
+    }
+    if (find_field_bool(data,"keyUsage-keyAgreement", PR_TRUE)){
+	keyUsage |= (0x80 >> 4);
+    }
+    if (find_field_bool(data,"keyUsage-keyCertSign", PR_TRUE)) {
+	keyUsage |= (0x80 >> 5);
+    }
+    if (find_field_bool(data,"keyUsage-cRLSign", PR_TRUE)) {
+	keyUsage |= (0x80 >> 6);
+    }
+
+    bitStringValue.data = &keyUsage;
+    bitStringValue.len = 1;
+
+    return (CERT_EncodeAndAddBitStrExtension
+	    (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
+	     (find_field_bool(data, "keyUsage-crit", PR_TRUE))));
+
+}
+
+static CERTOidSequence *
+CreateOidSequence(void)
+{
+  CERTOidSequence *rv = (CERTOidSequence *)NULL;
+  PRArenaPool *arena = (PRArenaPool *)NULL;
+
+  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if( (PRArenaPool *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = (CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));
+  if( (CERTOidSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->oids = (SECItem **)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
+  if( (SECItem **)NULL == rv->oids ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  return rv;
+
+ loser:
+  if( (PRArenaPool *)NULL != arena ) {
+    PORT_FreeArena(arena, PR_FALSE);
+  }
+
+  return (CERTOidSequence *)NULL;
+}
+
+static SECStatus
+AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
+{
+  SECItem **oids;
+  PRUint32 count = 0;
+  SECOidData *od;
+
+  od = SECOID_FindOIDByTag(oidTag);
+  if( (SECOidData *)NULL == od ) {
+    return SECFailure;
+  }
+
+  for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
+    count++;
+  }
+
+  /* ArenaZRealloc */
+
+  {
+    PRUint32 i;
+
+    oids = (SECItem **)PORT_ArenaZAlloc(os->arena, sizeof(SECItem *) * (count+2));
+    if( (SECItem **)NULL == oids ) {
+      return SECFailure;
+    }
+    
+    for( i = 0; i < count; i++ ) {
+      oids[i] = os->oids[i];
+    }
+
+    /* ArenaZFree(os->oids); */
+  }
+
+  os->oids = oids;
+  os->oids[count] = &od->oid;
+
+  return SECSuccess;
+}
+
+static SECItem *
+EncodeOidSequence(CERTOidSequence *os)
+{
+  SECItem *rv;
+  extern const SEC_ASN1Template CERT_OidSeqTemplate[];
+
+  rv = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem));
+  if( (SECItem *)NULL == rv ) {
+    goto loser;
+  }
+
+  if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
+    goto loser;
+  }
+
+  return rv;
+
+ loser:
+  return (SECItem *)NULL;
+}
+
+static SECStatus
+AddExtKeyUsage(void *extHandle, Pair *data)
+{
+  SECStatus rv;
+  CERTOidSequence *os;
+  SECItem *value;
+  PRBool crit;
+
+  os = CreateOidSequence();
+  if( (CERTOidSequence *)NULL == os ) {
+    return SECFailure;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-serverAuth", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-codeSign", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-emailProtect", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-timeStamp", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-ocspResponder", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  if( find_field_bool(data, "extKeyUsage-NS-govtApproved", PR_TRUE) ) {
+    rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
+    if( SECSuccess != rv ) goto loser;
+  }
+
+  value = EncodeOidSequence(os);
+
+  crit = find_field_bool(data, "extKeyUsage-crit", PR_TRUE);
+
+  rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, value,
+                         crit, PR_TRUE);
+  /*FALLTHROUGH*/
+ loser:
+  CERT_DestroyOidSequence(os);
+  return rv;
+}
+
+static SECStatus
+AddSubKeyID(void             *extHandle, 
+	    Pair             *data, 
+	    CERTCertificate  *subjectCert)
+{
+    SECItem                  encodedValue;
+    SECStatus                rv;
+    char                     *read;
+    char                     *write;
+    char                     *first;
+    char                     character;
+    int                      high_digit = 0,
+	                     low_digit = 0;
+    int                      len;
+    PRBool                   odd = PR_FALSE;
+
+
+    encodedValue.data = NULL;
+    encodedValue.len = 0;
+    first = read = write = find_field(data,"subjectKeyIdentifier-text", 
+				      PR_TRUE);
+    len = PORT_Strlen(first);
+    odd = ((len % 2) != 0 ) ? PR_TRUE : PR_FALSE;
+    if (find_field_bool(data, "subjectKeyIdentifier-radio-hex", PR_TRUE)) {
+	if (odd) {
+	    error_out("ERROR: Improperly formated subject key identifier, hex values must be expressed as an octet string");
+	}
+	while (*read != '\0') {
+	    if (!isxdigit(*read)) {
+		error_out("ERROR: Improperly formated subject key identifier");
+	    }
+	    *read = toupper(*read);
+	    if ((*read >= 'A') && (*read <= 'F')) {
+		high_digit = *read - 'A' + 10;
+	    }  else {
+		high_digit = *read - '0';
+	    }
+	    ++read;
+	    if (!isxdigit(*read)) {
+		error_out("ERROR: Improperly formated subject key identifier");
+	    }
+	    *read = toupper(*read);
+	    if ((*read >= 'A') && (*read <= 'F')) {
+		low_digit = *(read) - 'A' + 10;
+	    } else {
+		low_digit = *(read) - '0';
+	    }
+	    character = (high_digit << 4) | low_digit;
+	    *write = character;
+	    ++write;
+	    ++read;
+	}
+	*write = '\0';
+	len = write - first;
+    }
+    subjectCert->subjectKeyID.data = (unsigned char *) find_field
+	(data,"subjectKeyIdentifier-text", PR_TRUE);
+    subjectCert->subjectKeyID.len = len;
+    rv = CERT_EncodeSubjectKeyID
+	(NULL, &subjectCert->subjectKeyID, &encodedValue);
+    if (rv) {
+	return (rv);
+    }
+    return (CERT_AddExtension(extHandle,  SEC_OID_X509_SUBJECT_KEY_ID, 
+			      &encodedValue, PR_FALSE, PR_TRUE));
+}
+
+
+static SECStatus 
+AddAuthKeyID (void              *extHandle,
+	      Pair              *data, 
+	      char              *issuerNameStr, 
+	      CERTCertDBHandle  *handle)
+{
+    CERTAuthKeyID               *authKeyID = NULL;    
+    PRArenaPool                 *arena = NULL;
+    SECStatus                   rv = SECSuccess;
+    CERTCertificate             *issuerCert = NULL;
+    CERTGeneralName             *genNames;
+    CERTName                    *directoryName = NULL;
+
+
+    issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	error_allocate();
+    }
+
+    authKeyID = PORT_ArenaZAlloc (arena, sizeof (CERTAuthKeyID));
+    if (authKeyID == NULL) {
+	error_allocate();
+    }
+    if (find_field_bool(data, "authorityKeyIdentifier-radio-keyIdentifier", 
+			PR_TRUE)) {
+	authKeyID->keyID.data = PORT_ArenaAlloc (arena, PORT_Strlen 
+				       ((char *)issuerCert->subjectKeyID.data));
+	if (authKeyID->keyID.data == NULL) {
+	    error_allocate();
+	}
+	PORT_Memcpy (authKeyID->keyID.data, issuerCert->subjectKeyID.data, 
+		     authKeyID->keyID.len = 
+		        PORT_Strlen((char *)issuerCert->subjectKeyID.data));
+    } else {
+	
+	PORT_Assert (arena);
+	genNames = (CERTGeneralName *) PORT_ArenaZAlloc (arena, (sizeof(CERTGeneralName)));
+	if (genNames == NULL){
+	    error_allocate();
+	}
+	genNames->l.next = genNames->l.prev = &(genNames->l);
+	genNames->type = certDirectoryName;
+
+	directoryName = CERT_AsciiToName(issuerCert->subjectName);
+	if (!directoryName) {
+	    error_out("ERROR: Unable to create Directory Name");
+	}
+	rv = CERT_CopyName (arena, &genNames->name.directoryName, 
+			    directoryName);
+        CERT_DestroyName (directoryName);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to copy Directory Name");
+	}
+	authKeyID->authCertIssuer = genNames;
+	if (authKeyID->authCertIssuer == NULL && SECFailure == 
+	                                            PORT_GetError ()) {
+	    error_out("ERROR: Unable to get Issuer General Name for Authority Key ID Extension");
+	}
+	authKeyID->authCertSerialNumber = issuerCert->serialNumber;
+    }
+    rv = EncodeAndAddExtensionValue(arena, extHandle, authKeyID, PR_FALSE, 
+				    SEC_OID_X509_AUTH_KEY_ID, 
+				    (EXTEN_VALUE_ENCODER)
+				    CERT_EncodeAuthKeyID);
+    if (arena) {
+	PORT_FreeArena (arena, PR_FALSE);
+    }
+    return (rv);
+}
+
+
+static SECStatus 
+AddPrivKeyUsagePeriod(void             *extHandle, 
+		      Pair             *data, 
+		      CERTCertificate  *cert)
+{
+    char *notBeforeStr;
+    char *notAfterStr;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    CERTPrivKeyUsagePeriod *pkup;
+
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	error_allocate();
+    }
+    pkup = PORT_ArenaZNew (arena, CERTPrivKeyUsagePeriod);
+    if (pkup == NULL) {
+	error_allocate();
+    }
+    notBeforeStr = (char *) PORT_Alloc(16 );
+    notAfterStr = (char *) PORT_Alloc(16 );
+    *notBeforeStr = '\0';
+    *notAfterStr = '\0';
+    pkup->arena = arena;
+    pkup->notBefore.len = 0;
+    pkup->notBefore.data = NULL;
+    pkup->notAfter.len = 0;
+    pkup->notAfter.data = NULL;
+    if (find_field_bool(data, "privKeyUsagePeriod-radio-notBefore", PR_TRUE) ||
+	find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
+	pkup->notBefore.len = 15;
+	pkup->notBefore.data = (unsigned char *)notBeforeStr;
+	if (find_field_bool(data, "privKeyUsagePeriod-notBefore-radio-manual", 
+			    PR_TRUE)) {
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					   "privKeyUsagePeriod-notBefore-year",
+					   PR_TRUE));
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					   "privKeyUsagePeriod-notBefore-month",
+					   PR_TRUE));
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					   "privKeyUsagePeriod-notBefore-day",
+					   PR_TRUE));
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					   "privKeyUsagePeriod-notBefore-hour",
+					   PR_TRUE));
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					  "privKeyUsagePeriod-notBefore-minute",
+					   PR_TRUE));
+	    PORT_Strcat(notBeforeStr,find_field(data,
+					  "privKeyUsagePeriod-notBefore-second",
+					   PR_TRUE));
+	    if ((*(notBeforeStr + 14) != '\0') ||
+		(!isdigit(*(notBeforeStr + 13))) ||
+		(*(notBeforeStr + 12) >= '5' && *(notBeforeStr + 12) <= '0') ||
+		(!isdigit(*(notBeforeStr + 11))) ||
+		(*(notBeforeStr + 10) >= '5' && *(notBeforeStr + 10) <= '0') ||
+		(!isdigit(*(notBeforeStr + 9))) ||
+		(*(notBeforeStr + 8) >= '2' && *(notBeforeStr + 8) <= '0') ||
+		(!isdigit(*(notBeforeStr + 7))) ||
+		(*(notBeforeStr + 6) >= '3' && *(notBeforeStr + 6) <= '0') ||
+		(!isdigit(*(notBeforeStr + 5))) ||
+		(*(notBeforeStr + 4) >= '1' && *(notBeforeStr + 4) <= '0') ||
+		(!isdigit(*(notBeforeStr + 3))) ||
+		(!isdigit(*(notBeforeStr + 2))) ||
+		(!isdigit(*(notBeforeStr + 1))) ||
+		(!isdigit(*(notBeforeStr + 0))) ||
+		(*(notBeforeStr + 8) == '2' && *(notBeforeStr + 9) >= '4') ||
+		(*(notBeforeStr + 6) == '3' && *(notBeforeStr + 7) >= '1') ||
+		(*(notBeforeStr + 4) == '1' && *(notBeforeStr + 5) >= '2')) {
+		error_out("ERROR: Improperly formated private key usage period");
+	    }
+	    *(notBeforeStr + 14) = 'Z';
+	    *(notBeforeStr + 15) = '\0';
+	} else {
+	    if ((*(cert->validity.notBefore.data) > '5') || 
+		((*(cert->validity.notBefore.data) == '5') &&
+		 (*(cert->validity.notBefore.data + 1) != '0'))) {
+		PORT_Strcat(notBeforeStr, "19");
+	    } else {
+		PORT_Strcat(notBeforeStr, "20");
+	    }
+	    PORT_Strcat(notBeforeStr, (char *)cert->validity.notBefore.data);
+	}
+    }
+    if (find_field_bool(data, "privKeyUsagePeriod-radio-notAfter", PR_TRUE) ||
+	find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
+	pkup->notAfter.len = 15;
+	pkup->notAfter.data = (unsigned char *)notAfterStr;
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-year", 
+				      PR_TRUE));
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-month",
+				      PR_TRUE));
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-day", 
+				      PR_TRUE));
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-hour", 
+				      PR_TRUE));
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-minute",
+				      PR_TRUE));
+	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-second",
+				      PR_TRUE));
+	if ((*(notAfterStr + 14) != '\0') ||
+	    (!isdigit(*(notAfterStr + 13))) ||
+	    (*(notAfterStr + 12) >= '5' && *(notAfterStr + 12) <= '0') ||
+	    (!isdigit(*(notAfterStr + 11))) ||
+	    (*(notAfterStr + 10) >= '5' && *(notAfterStr + 10) <= '0') ||
+	    (!isdigit(*(notAfterStr + 9))) ||
+	    (*(notAfterStr + 8) >= '2' && *(notAfterStr + 8) <= '0') ||
+	    (!isdigit(*(notAfterStr + 7))) ||
+	    (*(notAfterStr + 6) >= '3' && *(notAfterStr + 6) <= '0') ||
+	    (!isdigit(*(notAfterStr + 5))) ||
+	    (*(notAfterStr + 4) >= '1' && *(notAfterStr + 4) <= '0') ||
+	    (!isdigit(*(notAfterStr + 3))) ||
+	    (!isdigit(*(notAfterStr + 2))) ||
+	    (!isdigit(*(notAfterStr + 1))) ||
+	    (!isdigit(*(notAfterStr + 0))) ||
+	    (*(notAfterStr + 8) == '2' && *(notAfterStr + 9) >= '4') ||
+	    (*(notAfterStr + 6) == '3' && *(notAfterStr + 7) >= '1') ||
+	    (*(notAfterStr + 4) == '1' && *(notAfterStr + 5) >= '2')) {
+	    error_out("ERROR: Improperly formated private key usage period");
+	}
+	*(notAfterStr + 14) = 'Z';
+	*(notAfterStr + 15) = '\0';
+    }
+	
+    PORT_Assert (arena);
+
+    rv = EncodeAndAddExtensionValue(arena, extHandle, pkup, 
+				    find_field_bool(data,
+						    "privKeyUsagePeriod-crit", 
+						    PR_TRUE), 
+				    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD, 
+				    (EXTEN_VALUE_ENCODER)
+				    CERT_EncodePrivateKeyUsagePeriod);
+    if (arena) {
+	PORT_FreeArena (arena, PR_FALSE);
+    }
+    if (notBeforeStr != NULL) {
+	PORT_Free(notBeforeStr);
+    }
+    if (notAfterStr != NULL) {
+	PORT_Free(notAfterStr);
+    }
+    return (rv);
+}    
+
+static SECStatus 
+AddBasicConstraint(void   *extHandle, 
+		   Pair   *data)
+{
+    CERTBasicConstraints  basicConstraint;
+    SECItem               encodedValue;
+    SECStatus             rv;
+
+    encodedValue.data = NULL;
+    encodedValue.len = 0;
+    basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+    basicConstraint.isCA = (find_field_bool(data,"basicConstraints-cA-radio-CA",
+					    PR_TRUE));
+    if (find_field_bool(data,"basicConstraints-pathLengthConstraint", PR_TRUE)){
+	basicConstraint.pathLenConstraint = atoi 
+	    (find_field(data,"basicConstraints-pathLengthConstraint-text", 
+			PR_TRUE));
+    }
+    
+    rv = CERT_EncodeBasicConstraintValue (NULL, &basicConstraint, 
+					  &encodedValue);
+    if (rv)
+	return (rv);
+    rv = CERT_AddExtension(extHandle, SEC_OID_X509_BASIC_CONSTRAINTS, 
+			   &encodedValue, 
+			   (find_field_bool(data,"basicConstraints-crit", 
+					    PR_TRUE)), PR_TRUE);
+
+    PORT_Free (encodedValue.data);
+    return (rv);
+}
+
+
+
+static SECStatus 
+AddNscpCertType (void  *extHandle, 
+		 Pair  *data)
+{
+    SECItem            bitStringValue;
+    unsigned char      CertType = 0x0;
+
+    if (find_field_bool(data,"netscape-cert-type-ssl-client", PR_TRUE)){
+	CertType |= (0x80 >> 0);
+    }
+    if (find_field_bool(data,"netscape-cert-type-ssl-server", PR_TRUE)){
+	CertType |= (0x80 >> 1);
+    }
+    if (find_field_bool(data,"netscape-cert-type-smime", PR_TRUE)){
+	CertType |= (0x80 >> 2);
+    }
+    if (find_field_bool(data,"netscape-cert-type-object-signing", PR_TRUE)){
+	CertType |= (0x80 >> 3);
+    }
+    if (find_field_bool(data,"netscape-cert-type-reserved", PR_TRUE)){
+	CertType |= (0x80 >> 4);
+    }
+    if (find_field_bool(data,"netscape-cert-type-ssl-ca", PR_TRUE)) {
+	CertType |= (0x80 >> 5);
+    }
+    if (find_field_bool(data,"netscape-cert-type-smime-ca", PR_TRUE)) {
+	CertType |= (0x80 >> 6);
+    }
+    if (find_field_bool(data,"netscape-cert-type-object-signing-ca", PR_TRUE)) {
+	CertType |= (0x80 >> 7);
+    }
+
+    bitStringValue.data = &CertType;
+    bitStringValue.len = 1;
+
+    return (CERT_EncodeAndAddBitStrExtension
+	    (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
+	     (find_field_bool(data, "netscape-cert-type-crit", PR_TRUE))));
+}
+
+
+static SECStatus
+add_IA5StringExtension(void    *extHandle, 
+		       char    *string, 
+		       PRBool  crit, 
+		       int     idtag)
+{
+    SECItem                    encodedValue;
+    SECStatus                  rv;
+
+    encodedValue.data = NULL;
+    encodedValue.len = 0;
+
+    rv = CERT_EncodeIA5TypeExtension(NULL, string, &encodedValue);
+    if (rv) {
+	return (rv);
+    }
+    return (CERT_AddExtension(extHandle, idtag, &encodedValue, crit, PR_TRUE));
+}
+
+static SECItem *
+string_to_oid(char  *string)
+{
+    int             i;
+    int             length = 20;
+    int             remaining;
+    int             first_value;
+    int             second_value;
+    int             value;
+    int             oidLength;
+    unsigned char   *oidString;
+    unsigned char   *write;
+    unsigned char   *read;
+    unsigned char   *temp;
+    SECItem         *oid;
+    
+    
+    remaining = length;
+    i = 0;
+    while (*string == ' ') {
+	string++;
+    }
+    while (isdigit(*(string + i))) {
+	i++;
+    }
+    if (*(string + i) == '.') {
+	*(string + i) = '\0';
+    } else {
+	error_out("ERROR: Improperly formated OID");
+    }
+    first_value = atoi(string);
+    if (first_value < 0 || first_value > 2) {
+	error_out("ERROR: Improperly formated OID");
+    }
+    string += i + 1;
+    i = 0;
+    while (isdigit(*(string + i))) {
+	i++;
+    }
+    if (*(string + i) == '.') {
+	*(string + i) = '\0';
+    } else {
+	error_out("ERROR: Improperly formated OID");
+    }
+    second_value = atoi(string);
+    if (second_value < 0 || second_value > 39) {
+	error_out("ERROR: Improperly formated OID");
+    }
+    oidString = PORT_ZAlloc(2);
+    *oidString = (first_value * 40) + second_value;
+    *(oidString + 1) = '\0';
+    oidLength = 1;
+    string += i + 1;
+    i = 0;
+    temp = write = PORT_ZAlloc(length);
+    while (*string != '\0') {
+	value = 0;
+	while(isdigit(*(string + i))) {
+	    i++;
+	}
+	if (*(string + i) == '\0') {
+	    value = atoi(string);
+	    string += i;
+	} else {
+	    if (*(string + i) == '.') {
+		*(string + i) = '\0';
+		value = atoi(string);
+		string += i + 1;
+	    } else {
+		*(string + i) = '\0';
+		i++;
+		value = atoi(string);
+		while (*(string + i) == ' ')
+		    i++;
+		if (*(string + i) != '\0') {
+		    error_out("ERROR: Improperly formated OID");
+		}
+	    }
+	}
+	i = 0;
+	while (value != 0) {
+	    if (remaining < 1) {
+		remaining += length;
+		length = length * 2;
+		temp = PORT_Realloc(temp, length);
+		write = temp + length - remaining;
+	    }
+	    *write = (value & 0x7f) | (0x80);
+	    write++;
+	    remaining--;
+	    value = value >> 7;
+	}
+	*temp = *temp & (0x7f);
+	oidLength += write - temp;
+	oidString = PORT_Realloc(oidString, (oidLength + 1));
+	read = write - 1;
+	write = oidLength + oidString - 1;
+	for (i = 0; i < (length - remaining); i++) {
+	    *write = *read;
+	    write--;
+	    read++;
+	}
+	write = temp;
+	remaining = length;
+    }
+    *(oidString + oidLength) = '\0';
+    oid = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
+    oid->data = oidString;
+    oid->len  = oidLength;
+    PORT_Free(temp);
+    return oid;
+}
+
+static SECItem *
+string_to_ipaddress(char *string)
+{
+    int      i = 0;
+    int      value;
+    int      j = 0;
+    SECItem  *ipaddress;
+    
+
+    while (*string == ' ') {
+	string++;
+    }
+    ipaddress = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
+    ipaddress->data = PORT_ZAlloc(9);
+    while (*string != '\0' && j < 8) {
+	while (isdigit(*(string + i))) {
+	    i++;
+	}
+	if (*(string + i) == '.') {
+	    *(string + i) = '\0';
+	    value = atoi(string);
+	    string = string + i + 1;
+	    i = 0;
+	} else {
+	    if (*(string + i) == '\0') {
+		value = atoi(string);
+		string = string + i;
+		i = 0;
+	    } else {
+		*(string + i) = '\0';
+		while (*(string + i) == ' ') {
+		    i++;
+		}
+		if (*(string + i) == '\0') {
+		    value = atoi(string);
+		    string = string + i;
+		    i = 0;
+		} else {
+		    error_out("ERROR: Improperly formated IP Address");
+		}
+	    }
+	}
+	if (value >= 0 || value < 256) {
+	    *(ipaddress->data + j) = value;
+	} else {
+	    error_out("ERROR: Improperly formated IP Address");
+	}
+	j++;
+    }
+    *(ipaddress->data + j) = '\0';
+    if (j != 4 && j != 8) {
+	error_out("ERROR: Improperly formated IP Address");
+    }
+    ipaddress->len = j;
+    return ipaddress;
+}
+
+static SECItem *
+string_to_binary(char  *string)
+{
+    SECItem            *rv;
+    int                high_digit;
+    int                low_digit;
+
+    rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
+    if (rv == NULL) {
+	error_allocate();
+    }
+    rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2);
+    while (!isxdigit(*string)) {
+	string++;
+    }
+    rv->len = 0;
+    while (*string != '\0') {
+	if (isxdigit(*string)) {
+	    if (*string >= '0' && *string <= '9') {
+		high_digit = *string - '0';
+	    } else {
+		*string = toupper(*string);
+		high_digit = *string - 'A';
+	    }
+	    string++;
+	    if (*string >= '0' && *string <= '9') {
+		low_digit = *string - '0';
+	    } else {
+		*string = toupper(*string);
+		low_digit = *string = 'A';
+	    }
+	    (rv->len)++;
+	} else {
+	    if (*string == ':') {
+		string++;
+	    } else {
+		if (*string == ' ') {
+		    while (*string == ' ') {
+			string++;
+		    }
+		}
+		if (*string != '\0') {
+		    error_out("ERROR: Improperly formated binary encoding");
+		}
+	    }
+	} 
+    }
+
+    return rv;
+}
+
+static SECStatus
+MakeGeneralName(char             *name, 
+		CERTGeneralName  *genName,
+		PRArenaPool      *arena)
+{
+    SECItem                      *oid;
+    SECOidData                   *oidData;
+    SECItem                      *ipaddress;
+    SECItem                      *temp = NULL;
+    int                          i;
+    int                          nameType;
+    PRBool                       binary = PR_FALSE;
+    SECStatus                    rv = SECSuccess;
+    PRBool                       nickname = PR_FALSE;
+
+    PORT_Assert(genName);
+    PORT_Assert(arena);
+    nameType = *(name + PORT_Strlen(name) - 1) - '0';
+    if (nameType == 0  && *(name +PORT_Strlen(name) - 2) == '1') {
+	nickname = PR_TRUE;
+	nameType = certOtherName;
+    }
+    if (nameType < 1 || nameType > 9) {
+	error_out("ERROR: Unknown General Name Type");
+    }
+    *(name + PORT_Strlen(name) - 4) = '\0';
+    genName->type = nameType;
+    
+    switch (genName->type) {
+      case certURI:
+      case certRFC822Name:
+      case certDNSName: {
+	  genName->name.other.data = (unsigned char *)name;
+	  genName->name.other.len = PORT_Strlen(name);
+	  break;
+      }
+      
+      case certIPAddress: {
+	  ipaddress = string_to_ipaddress(name);
+	  genName->name.other.data = ipaddress->data;
+	  genName->name.other.len = ipaddress->len;
+	  break;
+      }
+      
+      case certRegisterID: {
+	  oid = string_to_oid(name);
+	  genName->name.other.data = oid->data;
+	  genName->name.other.len = oid->len;
+	  break;
+      }
+      
+      case certEDIPartyName:
+      case certX400Address: {
+	  
+	  genName->name.other.data = PORT_ArenaAlloc (arena, 
+						      PORT_Strlen (name) + 2);
+	  if (genName->name.other.data == NULL) {
+	      error_allocate();
+	  }
+	  
+	  PORT_Memcpy (genName->name.other.data + 2, name, PORT_Strlen (name));
+	  /* This may not be accurate for all cases.  
+	     For now, use this tag type */
+	  genName->name.other.data[0] = (char)(((genName->type - 1) & 
+						0x1f)| 0x80);
+	  genName->name.other.data[1] = (char)PORT_Strlen (name);
+	  genName->name.other.len = PORT_Strlen (name) + 2;
+	  break;
+      }
+      
+      case certOtherName: {
+	  i = 0;
+	  if (!nickname) {
+	      while (!isdigit(*(name + PORT_Strlen(name) - i))) {
+		  i++;
+	      }
+	      if (*(name + PORT_Strlen(name) - i) == '1') {
+		  binary = PR_TRUE;
+	      } else {
+		  binary = PR_FALSE;
+	      }  
+	      while (*(name + PORT_Strlen(name) - i) != '-') {
+		  i++;
+	      }
+	      *(name + PORT_Strlen(name) - i - 1) = '\0';
+	      i = 0;
+	      while (*(name + i) != '-') {
+		  i++;
+	      }
+	      *(name + i - 1) = '\0';
+	      oid = string_to_oid(name + i + 2);
+	  } else {
+	      oidData = SECOID_FindOIDByTag(SEC_OID_NETSCAPE_NICKNAME);
+	      oid = &oidData->oid;
+	      while (*(name + PORT_Strlen(name) - i) != '-') {
+		  i++;
+	      }
+	      *(name + PORT_Strlen(name) - i) = '\0';
+	  }
+	  genName->name.OthName.oid.data = oid->data;
+	  genName->name.OthName.oid.len  = oid->len;
+	  if (binary) {
+	      temp = string_to_binary(name);
+	      genName->name.OthName.name.data = temp->data;
+	      genName->name.OthName.name.len = temp->len;
+	  } else {
+	      temp = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
+	      if (temp == NULL) {
+		  error_allocate();
+	      }
+	      temp->data = (unsigned char *)name;
+	      temp->len = PORT_Strlen(name);
+	      SEC_ASN1EncodeItem (arena, &(genName->name.OthName.name), temp,
+				  CERTIA5TypeTemplate);
+	  }
+	  PORT_Free(temp);
+	  break;
+      }
+      
+      case certDirectoryName: {
+	  CERTName *directoryName = NULL;
+	  
+	  directoryName = CERT_AsciiToName (name);
+	  if (!directoryName) {
+	      error_out("ERROR: Improperly formated alternative name");
+	      break;
+	  }
+	  rv = CERT_CopyName (arena, &genName->name.directoryName, 
+			      directoryName);
+	  CERT_DestroyName (directoryName);
+	  
+	  break;
+      }
+    }
+    genName->l.next = &(genName->l);
+    genName->l.prev = &(genName->l);
+    return rv;
+}
+
+
+static CERTGeneralName *
+MakeAltName(Pair             *data, 
+	    char             *which, 
+	    PRArenaPool      *arena)
+{
+    CERTGeneralName          *SubAltName;
+    CERTGeneralName          *current;
+    CERTGeneralName          *newname;
+    char                     *name = NULL;
+    SECStatus                rv = SECSuccess;
+    int                      len;
+    
+
+    len = PORT_Strlen(which);
+    name = find_field(data, which, PR_TRUE);
+    SubAltName = current = (CERTGeneralName *) PORT_ZAlloc
+	                                        (sizeof(CERTGeneralName));
+    if (current == NULL) {
+	error_allocate();
+    }
+    while (name != NULL) {
+
+	rv = MakeGeneralName(name, current, arena);
+
+	if (rv != SECSuccess) {
+	    break;
+	}
+	if (*(which + len -1) < '9') {
+	    *(which + len - 1) = *(which + len - 1) + 1;
+	} else {
+	    if (isdigit(*(which + len - 2) )) {
+		*(which + len - 2) = *(which + len - 2) + 1;
+		*(which + len - 1) = '0';
+	    } else {
+		*(which + len - 1) = '1';
+		*(which + len) = '0';
+		*(which + len + 1) = '\0';
+		len++;
+	    }
+	}
+	len = PORT_Strlen(which);
+	name = find_field(data, which, PR_TRUE);
+	if (name != NULL) {
+	    newname = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
+	    if (newname == NULL) {
+		error_allocate();
+	    }
+	    current->l.next = &(newname->l);
+	    newname->l.prev = &(current->l);
+	    current = newname;
+            newname = NULL;
+	} else {
+	    current->l.next = &(SubAltName->l);
+	    SubAltName->l.prev = &(current->l);
+	}
+    }
+    if (rv == SECFailure) {
+	return NULL;
+    }
+    return SubAltName;
+}
+
+static CERTNameConstraints *
+MakeNameConstraints(Pair             *data, 
+		    PRArenaPool      *arena)
+{
+    CERTNameConstraints      *NameConstraints;
+    CERTNameConstraint       *current = NULL;
+    CERTNameConstraint       *last_permited = NULL;
+    CERTNameConstraint       *last_excluded = NULL;
+    char                     *constraint = NULL;
+    char                     *which;
+    SECStatus                rv = SECSuccess;
+    int                      len;
+    int                      i;
+    long                     max;
+    long                     min;
+    PRBool                   permited;
+    
+
+    NameConstraints = (CERTNameConstraints *) PORT_ZAlloc
+	                            (sizeof(CERTNameConstraints));
+    which = make_copy_string("NameConstraintSelect0", 25,'\0');
+    len = PORT_Strlen(which);
+    constraint = find_field(data, which, PR_TRUE);
+    NameConstraints->permited = NameConstraints->excluded = NULL;
+    while (constraint != NULL) {
+	current = (CERTNameConstraint *) PORT_ZAlloc
+	                       (sizeof(CERTNameConstraint));
+	if (current == NULL) {
+	    error_allocate();
+	}
+	i = 0;
+	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
+	    i++;
+	}
+        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0'; 
+	max = (long) atoi(constraint + PORT_Strlen(constraint) + 3);
+	if (max > 0) {
+	    (void) SEC_ASN1EncodeInteger(arena, &current->max, max);
+	}
+	i = 0;
+	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
+	    i++;
+	}
+        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
+	min = (long) atoi(constraint + PORT_Strlen(constraint) + 3);
+	(void) SEC_ASN1EncodeInteger(arena, &current->min, min);
+	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
+	    i++;
+	}
+        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
+	if (*(constraint + PORT_Strlen(constraint) + 3) == 'p') {
+	    permited = PR_TRUE;
+	} else {
+	    permited = PR_FALSE;
+	}
+	rv = MakeGeneralName(constraint, &(current->name), arena);
+
+	if (rv != SECSuccess) {
+	    break;
+	}
+	if (*(which + len - 1) < '9') {
+	    *(which + len - 1) = *(which + len - 1) + 1;
+	} else {
+	    if (isdigit(*(which + len - 2) )) {
+		*(which + len - 2) = *(which + len - 2) + 1;
+		*(which + len - 1) = '0';
+	    } else {
+		*(which + len - 1) = '1';
+		*(which + len) = '0';
+		*(which + len + 1) = '\0';
+		len++;
+	    }
+	}
+	len = PORT_Strlen(which);
+	if (permited) {
+	    if (NameConstraints->permited == NULL) {
+		NameConstraints->permited = last_permited = current;
+	    }
+	    last_permited->l.next = &(current->l);
+	    current->l.prev = &(last_permited->l);
+	    last_permited = current;
+	} else {
+	    if (NameConstraints->excluded == NULL) {
+		NameConstraints->excluded = last_excluded = current;
+	    }
+	    last_excluded->l.next = &(current->l);
+	    current->l.prev = &(last_excluded->l);
+	    last_excluded = current;
+	}
+	constraint = find_field(data, which, PR_TRUE);
+	if (constraint != NULL) {
+	    current = (CERTNameConstraint *) PORT_ZAlloc(sizeof(CERTNameConstraint));
+	    if (current == NULL) {
+		error_allocate();
+	    }
+	}
+    }
+    if (NameConstraints->permited != NULL) {
+	last_permited->l.next = &(NameConstraints->permited->l);
+	NameConstraints->permited->l.prev = &(last_permited->l);
+    }
+    if (NameConstraints->excluded != NULL) {
+	last_excluded->l.next = &(NameConstraints->excluded->l);
+	NameConstraints->excluded->l.prev = &(last_excluded->l);
+    }
+    if (which != NULL) {
+	PORT_Free(which);
+    }
+    if (rv == SECFailure) {
+	return NULL;
+    }
+    return NameConstraints;
+}
+
+
+
+static SECStatus
+AddAltName(void              *extHandle,
+	   Pair              *data,
+	   char              *issuerNameStr, 
+	   CERTCertDBHandle  *handle,
+	   int               type)
+{
+    PRBool             autoIssuer = PR_FALSE;
+    PRArenaPool        *arena = NULL;
+    CERTGeneralName    *genName = NULL;
+    char               *which = NULL;
+    char               *name = NULL;
+    SECStatus          rv = SECSuccess;
+    SECItem            *issuersAltName = NULL;
+    CERTCertificate    *issuerCert = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	error_allocate();
+    }
+    if (type == 0) {
+	which = make_copy_string("SubAltNameSelect0", 20,'\0');
+	genName = MakeAltName(data, which, arena);
+    } else {
+	if (autoIssuer) {
+	    autoIssuer = find_field_bool(data,"IssuerAltNameSourceRadio-auto",
+					 PR_TRUE);
+	    issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
+	    rv = cert_FindExtension((*issuerCert).extensions, 
+				    SEC_OID_X509_SUBJECT_ALT_NAME, 
+				    issuersAltName);
+	    if (issuersAltName == NULL) {
+		name = PORT_Alloc(PORT_Strlen((*issuerCert).subjectName) + 4);
+		PORT_Strcpy(name, (*issuerCert).subjectName);
+		PORT_Strcat(name, " - 5");
+	    }
+	} else {
+	    which = make_copy_string("IssuerAltNameSelect0", 20,'\0');
+	    genName = MakeAltName(data, which, arena);
+	}
+    }
+    if (type == 0) {
+	EncodeAndAddExtensionValue(arena, extHandle, genName, 
+				   find_field_bool(data, "SubAltName-crit", 
+						   PR_TRUE), 
+				   SEC_OID_X509_SUBJECT_ALT_NAME, 
+				   (EXTEN_VALUE_ENCODER)
+				   CERT_EncodeAltNameExtension);
+
+    } else {
+	if (autoIssuer && (name == NULL)) {
+	    rv = CERT_AddExtension
+		(extHandle, SEC_OID_X509_ISSUER_ALT_NAME, issuersAltName,
+		 find_field_bool(data, "IssuerAltName-crit", PR_TRUE), PR_TRUE);
+	} else {
+	    EncodeAndAddExtensionValue(arena, extHandle, genName, 
+				       find_field_bool(data, 
+						       "IssuerAltName-crit", 
+						       PR_TRUE), 
+				       SEC_OID_X509_ISSUER_ALT_NAME, 
+				       (EXTEN_VALUE_ENCODER)
+				       CERT_EncodeAltNameExtension);
+	}
+    }
+    if (which != NULL) {
+	PORT_Free(which);
+    }
+    if (issuerCert != NULL) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    return rv;
+}
+
+
+static SECStatus
+AddNameConstraints(void  *extHandle,
+		   Pair  *data)
+{
+    PRArenaPool         *arena = NULL;
+    CERTNameConstraints *constraints = NULL;
+    SECStatus           rv = SECSuccess;
+
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	error_allocate();
+    }
+    constraints = MakeNameConstraints(data, arena);
+    if (constraints != NULL) {
+	EncodeAndAddExtensionValue(arena, extHandle, constraints, PR_TRUE, 
+				   SEC_OID_X509_NAME_CONSTRAINTS, 
+				   (EXTEN_VALUE_ENCODER)
+				   CERT_EncodeNameConstraintsExtension);
+    }
+    if (arena != NULL) {
+	PORT_ArenaRelease (arena, NULL);
+    }
+    return rv;
+}
+
+
+static SECStatus
+add_extensions(CERTCertificate   *subjectCert, 
+	       Pair              *data, 
+	       char              *issuerNameStr, 
+	       CERTCertDBHandle  *handle)
+{
+    void                         *extHandle;
+    SECStatus                    rv = SECSuccess;
+
+
+    extHandle = CERT_StartCertExtensions (subjectCert);
+    if (extHandle == NULL) {
+	error_out("ERROR: Unable to get certificates extension handle");
+    }
+    if (find_field_bool(data, "keyUsage", PR_TRUE)) {
+	rv = AddKeyUsage(extHandle, data);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Key Usage extension");
+	}
+    }
+
+    if( find_field_bool(data, "extKeyUsage", PR_TRUE) ) {
+      rv = AddExtKeyUsage(extHandle, data);
+      if( SECSuccess != rv ) {
+        error_out("ERROR: Unable to add Extended Key Usage extension");
+      }
+    }
+
+    if (find_field_bool(data, "basicConstraints", PR_TRUE)) {
+	rv = AddBasicConstraint(extHandle, data);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Basic Constraint extension");
+	}
+    }
+    if (find_field_bool(data, "subjectKeyIdentifier", PR_TRUE)) {
+	rv = AddSubKeyID(extHandle, data, subjectCert);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Subject Key Identifier Extension");
+	}
+    }
+    if (find_field_bool(data, "authorityKeyIdentifier", PR_TRUE)) {
+	rv = AddAuthKeyID (extHandle, data, issuerNameStr, handle);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Authority Key Identifier extension");
+	}
+    }
+    if (find_field_bool(data, "privKeyUsagePeriod", PR_TRUE)) {
+	rv = AddPrivKeyUsagePeriod (extHandle, data, subjectCert);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Private Key Usage Period extension");
+	}
+    }
+    if (find_field_bool(data, "SubAltName", PR_TRUE)) {
+	rv = AddAltName (extHandle, data, NULL, NULL, 0);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Subject Alternative Name extension");
+	}
+    }
+    if (find_field_bool(data, "IssuerAltName", PR_TRUE)) {
+	rv = AddAltName (extHandle, data, issuerNameStr, handle, 1);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Issuer Alternative Name Extension");
+	}
+    }
+    if (find_field_bool(data, "NameConstraints", PR_TRUE)) {
+	rv = AddNameConstraints(extHandle, data);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Name Constraints Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-cert-type", PR_TRUE)) {
+	rv = AddNscpCertType(extHandle, data);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape Certificate Type Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-base-url", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, "netscape-base-url-text", 
+					       PR_TRUE), 
+				    find_field_bool(data, 
+						    "netscape-base-url-crit", 
+						    PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_BASE_URL);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape Base URL Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-revocation-url", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, 
+					       "netscape-revocation-url-text", 
+					       PR_TRUE), 
+				    find_field_bool
+				       (data, "netscape-revocation-url-crit", 
+					PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_REVOCATION_URL);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape Revocation URL Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-ca-revocation-url", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, 
+					      "netscape-ca-revocation-url-text",
+					       PR_TRUE), 
+				    find_field_bool
+				        (data, "netscape-ca-revocation-url-crit"
+					 , PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape CA Revocation URL Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-cert-renewal-url", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, 
+					       "netscape-cert-renewal-url-text",
+					       PR_TRUE), 
+				    find_field_bool
+				        (data, "netscape-cert-renewal-url-crit",
+					 PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape Certificate Renewal URL Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-ca-policy-url", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, 
+					       "netscape-ca-policy-url-text", 
+					       PR_TRUE), 
+				    find_field_bool
+				         (data, "netscape-ca-policy-url-crit", 
+					  PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_CA_POLICY_URL);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape CA Policy URL Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-ssl-server-name", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, 
+					       "netscape-ssl-server-name-text", 
+					       PR_TRUE), 
+				    find_field_bool
+				         (data, "netscape-ssl-server-name-crit",
+					  PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape SSL Server Name Extension");
+	}
+    }
+    if (find_field_bool(data, "netscape-comment", PR_TRUE)) {
+	rv = add_IA5StringExtension(extHandle, 
+				    find_field(data, "netscape-comment-text", 
+					       PR_TRUE), 
+				    find_field_bool(data, 
+						    "netscape-comment-crit", 
+						    PR_TRUE),
+				    SEC_OID_NS_CERT_EXT_COMMENT);
+	if (rv != SECSuccess) {
+	    error_out("ERROR: Unable to add Netscape Comment Extension");
+	}
+    }
+    CERT_FinishExtensions(extHandle);
+    return (rv);
+}
+
+
+
+char *
+return_dbpasswd(PK11SlotInfo *slot, PRBool retry, void *data)
+{
+    char *rv;
+
+    /* don't clobber our poor smart card */
+    if (retry == PR_TRUE) {
+	return NULL;
+    }
+    rv = PORT_Alloc(4);
+    PORT_Strcpy(rv, "foo");
+    return rv;
+}
+
+
+SECKEYPrivateKey *
+FindPrivateKeyFromNameStr(char              *name, 
+			  CERTCertDBHandle  *certHandle)
+{
+    SECKEYPrivateKey                        *key;
+    CERTCertificate                         *cert;
+    CERTCertificate                         *p11Cert;
+
+
+    /* We don't presently have a PK11 function to find a cert by 
+    ** subject name.  
+    ** We do have a function to find a cert in the internal slot's
+    ** cert db by subject name, but it doesn't setup the slot info.
+    ** So, this HACK works, but should be replaced as soon as we 
+    ** have a function to search for certs accross slots by subject name.
+    */
+    cert = CERT_FindCertByNameString(certHandle, name);
+    if (cert == NULL || cert->nickname == NULL) {
+	error_out("ERROR: Unable to retrieve issuers certificate");
+    }
+    p11Cert = PK11_FindCertFromNickname(cert->nickname, NULL);
+    if (p11Cert == NULL) {
+	error_out("ERROR: Unable to retrieve issuers certificate");
+    }
+    key = PK11_FindKeyByAnyCert(p11Cert, NULL);
+    return key;
+}
+
+static SECItem *
+SignCert(CERTCertificate   *cert,
+	 char              *issuerNameStr,
+	 Pair              *data,
+	 CERTCertDBHandle  *handle,
+         int               which_key)
+{
+    SECItem                der;
+    SECKEYPrivateKey       *caPrivateKey = NULL;
+    SECStatus              rv;
+    PRArenaPool            *arena;
+    SECOidTag              algID;
+
+    if (which_key == 0) {
+	caPrivateKey = FindPrivateKeyFromNameStr(issuerNameStr, handle); 
+    } else {
+	caPrivateKey = privkeys[which_key - 1];
+    }
+    if (caPrivateKey == NULL) {
+	error_out("ERROR: unable to retrieve issuers key");
+    }
+	
+    arena = cert->arena;
+
+    algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType,
+					    SEC_OID_UNKNOWN);
+    if (algID == SEC_OID_UNKNOWN) {
+	error_out("ERROR: Unknown key type for issuer.");
+	goto done;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
+    if (rv != SECSuccess) {
+	error_out("ERROR: Could not set signature algorithm id.");
+    }
+
+    if (find_field_bool(data,"ver-1", PR_TRUE)) {
+	*(cert->version.data) = 0;
+	cert->version.len = 1;
+    } else {
+	*(cert->version.data) = 2;
+	cert->version.len = 1;
+    }
+    der.data = NULL;
+    der.len = 0;
+    (void) SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate);
+    if (der.data == NULL) {
+	error_out("ERROR: Could not encode certificate.\n");
+    }
+    rv = SEC_DerSignData (arena, &(cert->derCert), der.data, der.len, caPrivateKey,
+			  algID);
+    if (rv != SECSuccess) {
+	error_out("ERROR: Could not sign encoded certificate data.\n");
+    }
+done:
+    SECKEY_DestroyPrivateKey(caPrivateKey);
+    return &(cert->derCert);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    int                    length = 500;
+    int                    remaining = 500;
+    int                    n;
+    int                    i;
+    int                    serial;
+    int                    chainLen;
+    int                    which_key;
+    char                   *pos;
+#ifdef OFFLINE
+    char                   *form_output = "key=MIIBPTCBpzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iydzPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXcsAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZaOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dtrue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoiceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
+#else
+    char                   *form_output;
+#endif
+    char                   *issuerNameStr;
+    char                   *certName;
+    char                   *DBdir = DB_DIRECTORY;
+    char                   *prefixs[10] = {"CA#1-", "CA#2-", "CA#3-", 
+					   "CA#4-", "CA#5-", "CA#6-", 
+					   "CA#7-", "CA#8-", "CA#9-", ""};
+    Pair                   *form_data;
+    CERTCertificate        *cert;
+    CERTCertDBHandle       *handle;
+    CERTCertificateRequest *certReq = NULL;
+    int                    warpmonths = 0;
+    SECItem                *certDER;
+#ifdef FILEOUT
+    FILE                   *outfile;
+#endif
+    SECStatus              status = SECSuccess;
+    extern                 char prefix[PREFIX_LEN];
+    SEC_PKCS7ContentInfo   *certChain;
+    SECItem                *encodedCertChain;
+    PRBool                 UChain = PR_FALSE;
+
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+
+#ifdef TEST
+    sleep(20);
+#endif
+    SECU_ConfigDirectory(DBdir);
+
+    PK11_SetPasswordFunc(return_dbpasswd);
+    status = NSS_InitReadWrite(DBdir);
+    if (status != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+    handle = CERT_GetDefaultCertDB();
+
+    prefix[0]= '\0';
+#if !defined(OFFLINE)
+    form_output = (char*) PORT_Alloc(length);
+    if (form_output == NULL) {
+	error_allocate();
+    }
+    pos = form_output;
+    while (feof(stdin) == 0 ) {
+	if (remaining <= 1) {
+	    remaining += length;
+	    length = length * 2;
+	    form_output = PORT_Realloc(form_output, (length));
+	    if (form_output == NULL) {
+		error_allocate();
+	    }
+	    pos = form_output + length - remaining;
+	}
+	n = fread(pos, 1, (size_t) (remaining - 1), stdin);
+	pos += n;
+	remaining -= n;
+    }
+    *pos = '&';
+    pos++;
+    length = pos - form_output;
+#else
+    length = PORT_Strlen(form_output);
+#endif
+#ifdef FILEOUT
+    printf("Content-type: text/plain\n\n");
+    fwrite(form_output, 1, (size_t)length, stdout);
+    printf("\n");
+#endif
+#ifdef FILEOUT
+    fwrite(form_output, 1, (size_t)length, stdout);
+    printf("\n");
+    fflush(stdout);
+#endif
+    form_data = make_datastruct(form_output, length);
+    status = clean_input(form_data);
+#if !defined(OFFLINE)
+    PORT_Free(form_output);
+#endif
+#ifdef FILEOUT
+    i = 0;
+    while(return_name(form_data, i) != NULL) {
+        printf("%s",return_name(form_data,i));
+        printf("=\n");
+        printf("%s",return_data(form_data,i));
+        printf("\n");
+	i++;
+    }
+    printf("I got that done, woo hoo\n");
+    fflush(stdout);
+#endif
+    issuerNameStr = PORT_Alloc(200);
+    if (find_field_bool(form_data, "caChoiceradio-SignWithSpecifiedChain",
+			PR_FALSE)) {
+	UChain = PR_TRUE;
+	chainLen = atoi(find_field(form_data, "manCAs", PR_FALSE));
+	PORT_Strcpy(prefix, prefixs[0]);
+	issuerNameStr = PORT_Strcpy(issuerNameStr,
+			       "CN=Cert-O-Matic II, O=Cert-O-Matic II");
+	if (chainLen == 0) {
+	    UChain =  PR_FALSE;
+	}
+    } else {
+	if (find_field_bool(form_data, "caChoiceradio-SignWithRandomChain", 
+			    PR_FALSE)) {
+	    PORT_Strcpy(prefix,prefixs[9]);
+	    chainLen = atoi(find_field(form_data, "autoCAs", PR_FALSE));
+	    if (chainLen < 1 || chainLen > 18) {
+		issuerNameStr = PORT_Strcpy(issuerNameStr, 
+				       "CN=CA18, O=Cert-O-Matic II");
+	    }
+	    issuerNameStr = PORT_Strcpy(issuerNameStr, "CN=CA");
+	    issuerNameStr = PORT_Strcat(issuerNameStr, 
+				   find_field(form_data,"autoCAs", PR_FALSE));
+	    issuerNameStr = PORT_Strcat(issuerNameStr,", O=Cert-O-Matic II");
+	} else {
+	    issuerNameStr = PORT_Strcpy(issuerNameStr, 
+				   "CN=Cert-O-Matic II, O=Cert-O-Matic II");
+	}
+	chainLen = 0;
+    }
+
+    i = -1;
+    which_key = 0;
+    do {
+    	extern SECStatus cert_GetKeyID(CERTCertificate *cert);
+	i++;
+	if (i != 0 && UChain) {
+	    PORT_Strcpy(prefix, prefixs[i]);
+	}
+	/*        find_field(form_data,"subject", PR_TRUE); */
+	certReq = makeCertReq(form_data, which_key);
+#ifdef OFFLINE
+	serial = 900;
+#else
+	serial = get_serial_number(form_data);
+#endif
+	cert = MakeV1Cert(handle, certReq, issuerNameStr, PR_FALSE, 
+			  serial, warpmonths, form_data);
+	if (certReq != NULL) {
+	    CERT_DestroyCertificateRequest(certReq);
+	}
+	if (find_field_bool(form_data,"ver-3", PR_TRUE)) {
+	    status = add_extensions(cert, form_data, issuerNameStr, handle);
+	    if (status != SECSuccess) {
+		error_out("ERROR: Unable to add extensions");
+	    }
+	}
+	status = cert_GetKeyID(cert);
+	if (status == SECFailure) {
+	    error_out("ERROR: Unable to get Key ID.");
+	}
+	certDER = SignCert(cert, issuerNameStr, form_data, handle, which_key);
+	CERT_NewTempCertificate(handle, certDER, NULL, PR_FALSE, PR_TRUE);
+	issuerNameStr = find_field(form_data, "subject", PR_TRUE);
+	/*        SECITEM_FreeItem(certDER, PR_TRUE); */
+	CERT_DestroyCertificate(cert);
+	if (i == (chainLen - 1)) {
+	    i = 8;
+	}
+	++which_key;
+    } while (i < 9 && UChain);
+
+
+
+#ifdef FILEOUT
+    outfile = fopen("../certout", "wb");
+#endif
+    certName = find_field(form_data, "subject", PR_FALSE);
+    cert = CERT_FindCertByNameString(handle, certName);
+    certChain = SEC_PKCS7CreateCertsOnly (cert, PR_TRUE, handle);
+    if (certChain == NULL) {
+	error_out("ERROR: No certificates in cert chain");
+    }
+    encodedCertChain = SEC_PKCS7EncodeItem (NULL, NULL, certChain, NULL, NULL, 
+					    NULL);
+    if (encodedCertChain) {
+#if !defined(FILEOUT)
+	printf("Content-type: application/x-x509-user-cert\r\n");
+	printf("Content-length: %d\r\n\r\n", encodedCertChain->len);
+	fwrite (encodedCertChain->data, 1, encodedCertChain->len, stdout);
+#else
+	fwrite (encodedCertChain->data, 1, encodedCertChain->len, outfile);
+#endif
+
+    } else {
+	error_out("Error: Unable to DER encode certificate");
+    }
+#ifdef FILEOUT
+    printf("\nI got here!\n");
+    fflush(outfile);
+    fclose(outfile);
+#endif
+    fflush(stdout);
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+    return 0;
+}
+
diff --git a/security/nss/cmd/certcgi/index.html b/security/nss/cmd/certcgi/index.html
new file mode 100644
index 000000000..2909dd0cf
--- /dev/null
+++ b/security/nss/cmd/certcgi/index.html
@@ -0,0 +1,821 @@
+<HTML>	<!-- -*- Mode: Java; tab-width: 8 -*- -->
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<HEAD>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
+<SCRIPT LANGUAGE="JavaScript1.2">
+
+script_url = 'http://interzone.mcom.com/cgi-bin/certomatic/bin/certcgi.cgi'
+
+ext_page_ver1 =
+  make_page_intro('Version 1 extensions', "#FFFFFF") +
+  '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext1">' +
+  'Version 1 X.509 certs do not support extensions' +
+  '</IFRAME>' +
+  '</body></html>';
+
+num_ca = 0;
+
+your_certificate_index_label       = 'Your Certificate';
+netscape_extensions_index_label    = 'Netscape X.509 Extensions';
+standard_extensions_index_label    = 'Standard X.509 Extensions';
+certifying_authorities_index_label = 'Certifying Authorities';
+add_sub_alt_name_index_label       = 'Add Subject Alternative Name';
+
+index_list = 
+  '0, your_certificate_index_label,' +
+  '0, netscape_extensions_index_label,' +
+  '0, standard_extensions_index_label,' +
+  '0, certifying_authorities_index_label';
+
+add_index_list = '';
+
+ver = 3
+
+max_pages = 13;
+cur_page = 1;
+
+ext_page_array = new Array(max_pages);
+
+index_label = 'Options';
+
+var main_page = 
+  make_page_intro('Your Key', "#FFFFFF") +
+  '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="main" SRC="main.html">' +
+  '</IFRAME>' +
+  '</body></html>' ;
+
+function setSubAltNameType(form)
+{
+  with(form) {
+    if (SubAltNameRadio[0].checked) {
+      return true;
+    }
+    if (SubAltNameRadio[3].checked || SubAltNameRadio[5].checked) {
+      SubAltNameDataType.checked = true;
+      return true;
+    }
+    if (SubAltNameRadio[1].checked || SubAltNameRadio[2].checked ||
+	SubAltNameRadio[4].checked || SubAltNameRadio[6].checked ||
+	SubAltNameRadio[7].checked || SubAltNameRadio[8].checked) {
+      SubAltNameDataType.checked = false;
+      return true;
+    }
+  }
+  return true;
+}
+
+function setIssuerAltNameType(form)
+{
+  with(form) {
+    if (IssuerAltNameRadio[0].checked) {
+      return true;
+    }
+    if (IssuerAltNameRadio[3].checked || IssuerAltNameRadio[5].checked) {
+      IssuerAltNameDataType.checked = true;
+      return true;
+    }
+    if (IssuerAltNameRadio[1].checked || IssuerAltNameRadio[2].checked ||
+	IssuerAltNameRadio[4].checked || IssuerAltNameRadio[6].checked ||
+	IssuerAltNameRadio[7].checked || IssuerAltNameRadio[8].checked) {
+      IssuerAltNameDataType.checked = false;
+      return true;
+    }
+  }
+  return true;
+}
+
+
+function setNameConstraintNameType(form)
+{
+  with(form) {
+    if (NameConstraintRadio[0].checked) {
+      return true;
+    }
+    if (NameConstraintRadio[3].checked || NameConstraintRadio[5].checked) {
+      NameConstraintNameDataType.checked = true;
+      return true;
+    }
+    if (NameConstraintRadio[1].checked || NameConstraintRadio[2].checked ||
+	NameConstraintRadio[4].checked || NameConstraintRadio[6].checked ||
+	NameConstraintRadio[7].checked || NameConstraintRadio[8].checked) {
+      NameConstraintNameDataType.checked = false;
+      return true;
+    }
+  }
+  return true;
+}
+
+
+function addSubAltName(form)
+{
+  with(form) {
+    var len = SubAltNameSelect.length;
+    var value;
+    var i = 0;
+    while(!(i == (SubAltNameRadio.length - 1)) & 
+          !(SubAltNameRadio[i].checked == true)) {
+      i++;
+    }
+    if (i != 0) {
+      value = SubAltNameText.value + " - " + (i + 1);
+    } else {
+      value = SubAltNameText.value + " - " + 
+              SubAltNameOtherNameOID.value + " - ";
+      if (SubAltNameDataType.checked) {
+	value += "1 - ";
+      } else {
+	value += "0 - ";
+      }
+      value += (i + 1);
+      if (SubAltNameOtherNameOID.value == "") {
+	alert("Other names must include an OID");
+	return false;
+      }
+    }
+
+    if ((SubAltNameText.value == "") | (SubAltNameRadio[i].checked != true)) {
+      alert("Alternative Names must include values for name and name type.");
+    } else {
+      SubAltNameSelect.options[len] = new Option(value, value);
+    }
+  }
+  return true;
+}
+
+function deleteSubAltName(form)
+{
+  with(form) {
+    while (SubAltNameSelect.selectedIndex >= 0) {
+      SubAltNameSelect[SubAltNameSelect.selectedIndex] = null;
+    }
+  }
+}
+  
+function addIssuerAltName(form)
+{
+  with(form)
+  {
+    var len = IssuerAltNameSelect.length;
+    var value;
+    var i = 0;
+
+    while(!(i == (IssuerAltNameRadio.length -1)) & 
+          !(IssuerAltNameRadio[i].checked == true)) {
+      i++;
+    }
+    if (i != 0) {
+      value = IssuerAltNameText.value + " - " + (i + 1);
+    } else {
+      value = IssuerAltNameText.value + " - " + 
+              IssuerAltNameOtherNameOID.value + " - ";
+      if (IssuerAltNameDataType.checked) {
+	value += "1 - ";
+      } else {
+	value += "0 - ";
+      }
+      value += (i + 1);
+      if (IssuerAltNameOtherNameOID.value == "") {
+	  alert("Other names must include an OID");
+	  return false;
+      }
+    }
+    if ((IssuerAltNameText.value == "") | 
+        (IssuerAltNameRadio[i].checked != true)) {
+      alert("Alternative Names must include values for name and name type.")
+    } else {
+      IssuerAltNameSelect.options[len] = new Option(value, value);
+    }
+  }
+  return true;
+}
+
+function deleteIssuerAltName(form)
+{
+  with(form) {
+    while (IssuerAltNameSelect.selectedIndex >= 0) {
+      IssuerAltNameSelect[IssuerAltNameSelect.selectedIndex] = null;
+    }
+  }
+}
+
+
+
+function addNameConstraint(form)
+{
+  with(form) {
+    var len = NameConstraintSelect.length;
+    var value;
+    var i = 0;
+    var min = NameConstraintMin.value;
+    var max = NameConstraintMax.value;
+
+    while(!(i == (NameConstraintRadio.length - 1) ) & 
+          !(NameConstraintRadio[i].checked == true)) {
+      i++;
+    }
+    value = NameConstraintText.value + " - ";
+    if (i == 0) {
+      value += NameConstraintOtherNameOID.value + " - ";
+      if (NameConstraintNameDataType.checked) {
+	value += "1 - ";
+      } else {
+	value += "0 - ";
+      }
+      if (NameConstraintOtherNameOID.value == "") {
+	alert("Other names must include an OID");
+	return false;
+      }
+    }
+    value += (i + 1) + " - ";
+    if (NameConstraintTypeRadio[0].checked == true) {
+      value += "p - ";
+    } else {
+      value += "e - ";
+    }
+    value += min + " - " + max;
+    if ((min == "") | (NameConstraintText.value == "") | 
+        (NameConstraintRadio[i].checked != true)) {
+      alert("Name Constraints must include values for minimum, name, and name type.")
+    } else {
+      NameConstraintSelect.options[len] = new Option(value, value);
+    }
+  }
+  return true;
+}
+
+function deleteNameConstraint(form)
+{
+  with(form) {
+    while (NameConstraintSelect.selectedIndex >= 0) {
+      NameConstraintSelect[NameConstraintSelect.selectedIndex] = null;
+    }
+  }
+}
+
+
+function submit_it()
+{
+  save_cur_page(cur_page);
+
+  var ver1 = (ver == 1);
+  var ver3 = (ver == 3);
+  var array_string;
+  var serial        = ext_page_array[0][10][0];
+  var serial_number = ext_page_array[0][12][0];
+  var manValidity   = ext_page_array[0][19][0];
+  var notBefore     = ext_page_array[0][20][0];
+  var notAfter      = ext_page_array[0][21][0];
+  var subject       = ext_page_array[0][22][0];
+
+  if (subject == "") {
+    alert("The DN field must contain some data");
+    return false;
+  }
+  if (!serial & serial_number == "") {
+    alert("No serial number specified");
+    return false;
+  }
+  if (ext_page_array[0][15][0]) {
+    var keygen = "<keygen name=\"key\" challenge=\"foo\">";
+  } else {
+    switch (ext_page_array[0][17][0]) {
+      case 2:
+        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIGdAkEAjfKklEkidqo9JXWbsGhpy+rA2Dr7jQz3y7gyTw14guXQdi/FtyEOr8Lprawyq3qsSWk9+/g3JMLsBzbuMcgCkQIVAMdzIYxzfsjumTtPLe0w9I7azpFfAkEAYm0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5UhklycxC6fb0ZLCIzFcq9T5teIAg==\" name=\"key\" challenge=\"foo\">";
+	break;
+      case 1:
+        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIHaAmDCboVgX0+6pEeMlbwsasWDVBcJNHPKMzkq9kbCRK2U3k+tE15n+Dc2g3ZjDYr1um51e2iLC34/BwAAAAAAAAAAAAAAAAAAAAAAAAABbBhnlFN5Djmt0Mk8cdEBY5H8iPMCFMhUnFtbpjn3EyfH2DjVg3ALh7FtAmA2zWzhpeCwvOTjYnQorlXiv0WcnSiWmaC79CRYkFt5i+UEfRxwP1eNGJBVB1T+CPW6JGd4WhgsqtSf53pn5DEtv++O7lNfXyOhWhb3KaWHYIx8fuAXtioIWkWmpfEIVZA=\" name=\"key\" challenge=\"foo\">";
+	break;
+      case 0:
+        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIIBHAKBgId8SiiWrcdua5zbsBhPkKfFcnHBG7T/bQla7c6OixGjjmSSuq2fJLvMKa579CaxHxLZzZZXIHmAk9poRgWl2GUUkCJ68XSum8OQzDPXPsofcEdeANjw3mIAAAAAAAAAAAAAAAAAAAAAAAAIE+MkW5hguLIQqWvEVi9dMpbNu6OZAhTIA+y3TgyiwA0D8pt686ofaL1IOQKBgAiZQC6UCXztr2iXxJrAC+51gN5oX/R9Thilln9RGegsWnHrdxUOpcm5vAWp1LU8TOXtujE8kqkm3UxIRhUWQORe9IxLANAXmZJqkw9FEVHkxj6Cy9detwT2MyBzSwS6avsf7aLisgHmI/IHSeapJsQ3NQa3rikb6zRiqIV+TVa6\" name=\"key\" challenge=\"foo\">";
+        break;
+    }
+  }
+  array_string =  build_array_string();
+  hiddens = "<input type=\"hidden\" name=\"subject\" value=\'" + subject + "\'> \n" +
+            "<input type=\"hidden\" name=\"serial-auto\" value=\"" + serial + "\"> \n" +
+            "<input type=\"hidden\" name=\"serial_value\" value=\"" + serial_number + "\"> \n" +
+            "<input type=\"hidden\" name=\"ver-1\" value=\"" + ver1 + "\"> \n" +
+            "<input type=\"hidden\" name=\"ver-3\" value=\"" + ver3 + "\"> \n" +
+            "<input type=\"hidden\" name=\"notBefore\" value=\"" + notBefore + "\"> \n" +
+            "<input type=\"hidden\" name=\"notAfter\" value=\"" + notAfter + "\"> \n" +
+            "<input type=\"hidden\" name=\"manValidity\" value=\"" + manValidity + "\"> \n" +
+            array_string;
+
+  var good_submit_page =
+    '<html>' +
+    '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" BGCOLOR="#FFFFFF">' +
+    '<form method="post" action="' + script_url + '">' +
+    'Select size for your key:' + keygen + '</p>' +
+    '<input type="submit"></p>' +
+    hiddens +
+    '</form>\n' +
+    '</body>\n' +
+    '</html>\n';
+
+  window.frames['right'].document.write(good_submit_page);
+  window.frames['right'].document.close();
+  cur_page = max_pages + 1;
+  make_left_frame(window);
+  return false;
+}
+
+
+
+function build_array_string()
+{
+  var pg;
+  var array_string = '';
+  var pages;
+
+  if ((ext_page_array[3][4][0] > 0) && ext_page_array[3][3][0]) {
+    pages = 4 + parseInt(ext_page_array[3][4][0]);
+  } else {
+    pages = 4;
+  }
+  for (pg = 1; pg < pages; pg++) {
+    if ((pg > 1 || (ver == 3)) && (ext_page_array[pg].length > 1)) {
+      if (pg < 4) {
+	for (i = 0; i < ext_page_array[pg].length; i++) {
+	  if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
+	    if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
+	      array_string +=  '<input type=\"hidden\" name=\"' + 
+                               ext_page_array[pg][i][1] + '\" value=\'' + 
+                               ext_page_array[pg][i][0] + '\'> \n';
+	    } else {
+	      for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
+		array_string += '<input type=\"hidden\" name=\"' + 
+                                ext_page_array[pg][i][1] + k + '\" value=\'' + 
+                                ext_page_array[pg][i][0][k] + '\'> \n';
+	      }
+	    }
+	  } else {
+	    array_string += '<input type=\"hidden\" name=\"' + 
+                            ext_page_array[pg][i][1] + '-' + 
+			    ext_page_array[pg][i][2] + '\" value=\'' + 
+			    ext_page_array[pg][i][0] + '\'> \n';
+	  }
+	}
+      } else {
+	for (i = 0; i < ext_page_array[pg].length; i++) {
+	  if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
+	    if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
+	      array_string += '<input type=\"hidden\" name=\"' + 
+	                      'CA#' + (pg - 3) + '-' + 
+			      ext_page_array[pg][i][1] + '\" value=\'' + 
+			      ext_page_array[pg][i][0] +'\'> \n';
+	    } else {
+	      for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
+		array_string += '<input type=\"hidden\" name=\"' + 
+		                'CA#' + (pg - 3) + '-' + 
+				ext_page_array[pg][i][1] + k + '\" value=\'' + 
+				ext_page_array[pg][i][0][k] + '\'> \n';
+	      }
+	    }
+	  } else {
+	    array_string += '<input type=\"hidden\" name=\"' + 
+	                    'CA#' + (pg - 3) + '-' + 
+			    ext_page_array[pg][i][1] + '-' + 
+			    ext_page_array[pg][i][2] + '\" value=\'' + 
+			    ext_page_array[pg][i][0] + '\'> \n';
+	  }
+	}
+      }
+    }
+  }
+  return array_string;
+}
+
+
+
+function init_ext_page_array()
+{
+  for (i = 0; i < max_pages; i++) {
+    ext_page_array[i] = '';
+  }
+}
+
+function ca_num_change(n,ca_form)
+{
+  with(ca_form) {
+    n = parseInt(n,10);
+    if (caChoiceradio[2].checked) {
+      if (n) {
+	update_left_frame(n);
+      } else {
+	update_left_frame(0);
+      }
+    }
+  }
+}
+
+function choice_change(ca_form)
+{
+  with(ca_form) {
+    if (caChoiceradio[2].checked) {
+      ca_num_change(manCAs.value,ca_form);
+    } else {
+      update_left_frame(0);
+    }
+  }
+}
+
+function update_left_frame(n)
+{
+  var add_string = '';
+  for (var i = 0; i < n; i++) {
+    var j = i + 1;
+    add_string = add_string + ',1, \'CA #' + j + '\'';
+  }
+  top.add_index_list = add_string;
+  num_ca = n;
+  make_left_frame(window);
+}
+
+function set_ver1()
+// redraws the extensions page for version 1 certificates
+{
+  ver = 1
+  if (cur_page == 2 || cur_page == 3) {
+    switch_right_frame(window, cur_page, cur_page);
+  }
+}
+
+
+function set_ver3()
+// redraws the extensions page for version 3 certificates
+{
+  ver = 3
+  if (cur_page == 2) {
+    switch_right_frame(window, 0, 2);
+  } else if (cur_page == 3) {
+    switch_right_frame(window, 0, 3);
+  }
+}
+
+function reset_subject(marker, value, form)
+// Updates the subject field from a subordinate field
+{
+  with(form) {
+    var field_sep = '", ';
+    var begin_index = subject.value.indexOf(marker);
+    if (begin_index != 0 && subject.value[begin_index - 1] != ' ') {
+      begin_index = subject.value.indexOf(marker, begin_index +1);
+    }
+    var end_index = subject.value.indexOf(field_sep, begin_index);
+    if (begin_index > -1) {       // is it a delete/change?
+      if (end_index == -1) {      // is it the last one (includes only one)?
+        if (value.length > 0) {   // do I have to change it?
+          if (begin_index == 0) { // is is the only one?
+            subject.value = marker + '"' + value + '"';
+          } else {                // it is the last of many
+            subject.value = subject.value.substring(0,begin_index) + 
+	                    marker + '"' + value + '"';
+          }
+        } else {                  //  must be a delete
+          if (begin_index == 0) { // is it the only one?
+            begin_index += 2;
+          }
+          subject.value = subject.value.substring(0,(begin_index - 2));
+        }
+      } else {                    // it is the first of many or a middle one
+        if (value.length >0) {    // do I have to change it?
+          subject.value = 
+	  	subject.value.substring(0,(begin_index + marker.length + 1)) + 
+		value + subject.value.substring(end_index,subject.length);
+        } else {                  // it is a delete
+          subject.value = subject.value.substring(0,begin_index) + 
+	        subject.value.substring((end_index + 3),subject.length);
+        }
+      }
+    } else {                      // It is either an insert or a do nothing
+      if (value.length > 0) {     // is it an insert?
+        if (subject.value.length == 0) {  // is subject currently empty?
+          subject.value = marker + '"' + value + '"';
+        } else {
+          subject.value = subject.value + ', ' + marker + '"' + value + '"';
+        }
+      }
+    }
+  }
+}
+
+
+
+function reset_subjectFields(form)
+// updates all the subordinate fields from the subject field of a form
+// **** move the strings to global variables, to make maintentance easier ****
+{
+
+  update_subject_Field(form, 'CN=\"', form.name);
+  update_subject_Field(form, 'MAIL=\"', form.email);
+  update_subject_Field(form, 'O=\"', form.org);
+  update_subject_Field(form, 'C=\"', form.country);
+  update_subject_Field(form, ' L=\"', form.loc);
+  update_subject_Field(form, 'ST=\"', form.state);
+  update_subject_Field(form, 'E=\"', form.email);
+  update_subject_Field(form, 'OU=\"', form.org_unit);
+  update_subject_Field(form, 'UID=\"', form.uid);
+}
+
+function update_subject_Field(form, marker, update_field)
+//updates a single subordinate field from the subject field of a form
+// *** need to deal with the two types of e-mail addresses **************
+{
+  with(form) {
+    var field_sep = '", ';
+    var begin_index = subject.value.indexOf(marker) + marker.length;
+    var end_index = subject.value.indexOf(field_sep, begin_index);
+    if (end_index == -1) {
+      end_index = subject.value.indexOf('"',begin_index);
+    }
+    if (begin_index != (-1 + marker.length) ) {
+      update_field.value = subject.value.substring(begin_index, end_index);
+    } else {
+      update_field.value = '';
+    }
+  }
+}
+
+
+function switch_mail(form)
+// **** Do I want to delete the other type of e-mail address ? ************
+{
+  if (form.email_type[0].checked) {
+    var del = 'E=';
+    var ins = 'MAIL=';
+  } else {
+    var del = 'MAIL=';
+    var ins = 'E=';
+  }
+  reset_subject(del, '', form);
+  reset_subject(ins, form.email.value, form);
+}
+
+function make_page_intro(title, bgcolor)
+{
+  var style = '<STYLE TYPE="text/css">BODY{' +
+    'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
+    'font-size: 10pt;' +
+    '}' +
+    'TD{' +
+    'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
+    'font-size: 10pt;}' +
+    '</STYLE>';
+
+  if (bgcolor == null) { bgcolor = "#C0C0C0"; }
+  return '<HTML><HEAD>' +
+    '<TITLE>' + title + '</TITLE>' +
+    '</HEAD>' +
+    '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" ' +
+          'BGCOLOR="' + bgcolor + '">';
+}
+
+
+function make_left_frame(window)
+{
+  with (window.frames['index']) {
+    eval ('index_string = make_left_frame_page(cur_page, ' 
+           + index_list + add_index_list + ' )');
+    fool1 = make_page_intro(index_label, "#FFFFFF") +
+      index_string + '</BODY></HTML>';
+    document.write(fool1);
+    document.close();
+  }
+}
+
+
+function save_cur_page(page_number)
+{
+  var len;
+  var pg = page_number - 1;
+  if (window.frames['right'].document.forms.length != 0) {
+    with (window.frames['right'].document) {
+      if ((page_number != 2 && page_number != 3 && page_number <= max_pages) || 
+	  ver == 3) {
+        ext_page_array[pg] = new Array(forms[0].elements.length);
+        for (i = 0; i < forms[0].elements.length; i++) {
+	  ext_page_array[pg][i] = new Array(4);
+	  switch (forms[0].elements[i].type) {
+	  case 'radio': 
+          case 'checkbox':
+	    ext_page_array[pg][i][0] = forms[0].elements[i].checked;
+	    break;
+	  case 'select-one':
+	    ext_page_array[pg][i][0] = forms[0].elements[i].selectedIndex;
+	    break;
+	  case 'select-multiple':
+	    len = forms[0].elements[i].options.length;
+	    ext_page_array[pg][i][0] = new Array(len);
+	    for(k = 0; k < len; k++) {
+	      ext_page_array[pg][i][0][k] = forms[0].elements[i].options[k].value;
+	    }
+	    break;
+	  default:
+	    ext_page_array[pg][i][0] = forms[0].elements[i].value;
+	  }
+	  ext_page_array[pg][i][1] = forms[0].elements[i].name;
+	  ext_page_array[pg][i][2] = forms[0].elements[i].value;
+	  ext_page_array[pg][i][3] = forms[0].elements[i].type;
+        }
+      }
+    }
+  }
+}
+
+function reload_form(page_number)
+{
+  var j = page_number - 1;
+  with (window.frames['right'].document) {
+    if (((page_number < 2 || page_number > 3) || ver == 3) 
+	&& page_number != 0 && (ext_page_array[j].length > 1)) {
+      for (i = 0; i < ext_page_array[j].length; i++) {
+	switch (forms[0].elements[i].type) {
+	case 'radio': case 'checkbox':
+	  forms[0].elements[i].checked = ext_page_array[j][i][0];
+	  break;
+	case 'select-one':
+	  forms[0].elements[i].selectedIndex = ext_page_array[j][i][0];
+	  break;
+	case 'select-multiple':
+	  for (k = 0; k < ext_page_array[j][i][0].length; k++) {
+	    forms[0].elements[i].options[k] = 
+	        new Option(ext_page_array[j][i][0][k], 
+			   ext_page_array[j][i][0][k]);
+	  }
+	  break;
+	default:
+	  forms[0].elements[i].value = ext_page_array[j][i][0];
+	}
+      }
+    }
+  }
+}
+
+function switch_right_frame(top_window, old_pane, new_pane)
+{
+  var ext_page_stnd =
+    make_page_intro(standard_extensions_index_label, "#FFFFFF") +
+    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
+    'SRC="stnd_ext_form.html">' +
+    '</IFRAME></body></html>';
+
+  var ext_page_nscp = 
+    make_page_intro(netscape_extensions_index_label, "#FFFFFF") +
+    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
+    'SRC="nscp_ext_form.html">' +
+    '</IFRAME></body></html>';
+
+  var ext_page_ca =
+    make_page_intro(certifying_authorities_index_label, "#FFFFFF") +
+    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
+    'SRC="ca.html">' +
+    '</IFRAME></body</html>';
+
+  var ext_page_ca_exp =
+    make_page_intro('Certifying Authority Details', "#FFFFFF") +
+    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
+    'SRC="ca_form.html">' +
+    '</IFRAME></body></html>';
+
+
+  if (old_pane > 0 && cur_page <= max_pages) {
+    save_cur_page(old_pane);
+  }
+  cur_page = new_pane;
+  make_left_frame(top_window);
+  if (new_pane == 2 || new_pane == 3) {
+    if (ver == 1) {
+      frames['right'].document.write(ext_page_ver1);
+      frames['right'].document.close();
+    } else if (new_pane == 2) {
+      frames['right'].document.write(ext_page_nscp);
+      frames['right'].document.close();
+      reload_form(new_pane);
+    } else {
+      frames['right'].document.write(ext_page_stnd);
+      frames['right'].document.close();
+      reload_form(new_pane);
+    }
+  } else if (new_pane == 4) {
+    frames['right'].document.write(ext_page_ca);
+    frames['right'].document.close();
+    reload_form(new_pane);
+  } else if (new_pane == 1) {
+    frames['right'].document.write(main_page);
+    frames['right'].document.close();
+    reload_form(new_pane);
+  } else {
+    frames['right'].document.write(ext_page_ca_exp);
+    frames['right'].document.close();
+    reload_form(new_pane);
+  }
+}
+
+function make_left_frame_page(selected)
+{
+  var n_strings = ( make_left_frame_page.arguments.length - 1 ) / 2;
+  var table_background;
+  var command;
+  var indent;
+  var label;
+  var ret_string = "";
+    
+  ret_string += '<TABLE CELLSPACING=4>';
+  for ( var i = 1; i <= n_strings; i++ ) {
+    if ( i == selected ) {
+      table_background = 'BGCOLOR=#BBCCBB';
+    } else {
+      table_background = '';
+    }
+	
+    indent = make_left_frame_page.arguments[(i*2) - 1];
+    label =  make_left_frame_page.arguments[(i*2)];
+
+    if ( indent == 0 ) {
+      ret_string += ('<TR><TD COLSPAN=2 ' + table_background + '>');
+    } else {
+      ret_string += ('<TR><TD>&nbsp;&nbsp;</TD><TD ' + table_background + '>');
+    }
+
+    command = "'parent.switch_right_frame(parent," + selected + "," + i + ")'";
+    ret_string += ('<A HREF="javascript:void setTimeout(' + command + ',0)">');
+    if ( indent == 0 ) { ret_string += "<B>"; }
+    ret_string += label;
+    if ( indent == 0 ) { ret_string += "</B>"; }
+    ret_string += '</A></TD></TR>';
+  }
+  if (selected == (max_pages + 1)) {
+    table_background = 'BGCOLOR=#BBCCBB';
+  } else {
+    table_background = '';
+  }
+  ret_string +=
+    '<TR><TD COLSPAN=2 ' + table_background + 
+    '><b><A HREF="javascript:void setTimeout(\'top.submit_it()\', 0)">Finish</A></b>' +
+    '</TD></TR>' +
+    '<input type="submit"></form>' + 
+    '</TABLE>';
+  return(ret_string);
+}
+
+
+function make_page(window)
+// Draws the initial page setup
+{
+  selected = cur_page
+  init_ext_page_array()
+
+  with (window.frames['right']) {
+    location="main.html";
+//  document.write(main_page);
+//  document.close();
+  }
+
+  make_left_frame(window);
+
+}
+</script>
+
+</HEAD>
+<title>Cert-O-Matic</title>
+  <FRAMESET cols="150,*" BORDER=3 ONLOAD="make_page(window)">
+      <FRAME SRC="about:blank" ID="index" NAME="index"
+           MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
+      <FRAME SRC="about:blank" ID="right" NAME="right"
+           MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
+  </FRAMESET>
+</HTML>
diff --git a/security/nss/cmd/certcgi/main.html b/security/nss/cmd/certcgi/main.html
new file mode 100644
index 000000000..8a04ef9d6
--- /dev/null
+++ b/security/nss/cmd/certcgi/main.html
@@ -0,0 +1,108 @@
+<HTML>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<HEAD>
+    <TITLE>Main Layer for CertOMatic</TITLE>
+</HEAD>
+
+    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
+    <table border=0 cellspacing=10 cellpadding=0>
+    <tr>
+    <td>
+    Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
+    </td>
+    <td></td><td></td>
+    <td>
+    Organization: </td><td>  <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
+    <tr>
+    <td>
+    <input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">MAIL=
+
+    <input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)">E=
+    </td>
+    <td>
+    <input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}">
+    </td>
+    <td></td><td></td><td>
+    Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
+    <tr>
+    <td>
+    UID= </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
+    <td></td><td></td><td>
+    Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
+    <tr>
+    <td>
+    State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
+    <td></td><td></td><td>
+    Country: </td><td><input type="text" size="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}" maxlength="2"></p></td>
+    <tr>
+    <td COLSPAN=2>
+    Serial Number:
+    <DD><input type="radio" name="serial" value="auto" checked> Auto Generate
+    <DD><input type="radio" name="serial" value="input">
+    Use this hex value:&nbsp; <input type="text" name="serial_value" size="8" maxlength="8"></p>
+    </td>
+    <td></td> <td></td>
+    <td COLSPAN=2>
+    X.509 version:
+    <DD><input type="radio" name="ver" value="1" onClick="if (this.checked) {window.top.set_ver1();}"> Version 1
+    <DD><input type="radio" name="ver" value="3" checked onClick="if (this.checked) {window.top.set_ver3();}"> Version 3</P></td>
+    <tr>
+    <td COLSPAN=2>
+    Key Type:
+    <DD><input type="radio" name="keyType" value="rsa" checked> RSA
+    <DD><input type="radio" name="keyType" value="dsa"> DSA</p>
+    Intermediate CA Key Sizes:
+    <DD><select name="keysize">
+        <option>2048 (Very High Grade)
+        <option>1024 (High Grade)
+        <option>512  (Low Grade)
+        </select>
+    </td>
+    <td></td> <td></td>
+    <td COLSPAN=2>
+    Validity:
+    <DD><input type="radio" name="validity" value="auto" checked> 
+       Generate Automatically
+    <DD><input type="radio" name="validity" value="man"> Use these values:
+    <DD>Not Before:&nbsp; <input type="text" size="15" maxlength="17" name="notBefore">
+    <DD>Not After:&nbsp;&nbsp;&nbsp; <input type="text" size="15" maxlength="17" name="notAfter">
+    <DD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+    <FONT SIZE=-1><TT>YYMMDDhhmm[ss]{Z|+hhmm|-hhmm} </TT></FONT>
+    </table>
+    DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>  	      
+    </form>
+</HTML>
diff --git a/security/nss/cmd/certcgi/manifest.mn b/security/nss/cmd/certcgi/manifest.mn
new file mode 100644
index 000000000..057f2596d
--- /dev/null
+++ b/security/nss/cmd/certcgi/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header directories are implicitly REQUIREd.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = certcgi.c
+
+PROGRAM	= certcgi
+
+USE_STATIC_LIBS = 1
+
diff --git a/security/nss/cmd/certcgi/nscp_ext_form.html b/security/nss/cmd/certcgi/nscp_ext_form.html
new file mode 100644
index 000000000..bc94ab3a2
--- /dev/null
+++ b/security/nss/cmd/certcgi/nscp_ext_form.html
@@ -0,0 +1,116 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html> 
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+  <body>
+    <table  border=1 cellspacing=5 cellpadding=5>
+    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
+    <tr>
+    <td>
+    <b>Netscape Certificate Type: </b></p>
+    Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
+    Critical: <input type="checkbox" name="netscape-cert-type-crit">
+    <td>
+    <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
+    <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
+    <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
+    <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>    
+    <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
+    <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
+    <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
+    <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Base URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-base-url"></P>
+    Critical: <input type="checkbox" name="netscape-base-url-crit">
+    <td>
+    <input type="text" name="netscape-base-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Revocation URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
+    Critical: <input type="checkbox" name="netscape-revocation-url-crit">
+    <td>
+    <input type="text" name="netscape-revocation-url-text" size="50">
+    </tr>
+    <tr>
+    <td>    
+    <b>Netscape CA Revocation URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
+    Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
+    <td>
+    <input type="text" name="netscape-ca-revocation-url-text" size="50">
+    </tr>
+    <tr>
+    <td>    
+    <b>Netscape Certificate Renewal URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
+    Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
+    <td>
+    <input type="text" name="netscape-cert-renewal-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape CA Policy URL:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
+    Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
+    <td>
+    <input type="text" name="netscape-ca-policy-url-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape SSL Server Name:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
+    Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
+    <td>
+    <input type="text" name="netscape-ssl-server-name-text" size="50">
+    </tr>
+    <tr>
+    <td>
+    <b>Netscape Comment:</b></p>
+    Activate extension: <input type="checkbox" name="netscape-comment"></P>
+    Critical: <input type="checkbox" name="netscape-comment-crit">
+    <td>
+    <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
+    </tr>
+        
+    </table>
+  </body>
+</html>
diff --git a/security/nss/cmd/certcgi/stnd_ext_form.html b/security/nss/cmd/certcgi/stnd_ext_form.html
new file mode 100644
index 000000000..de5d795ba
--- /dev/null
+++ b/security/nss/cmd/certcgi/stnd_ext_form.html
@@ -0,0 +1,250 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+  <body>
+    <table  border=1 cellspacing=5 cellpadding=5>
+    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
+    <tr>
+    <td>
+    <b>Key Usage: </b></p>
+    Activate extension: <input type="checkbox" name="keyUsage"></P>
+    Critical: <input type="checkbox" name="keyUsage-crit">
+    <td>
+    <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
+    <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>    
+    <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>    
+    <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
+    <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
+    <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
+    <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Extended Key Usage: </b></p>
+    Activate extension: <input type="checkbox" name="extKeyUsage"></P>
+    Critical: <input type="checkbox" name="extKeyUsage-crit">
+    <td>
+    <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
+    <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
+    <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
+    <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
+    <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
+    <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
+    <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+    </tr>
+    <tr>
+    <td>
+    <b>Basic Constraints:</b></p>
+    Activate extension: <input type="checkbox" name="basicConstraints"></P>
+    Critical: <input type="checkbox" name="basicConstraints-crit">
+    <td>
+    CA:</p>
+    <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
+    <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
+    <input type="checkbox" name="basicConstraints-pathLengthConstraint">
+     Include Path length:  <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
+    </tr>
+    <tr>
+    <td>
+    <b>Authority Key Identifier:</b></p>
+    Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
+    <td>
+    <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
+    <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
+    </tr>
+    <tr>
+    <td>    
+    <b>Subject Key Identifier:</b></p>
+    Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
+    <td>
+    Key Identifier: 
+    <input type="text" name="subjectKeyIdentifier-text"></p>
+    This is an:<p>
+    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
+    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
+    </tr>
+    <tr>
+    <td>    
+    <b>Private Key Usage Period:</b></p>
+    Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
+    Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
+    <td>
+    Use:</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
+    <b>Not to be used to sign before:</b></p>
+    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
+    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
+    <dd><dd>(YYYY/MM/DD HH:MM:SS): 
+    <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
+    <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
+    <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2"> 
+    <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
+    <b>Not to be used to sign after:</b></p>
+    <dd>(YYYY/MM/DD HH:MM:SS): 
+    <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
+    <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
+    <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2"> 
+    <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
+    <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
+    </tr>
+    <tr>
+    <td>
+    <b>Subject Alternative Name:</b></p>
+    Activate extension: <input type="checkbox" name="SubAltName"></P>
+    Critical: <input type="checkbox" name="SubAltName-crit">
+    <td>
+      <table>
+      <tr>
+      <td>
+      General Names:</p>
+      <select name="SubAltNameSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
+      <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name, 
+        OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
+        <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
+	<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
+        </table>
+      Name: <input type="text" name="SubAltNameText">
+        Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
+      </tr>
+      </table>
+    </tr>
+
+
+    <tr>
+    <td>
+    <b>Issuer Alternative Name:</b></p>
+    Activate extension: <input type="checkbox" name="IssuerAltName"></P>
+    Critical: <input type="checkbox" name="IssuerAltName-crit">
+    <td>
+      <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
+      <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
+      <table>
+      <tr>
+      <td>
+      General Names:</p>
+      <select name="IssuerAltNameSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
+      <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name, 
+        OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
+        </table>
+      Name: <input type="text" name="IssuerAltNameText"> 
+        Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
+      </tr>
+      </table>
+    </tr>
+
+    <tr>
+    <td>
+    <b>Name Constraints:</b></p>
+    Activate extension: <input type="checkbox" name="NameConstraints"></P>
+    <td>
+      <table>
+      <tr>
+      <td>
+      Name Constraints:</p>
+      <select name="NameConstraintSelect" multiple size="10">
+      </select></p></p>
+      <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
+      <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
+      </td><td>
+        <table><tr><td>
+        Name Type: </td></tr><tr><td>
+        <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
+        OID: <input type="text" name="NameConstraintOtherNameOID" size="6">  </td><td>
+        <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
+        <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
+        <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
+        <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
+        <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
+        </table>
+      Name: <input type="text" name="NameConstraintText">
+        Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
+      Constraint type:<p>
+      <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
+      <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
+      Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
+      Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
+      </tr>
+      </table>
+    </tr>
+
+    </table>
+  </body>
+</html>
+
+
+
+
+
+
+
+
diff --git a/security/nss/cmd/certutil/Makefile b/security/nss/cmd/certutil/Makefile
new file mode 100644
index 000000000..fe7991878
--- /dev/null
+++ b/security/nss/cmd/certutil/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
new file mode 100644
index 000000000..cdebedc6b
--- /dev/null
+++ b/security/nss/cmd/certutil/certext.c
@@ -0,0 +1,1694 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** certext.c
+**
+** part of certutil for managing certificates extensions
+**
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "cert.h"
+#include "xconst.h"
+#include "prprf.h"
+#include "certutil.h"
+
+#define GEN_BREAK(e) rv=e; break;
+
+static char *
+Gets_s(char *buff, size_t size) {
+    char *str;
+    
+    if (buff == NULL || size < 1) {
+        PORT_Assert(0);
+        return NULL;
+    }
+    if ((str = fgets(buff, size, stdin)) != NULL) {
+        int len = PORT_Strlen(str);
+        /*
+         * fgets() automatically converts native text file
+         * line endings to '\n'.  As defensive programming
+         * (just in case fgets has a bug or we put stdin in
+         * binary mode by mistake), we handle three native 
+         * text file line endings here:
+         *   '\n'      Unix (including Linux and Mac OS X)
+         *   '\r''\n'  DOS/Windows & OS/2
+         *   '\r'      Mac OS Classic
+         * len can not be less then 1, since in case with
+         * empty string it has at least '\n' in the buffer
+         */
+        if (buff[len - 1] == '\n' || buff[len - 1] == '\r') {
+            buff[len - 1] = '\0';
+            if (len > 1 && buff[len - 2] == '\r')
+                buff[len - 2] = '\0';
+        }
+    } else {
+        buff[0] = '\0';
+    }
+    return str;
+}
+
+
+static SECStatus
+PrintChoicesAndGetAnswer(char* str, char* rBuff, int rSize)
+{
+    fprintf(stdout, str);
+    fprintf(stdout, " > ");
+    fflush (stdout);
+    if (Gets_s(rBuff, rSize) == NULL) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static CERTGeneralName *
+GetGeneralName (PRArenaPool *arena)
+{
+    CERTGeneralName *namesList = NULL;
+    CERTGeneralName *current;
+    CERTGeneralName *tail = NULL;
+    SECStatus rv = SECSuccess;
+    int intValue;
+    char buffer[512];
+    void *mark;
+
+    PORT_Assert (arena);
+    mark = PORT_ArenaMark (arena);
+    do {
+        if (PrintChoicesAndGetAnswer(
+		"\nSelect one of the following general name type: \n"
+		"\t2 - rfc822Name\n"
+		"\t3 - dnsName\n"
+		"\t5 - directoryName\n"
+		"\t7 - uniformResourceidentifier\n"
+		"\t8 - ipAddress\n"
+		"\t9 - registerID\n"
+		"\tAny other number to finish\n"
+		"\t\tChoice:", buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+        intValue = PORT_Atoi (buffer);
+        /*
+         * Should use ZAlloc instead of Alloc to avoid problem with garbage
+         * initialized pointers in CERT_CopyName
+         */
+        switch (intValue) {
+        case certRFC822Name:
+        case certDNSName:
+        case certDirectoryName:
+        case certURI:
+        case certIPAddress:
+        case certRegisterID:
+	    break;
+	default:
+	    intValue = 0;   /* force a break for anything else */
+	}
+
+        if (intValue == 0)
+	    break;
+	
+	if (namesList == NULL) {
+	    namesList = current = tail =
+		PORT_ArenaZNew(arena, CERTGeneralName);
+	} else {
+	    current = PORT_ArenaZNew(arena, CERTGeneralName);
+	}
+	if (current == NULL) {
+	    GEN_BREAK (SECFailure);
+	}
+
+        current->type = intValue;
+        puts ("\nEnter data:");
+        fflush (stdout);
+        if (Gets_s (buffer, sizeof(buffer)) == NULL) {
+            PORT_SetError(SEC_ERROR_INPUT_LEN);
+            GEN_BREAK (SECFailure);
+        }
+        switch (current->type) {
+        case certURI:
+        case certDNSName:
+        case certRFC822Name:
+            current->name.other.data =
+                PORT_ArenaAlloc (arena, strlen (buffer));
+            if (current->name.other.data == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            PORT_Memcpy(current->name.other.data, buffer,
+                        current->name.other.len = strlen(buffer));
+            break;
+
+        case certEDIPartyName:
+        case certIPAddress:
+        case certOtherName:
+        case certRegisterID:
+        case certX400Address: {
+
+            current->name.other.data =
+                PORT_ArenaAlloc (arena, strlen (buffer) + 2);
+            if (current->name.other.data == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            
+            PORT_Memcpy (current->name.other.data + 2, buffer,
+                         strlen (buffer));
+            /* This may not be accurate for all cases.  For now,
+             * use this tag type */
+            current->name.other.data[0] =
+                (char)(((current->type - 1) & 0x1f)| 0x80);
+            current->name.other.data[1] = (char)strlen (buffer);
+            current->name.other.len = strlen (buffer) + 2;
+            break;
+        }
+
+        case certDirectoryName: {
+            CERTName *directoryName = NULL;
+            
+            directoryName = CERT_AsciiToName (buffer);
+            if (!directoryName) {
+                fprintf(stderr, "certutil: improperly formatted name: "
+                        "\"%s\"\n", buffer);
+                break;
+            }
+            
+            rv = CERT_CopyName (arena, &current->name.directoryName,
+                                directoryName);
+            CERT_DestroyName (directoryName);
+            
+            break;
+        }
+        }
+        if (rv != SECSuccess)
+            break;
+        current->l.next = &(namesList->l);
+        current->l.prev = &(tail->l);
+        tail->l.next = &(current->l);
+        tail = current;
+        
+    }while (1);
+
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease (arena, mark);
+        namesList = NULL;
+    }
+    return (namesList);
+}
+
+static SECStatus 
+GetString(PRArenaPool *arena, char *prompt, SECItem *value)
+{
+    char buffer[251];
+    char *buffPrt;
+
+    buffer[0] = '\0';
+    value->data = NULL;
+    value->len = 0;
+    
+    puts (prompt);
+    buffPrt = Gets_s (buffer, sizeof(buffer));
+    /* returned NULL here treated the same way as empty string */
+    if (buffPrt && strlen (buffer) > 0) {
+        value->data = PORT_ArenaAlloc (arena, strlen (buffer));
+        if (value->data == NULL) {
+            PORT_SetError (SEC_ERROR_NO_MEMORY);
+            return (SECFailure);
+        }
+        PORT_Memcpy (value->data, buffer, value->len = strlen(buffer));
+    }
+    return (SECSuccess);
+}
+
+static PRBool 
+GetYesNo(char *prompt) 
+{
+    char buf[3];
+    char *buffPrt;
+
+    buf[0] = 'n';
+    puts(prompt);
+    buffPrt = Gets_s(buf, sizeof(buf));
+    return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;
+}
+
+static SECStatus 
+AddKeyUsage (void *extHandle)
+{
+    SECItem bitStringValue;
+    unsigned char keyUsage = 0x0;
+    char buffer[5];
+    int value;
+    PRBool yesNoAns;
+
+    while (1) {
+	if (PrintChoicesAndGetAnswer(
+                "\t\t0 - Digital Signature\n"
+                "\t\t1 - Non-repudiation\n"
+                "\t\t2 - Key encipherment\n"
+                "\t\t3 - Data encipherment\n"   
+                "\t\t4 - Key agreement\n"
+                "\t\t5 - Cert signing key\n"   
+                "\t\t6 - CRL signing key\n"
+                "\t\tOther to finish\n",
+                buffer, sizeof(buffer)) == SECFailure) {
+            return SECFailure;
+        }
+        value = PORT_Atoi (buffer);
+        if (value < 0 || value > 6)
+            break;
+        if (value == 0) {
+            /* Checking that zero value of variable 'value'
+             * corresponds to '0' input made by user */
+            char *chPtr = strchr(buffer, '0');
+            if (chPtr == NULL) {
+                continue;
+            }
+        }
+        keyUsage |= (0x80 >> value);
+    }
+
+    bitStringValue.data = &keyUsage;
+    bitStringValue.len = 1;
+    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+    return (CERT_EncodeAndAddBitStrExtension
+            (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
+             yesNoAns));
+
+}
+
+
+static CERTOidSequence *
+CreateOidSequence(void)
+{
+    CERTOidSequence *rv = (CERTOidSequence *)NULL;
+    PRArenaPool *arena = (PRArenaPool *)NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if( (PRArenaPool *)NULL == arena ) {
+        goto loser;
+    }
+
+    rv = (CERTOidSequence *)PORT_ArenaZNew(arena, CERTOidSequence);
+    if( (CERTOidSequence *)NULL == rv ) {
+        goto loser;
+    }
+
+    rv->oids = (SECItem **)PORT_ArenaZNew(arena, SECItem *);
+    if( (SECItem **)NULL == rv->oids ) {
+        goto loser;
+    }
+
+    rv->arena = arena;
+    return rv;
+
+loser:
+    if( (PRArenaPool *)NULL != arena ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return (CERTOidSequence *)NULL;
+}
+
+static void
+DestroyOidSequence(CERTOidSequence *os)
+{
+    if (os->arena) {
+        PORT_FreeArena(os->arena, PR_FALSE);
+    }
+}
+
+static SECStatus
+AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
+{
+    SECItem **oids;
+    PRUint32 count = 0;
+    SECOidData *od;
+
+    od = SECOID_FindOIDByTag(oidTag);
+    if( (SECOidData *)NULL == od ) {
+        return SECFailure;
+    }
+
+    for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
+        count++;
+    }
+
+    /* ArenaZRealloc */
+
+    {
+        PRUint32 i;
+
+        oids = (SECItem **)PORT_ArenaZNewArray(os->arena, SECItem *, count + 2);
+        if( (SECItem **)NULL == oids ) {
+            return SECFailure;
+        }
+    
+        for( i = 0; i < count; i++ ) {
+            oids[i] = os->oids[i];
+        }
+
+        /* ArenaZFree(os->oids); */
+    }
+
+    os->oids = oids;
+    os->oids[count] = &od->oid;
+
+    return SECSuccess;
+}
+
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+
+const SEC_ASN1Template CERT_OidSeqTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
+      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
+};
+
+
+static SECItem *
+EncodeOidSequence(CERTOidSequence *os)
+{
+    SECItem *rv;
+
+    rv = (SECItem *)PORT_ArenaZNew(os->arena, SECItem);
+    if( (SECItem *)NULL == rv ) {
+        goto loser;
+    }
+
+    if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
+        goto loser;
+    }
+
+    return rv;
+
+loser:
+    return (SECItem *)NULL;
+}
+
+static SECStatus 
+AddExtKeyUsage (void *extHandle)
+{
+    char buffer[5];
+    int value;
+    CERTOidSequence *os;
+    SECStatus rv;
+    SECItem *item;
+    PRBool yesNoAns;
+
+    os = CreateOidSequence();
+    if( (CERTOidSequence *)NULL == os ) {
+        return SECFailure;
+    }
+
+    while (1) {
+        if (PrintChoicesAndGetAnswer(
+                "\t\t0 - Server Auth\n"
+                "\t\t1 - Client Auth\n"
+                "\t\t2 - Code Signing\n"
+                "\t\t3 - Email Protection\n"
+                "\t\t4 - Timestamp\n"
+                "\t\t5 - OCSP Responder\n"
+                "\t\t6 - Step-up\n"
+                "\t\tOther to finish\n",
+                buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+        value = PORT_Atoi(buffer);
+
+        if (value == 0) {
+            /* Checking that zero value of variable 'value'
+             * corresponds to '0' input made by user */
+            char *chPtr = strchr(buffer, '0');
+            if (chPtr == NULL) {
+                continue;
+            }
+        }
+
+        switch( value ) {
+        case 0:
+            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
+            break;
+        case 1:
+            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
+            break;
+        case 2:
+            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+            break;
+        case 3:
+            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
+            break;
+        case 4:
+            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
+            break;
+        case 5:
+            rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
+            break;
+        case 6:
+            rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
+            break;
+        default:
+            goto endloop;
+        }
+
+        if( SECSuccess != rv ) goto loser;
+    }
+
+endloop:
+    item = EncodeOidSequence(os);
+
+    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+    rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
+                           yesNoAns, PR_TRUE);
+    /*FALLTHROUGH*/
+loser:
+    DestroyOidSequence(os);
+    return rv;
+}
+
+static SECStatus 
+AddNscpCertType (void *extHandle)
+{
+    SECItem bitStringValue;
+    unsigned char keyUsage = 0x0;
+    char buffer[5];
+    int value;
+    PRBool yesNoAns;
+
+    while (1) {
+        if (PrintChoicesAndGetAnswer(
+                "\t\t0 - SSL Client\n"
+                "\t\t1 - SSL Server\n"
+                "\t\t2 - S/MIME\n"
+                "\t\t3 - Object Signing\n"   
+                "\t\t4 - Reserved for future use\n"
+                "\t\t5 - SSL CA\n"   
+                "\t\t6 - S/MIME CA\n"
+                "\t\t7 - Object Signing CA\n"
+                "\t\tOther to finish\n",
+                buffer, sizeof(buffer)) == SECFailure) {
+            return SECFailure;
+        }
+        value = PORT_Atoi (buffer);
+        if (value < 0 || value > 7)
+            break;
+        if (value == 0) {
+            /* Checking that zero value of variable 'value'
+             * corresponds to '0' input made by user */
+            char *chPtr = strchr(buffer, '0');
+            if (chPtr == NULL) {
+                continue;
+            }
+        }
+        keyUsage |= (0x80 >> value);
+    }
+
+    bitStringValue.data = &keyUsage;
+    bitStringValue.len = 1;
+    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+    return (CERT_EncodeAndAddBitStrExtension
+            (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
+             yesNoAns));
+
+}
+
+static SECStatus 
+AddSubjectAltNames(PRArenaPool *arena, CERTGeneralName **existingListp,
+                   const char *names, CERTGeneralNameType type)
+{
+    CERTGeneralName *nameList = NULL;
+    CERTGeneralName *current = NULL;
+    PRCList *prev = NULL;
+    const char *cp;
+    char *tbuf;
+    SECStatus rv = SECSuccess;
+
+
+    /*
+     * walk down the comma separated list of names. NOTE: there is
+     * no sanity checks to see if the email address look like
+     * email addresses.
+     */
+    for (cp=names; cp; cp = PORT_Strchr(cp,',')) {
+        int len;
+        char *end;
+
+        if (*cp == ',') {
+            cp++;
+        }
+        end = PORT_Strchr(cp,',');
+        len = end ? end-cp : PORT_Strlen(cp);
+        if (len <= 0) {
+            continue;
+        }
+        tbuf = PORT_ArenaAlloc(arena,len+1);
+        PORT_Memcpy(tbuf,cp,len);
+        tbuf[len] = 0;
+        current = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
+        if (!current) {
+            rv = SECFailure;
+            break;
+        }
+        if (prev) {
+            current->l.prev = prev;
+            prev->next = &(current->l);
+        } else {
+            nameList = current;
+        }
+        current->type = type;
+        current->name.other.data = (unsigned char *)tbuf;
+        current->name.other.len = PORT_Strlen(tbuf);
+        prev = &(current->l);
+    }
+    /* at this point nameList points to the head of a doubly linked,
+     * but not yet circular, list and current points to its tail. */
+    if (rv == SECSuccess && nameList) {
+        if (*existingListp != NULL) {
+            PRCList *existingprev;
+            /* add nameList to the end of the existing list */
+            existingprev = (*existingListp)->l.prev;
+            (*existingListp)->l.prev = &(current->l);
+            nameList->l.prev = existingprev;
+            existingprev->next = &(nameList->l);
+            current->l.next = &((*existingListp)->l);
+        }
+        else {
+            /* make nameList circular and set it as the new existingList */
+            nameList->l.prev = prev;
+            current->l.next = &(nameList->l);
+            *existingListp = nameList;
+        }
+    }
+    return rv;
+}
+
+static SECStatus 
+AddEmailSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
+                   const char *emailAddrs)
+{
+    return AddSubjectAltNames(arena, existingListp, emailAddrs, 
+                              certRFC822Name);
+}
+
+static SECStatus 
+AddDNSSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
+                 const char *dnsNames)
+{
+    return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName);
+}
+
+
+static SECStatus 
+AddBasicConstraint(void *extHandle)
+{
+    CERTBasicConstraints basicConstraint;    
+    SECStatus rv;
+    char buffer[10];
+    PRBool yesNoAns;
+
+    do {
+        basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+        basicConstraint.isCA = GetYesNo ("Is this a CA certificate [y/N]?");
+
+        buffer[0] = '\0';
+        if (PrintChoicesAndGetAnswer("Enter the path length constraint, "
+                                     "enter to skip [<0 for unlimited path]:",
+                                     buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+        if (PORT_Strlen (buffer) > 0)
+            basicConstraint.pathLenConstraint = PORT_Atoi (buffer);
+
+        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+        rv = SECU_EncodeAndAddExtensionValue(NULL, extHandle,
+		 &basicConstraint, yesNoAns, SEC_OID_X509_BASIC_CONSTRAINTS,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeBasicConstraintValue);
+    } while (0);
+
+    return (rv);
+}
+
+static SECStatus 
+AddAuthKeyID (void *extHandle)
+{
+    CERTAuthKeyID *authKeyID = NULL;    
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool yesNoAns;
+
+    do {
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if ( !arena ) {
+            SECU_PrintError(progName, "out of memory");
+            GEN_BREAK (SECFailure);
+        }
+
+        if (GetYesNo ("Enter value for the authKeyID extension [y/N]?") == 0)
+            break;
+
+        authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
+        if (authKeyID == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+
+        rv = GetString (arena, "Enter value for the key identifier fields,"
+                        "enter to omit:", &authKeyID->keyID);
+        if (rv != SECSuccess)
+            break;
+
+        SECU_SECItemHexStringToBinary(&authKeyID->keyID);
+
+        authKeyID->authCertIssuer = GetGeneralName (arena);
+        if (authKeyID->authCertIssuer == NULL && 
+            SECFailure == PORT_GetError ())
+            break;
+
+
+        rv = GetString (arena, "Enter value for the authCertSerial field, "
+                        "enter to omit:", &authKeyID->authCertSerialNumber);
+
+        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
+		     authKeyID, yesNoAns, SEC_OID_X509_AUTH_KEY_ID, 
+		     (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
+        if (rv)
+            break;
+
+    } while (0);
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return (rv);
+}   
+    
+static SECStatus 
+AddSubjKeyID (void *extHandle)
+{
+    SECItem keyID;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool yesNoAns;
+
+    do {
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if ( !arena ) {
+            SECU_PrintError(progName, "out of memory");
+            GEN_BREAK (SECFailure);
+        }
+        printf("Adding Subject Key ID extension.\n");
+
+        rv = GetString (arena, "Enter value for the key identifier fields,"
+                        "enter to omit:", &keyID);
+        if (rv != SECSuccess)
+            break;
+
+        SECU_SECItemHexStringToBinary(&keyID);
+
+        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
+		     &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID, 
+		     (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
+        if (rv)
+            break;
+
+    } while (0);
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return (rv);
+}   
+
+static SECStatus 
+AddCrlDistPoint(void *extHandle)
+{
+    PRArenaPool *arena = NULL;
+    CERTCrlDistributionPoints *crlDistPoints = NULL;
+    CRLDistributionPoint *current;
+    SECStatus rv = SECSuccess;
+    int count = 0, intValue;
+    char buffer[512];
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena )
+        return (SECFailure);
+
+    do {
+        current = NULL;
+
+        current = PORT_ArenaZNew(arena, CRLDistributionPoint);
+        if (current == NULL) {
+            GEN_BREAK (SECFailure);
+        }   
+
+        /* Get the distributionPointName fields - this field is optional */
+        if (PrintChoicesAndGetAnswer(
+                "Enter the type of the distribution point name:\n"
+                "\t1 - Full Name\n\t2 - Relative Name\n\tAny other "
+                "number to finish\n\t\tChoice: ",
+                buffer, sizeof(buffer)) == SECFailure) {
+	    GEN_BREAK (SECFailure);
+	}
+        intValue = PORT_Atoi (buffer);
+        switch (intValue) {
+        case generalName:
+            current->distPointType = intValue;
+            current->distPoint.fullName = GetGeneralName (arena);
+            rv = PORT_GetError();
+            break;
+
+        case relativeDistinguishedName: {
+            CERTName *name;
+
+            current->distPointType = intValue;
+            puts ("Enter the relative name: ");
+            fflush (stdout);
+            if (Gets_s (buffer, sizeof(buffer)) == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            /* For simplicity, use CERT_AsciiToName to converse from a string
+               to NAME, but we only interest in the first RDN */
+            name = CERT_AsciiToName (buffer);
+            if (!name) {
+                GEN_BREAK (SECFailure);
+            }
+            rv = CERT_CopyRDN (arena, &current->distPoint.relativeName,
+                               name->rdns[0]);
+            CERT_DestroyName (name);
+            break;
+          }
+        }
+        if (rv != SECSuccess)
+            break;
+
+        /* Get the reason flags */
+        if (PrintChoicesAndGetAnswer(
+                "\nSelect one of the following for the reason flags\n"
+                "\t0 - unused\n\t1 - keyCompromise\n"
+                "\t2 - caCompromise\n\t3 - affiliationChanged\n"
+                "\t4 - superseded\n\t5 - cessationOfOperation\n"
+                "\t6 - certificateHold\n"
+                "\tAny other number to finish\t\tChoice: ",
+                buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+        intValue = PORT_Atoi (buffer);
+        if (intValue == 0) {
+            /* Checking that zero value of variable 'value'
+             * corresponds to '0' input made by user */
+            char *chPtr = strchr(buffer, '0');
+            if (chPtr == NULL) {
+                intValue = -1;
+            }
+        }
+        if (intValue >= 0 && intValue <8) {
+            current->reasons.data = PORT_ArenaAlloc (arena, sizeof(char));
+            if (current->reasons.data == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            *current->reasons.data = (char)(0x80 >> intValue);
+            current->reasons.len = 1;
+        }
+        puts ("Enter value for the CRL Issuer name:\n");
+        current->crlIssuer = GetGeneralName (arena);
+        if (current->crlIssuer == NULL && (rv = PORT_GetError()) == SECFailure)
+            break;
+
+        if (crlDistPoints == NULL) {
+            crlDistPoints = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
+            if (crlDistPoints == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+        }
+
+        crlDistPoints->distPoints =
+            PORT_ArenaGrow (arena, crlDistPoints->distPoints,
+                            sizeof (*crlDistPoints->distPoints) * count,
+                            sizeof (*crlDistPoints->distPoints) *(count + 1));
+        if (crlDistPoints->distPoints == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+
+        crlDistPoints->distPoints[count] = current;
+        ++count;
+        if (GetYesNo("Enter another value for the CRLDistributionPoint "
+                      "extension [y/N]?") == 0) {
+            /* Add null to the end to mark end of data */
+            crlDistPoints->distPoints =
+                PORT_ArenaGrow(arena, crlDistPoints->distPoints,
+			   sizeof (*crlDistPoints->distPoints) * count,
+			   sizeof (*crlDistPoints->distPoints) *(count + 1));
+            crlDistPoints->distPoints[count] = NULL;    
+            break;
+        }
+
+
+    } while (1);
+    
+    if (rv == SECSuccess) {
+        PRBool yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
+		 crlDistPoints, yesNoAns, SEC_OID_X509_CRL_DIST_POINTS,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCRLDistributionPoints);
+    }
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return (rv);
+}
+
+
+
+static SECStatus 
+AddPolicyConstraints(void *extHandle)
+{
+    CERTCertificatePolicyConstraints *policyConstr;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    SECItem *item, *dummy;
+    char buffer[512];
+    int value;
+    PRBool yesNoAns;
+    PRBool skipExt = PR_TRUE;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        SECU_PrintError(progName, "out of memory");
+        return SECFailure;
+    }
+
+    policyConstr = PORT_ArenaZNew(arena, CERTCertificatePolicyConstraints);
+    if (policyConstr == NULL) {
+        SECU_PrintError(progName, "out of memory");
+        goto loser;
+    }
+
+    if (PrintChoicesAndGetAnswer("for requireExplicitPolicy enter the number "
+               "of certs in path\nbefore explicit policy is required\n"
+               "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
+        goto loser;
+    }
+
+    if (PORT_Strlen(buffer)) {
+        value = PORT_Atoi(buffer);
+	if (value < 0) {
+            goto loser;
+        }
+        item = &policyConstr->explicitPolicySkipCerts;
+        dummy = SEC_ASN1EncodeInteger(arena, item, value);
+        if (!dummy) {
+            goto loser;
+        }
+        skipExt = PR_FALSE;
+    }
+
+    if (PrintChoicesAndGetAnswer("for inihibitPolicyMapping enter "
+               "the number of certs in path\n"
+	       "after which policy mapping is not allowed\n"
+               "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
+        goto loser;
+    }
+
+    if (PORT_Strlen(buffer)) {
+        value = PORT_Atoi(buffer);
+	if (value < 0) {
+            goto loser;
+        }
+        item = &policyConstr->inhibitMappingSkipCerts;
+        dummy = SEC_ASN1EncodeInteger(arena, item, value);
+        if (!dummy) {
+            goto loser;
+        }
+        skipExt = PR_FALSE;
+    }
+ 
+    
+    if (!skipExt) {
+        yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, policyConstr,
+	     yesNoAns, SEC_OID_X509_POLICY_CONSTRAINTS,
+	     (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyConstraintsExtension);
+    } else {
+	fprintf(stdout, "Policy Constraint extensions must contain "
+                        "at least one policy field\n");
+	rv = SECFailure;
+    }
+   
+loser:
+    if (arena) {
+        PORT_FreeArena (arena, PR_FALSE);
+    }
+    return (rv);
+}
+
+
+static SECStatus 
+AddInhibitAnyPolicy(void *extHandle)
+{
+    CERTCertificateInhibitAny certInhibitAny;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    SECItem *item, *dummy;
+    char buffer[10];
+    int value;
+    PRBool yesNoAns;
+    
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        SECU_PrintError(progName, "out of memory");
+        return SECFailure;
+    }
+
+    if (PrintChoicesAndGetAnswer("Enter the number of certs in the path "
+                                 "permitted to use anyPolicy.\n"
+                                 "(press Enter for 0)",
+                                 buffer, sizeof(buffer)) == SECFailure) {
+        goto loser;
+    }
+
+    item = &certInhibitAny.inhibitAnySkipCerts;
+    value = PORT_Atoi(buffer);
+    if (value < 0) {
+        goto loser;
+    }
+    dummy = SEC_ASN1EncodeInteger(arena, item, value);
+    if (!dummy) {
+        goto loser;
+    }
+    
+    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+    
+    rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &certInhibitAny,
+		 yesNoAns, SEC_OID_X509_INHIBIT_ANY_POLICY,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInhibitAnyExtension);
+loser:
+    if (arena) {
+        PORT_FreeArena (arena, PR_FALSE);
+    }
+    return (rv);
+}
+
+
+static SECStatus 
+AddPolicyMappings(void *extHandle)
+{
+    CERTPolicyMap **policyMapArr = NULL;
+    CERTPolicyMap *current;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    int count = 0;
+    char buffer[512];
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        SECU_PrintError(progName, "out of memory");
+        return SECFailure;
+    }
+
+    do {
+        if (PrintChoicesAndGetAnswer("Enter an Object Identifier (dotted "
+                                     "decimal format) for Issuer Domain Policy",
+                                     buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+
+        current = PORT_ArenaZNew(arena, CERTPolicyMap);
+        if (current == NULL) {
+            GEN_BREAK(SECFailure);
+        }
+
+        rv = SEC_StringToOID(arena, &current->issuerDomainPolicy, buffer, 0);
+        if (rv == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+
+        if (PrintChoicesAndGetAnswer("Enter an Object Identifier for "
+                                     "Subject Domain Policy",
+                                     buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+
+        rv = SEC_StringToOID(arena, &current->subjectDomainPolicy, buffer, 0);
+        if (rv == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+
+        if (policyMapArr == NULL) {
+            policyMapArr = PORT_ArenaZNew(arena, CERTPolicyMap *);
+            if (policyMapArr == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+        }
+
+        policyMapArr = PORT_ArenaGrow(arena, policyMapArr,
+                                         sizeof (current) * count,
+                                         sizeof (current) *(count + 1));
+        if (policyMapArr == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+    
+        policyMapArr[count] = current;
+        ++count;
+        
+        if (!GetYesNo("Enter another Policy Mapping [y/N]")) {
+            /* Add null to the end to mark end of data */
+            policyMapArr = PORT_ArenaGrow (arena, policyMapArr,
+                                           sizeof (current) * count,
+                                           sizeof (current) *(count + 1));
+            if (policyMapArr == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            policyMapArr[count] = NULL;        
+            break;
+        }
+
+    } while (1);
+
+    if (rv == SECSuccess) {
+        CERTCertificatePolicyMappings mappings;
+        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+        mappings.arena = arena;
+        mappings.policyMaps = policyMapArr;
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &mappings,
+		 yesNoAns, SEC_OID_X509_POLICY_MAPPINGS,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyMappingExtension);
+    }
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return (rv);
+}
+
+enum PoliciQualifierEnum {
+    cpsPointer = 1,
+    userNotice = 2
+};
+
+
+static CERTPolicyQualifier **
+RequestPolicyQualifiers(PRArenaPool *arena, SECItem *policyID)
+{
+    CERTPolicyQualifier **policyQualifArr = NULL;
+    CERTPolicyQualifier *current;
+    SECStatus rv = SECSuccess;
+    int count = 0;
+    char buffer[512];
+    void *mark;
+    SECOidData *oid = NULL;
+    int intValue = 0;
+    int inCount = 0;
+
+    PORT_Assert(arena);
+    mark = PORT_ArenaMark(arena);
+    do {
+        current = PORT_ArenaZNew(arena, CERTPolicyQualifier);
+        if (current == NULL) {
+            GEN_BREAK(SECFailure);
+        }
+
+        /* Get the accessMethod fields */
+        SECU_PrintObjectID(stdout, policyID,
+                           "Choose the type of qualifier for policy" , 0);
+
+        if (PrintChoicesAndGetAnswer(
+                "\t1 - CPS Pointer qualifier\n"
+                "\t2 - User notice qualifier\n"
+                "\tAny other number to finish\n"
+                "\t\tChoice: ", buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+        intValue = PORT_Atoi(buffer);
+        switch (intValue) {
+        case cpsPointer: {
+            SECItem input;
+
+            oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CPS_POINTER_QUALIFIER);
+            if (PrintChoicesAndGetAnswer("Enter CPS pointer URI: ",
+				     buffer, sizeof(buffer)) == SECFailure) {
+                GEN_BREAK (SECFailure);
+            }
+            input.len = PORT_Strlen(buffer);
+            input.data = (void*)PORT_ArenaStrdup(arena, buffer);
+            if (input.data == NULL ||
+	        SEC_ASN1EncodeItem(arena, &current->qualifierValue, &input,
+			       SEC_ASN1_GET(SEC_IA5StringTemplate)) == NULL) {
+                GEN_BREAK (SECFailure);
+	    }
+            break;
+        }
+        case userNotice: {
+            SECItem **noticeNumArr;
+            CERTUserNotice *notice = PORT_ArenaZNew(arena, CERTUserNotice);
+            if (!notice) {
+                GEN_BREAK(SECFailure);
+            }
+            
+            oid = SECOID_FindOIDByTag(SEC_OID_PKIX_USER_NOTICE_QUALIFIER);
+
+            if (GetYesNo("\t add a User Notice reference? [y/N]")) {
+
+                if (PrintChoicesAndGetAnswer("Enter user organization string: ",
+				 buffer, sizeof(buffer)) == SECFailure) {
+                    GEN_BREAK (SECFailure);
+                }
+
+                notice->noticeReference.organization.type = siAsciiString;
+                notice->noticeReference.organization.len =
+                    PORT_Strlen(buffer);
+                notice->noticeReference.organization.data =
+                    (void*)PORT_ArenaStrdup(arena, buffer);
+
+
+                noticeNumArr = PORT_ArenaZNewArray(arena, SECItem *, 2);
+		if (!noticeNumArr) {
+                    GEN_BREAK (SECFailure);
+		}
+                
+                do {
+                    SECItem *noticeNum;
+                    
+                    noticeNum = PORT_ArenaZNew(arena, SECItem);
+                    
+                    if (PrintChoicesAndGetAnswer(
+				      "Enter User Notice reference number "
+				      "(or -1 to quit): ",
+                                      buffer, sizeof(buffer)) == SECFailure) {
+                        GEN_BREAK (SECFailure);
+                    }
+                    
+                    intValue = PORT_Atoi(buffer);
+		    if (noticeNum == NULL) {
+			if (intValue < 0) {
+			    fprintf(stdout, "a noticeReference must have at "
+                                    "least one reference number\n");
+                            GEN_BREAK (SECFailure);
+			}
+		    } else {
+			if (intValue >= 0) {
+                            noticeNumArr = PORT_ArenaGrow(arena, noticeNumArr,
+					      sizeof (current) * inCount,
+					      sizeof (current) *(inCount + 1));
+                            if (noticeNumArr == NULL) {
+                                GEN_BREAK (SECFailure);
+                            }
+			} else {
+			    break;
+			}
+                    }
+                    if (!SEC_ASN1EncodeInteger(arena, noticeNum, intValue)) {
+                        GEN_BREAK (SECFailure);
+		    }
+                    noticeNumArr[inCount++] = noticeNum;
+                    noticeNumArr[inCount] = NULL;
+                    
+                } while (1);
+                if (rv == SECFailure) {
+                    GEN_BREAK(SECFailure);
+                }
+                notice->noticeReference.noticeNumbers = noticeNumArr;
+                rv = CERT_EncodeNoticeReference(arena, &notice->noticeReference,
+                                                &notice->derNoticeReference);
+                if (rv == SECFailure) {
+                    GEN_BREAK(SECFailure);
+                }
+            }
+            if (GetYesNo("\t EnterUser Notice explicit text? [y/N]")) {
+                /* Getting only 200 bytes - RFC limitation */
+                if (PrintChoicesAndGetAnswer(
+                        "\t", buffer, 200) == SECFailure) {
+                        GEN_BREAK (SECFailure);
+                }
+                notice->displayText.type = siAsciiString;
+                notice->displayText.len = PORT_Strlen(buffer);
+                notice->displayText.data = 
+		                        (void*)PORT_ArenaStrdup(arena, buffer);
+		if (notice->displayText.data == NULL) {
+		    GEN_BREAK(SECFailure);
+		}
+            }
+
+            rv = CERT_EncodeUserNotice(arena, notice, &current->qualifierValue);
+            if (rv == SECFailure) {
+                GEN_BREAK(SECFailure);
+            }
+
+            break;
+        }
+        }
+        if (rv == SECFailure || oid == NULL ||
+            SECITEM_CopyItem(arena, &current->qualifierID, &oid->oid) 
+	    == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+
+        if (!policyQualifArr) {
+            policyQualifArr = PORT_ArenaZNew(arena, CERTPolicyQualifier *);
+        } else {
+	    policyQualifArr = PORT_ArenaGrow (arena, policyQualifArr,
+                                         sizeof (current) * count,
+                                         sizeof (current) *(count + 1));
+	}
+        if (policyQualifArr == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+    
+        policyQualifArr[count] = current;
+        ++count;
+
+        if (!GetYesNo ("Enter another policy qualifier [y/N]")) {
+            /* Add null to the end to mark end of data */
+            policyQualifArr = PORT_ArenaGrow(arena, policyQualifArr,
+                                              sizeof (current) * count,
+                                              sizeof (current) *(count + 1));
+            if (policyQualifArr == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            policyQualifArr[count] = NULL;        
+            break;
+        }
+
+    } while (1);
+
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease (arena, mark);
+        policyQualifArr = NULL;
+    }
+    return (policyQualifArr);
+}
+
+static SECStatus 
+AddCertPolicies(void *extHandle)
+{
+    CERTPolicyInfo **certPoliciesArr = NULL;
+    CERTPolicyInfo *current;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    int count = 0;
+    char buffer[512];
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        SECU_PrintError(progName, "out of memory");
+        return SECFailure;
+    }
+
+    do {
+        current = PORT_ArenaZNew(arena, CERTPolicyInfo);
+        if (current == NULL) {
+            GEN_BREAK(SECFailure);
+        }
+
+        if (PrintChoicesAndGetAnswer("Enter a CertPolicy Object Identifier "
+                                     "(dotted decimal format)\n"
+				     "or \"any\" for AnyPolicy:",
+                                     buffer, sizeof(buffer)) == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+	
+	if (strncmp(buffer, "any", 3) == 0) {
+	    /* use string version of X509_CERTIFICATE_POLICIES.anyPolicy */
+	    strcpy(buffer, "OID.2.5.29.32.0");
+	}
+        rv = SEC_StringToOID(arena, &current->policyID, buffer, 0);
+
+        if (rv == SECFailure) {
+            GEN_BREAK(SECFailure);
+        }
+        
+        current->policyQualifiers = 
+            RequestPolicyQualifiers(arena, &current->policyID); 
+
+        if (!certPoliciesArr) {
+            certPoliciesArr = PORT_ArenaZNew(arena, CERTPolicyInfo *);
+        } else {
+	    certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
+                                         sizeof (current) * count,
+                                         sizeof (current) *(count + 1));
+	}
+        if (certPoliciesArr == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+    
+        certPoliciesArr[count] = current;
+        ++count;
+        
+        if (!GetYesNo ("Enter another PolicyInformation field [y/N]?")) {
+            /* Add null to the end to mark end of data */
+            certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
+                                              sizeof (current) * count,
+                                              sizeof (current) *(count + 1));
+            if (certPoliciesArr == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            certPoliciesArr[count] = NULL;        
+            break;
+        }
+
+    } while (1);
+
+    if (rv == SECSuccess) {
+        CERTCertificatePolicies policies;
+        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+
+        policies.arena = arena;
+        policies.policyInfos = certPoliciesArr;
+        
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &policies,
+		 yesNoAns, SEC_OID_X509_CERTIFICATE_POLICIES,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCertPoliciesExtension);
+    }
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+    return (rv);
+}
+
+enum AuthInfoAccessTypesEnum {
+    caIssuers = 1,
+    ocsp = 2
+};
+
+enum SubjInfoAccessTypesEnum {
+    caRepository = 1,
+    timeStamping = 2
+};
+    
+/* Encode and add an AIA or SIA extension */
+static SECStatus 
+AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
+{
+    CERTAuthInfoAccess **infoAccArr = NULL;
+    CERTAuthInfoAccess *current;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    int count = 0;
+    char buffer[512];
+    SECOidData *oid = NULL;
+    int intValue = 0;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        SECU_PrintError(progName, "out of memory");
+        return SECFailure;
+    }
+
+    do {
+        current = NULL;
+        current = PORT_ArenaZNew(arena, CERTAuthInfoAccess);
+        if (current == NULL) {
+            GEN_BREAK(SECFailure);
+        }
+
+        /* Get the accessMethod fields */
+        if (addSIAExt) {
+            if (isCACert) {
+                puts("Adding \"CA Repository\" access method type for "
+                    "Subject Information Access extension:\n");
+                intValue = caRepository;
+            } else {
+                puts("Adding \"Time Stamping Services\" access method type for "
+                    "Subject Information Access extension:\n");
+                intValue = timeStamping;
+            }
+        } else {
+            PrintChoicesAndGetAnswer("Enter access method type "
+                "for Authority Information Access extension:\n"
+                "\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
+                "other number to finish\n\tChoice",
+                buffer, sizeof(buffer));
+            intValue = PORT_Atoi(buffer);
+        }
+        if (addSIAExt) {
+            switch (intValue) {
+              case caRepository:
+                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_REPOSITORY);
+                  break;
+                  
+              case timeStamping:
+                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_TIMESTAMPING);
+                  break;
+            } 
+        } else {
+            switch (intValue) {
+              case caIssuers:
+                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_ISSUERS);
+                  break;
+                  
+              case ocsp:
+                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP);
+                  break;
+            } 
+        }
+        if (oid == NULL ||
+            SECITEM_CopyItem(arena, &current->method, &oid->oid) 
+	    == SECFailure) {
+            GEN_BREAK (SECFailure);
+        }
+
+        current->location = GetGeneralName(arena);
+        if (!current->location) {
+            GEN_BREAK(SECFailure);
+        }
+       
+        if (infoAccArr == NULL) {
+            infoAccArr = PORT_ArenaZNew(arena, CERTAuthInfoAccess *);
+        } else {
+	    infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
+                                     sizeof (current) * count,
+                                     sizeof (current) *(count + 1));
+	}
+        if (infoAccArr == NULL) {
+            GEN_BREAK (SECFailure);
+        }
+    
+        infoAccArr[count] = current;
+        ++count;
+        
+        PR_snprintf(buffer, sizeof(buffer), "Add another location to the %s"
+                    " Information Access extension [y/N]",
+                    (addSIAExt) ? "Subject" : "Authority");
+
+        if (GetYesNo (buffer) == 0) {
+            /* Add null to the end to mark end of data */
+            infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
+                                         sizeof (current) * count,
+                                         sizeof (current) *(count + 1));
+            if (infoAccArr == NULL) {
+                GEN_BREAK (SECFailure);
+            }
+            infoAccArr[count] = NULL;        
+            break;
+        }
+
+    } while (1);
+
+    if (rv == SECSuccess) {
+        int oidIdent = SEC_OID_X509_AUTH_INFO_ACCESS;
+
+        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+        
+        if (addSIAExt) {
+            oidIdent = SEC_OID_X509_SUBJECT_INFO_ACCESS;
+        }
+        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, infoAccArr,
+		 yesNoAns, oidIdent,
+		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInfoAccessExtension);
+    }
+    if (arena)
+        PORT_FreeArena(arena, PR_FALSE);
+    return (rv);
+}
+
+SECStatus
+AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
+              certutilExtnList extList)
+{
+    SECStatus rv = SECSuccess;
+    char *errstring = NULL;
+    
+    do {
+        /* Add key usage extension */
+        if (extList[ext_keyUsage]) {
+            rv = AddKeyUsage(extHandle);
+            if (rv) {
+		errstring = "KeyUsage";
+                break;
+	    }
+        }
+
+        /* Add extended key usage extension */
+        if (extList[ext_extKeyUsage]) {
+            rv = AddExtKeyUsage(extHandle);
+            if (rv) {
+		errstring = "ExtendedKeyUsage";
+                break;
+	    }
+        }
+
+        /* Add basic constraint extension */
+        if (extList[ext_basicConstraint]) {
+            rv = AddBasicConstraint(extHandle);
+            if (rv) {
+		errstring = "BasicConstraint";
+                break;
+	    }
+        }
+
+        if (extList[ext_authorityKeyID]) {
+            rv = AddAuthKeyID(extHandle);
+            if (rv) {
+		errstring = "AuthorityKeyID";
+                break;
+	    }
+        }
+
+        if (extList[ext_subjectKeyID]) {
+            rv = AddSubjKeyID(extHandle);
+            if (rv) {
+		errstring = "SubjectKeyID";
+                break;
+	    }
+        }    
+
+        if (extList[ext_CRLDistPts]) {
+            rv = AddCrlDistPoint(extHandle);
+            if (rv) {
+		errstring = "CRLDistPoints";
+                break;
+	    }
+        }
+
+        if (extList[ext_NSCertType]) {
+            rv = AddNscpCertType(extHandle);
+            if (rv) {
+		errstring = "NSCertType";
+                break;
+	    }
+        }
+
+        if (extList[ext_authInfoAcc] || extList[ext_subjInfoAcc]) {
+            rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc],
+	                       extList[ext_basicConstraint]);
+            if (rv) {
+		errstring = "InformationAccess";
+                break;
+	    }
+        }
+
+        if (extList[ext_certPolicies]) {
+            rv = AddCertPolicies(extHandle);
+            if (rv) {
+		errstring = "Policies";
+                break;
+	    }
+        }
+
+        if (extList[ext_policyMappings]) {
+            rv = AddPolicyMappings(extHandle);
+            if (rv) {
+		errstring = "PolicyMappings";
+                break;
+	    }
+        }
+
+        if (extList[ext_policyConstr]) {
+            rv = AddPolicyConstraints(extHandle);
+            if (rv) {
+		errstring = "PolicyConstraints";
+                break;
+	    }
+        }
+
+        if (extList[ext_inhibitAnyPolicy]) {
+            rv = AddInhibitAnyPolicy(extHandle);
+            if (rv) {
+		errstring = "InhibitAnyPolicy";
+                break;
+	    }
+        }
+
+        if (emailAddrs || dnsNames) {
+            PRArenaPool *arena;
+            CERTGeneralName *namelist = NULL;
+            SECItem item = { 0, NULL, 0 };
+            
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (arena == NULL) {
+                rv = SECFailure;
+                break;
+            }
+
+            rv = AddEmailSubjectAlt(arena, &namelist, emailAddrs);
+
+            rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames);
+
+            if (rv == SECSuccess) {
+		rv = CERT_EncodeAltNameExtension(arena, namelist, &item);
+	        if (rv == SECSuccess) {
+                    rv = CERT_AddExtension(extHandle,
+                                          SEC_OID_X509_SUBJECT_ALT_NAME,
+                                          &item, PR_FALSE, PR_TRUE);
+		}
+            }
+	    PORT_FreeArena(arena, PR_FALSE);
+	    if (rv) {
+                errstring = "SubjectAltName";
+                break;
+	    }
+        }
+    } while (0);
+    
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "Problem creating %s extension", errstring);
+    }
+    return rv;
+}
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
new file mode 100644
index 000000000..6ae740d50
--- /dev/null
+++ b/security/nss/cmd/certutil/certutil.c
@@ -0,0 +1,2938 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** certutil.c
+**
+** utility for managing certificates and the cert database
+**
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "nss.h"
+#include "certutil.h"
+
+#define MIN_KEY_BITS		512
+/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
+#define MAX_KEY_BITS		8192
+#define DEFAULT_KEY_BITS	1024
+
+#define GEN_BREAK(e) rv=e; break;
+
+char *progName;
+
+static CERTCertificateRequest *
+GetCertRequest(PRFileDesc *inFile, PRBool ascii)
+{
+    CERTCertificateRequest *certReq = NULL;
+    CERTSignedData signedData;
+    PRArenaPool *arena = NULL;
+    SECItem reqDER;
+    SECStatus rv;
+
+    reqDER.data = NULL;
+    do {
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    GEN_BREAK (SECFailure);
+	}
+	
+ 	rv = SECU_ReadDERFromFile(&reqDER, inFile, ascii);
+	if (rv) {
+	    break;
+	}
+        certReq = (CERTCertificateRequest*) PORT_ArenaZAlloc
+		  (arena, sizeof(CERTCertificateRequest));
+        if (!certReq) { 
+	    GEN_BREAK(SECFailure);
+	}
+	certReq->arena = arena;
+
+	/* Since cert request is a signed data, must decode to get the inner
+	   data
+	 */
+	PORT_Memset(&signedData, 0, sizeof(signedData));
+	rv = SEC_ASN1DecodeItem(arena, &signedData, 
+		SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER);
+	if (rv) {
+	    break;
+	}
+	rv = SEC_ASN1DecodeItem(arena, certReq, 
+		SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);
+	if (rv) {
+	    break;
+	}
+   	rv = CERT_VerifySignedDataWithPublicKeyInfo(&signedData, 
+		&certReq->subjectPublicKeyInfo, NULL /* wincx */);
+   } while (0);
+
+   if (reqDER.data) {
+   	SECITEM_FreeItem(&reqDER, PR_FALSE);
+   }
+
+   if (rv) {
+   	SECU_PrintError(progName, "bad certificate request\n");
+   	if (arena) {
+   	    PORT_FreeArena(arena, PR_FALSE);
+   	}
+   	certReq = NULL;
+   }
+
+   return certReq;
+}
+
+static SECStatus
+AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts, 
+        PRFileDesc *inFile, PRBool ascii, PRBool emailcert, void *pwdata)
+{
+    CERTCertTrust *trust = NULL;
+    CERTCertificate *cert = NULL;
+    SECItem certDER;
+    SECStatus rv;
+
+    certDER.data = NULL;
+    do {
+	/* Read in the entire file specified with the -i argument */
+	rv = SECU_ReadDERFromFile(&certDER, inFile, ascii);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "unable to read input file");
+	    break;
+	}
+
+	/* Read in an ASCII cert and return a CERTCertificate */
+	cert = CERT_DecodeCertFromPackage((char *)certDER.data, certDER.len);
+	if (!cert) {
+	    SECU_PrintError(progName, "could not obtain certificate from file"); 
+	    GEN_BREAK(SECFailure);
+	}
+
+	/* Create a cert trust */
+	trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
+	if (!trust) {
+	    SECU_PrintError(progName, "unable to allocate cert trust");
+	    GEN_BREAK(SECFailure);
+	}
+
+	rv = CERT_DecodeTrustString(trust, trusts);
+	if (rv) {
+	    SECU_PrintError(progName, "unable to decode trust string");
+	    GEN_BREAK(SECFailure);
+	}
+
+	if (PK11_IsFIPS() || !PK11_IsInternal(slot)) {
+	    rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+	    if (rv != SECSuccess) {
+		SECU_PrintError(progName, "could not authenticate to token %s.",
+                                PK11_GetTokenName(slot));
+		GEN_BREAK(SECFailure);
+	    }
+	}
+
+	rv =  PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, name, PR_FALSE);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "could not add certificate to token or database");
+	    GEN_BREAK(SECFailure);
+	}
+
+	rv = CERT_ChangeCertTrust(handle, cert, trust);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
+		rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+		if (rv != SECSuccess) {
+                    SECU_PrintError(progName, "could not authenticate to token %s.",
+                                    PK11_GetTokenName(slot));
+		    GEN_BREAK(SECFailure);
+		}
+		rv = CERT_ChangeCertTrust(handle, cert, trust);
+	    }
+	    if (rv != SECSuccess) {
+		SECU_PrintError(progName, 
+			"could not change trust on certificate");
+		GEN_BREAK(SECFailure);
+	    }
+	}
+
+	if ( emailcert ) {
+	    CERT_SaveSMimeProfile(cert, NULL, pwdata);
+	}
+
+    } while (0);
+
+    CERT_DestroyCertificate (cert);
+    PORT_Free(trust);
+    PORT_Free(certDER.data);
+
+    return rv;
+}
+
+static SECStatus
+CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
+        SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, 
+	const char *emailAddrs, const char *dnsNames,
+        certutilExtnList extnList,
+        PRFileDesc *outFile)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    CERTCertificateRequest *cr;
+    SECItem *encoding;
+    SECOidTag signAlgTag;
+    SECItem result;
+    SECStatus rv;
+    PRArenaPool *arena;
+    PRInt32 numBytes;
+    void *extHandle;
+
+    /* Create info about public key */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if (!spki) {
+	SECU_PrintError(progName, "unable to create subject public key");
+	return SECFailure;
+    }
+    
+    /* Generate certificate request */
+    cr = CERT_CreateCertificateRequest(subject, spki, NULL);
+    if (!cr) {
+	SECU_PrintError(progName, "unable to make certificate request");
+	return SECFailure;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	SECU_PrintError(progName, "out of memory");
+	return SECFailure;
+    }
+    
+    extHandle = CERT_StartCertificateRequestAttributes(cr);
+    if (extHandle == NULL) {
+        PORT_FreeArena (arena, PR_FALSE);
+	return SECFailure;
+    }
+    if (AddExtensions(extHandle, emailAddrs, dnsNames, extnList)
+                  != SECSuccess) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return SECFailure;
+    }
+    CERT_FinishExtensions(extHandle);
+    CERT_FinishCertificateRequestAttributes(cr);
+
+    /* Der encode the request */
+    encoding = SEC_ASN1EncodeItem(arena, NULL, cr,
+                                  SEC_ASN1_GET(CERT_CertificateRequestTemplate));
+    if (encoding == NULL) {
+	SECU_PrintError(progName, "der encoding of request failed");
+	return SECFailure;
+    }
+
+    /* Sign the request */
+    signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
+    if (signAlgTag == SEC_OID_UNKNOWN) {
+	SECU_PrintError(progName, "unknown Key or Hash type");
+	return SECFailure;
+    }
+    rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len, 
+			 privk, signAlgTag);
+    if (rv) {
+	SECU_PrintError(progName, "signing of data failed");
+	return SECFailure;
+    }
+
+    /* Encode request in specified format */
+    if (ascii) {
+	char *obuf;
+	char *name, *email, *org, *state, *country;
+	SECItem *it;
+	int total;
+
+	it = &result;
+
+	obuf = BTOA_ConvertItemToAscii(it);
+	total = PL_strlen(obuf);
+
+	name = CERT_GetCommonName(subject);
+	if (!name) {
+	    name = strdup("(not specified)");
+	}
+
+	if (!phone)
+	    phone = strdup("(not specified)");
+
+	email = CERT_GetCertEmailAddress(subject);
+	if (!email)
+	    email = strdup("(not specified)");
+
+	org = CERT_GetOrgName(subject);
+	if (!org)
+	    org = strdup("(not specified)");
+
+	state = CERT_GetStateName(subject);
+	if (!state)
+	    state = strdup("(not specified)");
+
+	country = CERT_GetCountryName(subject);
+	if (!country)
+	    country = strdup("(not specified)");
+
+	PR_fprintf(outFile, 
+	           "\nCertificate request generated by Netscape certutil\n");
+	PR_fprintf(outFile, "Phone: %s\n\n", phone);
+	PR_fprintf(outFile, "Common Name: %s\n", name);
+	PR_fprintf(outFile, "Email: %s\n", email);
+	PR_fprintf(outFile, "Organization: %s\n", org);
+	PR_fprintf(outFile, "State: %s\n", state);
+	PR_fprintf(outFile, "Country: %s\n\n", country);
+
+	PR_fprintf(outFile, "%s\n", NS_CERTREQ_HEADER);
+	numBytes = PR_Write(outFile, obuf, total);
+	if (numBytes != total) {
+	    SECU_PrintSystemError(progName, "write error");
+	    return SECFailure;
+	}
+	PR_fprintf(outFile, "\n%s\n", NS_CERTREQ_TRAILER);
+    } else {
+	numBytes = PR_Write(outFile, result.data, result.len);
+	if (numBytes != (int)result.len) {
+	    SECU_PrintSystemError(progName, "write error");
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
+			char *name, char *trusts, void *pwdata)
+{
+    SECStatus rv;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    
+    cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+    if (!cert) {
+	SECU_PrintError(progName, "could not find certificate named \"%s\"",
+			name);
+	return SECFailure;
+    }
+
+    trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
+    if (!trust) {
+	SECU_PrintError(progName, "unable to allocate cert trust");
+	return SECFailure;
+    }
+
+    /* This function only decodes these characters: pPwcTCu, */
+    rv = CERT_DecodeTrustString(trust, trusts);
+    if (rv) {
+	SECU_PrintError(progName, "unable to decode trust string");
+	return SECFailure;
+    }
+
+    /* CERT_ChangeCertTrust API does not have a way to pass in
+     * a context, so NSS can't prompt for the password if it needs to.
+     * check to see if the failure was token not logged in and 
+     * log in if need be. */
+    rv = CERT_ChangeCertTrust(handle, cert, trust);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
+	    rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+	    if (rv != SECSuccess) {
+		SECU_PrintError(progName, "could not authenticate to token %s.",
+                                PK11_GetTokenName(slot));
+		return SECFailure;
+	    }
+	    rv = CERT_ChangeCertTrust(handle, cert, trust);
+	}
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "unable to modify trust attributes");
+	    return SECFailure;
+	}
+    }
+    CERT_DestroyCertificate(cert);
+
+    return SECSuccess;
+}
+
+static SECStatus
+DumpChain(CERTCertDBHandle *handle, char *name)
+{
+    CERTCertificate *the_cert;
+    CERTCertificateList *chain;
+    int i, j;
+    the_cert = PK11_FindCertFromNickname(name, NULL);
+    if (!the_cert) {
+	SECU_PrintError(progName, "Could not find: %s\n", name);
+	return SECFailure;
+    }
+    chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
+    CERT_DestroyCertificate(the_cert);
+    if (!chain) {
+	SECU_PrintError(progName, "Could not obtain chain for: %s\n", name);
+	return SECFailure;
+    }
+    for (i=chain->len-1; i>=0; i--) {
+	CERTCertificate *c;
+	c = CERT_FindCertByDERCert(handle, &chain->certs[i]);
+	for (j=i; j<chain->len-1; j++) printf("  ");
+	printf("\"%s\" [%s]\n\n", c->nickname, c->subjectName);
+	CERT_DestroyCertificate(c);
+    }
+    CERT_DestroyCertificateList(chain);
+    return SECSuccess;
+}
+
+static SECStatus
+listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
+          PRBool raw, PRBool ascii, PRFileDesc *outfile, void *pwarg)
+{
+    SECItem data;
+    PRInt32 numBytes;
+    SECStatus rv = SECFailure;
+    CERTCertList *certs;
+    CERTCertListNode *node;
+
+    /* List certs on a non-internal slot. */
+    if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) {
+        SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (newrv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return SECFailure;
+        }
+    }
+    if (name) {
+	CERTCertificate *the_cert;
+	the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+	if (!the_cert) {
+	    the_cert = PK11_FindCertFromNickname(name, NULL);
+	    if (!the_cert) {
+		SECU_PrintError(progName, "Could not find: %s\n", name);
+		return SECFailure;
+	    }
+	}
+	/* Here, we have one cert with the desired nickname or email 
+	 * address.  Now, we will attempt to get a list of ALL certs 
+	 * with the same subject name as the cert we have.  That list 
+	 * should contain, at a minimum, the one cert we have already found.
+	 * If the list of certs is empty (NULL), the libraries have failed.
+	 */
+	certs = CERT_CreateSubjectCertList(NULL, handle, &the_cert->derSubject,
+		PR_Now(), PR_FALSE);
+	CERT_DestroyCertificate(the_cert);
+	if (!certs) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    SECU_PrintError(progName, "problem printing certificates");
+	    return SECFailure;
+	}
+	for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
+						node = CERT_LIST_NEXT(node)) {
+	    the_cert = node->cert;
+	    /* now get the subjectList that matches this cert */
+	    data.data = the_cert->derCert.data;
+	    data.len = the_cert->derCert.len;
+	    if (ascii) {
+		PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
+		        BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
+		rv = SECSuccess;
+	    } else if (raw) {
+		numBytes = PR_Write(outfile, data.data, data.len);
+		if (numBytes != (PRInt32) data.len) {
+		   SECU_PrintSystemError(progName, "error writing raw cert");
+		    rv = SECFailure;
+		}
+		rv = SECSuccess;
+	    } else {
+		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
+                                                  the_cert->trust);
+		if (rv != SECSuccess) {
+		    SECU_PrintError(progName, "problem printing certificate");
+		}
+
+	    }
+	    if (rv != SECSuccess) {
+		break;
+	    }
+	}
+    } else {
+
+	certs = PK11_ListCertsInSlot(slot);
+	if (certs) {
+	    for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
+						node = CERT_LIST_NEXT(node)) {
+		SECU_PrintCertNickname(node,stdout);
+	    }
+	    rv = SECSuccess;
+	}
+    }
+    if (certs) {
+        CERT_DestroyCertList(certs);
+    }
+    if (rv) {
+	SECU_PrintError(progName, "problem printing certificate nicknames");
+	return SECFailure;
+    }
+
+    return SECSuccess;	/* not rv ?? */
+}
+
+static SECStatus
+ListCerts(CERTCertDBHandle *handle, char *nickname, PK11SlotInfo *slot,
+          PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
+{
+    SECStatus rv;
+
+    if (!ascii && !raw && !nickname) {
+        PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n",
+                   "Certificate Nickname", "Trust Attributes", "",
+                   "SSL,S/MIME,JAR/XPI");
+    }
+    if (slot == NULL) {
+	CERTCertList *list;
+	CERTCertListNode *node;
+
+	list = PK11_ListCerts(PK11CertListAll, pwdata);
+	for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
+	     node = CERT_LIST_NEXT(node)) 
+	{
+	    SECU_PrintCertNickname(node, stdout);
+	}
+	CERT_DestroyCertList(list);
+	return SECSuccess;
+    } else {
+	rv = listCerts(handle,nickname,slot,raw,ascii,outfile,pwdata);
+    }
+    return rv;
+}
+
+static SECStatus 
+DeleteCert(CERTCertDBHandle *handle, char *name)
+{
+    SECStatus rv;
+    CERTCertificate *cert;
+
+    cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+    if (!cert) {
+	SECU_PrintError(progName, "could not find certificate named \"%s\"",
+			name);
+	return SECFailure;
+    }
+
+    rv = SEC_DeletePermCertificate(cert);
+    CERT_DestroyCertificate(cert);
+    if (rv) {
+	SECU_PrintError(progName, "unable to delete certificate");
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
+	     char *certUsage, PRBool checkSig, PRBool logit, secuPWData *pwdata)
+{
+    SECStatus rv;
+    CERTCertificate *cert = NULL;
+    int64 timeBoundary;
+    SECCertificateUsage usage;
+    CERTVerifyLog reallog;
+    CERTVerifyLog *log = NULL;
+
+    if (!certUsage) {
+	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	    return (SECFailure);
+    }
+    
+    switch (*certUsage) {
+	case 'O':
+	    usage = certificateUsageStatusResponder;
+	    break;
+	case 'C':
+	    usage = certificateUsageSSLClient;
+	    break;
+	case 'V':
+	    usage = certificateUsageSSLServer;
+	    break;
+	case 'S':
+	    usage = certificateUsageEmailSigner;
+	    break;
+	case 'R':
+	    usage = certificateUsageEmailRecipient;
+	    break;
+	case 'J':
+	    usage = certificateUsageObjectSigner;
+	    break;
+	default:
+	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	    return (SECFailure);
+    }
+    do {
+	cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+	if (!cert) {
+	    SECU_PrintError(progName, "could not find certificate named \"%s\"",
+			    name);
+	    GEN_BREAK (SECFailure)
+	}
+
+	if (date != NULL) {
+	    rv = DER_AsciiToTime(&timeBoundary, date);
+	    if (rv) {
+		SECU_PrintError(progName, "invalid input date");
+		GEN_BREAK (SECFailure)
+	    }
+	} else {
+	    timeBoundary = PR_Now();
+	}
+
+	if ( logit ) {
+	    log = &reallog;
+	    
+	    log->count = 0;
+	    log->head = NULL;
+	    log->tail = NULL;
+	    log->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	    if ( log->arena == NULL ) {
+		SECU_PrintError(progName, "out of memory");
+		GEN_BREAK (SECFailure)
+	    }
+	}
+ 
+	rv = CERT_VerifyCertificate(handle, cert, checkSig, usage,
+			     timeBoundary, pwdata, log, &usage);
+	if ( log ) {
+	    if ( log->head == NULL ) {
+		fprintf(stdout, "%s: certificate is valid\n", progName);
+		GEN_BREAK (SECSuccess)
+	    } else {
+		char *name;
+		CERTVerifyLogNode *node;
+		
+		node = log->head;
+		while ( node ) {
+		    if ( node->cert->nickname != NULL ) {
+			name = node->cert->nickname;
+		    } else {
+			name = node->cert->subjectName;
+		    }
+		    fprintf(stderr, "%s : %s\n", name, 
+		    	SECU_Strerror(node->error));
+		    CERT_DestroyCertificate(node->cert);
+		    node = node->next;
+		}
+	    }
+	} else {
+	    if (rv != SECSuccess) {
+		PRErrorCode perr = PORT_GetError();
+		fprintf(stdout, "%s: certificate is invalid: %s\n",
+			progName, SECU_Strerror(perr));
+		GEN_BREAK (SECFailure)
+	    }
+	    fprintf(stdout, "%s: certificate is valid\n", progName);
+	    GEN_BREAK (SECSuccess)
+	}
+    } while (0);
+
+    if (cert) {
+        CERT_DestroyCertificate(cert);
+    }
+
+    return (rv);
+}
+
+static PRBool
+ItemIsPrintableASCII(const SECItem * item)
+{
+    unsigned char *src = item->data;
+    unsigned int   len = item->len;
+    while (len-- > 0) {
+        unsigned char uc = *src++;
+	if (uc < 0x20 || uc > 0x7e) 
+	    return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/* Caller ensures that dst is at least item->len*2+1 bytes long */
+static void
+SECItemToHex(const SECItem * item, char * dst)
+{
+    if (dst && item && item->data) {
+	unsigned char * src = item->data;
+	unsigned int    len = item->len;
+	for (; len > 0; --len, dst += 2) {
+	    sprintf(dst, "%02x", *src++);
+	}
+	*dst = '\0';
+    }
+}
+
+static const char * const keyTypeName[] = {
+  "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec" };
+
+#define MAX_CKA_ID_BIN_LEN 20
+#define MAX_CKA_ID_STR_LEN 40
+
+/* print key number, key ID (in hex or ASCII), key label (nickname) */
+static SECStatus
+PrintKey(PRFileDesc *out, const char *nickName, int count, 
+         SECKEYPrivateKey *key, void *pwarg)
+{
+    SECItem * ckaID;
+    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
+
+    pwarg = NULL;
+    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
+    if (!ckaID) {
+	strcpy(ckaIDbuf, "(no CKA_ID)");
+    } else if (ItemIsPrintableASCII(ckaID)) {
+	int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
+	ckaIDbuf[0] = '"';
+	memcpy(ckaIDbuf + 1, ckaID->data, len);
+	ckaIDbuf[1 + len] = '"';
+	ckaIDbuf[2 + len] = '\0';
+    } else {
+    	/* print ckaid in hex */
+	SECItem idItem = *ckaID;
+	if (idItem.len > MAX_CKA_ID_BIN_LEN)
+	    idItem.len = MAX_CKA_ID_BIN_LEN;
+        SECItemToHex(&idItem, ckaIDbuf);
+    }
+
+    PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count, 
+               keyTypeName[key->keyType], ckaIDbuf, nickName);
+    SECITEM_ZfreeItem(ckaID, PR_TRUE);
+
+    return SECSuccess;
+}
+
+/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */
+static SECStatus
+ListKeysInSlot(PK11SlotInfo *slot, const char *nickName, KeyType keyType, 
+               void *pwarg)
+{
+    SECKEYPrivateKeyList *list;
+    SECKEYPrivateKeyListNode *node;
+    int count = 0;
+
+    if (PK11_NeedLogin(slot)) {
+        SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return SECFailure;
+        }
+    }
+
+    if (nickName && nickName[0]) 
+	list = PK11_ListPrivKeysInSlot(slot, (char *)nickName, pwarg);
+    else
+	list = PK11_ListPrivateKeysInSlot(slot);
+    if (list == NULL) {
+	SECU_PrintError(progName, "problem listing keys");
+	return SECFailure;
+    }
+    for (node=PRIVKEY_LIST_HEAD(list); 
+             !PRIVKEY_LIST_END(node,list);
+	 node=PRIVKEY_LIST_NEXT(node)) {
+	char * keyName;
+	static const char orphan[] = { "(orphan)" };
+
+	if (keyType != nullKey && keyType != node->key->keyType)
+	    continue;
+        keyName = PK11_GetPrivateKeyNickname(node->key);
+	if (!keyName || !keyName[0]) {
+	    /* Try extra hard to find nicknames for keys that lack them. */
+	    CERTCertificate * cert;
+	    PORT_Free((void *)keyName);
+	    keyName = NULL;
+	    cert = PK11_GetCertFromPrivateKey(node->key);
+	    if (cert) {
+		if (cert->nickname && !cert->nickname[0]) {
+		    keyName = PORT_Strdup(cert->nickname);
+		} else if (cert->emailAddr && cert->emailAddr[0]) {
+		    keyName = PORT_Strdup(cert->emailAddr);
+		}
+		CERT_DestroyCertificate(cert);
+	    }
+	}
+	if (nickName) {
+	    if (!keyName || PL_strcmp(keyName,nickName)) {
+		/* PKCS#11 module returned unwanted keys */
+	        PORT_Free((void *)keyName);
+		continue;
+	    }
+	}
+	if (!keyName)
+	    keyName = (char *)orphan;
+
+	PrintKey(PR_STDOUT, keyName, count, node->key, pwarg);
+
+	if (keyName != (char *)orphan)
+	    PORT_Free((void *)keyName);
+	count++;
+    }
+    SECKEY_DestroyPrivateKeyList(list);
+
+    if (count == 0) {
+	PR_fprintf(PR_STDOUT, "%s: no keys found\n", progName);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */
+static SECStatus
+ListKeys(PK11SlotInfo *slot, const char *nickName, int index, 
+         KeyType keyType, PRBool dopriv, secuPWData *pwdata)
+{
+    SECStatus rv = SECFailure;
+    static const char fmt[] = \
+    	"%s: Checking token \"%.33s\" in slot \"%.65s\"\n";
+
+    if (slot == NULL) {
+	PK11SlotList *list;
+	PK11SlotListElement *le;
+
+	list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata);
+	if (list) {
+	    for (le = list->head; le; le = le->next) {
+		PR_fprintf(PR_STDOUT, fmt, progName, 
+			   PK11_GetTokenName(le->slot), 
+			   PK11_GetSlotName(le->slot));
+		rv &= ListKeysInSlot(le->slot,nickName,keyType,pwdata);
+	    }
+	    PK11_FreeSlotList(list);
+	}
+    } else {
+	PR_fprintf(PR_STDOUT, fmt, progName, PK11_GetTokenName(slot), 
+	           PK11_GetSlotName(slot));
+	rv = ListKeysInSlot(slot,nickName,keyType,pwdata);
+    }
+    return rv;
+}
+
+static SECStatus
+DeleteKey(char *nickname, secuPWData *pwdata)
+{
+    SECStatus rv;
+    CERTCertificate *cert;
+    PK11SlotInfo *slot;
+
+    slot = PK11_GetInternalKeySlot();
+    if (PK11_NeedLogin(slot)) {
+        SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return SECFailure;
+        }
+    }
+    cert = PK11_FindCertFromNickname(nickname, pwdata);
+    if (!cert) {
+	PK11_FreeSlot(slot);
+	return SECFailure;
+    }
+    rv = PK11_DeleteTokenCertAndKey(cert, pwdata);
+    if (rv != SECSuccess) {
+	SECU_PrintError("problem deleting private key \"%s\"\n", nickname);
+    }
+    CERT_DestroyCertificate(cert);
+    PK11_FreeSlot(slot);
+    return rv;
+}
+
+
+/*
+ *  L i s t M o d u l e s
+ *
+ *  Print a list of the PKCS11 modules that are
+ *  available. This is useful for smartcard people to
+ *  make sure they have the drivers loaded.
+ *
+ */
+static SECStatus
+ListModules(void)
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,NULL);
+    if (list == NULL) return SECFailure;
+
+    /* look at each slot*/
+    for (le = list->head ; le; le = le->next) {
+      printf ("\n");
+      printf ("    slot: %s\n", PK11_GetSlotName(le->slot));
+      printf ("   token: %s\n", PK11_GetTokenName(le->slot));
+    }
+    PK11_FreeSlotList(list);
+
+    return SECSuccess;
+}
+
+static void 
+Usage(char *progName)
+{
+#define FPS fprintf(stderr, 
+    FPS "Type %s -H for more detailed descriptions\n", progName);
+    FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
+    FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
+	"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
+    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+    	progName);
+    FPS "\t%s -B -i batch-file\n", progName);
+    FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
+	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
+	"\t\t [-6] [-7 emailAddrs] [-8 dns-names] [-a]\n",
+	progName);
+    FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
+    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+	progName);
+    FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
+	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
+    FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
+	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
+#ifdef NSS_ENABLE_ECC
+    FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
+	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
+    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", 
+	progName);
+#else
+    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", 
+	progName);
+#endif /* NSS_ENABLE_ECC */
+    FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
+    FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
+	progName);
+    FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
+    FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
+    FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
+    FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
+	progName);
+    FPS "\t\t [-P targetDBPrefix] [--source-prefix sourceDBPrefix]\n");
+    FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
+    FPS "\t%s -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]\n", progName);
+    FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
+	progName);
+    FPS "\t%s -O -n cert-name [-X] [-d certdir] [-P dbprefix]\n", progName);
+    FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
+	"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile] [-g key-size]\n",
+	progName);
+    FPS "\t%s -V -n cert-name -u usage [-b time] [-e] \n"
+	"\t\t[-X] [-d certdir] [-P dbprefix]\n",
+	progName);
+    FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x]  -t trustargs\n"
+	"\t\t [-k key-type-or-id] [-q key-params] [-h token-name] [-g key-size]\n"
+        "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
+	"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
+        "\t\t [-8 DNS-names]\n"
+        "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
+        "\t\t [--extSKID]\n", progName);
+    FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
+    exit(1);
+}
+
+static void LongUsage(char *progName)
+{
+
+    FPS "%-15s Add a certificate to the database        (create if needed)\n",
+	"-A");
+    FPS "%-20s\n", "   All options under -E apply");
+    FPS "%-15s Run a series of certutil commands from a batch file\n", "-B");
+    FPS "%-20s Specify the batch file\n", "   -i batch-file");
+    FPS "%-15s Add an Email certificate to the database (create if needed)\n",
+	"-E");
+    FPS "%-20s Specify the nickname of the certificate to add\n",
+	"   -n cert-name");
+    FPS "%-20s Set the certificate trust attributes:\n",
+	"   -t trustargs");
+    FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
+    FPS "%-25s and z is for code signing\n", "");
+    FPS "%-25s p \t valid peer\n", "");
+    FPS "%-25s P \t trusted peer (implies p)\n", "");
+    FPS "%-25s c \t valid CA\n", "");
+    FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
+    FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
+    FPS "%-25s u \t user cert\n", "");
+    FPS "%-25s w \t send warning\n", "");
+    FPS "%-25s g \t make step-up cert\n", "");
+    FPS "%-20s Specify the password file\n",
+	"   -f pwfile");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s The input certificate is encoded in ASCII (RFC1113)\n",
+	"   -a");
+    FPS "%-20s Specify the certificate file (default is stdin)\n",
+	"   -i input");
+    FPS "\n");
+
+    FPS "%-15s Create a new binary certificate from a BINARY cert request\n",
+	"-C");
+    FPS "%-20s The nickname of the issuer cert\n",
+	"   -c issuer-name");
+    FPS "%-20s The BINARY certificate request file\n",
+	"   -i cert-request ");
+    FPS "%-20s Output binary cert to this file (default is stdout)\n",
+	"   -o output-cert");
+    FPS "%-20s Self sign\n",
+	"   -x");
+    FPS "%-20s Cert serial number\n",
+	"   -m serial-number");
+    FPS "%-20s Time Warp\n",
+	"   -w warp-months");
+    FPS "%-20s Months valid (default is 3)\n",
+        "   -v months-valid");
+    FPS "%-20s Specify the password file\n",
+	"   -f pwfile");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s Create key usage extension\n",
+	"   -1 ");
+    FPS "%-20s Create basic constraint extension\n",
+	"   -2 ");
+    FPS "%-20s Create authority key ID extension\n",
+	"   -3 ");
+    FPS "%-20s Create crl distribution point extension\n",
+	"   -4 ");
+    FPS "%-20s Create netscape cert type extension\n",
+	"   -5 ");
+    FPS "%-20s Create extended key usage extension\n",
+	"   -6 ");
+    FPS "%-20s Create an email subject alt name extension\n",
+	"   -7 emailAddrs");
+    FPS "%-20s Create an dns subject alt name extension\n",
+	"   -8 dnsNames");
+    FPS "%-20s The input certificate request is encoded in ASCII (RFC1113)\n",
+	"   -a");
+    FPS "\n");
+
+    FPS "%-15s Generate a new key pair\n",
+	"-G");
+    FPS "%-20s Name of token in which to generate key (default is internal)\n",
+	"   -h token-name");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
+	"   -k key-type");
+    FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
+	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+#else
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
+	"   -k key-type");
+    FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
+	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+#endif /* NSS_ENABLE_ECC */
+    FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
+	"   -y exp");
+    FPS "%-20s Specify the password file\n",
+        "   -f password-file");
+    FPS "%-20s Specify the noise file to be used\n",
+	"   -z noisefile");
+    FPS "%-20s read PQG value from pqgfile (dsa only)\n",
+	"   -q pqgfile");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Elliptic curve name (ec only)\n",
+	"   -q curve-name");
+    FPS "%-20s One of nistp256, nistp384, nistp521\n", "");
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+    FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
+    FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
+    FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
+    FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
+    FPS "%-20s nistb409, sect571k1, nistk571, sect571r1, nistb571,\n", "");
+    FPS "%-20s secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
+    FPS "%-20s nistp192, secp224k1, secp224r1, nistp224, secp256k1,\n", "");
+    FPS "%-20s secp256r1, secp384r1, secp521r1,\n", "");
+    FPS "%-20s prime192v1, prime192v2, prime192v3, \n", "");
+    FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
+    FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
+    FPS "%-20s c2tnb191v2, c2tnb191v3,  \n", "");
+    FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
+    FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
+    FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
+    FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
+    FPS "%-20s sect131r1, sect131r2\n", "");
+#endif /* NSS_ECC_MORE_THAN_SUITE_B */
+#endif
+    FPS "%-20s Key database directory (default is ~/.netscape)\n",
+	"   -d keydir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "\n");
+
+    FPS "%-15s Delete a certificate from the database\n",
+	"-D");
+    FPS "%-20s The nickname of the cert to delete\n",
+	"   -n cert-name");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "\n");
+
+    FPS "%-15s List all modules\n", /*, or print out a single named module\n",*/
+        "-U");
+    FPS "%-20s Module database directory (default is '~/.netscape')\n",
+        "   -d moddir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s force the database to open R/W\n",
+	"   -X");
+    FPS "\n");
+
+    FPS "%-15s List all private keys\n",
+        "-K");
+          FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
+	"   -h token-name ");
+
+    FPS "%-20s Key type (\"all\" (default), \"dsa\","
+#ifdef NSS_ENABLE_ECC
+                                                    " \"ec\","
+#endif
+                                                             " \"rsa\")\n",
+	"   -k key-type");
+    FPS "%-20s The nickname of the key or associated certificate\n",
+	"   -n name");
+    FPS "%-20s Specify the password file\n",
+        "   -f password-file");
+    FPS "%-20s Key database directory (default is ~/.netscape)\n",
+	"   -d keydir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s force the database to open R/W\n",
+	"   -X");
+    FPS "\n");
+
+    FPS "%-15s List all certs, or print out a single named cert\n",
+	"-L");
+    FPS "%-20s Pretty print named cert (list all if unspecified)\n",
+	"   -n cert-name");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s force the database to open R/W\n",
+	"   -X");
+    FPS "%-20s For single cert, print binary DER encoding\n",
+	"   -r");
+    FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n",
+	"   -a");
+    FPS "\n");
+
+    FPS "%-15s Modify trust attributes of certificate\n",
+	"-M");
+    FPS "%-20s The nickname of the cert to modify\n",
+	"   -n cert-name");
+    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
+	"   -t trustargs");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "\n");
+
+    FPS "%-15s Create a new certificate database\n",
+	"-N");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "\n");
+    FPS "%-15s Reset the Key database or token\n",
+	"-T");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s Token to reset (default is internal)\n",
+	"   -h token-name");
+    FPS "%-20s Set token's Site Security Officer password\n",
+	"   -0 SSO-password");
+    FPS "\n");
+
+    FPS "\n");
+    FPS "%-15s Print the chain of a certificate\n",
+	"-O");
+    FPS "%-20s The nickname of the cert to modify\n",
+	"   -n cert-name");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s force the database to open R/W\n",
+	"   -X");
+    FPS "\n");
+
+    FPS "%-15s Generate a certificate request (stdout)\n",
+	"-R");
+    FPS "%-20s Specify the subject name (using RFC1485)\n",
+	"   -s subject");
+    FPS "%-20s Output the cert request to this file\n",
+	"   -o output-req");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
+#else
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
+#endif /* NSS_ENABLE_ECC */
+	"   -k key-type-or-id");
+    FPS "%-20s or nickname of the cert key to use \n",
+	"");
+    FPS "%-20s Name of token in which to generate key (default is internal)\n",
+	"   -h token-name");
+    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
+	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+    FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
+	"   -q pqgfile");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Elliptic curve name (ec only)\n",
+	"   -q curve-name");
+    FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
+	"");
+#endif /* NSS_ENABLE_ECC */
+    FPS "%-20s Specify the password file\n",
+	"   -f pwfile");
+    FPS "%-20s Key database directory (default is ~/.netscape)\n",
+	"   -d keydir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
+	"   -p phone");
+    FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
+	"   -a");
+    FPS "%-20s \n",
+	"   See -S for available extension options");
+    FPS "\n");
+
+    FPS "%-15s Validate a certificate\n",
+	"-V");
+    FPS "%-20s The nickname of the cert to Validate\n",
+	"   -n cert-name");
+    FPS "%-20s validity time (\"YYMMDDHHMMSS[+HHMM|-HHMM|Z]\")\n",
+	"   -b time");
+    FPS "%-20s Check certificate signature \n",
+	"   -e ");   
+    FPS "%-20s Specify certificate usage:\n", "   -u certusage");
+    FPS "%-25s C \t SSL Client\n", "");
+    FPS "%-25s V \t SSL Server\n", "");
+    FPS "%-25s S \t Email signer\n", "");
+    FPS "%-25s R \t Email Recipient\n", "");   
+    FPS "%-25s O \t OCSP status responder\n", "");   
+    FPS "%-25s J \t Object signer\n", "");   
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s force the database to open R/W\n",
+	"   -X");
+    FPS "\n");
+
+    FPS "%-15s Upgrade an old database and merge it into a new one\n",
+	"--upgrade-merge");
+    FPS "%-20s Cert database directory to merge into (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix of the target database\n",
+	"   -P dbprefix");
+    FPS "%-20s Specify the password file for the target database\n",
+	"   -f pwfile");
+    FPS "%-20s \n%-20s Cert database directory to upgrade from\n",
+	"   --source-dir certdir", "");
+    FPS "%-20s \n%-20s Cert & Key database prefix of the upgrade database\n",
+	"   --soruce-prefix dbprefix", "");
+    FPS "%-20s \n%-20s Unique identifier for the upgrade database\n",
+	"   --upgrade-id uniqueID", "");
+    FPS "%-20s \n%-20s Name of the token while it is in upgrade state\n",
+	"   --upgrade-token-name name", "");
+    FPS "%-20s Specify the password file for the upgrade database\n",
+	"   -@ pwfile");
+    FPS "\n");
+
+    FPS "%-15s Merge source database into the target database\n",
+	"--merge");
+    FPS "%-20s Cert database directory of target (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix of the target database\n",
+	"   -P dbprefix");
+    FPS "%-20s Specify the password file for the target database\n",
+	"   -f pwfile");
+    FPS "%-20s \n%-20s Cert database directory of the source database\n",
+	"   --source-dir certdir", "");
+    FPS "%-20s \n%-20s Cert & Key database prefix of the source database\n",
+	"   --source-prefix dbprefix", "");
+    FPS "%-20s Specify the password file for the source database\n",
+	"   -@ pwfile");
+    FPS "\n");
+
+    FPS "%-15s Make a certificate and add to database\n",
+        "-S");
+    FPS "%-20s Specify the nickname of the cert\n",
+        "   -n key-name");
+    FPS "%-20s Specify the subject name (using RFC1485)\n",
+        "   -s subject");
+    FPS "%-20s The nickname of the issuer cert\n",
+	"   -c issuer-name");
+    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
+	"   -t trustargs");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
+#else
+    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
+#endif /* NSS_ENABLE_ECC */
+	"   -k key-type-or-id");
+    FPS "%-20s Name of token in which to generate key (default is internal)\n",
+	"   -h token-name");
+    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
+	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+    FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
+	"   -q pqgfile");
+#ifdef NSS_ENABLE_ECC
+    FPS "%-20s Elliptic curve name (ec only)\n",
+	"   -q curve-name");
+    FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
+	"");
+#endif /* NSS_ENABLE_ECC */
+    FPS "%-20s Self sign\n",
+	"   -x");
+    FPS "%-20s Cert serial number\n",
+	"   -m serial-number");
+    FPS "%-20s Time Warp\n",
+	"   -w warp-months");
+    FPS "%-20s Months valid (default is 3)\n",
+        "   -v months-valid");
+    FPS "%-20s Specify the password file\n",
+	"   -f pwfile");
+    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-20s Cert & Key database prefix\n",
+	"   -P dbprefix");
+    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
+	"   -p phone");
+    FPS "%-20s Create key usage extension\n",
+	"   -1 ");
+    FPS "%-20s Create basic constraint extension\n",
+	"   -2 ");
+    FPS "%-20s Create authority key ID extension\n",
+	"   -3 ");
+    FPS "%-20s Create crl distribution point extension\n",
+	"   -4 ");
+    FPS "%-20s Create netscape cert type extension\n",
+	"   -5 ");
+    FPS "%-20s Create extended key usage extension\n",
+	"   -6 ");
+    FPS "%-20s Create an email subject alt name extension\n",
+	"   -7 emailAddrs ");
+    FPS "%-20s Create a DNS subject alt name extension\n",
+	"   -8 DNS-names");
+    FPS "%-20s Create an Authority Information Access extension\n",
+	"   --extAIA ");
+    FPS "%-20s Create a Subject Information Access extension\n",
+	"   --extSIA ");
+    FPS "%-20s Create a Certificate Policies extension\n",
+	"   --extCP ");
+    FPS "%-20s Create a Policy Mappings extension\n",
+	"   --extPM ");
+    FPS "%-20s Create a Policy Constraints extension\n",
+	"   --extPC ");
+    FPS "%-20s Create an Inhibit Any Policy extension\n",
+	"   --extIA ");
+    FPS "%-20s Create a subject key ID extension\n",
+	"   --extSKID ");
+    FPS "\n");
+
+    exit(1);
+#undef FPS
+}
+
+
+static CERTCertificate *
+MakeV1Cert(	CERTCertDBHandle *	handle, 
+		CERTCertificateRequest *req,
+	    	char *			issuerNickName, 
+		PRBool 			selfsign, 
+		unsigned int 		serialNumber,
+		int 			warpmonths,
+                int                     validityMonths)
+{
+    CERTCertificate *issuerCert = NULL;
+    CERTValidity *validity;
+    CERTCertificate *cert = NULL;
+    PRExplodedTime printableTime;
+    PRTime now, after;
+
+    if ( !selfsign ) {
+	issuerCert = CERT_FindCertByNicknameOrEmailAddr(handle, issuerNickName);
+	if (!issuerCert) {
+	    SECU_PrintError(progName, "could not find certificate named \"%s\"",
+			    issuerNickName);
+	    return NULL;
+	}
+    }
+
+    now = PR_Now();
+    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
+    if ( warpmonths ) {
+	printableTime.tm_month += warpmonths;
+	now = PR_ImplodeTime (&printableTime);
+	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
+    }
+    printableTime.tm_month += validityMonths;
+    after = PR_ImplodeTime (&printableTime);
+
+    /* note that the time is now in micro-second unit */
+    validity = CERT_CreateValidity (now, after);
+    if (validity) {
+        cert = CERT_CreateCertificate(serialNumber, 
+				      (selfsign ? &req->subject 
+				                : &issuerCert->subject), 
+	                              validity, req);
+    
+        CERT_DestroyValidity(validity);
+    }
+    if ( issuerCert ) {
+	CERT_DestroyCertificate (issuerCert);
+    }
+    
+    return(cert);
+}
+
+static SECItem *
+SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, 
+         SECOidTag hashAlgTag,
+         SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
+{
+    SECItem der;
+    SECItem *result = NULL;
+    SECKEYPrivateKey *caPrivateKey = NULL;    
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag algID;
+    void *dummy;
+
+    if( !selfsign ) {
+      CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
+      if( (CERTCertificate *)NULL == issuer ) {
+        SECU_PrintError(progName, "unable to find issuer with nickname %s", 
+	                issuerNickName);
+        return (SECItem *)NULL;
+      }
+
+      privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
+      CERT_DestroyCertificate(issuer);
+      if (caPrivateKey == NULL) {
+	SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
+	return NULL;
+      }
+    }
+	
+    arena = cert->arena;
+
+    algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
+    if (algID == SEC_OID_UNKNOWN) {
+	fprintf(stderr, "Unknown key or hash type for issuer.");
+	goto done;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "Could not set signature algorithm id.");
+	goto done;
+    }
+
+    /* we only deal with cert v3 here */
+    *(cert->version.data) = 2;
+    cert->version.len = 1;
+
+    der.len = 0;
+    der.data = NULL;
+    dummy = SEC_ASN1EncodeItem (arena, &der, cert,
+			 	SEC_ASN1_GET(CERT_CertificateTemplate));
+    if (!dummy) {
+	fprintf (stderr, "Could not encode certificate.\n");
+	goto done;
+    }
+
+    result = (SECItem *) PORT_ArenaZAlloc (arena, sizeof (SECItem));
+    if (result == NULL) {
+	fprintf (stderr, "Could not allocate item for certificate data.\n");
+	goto done;
+    }
+
+    rv = SEC_DerSignData(arena, result, der.data, der.len, privKey, algID);
+    if (rv != SECSuccess) {
+	fprintf (stderr, "Could not sign encoded certificate data.\n");
+	/* result allocated out of the arena, it will be freed
+	 * when the arena is freed */
+	result = NULL;
+	goto done;
+    }
+    cert->derCert = *result;
+done:
+    if (caPrivateKey) {
+	SECKEY_DestroyPrivateKey(caPrivateKey);
+    }
+    return result;
+}
+
+static SECStatus
+CreateCert(
+	CERTCertDBHandle *handle, 
+	PK11SlotInfo *slot,
+	char *  issuerNickName, 
+	PRFileDesc *inFile,
+	PRFileDesc *outFile, 
+	SECKEYPrivateKey **selfsignprivkey,
+	void 	*pwarg,
+	SECOidTag hashAlgTag,
+	unsigned int serialNumber, 
+	int     warpmonths,
+	int     validityMonths,
+	const char *emailAddrs,
+	const char *dnsNames,
+	PRBool  ascii,
+	PRBool  selfsign,
+	certutilExtnList extnList)
+{
+    void *	extHandle;
+    SECItem *	certDER;
+    CERTCertificate *subjectCert 	= NULL;
+    CERTCertificateRequest *certReq	= NULL;
+    SECStatus 	rv 			= SECSuccess;
+    SECItem 	reqDER;
+    CERTCertExtension **CRexts;
+
+    reqDER.data = NULL;
+    do {
+	/* Create a certrequest object from the input cert request der */
+	certReq = GetCertRequest(inFile, ascii);
+	if (certReq == NULL) {
+	    GEN_BREAK (SECFailure)
+	}
+
+	subjectCert = MakeV1Cert (handle, certReq, issuerNickName, selfsign,
+				  serialNumber, warpmonths, validityMonths);
+	if (subjectCert == NULL) {
+	    GEN_BREAK (SECFailure)
+	}
+        
+        
+	extHandle = CERT_StartCertExtensions (subjectCert);
+	if (extHandle == NULL) {
+	    GEN_BREAK (SECFailure)
+	}
+        
+        rv = AddExtensions(extHandle, emailAddrs, dnsNames, extnList);
+        if (rv != SECSuccess) {
+	    GEN_BREAK (SECFailure)
+	}
+        
+        if (certReq->attributes != NULL &&
+	    certReq->attributes[0] != NULL &&
+	    certReq->attributes[0]->attrType.data != NULL &&
+	    certReq->attributes[0]->attrType.len   > 0    &&
+            SECOID_FindOIDTag(&certReq->attributes[0]->attrType)
+                == SEC_OID_PKCS9_EXTENSION_REQUEST) {
+            rv = CERT_GetCertificateRequestExtensions(certReq, &CRexts);
+            if (rv != SECSuccess)
+                break;
+            rv = CERT_MergeExtensions(extHandle, CRexts);
+            if (rv != SECSuccess)
+                break;
+        }
+
+	CERT_FinishExtensions(extHandle);
+
+	/* self-signing a cert request, find the private key */
+	if (selfsign && *selfsignprivkey == NULL) {
+	    *selfsignprivkey = PK11_FindKeyByDERCert(slot, subjectCert, pwarg);
+	    if (!*selfsignprivkey) {
+		fprintf(stderr, "Failed to locate private key.\n");
+		rv = SECFailure;
+		break;
+	    }
+	}
+
+	certDER = SignCert(handle, subjectCert, selfsign, hashAlgTag,
+	                   *selfsignprivkey, issuerNickName,pwarg);
+
+	if (certDER) {
+	   if (ascii) {
+		PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
+		           BTOA_DataToAscii(certDER->data, certDER->len), 
+			   NS_CERT_TRAILER);
+	   } else {
+		PR_Write(outFile, certDER->data, certDER->len);
+	   }
+	}
+
+    } while (0);
+    CERT_DestroyCertificateRequest (certReq);
+    CERT_DestroyCertificate (subjectCert);
+    if (rv != SECSuccess) {
+	PRErrorCode  perr = PR_GetError();
+        fprintf(stderr, "%s: unable to create cert (%s)\n", progName,
+               SECU_Strerror(perr));
+    }
+    return (rv);
+}
+
+
+/*
+ * map a class to a user presentable string
+ */
+static const char *objClassArray[] = {
+   "Data",
+   "Certificate",
+   "Public Key",
+   "Private Key",
+   "Secret Key",
+   "Hardware Feature",
+   "Domain Parameters",
+   "Mechanism"
+};
+
+static const char *objNSSClassArray[] = {
+   "CKO_NSS",
+   "Crl",
+   "SMIME Record",
+   "Trust",
+   "Builtin Root List"
+};
+
+
+const char *
+getObjectClass(CK_ULONG classType)
+{
+    static char buf[sizeof(CK_ULONG)*2+3];
+
+    if (classType <= CKO_MECHANISM) {
+	return objClassArray[classType];
+    }
+    if (classType >= CKO_NSS && classType <= CKO_NSS_BUILTIN_ROOT_LIST) {
+	return objNSSClassArray[classType - CKO_NSS];
+    }
+    sprintf(buf, "0x%lx", classType);
+    return buf;
+}
+
+char *mkNickname(unsigned char *data, int len)
+{
+   char *nick = PORT_Alloc(len+1);
+   if (!nick) {
+	return nick;
+   }
+   PORT_Memcpy(nick, data, len);
+   nick[len] = 0;
+   return nick;
+}
+
+/*
+ * dump a PK11_MergeTokens error log to the console
+ */
+void
+DumpMergeLog(const char *progname, PK11MergeLog *log)
+{
+    PK11MergeLogNode *node;
+
+    for (node = log->head; node; node = node->next) {
+	SECItem  attrItem;
+	char *nickname = NULL;
+	const char *objectClass = NULL;
+	SECStatus rv;
+
+	attrItem.data = NULL;
+	rv = PK11_ReadRawAttribute(PK11_TypeGeneric, node->object, 
+				   CKA_LABEL, &attrItem);
+	if (rv == SECSuccess) {
+	    nickname = mkNickname(attrItem.data, attrItem.len);
+	    PORT_Free(attrItem.data);
+	}
+	attrItem.data = NULL;
+	rv = PK11_ReadRawAttribute(PK11_TypeGeneric, node->object, 
+				   CKA_CLASS, &attrItem);
+	if (rv == SECSuccess) {
+	     if (attrItem.len == sizeof(CK_ULONG)) {
+		objectClass = getObjectClass(*(CK_ULONG *)attrItem.data);
+	     }
+	     PORT_Free(attrItem.data);
+	}
+
+	fprintf(stderr, "%s: Could not merge object %s (type %s): %s\n",
+		progName,
+		nickname ? nickname : "unnamed",
+		objectClass ? objectClass : "unknown",
+		SECU_Strerror(node->error));
+
+	if (nickname) {
+	    PORT_Free(nickname);
+	}
+    }
+}
+
+/*  Certutil commands  */
+enum {
+    cmd_AddCert = 0,
+    cmd_CreateNewCert,
+    cmd_DeleteCert,
+    cmd_AddEmailCert,
+    cmd_DeleteKey,
+    cmd_GenKeyPair,
+    cmd_PrintHelp,
+    cmd_ListKeys,
+    cmd_ListCerts,
+    cmd_ModifyCertTrust,
+    cmd_NewDBs,
+    cmd_DumpChain,
+    cmd_CertReq,
+    cmd_CreateAndAddCert,
+    cmd_TokenReset,
+    cmd_ListModules,
+    cmd_CheckCertValidity,
+    cmd_ChangePassword,
+    cmd_Version,
+    cmd_Batch,
+    cmd_Merge,
+    cmd_UpgradeMerge /* test only */
+};
+
+/*  Certutil options */
+enum certutilOpts {
+    opt_SSOPass = 0,
+    opt_AddKeyUsageExt,
+    opt_AddBasicConstraintExt,
+    opt_AddAuthorityKeyIDExt,
+    opt_AddCRLDistPtsExt,
+    opt_AddNSCertTypeExt,
+    opt_AddExtKeyUsageExt,
+    opt_ExtendedEmailAddrs,
+    opt_ExtendedDNSNames,
+    opt_ASCIIForIO,
+    opt_ValidityTime,
+    opt_IssuerName,
+    opt_CertDir,
+    opt_VerifySig,
+    opt_PasswordFile,
+    opt_KeySize,
+    opt_TokenName,
+    opt_InputFile,
+    opt_KeyIndex,
+    opt_KeyType,
+    opt_DetailedInfo,
+    opt_SerialNumber,
+    opt_Nickname,
+    opt_OutputFile,
+    opt_PhoneNumber,
+    opt_DBPrefix,
+    opt_PQGFile,
+    opt_BinaryDER,
+    opt_Subject,
+    opt_Trust,
+    opt_Usage,
+    opt_Validity,
+    opt_OffsetMonths,
+    opt_SelfSign,
+    opt_RW,
+    opt_Exponent,
+    opt_NoiseFile,
+    opt_Hash,
+    opt_NewPasswordFile,
+    opt_AddAuthInfoAccExt,
+    opt_AddSubjInfoAccExt,
+    opt_AddCertPoliciesExt,
+    opt_AddPolicyMapExt,
+    opt_AddPolicyConstrExt,
+    opt_AddInhibAnyExt,
+    opt_AddSubjectKeyIDExt,
+    opt_SourceDir,
+    opt_SourcePrefix,
+    opt_UpgradeID,
+    opt_UpgradeTokenName
+};
+
+static const
+secuCommandFlag commands_init[] =
+{
+	{ /* cmd_AddCert             */  'A', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_CreateNewCert       */  'C', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_DeleteCert          */  'D', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_AddEmailCert        */  'E', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_DeleteKey           */  'F', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_GenKeyPair          */  'G', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_PrintHelp           */  'H', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ListKeys            */  'K', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ListCerts           */  'L', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ModifyCertTrust     */  'M', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_NewDBs              */  'N', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_DumpChain           */  'O', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_CertReq             */  'R', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_CreateAndAddCert    */  'S', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_TokenReset          */  'T', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ListModules         */  'U', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_CheckCertValidity   */  'V', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ChangePassword      */  'W', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_Batch               */  'B', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_Merge               */   0,  PR_FALSE, 0, PR_FALSE, "merge" },
+	{ /* cmd_UpgradeMerge        */   0,  PR_FALSE, 0, PR_FALSE, 
+                                                   "upgrade-merge" }
+};
+#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
+ 
+static const 
+secuCommandFlag options_init[] =
+{
+	{ /* opt_SSOPass             */  '0', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_AddKeyUsageExt      */  '1', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_AddAuthorityKeyIDExt*/  '3', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_AddCRLDistPtsExt    */  '4', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_AddNSCertTypeExt    */  '5', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_AddExtKeyUsageExt   */  '6', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_ExtendedEmailAddrs  */  '7', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_ExtendedDNSNames    */  '8', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_ASCIIForIO          */  'a', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_ValidityTime        */  'b', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_IssuerName          */  'c', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_CertDir             */  'd', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_VerifySig           */  'e', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_PasswordFile        */  'f', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeySize             */  'g', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_TokenName           */  'h', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_InputFile           */  'i', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyIndex            */  'j', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyType             */  'k', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_DetailedInfo        */  'l', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_SerialNumber        */  'm', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Nickname            */  'n', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_OutputFile          */  'o', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_PhoneNumber         */  'p', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_DBPrefix            */  'P', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_PQGFile             */  'q', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_BinaryDER           */  'r', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_Subject             */  's', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Trust               */  't', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Usage               */  'u', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Validity            */  'v', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_OffsetMonths        */  'w', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_SelfSign            */  'x', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_RW                  */  'X', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_Exponent            */  'y', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_NewPasswordFile     */  '@', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_AddAuthInfoAccExt   */  0,   PR_FALSE, 0, PR_FALSE, "extAIA" },
+	{ /* opt_AddSubjInfoAccExt   */  0,   PR_FALSE, 0, PR_FALSE, "extSIA" },
+	{ /* opt_AddCertPoliciesExt  */  0,   PR_FALSE, 0, PR_FALSE, "extCP" },
+	{ /* opt_AddPolicyMapExt     */  0,   PR_FALSE, 0, PR_FALSE, "extPM" },
+	{ /* opt_AddPolicyConstrExt  */  0,   PR_FALSE, 0, PR_FALSE, "extPC" },
+	{ /* opt_AddInhibAnyExt      */  0,   PR_FALSE, 0, PR_FALSE, "extIA" },
+	{ /* opt_AddSubjectKeyIDExt  */  0,   PR_FALSE, 0, PR_FALSE, 
+						   "extSKID" },
+	{ /* opt_SourceDir           */  0,   PR_TRUE,  0, PR_FALSE,
+                                                   "source-dir"},
+	{ /* opt_SourcePrefix        */  0,   PR_TRUE,  0, PR_FALSE, 
+						   "source-prefix"},
+	{ /* opt_UpgradeID           */  0,   PR_TRUE,  0, PR_FALSE, 
+                                                   "upgrade-id"},
+	{ /* opt_UpgradeTokenName    */  0,   PR_TRUE,  0, PR_FALSE, 
+                                                   "upgrade-token-name"},
+};
+#define NUM_OPTIONS ((sizeof options_init)  / (sizeof options_init[0]))
+
+static secuCommandFlag certutil_commands[NUM_COMMANDS];
+static secuCommandFlag certutil_options [NUM_OPTIONS ];
+
+static const secuCommand certutil = {
+    NUM_COMMANDS, 
+    NUM_OPTIONS, 
+    certutil_commands, 
+    certutil_options
+};
+
+static certutilExtnList certutil_extns;
+
+static int 
+certutil_main(int argc, char **argv, PRBool initialize)
+{
+    CERTCertDBHandle *certHandle;
+    PK11SlotInfo *slot = NULL;
+    CERTName *  subject         = 0;
+    PRFileDesc *inFile          = PR_STDIN;
+    PRFileDesc *outFile         = NULL;
+    char *      certfile        = "tempcert";
+    char *      certreqfile     = "tempcertreq";
+    char *      slotname        = "internal";
+    char *      certPrefix      = "";
+    char *      sourceDir       = "";
+    char *      srcCertPrefix   = "";
+    char *      upgradeID        = "";
+    char *      upgradeTokenName     = "";
+    KeyType     keytype         = rsaKey;
+    char *      name            = NULL;
+    char *      keysource       = NULL;
+    SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
+    int	        keysize	        = DEFAULT_KEY_BITS;
+    int         publicExponent  = 0x010001;
+    unsigned int serialNumber   = 0;
+    int         warpmonths      = 0;
+    int         validityMonths  = 3;
+    int         commandsEntered = 0;
+    char        commandToRun    = '\0';
+    secuPWData  pwdata          = { PW_NONE, 0 };
+    secuPWData  pwdata2         = { PW_NONE, 0 };
+    PRBool      readOnly        = PR_FALSE;
+    PRBool      initialized     = PR_FALSE;
+
+    SECKEYPrivateKey *privkey = NULL;
+    SECKEYPublicKey *pubkey = NULL;
+
+    int i;
+    SECStatus rv;
+
+    progName = PORT_Strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+    memcpy(certutil_commands, commands_init, sizeof commands_init);
+    memcpy(certutil_options,  options_init,  sizeof options_init);
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &certutil);
+
+    if (rv != SECSuccess)
+	Usage(progName);
+
+    if (certutil.commands[cmd_PrintHelp].activated)
+	LongUsage(progName);
+
+    if (certutil.options[opt_PasswordFile].arg) {
+	pwdata.source = PW_FROMFILE;
+	pwdata.data = certutil.options[opt_PasswordFile].arg;
+    }
+    if (certutil.options[opt_NewPasswordFile].arg) {
+	pwdata2.source = PW_FROMFILE;
+	pwdata2.data = certutil.options[opt_NewPasswordFile].arg;
+    }
+
+    if (certutil.options[opt_CertDir].activated)
+	SECU_ConfigDirectory(certutil.options[opt_CertDir].arg);
+
+    if (certutil.options[opt_SourceDir].activated)
+	sourceDir = certutil.options[opt_SourceDir].arg;
+
+    if (certutil.options[opt_UpgradeID].activated)
+	upgradeID = certutil.options[opt_UpgradeID].arg;
+
+    if (certutil.options[opt_UpgradeTokenName].activated)
+	upgradeTokenName = certutil.options[opt_UpgradeTokenName].arg;
+
+    if (certutil.options[opt_KeySize].activated) {
+	keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
+	if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
+	    PR_fprintf(PR_STDERR, 
+                       "%s -g:  Keysize must be between %d and %d.\n",
+		       progName, MIN_KEY_BITS, MAX_KEY_BITS);
+	    return 255;
+	}
+#ifdef NSS_ENABLE_ECC
+	if (keytype == ecKey) {
+	    PR_fprintf(PR_STDERR, "%s -g:  Not for ec keys.\n", progName);
+	    return 255;
+	}
+#endif /* NSS_ENABLE_ECC */
+
+    }
+
+    /*  -h specify token name  */
+    if (certutil.options[opt_TokenName].activated) {
+	if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
+	    slotname = NULL;
+	else
+	    slotname = PL_strdup(certutil.options[opt_TokenName].arg);
+    }
+
+    /*  -Z hash type  */
+    if (certutil.options[opt_Hash].activated) {
+	char * arg = certutil.options[opt_Hash].arg;
+        hashAlgTag = SECU_StringToSignatureAlgTag(arg);
+        if (hashAlgTag == SEC_OID_UNKNOWN) {
+	    PR_fprintf(PR_STDERR, "%s -Z:  %s is not a recognized type.\n",
+	               progName, arg);
+	    return 255;
+	}
+    }
+
+    /*  -k key type  */
+    if (certutil.options[opt_KeyType].activated) {
+	char * arg = certutil.options[opt_KeyType].arg;
+	if (PL_strcmp(arg, "rsa") == 0) {
+	    keytype = rsaKey;
+	} else if (PL_strcmp(arg, "dsa") == 0) {
+	    keytype = dsaKey;
+#ifdef NSS_ENABLE_ECC
+	} else if (PL_strcmp(arg, "ec") == 0) {
+	    keytype = ecKey;
+#endif /* NSS_ENABLE_ECC */
+	} else if (PL_strcmp(arg, "all") == 0) {
+	    keytype = nullKey;
+	} else {
+	    /* use an existing private/public key pair */
+	    keysource = arg;
+	}
+    } else if (certutil.commands[cmd_ListKeys].activated) {
+	keytype = nullKey;
+    }
+
+    /*  -m serial number */
+    if (certutil.options[opt_SerialNumber].activated) {
+	int sn = PORT_Atoi(certutil.options[opt_SerialNumber].arg);
+	if (sn < 0) {
+	    PR_fprintf(PR_STDERR, "%s -m:  %s is not a valid serial number.\n",
+	               progName, certutil.options[opt_SerialNumber].arg);
+	    return 255;
+	}
+	serialNumber = sn;
+    }
+
+    /*  -P certdb name prefix */
+    if (certutil.options[opt_DBPrefix].activated) {
+        if (certutil.options[opt_DBPrefix].arg) {
+            certPrefix = strdup(certutil.options[opt_DBPrefix].arg);
+        } else {
+            Usage(progName);
+        }
+    }
+
+    /*  --source-prefix certdb name prefix */
+    if (certutil.options[opt_SourcePrefix].activated) {
+        if (certutil.options[opt_SourcePrefix].arg) {
+            srcCertPrefix = strdup(certutil.options[opt_SourcePrefix].arg);
+        } else {
+            Usage(progName);
+        }
+    }
+
+    /*  -q PQG file or curve name */
+    if (certutil.options[opt_PQGFile].activated) {
+#ifdef NSS_ENABLE_ECC
+	if ((keytype != dsaKey) && (keytype != ecKey)) {
+	    PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" \
+		       " (-k dsa) or a named curve for EC keys (-k ec)\n)",
+	               progName);
+#else   /* } */
+	if (keytype != dsaKey) {
+	    PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
+	               progName);
+#endif /* NSS_ENABLE_ECC */
+	    return 255;
+	}
+    }
+
+    /*  -s subject name  */
+    if (certutil.options[opt_Subject].activated) {
+	subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
+	if (!subject) {
+	    PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
+	               progName, certutil.options[opt_Subject].arg);
+	    return 255;
+	}
+    }
+
+    /*  -v validity period  */
+    if (certutil.options[opt_Validity].activated) {
+	validityMonths = PORT_Atoi(certutil.options[opt_Validity].arg);
+	if (validityMonths < 0) {
+	    PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
+	               progName, certutil.options[opt_Validity].arg);
+	    return 255;
+	}
+    }
+
+    /*  -w warp months  */
+    if (certutil.options[opt_OffsetMonths].activated)
+	warpmonths = PORT_Atoi(certutil.options[opt_OffsetMonths].arg);
+
+    /*  -y public exponent (for RSA)  */
+    if (certutil.options[opt_Exponent].activated) {
+	publicExponent = PORT_Atoi(certutil.options[opt_Exponent].arg);
+	if ((publicExponent != 3) &&
+	    (publicExponent != 17) &&
+	    (publicExponent != 65537)) {
+	    PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", 
+	                           progName, publicExponent);
+	    PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
+	    return 255;
+	}
+    }
+
+    /*  Check number of commands entered.  */
+    commandsEntered = 0;
+    for (i=0; i< certutil.numCommands; i++) {
+	if (certutil.commands[i].activated) {
+	    commandToRun = certutil.commands[i].flag;
+	    commandsEntered++;
+	}
+	if (commandsEntered > 1)
+	    break;
+    }
+    if (commandsEntered > 1) {
+	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);
+	PR_fprintf(PR_STDERR, "You entered: ");
+	for (i=0; i< certutil.numCommands; i++) {
+	    if (certutil.commands[i].activated)
+		PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
+	}
+	PR_fprintf(PR_STDERR, "\n");
+	return 255;
+    }
+    if (commandsEntered == 0) {
+	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
+	Usage(progName);
+    }
+
+    if (certutil.commands[cmd_ListCerts].activated ||
+         certutil.commands[cmd_PrintHelp].activated ||
+         certutil.commands[cmd_ListKeys].activated ||
+         certutil.commands[cmd_ListModules].activated ||
+         certutil.commands[cmd_CheckCertValidity].activated ||
+         certutil.commands[cmd_Version].activated ) {
+	readOnly = !certutil.options[opt_RW].activated;
+    }
+
+    /*  -A, -D, -F, -M, -S, -V, and all require -n  */
+    if ((certutil.commands[cmd_AddCert].activated ||
+         certutil.commands[cmd_DeleteCert].activated ||
+         certutil.commands[cmd_DeleteKey].activated ||
+	 certutil.commands[cmd_DumpChain].activated ||
+         certutil.commands[cmd_ModifyCertTrust].activated ||
+         certutil.commands[cmd_CreateAndAddCert].activated ||
+         certutil.commands[cmd_CheckCertValidity].activated) &&
+        !certutil.options[opt_Nickname].activated) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -%c: nickname is required for this command (-n).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  -A, -E, -M, -S require trust  */
+    if ((certutil.commands[cmd_AddCert].activated ||
+         certutil.commands[cmd_AddEmailCert].activated ||
+         certutil.commands[cmd_ModifyCertTrust].activated ||
+         certutil.commands[cmd_CreateAndAddCert].activated) &&
+        !certutil.options[opt_Trust].activated) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -%c: trust is required for this command (-t).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  if -L is given raw or ascii mode, it must be for only one cert.  */
+    if (certutil.commands[cmd_ListCerts].activated &&
+        (certutil.options[opt_ASCIIForIO].activated ||
+         certutil.options[opt_BinaryDER].activated) &&
+        !certutil.options[opt_Nickname].activated) {
+	PR_fprintf(PR_STDERR, 
+	        "%s: nickname is required to dump cert in raw or ascii mode.\n",
+	           progName);
+	return 255;
+    }
+    
+    /*  -L can only be in (raw || ascii).  */
+    if (certutil.commands[cmd_ListCerts].activated &&
+        certutil.options[opt_ASCIIForIO].activated &&
+        certutil.options[opt_BinaryDER].activated) {
+	PR_fprintf(PR_STDERR, 
+	           "%s: cannot specify both -r and -a when dumping cert.\n",
+	           progName);
+	return 255;
+    }
+
+    /*  If making a cert request, need a subject.  */
+    if ((certutil.commands[cmd_CertReq].activated ||
+         certutil.commands[cmd_CreateAndAddCert].activated) &&
+        !(certutil.options[opt_Subject].activated || keysource)) {
+	PR_fprintf(PR_STDERR, 
+	           "%s -%c: subject is required to create a cert request.\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  If making a cert, need a serial number.  */
+    if ((certutil.commands[cmd_CreateNewCert].activated ||
+         certutil.commands[cmd_CreateAndAddCert].activated) &&
+         !certutil.options[opt_SerialNumber].activated) {
+	/*  Make a default serial number from the current time.  */
+	PRTime now = PR_Now();
+	LL_USHR(now, now, 19);
+	LL_L2UI(serialNumber, now);
+    }
+
+    /*  Validation needs the usage to validate for.  */
+    if (certutil.commands[cmd_CheckCertValidity].activated &&
+        !certutil.options[opt_Usage].activated) {
+	PR_fprintf(PR_STDERR, 
+	           "%s -V: specify a usage to validate the cert for (-u).\n",
+	           progName);
+	return 255;
+    }
+
+    /* Upgrade/Merge needs a source database and a upgrade id. */
+    if (certutil.commands[cmd_UpgradeMerge].activated &&
+        !(certutil.options[opt_SourceDir].activated &&
+          certutil.options[opt_UpgradeID].activated)) {
+
+	PR_fprintf(PR_STDERR, 
+	           "%s --upgrade-merge: specify an upgrade database directory "
+		   "(--source-dir) and\n"
+                   "   an upgrade ID (--upgrade-id).\n",
+	           progName);
+	return 255;
+    }
+
+    /* Merge needs a source database */
+    if (certutil.commands[cmd_Merge].activated &&
+        !certutil.options[opt_SourceDir].activated) {
+
+
+	PR_fprintf(PR_STDERR, 
+	           "%s --merge: specify an source database directory "
+		   "(--source-dir)\n",
+	           progName);
+	return 255;
+    }
+
+    
+    /*  To make a cert, need either a issuer or to self-sign it.  */
+    if (certutil.commands[cmd_CreateAndAddCert].activated &&
+	!(certutil.options[opt_IssuerName].activated ||
+          certutil.options[opt_SelfSign].activated)) {
+	PR_fprintf(PR_STDERR,
+	           "%s -S: must specify issuer (-c) or self-sign (-x).\n",
+	           progName);
+	return 255;
+    }
+
+    /*  Using slotname == NULL for listing keys and certs on all slots, 
+     *  but only that. */
+    if (!(certutil.commands[cmd_ListKeys].activated ||
+	  certutil.commands[cmd_DumpChain].activated ||
+    	  certutil.commands[cmd_ListCerts].activated) && slotname == NULL) {
+	PR_fprintf(PR_STDERR,
+	           "%s -%c: cannot use \"-h all\" for this command.\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  Using keytype == nullKey for list all key types, but only that.  */
+    if (!certutil.commands[cmd_ListKeys].activated && keytype == nullKey) {
+	PR_fprintf(PR_STDERR,
+	           "%s -%c: cannot use \"-k all\" for this command.\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  -S  open outFile, temporary file for cert request.  */
+    if (certutil.commands[cmd_CreateAndAddCert].activated) {
+	outFile = PR_Open(certreqfile,
+                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
+	if (!outFile) {
+	    PR_fprintf(PR_STDERR, 
+		       "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
+		       progName, certreqfile,
+		       PR_GetError(), PR_GetOSError());
+	    return 255;
+	}
+    }
+
+    /*  Open the input file.  */
+    if (certutil.options[opt_InputFile].activated) {
+	inFile = PR_Open(certutil.options[opt_InputFile].arg, PR_RDONLY, 0);
+	if (!inFile) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
+	               progName, certutil.options[opt_InputFile].arg,
+	               PR_GetError(), PR_GetOSError());
+	    return 255;
+	}
+    }
+
+    /*  Open the output file.  */
+    if (certutil.options[opt_OutputFile].activated && !outFile) {
+	outFile = PR_Open(certutil.options[opt_OutputFile].arg, 
+                          PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
+	if (!outFile) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  unable to open \"%s\" for writing (%ld, %ld).\n",
+	               progName, certutil.options[opt_OutputFile].arg,
+	               PR_GetError(), PR_GetOSError());
+	    return 255;
+	}
+    }
+
+    name = SECU_GetOptionArg(&certutil, opt_Nickname);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    if (PR_TRUE == initialize) {
+        /*  Initialize NSPR and NSS.  */
+        PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+	if (!certutil.commands[cmd_UpgradeMerge].activated) {
+            rv = NSS_Initialize(SECU_ConfigDirectory(NULL), 
+			    certPrefix, certPrefix,
+                            "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
+	} else {
+            rv = NSS_InitWithMerge(SECU_ConfigDirectory(NULL), 
+			    certPrefix, certPrefix, "secmod.db",
+			    sourceDir, srcCertPrefix, srcCertPrefix, 
+			    upgradeID, upgradeTokenName,
+                            readOnly ? NSS_INIT_READONLY: 0);
+	}
+        if (rv != SECSuccess) {
+	    SECU_PrintPRandOSError(progName);
+	    rv = SECFailure;
+	    goto shutdown;
+        }
+        initialized = PR_TRUE;
+    	SECU_RegisterDynamicOids();
+    }
+    certHandle = CERT_GetDefaultCertDB();
+
+    if (certutil.commands[cmd_Version].activated) {
+	printf("Certificate database content version: command not implemented.\n");
+    }
+
+    if (PL_strcmp(slotname, "internal") == 0)
+	slot = PK11_GetInternalKeySlot();
+    else if (slotname != NULL)
+	slot = PK11_FindSlotByName(slotname);
+
+    
+
+   
+    if ( !slot && (certutil.commands[cmd_NewDBs].activated ||
+         certutil.commands[cmd_ModifyCertTrust].activated  || 
+         certutil.commands[cmd_ChangePassword].activated   ||
+         certutil.commands[cmd_TokenReset].activated       ||
+         certutil.commands[cmd_CreateAndAddCert].activated ||
+         certutil.commands[cmd_AddCert].activated          ||
+         certutil.commands[cmd_Merge].activated          ||
+         certutil.commands[cmd_UpgradeMerge].activated          ||
+         certutil.commands[cmd_AddEmailCert].activated)) {
+      
+         SECU_PrintError(progName, "could not find the slot %s",slotname);
+         rv = SECFailure;
+         goto shutdown;
+    }
+
+    /*  If creating new database, initialize the password.  */
+    if (certutil.commands[cmd_NewDBs].activated) {
+	SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+				certutil.options[opt_NewPasswordFile].arg);
+    }
+
+    /* walk through the upgrade merge if necessary.
+     * This option is more to test what some applications will want to do
+     * to do an automatic upgrade. The --merge command is more useful for
+     * the general case where 2 database need to be merged together.
+     */
+    if (certutil.commands[cmd_UpgradeMerge].activated) {
+	if (*upgradeTokenName == 0) {
+	    upgradeTokenName = upgradeID;
+	}
+	if (!PK11_IsInternal(slot)) {
+	    fprintf(stderr, "Only internal DB's can be upgraded\n");
+	    rv = SECSuccess;
+	    goto shutdown;
+	}
+	if (!PK11_IsRemovable(slot)) {
+	    printf("database already upgraded.\n");
+	    rv = SECSuccess;
+	    goto shutdown;
+	}
+	if (!PK11_NeedLogin(slot)) {
+	    printf("upgrade complete!\n");
+	    rv = SECSuccess;
+	    goto shutdown;
+	}
+	/* authenticate to the old DB if necessary */
+	if (PORT_Strcmp(PK11_GetTokenName(slot), upgradeTokenName) ==  0) {
+	    /* if we need a password, supply it. This will be the password
+	     * for the old database */
+	    rv = PK11_Authenticate(slot, PR_FALSE, &pwdata2);
+	    if (rv != SECSuccess) {
+         	SECU_PrintError(progName, "Could not get password for %s",
+				upgradeTokenName);
+		goto shutdown;
+	    }
+	    /* 
+	     * if we succeeded above, but still aren't logged in, that means
+	     * we just supplied the password for the old database. We may
+	     * need the password for the new database. NSS will automatically
+	     * change the token names at this point
+	     */
+	    if (PK11_IsLoggedIn(slot, &pwdata)) {
+		printf("upgrade complete!\n");
+		rv = SECSuccess;
+		goto shutdown;
+	    }
+ 	}
+
+	/* call PK11_IsPresent to update our cached token information */
+	if (!PK11_IsPresent(slot)) {
+	    /* this shouldn't happen. We call isPresent to force a token
+	     * info update */
+	    fprintf(stderr, "upgrade/merge internal error\n");
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+
+	/* the token is now set to the state of the source database,
+	 * if we need a password for it, PK11_Authenticate will 
+	 * automatically prompt us */
+	rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
+	if (rv == SECSuccess) {
+	    printf("upgrade complete!\n");
+	} else {
+            SECU_PrintError(progName, "Could not get password for %s",
+				PK11_GetTokenName(slot));
+	}
+	goto shutdown;
+    }
+
+    /*
+     * merge 2 databases.
+     */
+    if (certutil.commands[cmd_Merge].activated) {
+	PK11SlotInfo *sourceSlot = NULL;
+	PK11MergeLog *log;
+	char *modspec = PR_smprintf(
+		"configDir='%s' certPrefix='%s' tokenDescription='%s'",
+		sourceDir, srcCertPrefix, 
+		*upgradeTokenName ? upgradeTokenName : "Source Database");
+
+	if (!modspec) {
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+
+	sourceSlot = SECMOD_OpenUserDB(modspec);
+	PR_smprintf_free(modspec);
+	if (!sourceSlot) {
+	    SECU_PrintError(progName, "couldn't open source database");
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+
+	rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "Couldn't get password for %s",
+					PK11_GetTokenName(slot));
+	    goto merge_fail;
+	}
+
+	rv = PK11_Authenticate(sourceSlot, PR_FALSE, &pwdata2);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "Couldn't get password for %s",
+					PK11_GetTokenName(sourceSlot));
+	    goto merge_fail;
+	}
+
+	log = PK11_CreateMergeLog();
+	if (!log) {
+	    rv = SECFailure;
+	    SECU_PrintError(progName, "couldn't create error log");
+	    goto merge_fail;
+	}
+
+	rv = PK11_MergeTokens(slot, sourceSlot, log, &pwdata, &pwdata2);
+	if (rv != SECSuccess) {
+	    DumpMergeLog(progName, log);
+	}
+	PK11_DestroyMergeLog(log);
+
+merge_fail:
+	SECMOD_CloseUserDB(sourceSlot);
+	PK11_FreeSlot(sourceSlot);
+	goto shutdown;
+    }
+
+    /* The following 8 options are mutually exclusive with all others. */
+
+    /*  List certs (-L)  */
+    if (certutil.commands[cmd_ListCerts].activated) {
+	rv = ListCerts(certHandle, name, slot,
+	               certutil.options[opt_BinaryDER].activated,
+	               certutil.options[opt_ASCIIForIO].activated, 
+                       (outFile) ? outFile : PR_STDOUT, &pwdata);
+	goto shutdown;
+    }
+    if (certutil.commands[cmd_DumpChain].activated) {
+	rv = DumpChain(certHandle, name);
+	goto shutdown;
+    }
+    /*  XXX needs work  */
+    /*  List keys (-K)  */
+    if (certutil.commands[cmd_ListKeys].activated) {
+	rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/,
+	              &pwdata);
+	goto shutdown;
+    }
+    /*  List modules (-U)  */
+    if (certutil.commands[cmd_ListModules].activated) {
+	rv = ListModules();
+	goto shutdown;
+    }
+    /*  Delete cert (-D)  */
+    if (certutil.commands[cmd_DeleteCert].activated) {
+	rv = DeleteCert(certHandle, name);
+	goto shutdown;
+    }
+    /*  Delete key (-F)  */
+    if (certutil.commands[cmd_DeleteKey].activated) {
+	rv = DeleteKey(name, &pwdata);
+	goto shutdown;
+    }
+    /*  Modify trust attribute for cert (-M)  */
+    if (certutil.commands[cmd_ModifyCertTrust].activated) {
+	if (PK11_IsFIPS() || !PK11_IsFriendly(slot)) {
+	    rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
+	    if (rv != SECSuccess) {
+		SECU_PrintError(progName, "could not authenticate to token %s.",
+                                PK11_GetTokenName(slot));
+		goto shutdown;
+	    }
+	}
+	rv = ChangeTrustAttributes(certHandle, slot, name, 
+	                           certutil.options[opt_Trust].arg, &pwdata);
+	goto shutdown;
+    }
+    /*  Change key db password (-W) (future - change pw to slot?)  */
+    if (certutil.commands[cmd_ChangePassword].activated) {
+	rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+				certutil.options[opt_NewPasswordFile].arg);
+	goto shutdown;
+    }
+    /*  Reset the a token */
+    if (certutil.commands[cmd_TokenReset].activated) {
+	char *sso_pass = "";
+
+	if (certutil.options[opt_SSOPass].activated) {
+	    sso_pass = certutil.options[opt_SSOPass].arg;
+ 	}
+	rv = PK11_ResetToken(slot,sso_pass);
+
+	goto shutdown;
+    }
+    /*  Check cert validity against current time (-V)  */
+    if (certutil.commands[cmd_CheckCertValidity].activated) {
+	/* XXX temporary hack for fips - must log in to get priv key */
+	if (certutil.options[opt_VerifySig].activated) {
+	    if (slot && PK11_NeedLogin(slot)) {
+                SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
+                if (newrv != SECSuccess) {
+                    SECU_PrintError(progName, "could not authenticate to token %s.",
+                                    PK11_GetTokenName(slot));
+                    goto shutdown;
+                }
+            }
+	}
+	rv = ValidateCert(certHandle, name, 
+	                  certutil.options[opt_ValidityTime].arg,
+			  certutil.options[opt_Usage].arg,
+			  certutil.options[opt_VerifySig].activated,
+			  certutil.options[opt_DetailedInfo].activated,
+	                  &pwdata);
+	if (rv != SECSuccess && PR_GetError() == SEC_ERROR_INVALID_ARGS)
+            SECU_PrintError(progName, "validation failed");
+	goto shutdown;
+    }
+
+    /*
+     *  Key generation
+     */
+
+    /*  These commands may require keygen.  */
+    if (certutil.commands[cmd_CertReq].activated ||
+        certutil.commands[cmd_CreateAndAddCert].activated ||
+	certutil.commands[cmd_GenKeyPair].activated) {
+	if (keysource) {
+	    CERTCertificate *keycert;
+	    keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
+	    if (!keycert) {
+		keycert = PK11_FindCertFromNickname(keysource, NULL);
+		if (!keycert) {
+		    SECU_PrintError(progName,
+			    "%s is neither a key-type nor a nickname", keysource);
+		    return SECFailure;
+		}
+	    }
+	    privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
+	    if (privkey)
+		pubkey = CERT_ExtractPublicKey(keycert);
+	    if (!pubkey) {
+		SECU_PrintError(progName,
+				"Could not get keys from cert %s", keysource);
+		rv = SECFailure;
+		CERT_DestroyCertificate(keycert);
+		goto shutdown;
+	    }
+	    keytype = privkey->keyType;
+	    /* On CertReq for renewal if no subject has been
+	     * specified obtain it from the certificate. 
+	     */
+	    if (certutil.commands[cmd_CertReq].activated && !subject) {
+	        subject = CERT_AsciiToName(keycert->subjectName);
+	        if (!subject) {
+	            SECU_PrintError(progName,
+			"Could not get subject from certificate %s", keysource);
+	            CERT_DestroyCertificate(keycert);
+	            rv = SECFailure;
+	            goto shutdown;
+	        }
+	    }
+	    CERT_DestroyCertificate(keycert);
+	} else {
+	    privkey = 
+		CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
+					    publicExponent, 
+					    certutil.options[opt_NoiseFile].arg,
+					    &pubkey, 
+					    certutil.options[opt_PQGFile].arg,
+					    &pwdata);
+	    if (privkey == NULL) {
+		SECU_PrintError(progName, "unable to generate key(s)\n");
+		rv = SECFailure;
+		goto shutdown;
+	    }
+	}
+	privkey->wincx = &pwdata;
+	PORT_Assert(pubkey != NULL);
+
+	/*  If all that was needed was keygen, exit.  */
+	if (certutil.commands[cmd_GenKeyPair].activated) {
+	    rv = SECSuccess;
+	    goto shutdown;
+	}
+    }
+
+    /* If we need a list of extensions convert the flags into list format */
+    if (certutil.commands[cmd_CertReq].activated ||
+        certutil.commands[cmd_CreateAndAddCert].activated ||
+        certutil.commands[cmd_CreateNewCert].activated) {
+        certutil_extns[ext_keyUsage] =
+				certutil.options[opt_AddKeyUsageExt].activated;
+        certutil_extns[ext_basicConstraint] =
+				certutil.options[opt_AddBasicConstraintExt].activated;
+        certutil_extns[ext_authorityKeyID] =
+				certutil.options[opt_AddAuthorityKeyIDExt].activated;
+        certutil_extns[ext_subjectKeyID] =
+				certutil.options[opt_AddSubjectKeyIDExt].activated;
+        certutil_extns[ext_CRLDistPts] =
+				certutil.options[opt_AddCRLDistPtsExt].activated;
+        certutil_extns[ext_NSCertType] =
+				certutil.options[opt_AddNSCertTypeExt].activated;
+        certutil_extns[ext_extKeyUsage] =
+				certutil.options[opt_AddExtKeyUsageExt].activated;
+        certutil_extns[ext_authInfoAcc] =
+				certutil.options[opt_AddAuthInfoAccExt].activated;
+        certutil_extns[ext_subjInfoAcc] =
+				certutil.options[opt_AddSubjInfoAccExt].activated;
+        certutil_extns[ext_certPolicies] =
+				certutil.options[opt_AddCertPoliciesExt].activated;
+        certutil_extns[ext_policyMappings] =
+				certutil.options[opt_AddPolicyMapExt].activated;
+        certutil_extns[ext_policyConstr] =
+				certutil.options[opt_AddPolicyConstrExt].activated;
+        certutil_extns[ext_inhibitAnyPolicy] =
+				certutil.options[opt_AddInhibAnyExt].activated;
+    }
+    /*
+     *  Certificate request
+     */
+
+    /*  Make a cert request (-R).  */
+    if (certutil.commands[cmd_CertReq].activated) {
+	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
+	             certutil.options[opt_PhoneNumber].arg,
+	             certutil.options[opt_ASCIIForIO].activated,
+		     certutil.options[opt_ExtendedEmailAddrs].arg,
+		     certutil.options[opt_ExtendedDNSNames].arg,
+                     certutil_extns,
+                     outFile ? outFile : PR_STDOUT);
+	if (rv) 
+	    goto shutdown;
+	privkey->wincx = &pwdata;
+    }
+
+    /*
+     *  Certificate creation
+     */
+
+    /*  If making and adding a cert, create a cert request file first without
+     *  any extensions, then load it with the command line extensions
+     *  and output the cert to another file.
+     */
+    if (certutil.commands[cmd_CreateAndAddCert].activated) {
+	static certutilExtnList nullextnlist = {PR_FALSE};
+	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
+	             certutil.options[opt_PhoneNumber].arg,
+	             certutil.options[opt_ASCIIForIO].activated,
+		     NULL,
+		     NULL,
+                     nullextnlist,
+                     outFile ? outFile : PR_STDOUT);
+	if (rv) 
+	    goto shutdown;
+	privkey->wincx = &pwdata;
+	PR_Close(outFile);
+	inFile  = PR_Open(certreqfile, PR_RDONLY, 0);
+	if (!inFile) {
+	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
+                       certreqfile, PR_GetError(), PR_GetOSError());
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+	outFile = PR_Open(certfile,
+                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
+	if (!outFile) {
+	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
+                       certfile, PR_GetError(), PR_GetOSError());
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+    }
+
+    /*  Create a certificate (-C or -S).  */
+    if (certutil.commands[cmd_CreateAndAddCert].activated ||
+         certutil.commands[cmd_CreateNewCert].activated) {
+	rv = CreateCert(certHandle, slot,
+	                certutil.options[opt_IssuerName].arg,
+	                inFile, outFile, &privkey, &pwdata, hashAlgTag,
+	                serialNumber, warpmonths, validityMonths,
+		        certutil.options[opt_ExtendedEmailAddrs].arg,
+		        certutil.options[opt_ExtendedDNSNames].arg,
+	                certutil.options[opt_ASCIIForIO].activated,
+	                certutil.options[opt_SelfSign].activated,
+	                certutil_extns);
+	if (rv) 
+	    goto shutdown;
+    }
+
+    /* 
+     * Adding a cert to the database (or slot)
+     */
+ 
+    if (certutil.commands[cmd_CreateAndAddCert].activated) { 
+	PORT_Assert(inFile != PR_STDIN);
+	PR_Close(inFile);
+	PR_Close(outFile);
+	inFile = PR_Open(certfile, PR_RDONLY, 0);
+	if (!inFile) {
+	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
+                       certfile, PR_GetError(), PR_GetOSError());
+	    rv = SECFailure;
+	    goto shutdown;
+	}
+    }
+
+    /* -A -E or -S    Add the cert to the DB */
+    if (certutil.commands[cmd_CreateAndAddCert].activated ||
+         certutil.commands[cmd_AddCert].activated ||
+	 certutil.commands[cmd_AddEmailCert].activated) {
+	rv = AddCert(slot, certHandle, name, 
+	             certutil.options[opt_Trust].arg,
+	             inFile, 
+	             certutil.options[opt_ASCIIForIO].activated,
+	             certutil.commands[cmd_AddEmailCert].activated,&pwdata);
+	if (rv) 
+	    goto shutdown;
+    }
+
+    if (certutil.commands[cmd_CreateAndAddCert].activated) {
+	PORT_Assert(inFile != PR_STDIN);
+	PR_Close(inFile);
+	PR_Delete(certfile);
+	PR_Delete(certreqfile);
+    }
+
+shutdown:
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (privkey) {
+	SECKEY_DestroyPrivateKey(privkey);
+    }
+    if (pubkey) {
+	SECKEY_DestroyPublicKey(pubkey);
+    }
+
+    /* Open the batch command file.
+     *
+     * - If -B <command line> option is specified, the contents in the
+     * command file will be interpreted as subsequent certutil
+     * commands to be executed in the current certutil process
+     * context after the current certutil command has been executed.
+     * - Each line in the command file consists of the command
+     * line arguments for certutil.
+     * - The -d <configdir> option will be ignored if specified in the
+     * command file.
+     * - Quoting with double quote characters ("...") is supported
+     * to allow white space in a command line argument.  The
+     * double quote character cannot be escaped and quoting cannot
+     * be nested in this version.
+     * - each line in the batch file is limited to 512 characters
+    */
+
+    if ((SECSuccess == rv) && certutil.commands[cmd_Batch].activated) {
+	FILE* batchFile = NULL;
+        char nextcommand[512];
+        if (!certutil.options[opt_InputFile].activated ||
+            !certutil.options[opt_InputFile].arg) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  no batch input file specified.\n",
+	               progName);
+	    return 255;
+        }
+        batchFile = fopen(certutil.options[opt_InputFile].arg, "r");
+        if (!batchFile) {
+	    PR_fprintf(PR_STDERR,
+	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
+	               progName, certutil.options[opt_InputFile].arg,
+	               PR_GetError(), PR_GetOSError());
+	    return 255;
+        }
+        /* read and execute command-lines in a loop */
+        while ( (SECSuccess == rv ) &&
+                fgets(nextcommand, sizeof(nextcommand), batchFile)) {
+            /* we now need to split the command into argc / argv format */
+            char* commandline = PORT_Strdup(nextcommand);
+            PRBool invalid = PR_FALSE;
+            int newargc = 2;
+            char* space = NULL;
+            char* nextarg = NULL;
+            char** newargv = NULL;
+            char* crlf = PORT_Strrchr(commandline, '\n');
+            if (crlf) {
+                *crlf = '\0';
+            }
+
+            newargv = PORT_Alloc(sizeof(char*)*(newargc+1));
+            newargv[0] = progName;
+            newargv[1] = commandline;
+            nextarg = commandline;
+            while ((space = PORT_Strpbrk(nextarg, " \f\n\r\t\v")) ) {
+                while (isspace(*space) ) {
+                    *space = '\0';
+                    space ++;
+                }
+                if (*space == '\0') {
+                    break;
+                } else if (*space != '\"') {
+                    nextarg = space;
+                } else {
+                    char* closingquote = strchr(space+1, '\"');
+                    if (closingquote) {
+                        *closingquote = '\0';
+                        space++;
+                        nextarg = closingquote+1;
+                    } else {
+                        invalid = PR_TRUE;
+                        nextarg = space;
+                    }
+                }
+                newargc++;
+                newargv = PORT_Realloc(newargv, sizeof(char*)*(newargc+1));
+                newargv[newargc-1] = space;
+            }
+            newargv[newargc] = NULL;
+            
+            /* invoke next command */
+            if (PR_TRUE == invalid) {
+                PR_fprintf(PR_STDERR, "Missing closing quote in batch command :\n%s\nNot executed.\n",
+                           nextcommand);
+                rv = SECFailure;
+            } else {
+                if (0 != certutil_main(newargc, newargv, PR_FALSE) )
+                    rv = SECFailure;
+            }
+            PORT_Free(newargv);
+            PORT_Free(commandline);
+        }
+        fclose(batchFile);
+    }
+
+    if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+    if (rv == SECSuccess) {
+	return 0;
+    } else {
+	return 255;
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    int rv = certutil_main(argc, argv, PR_TRUE);
+    PR_Cleanup();
+    return rv;
+}
+
diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h
new file mode 100644
index 000000000..eda0c497e
--- /dev/null
+++ b/security/nss/cmd/certutil/certutil.h
@@ -0,0 +1,77 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CERTUTIL_H
+#define	_CERTUTIL_H
+
+extern SECKEYPrivateKey *
+CERTUTIL_GeneratePrivateKey(KeyType keytype,
+                            PK11SlotInfo *slot, 
+                            int rsasize,
+                            int publicExponent,
+                            char *noise,
+                            SECKEYPublicKey **pubkeyp,
+                            char *pqgFile,
+                            secuPWData *pwdata);
+
+extern char *progName;
+
+enum certutilExtns {
+    ext_keyUsage = 0,
+    ext_basicConstraint,
+    ext_authorityKeyID,
+    ext_CRLDistPts,
+    ext_NSCertType,
+    ext_extKeyUsage,
+    ext_authInfoAcc,
+    ext_subjInfoAcc,
+    ext_certPolicies,
+    ext_policyMappings,
+    ext_policyConstr,
+    ext_inhibitAnyPolicy,
+    ext_subjectKeyID,
+    ext_End
+};
+
+typedef PRBool certutilExtnList[ext_End];
+
+extern SECStatus
+AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
+              certutilExtnList extList);
+
+#endif	/* _CERTUTIL_H */
+
diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c
new file mode 100644
index 000000000..acc3db50d
--- /dev/null
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -0,0 +1,615 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <string.h>
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#include <sys/time.h>
+#include <termios.h>
+#endif
+
+#if defined(XP_WIN) || defined (XP_PC)
+#include <time.h>
+#include <conio.h>
+#endif
+
+#if defined(__sun) && !defined(SVR4)
+extern int fclose(FILE*);
+extern int fprintf(FILE *, char *, ...);
+extern int isatty(int);
+extern char *sys_errlist[];
+#define strerror(errno) sys_errlist[errno]
+#endif
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "pk11func.h"
+
+#define NUM_KEYSTROKES 120
+#define RAND_BUF_SIZE 60
+
+#define ERROR_BREAK rv = SECFailure;break;
+
+const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
+    { 0, }
+};
+
+/* returns 0 for success, -1 for failure (EOF encountered) */
+static int
+UpdateRNG(void)
+{
+    char           randbuf[RAND_BUF_SIZE];
+    int            fd,  count;
+    int            c;
+    int            rv		= 0;
+#ifdef XP_UNIX
+    cc_t           orig_cc_min;
+    cc_t           orig_cc_time;
+    tcflag_t       orig_lflag;
+    struct termios tio;
+#endif
+    char meter[] = { 
+      "\r|                                                            |" };
+
+#define FPS fprintf(stderr, 
+    FPS "\n");
+    FPS "A random seed must be generated that will be used in the\n");
+    FPS "creation of your key.  One of the easiest ways to create a\n");
+    FPS "random seed is to use the timing of keystrokes on a keyboard.\n");
+    FPS "\n");
+    FPS "To begin, type keys on the keyboard until this progress meter\n");
+    FPS "is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!\n");
+    FPS "\n");
+    FPS "\n");
+    FPS "Continue typing until the progress meter is full:\n\n");
+    FPS meter);
+    FPS "\r|");
+
+    /* turn off echo on stdin & return on 1 char instead of NL */
+    fd = fileno(stdin);
+
+#if defined(XP_UNIX) && !defined(VMS)
+    tcgetattr(fd, &tio);
+    orig_lflag = tio.c_lflag;
+    orig_cc_min = tio.c_cc[VMIN];
+    orig_cc_time = tio.c_cc[VTIME];
+    tio.c_lflag &= ~ECHO;
+    tio.c_lflag &= ~ICANON;
+    tio.c_cc[VMIN] = 1;
+    tio.c_cc[VTIME] = 0;
+    tcsetattr(fd, TCSAFLUSH, &tio);
+#endif
+
+    /* Get random noise from keyboard strokes */
+    count = 0;
+    while (count < sizeof randbuf) {
+#ifdef VMS
+	c = GENERIC_GETCHAR_NOECHO();
+#elif XP_UNIX
+	c = getc(stdin);
+#else
+	c = getch();
+#endif
+	if (c == EOF) {
+	    rv = -1;
+	    break;
+	}
+	randbuf[count] = c;
+	if (count == 0 || c != randbuf[count-1]) {
+	    count++;
+	    FPS "*");
+	}
+    }
+    PK11_RandomUpdate(randbuf, sizeof randbuf);
+    memset(randbuf, 0, sizeof randbuf);
+
+    FPS "\n\n");
+    FPS "Finished.  Press enter to continue: ");
+#if defined(VMS)
+    while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF)
+	;
+#else
+    while ((c = getc(stdin)) != '\n' && c != EOF)
+	;
+#endif
+    if (c == EOF) 
+	rv = -1;
+    FPS "\n");
+
+#undef FPS
+
+#if defined(XP_UNIX) && !defined(VMS)
+    /* set back termio the way it was */
+    tio.c_lflag = orig_lflag;
+    tio.c_cc[VMIN] = orig_cc_min;
+    tio.c_cc[VTIME] = orig_cc_time;
+    tcsetattr(fd, TCSAFLUSH, &tio);
+#endif
+    return rv;
+}
+
+static const unsigned char P[] = { 0, 
+       0x98, 0xef, 0x3a, 0xae, 0x70, 0x98, 0x9b, 0x44, 
+       0xdb, 0x35, 0x86, 0xc1, 0xb6, 0xc2, 0x47, 0x7c, 
+       0xb4, 0xff, 0x99, 0xe8, 0xae, 0x44, 0xf2, 0xeb, 
+       0xc3, 0xbe, 0x23, 0x0f, 0x65, 0xd0, 0x4c, 0x04, 
+       0x82, 0x90, 0xa7, 0x9d, 0x4a, 0xc8, 0x93, 0x7f, 
+       0x41, 0xdf, 0xf8, 0x80, 0x6b, 0x0b, 0x68, 0x7f, 
+       0xaf, 0xe4, 0xa8, 0xb5, 0xb2, 0x99, 0xc3, 0x69, 
+       0xfb, 0x3f, 0xe7, 0x1b, 0xd0, 0x0f, 0xa9, 0x7a, 
+       0x4a, 0x04, 0xbf, 0x50, 0x9e, 0x22, 0x33, 0xb8, 
+       0x89, 0x53, 0x24, 0x10, 0xf9, 0x68, 0x77, 0xad, 
+       0xaf, 0x10, 0x68, 0xb8, 0xd3, 0x68, 0x5d, 0xa3, 
+       0xc3, 0xeb, 0x72, 0x3b, 0xa0, 0x0b, 0x73, 0x65, 
+       0xc5, 0xd1, 0xfa, 0x8c, 0xc0, 0x7d, 0xaa, 0x52, 
+       0x29, 0x34, 0x44, 0x01, 0xbf, 0x12, 0x25, 0xfe, 
+       0x18, 0x0a, 0xc8, 0x3f, 0xc1, 0x60, 0x48, 0xdb, 
+       0xad, 0x93, 0xb6, 0x61, 0x67, 0xd7, 0xa8, 0x2d };
+static const unsigned char Q[] = { 0,
+       0xb5, 0xb0, 0x84, 0x8b, 0x44, 0x29, 0xf6, 0x33, 
+       0x59, 0xa1, 0x3c, 0xbe, 0xd2, 0x7f, 0x35, 0xa1, 
+       0x76, 0x27, 0x03, 0x81                         };
+static const unsigned char G[] = { 
+       0x04, 0x0e, 0x83, 0x69, 0xf1, 0xcd, 0x7d, 0xe5, 
+       0x0c, 0x78, 0x93, 0xd6, 0x49, 0x6f, 0x00, 0x04, 
+       0x4e, 0x0e, 0x6c, 0x37, 0xaa, 0x38, 0x22, 0x47, 
+       0xd2, 0x58, 0xec, 0x83, 0x12, 0x95, 0xf9, 0x9c, 
+       0xf1, 0xf4, 0x27, 0xff, 0xd7, 0x99, 0x57, 0x35, 
+       0xc6, 0x64, 0x4c, 0xc0, 0x47, 0x12, 0x31, 0x50, 
+       0x82, 0x3c, 0x2a, 0x07, 0x03, 0x01, 0xef, 0x30, 
+       0x09, 0x89, 0x82, 0x41, 0x76, 0x71, 0xda, 0x9e, 
+       0x57, 0x8b, 0x76, 0x38, 0x37, 0x5f, 0xa5, 0xcd, 
+       0x32, 0x84, 0x45, 0x8d, 0x4c, 0x17, 0x54, 0x2b, 
+       0x5d, 0xc2, 0x6b, 0xba, 0x3e, 0xa0, 0x7b, 0x95, 
+       0xd7, 0x00, 0x42, 0xf7, 0x08, 0xb8, 0x83, 0x87, 
+       0x60, 0xe1, 0xe5, 0xf4, 0x1a, 0x54, 0xc2, 0x20, 
+       0xda, 0x38, 0x3a, 0xd1, 0xb6, 0x10, 0xf4, 0xcb, 
+       0x35, 0xda, 0x97, 0x92, 0x87, 0xd6, 0xa5, 0x37, 
+       0x62, 0xb4, 0x93, 0x4a, 0x15, 0x21, 0xa5, 0x10 };
+
+/*  h:
+ *      4a:76:30:89:eb:e1:81:7c:99:0b:39:7f:95:4a:65:72:
+ *      c6:b4:05:92:48:6c:3c:b2:7e:e7:39:f3:92:7d:c1:3f:
+ *      bf:e1:fd:b3:4a:46:3e:ce:29:80:e3:d6:f4:59:c6:92:
+ *      16:2b:0e:d7:d6:bb:ef:94:36:31:c2:66:46:c5:4a:77:
+ *      aa:95:84:ef:99:7e:e3:9c:d9:a0:32:42:09:b6:4e:d0:
+ *      b3:c8:5e:06:df:a1:ac:4d:2d:f9:08:c2:cb:4b:a4:42:
+ *      db:8a:5b:de:25:6e:2b:5b:ca:00:75:2c:57:00:18:aa:
+ *      68:59:a1:94:03:07:94:78:38:bc:f8:7c:1e:1c:a3:2e
+ *  SEED:
+ *      b5:44:66:c9:0f:f1:ca:1c:95:45:ce:90:74:89:14:f2:
+ *      13:3e:23:5a:b0:6a:bf:86:ad:cb:a0:7d:ce:3b:c8:16:
+ *      7f:2d:a2:1a:cb:33:7d:c1:e7:d7:07:aa:1b:a2:d7:89:
+ *      f5:a4:db:f7:8b:50:00:cd:b4:7d:25:81:3f:f8:a8:dd:
+ *      6c:46:e5:77:b5:60:7e:75:79:b8:99:57:c1:c4:f3:f7:
+ *      17:ca:43:00:b8:33:b6:06:8f:4d:91:ed:23:a5:66:1b:
+ *      ef:14:d7:bc:21:2b:82:d8:ab:fa:fd:a7:c3:4d:bf:52:
+ *      af:8e:57:59:61:1a:4e:65:c6:90:d6:a6:ff:0b:15:b1
+ *  g:       1024
+ *  counter: 1003
+ */
+
+static const SECKEYPQGParams default_pqg_params = {
+    NULL,
+    { 0, (unsigned char *)P, sizeof(P) },
+    { 0, (unsigned char *)Q, sizeof(Q) },
+    { 0, (unsigned char *)G, sizeof(G) }
+};
+
+static SECKEYPQGParams *
+decode_pqg_params(const char *str)
+{
+    char *buf;
+    unsigned int len;
+    PRArenaPool *arena;
+    SECKEYPQGParams *params;
+    SECStatus status;
+ 
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+        return NULL;
+ 
+    params = PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams));
+    if (params == NULL)
+        goto loser;
+    params->arena = arena;
+ 
+    buf = (char *)ATOB_AsciiToData(str, &len);
+    if ((buf == NULL) || (len == 0))
+        goto loser;
+ 
+    status = SEC_ASN1Decode(arena, params, SECKEY_PQGParamsTemplate, buf, len);
+    if (status != SECSuccess)
+        goto loser;
+ 
+    return params;
+ 
+loser:
+    if (arena != NULL)
+        PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+void  
+CERTUTIL_DestroyParamsPQG(SECKEYPQGParams *params)
+{
+    if (params->arena) {
+        PORT_FreeArena(params->arena, PR_FALSE);
+    }
+}
+
+static int
+pqg_prime_bits(const SECKEYPQGParams *params)
+{
+    int primeBits = 0;
+ 
+    if (params != NULL) {
+	int i;
+	for (i = 0; params->prime.data[i] == 0; i++) {
+	    /* empty */;
+	}
+	primeBits = (params->prime.len - i) * 8;
+    }
+ 
+    return primeBits;
+}
+
+static char *
+getPQGString(const char *filename)
+{
+    unsigned char *buf      = NULL;
+    PRFileDesc    *src;
+    PRInt32        numBytes;
+    PRStatus       prStatus;
+    PRFileInfo     info;
+
+    src   = PR_Open(filename, PR_RDONLY, 0);
+    if (!src) {
+    	fprintf(stderr, "Failed to open PQG file %s\n", filename);
+	return NULL;
+    }
+
+    prStatus = PR_GetOpenFileInfo(src, &info);
+
+    if (prStatus == PR_SUCCESS) {
+	buf = (unsigned char*)PORT_Alloc(info.size + 1);
+    }
+    if (!buf) {
+	PR_Close(src);
+    	fprintf(stderr, "Failed to read PQG file %s\n", filename);
+	return NULL;
+    }
+
+    numBytes = PR_Read(src, buf, info.size);
+    PR_Close(src);
+    if (numBytes != info.size) {
+	PORT_Free(buf);
+    	fprintf(stderr, "Failed to read PQG file %s\n", filename);
+	PORT_SetError(SEC_ERROR_IO);
+	return NULL;
+    }
+
+    if (buf[numBytes-1] == '\n') 
+    	numBytes--;
+    if (buf[numBytes-1] == '\r') 
+    	numBytes--;
+    buf[numBytes] = 0;
+    
+    return (char *)buf;
+}
+
+static SECKEYPQGParams*
+getpqgfromfile(int keyBits, const char *pqgFile)
+{
+    char *end, *str, *pqgString;
+    SECKEYPQGParams* params = NULL;
+
+    str = pqgString = getPQGString(pqgFile);
+    if (!str) 
+	return NULL;
+
+    do {
+	end = PORT_Strchr(str, ',');
+	if (end)
+	    *end = '\0';
+	params = decode_pqg_params(str);
+	if (params) {
+	    int primeBits = pqg_prime_bits(params);
+	    if (keyBits == primeBits)
+		break;
+	    CERTUTIL_DestroyParamsPQG(params);
+	    params = NULL;
+	}
+	if (end)
+	    str = end + 1;
+    } while (end);
+
+    PORT_Free(pqgString);
+    return params;
+}
+
+static SECStatus 
+CERTUTIL_FileForRNG(const char *noise)
+{
+    char buf[2048];
+    PRFileDesc *fd;
+    PRInt32 count;
+
+    fd = PR_Open(noise,PR_RDONLY,0);
+    if (!fd) {
+	fprintf(stderr, "failed to open noise file.");
+	return SECFailure;
+    }
+
+    do {
+	count = PR_Read(fd,buf,sizeof(buf));
+	if (count > 0) {
+	    PK11_RandomUpdate(buf,count);
+	}
+    } while (count > 0);
+
+    PR_Close(fd);
+    return SECSuccess;
+}
+
+#ifdef NSS_ENABLE_ECC
+typedef struct curveNameTagPairStr {
+    char *curveName;
+    SECOidTag curveOidTag;
+} CurveNameTagPair;
+
+#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
+/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
+
+static CurveNameTagPair nameTagPair[] =
+{ 
+  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
+  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
+  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
+  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
+  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
+  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
+  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
+  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
+  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
+  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
+  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
+  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
+  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
+  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
+  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
+  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
+  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
+  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
+  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
+  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
+  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
+  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
+  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
+  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
+  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
+  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
+  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
+  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
+  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
+  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
+  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
+  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
+  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
+  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
+  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
+  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
+  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
+  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
+  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
+  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
+
+  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
+  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
+  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
+  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
+  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
+  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
+
+  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
+  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
+  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
+  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
+  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
+  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
+  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
+  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
+  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
+  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
+  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
+  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
+  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
+  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
+  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
+  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
+  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
+  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
+  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
+  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
+
+  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
+  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
+  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
+  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
+
+  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
+  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
+  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
+  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
+};
+
+static SECKEYECParams * 
+getECParams(const char *curve)
+{
+    SECKEYECParams *ecparams;
+    SECOidData *oidData = NULL;
+    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
+    int i, numCurves;
+
+    if (curve != NULL) {
+        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
+	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
+	     i++) {
+	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
+	        curveOidTag = nameTagPair[i].curveOidTag;
+	}
+    }
+
+    /* Return NULL if curve name is not recognized */
+    if ((curveOidTag == SEC_OID_UNKNOWN) || 
+	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
+        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
+	return NULL;
+    }
+
+    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
+
+    /* 
+     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in 
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
+    ecparams->data[1] = oidData->oid.len;
+    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return ecparams;
+}
+#endif /* NSS_ENABLE_ECC */
+
+SECKEYPrivateKey *
+CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
+			    int publicExponent, const char *noise, 
+			    SECKEYPublicKey **pubkeyp, const char *pqgFile,
+                            secuPWData *pwdata)
+{
+    CK_MECHANISM_TYPE  mechanism;
+    SECOidTag          algtag;
+    PK11RSAGenParams   rsaparams;
+    SECKEYPQGParams  * dsaparams = NULL;
+    void             * params;
+    SECKEYPrivateKey * privKey = NULL;
+
+    if (slot == NULL)
+	return NULL;
+
+    if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
+	return NULL;
+
+    /*
+     * Do some random-number initialization.
+     */
+
+    if (noise) {
+    	SECStatus rv = CERTUTIL_FileForRNG(noise);
+	if (rv != SECSuccess) {
+	    PORT_SetError(PR_END_OF_FILE_ERROR); /* XXX */
+	    return NULL;
+    	}
+    } else {
+	int rv = UpdateRNG();
+	if (rv) {
+	    PORT_SetError(PR_END_OF_FILE_ERROR);
+	    return NULL;
+	}
+    }
+
+    switch (keytype) {
+    case rsaKey:
+	rsaparams.keySizeInBits = size;
+	rsaparams.pe = publicExponent;
+	mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+	algtag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+	params = &rsaparams;
+	break;
+    case dsaKey:
+	mechanism = CKM_DSA_KEY_PAIR_GEN;
+	algtag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+	if (pqgFile) {
+	    dsaparams = getpqgfromfile(size, pqgFile);
+	    if (dsaparams == NULL)
+	    	return NULL;
+	    params = dsaparams;
+	} else {
+	    /* cast away const, and don't set dsaparams */
+	    params = (void *)&default_pqg_params;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+    case ecKey:
+	mechanism = CKM_EC_KEY_PAIR_GEN;
+	/* For EC keys, PQGFile determines EC parameters */
+	if ((params = (void *) getECParams(pqgFile)) == NULL)
+	    return NULL;
+	break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	return NULL;
+    }
+
+    fprintf(stderr, "\n\n");
+    fprintf(stderr, "Generating key.  This may take a few moments...\n\n");
+
+    privKey = PK11_GenerateKeyPair(slot, mechanism, params, pubkeyp,
+				PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, 
+				pwdata /*wincx*/);
+    /* free up the params */
+    switch (keytype) {
+    case rsaKey: /* nothing to free */                        break;
+    case dsaKey: if (dsaparams) CERTUTIL_DestroyParamsPQG(dsaparams); 
+	                                                      break;
+#ifdef NSS_ENABLE_ECC
+    case ecKey: SECITEM_FreeItem((SECItem *)params, PR_TRUE); break;
+#endif
+    }
+    return privKey;
+}
diff --git a/security/nss/cmd/certutil/manifest.mn b/security/nss/cmd/certutil/manifest.mn
new file mode 100644
index 000000000..d8c755dc1
--- /dev/null
+++ b/security/nss/cmd/certutil/manifest.mn
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = \
+	certext.c \
+	certutil.c \
+	keystuff.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = certutil
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/checkcert/Makefile b/security/nss/cmd/checkcert/Makefile
new file mode 100644
index 000000000..140b4191f
--- /dev/null
+++ b/security/nss/cmd/checkcert/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/checkcert/checkcert.c b/security/nss/cmd/checkcert/checkcert.c
new file mode 100644
index 000000000..27c201e1b
--- /dev/null
+++ b/security/nss/cmd/checkcert/checkcert.c
@@ -0,0 +1,591 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secutil.h"
+#include "plgetopt.h"
+#include "cert.h"
+#include "secoid.h"
+#include "cryptohi.h"
+
+/* maximum supported modulus length in bits (indicate problem if over this) */
+#define MAX_MODULUS (1024)
+
+
+static void Usage(char *progName)
+{
+    fprintf(stderr, "Usage: %s [aAvf] [certtocheck] [issuingcert]\n",
+	    progName);
+    fprintf(stderr, "%-20s Cert to check is base64 encoded\n",
+	    "-a");
+    fprintf(stderr, "%-20s Issuer's cert is base64 encoded\n",
+	    "-A");
+    fprintf(stderr, "%-20s Verbose (indicate decoding progress etc.)\n",
+	    "-v");
+    fprintf(stderr, "%-20s Force sanity checks even if pretty print fails.\n",
+	    "-f");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    fprintf(stderr, "%-20s Specify the input type (no default)\n",
+	    "-t type");
+    exit(-1);
+}
+
+
+/*
+ * Check integer field named fieldName, printing out results and
+ * returning the length of the integer in bits
+ */   
+
+static
+int checkInteger(SECItem *intItem, char *fieldName, int verbose) 
+{
+    int len, bitlen;
+    if (verbose) {
+	printf("Checking %s\n", fieldName);
+    }
+
+    len = intItem->len;
+
+    if (len && (intItem->data[0] & 0x80)) {
+	printf("PROBLEM: %s is NEGATIVE 2's-complement integer.\n",
+	       fieldName);
+    }
+
+
+    /* calculate bit length and check for unnecessary leading zeros */
+    bitlen = len << 3;
+    if (len > 1 && intItem->data[0] == 0) {
+	/* leading zero byte(s) */
+	if (!(intItem->data[1] & 0x80)) {
+	    printf("PROBLEM: %s has unneeded leading zeros.  Violates DER.\n",
+		   fieldName);
+	}
+	/* strip leading zeros in length calculation */
+	{
+	    int i=0;
+	    while (bitlen > 8 && intItem->data[i] == 0) {
+		bitlen -= 8;
+		i++;
+	    }
+	}
+    }
+    return bitlen;
+}
+
+
+
+
+static
+void checkName(CERTName *n, char *fieldName, int verbose)
+{
+    char *v=0;
+    if (verbose) {
+	printf("Checking %s\n", fieldName);
+    }
+
+    v = CERT_GetCountryName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Country Name (C)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+
+    v = CERT_GetOrgName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Organization Name (O)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+
+    v = CERT_GetOrgUnitName(n);
+    if (!v) {
+	printf("WARNING: %s lacks Organization Unit Name (OU)\n",
+	       fieldName);
+    }
+    PORT_Free(v);	
+
+    v = CERT_GetCommonName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Common Name (CN)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+}
+
+
+static
+SECStatus
+OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
+	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
+{
+    SECStatus rv;
+    VFYContext *cx;
+    SECOidData *sigAlgOid, *oiddata;
+    SECOidTag sigAlgTag;
+    SECOidTag hashAlgTag;
+    int showDigestOid=0;
+
+    cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
+                                          NULL);
+    if (cx == NULL)
+	return SECFailure;
+
+    sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
+    if (sigAlgOid == 0)
+	return SECFailure;
+    sigAlgTag = sigAlgOid->offset;
+
+
+    if (showDigestOid) {
+	oiddata = SECOID_FindOIDByTag(hashAlgTag);
+	if ( oiddata ) {
+	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
+	} else {
+	    SECU_PrintAsHex(stdout,
+			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
+	}
+    }
+
+    rv = VFY_Begin(cx);
+    if (rv == SECSuccess) {
+	rv = VFY_Update(cx, buf, len);
+	if (rv == SECSuccess)
+	    rv = VFY_End(cx);
+    }
+
+    VFY_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+
+
+static
+SECStatus
+OurVerifySignedData(CERTSignedData *sd, CERTCertificate *cert)
+{
+    SECItem sig;
+    SECKEYPublicKey *pubKey = 0;
+    SECStatus rv;
+
+    /* check the certificate's validity */
+    rv = CERT_CertTimesValid(cert);
+    if ( rv ) {
+	return(SECFailure);
+    }
+
+    /* get cert's public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if ( !pubKey ) {
+	return(SECFailure);
+    }
+
+    /* check the signature */
+    sig = sd->signature;
+    DER_ConvertBitString(&sig);
+    rv = OurVerifyData(sd->data.data, sd->data.len, pubKey, &sig,
+		       &sd->signatureAlgorithm);
+
+    SECKEY_DestroyPublicKey(pubKey);
+
+    if ( rv ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+
+
+
+static
+CERTCertificate *createEmptyCertificate(void)
+{
+    PRArenaPool *arena = 0;
+    CERTCertificate *c = 0;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return 0;
+    }
+
+
+    c = (CERTCertificate *) PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+
+    if (c) {
+	c->referenceCount = 1;
+	c->arena = arena;
+    } else {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+
+    return c;
+}    
+
+
+
+
+int main(int argc, char **argv)
+{
+    int rv, verbose=0, force=0;
+    int ascii=0, issuerAscii=0;
+    char *progName=0;
+    PRFileDesc *inFile=0, *issuerCertFile=0;
+    SECItem derCert, derIssuerCert;
+    PRArenaPool *arena=0;
+    CERTSignedData *signedData=0;
+    CERTCertificate *cert=0, *issuerCert=0;
+    SECKEYPublicKey *rsapubkey=0;
+    SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
+    SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
+    SECItem spk;
+    int selfSigned=0;
+    int invalid=0;
+    char *inFileName = NULL, *issuerCertFileName = NULL;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+    PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
+    PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
+    PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
+    PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    optstate = PL_CreateOptState(argc, argv, "aAvf");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case 'v':
+	    verbose = 1;
+	    break;
+
+	  case 'f':
+	    force = 1;
+	    break;
+
+	  case 'a':
+	    ascii = 1;
+	    break;
+
+	  case 'A':
+	    issuerAscii = 1;
+	    break;
+
+	  case '\0':
+	    if (!inFileName)
+		inFileName = PL_strdup(optstate->value);
+	    else if (!issuerCertFileName)
+		issuerCertFileName = PL_strdup(optstate->value);
+	    else
+		Usage(progName);
+	    break;
+	}
+    }
+
+    if (!inFileName || !issuerCertFileName || status == PL_OPT_BAD) {
+	/* insufficient or excess args */
+	Usage(progName);
+    }
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+    if (!inFile) {
+	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+	                 progName, inFileName);
+	exit(1);
+    }
+
+    issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
+    if (!issuerCertFile) {
+	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+	                 progName, issuerCertFileName);
+	exit(1);
+    }
+
+    if (SECU_ReadDERFromFile(&derCert, inFile, ascii) != SECSuccess) {
+	printf("Couldn't read input certificate as DER binary or base64\n");
+	exit(1);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == 0) {
+	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
+	exit(1);
+    }
+
+    if (issuerCertFile) {
+	CERTSignedData *issuerCertSD=0;
+	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii)
+	    != SECSuccess) {
+	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
+	    exit(1);
+	}
+	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
+	if (!issuerCertSD) {
+	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
+	    exit(1);
+	}
+	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
+	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
+				&derIssuerCert);
+	if (rv) {
+	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
+		    progName);
+	    exit(1);
+	}
+	issuerCert = createEmptyCertificate();
+	if (!issuerCert) {
+	    printf("%s: can't allocate space for issuer cert.", progName);
+	    exit(1);
+	}
+	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
+	                    SEC_ASN1_GET(CERT_CertificateTemplate),
+			    &issuerCertSD->data);
+	if (rv) {
+	    printf("%s: Does not appear to be an X509 Certificate.\n",
+		   progName);
+	    exit(1);
+	}
+    }
+
+    signedData =  PORT_ArenaZNew(arena,CERTSignedData);
+    if (!signedData) {
+	fprintf(stderr,"%s: can't allocate signedData!", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, signedData, 
+                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
+			    &derCert);
+    if (rv) {
+	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
+		progName);
+	exit(1);
+    }
+
+    if (verbose) {
+	printf("Decoded ok as X509 SIGNED data.\n");
+    }
+
+    cert = createEmptyCertificate();
+    if (!cert) {
+	fprintf(stderr, "%s: can't allocate cert", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, cert, 
+                        SEC_ASN1_GET(CERT_CertificateTemplate), 
+			&signedData->data);
+    if (rv) {
+	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
+		progName);
+	exit(1);
+    }
+
+
+    if (verbose) {
+	printf("Decoded ok as an X509 certificate.\n");
+    }
+
+    SECU_RegisterDynamicOids();
+    rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
+			      SECU_PrintCertificate);
+
+    if (rv) {
+	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
+		progName, PORT_GetError());
+	if (!force) {
+	    exit(1);
+	}
+    }
+
+
+    /* Do various checks on the cert */
+
+    printf("\n");
+
+    /* Check algorithms */
+    SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
+		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
+
+    SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
+		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
+
+    SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
+		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
+
+    SECOID_SetAlgorithmID(arena, &rsaEncryption,
+		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
+
+    {
+	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &md5WithRSAEncryption) == 0);
+	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &md2WithRSAEncryption) == 0);
+	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &sha1WithRSAEncryption) == 0);
+
+	if (verbose) {
+	    printf("\nDoing algorithm checks.\n");
+	}
+
+	if (!(isMD5RSA || isMD2RSA || isSHA1RSA)) {
+	    printf("PROBLEM: Signature not PKCS1 MD5, MD2, or SHA1 + RSA.\n");
+	} else if (!isMD5RSA) {
+	    printf("WARNING: Signature not PKCS1 MD5 with RSA Encryption\n");
+	}
+
+	if (SECOID_CompareAlgorithmID(&cert->signature,
+				   &signedData->signatureAlgorithm)) {
+	    printf("PROBLEM: Algorithm in sig and certInfo don't match.\n");
+	}
+    }
+
+    if (SECOID_CompareAlgorithmID(&cert->subjectPublicKeyInfo.algorithm,
+			       &rsaEncryption)) {
+	printf("PROBLEM: Public key algorithm is not PKCS1 RSA Encryption.\n");
+    }
+
+    /* Check further public key properties */
+    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
+    DER_ConvertBitString(&spk);
+
+    if (verbose) {
+	printf("\nsubjectPublicKey DER\n");
+	rv = DER_PrettyPrint(stdout, &spk, PR_FALSE);
+	printf("\n");
+    }
+
+    rsapubkey = (SECKEYPublicKey *) 
+	             PORT_ArenaZAlloc(arena,sizeof(SECKEYPublicKey));
+    if (!rsapubkey) {
+	fprintf(stderr, "%s: rsapubkey allocation failed.\n", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
+                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
+    if (rv) {
+	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
+    } else {
+	int mlen;
+	int pubexp;
+	if (verbose) {
+	    printf("Decoded RSA Public Key ok.  Doing key checks.\n");
+	}
+	PORT_Assert(rsapubkey->keyType == rsaKey); /* XXX RSA */
+	mlen = checkInteger(&rsapubkey->u.rsa.modulus, "Modulus", verbose);
+	printf("INFO: Public Key modulus length in bits: %d\n", mlen);
+	if (mlen > MAX_MODULUS) {
+	    printf("PROBLEM: Modulus length exceeds %d bits.\n",
+		   MAX_MODULUS);
+	}
+	if (mlen < 512) {
+	    printf("WARNING: Short modulus.\n");
+	}
+	if (mlen != (1 << (ffs(mlen)-1))) {
+	    printf("WARNING: Unusual modulus length (not a power of two).\n");
+	}
+	checkInteger(&rsapubkey->u.rsa.publicExponent, "Public Exponent",
+                     verbose);
+	pubexp = DER_GetInteger(&rsapubkey->u.rsa.publicExponent);
+	if (pubexp != 17 && pubexp != 3 && pubexp != 65537) {
+	    printf("WARNING: Public exponent not any of: 3, 17, 65537\n");
+	}
+    }
+
+
+    /* Name checks */
+    checkName(&cert->issuer, "Issuer Name", verbose);
+    checkName(&cert->subject, "Subject Name", verbose);
+
+    if (issuerCert) {
+	SECComparison c =
+	    CERT_CompareName(&cert->issuer, &issuerCert->subject);
+	if (c) {
+         printf("PROBLEM: Issuer Name and Subject in Issuing Cert differ\n");
+        }
+    }
+
+    /* Check if self-signed */
+    selfSigned = (CERT_CompareName(&cert->issuer, &cert->subject) == 0);
+    if (selfSigned) {
+	printf("INFO: Certificate is self signed.\n");
+    } else {
+	printf("INFO: Certificate is NOT self-signed.\n");
+    }
+
+
+    /* Validity time check */
+    if (CERT_CertTimesValid(cert) == SECSuccess) {
+	printf("INFO: Inside validity period of certificate.\n");
+    } else {
+	printf("PROBLEM: Not in validity period of certificate.\n");
+	invalid = 1;
+    }
+
+    /* Signature check if self-signed */
+    if (selfSigned && !invalid) {
+	if (rsapubkey->u.rsa.modulus.len) {
+	    SECStatus ver;
+	    if (verbose) {
+		printf("Checking self signature.\n");
+	    }
+	    ver = OurVerifySignedData(signedData, cert);
+	    if (ver != SECSuccess) {
+		printf("PROBLEM: Verification of self-signature failed!\n");
+	    } else {
+		printf("INFO: Self-signature verifies ok.\n");
+	    }
+	} else {
+	    printf("INFO: Not checking signature due to key problems.\n");
+	}
+    } else if (!selfSigned && !invalid && issuerCert) {
+	SECStatus ver;
+	ver = OurVerifySignedData(signedData, issuerCert);
+	if (ver != SECSuccess) {
+	    printf("PROBLEM: Verification of issuer's signature failed!\n");
+	} else {
+	    printf("INFO: Issuer's signature verifies ok.\n");
+	}
+    } else {
+	printf("INFO: Not checking signature.\n");
+    }
+
+    return 0;    
+}
+
+
+
diff --git a/security/nss/cmd/checkcert/manifest.mn b/security/nss/cmd/checkcert/manifest.mn
new file mode 100644
index 000000000..91cbf1f4c
--- /dev/null
+++ b/security/nss/cmd/checkcert/manifest.mn
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = checkcert.c
+
+PROGRAM	= checkcert
diff --git a/security/nss/cmd/crlutil/Makefile b/security/nss/cmd/crlutil/Makefile
new file mode 100644
index 000000000..0f01f4c47
--- /dev/null
+++ b/security/nss/cmd/crlutil/Makefile
@@ -0,0 +1,85 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+#
+# crlgen_lex can be generated on linux by flex or solaris by lex
+#
+crlgen_lex:
+	${LEX} -t crlgen_lex_orig.l > crlgen_lex_fix.c
+	sed -f crlgen_lex_fix.sed < crlgen_lex_fix.c > crlgen_lex.c
+	rm -f crlgen_lex_fix.c
+
+include ../platrules.mk
diff --git a/security/nss/cmd/crlutil/crlgen.c b/security/nss/cmd/crlutil/crlgen.c
new file mode 100644
index 000000000..e0d525e3b
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlgen.c
@@ -0,0 +1,1630 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** crlgen.c
+**
+** utility for managing certificates revocation lists generation
+**
+*/
+
+
+#include <stdio.h>
+#include <math.h>
+
+#include "nspr.h"
+#include "plgetopt.h"
+#include "nss.h"
+#include "secutil.h"
+#include "cert.h"
+#include "certi.h"
+#include "certdb.h"
+#include "pk11func.h"
+#include "crlgen.h"
+
+
+/* these reroutines were taken from secitem.c, which is supposed to
+ * replace this file some day */
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+PLHashNumber PR_CALLBACK
+SECITEM_Hash ( const void *key)
+{
+    const SECItem *item = (const SECItem *)key;
+    PLHashNumber rv = 0;
+
+    PRUint8 *data = (PRUint8 *)item->data;
+    PRUint32 i;
+    PRUint8 *rvc = (PRUint8 *)&rv;
+
+    for( i = 0; i < item->len; i++ ) {
+        rvc[ i % sizeof(rv) ] ^= *data;
+        data++;
+    }
+
+    return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the item data.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+PRIntn PR_CALLBACK
+SECITEM_HashCompare ( const void *k1, const void *k2)
+{
+    const SECItem *i1 = (const SECItem *)k1;
+    const SECItem *i2 = (const SECItem *)k2;
+
+    return SECITEM_ItemsAreEqual(i1,i2);
+}
+
+/* Destroys extHandle and data. data was create on heap.
+ * extHandle creaded by CERT_StartCRLEntryExtensions. entry
+ * was allocated on arena.*/
+static void
+destroyEntryData(CRLGENEntryData *data)
+{
+    if (!data)
+        return;
+    PORT_Assert(data->entry);
+    if (data->extHandle)
+        CERT_FinishExtensions(data->extHandle);
+    PORT_Free(data);
+}
+
+
+/* Prints error messages along with line number */
+void 
+crlgen_PrintError(int line, char *msg, ...)
+{
+    va_list args;
+
+    va_start(args, msg);
+
+    fprintf(stderr, "crlgen: (line: %d) ", line);
+    vfprintf(stderr, msg, args);
+
+    va_end(args);
+}
+/* Finds CRLGENEntryData in hashtable according PRUint64 value
+ * - certId : cert serial number*/
+static CRLGENEntryData*
+crlgen_FindEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 
+{
+    if (!crlGenData->entryDataHashTable || !certId)
+        return NULL;
+    return (CRLGENEntryData*)
+        PL_HashTableLookup(crlGenData->entryDataHashTable,
+                           certId);
+}
+
+
+/* Removes CRLGENEntryData from hashtable according to certId
+ * - certId : cert serial number*/
+static SECStatus
+crlgen_RmEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 
+{
+    CRLGENEntryData *data = NULL;
+
+    if (!crlGenData->entryDataHashTable)
+        return SECSuccess;
+    data = crlgen_FindEntry(crlGenData, certId);
+    if (!data)
+        return SECSuccess;
+    if (PL_HashTableRemove(crlGenData->entryDataHashTable, certId))
+        return SECSuccess;
+    destroyEntryData(data);
+    return SECFailure;
+}
+
+
+/* Stores CRLGENEntryData in hashtable according to certId
+ * - certId : cert serial number*/
+static CRLGENEntryData*
+crlgen_PlaceAnEntry(CRLGENGeneratorData *crlGenData,
+                    CERTCrlEntry *entry, SECItem *certId)
+{
+    CRLGENEntryData *newData = NULL;
+
+    PORT_Assert(crlGenData && crlGenData->entryDataHashTable &&
+                entry);
+    if (!crlGenData || !crlGenData->entryDataHashTable || !entry) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    newData = PORT_ZNew(CRLGENEntryData);
+    if (!newData) {
+        return NULL;
+    }
+    newData->entry = entry;
+    newData->certId = certId;
+    if (!PL_HashTableAdd(crlGenData->entryDataHashTable,
+                         newData->certId, newData)) { 
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "Can not add entryData structure\n");
+        return NULL;
+    }
+    return newData;
+}
+
+/* Use this structure to keep pointer when commiting entries extensions */
+struct commitData {
+    int pos;
+    CERTCrlEntry **entries;
+};
+
+/* HT PL_HashTableEnumerateEntries callback. Sorts hashtable entries of the
+ * table he. Returns value through arg parameter*/
+static PRIntn PR_CALLBACK 
+crlgen_CommitEntryData(PLHashEntry *he, PRIntn i, void *arg)
+{
+    CRLGENEntryData *data = NULL;
+
+    PORT_Assert(he);
+    if (!he) {
+        return HT_ENUMERATE_NEXT;
+    }
+    data = (CRLGENEntryData*)he->value;
+
+    PORT_Assert(data);
+    PORT_Assert(arg);
+
+    if (data) {
+        struct commitData *dt = (struct commitData*)arg;
+        dt->entries[dt->pos++] = data->entry;
+        destroyEntryData(data);
+    }
+    return HT_ENUMERATE_NEXT;
+}
+
+
+
+/* Copy char * datainto allocated in arena SECItem */
+static SECStatus 
+crlgen_SetString(PRArenaPool *arena, const char *dataIn, SECItem *value)
+{
+    SECItem item;
+
+    PORT_Assert(arena && dataIn);
+    if (!arena || !dataIn) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    item.data = (void*)dataIn;
+    item.len = PORT_Strlen(dataIn);
+
+    return SECITEM_CopyItem(arena, value, &item);
+}
+
+/* Creates CERTGeneralName from parsed data for the Authority Key Extension */
+static CERTGeneralName *
+crlgen_GetGeneralName (PRArenaPool *arena, CRLGENGeneratorData *crlGenData,
+                       const char *data)
+{
+    CERTGeneralName *namesList = NULL;
+    CERTGeneralName *current;
+    CERTGeneralName *tail = NULL;
+    SECStatus rv = SECSuccess;
+    const char *nextChunk = NULL;
+    const char *currData = NULL;
+    int intValue;
+    char buffer[512];
+    void *mark;
+
+    if (!data)
+        return NULL;
+    PORT_Assert (arena);
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    mark = PORT_ArenaMark (arena);
+
+    nextChunk = data;
+    currData = data;
+    do {
+        int nameLen = 0;
+        char name[128];
+        const char *sepPrt = NULL;
+        nextChunk = PORT_Strchr(currData, '|');
+        if (!nextChunk)
+            nextChunk = data + strlen(data);
+        sepPrt = PORT_Strchr(currData, ':');
+        if (sepPrt == NULL || sepPrt >= nextChunk) {
+            *buffer = '\0';
+            sepPrt = nextChunk;
+        } else {
+            PORT_Memcpy(buffer, sepPrt + 1,
+                        (nextChunk - sepPrt - 1));
+            buffer[nextChunk - sepPrt - 1] = '\0';
+        }
+        nameLen = PR_MIN(sepPrt - currData, sizeof(name) - 1 );
+        PORT_Memcpy(name, currData, nameLen);
+        name[nameLen] = '\0';
+        currData = nextChunk + 1;
+
+        if (!PORT_Strcmp(name, "otherName"))
+            intValue = certOtherName;
+        else if (!PORT_Strcmp(name, "rfc822Name"))
+            intValue = certRFC822Name;
+        else if (!PORT_Strcmp(name, "dnsName"))
+            intValue = certDNSName;
+        else if (!PORT_Strcmp(name, "x400Address"))
+            intValue = certX400Address;
+        else if (!PORT_Strcmp(name, "directoryName"))
+            intValue = certDirectoryName;
+        else if (!PORT_Strcmp(name, "ediPartyName"))
+            intValue = certEDIPartyName;
+        else if (!PORT_Strcmp(name, "URI"))
+            intValue = certURI;
+        else if (!PORT_Strcmp(name, "ipAddress"))
+            intValue = certIPAddress;
+        else if (!PORT_Strcmp(name, "registerID"))
+            intValue = certRegisterID;
+        else intValue = -1;
+
+        if (intValue >= certOtherName && intValue <= certRegisterID) {
+            if (namesList == NULL) {
+                namesList = current = tail = PORT_ArenaZNew(arena,
+                                                            CERTGeneralName);
+            } else {
+                current = PORT_ArenaZNew(arena, CERTGeneralName);
+            }
+            if (current == NULL) {
+                rv = SECFailure;
+                break;
+            }
+        } else {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            break;
+        }
+        current->type = intValue;
+        switch (current->type) {
+          case certURI:
+          case certDNSName:
+          case certRFC822Name:
+              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer));
+              if (current->name.other.data == NULL) {
+                  rv = SECFailure;
+                  break;
+              }
+              PORT_Memcpy(current->name.other.data, buffer,
+                          current->name.other.len = strlen(buffer));
+              break;
+
+          case certEDIPartyName:
+          case certIPAddress:
+          case certOtherName:
+          case certRegisterID:
+          case certX400Address: {
+
+              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer) + 2);
+              if (current->name.other.data == NULL) {
+                  rv = SECFailure;
+                  break;
+              }
+
+              PORT_Memcpy (current->name.other.data + 2, buffer, strlen (buffer));
+/* This may not be accurate for all cases.For now, use this tag type */
+              current->name.other.data[0] = (char)(((current->type - 1) & 0x1f)| 0x80);
+              current->name.other.data[1] = (char)strlen (buffer);
+              current->name.other.len = strlen (buffer) + 2;
+              break;
+          }
+
+          case certDirectoryName: {
+              CERTName *directoryName = NULL;
+
+              directoryName = CERT_AsciiToName (buffer);
+              if (!directoryName) {
+                  rv = SECFailure;
+                  break;
+              }
+
+              rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);
+              CERT_DestroyName (directoryName);
+
+              break;
+          }
+        }
+        if (rv != SECSuccess)
+            break;
+        current->l.next = &(namesList->l);
+        current->l.prev = &(tail->l);
+        tail->l.next = &(current->l);
+        tail = current;
+
+    } while(nextChunk != data + strlen(data));
+
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease (arena, mark);
+        namesList = NULL;
+    }
+    return (namesList);
+}
+
+/* Creates CERTGeneralName from parsed data for the Authority Key Extension */
+static CERTGeneralName *
+crlgen_DistinguishedName (PRArenaPool *arena, CRLGENGeneratorData *crlGenData,
+                          const char *data)
+{
+    CERTName *directoryName = NULL;
+    CERTGeneralName *current;
+    SECStatus rv = SECFailure;
+    void *mark;
+
+    if (!data)
+        return NULL;
+    PORT_Assert (arena);
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    mark = PORT_ArenaMark (arena);
+
+    current = PORT_ArenaZNew(arena, CERTGeneralName);
+    if (current == NULL) {
+        goto loser;
+    }
+    current->type = certDirectoryName;
+    current->l.next = &current->l;
+    current->l.prev = &current->l;
+    
+    directoryName = CERT_AsciiToName ((char*)data);
+    if (!directoryName) {
+        goto loser;
+    }
+    
+    rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);
+    CERT_DestroyName (directoryName);
+
+  loser:
+    if (rv != SECSuccess) {
+        PORT_SetError (rv);
+        PORT_ArenaRelease (arena, mark);
+        current = NULL;
+    }
+    return (current);
+}
+
+
+/* Adding Authority Key ID extension to extension handle. */
+static SECStatus 
+crlgen_AddAuthKeyID (CRLGENGeneratorData *crlGenData,
+                     const char **dataArr)
+{
+    void *extHandle = NULL;
+    CERTAuthKeyID *authKeyID = NULL;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(dataArr && crlGenData);
+    if (!crlGenData || !dataArr) {
+        return SECFailure;
+    }
+
+    extHandle = crlGenData->crlExtHandle;
+
+    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of parameters.\n");
+        return SECFailure;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        return SECFailure;
+    }
+
+    authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
+    if (authKeyID == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    if (dataArr[3] == NULL) {
+        rv = crlgen_SetString (arena, dataArr[2], &authKeyID->keyID);
+        if (rv != SECSuccess)
+            goto loser;
+    } else {
+        rv = crlgen_SetString (arena, dataArr[3],
+                               &authKeyID->authCertSerialNumber);
+        if (rv != SECSuccess)
+            goto loser;
+
+        authKeyID->authCertIssuer = 
+            crlgen_DistinguishedName (arena, crlGenData, dataArr[2]);
+        if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError ()){
+            crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");
+            rv = SECFailure;
+            goto loser;
+        }
+    }
+
+    rv =
+        SECU_EncodeAndAddExtensionValue(arena, extHandle, authKeyID,
+                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
+                                        SEC_OID_X509_AUTH_KEY_ID, 
+                                        (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
+  loser:
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return rv;
+} 
+
+/* Creates and add Subject Alternative Names extension */
+static SECStatus 
+crlgen_AddIssuerAltNames(CRLGENGeneratorData *crlGenData,
+                          const char **dataArr)
+{
+    CERTGeneralName *nameList = NULL;
+    PRArenaPool *arena = NULL;
+    void *extHandle = NULL;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Assert(dataArr && crlGenData);
+    if (!crlGenData || !dataArr) {
+        return SECFailure;
+    }
+
+    if (!dataArr || !dataArr[0] || !dataArr[1] || !dataArr[2]) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+
+    PORT_Assert(dataArr && crlGenData);
+    if (!crlGenData || !dataArr) {
+        return SECFailure;
+    }
+
+    extHandle = crlGenData->crlExtHandle;
+
+    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of parameters.\n");
+        return SECFailure;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        return SECFailure;
+    }
+
+    nameList = crlgen_GetGeneralName(arena, crlGenData, dataArr[2]);
+    if (nameList == NULL) {
+        crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");
+        rv = SECFailure;
+        goto loser;
+    }
+
+    rv =
+        SECU_EncodeAndAddExtensionValue(arena, extHandle, nameList,
+                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
+                                        SEC_OID_X509_ISSUER_ALT_NAME, 
+                                        (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeAltNameExtension);
+  loser:
+    if (arena)
+        PORT_FreeArena (arena, PR_FALSE);
+    return rv;
+}
+
+/* Creates and adds CRLNumber extension to extension handle.
+ * Since, this is CRL extension, extension handle is the one 
+ * related to CRL extensions */
+static SECStatus
+crlgen_AddCrlNumber(CRLGENGeneratorData *crlGenData, const char **dataArr)
+{
+    PRArenaPool *arena = NULL;
+    SECItem encodedItem;
+    void *extHandle = crlGenData->crlExtHandle;
+    void *dummy;
+    SECStatus rv = SECFailure;
+    int code = 0;
+
+    PORT_Assert(dataArr && crlGenData);
+    if (!crlGenData || !dataArr) {
+        goto loser;
+    }
+
+    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        goto loser;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        goto loser;
+    }
+
+    code = atoi(dataArr[2]);
+    if (code == 0 && *dataArr[2] != '0') {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(arena, &encodedItem, code);
+    if (!dummy) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    rv = CERT_AddExtension (extHandle, SEC_OID_X509_CRL_NUMBER, &encodedItem, 
+                            (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
+                            PR_TRUE);
+
+  loser:
+    if (arena)
+        PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+
+}
+
+
+/* Creates Cert Revocation Reason code extension. Encodes it and
+ * returns as SECItem structure */
+static SECItem*
+crlgen_CreateReasonCode(PRArenaPool *arena, const char **dataArr,
+                        int *extCode)
+{
+    SECItem *encodedItem;
+    void *dummy;
+    void *mark;
+    int code = 0;
+
+    PORT_Assert(arena && dataArr);
+    if (!arena || !dataArr) {
+        goto loser;
+    } 
+
+    mark = PORT_ArenaMark(arena);
+
+    encodedItem = PORT_ArenaZNew (arena, SECItem);
+    if (encodedItem == NULL) {
+        goto loser;
+    }
+
+    if (dataArr[2] == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+
+    code = atoi(dataArr[2]);
+    /* aACompromise(10) is the last possible of the values 
+     * for the Reason Core Extension */
+    if ((code == 0 && *dataArr[2] != '0') || code > 10) {
+        
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(arena, encodedItem, code);
+    if (!dummy) {
+        goto loser;
+    }
+
+    *extCode = SEC_OID_X509_REASON_CODE;
+    return encodedItem;
+
+  loser:
+    PORT_ArenaRelease (arena, mark);
+    return NULL;
+}
+
+/* Creates Cert Invalidity Date extension. Encodes it and
+ * returns as SECItem structure */
+static SECItem*
+crlgen_CreateInvalidityDate(PRArenaPool *arena, const char **dataArr,
+                       int *extCode)
+{
+    SECItem *encodedItem;
+    int length = 0;
+    void *mark;
+
+    PORT_Assert(arena && dataArr);
+    if (!arena || !dataArr) {
+        goto loser;
+    } 
+
+    mark = PORT_ArenaMark(arena);
+
+    encodedItem = PORT_ArenaZNew(arena, SECItem);
+    if (encodedItem == NULL) {
+        goto loser;
+    }
+
+    length = PORT_Strlen(dataArr[2]);
+
+    encodedItem->type = siGeneralizedTime;
+    encodedItem->data = PORT_ArenaAlloc(arena, length);
+    if (!encodedItem->data) {
+        goto loser;
+    }
+
+    PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) *
+                sizeof(char));
+
+    *extCode = SEC_OID_X509_INVALID_DATE;
+    return encodedItem;
+    
+  loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+/* Creates(by calling extCreator function) and adds extension to a set
+ * of already added certs. Uses values of rangeFrom and rangeTo from
+ * CRLGENCrlGenCtl structure for identifying the inclusive set of certs */
+static SECStatus
+crlgen_AddEntryExtension(CRLGENGeneratorData *crlGenData,
+                         const char **dataArr, char *extName,
+                         SECItem* (*extCreator)(PRArenaPool *arena,
+                                                const char **dataArr,
+                                                int *extCode))
+{
+    PRUint64 i = 0;
+    SECStatus rv = SECFailure;
+    int extCode = 0;
+    PRUint64 lastRange ;
+    SECItem *ext = NULL;
+    PRArenaPool *arena = NULL;
+
+
+    PORT_Assert(crlGenData &&  dataArr);
+    if (!crlGenData || !dataArr) {
+        goto loser;
+    } 
+    
+    if (!dataArr[0] || !dataArr[1]) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum, 
+                          "insufficient number of arguments.\n");
+    }
+
+    lastRange = crlGenData->rangeTo - crlGenData->rangeFrom + 1;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        goto loser;
+    }
+
+    ext = extCreator(arena, dataArr, &extCode);
+    if (ext == NULL) {
+        crlgen_PrintError(crlGenData->parsedLineNum, 
+                          "got error while creating extension: %s\n",
+                          extName);
+        goto loser;
+    }
+
+    for (i = 0;i < lastRange;i++) {
+        CRLGENEntryData * extData = NULL;
+        void *extHandle = NULL;
+        SECItem * certIdItem =
+            SEC_ASN1EncodeInteger(arena, NULL,
+                                  crlGenData->rangeFrom + i);
+        if (!certIdItem) {
+            rv = SECFailure;
+            goto loser;
+        }
+
+        extData = crlgen_FindEntry(crlGenData, certIdItem);
+        if (!extData) {
+            crlgen_PrintError(crlGenData->parsedLineNum,
+                              "can not add extension: crl entry "
+                              "(serial number: %d) is not in the list yet.\n",
+                              crlGenData->rangeFrom + i);
+            continue;
+        }
+
+        extHandle = extData->extHandle;
+        if (extHandle == NULL) {
+            extHandle = extData->extHandle =
+                CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,
+                                             (CERTCrlEntry*)extData->entry);
+        }
+        rv = CERT_AddExtension (extHandle, extCode, ext, 
+                               (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
+                               PR_TRUE);
+        if (rv == SECFailure) {
+            goto loser;
+        }
+    }
+
+  loser:
+    if (arena)
+        PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+
+/* Commits all added entries and their's extensions into CRL. */
+SECStatus
+CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData)
+{
+    int size = 0;
+    CERTCrl *crl;
+    PRArenaPool *arena;
+    SECStatus rv = SECSuccess;
+    void *mark;
+
+    PORT_Assert(crlGenData && crlGenData->signCrl && crlGenData->signCrl->arena);
+    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    arena = crlGenData->signCrl->arena;
+    crl = &crlGenData->signCrl->crl;
+
+    mark = PORT_ArenaMark(arena);
+
+    if (crlGenData->crlExtHandle)
+        CERT_FinishExtensions(crlGenData->crlExtHandle);
+
+    size = crlGenData->entryDataHashTable->nentries;
+    crl->entries = NULL;
+    if (size) {
+        crl->entries = PORT_ArenaZNewArray(arena, CERTCrlEntry*, size + 1);
+        if (!crl->entries) {
+            rv = SECFailure;
+        } else {
+            struct commitData dt;
+            dt.entries = crl->entries;
+            dt.pos = 0;
+            PL_HashTableEnumerateEntries(crlGenData->entryDataHashTable,
+                                         &crlgen_CommitEntryData, &dt);
+            /* Last should be NULL */
+            crl->entries[size] = NULL;
+        }
+    }
+
+    if (rv != SECSuccess)
+        PORT_ArenaRelease(arena, mark);
+    return rv;
+}
+
+/* Initializes extHandle with data from extensions array */
+static SECStatus
+crlgen_InitExtensionHandle(void *extHandle,
+                           CERTCertExtension **extensions)
+{
+    CERTCertExtension *extension = NULL;
+
+    if (!extensions)
+        return SECSuccess;
+
+    PORT_Assert(extHandle != NULL);
+    if (!extHandle) {
+        return SECFailure;
+    }
+
+    extension = *extensions;
+    while (extension) {
+        SECOidTag oidTag = SECOID_FindOIDTag (&extension->id);
+/* shell we skip unknown extensions? */
+        CERT_AddExtension (extHandle, oidTag, &extension->value, 
+                           (extension->critical.len != 0) ? PR_TRUE : PR_FALSE,
+                           PR_FALSE);
+        extension = *(++extensions);
+    }
+    return SECSuccess;
+}
+
+/* Used for initialization of extension handles for crl and certs
+ * extensions from existing CRL data then modifying existing CRL.*/
+SECStatus
+CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData)
+{
+    CERTCrl *crl = NULL;
+    PRUint64 maxSN = 0;
+
+    PORT_Assert(crlGenData && crlGenData->signCrl &&
+                crlGenData->entryDataHashTable);
+    if (!crlGenData || !crlGenData->signCrl ||
+        !crlGenData->entryDataHashTable) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    crl = &crlGenData->signCrl->crl;
+    crlGenData->crlExtHandle = CERT_StartCRLExtensions(crl);
+    crlgen_InitExtensionHandle(crlGenData->crlExtHandle,
+                               crl->extensions);
+    crl->extensions = NULL;
+
+    if (crl->entries) {
+        CERTCrlEntry **entry = crl->entries;
+        while (*entry) {
+            PRUint64 sn = DER_GetInteger(&(*entry)->serialNumber);
+            CRLGENEntryData *extData =
+                crlgen_PlaceAnEntry(crlGenData, *entry, &(*entry)->serialNumber);
+            if ((*entry)->extensions) {
+                extData->extHandle = 
+                    CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,
+                                                 (CERTCrlEntry*)extData->entry);
+                if (crlgen_InitExtensionHandle(extData->extHandle,
+                                               (*entry)->extensions) == SECFailure)
+                    return SECFailure;
+            }
+            (*entry)->extensions = NULL;
+            entry++;
+            maxSN = PR_MAX(maxSN, sn);
+        }
+    }
+
+    crlGenData->rangeFrom = crlGenData->rangeTo = maxSN + 1;
+    return SECSuccess;
+}
+
+/*****************************************************************************
+ * Parser trigger functions start here
+ */
+
+/* Sets new internal range value for add/rm certs.*/
+static SECStatus
+crlgen_SetNewRangeField(CRLGENGeneratorData *crlGenData, char *value)
+{
+    long rangeFrom = 0, rangeTo = 0;
+    char *dashPos = NULL;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (value == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+
+    if ((dashPos = strchr(value, '-')) != NULL) {
+        char *rangeToS, *rangeFromS = value;
+        *dashPos = '\0';
+        rangeFrom = atoi(rangeFromS);
+        *dashPos = '-';
+
+        rangeToS = (char*)(dashPos + 1);
+        rangeTo = atol(rangeToS);
+    } else {
+        rangeFrom = atol(value);
+        rangeTo = rangeFrom;
+    }
+
+    if (rangeFrom < 1 || rangeTo<rangeFrom) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "bad cert id range: %s.\n", value);
+        return SECFailure;
+    }
+
+    crlGenData->rangeFrom = rangeFrom;
+    crlGenData->rangeTo = rangeTo;
+
+    return SECSuccess;
+}
+
+/* Changes issuer subject field in CRL. By default this data is taken from
+ * issuer cert subject field.Not yet implemented */
+static SECStatus
+crlgen_SetIssuerField(CRLGENGeneratorData *crlGenData, char *value)
+{
+    crlgen_PrintError(crlGenData->parsedLineNum, 
+                      "Can not change CRL issuer field.\n");
+    return SECFailure;
+}
+
+/* Encode and sets CRL thisUpdate and nextUpdate time fields*/
+static SECStatus
+crlgen_SetTimeField(CRLGENGeneratorData *crlGenData, char *value,
+                    PRBool setThisUpdate)
+{
+    CERTSignedCrl *signCrl;
+    PRArenaPool *arena;
+    CERTCrl *crl;
+    int length = 0;
+    SECItem *timeDest = NULL;
+
+    PORT_Assert(crlGenData && crlGenData->signCrl &&
+                crlGenData->signCrl->arena);
+    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    signCrl = crlGenData->signCrl;
+    arena = signCrl->arena;
+    crl = &signCrl->crl;
+
+    if (value == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+    length = PORT_Strlen(value);
+    
+    if (setThisUpdate == PR_TRUE) {
+        timeDest = &crl->lastUpdate;
+    } else {
+        timeDest = &crl->nextUpdate;
+    }
+
+    timeDest->type = siGeneralizedTime;
+    timeDest->data = PORT_ArenaAlloc(arena, length);
+    if (!timeDest->data) {
+        return SECFailure;
+    }
+    PORT_Memcpy(timeDest->data, value, length);
+    timeDest->len = length;
+
+    return SECSuccess;
+}
+
+
+/* Adds new extension into CRL or added cert handles */
+static SECStatus
+crlgen_AddExtension(CRLGENGeneratorData *crlGenData, const char **extData)
+{
+    PORT_Assert(crlGenData && crlGenData->crlExtHandle);
+    if (!crlGenData || !crlGenData->crlExtHandle) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (extData == NULL || *extData == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum, 
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+    if (!PORT_Strcmp(*extData, "authKeyId"))
+        return crlgen_AddAuthKeyID(crlGenData, extData);
+    else if (!PORT_Strcmp(*extData, "issuerAltNames"))
+        return crlgen_AddIssuerAltNames(crlGenData, extData);
+    else if (!PORT_Strcmp(*extData, "crlNumber"))
+        return crlgen_AddCrlNumber(crlGenData, extData);
+    else if (!PORT_Strcmp(*extData, "reasonCode"))
+        return crlgen_AddEntryExtension(crlGenData, extData, "reasonCode",
+                                        crlgen_CreateReasonCode);
+    else if (!PORT_Strcmp(*extData, "invalidityDate"))
+        return crlgen_AddEntryExtension(crlGenData, extData, "invalidityDate",
+                                        crlgen_CreateInvalidityDate);
+    else {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+}
+
+
+
+/* Created CRLGENEntryData for cert with serial number certId and
+ * adds it to entryDataHashTable. certId can be a single cert serial
+ * number or an inclusive rage of certs */
+static SECStatus
+crlgen_AddCert(CRLGENGeneratorData *crlGenData,
+        char *certId, char *revocationDate)
+{
+    CERTSignedCrl *signCrl;
+    SECItem *certIdItem;
+    PRArenaPool *arena;
+    PRUint64 rangeFrom = 0, rangeTo = 0, i = 0;
+    int timeValLength = -1;
+    SECStatus rv = SECFailure;
+    void *mark;
+
+
+    PORT_Assert(crlGenData && crlGenData->signCrl &&
+                crlGenData->signCrl->arena);
+    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    signCrl = crlGenData->signCrl;
+    arena = signCrl->arena;
+
+    if (!certId || !revocationDate) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum,
+                          "insufficient number of arguments.\n");
+        return SECFailure;
+    }
+
+    timeValLength = strlen(revocationDate);
+
+    if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
+        certId) {
+        return SECFailure;
+    }
+    rangeFrom = crlGenData->rangeFrom;
+    rangeTo = crlGenData->rangeTo;
+
+    for (i = 0;i < rangeTo - rangeFrom + 1;i++) {
+        CERTCrlEntry *entry;
+        mark = PORT_ArenaMark(arena);
+        entry = PORT_ArenaZNew(arena, CERTCrlEntry);
+        if (entry == NULL) {
+            goto loser;
+        }
+
+        certIdItem = SEC_ASN1EncodeInteger(arena, &entry->serialNumber,
+                                           rangeFrom + i);
+        if (!certIdItem) {
+            goto loser;
+        }
+
+        if (crlgen_FindEntry(crlGenData, certIdItem)) {
+            crlgen_PrintError(crlGenData->parsedLineNum,
+                              "entry already exists. Use \"range\" "
+                              "and \"rmcert\" before adding a new one with the "
+                              "same serial number %ld\n", rangeFrom + i);
+            goto loser;
+        }
+
+        entry->serialNumber.type = siBuffer;
+
+        entry->revocationDate.type = siGeneralizedTime;
+
+        entry->revocationDate.data =
+            PORT_ArenaAlloc(arena, timeValLength);
+        if (entry->revocationDate.data == NULL) {
+            goto loser;
+        }
+
+        PORT_Memcpy(entry->revocationDate.data, revocationDate,
+                    timeValLength * sizeof(char));
+        entry->revocationDate.len = timeValLength;
+
+
+        entry->extensions = NULL;
+        if (!crlgen_PlaceAnEntry(crlGenData, entry, certIdItem)) {
+            goto loser;
+        }
+        mark = NULL;
+    }
+
+    rv = SECSuccess;
+  loser:
+    if (mark) {
+        PORT_ArenaRelease(arena, mark);
+    }
+    return rv;
+}
+
+
+/* Removes certs from entryDataHashTable which have certId serial number.
+ * certId can have value of a range of certs */
+static SECStatus
+crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
+{
+    PRUint64 i = 0;
+    PRArenaPool *arena;
+
+    PORT_Assert(crlGenData && certId);
+    if (!crlGenData || !certId) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    arena = crlGenData->signCrl->arena;
+
+    if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
+        certId) {
+        return SECFailure;
+    }
+
+    for (i = 0;i < crlGenData->rangeTo - crlGenData->rangeFrom + 1;i++) {
+        SECItem* certIdItem = SEC_ASN1EncodeInteger(NULL, NULL,
+                                                    crlGenData->rangeFrom + i);
+        if (certIdItem) {
+            CRLGENEntryData *extData =
+                crlgen_FindEntry(crlGenData, certIdItem);
+            if (!extData) {
+                printf("Cert with id %s is not in the list\n", certId);
+            } else {
+                crlgen_RmEntry(crlGenData, certIdItem);
+            }
+            SECITEM_FreeItem(certIdItem, PR_TRUE);
+        }
+    }
+
+    return SECSuccess;
+}
+
+/*************************************************************************
+ * Lex Parser Helper functions are used to store parsed information
+ * in context related structures. Context(or state) is identified base on 
+ * a type of a instruction parser currently is going through. New context
+ * is identified by first token in a line. It can be addcert context,
+ * addext context, etc. */
+
+/* Updates CRL field depending on current context */ 
+static SECStatus
+crlgen_updateCrlFn_field(CRLGENGeneratorData *crlGenData, void *str)
+{
+    CRLGENCrlField *fieldStr = (CRLGENCrlField*)str;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(crlGenData->contextId) {
+      case CRLGEN_ISSUER_CONTEXT:
+          crlgen_SetIssuerField(crlGenData, fieldStr->value);
+          break;
+      case CRLGEN_UPDATE_CONTEXT:
+          return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_TRUE);
+          break;
+      case CRLGEN_NEXT_UPDATE_CONTEXT:
+          return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_FALSE);
+          break;
+      case CRLGEN_CHANGE_RANGE_CONTEXT:
+          return crlgen_SetNewRangeField(crlGenData, fieldStr->value);
+          break;
+      default:
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "syntax error (unknow token type: %d)\n",
+                            crlGenData->contextId);
+          PORT_SetError(SEC_ERROR_INVALID_ARGS);
+          return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Sets parsed data for CRL field update into temporary structure */ 
+static SECStatus
+crlgen_setNextDataFn_field(CRLGENGeneratorData *crlGenData, void *str,
+                    void *data, unsigned short dtype)
+{
+    CRLGENCrlField *fieldStr = (CRLGENCrlField*)str;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch (crlGenData->contextId) {
+      case CRLGEN_CHANGE_RANGE_CONTEXT:
+          if (dtype != CRLGEN_TYPE_DIGIT || dtype != CRLGEN_TYPE_DIGIT_RANGE) {
+              crlgen_PrintError(crlGenData->parsedLineNum,
+                                "range value should have "
+                                "numeric or numeric range values.\n");
+              return SECFailure;
+          }
+          break;
+      case CRLGEN_NEXT_UPDATE_CONTEXT:
+      case CRLGEN_UPDATE_CONTEXT:
+          if (dtype != CRLGEN_TYPE_ZDATE){
+              crlgen_PrintError(crlGenData->parsedLineNum,
+                                "bad formated date. Should be "
+                                "YYYYMMDDHHMMSSZ.\n");
+              return SECFailure;
+          }
+          break;
+      default:
+          PORT_SetError(SEC_ERROR_INVALID_ARGS);
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "syntax error (unknow token type: %d).\n",
+                            crlGenData->contextId, data);
+          return SECFailure;
+    }
+    fieldStr->value = PORT_Strdup(data);
+    if (!fieldStr->value) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Triggers cert entries update depending on current context */ 
+static SECStatus
+crlgen_updateCrlFn_cert(CRLGENGeneratorData *crlGenData, void *str)
+{
+    CRLGENCertEntry *certStr = (CRLGENCertEntry*)str;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(crlGenData->contextId) {
+      case CRLGEN_ADD_CERT_CONTEXT:
+          return crlgen_AddCert(crlGenData, certStr->certId,
+                         certStr->revocationTime);
+      case CRLGEN_RM_CERT_CONTEXT:
+          return crlgen_RmCert(crlGenData, certStr->certId);
+      default:
+          PORT_SetError(SEC_ERROR_INVALID_ARGS);
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "syntax error (unknow token type: %d).\n",
+                            crlGenData->contextId);
+          return SECFailure;
+    }
+}
+
+
+/* Sets parsed data for CRL entries update into temporary structure */ 
+static SECStatus
+crlgen_setNextDataFn_cert(CRLGENGeneratorData *crlGenData, void *str,
+                   void *data, unsigned short dtype)
+{
+    CRLGENCertEntry *certStr = (CRLGENCertEntry*)str;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(dtype) {
+      case CRLGEN_TYPE_DIGIT:
+      case CRLGEN_TYPE_DIGIT_RANGE:
+          certStr->certId = PORT_Strdup(data);
+          if (!certStr->certId) {
+              return SECFailure;
+          }
+          break;
+      case CRLGEN_TYPE_DATE:
+      case CRLGEN_TYPE_ZDATE:
+          certStr->revocationTime = PORT_Strdup(data);
+          if (!certStr->revocationTime) {
+              return SECFailure;
+          }
+          break;
+      default:
+          PORT_SetError(SEC_ERROR_INVALID_ARGS);
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "syntax error (unknow token type: %d).\n",
+                            crlGenData->contextId);
+          return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Triggers cert entries/crl extension update */ 
+static SECStatus
+crlgen_updateCrlFn_extension(CRLGENGeneratorData *crlGenData, void *str)
+{
+    CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry*)str;
+
+    return crlgen_AddExtension(crlGenData, (const char**)extStr->extData);
+}
+
+/* Defines maximum number of fields extension may have */
+#define MAX_EXT_DATA_LENGTH 10
+
+/* Sets parsed extension data for CRL entries/CRL extensions update
+ * into temporary structure */ 
+static SECStatus
+crlgen_setNextDataFn_extension(CRLGENGeneratorData *crlGenData, void *str,
+                        void *data, unsigned short dtype)
+{
+    CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry*)str;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (extStr->extData == NULL) {
+        extStr->extData = PORT_ZNewArray(char *, MAX_EXT_DATA_LENGTH);
+        if (!extStr->extData) {
+            return SECFailure;
+        }
+    }
+    if (extStr->nextUpdatedData >= MAX_EXT_DATA_LENGTH) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        crlgen_PrintError(crlGenData->parsedLineNum, 
+                          "number of fields in extension "
+                          "exceeded maximum allowed data length: %d.\n",
+                          MAX_EXT_DATA_LENGTH);
+        return SECFailure;
+    }
+    extStr->extData[extStr->nextUpdatedData] = PORT_Strdup(data);
+    if (!extStr->extData[extStr->nextUpdatedData]) {
+        return SECFailure;
+    }
+    extStr->nextUpdatedData += 1;
+
+    return SECSuccess;
+}
+
+
+/****************************************************************************************
+ * Top level functions are triggered directly by parser.
+ */
+
+/*
+ * crl generation script parser recreates a temporary data staructure
+ * for each line it is going through. This function cleans temp structure.
+ */
+void
+crlgen_destroyTempData(CRLGENGeneratorData *crlGenData)
+{
+    if (crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) {
+        switch(crlGenData->contextId) {
+          case CRLGEN_ISSUER_CONTEXT:
+          case CRLGEN_UPDATE_CONTEXT:
+          case CRLGEN_NEXT_UPDATE_CONTEXT:
+          case CRLGEN_CHANGE_RANGE_CONTEXT:
+              if (crlGenData->crlField->value)
+                  PORT_Free(crlGenData->crlField->value);
+              PORT_Free(crlGenData->crlField);
+              break;
+          case CRLGEN_ADD_CERT_CONTEXT:
+          case CRLGEN_RM_CERT_CONTEXT:
+              if (crlGenData->certEntry->certId)
+                  PORT_Free(crlGenData->certEntry->certId);
+              if (crlGenData->certEntry->revocationTime)
+                  PORT_Free(crlGenData->certEntry->revocationTime);
+              PORT_Free(crlGenData->certEntry);
+              break;
+          case CRLGEN_ADD_EXTENSION_CONTEXT:
+              if (crlGenData->extensionEntry->extData) {
+                  int i = 0;
+                  for (;i < crlGenData->extensionEntry->nextUpdatedData;i++)
+                      PORT_Free(*(crlGenData->extensionEntry->extData + i));
+                  PORT_Free(crlGenData->extensionEntry->extData);
+              }
+              PORT_Free(crlGenData->extensionEntry);
+              break;
+        }
+        crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT;
+    }
+}
+
+SECStatus
+crlgen_updateCrl(CRLGENGeneratorData *crlGenData)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(crlGenData->contextId) {
+      case CRLGEN_ISSUER_CONTEXT:
+      case CRLGEN_UPDATE_CONTEXT:
+      case CRLGEN_NEXT_UPDATE_CONTEXT:
+      case CRLGEN_CHANGE_RANGE_CONTEXT:
+          rv = crlGenData->crlField->updateCrlFn(crlGenData, crlGenData->crlField);
+          break;
+      case CRLGEN_RM_CERT_CONTEXT:
+      case CRLGEN_ADD_CERT_CONTEXT:
+          rv = crlGenData->certEntry->updateCrlFn(crlGenData, crlGenData->certEntry);
+          break;
+      case CRLGEN_ADD_EXTENSION_CONTEXT:
+          rv = crlGenData->extensionEntry->
+              updateCrlFn(crlGenData, crlGenData->extensionEntry);
+          break;
+      case CRLGEN_UNKNOWN_CONTEXT:
+          break;
+      default:
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "unknown lang context type code: %d.\n",
+                            crlGenData->contextId);
+          PORT_Assert(0);
+          return SECFailure;
+    }
+    /* Clrean structures after crl update */
+    crlgen_destroyTempData(crlGenData);
+
+    crlGenData->parsedLineNum += 1;
+
+    return rv;
+}
+
+SECStatus
+crlgen_setNextData(CRLGENGeneratorData *crlGenData, void *data,
+                   unsigned short dtype)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(crlGenData);
+    if (!crlGenData) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(crlGenData->contextId) {
+      case CRLGEN_ISSUER_CONTEXT:
+      case CRLGEN_UPDATE_CONTEXT:
+      case CRLGEN_NEXT_UPDATE_CONTEXT:
+      case CRLGEN_CHANGE_RANGE_CONTEXT:
+          rv = crlGenData->crlField->setNextDataFn(crlGenData, crlGenData->crlField,
+                                                   data, dtype);
+          break;
+      case CRLGEN_ADD_CERT_CONTEXT:
+      case CRLGEN_RM_CERT_CONTEXT:
+          rv = crlGenData->certEntry->setNextDataFn(crlGenData, crlGenData->certEntry,
+                                                    data, dtype);
+          break;
+      case CRLGEN_ADD_EXTENSION_CONTEXT:
+          rv =
+              crlGenData->extensionEntry->
+              setNextDataFn(crlGenData, crlGenData->extensionEntry, data, dtype);
+          break;
+      case CRLGEN_UNKNOWN_CONTEXT:
+          break;
+      default:
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "unknown context type: %d.\n",
+                            crlGenData->contextId);
+          PORT_Assert(0);
+          return SECFailure;
+    }
+    return rv;
+}
+
+SECStatus
+crlgen_createNewLangStruct(CRLGENGeneratorData *crlGenData,
+                           unsigned structType)
+{
+    PORT_Assert(crlGenData &&
+                crlGenData->contextId == CRLGEN_UNKNOWN_CONTEXT);
+    if (!crlGenData ||
+        crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    switch(structType) {
+      case CRLGEN_ISSUER_CONTEXT:
+      case CRLGEN_UPDATE_CONTEXT:
+      case CRLGEN_NEXT_UPDATE_CONTEXT:
+      case CRLGEN_CHANGE_RANGE_CONTEXT:
+          crlGenData->crlField = PORT_New(CRLGENCrlField);
+          if (!crlGenData->crlField) {
+              return SECFailure;
+          }
+          crlGenData->contextId = structType;
+          crlGenData->crlField->value = NULL;
+          crlGenData->crlField->updateCrlFn = &crlgen_updateCrlFn_field;
+          crlGenData->crlField->setNextDataFn = &crlgen_setNextDataFn_field;
+          break;
+      case CRLGEN_RM_CERT_CONTEXT:
+      case CRLGEN_ADD_CERT_CONTEXT:
+          crlGenData->certEntry = PORT_New(CRLGENCertEntry);
+          if (!crlGenData->certEntry) {
+              return SECFailure;
+          }
+          crlGenData->contextId = structType;
+          crlGenData->certEntry->certId = 0;
+          crlGenData->certEntry->revocationTime = NULL;
+          crlGenData->certEntry->updateCrlFn = &crlgen_updateCrlFn_cert;
+          crlGenData->certEntry->setNextDataFn = &crlgen_setNextDataFn_cert;
+          break;
+      case CRLGEN_ADD_EXTENSION_CONTEXT:
+          crlGenData->extensionEntry = PORT_New(CRLGENExtensionEntry);
+          if (!crlGenData->extensionEntry) {
+              return SECFailure;
+          }
+          crlGenData->contextId = structType;
+          crlGenData->extensionEntry->extData = NULL;
+          crlGenData->extensionEntry->nextUpdatedData = 0;
+          crlGenData->extensionEntry->updateCrlFn =
+              &crlgen_updateCrlFn_extension;
+          crlGenData->extensionEntry->setNextDataFn =
+              &crlgen_setNextDataFn_extension;
+          break;
+      case CRLGEN_UNKNOWN_CONTEXT:
+          break;
+      default:
+          crlgen_PrintError(crlGenData->parsedLineNum,
+                            "unknown context type: %d.\n", structType);
+          PORT_Assert(0);
+          return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+/* Parser initialization function */
+CRLGENGeneratorData*
+CRLGEN_InitCrlGeneration(CERTSignedCrl *signCrl, PRFileDesc *src)
+{
+    CRLGENGeneratorData *crlGenData = NULL;
+
+    PORT_Assert(signCrl && src);
+    if (!signCrl || !src) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    crlGenData = PORT_ZNew(CRLGENGeneratorData);
+    if (!crlGenData) {
+        return NULL;
+    }
+
+    crlGenData->entryDataHashTable = 
+        PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+                        PL_CompareValues, NULL, NULL);
+    if (!crlGenData->entryDataHashTable) {
+        PORT_Free(crlGenData);
+        return NULL;
+    }
+
+    crlGenData->src = src;
+    crlGenData->parsedLineNum = 1;
+    crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT;
+    crlGenData->signCrl = signCrl;
+    crlGenData->rangeFrom = 0;
+    crlGenData->rangeTo = 0;
+    crlGenData->crlExtHandle = NULL;
+
+    PORT_SetError(0);
+
+    return crlGenData;
+}
+
+void
+CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData)
+{
+    if (!crlGenData)
+        return;
+    if (crlGenData->src)
+        PR_Close(crlGenData->src);
+    PL_HashTableDestroy(crlGenData->entryDataHashTable);
+    PORT_Free(crlGenData);
+}
+
diff --git a/security/nss/cmd/crlutil/crlgen.h b/security/nss/cmd/crlutil/crlgen.h
new file mode 100644
index 000000000..4eb5304e3
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlgen.h
@@ -0,0 +1,182 @@
+
+#ifndef _CRLGEN_H_
+#define _CRLGEN_H_
+
+#include "prio.h"
+#include "prprf.h"
+#include "plhash.h"
+#include "seccomon.h"
+#include "certt.h"
+#include "secoidt.h"
+
+
+#define CRLGEN_UNKNOWN_CONTEXT                   0
+#define CRLGEN_ISSUER_CONTEXT                    1
+#define CRLGEN_UPDATE_CONTEXT                    2
+#define CRLGEN_NEXT_UPDATE_CONTEXT               3
+#define CRLGEN_ADD_EXTENSION_CONTEXT             4
+#define CRLGEN_ADD_CERT_CONTEXT                  6
+#define CRLGEN_CHANGE_RANGE_CONTEXT              7
+#define CRLGEN_RM_CERT_CONTEXT                   8
+
+#define CRLGEN_TYPE_DATE                         0
+#define CRLGEN_TYPE_ZDATE                        1
+#define CRLGEN_TYPE_DIGIT                        2
+#define CRLGEN_TYPE_DIGIT_RANGE                  3
+#define CRLGEN_TYPE_OID                          4
+#define CRLGEN_TYPE_STRING                       5
+#define CRLGEN_TYPE_ID                           6
+
+
+typedef struct CRLGENGeneratorDataStr          CRLGENGeneratorData;
+typedef struct CRLGENEntryDataStr              CRLGENEntryData;
+typedef struct CRLGENExtensionEntryStr         CRLGENExtensionEntry;
+typedef struct CRLGENCertEntrySrt              CRLGENCertEntry;
+typedef struct CRLGENCrlFieldStr               CRLGENCrlField;
+typedef struct CRLGENEntriesSortedDataStr      CRLGENEntriesSortedData;
+
+/* Exported functions */
+
+/* Used for initialization of extension handles for crl and certs
+ * extensions from existing CRL data then modifying existing CRL.*/
+extern SECStatus CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData);
+
+/* Commits all added entries and their's extensions into CRL. */
+extern SECStatus CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData);
+
+/* Lunches the crl generation script parse */
+extern SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *crlGenData);
+
+/* Closes crl generation script file and frees crlGenData */
+extern void CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData);
+
+/* Parser initialization function. Creates CRLGENGeneratorData structure
+ *  for the current thread */
+extern CRLGENGeneratorData* CRLGEN_InitCrlGeneration(CERTSignedCrl *newCrl,
+                                                     PRFileDesc *src);
+
+
+/* This lock is defined in crlgen_lex.c(derived from crlgen_lex.l).
+ * It controls access to invocation of yylex, allows to parse one
+ * script at a time */
+extern void CRLGEN_InitCrlGenParserLock();
+extern void CRLGEN_DestroyCrlGenParserLock();
+
+
+/* The following function types are used to define functions for each of
+ * CRLGENExtensionEntryStr, CRLGENCertEntrySrt, CRLGENCrlFieldStr to
+ * provide functionality needed for these structures*/
+typedef SECStatus updateCrlFn_t(CRLGENGeneratorData *crlGenData, void *str);
+typedef SECStatus setNextDataFn_t(CRLGENGeneratorData *crlGenData, void *str,
+                                  void *data, unsigned short dtype);
+typedef SECStatus createNewLangStructFn_t(CRLGENGeneratorData *crlGenData,
+                                          void *str, unsigned i);
+
+/* Sets reports failure to parser if anything goes wrong */
+extern void      crlgen_setFailure(CRLGENGeneratorData *str, char *);
+
+/* Collects data in to one of the current data structure that corresponds
+ * to the correct context type. This function gets called after each token
+ * is found for a particular line */
+extern SECStatus crlgen_setNextData(CRLGENGeneratorData *str, void *data,
+                             unsigned short dtype);
+
+/* initiates crl update with collected data. This function is called at the
+ * end of each line */
+extern SECStatus crlgen_updateCrl(CRLGENGeneratorData *str);
+
+/* Creates new context structure depending on token that was parsed
+ * at the beginning of a line */
+extern SECStatus crlgen_createNewLangStruct(CRLGENGeneratorData *str,
+                                            unsigned structType);
+
+
+/* CRLGENExtensionEntry is used to store addext request data for either 
+ * CRL extensions or CRL entry extensions. The differentiation between
+ * is based on order and type of extension been added.
+ *    - extData : all data in request staring from name of the extension are
+ *                in saved here.
+ *    - nextUpdatedData: counter of elements added to extData
+ */
+struct CRLGENExtensionEntryStr {
+    char **extData;
+    int    nextUpdatedData;
+    updateCrlFn_t    *updateCrlFn;
+    setNextDataFn_t  *setNextDataFn;
+};
+
+/* CRLGENCeryestEntry is used to store addcert request data
+ *   - certId : certificate id or range of certificate with dash as a delimiter
+ *              All certs from range will be inclusively added to crl
+ *   - revocationTime: revocation time of cert(s)
+ */
+struct CRLGENCertEntrySrt {
+    char *certId;
+    char *revocationTime;
+    updateCrlFn_t   *updateCrlFn;
+    setNextDataFn_t *setNextDataFn;
+};
+
+
+/* CRLGENCrlField is used to store crl fields record like update time, next
+ * update time, etc.
+ *  - value: value of the parsed field data*/
+struct CRLGENCrlFieldStr {
+    char *value;
+    updateCrlFn_t   *updateCrlFn;
+    setNextDataFn_t *setNextDataFn;
+};
+
+/* Can not create entries extension until completely done with parsing.
+ * Therefore need to keep joined data
+ *   - certId : serial number of certificate
+ *   - extHandle: head pointer to a list of extensions that belong to
+ *                 entry
+ *   - entry : CERTCrlEntry structure pointer*/
+struct CRLGENEntryDataStr {
+    SECItem *certId;
+    void *extHandle;
+    CERTCrlEntry *entry;
+};
+
+/* Crl generator/parser main structure. Keeps info regarding current state of
+ * parser(context, status), parser helper functions pointers, parsed data and
+ * generated data.
+ *  - contextId : current parsing context. Context in this parser environment
+ *                defines what type of crl operations parser is going through
+ *                in the current line of crl generation script.
+ *                setting or new cert or an extension addition, etc.
+ *  - createNewLangStructFn: pointer to top level function which creates
+ *                             data structures according contextId
+ *  - setNextDataFn : pointer to top level function which sets new parsed data
+ *                    in temporary structure
+ *  - updateCrlFn   : pointer to top level function which triggers actual
+ *                    crl update functions with gathered data
+ *  - union         : data union create according to contextId
+ *  - rangeFrom, rangeTo : holds last range in which certs was added
+ *  - newCrl        : pointer to CERTSignedCrl newly created crl
+ *  - crlExtHandle : pointer to crl extension handle
+ *  - entryDataHashTable: hash of CRLGENEntryData.
+ *                     key: cert serial number
+ *                     data: CRLGENEntryData pointer
+ *  - parserStatus  : current status of parser. Triggers parser to abort when
+ *                    set to SECFailure
+ *  - src : PRFileDesc structure pointer of crl generator config file
+ *  - parsedLineNum : currently parsing line. Keeping it to report errors */ 
+struct CRLGENGeneratorDataStr {
+    unsigned short contextId;
+    CRLGENCrlField       *crlField;
+    CRLGENCertEntry      *certEntry;
+    CRLGENExtensionEntry *extensionEntry;	
+    PRUint64 rangeFrom;
+    PRUint64 rangeTo;
+    CERTSignedCrl *signCrl;
+    void *crlExtHandle;
+    PLHashTable *entryDataHashTable;
+    
+    PRFileDesc *src;
+    int parsedLineNum;
+};
+
+
+#endif /* _CRLGEN_H_ */
diff --git a/security/nss/cmd/crlutil/crlgen_lex.c b/security/nss/cmd/crlutil/crlgen_lex.c
new file mode 100644
index 000000000..26a888d60
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlgen_lex.c
@@ -0,0 +1,1783 @@
+/* A lexical scanner generated by flex */
+
+/* Scanner skeleton version:
+ * $Header$
+ */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+
+#include <stdio.h>
+#ifndef _WIN32
+#include <unistd.h>
+#endif
+
+
+/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
+#ifdef c_plusplus
+#ifndef __cplusplus
+#define __cplusplus
+#endif
+#endif
+
+
+#ifdef __cplusplus
+
+#include <stdlib.h>
+
+/* Use prototypes in function declarations. */
+#define YY_USE_PROTOS
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_PROTOS
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef __TURBOC__
+ #pragma warn -rch
+ #pragma warn -use
+#include <io.h>
+#include <stdlib.h>
+#define YY_USE_CONST
+#define YY_USE_PROTOS
+#endif
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+
+#ifdef YY_USE_PROTOS
+#define YY_PROTO(proto) proto
+#else
+#define YY_PROTO(proto) ()
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN yy_start = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START ((yy_start - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart( yyin )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#define YY_BUF_SIZE 16384
+
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+
+extern int yyleng;
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+/* The funky do-while in the following #define is used to turn the definition
+ * int a single C statement (which needs a semi-colon terminator).  This
+ * avoids problems with code like:
+ *
+ * 	if ( condition_holds )
+ *		yyless( 5 );
+ *	else
+ *		do_something_else();
+ *
+ * Prior to using the do-while the compiler would get upset at the
+ * "else" because it interpreted the "if" statement as being all
+ * done when it reached the ';' after the yyless() call.
+ */
+
+/* Return all but the first 'n' matched characters back to the input stream. */
+
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		*yy_cp = yy_hold_char; \
+		YY_RESTORE_YY_MORE_OFFSET \
+		yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, yytext_ptr )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+typedef unsigned int yy_size_t;
+
+
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+	};
+
+static YY_BUFFER_STATE yy_current_buffer = 0;
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ */
+#define YY_CURRENT_BUFFER yy_current_buffer
+
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+
+
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 1;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart YY_PROTO(( FILE *input_file ));
+
+void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
+void yy_load_buffer_state YY_PROTO(( void ));
+YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
+void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
+void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
+
+YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
+YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
+YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
+
+static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
+static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
+static void yy_flex_free YY_PROTO(( void * ));
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
+
+typedef unsigned char YY_CHAR;
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+typedef int yy_state_type;
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state YY_PROTO(( void ));
+static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
+static int yy_get_next_buffer YY_PROTO(( void ));
+static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	yytext_ptr = yy_bp; \
+	yytext_ptr -= yy_more_len; \
+	yyleng = (int) (yy_cp - yytext_ptr); \
+	yy_hold_char = *yy_cp; \
+	*yy_cp = '\0'; \
+	yy_c_buf_p = yy_cp;
+
+#define YY_NUM_RULES 17
+#define YY_END_OF_BUFFER 18
+static yyconst short int yy_accept[67] =
+    {   0,
+        0,    0,   18,   16,   14,   15,   16,   11,   12,    2,
+       10,    9,    9,    9,    9,    9,   13,   14,   15,   11,
+       12,    0,   12,    2,    9,    9,    9,    9,    9,   13,
+        3,    4,    2,    9,    9,    9,    9,    2,    9,    9,
+        9,    9,    2,    2,    9,    9,    8,    9,    2,    5,
+        9,    6,    2,    9,    2,    9,    2,    9,    2,    7,
+        2,    2,    2,    2,    1,    0
+    } ;
+
+static yyconst int yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    5,    6,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    7,    8,    1,    9,    9,   10,
+       11,   12,   12,   12,   13,   13,   13,   14,    1,    1,
+       15,    1,    1,    1,   16,   16,   16,   16,   16,   16,
+       16,   16,   16,   16,   16,   16,   16,   16,   16,   16,
+       16,   16,   16,   16,   16,   16,   16,   16,   16,   17,
+        1,    1,    1,    1,    1,    1,   18,   16,   16,   19,
+
+       20,   16,   21,   16,   22,   16,   16,   16,   16,   23,
+       16,   24,   16,   25,   26,   27,   28,   16,   16,   29,
+       16,   16,    1,   14,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst int yy_meta[30] =
+    {   0,
+        1,    1,    2,    1,    3,    1,    1,    4,    5,    5,
+        5,    5,    5,    4,    1,    4,    4,    4,    4,    4,
+        4,    4,    4,    4,    4,    4,    4,    4,    4
+    } ;
+
+static yyconst short int yy_base[72] =
+    {   0,
+        0,  149,  154,  205,  138,  205,  103,    0,    0,   23,
+      205,   29,   30,   31,   32,   33,    0,   99,  205,    0,
+        0,    0,   50,   55,   34,   61,   41,   63,   64,    0,
+        0,    0,   79,   65,   68,   86,   66,   99,  105,   88,
+      106,   90,  118,   76,  107,  110,   89,  125,   43,   91,
+      127,  128,  138,  144,  113,  129,  154,  160,  160,  130,
+      172,  166,  177,  144,    0,  205,  190,  192,  194,  199,
+       76
+    } ;
+
+static yyconst short int yy_def[72] =
+    {   0,
+       66,    1,   66,   66,   66,   66,   66,   67,   68,   68,
+       66,   69,   69,   69,   69,   69,   70,   66,   66,   67,
+       68,   71,   68,   10,   69,   69,   69,   69,   69,   70,
+       71,   23,   10,   69,   69,   69,   69,   10,   69,   69,
+       69,   69,   10,   38,   69,   69,   69,   69,   38,   69,
+       69,   69,   38,   69,   38,   69,   38,   69,   38,   69,
+       38,   38,   38,   38,   68,    0,   66,   66,   66,   66,
+       66
+    } ;
+
+static yyconst short int yy_nxt[235] =
+    {   0,
+        4,    5,    6,    7,    8,    4,    4,    9,   10,   10,
+       10,   10,   10,    9,   11,   12,   12,   12,   12,   12,
+       12,   13,   14,   12,   15,   12,   12,   16,   12,   22,
+       23,   24,   24,   24,   24,   24,   21,   21,   21,   21,
+       21,   21,   21,   21,   21,   21,   21,   21,   21,   28,
+       27,   53,   53,   53,   21,   26,   29,   32,   32,   32,
+       32,   32,   32,   33,   33,   33,   33,   33,   21,   35,
+       21,   21,   21,   21,   21,   21,   21,   21,   21,   21,
+       31,   21,   37,   42,   44,   36,   34,   38,   38,   38,
+       38,   38,   39,   21,   40,   21,   21,   21,   21,   21,
+
+       18,   21,   21,   21,   21,   19,   41,   43,   44,   44,
+       44,   44,   21,   21,   21,   46,   48,   21,   21,   21,
+       21,   57,   57,   21,   45,   47,   49,   49,   49,   49,
+       49,   50,   21,   51,   21,   21,   21,   21,   21,   18,
+       21,   21,   21,   21,   52,   54,   55,   55,   55,   55,
+       55,   21,   44,   66,   17,   58,   66,   21,   66,   66,
+       65,   56,   59,   59,   59,   59,   59,   21,   61,   61,
+       61,   61,   66,   21,   63,   63,   63,   63,   66,   60,
+       62,   62,   62,   62,   62,   64,   64,   64,   64,   64,
+       20,   20,   66,   20,   20,   21,   21,   25,   25,   30,
+
+       66,   30,   30,   30,    3,   66,   66,   66,   66,   66,
+       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
+       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
+       66,   66,   66,   66
+    } ;
+
+static yyconst short int yy_chk[235] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,   10,
+       10,   10,   10,   10,   10,   10,   12,   13,   14,   15,
+       16,   25,   12,   13,   14,   15,   16,   25,   27,   15,
+       14,   49,   49,   49,   27,   13,   16,   23,   23,   23,
+       23,   23,   23,   24,   24,   24,   24,   24,   26,   27,
+       28,   29,   34,   37,   26,   35,   28,   29,   34,   37,
+       71,   35,   29,   37,   44,   28,   26,   33,   33,   33,
+       33,   33,   34,   36,   35,   40,   47,   42,   50,   36,
+
+       18,   40,   47,   42,   50,    7,   36,   38,   38,   38,
+       38,   38,   39,   41,   45,   40,   42,   46,   39,   41,
+       45,   55,   55,   46,   39,   41,   43,   43,   43,   43,
+       43,   45,   48,   46,   51,   52,   56,   60,   48,    5,
+       51,   52,   56,   60,   48,   51,   53,   53,   53,   53,
+       53,   54,   64,    3,    2,   56,    0,   54,    0,    0,
+       64,   54,   57,   57,   57,   57,   57,   58,   59,   59,
+       59,   59,    0,   58,   62,   62,   62,   62,    0,   58,
+       61,   61,   61,   61,   61,   63,   63,   63,   63,   63,
+       67,   67,    0,   67,   67,   68,   68,   69,   69,   70,
+
+        0,   70,   70,   70,   66,   66,   66,   66,   66,   66,
+       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
+       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
+       66,   66,   66,   66
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+static int yy_more_flag = 0;
+static int yy_more_len = 0;
+#define yymore() (yy_more_flag = 1)
+#define YY_MORE_ADJ yy_more_len
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "crlgen_lex_orig.l"
+#define INITIAL 0
+#line 2 "crlgen_lex_orig.l"
+
+#include "crlgen.h"
+
+static SECStatus parserStatus = SECSuccess;
+static CRLGENGeneratorData *parserData;
+static PRFileDesc *src;
+
+#define YY_INPUT(buf,result,max_size) \
+    if ( parserStatus != SECFailure) { \
+	 if (((result = PR_Read(src, buf, max_size)) == 0) && \
+	     ferror( yyin )) \
+	   return SECFailure; \
+    } else  { return SECFailure; }
+              
+
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap YY_PROTO(( void ));
+#else
+extern int yywrap YY_PROTO(( void ));
+#endif
+#endif
+
+#ifndef YY_NO_UNPUT
+static void yyunput YY_PROTO(( int c, char *buf_ptr ));
+#endif
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen YY_PROTO(( yyconst char * ));
+#endif
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+static int yyinput YY_PROTO(( void ));
+#else
+static int input YY_PROTO(( void ));
+#endif
+#endif
+
+#if YY_STACK_USED
+static int yy_start_stack_ptr = 0;
+static int yy_start_stack_depth = 0;
+static int *yy_start_stack = 0;
+#ifndef YY_NO_PUSH_STATE
+static void yy_push_state YY_PROTO(( int new_state ));
+#endif
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state YY_PROTO(( void ));
+#endif
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state YY_PROTO(( void ));
+#endif
+
+#else
+#define YY_NO_PUSH_STATE 1
+#define YY_NO_POP_STATE 1
+#define YY_NO_TOP_STATE 1
+#endif
+
+#ifdef YY_MALLOC_DECL
+YY_MALLOC_DECL
+#else
+#if __STDC__
+#ifndef __cplusplus
+#include <stdlib.h>
+#endif
+#else
+/* Just try to get by without declaring the routines.  This will fail
+ * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
+ * or sizeof(void*) != sizeof(int).
+ */
+#endif
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( yy_current_buffer->yy_is_interactive ) \
+		{ \
+		int c = '*', n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
+		  && ferror( yyin ) ) \
+		YY_FATAL_ERROR( "input in flex scanner failed" );
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL int yylex YY_PROTO(( void ))
+#endif
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	if ( yyleng > 0 ) \
+		yy_current_buffer->yy_at_bol = \
+				(yytext[yyleng - 1] == '\n'); \
+	YY_USER_ACTION
+
+YY_DECL
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp = NULL, *yy_bp = NULL;
+	register int yy_act;
+
+#line 28 "crlgen_lex_orig.l"
+
+
+
+	if ( yy_init )
+		{
+		yy_init = 0;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! yy_start )
+			yy_start = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! yy_current_buffer )
+			yy_current_buffer =
+				yy_create_buffer( yyin, YY_BUF_SIZE );
+
+		yy_load_buffer_state();
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_more_len = 0;
+		if ( yy_more_flag )
+			{
+			yy_more_len = yy_c_buf_p - yytext_ptr;
+			yy_more_flag = 0;
+			}
+		yy_cp = yy_c_buf_p;
+
+		/* Support of yytext. */
+		*yy_cp = yy_hold_char;
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = yy_start;
+		yy_current_state += YY_AT_BOL();
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				yy_last_accepting_state = yy_current_state;
+				yy_last_accepting_cpos = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 67 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 205 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = yy_last_accepting_cpos;
+			yy_current_state = yy_last_accepting_state;
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+
+do_action:	/* This label is used only to access EOF actions. */
+
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = yy_hold_char;
+			yy_cp = yy_last_accepting_cpos;
+			yy_current_state = yy_last_accepting_state;
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 30 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 36 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 42 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 48 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 54 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 60 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 65 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 71 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 9:
+YY_RULE_SETUP
+#line 77 "crlgen_lex_orig.l"
+{
+if (strcmp(yytext, "addcert") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_ADD_CERT_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else if (strcmp(yytext, "rmcert") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_RM_CERT_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else if (strcmp(yytext, "addext") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_ADD_EXTENSION_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else {
+    parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+}
+}
+	YY_BREAK
+case 10:
+YY_RULE_SETUP
+#line 100 "crlgen_lex_orig.l"
+
+	YY_BREAK
+case 11:
+YY_RULE_SETUP
+#line 102 "crlgen_lex_orig.l"
+{
+if (yytext[yyleng-1] == '\\') {
+    yymore();
+} else {
+    register int c;
+    c = input();
+    if (c != '\"') {
+        printf( "Error: Line ending \" is missing:  %c\n", c);
+        unput(c);
+    } else {
+        parserStatus = crlgen_setNextData(parserData, yytext + 1,
+                                          CRLGEN_TYPE_STRING);
+        if (parserStatus != SECSuccess)
+            return parserStatus;
+    }
+}
+}
+	YY_BREAK
+case 12:
+YY_RULE_SETUP
+#line 120 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 13:
+YY_RULE_SETUP
+#line 128 "crlgen_lex_orig.l"
+/* eat up one-line comments */ {}
+	YY_BREAK
+case 14:
+YY_RULE_SETUP
+#line 130 "crlgen_lex_orig.l"
+{}
+	YY_BREAK
+case 15:
+YY_RULE_SETUP
+#line 132 "crlgen_lex_orig.l"
+{
+parserStatus = crlgen_updateCrl(parserData);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+	YY_BREAK
+case 16:
+YY_RULE_SETUP
+#line 138 "crlgen_lex_orig.l"
+{
+    fprintf(stderr, "Syntax error at line %d: unknown token %s\n",
+            parserData->parsedLineNum, yytext);
+    return SECFailure;
+}
+	YY_BREAK
+case 17:
+YY_RULE_SETUP
+#line 144 "crlgen_lex_orig.l"
+ECHO;
+	YY_BREAK
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = yy_hold_char;
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between yy_current_buffer and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			yy_n_chars = yy_current_buffer->yy_n_chars;
+			yy_current_buffer->yy_input_file = yyin;
+			yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state();
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = yytext_ptr + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++yy_c_buf_p;
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = yy_c_buf_p;
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer() )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				yy_did_buffer_switch_on_eof = 0;
+
+				if ( yywrap() )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				yy_c_buf_p =
+					yytext_ptr + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				yy_c_buf_p =
+				&yy_current_buffer->yy_ch_buf[yy_n_chars];
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+	} /* end of yylex */
+
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+
+static int yy_get_next_buffer()
+	{
+	register char *dest = yy_current_buffer->yy_ch_buf;
+	register char *source = yytext_ptr;
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( yy_current_buffer->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		yy_current_buffer->yy_n_chars = yy_n_chars = 0;
+
+	else
+		{
+		int num_to_read =
+			yy_current_buffer->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+#ifdef YY_USES_REJECT
+			YY_FATAL_ERROR(
+"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
+#else
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = yy_current_buffer;
+
+			int yy_c_buf_p_offset =
+				(int) (yy_c_buf_p - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yy_flex_realloc( (void *) b->yy_ch_buf,
+							 b->yy_buf_size + 2 );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = yy_current_buffer->yy_buf_size -
+						number_to_move - 1;
+#endif
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
+			yy_n_chars, num_to_read );
+
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	if ( yy_n_chars == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart( yyin );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			yy_current_buffer->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	yy_n_chars += number_to_move;
+	yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
+	yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
+
+	yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
+
+	return ret_val;
+	}
+
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+static yy_state_type yy_get_previous_state()
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+
+	yy_current_state = yy_start;
+	yy_current_state += YY_AT_BOL();
+
+	for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			yy_last_accepting_state = yy_current_state;
+			yy_last_accepting_cpos = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 67 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+	}
+
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+
+#ifdef YY_USE_PROTOS
+static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
+#else
+static yy_state_type yy_try_NUL_trans( yy_current_state )
+yy_state_type yy_current_state;
+#endif
+	{
+	register int yy_is_jam;
+	register char *yy_cp = yy_c_buf_p;
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		yy_last_accepting_state = yy_current_state;
+		yy_last_accepting_cpos = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 67 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 66);
+
+	return yy_is_jam ? 0 : yy_current_state;
+	}
+
+
+#ifndef YY_NO_UNPUT
+#ifdef YY_USE_PROTOS
+static void yyunput( int c, register char *yy_bp )
+#else
+static void yyunput( c, yy_bp )
+int c;
+register char *yy_bp;
+#endif
+	{
+	register char *yy_cp = yy_c_buf_p;
+
+	/* undo effects of setting up yytext */
+	*yy_cp = yy_hold_char;
+
+	if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = yy_n_chars + 2;
+		register char *dest = &yy_current_buffer->yy_ch_buf[
+					yy_current_buffer->yy_buf_size + 2];
+		register char *source =
+				&yy_current_buffer->yy_ch_buf[number_to_move];
+
+		while ( source > yy_current_buffer->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		yy_current_buffer->yy_n_chars =
+			yy_n_chars = yy_current_buffer->yy_buf_size;
+
+		if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+
+	yytext_ptr = yy_bp;
+	yy_hold_char = *yy_cp;
+	yy_c_buf_p = yy_cp;
+	}
+#endif	/* ifndef YY_NO_UNPUT */
+
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+static int yyinput()
+#else
+static int input()
+#endif
+	{
+	int c;
+
+	*yy_c_buf_p = yy_hold_char;
+
+	if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			/* This was really a NUL. */
+			*yy_c_buf_p = '\0';
+
+		else
+			{ /* need more input */
+			int offset = yy_c_buf_p - yytext_ptr;
+			++yy_c_buf_p;
+
+			switch ( yy_get_next_buffer() )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart( yyin );
+
+					/* fall through */
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap() )
+						return EOF;
+
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					yy_c_buf_p = yytext_ptr + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
+	*yy_c_buf_p = '\0';	/* preserve yytext */
+	yy_hold_char = *++yy_c_buf_p;
+
+	yy_current_buffer->yy_at_bol = (c == '\n');
+
+	return c;
+	}
+#endif /* YY_NO_INPUT */
+
+#ifdef YY_USE_PROTOS
+void yyrestart( FILE *input_file )
+#else
+void yyrestart( input_file )
+FILE *input_file;
+#endif
+	{
+	if ( ! yy_current_buffer )
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
+
+	yy_init_buffer( yy_current_buffer, input_file );
+	yy_load_buffer_state();
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
+#else
+void yy_switch_to_buffer( new_buffer )
+YY_BUFFER_STATE new_buffer;
+#endif
+	{
+	if ( yy_current_buffer == new_buffer )
+		return;
+
+	if ( yy_current_buffer )
+		{
+		/* Flush out information for old buffer. */
+		*yy_c_buf_p = yy_hold_char;
+		yy_current_buffer->yy_buf_pos = yy_c_buf_p;
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	yy_current_buffer = new_buffer;
+	yy_load_buffer_state();
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	yy_did_buffer_switch_on_eof = 1;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_load_buffer_state( void )
+#else
+void yy_load_buffer_state()
+#endif
+	{
+	yy_n_chars = yy_current_buffer->yy_n_chars;
+	yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
+	yyin = yy_current_buffer->yy_input_file;
+	yy_hold_char = *yy_c_buf_p;
+	}
+
+
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
+#else
+YY_BUFFER_STATE yy_create_buffer( file, size )
+FILE *file;
+int size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer( b, file );
+
+	return b;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_delete_buffer( YY_BUFFER_STATE b )
+#else
+void yy_delete_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+	{
+	if ( ! b )
+		return;
+
+	if ( b == yy_current_buffer )
+		yy_current_buffer = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yy_flex_free( (void *) b->yy_ch_buf );
+
+	yy_flex_free( (void *) b );
+	}
+
+
+
+#ifdef YY_USE_PROTOS
+void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
+#else
+void yy_init_buffer( b, file )
+YY_BUFFER_STATE b;
+FILE *file;
+#endif
+
+
+	{
+	yy_flush_buffer( b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+#if YY_ALWAYS_INTERACTIVE
+	b->yy_is_interactive = 1;
+#else
+#if YY_NEVER_INTERACTIVE
+	b->yy_is_interactive = 0;
+#else
+	b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+#endif
+#endif
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_flush_buffer( YY_BUFFER_STATE b )
+#else
+void yy_flush_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+
+	{
+	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == yy_current_buffer )
+		yy_load_buffer_state();
+	}
+
+
+#ifndef YY_NO_SCAN_BUFFER
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
+#else
+YY_BUFFER_STATE yy_scan_buffer( base, size )
+char *base;
+yy_size_t size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer( b );
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_STRING
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
+#else
+YY_BUFFER_STATE yy_scan_string( yy_str )
+yyconst char *yy_str;
+#endif
+	{
+	int len;
+	for ( len = 0; yy_str[len]; ++len )
+		;
+
+	return yy_scan_bytes( yy_str, len );
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_BYTES
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
+#else
+YY_BUFFER_STATE yy_scan_bytes( bytes, len )
+yyconst char *bytes;
+int len;
+#endif
+	{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = len + 2;
+	buf = (char *) yy_flex_alloc( n );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < len; ++i )
+		buf[i] = bytes[i];
+
+	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer( buf, n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_PUSH_STATE
+#ifdef YY_USE_PROTOS
+static void yy_push_state( int new_state )
+#else
+static void yy_push_state( new_state )
+int new_state;
+#endif
+	{
+	if ( yy_start_stack_ptr >= yy_start_stack_depth )
+		{
+		yy_size_t new_size;
+
+		yy_start_stack_depth += YY_START_STACK_INCR;
+		new_size = yy_start_stack_depth * sizeof( int );
+
+		if ( ! yy_start_stack )
+			yy_start_stack = (int *) yy_flex_alloc( new_size );
+
+		else
+			yy_start_stack = (int *) yy_flex_realloc(
+					(void *) yy_start_stack, new_size );
+
+		if ( ! yy_start_stack )
+			YY_FATAL_ERROR(
+			"out of memory expanding start-condition stack" );
+		}
+
+	yy_start_stack[yy_start_stack_ptr++] = YY_START;
+
+	BEGIN(new_state);
+	}
+#endif
+
+
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state()
+	{
+	if ( --yy_start_stack_ptr < 0 )
+		YY_FATAL_ERROR( "start-condition stack underflow" );
+
+	BEGIN(yy_start_stack[yy_start_stack_ptr]);
+	}
+#endif
+
+
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state()
+	{
+	return yy_start_stack[yy_start_stack_ptr - 1];
+	}
+#endif
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+#ifdef YY_USE_PROTOS
+static void yy_fatal_error( yyconst char msg[] )
+#else
+static void yy_fatal_error( msg )
+char msg[];
+#endif
+	{
+	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+	}
+
+
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		yytext[yyleng] = yy_hold_char; \
+		yy_c_buf_p = yytext + n; \
+		yy_hold_char = *yy_c_buf_p; \
+		*yy_c_buf_p = '\0'; \
+		yyleng = n; \
+		} \
+	while ( 0 )
+
+
+/* Internal utility routines. */
+
+#ifndef yytext_ptr
+#ifdef YY_USE_PROTOS
+static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
+#else
+static void yy_flex_strncpy( s1, s2, n )
+char *s1;
+yyconst char *s2;
+int n;
+#endif
+	{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+	}
+#endif
+
+#ifdef YY_NEED_STRLEN
+#ifdef YY_USE_PROTOS
+static int yy_flex_strlen( yyconst char *s )
+#else
+static int yy_flex_strlen( s )
+yyconst char *s;
+#endif
+	{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+	}
+#endif
+
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_alloc( yy_size_t size )
+#else
+static void *yy_flex_alloc( size )
+yy_size_t size;
+#endif
+	{
+	return (void *) malloc( size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_realloc( void *ptr, yy_size_t size )
+#else
+static void *yy_flex_realloc( ptr, size )
+void *ptr;
+yy_size_t size;
+#endif
+	{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void yy_flex_free( void *ptr )
+#else
+static void yy_flex_free( ptr )
+void *ptr;
+#endif
+	{
+	free( ptr );
+	}
+
+#if YY_MAIN
+int main()
+	{
+	yylex();
+	return 0;
+	}
+#endif
+#line 144 "crlgen_lex_orig.l"
+
+#include "prlock.h"
+
+static PRLock *parserInvocationLock;
+
+void CRLGEN_InitCrlGenParserLock()
+{
+    parserInvocationLock = PR_NewLock();
+}
+
+void CRLGEN_DestroyCrlGenParserLock()
+{
+    PR_DestroyLock(parserInvocationLock);
+}
+
+
+SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData)
+{
+    SECStatus rv;
+
+    PR_Lock(parserInvocationLock);
+
+    parserStatus = SECSuccess;
+    parserData = parserCtlData;
+    src = parserCtlData->src;
+
+    rv = yylex();
+
+    PR_Unlock(parserInvocationLock);
+
+    return rv;
+}
+
+int yywrap() {return 1;}
diff --git a/security/nss/cmd/crlutil/crlgen_lex_fix.sed b/security/nss/cmd/crlutil/crlgen_lex_fix.sed
new file mode 100644
index 000000000..57125cd4a
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlgen_lex_fix.sed
@@ -0,0 +1,4 @@
+/<unistd.h>/ {
+        i #ifndef _WIN32
+        a #endif
+}
diff --git a/security/nss/cmd/crlutil/crlgen_lex_orig.l b/security/nss/cmd/crlutil/crlgen_lex_orig.l
new file mode 100644
index 000000000..7cb1e5cde
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlgen_lex_orig.l
@@ -0,0 +1,177 @@
+%{
+
+#include "crlgen.h"
+
+static SECStatus parserStatus = SECSuccess;
+static CRLGENGeneratorData *parserData;
+static PRFileDesc *src;
+
+#define YY_INPUT(buf,result,max_size) \
+    if ( parserStatus != SECFailure) { \
+	 if (((result = PR_Read(src, buf, max_size)) == 0) && \
+	     ferror( yyin )) \
+	   return SECFailure; \
+    } else  { return SECFailure; }
+              
+
+%}
+
+%a 5000
+DIGIT          [0-9]+
+DIGIT_RANGE    [0-9]+-[0-9]+
+ID             [a-zA-Z][a-zA-Z0-9]*
+OID            [0-9]+\.[\.0-9]+
+DATE           [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9]
+ZDATE          [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9]Z
+N_SP_STRING    [a-zA-Z0-9\:\|\.]+
+
+%%
+
+{ZDATE}   {
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+{DIGIT}   {
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+{DIGIT_RANGE}  {
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+{OID}     {
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+issuer     {
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+update     {
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+nextupdate {
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+range      {
+parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+{ID}      {
+if (strcmp(yytext, "addcert") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_ADD_CERT_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else if (strcmp(yytext, "rmcert") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_RM_CERT_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else if (strcmp(yytext, "addext") == 0) {
+    parserStatus = crlgen_createNewLangStruct(parserData,
+                                    CRLGEN_ADD_EXTENSION_CONTEXT);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+} else {
+    parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID);
+    if (parserStatus != SECSuccess)
+        return parserStatus;
+}
+}
+
+"="
+
+\"[^\"]* {
+if (yytext[yyleng-1] == '\\') {
+    yymore();
+} else {
+    register int c;
+    c = input();
+    if (c != '\"') {
+        printf( "Error: Line ending \" is missing:  %c\n", c);
+        unput(c);
+    } else {
+        parserStatus = crlgen_setNextData(parserData, yytext + 1,
+                                          CRLGEN_TYPE_STRING);
+        if (parserStatus != SECSuccess)
+            return parserStatus;
+    }
+}
+}
+
+{N_SP_STRING} {
+parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+
+
+^#[^\n]*     /* eat up one-line comments */ {}
+
+[ \t]+      {}
+
+(\n|\r\n)  {
+parserStatus = crlgen_updateCrl(parserData);
+if (parserStatus != SECSuccess)
+    return parserStatus;
+}
+
+.           {
+    fprintf(stderr, "Syntax error at line %d: unknown token %s\n",
+            parserData->parsedLineNum, yytext);
+    return SECFailure;
+}
+
+%%
+#include "prlock.h"
+
+static PRLock *parserInvocationLock;
+
+void CRLGEN_InitCrlGenParserLock()
+{
+    parserInvocationLock = PR_NewLock();
+}
+
+void CRLGEN_DestroyCrlGenParserLock()
+{
+    PR_DestroyLock(parserInvocationLock);
+}
+
+
+SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData)
+{
+    SECStatus rv;
+
+    PR_Lock(parserInvocationLock);
+
+    parserStatus = SECSuccess;
+    parserData = parserCtlData;
+    src = parserCtlData->src;
+
+    rv = yylex();
+
+    PR_Unlock(parserInvocationLock);
+
+    return rv;
+}
+
+int yywrap() {return 1;}
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
new file mode 100644
index 000000000..a1b57bf64
--- /dev/null
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -0,0 +1,1088 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** certutil.c
+**
+** utility for managing certificates and the cert database
+**
+*/
+/* test only */
+
+#include "nspr.h"
+#include "plgetopt.h"
+#include "secutil.h"
+#include "cert.h"
+#include "certi.h"
+#include "certdb.h"
+#include "nss.h"
+#include "pk11func.h"
+#include "crlgen.h"
+
+#define SEC_CERT_DB_EXISTS 0
+#define SEC_CREATE_CERT_DB 1
+
+static char *progName;
+
+static CERTSignedCrl *FindCRL
+   (CERTCertDBHandle *certHandle, char *name, int type)
+{
+    CERTSignedCrl *crl = NULL;    
+    CERTCertificate *cert = NULL;
+    SECItem derName;
+
+    derName.data = NULL;
+    derName.len = 0;
+
+    cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
+    if (!cert) {
+        CERTName *certName = NULL;
+        PRArenaPool *arena = NULL;
+    
+        certName = CERT_AsciiToName(name);
+        if (certName) {
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (arena) {
+                SECItem *nameItem = 
+                    SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
+                                        SEC_ASN1_GET(CERT_NameTemplate));
+                if (nameItem) {
+                    SECITEM_CopyItem(NULL, &derName, nameItem);
+                }
+                PORT_FreeArena(arena, PR_FALSE);
+            }
+            CERT_DestroyName(certName);
+        }
+
+        if (!derName.len || !derName.data) {
+            SECU_PrintError(progName, "could not find certificate named '%s'", name);
+            return ((CERTSignedCrl *)NULL);
+        }
+    } else {
+        SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
+        CERT_DestroyCertificate (cert);
+    }
+ 
+    crl = SEC_FindCrlByName(certHandle, &derName, type);
+    if (crl ==NULL) 
+	SECU_PrintError
+		(progName, "could not find %s's CRL", name);
+    if (derName.data) {
+        SECITEM_FreeItem(&derName, PR_FALSE);
+    }
+    return (crl);
+}
+
+static SECStatus DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
+{
+    CERTSignedCrl *crl = NULL;
+
+    crl = FindCRL (certHandle, nickName, crlType);
+	
+    if (crl) {
+	SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
+	SEC_DestroyCrl (crl);
+	return SECSuccess;
+    }
+    return SECFailure;
+}
+
+static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
+{
+    CERTCrlHeadNode *crlList = NULL;
+    CERTCrlNode *crlNode = NULL;
+    CERTName *name = NULL;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    do {
+	arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (arena == NULL) {
+	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
+	    break;
+	}
+	
+	name = PORT_ArenaZAlloc (arena, sizeof(*name));
+	if (name == NULL) {
+	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
+	    break;
+	}
+	name->arena = arena;
+	    
+	rv = SEC_LookupCrls (certHandle, &crlList, crlType);
+	if (rv != SECSuccess) {
+	    fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
+	    SECU_Strerror(PORT_GetError()));
+	    break;
+	}
+	
+	/* just in case */
+	if (!crlList)
+	    break;
+
+	crlNode  = crlList->first;
+
+        fprintf (stdout, "\n");
+	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
+	while (crlNode) {
+	    char* asciiname = NULL;
+	    CERTCertificate *cert = NULL;
+	    if (crlNode->crl && &crlNode->crl->crl.derName) {
+	        cert = CERT_FindCertByName(certHandle,
+	                                   &crlNode->crl->crl.derName);
+	        if (!cert) {
+	            SECU_PrintError(progName, "could not find signing "
+	                         "certificate in database");
+	        }
+	    }
+	    if (cert) {
+	        char* certName = NULL;
+                 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
+	            certName = cert->nickname;
+	        } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
+	            certName = cert->emailAddr;
+	        }
+	        if (certName) {
+	            asciiname = PORT_Strdup(certName);
+	        }
+	        CERT_DestroyCertificate(cert);
+	    }
+                
+	    if (!asciiname) {
+	        name = &crlNode->crl->crl.name;
+	        if (!name){
+	            SECU_PrintError(progName, "fail to get the CRL "
+	                           "issuer name");
+	            continue;
+	        }
+	        asciiname = CERT_NameToAscii(name);
+	    }
+	    fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
+	    if (asciiname) {
+		PORT_Free(asciiname);
+	    }
+            if ( PR_TRUE == deletecrls) {
+                CERTSignedCrl* acrl = NULL;
+                SECItem* issuer = &crlNode->crl->crl.derName;
+                acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
+                if (acrl)
+                {
+                    SEC_DeletePermCRL(acrl);
+                    SEC_DestroyCrl(acrl);
+                }
+            }
+            crlNode = crlNode->next;
+	} 
+	
+    } while (0);
+    if (crlList)
+	PORT_FreeArena (crlList->arena, PR_FALSE);
+    PORT_FreeArena (arena, PR_FALSE);
+}
+
+static SECStatus ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
+{
+    if (nickName == NULL) {
+	ListCRLNames (certHandle, crlType, PR_FALSE);
+	return SECSuccess;
+    } 
+
+    return DisplayCRL (certHandle, nickName, crlType);
+}
+
+
+
+static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
+{
+    CERTSignedCrl *crl = NULL;    
+    SECStatus rv = SECFailure;
+
+    crl = FindCRL (certHandle, name, type);
+    if (!crl) {
+	SECU_PrintError
+		(progName, "could not find the issuer %s's CRL", name);
+	return SECFailure;
+    }
+    rv = SEC_DeletePermCRL (crl);
+    SEC_DestroyCrl(crl);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
+	                "from the perm database (reason: %s)",
+	                name, SECU_Strerror(PORT_GetError()));
+	return SECFailure;
+    }
+    return (rv);
+}
+
+SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, 
+                     PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
+{
+    CERTSignedCrl *crl = NULL;
+    SECItem crlDER;
+    PK11SlotInfo* slot = NULL;
+    int rv;
+#if defined(DEBUG_jp96085)
+    PRIntervalTime starttime, endtime, elapsed;
+    PRUint32 mins, secs, msecs;
+#endif
+
+    crlDER.data = NULL;
+
+
+    /* Read in the entire file specified with the -f argument */
+    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "unable to read input file");
+	return (SECFailure);
+    }
+
+    decodeOptions |= CRL_DECODE_DONT_COPY_DER;
+
+    slot = PK11_GetInternalKeySlot();
+ 
+#if defined(DEBUG_jp96085)
+    starttime = PR_IntervalNow();
+#endif
+    crl = PK11_ImportCRL(slot, &crlDER, url, type,
+          NULL, importOptions, NULL, decodeOptions);
+#if defined(DEBUG_jp96085)
+    endtime = PR_IntervalNow();
+    elapsed = endtime - starttime;
+    mins = PR_IntervalToSeconds(elapsed) / 60;
+    secs = PR_IntervalToSeconds(elapsed) % 60;
+    msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
+    printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
+#endif
+    if (!crl) {
+	const char *errString;
+
+	rv = SECFailure;
+	errString = SECU_Strerror(PORT_GetError());
+	if ( errString && PORT_Strlen (errString) == 0)
+	    SECU_PrintError (progName, 
+	        "CRL is not imported (error: input CRL is not up to date.)");
+	else    
+	    SECU_PrintError (progName, "unable to import CRL");
+    } else {
+	SEC_DestroyCrl (crl);
+    }
+    if (slot) {
+        PK11_FreeSlot(slot);
+    }
+    return (rv);
+}
+
+
+static CERTCertificate*
+FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
+                char *certNickName)
+{                   
+    CERTCertificate *cert = NULL, *certTemp = NULL;
+    SECStatus rv = SECFailure;
+    CERTAuthKeyID* authorityKeyID = NULL;
+    SECItem* subject = NULL;
+
+    PORT_Assert(certHandle != NULL);
+    if (!certHandle || (!signCrl && !certNickName)) {
+        SECU_PrintError(progName, "invalid args for function "
+                        "FindSigningCert \n");
+        return NULL;
+    }
+
+    if (signCrl) {
+#if 0
+        authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
+#endif
+        subject = &signCrl->crl.derName;
+    } else {
+        certTemp = CERT_FindCertByNickname(certHandle, certNickName);
+        if (!certTemp) {
+            SECU_PrintError(progName, "could not find certificate \"%s\" "
+                            "in database", certNickName);
+            goto loser;
+        }
+        subject = &certTemp->derSubject;
+    }
+
+    cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
+    if (!cert) {
+        SECU_PrintError(progName, "could not find signing certificate "
+                        "in database");
+        goto loser;
+    } else {
+        rv = SECSuccess;
+    }
+
+  loser:
+    if (certTemp)
+        CERT_DestroyCertificate(certTemp);
+    if (cert && rv != SECSuccess)
+        CERT_DestroyCertificate(cert);
+    return cert;
+}
+
+static CERTSignedCrl*
+CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
+                CERTCertificate **cert, char *certNickName,
+                PRFileDesc *inFile, PRInt32 decodeOptions,
+                PRInt32 importOptions)
+{
+    SECItem crlDER;
+    CERTSignedCrl *signCrl = NULL;
+    CERTSignedCrl *modCrl = NULL;
+    PRArenaPool *modArena = NULL;
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(arena != NULL && certHandle != NULL &&
+                certNickName != NULL);
+    if (!arena || !certHandle || !certNickName) {
+        SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
+        return NULL;
+    }
+
+    modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (!modArena) {
+        SECU_PrintError(progName, "fail to allocate memory\n");
+        return NULL;
+    }
+    
+    if (inFile != NULL) {
+        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "unable to read input file");
+            PORT_FreeArena(modArena, PR_FALSE);
+            goto loser;
+        }
+        
+        decodeOptions |= CRL_DECODE_DONT_COPY_DER;
+        
+        modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
+                                            decodeOptions);
+        if (!modCrl) {
+            SECU_PrintError(progName, "fail to decode CRL");
+            goto loser;
+        }
+        
+        if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
+            /* If caCert is a v2 certificate, make sure that it
+             * can be used for crl signing purpose */
+            *cert = FindSigningCert(certHandle, modCrl, NULL);
+            if (!*cert) {
+                goto loser;
+            }
+
+            rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
+                                       PR_Now(), NULL);
+            if (rv != SECSuccess) {
+                SECU_PrintError(progName, "fail to verify signed data\n");
+                goto loser;
+            }
+        }
+    } else {
+        modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
+        if (!modCrl) {
+            SECU_PrintError(progName, "fail to find crl %s in database\n",
+                            certNickName);
+            goto loser;
+        }
+    }
+
+    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
+    if (signCrl == NULL) {
+        SECU_PrintError(progName, "fail to allocate memory\n");
+        goto loser;
+    }
+
+    rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "unable to dublicate crl for "
+                        "modification.");
+        goto loser;
+    }  
+
+    /* Make sure the update time is current. It can be modified later
+     * by "update <time>" command from crl generation script */
+    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to encode current time\n");
+        goto loser;
+    }
+
+    signCrl->arena = arena;
+
+  loser:
+    SECITEM_FreeItem(&crlDER, PR_FALSE);
+    if (modCrl)
+        SEC_DestroyCrl(modCrl);
+    if (rv != SECSuccess && signCrl) {
+        SEC_DestroyCrl(signCrl);
+        signCrl = NULL;
+    }
+    return signCrl;
+}
+
+
+static CERTSignedCrl*
+CreateNewCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
+             CERTCertificate *cert)
+{ 
+    CERTSignedCrl *signCrl = NULL;
+    void *dummy = NULL;
+    SECStatus rv;
+    void* mark = NULL;
+
+    /* if the CERTSignedCrl structure changes, this function will need to be
+       updated as well */
+    PORT_Assert(cert != NULL);
+    if (!cert || !arena) {
+        SECU_PrintError(progName, "invalid args for function "
+                        "CreateNewCrl\n");
+        return NULL;
+    }
+
+    mark = PORT_ArenaMark(arena);
+        
+    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
+    if (signCrl == NULL) {
+        SECU_PrintError(progName, "fail to allocate memory\n");
+        return NULL;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
+                                  SEC_CRL_VERSION_2);
+    /* set crl->version */
+    if (!dummy) {
+        SECU_PrintError(progName, "fail to create crl version data "
+                        "container\n");
+        goto loser;
+    }
+    
+    /* copy SECItem name from cert */
+    rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to duplicate der name from "
+                        "certificate.\n");
+        goto loser;
+    }
+        
+    /* copy CERTName name structure from cert issuer */
+    rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to duplicate RD name from "
+                        "certificate.\n");
+        goto loser;
+    }
+
+    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to encode current time\n");
+        goto loser;
+    }
+
+    /* set fields */
+    signCrl->arena = arena;
+    signCrl->dbhandle = certHandle;
+    signCrl->crl.arena = arena;
+
+    return signCrl;
+
+  loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+
+static SECStatus
+UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
+{
+    CRLGENGeneratorData *crlGenData = NULL;
+    SECStatus rv;
+    
+    PORT_Assert(signCrl != NULL && inCrlInitFile != NULL);
+    if (!signCrl || !inCrlInitFile) {
+        SECU_PrintError(progName, "invalid args for function "
+                        "CreateNewCrl\n");
+        return SECFailure;
+    }
+
+    crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
+    if (!crlGenData) {
+	SECU_PrintError(progName, "can not initialize parser structure.\n");
+	return SECFailure;
+    }
+
+    rv = CRLGEN_ExtHandleInit(crlGenData);
+    if (rv == SECFailure) {
+	SECU_PrintError(progName, "can not initialize entries handle.\n");
+	goto loser;
+    }
+	
+    rv = CRLGEN_StartCrlGen(crlGenData);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "crl generation failed");
+	goto loser;
+    }
+
+  loser:
+    /* CommitExtensionsAndEntries is partially responsible for freeing
+     * up memory that was used for CRL generation. Should be called regardless
+     * of previouse call status, but only after initialization of
+     * crlGenData was done. It will commit all changes that was done before
+     * an error has occured.
+     */
+    if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
+        SECU_PrintError(progName, "crl generation failed");
+        rv = SECFailure;
+    }
+    CRLGEN_FinalizeCrlGeneration(crlGenData);    
+    return rv;
+}
+
+static SECStatus
+SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert,
+                char *outFileName, SECOidTag hashAlgTag, int ascii,
+                char *slotName, char *url, secuPWData *pwdata)
+{
+    PK11SlotInfo *slot = NULL;
+    PRFileDesc   *outFile = NULL;
+    SECStatus rv;
+    SignAndEncodeFuncExitStat errCode;
+
+    PORT_Assert(signCrl && (!ascii || outFileName));
+    if (!signCrl || (ascii && !outFileName)) {
+        SECU_PrintError(progName, "invalid args for function "
+                        "SignAndStoreCrl\n");
+        return SECFailure;
+    }
+
+    if (!slotName || !PL_strcmp(slotName, "internal"))
+	slot = PK11_GetInternalKeySlot();
+    else
+	slot = PK11_FindSlotByName(slotName);
+    if (!slot) {
+	SECU_PrintError(progName, "can not find requested slot");
+	return SECFailure;
+    }
+
+    if (PK11_NeedLogin(slot)) {
+        rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
+    if (rv != SECSuccess) {
+        char* errMsg = NULL;
+        switch (errCode)
+        {
+            case noKeyFound:
+                errMsg = "No private key found of signing cert";
+                break;
+
+            case noSignatureMatch:
+                errMsg = "Key and Algorithm OId are do not match";
+                break;
+
+            default:
+            case failToEncode:
+                errMsg = "Failed to encode crl structure";
+                break;
+
+            case failToSign:
+                errMsg = "Failed to sign crl structure";
+                break;
+
+            case noMem:
+                errMsg = "Can not allocate memory";
+                break;
+        }
+	SECU_PrintError(progName, "%s\n", errMsg);
+	goto loser;
+    }
+
+    if (outFileName) {
+	outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
+	if (!outFile) {
+	    SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
+			    outFileName);
+	    goto loser;
+	}
+    }
+
+    rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "fail to save CRL\n");
+    }
+
+  loser:
+    if (outFile)
+	PR_Close(outFile);
+    if (slot)
+	PK11_FreeSlot(slot);
+    return rv;
+}
+
+static SECStatus
+GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName, 
+	     PRFileDesc *inCrlInitFile,  PRFileDesc *inFile,
+	     char *outFileName, int ascii, char *slotName,
+	     PRInt32 importOptions, char *alg, PRBool quiet,
+             PRInt32 decodeOptions, char *url, secuPWData *pwdata,
+             int modifyFlag)
+{
+    CERTCertificate *cert = NULL;
+    CERTSignedCrl *signCrl = NULL;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
+
+    if (alg) {
+        hashAlgTag = SECU_StringToSignatureAlgTag(alg);
+        if (hashAlgTag == SEC_OID_UNKNOWN) {
+            SECU_PrintError(progName, "%s -Z:  %s is not a recognized type.\n",
+                            progName, alg);
+            return SECFailure;
+        }
+    } else {
+        hashAlgTag = SEC_OID_UNKNOWN;
+    }
+
+    arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (!arena) {
+        SECU_PrintError(progName, "fail to allocate memory\n");
+        return SECFailure;
+    }
+
+    if (modifyFlag == PR_TRUE) {
+        signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
+                                         inFile, decodeOptions, importOptions);
+        if (signCrl == NULL) {
+            goto loser;
+        }
+    }
+
+    if (!cert) {
+        cert = FindSigningCert(certHandle, signCrl, certNickName);
+        if (cert == NULL) {
+            goto loser;
+        }
+    }
+
+    if (!signCrl) {
+        if (modifyFlag == PR_TRUE) {
+            if (!outFileName) {
+                int len = strlen(certNickName) + 5;
+                outFileName = PORT_ArenaAlloc(arena, len);
+                PR_snprintf(outFileName, len, "%s.crl", certNickName);
+            }
+            SECU_PrintError(progName, "Will try to generate crl. "
+                            "It will be saved in file: %s",
+                            outFileName);
+        }
+        signCrl = CreateNewCrl(arena, certHandle, cert);
+        if (!signCrl)
+            goto loser;
+    }
+
+    rv = UpdateCrl(signCrl, inCrlInitFile);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
+                         slotName, url, pwdata);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (signCrl && !quiet) {
+	SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
+    }
+
+  loser:
+    if (arena && (!signCrl || !signCrl->arena))
+        PORT_FreeArena (arena, PR_FALSE);
+    if (signCrl)
+	SEC_DestroyCrl (signCrl);
+    if (cert)
+	CERT_DestroyCertificate (cert);
+    return (rv);
+}
+
+static void Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
+	    "        %s -D -n nickname [-d keydir] [-P dbprefix]\n"
+	    "        %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
+            "[-p pwd-file] -w [pwd-string]\n"
+	    "        %s -E -t crlType [-d keydir] [-P dbprefix]\n"
+	    "        %s -T\n"
+	    "        %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
+            "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
+            "[-a] [-B]\n",
+	    progName, progName, progName, progName, progName, progName);
+
+    fprintf (stderr, "%-15s List CRL\n", "-L");
+    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
+	    "-n nickname");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
+	    "-P dbprefix");
+   
+    fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");    
+    fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
+	    "-n nickname");
+    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
+	    "-P dbprefix");
+
+    fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
+    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
+	    "-P dbprefix");
+
+    fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");    
+    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
+	    "-i crl");
+    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
+    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
+	    "-P dbprefix");
+#ifdef DEBUG
+    fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
+#endif
+    fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
+    fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
+    fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");        
+    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
+    fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
+    fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
+    fprintf(stderr, "\n%-15s Create CRL\n", "-G");
+    fprintf(stderr, "%-15s Modify CRL\n", "-M");
+    fprintf(stderr, "%-20s Specify crl initialization file\n",
+	    "-c crl-conf-file");
+    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
+	    "-n nickname");
+    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
+	    "-i crl");
+    fprintf(stderr, "%-20s Specify a CRL output file\n",
+	    "-o crl-output-file");
+    fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
+	    "-a");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Provide path to a default pwd file\n",
+	    "-f pwd-file");
+    fprintf(stderr, "%-20s Provide db password in command line\n",
+	    "-w pwd-string");
+    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
+	    "-P dbprefix");
+    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
+    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
+
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    SECItem privKeyDER;
+    CERTCertDBHandle *certHandle;
+    FILE *certFile;
+    PRFileDesc *inFile;
+    PRFileDesc *inCrlInitFile = NULL;
+    int generateCRL;
+    int modifyCRL;
+    int listCRL;
+    int importCRL;
+    int deleteCRL;
+    int rv;
+    char *nickName;
+    char *url;
+    char *dbPrefix = "";
+    char *alg = NULL;
+    char *outFile = NULL;
+    char *slotName = NULL;
+    int ascii = 0;
+    int crlType;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus secstatus;
+    PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
+    PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
+    PRBool quiet = PR_FALSE;
+    PRBool test = PR_FALSE;
+    PRBool erase = PR_FALSE;
+    PRInt32 i = 0;
+    PRInt32 iterations = 1;
+    PRBool readonly = PR_FALSE;
+
+    secuPWData  pwdata          = { PW_NONE, 0 };
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = 0;
+    deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = 0;
+    certFile = NULL;
+    inFile = NULL;
+    nickName = url = NULL;
+    privKeyDER.data = NULL;
+    certHandle = NULL;
+    crlType = SEC_CRL_TYPE;
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, "sqBCDGILMTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+          case 'T':
+            test = PR_TRUE;
+            break;
+
+          case 'E':
+            erase = PR_TRUE;
+            break;
+
+	  case 'B':
+            importOptions |= CRL_IMPORT_BYPASS_CHECKS;
+            break;
+
+	  case 'G':
+	    generateCRL = 1;
+	    break;
+
+          case 'M':
+            modifyCRL = 1;
+            break;
+
+	  case 'D':
+	      deleteCRL = 1;
+	      break;
+
+	  case 'I':
+	      importCRL = 1;
+	      break;
+	           
+	  case 'C':
+	  case 'L':
+	      listCRL = 1;
+	      break;
+
+	  case 'P':
+ 	    dbPrefix = strdup(optstate->value);
+ 	    break;
+              
+	  case 'Z':
+              alg = strdup(optstate->value);
+              break;
+              
+	  case 'a':
+	      ascii = 1;
+	      break;
+
+	  case 'c':
+              inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
+              if (!inCrlInitFile) {
+                  PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
+                             progName, optstate->value);
+                  PL_DestroyOptState(optstate);
+                  return -1;
+              }
+              break;
+	    
+	  case 'd':
+              SECU_ConfigDirectory(optstate->value);
+              break;
+
+	  case 'f':
+	      pwdata.source = PW_FROMFILE;
+	      pwdata.data = strdup(optstate->value);
+	      break;
+
+	  case 'h':
+              slotName = strdup(optstate->value);
+              break;
+
+	  case 'i':
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!inFile) {
+		PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		PL_DestroyOptState(optstate);
+		return -1;
+	    }
+	    break;
+	    
+	  case 'n':
+	    nickName = strdup(optstate->value);
+	    break;
+
+	  case 'o':
+	    outFile = strdup(optstate->value);
+	    break;
+	    
+	  case 'p':
+	    decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
+	    break;
+
+	  case 'r': {
+	    const char* str = optstate->value;
+	    if (str && atoi(str)>0)
+		iterations = atoi(str);
+	    }
+	    break;
+	    
+	  case 't': {
+	    char *type;
+	    
+	    type = strdup(optstate->value);
+	    crlType = atoi (type);
+	    if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
+		PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
+		PL_DestroyOptState(optstate);
+		return -1;
+	    }
+	    break;
+
+	  case 'q':
+            quiet = PR_TRUE;
+	    break;
+
+	  case 'w':
+	      pwdata.source = PW_PLAINTEXT;
+	      pwdata.data = strdup(optstate->value);
+	      break;
+
+	  case 'u':
+	    url = strdup(optstate->value);
+	    break;
+
+          }
+	}
+    }
+    PL_DestroyOptState(optstate);
+
+    if (deleteCRL && !nickName) Usage (progName);
+    if (importCRL && !inFile) Usage (progName);
+    if ((generateCRL && !nickName) ||
+        (modifyCRL && !inFile && !nickName)) Usage (progName);
+    if (!(listCRL || deleteCRL || importCRL || generateCRL ||
+	  modifyCRL || test || erase)) Usage (progName);
+
+    if (listCRL) {
+        readonly = PR_TRUE;
+    }
+    
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
+			       "secmod.db", readonly ? NSS_INIT_READONLY : 0);
+    if (secstatus != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+    SECU_RegisterDynamicOids();
+
+    certHandle = CERT_GetDefaultCertDB();
+    if (certHandle == NULL) {
+	SECU_PrintError(progName, "unable to open the cert db");	    	
+	/*ignoring return value of NSS_Shutdown() as code returns -1*/
+	(void) NSS_Shutdown();
+	return (-1);
+    }
+
+    CRLGEN_InitCrlGenParserLock();
+
+    for (i=0; i<iterations; i++) {
+	/* Read in the private key info */
+	if (deleteCRL) 
+	    DeleteCRL (certHandle, nickName, crlType);
+	else if (listCRL) {
+	    rv = ListCRL (certHandle, nickName, crlType);
+	}
+	else if (importCRL) {
+	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
+			    decodeOptions);
+	} else if (generateCRL || modifyCRL) {
+	    if (!inCrlInitFile)
+		inCrlInitFile = PR_STDIN;
+	    rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
+			      inFile, outFile, ascii,  slotName,
+			      importOptions, alg, quiet,
+			      decodeOptions, url, &pwdata,
+			      modifyCRL);
+	}
+	else if (erase) {
+	    /* list and delete all CRLs */
+	    ListCRLNames (certHandle, crlType, PR_TRUE);
+	}
+#ifdef DEBUG
+	else if (test) {
+	    /* list and delete all CRLs */
+	    ListCRLNames (certHandle, crlType, PR_TRUE);
+	    /* list CRLs */
+	    ListCRLNames (certHandle, crlType, PR_FALSE);
+	    /* import CRL as a blob */
+	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
+			    decodeOptions);
+	    /* list CRLs */
+	    ListCRLNames (certHandle, crlType, PR_FALSE);
+	}
+#endif    
+    }
+
+    CRLGEN_DestroyCrlGenParserLock();
+
+    if (NSS_Shutdown() != SECSuccess) {
+        rv = SECFailure;
+    }
+
+    return (rv != SECSuccess);
+}
diff --git a/security/nss/cmd/crlutil/manifest.mn b/security/nss/cmd/crlutil/manifest.mn
new file mode 100644
index 000000000..c56ac20c7
--- /dev/null
+++ b/security/nss/cmd/crlutil/manifest.mn
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = crlgen_lex.c crlgen.c crlutil.c 
+
+# this has to be different for NT and UNIX.
+# PROGRAM	= ./$(OBJDIR)/crlutil.exe
+PROGRAM	= crlutil
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/crmf-cgi/Makefile b/security/nss/cmd/crmf-cgi/Makefile
new file mode 100644
index 000000000..1d0bb7b95
--- /dev/null
+++ b/security/nss/cmd/crmf-cgi/Makefile
@@ -0,0 +1,85 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+EXTRA_LIBS += $(DIST)/lib/crmf.lib
+else
+EXTRA_LIBS += $(DIST)/lib/libcrmf.$(LIB_SUFFIX) 
+endif
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/crmf-cgi/config.mk b/security/nss/cmd/crmf-cgi/config.mk
new file mode 100644
index 000000000..f3a06d153
--- /dev/null
+++ b/security/nss/cmd/crmf-cgi/config.mk
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(PROGRAM)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+LIBRARY        =
+
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.c b/security/nss/cmd/crmf-cgi/crmfcgi.c
new file mode 100644
index 000000000..8a33a01ee
--- /dev/null
+++ b/security/nss/cmd/crmf-cgi/crmfcgi.c
@@ -0,0 +1,1122 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "seccomon.h"
+#include "nss.h"
+#include "key.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "secmod.h"
+#include "cmmf.h"
+#include "crmf.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "cryptohi.h"
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#define DEFAULT_ALLOC_SIZE 200
+#define DEFAULT_CGI_VARS   20
+
+typedef struct CGIVariableStr {
+  char *name;
+  char *value;
+} CGIVariable;
+
+typedef struct CGIVarTableStr {
+  CGIVariable **variables;
+  int           numVars;
+  int           numAlloc; 
+} CGIVarTable;
+
+typedef struct CertResponseInfoStr {
+  CERTCertificate *cert;
+  long             certReqID;
+} CertResponseInfo;
+
+typedef struct ChallengeCreationInfoStr {
+  long             random;
+  SECKEYPublicKey *pubKey;
+} ChallengeCreationInfo;
+
+char *missingVar = NULL;
+
+/*
+ * Error values.
+ */
+typedef enum {
+  NO_ERROR = 0,
+  NSS_INIT_FAILED,
+  AUTH_FAILED,
+  REQ_CGI_VAR_NOT_PRESENT,
+  CRMF_REQ_NOT_PRESENT,
+  BAD_ASCII_FOR_REQ,
+  CGI_VAR_MISSING,
+  COULD_NOT_FIND_CA,
+  COULD_NOT_DECODE_REQS,
+  OUT_OF_MEMORY,
+  ERROR_RETRIEVING_REQUEST_MSG,
+  ERROR_RETRIEVING_CERT_REQUEST,
+  ERROR_RETRIEVING_SUBJECT_FROM_REQ,
+  ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ,
+  ERROR_CREATING_NEW_CERTIFICATE,
+  COULD_NOT_START_EXTENSIONS,
+  ERROR_RETRIEVING_EXT_FROM_REQ,
+  ERROR_ADDING_EXT_TO_CERT,
+  ERROR_ENDING_EXTENSIONS,
+  COULD_NOT_FIND_ISSUER_PRIVATE_KEY,
+  UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER,
+  ERROR_SETTING_SIGN_ALG,
+  ERROR_ENCODING_NEW_CERT,
+  ERROR_SIGNING_NEW_CERT,
+  ERROR_CREATING_CERT_REP_CONTENT,
+  ERROR_CREATING_SINGLE_CERT_RESPONSE,
+  ERROR_SETTING_CERT_RESPONSES,
+  ERROR_CREATING_CA_LIST,
+  ERROR_ADDING_ISSUER_TO_CA_LIST,
+  ERROR_ENCODING_CERT_REP_CONTENT,
+  NO_POP_FOR_REQUEST,
+  UNSUPPORTED_POP,
+  ERROR_RETRIEVING_POP_SIGN_KEY,
+  ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY,
+  ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY,
+  DO_CHALLENGE_RESPONSE,
+  ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT,
+  ERROR_ENCODING_CERT_REQ_FOR_POP,
+  ERROR_VERIFYING_SIGNATURE_POP,
+  ERROR_RETRIEVING_PUB_KEY_FOR_CHALL,
+  ERROR_CREATING_EMPTY_CHAL_CONTENT,
+  ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER,
+  ERROR_SETTING_CHALLENGE,
+  ERROR_ENCODING_CHALL,
+  ERROR_CONVERTING_CHALL_TO_BASE64,
+  ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN,
+  ERROR_CREATING_KEY_RESP_FROM_DER,
+  ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE,
+  ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED,
+  ERROR_GETTING_KEY_ENCIPHERMENT,
+  ERROR_NO_POP_FOR_PRIVKEY,
+  ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE
+} ErrorCode;
+
+const char *
+CGITableFindValue(CGIVarTable *varTable, const char *key);
+
+void
+spitOutHeaders(void)
+{
+  printf("Content-type: text/html\n\n");
+}
+
+void
+dumpRequest(CGIVarTable *varTable)
+{
+  int i;
+  CGIVariable *var;
+
+  printf ("<table border=1 cellpadding=1 cellspacing=1 width=\"100%%\">\n");
+  printf ("<tr><td><b><center>Variable Name<center></b></td>"
+          "<td><b><center>Value</center></b></td></tr>\n");
+  for (i=0; i<varTable->numVars; i++) {
+    var = varTable->variables[i];
+    printf ("<tr><td><pre>%s</pre></td><td><pre>%s</pre></td></tr>\n", 
+             var->name, var->value);
+  }
+  printf("</table>\n");
+}
+
+void
+echo_request(CGIVarTable *varTable)
+{
+  spitOutHeaders();
+  printf("<html><head><title>CGI Echo Page</title></head>\n"
+	 "<body><h1>Got the following request</h1>\n");
+  dumpRequest(varTable);
+  printf("</body></html>");
+}
+
+void
+processVariable(CGIVariable *var)
+{
+  char *plusSign, *percentSign;
+
+  /*First look for all of the '+' and convert them to spaces */
+  plusSign = var->value;
+  while ((plusSign=strchr(plusSign, '+')) != NULL) {
+    *plusSign = ' ';
+  }
+  percentSign = var->value;
+  while ((percentSign=strchr(percentSign, '%')) != NULL) {
+    char string[3];
+    int  value;
+
+    string[0] = percentSign[1];
+    string[1] = percentSign[2];
+    string[2] = '\0';
+
+    sscanf(string,"%x", &value);
+    *percentSign = (char)value;
+    memmove(&percentSign[1], &percentSign[3], 1+strlen(&percentSign[3]));
+  }
+}
+
+char *
+parseNextVariable(CGIVarTable *varTable, char *form_output)
+{
+  char *ampersand, *equal;
+  CGIVariable *var;
+
+  if (varTable->numVars == varTable->numAlloc) {
+    CGIVariable **newArr = realloc(varTable->variables, 
+                                   (varTable->numAlloc + DEFAULT_CGI_VARS)*sizeof(CGIVariable*));
+    if (newArr == NULL) {
+      return NULL;
+    }
+    varTable->variables = newArr;
+    varTable->numAlloc += DEFAULT_CGI_VARS;
+  }
+  equal     = strchr(form_output, '=');
+  if (equal == NULL) {
+    return NULL;
+  }
+  ampersand = strchr(equal, '&');
+  if (ampersand == NULL) {
+    return NULL;
+  }
+  equal[0] = '\0';
+  if (ampersand != NULL) {
+    ampersand[0] = '\0';
+  }
+  var = malloc(sizeof(CGIVariable));
+  var->name = form_output; 
+  var->value = &equal[1];
+  varTable->variables[varTable->numVars] = var;
+  varTable->numVars++;
+  processVariable(var);
+  return (ampersand != NULL) ? &ampersand[1] : NULL;
+}
+
+void
+ParseInputVariables(CGIVarTable *varTable, char *form_output)
+{
+  varTable->variables = malloc(sizeof(CGIVariable*)*DEFAULT_CGI_VARS);
+  varTable->numVars = 0;
+  varTable->numAlloc = DEFAULT_CGI_VARS;
+  while (form_output && form_output[0] != '\0') {
+    form_output = parseNextVariable(varTable, form_output);
+  }
+}
+
+const char *
+CGITableFindValue(CGIVarTable *varTable, const char *key)
+{
+  const char *retVal = NULL;
+  int i;
+
+  for (i=0; i<varTable->numVars; i++) {
+    if (strcmp(varTable->variables[i]->name, key) == 0) {
+      retVal = varTable->variables[i]->value;
+      break;
+    } 
+  }
+  return retVal;
+}
+
+char*
+passwordCallback(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+  const char *passwd;
+  if (retry) {
+    return NULL;
+  }
+  passwd = CGITableFindValue((CGIVarTable*)arg, "dbPassword");
+  if (passwd == NULL) {
+    return NULL;
+  }
+  return PORT_Strdup(passwd);
+}
+
+ErrorCode
+initNSS(CGIVarTable *varTable)
+{
+  const char *nssDir;
+  PK11SlotInfo *keySlot;
+  SECStatus rv;
+
+  nssDir = CGITableFindValue(varTable,"NSSDirectory");
+  if (nssDir == NULL) {
+    missingVar = "NSSDirectory";
+    return REQ_CGI_VAR_NOT_PRESENT;
+  }
+  rv = NSS_Init(nssDir);
+  if (rv != SECSuccess) {
+    return NSS_INIT_FAILED;
+  }
+  PK11_SetPasswordFunc(passwordCallback);
+  keySlot = PK11_GetInternalKeySlot();
+  rv = PK11_Authenticate(keySlot, PR_FALSE, varTable);
+  PK11_FreeSlot(keySlot);
+  if (rv != SECSuccess) {
+    return AUTH_FAILED;
+  }
+  return NO_ERROR;
+}
+
+void
+dumpErrorMessage(ErrorCode errNum)
+{
+  spitOutHeaders();
+  printf("<html><head><title>Error</title></head><body><h1>Error processing "
+	 "data</h1> Received the error %d<p>", errNum);
+  if (errNum  ==   REQ_CGI_VAR_NOT_PRESENT) {
+    printf ("The missing variable is %s.", missingVar);
+  }
+  printf ("<i>More useful information here in the future.</i></body></html>");
+}
+
+ErrorCode
+initOldCertReq(CERTCertificateRequest *oldCertReq,
+	       CERTName *subject, CERTSubjectPublicKeyInfo *spki)
+{
+  PRArenaPool *poolp;
+
+  poolp = oldCertReq->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  SEC_ASN1EncodeInteger(poolp, &oldCertReq->version, 
+			SEC_CERTIFICATE_VERSION_3);
+  CERT_CopyName(poolp, &oldCertReq->subject, subject);
+  SECKEY_CopySubjectPublicKeyInfo(poolp, &oldCertReq->subjectPublicKeyInfo,
+				  spki);
+  oldCertReq->attributes = NULL;
+  return NO_ERROR;
+}
+
+ErrorCode
+addExtensions(CERTCertificate *newCert, CRMFCertRequest *certReq)
+{
+  int numExtensions, i;
+  void *extHandle;
+  ErrorCode rv = NO_ERROR;
+  CRMFCertExtension *ext;
+  SECStatus srv;
+
+  numExtensions = CRMF_CertRequestGetNumberOfExtensions(certReq);
+  if (numExtensions == 0) {
+    /* No extensions to add */
+    return NO_ERROR;
+  }
+  extHandle = CERT_StartCertExtensions(newCert);
+  if (extHandle == NULL) {
+    rv = COULD_NOT_START_EXTENSIONS;
+    goto loser;
+  }
+  for (i=0; i<numExtensions; i++) {
+    ext = CRMF_CertRequestGetExtensionAtIndex(certReq, i);
+    if (ext == NULL) {
+      rv = ERROR_RETRIEVING_EXT_FROM_REQ;
+    }
+    srv = CERT_AddExtension(extHandle, CRMF_CertExtensionGetOidTag(ext),
+			    CRMF_CertExtensionGetValue(ext),
+			    CRMF_CertExtensionGetIsCritical(ext), PR_FALSE);
+    if (srv != SECSuccess) {
+      rv = ERROR_ADDING_EXT_TO_CERT;
+    }
+  }
+  srv = CERT_FinishExtensions(extHandle);
+  if (srv != SECSuccess) {
+    rv = ERROR_ENDING_EXTENSIONS;
+    goto loser;
+  }
+  return NO_ERROR;
+ loser:
+  return rv;
+}
+
+void
+writeOutItem(const char *filePath, SECItem *der)
+{
+  PRFileDesc *outfile;
+
+  outfile = PR_Open (filePath,
+		     PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
+		     0666);
+  PR_Write(outfile, der->data, der->len);
+  PR_Close(outfile);
+
+}
+
+ErrorCode
+createNewCert(CERTCertificate**issuedCert,CERTCertificateRequest *oldCertReq,
+	      CRMFCertReqMsg *currReq, CRMFCertRequest *certReq, 
+	      CERTCertificate *issuerCert, CGIVarTable *varTable)
+{
+  CERTCertificate *newCert = NULL;
+  CERTValidity *validity;
+  PRExplodedTime printableTime;
+  PRTime now, after;
+  ErrorCode rv=NO_ERROR;
+  SECKEYPrivateKey *issuerPrivKey;
+  SECItem derCert = { 0 };
+  SECOidTag signTag;
+  SECStatus srv;
+  long version;
+
+  now = PR_Now();
+  PR_ExplodeTime(now, PR_GMTParameters, &printableTime);
+  printableTime.tm_month += 9;
+  after = PR_ImplodeTime(&printableTime);
+  validity = CERT_CreateValidity(now, after);
+  newCert = *issuedCert = 
+    CERT_CreateCertificate(rand(), &(issuerCert->subject), validity, 
+			   oldCertReq);
+  if (newCert == NULL) {
+    rv = ERROR_CREATING_NEW_CERTIFICATE;
+    goto loser;
+  }
+  rv = addExtensions(newCert, certReq);
+  if (rv != NO_ERROR) {
+    goto loser;
+  }
+  issuerPrivKey = PK11_FindKeyByAnyCert(issuerCert, varTable);
+  if (issuerPrivKey == NULL) {
+    rv = COULD_NOT_FIND_ISSUER_PRIVATE_KEY;
+  }
+  signTag = SEC_GetSignatureAlgorithmOidTag(issuerPrivatekey->keytype, 
+					    SEC_OID_UNKNOWN);
+  if (signTag == SEC_OID_UNKNOWN) {
+    rv = UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER;
+    goto loser;
+  }
+  srv = SECOID_SetAlgorithmID(newCert->arena, &newCert->signature, 
+			      signTag, 0);
+  if (srv != SECSuccess) {
+    rv = ERROR_SETTING_SIGN_ALG;
+    goto loser;
+  }
+  srv = CRMF_CertRequestGetCertTemplateVersion(certReq, &version);
+  if (srv != SECSuccess) {
+    /* No version included in the request */
+    *(newCert->version.data) = SEC_CERTIFICATE_VERSION_3;
+  } else {
+    SECITEM_FreeItem(&newCert->version, PR_FALSE);
+    SEC_ASN1EncodeInteger(newCert->arena, &newCert->version, version);
+  }
+  SEC_ASN1EncodeItem(newCert->arena, &derCert, newCert, 
+		     CERT_CertificateTemplate);
+  if (derCert.data == NULL) {
+    rv = ERROR_ENCODING_NEW_CERT;
+    goto loser;
+  }
+  srv = SEC_DerSignData(newCert->arena, &(newCert->derCert), derCert.data,
+			derCert.len, issuerPrivKey, signTag);
+  if (srv != SECSuccess) {
+    rv = ERROR_SIGNING_NEW_CERT;
+    goto loser;
+  }
+#ifdef WRITE_OUT_RESPONSE
+  writeOutItem("newcert.der", &newCert->derCert);
+#endif
+  return NO_ERROR;
+ loser:
+  *issuedCert = NULL;
+  if (newCert) {
+    CERT_DestroyCertificate(newCert);
+  }
+  return rv;
+		     
+}
+
+void
+formatCMMFResponse(char *nickname, char *base64Response)
+{
+  char *currLine, *nextLine;
+
+  printf("var retVal = crypto.importUserCertificates(\"%s\",\n", nickname);
+  currLine = base64Response;
+  while (1) {
+    nextLine = strchr(currLine, '\n');
+    if (nextLine == NULL) {
+      /* print out the last line here. */
+      printf ("\"%s\",\n", currLine);
+      break;
+    }
+    nextLine[0] = '\0';
+    printf("\"%s\\n\"+\n", currLine);
+    currLine = nextLine+1;
+  }
+  printf("true);\n"
+	 "if(retVal == '') {\n"
+	 "\tdocument.write(\"<h1>New Certificate Succesfully Imported.</h1>\");\n"
+	 "} else {\n"
+	 "\tdocument.write(\"<h2>Unable to import New Certificate</h2>\");\n"
+	 "\tdocument.write(\"crypto.importUserCertificates returned <b>\");\n"
+	 "\tdocument.write(retVal);\n"
+	 "\tdocument.write(\"</b>\");\n"
+	 "}\n");
+}
+
+void
+spitOutCMMFResponse(char *nickname, char *base64Response)
+{
+  spitOutHeaders();
+  printf("<html>\n<head>\n<title>CMMF Resonse Page</title>\n</head>\n\n"
+	 "<body><h1>CMMF Response Page</h1>\n"
+	 "<script language=\"JavaScript\">\n"
+	 "<!--\n");
+  formatCMMFResponse(nickname, base64Response);
+  printf("// -->\n"
+	 "</script>\n</body>\n</html>");
+}
+
+char*
+getNickname(CERTCertificate *cert)
+{
+  char *nickname;
+
+  if (cert->nickname != NULL) {
+    return cert->nickname;
+  }
+  nickname = CERT_GetCommonName(&cert->subject);
+  if (nickname != NULL) {
+    return nickname;
+  }
+  return CERT_NameToAscii(&cert->subject);
+}
+
+ErrorCode
+createCMMFResponse(CertResponseInfo *issuedCerts, int numCerts, 
+		   CERTCertificate *issuerCert, char **base64der)
+{
+ CMMFCertRepContent *certRepContent=NULL;
+  ErrorCode rv = NO_ERROR;
+  CMMFCertResponse **responses, *currResponse;
+  CERTCertList *caList;
+  int i;
+  SECStatus srv;
+  PRArenaPool *poolp;
+  SECItem *der;
+
+  certRepContent = CMMF_CreateCertRepContent();
+  if (certRepContent == NULL) {
+    rv = ERROR_CREATING_CERT_REP_CONTENT;
+    goto loser;
+  }
+  responses = PORT_NewArray(CMMFCertResponse*, numCerts);
+  if (responses == NULL) {
+    rv = OUT_OF_MEMORY;
+    goto loser;
+  }
+  for (i=0; i<numCerts;i++) {
+    responses[i] = currResponse = 
+      CMMF_CreateCertResponse(issuedCerts[i].certReqID);
+    if (currResponse == NULL) {
+      rv = ERROR_CREATING_SINGLE_CERT_RESPONSE;
+      goto loser;
+    }
+    CMMF_CertResponseSetPKIStatusInfoStatus(currResponse, cmmfGranted);
+    CMMF_CertResponseSetCertificate(currResponse, issuedCerts[i].cert);
+  }
+  srv = CMMF_CertRepContentSetCertResponses(certRepContent, responses,
+					    numCerts);
+  if (srv != SECSuccess) {
+    rv = ERROR_SETTING_CERT_RESPONSES;
+    goto loser;
+  }
+  caList = CERT_NewCertList();
+  if (caList == NULL) {
+    rv = ERROR_CREATING_CA_LIST;
+    goto loser;
+  }
+  srv = CERT_AddCertToListTail(caList, issuerCert);
+  if (srv != SECSuccess) {
+    rv = ERROR_ADDING_ISSUER_TO_CA_LIST;
+    goto loser;
+  }
+  srv = CMMF_CertRepContentSetCAPubs(certRepContent, caList);
+  CERT_DestroyCertList(caList);
+  poolp = PORT_NewArena(1024);
+  der = SEC_ASN1EncodeItem(poolp, NULL, certRepContent, 
+			   CMMFCertRepContentTemplate);
+  if (der == NULL) {
+    rv = ERROR_ENCODING_CERT_REP_CONTENT;
+    goto loser;
+  }
+#ifdef WRITE_OUT_RESPONSE
+  writeOutItem("CertRepContent.der", der);
+#endif
+  *base64der = BTOA_DataToAscii(der->data, der->len);
+  return NO_ERROR;
+ loser:
+  return rv;
+}
+
+ErrorCode
+issueCerts(CertResponseInfo *issuedCerts, int numCerts, 
+	   CERTCertificate *issuerCert)
+{
+  ErrorCode rv;
+  char *base64Response;
+
+  rv = createCMMFResponse(issuedCerts, numCerts, issuerCert, &base64Response);
+  if (rv != NO_ERROR) {
+    goto loser;
+  }
+  spitOutCMMFResponse(getNickname(issuedCerts[0].cert),base64Response);
+  return NO_ERROR;
+ loser:
+  return rv;
+}
+
+ErrorCode
+verifySignature(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
+		CRMFCertRequest *certReq, CERTCertificate *newCert)
+{
+  SECStatus srv;
+  ErrorCode rv = NO_ERROR;
+  CRMFPOPOSigningKey *signKey   = NULL;
+  SECAlgorithmID     *algID     = NULL;
+  SECItem            *signature = NULL;
+  SECKEYPublicKey    *pubKey    = NULL;
+  SECItem            *reqDER    = NULL;
+
+  srv = CRMF_CertReqMsgGetPOPOSigningKey(currReq, &signKey);
+  if (srv != SECSuccess || signKey == NULL) {
+    rv = ERROR_RETRIEVING_POP_SIGN_KEY;
+    goto loser;
+  }
+  algID = CRMF_POPOSigningKeyGetAlgID(signKey);
+  if (algID == NULL) {
+    rv = ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY;
+    goto loser;
+  }
+  signature = CRMF_POPOSigningKeyGetSignature(signKey);
+  if (signature == NULL) {
+    rv = ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY;
+    goto loser;
+  }
+  /* Make the length the number of bytes instead of bits */
+  signature->len = (signature->len+7)/8;
+  pubKey = CERT_ExtractPublicKey(newCert);
+  if (pubKey == NULL) {
+    rv = ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT;
+    goto loser;
+  }
+  reqDER = SEC_ASN1EncodeItem(NULL, NULL, certReq, CRMFCertRequestTemplate);
+  if (reqDER == NULL) {
+    rv = ERROR_ENCODING_CERT_REQ_FOR_POP;
+    goto loser;
+  }
+  srv = VFY_VerifyDataWithAlgorithmID(reqDER->data, reqDER->len, pubKey, 
+			signature, &algID->algorithm, NULL, varTable);
+  if (srv != SECSuccess) {
+    rv = ERROR_VERIFYING_SIGNATURE_POP;
+    goto loser;
+  }
+  /* Fall thru in successfull case. */
+ loser:
+  if (pubKey != NULL) {
+    SECKEY_DestroyPublicKey(pubKey);
+  }
+  if (reqDER != NULL) {
+    SECITEM_FreeItem(reqDER, PR_TRUE);
+  }
+  if (signature != NULL) {
+    SECITEM_FreeItem(signature, PR_TRUE);
+  }
+  if (algID != NULL) {
+    SECOID_DestroyAlgorithmID(algID, PR_TRUE);
+  }
+  if (signKey != NULL) {
+    CRMF_DestroyPOPOSigningKey(signKey);
+  }  
+  return rv;
+}
+
+ErrorCode
+doChallengeResponse(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
+		    CRMFCertRequest *certReq, CERTCertificate *newCert,
+		    ChallengeCreationInfo *challs, int *numChall)
+{
+  CRMFPOPOPrivKey *privKey = NULL;
+  CRMFPOPOPrivKeyChoice privKeyChoice;
+  SECStatus srv;
+  ErrorCode rv = NO_ERROR;
+ 
+  srv = CRMF_CertReqMsgGetPOPKeyEncipherment(currReq, &privKey);
+  if (srv != SECSuccess || privKey == NULL) {
+    rv = ERROR_GETTING_KEY_ENCIPHERMENT;
+    goto loser;
+  } 
+  privKeyChoice = CRMF_POPOPrivKeyGetChoice(privKey);
+  CRMF_DestroyPOPOPrivKey(privKey);
+  switch (privKeyChoice) {
+  case crmfSubsequentMessage:
+    challs = &challs[*numChall];
+    challs->random = rand();
+    challs->pubKey = CERT_ExtractPublicKey(newCert);
+    if (challs->pubKey == NULL) {
+      rv = ERROR_RETRIEVING_PUB_KEY_FOR_CHALL;
+      goto loser;
+    }
+    (*numChall)++;
+    rv = DO_CHALLENGE_RESPONSE;
+    break;
+  case crmfThisMessage:
+    /* There'd better be a PKIArchiveControl in this message */
+    if (!CRMF_CertRequestIsControlPresent(certReq, 
+					  crmfPKIArchiveOptionsControl)) {
+      rv = ERROR_NO_POP_FOR_PRIVKEY;
+      goto loser;
+    }
+    break;
+  default:
+    rv = ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE;
+    goto loser;
+  }
+loser:
+  return rv;
+}
+
+ErrorCode
+doProofOfPossession(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
+		    CRMFCertRequest *certReq, CERTCertificate *newCert,
+		    ChallengeCreationInfo *challs, int *numChall)
+{
+  CRMFPOPChoice popChoice;
+  ErrorCode rv = NO_ERROR;
+
+  popChoice = CRMF_CertReqMsgGetPOPType(currReq);
+  if (popChoice == crmfNoPOPChoice) {
+    rv = NO_POP_FOR_REQUEST;
+    goto loser;
+  }
+  switch (popChoice) {
+  case crmfSignature:
+    rv = verifySignature(varTable, currReq, certReq, newCert);
+    break;
+  case crmfKeyEncipherment:
+    rv = doChallengeResponse(varTable, currReq, certReq, newCert,
+			     challs, numChall);
+    break;
+  case crmfRAVerified:
+  case crmfKeyAgreement:
+  default:
+    rv = UNSUPPORTED_POP;
+    goto loser;
+  }
+ loser:
+  return rv;
+}
+
+void
+convertB64ToJS(char *base64)
+{
+  int i;
+
+  for (i=0; base64[i] != '\0'; i++) {
+    if (base64[i] == '\n') {
+      printf ("\\n");
+    }else {
+      printf ("%c", base64[i]);
+    }
+  }
+}
+
+void
+formatChallenge(char *chall64, char *certRepContentDER,
+		 ChallengeCreationInfo *challInfo, int numChalls)
+{
+  printf ("function respondToChallenge() {\n"
+	  "  var chalForm = document.chalForm;\n\n"
+	  "  chalForm.CertRepContent.value = '");
+  convertB64ToJS(certRepContentDER);
+  printf ("';\n"
+	  "  chalForm.ChallResponse.value = crypto.popChallengeResponse('");
+  convertB64ToJS(chall64);
+  printf("');\n"
+	 "  chalForm.submit();\n"
+	 "}\n");
+
+}
+
+void
+spitOutChallenge(char *chall64, char *certRepContentDER,
+		 ChallengeCreationInfo *challInfo, int numChalls,
+		 char *nickname)
+{
+  int i;
+
+  spitOutHeaders();
+  printf("<html>\n"
+	 "<head>\n"
+	 "<title>Challenge Page</title>\n"
+	 "<script language=\"JavaScript\">\n"
+	 "<!--\n");
+  /* The JavaScript function actually gets defined within
+   * this function call
+   */
+  formatChallenge(chall64, certRepContentDER, challInfo, numChalls);
+  printf("// -->\n"
+	 "</script>\n"
+	 "</head>\n"
+	 "<body onLoad='respondToChallenge()'>\n"
+	 "<h1>Cartman is now responding to the Challenge "
+	 "presented by the CGI</h1>\n"
+	 "<form action='crmfcgi' method='post' name='chalForm'>\n"
+	 "<input type='hidden' name=CertRepContent value=''>\n"
+	 "<input type='hidden' name=ChallResponse value=''>\n");
+  for (i=0;i<numChalls; i++) {
+    printf("<input type='hidden' name='chal%d' value='%d'>\n",
+	   i+1, challInfo[i].random);
+  }
+  printf("<input type='hidden' name='nickname' value='%s'>\n", nickname);
+  printf("</form>\n</body>\n</html>");
+}
+
+ErrorCode
+issueChallenge(CertResponseInfo *issuedCerts, int numCerts, 
+	       ChallengeCreationInfo *challInfo, int numChalls,
+	       CERTCertificate *issuer, CGIVarTable *varTable)
+{
+  ErrorCode rv = NO_ERROR;
+  CMMFPOPODecKeyChallContent *chalContent = NULL;
+  int i;
+  SECStatus srv;
+  PRArenaPool *poolp;
+  CERTGeneralName *genName;
+  SECItem *challDER = NULL;
+  char *chall64, *certRepContentDER;
+
+  rv = createCMMFResponse(issuedCerts, numCerts, issuer, 
+			  &certRepContentDER);
+  if (rv != NO_ERROR) {
+    goto loser;
+  }
+  chalContent = CMMF_CreatePOPODecKeyChallContent();
+  if (chalContent == NULL) {
+    rv = ERROR_CREATING_EMPTY_CHAL_CONTENT;
+    goto loser;
+  }
+  poolp = PORT_NewArena(1024);
+  if (poolp == NULL) {
+    rv = OUT_OF_MEMORY;
+    goto loser;
+  }
+  genName = CERT_GetCertificateNames(issuer, poolp);
+  if (genName == NULL) {
+    rv = ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER;
+    goto loser;
+  }
+  for (i=0;i<numChalls;i++) {
+    srv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
+						      challInfo[i].random,
+						      genName,
+						      challInfo[i].pubKey,
+						      varTable);
+    SECKEY_DestroyPublicKey(challInfo[i].pubKey);
+    if (srv != SECSuccess) {
+      rv = ERROR_SETTING_CHALLENGE;
+      goto loser;
+    }
+  }
+  challDER = SEC_ASN1EncodeItem(NULL, NULL, chalContent, 
+				CMMFPOPODecKeyChallContentTemplate);
+  if (challDER == NULL) {
+    rv = ERROR_ENCODING_CHALL;
+    goto loser;
+  }
+  chall64 = BTOA_DataToAscii(challDER->data, challDER->len);
+  SECITEM_FreeItem(challDER, PR_TRUE);
+  if (chall64 == NULL) {
+    rv = ERROR_CONVERTING_CHALL_TO_BASE64;
+    goto loser;
+  }
+  spitOutChallenge(chall64, certRepContentDER, challInfo, numChalls,
+		   getNickname(issuedCerts[0].cert));
+ loser:
+  return rv;
+}
+
+
+ErrorCode
+processRequest(CGIVarTable *varTable)
+{
+  CERTCertDBHandle *certdb;
+  SECKEYKeyDBHandle *keydb;
+  CRMFCertReqMessages *certReqs = NULL;
+  const char *crmfReq;
+  const char *caNickname;
+  CERTCertificate *caCert = NULL;
+  CertResponseInfo *issuedCerts = NULL;
+  CERTSubjectPublicKeyInfo spki = { 0 };
+  ErrorCode rv=NO_ERROR;
+  PRBool doChallengeResponse = PR_FALSE;
+  SECItem der = { 0 };
+  SECStatus srv;
+  CERTCertificateRequest oldCertReq = { 0 };
+  CRMFCertReqMsg **reqMsgs = NULL,*currReq = NULL;
+  CRMFCertRequest **reqs = NULL, *certReq = NULL;
+  CERTName         subject = { 0 };
+  int numReqs,i;
+  ChallengeCreationInfo *challInfo=NULL;
+  int numChalls = 0;
+
+  certdb = CERT_GetDefaultCertDB();
+  keydb = SECKEY_GetDefaultKeyDB();
+  crmfReq = CGITableFindValue(varTable, "CRMFRequest");
+  if (crmfReq == NULL) {
+    rv = CGI_VAR_MISSING;
+    missingVar = "CRMFRequest";
+    goto loser;
+  }
+  caNickname = CGITableFindValue(varTable, "CANickname");
+  if (caNickname == NULL) {
+    rv = CGI_VAR_MISSING;
+    missingVar = "CANickname";
+    goto loser;
+  }
+  caCert = CERT_FindCertByNickname(certdb, caNickname);
+  if (caCert == NULL) {
+    rv = COULD_NOT_FIND_CA;
+    goto loser;
+  }
+  srv = ATOB_ConvertAsciiToItem(&der, crmfReq);
+  if (srv != SECSuccess) {
+    rv = BAD_ASCII_FOR_REQ;
+    goto loser;
+  }
+  certReqs = CRMF_CreateCertReqMessagesFromDER(der.data, der.len);
+  SECITEM_FreeItem(&der, PR_FALSE);
+  if (certReqs == NULL) {
+    rv = COULD_NOT_DECODE_REQS;
+    goto loser;
+  }
+  numReqs = CRMF_CertReqMessagesGetNumMessages(certReqs);
+  issuedCerts = PORT_ZNewArray(CertResponseInfo, numReqs);
+  challInfo   = PORT_ZNewArray(ChallengeCreationInfo, numReqs);
+  if (issuedCerts == NULL || challInfo == NULL) {
+    rv = OUT_OF_MEMORY;
+    goto loser;
+  }
+  reqMsgs = PORT_ZNewArray(CRMFCertReqMsg*,   numReqs);
+  reqs    = PORT_ZNewArray(CRMFCertRequest*, numReqs);
+  if (reqMsgs == NULL || reqs == NULL) {
+    rv =   OUT_OF_MEMORY;
+    goto loser;
+  }
+  for (i=0; i<numReqs; i++) {
+    currReq = reqMsgs[i] = 
+      CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqs, i);
+    if (currReq == NULL) {
+      rv = ERROR_RETRIEVING_REQUEST_MSG;
+      goto loser;
+    }
+    certReq = reqs[i] = CRMF_CertReqMsgGetCertRequest(currReq);
+    if (certReq == NULL) {
+      rv = ERROR_RETRIEVING_CERT_REQUEST;
+      goto loser;
+    }
+    srv = CRMF_CertRequestGetCertTemplateSubject(certReq, &subject);
+    if (srv != SECSuccess) {
+      rv = ERROR_RETRIEVING_SUBJECT_FROM_REQ;
+      goto loser;
+    }
+    srv = CRMF_CertRequestGetCertTemplatePublicKey(certReq, &spki);
+    if (srv != SECSuccess) {
+      rv = ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ;
+      goto loser;
+    }
+    rv = initOldCertReq(&oldCertReq, &subject, &spki);
+    if (rv != NO_ERROR) {
+      goto loser;
+    }
+    rv = createNewCert(&issuedCerts[i].cert, &oldCertReq, currReq, certReq, 
+		       caCert, varTable);
+    if (rv != NO_ERROR) {
+      goto loser;
+    }
+    rv = doProofOfPossession(varTable, currReq, certReq, issuedCerts[i].cert,
+			     challInfo, &numChalls);
+    if (rv != NO_ERROR) {
+      if (rv == DO_CHALLENGE_RESPONSE) {
+	doChallengeResponse = PR_TRUE;
+      } else {
+	goto loser;
+      }
+    }
+    CRMF_CertReqMsgGetID(currReq, &issuedCerts[i].certReqID);
+    CRMF_DestroyCertReqMsg(currReq);
+    CRMF_DestroyCertRequest(certReq);
+  }
+  if (doChallengeResponse) {
+    rv = issueChallenge(issuedCerts, numReqs, challInfo, numChalls, caCert,
+			varTable);
+  } else {
+    rv = issueCerts(issuedCerts, numReqs, caCert);
+  }
+ loser:
+  if (certReqs != NULL) {
+    CRMF_DestroyCertReqMessages(certReqs);
+  }
+  return rv;
+}
+
+ErrorCode
+processChallengeResponse(CGIVarTable *varTable, const char *certRepContent)
+{
+  SECItem binDER = { 0 };
+  SECStatus srv;
+  ErrorCode rv = NO_ERROR;
+  const char *clientResponse;
+  const char *formChalValue;
+  const char *nickname;
+  CMMFPOPODecKeyRespContent *respContent = NULL;
+  int numResponses,i;
+  long curResponse, expectedResponse;
+  char cgiChalVar[10];
+#ifdef WRITE_OUT_RESPONSE
+  SECItem certRepBinDER = { 0 };
+
+  ATOB_ConvertAsciiToItem(&certRepBinDER, certRepContent);
+  writeOutItem("challCertRepContent.der", &certRepBinDER);
+  PORT_Free(certRepBinDER.data);
+#endif  
+  clientResponse = CGITableFindValue(varTable, "ChallResponse");
+  if (clientResponse == NULL) {
+    rv =   REQ_CGI_VAR_NOT_PRESENT;
+    missingVar = "ChallResponse";
+    goto loser;
+  }
+  srv = ATOB_ConvertAsciiToItem(&binDER, clientResponse);
+  if (srv != SECSuccess) {
+    rv = ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN;
+    goto loser;
+  }
+  respContent = CMMF_CreatePOPODecKeyRespContentFromDER(binDER.data,
+							binDER.len);
+  SECITEM_FreeItem(&binDER, PR_FALSE);
+  binDER.data = NULL;
+  if (respContent == NULL) {
+    rv = ERROR_CREATING_KEY_RESP_FROM_DER;
+    goto loser;
+  }
+  numResponses = CMMF_POPODecKeyRespContentGetNumResponses(respContent);
+  for (i=0;i<numResponses;i++){
+    srv = CMMF_POPODecKeyRespContentGetResponse(respContent,i,&curResponse);
+    if (srv != SECSuccess) {
+      rv = ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE;
+      goto loser;
+    }
+    sprintf(cgiChalVar, "chal%d", i+1);
+    formChalValue = CGITableFindValue(varTable, cgiChalVar);
+    if (formChalValue == NULL) {
+      rv = REQ_CGI_VAR_NOT_PRESENT;
+      missingVar = strdup(cgiChalVar);
+      goto loser;
+    }
+    sscanf(formChalValue, "%ld", &expectedResponse);
+    if (expectedResponse != curResponse) {
+      rv = ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED;
+      goto loser;
+    }
+  }
+  nickname = CGITableFindValue(varTable, "nickname");
+  if (nickname == NULL) {
+    rv = REQ_CGI_VAR_NOT_PRESENT;
+    missingVar = "nickname";
+    goto loser;
+  }
+  spitOutCMMFResponse(nickname, certRepContent);
+ loser:
+  if (respContent != NULL) {
+    CMMF_DestroyPOPODecKeyRespContent(respContent);
+  }
+  return rv;
+}
+
+int
+main()
+{
+  char *form_output = NULL;
+  int   form_output_len, form_output_used;
+  CGIVarTable varTable = { 0 };
+  ErrorCode errNum = 0;
+  char *certRepContent;
+
+#ifdef ATTACH_CGI
+  /* Put an ifinite loop in here so I can attach to 
+   * the process after the process is spun off
+   */
+  { int stupid = 1;
+    while (stupid);
+  }
+#endif
+
+  form_output_used = 0;
+  srand(time(NULL));
+  while (feof(stdin) == 0) {
+    if (form_output == NULL) {
+      form_output = PORT_NewArray(char, DEFAULT_ALLOC_SIZE+1);
+      form_output_len  = DEFAULT_ALLOC_SIZE;
+    } else if ((form_output_used + DEFAULT_ALLOC_SIZE) >= form_output_len) {
+      form_output_len += DEFAULT_ALLOC_SIZE;
+      form_output = PORT_Realloc(form_output, form_output_len+1);
+    }
+    form_output_used += fread(&form_output[form_output_used], sizeof(char), 
+			      DEFAULT_ALLOC_SIZE, stdin);
+  }
+  ParseInputVariables(&varTable, form_output);
+  certRepContent = CGITableFindValue(&varTable, "CertRepContent");
+  if (certRepContent == NULL) {
+    errNum = initNSS(&varTable);
+    if (errNum != 0) {
+      goto loser;
+    }
+    errNum = processRequest(&varTable);
+  } else {
+    errNum = processChallengeResponse(&varTable, certRepContent);
+  }
+  if (errNum != NO_ERROR) {
+    goto loser;
+  }
+  goto done;
+loser:
+  dumpErrorMessage(errNum);
+done:
+  free (form_output);
+  return 0;
+}
+
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.html b/security/nss/cmd/crmf-cgi/crmfcgi.html
new file mode 100644
index 000000000..f6f0d8def
--- /dev/null
+++ b/security/nss/cmd/crmf-cgi/crmfcgi.html
@@ -0,0 +1,168 @@
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+<html>
+<head>
+<title>CRMF Test Page for PSM</title>
+<script language=javascript>
+var request;
+//This variable must be set to the first value
+//in the select field "testType" in the form.
+var keyGenType="SigningOnlyRSA";
+
+var requestedDN = "CN=Javi CA Shack ID, O=NSS";
+
+function setTestType() {
+  var testType = document.crmfForm.testType;
+  
+  keyGenType = testType.options[testType.selectedIndex].value;
+}
+
+function setRequest() {
+  with (document.crmfForm) {
+    CRMFRequest.value = request.request;
+    submit();
+  }
+}
+
+function generateSignAndEncryptRSARequest() {
+    request = crypto.generateCRMFRequest(requestedDN,
+                                         null, null, null, "setRequest()",
+                                         crypto.algorithms.rsa.keyEx.keySizes[0],
+                                         null, "rsa-dual-use");    
+}
+
+function generateSigningOnlyRSARequest() {
+    request = crypto.generateCRMFRequest(requestedDN,null,null,null,"setRequest()",
+                                         crypto.algorithms.rsa.signing.keySizes[0],
+                                         null, "rsa-sign");
+}
+
+function generateEncryptionOnlyRSARequest() {
+    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
+                                         crypto.algorithms.rsa.keyEx.keySizes[0],
+                                         null, "rsa-ex");
+}
+
+function generateDualRSAKeys() {
+    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
+                                         crypto.algorithms.rsa.keyEx.keySizes[0],
+                                         null, "rsa-ex",
+                                         crypto.algorithms.rsa.signing.keySizes[0],
+                                         null, "rsa-sign");
+}
+
+function generateDSAKey() {
+    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
+                                         crypto.algorithms.dsa.keySizes[0],
+                                         null, "dsa-sign-nonrepudiation");
+}
+
+function processForm(form) {
+  with (form) {
+    if (typeof(crypto.version) == "undefined") {
+      alert('You must be running PSM in order to use this page.');
+      return false;
+    }
+    if (NSSDirectory.value == "") {
+      alert('You must provide a path for NSS to use.');
+      return false;
+    }
+    if (dbPassword.value == "") {
+      alert('You must provide a password for the certificate database.');
+      return false;
+    }
+    if (CANickname.value == "") {
+      alert('You must provide a CA Nickname to use.');
+      return false;
+    }
+    //Now do the correct key generation.
+    if (keyGenType == "SignAndEncryptRSA") {
+      generateSignAndEncryptRSARequest();
+    } else if (keyGenType == "SigningOnlyRSA") {
+      generateSigningOnlyRSARequest();
+    } else if (keyGenType == "EncryptionOnlyRSA") {
+      generateEncryptionOnlyRSARequest();
+    } else if (keyGenType == "DualRSAKeys") {
+      generateDualRSAKeys();
+    } else if (keyGenType == "DSAKeyGen") {
+      generateDSAKey();
+    }
+  }
+  return true;
+}
+</script>
+</head>
+<body>
+<h1><center>CRMF Test page for PSM</center></h1>
+This page is designed to be used in combination with the executable
+produced by ns/security/cmd/crmf-cgi in a CGI environment.  In order
+to successfully use this page, modify its action to post to a a server
+where you have installed the crmfcgi executable and you'll be able to
+test the functionality.
+<hr>
+<form name="crmfForm" method=post action="http://www.cgi-site.com/cgi-bin/crmfcgi"> 
+<h2>Certificate Database information</h2>
+First, enter all the information for the CGI to use for initializing 
+NSS.  The CGI will use the directory entered below as the directory
+where to look for the certificate and key databases.
+<pre>
+Path for NSS Config: <input size=40 type="text" name="NSSDirectory">
+</pre>
+Enter the password for the certificate database found in the direcotry
+above.
+<pre>
+Database Password:   <input type="password" name="dbPassword" size=40>
+</pre>
+Now enter the nickname of the certificate to use for signing the 
+certificate issued during this test.
+<pre>
+CA Nickname:         <input size=40 type="text" name="CANickname">
+</pre>
+<h2>Now, figure out which type of key generation you want to test:</h2>
+<select name="testType" onChange="setTestType()">`
+<option value="SigningOnlyRSA">Signing Only-RSA
+<option value="EncryptionOnlyRSA">Encryption Only-RSA
+<option value="SignAndEncryptRSA">Sign and Encrypt Single Key -RSA
+<option value="DualRSAKeys">Dual Keys-RSA
+<option value="DSAKeyGen">DSA Key Gen
+</select>
+<input type="hidden" name=CRMFRequest value="">
+<hr>
+<input type="button" value="OK" onclick="processForm(document.crmfForm)">
+</form>
+</body>
+</html>
diff --git a/security/nss/cmd/crmf-cgi/manifest.mn b/security/nss/cmd/crmf-cgi/manifest.mn
new file mode 100644
index 000000000..c8c38e224
--- /dev/null
+++ b/security/nss/cmd/crmf-cgi/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+MODULE	= sectools
+
+EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	crmfcgi.c \
+	$(NULL)
+
+
+REQUIRES = nss dbm seccmd
+
+ifdef ATTACH_CGI
+DEFINES += -DATTACH_CGI
+endif
+
+ifdef WRITE_OUT_RESPONSE
+DEFINES += -DWRITE_OUT_RESPONSE
+endif
+
+PROGRAM  = crmfcgi
+
+USE_STATIC_LIBS = 1
+
+INCLUDES = 
+
+DEFINES = -DNSPR20
diff --git a/security/nss/cmd/crmftest/Makefile b/security/nss/cmd/crmftest/Makefile
new file mode 100644
index 000000000..66d334a7d
--- /dev/null
+++ b/security/nss/cmd/crmftest/Makefile
@@ -0,0 +1,96 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include config.mk
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+OS_LIBS += -lsvld 
+endif 
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), SunOS5.6)
+OS_LIBS += -ldl -lxnet -lposix4 -lsocket -lnsl
+endif
+
+EXTRA_LIBS += $(DIST)/lib/$(LIB_PREFIX)crmf.$(LIB_SUFFIX)
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+LDDIST = $(DIST)/lib
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+EXTRA_LIBS += $(LDDIST)/sectool.lib
+endif
+
+include ../platrules.mk
diff --git a/security/nss/cmd/crmftest/config.mk b/security/nss/cmd/crmftest/config.mk
new file mode 100644
index 000000000..ea8b592d6
--- /dev/null
+++ b/security/nss/cmd/crmftest/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(PROGRAM)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+LIBRARY        =
+
diff --git a/security/nss/cmd/crmftest/manifest.mn b/security/nss/cmd/crmftest/manifest.mn
new file mode 100644
index 000000000..93786ee49
--- /dev/null
+++ b/security/nss/cmd/crmftest/manifest.mn
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+DEPTH      = .
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE	= nss
+
+EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	testcrmf.c \
+	$(NULL)
+
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+# REQUIRES = dbm
+
+PROGRAM  = crmftest
+
diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c
new file mode 100644
index 000000000..4d6b058ea
--- /dev/null
+++ b/security/nss/cmd/crmftest/testcrmf.c
@@ -0,0 +1,1710 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This program does 5 separate functions.  By default, it does them all.
+ * It can be told to do any subset of them.
+ * It does them in this order:
+ *
+ * 1. Generate file of CRMF cert requests.
+ *     Generates 2 keys pairs, one for signing, one for encryption.
+ *     Can generate RSA or DSA (XXX - DSA is only useful for signing).
+ *     Generate a cert request for each of the two public keys.
+ *     Generate a single CRMF cert request message that requests both certs.
+ *     Leave the generated CRMF request message in file
+ *         configdir/CertReqMessages.der
+ *
+ * 2. Decode CRMF Request(s) Message.
+ *	Reads in the file   configdir/CertReqMessages.der
+ *	(either generated by step 1 above, or user supplied).
+ *	Decodes it.  NOTHING MORE.  Drops these decoded results on the floor.
+ *	The CMMF response (below) contains a completely unrelated cert.  :-(
+ *
+ * 3. CMMF "Stuff".
+ *  a)  Generates a CMMF response, containing a single cert chain, as if 
+ *	it was a response to a received CRMF request.  But the cert is 
+ *	simply a user cert from the user's local soft token, whose 
+ *	nickname is given in the -p option.  The CMMF response has no
+ *	relationship to the request generated above.  The CMMF message
+ *	is placed in configdir/CertRepContent.der.
+ *  b)  Decodes the newly generated CMMF response found in file
+ *	configdir/CertRepContent.der and discards the result.  8-/
+ *  c)  Generate a CMMF Key Escrow message
+ *      needs 2 nicknames: 
+ *      It takes the public and private keys for the cert identified
+ *      by -p nickname, and wraps them with a sym key that is in turn
+ *      wrapped with the pubkey in the CA cert, whose nickname is 
+ *      given with the -s option.
+ *      Store the message in configdir/KeyRecRepContent.der
+ *  d)  Decode the CMMF Key Escrow message generated just above.
+ *      Get it from file configdir/KeyRecRepContent.der
+ *      This is just a decoder test.  Results are discarded.
+ *
+ * 4. Key Recovery
+ *	This code does not yet compile, and what it was intended to do
+ *	has not been fully determined.
+ *
+ * 5. Challenge/Response.
+ *	Haven't analyzed this code yet.
+ *
+ *
+ */
+
+/* KNOWN BUGS:
+** 1. generates BOTH signing and encryption cert requests, even for DSA keys.
+**
+** 2. Does not verify the siganture in the "Proof of Posession" in the
+**	decoded cert requests.  It only checks syntax of the POP.
+** 3. CMMF "Stuff" should be broken up into separate steps, each of 
+**	which may be optionally selected.
+*/
+
+#include <stdio.h>
+#include "nspr.h"
+#include "nss.h"
+#include "crmf.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "key.h"
+#include "cmmf.h"
+#include "plgetopt.h"
+#include "secutil.h"
+#include "pk11pqg.h"
+
+#if 0
+#include "pkcs11.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pqggen.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "secitem.h"
+#include "secasn1.h"
+#include "sechash.h"
+#endif
+
+#define MAX_KEY_LEN 512
+#define PATH_LEN    150
+#define BUFF_SIZE   150
+#define UID_BITS    800
+#define BPB           8
+#define CRMF_FILE   "CertReqMessages.der"
+
+PRTime notBefore;
+char *personalCert      = NULL;
+char *recoveryEncrypter = NULL;
+char *caCertName        = NULL;
+static secuPWData pwdata = { PW_NONE, 0 };
+char *configdir;
+PRBool doingDSA         = PR_FALSE;
+
+CERTCertDBHandle *db;
+
+typedef struct {
+    SECKEYPrivateKey *privKey;
+    SECKEYPublicKey  *pubKey;
+    CRMFCertRequest  *certReq;
+    CRMFCertReqMsg   *certReqMsg;
+} TESTKeyPair;
+
+void 
+debug_test(SECItem *src, char *filePath)
+{
+    PRFileDesc *fileDesc;
+
+    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
+			0666);
+    if (fileDesc == NULL) {
+        printf ("Could not cretae file %s.\n", filePath);
+	return;
+    }
+    PR_Write(fileDesc, src->data, src->len);
+    
+}
+
+SECStatus
+get_serial_number(long *dest)
+{
+   SECStatus   rv;
+
+   if (dest == NULL) {
+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
+       return SECFailure;
+   }
+    rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
+    /* make serial number positive */
+    if (*dest < 0L)
+    	*dest = - *dest;
+    return SECSuccess;
+}
+
+PK11RSAGenParams *
+GetRSAParams(void) 
+{
+    PK11RSAGenParams *rsaParams;
+
+    rsaParams = PORT_ZNew(PK11RSAGenParams);
+
+    if (rsaParams == NULL)
+      return NULL;
+
+    rsaParams->keySizeInBits = MAX_KEY_LEN;
+    rsaParams->pe = 0x10001;
+    
+    return rsaParams;
+    
+}
+
+PQGParams*
+GetDSAParams(void)
+{
+    PQGParams *params = NULL;
+    PQGVerify *vfy = NULL;
+
+    SECStatus  rv;
+
+    rv = PK11_PQG_ParamGen(0, &params, &vfy);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+    PK11_PQG_DestroyVerify(vfy);
+    return params;
+}
+
+/* Generate a key pair, and then generate a subjectPublicKeyInfo
+** for the public key in that pair.  return all 3.
+*/
+CERTSubjectPublicKeyInfo *
+GetSubjectPubKeyInfo(TESTKeyPair *pair)
+{
+    CERTSubjectPublicKeyInfo *spki       = NULL;
+    SECKEYPrivateKey         *privKey    = NULL;
+    SECKEYPublicKey          *pubKey     = NULL;
+    PK11SlotInfo             *keySlot    = NULL;
+    
+    keySlot = PK11_GetInternalKeySlot();
+    PK11_Authenticate(keySlot, PR_FALSE, &pwdata);
+
+
+    if (!doingDSA) {
+	PK11RSAGenParams *rsaParams = GetRSAParams();
+	if (rsaParams == NULL) {
+	    PK11_FreeSlot(keySlot);
+	    return NULL;
+	}
+	privKey = PK11_GenerateKeyPair(keySlot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+				       (void*)rsaParams, &pubKey, PR_FALSE,
+				       PR_FALSE, &pwdata);
+    } else {
+	PQGParams *dsaParams = GetDSAParams();
+	if (dsaParams == NULL) {
+	    PK11_FreeSlot(keySlot);
+	    return NULL;
+	}
+	privKey = PK11_GenerateKeyPair(keySlot, CKM_DSA_KEY_PAIR_GEN,
+				       (void*)dsaParams, &pubKey, PR_FALSE,
+				       PR_FALSE, &pwdata);
+    }
+    PK11_FreeSlot(keySlot);
+    if (privKey == NULL || pubKey == NULL) {
+        if (pubKey) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	}
+	if (privKey) {
+	    SECKEY_DestroyPrivateKey(privKey);
+	}
+	return NULL;
+    }
+
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
+    pair->privKey = privKey;
+    pair->pubKey  = pubKey;
+    return spki;
+}
+
+
+SECStatus
+InitPKCS11(void)
+{
+    PK11SlotInfo *keySlot;
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    keySlot    = PK11_GetInternalKeySlot();
+    
+    if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) {
+        if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) {
+	    printf ("Initializing the PINs failed.\n");
+	    return SECFailure;
+	}
+    }
+
+    PK11_FreeSlot(keySlot);
+    return SECSuccess;
+}
+
+
+void 
+WriteItOut (void *arg, const char *buf, unsigned long len)
+{
+    PRFileDesc *fileDesc = (PRFileDesc*)arg;
+
+    PR_Write(fileDesc, (void*)buf, len);
+}
+
+
+
+CRMFCertExtCreationInfo*
+GetExtensions(void)
+{
+    unsigned char keyUsage[4] = { 0x03, 0x02, 0x07, KU_DIGITAL_SIGNATURE };
+				/* What are these magic numbers? */
+    SECItem data = { 0, NULL, 0 };
+    CRMFCertExtension *extension; 
+    CRMFCertExtCreationInfo *extInfo =
+	    PORT_ZNew(CRMFCertExtCreationInfo);
+
+    data.data = keyUsage;
+    data.len = sizeof keyUsage;
+
+
+    extension = 
+	    CRMF_CreateCertExtension(SEC_OID_X509_KEY_USAGE, PR_FALSE, &data);
+    if (extension && extInfo) {
+	extInfo->numExtensions = 1;
+	extInfo->extensions    = PORT_ZNewArray(CRMFCertExtension*, 1);
+	extInfo->extensions[0] = extension;
+    }
+    return extInfo;
+}
+
+void
+FreeExtInfo(CRMFCertExtCreationInfo *extInfo)
+{
+    int i;
+    
+    for (i=0; i<extInfo->numExtensions; i++) {
+        CRMF_DestroyCertExtension(extInfo->extensions[i]);
+    }
+    PORT_Free(extInfo->extensions);
+    PORT_Free(extInfo);
+}
+
+int
+InjectCertName( CRMFCertRequest       * certReq,
+	        CRMFCertTemplateField   inTemplateField,
+		const char            * inNameString)
+{
+    char      * nameStr;
+    CERTName  * name;
+    int         irv   = 0;
+
+    nameStr = PORT_Strdup(inNameString);
+    if (!nameStr) 
+    	return 5;
+    name = CERT_AsciiToName(nameStr);
+    if (name == NULL) {
+        printf ("Could not create CERTName structure from %s.\n", nameStr);
+	irv = 5;
+	goto finish;
+    }
+
+    irv = CRMF_CertRequestSetTemplateField(certReq, inTemplateField, (void*)name);
+    if (irv != SECSuccess) {
+        printf ("Could not add name to cert template\n");
+	irv = 6;
+    }
+
+finish:
+    PORT_Free(nameStr);
+    if (name)
+	CERT_DestroyName(name);
+    return irv;
+}
+
+int
+CreateCertRequest(TESTKeyPair *pair, long inRequestID)
+{
+    CERTCertificate         * caCert;
+    CERTSubjectPublicKeyInfo *spki;
+    CRMFCertExtCreationInfo * extInfo;
+    CRMFCertRequest         * certReq;
+    CRMFEncryptedKey        * encKey;
+    CRMFPKIArchiveOptions   * pkiArchOpt;
+    SECAlgorithmID          * algID;
+    long                      serialNumber;
+    long                      version       = 3;
+    SECStatus                 rv;
+    CRMFValidityCreationInfo  validity;
+    unsigned char             UIDbuf[UID_BITS / BPB];
+    SECItem                   issuerUID  = { siBuffer, NULL, 0 };
+    SECItem                   subjectUID = { siBuffer, NULL, 0 };
+
+    /* len in bits */
+    issuerUID.data = UIDbuf;
+    issuerUID.len = UID_BITS;
+    subjectUID.data = UIDbuf;
+    subjectUID.len = UID_BITS;
+
+    pair->certReq = NULL;
+    certReq = CRMF_CreateCertRequest(inRequestID);
+    if (certReq == NULL) {
+        printf ("Could not initialize a certificate request.\n");
+	return 1;
+    }
+
+    /* set to version 3 */
+    rv = CRMF_CertRequestSetTemplateField(certReq, crmfVersion, 
+                                          (void*)(&version));
+    if (rv != SECSuccess) {
+        printf("Could not add the version number to the "
+	       "Certificate Request.\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 2;
+    }
+
+    /* set serial number */
+    if (get_serial_number(&serialNumber) != SECSuccess) {
+        printf ("Could not generate a serial number for cert request.\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 3;
+    }
+    rv = CRMF_CertRequestSetTemplateField (certReq, crmfSerialNumber, 
+				      (void*)(&serialNumber));
+    if (rv != SECSuccess) {
+        printf ("Could not add serial number to certificate template\n.");
+	CRMF_DestroyCertRequest(certReq);
+	return 4;
+    }
+
+    /* Set issuer name */
+    rv = InjectCertName(certReq, crmfIssuer, 
+    			"CN=mozilla CA Shack,O=Information Systems");
+    if (rv) {
+        printf ("Could not add issuer to cert template\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 5;
+    }
+
+    /* Set Subject Name */
+    rv = InjectCertName(certReq, crmfSubject, 
+    			"CN=mozilla CA Shack ID,O=Engineering,C=US");
+    if (rv) {
+        printf ("Could not add Subject to cert template\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 5;
+    }
+
+    /* Set Algorithm ID */
+    algID = PK11_CreatePBEAlgorithmID(SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
+			              1, NULL);
+    if (algID == NULL) {
+        printf ("Couldn't create algorithm ID\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 9;
+    }
+    rv = CRMF_CertRequestSetTemplateField(certReq, crmfSigningAlg, (void*)algID);
+    SECOID_DestroyAlgorithmID(algID, PR_TRUE);
+    if (rv != SECSuccess) {
+        printf ("Could not add the signing algorithm to the cert template.\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 10;
+    }
+
+    /* Set Validity Dates */
+    validity.notBefore = &notBefore;
+    validity.notAfter  = NULL;
+    notBefore = PR_Now();
+    rv = CRMF_CertRequestSetTemplateField(certReq, crmfValidity,(void*)(&validity));
+    if (rv != SECSuccess) {
+        printf ("Could not add validity to cert template\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 11;
+    }
+
+    /* Generate a key pair and Add the spki to the request */
+    spki = GetSubjectPubKeyInfo(pair);
+    if (spki == NULL) {
+        printf ("Could not create a Subject Public Key Info to add\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 12;
+    }
+    rv = CRMF_CertRequestSetTemplateField(certReq, crmfPublicKey, (void*)spki);
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+    if (rv != SECSuccess) {
+        printf ("Could not add the public key to the template\n");
+	CRMF_DestroyCertRequest(certReq);
+	return 13;
+    }
+    
+    /* Set the requested isser Unique ID */
+    PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
+    CRMF_CertRequestSetTemplateField(certReq,crmfIssuerUID,  (void*)&issuerUID);
+
+    /* Set the requested Subject Unique ID */
+    PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
+    CRMF_CertRequestSetTemplateField(certReq,crmfSubjectUID, (void*)&subjectUID);
+
+    /* Add extensions - XXX need to understand these magic numbers */
+    extInfo = GetExtensions();
+    CRMF_CertRequestSetTemplateField(certReq, crmfExtension, (void*)extInfo);
+    FreeExtInfo(extInfo);
+
+    /* get the recipient CA's cert */
+    caCert = CERT_FindCertByNickname(db, caCertName);
+    if (caCert == NULL) {
+        printf ("Could not find the certificate for %s\n", caCertName);
+        CRMF_DestroyCertRequest(certReq);
+	return 50;
+    }
+    encKey = CRMF_CreateEncryptedKeyWithEncryptedValue(pair->privKey, caCert);
+    CERT_DestroyCertificate(caCert);
+    if (encKey == NULL) {
+        printf ("Could not create Encrypted Key with Encrypted Value.\n");
+	return 14;
+    }
+    pkiArchOpt = CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encKey);
+    CRMF_DestroyEncryptedKey(encKey);
+    if (pkiArchOpt == NULL) {
+        printf ("Could not create PKIArchiveOptions.\n");
+	return 15;
+    }
+    rv  = CRMF_CertRequestSetPKIArchiveOptions(certReq, pkiArchOpt);
+    CRMF_DestroyPKIArchiveOptions(pkiArchOpt);
+    if (rv != SECSuccess) {
+        printf ("Could not add the PKIArchiveControl to Cert Request.\n");
+	return 16;
+    }
+    pair->certReq = certReq;
+    return 0;
+}
+
+int 
+Encode(CRMFCertReqMsg *inCertReq1, CRMFCertReqMsg *inCertReq2)
+{   
+    PRFileDesc     *fileDesc;
+    SECStatus       rv;
+    int             irv = 0;
+    CRMFCertReqMsg *msgArr[3];
+    char            filePath[PATH_LEN];
+
+    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
+    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
+			0666);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	irv = 14;
+	goto finish;
+    }
+    msgArr[0] = inCertReq1;
+    msgArr[1] = inCertReq2;
+    msgArr[2] = NULL;
+    rv = CRMF_EncodeCertReqMessages(msgArr, WriteItOut, (void*)fileDesc);
+    if (rv != SECSuccess) {
+        printf ("An error occurred while encoding.\n");
+	irv = 15;
+    }
+finish:
+    PR_Close(fileDesc);
+    return irv;
+}
+
+int
+AddProofOfPossession(TESTKeyPair *pair,
+		     CRMFPOPChoice inPOPChoice)
+{
+
+    switch(inPOPChoice){
+    case crmfSignature:
+      CRMF_CertReqMsgSetSignaturePOP(pair->certReqMsg, pair->privKey, 
+                                     pair->pubKey, NULL, NULL, &pwdata);
+      break;
+    case crmfRAVerified:
+      CRMF_CertReqMsgSetRAVerifiedPOP(pair->certReqMsg);
+      break;
+    case crmfKeyEncipherment:
+      CRMF_CertReqMsgSetKeyEnciphermentPOP(pair->certReqMsg,
+					   crmfSubsequentMessage, 
+					   crmfChallengeResp, NULL);
+      break;
+    case crmfKeyAgreement:
+      {
+	SECItem pendejo;
+	unsigned char lame[] = { 0xf0, 0x0f, 0xf0, 0x0f, 0xf0 };
+
+	pendejo.data = lame;
+	pendejo.len  = 5;
+	
+	CRMF_CertReqMsgSetKeyAgreementPOP(pair->certReqMsg, crmfThisMessage, 
+					  crmfNoSubseqMess, &pendejo);
+      }
+      break;
+    default:
+      return 1;
+    }
+    return 0;
+}
+
+
+int
+Decode(void)
+{
+    PRFileDesc          *fileDesc;
+    CRMFCertReqMsg      *certReqMsg;
+    CRMFCertRequest     *certReq;
+    CRMFCertReqMessages *certReqMsgs;
+    SECStatus            rv;
+    int                  numMsgs, i;
+    long                 lame;
+    CRMFGetValidity      validity        = {NULL, NULL};
+    SECItem              item            = { siBuffer, NULL, 0 };
+    char                 filePath[PATH_LEN];
+
+    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
+    fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	return 214;
+    }
+    rv = SECU_FileToItem(&item, fileDesc);
+    PR_Close(fileDesc);
+    if (rv != SECSuccess) {
+    	return 215;
+    }
+
+    certReqMsgs = CRMF_CreateCertReqMessagesFromDER((char *)item.data, item.len);
+    if (certReqMsgs == NULL) {
+        printf ("Error decoding CertReqMessages.\n");
+	return 202;
+    }
+    numMsgs = CRMF_CertReqMessagesGetNumMessages(certReqMsgs);
+    if (numMsgs <= 0) {
+        printf ("WARNING: The DER contained %d messages.\n", numMsgs);
+    }
+    for (i=0; i < numMsgs; i++) {
+	SECStatus rv;
+	printf("crmftest: Processing cert request %d\n", i);
+        certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i);
+	if (certReqMsg == NULL) {
+	    printf ("ERROR: Could not access the message at index %d of %s\n",
+		    i, filePath);
+	}
+	rv = CRMF_CertReqMsgGetID(certReqMsg, &lame);
+	if (rv) {
+	    SECU_PrintError("crmftest", "CRMF_CertReqMsgGetID");
+	}
+	certReq = CRMF_CertReqMsgGetCertRequest(certReqMsg);
+	if (!certReq) {
+	    SECU_PrintError("crmftest", "CRMF_CertReqMsgGetCertRequest");
+	}
+	rv = CRMF_CertRequestGetCertTemplateValidity(certReq, &validity);
+	if (rv) {
+	    SECU_PrintError("crmftest", "CRMF_CertRequestGetCertTemplateValidity");
+	}
+	if (!validity.notBefore) {
+	    /* We encoded a notBefore, so somthing's wrong if it's not here. */
+	    printf("ERROR: Validity period notBefore date missing.\n");
+	}
+	/* XXX It's all parsed now.  We probably should DO SOMETHING with it.
+	** But nope.  We just throw it all away.
+	** Maybe this was intended to be no more than a decoder test.
+	*/
+	CRMF_DestroyGetValidity(&validity);
+	CRMF_DestroyCertRequest(certReq);
+	CRMF_DestroyCertReqMsg(certReqMsg);
+    }
+    CRMF_DestroyCertReqMessages(certReqMsgs);
+    SECITEM_FreeItem(&item, PR_FALSE);
+    return 0;
+}
+
+int
+GetBitsFromFile(const char *filePath, SECItem *item)
+{
+    PRFileDesc *fileDesc;
+    SECStatus   rv;
+
+    fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	return 14;
+    }
+
+    rv = SECU_FileToItem(item, fileDesc);
+    PR_Close(fileDesc);
+
+    if (rv != SECSuccess) {
+	item->data = NULL;
+	item->len  = 0;
+    	return 15;
+    }
+    return 0;
+} 
+
+int
+DecodeCMMFCertRepContent(char *derFile)
+{
+    CMMFCertRepContent *certRepContent;
+    int                 irv             = 0;
+    SECItem             fileBits	= { siBuffer, NULL, 0 };
+
+    GetBitsFromFile(derFile, &fileBits);
+    if (fileBits.data == NULL) {
+        printf("Could not get bits from file %s\n", derFile);
+        return 304;
+    }
+    certRepContent = CMMF_CreateCertRepContentFromDER(db, 
+                                     (char*)fileBits.data, fileBits.len);
+    if (certRepContent == NULL) {
+        printf ("Error while decoding %s\n", derFile);
+	irv = 303;
+    } else {
+	/* That was fun.  Now, let's throw it away!  */
+	CMMF_DestroyCertRepContent(certRepContent);
+    }
+    SECITEM_FreeItem(&fileBits, PR_FALSE);
+    return irv;
+}
+
+int
+EncodeCMMFCertReply(const char       *filePath, 
+                    CERTCertificate  *cert,
+		    CERTCertList     *list)
+{
+    int                    rv                   = 0;
+    SECStatus              srv;
+    PRFileDesc            *fileDesc		= NULL;
+    CMMFCertRepContent    *certRepContent	= NULL;
+    CMMFCertResponse      *certResp		= NULL;
+    CMMFCertResponse      *certResponses[3];
+
+    certResp = CMMF_CreateCertResponse(0xff123);
+    CMMF_CertResponseSetPKIStatusInfoStatus(certResp, cmmfGranted);
+
+    CMMF_CertResponseSetCertificate(certResp, cert);
+
+    certResponses[0] = certResp;
+    certResponses[1] = NULL;
+    certResponses[2] = NULL;
+
+    certRepContent = CMMF_CreateCertRepContent();
+    CMMF_CertRepContentSetCertResponses(certRepContent, certResponses, 1);
+
+    CMMF_CertRepContentSetCAPubs(certRepContent, list);
+
+    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
+			0666);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	rv = 400;
+	goto finish;
+    }
+    
+    srv = CMMF_EncodeCertRepContent(certRepContent, WriteItOut, 
+				    (void*)fileDesc);
+    PR_Close(fileDesc);
+    if (srv != SECSuccess) {
+        printf ("CMMF_EncodeCertRepContent failed,\n");
+	rv = 401;
+    }
+finish:
+    if (certRepContent) {
+        CMMF_DestroyCertRepContent(certRepContent);
+    }
+    if (certResp) {
+        CMMF_DestroyCertResponse(certResp);
+    }
+    return rv;
+}
+
+
+/* Extract the public key from the cert whose nickname is given. */
+int
+extractPubKeyFromNamedCert(const char * nickname, SECKEYPublicKey **pPubKey)
+{
+    CERTCertificate  *caCert     = NULL;
+    SECKEYPublicKey  *caPubKey   = NULL;
+    int               rv         = 0;
+
+    caCert = CERT_FindCertByNickname(db, (char *)nickname);
+    if (caCert == NULL) {
+        printf ("Could not get the certifcate for %s\n", caCertName);
+	rv = 411;
+	goto finish;
+    }
+    caPubKey = CERT_ExtractPublicKey(caCert);
+    if (caPubKey == NULL) {
+        printf ("Could not extract the public from the "
+		"certificate for \n%s\n", caCertName);
+	rv = 412;
+    }
+finish:
+    *pPubKey = caPubKey;
+    CERT_DestroyCertificate(caCert);
+    caCert = NULL;
+    return rv;
+}
+
+int
+EncodeCMMFRecoveryMessage(const char * filePath, 
+                    CERTCertificate  *cert,
+		    CERTCertList     *list)
+{
+    SECKEYPublicKey       *caPubKey		= NULL;
+    SECKEYPrivateKey      *privKey 		= NULL;
+    CMMFKeyRecRepContent  *repContent		= NULL;
+    PRFileDesc            *fileDesc;
+    int                    rv 			= 0;
+    SECStatus              srv;
+
+    /* Extract the public key from the cert whose nickname is given in
+    ** the -s option.
+    */
+    rv = extractPubKeyFromNamedCert( caCertName, &caPubKey);
+    if (rv) 
+    	goto finish;
+
+    repContent = CMMF_CreateKeyRecRepContent();
+    if (repContent == NULL) {
+        printf ("Could not allocate a CMMFKeyRecRepContent structure\n");
+	rv = 407;
+	goto finish;
+    }
+    srv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(repContent, 
+						      cmmfGrantedWithMods);
+    if (srv != SECSuccess) {
+        printf ("Error trying to set PKIStatusInfo for "
+		"CMMFKeyRecRepContent.\n");
+	rv = 406;
+	goto finish;
+    }
+    srv = CMMF_KeyRecRepContentSetNewSignCert(repContent, cert);
+    if (srv != SECSuccess) {
+        printf ("Error trying to set the new signing certificate for "
+		"key recovery\n");
+	rv = 408;
+	goto finish;
+    }
+    srv = CMMF_KeyRecRepContentSetCACerts(repContent, list);
+    if (srv != SECSuccess) {
+        printf ("Errory trying to add the list of CA certs to the "
+		"CMMFKeyRecRepContent structure.\n");
+	rv = 409;
+	goto finish;
+    }
+    privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
+    if (privKey == NULL) {
+        printf ("Could not get the private key associated with the\n"
+		"certificate %s\n", personalCert);
+	rv = 410;
+	goto finish;
+    }
+
+    srv = CMMF_KeyRecRepContentSetCertifiedKeyPair(repContent, cert, privKey,
+						   caPubKey);
+    if (srv != SECSuccess) {
+        printf ("Could not set the Certified Key Pair\n");
+	rv = 413;
+	goto finish;
+    }
+    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
+			0666);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	rv = 414;
+	goto finish;
+    }
+    
+    srv = CMMF_EncodeKeyRecRepContent(repContent, WriteItOut, 
+				      (void*)fileDesc);
+    PR_Close(fileDesc);
+    if (srv != SECSuccess) {
+        printf ("CMMF_EncodeKeyRecRepContent failed\n");
+    	rv = 415;
+    }
+finish:
+    if (privKey)
+	SECKEY_DestroyPrivateKey(privKey);
+    if (caPubKey)
+	SECKEY_DestroyPublicKey(caPubKey);
+    if (repContent)
+	CMMF_DestroyKeyRecRepContent(repContent);
+    return rv;
+}
+
+int
+decodeCMMFRecoveryMessage(const char * filePath)
+{
+    CMMFKeyRecRepContent  *repContent = NULL;
+    int                    rv         = 0;
+    SECItem                fileBits   = { siBuffer, NULL, 0 };
+
+    GetBitsFromFile(filePath, &fileBits);
+    if (!fileBits.len) {
+    	rv = 451;
+	goto finish;
+    }
+    repContent = 
+        CMMF_CreateKeyRecRepContentFromDER(db, (const char *) fileBits.data,
+					   fileBits.len);
+    if (repContent == NULL) {
+        printf ("ERROR: CMMF_CreateKeyRecRepContentFromDER failed on file:\n"
+		"\t%s\n", filePath);
+	rv = 452;
+    }
+finish:
+    if (repContent) {
+        CMMF_DestroyKeyRecRepContent(repContent);
+    }
+    SECITEM_FreeItem(&fileBits, PR_FALSE);
+    return rv;
+}
+
+int
+DoCMMFStuff(void)
+{
+    CERTCertificate       *cert			= NULL;
+    CERTCertList          *list			= NULL;
+    int                    rv 			= 0;
+    char                   filePath[PATH_LEN];
+
+    /* Do common setup for the following steps.
+    */
+    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, "CertRepContent.der");
+
+    cert = CERT_FindCertByNickname(db, personalCert);
+    if (cert == NULL) {
+        printf ("Could not find the certificate for %s\n", personalCert);
+        rv = 416;
+        goto finish;
+    } 
+    list = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageEmailSigner);
+    if (list == NULL) {
+        printf ("Could not find the certificate chain for %s\n", personalCert);
+        rv = 418;
+        goto finish;
+    } 
+
+    /* a) Generate the CMMF response message, using a user cert named
+    **    by -p option, rather than a cert generated from the CRMF
+    **    request itself.   The CMMF message is placed in 
+    **    configdir/CertRepContent.der.
+    */
+    rv = EncodeCMMFCertReply(filePath, cert, list);
+    if (rv != 0) {
+        goto finish;
+    }
+
+    /* b) Decode the CMMF Cert granting message encoded just above,
+    **    found in configdir/CertRepContent.der.
+    **    This only tests the decoding.  The decoded content is discarded.
+    */
+    rv = DecodeCMMFCertRepContent(filePath);
+    if (rv != 0) {
+        goto finish;
+    }
+
+    /* c) Generate a CMMF Key Excrow message
+    **    It takes the public and private keys for the cert identified
+    **    by -p nickname, and wraps them with a sym key that is in turn
+    **    wrapped with the pubkey in the CA cert, whose nickname is 
+    **    given by the -s option.
+    **    Store the message in configdir/KeyRecRepContent.der
+    */
+    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, 
+		"KeyRecRepContent.der");
+
+    rv = EncodeCMMFRecoveryMessage(filePath, cert, list);
+    if (rv)
+    	goto finish;
+
+    /* d) Decode the CMMF Key Excrow message generated just above.
+    **    Get it from file configdir/KeyRecRepContent.der
+    **    This is just a decoder test.  Results are discarded.
+    */
+
+    rv = decodeCMMFRecoveryMessage(filePath);
+
+ finish:
+    if (cert) {
+        CERT_DestroyCertificate(cert);
+    }
+    if (list) {
+        CERT_DestroyCertList(list);
+    }
+    return rv;
+}
+
+static CK_MECHANISM_TYPE
+mapWrapKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+        return CKM_RSA_PKCS;
+    default:
+        break;
+    }
+    return CKM_INVALID_MECHANISM;
+} 
+
+#define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
+
+int
+DoKeyRecovery( SECKEYPrivateKey *privKey)
+{
+#ifdef DOING_KEY_RECOVERY  /* Doesn't compile yet. */
+    SECKEYPublicKey      *pubKey;
+    PK11SlotInfo         *slot;
+    unsigned char        *ciphertext;
+    unsigned char        *text_compared;
+    SECKEYPrivateKey     *unwrappedPrivKey;
+    SECKEYPrivateKey     *caPrivKey;
+    CMMFKeyRecRepContent *keyRecRep;
+    CMMFCertifiedKeyPair *certKeyPair;
+    CERTCertificate      *caCert;
+    CERTCertificate      *myCert;
+    SECKEYPublicKey      *caPubKey;
+    PRFileDesc           *fileDesc;
+    CK_ULONG              max_bytes_encrypted;
+    CK_ULONG              bytes_encrypted;
+    CK_ULONG              bytes_compared;
+    CK_ULONG              bytes_decrypted;
+    CK_RV                 crv;
+    CK_OBJECT_HANDLE      id;
+    CK_MECHANISM          mech      = { CKM_INVALID_MECHANISM, NULL, 0};
+    SECStatus             rv;
+    SECItem               fileBits;
+    SECItem               nickname;
+    unsigned char         plaintext[KNOWN_MESSAGE_LENGTH];
+    char                  filePath[PATH_LEN];
+    static const unsigned char known_message[] = { "Known Crypto Message" };
+
+    /*caCert = CERT_FindCertByNickname(db, caCertName);*/
+    myCert = CERT_FindCertByNickname(db, personalCert);
+    if (myCert == NULL) {
+        printf ("Could not find the certificate for %s\n", personalCert);
+        return 700;
+    }
+    caCert = CERT_FindCertByNickname(db, recoveryEncrypter);
+    if (caCert == NULL) {
+        printf ("Could not find the certificate for %s\n", recoveryEncrypter);
+        return 701;
+    }
+    caPubKey = CERT_ExtractPublicKey(caCert);
+    pubKey   = SECKEY_ConvertToPublicKey(privKey);
+    max_bytes_encrypted = PK11_GetPrivateModulusLen(privKey);
+    slot = PK11_GetBestSlot(mapWrapKeyType(privKey->keyType), NULL);
+    id   = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
+
+    switch(privKey->keyType) {
+    case rsaKey:
+        mech.mechanism = CKM_RSA_PKCS;
+	break;
+    case dsaKey:
+        mech.mechanism = CKM_DSA;
+	break;
+    case dhKey:
+        mech.mechanism = CKM_DH_PKCS_DERIVE;
+	break;
+    default:
+        printf ("Bad Key type in key recovery.\n");
+	return 512;
+
+    }
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(slot->session, &mech, id);
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PK11_FreeSlot(slot);
+	printf ("C_EncryptInit failed in KeyRecovery\n");
+	return 500;
+    }
+    ciphertext = PORT_NewArray(unsigned char, max_bytes_encrypted);
+    if (ciphertext == NULL) {
+        PK11_ExitSlotMonitor(slot);
+	PK11_FreeSlot(slot);
+	printf ("Could not allocate memory for ciphertext.\n");
+	return 501;
+    }
+    bytes_encrypted = max_bytes_encrypted;
+    crv = PK11_GETTAB(slot)->C_Encrypt(slot->session, 
+				       known_message,
+				       KNOWN_MESSAGE_LENGTH,
+				       ciphertext,
+				       &bytes_encrypted);
+    PK11_ExitSlotMonitor(slot);
+    PK11_FreeSlot(slot);
+    if (crv != CKR_OK) {
+       PORT_Free(ciphertext);
+       return 502;
+    }
+    /* Always use the smaller of these two values . . . */
+    bytes_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
+                      ? KNOWN_MESSAGE_LENGTH
+                      : bytes_encrypted;
+ 
+    /* If there was a failure, the plaintext */
+    /* goes at the end, therefore . . .      */
+    text_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
+                    ? (ciphertext + bytes_encrypted -
+		       KNOWN_MESSAGE_LENGTH )
+                     : ciphertext;  
+
+    keyRecRep = CMMF_CreateKeyRecRepContent();
+    if (keyRecRep == NULL) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	CMMF_DestroyKeyRecRepContent(keyRecRep);
+	printf ("Could not allocate a CMMFKeyRecRepContent structre.\n");
+	return 503;
+    }
+    rv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(keyRecRep,
+						     cmmfGranted);
+    if (rv != SECSuccess) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	CMMF_DestroyKeyRecRepContent(keyRecRep);
+	printf ("Could not set the status for the KeyRecRepContent\n");
+	return 504;
+    }
+    /* The myCert here should correspond to the certificate corresponding
+     * to the private key, but for this test any certificate will do.
+     */
+    rv = CMMF_KeyRecRepContentSetCertifiedKeyPair(keyRecRep, myCert,
+						  privKey, caPubKey);
+    if (rv != SECSuccess) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	CMMF_DestroyKeyRecRepContent(keyRecRep);
+	printf ("Could not set the Certified Key Pair\n");
+	return 505;
+    }
+    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, 
+		"KeyRecRepContent.der");
+    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
+			0666);
+    if (fileDesc == NULL) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	CMMF_DestroyKeyRecRepContent(keyRecRep);
+        printf ("Could not open file %s\n", filePath);
+	return 506;
+    }
+    rv = CMMF_EncodeKeyRecRepContent(keyRecRep, WriteItOut, fileDesc);
+    CMMF_DestroyKeyRecRepContent(keyRecRep);
+    PR_Close(fileDesc);
+
+    if (rv != SECSuccess) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	printf ("Error while encoding CMMFKeyRecRepContent\n");
+	return 507;
+    }
+    GetBitsFromFile(filePath, &fileBits);
+    if (fileBits.data == NULL) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+        printf ("Could not get the bits from file %s\n", filePath);
+	return 508;
+    }
+    keyRecRep = 
+        CMMF_CreateKeyRecRepContentFromDER(db,(const char*)fileBits.data,
+					   fileBits.len);
+    if (keyRecRep == NULL) {
+        printf ("Could not decode the KeyRecRepContent in file %s\n", 
+		filePath);
+	PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	return 509;
+    }
+    caPrivKey = PK11_FindKeyByAnyCert(caCert, &pwdata);
+    if (CMMF_KeyRecRepContentGetPKIStatusInfoStatus(keyRecRep) != 
+	                                                      cmmfGranted) {
+        PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	CMMF_DestroyKeyRecRepContent(keyRecRep);
+	printf ("A bad status came back with the "
+		"KeyRecRepContent structure\n");
+	return 510;
+    }
+
+#define NICKNAME "Key Recovery Test Key"
+    nickname.data = (unsigned char*)NICKNAME;
+    nickname.len  = PORT_Strlen(NICKNAME);
+
+    certKeyPair = CMMF_KeyRecRepContentGetCertKeyAtIndex(keyRecRep, 0);
+    CMMF_DestroyKeyRecRepContent(keyRecRep);
+    rv = CMMF_CertifiedKeyPairUnwrapPrivKey(certKeyPair,
+					    caPrivKey,
+					    &nickname,
+					    PK11_GetInternalKeySlot(),
+					    db,
+					    &unwrappedPrivKey, &pwdata);
+    CMMF_DestroyCertifiedKeyPair(certKeyPair);
+    if (rv != SECSuccess) {
+        printf ("Unwrapping the private key failed.\n");
+	return 511;
+    }
+    /*Now let's try to decrypt the ciphertext with the "recovered" key*/
+    PK11_EnterSlotMonitor(slot);
+    crv = 
+      PK11_GETTAB(slot)->C_DecryptInit(unwrappedPrivKey->pkcs11Slot->session,
+				       &mech,
+				       unwrappedPrivKey->pkcs11ID);
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PORT_Free(ciphertext);
+	PK11_FreeSlot(slot);
+	printf ("Decrypting with the recovered key failed.\n");
+	return 513;
+    }
+    bytes_decrypted = KNOWN_MESSAGE_LENGTH;
+    crv = PK11_GETTAB(slot)->C_Decrypt(unwrappedPrivKey->pkcs11Slot->session,
+				       ciphertext, 
+				       bytes_encrypted, plaintext,
+				       &bytes_decrypted);
+    SECKEY_DestroyPrivateKey(unwrappedPrivKey);
+    PK11_ExitSlotMonitor(slot);
+    PORT_Free(ciphertext);
+    if (crv != CKR_OK) {
+        PK11_FreeSlot(slot);
+	printf ("Decrypting the ciphertext with recovered key failed.\n");
+	return 514;
+    }
+    if ((bytes_decrypted != KNOWN_MESSAGE_LENGTH) || 
+	(PORT_Memcmp(plaintext, known_message, KNOWN_MESSAGE_LENGTH) != 0)) {
+        PK11_FreeSlot(slot);
+	printf ("The recovered plaintext does not equal the known message:\n"
+		"\tKnown message:       %s\n"
+		"\tRecovered plaintext: %s\n", known_message, plaintext);
+	return 515;
+    }
+#endif
+    return 0;
+}
+
+int
+DoChallengeResponse(SECKEYPrivateKey *privKey,
+		    SECKEYPublicKey *pubKey)
+{
+    CMMFPOPODecKeyChallContent *chalContent = NULL;
+    CMMFPOPODecKeyRespContent  *respContent = NULL;
+    CERTCertificate            *myCert      = NULL;
+    CERTGeneralName            *myGenName   = NULL;
+    PRArenaPool                *poolp       = NULL;
+    PRFileDesc                 *fileDesc;
+    SECItem                    *publicValue;
+    SECItem                    *keyID;
+    SECKEYPrivateKey           *foundPrivKey;
+    long                       *randomNums;
+    int                         numChallengesFound   = 0;
+    int                         numChallengesSet     = 1;
+    int                         i;
+    long                        retrieved;
+    SECStatus                   rv;
+    SECItem                     DecKeyChallBits;
+    char                        filePath[PATH_LEN];
+
+    chalContent = CMMF_CreatePOPODecKeyChallContent();
+    myCert = CERT_FindCertByNickname(db, personalCert);
+    if (myCert == NULL) {
+        printf ("Could not find the certificate for %s\n", personalCert);
+        return 900;
+    }
+    poolp = PORT_NewArena(1024);
+    if (poolp == NULL) {
+        printf("Could no allocate a new arena in DoChallengeResponse\n");
+	return 901;
+    }
+    myGenName = CERT_GetCertificateNames(myCert, poolp);
+    if (myGenName == NULL) {
+        printf ("Could not get the general names for %s certificate\n", 
+		personalCert);
+	return 902;
+    }
+    randomNums = PORT_ArenaNewArray(poolp,long, numChallengesSet);
+    PK11_GenerateRandom((unsigned char *)randomNums, 
+                        numChallengesSet * sizeof(long));
+    for (i=0; i<numChallengesSet; i++) {
+	rv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
+							 randomNums[i],
+							 myGenName,
+							 pubKey,
+							 &pwdata);
+	if (rv != SECSuccess) {
+	    printf ("Could not set the challenge in DoChallengeResponse\n");
+	    return 903;
+	}
+    }
+    PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyChallContent.der", 
+		configdir);
+    fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
+		       0666);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	return 904;
+    }
+    rv = CMMF_EncodePOPODecKeyChallContent(chalContent,WriteItOut, 
+					   (void*)fileDesc);
+    PR_Close(fileDesc);
+    CMMF_DestroyPOPODecKeyChallContent(chalContent);
+    if (rv != SECSuccess) {
+        printf ("Could not encode the POPODecKeyChallContent.\n");
+	return 905;
+    }
+    GetBitsFromFile(filePath, &DecKeyChallBits);
+    chalContent = CMMF_CreatePOPODecKeyChallContentFromDER
+		      ((const char*)DecKeyChallBits.data, DecKeyChallBits.len);
+    SECITEM_FreeItem(&DecKeyChallBits, PR_FALSE);
+    if (chalContent == NULL) {
+        printf ("Could not create the POPODecKeyChallContent from DER\n");
+	return 906;
+    }
+    numChallengesFound = 
+	    CMMF_POPODecKeyChallContentGetNumChallenges(chalContent);
+    if (numChallengesFound != numChallengesSet) {
+        printf ("Number of Challenges Found (%d) does not equal the number "
+		"set (%d)\n", numChallengesFound, numChallengesSet);
+	return 907;
+    }
+    for (i=0; i<numChallengesSet; i++) {
+        publicValue = CMMF_POPODecKeyChallContentGetPublicValue(chalContent, i);
+	if (publicValue == NULL) {
+	  printf("Could not get the public value for challenge at index %d\n",
+		 i);
+	  return 908;
+	}
+	keyID = PK11_MakeIDFromPubKey(publicValue);
+	if (keyID == NULL) {
+	    printf ("Could not make the keyID from the public value\n");
+	    return 909;
+	}
+	foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
+	if (foundPrivKey == NULL) {
+	    printf ("Could not find the private key corresponding to the public"
+		    " value.\n");
+	    return 910;
+	}
+	rv = CMMF_POPODecKeyChallContDecryptChallenge(chalContent, i, 
+						      foundPrivKey);
+	if (rv != SECSuccess) {
+	    printf ("Could not decrypt the challenge at index %d\n", i);
+	    return 911;
+	}
+	rv = CMMF_POPODecKeyChallContentGetRandomNumber(chalContent, i, 
+							&retrieved);
+	if (rv != SECSuccess) {
+	    printf ("Could not get the random number from the challenge at "
+		    "index %d\n", i);
+	    return 912;
+	}
+	if (retrieved != randomNums[i]) {
+	    printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
+		    randomNums[i]);
+	    return 913;
+	}
+    }
+    CMMF_DestroyPOPODecKeyChallContent(chalContent);
+    PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyRespContent.der", 
+		configdir);
+    fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
+		       0666);
+    if (fileDesc == NULL) {
+        printf ("Could not open file %s\n", filePath);
+	return 914;
+    }
+    rv = CMMF_EncodePOPODecKeyRespContent(randomNums, numChallengesSet,
+					  WriteItOut, fileDesc);
+    PR_Close(fileDesc);
+    if (rv != 0) {
+        printf ("Could not encode the POPODecKeyRespContent\n");
+	return 915;
+    }
+    GetBitsFromFile(filePath, &DecKeyChallBits);
+    respContent = 
+     CMMF_CreatePOPODecKeyRespContentFromDER((const char*)DecKeyChallBits.data,
+					     DecKeyChallBits.len);
+    if (respContent == NULL) {
+        printf ("Could not decode the contents of the file %s\n", filePath);
+	return 916;
+    }
+    numChallengesFound = 
+         CMMF_POPODecKeyRespContentGetNumResponses(respContent);
+    if (numChallengesFound != numChallengesSet) {
+        printf ("Number of responses found (%d) does not match the number "
+		"of challenges set (%d)\n",
+		numChallengesFound, numChallengesSet);
+	return 917;
+    }
+    for (i=0; i<numChallengesSet; i++) {
+        rv = CMMF_POPODecKeyRespContentGetResponse(respContent, i, &retrieved);
+	if (rv != SECSuccess) {
+	    printf ("Could not retrieve the response at index %d\n", i);
+	    return 918;
+	}
+	if (retrieved != randomNums[i]) {
+	    printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
+		    randomNums[i]);
+	    return 919;
+	}
+							  
+    }
+    CMMF_DestroyPOPODecKeyRespContent(respContent);
+    return 0;
+}
+
+int
+MakeCertRequest(TESTKeyPair *pair, CRMFPOPChoice inPOPChoice, long inRequestID)
+{
+    int               irv;
+
+    /* Generate a key pair and a cert request for it. */
+    irv = CreateCertRequest(pair, inRequestID);
+    if (irv != 0 || pair->certReq == NULL) {
+        goto loser;
+    }
+
+    pair->certReqMsg = CRMF_CreateCertReqMsg();
+    if (!pair->certReqMsg) {
+    	irv = 999;
+	goto loser;
+    }
+    /* copy certReq into certReqMsg */
+    CRMF_CertReqMsgSetCertRequest(pair->certReqMsg, pair->certReq);
+    irv = AddProofOfPossession(pair, inPOPChoice);
+loser:
+    return irv;
+}
+
+int
+DestroyPairReqAndMsg(TESTKeyPair *pair)
+{
+    SECStatus rv  = SECSuccess;
+    int       irv = 0;
+
+    if (pair->certReq) {
+	rv = CRMF_DestroyCertRequest(pair->certReq);
+	pair->certReq = NULL;
+	if (rv != SECSuccess) {
+	    printf ("Error when destroying cert request.\n");
+	    irv = 100;
+	}
+    }
+    if (pair->certReqMsg) {
+	rv = CRMF_DestroyCertReqMsg(pair->certReqMsg);
+	pair->certReqMsg = NULL;
+	if (rv != SECSuccess) {
+	    printf ("Error when destroying cert request msg.\n");
+	    if (!irv)
+		irv = 101;
+	}
+    }
+    return irv;
+}
+
+int
+DestroyPair(TESTKeyPair *pair)
+{
+    int       irv = 0;
+
+    if (pair->pubKey) {
+	SECKEY_DestroyPublicKey(pair->pubKey);
+	pair->pubKey = NULL;
+    }
+    if (pair->privKey) {
+	SECKEY_DestroyPrivateKey(pair->privKey);
+	pair->privKey = NULL;
+    }
+    DestroyPairReqAndMsg(pair);
+    return irv;
+}
+
+int
+DoCRMFRequest(TESTKeyPair *signPair, TESTKeyPair *cryptPair)
+{
+    int irv, tirv = 0;
+
+    /* Generate a key pair and a cert request for it. */
+    irv = MakeCertRequest(signPair, crmfSignature, 0x0f020304);
+    if (irv != 0 || signPair->certReq == NULL) {
+        goto loser;
+    }
+
+    if (!doingDSA) {
+	irv = MakeCertRequest(cryptPair, crmfKeyAgreement, 0x0f050607);
+	if (irv != 0 || cryptPair->certReq == NULL) {
+	    goto loser;
+	}
+    }
+
+    /* encode the cert request messages into a unified request message.
+    ** leave it in a file with a fixed name.  :(
+    */
+    irv = Encode(signPair->certReqMsg, cryptPair->certReqMsg);
+
+loser:
+    if (signPair->certReq) {
+	tirv = DestroyPairReqAndMsg(signPair);
+	if (tirv && !irv)
+    	    irv = tirv;
+    }
+    if (cryptPair->certReq) {
+	tirv = DestroyPairReqAndMsg(cryptPair);
+	if (tirv && !irv)
+    	    irv = tirv;
+    }
+    return irv;
+}
+
+void
+Usage (void)
+{
+    printf ("Usage:\n"
+	    "\tcrmftest -d [Database Directory] -p [Personal Cert]\n"
+	    "\t         -e [Encrypter] -s [CA Certificate] [-P password]\n\n"
+	    "\t         [crmf] [dsa] [decode] [cmmf] [recover] [challenge]\n"
+	    "\t         [-f password_file]\n"
+	    "Database Directory\n"
+	    "\tThis is the directory where the key3.db, cert7.db, and\n"
+	    "\tsecmod.db files are located.  This is also the directory\n"
+	    "\twhere the program will place CRMF/CMMF der files\n"
+	    "Personal Cert\n"
+	    "\tThis is the certificate that already exists in the cert\n"
+	    "\tdatabase to use while encoding the response.  The private\n"
+	    "\tkey associated with the certificate must also exist in the\n"
+	    "\tkey database.\n"
+	    "Encrypter\n"
+	    "\tThis is the certificate to use when encrypting the the \n"
+	    "\tkey recovery response.  The private key for this cert\n"
+	    "\tmust also be present in the key database.\n"
+	    "CA Certificate\n"
+	    "\tThis is the nickname of the certificate to use as the\n"
+	    "\tCA when doing all of the encoding.\n");
+}
+
+#define TEST_MAKE_CRMF_REQ      0x0001  
+#define TEST_USE_DSA            0x0002  
+#define TEST_DECODE_CRMF_REQ    0x0004  
+#define TEST_DO_CMMF_STUFF      0x0008  
+#define TEST_KEY_RECOVERY       0x0010  
+#define TEST_CHALLENGE_RESPONSE 0x0020  
+
+SECStatus
+parsePositionalParam(const char * arg, PRUint32 *flags)
+{
+    if (!strcmp(arg, "crmf")) {
+    	*flags |= TEST_MAKE_CRMF_REQ;
+    } else if (!strcmp(arg, "dsa")) {
+    	*flags |= TEST_MAKE_CRMF_REQ | TEST_USE_DSA;
+	doingDSA = PR_TRUE;
+    } else if (!strcmp(arg, "decode")) {
+    	*flags |= TEST_DECODE_CRMF_REQ;
+    } else if (!strcmp(arg, "cmmf")) {
+    	*flags |= TEST_DO_CMMF_STUFF;
+    } else if (!strcmp(arg, "recover")) {
+    	*flags |= TEST_KEY_RECOVERY;
+    } else if (!strcmp(arg, "challenge")) {
+    	*flags |= TEST_CHALLENGE_RESPONSE;
+    } else {
+	printf("unknown positional paremeter: %s\n", arg);
+    	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* it's not clear, in some cases, whether the desired key is from 
+** the sign pair or the crypt pair, so we're guessing in some places.  
+** This define serves to remind us of the places where we're guessing.
+*/
+#define WHICH_KEY cryptPair
+
+int
+main(int argc, char **argv) 
+{
+    TESTKeyPair       signPair, cryptPair;
+    PLOptState       *optstate;
+    PLOptStatus       status;
+    char             *password = NULL;
+    char             *pwfile = NULL;
+    int               irv     = 0;
+    PRUint32          flags   = 0;
+    SECStatus         rv;
+    PRBool            nssInit = PR_FALSE;
+    PRBool            pArg    = PR_FALSE;
+    PRBool            eArg    = PR_FALSE;
+    PRBool            sArg    = PR_FALSE;
+    PRBool            PArg    = PR_FALSE;
+
+    memset( &signPair,  0, sizeof signPair);
+    memset( &cryptPair, 0, sizeof cryptPair);
+    printf ("\ncrmftest v1.0\n");
+    optstate = PL_CreateOptState(argc, argv, "d:p:e:s:P:f:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	case 'd':
+	    configdir = PORT_Strdup(optstate->value);
+	    rv = NSS_Init(configdir);
+	    if (rv != SECSuccess) {
+	        printf ("NSS_Init (-d) failed\n");
+		return 101;
+	    }	      
+	    nssInit = PR_TRUE;
+	    break;
+	case 'p':
+	    personalCert = PORT_Strdup(optstate->value);
+	    if (personalCert == NULL) {
+	        printf ("-p  failed\n");
+	        return 603;
+	    }
+	    pArg = PR_TRUE;
+	    break;
+	case 'e':
+	    recoveryEncrypter = PORT_Strdup(optstate->value);
+	    if (recoveryEncrypter == NULL) {
+	        printf ("-e  failed\n");
+	        return 602;
+	    }
+	    eArg = PR_TRUE;
+	    break;
+	case 's':
+	    caCertName = PORT_Strdup(optstate->value);
+	    if (caCertName == NULL) {
+	        printf ("-s  failed\n");
+	        return 604;
+	    }
+	    sArg = PR_TRUE;
+	    break;
+	case 'P':
+	    password = PORT_Strdup(optstate->value);
+	    if (password == NULL) {
+	        printf ("-P  failed\n");
+	        return 606;
+	    }
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = password;
+	    PArg = PR_TRUE;
+	    break;
+        case 'f':
+	    pwfile = PORT_Strdup(optstate->value);
+	    if (pwfile == NULL) {
+	        printf ("-f  failed\n");
+	        return 607;
+	    }
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = pwfile;
+            break;
+	case 0:  /* positional parameter */
+	    rv = parsePositionalParam(optstate->value, &flags);
+	    if (rv) {
+	        printf ("bad positional parameter.\n");
+	        return 605;
+	    }
+	    break;
+	default:
+	    Usage();
+	    return 601;
+	}
+    }
+    PL_DestroyOptState(optstate);
+    if (status == PL_OPT_BAD || !nssInit) {
+        Usage();
+	return 600;
+    }
+    if (!flags) 
+    	flags = ~ TEST_USE_DSA;
+    db = CERT_GetDefaultCertDB();
+    InitPKCS11();
+
+    if (flags & TEST_MAKE_CRMF_REQ) {
+	printf("Generating CRMF request\n");
+    	irv = DoCRMFRequest(&signPair, &cryptPair);
+	if (irv)
+	    goto loser;
+    }
+
+    if (flags & TEST_DECODE_CRMF_REQ) {
+	printf("Decoding CRMF request\n");
+	irv = Decode();
+	if (irv != 0) {
+	    printf("Error while decoding\n");
+	    goto loser;
+	}
+    }
+
+    if (flags & TEST_DO_CMMF_STUFF) {
+	printf("Doing CMMF Stuff\n");
+	if ((irv = DoCMMFStuff()) != 0) {
+	    printf ("CMMF tests failed.\n");
+	    goto loser;
+	}
+    }
+
+    if (flags & TEST_KEY_RECOVERY) {
+	/* Requires some other options be set.
+	** Once we know exactly what hey are, test for them here. 
+	*/
+	printf("Doing Key Recovery\n");
+	irv = DoKeyRecovery(WHICH_KEY.privKey);
+	if (irv != 0) {
+	    printf ("Error doing key recovery\n");
+	    goto loser;
+	}
+    }
+
+    if (flags & TEST_CHALLENGE_RESPONSE) {
+	printf("Doing Challenge / Response\n");
+	irv = DoChallengeResponse(WHICH_KEY.privKey, WHICH_KEY.pubKey);
+	if (irv != 0) {
+	    printf ("Error doing challenge-response\n");
+	    goto loser;
+	}
+    }
+    printf ("Exiting successfully!!!\n\n");
+    irv = 0;
+
+ loser:
+    DestroyPair(&signPair);
+    DestroyPair(&cryptPair);
+    rv = NSS_Shutdown();
+    if (rv) {
+    	printf("NSS_Shutdown did not shutdown cleanly!\n");
+    }
+    PORT_Free(configdir);
+    if (irv)
+	printf("crmftest returning %d\n", irv);
+    return irv;
+}
diff --git a/security/nss/cmd/dbck/Makefile b/security/nss/cmd/dbck/Makefile
new file mode 100644
index 000000000..b9915d5e2
--- /dev/null
+++ b/security/nss/cmd/dbck/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+INCLUDES += -I ../../lib/softoken
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/dbck/dbck.c b/security/nss/cmd/dbck/dbck.c
new file mode 100644
index 000000000..a1bba5b0e
--- /dev/null
+++ b/security/nss/cmd/dbck/dbck.c
@@ -0,0 +1,1385 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** dbck.c
+**
+** utility for fixing corrupt cert databases
+**
+*/
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+#include "cdbhdl.h"
+#include "certdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "pcert.h"
+#include "nss.h"
+
+static char *progName;
+
+/* placeholders for pointer error types */
+static void *WrongEntry;
+static void *NoNickname;
+static void *NoSMime;
+
+typedef enum {
+/* 0*/ NoSubjectForCert = 0,
+/* 1*/ SubjectHasNoKeyForCert,
+/* 2*/ NoNicknameOrSMimeForSubject,
+/* 3*/ WrongNicknameForSubject,
+/* 4*/ NoNicknameEntry,
+/* 5*/ WrongSMimeForSubject,
+/* 6*/ NoSMimeEntry,
+/* 7*/ NoSubjectForNickname,
+/* 8*/ NoSubjectForSMime,
+/* 9*/ NicknameAndSMimeEntries,
+    NUM_ERROR_TYPES
+} dbErrorType;
+
+static char *dbErrorString[NUM_ERROR_TYPES] = {
+/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
+/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
+/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
+/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
+/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
+/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
+/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
+/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
+/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
+};
+
+static char *errResult[NUM_ERROR_TYPES] = {
+    "Certificate entries that had no subject entry.", 
+    "Subject entries with no corresponding Certificate entries.", 
+    "Subject entries that had no nickname or S/MIME entries.",
+    "Redundant nicknames (subjects with the same nickname).",
+    "Subject entries that had no nickname entry.",
+    "Redundant email addresses (subjects with the same email address).",
+    "Subject entries that had no S/MIME entry.",
+    "Nickname entries that had no subject entry.", 
+    "S/MIME entries that had no subject entry.",
+    "Subject entries with BOTH nickname and S/MIME entries."
+};
+
+
+enum {
+    GOBOTH = 0,
+    GORIGHT,
+    GOLEFT
+};
+
+typedef struct
+{
+    PRBool verbose;
+    PRBool dograph;
+    PRFileDesc *out;
+    PRFileDesc *graphfile;
+    int dbErrors[NUM_ERROR_TYPES];
+} dbDebugInfo;
+
+struct certDBEntryListNodeStr {
+    PRCList link;
+    certDBEntry entry;
+    void *appData;
+};
+typedef struct certDBEntryListNodeStr  certDBEntryListNode;
+
+/*
+ * A list node for a cert db entry.  The index is a unique identifier
+ * to use for creating generic maps of a db.  This struct handles
+ * the cert, nickname, and smime db entry types, as all three have a
+ * single handle to a subject entry.
+ * This structure is pointed to by certDBEntryListNode->appData.
+ */
+typedef struct 
+{
+    PRArenaPool *arena;
+    int index;
+    certDBEntryListNode *pSubject;
+} certDBEntryMap;
+
+/*
+ * Subject entry is special case, it has bidirectional handles.  One
+ * subject entry can point to several certs (using the same DN), and
+ * a nickname and/or smime entry.
+ * This structure is pointed to by certDBEntryListNode->appData.
+ */
+typedef struct
+{
+    PRArenaPool *arena;
+    int index;
+    int numCerts;
+    certDBEntryListNode **pCerts;
+    certDBEntryListNode *pNickname;
+    certDBEntryListNode *pSMime;
+} certDBSubjectEntryMap;
+
+/*
+ * A map of a certdb.
+ */
+typedef struct
+{
+    int numCerts;
+    int numSubjects;
+    int numNicknames;
+    int numSMime;
+    int numRevocation;
+    certDBEntryListNode certs;      /* pointer to head of cert list */
+    certDBEntryListNode subjects;   /* pointer to head of subject list */
+    certDBEntryListNode nicknames;  /* pointer to head of nickname list */
+    certDBEntryListNode smime;      /* pointer to head of smime list */
+    certDBEntryListNode revocation; /* pointer to head of revocation list */
+} certDBArray;
+
+/* Cast list to the base element, a certDBEntryListNode. */
+#define LISTNODE_CAST(node) \
+    ((certDBEntryListNode *)(node))
+
+static void 
+Usage(char *progName)
+{
+#define FPS fprintf(stderr, 
+    FPS "Type %s -H for more detailed descriptions\n", progName);
+    FPS "Usage:  %s -D [-d certdir] [-m] [-v [-f dumpfile]]\n", 
+	progName);
+#ifdef DORECOVER
+    FPS "        %s -R -o newdbname [-d certdir] [-aprsx] [-v [-f dumpfile]]\n", 
+	progName);
+#endif
+    exit(-1);
+}
+
+static void
+LongUsage(char *progName)
+{
+    FPS "%-15s Display this help message.\n",
+	"-H");
+    FPS "%-15s Dump analysis.  No changes will be made to the database.\n",
+	"-D");
+    FPS "%-15s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-15s Put database graph in ./mailfile (default is stdout).\n",
+	"   -m");
+    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert8.db.\n",
+	"   -v");
+    FPS "%-15s File to dump verbose output into. (default is stdout)\n",
+	"   -f dumpfile");
+#ifdef DORECOVER
+    FPS "%-15s Repair the database.  The program will look for broken\n",
+	"-R");
+    FPS "%-15s dependencies between subject entries and certificates,\n",
+        "");
+    FPS "%-15s between nickname entries and subjects, and between SMIME\n",
+        "");
+    FPS "%-15s profiles and subjects.  Any duplicate entries will be\n",
+        "");
+    FPS "%-15s removed, any missing entries will be created.\n",
+        "");
+    FPS "%-15s File to store new database in (default is new_cert8.db)\n",
+	"   -o newdbname");
+    FPS "%-15s Cert database directory (default is ~/.netscape)\n",
+	"   -d certdir");
+    FPS "%-15s Prompt before removing any certificates.\n",
+        "   -p");
+    FPS "%-15s Keep all possible certificates.  Only remove certificates\n",
+	"   -a");
+    FPS "%-15s which prevent creation of a consistent database.  Thus any\n",
+	"");
+    FPS "%-15s expired or redundant entries will be kept.\n",
+	"");
+    FPS "%-15s Keep redundant nickname/email entries.  It is possible\n",
+	"   -r");
+    FPS "%-15s only one such entry will be usable.\n",
+	"");
+    FPS "%-15s Don't require an S/MIME profile in order to keep an S/MIME\n",
+	"   -s");
+    FPS "%-15s cert.  An empty profile will be created.\n",
+	"");
+    FPS "%-15s Keep expired certificates.\n",
+	"   -x");
+    FPS "%-15s Verbose mode - report all activity while recovering db.\n",
+	"   -v");
+    FPS "%-15s File to dump verbose output into.\n",
+	"   -f dumpfile");
+    FPS "\n");
+#endif
+    exit(-1);
+#undef FPS
+}
+
+/*******************************************************************
+ *
+ *  Functions for dbck.
+ *
+ ******************************************************************/
+
+void
+printHexString(PRFileDesc *out, SECItem *hexval)
+{
+    unsigned int i;
+    for (i = 0; i < hexval->len; i++) {
+	if (i != hexval->len - 1) {
+	    PR_fprintf(out, "%02x:", hexval->data[i]);
+	} else {
+	    PR_fprintf(out, "%02x", hexval->data[i]);
+	}
+    }
+    PR_fprintf(out, "\n");
+}
+
+
+SECStatus
+dumpCertificate(CERTCertificate *cert, int num, PRFileDesc *outfile)
+{
+    int userCert = 0;
+    CERTCertTrust *trust = cert->trust;
+    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+    if (num >= 0) {
+	PR_fprintf(outfile, "Certificate: %3d\n", num);
+    } else {
+	PR_fprintf(outfile, "Certificate:\n");
+    }
+    PR_fprintf(outfile, "----------------\n");
+    if (userCert)
+	PR_fprintf(outfile, "(User Cert)\n");
+    PR_fprintf(outfile, "## SUBJECT:  %s\n", cert->subjectName);
+    PR_fprintf(outfile, "## ISSUER:  %s\n", cert->issuerName);
+    PR_fprintf(outfile, "## SERIAL NUMBER:  ");
+    printHexString(outfile, &cert->serialNumber);
+    {  /*  XXX should be separate function.  */
+	int64 timeBefore, timeAfter;
+	PRExplodedTime beforePrintable, afterPrintable;
+	char *beforestr, *afterstr;
+	DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore);
+	DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
+	PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
+	PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
+	beforestr = PORT_Alloc(100);
+	afterstr = PORT_Alloc(100);
+	PR_FormatTime(beforestr, 100, "%a %b %d %H:%M:%S %Y", &beforePrintable);
+	PR_FormatTime(afterstr, 100, "%a %b %d %H:%M:%S %Y", &afterPrintable);
+	PR_fprintf(outfile, "## VALIDITY:  %s to %s\n", beforestr, afterstr);
+    }
+    PR_fprintf(outfile, "\n");
+    return SECSuccess;
+}
+
+SECStatus
+dumpCertEntry(certDBEntryCert *entry, int num, PRFileDesc *outfile)
+{
+#if 0
+    NSSLOWCERTCertificate *cert;
+    /* should we check for existing duplicates? */
+    cert = nsslowcert_DecodeDERCertificate(&entry->cert.derCert, 
+					    entry->cert.nickname);
+#else
+    CERTCertificate *cert;
+    cert = CERT_DecodeDERCertificate(&entry->derCert, PR_FALSE, NULL);
+#endif
+    if (!cert) {
+	fprintf(stderr, "Failed to decode certificate.\n");
+	return SECFailure;
+    }
+    cert->trust = (CERTCertTrust *)&entry->trust;
+    dumpCertificate(cert, num, outfile);
+    CERT_DestroyCertificate(cert);
+    return SECSuccess;
+}
+
+SECStatus
+dumpSubjectEntry(certDBEntrySubject *entry, int num, PRFileDesc *outfile)
+{
+    char *subjectName = CERT_DerNameToAscii(&entry->derSubject);
+
+    PR_fprintf(outfile, "Subject: %3d\n", num);
+    PR_fprintf(outfile, "------------\n");
+    PR_fprintf(outfile, "## %s\n", subjectName);
+    if (entry->nickname)
+	PR_fprintf(outfile, "## Subject nickname:  %s\n", entry->nickname);
+    if (entry->emailAddrs) {
+	unsigned int n;
+	for (n = 0; n < entry->nemailAddrs && entry->emailAddrs[n]; ++n) {
+	    char * emailAddr = entry->emailAddrs[n];
+	    if (emailAddr[0]) {
+		PR_fprintf(outfile, "## Subject email address:  %s\n", 
+	           emailAddr);
+	    }
+	}
+    }
+    PR_fprintf(outfile, "## This subject has %d cert(s).\n", entry->ncerts);
+    PR_fprintf(outfile, "\n");
+    PORT_Free(subjectName);
+    return SECSuccess;
+}
+
+SECStatus
+dumpNicknameEntry(certDBEntryNickname *entry, int num, PRFileDesc *outfile)
+{
+    PR_fprintf(outfile, "Nickname: %3d\n", num);
+    PR_fprintf(outfile, "-------------\n");
+    PR_fprintf(outfile, "##  \"%s\"\n\n", entry->nickname);
+    return SECSuccess;
+}
+
+SECStatus
+dumpSMimeEntry(certDBEntrySMime *entry, int num, PRFileDesc *outfile)
+{
+    PR_fprintf(outfile, "S/MIME Profile: %3d\n", num);
+    PR_fprintf(outfile, "-------------------\n");
+    PR_fprintf(outfile, "##  \"%s\"\n", entry->emailAddr);
+#ifdef OLDWAY
+    PR_fprintf(outfile, "##  OPTIONS:  ");
+    printHexString(outfile, &entry->smimeOptions);
+    PR_fprintf(outfile, "##  TIMESTAMP:  ");
+    printHexString(outfile, &entry->optionsDate);
+#else
+    SECU_PrintAny(stdout, &entry->smimeOptions, "##  OPTIONS  ", 0);
+    fflush(stdout);
+    if (entry->optionsDate.len && entry->optionsDate.data)
+	PR_fprintf(outfile, "##  TIMESTAMP: %.*s\n", 
+	           entry->optionsDate.len, entry->optionsDate.data);
+#endif
+    PR_fprintf(outfile, "\n");
+    return SECSuccess;
+}
+
+SECStatus
+mapCertEntries(certDBArray *dbArray)
+{
+    certDBEntryCert *certEntry;
+    certDBEntrySubject *subjectEntry;
+    certDBEntryListNode *certNode, *subjNode;
+    certDBSubjectEntryMap *smap;
+    certDBEntryMap *map;
+    PRArenaPool *tmparena;
+    SECItem derSubject;
+    SECItem certKey;
+    PRCList *cElem, *sElem;
+
+    /* Arena for decoded entries */
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (tmparena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* Iterate over cert entries and map them to subject entries. 
+     * NOTE: mapSubjectEntries must be called first to alloc memory
+     * for array of subject->cert map.
+     */
+    for (cElem = PR_LIST_HEAD(&dbArray->certs.link); 
+         cElem != &dbArray->certs.link; cElem = PR_NEXT_LINK(cElem)) {
+	certNode = LISTNODE_CAST(cElem);
+	certEntry = (certDBEntryCert *)&certNode->entry;
+	map = (certDBEntryMap *)certNode->appData;
+	CERT_NameFromDERCert(&certEntry->derCert, &derSubject);
+	CERT_KeyFromDERCert(tmparena, &certEntry->derCert, &certKey);
+	/*  Loop over found subjects for cert's DN.  */
+	for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
+	     sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
+	    subjNode = LISTNODE_CAST(sElem);
+	    subjectEntry = (certDBEntrySubject *)&subjNode->entry;
+	    if (SECITEM_ItemsAreEqual(&derSubject, &subjectEntry->derSubject)) {
+		unsigned int i;
+		/*  Found matching subject name, create link.  */
+		map->pSubject = subjNode;
+		/*  Make sure subject entry has cert's key.  */
+		for (i=0; i<subjectEntry->ncerts; i++) {
+		    if (SECITEM_ItemsAreEqual(&certKey,
+		                              &subjectEntry->certKeys[i])) {
+			/*  Found matching cert key.  */
+			smap = (certDBSubjectEntryMap *)subjNode->appData;
+			smap->pCerts[i] = certNode;
+			break;
+		    }
+		}
+	    }
+	}
+    }
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return SECSuccess;
+}
+
+SECStatus
+mapSubjectEntries(certDBArray *dbArray)
+{
+    certDBEntrySubject *subjectEntry;
+    certDBEntryListNode *subjNode;
+    certDBSubjectEntryMap *subjMap;
+    PRCList *sElem;
+
+    for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
+         sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
+	/* Iterate over subject entries and map subjects to nickname
+	 * and smime entries.  The cert<->subject map will be handled
+	 * by a subsequent call to mapCertEntries.
+	 */
+	subjNode = LISTNODE_CAST(sElem);
+	subjectEntry = (certDBEntrySubject *)&subjNode->entry;
+	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
+	/* need to alloc memory here for array of matching certs. */
+	subjMap->pCerts = PORT_ArenaAlloc(subjMap->arena, 
+	                                  subjectEntry->ncerts*sizeof(int));
+	subjMap->numCerts = subjectEntry->ncerts;
+	subjMap->pNickname = NoNickname;
+	subjMap->pSMime = NoSMime;
+
+	if (subjectEntry->nickname) {
+	    /* Subject should have a nickname entry, so create a link. */
+	    PRCList *nElem;
+	    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
+	         nElem != &dbArray->nicknames.link; 
+	         nElem = PR_NEXT_LINK(nElem)) {
+		certDBEntryListNode *nickNode;
+		certDBEntryNickname *nicknameEntry;
+		/*  Look for subject's nickname in nickname entries.  */
+		nickNode = LISTNODE_CAST(nElem);
+		nicknameEntry = (certDBEntryNickname *)&nickNode->entry;
+		if (PL_strcmp(subjectEntry->nickname, 
+		              nicknameEntry->nickname) == 0) {
+		    /*  Found a nickname entry for subject's nickname.  */
+		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+		                              &nicknameEntry->subjectName)) {
+			certDBEntryMap *nickMap;
+			nickMap = (certDBEntryMap *)nickNode->appData;
+			/*  Nickname and subject match.  */
+			subjMap->pNickname = nickNode;
+			nickMap->pSubject = subjNode;
+		    } else if (subjMap->pNickname == NoNickname) {
+			/*  Nickname entry found is for diff. subject.  */
+			subjMap->pNickname = WrongEntry;
+		    }
+		}
+	    }
+	}
+	if (subjectEntry->emailAddrs) {
+	    unsigned int n;
+	    for (n = 0; n < subjectEntry->nemailAddrs && 
+	                subjectEntry->emailAddrs[n]; ++n) {
+		char * emailAddr = subjectEntry->emailAddrs[n];
+		if (emailAddr[0]) {
+		    PRCList *mElem;
+		    /* Subject should have an smime entry, so create a link. */
+		    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
+			 mElem != &dbArray->smime.link; 
+			 mElem = PR_NEXT_LINK(mElem)) {
+			certDBEntryListNode *smimeNode;
+			certDBEntrySMime *smimeEntry;
+			/*  Look for subject's email in S/MIME entries.  */
+			smimeNode = LISTNODE_CAST(mElem);
+			smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
+			if (PL_strcmp(emailAddr, 
+				      smimeEntry->emailAddr) == 0) {
+			    /*  Found a S/MIME entry for subject's email.  */
+			    if (SECITEM_ItemsAreEqual(
+			    		&subjectEntry->derSubject,
+				        &smimeEntry->subjectName)) {
+				certDBEntryMap *smimeMap;
+				/*  S/MIME entry and subject match.  */
+				subjMap->pSMime = smimeNode;
+				smimeMap = (certDBEntryMap *)smimeNode->appData;
+				smimeMap->pSubject = subjNode;
+			    } else if (subjMap->pSMime == NoSMime) {
+				/*  S/MIME entry found is for diff. subject.  */
+				subjMap->pSMime = WrongEntry;
+			    }
+			}
+		    }   /* end for */
+		}   /* endif (emailAddr[0]) */
+	    }   /* end for */
+	}   /* endif (subjectEntry->emailAddrs) */
+    }
+    return SECSuccess;
+}
+
+void
+printnode(dbDebugInfo *info, const char *str, int num)
+{
+    if (!info->dograph)
+	return;
+    if (num < 0) {
+	PR_fprintf(info->graphfile, str);
+    } else {
+	PR_fprintf(info->graphfile, str, num);
+    }
+}
+
+PRBool
+map_handle_is_ok(dbDebugInfo *info, void *mapPtr, int indent)
+{
+    if (mapPtr == NULL) {
+	if (indent > 0)
+	    printnode(info, "                ", -1);
+	if (indent >= 0)
+	    printnode(info, "******************* ", -1);
+	return PR_FALSE;
+    } else if (mapPtr == WrongEntry) {
+	if (indent > 0)
+	    printnode(info, "                  ", -1);
+	if (indent >= 0)
+	    printnode(info, "??????????????????? ", -1);
+	return PR_FALSE;
+    } else {
+	return PR_TRUE;
+    }
+}
+
+/* these call each other */
+void print_smime_graph(dbDebugInfo *info, certDBEntryMap *smimeMap, 
+                       int direction);
+void print_nickname_graph(dbDebugInfo *info, certDBEntryMap *nickMap, 
+                          int direction);
+void print_subject_graph(dbDebugInfo *info, certDBSubjectEntryMap *subjMap, 
+                         int direction, int optindex, int opttype);
+void print_cert_graph(dbDebugInfo *info, certDBEntryMap *certMap, 
+                      int direction);
+
+/* Given an smime entry, print its unique identifier.  If GOLEFT is 
+ * specified, print the cert<-subject<-smime map, else just print
+ * the smime entry.
+ */
+void
+print_smime_graph(dbDebugInfo *info, certDBEntryMap *smimeMap, int direction)
+{
+    certDBSubjectEntryMap *subjMap;
+    certDBEntryListNode *subjNode;
+    if (direction == GOLEFT) {
+	/* Need to output subject and cert first, see print_subject_graph */
+	subjNode = smimeMap->pSubject;
+	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
+	    subjMap = (certDBSubjectEntryMap *)subjNode->appData; 
+	    print_subject_graph(info, subjMap, GOLEFT,
+	                        smimeMap->index, certDBEntryTypeSMimeProfile);
+	} else {
+	    printnode(info, "<---- S/MIME   %5d   ", smimeMap->index);
+	    info->dbErrors[NoSubjectForSMime]++;
+	}
+    } else {
+	printnode(info, "S/MIME   %5d   ", smimeMap->index);
+    }
+}
+
+/* Given a nickname entry, print its unique identifier.  If GOLEFT is 
+ * specified, print the cert<-subject<-nickname map, else just print
+ * the nickname entry.
+ */
+void
+print_nickname_graph(dbDebugInfo *info, certDBEntryMap *nickMap, int direction)
+{
+    certDBSubjectEntryMap *subjMap;
+    certDBEntryListNode *subjNode;
+    if (direction == GOLEFT) {
+	/* Need to output subject and cert first, see print_subject_graph */
+	subjNode = nickMap->pSubject;
+	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
+	    subjMap = (certDBSubjectEntryMap *)subjNode->appData;
+	    print_subject_graph(info, subjMap, GOLEFT,
+	                        nickMap->index, certDBEntryTypeNickname);
+	} else {
+	    printnode(info, "<---- Nickname %5d   ", nickMap->index);
+	    info->dbErrors[NoSubjectForNickname]++;
+	}
+    } else {
+	printnode(info, "Nickname %5d   ", nickMap->index);
+    }
+}
+
+/* Given a subject entry, if going right print the graph of the nickname|smime
+ * that it maps to (by its unique identifier); and if going left
+ * print the list of certs that it points to.
+ */
+void
+print_subject_graph(dbDebugInfo *info, certDBSubjectEntryMap *subjMap, 
+                    int direction, int optindex, int opttype)
+{
+    certDBEntryMap *map;
+    certDBEntryListNode *node;
+    int i;
+    /* The first line of output always contains the cert id, subject id,
+     * and nickname|smime id.  Subsequent lines may contain additional
+     * cert id's for the subject if going left or both directions.
+     * Ex. of printing the graph for a subject entry:
+     * Cert 3 <- Subject 5 -> Nickname 32
+     * Cert 8 /
+     * Cert 9 /
+     * means subject 5 has 3 certs, 3, 8, and 9, and corresponds
+     * to nickname entry 32.
+     * To accomplish the above, it is required to dump the entire first
+     * line left-to-right, regardless of the input direction, and then
+     * finish up any remaining cert entries.  Hence the code is uglier
+     * than one may expect.
+     */
+    if (direction == GOLEFT || direction == GOBOTH) {
+	/* In this case, nothing should be output until the first cert is
+	 * located and output (cert 3 in the above example).
+	 */
+	if (subjMap->numCerts == 0 || subjMap->pCerts == NULL)
+	    /* XXX uh-oh */
+	    return;
+	/* get the first cert and dump it. */
+	node = subjMap->pCerts[0];
+	if (map_handle_is_ok(info, (void *)node, 0)) {
+	    map = (certDBEntryMap *)node->appData;
+	    /* going left here stops. */
+	    print_cert_graph(info, map, GOLEFT); 
+	} else {
+	    info->dbErrors[SubjectHasNoKeyForCert]++;
+	}
+	/* Now it is safe to output the subject id. */
+	if (direction == GOLEFT)
+	    printnode(info, "Subject  %5d <---- ", subjMap->index);
+	else /* direction == GOBOTH */
+	    printnode(info, "Subject  %5d ----> ", subjMap->index);
+    }
+    if (direction == GORIGHT || direction == GOBOTH) { 
+	/* Okay, now output the nickname|smime for this subject. */
+	if (direction != GOBOTH) /* handled above */
+	   printnode(info, "Subject  %5d ----> ", subjMap->index);
+	if (subjMap->pNickname) {
+	    node = subjMap->pNickname;
+	    if (map_handle_is_ok(info, (void *)node, 0)) {
+		map = (certDBEntryMap *)node->appData;
+		/* going right here stops. */
+		print_nickname_graph(info, map, GORIGHT);
+	    }
+	}
+	if (subjMap->pSMime) {
+	    node = subjMap->pSMime;
+	    if (map_handle_is_ok(info, (void *)node, 0)) {
+		map = (certDBEntryMap *)node->appData;
+		/* going right here stops. */
+		print_smime_graph(info, map, GORIGHT); 
+	    }
+	}
+	if (!subjMap->pNickname && !subjMap->pSMime) {
+	    printnode(info, "******************* ", -1);
+	    info->dbErrors[NoNicknameOrSMimeForSubject]++;
+	}
+	if (subjMap->pNickname && subjMap->pSMime) {
+	    info->dbErrors[NicknameAndSMimeEntries]++;
+	}
+    }
+    if (direction != GORIGHT) { /* going right has only one cert */
+	if (opttype == certDBEntryTypeNickname)
+	    printnode(info, "Nickname %5d   ", optindex);
+	else if (opttype == certDBEntryTypeSMimeProfile)
+	    printnode(info, "S/MIME   %5d   ", optindex);
+	for (i=1 /* 1st one already done */; i<subjMap->numCerts; i++) {
+	    printnode(info, "\n", -1); /* start a new line */
+	    node = subjMap->pCerts[i];
+	    if (map_handle_is_ok(info, (void *)node, 0)) {
+		map = (certDBEntryMap *)node->appData;
+		/* going left here stops. */
+		print_cert_graph(info, map, GOLEFT); 
+		printnode(info, "/", -1);
+	    }
+	}
+    }
+}
+
+/* Given a cert entry, print its unique identifer.  If GORIGHT is specified,
+ * print the cert->subject->nickname|smime map, else just print
+ * the cert entry.
+ */
+void
+print_cert_graph(dbDebugInfo *info, certDBEntryMap *certMap, int direction)
+{
+    certDBSubjectEntryMap *subjMap;
+    certDBEntryListNode *subjNode;
+    if (direction == GOLEFT) {
+	printnode(info, "Cert     %5d <---- ", certMap->index);
+	/* only want cert entry, terminate here. */
+	return;
+    }
+    /* Keep going right then. */
+    printnode(info, "Cert     %5d ----> ", certMap->index);
+    subjNode = certMap->pSubject;
+    if (map_handle_is_ok(info, (void *)subjNode, 0)) {
+	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
+	print_subject_graph(info, subjMap, GORIGHT, -1, -1);
+    } else {
+	info->dbErrors[NoSubjectForCert]++;
+    }
+}
+
+SECStatus
+computeDBGraph(certDBArray *dbArray, dbDebugInfo *info)
+{
+    PRCList *cElem, *sElem, *nElem, *mElem;
+    certDBEntryListNode *node;
+    certDBEntryMap *map;
+    certDBSubjectEntryMap *subjMap;
+
+    /* Graph is of this form:
+     *
+     * certs:
+     * cert ---> subject ---> (nickname|smime)
+     *
+     * subjects:
+     * cert <--- subject ---> (nickname|smime)
+     *
+     * nicknames and smime:
+     * cert <--- subject <--- (nickname|smime)
+     */
+
+    /* Print cert graph. */
+    for (cElem = PR_LIST_HEAD(&dbArray->certs.link);
+         cElem != &dbArray->certs.link; cElem = PR_NEXT_LINK(cElem)) {
+	/* Print graph of everything to right of cert entry. */
+	node = LISTNODE_CAST(cElem);
+	map = (certDBEntryMap *)node->appData;
+	print_cert_graph(info, map, GORIGHT);
+	printnode(info, "\n", -1);
+    }
+    printnode(info, "\n", -1);
+
+    /* Print subject graph. */
+    for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
+         sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
+	/* Print graph of everything to both sides of subject entry. */
+	node = LISTNODE_CAST(sElem);
+	subjMap = (certDBSubjectEntryMap *)node->appData;
+	print_subject_graph(info, subjMap, GOBOTH, -1, -1);
+	printnode(info, "\n", -1);
+    }
+    printnode(info, "\n", -1);
+
+    /* Print nickname graph. */
+    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
+         nElem != &dbArray->nicknames.link; nElem = PR_NEXT_LINK(nElem)) {
+	/* Print graph of everything to left of nickname entry. */
+	node = LISTNODE_CAST(nElem);
+	map = (certDBEntryMap *)node->appData;
+	print_nickname_graph(info, map, GOLEFT);
+	printnode(info, "\n", -1);
+    }
+    printnode(info, "\n", -1);
+
+    /* Print smime graph. */
+    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
+         mElem != &dbArray->smime.link; mElem = PR_NEXT_LINK(mElem)) {
+	/* Print graph of everything to left of smime entry. */
+	node = LISTNODE_CAST(mElem);
+	if (node == NULL) break;
+	map = (certDBEntryMap *)node->appData;
+	print_smime_graph(info, map, GOLEFT);
+	printnode(info, "\n", -1);
+    }
+    printnode(info, "\n", -1);
+
+    return SECSuccess;
+}
+
+/*
+ * List the entries in the db, showing handles between entry types.
+ */
+void
+verboseOutput(certDBArray *dbArray, dbDebugInfo *info)
+{
+    int i, ref;
+    PRCList *elem;
+    certDBEntryListNode *node;
+    certDBEntryMap *map;
+    certDBSubjectEntryMap *smap;
+    certDBEntrySubject *subjectEntry;
+
+    /* List certs */
+    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
+         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	map = (certDBEntryMap *)node->appData;
+	dumpCertEntry((certDBEntryCert*)&node->entry, map->index, info->out);
+	/* walk the cert handle to it's subject entry */
+	if (map_handle_is_ok(info, map->pSubject, -1)) {
+	    smap = (certDBSubjectEntryMap *)map->pSubject->appData;
+	    ref = smap->index;
+	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
+	} else {
+	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
+	}
+    }
+    /* List subjects */
+    for (elem = PR_LIST_HEAD(&dbArray->subjects.link);
+         elem != &dbArray->subjects.link; elem = PR_NEXT_LINK(elem)) {
+	int refs = 0;
+	node = LISTNODE_CAST(elem);
+	subjectEntry = (certDBEntrySubject *)&node->entry;
+	smap = (certDBSubjectEntryMap *)node->appData;
+	dumpSubjectEntry(subjectEntry, smap->index, info->out);
+	/* iterate over subject's certs */
+	for (i=0; i<smap->numCerts; i++) {
+	    /* walk each subject handle to it's cert entries */
+	    if (map_handle_is_ok(info, smap->pCerts[i], -1)) {
+		ref = ((certDBEntryMap *)smap->pCerts[i]->appData)->index;
+		PR_fprintf(info->out, "-->(%d. certificate %d)\n", i, ref);
+	    } else {
+		PR_fprintf(info->out, "-->(%d. MISSING CERT ENTRY)\n", i);
+	    }
+	}
+	if (subjectEntry->nickname) {
+	    ++refs;
+	    /* walk each subject handle to it's nickname entry */
+	    if (map_handle_is_ok(info, smap->pNickname, -1)) {
+		ref = ((certDBEntryMap *)smap->pNickname->appData)->index;
+		PR_fprintf(info->out, "-->(nickname %d)\n", ref);
+	    } else {
+		PR_fprintf(info->out, "-->(MISSING NICKNAME ENTRY)\n");
+	    }
+	}
+	if (subjectEntry->nemailAddrs && 
+	    subjectEntry->emailAddrs &&
+	    subjectEntry->emailAddrs[0] &&
+	    subjectEntry->emailAddrs[0][0]) {
+	    ++refs;
+	    /* walk each subject handle to it's smime entry */
+	    if (map_handle_is_ok(info, smap->pSMime, -1)) {
+		ref = ((certDBEntryMap *)smap->pSMime->appData)->index;
+		PR_fprintf(info->out, "-->(s/mime %d)\n", ref);
+	    } else {
+		PR_fprintf(info->out, "-->(MISSING S/MIME ENTRY)\n");
+	    }
+	}
+	if (!refs) {
+	    PR_fprintf(info->out, "-->(NO NICKNAME+S/MIME ENTRY)\n");
+	}
+	PR_fprintf(info->out, "\n\n");
+    }
+    for (elem = PR_LIST_HEAD(&dbArray->nicknames.link);
+         elem != &dbArray->nicknames.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	map = (certDBEntryMap *)node->appData;
+	dumpNicknameEntry((certDBEntryNickname*)&node->entry, map->index, 
+	                  info->out);
+	if (map_handle_is_ok(info, map->pSubject, -1)) {
+	    ref = ((certDBEntryMap *)map->pSubject->appData)->index;
+	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
+	} else {
+	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
+	}
+    }
+    for (elem = PR_LIST_HEAD(&dbArray->smime.link);
+         elem != &dbArray->smime.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	map = (certDBEntryMap *)node->appData;
+	dumpSMimeEntry((certDBEntrySMime*)&node->entry, map->index, info->out);
+	if (map_handle_is_ok(info, map->pSubject, -1)) {
+	    ref = ((certDBEntryMap *)map->pSubject->appData)->index;
+	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
+	} else {
+	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
+	}
+    }
+    PR_fprintf(info->out, "\n\n");
+}
+
+
+/* A callback function, intended to be called from nsslowcert_TraverseDBEntries
+ * Builds a PRCList of DB entries of the specified type.
+ */
+SECStatus 
+SEC_GetCertDBEntryList(SECItem *dbdata, SECItem *dbkey, 
+                       certDBEntryType entryType, void *pdata)
+{
+    certDBEntry         * entry;
+    certDBEntryListNode * node;
+    PRCList             * list = (PRCList *)pdata;
+
+    if (!dbdata || !dbkey || !pdata || !dbdata->data || !dbkey->data) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    entry = nsslowcert_DecodeAnyDBEntry(dbdata, dbkey, entryType, NULL);
+    if (!entry) {
+    	return SECSuccess; /* skip it */
+    }
+    node = PORT_ArenaZNew(entry->common.arena, certDBEntryListNode);
+    if (!node) {
+    	/* DestroyDBEntry(entry); */
+	PLArenaPool *arena = entry->common.arena;
+	PORT_Memset(&entry->common, 0, sizeof entry->common);
+	PORT_FreeArena(arena, PR_FALSE);
+	return SECFailure;
+    }
+    node->entry = *entry;  		/* crude but effective. */
+    PR_INIT_CLIST(&node->link);
+    PR_INSERT_BEFORE(&node->link, list);
+    return SECSuccess;
+}
+
+
+int
+fillDBEntryArray(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, 
+                 certDBEntryListNode *list)
+{
+    PRCList *elem;
+    certDBEntryListNode *node;
+    certDBEntryMap *mnode;
+    certDBSubjectEntryMap *smnode;
+    PRArenaPool *arena;
+    int count = 0;
+
+    /* Initialize a dummy entry in the list.  The list head will be the
+     * next element, so this element is skipped by for loops.
+     */
+    PR_INIT_CLIST((PRCList *)list);
+    /* Collect all of the cert db entries for this type into a list. */
+    nsslowcert_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, list);
+
+    for (elem = PR_LIST_HEAD(&list->link); 
+         elem != &list->link; elem = PR_NEXT_LINK(elem)) {
+	/* Iterate over the entries and ... */
+	node = (certDBEntryListNode *)elem;
+	if (type != certDBEntryTypeSubject) {
+	    arena = PORT_NewArena(sizeof(*mnode));
+	    mnode = PORT_ArenaZNew(arena, certDBEntryMap);
+	    mnode->arena = arena;
+	    /* ... assign a unique index number to each node, and ... */
+	    mnode->index = count;
+	    /* ... set the map pointer for the node. */
+	    node->appData = (void *)mnode;
+	} else {
+	    /* allocate some room for the cert pointers also */
+	    arena = PORT_NewArena(sizeof(*smnode) + 20*sizeof(void *));
+	    smnode = PORT_ArenaZNew(arena, certDBSubjectEntryMap);
+	    smnode->arena = arena;
+	    smnode->index = count;
+	    node->appData = (void *)smnode;
+	}
+	count++;
+    }
+    return count;
+}
+
+void
+freeDBEntryList(PRCList *list)
+{
+    PRCList *next, *elem;
+    certDBEntryListNode *node;
+    certDBEntryMap *map;
+
+    for (elem = PR_LIST_HEAD(list); elem != list;) { 
+	next = PR_NEXT_LINK(elem);
+	node = (certDBEntryListNode *)elem;
+	map = (certDBEntryMap *)node->appData;
+	PR_REMOVE_LINK(&node->link);
+	PORT_FreeArena(map->arena, PR_TRUE);
+	PORT_FreeArena(node->entry.common.arena, PR_TRUE);
+	elem = next;
+    }
+}
+
+void
+DBCK_DebugDB(NSSLOWCERTCertDBHandle *handle, PRFileDesc *out, 
+	     PRFileDesc *mailfile)
+{
+    int i, nCertsFound, nSubjFound, nErr;
+    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime, nRevocation;
+    PRCList *elem;
+    char c;
+    dbDebugInfo info;
+    certDBArray dbArray;
+
+    PORT_Memset(&dbArray, 0, sizeof(dbArray));
+    PORT_Memset(&info, 0, sizeof(info));
+    info.verbose = (PRBool)(out != NULL);
+    info.dograph = info.verbose;
+    info.out       = (out)    ? out      : PR_STDOUT;
+    info.graphfile = mailfile ? mailfile : PR_STDOUT;
+
+    /*  Fill the array structure with cert/subject/nickname/smime entries.  */
+    dbArray.numCerts     = fillDBEntryArray(handle, certDBEntryTypeCert, 
+                                            &dbArray.certs);
+    dbArray.numSubjects  = fillDBEntryArray(handle, certDBEntryTypeSubject, 
+                                            &dbArray.subjects);
+    dbArray.numNicknames = fillDBEntryArray(handle, certDBEntryTypeNickname, 
+                                            &dbArray.nicknames);
+    dbArray.numSMime     = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
+                                            &dbArray.smime);
+    dbArray.numRevocation= fillDBEntryArray(handle, certDBEntryTypeRevocation, 
+                                            &dbArray.revocation);
+
+    /*  Compute the map between the database entries.  */
+    mapSubjectEntries(&dbArray);
+    mapCertEntries(&dbArray);
+    computeDBGraph(&dbArray, &info);
+
+    /*  Store the totals for later reference.  */
+    nCerts     = dbArray.numCerts;
+    nSubjects  = dbArray.numSubjects;
+    nNicknames = dbArray.numNicknames;
+    nSMime     = dbArray.numSMime;
+    nRevocation= dbArray.numRevocation;
+    nSubjCerts = 0;
+    for (elem = PR_LIST_HEAD(&dbArray.subjects.link);
+         elem != &dbArray.subjects.link; elem = PR_NEXT_LINK(elem)) {
+	certDBSubjectEntryMap *smap;
+	smap = (certDBSubjectEntryMap *)LISTNODE_CAST(elem)->appData;
+	nSubjCerts += smap->numCerts;
+    }
+
+    if (info.verbose) {
+	/*  Dump the database contents.  */
+	verboseOutput(&dbArray, &info);
+    }
+
+    freeDBEntryList(&dbArray.certs.link);
+    freeDBEntryList(&dbArray.subjects.link);
+    freeDBEntryList(&dbArray.nicknames.link);
+    freeDBEntryList(&dbArray.smime.link);
+    freeDBEntryList(&dbArray.revocation.link);
+
+    PR_fprintf(info.out, "\n");
+    PR_fprintf(info.out, "Database statistics:\n");
+    PR_fprintf(info.out, "N0: Found %4d Certificate entries.\n", 
+                          nCerts);
+    PR_fprintf(info.out, "N1: Found %4d Subject entries (unique DN's).\n", 
+                          nSubjects);
+    PR_fprintf(info.out, "N2: Found %4d Cert keys within Subject entries.\n", 
+                          nSubjCerts);
+    PR_fprintf(info.out, "N3: Found %4d Nickname entries.\n", 
+                          nNicknames);
+    PR_fprintf(info.out, "N4: Found %4d S/MIME entries.\n", 
+                          nSMime);
+    PR_fprintf(info.out, "N5: Found %4d CRL entries.\n", 
+                          nRevocation);
+    PR_fprintf(info.out, "\n");
+
+    nErr = 0;
+    for (i=0; i < NUM_ERROR_TYPES; i++) {
+	PR_fprintf(info.out, "E%d: Found %4d %s\n", 
+	           i, info.dbErrors[i], errResult[i]);
+	nErr += info.dbErrors[i];
+    }
+    PR_fprintf(info.out, "--------------\n    Found %4d errors in database.\n", 
+               nErr);
+
+    PR_fprintf(info.out, "\nCertificates:\n");
+    PR_fprintf(info.out, "N0 == N2 + E%d + E%d\n", NoSubjectForCert, 
+                                                   SubjectHasNoKeyForCert);
+    nCertsFound = nSubjCerts +
+                  info.dbErrors[NoSubjectForCert] +
+                  info.dbErrors[SubjectHasNoKeyForCert];
+    c = (nCertsFound == nCerts) ? '=' : '!';
+    PR_fprintf(info.out, "%d %c= %d + %d + %d\n", nCerts, c, nSubjCerts, 
+                  info.dbErrors[NoSubjectForCert],
+                  info.dbErrors[SubjectHasNoKeyForCert]);
+    PR_fprintf(info.out, "\nSubjects:\n");
+    PR_fprintf(info.out, 
+    "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d - E%d\n",
+                  NoNicknameOrSMimeForSubject, 
+		  WrongNicknameForSubject,
+		  NoNicknameEntry, 
+		  WrongSMimeForSubject, 
+		  NoSMimeEntry,
+		  NoSubjectForNickname, 
+		  NoSubjectForSMime,
+		  NicknameAndSMimeEntries);
+    nSubjFound = nNicknames + nSMime + 
+                 info.dbErrors[NoNicknameOrSMimeForSubject] +
+		 info.dbErrors[WrongNicknameForSubject] +
+		 info.dbErrors[NoNicknameEntry] +
+		 info.dbErrors[WrongSMimeForSubject] +
+                 info.dbErrors[NoSMimeEntry] -
+		 info.dbErrors[NoSubjectForNickname] -
+		 info.dbErrors[NoSubjectForSMime] -
+		 info.dbErrors[NicknameAndSMimeEntries];
+    c = (nSubjFound == nSubjects) ? '=' : '!';
+    PR_fprintf(info.out, 
+    "%2d %c= %2d + %2d + %2d + %2d + %2d + %2d + %2d - %2d - %2d - %2d\n",
+                  nSubjects, c, nNicknames, nSMime,
+                  info.dbErrors[NoNicknameOrSMimeForSubject],
+		  info.dbErrors[WrongNicknameForSubject],
+		  info.dbErrors[NoNicknameEntry],
+		  info.dbErrors[WrongSMimeForSubject],
+                  info.dbErrors[NoSMimeEntry],
+		  info.dbErrors[NoSubjectForNickname],
+		  info.dbErrors[NoSubjectForSMime],
+		  info.dbErrors[NicknameAndSMimeEntries]);
+    PR_fprintf(info.out, "\n");
+}
+
+#ifdef DORECOVER
+#include "dbrecover.c"
+#endif /* DORECOVER */
+
+enum {
+    cmd_Debug = 0,
+    cmd_LongUsage,
+    cmd_Recover
+};
+
+enum {
+    opt_KeepAll = 0,
+    opt_CertDir,
+    opt_Dumpfile,
+    opt_InputDB,
+    opt_OutputDB,
+    opt_Mailfile,
+    opt_Prompt,
+    opt_KeepRedundant,
+    opt_KeepNoSMimeProfile,
+    opt_Verbose,
+    opt_KeepExpired
+};
+
+static secuCommandFlag dbck_commands[] =
+{
+    { /* cmd_Debug,    */  'D', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_LongUsage,*/  'H', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_Recover,  */  'R', PR_FALSE, 0, PR_FALSE }
+};
+
+static secuCommandFlag dbck_options[] =
+{
+    { /* opt_KeepAll,           */  'a', PR_FALSE, 0, PR_FALSE },
+    { /* opt_CertDir,           */  'd', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Dumpfile,          */  'f', PR_TRUE,  0, PR_FALSE },
+    { /* opt_InputDB,           */  'i', PR_TRUE,  0, PR_FALSE },
+    { /* opt_OutputDB,          */  'o', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Mailfile,          */  'm', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Prompt,            */  'p', PR_FALSE, 0, PR_FALSE },
+    { /* opt_KeepRedundant,     */  'r', PR_FALSE, 0, PR_FALSE },
+    { /* opt_KeepNoSMimeProfile,*/  's', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Verbose,           */  'v', PR_FALSE, 0, PR_FALSE },
+    { /* opt_KeepExpired,       */  'x', PR_FALSE, 0, PR_FALSE }
+};
+
+#define CERT_DB_FMT "%s/cert%s.db"
+
+static char *
+dbck_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+
+    switch (dbVersion) {
+      case 8:
+	dbver = "8";
+	break;
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    /* make sure we return something allocated with PORT_ so we have properly
+     * matched frees at the end */
+    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+    
+
+int 
+main(int argc, char **argv)
+{
+    NSSLOWCERTCertDBHandle *certHandle;
+
+    PRFileDesc *mailfile = NULL;
+    PRFileDesc *dumpfile = NULL;
+
+    char * pathname     = 0;
+    char * fullname     = 0;
+    char * newdbname    = 0;
+
+    PRBool removeExpired, requireProfile, singleEntry;
+    SECStatus   rv;
+    secuCommand dbck;
+
+    dbck.numCommands = sizeof(dbck_commands) / sizeof(secuCommandFlag);
+    dbck.numOptions = sizeof(dbck_options) / sizeof(secuCommandFlag);
+    dbck.commands = dbck_commands;
+    dbck.options = dbck_options;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &dbck);
+
+    if (rv != SECSuccess)
+	Usage(progName);
+
+    if (dbck.commands[cmd_LongUsage].activated)
+	LongUsage(progName);
+
+    if (!dbck.commands[cmd_Debug].activated &&
+        !dbck.commands[cmd_Recover].activated) {
+	PR_fprintf(PR_STDERR, "Please specify -H, -D or -R.\n");
+	Usage(progName);
+    }
+
+    removeExpired = !(dbck.options[opt_KeepAll].activated ||
+                      dbck.options[opt_KeepExpired].activated);
+
+    requireProfile = !(dbck.options[opt_KeepAll].activated ||
+                    dbck.options[opt_KeepNoSMimeProfile].activated);
+
+    singleEntry = !(dbck.options[opt_KeepAll].activated ||
+                    dbck.options[opt_KeepRedundant].activated);
+
+    if (dbck.options[opt_OutputDB].activated) {
+	newdbname = PL_strdup(dbck.options[opt_OutputDB].arg);
+    } else {
+	newdbname = PL_strdup("new_cert8.db");
+    }
+
+    /*  Create a generic graph of the database.  */
+    if (dbck.options[opt_Mailfile].activated) {
+	mailfile = PR_Open("./mailfile", PR_RDWR | PR_CREATE_FILE, 00660);
+	if (!mailfile) {
+	    fprintf(stderr, "Unable to create mailfile.\n");
+	    return -1;
+	}
+    }
+
+    /*  Dump all debugging info while running.  */
+    if (dbck.options[opt_Verbose].activated) {
+	if (dbck.options[opt_Dumpfile].activated) {
+	    dumpfile = PR_Open(dbck.options[opt_Dumpfile].arg,
+	                       PR_RDWR | PR_CREATE_FILE, 00660);
+	    if (!dumpfile) {
+		fprintf(stderr, "Unable to create dumpfile.\n");
+		return -1;
+	    }
+	} else {
+	    dumpfile = PR_STDOUT;
+	}
+    }
+
+    /*  Set the cert database directory.  */
+    if (dbck.options[opt_CertDir].activated) {
+	SECU_ConfigDirectory(dbck.options[opt_CertDir].arg);
+    }
+
+    pathname = SECU_ConfigDirectory(NULL);
+
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_NoDB_Init(pathname);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "NSS_NoDB_Init failed\n");
+	return -1;
+    }
+
+    certHandle = PORT_ZNew(NSSLOWCERTCertDBHandle);
+    if (!certHandle) {
+	SECU_PrintError(progName, "unable to get database handle");
+	return -1;
+    }
+    certHandle->ref = 1;
+
+#ifdef NOTYET
+    /*  Open the possibly corrupt database.  */
+    if (dbck.options[opt_InputDB].activated) {
+	PRFileInfo fileInfo;
+	fullname = PR_smprintf("%s/%s", pathname, 
+	                                dbck.options[opt_InputDB].arg);
+	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
+	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
+	    return -1;
+	}
+	rv = CERT_OpenCertDBFilename(certHandle, fullname, PR_TRUE);
+    } else 
+#endif
+    {
+	/*  Use the default.  */
+#ifdef NOTYET
+	fullname = SECU_CertDBNameCallback(NULL, CERT_DB_FILE_VERSION);
+	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
+	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
+	    return -1;
+	}
+#endif
+	rv = nsslowcert_OpenCertDB(certHandle, 
+	                           PR_TRUE, 		    /* readOnly */
+				   NULL,                    /* rdb appName */
+				   "",                      /* rdb prefix */
+	                           dbck_certdb_name_cb,     /* namecb */
+				   pathname, 		    /* configDir */
+				   PR_FALSE);		    /* volatile */
+    }
+
+    if (rv) {
+	SECU_PrintError(progName, "unable to open cert database");
+	return -1;
+    }
+
+    if (dbck.commands[cmd_Debug].activated) {
+	DBCK_DebugDB(certHandle, dumpfile, mailfile);
+	return 0;
+    }
+
+#ifdef DORECOVER
+    if (dbck.commands[cmd_Recover].activated) {
+	DBCK_ReconstructDBFromCerts(certHandle, newdbname,
+	                            dumpfile, removeExpired, 
+	                            requireProfile, singleEntry, 
+	                            dbck.options[opt_Prompt].activated);
+	return 0;
+    }
+#endif
+
+    if (mailfile)
+	PR_Close(mailfile);
+    if (dumpfile)
+	PR_Close(dumpfile);
+    if (certHandle) {
+	nsslowcert_ClosePermCertDB(certHandle);
+	PORT_Free(certHandle);
+    }
+    return -1;
+}
diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c
new file mode 100644
index 000000000..db65d0e5c
--- /dev/null
+++ b/security/nss/cmd/dbck/dbrecover.c
@@ -0,0 +1,702 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+enum {
+    dbInvalidCert = 0,
+    dbNoSMimeProfile,
+    dbOlderCert,
+    dbBadCertificate,
+    dbCertNotWrittenToDB
+};
+
+typedef struct dbRestoreInfoStr
+{
+    NSSLOWCERTCertDBHandle *handle;
+    PRBool verbose;
+    PRFileDesc *out;
+    int nCerts;
+    int nOldCerts;
+    int dbErrors[5];
+    PRBool removeType[3];
+    PRBool promptUser[3];
+} dbRestoreInfo;
+
+char *
+IsEmailCert(CERTCertificate *cert)
+{
+    char *email, *tmp1, *tmp2;
+    PRBool isCA;
+    int len;
+
+    if (!cert->subjectName) {
+	return NULL;
+    }
+
+    tmp1 = PORT_Strstr(cert->subjectName, "E=");
+    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
+    /* XXX Nelson has cert for KTrilli which does not have either
+     * of above but is email cert (has cert->emailAddr). 
+     */
+    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
+	return NULL;
+    }
+
+    /*  Server or CA cert, not personal email.  */
+    isCA = CERT_IsCACert(cert, NULL);
+    if (isCA)
+	return NULL;
+
+    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
+	but doesn't appear to. */
+    /*  Check the key usage extension.  */
+    if (cert->keyUsagePresent) {
+	/*  Must at least be able to sign or encrypt (not neccesarily
+	 *  both if it is one of a dual cert).  
+	 */
+	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
+              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
+	    return NULL;
+
+	/*  CA cert, not personal email.  */
+	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
+	    return NULL;
+    }
+
+    if (cert->emailAddr && cert->emailAddr[0]) {
+	email = PORT_Strdup(cert->emailAddr);
+    } else {
+	if (tmp1)
+	    tmp1 += 2; /* "E="  */
+	else
+	    tmp1 = tmp2 + 5; /* "MAIL=" */
+	len = strcspn(tmp1, ", ");
+	email = (char*)PORT_Alloc(len+1);
+	PORT_Strncpy(email, tmp1, len);
+	email[len] = '\0';
+    }
+
+    return email;
+}
+
+SECStatus
+deleteit(CERTCertificate *cert, void *arg)
+{
+    return SEC_DeletePermCertificate(cert);
+}
+
+/*  Different than DeleteCertificate - has the added bonus of removing
+ *  all certs with the same DN.  
+ */
+SECStatus
+deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
+                        PRFileDesc *outfile)
+{
+#if 0
+    certDBEntrySubject *subjectEntry;
+    certDBEntryNickname *nicknameEntry;
+    certDBEntrySMime *smimeEntry;
+    int i;
+#endif
+
+    if (outfile) {
+	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
+	PR_fprintf(outfile, "Deleting redundant certificate:\n");
+	dumpCertificate(cert, -1, outfile);
+    }
+
+    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
+#if 0
+    CERT_LockDB(handle);
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+    /*  It had better be there, or created a bad db.  */
+    PORT_Assert(subjectEntry);
+    for (i=0; i<subjectEntry->ncerts; i++) {
+	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
+    }
+    DeleteDBSubjectEntry(handle, &cert->derSubject);
+    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
+	if (smimeEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &smimeEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	}
+    }
+    if (subjectEntry->nickname) {
+	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
+	if (nicknameEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &nicknameEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
+	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
+	}
+    }
+    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
+    CERT_UnlockDB(handle);
+#endif
+    return SECSuccess;
+}
+
+void
+getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
+{
+    int j, num;
+    char *numstr, *numend, *end;
+
+    numstr = numlist;
+    end = numstr + len - 1;
+    while (numstr != end) {
+	numend = strpbrk(numstr, ", \n");
+	*numend = '\0';
+	if (PORT_Strlen(numstr) == 0)
+	    return;
+	num = PORT_Atoi(numstr);
+	if (numstr == numlist)
+	    certNums[0] = num;
+	for (j=1; j<nCerts+1; j++) {
+	    if (num == certNums[j]) {
+		certNums[j] = -1;
+		break;
+	    }
+	}
+	if (numend == end)
+	    break;
+	numstr = strpbrk(numend+1, "0123456789");
+    }
+}
+
+PRBool
+userSaysDeleteCert(CERTCertificate **certs, int nCerts,
+                   int errtype, dbRestoreInfo *info, int *certNums)
+{
+    char response[32];
+    int32 nb;
+    int i;
+    /*  User wants to remove cert without prompting.  */
+    if (info->promptUser[errtype] == PR_FALSE)
+	return (info->removeType[errtype]);
+    switch (errtype) {
+    case dbInvalidCert:
+	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
+	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
+	break;
+    case dbNoSMimeProfile:
+	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
+	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
+	break;
+    case dbOlderCert:
+	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
+	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
+	for (i=0; i<nCerts; i++)
+	    dumpCertificate(certs[i], i, PR_STDOUT);
+	PR_fprintf(PR_STDOUT, 
+	"Enter the certs you would like to keep from those listed above.\n");
+	PR_fprintf(PR_STDOUT, 
+	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
+	PR_fprintf(PR_STDOUT, 
+	"The first cert in the list will be the primary cert\n");
+	PR_fprintf(PR_STDOUT, 
+	" accessed by the nickname/email handle.\n");
+	PR_fprintf(PR_STDOUT, 
+	"List cert numbers to keep here, or hit enter\n");
+	PR_fprintf(PR_STDOUT, 
+	" to always keep only the newest cert:  ");
+	break;
+    default:
+    }
+    nb = PR_Read(PR_STDIN, response, sizeof(response));
+    PR_fprintf(PR_STDOUT, "\n\n");
+    if (errtype == dbOlderCert) {
+	if (!isdigit(response[0])) {
+	    info->promptUser[errtype] = PR_FALSE;
+	    info->removeType[errtype] = PR_TRUE;
+	    return PR_TRUE;
+	}
+	getCertsToDelete(response, nb, certNums, nCerts);
+	return PR_TRUE;
+    }
+    /*  User doesn't want to be prompted for this type anymore.  */
+    if (response[0] == 'Y') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_FALSE;
+	return PR_FALSE;
+    } else if (response[0] == 'N') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_TRUE;
+	return PR_TRUE;
+    }
+    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
+}
+
+SECStatus
+addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
+            NSSLOWCERTCertDBHandle *oldhandle)
+{
+    SECStatus rv = SECSuccess;
+    PRBool allowOverride;
+    PRBool userCert;
+    SECCertTimeValidity validity;
+    CERTCertificate *oldCert = NULL;
+    CERTCertificate *dbCert = NULL;
+    CERTCertificate *newCert = NULL;
+    CERTCertTrust *trust;
+    certDBEntrySMime *smimeEntry = NULL;
+    char *email = NULL;
+    char *nickname = NULL;
+    int nCertsForSubject = 1;
+
+    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
+                                        certEntry->nickname);
+    if (!oldCert) {
+	info->dbErrors[dbBadCertificate]++;
+	SEC_DestroyDBEntry((certDBEntry*)certEntry);
+	return SECSuccess;
+    }
+
+    oldCert->dbEntry = certEntry;
+    oldCert->trust = &certEntry->trust;
+    oldCert->dbhandle = oldhandle;
+
+    trust = oldCert->trust;
+
+    info->nOldCerts++;
+
+    if (info->verbose)
+	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
+
+    if (oldCert->nickname)
+	nickname = PORT_Strdup(oldCert->nickname);
+
+    /*  Always keep user certs.  Skip ahead.  */
+    /*  XXX if someone sends themselves a signed message, it is possible
+	for their cert to be imported as an "other" cert, not a user cert.
+	this mucks with smime entries...  */
+    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+    if (userCert)
+	goto createcert;
+
+    /*  If user chooses so, ignore expired certificates.  */
+    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
+                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
+    /*  If cert expired and user wants to delete it, ignore it. */
+    if ((validity != secCertTimeValid) && 
+	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
+	info->dbErrors[dbInvalidCert]++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Deleting expired certificate:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+
+    /*  New database will already have default certs, don't attempt
+	to overwrite them.  */
+    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
+    if (dbCert) {
+	info->nCerts++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Added certificate to database:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+    
+    /*  Determine if cert is S/MIME and get its email if so.  */
+    email = IsEmailCert(oldCert);
+
+    /*
+	XXX  Just create empty profiles?
+    if (email) {
+	SECItem *profile = CERT_FindSMimeProfile(oldCert);
+	if (!profile &&
+	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
+	    info->dbErrors[dbNoSMimeProfile]++;
+	    if (info->verbose) {
+		PR_fprintf(info->out, 
+		           "Deleted cert missing S/MIME profile.\n");
+		dumpCertificate(oldCert, -1, info->out);
+	    }
+	    goto cleanup;
+	} else {
+	    SECITEM_FreeItem(profile);
+	}
+    }
+    */
+
+createcert:
+
+    /*  Sometimes happens... */
+    if (!nickname && userCert)
+	nickname = PORT_Strdup(oldCert->subjectName);
+
+    /*  Create a new certificate, copy of the old one.  */
+    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
+                                      nickname, PR_FALSE, PR_TRUE);
+    if (!newCert) {
+	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbBadCertificate]++;
+	goto cleanup;
+    }
+
+    /*  Add the cert to the new database.  */
+    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
+    if (rv) {
+	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbCertNotWrittenToDB]++;
+	goto cleanup;
+    }
+
+    if (info->verbose) {
+	PR_fprintf(info->out, "Added certificate to database:\n");
+	dumpCertificate(oldCert, -1, info->out);
+    }
+
+    /*  If the cert is an S/MIME cert, and the first with it's subject,
+     *  modify the subject entry to include the email address,
+     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
+     */
+    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
+#if 0
+	UpdateSubjectWithEmailAddr(newCert, email);
+#endif
+	SECItem emailProfile, profileTime;
+	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
+	/*  calls UpdateSubjectWithEmailAddr  */
+	if (rv == SECSuccess)
+	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
+    }
+
+    info->nCerts++;
+
+cleanup:
+
+    if (nickname)
+	PORT_Free(nickname);
+    if (email)
+	PORT_Free(email);
+    if (oldCert)
+	CERT_DestroyCertificate(oldCert);
+    if (dbCert)
+	CERT_DestroyCertificate(dbCert);
+    if (newCert)
+	CERT_DestroyCertificate(newCert);
+    if (smimeEntry)
+	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+    return SECSuccess;
+}
+
+#if 0
+SECStatus
+copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
+{
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
+    certDBEntryCommon common;
+    SECItem dbkey;
+
+    common.type = type;
+    common.version = CERT_DB_FILE_VERSION;
+    common.flags = data->data[2];
+    common.arena = NULL;
+
+    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
+    dbkey.data[0] = type;
+
+    rv = WriteDBEntry(newdb, &common, &dbkey, data);
+
+    PORT_Free(dbkey.data);
+    return rv;
+}
+#endif
+
+int
+certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
+{
+    return !CERT_IsNewer(*cert1, *cert2);
+}
+
+int
+findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
+                          certDBArray *dbArray, dbRestoreInfo *info,
+                          int *subjectWithSMime, int *smimeForSubject)
+{
+    int newestSubject;
+    int subjectsForEmail[50];
+    int i, j, ns, sNum;
+    certDBEntryListNode *subjects = &dbArray->subjects;
+    certDBEntryListNode *smime = &dbArray->smime;
+    certDBEntrySubject *subjectEntry1, *subjectEntry2;
+    certDBEntrySMime *smimeEntry;
+    CERTCertificate **certs;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    PRBool userCert;
+    int *certNums;
+
+    ns = 0;
+    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
+    subjectsForEmail[ns++] = subjectNum;
+
+    *subjectWithSMime = -1;
+    *smimeForSubject = -1;
+    newestSubject = subjectNum;
+
+    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+    if (cert) {
+	trust = cert->trust;
+	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+	CERT_DestroyCertificate(cert);
+    }
+
+    /*
+     * XXX Should we make sure that subjectEntry1->emailAddr is not
+     * a null pointer or an empty string before going into the next
+     * two for loops, which pass it to PORT_Strcmp?
+     */
+
+    /*  Loop over the remaining subjects.  */
+    for (i=subjectNum+1; i<subjects.numEntries; i++) {
+	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
+	if (!subjectEntry2)
+	    continue;
+	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
+	     PORT_Strcmp(subjectEntry1->emailAddr, 
+	                 subjectEntry2->emailAddr) == 0) {
+	    /*  Found a subject using the same email address.  */
+	    subjectsForEmail[ns++] = i;
+	}
+    }
+
+    /*  Find the S/MIME entry for this email address.  */
+    for (i=0; i<smime.numEntries; i++) {
+	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
+	if (smimeEntry->common.arena == NULL)
+	    continue;
+	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
+	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
+	    /*  Find which of the subjects uses this S/MIME entry.  */
+	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
+		sNum = subjectsForEmail[j];
+		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
+		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
+		                          &subjectEntry2->derSubject)) {
+		    /*  Found the subject corresponding to the S/MIME entry. */
+		    *subjectWithSMime = sNum;
+		    *smimeForSubject = i;
+		}
+	    }
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
+	    break;
+	}
+    }
+
+    if (ns <= 1)
+	return subjectNum;
+
+    if (userCert)
+	return *subjectWithSMime;
+
+    /*  Now find which of the subjects has the newest cert.  */
+    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
+    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
+    certNums[0] = 0;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+	certNums[i+1] = i;
+    }
+    /*  Sort the array by validity.  */
+    qsort(certs, ns, sizeof(CERTCertificate*), 
+          (int (*)(const void *, const void *))certIsOlder);
+    newestSubject = -1;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
+	                          &certs[0]->derSubject))
+	    newestSubject = sNum;
+	else
+	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
+    }
+    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
+	for (i=1; i<ns+1; i++) {
+	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
+		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
+		info->dbErrors[dbOlderCert]++;
+	    }
+	}
+    }
+    CERT_DestroyCertArray(certs, ns);
+    return newestSubject;
+}
+
+NSSLOWCERTCertDBHandle *
+DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
+                            PRFileDesc *outfile, PRBool removeExpired,
+                            PRBool requireProfile, PRBool singleEntry,
+                            PRBool promptUser)
+{
+    SECStatus rv;
+    dbRestoreInfo info;
+    certDBEntryContentVersion *oldContentVersion;
+    certDBArray dbArray;
+    int i;
+
+    PORT_Memset(&dbArray, 0, sizeof(dbArray));
+    PORT_Memset(&info, 0, sizeof(info));
+    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
+    info.out = (outfile) ? outfile : PR_STDOUT;
+    info.removeType[dbInvalidCert] = removeExpired;
+    info.removeType[dbNoSMimeProfile] = requireProfile;
+    info.removeType[dbOlderCert] = singleEntry;
+    info.promptUser[dbInvalidCert]  = promptUser;
+    info.promptUser[dbNoSMimeProfile]  = promptUser;
+    info.promptUser[dbOlderCert]  = promptUser;
+
+    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
+    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
+    if (!info.handle) {
+	fprintf(stderr, "unable to get database handle");
+	return NULL;
+    }
+
+    /*  Create a certdb with the most recent set of roots.  */
+    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
+
+    if (rv) {
+	fprintf(stderr, "could not open certificate database");
+	goto loser;
+    }
+
+    /*  Create certificate, subject, nickname, and email records.
+     *  mcom_db seems to have a sequential access bug.  Though reads and writes
+     *  should be allowed during traversal, they seem to screw up the sequence.
+     *  So, stuff all the cert entries into an array, and loop over the array
+     *  doing read/writes in the db.
+     */
+    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
+    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
+         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
+	/* entries get destroyed in addCertToDB */
+    }
+#if 0
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
+                               copyDBEntry, info.handle);
+#endif
+
+    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
+     *  Create S/MIME entries for S/MIME certs.
+     *  Have the S/MIME entry point to the last-expiring cert using
+     *  an email address.
+     */
+#if 0
+    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
+#endif
+
+    freeDBEntryList(&dbArray.certs.link);
+
+    /*  Copy over the version record.  */
+    /*  XXX Already exists - and _must_ be correct... */
+    /*
+    versionEntry = ReadDBVersionEntry(oldhandle);
+    rv = WriteDBVersionEntry(info.handle, versionEntry);
+    */
+
+    /*  Copy over the content version record.  */
+    /*  XXX Can probably get useful info from old content version?
+     *      Was this db created before/after this tool?  etc.
+     */
+#if 0
+    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
+    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
+#endif
+
+#if 0
+    /*  Copy over the CRL & KRL records.  */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
+                               copyDBEntry, info.handle);
+    /*  XXX Only one KRL, just do db->get? */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
+                               copyDBEntry, info.handle);
+#endif
+
+    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
+
+    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
+    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
+                       info.dbErrors[dbInvalidCert]);
+    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
+                       info.dbErrors[dbNoSMimeProfile]);
+    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
+                       info.dbErrors[dbOlderCert]);
+    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
+                       info.dbErrors[dbBadCertificate]);
+    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
+                       info.dbErrors[dbCertNotWrittenToDB]);
+
+    if (rv)
+	goto loser;
+
+    return info.handle;
+
+loser:
+    if (info.handle) 
+	PORT_Free(info.handle);
+    return NULL;
+}
+
diff --git a/security/nss/cmd/dbck/manifest.mn b/security/nss/cmd/dbck/manifest.mn
new file mode 100644
index 000000000..c2405be5f
--- /dev/null
+++ b/security/nss/cmd/dbck/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20 
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = \
+	dbck.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = dbck
+USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/dbtest/Makefile b/security/nss/cmd/dbtest/Makefile
new file mode 100644
index 000000000..297114522
--- /dev/null
+++ b/security/nss/cmd/dbtest/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include ../platlibs.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/dbtest/dbtest.c b/security/nss/cmd/dbtest/dbtest.c
new file mode 100644
index 000000000..fbcd4c53e
--- /dev/null
+++ b/security/nss/cmd/dbtest/dbtest.c
@@ -0,0 +1,266 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sonja Mirtitsch Sun Microsystems
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** dbtest.c
+**
+** QA test for cert and key databases, especially to open
+** database readonly (NSS_INIT_READONLY) and force initializations
+** even if the databases cannot be opened (NSS_INIT_FORCEOPEN)
+**
+*/
+#include <stdio.h>
+#include <string.h>
+
+#if defined(WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+#include "secutil.h"
+#include "pk11pub.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "certdb.h"
+#include "nss.h"
+#include "../modutil/modutil.h"
+
+#include "plgetopt.h"
+
+static char *progName;
+
+char *dbDir  =  NULL;
+
+static char *dbName[]={"secmod.db", "cert8.db", "key3.db"}; 
+static char* dbprefix = "";
+static char* secmodName = "secmod.db";
+static char* userPassword = "";
+PRBool verbose;
+
+static char *
+getPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+    int *success = (int *)arg;
+
+    if (retry) {
+	*success = 0;
+	return NULL;
+    }
+
+    *success = 1;
+     return PORT_Strdup(userPassword);
+}
+
+
+static void Usage(const char *progName)
+{
+    printf("Usage:  %s [-r] [-f] [-i] [-d dbdir ] \n",
+         progName);
+    printf("%-20s open database readonly (NSS_INIT_READONLY)\n", "-r");
+    printf("%-20s Continue to force initializations even if the\n", "-f");
+    printf("%-20s databases cannot be opened (NSS_INIT_FORCEOPEN)\n", " ");
+    printf("%-20s Try to initialize the database\n", "-i");
+    printf("%-20s Supply a password with which to initialize the db\n", "-p");
+    printf("%-20s Directory with cert database (default is .\n",
+          "-d certdir");
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    PLOptState *optstate;
+    PLOptStatus optstatus;
+
+    PRUint32 flags = 0;
+    Error ret;
+    SECStatus rv;
+    char * dbString = NULL;
+    PRBool doInitTest = PR_FALSE;
+    int i;
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+        progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    optstate = PL_CreateOptState(argc, argv, "rfip:d:h");
+
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch (optstate->option) {
+          case 'h':
+          default : Usage(progName);                    break;
+
+          case 'r': flags |= NSS_INIT_READONLY;         break;
+
+          case 'f': flags |= NSS_INIT_FORCEOPEN;        break;
+
+	  case 'i': doInitTest = PR_TRUE;		break;
+
+	  case 'p':
+		userPassword = PORT_Strdup(optstate->value);
+		break;
+
+          case 'd':
+                dbDir = PORT_Strdup(optstate->value);
+                break;
+
+        }
+    }
+    if (optstatus == PL_OPT_BAD)
+        Usage(progName);
+
+    if (!dbDir) {
+        dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
+    }
+    dbDir = SECU_ConfigDirectory(dbDir);
+    PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);
+
+    if( dbDir[0] == '\0') {
+        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
+        ret= DIR_DOESNT_EXIST_ERR;
+        goto loser;
+    }
+
+
+    PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+
+    /* get the status of the directory and databases and output message */
+    if(PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
+    } else if(PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
+        PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir);
+    } else {
+        if( !( flags & NSS_INIT_READONLY ) &&
+                PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
+            PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir);
+        }
+	if (!doInitTest) {
+            for (i=0;i<3;i++) {
+        	dbString=PR_smprintf("%s/%s",dbDir,dbName[i]);
+        	PR_fprintf(PR_STDOUT, "database checked is %s\n",dbString);
+        	if(PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+                    PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR], 
+                                      dbString);
+        	} else if(PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) {
+                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], 
+                                      dbString);
+        	} else if( !( flags & NSS_INIT_READONLY ) &&
+                       PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
+                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR], 
+                                      dbString);
+        	}
+	    }
+        } 
+    }
+
+
+    rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix,
+                   secmodName, flags);
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError(progName);
+        ret=NSS_INITIALIZE_FAILED_ERR;
+    } else {
+        ret=SUCCESS;
+	if (doInitTest) {
+	    PK11SlotInfo * slot = PK11_GetInternalKeySlot();
+	    SECStatus rv;
+	    int passwordSuccess = 0;
+	    int type = CKM_DES3_CBC;
+	    SECItem keyid = { 0, NULL, 0 };
+	    unsigned char keyIdData[] = { 0xff, 0xfe };
+	    PK11SymKey *key = NULL;
+
+	    keyid.data = keyIdData;
+	    keyid.len = sizeof(keyIdData);
+
+	    PK11_SetPasswordFunc(getPassword);
+	    rv = PK11_InitPin(slot, (char *)NULL, userPassword);
+	    if (rv != SECSuccess) {
+		PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n", 
+					SECU_Strerror(PORT_GetError()));
+		ret = CHANGEPW_FAILED_ERR;
+	    }
+	    if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) {
+                PR_fprintf(PR_STDERR, "New DB did not log in after init\n");
+		ret = AUTHENTICATION_FAILED_ERR;
+	    }
+	    /* generate a symetric key */
+	    key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid,
+				    PR_TRUE, &passwordSuccess);
+
+	    if (!key) {
+		PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n",
+				SECU_Strerror(PORT_GetError()));
+		exit (UNSPECIFIED_ERR);
+	    }
+	    PK11_FreeSymKey(key);
+	    PK11_Logout(slot);
+
+	    PK11_Authenticate(slot, PR_TRUE, &passwordSuccess);
+
+	    if (*userPassword && !passwordSuccess) {
+		PR_fprintf(PR_STDERR, "New DB Did not initalize\n");
+		ret = AUTHENTICATION_FAILED_ERR;
+	    }
+	    key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess);
+
+	    if (!key) {
+		PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
+				SECU_Strerror(PORT_GetError()));
+		ret = UNSPECIFIED_ERR;
+	    } else {
+		PK11_FreeSymKey(key);
+	    }
+ 	    PK11_FreeSlot(slot);
+	}
+	     
+        if (NSS_Shutdown() != SECSuccess) {
+	    PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
+				SECU_Strerror(PORT_GetError()));
+            exit(1);
+        }
+    }
+
+loser:
+    return ret;
+}
+
diff --git a/security/nss/cmd/dbtest/manifest.mn b/security/nss/cmd/dbtest/manifest.mn
new file mode 100644
index 000000000..0e3ba6c99
--- /dev/null
+++ b/security/nss/cmd/dbtest/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+# DIRS = 
+
+CSRCS	= dbtest.c  
+
+PROGRAM	= dbtest
+
diff --git a/security/nss/cmd/derdump/Makefile b/security/nss/cmd/derdump/Makefile
new file mode 100644
index 000000000..140b4191f
--- /dev/null
+++ b/security/nss/cmd/derdump/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/derdump/derdump.c b/security/nss/cmd/derdump/derdump.c
new file mode 100644
index 000000000..7103eef2c
--- /dev/null
+++ b/security/nss/cmd/derdump/derdump.c
@@ -0,0 +1,137 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secutil.h"
+#include "nss.h"
+#include <errno.h>
+
+#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
+#if !defined(WIN32)
+extern int fprintf(FILE *, char *, ...);
+#endif
+#endif
+#include "plgetopt.h"
+
+static void Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage: %s [-r] [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s For formatted items, dump raw bytes as well\n",
+	    "-r");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    char *progName;
+    FILE *outFile;
+    PRFileDesc *inFile;
+    SECItem der;
+    SECStatus rv;
+    int16 xp_error;
+    PRBool raw = PR_FALSE;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    /* Parse command line arguments */
+    inFile = 0;
+    outFile = 0;
+    optstate = PL_CreateOptState(argc, argv, "i:o:r");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case 'i':
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "w");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'r':
+	    raw = PR_TRUE;
+	    break;
+
+	  default:
+	    Usage(progName);
+	    break;
+	}
+    }
+	if (status == PL_OPT_BAD)
+		Usage(progName);
+
+    if (!inFile) inFile = PR_STDIN;
+    if (!outFile) outFile = stdout;
+
+    rv = NSS_NoDB_Init(NULL);	/* XXX */
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+
+	rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE);
+    if (rv == SECSuccess) {
+	rv = DER_PrettyPrint(outFile, &der, raw);
+	if (rv == SECSuccess)
+	    return 0;
+    }
+
+    xp_error = PORT_GetError();
+    if (xp_error) {
+	SECU_PrintError(progName, "error %d", xp_error);
+    }
+    if (errno) {
+	SECU_PrintSystemError(progName, "errno=%d", errno);
+    }
+    return 1;
+}
diff --git a/security/nss/cmd/derdump/manifest.mn b/security/nss/cmd/derdump/manifest.mn
new file mode 100644
index 000000000..f9299f0de
--- /dev/null
+++ b/security/nss/cmd/derdump/manifest.mn
@@ -0,0 +1,53 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = derdump.c
+
+PROGRAM	= derdump
diff --git a/security/nss/cmd/digest/Makefile b/security/nss/cmd/digest/Makefile
new file mode 100644
index 000000000..140b4191f
--- /dev/null
+++ b/security/nss/cmd/digest/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/digest/digest.c b/security/nss/cmd/digest/digest.c
new file mode 100644
index 000000000..7a37856d9
--- /dev/null
+++ b/security/nss/cmd/digest/digest.c
@@ -0,0 +1,256 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secutil.h"
+#include "pk11func.h"
+#include "secoid.h"
+
+#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
+#if !defined(WIN32)
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+#endif
+
+#include "plgetopt.h"
+
+static SECOidData *
+HashTypeToOID(HASH_HashType hashtype)
+{
+    SECOidTag hashtag;
+
+    if (hashtype <= HASH_AlgNULL || hashtype >= HASH_AlgTOTAL)
+	return NULL;
+
+    switch (hashtype) {
+      case HASH_AlgMD2:
+	hashtag = SEC_OID_MD2;
+	break;
+      case HASH_AlgMD5:
+	hashtag = SEC_OID_MD5;
+	break;
+      case HASH_AlgSHA1:
+	hashtag = SEC_OID_SHA1;
+	break;
+      default:
+	fprintf(stderr, "A new hash type has been added to HASH_HashType.\n");
+	fprintf(stderr, "This program needs to be updated!\n");
+	return NULL;
+    }
+
+    return SECOID_FindOIDByTag(hashtag);
+}
+
+static SECOidData *
+HashNameToOID(const char *hashName)
+{
+    HASH_HashType htype;
+    SECOidData *hashOID;
+
+    for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
+	hashOID = HashTypeToOID(htype);
+	if (PORT_Strcasecmp(hashName, hashOID->desc) == 0)
+	    break;
+    }
+
+    if (htype == HASH_AlgTOTAL)
+	return NULL;
+
+    return hashOID;
+}
+
+static void
+Usage(char *progName)
+{
+    HASH_HashType htype;
+
+    fprintf(stderr,
+	    "Usage:  %s -t type [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Specify the digest method (must be one of\n",
+	    "-t type");
+    fprintf(stderr, "%-20s ", "");
+    for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
+	fprintf(stderr, HashTypeToOID(htype)->desc);
+	if (htype == (HASH_AlgTOTAL - 2))
+	    fprintf(stderr, " or ");
+	else if (htype != (HASH_AlgTOTAL - 1))
+	    fprintf(stderr, ", ");
+    }
+    fprintf(stderr, " (case ignored))\n");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+static int
+DigestFile(FILE *outFile, FILE *inFile, SECOidData *hashOID)
+{
+    int nb;
+    unsigned char ibuf[4096], digest[32];
+    PK11Context *hashcx;
+    unsigned int len;
+    SECStatus rv;
+
+    hashcx = PK11_CreateDigestContext(hashOID->offset);
+    if (hashcx == NULL) {
+	return -1;
+    }
+    PK11_DigestBegin(hashcx);
+
+
+    for (;;) {
+	if (feof(inFile)) break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb != sizeof(ibuf)) {
+	    if (nb == 0) {
+		if (ferror(inFile)) {
+		    PORT_SetError(SEC_ERROR_IO);
+		    PK11_DestroyContext(hashcx,PR_TRUE);
+		    return -1;
+		}
+		/* eof */
+		break;
+	    }
+	}
+	rv = PK11_DigestOp(hashcx, ibuf, nb);
+	if (rv != SECSuccess) {
+	   PK11_DestroyContext(hashcx, PR_TRUE);
+	   return -1;
+	}
+    }
+
+    rv = PK11_DigestFinal(hashcx, digest, &len, 32);
+    PK11_DestroyContext(hashcx, PR_TRUE);
+
+    if (rv != SECSuccess) return -1;
+
+    nb = fwrite(digest, 1, len, outFile);
+    if (nb != len) {
+	PORT_SetError(SEC_ERROR_IO);
+	return -1;
+    }
+
+    return 0;
+}
+
+#include "nss.h"
+
+int
+main(int argc, char **argv)
+{
+    char *progName;
+    FILE *inFile, *outFile;
+    char *hashName;
+    SECOidData *hashOID;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus   rv;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    inFile = NULL;
+    outFile = NULL;
+    hashName = NULL;
+
+    rv = NSS_Init("/tmp");
+    if (rv != SECSuccess) {
+    	fprintf(stderr, "%s: NSS_Init failed in directory %s\n",
+	        progName, "/tmp");
+        return -1;
+    }
+
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, "t:i:o:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'i':
+	    inFile = fopen(optstate->value, "r");
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "w");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 't':
+	    hashName = strdup(optstate->value);
+	    break;
+	}
+    }
+
+    if (!hashName) Usage(progName);
+
+    if (!inFile) inFile = stdin;
+    if (!outFile) outFile = stdout;
+
+    hashOID = HashNameToOID(hashName);
+    if (hashOID == NULL) {
+	fprintf(stderr, "%s: invalid digest type\n", progName);
+	Usage(progName);
+    }
+
+    if (DigestFile(outFile, inFile, hashOID)) {
+	fprintf(stderr, "%s: problem digesting data (%s)\n",
+		progName, SECU_Strerror(PORT_GetError()));
+	return -1;
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    } 
+    
+    return 0;
+}
diff --git a/security/nss/cmd/digest/manifest.mn b/security/nss/cmd/digest/manifest.mn
new file mode 100644
index 000000000..e4c9193be
--- /dev/null
+++ b/security/nss/cmd/digest/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS	= digest.c  
+
+PROGRAM	= digest
+
diff --git a/security/nss/cmd/ecperf/Makefile b/security/nss/cmd/ecperf/Makefile
new file mode 100644
index 000000000..7df60581b
--- /dev/null
+++ b/security/nss/cmd/ecperf/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/ecperf/ecperf.c b/security/nss/cmd/ecperf/ecperf.c
new file mode 100644
index 000000000..6750373fd
--- /dev/null
+++ b/security/nss/cmd/ecperf/ecperf.c
@@ -0,0 +1,760 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "blapi.h"
+#include "ec.h"
+#include "ecl-curve.h"
+#include "nss.h"
+#include "secutil.h"
+#include "pkcs11.h"
+#include <nspr.h>
+#include <stdio.h>
+#include <strings.h>
+#include <assert.h>
+
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#define __PASTE(x,y)    x##y
+
+/*
+ * Get the NSS specific PKCS #11 function names.
+ */
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+		CK_RV __PASTE(NS,func)
+#define CK_NEED_ARG_LIST	1
+
+#include "pkcs11f.h"
+
+
+
+/* mapping between ECCurveName enum and pointers to ECCurveParams */
+static SECOidTag ecCurve_oid_map[] = {
+    SEC_OID_UNKNOWN,	/* ECCurve_noName */
+    SEC_OID_ANSIX962_EC_PRIME192V1,    /* ECCurve_NIST_P192 */
+    SEC_OID_SECG_EC_SECP224R1,    /* ECCurve_NIST_P224 */
+    SEC_OID_ANSIX962_EC_PRIME256V1,    /* ECCurve_NIST_P256 */
+    SEC_OID_SECG_EC_SECP384R1,    /* ECCurve_NIST_P384 */
+    SEC_OID_SECG_EC_SECP521R1,    /* ECCurve_NIST_P521 */
+    SEC_OID_SECG_EC_SECT163K1,    /* ECCurve_NIST_K163 */
+    SEC_OID_SECG_EC_SECT163R1,    /* ECCurve_NIST_B163 */
+    SEC_OID_SECG_EC_SECT233K1,    /* ECCurve_NIST_K233 */
+    SEC_OID_SECG_EC_SECT233R1,    /* ECCurve_NIST_B233 */
+    SEC_OID_SECG_EC_SECT283K1,    /* ECCurve_NIST_K283 */
+    SEC_OID_SECG_EC_SECT283R1,    /* ECCurve_NIST_B283 */
+    SEC_OID_SECG_EC_SECT409K1,    /* ECCurve_NIST_K409 */
+    SEC_OID_SECG_EC_SECT409R1,    /* ECCurve_NIST_B409 */
+    SEC_OID_SECG_EC_SECT571K1,    /* ECCurve_NIST_K571 */
+    SEC_OID_SECG_EC_SECT571R1,    /* ECCurve_NIST_B571 */
+    SEC_OID_ANSIX962_EC_PRIME192V2,    
+    SEC_OID_ANSIX962_EC_PRIME192V3,
+    SEC_OID_ANSIX962_EC_PRIME239V1,
+    SEC_OID_ANSIX962_EC_PRIME239V2,
+    SEC_OID_ANSIX962_EC_PRIME239V3,
+	SEC_OID_ANSIX962_EC_C2PNB163V1,
+	SEC_OID_ANSIX962_EC_C2PNB163V2,
+	SEC_OID_ANSIX962_EC_C2PNB163V3,
+    SEC_OID_ANSIX962_EC_C2PNB176V1,
+    SEC_OID_ANSIX962_EC_C2TNB191V1,
+    SEC_OID_ANSIX962_EC_C2TNB191V2,
+    SEC_OID_ANSIX962_EC_C2TNB191V3,
+    SEC_OID_ANSIX962_EC_C2PNB208W1,
+    SEC_OID_ANSIX962_EC_C2TNB239V1,
+    SEC_OID_ANSIX962_EC_C2TNB239V2,
+    SEC_OID_ANSIX962_EC_C2TNB239V3,
+    SEC_OID_ANSIX962_EC_C2PNB272W1,
+    SEC_OID_ANSIX962_EC_C2PNB304W1,
+    SEC_OID_ANSIX962_EC_C2TNB359V1,
+    SEC_OID_ANSIX962_EC_C2PNB368W1,
+    SEC_OID_ANSIX962_EC_C2TNB431R1,
+    SEC_OID_SECG_EC_SECP112R1,
+    SEC_OID_SECG_EC_SECP112R2,
+    SEC_OID_SECG_EC_SECP128R1,
+    SEC_OID_SECG_EC_SECP128R2,
+    SEC_OID_SECG_EC_SECP160K1,
+    SEC_OID_SECG_EC_SECP160R1,
+    SEC_OID_SECG_EC_SECP160R2,
+    SEC_OID_SECG_EC_SECP192K1,
+    SEC_OID_SECG_EC_SECP224K1,
+    SEC_OID_SECG_EC_SECP256K1,
+    SEC_OID_SECG_EC_SECT113R1,
+    SEC_OID_SECG_EC_SECT113R2,
+    SEC_OID_SECG_EC_SECT131R1,
+    SEC_OID_SECG_EC_SECT131R2,
+    SEC_OID_SECG_EC_SECT163R1,
+    SEC_OID_SECG_EC_SECT193R1,
+    SEC_OID_SECG_EC_SECT193R2,
+    SEC_OID_SECG_EC_SECT239K1,
+    SEC_OID_UNKNOWN	    /* ECCurve_pastLastCurve */
+};
+
+typedef SECStatus (*op_func) (void *, void *, void *);
+typedef SECStatus (*pk11_op_func) (CK_SESSION_HANDLE, void *, void *, void *);
+
+typedef struct ThreadDataStr {
+    op_func op;
+    void *p1;
+    void *p2;
+    void *p3;
+    int iters;
+    PRLock *lock;
+    int count;
+    SECStatus status;
+    int isSign;
+} ThreadData;
+
+void PKCS11Thread(void *data)
+{
+    ThreadData *threadData = (ThreadData *)data;
+    pk11_op_func op = (pk11_op_func) threadData->op;
+    int iters = threadData->iters;
+    unsigned char sigData [256];
+    SECItem sig;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    threadData->status = SECSuccess;
+    threadData->count = 0;
+
+    /* get our thread's session */
+    PR_Lock(threadData->lock);
+    crv = NSC_OpenSession(1, CKF_SERIAL_SESSION, NULL, 0, &session);
+    PR_Unlock(threadData->lock);
+
+    if (threadData->isSign) {
+    sig.data = sigData;
+    sig.len = sizeof(sigData);
+    threadData->p2 = (void *)&sig;
+    }
+ 
+    while (iters --) {
+    threadData->status = (*op)(session, threadData->p1, 
+	       threadData->p2, threadData->p3);
+    if (threadData->status != SECSuccess) {
+	break;
+    }
+    threadData->count++;
+    }
+    return;
+}
+
+void genericThread(void *data)
+{
+    ThreadData *threadData = (ThreadData *)data;
+    int iters = threadData->iters;
+    unsigned char sigData [256];
+    SECItem sig;
+
+    threadData->status = SECSuccess;
+    threadData->count = 0;
+
+    if (threadData->isSign) {
+    sig.data = sigData;
+    sig.len = sizeof(sigData);
+    threadData->p2 = (void *)&sig;
+    }
+ 
+    while (iters --) {
+    threadData->status = (*threadData->op)(threadData->p1, 
+	       threadData->p2, threadData->p3);
+    if (threadData->status != SECSuccess) {
+	break;
+    }
+    threadData->count++;
+    }
+    return;
+}
+
+
+/* Time iter repetitions of operation op. */
+SECStatus
+M_TimeOperation(void (*threadFunc)(void *), 
+	op_func opfunc, char *op, void *param1, void *param2, 
+	void *param3, int iters, int numThreads, PRLock *lock, 
+	CK_SESSION_HANDLE session, int isSign, double *rate)
+{
+    double dUserTime;
+    int i, total;
+    PRIntervalTime startTime, totalTime;
+    PRThread **threadIDs;
+    ThreadData *threadData;
+    pk11_op_func pk11_op = (pk11_op_func) opfunc;
+    SECStatus rv;
+
+    /* verify operation works before testing performance */
+    if (session) {
+	rv = (*pk11_op)(session, param1, param2, param3);
+    } else {
+	rv = (*opfunc)(param1, param2, param3);
+    }
+    if (rv != SECSuccess) {
+	SECU_PrintError("Error:", op); 
+	return rv;
+    }
+
+    /* get Data structures */
+    threadIDs = (PRThread **)PORT_Alloc(numThreads*sizeof(PRThread *)); 
+    threadData = (ThreadData *)PORT_Alloc(numThreads*sizeof(ThreadData));
+
+    startTime = PR_Now();
+    if (numThreads == 1) {
+    for (i=0; i < iters; i++) {
+	if (session) {
+	    rv = (*pk11_op)(session, param1, param2, param3);
+	} else {
+	    rv = (*opfunc)(param1, param2, param3);
+	}
+    }
+	total = iters;
+    } else {
+	for (i = 0; i < numThreads; i++) {
+	    threadData[i].op = opfunc; 
+	    threadData[i].p1 = (void *)param1;
+	    threadData[i].p2 = (void *)param2;
+	    threadData[i].p3 = (void *)param3;
+	    threadData[i].iters = iters;
+	    threadData[i].lock = lock;
+	    threadData[i].isSign = isSign;
+	    threadIDs[i] = PR_CreateThread(PR_USER_THREAD, threadFunc,
+	                   (void *)&threadData[i], PR_PRIORITY_NORMAL,
+	                   PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
+	} 
+
+	total = 0;
+	for (i = 0; i < numThreads; i++) {
+	    PR_JoinThread(threadIDs[i]);
+	    /* check the status */
+	    total += threadData[i].count;
+	}
+
+	PORT_Free(threadIDs);
+	PORT_Free(threadData);
+    }
+
+    totalTime = PR_Now()- startTime; 
+    /* SecondsToInterval seems to be broken here ... */
+    dUserTime = (double)totalTime/(double)1000000;
+    if (dUserTime) {
+	printf("    %-15s count:%4d sec: %3.2f op/sec: %6.2f\n", 
+	    op, total, dUserTime, (double)total/dUserTime); 
+	if (rate) {
+	   *rate = ((double)total)/dUserTime;
+	}
+    }
+    return SECSuccess;
+}
+
+#define GFP_POPULATE(params,name_v) \
+    params.name = name_v; \
+    if ((params.name < ECCurve_noName) || \
+	    (params.name > ECCurve_pastLastCurve)) goto cleanup; \
+    params.type = ec_params_named; \
+    params.curveOID.data = NULL; \
+    params.curveOID.len = 0; \
+    params.curve.seed.data = NULL; \
+    params.curve.seed.len = 0; \
+    params.DEREncoding.data = NULL; \
+    params.DEREncoding.len = 0; \
+    params.arena = NULL; \
+    params.fieldID.size = ecCurve_map[name_v]->size; \
+    params.fieldID.type = ec_field_GFp; \
+    hexString2SECItem(params.arena, &params.fieldID.u.prime, \
+	    ecCurve_map[name_v]->irr); \
+    hexString2SECItem(params.arena, &params.curve.a, \
+	    ecCurve_map[name_v]->curvea); \
+    hexString2SECItem(params.arena, &params.curve.b, \
+	    ecCurve_map[name_v]->curveb); \
+    genenc[0] = '0'; \
+    genenc[1] = '4'; \
+    genenc[2] = '\0'; \
+    strcat(genenc, ecCurve_map[name_v]->genx); \
+    strcat(genenc, ecCurve_map[name_v]->geny); \
+    hexString2SECItem(params.arena, &params.base, \
+	    genenc); \
+    hexString2SECItem(params.arena, &params.order, \
+	    ecCurve_map[name_v]->order); \
+    params.cofactor = ecCurve_map[name_v]->cofactor;
+
+
+/* Test curve using specific field arithmetic. */
+#define ECTEST_NAMED_GFP(name_c, name_v) \
+    if (usefreebl) { \
+	printf("Testing %s using freebl implementation...\n", name_c); \
+	rv = ectest_curve_freebl(name_v, iterations, numThreads); \
+	    if (rv != SECSuccess) goto cleanup; \
+	printf("... okay.\n"); \
+	} \
+    if (usepkcs11) { \
+	printf("Testing %s using pkcs11 implementation...\n", name_c); \
+	rv = ectest_curve_pkcs11(name_v, iterations, numThreads); \
+	    if (rv != SECSuccess) goto cleanup; \
+	printf("... okay.\n"); \
+     }
+
+/*
+ * Initializes a SECItem from a hexadecimal string
+ *
+ * Warning: This function ignores leading 00's, so any leading 00's
+ * in the hexadecimal string must be optional.
+ */
+static SECItem *
+hexString2SECItem(PRArenaPool *arena, SECItem *item, const char *str)
+{
+    int i = 0;
+    int byteval = 0;
+    int tmp = PORT_Strlen(str);
+
+    if ((tmp % 2) != 0) return NULL;
+    
+    /* skip leading 00's unless the hex string is "00" */
+    while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) {
+	str += 2;
+	tmp -= 2;
+    }
+
+    item->data = (unsigned char *) PORT_Alloc( tmp/2);
+    if (item->data == NULL) return NULL;
+    item->len = tmp/2;
+
+    while (str[i]) {
+	if ((str[i] >= '0') && (str[i] <= '9'))
+	    tmp = str[i] - '0';
+	else if ((str[i] >= 'a') && (str[i] <= 'f'))
+	    tmp = str[i] - 'a' + 10;
+	else if ((str[i] >= 'A') && (str[i] <= 'F'))
+	    tmp = str[i] - 'A' + 10;
+	else
+	    return NULL;
+
+	byteval = byteval * 16 + tmp;
+	if ((i % 2) != 0) {
+	    item->data[i/2] = byteval;
+	    byteval = 0;
+	}
+	i++;
+    }
+
+    return item;
+}
+
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+
+
+SECStatus
+PKCS11_Derive(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
+	  CK_MECHANISM *pMech , int *dummy)
+{
+    CK_RV crv;
+    CK_OBJECT_HANDLE newKey;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_ATTRIBUTE keyTemplate[3];
+    CK_ATTRIBUTE *attrs = keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
+    attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+    attrs++;
+    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, 1); attrs++;
+
+
+   crv = NSC_DeriveKey(session, pMech, *hKey, keyTemplate, 3, &newKey);
+   if (crv != CKR_OK) {
+	printf("Derive Failed CK_RV=0x%x\n", (int)crv);
+	return SECFailure;
+   }
+   return SECSuccess;
+}
+
+SECStatus
+PKCS11_Sign(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
+	SECItem *sig, SECItem *digest)
+{
+   CK_RV crv;
+   CK_MECHANISM mech;
+
+   mech.mechanism = CKM_ECDSA;
+   mech.pParameter = NULL;
+   mech.ulParameterLen = 0;
+
+   crv = NSC_SignInit(session, &mech, *hKey);
+   if (crv != CKR_OK) {
+    printf("Sign Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+   }
+   crv = NSC_Sign(session, digest->data, digest->len, sig->data, 
+	(CK_ULONG_PTR)&sig->len);
+   if (crv != CKR_OK) {
+    printf("Sign Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+   }
+   return SECSuccess;
+}
+
+SECStatus
+PKCS11_Verify(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
+	SECItem *sig, SECItem *digest)
+{
+   CK_RV crv;
+   CK_MECHANISM mech;
+
+   mech.mechanism = CKM_ECDSA;
+   mech.pParameter = NULL;
+   mech.ulParameterLen = 0;
+
+   crv = NSC_VerifyInit(session, &mech, *hKey);
+   if (crv != CKR_OK) {
+    printf("Verify Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+   }
+   crv = NSC_Verify(session, digest->data, digest->len, sig->data, sig->len);
+   if (crv != CKR_OK) {
+    printf("Verify Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+   }
+   return SECSuccess;
+}
+
+static SECStatus
+ecName2params(ECCurveName curve, SECKEYECParams * params)
+{
+    SECOidData *oidData = NULL;
+
+    if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
+	((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	return SECFailure;
+    }
+
+    SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len));
+    /*
+     * params->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    params->data[0] = SEC_ASN1_OBJECT_ID;
+    params->data[1] = oidData->oid.len;
+    memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return SECSuccess;
+}
+
+
+
+/* Performs basic tests of elliptic curve cryptography over prime fields.
+ * If tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+SECStatus
+ectest_curve_pkcs11(ECCurveName curve, int iterations, int numThreads)
+{
+    CK_OBJECT_HANDLE ecPriv;
+    CK_OBJECT_HANDLE ecPub;
+    CK_SESSION_HANDLE session;
+    SECItem sig;
+    SECItem digest;
+    SECKEYECParams ecParams;
+    CK_MECHANISM mech;
+    CK_ECDH1_DERIVE_PARAMS ecdh_params;
+    unsigned char sigData [256];
+    unsigned char digestData[20];
+    unsigned char pubKeyData[256];
+    PRLock *lock = NULL;
+    double signRate, deriveRate;
+    CK_ATTRIBUTE template;
+    SECStatus rv;
+    CK_RV crv;
+
+    ecParams.data = NULL;
+    ecParams.len = 0;
+    rv = ecName2params(curve, &ecParams);
+    if (rv != SECSuccess) {
+    goto cleanup;
+    }
+
+    crv = NSC_OpenSession(1, CKF_SERIAL_SESSION, NULL, 0, &session);
+    if (crv != CKR_OK) {
+    printf("OpenSession Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+    }
+
+    PORT_Memset(digestData, 0xa5, sizeof(digestData));
+    digest.data = digestData;
+    digest.len = sizeof(digestData);
+    sig.data = sigData;
+    sig.len = sizeof(sigData);
+
+    template.type = CKA_EC_PARAMS;
+    template.pValue = ecParams.data;
+    template.ulValueLen = ecParams.len;
+    mech.mechanism = CKM_EC_KEY_PAIR_GEN;
+    mech.pParameter = NULL;
+    mech.ulParameterLen = 0;
+    crv = NSC_GenerateKeyPair(session, &mech, 
+		  &template, 1, NULL, 0, &ecPub, &ecPriv);
+    if (crv != CKR_OK) {
+    printf("GenerateKeyPair Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+    }
+
+    template.type = CKA_EC_POINT;
+    template.pValue = pubKeyData;
+    template.ulValueLen = sizeof(pubKeyData);
+    crv = NSC_GetAttributeValue(session, ecPub, &template, 1);
+    if (crv != CKR_OK) {
+    printf("GenerateKeyPair Failed CK_RV=0x%x\n", (int)crv);
+    return SECFailure;
+    }
+
+    ecdh_params.kdf = CKD_NULL;
+    ecdh_params.ulSharedDataLen = 0;
+    ecdh_params.pSharedData = NULL;
+    ecdh_params.ulPublicDataLen = template.ulValueLen;
+    ecdh_params.pPublicData = template.pValue;
+
+    mech.mechanism = CKM_ECDH1_DERIVE;
+    mech.pParameter = (void *)&ecdh_params;
+    mech.ulParameterLen = sizeof(ecdh_params);
+
+    lock = PR_NewLock();
+
+    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Derive, "ECDH_Derive",
+	    &ecPriv, &mech,  NULL, iterations, numThreads, 
+	    lock, session, 0, &deriveRate);
+    if (rv != SECSuccess) goto cleanup;
+    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Sign, "ECDSA_Sign",
+	    (void *)&ecPriv, &sig, &digest, iterations, numThreads,
+	    lock, session, 1, &signRate);
+    if (rv != SECSuccess) goto cleanup;
+    printf("        ECDHE max rate = %.2f\n", (deriveRate+signRate)/4.0);
+    /* get a signature */
+    rv = PKCS11_Sign(session, &ecPriv, &sig, &digest);
+    if (rv != SECSuccess) goto cleanup;
+    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Verify, "ECDSA_Verify",
+	    (void *)&ecPub, &sig, &digest, iterations, numThreads,
+	    lock, session, 0, NULL);
+    if (rv != SECSuccess) goto cleanup;
+
+cleanup:
+    if (lock) {
+    PR_DestroyLock(lock);
+    }
+    return rv;
+}
+
+SECStatus
+ECDH_DeriveWrap(ECPrivateKey *priv, ECPublicKey *pub, int *dummy)
+{
+    SECItem secret;
+    unsigned char secretData[256];
+    SECStatus rv;
+
+    secret.data = secretData;
+    secret.len = sizeof(secretData);
+
+    rv = ECDH_Derive(&pub->publicValue, &pub->ecParams, 
+	&priv->privateValue, 0, &secret);
+#ifdef notdef
+    if (rv == SECSuccess) {
+    PORT_Free(secret.data);
+    }
+#endif
+    return rv;
+}
+
+/* Performs basic tests of elliptic curve cryptography over prime fields.
+ * If tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+SECStatus
+ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads)
+{
+    ECParams      ecParams;
+    ECPrivateKey *ecPriv = NULL;
+    ECPublicKey ecPub;
+    SECItem sig;
+    SECItem digest;
+    unsigned char sigData [256];
+    unsigned char digestData[20];
+    double signRate, deriveRate;
+    char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
+    SECStatus rv;
+
+
+    GFP_POPULATE(ecParams, curve);
+
+    PORT_Memset(digestData, 0xa5, sizeof(digestData));
+    digest.data = digestData;
+    digest.len = sizeof(digestData);
+    sig.data = sigData;
+    sig.len = sizeof(sigData);
+
+    rv = EC_NewKey(&ecParams, &ecPriv);
+    if (rv != SECSuccess) {
+    return SECFailure;
+    }
+    ecPub.ecParams = ecParams;
+    ecPub.publicValue = ecPriv->publicValue;
+
+    M_TimeOperation(genericThread, (op_func) ECDH_DeriveWrap, "ECDH_Derive",
+	    ecPriv, &ecPub, NULL, iterations, numThreads, 0, 0, 0, &deriveRate);
+    if (rv != SECSuccess) goto cleanup;
+    M_TimeOperation(genericThread, (op_func) ECDSA_SignDigest, "ECDSA_Sign",
+	    ecPriv, &sig, &digest, iterations, numThreads, 0, 0, 1, &signRate);
+    if (rv != SECSuccess) goto cleanup;
+    printf("        ECDHE max rate = %.2f\n", (deriveRate+signRate)/4.0);
+    rv = ECDSA_SignDigest(ecPriv, &sig, &digest);
+    if (rv != SECSuccess) goto cleanup;
+    M_TimeOperation(genericThread, (op_func) ECDSA_VerifyDigest, "ECDSA_Verify",
+	    &ecPub, &sig, &digest, iterations, numThreads, 0, 0, 0, NULL);
+    if (rv != SECSuccess) goto cleanup;
+
+cleanup:
+    return rv;
+}
+
+/* Prints help information. */
+void
+printUsage(char *prog)
+{
+    printf("Usage: %s [-i iterations] [-t threads ] [-ans] [-fp] [-A]\n",prog);
+}
+
+/* Performs tests of elliptic curve cryptography over prime fields If
+ * tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+int
+main(int argv, char **argc)
+{
+    int ansi = 0;
+    int nist = 0;
+    int secp = 0;
+    int usefreebl = 0;
+    int usepkcs11 = 0;
+    int i;
+    SECStatus rv = SECSuccess;
+    int iterations = 100;
+    int numThreads = 1;
+
+    /* read command-line arguments */
+    for (i = 1; i < argv; i++) {
+	if (strcasecmp(argc[i], "-i") == 0) {
+	    i++;
+	    iterations = atoi(argc[i]);
+	} else if (strcasecmp(argc[i], "-t") == 0) {
+	    i++;
+	    numThreads = atoi(argc[i]);
+	} else if (strcasecmp(argc[i], "-A") == 0) {
+	    ansi = nist = secp = 1;
+	    usepkcs11 = usefreebl = 1;
+	} else if (strcasecmp(argc[i], "-a") == 0) {
+	    ansi = 1;
+	} else if (strcasecmp(argc[i], "-n") == 0) {
+	    nist = 1;
+	} else if (strcasecmp(argc[i], "-s") == 0) {
+	    secp = 1;
+	} else if (strcasecmp(argc[i], "-p") == 0) {
+	    usepkcs11 = 1;
+	} else if (strcasecmp(argc[i], "-f") == 0) {
+	    usefreebl = 1;
+	} else {
+	    printUsage(argc[0]);
+	    return 0;
+	}
+    }
+
+    if ((ansi | nist | secp) == 0) {
+	nist = 1;
+    }
+    if ((usepkcs11|usefreebl) == 0) {
+	usefreebl = 1;
+    }
+
+    rv = NSS_NoDB_Init(NULL);
+    if (rv != SECSuccess) {
+	SECU_PrintError("Error:", "NSS_NoDB_Init"); 
+	goto cleanup;
+    }
+
+    /* specific arithmetic tests */
+    if (nist) {
+        ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
+        ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192);
+        ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224);
+        ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256);
+        ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384);
+        ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521);
+    }
+    if (ansi) {
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3);
+        ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1);
+    }
+    if (secp) {
+        ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1);
+        ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2);
+        ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1);
+        ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2);
+        ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
+        ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
+        ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
+        ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
+        ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
+        ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
+        ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
+        ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1);
+        ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1);
+        ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1);
+        ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1);
+    }
+
+  cleanup:
+    if (rv != SECSuccess) {
+	printf("Error: exiting with error value\n");
+    }
+    return rv;
+}
diff --git a/security/nss/cmd/ecperf/manifest.mn b/security/nss/cmd/ecperf/manifest.mn
new file mode 100755
index 000000000..0e02089cc
--- /dev/null
+++ b/security/nss/cmd/ecperf/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH	= ../../..
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = dbm seccmd 
+
+# DIRS = 
+
+CSRCS	= ecperf.c 
+
+PROGRAM	= ecperf
+
+USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/fipstest/Makefile b/security/nss/cmd/fipstest/Makefile
new file mode 100755
index 000000000..a54a124ed
--- /dev/null
+++ b/security/nss/cmd/fipstest/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+#MKPROG = purify -cache-dir=/u/mcgreer/pcache -best-effort \
+#	-always-use-cache-dir $(CC)
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
diff --git a/security/nss/cmd/fipstest/aes.sh b/security/nss/cmd/fipstest/aes.sh
new file mode 100644
index 000000000..09ed494bf
--- /dev/null
+++ b/security/nss/cmd/fipstest/aes.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST AES Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+cbc_kat_requests="
+CBCGFSbox128.req
+CBCGFSbox192.req
+CBCGFSbox256.req
+CBCKeySbox128.req
+CBCKeySbox192.req
+CBCKeySbox256.req
+CBCVarKey128.req
+CBCVarKey192.req
+CBCVarKey256.req
+CBCVarTxt128.req
+CBCVarTxt192.req
+CBCVarTxt256.req
+"
+
+cbc_mct_requests="
+CBCMCT128.req
+CBCMCT192.req
+CBCMCT256.req
+"
+
+cbc_mmt_requests="
+CBCMMT128.req
+CBCMMT192.req
+CBCMMT256.req
+"
+
+ecb_kat_requests="
+ECBGFSbox128.req
+ECBGFSbox192.req
+ECBGFSbox256.req
+ECBKeySbox128.req
+ECBKeySbox192.req
+ECBKeySbox256.req
+ECBVarKey128.req
+ECBVarKey192.req
+ECBVarKey256.req
+ECBVarTxt128.req
+ECBVarTxt192.req
+ECBVarTxt256.req
+"
+
+ecb_mct_requests="
+ECBMCT128.req
+ECBMCT192.req
+ECBMCT256.req
+"
+
+ecb_mmt_requests="
+ECBMMT128.req
+ECBMMT192.req
+ECBMMT256.req
+"
+
+for request in $ecb_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes kat ecb $request > $response
+done
+for request in $ecb_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mmt ecb $request > $response
+done
+for request in $ecb_mct_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mct ecb $request > $response
+done
+for request in $cbc_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes kat cbc $request > $response
+done
+for request in $cbc_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mmt cbc $request > $response
+done
+for request in $cbc_mct_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mct cbc $request > $response
+done
diff --git a/security/nss/cmd/fipstest/dsa.sh b/security/nss/cmd/fipstest/dsa.sh
new file mode 100755
index 000000000..50dd20d4a
--- /dev/null
+++ b/security/nss/cmd/fipstest/dsa.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa keypair $request > $response
+
+request=PQGGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqggen $request > $response
+
+request=PQGVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqgver $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/ecdsa.sh b/security/nss/cmd/fipstest/ecdsa.sh
new file mode 100644
index 000000000..306c8650f
--- /dev/null
+++ b/security/nss/cmd/fipstest/ecdsa.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST ECDSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa keypair $request > $response
+
+request=PKV.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa pkv $request > $response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa siggen $request > $response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c
new file mode 100644
index 000000000..d191fe391
--- /dev/null
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -0,0 +1,4602 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include "secitem.h"
+#include "blapi.h"
+#include "nss.h"
+#include "secerr.h"
+#include "secder.h"
+#include "secdig.h"
+#include "keythi.h"
+#include "ec.h"
+#include "hasht.h"
+#include "lowkeyi.h"
+#include "softoken.h"
+
+#if 0
+#include "../../lib/freebl/mpi/mpi.h"
+#endif
+
+#ifdef NSS_ENABLE_ECC
+extern SECStatus
+EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
+extern SECStatus
+EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+              const ECParams *srcParams);
+#endif
+
+#define ENCRYPT 1
+#define DECRYPT 0
+#define BYTE unsigned char
+#define DEFAULT_RSA_PUBLIC_EXPONENT   0x10001
+#define RSA_MAX_TEST_MODULUS_BITS     4096
+#define RSA_MAX_TEST_MODULUS_BYTES    RSA_MAX_TEST_MODULUS_BITS/8
+#define RSA_MAX_TEST_EXPONENT_BYTES   8
+#define PQG_TEST_SEED_BYTES           20
+
+SECStatus
+hex_to_byteval(const char *c2, unsigned char *byteval)
+{
+    int i;
+    unsigned char offset;
+    *byteval = 0;
+    for (i=0; i<2; i++) {
+	if (c2[i] >= '0' && c2[i] <= '9') {
+	    offset = c2[i] - '0';
+	    *byteval |= offset << 4*(1-i);
+	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
+	    offset = c2[i] - 'a';
+	    *byteval |= (offset + 10) << 4*(1-i);
+	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
+	    offset = c2[i] - 'A';
+	    *byteval |= (offset + 10) << 4*(1-i);
+	} else {
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+byteval_to_hex(unsigned char byteval, char *c2, char a)
+{
+    int i;
+    unsigned char offset;
+    for (i=0; i<2; i++) {
+	offset = (byteval >> 4*(1-i)) & 0x0f;
+	if (offset < 10) {
+	    c2[i] = '0' + offset;
+	} else {
+	    c2[i] = a + offset - 10;
+	}
+    }
+    return SECSuccess;
+}
+
+void
+to_hex_str(char *str, const unsigned char *buf, unsigned int len)
+{
+    unsigned int i;
+    for (i=0; i<len; i++) {
+	byteval_to_hex(buf[i], &str[2*i], 'a');
+    }
+    str[2*len] = '\0';
+}
+
+void
+to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
+{
+    unsigned int i;
+    for (i=0; i<len; i++) {
+	byteval_to_hex(buf[i], &str[2*i], 'A');
+    }
+    str[2*len] = '\0';
+}
+
+/*
+ * Convert a string of hex digits (str) to an array (buf) of len bytes.
+ * Return PR_TRUE if the hex string can fit in the byte array.  Return
+ * PR_FALSE if the hex string is empty or is too long.
+ */
+PRBool
+from_hex_str(unsigned char *buf, unsigned int len, const char *str)
+{
+    unsigned int nxdigit;  /* number of hex digits in str */
+    unsigned int i;  /* index into buf */
+    unsigned int j;  /* index into str */
+
+    /* count the hex digits */
+    nxdigit = 0;
+    for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
+	/* empty body */
+    }
+    if (nxdigit == 0) {
+	return PR_FALSE;
+    }
+    if (nxdigit > 2*len) {
+	/*
+	 * The input hex string is too long, but we allow it if the
+	 * extra digits are leading 0's.
+	 */
+	for (j = 0; j < nxdigit-2*len; j++) {
+	    if (str[j] != '0') {
+		return PR_FALSE;
+	    }
+	}
+	/* skip leading 0's */
+	str += nxdigit-2*len;
+	nxdigit = 2*len;
+    }
+    for (i=0, j=0; i< len; i++) {
+	if (2*i < 2*len-nxdigit) {
+	    /* Handle a short input as if we padded it with leading 0's. */
+	    if (2*i+1 < 2*len-nxdigit) {
+		buf[i] = 0;
+	    } else {
+		char tmp[2];
+		tmp[0] = '0';
+		tmp[1] = str[j];
+		hex_to_byteval(tmp, &buf[i]);
+		j++;
+	    }
+	} else {
+	    hex_to_byteval(&str[j], &buf[i]);
+	    j += 2;
+	}
+    }
+    return PR_TRUE;
+}
+
+SECStatus
+tdea_encrypt_buf(
+    int mode,
+    const unsigned char *key, 
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
+{
+    SECStatus rv = SECFailure;
+    DESContext *cx;
+    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (*outputlen != inputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by decrypting the ciphertext and
+     * compare the output with the input plaintext.
+     */
+    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+                    output, *outputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+        goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+        DES_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+tdea_decrypt_buf(
+    int mode,
+    const unsigned char *key, 
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
+{
+    SECStatus rv = SECFailure;
+    DESContext *cx;
+    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
+                    input, inputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (*outputlen != inputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by encrypting the plaintext and
+     * compare the output with the input ciphertext.
+     */
+    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
+    if (cx == NULL) {
+        goto loser;
+    }
+    rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+        output, *outputlen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+        goto loser;
+    }
+    DES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+        goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+        DES_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
+ * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
+ * and MMT have the same structure: given the key and IV (CBC mode
+ * only), encrypt the given plaintext or decrypt the given ciphertext.
+ * So we can handle them the same way.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+tdea_kat_mmt(char *reqfn)
+{
+    char buf[180];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "CIPHERTEXT = <180 hex digits>\n".
+                         */
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+    int i, j;
+    int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
+    int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[24];              /* TDEA 3 key bundle */
+    unsigned int numKeys = 0;
+    unsigned char iv[8];		/* for all modes except ECB */
+    unsigned char plaintext[8*20];     /* 1 to 20 blocks */
+    unsigned int plaintextlen;
+    unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
+    unsigned int ciphertextlen;
+    SECStatus rv;
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, sizeof buf, req) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [ENCRYPT] or [DECRYPT] */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+                crypt = ENCRYPT;
+            } else {
+                crypt = DECRYPT;
+            }
+            fputs(buf, resp);
+            continue;
+        }
+        /* NumKeys */
+        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            numKeys = buf[i];
+            fputs(buf, resp);
+            continue;
+        }
+        /* "COUNT = x" begins a new data set */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* mode defaults to ECB, if dataset has IV mode will be set CBC */
+            mode = NSS_DES_EDE3;
+            /* zeroize the variables for the test with this data set */
+            memset(key, 0, sizeof key);
+            memset(iv, 0, sizeof iv);
+            memset(plaintext, 0, sizeof plaintext);
+            plaintextlen = 0;
+            memset(ciphertext, 0, sizeof ciphertext);
+            ciphertextlen = 0;
+            fputs(buf, resp);
+            continue;
+        }
+        if (numKeys == 0) {
+            if (strncmp(buf, "KEYs", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                    hex_to_byteval(&buf[i], &key[j]);
+                    key[j+8] = key[j];
+                    key[j+16] = key[j];
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        } else {
+            /* KEY1 = ... */
+            if (strncmp(buf, "KEY1", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                    hex_to_byteval(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+            /* KEY2 = ... */
+            if (strncmp(buf, "KEY2", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=8; isxdigit(buf[i]); i+=2,j++) {
+                    hex_to_byteval(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+            /* KEY3 = ... */
+            if (strncmp(buf, "KEY3", 4) == 0) {
+                i = 4;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                for (j=16; isxdigit(buf[i]); i+=2,j++) {
+                    hex_to_byteval(&buf[i], &key[j]);
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        }
+
+        /* IV = ... */
+        if (strncmp(buf, "IV", 2) == 0) {
+            mode = NSS_DES_EDE3_CBC;
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof iv; i+=2,j++) {
+                hex_to_byteval(&buf[i], &iv[j]);
+            }
+            fputs(buf, resp);
+            continue;
+        }
+
+        /* PLAINTEXT = ... */
+        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+            /* sanity check */
+            if (crypt != ENCRYPT) {
+                goto loser;
+            }
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &plaintext[j]);
+            }
+            plaintextlen = j;
+            rv = tdea_encrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            ciphertext, &ciphertextlen, sizeof ciphertext,
+                            plaintext, plaintextlen);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+    
+            fputs(buf, resp);
+            fputs("CIPHERTEXT = ", resp);
+            to_hex_str(buf, ciphertext, ciphertextlen);
+            fputs(buf, resp);
+            fputc('\n', resp);
+            continue;
+        }
+        /* CIPHERTEXT = ... */
+        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+            /* sanity check */
+            if (crypt != DECRYPT) {
+                goto loser;
+            }
+ 
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &ciphertext[j]);
+            }
+            ciphertextlen = j;
+ 
+            rv = tdea_decrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            plaintext, &plaintextlen, sizeof plaintext,
+                            ciphertext, ciphertextlen);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+ 
+            fputs(buf, resp);
+            fputs("PLAINTEXT = ", resp);
+            to_hex_str(buf, plaintext, plaintextlen);
+            fputs(buf, resp);
+            fputc('\n', resp);
+            continue;
+        }
+    }
+
+loser:
+    fclose(req);
+}
+
+/*
+* Set the parity bit for the given byte
+*/
+BYTE odd_parity( BYTE in)
+{
+    BYTE out = in;
+    in ^= in >> 4;
+    in ^= in >> 2;
+    in ^= in >> 1;
+    return (BYTE)(out ^ !(in & 1));
+}
+
+/*
+ * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
+ * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
+ */
+void
+tdea_mct_next_keys(unsigned char *key,
+    const unsigned char *text_2, const unsigned char *text_1, 
+    const unsigned char *text, unsigned int numKeys)
+{
+    int k;
+
+    /* key1[i+1] = key1[i] xor PT/CT[j] */
+    for (k=0; k<8; k++) {
+        key[k] ^= text[k];
+    }
+    /* key2 */
+    if (numKeys == 2 || numKeys == 3)  {
+        /* key2 independent */
+        for (k=8; k<16; k++) {
+            /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
+            key[k] ^= text_1[k-8];
+        }
+    } else {
+        /* key2 == key 1 */
+        for (k=8; k<16; k++) {
+            /* key2[i+1] = KEY2[i] xor PT/CT[j] */
+            key[k] = key[k-8];
+        }
+    }
+    /* key3 */
+    if (numKeys == 1 || numKeys == 2) {
+        /* key3 == key 1 */
+        for (k=16; k<24; k++) {
+            /* key3[i+1] = KEY3[i] xor PT/CT[j] */
+            key[k] = key[k-16];
+        }
+    } else {
+        /* key3 independent */ 
+        for (k=16; k<24; k++) {
+            /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
+            key[k] ^= text_2[k-16];
+        }
+    }
+    /* set the parity bits */            
+    for (k=0; k<24; k++) {
+        key[k] = odd_parity(key[k]);
+    }
+}
+
+/*
+ * Perform the Monte Carlo Test
+ *
+ * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
+ * crypt = ENCRYPT || DECRYPT
+ * inputtext = plaintext or Cyphertext depending on the value of crypt
+ * inputlength is expected to be size 8 bytes 
+ * iv = needs to be set for NSS_DES_EDE3_CBC mode
+ * resp = is the output response file. 
+ */
+ void                                                       
+tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
+              unsigned int crypt, unsigned char* inputtext, 
+              unsigned int inputlength, unsigned char* iv, FILE *resp) { 
+
+    int i, j;
+    unsigned char outputtext_1[8];      /* PT/CT[j-1] */
+    unsigned char outputtext_2[8];      /* PT/CT[j-2] */
+    char buf[80];       /* holds one line from the input REQUEST file. */
+    unsigned int outputlen;
+    unsigned char outputtext[8];
+    
+        
+    SECStatus rv;
+
+    if (mode == NSS_DES_EDE3 && iv != NULL) {
+        printf("IV must be NULL for NSS_DES_EDE3 mode");
+        goto loser;
+    } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
+        printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
+        goto loser;
+    }
+
+    /* loop 400 times */
+    for (i=0; i<400; i++) {
+        /* if i == 0 CV[0] = IV  not necessary */        
+        /* record the count and key values and plainText */
+        sprintf(buf, "COUNT = %d\n", i);
+        fputs(buf, resp);
+        /* Output KEY1[i] */
+        fputs("KEY1 = ", resp);
+        to_hex_str(buf, key, 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        /* Output KEY2[i] */
+        fputs("KEY2 = ", resp);
+        to_hex_str(buf, &key[8], 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        /* Output KEY3[i] */
+        fputs("KEY3 = ", resp);
+        to_hex_str(buf, &key[16], 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+        if (mode == NSS_DES_EDE3_CBC) {
+            /* Output CV[i] */
+            fputs("IV = ", resp);
+            to_hex_str(buf, iv, 8);
+            fputs(buf, resp);
+            fputc('\n', resp);
+        }
+        if (crypt == ENCRYPT) {
+            /* Output PT[0] */
+            fputs("PLAINTEXT = ", resp);
+        } else {
+            /* Output CT[0] */
+            fputs("CIPHERTEXT = ", resp);
+        }
+
+        to_hex_str(buf, inputtext, inputlength);
+        fputs(buf, resp);
+        fputc('\n', resp);
+
+        /* loop 10,000 times */
+        for (j=0; j<10000; j++) {
+
+            outputlen = 0;
+            if (crypt == ENCRYPT) {
+                /* inputtext == ciphertext outputtext == plaintext*/
+                rv = tdea_encrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            outputtext, &outputlen, 8,
+                            inputtext, 8);
+            } else {
+                /* inputtext == plaintext outputtext == ciphertext */
+                rv = tdea_decrypt_buf(mode, key,
+                            (mode == NSS_DES_EDE3) ? NULL : iv,
+                            outputtext, &outputlen, 8,
+                            inputtext, 8);
+            }
+
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+            if (outputlen != inputlength) {
+                goto loser;
+            }
+
+            if (mode == NSS_DES_EDE3_CBC) {
+                if (crypt == ENCRYPT) {
+                    if (j == 0) {
+                        /*P[j+1] = CV[0] */
+                        memcpy(inputtext, iv, 8);
+                    } else {
+                        /* p[j+1] = C[j-1] */
+                        memcpy(inputtext, outputtext_1, 8);
+                    }
+                    /* CV[j+1] = C[j] */
+                    memcpy(iv, outputtext, 8);
+                    if (j != 9999) {
+                        /* save C[j-1] */
+                        memcpy(outputtext_1, outputtext, 8);
+                    }
+                } else { /* DECRYPT */
+                    /* CV[j+1] = C[j] */
+                    memcpy(iv, inputtext, 8);
+                    /* C[j+1] = P[j] */
+                    memcpy(inputtext, outputtext, 8);
+                }
+            } else {
+                /* ECB mode PT/CT[j+1] = CT/PT[j] */
+                memcpy(inputtext, outputtext, 8);
+            }
+
+            /* Save PT/CT[j-2] and PT/CT[j-1] */
+            if (j==9997) memcpy(outputtext_2, outputtext, 8);
+            if (j==9998) memcpy(outputtext_1, outputtext, 8);
+            /* done at the end of the for(j) loop */
+        }
+
+
+        if (crypt == ENCRYPT) {
+            /* Output CT[j] */
+            fputs("CIPHERTEXT = ", resp);
+        } else {
+            /* Output PT[j] */
+            fputs("PLAINTEXT = ", resp);
+        }
+        to_hex_str(buf, outputtext, 8);
+        fputs(buf, resp);
+        fputc('\n', resp);
+
+        /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
+         *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
+         */
+        tdea_mct_next_keys(key, outputtext_2, 
+                           outputtext_1, outputtext, numKeys);
+
+        if (mode == NSS_DES_EDE3_CBC) {
+            /* taken care of in the j=9999 iteration */
+            if (crypt == ENCRYPT) {
+                /* P[i] = C[j-1] */
+                /* CV[i] = C[j] */
+            } else {
+                /* taken care of in the j=9999 iteration */
+                /* CV[i] = C[j] */
+                /* C[i] = P[j]  */
+            }
+        } else {
+            /* ECB PT/CT[i] = PT/CT[j]  */
+            memcpy(inputtext, outputtext, 8);
+        }
+        /* done at the end of the for(i) loop */
+        fputc('\n', resp);
+    }
+
+loser:
+    return;
+}
+
+/*
+ * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
+ * by gathering the input from the request file, and then 
+ * calling tdea_mct_test.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+tdea_mct(int mode, char *reqfn)
+{
+    int i, j;
+    char buf[80];    /* holds one line from the input REQUEST file. */
+    FILE *req;       /* input stream from the REQUEST file */
+    FILE *resp;      /* output stream to the RESPONSE file */
+    unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[24];              /* TDEA 3 key bundle */
+    unsigned int numKeys = 0;
+    unsigned char plaintext[8];        /* PT[j] */
+    unsigned char ciphertext[8];       /* CT[j] */
+    unsigned char iv[8];
+
+    /* zeroize the variables for the test with this data set */
+    memset(key, 0, sizeof key);
+    memset(plaintext, 0, sizeof plaintext);
+    memset(ciphertext, 0, sizeof ciphertext);
+    memset(iv, 0, sizeof iv);
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, sizeof buf, req) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [ENCRYPT] or [DECRYPT] */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+                crypt = ENCRYPT;
+            } else {
+                crypt = DECRYPT;
+           }
+           fputs(buf, resp);
+           continue;
+        }
+        /* NumKeys */
+        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            numKeys = atoi(&buf[i]);
+            continue;
+        }
+        /* KEY1 = ... */
+        if (strncmp(buf, "KEY1", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &key[j]);
+            }
+            continue;
+        }
+        /* KEY2 = ... */
+        if (strncmp(buf, "KEY2", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=8; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &key[j]);
+            }
+            continue;
+        }
+        /* KEY3 = ... */
+        if (strncmp(buf, "KEY3", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=16; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &key[j]);
+            }
+            continue;
+        }
+
+        /* IV = ... */
+        if (strncmp(buf, "IV", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof iv; i+=2,j++) {
+                hex_to_byteval(&buf[i], &iv[j]);
+            }
+            continue;
+        }
+
+       /* PLAINTEXT = ... */
+       if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+
+            /* sanity check */
+            if (crypt != ENCRYPT) {
+                goto loser;
+            }
+            /* PT[0] = PT */
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof plaintext; i+=2,j++) {
+                hex_to_byteval(&buf[i], &plaintext[j]);
+            }                                     
+
+            /* do the Monte Carlo test */
+            if (mode==NSS_DES_EDE3) {
+                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
+            } else {
+                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
+            }
+            continue;
+        }
+        /* CIPHERTEXT = ... */
+        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+            /* sanity check */
+            if (crypt != DECRYPT) {
+                goto loser;
+            }
+            /* CT[0] = CT */
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &ciphertext[j]);
+            }
+            
+            /* do the Monte Carlo test */
+            if (mode==NSS_DES_EDE3) {
+                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
+            } else {
+                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
+            }
+            continue;
+        }
+    }
+
+loser:
+    fclose(req);
+}
+
+
+SECStatus
+aes_encrypt_buf(
+    int mode,
+    const unsigned char *key, unsigned int keysize,
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
+{
+    SECStatus rv = SECFailure;
+    AESContext *cx;
+    unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
+    if (cx == NULL) {
+	goto loser;
+    }
+    rv = AES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (*outputlen != inputlen) {
+	goto loser;
+    }
+    AES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by decrypting the ciphertext and
+     * compare the output with the input plaintext.
+     */
+    cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
+    if (cx == NULL) {
+	goto loser;
+    }
+    rv = AES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+	output, *outputlen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+	goto loser;
+    }
+    AES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+	goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+	AES_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+aes_decrypt_buf(
+    int mode,
+    const unsigned char *key, unsigned int keysize,
+    const unsigned char *iv,
+    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
+    const unsigned char *input, unsigned int inputlen)
+{
+    SECStatus rv = SECFailure;
+    AESContext *cx;
+    unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
+    unsigned int doublechecklen = 0;
+
+    cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
+    if (cx == NULL) {
+	goto loser;
+    }
+    rv = AES_Decrypt(cx, output, outputlen, maxoutputlen,
+	input, inputlen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (*outputlen != inputlen) {
+	goto loser;
+    }
+    AES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+
+    /*
+     * Doublecheck our result by encrypting the plaintext and
+     * compare the output with the input ciphertext.
+     */
+    cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
+    if (cx == NULL) {
+	goto loser;
+    }
+    rv = AES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
+	output, *outputlen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (doublechecklen != *outputlen) {
+	goto loser;
+    }
+    AES_DestroyContext(cx, PR_TRUE);
+    cx = NULL;
+    if (memcmp(doublecheck, input, inputlen) != 0) {
+	goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    if (cx != NULL) {
+	AES_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * Perform the AES Known Answer Test (KAT) or Multi-block Message
+ * Test (MMT) in ECB or CBC mode.  The KAT (there are four types)
+ * and MMT have the same structure: given the key and IV (CBC mode
+ * only), encrypt the given plaintext or decrypt the given ciphertext.
+ * So we can handle them the same way.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+aes_kat_mmt(char *reqfn)
+{
+    char buf[512];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "CIPHERTEXT = <320 hex digits>\n".
+                         */
+    FILE *aesreq;       /* input stream from the REQUEST file */
+    FILE *aesresp;      /* output stream to the RESPONSE file */
+    int i, j;
+    int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
+    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[32];              /* 128, 192, or 256 bits */
+    unsigned int keysize;
+    unsigned char iv[16];		/* for all modes except ECB */
+    unsigned char plaintext[10*16];     /* 1 to 10 blocks */
+    unsigned int plaintextlen;
+    unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
+    unsigned int ciphertextlen;
+    SECStatus rv;
+
+    aesreq = fopen(reqfn, "r");
+    aesresp = stdout;
+    while (fgets(buf, sizeof buf, aesreq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* [ENCRYPT] or [DECRYPT] */
+	if (buf[0] == '[') {
+	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+		encrypt = 1;
+	    } else {
+		encrypt = 0;
+	    }
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* "COUNT = x" begins a new data set */
+	if (strncmp(buf, "COUNT", 5) == 0) {
+	    mode = NSS_AES;
+	    /* zeroize the variables for the test with this data set */
+	    memset(key, 0, sizeof key);
+	    keysize = 0;
+	    memset(iv, 0, sizeof iv);
+	    memset(plaintext, 0, sizeof plaintext);
+	    plaintextlen = 0;
+	    memset(ciphertext, 0, sizeof ciphertext);
+	    ciphertextlen = 0;
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* KEY = ... */
+	if (strncmp(buf, "KEY", 3) == 0) {
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &key[j]);
+	    }
+	    keysize = j;
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* IV = ... */
+	if (strncmp(buf, "IV", 2) == 0) {
+	    mode = NSS_AES_CBC;
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof iv; i+=2,j++) {
+		hex_to_byteval(&buf[i], &iv[j]);
+	    }
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* PLAINTEXT = ... */
+	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+	    /* sanity check */
+	    if (!encrypt) {
+		goto loser;
+	    }
+
+	    i = 9;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &plaintext[j]);
+	    }
+	    plaintextlen = j;
+
+	    rv = aes_encrypt_buf(mode, key, keysize,
+		(mode == NSS_AES) ? NULL : iv,
+		ciphertext, &ciphertextlen, sizeof ciphertext,
+		plaintext, plaintextlen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+
+	    fputs(buf, aesresp);
+	    fputs("CIPHERTEXT = ", aesresp);
+	    to_hex_str(buf, ciphertext, ciphertextlen);
+	    fputs(buf, aesresp);
+	    fputc('\n', aesresp);
+	    continue;
+	}
+	/* CIPHERTEXT = ... */
+	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+	    /* sanity check */
+	    if (encrypt) {
+		goto loser;
+	    }
+
+	    i = 10;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &ciphertext[j]);
+	    }
+	    ciphertextlen = j;
+
+	    rv = aes_decrypt_buf(mode, key, keysize,
+		(mode == NSS_AES) ? NULL : iv,
+		plaintext, &plaintextlen, sizeof plaintext,
+		ciphertext, ciphertextlen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+
+	    fputs(buf, aesresp);
+	    fputs("PLAINTEXT = ", aesresp);
+	    to_hex_str(buf, plaintext, plaintextlen);
+	    fputs(buf, aesresp);
+	    fputc('\n', aesresp);
+	    continue;
+	}
+    }
+loser:
+    fclose(aesreq);
+}
+
+/*
+ * Generate Key[i+1] from Key[i], CT[j-1], and CT[j] for AES Monte Carlo
+ * Test (MCT) in ECB and CBC modes.
+ */
+void
+aes_mct_next_key(unsigned char *key, unsigned int keysize,
+    const unsigned char *ciphertext_1, const unsigned char *ciphertext)
+{
+    int k;
+
+    switch (keysize) {
+    case 16:  /* 128-bit key */
+	/* Key[i+1] = Key[i] xor CT[j] */
+	for (k=0; k<16; k++) {
+	    key[k] ^= ciphertext[k];
+	}
+	break;
+    case 24:  /* 192-bit key */
+	/*
+	 * Key[i+1] = Key[i] xor (last 64-bits of
+	 *            CT[j-1] || CT[j])
+	 */
+	for (k=0; k<8; k++) {
+	    key[k] ^= ciphertext_1[k+8];
+	}
+	for (k=8; k<24; k++) {
+	    key[k] ^= ciphertext[k-8];
+	}
+	break;
+    case 32:  /* 256-bit key */
+	/* Key[i+1] = Key[i] xor (CT[j-1] || CT[j]) */
+	for (k=0; k<16; k++) {
+	    key[k] ^= ciphertext_1[k];
+	}
+	for (k=16; k<32; k++) {
+	    key[k] ^= ciphertext[k-16];
+	}
+	break;
+    }
+}
+
+/*
+ * Perform the AES Monte Carlo Test (MCT) in ECB mode.  MCT exercises
+ * our AES code in streaming mode because the plaintext or ciphertext
+ * is generated block by block as we go, so we can't collect all the
+ * plaintext or ciphertext in one buffer and encrypt or decrypt it in
+ * one shot.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+aes_ecb_mct(char *reqfn)
+{
+    char buf[80];       /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "KEY = <64 hex digits>\n".
+                         */
+    FILE *aesreq;       /* input stream from the REQUEST file */
+    FILE *aesresp;      /* output stream to the RESPONSE file */
+    int i, j;
+    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[32];              /* 128, 192, or 256 bits */
+    unsigned int keysize;
+    unsigned char plaintext[16];        /* PT[j] */
+    unsigned char plaintext_1[16];      /* PT[j-1] */
+    unsigned char ciphertext[16];       /* CT[j] */
+    unsigned char ciphertext_1[16];     /* CT[j-1] */
+    unsigned char doublecheck[16];
+    unsigned int outputlen;
+    AESContext *cx = NULL;	/* the operation being tested */
+    AESContext *cx2 = NULL;     /* the inverse operation done in parallel
+                                 * to doublecheck our result.
+                                 */
+    SECStatus rv;
+
+    aesreq = fopen(reqfn, "r");
+    aesresp = stdout;
+    while (fgets(buf, sizeof buf, aesreq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* [ENCRYPT] or [DECRYPT] */
+	if (buf[0] == '[') {
+	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+		encrypt = 1;
+	    } else {
+		encrypt = 0;
+	    }
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* "COUNT = x" begins a new data set */
+	if (strncmp(buf, "COUNT", 5) == 0) {
+	    /* zeroize the variables for the test with this data set */
+	    memset(key, 0, sizeof key);
+	    keysize = 0;
+	    memset(plaintext, 0, sizeof plaintext);
+	    memset(ciphertext, 0, sizeof ciphertext);
+	    continue;
+	}
+	/* KEY = ... */
+	if (strncmp(buf, "KEY", 3) == 0) {
+	    /* Key[0] = Key */
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &key[j]);
+	    }
+	    keysize = j;
+	    continue;
+	}
+	/* PLAINTEXT = ... */
+	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+	    /* sanity check */
+	    if (!encrypt) {
+		goto loser;
+	    }
+	    /* PT[0] = PT */
+	    i = 9;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof plaintext; i+=2,j++) {
+		hex_to_byteval(&buf[i], &plaintext[j]);
+	    }
+
+	    for (i=0; i<100; i++) {
+		sprintf(buf, "COUNT = %d\n", i);
+	        fputs(buf, aesresp);
+		/* Output Key[i] */
+		fputs("KEY = ", aesresp);
+		to_hex_str(buf, key, keysize);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output PT[0] */
+		fputs("PLAINTEXT = ", aesresp);
+		to_hex_str(buf, plaintext, sizeof plaintext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		cx = AES_CreateContext(key, NULL, NSS_AES,
+		    PR_TRUE, keysize, 16);
+		if (cx == NULL) {
+		    goto loser;
+		}
+		/*
+		 * doublecheck our result by decrypting the result
+		 * and comparing the output with the plaintext.
+		 */
+		cx2 = AES_CreateContext(key, NULL, NSS_AES,
+		    PR_FALSE, keysize, 16);
+		if (cx2 == NULL) {
+		    goto loser;
+		}
+		for (j=0; j<1000; j++) {
+		    /* Save CT[j-1] */
+		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
+
+		    /* CT[j] = AES(Key[i], PT[j]) */
+		    outputlen = 0;
+		    rv = AES_Encrypt(cx,
+			ciphertext, &outputlen, sizeof ciphertext,
+			plaintext, sizeof plaintext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof plaintext) {
+			goto loser;
+		    }
+
+		    /* doublecheck our result */
+		    outputlen = 0;
+		    rv = AES_Decrypt(cx2,
+			doublecheck, &outputlen, sizeof doublecheck,
+			ciphertext, sizeof ciphertext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof ciphertext) {
+			goto loser;
+		    }
+		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
+			goto loser;
+		    }
+
+		    /* PT[j+1] = CT[j] */
+		    memcpy(plaintext, ciphertext, sizeof plaintext);
+		}
+		AES_DestroyContext(cx, PR_TRUE);
+		cx = NULL;
+		AES_DestroyContext(cx2, PR_TRUE);
+		cx2 = NULL;
+
+		/* Output CT[j] */
+		fputs("CIPHERTEXT = ", aesresp);
+		to_hex_str(buf, ciphertext, sizeof ciphertext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		/* Key[i+1] = Key[i] xor ... */
+		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
+		/* PT[0] = CT[j] */
+		/* done at the end of the for(j) loop */
+
+		fputc('\n', aesresp);
+	    }
+
+	    continue;
+	}
+	/* CIPHERTEXT = ... */
+	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+	    /* sanity check */
+	    if (encrypt) {
+		goto loser;
+	    }
+	    /* CT[0] = CT */
+	    i = 10;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &ciphertext[j]);
+	    }
+
+	    for (i=0; i<100; i++) {
+		sprintf(buf, "COUNT = %d\n", i);
+	        fputs(buf, aesresp);
+		/* Output Key[i] */
+		fputs("KEY = ", aesresp);
+		to_hex_str(buf, key, keysize);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output CT[0] */
+		fputs("CIPHERTEXT = ", aesresp);
+		to_hex_str(buf, ciphertext, sizeof ciphertext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		cx = AES_CreateContext(key, NULL, NSS_AES,
+		    PR_FALSE, keysize, 16);
+		if (cx == NULL) {
+		    goto loser;
+		}
+		/*
+		 * doublecheck our result by encrypting the result
+		 * and comparing the output with the ciphertext.
+		 */
+		cx2 = AES_CreateContext(key, NULL, NSS_AES,
+		    PR_TRUE, keysize, 16);
+		if (cx2 == NULL) {
+		    goto loser;
+		}
+		for (j=0; j<1000; j++) {
+		    /* Save PT[j-1] */
+		    memcpy(plaintext_1, plaintext, sizeof plaintext);
+
+		    /* PT[j] = AES(Key[i], CT[j]) */
+		    outputlen = 0;
+		    rv = AES_Decrypt(cx,
+			plaintext, &outputlen, sizeof plaintext,
+			ciphertext, sizeof ciphertext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof ciphertext) {
+			goto loser;
+		    }
+
+		    /* doublecheck our result */
+		    outputlen = 0;
+		    rv = AES_Encrypt(cx2,
+			doublecheck, &outputlen, sizeof doublecheck,
+			plaintext, sizeof plaintext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof plaintext) {
+			goto loser;
+		    }
+		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
+			goto loser;
+		    }
+
+		    /* CT[j+1] = PT[j] */
+		    memcpy(ciphertext, plaintext, sizeof ciphertext);
+		}
+		AES_DestroyContext(cx, PR_TRUE);
+		cx = NULL;
+		AES_DestroyContext(cx2, PR_TRUE);
+		cx2 = NULL;
+
+		/* Output PT[j] */
+		fputs("PLAINTEXT = ", aesresp);
+		to_hex_str(buf, plaintext, sizeof plaintext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		/* Key[i+1] = Key[i] xor ... */
+		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
+		/* CT[0] = PT[j] */
+		/* done at the end of the for(j) loop */
+
+		fputc('\n', aesresp);
+	    }
+
+	    continue;
+	}
+    }
+loser:
+    if (cx != NULL) {
+	AES_DestroyContext(cx, PR_TRUE);
+    }
+    if (cx2 != NULL) {
+	AES_DestroyContext(cx2, PR_TRUE);
+    }
+    fclose(aesreq);
+}
+
+/*
+ * Perform the AES Monte Carlo Test (MCT) in CBC mode.  MCT exercises
+ * our AES code in streaming mode because the plaintext or ciphertext
+ * is generated block by block as we go, so we can't collect all the
+ * plaintext or ciphertext in one buffer and encrypt or decrypt it in
+ * one shot.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+aes_cbc_mct(char *reqfn)
+{
+    char buf[80];       /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "KEY = <64 hex digits>\n".
+                         */
+    FILE *aesreq;       /* input stream from the REQUEST file */
+    FILE *aesresp;      /* output stream to the RESPONSE file */
+    int i, j;
+    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
+    unsigned char key[32];              /* 128, 192, or 256 bits */
+    unsigned int keysize;
+    unsigned char iv[16];
+    unsigned char plaintext[16];        /* PT[j] */
+    unsigned char plaintext_1[16];      /* PT[j-1] */
+    unsigned char ciphertext[16];       /* CT[j] */
+    unsigned char ciphertext_1[16];     /* CT[j-1] */
+    unsigned char doublecheck[16];
+    unsigned int outputlen;
+    AESContext *cx = NULL;	/* the operation being tested */
+    AESContext *cx2 = NULL;     /* the inverse operation done in parallel
+                                 * to doublecheck our result.
+                                 */
+    SECStatus rv;
+
+    aesreq = fopen(reqfn, "r");
+    aesresp = stdout;
+    while (fgets(buf, sizeof buf, aesreq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* [ENCRYPT] or [DECRYPT] */
+	if (buf[0] == '[') {
+	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
+		encrypt = 1;
+	    } else {
+		encrypt = 0;
+	    }
+	    fputs(buf, aesresp);
+	    continue;
+	}
+	/* "COUNT = x" begins a new data set */
+	if (strncmp(buf, "COUNT", 5) == 0) {
+	    /* zeroize the variables for the test with this data set */
+	    memset(key, 0, sizeof key);
+	    keysize = 0;
+	    memset(iv, 0, sizeof iv);
+	    memset(plaintext, 0, sizeof plaintext);
+	    memset(ciphertext, 0, sizeof ciphertext);
+	    continue;
+	}
+	/* KEY = ... */
+	if (strncmp(buf, "KEY", 3) == 0) {
+	    /* Key[0] = Key */
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &key[j]);
+	    }
+	    keysize = j;
+	    continue;
+	}
+	/* IV = ... */
+	if (strncmp(buf, "IV", 2) == 0) {
+	    /* IV[0] = IV */
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof iv; i+=2,j++) {
+		hex_to_byteval(&buf[i], &iv[j]);
+	    }
+	    continue;
+	}
+	/* PLAINTEXT = ... */
+	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
+	    /* sanity check */
+	    if (!encrypt) {
+		goto loser;
+	    }
+	    /* PT[0] = PT */
+	    i = 9;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof plaintext; i+=2,j++) {
+		hex_to_byteval(&buf[i], &plaintext[j]);
+	    }
+
+	    for (i=0; i<100; i++) {
+		sprintf(buf, "COUNT = %d\n", i);
+	        fputs(buf, aesresp);
+		/* Output Key[i] */
+		fputs("KEY = ", aesresp);
+		to_hex_str(buf, key, keysize);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output IV[i] */
+		fputs("IV = ", aesresp);
+		to_hex_str(buf, iv, sizeof iv);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output PT[0] */
+		fputs("PLAINTEXT = ", aesresp);
+		to_hex_str(buf, plaintext, sizeof plaintext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
+		    PR_TRUE, keysize, 16);
+		if (cx == NULL) {
+		    goto loser;
+		}
+		/*
+		 * doublecheck our result by decrypting the result
+		 * and comparing the output with the plaintext.
+		 */
+		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
+		    PR_FALSE, keysize, 16);
+		if (cx2 == NULL) {
+		    goto loser;
+		}
+		/* CT[-1] = IV[i] */
+		memcpy(ciphertext, iv, sizeof ciphertext);
+		for (j=0; j<1000; j++) {
+		    /* Save CT[j-1] */
+		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
+		    /*
+		     * If ( j=0 )
+		     *      CT[j] = AES(Key[i], IV[i], PT[j])
+		     *      PT[j+1] = IV[i] (= CT[j-1])
+		     * Else
+		     *      CT[j] = AES(Key[i], PT[j])
+		     *      PT[j+1] = CT[j-1]
+		     */
+		    outputlen = 0;
+		    rv = AES_Encrypt(cx,
+			ciphertext, &outputlen, sizeof ciphertext,
+			plaintext, sizeof plaintext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof plaintext) {
+			goto loser;
+		    }
+
+		    /* doublecheck our result */
+		    outputlen = 0;
+		    rv = AES_Decrypt(cx2,
+			doublecheck, &outputlen, sizeof doublecheck,
+			ciphertext, sizeof ciphertext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof ciphertext) {
+			goto loser;
+		    }
+		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
+			goto loser;
+		    }
+
+		    memcpy(plaintext, ciphertext_1, sizeof plaintext);
+		}
+		AES_DestroyContext(cx, PR_TRUE);
+		cx = NULL;
+		AES_DestroyContext(cx2, PR_TRUE);
+		cx2 = NULL;
+
+		/* Output CT[j] */
+		fputs("CIPHERTEXT = ", aesresp);
+		to_hex_str(buf, ciphertext, sizeof ciphertext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		/* Key[i+1] = Key[i] xor ... */
+		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
+		/* IV[i+1] = CT[j] */
+		memcpy(iv, ciphertext, sizeof iv);
+		/* PT[0] = CT[j-1] */
+		/* done at the end of the for(j) loop */
+
+		fputc('\n', aesresp);
+	    }
+
+	    continue;
+	}
+	/* CIPHERTEXT = ... */
+	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
+	    /* sanity check */
+	    if (encrypt) {
+		goto loser;
+	    }
+	    /* CT[0] = CT */
+	    i = 10;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &ciphertext[j]);
+	    }
+
+	    for (i=0; i<100; i++) {
+		sprintf(buf, "COUNT = %d\n", i);
+	        fputs(buf, aesresp);
+		/* Output Key[i] */
+		fputs("KEY = ", aesresp);
+		to_hex_str(buf, key, keysize);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output IV[i] */
+		fputs("IV = ", aesresp);
+		to_hex_str(buf, iv, sizeof iv);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+		/* Output CT[0] */
+		fputs("CIPHERTEXT = ", aesresp);
+		to_hex_str(buf, ciphertext, sizeof ciphertext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
+		    PR_FALSE, keysize, 16);
+		if (cx == NULL) {
+		    goto loser;
+		}
+		/*
+		 * doublecheck our result by encrypting the result
+		 * and comparing the output with the ciphertext.
+		 */
+		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
+		    PR_TRUE, keysize, 16);
+		if (cx2 == NULL) {
+		    goto loser;
+		}
+		/* PT[-1] = IV[i] */
+		memcpy(plaintext, iv, sizeof plaintext);
+		for (j=0; j<1000; j++) {
+		    /* Save PT[j-1] */
+		    memcpy(plaintext_1, plaintext, sizeof plaintext);
+		    /*
+		     * If ( j=0 )
+		     *      PT[j] = AES(Key[i], IV[i], CT[j])
+		     *      CT[j+1] = IV[i] (= PT[j-1])
+		     * Else
+		     *      PT[j] = AES(Key[i], CT[j])
+		     *      CT[j+1] = PT[j-1]
+		     */
+		    outputlen = 0;
+		    rv = AES_Decrypt(cx,
+			plaintext, &outputlen, sizeof plaintext,
+			ciphertext, sizeof ciphertext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof ciphertext) {
+			goto loser;
+		    }
+
+		    /* doublecheck our result */
+		    outputlen = 0;
+		    rv = AES_Encrypt(cx2,
+			doublecheck, &outputlen, sizeof doublecheck,
+			plaintext, sizeof plaintext);
+		    if (rv != SECSuccess) {
+			goto loser;
+		    }
+		    if (outputlen != sizeof plaintext) {
+			goto loser;
+		    }
+		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
+			goto loser;
+		    }
+
+		    memcpy(ciphertext, plaintext_1, sizeof ciphertext);
+		}
+		AES_DestroyContext(cx, PR_TRUE);
+		cx = NULL;
+		AES_DestroyContext(cx2, PR_TRUE);
+		cx2 = NULL;
+
+		/* Output PT[j] */
+		fputs("PLAINTEXT = ", aesresp);
+		to_hex_str(buf, plaintext, sizeof plaintext);
+		fputs(buf, aesresp);
+		fputc('\n', aesresp);
+
+		/* Key[i+1] = Key[i] xor ... */
+		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
+		/* IV[i+1] = PT[j] */
+		memcpy(iv, plaintext, sizeof iv);
+		/* CT[0] = PT[j-1] */
+		/* done at the end of the for(j) loop */
+
+		fputc('\n', aesresp);
+	    }
+
+	    continue;
+	}
+    }
+loser:
+    if (cx != NULL) {
+	AES_DestroyContext(cx, PR_TRUE);
+    }
+    if (cx2 != NULL) {
+	AES_DestroyContext(cx2, PR_TRUE);
+    }
+    fclose(aesreq);
+}
+
+void write_compact_string(FILE *out, unsigned char *hash, unsigned int len)
+{
+    unsigned int i;
+    int j, count = 0, last = -1, z = 0;
+    long start = ftell(out);
+    for (i=0; i<len; i++) {
+	for (j=7; j>=0; j--) {
+	    if (last < 0) {
+		last = (hash[i] & (1 << j)) ? 1 : 0;
+		fprintf(out, "%d ", last);
+		count = 1;
+	    } else if (hash[i] & (1 << j)) {
+		if (last) {
+		    count++; 
+		} else { 
+		    last = 0;
+		    fprintf(out, "%d ", count);
+		    count = 1;
+		    z++;
+		}
+	    } else {
+		if (!last) {
+		    count++; 
+		} else { 
+		    last = 1;
+		    fprintf(out, "%d ", count);
+		    count = 1;
+		    z++;
+		}
+	    }
+	}
+    }
+    fprintf(out, "^\n");
+    fseek(out, start, SEEK_SET);
+    fprintf(out, "%d ", z);
+    fseek(out, 0, SEEK_END);
+}
+
+int get_next_line(FILE *req, char *key, char *val, FILE *rsp)
+{
+    int ignore = 0;
+    char *writeto = key;
+    int w = 0;
+    int c;
+    while ((c = fgetc(req)) != EOF) {
+	if (ignore) {
+	    fprintf(rsp, "%c", c);
+	    if (c == '\n') return ignore;
+	} else if (c == '\n') {
+	    break;
+	} else if (c == '#') {
+	    ignore = 1;
+	    fprintf(rsp, "%c", c);
+	} else if (c == '=') {
+	    writeto[w] = '\0';
+	    w = 0;
+	    writeto = val;
+	} else if (c == ' ' || c == '[' || c == ']') {
+	    continue;
+	} else {
+	    writeto[w++] = c;
+	}
+    }
+    writeto[w] = '\0';
+    return (c == EOF) ? -1 : ignore;
+}
+
+#ifdef NSS_ENABLE_ECC
+typedef struct curveNameTagPairStr {
+    char *curveName;
+    SECOidTag curveOidTag;
+} CurveNameTagPair;
+
+#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
+/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
+
+static CurveNameTagPair nameTagPair[] =
+{ 
+  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
+  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
+  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
+  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
+  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
+  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
+  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
+  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
+  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
+  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
+  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
+  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
+  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
+  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
+  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
+  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
+  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
+  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
+  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
+  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
+  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
+  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
+  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
+  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
+  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
+  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
+  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
+  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
+  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
+  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
+  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
+  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
+  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
+  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
+  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
+  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
+  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
+  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
+  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
+  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
+
+  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
+  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
+  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
+  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
+  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
+  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
+
+  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
+  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
+  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
+  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
+  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
+  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
+  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
+  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
+  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
+  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
+  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
+  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
+  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
+  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
+  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
+  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
+  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
+  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
+  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
+  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
+
+  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
+  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
+  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
+  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
+
+  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
+  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
+  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
+  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
+};
+
+static SECKEYECParams * 
+getECParams(const char *curve)
+{
+    SECKEYECParams *ecparams;
+    SECOidData *oidData = NULL;
+    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
+    int i, numCurves;
+
+    if (curve != NULL) {
+        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
+	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
+	     i++) {
+	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
+	        curveOidTag = nameTagPair[i].curveOidTag;
+	}
+    }
+
+    /* Return NULL if curve name is not recognized */
+    if ((curveOidTag == SEC_OID_UNKNOWN) || 
+	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
+        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
+	return NULL;
+    }
+
+    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
+
+    /* 
+     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in 
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
+    ecparams->data[1] = oidData->oid.len;
+    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return ecparams;
+}
+
+/*
+ * Perform the ECDSA Key Pair Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_keypair_test(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams;
+    int N;
+    int i;
+    unsigned int len;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* N = x */
+	if (buf[0] == 'N') {
+	    if (sscanf(buf, "N = %d", &N) != 1) {
+		goto loser;
+	    }
+	    for (i = 0; i < N; i++) {
+		ECPrivateKey *ecpriv;
+
+		if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
+		    goto loser;
+		}
+		fputs("d = ", ecdsaresp);
+		to_hex_str(buf, ecpriv->privateValue.data,
+			   ecpriv->privateValue.len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
+		    != SECSuccess) {
+		    goto loser;
+		}
+		len = ecpriv->publicValue.len;
+		if (len%2 == 0) {
+		    goto loser;
+		}
+		len = (len-1)/2;
+		if (ecpriv->publicValue.data[0]
+		    != EC_POINT_FORM_UNCOMPRESSED) {
+		    goto loser;
+		}
+		fputs("Qx = ", ecdsaresp);
+		to_hex_str(buf, &ecpriv->publicValue.data[1], len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		fputs("Qy = ", ecdsaresp);
+		to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
+		fputs(buf, ecdsaresp);
+		fputc('\n', ecdsaresp);
+		fputc('\n', ecdsaresp);
+		PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+	    }
+	    PORT_FreeArena(ecparams->arena, PR_FALSE);
+	    continue;
+	}
+    }
+loser:
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Public Key Validation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_pkv_test(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams = NULL;
+    SECItem pubkey;
+    unsigned int i;
+    unsigned int len;
+    PRBool keyvalid = PR_TRUE;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    if (ecparams != NULL) {
+		PORT_FreeArena(ecparams->arena, PR_FALSE);
+		ecparams = NULL;
+	    }
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    len = (ecparams->fieldID.size + 7) >> 3;
+	    if (pubkey.data != NULL) {
+		PORT_Free(pubkey.data);
+		pubkey.data = NULL;
+	    }
+	    SECITEM_AllocItem(NULL, &pubkey, 2*len+1);
+	    if (pubkey.data == NULL) {
+		goto loser;
+	    }
+	    pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Qx = ... */
+	if (strncmp(buf, "Qx", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]);
+	    continue;
+	}
+	/* Qy = ... */
+	if (strncmp(buf, "Qy", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    if (!keyvalid) {
+		fputs("Result = F\n", ecdsaresp);
+		continue;
+	    }
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]);
+	    if (!keyvalid) {
+		fputs("Result = F\n", ecdsaresp);
+		continue;
+	    }
+	    if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) {
+		fputs("Result = P\n", ecdsaresp);
+	    } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
+		fputs("Result = F\n", ecdsaresp);
+	    } else {
+		goto loser;
+	    }
+	    continue;
+	}
+    }
+loser:
+    if (ecparams != NULL) {
+	PORT_FreeArena(ecparams->arena, PR_FALSE);
+    }
+    if (pubkey.data != NULL) {
+	PORT_Free(pubkey.data);
+    }
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Signature Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_siggen_test(char *reqfn)
+{
+    char buf[1024];     /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * needs to be large enough to hold the longest
+                         * line "Msg = <256 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECParams *ecparams = NULL;
+    int i, j;
+    unsigned int len;
+    unsigned char msg[512];  /* message to be signed (<= 128 bytes) */
+    unsigned int msglen;
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[2*MAX_ECKEY_LEN];
+    SECItem signature, digest;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    if (ecparams != NULL) {
+		PORT_FreeArena(ecparams->arena, PR_FALSE);
+		ecparams = NULL;
+	    }
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Msg = ... */
+	if (strncmp(buf, "Msg", 3) == 0) {
+	    ECPrivateKey *ecpriv;
+
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &msg[j]);
+	    }
+	    msglen = j;
+	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
+		goto loser;
+	    }
+	    fputs(buf, ecdsaresp);
+
+	    if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
+		goto loser;
+	    }
+	    if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
+		!= SECSuccess) {
+		goto loser;
+	    }
+	    len = ecpriv->publicValue.len;
+	    if (len%2 == 0) {
+		goto loser;
+	    }
+	    len = (len-1)/2;
+	    if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+		goto loser;
+	    }
+	    fputs("Qx = ", ecdsaresp);
+	    to_hex_str(buf, &ecpriv->publicValue.data[1], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+	    fputs("Qy = ", ecdsaresp);
+	    to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+
+	    digest.type = siBuffer;
+	    digest.data = sha1;
+	    digest.len = sizeof sha1;
+	    signature.type = siBuffer;
+	    signature.data = sig;
+	    signature.len = sizeof sig;
+	    if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) {
+		goto loser;
+	    }
+	    len = signature.len;
+	    if (len%2 != 0) {
+		goto loser;
+	    }
+	    len = len/2;
+	    fputs("R = ", ecdsaresp);
+	    to_hex_str(buf, &signature.data[0], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+	    fputs("S = ", ecdsaresp);
+	    to_hex_str(buf, &signature.data[len], len);
+	    fputs(buf, ecdsaresp);
+	    fputc('\n', ecdsaresp);
+
+	    PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+	    continue;
+	}
+    }
+loser:
+    if (ecparams != NULL) {
+	PORT_FreeArena(ecparams->arena, PR_FALSE);
+    }
+    fclose(ecdsareq);
+}
+
+/*
+ * Perform the ECDSA Signature Verification Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdsa_sigver_test(char *reqfn)
+{
+    char buf[1024];     /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Msg = <256 hex digits>\n".
+                         */
+    FILE *ecdsareq;     /* input stream from the REQUEST file */
+    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
+    char curve[16];     /* "nistxddd" */
+    ECPublicKey ecpub;
+    unsigned int i, j;
+    unsigned int flen;  /* length in bytes of the field size */
+    unsigned int olen;  /* length in bytes of the base point order */
+    unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
+    unsigned int msglen;
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[2*MAX_ECKEY_LEN];
+    SECItem signature, digest;
+    PRBool keyvalid = PR_TRUE;
+    PRBool sigvalid = PR_TRUE;
+
+    ecdsareq = fopen(reqfn, "r");
+    ecdsaresp = stdout;
+    ecpub.ecParams.arena = NULL;
+    strcpy(curve, "nist");
+    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* [X-ddd] */
+	if (buf[0] == '[') {
+	    const char *src;
+	    char *dst;
+	    SECKEYECParams *encodedparams;
+	    ECParams *ecparams;
+
+	    src = &buf[1];
+	    dst = &curve[4];
+	    *dst++ = tolower(*src);
+	    src += 2;  /* skip the hyphen */
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst++ = *src++;
+	    *dst = '\0';
+	    encodedparams = getECParams(curve);
+	    if (encodedparams == NULL) {
+		goto loser;
+	    }
+	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
+		goto loser;
+	    }
+	    SECITEM_FreeItem(encodedparams, PR_TRUE);
+	    if (ecpub.ecParams.arena != NULL) {
+		PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
+	    }
+	    ecpub.ecParams.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	    if (ecpub.ecParams.arena == NULL) {
+		goto loser;
+	    }
+	    if (EC_CopyParams(ecpub.ecParams.arena, &ecpub.ecParams, ecparams)
+		!= SECSuccess) {
+		goto loser;
+	    }
+	    PORT_FreeArena(ecparams->arena, PR_FALSE);
+	    flen = (ecpub.ecParams.fieldID.size + 7) >> 3;
+	    olen = ecpub.ecParams.order.len;
+	    if (2*olen > sizeof sig) {
+		goto loser;
+	    }
+	    ecpub.publicValue.type = siBuffer;
+	    ecpub.publicValue.data = NULL;
+	    ecpub.publicValue.len = 0;
+	    SECITEM_AllocItem(ecpub.ecParams.arena,
+			      &ecpub.publicValue, 2*flen+1);
+	    if (ecpub.publicValue.data == NULL) {
+		goto loser;
+	    }
+	    ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+	    fputs(buf, ecdsaresp);
+	    continue;
+	}
+	/* Msg = ... */
+	if (strncmp(buf, "Msg", 3) == 0) {
+	    i = 3;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
+		hex_to_byteval(&buf[i], &msg[j]);
+	    }
+	    msglen = j;
+	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
+		goto loser;
+	    }
+	    fputs(buf, ecdsaresp);
+
+	    digest.type = siBuffer;
+	    digest.data = sha1;
+	    digest.len = sizeof sha1;
+
+	    continue;
+	}
+	/* Qx = ... */
+	if (strncmp(buf, "Qx", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen,
+				    &buf[i]);
+	    continue;
+	}
+	/* Qy = ... */
+	if (strncmp(buf, "Qy", 2) == 0) {
+	    fputs(buf, ecdsaresp);
+	    if (!keyvalid) {
+		continue;
+	    }
+	    i = 2;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen,
+				    &buf[i]);
+	    if (!keyvalid) {
+		continue;
+	    }
+	    if (EC_ValidatePublicKey(&ecpub.ecParams, &ecpub.publicValue)
+		!= SECSuccess) {
+		if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
+		    keyvalid = PR_FALSE;
+		} else {
+		    goto loser;
+		}
+	    }
+	    continue;
+	}
+	/* R = ... */
+	if (buf[0] == 'R') {
+	    fputs(buf, ecdsaresp);
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    sigvalid = from_hex_str(sig, olen, &buf[i]);
+	    continue;
+	}
+	/* S = ... */
+	if (buf[0] == 'S') {
+	    fputs(buf, ecdsaresp);
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    if (sigvalid) {
+		sigvalid = from_hex_str(&sig[olen], olen, &buf[i]);
+	    }
+	    signature.type = siBuffer;
+	    signature.data = sig;
+	    signature.len = 2*olen;
+
+	    if (!keyvalid || !sigvalid) {
+		fputs("Result = F\n", ecdsaresp);
+	    } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest)
+		== SECSuccess) {
+		fputs("Result = P\n", ecdsaresp);
+	    } else {
+		fputs("Result = F\n", ecdsaresp);
+	    }
+	    continue;
+	}
+    }
+loser:
+    if (ecpub.ecParams.arena != NULL) {
+	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
+    }
+    fclose(ecdsareq);
+}
+#endif /* NSS_ENABLE_ECC */
+
+/*
+ * Perform the RNG Variable Seed Test (VST) for the RNG algorithm
+ * "DSA - Generation of X", used both as specified and as a generic
+ * purpose RNG.  The presence of "Q = ..." in the REQUEST file
+ * indicates we are using the algorithm as specified.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+rng_vst(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "XSeed = <128 hex digits>\n".
+                         */
+    FILE *rngreq;       /* input stream from the REQUEST file */
+    FILE *rngresp;      /* output stream to the RESPONSE file */
+    unsigned int i, j;
+    unsigned char Q[DSA_SUBPRIME_LEN];
+    PRBool hasQ = PR_FALSE;
+    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
+    unsigned char XKey[512/8];
+    unsigned char XSeed[512/8];
+    unsigned char GENX[2*SHA1_LENGTH];
+    unsigned char DSAX[DSA_SUBPRIME_LEN];
+    SECStatus rv;
+
+    rngreq = fopen(reqfn, "r");
+    rngresp = stdout;
+    while (fgets(buf, sizeof buf, rngreq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* [Xchange - SHA1] */
+	if (buf[0] == '[') {
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* Q = ... */
+	if (buf[0] == 'Q') {
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof Q; i+=2,j++) {
+		hex_to_byteval(&buf[i], &Q[j]);
+	    }
+	    fputs(buf, rngresp);
+	    hasQ = PR_TRUE;
+	    continue;
+	}
+	/* "COUNT = x" begins a new data set */
+	if (strncmp(buf, "COUNT", 5) == 0) {
+	    /* zeroize the variables for the test with this data set */
+	    b = 0;
+	    memset(XKey, 0, sizeof XKey);
+	    memset(XSeed, 0, sizeof XSeed);
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* b = ... */
+	if (buf[0] == 'b') {
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    b = atoi(&buf[i]);
+	    if (b < 160 || b > 512 || b%8 != 0) {
+		goto loser;
+	    }
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* XKey = ... */
+	if (strncmp(buf, "XKey", 4) == 0) {
+	    i = 4;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<b/8; i+=2,j++) {
+		hex_to_byteval(&buf[i], &XKey[j]);
+	    }
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* XSeed = ... */
+	if (strncmp(buf, "XSeed", 5) == 0) {
+	    i = 5;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<b/8; i+=2,j++) {
+		hex_to_byteval(&buf[i], &XSeed[j]);
+	    }
+	    fputs(buf, rngresp);
+
+	    rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	    fputs("X = ", rngresp);
+	    if (hasQ) {
+		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+		to_hex_str(buf, DSAX, sizeof DSAX);
+	    } else {
+		to_hex_str(buf, GENX, sizeof GENX);
+	    }
+	    fputs(buf, rngresp);
+	    fputc('\n', rngresp);
+	    continue;
+	}
+    }
+loser:
+    fclose(rngreq);
+}
+
+/*
+ * Perform the RNG Monte Carlo Test (MCT) for the RNG algorithm
+ * "DSA - Generation of X", used both as specified and as a generic
+ * purpose RNG.  The presence of "Q = ..." in the REQUEST file
+ * indicates we are using the algorithm as specified.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+rng_mct(char *reqfn)
+{
+    char buf[256];      /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "XSeed = <128 hex digits>\n".
+                         */
+    FILE *rngreq;       /* input stream from the REQUEST file */
+    FILE *rngresp;      /* output stream to the RESPONSE file */
+    unsigned int i, j;
+    unsigned char Q[DSA_SUBPRIME_LEN];
+    PRBool hasQ = PR_FALSE;
+    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
+    unsigned char XKey[512/8];
+    unsigned char XSeed[512/8];
+    unsigned char GENX[2*SHA1_LENGTH];
+    unsigned char DSAX[DSA_SUBPRIME_LEN];
+    SECStatus rv;
+
+    rngreq = fopen(reqfn, "r");
+    rngresp = stdout;
+    while (fgets(buf, sizeof buf, rngreq) != NULL) {
+	/* a comment or blank line */
+	if (buf[0] == '#' || buf[0] == '\n') {
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* [Xchange - SHA1] */
+	if (buf[0] == '[') {
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* Q = ... */
+	if (buf[0] == 'Q') {
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<sizeof Q; i+=2,j++) {
+		hex_to_byteval(&buf[i], &Q[j]);
+	    }
+	    fputs(buf, rngresp);
+	    hasQ = PR_TRUE;
+	    continue;
+	}
+	/* "COUNT = x" begins a new data set */
+	if (strncmp(buf, "COUNT", 5) == 0) {
+	    /* zeroize the variables for the test with this data set */
+	    b = 0;
+	    memset(XKey, 0, sizeof XKey);
+	    memset(XSeed, 0, sizeof XSeed);
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* b = ... */
+	if (buf[0] == 'b') {
+	    i = 1;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    b = atoi(&buf[i]);
+	    if (b < 160 || b > 512 || b%8 != 0) {
+		goto loser;
+	    }
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* XKey = ... */
+	if (strncmp(buf, "XKey", 4) == 0) {
+	    i = 4;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<b/8; i+=2,j++) {
+		hex_to_byteval(&buf[i], &XKey[j]);
+	    }
+	    fputs(buf, rngresp);
+	    continue;
+	}
+	/* XSeed = ... */
+	if (strncmp(buf, "XSeed", 5) == 0) {
+	    unsigned int k;
+	    i = 5;
+	    while (isspace(buf[i]) || buf[i] == '=') {
+		i++;
+	    }
+	    for (j=0; j<b/8; i+=2,j++) {
+		hex_to_byteval(&buf[i], &XSeed[j]);
+	    }
+	    fputs(buf, rngresp);
+
+	    for (k = 0; k < 10000; k++) {
+		rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+	    }
+	    fputs("X = ", rngresp);
+	    if (hasQ) {
+		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+		to_hex_str(buf, DSAX, sizeof DSAX);
+	    } else {
+		to_hex_str(buf, GENX, sizeof GENX);
+	    }
+	    fputs(buf, rngresp);
+	    fputc('\n', rngresp);
+	    continue;
+	}
+    }
+loser:
+    fclose(rngreq);
+}
+
+/*
+ * Calculate the SHA Message Digest 
+ *
+ * MD = Message digest 
+ * MDLen = length of Message Digest and SHA_Type
+ * msg = message to digest 
+ * msgLen = length of message to digest
+ */
+SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) 
+{    
+    SECStatus   sha_status = SECFailure;
+
+    if (MDLen == SHA1_LENGTH) {
+        sha_status = SHA1_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA256_LENGTH) {
+        sha_status = SHA256_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA384_LENGTH) {
+        sha_status = SHA384_HashBuf(MD, msg, msgLen);
+    } else if (MDLen == SHA512_LENGTH) {
+        sha_status = SHA512_HashBuf(MD, msg, msgLen);
+    }
+
+    return sha_status;
+}
+
+/*
+ * Perform the SHA Monte Carlo Test
+ *
+ * MDLen = length of Message Digest and SHA_Type
+ * seed = input seed value
+ * resp = is the output response file. 
+ */
+SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) 
+{
+    int i, j;
+    unsigned int msgLen = MDLen*3;
+    unsigned char MD_i3[HASH_LENGTH_MAX];  /* MD[i-3] */
+    unsigned char MD_i2[HASH_LENGTH_MAX];  /* MD[i-2] */
+    unsigned char MD_i1[HASH_LENGTH_MAX];  /* MD[i-1] */
+    unsigned char MD_i[HASH_LENGTH_MAX];   /* MD[i] */
+    unsigned char msg[HASH_LENGTH_MAX*3];
+    char buf[HASH_LENGTH_MAX*2 + 1];  /* MAX buf MD_i as a hex string */
+
+    for (j=0; j<100; j++) {
+        /* MD_0 = MD_1 = MD_2 = seed */
+        memcpy(MD_i3, seed, MDLen);
+        memcpy(MD_i2, seed, MDLen);
+        memcpy(MD_i1, seed, MDLen);
+
+        for (i=3; i < 1003; i++) {
+            /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */
+            memcpy(msg, MD_i3, MDLen);
+            memcpy(&msg[MDLen], MD_i2, MDLen);
+            memcpy(&msg[MDLen*2], MD_i1,MDLen); 
+
+            /* MDi = SHA(Msg) */
+            if (sha_calcMD(MD_i, MDLen,   
+                           msg, msgLen) != SECSuccess) {
+                return SECFailure;
+            }
+
+            /* save MD[i-3] MD[i-2]  MD[i-1] */
+            memcpy(MD_i3, MD_i2, MDLen);
+            memcpy(MD_i2, MD_i1, MDLen);
+            memcpy(MD_i1, MD_i, MDLen);
+
+        }
+
+        /* seed = MD_i */
+        memcpy(seed, MD_i, MDLen);
+
+        sprintf(buf, "COUNT = %d\n", j);
+        fputs(buf, resp);
+
+        /* output MD_i */
+        fputs("MD = ", resp);
+        to_hex_str(buf, MD_i, MDLen);
+        fputs(buf, resp);
+        fputc('\n', resp);
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Perform the SHA Tests.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void sha_test(char *reqfn) 
+{
+    unsigned int i, j;
+    unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
+    unsigned int msgLen;  /* the length of the input Message in Bytes */
+    unsigned char *msg = NULL; /* holds the message to digest.*/
+    size_t bufSize = 25608; /*MAX buffer size */
+    char *buf = NULL;      /* holds one line from the input REQUEST file.*/
+    unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
+    unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
+
+    FILE *req = NULL;  /* input stream from the REQUEST file */
+    FILE *resp;        /* output stream to the RESPONSE file */
+
+    buf = PORT_ZAlloc(bufSize);
+    if (buf == NULL) {
+        goto loser;
+    }      
+
+    /* zeroize the variables for the test with this data set */
+    memset(seed, 0, sizeof seed);
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, bufSize, req) != NULL) {
+
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [L = Length of the Message Digest and sha_type */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "L ", 1) == 0) {
+                i = 2;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                MDlen = atoi(&buf[i]);
+                fputs(buf, resp);
+                continue;
+            }
+        }
+        /* Len = Length of the Input Message Length  ... */
+        if (strncmp(buf, "Len", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            if (msg) {
+                PORT_ZFree(msg,msgLen);
+                msg = NULL;
+            }
+            msgLen = atoi(&buf[i]); /* in bits */
+            if (msgLen%8 != 0) {
+                fprintf(stderr, "SHA tests are incorrectly configured for "
+                    "BIT oriented implementations\n");
+                goto loser;
+            }
+            msgLen = msgLen/8; /* convert to bytes */
+            fputs(buf, resp);
+            msg = PORT_ZAlloc(msgLen);
+            if (msg == NULL && msgLen != 0) {
+                goto loser;
+            } 
+            continue;
+        }
+        /* MSG = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< msgLen; i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+           fputs(buf, resp);
+           /* calculate the Message Digest */ 
+           memset(MD, 0, sizeof MD);
+           if (sha_calcMD(MD, MDlen,   
+                          msg, msgLen) != SECSuccess) {
+               goto loser;
+           }
+
+           fputs("MD = ", resp);
+           to_hex_str(buf, MD, MDlen);
+           fputs(buf, resp);
+           fputc('\n', resp);
+
+           continue;
+        }
+        /* Seed = ... */
+        if (strncmp(buf, "Seed", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j<sizeof seed; i+=2,j++) {
+                hex_to_byteval(&buf[i], &seed[j]);
+            }                                     
+
+            fputs(buf, resp);
+            fputc('\n', resp);
+
+            /* do the Monte Carlo test */
+            if (sha_mct_test(MDlen, seed, resp) != SECSuccess) {
+                goto loser; 
+            }
+
+            continue;
+        }
+    }
+loser:
+    if (req) {
+        fclose(req);
+    }  
+    if (buf) {
+        PORT_ZFree(buf, bufSize);
+    }
+    if (msg) {
+        PORT_ZFree(msg, msgLen);
+    }
+}
+
+/****************************************************/
+/* HMAC SHA-X calc                                  */
+/* hmac_computed - the computed HMAC                */
+/* hmac_length - the length of the computed HMAC    */
+/* secret_key - secret key to HMAC                  */
+/* secret_key_length - length of secret key,        */
+/* message - message to HMAC                        */
+/* message_length - length ofthe message            */
+/****************************************************/
+static SECStatus
+hmac_calc(unsigned char *hmac_computed,
+          const unsigned int hmac_length,
+          const unsigned char *secret_key,
+          const unsigned int secret_key_length,
+          const unsigned char *message,
+          const unsigned int message_length,
+          const HASH_HashType hashAlg )
+{
+    SECStatus hmac_status = SECFailure;
+    HMACContext *cx = NULL;
+    SECHashObject *hashObj = NULL;
+    unsigned int bytes_hashed = 0;
+
+    hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
+ 
+    if (!hashObj) 
+        return( SECFailure );
+
+    cx = HMAC_Create(hashObj, secret_key, 
+                     secret_key_length, 
+                     PR_TRUE);  /* PR_TRUE for in FIPS mode */
+
+    if (cx == NULL) 
+        return( SECFailure );
+
+    HMAC_Begin(cx);
+    HMAC_Update(cx, message, message_length);
+    hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
+                              hmac_length);
+
+    HMAC_Destroy(cx, PR_TRUE);
+
+    return( hmac_status );
+}
+
+/*
+ * Perform the HMAC Tests.
+ *
+ * reqfn is the pathname of the input REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void hmac_test(char *reqfn) 
+{
+    unsigned int i, j;
+    size_t bufSize =      288;    /* MAX buffer size */
+    char *buf = NULL;  /* holds one line from the input REQUEST file.*/
+    unsigned int keyLen;          /* Key Length */  
+    unsigned char key[140];       /* key MAX size = 140 */
+    unsigned int msgLen = 128;    /* the length of the input  */
+                                  /*  Message is always 128 Bytes */
+    unsigned char *msg = NULL;    /* holds the message to digest.*/
+    unsigned int HMACLen;         /* the length of the HMAC Bytes  */
+    unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
+    HASH_HashType hash_alg;       /* HMAC type */
+
+    FILE *req = NULL;  /* input stream from the REQUEST file */
+    FILE *resp;        /* output stream to the RESPONSE file */
+
+    buf = PORT_ZAlloc(bufSize);
+    if (buf == NULL) {
+        goto loser;
+    }      
+    msg = PORT_ZAlloc(msgLen);
+    memset(msg, 0, msgLen);
+    if (msg == NULL) {
+        goto loser;
+    } 
+
+    req = fopen(reqfn, "r");
+    resp = stdout;
+    while (fgets(buf, bufSize, req) != NULL) {
+
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, resp);
+            continue;
+        }
+        /* [L = Length of the MAC and HASH_type */
+        if (buf[0] == '[') {
+            if (strncmp(&buf[1], "L ", 1) == 0) {
+                i = 2;
+                while (isspace(buf[i]) || buf[i] == '=') {
+                    i++;
+                }
+                /* HMACLen will get reused for Tlen */
+                HMACLen = atoi(&buf[i]);
+                /* set the HASH algorithm for HMAC */
+                if (HMACLen == SHA1_LENGTH) {
+                    hash_alg = HASH_AlgSHA1;
+                } else if (HMACLen == SHA256_LENGTH) {
+                    hash_alg = HASH_AlgSHA256;
+                } else if (HMACLen == SHA384_LENGTH) {
+                    hash_alg = HASH_AlgSHA384;
+                } else if (HMACLen == SHA512_LENGTH) {
+                    hash_alg = HASH_AlgSHA512;
+                } else {
+                    goto loser;
+                }
+                fputs(buf, resp);
+                continue;
+            }
+        }
+        /* Count = test iteration number*/
+        if (strncmp(buf, "Count ", 5) == 0) {    
+            /* count can just be put into resp file */
+            fputs(buf, resp);
+            /* zeroize the variables for the test with this data set */
+            keyLen = 0; 
+            HMACLen = 0;
+            memset(key, 0, sizeof key);     
+            memset(msg, 0, sizeof msg);  
+            memset(HMAC, 0, sizeof HMAC);
+            continue;
+        }
+        /* KLen = Length of the Input Secret Key ... */
+        if (strncmp(buf, "Klen", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            keyLen = atoi(&buf[i]); /* in bytes */
+            fputs(buf, resp);
+            continue;
+        }
+        /* key = the secret key for the key to MAC */
+        if (strncmp(buf, "Key", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< keyLen; i+=2,j++) {
+                hex_to_byteval(&buf[i], &key[j]);
+            }
+           fputs(buf, resp);
+        }
+        /* TLen = Length of the calculated HMAC */
+        if (strncmp(buf, "Tlen", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            HMACLen = atoi(&buf[i]); /* in bytes */
+            fputs(buf, resp);
+            continue;
+        }
+        /* MSG = to HMAC always 128 bytes for these tests */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< msgLen; i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+           fputs(buf, resp);
+           /* calculate the HMAC and output */ 
+           if (hmac_calc(HMAC, HMACLen, key, keyLen,   
+                         msg, msgLen, hash_alg) != SECSuccess) {
+               goto loser;
+           }
+           fputs("MAC = ", resp);
+           to_hex_str(buf, HMAC, HMACLen);
+           fputs(buf, resp);
+           fputc('\n', resp);
+           continue;
+        }
+    }
+loser:
+    if (req) {
+        fclose(req);
+    }
+    if (buf) {
+        PORT_ZFree(buf, bufSize);
+    }
+    if (msg) {
+        PORT_ZFree(msg, msgLen);
+    }
+}
+
+/*
+ * Perform the DSA Key Pair Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dsa_keypair_test(char *reqfn)
+{
+    char buf[260];       /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * 257 to hold (128 public key (x2 for HEX) + 1'\n'
+                         */
+    FILE *dsareq;     /* input stream from the REQUEST file */
+    FILE *dsaresp;    /* output stream to the RESPONSE file */
+    int N;            /* number of time to generate key pair */
+    int modulus;
+    int i;
+    PQGParams *pqg = NULL;
+    PQGVerify *vfy = NULL;
+    int keySizeIndex;   /* index for valid key sizes */
+
+    dsareq = fopen(reqfn, "r");
+    dsaresp = stdout;
+    while (fgets(buf, sizeof buf, dsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* [Mod = x] */
+        if (buf[0] == '[') {
+            if(pqg!=NULL) {
+                PQG_DestroyParams(pqg);
+                pqg = NULL;
+            }
+            if(vfy!=NULL) {
+                PQG_DestroyVerify(vfy);
+                vfy = NULL;
+            }
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+            fputs(buf, dsaresp);
+            fputc('\n', dsaresp);
+
+            /*****************************************************************
+             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
+             * that points to a valid key size.
+             */
+            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
+            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
+               fprintf(dsaresp,
+                    "DSA key size must be a multiple of 64 between 512 "
+                    "and 1024, inclusive");
+                goto loser;
+            }
+
+            /* Generate the parameters P, Q, and G */
+            if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
+                &pqg, &vfy) != SECSuccess) {
+                fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
+                goto loser;
+            }
+
+            /* output P, Q, and G */
+            to_hex_str(buf, pqg->prime.data, pqg->prime.len);
+            fprintf(dsaresp, "P = %s\n", buf);
+            to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
+            fprintf(dsaresp, "Q = %s\n", buf);
+            to_hex_str(buf, pqg->base.data, pqg->base.len);
+            fprintf(dsaresp, "G = %s\n\n", buf);
+            continue;
+        }
+        /* N = ...*/
+        if (buf[0] == 'N') {
+
+            if (sscanf(buf, "N = %d", &N) != 1) {
+                goto loser;
+            }
+            /* Generate a DSA key, and output the key pair for N times */
+            for (i = 0; i < N; i++) {
+                DSAPrivateKey *dsakey = NULL;
+                if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
+                    fprintf(dsaresp, "ERROR: Unable to generate DSA key");
+                    goto loser;
+                }
+                to_hex_str(buf, dsakey->privateValue.data,
+                           dsakey->privateValue.len);
+                fprintf(dsaresp, "X = %s\n", buf);
+                to_hex_str(buf, dsakey->publicValue.data,
+                           dsakey->publicValue.len);
+                fprintf(dsaresp, "Y = %s\n\n", buf);
+                PORT_FreeArena(dsakey->params.arena, PR_TRUE);
+                dsakey = NULL;
+            }
+            continue;
+        }
+
+    }
+loser:
+    fclose(dsareq);
+}
+
+/*
+ * Perform the DSA Domain Parameter Validation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dsa_pqgver_test(char *reqfn)
+{
+    char buf[263];      /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * 260 to hold (128 public key (x2 for HEX) + P = ...
+                         */
+    FILE *dsareq;     /* input stream from the REQUEST file */
+    FILE *dsaresp;    /* output stream to the RESPONSE file */
+    int modulus; 
+    unsigned int i, j;
+    PQGParams pqg;
+    PQGVerify vfy;
+    unsigned int pghSize;        /* size for p, g, and h */
+
+    dsareq = fopen(reqfn, "r");
+    dsaresp = stdout;
+    memset(&pqg, 0, sizeof(pqg));
+    memset(&vfy, 0, sizeof(vfy));
+
+    while (fgets(buf, sizeof buf, dsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* [Mod = x] */
+        if (buf[0] == '[') {
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+
+            if (pqg.prime.data) { /* P */
+                SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+            }
+            if (pqg.subPrime.data) { /* Q */
+                SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+            }
+            if (pqg.base.data) {    /* G */
+                SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+            }
+            if (vfy.seed.data) {   /* seed */
+                SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
+            }
+            if (vfy.h.data) {     /* H */
+                SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
+            }
+
+            fputs(buf, dsaresp);
+
+            /*calculate the size of p, g, and h then allocate items  */
+            pghSize = modulus/8;
+            SECITEM_AllocItem(NULL, &pqg.prime, pghSize);
+            SECITEM_AllocItem(NULL, &pqg.base, pghSize);
+            SECITEM_AllocItem(NULL, &vfy.h, pghSize);
+            pqg.prime.len = pqg.base.len = vfy.h.len = pghSize;
+            /* seed and q are always 20 bytes */
+            SECITEM_AllocItem(NULL, &vfy.seed, 20);
+            SECITEM_AllocItem(NULL, &pqg.subPrime, 20);
+            vfy.seed.len = pqg.subPrime.len = 20;
+            vfy.counter = 0;
+
+            continue;
+        }
+        /* P = ... */
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< pqg.prime.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< pqg.subPrime.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< pqg.base.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pqg.base.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* Seed = ... */
+        if (strncmp(buf, "Seed", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< vfy.seed.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &vfy.seed.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* c = ... */
+        if (buf[0] == 'c') {
+
+            if (sscanf(buf, "c = %u", &vfy.counter) != 1) {
+                goto loser;
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* H = ... */
+        if (buf[0] == 'H') {
+            SECStatus rv, result = SECFailure;
+
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< vfy.h.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &vfy.h.data[j]);
+            }
+            fputs(buf, dsaresp);
+
+            /* Verify the Parameters */
+            rv = PQG_VerifyParams(&pqg, &vfy, &result);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+            if (result == SECSuccess) {
+                fprintf(dsaresp, "Result = P\n");
+            } else {
+                fprintf(dsaresp, "Result = F\n");
+            }
+            continue;
+        }
+    }
+loser:
+    fclose(dsareq);
+    if (pqg.prime.data) { /* P */
+        SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+    }
+    if (pqg.subPrime.data) { /* Q */
+        SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+    }
+    if (pqg.base.data) {    /* G */
+        SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+    }
+    if (vfy.seed.data) {   /* seed */
+        SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
+    }
+    if (vfy.h.data) {     /* H */
+        SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
+    }
+
+}
+
+/*
+ * Perform the DSA Public Key Validation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dsa_pqggen_test(char *reqfn)
+{
+    char buf[263];      /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * 263 to hold seed = (128 public key (x2 for HEX)
+                         */
+    FILE *dsareq;     /* input stream from the REQUEST file */
+    FILE *dsaresp;    /* output stream to the RESPONSE file */
+    int N;            /* number of times to generate parameters */
+    int modulus; 
+    int i;
+    unsigned int j;
+    PQGParams *pqg = NULL;
+    PQGVerify *vfy = NULL;
+    unsigned int keySizeIndex;
+
+    dsareq = fopen(reqfn, "r");
+    dsaresp = stdout;
+    while (fgets(buf, sizeof buf, dsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* [Mod = ... ] */
+        if (buf[0] == '[') {
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+
+            fputs(buf, dsaresp);
+            fputc('\n', dsaresp);
+
+            /****************************************************************
+             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
+             * that points to a valid key size.
+             */
+            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
+            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
+               fprintf(dsaresp,
+                    "DSA key size must be a multiple of 64 between 512 "
+                    "and 1024, inclusive");
+                goto loser;
+            }
+
+            continue;
+        }
+        /* N = ... */
+        if (buf[0] == 'N') {
+
+            if (sscanf(buf, "N = %d", &N) != 1) {
+                goto loser;
+            }
+            for (i = 0; i < N; i++) {
+                if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
+                    &pqg, &vfy) != SECSuccess) {
+                    fprintf(dsaresp,
+                            "ERROR: Unable to generate PQG parameters");
+                    goto loser;
+                }
+                to_hex_str(buf, pqg->prime.data, pqg->prime.len);
+                fprintf(dsaresp, "P = %s\n", buf);
+                to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
+                fprintf(dsaresp, "Q = %s\n", buf);
+                to_hex_str(buf, pqg->base.data, pqg->base.len);
+                fprintf(dsaresp, "G = %s\n", buf);
+                to_hex_str(buf, vfy->seed.data, vfy->seed.len);
+                fprintf(dsaresp, "Seed = %s\n", buf);
+                fprintf(dsaresp, "c = %d\n", vfy->counter);
+                to_hex_str(buf, vfy->h.data, vfy->h.len);
+                fputs("H = ", dsaresp);
+                for (j=vfy->h.len; j<pqg->prime.len; j++) {
+                    fprintf(dsaresp, "00");
+                }
+                fprintf(dsaresp, "%s\n", buf);
+                fputc('\n', dsaresp);
+                if(pqg!=NULL) {
+                    PQG_DestroyParams(pqg);
+                    pqg = NULL;
+                }
+                if(vfy!=NULL) {
+                    PQG_DestroyVerify(vfy);
+                    vfy = NULL;
+                }
+            }
+
+            continue;
+        }
+
+    }
+loser:
+    fclose(dsareq);
+    if(pqg!=NULL) {
+        PQG_DestroyParams(pqg);
+    }
+    if(vfy!=NULL) {
+        PQG_DestroyVerify(vfy);
+    }
+}
+
+/*
+ * Perform the DSA Signature Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dsa_siggen_test(char *reqfn)
+{
+    char buf[263];       /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * max for Msg = ....
+                         */
+    FILE *dsareq;     /* input stream from the REQUEST file */
+    FILE *dsaresp;    /* output stream to the RESPONSE file */
+    int modulus;          
+    int i, j;
+    PQGParams *pqg = NULL;
+    PQGVerify *vfy = NULL;
+    DSAPrivateKey *dsakey = NULL;
+    int keySizeIndex;     /* index for valid key sizes */
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[DSA_SIGNATURE_LEN];
+    SECItem digest, signature;
+
+    dsareq = fopen(reqfn, "r");
+    dsaresp = stdout;
+
+    while (fgets(buf, sizeof buf, dsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* [Mod = x] */
+        if (buf[0] == '[') {
+            if(pqg!=NULL) {
+                PQG_DestroyParams(pqg);
+                pqg = NULL;
+            }
+            if(vfy!=NULL) {
+                PQG_DestroyVerify(vfy);
+                vfy = NULL;
+            }
+            if (dsakey != NULL) {
+                    PORT_FreeArena(dsakey->params.arena, PR_TRUE);
+                    dsakey = NULL;
+            }
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+            fputs(buf, dsaresp);
+            fputc('\n', dsaresp);
+
+            /****************************************************************
+            * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
+            * that points to a valid key size.
+            */
+            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
+            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
+                fprintf(dsaresp,
+                    "DSA key size must be a multiple of 64 between 512 "
+                    "and 1024, inclusive");
+                goto loser;
+            }
+
+            /* Generate PQG and output PQG */
+            if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
+                &pqg, &vfy) != SECSuccess) {
+                fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
+                goto loser;
+            }
+            to_hex_str(buf, pqg->prime.data, pqg->prime.len);
+            fprintf(dsaresp, "P = %s\n", buf);
+            to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
+            fprintf(dsaresp, "Q = %s\n", buf);
+            to_hex_str(buf, pqg->base.data, pqg->base.len);
+            fprintf(dsaresp, "G = %s\n", buf);
+
+            /* create DSA Key */
+            if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
+                fprintf(dsaresp, "ERROR: Unable to generate DSA key");
+                goto loser;
+            }
+            continue;
+        }
+
+        /* Msg = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            unsigned char msg[128]; /* MAX msg 128 */
+            unsigned int len = 0;
+
+            memset(sha1, 0, sizeof sha1);
+            memset(sig,  0, sizeof sig);
+
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+            if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
+                 fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
+                 goto loser;
+            }
+
+            digest.type = siBuffer;
+            digest.data = sha1;
+            digest.len = sizeof sha1;
+            signature.type = siBuffer;
+            signature.data = sig;
+            signature.len = sizeof sig;
+
+            if (DSA_SignDigest(dsakey, &signature, &digest) != SECSuccess) {
+                fprintf(dsaresp, "ERROR: Unable to generate DSA signature");
+                goto loser;
+            }
+            len = signature.len;
+            if (len%2 != 0) {
+                goto loser;
+            }
+            len = len/2;
+
+            /* output the orginal Msg, and generated Y, R, and S */
+            fputs(buf, dsaresp);
+            fputc('\n', dsaresp);
+            to_hex_str(buf, dsakey->publicValue.data,
+                       dsakey->publicValue.len);
+            fprintf(dsaresp, "Y = %s\n", buf);
+            to_hex_str(buf, &signature.data[0], len);
+            fprintf(dsaresp, "R = %s\n", buf);
+            to_hex_str(buf, &signature.data[len], len);
+            fprintf(dsaresp, "S = %s\n", buf);
+            continue;
+        }
+
+    }
+loser:
+    fclose(dsareq);
+    if(pqg != NULL) {
+        PQG_DestroyParams(pqg);
+        pqg = NULL;
+    }
+    if(vfy != NULL) {
+        PQG_DestroyVerify(vfy);
+        vfy = NULL;
+    }
+    if (dsaKey) {
+        PORT_FreeArena(dsakey->params.arena, PR_TRUE);
+        dsakey = NULL;
+    }
+}
+
+ /*
+ * Perform the DSA Signature Verification Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dsa_sigver_test(char *reqfn)
+{
+    char buf[263];       /* holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * max for Msg = ....
+                         */
+    FILE *dsareq;     /* input stream from the REQUEST file */
+    FILE *dsaresp;    /* output stream to the RESPONSE file */
+    int modulus;  
+    unsigned int i, j;
+    SECItem digest, signature;
+    DSAPublicKey pubkey;
+    unsigned int pgySize;        /* size for p, g, and y */
+    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[DSA_SIGNATURE_LEN];
+
+    dsareq = fopen(reqfn, "r");
+    dsaresp = stdout;
+    memset(&pubkey, 0, sizeof(pubkey));
+
+    while (fgets(buf, sizeof buf, dsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* [Mod = x] */
+        if (buf[0] == '[') {
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+
+            if (pubkey.params.prime.data) { /* P */
+                SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
+            }
+            if (pubkey.params.subPrime.data) { /* Q */
+                SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
+            }
+            if (pubkey.params.base.data) {    /* G */
+                SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
+            }
+            if (pubkey.publicValue.data) {    /* Y */
+                SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
+            }
+            fputs(buf, dsaresp);
+
+            /* calculate the size of p, g, and y then allocate items */
+            pgySize = modulus/8;
+            SECITEM_AllocItem(NULL, &pubkey.params.prime, pgySize);
+            SECITEM_AllocItem(NULL, &pubkey.params.base, pgySize);
+            SECITEM_AllocItem(NULL, &pubkey.publicValue, pgySize);
+            pubkey.params.prime.len = pubkey.params.base.len = pgySize;
+            pubkey.publicValue.len = pgySize;
+
+            /* q always 20 bytes */
+            SECITEM_AllocItem(NULL, &pubkey.params.subPrime, 20);
+            pubkey.params.subPrime.len = 20;
+
+            continue;
+        }
+        /* P = ... */
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            memset(pubkey.params.prime.data, 0, pubkey.params.prime.len);
+            for (j=0; j< pubkey.params.prime.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pubkey.params.prime.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            memset(pubkey.params.subPrime.data, 0, pubkey.params.subPrime.len);
+            for (j=0; j< pubkey.params.subPrime.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pubkey.params.subPrime.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            memset(pubkey.params.base.data, 0, pubkey.params.base.len);
+            for (j=0; j< pubkey.params.base.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pubkey.params.base.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* Msg = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            unsigned char msg[128]; /* MAX msg 128 */
+            memset(sha1, 0, sizeof sha1);
+
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]); i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+            if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
+                fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
+                goto loser;
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* Y = ... */
+        if (buf[0] == 'Y') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            memset(pubkey.publicValue.data, 0, pubkey.params.subPrime.len);
+            for (j=0; j< pubkey.publicValue.len; i+=2,j++) {
+                hex_to_byteval(&buf[i], &pubkey.publicValue.data[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* R = ... */
+        if (buf[0] == 'R') {
+            memset(sig,  0, sizeof sig);
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; j< DSA_SUBPRIME_LEN; i+=2,j++) {
+                hex_to_byteval(&buf[i], &sig[j]);
+            }
+
+            fputs(buf, dsaresp);
+            continue;
+        }
+
+        /* S = ... */
+        if (buf[0] == 'S') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=DSA_SUBPRIME_LEN; j< DSA_SIGNATURE_LEN; i+=2,j++) {
+                hex_to_byteval(&buf[i], &sig[j]);
+            }
+            fputs(buf, dsaresp);
+
+            digest.type = siBuffer;
+            digest.data = sha1;
+            digest.len = sizeof sha1;
+            signature.type = siBuffer;
+            signature.data = sig;
+            signature.len = sizeof sig;
+
+            if (DSA_VerifyDigest(&pubkey, &signature, &digest) == SECSuccess) {
+                fprintf(dsaresp, "Result = P\n");
+            } else {
+                fprintf(dsaresp, "Result = F\n");
+            }
+            continue;
+        }
+    }
+loser:
+    fclose(dsareq);
+    if (pubkey.params.prime.data) { /* P */
+        SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
+    }
+    if (pubkey.params.subPrime.data) { /* Q */
+        SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
+    }
+    if (pubkey.params.base.data) {    /* G */
+        SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
+    }
+    if (pubkey.publicValue.data) {    /* Y */
+        SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
+    }
+}
+
+/*
+ * Perform the RSA Signature Generation Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+rsa_siggen_test(char *reqfn)
+{
+    char buf[2*RSA_MAX_TEST_MODULUS_BYTES+1];
+                        /* buf holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * 2x for HEX output + 1 for \n
+                         */
+    FILE *rsareq;     /* input stream from the REQUEST file */
+    FILE *rsaresp;    /* output stream to the RESPONSE file */
+    int i, j;
+    unsigned char  sha[HASH_LENGTH_MAX];    /* SHA digest */
+    unsigned int   shaLength = 0;           /* length of SHA */
+    HASH_HashType  shaAlg = HASH_AlgNULL;   /* type of SHA Alg */
+    SECOidTag      shaOid = SEC_OID_UNKNOWN;
+    int modulus;                                /* the Modulus size */
+    int  publicExponent  = DEFAULT_RSA_PUBLIC_EXPONENT;
+    SECItem pe = {0, 0, 0 };
+    unsigned char pubEx[4];
+    int peCount = 0;
+
+    RSAPrivateKey  *rsaBlapiPrivKey = NULL;   /* holds RSA private and
+                                              * public keys */
+    RSAPublicKey   *rsaBlapiPublicKey = NULL; /* hold RSA public key */
+
+    rsareq = fopen(reqfn, "r");
+    rsaresp = stdout;
+
+    /* calculate the exponent */
+    for (i=0; i < 4; i++) {
+        if (peCount || (publicExponent &
+                ((unsigned long)0xff000000L >> (i*8)))) {
+            pubEx[peCount] =
+                (unsigned char)((publicExponent >> (3-i)*8) & 0xff);
+            peCount++;
+        }
+    }
+    pe.len = peCount;
+    pe.data = &pubEx[0];
+    pe.type = siBuffer;
+
+    while (fgets(buf, sizeof buf, rsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, rsaresp);
+            continue;
+        }
+
+        /* [mod = ...] */
+        if (buf[0] == '[') {
+
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+            if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
+                fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
+                goto loser;
+            }
+
+            fputs(buf, rsaresp);
+
+            if (rsaBlapiPrivKey != NULL) {
+                PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
+                rsaBlapiPrivKey = NULL;
+                rsaBlapiPublicKey = NULL;
+            }
+
+            rsaBlapiPrivKey = RSA_NewKey(modulus, &pe);
+            if (rsaBlapiPrivKey == NULL) {
+                fprintf(rsaresp, "Error unable to create RSA key\n");
+                goto loser;
+            }
+
+            to_hex_str(buf, rsaBlapiPrivKey->modulus.data,
+                       rsaBlapiPrivKey->modulus.len);
+            fprintf(rsaresp, "\nn = %s\n\n", buf);
+            to_hex_str(buf, rsaBlapiPrivKey->publicExponent.data,
+                       rsaBlapiPrivKey->publicExponent.len);
+            fprintf(rsaresp, "e = %s\n", buf);
+            /* convert private key to public key.  Memory
+             * is freed with private key's arena  */
+            rsaBlapiPublicKey = (RSAPublicKey *)PORT_ArenaAlloc(
+                                                  rsaBlapiPrivKey->arena,
+                                                  sizeof(RSAPublicKey));
+
+            rsaBlapiPublicKey->modulus.len = rsaBlapiPrivKey->modulus.len;
+            rsaBlapiPublicKey->modulus.data = rsaBlapiPrivKey->modulus.data;
+            rsaBlapiPublicKey->publicExponent.len =
+                rsaBlapiPrivKey->publicExponent.len;
+            rsaBlapiPublicKey->publicExponent.data =
+                rsaBlapiPrivKey->publicExponent.data;
+            continue;
+        }
+
+        /* SHAAlg = ... */
+        if (strncmp(buf, "SHAAlg", 6) == 0) {
+           i = 6;
+           while (isspace(buf[i]) || buf[i] == '=') {
+               i++;
+           }
+           /* set the SHA Algorithm */
+           if (strncmp(&buf[i], "SHA1", 4) == 0) {
+                shaAlg = HASH_AlgSHA1;
+           } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
+                shaAlg = HASH_AlgSHA256;
+           } else if (strncmp(&buf[i], "SHA384", 6)== 0) {
+               shaAlg = HASH_AlgSHA384;
+           } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
+               shaAlg = HASH_AlgSHA512;
+           } else {
+               fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
+               goto loser;
+           }
+           fputs(buf, rsaresp);
+           continue;
+
+        }
+        /* Msg = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+
+            unsigned char msg[128]; /* MAX msg 128 */
+            unsigned int rsa_bytes_signed;
+            unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
+            SECStatus       rv = SECFailure;
+            NSSLOWKEYPublicKey  * rsa_public_key;
+            NSSLOWKEYPrivateKey * rsa_private_key;
+            NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
+                                                NSSLOWKEYRSAKey, };
+            NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
+                                                NSSLOWKEYRSAKey, };
+
+            low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
+            low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
+
+            rsa_private_key = &low_RSA_private_key;
+            rsa_public_key = &low_RSA_public_key;
+
+            memset(sha, 0, sizeof sha);
+            memset(msg, 0, sizeof msg);
+            rsa_bytes_signed = 0;
+            memset(rsa_computed_signature, 0, sizeof rsa_computed_signature);
+
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j=0; isxdigit(buf[i]) && j < sizeof(msg); i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+
+            if (shaAlg == HASH_AlgSHA1) {
+                if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA1");
+                     goto loser;
+                }
+                shaLength = SHA1_LENGTH;
+                shaOid = SEC_OID_SHA1;
+            } else if (shaAlg == HASH_AlgSHA256) {
+                if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA256");
+                     goto loser;
+                }
+                shaLength = SHA256_LENGTH;
+                shaOid = SEC_OID_SHA256;
+            } else if (shaAlg == HASH_AlgSHA384) {
+                if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA384");
+                     goto loser;
+                }
+                shaLength = SHA384_LENGTH;
+                shaOid = SEC_OID_SHA384;
+            } else if (shaAlg == HASH_AlgSHA512) {
+                if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA512");
+                     goto loser;
+                }
+                shaLength = SHA512_LENGTH;
+                shaOid = SEC_OID_SHA512;
+            } else {
+                fprintf(rsaresp, "ERROR: SHAAlg not defined.");
+                goto loser;
+            }
+
+            /* Perform RSA signature with the RSA private key. */
+            rv = RSA_HashSign( shaOid,
+                               rsa_private_key,
+                               rsa_computed_signature,
+                               &rsa_bytes_signed,
+                               nsslowkey_PrivateModulusLen(rsa_private_key),
+                               sha,
+                               shaLength);
+
+            if( rv != SECSuccess ) {
+                 fprintf(rsaresp, "ERROR: RSA_HashSign failed");
+                 goto loser;
+            }
+
+            /* Output the signature */
+            fputs(buf, rsaresp);
+            to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
+            fprintf(rsaresp, "S = %s\n", buf);
+
+            /* Perform RSA verification with the RSA public key. */
+            rv = RSA_HashCheckSign( shaOid,
+                                    rsa_public_key,
+                                    rsa_computed_signature,
+                                    rsa_bytes_signed,
+                                    sha,
+                                    shaLength);
+            if( rv != SECSuccess ) {
+                 fprintf(rsaresp, "ERROR: RSA_HashCheckSign failed");
+                 goto loser;
+            }
+            continue;
+        }
+    }
+loser:
+    fclose(rsareq);
+
+    if (rsaBlapiPrivKey != NULL) {
+        /* frees private and public key */
+        PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
+        rsaBlapiPrivKey = NULL;
+        rsaBlapiPublicKey = NULL;
+    }
+
+}
+/*
+ * Perform the RSA Signature Verification Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+rsa_sigver_test(char *reqfn)
+{
+    char buf[2*RSA_MAX_TEST_MODULUS_BYTES+7];
+                        /* buf holds one line from the input REQUEST file
+                         * or to the output RESPONSE file.
+                         * s = 2x for HEX output + 1 for \n
+                         */
+    FILE *rsareq;     /* input stream from the REQUEST file */
+    FILE *rsaresp;    /* output stream to the RESPONSE file */
+    int i, j;
+    unsigned char   sha[HASH_LENGTH_MAX];   /* SHA digest */
+    unsigned int    shaLength = 0;              /* actual length of the digest */
+    HASH_HashType   shaAlg = HASH_AlgNULL;
+    SECOidTag       shaOid = SEC_OID_UNKNOWN;
+    int modulus = 0;                            /* the Modulus size */
+    unsigned char   signature[513];    /* largest signature size + '\n' */
+    unsigned int    signatureLength = 0;   /* actual length of the signature */
+    PRBool keyvalid = PR_TRUE;
+
+    RSAPublicKey   rsaBlapiPublicKey; /* hold RSA public key */
+
+    rsareq = fopen(reqfn, "r");
+    rsaresp = stdout;
+    memset(&rsaBlapiPublicKey, 0, sizeof(RSAPublicKey));
+
+    while (fgets(buf, sizeof buf, rsareq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, rsaresp);
+            continue;
+        }
+
+        /* [Mod = ...] */
+        if (buf[0] == '[') {
+            unsigned int flen;  /* length in bytes of the field size */
+
+            if (rsaBlapiPublicKey.modulus.data) { /* n */
+                SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
+            }
+            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
+                goto loser;
+            }
+
+            if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
+                fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
+                goto loser;
+            }
+
+            fputs(buf, rsaresp);
+
+            signatureLength = flen = modulus/8;
+
+            SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.modulus, flen);
+            if (rsaBlapiPublicKey.modulus.data == NULL) {
+                goto loser;
+            }
+            continue;
+        }
+
+        /* n = ... modulus */
+        if (buf[0] == 'n') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            keyvalid = from_hex_str(&rsaBlapiPublicKey.modulus.data[0],
+                                    rsaBlapiPublicKey.modulus.len,
+                                    &buf[i]);
+
+            if (!keyvalid) {
+                fprintf(rsaresp, "ERROR: rsa_sigver n not valid.\n");
+                                 goto loser;
+            }
+            fputs(buf, rsaresp);
+            continue;
+        }
+
+        /* SHAAlg = ... */
+        if (strncmp(buf, "SHAAlg", 6) == 0) {
+           i = 6;
+           while (isspace(buf[i]) || buf[i] == '=') {
+               i++;
+           }
+           /* set the SHA Algorithm */
+           if (strncmp(&buf[i], "SHA1", 4) == 0) {
+                shaAlg = HASH_AlgSHA1;
+           } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
+                shaAlg = HASH_AlgSHA256;
+           } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
+               shaAlg = HASH_AlgSHA384;
+           } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
+               shaAlg = HASH_AlgSHA512;
+           } else {
+               fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
+               goto loser;
+           }
+           fputs(buf, rsaresp);
+           continue;
+        }
+
+        /* e = ... public Key */
+        if (buf[0] == 'e') {
+            unsigned char data[RSA_MAX_TEST_EXPONENT_BYTES];
+            unsigned char t;
+
+            memset(data, 0, sizeof data);
+
+            if (rsaBlapiPublicKey.publicExponent.data) { /* e */
+                SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
+            }
+
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            /* skip leading zero's */
+            while (isxdigit(buf[i])) {
+                hex_to_byteval(&buf[i], &t);
+                if (t == 0) {
+                    i+=2;
+                } else break;
+            }
+        
+            /* get the exponent */
+            for (j=0; isxdigit(buf[i]) && j < sizeof data; i+=2,j++) {
+                hex_to_byteval(&buf[i], &data[j]);
+            }
+
+            if (j == 0) { j = 1; }  /* to handle 1 byte length exponents */
+
+            SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.publicExponent,  j);
+            if (rsaBlapiPublicKey.publicExponent.data == NULL) {
+                goto loser;
+            }
+
+            for (i=0; i < j; i++) {
+                rsaBlapiPublicKey.publicExponent.data[i] = data[i];
+            }
+
+            fputs(buf, rsaresp);
+            continue;
+        }
+
+        /* Msg = ... */
+        if (strncmp(buf, "Msg", 3) == 0) {
+            unsigned char msg[128]; /* MAX msg 128 */
+
+            memset(sha, 0, sizeof sha);
+            memset(msg, 0, sizeof msg);
+
+            i = 3;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+
+            for (j=0; isxdigit(buf[i]) && j < sizeof msg; i+=2,j++) {
+                hex_to_byteval(&buf[i], &msg[j]);
+            }
+
+            if (shaAlg == HASH_AlgSHA1) {
+                if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA1");
+                     goto loser;
+                }
+                shaLength = SHA1_LENGTH;
+                shaOid = SEC_OID_SHA1;
+            } else if (shaAlg == HASH_AlgSHA256) {
+                if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA256");
+                     goto loser;
+                }
+                shaLength = SHA256_LENGTH;
+                shaOid = SEC_OID_SHA256;
+            } else if (shaAlg == HASH_AlgSHA384) {
+                if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA384");
+                     goto loser;
+                }
+                shaLength = SHA384_LENGTH;
+                shaOid = SEC_OID_SHA384;
+            } else if (shaAlg == HASH_AlgSHA512) {
+                if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
+                     fprintf(rsaresp, "ERROR: Unable to generate SHA512");
+                     goto loser;
+                }
+                shaLength = SHA512_LENGTH;
+                shaOid = SEC_OID_SHA512;
+            } else {
+                fprintf(rsaresp, "ERROR: SHAAlg not defined.");
+                goto loser;
+            }
+
+            fputs(buf, rsaresp);
+            continue;
+
+        }
+
+        /* S = ... */
+        if (buf[0] == 'S') {
+            SECStatus rv = SECFailure;
+            NSSLOWKEYPublicKey  * rsa_public_key;
+            NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
+                                                  NSSLOWKEYRSAKey, };
+
+            /* convert to a low RSA public key */
+            low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
+            rsa_public_key = &low_RSA_public_key;
+
+            memset(signature, 0, sizeof(signature));
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+
+            for (j=0; isxdigit(buf[i]) && j < sizeof signature; i+=2,j++) {
+                hex_to_byteval(&buf[i], &signature[j]);
+            }
+
+            signatureLength = j;
+            fputs(buf, rsaresp);
+
+            /* Perform RSA verification with the RSA public key. */
+            rv = RSA_HashCheckSign( shaOid,
+                                    rsa_public_key,
+                                    signature,
+                                    signatureLength,
+                                    sha,
+                                    shaLength);
+            if( rv == SECSuccess ) {
+                fputs("Result = P\n", rsaresp);
+            } else {
+                fputs("Result = F\n", rsaresp);
+            }
+            continue;
+        }
+    }
+loser:
+    fclose(rsareq);
+    if (rsaBlapiPublicKey.modulus.data) { /* n */
+        SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
+    }
+    if (rsaBlapiPublicKey.publicExponent.data) { /* e */
+        SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
+    }
+}
+
+int main(int argc, char **argv)
+{
+    if (argc < 2) exit (-1);
+    NSS_NoDB_Init(NULL);
+    /*************/
+    /*   TDEA    */
+    /*************/
+    if (strcmp(argv[1], "tdea") == 0) {
+        /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
+        if (strcmp(argv[2], "kat") == 0) {
+            /* Known Answer Test (KAT) */
+            tdea_kat_mmt(argv[4]);     
+        } else if (strcmp(argv[2], "mmt") == 0) {
+            /* Multi-block Message Test (MMT) */
+                tdea_kat_mmt(argv[4]);
+        } else if (strcmp(argv[2], "mct") == 0) {
+                /* Monte Carlo Test (MCT) */
+                if (strcmp(argv[3], "ecb") == 0) {
+                    /* ECB mode */
+                    tdea_mct(NSS_DES_EDE3, argv[4]); 
+                } else if (strcmp(argv[3], "cbc") == 0) {
+                    /* CBC mode */
+                    tdea_mct(NSS_DES_EDE3_CBC, argv[4]);
+                }
+        }
+    /*************/
+    /*   AES     */
+    /*************/
+    } else if (strcmp(argv[1], "aes") == 0) {
+	/* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
+	if (       strcmp(argv[2], "kat") == 0) {
+	    /* Known Answer Test (KAT) */
+	    aes_kat_mmt(argv[4]);
+	} else if (strcmp(argv[2], "mmt") == 0) {
+	    /* Multi-block Message Test (MMT) */
+	    aes_kat_mmt(argv[4]);
+	} else if (strcmp(argv[2], "mct") == 0) {
+	    /* Monte Carlo Test (MCT) */
+	    if (       strcmp(argv[3], "ecb") == 0) {
+		/* ECB mode */
+		aes_ecb_mct(argv[4]);
+	    } else if (strcmp(argv[3], "cbc") == 0) {
+		/* CBC mode */
+		aes_cbc_mct(argv[4]);
+	    }
+	}
+    /*************/
+    /*   SHA     */
+    /*************/
+    } else if (strcmp(argv[1], "sha") == 0) {
+        sha_test(argv[2]);
+    /*************/
+    /*   RSA     */
+    /*************/
+    } else if (strcmp(argv[1], "rsa") == 0) {
+        /* argv[2]=siggen|sigver */
+        /* argv[3]=<test name>.req */
+        if (strcmp(argv[2], "siggen") == 0) {
+            /* Signature Generation Test */
+            rsa_siggen_test(argv[3]);
+        } else if (strcmp(argv[2], "sigver") == 0) {
+            /* Signature Verification Test */
+            rsa_sigver_test(argv[3]);
+        }
+    /*************/
+    /*   HMAC    */
+    /*************/
+    } else if (strcmp(argv[1], "hmac") == 0) {
+        hmac_test(argv[2]);
+    /*************/
+    /*   DSA     */
+    /*************/
+    } else if (strcmp(argv[1], "dsa") == 0) {
+        /* argv[2]=keypair|pqggen|pqgver|siggen|sigver */
+        /* argv[3]=<test name>.req */
+        if (strcmp(argv[2], "keypair") == 0) {
+            /* Key Pair Generation Test */
+            dsa_keypair_test(argv[3]);
+        } else if (strcmp(argv[2], "pqggen") == 0) {
+        /* Domain Parameter Generation Test */
+            dsa_pqggen_test(argv[3]);
+        } else if (strcmp(argv[2], "pqgver") == 0) {
+                /* Domain Parameter Validation Test */
+            dsa_pqgver_test(argv[3]);
+        } else if (strcmp(argv[2], "siggen") == 0) {
+            /* Signature Generation Test */
+            dsa_siggen_test(argv[3]);
+        } else if (strcmp(argv[2], "sigver") == 0) {
+            /* Signature Verification Test */
+            dsa_sigver_test(argv[3]);
+        }
+#ifdef NSS_ENABLE_ECC
+    /*************/
+    /*   ECDSA   */
+    /*************/
+    } else if (strcmp(argv[1], "ecdsa") == 0) {
+	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
+	if (       strcmp(argv[2], "keypair") == 0) {
+	    /* Key Pair Generation Test */
+	    ecdsa_keypair_test(argv[3]);
+	} else if (strcmp(argv[2], "pkv") == 0) {
+	    /* Public Key Validation Test */
+	    ecdsa_pkv_test(argv[3]);
+	} else if (strcmp(argv[2], "siggen") == 0) {
+	    /* Signature Generation Test */
+	    ecdsa_siggen_test(argv[3]);
+	} else if (strcmp(argv[2], "sigver") == 0) {
+	    /* Signature Verification Test */
+	    ecdsa_sigver_test(argv[3]);
+	}
+#endif /* NSS_ENABLE_ECC */
+    /*************/
+    /*   RNG     */
+    /*************/
+    } else if (strcmp(argv[1], "rng") == 0) {
+	/* argv[2]=vst|mct argv[3]=<test name>.req */
+	if (       strcmp(argv[2], "vst") == 0) {
+	    /* Variable Seed Test */
+	    rng_vst(argv[3]);
+	} else if (strcmp(argv[2], "mct") == 0) {
+	    /* Monte Carlo Test */
+	    rng_mct(argv[3]);
+	}
+    }
+    return 0;
+}
diff --git a/security/nss/cmd/fipstest/hmac.sh b/security/nss/cmd/fipstest/hmac.sh
new file mode 100755
index 000000000..ace988c7f
--- /dev/null
+++ b/security/nss/cmd/fipstest/hmac.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+                               
+hmac_requests="
+HMAC.req
+"
+
+for request in $hmac_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest hmac $request > $response
+done
+
diff --git a/security/nss/cmd/fipstest/manifest.mn b/security/nss/cmd/fipstest/manifest.mn
new file mode 100644
index 000000000..ba3b1a448
--- /dev/null
+++ b/security/nss/cmd/fipstest/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+PROGRAM = fipstest
+
+USE_STATIC_LIBS = 1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	fipstest.c \
+	$(NULL)
+
diff --git a/security/nss/cmd/fipstest/rng.sh b/security/nss/cmd/fipstest/rng.sh
new file mode 100644
index 000000000..4b62a998d
--- /dev/null
+++ b/security/nss/cmd/fipstest/rng.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST RNG Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+vst_requests="
+FIPS186_VST.req
+FIPS186_VSTGEN.req
+"
+mct_requests="
+FIPS186_MCT.req
+FIPS186_MCTGEN.req
+"
+
+for request in $vst_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest rng vst $request > $response
+done
+for request in $mct_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest rng mct $request > $response
+done
diff --git a/security/nss/cmd/fipstest/rsa.sh b/security/nss/cmd/fipstest/rsa.sh
new file mode 100644
index 000000000..4b68a58bc
--- /dev/null
+++ b/security/nss/cmd/fipstest/rsa.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST RSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+
+request=SigGen15.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest rsa siggen $request > $response
+
+request=SigVer15.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest rsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/sha.sh b/security/nss/cmd/fipstest/sha.sh
new file mode 100644
index 000000000..685a41b00
--- /dev/null
+++ b/security/nss/cmd/fipstest/sha.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+                               
+sha_ShortMsg_requests="
+SHA1ShortMsg.req
+SHA256ShortMsg.req
+SHA384ShortMsg.req
+SHA512ShortMsg.req
+"
+
+sha_LongMsg_requests="
+SHA1LongMsg.req
+SHA256LongMsg.req
+SHA384LongMsg.req
+SHA512LongMsg.req
+"
+
+sha_Monte_requests="
+SHA1Monte.req
+SHA256Monte.req
+SHA384Monte.req
+SHA512Monte.req
+"
+for request in $sha_ShortMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+for request in $sha_LongMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+for request in $sha_Monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha $request > $response
+done
+
diff --git a/security/nss/cmd/fipstest/tdea.sh b/security/nss/cmd/fipstest/tdea.sh
new file mode 100644
index 000000000..505478039
--- /dev/null
+++ b/security/nss/cmd/fipstest/tdea.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# A Bourne shell script for running the NIST tdea Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+#CBC_Known_Answer_tests
+#Initial Permutation KAT  
+#Permutation Operation KAT 
+#Subsitution Table KAT    
+#Variable Key KAT         
+#Variable PlainText KAT   
+cbc_kat_requests="
+TCBCinvperm.req   
+TCBCpermop.req    
+TCBCsubtab.req    
+TCBCvarkey.req    
+TCBCvartext.req   
+"
+
+#CBC Monte Carlo KATs
+cbc_monte_requests="
+TCBCMonte1.req
+TCBCMonte2.req
+TCBCMonte3.req
+"
+#Multi-block Message KATs
+cbc_mmt_requests="
+TCBCMMT1.req
+TCBCMMT2.req
+TCBCMMT3.req
+"
+
+ecb_kat_requests="
+TECBinvperm.req   
+TECBpermop.req    
+TECBsubtab.req    
+TECBvarkey.req    
+TECBvartext.req   
+"
+
+ecb_monte_requests="
+TECBMonte1.req
+TECBMonte2.req
+TECBMonte3.req
+"
+
+ecb_mmt_requests="
+TECBMMT1.req
+TECBMMT2.req
+TECBMMT3.req
+"
+
+for request in $ecb_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt ecb $request > $response
+done
+for request in $ecb_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat ecb $request > $response
+done
+for request in $ecb_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct ecb $request > $response
+done
+for request in $cbc_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt cbc $request > $response
+done
+for request in $cbc_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat cbc $request > $response
+done
+for request in $cbc_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct cbc $request > $response
+done
diff --git a/security/nss/cmd/lib/Makefile b/security/nss/cmd/lib/Makefile
new file mode 100644
index 000000000..54ef29fdf
--- /dev/null
+++ b/security/nss/cmd/lib/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h 
+
diff --git a/security/nss/cmd/lib/NSPRerrs.h b/security/nss/cmd/lib/NSPRerrs.h
new file mode 100644
index 000000000..b11169847
--- /dev/null
+++ b/security/nss/cmd/lib/NSPRerrs.h
@@ -0,0 +1,153 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* General NSPR 2.0 errors */
+/* Caller must #include "prerror.h" */
+
+ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
+ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
+ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
+ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
+ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
+ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
+ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
+ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
+ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
+ER2( PR_IO_ERROR, 		"I/O function error." )
+ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
+ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
+ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
+ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
+ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
+ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
+ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
+ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
+ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
+ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
+ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
+ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
+ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
+ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
+ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
+ER2( PR_FIND_SYMBOL_ERROR, 	
+"Symbol not found in any of the loaded dynamic libraries." )
+ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
+ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
+"A directory lookup on a network address has failed." )
+ER2( PR_TPD_RANGE_ERROR, 		
+"Attempt to access a TPD key that is out of range." )
+ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
+ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
+ER2( PR_NOT_SOCKET_ERROR, 	
+"Network operation attempted on non-network file descriptor." )
+ER2( PR_NOT_TCP_SOCKET_ERROR, 	
+"TCP-specific function attempted on a non-TCP file descriptor." )
+ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
+ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
+ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
+"The requested operation is not supported by the platform." )
+ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
+"The host operating system does not support the protocol requested." )
+ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
+ER2( PR_BUFFER_OVERFLOW_ERROR, 	
+"The value requested is too large to be stored in the data buffer provided." )
+ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
+ER2( PR_RANGE_ERROR, 		"Unused." )
+ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
+ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
+ER2( PR_FILE_TOO_BIG_ERROR, 	
+"Write would result in file larger than the system allows." )
+ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
+ER2( PR_PIPE_ERROR, 		"Unused." )
+ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
+ER2( PR_IS_DIRECTORY_ERROR, 	
+"Cannot perform a normal file operation on a directory." )
+ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
+ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
+ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
+ER2( PR_NOT_DIRECTORY_ERROR, 	
+"Cannot perform directory operation on a normal file." )
+ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
+"Cannot write to a read-only file system." )
+ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
+"Cannot delete a directory that is not empty." )
+ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
+"Cannot delete or rename a file object while the file system is busy." )
+ER2( PR_NOT_SAME_DEVICE_ERROR, 	
+"Cannot rename a file to a file system on another device." )
+ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
+"The directory object in the file system is corrupted." )
+ER2( PR_FILE_EXISTS_ERROR, 	
+"Cannot create or rename a filename that already exists." )
+ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
+"Directory is full.  No additional filenames may be added." )
+ER2( PR_INVALID_DEVICE_STATE_ERROR, 
+"The required device was in an invalid state." )
+ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
+ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
+ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
+ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
+ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
+ER2( PR_IN_PROGRESS_ERROR,
+"Operation is still in progress (probably a non-blocking connect)." )
+ER2( PR_ALREADY_INITIATED_ERROR,
+"Operation has already been initiated (probably a non-blocking connect)." )
+
+#ifdef PR_GROUP_EMPTY_ERROR
+ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
+#endif
+
+#ifdef PR_INVALID_STATE_ERROR
+ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
+#endif
+
+#ifdef PR_NETWORK_DOWN_ERROR
+ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
+#endif
+
+#ifdef PR_SOCKET_SHUTDOWN_ERROR
+ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
+#endif
+
+#ifdef PR_CONNECT_ABORTED_ERROR
+ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
+#endif
+
+#ifdef PR_HOST_UNREACHABLE_ERROR
+ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
+#endif
+
+/* always last */
+ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
new file mode 100644
index 000000000..de81429b4
--- /dev/null
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -0,0 +1,557 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* General security error codes  */
+/* Caller must #include "secerr.h" */
+
+ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
+"An I/O error occurred during security authorization.")
+
+ER3(SEC_ERROR_LIBRARY_FAILURE,			SEC_ERROR_BASE + 1,
+"security library failure.")
+
+ER3(SEC_ERROR_BAD_DATA,				SEC_ERROR_BASE + 2,
+"security library: received bad data.")
+
+ER3(SEC_ERROR_OUTPUT_LEN,			SEC_ERROR_BASE + 3,
+"security library: output length error.")
+
+ER3(SEC_ERROR_INPUT_LEN,			SEC_ERROR_BASE + 4,
+"security library has experienced an input length error.")
+
+ER3(SEC_ERROR_INVALID_ARGS,			SEC_ERROR_BASE + 5,
+"security library: invalid arguments.")
+
+ER3(SEC_ERROR_INVALID_ALGORITHM,		SEC_ERROR_BASE + 6,
+"security library: invalid algorithm.")
+
+ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
+"security library: invalid AVA.")
+
+ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
+"Improperly formatted time string.")
+
+ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
+"security library: improperly formatted DER-encoded message.")
+
+ER3(SEC_ERROR_BAD_SIGNATURE,			SEC_ERROR_BASE + 10,
+"Peer's certificate has an invalid signature.")
+
+ER3(SEC_ERROR_EXPIRED_CERTIFICATE,		SEC_ERROR_BASE + 11,
+"Peer's Certificate has expired.")
+
+ER3(SEC_ERROR_REVOKED_CERTIFICATE,		SEC_ERROR_BASE + 12,
+"Peer's Certificate has been revoked.")
+
+ER3(SEC_ERROR_UNKNOWN_ISSUER,			SEC_ERROR_BASE + 13,
+"Peer's Certificate issuer is not recognized.")
+
+ER3(SEC_ERROR_BAD_KEY,				SEC_ERROR_BASE + 14,
+"Peer's public key is invalid.")
+
+ER3(SEC_ERROR_BAD_PASSWORD,			SEC_ERROR_BASE + 15,
+"The security password entered is incorrect.")
+
+ER3(SEC_ERROR_RETRY_PASSWORD,			SEC_ERROR_BASE + 16,
+"New password entered incorrectly.  Please try again.")
+
+ER3(SEC_ERROR_NO_NODELOCK,			SEC_ERROR_BASE + 17,
+"security library: no nodelock.")
+
+ER3(SEC_ERROR_BAD_DATABASE,			SEC_ERROR_BASE + 18,
+"security library: bad database.")
+
+ER3(SEC_ERROR_NO_MEMORY,			SEC_ERROR_BASE + 19,
+"security library: memory allocation failure.")
+
+ER3(SEC_ERROR_UNTRUSTED_ISSUER,			SEC_ERROR_BASE + 20,
+"Peer's certificate issuer has been marked as not trusted by the user.")
+
+ER3(SEC_ERROR_UNTRUSTED_CERT,			SEC_ERROR_BASE + 21,
+"Peer's certificate has been marked as not trusted by the user.")
+
+ER3(SEC_ERROR_DUPLICATE_CERT,			(SEC_ERROR_BASE + 22),
+"Certificate already exists in your database.")
+
+ER3(SEC_ERROR_DUPLICATE_CERT_NAME,		(SEC_ERROR_BASE + 23),
+"Downloaded certificate's name duplicates one already in your database.")
+
+ER3(SEC_ERROR_ADDING_CERT,			(SEC_ERROR_BASE + 24),
+"Error adding certificate to database.")
+
+ER3(SEC_ERROR_FILING_KEY,			(SEC_ERROR_BASE + 25),
+"Error refiling the key for this certificate.")
+
+ER3(SEC_ERROR_NO_KEY,				(SEC_ERROR_BASE + 26),
+"The private key for this certificate cannot be found in key database")
+
+ER3(SEC_ERROR_CERT_VALID,			(SEC_ERROR_BASE + 27),
+"This certificate is valid.")
+
+ER3(SEC_ERROR_CERT_NOT_VALID,			(SEC_ERROR_BASE + 28),
+"This certificate is not valid.")
+
+ER3(SEC_ERROR_CERT_NO_RESPONSE,			(SEC_ERROR_BASE + 29),
+"Cert Library: No Response")
+
+ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE,	(SEC_ERROR_BASE + 30),
+"The certificate issuer's certificate has expired.  Check your system date and time.")
+
+ER3(SEC_ERROR_CRL_EXPIRED,			(SEC_ERROR_BASE + 31),
+"The CRL for the certificate's issuer has expired.  Update it or check your system date and time.")
+
+ER3(SEC_ERROR_CRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 32),
+"The CRL for the certificate's issuer has an invalid signature.")
+
+ER3(SEC_ERROR_CRL_INVALID,			(SEC_ERROR_BASE + 33),
+"New CRL has an invalid format.")
+
+ER3(SEC_ERROR_EXTENSION_VALUE_INVALID,		(SEC_ERROR_BASE + 34),
+"Certificate extension value is invalid.")
+
+ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
+"Certificate extension not found.")
+
+ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
+"Issuer certificate is invalid.")
+   
+ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
+"Certificate path length constraint is invalid.")
+
+ER3(SEC_ERROR_CERT_USAGES_INVALID,		(SEC_ERROR_BASE + 38),
+"Certificate usages field is invalid.")
+
+ER3(SEC_INTERNAL_ONLY,				(SEC_ERROR_BASE + 39),
+"**Internal ONLY module**")
+
+ER3(SEC_ERROR_INVALID_KEY,			(SEC_ERROR_BASE + 40),
+"The key does not support the requested operation.")
+
+ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,	(SEC_ERROR_BASE + 41),
+"Certificate contains unknown critical extension.")
+
+ER3(SEC_ERROR_OLD_CRL,				(SEC_ERROR_BASE + 42),
+"New CRL is not later than the current one.")
+
+ER3(SEC_ERROR_NO_EMAIL_CERT,			(SEC_ERROR_BASE + 43),
+"Not encrypted or signed: you do not yet have an email certificate.")
+
+ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY,		(SEC_ERROR_BASE + 44),
+"Not encrypted: you do not have certificates for each of the recipients.")
+
+ER3(SEC_ERROR_NOT_A_RECIPIENT,			(SEC_ERROR_BASE + 45),
+"Cannot decrypt: you are not a recipient, or matching certificate and \
+private key not found.")
+
+ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH,		(SEC_ERROR_BASE + 46),
+"Cannot decrypt: key encryption algorithm does not match your certificate.")
+
+ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE,		(SEC_ERROR_BASE + 47),
+"Signature verification failed: no signer found, too many signers found, \
+or improper or corrupted data.")
+
+ER3(SEC_ERROR_UNSUPPORTED_KEYALG,		(SEC_ERROR_BASE + 48),
+"Unsupported or unknown key algorithm.")
+
+ER3(SEC_ERROR_DECRYPTION_DISALLOWED,		(SEC_ERROR_BASE + 49),
+"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
+
+
+/* Fortezza Alerts */
+ER3(XP_SEC_FORTEZZA_BAD_CARD,			(SEC_ERROR_BASE + 50),
+"Fortezza card has not been properly initialized.  \
+Please remove it and return it to your issuer.")
+
+ER3(XP_SEC_FORTEZZA_NO_CARD,			(SEC_ERROR_BASE + 51),
+"No Fortezza cards Found")
+
+ER3(XP_SEC_FORTEZZA_NONE_SELECTED,		(SEC_ERROR_BASE + 52),
+"No Fortezza card selected")
+
+ER3(XP_SEC_FORTEZZA_MORE_INFO,			(SEC_ERROR_BASE + 53),
+"Please select a personality to get more info on")
+
+ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND,		(SEC_ERROR_BASE + 54),
+"Personality not found")
+
+ER3(XP_SEC_FORTEZZA_NO_MORE_INFO,		(SEC_ERROR_BASE + 55),
+"No more information on that Personality")
+
+ER3(XP_SEC_FORTEZZA_BAD_PIN,			(SEC_ERROR_BASE + 56),
+"Invalid Pin")
+
+ER3(XP_SEC_FORTEZZA_PERSON_ERROR,		(SEC_ERROR_BASE + 57),
+"Couldn't initialize Fortezza personalities.")
+/* end fortezza alerts. */
+
+ER3(SEC_ERROR_NO_KRL,				(SEC_ERROR_BASE + 58),
+"No KRL for this site's certificate has been found.")
+
+ER3(SEC_ERROR_KRL_EXPIRED,			(SEC_ERROR_BASE + 59),
+"The KRL for this site's certificate has expired.")
+
+ER3(SEC_ERROR_KRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 60),
+"The KRL for this site's certificate has an invalid signature.")
+
+ER3(SEC_ERROR_REVOKED_KEY,			(SEC_ERROR_BASE + 61),
+"The key for this site's certificate has been revoked.")
+
+ER3(SEC_ERROR_KRL_INVALID,			(SEC_ERROR_BASE + 62),
+"New KRL has an invalid format.")
+
+ER3(SEC_ERROR_NEED_RANDOM,			(SEC_ERROR_BASE + 63),
+"security library: need random data.")
+
+ER3(SEC_ERROR_NO_MODULE,			(SEC_ERROR_BASE + 64),
+"security library: no security module can perform the requested operation.")
+
+ER3(SEC_ERROR_NO_TOKEN,				(SEC_ERROR_BASE + 65),
+"The security card or token does not exist, needs to be initialized, or has been removed.")
+
+ER3(SEC_ERROR_READ_ONLY,			(SEC_ERROR_BASE + 66),
+"security library: read-only database.")
+
+ER3(SEC_ERROR_NO_SLOT_SELECTED,			(SEC_ERROR_BASE + 67),
+"No slot or token was selected.")
+
+ER3(SEC_ERROR_CERT_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 68),
+"A certificate with the same nickname already exists.")
+
+ER3(SEC_ERROR_KEY_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 69),
+"A key with the same nickname already exists.")
+
+ER3(SEC_ERROR_SAFE_NOT_CREATED,			(SEC_ERROR_BASE + 70),
+"error while creating safe object")
+
+ER3(SEC_ERROR_BAGGAGE_NOT_CREATED,		(SEC_ERROR_BASE + 71),
+"error while creating baggage object")
+
+ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR,		(SEC_ERROR_BASE + 72),
+"Couldn't remove the principal")
+
+ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR,		(SEC_ERROR_BASE + 73),
+"Couldn't delete the privilege")
+
+ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR,		(SEC_ERROR_BASE + 74),
+"This principal doesn't have a certificate")
+
+ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM,		(SEC_ERROR_BASE + 75),
+"Required algorithm is not allowed.")
+
+ER3(SEC_ERROR_EXPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 76),
+"Error attempting to export certificates.")
+
+ER3(SEC_ERROR_IMPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 77),
+"Error attempting to import certificates.")
+
+ER3(SEC_ERROR_PKCS12_DECODING_PFX,		(SEC_ERROR_BASE + 78),
+"Unable to import.  Decoding error.  File not valid.")
+
+ER3(SEC_ERROR_PKCS12_INVALID_MAC,		(SEC_ERROR_BASE + 79),
+"Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
+
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM,	(SEC_ERROR_BASE + 80),
+"Unable to import.  MAC algorithm not supported.")
+
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
+"Unable to import.  Only password integrity and privacy modes supported.")
+
+ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE,	(SEC_ERROR_BASE + 82),
+"Unable to import.  File structure is corrupt.")
+
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
+"Unable to import.  Encryption algorithm not supported.")
+
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION,	(SEC_ERROR_BASE + 84),
+"Unable to import.  File version not supported.")
+
+ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
+"Unable to import.  Incorrect privacy password.")
+
+ER3(SEC_ERROR_PKCS12_CERT_COLLISION,		(SEC_ERROR_BASE + 86),
+"Unable to import.  Same nickname already exists in database.")
+
+ER3(SEC_ERROR_USER_CANCELLED,			(SEC_ERROR_BASE + 87),
+"The user pressed cancel.")
+
+ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA,		(SEC_ERROR_BASE + 88),
+"Not imported, already in database.")
+
+ER3(SEC_ERROR_MESSAGE_SEND_ABORTED,		(SEC_ERROR_BASE + 89),
+"Message not sent.")
+
+ER3(SEC_ERROR_INADEQUATE_KEY_USAGE,		(SEC_ERROR_BASE + 90),
+"Certificate key usage inadequate for attempted operation.")
+
+ER3(SEC_ERROR_INADEQUATE_CERT_TYPE,		(SEC_ERROR_BASE + 91),
+"Certificate type not approved for application.")
+
+ER3(SEC_ERROR_CERT_ADDR_MISMATCH,		(SEC_ERROR_BASE + 92),
+"Address in signing certificate does not match address in message headers.")
+
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY,	(SEC_ERROR_BASE + 93),
+"Unable to import.  Error attempting to import private key.")
+
+ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN,	(SEC_ERROR_BASE + 94),
+"Unable to import.  Error attempting to import certificate chain.")
+
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
+"Unable to export.  Unable to locate certificate or key by nickname.")
+
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY,	(SEC_ERROR_BASE + 96),
+"Unable to export.  Private Key could not be located and exported.")
+
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, 		(SEC_ERROR_BASE + 97),
+"Unable to export.  Unable to write the export file.")
+
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ,		(SEC_ERROR_BASE + 98),
+"Unable to import.  Unable to read the import file.")
+
+ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
+"Unable to export.  Key database corrupt or deleted.")
+
+ER3(SEC_ERROR_KEYGEN_FAIL,			(SEC_ERROR_BASE + 100),
+"Unable to generate public/private key pair.")
+
+ER3(SEC_ERROR_INVALID_PASSWORD,			(SEC_ERROR_BASE + 101),
+"Password entered is invalid.  Please pick a different one.")
+
+ER3(SEC_ERROR_RETRY_OLD_PASSWORD,		(SEC_ERROR_BASE + 102),
+"Old password entered incorrectly.  Please try again.")
+
+ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
+"Certificate nickname already in use.")
+
+ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
+"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
+
+ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, 	(SEC_ERROR_BASE + 105),
+"A sensitive key cannot be moved to the slot where it is needed.")
+
+ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
+"Invalid module name.")
+
+ER3(SEC_ERROR_JS_INVALID_DLL, 			(SEC_ERROR_BASE + 107),
+"Invalid module path/filename")
+
+ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, 		(SEC_ERROR_BASE + 108),
+"Unable to add module")
+
+ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
+"Unable to delete module")
+
+ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
+"New KRL is not later than the current one.")
+ 
+ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
+"New CKL has different issuer than current CKL.  Delete current CKL.")
+
+ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
+"The Certifying Authority for this certificate is not permitted to issue a \
+certificate with this name.")
+
+ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
+"The key revocation list for this certificate is not yet valid.")
+
+ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
+"The certificate revocation list for this certificate is not yet valid.")
+
+ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
+"The requested certificate could not be found.")
+
+ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
+"The signer's certificate could not be found.")
+
+ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
+"The location for the certificate status server has invalid format.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
+"The OCSP response cannot be fully decoded; it is of an unknown type.")
+
+ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
+"The OCSP server returned unexpected/invalid HTTP data.")
+
+ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
+"The OCSP server found the request to be corrupted or improperly formed.")
+
+ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
+"The OCSP server experienced an internal error.")
+
+ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
+"The OCSP server suggests trying again later.")
+
+ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
+"The OCSP server requires a signature on this request.")
+
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
+"The OCSP server has refused this request as unauthorized.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
+"The OCSP server returned an unrecognizable status.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
+"The OCSP server has no status for the certificate.")
+
+ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
+"You must enable OCSP before performing this operation.")
+
+ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
+"You must set the OCSP default responder before performing this operation.")
+
+ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
+"The response from the OCSP server was corrupted or improperly formed.")
+
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
+"The signer of the OCSP response is not authorized to give status for \
+this certificate.")
+
+ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
+"The OCSP response is not yet valid (contains a date in the future).")
+
+ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
+"The OCSP response contains out-of-date information.")
+
+ER3(SEC_ERROR_DIGEST_NOT_FOUND,			(SEC_ERROR_BASE + 133),
+"The CMS or PKCS #7 Digest was not found in signed message.")
+
+ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE,		(SEC_ERROR_BASE + 134),
+"The CMS or PKCS #7 Message type is unsupported.")
+
+ER3(SEC_ERROR_MODULE_STUCK,			(SEC_ERROR_BASE + 135),
+"PKCS #11 module could not be removed because it is still in use.")
+
+ER3(SEC_ERROR_BAD_TEMPLATE,			(SEC_ERROR_BASE + 136),
+"Could not decode ASN.1 data. Specified template was invalid.")
+
+ER3(SEC_ERROR_CRL_NOT_FOUND,			(SEC_ERROR_BASE + 137),
+"No matching CRL was found.")
+
+ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL,        (SEC_ERROR_BASE + 138),
+"You are attempting to import a cert with the same issuer/serial as \
+an existing cert, but that is not the same cert.")
+
+ER3(SEC_ERROR_BUSY,				(SEC_ERROR_BASE + 139),
+"NSS could not shutdown. Objects are still in use.")
+
+ER3(SEC_ERROR_EXTRA_INPUT,			(SEC_ERROR_BASE + 140),
+"DER-encoded message contained extra unused data.")
+
+ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE,	(SEC_ERROR_BASE + 141),
+"Unsupported elliptic curve.")
+
+ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM,	(SEC_ERROR_BASE + 142),
+"Unsupported elliptic curve point form.")
+
+ER3(SEC_ERROR_UNRECOGNIZED_OID,			(SEC_ERROR_BASE + 143),
+"Unrecognized Object Identifier.")
+
+ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,	(SEC_ERROR_BASE + 144),
+"Invalid OCSP signing certificate in OCSP response.")
+
+ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL,          (SEC_ERROR_BASE + 145),
+"Certificate is revoked in issuer's certificate revocation list.")
+
+ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP,         (SEC_ERROR_BASE + 146),
+"Issuer's OCSP responder reports certificate is revoked.")
+
+ER3(SEC_ERROR_CRL_INVALID_VERSION,              (SEC_ERROR_BASE + 147),
+"Issuer's Certificate Revocation List has an unknown version number.")
+
+ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION,        (SEC_ERROR_BASE + 148),
+"Issuer's V1 Certificate Revocation List has a critical extension.")
+
+ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION,   (SEC_ERROR_BASE + 149),
+"Issuer's V2 Certificate Revocation List has an unknown critical extension.")
+
+ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE,	        (SEC_ERROR_BASE + 150),
+"Unknown object type specified.")
+
+ER3(SEC_ERROR_INCOMPATIBLE_PKCS11,	        (SEC_ERROR_BASE + 151),
+"PKCS #11 driver violates the spec in an incompatible way.")
+
+ER3(SEC_ERROR_NO_EVENT,	        		(SEC_ERROR_BASE + 152),
+"No new slot event is available at this time.")
+
+ER3(SEC_ERROR_CRL_ALREADY_EXISTS,      		(SEC_ERROR_BASE + 153),
+"CRL already exists.")
+
+ER3(SEC_ERROR_NOT_INITIALIZED,      		(SEC_ERROR_BASE + 154),
+"NSS is not initialized.")
+
+ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN,  		(SEC_ERROR_BASE + 155),
+"The operation failed because the PKCS#11 token is not logged in.")
+
+ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID,  	(SEC_ERROR_BASE + 156),
+"Configured OCSP responder's certificate is invalid.")
+
+ER3(SEC_ERROR_OCSP_BAD_SIGNATURE,      		(SEC_ERROR_BASE + 157),
+"OCSP response has an invalid signature.")
+
+ER3(SEC_ERROR_OUT_OF_SEARCH_LIMITS,      		(SEC_ERROR_BASE + 158),
+"Cert validation search is out of search limits")
+
+ER3(SEC_ERROR_INVALID_POLICY_MAPPING,      		(SEC_ERROR_BASE + 159),
+"Policy mapping contains anypolicy")
+
+ER3(SEC_ERROR_POLICY_VALIDATION_FAILED,    		(SEC_ERROR_BASE + 160),
+"Cert chain fails policy validation")
+
+ER3(SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE,    		(SEC_ERROR_BASE + 161),
+"Unknown location type in cert AIA extension")
+
+ER3(SEC_ERROR_BAD_HTTP_RESPONSE,    		(SEC_ERROR_BASE + 162),
+"Server returned bad HTTP response")
+
+ER3(SEC_ERROR_BAD_LDAP_RESPONSE,    		(SEC_ERROR_BASE + 163),
+"Server returned bad LDAP response")
+
+ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA,    		(SEC_ERROR_BASE + 164),
+"Failed to encode data with ASN1 encoder")
+
+ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION,    		(SEC_ERROR_BASE + 165),
+"Bad information access location in cert extension")
+
+ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(SEC_ERROR_BASE + 166),
+"Libpkix internal error occured during cert validation.")
+
+ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
+"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
+
+ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED,      		(SEC_ERROR_BASE + 168),
+"A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
+
+ER3(SEC_ERROR_PKCS11_DEVICE_ERROR,      		(SEC_ERROR_BASE + 169),
+"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
diff --git a/security/nss/cmd/lib/SSLerrs.h b/security/nss/cmd/lib/SSLerrs.h
new file mode 100644
index 000000000..023524929
--- /dev/null
+++ b/security/nss/cmd/lib/SSLerrs.h
@@ -0,0 +1,392 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* SSL-specific security error codes  */
+/* caller must include "sslerr.h" */
+
+ER3(SSL_ERROR_EXPORT_ONLY_SERVER,			SSL_ERROR_BASE + 0,
+"Unable to communicate securely.  Peer does not support high-grade encryption.")
+
+ER3(SSL_ERROR_US_ONLY_SERVER,				SSL_ERROR_BASE + 1,
+"Unable to communicate securely.  Peer requires high-grade encryption which is not supported.")
+
+ER3(SSL_ERROR_NO_CYPHER_OVERLAP,			SSL_ERROR_BASE + 2,
+"Cannot communicate securely with peer: no common encryption algorithm(s).")
+
+ER3(SSL_ERROR_NO_CERTIFICATE,				SSL_ERROR_BASE + 3,
+"Unable to find the certificate or key necessary for authentication.")
+
+ER3(SSL_ERROR_BAD_CERTIFICATE,				SSL_ERROR_BASE + 4,
+"Unable to communicate securely with peer: peers's certificate was rejected.")
+
+/* unused						(SSL_ERROR_BASE + 5),*/
+
+ER3(SSL_ERROR_BAD_CLIENT,				SSL_ERROR_BASE + 6,
+"The server has encountered bad data from the client.")
+
+ER3(SSL_ERROR_BAD_SERVER,				SSL_ERROR_BASE + 7,
+"The client has encountered bad data from the server.")
+
+ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,		SSL_ERROR_BASE + 8,
+"Unsupported certificate type.")
+
+ER3(SSL_ERROR_UNSUPPORTED_VERSION,			SSL_ERROR_BASE + 9,
+"Peer using unsupported version of security protocol.")
+
+/* unused						(SSL_ERROR_BASE + 10),*/
+
+ER3(SSL_ERROR_WRONG_CERTIFICATE,			SSL_ERROR_BASE + 11,
+"Client authentication failed: private key in key database does not match public key in certificate database.")
+
+ER3(SSL_ERROR_BAD_CERT_DOMAIN,				SSL_ERROR_BASE + 12,
+"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
+
+/* SSL_ERROR_POST_WARNING				(SSL_ERROR_BASE + 13),
+   defined in sslerr.h
+*/
+
+ER3(SSL_ERROR_SSL2_DISABLED,				(SSL_ERROR_BASE + 14),
+"Peer only supports SSL version 2, which is locally disabled.")
+
+
+ER3(SSL_ERROR_BAD_MAC_READ,				(SSL_ERROR_BASE + 15),
+"SSL received a record with an incorrect Message Authentication Code.")
+
+ER3(SSL_ERROR_BAD_MAC_ALERT,				(SSL_ERROR_BASE + 16),
+"SSL peer reports incorrect Message Authentication Code.")
+
+ER3(SSL_ERROR_BAD_CERT_ALERT,				(SSL_ERROR_BASE + 17),
+"SSL peer cannot verify your certificate.")
+
+ER3(SSL_ERROR_REVOKED_CERT_ALERT,			(SSL_ERROR_BASE + 18),
+"SSL peer rejected your certificate as revoked.")
+
+ER3(SSL_ERROR_EXPIRED_CERT_ALERT,			(SSL_ERROR_BASE + 19),
+"SSL peer rejected your certificate as expired.")
+
+ER3(SSL_ERROR_SSL_DISABLED,				(SSL_ERROR_BASE + 20),
+"Cannot connect: SSL is disabled.")
+
+ER3(SSL_ERROR_FORTEZZA_PQG,				(SSL_ERROR_BASE + 21),
+"Cannot connect: SSL peer is in another FORTEZZA domain.")
+
+
+ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE          , (SSL_ERROR_BASE + 22),
+"An unknown SSL cipher suite has been requested.")
+
+ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED          , (SSL_ERROR_BASE + 23),
+"No cipher suites are present and enabled in this program.")
+
+ER3(SSL_ERROR_BAD_BLOCK_PADDING             , (SSL_ERROR_BASE + 24),
+"SSL received a record with bad block padding.")
+
+ER3(SSL_ERROR_RX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 25),
+"SSL received a record that exceeded the maximum permissible length.")
+
+ER3(SSL_ERROR_TX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 26),
+"SSL attempted to send a record that exceeded the maximum permissible length.")
+
+/*
+ * Received a malformed (too long or short or invalid content) SSL handshake.
+ */
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST    , (SSL_ERROR_BASE + 27),
+"SSL received a malformed Hello Request handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO     , (SSL_ERROR_BASE + 28),
+"SSL received a malformed Client Hello handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO     , (SSL_ERROR_BASE + 29),
+"SSL received a malformed Server Hello handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE      , (SSL_ERROR_BASE + 30),
+"SSL received a malformed Certificate handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH  , (SSL_ERROR_BASE + 31),
+"SSL received a malformed Server Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST     , (SSL_ERROR_BASE + 32),
+"SSL received a malformed Certificate Request handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE       , (SSL_ERROR_BASE + 33),
+"SSL received a malformed Server Hello Done handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY      , (SSL_ERROR_BASE + 34),
+"SSL received a malformed Certificate Verify handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH  , (SSL_ERROR_BASE + 35),
+"SSL received a malformed Client Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_FINISHED         , (SSL_ERROR_BASE + 36),
+"SSL received a malformed Finished handshake message.")
+
+/*
+ * Received a malformed (too long or short) SSL record.
+ */
+ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER    , (SSL_ERROR_BASE + 37),
+"SSL received a malformed Change Cipher Spec record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_ALERT            , (SSL_ERROR_BASE + 38),
+"SSL received a malformed Alert record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE        , (SSL_ERROR_BASE + 39),
+"SSL received a malformed Handshake record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
+"SSL received a malformed Application Data record.")
+
+/*
+ * Received an SSL handshake that was inappropriate for the state we're in.
+ * E.g. Server received message from server, or wrong state in state machine.
+ */
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST   , (SSL_ERROR_BASE + 41),
+"SSL received an unexpected Hello Request handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO    , (SSL_ERROR_BASE + 42),
+"SSL received an unexpected Client Hello handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO    , (SSL_ERROR_BASE + 43),
+"SSL received an unexpected Server Hello handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE     , (SSL_ERROR_BASE + 44),
+"SSL received an unexpected Certificate handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
+"SSL received an unexpected Server Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST    , (SSL_ERROR_BASE + 46),
+"SSL received an unexpected Certificate Request handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE      , (SSL_ERROR_BASE + 47),
+"SSL received an unexpected Server Hello Done handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY     , (SSL_ERROR_BASE + 48),
+"SSL received an unexpected Certificate Verify handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
+"SSL received an unexpected Client Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED        , (SSL_ERROR_BASE + 50),
+"SSL received an unexpected Finished handshake message.")
+
+/*
+ * Received an SSL record that was inappropriate for the state we're in.
+ */
+ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER   , (SSL_ERROR_BASE + 51),
+"SSL received an unexpected Change Cipher Spec record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_ALERT           , (SSL_ERROR_BASE + 52),
+"SSL received an unexpected Alert record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE       , (SSL_ERROR_BASE + 53),
+"SSL received an unexpected Handshake record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
+"SSL received an unexpected Application Data record.")
+
+/*
+ * Received record/message with unknown discriminant.
+ */
+ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE        , (SSL_ERROR_BASE + 55),
+"SSL received a record with an unknown content type.")
+
+ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE          , (SSL_ERROR_BASE + 56),
+"SSL received a handshake message with an unknown message type.")
+
+ER3(SSL_ERROR_RX_UNKNOWN_ALERT              , (SSL_ERROR_BASE + 57),
+"SSL received an alert record with an unknown alert description.")
+
+/*
+ * Received an alert reporting what we did wrong.  (more alerts above)
+ */
+ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT            , (SSL_ERROR_BASE + 58),
+"SSL peer has closed this connection.")
+
+ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT    , (SSL_ERROR_BASE + 59),
+"SSL peer was not expecting a handshake message it received.")
+
+ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT   , (SSL_ERROR_BASE + 60),
+"SSL peer was unable to successfully decompress an SSL record it received.")
+
+ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT       , (SSL_ERROR_BASE + 61),
+"SSL peer was unable to negotiate an acceptable set of security parameters.")
+
+ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT       , (SSL_ERROR_BASE + 62),
+"SSL peer rejected a handshake message for unacceptable content.")
+
+ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT        , (SSL_ERROR_BASE + 63),
+"SSL peer does not support certificates of the type it received.")
+
+ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT     , (SSL_ERROR_BASE + 64),
+"SSL peer had some unspecified issue with the certificate it received.")
+
+
+ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE       , (SSL_ERROR_BASE + 65),
+"SSL experienced a failure of its random number generator.")
+
+ER3(SSL_ERROR_SIGN_HASHES_FAILURE           , (SSL_ERROR_BASE + 66),
+"Unable to digitally sign data required to verify your certificate.")
+
+ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE    , (SSL_ERROR_BASE + 67),
+"SSL was unable to extract the public key from the peer's certificate.")
+
+ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 68),
+"Unspecified failure while processing SSL Server Key Exchange handshake.")
+
+ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 69),
+"Unspecified failure while processing SSL Client Key Exchange handshake.")
+
+ER3(SSL_ERROR_ENCRYPTION_FAILURE            , (SSL_ERROR_BASE + 70),
+"Bulk data encryption algorithm failed in selected cipher suite.")
+
+ER3(SSL_ERROR_DECRYPTION_FAILURE            , (SSL_ERROR_BASE + 71),
+"Bulk data decryption algorithm failed in selected cipher suite.")
+
+ER3(SSL_ERROR_SOCKET_WRITE_FAILURE          , (SSL_ERROR_BASE + 72),
+"Attempt to write encrypted data to underlying socket failed.")
+
+ER3(SSL_ERROR_MD5_DIGEST_FAILURE            , (SSL_ERROR_BASE + 73),
+"MD5 digest function failed.")
+
+ER3(SSL_ERROR_SHA_DIGEST_FAILURE            , (SSL_ERROR_BASE + 74),
+"SHA-1 digest function failed.")
+
+ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE       , (SSL_ERROR_BASE + 75),
+"MAC computation failed.")
+
+ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE       , (SSL_ERROR_BASE + 76),
+"Failure to create Symmetric Key context.")
+
+ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE        , (SSL_ERROR_BASE + 77),
+"Failure to unwrap the Symmetric key in Client Key Exchange message.")
+
+ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED   , (SSL_ERROR_BASE + 78),
+"SSL Server attempted to use domestic-grade public key with export cipher suite.")
+
+ER3(SSL_ERROR_IV_PARAM_FAILURE              , (SSL_ERROR_BASE + 79),
+"PKCS11 code failed to translate an IV into a param.")
+
+ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE     , (SSL_ERROR_BASE + 80),
+"Failed to initialize the selected cipher suite.")
+
+ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE       , (SSL_ERROR_BASE + 81),
+"Client failed to generate session keys for SSL session.")
+
+ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG         , (SSL_ERROR_BASE + 82),
+"Server has no key for the attempted key exchange algorithm.")
+
+ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL       , (SSL_ERROR_BASE + 83),
+"PKCS#11 token was inserted or removed while operation was in progress.")
+
+ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND          , (SSL_ERROR_BASE + 84),
+"No PKCS#11 token could be found to do a required operation.")
+
+ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP        , (SSL_ERROR_BASE + 85),
+"Cannot communicate securely with peer: no common compression algorithm(s).")
+
+ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED       , (SSL_ERROR_BASE + 86),
+"Cannot initiate another SSL handshake until current handshake is complete.")
+
+ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      , (SSL_ERROR_BASE + 87),
+"Received incorrect handshakes hash values from peer.")
+
+ER3(SSL_ERROR_CERT_KEA_MISMATCH             , (SSL_ERROR_BASE + 88),
+"The certificate provided cannot be used with the selected key exchange algorithm.")
+
+ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	, (SSL_ERROR_BASE + 89),
+"No certificate authority is trusted for SSL client authentication.")
+
+ER3(SSL_ERROR_SESSION_NOT_FOUND		, (SSL_ERROR_BASE + 90),
+"Client's SSL session ID not found in server's session cache.")
+
+ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT     , (SSL_ERROR_BASE + 91),
+"Peer was unable to decrypt an SSL record it received.")
+
+ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT       , (SSL_ERROR_BASE + 92),
+"Peer received an SSL record that was longer than is permitted.")
+
+ER3(SSL_ERROR_UNKNOWN_CA_ALERT            , (SSL_ERROR_BASE + 93),
+"Peer does not recognize and trust the CA that issued your certificate.")
+
+ER3(SSL_ERROR_ACCESS_DENIED_ALERT         , (SSL_ERROR_BASE + 94),
+"Peer received a valid certificate, but access was denied.")
+
+ER3(SSL_ERROR_DECODE_ERROR_ALERT          , (SSL_ERROR_BASE + 95),
+"Peer could not decode an SSL handshake message.")
+
+ER3(SSL_ERROR_DECRYPT_ERROR_ALERT         , (SSL_ERROR_BASE + 96),
+"Peer reports failure of signature verification or key exchange.")
+
+ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT    , (SSL_ERROR_BASE + 97),
+"Peer reports negotiation not in compliance with export regulations.")
+
+ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT      , (SSL_ERROR_BASE + 98),
+"Peer reports incompatible or unsupported protocol version.")
+
+ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
+"Server requires ciphers more secure than those supported by client.")
+
+ER3(SSL_ERROR_INTERNAL_ERROR_ALERT        , (SSL_ERROR_BASE + 100),
+"Peer reports it experienced an internal error.")
+
+ER3(SSL_ERROR_USER_CANCELED_ALERT         , (SSL_ERROR_BASE + 101),
+"Peer user canceled handshake.")
+
+ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT      , (SSL_ERROR_BASE + 102),
+"Peer does not permit renegotiation of SSL security parameters.")
+
+ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
+"SSL server cache not configured and not disabled for this socket.")
+
+ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT    , (SSL_ERROR_BASE + 104),
+"SSL peer does not support requested TLS hello extension.")
+
+ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
+"SSL peer could not obtain your certificate from the supplied URL.")
+
+ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT        , (SSL_ERROR_BASE + 106),
+"SSL peer has no certificate for the requested DNS name.")
+
+ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
+"SSL peer was unable to get an OCSP response for its certificate.")
+
+ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT      , (SSL_ERROR_BASE + 108),
+"SSL peer reported bad certificate hash value.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
+"SSL received an unexpected New Session Ticket handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
+"SSL received a malformed New Session Ticket handshake message.")
diff --git a/security/nss/cmd/lib/berparse.c b/security/nss/cmd/lib/berparse.c
new file mode 100644
index 000000000..930d0b7c1
--- /dev/null
+++ b/security/nss/cmd/lib/berparse.c
@@ -0,0 +1,407 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secutil.h"
+
+typedef enum {
+    tagDone, lengthDone, leafDone, compositeDone,
+    notDone,
+    parseError, parseComplete
+} ParseState;
+
+typedef unsigned char Byte;
+typedef void (*ParseProc)(BERParse *h, unsigned char **buf, int *len);
+typedef struct {
+    SECArb arb;
+    int pos;			/* length from global start to item start */
+    SECArb *parent;
+} ParseStackElem;
+
+struct BERParseStr {
+    PRArenaPool *his;
+    PRArenaPool *mine;
+    ParseProc proc;
+    int stackDepth;
+    ParseStackElem *stackPtr;
+    ParseStackElem *stack;
+    int pending;		/* bytes remaining to complete this part */
+    int pos;			/* running length of consumed characters */
+    ParseState state;
+    PRBool keepLeaves;
+    PRBool derOnly;
+    BERFilterProc filter;
+    void *filterArg;
+    BERNotifyProc before;
+    void *beforeArg;
+    BERNotifyProc after;
+    void *afterArg;
+};
+
+#define UNKNOWN -1
+
+static unsigned char NextChar(BERParse *h, unsigned char **buf, int *len)
+{
+    unsigned char c = *(*buf)++;
+    (*len)--;
+    h->pos++;
+    if (h->filter)
+	(*h->filter)(h->filterArg, &c, 1);
+    return c;
+}
+
+static void ParseTag(BERParse *h, unsigned char **buf, int *len)
+{
+    SECArb* arb = &(h->stackPtr->arb);
+    arb->tag = NextChar(h, buf, len);
+
+    PORT_Assert(h->state == notDone);
+
+  /*
+   * NOTE: This does not handle the high-tag-number form
+   */
+    if ((arb->tag & DER_HIGH_TAG_NUMBER) == DER_HIGH_TAG_NUMBER) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+	h->state = parseError;
+	return;
+    }
+
+    h->pending = UNKNOWN;
+    arb->length = UNKNOWN;
+    if (arb->tag & DER_CONSTRUCTED) {
+	arb->body.cons.numSubs = 0;
+	arb->body.cons.subs = NULL;
+    } else {
+	arb->body.item.len = UNKNOWN;
+	arb->body.item.data = NULL;
+    }
+
+    h->state = tagDone;
+}
+
+static void ParseLength(BERParse *h, unsigned char **buf, int *len)
+{
+    Byte b;
+    SECArb *arb = &(h->stackPtr->arb);
+
+    PORT_Assert(h->state == notDone);
+
+    if (h->pending == UNKNOWN) {
+	b = NextChar(h, buf, len);
+	if ((b & 0x80) == 0) {	/* short form */
+	    arb->length = b;
+	    /*
+	     * if the tag and the length are both zero bytes, then this
+	     * should be the marker showing end of list for the
+	     * indefinite length composite
+	     */
+	    if (arb->length == 0 && arb->tag == 0)
+		h->state = compositeDone;
+	    else
+		h->state = lengthDone;
+	    return;
+	}
+
+	h->pending = b & 0x7f;
+	/* 0 implies this is an indefinite length */
+	if (h->pending > 4) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    h->state = parseError;
+	    return;
+	}
+	arb->length = 0;
+    }
+
+    while ((*len > 0) && (h->pending > 0)) {
+	b = NextChar(h, buf, len);
+	arb->length = (arb->length << 8) + b;
+	h->pending--;
+    }
+    if (h->pending == 0) {
+	if (h->derOnly && (arb->length == 0))
+	    h->state = parseError;
+	else
+	    h->state = lengthDone;
+    }
+    return;
+}
+
+static void ParseLeaf(BERParse *h, unsigned char **buf, int *len)
+{
+    int count;
+    SECArb *arb = &(h->stackPtr->arb);
+
+    PORT_Assert(h->state == notDone);
+    PORT_Assert(h->pending >= 0);
+
+    if (*len < h->pending)
+	count = *len;
+    else
+	count = h->pending;
+
+    if (h->keepLeaves)
+	memcpy(arb->body.item.data + arb->body.item.len, *buf, count);
+    if (h->filter)
+	(*h->filter)(h->filterArg, *buf, count);
+    *buf += count;
+    *len -= count;
+    arb->body.item.len += count;
+    h->pending -= count;
+    h->pos += count;
+    if (h->pending == 0) {
+	h->state = leafDone;
+    }
+    return;
+}
+
+static void CreateArbNode(BERParse *h)
+{
+    SECArb *arb = PORT_ArenaAlloc(h->his, sizeof(SECArb));
+
+    *arb = h->stackPtr->arb;
+
+    /* 
+     * Special case closing the root
+     */	
+    if (h->stackPtr == h->stack) {
+	PORT_Assert(arb->tag & DER_CONSTRUCTED);
+	h->state = parseComplete;
+    } else {
+	SECArb *parent = h->stackPtr->parent;
+	parent->body.cons.subs = DS_ArenaGrow(
+	    h->his, parent->body.cons.subs,
+	    (parent->body.cons.numSubs) * sizeof(SECArb*),
+	    (parent->body.cons.numSubs + 1) * sizeof(SECArb*));
+	parent->body.cons.subs[parent->body.cons.numSubs] = arb;
+	parent->body.cons.numSubs++;
+	h->proc = ParseTag;
+	h->state = notDone;
+	h->pending = UNKNOWN;
+    }
+    if (h->after)
+	(*h->after)(h->afterArg, arb, h->stackPtr - h->stack, PR_FALSE);
+}
+
+SECStatus BER_ParseSome(BERParse *h, unsigned char *buf, int len)
+{
+    if (h->state == parseError) return PR_TRUE;
+
+    while (len) {
+        (*h->proc)(h, &buf, &len);
+	if (h->state == parseComplete) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    h->state = parseError;
+	    return PR_TRUE;
+	}
+	if (h->state == parseError) return PR_TRUE;
+	PORT_Assert(h->state != parseComplete);
+
+        if (h->state <= compositeDone) {
+	    if (h->proc == ParseTag) {
+		PORT_Assert(h->state == tagDone);
+		h->proc = ParseLength;
+		h->state = notDone;
+	    } else if (h->proc == ParseLength) {
+		SECArb *arb = &(h->stackPtr->arb);
+		PORT_Assert(h->state == lengthDone || h->state == compositeDone);
+
+		if (h->before)
+		    (*h->before)(h->beforeArg, arb,
+				 h->stackPtr - h->stack, PR_TRUE);
+
+		/*
+		 * Check to see if this is the end of an indefinite
+		 * length composite
+		 */
+		if (h->state == compositeDone) {
+		    SECArb *parent = h->stackPtr->parent;
+		    PORT_Assert(parent);
+		    PORT_Assert(parent->tag & DER_CONSTRUCTED);
+		    if (parent->length != 0) {
+			PORT_SetError(SEC_ERROR_BAD_DER);
+			h->state = parseError;
+			return PR_TRUE;
+		    }
+		    /*
+		     * NOTE: This does not check for an indefinite length
+		     * composite being contained inside a definite length
+		     * composite. It is not clear that is legal.
+		     */
+		    h->stackPtr--;
+		    CreateArbNode(h);
+		} else {
+		    h->stackPtr->pos = h->pos;
+
+
+		    if (arb->tag & DER_CONSTRUCTED) {
+			SECArb *parent;
+			/*
+			 * Make sure there is room on the stack before we
+			 * stick anything else there.
+			 */
+			PORT_Assert(h->stackPtr - h->stack < h->stackDepth);
+			if (h->stackPtr - h->stack == h->stackDepth - 1) {
+			    int newDepth = h->stackDepth * 2;
+			    h->stack = DS_ArenaGrow(h->mine, h->stack,
+				sizeof(ParseStackElem) * h->stackDepth,
+				sizeof(ParseStackElem) * newDepth);
+			    h->stackPtr = h->stack + h->stackDepth + 1;
+			    h->stackDepth = newDepth;
+			}
+			parent = &(h->stackPtr->arb);
+			h->stackPtr++;
+			h->stackPtr->parent = parent;
+			h->proc = ParseTag;
+			h->state = notDone;
+			h->pending = UNKNOWN;
+		    } else {
+			if (arb->length < 0) {
+			    PORT_SetError(SEC_ERROR_BAD_DER);
+			    h->state = parseError;
+			    return PR_TRUE;
+			}
+			arb->body.item.len = 0;
+			if (arb->length > 0 && h->keepLeaves) {
+			    arb->body.item.data =
+				PORT_ArenaAlloc(h->his, arb->length);
+			} else {
+			    arb->body.item.data = NULL;
+			}
+			h->proc = ParseLeaf;
+			h->state = notDone;
+			h->pending = arb->length;
+		    }
+		}
+	    } else {
+		ParseStackElem *parent;
+		PORT_Assert(h->state = leafDone);
+		PORT_Assert(h->proc == ParseLeaf);
+
+		for (;;) {
+		    CreateArbNode(h);
+		    if (h->stackPtr == h->stack)
+			break;
+		    parent = (h->stackPtr - 1);
+		    PORT_Assert(parent->arb.tag & DER_CONSTRUCTED);
+		    if (parent->arb.length == 0) /* need explicit end */
+			break;
+		    if (parent->pos + parent->arb.length > h->pos)
+			break;
+		    if (parent->pos + parent->arb.length < h->pos) {
+			PORT_SetError(SEC_ERROR_BAD_DER);
+			h->state = parseError;
+			return PR_TRUE;
+		    }
+		    h->stackPtr = parent;
+		}
+	    }
+
+	}
+    }
+    return PR_FALSE;
+}
+BERParse *BER_ParseInit(PRArenaPool *arena, PRBool derOnly)
+{
+    BERParse *h;
+    PRArenaPool *temp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (temp == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    h = PORT_ArenaAlloc(temp, sizeof(BERParse));
+    if (h == NULL) {
+	PORT_FreeArena(temp, PR_FALSE);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    h->his = arena;
+    h->mine = temp;
+    h->proc = ParseTag;
+    h->stackDepth = 20;
+    h->stack = PORT_ArenaZAlloc(h->mine,
+			      sizeof(ParseStackElem) * h->stackDepth);
+    h->stackPtr = h->stack;
+    h->state = notDone;
+    h->pos = 0;
+    h->keepLeaves = PR_TRUE;
+    h->before = NULL;
+    h->after = NULL;
+    h->filter = NULL;
+    h->derOnly = derOnly;
+    return h;
+}
+
+SECArb *BER_ParseFini(BERParse *h)
+{
+    PRArenaPool *myArena = h->mine;
+    SECArb *arb;
+
+    if (h->state != parseComplete) {
+	arb = NULL;
+    } else {
+	arb = PORT_ArenaAlloc(h->his, sizeof(SECArb));
+	*arb = h->stackPtr->arb;
+    }
+
+    PORT_FreeArena(myArena, PR_FALSE);
+
+    return arb;
+}
+
+
+void BER_SetFilter(BERParse *h, BERFilterProc proc, void *instance)
+{
+    h->filter = proc;
+    h->filterArg = instance;
+}
+
+void BER_SetLeafStorage(BERParse *h, PRBool keep)
+{
+    h->keepLeaves = keep;
+}
+
+void BER_SetNotifyProc(BERParse *h, BERNotifyProc proc, void *instance,
+			      PRBool beforeData)
+{
+    if (beforeData) {
+	h->before = proc;
+	h->beforeArg = instance;
+    } else {
+	h->after = proc;
+	h->afterArg = instance;
+    }
+}
+
+
+
diff --git a/security/nss/cmd/lib/config.mk b/security/nss/cmd/lib/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/cmd/lib/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/cmd/lib/derprint.c b/security/nss/cmd/lib/derprint.c
new file mode 100644
index 000000000..50c6d02e6
--- /dev/null
+++ b/security/nss/cmd/lib/derprint.c
@@ -0,0 +1,622 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secutil.h"
+#include "secoid.h"
+
+#ifdef __sun
+extern int fprintf(FILE *strm, const char *format, .../* args */);
+extern int fflush(FILE *stream);
+#endif
+
+#define RIGHT_MARGIN	24
+/*#define RAW_BYTES 1 */
+
+static int prettyColumn = 0;
+
+static int
+getInteger256(unsigned char *data, unsigned int nb)
+{
+    int val;
+
+    switch (nb) {
+      case 1:
+	val = data[0];
+	break;
+      case 2:
+	val = (data[0] << 8) | data[1];
+	break;
+      case 3:
+	val = (data[0] << 16) | (data[1] << 8) | data[2];
+	break;
+      case 4:
+	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
+
+    return val;
+}
+
+static int
+prettyNewline(FILE *out)
+{
+    int rv;
+
+    if (prettyColumn != -1) {
+	rv = fprintf(out, "\n");
+	prettyColumn = -1;
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
+    }
+    return 0;
+}
+
+static int
+prettyIndent(FILE *out, unsigned level)
+{
+    unsigned int i;
+    int rv;
+
+    if (prettyColumn == -1) {
+	prettyColumn = level;
+	for (i = 0; i < level; i++) {
+	    rv = fprintf(out, "   ");
+	    if (rv < 0) {
+		PORT_SetError(SEC_ERROR_IO);
+		return rv;
+	    }
+	}
+    }
+
+    return 0;
+}
+
+static int
+prettyPrintByte(FILE *out, unsigned char item, unsigned int level)
+{
+    int rv;
+
+    rv = prettyIndent(out, level);
+    if (rv < 0)
+	return rv;
+
+    rv = fprintf(out, "%02x ", item);
+    if (rv < 0) {
+	PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    prettyColumn++;
+    if (prettyColumn >= RIGHT_MARGIN) {
+	return prettyNewline(out);
+    }
+
+    return 0;
+}
+
+static int
+prettyPrintLeaf(FILE *out, unsigned char *data,
+		unsigned int len, unsigned int lv)
+{
+    unsigned int i;
+    int rv;
+
+    for (i = 0; i < len; i++) {
+	rv = prettyPrintByte(out, *data++, lv);
+	if (rv < 0)
+	    return rv;
+    }
+    return prettyNewline(out);
+}
+
+static int
+prettyPrintStringStart(FILE *out, unsigned char *str,
+		       unsigned int len, unsigned int level)
+{
+#define BUF_SIZE 100
+    unsigned char buf[BUF_SIZE];
+    int rv;
+
+    if (len >= BUF_SIZE)
+	len = BUF_SIZE - 1;
+
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
+    rv = prettyIndent(out, level);
+    if (rv < 0)
+	return rv;
+
+    memcpy(buf, str, len);
+    buf[len] = '\000';
+
+    rv = fprintf(out, "\"%s\"", buf);
+    if (rv < 0) {
+	PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    return 0;
+#undef BUF_SIZE
+}
+
+static int
+prettyPrintString(FILE *out, unsigned char *str,
+		  unsigned int len, unsigned int level, PRBool raw)
+{
+    int rv;
+
+    rv = prettyPrintStringStart(out, str, len, level);
+    if (rv < 0)
+	return rv;
+
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
+    if (raw) {
+	rv = prettyPrintLeaf(out, str, len, level);
+	if (rv < 0)
+	    return rv;
+    }
+
+    return 0;
+}
+
+static int
+prettyPrintTime(FILE *out, unsigned char *str,
+		unsigned int len, unsigned int level, PRBool raw, PRBool utc)
+{
+    SECItem time_item;
+    int rv;
+
+    rv = prettyPrintStringStart(out, str, len, level);
+    if (rv < 0)
+	return rv;
+
+    time_item.data = str;
+    time_item.len = len;
+
+    rv = fprintf(out, " (");
+    if (rv < 0) {
+	PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    if (utc)
+	SECU_PrintUTCTime(out, &time_item, NULL, 0);
+    else
+	SECU_PrintGeneralizedTime(out, &time_item, NULL, 0);
+
+    rv = fprintf(out, ")");
+    if (rv < 0) {
+	PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
+    if (raw) {
+	rv = prettyPrintLeaf(out, str, len, level);
+	if (rv < 0)
+	    return rv;
+    }
+
+    return 0;
+}
+
+static int
+prettyPrintObjectID(FILE *out, unsigned char *data,
+		    unsigned int len, unsigned int level, PRBool raw)
+{
+    SECOidData *oiddata;
+    SECItem oiditem;
+    unsigned int i;
+    unsigned long val;
+    int rv;
+
+
+    /*
+     * First print the Object Id in numeric format
+     */
+
+    rv = prettyIndent(out, level);
+    if (rv < 0)
+	return rv;
+
+    val = data[0];
+    i   = val % 40;
+    val = val / 40;
+    rv = fprintf(out, "%lu %u ", val, i);
+    if (rv < 0) {
+	PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    val = 0;
+    for (i = 1; i < len; ++i) {
+        unsigned long j;
+
+	j = data[i];
+	val = (val << 7) | (j & 0x7f);
+	if (j & 0x80) 
+	    continue;
+	rv = fprintf(out, "%lu ", val);
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
+	val = 0;
+    }
+
+    /*
+     * Now try to look it up and print a symbolic version.
+     */
+    oiditem.data = data;
+    oiditem.len = len;
+    oiddata = SECOID_FindOID(&oiditem);
+    if (oiddata != NULL) {
+	i = PORT_Strlen(oiddata->desc);
+	if ((prettyColumn + 1 + (i / 3)) > RIGHT_MARGIN) {
+	    rv = prettyNewline(out);
+	    if (rv < 0)
+		return rv;
+	}
+
+	rv = prettyIndent(out, level);
+	if (rv < 0)
+	    return rv;
+
+	rv = fprintf(out, "(%s)", oiddata->desc);
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
+    }
+
+    /*
+     * Finally, on a new line, print the raw bytes (if requested).
+     */
+    if (raw) {
+	rv = prettyNewline(out);
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
+
+	for (i = 0; i < len; i++) {
+	    rv = prettyPrintByte(out, *data++, level);
+	    if (rv < 0)
+		return rv;
+	}
+    }
+
+    return prettyNewline(out);
+}
+
+static char *prettyTagType [32] = {
+  "End of Contents",
+  "Boolean",
+  "Integer",
+  "Bit String",
+  "Octet String",
+  "NULL",
+  "Object Identifier",
+  "0x07",
+  "0x08",
+  "0x09",
+  "Enumerated",
+  "0x0B",
+  "UTF8 String",
+  "0x0D",
+  "0x0E",
+  "0x0F",
+  "Sequence",
+  "Set",
+  "0x12",
+  "Printable String",
+  "T61 String",
+  "0x15",
+  "IA5 String",
+  "UTC Time",
+  "Generalized Time",
+  "0x19",
+  "Visible String",
+  "0x1B",
+  "Universal String",
+  "0x1D",
+  "BMP String",
+  "High-Tag-Number"
+};
+
+static int
+prettyPrintTag(FILE *out, unsigned char *src, unsigned char *end,
+	       unsigned char *codep, unsigned int level, PRBool raw)
+{
+    int rv;
+    unsigned char code, tagnum;
+
+    if (src >= end) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
+
+    code = *src;
+    tagnum = code & SEC_ASN1_TAGNUM_MASK;
+
+    /*
+     * NOTE: This code does not (yet) handle the high-tag-number form!
+     */
+    if (tagnum == SEC_ASN1_HIGH_TAG_NUMBER) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
+
+    if (raw)
+	rv = prettyPrintByte(out, code, level);
+    else
+	rv = prettyIndent(out, level);
+
+    if (rv < 0)
+	return rv;
+
+    if (code & SEC_ASN1_CONSTRUCTED) {
+        rv = fprintf(out, "C-");
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
+    }
+
+    switch (code & SEC_ASN1_CLASS_MASK) {
+    case SEC_ASN1_UNIVERSAL:
+        rv = fprintf(out, "%s ", prettyTagType[tagnum]);
+	break;
+    case SEC_ASN1_APPLICATION:
+        rv = fprintf(out, "Application: %d ", tagnum);
+	break;
+    case SEC_ASN1_CONTEXT_SPECIFIC:
+        rv = fprintf(out, "[%d] ", tagnum);
+	break;
+    case SEC_ASN1_PRIVATE:
+        rv = fprintf(out, "Private: %d ", tagnum);
+	break;
+    }
+
+    if (rv < 0) {
+        PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    *codep = code;
+
+    return 1;
+}
+
+static int
+prettyPrintLength(FILE *out, unsigned char *data, unsigned char *end,
+		  int *lenp, PRBool *indefinitep, unsigned int lv, PRBool raw)
+{
+    unsigned char lbyte;
+    int lenLen;
+    int rv;
+
+    if (data >= end) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
+
+    rv = fprintf(out, " ");
+    if (rv < 0) {
+        PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    *indefinitep = PR_FALSE;
+
+    lbyte = *data++;
+    if (lbyte >= 0x80) {
+	/* Multibyte length */
+	unsigned nb = (unsigned) (lbyte & 0x7f);
+	if (nb > 4) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return -1;
+	}
+	if (nb > 0) {
+	    int il;
+
+	    if ((data + nb) > end) {
+		PORT_SetError(SEC_ERROR_BAD_DER);
+		return -1;
+	    }
+	    il = getInteger256(data, nb);
+	    if (il < 0) return -1;
+	    *lenp = (unsigned) il;
+	} else {
+	    *lenp = 0;
+	    *indefinitep = PR_TRUE;
+	}
+	lenLen = nb + 1;
+	if (raw) {
+	    int i;
+
+	    rv = prettyPrintByte(out, lbyte, lv);
+	    if (rv < 0)
+		return rv;
+	    for (i = 0; i < nb; i++) {
+		rv = prettyPrintByte(out, data[i], lv);
+		if (rv < 0)
+		    return rv;
+	    }
+	}
+    } else {
+	*lenp = lbyte;
+	lenLen = 1;
+	if (raw) {
+	    rv = prettyPrintByte(out, lbyte, lv);
+	    if (rv < 0)
+		return rv;
+	}
+    }
+    if (*indefinitep)
+	rv = fprintf(out, "(indefinite)\n");
+    else
+	rv = fprintf(out, "(%d)\n", *lenp);
+    if (rv < 0) {
+        PORT_SetError(SEC_ERROR_IO);
+	return rv;
+    }
+
+    prettyColumn = -1;
+    return lenLen;
+}
+
+static int
+prettyPrintItem(FILE *out, unsigned char *data, unsigned char *end,
+		unsigned int lv, PRBool raw)
+{
+    int slen;
+    int lenLen;
+    unsigned char *orig = data;
+    int rv;
+
+    while (data < end) {
+        unsigned char code;
+	PRBool indefinite;
+
+	slen = prettyPrintTag(out, data, end, &code, lv, raw);
+	if (slen < 0)
+	    return slen;
+	data += slen;
+
+	lenLen = prettyPrintLength(out, data, end, &slen, &indefinite, lv, raw);
+	if (lenLen < 0)
+	    return lenLen;
+	data += lenLen;
+
+	/*
+	 * Just quit now if slen more bytes puts us off the end.
+	 */
+	if ((data + slen) > end) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return -1;
+	}
+
+        if (code & SEC_ASN1_CONSTRUCTED) {
+	    if (slen > 0 || indefinite) {
+		slen = prettyPrintItem(out, data,
+				       slen == 0 ? end : data + slen,
+				       lv+1, raw);
+		if (slen < 0)
+		    return slen;
+		data += slen;
+	    }
+	} else if (code == 0) {
+	    if (slen != 0 || lenLen != 1) {
+		PORT_SetError(SEC_ERROR_BAD_DER);
+		return -1;
+	    }
+	    break;
+	} else {
+	    switch (code) {
+	      case SEC_ASN1_PRINTABLE_STRING:
+	      case SEC_ASN1_IA5_STRING:
+	      case SEC_ASN1_VISIBLE_STRING:
+	        rv = prettyPrintString(out, data, slen, lv+1, raw);
+		if (rv < 0)
+		    return rv;
+		break;
+	      case SEC_ASN1_UTC_TIME:
+	        rv = prettyPrintTime(out, data, slen, lv+1, raw, PR_TRUE);
+		if (rv < 0)
+		    return rv;
+		break;
+	      case SEC_ASN1_GENERALIZED_TIME:
+	        rv = prettyPrintTime(out, data, slen, lv+1, raw, PR_FALSE);
+		if (rv < 0)
+		    return rv;
+		break;
+	      case SEC_ASN1_OBJECT_ID:
+	        rv = prettyPrintObjectID(out, data, slen, lv+1, raw);
+		if (rv < 0)
+		    return rv;
+		break;
+	      case SEC_ASN1_BOOLEAN:	/* could do nicer job */
+	      case SEC_ASN1_INTEGER:	/* could do nicer job */
+	      case SEC_ASN1_BIT_STRING:	/* could do nicer job */
+	      case SEC_ASN1_OCTET_STRING:
+	      case SEC_ASN1_NULL:
+	      case SEC_ASN1_ENUMERATED:	/* could do nicer job, as INTEGER */
+	      case SEC_ASN1_UTF8_STRING:
+	      case SEC_ASN1_T61_STRING:	/* print as printable string? */
+	      case SEC_ASN1_UNIVERSAL_STRING:
+	      case SEC_ASN1_BMP_STRING:
+	      default:
+	        rv = prettyPrintLeaf(out, data, slen, lv+1);
+		if (rv < 0)
+		    return rv;
+		break;
+	    }
+	    data += slen;
+	}
+    }
+
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
+    return data - orig;
+}
+
+SECStatus
+DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw)
+{
+    int rv;
+
+    prettyColumn = -1;
+
+    rv = prettyPrintItem(out, it->data, it->data + it->len, 0, raw);
+    if (rv < 0)
+	return SECFailure;
+    return SECSuccess;
+}
diff --git a/security/nss/cmd/lib/ffs.c b/security/nss/cmd/lib/ffs.c
new file mode 100644
index 000000000..c7105eb20
--- /dev/null
+++ b/security/nss/cmd/lib/ffs.c
@@ -0,0 +1,51 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#if !defined(XP_UNIX) && !defined(XP_OS2)

+
+int ffs( unsigned int i)
+{
+    int rv	= 1;
+
+    if (!i) return 0;
+
+    while (!(i & 1)) {
+    	i >>= 1;
+	++rv;
+    }
+
+    return rv;
+}
+#endif
diff --git a/security/nss/cmd/lib/manifest.mn b/security/nss/cmd/lib/manifest.mn
new file mode 100644
index 000000000..ee4a29c10
--- /dev/null
+++ b/security/nss/cmd/lib/manifest.mn
@@ -0,0 +1,63 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH	= ../../..
+
+LIBRARY_NAME	= sectool
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE		= nss
+
+DEFINES		= -DNSPR20
+
+PRIVATE_EXPORTS	= secutil.h \
+		  NSPRerrs.h \
+		  SECerrs.h \
+		  SSLerrs.h \
+		  $(NULL)
+
+CSRCS		= secutil.c \
+		secpwd.c    \
+		derprint.c \
+		moreoids.c \
+		pppolicy.c \
+		secerror.c \
+		ffs.c \
+		$(NULL)
+
+REQUIRES	= dbm
+
+NO_MD_RELEASE	= 1
diff --git a/security/nss/cmd/lib/moreoids.c b/security/nss/cmd/lib/moreoids.c
new file mode 100644
index 000000000..27488c59e
--- /dev/null
+++ b/security/nss/cmd/lib/moreoids.c
@@ -0,0 +1,180 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2004
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secoid.h"
+#include "secmodt.h" /* for CKM_INVALID_MECHANISM */
+
+#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
+#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
+#define ODN(oid,desc) \
+  { OI(oid), 0, desc, CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION }
+
+#define OIDT static const unsigned char
+
+/* OIW Security Special Interest Group defined algorithms. */
+#define OIWSSIG   0x2B, 13, 3, 2
+
+OIDT  oiwMD5RSA[] 	= { OIWSSIG,  3 };
+OIDT  oiwDESCBC[] 	= { OIWSSIG,  7 };
+OIDT  oiwRSAsig[] 	= { OIWSSIG, 11 };
+OIDT  oiwDSA   [] 	= { OIWSSIG, 12 };
+OIDT  oiwMD5RSAsig[] 	= { OIWSSIG, 25 };
+OIDT  oiwSHA1  [] 	= { OIWSSIG, 26 };
+OIDT  oiwDSASHA1[] 	= { OIWSSIG, 27 };
+OIDT  oiwDSASHA1param[] = { OIWSSIG, 28 };
+OIDT  oiwSHA1RSA[] 	= { OIWSSIG, 29 };
+
+
+/* Microsoft OIDs.  (1 3 6 1 4 1 311 ... )   */
+#define MICROSOFT 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37
+
+OIDT  mCTL[] 	= { MICROSOFT, 10, 3, 1 }; /* Cert Trust List signing */
+OIDT  mTSS[] 	= { MICROSOFT, 10, 3, 2 }; /* Time Stamp Signing */
+OIDT  mSGC[] 	= { MICROSOFT, 10, 3, 3 }; /* Server gated cryptography */
+OIDT  mEFS[]	= { MICROSOFT, 10, 3, 4 }; /* Encrypted File System */
+OIDT  mSMIME[]	= { MICROSOFT, 16, 4    }; /* SMIME encryption key prefs */
+
+OIDT  mECRTT[]	= { MICROSOFT, 20, 2    }; /* Enrollment cert type xtn */
+OIDT  mEAGNT[]	= { MICROSOFT, 20, 2, 1 }; /* Enrollment Agent         */
+OIDT  mKPSCL[]	= { MICROSOFT, 20, 2, 2 }; /* KP SmartCard Logon       */
+OIDT  mNTPN []	= { MICROSOFT, 20, 2, 3 }; /* NT Principal Name        */
+OIDT  mCASRV[]	= { MICROSOFT, 21, 1    }; /* CertServ CA version      */
+
+/* AOL OIDs     (1 3 6 1 4 1 1066 ... )   */
+#define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
+
+/* PKIX IDs     (1 3 6 1 5 5 7 ...)  */
+#define ID_PKIX 0x2B, 6, 1, 5, 5, 7
+/* PKIX Access Descriptors (methods for Authority Info Access Extns) */
+#define ID_AD   ID_PKIX, 48
+
+OIDT  padOCSP[]      = { ID_AD, 1 };  /* OCSP method */
+OIDT  padCAissuer[]  = { ID_AD, 2 };  /* URI (for CRL ?) */
+OIDT  padTimeStamp[] = { ID_AD, 3 };  /* time stamping */
+
+/* ISO Cert Extension type OIDs (id-ce)  (2 5 29 ...) */
+#define X500                    0x55
+#define X520_ATTRIBUTE_TYPE     X500, 0x04
+#define X500_ALG                X500, 0x08
+#define X500_ALG_ENCRYPTION     X500_ALG, 0x01
+#define ID_CE			X500, 29
+
+OIDT cePlcyObs[] = { ID_CE,  3 };  /* Cert policies, obsolete. */
+OIDT cePlcyCns[] = { ID_CE, 36 };  /* Cert policy constraints. */
+
+/* US Company arc (2 16 840 1 ...) */
+#define USCOM        0x60, 0x86, 0x48, 0x01
+#define USGOV        USCOM, 0x65
+#define USDOD        USGOV, 2
+#define ID_INFOSEC   USDOD, 1
+
+/* Verisign PKI OIDs (2 16 840 1 113733 1 ...) */
+#define VERISIGN_PKI USCOM, 0x86, 0xf8, 0x45, 1
+#define VERISIGN_XTN VERISIGN_PKI, 6
+#define VERISIGN_POL VERISIGN_PKI, 7	/* Cert policies */
+#define VERISIGN_TNET VERISIGN_POL, 23	/* Verisign Trust Network */
+
+OIDT  vcx7[]	= { VERISIGN_XTN, 7 };	/* Cert Extension 7 (?) */
+OIDT  vcp1[]	= { VERISIGN_TNET, 1 };	/* class 1 cert policy */
+OIDT  vcp2[]	= { VERISIGN_TNET, 2 };	/* class 2 cert policy */
+OIDT  vcp3[]	= { VERISIGN_TNET, 3 };	/* class 3 cert policy */
+OIDT  vcp4[]	= { VERISIGN_TNET, 4 };	/* class 4 cert policy */
+
+
+/* ------------------------------------------------------------------- */
+static const SECOidData oids[] = {
+/* OIW Security Special Interest Group OIDs */
+    ODN( oiwMD5RSA,	  "OIWSecSIG MD5 with RSA"),
+    ODN( oiwDESCBC,	  "OIWSecSIG DES CBC"),
+    ODN( oiwRSAsig,	  "OIWSecSIG RSA signature"),
+    ODN( oiwDSA   ,	  "OIWSecSIG DSA"),
+    ODN( oiwMD5RSAsig,	  "OIWSecSIG MD5 with RSA signature"),
+    ODN( oiwSHA1  ,	  "OIWSecSIG SHA1"),
+    ODN( oiwDSASHA1,	  "OIWSecSIG DSA with SHA1"),
+    ODN( oiwDSASHA1param, "OIWSecSIG DSA with SHA1 with params"),
+    ODN( oiwSHA1RSA,	  "OIWSecSIG MD5 with RSA"),
+
+/* Microsoft OIDs */
+    ODN( mCTL,   "Microsoft Cert Trust List signing"), 
+    ODN( mTSS,   "Microsoft Time Stamp signing"),
+    ODN( mSGC,   "Microsoft SGC SSL server"),
+    ODN( mEFS,   "Microsoft Encrypted File System"),
+    ODN( mSMIME, "Microsoft SMIME preferences"),
+    ODN( mECRTT, "Microsoft Enrollment Cert Type Extension"),
+    ODN( mEAGNT, "Microsoft Enrollment Agent"),
+    ODN( mKPSCL, "Microsoft KP SmartCard Logon"),
+    ODN( mNTPN,  "Microsoft NT Principal Name"),
+    ODN( mCASRV, "Microsoft CertServ CA version"),
+
+/* PKIX OIDs */
+    ODN( padOCSP,	"PKIX OCSP method"),
+    ODN( padCAissuer,	"PKIX CA Issuer method"),
+    ODN( padTimeStamp,	"PKIX Time Stamping method"),
+
+/* ID_CE OIDs. */
+    ODN( cePlcyObs,	"Certificate Policies (Obsolete)"),
+    ODN( cePlcyCns,	"Certificate Policy Constraints"),
+
+/* Verisign OIDs. */
+    ODN( vcx7,		"Verisign Cert Extension 7 (?)"),
+    ODN( vcp1,		"Verisign Class 1 Certificate Policy"),
+    ODN( vcp2,		"Verisign Class 2 Certificate Policy"),
+    ODN( vcp3,		"Verisign Class 3 Certificate Policy"),
+    ODN( vcp4,		"Verisign Class 4 Certificate Policy"),
+
+};
+
+static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
+
+SECStatus
+SECU_RegisterDynamicOids(void)
+{
+    unsigned int i;
+    SECStatus rv = SECSuccess;
+
+    for (i = 0; i < numOids; ++i) {
+	SECOidTag tag = SECOID_AddEntry(&oids[i]);
+	if (tag == SEC_OID_UNKNOWN) {
+	    rv = SECFailure;
+#ifdef DEBUG_DYN_OIDS
+	    fprintf(stderr, "Add OID[%d] failed\n", i);
+	} else {
+	    fprintf(stderr, "Add OID[%d] returned tag %d\n", i, tag);
+#endif
+	}
+    }
+    return rv;
+}
diff --git a/security/nss/cmd/lib/pppolicy.c b/security/nss/cmd/lib/pppolicy.c
new file mode 100644
index 000000000..c0094083c
--- /dev/null
+++ b/security/nss/cmd/lib/pppolicy.c
@@ -0,0 +1,299 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2004
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support for various policy related extensions
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secport.h"
+#include "secder.h"
+#include "cert.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "nspr.h"
+#include "secutil.h"
+
+/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c .
+** The chief difference is the addition of the OPTIONAL flag to many 
+** parts.  The idea is to be able to parse and print as much of the 
+** policy extension as possible, even if some parts are invalid.
+**
+** If this approach still is unable to decode policy extensions that
+** contain invalid parts, then the next approach will be to parse 
+** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them 
+** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally
+** parse each of the PolicyQualifiers.
+*/
+
+static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyQualifier) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyQualifier, qualifierID) },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+	  offsetof(CERTPolicyQualifier, qualifierValue) },
+    { 0 }
+};
+
+static const SEC_ASN1Template secu_PolicyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyInfo, policyID) },
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
+	  offsetof(CERTPolicyInfo, policyQualifiers),
+	  secu_PolicyQualifierTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCertificatePolicies, policyInfos),
+	  secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
+};
+
+
+static CERTCertificatePolicies *
+secu_DecodeCertificatePoliciesExtension(SECItem *extnValue)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTCertificatePolicies *policies;
+    CERTPolicyInfo **policyInfos, *policyInfo;
+    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
+    SECItem newExtnValue;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the certifiate policies structure */
+    policies = PORT_ArenaZNew(arena, CERTCertificatePolicies);
+    if ( policies == NULL ) {
+	goto loser;
+    }
+    
+    policies->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* decode the policy info */
+    rv = SEC_QuickDERDecodeItem(arena, policies, 
+                                secu_CertificatePoliciesTemplate,
+			        &newExtnValue);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the oid tags */
+    policyInfos = policies->policyInfos;
+    while (policyInfos != NULL && *policyInfos != NULL ) {
+	policyInfo = *policyInfos;
+	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
+	policyQualifiers = policyInfo->policyQualifiers;
+	while ( policyQualifiers && *policyQualifiers != NULL ) {
+	    policyQualifier = *policyQualifiers;
+	    policyQualifier->oid =
+		SECOID_FindOIDTag(&policyQualifier->qualifierID);
+	    policyQualifiers++;
+	}
+	policyInfos++;
+    }
+
+    return(policies);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+
+static char *
+itemToString(SECItem *item)
+{
+    char *string;
+
+    string = PORT_ZAlloc(item->len+1);
+    if (string == NULL) return NULL;
+    PORT_Memcpy(string,item->data,item->len);
+    string[item->len] = 0;
+    return string;
+}
+
+static SECStatus
+secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue,
+                              char *msg, int level)
+{
+    CERTUserNotice *userNotice = NULL;
+    if (qualifierValue)
+	userNotice = CERT_DecodeUserNotice(qualifierValue);
+    if (userNotice) {
+	if (userNotice->noticeReference.organization.len != 0) {
+            char *string = 
+	            itemToString(&userNotice->noticeReference.organization);
+            SECItem **itemList = userNotice->noticeReference.noticeNumbers;
+
+	    while (itemList && *itemList) {
+		SECU_PrintInteger(out,*itemList,string,level+1);
+	        itemList++;
+	    }
+	    PORT_Free(string);
+	}
+	if (userNotice->displayText.len != 0) {
+	    SECU_PrintString(out,&userNotice->displayText,
+			     "Display Text", level+1);
+	}
+	CERT_DestroyUserNotice(userNotice);
+	return SECSuccess;
+    }
+    return SECFailure;	/* caller will print this value */
+}
+
+static SECStatus
+secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier,
+			  char *msg,int level)
+{
+   SECStatus rv;
+   SECItem * qualifierValue = &policyQualifier->qualifierValue;
+
+   SECU_PrintObjectID(out, &policyQualifier->qualifierID , 
+					"Policy Qualifier Name", level);
+   if (!qualifierValue->data) {
+	SECU_Indent(out, level);
+	fprintf(out,"Error: missing qualifier\n");
+   } else 
+   switch (policyQualifier->oid) {
+   case SEC_OID_PKIX_USER_NOTICE_QUALIFIER:
+       rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level);
+       if (SECSuccess == rv)
+	   break;
+       /* fall through on error */
+   case SEC_OID_PKIX_CPS_POINTER_QUALIFIER:
+   default:
+	SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level);
+	break;
+   }
+   return SECSuccess;
+}
+
+static SECStatus
+secu_PrintPolicyInfo(FILE *out,CERTPolicyInfo *policyInfo,char *msg,int level)
+{
+   CERTPolicyQualifier **policyQualifiers;
+
+   policyQualifiers = policyInfo->policyQualifiers;
+   SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level);
+   
+   while (policyQualifiers && *policyQualifiers != NULL) {
+	secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1);
+	policyQualifiers++;
+   }
+   return SECSuccess;
+}
+
+void
+SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level)
+{
+   CERTCertificatePolicies *policies = NULL;
+   CERTPolicyInfo **policyInfos;
+
+   if (msg) {
+	SECU_Indent(out, level);
+	fprintf(out,"%s: \n",msg);
+	level++;
+   }
+   policies = secu_DecodeCertificatePoliciesExtension(value);
+   if (policies == NULL) {
+	SECU_PrintAny(out, value, "Invalid Policy Data", level);
+	return;
+   }
+
+   policyInfos = policies->policyInfos;
+   while (policyInfos && *policyInfos != NULL) {
+	secu_PrintPolicyInfo(out,*policyInfos,"",level);
+	policyInfos++;
+   }
+
+   CERT_DestroyCertificatePoliciesExtension(policies);
+}
+
+
+void
+SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, 
+			              char *msg, int level)
+{
+    CERTPrivKeyUsagePeriod * prd;
+    PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if ( !arena ) {
+	goto loser;
+    }
+    prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value);
+    if (!prd) {
+	goto loser;
+    }
+    if (prd->notBefore.data) {
+	SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level);
+    }
+    if (prd->notAfter.data) {
+	SECU_PrintGeneralizedTime(out, &prd->notAfter,  "Not After ", level);
+    }
+    if (!prd->notBefore.data && !prd->notAfter.data) {
+	SECU_Indent(out, level);
+	fprintf(out, "Error: notBefore or notAfter MUST be present.\n");
+loser:
+	SECU_PrintAny(out, value, msg, level);
+    }
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+}
diff --git a/security/nss/cmd/lib/secerror.c b/security/nss/cmd/lib/secerror.c
new file mode 100644
index 000000000..651cf5520
--- /dev/null
+++ b/security/nss/cmd/lib/secerror.c
@@ -0,0 +1,110 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "nspr.h"
+
+struct tuple_str {
+    PRErrorCode	 errNum;
+    const char * errString;
+};
+
+typedef struct tuple_str tuple_str;
+
+#define ER2(a,b)   {a, b},
+#define ER3(a,b,c) {a, c},
+
+#include "secerr.h"
+#include "sslerr.h"
+
+const tuple_str errStrings[] = {
+
+/* keep this list in asceding order of error numbers */
+#include "SSLerrs.h"
+#include "SECerrs.h"
+#include "NSPRerrs.h"
+
+};
+
+const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL of errNum is unknown.
+ */
+const char *
+SECU_Strerror(PRErrorCode errNum) {
+    PRInt32 low  = 0;
+    PRInt32 high = numStrings - 1;
+    PRInt32 i;
+    PRErrorCode num;
+    static int initDone;
+
+    /* make sure table is in ascending order.
+     * binary search depends on it.
+     */
+    if (!initDone) {
+	PRErrorCode lastNum = ((PRInt32)0x80000000);
+    	for (i = low; i <= high; ++i) {
+	    num = errStrings[i].errNum;
+	    if (num <= lastNum) {
+	    	fprintf(stderr, 
+"sequence error in error strings at item %d\n"
+"error %d (%s)\n"
+"should come after \n"
+"error %d (%s)\n",
+		        i, lastNum, errStrings[i-1].errString, 
+			num, errStrings[i].errString);
+	    }
+	    lastNum = num;
+	}
+	initDone = 1;
+    }
+
+    /* Do binary search of table. */
+    while (low + 1 < high) {
+    	i = (low + high) / 2;
+	num = errStrings[i].errNum;
+	if (errNum == num) 
+	    return errStrings[i].errString;
+        if (errNum < num)
+	    high = i;
+	else 
+	    low = i;
+    }
+    if (errNum == errStrings[low].errNum)
+    	return errStrings[low].errString;
+    if (errNum == errStrings[high].errNum)
+    	return errStrings[high].errString;
+    return NULL;
+}
diff --git a/security/nss/cmd/lib/secpwd.c b/security/nss/cmd/lib/secpwd.c
new file mode 100644
index 000000000..ea4bc31d7
--- /dev/null
+++ b/security/nss/cmd/lib/secpwd.c
@@ -0,0 +1,199 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secutil.h"
+
+/*
+ * NOTE:  The contents of this file are NOT used by the client.
+ * (They are part of the security library as a whole, but they are
+ * NOT USED BY THE CLIENT.)  Do not change things on behalf of the
+ * client (like localizing strings), or add things that are only
+ * for the client (put them elsewhere).  
+ */
+
+
+#ifdef XP_UNIX
+#include <termios.h>
+#endif
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include <unistd.h>  /* for isatty() */
+#endif
+
+#if( defined(_WINDOWS) && !defined(_WIN32_WCE))
+#include <conio.h>
+#include <io.h>
+#define QUIET_FGETS quiet_fgets
+static char * quiet_fgets (char *buf, int length, FILE *input);
+#else
+#define QUIET_FGETS fgets
+#endif
+
+static void echoOff(int fd)
+{
+#if defined(XP_UNIX) && !defined(VMS)
+    if (isatty(fd)) {
+	struct termios tio;
+	tcgetattr(fd, &tio);
+	tio.c_lflag &= ~ECHO;
+	tcsetattr(fd, TCSAFLUSH, &tio);
+    }
+#endif
+}
+
+static void echoOn(int fd)
+{
+#if defined(XP_UNIX) && !defined(VMS)
+    if (isatty(fd)) {
+	struct termios tio;
+	tcgetattr(fd, &tio);
+	tio.c_lflag |= ECHO;
+	tcsetattr(fd, TCSAFLUSH, &tio);
+    }
+#endif
+}
+
+char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
+			       PRBool (*ok)(char *))
+{
+#if defined(_WINDOWS)
+    int isTTY = (input == stdin);
+#define echoOn(x)
+#define echoOff(x)
+#else
+    int infd  = fileno(input);
+    int isTTY = isatty(infd);
+#endif
+    char phrase[200] = {'\0'};      /* ensure EOF doesn't return junk */
+
+    for (;;) {
+	/* Prompt for password */
+	if (isTTY) {
+	    fprintf(output, "%s", prompt);
+            fflush (output);
+	    echoOff(infd);
+	}
+
+	QUIET_FGETS ( phrase, sizeof(phrase), input);
+
+	if (isTTY) {
+	    fprintf(output, "\n");
+	    echoOn(infd);
+	}
+
+	/* stomp on newline */
+	phrase[PORT_Strlen(phrase)-1] = 0;
+
+	/* Validate password */
+	if (!(*ok)(phrase)) {
+	    /* Not weird enough */
+	    if (!isTTY) return 0;
+	    fprintf(output, "Password must be at least 8 characters long with one or more\n");
+	    fprintf(output, "non-alphabetic characters\n");
+	    continue;
+	}
+	return (char*) PORT_Strdup(phrase);
+    }
+}
+
+
+
+PRBool SEC_CheckPassword(char *cp)
+{
+    int len;
+    char *end;
+
+    len = PORT_Strlen(cp);
+    if (len < 8) {
+	return PR_FALSE;
+    }
+    end = cp + len;
+    while (cp < end) {
+	unsigned char ch = *cp++;
+	if (!((ch >= 'A') && (ch <= 'Z')) &&
+	    !((ch >= 'a') && (ch <= 'z'))) {
+	    /* pass phrase has at least one non alphabetic in it */
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
+PRBool SEC_BlindCheckPassword(char *cp)
+{
+    if (cp != NULL) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/* Get a password from the input terminal, without echoing */
+
+#if defined(_WINDOWS)
+static char * quiet_fgets (char *buf, int length, FILE *input)
+  {
+  int c;
+  char *end = buf;
+
+  /* fflush (input); */
+  memset (buf, 0, length);
+
+  if (!isatty(fileno(input))) {
+     return fgets(buf,length,input);
+  }
+
+  while (1)
+    {
+#if defined (_WIN32_WCE)
+    c = getchar();	/* gets a character from stdin */
+#else
+    c = getch();	/* getch gets a character from the console */
+#endif
+    if (c == '\b')
+      {
+      if (end > buf)
+        end--;
+      }
+
+    else if (--length > 0)
+      *end++ = c;
+
+    if (!c || c == '\n' || c == '\r')
+      break;
+    }
+
+  return buf;
+  }
+#endif
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
new file mode 100644
index 000000000..9b36e2564
--- /dev/null
+++ b/security/nss/cmd/lib/secutil.c
@@ -0,0 +1,4116 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+** secutil.c - various functions used by security stuff
+**
+*/
+
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "prerror.h"
+#include "prprf.h"
+#include "plgetopt.h"
+#include "prenv.h"
+#include "prnetdb.h"
+
+#include "cryptohi.h"
+#include "secutil.h"
+#include "secpkcs7.h"
+#include "secpkcs5.h"
+#include <stdarg.h>
+#if !defined(_WIN32_WCE)
+#include <sys/stat.h>
+#include <errno.h>
+#endif
+
+#ifdef XP_UNIX
+#include <unistd.h>
+#endif
+
+/* for SEC_TraverseNames */
+#include "cert.h"
+#include "certt.h"
+#include "certdb.h"
+
+/* #include "secmod.h" */
+#include "pk11func.h"
+#include "secoid.h"
+
+static char consoleName[] =  {
+#ifdef XP_UNIX
+#ifdef VMS
+    "TT"
+#else
+    "/dev/tty"
+#endif
+#else
+#ifdef XP_OS2
+    "\\DEV\\CON"
+#else
+    "CON:"
+#endif
+#endif
+};
+
+
+char *
+SECU_GetString(int16 error_number)
+{
+
+    static char errString[80];
+    sprintf(errString, "Unknown error string (%d)", error_number);
+    return errString;
+}
+
+void 
+SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
+{
+    va_list args;
+    PRErrorCode err = PORT_GetError();
+    const char * errString = SECU_Strerror(err);
+
+    va_start(args, msg);
+
+    SECU_Indent(out, level);
+    fprintf(out, "%s: ", progName);
+    vfprintf(out, msg, args);
+    if (errString != NULL && PORT_Strlen(errString) > 0)
+	fprintf(out, ": %s\n", errString);
+    else
+	fprintf(out, ": error %d\n", (int)err);
+
+    va_end(args);
+}
+
+void 
+SECU_PrintError(char *progName, char *msg, ...)
+{
+    va_list args;
+    PRErrorCode err = PORT_GetError();
+    const char * errString = SECU_Strerror(err);
+
+    va_start(args, msg);
+
+    fprintf(stderr, "%s: ", progName);
+    vfprintf(stderr, msg, args);
+    if (errString != NULL && PORT_Strlen(errString) > 0)
+	fprintf(stderr, ": %s\n", errString);
+    else
+	fprintf(stderr, ": error %d\n", (int)err);
+
+    va_end(args);
+}
+
+void
+SECU_PrintSystemError(char *progName, char *msg, ...)
+{
+    va_list args;
+
+    va_start(args, msg);
+    fprintf(stderr, "%s: ", progName);
+    vfprintf(stderr, msg, args);
+#if defined(_WIN32_WCE)
+    fprintf(stderr, ": %d\n", PR_GetOSError());
+#else
+    fprintf(stderr, ": %s\n", strerror(errno));
+#endif
+    va_end(args);
+}
+
+static void
+secu_ClearPassword(char *p)
+{
+    if (p) {
+	PORT_Memset(p, 0, PORT_Strlen(p));
+	PORT_Free(p);
+    }
+}
+
+char *
+SECU_GetPasswordString(void *arg, char *prompt)
+{
+#ifndef _WINDOWS
+    char *p = NULL;
+    FILE *input, *output;
+
+    /* open terminal */
+    input = fopen(consoleName, "r");
+    if (input == NULL) {
+	fprintf(stderr, "Error opening input terminal for read\n");
+	return NULL;
+    }
+
+    output = fopen(consoleName, "w");
+    if (output == NULL) {
+	fprintf(stderr, "Error opening output terminal for write\n");
+	return NULL;
+    }
+
+    p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword);
+        
+
+    fclose(input);
+    fclose(output);
+
+    return p;
+
+#else
+    /* Win32 version of above. opening the console may fail
+       on windows95, and certainly isn't necessary.. */
+
+    char *p = NULL;
+
+    p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword);
+    return p;
+
+#endif
+}
+
+
+/*
+ *  p a s s w o r d _ h a r d c o d e 
+ *
+ *  A function to use the password passed in the -f(pwfile) argument
+ *  of the command line.  
+ *  After use once, null it out otherwise PKCS11 calls us forever.?
+ *
+ */
+char *
+SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+    char* phrases, *phrase;
+    PRFileDesc *fd;
+    PRInt32 nb;
+    char *pwFile = arg;
+    int i;
+    const long maxPwdFileSize = 4096;
+    char* tokenName = NULL;
+    int tokenLen = 0;
+
+    if (!pwFile)
+	return 0;
+
+    if (retry) {
+	return 0;  /* no good retrying - the files contents will be the same */
+    }
+
+    phrases = PORT_ZAlloc(maxPwdFileSize);
+
+    if (!phrases) {
+        return 0; /* out of memory */
+    }
+ 
+    fd = PR_Open(pwFile, PR_RDONLY, 0);
+    if (!fd) {
+	fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
+        PORT_Free(phrases);
+	return NULL;
+    }
+
+    nb = PR_Read(fd, phrases, maxPwdFileSize);
+  
+    PR_Close(fd);
+
+    if (nb == 0) {
+        fprintf(stderr,"password file contains no data\n");
+        PORT_Free(phrases);
+        return NULL;
+    }
+
+    if (slot) {
+        tokenName = PK11_GetTokenName(slot);
+        if (tokenName) {
+            tokenLen = PORT_Strlen(tokenName);
+        }
+    }
+    i = 0;
+    do
+    {
+        int startphrase = i;
+        int phraseLen;
+
+        /* handle the Windows EOL case */
+        while (phrases[i] != '\r' && phrases[i] != '\n' && i < nb) i++;
+        /* terminate passphrase */
+        phrases[i++] = '\0';
+        /* clean up any EOL before the start of the next passphrase */
+        while ( (i<nb) && (phrases[i] == '\r' || phrases[i] == '\n')) {
+            phrases[i++] = '\0';
+        }
+        /* now analyze the current passphrase */
+        phrase = &phrases[startphrase];
+        if (!tokenName)
+            break;
+        if (PORT_Strncmp(phrase, tokenName, tokenLen)) continue;
+        phraseLen = PORT_Strlen(phrase);
+        if (phraseLen < (tokenLen+1)) continue;
+        if (phrase[tokenLen] != ':') continue;
+        phrase = &phrase[tokenLen+1];
+        break;
+
+    } while (i<nb);
+
+    phrase = PORT_Strdup((char*)phrase);
+    PORT_Free(phrases);
+    return phrase;
+}
+
+char *
+SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) 
+{
+    char prompt[255];
+    secuPWData *pwdata = (secuPWData *)arg;
+    secuPWData pwnull = { PW_NONE, 0 };
+    secuPWData pwxtrn = { PW_EXTERNAL, "external" };
+    char *pw;
+
+    if (pwdata == NULL)
+	pwdata = &pwnull;
+
+    if (PK11_ProtectedAuthenticationPath(slot)) {
+	pwdata = &pwxtrn;
+    }
+    if (retry && pwdata->source != PW_NONE) {
+	PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n");
+    	return NULL;
+    }
+
+    switch (pwdata->source) {
+    case PW_NONE:
+	sprintf(prompt, "Enter Password or Pin for \"%s\":",
+	                 PK11_GetTokenName(slot));
+	return SECU_GetPasswordString(NULL, prompt);
+    case PW_FROMFILE:
+	/* Instead of opening and closing the file every time, get the pw
+	 * once, then keep it in memory (duh).
+	 */
+	pw = SECU_FilePasswd(slot, retry, pwdata->data);
+	pwdata->source = PW_PLAINTEXT;
+	pwdata->data = PL_strdup(pw);
+	/* it's already been dup'ed */
+	return pw;
+    case PW_EXTERNAL:
+	sprintf(prompt, 
+	        "Press Enter, then enter PIN for \"%s\" on external device.\n",
+		PK11_GetTokenName(slot));
+	(void) SECU_GetPasswordString(NULL, prompt);
+    	/* Fall Through */
+    case PW_PLAINTEXT:
+	return PL_strdup(pwdata->data);
+    default:
+	break;
+    }
+
+    PR_fprintf(PR_STDERR, "Password check failed:  No password found.\n");
+    return NULL;
+}
+
+char *
+secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+    char *p0 = NULL;
+    char *p1 = NULL;
+    FILE *input, *output;
+    secuPWData *pwdata = arg;
+
+    if (pwdata->source == PW_FROMFILE) {
+	return SECU_FilePasswd(slot, retry, pwdata->data);
+    } 
+    if (pwdata->source == PW_PLAINTEXT) {
+	return PL_strdup(pwdata->data);
+    }
+    
+    /* PW_NONE - get it from tty */
+    /* open terminal */
+#ifdef _WINDOWS
+    input = stdin;
+#else
+    input = fopen(consoleName, "r");
+#endif
+    if (input == NULL) {
+	PR_fprintf(PR_STDERR, "Error opening input terminal for read\n");
+	return NULL;
+    }
+
+    /* we have no password, so initialize database with one */
+    PR_fprintf(PR_STDERR, 
+        "Enter a password which will be used to encrypt your keys.\n"
+     	"The password should be at least 8 characters long,\n"
+     	"and should contain at least one non-alphabetic character.\n\n");
+
+    output = fopen(consoleName, "w");
+    if (output == NULL) {
+	PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
+	return NULL;
+    }
+
+
+    for (;;) {
+	if (p0) 
+	    PORT_Free(p0);
+	p0 = SEC_GetPassword(input, output, "Enter new password: ",
+			     SEC_BlindCheckPassword);
+
+	if (p1)
+	    PORT_Free(p1);
+	p1 = SEC_GetPassword(input, output, "Re-enter password: ",
+			     SEC_BlindCheckPassword);
+	if (p0 && p1 && !PORT_Strcmp(p0, p1)) {
+	    break;
+	}
+	PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n");
+    }
+        
+    /* clear out the duplicate password string */
+    secu_ClearPassword(p1);
+    
+    fclose(input);
+    fclose(output);
+
+    return p0;
+}
+
+SECStatus
+SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile)
+{
+    return SECU_ChangePW2(slot, passwd, 0, pwFile, 0);
+}
+
+SECStatus
+SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
+			char *oldPwFile, char *newPwFile)
+{
+    SECStatus rv;
+    secuPWData pwdata, newpwdata;
+    char *oldpw = NULL, *newpw = NULL;
+
+    if (oldPass) {
+	pwdata.source = PW_PLAINTEXT;
+	pwdata.data = oldPass;
+    } else if (oldPwFile) {
+	pwdata.source = PW_FROMFILE;
+	pwdata.data = oldPwFile;
+    } else {
+	pwdata.source = PW_NONE;
+	pwdata.data = NULL;
+    }
+
+    if (newPass) {
+	newpwdata.source = PW_PLAINTEXT;
+	newpwdata.data = newPass;
+    } else if (newPwFile) {
+	newpwdata.source = PW_FROMFILE;
+	newpwdata.data = newPwFile;
+    } else {
+	newpwdata.source = PW_NONE;
+	newpwdata.data = NULL;
+    }
+
+    if (PK11_NeedUserInit(slot)) {
+	newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata);
+	rv = PK11_InitPin(slot, (char*)NULL, newpw);
+	goto done;
+    }
+
+    for (;;) {
+	oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata);
+
+	if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
+	    if (pwdata.source == PW_NONE) {
+		PR_fprintf(PR_STDERR, "Invalid password.  Try again.\n");
+	    } else {
+		PR_fprintf(PR_STDERR, "Invalid password.\n");
+		PORT_Memset(oldpw, 0, PL_strlen(oldpw));
+		PORT_Free(oldpw);
+		return SECFailure;
+	    }
+	} else
+	    break;
+
+	PORT_Free(oldpw);
+    }
+
+    newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
+
+    if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+	PR_fprintf(PR_STDERR, "Failed to change password.\n");
+	return SECFailure;
+    }
+
+    PORT_Memset(oldpw, 0, PL_strlen(oldpw));
+    PORT_Free(oldpw);
+
+    PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
+
+done:
+    PORT_Memset(newpw, 0, PL_strlen(newpw));
+    PORT_Free(newpw);
+    return SECSuccess;
+}
+
+struct matchobj {
+    SECItem index;
+    char *nname;
+    PRBool found;
+};
+
+char *
+SECU_DefaultSSLDir(void)
+{
+    char *dir;
+    static char sslDir[1000];
+
+    dir = PR_GetEnv("SSL_DIR");
+    if (!dir)
+	return NULL;
+
+    sprintf(sslDir, "%s", dir);
+
+    if (sslDir[strlen(sslDir)-1] == '/')
+	sslDir[strlen(sslDir)-1] = 0;
+
+    return sslDir;
+}
+
+char *
+SECU_AppendFilenameToDir(char *dir, char *filename)
+{
+    static char path[1000];
+
+    if (dir[strlen(dir)-1] == '/')
+	sprintf(path, "%s%s", dir, filename);
+    else
+	sprintf(path, "%s/%s", dir, filename);
+    return path;
+}
+
+char *
+SECU_ConfigDirectory(const char* base)
+{
+    static PRBool initted = PR_FALSE;
+    const char *dir = ".netscape";
+    char *home;
+    static char buf[1000];
+
+    if (initted) return buf;
+    
+
+    if (base == NULL || *base == 0) {
+	home = PR_GetEnv("HOME");
+	if (!home) home = "";
+
+	if (*home && home[strlen(home) - 1] == '/')
+	    sprintf (buf, "%.900s%s", home, dir);
+	else
+	    sprintf (buf, "%.900s/%s", home, dir);
+    } else {
+	sprintf(buf, "%.900s", base);
+	if (buf[strlen(buf) - 1] == '/')
+	    buf[strlen(buf) - 1] = 0;
+    }
+
+
+    initted = PR_TRUE;
+    return buf;
+}
+
+/*Turn off SSL for now */
+/* This gets called by SSL when server wants our cert & key */
+int
+SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
+		       struct CERTDistNamesStr *caNames,
+                      struct CERTCertificateStr **pRetCert,
+                      struct SECKEYPrivateKeyStr **pRetKey)
+{
+    SECKEYPrivateKey *key;
+    CERTCertificate *cert;
+    int errsave;
+
+    if (arg == NULL) {
+        fprintf(stderr, "no key/cert name specified for client auth\n");
+        return -1;
+    }
+    cert = PK11_FindCertFromNickname(arg, NULL);
+    errsave = PORT_GetError();
+    if (!cert) {
+        if (errsave == SEC_ERROR_BAD_PASSWORD)
+            fprintf(stderr, "Bad password\n");
+        else if (errsave > 0)
+            fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
+        else if (errsave == SEC_ERROR_BAD_DATABASE)
+            fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
+        else
+            fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
+        return -1;
+    }
+
+    key = PK11_FindKeyByAnyCert(arg,NULL);
+    if (!key) {
+        fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
+        return -1;
+    }
+
+
+    *pRetCert = cert;
+    *pRetKey = key;
+
+    return 0;
+}
+
+SECStatus
+secu_StdinToItem(SECItem *dst)
+{
+    unsigned char buf[1000];
+    PRInt32 numBytes;
+    PRBool notDone = PR_TRUE;
+
+    dst->len = 0;
+    dst->data = NULL;
+
+    while (notDone) {
+	numBytes = PR_Read(PR_STDIN, buf, sizeof(buf));
+
+	if (numBytes < 0) {
+	    return SECFailure;
+	}
+
+	if (numBytes == 0)
+	    break;
+
+	if (dst->data) {
+	    unsigned char * p = dst->data;
+	    dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes);
+	    if (!dst->data) {
+	    	PORT_Free(p);
+	    }
+	} else {
+	    dst->data = (unsigned char*)PORT_Alloc(numBytes);
+	}
+	if (!dst->data) {
+	    return SECFailure;
+	}
+	PORT_Memcpy(dst->data + dst->len, buf, numBytes);
+	dst->len += numBytes;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SECU_FileToItem(SECItem *dst, PRFileDesc *src)
+{
+    PRFileInfo info;
+    PRInt32 numBytes;
+    PRStatus prStatus;
+
+    if (src == PR_STDIN)
+	return secu_StdinToItem(dst);
+
+    prStatus = PR_GetOpenFileInfo(src, &info);
+
+    if (prStatus != PR_SUCCESS) {
+	PORT_SetError(SEC_ERROR_IO);
+	return SECFailure;
+    }
+
+    /* XXX workaround for 3.1, not all utils zero dst before sending */
+    dst->data = 0;
+    if (!SECITEM_AllocItem(NULL, dst, info.size))
+	goto loser;
+
+    numBytes = PR_Read(src, dst->data, info.size);
+    if (numBytes != info.size) {
+	PORT_SetError(SEC_ERROR_IO);
+	goto loser;
+    }
+
+    return SECSuccess;
+loser:
+    SECITEM_FreeItem(dst, PR_FALSE);
+    dst->data = NULL;
+    return SECFailure;
+}
+
+SECStatus
+SECU_TextFileToItem(SECItem *dst, PRFileDesc *src)
+{
+    PRFileInfo info;
+    PRInt32 numBytes;
+    PRStatus prStatus;
+    unsigned char *buf;
+
+    if (src == PR_STDIN)
+	return secu_StdinToItem(dst);
+
+    prStatus = PR_GetOpenFileInfo(src, &info);
+
+    if (prStatus != PR_SUCCESS) {
+	PORT_SetError(SEC_ERROR_IO);
+	return SECFailure;
+    }
+
+    buf = (unsigned char*)PORT_Alloc(info.size);
+    if (!buf)
+	return SECFailure;
+
+    numBytes = PR_Read(src, buf, info.size);
+    if (numBytes != info.size) {
+	PORT_SetError(SEC_ERROR_IO);
+	goto loser;
+    }
+
+    if (buf[numBytes-1] == '\n') numBytes--;
+#ifdef _WINDOWS
+    if (buf[numBytes-1] == '\r') numBytes--;
+#endif
+
+    /* XXX workaround for 3.1, not all utils zero dst before sending */
+    dst->data = 0;
+    if (!SECITEM_AllocItem(NULL, dst, numBytes))
+	goto loser;
+
+    memcpy(dst->data, buf, numBytes);
+
+    PORT_Free(buf);
+    return SECSuccess;
+loser:
+    PORT_Free(buf);
+    return SECFailure;
+}
+
+SECStatus
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
+{
+    SECStatus rv;
+    if (ascii) {
+	/* First convert ascii to binary */
+	SECItem filedata;
+	char *asc, *body;
+
+	/* Read in ascii data */
+	rv = SECU_FileToItem(&filedata, inFile);
+	asc = (char *)filedata.data;
+	if (!asc) {
+	    fprintf(stderr, "unable to read data from input file\n");
+	    return SECFailure;
+	}
+
+	/* check for headers and trailers and remove them */
+	if ((body = strstr(asc, "-----BEGIN")) != NULL) {
+	    char *trailer = NULL;
+	    asc = body;
+	    body = PORT_Strchr(body, '\n');
+	    if (!body)
+		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
+	    if (body)
+		trailer = strstr(++body, "-----END");
+	    if (trailer != NULL) {
+		*trailer = '\0';
+	    } else {
+		fprintf(stderr, "input has header but no trailer\n");
+		PORT_Free(filedata.data);
+		return SECFailure;
+	    }
+	} else {
+	    body = asc;
+	}
+     
+	/* Convert to binary */
+	rv = ATOB_ConvertAsciiToItem(der, body);
+	if (rv) {
+	    fprintf(stderr, "error converting ascii to binary (%s)\n",
+		    SECU_Strerror(PORT_GetError()));
+	    PORT_Free(filedata.data);
+	    return SECFailure;
+	}
+
+	PORT_Free(filedata.data);
+    } else {
+	/* Read in binary der */
+	rv = SECU_FileToItem(der, inFile);
+	if (rv) {
+	    fprintf(stderr, "error converting der (%s)\n", 
+		    SECU_Strerror(PORT_GetError()));
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+#define INDENT_MULT	4
+void
+SECU_Indent(FILE *out, int level)
+{
+    int i;
+
+    for (i = 0; i < level; i++) {
+	fprintf(out, "    ");
+    }
+}
+
+static void secu_Newline(FILE *out)
+{
+    fprintf(out, "\n");
+}
+
+void
+SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
+{
+    unsigned i;
+    int column;
+    PRBool isString     = PR_TRUE;
+    PRBool isWhiteSpace = PR_TRUE;
+    PRBool printedHex   = PR_FALSE;
+    unsigned int limit = 15;
+
+    if ( m ) {
+	SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+	level++;
+    }
+    
+    SECU_Indent(out, level); column = level*INDENT_MULT;
+    if (!data->len) {
+	fprintf(out, "(empty)\n");
+	return;
+    }
+    /* take a pass to see if it's all printable. */
+    for (i = 0; i < data->len; i++) {
+	unsigned char val = data->data[i];
+        if (!val || !isprint(val)) {
+	    isString = PR_FALSE;
+	    break;
+	}
+	if (isWhiteSpace && !isspace(val)) {
+	    isWhiteSpace = PR_FALSE;
+	}
+    }
+
+    /* Short values, such as bit strings (which are printed with this
+    ** function) often look like strings, but we want to see the bits.
+    ** so this test assures that short values will be printed in hex,
+    ** perhaps in addition to being printed as strings.
+    ** The threshold size (4 bytes) is arbitrary.
+    */
+    if (!isString || data->len <= 4) {
+      for (i = 0; i < data->len; i++) {
+	if (i != data->len - 1) {
+	    fprintf(out, "%02x:", data->data[i]);
+	    column += 3;
+	} else {
+	    fprintf(out, "%02x", data->data[i]);
+	    column += 2;
+	    break;
+	}
+	if (column > 76 || (i % 16 == limit)) {
+	    secu_Newline(out);
+	    SECU_Indent(out, level); 
+	    column = level*INDENT_MULT;
+	    limit = i % 16;
+	}
+      }
+      printedHex = PR_TRUE;
+    }
+    if (isString && !isWhiteSpace) {
+	if (printedHex != PR_FALSE) {
+	    secu_Newline(out);
+	    SECU_Indent(out, level); column = level*INDENT_MULT;
+	}
+	for (i = 0; i < data->len; i++) {
+	    unsigned char val = data->data[i];
+
+	    if (val) {
+		fprintf(out,"%c",val);
+		column++;
+	    } else {
+		column = 77;
+	    }
+	    if (column > 76) {
+		secu_Newline(out);
+        	SECU_Indent(out, level); column = level*INDENT_MULT;
+	    }
+	}
+    }
+	    
+    if (column != level*INDENT_MULT) {
+	secu_Newline(out);
+    }
+}
+
+static const char *hex = "0123456789abcdef";
+
+static const char printable[257] = {
+	"................"	/* 0x */
+	"................"	/* 1x */
+	" !\"#$%&'()*+,-./"	/* 2x */
+	"0123456789:;<=>?"	/* 3x */
+	"@ABCDEFGHIJKLMNO"	/* 4x */
+	"PQRSTUVWXYZ[\\]^_"	/* 5x */
+	"`abcdefghijklmno"	/* 6x */
+	"pqrstuvwxyz{|}~."	/* 7x */
+	"................"	/* 8x */
+	"................"	/* 9x */
+	"................"	/* ax */
+	"................"	/* bx */
+	"................"	/* cx */
+	"................"	/* dx */
+	"................"	/* ex */
+	"................"	/* fx */
+};
+
+void 
+SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len)
+{
+    const unsigned char *cp = (const unsigned char *)vp;
+    char buf[80];
+    char *bp;
+    char *ap;
+
+    fprintf(out, "%s [Len: %d]\n", msg, len);
+    memset(buf, ' ', sizeof buf);
+    bp = buf;
+    ap = buf + 50;
+    while (--len >= 0) {
+	unsigned char ch = *cp++;
+	*bp++ = hex[(ch >> 4) & 0xf];
+	*bp++ = hex[ch & 0xf];
+	*bp++ = ' ';
+	*ap++ = printable[ch];
+	if (ap - buf >= 66) {
+	    *ap = 0;
+	    fprintf(out, "   %s\n", buf);
+	    memset(buf, ' ', sizeof buf);
+	    bp = buf;
+	    ap = buf + 50;
+	}
+    }
+    if (bp > buf) {
+	*ap = 0;
+	fprintf(out, "   %s\n", buf);
+    }
+}
+
+SECStatus
+SECU_StripTagAndLength(SECItem *i)
+{
+    unsigned int start;
+
+    if (!i || !i->data || i->len < 2) { /* must be at least tag and length */
+        return SECFailure;
+    }
+    start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2);
+    if (i->len < start) {
+        return SECFailure;
+    }
+    i->data += start;
+    i->len  -= start;
+    return SECSuccess;
+}
+
+
+/* This expents i->data[0] to be the MSB of the integer.
+** if you want to print a DER-encoded integer (with the tag and length)
+** call SECU_PrintEncodedInteger();
+*/
+void
+SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
+{
+    int iv;
+
+    if (!i || !i->len || !i->data) {
+	SECU_Indent(out, level); 
+	if (m) {
+	    fprintf(out, "%s: (null)\n", m);
+	} else {
+	    fprintf(out, "(null)\n");
+	}
+    } else if (i->len > 4) {
+	SECU_PrintAsHex(out, i, m, level);
+    } else {
+   	if (i->type == siUnsignedInteger && *i->data & 0x80) {
+            /* Make sure i->data has zero in the highest bite 
+             * if i->data is an unsigned integer */
+            SECItem tmpI;
+            char data[] = {0, 0, 0, 0, 0};
+
+            PORT_Memcpy(data + 1, i->data, i->len);
+            tmpI.len = i->len + 1;
+            tmpI.data = (void*)data;
+
+            iv = DER_GetInteger(&tmpI);
+	} else {
+            iv = DER_GetInteger(i);
+	}
+	SECU_Indent(out, level); 
+	if (m) {
+	    fprintf(out, "%s: %d (0x%x)\n", m, iv, iv);
+	} else {
+	    fprintf(out, "%d (0x%x)\n", iv, iv);
+	}
+    }
+}
+
+static void
+secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
+{
+    int column;
+    unsigned int i;
+
+    if ( m ) {
+	SECU_Indent(out, level); fprintf(out, "%s: ", m);
+	column = (level * INDENT_MULT) + strlen(m) + 2;
+	level++;
+    } else {
+	SECU_Indent(out, level); 
+	column = level*INDENT_MULT;
+    }
+    fprintf(out, "\""); column++;
+
+    for (i = 0; i < si->len; i++) {
+	unsigned char val = si->data[i];
+	if (column > 76) {
+	    secu_Newline(out);
+	    SECU_Indent(out, level); column = level*INDENT_MULT;
+	}
+
+	fprintf(out,"%c", printable[val]); column++;
+    }
+
+    fprintf(out, "\""); column++;
+    if (column != level*INDENT_MULT || column > 76) {
+	secu_Newline(out);
+    }
+}
+
+void
+SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
+{
+    SECItem my = *si;
+
+    if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len)
+    	return;
+    secu_PrintRawString(out, &my, m, level);
+}
+
+/* print an unencoded boolean */
+static void
+secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level)
+{
+    int val = 0;
+    
+    if ( i->data && i->len ) {
+	val = i->data[0];
+    }
+
+    if (!m) {
+    	m = "Boolean";
+    }
+    SECU_Indent(out, level); 
+    fprintf(out, "%s: %s\n", m, (val ? "True" : "False"));
+}
+
+/*
+ * Format and print "time".  If the tag message "m" is not NULL,
+ * do indent formatting based on "level" and add a newline afterward;
+ * otherwise just print the formatted time string only.
+ */
+static void
+secu_PrintTime(FILE *out, int64 time, char *m, int level)
+{
+    PRExplodedTime printableTime; 
+    char *timeString;
+
+    /* Convert to local time */
+    PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
+
+    timeString = PORT_Alloc(256);
+    if (timeString == NULL)
+	return;
+
+    if (m != NULL) {
+	SECU_Indent(out, level);
+	fprintf(out, "%s: ", m);
+    }
+
+    if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
+        fprintf(out, timeString);
+    }
+
+    if (m != NULL)
+	fprintf(out, "\n");
+
+    PORT_Free(timeString);
+}
+
+/*
+ * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
+ * do indent formatting based on "level" and add a newline afterward;
+ * otherwise just print the formatted time string only.
+ */
+void
+SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
+{
+    int64 time;
+    SECStatus rv;
+
+    rv = DER_UTCTimeToTime(&time, t);
+    if (rv != SECSuccess)
+	return;
+
+    secu_PrintTime(out, time, m, level);
+}
+
+/*
+ * Format and print the Generalized Time "t".  If the tag message "m"
+ * is not NULL, * do indent formatting based on "level" and add a newline
+ * afterward; otherwise just print the formatted time string only.
+ */
+void
+SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
+{
+    int64 time;
+    SECStatus rv;
+
+
+    rv = DER_GeneralizedTimeToTime(&time, t);
+    if (rv != SECSuccess)
+	return;
+
+    secu_PrintTime(out, time, m, level);
+}
+
+/*
+ * Format and print the UTC or Generalized Time "t".  If the tag message
+ * "m" is not NULL, do indent formatting based on "level" and add a newline
+ * afterward; otherwise just print the formatted time string only.
+ */
+void
+SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
+{
+    switch (t->type) {
+        case siUTCTime:
+            SECU_PrintUTCTime(out, t, m, level);
+            break;
+
+        case siGeneralizedTime:
+            SECU_PrintGeneralizedTime(out, t, m, level);
+            break;
+
+        default:
+            PORT_Assert(0);
+            break;
+    }
+}
+
+
+/* This prints a SET or SEQUENCE */
+void
+SECU_PrintSet(FILE *out, SECItem *t, char *m, int level)
+{
+    int            type        = t->data[0] & SEC_ASN1_TAGNUM_MASK;
+    int            constructed = t->data[0] & SEC_ASN1_CONSTRUCTED;
+    const char *   label;
+    SECItem        my          = *t;
+
+    if (!constructed) {
+	SECU_PrintAsHex(out, t, m, level);
+        return;
+    }
+    if (SECSuccess != SECU_StripTagAndLength(&my))
+    	return;
+
+    SECU_Indent(out, level);
+    if (m) {
+    	fprintf(out, "%s: ", m);
+    }
+
+    if (type == SEC_ASN1_SET)
+    	label = "Set ";
+    else if (type == SEC_ASN1_SEQUENCE)
+    	label = "Sequence ";
+    else
+    	label = "";
+    fprintf(out,"%s{\n", label); /* } */
+
+    while (my.len >= 2) {
+	SECItem  tmp = my;
+
+        if (tmp.data[1] & 0x80) {
+	    unsigned int i;
+	    unsigned int lenlen = tmp.data[1] & 0x7f;
+	    if (lenlen > sizeof tmp.len)
+	        break;
+	    tmp.len = 0;
+	    for (i=0; i < lenlen; i++) {
+		tmp.len = (tmp.len << 8) | tmp.data[2+i];
+	    }
+	    tmp.len += lenlen + 2;
+	} else {
+	    tmp.len = tmp.data[1] + 2;
+	}
+	if (tmp.len > my.len) {
+	    tmp.len = my.len;
+	}
+	my.data += tmp.len;
+	my.len  -= tmp.len;
+	SECU_PrintAny(out, &tmp, NULL, level + 1);
+    }
+    SECU_Indent(out, level); fprintf(out, /* { */ "}\n");
+}
+
+static void
+secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level)
+{
+    int type        = i->data[0] & SEC_ASN1_TAGNUM_MASK;
+    int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED;
+    SECItem tmp;
+
+    if (constructed) {
+	char * m2;
+	if (!m) 
+	    m2 = PR_smprintf("[%d]", type);
+	else
+	    m2 = PR_smprintf("%s: [%d]", m, type);
+	if (m2) {
+	    SECU_PrintSet(out, i, m2, level);
+	    PR_smprintf_free(m2);
+	}
+	return;
+    }
+
+    SECU_Indent(out, level);
+    if (m) {
+    	fprintf(out, "%s: ", m);
+    }
+    fprintf(out,"[%d]\n", type);
+
+    tmp = *i;
+    if (SECSuccess == SECU_StripTagAndLength(&tmp))
+	SECU_PrintAsHex(out, &tmp, m, level+1);
+}
+
+static void
+secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level)
+{
+    SECItem tmp = *i;
+    if (SECSuccess == SECU_StripTagAndLength(&tmp))
+	SECU_PrintAsHex(out, &tmp, m, level);
+}
+
+static void
+secu_PrintBitString(FILE *out, SECItem *i, char *m, int level)
+{
+    int unused_bits;
+    SECItem tmp = *i;
+
+    if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2)
+    	return;
+
+    unused_bits = *tmp.data++;
+    tmp.len--;
+
+    SECU_PrintAsHex(out, &tmp, m, level);
+    if (unused_bits) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
+    }
+}
+
+/* in a decoded bit string, the len member is a bit length. */
+static void
+secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level)
+{
+    int unused_bits;
+    SECItem tmp = *i;
+
+
+    unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0;
+    DER_ConvertBitString(&tmp); /* convert length to byte length */
+
+    SECU_PrintAsHex(out, &tmp, m, level);
+    if (unused_bits) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
+    }
+}
+
+
+/* Print a DER encoded Boolean */
+void
+SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level)
+{
+    SECItem my    = *i;
+    if (SECSuccess == SECU_StripTagAndLength(&my))
+	secu_PrintBoolean(out, &my, m, level);
+}
+
+/* Print a DER encoded integer */
+void
+SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level)
+{
+    SECItem my    = *i;
+    if (SECSuccess == SECU_StripTagAndLength(&my))
+	SECU_PrintInteger(out, &my, m, level);
+}
+
+/* Print a DER encoded OID */
+void
+SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level)
+{
+    SECItem my    = *i;
+    if (SECSuccess == SECU_StripTagAndLength(&my))
+	SECU_PrintObjectID(out, &my, m, level);
+}
+
+static void
+secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level)
+{
+    unsigned char * s;
+    unsigned char * d;
+    int      len;
+    SECItem  tmp = {0, 0, 0};
+    SECItem  my  = *i;
+
+    if (SECSuccess != SECU_StripTagAndLength(&my))
+	goto loser;
+    if (my.len % 2) 
+    	goto loser;
+    len = (int)(my.len / 2);
+    tmp.data = (unsigned char *)PORT_Alloc(len);
+    if (!tmp.data)
+    	goto loser;
+    tmp.len = len;
+    for (s = my.data, d = tmp.data ; len > 0; len--) {
+    	PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2;
+	if (!isprint(bmpChar))
+	    goto loser;
+	*d++ = (unsigned char)bmpChar;
+    }
+    secu_PrintRawString(out, &tmp, m, level);
+    PORT_Free(tmp.data);
+    return;
+
+loser:
+    SECU_PrintAsHex(out, i, m, level);
+    if (tmp.data)
+	PORT_Free(tmp.data);
+}
+
+static void
+secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level)
+{
+    unsigned char * s;
+    unsigned char * d;
+    int      len;
+    SECItem  tmp = {0, 0, 0};
+    SECItem  my  = *i;
+
+    if (SECSuccess != SECU_StripTagAndLength(&my))
+	goto loser;
+    if (my.len % 4) 
+    	goto loser;
+    len = (int)(my.len / 4);
+    tmp.data = (unsigned char *)PORT_Alloc(len);
+    if (!tmp.data)
+    	goto loser;
+    tmp.len = len;
+    for (s = my.data, d = tmp.data ; len > 0; len--) {
+    	PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
+	s += 4;
+	if (!isprint(bmpChar))
+	    goto loser;
+	*d++ = (unsigned char)bmpChar;
+    }
+    secu_PrintRawString(out, &tmp, m, level);
+    PORT_Free(tmp.data);
+    return;
+
+loser:
+    SECU_PrintAsHex(out, i, m, level);
+    if (tmp.data)
+	PORT_Free(tmp.data);
+}
+
+static void
+secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level)
+{
+	switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) {
+	  case SEC_ASN1_ENUMERATED:
+	  case SEC_ASN1_INTEGER:
+	    SECU_PrintEncodedInteger(out, i, m, level);
+	    break;
+	  case SEC_ASN1_OBJECT_ID:
+	    SECU_PrintEncodedObjectID(out, i, m, level);
+	    break;
+	  case SEC_ASN1_BOOLEAN:
+	    SECU_PrintEncodedBoolean(out, i, m, level);
+	    break;
+	  case SEC_ASN1_UTF8_STRING:
+	  case SEC_ASN1_PRINTABLE_STRING:
+	  case SEC_ASN1_VISIBLE_STRING:
+	  case SEC_ASN1_IA5_STRING:
+	  case SEC_ASN1_T61_STRING:
+	    SECU_PrintString(out, i, m, level);
+	    break;
+	  case SEC_ASN1_GENERALIZED_TIME:
+	    SECU_PrintGeneralizedTime(out, i, m, level);
+	    break;
+	  case SEC_ASN1_UTC_TIME:
+	    SECU_PrintUTCTime(out, i, m, level);
+	    break;
+	  case SEC_ASN1_NULL:
+	    SECU_Indent(out, level); 
+	    if (m && m[0]) 
+	      fprintf(out, "%s: NULL\n", m);
+	    else
+	      fprintf(out, "NULL\n");
+	    break;
+          case SEC_ASN1_SET:
+          case SEC_ASN1_SEQUENCE:
+	    SECU_PrintSet(out, i, m, level);
+	    break;
+	  case SEC_ASN1_OCTET_STRING:
+	    secu_PrintOctetString(out, i, m, level);
+	    break;
+	  case SEC_ASN1_BIT_STRING:
+	    secu_PrintBitString(out, i, m, level);
+	    break;
+	  case SEC_ASN1_BMP_STRING:
+	    secu_PrintBMPString(out, i, m, level);
+	    break;
+	  case SEC_ASN1_UNIVERSAL_STRING:
+	    secu_PrintUniversalString(out, i, m, level);
+	    break;
+	  default:
+	    SECU_PrintAsHex(out, i, m, level);
+	    break;
+	}
+}
+
+void
+SECU_PrintAny(FILE *out, SECItem *i, char *m, int level)
+{
+    if ( i && i->len && i->data ) {
+	switch (i->data[0] & SEC_ASN1_CLASS_MASK) {
+	case SEC_ASN1_CONTEXT_SPECIFIC:
+	    secu_PrintContextSpecific(out, i, m, level);
+	    break;
+	case SEC_ASN1_UNIVERSAL:
+	    secu_PrintUniversal(out, i, m, level);
+	    break;
+	default:
+	    SECU_PrintAsHex(out, i, m, level);
+	    break;
+	}
+    }
+}
+
+static int
+secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level)
+{
+    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
+    SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1);
+    SECU_PrintTimeChoice(out, &v->notAfter,  "Not After ", level+1);
+    return 0;
+}
+
+/* This function does NOT expect a DER type and length. */
+SECOidTag
+SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level)
+{
+    SECOidData *oiddata;
+    char *      oidString = NULL;
+    
+    oiddata = SECOID_FindOID(oid);
+    if (oiddata != NULL) {
+	const char *name = oiddata->desc;
+	SECU_Indent(out, level);
+	if (m != NULL)
+	    fprintf(out, "%s: ", m);
+	fprintf(out, "%s\n", name);
+	return oiddata->offset;
+    } 
+    oidString = CERT_GetOidString(oid);
+    if (oidString) {
+	SECU_Indent(out, level);
+	if (m != NULL)
+	    fprintf(out, "%s: ", m);
+	fprintf(out, "%s\n", oidString);
+	PR_smprintf_free(oidString);
+	return SEC_OID_UNKNOWN;
+    }
+    SECU_PrintAsHex(out, oid, m, level);
+    return SEC_OID_UNKNOWN;
+}
+
+typedef struct secuPBEParamsStr {
+    SECItem salt;
+    SECItem iterationCount;
+    SECItem keyLength;
+    SECAlgorithmID cipherAlg;
+    SECAlgorithmID kdfAlg;
+} secuPBEParams;
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate);
+
+/* SECOID_PKCS5_PBKDF2 */
+const SEC_ASN1Template secuKDF2Params[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+
+/* PKCS5v1 & PKCS12 */
+const SEC_ASN1Template secuPBEParamsTemp[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+    { 0 }
+};
+
+/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
+const SEC_ASN1Template secuPBEV2Params[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams)},
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+
+void
+secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    secuPBEParams param;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof param);
+    rv = SEC_QuickDERDecodeItem(pool, &param, secuKDF2Params, value);
+    if (rv == SECSuccess) {
+	SECU_PrintAsHex(out, &param.salt, "Salt", level+1);
+	SECU_PrintInteger(out, &param.iterationCount, "Iteration Count", 
+			level+1);
+	SECU_PrintInteger(out, &param.keyLength, "Key Length", level+1);
+	SECU_PrintAlgorithmID(out, &param.kdfAlg, "KDF algorithm", level+1);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+void
+secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    secuPBEParams param;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof param);
+    rv = SEC_QuickDERDecodeItem(pool, &param, secuPBEV2Params, value);
+    if (rv == SECSuccess) {
+	SECU_PrintAlgorithmID(out, &param.kdfAlg, "KDF", level+1);
+	SECU_PrintAlgorithmID(out, &param.cipherAlg, "Cipher", level+1);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+void
+secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    secuPBEParams param;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(&param, 0, sizeof(secuPBEParams));
+    rv = SEC_QuickDERDecodeItem(pool, &param, secuPBEParamsTemp, value);
+    if (rv == SECSuccess) {
+	SECU_PrintAsHex(out, &param.salt, "Salt", level+1);
+	SECU_PrintInteger(out, &param.iterationCount, "Iteration Count", 
+			level+1);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+/* This function does NOT expect a DER type and length. */
+void
+SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
+{
+    SECOidTag algtag;
+    SECU_PrintObjectID(out, &a->algorithm, m, level);
+
+    algtag = SECOID_GetAlgorithmTag(a);
+    if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) {
+	switch (algtag) {
+	case SEC_OID_PKCS5_PBKDF2:
+	    secu_PrintKDF2Params(out, &a->parameters, "Parameters", level+1);
+	    break;
+	case SEC_OID_PKCS5_PBES2:
+	    secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level+1);
+	    break;
+	case SEC_OID_PKCS5_PBMAC1:
+	    secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
+	    break;
+	default:
+	    secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
+	    break;
+	}
+	return;
+    }
+	
+
+    if (a->parameters.len == 0
+	|| (a->parameters.len == 2
+	    && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
+	/* No arguments or NULL argument */
+    } else {
+	/* Print args to algorithm */
+	SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
+    }
+}
+
+static void
+secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
+{
+    SECItem *value;
+    int i;
+    char om[100];
+
+    if (m) {
+    	SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    }
+
+    /*
+     * Should make this smarter; look at the type field and then decode
+     * and print the value(s) appropriately!
+     */
+    SECU_PrintObjectID(out, &(attr->type), "Type", level+1);
+    if (attr->values != NULL) {
+	i = 0;
+	while ((value = attr->values[i++]) != NULL) {
+	    sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : ""); 
+	    if (attr->encoded || attr->typeTag == NULL) {
+		SECU_PrintAny(out, value, om, level+1);
+	    } else {
+		switch (attr->typeTag->offset) {
+		  default:
+		    SECU_PrintAsHex(out, value, om, level+1);
+		    break;
+		  case SEC_OID_PKCS9_CONTENT_TYPE:
+		    SECU_PrintObjectID(out, value, om, level+1);
+		    break;
+		  case SEC_OID_PKCS9_SIGNING_TIME:
+		    SECU_PrintTimeChoice(out, value, om, level+1);
+		    break;
+		}
+	    }
+	}
+    }
+}
+
+static void
+secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
+{
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
+    SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
+    if (pk->u.rsa.publicExponent.len == 1 &&
+        pk->u.rsa.publicExponent.data[0] == 1) {
+	SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n");
+    }
+}
+
+static void
+secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
+{
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1);
+    SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1);
+    SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1);
+    SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1);
+}
+
+#ifdef NSS_ENABLE_ECC
+static void
+secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
+{
+    SECItem curveOID = { siBuffer, NULL, 0};
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
+    /* For named curves, the DEREncodedParams field contains an
+     * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
+     */
+    if ((pk->u.ec.DEREncodedParams.len > 2) &&
+	(pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
+        curveOID.len = pk->u.ec.DEREncodedParams.data[1];
+	curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
+	SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
+    }
+}
+#endif /* NSS_ENABLE_ECC */
+
+static void
+secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
+		       CERTSubjectPublicKeyInfo *i,  char *msg, int level)
+{
+    SECKEYPublicKey *pk;
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", msg);
+    SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1);
+
+    pk = SECKEY_ExtractPublicKey(i);
+    if (pk) {
+	switch (pk->keyType) {
+	case rsaKey:
+	    secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
+	    break;
+
+	case dsaKey:
+	    secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1);
+	    break;
+
+#ifdef NSS_ENABLE_ECC
+	case ecKey:
+	    secu_PrintECPublicKey(out, pk, "EC Public Key", level +1);
+	    break;
+#endif
+
+	case dhKey:
+	case fortezzaKey:
+	case keaKey:
+	    SECU_Indent(out, level);
+    	    fprintf(out, "unable to format this SPKI algorithm type\n");
+	    goto loser;
+	default:
+	    SECU_Indent(out, level);
+	    fprintf(out, "unknown SPKI algorithm type\n");
+	    goto loser;
+	}
+	PORT_FreeArena(pk->arena, PR_FALSE);
+    } else {
+	SECU_PrintErrMsg(out, level, "Error", "Parsing public key");
+loser:
+	if (i->subjectPublicKey.data) {
+	    SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level);
+	}
+    }
+}
+
+static SECStatus
+secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level)
+{
+    SECItem decodedValue;
+    SECStatus rv;
+    int64 invalidTime;
+    char *formattedTime = NULL;
+
+    decodedValue.data = NULL;
+    rv = SEC_ASN1DecodeItem (NULL, &decodedValue, 
+			    SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
+			    value);
+    if (rv == SECSuccess) {
+	rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
+	if (rv == SECSuccess) {
+	    formattedTime = CERT_GenTime2FormattedAscii
+			    (invalidTime, "%a %b %d %H:%M:%S %Y");
+	    SECU_Indent(out, level +1);
+	    fprintf (out, "%s: %s\n", msg, formattedTime);
+	    PORT_Free (formattedTime);
+	}
+    }
+    PORT_Free (decodedValue.data);
+    return (rv);
+}
+
+static SECStatus
+PrintExtKeyUsageExtension  (FILE *out, SECItem *value, char *msg, int level)
+{
+    CERTOidSequence *os;
+    SECItem **op;
+
+    os = CERT_DecodeOidSequence(value);
+    if( (CERTOidSequence *)NULL == os ) {
+	return SECFailure;
+    }
+
+    for( op = os->oids; *op; op++ ) {
+	SECU_PrintObjectID(out, *op, msg, level + 1);
+    }
+    CERT_DestroyOidSequence(os);
+    return SECSuccess;
+}
+
+static SECStatus
+secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) {
+    CERTBasicConstraints constraints;
+    SECStatus rv;
+
+    SECU_Indent(out, level);
+    if (msg) {
+	    fprintf(out,"%s: ",msg);
+    } 
+    rv = CERT_DecodeBasicConstraintValue(&constraints,value);
+    if (rv == SECSuccess && constraints.isCA) {
+	if (constraints.pathLenConstraint >= 0) {
+	    fprintf(out,"Is a CA with a maximum path length of %d.\n",
+			constraints.pathLenConstraint);
+    	} else {
+	    fprintf(out,"Is a CA with no maximum path length.\n");
+	}
+    } else  {
+	fprintf(out,"Is not a CA.\n");
+    }
+    return SECSuccess;
+}
+
+static const char * const nsTypeBits[] = {
+    "SSL Client",
+    "SSL Server",
+    "S/MIME",
+    "Object Signing",
+    "Reserved",
+    "SSL CA",
+    "S/MIME CA",
+    "ObjectSigning CA" 
+};
+
+/* NSCertType is merely a bit string whose bits are displayed symbolically */
+static SECStatus
+secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) 
+{
+    int     unused;
+    int     NS_Type;
+    int     i;
+    int     found   = 0;
+    SECItem my      = *value;
+
+    if ((my.data[0] != SEC_ASN1_BIT_STRING) || 
+        SECSuccess != SECU_StripTagAndLength(&my)) {
+	SECU_PrintAny(out, value, "Data", level);
+	return SECSuccess;
+    }
+
+    unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0;  
+    NS_Type = my.data[1] & (0xff << unused);
+	
+
+    SECU_Indent(out, level);
+    if (msg) {
+	fprintf(out,"%s: ",msg);
+    } else {
+	fprintf(out,"Netscape Certificate Type: ");
+    }
+    for (i=0; i < 8; i++) {
+	if ( (0x80 >> i) & NS_Type) {
+	    fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]);
+	    found = 1;
+	}
+    }
+    fprintf(out, (found ? ">\n" : "none\n"));
+    return SECSuccess;
+}
+
+static const char * const usageBits[] = {
+    "Digital Signature",   /* 0x80 */
+    "Non-Repudiation",     /* 0x40 */
+    "Key Encipherment",    /* 0x20 */
+    "Data Encipherment",   /* 0x10 */
+    "Key Agreement",       /* 0x08 */
+    "Certificate Signing", /* 0x04 */
+    "CRL Signing",         /* 0x02 */
+    "Encipher Only",       /* 0x01 */
+    "Decipher Only",       /* 0x0080 */ 
+    NULL
+};
+
+/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */
+static void
+secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) 
+{
+    int     unused;
+    int     usage;
+    int     i;
+    int     found   = 0;
+    SECItem my      = *value;
+
+    if ((my.data[0] != SEC_ASN1_BIT_STRING) || 
+        SECSuccess != SECU_StripTagAndLength(&my)) {
+	SECU_PrintAny(out, value, "Data", level);
+	return;
+    }
+
+    unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0;  
+    usage  = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8
+                           : (my.data[1] << 8) | 
+			     (my.data[2] & (0xff << unused));
+
+    SECU_Indent(out, level);
+    fprintf(out, "Usages: ");
+    for (i=0; usageBits[i]; i++) {
+	if ( (0x8000 >> i) & usage) {
+	    if (found)
+		SECU_Indent(out, level + 2);
+	    fprintf(out, "%s\n", usageBits[i]);
+	    found = 1;
+	}
+    }
+    if (!found) {
+	fprintf(out, "(none)\n");
+    }
+}
+
+static void
+secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level)
+{
+    PRStatus   st;
+    PRNetAddr  addr;
+    char       addrBuf[80];
+
+    memset(&addr, 0, sizeof addr);
+    if (value->len == 4) {
+	addr.inet.family = PR_AF_INET;
+	memcpy(&addr.inet.ip, value->data, value->len);
+    } else if (value->len == 16) {
+	addr.ipv6.family = PR_AF_INET6;
+	memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len);
+	if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) {
+	    /* convert to IPv4.  */
+	    addr.inet.family = PR_AF_INET;
+	    memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4);
+	    memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad);
+	}
+    } else {
+	goto loser;
+    }
+
+    st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf);
+    if (st == PR_SUCCESS) {
+	SECU_Indent(out, level);
+	fprintf(out, "%s: %s\n", msg, addrBuf);
+    } else {
+loser:
+	SECU_PrintAsHex(out, value, msg, level);
+    }
+}
+
+
+static void
+secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) 
+{
+    char label[40];
+    if (msg && msg[0]) {
+    	SECU_Indent(out, level++); fprintf(out, "%s: \n", msg);
+    }
+    switch (gname->type) {
+    case certOtherName :
+	SECU_PrintAny(     out, &gname->name.OthName.name, "Other Name", level);
+	SECU_PrintObjectID(out, &gname->name.OthName.oid,  "OID",      level+1);
+	break;
+    case certDirectoryName :
+	SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level);
+	break;
+    case certRFC822Name :
+	secu_PrintRawString(   out, &gname->name.other, "RFC822 Name", level);
+	break;
+    case certDNSName :
+	secu_PrintRawString(   out, &gname->name.other, "DNS name", level);
+	break;
+    case certURI :
+	secu_PrintRawString(   out, &gname->name.other, "URI", level);
+	break;
+    case certIPAddress :
+	secu_PrintIPAddress(out, &gname->name.other, "IP Address", level);
+	break;
+    case certRegisterID :
+	SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level);
+	break;
+    case certX400Address :
+	SECU_PrintAny(      out, &gname->name.other, "X400 Address", level);
+	break;
+    case certEDIPartyName :
+	SECU_PrintAny(      out, &gname->name.other, "EDI Party", level);
+	break;
+    default:
+	PR_snprintf(label, sizeof label, "unknown type [%d]", 
+	                                (int)gname->type - 1);
+	SECU_PrintAsHex(out, &gname->name.other, label, level);
+	break;
+    }
+}
+
+static void
+secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level) 
+{
+    CERTGeneralName *name = gname;
+    do { 
+    	secu_PrintGeneralName(out, name, msg, level);
+	name = CERT_GetNextGeneralName(name);
+    } while (name && name != gname);
+}
+
+
+static void
+secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) 
+{
+    CERTAuthKeyID *kid  = NULL;
+    PLArenaPool   *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if (!pool) {
+	SECU_PrintError("Error", "Allocating new ArenaPool");
+	return;
+    }
+    kid = CERT_DecodeAuthKeyID(pool, value);
+    if (!kid) {
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+	SECU_PrintAny(out, value, "Data", level);
+    } else {
+	int keyIDPresent  = (kid->keyID.data && kid->keyID.len);
+	int issuerPresent = kid->authCertIssuer != NULL;
+	int snPresent = (kid->authCertSerialNumber.data &&
+	                 kid->authCertSerialNumber.len);
+
+	if (keyIDPresent)
+	    SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
+	if (issuerPresent)
+	    secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level);
+	if (snPresent)
+	    SECU_PrintInteger(out, &kid->authCertSerialNumber, 
+	                    "Serial Number", level);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+
+static void
+secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level)
+{
+    CERTGeneralName * nameList;
+    CERTGeneralName * current;
+    PLArenaPool     * pool      = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if (!pool) {
+	SECU_PrintError("Error", "Allocating new ArenaPool");
+	return;
+    }
+    nameList = current = CERT_DecodeAltNameExtension(pool, value);
+    if (!current) {
+	if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
+	    /* Decoder found empty sequence, which is invalid. */
+	    PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
+	}
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+	SECU_PrintAny(out, value, "Data", level);
+    } else {
+	do {
+	    secu_PrintGeneralName(out, current, msg, level);
+	    current = CERT_GetNextGeneralName(current);
+	} while (current != nameList);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+static void
+secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level)
+{
+    CERTCrlDistributionPoints * dPoints;
+    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if (!pool) {
+	SECU_PrintError("Error", "Allocating new ArenaPool");
+	return;
+    }
+    dPoints = CERT_DecodeCRLDistributionPoints(pool, value);
+    if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) {
+	CRLDistributionPoint ** pPoints = dPoints->distPoints;
+	CRLDistributionPoint *  pPoint;
+	while (NULL != (pPoint = *pPoints++)) {
+	    if (pPoint->distPointType == generalName && 
+	        pPoint->distPoint.fullName != NULL) {
+		secu_PrintGeneralNames(out, pPoint->distPoint.fullName, NULL,
+		                       level);
+	    } else if (pPoint->distPointType == relativeDistinguishedName &&
+	               pPoint->distPoint.relativeName.avas) {
+		SECU_PrintRDN(out, &pPoint->distPoint.relativeName, "RDN", 
+		              level);
+	    } else if (pPoint->derDistPoint.data) {
+		SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level);
+	    }
+	    if (pPoint->reasons.data) {
+		secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", 
+		                           level);
+	    }
+	    if (pPoint->crlIssuer) {
+		secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level);
+	    }
+	}
+    } else {
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+	SECU_PrintAny(out, value, "Data", level);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+
+static void
+secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, 
+                                char *msg, int level)
+{
+    CERTNameConstraint *head = value;
+    SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg);
+    level++;
+    do {
+	secu_PrintGeneralName(out, &value->name, NULL, level);
+	if (value->min.data)
+	    SECU_PrintInteger(out, &value->min, "Minimum", level+1);
+	if (value->max.data)
+	    SECU_PrintInteger(out, &value->max, "Maximum", level+1);
+	value = CERT_GetNextNameConstraint(value);
+    } while (value != head);
+}
+
+static void
+secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level)
+{
+    CERTNameConstraints * cnstrnts;
+    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if (!pool) {
+	SECU_PrintError("Error", "Allocating new ArenaPool");
+	return;
+    }
+    cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value);
+    if (!cnstrnts) {
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+    	SECU_PrintAny(out, value, "Raw", level);
+    } else {
+	if (cnstrnts->permited)
+	    secu_PrintNameConstraintSubtree(out, cnstrnts->permited, 
+	                                    "Permitted", level);
+	if (cnstrnts->excluded)
+	    secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, 
+	                                    "Excluded", level);
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+
+static void
+secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level)
+{
+    CERTAuthInfoAccess **infos = NULL;
+    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+    if (!pool) {
+	SECU_PrintError("Error", "Allocating new ArenaPool");
+	return;
+    }
+    infos = CERT_DecodeAuthInfoAccessExtension(pool, value);
+    if (!infos) {
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+    	SECU_PrintAny(out, value, "Raw", level);
+    } else {
+	CERTAuthInfoAccess *info;
+	while (NULL != (info = *infos++)) {
+	    if (info->method.data) {
+		SECU_PrintObjectID(out, &info->method, "Method", level);
+	    } else {
+	    	SECU_Indent(out,level);
+		fprintf(out, "Error: missing method\n");
+	    }
+	    if (info->location) {
+		secu_PrintGeneralName(out, info->location, "Location", level);
+	    } else {
+		SECU_PrintAny(out, &info->derLocation, "Location", level);
+	    }
+	}
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
+
+void
+SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
+		     char *msg, int level)
+{
+    SECOidTag oidTag;
+    
+    if ( extensions ) {
+	if (msg && *msg) {
+	    SECU_Indent(out, level++); fprintf(out, "%s:\n", msg);
+	}
+	
+	while ( *extensions ) {
+	    SECItem *tmpitem;
+
+	    tmpitem = &(*extensions)->id;
+	    SECU_PrintObjectID(out, tmpitem, "Name", level);
+
+	    tmpitem = &(*extensions)->critical;
+	    if ( tmpitem->len ) {
+		secu_PrintBoolean(out, tmpitem, "Critical", level);
+	    }
+
+	    oidTag = SECOID_FindOIDTag (&((*extensions)->id));
+	    tmpitem = &((*extensions)->value);
+
+	    switch (oidTag) {
+	      	case SEC_OID_X509_INVALID_DATE:
+		case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
+		   secu_PrintX509InvalidDate(out, tmpitem, "Date", level );
+		   break;
+		case SEC_OID_X509_CERTIFICATE_POLICIES:
+		   SECU_PrintPolicy(out, tmpitem, "Data", level );
+		   break;
+		case SEC_OID_NS_CERT_EXT_BASE_URL:
+		case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
+		case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
+		case SEC_OID_NS_CERT_EXT_CA_CRL_URL:
+		case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
+		case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
+		case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
+		case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
+		case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
+		case SEC_OID_OCSP_RESPONDER:
+		    SECU_PrintString(out,tmpitem, "URL", level);
+		    break;
+		case SEC_OID_NS_CERT_EXT_COMMENT:
+		    SECU_PrintString(out,tmpitem, "Comment", level);
+		    break;
+		case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
+		    SECU_PrintString(out,tmpitem, "ServerName", level);
+		    break;
+		case SEC_OID_NS_CERT_EXT_CERT_TYPE:
+		    secu_PrintNSCertType(out,tmpitem,"Data",level);
+		    break;
+		case SEC_OID_X509_BASIC_CONSTRAINTS:
+		    secu_PrintBasicConstraints(out,tmpitem,"Data",level);
+		    break;
+		case SEC_OID_X509_EXT_KEY_USAGE:
+		    PrintExtKeyUsageExtension(out, tmpitem, NULL, level);
+		    break;
+		case SEC_OID_X509_KEY_USAGE:
+		    secu_PrintX509KeyUsage(out, tmpitem, NULL, level );
+		    break;
+		case SEC_OID_X509_AUTH_KEY_ID:
+		    secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level );
+		    break;
+		case SEC_OID_X509_SUBJECT_ALT_NAME:
+		case SEC_OID_X509_ISSUER_ALT_NAME:
+		    secu_PrintAltNameExtension(out, tmpitem, NULL, level );
+		    break;
+		case SEC_OID_X509_CRL_DIST_POINTS:
+		    secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level );
+		    break;
+		case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD:
+		    SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, 
+							level );
+		    break;
+		case SEC_OID_X509_NAME_CONSTRAINTS:
+		    secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level);
+		    break;
+		case SEC_OID_X509_AUTH_INFO_ACCESS:
+		    secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level);
+		    break;
+
+		case SEC_OID_X509_CRL_NUMBER:
+		case SEC_OID_X509_REASON_CODE:
+
+		/* PKIX OIDs */
+		case SEC_OID_PKIX_OCSP:
+		case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
+		case SEC_OID_PKIX_OCSP_NONCE:
+		case SEC_OID_PKIX_OCSP_CRL:
+		case SEC_OID_PKIX_OCSP_RESPONSE:
+		case SEC_OID_PKIX_OCSP_NO_CHECK:
+		case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF:
+		case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR:
+		case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+		case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+		case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+		case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+		case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+		case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+		case SEC_OID_PKIX_REGINFO_UTF8_PAIRS:
+		case SEC_OID_PKIX_REGINFO_CERT_REQUEST:
+
+	        /* Netscape extension OIDs. */
+		case SEC_OID_NS_CERT_EXT_NETSCAPE_OK:
+		case SEC_OID_NS_CERT_EXT_ISSUER_LOGO:
+		case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO:
+		case SEC_OID_NS_CERT_EXT_ENTITY_LOGO:
+		case SEC_OID_NS_CERT_EXT_USER_PICTURE:
+
+		/* x.509 v3 Extensions */
+		case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR:
+		case SEC_OID_X509_SUBJECT_KEY_ID:
+		case SEC_OID_X509_POLICY_MAPPINGS:
+		case SEC_OID_X509_POLICY_CONSTRAINTS:
+
+
+	        default:
+		    SECU_PrintAny(out, tmpitem, "Data", level);
+		break;
+	    }
+
+	    secu_Newline(out);
+	    extensions++;
+	}
+    }
+}
+
+/* An RDN is a subset of a DirectoryName, and we already know how to
+ * print those, so make a directory name out of the RDN, and print it.
+ */
+void
+SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level)
+{
+    CERTName name;
+    CERTRDN *rdns[2];
+
+    name.arena = NULL;
+    name.rdns  = rdns;
+    rdns[0] = rdn;
+    rdns[1] = NULL;
+    SECU_PrintName(out, &name, msg, level);
+}
+
+void
+SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
+{
+    char *nameStr;
+    char *str;
+    SECItem my;
+
+    if (!name) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+    if (!name->rdns || !name->rdns[0]) {
+	str = "(empty)";
+    } else {
+	str = nameStr = CERT_NameToAscii(name);
+    }
+    if (!str) {
+    	str = "!Invalid AVA!";
+    }
+    my.data = (unsigned char *)str;
+    my.len  = PORT_Strlen(str);
+#if 1
+    secu_PrintRawString(out, &my, msg, level);
+#else
+    SECU_Indent(out, level); fprintf(out, "%s: ", msg);
+    fprintf(out, str);
+    secu_Newline(out);
+#endif
+    PORT_Free(nameStr);
+}
+
+void
+printflags(char *trusts, unsigned int flags)
+{
+    if (flags & CERTDB_VALID_CA)
+	if (!(flags & CERTDB_TRUSTED_CA) &&
+	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
+	    PORT_Strcat(trusts, "c");
+    if (flags & CERTDB_VALID_PEER)
+	if (!(flags & CERTDB_TRUSTED))
+	    PORT_Strcat(trusts, "p");
+    if (flags & CERTDB_TRUSTED_CA)
+	PORT_Strcat(trusts, "C");
+    if (flags & CERTDB_TRUSTED_CLIENT_CA)
+	PORT_Strcat(trusts, "T");
+    if (flags & CERTDB_TRUSTED)
+	PORT_Strcat(trusts, "P");
+    if (flags & CERTDB_USER)
+	PORT_Strcat(trusts, "u");
+    if (flags & CERTDB_SEND_WARN)
+	PORT_Strcat(trusts, "w");
+    if (flags & CERTDB_INVISIBLE_CA)
+	PORT_Strcat(trusts, "I");
+    if (flags & CERTDB_GOVT_APPROVED_CA)
+	PORT_Strcat(trusts, "G");
+    return;
+}
+
+/* callback for listing certs through pkcs11 */
+SECStatus
+SECU_PrintCertNickname(CERTCertListNode *node, void *data)
+{
+    CERTCertTrust *trust;
+    CERTCertificate* cert;
+    FILE *out;
+    char trusts[30];
+    char *name;
+
+    cert = node->cert;
+
+    PORT_Memset (trusts, 0, sizeof (trusts));
+    out = (FILE *)data;
+    
+    name = node->appData;
+    if (!name || !name[0]) {
+        name = cert->nickname;
+    }
+    if (!name || !name[0]) {
+        name = cert->emailAddr;
+    }
+    if (!name || !name[0]) {
+        name = "(NULL)";
+    }
+
+    trust = cert->trust;
+    if (trust) {
+        printflags(trusts, trust->sslFlags);
+        PORT_Strcat(trusts, ",");
+        printflags(trusts, trust->emailFlags);
+        PORT_Strcat(trusts, ",");
+        printflags(trusts, trust->objectSigningFlags);
+    } else {
+        PORT_Memcpy(trusts,",,",3);
+    }
+    fprintf(out, "%-60s %-5s\n", name, trusts);
+
+    return (SECSuccess);
+}
+
+int
+SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level)
+{
+    CERTCertExtension **extensions = NULL;
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    int rv = 0;
+
+    if (!arena) 
+	return SEC_ERROR_NO_MEMORY;
+
+    rv = SEC_QuickDERDecodeItem(arena, &extensions, 
+		   SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any);
+    if (!rv)
+	SECU_PrintExtensions(out, extensions, m, level);
+    else 
+    	SECU_PrintAny(out, any, m, level);
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+/* print a decoded SET OF or SEQUENCE OF Extensions */
+int
+SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level)
+{
+    int rv = 0;
+    if (m && *m) {
+	SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
+    }
+    while (any && any[0]) {
+    	rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level);
+	any++;
+    }
+    return rv;
+}
+
+/* print a decoded SET OF or SEQUENCE OF "ANY" */
+int
+SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level)
+{
+    int rv = 0;
+    if (m && *m) {
+	SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
+    }
+    while (any && any[0]) {
+    	SECU_PrintAny(out, any[0], "", level);
+	any++;
+    }
+    return rv;
+}
+
+int
+SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level)
+{
+    int rv = 0;
+    SECOidTag tag;
+    tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level);
+    if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) {
+	rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level);
+    } else {
+	rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level);
+    }
+    return rv;
+}
+
+int
+SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
+{
+    int rv = 0;
+    while (attrs[0]) {
+	rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1);
+    	attrs++;
+    }
+    return rv;
+}
+
+int  /* sometimes a PRErrorCode, other times a SECStatus.  Sigh. */
+SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTCertificateRequest *cr;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena) 
+	return rv;
+
+    /* Decode certificate request */
+    cr = PORT_ArenaZNew(arena, CERTCertificateRequest);
+    if (!cr)
+	goto loser;
+    cr->arena = arena;
+    rv = SEC_QuickDERDecodeItem(arena, cr, 
+                           SEC_ASN1_GET(CERT_CertificateRequestTemplate), der);
+    if (rv) 
+	goto loser;
+
+    /* Pretty print it out */
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &cr->version, "Version", level+1);
+    SECU_PrintName(out, &cr->subject, "Subject", level+1);
+    secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo,
+			      "Subject Public Key Info", level+1);
+    if (cr->attributes)
+	SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1);
+    rv = 0;
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+int
+SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTCertificate *c;
+    int rv = SEC_ERROR_NO_MEMORY;
+    int iv;
+    
+    if (!arena)
+	return rv;
+
+    /* Decode certificate */
+    c = PORT_ArenaZNew(arena, CERTCertificate);
+    if (!c)
+	goto loser;
+    c->arena = arena;
+    rv = SEC_ASN1DecodeItem(arena, c, 
+                            SEC_ASN1_GET(CERT_CertificateTemplate), der);
+    if (rv) {
+        SECU_Indent(out, level); 
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+	SECU_PrintAny(out, der, "Raw", level);
+	goto loser;
+    }
+    /* Pretty print it out */
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    iv = c->version.len ? DER_GetInteger(&c->version) : 0;  /* version is optional */
+    SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
+
+    SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
+    SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
+    SECU_PrintName(out, &c->issuer, "Issuer", level+1);
+    secu_PrintValidity(out, &c->validity, "Validity", level+1);
+    SECU_PrintName(out, &c->subject, "Subject", level+1);
+    secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo,
+			      "Subject Public Key Info", level+1);
+    if (c->issuerID.data) 
+	secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1);
+    if (c->subjectID.data) 
+	secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1);
+    SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+int
+SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECKEYPublicKey key;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    PORT_Memset(&key, 0, sizeof(key));
+    rv = SEC_ASN1DecodeItem(arena, &key, 
+                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der);
+    if (!rv) {
+	/* Pretty print it out */
+	secu_PrintRSAPublicKey(out, &key, m, level);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+int
+SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    int          rv    = SEC_ERROR_NO_MEMORY;
+    CERTSubjectPublicKeyInfo spki;
+
+    if (!arena)
+	return rv;
+
+    PORT_Memset(&spki, 0, sizeof spki);
+    rv = SEC_ASN1DecodeItem(arena, &spki, 
+                            SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate), 
+			    der);
+    if (!rv) {
+	if (m && *m) {
+	    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
+	}
+	secu_PrintSubjectPublicKeyInfo(out, arena, &spki,
+				       "Subject Public Key Info", level+1);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+#ifdef HAVE_EPV_TEMPLATE
+int
+SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECKEYEncryptedPrivateKeyInfo key;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    PORT_Memset(&key, 0, sizeof(key));
+    rv = SEC_ASN1DecodeItem(arena, &key, 
+		SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der);
+    if (rv)
+	goto loser;
+
+    /* Pretty print it out */
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", 
+			  level+1);
+    SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1);
+loser:
+    PORT_FreeArena(arena, PR_TRUE);
+    return rv;
+}
+#endif
+
+int
+SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
+{
+    unsigned char fingerprint[20];
+    char *fpStr = NULL;
+    int err     = PORT_GetError();
+    SECStatus rv;
+    SECItem fpItem;
+
+    /* print MD5 fingerprint */
+    memset(fingerprint, 0, sizeof fingerprint);
+    rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len);
+    fpItem.data = fingerprint;
+    fpItem.len = MD5_LENGTH;
+    fpStr = CERT_Hexify(&fpItem, 1);
+    SECU_Indent(out, level);  fprintf(out, "%s (MD5):\n", m);
+    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
+    PORT_Free(fpStr);
+    fpStr = NULL;
+    if (rv != SECSuccess && !err)
+	err = PORT_GetError();
+
+    /* print SHA1 fingerprint */
+    memset(fingerprint, 0, sizeof fingerprint);
+    rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
+    fpItem.data = fingerprint;
+    fpItem.len = SHA1_LENGTH;
+    fpStr = CERT_Hexify(&fpItem, 1);
+    SECU_Indent(out, level);  fprintf(out, "%s (SHA1):\n", m);
+    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
+    PORT_Free(fpStr);
+    fprintf(out, "\n");
+
+    if (err) 
+	PORT_SetError(err);
+    if (err || rv != SECSuccess)
+	return SECFailure;
+
+    return 0;
+}
+
+/*
+** PKCS7 Support
+*/
+
+/* forward declaration */
+static int
+secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int);
+
+/*
+** secu_PrintPKCS7EncContent
+**   Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it)
+*/
+static void
+secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, 
+			  char *m, int level)
+{
+    if (src->contentTypeTag == NULL)
+	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
+
+    SECU_Indent(out, level);
+    fprintf(out, "%s:\n", m);
+    SECU_Indent(out, level + 1); 
+    fprintf(out, "Content Type: %s\n",
+	    (src->contentTypeTag != NULL) ? src->contentTypeTag->desc
+					  : "Unknown");
+    SECU_PrintAlgorithmID(out, &(src->contentEncAlg),
+			  "Content Encryption Algorithm", level+1);
+    SECU_PrintAsHex(out, &(src->encContent), 
+		    "Encrypted Content", level+1);
+}
+
+/*
+** secu_PrintRecipientInfo
+**   Prints a PKCS7RecipientInfo type
+*/
+static void
+secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, 
+			int level)
+{
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(info->version), "Version", level + 1);	
+
+    SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", 
+		 level + 1);
+    SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
+		      "Serial Number", level + 1);
+
+    /* Parse and display encrypted key */
+    SECU_PrintAlgorithmID(out, &(info->keyEncAlg), 
+			"Key Encryption Algorithm", level + 1);
+    SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1);
+}
+
+/* 
+** secu_PrintSignerInfo
+**   Prints a PKCS7SingerInfo type
+*/
+static void
+secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level)
+{
+    SEC_PKCS7Attribute *attr;
+    int iv;
+    char om[100];
+    
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(info->version), "Version", level + 1);	
+
+    SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", 
+		 level + 1);
+    SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
+		      "Serial Number", level + 1);
+  
+    SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm",
+			  level + 1);
+    
+    if (info->authAttr != NULL) {
+	SECU_Indent(out, level + 1); 
+	fprintf(out, "Authenticated Attributes:\n");
+	iv = 0;
+	while ((attr = info->authAttr[iv++]) != NULL) {
+	    sprintf(om, "Attribute (%d)", iv); 
+	    secu_PrintAttribute(out, attr, om, level + 2);
+	}
+    }
+    
+    /* Parse and display signature */
+    SECU_PrintAlgorithmID(out, &(info->digestEncAlg), 
+			"Digest Encryption Algorithm", level + 1);
+    SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1);
+    
+    if (info->unAuthAttr != NULL) {
+	SECU_Indent(out, level + 1); 
+	fprintf(out, "Unauthenticated Attributes:\n");
+	iv = 0;
+	while ((attr = info->unAuthAttr[iv++]) != NULL) {
+	    sprintf(om, "Attribute (%x)", iv); 
+	    secu_PrintAttribute(out, attr, om, level + 2);
+	}
+    }
+}
+
+/* callers of this function must make sure that the CERTSignedCrl
+   from which they are extracting the CERTCrl has been fully-decoded.
+   Otherwise it will not have the entries even though the CRL may have
+   some */
+
+void
+SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level)
+{
+    CERTCrlEntry *entry;
+    int iv;
+    char om[100];
+    
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    /* version is optional */
+    iv = crl->version.len ? DER_GetInteger(&crl->version) : 0;  
+    SECU_Indent(out, level+1); 
+    	fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
+    SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm",
+			  level + 1);
+    SECU_PrintName(out, &(crl->name), "Issuer", level + 1);
+    SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1);
+    if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */
+	SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1);
+    
+    if (crl->entries != NULL) {
+	iv = 0;
+	while ((entry = crl->entries[iv++]) != NULL) {
+	    sprintf(om, "Entry (%x):\n", iv); 
+	    SECU_Indent(out, level + 1); fprintf(out, om);
+	    SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number",
+			      level + 2);
+	    SECU_PrintTimeChoice(out, &(entry->revocationDate), 
+	                         "Revocation Date", level + 2);
+	    SECU_PrintExtensions(out, entry->extensions, 
+	                         "Entry Extensions", level + 2);
+	}
+    }
+    SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1);
+}
+
+/*
+** secu_PrintPKCS7Signed
+**   Pretty print a PKCS7 signed data type (up to version 1).
+*/
+static int
+secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src,
+		      const char *m, int level)
+{
+    SECAlgorithmID *digAlg;		/* digest algorithms */
+    SECItem *aCert;			/* certificate */
+    CERTSignedCrl *aCrl;		/* certificate revocation list */
+    SEC_PKCS7SignerInfo *sigInfo;	/* signer information */
+    int rv, iv;
+    char om[100];
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    /* Parse and list digest algorithms (if any) */
+    if (src->digestAlgorithms != NULL) {
+	SECU_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
+	iv = 0;
+	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
+	    sprintf(om, "Digest Algorithm (%x)", iv);
+	    SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
+	}
+    }
+
+    /* Now for the content */
+    rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), 
+				    "Content Information", level + 1);
+    if (rv != 0)
+	return rv;
+
+    /* Parse and list certificates (if any) */
+    if (src->rawCerts != NULL) {
+	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
+	iv = 0;
+	while ((aCert = src->rawCerts[iv++]) != NULL) {
+	    sprintf(om, "Certificate (%x)", iv);
+	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
+				      SECU_PrintCertificate);
+	    if (rv)
+		return rv;
+	}
+    }
+
+    /* Parse and list CRL's (if any) */
+    if (src->crls != NULL) {
+	SECU_Indent(out, level + 1);  
+	fprintf(out, "Signed Revocation Lists:\n");
+	iv = 0;
+	while ((aCrl = src->crls[iv++]) != NULL) {
+	    sprintf(om, "Signed Revocation List (%x)", iv);
+	    SECU_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
+	    SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
+				  "Signature Algorithm", level+3);
+	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
+	    SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
+			    level+3);
+	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
+			  level + 3); 
+	}
+    }
+
+    /* Parse and list signatures (if any) */
+    if (src->signerInfos != NULL) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "Signer Information List:\n");
+	iv = 0;
+	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
+	    sprintf(om, "Signer Information (%x)", iv);
+	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
+	}
+    }  
+
+    return 0;
+}
+
+/*
+** secu_PrintPKCS7Enveloped
+**  Pretty print a PKCS7 enveloped data type (up to version 1).
+*/
+static void
+secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src,
+			 const char *m, int level)
+{
+    SEC_PKCS7RecipientInfo *recInfo;   /* pointer for signer information */
+    int iv;
+    char om[100];
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    /* Parse and list recipients (this is not optional) */
+    if (src->recipientInfos != NULL) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "Recipient Information List:\n");
+	iv = 0;
+	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
+	    sprintf(om, "Recipient Information (%x)", iv);
+	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
+	}
+    }  
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+}
+
+/*
+** secu_PrintPKCS7SignedEnveloped
+**   Pretty print a PKCS7 singed and enveloped data type (up to version 1).
+*/
+static int
+secu_PrintPKCS7SignedAndEnveloped(FILE *out,
+				  SEC_PKCS7SignedAndEnvelopedData *src,
+				  const char *m, int level)
+{
+    SECAlgorithmID *digAlg;  /* pointer for digest algorithms */
+    SECItem *aCert;           /* pointer for certificate */
+    CERTSignedCrl *aCrl;        /* pointer for certificate revocation list */
+    SEC_PKCS7SignerInfo *sigInfo;   /* pointer for signer information */
+    SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */
+    int rv, iv;
+    char om[100];
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    /* Parse and list recipients (this is not optional) */
+    if (src->recipientInfos != NULL) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "Recipient Information List:\n");
+	iv = 0;
+	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
+	    sprintf(om, "Recipient Information (%x)", iv);
+	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
+	}
+    }  
+
+    /* Parse and list digest algorithms (if any) */
+    if (src->digestAlgorithms != NULL) {
+	SECU_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
+	iv = 0;
+	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
+	    sprintf(om, "Digest Algorithm (%x)", iv);
+	    SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
+	}
+    }
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+
+    /* Parse and list certificates (if any) */
+    if (src->rawCerts != NULL) {
+	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
+	iv = 0;
+	while ((aCert = src->rawCerts[iv++]) != NULL) {
+	    sprintf(om, "Certificate (%x)", iv);
+	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
+				      SECU_PrintCertificate);
+	    if (rv)
+		return rv;
+	}
+    }
+
+    /* Parse and list CRL's (if any) */
+    if (src->crls != NULL) {
+	SECU_Indent(out, level + 1);  
+	fprintf(out, "Signed Revocation Lists:\n");
+	iv = 0;
+	while ((aCrl = src->crls[iv++]) != NULL) {
+	    sprintf(om, "Signed Revocation List (%x)", iv);
+	    SECU_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
+	    SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
+				  "Signature Algorithm", level+3);
+	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
+	    SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
+			    level+3);
+	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
+			  level + 3); 
+	}
+    }
+
+    /* Parse and list signatures (if any) */
+    if (src->signerInfos != NULL) {
+	SECU_Indent(out, level + 1);
+	fprintf(out, "Signer Information List:\n");
+	iv = 0;
+	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
+	    sprintf(om, "Signer Information (%x)", iv);
+	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
+	}
+    }  
+
+    return 0;
+}
+
+int
+SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTCrl *c = NULL;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+    	return rv;
+    do {
+	/* Decode CRL */
+	c = PORT_ArenaZNew(arena, CERTCrl);
+	if (!c)
+	    break;
+
+	rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der);
+	if (rv != SECSuccess)
+	    break;
+	SECU_PrintCRLInfo (out, c, m, level);
+    } while (0);
+    PORT_FreeArena (arena, PR_FALSE);
+    return rv;
+}
+
+
+/*
+** secu_PrintPKCS7Encrypted
+**   Pretty print a PKCS7 encrypted data type (up to version 1).
+*/
+static void
+secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src,
+			 const char *m, int level)
+{
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+}
+
+/*
+** secu_PrintPKCS7Digested
+**   Pretty print a PKCS7 digested data type (up to version 1).
+*/
+static void
+secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src,
+			const char *m, int level)
+{
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
+    
+    SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm",
+			  level + 1);
+    secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information",
+			       level + 1);
+    SECU_PrintAsHex(out, &src->digest, "Digest", level + 1);  
+}
+
+/*
+** secu_PrintPKCS7ContentInfo
+**   Takes a SEC_PKCS7ContentInfo type and sends the contents to the 
+** appropriate function
+*/
+static int
+secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src,
+			   char *m, int level)
+{
+    const char *desc;
+    SECOidTag kind;
+    int rv;
+
+    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
+    level++;
+
+    if (src->contentTypeTag == NULL)
+	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
+
+    if (src->contentTypeTag == NULL) {
+	desc = "Unknown";
+	kind = SEC_OID_PKCS7_DATA;
+    } else {
+	desc = src->contentTypeTag->desc;
+	kind = src->contentTypeTag->offset;
+    }
+
+    if (src->content.data == NULL) {
+	SECU_Indent(out, level); fprintf(out, "%s:\n", desc);
+	level++;
+	SECU_Indent(out, level); fprintf(out, "<no content>\n");
+	return 0;
+    }
+
+    rv = 0;
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:  /* Signed Data */
+	rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level);
+	break;
+
+      case SEC_OID_PKCS7_ENVELOPED_DATA:  /* Enveloped Data */
+        secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level);
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:  /* Signed and Enveloped */
+	rv = secu_PrintPKCS7SignedAndEnveloped(out,
+					src->content.signedAndEnvelopedData,
+					desc, level);
+	break;
+
+      case SEC_OID_PKCS7_DIGESTED_DATA:  /* Digested Data */
+	secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level);
+	break;
+
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:  /* Encrypted Data */
+	secu_PrintPKCS7Encrypted(out, src->content.encryptedData, desc, level);
+	break;
+
+      default:
+	SECU_PrintAsHex(out, src->content.data, desc, level);
+	break;
+    }
+
+    return rv;
+}
+
+/*
+** SECU_PrintPKCS7ContentInfo
+**   Decode and print any major PKCS7 data type (up to version 1).
+*/
+int
+SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    int rv;
+
+    cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+    if (cinfo != NULL) {
+	/* Send it to recursive parsing and printing module */
+	rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level);
+	SEC_PKCS7DestroyContentInfo(cinfo);
+    } else {
+	rv = -1;
+    }
+
+    return rv;
+}
+
+/*
+** End of PKCS7 functions
+*/
+
+void
+printFlags(FILE *out, unsigned int flags, int level)
+{
+    if ( flags & CERTDB_VALID_PEER ) {
+	SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
+    }
+    if ( flags & CERTDB_TRUSTED ) {
+	SECU_Indent(out, level); fprintf(out, "Trusted\n");
+    }
+    if ( flags & CERTDB_SEND_WARN ) {
+	SECU_Indent(out, level); fprintf(out, "Warn When Sending\n");
+    }
+    if ( flags & CERTDB_VALID_CA ) {
+	SECU_Indent(out, level); fprintf(out, "Valid CA\n");
+    }
+    if ( flags & CERTDB_TRUSTED_CA ) {
+	SECU_Indent(out, level); fprintf(out, "Trusted CA\n");
+    }
+    if ( flags & CERTDB_NS_TRUSTED_CA ) {
+	SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n");
+    }
+    if ( flags & CERTDB_USER ) {
+	SECU_Indent(out, level); fprintf(out, "User\n");
+    }
+    if ( flags & CERTDB_TRUSTED_CLIENT_CA ) {
+	SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n");
+    }
+    if ( flags & CERTDB_GOVT_APPROVED_CA ) {
+	SECU_Indent(out, level); fprintf(out, "Step-up\n");
+    }
+}
+
+void
+SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level)
+{
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n");
+    printFlags(out, trust->sslFlags, level+2);
+    SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n");
+    printFlags(out, trust->emailFlags, level+2);
+    SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n");
+    printFlags(out, trust->objectSigningFlags, level+2);
+}
+
+int SECU_PrintSignedData(FILE *out, SECItem *der, char *m,
+			   int level, SECU_PPFunc inner)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTSignedData *sd;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    /* Strip off the signature */
+    sd = PORT_ArenaZNew(arena, CERTSignedData);
+    if (!sd)
+	goto loser;
+
+    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), 
+                            der);
+    if (rv)
+	goto loser;
+
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    rv = (*inner)(out, &sd->data, "Data", level+1);
+
+    SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
+			  level+1);
+    DER_ConvertBitString(&sd->signature);
+    SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
+    SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+
+}
+
+SECStatus
+SEC_PrintCertificateAndTrust(CERTCertificate *cert,
+                             const char *label,
+                             CERTCertTrust *trust)
+{
+    SECStatus rv;
+    SECItem data;
+    
+    data.data = cert->derCert.data;
+    data.len = cert->derCert.len;
+
+    rv = SECU_PrintSignedData(stdout, &data, label, 0,
+			      SECU_PrintCertificate);
+    if (rv) {
+	return(SECFailure);
+    }
+    if (trust) {
+	SECU_PrintTrustFlags(stdout, trust,
+	                     "Certificate Trust Flags", 1);
+    } else if (cert->trust) {
+	SECU_PrintTrustFlags(stdout, cert->trust,
+	                     "Certificate Trust Flags", 1);
+    }
+
+    printf("\n");
+
+    return(SECSuccess);
+}
+
+
+SECStatus
+SECU_ParseCommandLine(int argc, char **argv, char *progName,
+		      const secuCommand *cmd)
+{
+    PRBool found;
+    PLOptState *optstate;
+    PLOptStatus status;
+    char *optstring;
+    PLLongOpt *longopts = NULL;
+    int i, j;
+    int lcmd = 0, lopt = 0;
+
+    optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1);
+    if (optstring == NULL)
+        return SECFailure;
+    
+    j = 0;
+    for (i=0; i<cmd->numCommands; i++) {
+	if (cmd->commands[i].flag) /* single character option ? */
+	    optstring[j++] = cmd->commands[i].flag;
+	if (cmd->commands[i].longform)
+	    lcmd++;
+    }
+    for (i=0; i<cmd->numOptions; i++) {
+	if (cmd->options[i].flag) {
+	    optstring[j++] = cmd->options[i].flag;
+	    if (cmd->options[i].needsArg)
+		optstring[j++] = ':';
+	}
+	if (cmd->options[i].longform)
+	    lopt++;
+    }
+    
+    optstring[j] = '\0';
+    
+    if (lcmd + lopt > 0) {
+	longopts = PORT_NewArray(PLLongOpt, lcmd+lopt+1);
+	if (!longopts) {
+	    PORT_Free(optstring);
+	    return SECFailure;
+	}
+
+	j = 0;
+	for (i=0; j<lcmd && i<cmd->numCommands; i++) {
+	    if (cmd->commands[i].longform) {
+		longopts[j].longOptName = cmd->commands[i].longform;
+		longopts[j].longOption = 0;
+		longopts[j++].valueRequired = cmd->commands[i].needsArg;
+	    } 
+	}
+	lopt += lcmd;
+	for (i=0; j<lopt && i<cmd->numOptions; i++) {
+	    if (cmd->options[i].longform) {
+		longopts[j].longOptName = cmd->options[i].longform;
+		longopts[j].longOption = 0;
+		longopts[j++].valueRequired = cmd->options[i].needsArg;
+	    }
+	}
+	longopts[j].longOptName = NULL;
+    }
+
+    optstate = PL_CreateLongOptState(argc, argv, optstring, longopts);
+    if (!optstate) {
+        PORT_Free(optstring);
+        PORT_Free(longopts);
+        return SECFailure;
+    }
+    /* Parse command line arguments */
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	const char *optstatelong;
+	char        option = optstate->option;
+
+	/*  positional parameter, single-char option or long opt? */
+	if (optstate->longOptIndex == -1) {
+	    /* not a long opt */
+	    if (option == '\0')
+	        continue;               /* it's a positional parameter */
+	    optstatelong = "";
+	} else {
+	    /* long opt */
+            if (option == '\0')
+		option = '\377';        /* force unequal with all flags */
+	    optstatelong = longopts[optstate->longOptIndex].longOptName;
+	}
+
+	found = PR_FALSE;
+
+	for (i=0; i<cmd->numCommands; i++) {
+	    if (cmd->commands[i].flag == option ||
+	        cmd->commands[i].longform == optstatelong) {
+		cmd->commands[i].activated = PR_TRUE;
+		if (optstate->value) {
+		    cmd->commands[i].arg = (char *)optstate->value;
+		}
+		found = PR_TRUE;
+		break;
+	    }
+	}
+
+	if (found)
+	    continue;
+
+	for (i=0; i<cmd->numOptions; i++) {
+	    if (cmd->options[i].flag == option ||
+		cmd->options[i].longform == optstatelong) {
+		cmd->options[i].activated = PR_TRUE;
+		if (optstate->value) {
+		    cmd->options[i].arg = (char *)optstate->value;
+		} else if (cmd->options[i].needsArg) {
+		    status = PL_OPT_BAD;
+		    goto loser;
+		}
+		found = PR_TRUE;
+		break;
+	    }
+	}
+
+	if (!found) {
+	    status = PL_OPT_BAD;
+	    break;
+	}
+    }
+
+loser:
+    PL_DestroyOptState(optstate);
+    PORT_Free(optstring);
+    if (longopts)
+	PORT_Free(longopts);
+    if (status == PL_OPT_BAD)
+	return SECFailure;
+    return SECSuccess;
+}
+
+char *
+SECU_GetOptionArg(const secuCommand *cmd, int optionNum)
+{
+	if (optionNum < 0 || optionNum >= cmd->numOptions)
+		return NULL;
+	if (cmd->options[optionNum].activated)
+		return PL_strdup(cmd->options[optionNum].arg);
+	else
+		return NULL;
+}
+
+static char SECUErrorBuf[64];
+
+char *
+SECU_ErrorStringRaw(int16 err)
+{
+    if (err == 0)
+	SECUErrorBuf[0] = '\0';
+    else if (err == SEC_ERROR_BAD_DATA)
+	sprintf(SECUErrorBuf, "Bad data");
+    else if (err == SEC_ERROR_BAD_DATABASE)
+	sprintf(SECUErrorBuf, "Problem with database");
+    else if (err == SEC_ERROR_BAD_DER)
+	sprintf(SECUErrorBuf, "Problem with DER");
+    else if (err == SEC_ERROR_BAD_KEY)
+	sprintf(SECUErrorBuf, "Problem with key");
+    else if (err == SEC_ERROR_BAD_PASSWORD)
+	sprintf(SECUErrorBuf, "Incorrect password");
+    else if (err == SEC_ERROR_BAD_SIGNATURE)
+	sprintf(SECUErrorBuf, "Bad signature");
+    else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
+	sprintf(SECUErrorBuf, "Expired certificate");
+    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
+	sprintf(SECUErrorBuf, "Invalid extension value");
+    else if (err == SEC_ERROR_INPUT_LEN)
+	sprintf(SECUErrorBuf, "Problem with input length");
+    else if (err == SEC_ERROR_INVALID_ALGORITHM)
+	sprintf(SECUErrorBuf, "Invalid algorithm");
+    else if (err == SEC_ERROR_INVALID_ARGS)
+	sprintf(SECUErrorBuf, "Invalid arguments");
+    else if (err == SEC_ERROR_INVALID_AVA)
+	sprintf(SECUErrorBuf, "Invalid AVA");
+    else if (err == SEC_ERROR_INVALID_TIME)
+	sprintf(SECUErrorBuf, "Invalid time");
+    else if (err == SEC_ERROR_IO)
+	sprintf(SECUErrorBuf, "Security I/O error");
+    else if (err == SEC_ERROR_LIBRARY_FAILURE)
+	sprintf(SECUErrorBuf, "Library failure");
+    else if (err == SEC_ERROR_NO_MEMORY)
+	sprintf(SECUErrorBuf, "Out of memory");
+    else if (err == SEC_ERROR_OLD_CRL)
+	sprintf(SECUErrorBuf, "CRL is older than the current one");
+    else if (err == SEC_ERROR_OUTPUT_LEN)
+	sprintf(SECUErrorBuf, "Problem with output length");
+    else if (err == SEC_ERROR_UNKNOWN_ISSUER)
+	sprintf(SECUErrorBuf, "Unknown issuer");
+    else if (err == SEC_ERROR_UNTRUSTED_CERT)
+	sprintf(SECUErrorBuf, "Untrusted certificate");
+    else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
+	sprintf(SECUErrorBuf, "Untrusted issuer");
+    else if (err == SSL_ERROR_BAD_CERTIFICATE)
+	sprintf(SECUErrorBuf, "Bad certificate");
+    else if (err == SSL_ERROR_BAD_CLIENT)
+	sprintf(SECUErrorBuf, "Bad client");
+    else if (err == SSL_ERROR_BAD_SERVER)
+	sprintf(SECUErrorBuf, "Bad server");
+    else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
+	sprintf(SECUErrorBuf, "Export only server");
+    else if (err == SSL_ERROR_NO_CERTIFICATE)
+	sprintf(SECUErrorBuf, "No certificate");
+    else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
+	sprintf(SECUErrorBuf, "No cypher overlap");
+    else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
+	sprintf(SECUErrorBuf, "Unsupported certificate type");
+    else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
+	sprintf(SECUErrorBuf, "Unsupported version");
+    else if (err == SSL_ERROR_US_ONLY_SERVER)
+	sprintf(SECUErrorBuf, "U.S. only server");
+    else if (err == PR_IO_ERROR)
+	sprintf(SECUErrorBuf, "I/O error");
+
+    else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
+        sprintf (SECUErrorBuf, "Expired Issuer Certificate");
+    else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
+        sprintf (SECUErrorBuf, "Revoked certificate");
+    else if (err == SEC_ERROR_NO_KEY)
+        sprintf (SECUErrorBuf, "No private key in database for this cert");
+    else if (err == SEC_ERROR_CERT_NOT_VALID)
+        sprintf (SECUErrorBuf, "Certificate is not valid");
+    else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
+        sprintf (SECUErrorBuf, "Certificate extension was not found");
+    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
+        sprintf (SECUErrorBuf, "Certificate extension value invalid");
+    else if (err == SEC_ERROR_CA_CERT_INVALID)
+        sprintf (SECUErrorBuf, "Issuer certificate is invalid");
+    else if (err == SEC_ERROR_CERT_USAGES_INVALID)
+        sprintf (SECUErrorBuf, "Certificate usages is invalid");
+    else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
+        sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
+    else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
+        sprintf (SECUErrorBuf, "Bad PKCS7 signature");
+    else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
+        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
+    else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
+        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
+
+    return SECUErrorBuf;
+}
+
+char *
+SECU_ErrorString(int16 err)
+{
+    char *error_string;
+
+    *SECUErrorBuf = 0;
+    SECU_ErrorStringRaw (err);
+
+    if (*SECUErrorBuf == 0) { 
+	error_string = SECU_GetString(err);
+	if (error_string == NULL || *error_string == '\0') 
+	    sprintf(SECUErrorBuf, "No error string found for %d.",  err);
+	else
+	    return error_string;
+    }
+
+    return SECUErrorBuf;
+}
+
+
+void 
+SECU_PrintPRandOSError(char *progName) 
+{
+    char buffer[513];
+    PRInt32     errLen = PR_GetErrorTextLength();
+    if (errLen > 0 && errLen < sizeof buffer) {
+        PR_GetErrorText(buffer);
+    }
+    SECU_PrintError(progName, "function failed");
+    if (errLen > 0 && errLen < sizeof buffer) {
+        PR_fprintf(PR_STDERR, "\t%s\n", buffer);
+    }
+}
+
+
+static char *
+bestCertName(CERTCertificate *cert) {
+    if (cert->nickname) {
+	return cert->nickname;
+    }
+    if (cert->emailAddr && cert->emailAddr[0]) {
+	return cert->emailAddr;
+    }
+    return cert->subjectName;
+}
+
+void
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, 
+	CERTCertificate *cert, PRBool checksig, 
+	SECCertificateUsage certUsage, void *pinArg, PRBool verbose,
+	PRTime datetime)
+{
+    CERTVerifyLog      log;
+    CERTVerifyLogNode *node;
+
+    PRErrorCode	       err    = PORT_GetError();
+
+    log.arena = PORT_NewArena(512);
+    log.head = log.tail = NULL;
+    log.count = 0;
+    CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL);
+
+    SECU_displayVerifyLog(outfile, &log, verbose);
+
+    for (node = log.head; node; node = node->next) {
+        if (node->cert)
+            CERT_DestroyCertificate(node->cert);
+    }
+    PORT_FreeArena(log.arena, PR_FALSE);
+
+    PORT_SetError(err); /* restore original error code */
+}
+
+void
+SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
+                      PRBool verbose)
+{
+    CERTVerifyLogNode *node   = NULL;
+    unsigned int       depth  = (unsigned int)-1;
+    unsigned int       flags  = 0;
+    char *             errstr = NULL;
+
+    if (log->count > 0) {
+	fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
+	for (node = log->head; node; node = node->next) {
+	    if (depth != node->depth) {
+		depth = node->depth;
+		fprintf(outfile,"CERT %d. %s %s:\n", depth,
+				 bestCertName(node->cert), 
+			  	 depth ? "[Certificate Authority]": "");
+	    	if (verbose) {
+		    const char * emailAddr;
+		    emailAddr = CERT_GetFirstEmailAddress(node->cert);
+		    if (emailAddr) {
+		    	fprintf(outfile,"Email Address(es): ");
+			do {
+			    fprintf(outfile, "%s\n", emailAddr);
+			    emailAddr = CERT_GetNextEmailAddress(node->cert,
+			                                         emailAddr);
+			} while (emailAddr);
+		    }
+		}
+	    }
+	    fprintf(outfile,"  ERROR %ld: %s\n", node->error,
+						SECU_Strerror(node->error));
+	    errstr = NULL;
+	    switch (node->error) {
+	    case SEC_ERROR_INADEQUATE_KEY_USAGE:
+		flags = (unsigned int)node->arg;
+		switch (flags) {
+		case KU_DIGITAL_SIGNATURE:
+		    errstr = "Cert cannot sign.";
+		    break;
+		case KU_KEY_ENCIPHERMENT:
+		    errstr = "Cert cannot encrypt.";
+		    break;
+		case KU_KEY_CERT_SIGN:
+		    errstr = "Cert cannot sign other certs.";
+		    break;
+		default:
+		    errstr = "[unknown usage].";
+		    break;
+		}
+	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
+		flags = (unsigned int)node->arg;
+		switch (flags) {
+		case NS_CERT_TYPE_SSL_CLIENT:
+		case NS_CERT_TYPE_SSL_SERVER:
+		    errstr = "Cert cannot be used for SSL.";
+		    break;
+		case NS_CERT_TYPE_SSL_CA:
+		    errstr = "Cert cannot be used as an SSL CA.";
+		    break;
+		case NS_CERT_TYPE_EMAIL:
+		    errstr = "Cert cannot be used for SMIME.";
+		    break;
+		case NS_CERT_TYPE_EMAIL_CA:
+		    errstr = "Cert cannot be used as an SMIME CA.";
+		    break;
+		case NS_CERT_TYPE_OBJECT_SIGNING:
+		    errstr = "Cert cannot be used for object signing.";
+		    break;
+		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
+		    errstr = "Cert cannot be used as an object signing CA.";
+		    break;
+		default:
+		    errstr = "[unknown usage].";
+		    break;
+		}
+	    case SEC_ERROR_UNKNOWN_ISSUER:
+	    case SEC_ERROR_UNTRUSTED_ISSUER:
+	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+		errstr = node->cert->issuerName;
+		break;
+	    default:
+		break;
+	    }
+	    if (errstr) {
+		fprintf(stderr,"    %s\n",errstr);
+	    }
+	}    
+    }
+}
+
+void
+SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
+	CERTCertificate *cert, PRBool checksig, 
+	SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
+{
+    SECU_printCertProblemsOnDate(outfile, handle, cert, checksig, 
+	                         certUsage, pinArg, verbose, PR_Now());
+}
+
+SECOidTag 
+SECU_StringToSignatureAlgTag(const char *alg)
+{
+    SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
+
+    if (alg) {
+	if (!PL_strcmp(alg, "MD2")) {
+	    hashAlgTag = SEC_OID_MD2;
+	} else if (!PL_strcmp(alg, "MD4")) {
+	    hashAlgTag = SEC_OID_MD4;
+	} else if (!PL_strcmp(alg, "MD5")) {
+	    hashAlgTag = SEC_OID_MD5;
+	} else if (!PL_strcmp(alg, "SHA1")) {
+	    hashAlgTag = SEC_OID_SHA1;
+	} else if (!PL_strcmp(alg, "SHA256")) {
+	    hashAlgTag = SEC_OID_SHA256;
+	} else if (!PL_strcmp(alg, "SHA384")) {
+	    hashAlgTag = SEC_OID_SHA384;
+	} else if (!PL_strcmp(alg, "SHA512")) {
+	    hashAlgTag = SEC_OID_SHA512;
+	}
+    }
+    return hashAlgTag;
+}
+
+
+SECStatus
+SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile,
+              PRBool ascii, char *url)
+{
+    PORT_Assert(derCrl != NULL);
+    if (!derCrl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (outFile != NULL) {
+        if (ascii) {
+            PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, 
+                       BTOA_DataToAscii(derCrl->data, derCrl->len), 
+                       NS_CRL_TRAILER);
+        } else {
+            if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) {
+                return SECFailure;
+            }
+        }
+    }
+    if (slot) {
+        CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url,
+                                               SEC_CRL_TYPE, NULL, 0, NULL, 0);
+        if (newCrl != NULL) {
+            SEC_DestroyCrl(newCrl);
+            return SECSuccess;
+        }
+        return SECFailure;
+    }
+    if (!outFile && !slot) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
+                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode)
+{
+    SECItem der;
+    SECKEYPrivateKey *caPrivateKey = NULL;    
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag algID;
+    void *dummy;
+
+    PORT_Assert(issuer != NULL && signCrl != NULL);
+    if (!issuer || !signCrl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    arena = signCrl->arena;
+
+    caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL);
+    if (caPrivateKey == NULL) {
+        *resCode = noKeyFound;
+        return SECFailure;
+    }
+
+    algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag);
+    if (algID == SEC_OID_UNKNOWN) {
+        *resCode = noSignatureMatch;
+        rv = SECFailure;
+        goto done;
+    }
+
+    if (!signCrl->crl.signatureAlg.parameters.data) {
+        rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0);
+        if (rv != SECSuccess) {
+            *resCode = failToEncode;
+            goto done;
+        }
+    }
+
+    der.len = 0;
+    der.data = NULL;
+    dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl,
+                               SEC_ASN1_GET(CERT_CrlTemplate));
+    if (!dummy) {
+        *resCode = failToEncode;
+        rv = SECFailure;
+        goto done;
+    }
+
+    rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap,
+                             der.data, der.len, caPrivateKey, algID);
+    if (rv != SECSuccess) {
+        *resCode = failToSign;
+        goto done;
+    }
+
+    signCrl->derCrl = PORT_ArenaZNew(arena, SECItem);
+    if (signCrl->derCrl == NULL) {
+        *resCode = noMem;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        rv = SECFailure;
+        goto done;
+    }
+
+    signCrl->derCrl->len = 0;
+    signCrl->derCrl->data = NULL;
+    dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl,
+                                SEC_ASN1_GET(CERT_SignedCrlTemplate));
+    if (!dummy) {
+        *resCode = failToEncode;
+        rv = SECFailure;
+        goto done;
+    }
+
+done:
+    if (caPrivateKey) {
+        SECKEY_DestroyPrivateKey(caPrivateKey);
+    }
+    return rv;
+}
+
+
+
+SECStatus
+SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl)
+{
+    void *dummy;
+    SECStatus rv = SECSuccess;
+    SECItem der;
+
+    PORT_Assert(destArena && srcCrl && destCrl);
+    if (!destArena || !srcCrl || !destCrl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    der.len = 0;
+    der.data = NULL;
+    dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl,
+                                SEC_ASN1_GET(CERT_CrlTemplate));
+    if (!dummy) {
+        return SECFailure;
+    }
+
+    rv = SEC_QuickDERDecodeItem(destArena, destCrl,
+                                SEC_ASN1_GET(CERT_CrlTemplate), &der);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    
+    destCrl->arena = destArena;
+
+    return rv;
+}
+
+SECStatus
+SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
+                    unsigned char *buf, int len, SECKEYPrivateKey *pk,
+                    SECOidTag algID)
+{
+    SECItem it;
+    SECStatus rv;
+
+    it.data = 0;
+
+    /* XXX We should probably have some asserts here to make sure the key type
+     * and algID match
+     */
+
+    /* Sign input buffer */
+    rv = SEC_SignData(&it, buf, len, pk, algID);
+    if (rv) goto loser;
+
+    /* Fill out SignedData object */
+    PORT_Memset(sd, 0, sizeof(sd));
+    sd->data.data = buf;
+    sd->data.len = len;
+    sd->signature.data = it.data;
+    sd->signature.len = it.len << 3;		/* convert to bit string */
+    if (!sd->signatureAlgorithm.parameters.data) {
+        rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0);
+        if (rv) goto loser;
+    }
+
+    return rv;
+
+  loser:
+    PORT_Free(it.data);
+    return rv;
+}
+
+#if 0
+
+/* we need access to the private function cert_FindExtension for this code to work */
+
+CERTAuthKeyID *
+SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+    CERTAuthKeyID *ret;
+    CERTCrl* crl;
+
+    if (!scrl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    crl = &scrl->crl;
+    
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(ret);
+}
+
+#endif
+
+/*
+ * Find the issuer of a Crl.  Use the authorityKeyID if it exists.
+ */
+CERTCertificate *
+SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
+                   CERTAuthKeyID* authorityKeyID, PRTime validTime)
+{
+    CERTCertificate *issuerCert = NULL;
+    CERTCertList *certList = NULL;
+
+    if (!subject) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    certList =
+        CERT_CreateSubjectCertList(NULL, dbhandle, subject,
+                                   validTime, PR_TRUE);
+    if (certList) {
+        CERTCertListNode *node = CERT_LIST_HEAD(certList);
+    
+        /* XXX and authoritykeyid in the future */
+        while ( ! CERT_LIST_END(node, certList) ) {
+            CERTCertificate *cert = node->cert;
+            /* check cert CERTCertTrust data is allocated, check cert
+               usage extension, check that cert has pkey in db. Select
+               the first (newest) user cert */
+            if (cert->trust &&
+                CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
+                CERT_IsUserCert(cert)) {
+                
+                issuerCert = CERT_DupCertificate(cert);
+                break;
+            }
+            node = CERT_LIST_NEXT(node);   
+        }
+        CERT_DestroyCertList(certList);
+    }
+    return(issuerCert);
+}
+
+
+/* Encodes and adds extensions to the CRL or CRL entries. */
+SECStatus 
+SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
+                                void *value, PRBool criticality, int extenType, 
+                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn)
+{
+    SECItem encodedValue;
+    SECStatus rv;
+
+    encodedValue.data = NULL;
+    encodedValue.len = 0;
+    do {
+        rv = (*EncodeValueFn)(arena, value, &encodedValue);
+        if (rv != SECSuccess)
+            break;
+
+        rv = CERT_AddExtension(extHandle, extenType, &encodedValue,
+                               criticality, PR_TRUE);
+        if (rv != SECSuccess)
+            break;
+    } while (0);
+
+    return (rv);
+}
+
+/* Caller ensures that dst is at least item->len*2+1 bytes long */
+void
+SECU_SECItemToHex(const SECItem * item, char * dst)
+{
+    if (dst && item && item->data) {
+	unsigned char * src = item->data;
+	unsigned int    len = item->len;
+	for (; len > 0; --len, dst += 2) {
+	    sprintf(dst, "%02x", *src++);
+	}
+	*dst = '\0';
+    }
+}
+
+static unsigned char nibble(char c) {
+    c = PORT_Tolower(c);
+    return ( c >= '0' && c <= '9') ? c - '0' :
+           ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1;
+}
+
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest)
+{
+    int i;
+
+    if (!srcdest) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (srcdest->len < 4 || (srcdest->len % 2) ) {
+        /* too short to convert, or even number of characters */
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+    if (PORT_Strncasecmp((const char*)srcdest->data, "0x", 2)) {
+        /* wrong prefix */
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        return SECFailure;
+    }
+
+    /* 1st pass to check for hex characters */
+    for (i=2; i<srcdest->len; i++) {
+        char c = PORT_Tolower(srcdest->data[i]);
+        if (! ( ( c >= '0' && c <= '9') ||
+                ( c >= 'a' && c <= 'f')
+              ) ) {
+            PORT_SetError(SEC_ERROR_BAD_DATA);
+            return SECFailure;
+        }
+    }
+
+    /* 2nd pass to convert */
+    for (i=2; i<srcdest->len; i+=2) {
+        srcdest->data[(i-2)/2] = (nibble(srcdest->data[i]) << 4) +
+                                 nibble(srcdest->data[i+1]);
+    }
+
+    /* adjust length */
+    srcdest->len -= 2;
+    srcdest->len /= 2;
+    return SECSuccess;
+}
+
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
new file mode 100644
index 000000000..cfe975833
--- /dev/null
+++ b/security/nss/cmd/lib/secutil.h
@@ -0,0 +1,460 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _SEC_UTIL_H_
+#define _SEC_UTIL_H_
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "prerror.h"
+#include "base64.h"
+#include "key.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secder.h"
+#include <stdio.h>
+
+#define SEC_CT_PRIVATE_KEY		"private-key"
+#define SEC_CT_PUBLIC_KEY		"public-key"
+#define SEC_CT_CERTIFICATE		"certificate"
+#define SEC_CT_CERTIFICATE_REQUEST	"certificate-request"
+#define SEC_CT_PKCS7			"pkcs7"
+#define SEC_CT_CRL			"crl"
+
+#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
+#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
+
+#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
+#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
+
+#define NS_CRL_HEADER  "-----BEGIN CRL-----"
+#define NS_CRL_TRAILER "-----END CRL-----"
+
+#ifdef SECUTIL_NEW
+typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, 
+                           char *msg, int level);
+#else
+typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
+#endif
+
+typedef struct {
+    enum {
+	PW_NONE = 0,
+	PW_FROMFILE = 1,
+	PW_PLAINTEXT = 2,
+	PW_EXTERNAL = 3
+    } source;
+    char *data;
+} secuPWData;
+
+/*
+** Change a password on a token, or initialize a token with a password
+** if it does not already have one.
+** Use passwd to send the password in plaintext, pwFile to specify a
+** file containing the password, or NULL for both to prompt the user.
+*/
+SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
+
+/*
+** Change a password on a token, or initialize a token with a password
+** if it does not already have one.
+** In this function, you can specify both the old and new passwords
+** as either a string or file. NOTE: any you don't specify will
+** be prompted for
+*/
+SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
+                        char *oldPwFile, char *newPwFile);
+
+/*  These were stolen from the old sec.h... */
+/*
+** Check a password for legitimacy. Passwords must be at least 8
+** characters long and contain one non-alphabetic. Return DSTrue if the
+** password is ok, DSFalse otherwise.
+*/
+extern PRBool SEC_CheckPassword(char *password);
+
+/*
+** Blind check of a password. Complement to SEC_CheckPassword which 
+** ignores length and content type, just retuning DSTrue is the password
+** exists, DSFalse if NULL
+*/
+extern PRBool SEC_BlindCheckPassword(char *password);
+
+/*
+** Get a password.
+** First prompt with "msg" on "out", then read the password from "in".
+** The password is then checked using "chkpw".
+*/
+extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
+				      PRBool (*chkpw)(char *));
+
+char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
+
+char *SECU_GetPasswordString(void *arg, char *prompt);
+
+/*
+** Write a dongle password.
+** Uses MD5 to hash constant system data (hostname, etc.), and then
+** creates RC4 key to encrypt a password "pw" into a file "fd".
+*/
+extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
+
+/*
+** Get a dongle password.
+** Uses MD5 to hash constant system data (hostname, etc.), and then
+** creates RC4 key to decrypt and return a password from file "fd".
+*/
+extern char *SEC_ReadDongleFile(int fd);
+
+
+/* End stolen headers */
+
+/* Just sticks the two strings together with a / if needed */
+char *SECU_AppendFilenameToDir(char *dir, char *filename);
+
+/* Returns result of getenv("SSL_DIR") or NULL */
+extern char *SECU_DefaultSSLDir(void);
+
+/*
+** Should be called once during initialization to set the default 
+**    directory for looking for cert.db, key.db, and cert-nameidx.db files
+** Removes trailing '/' in 'base' 
+** If 'base' is NULL, defaults to set to .netscape in home directory.
+*/
+extern char *SECU_ConfigDirectory(const char* base);
+
+/* 
+** Basic callback function for SSL_GetClientAuthDataHook
+*/
+extern int
+SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
+		       struct CERTDistNamesStr *caNames,
+		       struct CERTCertificateStr **pRetCert,
+		       struct SECKEYPrivateKeyStr **pRetKey);
+
+/* print out an error message */
+extern void SECU_PrintError(char *progName, char *msg, ...);
+
+/* print out a system error message */
+extern void SECU_PrintSystemError(char *progName, char *msg, ...);
+
+/* Return informative error string */
+extern const char * SECU_Strerror(PRErrorCode errNum);
+
+/* revalidate the cert and print information about cert verification
+ * failure at time == now */
+extern void
+SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
+	CERTCertificate *cert, PRBool checksig, 
+	SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
+
+/* revalidate the cert and print information about cert verification
+ * failure at specified time */
+extern void
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, 
+	CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage, 
+	void *pinArg, PRBool verbose, PRTime datetime);
+
+/* print out CERTVerifyLog info. */
+extern void
+SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
+                      PRBool verbose);
+
+/* Read the contents of a file into a SECItem */
+extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
+extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
+
+/* Read in a DER from a file, may be ascii  */
+extern SECStatus 
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
+
+/* Indent based on "level" */
+extern void SECU_Indent(FILE *out, int level);
+
+/* Print integer value and hex */
+extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
+
+/* Print ObjectIdentifier symbolically */
+extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
+
+/* Print AlgorithmIdentifier symbolically */
+extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
+				  int level);
+
+/* Print SECItem as hex */
+extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
+
+/* dump a buffer in hex and ASCII */
+extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
+
+/*
+ * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
+ * do indent formatting based on "level" and add a newline afterward;
+ * otherwise just print the formatted time string only.
+ */
+extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
+
+/*
+ * Format and print the Generalized Time "t".  If the tag message "m"
+ * is not NULL, * do indent formatting based on "level" and add a newline
+ * afterward; otherwise just print the formatted time string only.
+ */
+extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
+				      int level);
+
+/*
+ * Format and print the UTC or Generalized Time "t".  If the tag message
+ * "m" is not NULL, do indent formatting based on "level" and add a newline
+ * afterward; otherwise just print the formatted time string only.
+ */
+extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
+
+/* callback for listing certs through pkcs11 */
+extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
+
+/* Dump all certificate nicknames in a database */
+extern SECStatus
+SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, 
+                           PRBool sortByName, PRBool sortByTrust);
+
+/* See if nickname already in database. Return 1 true, 0 false, -1 error */
+int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
+
+/* Dump contents of cert req */
+extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
+	int level);
+
+/* Dump contents of certificate */
+extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
+
+/* print trust flags on a cert */
+extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
+                                 int level);
+
+/* Dump contents of an RSA public key */
+extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
+
+extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, 
+                                          int level);
+
+#ifdef HAVE_EPV_TEMPLATE
+/* Dump contents of private key */
+extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
+#endif
+
+/* Print the MD5 and SHA1 fingerprints of a cert */
+extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
+                                  int level);
+
+/* Pretty-print any PKCS7 thing */
+extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, 
+				      int level);
+
+/* Init PKCS11 stuff */
+extern SECStatus SECU_PKCS11Init(PRBool readOnly);
+
+/* Dump contents of signed data */
+extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
+				SECU_PPFunc inner);
+
+/* Print cert data and its trust flags */
+extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
+                                              const char *label,
+                                              CERTCertTrust *trust);
+
+extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
+
+extern void
+SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
+
+extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
+extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
+
+extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
+extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
+                                 char *msg, int level);
+
+extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
+				 char *msg, int level);
+
+extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
+extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level);
+
+#ifdef SECU_GetPassword
+/* Convert a High public Key to a Low public Key */
+extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
+#endif
+
+extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
+
+extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
+extern void SEC_Init(void);
+
+extern char *SECU_SECModDBName(void);
+
+extern void SECU_PrintPRandOSError(char *progName);
+
+extern SECStatus SECU_RegisterDynamicOids(void);
+
+/* Identifies hash algorithm tag by its string representation. */
+extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
+
+/* Store CRL in output file or pk11 db. Also
+ * encodes with base64 and exports to file if ascii flag is set
+ * and file is not NULL. */
+extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
+                               PRFileDesc *outFile, PRBool ascii, char *url);
+
+
+/*
+** DER sign a single block of data using private key encryption and the
+** MD5 hashing algorithm. This routine first computes a digital signature
+** using SEC_SignData, then wraps it with an CERTSignedData and then der
+** encodes the result.
+**	"arena" is the memory arena to use to allocate data from
+**      "sd" returned CERTSignedData 
+** 	"result" the final der encoded data (memory is allocated)
+** 	"buf" the input data to sign
+** 	"len" the amount of data to sign
+** 	"pk" the private key to encrypt with
+*/
+extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
+                                     unsigned char *buf, int len,
+                                     SECKEYPrivateKey *pk, SECOidTag algID);
+
+typedef enum  {
+    noKeyFound = 1,
+    noSignatureMatch = 2,
+    failToEncode = 3,
+    failToSign = 4,
+    noMem = 5
+} SignAndEncodeFuncExitStat;
+
+extern SECStatus
+SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
+                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
+
+extern SECStatus
+SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
+
+/*
+** Finds the crl Authority Key Id extension. Returns NULL if no such extension
+** was found.
+*/
+CERTAuthKeyID *
+SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
+
+/*
+ * Find the issuer of a crl. Cert usage should be checked before signing a crl.
+ */
+CERTCertificate *
+SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
+                   CERTAuthKeyID* id, PRTime validTime);
+
+
+/* call back function used in encoding of an extension. Called from
+ * SECU_EncodeAndAddExtensionValue */
+typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
+                                               void *value, SECItem *encodedValue);
+
+/* Encodes and adds extensions to the CRL or CRL entries. */
+SECStatus 
+SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
+                                void *value, PRBool criticality, int extenType, 
+                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
+
+/* Caller ensures that dst is at least item->len*2+1 bytes long */
+void
+SECU_SECItemToHex(const SECItem * item, char * dst);
+
+/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
+ * successful */
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest);
+
+/*
+ *
+ *  Utilities for parsing security tools command lines 
+ *
+ */
+
+/*  A single command flag  */
+typedef struct {
+    char flag;
+    PRBool needsArg;
+    char *arg;
+    PRBool activated;
+    char *longform;
+} secuCommandFlag;
+
+/*  A full array of command/option flags  */
+typedef struct
+{
+    int numCommands;
+    int numOptions;
+
+    secuCommandFlag *commands;
+    secuCommandFlag *options;
+} secuCommand;
+
+/*  fill the "arg" and "activated" fields for each flag  */
+SECStatus 
+SECU_ParseCommandLine(int argc, char **argv, char *progName,
+		      const secuCommand *cmd);
+char *
+SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
+
+/*
+ *
+ *  Error messaging
+ *
+ */
+
+/* Return informative error string */
+char *SECU_ErrorString(int16 err);
+
+/* Return informative error string. Does not call XP_GetString */
+char *SECU_ErrorStringRaw(int16 err);
+
+void printflags(char *trusts, unsigned int flags);
+
+#if !defined(XP_UNIX) && !defined(XP_OS2)
+extern int ffs(unsigned int i);
+#endif
+
+#include "secerr.h"
+#include "sslerr.h"
+
+#endif /* _SEC_UTIL_H_ */
diff --git a/security/nss/cmd/libpkix/Makefile b/security/nss/cmd/libpkix/Makefile
new file mode 100755
index 000000000..032bd29c9
--- /dev/null
+++ b/security/nss/cmd/libpkix/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
+
diff --git a/security/nss/cmd/libpkix/config.mk b/security/nss/cmd/libpkix/config.mk
new file mode 100644
index 000000000..5ad9e1b90
--- /dev/null
+++ b/security/nss/cmd/libpkix/config.mk
@@ -0,0 +1,42 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+TARGETS = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
diff --git a/security/nss/cmd/libpkix/manifest.mn b/security/nss/cmd/libpkix/manifest.mn
new file mode 100755
index 000000000..3768a5ce5
--- /dev/null
+++ b/security/nss/cmd/libpkix/manifest.mn
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = .
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+DIRS =  testutil  pkix_pl  pkix  sample_apps  perf  pkixutil \
+	$(NULL)
diff --git a/security/nss/cmd/libpkix/perf/Makefile b/security/nss/cmd/libpkix/perf/Makefile
new file mode 100755
index 000000000..c13b32931
--- /dev/null
+++ b/security/nss/cmd/libpkix/perf/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
+
diff --git a/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c b/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c
new file mode 100644
index 000000000..bce93f22a
--- /dev/null
+++ b/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c
@@ -0,0 +1,382 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * libpkixBuildThreads.c
+ *
+ * libpkix Builder Performance Evaluation application (multi-threaded)
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "nss.h"
+
+#include "pkix.h"
+#include "pkix_tools.h"
+#include "pkix_pl_cert.h"
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+#undef pkixTempResult
+#define PERF_DECREF(obj) \
+        { \
+                PKIX_Error *pkixTempResult = NULL; \
+                if (obj){ \
+                        pkixTempResult = PKIX_PL_Object_DecRef \
+                        ((PKIX_PL_Object *)(obj), plContext); \
+                        obj = NULL; \
+                } \
+        }
+
+static void finish(char* message, int code);
+
+typedef struct ThreadDataStr tData;
+
+struct ThreadDataStr {
+    CERTCertificate* anchor;
+    char* eecertName;
+    PRIntervalTime duration;
+    CERTCertDBHandle *handle;
+    PRUint32 iterations;
+};
+
+#define PKIX_LOGGER_ON 1
+
+#ifdef PKIX_LOGGER_ON
+
+char *logLevels[] = {
+        "None",
+        "Fatal Error",
+        "Error",
+        "Warning",
+        "Debug",
+        "Trace"
+};
+
+static PKIX_Error *loggerCallback(
+        PKIX_Logger *logger,
+        PKIX_PL_String *message,
+        PKIX_UInt32 logLevel,
+        PKIX_ERRORCLASS logComponent,
+        void *plContext)
+{
+        char *msg = NULL;
+        static int callCount = 0;
+
+        msg = PKIX_String2ASCII(message, plContext);
+        printf("Logging %s (%s): %s\n",
+                logLevels[logLevel],
+                PKIX_ERRORCLASSNAMES[logComponent],
+                msg);
+        PR_Free((void *)msg);
+
+        return(NULL);
+}
+
+#endif /* PKIX_LOGGER_ON */
+
+static void ThreadEntry(void* data)
+{
+        tData* tdata = (tData*) data;
+        PRIntervalTime duration = tdata->duration;
+        PRIntervalTime start = PR_IntervalNow();
+
+        PKIX_List *anchors = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        CERTCertificate* nsseecert;
+        PKIX_PL_Cert *eeCert = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_PL_Date *nowDate = NULL;
+        void *state = NULL; /* only relevant with non-blocking I/O */
+        void *nbioContext = NULL; /* only relevant with non-blocking I/O */
+
+        PR_ASSERT(duration);
+        if (!duration){
+                return;
+        }
+
+        do {
+
+                /* libpkix code */
+
+                /* keep more update time, testing cache */
+                PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext);
+
+                /* CertUsage is 0x10 and no NSS arena */
+                /* We haven't determined how we obtain the value of wincx */
+
+                nsseecert = CERT_FindCertByNicknameOrEmailAddr(tdata->handle,
+                        tdata->eecertName);
+                if (!nsseecert) finish("Unable to find eecert.\n", 1);
+
+                pkix_pl_Cert_CreateWithNSSCert
+                        (nsseecert, &eeCert, plContext);
+
+                PKIX_List_Create(&anchors, plContext);
+
+        /*
+         * This code is retired.
+         *      pkix_pl_Cert_CreateWithNSSCert
+         *              (tdata->anchor, &anchorCert, NULL);
+         *      PKIX_TrustAnchor_CreateWithCert(anchorCert, &anchor, NULL);
+         *      PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, NULL);
+         */
+
+                PKIX_ProcessingParams_Create(anchors, &procParams, plContext);
+
+                PKIX_ProcessingParams_SetRevocationEnabled
+                        (procParams, PKIX_TRUE, plContext);
+
+                PKIX_ProcessingParams_SetDate
+                        (procParams, nowDate, plContext);
+
+                /* create CertSelector with target certificate in params */
+
+                PKIX_ComCertSelParams_Create(&certSelParams, plContext);
+
+                PKIX_ComCertSelParams_SetCertificate
+                        (certSelParams, eeCert, plContext);
+
+                PKIX_CertSelector_Create
+                        (NULL, NULL, &certSelector, plContext);
+
+                PKIX_CertSelector_SetCommonCertSelectorParams
+                        (certSelector, certSelParams, plContext);
+
+                PKIX_ProcessingParams_SetTargetCertConstraints
+                        (procParams, certSelector, plContext);
+
+                PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
+
+                PKIX_List_Create(&certStores, plContext);
+                PKIX_List_AppendItem
+                        (certStores, (PKIX_PL_Object *)certStore, plContext);
+                PKIX_ProcessingParams_SetCertStores
+                        (procParams, certStores, plContext);
+
+                PKIX_BuildChain
+                        (procParams,
+                        &nbioContext,
+                        &state,
+                        &buildResult,
+                        NULL,
+                        plContext);
+
+                /*
+                 * As long as we use only CertStores with blocking I/O, we
+                 * know we must be done at this point.
+                 */
+
+                if (!buildResult){
+                        (void) fprintf(stderr, "libpkix BuildChain failed.\n");
+                        PORT_Assert(0);
+                        return;
+                }
+
+                tdata->iterations ++;
+
+                PERF_DECREF(nowDate);
+                PERF_DECREF(anchors);
+                PERF_DECREF(procParams);
+                PERF_DECREF(buildResult);
+                PERF_DECREF(certStore);
+                PERF_DECREF(certStores);
+                PERF_DECREF(certSelParams);
+                PERF_DECREF(certSelector);
+                PERF_DECREF(eeCert);
+
+        } while ((PR_IntervalNow() - start) < duration);
+
+
+}
+
+static void
+Test(
+        CERTCertificate* anchor,
+        char* eecertName,
+        PRIntervalTime duration,
+        CERTCertDBHandle *handle,
+        PRUint32 threads)
+{
+        tData data;
+        tData** alldata;
+        PRIntervalTime starttime, endtime, elapsed;
+        PRUint32 msecs;
+        float total = 0;
+        PRThread** pthreads = NULL;
+        PRUint32 i = 0;
+
+        data.duration = duration;
+        data.anchor = anchor;
+        data.eecertName = eecertName;
+        data.handle = handle;
+
+        data.iterations = 0;
+
+        starttime = PR_IntervalNow();
+        pthreads = (PRThread**)PR_Malloc(threads*sizeof (PRThread*));
+        alldata = (tData**)PR_Malloc(threads*sizeof (tData*));
+        for (i = 0; i < threads; i++){
+                alldata[i] = (tData*)PR_Malloc(sizeof (tData));
+                *alldata[i] = data;
+                pthreads[i] =
+                        PR_CreateThread(PR_USER_THREAD,
+                                        ThreadEntry,
+                                        (void*) alldata[i],
+                                        PR_PRIORITY_NORMAL,
+                                        PR_GLOBAL_THREAD,
+                                        PR_JOINABLE_THREAD,
+                                        0);
+        }
+
+        for (i = 0; i < threads; i++) {
+                tData* args = alldata[i];
+                PR_JoinThread(pthreads[i]);
+                total += args->iterations;
+                PR_Free((void*)args);
+        }
+
+        PR_Free((void*) pthreads);
+        PR_Free((void*) alldata);
+        endtime = PR_IntervalNow();
+
+        endtime = PR_IntervalNow();
+        elapsed = endtime - starttime;
+        msecs = PR_IntervalToMilliseconds(elapsed);
+        total /= msecs;
+        total *= 1000;
+        (void) fprintf(stdout, "%f operations per second.\n", total);
+}
+
+
+static void finish(char* message, int code)
+{
+        (void) printf(message);
+        exit(code);
+}
+
+static void usage(char* progname)
+{
+        (void) printf("Usage : %s <-d certStoreDirectory> <duration> <threads> "
+                      "<anchorNickname> <eecertNickname>\n\n", progname);
+        finish("", 0);
+}
+
+int
+libpkix_buildthreads(int argc, char** argv)
+{
+        CERTCertDBHandle *handle = NULL;
+        CERTCertificate* eecert = NULL;
+        PRIntervalTime duration = PR_SecondsToInterval(1);
+        PRUint32 threads = 1;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        PKIX_Logger *logger = NULL;
+        void *wincx = NULL;
+
+        /* if (argc != 5) -- when TrustAnchor used to be on command line */
+        if (argc != 4)
+                {
+                        usage(argv[0]);
+                }
+        if (atoi(argv[1]) > 0)
+                {
+                        duration = PR_SecondsToInterval(atoi(argv[1]));
+                }
+        if (atoi(argv[2]) > 0)
+                {
+                        threads = atoi(argv[2]);
+                }
+
+        PKIX_PL_NssContext_Create(certificateUsageEmailSigner, PKIX_FALSE,
+                                  NULL, &plContext);
+
+        handle = CERT_GetDefaultCertDB();
+        PR_ASSERT(handle);
+
+#ifdef PKIX_LOGGER_ON
+
+        /* set logger to log trace and up */
+        PKIX_SetLoggers(NULL, plContext);
+        PKIX_Logger_Create(loggerCallback, NULL, &logger, plContext);
+        PKIX_Logger_SetMaxLoggingLevel
+                (logger, PKIX_LOGGER_LEVEL_WARNING, plContext);
+        PKIX_AddLogger(logger, plContext);
+
+#endif /* PKIX_LOGGER_ON */
+
+        /*
+         * This code is retired
+         *      anchor = CERT_FindCertByNicknameOrEmailAddr(handle, argv[3]);
+         *      if (!anchor) finish("Unable to find anchor.\n", 1);
+         *
+         *      eecert = CERT_FindCertByNicknameOrEmailAddr(handle, argv[4]);
+     
+         *      if (!eecert) finish("Unable to find eecert.\n", 1);
+         *
+         *      Test(anchor, eecert, duration, threads);
+         */
+
+        Test(NULL, argv[3], duration, handle, threads);
+
+        PERF_DECREF(logger);
+
+        PKIX_Shutdown(plContext);
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/perf/manifest.mn b/security/nss/cmd/libpkix/perf/manifest.mn
new file mode 100755
index 000000000..511118d14
--- /dev/null
+++ b/security/nss/cmd/libpkix/perf/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = libpkix_buildthreads.c \
+	nss_threads.c \
+	$(NULL)
+
+LIBRARY_NAME = pkixtoolperf
+
+SOURCE_LIB_DIR = $(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/perf/nss_threads.c b/security/nss/cmd/libpkix/perf/nss_threads.c
new file mode 100644
index 000000000..7f1a16eee
--- /dev/null
+++ b/security/nss/cmd/libpkix/perf/nss_threads.c
@@ -0,0 +1,197 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * nssThreads.c
+ *
+ * NSS Performance Evaluation application (multi-threaded)
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "nss.h"
+
+typedef struct ThreadDataStr tData;
+
+struct ThreadDataStr {
+    CERTCertificate* cert;
+    PRIntervalTime duration;
+    PRUint32 iterations;
+};
+
+static void ThreadEntry(void* data)
+{
+        tData* tdata = (tData*) data;
+        PRIntervalTime duration = tdata->duration;
+        PRTime now = PR_Now();
+        PRIntervalTime start = PR_IntervalNow();
+
+        PR_ASSERT(duration);
+        if (!duration)
+                {
+                        return;
+                }
+        do {
+                SECStatus rv = CERT_VerifyCertificate
+                        (CERT_GetDefaultCertDB(),
+                        tdata->cert,
+                        PR_TRUE,
+                        certificateUsageEmailSigner,
+                        now,
+                        NULL,
+                        NULL,
+                        NULL);
+                if (rv != SECSuccess)
+                        {
+                                (void) fprintf(stderr, "Validation failed.\n");
+                                PORT_Assert(0);
+                                return;
+                        }
+                tdata->iterations ++;
+        } while ((PR_IntervalNow() - start) < duration);
+}
+
+static void Test(CERTCertificate* cert, PRIntervalTime duration, PRUint32 threads)
+{
+        tData data;
+        tData** alldata;
+        PRIntervalTime starttime, endtime, elapsed;
+        PRUint32 msecs;
+        float total = 0;
+        PRThread** pthreads = NULL;
+        PRUint32 i = 0;
+
+        data.duration = duration;
+        data.cert = cert;
+        data.iterations = 0;
+
+        starttime = PR_IntervalNow();
+        pthreads = (PRThread**)PR_Malloc(threads*sizeof (PRThread*));
+        alldata = (tData**)PR_Malloc(threads*sizeof (tData*));
+        for (i = 0; i < threads; i++)
+                {
+                        alldata[i] = (tData*)PR_Malloc(sizeof (tData));
+                        *alldata[i] = data;
+                        pthreads[i] =
+                                PR_CreateThread(PR_USER_THREAD,
+                                                ThreadEntry,
+                                                (void*) alldata[i],
+                                                PR_PRIORITY_NORMAL,
+                                                PR_GLOBAL_THREAD,
+                                                PR_JOINABLE_THREAD,
+                                                0);
+
+                }
+        for (i = 0; i < threads; i++)
+                {
+                        tData* args = alldata[i];
+                        PR_JoinThread(pthreads[i]);
+                        total += args->iterations;
+                        PR_Free((void*)args);
+                }
+        PR_Free((void*) pthreads);
+        PR_Free((void*) alldata);
+        endtime = PR_IntervalNow();
+
+        endtime = PR_IntervalNow();
+        elapsed = endtime - starttime;
+        msecs = PR_IntervalToMilliseconds(elapsed);
+        total /= msecs;
+        total *= 1000;
+        (void) fprintf(stdout, "%f operations per second.\n", total);
+}
+
+
+static void finish(char* message, int code)
+{
+        (void) printf(message);
+        exit(code);
+}
+
+static void usage(char* progname)
+{
+        (void) printf("Usage : %s <duration> <threads> <certnickname>\n\n",
+                    progname);
+        finish("", 0);
+}
+
+int nss_threads(int argc, char** argv)
+{
+        SECStatus rv = SECSuccess;
+        CERTCertDBHandle *handle = NULL;
+        CERTCertificate* cert = NULL;
+        PRIntervalTime duration = PR_SecondsToInterval(1);
+        PRUint32 threads = 1;
+        if (argc != 4)
+                {
+                        usage(argv[0]);
+                }
+        if (atoi(argv[1]) > 0)
+                {
+                        duration = PR_SecondsToInterval(atoi(argv[1]));
+                }
+        if (atoi(argv[2]) > 0)
+                {
+                        threads = atoi(argv[2]);
+                }
+
+        handle = CERT_GetDefaultCertDB();
+        PR_ASSERT(handle);
+        cert = CERT_FindCertByNicknameOrEmailAddr(handle, argv[3]);
+        if (!cert)
+                {
+                        finish("Unable to find certificate.\n", 1);
+                }
+        Test(cert, duration, threads);
+
+        CERT_DestroyCertificate(cert);
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/Makefile b/security/nss/cmd/libpkix/pkix/Makefile
new file mode 100755
index 000000000..2b004b29e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
+
diff --git a/security/nss/cmd/libpkix/pkix/certsel/Makefile b/security/nss/cmd/libpkix/pkix/certsel/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/certsel/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/certsel/manifest.mn b/security/nss/cmd/libpkix/pkix/certsel/manifest.mn
new file mode 100755
index 000000000..7dbfd56a1
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/certsel/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_certselector.c \
+	test_comcertselparams.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolcertsel
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c b/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c
new file mode 100644
index 000000000..57068b76e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c
@@ -0,0 +1,1992 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_certselector.c
+ *
+ * Test Cert Selector
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5
+#define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2
+#define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2
+#define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4
+#define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1
+
+static void *plContext = NULL;
+
+/*
+ * The first three certs are used to obtain policies to test
+ * policy matching. Changing the table could break tests.
+ */
+static char *certList[] = {
+#define POLICY1CERT 0
+                "GoodCACert.crt",
+#define ANYPOLICYCERT 1
+                "anyPolicyCACert.crt",
+#define POLICY2CERT 2
+                "PoliciesP12CACert.crt",
+#define SUBJECTCERT 3
+                "PoliciesP3CACert.crt",
+                "PoliciesP1234CACert.crt",
+                "pathLenConstraint0CACert.crt",
+                "pathLenConstraint1CACert.crt",
+                "pathLenConstraint6CACert.crt",
+                "TrustAnchorRootCertificate.crt",
+                "GoodsubCACert.crt",
+                "AnyPolicyTest14EE.crt",
+                "UserNoticeQualifierTest16EE.crt"
+        };
+#define NUMCERTS (sizeof (certList)/sizeof (certList[0]))
+
+/*
+ * Following are Certs values for NameConstraints tests
+ *
+ * Cert0:nameConstraintsDN1subCA1Cert.crt:
+ * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1,
+ *              O=Test Certificates,C=US
+ *      Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1,
+ *              O=Test Certificates,C=US)
+ *      Excluded Name: (EMPTY)
+ * Cert1:nameConstraintsDN3subCA2Cert.crt:
+ *      Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US
+ *      Permitted Name:(O=Test Certificates,C=US)
+ *      Excluded Name:(EMPTY)
+ * Cert2:nameConstraintsDN2CACert.crt
+ *      Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US
+ *      Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US,
+ *              OU=permittedSubtree2,O=Test Certificates,C=US)
+ *      Excluded Name:(EMPTY)
+ * Cert3:nameConstraintsDN3subCA1Cert.crt
+ *      Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US
+ *      Permitted Name:(EMPTY)
+ *      Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US)
+ * Cert4:nameConstraintsDN4CACert.crt
+ *      Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US
+ *      Permitted Name:(EMPTY)
+ *      Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US,
+ *              OU=excludedSubtree2,O=Test Certificates,C=US)
+ * Cert5:nameConstraintsDN5CACert.crt
+ *      Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US
+ *      Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US)
+ *      Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1,
+ *              O=Test Certificates,C=US)
+ * Cert6:ValidDNnameConstraintsTest1EE.crt
+ *      Subject:CN=Valid DN nameConstraints EE Certificate Test1,
+ *      OU=permittedSubtree1,O=Test Certificates,C=US
+ *
+ */
+static char *ncCertList[] = {
+        "nameConstraintsDN1subCA1Cert.crt",
+        "nameConstraintsDN3subCA2Cert.crt",
+        "nameConstraintsDN2CACert.crt",
+        "nameConstraintsDN3subCA1Cert.crt",
+        "nameConstraintsDN4CACert.crt",
+        "nameConstraintsDN5CACert.crt",
+        "ValidDNnameConstraintsTest1EE.crt"
+};
+#define NUMNCCERTS (sizeof (ncCertList)/sizeof (ncCertList[0]))
+
+static char *sanCertList[] = {
+        "InvalidDNnameConstraintsTest3EE.crt",
+        "InvalidDNSnameConstraintsTest38EE.crt"
+};
+#define NUMSANCERTS (sizeof (sanCertList)/sizeof (sanCertList[0]))
+
+/*
+ * This function calls the CertSelector pointed to by "selector" for each
+ * cert in the List pointed to by "certs", and compares the results against
+ * the bit array given by the UInt32 "expectedResults". If the first cert is
+ * expected to pass, the lower-order bit of "expectedResults" should be 1.
+ * If the second cert is expected to pass, the second bit of "expectedResults"
+ * should be 1, and so on. If more than 32 certs are provided, only the first
+ * 32 will be checked. It is not an error to provide more bits than needed.
+ * (For example, if you expect every cert to pass, "expectedResult" can be
+ * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.)
+ */
+static
+void testSelector(
+        PKIX_CertSelector *selector,
+        PKIX_List *certs,
+        PKIX_UInt32 expectedResults)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numCerts = 0;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_CertSelector_MatchCallback callback = NULL;
+        PKIX_Error *errReturn = NULL;
+        PKIX_Boolean result = PKIX_TRUE;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
+                (selector, &callback, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certs, &numCerts, plContext));
+        if (numCerts > 32) {
+                numCerts = 32;
+        }
+
+        for (i = 0; i < numCerts; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                        (certs, i, (PKIX_PL_Object **)&cert, plContext));
+                errReturn = callback(selector, cert, &result, plContext);
+
+                if (errReturn || result == PKIX_FALSE) {
+                        if ((expectedResults & 1) == 1) {
+                                testError("selector unexpectedly failed");
+                                (void) printf("    processing cert:\t%d\n", i);
+                        }
+                } else {
+                        if ((expectedResults & 1) == 0) {
+                                testError("selector unexpectedly passed");
+                                (void) printf("    processing cert:\t%d\n", i);
+                        }
+                }
+
+                expectedResults = expectedResults >> 1;
+                PKIX_TEST_DECREF_BC(cert);
+                PKIX_TEST_DECREF_BC(errReturn);
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(errReturn);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function gets a policy from the Cert pointed to by "cert", according
+ * to the index provided by "index", creates an immutable List containing the
+ * OID of that policy, and stores the result at "pPolicyList".
+ */
+static void testGetPolicyFromCert(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 index,
+        PKIX_List **pPolicyList)
+{
+        PKIX_List *policyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *firstPolicy = NULL;
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_List *list = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &policyInfo, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (policyInfo,
+                index,
+                (PKIX_PL_Object **)&firstPolicy,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (firstPolicy, &policyOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (list, (PKIX_PL_Object *)policyOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext));
+
+        *pPolicyList = list;
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(policyInfo);
+        PKIX_TEST_DECREF_AC(firstPolicy);
+        PKIX_TEST_DECREF_AC(policyOID);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This custom matchCallback will pass any Certificate which has no
+ * CertificatePolicies extension and any Certificate whose Policies
+ * extension include a CertPolicyQualifier.
+ */
+static PKIX_Error *
+custom_CertSelector_MatchCallback(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numPolicies = 0;
+        PKIX_List *certPolicies = NULL;
+        PKIX_List *quals = NULL;
+        PKIX_PL_CertPolicyInfo *policy = NULL;
+        PKIX_Error *error = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        *pResult = PKIX_TRUE;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &certPolicies, plContext));
+
+        if (certPolicies) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                        (certPolicies, &numPolicies, plContext));
+                      
+                for (i = 0; i < numPolicies; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                            (certPolicies,
+                            i,
+                            (PKIX_PL_Object **)&policy,
+                            plContext));
+                        PKIX_TEST_EXPECT_NO_ERROR
+                            (PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                            (policy, &quals, plContext));
+                        if (quals) {
+                            goto cleanup;
+                        }
+                        PKIX_TEST_DECREF_BC(policy);
+                }
+                PKIX_TEST_DECREF_BC(certPolicies);
+                *pResult = PKIX_FALSE;
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                        (PKIX_CERTSELECTOR_ERROR,
+                        NULL,
+                        NULL,
+                        PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS,
+                        &error,
+                        plContext));
+
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(certPolicies);
+        PKIX_TEST_DECREF_AC(policy);
+        PKIX_TEST_DECREF_AC(quals);
+
+        return(error);
+}
+
+/*
+ * This custom matchCallback will pass any Certificate whose
+ * CertificatePolicies extension asserts the Policy specified by
+ * the OID in the CertSelectorContext object.
+ */
+static PKIX_Error *
+custom_CertSelector_MatchOIDCallback(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numPolicies = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_PL_Object *certSelectorContext = NULL;
+        PKIX_PL_OID *constraintOID = NULL;
+        PKIX_List *certPolicies = NULL;
+        PKIX_PL_CertPolicyInfo *policy = NULL;
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_PL_String *errorDesc = NULL;
+        PKIX_Error *error = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        *pResult = PKIX_TRUE;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext
+                (selector, &certSelectorContext, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType
+                (certSelectorContext, PKIX_OID_TYPE, plContext));
+
+        constraintOID = (PKIX_PL_OID *)certSelectorContext;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &certPolicies, plContext));
+
+        if (certPolicies) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                        (certPolicies, &numPolicies, plContext));
+
+                for (i = 0; i < numPolicies; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                (certPolicies,
+                                i,
+                                (PKIX_PL_Object **)&policy,
+                                plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_CertPolicyInfo_GetPolicyId
+                                (policy, &policyOID, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                ((PKIX_PL_Object *)policyOID,
+                                (PKIX_PL_Object *)constraintOID,
+                                &match,
+                                plContext));
+
+                        if (match) {
+                                goto cleanup;
+                        }
+                        PKIX_TEST_DECREF_BC(policy);
+                        PKIX_TEST_DECREF_BC(policyOID);
+                }
+        }
+
+        PKIX_TEST_DECREF_BC(certSelectorContext);
+        PKIX_TEST_DECREF_BC(certPolicies);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                        (PKIX_CERTSELECTOR_ERROR,
+                        NULL,
+                        NULL,
+                        PKIX_TESTNOMATCHINGPOLICY,
+                        &error,
+                        plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(certSelectorContext);
+        PKIX_TEST_DECREF_AC(certPolicies);
+        PKIX_TEST_DECREF_AC(policy);
+        PKIX_TEST_DECREF_AC(policyOID);
+        PKIX_TEST_DECREF_AC(errorDesc);
+
+        return(error);
+}
+
+static 
+void testSubjectMatch(
+        PKIX_List *certs,
+        PKIX_PL_Cert *certNameToMatch)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *subjParams = NULL;
+        PKIX_PL_X500Name *subjectName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Subject name match");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&subjParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (certNameToMatch, &subjectName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+                (subjParams, subjectName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, subjParams, plContext));
+        testSelector(selector, certs, 0x008);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(subjParams);
+        PKIX_TEST_DECREF_AC(subjectName);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testBasicConstraintsMatch(
+        PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *bcParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Basic Constraints match");
+        subTest("    pathLenContraint = -2: pass only EE's");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&bcParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetBasicConstraints
+                (bcParams, -2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, bcParams, plContext));
+        testSelector(selector, certs, 0xC00);
+
+        subTest("    pathLenContraint = -1: pass all certs");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetBasicConstraints
+                (bcParams, -1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, bcParams, plContext));
+        testSelector(selector, certs, 0xFFF);
+
+        subTest("    pathLenContraint = 1: pass only certs with pathLen >= 1");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetBasicConstraints
+                (bcParams, 1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, bcParams, plContext));
+        testSelector(selector, certs, 0x3DF);
+
+        subTest("    pathLenContraint = 2: pass only certs with  pathLen >= 2");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetBasicConstraints
+                (bcParams, 2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, bcParams, plContext));
+        testSelector(selector, certs, 0x39F);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(bcParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testPolicyMatch(
+        PKIX_List *certs,
+        PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */
+        PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */
+        PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_List *emptyList = NULL; /* no members */
+        PKIX_List *policy1List = NULL; /* OIDs */
+        PKIX_List *policy2List = NULL; /* OIDs */
+        PKIX_List *anyPolicyList = NULL; /* OIDs */
+        PKIX_ComCertSelParams *polParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Policy match");
+        testGetPolicyFromCert(NIST1Cert, 0, &policy1List);
+        testGetPolicyFromCert(NIST2Cert, 1, &policy2List);
+        testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
+
+        subTest("    Pass certs with any CertificatePolicies extension");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&polParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetPolicy
+                (polParams, emptyList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, polParams, plContext));
+        testSelector(selector, certs, 0xEFF);
+        PKIX_TEST_DECREF_BC(polParams);
+
+        subTest("    Pass only certs with policy NIST1");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&polParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetPolicy
+                (polParams, policy1List, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, polParams, plContext));
+        testSelector(selector, certs, 0xEF5);
+        PKIX_TEST_DECREF_BC(polParams);
+
+        subTest("    Pass only certs with policy NIST2");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&polParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetPolicy
+                (polParams, policy2List, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, polParams, plContext));
+        testSelector(selector, certs, 0x814);
+        PKIX_TEST_DECREF_BC(polParams);
+
+        subTest("    Pass only certs with policy anyPolicy");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&polParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetPolicy
+                (polParams, anyPolicyList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, polParams, plContext));
+        testSelector(selector, certs, 0x002);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(emptyList);
+        PKIX_TEST_DECREF_AC(policy1List);
+        PKIX_TEST_DECREF_AC(policy2List);
+        PKIX_TEST_DECREF_AC(anyPolicyList);
+        PKIX_TEST_DECREF_AC(polParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testCertificateMatch(
+        PKIX_List *certs,
+        PKIX_PL_Cert *certToMatch)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Certificate match");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
+                (params, certToMatch, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+        testSelector(selector, certs, 0x008);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(params);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testNameConstraintsMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL;
+        PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL;
+        PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL;
+        PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL;
+        PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL;
+        PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL;
+        PKIX_UInt32 numCerts = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test NameConstraints Cert Selector");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certs, &numCerts, plContext));
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert0-permitted>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 0, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &permitNameConstraints1, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert1-permitted>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 1, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &permitNameConstraints2, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert2-permitted>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 2, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &permitNameConstraints3, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert3-excluded>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 3, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &excludeNameConstraints1, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert4-excluded>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 4, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &excludeNameConstraints2, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    PKIX_PL_Cert_GetNameConstraints <cert5-excluded>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, 5, (PKIX_PL_Object **)&cert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (cert, &excludeNameConstraints3, plContext));
+        PKIX_TEST_DECREF_BC(cert);
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    CertNameConstraints testing permitted NONE");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, permitNameConstraints1, plContext));
+        testSelector(selector, certs, 0x0);
+
+        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    CertNameConstraints testing permitted ALL");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, permitNameConstraints2, plContext));
+        testSelector(selector, certs, 0x07F);
+
+        subTest("    CertNameConstraints testing permitted TWO");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, permitNameConstraints3, plContext));
+        testSelector(selector, certs, 0x0041);
+
+        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    CertNameConstraints testing excluded");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, excludeNameConstraints1, plContext));
+        testSelector(selector, certs, 0x07F);
+
+        subTest("    CertNameConstraints testing excluded");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, excludeNameConstraints2, plContext));
+        testSelector(selector, certs, 0x07F);
+
+        subTest("    CertNameConstraints testing excluded");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (params, excludeNameConstraints3, plContext));
+        testSelector(selector, certs, 0x41);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(permitNameConstraints1);
+        PKIX_TEST_DECREF_AC(permitNameConstraints2);
+        PKIX_TEST_DECREF_AC(permitNameConstraints3);
+        PKIX_TEST_DECREF_AC(excludeNameConstraints1);
+        PKIX_TEST_DECREF_AC(excludeNameConstraints2);
+        PKIX_TEST_DECREF_AC(excludeNameConstraints3);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testPathToNamesMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_List *nameList = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test PathToName Cert Selector");
+
+        subTest("    PKIX_PL_GeneralName List create");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
+
+        subTest("    Add directory name <O=NotATest Certificates,C=US>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "O=NotATest Certificates,C=US",
+                plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, nameList, plContext));
+
+        subTest("    Permitting THREE");
+        testSelector(selector, certs, 0x58);
+
+        subTest("    Remove directory name <O=NotATest Certificates,C=US...>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
+                                (nameList, 0, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    Add directory name <OU=permittedSubtree1,O=Test...>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "OU=permittedSubtree1,O=Test Certificates,C=US",
+                plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, nameList, plContext));
+
+        subTest("    Permitting SIX");
+        testSelector(selector, certs, 0x5F);
+
+        subTest("    Remove directory name <OU=permittedSubtree1,O=Test...>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
+                                (nameList, 0, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    Add directory name <O=Test Certificates,C=US...>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "O=Test Certificates,C=US",
+                plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, nameList, plContext));
+
+        subTest("    Permitting FOUR");
+        testSelector(selector, certs, 0x47);
+
+        subTest("    Only directory name <OU=permittedSubtree1,O=Test ...>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "OU=permittedSubtree1,O=Test Certificates,C=US",
+                plContext);
+
+        subTest("    PKIX_ComCertSelParams_AddPathToName");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
+                (params, name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    Permitting FOUR");
+        testSelector(selector, certs, 0x47);
+
+        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+        PKIX_TEST_DECREF_BC(nameList);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
+
+        subTest("    Add directory name <CN=Valid DN nameConstraints EE...>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE "
+                "Certificate Test1,OU=permittedSubtree1,"
+                "O=Test Certificates,C=US",
+                plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, nameList, plContext));
+
+        subTest("    Permitting SIX");
+        testSelector(selector, certs, 0x7e);
+
+        subTest("    Add directory name <OU=permittedSubtree1,O=Test>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "OU=permittedSubtree1,O=Test",
+                plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, nameList, plContext));
+
+        subTest("    Permitting SIX");
+        testSelector(selector, certs, 0x58);
+
+        subTest("    Add directory name <O=Test Certificates,C=US>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext);
+
+        subTest("    PKIX_ComCertSelParams_SetPathToNames Reset");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (params, NULL, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
+                (params, name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    Permitting FOUR");
+        testSelector(selector, certs, 0x47);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(nameList);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testSubjAltNamesMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_List *nameList = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test SubjAltNames Cert Selector");
+
+        subTest("    PKIX_PL_GeneralName List create");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    Add directory name <CN=Invalid DN nameConstraints EE...>");
+        name = createGeneralName
+                (PKIX_DIRECTORY_NAME,
+                "CN=Invalid DN nameConstraints EE Certificate Test3,"
+                "OU=excludedSubtree1,O=Test Certificates,C=US",
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (nameList, (PKIX_PL_Object *)name, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames
+                (params, nameList, plContext));
+
+        PKIX_TEST_DECREF_BC(name);
+        PKIX_TEST_DECREF_BC(nameList);
+
+        subTest("    Permitting ONE");
+        testSelector(selector, certs, 0x1);
+
+        subTest("    Add DNS name <mytestcertificates.gov>");
+        name = createGeneralName
+                (PKIX_DNS_NAME,
+                "mytestcertificates.gov",
+                plContext);
+
+        subTest("    PKIX_ComCertSelParams_AddSubjAltName");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
+                (params, name, plContext));
+        PKIX_TEST_DECREF_BC(name);
+
+        subTest("    Permitting NONE");
+        testSelector(selector, certs, 0x0);
+
+        subTest("    PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+                (params, PKIX_FALSE, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    Permitting TWO");
+        testSelector(selector, certs, 0x3);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(name);
+        PKIX_TEST_DECREF_AC(nameList);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testCertificateValidMatch(
+        PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_String *stringRep = NULL;
+        PKIX_PL_Date *testDate = NULL;
+        char *asciiRep = "050501000000Z";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("CertificateValid match");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
+                (params, testDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+        testSelector(selector, certs, 0xFFFFFFFF);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(stringRep);
+        PKIX_TEST_DECREF_AC(testDate);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_customCallback1(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("custom matchCallback");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (custom_CertSelector_MatchCallback,
+                NULL,
+                &selector,
+                plContext));
+
+        testSelector(selector, certs, 0x900);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void test_customCallback2
+        (PKIX_List *certs,
+        PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_List *anyPolicyList = NULL; /* OIDs */
+        PKIX_PL_OID *policyOID = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("custom matchCallback with CertSelectorContext");
+
+        testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (custom_CertSelector_MatchOIDCallback,
+                (PKIX_PL_Object *)policyOID,
+                &selector,
+                plContext));
+
+        testSelector(selector, certs, (1 << ANYPOLICYCERT));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(anyPolicyList);
+        PKIX_TEST_DECREF_AC(policyOID);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testExtendedKeyUsageMatch(char *certDir)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_OID *ekuOid = NULL;
+        PKIX_List *ekuOidList = NULL;
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 numCert = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Extended KeyUsage Cert Selector");
+
+        subTest("    PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("    Create Extended Key Usage OID List");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                ("1.3.6.1.5.5.7.3.2", &ekuOid, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
+
+        PKIX_TEST_DECREF_BC(ekuOid);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                ("1.3.6.1.5.5.7.3.3", &ekuOid, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
+
+        PKIX_TEST_DECREF_BC(ekuOid);
+
+        subTest("    PKIX_ComCertSelParams_SetExtendedKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
+                (goodParams, ekuOidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
+
+        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        subTest("    PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, goodParams, plContext));
+
+        subTest("    PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &certCallback, NULL));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Cert number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(ekuOid);
+        PKIX_TEST_DECREF_AC(ekuOidList);
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testKeyUsageMatch(char *certDir)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 numCert = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test KeyUsage Cert Selector");
+
+        subTest("    PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage
+                (goodParams, PKIX_CRL_SIGN, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
+
+        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        subTest("    PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, goodParams, plContext));
+
+        subTest("    PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &certCallback, NULL));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Cert number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testCertValidMatch(char *certDir)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_Date *validDate = NULL;
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 numCert = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test CertValid Cert Selector");
+
+        subTest("    PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        validDate = createDate("050601000000Z", plContext);
+
+        subTest("    PKIX_ComCertSelParams_SetCertificateValid");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
+                (goodParams, validDate, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
+
+        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        subTest("    PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, goodParams, plContext));
+
+        subTest("    PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &certCallback, NULL));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Cert number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(validDate);
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testIssuerMatch(char *certDir)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        PKIX_PL_String *issuerStr = NULL;
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        char *issuerName = "CN=science,O=mit,C=US";
+        PKIX_UInt32 numCert = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Issuer Cert Selector");
+
+        subTest("    PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
+                (issuerStr, &issuer, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetIssuer");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer
+                (goodParams, issuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
+
+        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        subTest("    PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, goodParams, plContext));
+
+        subTest("    PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &certCallback, NULL));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Cert number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(issuer);
+        PKIX_TEST_DECREF_AC(issuerStr);
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testSerialNumberVersionMatch(char *certDir)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_BigInt *serialNumber = NULL;
+        PKIX_PL_String *serialNumberStr = NULL;
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 numCert = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Serial Number Cert Selector");
+
+        subTest("    PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
+                (serialNumberStr, &serialNumber, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetSerialNumber");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber
+                (goodParams, serialNumber, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetVersion");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
+                (goodParams, 0, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
+
+        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        subTest("    PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, goodParams, plContext));
+
+        subTest("    PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &certCallback, NULL));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        PKIX_TEST_DECREF_BC(certList);
+
+        if (numCert != 0) {
+                pkixTestErrorMsg = "unexpected Version mismatch";
+        }
+
+        subTest("    PKIX_ComCertSelParams_SetVersion");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
+                (goodParams, 2, plContext));
+
+        subTest("    Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                (certStore, certSelector, &nbioContext, &certList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Serial Number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(serialNumber);
+        PKIX_TEST_DECREF_AC(serialNumberStr);
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testSubjKeyIdMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_ByteArray *selSubjKeyId = NULL;
+        PKIX_UInt32 item = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Subject Key Id Cert Selector");
+
+        item = 2;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, item, (PKIX_PL_Object **)&cert, plContext));
+
+        subTest("    PKIX_PL_Cert_GetSubjectKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
+                (cert, &selSubjKeyId, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetSubjKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier
+                (params, selSubjKeyId, plContext));
+
+        subTest("    Select One");
+        testSelector(selector, certs, 1<<item);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selSubjKeyId);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(selector);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testAuthKeyIdMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_ByteArray *selAuthKeyId = NULL;
+        PKIX_UInt32 item = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Auth Key Id Cert Selector");
+
+        item = 3;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, item, (PKIX_PL_Object **)&cert, plContext));
+
+        subTest("    PKIX_PL_Cert_GetAuthorityKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+                (cert, &selAuthKeyId, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetAuthorityKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
+                (params, selAuthKeyId, plContext));
+
+        subTest("    Select TWO");
+        testSelector(selector, certs, (1<<item)|(1<<1));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selAuthKeyId);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(selector);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testSubjPKAlgIdMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_OID *selAlgId = NULL;
+        PKIX_UInt32 item = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Subject Public Key Algorithm Id Cert Selector");
+
+        item = 0;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, item, (PKIX_PL_Object **)&cert, plContext));
+
+        subTest("    PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+                (cert, &selAlgId, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetSubjPKAlgId");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId
+                (params, selAlgId, plContext));
+
+        subTest("    Select All");
+        testSelector(selector, certs, 0x7F);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selAlgId);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(selector);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testSubjPublicKeyMatch(PKIX_List *certs)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_PublicKey *selPublicKey = NULL;
+        PKIX_UInt32 item = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test Subject Public Key Cert Selector");
+
+        item = 5;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certs, item, (PKIX_PL_Object **)&cert, plContext));
+
+        subTest("    PKIX_PL_Cert_GetSubjectPublicKey");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (cert, &selPublicKey, plContext));
+
+        subTest("    Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&params, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, params, plContext));
+
+        subTest("    PKIX_ComCertSelParams_SetSubjPubKey");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey
+                (params, selPublicKey, plContext));
+
+        subTest("    Select ONE");
+        testSelector(selector, certs, 1<<item);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selPublicKey);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(params);
+        PKIX_TEST_DECREF_AC(selector);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void test_CertSelector_Duplicate(PKIX_CertSelector *selector)
+{
+        PKIX_Int32 goodBasicConstraints = 0;
+        PKIX_Int32 equalBasicConstraints = 0;
+        PKIX_CertSelector *dupSelector = NULL;
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_ComCertSelParams *equalParams = NULL;
+        PKIX_CertSelector_MatchCallback goodCallback = NULL;
+        PKIX_CertSelector_MatchCallback equalCallback = NULL;
+        PKIX_PL_X500Name *goodSubject = NULL;
+        PKIX_PL_X500Name *equalSubject = NULL;
+        PKIX_List *goodPolicy = NULL;
+        PKIX_List *equalPolicy = NULL;
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Date *goodDate = NULL;
+        PKIX_PL_Date *equalDate = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("test_CertSelector_Duplicate");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)selector,
+                (PKIX_PL_Object **)&dupSelector,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
+                (selector, &goodParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
+                (dupSelector, &equalParams, plContext));
+        /* There is no equals function, so look at components separately. */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
+                (goodParams, &goodSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
+                (equalParams, &equalSubject, plContext));
+        if (goodSubject && equalSubject) {
+                testEqualsHelper
+                        ((PKIX_PL_Object *)goodSubject,
+                        (PKIX_PL_Object *)equalSubject,
+                        PKIX_TRUE,
+                        plContext);
+        } else {
+                if PKIX_EXACTLY_ONE_NULL(goodSubject, equalSubject) {
+                        pkixTestErrorMsg = "Subject Names are not equal!";
+                        goto cleanup;
+                }
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
+                (goodParams, &goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
+                (equalParams, &equalPolicy, plContext));
+        if (goodPolicy && equalPolicy) {
+                testEqualsHelper
+                        ((PKIX_PL_Object *)goodPolicy,
+                        (PKIX_PL_Object *)equalPolicy,
+                        PKIX_TRUE,
+                        plContext);
+        } else {
+                if PKIX_EXACTLY_ONE_NULL(goodPolicy, equalPolicy) {
+                        pkixTestErrorMsg = "Policy Lists are not equal!";
+                        goto cleanup;
+                }
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
+                (goodParams, &goodCert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
+                (equalParams, &equalCert, plContext));
+        if (goodCert && equalCert) {
+                testEqualsHelper
+                        ((PKIX_PL_Object *)goodCert,
+                        (PKIX_PL_Object *)equalCert,
+                        PKIX_TRUE,
+                        plContext);
+        } else {
+                if PKIX_EXACTLY_ONE_NULL(goodCert, equalCert) {
+                        pkixTestErrorMsg = "Cert Lists are not equal!";
+                        goto cleanup;
+                }
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
+                (goodParams, &goodDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
+                (equalParams, &equalDate, plContext));
+        if (goodCert && equalCert) {
+                testEqualsHelper
+                        ((PKIX_PL_Object *)goodDate,
+                        (PKIX_PL_Object *)equalDate,
+                        PKIX_TRUE,
+                        plContext);
+        } else {
+                if PKIX_EXACTLY_ONE_NULL(goodDate, equalDate) {
+                        pkixTestErrorMsg = "Date Lists are not equal!";
+                        goto cleanup;
+                }
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
+                (goodParams, &goodBasicConstraints, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
+                (equalParams, &equalBasicConstraints, plContext));
+        if (goodBasicConstraints != equalBasicConstraints) {
+                pkixTestErrorMsg = "BasicConstraints are not equal!";
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
+                (selector, &goodCallback, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
+                (dupSelector, &equalCallback, plContext));
+        if (goodCallback != equalCallback) {
+                pkixTestErrorMsg = "MatchCallbacks are not equal!";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dupSelector);
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(equalParams);
+        PKIX_TEST_DECREF_AC(goodSubject);
+        PKIX_TEST_DECREF_AC(equalSubject);
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(goodDate);
+        PKIX_TEST_DECREF_AC(equalDate);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n");
+}
+
+int test_certselector(int argc, char *argv[]) {
+
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_CertSelector *emptySelector = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_List *nameConstraintsCerts = NULL;
+        PKIX_List *subjAltNamesCerts = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_Cert *policy1Cert = NULL;
+        PKIX_PL_Cert *policy2Cert = NULL;
+        PKIX_PL_Cert *anyPolicyCert = NULL;
+        PKIX_PL_Cert *subjectCert = NULL;
+        PKIX_ComCertSelParams *selParams = NULL;
+        char *certDir = NULL;
+        char *dirName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CertSelector");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 3) {
+                printUsage();
+                return (0);
+        }
+
+        dirName = argv[j+1];
+        certDir = argv[j+3];
+
+        /* Create a List of certs to use in testing the selector */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+
+        for (i = 0; i < NUMCERTS; i++) {
+
+                cert = createCert(dirName, certList[i], plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                        (certs, (PKIX_PL_Object *)cert, plContext));
+                if (i == POLICY1CERT) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)cert, plContext));
+                        policy1Cert = cert;
+                }
+                if (i == ANYPOLICYCERT) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)cert, plContext));
+                        anyPolicyCert = cert;
+                }
+                if (i == POLICY2CERT) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)cert, plContext));
+                        policy2Cert = cert;
+                }
+                if (i == SUBJECTCERT) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)cert, plContext));
+                        subjectCert = cert;
+                }
+                PKIX_TEST_DECREF_BC(cert);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                (&nameConstraintsCerts, plContext));
+
+        for (i = 0; i < NUMNCCERTS; i++) {
+
+                cert = createCert(dirName, ncCertList[i], plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                        (nameConstraintsCerts,
+                        (PKIX_PL_Object *)cert,
+                        plContext));
+
+                PKIX_TEST_DECREF_BC(cert);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                (&subjAltNamesCerts, plContext));
+
+        for (i = 0; i < NUMSANCERTS; i++) {
+
+                cert = createCert(dirName, sanCertList[i], plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                        (subjAltNamesCerts,
+                        (PKIX_PL_Object *)cert,
+                        plContext));
+
+                PKIX_TEST_DECREF_BC(cert);
+        }
+
+        subTest("test_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &emptySelector, plContext));
+
+        subTest("Default Match, no parameters set");
+        testSelector(emptySelector, certs, 0xFFFFFFFF);
+
+        testSubjectMatch(certs, subjectCert);
+
+        testBasicConstraintsMatch(certs);
+
+        testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert);
+
+        testCertificateMatch(certs, subjectCert);
+
+        testCertificateValidMatch(certs);
+
+        subTest("Combination: pass only EE certs that assert some policy");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&selParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetBasicConstraints
+                (selParams, -2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (emptySelector, selParams, plContext));
+        testSelector(emptySelector, certs, 0xC00);
+
+        testNameConstraintsMatch(nameConstraintsCerts);
+
+        testPathToNamesMatch(nameConstraintsCerts);
+
+        testSubjAltNamesMatch(subjAltNamesCerts);
+
+        testExtendedKeyUsageMatch(certDir);
+
+        testKeyUsageMatch(certDir);
+
+        testIssuerMatch(certDir);
+
+        testSerialNumberVersionMatch(certDir);
+
+        testCertValidMatch(certDir);
+
+        testSubjKeyIdMatch(nameConstraintsCerts);
+
+        testAuthKeyIdMatch(nameConstraintsCerts);
+
+        testSubjPKAlgIdMatch(nameConstraintsCerts);
+
+        testSubjPublicKeyMatch(nameConstraintsCerts);
+
+        test_CertSelector_Duplicate(emptySelector);
+
+        test_customCallback1(certs);
+
+        test_customCallback2(certs, anyPolicyCert);
+
+        subTest("test_CertSelector_Destroy");
+
+        PKIX_TEST_DECREF_BC(emptySelector);
+
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(emptySelector);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(policy1Cert);
+        PKIX_TEST_DECREF_AC(policy2Cert);
+        PKIX_TEST_DECREF_AC(anyPolicyCert);
+        PKIX_TEST_DECREF_AC(subjectCert);
+        PKIX_TEST_DECREF_AC(selParams);
+        PKIX_TEST_DECREF_AC(nameConstraintsCerts);
+        PKIX_TEST_DECREF_AC(subjAltNamesCerts);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CertSelector");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c b/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c
new file mode 100644
index 000000000..0ebbdd462
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c
@@ -0,0 +1,953 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_comcertselparams.c
+ *
+ * Test Common Cert Selector Params
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void test_CreateOIDList(PKIX_List *certPolicyInfos, PKIX_List **pPolicyOIDs)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numInfos = 0;
+        PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_List *certPolicies = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        /* Convert from List of CertPolicyInfos to List of OIDs */
+        if (certPolicyInfos) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                        (certPolicyInfos, &numInfos, plContext));
+        }
+
+        if (numInfos > 0) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                        (&certPolicies, plContext));
+        }
+        for (i = 0; i < numInfos; i++) {
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (certPolicyInfos,
+                i,
+                (PKIX_PL_Object **)&certPolicyInfo,
+                plContext));
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (certPolicyInfo, &policyOID, plContext));
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (certPolicies, (PKIX_PL_Object *)policyOID, plContext));
+            PKIX_TEST_DECREF_BC(certPolicyInfo);
+            PKIX_TEST_DECREF_BC(policyOID);
+        }
+
+        *pPolicyOIDs = certPolicies;
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(certPolicyInfo);
+        PKIX_TEST_DECREF_AC(policyOID);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_NameConstraints(char *dirName)
+{
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_CertNameConstraints *getNameConstraints = NULL;
+        PKIX_PL_CertNameConstraints *setNameConstraints = NULL;
+        PKIX_ComCertSelParams *goodParams = NULL;
+        char *expectedAscii =
+                "[\n"
+                "\t\tPermitted Name:  (OU=permittedSubtree1,"
+                "O=Test Certificates,C=US, OU=permittedSubtree2,"
+                "O=Test Certificates,C=US)\n"
+                "\t\tExcluded Name:   (EMPTY)\n"
+                "\t]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Create Cert for NameConstraints test");
+
+        goodCert = createCert
+                (dirName, "nameConstraintsDN2CACert.crt", plContext);
+
+        subTest("PKIX_PL_Cert_GetNameConstraints");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (goodCert, &setNameConstraints, plContext));
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetNameConstraints");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
+                (goodParams, setNameConstraints, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetNameConstraints");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetNameConstraints
+                (goodParams, &getNameConstraints, plContext));
+
+        subTest("Compare NameConstraints");
+        testEqualsHelper((PKIX_PL_Object *)setNameConstraints,
+                (PKIX_PL_Object *)getNameConstraints,
+                PKIX_TRUE,
+                plContext);
+
+        subTest("Compare NameConstraints with canned string");
+        testToStringHelper
+                ((PKIX_PL_Object *)getNameConstraints,
+                expectedAscii,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(getNameConstraints);
+        PKIX_TEST_DECREF_AC(setNameConstraints);
+        PKIX_TEST_DECREF_AC(goodParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_PathToNames(void)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_List *setGenNames = NULL;
+        PKIX_List *getGenNames = NULL;
+        PKIX_PL_GeneralName *rfc822GenName = NULL;
+        PKIX_PL_GeneralName *dnsGenName = NULL;
+        PKIX_PL_GeneralName *dirGenName = NULL;
+        PKIX_PL_GeneralName *uriGenName = NULL;
+        PKIX_PL_GeneralName *oidGenName = NULL;
+        char *rfc822Name = "john.doe@labs.com";
+        char *dnsName = "comcast.net";
+        char *dirName = "cn=john, ou=labs, o=sun, c=us";
+        char *uriName = "http://comcast.net";
+        char *oidName = "1.2.840.11";
+        char *expectedAscii =
+                "(john.doe@labs.com, "
+                "comcast.net, "
+                "CN=john,OU=labs,O=sun,C=us, "
+                "http://comcast.net)";
+        char *expectedAsciiAll =
+                "(john.doe@labs.com, "
+                "comcast.net, "
+                "CN=john,OU=labs,O=sun,C=us, "
+                "http://comcast.net, "
+                "1.2.840.11)";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_GeneralName_Create");
+        dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
+        uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
+        oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
+        dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
+        rfc822GenName = createGeneralName
+                (PKIX_RFC822_NAME,
+                rfc822Name,
+                plContext);
+
+        subTest("PKIX_PL_GeneralName List create and append");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)dirGenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)uriGenName, plContext));
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
+                (goodParams, setGenNames, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames
+                (goodParams, &getGenNames, plContext));
+
+        subTest("Compare GeneralName List");
+        testEqualsHelper((PKIX_PL_Object *)setGenNames,
+                (PKIX_PL_Object *)getGenNames,
+                PKIX_TRUE,
+                plContext);
+
+        subTest("Compare GeneralName List with canned string");
+        testToStringHelper
+                ((PKIX_PL_Object *)getGenNames,
+                expectedAscii,
+                plContext);
+
+        subTest("PKIX_ComCertSelParams_AddPathToName");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
+                (goodParams, oidGenName, plContext));
+
+        PKIX_TEST_DECREF_BC(getGenNames);
+
+        subTest("PKIX_ComCertSelParams_GetPathToNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames
+                (goodParams, &getGenNames, plContext));
+
+        subTest("Compare GeneralName List with canned string");
+        testToStringHelper
+                ((PKIX_PL_Object *)getGenNames,
+                expectedAsciiAll,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(setGenNames);
+        PKIX_TEST_DECREF_AC(getGenNames);
+        PKIX_TEST_DECREF_AC(rfc822GenName);
+        PKIX_TEST_DECREF_AC(dnsGenName);
+        PKIX_TEST_DECREF_AC(dirGenName);
+        PKIX_TEST_DECREF_AC(uriGenName);
+        PKIX_TEST_DECREF_AC(oidGenName);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_SubjAltNames(void)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_List *setGenNames = NULL;
+        PKIX_List *getGenNames = NULL;
+        PKIX_PL_GeneralName *rfc822GenName = NULL;
+        PKIX_PL_GeneralName *dnsGenName = NULL;
+        PKIX_PL_GeneralName *dirGenName = NULL;
+        PKIX_PL_GeneralName *uriGenName = NULL;
+        PKIX_PL_GeneralName *oidGenName = NULL;
+        PKIX_Boolean matchAll = PKIX_TRUE;
+        char *rfc822Name = "john.doe@labs.com";
+        char *dnsName = "comcast.net";
+        char *dirName = "cn=john, ou=labs, o=sun, c=us";
+        char *uriName = "http://comcast.net";
+        char *oidName = "1.2.840.11";
+        char *expectedAscii =
+                "(john.doe@labs.com, "
+                "comcast.net, "
+                "CN=john,OU=labs,O=sun,C=us, "
+                "http://comcast.net)";
+        char *expectedAsciiAll =
+                "(john.doe@labs.com, "
+                "comcast.net, "
+                "CN=john,OU=labs,O=sun,C=us, "
+                "http://comcast.net, "
+                "1.2.840.11)";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_GeneralName_Create");
+        dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
+        uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
+        oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
+        dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
+        rfc822GenName = createGeneralName
+                (PKIX_RFC822_NAME,
+                rfc822Name,
+                plContext);
+
+        subTest("PKIX_PL_GeneralName List create and append");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)dirGenName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setGenNames, (PKIX_PL_Object *)uriGenName, plContext));
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames
+                (goodParams, setGenNames, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames
+                (goodParams, &getGenNames, plContext));
+
+        subTest("Compare GeneralName List");
+        testEqualsHelper((PKIX_PL_Object *)setGenNames,
+                (PKIX_PL_Object *)getGenNames,
+                PKIX_TRUE,
+                plContext);
+
+        subTest("Compare GeneralName List with canned string");
+        testToStringHelper
+                ((PKIX_PL_Object *)getGenNames,
+                expectedAscii,
+                plContext);
+
+
+        subTest("PKIX_ComCertSelParams_AddSubjAltName");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
+                (goodParams, oidGenName, plContext));
+
+        PKIX_TEST_DECREF_BC(getGenNames);
+
+        subTest("PKIX_ComCertSelParams_GetSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames
+                (goodParams, &getGenNames, plContext));
+
+        subTest("Compare GeneralName List with canned string");
+        testToStringHelper
+                ((PKIX_PL_Object *)getGenNames,
+                expectedAsciiAll,
+                plContext);
+
+        subTest("PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+                (goodParams, &matchAll, plContext));
+        if (matchAll != PKIX_TRUE) {
+                testError("unexpected mismatch <expect TRUE>");
+        }
+
+        subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+                (goodParams, PKIX_FALSE, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+                (goodParams, &matchAll, plContext));
+        if (matchAll != PKIX_FALSE) {
+                testError("unexpected mismatch <expect FALSE>");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(setGenNames);
+        PKIX_TEST_DECREF_AC(getGenNames);
+        PKIX_TEST_DECREF_AC(rfc822GenName);
+        PKIX_TEST_DECREF_AC(dnsGenName);
+        PKIX_TEST_DECREF_AC(dirGenName);
+        PKIX_TEST_DECREF_AC(uriGenName);
+        PKIX_TEST_DECREF_AC(oidGenName);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_KeyUsages(void)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_OID *ekuOid = NULL;
+        PKIX_List *setExtKeyUsage = NULL;
+        PKIX_List *getExtKeyUsage = NULL;
+        PKIX_UInt32 getKeyUsage = 0;
+        PKIX_UInt32 setKeyUsage = 0x1FF;
+        PKIX_Boolean isEqual = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage
+                (goodParams, setKeyUsage, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage
+                (goodParams, &getKeyUsage, plContext));
+
+        if (setKeyUsage != getKeyUsage) {
+                testError("unexpected KeyUsage mismatch <expect equal>");
+        }
+
+        subTest("PKIX_PL_OID List create and append");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                ("1.3.6.1.5.5.7.3.1",   &ekuOid, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
+        PKIX_TEST_DECREF_BC(ekuOid);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                ("1.3.6.1.5.5.7.3.8",   &ekuOid, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
+        PKIX_TEST_DECREF_BC(ekuOid);
+
+        subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
+                (goodParams, setExtKeyUsage, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage
+                (goodParams, &getExtKeyUsage, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setExtKeyUsage,
+                (PKIX_PL_Object *)getExtKeyUsage,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected ExtKeyUsage mismatch <expect equal>");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(ekuOid);
+        PKIX_TEST_DECREF_AC(setExtKeyUsage);
+        PKIX_TEST_DECREF_AC(getExtKeyUsage);
+        PKIX_TEST_DECREF_AC(goodParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_Version_Issuer_SerialNumber(void)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_UInt32 version = 0;
+        PKIX_PL_X500Name *setIssuer = NULL;
+        PKIX_PL_X500Name *getIssuer = NULL;
+        PKIX_PL_String *str = NULL;
+        PKIX_PL_BigInt *setSerialNumber = NULL;
+        PKIX_PL_BigInt *getSerialNumber = NULL;
+        PKIX_Boolean isEqual = PKIX_FALSE;
+        char *bigInt = "999999999999999999";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        /* Version */
+        subTest("PKIX_ComCertSelParams_SetVersion");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
+                (goodParams, 2, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetVersion");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetVersion
+                (goodParams, &version, plContext));
+
+        if (version != 2) {
+                testError("unexpected Version mismatch <expect 2>");
+        }
+
+        /* Issuer */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, "CN=Test,O=Sun,C=US", 0, &str, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
+                (str, &setIssuer, plContext));
+
+        PKIX_TEST_DECREF_BC(str);
+
+        subTest("PKIX_ComCertSelParams_SetIssuer");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer
+                (goodParams, setIssuer, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetIssuer");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetIssuer
+                (goodParams, &getIssuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setIssuer,
+                (PKIX_PL_Object *)getIssuer,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Issuer mismatch <expect equal>");
+        }
+
+        /* Serial Number */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, bigInt, PL_strlen(bigInt), &str, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
+                (str, &setSerialNumber, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetSerialNumber");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber
+                (goodParams, setSerialNumber, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetSerialNumber");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSerialNumber
+                (goodParams, &getSerialNumber, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setSerialNumber,
+                (PKIX_PL_Object *)getSerialNumber,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Serial Number mismatch <expect equal>");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(str);
+        PKIX_TEST_DECREF_AC(setIssuer);
+        PKIX_TEST_DECREF_AC(getIssuer);
+        PKIX_TEST_DECREF_AC(setSerialNumber);
+        PKIX_TEST_DECREF_AC(getSerialNumber);
+        PKIX_TEST_DECREF_AC(goodParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_SubjKeyId_AuthKeyId(void)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_ByteArray *setKeyId = NULL;
+        PKIX_PL_ByteArray *getKeyId = NULL;
+        PKIX_Boolean isEqual = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        /* Subject Key Identifier */
+        subTest("PKIX_PL_ByteArray_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
+                ((void*)"66099", 1, &setKeyId, plContext));
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetSubjectKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier
+                (goodParams, setKeyId, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetSubjectKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjKeyIdentifier
+                (goodParams, &getKeyId, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setKeyId,
+                (PKIX_PL_Object *)getKeyId,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Subject Key Id mismatch <expect equal>");
+        }
+
+        PKIX_TEST_DECREF_BC(setKeyId);
+        PKIX_TEST_DECREF_BC(getKeyId);
+
+        /* Authority Key Identifier */
+        subTest("PKIX_PL_ByteArray_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
+                ((void*)"11022", 1, &setKeyId, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetAuthorityKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
+                (goodParams, setKeyId, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetAuthorityKeyIdentifier");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+                (goodParams, &getKeyId, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setKeyId,
+                (PKIX_PL_Object *)getKeyId,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Auth Key Id mismatch <expect equal>");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setKeyId);
+        PKIX_TEST_DECREF_AC(getKeyId);
+        PKIX_TEST_DECREF_AC(goodParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void test_SubjAlgId_SubjPublicKey(char *dirName)
+{
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_PL_OID *setAlgId = NULL;
+        PKIX_PL_OID *getAlgId = NULL;
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_PublicKey *setPublicKey = NULL;
+        PKIX_PL_PublicKey *getPublicKey = NULL;
+        PKIX_Boolean isEqual = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        /* Subject Algorithm Identifier */
+        subTest("PKIX_PL_OID_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                ("1.1.2.3", &setAlgId, plContext));
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetSubjPKAlgId");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId
+                (goodParams, setAlgId, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetSubjPKAlgId");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId
+                (goodParams, &getAlgId, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setAlgId,
+                (PKIX_PL_Object *)getAlgId,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Subject Public Key Alg mismatch "
+                            "<expect equal>");
+        }
+
+        /* Subject Public Key */
+        subTest("Getting Cert for Subject Public Key");
+
+        goodCert = createCert
+                (dirName, "nameConstraintsDN2CACert.crt", plContext);
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (goodCert, &setPublicKey, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetSubjPubKey");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey
+                (goodParams, setPublicKey, plContext));
+
+        subTest("PKIX_ComCertSelParams_GetSubjPubKey");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey
+                (goodParams, &getPublicKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)setPublicKey,
+                (PKIX_PL_Object *)getPublicKey,
+                &isEqual,
+                plContext));
+
+        if (isEqual == PKIX_FALSE) {
+                testError("unexpected Subject Public Key mismatch "
+                            "<expect equal>");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setAlgId);
+        PKIX_TEST_DECREF_AC(getAlgId);
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(setPublicKey);
+        PKIX_TEST_DECREF_AC(getPublicKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_comcertselparams <NIST_FILES_DIR> \n\n");
+}
+
+int test_comcertselparams(int argc, char *argv[]) {
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_PL_Cert *testCert = NULL;
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
+        PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */
+        PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */
+
+        PKIX_ComCertSelParams *goodParams = NULL;
+        PKIX_ComCertSelParams *equalParams = NULL;
+        PKIX_PL_X500Name *goodSubject = NULL;
+        PKIX_PL_X500Name *equalSubject = NULL;
+        PKIX_PL_X500Name *diffSubject = NULL;
+        PKIX_PL_X500Name *testSubject = NULL;
+        PKIX_Int32 goodMinPathLength = 0;
+        PKIX_Int32 equalMinPathLength = 0;
+        PKIX_Int32 diffMinPathLength = 0;
+        PKIX_Int32 testMinPathLength = 0;
+        PKIX_List *goodPolicies = NULL; /* OIDs */
+        PKIX_List *equalPolicies = NULL; /* OIDs */
+        PKIX_List *testPolicies = NULL; /* OIDs */
+        PKIX_List *cert2Policies = NULL; /* OIDs */
+
+        PKIX_PL_Date *testDate = NULL;
+        PKIX_PL_Date *goodDate = NULL;
+        PKIX_PL_Date *equalDate = NULL;
+        PKIX_PL_String *stringRep = NULL;
+        char *asciiRep = NULL;
+        char *dirName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 2) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("ComCertSelParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        dirName = argv[j+1];
+
+        asciiRep = "050501000000Z";
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
+
+        testCert = createCert
+                (dirName, "PoliciesP1234CACert.crt",  plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (testCert, &testSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
+                (testCert, &goodBasicConstraints, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint
+                (goodBasicConstraints, &testMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (testCert, &testPolicyInfos, plContext));
+
+        /* Convert from List of CertPolicyInfos to List of OIDs */
+        test_CreateOIDList(testPolicyInfos, &testPolicies);
+
+        subTest("Create goodParams and set its fields");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&goodParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+                (goodParams, testSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
+                (goodParams, testMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
+                (goodParams, testDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy
+                (goodParams, testPolicies, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
+                (goodParams, testCert, plContext));
+
+        subTest("Duplicate goodParams and verify copy");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)goodParams,
+                (PKIX_PL_Object **)&equalParams,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
+                (goodParams, &goodSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
+                (goodParams, &goodMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_GetCertificate
+                (goodParams, &goodCert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
+                (goodParams, &goodDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
+                (goodParams, &goodPolicies, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
+                (equalParams, &equalSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
+                (equalParams, &equalMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
+                (equalParams, &equalPolicies, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
+                (equalParams, &equalCert, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
+                (equalParams, &equalDate, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodSubject,
+                (PKIX_PL_Object *)equalSubject,
+                PKIX_TRUE,
+                plContext);
+
+        if (goodMinPathLength != equalMinPathLength) {
+                testError("unexpected mismatch");
+                (void) printf("goodMinPathLength:\t%d\n", goodMinPathLength);
+                (void) printf("equalMinPathLength:\t%d\n", equalMinPathLength);
+        }
+
+        testEqualsHelper((PKIX_PL_Object *)goodPolicies,
+                (PKIX_PL_Object *)equalPolicies,
+                PKIX_TRUE,
+                plContext);
+
+        testEqualsHelper((PKIX_PL_Object *)goodCert,
+                (PKIX_PL_Object *)equalCert,
+                PKIX_TRUE,
+                plContext);
+
+        testEqualsHelper((PKIX_PL_Object *)goodDate,
+                (PKIX_PL_Object *)equalDate,
+                PKIX_TRUE,
+                plContext);
+
+        PKIX_TEST_DECREF_BC(equalSubject);
+        PKIX_TEST_DECREF_BC(equalPolicies);
+        PKIX_TEST_DECREF_BC(equalCert);
+        PKIX_TEST_DECREF_AC(equalDate);
+
+        subTest("Set different values and verify differences");
+
+        diffCert = createCert
+                (dirName, "pathLenConstraint6CACert.crt", plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (diffCert, &diffSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
+                (diffCert, &diffBasicConstraints, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint
+                (diffBasicConstraints, &diffMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &cert2PolicyInfos, plContext));
+        test_CreateOIDList(cert2PolicyInfos, &cert2Policies);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(
+                equalParams, diffSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
+                (equalParams, diffMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy
+                (equalParams, cert2Policies, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
+                (equalParams, &equalSubject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
+                (equalParams, &equalMinPathLength, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
+                (equalParams, &equalPolicies, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodSubject,
+                (PKIX_PL_Object *)equalSubject,
+                PKIX_FALSE,
+                plContext);
+
+        if (goodMinPathLength == equalMinPathLength) {
+                testError("unexpected match");
+                (void) printf("goodMinPathLength:\t%d\n", goodMinPathLength);
+                (void) printf("equalMinPathLength:\t%d\n", equalMinPathLength);
+        }
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodPolicies,
+                (PKIX_PL_Object *)equalPolicies,
+                PKIX_FALSE,
+                plContext);
+
+        test_NameConstraints(dirName);
+        test_PathToNames();
+        test_SubjAltNames();
+        test_KeyUsages();
+        test_Version_Issuer_SerialNumber();
+        test_SubjKeyId_AuthKeyId();
+        test_SubjAlgId_SubjPublicKey(dirName);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(testSubject);
+        PKIX_TEST_DECREF_AC(goodSubject);
+        PKIX_TEST_DECREF_AC(equalSubject);
+        PKIX_TEST_DECREF_AC(diffSubject);
+        PKIX_TEST_DECREF_AC(testSubject);
+        PKIX_TEST_DECREF_AC(goodPolicies);
+        PKIX_TEST_DECREF_AC(equalPolicies);
+        PKIX_TEST_DECREF_AC(testPolicies);
+        PKIX_TEST_DECREF_AC(cert2Policies);
+        PKIX_TEST_DECREF_AC(goodParams);
+        PKIX_TEST_DECREF_AC(equalParams);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_DECREF_AC(testCert);
+        PKIX_TEST_DECREF_AC(goodBasicConstraints);
+        PKIX_TEST_DECREF_AC(diffBasicConstraints);
+        PKIX_TEST_DECREF_AC(testPolicyInfos);
+        PKIX_TEST_DECREF_AC(cert2PolicyInfos);
+        PKIX_TEST_DECREF_AC(stringRep);
+        PKIX_TEST_DECREF_AC(testDate);
+        PKIX_TEST_DECREF_AC(goodDate);
+
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ComCertSelParams");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/checker/Makefile b/security/nss/cmd/libpkix/pkix/checker/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/checker/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/checker/manifest.mn b/security/nss/cmd/libpkix/pkix/checker/manifest.mn
new file mode 100755
index 000000000..317015232
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/checker/manifest.mn
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_certchainchecker.c
+
+LIBRARY_NAME=pkixtoolchecker
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c b/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c
new file mode 100755
index 000000000..7ddd2c74e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c
@@ -0,0 +1,255 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_certchainchecker.c
+ *
+ * Test Cert Chain Checker
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+
+static
+PKIX_Error *dummyChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        goto cleanup;
+
+cleanup:
+
+        return(NULL);
+}
+
+
+static
+void test_CertChainChecker_Duplicate(PKIX_CertChainChecker *original)
+{
+        PKIX_Boolean originalForward = PKIX_FALSE;
+        PKIX_Boolean copyForward = PKIX_FALSE;
+        PKIX_Boolean originalForwardDir = PKIX_FALSE;
+        PKIX_Boolean copyForwardDir = PKIX_FALSE;
+        PKIX_CertChainChecker *copy = NULL;
+        PKIX_CertChainChecker_CheckCallback originalCallback = NULL;
+        PKIX_CertChainChecker_CheckCallback copyCallback = NULL;
+        PKIX_PL_Object *originalState = NULL;
+        PKIX_PL_Object *copyState = NULL;
+        PKIX_List *originalList = NULL;
+        PKIX_List *copyList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("CertChainChecker_Duplicate");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)original,
+                (PKIX_PL_Object **)&copy,
+                plContext));
+
+        subTest("CertChainChecker_GetCheckCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_GetCheckCallback
+                (original, &originalCallback, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_GetCheckCallback
+                (copy, &copyCallback, plContext));
+        if (originalCallback != copyCallback) {
+                pkixTestErrorMsg = "CheckCallback functions are not equal!";
+                goto cleanup;
+        }
+
+        subTest("CertChainChecker_IsForwardCheckingSupported");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_IsForwardCheckingSupported
+                (original, &originalForward, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_IsForwardCheckingSupported
+                (copy, &copyForward, plContext));
+        if (originalForward != copyForward) {
+                pkixTestErrorMsg = "ForwardChecking booleans are not equal!";
+                goto cleanup;
+        }
+
+        subTest("CertChainChecker_IsForwardDirectionExpected");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_IsForwardDirectionExpected
+                (original, &originalForwardDir, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_IsForwardDirectionExpected
+                (copy, &copyForwardDir, plContext));
+        if (originalForwardDir != copyForwardDir) {
+                pkixTestErrorMsg = "ForwardDirection booleans are not equal!";
+                goto cleanup;
+        }
+
+        subTest("CertChainChecker_GetCertChainCheckerState");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_GetCertChainCheckerState
+                (original, &originalState, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_GetCertChainCheckerState
+                (copy, &copyState, plContext));
+        testEqualsHelper(originalState, copyState, PKIX_TRUE, plContext);
+
+        subTest("CertChainChecker_GetSupportedExtensions");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_GetSupportedExtensions
+                (original, &originalList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_GetSupportedExtensions
+                (copy, &copyList, plContext));
+        testEqualsHelper
+                ((PKIX_PL_Object *)originalList,
+                (PKIX_PL_Object *)copyList,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(copy);
+        PKIX_TEST_DECREF_AC(originalState);
+        PKIX_TEST_DECREF_AC(copyState);
+        PKIX_TEST_DECREF_AC(originalList);
+        PKIX_TEST_DECREF_AC(copyList);
+
+        PKIX_TEST_RETURN();
+}
+
+int test_certchainchecker(int argc, char *argv[]) {
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_PL_OID *bcOID = NULL;
+        PKIX_PL_OID *ncOID = NULL;
+        PKIX_PL_OID *cpOID = NULL;
+        PKIX_PL_OID *pmOID = NULL;
+        PKIX_PL_OID *pcOID = NULL;
+        PKIX_PL_OID *iaOID = NULL;
+        PKIX_CertChainChecker *dummyChecker = NULL;
+        PKIX_List *supportedExtensions = NULL;
+        PKIX_PL_Object *initialState = NULL;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CertChainChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                (&supportedExtensions, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_BASICCONSTRAINTS_OID, &bcOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)bcOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_NAMECONSTRAINTS_OID, &ncOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)ncOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_CERTIFICATEPOLICIES_OID, &cpOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)cpOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_POLICYMAPPINGS_OID, &pmOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)pmOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_POLICYCONSTRAINTS_OID, &pcOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)pcOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (PKIX_INHIBITANYPOLICY_OID, &iaOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (supportedExtensions, (PKIX_PL_Object *)iaOID, plContext));
+
+        PKIX_TEST_DECREF_BC(bcOID);
+        PKIX_TEST_DECREF_BC(ncOID);
+        PKIX_TEST_DECREF_BC(cpOID);
+        PKIX_TEST_DECREF_BC(pmOID);
+        PKIX_TEST_DECREF_BC(pcOID);
+        PKIX_TEST_DECREF_BC(iaOID);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                ((PKIX_PL_Object *)supportedExtensions, plContext));
+
+        initialState = (PKIX_PL_Object *)supportedExtensions;
+
+        subTest("CertChainChecker_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
+                (dummyChecker_Check, /* PKIX_CertChainChecker_CheckCallback */
+                PKIX_FALSE,          /* forwardCheckingSupported */
+                PKIX_FALSE,          /* forwardDirectionExpected */
+                supportedExtensions,
+                NULL,                /* PKIX_PL_Object *initialState */
+                &dummyChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertChainChecker_SetCertChainCheckerState
+                (dummyChecker, initialState, plContext));
+
+        test_CertChainChecker_Duplicate(dummyChecker);
+
+        subTest("CertChainChecker_Destroy");
+        PKIX_TEST_DECREF_BC(dummyChecker);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dummyChecker);
+        PKIX_TEST_DECREF_AC(initialState);
+        PKIX_TEST_DECREF_AC(supportedExtensions);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CertChainChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/Makefile b/security/nss/cmd/libpkix/pkix/crlsel/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/crlsel/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn b/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn
new file mode 100755
index 000000000..0357ba854
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_crlselector.c \
+	test_comcrlselparams.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolcrlsel
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c b/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c
new file mode 100644
index 000000000..64a61e966
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c
@@ -0,0 +1,474 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_comcrlselparams.c
+ *
+ * Test ComCRLSelParams Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testIssuer(PKIX_ComCRLSelParams *goodObject)
+{
+        PKIX_PL_String *issuer1String = NULL;
+        PKIX_PL_String *issuer2String = NULL;
+        PKIX_PL_String *issuer3String = NULL;
+        PKIX_PL_X500Name *issuerName1 = NULL;
+        PKIX_PL_X500Name *issuerName2 = NULL;
+        PKIX_PL_X500Name *issuerName3 = NULL;
+        PKIX_List *setIssuerList = NULL;
+        PKIX_List *getIssuerList = NULL;
+        PKIX_PL_String *issuerListString = NULL;
+        char *name1 = "CN=yassir,OU=bcn,OU=east,O=sun,C=us";
+        char *name2 = "CN=richard,OU=bcn,OU=east,O=sun,C=us";
+        char *name3 = "CN=hanfei,OU=bcn,OU=east,O=sun,C=us";
+        PKIX_Int32 length;
+        PKIX_Boolean result = PKIX_FALSE;
+        char *expectedAscii =
+                "(CN=yassir,OU=bcn,OU=east,O=sun,"
+                "C=us, CN=richard,OU=bcn,OU=east,O=sun,C=us, "
+                "CN=hanfei,OU=bcn,OU=east,O=sun,C=us)";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams Create Issuers");
+
+        length = PL_strlen(name1);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_UTF8,
+                                    name1,
+                                    length,
+                                    &issuer1String,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuer1String,
+                                    &issuerName1,
+                                    plContext));
+
+        length = PL_strlen(name2);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_UTF8,
+                                    name2,
+                                    length,
+                                    &issuer2String,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuer2String,
+                                    &issuerName2,
+                                    plContext));
+
+        length = PL_strlen(name3);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_UTF8,
+                                    name3,
+                                    length,
+                                    &issuer3String,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
+                                    (issuer3String,
+                                    &issuerName3,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setIssuerList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (setIssuerList,
+                                    (PKIX_PL_Object *)issuerName1,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (setIssuerList,
+                                    (PKIX_PL_Object *)issuerName2,
+                                    plContext));
+
+        subTest("PKIX_ComCRLSelParams_AddIssuerName");
+
+        /* Test adding an issuer to an empty list */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
+                                    (goodObject, issuerName3, plContext));
+
+        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
+                                    (goodObject, &getIssuerList, plContext));
+
+        /* DECREF for GetIssuerNames */
+        PKIX_TEST_DECREF_BC(getIssuerList);
+        /* DECREF for AddIssuerName so next SetIssuerName start clean */
+        PKIX_TEST_DECREF_BC(getIssuerList);
+
+        /* Test setting issuer names on the list */
+        subTest("PKIX_ComCRLSelParams_SetIssuerNames");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames
+                                    (goodObject, setIssuerList, plContext));
+
+        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
+                                    (goodObject, &getIssuerList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)setIssuerList,
+                                    (PKIX_PL_Object *)getIssuerList,
+                                    &result,
+                                    plContext));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg = "unexpected Issuers mismatch";
+        }
+
+        /* Test adding an issuer to existing list */
+        subTest("PKIX_ComCRLSelParams_AddIssuerName");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
+                                    (goodObject, issuerName3, plContext));
+
+        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
+        PKIX_TEST_DECREF_BC(getIssuerList);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
+                                    (goodObject, &getIssuerList, plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object *)getIssuerList,
+                                    &issuerListString,
+                                    plContext));
+
+        testToStringHelper((PKIX_PL_Object *)getIssuerList,
+                            expectedAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(issuer1String);
+        PKIX_TEST_DECREF_AC(issuer2String);
+        PKIX_TEST_DECREF_AC(issuer3String);
+        PKIX_TEST_DECREF_AC(issuerListString);
+        PKIX_TEST_DECREF_AC(issuerName1);
+        PKIX_TEST_DECREF_AC(issuerName2);
+        PKIX_TEST_DECREF_AC(issuerName3);
+        PKIX_TEST_DECREF_AC(setIssuerList);
+        PKIX_TEST_DECREF_AC(getIssuerList);
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testCertificateChecking(
+        char *dataCentralDir,
+        char *goodInput,
+        PKIX_ComCRLSelParams *goodObject)
+{
+        PKIX_PL_Cert *setCert = NULL;
+        PKIX_PL_Cert *getCert = NULL;
+        PKIX_Boolean result = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Test CertificateChecking Cert Create");
+        setCert = createCert(dataCentralDir, goodInput, plContext);
+        if (setCert == NULL) {
+                pkixTestErrorMsg = "create certificate failed";
+                goto cleanup;
+        }
+
+        subTest("PKIX_ComCRLSelParams_SetCertificateChecking");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetCertificateChecking
+                                    (goodObject, setCert, plContext));
+
+        subTest("PKIX_ComCRLSelParams_GetCertificateChecking");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetCertificateChecking
+                                    (goodObject, &getCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)setCert,
+                                    (PKIX_PL_Object *)getCert,
+                                    &result, plContext));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg = "unexpected Cert mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setCert);
+        PKIX_TEST_DECREF_AC(getCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testDateAndTime(PKIX_ComCRLSelParams *goodObject){
+
+        PKIX_PL_Date *setDate = NULL;
+        PKIX_PL_Date *getDate = NULL;
+        char *asciiDate = "040329134847Z";
+        PKIX_Boolean result = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams_Date Create");
+        setDate = createDate(asciiDate, plContext);
+
+        subTest("PKIX_ComCRLSelParams_SetDateAndTime");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCRLSelParams_SetDateAndTime
+                (goodObject, setDate, plContext));
+
+        subTest("PKIX_ComCRLSelParams_GetDateAndTime");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCRLSelParams_GetDateAndTime
+                (goodObject, &getDate, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)setDate,
+                                    (PKIX_PL_Object *)getDate,
+                                    &result, plContext));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg = "unexpected DateAndTime mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setDate);
+        PKIX_TEST_DECREF_AC(getDate);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testMaxMinCRLNumbers(PKIX_ComCRLSelParams *goodObject){
+        PKIX_PL_BigInt *setMaxCrlNumber = NULL;
+        PKIX_PL_BigInt *getMaxCrlNumber = NULL;
+        PKIX_PL_BigInt *setMinCrlNumber = NULL;
+        PKIX_PL_BigInt *getMinCrlNumber = NULL;
+        char *asciiCrlNumber1 = "01";
+        char *asciiCrlNumber99999 = "0909090909";
+        PKIX_PL_String *crlNumber1String = NULL;
+        PKIX_PL_String *crlNumber99999String = NULL;
+
+        PKIX_Boolean result = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams_SetMinCRLNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiCrlNumber1,
+                    PL_strlen(asciiCrlNumber1),
+                    &crlNumber1String,
+                    NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
+                    (crlNumber1String, &setMinCrlNumber, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetMinCRLNumber
+                    (goodObject, setMinCrlNumber, NULL));
+
+        subTest("PKIX_ComCRLSelParams_GetMinCRLNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCRLSelParams_GetMinCRLNumber
+                (goodObject, &getMinCrlNumber, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)setMinCrlNumber,
+                                    (PKIX_PL_Object *)getMinCrlNumber,
+                                    &result, NULL));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg = "unexpected Minimum CRL Number mismatch";
+        }
+
+        subTest("PKIX_ComCRLSelParams_SetMaxCRLNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiCrlNumber99999,
+                    PL_strlen(asciiCrlNumber99999),
+                    &crlNumber99999String,
+                    NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
+                    (crlNumber99999String, &setMaxCrlNumber, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetMaxCRLNumber
+                    (goodObject, setMaxCrlNumber, NULL));
+
+        subTest("PKIX_ComCRLSelParams_GetMaxCRLNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCRLSelParams_GetMaxCRLNumber
+                (goodObject, &getMaxCrlNumber, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)setMaxCrlNumber,
+                                    (PKIX_PL_Object *)getMaxCrlNumber,
+                                    &result, NULL));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg = "unexpected Maximum CRL Number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setMaxCrlNumber);
+        PKIX_TEST_DECREF_AC(getMaxCrlNumber);
+        PKIX_TEST_DECREF_AC(setMinCrlNumber);
+        PKIX_TEST_DECREF_AC(getMinCrlNumber);
+        PKIX_TEST_DECREF_AC(crlNumber1String);
+        PKIX_TEST_DECREF_AC(crlNumber99999String);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testDuplicate(PKIX_ComCRLSelParams *goodObject){
+
+        PKIX_ComCRLSelParams *dupObject = NULL;
+        PKIX_Boolean result = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams_Duplicate");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)goodObject,
+                (PKIX_PL_Object **)&dupObject,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)goodObject,
+                                    (PKIX_PL_Object *)dupObject,
+                                    &result, plContext));
+
+        if (result != PKIX_TRUE) {
+                pkixTestErrorMsg =
+                        "unexpected Duplicate ComCRLSelParams mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dupObject);
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+/* Functional tests for ComCRLSelParams public functions */
+
+int test_comcrlselparams(int argc, char *argv[]){
+
+        char *dataCentralDir = NULL;
+        char *goodInput = "yassir2yassir";
+        PKIX_ComCRLSelParams *goodObject = NULL;
+        PKIX_ComCRLSelParams *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("ComCRLSelParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dataCentralDir = argv[j+1];
+
+        subTest("PKIX_ComCRLSelParams_Create");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                                    (&goodObject,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                                    (&diffObject,
+                                    plContext));
+
+        testIssuer(goodObject);
+
+        testCertificateChecking(dataCentralDir, goodInput, goodObject);
+
+        testDateAndTime(goodObject);
+
+        testMaxMinCRLNumbers(goodObject);
+
+        testDuplicate(goodObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                goodObject,
+                diffObject,
+                NULL,
+                ComCRLSelParams,
+                PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodObject);
+        PKIX_TEST_DECREF_AC(diffObject);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ComCRLSelParams");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c b/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c
new file mode 100644
index 000000000..f5d6c4f3b
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c
@@ -0,0 +1,206 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_crlselector.c
+ *
+ * Test CRLSelector Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testGetMatchCallback(PKIX_CRLSelector *goodObject)
+{
+        PKIX_CRLSelector_MatchCallback mCallback = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("testGetMatchCallback");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetMatchCallback
+                                    (goodObject, &mCallback, plContext));
+
+        if (mCallback == NULL) {
+                pkixTestErrorMsg = "MatchCallback is NULL";
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetCRLSelectorContext(PKIX_CRLSelector *goodObject)
+{
+        PKIX_PL_Object *context = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("testGetCRLSelectorContext");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCRLSelectorContext
+                                    (goodObject, (void *)&context, plContext));
+
+        if (context == NULL) {
+                pkixTestErrorMsg = "CRLSelectorContext is NULL";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(context);
+        PKIX_TEST_RETURN();
+}
+
+static
+void testCommonCRLSelectorParams(PKIX_CRLSelector *goodObject){
+        PKIX_ComCRLSelParams *setParams = NULL;
+        PKIX_ComCRLSelParams *getParams = NULL;
+        PKIX_PL_Date *setDate = NULL;
+        char *asciiDate = "040329134847Z";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                                    (&setParams,
+                                    plContext));
+
+        subTest("PKIX_ComCRLSelParams_Date Create");
+
+        setDate = createDate(asciiDate, plContext);
+
+        subTest("PKIX_ComCRLSelParams_SetDateAndTime");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime
+                (setParams, setDate, plContext));
+
+        subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(
+                goodObject, setParams, plContext));
+
+        subTest("PKIX_CRLSelector_GetCommonCRLSelectorParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCommonCRLSelectorParams(
+                goodObject, &getParams, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)setParams,
+                        (PKIX_PL_Object *)getParams,
+                        PKIX_TRUE,
+                        plContext);
+
+        testHashcodeHelper((PKIX_PL_Object *)setParams,
+                        (PKIX_PL_Object *)getParams,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setDate);
+        PKIX_TEST_DECREF_AC(setParams);
+        PKIX_TEST_DECREF_AC(getParams);
+
+        PKIX_TEST_RETURN();
+}
+
+/* Functional tests for CRLSelector public functions */
+
+int test_crlselector(int argc, char *argv[]){
+
+        PKIX_PL_Date *context = NULL;
+        PKIX_CRLSelector *goodObject = NULL;
+        PKIX_CRLSelector *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *asciiDate = "040329134847Z";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CRLSelector");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        context = createDate(asciiDate, plContext);
+
+        subTest("PKIX_CRLSelector_Create");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                                    (NULL,
+                                    (PKIX_PL_Object *)context,
+                                    &goodObject,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                                    (NULL,
+                                    (PKIX_PL_Object *)context,
+                                    &diffObject,
+                                    plContext));
+
+        testGetMatchCallback(goodObject);
+
+        testGetCRLSelectorContext(goodObject);
+
+        testCommonCRLSelectorParams(goodObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                goodObject,
+                diffObject,
+                NULL,
+                CRLSelector,
+                PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodObject);
+        PKIX_TEST_DECREF_AC(diffObject);
+        PKIX_TEST_DECREF_AC(context);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CRLSelector");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/manifest.mn b/security/nss/cmd/libpkix/pkix/manifest.mn
new file mode 100755
index 000000000..0b467713e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/manifest.mn
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+DIRS =  certsel checker crlsel params results store top util \
+	$(NULL)
diff --git a/security/nss/cmd/libpkix/pkix/params/Makefile b/security/nss/cmd/libpkix/pkix/params/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/params/manifest.mn b/security/nss/cmd/libpkix/pkix/params/manifest.mn
new file mode 100755
index 000000000..2c0cde745
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_procparams.c \
+	test_trustanchor.c \
+	test_valparams.c \
+	test_resourcelimits.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolparams
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/params/test_buildparams.c b/security/nss/cmd/libpkix/pkix/params/test_buildparams.c
new file mode 100644
index 000000000..b3d165443
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/test_buildparams.c
@@ -0,0 +1,212 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildparams.c
+ *
+ * Test BuildParams Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_BuildParams_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetProcParams(
+        PKIX_BuildParams *goodObject,
+        PKIX_BuildParams *equalObject){
+
+        PKIX_ProcessingParams *goodProcParams = NULL;
+        PKIX_ProcessingParams *equalProcParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_BuildParams_GetProcessingParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildParams_GetProcessingParams
+                (goodObject, &goodProcParams, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildParams_GetProcessingParams
+                (equalObject, &equalProcParams, NULL));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodProcParams,
+                (PKIX_PL_Object *)equalProcParams,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodProcParams);
+        PKIX_TEST_DECREF_AC(equalProcParams);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_buildparams(int argc, char *argv[]) {
+
+        PKIX_BuildParams *goodObject = NULL;
+        PKIX_BuildParams *equalObject = NULL;
+        PKIX_BuildParams *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *dataCentralDir = NULL;
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+
+        char *expectedAscii =
+                "[\n"
+                "\tProcessing Params: \n"
+                "\t********BEGIN PROCESSING PARAMS********\n"
+                "\t\t"
+                "[\n"
+                "\tTrust Anchors: \n"
+                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
+                "\t\t"
+"([\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ", [\n"
+                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ")\n"
+                "\t********END LIST OF TRUST ANCHORS********\n"
+                "\tDate:    \t\t(null)\n"
+                "\tTarget Constraints:    (null)\n"
+                "\tInitial Policies:      (null)\n"
+                "\tQualifiers Rejected:   FALSE\n"
+                "\tCert Stores:           (EMPTY)\n"
+                "\tResource Limits:       (null)\n"
+                "\tCRL Checking Enabled:  0\n"
+                "]\n"
+                "\n"
+                "\t********END PROCESSING PARAMS********\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("BuildParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dataCentralDir = argv[j+1];
+
+        subTest("PKIX_BuildParams_Create");
+
+        goodObject = createBuildParams
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        equalObject = createBuildParams
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        diffObject = createBuildParams
+                (dataCentralDir,
+                diffInput,
+                goodInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        testGetProcParams(goodObject, equalObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                BuildParams,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("BuildParams");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_procparams.c b/security/nss/cmd/libpkix/pkix/params/test_procparams.c
new file mode 100644
index 000000000..1598de199
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/test_procparams.c
@@ -0,0 +1,552 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_procparams.c
+ *
+ * Test ProcessingParams Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ProcessingParams_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetAnchors(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_ProcessingParams *equalObject){
+
+        PKIX_List *goodAnchors = NULL;
+        PKIX_List *equalAnchors = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_GetTrustAnchors");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetTrustAnchors
+                                    (goodObject, &goodAnchors, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetTrustAnchors
+                                    (equalObject, &equalAnchors, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)goodAnchors,
+                        (PKIX_PL_Object *)equalAnchors,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodAnchors);
+        PKIX_TEST_DECREF_AC(equalAnchors);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetSetDate(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_ProcessingParams *equalObject){
+
+        PKIX_PL_Date *setDate = NULL;
+        PKIX_PL_Date *getDate = NULL;
+        char *asciiDate = "040329134847Z";
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetDate");
+
+        setDate = createDate(asciiDate, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetDate(goodObject, setDate, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_GetDate
+                (goodObject, &getDate, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)setDate,
+                        (PKIX_PL_Object *)getDate,
+                        PKIX_TRUE,
+                        plContext);
+
+        /* we want to make sure that goodObject and equalObject are "equal" */
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetDate
+                (equalObject, setDate, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setDate);
+        PKIX_TEST_DECREF_AC(getDate);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+PKIX_Error *userChecker1cb(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
+        void **pNBIOContext,
+        void *plContext)
+{
+        return(NULL);
+}
+
+static
+void testGetSetCertChainCheckers(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_ProcessingParams *equalObject){
+
+        PKIX_CertChainChecker *checker = NULL;
+        PKIX_List *setCheckersList = NULL;
+        PKIX_List *getCheckersList = NULL;
+        PKIX_PL_Date *date = NULL;
+        char *asciiDate = "040329134847Z";
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetCertChainCheckers");
+
+        date = createDate(asciiDate, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
+                    (userChecker1cb,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) date,
+                    &checker,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                (&setCheckersList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setCheckersList, (PKIX_PL_Object *) checker, plContext));
+        PKIX_TEST_DECREF_BC(checker);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertChainCheckers
+                (goodObject, setCheckersList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
+                (userChecker1cb,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                NULL,
+                (PKIX_PL_Object *) date,
+                &checker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
+                (goodObject, checker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetCertChainCheckers
+                (goodObject, &getCheckersList, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setCheckersList);
+        PKIX_TEST_DECREF_AC(getCheckersList);
+        PKIX_TEST_DECREF_AC(date);
+        PKIX_TEST_DECREF_BC(checker);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+PKIX_Error *userChecker2cb(
+        PKIX_RevocationChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 *pResult,
+        void *plContext)
+{
+        return(NULL);
+}
+
+static
+void testGetSetRevocationCheckers(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_ProcessingParams *equalObject){
+
+        PKIX_RevocationChecker *checker = NULL;
+        PKIX_List *setCheckersList = NULL;
+        PKIX_List *getCheckersList = NULL;
+        PKIX_PL_Date *date = NULL;
+        char *asciiDate = "040329134847Z";
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetRevocationCheckers");
+
+        date = createDate(asciiDate, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_Create
+                    (userChecker2cb,
+                    (PKIX_PL_Object *) date,
+                    &checker,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                (&setCheckersList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                    (setCheckersList,
+                    (PKIX_PL_Object *) checker,
+                    plContext));
+        PKIX_TEST_DECREF_BC(checker);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                    (goodObject, setCheckersList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_Create
+                    (userChecker2cb,
+                    (PKIX_PL_Object *) date,
+                    &checker,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddRevocationChecker
+                    (goodObject, checker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetRevocationCheckers
+                    (goodObject, &getCheckersList, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setCheckersList);
+        PKIX_TEST_DECREF_AC(getCheckersList);
+        PKIX_TEST_DECREF_AC(date);
+        PKIX_TEST_DECREF_BC(checker);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetSetResourceLimits(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_ProcessingParams *equalObject)
+
+{
+        PKIX_ResourceLimits *resourceLimits1 = NULL;
+        PKIX_ResourceLimits *resourceLimits2 = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetResourceLimits");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                    (&resourceLimits1, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                    (&resourceLimits2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                    (resourceLimits1, 3, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                    (resourceLimits1, 3, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                    (resourceLimits1, 2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
+                    (goodObject, resourceLimits1, plContext));
+
+        PKIX_TEST_DECREF_BC(resourceLimits2);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetResourceLimits
+                    (goodObject, &resourceLimits2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
+                    (equalObject, resourceLimits2, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(resourceLimits1);
+        PKIX_TEST_DECREF_AC(resourceLimits2);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetSetConstraints(PKIX_ProcessingParams *goodObject){
+
+        PKIX_CertSelector *setConstraints = NULL;
+        PKIX_CertSelector *getConstraints = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetTargetCertConstraints");
+
+        /*
+        * After createConstraints is implemented
+        * setConstraints = createConstraints();
+        */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (goodObject, setConstraints, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_GetTargetCertConstraints
+                (goodObject, &getConstraints, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)setConstraints,
+                        (PKIX_PL_Object *)getConstraints,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(setConstraints);
+        PKIX_TEST_DECREF_AC(getConstraints);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetSetInitialPolicies(
+        PKIX_ProcessingParams *goodObject,
+        char *asciiPolicyOID)
+{
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_List* setPolicyList = NULL;
+        PKIX_List* getPolicyList = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetInitialPolicies");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (asciiPolicyOID, &policyOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setPolicyList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (setPolicyList, (PKIX_PL_Object *)policyOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_SetImmutable(setPolicyList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
+                (goodObject, setPolicyList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetInitialPolicies
+                (goodObject, &getPolicyList, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)setPolicyList,
+                (PKIX_PL_Object *)getPolicyList,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(policyOID);
+        PKIX_TEST_DECREF_AC(setPolicyList);
+        PKIX_TEST_DECREF_AC(getPolicyList);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetSetPolicyQualifiersRejected(
+        PKIX_ProcessingParams *goodObject,
+        PKIX_Boolean rejected)
+{
+        PKIX_Boolean getRejected = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ProcessingParams_Get/SetPolicyQualifiersRejected");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetPolicyQualifiersRejected
+                (goodObject, rejected, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_GetPolicyQualifiersRejected
+                (goodObject, &getRejected, plContext));
+
+        if (rejected != getRejected) {
+            testError
+                ("GetPolicyQualifiersRejected returned unexpected value");
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_procparams(int argc, char *argv[]) {
+
+        PKIX_ProcessingParams *goodObject = NULL;
+        PKIX_ProcessingParams *equalObject = NULL;
+        PKIX_ProcessingParams *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *dataCentralDir = NULL;
+        PKIX_UInt32 j = 0;
+
+        char *oidAnyPolicy = PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID;
+        char *oidNist1Policy = "2.16.840.1.101.3.2.1.48.2";
+
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+
+        char *expectedAscii =
+                "[\n"
+                "\tTrust Anchors: \n"
+                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
+                "\t\t"
+                "([\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ", [\n"
+                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ")\n"
+                "\t********END LIST OF TRUST ANCHORS********\n"
+                "\tDate:    \t\tMon Mar 29 08:48:47 2004\n"
+                "\tTarget Constraints:    (null)\n"
+                "\tInitial Policies:      (2.5.29.32.0)\n"
+                "\tQualifiers Rejected:   FALSE\n"
+                "\tCert Stores:           (EMPTY)\n"
+                "\tResource Limits:       [\n"
+                "\tMaxTime:                     2\n"
+                "\tMaxFanout:                   3\n"
+                "\tMaxDepth:                    3\n"
+                "]\n\n"
+                "\tCRL Checking Enabled:  0\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("ProcessingParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dataCentralDir = argv[j+1];
+
+        subTest("PKIX_ProcessingParams_Create");
+        goodObject = createProcessingParams
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        equalObject = createProcessingParams
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        diffObject = createProcessingParams
+                (dataCentralDir,
+                diffInput,
+                goodInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                plContext);
+
+        testGetAnchors(goodObject, equalObject);
+        testGetSetDate(goodObject, equalObject);
+        testGetSetCertChainCheckers(goodObject, equalObject);
+        testGetSetRevocationCheckers(goodObject, equalObject);
+        testGetSetResourceLimits(goodObject, equalObject);
+
+        /*
+        * XXX testGetSetConstraints(goodObject);
+        */
+
+        testGetSetInitialPolicies(goodObject, oidAnyPolicy);
+        testGetSetInitialPolicies(equalObject, oidAnyPolicy);
+        testGetSetInitialPolicies(diffObject, oidNist1Policy);
+        testGetSetPolicyQualifiersRejected(goodObject, PKIX_FALSE);
+        testGetSetPolicyQualifiersRejected(equalObject, PKIX_FALSE);
+        testGetSetPolicyQualifiersRejected(diffObject, PKIX_TRUE);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                NULL, /* expectedAscii, */
+                ProcessingParams,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ProcessingParams");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c b/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c
new file mode 100644
index 000000000..9299d4239
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c
@@ -0,0 +1,147 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_resourcelimits.c
+ *
+ * Test ResourceLimits Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ResourceLimits_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+int test_resourcelimits(int argc, char *argv[]) {
+
+        PKIX_ResourceLimits *goodObject = NULL;
+        PKIX_ResourceLimits *equalObject = NULL;
+        PKIX_ResourceLimits *diffObject = NULL;
+        PKIX_UInt32 maxTime = 0;
+        PKIX_UInt32 maxFanout = 0;
+        PKIX_UInt32 maxDepth = 0;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *expectedAscii =
+                "[\n"
+                "\tMaxTime:           		10\n"
+                "\tMaxFanout:         		5\n"
+                "\tMaxDepth:         		5\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("ResourceLimits");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_ResourceLimits_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                                  (&goodObject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                                  (&diffObject, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                                  (&equalObject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                                  (goodObject, 10, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxTime
+                                  (goodObject, &maxTime, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                                  (equalObject, maxTime, plContext));
+        maxTime++;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                                  (diffObject, maxTime, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                                  (goodObject, 5, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxFanout
+                                  (goodObject, &maxFanout, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                                  (equalObject, maxFanout, plContext));
+        maxFanout++;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                                  (diffObject, maxFanout, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                                  (goodObject, 5, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxDepth
+                                  (goodObject, &maxDepth, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                                  (equalObject, maxDepth, plContext));
+        maxDepth++;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                                  (diffObject, maxDepth, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                ResourceLimits,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ResourceLimits");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c b/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c
new file mode 100644
index 000000000..6d4909304
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c
@@ -0,0 +1,295 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_trustanchor.c
+ *
+ * Test TrustAnchor Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createTrustAnchors(
+        char *dirName,
+        char *goodInput,
+        PKIX_TrustAnchor **goodObject,
+        PKIX_TrustAnchor **equalObject,
+        PKIX_TrustAnchor **diffObject)
+{
+        subTest("PKIX_TrustAnchor_CreateWithNameKeyPair <goodObject>");
+        *goodObject = createTrustAnchor
+                        (dirName, goodInput, PKIX_FALSE, plContext);
+
+        subTest("PKIX_TrustAnchor_CreateWithNameKeyPair <equalObject>");
+        *equalObject = createTrustAnchor
+                        (dirName, goodInput, PKIX_FALSE, plContext);
+
+        subTest("PKIX_TrustAnchor_CreateWithCert <diffObject>");
+        *diffObject = createTrustAnchor
+                        (dirName, goodInput, PKIX_TRUE, plContext);
+}
+
+static
+void testGetCAName(
+        PKIX_PL_Cert *diffCert,
+        PKIX_TrustAnchor *equalObject){
+
+        PKIX_PL_X500Name *diffCAName = NULL;
+        PKIX_PL_X500Name *equalCAName = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_TrustAnchor_GetCAName");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                                    (diffCert, &diffCAName, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAName
+                                    (equalObject, &equalCAName, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)diffCAName,
+                        (PKIX_PL_Object *)equalCAName,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(diffCAName);
+        PKIX_TEST_DECREF_AC(equalCAName);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetCAPublicKey(
+        PKIX_PL_Cert *diffCert,
+        PKIX_TrustAnchor *equalObject){
+
+        PKIX_PL_PublicKey *diffPubKey = NULL;
+        PKIX_PL_PublicKey *equalPubKey = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_TrustAnchor_GetCAPublicKey");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                                    (diffCert, &diffPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAPublicKey
+                                    (equalObject, &equalPubKey, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)diffPubKey,
+                        (PKIX_PL_Object *)equalPubKey,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(diffPubKey);
+        PKIX_TEST_DECREF_AC(equalPubKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetNameConstraints(char *dirName)
+{
+        PKIX_TrustAnchor *goodObject = NULL;
+        PKIX_TrustAnchor *equalObject = NULL;
+        PKIX_TrustAnchor *diffObject = NULL;
+        PKIX_PL_Cert *diffCert;
+        PKIX_PL_CertNameConstraints *diffNC = NULL;
+        PKIX_PL_CertNameConstraints *equalNC = NULL;
+        char *goodInput = "nameConstraintsDN5CACert.crt";
+        char *expectedAscii =
+                "[\n"
+                "\tTrusted CA Name:         CN=nameConstraints DN5 CA,"
+                "O=Test Certificates,C=US\n"
+                "\tTrusted CA PublicKey:    PKCS #1 RSA Encryption\n"
+                "\tInitial Name Constraints:[\n"
+                "\t\tPermitted Name:  (OU=permittedSubtree1,"
+                "O=Test Certificates,C=US)\n"
+                "\t\tExcluded Name:   (OU=excludedSubtree1,"
+                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
+                "\t]\n"
+                "\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Create TrustAnchors and compare");
+
+        createTrustAnchors
+                (dirName, goodInput, &goodObject, &equalObject, &diffObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                TrustAnchor,
+                PKIX_TRUE);
+
+        subTest("PKIX_TrustAnchor_GetTrustedCert");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetTrustedCert
+                                    (diffObject, &diffCert, plContext));
+
+        subTest("PKIX_PL_Cert_GetNameConstraints");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                                    (diffCert, &diffNC, plContext));
+
+        subTest("PKIX_TrustAnchor_GetNameConstraints");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetNameConstraints
+                                    (equalObject, &equalNC, plContext));
+
+        testEqualsHelper((PKIX_PL_Object *)diffNC,
+                        (PKIX_PL_Object *)equalNC,
+                        PKIX_TRUE,
+                        plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(diffNC);
+        PKIX_TEST_DECREF_AC(equalNC);
+        PKIX_TEST_DECREF_BC(diffCert);
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_TrustAnchor_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_trustanchor <NIST_FILES_DIR> <central-data-dir>\n\n");
+}
+
+int test_trustanchor(int argc, char *argv[]) {
+
+        PKIX_TrustAnchor *goodObject = NULL;
+        PKIX_TrustAnchor *equalObject = NULL;
+        PKIX_TrustAnchor *diffObject = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *goodInput = "yassir2yassir";
+        char *expectedAscii =
+                "[\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n";
+        char *dirName = NULL;
+        char *dataCentralDir = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("TrustAnchor");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 3) {
+                printUsage();
+                return (0);
+        }
+
+        dirName = argv[j+1];
+        dataCentralDir = argv[j+2];
+
+        createTrustAnchors
+                (dataCentralDir,
+                goodInput,
+                &goodObject,
+                &equalObject,
+                &diffObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                TrustAnchor,
+                PKIX_TRUE);
+
+        subTest("PKIX_TrustAnchor_GetTrustedCert");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetTrustedCert
+                                    (diffObject, &diffCert, plContext));
+
+        testGetCAName(diffCert, equalObject);
+        testGetCAPublicKey(diffCert, equalObject);
+
+        testGetNameConstraints(dirName);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(diffCert);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("TrustAnchor");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_valparams.c b/security/nss/cmd/libpkix/pkix/params/test_valparams.c
new file mode 100644
index 000000000..999fd95bc
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/params/test_valparams.c
@@ -0,0 +1,301 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_valparams.c
+ *
+ * Test ValidateParams Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ValidateParams_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetProcParams(
+        PKIX_ValidateParams *goodObject,
+        PKIX_ValidateParams *equalObject){
+
+        PKIX_ProcessingParams *goodProcParams = NULL;
+        PKIX_ProcessingParams *equalProcParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ValidateParams_GetProcessingParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (goodObject, &goodProcParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (equalObject, &equalProcParams, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodProcParams,
+                (PKIX_PL_Object *)equalProcParams,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodProcParams);
+        PKIX_TEST_DECREF_AC(equalProcParams);
+
+        PKIX_TEST_RETURN();
+}
+
+
+static
+void testGetCertChain(
+        PKIX_ValidateParams *goodObject,
+        PKIX_ValidateParams *equalObject){
+
+        PKIX_List *goodChain = NULL;
+        PKIX_List *equalChain = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ValidateParams_GetCertChain");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetCertChain
+                (goodObject, &goodChain, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetCertChain
+                (equalObject, &equalChain, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodChain,
+                (PKIX_PL_Object *)equalChain,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodChain);
+        PKIX_TEST_DECREF_AC(equalChain);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_valparams(int argc, char *argv[]) {
+
+        PKIX_ValidateParams *goodObject = NULL;
+        PKIX_ValidateParams *equalObject = NULL;
+        PKIX_ValidateParams *diffObject = NULL;
+        PKIX_List *chain = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *dirName = NULL;
+
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+
+        char *expectedAscii =
+                "[\n"
+                "\tProcessing Params: \n"
+                "\t********BEGIN PROCESSING PARAMS********\n"
+                "\t\t"
+                "[\n"
+                "\tTrust Anchors: \n"
+                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
+                "\t\t"
+"([\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ", [\n"
+                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                ")\n"
+                "\t********END LIST OF TRUST ANCHORS********\n"
+                "\tDate:    \t\t(null)\n"
+                "\tTarget Constraints:    (null)\n"
+                "\tInitial Policies:      (null)\n"
+                "\tQualifiers Rejected:   FALSE\n"
+                "\tCert Stores:           (EMPTY)\n"
+                "\tCRL Checking Enabled:  0\n"
+                "]\n"
+                "\n"
+                "\t********END PROCESSING PARAMS********\n"
+                "\tChain:    \t\t"
+                "([\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    37bc66ec\n"
+                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"
+                "\t           To:   Fri Aug 18 16:19:56 2000]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ", [\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    37bc65af\n"
+                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tSubject:         CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tValidity: [From: Thu Aug 19 16:14:39 1999\n"
+                "\t           To:   Fri Aug 18 16:14:39 2000]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ")\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("ValidateParams");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[j+1];
+
+        subTest("PKIX_ValidateParams_Create");
+        chain = createCertChain(dirName, diffInput, goodInput, plContext);
+        goodObject = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+        equalObject = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+        diffObject = createValidateParams
+                (dirName,
+                diffInput,
+                goodInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        testGetProcParams(goodObject, equalObject);
+        testGetCertChain(goodObject, equalObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                NULL, /* expectedAscii, */
+                ValidateParams,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(chain);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ValidateParams");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/results/Makefile b/security/nss/cmd/libpkix/pkix/results/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/results/manifest.mn b/security/nss/cmd/libpkix/pkix/results/manifest.mn
new file mode 100755
index 000000000..a043f672e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH      = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_buildresult.c \
+	test_policynode.c \
+	test_verifynode.c \
+	test_valresult.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolresults
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/results/test_buildresult.c b/security/nss/cmd/libpkix/pkix/results/test_buildresult.c
new file mode 100644
index 000000000..89bd9c531
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/test_buildresult.c
@@ -0,0 +1,251 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildresult.c
+ *
+ * Test BuildResult Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_BuildResult_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetValidateResult(
+        PKIX_BuildResult *goodObject,
+        PKIX_BuildResult *equalObject){
+
+        PKIX_ValidateResult *goodValResult = NULL;
+        PKIX_ValidateResult *equalValResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_BuildResult_GetValidateResult");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetValidateResult
+                (goodObject, &goodValResult, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetValidateResult
+                (equalObject, &equalValResult, NULL));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodValResult,
+                (PKIX_PL_Object *)equalValResult,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodValResult);
+        PKIX_TEST_DECREF_AC(equalValResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetCertChain(
+        PKIX_BuildResult *goodObject,
+        PKIX_BuildResult *equalObject){
+
+        PKIX_List *goodChain = NULL;
+        PKIX_List *equalChain = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_BuildResult_GetCertChain");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain
+                (goodObject, &goodChain, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain
+                (equalObject, &equalChain, NULL));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodChain,
+                (PKIX_PL_Object *)equalChain,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodChain);
+        PKIX_TEST_DECREF_AC(equalChain);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_buildresult(int argc, char *argv[]) {
+
+        PKIX_BuildResult *goodObject = NULL;
+        PKIX_BuildResult *equalObject = NULL;
+        PKIX_BuildResult *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *dirName = NULL;
+	PKIX_UInt32 j = 0;
+
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+
+        char *expectedAscii =
+                "[\n"
+                "\tValidateResult: \t\t"
+                "[\n"
+                "\tTrustAnchor: \t\t"
+                "[\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                "\tPubKey:    \t\t"
+                "ANSI X9.57 DSA Signature\n"
+                "\tPolicyTree:  \t\t(null)\n"
+                "]\n"
+                "\tCertChain:    \t\t("
+                "[\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    37bc65af\n"
+                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tSubject:         CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tValidity: [From: Thu Aug 19 16:14:39 1999\n"
+                "\t           To:   Fri Aug 18 16:14:39 2000]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ", [\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    37bc66ec\n"
+                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"
+                "\t           To:   Fri Aug 18 16:19:56 2000]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ")\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("BuildResult");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[j+1];
+
+        subTest("pkix_BuildResult_Create");
+
+        goodObject = createBuildResult
+            (dirName, goodInput, diffInput, goodInput, diffInput, plContext);
+        equalObject = createBuildResult
+            (dirName, goodInput, diffInput, goodInput, diffInput, plContext);
+        diffObject = createBuildResult
+            (dirName, diffInput, goodInput, diffInput, goodInput, plContext);
+
+        testGetValidateResult(goodObject, equalObject);
+        testGetCertChain(goodObject, equalObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                NULL, /* expectedAscii, */
+                BuildResult,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("BuildResult");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_policynode.c b/security/nss/cmd/libpkix/pkix/results/test_policynode.c
new file mode 100644
index 000000000..8229a337f
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/test_policynode.c
@@ -0,0 +1,712 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_policynode.c
+ *
+ * Test PolicyNode Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext =  NULL;
+
+static void
+test_GetChildren(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode)
+{
+
+/*
+ * Caution: be careful where you insert this test. PKIX_PolicyNode_GetChildren
+ * is required by the API to return an immutable List, and it does it by setting
+ * the List immutable. We don't make a copy because the assumption is that
+ * certificate and policy processing have been completed before the user gets at
+ * the public API. So subsequent tests of functions that modify the policy tree,
+ * such as Prune, will fail if called after the execution of this test.
+ */
+
+        PKIX_Boolean isImmutable = PKIX_FALSE;
+        PKIX_List *goodList = NULL;
+        PKIX_List *equalList = NULL;
+        PKIX_List *diffList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetChildren");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
+                (goodNode, &goodList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
+                (equalNode, &equalList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
+                (diffNode, &diffList, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodList, equalList, diffList, NULL, List, NULL);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
+                (goodList, &isImmutable, plContext));
+
+        if (isImmutable != PKIX_TRUE) {
+            testError("PKIX_PolicyNode_GetChildren returned a mutable List");
+        }
+
+cleanup:
+        PKIX_TEST_DECREF_AC(goodList);
+        PKIX_TEST_DECREF_AC(equalList);
+        PKIX_TEST_DECREF_AC(diffList);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+test_GetParent(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode,
+        char *expectedAscii)
+{
+        PKIX_PolicyNode *goodParent = NULL;
+        PKIX_PolicyNode *equalParent = NULL;
+        PKIX_PolicyNode *diffParent = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetParent");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
+                (goodNode, &goodParent, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
+                (equalNode, &equalParent, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
+                (diffNode, &diffParent, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodParent,
+                equalParent,
+                diffParent,
+                expectedAscii,
+                CertPolicyNode,
+                NULL);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(goodParent);
+        PKIX_TEST_DECREF_AC(equalParent);
+        PKIX_TEST_DECREF_AC(diffParent);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This test is the same as testDuplicateHelper, except that it
+ * produces a more useful "Actual value" and "Expected value"
+ * in the case of an unexpected mismatch.
+ */
+static void
+test_DuplicateHelper(PKIX_PolicyNode *object, void *plContext)
+{
+        PKIX_PolicyNode *newObject = NULL;
+        PKIX_Boolean cmpResult;
+        PKIX_PL_String *original = NULL;
+        PKIX_PL_String *copy = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("testing pkix_PolicyNode_Duplicate");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)object,
+                (PKIX_PL_Object **)&newObject,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)object,
+                (PKIX_PL_Object *)newObject,
+                &cmpResult,
+                plContext));
+
+        if (!cmpResult){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object*)object, &original, plContext));
+                testError("unexpected mismatch");
+                (void) printf
+                        ("original value:\t%s\n", original->escAsciiString);
+
+                if (newObject) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object*)newObject, &copy, plContext));
+                        (void) printf
+                                ("copy value:\t%s\n", copy->escAsciiString);
+                } else {
+                        (void) printf("copy value:\t(NULL)\n");
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(newObject);
+        PKIX_TEST_DECREF_AC(original);
+        PKIX_TEST_DECREF_AC(copy);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+test_GetValidPolicy(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode,
+        char *expectedAscii)
+{
+        PKIX_PL_OID *goodPolicy = NULL;
+        PKIX_PL_OID *equalPolicy = NULL;
+        PKIX_PL_OID *diffPolicy = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetValidPolicy");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
+                (goodNode, &goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
+                (equalNode, &equalPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
+                (diffNode, &diffPolicy, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodPolicy, equalPolicy, diffPolicy, expectedAscii, OID, NULL);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+
+
+        PKIX_TEST_RETURN();
+}
+
+static void test_GetPolicyQualifiers(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode,
+        char *expectedAscii)
+{
+        PKIX_Boolean isImmutable = PKIX_FALSE;
+        PKIX_List *goodList = NULL;
+        PKIX_List *equalList = NULL;
+        PKIX_List *diffList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetPolicyQualifiers");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
+                (goodNode, &goodList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
+                (equalNode, &equalList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
+                (diffNode, &diffList, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodList, equalList, diffList, expectedAscii, List, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
+                (goodList, &isImmutable, plContext));
+
+        if (isImmutable != PKIX_TRUE) {
+            testError
+                ("PKIX_PolicyNode_GetPolicyQualifiers returned a mutable List");
+        }
+cleanup:
+        PKIX_TEST_DECREF_AC(goodList);
+        PKIX_TEST_DECREF_AC(equalList);
+        PKIX_TEST_DECREF_AC(diffList);
+
+        PKIX_TEST_RETURN();
+}
+
+static void test_GetExpectedPolicies(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode,
+        char *expectedAscii)
+{
+        PKIX_Boolean isImmutable = PKIX_FALSE;
+        PKIX_List *goodList = NULL;
+        PKIX_List *equalList = NULL;
+        PKIX_List *diffList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetExpectedPolicies");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
+                (goodNode, &goodList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
+                (equalNode, &equalList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
+                (diffNode, &diffList, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodList, equalList, diffList, expectedAscii, List, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
+                (goodList, &isImmutable, plContext));
+
+        if (isImmutable != PKIX_TRUE) {
+            testError
+                ("PKIX_PolicyNode_GetExpectedPolicies returned a mutable List");
+        }
+cleanup:
+        PKIX_TEST_DECREF_AC(goodList);
+        PKIX_TEST_DECREF_AC(equalList);
+        PKIX_TEST_DECREF_AC(diffList);
+
+        PKIX_TEST_RETURN();
+}
+
+static void test_IsCritical(
+        PKIX_PolicyNode *goodNode,
+        PKIX_PolicyNode *equalNode,
+        PKIX_PolicyNode *diffNode)
+{
+        PKIX_Boolean goodBool = PKIX_FALSE;
+        PKIX_Boolean equalBool = PKIX_FALSE;
+        PKIX_Boolean diffBool = PKIX_FALSE;
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_IsCritical");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
+                (goodNode, &goodBool, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
+                (equalNode, &equalBool, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
+                (diffNode, &diffBool, plContext));
+
+        if ((!goodBool) || (!equalBool) || (diffBool)) {
+                testError("IsCritical returned unexpected value");
+        }
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void test_GetDepth(
+        PKIX_PolicyNode *depth1Node,
+        PKIX_PolicyNode *depth2Node,
+        PKIX_PolicyNode *depth3Node)
+{
+        PKIX_UInt32 depth1 = 0;
+        PKIX_UInt32 depth2 = 0;
+        PKIX_UInt32 depth3 = 0;
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PolicyNode_GetDepth");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
+                (depth1Node, &depth1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
+                (depth2Node, &depth2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
+                (depth3Node, &depth3, plContext));
+
+        if ((depth1 != 1) || (depth2 != 2) || (depth3 != 3)) {
+                testError("GetDepth returned unexpected value");
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_policynode <NIST_FILES_DIR> \n\n");
+}
+
+int test_policynode(int argc, char *argv[]) {
+
+        /*
+         * Create a tree with parent = anyPolicy,
+         * child1 with Nist1+Nist2, child2 with Nist1.
+         * Give each child another child, with policies Nist2
+         * and Nist1, respectively. Pruning with a depth of two
+         * should have no effect. Give one of the children
+         * another child. Then pruning with a depth of three
+         * should reduce the tree to a single strand, as child1
+         * and child3 are removed.
+         *
+         *              parent (anyPolicy)
+         *          /                   \
+         *      child1(Nist1+Nist2)     child2(Nist1)
+         *          |                       |
+         *      child3(Nist2)           child4(Nist1)
+         *                                  |
+         *                              child5(Nist1)
+         *
+         */
+        char *asciiAnyPolicy = "2.5.29.32.0";
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_CertPolicyInfo *nist1Policy = NULL;
+        PKIX_PL_CertPolicyInfo *nist2Policy = NULL;
+        PKIX_List *policyQualifierList = NULL;
+        PKIX_PL_OID *oidAnyPolicy = NULL;
+        PKIX_PL_OID *oidNist1Policy = NULL;
+        PKIX_PL_OID *oidNist2Policy = NULL;
+        PKIX_List *expectedAnyList = NULL;
+        PKIX_List *expectedNist1List = NULL;
+        PKIX_List *expectedNist2List = NULL;
+        PKIX_List *expectedNist1Nist2List = NULL;
+        PKIX_List *emptyList = NULL;
+        PKIX_PolicyNode *parentNode = NULL;
+        PKIX_PolicyNode *childNode1 = NULL;
+        PKIX_PolicyNode *childNode2 = NULL;
+        PKIX_PolicyNode *childNode3 = NULL;
+        PKIX_PolicyNode *childNode4 = NULL;
+        PKIX_PolicyNode *childNode5 = NULL;
+        PKIX_PL_String *parentString = NULL;
+        PKIX_Boolean pDelete = PKIX_FALSE;
+        char *expectedParentAscii =
+                "{2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5C "
+                "1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 65"
+                " 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D 2"
+                "0 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 69 "
+                "73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 66"
+                " 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20 6"
+                "F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1.3"
+                ".6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69 7"
+                "3 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 69 "
+                "63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 20"
+                " 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63 6"
+                "1 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 75 "
+                "72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101.3"
+                ".2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A 20"
+                " 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72 2"
+                "0 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 "
+                "66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 72"
+                " 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F 7"
+                "4 20 62 65 20 64 69 73 70 6C 61 79 65 64])]),1}\n"
+                ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
+                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
+                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
+                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
+                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
+                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
+                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2),2}";
+        char *expectedValidAscii =
+                "2.16.840.1.101.3.2.1.48.2";
+        char *expectedQualifiersAscii =
+                /* "(1.3.6.1.5.5.7.2.2)"; */
+                "(1.3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 "
+                "69 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74"
+                " 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 7"
+                "2 20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 "
+                "63 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70"
+                " 75 72 70 6F 73 65 73 20 6F 6E 6C 79])";
+        char *expectedPoliciesAscii =
+                "(2.16.840.1.101.3.2.1.48.1)";
+        char *expectedTree =
+                "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
+                ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
+                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
+                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
+                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
+                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
+                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
+                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1"
+                ".3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69"
+                " 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 6"
+                "9 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 "
+                "20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63"
+                " 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 7"
+                "5 72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101"
+                ".3.2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A "
+                "20 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72"
+                " 20 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 6"
+                "9 66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 "
+                "72 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F"
+                " 74 20 62 65 20 64 69 73 70 6C 61 79 65 64])]"
+                "),1}\n"
+                ". . {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30"
+                " 5C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 6"
+                "8 65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F "
+                "6D 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68"
+                " 69 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 2"
+                "0 66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 "
+                "20 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2)"
+                ",2}\n"
+                ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
+                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
+                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
+                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
+                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
+                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
+                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
+                ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
+                "(2.16.840.1.101.3.2.1.48.1),2}\n"
+                ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
+                "0.1.101.3.2.1.48.1),3}";
+        char *expectedPrunedTree =
+                "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
+                ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
+                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
+                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
+                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
+                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
+                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
+                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
+                ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
+                "(2.16.840.1.101.3.2.1.48.1),2}\n"
+                ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
+                "0.1.101.3.2.1.48.1),3}";
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *dirName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 2) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("PolicyNode");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        dirName = argv[j+1];
+
+        subTest("Creating OID objects");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (asciiAnyPolicy, &oidAnyPolicy, plContext));
+
+        /* Read certificates to get real policies, qualifiers */
+
+        cert = createCert
+                (dirName, "UserNoticeQualifierTest16EE.crt", plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &expectedNist1Nist2List, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (expectedNist1Nist2List,
+                0,
+                (PKIX_PL_Object **)&nist1Policy,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (expectedNist1Nist2List,
+                1,
+                (PKIX_PL_Object **)&nist2Policy,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (nist1Policy, &policyQualifierList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (nist1Policy, &oidNist1Policy, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (nist2Policy, &oidNist2Policy, plContext));
+
+        subTest("Creating expectedPolicy List objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_Create(&expectedAnyList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_Create(&expectedNist1List, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_Create(&expectedNist2List, plContext));
+
+
+        subTest("Populating expectedPolicy List objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (expectedAnyList, (PKIX_PL_Object *)oidAnyPolicy, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (expectedNist1List,
+                (PKIX_PL_Object *)oidNist1Policy,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (expectedNist2List,
+                                    (PKIX_PL_Object *)oidNist2Policy,
+                                    plContext));
+
+        subTest("Creating PolicyNode objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidAnyPolicy,
+                NULL,
+                PKIX_TRUE,
+                expectedAnyList,
+                &parentNode,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidNist2Policy,
+                policyQualifierList,
+                PKIX_TRUE,
+                expectedNist1Nist2List,
+                &childNode1,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidNist1Policy,
+                policyQualifierList,
+                PKIX_TRUE,
+                expectedNist1List,
+                &childNode2,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidNist2Policy,
+                policyQualifierList,
+                PKIX_TRUE,
+                expectedNist2List,
+                &childNode3,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidNist1Policy,
+                emptyList,
+                PKIX_FALSE,
+                expectedNist1List,
+                &childNode4,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
+                (oidNist1Policy,
+                NULL,
+                PKIX_TRUE,
+                expectedNist1List,
+                &childNode5,
+                plContext));
+
+        subTest("Creating the PolicyNode tree");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
+                (parentNode, childNode1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
+                (parentNode, childNode2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
+                (childNode1, childNode3, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
+                (childNode2, childNode4, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
+                (childNode4, childNode5, plContext));
+
+        subTest("Displaying PolicyNode objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)parentNode, &parentString, plContext));
+        (void) printf("parentNode is\n\t%s\n", parentString->escAsciiString);
+
+        testToStringHelper
+                ((PKIX_PL_Object*)parentNode, expectedTree, plContext);
+
+        test_DuplicateHelper(parentNode, plContext);
+
+        test_GetParent(childNode3, childNode3, childNode4, expectedParentAscii);
+        test_GetValidPolicy
+                (childNode1, childNode3, parentNode, expectedValidAscii);
+        test_GetPolicyQualifiers
+                (childNode1, childNode3, childNode4, expectedQualifiersAscii);
+        test_GetExpectedPolicies
+                (childNode2, childNode4, childNode3, expectedPoliciesAscii);
+        test_IsCritical(childNode1, childNode2, childNode4);
+        test_GetDepth(childNode2, childNode4, childNode5);
+
+        subTest("pkix_PolicyNode_Prune");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
+                (parentNode, 2, &pDelete, plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object*)parentNode, expectedTree, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
+                (parentNode, 3, &pDelete, plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object*)parentNode, expectedPrunedTree, plContext);
+
+        test_GetChildren(parentNode, parentNode, childNode2);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(nist1Policy);
+        PKIX_TEST_DECREF_AC(nist2Policy);
+        PKIX_TEST_DECREF_AC(policyQualifierList);
+        PKIX_TEST_DECREF_AC(oidAnyPolicy);
+        PKIX_TEST_DECREF_AC(oidNist1Policy);
+        PKIX_TEST_DECREF_AC(oidNist2Policy);
+        PKIX_TEST_DECREF_AC(expectedAnyList);
+        PKIX_TEST_DECREF_AC(expectedNist1List);
+        PKIX_TEST_DECREF_AC(expectedNist2List);
+        PKIX_TEST_DECREF_AC(expectedNist1Nist2List);
+        PKIX_TEST_DECREF_AC(emptyList);
+        PKIX_TEST_DECREF_AC(parentNode);
+        PKIX_TEST_DECREF_AC(childNode1);
+        PKIX_TEST_DECREF_AC(childNode2);
+        PKIX_TEST_DECREF_AC(childNode3);
+        PKIX_TEST_DECREF_AC(childNode4);
+        PKIX_TEST_DECREF_AC(childNode5);
+        PKIX_TEST_DECREF_AC(parentString);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("PolicyNode");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_valresult.c b/security/nss/cmd/libpkix/pkix/results/test_valresult.c
new file mode 100644
index 000000000..6633c5529
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/test_valresult.c
@@ -0,0 +1,240 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_valresult.c
+ *
+ * Test ValidateResult Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ValidateResult_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testGetPublicKey(
+        PKIX_ValidateResult *goodObject,
+        PKIX_ValidateResult *equalObject){
+
+        PKIX_PL_PublicKey *goodPubKey = NULL;
+        PKIX_PL_PublicKey *equalPubKey = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ValidateResult_GetPublicKey");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPublicKey
+                (goodObject, &goodPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPublicKey
+                (equalObject, &equalPubKey, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodPubKey,
+                (PKIX_PL_Object *)equalPubKey,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodPubKey);
+        PKIX_TEST_DECREF_AC(equalPubKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetTrustAnchor(
+        PKIX_ValidateResult *goodObject,
+        PKIX_ValidateResult *equalObject){
+
+        PKIX_TrustAnchor *goodAnchor = NULL;
+        PKIX_TrustAnchor *equalAnchor = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ValidateResult_GetTrustAnchor");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetTrustAnchor
+                (goodObject, &goodAnchor, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetTrustAnchor
+                (equalObject, &equalAnchor, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)goodAnchor,
+                (PKIX_PL_Object *)equalAnchor,
+                PKIX_TRUE,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodAnchor);
+        PKIX_TEST_DECREF_AC(equalAnchor);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetPolicyTree(
+        PKIX_ValidateResult *goodObject,
+        PKIX_ValidateResult *equalObject){
+
+        PKIX_PolicyNode *goodTree = NULL;
+        PKIX_PolicyNode *equalTree = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_ValidateResult_GetPolicyTree");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
+                (goodObject, &goodTree, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
+                (equalObject, &equalTree, plContext));
+
+        if (goodTree) {
+                testEqualsHelper
+                        ((PKIX_PL_Object *)goodTree,
+                        (PKIX_PL_Object *)equalTree,
+                        PKIX_TRUE,
+                        plContext);
+        } else if (equalTree) {
+                pkixTestErrorMsg = "Mismatch: NULL and non-NULL Policy Trees";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodTree);
+        PKIX_TEST_DECREF_AC(equalTree);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_valresult(int argc, char *argv[]) {
+
+        PKIX_ValidateResult *goodObject = NULL;
+        PKIX_ValidateResult *equalObject = NULL;
+        PKIX_ValidateResult *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+        char *dirName = NULL;
+
+        char *expectedAscii =
+                "[\n"
+                "\tTrustAnchor: \t\t"
+                "[\n"
+                "\tTrusted CA Name:         "
+                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
+                "\tInitial Name Constraints:(null)\n"
+                "]\n"
+                "\tPubKey:    \t\t"
+                "ANSI X9.57 DSA Signature\n"
+                "\tPolicyTree:  \t\t(null)\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("ValidateResult");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[j+1];
+
+        subTest("pkix_ValidateResult_Create");
+
+        goodObject = createValidateResult
+                (dirName, goodInput, diffInput, plContext);
+        equalObject = createValidateResult
+                (dirName, goodInput, diffInput, plContext);
+        diffObject = createValidateResult
+                (dirName, diffInput, goodInput, plContext);
+
+        testGetPublicKey(goodObject, equalObject);
+        testGetTrustAnchor(goodObject, equalObject);
+        testGetPolicyTree(goodObject, equalObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                ValidateResult,
+                PKIX_FALSE);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ValidateResult");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_verifynode.c b/security/nss/cmd/libpkix/pkix/results/test_verifynode.c
new file mode 100644
index 000000000..849c1d13d
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/results/test_verifynode.c
@@ -0,0 +1,153 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_verifynode.c
+ *
+ * Test VerifyNode Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext =  NULL;
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_verifynode path cert1 cert2 cert3\n\n");
+}
+
+int test_verifynode(int argc, char *argv[]) {
+
+        /*
+         * Create a tree with parent = cert1, child=cert2, grandchild=cert3
+         */
+        PKIX_PL_Cert *cert1 = NULL;
+        PKIX_PL_Cert *cert2 = NULL;
+	PKIX_PL_Cert *cert3 = NULL;
+        PKIX_VerifyNode *parentNode = NULL;
+        PKIX_VerifyNode *childNode = NULL;
+        PKIX_VerifyNode *grandChildNode = NULL;
+        PKIX_PL_String *parentString = NULL;
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *dirName = NULL;
+	char *twoNodeAscii = "CERT[Issuer:CN=Trust Anchor,O=Test Cert"
+		"ificates,C=US, Subject:CN=Trust Anchor,O=Test Certif"
+		"icates,C=US], depth=0, error=(null)\n. CERT[Issuer:C"
+		"N=Trust Anchor,O=Test Certificates,C=US, Subject:CN="
+		"Good CA,O=Test Certificates,C=US], depth=1, error=(null)";
+	char *threeNodeAscii = "CERT[Issuer:CN=Trust Anchor,O=Test Ce"
+		"rtificates,C=US, Subject:CN=Trust Anchor,O=Test Cert"
+		"ificates,C=US], depth=0, error=(null)\n. CERT[Issuer"
+		":CN=Trust Anchor,O=Test Certificates,C=US, Subject:C"
+		"N=Good CA,O=Test Certificates,C=US], depth=1, error="
+		"(null)\n. . CERT[Issuer:CN=Good CA,O=Test Certificat"
+		"es,C=US, Subject:CN=Valid EE Certificate Test1,O=Tes"
+		"t Certificates,C=US], depth=2, error=(null)";
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 3) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("VerifyNode");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        dirName = argv[++j];
+
+        subTest("Creating Certs");
+
+        cert1 = createCert
+                (dirName, argv[++j], plContext);
+
+        cert2 = createCert
+                (dirName, argv[++j], plContext);
+
+        cert3 = createCert
+                (dirName, argv[++j], plContext);
+
+        subTest("Creating VerifyNode objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
+		(cert1, 0, NULL, &parentNode, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
+		(cert2, 1, NULL, &childNode, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
+		(cert3, 2, NULL, &grandChildNode, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_AddToChain
+		(parentNode, childNode, plContext));
+
+        subTest("Creating VerifyNode ToString objects");
+
+	testToStringHelper
+		((PKIX_PL_Object *)parentNode, twoNodeAscii, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_AddToChain
+		(parentNode, grandChildNode, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)parentNode, &parentString, plContext));
+        (void) printf("parentNode is\n\t%s\n", parentString->escAsciiString);
+
+	testToStringHelper
+		((PKIX_PL_Object *)parentNode, threeNodeAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(cert1);
+        PKIX_TEST_DECREF_AC(cert2);
+        PKIX_TEST_DECREF_AC(parentNode);
+        PKIX_TEST_DECREF_AC(childNode);
+        PKIX_TEST_DECREF_AC(parentString);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("VerifyNode");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/store/Makefile b/security/nss/cmd/libpkix/pkix/store/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/store/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/store/manifest.mn b/security/nss/cmd/libpkix/pkix/store/manifest.mn
new file mode 100755
index 000000000..813a7902a
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/store/manifest.mn
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_store.c
+
+LIBRARY_NAME=pkixtoolstore
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/store/test_store.c b/security/nss/cmd/libpkix/pkix/store/test_store.c
new file mode 100755
index 000000000..d54b7f9a2
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/store/test_store.c
@@ -0,0 +1,229 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_certstore.c
+ *
+ * Test CertStore Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+PKIX_Error *testCRLCallback(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+	void **pNBIOContext,
+        PKIX_List **pCrls,  /* list of PKIX_PL_Crl */
+        void *plContext)
+{
+        return (0);
+}
+
+static
+PKIX_Error *testCRLContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+	void **pNBIOContext,
+        PKIX_List **pCrls,  /* list of PKIX_PL_Crl */
+        void *plContext)
+{
+        return (0);
+}
+
+static
+PKIX_Error *testCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+	void **pNBIOContext,
+        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
+        void *plContext)
+{
+        return (0);
+}
+
+static
+PKIX_Error *testCertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+	void **pNBIOContext,
+        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
+        void *plContext)
+{
+        return (0);
+}
+
+static char *catDirName(char *platform, char *dir, void *plContext)
+{
+        char *pathName = NULL;
+        PKIX_UInt32 dirLen;
+        PKIX_UInt32 platformLen;
+
+        PKIX_TEST_STD_VARS();
+
+        dirLen = PL_strlen(dir);
+        platformLen = PL_strlen(platform);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (platformLen + dirLen + 2, (void **)&pathName, plContext));
+
+        PL_strcpy(pathName, platform);
+        PL_strcat(pathName, "/");
+        PL_strcat(pathName, dir);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (pathName);
+}
+
+static
+void testCertStore(char *crlDir)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_PL_Object *getCertStoreContext = NULL;
+        PKIX_CertStore_CertCallback certCallback = NULL;
+        PKIX_CertStore_CRLCallback crlCallback = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    crlDir,
+                                    0,
+                                    &dirString,
+                                    plContext));
+
+        subTest("PKIX_CertStore_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create
+                                    (testCertCallback,
+                                    testCRLCallback,
+                                    testCertContinue,
+                                    testCRLContinue,
+                                    NULL,        /* trustCallback */
+                                    (PKIX_PL_Object *) dirString,
+                                    PKIX_TRUE,   /* cacheFlag */
+                                    PKIX_TRUE,   /* local */
+                                    &certStore,
+                                    plContext));
+
+        subTest("PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                                    (certStore, &certCallback, plContext));
+
+        if (certCallback != testCertCallback) {
+                testError("PKIX_CertStore_GetCertCallback unexpected mismatch");
+        }
+
+        subTest("PKIX_CertStore_GetCRLCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+                                    (certStore, &crlCallback, plContext));
+
+        if (crlCallback != testCRLCallback) {
+                testError("PKIX_CertStore_GetCRLCallback unexpected mismatch");
+        }
+
+        subTest("PKIX_CertStore_GetCertStoreContext");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertStore_GetCertStoreContext
+                (certStore, &getCertStoreContext, plContext));
+
+        if ((PKIX_PL_Object *)dirString != getCertStoreContext) {
+            testError("PKIX_CertStore_GetCertStoreContext unexpected mismatch");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(getCertStoreContext);
+
+        PKIX_TEST_RETURN();
+}
+
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s testName <data-dir> <platform-dir>\n\n", pName);
+}
+
+/* Functional tests for CertStore public functions */
+
+int test_store(int argc, char *argv[]) {
+
+        char *platformDir = NULL;
+        char *dataDir = NULL;
+        char *combinedDir = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < (3 + j)) {
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        startTests(argv[1 + j]);
+
+        dataDir = argv[2 + j];
+        platformDir = argv[3 + j];
+	combinedDir = catDirName(platformDir, dataDir, plContext);
+
+        testCertStore(combinedDir);
+
+
+cleanup:
+
+        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CertStore");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/Makefile b/security/nss/cmd/libpkix/pkix/top/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/top/manifest.mn b/security/nss/cmd/libpkix/pkix/top/manifest.mn
new file mode 100755
index 000000000..ba30cedb3
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_basicchecker.c \
+	test_basicconstraintschecker.c \
+	test_buildchain.c \
+	test_buildchain_uchecker.c \
+	test_buildchain_partialchain.c \
+	test_buildchain_resourcelimits.c \
+	test_customcrlchecker.c \
+	test_defaultcrlchecker2stores.c \
+	test_ocsp.c \
+	test_policychecker.c \
+	test_subjaltnamechecker.c \
+	test_validatechain.c \
+	test_validatechain_bc.c \
+	test_validatechain_NB.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtooltop
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c
new file mode 100644
index 000000000..f66fdf390
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c
@@ -0,0 +1,276 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_basicchecker.c
+ *
+ * Test Basic Checking
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Basic-Common-Fields <pass>");
+        /*
+         * Tests the Expiration, NameChaining, and Signature Checkers
+         */
+
+        chain = createCertChain(dirName, goodInput, diffInput, plContext);
+
+        valParams = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                dateAscii,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, &verifyTree, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testNameChainingFail(
+        char *dirName,
+        char *goodInput,
+        char *diffInput,
+        char *dateAscii)
+{
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("NameChaining <fail>");
+
+        chain = createCertChain(dirName, diffInput, goodInput, plContext);
+
+        valParams = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                dateAscii,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, &verifyTree, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testDateFail(char *dirName, char *goodInput, char *diffInput){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        chain = createCertChain(dirName, goodInput, diffInput, plContext);
+
+        subTest("Expiration <fail>");
+        valParams = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                                (valParams, &valResult, NULL, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testSignatureFail(
+       char *dirName,
+       char *goodInput,
+       char *diffInput,
+       char *dateAscii)
+{
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Signature <fail>");
+
+        chain = createCertChain(dirName, diffInput, goodInput, plContext);
+
+        valParams = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                dateAscii,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                                (valParams, &valResult, NULL, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
+}
+
+int test_basicchecker(int argc, char *argv[]) {
+
+        char *goodInput = "yassir2yassir";
+        char *diffInput = "yassir2bcn";
+        char *dateAscii = "991201000000Z";
+        char *dirName = NULL;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("SignatureChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 2){
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[j+1];
+
+        /* The NameChaining, Expiration, and Signature Checkers all pass */
+        testPass(dirName, goodInput, diffInput, dateAscii);
+
+        /* Individual Checkers fail */
+        testNameChainingFail(dirName, goodInput, diffInput, dateAscii);
+        testDateFail(dirName, goodInput, diffInput);
+
+        /*
+         * XXX
+         * since the signature check is done last, we need to create
+         * certs whose name chaining passes, but their signatures fail;
+         * we currently don't have any such certs.
+         */
+        /* testSignatureFail(goodInput, diffInput, dateAscii); */
+
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("SignatureChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c
new file mode 100644
index 000000000..fcaf2d966
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c
@@ -0,0 +1,177 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_basicconstraintschecker.c
+ *
+ * Test Basic Constraints Checking
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+
+static void *plContext = NULL;
+
+static
+void printUsage1(char *pName){
+        printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
+        printf("cert [certs].\n");
+}
+
+static
+void printUsageMax(PKIX_UInt32 numCerts){
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+int test_basicconstraintschecker(int argc, char *argv[]){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean testValid = PKIX_FALSE;
+        char *dirName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 4){
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        startTests("BasicConstraintsChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[3+j];
+
+        chainLength = (argc - j) - 4;
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+        }
+
+        for (i = 0; i < chainLength; i++) {
+                certNames[i] = argv[(4+j)+i];
+                certs[i] = NULL;
+        }
+
+        subTest(argv[1+j]);
+
+        subTest("Basic-Constraints - Create Cert Chain");
+
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        /*
+         * Error occurs when creating Cert, this is critical and test
+         * should not continue. Since we expect error, we assume this
+         * error is the one that is expected, so undo the error count.
+         *
+         * This work needs future enhancement. We will introduce another
+         * flag ESE, in addition to the existing EE(expect validation
+         * error) and ENE(expect no validation error). ESE stands for
+         * "expect setup error". When running with ESE, if any of the setup
+         * calls such creating Cert Chain fails, the test can end and
+         * considered to be successful.
+         */
+        if (testValid == PKIX_FALSE && chain == NULL) {
+                testErrorUndo("Cert Error - Create failed");
+                goto cleanup;
+        }
+
+        subTest("Basic-Constraints - Create Params");
+
+        valParams = createValidateParams
+                (dirName,
+                argv[4+j],
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("Basic-Constraints - Validate Chain");
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("BasicConstraintsChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain.c
new file mode 100644
index 000000000..1f22e4f6a
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain.c
@@ -0,0 +1,504 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildchain.c
+ *
+ * Test BuildChain function
+ *
+ */
+
+/* #define debuggingWithoutRevocation */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define LDAP_PORT 389
+static PKIX_Boolean usebind = PKIX_FALSE;
+static PKIX_Boolean useLDAP = PKIX_FALSE;
+static char buf[PR_NETDB_BUF_SIZE];
+static char *serverName = NULL;
+static char *sepPtr = NULL;
+static PRNetAddr netAddr;
+static PRHostEnt hostent;
+static PKIX_UInt32 portNum = 0;
+static PRIntn hostenum = 0;
+static PRStatus prstatus = PR_FAILURE;
+static void *ipaddr = NULL;
+
+
+static void *plContext = NULL;
+
+static void printUsage(void) {
+    (void) printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] "
+        "servername[:port] <testName> [ENE|EE]\n"
+        "\t <certStoreDirectory> <targetCert>"
+        " <intermediate Certs...> <trustedCert>\n\n");
+    (void) printf
+        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
+        "using the certs and CRLs in <certStoreDirectory>. "
+        "servername[:port] gives\n"
+        "the address of an LDAP server. If port is not"
+        " specified, port 389 is used. \"-\" means no LDAP server.\n"
+        "If ENE is specified, then an Error is Not Expected. "
+        "EE indicates an Error is Expected.\n");
+}
+
+static PKIX_Error *
+createLdapCertStore(
+        char *hostname,
+        PRIntervalTime timeout,
+        PKIX_CertStore **pLdapCertStore,
+        void* plContext)
+{
+        PRIntn backlog = 0;
+
+        char *bindname = "";
+        char *auth = "";
+
+        LDAPBindAPI bindAPI;
+        LDAPBindAPI *bindPtr = NULL;
+        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
+        PKIX_CertStore *ldapCertStore = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (usebind) {
+                bindPtr = &bindAPI;
+                bindAPI.selector = SIMPLE_AUTH;
+                bindAPI.chooser.simple.bindName = bindname;
+                bindAPI.chooser.simple.authentication = auth;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
+                (hostname, timeout, bindPtr, &ldapClient, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
+                ((PKIX_PL_LdapClient *)ldapClient,
+                &ldapCertStore,
+                plContext));
+
+        *pLdapCertStore = ldapCertStore;
+cleanup:
+
+        PKIX_TEST_DECREF_AC(ldapClient);
+
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+int test_buildchain(int argc, char *argv[])
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        char *dirName = NULL;
+        PKIX_PL_String *dirNameString = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_UInt32 actualMinorVersion = 0;
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_CertStore *ldapCertStore = NULL;
+        PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
+        /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_List *revCheckers = NULL;
+        char * asciiResult = NULL;
+        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        PKIX_List *expectedCerts = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        PKIX_PL_String *actualCertsString = NULL;
+        PKIX_PL_String *expectedCertsString = NULL;
+        void *state = NULL;
+        char *actualCertsAscii = NULL;
+        char *expectedCertsAscii = NULL;
+        PRPollDesc *pollDesc = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("BuildChain");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /*
+         * arguments:
+         * [optional] -arenas
+         * [optional] usebind
+         *            servername or servername:port ( - for no server)
+         *            testname
+         *            EE or ENE
+         *            cert directory
+         *            target cert (end entity)
+         *            intermediate certs
+         *            trust anchor
+         */
+
+        /* optional argument "usebind" for Ldap CertStore */
+        if (argv[j + 1]) {
+                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
+                        usebind = PKIX_TRUE;
+                        j++;
+                }
+        }
+
+        if (PORT_Strcmp(argv[++j], "-") == 0) {
+                useLDAP = PKIX_FALSE;
+        } else {
+                serverName = argv[j];
+                useLDAP = PKIX_TRUE;
+        }
+
+        subTest(argv[++j]);
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        dirName = argv[++j];
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
+
+        for (k = ++j; k < (PKIX_UInt32)argc; k++) {
+
+                dirCert = createCert(dirName, argv[k], plContext);
+
+                if (k == (PKIX_UInt32)(argc - 1)) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)dirCert, plContext));
+                        trustedCert = dirCert;
+                } else {
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_AppendItem
+                                (expectedCerts,
+                                (PKIX_PL_Object *)dirCert,
+                                plContext));
+
+                        if (k == j) {
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                        ((PKIX_PL_Object *)dirCert, plContext));
+                                targetCert = dirCert;
+                        }
+                }
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create CertStores */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+
+        if (useLDAP == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
+                        (serverName, timeout, &ldapCertStore, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (certStores,
+                        (PKIX_PL_Object *)ldapCertStore,
+                        plContext));
+        } else {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_CollectionCertStore_Create
+                        (dirNameString, &certStore, plContext));
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (certStores, (PKIX_PL_Object *)certStore, plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                (procParams, certStores, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (trustedCert, &trustedPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (expectedCerts, &numCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
+                (certStores,
+                NULL, /* testDate, may be NULL */
+                trustedPubKey,
+                numCerts,
+                &revChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+#ifdef debuggingWithoutRevocation
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_FALSE, plContext));
+#endif
+
+        /* build cert chain using processing params and return buildResult */
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                (void **)&pollDesc,
+                &state,
+                &buildResult,
+		&verifyTree,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_BuildChain
+                        (procParams,
+                        (void **)&pollDesc,
+                        &state,
+                        &buildResult,
+			&verifyTree,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+        } else {
+	        if (testValid == PKIX_TRUE) { /* ENE */
+        	        (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+	        } else { /* EE */
+        	        (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+	        }
+	}
+
+        subTest("Displaying VerifyNode objects");
+
+	if (verifyTree == NULL) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+		    (PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
+	} else {
+	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+        	    ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+	}
+
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
+        if (pkixTestErrorResult) {
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                goto cleanup;
+        }
+
+        if (buildResult) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Object_Equals
+                        ((PKIX_PL_Object*)certs,
+                        (PKIX_PL_Object*)expectedCerts,
+                        &result,
+                        plContext));
+
+                if (!result) {
+                        testError("BUILT CERTCHAIN IS "
+                                    "NOT THE ONE THAT WAS EXPECTED");
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)certs,
+                                &actualCertsString,
+                                plContext));
+
+                        actualCertsAscii = PKIX_String2ASCII
+                                (actualCertsString, plContext);
+                        if (actualCertsAscii == NULL) {
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)expectedCerts,
+                                &expectedCertsString,
+                                plContext));
+
+                        expectedCertsAscii = PKIX_String2ASCII
+                                (expectedCertsString, plContext);
+                        if (expectedCertsAscii == NULL) {
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
+                        (void) printf("Expected value:\t%s\n",
+                                        expectedCertsAscii);
+                }
+
+        }
+
+cleanup:
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+
+        PKIX_PL_Free(asciiResult, NULL);
+        PKIX_PL_Free(actualCertsAscii, plContext);
+        PKIX_PL_Free(expectedCertsAscii, plContext);
+
+        PKIX_TEST_DECREF_AC(state);
+        PKIX_TEST_DECREF_AC(actualCertsString);
+        PKIX_TEST_DECREF_AC(expectedCertsString);
+        PKIX_TEST_DECREF_AC(expectedCerts);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStores);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(revChecker);
+        PKIX_TEST_DECREF_AC(ldapCertStore);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(dirNameString);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(trustedCert);
+        PKIX_TEST_DECREF_AC(trustedPubKey);
+
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(targetCert);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BuildChain");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c
new file mode 100644
index 000000000..2cc26e08b
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c
@@ -0,0 +1,854 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildchain_partialchain.c
+ *
+ * Test BuildChain function
+ *
+ */
+
+#define debuggingWithoutRevocation
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define LDAP_PORT 389
+static PKIX_Boolean usebind = PKIX_FALSE;
+static PKIX_Boolean useLDAP = PKIX_FALSE;
+static char buf[PR_NETDB_BUF_SIZE];
+static char *serverName = NULL;
+static char *sepPtr = NULL;
+static PRNetAddr netAddr;
+static PRHostEnt hostent;
+static PKIX_UInt32 portNum = 0;
+static PRIntn hostenum = 0;
+static PRStatus prstatus = PR_FAILURE;
+static void *ipaddr = NULL;
+
+
+static void *plContext = NULL;
+
+static void printUsage(void) {
+    (void) printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] "
+        "servername[:port] <testName> [ENE|EE]\n"
+        "\t <certStoreDirectory> <targetCert>"
+        " <intermediate Certs...> <trustedCert>\n\n");
+    (void) printf
+        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
+        "using the certs and CRLs in <certStoreDirectory>. "
+        "servername[:port] gives\n"
+        "the address of an LDAP server. If port is not"
+        " specified, port 389 is used. \"-\" means no LDAP server.\n"
+        "If ENE is specified, then an Error is Not Expected. "
+        "EE indicates an Error is Expected.\n");
+}
+
+static PKIX_Error *
+createLdapCertStore(
+        char *hostname,
+        PRIntervalTime timeout,
+        PKIX_CertStore **pLdapCertStore,
+        void* plContext)
+{
+        PRIntn backlog = 0;
+
+        char *bindname = "";
+        char *auth = "";
+
+        LDAPBindAPI bindAPI;
+        LDAPBindAPI *bindPtr = NULL;
+        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
+        PKIX_CertStore *ldapCertStore = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (usebind) {
+                bindPtr = &bindAPI;
+                bindAPI.selector = SIMPLE_AUTH;
+                bindAPI.chooser.simple.bindName = bindname;
+                bindAPI.chooser.simple.authentication = auth;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
+                (hostname, timeout, bindPtr, &ldapClient, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
+                ((PKIX_PL_LdapClient *)ldapClient,
+                &ldapCertStore,
+                plContext));
+
+        *pLdapCertStore = ldapCertStore;
+cleanup:
+
+        PKIX_TEST_DECREF_AC(ldapClient);
+
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+/* Test with all Certs in the partial list, no leaf */
+static PKIX_Error *
+testWithNoLeaf(
+        PKIX_PL_Cert *trustedCert,
+        PKIX_List *listOfCerts,
+        PKIX_PL_Cert *targetCert,
+        PKIX_List *certStores,
+        PKIX_Boolean testValid,
+        void* plContext)
+{
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *hintCerts = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PRPollDesc *pollDesc = NULL;
+        void *state = NULL;
+        char *asciiResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                (anchors, &procParams, plContext));
+
+        /* create CertSelector with no target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create hintCerts */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)listOfCerts,
+                (PKIX_PL_Object **)&hintCerts,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
+                (procParams, hintCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                (procParams, certStores, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (trustedCert, &trustedPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (listOfCerts, &numCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
+                (certStores,
+                NULL, /* testDate, may be NULL */
+                trustedPubKey,
+                numCerts,
+                &revChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+#ifdef debuggingWithoutRevocation
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_FALSE, plContext));
+#endif
+
+        /* build cert chain using processing params and return buildResult */
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                (void **)&pollDesc,
+                &state,
+                &buildResult,
+                NULL,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_BuildChain
+                        (procParams,
+                        (void **)&pollDesc,
+                        &state,
+                        &buildResult,
+                        NULL,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                goto cleanup;
+        }
+
+        if (testValid == PKIX_TRUE) { /* ENE */
+                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+        } else { /* EE */
+                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+        }
+
+        if (buildResult) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+        }
+
+cleanup:
+        PKIX_PL_Free(asciiResult, NULL);
+
+        PKIX_TEST_DECREF_AC(state);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(revChecker);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(hintCerts);
+        PKIX_TEST_DECREF_AC(trustedPubKey);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+/* Test with all Certs in the partial list, leaf duplicates the first one */
+static PKIX_Error *
+testWithDuplicateLeaf(
+        PKIX_PL_Cert *trustedCert,
+        PKIX_List *listOfCerts,
+        PKIX_PL_Cert *targetCert,
+        PKIX_List *certStores,
+        PKIX_Boolean testValid,
+        void* plContext)
+{
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *hintCerts = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PRPollDesc *pollDesc = NULL;
+        void *state = NULL;
+        char *asciiResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create hintCerts */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)listOfCerts,
+                (PKIX_PL_Object **)&hintCerts,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
+                (procParams, hintCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                (procParams, certStores, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (trustedCert, &trustedPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (listOfCerts, &numCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
+                (certStores,
+                NULL, /* testDate, may be NULL */
+                trustedPubKey,
+                numCerts,
+                &revChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+#ifdef debuggingWithoutRevocation
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_FALSE, plContext));
+#endif
+
+        /* build cert chain using processing params and return buildResult */
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                (void **)&pollDesc,
+                &state,
+                &buildResult,
+                NULL,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_BuildChain
+                        (procParams,
+                        (void **)&pollDesc,
+                        &state,
+                        &buildResult,
+                        NULL,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                goto cleanup;
+        }
+
+        if (testValid == PKIX_TRUE) { /* ENE */
+                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+        } else { /* EE */
+                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+        }
+
+        if (buildResult) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+        }
+
+cleanup:
+        PKIX_PL_Free(asciiResult, NULL);
+
+        PKIX_TEST_DECREF_AC(state);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(revChecker);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(hintCerts);
+        PKIX_TEST_DECREF_AC(trustedPubKey);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+/* Test with all Certs except the leaf in the partial list */
+static PKIX_Error *
+testWithLeafAndChain(
+        PKIX_PL_Cert *trustedCert,
+        PKIX_List *listOfCerts,
+        PKIX_PL_Cert *targetCert,
+        PKIX_List *certStores,
+        PKIX_Boolean testValid,
+        void* plContext)
+{
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *hintCerts = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PRPollDesc *pollDesc = NULL;
+        void *state = NULL;
+        char *asciiResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create hintCerts */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                ((PKIX_PL_Object *)listOfCerts,
+                (PKIX_PL_Object **)&hintCerts,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
+                (hintCerts, 0, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
+                (procParams, hintCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                (procParams, certStores, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (trustedCert, &trustedPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (listOfCerts, &numCerts, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
+                (certStores,
+                NULL, /* testDate, may be NULL */
+                trustedPubKey,
+                numCerts,
+                &revChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+#ifdef debuggingWithoutRevocation
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_FALSE, plContext));
+#endif
+
+        /* build cert chain using processing params and return buildResult */
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                (void **)&pollDesc,
+                &state,
+                &buildResult,
+                NULL,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_BuildChain
+                        (procParams,
+                        (void **)&pollDesc,
+                        &state,
+                        &buildResult,
+                        NULL,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                goto cleanup;
+        }
+
+        if (testValid == PKIX_TRUE) { /* ENE */
+                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+        } else { /* EE */
+                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+        }
+
+        if (buildResult) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(state);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(revChecker);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(hintCerts);
+        PKIX_TEST_DECREF_AC(trustedPubKey);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+int test_buildchain_partialchain(int argc, char *argv[])
+{
+        PKIX_UInt32 actualMinorVersion = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_Boolean ene = PKIX_TRUE; /* expect no error */
+        PKIX_List *listOfCerts = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+        PKIX_PL_Cert *trusted = NULL;
+        PKIX_PL_Cert *target = NULL;
+        PKIX_CertStore *ldapCertStore = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_PL_String *dirNameString = NULL;
+        char *dirName = NULL;
+
+        PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
+        /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("BuildChain");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /*
+         * arguments:
+         * [optional] -arenas
+         * [optional] usebind
+         *            servername or servername:port ( - for no server)
+         *            testname
+         *            EE or ENE
+         *            cert directory
+         *            target cert (end entity)
+         *            intermediate certs
+         *            trust anchor
+         */
+
+        /* optional argument "usebind" for Ldap CertStore */
+        if (argv[j + 1]) {
+                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
+                        usebind = PKIX_TRUE;
+                        j++;
+                }
+        }
+
+        if (PORT_Strcmp(argv[++j], "-") == 0) {
+                useLDAP = PKIX_FALSE;
+        } else {
+                serverName = argv[j];
+                useLDAP = PKIX_TRUE;
+        }
+
+        subTest(argv[++j]);
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
+                ene = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
+                ene = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        dirName = argv[++j];
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&listOfCerts, plContext));
+
+        for (k = ++j; k < ((PKIX_UInt32)argc); k++) {
+
+                dirCert = createCert(dirName, argv[k], plContext);
+
+                if (k == ((PKIX_UInt32)(argc - 1))) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)dirCert, plContext));
+                        trusted = dirCert;
+                } else {
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_AppendItem
+                                (listOfCerts,
+                                (PKIX_PL_Object *)dirCert,
+                                plContext));
+
+                        if (k == j) {
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                        ((PKIX_PL_Object *)dirCert, plContext));
+                                target = dirCert;
+                        }
+                }
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        /* create CertStores */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+
+        if (useLDAP == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
+                        (serverName, timeout, &ldapCertStore, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (certStores,
+                        (PKIX_PL_Object *)ldapCertStore,
+                        plContext));
+        } else {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_CollectionCertStore_Create
+                        (dirNameString, &certStore, plContext));
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (certStores, (PKIX_PL_Object *)certStore, plContext));
+        }
+
+        subTest("testWithNoLeaf");
+        PKIX_TEST_EXPECT_NO_ERROR(testWithNoLeaf
+                (trusted, listOfCerts, target, certStores, ene, plContext));
+
+        subTest("testWithDuplicateLeaf");
+        PKIX_TEST_EXPECT_NO_ERROR(testWithDuplicateLeaf
+                (trusted, listOfCerts, target, certStores, ene, plContext));
+
+        subTest("testWithLeafAndChain");
+        PKIX_TEST_EXPECT_NO_ERROR(testWithLeafAndChain
+                (trusted, listOfCerts, target, certStores, ene, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(listOfCerts);
+        PKIX_TEST_DECREF_AC(certStores);
+        PKIX_TEST_DECREF_AC(ldapCertStore);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(dirNameString);
+        PKIX_TEST_DECREF_AC(trusted);
+        PKIX_TEST_DECREF_AC(target);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BuildChain");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c
new file mode 100644
index 000000000..76ddaf327
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c
@@ -0,0 +1,530 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildchain_resourcelimits.c
+ *
+ * Test BuildChain function with constraints on resources
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TESTUSERCHECKER_TYPE (PKIX_NUMTYPES+30)
+
+static void *plContext = NULL;
+static PKIX_Boolean usebind = PKIX_FALSE;
+static PKIX_Boolean useLDAP = PKIX_FALSE;
+static char buf[PR_NETDB_BUF_SIZE];
+static char *serverName = NULL;
+
+static void printUsage(void) {
+    (void) printf("\nUSAGE:\ttest_buildchain_resourcelimits [-arenas] "
+        "[usebind] servername[:port]\\\n\t\t<testName> [ENE|EE]"
+        " <certStoreDirectory>\\\n\t\t<targetCert>"
+        " <intermediate Certs...> <trustedCert>\n\n");
+    (void) printf
+        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
+        "using the certs and CRLs in <certStoreDirectory>. "
+        "servername[:port] gives\n"
+        "the address of an LDAP server. If port is not"
+        " specified, port 389 is used.\n\"-\" means no LDAP server.\n\n"
+        "If ENE is specified, then an Error is Not Expected.\n"
+        "EE indicates an Error is Expected.\n");
+}
+
+static PKIX_Error *
+createLdapCertStore(
+        char *hostname,
+        PRIntervalTime timeout,
+        PKIX_CertStore **pLdapCertStore,
+        void* plContext)
+{
+        PRIntn backlog = 0;
+
+        char *bindname = "";
+        char *auth = "";
+
+        LDAPBindAPI bindAPI;
+        LDAPBindAPI *bindPtr = NULL;
+        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
+        PKIX_CertStore *ldapCertStore = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (usebind) {
+                bindPtr = &bindAPI;
+                bindAPI.selector = SIMPLE_AUTH;
+                bindAPI.chooser.simple.bindName = bindname;
+                bindAPI.chooser.simple.authentication = auth;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
+                (hostname, timeout, bindPtr, &ldapClient, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
+                ((PKIX_PL_LdapClient *)ldapClient, &ldapCertStore, plContext));
+
+        *pLdapCertStore = ldapCertStore;
+cleanup:
+
+        PKIX_TEST_DECREF_AC(ldapClient);
+
+        PKIX_TEST_RETURN();
+
+        return (pkixTestErrorResult);
+
+}
+
+static void Test_BuildResult(
+        PKIX_ProcessingParams *procParams,
+        PKIX_Boolean testValid,
+        PKIX_List *expectedCerts,
+        void *plContext)
+{
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_String *actualCertsString = NULL;
+        PKIX_PL_String *expectedCertsString = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_Boolean result;
+        PKIX_Boolean supportForward = PKIX_FALSE;
+        PKIX_UInt32 numCerts, i;
+        char *asciiResult = NULL;
+        char *actualCertsAscii = NULL;
+        char *expectedCertsAscii = NULL;
+        void *state = NULL;
+        PRPollDesc *pollDesc = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                (void **)&pollDesc,
+                &state,
+                &buildResult,
+                NULL,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_BuildChain
+                        (procParams,
+                        (void **)&pollDesc,
+                        &state,
+                        &buildResult,
+                        NULL,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED!\n");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                goto cleanup;
+        }
+
+        if (testValid == PKIX_TRUE) { /* ENE */
+                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+        } else { /* EE */
+                testError("UNEXPECTED NON-ERROR RECEIVED!\n");
+        }
+
+        if (buildResult){
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, NULL));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++){
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Object_Equals
+                        ((PKIX_PL_Object*)certs,
+                        (PKIX_PL_Object*)expectedCerts,
+                        &result,
+                        plContext));
+
+                if (!result){
+                        testError("BUILT CERTCHAIN IS "
+                                    "NOT THE ONE THAT WAS EXPECTED");
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)certs,
+                                &actualCertsString,
+                                plContext));
+
+                        actualCertsAscii = PKIX_String2ASCII
+                                (actualCertsString, plContext);
+                        if (actualCertsAscii == NULL){
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)expectedCerts,
+                                &expectedCertsString,
+                                plContext));
+
+                        expectedCertsAscii = PKIX_String2ASCII
+                                (expectedCertsString, plContext);
+                        if (expectedCertsAscii == NULL){
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
+                        (void) printf("Expected value:\t%s\n",
+                                        expectedCertsAscii);
+                }
+
+        }
+
+cleanup:
+
+        PKIX_PL_Free(asciiResult, NULL);
+        PKIX_PL_Free(actualCertsAscii, plContext);
+        PKIX_PL_Free(expectedCertsAscii, plContext);
+        PKIX_TEST_DECREF_AC(state);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(actualCertsString);
+        PKIX_TEST_DECREF_AC(expectedCertsString);
+
+        PKIX_TEST_RETURN();
+
+}
+
+int test_buildchain_resourcelimits(int argc, char *argv[])
+{
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_CertChainChecker *checker = NULL;
+        PKIX_ResourceLimits *resourceLimits = NULL;
+        char *dirName = NULL;
+        PKIX_PL_String *dirNameString = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+        PKIX_UInt32 actualMinorVersion = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_CertStore *ldapCertStore = NULL;
+        PRIntervalTime timeout = 0; /* 0 for non-blocking */
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_List *expectedCerts = NULL;
+        PKIX_Boolean testValid = PKIX_FALSE;
+        PKIX_Boolean usebind = PKIX_FALSE;
+        PKIX_Boolean useLDAP = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5){
+                printUsage();
+                return (0);
+        }
+
+        startTests("BuildChain_ResourceLimits");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /*
+         * arguments:
+         * [optional] -arenas
+         * [optional] usebind
+         *            servername or servername:port ( - for no server)
+         *            testname
+         *            EE or ENE
+         *            cert directory
+         *            target cert (end entity)
+         *            intermediate certs
+         *            trust anchor
+         */
+
+        /* optional argument "usebind" for Ldap CertStore */
+        if (argv[j + 1]) {
+                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
+                        usebind = PKIX_TRUE;
+                        j++;
+                }
+        }
+
+        if (PORT_Strcmp(argv[++j], "-") == 0) {
+                useLDAP = PKIX_FALSE;
+        } else {
+                serverName = argv[j];
+        }
+
+        subTest(argv[++j]);
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        dirName = argv[++j];
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
+
+        for (k = ++j; k < argc; k++) {
+
+                dirCert = createCert(dirName, argv[k], plContext);
+
+                if (k == (argc - 1)) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)dirCert, plContext));
+                        trustedCert = dirCert;
+                } else {
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_AppendItem
+                                (expectedCerts,
+                                (PKIX_PL_Object *)dirCert,
+                                plContext));
+
+                        if (k == j) {
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                        ((PKIX_PL_Object *)dirCert, plContext));
+                                targetCert = dirCert;
+                        }
+                }
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                    (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                                    (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create CertStores */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    dirName,
+                                    0,
+                                    &dirNameString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirNameString, &certStore, plContext));
+
+#if 0
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                                    (&certStore, plContext));
+#endif
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+
+        if (useLDAP == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
+                        (serverName, timeout, &ldapCertStore, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (certStores,
+                        (PKIX_PL_Object *)ldapCertStore,
+                        plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (certStores, (PKIX_PL_Object *)certStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                                    (procParams, certStores, plContext));
+
+        /* set resource limits */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
+                (&resourceLimits, plContext));
+
+        /* need longer time when running dbx for memory leak checking */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                (resourceLimits, 60, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                (resourceLimits, 2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                (resourceLimits, 2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
+                                    (procParams, resourceLimits, plContext));
+
+        /* build cert chain using processing params and return buildResult */
+
+        subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>");
+        Test_BuildResult
+                (procParams,
+                testValid,
+                expectedCerts,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                (resourceLimits, 1, plContext));
+
+        subTest("Testing ResourceLimits MaxFanout - <fail>");
+        Test_BuildResult
+                (procParams,
+                PKIX_FALSE,
+                expectedCerts,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                (resourceLimits, 2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                (resourceLimits, 1, plContext));
+
+        subTest("Testing ResourceLimits MaxDepth - <fail>");
+        Test_BuildResult
+                (procParams,
+                PKIX_FALSE,
+                expectedCerts,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
+                (resourceLimits, 0, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
+                (resourceLimits, 0, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
+                (resourceLimits, 0, plContext));
+
+        subTest("Testing ResourceLimits No checking - <pass>");
+        Test_BuildResult
+                (procParams,
+                testValid,
+                expectedCerts,
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(expectedCerts);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStores);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(ldapCertStore);
+        PKIX_TEST_DECREF_AC(dirNameString);
+        PKIX_TEST_DECREF_AC(trustedCert);
+        PKIX_TEST_DECREF_AC(targetCert);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(checker);
+        PKIX_TEST_DECREF_AC(resourceLimits);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BuildChain_UserChecker");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c
new file mode 100644
index 000000000..b133f2366
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c
@@ -0,0 +1,406 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_buildchain_uchecker.c
+ *
+ * Test BuildChain User Checker function
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+static PKIX_UInt32 numUserCheckerCalled = 0;
+
+static
+void printUsage(void){
+        (void) printf("\nUSAGE:\ttest_buildchain_uchecker [ENE|EE] "
+                    "[-|[F]<userOID>] "
+                    "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
+        (void) printf
+                ("Builds a chain of certificates between "
+                "<trustedCert> and <targetCert>\n"
+                "using the certs and CRLs in <certStoreDirectory>.\n"
+                "If <userOID> is not an empty string, its value is used as\n"
+                "user defined checker's critical extension OID.\n"
+                "A - for <userOID> is no OID and F is for supportingForward.\n"
+                "If ENE is specified, then an Error is Not Expected.\n"
+                "If EE is specified, an Error is Expected.\n");
+}
+
+static PKIX_Error *
+testUserChecker(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresExtOIDs,
+        void **pNBIOContext,
+        void *plContext)
+{
+        numUserCheckerCalled++;
+        return(0);
+}
+
+int test_buildchain_uchecker(int argc, char *argv[])
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_CertChainChecker *checker = NULL;
+        char *dirName = NULL;
+        PKIX_PL_String *dirNameString = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *certStores = NULL;
+        char * asciiResult = NULL;
+        PKIX_Boolean result;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        PKIX_Boolean supportForward = PKIX_FALSE;
+        PKIX_List *expectedCerts = NULL;
+        PKIX_List *userOIDs = NULL;
+        PKIX_PL_OID *oid = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+        PKIX_PL_String *actualCertsString = NULL;
+        PKIX_PL_String *expectedCertsString = NULL;
+        char *actualCertsAscii = NULL;
+        char *expectedCertsAscii = NULL;
+        char *oidString = NULL;
+        void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
+        void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5){
+                printUsage();
+                return (0);
+        }
+
+        startTests("BuildChain_UserChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        /* OID specified at argv[3+j] */
+
+        if (*argv[3+j] != '-') {
+
+                if (*argv[3+j] == 'F') {
+                        supportForward = PKIX_TRUE;
+                        oidString = argv[3+j]+1;
+                } else {
+                        oidString = argv[3+j];
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                                (&userOIDs, plContext));
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                                (oidString, &oid, plContext));
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                (userOIDs, (PKIX_PL_Object *)oid, plContext));
+                PKIX_TEST_DECREF_BC(oid);
+        }
+
+        subTest(argv[1+j]);
+
+        dirName = argv[4+j];
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
+
+        chainLength = argc - j - 5;
+
+        for (k = 0; k < chainLength; k++){
+
+                dirCert = createCert(dirName, argv[5+k+j], plContext);
+
+                if (k == (chainLength - 1)){
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)dirCert, plContext));
+                        trustedCert = dirCert;
+                } else {
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_AppendItem
+                                (expectedCerts,
+                                (PKIX_PL_Object *)dirCert,
+                                plContext));
+
+                        if (k == 0){
+                                PKIX_TEST_EXPECT_NO_ERROR
+                                        (PKIX_PL_Object_IncRef
+                                        ((PKIX_PL_Object *)dirCert,
+                                        plContext));
+                                targetCert = dirCert;
+                        }
+                }
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        /* create processing params with list of trust anchors */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                    (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                                    (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
+                                    (testUserChecker,
+                                    supportForward,
+                                    PKIX_FALSE,
+                                    userOIDs,
+                                    NULL,
+                                    &checker,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
+                                  (procParams, checker, plContext));
+
+
+        /* create CertStores */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    dirName,
+                                    0,
+                                    &dirNameString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirNameString, &certStore, plContext));
+
+#if 0
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                                    (&certStore, plContext));
+#endif
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (certStores, (PKIX_PL_Object *)certStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                                    (procParams, certStores, plContext));
+
+        /* build cert chain using processing params and return buildResult */
+
+        pkixTestErrorResult = PKIX_BuildChain
+                (procParams,
+                &nbioContext,
+                &buildState,
+                &buildResult,
+                NULL,
+                plContext);
+
+        if (testValid == PKIX_TRUE) { /* ENE */
+                if (pkixTestErrorResult){
+                        (void) printf("UNEXPECTED RESULT RECEIVED!\n");
+                } else {
+                        (void) printf("EXPECTED RESULT RECEIVED!\n");
+                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                }
+        } else { /* EE */
+                if (pkixTestErrorResult){
+                        (void) printf("EXPECTED RESULT RECEIVED!\n");
+                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+                } else {
+                        testError("UNEXPECTED RESULT RECEIVED");
+                }
+        }
+
+        if (buildResult){
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_BuildResult_GetCertChain
+                        (buildResult, &certs, NULL));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+                printf("\n");
+
+                for (i = 0; i < numCerts; i++){
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, plContext));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Object_Equals
+                        ((PKIX_PL_Object*)certs,
+                        (PKIX_PL_Object*)expectedCerts,
+                        &result,
+                        plContext));
+
+                if (!result){
+                        testError("BUILT CERTCHAIN IS "
+                                    "NOT THE ONE THAT WAS EXPECTED");
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)certs,
+                                &actualCertsString,
+                                plContext));
+
+                        actualCertsAscii = PKIX_String2ASCII
+                                (actualCertsString, plContext);
+                        if (actualCertsAscii == NULL){
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Object_ToString
+                                ((PKIX_PL_Object *)expectedCerts,
+                                &expectedCertsString,
+                                plContext));
+
+                        expectedCertsAscii = PKIX_String2ASCII
+                                (expectedCertsString, plContext);
+                        if (expectedCertsAscii == NULL){
+                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                                goto cleanup;
+                        }
+
+                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
+                        (void) printf("Expected value:\t%s\n",
+                                        expectedCertsAscii);
+
+                        if (chainLength - 1 != numUserCheckerCalled) {
+                                pkixTestErrorMsg =
+                                    "PKIX user defined checker not called";
+                        }
+
+                        goto cleanup;
+                }
+
+        }
+
+cleanup:
+        PKIX_PL_Free(asciiResult, plContext);
+        PKIX_PL_Free(actualCertsAscii, plContext);
+        PKIX_PL_Free(expectedCertsAscii, plContext);
+
+        PKIX_TEST_DECREF_AC(actualCertsString);
+        PKIX_TEST_DECREF_AC(expectedCertsString);
+        PKIX_TEST_DECREF_AC(expectedCerts);
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(certStores);
+        PKIX_TEST_DECREF_AC(dirNameString);
+        PKIX_TEST_DECREF_AC(trustedCert);
+        PKIX_TEST_DECREF_AC(targetCert);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(buildResult);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(userOIDs);
+        PKIX_TEST_DECREF_AC(checker);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BuildChain_UserChecker");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c b/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c
new file mode 100644
index 000000000..fed86f278
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c
@@ -0,0 +1,497 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_customcrlchecker.c
+ *
+ * Test Custom CRL Checking
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 5
+
+static void *plContext = NULL;
+char *dirName = NULL; /* also used in callback */
+
+static
+void printUsage1(char *pName){
+        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
+        printf("cert [certs].\n");
+}
+
+static
+void printUsageMax(PKIX_UInt32 numCerts){
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+static PKIX_Error *
+getCRLCallback(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *crlSelector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        char *crlFileNames[] = {"chem.crl",
+                                "phys.crl",
+                                "prof.crl",
+                                "sci.crl",
+                                "test.crl",
+                                0 };
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_List *crlList = NULL;
+        PKIX_UInt32 i = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&crlList, plContext));
+
+        while (crlFileNames[i]) {
+
+                crl = createCRL(dirName, crlFileNames[i++], plContext);
+
+                if (crl != NULL) {
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                (crlList, (PKIX_PL_Object *)crl, plContext));
+
+                        PKIX_TEST_DECREF_BC(crl);
+                }
+        }
+
+        *pCrlList = crlList;
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (0); /* this function is called by libpkix */
+
+}
+
+static PKIX_Error *
+getCRLContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *crlSelector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        return (NULL);
+}
+
+static PKIX_Error *
+getCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *certSelector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        return (NULL);
+}
+
+static PKIX_Error *
+getCertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *certSelector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        return (NULL);
+}
+
+static PKIX_Error *
+testCRLSelectorMatchCallback(
+        PKIX_CRLSelector *selector,
+        PKIX_PL_CRL *crl,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
+        PKIX_List *issuerList = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        PKIX_PL_X500Name *crlIssuer = NULL;
+        PKIX_UInt32 numIssuers = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Error *error = NULL;
+        char *errorText = "Not an error, CRL Select mismatch";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Custom_Selector_MatchCallback");
+
+        if (selector != NULL) {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_CRLSelector_GetCommonCRLSelectorParams
+                        (selector, &comCrlSelParams, plContext));
+        }
+
+        if (crl != NULL) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer
+                        (crl, &crlIssuer, plContext));
+        }
+
+        if (comCrlSelParams != NULL) {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_ComCRLSelParams_GetIssuerNames
+                        (comCrlSelParams, &issuerList, plContext));
+        }
+
+        if (issuerList != NULL) {
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                    (issuerList, &numIssuers, plContext));
+
+                for (i = 0; i < numIssuers; i++){
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                    (issuerList,
+                                    i, (PKIX_PL_Object **)&issuer,
+                                    plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)crlIssuer,
+                                    (PKIX_PL_Object *)issuer,
+                                    &result,
+                                    plContext));
+
+                        if (result != PKIX_TRUE) {
+                                break;
+                        }
+
+                        if (i == numIssuers-1) {
+
+                                PKIX_TEST_EXPECT_NO_ERROR
+                                        (PKIX_Error_Create
+                                        (0,
+                                        NULL,
+                                        NULL,
+                                        PKIX_TESTNOTANERRORCRLSELECTMISMATCH,
+                                        &error,
+                                        plContext));
+
+                                PKIX_TEST_DECREF_AC(issuer);
+                                issuer = NULL;
+                                break;
+                        }
+
+                        PKIX_TEST_DECREF_AC(issuer);
+
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(comCrlSelParams);
+        PKIX_TEST_DECREF_AC(crlIssuer);
+        PKIX_TEST_DECREF_AC(issuer);
+        PKIX_TEST_DECREF_AC(issuerList);
+
+        PKIX_TEST_RETURN();
+
+        return (error);
+
+}
+
+static PKIX_Error *
+testAddIssuerName(PKIX_ComCRLSelParams *comCrlSelParams, char *issuerName)
+{
+        PKIX_PL_String *issuerString = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        PKIX_UInt32 length = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ComCRLSelParams_AddIssuerName");
+
+        length = PL_strlen(issuerName);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_UTF8,
+                                    issuerName,
+                                    length,
+                                    &issuerString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerString,
+                                    &issuer,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
+                                    (comCrlSelParams, issuer, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(issuerString);
+        PKIX_TEST_DECREF_AC(issuer);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+static PKIX_Error *
+testCustomCertStore(PKIX_ValidateParams *valParams)
+{
+        PKIX_CertStore_CRLCallback crlCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        char *issuerName1 = "cn=science,o=mit,c=us";
+        char *issuerName2 = "cn=physics,o=mit,c=us";
+        char *issuerName3 = "cn=prof noall,o=mit,c=us";
+        char *issuerName4 = "cn=testing CRL,o=test,c=us";
+        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+        PKIX_List *crlList = NULL;
+        PKIX_UInt32 numCrl = 0;
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CollectionCertStore_Create");
+
+        /* Create CRLSelector, link in CollectionCertStore */
+
+        subTest("PKIX_ComCRLSelParams_AddIssuerNames");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                                    (&comCrlSelParams, plContext));
+
+
+        testAddIssuerName(comCrlSelParams, issuerName1);
+        testAddIssuerName(comCrlSelParams, issuerName2);
+        testAddIssuerName(comCrlSelParams, issuerName3);
+        testAddIssuerName(comCrlSelParams, issuerName4);
+
+
+        subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                                    (testCRLSelectorMatchCallback,
+                                    NULL,
+                                    &crlSelector,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams
+                                    (crlSelector, comCrlSelParams, plContext));
+
+        /* Create CertStore, link in CRLSelector */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                                    (valParams, &procParams, plContext));
+
+        subTest("PKIX_CertStore_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create
+                                    (getCertCallback,
+                                    getCRLCallback,
+                                    getCertContinue,
+                                    getCRLContinue,
+                                    NULL,       /* trustCallback */
+                                    (PKIX_PL_Object *)crlSelector, /* fake */
+                                    PKIX_FALSE, /* cacheFlag */
+                                    PKIX_TRUE,  /* localFlag */
+                                    &certStore,
+                                    plContext));
+
+
+        subTest("PKIX_ProcessingParams_AddCertStore");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
+                                    (procParams, certStore, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                                    (procParams, PKIX_TRUE, plContext));
+
+        subTest("PKIX_CertStore_GetCRLCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+                                    (certStore,
+                                    &crlCallback,
+                                    NULL));
+
+        subTest("Getting CRL by CRL Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(crlCallback
+                                    (certStore,
+                                    crlSelector,
+                                    &nbioContext,
+                                    &crlList,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (crlList,
+                                    &numCrl,
+                                    plContext));
+
+        if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) {
+                pkixTestErrorMsg = "unexpected CRL number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(crlList);
+        PKIX_TEST_DECREF_AC(comCrlSelParams);
+        PKIX_TEST_DECREF_AC(crlSelector);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+/*
+ * Validate Certificate Chain with Certificate Revocation List
+ *      Certificate Chain is built based on input certs' sequence.
+ *      CRL is fetched from the directory specified in CollectionCertStore.
+ *      while CollectionCertStore is linked in CertStore Object which then
+ *      linked in ProcessParam. During validation, CRLChecker will invoke
+ *      the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL)
+ *      to get CRL data for revocation check.
+ *      This test set criteria in CRLSelector which is linked in
+ *      CommonCRLSelectorParam. When CRL data is fetched into cache for
+ *      revocation check, CRL's are filtered based on the criteria set.
+ */
+
+int test_customcrlchecker(int argc, char *argv[]){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        char *anchorName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        startTests("CRL Checker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        chainLength = (argc - j) - 5;
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+        }
+
+        for (i = 0; i < chainLength; i++) {
+
+                certNames[i] = argv[(5 + j) +i];
+                certs[i] = NULL;
+        }
+
+        dirName = argv[3+j];
+
+        subTest(argv[1+j]);
+
+        subTest("Custom-CRL-Checker - Create Cert Chain");
+
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        subTest("Custom-CRL-Checker - Create Params");
+
+        anchorName = argv[4+j];
+
+        valParams = createValidateParams
+                (dirName,
+                anchorName,
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("Custom-CRL-Checker - Set Processing Params for CertStore");
+
+        testCustomCertStore(valParams);
+
+        subTest("Custom-CRL-Checker - Validate Chain");
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CRL Checker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c b/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c
new file mode 100644
index 000000000..dc763a1d3
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c
@@ -0,0 +1,274 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_defaultcrlchecker2stores.c
+ *
+ * Test Default CRL with multiple CertStore Checking
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+
+static void *plContext = NULL;
+
+static
+void printUsage1(char *pName){
+        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
+        printf("crl-directory cert [certs].\n");
+}
+
+static
+void printUsageMax(PKIX_UInt32 numCerts){
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+static PKIX_Error *
+getCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *certSelector,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        return (NULL);
+}
+
+static PKIX_Error *
+testDefaultMultipleCertStores(PKIX_ValidateParams *valParams,
+                        char *crlDir1,
+                        char *crlDir2)
+{
+        PKIX_PL_String *dirString1 = NULL;
+        PKIX_PL_String *dirString2 = NULL;
+        PKIX_CertStore *certStore1 = NULL;
+        PKIX_CertStore *certStore2 = NULL;
+        PKIX_List *certStoreList = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CollectionCertStore_Create");
+
+        /* Create CollectionCertStore */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    crlDir1,
+                                    0,
+                                    &dirString1,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirString1,
+                                    &certStore1,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    crlDir2,
+                                    0,
+                                    &dirString2,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirString2,
+                                    &certStore2,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                                    (valParams, &procParams, plContext));
+
+        /* Add multiple CollectionCertStores */
+
+        subTest("PKIX_ProcessingParams_SetCertStores");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStoreList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                    (certStoreList, (PKIX_PL_Object *)certStore1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                    (procParams, certStoreList, plContext));
+
+        subTest("PKIX_ProcessingParams_AddCertStore");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
+                    (procParams, certStore2, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                                    (procParams, PKIX_TRUE, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString1);
+        PKIX_TEST_DECREF_AC(dirString2);
+        PKIX_TEST_DECREF_AC(certStore1);
+        PKIX_TEST_DECREF_AC(certStore2);
+        PKIX_TEST_DECREF_AC(certStoreList);
+        PKIX_TEST_DECREF_AC(procParams);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+/*
+ * Validate Certificate Chain with Certificate Revocation List
+ *      Certificate Chain is build based on input certs' sequence.
+ *      CRL is fetched from the directory specified in CollectionCertStore.
+ *      while CollectionCertStore is linked in CertStore Object which then
+ *      linked in ProcessParam. During validation, CRLChecker will invoke
+ *      the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL)
+ *      to get CRL data for revocation check.
+ *      This test gets CRL's from two CertStores, each has a valid CRL
+ *      required for revocation check to pass.
+ */
+
+int test_defaultcrlchecker2stores(int argc, char *argv[]){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        char *dirName = NULL;
+        char *anchorName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 6) {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        startTests("CRL Checker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        chainLength = (argc - j) - 7;
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+        }
+
+        for (i = 0; i < chainLength; i++) {
+
+                certNames[i] = argv[(7+j)+i];
+                certs[i] = NULL;
+        }
+
+
+        subTest(argv[1+j]);
+
+        subTest("Default-CRL-Checker");
+
+        subTest("Default-CRL-Checker - Create Cert Chain");
+
+        dirName = argv[3+j];
+
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        subTest("Default-CRL-Checker - Create Params");
+
+        anchorName = argv[6+j];
+
+        valParams = createValidateParams
+                (dirName,
+                anchorName,
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("Multiple-CertStores");
+
+        testDefaultMultipleCertStores(valParams, argv[4+j], argv[5+j]);
+
+        subTest("Default-CRL-Checker - Validate Chain");
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(chain);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CRL Checker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_ocsp.c b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
new file mode 100644
index 000000000..4a4d9fe59
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
@@ -0,0 +1,349 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_ocspchecker.c
+ *
+ * Test OcspChecker function
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+        (void) printf("\nUSAGE:\nOcspChecker -d <certStoreDirectory> TestName "
+                      "[ENE|EE] <certLocationDirectory> <trustedCert> "
+                      "<targetCert>\n\n");
+        (void) printf
+                ("Validates a chain of certificates between "
+                "<trustedCert> and <targetCert>\n"
+                "using the certs and CRLs in <certLocationDirectory> and "
+                "pkcs11 db from <certStoreDirectory>. "
+                "If ENE is specified,\n"
+                "then an Error is Not Expected. "
+                "If EE is specified, an Error is Expected.\n");
+}
+
+static
+char *createFullPathName(
+        char *dirName,
+        char *certFile,
+        void *plContext)
+{
+        PKIX_UInt32 certFileLen;
+        PKIX_UInt32 dirNameLen;
+        char *certPathName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certFileLen = PL_strlen(certFile);
+        dirNameLen = PL_strlen(dirName);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (dirNameLen + certFileLen + 2,
+                (void **)&certPathName,
+                plContext));
+
+        PL_strcpy(certPathName, dirName);
+        PL_strcat(certPathName, "/");
+        PL_strcat(certPathName, certFile);
+        printf("certPathName = %s\n", certPathName);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (certPathName);
+}
+
+static PKIX_Error *
+testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_Date *validity = NULL; 
+        PKIX_List *revCheckers = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+	PKIX_PL_Object *revCheckerContext = NULL;
+        PKIX_OcspChecker *ocspChecker = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CollectionCertStoreContext_Create");
+
+        /* Create CollectionCertStore */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        /* Create CertStore */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (valParams, &procParams, plContext));
+
+        subTest("PKIX_ProcessingParams_AddCertStore");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
+                (procParams, certStore, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_FALSE, plContext));
+
+        /* create current Date */
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
+                (PR_Now(), &validity, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        /* create revChecker */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize
+                (validity,
+                NULL,        /* pwArg */
+                NULL,        /* Use default responder */
+                &revChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_GetRevCheckerContext
+                (revChecker, &revCheckerContext, plContext));
+
+        /* Check that this object is a ocsp checker */
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType
+                    (revCheckerContext, PKIX_OCSPCHECKER_TYPE, plContext));
+
+        ocspChecker = (PKIX_OcspChecker *)revCheckerContext;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_SetVerifyFcn
+                (ocspChecker,
+                PKIX_PL_OcspResponse_UseBuildChain,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(revChecker);
+        PKIX_TEST_DECREF_AC(ocspChecker);
+        PKIX_TEST_DECREF_AC(validity);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+int test_ocsp(int argc, char *argv[]){
+
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        PKIX_List *chainCerts = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        char *dirCertName = NULL;
+        char *anchorCertName = NULL;
+        char *dirName = NULL;
+        char *databaseDir = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("OcspChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        subTest(argv[1+j]);
+
+        dirName = argv[3+j];
+
+        chainLength = argc - j - 5;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
+
+        for (k = 0; k < chainLength; k++) {
+
+                dirCert = createCert(dirName, argv[5+k+j], plContext);
+
+                if (k == 0) {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                                ((PKIX_PL_Object *)dirCert, plContext));
+                        targetCert = dirCert;
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        /* create processing params with list of trust anchors */
+
+        anchorCertName = argv[4+j];
+        trustedCert = createCert(dirName, anchorCertName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                (trustedCert, &anchor, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                (anchors, &procParams, plContext));
+
+        /* create CertSelector with target certificate in params */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
+                (procParams, chainCerts, &valParams, plContext));
+
+        testDefaultCertStore(valParams, dirName);
+
+        pkixTestErrorResult = PKIX_ValidateChain
+                (valParams, &valResult, &verifyTree, plContext);
+
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+        } else {
+	        if (testValid == PKIX_TRUE) { /* ENE */
+        	        (void) printf("EXPECTED SUCCESSFUL VALIDATION!\n");
+	        } else { /* EE */
+        	        (void) printf("UNEXPECTED SUCCESSFUL VALIDATION!\n");
+	        }
+	}
+
+        subTest("Displaying VerifyTree");
+
+	if (verifyTree == NULL) {
+                (void) printf("VerifyTree is NULL\n");
+	} else {
+	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+        	    ((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
+                (void) printf("verifyTree is\n%s\n",
+                    verifyString->escAsciiString);
+                PKIX_TEST_DECREF_BC(verifyString);
+                PKIX_TEST_DECREF_BC(verifyTree);
+	}
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(chainCerts);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(trustedCert);
+        PKIX_TEST_DECREF_AC(targetCert);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("OcspChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_policychecker.c b/security/nss/cmd/libpkix/pkix/top/test_policychecker.c
new file mode 100644
index 000000000..e2593c81d
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_policychecker.c
@@ -0,0 +1,595 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_policychecker.c
+ *
+ * Test Policy Checking
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+
+static void *plContext = NULL;
+
+static
+void printUsage(char *testname) {
+        char *fmt =
+                "USAGE: %s testname"
+                " [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n"
+                "(The quotes are needed around the OID argument for dbx.)\n"
+                "(The optional arg A indicates initialAnyPolicyInhibit.)\n"
+                "(The optional arg E indicates initialExplicitPolicy.)\n"
+                "(The optional arg P indicates initialPolicyMappingInhibit.)\n";
+        printf(fmt, testname);
+}
+
+static
+void printUsageMax(PKIX_UInt32 numCerts)
+{
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+static
+PKIX_List *policySetParse(char *policyString)
+{
+        char *p = NULL;
+        char *oid = NULL;
+        char c = '\0';
+        PKIX_Boolean validString = PKIX_FALSE;
+        PKIX_PL_OID *plOID = NULL;
+        PKIX_List *policySet = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        p = policyString;
+
+        /*
+         * There may or may not be quotes around the initial-policy-set
+         * string. If they are omitted, dbx will strip off the curly braces.
+         * If they are included, dbx will strip off the quotes, but if you
+         * are running directly from a script, without dbx, the quotes will
+         * not be stripped. We need to be able to handle both cases.
+         */
+        if (*p == '"') {
+                p++;
+        }
+
+        if ('{' != *p++) {
+                return (NULL);
+        }
+        oid = p;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));
+
+        /* scan to the end of policyString */
+        while (!validString) {
+                /* scan to the end of the current OID string */
+                c = *oid;
+                while ((c != '\0') && (c != ':') && (c != '}')) {
+                        c = *++oid;
+                }
+
+                if ((c != ':') || (c != '}')) {
+                        *oid = '\0'; /* store a null terminator */
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                                (p, &plOID, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_AppendItem
+                                (policySet,
+                                (PKIX_PL_Object *)plOID,
+                                plContext));
+
+                        PKIX_TEST_DECREF_BC(plOID);
+                        plOID = NULL;
+                        if (c == '}') {
+                                /*
+                                * Any exit but this one means
+                                * we were given a badly-formed string.
+                                */
+                                validString = PKIX_TRUE;
+                        }
+                        p = ++oid;
+                }
+        }
+
+
+cleanup:
+        if (!validString) {
+                PKIX_TEST_DECREF_AC(plOID);
+                PKIX_TEST_DECREF_AC(policySet);
+                policySet = NULL;
+        }
+
+        PKIX_TEST_RETURN();
+
+        return (policySet);
+}
+
+/*
+ * FUNCTION: treeToStringHelper
+ *  This function obtains the string representation of a PolicyNode
+ *  Tree and compares it to the expected value.
+ * PARAMETERS:
+ *  "parent" - a PolicyNode, the root of a PolicyNodeTree;
+ *      must be non-NULL.
+ *  "expected" - the desired string.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads can safely call this function without worrying
+ *  about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Nothing.
+ */
+static void
+treeToStringHelper(PKIX_PolicyNode *parent, char *expected)
+{
+        PKIX_PL_String *stringRep = NULL;
+        char *actual = NULL;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object *)parent, &stringRep, plContext));
+
+        actual = PKIX_String2ASCII(stringRep, plContext);
+        if (actual == NULL){
+                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                goto cleanup;
+        }
+
+        if (PL_strcmp(actual, expected) != 0){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%s\n", actual);
+                (void) printf("Expected value:\t%s\n", expected);
+        }
+
+cleanup:
+
+        PKIX_PL_Free(actual, plContext);
+
+        PKIX_TEST_DECREF_AC(stringRep);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Basic-Common-Fields <pass>");
+        /*
+         * Tests the Expiration, NameChaining, and Signature Checkers
+         */
+
+        chain = createCertChain(dirName, goodInput, diffInput, plContext);
+
+        valParams = createValidateParams
+                (dirName,
+                goodInput,
+                diffInput,
+                dateAscii,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                                    (valParams, &valResult, NULL, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testNistTest1(char *dirName)
+{
+#define PKIX_TEST_NUM_CERTS     2
+        char *trustAnchor =
+                "TrustAnchorRootCertificate.crt";
+        char *intermediateCert =
+                "GoodCACert.crt";
+        char *endEntityCert =
+                "ValidCertificatePathTest1EE.crt";
+        char *certNames[PKIX_TEST_NUM_CERTS];
+        char *asciiAnyPolicy = "2.5.29.32.0";
+        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
+
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_List *chain = NULL;
+        PKIX_PL_OID *anyPolicyOID = NULL;
+        PKIX_List *initialPolicies = NULL;
+        char *anchorName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("testNistTest1: Creating the cert chain");
+        /*
+         * Create a chain, but don't include the first certName.
+         * That's the anchor, and is supplied separately from
+         * the chain.
+         */
+        certNames[0] = intermediateCert;
+        certNames[1] = endEntityCert;
+        chain = createCertChainPlus
+                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
+
+        subTest("testNistTest1: Creating the Validate Parameters");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (asciiAnyPolicy, &anyPolicyOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_Create(&initialPolicies, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
+                (initialPolicies, plContext));
+
+        valParams = createValidateParams
+                (dirName,
+                trustAnchor,
+                NULL,
+                NULL,
+                initialPolicies,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("testNistTest1: Validating the chain");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, NULL, plContext));
+
+
+cleanup:
+
+        PKIX_PL_Free(anchorName, plContext);
+
+        PKIX_TEST_DECREF_AC(anyPolicyOID);
+        PKIX_TEST_DECREF_AC(initialPolicies);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(chain);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testNistTest2(char *dirName)
+{
+#define PKIX_TEST_NUM_CERTS     2
+        char *trustAnchor =
+                "TrustAnchorRootCertificate.crt";
+        char *intermediateCert =
+                "GoodCACert.crt";
+        char *endEntityCert =
+                "ValidCertificatePathTest1EE.crt";
+        char *certNames[PKIX_TEST_NUM_CERTS];
+        char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
+        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
+
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_List *chain = NULL;
+        PKIX_PL_OID *Nist1PolicyOID = NULL;
+        PKIX_List *initialPolicies = NULL;
+        char *anchorName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("testNistTest2: Creating the cert chain");
+        /*
+         * Create a chain, but don't include the first certName.
+         * That's the anchor, and is supplied separately from
+         * the chain.
+         */
+        certNames[0] = intermediateCert;
+        certNames[1] = endEntityCert;
+        chain = createCertChainPlus
+                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
+
+        subTest("testNistTest2: Creating the Validate Parameters");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                (asciiNist1Policy, &Nist1PolicyOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_Create(&initialPolicies, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
+                (initialPolicies, plContext));
+
+        valParams = createValidateParams
+                (dirName,
+                trustAnchor,
+                NULL,
+                NULL,
+                initialPolicies,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("testNistTest2: Validating the chain");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, NULL, plContext));
+
+
+cleanup:
+
+        PKIX_PL_Free(anchorName, plContext);
+
+        PKIX_TEST_DECREF_AC(Nist1PolicyOID);
+        PKIX_TEST_DECREF_AC(initialPolicies);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(chain);
+
+        PKIX_TEST_RETURN();
+}
+
+static void printValidPolicyTree(PKIX_ValidateResult *valResult)
+{
+        PKIX_PolicyNode* validPolicyTree = NULL;
+        PKIX_PL_String *treeString = NULL;
+
+        PKIX_TEST_STD_VARS();
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
+                (valResult, &validPolicyTree, plContext));
+        if (validPolicyTree) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object*)validPolicyTree,
+                        &treeString,
+                        plContext));
+                (void) printf("validPolicyTree is\n\t%s\n",
+                        treeString->escAsciiString);
+        } else {
+                (void) printf("validPolicyTree is NULL\n");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(validPolicyTree);
+        PKIX_TEST_DECREF_AC(treeString);
+
+        PKIX_TEST_RETURN();
+}
+
+int test_policychecker(int argc, char *argv[])
+{
+
+        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+        PKIX_Boolean expectedResult = PKIX_FALSE;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 initArgs = 0;
+        PKIX_UInt32 firstCert = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Int32  j = 0;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_ProcessingParams *procParams = NULL;
+        char *firstTrustAnchor = "yassir2yassir";
+        char *secondTrustAnchor = "yassir2bcn";
+        char *dateAscii = "991201000000Z";
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+        PKIX_List *chain = NULL;
+        PKIX_Error *validationError = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        char *dirName = NULL;
+        char *dataCentralDir = NULL;
+        char *anchorName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /*
+         * Perform hard-coded tests if no command line args.
+         * If command line args are provided, they must be:
+         * arg[1]: test name
+         * arg[2]: "ENE" or "EE", for "expect no error" or "expect error"
+         * arg[3]: directory for certificates
+         * arg[4]: user-initial-policy-set, consisting of braces
+         *      containing zero or more OID sequences, separated by commas
+         * arg[5]: (optional) "E", indicating initialExplicitPolicy
+         * arg[firstCert]: the path and filename of the trust anchor certificate
+         * arg[firstCert+1..(n-1)]: successive certificates in the chain
+         * arg[n]: the end entity certificate
+         *
+         * Example: test_policychecker test1EE ENE
+         *      {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity
+         */
+
+        dirName = argv[3+j];
+        dataCentralDir = argv[4+j];
+
+        if (argc <= 5 || ((6 == argc) && (j))) {
+
+                testPass
+                    (dataCentralDir,
+                    firstTrustAnchor,
+                    secondTrustAnchor,
+                    dateAscii);
+
+                testNistTest1(dirName);
+
+                testNistTest2(dirName);
+
+                goto cleanup;
+        }
+
+        if (argc < (7 + j)) {
+                printUsage(argv[0]);
+                pkixTestErrorMsg = "Invalid command line arguments.";
+                goto cleanup;
+        }
+
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                expectedResult = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                expectedResult = PKIX_FALSE;
+        } else {
+                printUsage(argv[0]);
+                pkixTestErrorMsg = "Invalid command line arguments.";
+                goto cleanup;
+        }
+
+        userInitialPolicySet = policySetParse(argv[5+j]);
+        if (!userInitialPolicySet) {
+                printUsage(argv[0]);
+                pkixTestErrorMsg = "Invalid command line arguments.";
+                goto cleanup;
+        }
+
+        for (initArgs = 0; initArgs < 3; initArgs++) {
+                if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) {
+                        initialAnyPolicyInhibit = PKIX_TRUE;
+                } else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) {
+                        initialExplicitPolicy = PKIX_TRUE;
+                } else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) {
+                        initialPolicyMappingInhibit = PKIX_TRUE;
+                } else {
+                        break;
+                }
+        }
+
+        firstCert = initArgs + j + 6;
+        chainLength = argc - (firstCert + 1);
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+                pkixTestErrorMsg = "Invalid command line arguments.";
+                goto cleanup;
+        }
+
+        /*
+         * Create a chain, but don't include the first certName.
+         * That's the anchor, and is supplied separately from
+         * the chain.
+         */
+        for (i = 0; i < chainLength; i++) {
+
+                certNames[i] = argv[i + (firstCert + 1)];
+                certs[i] = NULL;
+        }
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        subTest(argv[1+j]);
+
+        valParams = createValidateParams
+                (dirName,
+                argv[firstCert],
+                NULL,
+                NULL,
+                userInitialPolicySet,
+                initialPolicyMappingInhibit,
+                initialAnyPolicyInhibit,
+                initialExplicitPolicy,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        if (expectedResult == PKIX_TRUE) {
+                subTest("   (expecting successful validation)");
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+
+                printValidPolicyTree(valResult);
+
+        } else {
+                subTest("   (expecting validation to fail)");
+                validationError = PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext);
+                if (!validationError) {
+                        printValidPolicyTree(valResult);
+                        pkixTestErrorMsg = "Should have thrown an error here.";
+                }
+                PKIX_TEST_DECREF_BC(validationError);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
+cleanup:
+
+        PKIX_PL_Free(anchorName, plContext);
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(userInitialPolicySet);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(validationError);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("PolicyChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c
new file mode 100644
index 000000000..ceeddab67
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c
@@ -0,0 +1,299 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_subjaltnamechecker.c
+ *
+ * Test Subject Alternative Name Checking
+ *
+ */
+
+/*
+ * There is no subjaltnamechecker. Instead, targetcertchecker is doing
+ * the job for checking subject alternative names' validity. For testing,
+ * in order to enter names with various type, we create this test excutable
+ * to parse different scenario.
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+
+static void *plContext = NULL;
+
+static
+void printUsage1(char *pName){
+        printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
+        printf("cert [certs].\n");
+}
+
+static
+void printUsage2(char *name) {
+        printf("\ninvalid test-name syntax - %s", name);
+        printf("\ntest-name syntax: [01][DNORU]:<name>+...");
+        printf("\n             [01] 1 - match all; 0 - match one");
+        printf("\n    name - type can be specified as");
+        printf("\n          [DNORU] D-Directory name");
+        printf("\n                  N-DNS name");
+        printf("\n                  O-OID name");
+        printf("\n                  R-RFC822 name");
+        printf("\n                  U-URI name");
+        printf("\n                + separator for more names\n\n");
+}
+
+static
+void printUsageMax(PKIX_UInt32 numCerts){
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+static
+PKIX_UInt32 getNameType(char *name){
+        PKIX_UInt32 nameType;
+
+        PKIX_TEST_STD_VARS();
+
+        switch (*name) {
+        case 'D':
+                nameType = PKIX_DIRECTORY_NAME;
+                break;
+        case 'N':
+                nameType = PKIX_DNS_NAME;
+                break;
+        case 'O':
+                nameType = PKIX_OID_NAME;
+                break;
+        case 'R':
+                nameType = PKIX_RFC822_NAME;
+                break;
+        case 'U':
+                nameType = PKIX_URI_NAME;
+                break;
+        default:
+                printUsage2(name);
+                nameType = 0xFFFF;
+        }
+
+        goto cleanup;
+
+cleanup:
+        PKIX_TEST_RETURN();
+        return (nameType);
+}
+
+int test_subjaltnamechecker(int argc, char *argv[]){
+
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *selParams = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        char *nameStr;
+        char *nameEnd;
+        char *names[PKIX_TEST_MAX_CERTS];
+        PKIX_UInt32 numNames = 0;
+        PKIX_UInt32 nameType;
+        PKIX_Boolean matchAll = PKIX_TRUE;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        char *dirName = NULL;
+        char *anchorName = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        startTests("SubjAltNameConstraintChecker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+	j++; /* skip test-purpose string */
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        /* taking out leading and trailing ", if any */
+        nameStr = argv[1+j];
+        subTest(nameStr);
+        if (*nameStr == '"'){
+                nameStr++;
+                nameEnd = nameStr;
+                while (*nameEnd != '"' && *nameEnd != '\0') {
+                        nameEnd++;
+                }
+                *nameEnd = '\0';
+        }
+
+        /* extract first [0|1] inidcating matchAll or not */
+        matchAll = (*nameStr == '0')?PKIX_FALSE:PKIX_TRUE;
+        nameStr++;
+
+        numNames = 0;
+        while (*nameStr != '\0') {
+                names[numNames++] = nameStr;
+                while (*nameStr != '+' && *nameStr != '\0') {
+                        nameStr++;
+                }
+                if (*nameStr == '+') {
+                        *nameStr = '\0';
+                        nameStr++;
+                }
+        }
+
+        chainLength = (argc - j) - 4;
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+        }
+
+        for (i = 0; i < chainLength; i++) {
+                certNames[i] = argv[(4+j)+i];
+                certs[i] = NULL;
+        }
+
+        /* SubjAltName for validation */
+
+        subTest("Add Subject Alt Name for NameConstraint checking");
+
+        subTest("Create Selector and ComCertSelParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&selParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, selParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+                (selParams, matchAll, plContext));
+
+        subTest("PKIX_ComCertSelParams_AddSubjAltName(s)");
+        for (i = 0; i < numNames; i++) {
+                nameType = getNameType(names[i]);
+                if (nameType == 0xFFFF) {
+                        return (0);
+                }
+                nameStr = names[i] + 2;
+                name = createGeneralName(nameType, nameStr, plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
+                        (selParams, name, plContext));
+                PKIX_TEST_DECREF_BC(name);
+        }
+
+        subTest("SubjAltName-Constraints - Create Cert Chain");
+
+        dirName = argv[3+j];
+
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        subTest("SubjAltName-Constraints - Create Params");
+
+        valParams = createValidateParams
+                (dirName,
+                argv[4+j],
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("PKIX_ValidateParams_getProcessingParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (valParams, &procParams, plContext));
+
+        subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, selector, plContext));
+
+        subTest("Subject Alt Name - Validate Chain");
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        }
+
+cleanup:
+
+        PKIX_PL_Free(anchorName, plContext);
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(selector);
+        PKIX_TEST_DECREF_AC(selParams);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(name);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("SubjAltNameConstraintsChecker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain.c
new file mode 100644
index 000000000..196c345ad
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain.c
@@ -0,0 +1,265 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_validatechain.c
+ *
+ * Test ValidateChain function
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+        (void) printf("\nUSAGE:\nvalidateChain TestName [ENE|EE] "
+                    "<certStoreDirectory> <trustedCert> <targetCert>\n\n");
+        (void) printf
+                ("Validates a chain of certificates between "
+                "<trustedCert> and <targetCert>\n"
+                "using the certs and CRLs in <certStoreDirectory>. "
+                "If ENE is specified,\n"
+                "then an Error is Not Expected. "
+                "If EE is specified, an Error is Expected.\n");
+}
+
+static
+char *createFullPathName(
+        char *dirName,
+        char *certFile,
+        void *plContext)
+{
+        PKIX_UInt32 certFileLen;
+        PKIX_UInt32 dirNameLen;
+        char *certPathName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certFileLen = PL_strlen(certFile);
+        dirNameLen = PL_strlen(dirName);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (dirNameLen + certFileLen + 2,
+                (void **)&certPathName,
+                plContext));
+
+        PL_strcpy(certPathName, dirName);
+        PL_strcat(certPathName, "/");
+        PL_strcat(certPathName, certFile);
+        printf("certPathName = %s\n", certPathName);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (certPathName);
+}
+
+static PKIX_Error *
+testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_Date *validity = NULL; 
+        PKIX_List *revCheckers = NULL;
+        PKIX_RevocationChecker *ocspChecker = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CollectionCertStoreContext_Create");
+
+        /* Create CollectionCertStore */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (dirString, &certStore, plContext));
+
+        /* Create CertStore */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (valParams, &procParams, plContext));
+
+        subTest("PKIX_ProcessingParams_AddCertStore");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
+                (procParams, certStore, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_TRUE, plContext));
+
+        /* create current Date */
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
+                (PR_Now(), &validity, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+        /* create revChecker */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize
+                (validity,
+                NULL,        /* pwArg */
+                NULL,        /* Use default responder */
+                &ocspChecker,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (revCheckers, (PKIX_PL_Object *)ocspChecker, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
+                (procParams, revCheckers, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(revCheckers);
+        PKIX_TEST_DECREF_AC(ocspChecker);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+int test_validatechain(int argc, char *argv[]){
+
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        PKIX_List *chainCerts = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+        char *dirCertName = NULL;
+        char *anchorCertName = NULL;
+        char *dirName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("ValidateChain");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        subTest(argv[1+j]);
+
+        dirName = argv[3+j];
+
+        chainLength = argc - j - 5;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
+
+        for (k = 0; k < chainLength; k++) {
+
+                dirCert = createCert(dirName, argv[5+k+j], plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        valParams = createValidateParams
+                (dirName,
+                argv[4+j],
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chainCerts,
+                plContext);
+
+        testDefaultCertStore(valParams, dirName);
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                        (valParams, &valResult, &verifyTree, plContext));
+        }
+
+        subTest("Displaying VerifyNode objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+
+        PKIX_TEST_DECREF_AC(chainCerts);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ValidateChain");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
new file mode 100644
index 000000000..5dd5ca0c8
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
@@ -0,0 +1,402 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_validatechain_NB.c
+ *
+ * Test ValidateChain (nonblocking I/O) function
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+        (void) printf("\nUSAGE:\ntest_validateChain_NB TestName [ENE|EE] "
+                    "<certStoreDirectory> <trustedCert> <targetCert>\n\n");
+        (void) printf
+                ("Validates a chain of certificates between "
+                "<trustedCert> and <targetCert>\n"
+                "using the certs and CRLs in <certStoreDirectory>. "
+                "If ENE is specified,\n"
+                "then an Error is Not Expected. "
+                "If EE is specified, an Error is Expected.\n");
+}
+
+static
+char *createFullPathName(
+        char *dirName,
+        char *certFile,
+        void *plContext)
+{
+        PKIX_UInt32 certFileLen;
+        PKIX_UInt32 dirNameLen;
+        char *certPathName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certFileLen = PL_strlen(certFile);
+        dirNameLen = PL_strlen(dirName);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (dirNameLen + certFileLen + 2,
+                (void **)&certPathName,
+                plContext));
+
+        PL_strcpy(certPathName, dirName);
+        PL_strcat(certPathName, "/");
+        PL_strcat(certPathName, certFile);
+        printf("certPathName = %s\n", certPathName);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (certPathName);
+}
+
+static PKIX_Error *
+testSetupCertStore(PKIX_ValidateParams *valParams, char *ldapName)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CollectionCertStoreContext_Create");
+
+        /* Create LDAPCertStore */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
+                (ldapName,
+                0,      /* timeout */
+                NULL,   /* bindPtr */
+                &ldapClient,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
+                ((PKIX_PL_LdapClient *)ldapClient,
+                &certStore,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                (valParams, &procParams, plContext));
+
+        subTest("PKIX_ProcessingParams_AddCertStore");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
+                (procParams, certStore, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                (procParams, PKIX_TRUE, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(ldapClient);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+static char *levels[] = {
+        "None", "Fatal Error", "Error", "Warning", "Debug", "Trace"
+};
+
+static PKIX_Error *loggerCallback(
+        PKIX_Logger *logger,
+        PKIX_PL_String *message,
+        PKIX_UInt32 logLevel,
+        PKIX_ERRORCLASS logComponent,
+        void *plContext)
+{
+#define resultSize 150
+        char *msg = NULL;
+        char result[resultSize];
+
+        PKIX_TEST_STD_VARS();
+
+        msg = PKIX_String2ASCII(message, plContext);
+        PR_snprintf(result, resultSize,
+            "Logging %s (%s): %s",
+	    levels[logLevel],
+	    PKIX_ERRORCLASSNAMES[logComponent],
+	    msg);
+        subTest(result);
+
+cleanup:
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
+        PKIX_TEST_RETURN();
+}
+
+static
+void testLogErrors(
+	PKIX_ERRORCLASS module,
+	PKIX_UInt32 loggingLevel,
+        PKIX_List *loggers,
+	void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+        PKIX_PL_String *component = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
+                (loggerCallback, NULL, &logger, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
+                (logger, module, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
+                (logger, loggingLevel, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (loggers, (PKIX_PL_Object *) logger, plContext));
+
+cleanup:
+        PKIX_TEST_DECREF_AC(logger);
+        PKIX_TEST_DECREF_AC(component);
+
+        PKIX_TEST_RETURN();
+}
+
+int test_validatechain_NB(int argc, char *argv[]){
+
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 k = 0;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_Boolean testValid = PKIX_TRUE;
+        PKIX_List *chainCerts = NULL;
+        PKIX_PL_Cert *dirCert = NULL;
+        char *dirCertName = NULL;
+        char *anchorCertName = NULL;
+        char *dirName = NULL;
+        PKIX_UInt32 certIndex = 0;
+        PKIX_UInt32 anchorIndex = 0;
+        PKIX_UInt32 checkerIndex = 0;
+        PKIX_Boolean revChecking = PKIX_FALSE;
+        PKIX_List *checkers = NULL;
+        PRPollDesc *pollDesc = NULL;
+        PRErrorCode errorCode = 0;
+        PKIX_PL_Socket *socket = NULL;
+        char *ldapName = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        PKIX_List *loggers = NULL;
+        PKIX_Logger *logger = NULL;
+        char *logging = NULL;
+        PKIX_PL_String *component = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage();
+                return (0);
+        }
+
+        startTests("ValidateChain_NB");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage();
+                return (0);
+        }
+
+        subTest(argv[1+j]);
+
+        dirName = argv[3+j];
+
+        chainLength = argc - j - 5;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
+
+        for (k = 0; k < chainLength; k++){
+
+                dirCert = createCert(dirName, argv[5+k+j], plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_AppendItem
+                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
+
+                PKIX_TEST_DECREF_BC(dirCert);
+        }
+
+        valParams = createValidateParams
+                (dirName,
+                argv[4+j],
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chainCerts,
+                plContext);
+
+        ldapName = PR_GetEnv("LDAP");
+        /* Is LDAP set in the environment? */
+        if ((ldapName == NULL) || (*ldapName == '\0')) {
+                testError("LDAP not set in environment");
+                goto cleanup;
+        }
+
+        pkixTestErrorResult = pkix_pl_Socket_CreateByName
+                (PKIX_FALSE,       /* isServer */
+                PR_SecondsToInterval(30), /* try 30 secs for connect */
+                ldapName,
+                &errorCode,
+                &socket,
+                plContext);
+
+        if (pkixTestErrorResult != NULL) {
+                PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)pkixTestErrorResult, plContext);
+                pkixTestErrorResult = NULL;
+                testError("Unable to connect to LDAP Server");
+                goto cleanup;
+        }
+
+        PKIX_TEST_DECREF_BC(socket);
+
+        testSetupCertStore(valParams, ldapName);
+
+        logging = PR_GetEnv("LOGGING");
+        /* Is LOGGING set in the environment? */
+        if ((logging != NULL) && (*logging != '\0')) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_Create(&loggers, plContext));
+
+		testLogErrors
+			(PKIX_VALIDATE_ERROR, 2, loggers, plContext);
+		testLogErrors
+			(PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext);
+		testLogErrors
+			(PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext);
+		testLogErrors
+			(PKIX_CERTSTORE_ERROR, 2, loggers, plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext));
+
+        }
+
+        pkixTestErrorResult = PKIX_ValidateChain_NB
+                (valParams,
+                &certIndex,
+                &anchorIndex,
+                &checkerIndex,
+                &revChecking,
+                &checkers,
+                (void **)&pollDesc,
+                &valResult,
+		&verifyTree,
+                plContext);
+
+        while (pollDesc != NULL) {
+
+                if (PR_Poll(pollDesc, 1, 0) < 0) {
+                        testError("PR_Poll failed");
+                }
+
+                pkixTestErrorResult = PKIX_ValidateChain_NB
+                        (valParams,
+                        &certIndex,
+                        &anchorIndex,
+                        &checkerIndex,
+                        &revChecking,
+                        &checkers,
+                        (void **)&pollDesc,
+                        &valResult,
+			&verifyTree,
+                        plContext);
+        }
+
+        if (pkixTestErrorResult) {
+                if (testValid == PKIX_FALSE) { /* EE */
+                        (void) printf("EXPECTED ERROR RECEIVED!\n");
+                } else { /* ENE */
+                        testError("UNEXPECTED ERROR RECEIVED");
+                }
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+        } else {
+
+	        if (testValid == PKIX_TRUE) { /* ENE */
+        	        (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+	        } else { /* EE */
+        	        (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+	        }
+        }
+
+cleanup:
+
+	if (verifyTree) {
+	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+        	    ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+	        (void) printf("verifyTree is\n%s\n",
+		    verifyString->escAsciiString);
+	}
+
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(checkers);
+        PKIX_TEST_DECREF_AC(chainCerts);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("ValidateChain_NB");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c
new file mode 100644
index 000000000..fc0c533fe
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c
@@ -0,0 +1,289 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * validateChainBasicConstraints.c
+ *
+ * Tests Cert Chain Validation
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+        printf("\nUSAGE: incorrect.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        void *buf = NULL;
+        PRFileDesc *inFile = NULL;
+        PKIX_UInt32 len;
+        SECItem certDER;
+        SECStatus rv;
+        /* default: NULL cert (failure case) */
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certDER.data = NULL;
+
+        inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                pkixTestErrorMsg = "Unable to open cert file";
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
+                                                (byteArray, &cert, plContext));
+
+                        SECITEM_FreeItem(&certDER, PR_FALSE);
+                } else {
+                        pkixTestErrorMsg = "Unable to read DER from cert file";
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+        }
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+
+        return (cert);
+}
+
+int test_validatechain_bc(int argc, char *argv[])
+{
+
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+
+        char *trustedCertFile = NULL;
+        char *chainCertFile = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *chainCert = NULL;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 actualMinorVersion;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 3){
+                printUsage();
+                return (0);
+        }
+
+        startTests("ValidateChainBasicConstraints");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        chainLength = (argc - j) - 2;
+
+        /* create processing params with list of trust anchors */
+        trustedCertFile = argv[1+j];
+        trustedCert = createCert(trustedCertFile);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
+                    (certSelParams, -1, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                                    (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_DECREF_BC(subject);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                    (trustedCert, &anchor, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                                    (anchors, &procParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                                    (procParams, PKIX_FALSE, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                    (PKIX_ProcessingParams_SetTargetCertConstraints
+                    (procParams, certSelector, plContext));
+
+        PKIX_TEST_DECREF_BC(certSelector);
+
+        /* create cert chain */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+        for (i = 0; i < chainLength; i++){
+                chainCertFile = argv[i + (2+j)];
+                chainCert = createCert(chainCertFile);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                        (certs, (PKIX_PL_Object *)chainCert, plContext));
+
+                PKIX_TEST_DECREF_BC(chainCert);
+        }
+
+        /* create validate params with processing params and cert chain */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
+                                    (procParams, certs, &valParams, plContext));
+
+
+        /* validate cert chain using processing params and return valResult */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, &verifyTree, plContext));
+
+        if (valResult != NULL){
+                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
+                printf("Cert Selector minimum path length to be -1\n");
+                PKIX_TEST_DECREF_BC(valResult);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+        PKIX_TEST_DECREF_BC(verifyString);
+        PKIX_TEST_DECREF_BC(verifyTree);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
+                    (certSelParams, 6, plContext));
+
+        /* validate cert chain using processing params and return valResult */
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                (valParams, &valResult, &verifyTree, plContext));
+
+        if (valResult != NULL){
+                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
+                printf("Cert Selector minimum path length to be 6\n");
+        }
+
+        PKIX_TEST_DECREF_BC(trustedCert);
+        PKIX_TEST_DECREF_BC(anchor);
+        PKIX_TEST_DECREF_BC(anchors);
+        PKIX_TEST_DECREF_BC(certs);
+        PKIX_TEST_DECREF_BC(procParams);
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                printf("FAILED TO VALIDATE\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+        PKIX_TEST_DECREF_AC(verifyString);
+        PKIX_TEST_DECREF_AC(verifyTree);
+
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(valParams);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        endTests("ValidateChainBasicConstraints");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/util/Makefile b/security/nss/cmd/libpkix/pkix/util/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/util/manifest.mn b/security/nss/cmd/libpkix/pkix/util/manifest.mn
new file mode 100755
index 000000000..f63ead6f4
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_error.c \
+	test_list.c \
+	test_list2.c \
+	test_logger.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolutil
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/util/test_error.c b/security/nss/cmd/libpkix/pkix/util/test_error.c
new file mode 100644
index 000000000..776c4bab1
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/test_error.c
@@ -0,0 +1,450 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_error.c
+ *
+ * Tests Error Object Creation, ToString, Callbacks and Destroy
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createErrors(
+        PKIX_Error **error,
+        PKIX_Error **error2,
+        PKIX_Error **error3,
+        PKIX_Error **error5,
+        PKIX_Error **error6,
+        PKIX_Error **error7,
+        char *infoChar)
+
+{
+        PKIX_PL_String *infoString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        infoChar,
+                                        PL_strlen(infoChar),
+                                        &infoString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                  (PKIX_MEM_ERROR,
+                                   NULL,
+                                   NULL,
+                                   PKIX_TESTANOTHERERRORMESSAGE,
+                                   error2,
+                                   plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                    (PKIX_OBJECT_ERROR,
+                                    *error2,
+                                    (PKIX_PL_Object*)infoString,
+                                     PKIX_TESTERRORMESSAGE,
+                                    error,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                    (PKIX_OBJECT_ERROR,
+                                    *error2,
+                                    (PKIX_PL_Object*)infoString,
+                                     PKIX_TESTERRORMESSAGE,
+                                    error3,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                    (PKIX_OBJECT_ERROR,
+                                    NULL,
+                                    (PKIX_PL_Object*)infoString,
+                                    0,
+                                    error5,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                    (PKIX_MEM_ERROR,
+                                    *error5,
+                                    (PKIX_PL_Object*)infoString,
+                                    0,
+                                    error6,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
+                                    (PKIX_OBJECT_ERROR,
+                                    *error6,
+                                    (PKIX_PL_Object*)infoString,
+                                    0,
+                                    error7,
+                                    plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(infoString);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetErrorClass(PKIX_Error *error, PKIX_Error *error2)
+{
+        PKIX_ERRORCLASS errClass;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_Error_GetErrorClass(error, &errClass, plContext));
+
+        if (errClass != PKIX_OBJECT_ERROR) {
+                testError("Incorrect Class Returned");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_Error_GetErrorClass(error2, &errClass, plContext));
+
+        if (errClass != PKIX_MEM_ERROR) {
+                testError("Incorrect Class Returned");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetErrorClass(PKIX_ALLOC_ERROR(),
+                                            &errClass, plContext));
+        if (errClass != PKIX_FATAL_ERROR) {
+                testError("Incorrect Class Returned");
+        }
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetDescription(
+        PKIX_Error *error,
+        PKIX_Error *error2,
+        PKIX_Error *error3,
+        char *descChar,
+        char *descChar2)
+{
+
+        PKIX_PL_String *targetString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
+                                (error, &targetString, plContext));
+        temp = PKIX_String2ASCII(targetString, plContext);
+        PKIX_TEST_DECREF_BC(targetString);
+
+        if (temp){
+                if (PL_strcmp(temp, descChar) != 0) {
+                        testError("Incorrect description returned");
+                }
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
+                    (error2, &targetString, plContext));
+        temp = PKIX_String2ASCII(targetString, plContext);
+        PKIX_TEST_DECREF_BC(targetString);
+
+        if (temp){
+                if (PL_strcmp(temp, descChar2) != 0) {
+                        testError("Incorrect description returned");
+                }
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
+                    (error3, &targetString, plContext));
+        temp = PKIX_String2ASCII(targetString, plContext);
+        PKIX_TEST_DECREF_BC(targetString);
+
+        if (temp){
+                if (PL_strcmp(temp, descChar) != 0) {
+                        testError("Incorrect description returned");
+                }
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void testGetCause(PKIX_Error *error, PKIX_Error *error2, PKIX_Error *error3)
+{
+
+        PKIX_Error *error4 = NULL;
+        PKIX_PL_String *targetString = NULL;
+        char *temp = NULL;
+        PKIX_Boolean boolResult;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_Error_GetCause(error, &error4, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object*)error2,
+                    (PKIX_PL_Object*)error4,
+                    &boolResult, plContext));
+        if (!boolResult)
+                testError("Incorrect Cause returned");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)error4,
+                                        &targetString, plContext));
+
+        temp = PKIX_String2ASCII(targetString, plContext);
+        if (temp){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        PKIX_TEST_DECREF_BC(targetString);
+        PKIX_TEST_DECREF_BC(error4);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_Error_GetCause(error3, &error4, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object*)error2,
+                    (PKIX_PL_Object*)error4,
+                    &boolResult, plContext));
+        if (!boolResult)
+                testError("Incorrect Cause returned");
+
+        PKIX_TEST_DECREF_BC(error4);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+
+}
+
+static
+void testGetSupplementaryInfo(PKIX_Error *error, char *infoChar)
+{
+
+        PKIX_PL_Object *targetString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetSupplementaryInfo
+                    (error, &targetString, plContext));
+        temp = PKIX_String2ASCII((PKIX_PL_String*)targetString, plContext);
+        PKIX_TEST_DECREF_BC(targetString);
+
+        if (temp){
+                if (PL_strcmp(temp, infoChar) != 0) {
+                        testError("Incorrect info returned");
+                }
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+
+}
+
+static void
+testPrimitiveError(void)
+{
+        PKIX_PL_String *targetString = NULL;
+        PKIX_PL_String *targetStringCopy = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object*)PKIX_ALLOC_ERROR(),
+                    &targetString, plContext));
+
+        temp = PKIX_String2ASCII(targetString, plContext);
+        if (temp){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        targetStringCopy = targetString;
+
+        PKIX_TEST_DECREF_BC(targetString);
+
+        /*
+         *  We need to DECREF twice, b/c the PKIX_ALLOC_ERROR object
+         *  which holds a cached copy of the stringRep can never be DECREF'd
+         */
+        PKIX_TEST_DECREF_BC(targetStringCopy);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testChaining(PKIX_Error *error7)
+{
+        PKIX_PL_String *targetString = NULL;
+        PKIX_Error *tempError = NULL;
+        char *temp = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)error7,
+                                        &targetString, plContext));
+
+        temp = PKIX_String2ASCII(targetString, plContext);
+        if (temp){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+
+        for (i = 0, tempError = error7; i < 2; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_Error_GetCause(tempError, &tempError, plContext));
+                if (tempError == NULL) {
+                        testError("Unexpected end to error chain");
+                        break;
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object*)tempError, plContext));
+        }
+
+        PKIX_TEST_DECREF_BC(targetString);
+
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(PKIX_Error *error)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(error);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_error(int argc, char *argv[]) 
+{
+
+        PKIX_Error *error, *error2, *error3, *error5, *error6, *error7;
+        char *descChar = "Error Message";
+        char *descChar2 = "Another Error Message";
+        char *infoChar = "Auxiliary Info";
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Errors");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_Error_Create");
+        createErrors
+                (&error,
+                &error2,
+                &error3,
+                &error5,
+                &error6,
+                &error7,
+                infoChar);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (error,
+                error,
+                error2,
+                NULL,
+                Error,
+                PKIX_TRUE);
+
+        subTest("PKIX_Error_GetErrorClass");
+        testGetErrorClass(error, error2);
+
+        subTest("PKIX_Error_GetDescription");
+        testGetDescription(error, error2, error3, descChar, descChar2);
+
+        subTest("PKIX_Error_GetCause");
+        testGetCause(error, error2, error3);
+
+        subTest("PKIX_Error_GetSupplementaryInfo");
+        testGetSupplementaryInfo(error, infoChar);
+
+        subTest("Primitive Error Type");
+        testPrimitiveError();
+
+        subTest("Error Chaining");
+        testChaining(error7);
+
+        subTest("PKIX_Error_Destroy");
+        testDestroy(error);
+        testDestroy(error2);
+        testDestroy(error3);
+        testDestroy(error5);
+        testDestroy(error6);
+        testDestroy(error7);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Errors");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_list.c b/security/nss/cmd/libpkix/pkix/util/test_list.c
new file mode 100644
index 000000000..eb145c0b1
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/test_list.c
@@ -0,0 +1,878 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_list.c
+ *
+ * Tests List Objects
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createLists(PKIX_List **list, PKIX_List **list2)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(list, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(list2, plContext));
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testReverseList(void)
+{
+        PKIX_List *firstList = NULL;
+        PKIX_List *reverseList = NULL;
+        PKIX_UInt32 length, i;
+        char *testItemString = "one";
+        char *testItemString2 = "two";
+        PKIX_PL_String *testItem = NULL;
+        PKIX_PL_String *testItem2 = NULL;
+        PKIX_PL_Object *retrievedItem1 = NULL;
+        PKIX_PL_Object *retrievedItem2 = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&firstList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
+                                    (firstList, &reverseList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (reverseList, &length, plContext));
+        if (length != 0){
+                testError("Incorrect Length returned");
+        }
+
+        PKIX_TEST_DECREF_BC(reverseList);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    testItemString,
+                                    0,
+                                    &testItem,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    testItemString2,
+                                    0,
+                                    &testItem2,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (firstList,
+                                    (PKIX_PL_Object*)testItem,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
+                                    (firstList, &reverseList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (reverseList, &length, plContext));
+        if (length != 1){
+                testError("Incorrect Length returned");
+        }
+
+        PKIX_TEST_DECREF_BC(reverseList);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (firstList,
+                                    (PKIX_PL_Object*)testItem2,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (firstList,
+                                    (PKIX_PL_Object*)testItem,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (firstList,
+                                    (PKIX_PL_Object*)testItem2,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
+                                    (firstList, &reverseList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (reverseList, &length, plContext));
+        if (length != 4){
+                testError("Incorrect Length returned");
+        }
+
+        for (i = 0; i < length; i++){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                            (firstList,
+                                            i,
+                                            &retrievedItem1,
+                                            plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                            (reverseList,
+                                            (length - 1) - i,
+                                            &retrievedItem2,
+                                            plContext));
+
+                testEqualsHelper
+                        (retrievedItem1, retrievedItem2, PKIX_TRUE, plContext);
+
+                PKIX_TEST_DECREF_BC(retrievedItem1);
+                PKIX_TEST_DECREF_BC(retrievedItem2);
+
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstList);
+        PKIX_TEST_DECREF_AC(reverseList);
+
+        PKIX_TEST_DECREF_AC(testItem);
+        PKIX_TEST_DECREF_AC(testItem2);
+
+        PKIX_TEST_DECREF_AC(retrievedItem1);
+        PKIX_TEST_DECREF_AC(retrievedItem2);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testZeroLengthList(PKIX_List *list)
+{
+        PKIX_UInt32 length;
+        PKIX_Boolean empty;
+        char *testItemString = "hello";
+        PKIX_PL_String *testItem = NULL;
+        PKIX_PL_String *retrievedItem = NULL;
+        PKIX_List *diffList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&diffList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(list, &length, plContext));
+
+        if (length != 0){
+                testError("Incorrect Length returned");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(list, &empty, plContext));
+        if (!empty){
+                testError("Incorrect result for PKIX_List_IsEmpty");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    testItemString,
+                                    0,
+                                    &testItem,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_InsertItem
+                            (list, 0, (PKIX_PL_Object *)testItem, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem
+                            (list, 0, (PKIX_PL_Object *)testItem, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetItem
+                            (list,
+                            0,
+                            (PKIX_PL_Object **)&retrievedItem,
+                            plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 0, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (diffList,
+                                    (PKIX_PL_Object*)testItem,
+                                    plContext));
+
+        testDuplicateHelper((PKIX_PL_Object *)diffList, plContext);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (list, list, diffList, "(EMPTY)", List, PKIX_TRUE);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(diffList, &length, plContext));
+        if (length != 1){
+                testError("Incorrect Length returned");
+        }
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 1, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_DeleteItem(diffList, 0, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(diffList, &length, plContext));
+        if (length != 0){
+                testError("Incorrect Length returned");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(testItem);
+        PKIX_TEST_DECREF_AC(diffList);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetLength(PKIX_List *list)
+{
+        PKIX_UInt32 length;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(list, &length, plContext));
+
+        if (length != 3){
+                testError("Incorrect Length returned");
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetSetItem(
+        PKIX_List *list,
+        char *testItemString,
+        char *testItemString2,
+        char *testItemString3,
+        PKIX_PL_String **testItem,
+        PKIX_PL_String **testItem2,
+        PKIX_PL_String **testItem3)
+{
+        PKIX_PL_Object *tempItem = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                        (PKIX_ESCASCII,
+                                        testItemString,
+                                        PL_strlen(testItemString),
+                                        testItem,
+                                        plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                        (PKIX_ESCASCII,
+                                        testItemString2,
+                                        PL_strlen(testItemString2),
+                                        testItem2,
+                                        plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                        (PKIX_ESCASCII,
+                                        testItemString3,
+                                        PL_strlen(testItemString3),
+                                        testItem3,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)*testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)*testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)*testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                    (list, 0, (PKIX_PL_Object*)*testItem, plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                    (list, 1, (PKIX_PL_Object*)*testItem2, plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                    (list, 2, (PKIX_PL_Object*)*testItem3, plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                if (PL_strcmp(testItemString, temp) != 0)
+                testError("GetItem from list is incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        PKIX_TEST_DECREF_BC(tempItem);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem(list, 1, &tempItem, plContext));
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                if (PL_strcmp(testItemString2, temp) != 0)
+                        testError("GetItem from list is incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(tempItem);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem(list, 2, &tempItem, plContext));
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                if (PL_strcmp(testItemString3, temp) != 0)
+                        testError("GetItem from list is incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(tempItem);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                    (list, 0, (PKIX_PL_Object*)*testItem3, plContext));
+        temp = PKIX_String2ASCII(*testItem3, plContext);
+        if (temp){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                if (PL_strcmp(testItemString3, temp) != 0)
+                        testError("GetItem from list is incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(tempItem);
+
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testInsertItem(
+        PKIX_List *list,
+        PKIX_PL_String *testItem,
+        char *testItemString)
+{
+        PKIX_PL_Object *tempItem = NULL;
+        PKIX_PL_String *outputString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_InsertItem
+                (list, 0, (PKIX_PL_Object*)testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
+
+        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
+        if (temp){
+                if (PL_strcmp(testItemString, temp) != 0)
+                        testError("GetItem from list is incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(tempItem);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, c, b, c)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        PKIX_TEST_DECREF_BC(outputString);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testAppendItem(PKIX_List *list, PKIX_PL_String *testItem)
+{
+        PKIX_UInt32 length2;
+        PKIX_PL_String *outputString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(list, &length2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list,
+                                        (PKIX_PL_Object*)testItem,
+                                        plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, c, b, c, a)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+        PKIX_TEST_DECREF_BC(outputString);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testNestedLists(
+        PKIX_List *list,
+        PKIX_List *list2,
+        PKIX_PL_String *testItem,
+        PKIX_PL_String *testItem2)
+{
+        PKIX_PL_String *outputString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (list2, (PKIX_PL_Object*)testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list2,
+                                        (PKIX_PL_Object*)NULL,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list2,
+                                        (PKIX_PL_Object*)testItem,
+                                        plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, (null), a)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_InsertItem(list, 1,
+                                        (PKIX_PL_Object*)list2,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, (a, (null), a), c, b, c, a)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDeleteItem(
+        PKIX_List *list,
+        PKIX_List *list2,
+        PKIX_PL_String *testItem2,
+        PKIX_PL_String *testItem3)
+{
+        PKIX_PL_String *outputString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 5, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)list,
+                                    &outputString,
+                                    plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, (a, (null), a), c, b, c)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 1, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)list,
+                                    &outputString,
+                                    plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, c, b, c)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 0, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(c, b, c)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list2, 1, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
+                                        &outputString,
+                                        plContext));
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, a)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                    (list2,
+                    (PKIX_PL_Object*)testItem2,
+                    plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, a, b)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list2, 2, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
+                                        &outputString,
+                                        plContext));
+
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, a)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                    (list2,
+                    (PKIX_PL_Object*)testItem3,
+                    plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
+                                        &outputString,
+                                        plContext));
+        temp = PKIX_String2ASCII(outputString, plContext);
+        if (temp){
+                if (PL_strcmp("(a, a, c)", temp) != 0)
+                        testError("List toString is Incorrect");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(outputString);
+
+
+        PKIX_TEST_DECREF_BC(list2);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+#if testContainsFunction
+/* This test requires pkix_List_Contains to be in nss.def */
+static void
+testContains(void)
+{
+
+        PKIX_List *list;
+        PKIX_PL_String *testItem, *testItem2, *testItem3, *testItem4;
+        char *testItemString = "a";
+        char *testItemString2 = "b";
+        char *testItemString3 = "c";
+        char *testItemString4 = "d";
+        PKIX_Boolean found = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+        subTest("pkix_ListContains");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                testItemString,
+                PL_strlen(testItemString),
+                &testItem,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                testItemString2,
+                PL_strlen(testItemString2),
+                &testItem2,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                testItemString3,
+                PL_strlen(testItemString3),
+                &testItem3,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                testItemString4,
+                PL_strlen(testItemString4),
+                &testItem4,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)testItem, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)testItem2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)testItem3, plContext));
+
+        subTest("pkix_List_Contains <object missing>");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_List_Contains
+                (list, (PKIX_PL_Object *)testItem4, &found, plContext));
+
+        if (found){
+                testError("Contains found item that wasn't there!");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (list, (PKIX_PL_Object*)testItem4, plContext));
+
+        subTest("pkix_List_Contains <object present>");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_List_Contains
+                (list, (PKIX_PL_Object *)testItem4, &found, plContext));
+
+        if (!found){
+                testError("Contains missed item that was present!");
+        }
+
+        PKIX_TEST_DECREF_BC(list);
+        PKIX_TEST_DECREF_BC(testItem);
+        PKIX_TEST_DECREF_BC(testItem2);
+        PKIX_TEST_DECREF_BC(testItem3);
+        PKIX_TEST_DECREF_BC(testItem4);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+#endif
+
+static void
+testErrorHandling(void)
+{
+        PKIX_List *emptylist = NULL;
+        PKIX_List *list = NULL;
+        PKIX_PL_Object *tempItem = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
+
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_List_GetItem(list, 4, &tempItem, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetItem(list, 1, NULL, plContext));
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem(list, 4, tempItem, plContext));
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem(NULL, 1, tempItem, plContext));
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_List_InsertItem(list, 4, tempItem, plContext));
+
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_List_InsertItem(NULL, 1, tempItem, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_AppendItem(NULL, tempItem, plContext));
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 5, plContext));
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(NULL, 1, plContext));
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetLength(list, NULL, plContext));
+
+        PKIX_TEST_DECREF_BC(list);
+        PKIX_TEST_DECREF_BC(emptylist);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(PKIX_List *list)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(list);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_list(int argc, char *argv[]) {
+
+        PKIX_List *list, *list2;
+        PKIX_PL_String *testItem, *testItem2, *testItem3;
+        char *testItemString = "a";
+        char *testItemString2 = "b";
+        char *testItemString3 = "c";
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Lists");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_List_Create");
+        createLists(&list, &list2);
+
+        subTest("pkix_List_ReverseList");
+        testReverseList();
+
+        subTest("Zero-length List");
+        testZeroLengthList(list);
+
+        subTest("PKIX_List_Get/SetItem");
+        testGetSetItem
+                (list,
+                testItemString,
+                testItemString2,
+                testItemString3,
+                &testItem,
+                &testItem2,
+                &testItem3);
+
+        subTest("PKIX_List_GetLength");
+        testGetLength(list);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (list,
+                list,
+                list2,
+                "(c, b, c)",
+                List,
+                PKIX_TRUE);
+
+        subTest("PKIX_List_InsertItem");
+        testInsertItem(list, testItem, testItemString);
+
+        subTest("PKIX_List_AppendItem");
+        testAppendItem(list, testItem);
+
+        subTest("Nested Lists");
+        testNestedLists(list, list2, testItem, testItem2);
+
+        subTest("PKIX_List_DeleteItem");
+        testDeleteItem(list, list2, testItem2, testItem3);
+
+        PKIX_TEST_DECREF_BC(testItem);
+        PKIX_TEST_DECREF_BC(testItem2);
+        PKIX_TEST_DECREF_BC(testItem3);
+
+#if testContainsFunction
+/* This test requires pkix_List_Contains to be in nss.def */
+        testContains();
+#endif
+
+        subTest("PKIX_List Error Handling");
+        testErrorHandling();
+
+        subTest("PKIX_List_Destroy");
+        testDestroy(list);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Lists");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_list2.c b/security/nss/cmd/libpkix/pkix/util/test_list2.c
new file mode 100644
index 000000000..3dffef26e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/test_list2.c
@@ -0,0 +1,154 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_list2.c
+ *
+ * Performs an in-place sort on a list
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+int test_list2(int argc, char *argv[]) {
+
+        PKIX_List *list;
+        char *temp;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_Int32 cmpResult;
+        PKIX_PL_OID *testOID;
+        PKIX_PL_String *testString;
+        PKIX_PL_Object *obj, *obj2;
+        PKIX_UInt32 size = 10;
+        char *testOIDString[10] = {
+                "2.9.999.1.20",
+                "1.2.3.4.5.6.7",
+                "0.1",
+                "1.2.3.5",
+                "0.39",
+                "1.2.3.4.7",
+                "1.2.3.4.6",
+                "0.39.1",
+                "1.2.3.4.5",
+                "0.39.1.300"
+        };
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("List Sorting");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("Creating Unsorted Lists");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
+        for (i = 0; i < size; i++) {
+                /* Create a new OID object */
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(
+                                                testOIDString[i],
+                                                &testOID,
+                                                plContext));
+                /* Insert it into the list */
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                            (list, (PKIX_PL_Object*)testOID, plContext));
+                /* Decref the string object */
+                PKIX_TEST_DECREF_BC(testOID);
+        }
+
+        subTest("Outputting Unsorted List");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                            &testString,
+                                            plContext));
+        temp = PKIX_String2ASCII(testString, plContext);
+        if (temp){
+                (void) printf("%s \n", temp);
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+        PKIX_TEST_DECREF_BC(testString);
+
+        subTest("Performing Bubble Sort");
+
+        for (i = 0; i < size; i++)
+                for (j = 9; j > i; j--) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem(list, j, &obj, plContext));
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (list, j-1, &obj2, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare
+                                    (obj, obj2, &cmpResult, plContext));
+                        if (cmpResult < 0) {
+                                /* Exchange the items */
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                                            (list, j, obj2, plContext));
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
+                                            (list, j-1, obj, plContext));
+                        }
+                        /* DecRef objects */
+                        PKIX_TEST_DECREF_BC(obj);
+                        PKIX_TEST_DECREF_BC(obj2);
+                }
+
+        subTest("Outputting Sorted List");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
+                                            &testString,
+                                            plContext));
+        temp = PKIX_String2ASCII(testString, plContext);
+        if (temp){
+                (void) printf("%s \n", temp);
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(testString);
+        PKIX_TEST_DECREF_AC(list);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("List Sorting");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_logger.c b/security/nss/cmd/libpkix/pkix/util/test_logger.c
new file mode 100644
index 000000000..d481ab1a3
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/util/test_logger.c
@@ -0,0 +1,366 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_logger.c
+ *
+ * Tests Logger Objects
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static char *levels[] = {
+        "None",
+        "Fatal Error",
+        "Error",
+        "Warning",
+        "Debug",
+        "Trace"
+};
+
+static
+PKIX_Error *testLoggerCallback(
+        PKIX_Logger *logger,
+        PKIX_PL_String *message,
+        PKIX_UInt32 logLevel,
+        PKIX_ERRORCLASS logComponent,
+        void *plContext)
+{
+        char *comp = NULL;
+        char *msg = NULL;
+        char result[100];
+        static int callCount = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        msg = PKIX_String2ASCII(message, plContext);
+        PR_snprintf(result, 100, "Logging %s (%s): %s",
+                levels[logLevel], PKIX_ERRORCLASSNAMES[logComponent], msg);
+        subTest(result);
+
+        callCount++;
+        if (callCount > 1) {
+                testError("Incorrect number of Logger Callback <expect 1>");
+        }
+
+cleanup:
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
+        PKIX_TEST_RETURN();
+}
+
+static
+PKIX_Error *testLoggerCallback2(
+        PKIX_Logger *logger,
+        PKIX_PL_String *message,
+        PKIX_UInt32 logLevel,
+        PKIX_ERRORCLASS logComponent,
+        void *plContext)
+{
+        char *comp = NULL;
+        char *msg = NULL;
+        char result[100];
+
+        PKIX_TEST_STD_VARS();
+
+        msg = PKIX_String2ASCII(message, plContext);
+        PR_snprintf(result, 100, "Logging %s (%s): %s",
+                levels[logLevel], PKIX_ERRORCLASSNAMES[logComponent], msg);
+        subTest(result);
+
+cleanup:
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
+        PKIX_TEST_RETURN();
+}
+
+static void
+createLogger(PKIX_Logger **logger,
+        PKIX_PL_Object *context,
+        PKIX_Logger_LogCallback cb)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
+                (cb, context, logger, plContext));
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testContextCallback(PKIX_Logger *logger, PKIX_Logger *logger2)
+{
+        PKIX_Logger_LogCallback cb = NULL;
+        PKIX_PL_Object *context = NULL;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+        PKIX_UInt32 length;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_Logger_GetLoggerContext");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggerContext
+                (logger2, &context, plContext));
+
+        testEqualsHelper
+                ((PKIX_PL_Object *)logger, context, PKIX_TRUE, plContext);
+
+        subTest("PKIX_Logger_GetLogCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLogCallback
+                (logger, &cb, plContext));
+
+        if (cb != testLoggerCallback) {
+                testError("Incorrect Logger Callback returned");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(context);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testComponent(PKIX_Logger *logger)
+{
+        PKIX_ERRORCLASS compName = (PKIX_ERRORCLASS)NULL;
+        PKIX_ERRORCLASS compNameReturn = (PKIX_ERRORCLASS)NULL;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_Logger_GetLoggingComponent");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggingComponent
+                (logger, &compName, plContext));
+
+        if (compName != (PKIX_ERRORCLASS)NULL) {
+                testError("Incorrect Logger Component returned. expect <NULL>");
+        }
+
+        subTest("PKIX_Logger_SetLoggingComponent");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
+                (logger, PKIX_LIST_ERROR, plContext));
+
+        subTest("PKIX_Logger_GetLoggingComponent");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggingComponent
+                (logger, &compNameReturn, plContext));
+
+        if (compNameReturn != PKIX_LIST_ERROR) {
+                testError("Incorrect Logger Component returned.");
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testMaxLoggingLevel(PKIX_Logger *logger)
+{
+        PKIX_UInt32 level = 0;
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_Logger_GetMaxLoggingLevel");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetMaxLoggingLevel
+                (logger, &level, plContext));
+
+        if (level != 0) {
+                testError("Incorrect Logger MaxLoggingLevel returned");
+        }
+
+        subTest("PKIX_Logger_SetMaxLoggingLevel");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
+                (logger, 3, plContext));
+
+        subTest("PKIX_Logger_GetMaxLoggingLevel");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetMaxLoggingLevel
+                (logger, &level, plContext));
+
+        if (level != 3) {
+                testError("Incorrect Logger MaxLoggingLevel returned");
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testLogger(PKIX_Logger *logger, PKIX_Logger *logger2)
+{
+        PKIX_List *loggerList = NULL;
+        PKIX_List *checkList = NULL;
+        PKIX_UInt32 length;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+        char *expectedAscii = "[\n"
+                "\tLogger: \n"
+                "\tContext:          (null)\n"
+                "\tMaximum Level:    3\n"
+                "\tComponent Name:   LIST\n"
+                "]\n";
+
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_GetLoggers");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_GetLoggers(&loggerList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (loggerList, &length, plContext));
+        if (length != 0){
+                testError("Incorrect Logger List returned");
+        }
+        PKIX_TEST_DECREF_BC(loggerList);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&loggerList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (loggerList, (PKIX_PL_Object *) logger, plContext));
+
+        subTest("PKIX_SetLoggers");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggerList, plContext));
+
+        subTest("PKIX_Logger_SetLoggingComponent");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
+                (logger2, PKIX_MUTEX_ERROR, plContext));
+
+        subTest("PKIX_Logger_SetMaxLoggingLevel");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
+                (logger2, 5, plContext));
+
+        subTest("PKIX_AddLogger");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_AddLogger(logger2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&checkList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (checkList, (PKIX_PL_Object *) logger, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (checkList, (PKIX_PL_Object *) logger2, plContext));
+
+        PKIX_TEST_DECREF_BC(loggerList);
+
+        subTest("PKIX_GetLoggers");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_GetLoggers(&loggerList, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (loggerList, &length, plContext));
+
+        subTest("pkix_Loggers_Equals");
+        testEqualsHelper
+                ((PKIX_PL_Object *) loggerList,
+                (PKIX_PL_Object *) checkList,
+                PKIX_TRUE,
+                plContext);
+
+        subTest("pkix_Loggers_Duplicate");
+        testDuplicateHelper((PKIX_PL_Object *)logger, plContext);
+
+        subTest("pkix_Loggers_Hashcode");
+        testHashcodeHelper((PKIX_PL_Object *) logger,
+                           (PKIX_PL_Object *) logger,
+                           PKIX_TRUE,
+                           plContext);
+
+        subTest("pkix_Loggers_ToString");
+        testToStringHelper((PKIX_PL_Object *) logger, expectedAscii, plContext);
+
+        subTest("PKIX Logger Callback");
+        subTest("Expect to have ***Fatal Error (List): Null argument*** once");
+        PKIX_TEST_EXPECT_ERROR(PKIX_List_AppendItem
+                (NULL, (PKIX_PL_Object *) NULL, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(loggerList);
+        PKIX_TEST_DECREF_AC(checkList);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(PKIX_Logger *logger)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(logger);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_logger(int argc, char *argv[]) {
+
+        PKIX_Logger *logger, *logger2;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Loggers");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_Logger_Create");
+        createLogger(&logger, NULL, testLoggerCallback);
+        createLogger(&logger2, (PKIX_PL_Object *)logger, testLoggerCallback2);
+
+        subTest("Logger Context and Callback");
+        testContextCallback(logger, logger2);
+
+        subTest("Logger Component");
+        testComponent(logger);
+
+        subTest("Logger MaxLoggingLevel");
+        testMaxLoggingLevel(logger);
+
+        subTest("Logger List operations");
+        testLogger(logger, logger2);
+
+        subTest("PKIX_Logger_Destroy");
+        testDestroy(logger);
+        testDestroy(logger2);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Loggers");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/Makefile b/security/nss/cmd/libpkix/pkix_pl/Makefile
new file mode 100755
index 000000000..2b004b29e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
+
diff --git a/security/nss/cmd/libpkix/pkix_pl/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/manifest.mn
new file mode 100755
index 000000000..836b74316
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/manifest.mn
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ./..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+DIRS =  module  pki  system \
+	$(NULL)
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/Makefile b/security/nss/cmd/libpkix/pkix_pl/module/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn
new file mode 100755
index 000000000..42edb9d62
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_colcertstore.c \
+	test_ekuchecker.c \
+	test_pk11certstore.c \
+	test_socket.c \
+	test_httpcertstore.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolmodule
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c
new file mode 100644
index 000000000..5e3316c9b
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c
@@ -0,0 +1,285 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_colcertstore.c
+ *
+ * Test CollectionCertStore Type
+ *
+ */
+
+#include "testutil.h"
+
+#include "testutil_nss.h"
+
+/* When CRL IDP is supported, change NUM_CRLS to 9 */
+#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 4
+#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CERTS 15
+
+static void *plContext = NULL;
+
+static PKIX_Error *
+testCRLSelectorMatchCallback(
+        PKIX_CRLSelector *selector,
+        PKIX_PL_CRL *crl,
+	PKIX_Boolean *pMatch,
+        void *plContext)
+{
+	*pMatch = PKIX_TRUE;
+
+        return (0);
+}
+
+static PKIX_Error *
+testCertSelectorMatchCallback(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        *pResult = PKIX_TRUE;
+
+        return (0);
+}
+
+static PKIX_Error *
+getCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *certSelector,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        return (0);
+}
+
+static char *catDirName(char *platform, char *dir, void *plContext)
+{
+        char *pathName = NULL;
+        PKIX_UInt32 dirLen;
+        PKIX_UInt32 platformLen;
+
+        PKIX_TEST_STD_VARS();
+
+        dirLen = PL_strlen(dir);
+        platformLen = PL_strlen(platform);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (platformLen + dirLen + 2, (void **)&pathName, plContext));
+
+        PL_strcpy(pathName, platform);
+        PL_strcat(pathName, "/");
+        PL_strcat(pathName, dir);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (pathName);
+}
+
+static 
+void testGetCRL(char *crlDir)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CRLCallback crlCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+        PKIX_List *crlList = NULL;
+        PKIX_UInt32 numCrl = 0;
+	void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    crlDir,
+                                    0,
+                                    &dirString,
+                                    plContext));
+
+        subTest("PKIX_PL_CollectionCertStore_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirString,
+                                    &certStore,
+                                    plContext));
+
+        subTest("PKIX_CRLSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                                    (testCRLSelectorMatchCallback,
+                                    NULL,
+                                    &crlSelector,
+                                    plContext));
+
+        subTest("PKIX_CertStore_GetCRLCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+                                    (certStore, &crlCallback, NULL));
+
+        subTest("Getting data from CRL Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(crlCallback
+                                    (certStore,
+                                    crlSelector,
+                                    &nbioContext,
+                                    &crlList,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (crlList,
+                                    &numCrl,
+                                    plContext));
+
+        if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) {
+                pkixTestErrorMsg = "unexpected CRL number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(crlList);
+        PKIX_TEST_DECREF_AC(crlSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void testGetCert(char *certDir)
+{
+        PKIX_PL_String *dirString = NULL;
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 numCert = 0;
+	void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    certDir,
+                                    0,
+                                    &dirString,
+                                    plContext));
+
+        subTest("PKIX_PL_CollectionCertStore_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                                    (dirString,
+                                    &certStore,
+                                    plContext));
+
+        subTest("PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                                    (testCertSelectorMatchCallback,
+                                    NULL,
+                                    &certSelector,
+                                    plContext));
+
+        subTest("PKIX_CertStore_GetCertCallback");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                                    (certStore, &certCallback, NULL));
+
+        subTest("Getting data from Cert Callback");
+        PKIX_TEST_EXPECT_NO_ERROR(certCallback
+                                    (certStore,
+                                    certSelector,
+                                    &nbioContext,
+                                    &certList,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (certList,
+                                    &numCert,
+                                    plContext));
+
+        if (numCert != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CERTS) {
+                pkixTestErrorMsg = "unexpected Cert number mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dirString);
+        PKIX_TEST_DECREF_AC(certList);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certStore);
+
+        PKIX_TEST_RETURN();
+}
+
+static void printUsage(char *pName){
+        printf("\nUSAGE: %s test-purpose <data-dir> <platform-dir>\n\n", pName);
+}
+
+/* Functional tests for CollectionCertStore public functions */
+
+int test_colcertstore(int argc, char *argv[]) {
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *platformDir = NULL;
+        char *dataDir = NULL;
+        char *combinedDir = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CollectionCertStore");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < (3 + j)) {
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        dataDir = argv[2 + j];
+        platformDir = argv[3 + j];
+	combinedDir = catDirName(platformDir, dataDir, plContext);
+
+        testGetCRL(combinedDir);
+        testGetCert(combinedDir);
+
+cleanup:
+
+        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CollectionCertStore");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c b/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c
new file mode 100644
index 000000000..0a6e7e8fb
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c
@@ -0,0 +1,321 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_ekuchecker.c
+ *
+ * Test Extend Key Usage Checker
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+#define PKIX_TEST_MAX_CERTS     10
+
+static void *plContext = NULL;
+
+static 
+void printUsage1(char *pName){
+        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
+        printf("[E]oid[,oid]* <data-dir> cert [certs].\n");
+}
+
+static void printUsageMax(PKIX_UInt32 numCerts){
+        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
+                numCerts, PKIX_TEST_MAX_CERTS);
+}
+
+static PKIX_Error *
+testCertSelectorMatchCallback(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        *pResult = PKIX_TRUE;
+
+        return (0);
+}
+
+static PKIX_Error *
+testEkuSetup(
+        PKIX_ValidateParams *valParams,
+        char *ekuOidString,
+        PKIX_Boolean *only4EE)
+{
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_List *ekuList = NULL;
+        PKIX_PL_OID *ekuOid = NULL;
+        PKIX_ComCertSelParams *selParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_Boolean last_token = PKIX_FALSE;
+        PKIX_UInt32 i, tokeni;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_ValidateParams_GetProcessingParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                                    (valParams, &procParams, plContext));
+
+        /* Get extended key usage OID(s) from command line, separated by ","  */
+
+        if (ekuOidString[0] == '"') {
+                /* erase doble quotes, if any */
+                i = 1;
+                while (ekuOidString[i] != '"' && ekuOidString[i] != '\0') {
+                        ekuOidString[i-1] = ekuOidString[i];
+                        i++;
+                }
+                ekuOidString[i-1] = '\0';
+        }
+
+        if (ekuOidString[0] == '\0') {
+                ekuList = NULL;
+        } else {
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
+                        (&ekuList, plContext));
+
+                /* if OID string start with E, only check for last cert */
+                if (ekuOidString[0] == 'E') {
+                        *only4EE = PKIX_TRUE;
+                        tokeni = 2;
+                        i = 1;
+                } else {
+                        *only4EE = PKIX_FALSE;
+                        tokeni = 1;
+                        i = 0;
+                }
+
+                while (last_token != PKIX_TRUE) {
+                    while (ekuOidString[tokeni] != ',' &&
+                            ekuOidString[tokeni] != '\0') {
+                        tokeni++;
+                    }
+                    if (ekuOidString[tokeni] == '\0') {
+                        last_token = PKIX_TRUE;
+                    } else {
+                        ekuOidString[tokeni] = '\0';
+                        tokeni++;
+                    }
+
+                    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
+                        (&ekuOidString[i], &ekuOid, plContext));
+
+                    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                            (ekuList, (PKIX_PL_Object *)ekuOid, plContext));
+
+                    PKIX_TEST_DECREF_BC(ekuOid);
+                    i = tokeni;
+
+                }
+
+        }
+
+        /* Set extended key usage link to processing params */
+
+        subTest("PKIX_ComCertSelParams_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                        (&selParams, plContext));
+
+        subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
+                        (selParams, ekuList, plContext));
+
+        subTest("PKIX_CertSelector_Create");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                        (testCertSelectorMatchCallback,
+                        NULL,
+                        &certSelector,
+                        plContext));
+
+        subTest("PKIX_CertSelector_SetCommonCertSelectorParams");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                        (certSelector, selParams, plContext));
+
+        subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
+                        (procParams, certSelector, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(selParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(ekuOid);
+        PKIX_TEST_DECREF_AC(ekuList);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+static PKIX_Error *
+testEkuChecker(
+        PKIX_ValidateParams *valParams,
+        PKIX_Boolean only4EE)
+{
+        PKIX_ProcessingParams *procParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
+                                    (valParams, &procParams, plContext));
+
+        subTest("PKIX_ProcessingParams_SetRevocationEnabled - disable");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                                    (procParams, PKIX_FALSE, plContext));
+
+        if (only4EE == PKIX_FALSE) {
+                subTest("PKIX_PL_EkuChecker_Create");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_EkuChecker_Create
+                                    (procParams, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(procParams);
+
+        PKIX_TEST_RETURN();
+
+        return (0);
+}
+
+int test_ekuchecker(int argc, char *argv[]){
+        PKIX_List *chain = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        char *certNames[PKIX_TEST_MAX_CERTS];
+        char *dirName = NULL;
+        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean testValid = PKIX_FALSE;
+        PKIX_Boolean only4EE = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 5) {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        startTests("EKU Checker");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ENE = expect no error; EE = expect error */
+        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
+                testValid = PKIX_TRUE;
+        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
+                testValid = PKIX_FALSE;
+        } else {
+                printUsage1(argv[0]);
+                return (0);
+        }
+
+        dirName = argv[4+j];
+
+        chainLength = (argc - j) - 6;
+        if (chainLength > PKIX_TEST_MAX_CERTS) {
+                printUsageMax(chainLength);
+        }
+
+        for (i = 0; i < chainLength; i++) {
+
+                certNames[i] = argv[6+i+j];
+                certs[i] = NULL;
+        }
+
+        subTest(argv[1+j]);
+
+        subTest("Extended-Key-Usage-Checker");
+
+        subTest("Extended-Key-Usage-Checker - Create Cert Chain");
+
+        chain = createCertChainPlus
+                (dirName, certNames, certs, chainLength, plContext);
+
+        subTest("Extended-Key-Usage-Checker - Create Params");
+
+        valParams = createValidateParams
+                (dirName,
+                argv[5+j],
+                NULL,
+                NULL,
+                NULL,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                PKIX_FALSE,
+                chain,
+                plContext);
+
+        subTest("Default CertStore");
+
+        testEkuSetup(valParams, argv[3+j], &only4EE);
+
+        testEkuChecker(valParams, only4EE);
+
+        subTest("Extended-Key-Usage-Checker - Validate Chain");
+
+        if (testValid == PKIX_TRUE) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
+                                    (valParams, &valResult, NULL, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+                                    (valParams, &valResult, NULL, plContext));
+        }
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(chain);
+        PKIX_TEST_DECREF_AC(valParams);
+        PKIX_TEST_DECREF_AC(valResult);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("EKU Checker");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c
new file mode 100644
index 000000000..6a45c4776
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c
@@ -0,0 +1,324 @@
+/*
+ * test_httpcertstore.c
+ *
+ * Test Httpcertstore Type
+ *
+ * Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   1. Redistribution of source code must retain the above copyright notice,
+ *      this list of conditions and the following disclaimer.
+ *
+ *   2. Redistribution in binary form must reproduce the above copyright
+ *      notice, this list of conditions and the following disclaimer in the
+ *      documentation and/or other materials provided with the distribution.
+ *
+ * Neither the name of Sun Microsystems, Inc. or the names of contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * This software is provided "AS IS," without a warranty of any kind. ALL
+ * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
+ * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+ * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
+ * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
+ * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
+ * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
+ * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
+ * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
+ * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
+ * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ *
+ * You acknowledge that this software is not designed or intended for use in
+ * the design, construction, operation or maintenance of any nuclear facility.
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+#include "pkix_pl_common.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(char *testname) 
+{
+        char *fmt =
+		"USAGE: %s [-arenas] certDir certName\n";
+        printf(fmt, "test_httpcertstore");
+}
+
+/* Functional tests for Socket public functions */
+static
+void do_other_work(void) { /* while waiting for nonblocking I/O to complete */
+        (void) PR_Sleep(2*60);
+}
+
+PKIX_Error *
+PKIX_PL_HttpCertStore_Create(
+        PKIX_PL_HttpClient *client, /* if NULL, use default Client */
+        PKIX_PL_GeneralName *location,
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_HttpCertStore_CreateWithAsciiName(
+        PKIX_PL_HttpClient *client, /* if NULL, use default Client */
+        char *location,
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+static PKIX_Error *
+getLocation(
+	PKIX_PL_Cert *certWithAia,
+	PKIX_PL_GeneralName **pLocation,
+	void *plContext)
+{
+	PKIX_List *aiaList = NULL;
+	PKIX_UInt32 size = 0;
+        PKIX_PL_InfoAccess *aia = NULL;
+        PKIX_UInt32 iaType = PKIX_INFOACCESS_LOCATION_UNKNOWN;
+	PKIX_PL_GeneralName *location = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Getting Authority Info Access");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
+                (certWithAia, &aiaList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (aiaList, &size, plContext));
+
+        if (size != 1) {
+                pkixTestErrorMsg = "unexpected number of AIA";
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (aiaList, 0, (PKIX_PL_Object **) &aia, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocationType
+                (aia, &iaType, plContext));
+
+        if (iaType != PKIX_INFOACCESS_LOCATION_HTTP) {
+                pkixTestErrorMsg = "unexpected location type in AIA";
+                goto cleanup;
+
+	}
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocation
+                (aia, &location, plContext));
+
+	*pLocation = location;
+
+cleanup:
+	PKIX_TEST_DECREF_AC(aiaList);
+	PKIX_TEST_DECREF_AC(aia);
+
+        PKIX_TEST_RETURN();
+
+        return (NULL);
+}
+
+int test_httpcertstore(int argc, char *argv[]) 
+{
+
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 numCrls = 0;
+        int j = 0;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 length = 0;
+
+        char *certName = NULL;
+        char *certDir = NULL;
+	PKIX_PL_Cert *cmdLineCert = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+	PKIX_CertStore *certStore = NULL;
+	PKIX_CertStore *crlStore = NULL;
+	PKIX_PL_GeneralName *location = NULL;
+	PKIX_CertStore_CertCallback getCerts = NULL;
+	PKIX_List *certs = NULL;
+        char *asciiResult = NULL;
+	void *nbio = NULL;
+
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+	char *crlLocation = "http://betty.nist.gov/pathdiscoverytestsuite/CRL"
+		"files/BasicHTTPURIPeer2CACRL.crl";
+	PKIX_CertStore_CRLCallback getCrls = NULL;
+	PKIX_List *crls = NULL;
+	PKIX_PL_String *crlString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("HttpCertStore");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc != (j + 3)) {
+                printUsage(argv[0]);
+                pkixTestErrorMsg = "Missing command line argument.";
+                goto cleanup;
+        }
+
+	certDir = argv[++j];
+	certName = argv[++j];
+
+	cmdLineCert = createCert(certDir, certName, plContext);
+	if (cmdLineCert == NULL) {
+                pkixTestErrorMsg = "Unable to create Cert";
+		goto cleanup;
+	}
+
+        /* muster arguments to create HttpCertStore */
+	PKIX_TEST_EXPECT_NO_ERROR(getLocation
+		(cmdLineCert, &location, plContext));
+
+	if (location == NULL) {
+                pkixTestErrorMsg = "Give me a cert with an HTTP URI!";
+                goto cleanup;
+	}
+
+        /* create HttpCertStore */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HttpCertStore_Create
+                (NULL, location, &certStore, plContext));
+
+	/* get the GetCerts callback */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+		(certStore, &getCerts, plContext));
+
+	/* create a CertSelector */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+	/* Get the certs */
+	PKIX_TEST_EXPECT_NO_ERROR(getCerts
+		(certStore, certSelector, &nbio, &certs, plContext));
+
+	while (nbio != NULL) {
+		/* poll for a completion */
+
+		PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_CertContinue
+			(certStore, certSelector, &nbio, &certs, plContext));
+	}
+
+        if (certs) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+		if (numCerts == 0) {
+			printf("HttpCertStore returned an empty Cert list\n");
+			goto cleanup;
+		}
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (certs,
+                                i,
+                                (PKIX_PL_Object**)&cert,
+                                plContext));
+
+                        asciiResult = PKIX_Cert2ASCII(cert);
+
+                        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, NULL));
+                        asciiResult = NULL;
+
+                        PKIX_TEST_DECREF_BC(cert);
+                }
+	} else {
+		printf("HttpCertStore returned a NULL Cert list\n");
+	}
+
+        /* create HttpCertStore */
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_HttpCertStore_CreateWithAsciiName
+                (NULL, crlLocation, &crlStore, plContext));
+
+	/* get the GetCrls callback */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+		(crlStore, &getCrls, plContext));
+
+	/* create a CrlSelector */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                (NULL, NULL, &crlSelector, plContext));
+
+	/* Get the crls */
+	PKIX_TEST_EXPECT_NO_ERROR(getCrls
+		(crlStore, crlSelector, &nbio, &crls, plContext));
+
+	while (nbio != NULL) {
+		/* poll for a completion */
+
+		PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_CrlContinue
+			(crlStore, crlSelector, &nbio, &crls, plContext));
+	}
+
+        if (crls) {
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetLength(crls, &numCrls, plContext));
+
+		if (numCrls == 0) {
+			printf("HttpCertStore returned an empty CRL list\n");
+			goto cleanup;
+		}
+
+                for (i = 0; i < numCrls; i++) {
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_List_GetItem
+                                (crls,
+                                i,
+                                (PKIX_PL_Object**)&crl,
+                                plContext));
+
+			PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString(
+                                (PKIX_PL_Object *)crl,
+                                &crlString,
+                                plContext));
+
+	                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded
+                                (crlString,
+                                PKIX_ESCASCII,
+                                (void **)&asciiResult,
+                                &length,
+                                plContext));
+
+                        printf("CRL[%d]:\n%s\n", i, asciiResult);
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_Free(asciiResult, plContext));
+        		PKIX_TEST_DECREF_BC(crlString);
+                        PKIX_TEST_DECREF_BC(crl);
+                }
+	} else {
+		printf("HttpCertStore returned a NULL CRL list\n");
+	}
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(cert);
+	PKIX_TEST_DECREF_AC(cmdLineCert);
+	PKIX_TEST_DECREF_AC(certStore);
+	PKIX_TEST_DECREF_AC(crlStore);
+	PKIX_TEST_DECREF_AC(location);
+	PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(crl);
+        PKIX_TEST_DECREF_AC(crlString);
+	PKIX_TEST_DECREF_AC(crls);
+
+        PKIX_TEST_RETURN();
+
+        endTests("HttpDefaultClient");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c
new file mode 100644
index 000000000..a2f54aec9
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c
@@ -0,0 +1,664 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_pk11certstore.c
+ *
+ * Test Pk11CertStore Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+
+static void *plContext = NULL;
+
+/*
+ * This function creates a certSelector with ComCertSelParams set up to
+ * select entries whose Subject Name matches that in the given Cert and
+ * whose validity window includes the Date specified by "validityDate".
+ */
+static
+void test_makeSubjectCertSelector(
+        PKIX_PL_Cert *certNameToMatch,
+        PKIX_PL_Date *validityDate,
+        PKIX_CertSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *subjParams = NULL;
+        PKIX_PL_X500Name *subjectName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&subjParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (certNameToMatch, &subjectName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+                (subjParams, subjectName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
+                (subjParams, validityDate, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, subjParams, plContext));
+        *pSelector = selector;
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(subjParams);
+        PKIX_TEST_DECREF_AC(subjectName);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function creates a certSelector with ComCertSelParams set up to
+ * select entries containing a Basic Constraints extension with a path
+ * length of at least the specified "minPathLength".
+ */
+static 
+void test_makePathCertSelector(
+        PKIX_Int32 minPathLength,
+        PKIX_CertSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CertSelector *selector = NULL;
+        PKIX_ComCertSelParams *pathParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
+                (&pathParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
+                (pathParams, minPathLength, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_SetCommonCertSelectorParams
+                (selector, pathParams, plContext));
+        *pSelector = selector;
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(pathParams);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function reads a directory-file cert specified by "desiredSubjectCert",
+ * and decodes the SubjectName. It uses that name to set up the CertSelector
+ * for a Subject Name match, and then queries the database for matching entries.
+ * It is intended to test a "smart" database query.
+ */
+static
+void testMatchCertSubject(
+        char *crlDir,
+        char *desiredSubjectCert,
+        char *expectedAscii,
+        PKIX_PL_Date *validityDate,
+        void *plContext)
+{
+        PKIX_UInt32 numCert = 0;
+        PKIX_PL_Cert *certWithDesiredSubject = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_CertStore_CertCallback getCert = NULL;
+	void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certWithDesiredSubject = createCert
+                (crlDir, desiredSubjectCert, plContext);
+
+        test_makeSubjectCertSelector
+                (certWithDesiredSubject,
+                validityDate,
+                &certSelector,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                (&certStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &getCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(getCert
+                (certStore,
+		certSelector,
+		&nbioContext,
+		&certList,
+		plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (certList, &numCert, plContext));
+
+        if (numCert > 0) {
+                /* List should be immutable */
+                PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem
+                (certList, 0, plContext));
+        }
+
+        if (expectedAscii) {
+                testToStringHelper
+                        ((PKIX_PL_Object *)certList, expectedAscii, plContext);
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(certWithDesiredSubject);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certList);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function uses the minimum path length specified by "minPath" to set up
+ * a CertSelector for a BasicConstraints match, and then queries the database
+ * for matching entries. It is intended to test the case where there
+ * is no "smart" database query, so the database will be asked for all
+ * available certs and the filtering will be done by the interaction of the
+ * certstore and the selector.
+ */
+static 
+void testMatchCertMinPath(
+        PKIX_Int32 minPath,
+        char *expectedAscii,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_CertStore_CertCallback getCert = NULL;
+	void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Searching Certs for minPath");
+
+        test_makePathCertSelector
+                (minPath, &certSelector, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                (&certStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
+                (certStore, &getCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(getCert
+                (certStore,
+		certSelector,
+		&nbioContext,
+		&certList,
+		plContext));
+
+        if (expectedAscii) {
+                testToStringHelper
+                        ((PKIX_PL_Object *)certList, expectedAscii, plContext);
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(certList);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function creates a crlSelector with ComCrlSelParams set up to
+ * select entries whose Issuer Name matches that in the given Crl.
+ */
+static
+void test_makeIssuerCRLSelector(
+        PKIX_PL_CRL *crlNameToMatch,
+        PKIX_CRLSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CRLSelector *selector = NULL;
+        PKIX_ComCRLSelParams *issuerParams = NULL;
+        PKIX_PL_X500Name *issuerName = NULL;
+        PKIX_List *names = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                (&issuerParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer
+                (crlNameToMatch, &issuerName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (names, (PKIX_PL_Object *)issuerName, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames
+                (issuerParams, names, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CRLSelector_SetCommonCRLSelectorParams
+                (selector, issuerParams, plContext));
+        *pSelector = selector;
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(issuerParams);
+        PKIX_TEST_DECREF_AC(issuerName);
+        PKIX_TEST_DECREF_AC(names);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function creates a crlSelector with ComCrlSelParams set up to
+ * select entries that would be valid at the Date specified by the Date
+ * criterion.
+ */
+static 
+void test_makeDateCRLSelector(
+        PKIX_PL_Date *dateToMatch,
+        PKIX_CRLSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CRLSelector *selector = NULL;
+        PKIX_ComCRLSelParams *dateParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
+                (NULL, NULL, &selector, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
+                (&dateParams, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime
+                (dateParams, dateToMatch, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CRLSelector_SetCommonCRLSelectorParams
+                (selector, dateParams, plContext));
+        *pSelector = selector;
+
+cleanup:
+        PKIX_TEST_DECREF_AC(dateParams);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function reads a directory-file crl specified by "desiredIssuerCrl",
+ * and decodes the IssuerName. It uses that name to set up the CrlSelector
+ * for a Issuer Name match, and then queries the database for matching entries.
+ * It is intended to test the case of a "smart" database query.
+ */
+static 
+void testMatchCrlIssuer(
+        char *crlDir,
+        char *desiredIssuerCrl,
+        char *expectedAscii,
+        void *plContext)
+{
+        PKIX_UInt32 numCrl = 0;
+        PKIX_PL_CRL *crlWithDesiredIssuer = NULL;
+        PKIX_CertStore *crlStore = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+        PKIX_List *crlList = NULL;
+        PKIX_CertStore_CRLCallback getCrl = NULL;
+	void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Searching CRLs for matching Issuer");
+
+        crlWithDesiredIssuer = createCRL(crlDir, desiredIssuerCrl, plContext);
+
+        test_makeIssuerCRLSelector
+                (crlWithDesiredIssuer, &crlSelector, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                (&crlStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+                (crlStore, &getCrl, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(getCrl
+                (crlStore,
+		crlSelector,
+                &nbioContext,
+		&crlList,
+		plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (crlList, &numCrl, plContext));
+
+        if (numCrl > 0) {
+                /* List should be immutable */
+                PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem
+                (crlList, 0, plContext));
+        }
+
+        if (expectedAscii) {
+                testToStringHelper
+                        ((PKIX_PL_Object *)crlList, expectedAscii, plContext);
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(crlWithDesiredIssuer);
+        PKIX_TEST_DECREF_AC(crlStore);
+        PKIX_TEST_DECREF_AC(crlSelector);
+        PKIX_TEST_DECREF_AC(crlList);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * This function uses the date specified by "matchDate" to set up the
+ * CrlSelector for a Date match. It is intended to test the case where there
+ * is no "smart" database query, so the CertStore should throw an error
+ * rather than ask the database for all available CRLs and then filter the
+ * results using the selector.
+ */
+static 
+void testMatchCrlDate(
+        char *dateMatch,
+        char *expectedAscii,
+        void *plContext)
+{
+        PKIX_PL_Date *dateCriterion = NULL;
+        PKIX_CertStore *crlStore = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+        PKIX_List *crlList = NULL;
+        PKIX_CertStore_CRLCallback getCrl = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("Searching CRLs for matching Date");
+
+        dateCriterion = createDate(dateMatch, plContext);
+        test_makeDateCRLSelector(dateCriterion, &crlSelector, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
+                (&crlStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
+                (crlStore, &getCrl, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(getCrl
+                (crlStore, crlSelector, NULL, &crlList, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(dateCriterion);
+        PKIX_TEST_DECREF_AC(crlStore);
+        PKIX_TEST_DECREF_AC(crlSelector);
+        PKIX_TEST_DECREF_AC(crlList);
+
+        PKIX_TEST_RETURN();
+}
+
+static 
+void printUsage(char *pName){
+        printf("\nUSAGE: %s <-d data-dir> <database-dir>\n\n", pName);
+}
+
+/* Functional tests for Pk11CertStore public functions */
+
+int test_pk11certstore(int argc, char *argv[]) {
+
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_PL_Date *validityDate = NULL;
+        PKIX_PL_Date *betweenDate = NULL;
+        char *crlDir = NULL;
+        char *expectedProfAscii = "([\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    00ca\n"
+                "\tIssuer:          CN=chemistry,O=mit,C=us\n"
+                "\tSubject:         CN=prof noall,O=mit,C=us\n"
+                "\tValidity: [From: Fri Feb 11 14:14:06 2005\n"
+                "\t           To:   Mon Jan 18, 2105]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(6)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ", [\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    03\n"
+                "\tIssuer:          CN=physics,O=mit,C=us\n"
+                "\tSubject:         CN=prof noall,O=mit,C=us\n"
+                "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
+                "\t           To:   Mon Jan 18, 2105]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ")";
+        char *expectedValidityAscii = "([\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    03\n"
+                "\tIssuer:          CN=physics,O=mit,C=us\n"
+                "\tSubject:         CN=prof noall,O=mit,C=us\n"
+                "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
+                "\t           To:   Mon Jan 18, 2105]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ")";
+        char *expectedMinPathAscii = "([\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    01\n"
+                "\tIssuer:          CN=science,O=mit,C=us\n"
+                "\tSubject:         CN=science,O=mit,C=us\n"
+                "\tValidity: [From: Fri Feb 11 12:47:58 2005\n"
+                "\t           To:   Mon Jan 18, 2105]\n"
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(10)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "]\n"
+                ")";
+        char *expectedIssuerAscii = "([\n"
+                "\tVersion:         v2\n"
+                "\tIssuer:          CN=physics,O=mit,C=us\n"
+                "\tUpdate:   [Last: Fri Feb 11 13:51:38 2005\n"
+                "\t           Next: Mon Jan 18, 2105]\n"
+                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
+                "\tCRL Number     : (null)\n"
+                "\n"
+                "\tEntry List:      (\n"
+                "\t[\n"
+                "\tSerialNumber:    67\n"
+                "\tReasonCode:      257\n"
+                "\tRevocationDate:  Fri Feb 11 13:51:38 2005\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n"
+                "\t)\n"
+                "\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "]\n"
+                ")";
+        char *expectedDateAscii = "([\n"
+                "\tVersion:         v2\n"
+                "\tIssuer:          CN=science,O=mit,C=us\n"
+                "\tUpdate:   [Last: Fri Feb 11 13:34:40 2005\n"
+                "\t           Next: Mon Jan 18, 2105]\n"
+                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
+                "\tCRL Number     : (null)\n"
+                "\n"
+                "\tEntry List:      (\n"
+                "\t[\n"
+                "\tSerialNumber:    65\n"
+                "\tReasonCode:      260\n"
+                "\tRevocationDate:  Fri Feb 11 13:34:40 2005\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n"
+                "\t)\n"
+                "\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "]\n"
+                ", [\n"
+                "\tVersion:         v2\n"
+                "\tIssuer:          CN=testing CRL,O=test,C=us\n"
+                "\tUpdate:   [Last: Fri Feb 11 13:14:38 2005\n"
+                "\t           Next: Mon Jan 18, 2105]\n"
+                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
+                "\tCRL Number     : (null)\n"
+                "\n"
+                "\tEntry List:      (\n"
+                "\t[\n"
+                "\tSerialNumber:    67\n"
+                "\tReasonCode:      258\n"
+                "\tRevocationDate:  Fri Feb 11 13:14:38 2005\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n"
+                "\t)\n"
+                "\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "]\n"
+                ")";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Pk11CertStore");
+
+        if (argc < 3) {
+                printUsage(argv[0]);
+                return (0);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        crlDir = argv[j+2];
+
+        /* Two certs for prof should be valid now */
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
+                (PR_Now(), &validityDate, plContext));
+
+        subTest("Searching Certs for Subject");
+
+        testMatchCertSubject
+                (crlDir,
+                "phy2prof.crt",
+                NULL, /* expectedProfAscii, */
+                validityDate,
+                plContext);
+
+        /* One of the certs was not yet valid at this time. */
+        betweenDate = createDate("050210184000Z", plContext);
+
+        subTest("Searching Certs for Subject and Validity");
+
+        testMatchCertSubject
+                (crlDir,
+                "phy2prof.crt",
+                NULL, /* expectedValidityAscii, */
+                betweenDate,
+                plContext);
+
+        testMatchCertMinPath
+                (9,
+                NULL, /* expectedMinPathAscii, */
+        	plContext);
+
+        testMatchCrlIssuer
+                (crlDir,
+                "phys.crl",
+                NULL, /* expectedIssuerAscii, */
+                plContext);
+
+        testMatchCrlDate
+                ("050211184000Z",
+                NULL, /* expectedDateAscii, */
+                plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(validityDate);
+        PKIX_TEST_DECREF_AC(betweenDate);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Pk11CertStore");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c b/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
new file mode 100644
index 000000000..8e25c144b
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
@@ -0,0 +1,600 @@
+/*
+ * test_socket.c
+ *
+ * Test Socket Type
+ *
+ * Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   1. Redistribution of source code must retain the above copyright notice,
+ *      this list of conditions and the following disclaimer.
+ *
+ *   2. Redistribution in binary form must reproduce the above copyright
+ *      notice, this list of conditions and the following disclaimer in the
+ *      documentation and/or other materials provided with the distribution.
+ *
+ * Neither the name of Sun Microsystems, Inc. or the names of contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * This software is provided "AS IS," without a warranty of any kind. ALL
+ * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
+ * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+ * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
+ * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
+ * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
+ * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
+ * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
+ * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
+ * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
+ * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ *
+ * You acknowledge that this software is not designed or intended for use in
+ * the design, construction, operation or maintenance of any nuclear facility.
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+#include "pkix_pl_common.h"
+
+#define LDAP_PORT 389
+
+static void *plContext = NULL;
+
+typedef enum {
+        SERVER_LISTENING,
+        SERVER_RECV1,
+        SERVER_POLL1,
+        SERVER_SEND2,
+        SERVER_POLL2,
+        SERVER_RECV3,
+        SERVER_POLL3,
+        SERVER_SEND4,
+        SERVER_POLL4,
+        SERVER_DONE,
+        SERVER_FAILED
+} SERVER_STATE;
+
+typedef enum {
+        CLIENT_WAITFORCONNECT,
+        CLIENT_SEND1,
+        CLIENT_POLL1,
+        CLIENT_RECV2,
+        CLIENT_POLL2,
+        CLIENT_SEND3,
+        CLIENT_POLL3,
+        CLIENT_RECV4,
+        CLIENT_POLL4,
+        CLIENT_DONE,
+        CLIENT_FAILED
+} CLIENT_STATE;
+
+SERVER_STATE serverState;
+CLIENT_STATE clientState;
+PKIX_PL_Socket *sSock = NULL;
+PKIX_PL_Socket *cSock = NULL;
+PKIX_PL_Socket *rendezvousSock = NULL;
+PKIX_PL_Socket_Callback *sCallbackList;
+PKIX_PL_Socket_Callback *cCallbackList;
+PKIX_PL_Socket_Callback *rvCallbackList;
+PRNetAddr serverNetAddr;
+PRNetAddr clientNetAddr;
+PRIntn backlog = 0;
+PRIntervalTime timeout = 0;
+char *sendBuf1 = "Hello, world!";
+char *sendBuf2 = "Ack";
+char *sendBuf3 = "What do you mean, \"Ack\"?";
+char *sendBuf4 = "What do you mean, \"What do you mean, \'Ack\'?\"?";
+char rcvBuf1[100];
+char rcvBuf2[100];
+
+static 
+void printUsage(char *testname) 
+{
+        char *fmt = "USAGE: %s [-arenas] server:port\n";
+        printf(fmt, testname);
+}
+
+/* Functional tests for Socket public functions */
+static 
+void do_other_work(void) 
+{ /* while waiting for nonblocking I/O to complete */
+        (void) PR_Sleep(2*60);
+}
+
+static 
+PKIX_Boolean server()
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_Boolean keepGoing = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        switch (serverState) {
+        case SERVER_LISTENING:
+                subTest("SERVER_LISTENING");
+                PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->acceptCallback
+                        (sSock, &rendezvousSock, plContext));
+                if (rendezvousSock) {
+                        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
+                                (rendezvousSock, &rvCallbackList, plContext));
+
+                        serverState = SERVER_RECV1;
+                }
+                break;
+        case SERVER_RECV1:
+                subTest("SERVER_RECV1");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->recvCallback
+                        (rendezvousSock,
+                        rcvBuf1,
+                        sizeof(rcvBuf1),
+                        &bytesRead,
+                        plContext));
+
+                if (bytesRead > 0) {
+                        /* confirm that rcvBuf1 = sendBuf1 */
+                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf1) + 1) ||
+                            (strncmp(sendBuf1, rcvBuf1, bytesRead) != 0)) {
+                                testError("Receive buffer mismatch\n");
+                        }
+
+                        serverState = SERVER_SEND2;
+                        keepGoing = PKIX_TRUE;
+                } else {
+                        serverState = SERVER_POLL1;
+                }
+                break;
+        case SERVER_POLL1:
+                subTest("SERVER_POLL1");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
+                        (rendezvousSock, NULL, &bytesRead, plContext));
+
+                if (bytesRead > 0) {
+                        /* confirm that rcvBuf1 = sendBuf1 */
+                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf1) + 1) ||
+                            (strncmp(sendBuf1, rcvBuf1, bytesRead) != 0)) {
+                                testError("Receive buffer mismatch\n");
+                        }
+
+                        serverState = SERVER_SEND2;
+                        keepGoing = PKIX_TRUE;
+                }
+                break;
+        case SERVER_SEND2:
+                subTest("SERVER_SEND2");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->sendCallback
+                        (rendezvousSock,
+                        sendBuf2,
+                        strlen(sendBuf2) + 1,
+                        &bytesWritten,
+                        plContext));
+                if (bytesWritten > 0) {
+                        serverState = SERVER_RECV3;
+                } else {
+                        serverState = SERVER_POLL2;
+                }
+                break;
+        case SERVER_POLL2:
+                subTest("SERVER_POLL2");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
+                        (rendezvousSock, &bytesWritten, NULL, plContext));
+                if (bytesWritten > 0) {
+                        serverState = SERVER_RECV3;
+                }
+                break;
+        case SERVER_RECV3:
+                subTest("SERVER_RECV3");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->recvCallback
+                        (rendezvousSock,
+                        rcvBuf1,
+                        sizeof(rcvBuf1),
+                        &bytesRead,
+                        plContext));
+
+                if (bytesRead > 0) {
+                        serverState = SERVER_SEND4;
+                        keepGoing = PKIX_TRUE;
+                } else {
+                        serverState = SERVER_POLL3;
+                }
+                break;
+        case SERVER_POLL3:
+                subTest("SERVER_POLL3");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
+                        (rendezvousSock, NULL, &bytesRead, plContext));
+                if (bytesRead > 0) {
+                        serverState = SERVER_SEND4;
+                        keepGoing = PKIX_TRUE;
+                }
+                break;
+        case SERVER_SEND4:
+                subTest("SERVER_SEND4");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->sendCallback
+                        (rendezvousSock,
+                        sendBuf4,
+                        strlen(sendBuf4) + 1,
+                        &bytesWritten,
+                        plContext));
+
+                if (bytesWritten > 0) {
+                        PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->shutdownCallback
+                                (rendezvousSock, plContext));
+                        PKIX_TEST_DECREF_BC(sSock);
+                        PKIX_TEST_DECREF_BC(rendezvousSock);
+                        serverState = SERVER_DONE;
+                } else {
+                        serverState = SERVER_POLL4;
+                }
+                break;
+        case SERVER_POLL4:
+                subTest("SERVER_POLL4");
+                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
+                        (rendezvousSock, &bytesWritten, NULL, plContext));
+                if (bytesWritten > 0) {
+                        PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->shutdownCallback
+                                (rendezvousSock, plContext));
+                        PKIX_TEST_DECREF_BC(sSock);
+                        PKIX_TEST_DECREF_BC(rendezvousSock);
+                        serverState = SERVER_DONE;
+                }
+                break;
+        case SERVER_DONE:
+        default:
+                subTest("SERVER_DONE");
+                break;
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (keepGoing);
+}
+
+static 
+PKIX_Boolean client() 
+{
+        PKIX_Boolean keepGoing = PKIX_FALSE;
+        PKIX_Int32 bytesRead = 0;
+        PKIX_Int32 bytesWritten = 0;
+        PRErrorCode cStat = 0;
+
+        /* At 2 seconds each cycle, this should suffice! */
+        PKIX_UInt32 giveUpCount = 10;
+
+        PKIX_TEST_STD_VARS();
+
+        switch (clientState) {
+        case CLIENT_WAITFORCONNECT:
+                subTest("CLIENT_WAITFORCONNECT");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->connectcontinueCallback
+                        (cSock, &cStat, plContext));
+                if (cStat == 0) {
+                        clientState = CLIENT_SEND1;
+                        keepGoing = PKIX_TRUE;
+                } else {
+                    clientState = CLIENT_WAITFORCONNECT;
+                    if (--giveUpCount == 0) {
+                        testError("Client unable to connect");
+                    }
+                }
+                break;
+        case CLIENT_SEND1:
+                subTest("CLIENT_SEND1");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->sendCallback
+                        (cSock,
+                        sendBuf1,
+                        strlen(sendBuf1) + 1,
+                        &bytesWritten,
+                        plContext));
+                if (bytesWritten > 0) {
+                        clientState = CLIENT_RECV2;
+                } else {
+                        clientState = CLIENT_POLL1;
+                }
+                break;
+        case CLIENT_POLL1:
+                subTest("CLIENT_POLL1");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
+                        (cSock, &bytesWritten, NULL, plContext));
+                if (bytesWritten > 0) {
+                        clientState = CLIENT_RECV2;
+                } else {
+                        clientState = CLIENT_POLL1;
+                }
+                break;
+        case CLIENT_RECV2:
+                subTest("CLIENT_RECV2");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->recvCallback
+                        (cSock,
+                        rcvBuf2,
+                        sizeof(rcvBuf2),
+                        &bytesRead,
+                        plContext));
+
+                if (bytesRead > 0) {
+                        /* confirm that rcvBuf2 = sendBuf2 */
+                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf2) + 1) ||
+                            (strncmp(sendBuf2, rcvBuf2, bytesRead) != 0)) {
+                                testError("Receive buffer mismatch\n");
+                        }
+                        clientState = CLIENT_SEND3;
+                        keepGoing = PKIX_TRUE;
+                } else {
+                        clientState = CLIENT_POLL2;
+                }
+                break;
+        case CLIENT_POLL2:
+                subTest("CLIENT_POLL2");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
+                        (cSock, NULL, &bytesRead, plContext));
+                if (bytesRead > 0) {
+                        /* confirm that rcvBuf2 = sendBuf2 */
+                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf2) + 1) ||
+                            (strncmp(sendBuf2, rcvBuf2, bytesRead) != 0)) {
+                                testError("Receive buffer mismatch\n");
+                        }
+                        clientState = CLIENT_SEND3;
+                } else {
+                        clientState = CLIENT_POLL2;
+                }
+                break;
+        case CLIENT_SEND3:
+                subTest("CLIENT_SEND3");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->sendCallback
+                        (cSock,
+                        sendBuf3,
+                        strlen(sendBuf3) + 1,
+                        &bytesWritten,
+                        plContext));
+
+                if (bytesWritten > 0) {
+                        clientState = CLIENT_RECV4;
+                } else {
+                        clientState = CLIENT_POLL3;
+                }
+                break;
+        case CLIENT_POLL3:
+                subTest("CLIENT_POLL3");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
+                        (cSock, &bytesWritten, NULL, plContext));
+                if (bytesWritten > 0) {
+                        clientState = CLIENT_RECV4;
+                } else {
+                        clientState = CLIENT_POLL3;
+                }
+                break;
+        case CLIENT_RECV4:
+                subTest("CLIENT_RECV4");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->recvCallback
+                        (cSock,
+                        rcvBuf2,
+                        sizeof(rcvBuf2),
+                        &bytesRead,
+                        plContext));
+
+                if (bytesRead > 0) {
+                        PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->shutdownCallback
+                                (cSock, plContext));
+                        PKIX_TEST_DECREF_BC(cSock);
+                        clientState = CLIENT_DONE;
+                } else {
+                        clientState = CLIENT_POLL4;
+                }
+                break;
+        case CLIENT_POLL4:
+                subTest("CLIENT_POLL4");
+                clientState = CLIENT_FAILED;
+                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
+                        (cSock, NULL, &bytesRead, plContext));
+                if (bytesRead > 0) {
+                        PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->shutdownCallback
+                                (cSock, plContext));
+                        PKIX_TEST_DECREF_BC(cSock);
+                        clientState = CLIENT_DONE;
+                } else {
+                    clientState = CLIENT_POLL4;
+                }
+                break;
+        case CLIENT_DONE:
+        default:
+                subTest("CLIENT_DONE");
+                break;
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (keepGoing);
+}
+
+static
+void dispatcher()
+{
+        PKIX_Boolean keepGoing = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        do {
+                if (serverState < SERVER_DONE) {
+                        do {
+                                keepGoing = server();
+                        } while (keepGoing == PKIX_TRUE);
+                }
+                if (clientState < CLIENT_DONE) {
+                        do {
+                                keepGoing = client();
+                        } while (keepGoing == PKIX_TRUE);
+                }
+                do_other_work();
+        
+        } while ((serverState < SERVER_DONE) || (clientState < CLIENT_DONE));
+
+        PKIX_TEST_RETURN();
+}
+
+int test_socket(int argc, char *argv[]) 
+{
+
+        int j = 0;
+        PKIX_UInt32 actualMinorVersion;
+        char buf[PR_NETDB_BUF_SIZE];
+        char *serverName = NULL;
+        char *sepPtr = NULL;
+        PRHostEnt hostent;
+        PRUint16 portNum = 0;
+        PRStatus prstatus = PR_FAILURE;
+        PRErrorCode cStat = 0;
+        void *ipaddr = NULL;
+        PKIX_Error *bindError = NULL;
+        PRIntn hostenum;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Socket");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc != (j + 2)) {
+                printUsage(argv[0]);
+                pkixTestErrorMsg = "Missing command line argument.";
+                goto cleanup;
+        }
+
+        serverName = argv[j + 1];
+
+        subTest("Using pkix_pl_Socket_CreateByName");
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_CreateByName
+                (PKIX_TRUE, timeout, serverName, &cStat, &sSock, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
+            (sSock, &sCallbackList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->listenCallback
+            (sSock, backlog, plContext));
+
+        serverState = SERVER_LISTENING;
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_CreateByName
+                (PKIX_FALSE, timeout, serverName, &cStat, &cSock, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
+            (cSock, &cCallbackList, plContext));
+
+        if ((timeout == 0) && (cStat == PR_IN_PROGRESS_ERROR)) {
+            clientState = CLIENT_WAITFORCONNECT;
+        } else {
+            clientState = CLIENT_SEND1;
+        }
+
+        dispatcher();
+
+        subTest("Using pkix_pl_Socket_Create");
+
+        sepPtr = strchr(serverName, ':');
+        /* First strip off the portnum, if present, from the end of the name */
+        if (sepPtr) {
+                *sepPtr++ = '\0';
+                portNum = (PRUint16)atoi(sepPtr);
+        } else {
+                portNum = (PRUint16)LDAP_PORT;
+        }
+        /*
+         * The hostname may be a fully-qualified name. Just
+         * use the leftmost component in our lookup.
+         */
+        sepPtr = strchr(serverName, '.');
+        if (sepPtr) {
+                *sepPtr++ = '\0';
+        }
+        prstatus = PR_GetHostByName(serverName, buf, sizeof(buf), &hostent);
+
+        if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
+                printUsage(argv[0]);
+                pkixTestErrorMsg =
+                        "PR_GetHostByName rejects command line argument.";
+                goto cleanup;
+        }
+
+        serverNetAddr.inet.family = PR_AF_INET;
+        serverNetAddr.inet.port = PR_htons(portNum);
+        serverNetAddr.inet.ip = PR_INADDR_ANY;
+
+        hostenum = PR_EnumerateHostEnt(0, &hostent, portNum, &clientNetAddr);
+        if (hostenum == -1) {
+                pkixTestErrorMsg =
+                    "PR_EnumerateHostEnt failed.";
+                goto cleanup;
+        }
+
+        backlog = 5;
+
+        /* timeout = PR_INTERVAL_NO_TIMEOUT; */
+        /* timeout = 0; nonblocking */
+        timeout = 0;
+
+        bindError = pkix_pl_Socket_Create
+            (PKIX_TRUE, timeout, &serverNetAddr, &cStat, &sSock, plContext);
+
+        /* If PR_Bind can't handle INADDR_ANY, try it with the real name */
+        if (bindError) {
+                PKIX_TEST_DECREF_BC(bindError);
+                serverNetAddr.inet.ip = PR_htonl(*(PRUint32 *)ipaddr); 
+
+                PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_Create
+                        (PKIX_TRUE,
+                        timeout,
+                        &serverNetAddr,
+                        &cStat,
+                        &sSock,
+                        plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
+            (sSock, &sCallbackList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->listenCallback
+            (sSock, backlog, plContext));
+
+        serverState = SERVER_LISTENING;
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_Create
+            (PKIX_FALSE, timeout, &clientNetAddr, &cStat, &cSock, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
+            (cSock, &cCallbackList, plContext));
+
+        if ((timeout == 0) && (cStat == PR_IN_PROGRESS_ERROR)) {
+            clientState = CLIENT_WAITFORCONNECT;
+        } else {
+            clientState = CLIENT_SEND1;
+        }
+
+        dispatcher();
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(sSock);
+        PKIX_TEST_DECREF_AC(cSock);
+        PKIX_TEST_DECREF_AC(rendezvousSock);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Socket");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/Makefile b/security/nss/cmd/libpkix/pkix_pl/pki/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn
new file mode 100755
index 000000000..69d2289ff
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn
@@ -0,0 +1,61 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = test_cert.c \
+	test_crl.c \
+	test_crlentry.c \
+	test_date.c \
+	test_generalname.c \
+	test_nameconstraints.c \
+	test_x500name.c \
+	test_authorityinfoaccess.c \
+	test_subjectinfoaccess.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolpki
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c
new file mode 100644
index 000000000..faae34899
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c
@@ -0,0 +1,148 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_authorityinfoaccess.c
+ *
+ * Test Authority InfoAccess Type
+ *
+ */
+
+
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+int test_authorityinfoaccess(int argc, char *argv[]) {
+
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_Cert *certDiff = NULL;
+        PKIX_List *aiaList = NULL;
+        PKIX_List *siaList = NULL;
+        PKIX_PL_InfoAccess *aia = NULL;
+        PKIX_PL_InfoAccess *aiaDup = NULL;
+        PKIX_PL_InfoAccess *aiaDiff = NULL;
+        char *certPathName = NULL;
+        char *dirName = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 size, i;
+        PKIX_UInt32 j = 0;
+        char *expectedAscii = "[method:caIssuers, location:ldap:"
+                "//betty.nist.gov/cn=CA,ou=Basic%20LDAP%20URI%20OU1,"
+                "o=Test%20Certificates,c=US?cACertificate;binary,"
+                "crossCertificatePair;binary]";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("AuthorityInfoAccess");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 5+j) {
+                printf("Usage: %s <test-purpose> <cert> <diff-cert>\n", argv[0]);
+        }
+
+        dirName = argv[2+j];
+        certPathName = argv[3+j];
+
+        subTest("Creating Cert with Authority Info Access");
+        cert = createCert(dirName, certPathName, plContext);
+
+        certPathName = argv[4+j];
+
+        subTest("Creating Cert with Subject Info Access");
+        certDiff = createCert(dirName, certPathName, plContext);
+
+        subTest("Getting Authority Info Access");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
+                (cert, &aiaList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (aiaList, &size, plContext));
+
+        if (size != 1) {
+                pkixTestErrorMsg = "unexpected number of AIA";
+                goto cleanup;
+        }
+ 
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (aiaList, 0, (PKIX_PL_Object **) &aia, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (aiaList, 0, (PKIX_PL_Object **) &aiaDup, plContext));
+
+        subTest("Getting Subject Info Access as difference comparison");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectInfoAccess
+                (certDiff, &siaList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (siaList, &size, plContext));
+
+        if (size != 1) {
+                pkixTestErrorMsg = "unexpected number of AIA";
+                goto cleanup;
+        }
+ 
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (siaList, 0, (PKIX_PL_Object **) &aiaDiff, plContext));
+
+        subTest("Checking: Equal, Hash and ToString");
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (aia, aiaDup, aiaDiff, expectedAscii, InfoAccess, PKIX_FALSE);
+
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(aia);
+        PKIX_TEST_DECREF_AC(aiaDup);
+        PKIX_TEST_DECREF_AC(aiaDiff);
+        PKIX_TEST_DECREF_AC(aiaList);
+        PKIX_TEST_DECREF_AC(siaList);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(certDiff);
+     
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Authorityinfoaccess");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c
new file mode 100644
index 000000000..5d036658d
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c
@@ -0,0 +1,2360 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_cert.c
+ *
+ * Test Cert Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static PKIX_PL_Cert *altNameNoneCert = NULL;
+static PKIX_PL_Cert *altNameOtherCert = NULL;
+static PKIX_PL_Cert *altNameOtherCert_diff = NULL;
+static PKIX_PL_Cert *altNameRfc822Cert = NULL;
+static PKIX_PL_Cert *altNameRfc822Cert_diff = NULL;
+static PKIX_PL_Cert *altNameDnsCert = NULL;
+static PKIX_PL_Cert *altNameDnsCert_diff = NULL;
+static PKIX_PL_Cert *altNameX400Cert = NULL;
+static PKIX_PL_Cert *altNameX400Cert_diff = NULL;
+static PKIX_PL_Cert *altNameDnCert = NULL;
+static PKIX_PL_Cert *altNameDnCert_diff = NULL;
+static PKIX_PL_Cert *altNameEdiCert = NULL;
+static PKIX_PL_Cert *altNameEdiCert_diff = NULL;
+static PKIX_PL_Cert *altNameUriCert = NULL;
+static PKIX_PL_Cert *altNameUriCert_diff = NULL;
+static PKIX_PL_Cert *altNameIpCert = NULL;
+static PKIX_PL_Cert *altNameIpCert_diff = NULL;
+static PKIX_PL_Cert *altNameOidCert = NULL;
+static PKIX_PL_Cert *altNameOidCert_diff = NULL;
+static PKIX_PL_Cert *altNameMultipleCert = NULL;
+
+static void *plContext = NULL;
+
+static void createCerts(
+        char *dataCentralDir,
+        char *goodInput,
+        char *diffInput,
+        PKIX_PL_Cert **goodObject,
+        PKIX_PL_Cert **equalObject,
+        PKIX_PL_Cert **diffObject)
+{
+        subTest("PKIX_PL_Cert_Create <goodObject>");
+        *goodObject = createCert(dataCentralDir, goodInput, plContext);
+
+        subTest("PKIX_PL_Cert_Create <equalObject>");
+        *equalObject = createCert(dataCentralDir, goodInput, plContext);
+
+        subTest("PKIX_PL_Cert_Create <diffObject>");
+        *diffObject = createCert(dataCentralDir, diffInput, plContext);
+}
+
+
+static void
+createCertsWithSubjectAltNames(char *dataCentralDir)
+{
+        subTest("PKIX_PL_Cert_Create <altNameDNS>");
+        altNameDnsCert = createCert
+                (dataCentralDir, "generalName/altNameDnsCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameDNS_diff>");
+        altNameDnsCert_diff = createCert
+                (dataCentralDir, "generalName/altNameDnsCert_diff", plContext);
+
+
+        subTest("PKIX_PL_Cert_Create <altNameRFC822>");
+        altNameRfc822Cert = createCert
+                (dataCentralDir, "generalName/altNameRfc822Cert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameRFC822_diff>");
+        altNameRfc822Cert_diff = createCert
+                (dataCentralDir, "generalName/altNameRfc822Cert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameX400Cert>");
+        altNameX400Cert = createCert
+                (dataCentralDir, "generalName/altNameX400Cert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameX400_diff>");
+        altNameX400Cert_diff = createCert
+                (dataCentralDir, "generalName/altNameX400Cert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameDN>");
+        altNameDnCert = createCert
+                (dataCentralDir, "generalName/altNameDnCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameDN_diff>");
+        altNameDnCert_diff = createCert
+                (dataCentralDir, "generalName/altNameDnCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameEdiCert>");
+        altNameEdiCert = createCert
+                (dataCentralDir, "generalName/altNameEdiCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameEdi_diff>");
+        altNameEdiCert_diff = createCert
+                (dataCentralDir, "generalName/altNameEdiCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameURI>");
+        altNameUriCert = createCert
+                (dataCentralDir, "generalName/altNameUriCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameURI_diff>");
+        altNameUriCert_diff = createCert
+                (dataCentralDir, "generalName/altNameUriCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameIP>");
+        altNameIpCert = createCert
+                (dataCentralDir, "generalName/altNameIpCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameIP_diff>");
+        altNameIpCert_diff = createCert
+                (dataCentralDir, "generalName/altNameIpCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameOID>");
+        altNameOidCert = createCert
+                (dataCentralDir, "generalName/altNameOidCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameOID_diff>");
+        altNameOidCert_diff = createCert
+                (dataCentralDir, "generalName/altNameOidCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameOther>");
+        altNameOtherCert = createCert
+                (dataCentralDir, "generalName/altNameOtherCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameOther_diff>");
+        altNameOtherCert_diff = createCert
+                (dataCentralDir, "generalName/altNameOtherCert_diff", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameNone>");
+        altNameNoneCert = createCert
+                (dataCentralDir, "generalName/altNameNoneCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <altNameMultiple>");
+        altNameMultipleCert = createCert
+                (dataCentralDir, "generalName/altNameRfc822DnsCert", plContext);
+}
+
+static void testGetVersion(
+        PKIX_PL_Cert *goodObject)
+{
+        PKIX_UInt32 goodVersion;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetVersion");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetVersion
+                (goodObject, &goodVersion, plContext));
+
+        if (goodVersion != 2){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", goodVersion);
+                (void) printf("Expected value:\t2\n");
+                goto cleanup;
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void testGetSerialNumber(
+        PKIX_PL_Cert *goodObject,
+        PKIX_PL_Cert *equalObject,
+        PKIX_PL_Cert *diffObject)
+{
+        PKIX_PL_BigInt *goodSN = NULL;
+        PKIX_PL_BigInt *equalSN = NULL;
+        PKIX_PL_BigInt *diffSN = NULL;
+        char *expectedAscii = "37bc66ec";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetSerialNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
+                (goodObject, &goodSN, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
+                (equalObject, &equalSN, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
+                (diffObject, &diffSN, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodSN, equalSN, diffSN, expectedAscii, BigInt, PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodSN);
+        PKIX_TEST_DECREF_AC(equalSN);
+        PKIX_TEST_DECREF_AC(diffSN);
+
+        PKIX_TEST_RETURN();
+}
+
+
+static void testGetSubject(
+        PKIX_PL_Cert *goodObject,
+        PKIX_PL_Cert *equalObject,
+        PKIX_PL_Cert *diffObject)
+{
+        PKIX_PL_X500Name *goodSubject = NULL;
+        PKIX_PL_X500Name *equalSubject = NULL;
+        PKIX_PL_X500Name *diffSubject = NULL;
+        char *expectedAscii = "OU=bcn,OU=east,O=sun,C=us";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetSubject");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (goodObject, &goodSubject, plContext));
+
+        if (!goodSubject){
+                testError("Certificate Subject should not be NULL");
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (equalObject, &equalSubject, plContext));
+
+        if (!equalSubject){
+                testError("Certificate Subject should not be NULL");
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                (diffObject, &diffSubject, plContext));
+
+        if (!diffSubject){
+                testError("Certificate Subject should not be NULL");
+                goto cleanup;
+        }
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodSubject,
+                equalSubject,
+                diffSubject,
+                expectedAscii,
+                X500Name,
+                PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodSubject);
+        PKIX_TEST_DECREF_AC(equalSubject);
+        PKIX_TEST_DECREF_AC(diffSubject);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testGetIssuer(
+        PKIX_PL_Cert *goodObject,
+        PKIX_PL_Cert *equalObject,
+        PKIX_PL_Cert *diffObject)
+{
+        PKIX_PL_X500Name *goodIssuer = NULL;
+        PKIX_PL_X500Name *equalIssuer = NULL;
+        PKIX_PL_X500Name *diffIssuer = NULL;
+        char *expectedAscii = "CN=yassir,OU=bcn,OU=east,O=sun,C=us";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetIssuer");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
+                (goodObject, &goodIssuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
+                (equalObject, &equalIssuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
+                (diffObject, &diffIssuer, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodIssuer,
+                equalIssuer,
+                diffIssuer,
+                expectedAscii,
+                X500Name,
+                PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodIssuer);
+        PKIX_TEST_DECREF_AC(equalIssuer);
+        PKIX_TEST_DECREF_AC(diffIssuer);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testAltNames(
+        PKIX_PL_Cert *goodCert,
+        PKIX_PL_Cert *diffCert,
+        char *expectedAscii)
+{
+        PKIX_List *goodAltNames = NULL;
+        PKIX_List *diffAltNames = NULL;
+        PKIX_PL_GeneralName *goodAltName = NULL;
+        PKIX_PL_GeneralName *diffAltName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
+                                    (goodCert, &goodAltNames, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                (goodAltNames,
+                                0,
+                                (PKIX_PL_Object **)&goodAltName,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
+                                    (diffCert, &diffAltNames, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                                (diffAltNames,
+                                0,
+                                (PKIX_PL_Object **)&diffAltName,
+                                plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodAltName, goodAltName, diffAltName,
+                expectedAscii, GeneralName, PKIX_TRUE);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(goodAltNames);
+        PKIX_TEST_DECREF_AC(goodAltName);
+        PKIX_TEST_DECREF_AC(diffAltNames);
+        PKIX_TEST_DECREF_AC(diffAltName);
+        PKIX_TEST_RETURN();
+}
+
+static void testAltNamesNone(PKIX_PL_Cert *cert){
+
+        PKIX_List *altNames = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
+                                    (cert, &altNames, plContext));
+
+        if (altNames != NULL){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%p\n", (void *)altNames);
+                (void) printf("Expected value:\tNULL\n");
+                goto cleanup;
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(altNames);
+        PKIX_TEST_RETURN();
+
+}
+static void testAltNamesMultiple(){
+        PKIX_List *altNames = NULL;
+        PKIX_PL_GeneralName *firstAltName = NULL;
+        PKIX_Int32 firstExpectedType = PKIX_RFC822_NAME;
+        PKIX_PL_GeneralName *secondAltName = NULL;
+        PKIX_Int32 secondExpectedType = PKIX_DNS_NAME;
+
+
+        char *expectedAscii =
+                "[\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    2d\n"
+                "\tIssuer:          OU=labs,O=sun,C=us\n"
+                "\tSubject:         CN=yassir,OU=labs,O=sun,C=us\n"
+                "\tValidity: [From: Mon Feb 09, 2004\n"
+        /*      "\tValidity: [From: Mon Feb 09 14:43:52 2004\n" */
+                "\t           To:   Mon Feb 09, 2004]\n"
+        /*      "\t           To:   Mon Feb 09 14:43:52 2004]\n" */
+                "\tSubjectAltNames: (yassir@sun.com, sunray.sun.com)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: (null)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "\tAuthorityInfoAccess: (null)\n"
+                "\tSubjectInfoAccess: (null)\n"
+                "\tCacheFlag:       0\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        testToStringHelper
+                ((PKIX_PL_Object *)altNameMultipleCert,
+                expectedAscii,
+                plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
+                (altNameMultipleCert, &altNames, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (altNames, 0, (PKIX_PL_Object **)&firstAltName, plContext));
+
+        if (firstAltName->type != firstExpectedType){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", firstAltName->type);
+                (void) printf("Expected value:\t%d\n", firstExpectedType);
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (altNames, 1, (PKIX_PL_Object **)&secondAltName, plContext));
+
+        if (secondAltName->type != secondExpectedType){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", secondAltName->type);
+                (void) printf("Expected value:\t%d\n", secondExpectedType);
+                goto cleanup;
+        }
+
+cleanup:
+        PKIX_TEST_DECREF_AC(altNames);
+        PKIX_TEST_DECREF_AC(firstAltName);
+        PKIX_TEST_DECREF_AC(secondAltName);
+        PKIX_TEST_RETURN();
+}
+
+static void testGetSubjectAltNames(char *dataCentralDir){
+
+        char *expectedAscii = NULL;
+
+        createCertsWithSubjectAltNames(dataCentralDir);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <DNS>");
+        expectedAscii = "east.sun.com";
+        testAltNames(altNameDnsCert, altNameDnsCert_diff, expectedAscii);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <RFC822>");
+        expectedAscii = "alice.barnes@bcn.east.sun.com";
+        testAltNames(altNameRfc822Cert, altNameRfc822Cert_diff, expectedAscii);
+
+        /*
+         *this should work once bugzilla bug #233586 is fixed.
+         *subTest("PKIX_PL_Cert_GetSubjectAltNames <X400Address>");
+         *expectedAscii = "X400Address: <DER-encoded value>";
+         *testAltNames(altNameX400Cert, altNameX400Cert_diff, expectedAscii);
+         */
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <DN>");
+        expectedAscii = "CN=elley,OU=labs,O=sun,C=us";
+        testAltNames(altNameDnCert, altNameDnCert_diff, expectedAscii);
+
+        /*
+         * this should work once bugzilla bug #233586 is fixed.
+         * subTest("PKIX_PL_Cert_GetSubjectAltNames <EdiPartyName>");
+         * expectedAscii = "EDIPartyName: <DER-encoded value>";
+         * testAltNames(altNameEdiCert, altNameEdiCert_diff, expectedAscii);
+         */
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <URI>");
+        expectedAscii = "http://www.sun.com";
+        testAltNames(altNameUriCert, altNameUriCert_diff, expectedAscii);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <IP>");
+        expectedAscii = "1.2.3.4";
+        testAltNames(altNameIpCert, altNameIpCert_diff, expectedAscii);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <OID>");
+        expectedAscii = "1.2.39";
+        testAltNames(altNameOidCert, altNameOidCert_diff, expectedAscii);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <Other>");
+        expectedAscii = "1.7.26.97";
+        testAltNames(altNameOtherCert, altNameOtherCert_diff, expectedAscii);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <none>");
+        testAltNamesNone(altNameNoneCert);
+
+        subTest("PKIX_PL_Cert_GetSubjectAltNames <Multiple>");
+        testAltNamesMultiple();
+}
+
+static void testGetSubjectPublicKey(
+        PKIX_PL_Cert *goodObject,
+        PKIX_PL_Cert *equalObject,
+        PKIX_PL_Cert *diffObject)
+{
+        PKIX_PL_PublicKey *goodPubKey = NULL;
+        PKIX_PL_PublicKey *equalPubKey = NULL;
+        PKIX_PL_PublicKey *diffPubKey = NULL;
+        char *expectedAscii = "ANSI X9.57 DSA Signature";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (goodObject, &goodPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (equalObject, &equalPubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (diffObject, &diffPubKey, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodPubKey, equalPubKey, diffPubKey,
+                expectedAscii, PublicKey, PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodPubKey);
+        PKIX_TEST_DECREF_AC(equalPubKey);
+        PKIX_TEST_DECREF_AC(diffPubKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testGetSubjectPublicKeyAlgId(PKIX_PL_Cert *goodObject){
+        PKIX_PL_OID *pkixPubKeyOID = NULL;
+        char *expectedAscii = "1.2.840.10040.4.1";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+                (goodObject, &pkixPubKeyOID, plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)pkixPubKeyOID, expectedAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(pkixPubKeyOID);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCritExtensionsPresent(PKIX_PL_Cert *cert)
+{
+        PKIX_List *critOIDList = NULL;
+        char *firstOIDAscii = "2.5.29.15";
+        PKIX_PL_OID *firstOID = NULL;
+        char *secondOIDAscii = "2.5.29.19";
+        PKIX_PL_OID *secondOID = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
+                (cert, &critOIDList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (critOIDList, 0, (PKIX_PL_Object **)&firstOID, plContext));
+        testToStringHelper
+                ((PKIX_PL_Object *)firstOID, firstOIDAscii, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (critOIDList, 1, (PKIX_PL_Object **)&secondOID, plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)secondOID, secondOIDAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(critOIDList);
+        PKIX_TEST_DECREF_AC(firstOID);
+        PKIX_TEST_DECREF_AC(secondOID);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCritExtensionsAbsent(PKIX_PL_Cert *cert)
+{
+        PKIX_List *oidList = NULL;
+        PKIX_Boolean empty;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
+                                    (cert, &oidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_IsEmpty(oidList, &empty, plContext));
+
+        if (!empty){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(oidList);
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testAllExtensionsAbsent(char *dataCentralDir)
+{
+        PKIX_List *oidList = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_Boolean empty;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <noExtensionsCert>");
+        cert = createCert(dataCentralDir, "noExtensionsCert", plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
+                                    (cert, &oidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_IsEmpty(oidList, &empty, plContext));
+
+        if (!empty){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+cleanup:
+        PKIX_TEST_DECREF_AC(oidList);
+        PKIX_TEST_DECREF_AC(cert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetCriticalExtensionOIDs(char *dataCentralDir, PKIX_PL_Cert *goodObject)
+{
+        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
+                "<CritExtensionsPresent>");
+        testCritExtensionsPresent(goodObject);
+
+
+        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
+                "<CritExtensionsAbsent>");
+        testCritExtensionsAbsent(altNameOidCert);
+
+
+        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
+                "<AllExtensionsAbsent>");
+        testAllExtensionsAbsent(dataCentralDir);
+}
+
+static void
+testKeyIdentifiersMatching(char *dataCentralDir)
+{
+        PKIX_PL_Cert *subjKeyIDCert = NULL;
+        PKIX_PL_Cert *authKeyIDCert = NULL;
+        PKIX_PL_ByteArray *subjKeyID = NULL;
+        PKIX_PL_ByteArray *authKeyID = NULL;
+        PKIX_PL_ByteArray *subjKeyID_diff = NULL;
+
+        char *expectedAscii =
+                "[116, 021, 213, 036, 028, 189, 094, 101, 136, 031, 225,"
+                " 139, 009, 126, 127, 234, 025, 072, 078, 097]";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <subjKeyIDCert>");
+        subjKeyIDCert = createCert
+                (dataCentralDir, "keyIdentifier/subjKeyIDCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <authKeyIDCert>");
+        authKeyIDCert = createCert
+                (dataCentralDir, "keyIdentifier/authKeyIDCert", plContext);
+
+        subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier <good>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
+                                    (subjKeyIDCert, &subjKeyID, plContext));
+
+        subTest("PKIX_PL_Cert_GetAuthorityKeyIdentifier <equal>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+                                    (authKeyIDCert, &authKeyID, plContext));
+
+        subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier <diff>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectKeyIdentifier
+                (authKeyIDCert, &subjKeyID_diff, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+            (subjKeyID,
+            authKeyID,
+            subjKeyID_diff,
+            expectedAscii,
+            ByteArray,
+            PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(subjKeyIDCert);
+        PKIX_TEST_DECREF_AC(authKeyIDCert);
+        PKIX_TEST_DECREF_AC(subjKeyID);
+        PKIX_TEST_DECREF_AC(authKeyID);
+        PKIX_TEST_DECREF_AC(subjKeyID_diff);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testKeyIdentifierAbsent(PKIX_PL_Cert *cert)
+{
+        PKIX_PL_ByteArray *subjKeyID = NULL;
+        PKIX_PL_ByteArray *authKeyID = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
+                                    (cert, &subjKeyID, plContext));
+
+        if (subjKeyID != NULL){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+                                    (cert, &authKeyID, plContext));
+
+        if (authKeyID != NULL){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(subjKeyID);
+        PKIX_TEST_DECREF_AC(authKeyID);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetKeyIdentifiers(char *dataCentralDir, PKIX_PL_Cert *goodObject)
+{
+        testKeyIdentifiersMatching(dataCentralDir);
+        testKeyIdentifierAbsent(goodObject);
+}
+
+static void
+testVerifyKeyUsage(
+        char *dataCentralDir,
+        char *dataDir,
+        PKIX_PL_Cert *multiKeyUsagesCert)
+{
+        PKIX_PL_Cert *encipherOnlyCert = NULL;
+        PKIX_PL_Cert *decipherOnlyCert = NULL;
+        PKIX_PL_Cert *noKeyUsagesCert = NULL;
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <encipherOnlyCert>");
+        encipherOnlyCert = createCert
+                (dataCentralDir, "keyUsage/encipherOnlyCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <decipherOnlyCert>");
+        decipherOnlyCert = createCert
+                (dataCentralDir, "keyUsage/decipherOnlyCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <noKeyUsagesCert>");
+        noKeyUsagesCert = createCert
+                (dataCentralDir, "keyUsage/noKeyUsagesCert", plContext);
+
+        subTest("PKIX_PL_Cert_VerifyKeyUsage <key_cert_sign>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_VerifyKeyUsage
+                (multiKeyUsagesCert, PKIX_KEY_CERT_SIGN, plContext));
+
+        subTest("PKIX_PL_Cert_VerifyKeyUsage <multiKeyUsages>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage
+                                (multiKeyUsagesCert,
+                                PKIX_KEY_CERT_SIGN | PKIX_DIGITAL_SIGNATURE,
+                                plContext));
+
+        subTest("PKIX_PL_Cert_VerifyKeyUsage <encipher_only>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_VerifyKeyUsage
+                (encipherOnlyCert, PKIX_ENCIPHER_ONLY, plContext));
+
+        subTest("PKIX_PL_Cert_VerifyKeyUsage <noKeyUsages>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_VerifyKeyUsage
+                (noKeyUsagesCert, PKIX_ENCIPHER_ONLY, plContext));
+
+        subTest("PKIX_PL_Cert_VerifyKeyUsage <decipher_only>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_Cert_VerifyKeyUsage
+                (decipherOnlyCert, PKIX_DECIPHER_ONLY, plContext));
+
+cleanup:
+        PKIX_TEST_DECREF_AC(encipherOnlyCert);
+        PKIX_TEST_DECREF_AC(decipherOnlyCert);
+        PKIX_TEST_DECREF_AC(noKeyUsagesCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetExtendedKeyUsage(char *dataCentralDir)
+{
+
+        PKIX_PL_Cert *codeSigningEKUCert = NULL;
+        PKIX_PL_Cert *multiEKUCert = NULL;
+        PKIX_PL_Cert *noEKUCert = NULL;
+        PKIX_List *firstExtKeyUsage = NULL;
+        PKIX_List *secondExtKeyUsage = NULL;
+        PKIX_List *thirdExtKeyUsage = NULL;
+        PKIX_PL_OID *firstOID = NULL;
+        char *oidAscii = "1.3.6.1.5.5.7.3.3";
+        PKIX_PL_OID *secondOID = NULL;
+        char *secondOIDAscii = "1.3.6.1.5.5.7.3.1";
+        PKIX_PL_OID *thirdOID = NULL;
+        char *thirdOIDAscii = "1.3.6.1.5.5.7.3.2";
+        PKIX_PL_OID *fourthOID = NULL;
+        PKIX_UInt32 length = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <codeSigningEKUCert>");
+        codeSigningEKUCert = createCert
+                (dataCentralDir, "extKeyUsage/codeSigningEKUCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <multiEKUCert>");
+        multiEKUCert = createCert
+                (dataCentralDir, "extKeyUsage/multiEKUCert", plContext);
+
+        subTest("PKIX_PL_Cert_Create <noEKUCert>");
+        noEKUCert = createCert
+                (dataCentralDir, "extKeyUsage/noEKUCert", plContext);
+
+        subTest("PKIX_PL_Cert_ExtendedKeyUsage <codeSigningEKU>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
+                (codeSigningEKUCert, &firstExtKeyUsage, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (firstExtKeyUsage, 0, (PKIX_PL_Object **)&firstOID, plContext));
+        testToStringHelper((PKIX_PL_Object *)firstOID, oidAscii, plContext);
+
+        subTest("PKIX_PL_Cert_ExtendedKeyUsage <multiEKU>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
+                (multiEKUCert, &secondExtKeyUsage, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (secondExtKeyUsage, &length, plContext));
+
+        if (length != 3){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", length);
+                (void) printf("Expected value:\t3\n");
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (secondExtKeyUsage,
+                0,
+                (PKIX_PL_Object **)&secondOID,
+                plContext));
+
+        testToStringHelper((PKIX_PL_Object *)secondOID, oidAscii, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (secondExtKeyUsage,
+                1,
+                (PKIX_PL_Object **)&thirdOID,
+                plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)thirdOID, secondOIDAscii, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (secondExtKeyUsage,
+                2,
+                (PKIX_PL_Object **)&fourthOID,
+                plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)fourthOID, thirdOIDAscii, plContext);
+
+        subTest("PKIX_PL_Cert_ExtendedKeyUsage <noEKU>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
+                (noEKUCert, &thirdExtKeyUsage, plContext));
+
+        if (thirdExtKeyUsage != NULL){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%p\n", (void *)thirdExtKeyUsage);
+                (void) printf("Expected value:\tNULL\n");
+                goto cleanup;
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstOID);
+        PKIX_TEST_DECREF_AC(secondOID);
+        PKIX_TEST_DECREF_AC(thirdOID);
+        PKIX_TEST_DECREF_AC(fourthOID);
+
+        PKIX_TEST_DECREF_AC(firstExtKeyUsage);
+        PKIX_TEST_DECREF_AC(secondExtKeyUsage);
+        PKIX_TEST_DECREF_AC(thirdExtKeyUsage);
+
+        PKIX_TEST_DECREF_AC(codeSigningEKUCert);
+        PKIX_TEST_DECREF_AC(multiEKUCert);
+        PKIX_TEST_DECREF_AC(noEKUCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testMakeInheritedDSAPublicKey(char *dataCentralDir){
+        PKIX_PL_PublicKey *firstKey = NULL;
+        PKIX_PL_PublicKey *secondKey = NULL;
+        PKIX_PL_PublicKey *resultKeyPositive = NULL;
+        PKIX_PL_PublicKey *resultKeyNegative = NULL;
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <dsaWithoutParams>");
+        firstCert = createCert
+                (dataCentralDir, "publicKey/dsaWithoutParams", plContext);
+
+        subTest("PKIX_PL_Cert_Create <dsaWithParams>");
+        secondCert = createCert
+                (dataCentralDir, "publicKey/dsaWithParams", plContext);
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <firstKey>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKey
+                (firstCert, &firstKey, plContext));
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <secondKey>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                (secondCert, &secondKey, plContext));
+
+        subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey <positive>");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+                (firstKey, secondKey, &resultKeyPositive, plContext));
+
+        if (resultKeyPositive == NULL){
+                testError("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed");
+        }
+
+        subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey <negative>");
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+                (firstKey, firstKey, &resultKeyNegative, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstCert);
+        PKIX_TEST_DECREF_AC(secondCert);
+
+        PKIX_TEST_DECREF_AC(firstKey);
+        PKIX_TEST_DECREF_AC(secondKey);
+        PKIX_TEST_DECREF_AC(resultKeyPositive);
+        PKIX_TEST_DECREF_AC(resultKeyNegative);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testVerifySignature(char *dataCentralDir){
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+        PKIX_PL_PublicKey *firstPubKey = NULL;
+        PKIX_PL_PublicKey *secondPubKey = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <labs2yassir>");
+        firstCert = createCert(dataCentralDir, "publicKey/labs2yassir", plContext);
+
+        subTest("PKIX_PL_Cert_Create <yassir2labs>");
+        secondCert = createCert(dataCentralDir, "publicKey/yassir2labs", plContext);
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <labs2yassir>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKey
+                (firstCert, &firstPubKey, plContext));
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <yassir2labs>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKey
+                (secondCert, &secondPubKey, plContext));
+
+        subTest("PKIX_PL_Cert_VerifySignature <positive>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_VerifySignature
+                (secondCert, firstPubKey, plContext));
+
+        subTest("PKIX_PL_Cert_VerifySignature <negative>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_Cert_VerifySignature
+                (secondCert, secondPubKey, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstCert);
+        PKIX_TEST_DECREF_AC(secondCert);
+        PKIX_TEST_DECREF_AC(firstPubKey);
+        PKIX_TEST_DECREF_AC(secondPubKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCheckValidity(
+        PKIX_PL_Cert *olderCert,
+        PKIX_PL_Cert *newerCert)
+{
+        /*
+         * olderCert has the following Validity:
+         *  notBefore = August 19, 1999: 20:19:56 GMT
+         *  notAfter  = August 18, 2000: 20:19:56 GMT
+         *
+         * newerCert has the following Validity:
+         *  notBefore = November 13, 2003: 16:46:03 GMT
+         *  notAfter  = February 13, 2009: 16:46:03 GMT
+         */
+
+        /*  olderDateAscii = March    29, 2000: 13:48:47 GMT */
+        char *olderAscii = "000329134847Z";
+        PKIX_PL_String *olderString = NULL;
+        PKIX_PL_Date *olderDate = NULL;
+
+        /*  newerDateAscii = March    29, 2004: 13:48:47 GMT */
+        char *newerAscii = "040329134847Z";
+        PKIX_PL_String *newerString = NULL;
+        PKIX_PL_Date *newerDate = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_CheckValidity <creating Dates>");
+
+        /* create newer date when newer cert is valid but older cert is not */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+            (PKIX_ESCASCII, newerAscii, 0, &newerString, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Date_Create_UTCTime
+                (newerString, &newerDate, plContext));
+
+        /* create older date when older cert is valid but newer cert is not */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+            (PKIX_ESCASCII, olderAscii, 0, &olderString, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Date_Create_UTCTime
+                (olderString, &olderDate, plContext));
+
+        /* check validity of both certificates using olderDate */
+        subTest("PKIX_PL_Cert_CheckValidity <olderDate:positive>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_CheckValidity(olderCert, olderDate, plContext));
+
+        subTest("PKIX_PL_Cert_CheckValidity <olderDate:negative>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_Cert_CheckValidity(newerCert, olderDate, plContext));
+
+        /* check validity of both certificates using newerDate */
+        subTest("PKIX_PL_Cert_CheckValidity <newerDate:positive>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_CheckValidity(newerCert, newerDate, plContext));
+
+        subTest("PKIX_PL_Cert_CheckValidity <newerDate:negative>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_Cert_CheckValidity(olderCert, newerDate, plContext));
+
+        /*
+         * check validity of both certificates using current time
+         * NOTE: these "now" tests will not work when the current
+         * time is after newerCert.notAfter (~ February 13, 2009)
+         */
+        subTest("PKIX_PL_Cert_CheckValidity <now:positive>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_CheckValidity(newerCert, NULL, plContext));
+
+        subTest("PKIX_PL_Cert_CheckValidity <now:negative>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_Cert_CheckValidity(olderCert, NULL, plContext));
+
+cleanup:
+        PKIX_TEST_DECREF_AC(olderString);
+        PKIX_TEST_DECREF_AC(newerString);
+        PKIX_TEST_DECREF_AC(olderDate);
+        PKIX_TEST_DECREF_AC(newerDate);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+readCertBasicConstraints(
+        char *dataDir,
+        char *goodCertName,
+        char *diffCertName,
+        PKIX_PL_CertBasicConstraints **goodBasicConstraints,
+        PKIX_PL_CertBasicConstraints **equalBasicConstraints,
+        PKIX_PL_CertBasicConstraints **diffBasicConstraints){
+
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        createCerts(dataDir, goodCertName, diffCertName,
+                &goodCert, &equalCert, &diffCert);
+        /*
+         * Warning: pointer will be NULL if BasicConstraints
+         * extension is not present in the certificate. */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
+                (goodCert, goodBasicConstraints, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
+                (equalCert, equalBasicConstraints, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
+                (diffCert, diffBasicConstraints, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testBasicConstraintsHelper(
+        char *dataDir,
+        char *goodCertName,
+        char *diffCertName,
+        char *expectedAscii)
+{
+        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        readCertBasicConstraints
+                (dataDir,
+                goodCertName,
+                diffCertName,
+                &goodBasicConstraints,
+                &equalBasicConstraints,
+                &diffBasicConstraints);
+
+        /*
+         * The standard test macro is applicable only
+         * if BasicConstraint extension is present
+         * in the certificate. Otherwise some
+         * pointers will be null.
+         */
+        if ((goodBasicConstraints) &&
+            (equalBasicConstraints) &&
+            (diffBasicConstraints)) {
+                PKIX_TEST_EQ_HASH_TOSTR_DUP
+                        (goodBasicConstraints,
+                        equalBasicConstraints,
+                        diffBasicConstraints,
+                        expectedAscii,
+                        BasicConstraints,
+                        PKIX_TRUE);
+        } else {
+            /* Test what we can */
+            if (goodBasicConstraints) {
+                if (!equalBasicConstraints) {
+                    testError
+                        ("Unexpected NULL value of equalBasicConstraints");
+                    goto cleanup;
+                }
+                subTest("PKIX_PL_BasicConstraints_Equals   <match>");
+                testEqualsHelper
+                    ((PKIX_PL_Object *)(goodBasicConstraints),
+                    (PKIX_PL_Object *)(equalBasicConstraints),
+                    PKIX_TRUE,
+                    plContext);
+                subTest("PKIX_PL_BasicConstraints_Hashcode <match>");
+                testHashcodeHelper
+                    ((PKIX_PL_Object *)(goodBasicConstraints),
+                    (PKIX_PL_Object *)(equalBasicConstraints),
+                    PKIX_TRUE,
+                    plContext);
+                if (diffBasicConstraints) {
+                    subTest("PKIX_PL_BasicConstraints_Equals   <non-match>");
+                    testEqualsHelper
+                        ((PKIX_PL_Object *)(goodBasicConstraints),
+                        (PKIX_PL_Object *)(diffBasicConstraints),
+                        PKIX_FALSE,
+                        plContext);
+                    subTest("PKIX_PL_BasicConstraints_Hashcode <non-match>");
+                    testHashcodeHelper
+                        ((PKIX_PL_Object *)(goodBasicConstraints),
+                        (PKIX_PL_Object *)(diffBasicConstraints),
+                        PKIX_FALSE,
+                        plContext);
+                }
+                subTest("PKIX_PL_BasicConstraints_Duplicate");
+                testDuplicateHelper
+                        ((PKIX_PL_Object *)goodBasicConstraints, plContext);
+            }
+            if (expectedAscii) {
+                subTest("PKIX_PL_BasicConstraints_ToString");
+                testToStringHelper
+                    ((PKIX_PL_Object *)(goodBasicConstraints),
+                    expectedAscii,
+                    plContext);
+            }
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodBasicConstraints);
+        PKIX_TEST_DECREF_AC(equalBasicConstraints);
+        PKIX_TEST_DECREF_AC(diffBasicConstraints);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testBasicConstraints_GetCAFlag(char *dataCentralDir)
+{
+        /*
+         * XXX  When we have a certificate with a non-null Basic
+         * Constraints field and a value of FALSE for CAFlag,
+         * this test should be modified to use that
+         * certificate for diffCertName, and to verify that
+         * GetCAFlag returns a FALSE value. But our certificates for
+         * non-CAs are created with no BasicConstraints extension.
+         */
+        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
+        char *goodCertName = "yassir2yassir";
+        char *diffCertName = "nss2alice";
+        PKIX_Boolean goodCAFlag = PKIX_FALSE;
+        PKIX_Boolean diffCAFlag = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_BasicConstraints_GetCAFlag");
+
+        readCertBasicConstraints
+                (dataCentralDir,
+                goodCertName,
+                diffCertName,
+                &goodBasicConstraints,
+                &equalBasicConstraints,
+                &diffBasicConstraints);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag
+                (goodBasicConstraints, &goodCAFlag, plContext));
+        if (!goodCAFlag) {
+                testError("BasicConstraint CAFlag unexpectedly FALSE");
+                goto cleanup;
+        }
+
+        if (diffBasicConstraints) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag
+                        (diffBasicConstraints, &diffCAFlag, plContext));
+                if (diffCAFlag) {
+                        testError("BasicConstraint CAFlag unexpectedly TRUE");
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodBasicConstraints);
+        PKIX_TEST_DECREF_AC(equalBasicConstraints);
+        PKIX_TEST_DECREF_AC(diffBasicConstraints);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testBasicConstraints_GetPathLenConstraint(char *dataCentralDir)
+{
+        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
+        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
+        char *goodCertName = "yassir2yassir";
+        char *diffCertName = "sun2sun";
+        PKIX_Int32 goodPathLen = 0;
+        PKIX_Int32 diffPathLen = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_BasicConstraints_GetPathLenConstraint");
+
+        readCertBasicConstraints
+                (dataCentralDir,
+                goodCertName,
+                diffCertName,
+                &goodBasicConstraints,
+                &equalBasicConstraints,
+                &diffBasicConstraints);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_BasicConstraints_GetPathLenConstraint
+                (goodBasicConstraints, &goodPathLen, plContext));
+        if (0 != goodPathLen) {
+                testError("unexpected basicConstraint pathLen");
+                (void) printf("Actual value:\t%d\n", goodPathLen);
+                (void) printf("Expected value:\t0\n");
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_BasicConstraints_GetPathLenConstraint
+                (diffBasicConstraints, &diffPathLen, plContext));
+        if (1 != diffPathLen) {
+                testError("unexpected basicConstraint pathLen");
+                (void) printf("Actual value:\t%d\n", diffPathLen);
+                (void) printf("Expected value:\t1\n");
+                goto cleanup;
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodBasicConstraints);
+        PKIX_TEST_DECREF_AC(equalBasicConstraints);
+        PKIX_TEST_DECREF_AC(diffBasicConstraints);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetBasicConstraints(char *dataCentralDir)
+{
+        char *goodCertName = NULL;
+        char *diffCertName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(0) and non-CA>");
+        goodCertName = "yassir2yassir";
+        diffCertName = "nss2alice";
+        testBasicConstraintsHelper
+                (dataCentralDir, goodCertName, diffCertName, "CA(0)");
+
+        subTest("PKIX_PL_Cert_GetBasicConstraints <non-CA and CA(1)>");
+        goodCertName = "nss2alice";
+        diffCertName = "sun2sun";
+        testBasicConstraintsHelper
+                (dataCentralDir, goodCertName, diffCertName, NULL);
+
+        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(0) and CA(1)>");
+        goodCertName = "yassir2bcn";
+        diffCertName = "sun2sun";
+        testBasicConstraintsHelper
+                (dataCentralDir, goodCertName, diffCertName, "CA(0)");
+
+        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(-1) and CA(1)>");
+        goodCertName = "anchor2dsa";
+        diffCertName = "sun2sun";
+        testBasicConstraintsHelper
+                (dataCentralDir, goodCertName, diffCertName, "CA(-1)");
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetPolicyInformation(char *dataDir)
+{
+
+        char *goodCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *equalCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *diffCertName =
+                "UserNoticeQualifierTest17EE.crt";
+        PKIX_Boolean isImmutable = PKIX_FALSE;
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_List* goodPolicyInfo = NULL;
+        PKIX_List* equalPolicyInfo = NULL;
+        PKIX_List* diffPolicyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_Cert_GetPolicyInformation");
+
+        /*
+         * Get the cert, then the list of policyInfos.
+         * Take the first policyInfo from the list.
+         */
+
+        /* Get the PolicyInfo objects */
+        goodCert = createCert(dataDir, goodCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (goodCert, &goodPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
+
+        equalCert = createCert(dataDir, equalCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (equalCert, &equalPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (equalPolicyInfo,
+                0,
+                (PKIX_PL_Object **)&equalPolicy,
+                plContext));
+
+        diffCert = createCert(dataDir, diffCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &diffPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodPolicy,
+                equalPolicy,
+                diffPolicy,
+                NULL,
+                CertPolicyInfo,
+                PKIX_FALSE);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
+                (goodPolicyInfo, &isImmutable, plContext));
+
+        if (isImmutable != PKIX_TRUE) {
+                testError("PolicyInfo List is not immutable");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+        PKIX_TEST_DECREF_AC(goodPolicyInfo);
+        PKIX_TEST_DECREF_AC(equalPolicyInfo);
+        PKIX_TEST_DECREF_AC(diffPolicyInfo);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCertPolicy_GetPolicyId(char *dataDir)
+{
+        char *goodCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *equalCertName =
+                "UserNoticeQualifierTest16EE.crt";
+        char *diffCertName =
+                "UserNoticeQualifierTest17EE.crt";
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_List* goodPolicyInfo = NULL;
+        PKIX_List* equalPolicyInfo = NULL;
+        PKIX_List* diffPolicyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
+        PKIX_PL_OID *goodID = NULL;
+        PKIX_PL_OID *equalID = NULL;
+        PKIX_PL_OID *diffID = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_CertPolicyInfo_GetPolicyId");
+
+        /*
+         * Get the cert, then the list of policyInfos.
+         * Take the first policyInfo from the list.
+         * Finally, get the policyInfo's ID.
+         */
+
+        /* Get the PolicyInfo objects */
+        goodCert = createCert(dataDir, goodCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (goodCert, &goodPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (goodPolicy, &goodID, plContext));
+
+        equalCert = createCert(dataDir, equalCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (equalCert, &equalPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (equalPolicyInfo,
+                0,
+                (PKIX_PL_Object **)&equalPolicy,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (equalPolicy, &equalID, plContext));
+
+        diffCert = createCert(dataDir, diffCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &diffPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
+                (diffPolicy, &diffID, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodID, equalID, diffID, NULL, OID, PKIX_FALSE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodID);
+        PKIX_TEST_DECREF_AC(equalID);
+        PKIX_TEST_DECREF_AC(diffID);
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+        PKIX_TEST_DECREF_AC(goodPolicyInfo);
+        PKIX_TEST_DECREF_AC(equalPolicyInfo);
+        PKIX_TEST_DECREF_AC(diffPolicyInfo);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCertPolicy_GetPolQualifiers(char *dataDir)
+{
+        char *goodCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *equalCertName =
+                "UserNoticeQualifierTest16EE.crt";
+        char *diffCertName =
+                "UserNoticeQualifierTest18EE.crt";
+        PKIX_Boolean isImmutable = PKIX_FALSE;
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_List* goodPolicyInfo = NULL;
+        PKIX_List* equalPolicyInfo = NULL;
+        PKIX_List* diffPolicyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
+        PKIX_List* goodQuals = NULL;
+        PKIX_List* equalQuals = NULL;
+        PKIX_List* diffQuals = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_CertPolicyInfo_GetPolQualifiers");
+
+        /*
+         * Get the cert, then the list of policyInfos.
+         * Take the first policyInfo from the list.
+         * Get its list of PolicyQualifiers.
+         */
+
+        /* Get the PolicyInfo objects */
+        goodCert = createCert(dataDir, goodCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (goodCert, &goodPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (goodPolicy, &goodQuals, plContext));
+
+        equalCert = createCert(dataDir, equalCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (equalCert, &equalPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (equalPolicyInfo,
+                0,
+                (PKIX_PL_Object **)&equalPolicy,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (equalPolicy, &equalQuals, plContext));
+
+        diffCert = createCert(dataDir, diffCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &diffPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (diffPolicy, &diffQuals, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodQuals,
+                equalQuals,
+                diffQuals,
+                NULL,
+                List,
+                PKIX_FALSE);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
+                (goodQuals, &isImmutable, plContext));
+
+        if (isImmutable != PKIX_TRUE) {
+                testError("PolicyQualifier List is not immutable");
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(goodPolicyInfo);
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(goodQuals);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(equalPolicyInfo);
+        PKIX_TEST_DECREF_AC(equalQuals);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_DECREF_AC(diffPolicyInfo);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+        PKIX_TEST_DECREF_AC(diffQuals);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testPolicyQualifier_GetQualifier(char *dataDir)
+{
+        char *goodCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *equalCertName =
+                "UserNoticeQualifierTest16EE.crt";
+        char *diffCertName =
+                "UserNoticeQualifierTest18EE.crt";
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_List* goodPolicyInfo = NULL;
+        PKIX_List* equalPolicyInfo = NULL;
+        PKIX_List* diffPolicyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
+        PKIX_List* goodQuals = NULL;
+        PKIX_List* equalQuals = NULL;
+        PKIX_List* diffQuals = NULL;
+        PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
+        PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
+        PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
+        PKIX_PL_ByteArray *goodArray = NULL;
+        PKIX_PL_ByteArray *equalArray = NULL;
+        PKIX_PL_ByteArray *diffArray = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_PolicyQualifier_GetQualifier");
+
+        /*
+         * Get the cert, then the list of policyInfos.
+         * Take the first policyInfo from the list.
+         * Get its list of PolicyQualifiers.
+         * Take the first policyQualifier from the list.
+         * Finally, get the policyQualifier's ByteArray.
+         */
+
+        /* Get the PolicyInfo objects */
+        goodCert = createCert(dataDir, goodCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (goodCert, &goodPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (goodPolicy, &goodQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (goodQuals,
+                0,
+                (PKIX_PL_Object **)&goodPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
+                (goodPolQualifier, &goodArray, plContext));
+
+        equalCert = createCert(dataDir, equalCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (equalCert, &equalPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (equalPolicyInfo,
+                0,
+                (PKIX_PL_Object **)&equalPolicy,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (equalPolicy, &equalQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (equalQuals,
+                0,
+                (PKIX_PL_Object **)&equalPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
+                (equalPolQualifier, &equalArray, plContext));
+
+        diffCert = createCert(dataDir, diffCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &diffPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (diffPolicy, &diffQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (diffQuals,
+                0,
+                (PKIX_PL_Object **)&diffPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
+                (diffPolQualifier, &diffArray, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodArray, equalArray, diffArray, NULL, ByteArray, PKIX_FALSE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodArray);
+        PKIX_TEST_DECREF_AC(equalArray);
+        PKIX_TEST_DECREF_AC(diffArray);
+        PKIX_TEST_DECREF_AC(goodPolQualifier);
+        PKIX_TEST_DECREF_AC(equalPolQualifier);
+        PKIX_TEST_DECREF_AC(diffPolQualifier);
+        PKIX_TEST_DECREF_AC(goodQuals);
+        PKIX_TEST_DECREF_AC(equalQuals);
+        PKIX_TEST_DECREF_AC(diffQuals);
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+        PKIX_TEST_DECREF_AC(goodPolicyInfo);
+        PKIX_TEST_DECREF_AC(equalPolicyInfo);
+        PKIX_TEST_DECREF_AC(diffPolicyInfo);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testPolicyQualifier_GetPolicyQualifierId(char *dataDir)
+{
+        char *goodCertName =
+                "UserNoticeQualifierTest15EE.crt";
+        char *equalCertName =
+                "UserNoticeQualifierTest16EE.crt";
+        char *diffCertName =
+                "CPSPointerQualifierTest20EE.crt";
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_Cert *equalCert = NULL;
+        PKIX_PL_Cert *diffCert = NULL;
+        PKIX_List* goodPolicyInfo = NULL;
+        PKIX_List* equalPolicyInfo = NULL;
+        PKIX_List* diffPolicyInfo = NULL;
+        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
+        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
+        PKIX_List* goodQuals = NULL;
+        PKIX_List* equalQuals = NULL;
+        PKIX_List* diffQuals = NULL;
+        PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
+        PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
+        PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
+        PKIX_PL_OID *goodID = NULL;
+        PKIX_PL_OID *equalID = NULL;
+        PKIX_PL_OID *diffID = NULL;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_PolicyQualifier_GetPolicyQualifierId");
+
+        /*
+         * Get the cert, then the list of policyInfos.
+         * Take the first policyInfo from the list.
+         * Get its list of PolicyQualifiers.
+         * Take the first policyQualifier from the list.
+         * Finally, get the policyQualifier's ID.
+         */
+
+        /* Get the PolicyQualifier objects */
+        goodCert = createCert(dataDir, goodCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (goodCert, &goodPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (goodPolicy, &goodQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (goodQuals,
+                0,
+                (PKIX_PL_Object **)&goodPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
+                (goodPolQualifier, &goodID, plContext));
+
+        equalCert = createCert(dataDir, equalCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (equalCert, &equalPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (equalPolicyInfo,
+                0,
+                (PKIX_PL_Object **)&equalPolicy,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (equalPolicy, &equalQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (equalQuals,
+                0,
+                (PKIX_PL_Object **)&equalPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
+                (equalPolQualifier, &equalID, plContext));
+
+        diffCert = createCert(dataDir, diffCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
+                (diffCert, &diffPolicyInfo, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                (diffPolicy, &diffQuals, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetItem
+                (diffQuals,
+                0,
+                (PKIX_PL_Object **)&diffPolQualifier,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
+                (diffPolQualifier, &diffID, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodID, equalID, diffID, NULL, OID, PKIX_FALSE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodID);
+        PKIX_TEST_DECREF_AC(equalID);
+        PKIX_TEST_DECREF_AC(diffID);
+        PKIX_TEST_DECREF_AC(goodPolQualifier);
+        PKIX_TEST_DECREF_AC(equalPolQualifier);
+        PKIX_TEST_DECREF_AC(diffPolQualifier);
+        PKIX_TEST_DECREF_AC(goodQuals);
+        PKIX_TEST_DECREF_AC(equalQuals);
+        PKIX_TEST_DECREF_AC(diffQuals);
+        PKIX_TEST_DECREF_AC(goodPolicy);
+        PKIX_TEST_DECREF_AC(equalPolicy);
+        PKIX_TEST_DECREF_AC(diffPolicy);
+        PKIX_TEST_DECREF_AC(goodPolicyInfo);
+        PKIX_TEST_DECREF_AC(equalPolicyInfo);
+        PKIX_TEST_DECREF_AC(diffPolicyInfo);
+        PKIX_TEST_DECREF_AC(goodCert);
+        PKIX_TEST_DECREF_AC(equalCert);
+        PKIX_TEST_DECREF_AC(diffCert);
+        PKIX_TEST_RETURN();
+}
+
+static void
+testAreCertPoliciesCritical(char *dataCentralDir, char *dataDir)
+{
+
+        char *trueCertName = "CertificatePoliciesCritical.crt";
+        char *falseCertName = "UserNoticeQualifierTest15EE.crt";
+        PKIX_PL_Cert *trueCert = NULL;
+        PKIX_PL_Cert *falseCert = NULL;
+        PKIX_Boolean trueVal = PKIX_FALSE;
+        PKIX_Boolean falseVal = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_Cert_AreCertPoliciesCritical - <true>");
+
+        trueCert = createCert(dataCentralDir, trueCertName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical
+                (trueCert, &trueVal, plContext));
+
+        if (trueVal != PKIX_TRUE) {
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", trueVal);
+                (void) printf("Expected value:\t1\n");
+                goto cleanup;
+        }
+
+        subTest("PKIX_PL_Cert_AreCertPoliciesCritical - <false>");
+
+        falseCert = createCert(dataDir, falseCertName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical
+                (falseCert, &falseVal, plContext));
+
+        if (falseVal != PKIX_FALSE) {
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", falseVal);
+                (void) printf("Expected value:\t0\n");
+                goto cleanup;
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(trueCert);
+        PKIX_TEST_DECREF_AC(falseCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCertPolicyConstraints(char *dataDir)
+{
+        char *requireExplicitPolicy2CertName =
+                "requireExplicitPolicy2CACert.crt";
+        char *inhibitPolicyMapping5CertName =
+                "inhibitPolicyMapping5CACert.crt";
+        char *inhibitAnyPolicy5CertName =
+                "inhibitAnyPolicy5CACert.crt";
+        char *inhibitAnyPolicy0CertName =
+                "inhibitAnyPolicy0CACert.crt";
+        PKIX_PL_Cert *requireExplicitPolicy2Cert = NULL;
+        PKIX_PL_Cert *inhibitPolicyMapping5Cert = NULL;
+        PKIX_PL_Cert *inhibitAnyPolicy5Cert = NULL;
+        PKIX_PL_Cert *inhibitAnyPolicy0Cert = NULL;
+        PKIX_Int32 skipCerts = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetRequireExplicitPolicy");
+        requireExplicitPolicy2Cert = createCert
+                (dataDir, requireExplicitPolicy2CertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetRequireExplicitPolicy
+                (requireExplicitPolicy2Cert, &skipCerts, NULL));
+        PR_ASSERT(skipCerts == 2);
+
+        subTest("PKIX_PL_Cert_GetPolicyMappingInhibited");
+        inhibitPolicyMapping5Cert = createCert
+                (dataDir, inhibitPolicyMapping5CertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappingInhibited
+                (inhibitPolicyMapping5Cert, &skipCerts, NULL));
+        PR_ASSERT(skipCerts == 5);
+
+        subTest("PKIX_PL_Cert_GetInhibitAnyPolicy");
+        inhibitAnyPolicy5Cert = createCert
+                (dataDir, inhibitAnyPolicy5CertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy
+                (inhibitAnyPolicy5Cert, &skipCerts, NULL));
+        PR_ASSERT(skipCerts == 5);
+
+        inhibitAnyPolicy0Cert = createCert
+                (dataDir, inhibitAnyPolicy0CertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy
+                (inhibitAnyPolicy0Cert, &skipCerts, NULL));
+        PR_ASSERT(skipCerts == 0);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(requireExplicitPolicy2Cert);
+        PKIX_TEST_DECREF_AC(inhibitPolicyMapping5Cert);
+        PKIX_TEST_DECREF_AC(inhibitAnyPolicy5Cert);
+        PKIX_TEST_DECREF_AC(inhibitAnyPolicy0Cert);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCertPolicyMaps(char *dataDir)
+{
+        char *policyMappingsCertName =
+                "P1Mapping1to234CACert.crt";
+        char *expectedAscii =
+                "2.16.840.1.101.3.2.1.48.1=>2.16.840.1.101.3.2.1.48.2";
+
+        PKIX_PL_Cert *policyMappingsCert = NULL;
+        PKIX_List *mappings = NULL;
+        PKIX_PL_CertPolicyMap *goodMap = NULL;
+        PKIX_PL_CertPolicyMap *equalMap = NULL;
+        PKIX_PL_CertPolicyMap *diffMap = NULL;
+        PKIX_PL_OID *goodOID = NULL;
+        PKIX_PL_OID *equalOID = NULL;
+        PKIX_PL_OID *diffOID = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_GetPolicyMappings");
+
+        policyMappingsCert = createCert
+                (dataDir, policyMappingsCertName, plContext);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappings
+                (policyMappingsCert, &mappings, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (mappings, 0, (PKIX_PL_Object **)&goodMap, NULL));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (mappings, 0, (PKIX_PL_Object **)&equalMap, NULL));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (mappings, 2, (PKIX_PL_Object **)&diffMap, NULL));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodMap,
+                equalMap,
+                diffMap,
+                expectedAscii,
+                CertPolicyMap,
+                PKIX_TRUE);
+
+        subTest("PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+                (goodMap, &goodOID, NULL));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+                (diffMap, &equalOID, NULL));
+        subTest("PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
+                (diffMap, &diffOID, NULL));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodOID,
+                equalOID,
+                diffOID,
+                "2.16.840.1.101.3.2.1.48.1",
+                OID,
+                PKIX_FALSE);
+
+        subTest("pkix_pl_CertPolicyMap_Destroy");
+        PKIX_TEST_DECREF_BC(goodMap);
+        PKIX_TEST_DECREF_BC(equalMap);
+        PKIX_TEST_DECREF_BC(diffMap);
+
+cleanup:
+        PKIX_TEST_DECREF_AC(policyMappingsCert);
+        PKIX_TEST_DECREF_AC(mappings);
+        PKIX_TEST_DECREF_AC(goodOID);
+        PKIX_TEST_DECREF_AC(equalOID);
+        PKIX_TEST_DECREF_AC(diffOID);
+
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testNameConstraints(char *dataDir)
+{
+        char *firstPname = "nameConstraintsDN3subCA2Cert.crt";
+        char *secondPname = "nameConstraintsDN4CACert.crt";
+        char *thirdPname = "nameConstraintsDN5CACert.crt";
+        char *lastPname = "InvalidDNnameConstraintsTest3EE.crt";
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+        PKIX_PL_Cert *thirdCert = NULL;
+        PKIX_PL_Cert *lastCert = NULL;
+        PKIX_PL_CertNameConstraints *firstNC = NULL;
+        PKIX_PL_CertNameConstraints *secondNC = NULL;
+        PKIX_PL_CertNameConstraints *thirdNC = NULL;
+        PKIX_PL_CertNameConstraints *firstMergedNC = NULL;
+        PKIX_PL_CertNameConstraints *secondMergedNC = NULL;
+        char *firstExpectedAscii =
+                "[\n"
+                "\t\tPermitted Name:  (O=Test Certificates,C=US)\n"
+                "\t\tExcluded Name:   (OU=excludedSubtree1,O=Test Certificates,"
+                "C=US, OU=excludedSubtree2,O=Test Certificates,C=US)\n"
+                "\t]\n";
+        char *secondExpectedAscii =
+                "[\n"
+                "\t\tPermitted Name:  (O=Test Certificates,C=US, "
+                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
+                "\t\tExcluded Name:   (OU=excludedSubtree1,"
+                "O=Test Certificates,"
+                "C=US, OU=excludedSubtree2,O=Test Certificates,C=US, "
+                "OU=excludedSubtree1,OU=permittedSubtree1,"
+                "O=Test Certificates,C=US)\n"
+                "\t]\n";
+
+        PKIX_TEST_STD_VARS();
+        subTest("PKIX_PL_CertNameConstraints");
+
+        firstCert = createCert(dataDir, firstPname, plContext);
+        secondCert = createCert(dataDir, secondPname, plContext);
+        thirdCert = createCert(dataDir, thirdPname, plContext);
+        lastCert = createCert(dataDir, lastPname, plContext);
+
+        subTest("PKIX_PL_Cert_GetNameConstraints <total=3>");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (firstCert, &firstNC, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (secondCert, &secondNC, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (thirdCert, &thirdNC, NULL));
+
+        subTest("PKIX_PL_Cert_MergeNameConstraints <1st and 2nd>");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints
+                (firstNC, secondNC, &firstMergedNC, NULL));
+
+        subTest("PKIX_PL_Cert_MergeNameConstraints <1st+2nd and 3rd>");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints
+                (firstMergedNC, thirdNC, &secondMergedNC, NULL));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)firstMergedNC,
+                firstExpectedAscii,
+                plContext);
+
+        testToStringHelper
+                ((PKIX_PL_Object *)secondMergedNC,
+                secondExpectedAscii,
+                plContext);
+
+        subTest("PKIX_PL_Cert_CheckNameConstraints <permitted>");
+
+        /* Subject: CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckNameConstraints
+                (firstCert, firstMergedNC, NULL));
+
+        subTest("PKIX_PL_Cert_CheckNameConstraints <OU in excluded>");
+
+        /*
+         * Subject: CN=Invalid DN nameConstraints EE Certificate Test3,
+         * OU=permittedSubtree1,O=Test Certificates,C=US
+         */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
+                (lastCert, secondMergedNC, NULL));
+
+        subTest("PKIX_PL_Cert_CheckNameConstraints <excluded>");
+
+        /*
+         * Subject: CN=Invalid DN nameConstraints EE Certificate Test3,
+         * OU=permittedSubtree1,O=Test Certificates,C=US
+         * SubjectAltNames: CN=Invalid DN nameConstraints EE Certificate
+         * Test3,OU=excludedSubtree1,O=Test Certificates,C=US
+         */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
+                (lastCert, firstMergedNC, NULL));
+
+        subTest("PKIX_PL_Cert_CheckNameConstraints <excluded>");
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
+                (firstCert, secondMergedNC, NULL));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstCert);
+        PKIX_TEST_DECREF_AC(secondCert);
+        PKIX_TEST_DECREF_AC(thirdCert);
+        PKIX_TEST_DECREF_AC(lastCert);
+        PKIX_TEST_DECREF_AC(firstNC);
+        PKIX_TEST_DECREF_AC(secondNC);
+        PKIX_TEST_DECREF_AC(thirdNC);
+        PKIX_TEST_DECREF_AC(firstMergedNC);
+        PKIX_TEST_DECREF_AC(secondMergedNC);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+        PKIX_TEST_DECREF_BC(altNameNoneCert);
+        PKIX_TEST_DECREF_BC(altNameOtherCert);
+        PKIX_TEST_DECREF_BC(altNameOtherCert_diff);
+        PKIX_TEST_DECREF_BC(altNameRfc822Cert);
+        PKIX_TEST_DECREF_BC(altNameRfc822Cert_diff);
+        PKIX_TEST_DECREF_BC(altNameDnsCert);
+        PKIX_TEST_DECREF_BC(altNameDnsCert_diff);
+        PKIX_TEST_DECREF_BC(altNameX400Cert);
+        PKIX_TEST_DECREF_BC(altNameX400Cert_diff);
+        PKIX_TEST_DECREF_BC(altNameDnCert);
+        PKIX_TEST_DECREF_BC(altNameDnCert_diff);
+        PKIX_TEST_DECREF_BC(altNameEdiCert);
+        PKIX_TEST_DECREF_BC(altNameEdiCert_diff);
+        PKIX_TEST_DECREF_BC(altNameUriCert);
+        PKIX_TEST_DECREF_BC(altNameUriCert_diff);
+        PKIX_TEST_DECREF_BC(altNameIpCert);
+        PKIX_TEST_DECREF_BC(altNameIpCert_diff);
+        PKIX_TEST_DECREF_BC(altNameOidCert);
+        PKIX_TEST_DECREF_BC(altNameOidCert_diff);
+        PKIX_TEST_DECREF_BC(altNameMultipleCert);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_cert <test-purpose> <data-central-dir> <data-dir>\n\n");
+}
+
+int test_cert(int argc, char *argv[]) {
+
+        PKIX_PL_Cert *goodObject = NULL;
+        PKIX_PL_Cert *equalObject = NULL;
+        PKIX_PL_Cert *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *dataCentralDir = NULL;
+        char *dataDir = NULL;
+        char *goodInput = "yassir2bcn";
+        char *diffInput = "nss2alice";
+
+        char *expectedAscii =
+                "[\n"
+                "\tVersion:         v3\n"
+                "\tSerialNumber:    37bc66ec\n"
+                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
+                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
+                "\tValidity: [From: Thu Aug 19, 1999\n"
+        /*      "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"  */
+                "\t           To:   Fri Aug 18, 2000]\n"
+        /*      "\t           To:   Fri Aug 18 16:19:56 2000]\n" */
+                "\tSubjectAltNames: (null)\n"
+                "\tAuthorityKeyId:  (null)\n"
+                "\tSubjectKeyId:    (null)\n"
+                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
+                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
+                "\tExtKeyUsages:    (null)\n"
+                "\tBasicConstraint: CA(0)\n"
+                "\tCertPolicyInfo:  (null)\n"
+                "\tPolicyMappings:  (null)\n"
+                "\tExplicitPolicy:  -1\n"
+                "\tInhibitMapping:  -1\n"
+                "\tInhibitAnyPolicy:-1\n"
+                "\tNameConstraints: (null)\n"
+                "\tAuthorityInfoAccess: (null)\n"
+                "\tSubjectInfoAccess: (null)\n"
+                "\tCacheFlag:       0\n"
+                "]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Cert");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 3+j) {
+                printUsage();
+                return (0);
+        }
+
+        dataCentralDir = argv[2+j];
+        dataDir = argv[3+j];
+
+        createCerts
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                &goodObject,
+                &equalObject,
+                &diffObject);
+
+        testToStringHelper
+                ((PKIX_PL_Object*)goodObject, expectedAscii, plContext);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                Cert,
+                PKIX_TRUE);
+
+        testVerifyKeyUsage(dataCentralDir, dataDir, goodObject);
+
+
+        testGetExtendedKeyUsage(dataCentralDir);
+        testGetKeyIdentifiers(dataCentralDir, goodObject);
+
+        testGetVersion(goodObject);
+        testGetSerialNumber(goodObject, equalObject, diffObject);
+
+        testGetSubject(goodObject, equalObject, diffObject);
+        testGetIssuer(goodObject, equalObject, diffObject);
+
+        testGetSubjectAltNames(dataCentralDir);
+        testGetCriticalExtensionOIDs(dataCentralDir, goodObject);
+
+        testGetSubjectPublicKey(goodObject, equalObject, diffObject);
+        testGetSubjectPublicKeyAlgId(goodObject);
+        testMakeInheritedDSAPublicKey(dataCentralDir);
+
+        testCheckValidity(goodObject, diffObject);
+
+        testBasicConstraints_GetCAFlag(dataCentralDir);
+        testBasicConstraints_GetPathLenConstraint(dataCentralDir);
+        testGetBasicConstraints(dataCentralDir);
+
+        /* Basic Policy Processing */
+        testGetPolicyInformation(dataDir);
+        testCertPolicy_GetPolicyId(dataDir);
+        testCertPolicy_GetPolQualifiers(dataDir);
+        testPolicyQualifier_GetPolicyQualifierId(dataDir);
+        testPolicyQualifier_GetQualifier(dataDir);
+        testAreCertPoliciesCritical(dataCentralDir, dataDir);
+
+        /* Advanced Policy Processing */
+        testCertPolicyConstraints(dataDir);
+        testCertPolicyMaps(dataDir);
+
+        testNameConstraints(dataDir);
+
+        testVerifySignature(dataCentralDir);
+
+        testDestroy(goodObject, equalObject, diffObject);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Cert");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c
new file mode 100644
index 000000000..87fb31bc1
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c
@@ -0,0 +1,341 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_crl.c
+ *
+ * Test CRL Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createCRLs(
+        char *dataDir,
+        char *goodInput,
+        char *diffInput,
+        PKIX_PL_CRL **goodObject,
+        PKIX_PL_CRL **equalObject,
+        PKIX_PL_CRL **diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CRL_Create <goodObject>");
+        *goodObject = createCRL(dataDir, goodInput, plContext);
+
+        subTest("PKIX_PL_CRL_Create <equalObject>");
+        *equalObject = createCRL(dataDir, goodInput, plContext);
+
+        subTest("PKIX_PL_CRL_Create <diffObject>");
+        *diffObject = createCRL(dataDir, diffInput, plContext);
+
+        PKIX_TEST_RETURN();
+}
+
+static void testGetCRLEntryForSerialNumber(
+        PKIX_PL_CRL *goodObject)
+{
+        PKIX_PL_BigInt *bigInt;
+        PKIX_PL_String *bigIntString = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_PL_String *crlEntryString = NULL;
+        char *snAscii = "3039";
+        char *expectedAscii =
+                "\n\t[\n"
+                "\tSerialNumber:    3039\n"
+                "\tReasonCode:      257\n"
+                "\tRevocationDate:  Fri Jan 07, 2005\n"
+        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n\t";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CRL_GetCRLEntryForSerialNumber");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                    PKIX_ESCASCII,
+                                    snAscii,
+                                    PL_strlen(snAscii),
+                                    &bigIntString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
+                            bigIntString,
+                            &bigInt,
+                            plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+                            goodObject, bigInt, &crlEntry, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString(
+                                    (PKIX_PL_Object *)crlEntry,
+                                    &crlEntryString,
+                                    plContext));
+
+        testToStringHelper((PKIX_PL_Object *)crlEntryString,
+                            expectedAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(bigIntString);
+        PKIX_TEST_DECREF_AC(bigInt);
+        PKIX_TEST_DECREF_AC(crlEntryString);
+        PKIX_TEST_DECREF_AC(crlEntry);
+        PKIX_TEST_RETURN();
+}
+
+static void testGetIssuer(
+        PKIX_PL_CRL *goodObject,
+        PKIX_PL_CRL *equalObject,
+        PKIX_PL_CRL *diffObject)
+{
+        PKIX_PL_X500Name *goodIssuer = NULL;
+        PKIX_PL_X500Name *equalIssuer = NULL;
+        PKIX_PL_X500Name *diffIssuer = NULL;
+        char *expectedAscii = "CN=hanfeiyu,O=sun,C=us";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CRL_GetIssuer");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+                PKIX_PL_CRL_GetIssuer(goodObject, &goodIssuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+                PKIX_PL_CRL_GetIssuer(equalObject, &equalIssuer, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+                PKIX_PL_CRL_GetIssuer(diffObject, &diffIssuer, plContext));
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodIssuer,
+                equalIssuer,
+                diffIssuer,
+                expectedAscii,
+                X500Name,
+                PKIX_TRUE);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodIssuer);
+        PKIX_TEST_DECREF_AC(equalIssuer);
+        PKIX_TEST_DECREF_AC(diffIssuer);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCritExtensionsAbsent(PKIX_PL_CRL *crl)
+{
+        PKIX_List *oidList = NULL;
+        PKIX_UInt32 numOids = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCriticalExtensionOIDs
+                                    (crl, &oidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (oidList, &numOids, plContext));
+        if (numOids != 0){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(oidList);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetCriticalExtensionOIDs(PKIX_PL_CRL *goodObject)
+{
+        subTest("PKIX_PL_CRL_GetCriticalExtensionOIDs "
+                "<0 element>");
+        testCritExtensionsAbsent(goodObject);
+
+}
+
+static void testVerifySignature(char *dataCentralDir, PKIX_PL_CRL *crl){
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+        PKIX_PL_PublicKey *firstPubKey = NULL;
+        PKIX_PL_PublicKey *secondPubKey = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Cert_Create <hanfeiyu2hanfeiyu>");
+        firstCert = createCert(dataCentralDir, "hanfeiyu2hanfeiyu", plContext);
+
+        subTest("PKIX_PL_Cert_Create <hy2hy-bc0>");
+        secondCert = createCert(dataCentralDir, "hy2hy-bc0", plContext);
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <hanfeiyu2hanfeiyu>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKey
+                (firstCert, &firstPubKey, plContext));
+
+        subTest("PKIX_PL_Cert_GetSubjectPublicKey <hanfei2hanfei>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubjectPublicKey
+                (secondCert, &secondPubKey, plContext));
+
+        subTest("PKIX_PL_CRL_VerifySignature <positive>");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_CRL_VerifySignature(crl, firstPubKey, plContext));
+
+        subTest("PKIX_PL_CRL_VerifySignature <negative>");
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_CRL_VerifySignature(crl, secondPubKey, plContext));
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(firstCert);
+        PKIX_TEST_DECREF_AC(secondCert);
+        PKIX_TEST_DECREF_AC(firstPubKey);
+        PKIX_TEST_DECREF_AC(secondPubKey);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_crl <test-purpose> <data-central-dir>\n\n");
+}
+
+/* Functional tests for CRL public functions */
+
+int test_crl(int argc, char *argv[]) {
+        PKIX_PL_CRL *goodObject = NULL;
+        PKIX_PL_CRL *equalObject = NULL;
+        PKIX_PL_CRL *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *dataCentralDir = NULL;
+        char *goodInput = "crlgood.crl";
+        char *diffInput = "crldiff.crl";
+        char *expectedAscii =
+                "[\n"
+                "\tVersion:         v2\n"
+                "\tIssuer:          CN=hanfeiyu,O=sun,C=us\n"
+                "\tUpdate:   [Last: Fri Jan 07, 2005\n"
+        /*      "\tUpdate:   [Last: Fri Jan 07 15:09:10 2005\n" */
+                "\t           Next: Sat Jan 07, 2006]\n"
+        /*      "\t           Next: Sat Jan 07 15:09:10 2006]\n" */
+                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
+                "\tCRL Number     : (null)\n"
+                "\n\tEntry List:      (\n"
+                "\t[\n"
+                "\tSerialNumber:    010932\n"
+                "\tReasonCode:      260\n"
+                "\tRevocationDate:  Fri Jan 07, 2005\n"
+        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n\t"
+                ", "
+                "\n\t[\n"
+                "\tSerialNumber:    3039\n"
+                "\tReasonCode:      257\n"
+                "\tRevocationDate:  Fri Jan 07, 2005\n"
+        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n\t"
+                ")"
+                "\n\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "]\n";
+        /* Note XXX serialnumber and reasoncode need debug */
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CRL");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 3+j) {
+                printUsage();
+                return (0);
+        }
+
+        dataCentralDir = argv[2+j];
+
+        createCRLs
+                (dataCentralDir,
+                goodInput,
+                diffInput,
+                &goodObject,
+                &equalObject,
+                &diffObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                expectedAscii,
+                CRL,
+                PKIX_TRUE);
+
+        testGetIssuer(goodObject, equalObject, diffObject);
+
+        testGetCriticalExtensionOIDs(goodObject);
+
+        testGetCRLEntryForSerialNumber(goodObject);
+
+        testVerifySignature(dataCentralDir, goodObject);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodObject);
+        PKIX_TEST_DECREF_AC(equalObject);
+        PKIX_TEST_DECREF_AC(diffObject);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CRL");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c
new file mode 100644
index 000000000..fb1e07002
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c
@@ -0,0 +1,244 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_crlentry.c
+ *
+ * Test CRLENTRY Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createCRLEntries(
+        char *dataDir,
+        char *crlInput,
+        PKIX_PL_CRL **pCrl,
+        PKIX_PL_CRLEntry **goodObject,
+        PKIX_PL_CRLEntry **equalObject,
+        PKIX_PL_CRLEntry **diffObject)
+{
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_PL_BigInt *firstSNBigInt = NULL;
+        PKIX_PL_BigInt *secondSNBigInt = NULL;
+        PKIX_PL_String *firstSNString = NULL;
+        PKIX_PL_String *secondSNString = NULL;
+        char *firstSNAscii = "010932";
+        char *secondSNAscii = "3039";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CRL_Create <crl>");
+        crl = createCRL(dataDir, crlInput, plContext);
+
+        subTest("PKIX_PL_CRL_GetCRLEntryForSerialNumber");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                    PKIX_ESCASCII,
+                                    firstSNAscii,
+                                    PL_strlen(firstSNAscii),
+                                    &firstSNString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
+                            firstSNString,
+                            &firstSNBigInt,
+                            plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+                            crl, firstSNBigInt, goodObject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+                            crl, firstSNBigInt, equalObject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                    PKIX_ESCASCII,
+                                    secondSNAscii,
+                                    PL_strlen(secondSNAscii),
+                                    &secondSNString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
+                            secondSNString,
+                            &secondSNBigInt,
+                            plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+                            crl, secondSNBigInt, diffObject, plContext));
+
+
+
+        *pCrl = crl;
+
+cleanup:
+        PKIX_TEST_DECREF_AC(firstSNBigInt);
+        PKIX_TEST_DECREF_AC(secondSNBigInt);
+        PKIX_TEST_DECREF_AC(firstSNString);
+        PKIX_TEST_DECREF_AC(secondSNString);
+        PKIX_TEST_RETURN();
+}
+
+static void testGetReasonCode(
+        PKIX_PL_CRLEntry *goodObject)
+{
+        PKIX_Int32 reasonCode = 0;
+        PKIX_Int32 expectedReasonCode = 260;
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CRLEntry_GetCRLEntryReasonCode");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRLEntry_GetCRLEntryReasonCode(
+                            goodObject, &reasonCode, plContext));
+
+        if (reasonCode != expectedReasonCode) {
+                testError("unexpected value of CRL Entry Reason Code");
+                (void) printf("Actual value:\t%d\n", reasonCode);
+                (void) printf("Expected value:\t%d\n", expectedReasonCode);
+                goto cleanup;
+        }
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCritExtensionsAbsent(PKIX_PL_CRLEntry *crlEntry)
+{
+        PKIX_List *oidList = NULL;
+        PKIX_UInt32 numOids = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+                                    (crlEntry, &oidList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                                    (oidList, &numOids, plContext));
+        if (numOids != 0){
+                pkixTestErrorMsg = "unexpected mismatch";
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(oidList);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetCriticalExtensionOIDs(PKIX_PL_CRLEntry *goodObject)
+{
+        subTest("PKIX_PL_CRL_GetCriticalExtensionOIDs "
+                "<CritExtensionsAbsent>");
+        testCritExtensionsAbsent(goodObject);
+
+}
+
+static
+void printUsage(void) {
+        (void) printf("\nUSAGE:\ttest_crlentry <data-dir>\n\n");
+}
+
+/* Functional tests for CRLENTRY public functions */
+
+int test_crlentry(int argc, char *argv[]) {
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_PL_CRLEntry *goodObject = NULL;
+        PKIX_PL_CRLEntry *equalObject = NULL;
+        PKIX_PL_CRLEntry *diffObject = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *dataDir = NULL;
+        char *goodInput = "crlgood.crl";
+        char *expectedAscii =
+                "\n\t[\n"
+                "\tSerialNumber:    010932\n"
+                "\tReasonCode:      260\n"
+                "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n"
+                "\tCritExtOIDs:     (EMPTY)\n"
+                "\t]\n\t";
+
+        /* Note XXX serialnumber and reasoncode need debug */
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("CRLEntry");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 1+j) {
+                printUsage();
+                return (0);
+        }
+
+        dataDir = argv[1+j];
+
+        createCRLEntries
+            (dataDir, goodInput, &crl, &goodObject, &equalObject, &diffObject);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodObject,
+                equalObject,
+                diffObject,
+                NULL, /* expectedAscii, */
+                CRLENTRY,
+                PKIX_TRUE);
+
+        testGetReasonCode(goodObject);
+
+        testGetCriticalExtensionOIDs(goodObject);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(crl);
+        PKIX_TEST_DECREF_AC(goodObject);
+        PKIX_TEST_DECREF_AC(equalObject);
+        PKIX_TEST_DECREF_AC(diffObject);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("CRLEntry");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c
new file mode 100644
index 000000000..02ce70e5c
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c
@@ -0,0 +1,141 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_date.c
+ *
+ * Test Date Type
+ *
+ */
+
+
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createDates(char *goodInput, char *diffInput,
+                    PKIX_PL_Date **goodDate,
+                    PKIX_PL_Date **equalDate,
+                    PKIX_PL_Date **diffDate){
+
+        subTest("PKIX_PL_Date_Create <goodDate>");
+        *goodDate = createDate(goodInput, plContext);
+
+        subTest("PKIX_PL_Date_Create <equalDate>");
+        *equalDate = createDate(goodInput, plContext);
+
+        subTest("PKIX_PL_Date_Create <diffDate>");
+        *diffDate = createDate(diffInput, plContext);
+
+}
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_Date_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static
+void testDate(char *goodInput, char *diffInput){
+
+        PKIX_PL_Date *goodDate = NULL;
+        PKIX_PL_Date *equalDate = NULL;
+        PKIX_PL_Date *diffDate = NULL;
+
+        /*
+         * The ASCII rep of the date will vary by platform and locale
+         * This particular string was generated on a SPARC running Solaris 9
+         * in an English locale
+         */
+        /* char *expectedAscii = "Mon Mar 29 08:48:47 2004"; */
+        char *expectedAscii = "Mon Mar 29, 2004";
+
+        PKIX_TEST_STD_VARS();
+
+        createDates(goodInput, diffInput,
+                    &goodDate, &equalDate, &diffDate);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodDate, equalDate, diffDate, expectedAscii, Date, PKIX_TRUE);
+
+        testDestroy(goodDate, equalDate, diffDate);
+
+        PKIX_TEST_RETURN();
+
+}
+
+int test_date(int argc, char *argv[]) {
+
+        char *goodInput = NULL;
+        char *diffInput = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Date");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        goodInput = "040329134847Z";
+        diffInput = "050329135847Z";
+        testDate(goodInput, diffInput);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Date");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c
new file mode 100644
index 000000000..2ee4beed4
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c
@@ -0,0 +1,155 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_generalname.c
+ *
+ * Test GeneralName Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createGeneralNames(PKIX_UInt32 nameType, char *goodInput, char *diffInput,
+                    PKIX_PL_GeneralName **goodName,
+                    PKIX_PL_GeneralName **equalName,
+                    PKIX_PL_GeneralName **diffName){
+
+        subTest("PKIX_PL_GeneralName_Create <goodName>");
+        *goodName = createGeneralName(nameType, goodInput, plContext);
+
+        subTest("PKIX_PL_GeneralName_Create <equalName>");
+        *equalName = createGeneralName(nameType, goodInput, plContext);
+
+        subTest("PKIX_PL_GeneralName_Create <diffName>");
+        *diffName = createGeneralName(nameType, diffInput, plContext);
+
+}
+
+static void
+testDestroy(void *goodObject, void *equalObject, void *diffObject)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_GeneralName_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static void testNameType
+(PKIX_UInt32 nameType, char *goodInput, char *diffInput, char *expectedAscii){
+
+        PKIX_PL_GeneralName *goodName = NULL;
+        PKIX_PL_GeneralName *equalName = NULL;
+        PKIX_PL_GeneralName *diffName = NULL;
+
+        createGeneralNames(nameType, goodInput, diffInput,
+                            &goodName, &equalName, &diffName);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (goodName,
+                equalName,
+                diffName,
+                expectedAscii,
+                GeneralName,
+                PKIX_TRUE);
+
+        testDestroy(goodName, equalName, diffName);
+}
+
+int test_generalname(int argc, char *argv[]) {
+
+        char *goodInput = NULL;
+        char *diffInput = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("GeneralName");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        goodInput = "john@sun.com";
+        diffInput = "john@labs.com";
+        testNameType(PKIX_RFC822_NAME, goodInput, diffInput, goodInput);
+
+        goodInput = "example1.com";
+        diffInput = "ex2.net";
+        testNameType(PKIX_DNS_NAME, goodInput, diffInput, goodInput);
+
+        goodInput = "cn=yassir, ou=labs, o=sun, c=us";
+        diffInput = "cn=alice, ou=labs, o=sun, c=us";
+        testNameType(PKIX_DIRECTORY_NAME,
+                    goodInput,
+                    diffInput,
+                    "CN=yassir,OU=labs,O=sun,C=us");
+
+        goodInput = "http://example1.com";
+        diffInput = "http://ex2.net";
+        testNameType(PKIX_URI_NAME, goodInput, diffInput, goodInput);
+
+        goodInput = "1.2.840.11";
+        diffInput = "1.2.840.115349";
+        testNameType(PKIX_OID_NAME, goodInput, diffInput, goodInput);
+
+        /*
+         * We don't support creating PKIX_EDIPARTY_NAME,
+         * PKIX_IP_NAME, OTHER_NAME, X400_ADDRESS from strings
+         */
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("GeneralName");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c
new file mode 100644
index 000000000..14193ad6b
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c
@@ -0,0 +1,157 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_nameconstraints.c
+ *
+ * Test CERT Name Constraints Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static char *catDirName(char *platform, char *dir, void *plContext)
+{
+        char *pathName = NULL;
+        PKIX_UInt32 dirLen;
+        PKIX_UInt32 platformLen;
+
+        PKIX_TEST_STD_VARS();
+
+        dirLen = PL_strlen(dir);
+        platformLen = PL_strlen(platform);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                (platformLen + dirLen + 2, (void **)&pathName, plContext));
+
+        PL_strcpy(pathName, platform);
+        PL_strcat(pathName, "/");
+        PL_strcat(pathName, dir);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (pathName);
+}
+
+static void
+testNameConstraints(char *dataDir)
+{
+        char *goodPname = "nameConstraintsDN5CACert.crt";
+        PKIX_PL_Cert *goodCert = NULL;
+        PKIX_PL_CertNameConstraints *goodNC = NULL;
+        char *expectedAscii =
+                "[\n"
+                "\t\tPermitted Name:  (OU=permittedSubtree1,"
+                "O=Test Certificates,C=US)\n"
+                "\t\tExcluded Name:   (OU=excludedSubtree1,"
+                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
+                "\t]\n";
+
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_CertNameConstraints");
+
+        goodCert = createCert(dataDir, goodPname, plContext);
+
+        subTest("PKIX_PL_Cert_GetNameConstraints");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                (goodCert, &goodNC, plContext));
+
+        testToStringHelper
+                ((PKIX_PL_Object *)goodNC, expectedAscii, plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(goodNC);
+        PKIX_TEST_DECREF_AC(goodCert);
+
+        PKIX_TEST_RETURN();
+}
+
+static
+void printUsage(void) {
+        (void) printf
+		("\nUSAGE:\ttest_nameconstraints <test-purpose>"
+                 " <data-dir> <platform-prefix>\n\n");
+}
+
+/* Functional tests for CRL public functions */
+
+int test_nameconstraints(int argc, char *argv[]) {
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        char *platformDir = NULL;
+        char *dataDir = NULL;
+        char *combinedDir = NULL;
+
+        /* Note XXX serialnumber and reasoncode need debug */
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("NameConstraints");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 3 + j) {
+                printUsage();
+                return (0);
+        }
+
+        dataDir = argv[2 + j];
+        platformDir = argv[3 + j];
+	combinedDir = catDirName(platformDir, dataDir, plContext);
+
+        testNameConstraints(combinedDir);
+
+cleanup:
+
+        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("NameConstraints");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c
new file mode 100644
index 000000000..9f2260f93
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c
@@ -0,0 +1,166 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_subjectinfoaccess.c
+ *
+ * Test Subject InfoAccess Type
+ *
+ */
+
+
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+int test_subjectinfoaccess(int argc, char *argv[]) {
+
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_Cert *certDiff = NULL;
+        PKIX_List *aiaList = NULL;
+        PKIX_List *siaList = NULL;
+        PKIX_PL_InfoAccess *sia = NULL;
+        PKIX_PL_InfoAccess *siaDup = NULL;
+        PKIX_PL_InfoAccess *siaDiff = NULL;
+        PKIX_PL_GeneralName *location = NULL;
+        char *certPathName = NULL;
+        char *dirName = NULL;
+        PKIX_UInt32 method = 0;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 size, i;
+        PKIX_UInt32 j = 0;
+        char *expectedAscii = "[method:caRepository, "
+                "location:http://betty.nist.gov/pathdiscoverytestsuite/"
+                "p7cfiles/IssuedByTrustAnchor1.p7c]";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("SubjectInfoAccess");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        if (argc < 5+j) {
+                printf("Usage: %s <test-purpose> <cert> <diff-cert>\n", argv[0]);
+        }
+
+        dirName = argv[2+j];
+        certPathName = argv[3+j];
+
+        subTest("Creating Cert with Subject Info Access");
+        cert = createCert(dirName, certPathName, plContext);
+
+        certPathName = argv[4+j];
+
+        subTest("Creating Cert with Subject Info Access");
+        certDiff = createCert(dirName, certPathName, plContext);
+
+        subTest("Getting Subject Info Access");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectInfoAccess
+                (cert, &siaList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (siaList, &size, plContext));
+
+        if (size != 1) {
+                pkixTestErrorMsg = "unexpected number of AIA";
+                goto cleanup;
+        }
+ 
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (siaList, 0, (PKIX_PL_Object **) &sia, plContext));
+
+        subTest("PKIX_PL_InfoAccess_GetMethod");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetMethod
+                (sia, &method, plContext));
+        if (method != PKIX_INFOACCESS_CA_REPOSITORY) {
+                pkixTestErrorMsg = "unexpected method of AIA";
+                goto cleanup;
+        }
+
+        subTest("PKIX_PL_InfoAccess_GetLocation");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocation
+                (sia, &location, plContext));
+        if (!location) {
+                pkixTestErrorMsg = "Cannot get AIA location";
+                goto cleanup;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (siaList, 0, (PKIX_PL_Object **) &siaDup, plContext));
+
+        subTest("Getting Authority Info Access as difference comparison");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
+                (certDiff, &aiaList, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
+                (aiaList, &size, plContext));
+
+        if (size != 1) {
+                pkixTestErrorMsg = "unexpected number of AIA";
+                goto cleanup;
+        }
+ 
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
+                (aiaList, 0, (PKIX_PL_Object **) &siaDiff, plContext));
+
+        subTest("Checking: Equal, Hash and ToString");
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (sia, siaDup, siaDiff, expectedAscii, InfoAccess, PKIX_FALSE);
+
+
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(location);
+        PKIX_TEST_DECREF_AC(sia);
+        PKIX_TEST_DECREF_AC(siaDup);
+        PKIX_TEST_DECREF_AC(siaDiff);
+        PKIX_TEST_DECREF_AC(aiaList);
+        PKIX_TEST_DECREF_AC(siaList);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(certDiff);
+     
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Subjectinfoaccess");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c
new file mode 100644
index 000000000..2bf098188
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c
@@ -0,0 +1,210 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_x500name.c
+ *
+ * Test X500Name Type
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static PKIX_PL_X500Name *
+createX500Name(char *asciiName, PKIX_Boolean expectedToPass){
+
+        PKIX_PL_X500Name *x500Name = NULL;
+        PKIX_PL_String *plString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiName, 0, &plString, plContext));
+
+        if (expectedToPass){
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_X500Name_Create
+                        (plString, &x500Name, plContext));
+        } else {
+                PKIX_TEST_EXPECT_ERROR
+                        (PKIX_PL_X500Name_Create
+                        (plString, &x500Name, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(plString);
+
+        PKIX_TEST_RETURN();
+
+        return (x500Name);
+}
+
+static void
+createX500Names(char *goodInput, char *diffInput, char *diffInputMatch,
+            PKIX_PL_X500Name **goodObject,
+            PKIX_PL_X500Name **equalObject,
+            PKIX_PL_X500Name **diffObject,
+            PKIX_PL_X500Name **diffObjectMatch)
+{
+        char *badAscii = "cn=yas#sir,ou=labs,o=sun,c=us";
+        PKIX_PL_X500Name *badObject = NULL;
+
+        subTest("PKIX_PL_X500Name_Create <goodObject>");
+        *goodObject = createX500Name(goodInput, PKIX_TRUE);
+
+        subTest("PKIX_PL_X500Name_Create <equalObject>");
+        *equalObject = createX500Name(goodInput, PKIX_TRUE);
+
+        subTest("PKIX_PL_X500Name_Create <diffObject>");
+        *diffObject = createX500Name(diffInput, PKIX_TRUE);
+
+        subTest("PKIX_PL_X500Name_Create <diffObjectMatch>");
+        *diffObjectMatch = createX500Name(diffInputMatch, PKIX_TRUE);
+
+        subTest("PKIX_PL_X500Name_Create <negative>");
+        badObject = createX500Name(badAscii, PKIX_FALSE);
+}
+
+static void testMatchHelper
+(PKIX_PL_X500Name *goodName, PKIX_PL_X500Name *otherName, PKIX_Boolean match)
+{
+        PKIX_Boolean cmpResult;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Match
+                                    (goodName,
+                                    otherName,
+                                    &cmpResult,
+                                    plContext));
+
+        if ((match && !cmpResult) || (!match && cmpResult)){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", cmpResult);
+                (void) printf("Expected value:\t%d\n", match);
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+static void
+testMatch(void *goodObject, void *diffObject, void *diffObjectMatch)
+{
+        subTest("PKIX_PL_X500Name_Match <match>");
+        testMatchHelper((PKIX_PL_X500Name *)diffObject,
+                        (PKIX_PL_X500Name *)diffObjectMatch,
+                        PKIX_TRUE);
+
+        subTest("PKIX_PL_X500Name_Match <non-match>");
+        testMatchHelper((PKIX_PL_X500Name *)goodObject,
+                        (PKIX_PL_X500Name *)diffObject,
+                        PKIX_FALSE);
+}
+
+static void testDestroy
+(void *goodObject, void *equalObject, void *diffObject, void *diffObjectMatch)
+{
+        PKIX_TEST_STD_VARS();
+
+        subTest("PKIX_PL_X500Name_Destroy");
+
+        PKIX_TEST_DECREF_BC(goodObject);
+        PKIX_TEST_DECREF_BC(equalObject);
+        PKIX_TEST_DECREF_BC(diffObject);
+        PKIX_TEST_DECREF_BC(diffObjectMatch);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+int test_x500name(int argc, char *argv[]) {
+
+        PKIX_PL_X500Name *goodObject = NULL;
+        PKIX_PL_X500Name *equalObject = NULL;
+        PKIX_PL_X500Name *diffObject = NULL;
+        PKIX_PL_X500Name *diffObjectMatch = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        /* goodInput is encoded in PKIX_ESCASCII */
+        char *goodInput = "cn=Strau&#x00Df;,ou=labs,o=sun,c=us";
+        char *diffInput = "cn=steve,ou=labs,o=sun,c=us";
+        char *diffInputMatch = "Cn=SteVe,Ou=lABs,o=SUn,c=uS";
+        char *expectedAscii = "CN=Strau&#x00DF;,OU=labs,O=sun,C=us";
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("X500Name");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        createX500Names
+                (goodInput, diffInput, diffInputMatch,
+                &goodObject, &equalObject, &diffObject, &diffObjectMatch);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+            (goodObject,
+            equalObject,
+            diffObject,
+            expectedAscii,
+            X500Name,
+            PKIX_TRUE);
+
+        testMatch(goodObject, diffObject, diffObjectMatch);
+
+        testDestroy(goodObject, equalObject, diffObject, diffObjectMatch);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("X500Name");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/Makefile b/security/nss/cmd/libpkix/pkix_pl/system/Makefile
new file mode 100755
index 000000000..3f1484b02
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn
new file mode 100755
index 000000000..8d9ed0152
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn
@@ -0,0 +1,71 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+# test_rwlock.c is taken out, need to link to libpkix internals
+#
+# The test is using LIBPKIX PL call directly, which violates our
+# code convention.
+#
+CSRCS = test_bigint.c \
+	test_bytearray.c \
+	test_hashtable.c \
+	test_mem.c \
+	test_mutex.c \
+	test_mutex2.c \
+	test_mutex3.c \
+	test_monitorlock.c \
+	test_object.c \
+	test_oid.c \
+	stress_test.c \
+	test_string.c \
+	test_string2.c \
+	$(NULL)
+
+
+LIBRARY_NAME=pkixtoolsys
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+ 
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c b/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c
new file mode 100644
index 000000000..251abe87c
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c
@@ -0,0 +1,188 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * stress_test.c
+ *
+ * Creates and deletes many objects
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+int stress_test(int argc, char *argv[]) {
+
+        PKIX_UInt32 i, k, length, hashcode;
+        PKIX_UInt32 size = 17576;
+        char temp[4];
+        PKIX_Boolean result;
+        PKIX_PL_String *strings[17576], *tempString;
+        PKIX_PL_String *utf16strings[17576];
+        PKIX_PL_ByteArray *byteArrays[17576];
+        void *dest;
+        PKIX_PL_HashTable *ht = NULL;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Stress Test");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        /* ---------------------------- */
+        subTest("Create every three letter String");
+
+        for (i = 0; i < 26; i++)
+                for (j = 0; j < 26; j++)
+                        for (k = 0; k < 26; k++) {
+                                temp[0] = (char)('a'+i);
+                                temp[1] = (char)('a'+j);
+                                temp[2] = (char)('a'+k);
+                                temp[3] = 0;
+                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                (PKIX_ESCASCII, temp, 3,
+                                &strings[26*(i*26+j)+k], plContext));
+                        }
+
+        /* ---------------------------- */
+        subTest("Create a bytearray from each string's UTF-16 encoding");
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_String_GetEncoded
+                        (strings[i],
+                        PKIX_UTF16,
+                        &dest,
+                        &length,
+                        plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
+                            (dest, length, &byteArrays[i], plContext));
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        }
+
+        /* ---------------------------- */
+        subTest("Create a copy string from each bytearray");
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                            (PKIX_UTF16, *(void **)byteArrays[i], 6,
+                            &utf16strings[i], plContext));
+        }
+
+        /* ---------------------------- */
+        subTest("Compare each original string with the copy");
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object*)strings[i],
+                            (PKIX_PL_Object*)utf16strings[i],
+                            &result,
+                            plContext));
+                if (result == 0)
+                        testError("Strings do not match");
+        }
+
+        /* ---------------------------- */
+        subTest("Put each string into a Hashtable");
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_HashTable_Create(size/2, 0, &ht, plContext));
+
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Object_Hashcode
+                        ((PKIX_PL_Object*)strings[i],
+                        &hashcode,
+                        plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                            (ht,
+                            (void *)&hashcode,
+                            (void*)strings[i],
+                            plContext));
+        }
+
+
+        /* ---------------------------- */
+        subTest("Compare each copy string with the hashtable entries ");
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object*)utf16strings[i],
+                            &hashcode,
+                            plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                            (ht,
+                            (void *)&hashcode,
+                            (PKIX_PL_Object**)&tempString,
+                            plContext));
+
+                if (tempString == NULL)
+                        testError("String not found in hashtable");
+                else {
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object*)tempString,
+                                    (PKIX_PL_Object*)utf16strings[i],
+                                    &result,
+                                    plContext));
+                        if (result == 0)
+                                testError("Strings do not match");
+                        PKIX_TEST_DECREF_BC(tempString);
+                }
+        }
+
+cleanup:
+
+        /* ---------------------------- */
+        subTest("Destroy All Objects");
+
+        PKIX_TEST_DECREF_AC(ht);
+
+        for (i = 0; i < size; i++) {
+                PKIX_TEST_DECREF_AC(strings[i]);
+                PKIX_TEST_DECREF_AC(utf16strings[i]);
+                PKIX_TEST_DECREF_AC(byteArrays[i]);
+        }
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Stress Test");
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c b/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c
new file mode 100644
index 000000000..236a1f295
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c
@@ -0,0 +1,227 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_bigint.c
+ *
+ * Tests BigInt Types
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createBigInt(
+        PKIX_PL_BigInt **bigInts,
+        char *bigIntAscii,
+        PKIX_Boolean errorHandling)
+{
+        PKIX_PL_String *bigIntString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    bigIntAscii,
+                                    PL_strlen(bigIntAscii),
+                                    &bigIntString,
+                                    plContext));
+
+        if (errorHandling){
+                PKIX_TEST_EXPECT_ERROR(PKIX_PL_BigInt_Create
+                                            (bigIntString,
+                                            bigInts,
+                                            plContext));
+        } else {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
+                                            (bigIntString,
+                                            bigInts,
+                                            plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(bigIntString);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testToString(
+        PKIX_PL_BigInt *bigInt,
+        char *expAscii)
+{
+        PKIX_PL_String *bigIntString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)bigInt,
+                                    &bigIntString, plContext));
+
+        temp = PKIX_String2ASCII(bigIntString, plContext);
+        if (temp == plContext){
+                testError("PKIX_String2Ascii failed");
+                goto cleanup;
+        }
+
+        if (PL_strcmp(temp, expAscii) != 0) {
+                (void) printf("\tBigInt ToString: %s %s\n", temp, expAscii);
+                testError("Output string does not match source");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(bigIntString);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCompare(
+        PKIX_PL_BigInt *firstBigInt,
+        PKIX_PL_BigInt *secondBigInt,
+        PKIX_Int32 *cmpResult)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare
+                                    ((PKIX_PL_Object*)firstBigInt,
+                                    (PKIX_PL_Object*)secondBigInt,
+                                    cmpResult, plContext));
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(
+        PKIX_PL_BigInt *bigInt)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(bigInt);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_bigint(int argc, char *argv[]) {
+
+        PKIX_UInt32 size = 4, badSize = 3, i = 0;
+        PKIX_PL_BigInt *testBigInt[4] = {NULL};
+        PKIX_Int32 cmpResult;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char *bigIntValue[4] =
+        {
+                "03",
+                "ff",
+                "1010101010101010101010101010101010101010",
+                "1010101010101010101010101010101010101010",
+        };
+
+        char *badValue[3] = {"00ff", "fff", "-ff"};
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("BigInts");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        for (i = 0; i < badSize; i++) {
+                subTest("PKIX_PL_BigInt_Create <error_handling>");
+                createBigInt(&testBigInt[i], badValue[i], PKIX_TRUE);
+        }
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_BigInt_Create");
+                createBigInt(&testBigInt[i], bigIntValue[i], PKIX_FALSE);
+        }
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (testBigInt[2],
+                testBigInt[3],
+                testBigInt[1],
+                bigIntValue[2],
+                BigInt,
+                PKIX_TRUE);
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_BigInt_ToString");
+                testToString(testBigInt[i], bigIntValue[i]);
+        }
+
+        subTest("PKIX_PL_BigInt_Compare <gt>");
+        testCompare(testBigInt[2], testBigInt[1], &cmpResult);
+        if (cmpResult <= 0){
+                testError("Invalid Result from String Compare");
+        }
+
+        subTest("PKIX_PL_BigInt_Compare <lt>");
+        testCompare(testBigInt[1], testBigInt[2], &cmpResult);
+        if (cmpResult >= 0){
+                testError("Invalid Result from String Compare");
+        }
+
+        subTest("PKIX_PL_BigInt_Compare <eq>");
+        testCompare(testBigInt[2], testBigInt[3], &cmpResult);
+        if (cmpResult != 0){
+                testError("Invalid Result from String Compare");
+        }
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_BigInt_Destroy");
+                testDestroy(testBigInt[i]);
+        }
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BigInt");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c b/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c
new file mode 100644
index 000000000..d59199a9c
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c
@@ -0,0 +1,274 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_bytearray.c
+ *
+ * Tests ByteArray types.
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createByteArray(
+        PKIX_PL_ByteArray **byteArray,
+        char *bytes,
+        PKIX_UInt32 length)
+{
+        PKIX_TEST_STD_VARS();
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
+                                    ((void*)bytes,
+                                    length,
+                                    byteArray,
+                                    plContext));
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testZeroLength(void)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        void *array = NULL;
+        PKIX_UInt32 length = 2;
+
+        PKIX_TEST_STD_VARS();
+
+        createByteArray(&byteArray, NULL, 0);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetLength
+                                    (byteArray, &length, plContext));
+        if (length != 0){
+                testError("Length should be zero");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetPointer
+                                    (byteArray, &array, plContext));
+        if (array){
+                testError("Array should be NULL");
+        }
+
+        testToStringHelper((PKIX_PL_Object *)byteArray, "[]", plContext);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testToString(
+        PKIX_PL_ByteArray *byteArray,
+        char *expAscii)
+{
+        PKIX_PL_String *string = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)byteArray,
+                                    &string, plContext));
+
+        temp = PKIX_String2ASCII(string, plContext);
+        if (temp == NULL){
+                testError("PKIX_String2Ascii failed");
+                goto cleanup;
+        }
+
+        if (PL_strcmp(temp, expAscii) != 0) {
+                (void) printf("\tByteArray ToString: %s %s\n", temp, expAscii);
+                testError("Output string does not match source");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(string);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetLength(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_UInt32 expLength)
+{
+        PKIX_UInt32 arrayLength;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetLength
+                                    (byteArray, &arrayLength, plContext));
+
+        if (arrayLength != expLength){
+                (void) printf("\tByteArray GetLength: %d %d\n",
+                            arrayLength, expLength);
+                testError("Incorrect Array Length returned");
+        }
+
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetPointer(
+        PKIX_PL_ByteArray *byteArray,
+        char *expBytes,
+        PKIX_UInt32 arrayLength)
+{
+        char *temp = NULL;
+        PKIX_UInt32 j;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetPointer
+                                    (byteArray, (void **)&temp, plContext));
+
+        for (j = 0; j < arrayLength; j++) {
+                if (temp[j] != expBytes[j]){
+                        testError("Incorrect Byte Array Contents");
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        PKIX_TEST_RETURN();
+}
+
+void
+testDestroy(
+        PKIX_PL_ByteArray *byteArray)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(byteArray);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_bytearray(int argc, char *argv[]) {
+
+        PKIX_PL_ByteArray *testByteArray[4];
+
+        PKIX_UInt32 i, size = 4;
+        PKIX_UInt32 lengths[4] = {5, 6, 1, 5};
+        char dArray0[5] = {1, 2, 3, 4, 5};
+        unsigned char dArray1[6] = {127, 128, 129, 254, 255, 0};
+        char dArray2[1] = {100};
+        char dArray3[5] = {1, 2, 3, 4, 5};
+
+        char *expected[4] = {
+                "[001, 002, 003, 004, 005]",
+                "[127, 128, 129, 254, 255, 000]",
+                "[100]",
+                "[001, 002, 003, 004, 005]"
+        };
+
+        char *dummyArray[4];
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        dummyArray[0] = dArray0;
+        dummyArray[1] = (char*)dArray1;
+        dummyArray[2] = dArray2;
+        dummyArray[3] = dArray3;
+
+        startTests("ByteArrays");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest ("PKIX_PL_ByteArray_Create <zero length>");
+        testZeroLength();
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_ByteArray_Create");
+                createByteArray(&testByteArray[i], dummyArray[i], lengths[i]);
+        }
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (testByteArray[0],
+                testByteArray[3],
+                testByteArray[1],
+                "[001, 002, 003, 004, 005]",
+                ByteArray,
+                PKIX_TRUE);
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_ByteArray_ToString");
+                testToString(testByteArray[i], expected[i]);
+        }
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_ByteArray_GetLength");
+                testGetLength(testByteArray[i], lengths[i]);
+        }
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_ByteArray_GetPointer");
+                testGetPointer(testByteArray[i], dummyArray[i], lengths[i]);
+        }
+
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_ByteArray_Destroy");
+                testDestroy(testByteArray[i]);
+        }
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("ByteArray");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c b/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c
new file mode 100644
index 000000000..57bcb7cc4
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c
@@ -0,0 +1,458 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_hashtable.c
+ *
+ * Tests Hashtables
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createHashTables(
+        PKIX_PL_HashTable **ht,
+        PKIX_PL_HashTable **ht2,
+        PKIX_PL_HashTable **ht3,
+        PKIX_PL_HashTable **ht4)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
+                (1, 0, ht, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
+                (5, 0, ht2, plContext));
+
+        /* at most two entries per bucket */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
+                (1, 2, ht4, plContext));
+
+        *ht3 = *ht;
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_IncRef((PKIX_PL_Object*)*ht3, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testAdd(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_HashTable *ht2,
+        PKIX_PL_String **testString,
+        PKIX_PL_String **testString2,
+        PKIX_PL_String **testString3,
+        PKIX_PL_OID **testOID)
+{
+        char* dummyString = "test string 1";
+        char* dummyString2 = "test string 2";
+        char* dummyString3 = "test string 3";
+        char* dummyOID = "2.11.22222.33333";
+
+        PKIX_TEST_STD_VARS();
+
+        /* Make some dummy objects */
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create(
+                                PKIX_ESCASCII,
+                                dummyString,
+                                PL_strlen(dummyString),
+                                testString,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create(
+                                PKIX_ESCASCII,
+                                dummyString2,
+                                PL_strlen(dummyString2),
+                                testString2,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create(
+                                PKIX_ESCASCII,
+                                dummyString3,
+                                PL_strlen(dummyString3),
+                                testString3,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_OID_Create(dummyOID, testOID, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testString,
+                (PKIX_PL_Object *)*testString2,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht2,
+                (PKIX_PL_Object *)*testString,
+                (PKIX_PL_Object *)*testString2,
+                plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testString2,
+                (PKIX_PL_Object *)*testString,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht2,
+                (PKIX_PL_Object *)*testString2,
+                (PKIX_PL_Object *)*testString,
+                plContext));
+
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testOID,
+                (PKIX_PL_Object *)*testOID,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht2,
+                (PKIX_PL_Object *)*testOID,
+                (PKIX_PL_Object *)*testOID,
+                plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testAddFIFO(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_String **testString,
+        PKIX_PL_String **testString2,
+        PKIX_PL_String **testString3)
+{
+        PKIX_PL_String *targetString = NULL;
+        PKIX_Boolean cmpResult;
+
+        PKIX_TEST_STD_VARS();
+
+        /*
+         * ht is created as one bucket, two entries per bucket. Since we add
+         * three items to the ht, we expect the first one to be deleted.
+         */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testString,
+                (PKIX_PL_Object *)*testString,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testString2,
+                (PKIX_PL_Object *)*testString2,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
+                (ht,
+                (PKIX_PL_Object *)*testString3,
+                (PKIX_PL_Object *)*testString3,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                                    (ht,
+                                    (PKIX_PL_Object *)*testString,
+                                    (PKIX_PL_Object**)&targetString,
+                                    plContext));
+        if (targetString != NULL) {
+                testError("HashTable_Lookup retrieved a supposed deleted item");
+                PKIX_TEST_DECREF_BC(targetString);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                                    (ht,
+                                    (PKIX_PL_Object *)*testString3,
+                                    (PKIX_PL_Object**)&targetString,
+                                    plContext));
+
+         PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetString,
+                                    (PKIX_PL_Object *)*testString3,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testLookup(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_HashTable *ht2,
+        PKIX_PL_String *testString,
+        PKIX_PL_String *testString2,
+        PKIX_PL_String *testString3,
+        PKIX_PL_OID *testOID)
+{
+        PKIX_PL_String *targetString = NULL;
+        PKIX_PL_String *targetOID = NULL;
+        PKIX_Boolean cmpResult;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                                    (ht,
+                                    (PKIX_PL_Object *)testString,
+                                    (PKIX_PL_Object**)&targetString,
+                                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetString,
+                                    (PKIX_PL_Object *)testString2,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                (ht2,
+                (PKIX_PL_Object *)testString,
+                (PKIX_PL_Object**)&targetString,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetString,
+                                    (PKIX_PL_Object *)testString2,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                (ht2,
+                (PKIX_PL_Object *)testString2,
+                (PKIX_PL_Object**)&targetString,
+                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetString,
+                                    (PKIX_PL_Object *)testString,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                (ht,
+                (PKIX_PL_Object *)testOID,
+                (PKIX_PL_Object**)&targetOID,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)targetOID, &targetString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetOID,
+                                    (PKIX_PL_Object *)testOID,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+        PKIX_TEST_DECREF_BC(targetOID);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                (ht2,
+                (PKIX_PL_Object *)testOID,
+                (PKIX_PL_Object**)&targetOID,
+                plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)targetOID, &targetString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals(
+                                    (PKIX_PL_Object *)targetOID,
+                                    (PKIX_PL_Object *)testOID,
+                                    &cmpResult,
+                                    plContext));
+        if (cmpResult != PKIX_TRUE){
+                testError("HashTable_Lookup failed");
+        }
+        PKIX_TEST_DECREF_BC(targetString);
+        PKIX_TEST_DECREF_BC(targetOID);
+
+        (void) printf("Looking up item not in HashTable.\n");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
+                (ht,
+                (PKIX_PL_Object *)testString3,
+                (PKIX_PL_Object**)&targetString,
+                plContext));
+        if (targetString == NULL)
+                (void) printf("\tCorrectly returned NULL.\n");
+        else
+                testError("Hashtable did not return NULL value as expected");
+
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testRemove(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_HashTable *ht2,
+        PKIX_PL_String *testString,
+        PKIX_PL_String *testString2,
+        PKIX_PL_OID *testOID)
+{
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
+                                (ht,
+                                (PKIX_PL_Object *)testString,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
+                                (ht,
+                                (PKIX_PL_Object *)testOID,
+                                plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
+                                (ht2,
+                                (PKIX_PL_Object *)testString2,
+                                plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_HashTable_Remove
+                            (ht,
+                            (PKIX_PL_Object *)testString,
+                            plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_HashTable *ht2,
+        PKIX_PL_HashTable *ht3,
+        PKIX_PL_HashTable *ht4)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(ht);
+        PKIX_TEST_DECREF_BC(ht2);
+        PKIX_TEST_DECREF_BC(ht3);
+        PKIX_TEST_DECREF_BC(ht4);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+
+
+
+int test_hashtable(int argc, char *argv[]) {
+
+        PKIX_PL_HashTable *ht, *ht2, *ht3, *ht4;
+        PKIX_PL_String *testString, *testString2, *testString3;
+        PKIX_PL_OID *testOID;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("HashTables");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_HashTable_Create");
+        createHashTables(&ht, &ht2, &ht3, &ht4);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (ht,
+                ht3,
+                ht2,
+                NULL,
+                HashTable,
+                PKIX_FALSE);
+
+        subTest("PKIX_PL_HashTable_Add");
+        testAdd(ht, ht2, &testString, &testString2, &testString3, &testOID);
+
+        subTest("PKIX_PL_HashTable_ADD - with Bucket Size limit");
+        testAddFIFO(ht4, &testString, &testString2, &testString3);
+
+        subTest("PKIX_PL_HashTable_Lookup");
+        testLookup(ht, ht2, testString, testString2, testString3, testOID);
+
+        subTest("PKIX_PL_HashTable_Remove");
+        testRemove(ht, ht2, testString, testString2, testOID);
+
+        PKIX_TEST_DECREF_BC(testString);
+        PKIX_TEST_DECREF_BC(testString2);
+        PKIX_TEST_DECREF_BC(testString3);
+        PKIX_TEST_DECREF_BC(testOID);
+
+        subTest("PKIX_PL_HashTable_Destroy");
+        testDestroy(ht, ht2, ht3, ht4);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("BigInt");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c
new file mode 100644
index 000000000..e5a749bea
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c
@@ -0,0 +1,164 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_mem.c
+ *
+ * Tests Malloc, Realloc and Free
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void testMalloc(PKIX_UInt32 **array)
+{
+        PKIX_UInt32 i, arraySize = 10;
+        PKIX_TEST_STD_VARS();
+
+        /* Create an integer array of size 10 */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(
+                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
+                            (void **) array, plContext));
+
+        /* Fill in some values */
+        (void) printf ("Setting array[i] = i...\n");
+        for (i = 0; i < arraySize; i++) {
+                (*array)[i] = i;
+                if ((*array)[i] != i)
+                        testError("Array has incorrect contents");
+        }
+
+        /* Memory now reflects changes */
+        (void) printf("\tArray: a[0] = %d, a[5] = %d, a[7] = %d.\n",
+                    (*array[0]), (*array)[5], (*array)[7]);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testRealloc(PKIX_UInt32 **array)
+{
+        PKIX_UInt32 i, arraySize = 20;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Realloc(*array,
+                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
+                            (void **) array, plContext));
+
+        /* Fill in the new elements */
+        (void) printf ("Setting new portion of array to a[i] = i...\n");
+        for (i = arraySize/2; i < arraySize; i++) {
+                (*array)[i] = i;
+                if ((*array)[i] != i)
+                        testError("Array has incorrect contents");
+        }
+
+        /* New elements should be reflected. The old should be the same */
+        (void) printf("\tArray: a[0] = %d, a[15] = %d, a[17] = %d.\n",
+                      (*array)[0], (*array)[15], (*array)[17]);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testFree(PKIX_UInt32 *array)
+{
+
+        PKIX_TEST_STD_VARS();
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(array, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+int test_mem(int argc, char *argv[]) {
+
+        unsigned int *array = NULL;
+        int arraySize = 10;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Memory Allocation");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_Malloc");
+        testMalloc(&array);
+
+        subTest("PKIX_PL_Realloc");
+        testRealloc(&array);
+
+        subTest("PKIX_PL_Free");
+        testFree(array);
+
+        /* --Negative Test Cases------------------- */
+        /* Create an integer array of size 10 */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(
+                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
+                            (void **) &array, plContext));
+
+        (void) printf("Attempting to reallocate 0 sized memory...\n");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Realloc(array, 0, (void **) &array, plContext));
+
+        (void) printf("Attempting to allocate to null pointer...\n");
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Malloc(10, NULL, plContext));
+
+        (void) printf("Attempting to reallocate to null pointer...\n");
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Realloc(NULL, 10, NULL, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(array, plContext));
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("Memory Allocation");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c b/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c
new file mode 100644
index 000000000..a21a620c6
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c
@@ -0,0 +1,144 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_monitorlock.c
+ *
+ * Tests basic MonitorLock object functionality. No multi-threading.
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createMonitorLockes(
+        PKIX_PL_MonitorLock **monitorLock,
+        PKIX_PL_MonitorLock **monitorLock2,
+        PKIX_PL_MonitorLock **monitorLock3)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Create
+                (monitorLock, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Create
+                (monitorLock2, plContext));
+
+        *monitorLock3 = *monitorLock;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
+                ((PKIX_PL_Object*)*monitorLock3, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testLock(PKIX_PL_MonitorLock *monitorLock)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Enter
+                (monitorLock, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Enter
+                (monitorLock, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Exit
+                (monitorLock, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Exit
+                (monitorLock, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testDestroy(
+        PKIX_PL_MonitorLock *monitorLock,
+        PKIX_PL_MonitorLock *monitorLock2,
+        PKIX_PL_MonitorLock *monitorLock3)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(monitorLock);
+        PKIX_TEST_DECREF_BC(monitorLock2);
+        PKIX_TEST_DECREF_BC(monitorLock3);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+int test_monitorlock(int argc, char *argv[]) {
+
+        PKIX_PL_MonitorLock *monitorLock, *monitorLock2, *monitorLock3;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("MonitorLocks");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_MonitorLock_Create");
+        createMonitorLockes(&monitorLock, &monitorLock2, &monitorLock3);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (monitorLock,
+                monitorLock3,
+                monitorLock2,
+                NULL,
+                MonitorLock,
+                PKIX_FALSE);
+
+        subTest("PKIX_PL_MonitorLock_Lock/Unlock");
+        testLock(monitorLock);
+
+        subTest("PKIX_PL_MonitorLock_Destroy");
+        testDestroy(monitorLock, monitorLock2, monitorLock3);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("MonitorLockes");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c
new file mode 100644
index 000000000..981beb698
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c
@@ -0,0 +1,136 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_mutex.c
+ *
+ * Tests basic mutex object functionality. No multi-threading.
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static
+void createMutexes(
+        PKIX_PL_Mutex **mutex,
+        PKIX_PL_Mutex **mutex2,
+        PKIX_PL_Mutex **mutex3)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(mutex, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(mutex2, plContext));
+
+        *mutex3 = *mutex;
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_IncRef((PKIX_PL_Object*)*mutex3, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testLock(PKIX_PL_Mutex *mutex)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Lock(mutex, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Unlock(mutex, plContext));
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+static
+void testDestroy(
+        PKIX_PL_Mutex *mutex,
+        PKIX_PL_Mutex *mutex2,
+        PKIX_PL_Mutex *mutex3)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(mutex);
+        PKIX_TEST_DECREF_BC(mutex2);
+        PKIX_TEST_DECREF_BC(mutex3);
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+int test_mutex(int argc, char *argv[]) {
+
+        PKIX_PL_Mutex *mutex, *mutex2, *mutex3;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Mutexes");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_Mutex_Create");
+        createMutexes(&mutex, &mutex2, &mutex3);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (mutex,
+                mutex3,
+                mutex2,
+                NULL,
+                Mutex,
+                PKIX_FALSE);
+
+        subTest("PKIX_PL_Mutex_Lock/Unlock");
+        testLock(mutex);
+
+        subTest("PKIX_PL_Mutex_Destroy");
+        testDestroy(mutex, mutex2, mutex3);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Mutexes");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c
new file mode 100644
index 000000000..5edcb24ac
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c
@@ -0,0 +1,193 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_mutex2.c
+ *
+ * Tests multi-threaded functionality of Mutex
+ *
+ */
+
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static int box1 = 0, box2 = 0, box3 = 0;
+static PKIX_PL_Mutex *mutex;
+static PRCondVar *cv;
+static void *plContext = NULL;
+
+static void consumer(/* ARGSUSED */ void* arg) {
+        PRStatus status = PR_SUCCESS;
+        PKIX_Error *errorResult;
+        int i = 0;
+        for (i = 0; i < 5; i++) {
+                (void) PKIX_PL_Mutex_Lock(mutex, plContext);
+                while (((box1 == 0) ||
+                        (box2 == 0) ||
+                        (box3 == 0)) &&
+                        (status == PR_SUCCESS))
+                        status = PR_WaitCondVar(cv, PR_INTERVAL_NO_TIMEOUT);
+
+                (void) printf("\tConsumer got Box1 = %d ", box1);
+                box1 = 0;
+                (void) printf("Box2 = %d ", box2);
+                box2 = 0;
+                (void) printf("Box3 = %d\n", box3);
+                box3 = 0;
+
+                status = PR_NotifyAllCondVar(cv);
+                if (status == PR_FAILURE)
+                        (void) printf
+                                ("Consumer error while notifying condvar\n");
+                errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
+                if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
+        }
+        (void) printf("Consumer exiting...\n");
+}
+
+static void producer(void* arg) {
+        PRStatus status = PR_SUCCESS;
+        int value = *(int*)arg;
+        int i = 0;
+        int *box;
+        PKIX_Error *errorResult;
+        if (value == 10) box = &box1;
+        else if (value == 20) box = &box2;
+        else if (value == 30) box = &box3;
+
+        for (i = 0; i < 5; i++) {
+                (void) PKIX_PL_Mutex_Lock(mutex, plContext);
+                while ((*box != 0) && (status == PR_SUCCESS))
+                        status = PR_WaitCondVar(cv, PR_INTERVAL_NO_TIMEOUT);
+
+                *box = i+1;
+                (void) printf
+                        ("\tProducer %d put value: %d\n", value, *box);
+
+                status = PR_NotifyAllCondVar(cv);
+                if (status == PR_FAILURE)
+                        (void) printf
+                                ("Producer %d error while notifying condvar\n",
+                                value);
+                errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
+                if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
+        }
+}
+
+int test_mutex2(int argc, char *argv[]) {
+
+        PRThread *consThread, *prodThread, *prodThread2, *prodThread3;
+        int x = 10, y = 20, z = 30;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Mutex and Threads");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        (void) printf("Attempting to create new mutex...\n");
+        subTest("Mutex Creation");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(&mutex, plContext));
+
+        cv = PR_NewCondVar(*(PRLock **) mutex);
+
+        subTest("Starting consumer thread");
+        consThread = PR_CreateThread(PR_USER_THREAD,
+                            consumer,
+                            NULL,
+                            PR_PRIORITY_NORMAL,
+                            PR_LOCAL_THREAD,
+                            PR_JOINABLE_THREAD,
+                            0);
+
+        subTest("Starting producer thread 1");
+        prodThread = PR_CreateThread(PR_USER_THREAD,
+                                        producer,
+                                        &x,
+                                        PR_PRIORITY_NORMAL,
+                                        PR_LOCAL_THREAD,
+                                        PR_JOINABLE_THREAD,
+                                        0);
+
+        subTest("Starting producer thread 2");
+        prodThread2 = PR_CreateThread(PR_USER_THREAD,
+                                        producer,
+                                        &y,
+                                        PR_PRIORITY_NORMAL,
+                                        PR_LOCAL_THREAD,
+                                        PR_JOINABLE_THREAD,
+                                        0);
+
+        subTest("Starting producer thread 3");
+        prodThread3 = PR_CreateThread(PR_USER_THREAD,
+                                        producer,
+                                        &z,
+                                        PR_PRIORITY_NORMAL,
+                                        PR_LOCAL_THREAD,
+                                        PR_JOINABLE_THREAD,
+                                        0);
+
+
+        PR_JoinThread(consThread);
+
+        (void) PR_DestroyCondVar(cv);
+        PKIX_TEST_DECREF_BC(mutex);
+
+        /*
+         * Note: we should also be freeing each thread's stack, but we
+         * don't have access to the prodThread->stack variable (since
+         * it is not exported). As a result, we have 120 bytes of memory
+         * leakage.
+         */
+
+        PR_Free(prodThread);
+        PR_Free(prodThread2);
+        PR_Free(prodThread3);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Mutex and Threads");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c
new file mode 100644
index 000000000..9eaa2cdcf
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c
@@ -0,0 +1,127 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_mutex3.c
+ *
+ * Tests multi-threaded functionality of Mutex
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static PKIX_PL_Mutex *mutex;
+static void *plContext = NULL;
+
+static void t1(/* ARGSUSED */ void* arg) {
+        PKIX_Error *errorResult;
+
+        (void) printf("t1 acquiring lock...\n");
+        errorResult = PKIX_PL_Mutex_Lock(mutex, plContext);
+        if (errorResult) testError("PKIX_PL_Mutex_Lock failed");
+
+        (void) printf("t1 sleeplng for 3 seconds\n");
+        PR_Sleep(PR_SecondsToInterval(3));
+        (void) printf("t1 releasing lock...\n");
+
+        errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
+        if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
+
+        (void) printf("t1 exiting...\n");
+}
+
+static void t2(/* ARGSUSED */ void* arg) {
+        PKIX_Error *errorResult;
+
+        (void) printf("t2 acquiring lock...\n");
+        errorResult = PKIX_PL_Mutex_Lock(mutex, plContext);
+        if (errorResult) testError("PKIX_PL_Mutex_Lock failed");
+
+        (void) printf("t2 releasing lock...\n");
+        errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
+        if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
+
+        (void) printf("t2 exiting...\n");
+}
+
+int test_mutex3(int argc, char *argv[]) {
+        PRThread *thread, *thread2;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Mutex and Threads");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("Mutex Creation");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(&mutex, plContext));
+
+        subTest("Starting thread");
+        thread = PR_CreateThread(PR_USER_THREAD,
+                                t1,
+                                NULL,
+                                PR_PRIORITY_NORMAL,
+                                PR_LOCAL_THREAD,
+                                PR_JOINABLE_THREAD,
+                                0);
+
+        thread2 = PR_CreateThread(PR_USER_THREAD,
+                                t2,
+                                NULL,
+                                PR_PRIORITY_NORMAL,
+                                PR_LOCAL_THREAD,
+                                PR_JOINABLE_THREAD,
+                                0);
+
+        PR_JoinThread(thread2);
+        PR_JoinThread(thread);
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(mutex);
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Mutex and Threads");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_object.c b/security/nss/cmd/libpkix/pkix_pl/system/test_object.c
new file mode 100644
index 000000000..5d83ac966
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_object.c
@@ -0,0 +1,322 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_object.c
+ *
+ * Test Object Allocation, toString, Equals, Destruction
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static PKIX_Error *
+destructor(
+        /* ARGSUSED */ PKIX_PL_Object *object,
+        /* ARGSUSED */ void *plContext)
+{
+        (void) printf("\tUser defined destructor called\n");
+        return (NULL);
+}
+
+static PKIX_Error*
+toStringCallback(
+        PKIX_PL_Object *obj,
+        PKIX_PL_String **pString,
+        /* ARGSUSED */ void* plContext) {
+
+        PKIX_Error *errorResult;
+        PKIX_UInt32 type;
+        char *format = "(addr: %x, type: %d)";
+        PKIX_PL_String *formatString = NULL;
+
+        errorResult = PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        format,
+                                        PL_strlen(format),
+                                        &formatString,
+                                        plContext);
+        if (errorResult) testError("PKIX_PL_String_Create failed");
+
+        if (pString == plContext)
+                testError("Null String");
+
+        type = (unsigned int)0;
+
+        (void) PKIX_PL_Object_GetType(obj, &type, plContext);
+
+        errorResult = PKIX_PL_Sprintf(pString, plContext,
+                                    formatString,
+                                    (int)obj, type);
+        if (errorResult) testError("PKIX_PL_Sprintf failed");
+
+
+        errorResult = PKIX_PL_Object_DecRef((PKIX_PL_Object*)formatString,
+                                        plContext);
+        if (errorResult) testError("PKIX_PL_Object_DecRef failed");
+
+        return (NULL);
+}
+
+static PKIX_Error *
+comparator(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Int32 *pValue,
+        /* ARGSUSED */ void *plContext)
+{
+        if (*(char *)first > *(char *)second)
+                *pValue = 1;
+        else if (*(char *)first < *(char *)second)
+                *pValue = -1;
+        else
+                *pValue = 0;
+        return (NULL);
+}
+
+
+static PKIX_Error *
+hashcodeCallback(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pValue,
+        /* ARGSUSED */ void *plContext)
+{
+        *pValue = 123456789;
+        return (NULL);
+}
+
+static PKIX_Error*
+equalsCallback(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *result,
+        void* plContext) {
+
+        PKIX_UInt32 firstType = 0, secondType = 0;
+
+        if ((first == plContext)||(second == plContext))
+                testError("Null Object");
+
+        (void) PKIX_PL_Object_GetType(first, &firstType, plContext);
+
+        (void) PKIX_PL_Object_GetType(second, &secondType, plContext);
+
+        *result = (firstType == secondType)?PKIX_TRUE:PKIX_FALSE;
+
+        return (NULL);
+}
+
+static void
+createObjects(
+        PKIX_PL_Object **obj,
+        PKIX_PL_Object **obj2,
+        PKIX_PL_Object **obj3,
+        PKIX_PL_Object **obj4)
+{
+        PKIX_TEST_STD_VARS();
+
+#ifdef PKIX_USER_OBJECT_TYPE
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_RegisterType
+                    (1000, /* type */
+                    "thousand", /* description */
+                    NULL, /* destructor */
+                    NULL, /* equals */
+                    (PKIX_PL_HashcodeCallback)hashcodeCallback,
+                    NULL,  /* toString */
+                    NULL,  /* Comparator */
+                    NULL,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
+                    (1000, /* type */
+                    12, /* size */
+                    obj,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_RegisterType
+                    (2000, /* type */
+                    "two thousand" /* description */,
+                    (PKIX_PL_DestructorCallback)destructor,
+                    (PKIX_PL_EqualsCallback)equalsCallback,
+                    NULL, /* hashcode */
+                    (PKIX_PL_ToStringCallback)toStringCallback,
+                    (PKIX_PL_ComparatorCallback)comparator,
+                    NULL,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
+                    (2000, /* type */
+                    1, /* size */
+                    obj2,
+                    plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
+                    (2000, /* type */
+                    1, /* size */
+                    obj4,
+                    plContext));
+
+        *obj3 = *obj;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef(*obj3, plContext));
+
+cleanup:
+#endif /* PKIX_USER_OBJECT_TYPE */
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testGetType(
+            PKIX_PL_Object *obj,
+            PKIX_PL_Object *obj2,
+            PKIX_PL_Object *obj3)
+{
+        PKIX_UInt32 testType;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_GetType(obj, &testType, plContext));
+
+        if (testType != 1000)
+                testError("Object 1 returned the wrong type");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_GetType(obj2, &testType, plContext));
+        if (testType != 2000)
+                testError("Object 2 returned the wrong type");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_GetType(obj3, &testType, plContext));
+        if (testType != 1000)
+                testError("Object 3 returned the wrong type");
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCompare(
+            PKIX_PL_Object *obj2,
+            PKIX_PL_Object *obj4)
+{
+        PKIX_Int32 cmpResult;
+        PKIX_TEST_STD_VARS();
+
+        *(char *)obj2 = 0x20;
+        *(char *)obj4 = 0x10;
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Compare(obj2, obj4, &cmpResult, plContext));
+        if (cmpResult <= 0) testError("Invalid Result from Object Compare");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Compare(obj4, obj2, &cmpResult, plContext));
+        if (cmpResult >= 0) testError("Invalid Result from Object Compare");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Compare(obj4, obj4, &cmpResult, plContext));
+
+        *(char *)obj2 = 0x10;
+        if (cmpResult != 0) testError("Invalid Result from Object Compare");
+
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testDestroy(
+            PKIX_PL_Object *obj,
+            PKIX_PL_Object *obj2,
+            PKIX_PL_Object *obj3,
+            PKIX_PL_Object *obj4)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(obj);
+        PKIX_TEST_DECREF_BC(obj2);
+        PKIX_TEST_DECREF_BC(obj3);
+        PKIX_TEST_DECREF_BC(obj4);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_object(int argc, char *argv[]) {
+
+#ifdef PKIX_USER_OBJECT_TYPE
+        PKIX_PL_Object *obj, *obj2, *obj3, *obj4;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Objects");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_Object_Create");
+        createObjects(&obj, &obj2, &obj3, &obj4);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP(obj, obj3, obj2, NULL, Object, PKIX_FALSE);
+
+        subTest("PKIX_PL_Object_GetType");
+        testGetType(obj, obj2, obj3);
+
+        subTest("PKIX_PL_Object_Compare");
+        testCompare(obj2, obj4);
+
+        subTest("PKIX_PL_Object_Destroy");
+        testDestroy(obj, obj2, obj3, obj4);
+
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("Objects");
+#endif /* PKIX_USER_OBJECT_TYPE */
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c b/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c
new file mode 100644
index 000000000..819a95a50
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c
@@ -0,0 +1,246 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_oid.c
+ *
+ * Test OID Types
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createOID(
+        PKIX_PL_OID **testOID,
+        char *oidAscii,
+        PKIX_Boolean errorHandling)
+{
+        PKIX_TEST_STD_VARS();
+
+        if (errorHandling){
+                PKIX_TEST_EXPECT_ERROR
+                        (PKIX_PL_OID_Create(oidAscii, testOID, plContext));
+        } else {
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_OID_Create(oidAscii, testOID, plContext));
+        }
+
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testToString(
+        PKIX_PL_OID *oid,
+        char *expAscii)
+{
+        PKIX_PL_String *oidString = NULL;
+        char *temp = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)oid,
+                                    &oidString, plContext));
+
+        temp = PKIX_String2ASCII(oidString, plContext);
+        if (temp == NULL){
+                testError("PKIX_String2Ascii failed");
+                goto cleanup;
+        }
+
+        if (PL_strcmp(temp, expAscii) != 0) {
+                (void) printf("\tOid ToString: %s %s\n", temp, expAscii);
+                testError("Output string does not match source");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(oidString);
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testCompare(
+            PKIX_PL_OID *oid0,
+            PKIX_PL_OID *oid1,
+            PKIX_PL_OID *oid2,
+            PKIX_PL_OID *oid3)
+{
+        PKIX_Int32 cmpResult;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid0,
+                                            (PKIX_PL_Object*)oid1,
+                                            &cmpResult, plContext));
+        if (cmpResult <= 0) testError("Invalid Result from OID Compare");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
+                                        (PKIX_PL_Object*)oid0,
+                                        &cmpResult, plContext));
+        if (cmpResult >= 0) testError("Invalid Result from OID Compare");
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
+                                        (PKIX_PL_Object*)oid2,
+                                        &cmpResult, plContext));
+        if (cmpResult >= 0) testError("Invalid Result from OID Compare");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid2,
+                                        (PKIX_PL_Object*)oid1,
+                                        &cmpResult, plContext));
+        if (cmpResult <= 0) testError("Invalid Result from OID Compare");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
+                                        (PKIX_PL_Object*)oid3,
+                                        &cmpResult, plContext));
+        if (cmpResult != 0) testError("Invalid Result from OID Compare");
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(
+        PKIX_PL_OID *oid)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(oid);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+
+int test_oid(int argc, char *argv[]) {
+
+        PKIX_PL_OID *testOID[6] = {NULL};
+        PKIX_PL_OID *badTestOID = NULL;
+        PKIX_UInt32 i, size = 6;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        char* validOID[6] = {
+                "2.11.22222.33333",
+                "1.2.3.004.5.6.7",
+                "2.11.22222.33333",
+                "1.2.3.4.5.6.7",
+                "1.2.3",
+                "2.39.3"
+        };
+
+        char* expected[6] = {
+                "2.11.22222.33333",
+                "1.2.3.4.5.6.7",
+                "2.11.22222.33333",
+                "1.2.3.4.5.6.7",
+                "1.2.3",
+                "2.39.3"
+        };
+
+        char *badOID[11] = {
+                "1.2.4294967299",
+                "this. is. a. bad. oid",
+                "00a1000.002b",
+                "100.-5.10",
+                "1.2..3",
+                ".1.2.3",
+                "1.2.3.",
+                "00010.1.2.3",
+                "1.000041.2.3",
+                "000000000000000000000000000000000000000010.3.2",
+                "1"
+        };
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("OIDs");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_OID_Create");
+                createOID(&testOID[i], validOID[i], PKIX_FALSE);
+        }
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (testOID[0],
+                testOID[2],
+                testOID[1],
+                NULL,
+                OID,
+                PKIX_FALSE);
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_OID_ToString");
+                testToString(testOID[i], expected[i]);
+        }
+
+        subTest("PKIX_PL_OID_Compare");
+        testCompare(testOID[0], testOID[1], testOID[2], testOID[3]);
+
+        for (i = 0; i < size; i++) {
+                subTest("PKIX_PL_OID_Destroy");
+                testDestroy(testOID[i]);
+        }
+
+        for (i = 0; i < 11; i++) {
+                subTest("PKIX_PL_OID Error Handling");
+                createOID(&badTestOID, badOID[i], PKIX_TRUE);
+        }
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        endTests("OIDs");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c b/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c
new file mode 100644
index 000000000..ad48ee83a
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c
@@ -0,0 +1,227 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_rwlock.c
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static PKIX_PL_RWLock *rwlock = NULL, *rwlock2 = NULL, *rwlock3 = NULL;
+static PRThread *thread = NULL, *thread2 = NULL, *thread3 = NULL;
+static void *plContext = NULL;
+
+static void reader(void) {
+        PKIX_Error *errorResult;
+
+        errorResult = PKIX_PL_AcquireReaderLock(rwlock, NULL);
+        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
+
+        (void) printf("\t[Thread #1 Read Lock #1.]\n");
+        (void) printf("\t[Thread #1 Sleeplng for 1 seconds.]\n");
+        PR_Sleep(PR_SecondsToInterval(1));
+        PKIX_PL_ReleaseReaderLock(rwlock, NULL);
+        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
+        (void) printf("\t[Thread #1 Read UNLock #1.]\n");
+}
+
+
+static void writer(void) {
+        PKIX_Error *errorResult;
+        /* This thread should stick here until lock 1 is released */
+        PKIX_PL_AcquireWriterLock(rwlock, NULL);
+        if (errorResult) testError("PKIX_PL_AcquireWriterLock failed");
+
+        (void) printf("\t[Thread #2 Write Lock #1.]\n");
+
+        PKIX_PL_AcquireWriterLock(rwlock2, NULL);
+        if (errorResult) testError("PKIX_PL_AcquireWriterLock failed");
+        (void) printf("\t[Thread #2 Write Lock #2.]\n");
+
+        (void) printf("\t[Thread #2 Sleeplng for 1 seconds.]\n");
+        PR_Sleep(PR_SecondsToInterval(1));
+
+        PKIX_PL_ReleaseWriterLock(rwlock2, NULL);
+        if (errorResult) testError("PKIX_PL_ReleaseWriterLock failed");
+        (void) printf("\t[Thread #2 Write UNLock #2.]\n");
+
+        (void) printf("\t[Thread #2 Sleeplng for 1 seconds.]\n");
+        PR_Sleep(PR_SecondsToInterval(1));
+
+        PKIX_PL_ReleaseWriterLock(rwlock, NULL);
+        if (errorResult) testError("PKIX_PL_ReleaseWriterLock failed");
+        (void) printf("\t[Thread #2 Write UNLock #1.]\n");
+
+        PR_JoinThread(thread3);
+}
+
+static void reader2(void) {
+        PKIX_Error *errorResult;
+        /* Reader 2 should yield here until the writer is done */
+
+        PKIX_PL_AcquireReaderLock(rwlock2, NULL);
+        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
+
+        (void) printf("\t[Thread #3 Read Lock #2.]\n");
+
+        PKIX_PL_AcquireReaderLock(rwlock3, NULL);
+        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
+        (void) printf("\t[Thread #3 Read Lock #3.]\n");
+
+        (void) printf("\t[Thread #3 Sleeplng for 1 seconds.]\n");
+        PR_Sleep(PR_SecondsToInterval(1));
+
+        PKIX_PL_ReleaseReaderLock(rwlock3, NULL);
+        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
+        (void) printf("\t[Thread #3 Read UNLock #3.]\n");
+
+        (void) printf("\t[Thread #3 Sleeplng for 1 seconds.]\n");
+        PR_Sleep(PR_SecondsToInterval(1));
+
+        PKIX_PL_ReleaseReaderLock(rwlock2, NULL);
+        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
+        (void) printf("\t[Thread #3 Read UNLock #2.]\n");
+}
+
+
+
+int test_rwlock() {
+        PKIX_PL_String* outputString = NULL;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean bool;
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_TEST_STD_VARS();
+        startTests("RWLocks");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        (void) printf("Attempting to create new rwlock...\n");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock2, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock3, plContext));
+
+        /* Test toString functionality */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)rwlock, &outputString, plContext));
+
+        (void) printf("Testing RWLock toString: %s\n",
+                PKIX_String2ASCII(outputString));
+
+        PKIX_TEST_DECREF_BC(outputString);
+
+        /* Call Equals on two different objects */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object*)rwlock,
+                (PKIX_PL_Object*)rwlock2,
+                &bool,
+                plContext));
+
+        (void) printf("Testing RWLock Equals: %d (should be 0)\n", bool);
+
+        if (bool != 0)
+                testError("Error in RWLock_Equals");
+
+        /* Call Equals on two equal objects */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object*)rwlock,
+                            (PKIX_PL_Object*)rwlock, &bool, plContext));
+
+        (void) printf("Testing RWLock Equals: %d (should be 1)\n", bool);
+        if (bool != 1)
+                testError("Error in RWLock_Equals");
+
+        subTest("Multi-Thread Read/Write Lock Testing");
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_AcquireReaderLock(rwlock, plContext));
+        (void) printf("\t[Main Thread Read Lock #1.]\n");
+
+        thread = PR_CreateThread(PR_USER_THREAD,
+                            reader,
+                            NULL,
+                            PR_PRIORITY_NORMAL,
+                            PR_LOCAL_THREAD,
+                            PR_JOINABLE_THREAD,
+                            0);
+
+        thread2 = PR_CreateThread(PR_USER_THREAD,
+                            writer,
+                            NULL,
+                            PR_PRIORITY_NORMAL,
+                            PR_LOCAL_THREAD,
+                            PR_JOINABLE_THREAD,
+                            0);
+
+        thread3 = PR_CreateThread(PR_USER_THREAD,
+                            reader2,
+                            NULL,
+                            PR_PRIORITY_NORMAL,
+                            PR_LOCAL_THREAD,
+                            PR_JOINABLE_THREAD,
+                            0);
+
+        PR_JoinThread(thread);
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ReleaseReaderLock
+                (rwlock, plContext));
+        (void) printf("\t[Main Thread Read Unlock #1.]\n");
+
+        PR_JoinThread(thread2);
+
+
+
+cleanup:
+
+        /* Test destructor */
+        subTest("Testing destructor...");
+        PKIX_TEST_DECREF_AC(rwlock);
+        PKIX_TEST_DECREF_AC(rwlock2);
+        PKIX_TEST_DECREF_AC(rwlock3);
+
+        pkixTestTempResult = PKIX_Shutdown(plContext);
+        if (pkixTestTempResult) pkixTestErrorResult = pkixTestTempResult;
+
+        PKIX_TEST_RETURN();
+
+        endTests("RWLocks");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_string.c b/security/nss/cmd/libpkix/pkix_pl/system/test_string.c
new file mode 100644
index 000000000..ba49c18df
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_string.c
@@ -0,0 +1,479 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_string.c
+ *
+ * Tests Strings.
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createString(
+        PKIX_PL_String **testString,
+        PKIX_UInt32 format,
+        char *stringAscii,
+        PKIX_UInt32 length)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_String_Create
+                (format, stringAscii, length, testString, plContext));
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+createStringOther(
+        PKIX_PL_String **testEscAscii,
+        PKIX_PL_String **testUtf16,
+        PKIX_PL_String **ampString,
+        PKIX_PL_String **testDebugAscii,
+        PKIX_PL_String **testNullString,
+        PKIX_UInt32 *utf16data)
+{
+        char *nullText = "Hi&#x0000; there!";
+
+        char *escAsciiString =
+                "&#x00A1;&#x00010000;&#x0FFF;&#x00100001;";
+
+        char *debugAsciiString =
+                "string with&#x000A;newlines and&#x0009;tabs";
+
+        char * utfAmp = "\x00&";
+
+        PKIX_TEST_STD_VARS();
+
+        createString(testEscAscii,
+                    PKIX_ESCASCII,
+                    escAsciiString,
+                    PL_strlen(escAsciiString));
+
+        createString(testUtf16, PKIX_UTF16, (char *)utf16data, 12);
+
+        createString(ampString, PKIX_UTF16, utfAmp, 2);
+
+        createString(testDebugAscii,
+                    PKIX_ESCASCII_DEBUG,
+                    debugAsciiString,
+                    PL_strlen(debugAsciiString));
+
+        createString(testNullString,
+                    PKIX_ESCASCII_DEBUG,
+                    nullText,
+                    PL_strlen(nullText));
+
+        goto cleanup;
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetEncoded(
+        PKIX_PL_String *testEscAscii,
+        PKIX_PL_String *testString0,
+        PKIX_PL_String *testDebugAscii,
+        PKIX_PL_String *testNullString,
+        PKIX_UInt32 *utf16data)
+{
+        char *temp = NULL;
+        void *dest = NULL;
+        void *dest2 = NULL;
+        char *plainText = "string with\nnewlines and\ttabs";
+        PKIX_UInt32 length, length2, i;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testEscAscii,
+                                        PKIX_UTF16,
+                                        &dest,
+                                        &length,
+                                        plContext));
+        for (i = 0; i < length; i++) {
+                if (((char*)dest)[i] != ((char*)utf16data)[i]) {
+                        testError("UTF-16 Data Differs from Source");
+                        printf("%d-th char is different -%c-%c-\n", i,
+                               ((char*)dest)[i], ((char*)utf16data)[i]);
+                }
+        }
+
+        length = 0;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testNullString,
+                                        PKIX_UTF16,
+                                        &dest,
+                                        &length,
+                                        plContext));
+
+        length = 0;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testString0,
+                                        PKIX_ESCASCII_DEBUG,
+                                        &dest,
+                                        &length,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testDebugAscii,
+                                        PKIX_ESCASCII_DEBUG,
+                                        &dest2,
+                                        &length2,
+                                        plContext));
+
+        for (i = 0; (i < length) && (i < length2); i++)
+                if (((char*)dest)[i] != ((char*)dest2)[i]) {
+                        testError("Equivalent strings are unequal");
+                        break;
+                }
+
+        length = 0;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        length2 = 0;
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest2, plContext));
+
+        temp = PKIX_String2ASCII(testDebugAscii, plContext);
+        if (temp){
+                if (PL_strcmp(plainText, temp) != 0)
+                        testError("Debugged ASCII does not match "
+                                    "equivalent EscAscii");
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testSprintf(void)
+{
+        PKIX_Int32 x = 0xCAFE;
+        PKIX_Int32 y = -12345;
+        PKIX_PL_String *testString = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *sprintfString = NULL;
+        char *plainText = "Testing Sprintf";
+        char *format = "%s %x %u %d";
+        char *convertedFormat = "%s %lx %lu %ld";
+        char *temp = NULL;
+        char *temp2 = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        plainText,
+                                        PL_strlen(plainText),
+                                        &testString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        format,
+                                        11,
+                                        &formatString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Sprintf(&sprintfString,
+                                plContext,
+                                formatString,
+                                testString, x, y, y));
+        PKIX_TEST_DECREF_BC(testString);
+
+        temp = PR_smprintf(convertedFormat, plainText, x, y, y);
+        temp2 = PKIX_String2ASCII(sprintfString, plContext);
+
+        if (PL_strcmp(temp, temp2) != 0)
+                testError("Sprintf produced incorrect output");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp2, plContext));
+
+
+        PKIX_TEST_DECREF_BC(sprintfString);
+
+
+        PKIX_TEST_DECREF_BC(formatString);
+
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testErrorHandling(void)
+{
+        char *debugAsciiString =
+                "string with&#x000A;newlines and&#x0009;tabs";
+
+        PKIX_PL_String *testString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        NULL,
+                                        50,
+                                        &testString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
+                                        "blah", 4, NULL, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Sprintf(&testString, plContext, NULL));
+
+        PKIX_TEST_EXPECT_ERROR
+                (PKIX_PL_GetString(0, NULL, &testString, plContext));
+
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_GetString(0, "blah", 0, plContext));
+
+        /* ---------------------------- */
+        subTest("Unicode Error Handling");
+
+        /* &#x must be followed by 4 hexadecimal digits */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#x003k;",
+                                            7,
+                                            &testString,
+                                            plContext));
+
+        /* &#x must be followed by 4 hexadecimal digits */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "abc&#x00",
+                                            8,
+                                            &testString,
+                                            plContext));
+
+        /* &#x must be between 00010000-0010FFFF */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#x00200101;",
+                                            11,
+                                            &testString,
+                                            plContext));
+
+        /* &#x must be followed by 8 hexadecimal digits */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#x001000",
+                                            10,
+                                            &testString,
+                                            plContext));
+
+        /* &#x must be followed by 8 hexadecimal digits */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#x0010m00;",
+                                            10,
+                                            &testString,
+                                            plContext));
+
+        /* Byte values D800-DFFF are reserved */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#xD800;",
+                                            7,
+                                            &testString,
+                                            plContext));
+
+        /* Can't use &#x for regular characters */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&#x0032;",
+                                            7,
+                                            &testString,
+                                            plContext));
+
+        /* Can't use non-printable characters */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "\xA1",
+                                            1,
+                                            &testString,
+                                            plContext));
+
+        /* Only legal \\ characters are \\, u and U */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_ESCASCII,
+                                            "&blah",
+                                            5,
+                                            &testString,
+                                            plContext));
+
+
+
+        /* Surrogate pairs must be legal */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                            PKIX_UTF16,
+                                            "\xd8\x00\x0\x66",
+                                            4,
+                                            &testString,
+                                            plContext));
+
+        /* Debugged EscASCII should not be accepted as EscASCII */
+        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        debugAsciiString,
+                                        PL_strlen(debugAsciiString),
+                                        &testString,
+                                        plContext));
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(
+        PKIX_PL_String *string)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(string);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+
+int test_string(int argc, char *argv[]) {
+
+        PKIX_PL_String *testString[6] = {NULL};
+        PKIX_PL_String *testNullString = NULL;
+        PKIX_PL_String *testDebugAscii = NULL;
+        PKIX_PL_String *testEscAscii = NULL;
+        PKIX_PL_String *testUtf16 = NULL;
+        PKIX_PL_String *ampString = NULL;
+        unsigned char utf16Data[] = {0x00, 0xA1, 0xD8, 0x00,
+                            0xDC, 0x00, 0x0F, 0xFF,
+                            0xDB, 0xC0, 0xDC, 0x01};
+        PKIX_UInt32 i, size = 6;
+
+        char *plainText[6] = {
+                "string with\nnewlines and\ttabs",
+                "Not an escaped char: &amp;#x0012;",
+                "Encode &amp; with &amp;amp; in ASCII",
+                "&#x00A1;",
+                "&amp;",
+                "string with\nnewlines and\ttabs"
+        };
+
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Strings");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_String_Create <ascii format>");
+        for (i = 0; i < size; i++) {
+                testString[i] = NULL;
+                createString
+                        (&testString[i],
+                        PKIX_ESCASCII,
+                        plainText[i],
+                        PL_strlen(plainText[i]));
+        }
+
+        subTest("PKIX_PL_String_Create <other formats>");
+        createStringOther
+                (&testEscAscii,
+                &testUtf16,
+                &ampString,
+                &testDebugAscii,
+                &testNullString,
+                (PKIX_UInt32 *)utf16Data);
+
+        PKIX_TEST_EQ_HASH_TOSTR_DUP
+                (testString[0],
+                testString[5],
+                testString[1],
+                plainText[0],
+                String,
+                PKIX_TRUE);
+
+        subTest("PKIX_PL_String_GetEncoded");
+        testGetEncoded
+                (testEscAscii,
+                testString[0],
+                testDebugAscii,
+                testNullString,
+                (PKIX_UInt32 *)utf16Data);
+
+        subTest("PKIX_PL_Sprintf");
+        testSprintf();
+
+        subTest("PKIX_PL_String_Create <error_handling>");
+        testErrorHandling();
+
+        subTest("PKIX_PL_String_Destroy");
+        for (i = 0; i < size; i++) {
+                testDestroy(testString[i]);
+        }
+        testDestroy(testEscAscii);
+        testDestroy(testUtf16);
+        testDestroy(ampString);
+        testDestroy(testDebugAscii);
+        testDestroy(testNullString);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("String");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c b/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c
new file mode 100644
index 000000000..170a945c2
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c
@@ -0,0 +1,375 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * test_string2.c
+ *
+ * Tests International Strings
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+createString(
+        PKIX_PL_String **vivaEspanaString,
+        PKIX_PL_String **straussString,
+        PKIX_PL_String **gorbachevString,
+        PKIX_PL_String **testUTF16String,
+        PKIX_PL_String **chineseString,
+        PKIX_PL_String **jeanRenoString)
+{
+        /* this is meant to fail - it highlights bug 0002 */
+        unsigned char utf16String[4] = { 0xF8, 0x60,
+                                        0xFC, 0x60};
+
+        unsigned char chinese[16] = { 0xe7, 0xab, 0xa0,
+                                        0xe5, 0xad, 0x90,
+                                        0xe6, 0x80, 0xa1,
+                                        0x20,
+                                        0xe4, 0xb8, 0xad,
+                                        0xe5, 0x9b, 0xbd
+        };
+
+        char* jeanReno = "Jean R\303\251no is an actor.";
+        char* gorbachev = /* This is the name "Gorbachev" in cyrllic */
+        "\xd0\x93\xd0\xbe\xd1\x80\xd0\xb1\xd0\xb0\xd1\x87\xd1\x91\xd0\xb2";
+
+        char *vivaEspana =
+                "&#x00A1;Viva Espa&#x00f1;a!";
+
+        char *strauss =
+                "Strau&#x00Df; was born in &#x00D6;sterreich";
+
+        PKIX_TEST_STD_VARS();
+
+        /* ---------------------------- */
+        subTest("String Creation");
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        vivaEspana,
+                                        PL_strlen(vivaEspana),
+                                        vivaEspanaString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_ESCASCII,
+                                        strauss,
+                                        PL_strlen(strauss),
+                                        straussString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_UTF8,
+                                        gorbachev,
+                                        PL_strlen(gorbachev),
+                                        gorbachevString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_UTF16,
+                                        utf16String,
+                                        4,
+                                        testUTF16String,
+                                        plContext));
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_UTF8,
+                                        chinese,
+                                        16,
+                                        chineseString,
+                                        plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
+                                        PKIX_UTF8,
+                                        jeanReno,
+                                        PL_strlen(jeanReno),
+                                        jeanRenoString,
+                                        plContext));
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testGetEncoded(PKIX_PL_String *string, PKIX_UInt32 format)
+{
+        void *dest = NULL;
+        PKIX_UInt32 length;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded
+                                (string,
+                                format,
+                                &dest,
+                                &length,
+                                plContext));
+
+        if (dest){
+                (void) printf("\tResult: %s\n", (char *)dest);
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        }
+
+cleanup:
+        PKIX_TEST_RETURN();
+}
+
+
+static void
+testHTMLOutput(
+        PKIX_PL_String *vivaEspanaString,
+        PKIX_PL_String *straussString,
+        PKIX_PL_String *gorbachevString,
+        PKIX_PL_String *testUTF16String,
+        PKIX_PL_String *chineseString,
+        PKIX_PL_String *jeanRenoString)
+{
+        void *dest = NULL;
+        PKIX_UInt32 length;
+
+        FILE *htmlFile = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        /* Opening a file for output */
+        htmlFile = fopen("utf8.html", "w");
+
+        if (htmlFile != plContext) {
+                (void) fprintf(htmlFile, "<html><head>\n");
+                (void) fprintf(htmlFile, "<meta http-equiv=\"Content-Type\"");
+                (void) fprintf(htmlFile,
+                        "content = \"text/html; charset = UTF-8\">\n");
+                (void) fprintf(htmlFile, "</head><body>\n");
+                (void) fprintf(htmlFile, "<font size =\"+2\">\n");
+        } else
+                (void) printf("Could not open HTML file\n");
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testUTF16String,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(chineseString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(jeanRenoString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(vivaEspanaString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(straussString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(straussString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(gorbachevString,
+                                            PKIX_UTF8,
+                                            &dest,
+                                            &length,
+                                            plContext));
+        if (htmlFile != plContext) {
+                (void) printf("%d bytes written to HTML file\n",
+                        fwrite(dest, length, 1, htmlFile));
+                (void) fprintf(htmlFile, "<BR>\n");
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
+        dest = NULL;
+        length = 0;
+
+        if (htmlFile != plContext) {
+                (void) fprintf(htmlFile, "</font>\n");
+                (void) fprintf(htmlFile, "</body></html>\n");
+                (void) fclose(htmlFile);
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+static void
+testDestroy(
+        PKIX_PL_String *string)
+{
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_DECREF_BC(string);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+int test_string2(int argc, char *argv[]) {
+
+        PKIX_PL_String *vivaEspanaString, *straussString, *testUTF16String;
+        PKIX_PL_String *chineseString, *jeanRenoString, *gorbachevString;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+
+        PKIX_TEST_STD_VARS();
+
+        startTests("Unicode Strings");
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        subTest("PKIX_PL_String_Create");
+        createString(&vivaEspanaString,
+                    &straussString,
+                    &gorbachevString,
+                    &testUTF16String,
+                    &chineseString,
+                    &jeanRenoString);
+
+        subTest("Converting UTF-16 to EscASCII");
+        testGetEncoded(testUTF16String, PKIX_ESCASCII);
+
+        subTest("Converting UTF-8 to EscASCII");
+        testGetEncoded(chineseString, PKIX_ESCASCII);
+
+        subTest("Converting UTF-8 to EscASCII");
+        testGetEncoded(jeanRenoString, PKIX_ESCASCII);
+
+        subTest("Converting EscASCII to UTF-16");
+        testGetEncoded(vivaEspanaString, PKIX_UTF16);
+
+        subTest("Converting UTF-8 to UTF-16");
+        testGetEncoded(chineseString, PKIX_UTF16);
+
+        subTest("Creating HTML Output File \'utf8.html\'");
+        testHTMLOutput(vivaEspanaString,
+                    straussString,
+                    gorbachevString,
+                    testUTF16String,
+                    chineseString,
+                    jeanRenoString);
+
+        subTest("Unicode Destructors");
+        testDestroy(testUTF16String);
+        testDestroy(chineseString);
+        testDestroy(jeanRenoString);
+        testDestroy(vivaEspanaString);
+        testDestroy(straussString);
+        testDestroy(gorbachevString);
+
+cleanup:
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("Unicode Strings");
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/pkixlibs.mk b/security/nss/cmd/libpkix/pkixlibs.mk
new file mode 100755
index 000000000..772fe4e8f
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkixlibs.mk
@@ -0,0 +1,60 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lpkixutil \
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/pkixutil.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lpkixutil \
+	$(NULL)
+
+endif
+
diff --git a/security/nss/cmd/libpkix/pkixrules.mk b/security/nss/cmd/libpkix/pkixrules.mk
new file mode 100755
index 000000000..b2c6f8b84
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkixrules.mk
@@ -0,0 +1,40 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
diff --git a/security/nss/cmd/libpkix/pkixutil/Makefile b/security/nss/cmd/libpkix/pkixutil/Makefile
new file mode 100644
index 000000000..c00eeffe9
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkixutil/Makefile
@@ -0,0 +1,75 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkixutil/manifest.mn b/security/nss/cmd/libpkix/pkixutil/manifest.mn
new file mode 100644
index 000000000..00e174227
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkixutil/manifest.mn
@@ -0,0 +1,73 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	pkixutil.c \
+	$(NULL)
+
+PROGRAM = pkixutil
+
+TOOLS_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+EXTRA_LIBS += \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolperf.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolcertsel.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolparams.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolmodule.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolpki.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolsys.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolresults.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolstore.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtooltop.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolutil.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolsmplapps.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolchecker.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolcrlsel.$(LIB_SUFFIX) \
+	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtooltestutil.$(LIB_SUFFIX) \
+	$(NULL)
+
+NO_MD_RELEASE = 1
+
+USE_STATIC_LIBS = 1
+
diff --git a/security/nss/cmd/libpkix/pkixutil/pkixutil.c b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
new file mode 100644
index 000000000..6d23c7059
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
@@ -0,0 +1,335 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * testwrapper.c
+ *
+ * Wrpper programm for libpkix tests.
+ *
+ */
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "plgetopt.h"
+
+#include "nss.h"
+#include "secport.h"
+
+typedef int (*mainTestFn)(int argc, char* argv[]);
+
+extern int libpkix_buildthreads(int argc, char *argv[]);
+extern int nss_threads(int argc, char *argv[]);
+extern int test_certselector(int argc, char *argv[]);
+extern int test_comcertselparams(int argc, char *argv[]);
+extern int test_certchainchecker(int argc, char *argv[]);
+extern int test_comcrlselparams(int argc, char *argv[]);
+extern int test_crlselector(int argc, char *argv[]);
+
+/* This test fails to build. Need to fix                */
+/* extern int test_buildparams(int argc, char *argv[]); */
+extern int test_procparams(int argc, char *argv[]);
+extern int test_resourcelimits(int argc, char *argv[]);
+extern int test_trustanchor(int argc, char *argv[]);
+extern int test_valparams(int argc, char *argv[]);
+extern int test_buildresult(int argc, char *argv[]);
+extern int test_policynode(int argc, char *argv[]);
+extern int test_valresult(int argc, char *argv[]);
+extern int test_verifynode(int argc, char *argv[]);
+extern int test_store(int argc, char *argv[]);
+extern int test_basicchecker(int argc, char *argv[]);
+extern int test_basicconstraintschecker(int argc, char *argv[]);
+extern int test_buildchain(int argc, char *argv[]);
+extern int test_buildchain_partialchain(int argc, char *argv[]);
+extern int test_buildchain_resourcelimits(int argc, char *argv[]);
+extern int test_buildchain_uchecker(int argc, char *argv[]);
+extern int test_customcrlchecker(int argc, char *argv[]);
+extern int test_defaultcrlchecker2stores(int argc, char *argv[]);
+extern int test_ocsp(int argc, char *argv[]);
+extern int test_policychecker(int argc, char *argv[]);
+extern int test_subjaltnamechecker(int argc, char *argv[]);
+extern int test_validatechain(int argc, char *argv[]);
+extern int test_validatechain_NB(int argc, char *argv[]);
+extern int test_validatechain_bc(int argc, char *argv[]);
+extern int test_error(int argc, char *argv[]);
+extern int test_list(int argc, char *argv[]);
+extern int test_list2(int argc, char *argv[]);
+extern int test_logger(int argc, char *argv[]);
+extern int test_colcertstore(int argc, char *argv[]);
+extern int test_ekuchecker(int argc, char *argv[]);
+extern int test_httpcertstore(int argc, char *argv[]);
+extern int test_pk11certstore(int argc, char *argv[]);
+extern int test_socket(int argc, char *argv[]);
+extern int test_authorityinfoaccess(int argc, char *argv[]);
+extern int test_cert(int argc, char *argv[]);
+extern int test_crl(int argc, char *argv[]);
+extern int test_crlentry(int argc, char *argv[]);
+extern int test_date(int argc, char *argv[]);
+extern int test_generalname(int argc, char *argv[]);
+extern int test_nameconstraints(int argc, char *argv[]);
+extern int test_subjectinfoaccess(int argc, char *argv[]);
+extern int test_x500name(int argc, char *argv[]);
+extern int stress_test(int argc, char *argv[]);
+extern int test_bigint(int argc, char *argv[]);
+extern int test_bytearray(int argc, char *argv[]);
+extern int test_hashtable(int argc, char *argv[]);
+extern int test_mem(int argc, char *argv[]);
+extern int test_monitorlock(int argc, char *argv[]);
+extern int test_mutex(int argc, char *argv[]);
+extern int test_mutex2(int argc, char *argv[]);
+extern int test_mutex3(int argc, char *argv[]);
+extern int test_object(int argc, char *argv[]);
+extern int test_oid(int argc, char *argv[]);
+
+/* Taken out. Problem with build                   */
+/* extern int test_rwlock(int argc, char *argv[]); */
+extern int test_string(int argc, char *argv[]);
+extern int test_string2(int argc, char *argv[]);
+extern int build_chain(int argc, char *argv[]);
+extern int dumpcert(int argc, char *argv[]);
+extern int dumpcrl(int argc, char *argv[]);
+extern int validate_chain(int argc, char *argv[]);
+
+
+typedef struct {
+    char *fnName;
+    mainTestFn fnPointer;
+} testFunctionRef;
+
+testFunctionRef testFnRefTable[] = {
+    {"libpkix_buildthreads",           libpkix_buildthreads},
+    {"nss_threads",                    nss_threads},
+    {"test_certselector",              test_certselector},
+    {"test_comcertselparams",          test_comcertselparams},
+    {"test_certchainchecker",          test_certchainchecker},
+    {"test_comcrlselparams",           test_comcrlselparams},
+    {"test_crlselector",               test_crlselector},
+/*  {"test_buildparams",               test_buildparams}*/
+    {"test_procparams",                test_procparams},
+    {"test_resourcelimits",            test_resourcelimits},
+    {"test_trustanchor",               test_trustanchor},
+    {"test_valparams",                 test_valparams},
+    {"test_buildresult",               test_buildresult},
+    {"test_policynode",                test_policynode},
+    {"test_valresult",                 test_valresult},
+    {"test_verifynode",                test_verifynode},
+    {"test_store",                     test_store},
+    {"test_basicchecker",              test_basicchecker},
+    {"test_basicconstraintschecker",   test_basicconstraintschecker},
+    {"test_buildchain",                test_buildchain},
+    {"test_buildchain_partialchain",   test_buildchain_partialchain},
+    {"test_buildchain_resourcelimits", test_buildchain_resourcelimits},
+    {"test_buildchain_uchecker",       test_buildchain_uchecker},
+    {"test_customcrlchecker",          test_customcrlchecker},
+    {"test_defaultcrlchecker2stores",  test_defaultcrlchecker2stores},
+    {"test_ocsp",                      test_ocsp},
+    {"test_policychecker",             test_policychecker},
+    {"test_subjaltnamechecker",        test_subjaltnamechecker},
+    {"test_validatechain",             test_validatechain},
+    {"test_validatechain_NB",          test_validatechain_NB},
+    {"test_validatechain_bc",          test_validatechain_bc},
+    {"test_error",                     test_error},
+    {"test_list",                      test_list},
+    {"test_list2",                     test_list2},
+    {"test_logger",                    test_logger},
+    {"test_colcertstore",              test_colcertstore},
+    {"test_ekuchecker",                test_ekuchecker},
+    {"test_httpcertstore",             test_httpcertstore},
+    {"test_pk11certstore",             test_pk11certstore},
+    {"test_socket",                    test_socket},
+    {"test_authorityinfoaccess",       test_authorityinfoaccess},
+    {"test_cert",                      test_cert},
+    {"test_crl",                       test_crl},
+    {"test_crlentry",                  test_crlentry},
+    {"test_date",                      test_date},
+    {"test_generalname",               test_generalname},
+    {"test_nameconstraints",           test_nameconstraints},
+    {"test_subjectinfoaccess",         test_subjectinfoaccess},
+    {"test_x500name",                  test_x500name},
+    {"stress_test",                    stress_test},
+    {"test_bigint",                    test_bigint},
+    {"test_bytearray",                 test_bytearray},
+    {"test_hashtable",                 test_hashtable},
+    {"test_mem",                       test_mem},
+    {"test_monitorlock",               test_monitorlock},
+    {"test_mutex",                     test_mutex},
+    {"test_mutex2",                    test_mutex2},
+    {"test_mutex3",                    test_mutex3},
+    {"test_object",                    test_object},
+    {"test_oid",                       test_oid},
+/*  {"test_rwlock",                    test_rwlock, }*/
+    {"test_string",                    test_string},
+    {"test_string2",                   test_string2},
+    {"build_chain",                    build_chain},
+    {"dumpcert",                       dumpcert},
+    {"dumpcrl",                        dumpcrl},
+    {"validate_chain",                 validate_chain},
+    {NULL,                             NULL },
+};
+
+static
+void printUsage(char *cmdName) {
+    int fnCounter = 0;
+
+    fprintf(stderr, "Usage: %s [test name] [arg1]...[argN]\n\n", cmdName);
+    fprintf(stderr, "List of possible names for the tests:");
+    while (testFnRefTable[fnCounter].fnName != NULL) {
+        if (fnCounter % 2 == 0) {
+            fprintf(stderr, "\n");
+        }
+        fprintf(stderr, "  %-35s ", testFnRefTable[fnCounter].fnName);
+        fnCounter += 1;
+    }
+    fprintf(stderr, "\n");
+}
+
+static SECStatus
+getTestArguments(int         argc,
+                 char      **argv,
+                 mainTestFn *ptestFn,
+                 char      **pdbPath,
+                 int        *pargc,
+                 char     ***pargv)
+{
+    PLOptState *optstate = NULL;
+    PLOptStatus status;
+    mainTestFn testFunction = NULL;
+    char **wArgv = NULL;
+    char  *dbPath = NULL;
+    char  *fnName = NULL;
+    int    wArgc = 0;
+    int    fnCounter = 0;
+    
+    if (argc < 2) {
+        printf("ERROR: insufficient number of arguments: %s.\n", fnName);
+        return SECFailure;
+    }
+
+    fnName = argv[1];
+    while (testFnRefTable[fnCounter].fnName != NULL) {
+        if (!PORT_Strcmp(fnName, testFnRefTable[fnCounter].fnName)) {
+            testFunction = testFnRefTable[fnCounter].fnPointer;
+            break;
+        }
+        fnCounter += 1;
+    }
+    if (!testFunction) {
+        printf("ERROR: unknown name of the test: %s.\n", fnName);
+        return SECFailure;
+    }
+
+    wArgv = PORT_ZNewArray(char*, argc);
+    if (!wArgv) {
+        return SECFailure;
+    }
+
+    /* set name of the function as a first arg and increment arg count. */
+    wArgv[0] = fnName;
+    wArgc += 1;
+
+    optstate = PL_CreateOptState(argc - 1, argv + 1, "d:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch (optstate->option) {
+        case 'd':
+            dbPath = (char*)optstate->value;
+            break;
+
+        default:
+            wArgv[wArgc] = (char*)optstate->value;
+            wArgc += 1;
+            break;
+        }
+    }
+    PL_DestroyOptState(optstate);
+
+    *ptestFn = testFunction;
+    *pdbPath = dbPath;
+    *pargc = wArgc;
+    *pargv = wArgv;
+    
+    return SECSuccess;
+}
+
+
+static
+int runCmd(mainTestFn fnPointer,
+           int argc,
+           char **argv,
+           char *dbPath)
+{
+    int retStat = 0;
+    
+    /*  Initialize NSPR and NSS.  */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    
+    /* if using databases, use NSS_Init and not NSS_NoDB_Init */
+    if (dbPath && PORT_Strlen(dbPath) != 0) {
+        if (NSS_Init(dbPath) != SECSuccess)
+            return SECFailure;
+    } else {
+        if (NSS_NoDB_Init(NULL) != 0)
+            return SECFailure;
+    }
+    retStat = fnPointer(argc, argv);
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+    PR_Cleanup();
+    return retStat;
+}
+
+int main(int argc, char **argv) {
+    mainTestFn testFunction = NULL;
+    char *dbPath = NULL;
+    char **testArgv = NULL;
+    int testArgc = 0;
+    int rv = 0;
+
+    rv = getTestArguments(argc, argv, &testFunction, &dbPath,
+                          &testArgc, &testArgv);
+    if (rv != SECSuccess) {
+        printUsage(argv[0]);
+        return 1;
+    }
+    
+    rv = runCmd(testFunction, testArgc, testArgv, dbPath);
+
+    PORT_Free(testArgv);
+
+    return rv;
+}
+
diff --git a/security/nss/cmd/libpkix/sample_apps/Makefile b/security/nss/cmd/libpkix/sample_apps/Makefile
new file mode 100755
index 000000000..ef8ff219f
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/sample_apps/build_chain.c b/security/nss/cmd/libpkix/sample_apps/build_chain.c
new file mode 100644
index 000000000..52e7c0a83
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/build_chain.c
@@ -0,0 +1,298 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * buildChain.c
+ *
+ * Tests Cert Chain Building
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+        (void) printf("\nUSAGE:\tbuildChain "
+                        "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
+        (void) printf
+                ("Builds a chain of certificates between "
+                "<trustedCert> and <targetCert>\n"
+                "using the certs and CRLs in <certStoreDirectory>.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        void *buf = NULL;
+        PRFileDesc *inFile = NULL;
+        PKIX_UInt32 len;
+        SECItem certDER;
+        SECStatus rv;
+        /* default: NULL cert (failure case) */
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certDER.data = NULL;
+
+        inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                pkixTestErrorMsg = "Unable to open cert file";
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
+                                        (buf, len, &byteArray, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
+                                        (byteArray, &cert, plContext));
+
+                        SECITEM_FreeItem(&certDER, PR_FALSE);
+                } else {
+                        pkixTestErrorMsg = "Unable to read DER from cert file";
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+        }
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+
+        return (cert);
+}
+
+int build_chain(int argc, char *argv[])
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        char *trustedCertFile = NULL;
+        char *targetCertFile = NULL;
+        char *storeDirAscii = NULL;
+        PKIX_PL_String *storeDirString = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_UInt32 actualMinorVersion, numCerts, i;
+        PKIX_UInt32 j = 0;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *certStores = NULL;
+        char * asciiResult = NULL;
+        PKIX_Boolean useArenas = PKIX_FALSE;
+        void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
+        void *nbioContext = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 4){
+                printUsage();
+                return (0);
+        }
+
+        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize
+                                    (PKIX_TRUE, /* nssInitNeeded */
+                                    useArenas,
+                                    PKIX_MAJOR_VERSION,
+                                    PKIX_MINOR_VERSION,
+                                    PKIX_MINOR_VERSION,
+                                    &actualMinorVersion,
+                                    &plContext));
+
+        /* create processing params with list of trust anchors */
+        trustedCertFile = argv[j+1];
+        trustedCert = createCert(trustedCertFile);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                    (trustedCert, &anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                            (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                            (anchors, &procParams, plContext));
+
+
+        /* create CertSelector with target certificate in params */
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+        targetCertFile = argv[j+2];
+        targetCert = createCert(targetCertFile);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_SetCertificate
+                (certSelParams, targetCert, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+            (PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        /* create CertStores */
+
+        storeDirAscii = argv[j+3];
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+                (PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
+                (storeDirString, &certStore, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (certStores, (PKIX_PL_Object *)certStore, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
+                (procParams, certStores, plContext));
+
+        /* build cert chain using processing params and return buildResult */
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain
+                (procParams,
+                &nbioContext,
+                &buildState,
+                &buildResult,
+                NULL,
+                plContext));
+
+        /*
+         * As long as we use only CertStores with blocking I/O, we can omit
+         * checking for completion with nbioContext.
+         */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_GetLength(certs, &numCerts, plContext));
+
+        printf("\n");
+
+        for (i = 0; i < numCerts; i++){
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_List_GetItem
+                        (certs, i, (PKIX_PL_Object**)&cert, plContext));
+
+                asciiResult = PKIX_Cert2ASCII(cert);
+
+                printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext));
+                asciiResult = NULL;
+
+                PKIX_TEST_DECREF_BC(cert);
+        }
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                (void) printf("FAILED TO BUILD CHAIN\n");
+        } else {
+                (void) printf("SUCCESSFULLY BUILT CHAIN\n");
+        }
+
+        PKIX_PL_Free(asciiResult, plContext);
+
+        PKIX_TEST_DECREF_AC(certs);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(certStore);
+        PKIX_TEST_DECREF_AC(certStores);
+        PKIX_TEST_DECREF_AC(storeDirString);
+        PKIX_TEST_DECREF_AC(trustedCert);
+        PKIX_TEST_DECREF_AC(targetCert);
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(anchors);
+        PKIX_TEST_DECREF_AC(procParams);
+        PKIX_TEST_DECREF_AC(certSelParams);
+        PKIX_TEST_DECREF_AC(certSelector);
+        PKIX_TEST_DECREF_AC(buildResult);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcert.c b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
new file mode 100644
index 000000000..af1035365
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
@@ -0,0 +1,217 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * dumpcert.c
+ *
+ * dump certificate sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static 
+void printUsage(void){
+        (void) printf("\nUSAGE:\tdumpcert <certFile>\n");
+        (void) printf("\tParses a certificate located at <certFile> "
+                "and displays it.\n");
+}
+
+static 
+void printFailure(char *msg){
+        (void) printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_Error *error = NULL;
+        PRFileDesc *inFile = NULL;
+        SECItem certDER;
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        SECStatus rv = SECFailure;
+
+        certDER.data = NULL;
+
+        inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                printFailure("Unable to open cert file");
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        error = PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext);
+
+                        if (error){
+                                printFailure("PKIX_PL_ByteArray_Create failed");
+                                goto cleanup;
+                        }
+
+                        error = PKIX_PL_Cert_Create
+                                (byteArray, &cert, plContext);
+
+                        if (error){
+                                printFailure("PKIX_PL_Cert_Create failed");
+                                goto cleanup;
+                        }
+                } else {
+                        printFailure("Unable to read DER from cert file");
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (rv == SECSuccess){
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+        }
+
+        if (byteArray){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+        }
+
+        return (cert);
+}
+
+int dumpcert(int argc, char *argv[])
+{
+
+        PKIX_PL_String *string = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_Error *error = NULL;
+        char *ascii = NULL;
+        PKIX_UInt32 length = 0;
+        PKIX_UInt32 j = 0;
+	PKIX_Boolean useArenas = PKIX_FALSE;
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc == 1){
+                printUsage();
+                return (0);
+        }
+
+        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+        PKIX_Initialize
+                (PKIX_TRUE, /* nssInitNeeded */
+                useArenas,
+                PKIX_MAJOR_VERSION,
+                PKIX_MINOR_VERSION,
+                PKIX_MINOR_VERSION,
+                &actualMinorVersion,
+                &plContext);
+
+        cert = createCert(argv[1+j]);
+
+        if (cert){
+
+                error = PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object *)cert, &string, plContext);
+
+                if (error){
+                        printFailure("Unable to get string representation "
+                                    "of cert");
+                        goto cleanup;
+                }
+
+                error = PKIX_PL_String_GetEncoded
+                        (string,
+                        PKIX_ESCASCII,
+                        (void **)&ascii,
+                        &length,
+                        plContext);
+
+                if (error || !ascii){
+                        printFailure("Unable to get ASCII encoding of string");
+                        goto cleanup;
+                }
+
+                (void) printf("OUTPUT:\n%s\n", ascii);
+
+        } else {
+                printFailure("Unable to create certificate");
+                goto cleanup;
+        }
+
+cleanup:
+
+        if (cert){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(cert), plContext);
+        }
+
+        if (string){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+        }
+
+        if (ascii){
+                PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+        }
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("DUMPCERT");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
new file mode 100644
index 000000000..26e20f125
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
@@ -0,0 +1,220 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * dumpcrl.c
+ *
+ * dump CRL sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static 
+void printUsage(void){
+        (void) printf("\nUSAGE:\tdumpcrl <crlFile>\n");
+        (void) printf("\tParses a CRL located at <crlFile> "
+                "and displays it.\n");
+}
+
+static 
+void printFailure(char *msg){
+        (void) printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_CRL *
+createCRL(char *inFileName)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_Error *error = NULL;
+        PRFileDesc *inFile = NULL;
+        SECItem crlDER;
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        SECStatus rv;
+
+        PKIX_TEST_STD_VARS();
+
+        crlDER.data = NULL;
+
+        inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                printFailure("Unable to open crl file");
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)crlDER.data;
+                        len = crlDER.len;
+
+                        error = PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext);
+
+                        if (error){
+                                printFailure("PKIX_PL_ByteArray_Create failed");
+                                goto cleanup;
+                        }
+
+                        error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
+                        if (error){
+                                printFailure("PKIX_PL_CRL_Create failed");
+                                goto cleanup;
+                        }
+
+                        SECITEM_FreeItem(&crlDER, PR_FALSE);
+                } else {
+                        printFailure("Unable to read DER from crl file");
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (error){
+                SECITEM_FreeItem(&crlDER, PR_FALSE);
+        }
+
+        if (byteArray){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+        }
+
+        PKIX_TEST_RETURN();
+
+        return (crl);
+}
+
+int dumpcrl(int argc, char *argv[])
+{
+
+        PKIX_PL_String *string = NULL;
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_Error *error = NULL;
+        char *ascii = NULL;
+        PKIX_UInt32 length;
+        PKIX_UInt32 actualMinorVersion;
+        PKIX_UInt32 j = 0;
+        PKIX_Boolean useArenas = PKIX_FALSE;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc == 1){
+                printUsage();
+                return (0);
+        }
+
+        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+        PKIX_Initialize
+                (PKIX_TRUE, /* nssInitNeeded */
+                useArenas,
+                PKIX_MAJOR_VERSION,
+                PKIX_MINOR_VERSION,
+                PKIX_MINOR_VERSION,
+                &actualMinorVersion,
+                &plContext);
+
+        crl = createCRL(argv[j+1]);
+
+        if (crl){
+
+                error = PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object *)crl, &string, plContext);
+
+                if (error){
+                        printFailure("Unable to get string representation "
+                                    "of crl");
+                        goto cleanup;
+                }
+
+                error = PKIX_PL_String_GetEncoded
+                        (string,
+                        PKIX_ESCASCII,
+                        (void **)&ascii,
+                        &length,
+                        plContext);
+                if (error || !ascii){
+                        printFailure("Unable to get ASCII encoding of string");
+                        goto cleanup;
+                }
+
+                (void) printf("OUTPUT:\n%s\n", ascii);
+
+        } else {
+                printFailure("Unable to create CRL");
+                goto cleanup;
+        }
+
+cleanup:
+
+        if (crl){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(crl), plContext);
+        }
+
+        if (string){
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+        }
+
+        if (ascii){
+                PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+        }
+
+        PKIX_Shutdown(plContext);
+
+        PKIX_TEST_RETURN();
+
+        endTests("DUMPCRL");
+
+        return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/manifest.mn b/security/nss/cmd/libpkix/sample_apps/manifest.mn
new file mode 100755
index 000000000..2e9cda0e1
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# htt/www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = dumpcert.c \
+	dumpcrl.c \
+	validate_chain.c \
+	build_chain.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolsmplapps
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/sample_apps/validate_chain.c b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
new file mode 100644
index 000000000..c580399bb
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
@@ -0,0 +1,267 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * validateChain.c
+ *
+ * Tests Cert Chain Validation
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static 
+void printUsage(void){
+        (void) printf("\nUSAGE:\tvalidateChain <trustedCert> "
+                "<cert_1> <cert_2> ... <cert_n>\n");
+        (void) printf("\tValidates a chain of n certificates "
+                "using the given trust anchor.\n");
+
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        void *buf = NULL;
+        PRFileDesc *inFile = NULL;
+        PKIX_UInt32 len;
+        SECItem certDER;
+        SECStatus rv;
+        /* default: NULL cert (failure case) */
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        certDER.data = NULL;
+
+        inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                pkixTestErrorMsg = "Unable to open cert file";
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
+                                                (byteArray, &cert, plContext));
+
+                        SECITEM_FreeItem(&certDER, PR_FALSE);
+                } else {
+                        pkixTestErrorMsg = "Unable to read DER from cert file";
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+        }
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+
+        return (cert);
+}
+
+int validate_chain(int argc, char *argv[])
+{
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+	PKIX_VerifyNode *verifyTree = NULL;
+	PKIX_PL_String *verifyString = NULL;
+
+        char *trustedCertFile = NULL;
+        char *chainCertFile = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_Cert *chainCert = NULL;
+        PKIX_UInt32 chainLength = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 j = 0;
+        PKIX_UInt32 actualMinorVersion;
+
+        PKIX_TEST_STD_VARS();
+
+        if (argc < 3){
+                printUsage();
+                return (0);
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(
+            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+        chainLength = (argc - j) - 2;
+
+        /* create processing params with list of trust anchors */
+        trustedCertFile = argv[1+j];
+        trustedCert = createCert(trustedCertFile);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+#if 0
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+                                    (certSelParams, subject, plContext));
+#endif
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_CertSelector_Create
+                (NULL, NULL, &certSelector, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+                                (certSelector, certSelParams, plContext));
+
+        PKIX_TEST_DECREF_BC(subject);
+        PKIX_TEST_DECREF_BC(certSelParams);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                    (trustedCert, &anchor, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_List_AppendItem
+                (anchors, (PKIX_PL_Object *)anchor, plContext));
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                                    (anchors, &procParams, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetTargetCertConstraints
+                (procParams, certSelector, plContext));
+
+        PKIX_TEST_DECREF_BC(certSelector);
+
+        /* create cert chain */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+        for (i = 0; i < chainLength; i++){
+                chainCertFile = argv[(i + j) + 2];
+                chainCert = createCert(chainCertFile);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                            (certs,
+                                            (PKIX_PL_Object *)chainCert,
+                                            plContext));
+
+                PKIX_TEST_DECREF_BC(chainCert);
+                chainCert = NULL;
+        }
+        /* create validate params with processing params and cert chain */
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
+                                    (procParams, certs, &valParams, plContext));
+
+        PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL;
+        PKIX_TEST_DECREF_BC(anchor); anchor = NULL;
+        PKIX_TEST_DECREF_BC(anchors); anchors = NULL;
+        PKIX_TEST_DECREF_BC(certs); certs = NULL;
+        PKIX_TEST_DECREF_BC(procParams); procParams = NULL;
+
+        /* validate cert chain using processing params and return valResult */
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
+
+        if (valResult != NULL){
+                (void) printf("SUCCESSFULLY VALIDATED\n");
+        }
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                (void) printf("FAILED TO VALIDATE\n");
+	        (void) PKIX_PL_Object_ToString
+        	        ((PKIX_PL_Object*)verifyTree, &verifyString, plContext);
+	        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+	        PKIX_TEST_DECREF_AC(verifyString);
+
+        }
+
+        PKIX_TEST_DECREF_AC(verifyTree);
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(valParams);
+
+        PKIX_TEST_RETURN();
+
+        PKIX_Shutdown(plContext);
+
+        return (0);
+
+}
diff --git a/security/nss/cmd/libpkix/testutil/Makefile b/security/nss/cmd/libpkix/testutil/Makefile
new file mode 100755
index 000000000..ea5fd90a6
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/Makefile
@@ -0,0 +1,84 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include $(PLAT_DEPTH)/platrules.mk
+
+export:: private_export
+
diff --git a/security/nss/cmd/libpkix/testutil/config.mk b/security/nss/cmd/libpkix/testutil/config.mk
new file mode 100644
index 000000000..46978a032
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/config.mk
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# don't build the static library
+LIBRARY =
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+endif
diff --git a/security/nss/cmd/libpkix/testutil/manifest.mn b/security/nss/cmd/libpkix/testutil/manifest.mn
new file mode 100755
index 000000000..c40c467df
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/manifest.mn
@@ -0,0 +1,59 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+PKIX_DEPTH = ..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+
+MODULE = nss
+
+PRIVATE_EXPORTS = \
+	testutil_nss.h \
+	testutil.h \
+	$(NULL)
+
+CSRCS = \
+	testutil_nss.c \
+	testutil.c \
+	$(NULL)
+
+LIBRARY_NAME = pkixtooltestutil
+
+SOURCE_LIB_DIR = $(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/testutil/pkixutil.def b/security/nss/cmd/libpkix/testutil/pkixutil.def
new file mode 100644
index 000000000..eed954ac5
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/pkixutil.def
@@ -0,0 +1,81 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the PKIX-C library.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Sun Microsystems, Inc.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+;+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.12 {               # NSS 3.12 release
+;+    global:
+LIBRARY pkixutil ;-
+EXPORTS	;-
+createBuildResult;
+createCRL;
+createCert;
+createCertChain;
+createCertChainPlus;
+createDate;
+createGeneralName;
+createProcessingParams;
+createTrustAnchor;
+createValidateParams;
+createValidateResult;
+endTests;
+startTests;
+subTest;
+testDuplicateHelper;
+testEqualsHelper;
+testError;
+testErrorUndo;
+testHashcodeHelper;
+testToStringHelper;
+PKIX_Cert2ASCII;
+PKIX_Error2ASCII;
+PKIX_String2ASCII;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/cmd/libpkix/testutil/testutil.c b/security/nss/cmd/libpkix/testutil/testutil.c
new file mode 100755
index 000000000..266f2ca48
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil.c
@@ -0,0 +1,619 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * testutil.c
+ *
+ * Utility error handling functions
+ *
+ */
+
+#include "testutil.h"
+
+/*
+ * static global variable to keep track of total number of errors for
+ * a particular test suite (eg. all the OID tests)
+ */
+static int errCount = 0;
+
+/*
+ * FUNCTION: startTests
+ * DESCRIPTION:
+ *
+ *  Prints standard message for starting the test suite with the name pointed
+ *  to by "testName". This function should be called in the beginning of every
+ *  test suite.
+ *
+ * PARAMETERS:
+ *  "testName"
+ *      Address of string representing name of test suite.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+startTests(char *testName)
+{
+        (void) printf("*START OF TESTS FOR %s:\n", testName);
+        errCount = 0;
+}
+
+/*
+ * FUNCTION: endTests
+ * DESCRIPTION:
+ *
+ *  Prints standard message for ending the test suite with the name pointed
+ *  to by "testName", followed by a success/failure message. This function
+ *  should be called at the end of every test suite.
+ *
+ * PARAMETERS:
+ *  "testName"
+ *      Address of string representing name of test suite.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+endTests(char *testName)
+{
+        char plural = ' ';
+
+        (void) printf("*END OF TESTS FOR %s: ", testName);
+        if (errCount > 0) {
+                if (errCount > 1) plural = 's';
+                (void) printf("%d SUBTEST%c FAILED.\n\n", errCount, plural);
+        } else {
+                (void) printf("ALL TESTS COMPLETED SUCCESSFULLY.\n\n");
+        }
+}
+
+/*
+ * FUNCTION: subTest
+ * DESCRIPTION:
+ *
+ *  Prints standard message for starting the subtest with the name pointed to
+ *  by "subTestName". This function should be called at the beginning of each
+ *  subtest.
+ *
+ * PARAMETERS:
+ *  "subTestName"
+ *      Address of string representing name of subTest.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+subTest(char *subTestName)
+{
+        (void) printf("TESTING: %s ...\n", subTestName);
+}
+
+/*
+ * FUNCTION: testErrorUndo
+ * DESCRIPTION:
+ *
+ *  Decrements the global variable "errCount" and prints a test failure
+ *  expected message followed by the string pointed to by "msg". This function
+ *  should be called when an expected error condition is encountered in the
+ *  tests. Calling this function *correct* the previous errCount increment.
+ *  It should only be called ONCE per subtest.
+ *
+ * PARAMETERS:
+ *  "msg"
+ *      Address of text of error message.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testErrorUndo(char *msg)
+{
+        --errCount;
+        (void) printf("TEST FAILURE *** EXPECTED *** :%s\n", msg);
+}
+
+/*
+ * FUNCTION: testError
+ * DESCRIPTION:
+ *
+ *  Increments the global variable "errCount" and prints a standard test
+ *  failure message followed by the string pointed to by "msg". This function
+ *  should be called when an unexpected error condition is encountered in the
+ *  tests. It should only be called ONCE per subtest.
+ *
+ * PARAMETERS:
+ *  "msg"
+ *      Address of text of error message.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "errCount"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testError(char *msg)
+{
+        ++errCount;
+        (void) printf("TEST FAILURE: %s\n", msg);
+}
+
+/*
+ * FUNCTION: PKIX_String2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts String object pointed to by "string" to its ASCII representation
+ *  and returns the converted value. Returns NULL upon failure.
+ *
+ *  XXX Might want to use ESCASCII_DEBUG to show control characters, etc.
+ *
+ * PARAMETERS:
+ *  "string"
+ *      Address of String to be converted to ASCII. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "string" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_String2ASCII(PKIX_PL_String *string, void *plContext)
+{
+        PKIX_UInt32 length;
+        char *asciiString = NULL;
+        PKIX_Error *errorResult;
+
+        errorResult = PKIX_PL_String_GetEncoded
+                (string,
+                PKIX_ESCASCII,
+                (void **)&asciiString,
+                &length,
+                plContext);
+
+        if (errorResult) goto cleanup;
+
+cleanup:
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+
+}
+
+/*
+ * FUNCTION: PKIX_Error2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Error pointed to by "error" to its ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error to be converted to ASCII. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "error" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Error2ASCII(PKIX_Error *error, void *plContext)
+{
+        PKIX_UInt32 length;
+        char *asciiString = NULL;
+        PKIX_PL_String *pkixString = NULL;
+        PKIX_Error *errorResult = NULL;
+
+        errorResult = PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)error, &pkixString, plContext);
+        if (errorResult) goto cleanup;
+
+        errorResult = PKIX_PL_String_GetEncoded
+                (pkixString,
+                PKIX_ESCASCII,
+                (void **)&asciiString,
+                &length,
+                plContext);
+
+cleanup:
+
+        if (pkixString){
+                if (PKIX_PL_Object_DecRef
+                    ((PKIX_PL_Object*)pkixString, plContext)){
+                        return (NULL);
+                }
+        }
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+}
+
+/*
+ * FUNCTION: PKIX_Object2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Object pointed to by "object" to its ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to be converted to ASCII. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the ASCII representation of "object" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Object2ASCII(PKIX_PL_Object *object)
+{
+        PKIX_UInt32 length;
+        char *asciiString = NULL;
+        PKIX_PL_String *pkixString = NULL;
+        PKIX_Error *errorResult = NULL;
+
+        errorResult = PKIX_PL_Object_ToString
+                (object, &pkixString, NULL);
+        if (errorResult) goto cleanup;
+
+        errorResult = PKIX_PL_String_GetEncoded
+            (pkixString, PKIX_ESCASCII, (void **)&asciiString, &length, NULL);
+
+cleanup:
+
+        if (pkixString){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixString, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+}
+
+/*
+ * FUNCTION: PKIX_Cert2ASCII
+ * DESCRIPTION:
+ *
+ *  Converts Cert pointed to by "cert" to its partial ASCII representation and
+ *  returns the converted value. Returns NULL upon failure.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert to be converted to ASCII. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the partial ASCII representation of "cert" upon success;
+ *  NULL upon failure.
+ */
+char *
+PKIX_Cert2ASCII(PKIX_PL_Cert *cert)
+{
+        PKIX_PL_X500Name *issuer = NULL;
+        void *issuerAscii = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        void *subjectAscii = NULL;
+        void *asciiString = NULL;
+        PKIX_Error *errorResult = NULL;
+        PKIX_UInt32 numChars;
+
+        /* Issuer */
+        errorResult = PKIX_PL_Cert_GetIssuer(cert, &issuer, NULL);
+        if (errorResult) goto cleanup;
+
+        issuerAscii = PKIX_Object2ASCII((PKIX_PL_Object*)issuer);
+
+        /* Subject */
+        errorResult = PKIX_PL_Cert_GetSubject(cert, &subject, NULL);
+        if (errorResult) goto cleanup;
+
+        if (subject){
+                subjectAscii = PKIX_Object2ASCII((PKIX_PL_Object*)subject);
+        }
+
+        errorResult = PKIX_PL_Malloc(200, &asciiString, NULL);
+        if (errorResult) goto cleanup;
+
+        numChars =
+                PR_snprintf
+                (asciiString,
+                200,
+                "Issuer=%s\nSubject=%s\n",
+                issuerAscii,
+                subjectAscii);
+
+        if (!numChars) goto cleanup;
+
+cleanup:
+
+        if (issuer){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)issuer, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (subject){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)subject, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (PKIX_PL_Free((PKIX_PL_Object*)issuerAscii, NULL)){
+                return (NULL);
+        }
+
+        if (PKIX_PL_Free((PKIX_PL_Object*)subjectAscii, NULL)){
+                return (NULL);
+        }
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+}
+
+/*
+ * FUNCTION: testHashcodeHelper
+ * DESCRIPTION:
+ *
+ *  Computes the hashcode of the Object pointed to by "goodObject" and the
+ *  Object pointed to by "otherObject" and compares them. If the result of the
+ *  comparison is not the desired match as specified by "match", an error
+ *  message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of an object. Must be non-NULL.
+ *  "otherObject"
+ *      Address of another object. Must be non-NULL.
+ *  "match"
+ *      Boolean value representing the desired comparison result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testHashcodeHelper(
+        PKIX_PL_Object *goodObject,
+        PKIX_PL_Object *otherObject,
+        PKIX_Boolean match,
+        void *plContext)
+{
+
+        PKIX_UInt32 goodHash;
+        PKIX_UInt32 otherHash;
+        PKIX_Boolean cmpResult;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
+                        ((PKIX_PL_Object *)goodObject, &goodHash, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
+                        ((PKIX_PL_Object *)otherObject, &otherHash, plContext));
+
+        cmpResult = (goodHash == otherHash);
+
+        if ((match && !cmpResult) || (!match && cmpResult)){
+                testError("unexpected mismatch");
+                (void) printf("Hash1:\t%d\n", goodHash);
+                (void) printf("Hash2:\t%d\n", otherHash);
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+}
+
+/*
+ * FUNCTION: testToStringHelper
+ * DESCRIPTION:
+ *
+ *  Calls toString on the Object pointed to by "goodObject" and compares the
+ *  result to the string pointed to by "expected". If the results are not
+ *  equal, an error message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of Object. Must be non-NULL.
+ *  "expected"
+ *      Address of the desired string.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testToStringHelper(
+        PKIX_PL_Object *goodObject,
+        char *expected,
+        void *plContext)
+{
+        PKIX_PL_String *stringRep = NULL;
+        char *actual = NULL;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+                        (goodObject, &stringRep, plContext));
+
+        actual = PKIX_String2ASCII(stringRep, plContext);
+        if (actual == NULL){
+                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
+                goto cleanup;
+        }
+
+        /*
+         * If you are having trouble matching the string, uncomment the
+         * PL_strstr function to figure out what's going on.
+         */
+
+        /*
+            if (PL_strstr(actual, expected) == NULL){
+                testError("PL_strstr failed");
+            }
+        */
+
+
+        if (PL_strcmp(actual, expected) != 0){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%s\n", actual);
+                (void) printf("Expected value:\t%s\n", expected);
+        }
+
+cleanup:
+
+        PKIX_PL_Free(actual, plContext);
+
+        PKIX_TEST_DECREF_AC(stringRep);
+
+        PKIX_TEST_RETURN();
+}
+
+/*
+ * FUNCTION: testEqualsHelper
+ * DESCRIPTION:
+ *
+ *  Checks if the Object pointed to by "goodObject" is Equal to the Object
+ *  pointed to by "otherObject". If the result of the check is not the desired
+ *  match as specified by "match", an error message is generated.
+ *
+ * PARAMETERS:
+ *  "goodObject"
+ *      Address of an Object. Must be non-NULL.
+ *  "otherObject"
+ *      Address of another Object. Must be non-NULL.
+ *  "match"
+ *      Boolean value representing the desired comparison result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testEqualsHelper(
+        PKIX_PL_Object *goodObject,
+        PKIX_PL_Object *otherObject,
+        PKIX_Boolean match,
+        void *plContext)
+{
+
+        PKIX_Boolean cmpResult;
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_PL_Object_Equals
+                (goodObject, otherObject, &cmpResult, plContext));
+
+        if ((match && !cmpResult) || (!match && cmpResult)){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", cmpResult);
+                (void) printf("Expected value:\t%d\n", match);
+        }
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+}
+
+
+/*
+ * FUNCTION: testDuplicateHelper
+ * DESCRIPTION:
+ *  Checks if the Object pointed to by "object" is equal to its duplicate.
+ *  If the result of the check is not equality, an error message is generated.
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns nothing.
+ */
+void
+testDuplicateHelper(PKIX_PL_Object *object, void *plContext)
+{
+        PKIX_PL_Object *newObject = NULL;
+        PKIX_Boolean cmpResult;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
+                                    (object, &newObject, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
+                                    (object, newObject, &cmpResult, plContext));
+
+        if (!cmpResult){
+                testError("unexpected mismatch");
+                (void) printf("Actual value:\t%d\n", cmpResult);
+                (void) printf("Expected value:\t%d\n", PKIX_TRUE);
+        }
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(newObject);
+
+        PKIX_TEST_RETURN();
+}
diff --git a/security/nss/cmd/libpkix/testutil/testutil.h b/security/nss/cmd/libpkix/testutil/testutil.h
new file mode 100755
index 000000000..528fc0ea9
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil.h
@@ -0,0 +1,337 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * testutil.h
+ *
+ * Utility functions for handling test errors
+ *
+ */
+
+#ifndef _TESTUTIL_H
+#define _TESTUTIL_H
+
+#include "pkix.h"
+#include "plstr.h"
+#include "prprf.h"
+#include "prlong.h"
+#include "pkix_pl_common.h"
+#include "secutil.h"
+#include <stdio.h>
+#include <ctype.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * In order to have a consistent format for displaying test information,
+ * all tests are REQUIRED to use the functions provided by this library
+ * (libtestutil.a) for displaying their information.
+ *
+ * A test using this library begins with a call to startTests with the test
+ * name as the arg (which is used only for formatting). Before the first
+ * subtest, a call to subTest should be made with the subtest name as the arg
+ * (again, for formatting). If the subTest is successful, then no action
+ * is needed. However, if the subTest is not successful, then a call
+ * to testError should be made with a descriptive error message as the arg.
+ * Note that a subTest MUST NOT call testError more than once.
+ * Finally, a call to endTests is made with the test name as the arg (for
+ * formatting). Note that most of these macros assume that a variable named
+ * "plContext" of type (void *) has been defined by the test. As such, it
+ * is essential that the test satisfy this condition.
+ */
+
+/*
+ * PKIX_TEST_STD_VARS should be called at the beginning of every function
+ * that uses PKIX_TEST_RETURN (e.g. subTests), but it should be called only
+ * AFTER declaring local variables (so we don't get compiler warnings about
+ * declarations after statements). PKIX_TEST_STD_VARS declares and initializes
+ * several variables needed by the other test macros.
+ */
+#define PKIX_TEST_STD_VARS() \
+        PKIX_Error *pkixTestErrorResult = NULL; \
+        char *pkixTestErrorMsg = NULL;
+
+/*
+ * PKIX_TEST_EXPECT_NO_ERROR should be used to wrap a standard PKIX function
+ * call (one which returns a pointer to PKIX_Error) that is expected to return
+ * NULL (i.e. to succeed). If "pkixTestErrorResult" is not NULL,
+ * "goto cleanup" is executed, where a testError call is made if there were
+ * unexpected results. This macro MUST NOT be called after the "cleanup" label.
+ *
+ * Example Usage: PKIX_TEST_EXPECT_NO_ERROR(pkixFunc_expected_to_succeed(...));
+ */
+
+#define PKIX_TEST_EXPECT_NO_ERROR(func) \
+        do { \
+                pkixTestErrorResult = (func); \
+                if (pkixTestErrorResult) { \
+                        goto cleanup; \
+                } \
+        } while (0)
+
+/*
+ * PKIX_TEST_EXPECT_ERROR should be used to wrap a standard PKIX function call
+ * (one which returns a pointer to PKIX_Error) that is expected to return
+ * a non-NULL value (i.e. to fail). If "pkixTestErrorResult" is NULL,
+ * "pkixTestErrorMsg" is set to a standard string and "goto cleanup"
+ * is executed, where a testError call is made if there were unexpected
+ * results. This macro MUST NOT be called after the "cleanup" label.
+ *
+ * Example Usage:  PKIX_TEST_EXPECT_ERROR(pkixFunc_expected_to_fail(...));
+ */
+
+#define PKIX_TEST_EXPECT_ERROR(func) \
+        do { \
+                pkixTestErrorResult = (func); \
+                if (!pkixTestErrorResult){ \
+                        pkixTestErrorMsg = \
+                                "Should have thrown an error here."; \
+                        goto cleanup; \
+                } \
+                PKIX_TEST_DECREF_BC(pkixTestErrorResult); \
+        } while (0)
+
+/*
+ * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
+ * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter and wraps the function with
+ * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
+ * This macro MUST NOT be called after the "cleanup" label.
+ */
+
+#define PKIX_TEST_DECREF_BC(obj) \
+        do { \
+                if (obj){ \
+                        PKIX_TEST_EXPECT_NO_ERROR \
+                        (PKIX_PL_Object_DecRef \
+                                ((PKIX_PL_Object*)(obj), plContext)); \
+                obj = NULL; \
+                } \
+        } while (0)
+
+/*
+ * PKIX_TEST_DECREF_AC is a convenience macro which should only be called
+ * AFTER the "cleanup" label ("AC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter. A pkixTestTempResult variable is used to prevent
+ * incorrectly overwriting pkixTestErrorResult with NULL.
+ * In the case DecRef succeeds, pkixTestTempResult will be NULL, and we won't
+ * overwrite a previously set pkixTestErrorResult (if any). If DecRef fails,
+ * then we do want to overwrite a previously set pkixTestErrorResult since a
+ * DecRef failure is fatal and may be indicative of memory corruption.
+ */
+
+#define PKIX_TEST_DECREF_AC(obj) \
+        do { \
+                if (obj){ \
+                        PKIX_Error *pkixTestTempResult = NULL; \
+                        pkixTestTempResult = \
+                        PKIX_PL_Object_DecRef \
+                                ((PKIX_PL_Object*)(obj), plContext); \
+                        if (pkixTestTempResult) \
+                                pkixTestErrorResult = pkixTestTempResult; \
+                        obj = NULL; \
+                } \
+        } while (0)
+
+/*
+ * PKIX_TEST_RETURN must always be AFTER the "cleanup" label. It does nothing
+ * if everything went as expected. However, if there were unexpected results,
+ * PKIX_TEST_RETURN calls testError, which displays a standard failure message
+ * and increments the number of subtests that have failed. In the case
+ * of an unexpected error, testError is called using the error's description
+ * as an input and the error is DecRef'd. In the case of unexpected success
+ * testError is called with a standard string.
+ */
+#define PKIX_TEST_RETURN() \
+        { \
+                if (pkixTestErrorMsg){ \
+                        testError(pkixTestErrorMsg); \
+                } else if (pkixTestErrorResult){ \
+                        pkixTestErrorMsg = \
+                                PKIX_Error2ASCII \
+                                        (pkixTestErrorResult, plContext); \
+                        if (pkixTestErrorMsg) { \
+                                testError(pkixTestErrorMsg); \
+                                PKIX_PL_Free \
+                                        ((PKIX_PL_Object *)pkixTestErrorMsg, \
+                                        plContext); \
+                        } else { \
+                                testError("PKIX_Error2ASCII Failed"); \
+                        } \
+                        if (pkixTestErrorResult != PKIX_ALLOC_ERROR()){ \
+                                PKIX_PL_Object_DecRef \
+                                ((PKIX_PL_Object*)pkixTestErrorResult, \
+                                plContext); \
+                                pkixTestErrorResult = NULL; \
+                        } \
+                } \
+        }
+
+/*
+ * PKIX_TEST_EQ_HASH_TOSTR_DUP is a convenience macro which executes the
+ * standard set of operations that test the Equals, Hashcode, ToString, and
+ * Duplicate functions of an object type. The goodObj, equalObj, and diffObj
+ * are as the names suggest. The expAscii parameter is the expected result of
+ * calling ToString on the goodObj. If expAscii is NULL, then ToString will
+ * not be called on the goodObj. The checkDuplicate parameter is treated as
+ * a Boolean to indicate whether the Duplicate function should be tested. If
+ * checkDuplicate is NULL, then Duplicate will not be called on the goodObj.
+ * The type is the name of the function's family. For example, if the type is
+ * Cert, this macro will call PKIX_PL_Cert_Equals, PKIX_PL_Cert_Hashcode, and
+ * PKIX_PL_Cert_ToString.
+ *
+ * Note: If goodObj uses the default Equals and Hashcode functions, then
+ * for goodObj and equalObj to be equal, they must have the same pointer value.
+ */
+#define PKIX_TEST_EQ_HASH_TOSTR_DUP(goodObj, equalObj, diffObj, \
+                                        expAscii, type, checkDuplicate) \
+        do { \
+                subTest("PKIX_PL_" #type "_Equals   <match>"); \
+                testEqualsHelper \
+                        ((PKIX_PL_Object *)(goodObj), \
+                        (PKIX_PL_Object *)(equalObj), \
+                        PKIX_TRUE, \
+                        plContext); \
+                subTest("PKIX_PL_" #type "_Hashcode <match>"); \
+                testHashcodeHelper \
+                        ((PKIX_PL_Object *)(goodObj), \
+                        (PKIX_PL_Object *)(equalObj), \
+                        PKIX_TRUE, \
+                        plContext); \
+                subTest("PKIX_PL_" #type "_Equals   <non-match>"); \
+                testEqualsHelper \
+                        ((PKIX_PL_Object *)(goodObj), \
+                        (PKIX_PL_Object *)(diffObj), \
+                        PKIX_FALSE, \
+                        plContext); \
+                subTest("PKIX_PL_" #type "_Hashcode <non-match>"); \
+                testHashcodeHelper \
+                        ((PKIX_PL_Object *)(goodObj), \
+                        (PKIX_PL_Object *)(diffObj), \
+                        PKIX_FALSE, \
+                        plContext); \
+                if (expAscii){ \
+                        subTest("PKIX_PL_" #type "_ToString"); \
+                        testToStringHelper \
+                                ((PKIX_PL_Object *)(goodObj), \
+                                (expAscii), \
+                                plContext); } \
+                if (checkDuplicate){ \
+                        subTest("PKIX_PL_" #type "_Duplicate"); \
+                        testDuplicateHelper \
+                                ((PKIX_PL_Object *)goodObj, plContext); } \
+        } while (0)
+
+/*
+ * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
+ * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
+ * DecRefs the input parameter and wraps the function with
+ * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
+ * This macro MUST NOT be called after the "cleanup" label.
+ */
+
+#define PKIX_TEST_ABORT_ON_NULL(obj) \
+        do { \
+                if (!obj){ \
+                        goto cleanup; \
+                } \
+        } while (0)
+
+#define PKIX_TEST_ARENAS_ARG(arena) \
+        (arena? \
+        (PORT_Strcmp(arena, "arenas") ? PKIX_FALSE : (j++, PKIX_TRUE)): \
+        PKIX_FALSE)
+
+#define PKIX_TEST_ERROR_RECEIVED (pkixTestErrorMsg || pkixTestErrorResult)
+
+/* see source file for function documentation */
+
+void startTests(char *testName);
+
+void endTests(char *testName);
+
+void subTest(char *subTestName);
+
+void testError(char *msg);
+
+extern PKIX_Error *
+_ErrorCheck(PKIX_Error *errorResult);
+
+extern PKIX_Error *
+_OutputError(PKIX_Error *errorResult);
+
+char* PKIX_String2ASCII(PKIX_PL_String *string, void *plContext);
+
+char* PKIX_Error2ASCII(PKIX_Error *error, void *plContext);
+
+char* PKIX_Object2ASCII(PKIX_PL_Object *object);
+
+char *PKIX_Cert2ASCII(PKIX_PL_Cert *cert);
+
+void
+testHashcodeHelper(
+        PKIX_PL_Object *goodObject,
+        PKIX_PL_Object *otherObject,
+        PKIX_Boolean match,
+        void *plContext);
+
+void
+testToStringHelper(
+        PKIX_PL_Object *goodObject,
+        char *expected,
+        void *plContext);
+
+void
+testEqualsHelper(
+        PKIX_PL_Object *goodObject,
+        PKIX_PL_Object *otherObject,
+        PKIX_Boolean match,
+        void *plContext);
+
+void
+testDuplicateHelper(
+        PKIX_PL_Object *object,
+        void *plContext);
+void
+testErrorUndo(char *msg);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* TESTUTIL_H */
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.c b/security/nss/cmd/libpkix/testutil/testutil_nss.c
new file mode 100755
index 000000000..6d2928a83
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil_nss.c
@@ -0,0 +1,663 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * testutil_nss.c
+ *
+ * NSS-specific utility functions for handling test errors
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "secutil.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static char *catDirName(char *dir, char *name, void *plContext)
+{
+        char *pathName = NULL;
+        PKIX_UInt32 nameLen;
+        PKIX_UInt32 dirLen;
+
+        PKIX_TEST_STD_VARS();
+
+        nameLen = PL_strlen(name);
+        dirLen = PL_strlen(dir);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
+                                    (dirLen + nameLen + 2,
+                                    (void **)&pathName,
+                                    plContext));
+
+        PL_strcpy(pathName, dir);
+        PL_strcat(pathName, "/");
+        PL_strcat(pathName, name);
+        printf("pathName = %s\n", pathName);
+
+cleanup:
+
+        PKIX_TEST_RETURN();
+
+        return (pathName);
+}
+
+PKIX_PL_Cert *
+createCert(
+        char *dirName,
+        char *certFileName,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        void *buf = NULL;
+        PRFileDesc *certFile = NULL;
+        PKIX_UInt32 len;
+        SECItem certDER;
+        SECStatus rv;
+        /* default: NULL cert (failure case) */
+        PKIX_PL_Cert *cert = NULL;
+        char *pathName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+
+        certDER.data = NULL;
+
+        pathName = catDirName(dirName, certFileName, plContext);
+        certFile = PR_Open(pathName, PR_RDONLY, 0);
+
+        if (!certFile){
+                pkixTestErrorMsg = "Unable to open cert file";
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        PKIX_TEST_EXPECT_NO_ERROR
+                                (PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext));
+
+                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
+                                                (byteArray, &cert, plContext));
+
+                        SECITEM_FreeItem(&certDER, PR_FALSE);
+                } else {
+                        pkixTestErrorMsg = "Unable to read DER from cert file";
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        pkixTestErrorResult = PKIX_PL_Free(pathName, plContext);
+
+        if (certFile){
+                PR_Close(certFile);
+        }
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+        }
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+
+        return (cert);
+}
+
+PKIX_PL_CRL *
+createCRL(
+        char *dirName,
+        char *crlFileName,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_Error *error = NULL;
+        PRFileDesc *inFile = NULL;
+        SECItem crlDER;
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        SECStatus rv;
+        char *pathName = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        crlDER.data = NULL;
+
+        pathName = catDirName(dirName, crlFileName, plContext);
+        inFile = PR_Open(pathName, PR_RDONLY, 0);
+
+        if (!inFile){
+                pkixTestErrorMsg = "Unable to open crl file";
+                goto cleanup;
+        } else {
+                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)crlDER.data;
+                        len = crlDER.len;
+
+                        error = PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext);
+
+                        if (error){
+                                pkixTestErrorMsg =
+                                        "PKIX_PL_ByteArray_Create failed";
+                                goto cleanup;
+                        }
+
+                        error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
+                        if (error){
+                                pkixTestErrorMsg = "PKIX_PL_Crl_Create failed";
+                                goto cleanup;
+                        }
+
+                        SECITEM_FreeItem(&crlDER, PR_FALSE);
+                } else {
+                        pkixTestErrorMsg = "Unable to read DER from crl file";
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(pathName, plContext));
+
+        if (inFile){
+                PR_Close(inFile);
+        }
+
+        if (error){
+                SECITEM_FreeItem(&crlDER, PR_FALSE);
+        }
+
+        PKIX_TEST_DECREF_AC(byteArray);
+
+        PKIX_TEST_RETURN();
+
+        return (crl);
+
+}
+
+PKIX_TrustAnchor *
+createTrustAnchor(
+        char *dirName,
+        char *certFileName,
+        PKIX_Boolean useCert,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_X500Name *name = NULL;
+        PKIX_PL_PublicKey *pubKey = NULL;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        cert = createCert(dirName, certFileName, plContext);
+
+        if (useCert){
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+                                        (cert, &anchor, plContext));
+        } else {
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
+                                        (cert, &name, plContext));
+
+                if (name == NULL){
+                        goto cleanup;
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                                        (cert, &pubKey, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
+                                        (cert, &nameConstraints, NULL));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_TrustAnchor_CreateWithNameKeyPair
+                        (name, pubKey, nameConstraints, &anchor, plContext));
+        }
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(anchor);
+        }
+
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(name);
+        PKIX_TEST_DECREF_AC(pubKey);
+        PKIX_TEST_DECREF_AC(nameConstraints);
+
+        PKIX_TEST_RETURN();
+
+        return (anchor);
+}
+
+PKIX_List *
+createCertChain(
+        char *dirName,
+        char *firstCertFileName,
+        char *secondCertFileName,
+        void *plContext)
+{
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+        PKIX_List *certList = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
+
+        firstCert = createCert(dirName, firstCertFileName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                (certList, (PKIX_PL_Object *)firstCert, plContext));
+
+        if (secondCertFileName){
+                secondCert = createCert(dirName, secondCertFileName, plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                        (certList, (PKIX_PL_Object *)secondCert, plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
+                                    (certList, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(certList);
+        }
+
+        PKIX_TEST_DECREF_AC(firstCert);
+        PKIX_TEST_DECREF_AC(secondCert);
+
+        PKIX_TEST_RETURN();
+
+        return (certList);
+}
+
+PKIX_List *
+createCertChainPlus(
+        char *dirName,
+        char *certNames[],
+        PKIX_PL_Cert *certs[],
+        PKIX_UInt32 numCerts,
+        void *plContext)
+{
+        PKIX_List *certList = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
+
+        for (i = 0; i < numCerts; i++) {
+
+                certs[i] = createCert(dirName, certNames[i], plContext);
+
+                /* Create Cert may fail */
+                if (certs[i] == NULL) {
+                        PKIX_TEST_DECREF_BC(certList);
+                        goto cleanup;
+                }
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                            (certList,
+                                            (PKIX_PL_Object *)certs[i],
+                                            plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
+                                    (certList, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(certList);
+        }
+
+        for (i = 0; i < numCerts; i++) {
+                PKIX_TEST_DECREF_AC(certs[i]);
+        }
+
+        PKIX_TEST_RETURN();
+
+        return (certList);
+
+}
+
+PKIX_PL_Date *
+createDate(
+        char *asciiDate,
+        void *plContext)
+{
+        PKIX_PL_Date *date = NULL;
+        PKIX_PL_String *plString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+            (PKIX_ESCASCII, asciiDate, 0, &plString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime
+                                    (plString, &date, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(plString);
+
+        PKIX_TEST_RETURN();
+
+        return (date);
+}
+
+PKIX_ProcessingParams *
+createProcessingParams(
+        char *dirName,
+        char *firstAnchorFileName,
+        char *secondAnchorFileName,
+        char *dateAscii,
+        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+        PKIX_Boolean isCrlEnabled,
+        void *plContext)
+{
+
+        PKIX_TrustAnchor *firstAnchor = NULL;
+        PKIX_TrustAnchor *secondAnchor = NULL;
+        PKIX_List *anchorsList = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_String *dateString = NULL;
+        PKIX_PL_Date *testDate = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchorsList, plContext));
+
+        firstAnchor = createTrustAnchor
+                (dirName, firstAnchorFileName, PKIX_FALSE, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                    (anchorsList,
+                                    (PKIX_PL_Object *)firstAnchor,
+                                    plContext));
+
+        if (secondAnchorFileName){
+                secondAnchor =
+                        createTrustAnchor
+                        (dirName, secondAnchorFileName, PKIX_FALSE, plContext);
+
+                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+                                            (anchorsList,
+                                            (PKIX_PL_Object *)secondAnchor,
+                                            plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+                                    (anchorsList, &procParams, plContext));
+
+        if (dateAscii){
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        dateAscii,
+                        0,
+                        &dateString,
+                        plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_PL_Date_Create_UTCTime
+                        (dateString, &testDate, plContext));
+
+                PKIX_TEST_EXPECT_NO_ERROR
+                        (PKIX_ProcessingParams_SetDate
+                        (procParams, testDate, plContext));
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
+                (procParams, initialPolicies, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
+                                    (procParams, isCrlEnabled, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(procParams);
+        }
+
+        PKIX_TEST_DECREF_AC(dateString);
+        PKIX_TEST_DECREF_AC(testDate);
+        PKIX_TEST_DECREF_AC(anchorsList);
+        PKIX_TEST_DECREF_AC(firstAnchor);
+        PKIX_TEST_DECREF_AC(secondAnchor);
+
+        PKIX_TEST_RETURN();
+
+        return (procParams);
+}
+
+PKIX_ValidateParams *
+createValidateParams(
+        char *dirName,
+        char *firstAnchorFileName,
+        char *secondAnchorFileName,
+        char *dateAscii,
+        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+        PKIX_Boolean initialPolicyMappingInhibit,
+        PKIX_Boolean initialAnyPolicyInhibit,
+        PKIX_Boolean initialExplicitPolicy,
+        PKIX_Boolean isCrlEnabled,
+        PKIX_List *chain,
+        void *plContext)
+{
+
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_ValidateParams *valParams = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        procParams =
+                createProcessingParams
+                    (dirName,
+                    firstAnchorFileName,
+                    secondAnchorFileName,
+                    dateAscii,
+                    NULL,
+                    isCrlEnabled,
+                    plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
+                (procParams, initialPolicies, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetPolicyMappingInhibited
+                (procParams, initialPolicyMappingInhibit, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetAnyPolicyInhibited
+                (procParams, initialAnyPolicyInhibit, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (PKIX_ProcessingParams_SetExplicitPolicyRequired
+                (procParams, initialExplicitPolicy, NULL));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
+                (procParams, chain, &valParams, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(valParams);
+        }
+
+        PKIX_TEST_DECREF_AC(procParams);
+
+        PKIX_TEST_RETURN();
+
+        return (valParams);
+}
+
+PKIX_ValidateResult *
+createValidateResult(
+        char *dirName,
+        char *anchorFileName,
+        char *pubKeyCertFileName,
+        void *plContext)
+{
+
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_PL_PublicKey *pubKey = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        anchor = createTrustAnchor
+                    (dirName, anchorFileName, PKIX_FALSE, plContext);
+        cert = createCert(dirName, pubKeyCertFileName, plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
+                                    (cert, &pubKey, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (pkix_ValidateResult_Create
+                (pubKey, anchor, NULL, &valResult, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(valResult);
+        }
+
+        PKIX_TEST_DECREF_AC(anchor);
+        PKIX_TEST_DECREF_AC(cert);
+        PKIX_TEST_DECREF_AC(pubKey);
+
+        PKIX_TEST_RETURN();
+
+        return (valResult);
+}
+
+PKIX_PL_GeneralName *
+createGeneralName(
+        PKIX_UInt32 nameType,
+        char *asciiName,
+        void *plContext)
+{
+
+        PKIX_PL_GeneralName *generalName = NULL;
+        PKIX_PL_String *plString = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
+            (PKIX_ESCASCII, asciiName, 0, &plString, plContext));
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_GeneralName_Create
+            (nameType, plString, &generalName, plContext));
+
+cleanup:
+
+        PKIX_TEST_DECREF_AC(plString);
+
+        PKIX_TEST_RETURN();
+
+        return (generalName);
+}
+
+PKIX_BuildResult *
+createBuildResult(
+        char *dirName,
+        char *anchorFileName,
+        char *pubKeyCertFileName,
+        char *firstChainCertFileName,
+        char *secondChainCertFileName,
+        void *plContext)
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_List *certChain = NULL;
+
+        PKIX_TEST_STD_VARS();
+
+        valResult = createValidateResult
+                (dirName, anchorFileName, pubKeyCertFileName, plContext);
+        certChain = createCertChain
+                        (dirName,
+                        firstChainCertFileName,
+                        secondChainCertFileName,
+                        plContext);
+
+        PKIX_TEST_EXPECT_NO_ERROR
+                (pkix_BuildResult_Create
+                (valResult, certChain, &buildResult, plContext));
+
+cleanup:
+
+        if (PKIX_TEST_ERROR_RECEIVED){
+                PKIX_TEST_DECREF_AC(buildResult);
+        }
+
+        PKIX_TEST_DECREF_AC(valResult);
+        PKIX_TEST_DECREF_AC(certChain);
+
+        PKIX_TEST_RETURN();
+
+        return (buildResult);
+}
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.h b/security/nss/cmd/libpkix/testutil/testutil_nss.h
new file mode 100755
index 000000000..4c2a2e04e
--- /dev/null
+++ b/security/nss/cmd/libpkix/testutil/testutil_nss.h
@@ -0,0 +1,153 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * testutil_nss.h
+ *
+ * NSS-specific utility functions for handling test errors
+ *
+ */
+
+#ifndef _TESTUTIL_NSS_H
+#define _TESTUTIL_NSS_H
+
+#include "pkix_tools.h"
+#include "plstr.h"
+#include "prprf.h"
+#include "prlong.h"
+#include "secutil.h"
+#include <stdio.h>
+#include <ctype.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "pkix_pl_generalname.h"
+
+/* see source file for function documentation */
+
+PKIX_PL_Cert *
+createCert(
+        char *dirName,
+        char *certFile,
+        void *plContext);
+
+PKIX_PL_CRL *
+createCRL(
+        char *dirName,
+        char *crlFileName,
+        void *plContext);
+
+PKIX_TrustAnchor *
+createTrustAnchor(
+        char *dirName,
+        char *taFileName,
+        PKIX_Boolean useCert,
+        void *plContext);
+
+PKIX_List *
+createCertChain(
+        char *dirName,
+        char *firstCertFileName,
+        char *secondCertFileName,
+        void *plContext);
+
+PKIX_List *
+createCertChainPlus(
+        char *dirName,
+        char *certNames[],
+        PKIX_PL_Cert *certs[],
+        PKIX_UInt32 numCerts,
+        void *plContext);
+
+PKIX_PL_Date *
+createDate(
+        char *asciiDate,
+        void *plContext);
+
+
+PKIX_ProcessingParams *
+createProcessingParams(
+        char *dirName,
+        char *firstAnchorFileName,
+        char *secondAnchorFileName,
+        char *dateAscii,
+        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+        PKIX_Boolean isCrlEnabled,
+        void *plContext);
+
+PKIX_ValidateParams *
+createValidateParams(
+        char *dirName,
+        char *firstAnchorFileName,
+        char *secondAnchorFileName,
+        char *dateAscii,
+        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
+        PKIX_Boolean initialPolicyMappingInhibit,
+        PKIX_Boolean initialAnyPolicyInhibit,
+        PKIX_Boolean initialExplicitPolicy,
+        PKIX_Boolean isCrlEnabled,
+        PKIX_List *chain,
+        void *plContext);
+
+PKIX_ValidateResult *
+createValidateResult(
+        char *dirName,
+        char *anchorFileName,
+        char *pubKeyCertFileName,
+        void *plContext);
+
+PKIX_BuildResult *
+createBuildResult(
+        char *dirName,
+        char *anchorFileName,
+        char *pubKeyCertFileName,
+        char *firstChainCertFileName,
+        char *secondChainCertFileName,
+        void *plContext);
+
+PKIX_PL_GeneralName *
+createGeneralName(
+        PKIX_UInt32 nameType,
+        char *asciiName,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* TESTUTIL_NSS_H */
diff --git a/security/nss/cmd/makepqg/Makefile b/security/nss/cmd/makepqg/Makefile
new file mode 100644
index 000000000..835c85833
--- /dev/null
+++ b/security/nss/cmd/makepqg/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
+
diff --git a/security/nss/cmd/makepqg/makepqg.c b/security/nss/cmd/makepqg/makepqg.c
new file mode 100644
index 000000000..5a172d696
--- /dev/null
+++ b/security/nss/cmd/makepqg/makepqg.c
@@ -0,0 +1,363 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+
+#include "nss.h"
+#include "secutil.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "pk11pqg.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "plgetopt.h"
+
+#define BPB 8 /* bits per byte. */
+
+char  *progName;
+
+
+const SEC_ASN1Template seckey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
+    { 0, }
+};
+
+
+
+void
+Usage(void)
+{
+    fprintf(stderr, "Usage:  %s\n", progName);
+    fprintf(stderr, 
+"-a   Output DER-encoded PQG params, BTOA encoded.\n"
+"     -l prime-length       Length of prime in bits (1024 is default)\n"
+"     -o file               Output to this file (default is stdout)\n"
+"-b   Output DER-encoded PQG params in binary\n"
+"     -l prime-length       Length of prime in bits (1024 is default)\n"
+"     -o file               Output to this file (default is stdout)\n"
+"-r   Output P, Q and G in ASCII hexadecimal. \n"
+"     -l prime-length       Length of prime in bits (1024 is default)\n"
+"     -o file               Output to this file (default is stdout)\n"   
+"-g bits       Generate SEED this many bits long.\n"
+);
+    exit(-1);
+
+}
+
+SECStatus
+outputPQGParams(PQGParams * pqgParams, PRBool output_binary, PRBool output_raw,
+                FILE * outFile)
+{
+    PRArenaPool   * arena 		= NULL;
+    char          * PQG;
+    SECItem       * pItem;
+    int             cc;
+    SECStatus       rv;
+    SECItem         encodedParams;
+
+    if (output_raw) {
+    	SECItem item;
+
+	rv = PK11_PQG_GetPrimeFromParams(pqgParams, &item);
+	if (rv) {
+	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
+	    return rv;
+	}
+	SECU_PrintInteger(outFile, &item,    "Prime",    1);
+	SECITEM_FreeItem(&item, PR_FALSE);
+
+	rv = PK11_PQG_GetSubPrimeFromParams(pqgParams, &item);
+	if (rv) {
+	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
+	    return rv;
+	}
+	SECU_PrintInteger(outFile, &item, "Subprime", 1);
+	SECITEM_FreeItem(&item, PR_FALSE);
+
+	rv = PK11_PQG_GetBaseFromParams(pqgParams, &item);
+	if (rv) {
+	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
+	    return rv;
+	}
+	SECU_PrintInteger(outFile, &item,     "Base",     1);
+	SECITEM_FreeItem(&item, PR_FALSE);
+
+	fprintf(outFile, "\n");
+	return SECSuccess;
+    }
+
+    encodedParams.data = NULL;
+    encodedParams.len  = 0;
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+    	SECU_PrintError(progName, "PORT_NewArena");
+	return SECFailure;
+    }
+    pItem = SEC_ASN1EncodeItem(arena, &encodedParams, pqgParams,
+			       seckey_PQGParamsTemplate);
+    if (!pItem) {
+    	SECU_PrintError(progName, "SEC_ASN1EncodeItem");
+	PORT_FreeArena(arena, PR_FALSE);
+    	return SECFailure;
+    }
+    if (output_binary) {
+	size_t len;
+	len = fwrite(encodedParams.data, 1, encodedParams.len, outFile);
+	PORT_FreeArena(arena, PR_FALSE);
+	if (len != encodedParams.len) {
+	     fprintf(stderr, "%s: fwrite failed\n", progName);
+	     return SECFailure;
+	}
+	return SECSuccess;
+    }
+
+    /* must be output ASCII */
+    PQG = BTOA_DataToAscii(encodedParams.data, encodedParams.len);    
+    PORT_FreeArena(arena, PR_FALSE);
+    if (!PQG) {
+    	SECU_PrintError(progName, "BTOA_DataToAscii");
+	return SECFailure;
+    }
+
+    cc = fprintf(outFile,"%s\n",PQG);
+    PORT_Free(PQG);
+    if (cc <= 0) {
+	 fprintf(stderr, "%s: fprintf failed\n", progName);
+	 return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+outputPQGVerify(PQGVerify * pqgVerify, PRBool output_binary, PRBool output_raw,
+                FILE * outFile)
+{
+    SECStatus rv = SECSuccess;
+    if (output_raw) {
+    	SECItem item;
+	unsigned int counter;
+
+	rv = PK11_PQG_GetHFromVerify(pqgVerify, &item);
+	if (rv) {
+	    SECU_PrintError(progName, "PK11_PQG_GetHFromVerify");
+	    return rv;
+	}
+	SECU_PrintInteger(outFile, &item,        "h",        1);
+	SECITEM_FreeItem(&item, PR_FALSE);
+
+	rv = PK11_PQG_GetSeedFromVerify(pqgVerify, &item);
+	if (rv) {
+	    SECU_PrintError(progName, "PK11_PQG_GetSeedFromVerify");
+	    return rv;
+	}
+	SECU_PrintInteger(outFile, &item,     "SEED",     1);
+	fprintf(outFile, "    g:       %d\n", item.len * BPB);
+	SECITEM_FreeItem(&item, PR_FALSE);
+
+	counter = PK11_PQG_GetCounterFromVerify(pqgVerify);
+	fprintf(outFile, "    counter: %d\n", counter);
+	fprintf(outFile, "\n");
+    }
+    return rv;
+}
+
+int
+main(int argc, char **argv)
+{
+    FILE          * outFile 		= NULL;
+    char          * outFileName         = NULL;
+    PQGParams     * pqgParams 		= NULL;
+    PQGVerify     * pqgVerify           = NULL;
+    int             keySizeInBits	= 1024;
+    int             j;
+    int             g                   = 0;
+    SECStatus       rv 			= 0;
+    SECStatus       passed 		= 0;
+    PRBool          output_ascii	= PR_FALSE;
+    PRBool          output_binary	= PR_FALSE;
+    PRBool          output_raw		= PR_FALSE;
+    PLOptState *optstate;
+    PLOptStatus status;
+
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    /* Parse command line arguments */
+    optstate = PL_CreateOptState(argc, argv, "?abg:l:o:r" );
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+
+	  case 'l':
+	    keySizeInBits = atoi(optstate->value);
+	    break;
+
+	  case 'a':
+	    output_ascii = PR_TRUE;  
+	    break;
+
+	  case 'b':
+	    output_binary = PR_TRUE;
+	    break;
+
+	  case 'r':
+	    output_raw = PR_TRUE;
+	    break;
+
+	  case 'o':
+	    if (outFileName) {
+	    	PORT_Free(outFileName);
+	    }
+	    outFileName = PORT_Strdup(optstate->value);
+	    if (!outFileName) {
+		rv = -1;
+	    }
+	    break;
+
+	  case 'g':
+	    g = atoi(optstate->value);
+	    break;
+
+	  default:
+	  case '?':
+	    Usage();
+	    break;
+
+	}
+    }
+    PL_DestroyOptState(optstate);
+
+    if (status == PL_OPT_BAD) {
+        Usage();
+    }
+
+    /* exactly 1 of these options must be set. */
+    if (1 != ((output_ascii  != PR_FALSE) + 
+	      (output_binary != PR_FALSE) +
+	      (output_raw    != PR_FALSE))) {
+	Usage();
+    }
+
+    j = PQG_PBITS_TO_INDEX(keySizeInBits);
+    if (j < 0) {
+	fprintf(stderr, "%s: Illegal prime length, \n"
+			"\tacceptable values are between 512 and 1024,\n"
+			"\tand divisible by 64\n", progName);
+	return 2;
+    }
+    if (g != 0 && (g < 160 || g >= 2048 || g % 8 != 0)) {
+	fprintf(stderr, "%s: Illegal g bits, \n"
+			"\tacceptable values are between 160 and 2040,\n"
+			"\tand divisible by 8\n", progName);
+	return 3;
+    }
+
+    if (!rv && outFileName) {
+	outFile = fopen(outFileName, output_binary ? "wb" : "w");
+	if (!outFile) {
+	    fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+		    progName, outFileName);
+	    rv = -1;
+	}
+    }
+    if (outFileName) {
+	PORT_Free(outFileName);
+    }
+    if (rv != 0) {
+	return 1;
+    }
+
+    if (outFile == NULL) {
+	outFile = stdout;
+    }
+
+
+    NSS_NoDB_Init(NULL);
+
+    if (g) 
+	rv = PK11_PQG_ParamGenSeedLen((unsigned)j, (unsigned)(g/8), 
+	                         &pqgParams, &pqgVerify);
+    else 
+	rv = PK11_PQG_ParamGen((unsigned)j, &pqgParams, &pqgVerify);
+    /* below here, must go to loser */
+
+    if (rv != SECSuccess || pqgParams == NULL || pqgVerify == NULL) {
+	SECU_PrintError(progName, "PQG parameter generation failed.\n");
+	goto loser;
+    } 
+    fprintf(stderr, "%s: PQG parameter generation completed.\n", progName);
+
+    rv = outputPQGParams(pqgParams, output_binary, output_raw, outFile);
+    if (rv) {
+    	fprintf(stderr, "%s: failed to output PQG params.\n", progName);
+	goto loser;
+    }
+    rv = outputPQGVerify(pqgVerify, output_binary, output_raw, outFile);
+    if (rv) {
+    	fprintf(stderr, "%s: failed to output PQG Verify.\n", progName);
+	goto loser;
+    }
+
+    rv = PK11_PQG_VerifyParams(pqgParams, pqgVerify, &passed);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: PQG parameter verification aborted.\n", progName);
+	goto loser;
+    }
+    if (passed != SECSuccess) {
+	fprintf(stderr, "%s: PQG parameters failed verification.\n", progName);
+	goto loser;
+    } 
+    fprintf(stderr, "%s: PQG parameters passed verification.\n", progName);
+
+    PK11_PQG_DestroyParams(pqgParams);
+    PK11_PQG_DestroyVerify(pqgVerify);
+    return 0;
+
+loser:
+    PK11_PQG_DestroyParams(pqgParams);
+    PK11_PQG_DestroyVerify(pqgVerify);
+    return 1;
+}
diff --git a/security/nss/cmd/makepqg/manifest.mn b/security/nss/cmd/makepqg/manifest.mn
new file mode 100644
index 000000000..7d623f11b
--- /dev/null
+++ b/security/nss/cmd/makepqg/manifest.mn
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+REQUIRES = dbm 
+
+# DIRS = 
+
+CSRCS	=  makepqg.c
+
+PROGRAM	= makepqg
+
+#USE_STATIC_LIBS = 1
+
diff --git a/security/nss/cmd/makepqg/testit.ksh b/security/nss/cmd/makepqg/testit.ksh
new file mode 100644
index 000000000..31ac17ea1
--- /dev/null
+++ b/security/nss/cmd/makepqg/testit.ksh
@@ -0,0 +1,45 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+COUNTER=75
+while [ $COUNTER -ge "1" ] 
+do 
+	COUNTER=$(eval expr $COUNTER - 1)
+	echo $COUNTER
+    	*/makepqg.exe -r -l 640 -g 160 || exit 1
+done
+
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
new file mode 100644
index 000000000..d1b83e595
--- /dev/null
+++ b/security/nss/cmd/manifest.mn
@@ -0,0 +1,98 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH	= ../..
+# MODULE	= seccmd
+
+REQUIRES = nss nspr libdbm
+
+DIRS = lib  \
+ $(ZLIB_SRCDIR) \
+ addbuiltin \
+ atob  \
+ bltest \
+ btoa  \
+ certcgi \
+ certutil  \
+ checkcert  \
+ crlutil  \
+ crmftest \
+ dbtest \
+ derdump  \
+ digest  \
+ fipstest  \
+ makepqg  \
+ ocspclnt  \
+ oidcalc  \
+ p7content  \
+ p7env  \
+ p7sign  \
+ p7verify  \
+ pk12util \
+ pk11mode \
+ pp  \
+ rsaperf \
+ sdrtest \
+ selfserv  \
+ signtool \
+ signver \
+ shlibsign \
+ smimetools  \
+ ssltap  \
+ strsclnt \
+ symkeyutil \
+ tests \
+ tstclnt  \
+ vfychain \
+ vfyserv \
+ modutil \
+ $(NULL)
+
+TEMPORARILY_DONT_BUILD = \
+ $(NULL)
+
+# rsaperf  \
+#
+#       needs to look at what needs to happen to make jar build in
+# the binary release environment.
+#
+# perror requires lib/strerror.c which requires the client code installed 
+# to build (requires allxpstr.h)
+#
+DONT_BULD = jar \
+ perror \
+$(NULL)
diff --git a/security/nss/cmd/modutil/Makefile b/security/nss/cmd/modutil/Makefile
new file mode 100644
index 000000000..8bdb8658d
--- /dev/null
+++ b/security/nss/cmd/modutil/Makefile
@@ -0,0 +1,84 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
+#
+# Cancel the built-in implicit yacc and lex rules.
+#
+
+%.c: %.y
+%.c: %.l
diff --git a/security/nss/cmd/modutil/README b/security/nss/cmd/modutil/README
new file mode 100644
index 000000000..12d192c9f
--- /dev/null
+++ b/security/nss/cmd/modutil/README
@@ -0,0 +1,7 @@
+                    CRYPTOGRAPHIC MODULE UTILITY (modutil)
+                                VERSION 1.0
+              ===============================================
+
+The file specification.html documentats the software.
+
+The file pk11jar.html documents the PKCS #11 JAR format.
diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h
new file mode 100644
index 000000000..f8f4a9187
--- /dev/null
+++ b/security/nss/cmd/modutil/error.h
@@ -0,0 +1,189 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef MODUTIL_ERROR_H
+#define MODUTIL_ERROR_H
+
+/*
+ * The values of these enumerated constants are immutable and must not be
+ * changed.
+ */
+typedef enum {
+	NO_ERR=0,
+	INVALID_USAGE_ERR,
+	UNEXPECTED_ARG_ERR,
+	UNKNOWN_OPTION_ERR,
+	MULTIPLE_COMMAND_ERR,
+	OPTION_NEEDS_ARG_ERR,
+	DUPLICATE_OPTION_ERR,
+	MISSING_PARAM_ERR,
+	INVALID_FIPS_ARG,
+	NO_COMMAND_ERR,
+	NO_DBDIR_ERR,
+	FIPS_SWITCH_FAILED_ERR,
+	FIPS_ALREADY_ON_ERR,
+	FIPS_ALREADY_OFF_ERR,
+	FILE_ALREADY_EXISTS_ERR,
+	FILE_DOESNT_EXIST_ERR,
+	FILE_NOT_READABLE_ERR,
+	FILE_NOT_WRITEABLE_ERR,
+	DIR_DOESNT_EXIST_ERR,
+	DIR_NOT_READABLE_ERR,
+	DIR_NOT_WRITEABLE_ERR,
+	INVALID_CONSTANT_ERR,
+	ADD_MODULE_FAILED_ERR,
+	UNUSED_ERR,  /* reserved for future use */
+	OUT_OF_MEM_ERR,
+	DELETE_INTERNAL_ERR,
+	DELETE_FAILED_ERR,
+	NO_LIST_LOCK_ERR,
+	NO_MODULE_LIST_ERR,
+	NO_SUCH_MODULE_ERR,
+	MOD_INFO_ERR,
+	SLOT_INFO_ERR,
+	TOKEN_INFO_ERR,
+	NO_SUCH_TOKEN_ERR,
+	CHANGEPW_FAILED_ERR,
+	BAD_PW_ERR,
+	DB_ACCESS_ERR,
+	AUTHENTICATION_FAILED_ERR,
+	NO_SUCH_SLOT_ERR,
+	ENABLE_FAILED_ERR,
+	UPDATE_MOD_FAILED_ERR,
+	DEFAULT_FAILED_ERR,
+	UNDEFAULT_FAILED_ERR,
+	STDIN_READ_ERR,
+	UNSPECIFIED_ERR,
+	NOCERTDB_MISUSE_ERR,
+	NSS_INITIALIZE_FAILED_ERR,
+
+	LAST_ERR /* must be last */
+} Error;
+#define SUCCESS NO_ERR
+
+/* !!! Should move this into its own .c and un-static it. */
+static char *errStrings[] = {
+	"Operation completed successfully.\n",
+	"ERROR: Invalid command line.\n",
+	"ERROR: Not expecting argument \"%s\".\n",
+	"ERROR: Unknown option: %s.\n",
+	"ERROR: %s: multiple commands are not allowed on the command line.\n",
+	"ERROR: %s: option needs an argument.\n",
+	"ERROR: %s: option cannot be given more than once.\n",
+	"ERROR: Command \"%s\" requires parameter \"%s\".\n",
+	"ERROR: Argument to -fips must be \"true\" or \"false\".\n",
+	"ERROR: No command was specified.\n",
+	"ERROR: Cannot determine database directory: use the -dbdir option.\n",
+	"ERROR: Unable to switch FIPS modes.\n",
+	"FIPS mode already enabled.\n",
+	"FIPS mode already disabled.\n",
+	"ERROR: File \"%s\" already exists.\n",
+	"ERROR: File \"%s\" does not exist.\n",
+	"ERROR: File \"%s\" is not readable.\n",
+	"ERROR: File \"%s\" is not writeable.\n",
+	"ERROR: Directory \"%s\" does not exist.\n",
+	"ERROR: Directory \"%s\" is not readable.\n",
+	"ERROR: Directory \"%s\" is not writeable.\n",
+	"\"%s\" is not a recognized value.\n",
+	"ERROR: Failed to add module \"%s\". Probable cause : \"%s\".\n",
+	"Unused error string",
+	"ERROR: Out of memory.\n",
+	"ERROR: Cannot delete internal module.\n",
+	"ERROR: Failed to delete module \"%s\".\n",
+	"ERROR: Unable to obtain lock on module list.\n",
+	"ERROR: Unable to obtain module list.\n",
+	"ERROR: Module \"%s\" not found in database.\n",
+	"ERROR: Unable to get information about module \"%s\".\n",
+	"ERROR: Unable to get information about slot \"%s\".\n",
+	"ERROR: Unable to get information about token \"%s\".\n",
+	"ERROR: Token \"%s\" not found.\n",
+	"ERROR: Unable to change password on token \"%s\".\n",
+	"ERROR: Incorrect password.\n",
+	"ERROR: Unable to access database \"%s\".\n",
+	"ERROR: Unable to authenticate to token \"%s\".\n",
+	"ERROR: Slot \"%s\" not found.\n",
+	"ERROR: Failed to %s slot \"%s\".\n",
+	"ERROR: Failed to update module \"%s\".\n",
+	"ERROR: Failed to change defaults.\n",
+	"ERROR: Failed to change default.\n",
+	"ERROR: Unable to read from standard input.\n",
+	"ERROR: Unknown error occurred.\n",
+	"ERROR: -nocertdb option can only be used with the -jar command.\n"
+	"ERROR: NSS_Initialize() failed.\n"
+};
+
+typedef enum {
+	FIPS_ENABLED_MSG=0,
+	FIPS_DISABLED_MSG,
+	USING_DBDIR_MSG,
+	CREATING_DB_MSG,
+	ADD_MODULE_SUCCESS_MSG,
+	DELETE_SUCCESS_MSG,
+	CHANGEPW_SUCCESS_MSG,
+	BAD_PW_MSG,
+	PW_MATCH_MSG,
+	DONE_MSG,
+	ENABLE_SUCCESS_MSG,
+	DEFAULT_SUCCESS_MSG,
+	UNDEFAULT_SUCCESS_MSG,
+	BROWSER_RUNNING_MSG,
+	ABORTING_MSG,
+
+	LAST_MSG  /* must be last */
+} Message;
+
+static char *msgStrings[] = {
+	"FIPS mode enabled.\n",
+	"FIPS mode disabled.\n",
+	"Using database directory %s...\n",
+	"Creating \"%s\"...",
+	"Module \"%s\" added to database.\n",
+	"Module \"%s\" deleted from database.\n",
+	"Token \"%s\" password changed successfully.\n",
+	"Incorrect password, try again...\n",
+	"Passwords do not match, try again...\n",
+	"done.\n",
+	"Slot \"%s\" %s.\n",
+	"Successfully changed defaults.\n",
+	"Successfully changed defaults.\n",
+"\nWARNING: Performing this operation while the browser is running could cause"
+"\ncorruption of your security databases. If the browser is currently running,"
+"\nyou should exit browser before continuing this operation. Type "
+"\n'q <enter>' to abort, or <enter> to continue: ",
+	"\nAborting...\n"
+};
+
+#endif /* MODUTIL_ERROR_H */
diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c
new file mode 100644
index 000000000..2961dc302
--- /dev/null
+++ b/security/nss/cmd/modutil/install-ds.c
@@ -0,0 +1,1544 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "install-ds.h"
+#include <prmem.h>
+#include <plstr.h>
+#include <prprf.h>
+#include <string.h>
+
+#define PORT_Strcasecmp PL_strcasecmp
+
+#define MODULE_FILE_STRING "ModuleFile"
+#define MODULE_NAME_STRING "ModuleName"
+#define MECH_FLAGS_STRING "DefaultMechanismFlags"
+#define CIPHER_FLAGS_STRING "DefaultCipherFlags"
+#define FILES_STRING "Files"
+#define FORWARD_COMPATIBLE_STRING "ForwardCompatible"
+#define PLATFORMS_STRING "Platforms"
+#define RELATIVE_DIR_STRING "RelativePath"
+#define ABSOLUTE_DIR_STRING "AbsolutePath"
+#define FILE_PERMISSIONS_STRING "FilePermissions"
+#define EQUIVALENT_PLATFORM_STRING "EquivalentPlatform"
+#define EXECUTABLE_STRING "Executable"
+
+#define DEFAULT_PERMISSIONS 0777
+
+#define PLATFORM_SEPARATOR_CHAR ':'
+
+/* Error codes */
+enum {
+	BOGUS_RELATIVE_DIR=0,
+	BOGUS_ABSOLUTE_DIR,
+	BOGUS_FILE_PERMISSIONS,
+	NO_RELATIVE_DIR,
+	NO_ABSOLUTE_DIR,
+	EMPTY_PLATFORM_STRING,
+	BOGUS_PLATFORM_STRING,
+	REPEAT_MODULE_FILE,
+	REPEAT_MODULE_NAME,
+	BOGUS_MODULE_FILE,
+	BOGUS_MODULE_NAME,
+	REPEAT_MECH,
+	BOGUS_MECH_FLAGS,
+	REPEAT_CIPHER,
+	BOGUS_CIPHER_FLAGS,
+	REPEAT_FILES,
+	REPEAT_EQUIV,
+	BOGUS_EQUIV,
+	EQUIV_TOO_MUCH_INFO,
+	NO_FILES,
+	NO_MODULE_FILE,
+	NO_MODULE_NAME,
+	NO_PLATFORMS,
+	EQUIV_LOOP,
+	UNKNOWN_MODULE_FILE
+};
+
+/* Indexed by the above error codes */
+static const char *errString[] = {
+	"%s: Invalid relative directory",
+	"%s: Invalid absolute directory",
+	"%s: Invalid file permissions",
+	"%s: No relative directory specified",
+	"%s: No absolute directory specified",
+	"Empty string given for platform name",
+	"%s: invalid platform string",
+	"More than one ModuleFile entry given for platform %s",
+	"More than one ModuleName entry given for platform %s",
+	"Invalid ModuleFile specification for platform %s",
+	"Invalid ModuleName specification for platform %s",
+	"More than one DefaultMechanismFlags entry given for platform %s",
+	"Invalid DefaultMechanismFlags specification for platform %s",
+	"More than one DefaultCipherFlags entry given for platform %s",
+	"Invalid DefaultCipherFlags entry given for platform %s",
+	"More than one Files entry given for platform %s",
+	"More than one EquivalentPlatform entry given for platform %s",
+	"Invalid EquivalentPlatform specification for platform %s",
+	"Module %s uses an EquivalentPlatform but also specifies its own"
+		" information",
+	"No Files specification in module %s",
+	"No ModuleFile specification in module %s",
+	"No ModuleName specification in module %s",
+	"No Platforms specification in installer script",
+	"Platform %s has an equivalency loop",
+	"Module file \"%s\" in platform \"%s\" does not exist"
+};
+
+static char* PR_Strdup(const char* str);
+
+#define PAD(x)  {int i; for(i=0;i<x;i++) printf(" ");}
+#define PADINC 4
+
+Pk11Install_File*
+Pk11Install_File_new()
+{
+	Pk11Install_File* new_this;
+	new_this = (Pk11Install_File*)PR_Malloc(sizeof(Pk11Install_File));
+	Pk11Install_File_init(new_this);
+	return new_this;
+}
+
+void
+Pk11Install_File_init(Pk11Install_File* _this)
+{
+	_this->jarPath=NULL;
+	_this->relativePath=NULL;
+	_this->absolutePath=NULL;
+	_this->executable=PR_FALSE;
+	_this->permissions=0;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	~Pk11Install_File
+// Class:	Pk11Install_File
+// Notes:	Destructor.
+*/
+void
+Pk11Install_File_delete(Pk11Install_File* _this)
+{
+	Pk11Install_File_Cleanup(_this);
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Cleanup
+// Class:	Pk11Install_File
+*/
+void
+Pk11Install_File_Cleanup(Pk11Install_File* _this)
+{
+	if(_this->jarPath) {
+		PR_Free(_this->jarPath);
+		_this->jarPath = NULL;
+	}
+	if(_this->relativePath) {
+		PR_Free(_this->relativePath);
+		_this->relativePath = NULL;
+	}
+	if(_this->absolutePath) {
+		PR_Free(_this->absolutePath);
+		_this->absolutePath = NULL;
+	}
+
+	_this->permissions = 0;
+	_this->executable = PR_FALSE;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Generate
+// Class:	Pk11Install_File
+// Notes:	Creates a file data structure from a syntax tree.
+// Returns:	NULL for success, otherwise an error message.
+*/
+char*
+Pk11Install_File_Generate(Pk11Install_File* _this,
+                          const Pk11Install_Pair *pair)
+{
+	Pk11Install_ListIter *iter;
+	Pk11Install_Value *val;
+	Pk11Install_Pair *subpair;
+	Pk11Install_ListIter *subiter;
+	Pk11Install_Value *subval;
+	char* errStr;
+	char *endp;
+	PRBool gotPerms;
+
+	iter=NULL;
+	subiter=NULL;
+	errStr=NULL;
+	gotPerms=PR_FALSE;
+
+	/* Clear out old values */
+	Pk11Install_File_Cleanup(_this);
+
+	_this->jarPath = PR_Strdup(pair->key);
+
+	/* Go through all the pairs under this file heading */
+	iter = Pk11Install_ListIter_new(pair->list);
+	for( ; (val = iter->current); Pk11Install_ListIter_nextItem(iter)) {
+		if(val->type == PAIR_VALUE) {
+			subpair = val->pair;
+
+			/* Relative directory */
+			if(!PORT_Strcasecmp(subpair->key, RELATIVE_DIR_STRING)) {
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)){
+					errStr = PR_smprintf(errString[BOGUS_RELATIVE_DIR], 
+                                    _this->jarPath);
+					goto loser;
+				}
+				_this->relativePath = PR_Strdup(subval->string);
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
+
+				/* Absolute directory */
+			} else if( !PORT_Strcasecmp(subpair->key, ABSOLUTE_DIR_STRING)) {
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)){
+					errStr = PR_smprintf(errString[BOGUS_ABSOLUTE_DIR], 
+                                    _this->jarPath);
+					goto loser;
+				}
+				_this->absolutePath = PR_Strdup(subval->string);
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
+
+			/* file permissions */
+			} else if( !PORT_Strcasecmp(subpair->key,
+                                     FILE_PERMISSIONS_STRING)) {
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)){
+					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
+                                    _this->jarPath);
+					goto loser;
+				}
+				_this->permissions = (int) strtol(subval->string, &endp, 8);
+				if(*endp != '\0' || subval->string == "\0") {
+					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
+                                    _this->jarPath);
+					goto loser;
+				}
+				gotPerms = PR_TRUE;
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
+			}
+		} else {
+			if(!PORT_Strcasecmp(val->string, EXECUTABLE_STRING)) {
+				_this->executable = PR_TRUE;
+			}
+		}
+	}
+
+	/* Default permission value */
+	if(!gotPerms) {
+		_this->permissions = DEFAULT_PERMISSIONS;
+	}
+
+	/* Make sure we got all the information */
+	if(!_this->relativePath && !_this->absolutePath) {
+		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
+		goto loser;
+	}
+#if 0
+	if(!_this->relativePath ) {
+		errStr = PR_smprintf(errString[NO_RELATIVE_DIR], _this->jarPath);
+		goto loser;
+	}
+	if(!_this->absolutePath) {
+		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
+		goto loser;
+	}
+#endif
+
+loser:
+	if(iter) {
+		Pk11Install_ListIter_delete(iter);
+		PR_Free(iter);
+	}
+	if(subiter) {
+		Pk11Install_ListIter_delete(subiter);
+		PR_Free(subiter);
+	}
+	return errStr;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Print
+// Class:	Pk11Install_File
+*/
+void
+Pk11Install_File_Print(Pk11Install_File* _this, int pad)
+{
+	PAD(pad); printf("jarPath: %s\n", 
+                    _this->jarPath ? _this->jarPath : "<NULL>");
+	PAD(pad); printf("relativePath: %s\n",
+				_this->relativePath ? _this->relativePath: "<NULL>");
+	PAD(pad); printf("absolutePath: %s\n",
+				_this->absolutePath ? _this->absolutePath: "<NULL>");
+	PAD(pad); printf("permissions: %o\n", _this->permissions);
+}
+
+Pk11Install_PlatformName*
+Pk11Install_PlatformName_new()
+{
+	Pk11Install_PlatformName* new_this;
+	new_this = (Pk11Install_PlatformName*)
+               PR_Malloc(sizeof(Pk11Install_PlatformName));
+	Pk11Install_PlatformName_init(new_this);
+	return new_this;
+}
+
+void
+Pk11Install_PlatformName_init(Pk11Install_PlatformName* _this)
+{
+	_this->OS = NULL;
+	_this->verString = NULL;
+	_this->numDigits = 0;
+	_this->arch = NULL;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	~Pk11Install_PlatformName
+// Class:	Pk11Install_PlatformName
+*/
+void
+Pk11Install_PlatformName_delete(Pk11Install_PlatformName* _this)
+{
+	Pk11Install_PlatformName_Cleanup(_this);
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Cleanup
+// Class:	Pk11Install_PlatformName
+*/
+void
+Pk11Install_PlatformName_Cleanup(Pk11Install_PlatformName* _this)
+{
+	if(_this->OS) {
+		PR_Free(_this->OS);
+		_this->OS = NULL;
+	}
+	if(_this->verString) {
+		int i;
+		for (i=0; i<_this->numDigits; i++) {
+			PR_Free(_this->verString[i]);
+		}
+		PR_Free(_this->verString);
+		_this->verString = NULL;
+	}
+	if(_this->arch) {
+		PR_Free(_this->arch);
+		_this->arch = NULL;
+	}
+	_this->numDigits = 0;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Generate
+// Class:	Pk11Install_PlatformName
+// Notes:	Extracts the information from a platform string.
+*/
+char*
+Pk11Install_PlatformName_Generate(Pk11Install_PlatformName* _this,
+                                  const char *str)
+{
+	char *errStr;
+	char *copy;
+	char *end, *start; /* start and end of a section (OS, version, arch)*/
+	char *pend, *pstart; /* start and end of one portion of version*/
+	char *endp; /* used by strtol*/
+	int periods, i;
+
+	errStr=NULL;
+	copy=NULL;
+
+	if(!str) {
+		errStr = PR_smprintf(errString[EMPTY_PLATFORM_STRING]);
+		goto loser;
+	}
+	copy = PR_Strdup(str);
+
+	/*
+	// Get the OS
+	*/
+	end = strchr(copy, PLATFORM_SEPARATOR_CHAR);
+	if(!end || end==copy) {
+		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+		goto loser;
+	}
+	*end = '\0';
+
+	_this->OS = PR_Strdup(copy);
+
+	/*
+	// Get the digits of the version of form: x.x.x (arbitrary number of digits)
+	*/
+
+	start = end+1;
+	end = strchr(start, PLATFORM_SEPARATOR_CHAR);
+	if(!end) {
+		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+		goto loser;
+	}
+	*end = '\0';
+
+	if(end!=start) { 
+		/* Find out how many periods*/
+		periods = 0;
+		pstart = start;
+		while( (pend=strchr(pstart, '.')) ) {
+			periods++;
+			pstart = pend+1;
+		}
+		_this->numDigits= 1+ periods;
+		_this->verString = (char**)PR_Malloc(sizeof(char*)*_this->numDigits);
+
+		pstart = start;
+		i = 0;
+		/* Get the digits before each period*/
+		while( (pend=strchr(pstart, '.')) ) {
+			if(pend == pstart) {
+				errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+				goto loser;
+			}
+			*pend = '\0';
+			_this->verString[i] = PR_Strdup(pstart);
+			endp = pend;
+		if(endp==pstart || (*endp != '\0')) {
+				errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+				goto loser;
+			}
+			pstart = pend+1;
+			i++;
+		}
+		/* Last digit comes after the last period*/
+		if(*pstart == '\0') {
+			errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+			goto loser;
+		}
+		_this->verString[i] = PR_Strdup(pstart);
+		/*
+		if(endp==pstart || (*endp != '\0')) {
+			errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+			goto loser;
+		}
+		*/
+	} else {
+		_this->verString = NULL;
+		_this->numDigits = 0;
+	}
+
+	/*
+	// Get the architecture
+	*/
+	start = end+1;
+	if( strchr(start, PLATFORM_SEPARATOR_CHAR) ) {
+		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
+		goto loser;
+	}
+	_this->arch = PR_Strdup(start);
+
+	if(copy) {
+		PR_Free(copy);
+	}
+	return NULL;
+loser:
+	if(_this->OS) {
+		PR_Free(_this->OS);
+		_this->OS = NULL;
+	}
+	if(_this->verString) {
+		for (i=0; i<_this->numDigits; i++) {
+			PR_Free(_this->verString[i]);
+		}
+		PR_Free(_this->verString);
+		_this->verString = NULL;
+	}
+	_this->numDigits = 0;
+	if(_this->arch) {
+		PR_Free(_this->arch);
+		_this->arch = NULL;
+	}
+
+	return errStr;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	operator ==
+// Class:	Pk11Install_PlatformName
+// Returns:	PR_TRUE if the platform have the same OS, arch, and version
+*/
+PRBool
+Pk11Install_PlatformName_equal(Pk11Install_PlatformName* _this,
+                               Pk11Install_PlatformName* cmp) 
+{
+	int i;
+
+	if(!_this->OS || !_this->arch || !cmp->OS || !cmp->arch) {
+		return PR_FALSE;
+	}
+
+	if(	PORT_Strcasecmp(_this->OS, cmp->OS) ||
+		PORT_Strcasecmp(_this->arch, cmp->arch) ||
+		_this->numDigits != cmp->numDigits ) {
+			return PR_FALSE;
+	}
+
+	for(i=0; i < _this->numDigits; i++) {
+		if(PORT_Strcasecmp(_this->verString[i], cmp->verString[i])) {
+			return PR_FALSE;
+		}
+	}
+	return PR_TRUE;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	operator <=
+// Class:	Pk11Install_PlatformName
+// Returns:	PR_TRUE if the platform have the same OS and arch and a lower
+//			or equal release.
+*/
+PRBool
+Pk11Install_PlatformName_lteq(Pk11Install_PlatformName* _this,
+                              Pk11Install_PlatformName* cmp)
+{
+	return (Pk11Install_PlatformName_equal(_this,cmp) ||
+          Pk11Install_PlatformName_lt(_this,cmp)) ? PR_TRUE : PR_FALSE;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	operator <
+// Class:	Pk11Install_PlatformName
+// Returns:	PR_TRUE if the platform have the same OS and arch and a greater
+//			release.
+*/
+PRBool
+Pk11Install_PlatformName_lt(Pk11Install_PlatformName* _this,
+                            Pk11Install_PlatformName* cmp)
+{
+	int i, scmp;
+
+	if(!_this->OS || !_this->arch || !cmp->OS || !cmp->arch) {
+		return PR_FALSE;
+	}
+
+	if( PORT_Strcasecmp(_this->OS, cmp->OS) ) {
+		return PR_FALSE;
+	}
+	if( PORT_Strcasecmp(_this->arch, cmp->arch) ) {
+		return PR_FALSE;
+	}
+
+	for(i=0; (i < _this->numDigits) && (i < cmp->numDigits); i++) {
+		scmp = PORT_Strcasecmp(_this->verString[i], cmp->verString[i]);
+		if (scmp > 0) {
+			return PR_FALSE;
+		} else if (scmp < 0) {
+			return PR_TRUE;
+		}
+	}
+	/* All the digits they have in common are the same. */
+	if(_this->numDigits < cmp->numDigits) {
+		return  PR_TRUE;
+	} 
+
+	return PR_FALSE;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	GetString
+// Class:	Pk11Install_PlatformName
+// Returns:	String composed of OS, release, and architecture separated
+//			by the separator char.  Memory is allocated by this function
+//			but is the responsibility of the caller to de-allocate.
+*/
+char*
+Pk11Install_PlatformName_GetString(Pk11Install_PlatformName* _this) 
+{
+	char *ret;
+	char *ver;
+	char *OS_;
+	char *arch_;
+
+	OS_=NULL;
+	arch_=NULL;
+
+	OS_ = _this->OS ? _this->OS : "";
+	arch_ = _this->arch ? _this->arch : "";
+
+	ver = Pk11Install_PlatformName_GetVerString(_this);
+	ret = PR_smprintf("%s%c%s%c%s", OS_, PLATFORM_SEPARATOR_CHAR, ver,
+					PLATFORM_SEPARATOR_CHAR, arch_);
+
+	PR_Free(ver);
+
+	return ret;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	GetVerString
+// Class:	Pk11Install_PlatformName
+// Returns:	The version string for this platform, in the form x.x.x with an
+//			arbitrary number of digits.  Memory allocated by function,
+//			must be de-allocated by caller.
+*/
+char*
+Pk11Install_PlatformName_GetVerString(Pk11Install_PlatformName* _this) 
+{
+	char *tmp;
+	char *ret;
+	int i;
+	char buf[80];
+
+	tmp = (char*)PR_Malloc(80*_this->numDigits+1);
+	tmp[0] = '\0';
+
+	for(i=0; i < _this->numDigits-1; i++) {
+		sprintf(buf, "%s.", _this->verString[i]);
+		strcat(tmp, buf);
+	}
+	if(i < _this->numDigits) {
+		sprintf(buf, "%s", _this->verString[i]);
+		strcat(tmp, buf);
+	}
+
+	ret = PR_Strdup(tmp);
+	free(tmp);
+
+	return ret;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Print
+// Class:	Pk11Install_PlatformName
+*/
+void
+Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad)
+{
+	PAD(pad); printf("OS: %s\n", _this->OS ? _this->OS : "<NULL>");
+	PAD(pad); printf("Digits: ");
+	if(_this->numDigits == 0) {
+		printf("None\n");
+	} else {
+		printf("%s\n", Pk11Install_PlatformName_GetVerString(_this));
+	}
+	PAD(pad); printf("arch: %s\n", _this->arch ? _this->arch : "<NULL>");
+}
+
+Pk11Install_Platform*
+Pk11Install_Platform_new()
+{
+	Pk11Install_Platform* new_this;
+	new_this = (Pk11Install_Platform*)PR_Malloc(sizeof(Pk11Install_Platform));
+	Pk11Install_Platform_init(new_this);
+	return new_this;
+}
+
+void
+Pk11Install_Platform_init(Pk11Install_Platform* _this)
+{
+	Pk11Install_PlatformName_init(&_this->name);
+	Pk11Install_PlatformName_init(&_this->equivName);
+	_this->equiv = NULL;
+	_this->usesEquiv = PR_FALSE;
+	_this->moduleFile = NULL;
+	_this->moduleName = NULL;
+	_this->modFile = -1;
+	_this->mechFlags = 0;
+	_this->cipherFlags = 0;
+	_this->files = NULL;
+	_this->numFiles = 0;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	~Pk11Install_Platform
+// Class:	Pk11Install_Platform
+*/
+void
+Pk11Install_Platform_delete(Pk11Install_Platform* _this)
+{
+	Pk11Install_Platform_Cleanup(_this);
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Cleanup
+// Class:	Pk11Install_Platform
+*/
+void
+Pk11Install_Platform_Cleanup(Pk11Install_Platform* _this)
+{
+	int i;
+	if(_this->moduleFile) {
+		PR_Free(_this->moduleFile);
+		_this->moduleFile = NULL;
+	}
+	if(_this->moduleName) {
+		PR_Free(_this->moduleName);
+		_this->moduleName = NULL;
+	}
+	if(_this->files) {
+		for (i=0;i<_this->numFiles;i++) {
+			Pk11Install_File_delete(&_this->files[i]);
+		}
+		PR_Free(_this->files);
+		_this->files = NULL;
+	}
+	_this->equiv = NULL;
+	_this->usesEquiv = PR_FALSE;
+	_this->modFile = -1;
+	_this->numFiles = 0;
+	_this->mechFlags = _this->cipherFlags = 0;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:	Generate
+// Class:	Pk11Install_Platform
+// Notes:	Creates a platform data structure from a syntax tree.
+// Returns:	NULL for success, otherwise an error message.
+*/
+char*
+Pk11Install_Platform_Generate(Pk11Install_Platform* _this,
+                              const Pk11Install_Pair *pair)
+{
+	char* errStr;
+	char* endptr;
+	char* tmp;
+	int i;
+	Pk11Install_ListIter *iter;
+	Pk11Install_Value *val;
+	Pk11Install_Value *subval;
+	Pk11Install_Pair *subpair;
+	Pk11Install_ListIter *subiter;
+	PRBool gotModuleFile, gotModuleName, gotMech, 
+          gotCipher, gotFiles, gotEquiv;
+
+	errStr=NULL;
+	iter=subiter=NULL;
+	val=subval=NULL;
+	subpair=NULL;
+	gotModuleFile=gotModuleName=gotMech=gotCipher=gotFiles=gotEquiv=PR_FALSE;
+	Pk11Install_Platform_Cleanup(_this);
+
+	errStr = Pk11Install_PlatformName_Generate(&_this->name,pair->key);
+	if(errStr) {
+		tmp = PR_smprintf("%s: %s", pair->key, errStr);
+		PR_smprintf_free(errStr);
+		errStr = tmp;
+		goto loser;
+	}
+
+	iter = Pk11Install_ListIter_new(pair->list);
+	for( ; (val=iter->current); Pk11Install_ListIter_nextItem(iter)) {
+		if(val->type==PAIR_VALUE) {
+			subpair = val->pair;
+
+			if( !PORT_Strcasecmp(subpair->key, MODULE_FILE_STRING)) {
+				if(gotModuleFile) {
+					errStr = PR_smprintf(errString[REPEAT_MODULE_FILE],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)) {
+					errStr = PR_smprintf(errString[BOGUS_MODULE_FILE],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				_this->moduleFile = PR_Strdup(subval->string);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
+				gotModuleFile = PR_TRUE;
+			} else if(!PORT_Strcasecmp(subpair->key, MODULE_NAME_STRING)){
+				if(gotModuleName) {
+					errStr = PR_smprintf(errString[REPEAT_MODULE_NAME],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)) {
+					errStr = PR_smprintf(errString[BOGUS_MODULE_NAME],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				_this->moduleName = PR_Strdup(subval->string);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
+				gotModuleName = PR_TRUE;
+			} else if(!PORT_Strcasecmp(subpair->key, MECH_FLAGS_STRING)) {
+				endptr=NULL;
+
+				if(gotMech) {
+					errStr = PR_smprintf(errString[REPEAT_MECH],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)) {
+					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				_this->mechFlags = strtol(subval->string, &endptr, 0);
+				if(*endptr!='\0' || (endptr==subval->string) ) {
+					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter=NULL;
+				gotMech = PR_TRUE;
+			} else if(!PORT_Strcasecmp(subpair->key,CIPHER_FLAGS_STRING)) {
+				endptr=NULL;
+
+				if(gotCipher) {
+					errStr = PR_smprintf(errString[REPEAT_CIPHER],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE)) {
+					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				_this->cipherFlags = strtol(subval->string, &endptr, 0);
+				if(*endptr!='\0' || (endptr==subval->string) ) {
+					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter=NULL;
+				gotCipher = PR_TRUE;
+			} else if(!PORT_Strcasecmp(subpair->key, FILES_STRING)) {
+				if(gotFiles) {
+					errStr = PR_smprintf(errString[REPEAT_FILES],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				_this->numFiles = subpair->list->numPairs;
+				_this->files = (Pk11Install_File*)
+                            PR_Malloc(sizeof(Pk11Install_File)*_this->numFiles);
+				for(i=0; i < _this->numFiles; i++, 
+                                   Pk11Install_ListIter_nextItem(subiter)) {
+					Pk11Install_File_init(&_this->files[i]);
+					val = subiter->current;
+					if(val && (val->type==PAIR_VALUE)) {
+						errStr = Pk11Install_File_Generate(&_this->files[i],val->pair);
+						if(errStr) {
+							tmp = PR_smprintf("%s: %s", 
+                                       Pk11Install_PlatformName_GetString(&_this->name),errStr);
+							PR_smprintf_free(errStr);
+							errStr = tmp;
+							goto loser;
+						}
+					}
+				}
+				gotFiles = PR_TRUE;
+			} else if(!PORT_Strcasecmp(subpair->key,
+                                    EQUIVALENT_PLATFORM_STRING)) {
+				if(gotEquiv) {
+					errStr = PR_smprintf(errString[REPEAT_EQUIV],
+                                    Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				subiter = Pk11Install_ListIter_new(subpair->list);
+				subval = subiter->current;
+				if(!subval || (subval->type != STRING_VALUE) ) {
+					errStr = PR_smprintf(errString[BOGUS_EQUIV],
+                               Pk11Install_PlatformName_GetString(&_this->name));
+					goto loser;
+				}
+				errStr = Pk11Install_PlatformName_Generate(&_this->equivName,
+                                                       subval->string);
+				if(errStr) {
+					tmp = PR_smprintf("%s: %s", 
+                            Pk11Install_PlatformName_GetString(&_this->name), errStr);
+					tmp = PR_smprintf("%s: %s", 
+                            Pk11Install_PlatformName_GetString(&_this->name), errStr);
+					PR_smprintf_free(errStr);
+					errStr = tmp;
+					goto loser;
+				}
+				_this->usesEquiv = PR_TRUE;
+			}
+		}
+	}
+
+	/* Make sure we either have an EquivalentPlatform or all the other info */
+	if(_this->usesEquiv &&
+		(gotFiles || gotModuleFile || gotModuleName || gotMech || gotCipher)) {
+		errStr = PR_smprintf(errString[EQUIV_TOO_MUCH_INFO], 
+                           Pk11Install_PlatformName_GetString(&_this->name));
+		goto loser;
+	}
+	if(!gotFiles && !_this->usesEquiv) {
+		errStr = PR_smprintf(errString[NO_FILES], 
+                           Pk11Install_PlatformName_GetString(&_this->name));
+		goto loser;
+	}
+	if(!gotModuleFile && !_this->usesEquiv) {
+		errStr= PR_smprintf(errString[NO_MODULE_FILE], 
+                          Pk11Install_PlatformName_GetString(&_this->name));
+		goto loser;
+	}
+	if(!gotModuleName && !_this->usesEquiv) {
+		errStr = PR_smprintf(errString[NO_MODULE_NAME], 
+                          Pk11Install_PlatformName_GetString(&_this->name));
+		goto loser;
+	}
+
+	/* Point the modFile pointer to the correct file */
+	if(gotModuleFile) {
+		for(i=0; i < _this->numFiles; i++) {
+			if(!PORT_Strcasecmp(_this->moduleFile, _this->files[i].jarPath) ) {
+				_this->modFile = i;
+				break;
+			}
+		}
+		if(_this->modFile==-1) {
+			errStr = PR_smprintf(errString[UNKNOWN_MODULE_FILE], 
+                              _this->moduleFile,
+                              Pk11Install_PlatformName_GetString(&_this->name));
+			goto loser;
+		}
+	}
+	
+loser:
+	if(iter) {
+		PR_Free(iter);
+	}
+	if(subiter) {
+		PR_Free(subiter);
+	}
+	return errStr;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		Print
+// Class:		Pk11Install_Platform
+*/
+void
+Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad)
+{
+	int i;
+
+	PAD(pad); printf("Name:\n"); 
+	Pk11Install_PlatformName_Print(&_this->name,pad+PADINC);
+	PAD(pad); printf("equivName:\n"); 
+	Pk11Install_PlatformName_Print(&_this->equivName,pad+PADINC);
+	PAD(pad);
+	if(_this->usesEquiv) {
+		printf("Uses equiv, which points to:\n");
+		Pk11Install_Platform_Print(_this->equiv,pad+PADINC);
+	} else {
+		printf("Doesn't use equiv\n");
+	}
+	PAD(pad); 
+	printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile 
+                                                 : "<NULL>");
+	PAD(pad); printf("mechFlags: %lx\n", _this->mechFlags);
+	PAD(pad); printf("cipherFlags: %lx\n", _this->cipherFlags);
+	PAD(pad); printf("Files:\n");
+	for(i=0; i < _this->numFiles; i++) {
+		Pk11Install_File_Print(&_this->files[i],pad+PADINC);
+		PAD(pad); printf("--------------------\n");
+	}
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		Pk11Install_Info
+// Class:		Pk11Install_Info
+*/
+Pk11Install_Info*
+Pk11Install_Info_new()
+{
+	Pk11Install_Info* new_this;
+	new_this = (Pk11Install_Info*)PR_Malloc(sizeof(Pk11Install_Info));
+	Pk11Install_Info_init(new_this);
+	return new_this;
+}
+
+void
+Pk11Install_Info_init(Pk11Install_Info* _this)
+{
+	_this->platforms = NULL;
+	_this->numPlatforms = 0;
+	_this->forwardCompatible = NULL;
+	_this->numForwardCompatible = 0;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		~Pk11Install_Info
+// Class:		Pk11Install_Info
+*/
+void
+Pk11Install_Info_delete(Pk11Install_Info* _this)
+{
+	Pk11Install_Info_Cleanup(_this);
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		Cleanup
+// Class:		Pk11Install_Info
+*/
+void
+Pk11Install_Info_Cleanup(Pk11Install_Info* _this)
+{
+	int i;
+	if(_this->platforms) {
+		for (i=0;i<_this->numPlatforms;i++) {
+			Pk11Install_Platform_delete(&_this->platforms[i]);
+		}
+		PR_Free(&_this->platforms);
+		_this->platforms = NULL;
+		_this->numPlatforms = 0;
+	}
+
+	if(_this->forwardCompatible) {
+		for (i=0;i<_this->numForwardCompatible;i++) {
+			Pk11Install_PlatformName_delete(&_this->forwardCompatible[i]);
+		}
+		PR_Free(&_this->forwardCompatible);
+		_this->numForwardCompatible = 0;
+	}
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		Generate
+// Class:		Pk11Install_Info
+// Takes:		Pk11Install_ValueList *list, the top-level list
+//				resulting from parsing an installer file.
+// Returns:		char*, NULL if successful, otherwise an error string.
+//				Caller is responsible for freeing memory.
+*/
+char*
+Pk11Install_Info_Generate(Pk11Install_Info* _this,
+                          const Pk11Install_ValueList *list)
+{
+	char *errStr;
+	Pk11Install_ListIter *iter;
+	Pk11Install_Value *val;
+	Pk11Install_Pair *pair;
+	Pk11Install_ListIter *subiter;
+	Pk11Install_Value *subval;
+	Pk11Install_Platform *first, *second;
+	int i, j;
+
+	errStr=NULL;
+	iter=subiter=NULL;
+	Pk11Install_Info_Cleanup(_this);
+
+	iter = Pk11Install_ListIter_new(list);
+	for( ; (val=iter->current); Pk11Install_ListIter_nextItem(iter)) {
+		if(val->type == PAIR_VALUE) {
+			pair = val->pair;
+
+			if(!PORT_Strcasecmp(pair->key, FORWARD_COMPATIBLE_STRING)) {
+				subiter = Pk11Install_ListIter_new(pair->list);
+				_this->numForwardCompatible = pair->list->numStrings;
+				_this->forwardCompatible = (Pk11Install_PlatformName*)
+                                        PR_Malloc(sizeof(Pk11Install_PlatformName)*
+                                               _this->numForwardCompatible);
+				for(i=0; i < _this->numForwardCompatible; i++, 
+                       Pk11Install_ListIter_nextItem(subiter)) {
+					subval = subiter->current;
+					if(subval->type == STRING_VALUE) {
+						errStr = Pk11Install_PlatformName_Generate(
+                              &_this->forwardCompatible[i], subval->string);
+						if(errStr) {
+							goto loser;
+						}
+					}
+				}
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
+			} else if(!PORT_Strcasecmp(pair->key, PLATFORMS_STRING)) {
+				subiter = Pk11Install_ListIter_new(pair->list);
+				_this->numPlatforms = pair->list->numPairs;
+				_this->platforms = (Pk11Install_Platform*)
+                            PR_Malloc(sizeof(Pk11Install_Platform)*
+                            _this->numPlatforms);
+				for(i=0; i < _this->numPlatforms; i++, 
+                       Pk11Install_ListIter_nextItem(subiter)) {
+					 Pk11Install_Platform_init(&_this->platforms[i]);
+					subval = subiter->current;
+					if(subval->type == PAIR_VALUE) {
+						errStr = Pk11Install_Platform_Generate(&_this->platforms[i],subval->pair);
+						if(errStr) {
+							goto loser;
+						}
+					}
+				}
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
+			}
+		}
+	}
+
+	if(_this->numPlatforms == 0) {
+		errStr = PR_smprintf(errString[NO_PLATFORMS]);
+		goto loser;
+	}
+
+/*
+	//
+	// Now process equivalent platforms
+	//
+
+	// First the naive pass
+*/
+	for(i=0; i < _this->numPlatforms; i++) {
+		if(_this->platforms[i].usesEquiv) {
+			_this->platforms[i].equiv = NULL;
+			for(j=0; j < _this->numPlatforms; j++) {
+				if (Pk11Install_PlatformName_equal(&_this->platforms[i].equivName,
+                                           &_this->platforms[j].name)) {
+					if(i==j) {
+						errStr = PR_smprintf(errString[EQUIV_LOOP],
+                              Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
+						goto loser;
+					}
+					_this->platforms[i].equiv = &_this->platforms[j];
+					break;
+				}
+			}
+			if(_this->platforms[i].equiv == NULL) {
+				errStr = PR_smprintf(errString[BOGUS_EQUIV],
+                       Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
+				goto loser;
+			}
+		}
+	}
+
+/*
+	// Now the intelligent pass, which will also detect loops.
+	// We will send two pointers through the linked list of equivalent
+	// platforms. Both start with the current node.  "first" traverses
+	// two nodes for each iteration.  "second" lags behind, only traversing
+	// one node per iteration.  Eventually one of two things will happen:
+	// first will hit the end of the list (a platform that doesn't use
+	// an equivalency), or first will equal second if there is a loop.
+*/
+	for(i=0; i < _this->numPlatforms; i++) {
+		if(_this->platforms[i].usesEquiv) {
+			second = _this->platforms[i].equiv;
+			if(!second->usesEquiv) {
+				/* The first link is the terminal node */
+				continue;
+			}
+			first = second->equiv;
+			while(first->usesEquiv) {
+				if(first == second) {
+					errStr = PR_smprintf(errString[EQUIV_LOOP],
+                         Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
+					goto loser;
+				}
+				first = first->equiv;
+				if(!first->usesEquiv) {
+					break;
+				}
+				if(first == second) {
+					errStr = PR_smprintf(errString[EQUIV_LOOP],
+                       Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
+					goto loser;
+				}
+				second = second->equiv;
+				first = first->equiv;
+			}
+			_this->platforms[i].equiv = first;
+		}
+	}
+
+loser:
+	if(iter) {
+		Pk11Install_ListIter_delete(iter);
+		PR_Free(iter);
+		iter = NULL;
+	}
+	if(subiter) {
+		Pk11Install_ListIter_delete(subiter);
+		PR_Free(subiter);
+		subiter = NULL;
+	}
+	return errStr;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		GetBestPlatform
+// Class:		Pk11Install_Info
+// Takes:		char *myPlatform, the platform we are currently running
+//				on.
+*/
+Pk11Install_Platform*
+Pk11Install_Info_GetBestPlatform(Pk11Install_Info* _this, char *myPlatform)
+{
+	Pk11Install_PlatformName plat;
+	char *errStr;
+	int i, j;
+
+	errStr=NULL;
+
+	Pk11Install_PlatformName_init(&plat);
+	if( (errStr=Pk11Install_PlatformName_Generate(&plat, myPlatform)) ) {
+		PR_smprintf_free(errStr);
+		return NULL;
+	}
+
+	/* First try real platforms */
+	for(i=0; i < _this->numPlatforms; i++) {
+		if(Pk11Install_PlatformName_equal(&_this->platforms[i].name,&plat)) {
+			if(_this->platforms[i].equiv) {
+				return _this->platforms[i].equiv;
+			}
+			else {
+				return &_this->platforms[i];
+			}
+		}
+	}
+
+	/* Now try forward compatible platforms */
+	for(i=0; i < _this->numForwardCompatible; i++) {
+		if(Pk11Install_PlatformName_lteq(&_this->forwardCompatible[i],&plat)) {
+			break;
+		}
+	}
+	if(i == _this->numForwardCompatible) {
+		return NULL;
+	}
+
+	/* Got a forward compatible name, find the actual platform. */
+	for(j=0; j < _this->numPlatforms; j++) {
+		if(Pk11Install_PlatformName_equal(&_this->platforms[j].name,
+         &_this->forwardCompatible[i])) {
+			if(_this->platforms[j].equiv) {
+				return _this->platforms[j].equiv;
+			} else {
+				return &_this->platforms[j];
+			}
+		}
+	}
+
+	return NULL;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Method:		Print
+// Class:		Pk11Install_Info
+*/
+void
+Pk11Install_Info_Print(Pk11Install_Info* _this, int pad)
+{
+	int i;
+
+	PAD(pad); printf("Forward Compatible:\n");
+	for(i = 0; i < _this->numForwardCompatible; i++) {
+		Pk11Install_PlatformName_Print(&_this->forwardCompatible[i],pad+PADINC);
+		PAD(pad); printf("-------------------\n");
+	}
+	PAD(pad); printf("Platforms:\n");
+	for( i = 0; i < _this->numPlatforms; i++) {
+		Pk11Install_Platform_Print(&_this->platforms[i],pad+PADINC);
+		PAD(pad); printf("-------------------\n");
+	}
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+*/
+static char*
+PR_Strdup(const char* str)
+{
+	char *tmp;
+	tmp = (char*) PR_Malloc((unsigned int)(strlen(str)+1));
+	strcpy(tmp, str);
+	return tmp;
+}
+
+/* The global value list, the top of the tree */
+Pk11Install_ValueList* Pk11Install_valueList=NULL;
+
+/****************************************************************************/
+void
+Pk11Install_ValueList_AddItem(Pk11Install_ValueList* _this,
+                              Pk11Install_Value *item)
+{
+	_this->numItems++;
+	if (item->type == STRING_VALUE) {
+		_this->numStrings++;
+	} else {
+		_this->numPairs++;
+	}
+	item->next = _this->head;
+	_this->head = item;
+}
+
+/****************************************************************************/
+Pk11Install_ListIter*
+Pk11Install_ListIter_new_default()
+{
+	Pk11Install_ListIter* new_this;
+	new_this = (Pk11Install_ListIter*)
+                    PR_Malloc(sizeof(Pk11Install_ListIter));
+	Pk11Install_ListIter_init(new_this);
+	return new_this;
+}
+
+/****************************************************************************/
+void
+Pk11Install_ListIter_init(Pk11Install_ListIter* _this)
+{
+	_this->list = NULL;
+	_this->current = NULL;
+}
+
+/****************************************************************************/
+Pk11Install_ListIter*
+Pk11Install_ListIter_new(const Pk11Install_ValueList *_list)
+{
+	Pk11Install_ListIter* new_this;
+	new_this = (Pk11Install_ListIter*)
+                    PR_Malloc(sizeof(Pk11Install_ListIter));
+	new_this->list = _list;
+	new_this->current = _list->head;
+	return new_this;
+}
+
+/****************************************************************************/
+void
+Pk11Install_ListIter_delete(Pk11Install_ListIter* _this)
+{
+	_this->list=NULL;
+	_this->current=NULL;
+}
+
+/****************************************************************************/
+void
+Pk11Install_ListIter_reset(Pk11Install_ListIter* _this)
+{
+	if(_this->list) {
+		_this->current = _this->list->head;
+	}
+}
+
+/*************************************************************************/
+Pk11Install_Value*
+Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this)
+{
+	if(_this->current) {
+		_this->current = _this->current->next;
+	}
+
+	return _this->current;
+}
+
+/****************************************************************************/
+Pk11Install_ValueList*
+Pk11Install_ValueList_new()
+{
+	Pk11Install_ValueList* new_this;
+	new_this = (Pk11Install_ValueList*)
+                    PR_Malloc(sizeof(Pk11Install_ValueList));
+	new_this->numItems = 0;
+	new_this->numPairs = 0;
+	new_this->numStrings = 0;
+	new_this->head = NULL;
+	return new_this;
+}
+
+/****************************************************************************/
+void
+Pk11Install_ValueList_delete(Pk11Install_ValueList* _this)
+{
+
+	Pk11Install_Value *tmp;
+	Pk11Install_Value *list;
+	list = _this->head;
+	
+	while(list != NULL) {
+		tmp = list;
+		list = list->next;
+		PR_Free(tmp);
+	}
+	PR_Free(_this);
+}
+
+/****************************************************************************/
+Pk11Install_Value*
+Pk11Install_Value_new_default()
+{
+	Pk11Install_Value* new_this;
+	new_this = (Pk11Install_Value*)PR_Malloc(sizeof(Pk11Install_Value));
+	new_this->type = STRING_VALUE;
+	new_this->string = NULL;
+	new_this->pair = NULL;
+	new_this->next = NULL;
+	return new_this;
+}
+
+/****************************************************************************/
+Pk11Install_Value*
+Pk11Install_Value_new(ValueType _type, Pk11Install_Pointer ptr)
+{
+	Pk11Install_Value* new_this;
+	new_this = Pk11Install_Value_new_default();
+	new_this->type = _type;
+	if(_type == STRING_VALUE) {
+		new_this->pair = NULL;
+		new_this->string = ptr.string;
+	} else {
+		new_this->string = NULL;
+		new_this->pair = ptr.pair;
+	}
+	return new_this;
+}
+
+/****************************************************************************/
+void
+Pk11Install_Value_delete(Pk11Install_Value* _this)
+{
+	if(_this->type == STRING_VALUE) {
+		PR_Free(_this->string);
+	} else {
+		PR_Free(_this->pair);
+	}
+}
+
+/****************************************************************************/
+Pk11Install_Pair*
+Pk11Install_Pair_new_default()
+{
+	return Pk11Install_Pair_new(NULL,NULL);
+}
+
+/****************************************************************************/
+Pk11Install_Pair*
+Pk11Install_Pair_new(char *_key, Pk11Install_ValueList *_list)
+{
+	Pk11Install_Pair* new_this;
+	new_this = (Pk11Install_Pair*)PR_Malloc(sizeof(Pk11Install_Pair));
+	new_this->key = _key;
+	new_this->list = _list;
+	return new_this;
+}
+
+/****************************************************************************/
+void
+Pk11Install_Pair_delete(Pk11Install_Pair* _this)
+{
+	PR_Free(_this->key);
+	Pk11Install_ValueList_delete(_this->list);
+	PR_Free(_this->list);
+}
+
+/*************************************************************************/
+void
+Pk11Install_Pair_Print(Pk11Install_Pair* _this, int pad)
+{
+	while (_this) {
+		/*PAD(pad); printf("**Pair\n");
+		PAD(pad); printf("***Key====\n");*/
+		PAD(pad); printf("%s {\n", _this->key);
+		/*PAD(pad); printf("====\n");*/
+		/*PAD(pad); printf("***ValueList\n");*/
+		Pk11Install_ValueList_Print(_this->list,pad+PADINC);
+		PAD(pad); printf("}\n");
+	}
+}
+
+/*************************************************************************/
+void
+Pk11Install_ValueList_Print(Pk11Install_ValueList* _this, int pad)
+{
+	Pk11Install_Value *v;
+
+	/*PAD(pad);printf("**Value List**\n");*/
+	for(v = _this->head; v != NULL; v=v->next) {
+		Pk11Install_Value_Print(v,pad);
+	}
+}
+
+/*************************************************************************/
+void
+Pk11Install_Value_Print(Pk11Install_Value* _this, int pad)
+{
+	/*PAD(pad); printf("**Value, type=%s\n",
+		type==STRING_VALUE ? "string" : "pair");*/
+	if(_this->type==STRING_VALUE) {
+		/*PAD(pad+PADINC); printf("====\n");*/
+		PAD(pad); printf("%s\n", _this->string);
+		/*PAD(pad+PADINC); printf("====\n");*/
+	} else {
+		Pk11Install_Pair_Print(_this->pair,pad+PADINC);
+	}
+}
diff --git a/security/nss/cmd/modutil/install-ds.h b/security/nss/cmd/modutil/install-ds.h
new file mode 100644
index 000000000..9af614437
--- /dev/null
+++ b/security/nss/cmd/modutil/install-ds.h
@@ -0,0 +1,293 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef INSTALL_DS_H
+#define INSTALL_DS_H
+
+#include <stdio.h>
+#include <prio.h>
+#include <prmem.h>
+
+extern PRFileDesc *Pk11Install_FD;
+extern int Pk11Install_yylex();
+extern int Pk11Install_yylinenum;
+extern char *Pk11Install_yyerrstr;
+
+typedef enum { STRING_VALUE, PAIR_VALUE } ValueType;
+
+typedef struct Pk11Install_Pair_str Pk11Install_Pair;
+typedef union Pk11Install_Pointer_str Pk11Install_Pointer;
+typedef struct Pk11Install_Value_str Pk11Install_Value;
+typedef struct Pk11Install_ValueList_str Pk11Install_ValueList;
+typedef struct Pk11Install_ListIter_str Pk11Install_ListIter;
+typedef struct Pk11Install_File_str Pk11Install_File;
+typedef struct Pk11Install_PlatformName_str Pk11Install_PlatformName;
+typedef struct Pk11Install_Platform_str Pk11Install_Platform;
+typedef struct Pk11Install_Info_str Pk11Install_Info;
+
+extern Pk11Install_Pointer Pk11Install_yylval;
+extern Pk11Install_ValueList* Pk11Install_valueList;
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Pk11Install_Pair
+//////////////////////////////////////////////////////////////////////////
+*/
+
+struct Pk11Install_Pair_str {
+	char * key;
+	Pk11Install_ValueList *list;
+
+};
+
+Pk11Install_Pair* 
+Pk11Install_Pair_new_default();
+Pk11Install_Pair* 
+Pk11Install_Pair_new( char* _key, Pk11Install_ValueList* _list);
+void 
+Pk11Install_Pair_delete(Pk11Install_Pair* _this);
+void
+Pk11Install_Pair_Print(Pk11Install_Pair* _this, int pad);
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Pk11Install_Pointer
+//////////////////////////////////////////////////////////////////////////
+*/
+union Pk11Install_Pointer_str {
+	Pk11Install_ValueList *list;
+	Pk11Install_Value *value;
+	Pk11Install_Pair *pair;
+	char *string;
+};
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Pk11Install_Value
+//////////////////////////////////////////////////////////////////////////
+*/
+struct Pk11Install_Value_str {
+
+	ValueType type;
+	char *string;	
+	Pk11Install_Pair *pair;
+	struct Pk11Install_Value_str *next;
+};
+
+Pk11Install_Value* 
+Pk11Install_Value_new_default();
+Pk11Install_Value*
+Pk11Install_Value_new(ValueType _type, Pk11Install_Pointer ptr);
+void
+Pk11Install_Value_delete(Pk11Install_Value* _this);
+void
+Pk11Install_Value_Print(Pk11Install_Value* _this, int pad);
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Pk11Install_ValueList
+//////////////////////////////////////////////////////////////////////////
+*/
+struct Pk11Install_ValueList_str {
+	int numItems;
+	int numPairs;
+	int numStrings;
+	Pk11Install_Value *head;
+};
+
+Pk11Install_ValueList* 
+Pk11Install_ValueList_new();
+void
+Pk11Install_ValueList_delete(Pk11Install_ValueList* _this);
+void
+Pk11Install_ValueList_AddItem(Pk11Install_ValueList* _this,
+                              Pk11Install_Value* item);
+void
+Pk11Install_ValueList_Print(Pk11Install_ValueList* _this, int pad);
+
+
+/*
+//////////////////////////////////////////////////////////////////////////
+// Pk11Install_ListIter
+//////////////////////////////////////////////////////////////////////////
+*/
+struct Pk11Install_ListIter_str {
+	const Pk11Install_ValueList *list;
+	Pk11Install_Value *current;
+};
+
+Pk11Install_ListIter* 
+Pk11Install_ListIter_new_default();
+void
+Pk11Install_ListIter_init(Pk11Install_ListIter* _this);
+Pk11Install_ListIter*
+Pk11Install_ListIter_new(const Pk11Install_ValueList* _list);
+void
+Pk11Install_ListIter_delete(Pk11Install_ListIter* _this);
+void
+Pk11Install_ListIter_reset(Pk11Install_ListIter* _this);
+Pk11Install_Value*
+Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this);
+
+/************************************************************************
+ *
+ * Pk11Install_File
+ */
+struct Pk11Install_File_str {
+	char *jarPath;
+	char *relativePath;
+	char *absolutePath;
+	PRBool executable;
+	int permissions;
+};
+
+Pk11Install_File*
+Pk11Install_File_new();
+void
+Pk11Install_File_init(Pk11Install_File* _this);
+void
+Pk11Install_file_delete(Pk11Install_File* _this);
+/*// Parses a syntax tree to obtain all attributes.
+// Returns NULL for success, error message if parse error.*/
+char*
+Pk11Install_File_Generate(Pk11Install_File* _this, 
+                          const Pk11Install_Pair* pair);
+void
+Pk11Install_File_Print(Pk11Install_File* _this, int pad);
+void
+Pk11Install_File_Cleanup(Pk11Install_File* _this);
+
+/************************************************************************
+ *
+ * Pk11Install_PlatformName
+ */
+struct Pk11Install_PlatformName_str {
+	char *OS;
+	char **verString;
+	int numDigits;
+	char *arch;
+};
+
+Pk11Install_PlatformName*
+Pk11Install_PlatformName_new();
+void
+Pk11Install_PlatformName_init(Pk11Install_PlatformName* _this);
+void
+Pk11Install_PlatformName_delete(Pk11Install_PlatformName* _this);
+char*
+Pk11Install_PlatformName_Generate(Pk11Install_PlatformName* _this,
+                                  const char* str);
+char*
+Pk11Install_PlatformName_GetString(Pk11Install_PlatformName* _this);
+char*
+Pk11Install_PlatformName_GetVerString(Pk11Install_PlatformName* _this);
+void
+Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad);
+void
+Pk11Install_PlatformName_Cleanup(Pk11Install_PlatformName* _this);
+PRBool
+Pk11Install_PlatformName_equal(Pk11Install_PlatformName* _this,
+                               Pk11Install_PlatformName* cmp);
+PRBool
+Pk11Install_PlatformName_lteq(Pk11Install_PlatformName* _this,
+                              Pk11Install_PlatformName* cmp);
+PRBool
+Pk11Install_PlatformName_lt(Pk11Install_PlatformName* _this,
+                            Pk11Install_PlatformName* cmp);
+
+/************************************************************************
+ *
+ * Pk11Install_Platform
+ */
+struct Pk11Install_Platform_str {
+	Pk11Install_PlatformName name;
+	Pk11Install_PlatformName equivName;
+	struct Pk11Install_Platform_str *equiv;
+	PRBool usesEquiv;
+	char *moduleFile;
+	char *moduleName;
+	int modFile;
+	unsigned long mechFlags;
+	unsigned long cipherFlags;
+	Pk11Install_File *files;
+	int numFiles;
+};
+
+Pk11Install_Platform*
+Pk11Install_Platform_new();
+void
+Pk11Install_Platform_init(Pk11Install_Platform* _this);
+void
+Pk11Install_Platform_delete(Pk11Install_Platform* _this);
+/*// Returns NULL for success, error message if parse error.*/
+char* 
+Pk11Install_Platform_Generate(Pk11Install_Platform* _this,
+                              const Pk11Install_Pair *pair);
+void 
+Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad);
+void 
+Pk11Install_Platform_Cleanup(Pk11Install_Platform* _this);
+
+/************************************************************************
+ *
+ * Pk11Install_Info
+ */
+struct Pk11Install_Info_str {
+	Pk11Install_Platform *platforms;
+	int numPlatforms;
+	Pk11Install_PlatformName *forwardCompatible;
+	int numForwardCompatible;
+};
+
+Pk11Install_Info*
+Pk11Install_Info_new();
+void
+Pk11Install_Info_init();
+void
+Pk11Install_Info_delete(Pk11Install_Info* _this);
+/*// Returns NULL for success, error message if parse error.*/
+char* 
+Pk11Install_Info_Generate(Pk11Install_Info* _this, 
+                          const Pk11Install_ValueList *list);
+	/*// Returns NULL if there is no matching platform*/
+Pk11Install_Platform* 
+Pk11Install_Info_GetBestPlatform(Pk11Install_Info* _this, char* myPlatform);
+void 
+Pk11Install_Info_Print(Pk11Install_Info* _this, int pad);
+void 
+Pk11Install_Info_Cleanup(Pk11Install_Info* _this);
+
+#endif /* INSTALL_DS_H */
diff --git a/security/nss/cmd/modutil/install.c b/security/nss/cmd/modutil/install.c
new file mode 100644
index 000000000..10819190c
--- /dev/null
+++ b/security/nss/cmd/modutil/install.c
@@ -0,0 +1,988 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "install.h"
+#include "install-ds.h"
+#include <prlock.h>
+#include <prio.h>
+#include <prmem.h>
+#include <prprf.h>
+#include <prsystem.h>
+#include <prproces.h>
+
+#ifdef XP_UNIX
+/* for chmod */
+#include <sys/types.h>
+#include <sys/stat.h>
+#endif
+
+/*extern "C" {*/
+#include <jar.h>
+/*}*/
+
+extern /*"C"*/
+int Pk11Install_AddNewModule(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags);
+extern /*"C"*/
+short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
+	PRBool query);
+extern /*"C"*/
+const char* mySECU_ErrorString(int16);
+extern 
+int Pk11Install_yyparse();
+
+#define INSTALL_METAINFO_TAG "Pkcs11_install_script"
+#define SCRIPT_TEMP_FILE "pkcs11inst.tmp"
+#define ROOT_MARKER "%root%"
+#define TEMP_MARKER "%temp%"
+#define PRINTF_ROOT_MARKER "%%root%%"
+#define TEMPORARY_DIRECTORY_NAME "pk11inst.dir"
+#define JAR_BASE_END (JAR_BASE+100)
+
+static PRLock* errorHandlerLock=NULL;
+static Pk11Install_ErrorHandler errorHandler=NULL;
+static char* PR_Strdup(const char* str);
+static int rm_dash_r (char *path);
+static int make_dirs(char *path, int file_perms);
+static int dir_perms(int perms);
+
+static Pk11Install_Error DoInstall(JAR *jar, const char *installDir,
+	const char* tempDir, Pk11Install_Platform *platform, 
+	PRFileDesc *feedback, PRBool noverify);
+
+static char *errorString[]= {
+	"Operation was successful", /* PK11_INSTALL_NO_ERROR */
+	"Directory \"%s\" does not exist", /* PK11_INSTALL_DIR_DOESNT_EXIST */
+	"File \"%s\" does not exist", /* PK11_INSTALL_FILE_DOESNT_EXIST */
+	"File \"%s\" is not readable", /* PK11_INSTALL_FILE_NOT_READABLE */
+	"%s",		/* PK11_INSTALL_ERROR_STRING */
+	"Error in JAR file %s: %s",  /* PK11_INSTALL_JAR_ERROR */
+	"No Pkcs11_install_script specified in JAR metainfo file",
+				/* PK11_INSTALL_NO_INSTALLER_SCRIPT */
+	"Could not delete temporary file \"%s\"",
+				/*PK11_INSTALL_DELETE_TEMP_FILE */
+	"Could not open temporary file \"%s\"", /*PK11_INSTALL_OPEN_SCRIPT_FILE*/
+	"%s: %s", /* PK11_INSTALL_SCRIPT_PARSE */
+	"Error in script: %s",
+	"Unable to obtain system platform information",
+	"Installer script has no information about the current platform (%s)",
+	"Relative directory \"%s\" does not contain "PRINTF_ROOT_MARKER,
+	"Module File \"%s\" not found",
+	"Error occurred installing module \"%s\" into database",
+	"Error extracting \"%s\" from JAR file: %s",
+	"Directory \"%s\" is not writeable",
+	"Could not create directory \"%s\"",
+	"Could not remove directory \"%s\"",
+	"Unable to execute \"%s\"",
+	"Unable to wait for process \"%s\"",
+	"\"%s\" returned error code %d",
+	"User aborted operation",
+	"Unspecified error"
+};
+
+enum {
+	INSTALLED_FILE_MSG=0,
+	INSTALLED_MODULE_MSG,
+	INSTALLER_SCRIPT_NAME,
+	MY_PLATFORM_IS,
+	USING_PLATFORM,
+	PARSED_INSTALL_SCRIPT,
+	EXEC_FILE_MSG,
+	EXEC_SUCCESS,
+	INSTALLATION_COMPLETE_MSG,
+	USER_ABORT
+};
+
+static char *msgStrings[] = {
+	"Installed file %s to %s\n",
+	"Installed module \"%s\" into module database\n",
+	"Using installer script \"%s\"\n",
+	"Current platform is %s\n",
+	"Using installation parameters for platform %s\n",
+	"Successfully parsed installation script\n",
+	"Executing \"%s\"...\n",
+	"\"%s\" executed successfully\n",
+	"\nInstallation completed successfully\n",
+	"\nAborting...\n"
+};
+
+/**************************************************************************
+ * S t r i n g N o d e
+ */
+typedef struct StringNode_str {
+    char *str;
+    struct StringNode_str* next;
+} StringNode;
+
+StringNode* StringNode_new()
+{
+	StringNode* new_this;
+	new_this = (StringNode*)malloc(sizeof(StringNode));
+  new_this->str=NULL;
+  new_this->next=NULL;
+	return new_this;
+}
+
+void StringNode_delete(StringNode* s) 
+{
+	if(s->str) {
+		PR_Free(s->str);
+		s->str=NULL;
+	}
+}
+
+/*************************************************************************
+ * S t r i n g L i s t
+ */
+typedef struct StringList_str {
+  StringNode* head;
+	StringNode* tail;
+} StringList;
+
+void StringList_new(StringList* list)
+{
+  list->head=NULL;
+  list->tail=NULL;
+}
+
+void StringList_delete(StringList* list)
+{
+	StringNode *tmp;
+	while(list->head) {
+		tmp = list->head;
+		list->head = list->head->next;
+		StringNode_delete(tmp);
+	}
+}
+
+void
+StringList_Append(StringList* list, char* str)
+{
+	if(!str) {
+		return;
+	}
+
+	if(!list->tail) {
+		/* This is the first element */
+	  list->head = list->tail = StringNode_new();
+	} else {
+		list->tail->next = StringNode_new();
+		list->tail = list->tail->next;
+	}
+
+	list->tail->str = PR_Strdup(str);
+	list->tail->next = NULL;	/* just to be sure */
+}
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ S e t E r r o r H a n d l e r
+ *
+ * Sets the error handler to be used by the library.  Returns the current
+ * error handler function.
+ */
+Pk11Install_ErrorHandler
+Pk11Install_SetErrorHandler(Pk11Install_ErrorHandler handler)
+{
+	Pk11Install_ErrorHandler old;
+
+	if(!errorHandlerLock) {
+		errorHandlerLock = PR_NewLock();
+	}
+
+	PR_Lock(errorHandlerLock);
+
+	old = errorHandler;
+	errorHandler = handler;
+
+	PR_Unlock(errorHandlerLock);
+
+	return old;
+}
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ I n i t
+ *
+ * Does initialization that otherwise would be done on the fly.  Only
+ * needs to be called by multithreaded apps, before they make any calls
+ * to this library.
+ */
+void
+Pk11Install_Init()
+{
+	if(!errorHandlerLock) {
+		errorHandlerLock = PR_NewLock();
+	}
+}
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ R e l e a s e
+ *
+ * Releases static data structures used by the library.  Don't use the
+ * library after calling this, unless you call Pk11Install_Init()
+ * first.  This function doesn't have to be called at all unless you're
+ * really anal about freeing memory before your program exits.
+ */
+void
+Pk11Install_Release()
+{
+	if(errorHandlerLock) {
+		PR_Free(errorHandlerLock);
+		errorHandlerLock = NULL;
+	}
+}
+
+/*************************************************************************
+ *
+ * e r r o r
+ *
+ * Takes an error code and its arguments, creates the error string,
+ * and sends the string to the handler function if it exists.
+ */
+
+#ifdef OSF1
+/* stdarg has already been pulled in from NSPR */
+#undef va_start
+#undef va_end
+#undef va_arg
+#include <varargs.h>
+#else
+#include <stdarg.h>
+#endif
+
+#ifdef OSF1
+static void
+error(long va_alist, ...)
+#else
+static void
+error(Pk11Install_Error errcode, ...)
+#endif
+{
+
+	va_list ap;
+	char *errstr;
+	Pk11Install_ErrorHandler handler;
+
+	if(!errorHandlerLock) {
+		errorHandlerLock = PR_NewLock();
+	}
+
+	PR_Lock(errorHandlerLock);
+
+	handler = errorHandler;
+
+	PR_Unlock(errorHandlerLock);
+
+	if(handler) {
+#ifdef OSF1
+		va_start(ap);
+		errstr = PR_vsmprintf(errorString[va_arg(ap, Pk11Install_Error)], ap);
+#else
+		va_start(ap, errcode);
+		errstr = PR_vsmprintf(errorString[errcode], ap);
+#endif
+		handler(errstr);
+		PR_smprintf_free(errstr);
+		va_end(ap);
+	}
+}
+
+/*************************************************************************
+ *
+ * j a r _ c a l l b a c k
+ */
+static int
+jar_callback(int status, JAR *foo, const char *bar, char *pathname,
+	char *errortext) {
+	char *string;
+
+	string = PR_smprintf("JAR error %d: %s in file %s\n", status, errortext,
+		pathname);
+	error(PK11_INSTALL_ERROR_STRING, string);
+	PR_smprintf_free(string);
+	return 0;
+}
+	
+/*************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ D o I n s t a l l
+ *
+ * jarFile is the path of a JAR in the PKCS #11 module JAR format.
+ * installDir is the directory relative to which files will be
+ *   installed.
+ */
+Pk11Install_Error
+Pk11Install_DoInstall(char *jarFile, const char *installDir,
+	const char *tempDir, PRFileDesc *feedback, short force, PRBool noverify)
+{
+	JAR *jar;
+	char *installer;
+	unsigned long installer_len;
+	int status;
+	Pk11Install_Error ret;
+	PRBool made_temp_file;
+	Pk11Install_Info installInfo;
+	Pk11Install_Platform *platform;
+	char* errMsg;
+	char sysname[SYS_INFO_BUFFER_LENGTH], release[SYS_INFO_BUFFER_LENGTH],
+       arch[SYS_INFO_BUFFER_LENGTH];
+	char *myPlatform;
+
+	jar=NULL;
+	ret = PK11_INSTALL_UNSPECIFIED;
+	made_temp_file=PR_FALSE;
+	errMsg=NULL;
+	Pk11Install_Info_init(&installInfo);
+
+	/*
+	printf("Inside DoInstall, jarFile=%s, installDir=%s, tempDir=%s\n",
+		jarFile, installDir, tempDir);
+	*/
+
+	/*
+	 * Check out jarFile and installDir for validity
+	 */
+	if( PR_Access(installDir, PR_ACCESS_EXISTS) != PR_SUCCESS ) {
+		error(PK11_INSTALL_DIR_DOESNT_EXIST, installDir);
+		return PK11_INSTALL_DIR_DOESNT_EXIST;
+	}
+	if(!tempDir) {
+		tempDir = ".";
+	}
+	if( PR_Access(tempDir, PR_ACCESS_EXISTS) != PR_SUCCESS ) {
+		error(PK11_INSTALL_DIR_DOESNT_EXIST, tempDir);
+		return PK11_INSTALL_DIR_DOESNT_EXIST;
+	}
+	if( PR_Access(tempDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS ) {
+		error(PK11_INSTALL_DIR_NOT_WRITEABLE, tempDir);
+		return PK11_INSTALL_DIR_NOT_WRITEABLE;
+	}
+	if( (PR_Access(jarFile, PR_ACCESS_EXISTS) != PR_SUCCESS) ) {
+		error(PK11_INSTALL_FILE_DOESNT_EXIST, jarFile);
+		return PK11_INSTALL_FILE_DOESNT_EXIST;
+	}
+	if( PR_Access(jarFile, PR_ACCESS_READ_OK) != PR_SUCCESS ) {
+		error(PK11_INSTALL_FILE_NOT_READABLE, jarFile);
+		return PK11_INSTALL_FILE_NOT_READABLE;
+	}
+
+	/*
+	 * Extract the JAR file
+	 */
+	jar = JAR_new();
+	JAR_set_callback(JAR_CB_SIGNAL, jar, jar_callback);
+
+	if(noverify) {
+		status = JAR_pass_archive_unverified(jar, jarArchGuess, jarFile, "url");
+	} else {
+		status = JAR_pass_archive(jar, jarArchGuess, jarFile, "url");
+	}
+	if( (status < 0) || (jar->valid < 0) ) {
+		if (status >= JAR_BASE && status <= JAR_BASE_END) {
+			error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
+		} else {
+			error(PK11_INSTALL_JAR_ERROR, jarFile,
+			  mySECU_ErrorString((int16) PORT_GetError()) );
+		}
+		ret=PK11_INSTALL_JAR_ERROR;
+		goto loser;
+	}
+	/*printf("passed the archive\n");*/
+
+	/*
+	 * Show the user security information, allow them to abort or continue
+	 */
+	if( Pk11Install_UserVerifyJar(jar, PR_STDOUT,
+		force?PR_FALSE:PR_TRUE) && !force) {
+		if(feedback) {
+			PR_fprintf(feedback, msgStrings[USER_ABORT]);
+		}
+		ret=PK11_INSTALL_USER_ABORT;
+		goto loser;
+	}
+
+	/*
+	 * Get the name of the installation file
+	 */
+	if( JAR_get_metainfo(jar, NULL, INSTALL_METAINFO_TAG, (void**)&installer,
+		(unsigned long*)&installer_len) ) {
+		error(PK11_INSTALL_NO_INSTALLER_SCRIPT);
+		ret=PK11_INSTALL_NO_INSTALLER_SCRIPT;
+		goto loser;
+	}
+	if(feedback) {
+		PR_fprintf(feedback, msgStrings[INSTALLER_SCRIPT_NAME], installer);
+	}
+
+	/*
+	 * Extract the installation file
+	 */
+	if( PR_Access(SCRIPT_TEMP_FILE, PR_ACCESS_EXISTS) == PR_SUCCESS) {
+		if( PR_Delete(SCRIPT_TEMP_FILE) != PR_SUCCESS) {
+			error(PK11_INSTALL_DELETE_TEMP_FILE, SCRIPT_TEMP_FILE);
+			ret=PK11_INSTALL_DELETE_TEMP_FILE;
+			goto loser;
+		}
+	}
+	if(noverify) {
+		status = JAR_extract(jar, installer, SCRIPT_TEMP_FILE);
+	} else {
+		status = JAR_verified_extract(jar, installer, SCRIPT_TEMP_FILE);
+	}
+	if(status) {
+		if (status >= JAR_BASE && status <= JAR_BASE_END) {
+			error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
+		} else {
+			error(PK11_INSTALL_JAR_EXTRACT, installer,
+			  mySECU_ErrorString((int16) PORT_GetError()) );
+		}
+		ret = PK11_INSTALL_JAR_EXTRACT;
+		goto loser;
+	} else {
+		made_temp_file = PR_TRUE;
+	}
+
+	/*
+	 * Parse the installation file into a syntax tree
+	 */
+	Pk11Install_FD = PR_Open(SCRIPT_TEMP_FILE, PR_RDONLY, 0);
+	if(!Pk11Install_FD) {
+		error(PK11_INSTALL_OPEN_SCRIPT_FILE, SCRIPT_TEMP_FILE);
+		ret=PK11_INSTALL_OPEN_SCRIPT_FILE;
+		goto loser;
+	}
+	if(Pk11Install_yyparse()) {
+		error(PK11_INSTALL_SCRIPT_PARSE, installer,
+			Pk11Install_yyerrstr ? Pk11Install_yyerrstr : "");
+		ret=PK11_INSTALL_SCRIPT_PARSE;
+		goto loser;
+	}
+
+#if 0
+	/* for debugging */
+	Pk11Install_valueList->Print(0);
+#endif
+
+	/*
+	 * From the syntax tree, build a semantic structure
+	 */
+	errMsg = Pk11Install_Info_Generate(&installInfo,Pk11Install_valueList);
+	if(errMsg) {
+		error(PK11_INSTALL_SEMANTIC, errMsg);
+		ret=PK11_INSTALL_SEMANTIC;
+		goto loser;
+	}
+#if 0
+	installInfo.Print(0);
+#endif
+
+	if(feedback) {
+		PR_fprintf(feedback, msgStrings[PARSED_INSTALL_SCRIPT]);
+	}
+
+	/*
+	 * Figure out which platform to use
+	 */
+	{
+		sysname[0] = release[0] = arch[0] = '\0';
+
+		if( (PR_GetSystemInfo(PR_SI_SYSNAME, sysname, SYS_INFO_BUFFER_LENGTH)
+				!= PR_SUCCESS) ||
+		    (PR_GetSystemInfo(PR_SI_RELEASE, release, SYS_INFO_BUFFER_LENGTH)
+				!= PR_SUCCESS) ||
+		    (PR_GetSystemInfo(PR_SI_ARCHITECTURE, arch, SYS_INFO_BUFFER_LENGTH)
+				!= PR_SUCCESS) ) {
+			error(PK11_INSTALL_SYSINFO);
+			ret=PK11_INSTALL_SYSINFO;
+			goto loser;
+		}
+		myPlatform = PR_smprintf("%s:%s:%s", sysname, release, arch);
+		platform = Pk11Install_Info_GetBestPlatform(&installInfo,myPlatform);
+		if(!platform) {
+			error(PK11_INSTALL_NO_PLATFORM, myPlatform);
+			PR_smprintf_free(myPlatform);
+			ret=PK11_INSTALL_NO_PLATFORM;
+			goto loser;
+		}
+		if(feedback) {
+			PR_fprintf(feedback, msgStrings[MY_PLATFORM_IS], myPlatform);
+			PR_fprintf(feedback, msgStrings[USING_PLATFORM],
+                    Pk11Install_PlatformName_GetString(&platform->name));
+		}
+		PR_smprintf_free(myPlatform);
+	}
+
+	/* Run the install for that platform */
+	ret = DoInstall(jar, installDir, tempDir, platform, feedback, noverify);
+	if(ret) {
+		goto loser;
+	}
+
+	ret = PK11_INSTALL_SUCCESS;
+loser:
+	if(Pk11Install_valueList) {
+		Pk11Install_ValueList_delete(Pk11Install_valueList);
+		PR_Free(Pk11Install_valueList);
+		Pk11Install_valueList = NULL;
+	}
+	if(jar) {
+		JAR_destroy(jar);
+	}
+	if(made_temp_file) {
+		PR_Delete(SCRIPT_TEMP_FILE);
+	}
+	if(errMsg) {
+		PR_smprintf_free(errMsg);
+	}
+	return ret;
+}
+
+/*
+/////////////////////////////////////////////////////////////////////////
+// actually run the installation, copying files to and fro
+*/
+static Pk11Install_Error
+DoInstall(JAR *jar, const char *installDir, const char *tempDir,
+	Pk11Install_Platform *platform, PRFileDesc *feedback, PRBool noverify)
+{
+	Pk11Install_File *file;
+	Pk11Install_Error ret;
+	char *reldir;
+	char *dest;
+	char *modDest;
+	char *cp;
+	int i;
+	int status;
+	char *tempname, *temp;
+	StringList executables;
+	StringNode *execNode;
+	PRProcessAttr *attr;
+	PRProcess *proc;
+	char *argv[2];
+	char *envp[1];
+	int errcode;
+
+	ret=PK11_INSTALL_UNSPECIFIED;
+	reldir=NULL;
+	dest=NULL;
+	modDest=NULL;
+	tempname=NULL;
+
+	StringList_new(&executables);
+	/*
+	// Create Temporary directory
+	*/
+	tempname = PR_smprintf("%s/%s", tempDir, TEMPORARY_DIRECTORY_NAME);
+	if( PR_Access(tempname, PR_ACCESS_EXISTS)==PR_SUCCESS ) {
+		/* Left over from previous run?  Delete it. */
+		rm_dash_r(tempname);
+	}
+	if(PR_MkDir(tempname, 0700) != PR_SUCCESS) {
+		error(PK11_INSTALL_CREATE_DIR, tempname);
+		ret = PK11_INSTALL_CREATE_DIR;
+		goto loser;
+	}
+
+	/*
+	// Install all the files
+	*/
+	for(i=0; i < platform->numFiles; i++) {
+		file = &platform->files[i];
+
+		if(file->relativePath) {
+			PRBool foundMarker = PR_FALSE;
+			reldir = PR_Strdup(file->relativePath);
+
+			/* Replace all the markers with the directories for which they stand */
+			while(1) {
+				if( (cp=PL_strcasestr(reldir, ROOT_MARKER)) ) {
+					/* Has a %root% marker  */
+					*cp = '\0';
+					temp = PR_smprintf("%s%s%s", reldir, installDir,
+						cp+strlen(ROOT_MARKER));
+					PR_Free(reldir);
+					reldir = temp;
+					foundMarker = PR_TRUE;
+				} else if( (cp = PL_strcasestr(reldir, TEMP_MARKER)) ) {
+					/* Has a %temp% marker */
+					*cp = '\0';
+					temp = PR_smprintf("%s%s%s", reldir, tempname, 
+						cp+strlen(TEMP_MARKER));
+					PR_Free(reldir);
+					reldir = temp;
+					foundMarker = PR_TRUE;
+				} else {
+					break;
+				}
+			}
+			if(!foundMarker) {
+				/* Has no markers...this isn't really a relative directory */
+				error(PK11_INSTALL_BOGUS_REL_DIR, file->relativePath);
+				ret = PK11_INSTALL_BOGUS_REL_DIR;
+				goto loser;
+			}
+			dest = reldir;
+			reldir = NULL;
+		} else if(file->absolutePath) {
+			dest = PR_Strdup(file->absolutePath);
+		}
+
+		/* Remember if this is the module file, we'll need to add it later */
+		if(i == platform->modFile) {
+			modDest = PR_Strdup(dest);
+		}
+
+		/* Remember is this is an executable, we'll need to run it later */
+		if(file->executable) {
+			StringList_Append(&executables,dest);
+			/*executables.Append(dest);*/
+		}
+
+		/* Make sure the directory we are targetting exists */
+		if( make_dirs(dest, file->permissions) ) {
+			ret=PK11_INSTALL_CREATE_DIR;
+			goto loser;
+		}
+
+		/* Actually extract the file onto the filesystem */
+		if(noverify) {
+			status = JAR_extract(jar, (char*)file->jarPath, dest);
+		} else {
+			status = JAR_verified_extract(jar, (char*)file->jarPath, dest);
+		}
+		if(status) {
+			if (status >= JAR_BASE && status <= JAR_BASE_END) {
+				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
+                  JAR_get_error(status));
+			} else {
+				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
+				  mySECU_ErrorString((int16) PORT_GetError()) );
+			}
+			ret=PK11_INSTALL_JAR_EXTRACT;
+			goto loser;
+		}
+		if(feedback) {
+			PR_fprintf(feedback, msgStrings[INSTALLED_FILE_MSG],
+				file->jarPath, dest);
+		}
+
+		/* no NSPR command to change permissions? */
+#ifdef XP_UNIX
+		chmod(dest, file->permissions);
+#endif
+
+		/* Memory clean-up tasks */
+		if(reldir) {
+			PR_Free(reldir);
+			reldir = NULL;
+		}
+		if(dest) {
+			PR_Free(dest);
+			dest = NULL;
+		}
+	}
+	/* Make sure we found the module file */
+	if(!modDest) {
+		/* Internal problem here, since every platform is supposed to have
+		   a module file */
+		error(PK11_INSTALL_NO_MOD_FILE, platform->moduleName);
+		ret=PK11_INSTALL_NO_MOD_FILE;
+		goto loser;
+	}
+
+	/*
+	// Execute any executable files
+	*/
+	{
+		argv[1] = NULL;
+		envp[0] = NULL;
+		for(execNode = executables.head; execNode; execNode = execNode->next) {
+			attr = PR_NewProcessAttr();
+			argv[0] = PR_Strdup(execNode->str);
+
+			/* Announce our intentions */
+			if(feedback) {
+				PR_fprintf(feedback, msgStrings[EXEC_FILE_MSG], execNode->str);
+			}
+
+			/* start the process */
+			if( !(proc=PR_CreateProcess(execNode->str, argv, envp, attr)) ) {
+				PR_Free(argv[0]);
+				PR_DestroyProcessAttr(attr);
+				error(PK11_INSTALL_EXEC_FILE, execNode->str);
+				ret=PK11_INSTALL_EXEC_FILE;
+				goto loser;
+			}
+
+			/* wait for it to finish */
+			if( PR_WaitProcess(proc, &errcode) != PR_SUCCESS) {
+				PR_Free(argv[0]);
+				PR_DestroyProcessAttr(attr);
+				error(PK11_INSTALL_WAIT_PROCESS, execNode->str);
+				ret=PK11_INSTALL_WAIT_PROCESS;
+				goto loser;
+			}
+
+			/* What happened? */
+			if(errcode) {
+				/* process returned an error */
+				error(PK11_INSTALL_PROC_ERROR, execNode->str, errcode);
+			} else if(feedback) {
+				/* process ran successfully */
+				PR_fprintf(feedback, msgStrings[EXEC_SUCCESS], execNode->str);
+			}
+
+			PR_Free(argv[0]);
+			PR_DestroyProcessAttr(attr);
+		}
+	}
+
+	/*
+	// Add the module
+	*/
+	status = Pk11Install_AddNewModule((char*)platform->moduleName,
+		(char*)modDest, platform->mechFlags, platform->cipherFlags );
+
+	if(status != SECSuccess) {
+		error(PK11_INSTALL_ADD_MODULE, platform->moduleName);
+		ret=PK11_INSTALL_ADD_MODULE;
+		goto loser;
+	}
+	if(feedback) {
+		PR_fprintf(feedback, msgStrings[INSTALLED_MODULE_MSG],
+			platform->moduleName);
+	}
+
+	if(feedback) {
+		PR_fprintf(feedback, msgStrings[INSTALLATION_COMPLETE_MSG]);
+	}
+
+	ret = PK11_INSTALL_SUCCESS;
+
+loser:
+	if(reldir) {
+		PR_Free(reldir);
+	}
+	if(dest) {
+		PR_Free(dest);
+	}
+	if(modDest) {
+		PR_Free(modDest);
+	}
+	if(tempname) {
+		PRFileInfo info;
+		if(PR_GetFileInfo(tempname, &info) == PR_SUCCESS) {
+			if((info.type == PR_FILE_DIRECTORY)) {
+				/* Recursively remove temporary directory */
+				if(rm_dash_r(tempname)) {
+					error(PK11_INSTALL_REMOVE_DIR,
+						tempname);
+					ret=PK11_INSTALL_REMOVE_DIR;
+				}
+					
+			}
+		}
+		PR_Free(tempname);
+	}
+	StringList_delete(&executables);
+	return ret;
+}
+
+/*
+//////////////////////////////////////////////////////////////////////////
+*/
+static char*
+PR_Strdup(const char* str)
+{
+	char *tmp = (char*) PR_Malloc(strlen(str)+1);
+	strcpy(tmp, str);
+	return tmp;
+}
+
+/*
+ *  r m _ d a s h _ r
+ *
+ *  Remove a file, or a directory recursively.
+ *
+ */
+static int
+rm_dash_r (char *path)
+{
+    PRDir   *dir;
+    PRDirEntry *entry;
+    PRFileInfo fileinfo;
+    char filename[240];
+
+    if(PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) {
+        /*fprintf(stderr, "Error: Unable to access %s\n", filename);*/
+        return -1;
+    }
+    if(fileinfo.type == PR_FILE_DIRECTORY) {
+
+        dir = PR_OpenDir(path);
+        if(!dir) {
+            return -1;
+        }
+
+        /* Recursively delete all entries in the directory */
+        while((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+            sprintf(filename, "%s/%s", path, entry->name);
+            if(rm_dash_r(filename)) return -1;
+        }
+
+        if(PR_CloseDir(dir) != PR_SUCCESS) {
+            return -1;
+        }
+
+        /* Delete the directory itself */
+        if(PR_RmDir(path) != PR_SUCCESS) {
+            return -1;
+        }
+    } else {
+        if(PR_Delete(path) != PR_SUCCESS) {
+            return -1;
+        }
+    }
+    return 0;
+}
+
+/***************************************************************************
+ *
+ * m a k e _ d i r s
+ *
+ * Ensure that the directory portion of the path exists.  This may require
+ * making the directory, and its parent, and its parent's parent, etc.
+ */
+static int
+make_dirs(char *path, int file_perms)
+{
+	char *Path;
+	char *start;
+	char *sep;
+	int ret = 0;
+	PRFileInfo info;
+
+	if(!path) {
+		return 0;
+	}
+
+	Path = PR_Strdup(path);
+	start = strpbrk(Path, "/\\");
+	if(!start) {
+		return 0;
+	}
+	start++; /* start right after first slash */
+
+	/* Each time through the loop add one more directory. */
+	while( (sep=strpbrk(start, "/\\")) ) {
+		*sep = '\0';
+
+		if( PR_GetFileInfo(Path, &info) != PR_SUCCESS) {
+			/* No such dir, we have to create it */
+			if( PR_MkDir(Path, dir_perms(file_perms)) != PR_SUCCESS) {
+				error(PK11_INSTALL_CREATE_DIR, Path);
+				ret = PK11_INSTALL_CREATE_DIR;
+				goto loser;
+			}
+		} else {
+			/* something exists by this name, make sure it's a directory */
+			if( info.type != PR_FILE_DIRECTORY ) {
+				error(PK11_INSTALL_CREATE_DIR, Path);
+				ret = PK11_INSTALL_CREATE_DIR;
+				goto loser;
+			}
+		}
+
+		/* If this is the lowest directory level, make sure it is writeable */
+		if(!strpbrk(sep+1, "/\\")) {
+			if( PR_Access(Path, PR_ACCESS_WRITE_OK)!=PR_SUCCESS) {
+				error(PK11_INSTALL_DIR_NOT_WRITEABLE, Path);
+				ret = PK11_INSTALL_DIR_NOT_WRITEABLE;
+				goto loser;
+			}
+		}
+
+		start = sep+1; /* start after the next slash */
+		*sep = '/';
+	}
+
+loser:
+	PR_Free(Path);
+	return ret;
+}
+
+/*************************************************************************
+ * d i r _ p e r m s
+ * 
+ * Guesses the desired permissions on a directory based on the permissions
+ * of a file that will be stored in it. Give read, write, and
+ * execute to the owner (so we can create the file), read and 
+ * execute to anyone who has read permissions on the file, and write
+ * to anyone who has write permissions on the file.
+ */
+static int
+dir_perms(int perms)
+{
+	int ret = 0;
+
+	/* owner */
+	ret |= 0700;
+
+	/* group */
+	if(perms & 0040) {
+		/* read on the file -> read and execute on the directory */
+		ret |= 0050;
+	}
+	if(perms & 0020) {
+		/* write on the file -> write on the directory */
+		ret |= 0020;
+	}
+
+	/* others */
+	if(perms & 0004) {
+		/* read on the file -> read and execute on the directory */
+		ret |= 0005;
+	}
+	if(perms & 0002) {
+		/* write on the file -> write on the directory */
+		ret |= 0002;
+	}
+
+	return ret;
+}
diff --git a/security/nss/cmd/modutil/install.h b/security/nss/cmd/modutil/install.h
new file mode 100644
index 000000000..00fae7aeb
--- /dev/null
+++ b/security/nss/cmd/modutil/install.h
@@ -0,0 +1,133 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PK11INSTALL_H
+#define PK11INSTALL_H
+
+#include <prio.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef void (*Pk11Install_ErrorHandler)(char *);
+
+typedef enum {
+	PK11_INSTALL_NO_ERROR=0,
+	PK11_INSTALL_DIR_DOESNT_EXIST,
+	PK11_INSTALL_FILE_DOESNT_EXIST,
+	PK11_INSTALL_FILE_NOT_READABLE,
+	PK11_INSTALL_ERROR_STRING,
+	PK11_INSTALL_JAR_ERROR,
+	PK11_INSTALL_NO_INSTALLER_SCRIPT,
+	PK11_INSTALL_DELETE_TEMP_FILE,
+	PK11_INSTALL_OPEN_SCRIPT_FILE,
+	PK11_INSTALL_SCRIPT_PARSE,
+	PK11_INSTALL_SEMANTIC,
+	PK11_INSTALL_SYSINFO,
+	PK11_INSTALL_NO_PLATFORM,
+	PK11_INSTALL_BOGUS_REL_DIR,
+	PK11_INSTALL_NO_MOD_FILE,
+	PK11_INSTALL_ADD_MODULE,
+	PK11_INSTALL_JAR_EXTRACT,
+	PK11_INSTALL_DIR_NOT_WRITEABLE,
+	PK11_INSTALL_CREATE_DIR,
+	PK11_INSTALL_REMOVE_DIR,
+	PK11_INSTALL_EXEC_FILE,
+	PK11_INSTALL_WAIT_PROCESS,
+	PK11_INSTALL_PROC_ERROR,
+	PK11_INSTALL_USER_ABORT,
+	PK11_INSTALL_UNSPECIFIED
+} Pk11Install_Error;
+#define PK11_INSTALL_SUCCESS PK11_INSTALL_NO_ERROR
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ I n i t
+ *
+ * Does initialization that otherwise would be done on the fly.  Only
+ * needs to be called by multithreaded apps, before they make any calls
+ * to this library.
+ */
+void 
+Pk11Install_Init();
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ S e t E r r o r H a n d l e r
+ *
+ * Sets the error handler to be used by the library.  Returns the current
+ * error handler function.
+ */
+Pk11Install_ErrorHandler
+Pk11Install_SetErrorHandler(Pk11Install_ErrorHandler handler);
+
+
+/**************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ R e l e a s e
+ *
+ * Releases static data structures used by the library.  Don't use the
+ * library after calling this, unless you call Pk11Install_Init()
+ * first.  This function doesn't have to be called at all unless you're
+ * really anal about freeing memory before your program exits.
+ */
+void 
+Pk11Install_Release();
+
+/*************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ D o I n s t a l l
+ *
+ * jarFile is the path of a JAR in the PKCS #11 module JAR format.
+ * installDir is the directory relative to which files will be
+ *   installed.
+ * feedback is a file descriptor to which to write informative (not error)
+ * status messages: what files are being installed, what modules are being
+ * installed.  If feedback==NULL, no messages will be displayed.
+ * If force != 0, interactive prompts will be suppressed.
+ * If noverify == PR_TRUE, signatures won't be checked on the JAR file.
+ */
+Pk11Install_Error
+Pk11Install_DoInstall(char *jarFile, const char *installDir,
+	const char *tempDir, PRFileDesc *feedback, short force,
+	PRBool noverify);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*PK11INSTALL_H*/
diff --git a/security/nss/cmd/modutil/installparse.c b/security/nss/cmd/modutil/installparse.c
new file mode 100644
index 000000000..1d85d213a
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.c
@@ -0,0 +1,429 @@
+#ifndef lint
+char yysccsid[] = "@(#)yaccpar	1.4 (Berkeley) 02/25/90";
+#endif
+#line 37 "installparse.y"
+ 
+#define yyparse Pk11Install_yyparse
+#define yylex Pk11Install_yylex
+#define yyerror Pk11Install_yyerror
+#define yychar Pk11Install_yychar
+#define yyval Pk11Install_yyval
+#define yylval Pk11Install_yylval
+#define yydebug Pk11Install_yydebug
+#define yynerrs Pk11Install_yynerrs
+#define yyerrflag Pk11Install_yyerrflag
+#define yyss Pk11Install_yyss
+#define yyssp Pk11Install_yyssp
+#define yyvs Pk11Install_yyvs
+#define yyvsp Pk11Install_yyvsp
+#define yylhs Pk11Install_yylhs
+#define yylen Pk11Install_yylen
+#define yydefred Pk11Install_yydefred
+#define yydgoto Pk11Install_yydgoto
+#define yysindex Pk11Install_yysindex
+#define yyrindex Pk11Install_yyrindex
+#define yygindex Pk11Install_yygindex
+#define yytable Pk11Install_yytable
+#define yycheck Pk11Install_yycheck
+#define yyname Pk11Install_yyname
+#define yyrule Pk11Install_yyrule
+
+/* C Stuff */
+#include "install-ds.h"
+#include <prprf.h>
+
+#define YYSTYPE Pk11Install_Pointer
+extern char *Pk11Install_yytext;
+char *Pk11Install_yyerrstr=NULL;
+
+#line 40 "ytab.c"
+#define OPENBRACE 257
+#define CLOSEBRACE 258
+#define STRING 259
+#define YYERRCODE 256
+short yylhs[] = {                                        -1,
+    0,    1,    1,    2,    2,    3,    4,
+};
+short yylen[] = {                                         2,
+    1,    2,    0,    1,    1,    4,    1,
+};
+short yydefred[] = {                                      0,
+    0,    0,    1,    0,    4,    0,    2,    0,    0,    6,
+};
+short yydgoto[] = {                                       2,
+    3,    4,    5,    6,
+};
+short yysindex[] = {                                   -257,
+    0,    0,    0, -257,    0, -252,    0, -257, -251,    0,
+};
+short yyrindex[] = {                                      6,
+    1,    0,    0,    3,    0,    0,    0, -250,    0,    0,
+};
+short yygindex[] = {                                      0,
+   -4,    0,    0,    0,
+};
+#define YYTABLESIZE 261
+short yytable[] = {                                       7,
+    5,    1,    3,    9,    8,    3,   10,    3,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+    0,    0,    0,    0,    0,    0,    0,    7,    5,    5,
+    3,
+};
+short yycheck[] = {                                       4,
+    0,  259,    0,    8,  257,    0,  258,  258,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
+   -1,   -1,   -1,   -1,   -1,   -1,   -1,  257,  258,  259,
+  258,
+};
+#define YYFINAL 2
+#ifndef YYDEBUG
+#define YYDEBUG 0
+#endif
+#define YYMAXTOKEN 259
+#if YYDEBUG
+char *yyname[] = {
+"end-of-file",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"OPENBRACE","CLOSEBRACE","STRING",
+};
+char *yyrule[] = {
+"$accept : toplist",
+"toplist : valuelist",
+"valuelist : value valuelist",
+"valuelist :",
+"value : key_value_pair",
+"value : STRING",
+"key_value_pair : key OPENBRACE valuelist CLOSEBRACE",
+"key : STRING",
+};
+#endif
+#ifndef YYSTYPE
+typedef int YYSTYPE;
+#endif
+#define yyclearin (yychar=(-1))
+#define yyerrok (yyerrflag=0)
+#ifndef YYSTACKSIZE
+#ifdef YYMAXDEPTH
+#define YYSTACKSIZE YYMAXDEPTH
+#else
+#define YYSTACKSIZE 300
+#endif
+#endif
+int yydebug;
+int yynerrs;
+int yyerrflag;
+int yychar;
+short *yyssp;
+YYSTYPE *yyvsp;
+YYSTYPE yyval;
+YYSTYPE yylval;
+#define yystacksize YYSTACKSIZE
+short yyss[YYSTACKSIZE];
+YYSTYPE yyvs[YYSTACKSIZE];
+#line 118 "installparse.y"
+/*----------------------- Program Section --------------------------------*/
+
+/*************************************************************************/
+void
+Pk11Install_yyerror(char *message)
+{
+	char *tmp;
+	if(Pk11Install_yyerrstr) {
+		tmp=PR_smprintf("%sline %d: %s\n", Pk11Install_yyerrstr,
+			Pk11Install_yylinenum, message);
+		PR_smprintf_free(Pk11Install_yyerrstr);
+	} else {
+		tmp = PR_smprintf("line %d: %s\n", Pk11Install_yylinenum, message);
+	}
+	Pk11Install_yyerrstr=tmp;
+}
+#line 191 "ytab.c"
+#define YYABORT goto yyabort
+#define YYACCEPT goto yyaccept
+#define YYERROR goto yyerrlab
+int
+yyparse()
+{
+    register int yym, yyn, yystate;
+#if YYDEBUG
+    register char *yys;
+    extern char *getenv();
+
+    if (yys = getenv("YYDEBUG"))
+    {
+        yyn = *yys;
+        if (yyn >= '0' && yyn <= '9')
+            yydebug = yyn - '0';
+    }
+#endif
+
+    yynerrs = 0;
+    yyerrflag = 0;
+    yychar = (-1);
+
+    yyssp = yyss;
+    yyvsp = yyvs;
+    *yyssp = yystate = 0;
+
+yyloop:
+    if (yyn = yydefred[yystate]) goto yyreduce;
+    if (yychar < 0)
+    {
+        if ((yychar = yylex()) < 0) yychar = 0;
+#if YYDEBUG
+        if (yydebug)
+        {
+            yys = 0;
+            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
+            if (!yys) yys = "illegal-symbol";
+            printf("yydebug: state %d, reading %d (%s)\n", yystate,
+                    yychar, yys);
+        }
+#endif
+    }
+    if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
+            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
+    {
+#if YYDEBUG
+        if (yydebug)
+            printf("yydebug: state %d, shifting to state %d\n",
+                    yystate, yytable[yyn]);
+#endif
+        if (yyssp >= yyss + yystacksize - 1)
+        {
+            goto yyoverflow;
+        }
+        *++yyssp = yystate = yytable[yyn];
+        *++yyvsp = yylval;
+        yychar = (-1);
+        if (yyerrflag > 0)  --yyerrflag;
+        goto yyloop;
+    }
+    if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
+            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
+    {
+        yyn = yytable[yyn];
+        goto yyreduce;
+    }
+    if (yyerrflag) goto yyinrecovery;
+#ifdef lint
+    goto yynewerror;
+yynewerror:
+#endif
+    yyerror("syntax error");
+#ifdef lint
+    goto yyerrlab;
+yyerrlab:
+#endif
+    ++yynerrs;
+yyinrecovery:
+    if (yyerrflag < 3)
+    {
+        yyerrflag = 3;
+        for (;;)
+        {
+            if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE) >= 0 &&
+                    yyn <= YYTABLESIZE && yycheck[yyn] == YYERRCODE)
+            {
+#if YYDEBUG
+                if (yydebug)
+                    printf("yydebug: state %d, error recovery shifting\
+ to state %d\n", *yyssp, yytable[yyn]);
+#endif
+                if (yyssp >= yyss + yystacksize - 1)
+                {
+                    goto yyoverflow;
+                }
+                *++yyssp = yystate = yytable[yyn];
+                *++yyvsp = yylval;
+                goto yyloop;
+            }
+            else
+            {
+#if YYDEBUG
+                if (yydebug)
+                    printf("yydebug: error recovery discarding state %d\n",
+                            *yyssp);
+#endif
+                if (yyssp <= yyss) goto yyabort;
+                --yyssp;
+                --yyvsp;
+            }
+        }
+    }
+    else
+    {
+        if (yychar == 0) goto yyabort;
+#if YYDEBUG
+        if (yydebug)
+        {
+            yys = 0;
+            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
+            if (!yys) yys = "illegal-symbol";
+            printf("yydebug: state %d, error recovery discards token %d (%s)\n",
+                    yystate, yychar, yys);
+        }
+#endif
+        yychar = (-1);
+        goto yyloop;
+    }
+yyreduce:
+#if YYDEBUG
+    if (yydebug)
+        printf("yydebug: state %d, reducing by rule %d (%s)\n",
+                yystate, yyn, yyrule[yyn]);
+#endif
+    yym = yylen[yyn];
+    yyval = yyvsp[1-yym];
+    switch (yyn)
+    {
+case 1:
+#line 84 "installparse.y"
+{
+	Pk11Install_valueList = yyvsp[0].list;
+}
+break;
+case 2:
+#line 89 "installparse.y"
+{ 
+	Pk11Install_ValueList_AddItem(yyvsp[0].list,yyvsp[-1].value);
+	yyval .list = yyvsp[0].list; 
+}
+break;
+case 3:
+#line 94 "installparse.y"
+{ 
+	yyval .list = Pk11Install_ValueList_new(); 
+}
+break;
+case 4:
+#line 99 "installparse.y"
+{
+	yyval .value= Pk11Install_Value_new(PAIR_VALUE,yyvsp[0]);
+}
+break;
+case 5:
+#line 103 "installparse.y"
+{
+	yyval .value= Pk11Install_Value_new(STRING_VALUE, yyvsp[0]);
+}
+break;
+case 6:
+#line 108 "installparse.y"
+{
+	yyval .pair = Pk11Install_Pair_new(yyvsp[-3].string,yyvsp[-1].list);
+}
+break;
+case 7:
+#line 113 "installparse.y"
+{
+	yyval .string = yyvsp[0].string;
+}
+break;
+#line 374 "ytab.c"
+    }
+    yyssp -= yym;
+    yystate = *yyssp;
+    yyvsp -= yym;
+    yym = yylhs[yyn];
+    if (yystate == 0 && yym == 0)
+    {
+#ifdef YYDEBUG
+        if (yydebug)
+            printf("yydebug: after reduction, shifting from state 0 to\
+ state %d\n", YYFINAL);
+#endif
+        yystate = YYFINAL;
+        *++yyssp = YYFINAL;
+        *++yyvsp = yyval;
+        if (yychar < 0)
+        {
+            if ((yychar = yylex()) < 0) yychar = 0;
+#if YYDEBUG
+            if (yydebug)
+            {
+                yys = 0;
+                if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
+                if (!yys) yys = "illegal-symbol";
+                printf("yydebug: state %d, reading %d (%s)\n",
+                        YYFINAL, yychar, yys);
+            }
+#endif
+        }
+        if (yychar == 0) goto yyaccept;
+        goto yyloop;
+    }
+    if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
+            yyn <= YYTABLESIZE && yycheck[yyn] == yystate)
+        yystate = yytable[yyn];
+    else
+        yystate = yydgoto[yym];
+#ifdef YYDEBUG
+    if (yydebug)
+        printf("yydebug: after reduction, shifting from state %d \
+to state %d\n", *yyssp, yystate);
+#endif
+    if (yyssp >= yyss + yystacksize - 1)
+    {
+        goto yyoverflow;
+    }
+    *++yyssp = yystate;
+    *++yyvsp = yyval;
+    goto yyloop;
+yyoverflow:
+    yyerror("yacc stack overflow");
+yyabort:
+    return (1);
+yyaccept:
+    return (0);
+}
diff --git a/security/nss/cmd/modutil/installparse.h b/security/nss/cmd/modutil/installparse.h
new file mode 100644
index 000000000..75686d4fd
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.h
@@ -0,0 +1,3 @@
+#define OPENBRACE 257
+#define CLOSEBRACE 258
+#define STRING 259
diff --git a/security/nss/cmd/modutil/installparse.l b/security/nss/cmd/modutil/installparse.l
new file mode 100644
index 000000000..3881ea530
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.l
@@ -0,0 +1,169 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+/* lex file for analyzing PKCS #11 Module installation instructions */
+
+/*----------------------------- Definitions ---------------------------*/
+%{
+#include <string.h>
+
+#include "install-ds.h"		/* defines tokens and data structures */
+#include "installparse.h"	/* produced by yacc -d */
+#include <prprf.h>
+static char *putSimpleString(char*);	/* return copy of string */
+static char *putComplexString(char*);	/* strip out quotes, deal with */
+											/* escaped characters */
+
+void Pk11Install_yyerror(char *);
+
+/* Overrides to use NSPR */
+#define malloc PR_Malloc
+#define realloc PR_Realloc
+#define free PR_Free
+
+int Pk11Install_yylinenum=1;
+static char *err;
+
+#define YY_NEVER_INTERACTIVE 1
+#define yyunput Pkcs11Install_yyunput
+
+/* This is the default YY_INPUT modified for NSPR */
+#define YY_INPUT(buf,result,max_size) \
+	if ( yy_current_buffer->yy_is_interactive ) { \
+		char c; \
+		int n; \
+		for ( n = 0; n < max_size && \
+		  PR_Read(Pk11Install_FD, &c, 1)==1 && c != '\n'; ++n ) { \
+			buf[n] = c; \
+		} \
+        if ( c == '\n' ) { \
+            buf[n++] = c; \
+		} \
+        result = n; \
+	} else { \
+		result = PR_Read(Pk11Install_FD, buf, max_size); \
+	}
+
+%}
+
+/*** Regular expression definitions ***/
+/* simple_string has no whitespace, quotes, or braces */
+simple_string		[^ \t\r\n\""{""}"]+
+
+/* complex_string is enclosed in quotes. Inside the quotes, quotes and
+   backslashes must be backslash-escaped. No newlines or carriage returns
+   are allowed inside the quotes. Otherwise, anything goes. */
+complex_string		\"([^\"\\\r\n]|(\\\")|(\\\\))+\"
+
+/* Standard whitespace */
+whitespace			[ \t\r]+
+
+other				.
+
+/*---------------------------- Actions --------------------------------*/
+%%
+
+"{"					return OPENBRACE;
+"}"					return CLOSEBRACE;
+{simple_string}		{Pk11Install_yylval.string =
+						putSimpleString(Pk11Install_yytext);
+						return STRING;}
+{complex_string}	{Pk11Install_yylval.string =
+						putComplexString(Pk11Install_yytext);
+						return STRING;}
+
+"\n"				Pk11Install_yylinenum++;
+
+{whitespace}		;
+
+{other}				{err = PR_smprintf("Invalid lexeme: %s",Pk11Install_yytext);
+						Pk11Install_yyerror(err);
+						PR_smprintf_free(err);
+						return 1;
+					}
+
+%%
+/*------------------------ Program Section ----------------------------*/
+
+PRFileDesc *Pk11Install_FD=NULL;
+
+/*************************************************************************/
+/* dummy function required by lex */
+int Pk11Install_yywrap(void) { return 1;}
+
+/*************************************************************************/
+/* Return a copy of the given string */
+static char*
+putSimpleString(char *str)
+{
+	char *tmp = (char*) PR_Malloc(strlen(str)+1);
+	strcpy(tmp, str);
+	return tmp;
+}
+
+/*************************************************************************/
+/* Strip out quotes, replace escaped characters with what they stand for.
+   This function assumes that what is passed in is actually a complex
+   string, so error checking is lax. */
+static char*
+putComplexString(char *str)
+{
+	int size, i,j;
+	char *tmp;
+
+	if(!str) {
+		return NULL;
+	}
+	size = strlen(str);
+
+	/* Allocate the new space.  This string will actually be too big, 
+		since quotes and backslashes will be stripped out.  But that's ok. */
+	tmp = (char*) PR_Malloc(size+1);
+
+	/* Copy it over */
+	for(i=0, j=0; i < size; i++) {
+		if(str[i]=='\"') {
+			continue;  /* skip un-escaped quotes */
+		} else if(str[i]=='\\') {
+			++i;       /* escaped character. skip the backslash */
+		}
+		tmp[j++] = str[i];
+	}
+	tmp[j] = '\0';
+
+	return tmp;
+}
diff --git a/security/nss/cmd/modutil/installparse.y b/security/nss/cmd/modutil/installparse.y
new file mode 100644
index 000000000..003f04628
--- /dev/null
+++ b/security/nss/cmd/modutil/installparse.y
@@ -0,0 +1,136 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* yacc file for parsing PKCS #11 module installation instructions */
+/*------------------------ Definition Section ---------------------------*/
+
+%{ 
+#define yyparse Pk11Install_yyparse
+#define yylex Pk11Install_yylex
+#define yyerror Pk11Install_yyerror
+#define yychar Pk11Install_yychar
+#define yyval Pk11Install_yyval
+#define yylval Pk11Install_yylval
+#define yydebug Pk11Install_yydebug
+#define yynerrs Pk11Install_yynerrs
+#define yyerrflag Pk11Install_yyerrflag
+#define yyss Pk11Install_yyss
+#define yyssp Pk11Install_yyssp
+#define yyvs Pk11Install_yyvs
+#define yyvsp Pk11Install_yyvsp
+#define yylhs Pk11Install_yylhs
+#define yylen Pk11Install_yylen
+#define yydefred Pk11Install_yydefred
+#define yydgoto Pk11Install_yydgoto
+#define yysindex Pk11Install_yysindex
+#define yyrindex Pk11Install_yyrindex
+#define yygindex Pk11Install_yygindex
+#define yytable Pk11Install_yytable
+#define yycheck Pk11Install_yycheck
+#define yyname Pk11Install_yyname
+#define yyrule Pk11Install_yyrule
+
+/* C Stuff */
+#include "install-ds.h"
+#include <prprf.h>
+
+#define YYSTYPE Pk11Install_Pointer
+extern char *Pk11Install_yytext;
+char *Pk11Install_yyerrstr=NULL;
+
+%}
+
+/* Tokens */
+%token OPENBRACE
+%token CLOSEBRACE
+%token STRING
+%start toplist
+
+%%
+
+/*--------------------------- Productions -------------------------------*/
+
+toplist		: valuelist	
+{
+	Pk11Install_valueList = $1.list;
+}
+
+valuelist	: value valuelist
+{ 
+	Pk11Install_ValueList_AddItem($2.list,$1.value);
+	$$.list = $2.list; 
+}
+|
+{ 
+	$$.list = Pk11Install_ValueList_new(); 
+};
+
+value		: key_value_pair
+{
+	$$.value= Pk11Install_Value_new(PAIR_VALUE,$1);
+}
+| STRING
+{
+	$$.value= Pk11Install_Value_new(STRING_VALUE, $1);
+};
+
+key_value_pair	: key OPENBRACE valuelist CLOSEBRACE 
+{
+	$$.pair = Pk11Install_Pair_new($1.string,$3.list);
+};
+
+key			: STRING
+{
+	$$.string = $1.string;
+};
+
+%%
+/*----------------------- Program Section --------------------------------*/
+
+/*************************************************************************/
+void
+Pk11Install_yyerror(char *message)
+{
+	char *tmp;
+	if(Pk11Install_yyerrstr) {
+		tmp=PR_smprintf("%sline %d: %s\n", Pk11Install_yyerrstr,
+			Pk11Install_yylinenum, message);
+		PR_smprintf_free(Pk11Install_yyerrstr);
+	} else {
+		tmp = PR_smprintf("line %d: %s\n", Pk11Install_yylinenum, message);
+	}
+	Pk11Install_yyerrstr=tmp;
+}
diff --git a/security/nss/cmd/modutil/instsec.c b/security/nss/cmd/modutil/instsec.c
new file mode 100644
index 000000000..cfc008234
--- /dev/null
+++ b/security/nss/cmd/modutil/instsec.c
@@ -0,0 +1,181 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <plarena.h>
+#include <prio.h>
+#include <prprf.h>
+#include <seccomon.h>
+#include <secmod.h>
+#include <jar.h>
+#include <secutil.h>
+
+/* These are installation functions that make calls to the security library.
+ * We don't want to include security include files in the C++ code too much.
+ */
+
+static char* PR_fgets(char *buf, int size, PRFileDesc *file);
+
+/***************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ A d d N e w M o d u l e
+ */
+int
+Pk11Install_AddNewModule(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags)
+{
+	return (SECMOD_AddNewModule(moduleName, dllPath,
+		SECMOD_PubMechFlagstoInternal(defaultMechanismFlags),
+		SECMOD_PubCipherFlagstoInternal(cipherEnableFlags))
+													== SECSuccess) ? 0 : -1;
+}
+
+/*************************************************************************
+ *
+ * P k 1 1 I n s t a l l _ U s e r V e r i f y J a r
+ *
+ * Gives the user feedback on the signatures of a JAR files, asks them
+ * whether they actually want to continue.
+ * Assumes the jar structure has already been created and is valid.
+ * Returns 0 if the user wants to continue the installation, nonzero
+ * if the user wishes to abort.
+ */
+short
+Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out, PRBool query)
+{
+	JAR_Context *ctx;
+	JAR_Cert *fing;
+	JAR_Item *item;
+	char stdinbuf[80];
+	int count=0;
+
+	CERTCertificate *cert, *prev=NULL;
+
+	PR_fprintf(out, "\nThis installation JAR file was signed by:\n");
+
+	ctx = JAR_find(jar, NULL, jarTypeSign);
+
+	while(JAR_find_next(ctx, &item) >= 0 ) {
+		fing = (JAR_Cert*) item->data;
+		cert = fing->cert;
+		if(cert==prev) {
+			continue;
+		}
+
+		count++;
+		PR_fprintf(out, "----------------------------------------------\n");
+		if(cert) {
+			if(cert->nickname) {
+				PR_fprintf(out, "**NICKNAME**\n%s\n", cert->nickname);
+			}
+			if(cert->subjectName) {
+				PR_fprintf(out, "**SUBJECT NAME**\n%s\n", cert->subjectName); }
+			if(cert->issuerName) {
+				PR_fprintf(out, "**ISSUER NAME**\n%s\n", cert->issuerName);
+			}
+		} else {
+			PR_fprintf(out, "No matching certificate could be found.\n");
+		}
+		PR_fprintf(out, "----------------------------------------------\n\n");
+
+		prev=cert;
+	}
+
+	JAR_find_end(ctx);
+
+	if(count==0) {
+		PR_fprintf(out, "No signatures found: JAR FILE IS UNSIGNED.\n");
+	}
+
+	if(query) {
+		PR_fprintf(out,
+"Do you wish to continue this installation? (y/n) ");
+
+		if(PR_fgets(stdinbuf, 80, PR_STDIN) != NULL) {
+			char *response;
+
+			if( (response=strtok(stdinbuf, " \t\n\r")) ) {
+				if( !PL_strcasecmp(response, "y") ||
+					!PL_strcasecmp(response, "yes") ) {
+					return 0;
+				}
+			}
+		}
+	}
+
+	return 1;
+}
+
+/**************************************************************************
+ *
+ * P R _ f g e t s
+ *
+ * fgets implemented with NSPR.
+ */
+static char*
+PR_fgets(char *buf, int size, PRFileDesc *file)
+{
+    int i;
+    int status;
+    char c;
+
+    i=0;
+    while(i < size-1) {
+        status = PR_Read(file, (void*) &c, 1);
+        if(status==-1) {
+            return NULL;
+        } else if(status==0) {
+            break;
+        }
+        buf[i++] = c;
+        if(c=='\n') {
+            break;
+        }
+    }
+    buf[i]='\0';
+
+    return buf;
+}
+
+/**************************************************************************
+ *
+ * m y S E C U _ E r r o r S t r i n g
+ *
+ */
+const char* mySECU_ErrorString(int16 errnum)
+{
+	return SECU_Strerror(errnum);
+}
diff --git a/security/nss/cmd/modutil/lex.Pk11Install_yy.c b/security/nss/cmd/modutil/lex.Pk11Install_yy.c
new file mode 100644
index 000000000..1c123e578
--- /dev/null
+++ b/security/nss/cmd/modutil/lex.Pk11Install_yy.c
@@ -0,0 +1,1694 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#define yy_create_buffer Pk11Install_yy_create_buffer
+#define yy_delete_buffer Pk11Install_yy_delete_buffer
+#define yy_scan_buffer Pk11Install_yy_scan_buffer
+#define yy_scan_string Pk11Install_yy_scan_string
+#define yy_scan_bytes Pk11Install_yy_scan_bytes
+#define yy_flex_debug Pk11Install_yy_flex_debug
+#define yy_init_buffer Pk11Install_yy_init_buffer
+#define yy_flush_buffer Pk11Install_yy_flush_buffer
+#define yy_load_buffer_state Pk11Install_yy_load_buffer_state
+#define yy_switch_to_buffer Pk11Install_yy_switch_to_buffer
+#define yyin Pk11Install_yyin
+#define yyleng Pk11Install_yyleng
+#define yylex Pk11Install_yylex
+#define yyout Pk11Install_yyout
+#define yyrestart Pk11Install_yyrestart
+#define yytext Pk11Install_yytext
+#define yywrap Pk11Install_yywrap
+
+#line 20 "lex.Pk11Install_yy.c"
+/* A lexical scanner generated by flex */
+
+/* Scanner skeleton version:
+ * $Header$
+ */
+
+#define FLEX_SCANNER
+#define YY_FLEX_MAJOR_VERSION 2
+#define YY_FLEX_MINOR_VERSION 5
+
+#include <stdio.h>
+
+
+/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
+#ifdef c_plusplus
+#ifndef __cplusplus
+#define __cplusplus
+#endif
+#endif
+
+
+#ifdef __cplusplus
+
+#include <stdlib.h>
+//#include <unistd.h>
+
+/* Use prototypes in function declarations. */
+#define YY_USE_PROTOS
+
+/* The "const" storage-class-modifier is valid. */
+#define YY_USE_CONST
+
+#else	/* ! __cplusplus */
+
+#if __STDC__
+
+#define YY_USE_PROTOS
+#define YY_USE_CONST
+
+#endif	/* __STDC__ */
+#endif	/* ! __cplusplus */
+
+#ifdef __TURBOC__
+ #pragma warn -rch
+ #pragma warn -use
+#include <io.h>
+#include <stdlib.h>
+#define YY_USE_CONST
+#define YY_USE_PROTOS
+#endif
+
+#ifdef YY_USE_CONST
+#define yyconst const
+#else
+#define yyconst
+#endif
+
+
+#ifdef YY_USE_PROTOS
+#define YY_PROTO(proto) proto
+#else
+#define YY_PROTO(proto) ()
+#endif
+
+/* Returned upon end-of-file. */
+#define YY_NULL 0
+
+/* Promotes a possibly negative, possibly signed char to an unsigned
+ * integer for use as an array index.  If the signed char is negative,
+ * we want to instead treat it as an 8-bit unsigned char, hence the
+ * double cast.
+ */
+#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
+
+/* Enter a start condition.  This macro really ought to take a parameter,
+ * but we do it the disgusting crufty way forced on us by the ()-less
+ * definition of BEGIN.
+ */
+#define BEGIN yy_start = 1 + 2 *
+
+/* Translate the current start state into a value that can be later handed
+ * to BEGIN to return to the state.  The YYSTATE alias is for lex
+ * compatibility.
+ */
+#define YY_START ((yy_start - 1) / 2)
+#define YYSTATE YY_START
+
+/* Action number for EOF rule of a given start state. */
+#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
+
+/* Special action meaning "start processing a new file". */
+#define YY_NEW_FILE yyrestart( yyin )
+
+#define YY_END_OF_BUFFER_CHAR 0
+
+/* Size of default input buffer. */
+#define YY_BUF_SIZE 16384
+
+typedef struct yy_buffer_state *YY_BUFFER_STATE;
+
+extern int yyleng;
+extern FILE *yyin, *yyout;
+
+#define EOB_ACT_CONTINUE_SCAN 0
+#define EOB_ACT_END_OF_FILE 1
+#define EOB_ACT_LAST_MATCH 2
+
+/* The funky do-while in the following #define is used to turn the definition
+ * int a single C statement (which needs a semi-colon terminator).  This
+ * avoids problems with code like:
+ *
+ * 	if ( condition_holds )
+ *		yyless( 5 );
+ *	else
+ *		do_something_else();
+ *
+ * Prior to using the do-while the compiler would get upset at the
+ * "else" because it interpreted the "if" statement as being all
+ * done when it reached the ';' after the yyless() call.
+ */
+
+/* Return all but the first 'n' matched characters back to the input stream. */
+
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		*yy_cp = yy_hold_char; \
+		YY_RESTORE_YY_MORE_OFFSET \
+		yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
+		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
+		} \
+	while ( 0 )
+
+#define unput(c) yyunput( c, yytext_ptr )
+
+/* The following is because we cannot portably get our hands on size_t
+ * (without autoconf's help, which isn't available because we want
+ * flex-generated scanners to compile on their own).
+ */
+typedef unsigned int yy_size_t;
+
+
+struct yy_buffer_state
+	{
+	FILE *yy_input_file;
+
+	char *yy_ch_buf;		/* input buffer */
+	char *yy_buf_pos;		/* current position in input buffer */
+
+	/* Size of input buffer in bytes, not including room for EOB
+	 * characters.
+	 */
+	yy_size_t yy_buf_size;
+
+	/* Number of characters read into yy_ch_buf, not including EOB
+	 * characters.
+	 */
+	int yy_n_chars;
+
+	/* Whether we "own" the buffer - i.e., we know we created it,
+	 * and can realloc() it to grow it, and should free() it to
+	 * delete it.
+	 */
+	int yy_is_our_buffer;
+
+	/* Whether this is an "interactive" input source; if so, and
+	 * if we're using stdio for input, then we want to use getc()
+	 * instead of fread(), to make sure we stop fetching input after
+	 * each newline.
+	 */
+	int yy_is_interactive;
+
+	/* Whether we're considered to be at the beginning of a line.
+	 * If so, '^' rules will be active on the next match, otherwise
+	 * not.
+	 */
+	int yy_at_bol;
+
+	/* Whether to try to fill the input buffer when we reach the
+	 * end of it.
+	 */
+	int yy_fill_buffer;
+
+	int yy_buffer_status;
+#define YY_BUFFER_NEW 0
+#define YY_BUFFER_NORMAL 1
+	/* When an EOF's been seen but there's still some text to process
+	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
+	 * shouldn't try reading from the input source any more.  We might
+	 * still have a bunch of tokens to match, though, because of
+	 * possible backing-up.
+	 *
+	 * When we actually see the EOF, we change the status to "new"
+	 * (via yyrestart()), so that the user can continue scanning by
+	 * just pointing yyin at a new input file.
+	 */
+#define YY_BUFFER_EOF_PENDING 2
+	};
+
+static YY_BUFFER_STATE yy_current_buffer = 0;
+
+/* We provide macros for accessing buffer states in case in the
+ * future we want to put the buffer states in a more general
+ * "scanner state".
+ */
+#define YY_CURRENT_BUFFER yy_current_buffer
+
+
+/* yy_hold_char holds the character lost when yytext is formed. */
+static char yy_hold_char;
+
+static int yy_n_chars;		/* number of characters read into yy_ch_buf */
+
+
+int yyleng;
+
+/* Points to current character in buffer. */
+static char *yy_c_buf_p = (char *) 0;
+static int yy_init = 1;		/* whether we need to initialize */
+static int yy_start = 0;	/* start state number */
+
+/* Flag which is used to allow yywrap()'s to do buffer switches
+ * instead of setting up a fresh yyin.  A bit of a hack ...
+ */
+static int yy_did_buffer_switch_on_eof;
+
+void yyrestart YY_PROTO(( FILE *input_file ));
+
+void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
+void yy_load_buffer_state YY_PROTO(( void ));
+YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
+void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
+void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
+#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
+
+YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
+YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
+YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
+
+static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
+static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
+static void yy_flex_free YY_PROTO(( void * ));
+
+#define yy_new_buffer yy_create_buffer
+
+#define yy_set_interactive(is_interactive) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_is_interactive = is_interactive; \
+	}
+
+#define yy_set_bol(at_bol) \
+	{ \
+	if ( ! yy_current_buffer ) \
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
+	yy_current_buffer->yy_at_bol = at_bol; \
+	}
+
+#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
+
+typedef unsigned char YY_CHAR;
+FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
+typedef int yy_state_type;
+extern char *yytext;
+#define yytext_ptr yytext
+
+static yy_state_type yy_get_previous_state YY_PROTO(( void ));
+static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
+static int yy_get_next_buffer YY_PROTO(( void ));
+static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
+
+/* Done after the current pattern has been matched and before the
+ * corresponding action - sets up yytext.
+ */
+#define YY_DO_BEFORE_ACTION \
+	yytext_ptr = yy_bp; \
+	yyleng = (int) (yy_cp - yy_bp); \
+	yy_hold_char = *yy_cp; \
+	*yy_cp = '\0'; \
+	yy_c_buf_p = yy_cp;
+
+#define YY_NUM_RULES 8
+#define YY_END_OF_BUFFER 9
+static yyconst short int yy_accept[16] =
+    {   0,
+        0,    0,    9,    3,    6,    5,    7,    1,    2,    3,
+        6,    0,    0,    4,    0
+    } ;
+
+static yyconst int yy_ec[256] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
+        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    2,    1,    5,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    6,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    7,    1,    8,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1
+    } ;
+
+static yyconst int yy_meta[9] =
+    {   0,
+        1,    2,    3,    4,    3,    1,    5,    5
+    } ;
+
+static yyconst short int yy_base[19] =
+    {   0,
+        0,    0,   19,    0,    0,   21,   12,   21,   21,    0,
+        0,    4,    6,   21,   21,   13,   11,   15
+    } ;
+
+static yyconst short int yy_def[19] =
+    {   0,
+       15,    1,   15,   16,   17,   15,   18,   15,   15,   16,
+       17,   18,   15,   15,    0,   15,   15,   15
+    } ;
+
+static yyconst short int yy_nxt[30] =
+    {   0,
+        4,    5,    6,    5,    7,    4,    8,    9,   14,   13,
+       12,   12,   11,   10,   11,   12,   12,   13,   15,   12,
+        3,   15,   15,   15,   15,   15,   15,   15,   15
+    } ;
+
+static yyconst short int yy_chk[30] =
+    {   0,
+        1,    1,    1,    1,    1,    1,    1,    1,   12,   12,
+       13,   13,   17,   16,   17,   18,   18,    7,    3,   18,
+       15,   15,   15,   15,   15,   15,   15,   15,   15
+    } ;
+
+static yy_state_type yy_last_accepting_state;
+static char *yy_last_accepting_cpos;
+
+/* The intent behind this definition is that it'll catch
+ * any uses of REJECT which flex missed.
+ */
+#define REJECT reject_used_but_not_detected
+#define yymore() yymore_used_but_not_detected
+#define YY_MORE_ADJ 0
+#define YY_RESTORE_YY_MORE_OFFSET
+char *yytext;
+#line 1 "installparse.l"
+#define INITIAL 0
+/* lex file for analyzing PKCS #11 Module installation instructions */
+/*----------------------------- Definitions ---------------------------*/
+#line 5 "installparse.l"
+#include <string.h>
+
+#include "install-ds.h"		/* defines tokens and data structures */
+#include "installparse.h"	/* produced by yacc -d */
+#include <prprf.h>
+static char *putSimpleString(char*);	/* return copy of string */
+static char *putComplexString(char*);	/* strip out quotes, deal with */
+											/* escaped characters */
+
+void Pk11Install_yyerror(char *);
+
+/* Overrides to use NSPR */
+#define malloc PR_Malloc
+#define realloc PR_Realloc
+#define free PR_Free
+
+int Pk11Install_yylinenum=1;
+static char *err;
+
+#define YY_NEVER_INTERACTIVE 1
+#define yyunput Pkcs11Install_yyunput
+
+/* This is the default YY_INPUT modified for NSPR */
+#define YY_INPUT(buf,result,max_size) \
+	if ( yy_current_buffer->yy_is_interactive ) { \
+		char c; \
+		int n; \
+		for ( n = 0; n < max_size && \
+		  PR_Read(Pk11Install_FD, &c, 1)==1 && c != '\n'; ++n ) { \
+			buf[n] = c; \
+		} \
+        if ( c == '\n' ) { \
+            buf[n++] = c; \
+		} \
+        result = n; \
+	} else { \
+		result = PR_Read(Pk11Install_FD, buf, max_size); \
+	}
+
+/*** Regular expression definitions ***/
+/* simple_string has no whitespace, quotes, or braces */
+/* complex_string is enclosed in quotes. Inside the quotes, quotes and
+   backslashes must be backslash-escaped. Otherwise, anything goes. */
+/* Standard whitespace */
+/*---------------------------- Actions --------------------------------*/
+#line 437 "lex.Pk11Install_yy.cpp"
+
+/* Macros after this point can all be overridden by user definitions in
+ * section 1.
+ */
+
+#ifndef YY_SKIP_YYWRAP
+#ifdef __cplusplus
+extern "C" int yywrap YY_PROTO(( void ));
+#else
+extern int yywrap YY_PROTO(( void ));
+#endif
+#endif
+
+#ifndef YY_NO_UNPUT
+static void yyunput YY_PROTO(( int c, char *buf_ptr ));
+#endif
+
+#ifndef yytext_ptr
+static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
+#endif
+
+#ifdef YY_NEED_STRLEN
+static int yy_flex_strlen YY_PROTO(( yyconst char * ));
+#endif
+
+#ifndef YY_NO_INPUT
+#ifdef __cplusplus
+static int yyinput YY_PROTO(( void ));
+#else
+static int input YY_PROTO(( void ));
+#endif
+#endif
+
+#if YY_STACK_USED
+static int yy_start_stack_ptr = 0;
+static int yy_start_stack_depth = 0;
+static int *yy_start_stack = 0;
+#ifndef YY_NO_PUSH_STATE
+static void yy_push_state YY_PROTO(( int new_state ));
+#endif
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state YY_PROTO(( void ));
+#endif
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state YY_PROTO(( void ));
+#endif
+
+#else
+#define YY_NO_PUSH_STATE 1
+#define YY_NO_POP_STATE 1
+#define YY_NO_TOP_STATE 1
+#endif
+
+#ifdef YY_MALLOC_DECL
+YY_MALLOC_DECL
+#else
+#if __STDC__
+#ifndef __cplusplus
+#include <stdlib.h>
+#endif
+#else
+/* Just try to get by without declaring the routines.  This will fail
+ * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
+ * or sizeof(void*) != sizeof(int).
+ */
+#endif
+#endif
+
+/* Amount of stuff to slurp up with each read. */
+#ifndef YY_READ_BUF_SIZE
+#define YY_READ_BUF_SIZE 8192
+#endif
+
+/* Copy whatever the last rule matched to the standard output. */
+
+#ifndef ECHO
+/* This used to be an fputs(), but since the string might contain NUL's,
+ * we now use fwrite().
+ */
+#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
+#endif
+
+/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
+ * is returned in "result".
+ */
+#ifndef YY_INPUT
+#define YY_INPUT(buf,result,max_size) \
+	if ( yy_current_buffer->yy_is_interactive ) \
+		{ \
+		int c = '*', n; \
+		for ( n = 0; n < max_size && \
+			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
+			buf[n] = (char) c; \
+		if ( c == '\n' ) \
+			buf[n++] = (char) c; \
+		if ( c == EOF && ferror( yyin ) ) \
+			YY_FATAL_ERROR( "input in flex scanner failed" ); \
+		result = n; \
+		} \
+	else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
+		  && ferror( yyin ) ) \
+		YY_FATAL_ERROR( "input in flex scanner failed" );
+#endif
+
+/* No semi-colon after return; correct usage is to write "yyterminate();" -
+ * we don't want an extra ';' after the "return" because that will cause
+ * some compilers to complain about unreachable statements.
+ */
+#ifndef yyterminate
+#define yyterminate() return YY_NULL
+#endif
+
+/* Number of entries by which start-condition stack grows. */
+#ifndef YY_START_STACK_INCR
+#define YY_START_STACK_INCR 25
+#endif
+
+/* Report a fatal error. */
+#ifndef YY_FATAL_ERROR
+#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
+#endif
+
+/* Default declaration of generated scanner - a define so the user can
+ * easily add parameters.
+ */
+#ifndef YY_DECL
+#define YY_DECL int yylex YY_PROTO(( void ))
+#endif
+
+/* Code executed at the beginning of each rule, after yytext and yyleng
+ * have been set up.
+ */
+#ifndef YY_USER_ACTION
+#define YY_USER_ACTION
+#endif
+
+/* Code executed at the end of each rule. */
+#ifndef YY_BREAK
+#define YY_BREAK break;
+#endif
+
+#define YY_RULE_SETUP \
+	YY_USER_ACTION
+
+YY_DECL
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp, *yy_bp;
+	register int yy_act;
+
+#line 60 "installparse.l"
+
+
+#line 591 "lex.Pk11Install_yy.cpp"
+
+	if ( yy_init )
+		{
+		yy_init = 0;
+
+#ifdef YY_USER_INIT
+		YY_USER_INIT;
+#endif
+
+		if ( ! yy_start )
+			yy_start = 1;	/* first start state */
+
+		if ( ! yyin )
+			yyin = stdin;
+
+		if ( ! yyout )
+			yyout = stdout;
+
+		if ( ! yy_current_buffer )
+			yy_current_buffer =
+				yy_create_buffer( yyin, YY_BUF_SIZE );
+
+		yy_load_buffer_state();
+		}
+
+	while ( 1 )		/* loops until end-of-file is reached */
+		{
+		yy_cp = yy_c_buf_p;
+
+		/* Support of yytext. */
+		*yy_cp = yy_hold_char;
+
+		/* yy_bp points to the position in yy_ch_buf of the start of
+		 * the current run.
+		 */
+		yy_bp = yy_cp;
+
+		yy_current_state = yy_start;
+yy_match:
+		do
+			{
+			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
+			if ( yy_accept[yy_current_state] )
+				{
+				yy_last_accepting_state = yy_current_state;
+				yy_last_accepting_cpos = yy_cp;
+				}
+			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+				{
+				yy_current_state = (int) yy_def[yy_current_state];
+				if ( yy_current_state >= 16 )
+					yy_c = yy_meta[(unsigned int) yy_c];
+				}
+			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+			++yy_cp;
+			}
+		while ( yy_base[yy_current_state] != 21 );
+
+yy_find_action:
+		yy_act = yy_accept[yy_current_state];
+		if ( yy_act == 0 )
+			{ /* have to back up */
+			yy_cp = yy_last_accepting_cpos;
+			yy_current_state = yy_last_accepting_state;
+			yy_act = yy_accept[yy_current_state];
+			}
+
+		YY_DO_BEFORE_ACTION;
+
+
+do_action:	/* This label is used only to access EOF actions. */
+
+
+		switch ( yy_act )
+	{ /* beginning of action switch */
+			case 0: /* must back up */
+			/* undo the effects of YY_DO_BEFORE_ACTION */
+			*yy_cp = yy_hold_char;
+			yy_cp = yy_last_accepting_cpos;
+			yy_current_state = yy_last_accepting_state;
+			goto yy_find_action;
+
+case 1:
+YY_RULE_SETUP
+#line 62 "installparse.l"
+return OPENBRACE;
+	YY_BREAK
+case 2:
+YY_RULE_SETUP
+#line 63 "installparse.l"
+return CLOSEBRACE;
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 64 "installparse.l"
+{Pk11Install_yylval.string =
+						putSimpleString(Pk11Install_yytext);
+						return STRING;}
+	YY_BREAK
+case 4:
+YY_RULE_SETUP
+#line 67 "installparse.l"
+{Pk11Install_yylval.string =
+						putComplexString(Pk11Install_yytext);
+						return STRING;}
+	YY_BREAK
+case 5:
+YY_RULE_SETUP
+#line 71 "installparse.l"
+Pk11Install_yylinenum++;
+	YY_BREAK
+case 6:
+YY_RULE_SETUP
+#line 73 "installparse.l"
+;
+	YY_BREAK
+case 7:
+YY_RULE_SETUP
+#line 75 "installparse.l"
+{err = PR_smprintf("Invalid lexeme: %s",Pk11Install_yytext);
+						Pk11Install_yyerror(err);
+						PR_smprintf_free(err);
+						return 1;
+					}
+	YY_BREAK
+case 8:
+YY_RULE_SETUP
+#line 81 "installparse.l"
+ECHO;
+	YY_BREAK
+#line 722 "lex.Pk11Install_yy.cpp"
+case YY_STATE_EOF(INITIAL):
+	yyterminate();
+
+	case YY_END_OF_BUFFER:
+		{
+		/* Amount of text matched not including the EOB char. */
+		int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
+
+		/* Undo the effects of YY_DO_BEFORE_ACTION. */
+		*yy_cp = yy_hold_char;
+		YY_RESTORE_YY_MORE_OFFSET
+
+		if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
+			{
+			/* We're scanning a new file or input source.  It's
+			 * possible that this happened because the user
+			 * just pointed yyin at a new source and called
+			 * yylex().  If so, then we have to assure
+			 * consistency between yy_current_buffer and our
+			 * globals.  Here is the right place to do so, because
+			 * this is the first action (other than possibly a
+			 * back-up) that will match for the new input source.
+			 */
+			yy_n_chars = yy_current_buffer->yy_n_chars;
+			yy_current_buffer->yy_input_file = yyin;
+			yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
+			}
+
+		/* Note that here we test for yy_c_buf_p "<=" to the position
+		 * of the first EOB in the buffer, since yy_c_buf_p will
+		 * already have been incremented past the NUL character
+		 * (since all states make transitions on EOB to the
+		 * end-of-buffer state).  Contrast this with the test
+		 * in input().
+		 */
+		if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			{ /* This was really a NUL. */
+			yy_state_type yy_next_state;
+
+			yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
+
+			yy_current_state = yy_get_previous_state();
+
+			/* Okay, we're now positioned to make the NUL
+			 * transition.  We couldn't have
+			 * yy_get_previous_state() go ahead and do it
+			 * for us because it doesn't know how to deal
+			 * with the possibility of jamming (and we don't
+			 * want to build jamming into it because then it
+			 * will run more slowly).
+			 */
+
+			yy_next_state = yy_try_NUL_trans( yy_current_state );
+
+			yy_bp = yytext_ptr + YY_MORE_ADJ;
+
+			if ( yy_next_state )
+				{
+				/* Consume the NUL. */
+				yy_cp = ++yy_c_buf_p;
+				yy_current_state = yy_next_state;
+				goto yy_match;
+				}
+
+			else
+				{
+				yy_cp = yy_c_buf_p;
+				goto yy_find_action;
+				}
+			}
+
+		else switch ( yy_get_next_buffer() )
+			{
+			case EOB_ACT_END_OF_FILE:
+				{
+				yy_did_buffer_switch_on_eof = 0;
+
+				if ( yywrap() )
+					{
+					/* Note: because we've taken care in
+					 * yy_get_next_buffer() to have set up
+					 * yytext, we can now set up
+					 * yy_c_buf_p so that if some total
+					 * hoser (like flex itself) wants to
+					 * call the scanner after we return the
+					 * YY_NULL, it'll still work - another
+					 * YY_NULL will get returned.
+					 */
+					yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
+
+					yy_act = YY_STATE_EOF(YY_START);
+					goto do_action;
+					}
+
+				else
+					{
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+					}
+				break;
+				}
+
+			case EOB_ACT_CONTINUE_SCAN:
+				yy_c_buf_p =
+					yytext_ptr + yy_amount_of_matched_text;
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_match;
+
+			case EOB_ACT_LAST_MATCH:
+				yy_c_buf_p =
+				&yy_current_buffer->yy_ch_buf[yy_n_chars];
+
+				yy_current_state = yy_get_previous_state();
+
+				yy_cp = yy_c_buf_p;
+				yy_bp = yytext_ptr + YY_MORE_ADJ;
+				goto yy_find_action;
+			}
+		break;
+		}
+
+	default:
+		YY_FATAL_ERROR(
+			"fatal flex scanner internal error--no action found" );
+	} /* end of action switch */
+		} /* end of scanning one token */
+	} /* end of yylex */
+
+
+/* yy_get_next_buffer - try to read in a new buffer
+ *
+ * Returns a code representing an action:
+ *	EOB_ACT_LAST_MATCH -
+ *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
+ *	EOB_ACT_END_OF_FILE - end of file
+ */
+
+static int yy_get_next_buffer()
+	{
+	register char *dest = yy_current_buffer->yy_ch_buf;
+	register char *source = yytext_ptr;
+	register int number_to_move, i;
+	int ret_val;
+
+	if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
+		YY_FATAL_ERROR(
+		"fatal flex scanner internal error--end of buffer missed" );
+
+	if ( yy_current_buffer->yy_fill_buffer == 0 )
+		{ /* Don't try to fill the buffer, so this is an EOF. */
+		if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
+			{
+			/* We matched a single character, the EOB, so
+			 * treat this as a final EOF.
+			 */
+			return EOB_ACT_END_OF_FILE;
+			}
+
+		else
+			{
+			/* We matched some text prior to the EOB, first
+			 * process it.
+			 */
+			return EOB_ACT_LAST_MATCH;
+			}
+		}
+
+	/* Try to read more data. */
+
+	/* First move last chars to start of buffer. */
+	number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
+
+	for ( i = 0; i < number_to_move; ++i )
+		*(dest++) = *(source++);
+
+	if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+		/* don't do the read, it's not guaranteed to return an EOF,
+		 * just force an EOF
+		 */
+		yy_current_buffer->yy_n_chars = yy_n_chars = 0;
+
+	else
+		{
+		int num_to_read =
+			yy_current_buffer->yy_buf_size - number_to_move - 1;
+
+		while ( num_to_read <= 0 )
+			{ /* Not enough room in the buffer - grow it. */
+#ifdef YY_USES_REJECT
+			YY_FATAL_ERROR(
+"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
+#else
+
+			/* just a shorter name for the current buffer */
+			YY_BUFFER_STATE b = yy_current_buffer;
+
+			int yy_c_buf_p_offset =
+				(int) (yy_c_buf_p - b->yy_ch_buf);
+
+			if ( b->yy_is_our_buffer )
+				{
+				int new_size = b->yy_buf_size * 2;
+
+				if ( new_size <= 0 )
+					b->yy_buf_size += b->yy_buf_size / 8;
+				else
+					b->yy_buf_size *= 2;
+
+				b->yy_ch_buf = (char *)
+					/* Include room in for 2 EOB chars. */
+					yy_flex_realloc( (void *) b->yy_ch_buf,
+							 b->yy_buf_size + 2 );
+				}
+			else
+				/* Can't grow it, we don't own it. */
+				b->yy_ch_buf = 0;
+
+			if ( ! b->yy_ch_buf )
+				YY_FATAL_ERROR(
+				"fatal error - scanner input buffer overflow" );
+
+			yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
+
+			num_to_read = yy_current_buffer->yy_buf_size -
+						number_to_move - 1;
+#endif
+			}
+
+		if ( num_to_read > YY_READ_BUF_SIZE )
+			num_to_read = YY_READ_BUF_SIZE;
+
+		/* Read in more data. */
+		YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
+			yy_n_chars, num_to_read );
+
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	if ( yy_n_chars == 0 )
+		{
+		if ( number_to_move == YY_MORE_ADJ )
+			{
+			ret_val = EOB_ACT_END_OF_FILE;
+			yyrestart( yyin );
+			}
+
+		else
+			{
+			ret_val = EOB_ACT_LAST_MATCH;
+			yy_current_buffer->yy_buffer_status =
+				YY_BUFFER_EOF_PENDING;
+			}
+		}
+
+	else
+		ret_val = EOB_ACT_CONTINUE_SCAN;
+
+	yy_n_chars += number_to_move;
+	yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
+	yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
+
+	yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
+
+	return ret_val;
+	}
+
+
+/* yy_get_previous_state - get the state just before the EOB char was reached */
+
+static yy_state_type yy_get_previous_state()
+	{
+	register yy_state_type yy_current_state;
+	register char *yy_cp;
+
+	yy_current_state = yy_start;
+
+	for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
+		{
+		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
+		if ( yy_accept[yy_current_state] )
+			{
+			yy_last_accepting_state = yy_current_state;
+			yy_last_accepting_cpos = yy_cp;
+			}
+		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+			{
+			yy_current_state = (int) yy_def[yy_current_state];
+			if ( yy_current_state >= 16 )
+				yy_c = yy_meta[(unsigned int) yy_c];
+			}
+		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+		}
+
+	return yy_current_state;
+	}
+
+
+/* yy_try_NUL_trans - try to make a transition on the NUL character
+ *
+ * synopsis
+ *	next_state = yy_try_NUL_trans( current_state );
+ */
+
+#ifdef YY_USE_PROTOS
+static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
+#else
+static yy_state_type yy_try_NUL_trans( yy_current_state )
+yy_state_type yy_current_state;
+#endif
+	{
+	register int yy_is_jam;
+	register char *yy_cp = yy_c_buf_p;
+
+	register YY_CHAR yy_c = 1;
+	if ( yy_accept[yy_current_state] )
+		{
+		yy_last_accepting_state = yy_current_state;
+		yy_last_accepting_cpos = yy_cp;
+		}
+	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
+		{
+		yy_current_state = (int) yy_def[yy_current_state];
+		if ( yy_current_state >= 16 )
+			yy_c = yy_meta[(unsigned int) yy_c];
+		}
+	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
+	yy_is_jam = (yy_current_state == 15);
+
+	return yy_is_jam ? 0 : yy_current_state;
+	}
+
+
+#ifndef YY_NO_UNPUT
+#ifdef YY_USE_PROTOS
+static void yyunput( int c, register char *yy_bp )
+#else
+static void yyunput( c, yy_bp )
+int c;
+register char *yy_bp;
+#endif
+	{
+	register char *yy_cp = yy_c_buf_p;
+
+	/* undo effects of setting up yytext */
+	*yy_cp = yy_hold_char;
+
+	if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+		{ /* need to shift things up to make room */
+		/* +2 for EOB chars. */
+		register int number_to_move = yy_n_chars + 2;
+		register char *dest = &yy_current_buffer->yy_ch_buf[
+					yy_current_buffer->yy_buf_size + 2];
+		register char *source =
+				&yy_current_buffer->yy_ch_buf[number_to_move];
+
+		while ( source > yy_current_buffer->yy_ch_buf )
+			*--dest = *--source;
+
+		yy_cp += (int) (dest - source);
+		yy_bp += (int) (dest - source);
+		yy_current_buffer->yy_n_chars =
+			yy_n_chars = yy_current_buffer->yy_buf_size;
+
+		if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
+			YY_FATAL_ERROR( "flex scanner push-back overflow" );
+		}
+
+	*--yy_cp = (char) c;
+
+
+	yytext_ptr = yy_bp;
+	yy_hold_char = *yy_cp;
+	yy_c_buf_p = yy_cp;
+	}
+#endif	/* ifndef YY_NO_UNPUT */
+
+
+#ifdef __cplusplus
+static int yyinput()
+#else
+static int input()
+#endif
+	{
+	int c;
+
+	*yy_c_buf_p = yy_hold_char;
+
+	if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
+		{
+		/* yy_c_buf_p now points to the character we want to return.
+		 * If this occurs *before* the EOB characters, then it's a
+		 * valid NUL; if not, then we've hit the end of the buffer.
+		 */
+		if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
+			/* This was really a NUL. */
+			*yy_c_buf_p = '\0';
+
+		else
+			{ /* need more input */
+			int offset = yy_c_buf_p - yytext_ptr;
+			++yy_c_buf_p;
+
+			switch ( yy_get_next_buffer() )
+				{
+				case EOB_ACT_LAST_MATCH:
+					/* This happens because yy_g_n_b()
+					 * sees that we've accumulated a
+					 * token and flags that we need to
+					 * try matching the token before
+					 * proceeding.  But for input(),
+					 * there's no matching to consider.
+					 * So convert the EOB_ACT_LAST_MATCH
+					 * to EOB_ACT_END_OF_FILE.
+					 */
+
+					/* Reset buffer status. */
+					yyrestart( yyin );
+
+					/* fall through */
+
+				case EOB_ACT_END_OF_FILE:
+					{
+					if ( yywrap() )
+						return EOF;
+
+					if ( ! yy_did_buffer_switch_on_eof )
+						YY_NEW_FILE;
+#ifdef __cplusplus
+					return yyinput();
+#else
+					return input();
+#endif
+					}
+
+				case EOB_ACT_CONTINUE_SCAN:
+					yy_c_buf_p = yytext_ptr + offset;
+					break;
+				}
+			}
+		}
+
+	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
+	*yy_c_buf_p = '\0';	/* preserve yytext */
+	yy_hold_char = *++yy_c_buf_p;
+
+
+	return c;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yyrestart( FILE *input_file )
+#else
+void yyrestart( input_file )
+FILE *input_file;
+#endif
+	{
+	if ( ! yy_current_buffer )
+		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
+
+	yy_init_buffer( yy_current_buffer, input_file );
+	yy_load_buffer_state();
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
+#else
+void yy_switch_to_buffer( new_buffer )
+YY_BUFFER_STATE new_buffer;
+#endif
+	{
+	if ( yy_current_buffer == new_buffer )
+		return;
+
+	if ( yy_current_buffer )
+		{
+		/* Flush out information for old buffer. */
+		*yy_c_buf_p = yy_hold_char;
+		yy_current_buffer->yy_buf_pos = yy_c_buf_p;
+		yy_current_buffer->yy_n_chars = yy_n_chars;
+		}
+
+	yy_current_buffer = new_buffer;
+	yy_load_buffer_state();
+
+	/* We don't actually know whether we did this switch during
+	 * EOF (yywrap()) processing, but the only time this flag
+	 * is looked at is after yywrap() is called, so it's safe
+	 * to go ahead and always set it.
+	 */
+	yy_did_buffer_switch_on_eof = 1;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_load_buffer_state( void )
+#else
+void yy_load_buffer_state()
+#endif
+	{
+	yy_n_chars = yy_current_buffer->yy_n_chars;
+	yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
+	yyin = yy_current_buffer->yy_input_file;
+	yy_hold_char = *yy_c_buf_p;
+	}
+
+
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
+#else
+YY_BUFFER_STATE yy_create_buffer( file, size )
+FILE *file;
+int size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_buf_size = size;
+
+	/* yy_ch_buf has to be 2 characters longer than the size given because
+	 * we need to put in 2 end-of-buffer characters.
+	 */
+	b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
+	if ( ! b->yy_ch_buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
+
+	b->yy_is_our_buffer = 1;
+
+	yy_init_buffer( b, file );
+
+	return b;
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_delete_buffer( YY_BUFFER_STATE b )
+#else
+void yy_delete_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+	{
+	if ( ! b )
+		return;
+
+	if ( b == yy_current_buffer )
+		yy_current_buffer = (YY_BUFFER_STATE) 0;
+
+	if ( b->yy_is_our_buffer )
+		yy_flex_free( (void *) b->yy_ch_buf );
+
+	yy_flex_free( (void *) b );
+	}
+
+
+#ifndef YY_ALWAYS_INTERACTIVE
+#ifndef YY_NEVER_INTERACTIVE
+extern int isatty YY_PROTO(( int ));
+#endif
+#endif
+
+#ifdef YY_USE_PROTOS
+void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
+#else
+void yy_init_buffer( b, file )
+YY_BUFFER_STATE b;
+FILE *file;
+#endif
+
+
+	{
+	yy_flush_buffer( b );
+
+	b->yy_input_file = file;
+	b->yy_fill_buffer = 1;
+
+#if YY_ALWAYS_INTERACTIVE
+	b->yy_is_interactive = 1;
+#else
+#if YY_NEVER_INTERACTIVE
+	b->yy_is_interactive = 0;
+#else
+	b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
+#endif
+#endif
+	}
+
+
+#ifdef YY_USE_PROTOS
+void yy_flush_buffer( YY_BUFFER_STATE b )
+#else
+void yy_flush_buffer( b )
+YY_BUFFER_STATE b;
+#endif
+
+	{
+	if ( ! b )
+		return;
+
+	b->yy_n_chars = 0;
+
+	/* We always need two end-of-buffer characters.  The first causes
+	 * a transition to the end-of-buffer state.  The second causes
+	 * a jam in that state.
+	 */
+	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
+	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
+
+	b->yy_buf_pos = &b->yy_ch_buf[0];
+
+	b->yy_at_bol = 1;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	if ( b == yy_current_buffer )
+		yy_load_buffer_state();
+	}
+
+
+#ifndef YY_NO_SCAN_BUFFER
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
+#else
+YY_BUFFER_STATE yy_scan_buffer( base, size )
+char *base;
+yy_size_t size;
+#endif
+	{
+	YY_BUFFER_STATE b;
+
+	if ( size < 2 ||
+	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
+	     base[size-1] != YY_END_OF_BUFFER_CHAR )
+		/* They forgot to leave room for the EOB's. */
+		return 0;
+
+	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
+	if ( ! b )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
+
+	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
+	b->yy_buf_pos = b->yy_ch_buf = base;
+	b->yy_is_our_buffer = 0;
+	b->yy_input_file = 0;
+	b->yy_n_chars = b->yy_buf_size;
+	b->yy_is_interactive = 0;
+	b->yy_at_bol = 1;
+	b->yy_fill_buffer = 0;
+	b->yy_buffer_status = YY_BUFFER_NEW;
+
+	yy_switch_to_buffer( b );
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_STRING
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
+#else
+YY_BUFFER_STATE yy_scan_string( yy_str )
+yyconst char *yy_str;
+#endif
+	{
+	int len;
+	for ( len = 0; yy_str[len]; ++len )
+		;
+
+	return yy_scan_bytes( yy_str, len );
+	}
+#endif
+
+
+#ifndef YY_NO_SCAN_BYTES
+#ifdef YY_USE_PROTOS
+YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
+#else
+YY_BUFFER_STATE yy_scan_bytes( bytes, len )
+yyconst char *bytes;
+int len;
+#endif
+	{
+	YY_BUFFER_STATE b;
+	char *buf;
+	yy_size_t n;
+	int i;
+
+	/* Get memory for full buffer, including space for trailing EOB's. */
+	n = len + 2;
+	buf = (char *) yy_flex_alloc( n );
+	if ( ! buf )
+		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
+
+	for ( i = 0; i < len; ++i )
+		buf[i] = bytes[i];
+
+	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
+
+	b = yy_scan_buffer( buf, n );
+	if ( ! b )
+		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
+
+	/* It's okay to grow etc. this buffer, and we should throw it
+	 * away when we're done.
+	 */
+	b->yy_is_our_buffer = 1;
+
+	return b;
+	}
+#endif
+
+
+#ifndef YY_NO_PUSH_STATE
+#ifdef YY_USE_PROTOS
+static void yy_push_state( int new_state )
+#else
+static void yy_push_state( new_state )
+int new_state;
+#endif
+	{
+	if ( yy_start_stack_ptr >= yy_start_stack_depth )
+		{
+		yy_size_t new_size;
+
+		yy_start_stack_depth += YY_START_STACK_INCR;
+		new_size = yy_start_stack_depth * sizeof( int );
+
+		if ( ! yy_start_stack )
+			yy_start_stack = (int *) yy_flex_alloc( new_size );
+
+		else
+			yy_start_stack = (int *) yy_flex_realloc(
+					(void *) yy_start_stack, new_size );
+
+		if ( ! yy_start_stack )
+			YY_FATAL_ERROR(
+			"out of memory expanding start-condition stack" );
+		}
+
+	yy_start_stack[yy_start_stack_ptr++] = YY_START;
+
+	BEGIN(new_state);
+	}
+#endif
+
+
+#ifndef YY_NO_POP_STATE
+static void yy_pop_state()
+	{
+	if ( --yy_start_stack_ptr < 0 )
+		YY_FATAL_ERROR( "start-condition stack underflow" );
+
+	BEGIN(yy_start_stack[yy_start_stack_ptr]);
+	}
+#endif
+
+
+#ifndef YY_NO_TOP_STATE
+static int yy_top_state()
+	{
+	return yy_start_stack[yy_start_stack_ptr - 1];
+	}
+#endif
+
+#ifndef YY_EXIT_FAILURE
+#define YY_EXIT_FAILURE 2
+#endif
+
+#ifdef YY_USE_PROTOS
+static void yy_fatal_error( yyconst char msg[] )
+#else
+static void yy_fatal_error( msg )
+char msg[];
+#endif
+	{
+	(void) fprintf( stderr, "%s\n", msg );
+	exit( YY_EXIT_FAILURE );
+	}
+
+
+
+/* Redefine yyless() so it works in section 3 code. */
+
+#undef yyless
+#define yyless(n) \
+	do \
+		{ \
+		/* Undo effects of setting up yytext. */ \
+		yytext[yyleng] = yy_hold_char; \
+		yy_c_buf_p = yytext + n; \
+		yy_hold_char = *yy_c_buf_p; \
+		*yy_c_buf_p = '\0'; \
+		yyleng = n; \
+		} \
+	while ( 0 )
+
+
+/* Internal utility routines. */
+
+#ifndef yytext_ptr
+#ifdef YY_USE_PROTOS
+static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
+#else
+static void yy_flex_strncpy( s1, s2, n )
+char *s1;
+yyconst char *s2;
+int n;
+#endif
+	{
+	register int i;
+	for ( i = 0; i < n; ++i )
+		s1[i] = s2[i];
+	}
+#endif
+
+#ifdef YY_NEED_STRLEN
+#ifdef YY_USE_PROTOS
+static int yy_flex_strlen( yyconst char *s )
+#else
+static int yy_flex_strlen( s )
+yyconst char *s;
+#endif
+	{
+	register int n;
+	for ( n = 0; s[n]; ++n )
+		;
+
+	return n;
+	}
+#endif
+
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_alloc( yy_size_t size )
+#else
+static void *yy_flex_alloc( size )
+yy_size_t size;
+#endif
+	{
+	return (void *) malloc( size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void *yy_flex_realloc( void *ptr, yy_size_t size )
+#else
+static void *yy_flex_realloc( ptr, size )
+void *ptr;
+yy_size_t size;
+#endif
+	{
+	/* The cast to (char *) in the following accommodates both
+	 * implementations that use char* generic pointers, and those
+	 * that use void* generic pointers.  It works with the latter
+	 * because both ANSI C and C++ allow castless assignment from
+	 * any pointer type to void*, and deal with argument conversions
+	 * as though doing an assignment.
+	 */
+	return (void *) realloc( (char *) ptr, size );
+	}
+
+#ifdef YY_USE_PROTOS
+static void yy_flex_free( void *ptr )
+#else
+static void yy_flex_free( ptr )
+void *ptr;
+#endif
+	{
+	free( ptr );
+	}
+
+#if YY_MAIN
+int main()
+	{
+	yylex();
+	return 0;
+	}
+#endif
+#line 81 "installparse.l"
+
+/*------------------------ Program Section ----------------------------*/
+
+PRFileDesc *Pk11Install_FD=NULL;
+
+/*************************************************************************/
+/* dummy function required by lex */
+int Pk11Install_yywrap(void) { return 1;}
+
+/*************************************************************************/
+/* Return a copy of the given string */
+static char*
+putSimpleString(char *str)
+{
+	char *tmp = (char*) PR_Malloc(strlen(str)+1);
+	strcpy(tmp, str);
+	return tmp;
+}
+
+/*************************************************************************/
+/* Strip out quotes, replace escaped characters with what they stand for.
+   This function assumes that what is passed in is actually a complex
+   string, so error checking is lax. */
+static char*
+putComplexString(char *str)
+{
+	int size, i,j;
+	char *tmp;
+
+	if(!str) {
+		return NULL;
+	}
+	size = strlen(str);
+
+	/* Allocate the new space.  This string will actually be too big, 
+		since quotes and backslashes will be stripped out.  But that's ok. */
+	tmp = (char*) PR_Malloc(size+1);
+
+	/* Copy it over */
+	for(i=0, j=0; i < size; i++) {
+		if(str[i]=='\"') {
+			continue;  /* skip un-escaped quotes */
+		} else if(str[i]=='\\') {
+			++i;       /* escaped character. skip the backslash */
+		}
+		tmp[j++] = str[i];
+	}
+	tmp[j] = '\0';
+
+	return tmp;
+}
diff --git a/security/nss/cmd/modutil/manifest.mn b/security/nss/cmd/modutil/manifest.mn
new file mode 100644
index 000000000..31ebcf68c
--- /dev/null
+++ b/security/nss/cmd/modutil/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = sectools
+
+EXPORTS = 
+
+CSRCS = modutil.c		\
+		pk11.c			\
+		instsec.c		\
+		install.c		\
+		installparse.c		\
+		install-ds.c		\
+		lex.Pk11Install_yy.c	\
+		$(NULL)
+
+CPPSRCS = 
+
+PROGRAM =  modutil
+
+REQUIRES = seccmd nss dbm
+
+DEFINES = -DNSPR20
+
+# sigh
+#INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap
+
+# USE_STATIC_LIBS = 1 
+
+EXTRA_LIBS = $(JAR_LIBS)
diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c
new file mode 100644
index 000000000..c91c5eebd
--- /dev/null
+++ b/security/nss/cmd/modutil/modutil.c
@@ -0,0 +1,979 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* To edit this file, set TABSTOPS to 4 spaces. 
+ * This is not the normal NSS convention. 
+ */
+
+#include "modutil.h"
+#include "install.h"
+#include <plstr.h>
+#include "certdb.h" /* for CERT_DB_FILE_VERSION */
+#include "nss.h"
+
+static void install_error(char *message);
+static char* PR_fgets(char *buf, int size, PRFileDesc *file);
+static char *progName;
+
+
+/* This enum must be kept in sync with the commandNames list */
+typedef enum {
+	NO_COMMAND,
+	ADD_COMMAND,
+	CHANGEPW_COMMAND,
+	CREATE_COMMAND,
+	DEFAULT_COMMAND,
+	DELETE_COMMAND,
+	DISABLE_COMMAND,
+	ENABLE_COMMAND,
+	FIPS_COMMAND,
+	JAR_COMMAND,
+	LIST_COMMAND,
+	RAW_LIST_COMMAND,
+	RAW_ADD_COMMAND,
+	CHKFIPS_COMMAND,
+	UNDEFAULT_COMMAND
+} Command;
+
+/* This list must be kept in sync with the Command enum */
+static char *commandNames[] = {
+	"(no command)",
+	"-add",
+	"-changepw",
+	"-create",
+	"-default",
+	"-delete",
+	"-disable",
+	"-enable",
+	"-fips",
+	"-jar",
+	"-list",
+	"-rawlist",
+	"-rawadd",
+	"-chkfips",
+	"-undefault"
+};
+
+
+/* this enum must be kept in sync with the optionStrings list */
+typedef enum {
+	ADD_ARG=0,
+	RAW_ADD_ARG,
+	CHANGEPW_ARG,
+	CIPHERS_ARG,
+	CREATE_ARG,
+	DBDIR_ARG,
+	DBPREFIX_ARG,
+	DEFAULT_ARG,
+	DELETE_ARG,
+	DISABLE_ARG,
+	ENABLE_ARG,
+	FIPS_ARG,
+	FORCE_ARG,
+	JAR_ARG,
+	LIBFILE_ARG,
+	LIST_ARG,
+	RAW_LIST_ARG,
+	MECHANISMS_ARG,
+	NEWPWFILE_ARG,
+	PWFILE_ARG,
+	SLOT_ARG,
+	UNDEFAULT_ARG,
+	INSTALLDIR_ARG,
+	TEMPDIR_ARG,
+	SECMOD_ARG,
+	NOCERTDB_ARG,
+	STRING_ARG,
+	CHKFIPS_ARG,
+
+	NUM_ARGS	/* must be last */
+} Arg;
+
+/* This list must be kept in sync with the Arg enum */
+static char *optionStrings[] = {
+	"-add",
+	"-rawadd",
+	"-changepw",
+	"-ciphers",
+	"-create",
+	"-dbdir",
+	"-dbprefix",
+	"-default",
+	"-delete",
+	"-disable",
+	"-enable",
+	"-fips",
+	"-force",
+	"-jar",
+	"-libfile",
+	"-list",
+	"-rawlist",
+	"-mechanisms",
+	"-newpwfile",
+	"-pwfile",
+	"-slot",
+	"-undefault",
+	"-installdir",
+	"-tempdir",
+	"-secmod",
+	"-nocertdb",
+	"-string",
+	"-chkfips",
+};
+
+/* Increment i if doing so would have i still be less than j.  If you
+   are able to do this, return 0.  Otherwise return 1. */
+#define TRY_INC(i,j)  ( ((i+1)<j) ? (++i, 0) : 1 )
+
+/********************************************************************
+ *
+ * file-wide variables obtained from the command line
+ */
+static Command command = NO_COMMAND;
+static char* pwFile = NULL;
+static char* newpwFile = NULL;
+static char* moduleName = NULL;
+static char* moduleSpec = NULL;
+static char* slotName = NULL;
+static char* secmodName = NULL;
+static char* tokenName = NULL;
+static char* libFile = NULL;
+static char* dbdir = NULL;
+static char* dbprefix = "";
+static char* secmodString = NULL;
+static char* mechanisms = NULL;
+static char* ciphers = NULL;
+static char* fipsArg = NULL;
+static char* jarFile = NULL;
+static char* installDir = NULL;
+static char* tempDir = NULL;
+static short force = 0;
+static PRBool nocertdb = PR_FALSE;
+
+/*******************************************************************
+ *
+ * p a r s e _ a r g s
+ */
+static Error
+parse_args(int argc, char *argv[])
+{
+	int i;
+	char *arg;
+	int optionType;
+
+	/* Loop over all arguments */
+	for(i=1; i < argc; i++) {
+		arg = argv[i];
+
+		/* Make sure this is an option and not some floating argument */
+		if(arg[0] != '-') {
+			PR_fprintf(PR_STDERR, errStrings[UNEXPECTED_ARG_ERR], argv[i]);
+			return UNEXPECTED_ARG_ERR;
+		}
+
+		/* Find which option this is */
+		for(optionType=0; optionType < NUM_ARGS; optionType++) {
+			if(! strcmp(arg, optionStrings[optionType])) {
+				break;
+			}
+		}
+		
+		/* Deal with this specific option */
+		switch(optionType) {
+		case NUM_ARGS:
+		default:
+			PR_fprintf(PR_STDERR, errStrings[UNKNOWN_OPTION_ERR], arg);
+			return UNKNOWN_OPTION_ERR;
+			break;
+		case ADD_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = ADD_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleName = argv[i];
+			break;
+		case CHANGEPW_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = CHANGEPW_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			tokenName = argv[i];
+			break;
+		case CIPHERS_ARG:
+			if(ciphers != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			ciphers = argv[i];
+			break;
+		case CREATE_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = CREATE_COMMAND;
+			break;
+		case DBDIR_ARG:
+			if(dbdir != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			dbdir = argv[i];
+			break;
+		case DBPREFIX_ARG:
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			dbprefix = argv[i];
+			break;
+		case UNDEFAULT_ARG:
+		case DEFAULT_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			if(optionType == DEFAULT_ARG) {
+				command = DEFAULT_COMMAND;
+			} else {
+				command = UNDEFAULT_COMMAND;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleName = argv[i];
+			break;
+		case DELETE_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = DELETE_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleName = argv[i];
+			break;
+		case DISABLE_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = DISABLE_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleName = argv[i];
+			break;
+		case ENABLE_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = ENABLE_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleName = argv[i];
+			break;
+		case FIPS_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = FIPS_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			fipsArg = argv[i];
+			break;
+		case CHKFIPS_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = CHKFIPS_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			fipsArg = argv[i];
+			break;
+		case FORCE_ARG:
+			force = 1;
+			break;
+		case NOCERTDB_ARG:
+			nocertdb = PR_TRUE;
+			break;
+		case INSTALLDIR_ARG:
+			if(installDir != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			installDir = argv[i];
+			break;
+		case TEMPDIR_ARG:
+			if(tempDir != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			tempDir = argv[i];
+			break;
+		case JAR_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = JAR_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			jarFile = argv[i];
+			break;
+		case LIBFILE_ARG:
+			if(libFile != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			libFile = argv[i];
+			break;
+		case LIST_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = LIST_COMMAND;
+			/* This option may or may not have an argument */
+			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {
+				moduleName = argv[++i];
+			}
+			break;
+		case RAW_LIST_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = RAW_LIST_COMMAND;
+			/* This option may or may not have an argument */
+			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {
+				moduleName = argv[++i];
+			}
+			break;
+		case RAW_ADD_ARG:
+			if(command != NO_COMMAND) {
+				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
+				return MULTIPLE_COMMAND_ERR;
+			}
+			command = RAW_ADD_COMMAND;
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			moduleSpec = argv[i];
+			break;
+		case MECHANISMS_ARG:
+			if(mechanisms != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			mechanisms = argv[i];
+			break;
+		case NEWPWFILE_ARG:
+			if(newpwFile != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			newpwFile = argv[i];
+			break;
+		case PWFILE_ARG:
+			if(pwFile != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			pwFile = argv[i];
+			break;
+		case SLOT_ARG:
+			if(slotName != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			slotName = argv[i];
+			break;
+		case SECMOD_ARG:
+			if(secmodName != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			secmodName = argv[i];
+			break;
+		case STRING_ARG:
+			if(secmodString != NULL) {
+				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
+				return DUPLICATE_OPTION_ERR;
+			}
+			if(TRY_INC(i, argc)) {
+				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
+				return OPTION_NEEDS_ARG_ERR;
+			}
+			secmodString = argv[i];
+			break;
+		}
+	}
+	return SUCCESS;
+}
+
+/************************************************************************
+ *
+ * v e r i f y _ p a r a m s
+ */
+static Error
+verify_params()
+{
+	switch(command) {
+	case ADD_COMMAND:
+		if(libFile == NULL) {
+			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
+				commandNames[ADD_COMMAND], optionStrings[LIBFILE_ARG]);
+			return MISSING_PARAM_ERR;
+		}
+		break;
+	case CHANGEPW_COMMAND:
+		break;
+	case CREATE_COMMAND:
+		break;
+	case DELETE_COMMAND:
+		break;
+	case DISABLE_COMMAND:
+		break;
+	case ENABLE_COMMAND:
+		break;
+	case FIPS_COMMAND:
+	case CHKFIPS_COMMAND:
+		if(PL_strcasecmp(fipsArg, "true") &&
+			PL_strcasecmp(fipsArg, "false")) {
+			PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
+			return INVALID_FIPS_ARG;
+		}
+		break;
+	case JAR_COMMAND:
+		if(installDir == NULL) {
+			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
+				commandNames[JAR_COMMAND], optionStrings[INSTALLDIR_ARG]);
+			return MISSING_PARAM_ERR;
+		}
+		break;
+	case LIST_COMMAND:
+	case RAW_LIST_COMMAND:
+		break;
+	case RAW_ADD_COMMAND:
+		break;
+	case UNDEFAULT_COMMAND:
+	case DEFAULT_COMMAND:
+		if(mechanisms == NULL) {
+			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
+				commandNames[command], optionStrings[MECHANISMS_ARG]);
+			return MISSING_PARAM_ERR;
+		}
+		break;
+	default:
+		/* Ignore this here */
+		break;
+	}
+
+	return SUCCESS;
+}
+
+/********************************************************************
+ *
+ * i n i t _ c r y p t o
+ *
+ * Does crypto initialization that all commands will require.
+ * If -nocertdb option is specified, don't open key or cert db (we don't
+ * need them if we aren't going to be verifying signatures).  This is
+ * because serverland doesn't always have cert and key database files
+ * available.
+ *
+ * This function is ill advised. Names and locations of databases are
+ * private to NSS proper. Such functions only confuse other users.
+ *
+ */
+static Error
+check_crypto(PRBool create, PRBool readOnly)
+{
+	char *dir;
+	char *moddbname=NULL;
+	Error retval;
+	static const char multiaccess[] = { "multiaccess:" };
+
+	dir = SECU_ConfigDirectory(dbdir); /* dir is never NULL */
+	if (dir[0] == '\0') {
+		PR_fprintf(PR_STDERR, errStrings[NO_DBDIR_ERR]);
+		retval=NO_DBDIR_ERR;
+		goto loser;
+	}
+	if (strncmp(dir, multiaccess, sizeof multiaccess - 1) == 0) {
+		/* won't attempt to handle the multiaccess case. */
+		return SUCCESS;
+	}
+#ifdef notdef
+	/* Make sure db directory exists and is readable */
+	if(PR_Access(dir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+		PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dir);
+		retval = DIR_DOESNT_EXIST_ERR;
+		goto loser;
+	} else if(PR_Access(dir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
+		PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dir);
+		retval = DIR_NOT_READABLE_ERR;
+		goto loser;
+	}
+
+	if (secmodName == NULL) {
+		secmodName = "secmod.db";
+	}
+
+	moddbname = PR_smprintf("%s/%s", dir, secmodName);
+	if (!moddbname)
+	    return OUT_OF_MEM_ERR;
+
+	/* Check for the proper permissions on databases */
+	if(create) {
+		/* Make sure dbs don't already exist, and the directory is
+			writeable */
+		if(PR_Access(moddbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {
+			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],
+			           moddbname);
+			retval=FILE_ALREADY_EXISTS_ERR;
+			goto loser;
+		} else 
+		if(PR_Access(dir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
+			PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dir);
+			retval=DIR_NOT_WRITEABLE_ERR;
+			goto loser;
+		}
+	} else {
+		/* Make sure dbs are readable and writeable */
+		if(PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
+			PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], moddbname);
+			retval=FILE_NOT_READABLE_ERR;
+			goto loser;
+		}
+
+		/* Check for write access if we'll be making changes */
+		if( !readOnly ) {
+			if(PR_Access(moddbname, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
+				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
+							moddbname);
+				retval=FILE_NOT_WRITEABLE_ERR;
+				goto loser;
+			}
+		}
+		PR_fprintf(PR_STDOUT, msgStrings[USING_DBDIR_MSG],
+		  SECU_ConfigDirectory(NULL));
+	}
+#endif
+	retval=SUCCESS;
+loser:
+	if (moddbname) {
+		PR_Free(moddbname);
+	}
+	return retval;
+}
+
+static Error
+init_crypto(PRBool create, PRBool readOnly)
+{
+
+	PRUint32  flags = 0;
+	SECStatus rv;
+	Error     retval;
+	/* Open/create key database */
+
+	if (readOnly) flags |= NSS_INIT_READONLY;
+	if (nocertdb) flags |= NSS_INIT_NOCERTDB;
+	rv = NSS_Initialize(SECU_ConfigDirectory(NULL), dbprefix, dbprefix,
+		       secmodName, flags);
+	if (rv != SECSuccess) {
+		SECU_PrintPRandOSError(progName);
+		retval=NSS_INITIALIZE_FAILED_ERR;
+	} else 
+		retval=SUCCESS;
+
+	return retval;
+}
+
+/*************************************************************************
+ *
+ * u s a g e
+ */
+static void
+usage()
+{
+	PR_fprintf(PR_STDOUT,
+"\nNetscape Cryptographic Module Utility\n"
+"Usage: modutil [command] [options]\n\n"
+"                            COMMANDS\n"
+"---------------------------------------------------------------------------\n"
+"-add MODULE_NAME                 Add the named module to the module database\n"
+"   -libfile LIBRARY_FILE         The name of the file (.so or .dll)\n"
+"                                 containing the implementation of PKCS #11\n"
+"   [-ciphers CIPHER_LIST]        Enable the given ciphers on this module\n"
+"   [-mechanisms MECHANISM_LIST]  Make the module a default provider of the\n"
+"                                 given mechanisms\n"
+"   [-string CONFIG_STRING]       Pass a configuration string to this module\n"
+"-changepw TOKEN                  Change the password on the named token\n"
+"   [-pwfile FILE]                The old password is in this file\n"
+"   [-newpwfile FILE]             The new password is in this file\n"
+"-chkfips [ true | false ]        If true, verify  FIPS mode.  If false,\n"
+"                                 verify not FIPS mode\n"
+"-create                          Create a new set of security databases\n"
+"-default MODULE                  Make the given module a default provider\n"
+"   -mechanisms MECHANISM_LIST    of the given mechanisms\n"
+"   [-slot SLOT]                  limit change to only the given slot\n"
+"-delete MODULE                   Remove the named module from the module\n"
+"                                 database\n"
+"-disable MODULE                  Disable the named module\n"
+"   [-slot SLOT]                  Disable only the named slot on the module\n"
+"-enable MODULE                   Enable the named module\n"
+"   [-slot SLOT]                  Enable only the named slot on the module\n"
+"-fips [ true | false ]           If true, enable FIPS mode.  If false,\n"
+"                                 disable FIPS mode\n"
+"-force                           Do not run interactively\n"
+"-jar JARFILE                     Install a PKCS #11 module from the given\n"
+"                                 JAR file in the PKCS #11 JAR format\n"
+"   -installdir DIR               Use DIR as the root directory of the\n"
+"                                 installation\n"
+"   [-tempdir DIR]                Use DIR as the temporary installation\n"
+"                                 directory. If not specified, the current\n"
+"                                 directory is used\n"
+"-list [MODULE]                   Lists information about the specified module\n"
+"                                 or about all modules if none is specified\n"
+"-rawadd MODULESPEC               Add module spec string to secmod DB\n"
+"-rawlist [MODULE]                Display module spec(s) for one or all\n"
+"                                 loadable modules\n"
+"-undefault MODULE                The given module is NOT a default provider\n"
+"   -mechanisms MECHANISM_LIST    of the listed mechanisms\n"
+"   [-slot SLOT]                  limit change to only the given slot\n"
+"---------------------------------------------------------------------------\n"
+"\n"
+"                             OPTIONS\n"
+"---------------------------------------------------------------------------\n"
+"-dbdir DIR                       Directory DIR contains the security databases\n"
+"-dbprefix prefix                 Prefix for the security databases\n"
+"-nocertdb                        Do not load certificate or key databases. No\n"
+"                                 verification will be performed on JAR files.\n"
+"-secmod secmodName               Name of the security modules file\n"
+"---------------------------------------------------------------------------\n"
+"\n"
+"Mechanism lists are colon-separated.  The following mechanisms are recognized:\n"
+"RSA, DSA, DH, RC2, RC4, RC5, AES, CAMELLIA, DES, MD2, MD5, SHA1, SHA256, SHA512,\n"
+"SSL, TLS, RANDOM, and FRIENDLY\n"
+"\n"
+"Cipher lists are colon-separated.  The following ciphers are recognized:\n"
+"\n"
+"\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n"
+);
+
+}
+
+/*************************************************************************
+ *
+ * m a i n
+ */
+int
+main(int argc, char *argv[])
+{
+	int errcode = SUCCESS;
+	PRBool createdb, readOnly;
+#define STDINBUF_SIZE 80
+	char stdinbuf[STDINBUF_SIZE];
+
+	progName = strrchr(argv[0], '/');
+	progName = progName ? progName+1 : argv[0];
+
+
+	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+
+	if(parse_args(argc, argv) != SUCCESS) {
+		usage();
+		errcode = INVALID_USAGE_ERR;
+		goto loser;
+	}
+
+	if(verify_params() != SUCCESS) {
+		usage();
+		errcode = INVALID_USAGE_ERR;
+		goto loser;
+	}
+
+	if(command==NO_COMMAND) {
+		PR_fprintf(PR_STDERR, errStrings[NO_COMMAND_ERR]);
+		usage();
+		errcode = INVALID_USAGE_ERR;
+		goto loser;
+	}
+
+	/* Set up crypto stuff */
+	createdb = command==CREATE_COMMAND;
+	readOnly = ((command == LIST_COMMAND) || 
+	            (command == CHKFIPS_COMMAND) ||
+	            (command == RAW_LIST_COMMAND));
+
+	/* Make sure browser is not running if we're writing to a database */
+	/* Do this before initializing crypto */
+	if(!readOnly && !force) {
+		char *response;
+
+		PR_fprintf(PR_STDOUT, msgStrings[BROWSER_RUNNING_MSG]);
+		if( ! PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
+			PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
+			errcode = STDIN_READ_ERR;
+			goto loser;
+		}
+		if( (response=strtok(stdinbuf, " \r\n\t")) ) {
+			if(!PL_strcasecmp(response, "q")) {
+				PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
+				errcode = SUCCESS;
+				goto loser;
+			}
+		}
+		PR_fprintf(PR_STDOUT, "\n");
+	}
+
+	errcode = check_crypto(createdb, readOnly);
+	if( errcode != SUCCESS) {
+		goto loser;
+	}
+
+	if ((command == RAW_LIST_COMMAND) || (command == RAW_ADD_COMMAND)) {
+		if(!moduleName) {
+			char *readOnlyStr, *noCertDBStr, *sep;
+			if (!secmodName) secmodName="secmod.db";
+			if (!dbprefix) dbprefix = "";
+			sep = ((command == RAW_LIST_COMMAND) && nocertdb) ? "," : " ";
+			readOnlyStr = (command == RAW_LIST_COMMAND) ? "readOnly" : "" ;
+			noCertDBStr = nocertdb ? "noCertDB" : "";
+			SECU_ConfigDirectory(dbdir);
+
+			moduleName=PR_smprintf(
+    "name=\"NSS default Module DB\" parameters=\"configdir=%s certPrefix=%s "
+    "keyPrefix=%s secmod=%s flags=%s%s%s\" NSS=\"flags=internal,moduleDB,"
+    "moduleDBOnly,critical\"",
+			                       SECU_ConfigDirectory(NULL),dbprefix,dbprefix,
+			                       secmodName, readOnlyStr,sep, noCertDBStr);
+		}
+		if (command == RAW_LIST_COMMAND) {
+			errcode = RawListModule(moduleName);
+		} else {
+			PORT_Assert(moduleSpec);
+			errcode = RawAddModule(moduleName,moduleSpec);
+		}
+		goto loser;
+	}
+
+	errcode = init_crypto(createdb, readOnly);
+	if( errcode != SUCCESS) {
+		goto loser;
+	}
+
+	/* Execute the command */
+	switch(command) {
+	case ADD_COMMAND:
+		errcode = AddModule(moduleName, libFile, ciphers, mechanisms, secmodString);
+		break;
+	case CHANGEPW_COMMAND:
+		errcode = ChangePW(tokenName, pwFile, newpwFile);
+		break;
+	case CREATE_COMMAND:
+		/* The work was already done in init_crypto() */
+		break;
+	case DEFAULT_COMMAND:
+		errcode = SetDefaultModule(moduleName, slotName, mechanisms);
+		break;
+	case DELETE_COMMAND:
+		errcode = DeleteModule(moduleName);
+		break;
+	case DISABLE_COMMAND:
+		errcode = EnableModule(moduleName, slotName, PR_FALSE);
+		break;
+	case ENABLE_COMMAND:
+		errcode = EnableModule(moduleName, slotName, PR_TRUE);
+		break;
+	case FIPS_COMMAND:
+		errcode = FipsMode(fipsArg);
+		break;
+	case CHKFIPS_COMMAND:
+		errcode = ChkFipsMode(fipsArg);
+		break;
+	case JAR_COMMAND:
+		Pk11Install_SetErrorHandler(install_error);
+		errcode = Pk11Install_DoInstall(jarFile, installDir, tempDir,
+		                                PR_STDOUT, force, nocertdb);
+		break;
+	case LIST_COMMAND:
+		if(moduleName) {
+			errcode = ListModule(moduleName);
+		} else {
+			errcode = ListModules();
+		}
+		break;
+	case UNDEFAULT_COMMAND:
+		errcode = UnsetDefaultModule(moduleName, slotName, mechanisms);
+		break;
+	default:
+		PR_fprintf(PR_STDERR, "This command is not supported yet.\n");
+		errcode = INVALID_USAGE_ERR;
+		break;
+	}
+
+	if (NSS_Shutdown() != SECSuccess) {
+		exit(1);
+	}
+
+loser:
+	PR_Cleanup();
+	return errcode;
+}
+
+/************************************************************************
+ *
+ * i n s t a l l _ e r r o r
+ *
+ * Callback function to handle errors in PK11 JAR file installation.
+ */
+static void
+install_error(char *message)
+{
+	PR_fprintf(PR_STDERR, "Install error: %s\n", message);
+}
+
+/*************************************************************************
+ *
+ * o u t _ o f _ m e m o r y
+ */
+void
+out_of_memory(void)
+{
+	PR_fprintf(PR_STDERR, errStrings[OUT_OF_MEM_ERR]);
+	exit(OUT_OF_MEM_ERR);
+}
+
+
+/**************************************************************************
+ *
+ * P R _ f g e t s
+ *
+ * fgets implemented with NSPR.
+ */
+static char*
+PR_fgets(char *buf, int size, PRFileDesc *file)
+{
+	int i;
+	int status;
+	char c;
+
+	i=0;
+	while(i < size-1) {
+		status = PR_Read(file, (void*) &c, 1);
+		if(status==-1) {
+			return NULL;
+		} else if(status==0) {
+			break;
+		}
+		buf[i++] = c;
+		if(c=='\n') {
+			break;
+		}
+	}
+	buf[i]='\0';
+
+	return buf;
+}
diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h
new file mode 100644
index 000000000..d7c164ae4
--- /dev/null
+++ b/security/nss/cmd/modutil/modutil.h
@@ -0,0 +1,70 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef MODUTIL_H
+#define MODUTIL_H
+
+#include <stdio.h>
+#include <prio.h>
+#include <prprf.h>
+#include <prinit.h>
+#include <prmem.h>
+#include <plarena.h>
+#include <string.h>
+#include <seccomon.h>
+#include <secmod.h>
+#include <secutil.h>
+
+#include <prlock.h>
+
+#include "error.h"
+
+Error FipsMode(char *arg);
+Error ChkFipsMode(char *arg);
+Error AddModule(char *moduleName, char *libFile, char *ciphers,
+      char *mechanisms, char* modparms);
+Error DeleteModule(char *moduleName);
+Error ListModule(char *moduleName);
+Error ListModules();
+Error ChangePW(char *tokenName, char *pwFile, char *newpwFile);
+Error EnableModule(char *moduleName, char *slotName, PRBool enable);
+Error RawAddModule(char *dbmodulespec, char *modulespec);
+Error RawListModule(char *modulespec);
+Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
+Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
+void out_of_memory(void);
+
+#endif /*MODUTIL_H*/
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
new file mode 100644
index 000000000..0e1f21603
--- /dev/null
+++ b/security/nss/cmd/modutil/pk11.c
@@ -0,0 +1,983 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* To edit this file, set TABSTOPS to 4 spaces. 
+ * This is not the normal NSS convention. 
+ */
+
+#include "modutil.h"
+/* #include "secmodti.h"  */
+#include "pk11func.h"
+
+static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
+static int pk11_DefaultArraySize = 0;
+
+/*************************************************************************
+ *
+ * F i p s M o d e
+ * If arg=="true", enable FIPS mode on the internal module.  If arg=="false",
+ * disable FIPS mode on the internal module.
+ */
+Error
+FipsMode(char *arg)
+{
+    char *internal_name;
+
+    if(!PORT_Strcasecmp(arg, "true")) {
+	if(!PK11_IsFIPS()) {
+	    internal_name = PR_smprintf("%s",
+		SECMOD_GetInternalModule()->commonName);
+	    if(SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
+		PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
+		PR_smprintf_free(internal_name);
+		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
+		return FIPS_SWITCH_FAILED_ERR;
+	    }
+	    PR_smprintf_free(internal_name);
+	    if (!PK11_IsFIPS()) {
+		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
+		return FIPS_SWITCH_FAILED_ERR;
+	    }
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
+	} else {
+	    PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
+	    return FIPS_ALREADY_ON_ERR;
+	}
+    } else if(!PORT_Strcasecmp(arg, "false")) {
+	if(PK11_IsFIPS()) {
+	    internal_name = PR_smprintf("%s",
+		SECMOD_GetInternalModule()->commonName);
+	    if(SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
+		PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
+		PR_smprintf_free(internal_name);
+		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
+		return FIPS_SWITCH_FAILED_ERR;
+	    }
+	    PR_smprintf_free(internal_name);
+	    if (PK11_IsFIPS()) {
+		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
+		return FIPS_SWITCH_FAILED_ERR;
+	    }
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
+	} else {
+	    PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_OFF_ERR]);
+	    return FIPS_ALREADY_OFF_ERR;
+	}
+    } else {
+	PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
+	return INVALID_FIPS_ARG;
+    }
+
+    return SUCCESS;
+}
+
+/*************************************************************************
+ *
+ * C h k F i p s M o d e
+ * If arg=="true", verify FIPS mode is enabled on the internal module.  
+ * If arg=="false", verify FIPS mode is disabled on the internal module.
+ */
+Error
+ChkFipsMode(char *arg)
+{
+    if(!PORT_Strcasecmp(arg, "true")) {
+	if (PK11_IsFIPS()) {
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
+	} else {
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
+	    return FIPS_SWITCH_FAILED_ERR;
+	}
+
+    } else if(!PORT_Strcasecmp(arg, "false")) {
+	if(!PK11_IsFIPS()) {
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
+	} else {
+	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
+	    return FIPS_SWITCH_FAILED_ERR;
+	}
+    } else {
+	PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
+	return INVALID_FIPS_ARG;
+    }
+
+    return SUCCESS;
+}
+
+/************************************************************************
+ * Cipher and Mechanism name-bitmask translation tables
+ */
+
+typedef struct {
+    const char *name;
+    const unsigned long mask;
+} MaskString;
+
+static const MaskString mechanismStrings[] = {
+    {"RSA", PUBLIC_MECH_RSA_FLAG},
+    {"DSA", PUBLIC_MECH_DSA_FLAG},
+    {"RC2", PUBLIC_MECH_RC2_FLAG},
+    {"RC4", PUBLIC_MECH_RC4_FLAG},
+    {"RC5", PUBLIC_MECH_RC5_FLAG},
+    {"DES", PUBLIC_MECH_DES_FLAG},
+    {"DH", PUBLIC_MECH_DH_FLAG},
+    {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
+    {"SHA1", PUBLIC_MECH_SHA1_FLAG},
+    {"MD5", PUBLIC_MECH_MD5_FLAG},
+    {"MD2", PUBLIC_MECH_MD2_FLAG},
+    {"SSL", PUBLIC_MECH_SSL_FLAG},
+    {"TLS", PUBLIC_MECH_TLS_FLAG},
+    {"AES", PUBLIC_MECH_AES_FLAG},
+    {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
+    {"SHA256", PUBLIC_MECH_SHA256_FLAG},
+    {"SHA512", PUBLIC_MECH_SHA512_FLAG},
+    {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
+    {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
+};
+static const int numMechanismStrings =
+    sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
+
+static const MaskString cipherStrings[] = {
+    {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
+};
+static const int numCipherStrings =
+    sizeof(cipherStrings) / sizeof(cipherStrings[0]);
+
+/* Maximum length of a colon-separated list of all the strings in an 
+ * array. */
+#define MAX_STRING_LIST_LEN 240    /* or less */
+
+/************************************************************************
+ * 
+ * g e t F l a g s F r o m S t r i n g
+ *
+ * Parses a mechanism list passed on the command line and converts it
+ * to an unsigned long bitmask.
+ * string is a colon-separated string of constants
+ * array is an array of MaskStrings.
+ * elements is the number of elements in array.
+ */
+static unsigned long
+getFlagsFromString(char *string, const MaskString array[], int elements)
+{
+    unsigned long ret = 0;
+    short i = 0;
+    char *cp;
+    char *buf;
+    char *end;
+
+    if(!string || !string[0]) {
+	return ret;
+    }
+
+    /* Make a temporary copy of the string */
+    buf = PR_Malloc(strlen(string)+1);
+    if(!buf) {
+	out_of_memory();
+    }
+    strcpy(buf, string);
+
+    /* Look at each element of the list passed in */
+    for(cp=buf; cp && *cp; cp = (end ? end+1 : NULL) ) {
+	/* Look at the string up to the next colon */
+	end = strchr(cp, ':');
+	if(end) {
+	    *end = '\0';
+	}
+
+	/* Find which element this is */
+	for(i=0; i < elements; i++) {
+	    if( !PORT_Strcasecmp(cp, array[i].name) ) {
+		break;
+	    }
+	}
+	if(i == elements) {
+	    /* Skip a bogus string, but print a warning message */
+	    PR_fprintf(PR_STDERR, errStrings[INVALID_CONSTANT_ERR], cp);
+	    continue;
+	}
+	ret |= array[i].mask;
+    }
+
+    PR_Free(buf);
+    return ret;
+}
+
+/**********************************************************************
+ *
+ * g e t S t r i n g F r o m F l a g s
+ * 
+ * The return string's memory is owned by this function.  Copy it
+ * if you need it permanently or you want to change it.
+ */
+static char *
+getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
+{
+    static char buf[MAX_STRING_LIST_LEN];
+    int i;
+    int count=0;
+
+    buf[0] = '\0';
+    for(i=0; i<elements; i++) {
+	if( flags & array[i].mask ) {
+	    ++count;
+	    if(count!=1) {
+		strcat(buf, ":");
+	    }
+	    strcat(buf, array[i].name);
+	}
+    }
+    return buf;
+}
+
+/**********************************************************************
+ *
+ * A d d M o d u l e
+ *
+ * Add the named module, with the given library file, ciphers, and
+ * default mechanism flags
+ */
+Error
+AddModule(char *moduleName, char *libFile, char *cipherString,
+    char *mechanismString, char* modparms)
+{
+    unsigned long ciphers;
+    unsigned long mechanisms;
+    SECStatus status;
+
+    mechanisms =
+	getFlagsFromString(mechanismString, mechanismStrings,
+			   numMechanismStrings);
+    ciphers =
+	getFlagsFromString(cipherString, cipherStrings, numCipherStrings);
+
+    status =
+	SECMOD_AddNewModuleEx(moduleName, libFile,
+		  SECMOD_PubMechFlagstoInternal(mechanisms),
+		  SECMOD_PubCipherFlagstoInternal(ciphers),
+		  modparms, NULL );
+
+    if(status != SECSuccess) {
+	char* errtxt=NULL;
+	PRInt32 copied = 0;
+	if (PR_GetErrorTextLength()) {
+	    errtxt = PR_Malloc(PR_GetErrorTextLength());
+	    copied = PR_GetErrorText(errtxt);
+	}
+	if (copied && errtxt) {
+	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
+		       moduleName, errtxt);
+	    PR_Free(errtxt);
+	} else {
+	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
+		       moduleName, SECU_Strerror(PORT_GetError()));
+	}
+	return ADD_MODULE_FAILED_ERR;
+    } else {
+	PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
+	return SUCCESS;
+    }
+}
+
+/***********************************************************************
+ *
+ * D e l e t e M o d u l e
+ *
+ * Deletes the named module from the database.
+ */
+Error
+DeleteModule(char *moduleName)
+{
+    SECStatus status;
+    int type;
+    
+    status = SECMOD_DeleteModule(moduleName, &type);
+
+    if(status != SECSuccess) {
+	if(type == SECMOD_FIPS || type == SECMOD_INTERNAL) {
+	    PR_fprintf(PR_STDERR, errStrings[DELETE_INTERNAL_ERR]);
+	    return DELETE_INTERNAL_ERR;
+	} else {
+	    PR_fprintf(PR_STDERR, errStrings[DELETE_FAILED_ERR], moduleName);
+	    return DELETE_FAILED_ERR;
+	}
+    }
+
+    PR_fprintf(PR_STDOUT, msgStrings[DELETE_SUCCESS_MSG], moduleName);
+    return SUCCESS;
+}
+
+/************************************************************************
+ *
+ * R a w L i s t M o d u l e s
+ *
+ * Lists all the modules in the database, along with their slots and tokens.
+ */
+Error
+RawListModule(char *modulespec)
+{
+    SECMODModule *module;
+    char **moduleSpecList;
+
+    module = SECMOD_LoadModule(modulespec,NULL,PR_FALSE);
+    if (module == NULL) {
+	/* handle error */
+	return NO_SUCH_MODULE_ERR;
+    }
+
+    moduleSpecList = SECMOD_GetModuleSpecList(module);
+    if (!moduleSpecList || !moduleSpecList[0]) {
+	SECU_PrintError("modutil",
+			    "no specs in secmod DB");
+	return NO_SUCH_MODULE_ERR;
+    }
+
+    for ( ;*moduleSpecList; moduleSpecList++) {
+	printf("%s\n\n",*moduleSpecList);
+    }
+
+    return SUCCESS;
+}
+
+Error
+RawAddModule(char *dbmodulespec, char *modulespec)
+{
+    SECMODModule *module;
+    SECMODModule *dbmodule;
+
+
+    dbmodule = SECMOD_LoadModule(dbmodulespec,NULL,PR_TRUE);
+    if (dbmodule == NULL) {
+	/* handle error */
+	return NO_SUCH_MODULE_ERR;
+    }
+
+    module = SECMOD_LoadModule(modulespec,dbmodule,PR_FALSE);
+    if (module == NULL) {
+	/* handle error */
+	return NO_SUCH_MODULE_ERR;
+    }
+
+    if( SECMOD_UpdateModule(module) != SECSuccess ) {
+	PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], modulespec);
+	return UPDATE_MOD_FAILED_ERR;
+    }
+    return SUCCESS;
+}
+
+static void
+printModule(SECMODModule *module, int *count) 
+{
+    int slotCount = module->loaded ? module->slotCount : 0;
+    int i;
+
+    if ((*count)++) {
+        PR_fprintf(PR_STDOUT,"\n");
+    }
+        PR_fprintf(PR_STDOUT, "%3d. %s\n", *count, module->commonName);
+
+    if (module->dllName) {
+        PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName);
+    }
+
+    if (slotCount == 0) {
+        PR_fprintf(PR_STDOUT,
+	"\t slots: There are no slots attached to this module\n");
+    } else {
+        PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n",
+		slotCount, (slotCount==1 ? "" : "s") );
+    }
+
+    if (module->loaded == 0) {
+        PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n");
+    } else {
+        PR_fprintf(PR_STDOUT, "\tstatus: loaded\n");
+    }
+
+    /* Print slot and token names */
+    for (i = 0; i < slotCount; i++) {
+        PK11SlotInfo *slot = module->slots[i];
+
+        PR_fprintf(PR_STDOUT, "\n");
+        PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
+        PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
+    }
+    return;
+}
+
+/************************************************************************
+ *
+ * L i s t M o d u l e s
+ *
+ * Lists all the modules in the database, along with their slots and tokens.
+ */
+Error
+ListModules()
+{
+    SECMODListLock *lock;
+    SECMODModuleList *list;
+    SECMODModuleList *deadlist;
+    SECMODModuleList *mlp;
+    Error ret=UNSPECIFIED_ERR;
+    int count = 0;
+
+    lock = SECMOD_GetDefaultModuleListLock();
+    if(!lock) {
+	PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
+	return NO_LIST_LOCK_ERR;
+    }
+
+    SECMOD_GetReadLock(lock);
+
+    list = SECMOD_GetDefaultModuleList();
+    deadlist = SECMOD_GetDeadModuleList();
+    if (!list && !deadlist) {
+	PR_fprintf(PR_STDERR, errStrings[NO_MODULE_LIST_ERR]);
+	ret = NO_MODULE_LIST_ERR;
+	goto loser;
+    }
+
+    PR_fprintf(PR_STDOUT,
+	"\nListing of PKCS #11 Modules\n"
+	"-----------------------------------------------------------\n");
+    
+    for(mlp=list; mlp != NULL; mlp = mlp->next) {
+	printModule(mlp->module, &count);
+    }
+    for (mlp=deadlist; mlp != NULL; mlp = mlp->next) {
+	printModule(mlp->module, &count);
+    }
+
+
+    PR_fprintf(PR_STDOUT,
+	"-----------------------------------------------------------\n");
+
+    ret = SUCCESS;
+
+loser:
+    SECMOD_ReleaseReadLock(lock);
+    return ret;
+}
+
+/* Strings describing PK11DisableReasons */
+static char *disableReasonStr[] = {
+    "no reason",
+    "user disabled",
+    "could not initialize token",
+    "could not verify token",
+    "token not present"
+};
+static int numDisableReasonStr =
+    sizeof(disableReasonStr) / sizeof(disableReasonStr[0]);
+
+/***********************************************************************
+ *
+ * L i s t M o d u l e
+ *
+ * Lists detailed information about the named module.
+ */
+Error
+ListModule(char *moduleName)
+{
+    SECMODModule *module = NULL;
+    PK11SlotInfo *slot;
+    int slotnum;
+    CK_INFO modinfo;
+    CK_SLOT_INFO slotinfo;
+    CK_TOKEN_INFO tokeninfo;
+    char *ciphers, *mechanisms;
+    PK11DisableReasons reason;
+    Error  rv = SUCCESS;
+
+    if(!moduleName) {
+	return SUCCESS;
+    }
+
+    module = SECMOD_FindModule(moduleName);
+    if(!module) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+	rv = NO_SUCH_MODULE_ERR;
+        goto loser;
+    }
+
+    if ((module->loaded) && 
+			(PK11_GetModInfo(module, &modinfo) != SECSuccess)) {
+	PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName);
+	rv = MOD_INFO_ERR;
+        goto loser;
+    }
+
+    /* Module info */
+    PR_fprintf(PR_STDOUT, 
+	"\n-----------------------------------------------------------\n");
+    PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName);
+    if(module->internal || !module->dllName) {
+	PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n");
+    } else {
+	PR_fprintf(PR_STDOUT, "Library file: %s\n", module->dllName);
+    }
+
+    if (module->loaded) {
+	PR_fprintf(PR_STDOUT, "Manufacturer: %.32s\n", modinfo.manufacturerID);
+	PR_fprintf(PR_STDOUT, "Description: %.32s\n", modinfo.libraryDescription);
+	PR_fprintf(PR_STDOUT, "PKCS #11 Version %d.%d\n",
+	modinfo.cryptokiVersion.major, modinfo.cryptokiVersion.minor);
+	PR_fprintf(PR_STDOUT, "Library Version: %d.%d\n",
+	modinfo.libraryVersion.major, modinfo.libraryVersion.minor);
+    } else {
+	PR_fprintf(PR_STDOUT, "* Module not loaded\n");
+    }
+    /* Get cipher and mechanism flags */
+    ciphers = getStringFromFlags(module->ssl[0], cipherStrings,
+      numCipherStrings);
+    if(ciphers[0] == '\0') {
+	ciphers = "None";
+    }
+    PR_fprintf(PR_STDOUT, "Cipher Enable Flags: %s\n", ciphers);
+    mechanisms = NULL;
+    if (module->slotCount > 0) {
+	mechanisms = getStringFromFlags(
+	    PK11_GetDefaultFlags(module->slots[0]),
+	    mechanismStrings, numMechanismStrings);
+    }
+    if ((mechanisms==NULL) || (mechanisms[0] =='\0')) {
+	mechanisms = "None";
+    }
+    PR_fprintf(PR_STDOUT, "Default Mechanism Flags: %s\n", mechanisms);
+
+#define PAD "  "
+
+    /* Loop over each slot */
+    for (slotnum=0; slotnum < module->slotCount; slotnum++) {
+	slot = module->slots[slotnum];
+	if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess) {
+	    PR_fprintf(PR_STDERR, errStrings[SLOT_INFO_ERR],
+		PK11_GetSlotName(slot));
+	    rv = SLOT_INFO_ERR;
+	    continue;
+	}
+
+	/* Slot Info */
+	PR_fprintf(PR_STDOUT, "\n"PAD"Slot: %s\n", PK11_GetSlotName(slot));
+	mechanisms = getStringFromFlags(PK11_GetDefaultFlags(slot),
+	    mechanismStrings, numMechanismStrings);
+	if(mechanisms[0] =='\0') {
+	     mechanisms = "None";
+	}
+	PR_fprintf(PR_STDOUT, PAD"Slot Mechanism Flags: %s\n", mechanisms);
+	PR_fprintf(PR_STDOUT, PAD"Manufacturer: %.32s\n",
+	    slotinfo.manufacturerID);
+	if (PK11_IsHW(slot)) {
+	    PR_fprintf(PR_STDOUT, PAD"Type: Hardware\n");
+	} else {
+	    PR_fprintf(PR_STDOUT, PAD"Type: Software\n");
+	}
+	PR_fprintf(PR_STDOUT, PAD"Version Number: %d.%d\n",
+	    slotinfo.hardwareVersion.major, slotinfo.hardwareVersion.minor);
+	PR_fprintf(PR_STDOUT, PAD"Firmware Version: %d.%d\n",
+	    slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
+	if (PK11_IsDisabled(slot)) {
+	    reason  = PK11_GetDisabledReason(slot);
+	    if(reason < numDisableReasonStr) {
+		PR_fprintf(PR_STDOUT, PAD"Status: DISABLED (%s)\n",
+		  disableReasonStr[reason]);
+	    } else {
+		PR_fprintf(PR_STDOUT, PAD"Status: DISABLED\n");
+	    }
+	} else {
+	    PR_fprintf(PR_STDOUT, PAD"Status: Enabled\n");
+	}
+
+	if(PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess) {
+	    PR_fprintf(PR_STDERR, errStrings[TOKEN_INFO_ERR],
+	      PK11_GetTokenName(slot));
+	    rv = TOKEN_INFO_ERR;
+	    continue;
+	}
+
+	/* Token Info */
+	PR_fprintf(PR_STDOUT, PAD"Token Name: %.32s\n",
+	    tokeninfo.label);
+	PR_fprintf(PR_STDOUT, PAD"Token Manufacturer: %.32s\n",
+	    tokeninfo.manufacturerID);
+	PR_fprintf(PR_STDOUT, PAD"Token Model: %.16s\n", tokeninfo.model);
+	PR_fprintf(PR_STDOUT, PAD"Token Serial Number: %.16s\n",
+	    tokeninfo.serialNumber);
+	PR_fprintf(PR_STDOUT, PAD"Token Version: %d.%d\n",
+	    tokeninfo.hardwareVersion.major, tokeninfo.hardwareVersion.minor);
+	PR_fprintf(PR_STDOUT, PAD"Token Firmware Version: %d.%d\n",
+	    tokeninfo.firmwareVersion.major, tokeninfo.firmwareVersion.minor);
+	if(tokeninfo.flags & CKF_WRITE_PROTECTED) {
+	    PR_fprintf(PR_STDOUT, PAD"Access: Write Protected\n");
+	} else {
+	    PR_fprintf(PR_STDOUT, PAD"Access: NOT Write Protected\n");
+	}
+	if(tokeninfo.flags & CKF_LOGIN_REQUIRED) {
+	    PR_fprintf(PR_STDOUT, PAD"Login Type: Login required\n");
+	} else {
+	    PR_fprintf(PR_STDOUT, PAD
+	      "Login Type: Public (no login required)\n");
+	}
+	if(tokeninfo.flags & CKF_USER_PIN_INITIALIZED) {
+	    PR_fprintf(PR_STDOUT, PAD"User Pin: Initialized\n");
+	} else {
+	    PR_fprintf(PR_STDOUT, PAD"User Pin: NOT Initialized\n");
+	}
+    }
+    PR_fprintf(PR_STDOUT, 
+	"\n-----------------------------------------------------------\n");
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    return rv;
+}
+
+/************************************************************************
+ *
+ * C h a n g e P W
+ */
+Error
+ChangePW(char *tokenName, char *pwFile, char *newpwFile)
+{
+    char *oldpw=NULL, *newpw=NULL, *newpw2=NULL;
+    PK11SlotInfo *slot;
+    Error ret=UNSPECIFIED_ERR;
+    PRBool matching;
+
+    slot = PK11_FindSlotByName(tokenName);
+    if(!slot) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName);
+	return NO_SUCH_TOKEN_ERR;
+    }
+
+    /* Get old password */
+    if(! PK11_NeedUserInit(slot)) {
+	if(pwFile) {
+	    oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile);
+	    if(PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
+		PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]);
+		ret=BAD_PW_ERR;
+		goto loser;
+	    }
+	} else {
+	    for(matching=PR_FALSE; !matching; ) {
+		oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
+		if(PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
+		    matching = PR_TRUE;
+		} else {
+		    PR_fprintf(PR_STDOUT, msgStrings[BAD_PW_MSG]);
+		}
+	    }
+	}
+    }
+
+    /* Get new password */
+    if(newpwFile) {
+	newpw = SECU_FilePasswd(NULL, PR_FALSE, newpwFile);
+    } else {
+	for(matching=PR_FALSE; !matching; ) {
+	    newpw = SECU_GetPasswordString(NULL, "Enter new password: ");
+	    newpw2 = SECU_GetPasswordString(NULL, "Re-enter new password: ");
+	    if(strcmp(newpw, newpw2)) {
+		PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]);
+	    } else {
+		matching = PR_TRUE;
+	    }
+	}
+    }
+
+    /* Change the password */
+    if(PK11_NeedUserInit(slot)) {
+	if(PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) {
+	    PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
+	    ret = CHANGEPW_FAILED_ERR;
+	    goto loser;
+	}
+    } else {
+	if(PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+	    PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
+	    ret = CHANGEPW_FAILED_ERR;
+	    goto loser;
+	}
+    }
+
+    PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName);
+    ret = SUCCESS;
+
+loser:
+    if(oldpw) {
+	memset(oldpw, 0, strlen(oldpw));
+	PORT_Free(oldpw);
+    }
+    if(newpw) {
+	memset(newpw, 0, strlen(newpw));
+	PORT_Free(newpw);
+    }
+    if(newpw2) {
+	memset(newpw2, 0, strlen(newpw2));
+	PORT_Free(newpw2);
+    }
+    PK11_FreeSlot(slot);
+
+    return ret;
+}
+
+/***********************************************************************
+ *
+ * E n a b l e M o d u l e
+ *
+ * If enable==PR_TRUE, enables the module or slot.
+ * If enable==PR_FALSE, disables the module or slot.
+ * moduleName is the name of the module.
+ * slotName is the name of the slot.  It is optional.
+ */
+Error
+EnableModule(char *moduleName, char *slotName, PRBool enable)
+{
+    int i;
+    SECMODModule *module = NULL;
+    PK11SlotInfo *slot = NULL;
+    PRBool found = PR_FALSE;
+    Error rv;
+
+    module = SECMOD_FindModule(moduleName);
+    if(!module) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+	rv = NO_SUCH_MODULE_ERR;
+        goto loser;
+    }
+
+    for(i=0; i < module->slotCount; i++) {
+	slot = module->slots[i];
+	if(slotName && strcmp(PK11_GetSlotName(slot), slotName)) {
+		/* Not the right slot */
+		continue;
+	}
+	if(enable) {
+	    if(! PK11_UserEnableSlot(slot)) {
+		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
+		    "enable", PK11_GetSlotName(slot));
+		rv = ENABLE_FAILED_ERR;
+                goto loser;
+	    } else {
+		found = PR_TRUE;
+		PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
+		    PK11_GetSlotName(slot), "enabled");
+	    }
+	} else {
+	    if(! PK11_UserDisableSlot(slot)) {
+		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
+		    "disable", PK11_GetSlotName(slot));
+		rv = ENABLE_FAILED_ERR;
+                goto loser;
+	    } else {
+		found = PR_TRUE;
+		PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
+		    PK11_GetSlotName(slot), "disabled");
+	    }
+	}
+    }
+
+    if(slotName && !found) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
+	rv = NO_SUCH_SLOT_ERR;
+        goto loser;
+    }
+
+    /* Delete and re-add module to save changes */
+    if( SECMOD_UpdateModule(module) != SECSuccess ) {
+	PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], moduleName);
+	rv = UPDATE_MOD_FAILED_ERR;
+        goto loser;
+    }
+
+    rv = SUCCESS;
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    return rv;
+}
+
+/*************************************************************************
+ *
+ * S e t D e f a u l t M o d u l e
+ *
+ */
+Error
+SetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
+{
+    SECMODModule *module = NULL;
+    PK11SlotInfo *slot;
+    int s, i;
+    unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
+	numMechanismStrings);
+    PRBool found = PR_FALSE;
+    Error errcode = UNSPECIFIED_ERR;
+
+    if (pk11_DefaultArray == NULL) {
+	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+	if (pk11_DefaultArray == NULL) {
+	    /* should assert. This shouldn't happen */
+	    goto loser;
+	}
+    }
+
+    mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
+
+    module = SECMOD_FindModule(moduleName);
+    if(!module) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+	errcode = NO_SUCH_MODULE_ERR;
+	goto loser;
+    }
+
+    /* Go through each slot */
+    for(s=0; s < module->slotCount; s++) {
+	slot = module->slots[s];
+
+	if ((slotName != NULL) &&
+	    !((strcmp(PK11_GetSlotName(slot),slotName) == 0) ||
+	    (strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) {
+	    /* we are only interested in changing the one slot */
+	    continue;
+	}
+
+	found = PR_TRUE;
+
+	/* Go through each mechanism */
+	for(i=0; i < pk11_DefaultArraySize; i++) {
+	    if(pk11_DefaultArray[i].flag & mechFlags) {
+		/* Enable this default mechanism */
+		PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
+		    PR_TRUE);
+	    }
+	}
+    }
+    if (slotName && !found) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
+	errcode = NO_SUCH_SLOT_ERR;
+	goto loser;
+    }
+
+    /* Delete and re-add module to save changes */
+    if( SECMOD_UpdateModule(module) != SECSuccess ) {
+	PR_fprintf(PR_STDERR, errStrings[DEFAULT_FAILED_ERR],
+	  moduleName);
+	errcode = DEFAULT_FAILED_ERR;
+	goto loser;
+    }
+
+    PR_fprintf(PR_STDOUT, msgStrings[DEFAULT_SUCCESS_MSG]);
+
+    errcode = SUCCESS;
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    return errcode;
+}
+
+/************************************************************************
+ *
+ * U n s e t D e f a u l t M o d u l e
+ */
+Error
+UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
+{
+    SECMODModule * module = NULL;
+    PK11SlotInfo *slot;
+    int s, i;
+    unsigned long mechFlags = getFlagsFromString(mechanisms,
+	mechanismStrings, numMechanismStrings);
+    PRBool found = PR_FALSE;
+    Error rv;
+
+    if (pk11_DefaultArray == NULL) {
+	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+	if (pk11_DefaultArray == NULL) {
+	    /* should assert. This shouldn't happen */
+	    rv = UNSPECIFIED_ERR;
+            goto loser;
+	}
+    }
+
+    mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
+
+    module = SECMOD_FindModule(moduleName);
+    if(!module) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+	rv = NO_SUCH_MODULE_ERR;
+        goto loser;
+    }
+
+    for(s=0; s < module->slotCount; s++) {
+	slot = module->slots[s];
+	if ((slotName != NULL) &&
+	    !((strcmp(PK11_GetSlotName(slot),slotName) == 0) ||
+	    (strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) {
+	    /* we are only interested in changing the one slot */
+	    continue;
+	}
+	for(i=0; i < pk11_DefaultArraySize ; i++) {
+	    if(pk11_DefaultArray[i].flag & mechFlags) {
+		PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
+		    PR_FALSE);
+	    }
+	}
+    }
+    if (slotName && !found) {
+	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
+	rv = NO_SUCH_SLOT_ERR;
+        goto loser;
+    }
+
+    /* Delete and re-add module to save changes */
+    if( SECMOD_UpdateModule(module) != SECSuccess ) {
+	PR_fprintf(PR_STDERR, errStrings[UNDEFAULT_FAILED_ERR],
+	  moduleName);
+	rv = UNDEFAULT_FAILED_ERR;
+        goto loser;
+    }
+
+    PR_fprintf(PR_STDOUT, msgStrings[UNDEFAULT_SUCCESS_MSG]);
+    rv = SUCCESS;
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    return rv;
+}
diff --git a/security/nss/cmd/modutil/pk11jar.html b/security/nss/cmd/modutil/pk11jar.html
new file mode 100644
index 000000000..ddc6c6e13
--- /dev/null
+++ b/security/nss/cmd/modutil/pk11jar.html
@@ -0,0 +1,312 @@
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<head>
+<title>PKCS #11 JAR Format</title>
+</head>
+<body bgcolor=white text=black link=blue vlink=purple alink=red>
+<center><h1>PKCS #11 JAR Format</h1></center>
+
+<p>PKCS #11 modules can be packaged into JAR files that support automatic
+installation onto the filesystem and into the security module database.
+The JAR file should contain:
+<ul>
+<li>All files that will be installed onto the target machine.  This will
+include at least the PKCS #11 module library file (.DLL or .so), and
+may also include any other file that should be installed (such as
+documentation).
+<li>A script to perform the installation.
+</ul>
+The script can be in one of two forms. If the JAR file is to be
+run by Communicator (or any program that interprets Javascript), the
+instructions will be in the form of a SmartUpdate script.
+<a href="http://devedge/library/documentation/security/jmpkcs/">Documentation
+</a> on creating this script can be found on DevEdge.
+
+<p>If the
+JAR file is to be run by a server, modutil, or any other program that
+doesn't interpret Javascript, a special information file must be included
+in the format described in this document.
+
+<h2>Declaring the Script in the Manifest File</h2>
+The script can have any name, but it must be declared in the manifest file
+of the JAR archive.  The metainfo tag for this is
+<code>Pkcs11_install_script</code>.  Meta-information is put in the manifest
+file by putting it in a file which is passed to
+<a href="http://developer.netscape.com/software/index_frame.html?content=signedobj/jarpack.html#signtool1.3">Signtool</a>.  For example,
+suppose the PKCS #11 installer script is in the file <code>pk11install</code>.
+In Signtool's metainfo file, you would have a line like this:
+<blockquote><pre>
++ Pkcs11_install_script: pk11install
+</pre></blockquote>
+
+<h2>Sample Script File</h2>
+<blockquote><pre>
+ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
+Platforms {
+	WINNT::x86 {
+		ModuleName { "Fortezza Module" }
+		ModuleFile { win32/fort32.dll }
+		DefaultMechanismFlags{0x0001}
+		DefaultCipherFlags{0x0001}
+		Files {
+			win32/setup.exe {
+				Executable
+				RelativePath { %temp%/setup.exe }
+			}
+			win32/setup.hlp {
+				RelativePath { %temp%/setup.hlp }
+			}
+			win32/setup.cab {
+				RelativePath { %temp%/setup.cab }
+			}
+		}
+	}
+	WIN95::x86 {
+		EquivalentPlatform {WINNT::x86}
+	}
+	Solaris:5.5.1:sparc {
+		ModuleName { "Fortezza UNIX Module" }
+		ModuleFile { unix/fort.so }
+		DefaultMechanismFlags{0x0001}
+		CipherEnableFlags{0x0001}
+		Files {
+			unix/fort.so {
+				RelativePath{%root%/lib/fort.so}
+				AbsolutePath{/usr/local/netscape/lib/fort.so}
+				FilePermissions{555}
+			}
+			xplat/instr.html {
+				RelativePath{%root%/docs/inst.html}
+				AbsolutePath{/usr/local/netscape/docs/inst.html}
+				FilePermissions{555}
+			}
+		}
+	}
+	IRIX:6.2:mips {
+		EquivalentPlatform { Solaris:5.5.1:sparc }
+	}
+}
+</pre></blockquote>
+
+<hr>
+
+<h2>Script File Grammar</h2>
+<blockquote><pre>
+--> <i>valuelist</i>
+
+<i>valuelist</i> --> <i>value</i> <i>valuelist</i>
+<i>         </i>     <i>&lt;null&gt;</i>
+
+<i>value</i> --> <i>key_value_pair</i>
+<i>     </i>     <i>string</i>
+
+<i>key_value_pair</i> --> <i>key</i> { <i>valuelist</i> }
+
+<i>key</i> --> <i>string</i>
+
+<i>string</i> --> <i>simple_string</i>
+<i>      </i>     "<i>complex_string</i>"
+
+<i>simple_string</i> --> [^ \t\n\""{""}"]+ <font size=-1><i>(no whitespace, quotes, or braces)</i></font>
+
+<i>complex_string</i> --> ([^\"\\\r\n]|(\\\")|(\\\\))+ <font size=-1><i>(quotes and backslashes must be escaped with a backslash, no newlines or carriage returns are allowed in the string)</i></font>
+</pre></blockquote>
+Outside of complex strings, all whitespace (space, tab, newline) is considered
+equal and is used only to delimit tokens. 
+
+<hr>
+
+<h2>Keys</h2>
+Keys are case-insensitive.
+<h3>Global Keys</h3>
+<dl>
+<dt><code>ForwardCompatible</code>
+<dd>Gives a list of platforms that are forward compatible.  If the current
+platform cannot be found in the list of supported platforms, then the
+ForwardCompatible list will be checked for any platforms that have the same
+OS and architecture and an earlier version. If one is found, its
+attributes will be used for the current platform.
+<dt><code>Platforms</code> (<i>required</i>)
+<dd>Gives a list of platforms.  Each entry in the list is itself a key-value
+pair:
+the key is the name of the platform, and the valuelist contains various
+attributes of the platform. The ModuleName, ModuleFile, and Files attributes
+must be specified, unless an EquivalentPlatform attribute is specified. 
+The platform string is in the following
+format: <u><i>system name</i></u>:<u><i>os release</i></u>:<u><i>architecture</i></u>. The installer
+will obtain these values from NSPR. <u><i>os release</i></u> is an empty
+string on non-UNIX operating systems.  The following system names and platforms
+are currently defined by NSPR:<code>
+<ul>
+<li>AIX (rs6000)
+<li>BSDI (x86)
+<li>FREEBSD (x86)
+<li>HPUX (hppa1.1)
+<li>IRIX (mips)
+<li>LINUX (ppc, alpha, x86)
+<li>MacOS (PowerPC) </code>(<i>Note: NSPR actually defines the OS as
+"</i><code>Mac OS</code><i>".  The
+space makes the name unsuitable for being embedded in identifiers.  Until
+NSPR changes, you will have to add some special code to deal with this case.
+</i>)<code>
+<li>NCR (x86)
+<li>NEC (mips)
+<li>OS2 (x86)
+<li>OSF (alpha)
+<li>ReliantUNIX (mips)
+<li>SCO (x86)
+<li>SOLARIS (sparc)
+<li>SONY (mips)
+<li>SUNOS (sparc)
+<li>UnixWare (x86)
+<li>WIN16 (x86)
+<li>WIN95 (x86)
+<li>WINNT (x86)
+</ul>
+</code>
+Examples of valid platform strings: <code>IRIX:6.2:mips, Solaris:5.5.1:sparc,
+Linux:2.0.32:x86, WIN95::x86</code>.
+</dl>
+
+<h3>Per-Platform Keys</h3>
+These keys only have meaning within the value list of an entry in 
+the <code>Platforms</code> list.
+<dl>
+<dt><code>ModuleName</code> (<i>required</i>)
+<dd>Gives the common name for the module. This name will be used to 
+reference the module from Communicator, modutil, servers, or any other
+program that uses the Netscape security module database.
+<dt><code>ModuleFile</code> (<i>required</i>)
+<dd>Names the PKCS #11 module file (DLL or .so) for this platform.  The name
+is given as the relative path of the file within the JAR archive.
+<dt><code>Files</code> (<i>required</i>)
+<dd>Lists the files that should be installed for this module.  Each entry
+in the file list is a key-value pair: the key is the path of the file in
+the JAR archive, and 
+the valuelist contains attributes of the file.  At least RelativePath and
+AbsoluteDir must be specified in this valuelist.
+<dt><code>DefaultMechanismFlags</code>
+<dd>This key-value pair specifies
+of which mechanisms this module will be a default provider. It is a bitstring
+specified in hexadecimal (0x) format.  It is constructed as a bitwise OR
+of the following constants. If the <code>DefaultMechanismFlags</code>
+entry is omitted, the value will default to 0x0.
+<blockquote><pre>
+RSA:			0x0000 0001
+DSA:			0x0000 0002
+RC2:			0x0000 0004
+RC4:			0x0000 0008
+DES:			0x0000 0010
+DH:			0x0000 0020
+FORTEZZA:		0x0000 0040
+RC5:			0x0000 0080
+SHA1:			0x0000 0100
+MD5:			0x0000 0200
+MD2:			0x0000 0400
+RANDOM:			0x0800 0000
+FRIENDLY:		0x1000 0000
+OWN_PW_DEFAULTS:	0x2000 0000
+DISABLE:		0x4000 0000
+</pre></blockquote>
+<dt><code>CipherEnableFlags</code>
+<dd>This key-value pair specifies
+which SSL ciphers will be enabled.  It is a bitstring specified in
+hexadecimal (0x) format.  It is constructed as a bitwise OR of the following
+constants.  If the <code>CipherEnableFlags</code> entry is omitted, the
+value will default to 0x0.
+<blockquote><pre>
+FORTEZZA:		0x0000 0001
+</pre></blockquote>
+<dt><code>EquivalentPlatform</code>
+<dd>Specifies that the attributes of the named platform should also be used
+for the current platform. Saves typing when there is more than one platform
+that uses the same settings.
+</dl>
+
+<h3>Per-File Keys</h3>
+These keys only have meaning within the valuelist of an entry in a
+<code>Files</code> list. At least one of <code>RelativePath</code> and
+<code>AbsolutePath</code> must be specified.  If both are specified, the
+relative path will be tried first and the absolute path used only if no
+relative root directory is provided by the installer program.
+<dl>
+<dt><code>RelativePath</code>
+<dd>Specifies the destination directory of the file, relative to some directory
+decided at install-time.  Two variables can be used in the relative
+path, "%root%" and "%temp%".  "%root%" will be replaced at run-time with
+the directory relative to which files should be installed; for
+example, it may be the server's root directory or Communicator's root
+directory. "%temp%" is a directory that will be created at the beginning
+of the installation and destroyed at the end of the installation. Its purpose
+is to hold executable files (such as setup programs), or files that are
+used by these programs.  For example, a Windows installation might consist
+of a <code>setup.exe</code> installation program, a help file, and a .cab file
+containing compressed information. All these files could be installed into the
+temporary directory. Files destined for the temporary directory are guaranteed
+to be in place before any executable file is run, and will not be deleted
+until all executable files have finished.
+<dt><code>AbsoluteDir</code>
+<dd>Specifies the destination directory of the file as an absolute path.
+This will only be used if the installer is unable to determine a
+relative directory.
+<dt><code>Executable</code>
+<dd>This string specifies that the file is to be executed during the
+course of the
+installation.  Typically this would be used for a setup program provided
+by a module vendor, such as a self-extracting <code>setup.exe</code>.
+More than one file can be specified as executable, in which case they will
+be run in the order they are specified in the script file. 
+<dt><code>FilePermissions</code>
+<dd>This string is interpreted as a string of octal digits, according to the
+standard UNIX format. It is a bitwise OR of the following constants:
+<blockquote><pre>
+user read:         400
+user write:        200
+user execute:      100
+group read:        040
+group write:       020
+group execute:     010
+other read:        004
+other write:       002
+other execute:     001
+</pre></blockquote>
+Some platforms may not understand these permissions.  They will only be
+applied insofar as makes sense for the current platform. If this attribute
+is omitted, a default of 777 is assumed.
+
+</body>
+</html>
diff --git a/security/nss/cmd/modutil/rules.mk b/security/nss/cmd/modutil/rules.mk
new file mode 100644
index 000000000..75eab4c9e
--- /dev/null
+++ b/security/nss/cmd/modutil/rules.mk
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+# Some versions of yacc generate files that include platform-specific
+# system headers.  For example, the yacc in Solaris 2.6 inserts
+#     #include <values.h>
+# which does not exist on NT.  For portability, always use Berkeley
+# yacc (such as the yacc in Linux) to generate files.
+#
+
+generate: installparse.c installparse.l
+
+installparse.c:
+	yacc -p Pk11Install_yy -d installparse.y
+	mv y.tab.c installparse.c
+	mv y.tab.h installparse.h
+
+installparse.l:
+	lex -olex.Pk11Install_yy.c -PPk11Install_yy installparse.l
+	@echo
+	@echo "**YOU MUST COMMENT OUT UNISTD.H FROM lex.Pk11Install_yy.cpp**"
+
+install.c: install-ds.h install.h
diff --git a/security/nss/cmd/modutil/specification.html b/security/nss/cmd/modutil/specification.html
new file mode 100644
index 000000000..b64fe80c7
--- /dev/null
+++ b/security/nss/cmd/modutil/specification.html
@@ -0,0 +1,354 @@
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<head>
+<title>Modutil Specification</title>
+</head>
+<body bgcolor=white fgcolor=black>
+<center><h1>PKCS #11 Module Management Utility
+<br><i>Specification</i></h1></center>
+
+<!---------------------------------------------------------------------->
+<!-------------------------- capabilities ------------------------------>
+<!---------------------------------------------------------------------->
+<h2>Capabilities</h2>
+<ul>
+<li>Add a PKCS #11 module, specifying a name and library file.
+(<a href="#add">-add</a>)
+<li>Add a PKCS #11 module from a server-formatted JAR file.
+(<a href="#jar">-jar</a>)
+<li>Change the password on or initialize a token.
+(<a href="#changepw">-changepw</a>)
+<li>Create databases (secmod[ule].db, key3.db, cert7.db) from scratch.
+(<a href="#create">-create</a>)
+<li>Switch to and from FIPS-140 compliant mode.
+(<a href="#fips">-fips</a>)
+<li>Delete a PKCS #11 module. (<a href="#delete">-delete</a>)
+<li>List installed PKCS #11 modules. (<a href="#list">-list</a>)
+<li>List detailed info on a particular module and its tokens, including 
+whether needs login, is hardware, needs user init
+(<a href="#list">-list</a>)
+<li>Specify which modules should be the default provider of various
+cryptographic operations.(<a href="#default">-default</a>,
+<a href="#undefault">-undefault</a>)
+<li>Disable and enable slots, find out whether and why they are disabled.
+(<a href="#disable">-disable</a>, <a href="#enable">-enable</a>,
+<a href="#list">-list</a>)
+</ul>
+
+<hr>
+
+<!---------------------------------------------------------------------->
+<!-------------------------- Usage ------------------------------------->
+<!---------------------------------------------------------------------->
+<h2>Usage</h2>
+<code>modutil [<i>command</i>] [<i>options</i>]</code>
+<p>At most one command can be specified. With no arguments,
+<code>modutil</code> prints a usage message.
+<h3>Commands:</h3>
+<table border>
+<tr bgcolor="#cccccc">
+<th>Command</th><th>Description</th>
+</tr>
+
+<!---------------------------- -add ------------------------------>
+<tr>
+<td> <a name="add"></a>
+<code>-add <u><i>module name</i></u> -libfile <u><i>library file</i></u>
+ [-ciphers <u><i>cipher enable list</i></u>]
+ [-mechanisms <u><i>default mechanism list</i></u>]
+</code></td>
+<td>Adds a new module to the database with the given name.
+
+<p><u><i>library file</i></u> is the path of the DLL or other library file
+containing the module's implementation of the PKCS #11 interface.
+
+<p><u><i>cipher enable flags</i></u> is a colon-separated list of ciphers
+that will be enabled on this module. The list should be enclosed within quotes
+if necessary to prevent shell interpretation. The following ciphers are
+currently available:
+<ul>
+<li>FORTEZZA
+</ul>
+
+<p><u><i>default mechanism flags</i></u> is a colon-separated list of
+mechanisms for which this module should be the default provider. The
+list should be enclosed within quotes if necessary to prevent shell
+interpretation. <b>This
+list does not enable the mechanisms; it only specifies that this module
+will be a default provider for the listed mechanisms.</b> If more than
+one module claims to be a default provider for a given mechanism, it is
+undefined which will actually be chosen to provide that mechanism. The 
+following mechanisms are currently available:
+<ul>
+<li>RSA
+<li>DSA
+<li>RC2
+<li>RC4
+<li>RC5
+<li>DES
+<li>DH
+<li>FORTEZZA
+<li>SHA1
+<li>MD5
+<li>MD2
+<li>RANDOM <i>(random number generation)</i>
+<li>FRIENDLY <i>(certificates are publicly-readable)</i>
+</ul>
+</td>
+</tr>
+
+<!-------------------------- -changepw ------------------------------------->
+<tr>
+<td><a name="changepw"></a><code>-changepw <u><i>token name</i></u>
+[-pwfile <u><i>old password file</i></u>]
+[-newpwfile <u><i>new password file</i></u>]</code></td>
+<td>Changes the password on the named token.  If the token has not been
+initialized, this command will initialize the PIN.
+If a password file is given, the password will be read from that file;
+otherwise, the password will be obtained interactively.
+<b>Storing passwords in a file is much less secure than supplying them
+interactively.</b>
+<p>The password on the Netscape internal module cannot be changed if
+the <code>-nocertdb</code> option is specified.
+</td>
+</tr>
+
+<!-------------------------- -create ------------------------------------->
+<tr>
+<td><a name="create"></a><code>-create</code></td>
+<td>Creates a new secmod[ule].db, key3.db, and cert7.db in the directory
+specified with the
+<code>-dbdir</code> option, if one is specified.  If no directory is
+specified, UNIX systems will use the user's .netscape directory, while other
+systems will return with an error message.  If any of these databases already
+exist in the chosen directory, an error message is returned.
+<p>If used with <code>-nocertdb</code>, only secmod[ule].db will be created;
+cert7.db and key3.db will not be created.
+</td>
+</tr>
+
+<!------------------------------ -default -------------------------------->
+<tr>
+<td> <a name="default"></a> <code>-default <u><i>module name</i></u>
+-mechanisms <u><i>mechanism list</i></u></code>
+</td>
+<td>Specifies that the given module will be a default provider of the
+listed mechanisms.  The mechanism list is the same as in the <code>-add</code>
+command.
+</td>
+</tr>
+
+<!-------------------------- -delete ------------------------------------->
+<tr>
+<td><a name="delete"></a><code>-delete <u><i>module name</i></u></code></td>
+<td>Deletes the named module from the database</td>
+</tr>
+
+<!-------------------------- -disable ------------------------------------->
+<tr>
+<td> <a name="disable"></a> <code>-disable <u><i>module name</i></u>
+[-slot <u><i>slot name</i></u>]</code></td>
+<td>Disables the named slot. If no slot is specified, all slots on
+the module are disabled.</td>
+</tr>
+
+<!-------------------------- -enable ------------------------------------->
+<tr>
+<td> <a name="enable"></a> <code>-enable <u><i>module name</i></u>
+[-slot <u><i>slot name</i></u>]</code></td>
+<td>Enables the named slot. If no slot is specified, all slots on
+the module are enabled.</td>
+</tr>
+
+<!-------------------------- -fips ------------------------------------->
+<tr>
+<td><a name="fips"></a><code>-fips [true | false]</code></td>
+<td>Enables or disables FIPS mode on the internal module.  Passing
+<code>true</code> enables FIPS mode, passing <code>false</code> disables
+FIPS mode.</td>
+</tr>
+
+<!-------------------------- -force ------------------------------------->
+<tr>
+<td><a name="force"></a><code>-force</code></td>
+<td>Disables interactive prompts, so modutil can be run in a script. 
+Should only be used by experts, since the prompts may relate to security
+or database integrity. Before using this option, test the command
+interactively once to see the warnings that are produced.</td>
+</tr>
+
+<!-------------------------- -jar ------------------------------------->
+<tr>
+<td><a name="jar"></a><code>-jar <u><i>JAR file</i></u>
+-installdir <u><i>root installation directory</i></u>
+[-tempdir <u><i>temporary directory</i></u>]</code></td>
+<td>Adds a new module from the given JAR file. The JAR file uses the 
+server <a href="pk11jar.html">PKCS #11 JAR format</a> to describe the names of
+any files that need to be installed, the name of the module, mechanism flags,
+and cipher flags.  The <u><i>root installation directory</i></u>
+is the directory relative to which files will be installed. This should be a
+ directory 
+under which it would be natural to store dynamic library files, such as
+a server's root directory, or Communicator's root directory.
+The <u><i>temporary directory</i></u> is where temporary modutil files
+will be created in the course of the installation.  If no temporary directory
+is specified, the current directory will be used.
+<p>If used with the <code>-nocertdb</code> option, the signatures on the JAR
+file will not be checked.</td>
+</tr>
+
+<!----------------------------- -list ------------------------------>
+<tr>
+<td><a name="list"></a><code>-list [<u><i>module name</i></u>]</code></td>
+<td>Without an argument, lists the PKCS #11 modules present in the module
+database.
+<blockquote>
+<pre>
+% <b>modutil -list</b>
+Using database directory /u/nicolson/.netscape...
+
+Listing of PKCS #11 Modules
+-----------------------------------------------------------
+  1. Netscape Internal PKCS #11 Module
+         slots: 2 slots attached
+        status: loaded
+
+         slot: Communicator Internal Cryptographic Services Version 4.0
+        token: Communicator Generic Crypto Svcs
+
+         slot: Communicator User Private Key and Certificate Services
+        token: Communicator Certificate DB
+-----------------------------------------------------------
+</pre>
+</blockquote>
+<p>With an argument, provides a detailed description of the named module
+and its slots and tokens.
+<blockquote>
+<pre>
+% <b>modutil -list "Netscape Internal PKCS #11 Module"</b>
+Using database directory /u/nicolson/.netscape...
+
+-----------------------------------------------------------
+Name: Netscape Internal PKCS #11 Module
+Library file: **Internal ONLY module**
+Manufacturer: Netscape Communications Corp    
+Description: Communicator Internal Crypto Svc
+PKCS #11 Version 2.0
+Library Version: 4.0
+Cipher Enable Flags: None
+Default Mechanism Flags: RSA:DSA:RC2:RC4:DES:SHA1:MD5:MD2
+
+  Slot: Communicator Internal Cryptographic Services Version 4.0
+  Manufacturer: Netscape Communications Corp    
+  Type: Software
+  Version Number: 4.1
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: Communicator Generic Crypto Svcs
+  Token Manufacturer: Netscape Communications Corp    
+  Token Model: Libsec 4.0      
+  Token Serial Number: 0000000000000000
+  Token Version: 4.0
+  Token Firmware Version: 0.0
+  Access: Write Protected
+  Login Type: Public (no login required)
+  User Pin: NOT Initialized
+
+  Slot: Communicator User Private Key and Certificate Services
+  Manufacturer: Netscape Communications Corp    
+  Type: Software
+  Version Number: 3.0
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: Communicator Certificate DB     
+  Token Manufacturer: Netscape Communications Corp    
+  Token Model: Libsec 4.0      
+  Token Serial Number: 0000000000000000
+  Token Version: 7.0
+  Token Firmware Version: 0.0
+  Access: NOT Write Protected
+  Login Type: Login required
+  User Pin: Initialized
+
+-----------------------------------------------------------
+</pre>
+</blockquote>
+</td>
+</tr>
+
+<!------------------------------ Undefault ------------------------------->
+<tr>
+<td><a name="undefault"></a><code>-undefault <u><i>module name</i></u>
+-mechanisms <u><i>mechanism list</i></u></code></td>
+<td>Specifies that the given module will NOT be a default provider of 
+the listed mechanisms. This command clears the default mechanism flags
+for the given module.</td>
+</tr>
+
+</table>
+
+<!------------------------------------------------------------------------>
+<!------------------------------ Options --------------------------------->
+<!------------------------------------------------------------------------>
+<h3>Options:</h3>
+<table border>
+<tr bgcolor="#cccccc"><th>Option</th><th>Description</th> </tr>
+
+<!------------------------------ -dbdir ---------------------------------->
+<tr>
+<td><code>-dbdir <u><i>directory</i></u></code></td>
+<td>Specifies which directory holds the module database. On UNIX systems,
+the user's netscape directory is the default. On other systems, there is
+no default, and this option must be used.</td>
+</tr>
+
+<!------------------------------ -dbdir ---------------------------------->
+<tr>
+<td><code>-nocertdb</code></td>
+<td>Do not open the certificate or key databases.  This has several effects.
+With the <code>-create</code> command, this means that only a secmod.db file
+will be created; cert7.db and key3.db will not be created.  With the
+<code>-jar</code> command, signatures on the JAR file will not be checked.
+With the <code>-changepw</code> command, the password on the Netscape internal 
+module cannot be set or changed, since this password is stored in key3.db.
+</td>
+</tr>
+
+</table>
+
+</body>
+</html>
diff --git a/security/nss/cmd/ocspclnt/Makefile b/security/nss/cmd/ocspclnt/Makefile
new file mode 100644
index 000000000..4d209348e
--- /dev/null
+++ b/security/nss/cmd/ocspclnt/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
diff --git a/security/nss/cmd/ocspclnt/manifest.mn b/security/nss/cmd/ocspclnt/manifest.mn
new file mode 100644
index 000000000..158d0a5e8
--- /dev/null
+++ b/security/nss/cmd/ocspclnt/manifest.mn
@@ -0,0 +1,58 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	ocspclnt.c \
+	$(NULL)
+
+# headers for the MODULE (defined above) are implicitly required.
+REQUIRES = dbm seccmd
+
+# WINNT uses EXTRA_LIBS as the list of libs to link in.
+# Unix uses     OS_LIBS for that purpose.
+# We can solve this via conditional makefile code, but 
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+# So, look in the local Makefile for the defines for the list of libs.
+
+PROGRAM = ocspclnt
+
+USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/ocspclnt/ocspclnt.c b/security/nss/cmd/ocspclnt/ocspclnt.c
new file mode 100644
index 000000000..f86c5a2c5
--- /dev/null
+++ b/security/nss/cmd/ocspclnt/ocspclnt.c
@@ -0,0 +1,1293 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Test program for client-side OCSP.
+ *
+ * $Id$
+ */
+
+#include "secutil.h"
+#include "nspr.h"
+#include "plgetopt.h"
+#include "nss.h"
+#include "cert.h"
+#include "ocsp.h"
+#include "xconst.h"	/*
+			 * XXX internal header file; needed to get at
+			 * cert_DecodeAuthInfoAccessExtension -- would be
+			 * nice to not need this, but that would require
+			 * better/different APIs.
+			 */
+
+#ifndef NO_PP		/*
+			 * Compile with this every once in a while to be
+			 * sure that no dependencies on it get added
+			 * outside of the pretty-printing routines.
+			 */
+#include "ocspti.h"	/* internals for pretty-printing routines *only* */
+#endif	/* NO_PP */
+
+#if defined(_WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+#define DEFAULT_DB_DIR	"~/.netscape"
+
+/* global */
+char	*program_name;
+
+
+static void
+synopsis (char *program_name)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+    PR_fprintf (pr_stderr, "Usage:");
+    PR_fprintf (pr_stderr,
+		"\t%s -p [-d <dir>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t%s -P [-d <dir>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t%s -r <name> [-a] [-L] [-s <name>] [-d <dir>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t%s -R <name> [-a] [-l <location>] [-s <name>] [-d <dir>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t%s -S <name> [-a] [-l <location> -t <name>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
+    PR_fprintf (pr_stderr,
+		"\t%s -V <name> [-a] -u <usage> [-l <location> -t <name>]\n",
+		program_name);
+    PR_fprintf (pr_stderr,
+		"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
+}
+
+
+static void
+short_usage (char *program_name)
+{
+    PR_fprintf (PR_STDERR,
+		"Type %s -H for more detailed descriptions\n",
+		program_name);
+    synopsis (program_name);
+}
+
+
+static void
+long_usage (char *program_name)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+    synopsis (program_name);
+    PR_fprintf (pr_stderr, "\nCommands (must specify exactly one):\n");
+    PR_fprintf (pr_stderr,
+		"  %-13s Pretty-print a binary request read from stdin\n",
+		"-p");
+    PR_fprintf (pr_stderr,
+		"  %-13s Pretty-print a binary response read from stdin\n",
+		"-P");
+    PR_fprintf (pr_stderr,
+		"  %-13s Create a request for cert \"nickname\" on stdout\n",
+		"-r nickname");
+    PR_fprintf (pr_stderr,
+		"  %-13s Get response for cert \"nickname\", dump to stdout\n",
+		"-R nickname");
+    PR_fprintf (pr_stderr,
+		"  %-13s Get status for cert \"nickname\"\n",
+		"-S nickname");
+    PR_fprintf (pr_stderr,
+		"  %-13s Fully verify cert \"nickname\", w/ status check\n",
+		"-V nickname");
+    PR_fprintf (pr_stderr,
+		"\n     %-10s also can be the name of the file with DER or\n"
+                "  %-13s PEM(use -a option) cert encoding\n", "nickname", "");
+    PR_fprintf (pr_stderr, "Options:\n");
+    PR_fprintf (pr_stderr,
+		"  %-13s Decode input cert from PEM format. DER is default\n",
+		"-a");
+    PR_fprintf (pr_stderr,
+		"  %-13s Add the service locator extension to the request\n",
+		"-L");
+    PR_fprintf (pr_stderr,
+		"  %-13s Find security databases in \"dbdir\" (default %s)\n",
+		"-d dbdir", DEFAULT_DB_DIR);
+    PR_fprintf (pr_stderr,
+		"  %-13s Use \"location\" as URL of responder\n",
+		"-l location");
+    PR_fprintf (pr_stderr,
+		"  %-13s Trust cert \"nickname\" as response signer\n",
+		"-t nickname");
+    PR_fprintf (pr_stderr,
+		"  %-13s Sign requests with cert \"nickname\"\n",
+		"-s nickname");
+    PR_fprintf (pr_stderr,
+		"  %-13s Type of certificate usage for verification:\n",
+		"-u usage");
+    PR_fprintf (pr_stderr,
+		"%-17s c   SSL Client\n", "");
+    PR_fprintf (pr_stderr,
+		"%-17s s   SSL Server\n", "");
+    PR_fprintf (pr_stderr,
+		"%-17s e   Email Recipient\n", "");
+    PR_fprintf (pr_stderr,
+		"%-17s E   Email Signer\n", "");
+    PR_fprintf (pr_stderr,
+		"%-17s S   Object Signer\n", "");
+    PR_fprintf (pr_stderr,
+		"%-17s C   CA\n", "");
+    PR_fprintf (pr_stderr,
+		"  %-13s Validity time (default current time), one of:\n",
+		"-w time");
+    PR_fprintf (pr_stderr,
+		"%-17s %-25s (GMT)\n", "", "YYMMDDhhmm[ss]Z");
+    PR_fprintf (pr_stderr,
+		"%-17s %-25s (later than GMT)\n", "", "YYMMDDhhmm[ss]+hhmm");
+    PR_fprintf (pr_stderr,
+		"%-17s %-25s (earlier than GMT)\n", "", "YYMMDDhhmm[ss]-hhmm");
+}
+
+#if defined(WIN32)
+/* We're going to write binary data to stdout, or read binary from stdin. 
+ * We must put stdout or stdin into O_BINARY mode or else 
+   outgoing \n's will become \r\n's, and incoming \r\n's will become \n's.
+*/
+static SECStatus
+make_file_binary(FILE * binfile)
+{
+    int smrv = _setmode(_fileno(binfile), _O_BINARY);
+    if (smrv == -1) {
+        fprintf(stderr, "%s: Cannot change stdout to binary mode.\n",
+                  program_name);
+    }
+    return smrv;
+}
+#define MAKE_FILE_BINARY make_file_binary
+#else
+#define MAKE_FILE_BINARY(file) 
+#endif
+
+/*
+ * XXX This is a generic function that would probably make a good
+ * replacement for SECU_DER_Read (which is not at all specific to DER,
+ * despite its name), but that requires fixing all of the tools...
+ * Still, it should be done, whenenver I/somebody has the time.
+ * (Also, consider whether this actually belongs in the security
+ * library itself, not just in the command library.)
+ *
+ * This function takes an open file (a PRFileDesc *) and reads the
+ * entire file into a SECItem.  (Obviously, the file is intended to
+ * be small enough that such a thing is advisable.)  Both the SECItem
+ * and the buffer it points to are allocated from the heap; the caller
+ * is expected to free them.  ("SECITEM_FreeItem(item, PR_TRUE)")
+ */
+static SECItem *
+read_file_into_item (PRFileDesc *in_file, SECItemType si_type)
+{
+    PRStatus	 prv;
+    SECItem 	*item;
+    PRFileInfo	 file_info;
+    PRInt32	 bytes_read;
+
+    prv = PR_GetOpenFileInfo (in_file, &file_info);
+    if (prv != PR_SUCCESS)
+	return NULL;
+
+    if (file_info.size ==  0) {
+	/* XXX Need a better error; just grabbed this one for expediency. */
+	PORT_SetError (SEC_ERROR_INPUT_LEN);
+	return NULL;
+    }
+
+    if (file_info.size > 0xffff) {	/* I think this is too big. */
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    item = PORT_Alloc (sizeof (SECItem));
+    if (item == NULL)
+	return NULL;
+
+    item->type = si_type;
+    item->len = (unsigned int) file_info.size;
+    item->data = PORT_Alloc ((size_t)item->len);
+    if (item->data == NULL)
+	goto loser;
+
+    bytes_read = PR_Read (in_file, item->data, (PRInt32) item->len);
+    if (bytes_read < 0) {
+	/* Something went wrong; error is already set for us. */
+	goto loser;
+    } else if (bytes_read == 0) {
+	/* Something went wrong; we read nothing.  But no system/nspr error. */
+	/* XXX Need to set an error here. */
+	goto loser;
+    } else if (item->len != (unsigned int)bytes_read) {
+	/* Something went wrong; we read less (or more!?) than we expected. */
+	/* XXX Need to set an error here. */
+	goto loser;
+    }
+
+    return item;
+
+loser:
+    SECITEM_FreeItem (item, PR_TRUE);
+    return NULL;
+}
+
+
+/*
+ * Create a DER-encoded OCSP request (for the certificate whose nickname
+ * is "name") and dump it out.
+ */
+static SECStatus
+create_request (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool add_service_locator, PRBool add_acceptable_responses)
+{
+    CERTCertList *certs = NULL;
+    CERTCertificate *myCert = NULL;
+    CERTOCSPRequest *request = NULL;
+    int64 now = PR_Now();
+    SECItem *encoding = NULL;
+    SECStatus rv = SECFailure;
+
+    if (handle == NULL || cert == NULL)
+	return rv;
+
+    myCert = CERT_DupCertificate(cert);
+    if (myCert == NULL)
+        goto loser;
+
+    /*
+     * We need to create a list of one.
+     */
+    certs = CERT_NewCertList();
+    if (certs == NULL)
+	goto loser;
+
+    if (CERT_AddCertToListTail (certs, myCert) != SECSuccess)
+	goto loser;
+
+    /*
+     * Now that cert is included in the list, we need to be careful
+     * that we do not try to destroy it twice.  This will prevent that.
+     */
+    myCert = NULL;
+
+    request = CERT_CreateOCSPRequest (certs, now, add_service_locator, NULL);
+    if (request == NULL)
+	goto loser;
+
+    if (add_acceptable_responses) {
+	rv = CERT_AddOCSPAcceptableResponses(request,
+					     SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    encoding = CERT_EncodeOCSPRequest (NULL, request, NULL);
+    if (encoding == NULL)
+	goto loser;
+
+    MAKE_FILE_BINARY(out_file);
+    if (fwrite (encoding->data, encoding->len, 1, out_file) != 1)
+	goto loser;
+
+    rv = SECSuccess;
+
+loser:
+    if (encoding != NULL)
+	SECITEM_FreeItem(encoding, PR_TRUE);
+    if (request != NULL)
+	CERT_DestroyOCSPRequest(request);
+    if (certs != NULL)
+	CERT_DestroyCertList (certs);
+    if (myCert != NULL)
+	CERT_DestroyCertificate(myCert);
+
+    return rv;
+}
+
+
+/*
+ * Create a DER-encoded OCSP request (for the certificate whose nickname is
+ * "cert_name"), then get and dump a corresponding response.  The responder
+ * location is either specified explicitly (as "responder_url") or found
+ * via the AuthorityInfoAccess URL in the cert.
+ */
+static SECStatus
+dump_response (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
+	       const char *responder_url)
+{
+    CERTCertList *certs = NULL;
+    CERTCertificate *myCert = NULL;
+    char *loc = NULL;
+    int64 now = PR_Now();
+    SECItem *response = NULL;
+    SECStatus rv = SECFailure;
+    PRBool includeServiceLocator;
+
+    if (handle == NULL || cert == NULL)
+	return rv;
+
+    myCert = CERT_DupCertificate(cert);
+    if (myCert == NULL)
+        goto loser;
+
+    if (responder_url != NULL) {
+	loc = (char *) responder_url;
+	includeServiceLocator = PR_TRUE;
+    } else {
+	loc = CERT_GetOCSPAuthorityInfoAccessLocation (cert);
+	if (loc == NULL)
+	    goto loser;
+	includeServiceLocator = PR_FALSE;
+    }
+
+    /*
+     * We need to create a list of one.
+     */
+    certs = CERT_NewCertList();
+    if (certs == NULL)
+	goto loser;
+
+    if (CERT_AddCertToListTail (certs, myCert) != SECSuccess)
+	goto loser;
+
+    /*
+     * Now that cert is included in the list, we need to be careful
+     * that we do not try to destroy it twice.  This will prevent that.
+     */
+    myCert = NULL;
+
+    response = CERT_GetEncodedOCSPResponse (NULL, certs, loc, now,
+					    includeServiceLocator,
+					    NULL, NULL, NULL);
+    if (response == NULL)
+	goto loser;
+
+    MAKE_FILE_BINARY(out_file);
+    if (fwrite (response->data, response->len, 1, out_file) != 1)
+	goto loser;
+
+    rv = SECSuccess;
+
+loser:
+    if (response != NULL)
+	SECITEM_FreeItem (response, PR_TRUE);
+    if (certs != NULL)
+	CERT_DestroyCertList (certs);
+    if (myCert != NULL)
+	CERT_DestroyCertificate(myCert);
+    if (loc != NULL && loc != responder_url)
+	PORT_Free (loc);
+
+    return rv;
+}
+
+
+/*
+ * Get the status for the specified certificate (whose nickname is "cert_name").
+ * Directly use the OCSP function rather than doing a full verification.
+ */
+static SECStatus
+get_cert_status (FILE *out_file, CERTCertDBHandle *handle,
+		 CERTCertificate *cert, const char *cert_name,
+                 int64 verify_time)
+{
+    SECStatus rv = SECFailure;
+
+    if (handle == NULL || cert == NULL)
+	goto loser;
+
+    rv = CERT_CheckOCSPStatus (handle, cert, verify_time, NULL);
+
+    fprintf (out_file, "Check of certificate \"%s\" ", cert_name); 
+    if (rv == SECSuccess) {
+	fprintf (out_file, "succeeded.\n"); 
+    } else {
+	const char *error_string = SECU_Strerror(PORT_GetError());
+	fprintf (out_file, "failed.  Reason:\n");
+	if (error_string != NULL && PORT_Strlen(error_string) > 0)
+	    fprintf (out_file, "%s\n", error_string);
+	else
+	    fprintf (out_file, "Unknown\n");
+    }
+
+    rv = SECSuccess;
+
+loser:
+
+    return rv;
+}
+
+
+/*
+ * Verify the specified certificate (whose nickname is "cert_name").
+ * OCSP is already turned on, so we just need to call the standard
+ * certificate verification API and let it do all the work.
+ */
+static SECStatus
+verify_cert (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
+	     const char *cert_name, SECCertUsage cert_usage, int64 verify_time)
+{
+    SECStatus rv = SECFailure;
+
+    if (handle == NULL || cert == NULL)
+	return rv;
+
+    rv = CERT_VerifyCert (handle, cert, PR_TRUE, cert_usage, verify_time,
+			  NULL, NULL);
+
+    fprintf (out_file, "Verification of certificate \"%s\" ", cert_name); 
+    if (rv == SECSuccess) {
+	fprintf (out_file, "succeeded.\n"); 
+    } else {
+	const char *error_string = SECU_Strerror(PORT_GetError());
+	fprintf (out_file, "failed.  Reason:\n");
+	if (error_string != NULL && PORT_Strlen(error_string) > 0)
+	    fprintf (out_file, "%s\n", error_string);
+	else
+	    fprintf (out_file, "Unknown\n");
+    }
+
+    rv = SECSuccess;
+
+    return rv;
+}
+
+CERTCertificate*
+find_certificate(CERTCertDBHandle *handle, const char *name, PRBool ascii)
+{
+    CERTCertificate *cert = NULL;
+    SECItem der;
+    PRFileDesc *certFile;
+
+    if (handle == NULL || name == NULL)
+        return NULL;
+
+    if (ascii == PR_FALSE) { 
+        /* by default need to check if there is cert nick is given */
+        cert = CERT_FindCertByNicknameOrEmailAddr (handle, (char *) name);
+        if (cert != NULL)
+            return cert;
+    }
+
+    certFile = PR_Open(name, PR_RDONLY, 0);
+    if (certFile == NULL) {
+        return NULL;
+    }
+
+    if (SECU_ReadDERFromFile(&der, certFile, ascii) == SECSuccess) {
+        cert = CERT_DecodeCertFromPackage((char*)der.data, der.len);
+        SECITEM_FreeItem(&der, PR_FALSE);
+    }
+    PR_Close(certFile);
+
+    return cert;
+}
+
+
+#ifdef	NO_PP
+
+static SECStatus
+print_request (FILE *out_file, SECItem *data)
+{
+    fprintf (out_file, "Cannot pretty-print request compiled with NO_PP.\n");
+    return SECSuccess;
+}
+
+static SECStatus
+print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
+{
+    fprintf (out_file, "Cannot pretty-print response compiled with NO_PP.\n");
+    return SECSuccess;
+}
+
+#else /* NO_PP */
+
+static void
+print_ocsp_version (FILE *out_file, SECItem *version, int level)
+{
+    if (version->len > 0) {
+	SECU_PrintInteger (out_file, version, "Version", level);
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "Version: DEFAULT\n");
+    }
+}
+
+
+static void
+print_ocsp_cert_id (FILE *out_file, CERTOCSPCertID *cert_id, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Cert ID:\n");
+    level++;
+
+    SECU_PrintAlgorithmID (out_file, &(cert_id->hashAlgorithm),
+			   "Hash Algorithm", level);
+    SECU_PrintAsHex (out_file, &(cert_id->issuerNameHash),
+		     "Issuer Name Hash", level);
+    SECU_PrintAsHex (out_file, &(cert_id->issuerKeyHash),
+		     "Issuer Key Hash", level);
+    SECU_PrintInteger (out_file, &(cert_id->serialNumber),
+		       "Serial Number", level);
+    /* XXX lookup the cert; if found, print something nice (nickname?) */
+}
+
+
+static void
+print_raw_certificates (FILE *out_file, SECItem **raw_certs, int level)
+{
+    SECItem *raw_cert;
+    int i = 0;
+    char cert_label[50];
+
+    SECU_Indent (out_file, level);
+
+    if (raw_certs == NULL) {
+	fprintf (out_file, "No Certificates.\n");
+	return;
+    }
+
+    fprintf (out_file, "Certificate List:\n");
+    while ((raw_cert = raw_certs[i++]) != NULL) {
+	sprintf (cert_label, "Certificate (%d)", i);
+	(void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1,
+				     SECU_PrintCertificate);
+    }
+}
+
+
+static void
+print_ocsp_extensions (FILE *out_file, CERTCertExtension **extensions,
+		       char *msg, int level)
+{
+    if (extensions) {
+	SECU_PrintExtensions (out_file, extensions, msg, level);
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "No %s\n", msg);
+    }
+}
+
+
+static void
+print_single_request (FILE *out_file, ocspSingleRequest *single, int level)
+{
+    print_ocsp_cert_id (out_file, single->reqCert, level);
+    print_ocsp_extensions (out_file, single->singleRequestExtensions,
+			   "Single Request Extensions", level);
+}
+
+
+/*
+ * Decode the DER/BER-encoded item "data" as an OCSP request
+ * and pretty-print the subfields.
+ */
+static SECStatus
+print_request (FILE *out_file, SECItem *data)
+{
+    CERTOCSPRequest *request;
+    ocspTBSRequest *tbsRequest;
+    int level = 0;
+
+    PORT_Assert (out_file != NULL);
+    PORT_Assert (data != NULL);
+    if (out_file == NULL || data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    request = CERT_DecodeOCSPRequest (data);
+    if (request == NULL || request->tbsRequest == NULL)
+	return SECFailure;
+
+    tbsRequest = request->tbsRequest;
+
+    fprintf (out_file, "TBS Request:\n");
+    level++;
+
+    print_ocsp_version (out_file, &(tbsRequest->version), level);
+
+    /*
+     * XXX Probably should be an interface to get the signer name
+     * without looking inside the tbsRequest at all.
+     */
+    if (tbsRequest->requestorName != NULL) {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "XXX print the requestorName\n");
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "No Requestor Name.\n");
+    }
+
+    if (tbsRequest->requestList != NULL) {
+	int i;
+
+	for (i = 0; tbsRequest->requestList[i] != NULL; i++) {
+	    SECU_Indent (out_file, level);
+	    fprintf (out_file, "Request %d:\n", i);
+	    print_single_request (out_file, tbsRequest->requestList[i],
+				  level + 1);
+	}
+    } else {
+	fprintf (out_file, "Request list is empty.\n");
+    }
+
+    print_ocsp_extensions (out_file, tbsRequest->requestExtensions,
+			   "Request Extensions", level);
+
+    if (request->optionalSignature != NULL) {
+	ocspSignature *whole_sig;
+	SECItem rawsig;
+
+	fprintf (out_file, "Signature:\n");
+
+	whole_sig = request->optionalSignature;
+	SECU_PrintAlgorithmID (out_file, &(whole_sig->signatureAlgorithm),
+			       "Signature Algorithm", level);
+
+	rawsig = whole_sig->signature;
+	DER_ConvertBitString (&rawsig);
+	SECU_PrintAsHex (out_file, &rawsig, "Signature", level);
+
+	print_raw_certificates (out_file, whole_sig->derCerts, level);
+
+	fprintf (out_file, "XXX verify the sig and print result\n");
+    } else {
+	fprintf (out_file, "No Signature\n");
+    }
+
+    CERT_DestroyOCSPRequest (request);
+    return SECSuccess;
+}
+
+
+static void
+print_revoked_info (FILE *out_file, ocspRevokedInfo *revoked_info, int level)
+{
+    SECU_PrintGeneralizedTime (out_file, &(revoked_info->revocationTime),
+			       "Revocation Time", level);
+
+    if (revoked_info->revocationReason != NULL) {
+	SECU_PrintAsHex (out_file, revoked_info->revocationReason,
+			 "Revocation Reason", level);
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "No Revocation Reason.\n");
+    }
+}
+
+
+static void
+print_cert_status (FILE *out_file, ocspCertStatus *status, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Status: ");
+
+    switch (status->certStatusType) {
+      case ocspCertStatus_good:
+	fprintf (out_file, "Cert is good.\n");
+	break;
+      case ocspCertStatus_revoked:
+	fprintf (out_file, "Cert has been revoked.\n");
+	print_revoked_info (out_file, status->certStatusInfo.revokedInfo,
+			    level + 1);
+	break;
+      case ocspCertStatus_unknown:
+	fprintf (out_file, "Cert is unknown to responder.\n");
+	break;
+      default:
+	fprintf (out_file, "Unrecognized status.\n");
+	break;
+    }
+}
+
+
+static void
+print_single_response (FILE *out_file, CERTOCSPSingleResponse *single,
+		       int level)
+{
+    print_ocsp_cert_id (out_file, single->certID, level);
+
+    print_cert_status (out_file, single->certStatus, level);
+
+    SECU_PrintGeneralizedTime (out_file, &(single->thisUpdate),
+			       "This Update", level);
+
+    if (single->nextUpdate != NULL) {
+	SECU_PrintGeneralizedTime (out_file, single->nextUpdate,
+				   "Next Update", level);
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "No Next Update\n");
+    }
+
+    print_ocsp_extensions (out_file, single->singleExtensions,
+			   "Single Response Extensions", level);
+}
+
+
+static void
+print_responder_id (FILE *out_file, ocspResponderID *responderID, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Responder ID ");
+
+    switch (responderID->responderIDType) {
+      case ocspResponderID_byName:
+	fprintf (out_file, "(byName):\n");
+	SECU_PrintName (out_file, &(responderID->responderIDValue.name),
+			"Name", level + 1);
+	break;
+      case ocspResponderID_byKey:
+	fprintf (out_file, "(byKey):\n");
+	SECU_PrintAsHex (out_file, &(responderID->responderIDValue.keyHash),
+			 "Key Hash", level + 1);
+	break;
+      default:
+	fprintf (out_file, "Unrecognized Responder ID Type\n");
+	break;
+    }
+}
+
+
+static void
+print_response_data (FILE *out_file, ocspResponseData *responseData, int level)
+{
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Response Data:\n");
+    level++;
+
+    print_ocsp_version (out_file, &(responseData->version), level);
+
+    print_responder_id (out_file, responseData->responderID, level);
+
+    SECU_PrintGeneralizedTime (out_file, &(responseData->producedAt),
+			       "Produced At", level);
+
+    if (responseData->responses != NULL) {
+	int i;
+
+	for (i = 0; responseData->responses[i] != NULL; i++) {
+	    SECU_Indent (out_file, level);
+	    fprintf (out_file, "Response %d:\n", i);
+	    print_single_response (out_file, responseData->responses[i],
+				   level + 1);
+	}
+    } else {
+	fprintf (out_file, "Response list is empty.\n");
+    }
+
+    print_ocsp_extensions (out_file, responseData->responseExtensions,
+			   "Response Extensions", level);
+}
+
+
+static void
+print_basic_response (FILE *out_file, ocspBasicOCSPResponse *basic, int level)
+{
+    SECItem rawsig;
+
+    SECU_Indent (out_file, level);
+    fprintf (out_file, "Basic OCSP Response:\n");
+    level++;
+
+    print_response_data (out_file, basic->tbsResponseData, level);
+
+    SECU_PrintAlgorithmID (out_file,
+			   &(basic->responseSignature.signatureAlgorithm),
+			   "Signature Algorithm", level);
+
+    rawsig = basic->responseSignature.signature;
+    DER_ConvertBitString (&rawsig);
+    SECU_PrintAsHex (out_file, &rawsig, "Signature", level);
+
+    print_raw_certificates (out_file, basic->responseSignature.derCerts, level);
+}
+
+
+/*
+ * Note this must match (exactly) the enumeration ocspResponseStatus.
+ */
+static char *responseStatusNames[] = {
+    "successful (Response has valid confirmations)",
+    "malformedRequest (Illegal confirmation request)",
+    "internalError (Internal error in issuer)",
+    "tryLater (Try again later)",
+    "unused ((4) is not used)",
+    "sigRequired (Must sign the request)",
+    "unauthorized (Request unauthorized)",
+    "other (Status value out of defined range)"
+};
+
+/*
+ * Decode the DER/BER-encoded item "data" as an OCSP response
+ * and pretty-print the subfields.
+ */
+static SECStatus
+print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
+{
+    CERTOCSPResponse *response;
+    int level = 0;
+
+    PORT_Assert (out_file != NULL);
+    PORT_Assert (data != NULL);
+    if (out_file == NULL || data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    response = CERT_DecodeOCSPResponse (data);
+    if (response == NULL)
+	return SECFailure;
+
+    PORT_Assert (response->statusValue <= ocspResponse_other);
+    fprintf (out_file, "Response Status: %s\n",
+	     responseStatusNames[response->statusValue]);
+
+    if (response->statusValue == ocspResponse_successful) {
+	ocspResponseBytes *responseBytes = response->responseBytes;
+	SECStatus sigStatus;
+	CERTCertificate *signerCert = NULL;
+
+	PORT_Assert (responseBytes != NULL);
+
+	level++;
+	fprintf (out_file, "Response Bytes:\n");
+	SECU_PrintObjectID (out_file, &(responseBytes->responseType),
+			    "Response Type", level);
+	switch (response->responseBytes->responseTypeTag) {
+	  case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
+	    print_basic_response (out_file,
+				  responseBytes->decodedResponse.basic,
+				  level);
+	    break;
+	  default:
+	    SECU_Indent (out_file, level);
+	    fprintf (out_file, "Unknown response syntax\n");
+	    break;
+	}
+
+	sigStatus = CERT_VerifyOCSPResponseSignature (response, handle,
+						      NULL, &signerCert, NULL);
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "Signature verification ");
+	if (sigStatus != SECSuccess) {
+	    fprintf (out_file, "failed: %s\n", SECU_Strerror (PORT_GetError()));
+	} else {
+	    fprintf (out_file, "succeeded.\n");
+	    if (signerCert != NULL) {
+		SECU_PrintName (out_file, &signerCert->subject, "Signer",
+				level);
+		CERT_DestroyCertificate (signerCert);
+	    } else {
+		SECU_Indent (out_file, level);
+		fprintf (out_file, "No signer cert returned?\n");
+	    }
+	}
+    } else {
+	SECU_Indent (out_file, level);
+	fprintf (out_file, "Unsuccessful response, no more information.\n");
+    }
+
+    CERT_DestroyOCSPResponse (response);
+    return SECSuccess;
+}
+
+#endif	/* NO_PP */
+
+
+static SECStatus
+cert_usage_from_char (const char *cert_usage_str, SECCertUsage *cert_usage)
+{
+    PORT_Assert (cert_usage_str != NULL);
+    PORT_Assert (cert_usage != NULL);
+
+    if (PORT_Strlen (cert_usage_str) != 1)
+	return SECFailure;
+
+    switch (*cert_usage_str) {
+      case 'c':
+	*cert_usage = certUsageSSLClient;
+	break;
+      case 's':
+	*cert_usage = certUsageSSLServer;
+	break;
+      case 'e':
+	*cert_usage = certUsageEmailRecipient;
+	break;
+      case 'E':
+	*cert_usage = certUsageEmailSigner;
+	break;
+      case 'S':
+	*cert_usage = certUsageObjectSigner;
+	break;
+      case 'C':
+	*cert_usage = certUsageVerifyCA;
+	break;
+      default:
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+int
+main (int argc, char **argv)
+{
+    int		 retval;
+    PRFileDesc	*in_file;
+    FILE	*out_file;	/* not PRFileDesc until SECU accepts it */
+    int		 crequest, dresponse;
+    int		 prequest, presponse;
+    int		 ccert, vcert;
+    const char	*db_dir, *date_str, *cert_usage_str, *name;
+    const char	*responder_name, *responder_url, *signer_name;
+    PRBool	 add_acceptable_responses, add_service_locator;
+    SECItem	*data = NULL;
+    PLOptState	*optstate;
+    SECStatus	 rv;
+    CERTCertDBHandle *handle = NULL;
+    SECCertUsage cert_usage;
+    int64	 verify_time;
+    CERTCertificate *cert = NULL;
+    PRBool ascii = PR_FALSE;
+
+    retval = -1;		/* what we return/exit with on error */
+
+    program_name = PL_strrchr(argv[0], '/');
+    program_name = program_name ? (program_name + 1) : argv[0];
+
+    in_file = PR_STDIN;
+    out_file = stdout;
+
+    crequest = 0;
+    dresponse = 0;
+    prequest = 0;
+    presponse = 0;
+    ccert = 0;
+    vcert = 0;
+
+    db_dir = NULL;
+    date_str = NULL;
+    cert_usage_str = NULL;
+    name = NULL;
+    responder_name = NULL;
+    responder_url = NULL;
+    signer_name = NULL;
+
+    add_acceptable_responses = PR_FALSE;
+    add_service_locator = PR_FALSE;
+
+    optstate = PL_CreateOptState (argc, argv, "AHLPR:S:V:d:l:pr:s:t:u:w:");
+    if (optstate == NULL) {
+	SECU_PrintError (program_name, "PL_CreateOptState failed");
+	return retval;
+    }
+
+    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    short_usage (program_name);
+	    return retval;
+
+	  case 'A':
+	    add_acceptable_responses = PR_TRUE;
+	    break;
+
+	  case 'H':
+	    long_usage (program_name);
+	    return retval;
+
+	  case 'L':
+	    add_service_locator = PR_TRUE;
+	    break;
+
+	  case 'P':
+	    presponse = 1;
+	    break;
+
+	  case 'R':
+	    dresponse = 1;
+	    name = optstate->value;
+	    break;
+
+	  case 'S':
+	    ccert = 1;
+	    name = optstate->value;
+	    break;
+
+	  case 'V':
+	    vcert = 1;
+	    name = optstate->value;
+	    break;
+
+	  case 'a':
+	    ascii = PR_TRUE;
+	    break;
+
+	  case 'd':
+	    db_dir = optstate->value;
+	    break;
+
+	  case 'l':
+	    responder_url = optstate->value;
+	    break;
+
+	  case 'p':
+	    prequest = 1;
+	    break;
+
+	  case 'r':
+	    crequest = 1;
+	    name = optstate->value;
+	    break;
+
+	  case 's':
+	    signer_name = optstate->value;
+	    break;
+
+	  case 't':
+	    responder_name = optstate->value;
+	    break;
+
+	  case 'u':
+	    cert_usage_str = optstate->value;
+	    break;
+
+	  case 'w':
+	    date_str = optstate->value;
+	    break;
+	}
+    }
+
+    PL_DestroyOptState(optstate);
+
+    if ((crequest + dresponse + prequest + presponse + ccert + vcert) != 1) {
+	PR_fprintf (PR_STDERR, "%s: must specify exactly one command\n\n",
+		    program_name);
+	short_usage (program_name);
+	return retval;
+    }
+
+    if (vcert) {
+	if (cert_usage_str == NULL) {
+	    PR_fprintf (PR_STDERR, "%s: verification requires cert usage\n\n",
+			program_name);
+	    short_usage (program_name);
+	    return retval;
+	}
+
+	rv = cert_usage_from_char (cert_usage_str, &cert_usage);
+	if (rv != SECSuccess) {
+	    PR_fprintf (PR_STDERR, "%s: invalid cert usage (\"%s\")\n\n",
+			program_name, cert_usage_str);
+	    long_usage (program_name);
+	    return retval;
+	}
+    }
+
+    if (ccert + vcert) {
+	if (responder_url != NULL || responder_name != NULL) {
+	    /*
+	     * To do a full status check, both the URL and the cert name
+	     * of the responder must be specified if either one is.
+	     */
+	    if (responder_url == NULL || responder_name == NULL) {
+		if (responder_url == NULL)
+		    PR_fprintf (PR_STDERR,
+				"%s: must also specify responder location\n\n",
+				program_name);
+		else
+		    PR_fprintf (PR_STDERR,
+				"%s: must also specify responder name\n\n",
+				program_name);
+		short_usage (program_name);
+		return retval;
+	    }
+	}
+
+	if (date_str != NULL) {
+	    rv = DER_AsciiToTime (&verify_time, (char *) date_str);
+	    if (rv != SECSuccess) {
+		SECU_PrintError (program_name, "error converting time string");
+		PR_fprintf (PR_STDERR, "\n");
+		long_usage (program_name);
+		return retval;
+	    }
+	} else {
+	    verify_time = PR_Now();
+	}
+    }
+
+    retval = -2;		/* errors change from usage to runtime */
+
+    /*
+     * Initialize the NSPR and Security libraries.
+     */
+    PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    db_dir = SECU_ConfigDirectory (db_dir);
+    rv = NSS_Init (db_dir);
+    if (rv != SECSuccess) {
+	SECU_PrintError (program_name, "NSS_Init failed");
+	goto prdone;
+    }
+    SECU_RegisterDynamicOids();
+
+    if (prequest + presponse) {
+	MAKE_FILE_BINARY(stdin);
+	data = read_file_into_item (in_file, siBuffer);
+	if (data == NULL) {
+	    SECU_PrintError (program_name, "problem reading input");
+	    goto nssdone;
+	}
+    }
+
+    if (crequest + dresponse + presponse + ccert + vcert) {
+	handle = CERT_GetDefaultCertDB();
+	if (handle == NULL) {
+	    SECU_PrintError (program_name, "problem getting certdb handle");
+	    goto nssdone;
+	}
+
+	/*
+	 * It would be fine to do the enable for all of these commands,
+	 * but this way we check that everything but an overall verify
+	 * can be done without it.  That is, that the individual pieces
+	 * work on their own.
+	 */
+	if (vcert) {
+	    rv = CERT_EnableOCSPChecking (handle);
+	    if (rv != SECSuccess) {
+		SECU_PrintError (program_name, "error enabling OCSP checking");
+		goto nssdone;
+	    }
+	}
+
+	if ((ccert + vcert) && (responder_name != NULL)) {
+	    rv = CERT_SetOCSPDefaultResponder (handle, responder_url,
+					       responder_name);
+	    if (rv != SECSuccess) {
+		SECU_PrintError (program_name,
+				 "error setting default responder");
+		goto nssdone;
+	    }
+
+	    rv = CERT_EnableOCSPDefaultResponder (handle);
+	    if (rv != SECSuccess) {
+		SECU_PrintError (program_name,
+				 "error enabling default responder");
+		goto nssdone;
+	    }
+	}
+    }
+
+#define NOTYET(opt)							\
+	{								\
+	    PR_fprintf (PR_STDERR, "%s not yet working\n", opt);	\
+	    exit (-1);							\
+	}
+
+    if (name) {
+        cert = find_certificate(handle, name, ascii);
+    }
+
+    if (crequest) {
+	if (signer_name != NULL) {
+	    NOTYET("-s");
+	}
+	rv = create_request (out_file, handle, cert, add_service_locator,
+			     add_acceptable_responses);
+    } else if (dresponse) {
+	if (signer_name != NULL) {
+	    NOTYET("-s");
+	}
+	rv = dump_response (out_file, handle, cert, responder_url);
+    } else if (prequest) {
+	rv = print_request (out_file, data);
+    } else if (presponse) {
+	rv = print_response (out_file, data, handle);
+    } else if (ccert) {
+	if (signer_name != NULL) {
+	    NOTYET("-s");
+	}
+	rv = get_cert_status (out_file, handle, cert, name, verify_time);
+    } else if (vcert) {
+	if (signer_name != NULL) {
+	    NOTYET("-s");
+	}
+	rv = verify_cert (out_file, handle, cert, name, cert_usage, verify_time);
+    }
+
+    if (rv != SECSuccess)
+	SECU_PrintError (program_name, "error performing requested operation");
+    else
+	retval = 0;
+
+nssdone:
+    if (cert) {
+        CERT_DestroyCertificate(cert);
+    }
+
+    if (data != NULL) {
+	SECITEM_FreeItem (data, PR_TRUE);
+    }
+
+    if (handle != NULL) {
+ 	CERT_DisableOCSPDefaultResponder(handle);        
+ 	CERT_DisableOCSPChecking (handle);
+    }
+
+    if (NSS_Shutdown () != SECSuccess) {
+	retval = 1;
+    }
+
+prdone:
+    PR_Cleanup ();
+    return retval;
+}
diff --git a/security/nss/cmd/oidcalc/Makefile b/security/nss/cmd/oidcalc/Makefile
new file mode 100644
index 000000000..27ca0c50e
--- /dev/null
+++ b/security/nss/cmd/oidcalc/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/oidcalc/manifest.mn b/security/nss/cmd/oidcalc/manifest.mn
new file mode 100644
index 000000000..59fe6c51c
--- /dev/null
+++ b/security/nss/cmd/oidcalc/manifest.mn
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = oidcalc.c
+
+PROGRAM	= oidcalc
diff --git a/security/nss/cmd/oidcalc/oidcalc.c b/security/nss/cmd/oidcalc/oidcalc.c
new file mode 100644
index 000000000..27b0e2b3b
--- /dev/null
+++ b/security/nss/cmd/oidcalc/oidcalc.c
@@ -0,0 +1,120 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+main(int argc, char **argv)
+{
+    char *curstr;
+    char *nextstr;
+    unsigned int firstval;
+    unsigned int secondval;
+    unsigned int val;
+    unsigned char buf[5];
+    int count;
+    
+    if ( argc != 2 ) {
+	fprintf(stderr, "wrong number of args\n");
+	exit(-1);
+    }
+    
+    curstr = argv[1];
+    
+    nextstr = strchr(curstr, '.');
+    
+    if ( nextstr == NULL ) {
+	fprintf(stderr, "only one component\n");
+	exit(-1);
+    }
+    
+    *nextstr = '\0';
+    firstval = atoi(curstr);
+
+    curstr = nextstr + 1;
+    
+    nextstr = strchr(curstr, '.');
+
+    if ( nextstr ) {
+	*nextstr = '\0';
+    }
+
+    secondval = atoi(curstr);
+    
+    if ( ( firstval < 0 ) || ( firstval > 2 ) ) {
+	fprintf(stderr, "first component out of range\n");
+	exit(-1);
+	
+    }
+    
+    if ( ( secondval < 0 ) || ( secondval > 39 ) ) {
+	fprintf(stderr, "second component out of range\n");
+	exit(-1);
+    }
+    
+    printf("0x%x, ", ( firstval * 40 ) + secondval );
+    while ( nextstr ) {
+	curstr = nextstr + 1;
+
+	nextstr = strchr(curstr, '.');
+
+	if ( nextstr ) {
+	    *nextstr = '\0';
+	}
+
+	memset(buf, 0, sizeof(buf));
+	val = atoi(curstr);
+	count = 0;
+	while ( val ) {
+	    buf[count] = ( val & 0x7f );
+	    val = val >> 7;
+	    count++;
+	}
+
+	while ( count-- ) {
+	    if ( count ) {
+		printf("0x%x, ", buf[count] | 0x80 );
+	    } else {
+		printf("0x%x, ", buf[count] );
+	    }
+	}
+    }
+    printf("\n");
+    return 0;
+}
+
diff --git a/security/nss/cmd/p7content/Makefile b/security/nss/cmd/p7content/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/p7content/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/p7content/manifest.mn b/security/nss/cmd/p7content/manifest.mn
new file mode 100644
index 000000000..3a9f7f9a7
--- /dev/null
+++ b/security/nss/cmd/p7content/manifest.mn
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+MODULE = nss
+
+CSRCS = p7content.c
+
+REQUIRES = seccmd 
+
+PROGRAM = p7content
+
diff --git a/security/nss/cmd/p7content/p7content.c b/security/nss/cmd/p7content/p7content.c
new file mode 100644
index 000000000..95c0eccf2
--- /dev/null
+++ b/security/nss/cmd/p7content/p7content.c
@@ -0,0 +1,287 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * p7content -- A command to display pkcs7 content.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "plgetopt.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "nss.h"
+#include "pk11pub.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+
+
+
+static void
+Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s [-d dbdir] [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr,
+	    "%-20s Key/Cert database directory (default is ~/.netscape)\n",
+	    "-d dbdir");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+static PRBool saw_content;
+static secuPWData  pwdata          = { PW_NONE, 0 };
+
+static void
+PrintBytes(void *arg, const char *buf, unsigned long len)
+{
+    FILE *out;
+
+    out = arg; 
+    fwrite (buf, len, 1, out);
+
+    saw_content = PR_TRUE;
+}
+
+/*
+ * XXX Someday we may want to do real policy stuff here.  This allows
+ * anything to be decrypted, which is okay for a test program but does
+ * not set an example of how a real client with a real policy would
+ * need to do it.
+ */
+static PRBool
+decryption_allowed(SECAlgorithmID *algid, PK11SymKey *key)
+{
+    return PR_TRUE;
+}
+
+int
+DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName)
+{
+    SECItem derdata;
+    SEC_PKCS7ContentInfo *cinfo = NULL;
+    SEC_PKCS7DecoderContext *dcx;
+
+    if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE)) {
+        SECU_PrintError(progName, "error converting der");
+	return -1;
+    }
+
+    fprintf(out,
+	    "Content printed between bars (newline added before second bar):");
+    fprintf(out, "\n---------------------------------------------\n");
+
+    saw_content = PR_FALSE;
+    dcx = SEC_PKCS7DecoderStart(PrintBytes, out, NULL, &pwdata,
+				NULL, NULL, decryption_allowed);
+    if (dcx != NULL) {
+#if 0	/* Test that decoder works when data is really streaming in. */
+	{
+	    unsigned long i;
+	    for (i = 0; i < derdata.len; i++)
+		SEC_PKCS7DecoderUpdate(dcx, derdata.data + i, 1);
+	}
+#else
+	SEC_PKCS7DecoderUpdate(dcx, (char *)derdata.data, derdata.len);
+#endif
+	cinfo = SEC_PKCS7DecoderFinish(dcx);
+    }
+
+    fprintf(out, "\n---------------------------------------------\n");
+
+    if (cinfo == NULL)
+	return -1;
+
+    fprintf(out, "Content was%s encrypted.\n",
+	    SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
+
+    if (SEC_PKCS7ContentIsSigned(cinfo)) {
+	char *signer_cname, *signer_ename;
+	SECItem *signing_time;
+
+	if (saw_content) {
+	    fprintf(out, "Signature is ");
+	    PORT_SetError(0);
+	    if (SEC_PKCS7VerifySignature(cinfo, certUsageEmailSigner, PR_FALSE))
+		fprintf(out, "valid.\n");
+	    else
+		fprintf(out, "invalid (Reason: %s).\n",
+			SECU_Strerror(PORT_GetError()));
+	} else {
+	    fprintf(out,
+		    "Content is detached; signature cannot be verified.\n");
+	}
+
+	signer_cname = SEC_PKCS7GetSignerCommonName(cinfo);
+	if (signer_cname != NULL) {
+	    fprintf(out, "The signer's common name is %s\n", signer_cname);
+	    PORT_Free(signer_cname);
+	} else {
+	    fprintf(out, "No signer common name.\n");
+	}
+
+	signer_ename = SEC_PKCS7GetSignerEmailAddress(cinfo);
+	if (signer_ename != NULL) {
+	    fprintf(out, "The signer's email address is %s\n", signer_ename);
+	    PORT_Free(signer_ename);
+	} else {
+	    fprintf(out, "No signer email address.\n");
+	}
+
+	signing_time = SEC_PKCS7GetSigningTime(cinfo);
+	if (signing_time != NULL) {
+	    SECU_PrintTimeChoice(out, signing_time, "Signing time", 0);
+	} else {
+	    fprintf(out, "No signing time included.\n");
+	}
+    } else {
+	fprintf(out, "Content was not signed.\n");
+    }
+
+    fprintf(out, "There were%s certs or crls included.\n",
+	    SEC_PKCS7ContainsCertsOrCrls(cinfo) ? "" : " no");
+
+    SEC_PKCS7DestroyContentInfo(cinfo);
+    return 0;
+}
+
+/*
+ * Print the contents of a PKCS7 message, indicating signatures, etc.
+ */
+
+int
+main(int argc, char **argv)
+{
+    char *progName;
+    FILE *outFile;
+    PRFileDesc *inFile;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus rv;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    inFile = NULL;
+    outFile = NULL;
+
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, "d:i:o:p:f:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+	  case 'i':
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "w");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'p':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = PORT_Strdup (optstate->value);
+            break;
+
+          case 'f':
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = PORT_Strdup (optstate->value);
+            break;
+
+	  default:
+	    Usage(progName);
+	    break;
+	}
+    }
+    if (status == PL_OPT_BAD)
+	Usage(progName);
+
+    if (!inFile) inFile = PR_STDIN;
+    if (!outFile) outFile = stdout;
+
+    /* Call the initialization routines */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    if (DecodeAndPrintFile(outFile, inFile, progName)) {
+	SECU_PrintError(progName, "problem decoding data");
+	return -1;
+    }
+    
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    return 0;
+}
diff --git a/security/nss/cmd/p7env/Makefile b/security/nss/cmd/p7env/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/p7env/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/p7env/manifest.mn b/security/nss/cmd/p7env/manifest.mn
new file mode 100644
index 000000000..8378fe2e6
--- /dev/null
+++ b/security/nss/cmd/p7env/manifest.mn
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = p7env.c  
+
+REQUIRES = seccmd 
+
+PROGRAM = p7env
+
diff --git a/security/nss/cmd/p7env/p7env.c b/security/nss/cmd/p7env/p7env.c
new file mode 100644
index 000000000..0e7e96bb6
--- /dev/null
+++ b/security/nss/cmd/p7env/p7env.c
@@ -0,0 +1,275 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * p7env -- A command to create a pkcs7 enveloped data.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "plgetopt.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "nss.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+
+extern void SEC_Init(void);		/* XXX */
+
+
+static void
+Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -r recipient [-d dbdir] [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Nickname of cert to use for encryption\n",
+	    "-r recipient");
+    fprintf(stderr, "%-20s Cert database directory (default is ~/.netscape)\n",
+	    "-d dbdir");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+struct recipient {
+    struct recipient *next;
+    char *nickname;
+    CERTCertificate *cert;
+};
+
+static void
+EncryptOut(void *arg, const char *buf, unsigned long len)
+{
+   FILE *out;
+
+   out = arg; 
+   fwrite (buf, len, 1, out);
+}
+
+static int
+EncryptFile(FILE *outFile, FILE *inFile, struct recipient *recipients,
+	    char *progName)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7EncoderContext *ecx;
+    struct recipient *rcpt;
+    SECStatus rv;
+
+    if (outFile == NULL || inFile == NULL || recipients == NULL)
+	return -1;
+
+    /* XXX Need a better way to handle that certUsage stuff! */
+    /* XXX keysize? */
+    cinfo = SEC_PKCS7CreateEnvelopedData (recipients->cert,
+					  certUsageEmailRecipient,
+					  NULL, SEC_OID_DES_EDE3_CBC, 0, 
+					  NULL, NULL);
+    if (cinfo == NULL)
+	return -1;
+
+    for (rcpt = recipients->next; rcpt != NULL; rcpt = rcpt->next) {
+	rv = SEC_PKCS7AddRecipient (cinfo, rcpt->cert, certUsageEmailRecipient,
+				    NULL);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "error adding recipient \"%s\"",
+			    rcpt->nickname);
+	    return -1;
+	}
+    }
+
+    ecx = SEC_PKCS7EncoderStart (cinfo, EncryptOut, outFile, NULL);
+    if (ecx == NULL)
+	return -1;
+
+    for (;;) {
+	char ibuf[1024];
+	int nb;
+ 
+	if (feof(inFile))
+	    break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb == 0) {
+	    if (ferror(inFile)) {
+		PORT_SetError(SEC_ERROR_IO);
+		rv = SECFailure;
+	    }
+	    break;
+	}
+	rv = SEC_PKCS7EncoderUpdate(ecx, ibuf, nb);
+	if (rv != SECSuccess)
+	    break;
+    }
+
+    if (SEC_PKCS7EncoderFinish(ecx, NULL, NULL) != SECSuccess)
+	rv = SECFailure;
+
+    SEC_PKCS7DestroyContentInfo (cinfo);
+
+    if (rv != SECSuccess)
+	return -1;
+
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    char *progName;
+    FILE *inFile, *outFile;
+    char *certName;
+    CERTCertDBHandle *certHandle;
+    struct recipient *recipients, *rcpt;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus rv;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    inFile = NULL;
+    outFile = NULL;
+    certName = NULL;
+    recipients = NULL;
+    rcpt = NULL;
+
+    /*
+     * Parse command line arguments
+     * XXX This needs to be enhanced to allow selection of algorithms
+     * and key sizes (or to look up algorithms and key sizes for each
+     * recipient in the magic database).
+     */
+    optstate = PL_CreateOptState(argc, argv, "d:i:o:r:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+	  case 'i':
+	    inFile = fopen(optstate->value, "r");
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "wb");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'r':
+	    if (rcpt == NULL) {
+		recipients = rcpt = PORT_Alloc (sizeof(struct recipient));
+	    } else {
+		rcpt->next = PORT_Alloc (sizeof(struct recipient));
+		rcpt = rcpt->next;
+	    }
+	    if (rcpt == NULL) {
+		fprintf(stderr, "%s: unable to allocate recipient struct\n",
+			progName);
+		return -1;
+	    }
+	    rcpt->nickname = strdup(optstate->value);
+	    rcpt->cert = NULL;
+	    rcpt->next = NULL;
+	    break;
+	}
+    }
+
+    if (!recipients) Usage(progName);
+
+    if (!inFile) inFile = stdin;
+    if (!outFile) outFile = stdout;
+
+    /* Call the NSS initialization routines */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    if (rv != SECSuccess) {
+    	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+
+    /* open cert database */
+    certHandle = CERT_GetDefaultCertDB();
+    if (certHandle == NULL) {
+	return -1;
+    }
+
+    /* find certs */
+    for (rcpt = recipients; rcpt != NULL; rcpt = rcpt->next) {
+	rcpt->cert = CERT_FindCertByNickname(certHandle, rcpt->nickname);
+	if (rcpt->cert == NULL) {
+	    SECU_PrintError(progName,
+			    "the cert for name \"%s\" not found in database",
+			    rcpt->nickname);
+	    return -1;
+	}
+    }
+
+    if (EncryptFile(outFile, inFile, recipients, progName)) {
+	SECU_PrintError(progName, "problem encrypting data");
+	return -1;
+    }
+
+    return 0;
+}
diff --git a/security/nss/cmd/p7sign/Makefile b/security/nss/cmd/p7sign/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/p7sign/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/p7sign/manifest.mn b/security/nss/cmd/p7sign/manifest.mn
new file mode 100644
index 000000000..4facb6246
--- /dev/null
+++ b/security/nss/cmd/p7sign/manifest.mn
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = p7sign.c  
+
+REQUIRES = seccmd 
+
+PROGRAM = p7sign
+
diff --git a/security/nss/cmd/p7sign/p7sign.c b/security/nss/cmd/p7sign/p7sign.c
new file mode 100644
index 000000000..d489c4556
--- /dev/null
+++ b/security/nss/cmd/p7sign/p7sign.c
@@ -0,0 +1,309 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * p7sign -- A command to create a *detached* pkcs7 signature (over a given
+ * input file).
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "plgetopt.h"
+#include "secutil.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+#include "nss.h"
+#include "pk11func.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fwrite(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+
+static secuPWData  pwdata          = { PW_NONE, 0 };
+
+static void
+Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Nickname of key to use for signature\n",
+	    "-k keyname");
+    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
+	    "-d keydir");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    fprintf(stderr, "%-20s Encapsulate content in signature message\n",
+	    "-e");
+    fprintf(stderr, "%-20s Password to the key databse\n", "-p");
+    fprintf(stderr, "%-20s password file\n", "-f");
+    exit(-1);
+}
+
+static void
+SignOut(void *arg, const char *buf, unsigned long len)
+{
+   FILE *out;
+
+   out = (FILE*) arg; 
+   fwrite (buf, len, 1, out);
+}
+
+static int
+CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen)
+{
+    const SECHashObject *hashObj;
+    void *hashcx;
+
+    /* XXX probably want to extend interface to allow other hash algorithms */
+    hashObj = HASH_GetHashObject(HASH_AlgSHA1);
+
+    hashcx = (* hashObj->create)();
+    if (hashcx == NULL)
+	return -1;
+
+    (* hashObj->begin)(hashcx);
+    (* hashObj->update)(hashcx, data->data, data->len);
+    (* hashObj->end)(hashcx, (unsigned char *)digestdata, len, maxlen);
+    (* hashObj->destroy)(hashcx, PR_TRUE);
+    return 0;
+}
+
+static int
+SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert, 
+         PRBool encapsulated)
+{
+    char digestdata[32];
+    unsigned int len;
+    SECItem digest, data2sign;
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    if (outFile == NULL || inFile == NULL || cert == NULL)
+	return -1;
+
+    /* suck the file in */
+	if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
+	return -1;
+
+    if (!encapsulated) {
+	/* unfortunately, we must create the digest ourselves */
+	/* SEC_PKCS7CreateSignedData should have a flag to not include */
+	/* the content for non-encapsulated content at encode time, but */
+	/* should always compute the hash itself */
+	if (CreateDigest(&data2sign, digestdata, &len, 32) < 0)
+	    return -1;
+	digest.data = (unsigned char *)digestdata;
+	digest.len = len;
+    }
+
+    /* XXX Need a better way to handle that usage stuff! */
+    cinfo = SEC_PKCS7CreateSignedData (cert, certUsageEmailSigner, NULL,
+				       SEC_OID_SHA1,
+				       encapsulated ? NULL : &digest,
+				       NULL, NULL);
+    if (cinfo == NULL)
+	return -1;
+
+    if (encapsulated) {
+	SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len);
+    }
+
+    rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return -1;
+    }
+
+    rv = SEC_PKCS7Encode (cinfo, SignOut, outFile, NULL,
+			  NULL, &pwdata);
+
+    SEC_PKCS7DestroyContentInfo (cinfo);
+
+    if (rv != SECSuccess)
+	return -1;
+
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    char *progName;
+    FILE *outFile;
+    PRFileDesc *inFile;
+    char *keyName = NULL;
+    CERTCertDBHandle *certHandle;
+    CERTCertificate *cert;
+    PRBool encapsulated = PR_FALSE;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus rv;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    inFile = NULL;
+    outFile = NULL;
+    keyName = NULL;
+
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'e':
+	    /* create a message with the signed content encapsulated */
+	    encapsulated = PR_TRUE;
+	    break;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+	  case 'i':
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'k':
+	    keyName = strdup(optstate->value);
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "wb");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+	  case 'p':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = strdup (optstate->value);
+            break;
+
+	  case 'f':
+              pwdata.source = PW_FROMFILE;
+              pwdata.data = PORT_Strdup (optstate->value);
+              break;
+	}
+    }
+
+    if (!keyName) Usage(progName);
+
+    if (!inFile) inFile = PR_STDIN;
+    if (!outFile) outFile = stdout;
+
+    /* Call the initialization routines */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	goto loser;
+    }
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /* open cert database */
+    certHandle = CERT_GetDefaultCertDB();
+    if (certHandle == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* find cert */
+    cert = CERT_FindCertByNickname(certHandle, keyName);
+    if (cert == NULL) {
+	SECU_PrintError(progName,
+		        "the corresponding cert for key \"%s\" does not exist",
+			keyName);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if (SignFile(outFile, inFile, cert, encapsulated)) {
+	SECU_PrintError(progName, "problem signing data");
+	rv = SECFailure;
+	goto loser;
+    }
+
+loser:
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
+    }
+    if (keyName) {
+        PORT_Free(keyName);
+    }
+    if (cert) {
+        CERT_DestroyCertificate(cert);
+    }
+    if (inFile && inFile != PR_STDIN) {
+        PR_Close(inFile);
+    }
+    if (outFile && outFile != stdout) {
+        fclose(outFile);
+    }
+    if (NSS_Shutdown() != SECSuccess) {
+        SECU_PrintError(progName, "NSS shutdown:");
+        exit(1);
+    }
+
+    return (rv != SECSuccess);
+}
diff --git a/security/nss/cmd/p7verify/Makefile b/security/nss/cmd/p7verify/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/p7verify/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/p7verify/manifest.mn b/security/nss/cmd/p7verify/manifest.mn
new file mode 100644
index 000000000..f25311772
--- /dev/null
+++ b/security/nss/cmd/p7verify/manifest.mn
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = p7verify.c  
+
+REQUIRES = seccmd 
+
+PROGRAM = p7verify
+
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
new file mode 100644
index 000000000..c247fe039
--- /dev/null
+++ b/security/nss/cmd/p7verify/p7verify.c
@@ -0,0 +1,308 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * p7verify -- A command to do a verification of a *detached* pkcs7 signature.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "plgetopt.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "secoid.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+#include "nss.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
+extern int fread(char *, size_t, size_t, FILE*);
+extern int fprintf(FILE *, char *, ...);
+#endif
+
+
+static HASH_HashType
+AlgorithmToHashType(SECAlgorithmID *digestAlgorithms)
+{
+
+    SECOidTag tag;
+
+    tag = SECOID_GetAlgorithmTag(digestAlgorithms);
+    
+    switch (tag) {
+      case SEC_OID_MD2:
+	return HASH_AlgMD2;
+      case SEC_OID_MD5:
+	return HASH_AlgMD5;
+      case SEC_OID_SHA1:
+	return HASH_AlgSHA1;
+      default:
+	fprintf(stderr, "should never get here\n");
+	return HASH_AlgNULL;
+    }
+}
+
+static int
+DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
+	   FILE *inFile, HASH_HashType hashType)
+{
+    int nb;
+    unsigned char ibuf[4096];
+    const SECHashObject *hashObj;
+    void *hashcx;
+
+    hashObj = HASH_GetHashObject(hashType);
+
+    hashcx = (* hashObj->create)();
+    if (hashcx == NULL)
+	return -1;
+
+    (* hashObj->begin)(hashcx);
+
+    for (;;) {
+	if (feof(inFile)) break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb != sizeof(ibuf)) {
+	    if (nb == 0) {
+		if (ferror(inFile)) {
+		    PORT_SetError(SEC_ERROR_IO);
+		    (* hashObj->destroy)(hashcx, PR_TRUE);
+		    return -1;
+		}
+		/* eof */
+		break;
+	    }
+	}
+	(* hashObj->update)(hashcx, ibuf, nb);
+    }
+
+    (* hashObj->end)(hashcx, digest, len, maxLen);
+    (* hashObj->destroy)(hashcx, PR_TRUE);
+
+    return 0;
+}
+
+
+static void
+Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -c content -s signature [-d dbdir] [-u certusage]\n",
+	    progName);
+    fprintf(stderr, "%-20s content file that was signed\n",
+	    "-c content");
+    fprintf(stderr, "%-20s file containing signature for that content\n",
+	    "-s signature");
+    fprintf(stderr,
+	    "%-20s Key/Cert database directory (default is ~/.netscape)\n",
+	    "-d dbdir");
+    fprintf(stderr, "%-20s Define the type of certificate usage (default is certUsageEmailSigner)\n",
+	    "-u certusage");
+    fprintf(stderr, "%-25s  0 - certUsageSSLClient\n", " ");
+    fprintf(stderr, "%-25s  1 - certUsageSSLServer\n", " ");
+    fprintf(stderr, "%-25s  2 - certUsageSSLServerWithStepUp\n", " ");
+    fprintf(stderr, "%-25s  3 - certUsageSSLCA\n", " ");
+    fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");
+    fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");
+    fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");
+    fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");
+    fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");
+    fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
+    fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
+    fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+
+    exit(-1);
+}
+
+static int
+HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
+		    SECCertUsage usage, char *progName)
+{
+    SECItem derdata;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7SignedData *signedData;
+    HASH_HashType digestType;
+    SECItem digest;
+    unsigned char buffer[32];
+
+    if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) {
+	SECU_PrintError(progName, "error reading signature file");
+	return -1;
+    }
+
+    cinfo = SEC_PKCS7DecodeItem(&derdata, NULL, NULL, NULL, NULL,
+				NULL, NULL, NULL);
+    if (cinfo == NULL)
+	return -1;
+
+    if (! SEC_PKCS7ContentIsSigned(cinfo)) {
+	fprintf (out, "Signature file is pkcs7 data, but not signed.\n");
+	return -1;
+    }
+
+    signedData = cinfo->content.signedData;
+
+    /* assume that there is only one digest algorithm for now */
+    digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
+    if (digestType == HASH_AlgNULL) {
+	fprintf (out, "Invalid hash algorithmID\n");
+	return -1;
+    }
+
+    digest.data = buffer;
+    if (DigestFile (digest.data, &digest.len, 32, content, digestType)) {
+	SECU_PrintError (progName, "problem computing message digest");
+	return -1;
+    }
+
+    fprintf(out, "Signature is ");
+    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage, &digest, digestType,
+					  PR_FALSE))
+	fprintf(out, "valid.\n");
+    else
+	fprintf(out, "invalid (Reason: %s).\n",
+		SECU_Strerror(PORT_GetError()));
+
+    SEC_PKCS7DestroyContentInfo(cinfo);
+    return 0;
+}
+
+
+int
+main(int argc, char **argv)
+{
+    char *progName;
+    FILE *contentFile, *outFile;
+    PRFileDesc *signatureFile;
+    SECCertUsage certUsage = certUsageEmailSigner;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus rv;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    contentFile = NULL;
+    signatureFile = NULL;
+    outFile = NULL;
+
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, "c:d:o:s:u:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'c':
+	    contentFile = fopen(optstate->value, "r");
+	    if (!contentFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "w");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 's':
+	    signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!signatureFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'u': {
+	    int usageType;
+
+	    usageType = atoi (strdup(optstate->value));
+	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
+		return -1;
+	    certUsage = (SECCertUsage)usageType;
+	    break;
+	  }
+	      
+	}
+    }
+
+    if (!contentFile) Usage (progName);
+    if (!signatureFile) Usage (progName);
+    if (!outFile) outFile = stdout;
+
+    /* Call the NSS initialization routines */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    if (rv != SECSuccess) {
+    	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
+
+    if (HashDecodeAndVerify(outFile, contentFile, signatureFile,
+			    certUsage, progName)) {
+	SECU_PrintError(progName, "problem decoding/verifying signature");
+	return -1;
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    return 0;
+}
diff --git a/security/nss/cmd/pk11mode/Makefile b/security/nss/cmd/pk11mode/Makefile
new file mode 100755
index 000000000..9e2708a76
--- /dev/null
+++ b/security/nss/cmd/pk11mode/Makefile
@@ -0,0 +1,93 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+ifeq ($(OS_ARCH), WINNT)
+
+EXTRA_LIBS += \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
+	$(NULL)
+
+else
+
+EXTRA_SHARED_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
diff --git a/security/nss/cmd/pk11mode/manifest.mn b/security/nss/cmd/pk11mode/manifest.mn
new file mode 100644
index 000000000..6c84958b6
--- /dev/null
+++ b/security/nss/cmd/pk11mode/manifest.mn
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+EXPORTS =
+
+CSRCS = pk11mode.c
+
+PROGRAM = pk11mode
+
+REQUIRES =
diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c
new file mode 100644
index 000000000..a54087560
--- /dev/null
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -0,0 +1,5344 @@
+/*
+ * pk11mode.c - Test FIPS or NONFIPS Modes for the NSS PKCS11 api.
+ *              The goal of this program is to test every function
+ *              entry point of the PKCS11 api at least once.
+ *              To test in FIPS mode: pk11mode
+ *              To test in NONFIPS mode: pk11mode -n
+ *              usage: pk11mode -h
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#define LIB_NAME "softokn3.dll"
+#endif
+#include "prlink.h"
+#include "prprf.h"
+#include "plgetopt.h"
+#include "prenv.h"
+
+#include "pkcs11.h"
+
+
+#define NUM_ELEM(array) (sizeof(array)/sizeof(array[0]))
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+struct tuple_str {
+    CK_RV         errNum;
+    const char * errString;
+};
+
+
+typedef struct tuple_str tuple_str;
+
+static const tuple_str errStrings[] = {
+{CKR_OK                              , "CKR_OK                              "},
+{CKR_CANCEL                          , "CKR_CANCEL                          "},
+{CKR_HOST_MEMORY                     , "CKR_HOST_MEMORY                     "},
+{CKR_SLOT_ID_INVALID                 , "CKR_SLOT_ID_INVALID                 "},
+{CKR_GENERAL_ERROR                   , "CKR_GENERAL_ERROR                   "},
+{CKR_FUNCTION_FAILED                 , "CKR_FUNCTION_FAILED                 "},
+{CKR_ARGUMENTS_BAD                   , "CKR_ARGUMENTS_BAD                   "},
+{CKR_NO_EVENT                        , "CKR_NO_EVENT                        "},
+{CKR_NEED_TO_CREATE_THREADS          , "CKR_NEED_TO_CREATE_THREADS          "},
+{CKR_CANT_LOCK                       , "CKR_CANT_LOCK                       "},
+{CKR_ATTRIBUTE_READ_ONLY             , "CKR_ATTRIBUTE_READ_ONLY             "},
+{CKR_ATTRIBUTE_SENSITIVE             , "CKR_ATTRIBUTE_SENSITIVE             "},
+{CKR_ATTRIBUTE_TYPE_INVALID          , "CKR_ATTRIBUTE_TYPE_INVALID          "},
+{CKR_ATTRIBUTE_VALUE_INVALID         , "CKR_ATTRIBUTE_VALUE_INVALID         "},
+{CKR_DATA_INVALID                    , "CKR_DATA_INVALID                    "},
+{CKR_DATA_LEN_RANGE                  , "CKR_DATA_LEN_RANGE                  "},
+{CKR_DEVICE_ERROR                    , "CKR_DEVICE_ERROR                    "},
+{CKR_DEVICE_MEMORY                   , "CKR_DEVICE_MEMORY                   "},
+{CKR_DEVICE_REMOVED                  , "CKR_DEVICE_REMOVED                  "},
+{CKR_ENCRYPTED_DATA_INVALID          , "CKR_ENCRYPTED_DATA_INVALID          "},
+{CKR_ENCRYPTED_DATA_LEN_RANGE        , "CKR_ENCRYPTED_DATA_LEN_RANGE        "},
+{CKR_FUNCTION_CANCELED               , "CKR_FUNCTION_CANCELED               "},
+{CKR_FUNCTION_NOT_PARALLEL           , "CKR_FUNCTION_NOT_PARALLEL           "},
+{CKR_FUNCTION_NOT_SUPPORTED          , "CKR_FUNCTION_NOT_SUPPORTED          "},
+{CKR_KEY_HANDLE_INVALID              , "CKR_KEY_HANDLE_INVALID              "},
+{CKR_KEY_SIZE_RANGE                  , "CKR_KEY_SIZE_RANGE                  "},
+{CKR_KEY_TYPE_INCONSISTENT           , "CKR_KEY_TYPE_INCONSISTENT           "},
+{CKR_KEY_NOT_NEEDED                  , "CKR_KEY_NOT_NEEDED                  "},
+{CKR_KEY_CHANGED                     , "CKR_KEY_CHANGED                     "},
+{CKR_KEY_NEEDED                      , "CKR_KEY_NEEDED                      "},
+{CKR_KEY_INDIGESTIBLE                , "CKR_KEY_INDIGESTIBLE                "},
+{CKR_KEY_FUNCTION_NOT_PERMITTED      , "CKR_KEY_FUNCTION_NOT_PERMITTED      "},
+{CKR_KEY_NOT_WRAPPABLE               , "CKR_KEY_NOT_WRAPPABLE               "},
+{CKR_KEY_UNEXTRACTABLE               , "CKR_KEY_UNEXTRACTABLE               "},
+{CKR_MECHANISM_INVALID               , "CKR_MECHANISM_INVALID               "},
+{CKR_MECHANISM_PARAM_INVALID         , "CKR_MECHANISM_PARAM_INVALID         "},
+{CKR_OBJECT_HANDLE_INVALID           , "CKR_OBJECT_HANDLE_INVALID           "},
+{CKR_OPERATION_ACTIVE                , "CKR_OPERATION_ACTIVE                "},
+{CKR_OPERATION_NOT_INITIALIZED       , "CKR_OPERATION_NOT_INITIALIZED       "},
+{CKR_PIN_INCORRECT                   , "CKR_PIN_INCORRECT                   "},
+{CKR_PIN_INVALID                     , "CKR_PIN_INVALID                     "},
+{CKR_PIN_LEN_RANGE                   , "CKR_PIN_LEN_RANGE                   "},
+{CKR_PIN_EXPIRED                     , "CKR_PIN_EXPIRED                     "},
+{CKR_PIN_LOCKED                      , "CKR_PIN_LOCKED                      "},
+{CKR_SESSION_CLOSED                  , "CKR_SESSION_CLOSED                  "},
+{CKR_SESSION_COUNT                   , "CKR_SESSION_COUNT                   "},
+{CKR_SESSION_HANDLE_INVALID          , "CKR_SESSION_HANDLE_INVALID          "},
+{CKR_SESSION_PARALLEL_NOT_SUPPORTED  , "CKR_SESSION_PARALLEL_NOT_SUPPORTED  "},
+{CKR_SESSION_READ_ONLY               , "CKR_SESSION_READ_ONLY               "},
+{CKR_SESSION_EXISTS                  , "CKR_SESSION_EXISTS                  "},
+{CKR_SESSION_READ_ONLY_EXISTS        , "CKR_SESSION_READ_ONLY_EXISTS        "},
+{CKR_SESSION_READ_WRITE_SO_EXISTS    , "CKR_SESSION_READ_WRITE_SO_EXISTS    "},
+{CKR_SIGNATURE_INVALID               , "CKR_SIGNATURE_INVALID               "},
+{CKR_SIGNATURE_LEN_RANGE             , "CKR_SIGNATURE_LEN_RANGE             "},
+{CKR_TEMPLATE_INCOMPLETE             , "CKR_TEMPLATE_INCOMPLETE             "},
+{CKR_TEMPLATE_INCONSISTENT           , "CKR_TEMPLATE_INCONSISTENT           "},
+{CKR_TOKEN_NOT_PRESENT               , "CKR_TOKEN_NOT_PRESENT               "},
+{CKR_TOKEN_NOT_RECOGNIZED            , "CKR_TOKEN_NOT_RECOGNIZED            "},
+{CKR_TOKEN_WRITE_PROTECTED           , "CKR_TOKEN_WRITE_PROTECTED           "},
+{CKR_UNWRAPPING_KEY_HANDLE_INVALID   , "CKR_UNWRAPPING_KEY_HANDLE_INVALID   "},
+{CKR_UNWRAPPING_KEY_SIZE_RANGE       , "CKR_UNWRAPPING_KEY_SIZE_RANGE       "},
+{CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"},
+{CKR_USER_ALREADY_LOGGED_IN          , "CKR_USER_ALREADY_LOGGED_IN          "},
+{CKR_USER_NOT_LOGGED_IN              , "CKR_USER_NOT_LOGGED_IN              "},
+{CKR_USER_PIN_NOT_INITIALIZED        , "CKR_USER_PIN_NOT_INITIALIZED        "},
+{CKR_USER_TYPE_INVALID               , "CKR_USER_TYPE_INVALID               "},
+{CKR_USER_ANOTHER_ALREADY_LOGGED_IN  , "CKR_USER_ANOTHER_ALREADY_LOGGED_IN  "},
+{CKR_USER_TOO_MANY_TYPES             , "CKR_USER_TOO_MANY_TYPES             "},
+{CKR_WRAPPED_KEY_INVALID             , "CKR_WRAPPED_KEY_INVALID             "},
+{CKR_WRAPPED_KEY_LEN_RANGE           , "CKR_WRAPPED_KEY_LEN_RANGE           "},
+{CKR_WRAPPING_KEY_HANDLE_INVALID     , "CKR_WRAPPING_KEY_HANDLE_INVALID     "},
+{CKR_WRAPPING_KEY_SIZE_RANGE         , "CKR_WRAPPING_KEY_SIZE_RANGE         "},
+{CKR_WRAPPING_KEY_TYPE_INCONSISTENT  , "CKR_WRAPPING_KEY_TYPE_INCONSISTENT  "},
+{CKR_RANDOM_SEED_NOT_SUPPORTED       , "CKR_RANDOM_SEED_NOT_SUPPORTED       "},
+{CKR_RANDOM_NO_RNG                   , "CKR_RANDOM_NO_RNG                   "},
+{CKR_DOMAIN_PARAMS_INVALID           , "CKR_DOMAIN_PARAMS_INVALID           "},
+{CKR_BUFFER_TOO_SMALL                , "CKR_BUFFER_TOO_SMALL                "},
+{CKR_SAVED_STATE_INVALID             , "CKR_SAVED_STATE_INVALID             "},
+{CKR_INFORMATION_SENSITIVE           , "CKR_INFORMATION_SENSITIVE           "},
+{CKR_STATE_UNSAVEABLE                , "CKR_STATE_UNSAVEABLE                "},
+{CKR_CRYPTOKI_NOT_INITIALIZED        , "CKR_CRYPTOKI_NOT_INITIALIZED        "},
+{CKR_CRYPTOKI_ALREADY_INITIALIZED    , "CKR_CRYPTOKI_ALREADY_INITIALIZED    "},
+{CKR_MUTEX_BAD                       , "CKR_MUTEX_BAD                       "},
+{CKR_MUTEX_NOT_LOCKED                , "CKR_MUTEX_NOT_LOCKED                "},
+{CKR_FUNCTION_REJECTED               , "CKR_FUNCTION_REJECTED               "},
+{CKR_VENDOR_DEFINED                  , "CKR_VENDOR_DEFINED                  "},
+{0xCE534351                          , "CKR_NETSCAPE_CERTDB_FAILED          "},
+{0xCE534352                          , "CKR_NETSCAPE_KEYDB_FAILED           "}
+};
+
+static const CK_ULONG numStrings = sizeof(errStrings) / sizeof(tuple_str);
+
+/* Returns constant error string for "CRV".
+ * Returns "unknown error" if errNum is unknown.
+ */
+const char *
+PKM_CK_RVtoStr(CK_RV errNum) {
+    CK_ULONG low  = 1;
+    CK_ULONG high = numStrings - 1;
+    CK_ULONG i;
+    CK_RV num;
+    static int initDone;
+
+    /* make sure table is in  ascending order.
+     * binary search depends on it.
+     */
+    if (!initDone) {
+        CK_RV lastNum = CKR_OK;
+        for (i = low; i <= high; ++i) {
+            num = errStrings[i].errNum;
+            if (num <= lastNum) {
+                    fprintf(stderr,
+"sequence error in error strings at item %d\n"
+"error %d (%s)\n"
+"should come after \n"
+"error %d (%s)\n",
+                        (int) i, (int) lastNum, errStrings[i-1].errString,
+                        (int) num, errStrings[i].errString);
+            }
+            lastNum = num;
+        }
+        initDone = 1;
+    }
+
+    /* Do binary search of table. */
+    while (low + 1 < high) {
+        i = (low + high) / 2;
+        num = errStrings[i].errNum;
+        if (errNum == num)
+            return errStrings[i].errString;
+        if (errNum < num)
+            high = i;
+        else
+            low = i;
+    }
+    if (errNum == errStrings[low].errNum)
+            return errStrings[low].errString;
+    if (errNum == errStrings[high].errNum)
+            return errStrings[high].errString;
+    return "unknown error";
+}
+
+#include "pkcs11p.h"
+
+typedef struct CK_C_INITIALIZE_ARGS_NSS {
+    CK_CREATEMUTEX CreateMutex;
+    CK_DESTROYMUTEX DestroyMutex;
+    CK_LOCKMUTEX LockMutex;
+    CK_UNLOCKMUTEX UnlockMutex;
+    CK_FLAGS flags;
+    /* The official PKCS #11 spec does not have a 'LibraryParameters' field, but
+     * a reserved field. NSS needs a way to pass instance-specific information
+     * to the library (like where to find its config files, etc). This
+     * information is usually provided by the installer and passed uninterpreted
+     * by NSS to the library, though NSS does know the specifics of the softoken
+     * version of this parameter. Most compliant PKCS#11 modules expect this
+     * parameter to be NULL, and will return CKR_ARGUMENTS_BAD from
+     * C_Initialize if Library parameters is supplied. */
+    CK_CHAR_PTR *LibraryParameters;
+    /* This field is only present if the LibraryParameters is not NULL. It must
+     * be NULL in all cases */
+    CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS_NSS;
+
+#include "pkcs11u.h"
+
+static CK_ATTRIBUTE_TYPE all_known_attribute_types[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_LABEL,
+    CKA_APPLICATION,
+    CKA_VALUE,
+    CKA_CERTIFICATE_TYPE,
+    CKA_ISSUER,
+    CKA_SERIAL_NUMBER,
+    CKA_KEY_TYPE,
+    CKA_SUBJECT,
+    CKA_ID,
+    CKA_SENSITIVE,
+    CKA_ENCRYPT,
+    CKA_DECRYPT,
+    CKA_WRAP,
+    CKA_UNWRAP,
+    CKA_SIGN,
+    CKA_SIGN_RECOVER,
+    CKA_VERIFY,
+    CKA_VERIFY_RECOVER,
+    CKA_DERIVE,
+    CKA_START_DATE,
+    CKA_END_DATE,
+    CKA_MODULUS,
+    CKA_MODULUS_BITS,
+    CKA_PUBLIC_EXPONENT,
+    CKA_PRIVATE_EXPONENT,
+    CKA_PRIME_1,
+    CKA_PRIME_2,
+    CKA_EXPONENT_1,
+    CKA_EXPONENT_2,
+    CKA_COEFFICIENT,
+    CKA_PRIME,
+    CKA_SUBPRIME,
+    CKA_BASE,
+    CKA_VALUE_BITS,
+    CKA_VALUE_LEN,
+    CKA_EXTRACTABLE,
+    CKA_LOCAL,
+    CKA_NEVER_EXTRACTABLE,
+    CKA_ALWAYS_SENSITIVE,
+    CKA_MODIFIABLE,
+#ifdef CKA_NETSCAPE
+    CKA_NETSCAPE_URL,
+    CKA_NETSCAPE_EMAIL,
+    CKA_NETSCAPE_SMIME_INFO,
+    CKA_NETSCAPE_SMIME_TIMESTAMP,
+    CKA_NETSCAPE_PKCS8_SALT,
+    CKA_NETSCAPE_PASSWORD_CHECK,
+    CKA_NETSCAPE_EXPIRES,
+#endif /* CKA_NETSCAPE */
+#ifdef CKA_TRUST
+    CKA_TRUST_DIGITAL_SIGNATURE,
+    CKA_TRUST_NON_REPUDIATION,
+    CKA_TRUST_KEY_ENCIPHERMENT,
+    CKA_TRUST_DATA_ENCIPHERMENT,
+    CKA_TRUST_KEY_AGREEMENT,
+    CKA_TRUST_KEY_CERT_SIGN,
+    CKA_TRUST_CRL_SIGN,
+    CKA_TRUST_SERVER_AUTH,
+    CKA_TRUST_CLIENT_AUTH,
+    CKA_TRUST_CODE_SIGNING,
+    CKA_TRUST_EMAIL_PROTECTION,
+    CKA_TRUST_IPSEC_END_SYSTEM,
+    CKA_TRUST_IPSEC_TUNNEL,
+    CKA_TRUST_IPSEC_USER,
+    CKA_TRUST_TIME_STAMPING,
+#endif /* CKA_TRUST */
+};
+
+static int number_of_all_known_attribute_types =
+(sizeof(all_known_attribute_types)/sizeof(all_known_attribute_types[0]));
+
+#define MAX_SIG_SZ 128
+#define MAX_CIPHER_SZ 128
+#define MAX_DATA_SZ 64
+#define MAX_DIGEST_SZ 64
+#define HMAC_MAX_LENGTH 64
+#define FIPSMODE 0
+#define NONFIPSMODE 1
+#define HYBRIDMODE 2
+#define NOMODE 3
+int MODE = FIPSMODE;
+
+CK_BBOOL true = CK_TRUE;
+CK_BBOOL false = CK_FALSE;
+static const CK_BYTE PLAINTEXT[] = {"Firefox  Rules!"};
+static const CK_BYTE PLAINTEXT_PAD[] = 
+                                  {"Firefox and thunderbird rule the world!"};
+CK_ULONG NUMTESTS = 0;
+
+static const char * slotFlagName[] = {
+    "CKF_TOKEN_PRESENT",
+    "CKF_REMOVABLE_DEVICE",
+    "CKF_HW_SLOT",
+    "unknown token flag 0x00000008",
+    "unknown token flag 0x00000010",
+    "unknown token flag 0x00000020",
+    "unknown token flag 0x00000040",
+    "unknown token flag 0x00000080",
+    "unknown token flag 0x00000100",
+    "unknown token flag 0x00000200",
+    "unknown token flag 0x00000400",
+    "unknown token flag 0x00000800",
+    "unknown token flag 0x00001000",
+    "unknown token flag 0x00002000",
+    "unknown token flag 0x00004000",
+    "unknown token flag 0x00008000"
+    "unknown token flag 0x00010000",
+    "unknown token flag 0x00020000",
+    "unknown token flag 0x00040000",
+    "unknown token flag 0x00080000",
+    "unknown token flag 0x00100000",
+    "unknown token flag 0x00200000",
+    "unknown token flag 0x00400000",
+    "unknown token flag 0x00800000"
+    "unknown token flag 0x01000000",
+    "unknown token flag 0x02000000",
+    "unknown token flag 0x04000000",
+    "unknown token flag 0x08000000",
+    "unknown token flag 0x10000000",
+    "unknown token flag 0x20000000",
+    "unknown token flag 0x40000000",
+    "unknown token flag 0x80000000"
+};
+
+static const char * tokenFlagName[] = {
+    "CKF_PKM_RNG",
+    "CKF_WRITE_PROTECTED",
+    "CKF_LOGIN_REQUIRED",
+    "CKF_USER_PIN_INITIALIZED",
+    "unknown token flag 0x00000010",
+    "CKF_RESTORE_KEY_NOT_NEEDED",
+    "CKF_CLOCK_ON_TOKEN",
+    "unknown token flag 0x00000080",
+    "CKF_PROTECTED_AUTHENTICATION_PATH",
+    "CKF_DUAL_CRYPTO_OPERATIONS",
+    "CKF_TOKEN_INITIALIZED",
+    "CKF_SECONDARY_AUTHENTICATION",
+    "unknown token flag 0x00001000",
+    "unknown token flag 0x00002000",
+    "unknown token flag 0x00004000",
+    "unknown token flag 0x00008000",
+    "CKF_USER_PIN_COUNT_LOW",
+    "CKF_USER_PIN_FINAL_TRY",
+    "CKF_USER_PIN_LOCKED",
+    "CKF_USER_PIN_TO_BE_CHANGED",
+    "CKF_SO_PIN_COUNT_LOW",
+    "CKF_SO_PIN_FINAL_TRY",
+    "CKF_SO_PIN_LOCKED",
+    "CKF_SO_PIN_TO_BE_CHANGED",
+    "unknown token flag 0x01000000",
+    "unknown token flag 0x02000000",
+    "unknown token flag 0x04000000",
+    "unknown token flag 0x08000000",
+    "unknown token flag 0x10000000",
+    "unknown token flag 0x20000000",
+    "unknown token flag 0x40000000",
+    "unknown token flag 0x80000000"
+};
+
+static const unsigned char TLSClientRandom[] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x0d, 0x90, 0xbb, 0x5e, 0xc6, 0xe1, 0x3f, 0x71,
+    0x0a, 0xa2, 0x70, 0x5a, 0x4f, 0xbc, 0x3f, 0x0d
+};
+static const unsigned char TLSServerRandom[] = {
+    0x00, 0x00, 0x1d, 0x4a, 0x7a, 0x0a, 0xa5, 0x01,
+    0x8e, 0x79, 0x72, 0xde, 0x9e, 0x2f, 0x8a, 0x0d,
+    0xed, 0xb2, 0x5d, 0xf1, 0x14, 0xc2, 0xc6, 0x66,
+    0x95, 0x86, 0xb0, 0x0d, 0x87, 0x2a, 0x2a, 0xc9
+};
+
+typedef enum {
+    CORRECT,
+    BOGUS_CLIENT_RANDOM,
+    BOGUS_CLIENT_RANDOM_LEN,
+    BOGUS_SERVER_RANDOM,
+    BOGUS_SERVER_RANDOM_LEN
+} enum_random_t;
+
+void
+dumpToHash64(const unsigned char *buf, unsigned int bufLen)
+{
+    unsigned int i;
+    for (i = 0; i < bufLen; i += 8) {
+        if (i % 32 == 0)
+            printf("\n");
+        printf(" 0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,",
+               buf[i  ], buf[i+1], buf[i+2], buf[i+3],
+               buf[i+4], buf[i+5], buf[i+6], buf[i+7]);
+    }
+    printf("\n");
+}
+
+
+#ifdef _WIN32
+HMODULE hModule;
+#else
+PRLibrary *lib;
+#endif
+
+/*
+* All api that belongs to pk11mode.c layer start with the prefix PKM_
+*/
+void PKM_LogIt(const char *fmt, ...);
+void PKM_Error(const char *fmt, ...);
+CK_SLOT_ID *PKM_GetSlotList(CK_FUNCTION_LIST_PTR pFunctionList,
+                            CK_ULONG slotID);
+CK_RV PKM_ShowInfo(CK_FUNCTION_LIST_PTR pFunctionList, CK_ULONG slotID);
+CK_RV PKM_InitPWforDB(CK_FUNCTION_LIST_PTR pFunctionList,
+                      CK_SLOT_ID *pSlotList, CK_ULONG slotID,
+                      CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
+                    CK_SLOT_ID * pSlotList, CK_ULONG slotID);
+CK_RV PKM_RNG(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID * pSlotList,
+              CK_ULONG slotID);
+CK_RV PKM_SessionLogin(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
+                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_SecretKey(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID *pSlotList,
+                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID *pSlotList,
+                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_HybridMode(CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen, 
+                     CK_C_INITIALIZE_ARGS_NSS *initArgs);
+CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
+                          CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_MultiObjectManagement(CK_FUNCTION_LIST_PTR pFunctionList,
+                                 CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                                 CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_OperationalState(CK_FUNCTION_LIST_PTR pFunctionList,
+                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_LegacyFunctions(CK_FUNCTION_LIST_PTR pFunctionList,
+                          CK_SLOT_ID *pSlotList, CK_ULONG slotID,
+                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_AttributeCheck(CK_FUNCTION_LIST_PTR pFunctionList,
+                         CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE obj,
+                         CK_ATTRIBUTE_PTR expected_attrs,
+                         CK_ULONG expected_attrs_count);
+CK_RV PKM_MechCheck(CK_FUNCTION_LIST_PTR pFunctionList,
+                    CK_SESSION_HANDLE hSession, CK_MECHANISM_TYPE mechType,
+                    CK_FLAGS flags, CK_BBOOL check_sizes,
+                    CK_ULONG minkeysize, CK_ULONG maxkeysize);
+CK_RV PKM_TLSKeyAndMacDerive(CK_FUNCTION_LIST_PTR pFunctionList,
+                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
+                            CK_MECHANISM_TYPE mechType, enum_random_t rnd);
+CK_RV PKM_TLSMasterKeyDerive(CK_FUNCTION_LIST_PTR pFunctionList,
+                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
+                            CK_MECHANISM_TYPE mechType,
+                            enum_random_t rnd);
+CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
+                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
+CK_RV PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pFunctionList,
+                      CK_SESSION_HANDLE hRwSession,
+                      CK_OBJECT_HANDLE publicKey, CK_OBJECT_HANDLE privateKey,
+                      CK_MECHANISM *sigMech, CK_OBJECT_HANDLE secretKey,
+                      CK_MECHANISM *cryptMech, 
+                      const CK_BYTE *  pData, CK_ULONG pDataLen);
+CK_RV PKM_DualFuncDigest(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SESSION_HANDLE hSession,
+                       CK_OBJECT_HANDLE hSecKey, CK_MECHANISM *cryptMech,
+                       CK_OBJECT_HANDLE hSecKeyDigest, 
+                       CK_MECHANISM *digestMech, 
+                       const CK_BYTE *  pData, CK_ULONG pDataLen); 
+CK_RV PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFunctionList, 
+                     CK_SESSION_HANDLE hRwSession,
+                     CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
+                     CK_MECHANISM *signMech, const CK_BYTE *  pData, 
+                     CK_ULONG dataLen);
+CK_RV PKM_SecKeyCrypt(CK_FUNCTION_LIST_PTR pFunctionList, 
+                      CK_SESSION_HANDLE hSession,
+                      CK_OBJECT_HANDLE hSymKey, CK_MECHANISM *cryptMech,
+                      const CK_BYTE *  pData, CK_ULONG dataLen);
+CK_RV PKM_Hmac(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
+                CK_OBJECT_HANDLE sKey, CK_MECHANISM *hmacMech, 
+                const CK_BYTE *  pData, CK_ULONG pDataLen);
+CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList, 
+                 CK_SESSION_HANDLE hRwSession,
+                 CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
+                 const CK_BYTE *  pData, CK_ULONG pDataLen);
+CK_RV PKM_wrapUnwrap(CK_FUNCTION_LIST_PTR pFunctionList,
+                     CK_SESSION_HANDLE hSession, 
+                     CK_OBJECT_HANDLE hPublicKey, 
+                     CK_OBJECT_HANDLE hPrivateKey,
+                     CK_MECHANISM *wrapMechanism,
+                     CK_OBJECT_HANDLE hSecretKey,
+                     CK_ATTRIBUTE *sKeyTemplate,
+                     CK_ULONG skeyTempSize);
+CK_RV PKM_RecoverFunctions(CK_FUNCTION_LIST_PTR pFunctionList, 
+                    CK_SESSION_HANDLE hSession,
+                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
+                    CK_MECHANISM *signMech, const CK_BYTE * pData, 
+                    CK_ULONG pDataLen);
+void  PKM_Help(); 
+void  PKM_CheckPath(char *string);
+char  *PKM_FilePasswd(char *pwFile);
+static PRBool verbose = PR_FALSE;
+
+int main(int argc, char **argv)
+{
+    CK_C_GetFunctionList pC_GetFunctionList;
+    CK_FUNCTION_LIST_PTR pFunctionList;
+    CK_RV crv = CKR_OK;
+    CK_C_INITIALIZE_ARGS_NSS initArgs;
+    CK_SLOT_ID *pSlotList = NULL;
+    CK_TOKEN_INFO tokenInfo;
+    CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
+
+    CK_UTF8CHAR *pwd = NULL;
+    CK_ULONG pwdLen = 0;
+    char *moduleSpec = NULL;
+    char *configDir = NULL;
+    char *dbPrefix = NULL;
+    char *disableUnload = NULL;
+
+    PLOptStatus os;
+    PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:d:p:");
+    while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
+    {
+        if (PL_OPT_BAD == os) continue;
+       switch (opt->option)
+        {
+        case 'n':  /* non fips mode */
+            MODE = NONFIPSMODE;
+            slotID = 1;
+            break;
+        case 'f':  /* password file */
+            pwd = (CK_UTF8CHAR *) PKM_FilePasswd((char *)opt->value);
+            if (!pwd) PKM_Help();
+            break;
+        case 'd':  /* opt_CertDir */
+            if (!opt->value) PKM_Help();
+            configDir = strdup(opt->value);
+            PKM_CheckPath(configDir);
+            break;
+        case 'p':  /* opt_DBPrefix */
+            if (!opt->value) PKM_Help();
+            dbPrefix = strdup(opt->value);
+            break;
+        case 'v':
+            verbose = PR_TRUE;
+            break;
+        case 'h':  /* help message */
+        default:
+            PKM_Help();
+            break;
+        }
+    }
+    PL_DestroyOptState(opt);
+
+    if (!pwd) {
+        pwd = (CK_UTF8CHAR *)strdup("1Mozilla");
+    }
+    pwdLen = strlen((const char*)pwd); 
+    if (!configDir) {
+        configDir = strdup(".");
+    }
+    if (!dbPrefix) {
+        dbPrefix = strdup("");
+    }
+
+#ifdef _WIN32
+    hModule = LoadLibrary(LIB_NAME);
+    if (hModule == NULL) {
+        PKM_Error( "cannot load %s\n", LIB_NAME);
+        goto cleanup;
+    }
+    if (MODE == FIPSMODE) {
+        /* FIPS mode == FC_GetFunctionList */
+        pC_GetFunctionList = (CK_C_GetFunctionList)
+                             GetProcAddress(hModule, "FC_GetFunctionList");
+    } else {
+        /* NON FIPS mode  == C_GetFunctionList */
+        pC_GetFunctionList = (CK_C_GetFunctionList)
+                             GetProcAddress(hModule, "C_GetFunctionList");
+     }
+    if (pC_GetFunctionList == NULL) {
+        PKM_Error( "cannot load %s\n", LIB_NAME);
+        goto cleanup;
+    }
+#else
+    {
+    char *libname = NULL;
+    /* Get the platform-dependent library name of the NSS cryptographic module */
+    libname = PR_GetLibraryName(NULL, "softokn3");
+    assert(libname != NULL);
+    lib = PR_LoadLibrary(libname);
+    assert(lib != NULL);
+    PR_FreeLibraryName(libname);
+    } 
+    if (MODE == FIPSMODE) {
+        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
+        "FC_GetFunctionList");
+        assert(pC_GetFunctionList != NULL);
+        slotID = 0;
+    } else {
+        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
+        "C_GetFunctionList");
+        assert(pC_GetFunctionList != NULL);
+        slotID = 1;
+    }
+#endif
+
+    if (MODE == FIPSMODE) {
+        printf("Loaded FC_GetFunctionList for FIPS MODE; slotID %d \n",
+               (int) slotID);
+    } else {
+        printf("loaded C_GetFunctionList for NON FIPS MODE; slotID %d \n",
+                (int) slotID);
+    }
+
+    crv = (*pC_GetFunctionList)(&pFunctionList);
+    assert(crv == CKR_OK);
+
+    initArgs.CreateMutex = NULL;
+    initArgs.DestroyMutex = NULL;
+    initArgs.LockMutex = NULL;
+    initArgs.UnlockMutex = NULL;
+    initArgs.flags = CKF_OS_LOCKING_OK;
+    moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
+                             "keyPrefix='%s' secmod='secmod.db' flags= ",
+                             configDir, dbPrefix, dbPrefix);
+    initArgs.LibraryParameters = (CK_CHAR_PTR *) moduleSpec;
+    initArgs.pReserved = NULL;
+
+    /*DebugBreak();*/
+    /* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
+    /* NSS cryptographic module library initialization for the FIPS  */
+    /* Approved mode when FC_Initialize is envoked will perfom       */
+    /* software integrity test, and power-up self-tests before       */
+    /* FC_Initialize returns                                         */
+    crv = pFunctionList->C_Initialize(&initArgs);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Initialize succeeded\n");
+    } else {
+        PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_ShowInfo(pFunctionList, slotID);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_ShowInfo succeeded\n");
+    } else {
+        PKM_Error( "PKM_ShowInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    pSlotList = PKM_GetSlotList(pFunctionList, slotID);
+    if (pSlotList == NULL) {
+        PKM_Error( "PKM_GetSlotList failed with \n");
+        goto cleanup;
+    }
+    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tokenInfo);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetTokenInfo succeeded\n\n");
+    } else {
+        PKM_Error( "C_GetTokenInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    if (!(tokenInfo.flags & CKF_USER_PIN_INITIALIZED)) {
+        PKM_LogIt("Initing PW for DB\n");
+        crv = PKM_InitPWforDB(pFunctionList, pSlotList, slotID,
+                        pwd, pwdLen);
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_InitPWforDB succeeded\n\n");
+        } else {
+            PKM_Error( "PKM_InitPWforDB failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+            goto cleanup;
+        }
+    } else {
+        PKM_LogIt("using existing DB\n");
+    }
+
+    /* general mechanism by token */ 
+    crv = PKM_Mechanism(pFunctionList, pSlotList, slotID);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_Mechanism succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_Mechanism failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    } 
+    /* RNG example without Login */
+    crv = PKM_RNG(pFunctionList, pSlotList, slotID);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_RNG succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_RNG failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    crv = PKM_SessionLogin(pFunctionList, pSlotList, slotID,
+                           pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SessionLogin succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_SessionLogin failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    /*
+     * PKM_KeyTest creates RSA,DSA public keys 
+     * and AES, DES3 secret keys.
+     * then does digest, hmac, encrypt/decrypt, signing operations. 
+     */
+    crv = PKM_KeyTests(pFunctionList, pSlotList, slotID,
+                            pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_KeyTests succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_KeyTest failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    crv = PKM_SecretKey(pFunctionList, pSlotList, slotID, pwd, 
+                        pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SecretKey succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_SecretKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    crv = PKM_PublicKey(pFunctionList, pSlotList, slotID,
+                        pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_PublicKey succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_PublicKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_OperationalState(pFunctionList, pSlotList, slotID,
+                               pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_OperationalState succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_OperationalState failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_MultiObjectManagement(pFunctionList, pSlotList, slotID,
+                                    pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_MultiObjectManagement succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_MultiObjectManagement failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_LegacyFunctions(pFunctionList, pSlotList, slotID,
+                              pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_LegacyFunctions succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_LegacyFunctions failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_TLSKeyAndMacDerive(pFunctionList, pSlotList, slotID,
+                                 pwd, pwdLen,
+                                 CKM_TLS_KEY_AND_MAC_DERIVE, CORRECT);
+
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_TLSKeyAndMacDerive succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_TLSKeyAndMacDerive failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_TLSMasterKeyDerive(pFunctionList, pSlotList, slotID,
+                                 pwd, pwdLen,
+                                 CKM_TLS_MASTER_KEY_DERIVE,
+                                 CORRECT);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_TLSMasterKeyDerive succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_TLSMasterKeyDerive failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_TLSMasterKeyDerive(pFunctionList, pSlotList, slotID,
+                                 pwd, pwdLen,
+                                 CKM_TLS_MASTER_KEY_DERIVE_DH,
+                                 CORRECT);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_TLSMasterKeyDerive succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_TLSMasterKeyDerive failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = PKM_FindAllObjects(pFunctionList, pSlotList, slotID,
+                             pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_FindAllObjects succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_FindAllObjects failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+    crv = pFunctionList->C_Finalize(NULL);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Finalize succeeded\n");
+    } else {
+        PKM_Error( "C_Finalize failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    if (pSlotList) free(pSlotList);
+
+    /* demostrate how an application can be in Hybrid mode */
+    /* PKM_HybridMode shows how to switch between NONFIPS */
+    /* mode to FIPS mode */
+
+    PKM_LogIt("Testing Hybrid mode \n");
+    crv = PKM_HybridMode(pwd, pwdLen, &initArgs);
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_HybridMode succeeded\n");
+    } else {
+        PKM_Error( "PKM_HybridMode failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        goto cleanup;
+    }
+
+    printf("**** Total number of TESTS ran in %s is %d. ****\n", 
+          ((MODE == FIPSMODE) ? "FIPS MODE" : "NON FIPS MODE"), (int) NUMTESTS);    
+    printf("**** ALL TESTS PASSED ****\n");
+    PKM_LogIt("unloading NSS PKCS # 11 softoken and exiting\n");
+
+cleanup:
+
+    if (pwd) {
+        free(pwd);
+    }
+    if (configDir) {
+        free(configDir);
+    }
+    if (dbPrefix) {
+        free(dbPrefix);
+    }
+    if (moduleSpec) {
+        free(moduleSpec);
+    }
+
+#ifdef _WIN32
+    FreeLibrary(hModule);
+#else
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    if (!disableUnload) {
+        PR_UnloadLibrary(lib);
+    }
+#endif
+
+    return crv;
+}
+
+/*
+*  PKM_KeyTests
+*
+*
+*/
+
+CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
+                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_SESSION_HANDLE hRwSession;
+
+    CK_RV crv = CKR_OK;
+
+/*** DSA Key ***/
+    CK_MECHANISM dsaParamGenMech;
+    CK_ULONG primeBits = 1024;
+    CK_ATTRIBUTE dsaParamGenTemplate[1]; 
+    CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
+    CK_BYTE DSA_P[128];
+    CK_BYTE DSA_Q[20];
+    CK_BYTE DSA_G[128];
+    CK_MECHANISM dsaKeyPairGenMech;
+    CK_ATTRIBUTE dsaPubKeyTemplate[5]; 
+    CK_ATTRIBUTE dsaPrivKeyTemplate[5]; 
+    CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
+
+/**** RSA Key ***/
+    CK_KEY_TYPE rsatype = CKK_RSA;
+    CK_MECHANISM rsaKeyPairGenMech;
+    CK_BYTE subject[] = {"RSA Private Key"};
+    CK_ULONG modulusBits = 1024;
+    CK_BYTE publicExponent[] = {0x01, 0x00, 0x01};
+    CK_BYTE id[] = {"RSA123"};
+    CK_ATTRIBUTE rsaPubKeyTemplate[9]; 
+    CK_ATTRIBUTE rsaPrivKeyTemplate[11]; 
+    CK_OBJECT_HANDLE hRSApubKey = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE hRSAprivKey = CK_INVALID_HANDLE;
+
+ /*** AES Key ***/
+    CK_MECHANISM sAESKeyMech = {
+        CKM_AES_KEY_GEN, NULL, 0
+    };
+    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
+    CK_KEY_TYPE keyAESType = CKK_AES;
+    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
+    CK_ULONG AESvalueLen = 32;
+    CK_ATTRIBUTE sAESKeyTemplate[9];    
+    CK_OBJECT_HANDLE hAESSecKey;
+
+/*** DES3 Key ***/
+    CK_KEY_TYPE keyDES3Type = CKK_DES3;
+    CK_UTF8CHAR DES3label[] = "An Triple DES secret key object";
+    CK_ULONG DES3valueLen = 56;
+    CK_MECHANISM sDES3KeyGenMechanism = {
+        CKM_DES3_KEY_GEN, NULL, 0
+    };
+    CK_ATTRIBUTE sDES3KeyTemplate[9];
+    CK_OBJECT_HANDLE hDES3SecKey;
+    
+    CK_MECHANISM dsaWithSha1Mech = {
+        CKM_DSA_SHA1, NULL, 0
+    };
+
+    CK_BYTE IV[16];
+    CK_MECHANISM mech_DES3_CBC; 
+    CK_MECHANISM mech_DES3_CBC_PAD; 
+    CK_MECHANISM mech_AES_CBC_PAD;
+    CK_MECHANISM mech_AES_CBC;
+    struct mech_str {
+        CK_ULONG    mechanism;
+        const char *mechanismStr;
+    };
+
+    typedef struct mech_str mech_str;
+
+    mech_str digestMechs[] = {
+        {CKM_SHA_1, "CKM_SHA_1 "},
+        {CKM_SHA256, "CKM_SHA256"},
+        {CKM_SHA384, "CKM_SHA384"},
+        {CKM_SHA512, "CKM_SHA512"}
+    };
+    mech_str hmacMechs[] = {
+        {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
+        {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
+        {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
+        {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
+    };
+    mech_str sigRSAMechs[] = {
+        {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
+        {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
+        {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
+        {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
+    };
+
+    CK_ULONG digestMechsSZ = NUM_ELEM(digestMechs);
+    CK_ULONG sigRSAMechsSZ = NUM_ELEM(sigRSAMechs);
+    CK_ULONG hmacMechsSZ = NUM_ELEM(hmacMechs);
+    CK_MECHANISM mech;
+
+    unsigned int i;
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* DSA key init */
+    dsaParamGenMech.mechanism      = CKM_DSA_PARAMETER_GEN; 
+    dsaParamGenMech.pParameter = NULL_PTR; 
+    dsaParamGenMech.ulParameterLen = 0;
+    dsaParamGenTemplate[0].type = CKA_PRIME_BITS; 
+    dsaParamGenTemplate[0].pValue     = &primeBits; 
+    dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
+    dsaPubKeyTemplate[0].type       = CKA_PRIME; 
+    dsaPubKeyTemplate[0].pValue     = DSA_P;
+    dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
+    dsaPubKeyTemplate[1].type = CKA_SUBPRIME; 
+    dsaPubKeyTemplate[1].pValue = DSA_Q;
+    dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
+    dsaPubKeyTemplate[2].type = CKA_BASE; 
+    dsaPubKeyTemplate[2].pValue = DSA_G; 
+    dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
+    dsaPubKeyTemplate[3].type = CKA_TOKEN; 
+    dsaPubKeyTemplate[3].pValue = &true; 
+    dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
+    dsaPubKeyTemplate[4].type = CKA_VERIFY; 
+    dsaPubKeyTemplate[4].pValue = &true; 
+    dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
+    dsaKeyPairGenMech.mechanism      = CKM_DSA_KEY_PAIR_GEN;
+    dsaKeyPairGenMech.pParameter = NULL_PTR;
+    dsaKeyPairGenMech.ulParameterLen = 0;
+    dsaPrivKeyTemplate[0].type       = CKA_TOKEN;
+    dsaPrivKeyTemplate[0].pValue     = &true; 
+    dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[1].type       = CKA_PRIVATE; 
+    dsaPrivKeyTemplate[1].pValue     = &true; 
+    dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[2].type       = CKA_SENSITIVE; 
+    dsaPrivKeyTemplate[2].pValue     = &true; 
+    dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[3].type       = CKA_SIGN, 
+    dsaPrivKeyTemplate[3].pValue     = &true;
+    dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[4].type       = CKA_EXTRACTABLE; 
+    dsaPrivKeyTemplate[4].pValue     = &true; 
+    dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
+
+    /* RSA key init */
+    rsaKeyPairGenMech.mechanism      = CKM_RSA_PKCS_KEY_PAIR_GEN;
+    rsaKeyPairGenMech.pParameter = NULL_PTR;
+    rsaKeyPairGenMech.ulParameterLen = 0;
+
+    rsaPubKeyTemplate[0].type       = CKA_KEY_TYPE; 
+    rsaPubKeyTemplate[0].pValue     = &rsatype; 
+    rsaPubKeyTemplate[0].ulValueLen = sizeof(rsatype);
+    rsaPubKeyTemplate[1].type       = CKA_PRIVATE; 
+    rsaPubKeyTemplate[1].pValue     = &true; 
+    rsaPubKeyTemplate[1].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[2].type       = CKA_ENCRYPT;
+    rsaPubKeyTemplate[2].pValue     = &true; 
+    rsaPubKeyTemplate[2].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[3].type       = CKA_DECRYPT;
+    rsaPubKeyTemplate[3].pValue     = &true;
+    rsaPubKeyTemplate[3].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[4].type       = CKA_VERIFY;
+    rsaPubKeyTemplate[4].pValue     = &true; 
+    rsaPubKeyTemplate[4].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[5].type       = CKA_SIGN;
+    rsaPubKeyTemplate[5].pValue     = &true; 
+    rsaPubKeyTemplate[5].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[6].type       = CKA_WRAP; 
+    rsaPubKeyTemplate[6].pValue     = &true; 
+    rsaPubKeyTemplate[6].ulValueLen = sizeof(true);
+    rsaPubKeyTemplate[7].type       = CKA_MODULUS_BITS; 
+    rsaPubKeyTemplate[7].pValue     = &modulusBits; 
+    rsaPubKeyTemplate[7].ulValueLen = sizeof(modulusBits);
+    rsaPubKeyTemplate[8].type       = CKA_PUBLIC_EXPONENT; 
+    rsaPubKeyTemplate[8].pValue     = publicExponent; 
+    rsaPubKeyTemplate[8].ulValueLen = sizeof (publicExponent);
+
+    rsaPrivKeyTemplate[0].type       = CKA_KEY_TYPE;
+    rsaPrivKeyTemplate[0].pValue     = &rsatype; 
+    rsaPrivKeyTemplate[0].ulValueLen = sizeof(rsatype);
+    rsaPrivKeyTemplate[1].type       = CKA_TOKEN;
+    rsaPrivKeyTemplate[1].pValue     = &true; 
+    rsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[2].type       = CKA_PRIVATE;
+    rsaPrivKeyTemplate[2].pValue     = &true; 
+    rsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[3].type       = CKA_SUBJECT; 
+    rsaPrivKeyTemplate[3].pValue     = subject; 
+    rsaPrivKeyTemplate[3].ulValueLen = sizeof(subject);
+    rsaPrivKeyTemplate[4].type       = CKA_ID; 
+    rsaPrivKeyTemplate[4].pValue     = id; 
+    rsaPrivKeyTemplate[4].ulValueLen = sizeof(id);
+    rsaPrivKeyTemplate[5].type       = CKA_SENSITIVE; 
+    rsaPrivKeyTemplate[5].pValue     = &true; 
+    rsaPrivKeyTemplate[5].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[6].type       = CKA_ENCRYPT; 
+    rsaPrivKeyTemplate[6].pValue     = &true; 
+    rsaPrivKeyTemplate[6].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[7].type       = CKA_DECRYPT; 
+    rsaPrivKeyTemplate[7].pValue     = &true; 
+    rsaPrivKeyTemplate[7].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[8].type       = CKA_VERIFY; 
+    rsaPrivKeyTemplate[8].pValue     = &true; 
+    rsaPrivKeyTemplate[8].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[9].type       = CKA_SIGN; 
+    rsaPrivKeyTemplate[9].pValue     = &true; 
+    rsaPrivKeyTemplate[9].ulValueLen = sizeof(true);
+    rsaPrivKeyTemplate[10].type       = CKA_UNWRAP; 
+    rsaPrivKeyTemplate[10].pValue     = &true; 
+    rsaPrivKeyTemplate[10].ulValueLen = sizeof(true);
+    
+    /* AES key template */
+    sAESKeyTemplate[0].type       = CKA_CLASS; 
+    sAESKeyTemplate[0].pValue     = &class;
+    sAESKeyTemplate[0].ulValueLen = sizeof(class);
+    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
+    sAESKeyTemplate[1].pValue     = &keyAESType; 
+    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
+    sAESKeyTemplate[2].type       = CKA_LABEL;
+    sAESKeyTemplate[2].pValue     = AESlabel; 
+    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
+    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
+    sAESKeyTemplate[3].pValue     = &true; 
+    sAESKeyTemplate[3].ulValueLen = sizeof(true);
+    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
+    sAESKeyTemplate[4].pValue     = &true; 
+    sAESKeyTemplate[4].ulValueLen = sizeof(true);
+    sAESKeyTemplate[5].type       = CKA_SIGN; 
+    sAESKeyTemplate[5].pValue     = &true; 
+    sAESKeyTemplate[5].ulValueLen = sizeof (true);
+    sAESKeyTemplate[6].type       = CKA_VERIFY; 
+    sAESKeyTemplate[6].pValue     = &true; 
+    sAESKeyTemplate[6].ulValueLen = sizeof(true);
+    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
+    sAESKeyTemplate[7].pValue     = &true; 
+    sAESKeyTemplate[7].ulValueLen = sizeof(true);
+    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
+    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
+    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
+
+    /* DES3 key template */
+    sDES3KeyTemplate[0].type       = CKA_CLASS;
+    sDES3KeyTemplate[0].pValue     = &class; 
+    sDES3KeyTemplate[0].ulValueLen = sizeof(class);
+    sDES3KeyTemplate[1].type       = CKA_KEY_TYPE; 
+    sDES3KeyTemplate[1].pValue     = &keyDES3Type; 
+    sDES3KeyTemplate[1].ulValueLen = sizeof(keyDES3Type);
+    sDES3KeyTemplate[2].type       = CKA_LABEL; 
+    sDES3KeyTemplate[2].pValue     = DES3label; 
+    sDES3KeyTemplate[2].ulValueLen = sizeof(DES3label)-1;
+    sDES3KeyTemplate[3].type       = CKA_ENCRYPT; 
+    sDES3KeyTemplate[3].pValue     = &true; 
+    sDES3KeyTemplate[3].ulValueLen = sizeof(true);
+    sDES3KeyTemplate[4].type       = CKA_DECRYPT; 
+    sDES3KeyTemplate[4].pValue     = &true; 
+    sDES3KeyTemplate[4].ulValueLen = sizeof(true);
+    sDES3KeyTemplate[5].type       = CKA_UNWRAP; 
+    sDES3KeyTemplate[5].pValue     = &true; 
+    sDES3KeyTemplate[5].ulValueLen = sizeof(true);
+    sDES3KeyTemplate[6].type       = CKA_SIGN, 
+    sDES3KeyTemplate[6].pValue     = &true; 
+    sDES3KeyTemplate[6].ulValueLen = sizeof (true);
+    sDES3KeyTemplate[7].type       = CKA_VERIFY; 
+    sDES3KeyTemplate[7].pValue     = &true; 
+    sDES3KeyTemplate[7].ulValueLen = sizeof(true);
+    sDES3KeyTemplate[8].type       = CKA_VALUE_LEN; 
+    sDES3KeyTemplate[8].pValue     = &DES3valueLen; 
+    sDES3KeyTemplate[8].ulValueLen = sizeof(DES3valueLen);
+    
+    /* mech init */
+    memset(IV, 0x01, sizeof(IV));
+    mech_DES3_CBC.mechanism      = CKM_DES3_CBC; 
+    mech_DES3_CBC.pParameter = IV; 
+    mech_DES3_CBC.ulParameterLen = sizeof(IV);
+    mech_DES3_CBC_PAD.mechanism      = CKM_DES3_CBC_PAD; 
+    mech_DES3_CBC_PAD.pParameter = IV; 
+    mech_DES3_CBC_PAD.ulParameterLen = sizeof(IV);
+    mech_AES_CBC.mechanism      = CKM_AES_CBC; 
+    mech_AES_CBC.pParameter = IV; 
+    mech_AES_CBC.ulParameterLen = sizeof(IV);
+    mech_AES_CBC_PAD.mechanism      = CKM_AES_CBC_PAD; 
+    mech_AES_CBC_PAD.pParameter = IV; 
+    mech_AES_CBC_PAD.ulParameterLen = sizeof(IV);
+
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
+                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hRwSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Opening a read/write session succeeded\n");
+    } else {
+        PKM_Error( "Opening a read/write session failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if (MODE == FIPSMODE) {
+        crv = pFunctionList->C_GenerateKey(hRwSession, &sAESKeyMech,
+                                           sAESKeyTemplate,
+                                           NUM_ELEM(sAESKeyTemplate),
+                                           &hAESSecKey);
+        if (crv == CKR_OK) {
+            PKM_Error("C_GenerateKey succeeded when not logged in.\n");
+            return CKR_GENERAL_ERROR;
+        } else {
+            PKM_LogIt("C_GenerateKey returned as EXPECTED with 0x%08X, %-26s\n"
+                      "since not logged in\n", crv, PKM_CK_RVtoStr(crv));
+        }
+        crv = pFunctionList->C_GenerateKeyPair(hRwSession, &rsaKeyPairGenMech,
+                                               rsaPubKeyTemplate,
+                                               NUM_ELEM(rsaPubKeyTemplate),
+                                               rsaPrivKeyTemplate,
+                                               NUM_ELEM(rsaPrivKeyTemplate),
+                                               &hRSApubKey, &hRSAprivKey);
+        if (crv == CKR_OK) {
+            PKM_Error("C_GenerateKeyPair succeeded when not logged in.\n");
+            return CKR_GENERAL_ERROR;
+        } else {
+            PKM_LogIt("C_GenerateKeyPair returned as EXPECTED with 0x%08X, "
+                      "%-26s\n since not logged in\n", crv, 
+                      PKM_CK_RVtoStr(crv));
+        }
+    }
+
+    crv = pFunctionList->C_Login(hRwSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error("C_Login with correct password failed "
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("Generate an AES key ... \n");
+    /* generate an AES Secret Key */
+    crv = pFunctionList->C_GenerateKey(hRwSession, &sAESKeyMech,
+                                       sAESKeyTemplate,
+                                       NUM_ELEM(sAESKeyTemplate),
+                                       &hAESSecKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey AES succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
+                   crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    PKM_LogIt("Generate an 3DES key ...\n");
+    /* generate an 3DES Secret Key */   
+    crv = pFunctionList->C_GenerateKey(hRwSession, &sDES3KeyGenMechanism,
+                                       sDES3KeyTemplate,
+                                       NUM_ELEM(sDES3KeyTemplate),
+                                       &hDES3SecKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey DES3 succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("Generate DSA PQG domain parameters ... \n");
+    /* Generate DSA domain parameters PQG */
+    crv = pFunctionList->C_GenerateKey(hRwSession, &dsaParamGenMech,
+                                       dsaParamGenTemplate,
+                                       1,
+                                       &hDsaParams);
+    if (crv == CKR_OK) {
+        PKM_LogIt("DSA domain parameter generation succeeded\n");
+    } else {
+        PKM_Error( "DSA domain parameter generation failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_GetAttributeValue(hRwSession, hDsaParams,
+                                             dsaPubKeyTemplate, 3);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Getting DSA domain parameters succeeded\n");
+    } else {
+        PKM_Error( "Getting DSA domain parameters failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DestroyObject(hRwSession, hDsaParams);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Destroying DSA domain parameters succeeded\n");
+    } else {
+        PKM_Error( "Destroying DSA domain parameters failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    PKM_LogIt("Generate a DSA key pair ... \n");
+    /* Generate a persistent DSA key pair */
+    crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech,
+                                           dsaPubKeyTemplate,
+                                           NUM_ELEM(dsaPubKeyTemplate),
+                                           dsaPrivKeyTemplate,
+                                           NUM_ELEM(dsaPrivKeyTemplate),
+                                           &hDSApubKey, &hDSAprivKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("DSA key pair generation succeeded\n");
+    } else {
+        PKM_Error( "DSA key pair generation failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    PKM_LogIt("Generate a RSA key pair ... \n");
+    /*** GEN RSA Key ***/
+    crv = pFunctionList->C_GenerateKeyPair(hRwSession, &rsaKeyPairGenMech,
+                                           rsaPubKeyTemplate,
+                                           NUM_ELEM(rsaPubKeyTemplate),
+                                           rsaPrivKeyTemplate,
+                                           NUM_ELEM(rsaPrivKeyTemplate),
+                                           &hRSApubKey, &hRSAprivKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKeyPair created an RSA key pair. \n");
+    } else {
+        PKM_Error("C_GenerateKeyPair failed to create an RSA key pair.\n"
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("**** Generation of keys completed ***** \n");
+    
+    mech.mechanism = CKM_RSA_PKCS;
+    mech.pParameter = NULL;
+    mech.ulParameterLen = 0;
+
+    crv = PKM_wrapUnwrap(pFunctionList,
+                     hRwSession, 
+                     hRSApubKey, hRSAprivKey,
+                     &mech,
+                     hAESSecKey,
+                     sAESKeyTemplate,
+                     NUM_ELEM(sAESKeyTemplate));
+    
+   if (crv == CKR_OK) {
+        PKM_LogIt("PKM_wrapUnwrap using RSA keypair to wrap AES key "
+                  "succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_wrapUnwrap using RSA keypair to wrap AES key failed "
+                   "with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = PKM_wrapUnwrap(pFunctionList,
+                     hRwSession, 
+                     hRSApubKey, hRSAprivKey,
+                     &mech,
+                     hDES3SecKey,
+                     sDES3KeyTemplate,
+                     NUM_ELEM(sDES3KeyTemplate));
+    
+   if (crv == CKR_OK) {
+        PKM_LogIt("PKM_wrapUnwrap using RSA keypair to wrap DES3 key "
+                  "succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_wrapUnwrap using RSA keypair to wrap DES3 key "
+                   "failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
+                    hAESSecKey, &mech_AES_CBC_PAD,
+                    PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SecKeyCrypt succeeded \n\n");
+    } else {
+        PKM_Error( "PKM_SecKeyCrypt failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
+                    hAESSecKey, &mech_AES_CBC,
+                    PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SecKeyCrypt AES succeeded \n\n");
+    } else {
+        PKM_Error( "PKM_SecKeyCrypt failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
+                    hDES3SecKey, &mech_DES3_CBC,
+                    PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SecKeyCrypt DES3 succeeded \n");
+    } else {
+        PKM_Error( "PKM_SecKeyCrypt DES3 failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
+                    hDES3SecKey, &mech_DES3_CBC_PAD,
+                    PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_SecKeyCrypt DES3 succeeded \n\n");
+    } else {
+        PKM_Error( "PKM_SecKeyCrypt DES3 failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    mech.mechanism = CKM_RSA_PKCS;
+    crv = PKM_RecoverFunctions(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_RecoverFunctions for CKM_RSA_PKCS succeeded\n\n");
+    } else {
+        PKM_Error( "PKM_RecoverFunctions failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    mech.pParameter = NULL;
+    mech.ulParameterLen = 0;
+
+    for (i=0; i < sigRSAMechsSZ; i++) {
+
+        mech.mechanism = sigRSAMechs[i].mechanism;
+
+        crv = PKM_PubKeySign(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_PubKeySign succeeded for %-10s\n\n", 
+                sigRSAMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_PubKeySign failed for %-10s  "
+                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       hAESSecKey, &mech_AES_CBC,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncSign with AES secret key succeeded "
+                      "for %-10s\n\n", 
+                sigRSAMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_DualFuncSign with AES secret key failed "
+                       "for %-10s  "
+                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       hDES3SecKey, &mech_DES3_CBC,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
+                      "for %-10s\n\n", 
+                sigRSAMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_DualFuncSign with DES3 secret key failed "
+                       "for %-10s  "
+                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       hAESSecKey, &mech_AES_CBC_PAD,
+                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD "
+                      "succeeded for %-10s\n\n", 
+                sigRSAMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_DualFuncSign with AES secret key CBC_PAD "
+                       "failed for %-10s  "
+                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hRSApubKey, hRSAprivKey,
+                       &mech,
+                       hDES3SecKey, &mech_DES3_CBC_PAD,
+                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD "
+                      "succeeded for %-10s\n\n", 
+                sigRSAMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_DualFuncSign with DES3 secret key CBC_PAD "
+                       "failed for %-10s  "
+                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+    } /* end of RSA for loop */
+
+    crv = PKM_PubKeySign(pFunctionList, hRwSession,
+                    hDSApubKey, hDSAprivKey,
+                    &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_PubKeySign for DSAwithSHA1 succeeded \n\n");
+    } else {
+        PKM_Error( "PKM_PubKeySign failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hDSApubKey, hDSAprivKey,
+                       &dsaWithSha1Mech,
+                       hAESSecKey, &mech_AES_CBC,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_DualFuncSign with AES secret key succeeded "
+                "for DSAWithSHA1\n\n");
+    } else {
+        PKM_Error( "PKM_DualFuncSign with AES secret key failed "
+                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
+                crv, PKM_CK_RVtoStr(crv));
+           return crv;
+    }
+    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hDSApubKey, hDSAprivKey,
+                       &dsaWithSha1Mech,
+                       hDES3SecKey, &mech_DES3_CBC,
+                       PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
+                "for DSAWithSHA1\n\n");
+    } else {
+        PKM_Error( "PKM_DualFuncSign with DES3 secret key failed "
+                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
+                crv, PKM_CK_RVtoStr(crv));
+           return crv;
+    }
+    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hDSApubKey, hDSAprivKey,
+                       &dsaWithSha1Mech,
+                       hAESSecKey, &mech_AES_CBC_PAD,
+                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD succeeded "
+                "for DSAWithSHA1\n\n");
+    } else {
+        PKM_Error( "PKM_DualFuncSign with AES secret key CBC_PAD failed "
+                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
+                crv, PKM_CK_RVtoStr(crv));
+           return crv;
+    }
+    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
+                       hDSApubKey, hDSAprivKey,
+                       &dsaWithSha1Mech,
+                       hDES3SecKey, &mech_DES3_CBC_PAD,
+                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD succeeded "
+                "for DSAWithSHA1\n\n");
+    } else {
+        PKM_Error( "PKM_DualFuncSign with DES3 secret key CBC_PAD failed "
+                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
+                crv, PKM_CK_RVtoStr(crv));
+           return crv;
+    }
+
+
+    for (i=0; i < digestMechsSZ; i++) {
+        mech.mechanism = digestMechs[i].mechanism;
+        crv = PKM_Digest(pFunctionList, hRwSession,
+                     &mech, hAESSecKey,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_Digest with AES secret key succeeded for %-10s\n\n", 
+                digestMechs[i].mechanismStr);
+        } else {
+            PKM_Error( "PKM_Digest with AES secret key failed for "
+                       "%-10s with 0x%08X,  %-26s\n", 
+                       digestMechs[i].mechanismStr, crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncDigest(pFunctionList, hRwSession,
+                     hAESSecKey, &mech_AES_CBC,
+                     0,&mech,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncDigest with AES secret key succeeded\n\n");
+        } else {
+            PKM_Error( "PKM_DualFuncDigest with AES secret key "
+                       "failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+        }
+
+        crv = PKM_Digest(pFunctionList, hRwSession,
+                     &mech, hDES3SecKey,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_Digest with DES3 secret key succeeded for %-10s\n\n", 
+                digestMechs[i].mechanismStr);
+        } else {
+            PKM_Error( "PKM_Digest with DES3 secret key failed for "
+                       "%-10s with 0x%08X,  %-26s\n", 
+                       digestMechs[i].mechanismStr, crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        crv = PKM_DualFuncDigest(pFunctionList, hRwSession,
+                     hDES3SecKey, &mech_DES3_CBC,
+                     0,&mech,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_DualFuncDigest DES3 secret key succeeded\n\n");
+        } else {
+            PKM_Error( "PKM_DualFuncDigest DES3 secret key "
+                       "failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+        }
+
+        crv = PKM_Digest(pFunctionList, hRwSession,
+                     &mech, 0,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_Digest with no secret key succeeded for %-10s\n\n", 
+                digestMechs[i].mechanismStr );
+        } else {
+            PKM_Error( "PKM_Digest with no secret key failed for %-10s  "
+                "with 0x%08X, %-26s\n", digestMechs[i].mechanismStr, crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+    } /* end of digest loop */
+
+    for (i=0; i < hmacMechsSZ; i++) {
+        mech.mechanism = hmacMechs[i].mechanism;
+        crv = PKM_Hmac(pFunctionList, hRwSession,
+                      hAESSecKey, &mech,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_Hmac with AES secret key succeeded for %-10s\n\n", 
+                hmacMechs[i].mechanismStr);
+        } else {
+            PKM_Error( "PKM_Hmac with AES secret key failed for %-10s "
+                       "with 0x%08X, %-26s\n", 
+                       hmacMechs[i].mechanismStr, crv, PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+        if ((MODE == FIPSMODE) && (mech.mechanism == CKM_SHA512_HMAC)) break;
+        crv = PKM_Hmac(pFunctionList, hRwSession,
+                      hDES3SecKey, &mech,
+                     PLAINTEXT, sizeof(PLAINTEXT));
+        if (crv == CKR_OK) {
+            PKM_LogIt("PKM_Hmac with DES3 secret key succeeded for %-10s\n\n", 
+                hmacMechs[i].mechanismStr);
+        } else {
+            PKM_Error( "PKM_Hmac with DES3 secret key failed for %-10s "
+                       "with 0x%08X,  %-26s\n", 
+                       hmacMechs[i].mechanismStr, crv, PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+    } /* end of hmac loop */
+
+    crv = pFunctionList->C_Logout(hRwSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CloseSession(hRwSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+
+}
+
+void PKM_LogIt(const char *fmt, ...) {
+    va_list args;
+    
+    if (verbose) {
+        va_start (args, fmt);
+        if (MODE == FIPSMODE) {
+            printf("FIPS MODE: ");
+        } else if (MODE == NONFIPSMODE) {
+            printf("NON FIPS MODE: ");
+        } else if (MODE == HYBRIDMODE) {
+            printf("Hybrid MODE: ");
+        } else printf ("NO MODE: ");
+        vprintf(fmt, args);
+        va_end(args);
+    }
+}
+
+void PKM_Error(const char *fmt, ...) {
+    va_list args;
+    va_start (args, fmt);
+
+    if (MODE == FIPSMODE) {
+        fprintf(stderr, "\nFIPS MODE PKM_Error: ");
+    } else if (MODE == NONFIPSMODE) {
+        fprintf(stderr, "NON FIPS MODE PKM_Error: ");
+    } else if (MODE == HYBRIDMODE) {
+        fprintf(stderr, "Hybrid MODE PKM_Error: ");
+    } else fprintf(stderr, "NOMODE PKM_Error: ");
+    vfprintf(stderr, fmt, args);
+    va_end(args);
+}
+CK_SLOT_ID *PKM_GetSlotList(CK_FUNCTION_LIST_PTR pFunctionList,
+                            CK_ULONG slotID) {
+    CK_RV crv = CKR_OK;
+    CK_SLOT_ID *pSlotList = NULL;
+    CK_ULONG slotCount;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* Get slot list */
+    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
+                                       NULL, &slotCount);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetSlotList failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return NULL;
+    }
+    PKM_LogIt("C_GetSlotList reported there are %lu slots\n", slotCount);
+    pSlotList = (CK_SLOT_ID *)malloc(slotCount * sizeof(CK_SLOT_ID));
+    if (!pSlotList) {
+        PKM_Error( "failed to allocate slot list\n");
+        return NULL;
+    }
+    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
+                                       pSlotList, &slotCount);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetSlotList failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        if (pSlotList) free(pSlotList);
+        return NULL;
+    }
+    return pSlotList;
+}
+
+CK_RV PKM_InitPWforDB(CK_FUNCTION_LIST_PTR pFunctionList,
+                      CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                      CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen)  {
+    CK_RV crv = CKR_OK;
+    CK_SESSION_HANDLE hSession;
+    static const CK_UTF8CHAR testPin[] = {"0Mozilla"};
+    static const CK_UTF8CHAR weakPin[] = {"mozilla"};
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
+                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("CKU_USER 0x%08X \n", CKU_USER); 
+
+    crv = pFunctionList->C_Login(hSession, CKU_SO, NULL, 0);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Login failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if (MODE == FIPSMODE) {
+        crv = pFunctionList->C_InitPIN(hSession, (CK_UTF8CHAR *) weakPin, 
+                                       sizeof(weakPin));
+        if (crv == CKR_OK) {
+            PKM_Error( "C_InitPIN with a weak password succeeded\n");
+            return crv;
+        } else {
+            PKM_LogIt("C_InitPIN with a weak password failed with "
+                      "0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        }
+    }
+    crv = pFunctionList->C_InitPIN(hSession, (CK_UTF8CHAR *) testPin, 
+                                   sizeof(testPin));
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_InitPIN succeeded\n");
+    } else {
+        PKM_Error( "C_InitPIN failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
+                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("CKU_USER 0x%08X \n", CKU_USER); 
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, (CK_UTF8CHAR *) testPin,
+                                 strlen((const char *)testPin));
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Login failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if (MODE == FIPSMODE) {
+        crv = pFunctionList->C_SetPIN(
+                                     hSession, (CK_UTF8CHAR *) testPin, 
+                                     strlen((const char *)testPin),
+                                     (CK_UTF8CHAR *) weakPin, 
+                                     strlen((const char *)weakPin));
+        if (crv == CKR_OK) {
+            PKM_Error( "C_SetPIN with a weak password succeeded\n");
+            return crv;
+        } else {
+            PKM_LogIt("C_SetPIN with a weak password returned with "
+                      "0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        }
+    }
+    crv = pFunctionList->C_SetPIN(
+                                 hSession, (CK_UTF8CHAR *) testPin, 
+                                 strlen((const char *)testPin),
+                                 pwd, pwdLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CSetPin failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    return crv;
+}
+
+CK_RV PKM_ShowInfo(CK_FUNCTION_LIST_PTR pFunctionList, CK_ULONG slotID) {
+    CK_RV crv = CKR_OK;
+    CK_INFO info;
+    CK_SLOT_ID *pSlotList = NULL;
+    unsigned i;
+
+    CK_SLOT_INFO slotInfo;
+    CK_TOKEN_INFO tokenInfo;
+    CK_FLAGS bitflag;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+
+    crv = pFunctionList->C_GetInfo(&info);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetInfo succeeded\n");
+    } else {
+        PKM_Error( "C_GetInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("General information about the PKCS #11 library:\n");
+    PKM_LogIt("    PKCS #11 version: %d.%d\n",
+              (int)info.cryptokiVersion.major,
+              (int)info.cryptokiVersion.minor);
+    PKM_LogIt("    manufacturer ID: %.32s\n", info.manufacturerID);
+    PKM_LogIt("    flags: 0x%08lX\n", info.flags);
+    PKM_LogIt("    library description: %.32s\n", info.libraryDescription);
+    PKM_LogIt("    library version: %d.%d\n",
+              (int)info.libraryVersion.major, (int)info.libraryVersion.minor);
+    PKM_LogIt("\n");
+
+    /* Get slot list */
+    pSlotList = PKM_GetSlotList(pFunctionList, slotID);
+    if (pSlotList == NULL) {
+        PKM_Error( "PKM_GetSlotList failed with \n");
+        return crv;
+    }
+    crv = pFunctionList->C_GetSlotInfo(pSlotList[slotID], &slotInfo);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetSlotInfo succeeded\n");
+    } else {
+        PKM_Error( "C_GetSlotInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("Information about slot %lu:\n", pSlotList[slotID]);
+    PKM_LogIt("    slot description: %.64s\n", slotInfo.slotDescription);
+    PKM_LogIt("    slot manufacturer ID: %.32s\n", slotInfo.manufacturerID);
+    PKM_LogIt("    flags: 0x%08lX\n", slotInfo.flags);
+    bitflag = 1;
+    for (i = 0; i < sizeof(slotFlagName)/sizeof(slotFlagName[0]); i++) {
+        if (slotInfo.flags & bitflag) {
+            PKM_LogIt("           %s\n", slotFlagName[i]);
+        }
+        bitflag <<= 1;
+    }
+    PKM_LogIt("    slot's hardware version number: %d.%d\n",
+              (int)slotInfo.hardwareVersion.major,
+              (int)slotInfo.hardwareVersion.minor);
+    PKM_LogIt("    slot's firmware version number: %d.%d\n",
+              (int)slotInfo.firmwareVersion.major,
+              (int)slotInfo.firmwareVersion.minor);
+    PKM_LogIt("\n");
+
+    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tokenInfo);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetTokenInfo succeeded\n");
+    } else {
+        PKM_Error( "C_GetTokenInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("Information about the token in slot %lu:\n",
+              pSlotList[slotID]);
+    PKM_LogIt("    label: %.32s\n", tokenInfo.label);
+    PKM_LogIt("    device manufacturer ID: %.32s\n",
+              tokenInfo.manufacturerID);
+    PKM_LogIt("    device model: %.16s\n", tokenInfo.model);
+    PKM_LogIt("    device serial number: %.16s\n", tokenInfo.serialNumber);
+    PKM_LogIt("    flags: 0x%08lX\n", tokenInfo.flags);
+    bitflag = 1;
+    for (i = 0; i < sizeof(tokenFlagName)/sizeof(tokenFlagName[0]); i++) {
+        if (tokenInfo.flags & bitflag) {
+            PKM_LogIt("           %s\n", tokenFlagName[i]);
+        }
+        bitflag <<= 1;
+    }
+    PKM_LogIt("    maximum session count: %lu\n",
+              tokenInfo.ulMaxSessionCount);
+    PKM_LogIt("    session count: %lu\n", tokenInfo.ulSessionCount);
+    PKM_LogIt("    maximum read/write session count: %lu\n",
+              tokenInfo.ulMaxRwSessionCount);
+    PKM_LogIt("    read/write session count: %lu\n",
+              tokenInfo.ulRwSessionCount);
+    PKM_LogIt("    maximum PIN length: %lu\n", tokenInfo.ulMaxPinLen);
+    PKM_LogIt("    minimum PIN length: %lu\n", tokenInfo.ulMinPinLen);
+    PKM_LogIt("    total public memory: %lu\n",
+              tokenInfo.ulTotalPublicMemory);
+    PKM_LogIt("    free public memory: %lu\n",
+              tokenInfo.ulFreePublicMemory);
+    PKM_LogIt("    total private memory: %lu\n",
+              tokenInfo.ulTotalPrivateMemory);
+    PKM_LogIt("    free private memory: %lu\n",
+              tokenInfo.ulFreePrivateMemory);
+    PKM_LogIt("    hardware version number: %d.%d\n",
+              (int)tokenInfo.hardwareVersion.major,
+              (int)tokenInfo.hardwareVersion.minor);
+    PKM_LogIt("    firmware version number: %d.%d\n",
+              (int)tokenInfo.firmwareVersion.major,
+              (int)tokenInfo.firmwareVersion.minor);
+    if (tokenInfo.flags & CKF_CLOCK_ON_TOKEN) {
+        PKM_LogIt("    current time: %.16s\n", tokenInfo.utcTime);
+    }
+    PKM_LogIt("PKM_ShowInfo done \n\n");
+    if (pSlotList) free(pSlotList);
+    return crv;
+}
+
+/* PKM_HybridMode                                                         */
+/* The NSS cryptographic module has two modes of operation: FIPS Approved */
+/* mode and NONFIPS Approved mode. The two modes of operation are         */
+/* independent of each other -- they have their own copies of data        */
+/* structures and they are even allowed to be active at the same time.    */
+/* The module is FIPS 140-2 compliant only when the NONFIPS mode          */
+/* is inactive.                                                           */
+/* PKM_HybridMode demostrates how an application can switch between the   */
+/* two modes: FIPS Approved mode and NONFIPS mode.                        */
+CK_RV PKM_HybridMode(CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen, 
+                     CK_C_INITIALIZE_ARGS_NSS *initArgs) {
+
+    CK_C_GetFunctionList pC_GetFunctionList;  /* NONFIPSMode */
+    CK_FUNCTION_LIST_PTR pC_FunctionList;
+    CK_SLOT_ID *pC_SlotList = NULL;
+    CK_ULONG slotID_C = 1;
+    CK_C_GetFunctionList pFC_GetFunctionList; /* FIPSMode */
+    CK_FUNCTION_LIST_PTR pFC_FunctionList;
+    CK_SLOT_ID *pFC_SlotList = NULL;
+    CK_ULONG slotID_FC = 0;
+    CK_RV crv = CKR_OK;
+    CK_SESSION_HANDLE hSession;
+    int origMode = MODE; /* remember the orginal MODE value */ 
+
+    NUMTESTS++; /* increment NUMTESTS */
+    MODE = NONFIPSMODE;
+#ifdef _WIN32
+    /* NON FIPS mode  == C_GetFunctionList */
+    pC_GetFunctionList = (CK_C_GetFunctionList)
+                         GetProcAddress(hModule, "C_GetFunctionList");
+    if (pC_GetFunctionList == NULL) {
+        PKM_Error( "cannot load %s\n", LIB_NAME);
+        return crv;
+    }
+#else
+        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
+        "C_GetFunctionList");
+        assert(pC_GetFunctionList != NULL);
+#endif
+    PKM_LogIt("loading C_GetFunctionList for Non FIPS Mode; slotID %d \n",
+              slotID_C);
+    crv = (*pC_GetFunctionList)(&pC_FunctionList);
+    assert(crv == CKR_OK);
+
+    /* invoke C_Initialize as pC_FunctionList->C_Initialize */
+    crv = pC_FunctionList->C_Initialize(initArgs);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Initialize succeeded\n");
+    } else {
+        PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    pC_SlotList = PKM_GetSlotList(pC_FunctionList, slotID_C);
+    if (pC_SlotList == NULL) {
+        PKM_Error( "PKM_GetSlotList failed with \n");
+        return crv;
+    }
+    crv = pC_FunctionList->C_OpenSession(pC_SlotList[slotID_C],
+                                         CKF_SERIAL_SESSION,
+                                         NULL, NULL, &hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("NONFIPS C_OpenSession succeeded\n");
+    } else {
+        PKM_Error( "C_OpenSession failed for NONFIPS token "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pC_FunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("able to login in NONFIPS token\n");
+    } else {
+        PKM_Error( "Unable to login in to NONFIPS token "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pC_FunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_ShowInfo(pC_FunctionList, slotID_C);
+    MODE = HYBRIDMODE;
+
+    /* Now load the FIPS token */
+    /* FIPS mode == FC_GetFunctionList */
+    pFC_GetFunctionList = NULL; 
+#ifdef _WIN32
+    pFC_GetFunctionList = (CK_C_GetFunctionList)
+                          GetProcAddress(hModule, "FC_GetFunctionList");
+#else
+     pFC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
+        "FC_GetFunctionList");
+        assert(pFC_GetFunctionList != NULL);
+#endif
+
+    PKM_LogIt("loading FC_GetFunctionList for FIPS Mode; slotID %d \n",
+              slotID_FC);
+    PKM_LogIt("pFC_FunctionList->C_Foo == pFC_FunctionList->FC_Foo\n");
+    if (pFC_GetFunctionList == NULL) {
+        PKM_Error( "unable to load pFC_GetFunctionList\n");
+        return crv;
+    }
+
+    crv = (*pFC_GetFunctionList)(&pFC_FunctionList);
+    assert(crv == CKR_OK);
+
+    /* invoke FC_Initialize as pFunctionList->C_Initialize */
+    crv = pFC_FunctionList->C_Initialize(initArgs);
+    if (crv == CKR_OK) {
+        PKM_LogIt("FC_Initialize succeeded\n");
+    } else {
+        PKM_Error( "FC_Initialize failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_ShowInfo(pFC_FunctionList, slotID_FC);
+
+    pFC_SlotList = PKM_GetSlotList(pFC_FunctionList, slotID_FC);
+    if (pFC_SlotList == NULL) {
+        PKM_Error( "PKM_GetSlotList failed with \n");
+        return crv;
+    }
+
+    crv = pC_FunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv != CKR_OK) {
+        PKM_LogIt("NONFIPS token cannot log in when FIPS token is loaded\n");
+    } else {
+        PKM_Error("Able to login in to NONFIPS token\n");
+        return crv;
+    }
+    crv = pC_FunctionList->C_CloseSession(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("NONFIPS pC_CloseSession succeeded\n");
+    } else {
+        PKM_Error( "pC_CloseSession failed for NONFIPS token "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("The module is FIPS 140-2 compliant\n"
+              "only when the NONFIPS Approved mode is inactive by \n"
+              "calling C_Finalize on the NONFIPS token.\n");
+
+
+    /* to go in FIPSMODE you must Finalize the NONFIPS mode pointer */
+    crv = pC_FunctionList->C_Finalize(NULL);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Finalize of NONFIPS Token succeeded\n");
+        MODE = FIPSMODE;
+    } else {
+        PKM_Error( "C_Finalize of NONFIPS Token failed with "
+                   "0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("*** In FIPS mode!  ***\n");
+
+    /* could do some operations in FIPS MODE */
+
+    crv = pFC_FunctionList->C_Finalize(NULL);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Exiting FIPSMODE by caling FC_Finalize.\n");
+        MODE = NOMODE;
+    } else {
+        PKM_Error( "FC_Finalize failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if (pC_SlotList) free(pC_SlotList);
+    if (pFC_SlotList) free(pFC_SlotList);
+
+    MODE = origMode; /* set the mode back to the orginal Mode value */
+    PKM_LogIt("PKM_HybridMode test Completed\n\n");
+    return crv;
+}
+
+CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
+                    CK_SLOT_ID * pSlotList, CK_ULONG slotID) {
+
+    CK_RV crv = CKR_OK;
+    CK_MECHANISM_TYPE *pMechanismList;
+    CK_ULONG mechanismCount;
+    CK_ULONG i;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* Get the mechanism list */
+    crv = pFunctionList->C_GetMechanismList(pSlotList[slotID],
+                                            NULL, &mechanismCount);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetMechanismList failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("C_GetMechanismList reported there are %lu mechanisms\n",
+              mechanismCount);
+    pMechanismList = (CK_MECHANISM_TYPE *)
+                     malloc(mechanismCount * sizeof(CK_MECHANISM_TYPE));
+    if (!pMechanismList) {
+        PKM_Error( "failed to allocate mechanism list\n");
+        return crv;
+    }
+    crv = pFunctionList->C_GetMechanismList(pSlotList[slotID],
+                                            pMechanismList, &mechanismCount);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetMechanismList failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt("C_GetMechanismList returned the mechanism types:\n");
+    if (verbose) {
+        for (i = 0; i < mechanismCount; i++) {
+            printf("    0x%08lX", pMechanismList[i]);
+            if ((i != 0) && ((i % 4) == 0 )) printf("\n");
+        }
+        printf("\n");
+    }
+    
+    for ( i = 0; i < mechanismCount; i++ ) {
+        CK_MECHANISM_INFO minfo;
+
+        memset(&minfo, 0, sizeof(CK_MECHANISM_INFO));
+        crv = pFunctionList->C_GetMechanismInfo(pSlotList[slotID],
+                                                pMechanismList[i], &minfo);
+        if ( CKR_OK != crv ) {
+            PKM_Error( "C_GetMechanismInfo(%lu, %lu) returned 0x%08X, %-26s\n",
+                       pSlotList[slotID], pMechanismList[i], crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+        PKM_LogIt( "    [%lu]: CK_MECHANISM_TYPE = %lu\n", (i+1),
+                   pMechanismList[i]);
+        PKM_LogIt( "    ulMinKeySize = %lu\n", minfo.ulMinKeySize);
+        PKM_LogIt( "    ulMaxKeySize = %lu\n", minfo.ulMaxKeySize);
+        PKM_LogIt( "    flags = 0x%08x\n", minfo.flags);
+        PKM_LogIt( "        -> HW = %s\n", minfo.flags & CKF_HW ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> SIGN = %s\n", minfo.flags & CKF_SIGN ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> SIGN_RECOVER = %s\n", minfo.flags &
+                   CKF_SIGN_RECOVER ? "TRUE" : "FALSE");
+        PKM_LogIt( "        -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> VERIFY_RECOVER = %s\n",
+                   minfo.flags & CKF_VERIFY_RECOVER ? "TRUE" : "FALSE");
+        PKM_LogIt( "        -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> GENERATE_KEY_PAIR = %s\n",
+                   minfo.flags & CKF_GENERATE_KEY_PAIR ? "TRUE" : "FALSE");
+        PKM_LogIt( "        -> WRAP = %s\n", minfo.flags & CKF_WRAP ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ?
+                   "TRUE" : "FALSE");
+        PKM_LogIt( "        -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ?
+                   "TRUE" : "FALSE");
+
+        PKM_LogIt( "\n");
+    }
+
+
+    return crv;
+
+}
+
+CK_RV PKM_RNG(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID * pSlotList,
+              CK_ULONG slotID) {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+    CK_BYTE randomData[16];
+    CK_BYTE seed[] = {0x01, 0x03, 0x35, 0x55, 0xFF};
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_GenerateRandom(hSession,
+                                          randomData, sizeof randomData);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateRandom without login succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateRandom without login failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_SeedRandom(hSession, seed, sizeof(seed));
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SeedRandom without login succeeded\n");
+    } else {
+        PKM_Error( "C_SeedRandom without login failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_GenerateRandom(hSession,
+                                          randomData, sizeof randomData);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateRandom without login succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateRandom without login failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+
+}
+
+CK_RV PKM_SessionLogin(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
+                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error("C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, (unsigned char *) 
+                                 "netscape", 8);
+    if (crv == CKR_OK) {
+        PKM_Error("C_Login with wrong password succeeded\n");
+        return CKR_FUNCTION_FAILED;
+    } else {
+        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
+                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
+    }
+    crv = pFunctionList->C_Login(hSession, CKU_USER, (unsigned char *) 
+                                 "red hat", 7);
+    if (crv == CKR_OK) {
+        PKM_Error("C_Login with wrong password succeeded\n");
+        return CKR_FUNCTION_FAILED;
+    } else {
+        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
+                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
+    }
+    crv = pFunctionList->C_Login(hSession, CKU_USER, 
+                                 (unsigned char *) "sun", 3);
+    if (crv == CKR_OK) {
+        PKM_Error("C_Login with wrong password succeeded\n");
+        return CKR_FUNCTION_FAILED;
+    } else {
+        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
+                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
+    }
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error("C_Login with correct password failed "
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+
+}
+
+/*
+* PKM_LegacyFunctions
+*
+* Legacyfunctions exist only for backwards compatibility.
+* C_GetFunctionStatus and C_CancelFunction functions were
+* meant for managing parallel execution of cryptographic functions.
+*
+* C_GetFunctionStatus is a legacy function which should simply return
+* the value CKR_FUNCTION_NOT_PARALLEL.
+*
+* C_CancelFunction is a legacy function which should simply return the
+* value CKR_FUNCTION_NOT_PARALLEL.
+*
+*/
+CK_RV PKM_LegacyFunctions(CK_FUNCTION_LIST_PTR pFunctionList,
+                          CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_GetFunctionStatus(hSession);
+    if (crv == CKR_FUNCTION_NOT_PARALLEL) {
+        PKM_LogIt("C_GetFunctionStatus correctly"
+                  "returned CKR_FUNCTION_NOT_PARALLEL \n");
+    } else {
+        PKM_Error( "C_GetFunctionStatus failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CancelFunction(hSession);
+    if (crv == CKR_FUNCTION_NOT_PARALLEL) {
+        PKM_LogIt("C_CancelFunction correctly "
+                  "returned CKR_FUNCTION_NOT_PARALLEL \n");
+    } else {
+        PKM_Error( "C_CancelFunction failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+
+}
+
+/*
+*  PKM_DualFuncDigest - demostrates the Dual-function
+*  cryptograpic functions:
+*
+*   C_DigestEncryptUpdate - multi-part Digest and Encrypt
+*   C_DecryptDigestUpdate - multi-part Decrypt and Digest
+*
+*
+*/
+
+CK_RV PKM_DualFuncDigest(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SESSION_HANDLE hSession,
+                       CK_OBJECT_HANDLE hSecKey, CK_MECHANISM *cryptMech,
+                       CK_OBJECT_HANDLE hSecKeyDigest, 
+                       CK_MECHANISM *digestMech, 
+                       const CK_BYTE *  pData, CK_ULONG pDataLen) {
+    CK_RV crv = CKR_OK;
+    CK_BYTE eDigest[MAX_DIGEST_SZ];
+    CK_BYTE dDigest[MAX_DIGEST_SZ];
+    CK_ULONG ulDigestLen;
+    CK_BYTE ciphertext[MAX_CIPHER_SZ];
+    CK_ULONG ciphertextLen, lastLen;
+    CK_BYTE plaintext[MAX_DATA_SZ];
+    CK_ULONG plaintextLen;
+    unsigned int i;
+
+    memset(eDigest, 0, sizeof(eDigest));
+    memset(dDigest, 0, sizeof(dDigest));
+    memset(ciphertext, 0, sizeof(ciphertext));
+    memset(plaintext, 0, sizeof(plaintext));
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /*
+     * First init the Digest and Ecrypt operations
+     */
+    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSecKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DigestInit(hSession, digestMech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    ciphertextLen = sizeof(ciphertext);
+    crv = pFunctionList->C_DigestEncryptUpdate(hSession, (CK_BYTE * ) pData,
+                                               pDataLen,
+                                               ciphertext, &ciphertextLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestEncryptUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    ulDigestLen = sizeof(eDigest);
+    crv = pFunctionList->C_DigestFinal(hSession, eDigest, &ulDigestLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    /* get the last piece of ciphertext (length should be 0 */
+    lastLen = sizeof(ciphertext) - ciphertextLen;
+    crv = pFunctionList->C_EncryptFinal(hSession,
+                                      (CK_BYTE * )&ciphertext[ciphertextLen],
+                                      &lastLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    ciphertextLen = ciphertextLen + lastLen;
+    if (verbose) {
+        printf("ciphertext = ");
+        for (i = 0; i < ciphertextLen; i++) {
+            printf("%02x", (unsigned)ciphertext[i]);
+        }
+        printf("\n");
+        printf("eDigest = ");
+        for (i = 0; i < ulDigestLen; i++) {
+            printf("%02x", (unsigned)eDigest[i]);
+        }
+        printf("\n");
+    }
+
+    /* Decrypt the text */
+    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSecKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DigestInit(hSession, digestMech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    plaintextLen = sizeof(plaintext);
+    crv = pFunctionList->C_DecryptDigestUpdate(hSession, ciphertext,
+                                               ciphertextLen,
+                                               plaintext,
+                                               &plaintextLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptDigestUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    lastLen = sizeof(plaintext) - plaintextLen;
+
+    crv = pFunctionList->C_DecryptFinal(hSession,
+                                        (CK_BYTE * )&plaintext[plaintextLen],
+                                        &lastLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    plaintextLen = plaintextLen + lastLen;
+
+    ulDigestLen = sizeof(dDigest);
+    crv = pFunctionList->C_DigestFinal(hSession, dDigest, &ulDigestLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if (plaintextLen != pDataLen) {
+        PKM_Error( "plaintextLen is %lu\n", plaintextLen);
+        return crv;
+    }
+    
+    if (verbose) {
+        printf("plaintext = ");
+        for (i = 0; i < plaintextLen; i++) {
+            printf("%02x", (unsigned)plaintext[i]);
+        }
+        printf("\n");
+        printf("dDigest = ");
+        for (i = 0; i < ulDigestLen; i++) {
+            printf("%02x", (unsigned)dDigest[i]);
+        }
+        printf("\n");
+    }
+    
+    if (memcmp(eDigest, dDigest, ulDigestLen) == 0) {
+        PKM_LogIt("Encrypted Digest equals Decrypted Digest\n");
+    } else {
+        PKM_Error( "Digests don't match\n");
+    }
+
+    if ((plaintextLen == pDataLen) &&
+        (memcmp(plaintext, pData, pDataLen))  == 0) {
+        PKM_LogIt("DualFuncDigest decrypt test case passed\n");
+    } else {
+        PKM_Error( "DualFuncDigest derypt test case failed\n");
+    }
+
+    return crv;
+
+}
+
+/*
+* PKM_SecKeyCrypt - Symmetric key encrypt/decyprt
+*
+*/
+
+CK_RV PKM_SecKeyCrypt(CK_FUNCTION_LIST_PTR pFunctionList, 
+                      CK_SESSION_HANDLE hSession,
+                       CK_OBJECT_HANDLE hSymKey, CK_MECHANISM *cryptMech,
+                       const CK_BYTE *  pData, CK_ULONG dataLen) {
+    CK_RV crv = CKR_OK;
+
+    CK_BYTE cipher1[MAX_CIPHER_SZ];
+    CK_BYTE cipher2[MAX_CIPHER_SZ];
+    CK_BYTE data1[MAX_DATA_SZ];
+    CK_BYTE data2[MAX_DATA_SZ];
+    CK_ULONG cipher1Len =0, cipher2Len =0, lastLen =0;
+    CK_ULONG data1Len =0, data2Len =0;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    memset(cipher1, 0, sizeof(cipher1));
+    memset(cipher2, 0, sizeof(cipher2));
+    memset(data1, 0, sizeof(data1));
+    memset(data2, 0, sizeof(data2));
+
+    /* C_Encrypt */
+    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSymKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    cipher1Len = sizeof(cipher1);
+    crv = pFunctionList->C_Encrypt(hSession, (CK_BYTE * ) pData, dataLen,
+                                   cipher1, &cipher1Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* C_EncryptUpdate */
+    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSymKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    cipher2Len = sizeof(cipher2);
+    crv = pFunctionList->C_EncryptUpdate (hSession, (CK_BYTE * ) pData,
+                                          dataLen,
+                                          cipher2, &cipher2Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    lastLen = sizeof(cipher2) - cipher2Len;
+
+    crv = pFunctionList->C_EncryptFinal(hSession,
+                                    (CK_BYTE * )&cipher2[cipher2Len],
+                                    &lastLen);
+    cipher2Len = cipher2Len + lastLen;
+
+    if ( (cipher1Len == cipher2Len) &&
+         (memcmp(cipher1, cipher2, sizeof(cipher1Len)) == 0) ) {
+        PKM_LogIt("encrypt test case passed\n");
+    } else {
+        PKM_Error( "encrypt test case failed\n");
+        return CKR_GENERAL_ERROR;
+    }
+
+    /* C_Decrypt */
+    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSymKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    data1Len = sizeof(data1);
+    crv = pFunctionList->C_Decrypt(hSession, cipher1, cipher1Len,
+                                   data1, &data1Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    /* now use C_DecryptUpdate the text */
+    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSymKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    data2Len = sizeof(data2);
+    crv = pFunctionList->C_DecryptUpdate(hSession, cipher2,
+                                         cipher2Len,
+                                         data2, &data2Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    lastLen = sizeof(data2) - data2Len;
+    crv = pFunctionList->C_DecryptFinal(hSession,
+                                        (CK_BYTE * )&data2[data2Len],
+                                        &lastLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    data2Len = data2Len + lastLen;
+
+
+    /* Comparison of Decrypt data */
+
+    if ( (data1Len == data2Len) && (dataLen == data1Len) &&
+         (memcmp(data1, pData, dataLen) == 0) &&
+         (memcmp(data2, pData, dataLen) == 0) ) {
+        PKM_LogIt("decrypt test case passed\n");
+    } else {
+        PKM_Error( "derypt test case failed\n");
+    }
+
+    return crv;
+
+}
+    
+
+CK_RV PKM_SecretKey(CK_FUNCTION_LIST_PTR pFunctionList,
+                    CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                    CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+    CK_MECHANISM sAESKeyMech = {
+        CKM_AES_KEY_GEN, NULL, 0
+    };
+    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
+    CK_KEY_TYPE keyAESType = CKK_AES;
+    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
+    CK_ULONG AESvalueLen = 16;
+    CK_ATTRIBUTE sAESKeyTemplate[9];    
+    CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+
+    CK_BYTE KEY[16];
+    CK_BYTE IV[16];
+    static const CK_BYTE CIPHERTEXT[] = {
+        0x7e,0x6a,0x3f,0x3b,0x39,0x3c,0xf2,0x4b, 
+        0xce,0xcc,0x23,0x6d,0x80,0xfd,0xe0,0xff
+    };
+    CK_BYTE ciphertext[64];
+    CK_BYTE ciphertext2[64];
+    CK_ULONG ciphertextLen, ciphertext2Len, lastLen;
+    CK_BYTE plaintext[32];
+    CK_BYTE plaintext2[32];
+    CK_ULONG plaintextLen, plaintext2Len;
+    CK_BYTE wrappedKey[16];
+    CK_ULONG wrappedKeyLen;
+    CK_MECHANISM aesEcbMech = {
+        CKM_AES_ECB, NULL, 0
+    };
+    CK_OBJECT_HANDLE hTestKey;
+    CK_MECHANISM mech_AES_CBC;
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    memset(ciphertext, 0, sizeof(ciphertext));
+    memset(ciphertext2, 0, sizeof(ciphertext2));
+    memset(IV, 0x00, sizeof(IV));
+    memset(KEY, 0x00, sizeof(KEY));
+    
+    mech_AES_CBC.mechanism      = CKM_AES_CBC; 
+    mech_AES_CBC.pParameter = IV; 
+    mech_AES_CBC.ulParameterLen = sizeof(IV);
+
+    /* AES key template */
+    sAESKeyTemplate[0].type       = CKA_CLASS; 
+    sAESKeyTemplate[0].pValue     = &class;
+    sAESKeyTemplate[0].ulValueLen = sizeof(class);
+    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
+    sAESKeyTemplate[1].pValue     = &keyAESType; 
+    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
+    sAESKeyTemplate[2].type       = CKA_LABEL;
+    sAESKeyTemplate[2].pValue     = AESlabel; 
+    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
+    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
+    sAESKeyTemplate[3].pValue     = &true; 
+    sAESKeyTemplate[3].ulValueLen = sizeof(true);
+    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
+    sAESKeyTemplate[4].pValue     = &true; 
+    sAESKeyTemplate[4].ulValueLen = sizeof(true);
+    sAESKeyTemplate[5].type       = CKA_SIGN; 
+    sAESKeyTemplate[5].pValue     = &true; 
+    sAESKeyTemplate[5].ulValueLen = sizeof (true);
+    sAESKeyTemplate[6].type       = CKA_VERIFY; 
+    sAESKeyTemplate[6].pValue     = &true; 
+    sAESKeyTemplate[6].ulValueLen = sizeof(true);
+    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
+    sAESKeyTemplate[7].pValue     = &true; 
+    sAESKeyTemplate[7].ulValueLen = sizeof(true);
+    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
+    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
+    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("Generate an AES key ... \n");
+    /* generate an AES Secret Key */
+    crv = pFunctionList->C_GenerateKey(hSession, &sAESKeyMech,
+                                       sAESKeyTemplate,
+                                       NUM_ELEM(sAESKeyTemplate),
+                                       &hKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey AES succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
+                   crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_EncryptInit(hSession, &aesEcbMech, hKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    wrappedKeyLen = sizeof(wrappedKey);
+    crv = pFunctionList->C_Encrypt(hSession, KEY, sizeof(KEY),
+                                   wrappedKey, &wrappedKeyLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if (wrappedKeyLen != sizeof(wrappedKey)) {
+        PKM_Error( "wrappedKeyLen is %lu\n", wrappedKeyLen);
+        return crv;
+    }
+    /* Import an encrypted key */
+    crv = pFunctionList->C_UnwrapKey(hSession, &aesEcbMech, hKey,
+                                     wrappedKey, wrappedKeyLen,
+                                     sAESKeyTemplate,
+                                     NUM_ELEM(sAESKeyTemplate),
+                                     &hTestKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_UnwraPKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    /* AES Encrypt the text */
+    crv = pFunctionList->C_EncryptInit(hSession, &mech_AES_CBC, hTestKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    ciphertextLen = sizeof(ciphertext);
+    crv = pFunctionList->C_Encrypt(hSession, (CK_BYTE *) PLAINTEXT, 
+                                   sizeof(PLAINTEXT),
+                                   ciphertext, &ciphertextLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if ( (ciphertextLen == sizeof(CIPHERTEXT)) &&
+       (memcmp(ciphertext, CIPHERTEXT, ciphertextLen) == 0)) {
+        PKM_LogIt("AES CBCVarKey128 encrypt test case 1 passed\n");
+    } else {
+        PKM_Error( "AES CBCVarKey128 encrypt test case 1 failed\n");
+        return crv;
+    }
+
+    /* now use EncryptUpdate the text */
+    crv = pFunctionList->C_EncryptInit(hSession, &mech_AES_CBC, hTestKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    ciphertext2Len = sizeof(ciphertext2);
+    crv = pFunctionList->C_EncryptUpdate (hSession, (CK_BYTE *) PLAINTEXT,
+                                          sizeof(PLAINTEXT),
+                                          ciphertext2, &ciphertext2Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    lastLen = sizeof(ciphertext2) - ciphertext2Len;
+
+    crv = pFunctionList->C_EncryptFinal(hSession,
+                                    (CK_BYTE * )&ciphertext2[ciphertext2Len],
+                                    &lastLen);
+    ciphertext2Len = ciphertext2Len + lastLen;
+
+    if ( (ciphertextLen == ciphertext2Len) &&
+         (memcmp(ciphertext, ciphertext2, sizeof(CIPHERTEXT)) == 0) &&
+         (memcmp(ciphertext2, CIPHERTEXT, sizeof(CIPHERTEXT)) == 0)) {
+        PKM_LogIt("AES CBCVarKey128 encrypt test case 2 passed\n");
+    } else {
+        PKM_Error( "AES CBCVarKey128 encrypt test case 2 failed\n");
+        return CKR_GENERAL_ERROR;
+    }
+
+    /* AES CBC Decrypt the text */
+    crv = pFunctionList->C_DecryptInit(hSession, &mech_AES_CBC, hTestKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    plaintextLen = sizeof(plaintext);
+    crv = pFunctionList->C_Decrypt(hSession, ciphertext, ciphertextLen,
+                                   plaintext, &plaintextLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if ((plaintextLen == sizeof(PLAINTEXT))
+        && (memcmp(plaintext, PLAINTEXT, plaintextLen) == 0)) {
+        PKM_LogIt("AES CBCVarKey128 decrypt test case 1 passed\n");
+    } else {
+        PKM_Error( "AES CBCVarKey128 derypt test case 1 failed\n");
+    }
+    /* now use DecryptUpdate the text */
+    crv = pFunctionList->C_DecryptInit(hSession, &mech_AES_CBC, hTestKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    plaintext2Len = sizeof(plaintext2);
+    crv = pFunctionList->C_DecryptUpdate(hSession, ciphertext2,
+                                         ciphertext2Len,
+                                         plaintext2, &plaintext2Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    lastLen = sizeof(plaintext2) - plaintext2Len;
+    crv = pFunctionList->C_DecryptFinal(hSession,
+                                     (CK_BYTE * )&plaintext2[plaintext2Len],
+                                     &lastLen);
+    plaintext2Len = plaintext2Len + lastLen;
+
+    if ( (plaintextLen == plaintext2Len) &&
+         (memcmp(plaintext, plaintext2, plaintext2Len) == 0) &&
+         (memcmp(plaintext2, PLAINTEXT, sizeof(PLAINTEXT)) == 0)) {
+        PKM_LogIt("AES CBCVarKey128 decrypt test case 2 passed\n");
+    } else {
+        PKM_Error( "AES CBCVarKey128 decrypt test case 2 failed\n");
+        return CKR_GENERAL_ERROR;
+    }
+
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    return crv;
+
+}
+
+CK_RV PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFunctionList, 
+                    CK_SESSION_HANDLE hRwSession,
+                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
+                    CK_MECHANISM *signMech, const CK_BYTE *  pData, 
+                    CK_ULONG pDataLen) {
+    CK_RV crv = CKR_OK;
+    CK_BYTE sig[MAX_SIG_SZ];
+    CK_ULONG sigLen = 0 ;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+    memset(sig, 0, sizeof(sig));
+
+    /* C_Sign  */
+    crv = pFunctionList->C_SignInit(hRwSession, signMech, hPrivKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    sigLen = sizeof(sig);
+    crv = pFunctionList->C_Sign(hRwSession, (CK_BYTE * ) pData, pDataLen,
+                                sig, &sigLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* C_Verify the signature */
+    crv = pFunctionList->C_VerifyInit(hRwSession, signMech, hPubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Verify(hRwSession, (CK_BYTE * ) pData, pDataLen,
+                                  sig, sigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Verify succeeded\n");
+    } else {
+        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+   /* Check that the mechanism is Multi-part */
+    if (signMech->mechanism == CKM_DSA || 
+        signMech->mechanism == CKM_RSA_PKCS) {
+        return crv;
+    }
+
+    memset(sig, 0, sizeof(sig));
+    /* SignUpdate  */
+    crv = pFunctionList->C_SignInit(hRwSession, signMech, hPrivKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_SignInit failed with 0x%08lX %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_SignUpdate(hRwSession, (CK_BYTE * ) pData, pDataLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08lX %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    sigLen = sizeof(sig);
+    crv = pFunctionList->C_SignFinal(hRwSession, sig, &sigLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* C_VerifyUpdate the signature  */
+    crv = pFunctionList->C_VerifyInit(hRwSession, signMech,
+                                      hPubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hRwSession, (CK_BYTE * ) pData, 
+                                        pDataLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyFinal(hRwSession, sig, sigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyFinal succeeded\n");
+    } else {
+        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    return crv;
+
+}
+
+
+
+CK_RV PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList, 
+                    CK_SLOT_ID * pSlotList,
+                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, 
+                    CK_ULONG pwdLen){
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+
+/*** DSA Key ***/
+    CK_MECHANISM dsaParamGenMech;
+    CK_ULONG primeBits = 1024;
+    CK_ATTRIBUTE dsaParamGenTemplate[1]; 
+    CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
+    CK_BYTE DSA_P[128];
+    CK_BYTE DSA_Q[20];
+    CK_BYTE DSA_G[128];
+    CK_MECHANISM dsaKeyPairGenMech;
+    CK_ATTRIBUTE dsaPubKeyTemplate[5]; 
+    CK_ATTRIBUTE dsaPrivKeyTemplate[5]; 
+    CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
+    
+    /* From SHA1ShortMsg.req, Len = 136 */
+    CK_BYTE MSG[] = {
+        0xba, 0x33, 0x95, 0xfb,
+        0x5a, 0xfa, 0x8e, 0x6a,
+        0x43, 0xdf, 0x41, 0x6b,
+        0x32, 0x7b, 0x74, 0xfa,
+        0x44
+    };
+    CK_BYTE MD[] = {
+        0xf7, 0x5d, 0x92, 0xa4,
+        0xbb, 0x4d, 0xec, 0xc3,
+        0x7c, 0x5c, 0x72, 0xfa,
+        0x04, 0x75, 0x71, 0x0a,
+        0x06, 0x75, 0x8c, 0x1d
+    };
+
+    CK_BYTE sha1Digest[20];
+    CK_ULONG sha1DigestLen;
+    CK_BYTE dsaSig[40];
+    CK_ULONG dsaSigLen;
+    CK_MECHANISM sha1Mech = {
+        CKM_SHA_1, NULL, 0
+    };
+    CK_MECHANISM dsaMech = {
+        CKM_DSA, NULL, 0
+    };
+    CK_MECHANISM dsaWithSha1Mech = {
+        CKM_DSA_SHA1, NULL, 0
+    };
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* DSA key init */
+    dsaParamGenMech.mechanism      = CKM_DSA_PARAMETER_GEN; 
+    dsaParamGenMech.pParameter = NULL_PTR; 
+    dsaParamGenMech.ulParameterLen = 0;
+    dsaParamGenTemplate[0].type = CKA_PRIME_BITS; 
+    dsaParamGenTemplate[0].pValue     = &primeBits; 
+    dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
+    dsaPubKeyTemplate[0].type       = CKA_PRIME; 
+    dsaPubKeyTemplate[0].pValue     = DSA_P;
+    dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
+    dsaPubKeyTemplate[1].type = CKA_SUBPRIME; 
+    dsaPubKeyTemplate[1].pValue = DSA_Q;
+    dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
+    dsaPubKeyTemplate[2].type = CKA_BASE; 
+    dsaPubKeyTemplate[2].pValue = DSA_G; 
+    dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
+    dsaPubKeyTemplate[3].type = CKA_TOKEN; 
+    dsaPubKeyTemplate[3].pValue = &true; 
+    dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
+    dsaPubKeyTemplate[4].type = CKA_VERIFY; 
+    dsaPubKeyTemplate[4].pValue = &true; 
+    dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
+    dsaKeyPairGenMech.mechanism      = CKM_DSA_KEY_PAIR_GEN;
+    dsaKeyPairGenMech.pParameter = NULL_PTR;
+    dsaKeyPairGenMech.ulParameterLen = 0;
+    dsaPrivKeyTemplate[0].type       = CKA_TOKEN;
+    dsaPrivKeyTemplate[0].pValue     = &true; 
+    dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[1].type       = CKA_PRIVATE; 
+    dsaPrivKeyTemplate[1].pValue     = &true; 
+    dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[2].type       = CKA_SENSITIVE; 
+    dsaPrivKeyTemplate[2].pValue     = &true; 
+    dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[3].type       = CKA_SIGN, 
+    dsaPrivKeyTemplate[3].pValue     = &true;
+    dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
+    dsaPrivKeyTemplate[4].type       = CKA_EXTRACTABLE; 
+    dsaPrivKeyTemplate[4].pValue     = &true; 
+    dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
+                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("Generate DSA PQG domain parameters ... \n");
+    /* Generate DSA domain parameters PQG */
+    crv = pFunctionList->C_GenerateKey(hSession, &dsaParamGenMech,
+                                       dsaParamGenTemplate,
+                                       1,
+                                       &hDsaParams);
+    if (crv == CKR_OK) {
+        PKM_LogIt("DSA domain parameter generation succeeded\n");
+    } else {
+        PKM_Error( "DSA domain parameter generation failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_GetAttributeValue(hSession, hDsaParams,
+                                             dsaPubKeyTemplate, 3);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Getting DSA domain parameters succeeded\n");
+    } else {
+        PKM_Error( "Getting DSA domain parameters failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DestroyObject(hSession, hDsaParams);
+    if (crv == CKR_OK) {
+        PKM_LogIt("Destroying DSA domain parameters succeeded\n");
+    } else {
+        PKM_Error( "Destroying DSA domain parameters failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    PKM_LogIt("Generate a DSA key pair ... \n");
+    /* Generate a persistent DSA key pair */
+    crv = pFunctionList->C_GenerateKeyPair(hSession, &dsaKeyPairGenMech,
+                                           dsaPubKeyTemplate,
+                                           NUM_ELEM(dsaPubKeyTemplate),
+                                           dsaPrivKeyTemplate,
+                                           NUM_ELEM(dsaPrivKeyTemplate),
+                                           &hDSApubKey, &hDSAprivKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("DSA key pair generation succeeded\n");
+    } else {
+        PKM_Error( "DSA key pair generation failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Compute SHA-1 digest */
+    crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    sha1DigestLen = sizeof(sha1Digest);
+    crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
+                                  sha1Digest, &sha1DigestLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Digest failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if (sha1DigestLen != sizeof(sha1Digest)) {
+        PKM_Error( "sha1DigestLen is %lu\n", sha1DigestLen);
+        return crv;
+    }
+
+    if (memcmp(sha1Digest, MD, sizeof(MD)) == 0) {
+        PKM_LogIt("SHA-1 SHA1ShortMsg test case Len = 136 passed\n");
+    } else {
+        PKM_Error( "SHA-1 SHA1ShortMsg test case Len = 136 failed\n");
+    }
+
+    crv = PKM_PubKeySign(pFunctionList, hSession,
+                    hDSApubKey, hDSAprivKey,
+                    &dsaMech, sha1Digest, sizeof(sha1Digest));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_PubKeySign CKM_DSA succeeded \n");
+    } else {
+        PKM_Error( "PKM_PubKeySign failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = PKM_PubKeySign(pFunctionList, hSession,
+                    hDSApubKey, hDSAprivKey,
+                    &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
+    if (crv == CKR_OK) {
+        PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA1 succeeded \n");
+    } else {
+        PKM_Error( "PKM_PubKeySign failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Sign with DSA */
+    crv = pFunctionList->C_SignInit(hSession, &dsaMech, hDSAprivKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    dsaSigLen = sizeof(dsaSig);
+    crv = pFunctionList->C_Sign(hSession, sha1Digest, sha1DigestLen,
+                                dsaSig, &dsaSigLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Verify the DSA signature */
+    crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
+                                  dsaSig, dsaSigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Verify succeeded\n");
+    } else {
+        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Verify the signature in a different way */
+    crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
+                                      hDSApubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hSession, MSG, 1);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hSession, MSG+1, sizeof(MSG)-1);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyFinal succeeded\n");
+    } else {
+        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Verify the signature in a different way */
+    crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
+                                      hDSApubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", 
+            crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hSession, MSG, 1);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", 
+            crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hSession, MSG+1, sizeof(MSG)-1);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", 
+            crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyFinal of multi update succeeded.\n");
+    } else {
+        PKM_Error("C_VerifyFinal of multi update failed with 0x%08X, %-26s\n", 
+            crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    /* Now modify the data */
+    MSG[0] += 1;
+    /* Compute SHA-1 digest */
+    crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    sha1DigestLen = sizeof(sha1Digest);
+    crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
+                                  sha1Digest, &sha1DigestLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Digest failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
+                                  dsaSig, dsaSigLen);
+    if (crv != CKR_SIGNATURE_INVALID) {
+        PKM_Error( "C_Verify of modified data succeeded\n");
+        return crv;
+    } else {
+        PKM_LogIt("C_Verify of modified data returned as EXPECTED "
+            " with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+    }
+
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+
+}
+
+CK_RV PKM_Hmac(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
+                CK_OBJECT_HANDLE sKey, CK_MECHANISM *hmacMech, 
+                const CK_BYTE *  pData, CK_ULONG pDataLen) {
+
+    CK_RV crv = CKR_OK;
+
+    CK_BYTE hmac1[HMAC_MAX_LENGTH];
+    CK_ULONG hmac1Len = 0;
+    CK_BYTE hmac2[HMAC_MAX_LENGTH];
+    CK_ULONG hmac2Len = 0;
+
+    memset(hmac1, 0, sizeof(hmac1));
+    memset(hmac2, 0, sizeof(hmac2));
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_SignInit(hSession, hmacMech, sKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignInit succeeded\n");
+    } else {
+        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    hmac1Len = sizeof(hmac1);
+    crv = pFunctionList->C_Sign(hSession, (CK_BYTE * )pData,
+                                pDataLen,
+                                (CK_BYTE * )hmac1, &hmac1Len);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Sign succeeded\n");
+    } else {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_SignInit(hSession, hmacMech, sKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignInit succeeded\n");
+    } else {
+        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_SignUpdate(hSession, (CK_BYTE * )pData,
+                                      pDataLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignUpdate succeeded\n");
+    } else {
+        PKM_Error( "C_SignUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    hmac2Len = sizeof(hmac2);
+    crv = pFunctionList->C_SignFinal(hSession, (CK_BYTE * )hmac2, &hmac2Len);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignFinal succeeded\n");
+    } else {
+        PKM_Error( "C_SignFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if ((hmac1Len == hmac2Len) && (memcmp(hmac1, hmac2, hmac1Len) == 0) ) {
+        PKM_LogIt("hmacs are equal!\n");
+    } else {
+        PKM_Error("hmacs are not equal!\n");
+    }
+    crv = pFunctionList->C_VerifyInit(hSession, hmacMech, sKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Verify(hSession, (CK_BYTE * )pData,
+                                  pDataLen,
+                                  (CK_BYTE * ) hmac2, hmac2Len);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Verify of hmac succeeded\n");
+    } else {
+        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyInit(hSession, hmacMech, sKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyUpdate(hSession, (CK_BYTE * )pData,
+                                  pDataLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyUpdate of hmac succeeded\n");
+    } else {
+        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyFinal(hSession, (CK_BYTE * ) hmac1, 
+                                       hmac1Len);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyFinal of hmac succeeded\n");
+    } else {
+        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    return crv;
+}
+
+CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
+                         CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                         CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_RV crv = CKR_OK;
+
+    CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+    CK_SESSION_INFO sinfo;
+    CK_ATTRIBUTE_PTR pTemplate;
+    CK_ULONG tnObjects = 0;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &h);
+    if ( CKR_OK != crv ) {
+        PKM_Error("C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
+                  "returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Opened a session: handle = 0x%08x\n", h);
+
+    (void)memset(&sinfo, 0, sizeof(CK_SESSION_INFO));
+    crv = pFunctionList->C_GetSessionInfo(h, &sinfo);
+    if ( CKR_OK != crv ) {
+        PKM_LogIt( "C_GetSessionInfo(%lu, ) returned 0x%08X, %-26s\n", h, crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    SESSION INFO:\n");
+    PKM_LogIt( "        slotID = %lu\n", sinfo.slotID);
+    PKM_LogIt( "        state = %lu\n", sinfo.state);
+    PKM_LogIt( "        flags = 0x%08x\n", sinfo.flags);
+#ifdef CKF_EXCLUSIVE_SESSION
+    PKM_LogIt( "            -> EXCLUSIVE SESSION = %s\n", sinfo.flags &
+               CKF_EXCLUSIVE_SESSION ? "TRUE" : "FALSE");
+#endif /* CKF_EXCLUSIVE_SESSION */
+    PKM_LogIt( "            -> RW SESSION = %s\n", sinfo.flags &
+               CKF_RW_SESSION ? "TRUE" : "FALSE");
+    PKM_LogIt( "            -> SERIAL SESSION = %s\n", sinfo.flags &
+               CKF_SERIAL_SESSION ? "TRUE" : "FALSE");
+#ifdef CKF_INSERTION_CALLBACK
+    PKM_LogIt( "            -> INSERTION CALLBACK = %s\n", sinfo.flags &
+               CKF_INSERTION_CALLBACK ? "TRUE" : "FALSE");
+#endif /* CKF_INSERTION_CALLBACK */
+    PKM_LogIt( "        ulDeviceError = %lu\n", sinfo.ulDeviceError);
+    PKM_LogIt( "\n");
+
+    crv = pFunctionList->C_FindObjectsInit(h, NULL, 0);
+    if ( CKR_OK != crv ) {
+        PKM_LogIt( "C_FindObjectsInit(%lu, NULL, 0) returned "
+                   "0x%08X, %-26s\n",
+                   h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    pTemplate = (CK_ATTRIBUTE_PTR)calloc(number_of_all_known_attribute_types,
+                                         sizeof(CK_ATTRIBUTE));
+    if ( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+        PKM_Error(  "[memory allocation of %lu bytes failed]\n",
+                    number_of_all_known_attribute_types *
+                    sizeof(CK_ATTRIBUTE));
+        return crv;
+    }
+
+    PKM_LogIt( "    All objects:\n");
+
+    while (1) {
+        CK_OBJECT_HANDLE o = (CK_OBJECT_HANDLE)0;
+        CK_ULONG nObjects = 0;
+        CK_ULONG k;
+        CK_ULONG nAttributes = 0;
+        CK_ATTRIBUTE_PTR pT2;
+        CK_ULONG l;
+
+        crv = pFunctionList->C_FindObjects(h, &o, 1, &nObjects);
+        if ( CKR_OK != crv ) {
+            PKM_Error(  "C_FindObjects(%lu, , 1, ) returned 0x%08X, %-26s\n", 
+                        h, crv, PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+        if ( 0 == nObjects ) {
+            PKM_LogIt( "\n");
+            break;
+        }
+
+        tnObjects++;
+
+        PKM_LogIt( "        OBJECT HANDLE %lu:\n", o);
+
+        for ( k = 0; k < (CK_ULONG)number_of_all_known_attribute_types; k++ ) {
+            pTemplate[k].type = all_known_attribute_types[k];
+            pTemplate[k].pValue = (CK_VOID_PTR) NULL;
+            pTemplate[k].ulValueLen = 0;
+        }
+
+        crv = pFunctionList->C_GetAttributeValue(h, o, pTemplate,
+                                       number_of_all_known_attribute_types);
+        switch ( crv ) {
+        case CKR_OK:
+        case CKR_ATTRIBUTE_SENSITIVE:
+        case CKR_ATTRIBUTE_TYPE_INVALID:
+        case CKR_BUFFER_TOO_SMALL:
+            break;
+        default:
+            PKM_Error(  "C_GetAtributeValue(%lu, %lu, {all attribute types},"
+                        "%lu) returned 0x%08X, %-26s\n",
+                        h, o, number_of_all_known_attribute_types, crv, 
+                        PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+        for ( k = 0; k < (CK_ULONG) number_of_all_known_attribute_types; k++) {
+            if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+                nAttributes++;
+            }
+        }
+
+        if ( 1 ) {
+            PKM_LogIt( "            %lu attributes:\n", nAttributes);
+            for ( k = 0; k < (CK_ULONG) number_of_all_known_attribute_types;
+                k++ ) {
+                if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+                    PKM_LogIt( "                0x%08x (len = %lu)\n",
+                               pTemplate[k].type,
+                               pTemplate[k].ulValueLen);
+                }
+            }
+            PKM_LogIt( "\n");
+        }
+
+        pT2 = (CK_ATTRIBUTE_PTR)calloc(nAttributes, sizeof(CK_ATTRIBUTE));
+        if ( (CK_ATTRIBUTE_PTR)NULL == pT2 ) {
+            PKM_Error(  "[memory allocation of %lu bytes failed]\n",
+                        nAttributes * sizeof(CK_ATTRIBUTE));
+            return crv;
+        }
+
+        for ( l = 0, k = 0; k < (CK_ULONG) number_of_all_known_attribute_types;
+            k++ ) {
+            if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+                pT2[l].type = pTemplate[k].type;
+                pT2[l].ulValueLen = pTemplate[k].ulValueLen;
+                pT2[l].pValue = (CK_VOID_PTR)malloc(pT2[l].ulValueLen);
+                if ( (CK_VOID_PTR)NULL == pT2[l].pValue ) {
+                    PKM_Error(  "[memory allocation of %lu bytes failed]\n",
+                                pT2[l].ulValueLen);
+                    return crv;
+                }
+                l++;
+            }
+        }
+
+        assert( l == nAttributes );
+
+        crv = pFunctionList->C_GetAttributeValue(h, o, pT2, nAttributes);
+        switch ( crv ) {
+        case CKR_OK:
+        case CKR_ATTRIBUTE_SENSITIVE:
+        case CKR_ATTRIBUTE_TYPE_INVALID:
+        case CKR_BUFFER_TOO_SMALL:
+            break;
+        default:
+            PKM_Error(  "C_GetAtributeValue(%lu, %lu, {existant attribute"
+                        " types}, %lu) returned 0x%08X, %-26s\n",
+                        h, o, nAttributes, crv, PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+
+        for ( l = 0; l < nAttributes; l++ ) {
+            PKM_LogIt( "            type = 0x%08x, len = %ld", pT2[l].type,
+                       (CK_LONG)pT2[l].ulValueLen);
+            if ( -1 == (CK_LONG)pT2[l].ulValueLen ) {
+                ;
+            } else {
+                CK_ULONG m;
+
+                if ( pT2[l].ulValueLen <= 8 ) {
+                    PKM_LogIt( ", value = ");
+                } else {
+                    PKM_LogIt( ", value = \n                ");
+                }
+
+                for ( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
+                    PKM_LogIt( "%02x", (CK_ULONG)(0xff &
+                              ((CK_CHAR_PTR)pT2[l].pValue)[m]));
+                }
+
+                PKM_LogIt( " ");
+
+                for ( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
+                    CK_CHAR c = ((CK_CHAR_PTR)pT2[l].pValue)[m];
+                    if ( (c < 0x20) || (c >= 0x7f) ) {
+                        c = '.';
+                    }
+                    PKM_LogIt( "%c", c);
+                }
+            }
+
+            PKM_LogIt( "\n");
+        }
+
+        PKM_LogIt( "\n");
+
+        for ( l = 0; l < nAttributes; l++ ) {
+            free(pT2[l].pValue);
+        }
+        free(pT2);
+    } /* while(1) */
+
+    crv = pFunctionList->C_FindObjectsFinal(h);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", h, crv, 
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    (%lu objects total)\n", tnObjects);
+
+    crv = pFunctionList->C_CloseSession(h);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CloseSession(%lu) returned 0x%08X, %-26s\n", h, crv, 
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+}
+/* session to create, find, and delete a couple session objects */
+CK_RV PKM_MultiObjectManagement (CK_FUNCTION_LIST_PTR pFunctionList,
+                                 CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                                 CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+
+    CK_RV crv = CKR_OK;
+
+    CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+    CK_SESSION_HANDLE h2 = (CK_SESSION_HANDLE)0;
+    CK_ATTRIBUTE one[7], two[7], three[7], delta[1], mask[1];
+    CK_OBJECT_CLASS cko_data = CKO_DATA;
+    char *key = "TEST PROGRAM";
+    CK_ULONG key_len = 0; 
+    CK_OBJECT_HANDLE hOneIn = (CK_OBJECT_HANDLE)0;
+    CK_OBJECT_HANDLE hTwoIn = (CK_OBJECT_HANDLE)0;
+    CK_OBJECT_HANDLE hThreeIn = (CK_OBJECT_HANDLE)0;
+    CK_OBJECT_HANDLE hDeltaIn = (CK_OBJECT_HANDLE)0;
+    CK_OBJECT_HANDLE found[10];
+    CK_ULONG nFound;
+    CK_ULONG   hDeltaLen, hThreeLen = 0;
+
+    CK_TOKEN_INFO tinfo;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+    key_len = sizeof(key);
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
+                                       CKF_SERIAL_SESSION, NULL, NULL, &h);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
+                    "returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Login(h, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    (void)memset(&tinfo, 0, sizeof(CK_TOKEN_INFO));
+    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tinfo);
+    if ( CKR_OK != crv ) {
+        PKM_Error("C_GetTokenInfo(%lu, ) returned 0x%08X, %-26s\n",
+                  pSlotList[slotID], crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    PKM_LogIt( "    Opened a session: handle = 0x%08x\n", h);
+
+    one[0].type = CKA_CLASS;
+    one[0].pValue = &cko_data;
+    one[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+    one[1].type = CKA_TOKEN;
+    one[1].pValue = &false;
+    one[1].ulValueLen = sizeof(CK_BBOOL);
+    one[2].type = CKA_PRIVATE;
+    one[2].pValue = &false;
+    one[2].ulValueLen = sizeof(CK_BBOOL);
+    one[3].type = CKA_MODIFIABLE;
+    one[3].pValue = &true;
+    one[3].ulValueLen = sizeof(CK_BBOOL);
+    one[4].type = CKA_LABEL;
+    one[4].pValue = "Test data object one";
+    one[4].ulValueLen = strlen(one[4].pValue);
+    one[5].type = CKA_APPLICATION;
+    one[5].pValue = key;
+    one[5].ulValueLen = key_len;
+    one[6].type = CKA_VALUE;
+    one[6].pValue = "Object one";
+    one[6].ulValueLen = strlen(one[6].pValue);
+
+    two[0].type = CKA_CLASS;
+    two[0].pValue = &cko_data;
+    two[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+    two[1].type = CKA_TOKEN;
+    two[1].pValue = &false;
+    two[1].ulValueLen = sizeof(CK_BBOOL);
+    two[2].type = CKA_PRIVATE;
+    two[2].pValue = &false;
+    two[2].ulValueLen = sizeof(CK_BBOOL);
+    two[3].type = CKA_MODIFIABLE;
+    two[3].pValue = &true;
+    two[3].ulValueLen = sizeof(CK_BBOOL);
+    two[4].type = CKA_LABEL;
+    two[4].pValue = "Test data object two";
+    two[4].ulValueLen = strlen(two[4].pValue);
+    two[5].type = CKA_APPLICATION;
+    two[5].pValue = key;
+    two[5].ulValueLen = key_len;
+    two[6].type = CKA_VALUE;
+    two[6].pValue = "Object two";
+    two[6].ulValueLen = strlen(two[6].pValue);
+
+    three[0].type = CKA_CLASS;
+    three[0].pValue = &cko_data;
+    three[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+    three[1].type = CKA_TOKEN;
+    three[1].pValue = &false;
+    three[1].ulValueLen = sizeof(CK_BBOOL);
+    three[2].type = CKA_PRIVATE;
+    three[2].pValue = &false;
+    three[2].ulValueLen = sizeof(CK_BBOOL);
+    three[3].type = CKA_MODIFIABLE;
+    three[3].pValue = &true;
+    three[3].ulValueLen = sizeof(CK_BBOOL);
+    three[4].type = CKA_LABEL;
+    three[4].pValue = "Test data object three";
+    three[4].ulValueLen = strlen(three[4].pValue);
+    three[5].type = CKA_APPLICATION;
+    three[5].pValue = key;
+    three[5].ulValueLen = key_len;
+    three[6].type = CKA_VALUE;
+    three[6].pValue = "Object three";
+    three[6].ulValueLen = strlen(three[6].pValue);
+
+    crv = pFunctionList->C_CreateObject(h, one, 7, &hOneIn);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CreateObject(%lu, one, 7, ) returned 0x%08X, %-26s\n",
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Created object one: handle = %lu\n", hOneIn);
+
+    crv = pFunctionList->C_CreateObject(h, two, 7, &hTwoIn);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CreateObject(%lu, two, 7, ) returned 0x%08X, %-26s\n",
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Created object two: handle = %lu\n", hTwoIn);
+
+    crv = pFunctionList->C_CreateObject(h, three, 7, &hThreeIn);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CreateObject(%lu, three, 7, ) returned 0x%08x\n",
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_GetObjectSize(h, hThreeIn, &hThreeLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetObjectSize succeeded\n");
+    } else {
+        PKM_Error("C_GetObjectSize failed "
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Created object three: handle = %lu\n", hThreeIn);
+
+    delta[0].type = CKA_VALUE;
+    delta[0].pValue = "Copied object";
+    delta[0].ulValueLen = strlen(delta[0].pValue);
+
+    crv = pFunctionList->C_CopyObject(h, hThreeIn, delta, 1, &hDeltaIn);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CopyObject(%lu, %lu, delta, 1, ) returned "
+                    "0x%08X, %-26s\n",
+                    h, hThreeIn, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_GetObjectSize(h, hDeltaIn, &hDeltaLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GetObjectSize succeeded\n");
+    } else {
+        PKM_Error("C_GetObjectSize failed "
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if (hThreeLen == hDeltaLen) {
+        PKM_LogIt("Copied object size same as orginal\n");
+    } else {
+        PKM_Error("Copied object different from original\n");
+        return CKR_DEVICE_ERROR;
+    }
+
+    PKM_LogIt( "    Copied object three: new handle = %lu\n", hDeltaIn);
+
+    mask[0].type = CKA_APPLICATION;
+    mask[0].pValue = key;
+    mask[0].ulValueLen = key_len;
+
+    crv = pFunctionList->C_FindObjectsInit(h, mask, 1);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjectsInit(%lu, mask, 1) returned 0x%08X, %-26s\n",
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    (void)memset(&found, 0, sizeof(found));
+    nFound = 0;
+    crv = pFunctionList->C_FindObjects(h, found, 10, &nFound);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjects(%lu,, 10, ) returned 0x%08X, %-26s\n",
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if ( 4 != nFound ) {
+        PKM_Error(  "Found %lu objects, not 4.\n", nFound);
+        return crv;
+    }
+
+    PKM_LogIt( "    Found 4 objects: %lu, %lu, %lu, %lu\n",
+               found[0], found[1], found[2], found[3]);
+
+    crv = pFunctionList->C_FindObjectsFinal(h);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", 
+                    h, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_DestroyObject(h, hThreeIn);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_DestroyObject(%lu, %lu) returned 0x%08X, %-26s\n", h,
+                    hThreeIn, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Destroyed object three (handle = %lu)\n", hThreeIn);
+
+    delta[0].type = CKA_APPLICATION;
+    delta[0].pValue = "Changed application";
+    delta[0].ulValueLen = strlen(delta[0].pValue);
+
+    crv = pFunctionList->C_SetAttributeValue(h, hTwoIn, delta, 1);
+    if ( CKR_OK != crv ) {
+        PKM_Error("C_SetAttributeValue(%lu, %lu, delta, 1) returned "
+                  "0x%08X, %-26s\n",
+                  h, hTwoIn, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "    Changed object two (handle = %lu).\n", hTwoIn);
+
+    /* Can another session find these session objects? */
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &h2);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
+                    " returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    PKM_LogIt( "    Opened a second session: handle = 0x%08x\n", h2);
+
+    /* mask is still the same */
+
+    crv = pFunctionList->C_FindObjectsInit(h2, mask, 1);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjectsInit(%lu, mask, 1) returned 0x%08X, %-26s\n",
+                    h2, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    (void)memset(&found, 0, sizeof(found));
+    nFound = 0;
+    crv = pFunctionList->C_FindObjects(h2, found, 10, &nFound);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjects(%lu,, 10, ) returned 0x%08X, %-26s\n",
+                    h2, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if ( 2 != nFound ) {
+        PKM_Error(  "Found %lu objects, not 2.\n", nFound);
+        return crv;
+    }
+
+    PKM_LogIt( "    Found 2 objects: %lu, %lu\n",
+               found[0], found[1]);
+
+    crv = pFunctionList->C_FindObjectsFinal(h2);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", h2, crv, 
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Logout(h);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseAllSessions(pSlotList[slotID]);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CloseAllSessions(%lu) returned 0x%08X, %-26s\n",
+                    pSlotList[slotID], crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt( "\n");
+    return crv;
+}
+
+CK_RV PKM_OperationalState(CK_FUNCTION_LIST_PTR pFunctionList,
+                           CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                           CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv = CKR_OK;
+    CK_MECHANISM sAESKeyMech = {
+        CKM_AES_KEY_GEN, NULL, 0
+    };
+    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
+    CK_KEY_TYPE keyAESType = CKK_AES;
+    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
+    CK_ULONG AESvalueLen = 16;
+    CK_ATTRIBUTE sAESKeyTemplate[9];    
+    CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
+    CK_BYTE_PTR     pstate = NULL;
+    CK_ULONG statelen, digestlen, plainlen, plainlen_1, plainlen_2, slen;
+
+    static const CK_UTF8CHAR *plaintext = (CK_UTF8CHAR *)"Firefox rules.";
+    static const CK_UTF8CHAR *plaintext_1 = (CK_UTF8CHAR *)"Thunderbird rules.";
+    static const CK_UTF8CHAR *plaintext_2 = (CK_UTF8CHAR *)
+                                            "Firefox and Thunderbird.";
+
+    char    digest[MAX_DIGEST_SZ], digest_1[MAX_DIGEST_SZ];
+    char    sign[MAX_SIG_SZ];
+    CK_MECHANISM signmech;
+    CK_MECHANISM digestmech;
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+
+    /* AES key template */
+    sAESKeyTemplate[0].type       = CKA_CLASS; 
+    sAESKeyTemplate[0].pValue     = &class;
+    sAESKeyTemplate[0].ulValueLen = sizeof(class);
+    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
+    sAESKeyTemplate[1].pValue     = &keyAESType; 
+    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
+    sAESKeyTemplate[2].type       = CKA_LABEL;
+    sAESKeyTemplate[2].pValue     = AESlabel; 
+    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
+    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
+    sAESKeyTemplate[3].pValue     = &true; 
+    sAESKeyTemplate[3].ulValueLen = sizeof(true);
+    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
+    sAESKeyTemplate[4].pValue     = &true; 
+    sAESKeyTemplate[4].ulValueLen = sizeof(true);
+    sAESKeyTemplate[5].type       = CKA_SIGN; 
+    sAESKeyTemplate[5].pValue     = &true; 
+    sAESKeyTemplate[5].ulValueLen = sizeof (true);
+    sAESKeyTemplate[6].type       = CKA_VERIFY; 
+    sAESKeyTemplate[6].pValue     = &true; 
+    sAESKeyTemplate[6].ulValueLen = sizeof(true);
+    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
+    sAESKeyTemplate[7].pValue     = &true; 
+    sAESKeyTemplate[7].ulValueLen = sizeof(true);
+    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
+    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
+    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
+
+    signmech.mechanism = CKM_SHA_1_HMAC;
+    signmech.pParameter = NULL;
+    signmech.ulParameterLen = 0;
+    digestmech.mechanism = CKM_SHA256;
+    digestmech.pParameter = NULL;
+    digestmech.ulParameterLen = 0;
+
+
+    plainlen = strlen((char *)plaintext);
+    plainlen_1 = strlen((char *)plaintext_1);
+    plainlen_2 = strlen((char *)plaintext_2);
+    digestlen = MAX_DIGEST_SZ;
+
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    PKM_LogIt("Generate an AES key ...\n");
+    /* generate an AES Secret Key */
+    crv = pFunctionList->C_GenerateKey(hSession, &sAESKeyMech,
+                                       sAESKeyTemplate,
+                                       NUM_ELEM(sAESKeyTemplate),
+                                       &sKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey AES succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
+                   crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_SignInit(hSession, &signmech, sKey);
+    if (crv != CKR_OK) {
+        PKM_Error("C_SignInit failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    slen = sizeof(sign);
+    crv = pFunctionList->C_Sign(hSession, (CK_BYTE_PTR)plaintext, plainlen,
+                                (CK_BYTE_PTR)sign, &slen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_Sign failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_DestroyObject(hSession, sKey);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DestroyObject failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    digestlen = MAX_DIGEST_SZ;
+    crv = pFunctionList->C_DigestInit(hSession, &digestmech);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestInit failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext,
+                                        plainlen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_GetOperationState(hSession, NULL, &statelen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_GetOperationState failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    pstate = (CK_BYTE_PTR) malloc(statelen * sizeof (CK_BYTE_PTR));
+    crv = pFunctionList->C_GetOperationState(hSession, pstate, &statelen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_GetOperationState failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext_1,
+                                        plainlen_1);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext_2,
+                                        plainlen_2);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /*
+     *      This will override/negate the above 2 digest_update
+     *      operations
+     */
+    crv = pFunctionList->C_SetOperationState(hSession, pstate, statelen,
+                                             0, 0);
+    if (crv != CKR_OK) {
+        PKM_Error("C_SetOperationState failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_DigestFinal(hSession, (CK_BYTE_PTR)digest,
+                                       &digestlen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestFinal failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    digestlen = MAX_DIGEST_SZ;
+    crv = pFunctionList->C_DigestInit(hSession, &digestmech);
+    if (crv != CKR_OK) {
+        PKM_Error("C_DigestInit failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Digest(hSession, (CK_BYTE_PTR)plaintext, plainlen,
+                                  (CK_BYTE_PTR)digest_1, &digestlen);
+    if (crv != CKR_OK) {
+        PKM_Error("C_Digest failed returned 0x%08X, %-26s\n", crv, 
+                  PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    if (memcmp(digest, digest_1, digestlen) == 0) {
+        PKM_LogIt("Digest and digest_1 are equal!\n");
+    } else {
+        PKM_Error("Digest and digest_1 are not equal!\n");
+    }
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if ( CKR_OK != crv ) {
+        PKM_Error(  "C_CloseSession(%lu) returned 0x%08X, %-26s\n", 
+                    hSession, crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+}
+
+
+/*
+* Recover Functions
+*/
+CK_RV PKM_RecoverFunctions(CK_FUNCTION_LIST_PTR pFunctionList, 
+                    CK_SESSION_HANDLE hSession,
+                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
+                    CK_MECHANISM *signMech, const CK_BYTE * pData, 
+                    CK_ULONG pDataLen) {
+    CK_RV crv = CKR_OK;
+    CK_BYTE sig[MAX_SIG_SZ];
+    CK_ULONG sigLen = MAX_SIG_SZ;
+    CK_BYTE recover[MAX_SIG_SZ];
+    CK_ULONG recoverLen = MAX_SIG_SZ;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+    
+    /* initializes a signature operation,
+     *  where the data can be recovered from the signature
+     */
+    crv = pFunctionList->C_SignRecoverInit(hSession, signMech,
+                                           hPrivKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignRecoverInit succeeded. \n");
+    } else {
+        PKM_Error("C_SignRecoverInit failed.\n"
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* signs single-part data,
+     * where the data can be recovered from the signature
+     */
+    crv = pFunctionList->C_SignRecover(hSession, (CK_BYTE * )pData,
+                                       pDataLen,
+                                       (CK_BYTE * )sig, &sigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_SignRecover succeeded. \n");
+    } else {
+        PKM_Error("C_SignRecoverInit failed to create an RSA key pair.\n"
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /*
+     * initializes a verification operation
+     *where the data is recovered from the signature
+     */
+    crv = pFunctionList->C_VerifyRecoverInit(hSession, signMech,
+                                             hPubKey);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyRecoverInit succeeded. \n");
+    } else {
+        PKM_Error("C_VerifyRecoverInit failed.\n"
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /*
+    * verifies a signature on single-part data,
+    * where the data is recovered from the signature
+    */
+    crv = pFunctionList->C_VerifyRecover(hSession, (CK_BYTE * )sig,
+                                         sigLen,
+                                         (CK_BYTE * )recover, &recoverLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyRecover succeeded. \n");
+    } else {
+        PKM_Error("C_VerifyRecover failed.\n"
+                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if ((recoverLen == pDataLen)
+        && (memcmp(recover, pData, pDataLen) == 0)) {
+        PKM_LogIt("VerifyRecover test case passed\n");
+    } else {
+        PKM_Error( "VerifyRecover test case failed\n");
+    }
+
+    return crv;
+}
+/*
+* wrapUnwrap
+* wrap the secretkey with the public key.
+* unwrap the secretkey with the private key.
+*/
+CK_RV PKM_wrapUnwrap(CK_FUNCTION_LIST_PTR pFunctionList,
+                     CK_SESSION_HANDLE hSession, 
+                     CK_OBJECT_HANDLE hPublicKey, 
+                     CK_OBJECT_HANDLE hPrivateKey,
+                     CK_MECHANISM *wrapMechanism,
+                     CK_OBJECT_HANDLE hSecretKey,
+                     CK_ATTRIBUTE *sKeyTemplate,
+                     CK_ULONG skeyTempSize) {
+    CK_RV crv = CKR_OK;
+    CK_OBJECT_HANDLE hSecretKeyUnwrapped = CK_INVALID_HANDLE;
+    CK_BYTE wrappedKey[128];
+    CK_ULONG ulWrappedKeyLen = 0;
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    ulWrappedKeyLen = sizeof(wrappedKey);
+    crv = pFunctionList->C_WrapKey(
+                                  hSession, wrapMechanism,
+                                  hPublicKey, hSecretKey,
+                                  wrappedKey, &ulWrappedKeyLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_WrapKey succeeded\n");
+    } else {
+        PKM_Error( "C_WrapKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_UnwrapKey(
+                                    hSession, wrapMechanism, hPrivateKey,
+                                    wrappedKey, ulWrappedKeyLen, sKeyTemplate,
+                                    skeyTempSize,
+                                    &hSecretKeyUnwrapped);
+    if ((crv == CKR_OK) && (hSecretKeyUnwrapped != CK_INVALID_HANDLE)) {
+        PKM_LogIt("C_UnwrapKey succeeded\n");
+    } else {
+        PKM_Error( "C_UnwrapKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return crv;
+}
+
+/*
+ * Tests if the object's attributes match the expected_attrs
+ */
+CK_RV
+PKM_AttributeCheck(CK_FUNCTION_LIST_PTR pFunctionList,
+                   CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE obj,
+                   CK_ATTRIBUTE_PTR expected_attrs,
+                   CK_ULONG expected_attrs_count)
+{
+    CK_RV crv;
+    CK_ATTRIBUTE_PTR tmp_attrs;
+    unsigned int i;
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* First duplicate the themplate */
+    tmp_attrs = malloc(expected_attrs_count * sizeof (CK_ATTRIBUTE));
+
+    if (tmp_attrs == NULL) {
+        PKM_Error("Internal test memory failure\n");
+        return (CKR_HOST_MEMORY);
+    }
+
+    for (i = 0; i < expected_attrs_count; i++) {
+        tmp_attrs[i].type = expected_attrs[i].type;
+        tmp_attrs[i].ulValueLen = expected_attrs[i].ulValueLen;
+
+        /* Don't give away the expected one. just zeros */
+        tmp_attrs[i].pValue = calloc(expected_attrs[i].ulValueLen, 1);
+
+        if (tmp_attrs[i].pValue == NULL) {
+            unsigned int j;
+            for (j = 0; j < i; j++)
+                free(tmp_attrs[j].pValue);
+
+            free(tmp_attrs);
+            printf("Internal test memory failure\n");
+            return (CKR_HOST_MEMORY);
+        }
+    }
+
+    /* then get the attributes from the object */
+    crv = pFunctionList->C_GetAttributeValue(hSession, obj, tmp_attrs,
+                                             expected_attrs_count);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetAttributeValue failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        crv = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
+    /* Finally compare with the expected ones */
+    for (i = 0; i < expected_attrs_count; i++) {
+
+        if (memcmp(tmp_attrs[i].pValue, expected_attrs[i].pValue,
+                   expected_attrs[i].ulValueLen) != 0) {
+        PKM_LogIt("comparing attribute type 0x%x with expected  0x%x\n",
+                      tmp_attrs[i].type, expected_attrs[i].type);
+        PKM_LogIt("comparing attribute type value 0x%x with expected 0x%x\n",
+                      tmp_attrs[i].pValue, expected_attrs[i].pValue);
+        /* don't report error at this time */
+        }
+    }
+
+    out:
+    for (i = 0; i < expected_attrs_count; i++)
+        free(tmp_attrs[i].pValue);
+    free(tmp_attrs);
+    return (crv);
+}
+
+/*
+ * Check the validity of a mech
+ */
+CK_RV
+PKM_MechCheck(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
+              CK_MECHANISM_TYPE mechType, CK_FLAGS flags,
+              CK_BBOOL check_sizes, CK_ULONG minkeysize, CK_ULONG maxkeysize)
+{
+    CK_SESSION_INFO         sess_info;
+    CK_MECHANISM_INFO       mech_info;
+    CK_RV                   crv;
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    if ((crv = pFunctionList->C_GetSessionInfo(hSession, &sess_info))
+        != CKR_OK) {
+        PKM_Error( "C_GetSessionInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return (CKR_FUNCTION_FAILED);
+    }
+
+    crv = pFunctionList->C_GetMechanismInfo(0, mechType,
+                                            &mech_info);
+
+
+    crv = pFunctionList->C_GetMechanismInfo(sess_info.slotID, mechType,
+                                            &mech_info);
+
+    if (crv != CKR_OK) {
+        PKM_Error( "C_GetMechanismInfo failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return (CKR_FUNCTION_FAILED);
+    }
+
+    if ((mech_info.flags & flags) == 0) {
+        PKM_Error("0x%x flag missing from mech\n", flags);
+        return (CKR_MECHANISM_INVALID);
+    }
+    if (!check_sizes)
+        return (CKR_OK);
+
+    if (mech_info.ulMinKeySize != minkeysize) {
+        PKM_Error("Bad MinKeySize %d expected %d\n", mech_info.ulMinKeySize,
+                  minkeysize);
+        return (CKR_MECHANISM_INVALID);
+    }
+    if (mech_info.ulMaxKeySize != maxkeysize) {
+        PKM_Error("Bad MaxKeySize %d expected %d\n", mech_info.ulMaxKeySize,
+                  maxkeysize);
+        return (CKR_MECHANISM_INVALID);
+    }
+    return (CKR_OK);
+}
+
+
+
+
+
+/*
+ * Can be called with a non-null premaster_key_len for the
+ * *_DH mechanisms. In that case, no checking for the matching of
+ * the expected results is done.
+ * The rnd argument tells which correct/bogus randomInfo to use.
+ */
+CK_RV
+PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
+                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
+                        CK_MECHANISM_TYPE mechType,
+                        enum_random_t rnd)  {
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv;
+    CK_MECHANISM            mk_mech;
+    CK_VERSION              expected_version, version;
+    CK_OBJECT_CLASS         class = CKO_SECRET_KEY;
+    CK_KEY_TYPE             type = CKK_GENERIC_SECRET;
+    CK_BBOOL                derive_bool = true;
+    CK_ATTRIBUTE            attrs[4];
+    CK_ULONG                attrs_count = 4;
+    CK_OBJECT_HANDLE        pmk_obj = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE        mk_obj = CK_INVALID_HANDLE;
+    CK_SSL3_MASTER_KEY_DERIVE_PARAMS mkd_params;
+    CK_MECHANISM            skmd_mech;
+
+    CK_BBOOL isDH = false;
+ 
+    NUMTESTS++; /* increment NUMTESTS */
+
+    attrs[0].type       = CKA_CLASS; 
+    attrs[0].pValue     = &class; 
+    attrs[0].ulValueLen = sizeof (class);
+    attrs[1].type       = CKA_KEY_TYPE; 
+    attrs[1].pValue     = &type; 
+    attrs[1].ulValueLen = sizeof (type);
+    attrs[2].type       = CKA_DERIVE; 
+    attrs[2].pValue     = &derive_bool;
+    attrs[2].ulValueLen = sizeof (derive_bool);
+    attrs[3].type       = CKA_VALUE; 
+    attrs[3].pValue     = NULL; 
+    attrs[3].ulValueLen = 0;
+    
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Before all, check if the mechanism is supported correctly */
+    if (MODE == FIPSMODE) {
+    crv = PKM_MechCheck(pFunctionList, hSession, mechType, CKF_DERIVE, false,
+                        0, 0);
+    if (crv != CKR_OK) {
+        PKM_Error( "PKM_MechCheck failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return (crv);
+    }
+    }
+
+    mk_mech.mechanism = mechType;
+    mk_mech.pParameter = &mkd_params;
+    mk_mech.ulParameterLen = sizeof (mkd_params);
+
+    switch (mechType) {
+    case CKM_TLS_MASTER_KEY_DERIVE_DH:
+        isDH = true;
+        /* FALLTHRU */
+    case CKM_TLS_MASTER_KEY_DERIVE:
+        attrs[3].pValue = NULL;
+        attrs[3].ulValueLen = 0;
+        expected_version.major = 3;
+        expected_version.minor = 1;
+
+        mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom;
+        mkd_params.RandomInfo.ulClientRandomLen =
+        sizeof (TLSClientRandom);
+        mkd_params.RandomInfo.pServerRandom = (unsigned char * ) TLSServerRandom;
+        mkd_params.RandomInfo.ulServerRandomLen =
+        sizeof (TLSServerRandom);
+        break;
+    }
+    mkd_params.pVersion = (!isDH) ? &version : NULL;
+
+    /* First create the pre-master secret key */
+
+    skmd_mech.mechanism = CKM_SSL3_PRE_MASTER_KEY_GEN;
+    skmd_mech.pParameter = &mkd_params;
+    skmd_mech.ulParameterLen = sizeof (mkd_params);
+
+
+    crv = pFunctionList->C_GenerateKey(hSession, &skmd_mech,
+                                       attrs,
+                                       attrs_count,
+                                       &pmk_obj);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+
+    }
+    /* Test the bad cases */
+    switch (rnd) {
+    case CORRECT:
+        goto correct;
+
+    case BOGUS_CLIENT_RANDOM:
+        mkd_params.RandomInfo.pClientRandom = NULL;
+        break;
+
+    case BOGUS_CLIENT_RANDOM_LEN:
+        mkd_params.RandomInfo.ulClientRandomLen = 0;
+        break;
+
+    case BOGUS_SERVER_RANDOM:
+        mkd_params.RandomInfo.pServerRandom = NULL;
+        break;
+
+    case BOGUS_SERVER_RANDOM_LEN:
+        mkd_params.RandomInfo.ulServerRandomLen = 0;
+        break;
+    }
+    crv = pFunctionList->C_DeriveKey(hSession, &mk_mech, pmk_obj, NULL, 0,
+                                     &mk_obj);
+    if (crv != CKR_MECHANISM_PARAM_INVALID) {
+        PKM_LogIt( "C_DeriveKey returned as EXPECTED with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+    } else {
+        PKM_Error( "C_DeriveKey did not fail  with  bad data \n" );
+    }
+    goto out;
+
+
+    correct:
+    /* Now derive the master secret key */
+    crv = pFunctionList->C_DeriveKey(hSession, &mk_mech, pmk_obj, NULL, 0,
+                                     &mk_obj);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_DeriveKey succeeded\n");
+    } else {
+        PKM_Error( "C_DeriveKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+
+    }
+
+    out:
+    if (pmk_obj != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, pmk_obj);
+    if (mk_obj != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
+    crv = pFunctionList->C_Logout(hSession);
+
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    return (crv);
+}
+
+
+CK_RV
+PKM_TLSKeyAndMacDerive( CK_FUNCTION_LIST_PTR pFunctionList,
+                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
+                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
+                        CK_MECHANISM_TYPE mechType, enum_random_t rnd)
+{
+    CK_SESSION_HANDLE hSession;
+    CK_RV crv;
+    CK_MECHANISM            kmd_mech;
+    CK_MECHANISM            skmd_mech;
+    CK_OBJECT_CLASS         class = CKO_SECRET_KEY;
+    CK_KEY_TYPE             type = CKK_GENERIC_SECRET;
+    CK_BBOOL                derive_bool = true;
+    CK_BBOOL                sign_bool = true, verify_bool = true;
+    CK_BBOOL                encrypt_bool = true, decrypt_bool = true;
+    CK_ULONG                value_len;
+
+    /*
+     * We arrange this template so that:
+     * . Attributes 0-6 are good for a MAC key comparison template.
+     * . Attributes 2-5 are good for the master key creation template.
+     * . Attributes 3-8 are good for a cipher key comparison template.
+     */
+    CK_ATTRIBUTE            attrs[9]; 
+
+    CK_OBJECT_HANDLE        mk_obj = CK_INVALID_HANDLE;
+    CK_SSL3_KEY_MAT_PARAMS km_params;
+    CK_SSL3_KEY_MAT_OUT kmo;
+    CK_BYTE         IVClient[8];
+    CK_BYTE         IVServer[8];
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    attrs[0].type       = CKA_SIGN;
+    attrs[0].pValue     = &sign_bool; 
+    attrs[0].ulValueLen = sizeof (sign_bool);
+    attrs[1].type       = CKA_VERIFY; 
+    attrs[1].pValue     = &verify_bool; 
+    attrs[1].ulValueLen = sizeof (verify_bool);
+    attrs[2].type       = CKA_KEY_TYPE; 
+    attrs[2].pValue     = &type; 
+    attrs[2].ulValueLen = sizeof (type);
+    attrs[3].type       = CKA_CLASS; 
+    attrs[3].pValue     = &class; 
+    attrs[3].ulValueLen = sizeof (class);
+    attrs[4].type       = CKA_DERIVE; 
+    attrs[4].pValue     = &derive_bool; 
+    attrs[4].ulValueLen = sizeof (derive_bool);
+    attrs[5].type       = CKA_VALUE; 
+    attrs[5].pValue     = NULL; 
+    attrs[5].ulValueLen = 0;
+    attrs[6].type       = CKA_VALUE_LEN; 
+    attrs[6].pValue     = &value_len; 
+    attrs[6].ulValueLen = sizeof (value_len);
+    attrs[7].type       = CKA_ENCRYPT; 
+    attrs[7].pValue     = &encrypt_bool; 
+    attrs[7].ulValueLen = sizeof (encrypt_bool);
+    attrs[8].type       = CKA_DECRYPT; 
+    attrs[8].pValue     = &decrypt_bool; 
+    attrs[8].ulValueLen = sizeof (decrypt_bool);
+
+    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
+                                       NULL, NULL, &hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Login with correct password succeeded\n");
+    } else {
+        PKM_Error( "C_Login with correct password failed "
+                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    /* Before all, check if the mechanism is supported correctly */
+    if (MODE == FIPSMODE) {
+        crv = PKM_MechCheck(pFunctionList, hSession, mechType, CKF_DERIVE,
+                            CK_TRUE, 48, 48);
+
+        if (crv != CKR_OK) {
+            PKM_Error( "PKM_MechCheck failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+            return (crv);
+        }
+    }
+    kmd_mech.mechanism = mechType;
+    kmd_mech.pParameter = &km_params;
+    kmd_mech.ulParameterLen = sizeof (km_params);
+
+    km_params.ulMacSizeInBits = 128;        /* an MD5 based MAC */
+    km_params.ulKeySizeInBits = 192;        /* 3DES key size */
+    km_params.ulIVSizeInBits = 64;          /* 3DES block size */
+    km_params.pReturnedKeyMaterial = &kmo;
+    km_params.bIsExport = false;
+    kmo.hClientMacSecret = CK_INVALID_HANDLE;
+    kmo.hServerMacSecret = CK_INVALID_HANDLE;
+    kmo.hClientKey = CK_INVALID_HANDLE;
+    kmo.hServerKey = CK_INVALID_HANDLE;
+    kmo.pIVClient = IVClient;
+    kmo.pIVServer = IVServer;
+
+    skmd_mech.mechanism = CKM_SSL3_PRE_MASTER_KEY_GEN;
+    skmd_mech.pParameter = &km_params;
+    skmd_mech.ulParameterLen = sizeof (km_params);
+
+
+    crv = pFunctionList->C_GenerateKey(hSession, &skmd_mech,
+                                       &attrs[2],
+                                       4,
+                                       &mk_obj);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_GenerateKey succeeded\n");
+    } else {
+        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+        attrs[5].pValue = NULL;
+        attrs[5].ulValueLen = 0;
+
+    km_params.RandomInfo.pClientRandom = (unsigned char *) TLSClientRandom;
+    km_params.RandomInfo.ulClientRandomLen =
+    sizeof (TLSClientRandom);
+    km_params.RandomInfo.pServerRandom = (unsigned char *) TLSServerRandom;
+    km_params.RandomInfo.ulServerRandomLen =
+    sizeof (TLSServerRandom);
+
+    /* Test the bad cases */
+    switch (rnd) {
+    case CORRECT:
+        goto correct;
+
+    case BOGUS_CLIENT_RANDOM:
+        km_params.RandomInfo.pClientRandom = NULL;
+        break;
+
+    case BOGUS_CLIENT_RANDOM_LEN:
+        km_params.RandomInfo.ulClientRandomLen = 0;
+        break;
+
+    case BOGUS_SERVER_RANDOM:
+        km_params.RandomInfo.pServerRandom = NULL;
+        break;
+
+    case BOGUS_SERVER_RANDOM_LEN:
+        km_params.RandomInfo.ulServerRandomLen = 0;
+        break;
+    }
+    crv = pFunctionList->C_DeriveKey(hSession, &kmd_mech, mk_obj, NULL, 0,
+                                     NULL);
+    if (crv != CKR_MECHANISM_PARAM_INVALID) {
+        PKM_Error( "key materials derivation returned unexpected "
+                   "error 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
+        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
+        return (CKR_FUNCTION_FAILED);
+
+    }
+    return (CKR_OK);
+
+    correct:
+    /*
+     * Then use the master key and the client 'n server random data to
+     * derive the key materials
+     */
+    crv = pFunctionList->C_DeriveKey(hSession, &kmd_mech, mk_obj, NULL, 0,
+                                     NULL);
+    if (crv != CKR_OK) {
+        PKM_Error( "Cannot derive the key materials, crv 0x%08X, %-26s\n", 
+                   crv, PKM_CK_RVtoStr(crv));
+        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
+        return (crv);
+    }
+
+    if (mk_obj != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
+    if (kmo.hClientMacSecret != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, kmo.hClientMacSecret);
+    if (kmo.hServerMacSecret != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, kmo.hServerMacSecret);
+    if (kmo.hClientKey != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, kmo.hClientKey);
+    if (kmo.hServerKey != CK_INVALID_HANDLE)
+        (void) pFunctionList->C_DestroyObject(hSession, kmo.hServerKey);
+
+    crv = pFunctionList->C_Logout(hSession);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_Logout succeeded\n");
+    } else {
+        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_CloseSession(hSession);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    return (crv);
+}
+
+CK_RV PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pFunctionList,
+                       CK_SESSION_HANDLE hRwSession,
+                       CK_OBJECT_HANDLE publicKey, CK_OBJECT_HANDLE privateKey,
+                       CK_MECHANISM *sigMech,
+                       CK_OBJECT_HANDLE secretKey, CK_MECHANISM *cryptMech,
+                       const CK_BYTE *  pData, CK_ULONG pDataLen) {
+
+    CK_RV crv = CKR_OK;
+    CK_BYTE encryptedData[MAX_CIPHER_SZ];
+    CK_ULONG ulEncryptedDataLen = 0;
+    CK_ULONG ulLastUpdateSize = 0 ;
+    CK_BYTE sig[MAX_SIG_SZ];
+    CK_ULONG ulSigLen = 0;
+    CK_BYTE data[MAX_DATA_SZ];
+    CK_ULONG ulDataLen = 0;
+
+    memset(encryptedData, 0, sizeof(encryptedData));
+    memset(sig, 0, sizeof(sig));
+    memset(data, 0, sizeof(data));
+
+    NUMTESTS++; /* increment NUMTESTS */
+
+    /* Check that the mechanism is Multi-part */
+    if (sigMech->mechanism == CKM_DSA || sigMech->mechanism == CKM_RSA_PKCS) {
+        PKM_Error( "PKM_DualFuncSign must be called with a Multi-part "
+                   "operation mechanism\n");        
+        return CKR_DEVICE_ERROR;
+    }
+
+    /* Sign and Encrypt */
+    if (privateKey == 0 && publicKey == 0) {
+        crv = pFunctionList->C_SignInit(hRwSession, sigMech, secretKey);
+        if (crv != CKR_OK) {
+            PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+    } else {
+        crv = pFunctionList->C_SignInit(hRwSession, sigMech, privateKey);
+        if (crv != CKR_OK) {
+            PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+     }
+    crv = pFunctionList->C_EncryptInit(hRwSession, cryptMech, secretKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    ulEncryptedDataLen = sizeof(encryptedData);
+    crv = pFunctionList->C_SignEncryptUpdate(hRwSession, (CK_BYTE * ) pData,
+                                             pDataLen,
+                                             encryptedData,
+                                             &ulEncryptedDataLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    ulLastUpdateSize = sizeof(encryptedData) - ulEncryptedDataLen;
+    crv = pFunctionList->C_EncryptFinal(hRwSession,
+         (CK_BYTE * )&encryptedData[ulEncryptedDataLen], &ulLastUpdateSize);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_EncryptFinal failed with 0x%08X, %-26s\n", crv,
+                    PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    ulEncryptedDataLen = ulEncryptedDataLen + ulLastUpdateSize; 
+    ulSigLen = sizeof(sig);
+    crv = pFunctionList->C_SignFinal(hRwSession, sig, &ulSigLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_SignFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Decrypt and Verify */
+
+    crv = pFunctionList->C_DecryptInit(hRwSession, cryptMech, secretKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    crv = pFunctionList->C_VerifyInit(hRwSession, sigMech,
+                                      publicKey);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    ulDataLen = sizeof(data);
+    crv = pFunctionList->C_DecryptVerifyUpdate(hRwSession,
+                                               encryptedData,
+                                               ulEncryptedDataLen,
+                                               data, &ulDataLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptVerifyUpdate failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    ulLastUpdateSize = sizeof(data) - ulDataLen;
+    /* Get last little piece of plaintext.  Should have length 0 */
+    crv = pFunctionList->C_DecryptFinal(hRwSession, &data[ulDataLen],
+                                        &ulLastUpdateSize);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    
+    if (ulLastUpdateSize != 0) {
+        crv = pFunctionList->C_VerifyUpdate(hRwSession, &data[ulDataLen],
+                                        ulLastUpdateSize);
+        if (crv != CKR_OK) {
+            PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
+                       PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+    }
+    ulDataLen = ulDataLen + ulLastUpdateSize; 
+
+    /* input for the verify operation is the decrypted data */
+    crv = pFunctionList->C_VerifyFinal(hRwSession, sig, ulSigLen);
+    if (crv == CKR_OK) {
+        PKM_LogIt("C_VerifyFinal succeeded\n");
+    } else {
+        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
+                   PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    /* Comparison of Decrypted data with inputed data */
+    if ( (ulDataLen == pDataLen) && 
+         (memcmp(data, pData, pDataLen) == 0) ) {
+        PKM_LogIt("PKM_DualFuncSign decrypt test case passed\n");
+    } else {
+        PKM_Error( "PKM_DualFuncSign derypt test case failed\n");
+    }
+
+    return crv;
+
+}
+
+CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList, 
+                 CK_SESSION_HANDLE hSession,
+                 CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
+                 const CK_BYTE *  pData, CK_ULONG pDataLen) {
+    CK_RV crv = CKR_OK;
+    CK_BYTE digest1[MAX_DIGEST_SZ];
+    CK_ULONG digest1Len = 0 ;
+    CK_BYTE digest2[MAX_DIGEST_SZ];
+    CK_ULONG digest2Len = 0;
+
+    /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
+
+    memset(digest1, 0, sizeof(digest1));
+    memset(digest2, 0, sizeof(digest2));
+    
+    NUMTESTS++; /* increment NUMTESTS */
+
+    crv = pFunctionList->C_DigestInit(hSession, digestMech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
+            PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+    digest1Len = sizeof(digest1);
+    crv = pFunctionList->C_Digest(hSession, (CK_BYTE * ) pData, pDataLen, 
+        digest1, &digest1Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
+            PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+
+    crv = pFunctionList->C_DigestInit(hSession, digestMech);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
+            PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE * ) pData, pDataLen);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestUpdate failed with 0x%08X, %-26s\n", crv, 
+            PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+ 	
+    /* C_DigestKey continues a multiple-part message-digesting operation by*/
+    /* digesting the value of a secret key. (only used with C_DigestUpdate)*/
+    if (hSecretKey != 0) {
+        crv = pFunctionList->C_DigestKey(hSession, hSecretKey);
+        if (crv != CKR_OK) {
+            PKM_Error( "C_DigestKey failed with 0x%08X, %-26s\n", crv, 
+                PKM_CK_RVtoStr(crv));
+            return crv;
+        }
+    }
+
+    digest2Len = sizeof(digest2);
+    crv = pFunctionList->C_DigestFinal(hSession, digest2, &digest2Len);
+    if (crv != CKR_OK) {
+        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
+            PKM_CK_RVtoStr(crv));
+        return crv;
+    }
+
+    if (hSecretKey == 0){
+        /* did not digest a secret key so digests should equal */ 
+        if  ( (digest1Len == digest2Len) 
+            && (memcmp(digest1, digest2, digest1Len) == 0) ) {
+                PKM_LogIt("Single and Multiple-part message digest "
+                    "operations succesful\n");
+            } else {
+                PKM_Error("Single and Multiple-part message digest "
+                    "operations failed\n");
+            }
+    } else {
+        if  (digest1Len == digest2Len) { 
+            PKM_LogIt("PKM_Digest Single and Multiple-part message digest "
+                "operations succesful\n");
+        } else {
+            PKM_Error("PKM_Digest Single and Multiple-part message digest "
+                "operations failed\n");
+        }
+
+    }
+
+    return crv;
+
+}
+
+char * PKM_FilePasswd(char *pwFile)
+{
+    unsigned char phrase[200];
+    PRFileDesc *fd;
+    PRInt32 nb;
+    int i;
+
+    if (!pwFile)
+        return 0;
+
+    fd = PR_Open(pwFile, PR_RDONLY, 0);
+    if (!fd) {
+        fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
+        return NULL;
+    }
+
+    nb = PR_Read(fd, phrase, sizeof(phrase));
+ 
+    PR_Close(fd);
+    /* handle the Windows EOL case */
+    i = 0;
+    while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++;
+    phrase[i] = '\0';
+    if (nb == 0) {
+        fprintf(stderr,"password file contains no data\n");
+        return NULL;
+    }
+    return (char*) strdup((char*)phrase);
+}
+
+void PKM_Help() 
+{
+    PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError);
+    PR_fprintf(debug_out, "pk11mode test program usage:\n");
+    PR_fprintf(debug_out, "\t-f <file>   Password File : echo pw > file \n");
+    PR_fprintf(debug_out, "\t-n          Non Fips Mode \n");
+    PR_fprintf(debug_out, "\t-d <path>   Database path location\n");
+    PR_fprintf(debug_out, "\t-p <prefix> DataBase prefix\n");
+    PR_fprintf(debug_out, "\t-h          this help message\n");
+    exit(1);
+}
+
+void PKM_CheckPath(char *string)
+{
+   char *src;
+   char *dest;
+
+   /*
+   * windows support convert any back slashes to
+   * forward slashes.
+   */
+   for (src=string, dest=string; *src; src++,dest++) {
+       if (*src == '\\') {
+           *dest = '/';
+       }
+   }
+   dest--;
+   /* if the last char is a / set it to 0 */
+   if (*dest == '/')
+       *dest = 0;
+
+}
diff --git a/security/nss/cmd/pk11util/Makefile b/security/nss/cmd/pk11util/Makefile
new file mode 100644
index 000000000..fe7991878
--- /dev/null
+++ b/security/nss/cmd/pk11util/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/pk11util/manifest.mn b/security/nss/cmd/pk11util/manifest.mn
new file mode 100644
index 000000000..3badc6efe
--- /dev/null
+++ b/security/nss/cmd/pk11util/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = pk11util.c pk11table.c
+#CSRCS = symkeytest.c 
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd
+
+PROGRAM = pk11util
+#PROGRAM = symkeytest
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pk11util/pk11table.c b/security/nss/cmd/pk11util/pk11table.c
new file mode 100644
index 000000000..c233fd80d
--- /dev/null
+++ b/security/nss/cmd/pk11util/pk11table.c
@@ -0,0 +1,1411 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <pkcs11.h>
+#include "pk11util.h"
+
+const char *_valueString[] = {
+    "None",
+    "Variable",
+    "CK_ULONG",
+    "Data",
+    "UTF8",
+    "CK_INFO",
+    "CK_SLOT_INFO",
+    "CK_TOKEN_INFO",
+    "CK_SESSION_INFO",
+    "CK_ATTRIBUTE",
+    "CK_MECHANISM",
+    "CK_MECHANISM_INFO",
+    "CK_C_INITIALIZE_ARGS",
+    "CK_FUNCTION_LIST"
+};
+
+const char **valueString = &_valueString[0];
+const int valueCount = sizeof(_valueString)/sizeof(_valueString[0]);
+
+const char *_constTypeString[] = {
+    "None",
+    "Bool",
+    "InfoFlags",
+    "SlotFlags",
+    "TokenFlags",
+    "SessionFlags",
+    "MechanismFlags",
+    "InitializeFlags",
+    "Users",
+    "SessionState",
+    "Object",
+    "Hardware",
+    "KeyType",
+    "CertificateType",
+    "Attribute",
+    "Mechanism",
+    "Result",
+    "Trust",
+    "AvailableSizes",
+    "CurrentSize"
+};
+
+const char **constTypeString = &_constTypeString[0];
+const int constTypeCount = sizeof(_constTypeString)/sizeof(_constTypeString[0]);
+
+#define mkEntry(x,t) { #x, x, Const##t, ConstNone }
+#define mkEntry2(x,t,t2) { #x, x, Const##t, Const##t2 }
+
+const Constant _consts[] = {
+	mkEntry(CK_FALSE, Bool),
+	mkEntry(CK_TRUE, Bool),
+
+	mkEntry(CKF_TOKEN_PRESENT, SlotFlags),
+	mkEntry(CKF_REMOVABLE_DEVICE, SlotFlags),
+	mkEntry(CKF_HW_SLOT, SlotFlags),
+
+	mkEntry(CKF_RNG, TokenFlags),
+	mkEntry(CKF_WRITE_PROTECTED, TokenFlags),
+	mkEntry(CKF_LOGIN_REQUIRED, TokenFlags),
+	mkEntry(CKF_USER_PIN_INITIALIZED, TokenFlags),
+	mkEntry(CKF_RESTORE_KEY_NOT_NEEDED, TokenFlags),
+	mkEntry(CKF_CLOCK_ON_TOKEN, TokenFlags),
+	mkEntry(CKF_PROTECTED_AUTHENTICATION_PATH, TokenFlags),
+	mkEntry(CKF_DUAL_CRYPTO_OPERATIONS, TokenFlags),
+	mkEntry(CKF_TOKEN_INITIALIZED, TokenFlags),
+	mkEntry(CKF_SECONDARY_AUTHENTICATION, TokenFlags),
+	mkEntry(CKF_USER_PIN_COUNT_LOW, TokenFlags),
+	mkEntry(CKF_USER_PIN_FINAL_TRY, TokenFlags),
+	mkEntry(CKF_USER_PIN_LOCKED, TokenFlags),
+	mkEntry(CKF_USER_PIN_TO_BE_CHANGED, TokenFlags),
+	mkEntry(CKF_SO_PIN_COUNT_LOW, TokenFlags),
+	mkEntry(CKF_SO_PIN_FINAL_TRY, TokenFlags),
+	mkEntry(CKF_SO_PIN_LOCKED, TokenFlags),
+	mkEntry(CKF_SO_PIN_TO_BE_CHANGED, TokenFlags),
+
+	mkEntry(CKF_RW_SESSION, SessionFlags),
+	mkEntry(CKF_SERIAL_SESSION, SessionFlags),
+
+	mkEntry(CKF_HW, MechanismFlags),
+	mkEntry(CKF_ENCRYPT, MechanismFlags),
+	mkEntry(CKF_DECRYPT, MechanismFlags),
+	mkEntry(CKF_DIGEST, MechanismFlags),
+	mkEntry(CKF_SIGN, MechanismFlags),
+	mkEntry(CKF_SIGN_RECOVER, MechanismFlags),
+	mkEntry(CKF_VERIFY, MechanismFlags),
+	mkEntry(CKF_VERIFY_RECOVER, MechanismFlags),
+	mkEntry(CKF_GENERATE, MechanismFlags),
+	mkEntry(CKF_GENERATE_KEY_PAIR, MechanismFlags),
+	mkEntry(CKF_WRAP, MechanismFlags),
+	mkEntry(CKF_UNWRAP, MechanismFlags),
+	mkEntry(CKF_DERIVE, MechanismFlags),
+	mkEntry(CKF_EC_FP, MechanismFlags),
+	mkEntry(CKF_EC_F_2M, MechanismFlags),
+	mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags),
+	mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags),
+	mkEntry(CKF_EC_UNCOMPRESS, MechanismFlags),
+	mkEntry(CKF_EC_COMPRESS, MechanismFlags),
+
+	mkEntry(CKF_LIBRARY_CANT_CREATE_OS_THREADS, InitializeFlags),
+	mkEntry(CKF_OS_LOCKING_OK, InitializeFlags),
+
+	mkEntry(CKU_SO, Users),
+	mkEntry(CKU_USER, Users),
+
+	mkEntry(CKS_RO_PUBLIC_SESSION, SessionState),
+	mkEntry(CKS_RO_USER_FUNCTIONS, SessionState),
+	mkEntry(CKS_RW_PUBLIC_SESSION, SessionState),
+	mkEntry(CKS_RW_USER_FUNCTIONS, SessionState),
+	mkEntry(CKS_RW_SO_FUNCTIONS, SessionState),
+
+	mkEntry(CKO_DATA, Object),
+	mkEntry(CKO_CERTIFICATE, Object),
+	mkEntry(CKO_PUBLIC_KEY, Object),
+	mkEntry(CKO_PRIVATE_KEY, Object),
+	mkEntry(CKO_SECRET_KEY, Object),
+	mkEntry(CKO_HW_FEATURE, Object),
+	mkEntry(CKO_DOMAIN_PARAMETERS, Object),
+	mkEntry(CKO_KG_PARAMETERS, Object),
+	mkEntry(CKO_NETSCAPE_CRL, Object),
+	mkEntry(CKO_NETSCAPE_SMIME, Object),
+	mkEntry(CKO_NETSCAPE_TRUST, Object),
+	mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
+
+	mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
+	mkEntry(CKH_CLOCK, Hardware),
+
+	mkEntry(CKK_RSA, KeyType),
+	mkEntry(CKK_DSA, KeyType),
+	mkEntry(CKK_DH, KeyType),
+	mkEntry(CKK_ECDSA, KeyType),
+	mkEntry(CKK_EC, KeyType),
+	mkEntry(CKK_X9_42_DH, KeyType),
+	mkEntry(CKK_KEA, KeyType),
+	mkEntry(CKK_GENERIC_SECRET, KeyType),
+	mkEntry(CKK_RC2, KeyType),
+	mkEntry(CKK_RC4, KeyType),
+	mkEntry(CKK_DES, KeyType),
+	mkEntry(CKK_DES2, KeyType),
+	mkEntry(CKK_DES3, KeyType),
+	mkEntry(CKK_CAST, KeyType),
+	mkEntry(CKK_CAST3, KeyType),
+	mkEntry(CKK_CAST5, KeyType),
+	mkEntry(CKK_CAST128, KeyType),
+	mkEntry(CKK_RC5, KeyType),
+	mkEntry(CKK_IDEA, KeyType),
+	mkEntry(CKK_SKIPJACK, KeyType),
+	mkEntry(CKK_BATON, KeyType),
+	mkEntry(CKK_JUNIPER, KeyType),
+	mkEntry(CKK_CDMF, KeyType),
+	mkEntry(CKK_AES, KeyType),
+	mkEntry(CKK_CAMELLIA, KeyType),
+	mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
+
+	mkEntry(CKC_X_509, CertType),
+	mkEntry(CKC_X_509_ATTR_CERT, CertType),
+
+	mkEntry2(CKA_CLASS, Attribute, Object),
+	mkEntry2(CKA_TOKEN, Attribute, Bool),
+	mkEntry2(CKA_PRIVATE, Attribute, Bool),
+	mkEntry2(CKA_LABEL, Attribute, None),
+	mkEntry2(CKA_APPLICATION, Attribute, None),
+	mkEntry2(CKA_VALUE, Attribute, None),
+	mkEntry2(CKA_OBJECT_ID, Attribute, None),
+	mkEntry2(CKA_CERTIFICATE_TYPE, Attribute, CertType),
+	mkEntry2(CKA_ISSUER, Attribute, None),
+	mkEntry2(CKA_SERIAL_NUMBER, Attribute, None),
+	mkEntry2(CKA_AC_ISSUER, Attribute, None),
+	mkEntry2(CKA_OWNER, Attribute, None),
+	mkEntry2(CKA_ATTR_TYPES, Attribute, None),
+	mkEntry2(CKA_TRUSTED, Attribute, Bool),
+	mkEntry2(CKA_KEY_TYPE, Attribute, KeyType),
+	mkEntry2(CKA_SUBJECT, Attribute, None),
+	mkEntry2(CKA_ID, Attribute, None),
+	mkEntry2(CKA_SENSITIVE, Attribute, Bool),
+	mkEntry2(CKA_ENCRYPT, Attribute, Bool),
+	mkEntry2(CKA_DECRYPT, Attribute, Bool),
+	mkEntry2(CKA_WRAP, Attribute, Bool),
+	mkEntry2(CKA_UNWRAP, Attribute, Bool),
+	mkEntry2(CKA_SIGN, Attribute, Bool),
+	mkEntry2(CKA_SIGN_RECOVER, Attribute, Bool),
+	mkEntry2(CKA_VERIFY, Attribute, Bool),
+	mkEntry2(CKA_VERIFY_RECOVER, Attribute, Bool),
+	mkEntry2(CKA_DERIVE, Attribute, Bool),
+	mkEntry2(CKA_START_DATE, Attribute, None),
+	mkEntry2(CKA_END_DATE, Attribute, None),
+	mkEntry2(CKA_MODULUS, Attribute, None),
+	mkEntry2(CKA_MODULUS_BITS, Attribute, None),
+	mkEntry2(CKA_PUBLIC_EXPONENT, Attribute, None),
+	mkEntry2(CKA_PRIVATE_EXPONENT, Attribute, None),
+	mkEntry2(CKA_PRIME_1, Attribute, None),
+	mkEntry2(CKA_PRIME_2, Attribute, None),
+	mkEntry2(CKA_EXPONENT_1, Attribute, None),
+	mkEntry2(CKA_EXPONENT_2, Attribute, None),
+	mkEntry2(CKA_COEFFICIENT, Attribute, None),
+	mkEntry2(CKA_PRIME, Attribute, None),
+	mkEntry2(CKA_SUBPRIME, Attribute, None),
+	mkEntry2(CKA_BASE, Attribute, None),
+	mkEntry2(CKA_PRIME_BITS, Attribute, None),
+	mkEntry2(CKA_SUB_PRIME_BITS, Attribute, None),
+	mkEntry2(CKA_VALUE_BITS, Attribute, None),
+	mkEntry2(CKA_VALUE_LEN, Attribute, None),
+	mkEntry2(CKA_EXTRACTABLE, Attribute, Bool),
+	mkEntry2(CKA_LOCAL, Attribute, Bool),
+	mkEntry2(CKA_NEVER_EXTRACTABLE, Attribute, Bool),
+	mkEntry2(CKA_ALWAYS_SENSITIVE, Attribute, Bool),
+	mkEntry2(CKA_KEY_GEN_MECHANISM, Attribute, Mechanism),
+	mkEntry2(CKA_MODIFIABLE, Attribute, Bool),
+	mkEntry2(CKA_ECDSA_PARAMS, Attribute, None),
+	mkEntry2(CKA_EC_PARAMS, Attribute, None),
+	mkEntry2(CKA_EC_POINT, Attribute, None),
+	mkEntry2(CKA_SECONDARY_AUTH, Attribute, None),
+	mkEntry2(CKA_AUTH_PIN_FLAGS, Attribute, None),
+	mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
+	mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
+	mkEntry2(CKA_HAS_RESET, Attribute, Bool),
+	mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
+	mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
+	mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
+	mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
+	mkEntry2(CKA_TRUST_DATA_ENCIPHERMENT, Attribute, Trust),
+	mkEntry2(CKA_TRUST_KEY_AGREEMENT, Attribute, Trust),
+	mkEntry2(CKA_TRUST_KEY_CERT_SIGN, Attribute, Trust),
+	mkEntry2(CKA_TRUST_CRL_SIGN, Attribute, Trust),
+	mkEntry2(CKA_TRUST_SERVER_AUTH, Attribute, Trust),
+	mkEntry2(CKA_TRUST_CLIENT_AUTH, Attribute, Trust),
+	mkEntry2(CKA_TRUST_CODE_SIGNING, Attribute, Trust),
+	mkEntry2(CKA_TRUST_EMAIL_PROTECTION, Attribute, Trust),
+	mkEntry2(CKA_TRUST_IPSEC_END_SYSTEM, Attribute, Trust),
+	mkEntry2(CKA_TRUST_IPSEC_TUNNEL, Attribute, Trust),
+	mkEntry2(CKA_TRUST_IPSEC_USER, Attribute, Trust),
+	mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust),
+	mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None),
+	mkEntry2(CKA_CERT_MD5_HASH, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_DB, Attribute, None),
+	mkEntry2(CKA_NETSCAPE_TRUST, Attribute, Trust),
+
+	mkEntry(CKM_RSA_PKCS, Mechanism),
+	mkEntry(CKM_RSA_9796, Mechanism),
+	mkEntry(CKM_RSA_X_509, Mechanism),
+	mkEntry(CKM_RSA_PKCS_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_MD2_RSA_PKCS, Mechanism),
+	mkEntry(CKM_MD5_RSA_PKCS, Mechanism),
+	mkEntry(CKM_SHA1_RSA_PKCS, Mechanism),
+	mkEntry(CKM_RIPEMD128_RSA_PKCS, Mechanism),
+	mkEntry(CKM_RIPEMD160_RSA_PKCS, Mechanism),
+	mkEntry(CKM_RSA_PKCS_OAEP, Mechanism),
+	mkEntry(CKM_RSA_X9_31_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_RSA_X9_31, Mechanism),
+	mkEntry(CKM_SHA1_RSA_X9_31, Mechanism),
+	mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_DSA, Mechanism),
+	mkEntry(CKM_DSA_SHA1, Mechanism),
+	mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_DH_PKCS_DERIVE, Mechanism),
+	mkEntry(CKM_X9_42_DH_DERIVE, Mechanism),
+	mkEntry(CKM_X9_42_DH_HYBRID_DERIVE, Mechanism),
+	mkEntry(CKM_X9_42_MQV_DERIVE, Mechanism),
+	mkEntry(CKM_SHA256_RSA_PKCS, Mechanism),
+	mkEntry(CKM_SHA384_RSA_PKCS, Mechanism),
+	mkEntry(CKM_SHA512_RSA_PKCS, Mechanism),
+	mkEntry(CKM_RC2_KEY_GEN, Mechanism),
+	mkEntry(CKM_RC2_ECB, Mechanism),
+	mkEntry(CKM_RC2_CBC, Mechanism),
+	mkEntry(CKM_RC2_MAC, Mechanism),
+	mkEntry(CKM_RC2_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_RC2_CBC_PAD, Mechanism),
+	mkEntry(CKM_RC4_KEY_GEN, Mechanism),
+	mkEntry(CKM_RC4, Mechanism),
+	mkEntry(CKM_DES_KEY_GEN, Mechanism),
+	mkEntry(CKM_DES_ECB, Mechanism),
+	mkEntry(CKM_DES_CBC, Mechanism),
+	mkEntry(CKM_DES_MAC, Mechanism),
+	mkEntry(CKM_DES_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_DES_CBC_PAD, Mechanism),
+	mkEntry(CKM_DES2_KEY_GEN, Mechanism),
+	mkEntry(CKM_DES3_KEY_GEN, Mechanism),
+	mkEntry(CKM_DES3_ECB, Mechanism),
+	mkEntry(CKM_DES3_CBC, Mechanism),
+	mkEntry(CKM_DES3_MAC, Mechanism),
+	mkEntry(CKM_DES3_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_DES3_CBC_PAD, Mechanism),
+	mkEntry(CKM_CDMF_KEY_GEN, Mechanism),
+	mkEntry(CKM_CDMF_ECB, Mechanism),
+	mkEntry(CKM_CDMF_CBC, Mechanism),
+	mkEntry(CKM_CDMF_MAC, Mechanism),
+	mkEntry(CKM_CDMF_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CDMF_CBC_PAD, Mechanism),
+	mkEntry(CKM_MD2, Mechanism),
+	mkEntry(CKM_MD2_HMAC, Mechanism),
+	mkEntry(CKM_MD2_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_MD5, Mechanism),
+	mkEntry(CKM_MD5_HMAC, Mechanism),
+	mkEntry(CKM_MD5_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_SHA_1, Mechanism),
+	mkEntry(CKM_SHA_1_HMAC, Mechanism),
+	mkEntry(CKM_SHA_1_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_RIPEMD128, Mechanism),
+	mkEntry(CKM_RIPEMD128_HMAC, Mechanism),
+	mkEntry(CKM_RIPEMD128_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_RIPEMD160, Mechanism),
+	mkEntry(CKM_RIPEMD160_HMAC, Mechanism),
+	mkEntry(CKM_RIPEMD160_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_SHA256, Mechanism),
+	mkEntry(CKM_SHA256_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_SHA256_HMAC, Mechanism),
+	mkEntry(CKM_SHA384, Mechanism),
+	mkEntry(CKM_SHA384_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_SHA384_HMAC, Mechanism),
+	mkEntry(CKM_SHA512, Mechanism),
+	mkEntry(CKM_SHA512_HMAC_GENERAL, Mechanism),
+	mkEntry(CKM_SHA512_HMAC, Mechanism),
+	mkEntry(CKM_CAST_KEY_GEN, Mechanism),
+	mkEntry(CKM_CAST_ECB, Mechanism),
+	mkEntry(CKM_CAST_CBC, Mechanism),
+	mkEntry(CKM_CAST_MAC, Mechanism),
+	mkEntry(CKM_CAST_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CAST_CBC_PAD, Mechanism),
+	mkEntry(CKM_CAST3_KEY_GEN, Mechanism),
+	mkEntry(CKM_CAST3_ECB, Mechanism),
+	mkEntry(CKM_CAST3_CBC, Mechanism),
+	mkEntry(CKM_CAST3_MAC, Mechanism),
+	mkEntry(CKM_CAST3_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CAST3_CBC_PAD, Mechanism),
+	mkEntry(CKM_CAST5_KEY_GEN, Mechanism),
+	mkEntry(CKM_CAST128_KEY_GEN, Mechanism),
+	mkEntry(CKM_CAST5_ECB, Mechanism),
+	mkEntry(CKM_CAST128_ECB, Mechanism),
+	mkEntry(CKM_CAST5_CBC, Mechanism),
+	mkEntry(CKM_CAST128_CBC, Mechanism),
+	mkEntry(CKM_CAST5_MAC, Mechanism),
+	mkEntry(CKM_CAST128_MAC, Mechanism),
+	mkEntry(CKM_CAST5_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CAST128_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CAST5_CBC_PAD, Mechanism),
+	mkEntry(CKM_CAST128_CBC_PAD, Mechanism),
+	mkEntry(CKM_RC5_KEY_GEN, Mechanism),
+	mkEntry(CKM_RC5_ECB, Mechanism),
+	mkEntry(CKM_RC5_CBC, Mechanism),
+	mkEntry(CKM_RC5_MAC, Mechanism),
+	mkEntry(CKM_RC5_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_RC5_CBC_PAD, Mechanism),
+	mkEntry(CKM_IDEA_KEY_GEN, Mechanism),
+	mkEntry(CKM_IDEA_ECB, Mechanism),
+	mkEntry(CKM_IDEA_CBC, Mechanism),
+	mkEntry(CKM_IDEA_MAC, Mechanism),
+	mkEntry(CKM_IDEA_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_IDEA_CBC_PAD, Mechanism),
+	mkEntry(CKM_GENERIC_SECRET_KEY_GEN, Mechanism),
+	mkEntry(CKM_CONCATENATE_BASE_AND_KEY, Mechanism),
+	mkEntry(CKM_CONCATENATE_BASE_AND_DATA, Mechanism),
+	mkEntry(CKM_CONCATENATE_DATA_AND_BASE, Mechanism),
+	mkEntry(CKM_XOR_BASE_AND_DATA, Mechanism),
+	mkEntry(CKM_EXTRACT_KEY_FROM_KEY, Mechanism),
+	mkEntry(CKM_SSL3_PRE_MASTER_KEY_GEN, Mechanism),
+	mkEntry(CKM_SSL3_MASTER_KEY_DERIVE, Mechanism),
+	mkEntry(CKM_SSL3_KEY_AND_MAC_DERIVE, Mechanism),
+	mkEntry(CKM_SSL3_MASTER_KEY_DERIVE_DH, Mechanism),
+	mkEntry(CKM_TLS_PRE_MASTER_KEY_GEN, Mechanism),
+	mkEntry(CKM_TLS_MASTER_KEY_DERIVE, Mechanism),
+	mkEntry(CKM_TLS_KEY_AND_MAC_DERIVE, Mechanism),
+	mkEntry(CKM_TLS_MASTER_KEY_DERIVE_DH, Mechanism),
+	mkEntry(CKM_SSL3_MD5_MAC, Mechanism),
+	mkEntry(CKM_SSL3_SHA1_MAC, Mechanism),
+	mkEntry(CKM_MD5_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_MD2_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_SHA1_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_SHA256_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_SHA384_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_SHA512_KEY_DERIVATION, Mechanism),
+	mkEntry(CKM_PBE_MD2_DES_CBC, Mechanism),
+	mkEntry(CKM_PBE_MD5_DES_CBC, Mechanism),
+	mkEntry(CKM_PBE_MD5_CAST_CBC, Mechanism),
+	mkEntry(CKM_PBE_MD5_CAST3_CBC, Mechanism),
+	mkEntry(CKM_PBE_MD5_CAST5_CBC, Mechanism),
+	mkEntry(CKM_PBE_MD5_CAST128_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_CAST5_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_CAST128_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_RC4_128, Mechanism),
+	mkEntry(CKM_PBE_SHA1_RC4_40, Mechanism),
+	mkEntry(CKM_PBE_SHA1_DES3_EDE_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_DES2_EDE_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_RC2_128_CBC, Mechanism),
+	mkEntry(CKM_PBE_SHA1_RC2_40_CBC, Mechanism),
+	mkEntry(CKM_PKCS5_PBKD2, Mechanism),
+	mkEntry(CKM_PBA_SHA1_WITH_SHA1_HMAC, Mechanism),
+	mkEntry(CKM_KEY_WRAP_LYNKS, Mechanism),
+	mkEntry(CKM_KEY_WRAP_SET_OAEP, Mechanism),
+	mkEntry(CKM_SKIPJACK_KEY_GEN, Mechanism),
+	mkEntry(CKM_SKIPJACK_ECB64, Mechanism),
+	mkEntry(CKM_SKIPJACK_CBC64, Mechanism),
+	mkEntry(CKM_SKIPJACK_OFB64, Mechanism),
+	mkEntry(CKM_SKIPJACK_CFB64, Mechanism),
+	mkEntry(CKM_SKIPJACK_CFB32, Mechanism),
+	mkEntry(CKM_SKIPJACK_CFB16, Mechanism),
+	mkEntry(CKM_SKIPJACK_CFB8, Mechanism),
+	mkEntry(CKM_SKIPJACK_WRAP, Mechanism),
+	mkEntry(CKM_SKIPJACK_PRIVATE_WRAP, Mechanism),
+	mkEntry(CKM_SKIPJACK_RELAYX, Mechanism),
+	mkEntry(CKM_KEA_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_KEA_KEY_DERIVE, Mechanism),
+	mkEntry(CKM_FORTEZZA_TIMESTAMP, Mechanism),
+	mkEntry(CKM_BATON_KEY_GEN, Mechanism),
+	mkEntry(CKM_BATON_ECB128, Mechanism),
+	mkEntry(CKM_BATON_ECB96, Mechanism),
+	mkEntry(CKM_BATON_CBC128, Mechanism),
+	mkEntry(CKM_BATON_COUNTER, Mechanism),
+	mkEntry(CKM_BATON_SHUFFLE, Mechanism),
+	mkEntry(CKM_BATON_WRAP, Mechanism),
+	mkEntry(CKM_ECDSA_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism),
+	mkEntry(CKM_ECDSA, Mechanism),
+	mkEntry(CKM_ECDSA_SHA1, Mechanism),
+	mkEntry(CKM_ECDH1_DERIVE, Mechanism),
+	mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
+	mkEntry(CKM_ECMQV_DERIVE, Mechanism),
+	mkEntry(CKM_JUNIPER_KEY_GEN, Mechanism),
+	mkEntry(CKM_JUNIPER_ECB128, Mechanism),
+	mkEntry(CKM_JUNIPER_CBC128, Mechanism),
+	mkEntry(CKM_JUNIPER_COUNTER, Mechanism),
+	mkEntry(CKM_JUNIPER_SHUFFLE, Mechanism),
+	mkEntry(CKM_JUNIPER_WRAP, Mechanism),
+	mkEntry(CKM_FASTHASH, Mechanism),
+	mkEntry(CKM_AES_KEY_GEN, Mechanism),
+	mkEntry(CKM_AES_ECB, Mechanism),
+	mkEntry(CKM_AES_CBC, Mechanism),
+	mkEntry(CKM_AES_MAC, Mechanism),
+	mkEntry(CKM_AES_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_AES_CBC_PAD, Mechanism),
+	mkEntry(CKM_CAMELLIA_KEY_GEN, Mechanism),
+	mkEntry(CKM_CAMELLIA_ECB, Mechanism),
+	mkEntry(CKM_CAMELLIA_CBC, Mechanism),
+	mkEntry(CKM_CAMELLIA_MAC, Mechanism),
+	mkEntry(CKM_CAMELLIA_MAC_GENERAL, Mechanism),
+	mkEntry(CKM_CAMELLIA_CBC_PAD, Mechanism),
+	mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
+	mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
+	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
+	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, Mechanism),
+	mkEntry(CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, Mechanism),
+	mkEntry(CKM_TLS_PRF_GENERAL, Mechanism),
+
+	mkEntry(CKR_OK, Result),
+	mkEntry(CKR_CANCEL, Result),
+	mkEntry(CKR_HOST_MEMORY, Result),
+	mkEntry(CKR_SLOT_ID_INVALID, Result),
+	mkEntry(CKR_GENERAL_ERROR, Result),
+	mkEntry(CKR_FUNCTION_FAILED, Result),
+	mkEntry(CKR_ARGUMENTS_BAD, Result),
+	mkEntry(CKR_NO_EVENT, Result),
+	mkEntry(CKR_NEED_TO_CREATE_THREADS, Result),
+	mkEntry(CKR_CANT_LOCK, Result),
+	mkEntry(CKR_ATTRIBUTE_READ_ONLY, Result),
+	mkEntry(CKR_ATTRIBUTE_SENSITIVE, Result),
+	mkEntry(CKR_ATTRIBUTE_TYPE_INVALID, Result),
+	mkEntry(CKR_ATTRIBUTE_VALUE_INVALID, Result),
+	mkEntry(CKR_DATA_INVALID, Result),
+	mkEntry(CKR_DATA_LEN_RANGE, Result),
+	mkEntry(CKR_DEVICE_ERROR, Result),
+	mkEntry(CKR_DEVICE_MEMORY, Result),
+	mkEntry(CKR_DEVICE_REMOVED, Result),
+	mkEntry(CKR_ENCRYPTED_DATA_INVALID, Result),
+	mkEntry(CKR_ENCRYPTED_DATA_LEN_RANGE, Result),
+	mkEntry(CKR_FUNCTION_CANCELED, Result),
+	mkEntry(CKR_FUNCTION_NOT_PARALLEL, Result),
+	mkEntry(CKR_FUNCTION_NOT_SUPPORTED, Result),
+	mkEntry(CKR_KEY_HANDLE_INVALID, Result),
+	mkEntry(CKR_KEY_SIZE_RANGE, Result),
+	mkEntry(CKR_KEY_TYPE_INCONSISTENT, Result),
+	mkEntry(CKR_KEY_NOT_NEEDED, Result),
+	mkEntry(CKR_KEY_CHANGED, Result),
+	mkEntry(CKR_KEY_NEEDED, Result),
+	mkEntry(CKR_KEY_INDIGESTIBLE, Result),
+	mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result),
+	mkEntry(CKR_KEY_NOT_WRAPPABLE, Result),
+	mkEntry(CKR_KEY_UNEXTRACTABLE, Result),
+	mkEntry(CKR_KEY_PARAMS_INVALID, Result),
+	mkEntry(CKR_MECHANISM_INVALID, Result),
+	mkEntry(CKR_MECHANISM_PARAM_INVALID, Result),
+	mkEntry(CKR_OBJECT_HANDLE_INVALID, Result),
+	mkEntry(CKR_OPERATION_ACTIVE, Result),
+	mkEntry(CKR_OPERATION_NOT_INITIALIZED, Result),
+	mkEntry(CKR_PIN_INCORRECT, Result),
+	mkEntry(CKR_PIN_INVALID, Result),
+	mkEntry(CKR_PIN_LEN_RANGE, Result),
+	mkEntry(CKR_PIN_EXPIRED, Result),
+	mkEntry(CKR_PIN_LOCKED, Result),
+	mkEntry(CKR_SESSION_CLOSED, Result),
+	mkEntry(CKR_SESSION_COUNT, Result),
+	mkEntry(CKR_SESSION_HANDLE_INVALID, Result),
+	mkEntry(CKR_SESSION_PARALLEL_NOT_SUPPORTED, Result),
+	mkEntry(CKR_SESSION_READ_ONLY, Result),
+	mkEntry(CKR_SESSION_EXISTS, Result),
+	mkEntry(CKR_SESSION_READ_ONLY_EXISTS, Result),
+	mkEntry(CKR_SESSION_READ_WRITE_SO_EXISTS, Result),
+	mkEntry(CKR_SIGNATURE_INVALID, Result),
+	mkEntry(CKR_SIGNATURE_LEN_RANGE, Result),
+	mkEntry(CKR_TEMPLATE_INCOMPLETE, Result),
+	mkEntry(CKR_TEMPLATE_INCONSISTENT, Result),
+	mkEntry(CKR_TOKEN_NOT_PRESENT, Result),
+	mkEntry(CKR_TOKEN_NOT_RECOGNIZED, Result),
+	mkEntry(CKR_TOKEN_WRITE_PROTECTED, Result),
+	mkEntry(CKR_UNWRAPPING_KEY_HANDLE_INVALID, Result),
+	mkEntry(CKR_UNWRAPPING_KEY_SIZE_RANGE, Result),
+	mkEntry(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, Result),
+	mkEntry(CKR_USER_ALREADY_LOGGED_IN, Result),
+	mkEntry(CKR_USER_NOT_LOGGED_IN, Result),
+	mkEntry(CKR_USER_PIN_NOT_INITIALIZED, Result),
+	mkEntry(CKR_USER_TYPE_INVALID, Result),
+	mkEntry(CKR_USER_ANOTHER_ALREADY_LOGGED_IN, Result),
+	mkEntry(CKR_USER_TOO_MANY_TYPES, Result),
+	mkEntry(CKR_WRAPPED_KEY_INVALID, Result),
+	mkEntry(CKR_WRAPPED_KEY_LEN_RANGE, Result),
+	mkEntry(CKR_WRAPPING_KEY_HANDLE_INVALID, Result),
+	mkEntry(CKR_WRAPPING_KEY_SIZE_RANGE, Result),
+	mkEntry(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, Result),
+	mkEntry(CKR_RANDOM_SEED_NOT_SUPPORTED, Result),
+	mkEntry(CKR_RANDOM_NO_RNG, Result),
+	mkEntry(CKR_DOMAIN_PARAMS_INVALID, Result),
+	mkEntry(CKR_BUFFER_TOO_SMALL, Result),
+	mkEntry(CKR_SAVED_STATE_INVALID, Result),
+	mkEntry(CKR_INFORMATION_SENSITIVE, Result),
+	mkEntry(CKR_STATE_UNSAVEABLE, Result),
+	mkEntry(CKR_CRYPTOKI_NOT_INITIALIZED, Result),
+	mkEntry(CKR_CRYPTOKI_ALREADY_INITIALIZED, Result),
+	mkEntry(CKR_MUTEX_BAD, Result),
+	mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
+	mkEntry(CKR_VENDOR_DEFINED, Result),
+
+	mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
+	mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
+	mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
+	mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
+	mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
+	mkEntry(CKT_NETSCAPE_VALID, Trust),
+	mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
+
+	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
+	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
+};
+
+const Constant *consts = &_consts[0];
+const int constCount = sizeof(_consts)/sizeof(_consts[0]);
+
+const Commands _commands[] = {
+    {"C_Initialize", F_C_Initialize,
+"C_Initialize pInitArgs\n\n"
+"C_Initialize initializes the PKCS #11 library.\n"
+"  pInitArgs  if this is not NULL_PTR it gets cast to and dereferenced\n",
+	{ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Finalize", F_C_Finalize,
+"C_Finalize pReserved\n\n"
+"C_Finalize indicates that an application is done with the PKCS #11 library.\n"
+" pReserved  reserved. Should be NULL_PTR\n",
+	{ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetInfo", F_C_GetInfo,
+"C_GetInfo pInfo\n\n"
+"C_GetInfo returns general information about PKCS #11.\n"
+" pInfo   location that receives information\n",
+	{ArgInfo|ArgOut,   ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetFunctionList", F_C_GetFunctionList,
+"C_GetFunctionList ppFunctionList\n\n"
+"C_GetFunctionList returns the function list.\n"
+" ppFunctionList   receives pointer to function list\n",
+	{ArgFunctionList|ArgOut,   ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetSlotList", F_C_GetSlotList,
+"C_GetSlotList tokenPresent pSlotList pulCount\n\n"
+"C_GetSlotList obtains a list of slots in the system.\n"
+" tokenPresent    only slots with tokens?\n"
+" pSlotList       receives array of slot IDs\n"
+" pulCount        receives number of slots\n",
+	{ArgULong, ArgULong|ArgArray|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetSlotInfo", F_C_GetSlotInfo,
+"C_GetSlotInfo slotID pInfo\n\n"
+"C_GetSlotInfo obtains information about a particular slot in the system.\n"
+" slotID    the ID of the slot\n"
+" pInfo     receives the slot information\n",
+	{ArgULong, ArgSlotInfo|ArgOut, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetTokenInfo", F_C_GetTokenInfo,
+"C_GetTokenInfo slotID pInfo\n\n"
+"C_GetTokenInfo obtains information about a particular token in the system.\n"
+" slotID    ID of the token's slot\n"
+" pInfo     receives the token information\n",
+	{ArgULong, ArgTokenInfo|ArgOut, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetMechanismList", F_C_GetMechanismList,
+"C_GetMechanismList slotID pMechanismList pulCount\n\n"
+"C_GetMechanismList obtains a list of mechanism types supported by a token.\n"
+" slotID            ID of token's slot\n"
+" pMechanismList    gets mech. array\n"
+" pulCount          gets # of mechs.\n",
+	{ArgULong, ArgULong|ArgArray|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetMechanismInfo", F_C_GetMechanismInfo,
+"C_GetMechanismInfo slotID type pInfo\n\n"
+"C_GetMechanismInfo obtains information about a particular mechanism possibly\n"
+"supported by a token.\n"
+" slotID    ID of the token's slot\n"
+" type      type of mechanism\n"
+" pInfo     receives mechanism info\n",
+	{ArgULong, ArgULong, ArgMechanismInfo|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_InitToken", F_C_InitToken,
+"C_InitToken slotID pPin ulPinLen pLabel\n\n"
+"C_InitToken initializes a token.\n"
+" slotID      ID of the token's slot\n"
+" pPin        the SO's initial PIN\n"
+" ulPinLen    length in bytes of the PIN\n"
+" pLabel      32-byte token label (blank padded)\n",
+	{ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_InitPIN", F_C_InitPIN,
+"C_InitPIN hSession pPin ulPinLen\n\n"
+"C_InitPIN initializes the normal user's PIN.\n"
+" hSession    the session's handle\n"
+" pPin        the normal user's PIN\n"
+" ulPinLen    length in bytes of the PIN\n",
+	{ArgULong, ArgUTF8, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SetPIN", F_C_SetPIN,
+"C_SetPIN hSession pOldPin ulOldLen pNewPin ulNewLen\n\n"
+"C_SetPIN modifies the PIN of the user who is logged in.\n"
+" hSession    the session's handle\n"
+" pOldPin     the old PIN\n"
+" ulOldLen    length of the old PIN\n"
+" pNewPin     the new PIN\n"
+" ulNewLen    length of the new PIN\n",
+	{ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgULong,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_OpenSession", F_C_OpenSession,
+"C_OpenSession slotID flags phSession\n\n"
+"C_OpenSession opens a session between an application and a token.\n"
+" slotID          the slot's ID\n"
+" flags           from\n"
+" phSession       gets session handle\n",
+	{ArgULong, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_CloseSession", F_C_CloseSession,
+"C_CloseSession hSession\n\n"
+"C_CloseSession closes a session between an application and a token.\n"
+" hSession   the session's handle\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_CloseAllSessions", F_C_CloseAllSessions,
+"C_CloseAllSessions slotID\n\n"
+"C_CloseAllSessions closes all sessions with a token.\n"
+" slotID   the token's slot\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetSessionInfo", F_C_GetSessionInfo,
+"C_GetSessionInfo hSession pInfo\n\n"
+"C_GetSessionInfo obtains information about the session.\n"
+" hSession    the session's handle\n"
+" pInfo       receives session info\n",
+	{ArgULong, ArgSessionInfo|ArgOut, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetOperationState", F_C_GetOperationState,
+"C_GetOperationState hSession pOpState pulOpStateLen\n\n"
+"C_GetOperationState obtains the state of the cryptographic operation in a\n"
+"session.\n"
+" hSession        session's handle\n"
+" pOpState        gets state\n"
+" pulOpStateLen   gets state length\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SetOperationState", F_C_SetOperationState,
+"C_SetOperationState hSession pOpState ulOpStateLen hEncKey hAuthKey\n\n"
+"C_SetOperationState restores the state of the cryptographic operation in a\n"
+"session.\n"
+" hSession        session's handle\n"
+" pOpState        holds state\n"
+" ulOpStateLen    holds state length\n"
+" hEncKey         en/decryption key\n"
+" hAuthnKey       sign/verify key\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong, ArgULong, ArgULong,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Login", F_C_Login,
+"C_Login hSession userType pPin ulPinLen\n\n"
+"C_Login logs a user into a token.\n"
+" hSession    the session's handle\n"
+" userType    the user type\n"
+" pPin        the user's PIN\n"
+" ulPinLen    the length of the PIN\n",
+	{ArgULong, ArgULong, ArgVar, ArgULong, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Logout", F_C_Logout,
+"C_Logout hSession\n\n"
+"C_Logout logs a user out from a token.\n"
+" hSession   the session's handle\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_CreateObject", F_C_CreateObject,
+"C_CreateObject hSession pTemplate ulCount phObject\n\n"
+"C_CreateObject creates a new object.\n"
+" hSession      the session's handle\n"
+" pTemplate     the object's template\n"
+" ulCount       attributes in template\n"
+" phObject   gets new object's handle.\n",
+	{ArgULong, ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_CopyObject", F_C_CopyObject,
+"C_CopyObject hSession hObject pTemplate ulCount phNewObject\n\n"
+"C_CopyObject copies an object creating a new object for the copy.\n"
+" hSession      the session's handle\n"
+" hObject       the object's handle\n"
+" pTemplate     template for new object\n"
+" ulCount       attributes in template\n"
+" phNewObject   receives handle of copy\n",
+	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DestroyObject", F_C_DestroyObject,
+"C_DestroyObject hSession hObject\n\n"
+"C_DestroyObject destroys an object.\n"
+" hSession    the session's handle\n"
+" hObject     the object's handle\n",
+	{ArgULong, ArgULong, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetObjectSize", F_C_GetObjectSize,
+"C_GetObjectSize hSession hObject pulSize\n\n"
+"C_GetObjectSize gets the size of an object in bytes.\n"
+" hSession    the session's handle\n"
+" hObject     the object's handle\n"
+" pulSize     receives size of object\n",
+	{ArgULong, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetAttributeValue", F_C_GetAttributeValue,
+"C_GetAttributeValue hSession hObject pTemplate ulCount\n\n"
+"C_GetAttributeValue obtains the value of one or more object attributes.\n"
+" hSession     the session's handle\n"
+" hObject      the object's handle\n"
+" pTemplate    specifies attrs; gets vals\n"
+" ulCount      attributes in template\n",
+	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SetAttributeValue", F_C_SetAttributeValue,
+"C_SetAttributeValue hSession hObject pTemplate ulCount\n\n"
+"C_SetAttributeValue modifies the value of one or more object attributes\n"
+" hSession     the session's handle\n"
+" hObject      the object's handle\n"
+" pTemplate    specifies attrs and values\n"
+" ulCount      attributes in template\n",
+	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_FindObjectsInit", F_C_FindObjectsInit,
+"C_FindObjectsInit hSession pTemplate ulCount\n\n"
+"C_FindObjectsInit initializes a search for token and session objects that\n"
+"match a template.\n"
+" hSession     the session's handle\n"
+" pTemplate    attribute values to match\n"
+" ulCount      attrs in search template\n",
+	{ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_FindObjectsFinal", F_C_FindObjectsFinal,
+"C_FindObjectsFinal hSession\n\n"
+"C_FindObjectsFinal finishes a search for token and session objects.\n"
+" hSession   the session's handle\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_FindObjects", F_C_FindObjects,
+"C_FindObjects hSession phObject ulMaxObjectCount pulObjectCount\n\n"
+"C_FindObjects continues a search for token and session objects that match\n"
+"a template obtaining additional object handles.\n"
+" hSession            session's handle\n"
+" phObject            gets obj. handles\n"
+" ulMaxObjectCount    max handles to get\n"
+" pulObjectCount      actual # returned\n",
+	{ArgULong, ArgULong|ArgOut, ArgULong, ArgULong|ArgOut, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_EncryptInit", F_C_EncryptInit,
+"C_EncryptInit hSession pMechanism hKey\n\n"
+"C_EncryptInit initializes an encryption operation.\n"
+" hSession      the session's handle\n"
+" pMechanism    the encryption mechanism\n"
+" hKey          handle of encryption key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_EncryptUpdate", F_C_EncryptUpdate,
+"C_EncryptUpdate hSession pPart ulPartLen pEncryptedPart pulEncryptedPartLen\n"
+"\n"
+"C_EncryptUpdate continues a multiple-part encryption operation.\n"
+" hSession             session's handle\n"
+" pPart                the plaintext data\n"
+" ulPartLen            plaintext data len\n"
+" pEncryptedPart       gets ciphertext\n"
+" pulEncryptedPartLen  gets c-text size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_EncryptFinal", F_C_EncryptFinal,
+"C_EncryptFinal hSession pLastEncryptedPart pulLastEncryptedPartLen\n\n"
+"C_EncryptFinal finishes a multiple-part encryption operation.\n"
+" hSession                  session handle\n"
+" pLastEncryptedPart        last c-text\n"
+" pulLastEncryptedPartLen   gets last size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Encrypt", F_C_Encrypt,
+"C_Encrypt hSession pData ulDataLen pEncryptedData pulEncryptedDataLen\n\n"
+"C_Encrypt encrypts single-part data.\n"
+" hSession              session's handle\n"
+" pData                 the plaintext data\n"
+" ulDataLen             bytes of plaintext\n"
+" pEncryptedData        gets ciphertext\n"
+" pulEncryptedDataLen   gets c-text size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DecryptInit", F_C_DecryptInit,
+"C_DecryptInit hSession pMechanism hKey\n\n"
+"C_DecryptInit initializes a decryption operation.\n"
+" hSession      the session's handle\n"
+" pMechanism    the decryption mechanism\n"
+" hKey          handle of decryption key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DecryptUpdate", F_C_DecryptUpdate,
+"C_DecryptUpdate hSession pEncryptedPart ulEncryptedPartLen pPart pulPartLen\n"
+"\n"
+"C_DecryptUpdate continues a multiple-part decryption operation.\n"
+" hSession              session's handle\n"
+" pEncryptedPart        encrypted data\n"
+" ulEncryptedPartLen    input length\n"
+" pPart                 gets plaintext\n"
+" pulPartLen            p-text size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DecryptFinal", F_C_DecryptFinal,
+"C_DecryptFinal hSession pLastPart pulLastPartLen\n\n"
+"C_DecryptFinal finishes a multiple-part decryption operation.\n"
+" hSession         the session's handle\n"
+" pLastPart        gets plaintext\n"
+" pulLastPartLen   p-text size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Decrypt", F_C_Decrypt,
+"C_Decrypt hSession pEncryptedData ulEncryptedDataLen pData pulDataLen\n\n"
+"C_Decrypt decrypts encrypted data in a single part.\n"
+" hSession             session's handle\n"
+" pEncryptedData       ciphertext\n"
+" ulEncryptedDataLen   ciphertext length\n"
+" pData                gets plaintext\n"
+" pulDataLen           gets p-text size\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DigestInit", F_C_DigestInit,
+"C_DigestInit hSession pMechanism\n\n"
+"C_DigestInit initializes a message-digesting operation.\n"
+" hSession     the session's handle\n"
+" pMechanism   the digesting mechanism\n",
+	{ArgULong, ArgMechanism, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DigestUpdate", F_C_DigestUpdate,
+"C_DigestUpdate hSession pPart ulPartLen\n\n"
+"C_DigestUpdate continues a multiple-part message-digesting operation.\n"
+" hSession    the session's handle\n"
+" pPart       data to be digested\n"
+" ulPartLen   bytes of data to be digested\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DigestKey", F_C_DigestKey,
+"C_DigestKey hSession hKey\n\n"
+"C_DigestKey continues a multi-part message-digesting operation by digesting\n"
+"the value of a secret key as part of the data already digested.\n"
+" hSession    the session's handle\n"
+" hKey        secret key to digest\n",
+	{ArgULong, ArgULong, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DigestFinal", F_C_DigestFinal,
+"C_DigestFinal hSession pDigest pulDigestLen\n\n"
+"C_DigestFinal finishes a multiple-part message-digesting operation.\n"
+" hSession       the session's handle\n"
+" pDigest        gets the message digest\n"
+" pulDigestLen   gets byte count of digest\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Digest", F_C_Digest,
+"C_Digest hSession pData ulDataLen pDigest pulDigestLen\n\n"
+"C_Digest digests data in a single part.\n"
+" hSession       the session's handle\n"
+" pData          data to be digested\n"
+" ulDataLen      bytes of data to digest\n"
+" pDigest        gets the message digest\n"
+" pulDigestLen   gets digest length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignInit", F_C_SignInit,
+"C_SignInit hSession pMechanism hKey\n\n"
+"C_SignInit initializes a signature (private key encryption operation where\n"
+"the signature is (will be) an appendix to the data and plaintext cannot be\n"
+"recovered from the signature.\n"
+" hSession      the session's handle\n"
+" pMechanism    the signature mechanism\n"
+" hKey          handle of signature key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignUpdate", F_C_SignUpdate,
+"C_SignUpdate hSession pPart ulPartLen\n\n"
+"C_SignUpdate continues a multiple-part signature operation where the\n"
+"signature is (will be) an appendix to the data and plaintext cannot be\n"
+"recovered from the signature.\n"
+" hSession    the session's handle\n"
+" pPart       the data to sign\n"
+" ulPartLen   count of bytes to sign\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignFinal", F_C_SignFinal,
+"C_SignFinal hSession pSignature pulSignatureLen\n\n"
+"C_SignFinal finishes a multiple-part signature operation returning the\n"
+"signature.\n"
+" hSession          the session's handle\n"
+" pSignature        gets the signature\n"
+" pulSignatureLen   gets signature length\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignRecoverInit", F_C_SignRecoverInit,
+"C_SignRecoverInit hSession pMechanism hKey\n\n"
+"C_SignRecoverInit initializes a signature operation where the data can be\n"
+"recovered from the signature.\n"
+" hSession     the session's handle\n"
+" pMechanism   the signature mechanism\n"
+" hKey         handle of the signature key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignRecover", F_C_SignRecover,
+"C_SignRecover hSession pData ulDataLen pSignature pulSignatureLen\n\n"
+"C_SignRecover signs data in a single operation where the data can be\n"
+"recovered from the signature.\n"
+" hSession          the session's handle\n"
+" pData             the data to sign\n"
+" ulDataLen         count of bytes to sign\n"
+" pSignature        gets the signature\n"
+" pulSignatureLen   gets signature length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Sign", F_C_Sign,
+"C_Sign hSession pData ulDataLen pSignature pulSignatureLen\n\n"
+"C_Sign signs (encrypts with private key) data in a single part where the\n"
+"signature is (will be) an appendix to the data and plaintext cannot be\n"
+"recovered from the signature.\n"
+" hSession          the session's handle\n"
+" pData             the data to sign\n"
+" ulDataLen         count of bytes to sign\n"
+" pSignature        gets the signature\n"
+" pulSignatureLen   gets signature length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_VerifyInit", F_C_VerifyInit,
+"C_VerifyInit hSession pMechanism hKey\n\n"
+"C_VerifyInit initializes a verification operation where the signature is an\n"
+"appendix to the data and plaintext cannot cannot be recovered from the\n"
+"signature (e.g. DSA).\n"
+" hSession      the session's handle\n"
+" pMechanism    the verification mechanism\n"
+" hKey          verification key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_VerifyUpdate", F_C_VerifyUpdate,
+"C_VerifyUpdate hSession pPart ulPartLen\n\n"
+"C_VerifyUpdate continues a multiple-part verification operation where the\n"
+"signature is an appendix to the data and plaintext cannot be recovered from\n"
+"the signature.\n"
+" hSession    the session's handle\n"
+" pPart       signed data\n"
+" ulPartLen   length of signed data\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_VerifyFinal", F_C_VerifyFinal,
+"C_VerifyFinal hSession pSignature ulSignatureLen\n\n"
+"C_VerifyFinal finishes a multiple-part verification operation checking the\n"
+"signature.\n"
+" hSession         the session's handle\n"
+" pSignature       signature to verify\n"
+" ulSignatureLen   signature length\n",
+	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_VerifyRecoverInit", F_C_VerifyRecoverInit,
+"C_VerifyRecoverInit hSession pMechanism hKey\n\n"
+"C_VerifyRecoverInit initializes a signature verification operation where the\n"
+"data is recovered from the signature.\n"
+" hSession      the session's handle\n"
+" pMechanism    the verification mechanism\n"
+" hKey          verification key\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_VerifyRecover", F_C_VerifyRecover,
+"C_VerifyRecover hSession pSignature ulSignatureLen pData pulDataLen\n\n"
+"C_VerifyRecover verifies a signature in a single-part operation where the\n"
+"data is recovered from the signature.\n"
+" hSession          the session's handle\n"
+" pSignature        signature to verify\n"
+" ulSignatureLen    signature length\n"
+" pData             gets signed data\n"
+" pulDataLen        gets signed data len\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_Verify", F_C_Verify,
+"C_Verify hSession pData ulDataLen pSignature ulSignatureLen\n\n"
+"C_Verify verifies a signature in a single-part operation where the signature\n"
+"is an appendix to the data and plaintext cannot be recovered from the\n"
+"signature.\n"
+" hSession         the session's handle\n"
+" pData            signed data\n"
+" ulDataLen        length of signed data\n"
+" pSignature       signature\n"
+" ulSignatureLen   signature length*/\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DigestEncryptUpdate", F_C_DigestEncryptUpdate,
+"C_DigestEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n"
+"    pulEncryptedPartLen\n\n"
+"C_DigestEncryptUpdate continues a multiple-part digesting and encryption\n"
+"operation.\n"
+" hSession              session's handle\n"
+" pPart                 the plaintext data\n"
+" ulPartLen             plaintext length\n"
+" pEncryptedPart        gets ciphertext\n"
+" pulEncryptedPartLen   gets c-text length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DecryptDigestUpdate", F_C_DecryptDigestUpdate,
+"C_DecryptDigestUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n"
+"    pulPartLen\n\n"
+"C_DecryptDigestUpdate continues a multiple-part decryption and digesting\n"
+"operation.\n"
+" hSession              session's handle\n"
+" pEncryptedPart        ciphertext\n"
+" ulEncryptedPartLen    ciphertext length\n"
+" pPart                 gets plaintext\n"
+" pulPartLen            gets plaintext len\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SignEncryptUpdate", F_C_SignEncryptUpdate,
+"C_SignEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n"
+"    pulEncryptedPartLen\n\n"
+"C_SignEncryptUpdate continues a multiple-part signing and encryption\n"
+"operation.\n"
+" hSession              session's handle\n"
+" pPart                 the plaintext data\n"
+" ulPartLen             plaintext length\n"
+" pEncryptedPart        gets ciphertext\n"
+" pulEncryptedPartLen   gets c-text length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_DecryptVerifyUpdate", F_C_DecryptVerifyUpdate,
+"C_DecryptVerifyUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n"
+"    pulPartLen\n\n"
+"C_DecryptVerifyUpdate continues a multiple-part decryption and verify\n"
+"operation.\n"
+" hSession              session's handle\n"
+" pEncryptedPart        ciphertext\n"
+" ulEncryptedPartLen    ciphertext length\n"
+" pPart                 gets plaintext\n"
+" pulPartLen            gets p-text length\n",
+	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GenerateKeyPair", F_C_GenerateKeyPair,
+"C_GenerateKeyPair hSession pMechanism pPublicKeyTemplate \\\n"
+"    ulPublicKeyAttributeCount pPrivateKeyTemplate ulPrivateKeyAttributeCount \\\n"
+"    phPublicKey phPrivateKey\n\n"
+"C_GenerateKeyPair generates a public-key/private-key pair creating new key\n"
+"objects.\n"
+" hSession                      sessionhandle\n"
+" pMechanism                    key-genmech.\n"
+" pPublicKeyTemplate            templatefor pub. key\n"
+" ulPublicKeyAttributeCount     # pub. attrs.\n"
+" pPrivateKeyTemplate           templatefor priv. key\n"
+" ulPrivateKeyAttributeCount    # priv. attrs.\n"
+" phPublicKey                   gets pub. keyhandle\n"
+" phPrivateKey                  getspriv. keyhandle\n",
+	{ArgULong, ArgMechanism, ArgAttribute|ArgArray, ArgULong, 
+						ArgAttribute|ArgArray,
+	 ArgULong, ArgULong|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone }},
+    {"C_GenerateKey", F_C_GenerateKey,
+"C_GenerateKey hSession pMechanism pTemplate ulCount phKey\n\n"
+"C_GenerateKey generates a secret key creating a new key object.\n"
+" hSession      the session's handle\n"
+" pMechanism    key generation mech.\n"
+" pTemplate     template for new key\n"
+" ulCount       # of attrs in template\n"
+" phKey         gets handle of new key\n",
+	{ArgULong, ArgMechanism, ArgAttribute|ArgArray, ArgULong, 
+	 					ArgULong|ArgOut,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_WrapKey", F_C_WrapKey,
+"C_WrapKey hSession pMechanism hWrappingKey hKey pWrappedKey pulWrappedKeyLen\n\n"
+"C_WrapKey wraps (i.e. encrypts) a key.\n"
+" hSession          the session's handle\n"
+" pMechanism        the wrapping mechanism\n"
+" hWrappingKey      wrapping key\n"
+" hKey              key to be wrapped\n"
+" pWrappedKey       gets wrapped key\n"
+" pulWrappedKeyLen  gets wrapped key size\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgULong, ArgULong,
+	 ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone, ArgNone }},
+    {"C_UnwrapKey", F_C_UnwrapKey,
+"C_UnwrapKey hSession pMechanism hUnwrappingKey pWrappedKey ulWrappedKeyLen \\\n"
+"    pTemplate ulAttributeCount phKey\n\n"
+"C_UnwrapKey unwraps (decrypts) a wrapped key creating a new key object.\n"
+" hSession            session's handle\n"
+" pMechanism          unwrapping mech.\n"
+" hUnwrappingKey      unwrapping key\n"
+" pWrappedKey         the wrapped key\n"
+" ulWrappedKeyLen     wrapped key len\n"
+" pTemplate           new key template\n"
+" ulAttributeCount    template length\n"
+" phKey               gets new handle\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgChar, ArgULong,
+	 ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone }},
+    {"C_DeriveKey", F_C_DeriveKey,
+"C_DeriveKey hSession pMechanism hBaseKey pTemplate ulAttributeCount phKey\n\n"
+"C_DeriveKey derives a key from a base key creating a new key object.\n"
+" hSession            session's handle\n"
+" pMechanism          key deriv. mech.\n"
+" hBaseKey            base key\n"
+" pTemplate           new key template\n"
+" ulAttributeCount    template length\n"
+" phKey               gets new handle\n",
+	{ArgULong, ArgMechanism, ArgULong, ArgAttribute|ArgArray,  ArgULong,
+	 ArgULong|ArgOut, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_SeedRandom", F_C_SeedRandom,
+"C_SeedRandom hSession pSeed ulSeedLen\n\n"
+"C_SeedRandom mixes additional seed material into the token's random number\n"
+"generator.\n"
+" hSession    the session's handle\n"
+" pSeed       the seed material\n"
+" ulSeedLen   length of seed material\n",
+	{ArgULong, ArgChar, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GenerateRandom", F_C_GenerateRandom,
+"C_GenerateRandom hSession RandomData ulRandomLen\n\n"
+"C_GenerateRandom generates random data.\n"
+" hSession      the session's handle\n"
+" RandomData    receives the random data\n"
+" ulRandomLen   # of bytes to generate\n",
+	{ArgULong, ArgChar, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_GetFunctionStatus", F_C_GetFunctionStatus,
+"C_GetFunctionStatus hSession\n\n"
+"C_GetFunctionStatus is a legacy function; it obtains an updated status of\n"
+"a function running in parallel with an application.\n"
+" hSession   the session's handle\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_CancelFunction", F_C_CancelFunction,
+"C_CancelFunction hSession\n\n"
+"C_CancelFunction is a legacy function; it cancels a function running in\n"
+"parallel.\n"
+" hSession   the session's handle\n",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"C_WaitForSlotEvent", F_C_WaitForSlotEvent,
+"C_WaitForSlotEvent flags pSlot pRserved\n\n"
+"C_WaitForSlotEvent waits for a slot event (token insertion removal etc.)\n"
+"to occur.\n"
+" flags          blocking/nonblocking flag\n"
+" pSlot    location that receives the slot ID\n"
+" pRserved    reserved.  Should be NULL_PTR\n",
+	{ArgULong, ArgULong|ArgArray, ArgVar, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"NewArray", F_NewArray,
+"NewArray varName varType array size\n\n"
+"Creates a new array variable.\n"
+" varName     variable name of the new array\n"
+" varType     data type of the new array\n"
+" size        number of elements in the array\n",
+	{ArgVar|ArgNew, ArgVar, ArgULong, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"NewInitArg", F_NewInitializeArgs,
+"NewInitArg varName flags string\n\n"
+"Creates a new init variable.\n"
+" varName     variable name of the new initArg\n"
+" flags       value to set the flags field\n"
+" string      string parameter for init arg\n",
+	{ArgVar|ArgNew, ArgULong, ArgVar|ArgNew, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"NewTemplate", F_NewTemplate,
+"NewTemplate varName attributeList\n\n"
+"Create a new empty template and populate the attribute list\n"
+" varName        variable name of the new template\n"
+" attributeList  comma separated list of CKA_ATTRIBUTE types\n",
+	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"NewMechanism", F_NewMechanism,
+"NewMechanism varName mechanismType\n\n"
+"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
+" varName        variable name of the new mechansim\n"
+" mechanismType  CKM_ mechanism type value to set int the type field\n",
+	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"BuildTemplate", F_BuildTemplate,
+"BuildTemplate template\n\n"
+"Allocates space for the value in a template which has the sizes filled in,\n"
+"but no values allocated yet.\n"
+" template        variable name of the template\n",
+	{ArgAttribute, ArgNone, ArgNone, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"SetTemplate", F_SetTemplate,
+"SetTemplate template index value\n\n"
+"Sets a particular element of a template to a CK_ULONG\n"
+" template        variable name of the template\n"
+" index           index into the template to the element to change\n"
+" value           32 bit value to set in the template\n",
+	{ArgAttribute, ArgULong, ArgULong, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"SetString", F_SetStringVar,
+"SetString varName string\n\n"
+"Sets a particular variable to a string value\n"
+" variable        variable name of new string\n"
+" string	         String to set the variable to\n",
+	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Set", F_SetVar,
+"Set varName value\n\n"
+"Sets a particular variable to CK_ULONG\n"
+" variable        name of the new variable\n"
+" value           32 bit value to set variable to\n",
+	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Print", F_Print,
+"Print varName\n\n"
+"prints a variable\n"
+" variable        name of the variable to print\n",
+	{ArgVar, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Delete", F_Delete,
+"Delete varName\n\n"
+"delete a variable\n"
+" variable        name of the variable to delete\n",
+	{ArgVar|ArgNew, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Load", F_Load,
+"load libraryName\n\n"
+"load a pkcs #11 module\n"
+" libraryName        Name of a shared library\n",
+	{ArgVar, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Save", F_SaveVar,
+"Save filename variable\n\n"
+"Saves the binary value of 'variable' in file 'filename'\n"
+" fileName        target file to save the variable in\n"
+" variable        variable to save\n",
+	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Restore", F_RestoreVar,
+"Restore filename variable\n\n"
+"Restores a variable from a file\n"
+" fileName        target file to restore the variable from\n"
+" variable        variable to restore\n",
+	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Increment", F_Increment,
+"Increment variable value\n\n"
+"Increment a variable by value\n",
+	{ArgVar, ArgULong, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Decrement", F_Decrement,
+"Decrement variable value\n\n"
+"Decrement a variable by value\n",
+	{ArgVar, ArgULong, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"List", F_List,
+"List all the variables\n",
+	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Unload", F_Unload,
+"Unload the currrently loaded PKCS #11 library\n",
+	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Run", F_Run,
+"Run filename\n\n"
+"reads filename as script of commands to execute\n",
+	{ArgVar|ArgNew, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Time", F_Time,
+"Time pkcs11 command\n\n"
+"Execute a pkcs #11 command and time the results\n",
+	{ArgVar|ArgFull, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"System", F_System,
+	"Set System Flag",
+	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"LoopRun", F_Loop,
+"LoopRun filename var start end step\n\n"
+"Run in a loop. Loop exit if scrip does and explicit quit (Quit QuitIf etc.)",
+	{ArgVar|ArgNew, ArgVar|ArgNew, ArgULong, ArgULong, ArgULong,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Help", F_Help,
+"Help [command]\n\n"
+"print general help, or help for a specific command\n",
+	{ArgVar|ArgOpt, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"QuitIf", F_QuitIf,
+"QuitIf arg1 comparator arg2\n\n"
+"Exit from this program if Condition is valid, valid comparators:\n"
+"  < > <= >= = !=\n",
+	{ArgULong, ArgVar|ArgNew, ArgULong, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"QuitIfString", F_QuitIfString,
+"QuitIfString arg1 comparator arg2\n\n"
+"Exit from this program if Condition is valid, valid comparators:\n"
+"  = !=\n",
+	{ArgVar|ArgNew, ArgVar|ArgNew, ArgVar|ArgNew, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+    {"Quit", F_Quit,
+"Exit from this program",
+	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
+	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
+};
+
+const Commands  *commands= &_commands[0];
+const int commandCount = sizeof(_commands) / sizeof(_commands[0]);
+
+const Topics _topics[] = {
+   { "variables", 
+"Variables are random strings of characters. These should begin with alpha\n"
+" characters, and should not contain any spaces, nor should they match any\n"
+" built-in constants. There is some checking in the code for these things,\n"
+" but it's not 100% and using invalid variable names can cause problems.\n"
+" Variables are created by any 'OUT' parameter. If the variable does not\n"
+" exist, it will be created. For in parameters variables must already exist.\n"
+   },
+   { "constants",
+"pk11util recognizes *lots* of constants. All CKA_, CKF_, CKO_, CKU_, CKS_,\n"
+" CKC_, CKK_, CKH_, CKM_, CKT_ values from the PKCS #11 spec are recognized.\n"
+" Constants can be specified with their fully qualified CK?_ value, or the\n"
+" prefix can be dropped. Constants are matched case insensitve.\n" 
+   },
+   { "arrays",
+"Arrays are special variables which represent 'C' arrays. Each array \n"
+" variable can be referenced as a group (using just the name), or as \n"
+" individual elements (with the [int] operator). Example:\n"
+"      print myArray    # prints the full array.\n"
+"      print myArray[3] # prints the 3rd elemement of the array \n"
+   },
+   { "sizes",
+"Size operaters returns the size in bytes of a variable, or the number of\n"
+" elements in an array.\n"
+"    size(var) and sizeof(var) return the size of var in bytes.\n"
+"    sizea(var) and sizeofarray(var) return the number of elements in var.\n"
+"       If var is not an array, sizea(var) returns 1.\n"
+   },
+};
+
+const Topics *topics=&_topics[0];
+const int topicCount = sizeof(_topics)/sizeof(_topics[0]);
+
+
diff --git a/security/nss/cmd/pk11util/pk11util.c b/security/nss/cmd/pk11util/pk11util.c
new file mode 100644
index 000000000..4929ad1e3
--- /dev/null
+++ b/security/nss/cmd/pk11util/pk11util.c
@@ -0,0 +1,2186 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(WIN32)
+#undef __STDC__
+#include "fcntl.h"
+#include "io.h"
+#include <fcntl.h>
+#else
+#include <unistd.h>
+#include <sys/fcntl.h>
+#endif
+
+#include "secutil.h"
+
+
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "prinrval.h"
+#include "prenv.h"
+
+#include "pkcs11.h"
+
+#include "pk11util.h"
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+CK_ULONG systemFlags;
+#define FLAG_NEGATE 0x80000000
+#define FLAG_Verify 0x00000001
+#define FLAG_VerifyFile 0x00000002
+#define CKR_QUIT 0x80000000
+
+int ArgSize(ArgType type);
+const char *constLookup(const char *bp, CK_ULONG *value, ConstType *type);
+
+int
+isNum(char c)
+{
+    return (c >= '0' && c <= '9');
+}
+
+int
+isConst(const char *c)
+{
+    CK_ULONG value;
+    ConstType type;
+
+    constLookup(c, &value, &type);
+    return type != ConstNone;
+}
+
+/*
+ * see if the variable is really a 'size' function. This
+ * function may modify var if it is a size function.
+ */
+char *
+isSize(char *var, int *isArray)
+{
+    char *ptr = NULL;
+    char *end;
+    int array = 0;
+
+    if (PL_strncasecmp(var,"sizeof(",/*)*/ 7) == 0) {
+	ptr = var + 7;
+    } else if (PL_strncasecmp(var,"size(",/*)*/ 5) == 0) {
+	ptr = var + 5;
+    } else if (PL_strncasecmp(var,"sizeofarray(",/*)*/ 12) == 0) {
+	ptr = var + 12;
+	array = 1;
+    } else if (PL_strncasecmp(var,"sizea(",/*)*/ 6) == 0) {
+	ptr = var + 6;
+	array = 1;
+    } else {
+	return NULL;
+    }
+    end = strchr(ptr,/*(*/ ')') ;
+    if (end == NULL) {
+	return NULL;
+    }
+    if (isArray) *isArray = array;
+    *end = 0;
+    return ptr;
+}
+ 
+void
+printConst(CK_ULONG value, ConstType type, int newLine)
+{
+    int i;
+
+    for (i=0; i < constCount; i++) {
+	if (consts[i].type == type && consts[i].value == value) {
+	    printf("%s",consts[i].name);
+	    break;
+	}
+	if (type == ConstNone && consts[i].value == value) {
+	    printf("%s",consts[i].name);
+	    break;
+	}
+    }
+    if (i == constCount) {
+	if ((type == ConstAvailableSizes) || (type == ConstCurrentSize)) {
+	    printf("%lu",value);
+	} else {
+	    printf("Unknown %s (%lu:0x%lx)",constTypeString[type],value,value);
+	}
+    }
+    if (newLine) {
+	printf("\n");
+    }
+}
+
+ConstType
+getConstFromAttribute(CK_ATTRIBUTE_TYPE type)
+{
+    int i;
+
+    for (i=0; i < constCount; i++) {
+	if (consts[i].type == ConstAttribute && consts[i].value == type) {
+	    return consts[i].attrType;
+	}
+    }
+    return ConstNone;
+}
+
+void
+printChars(const char *name, CK_ULONG size)
+{
+    CK_ULONG i;
+    for (i=0; i < size; i++) {
+	if (name[i] == 0) {
+		break;
+	}
+	printf("%c",name[i]);
+    }
+    printf("\n");
+}
+
+#define DUMP_LEN 16
+void printDump(const unsigned char *buf, int size)
+{
+    int i,j;
+
+    for(i=0; i < size; i+= DUMP_LEN) {
+	printf(" ");
+	for (j=0; j< DUMP_LEN; j++) {
+	    if (i+j < size) {
+		printf("%02x ",buf[i+j]);
+	    } else {
+		printf("   ");
+	    }
+	} 
+	for (j=0; j< DUMP_LEN; j++) {
+	    if (i+j < size) {
+		if (buf[i+j] < ' ' || buf[i+j] >= 0x7f) {
+		    printf(".");
+		} else {
+		    printf("%c",buf[i+j]);
+		}
+	    } else {
+		printf(" ");
+	    }
+	} 
+	printf("\n");
+    }
+}
+
+/*
+ * free an argument structure
+ */
+void
+argFreeData(Value *arg)
+{
+    if (arg->data && ((arg->type & ArgStatic) == 0)) {
+	if ((arg->type & ArgMask) == ArgAttribute) {
+	    int i;
+	    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)arg->data;
+
+	    for (i=0; i < arg->arraySize; i++) {
+		free(template[i].pValue);
+	    }
+	}
+	if ((arg->type & ArgMask) == ArgInitializeArgs) {
+	    CK_C_INITIALIZE_ARGS *init = (CK_C_INITIALIZE_ARGS *)arg->data;
+            if (init->LibraryParameters) {
+		free(init->LibraryParameters);
+	    }
+	}
+	free(arg->data);
+    }
+    arg->type &= ~ArgStatic;
+    arg->data = NULL;
+}
+
+void
+argFree(Value *arg)
+{
+    if (arg == NULL) return;
+
+    arg->reference--;
+    if (arg->reference == 0) {
+	if (arg->type & ArgFile) {
+	    free(arg->filename);
+	}
+	argFreeData(arg);
+	free (arg);
+    }
+}
+
+/*
+ * free and argument list
+ */
+void
+parseFree(Value **ap)
+{
+    int i;
+    for (i=0 ; i < MAX_ARGS; i++) {
+	argFree(ap[i]);
+    }
+}
+
+/*
+ * getEnd: how for to the end of this argmument list?
+ */
+int
+getEnd(const char *bp)
+{
+    int count = 0;
+
+    while (*bp) {
+        if (*bp == ' ' || *bp == '\t' || *bp == '\n') return count;
+	count++;
+	bp++;
+    }
+    return (count);
+}
+
+
+/*
+ * strip: return the first none white space character
+ */
+const char *
+strip(const char *bp)
+{
+    while (*bp && (*bp == ' ' || *bp == '\t' || *bp == '\n')) bp++;
+    return bp;
+}
+
+/*
+ * read in the next argument into dp ... don't overflow
+ */
+const char *
+readChars(const char *bp, char *dp, int max )
+{
+    int count = 1;
+    while (*bp) {
+        if (*bp == ' ' || *bp == '\t' || *bp == '\n' ) {
+	    *dp = 0;
+	    return bp;
+	}
+	*dp++ = *bp++;
+	if (++count == max) break;
+    }
+    while (*bp && (*bp != ' ' && *bp != '\t' && *bp != '\n')) bp++;
+    *dp = 0;
+    return (bp);
+}
+
+Value * varLookup(const char *bp, char *vname, int max, int *error);
+
+CK_ULONG
+getValue(const char *v, int *error)
+{
+    Value * varVal = NULL;
+    CK_ULONG retVal = 0;
+    ConstType type;
+    char tvar[512];
+
+    *error = 0;
+
+    varVal = varLookup( v, tvar, sizeof(tvar), error);
+
+    if (varVal) {
+	if ((varVal->type & ArgMask) == ArgULong) {
+	    retVal = *(CK_ULONG *)varVal->data;
+	} else {
+	    fprintf(stderr,"%s: is not a ulong\n", v);
+	    *error = 1;
+	}
+	argFree(varVal);
+	return retVal;
+    }
+    constLookup(v, &retVal, &type);
+    return retVal;
+}
+
+Value *
+NewValue(ArgType type, CK_ULONG arraySize)
+{
+    Value *value;
+
+    value = (Value *)malloc(sizeof(Value));
+    if (!value) return NULL;
+    value->size = ArgSize(type)*arraySize;
+    value->type = type;
+    value->filename = NULL;
+    value->constType = ConstNone;
+    value->data = (void *)malloc(value->size);
+    if (!value->data) {
+	free(value);
+	return NULL;
+    }
+    value->reference = 1;
+    value->arraySize = (type == ArgChar) ? 1: arraySize;
+
+    memset(value->data, 0, value->size);
+    return value;
+}
+
+#define INVALID_INDEX 0xffffffff
+
+CK_ULONG
+handleArray(char *vname, int *error)
+{
+    char *bracket;
+    CK_ULONG index = INVALID_INDEX;
+
+    if ((bracket = strchr(vname,'[')) != 0) {
+	char *tmpv = bracket+1;
+	*bracket = 0;
+	bracket = strchr(tmpv,']');
+
+	if (bracket == 0) {
+	    fprintf(stderr,"%s: missing closing brace\n", vname);
+	    return INVALID_INDEX;
+	}
+	*bracket = 0;
+
+	index = getValue(tmpv, error);
+	if (*error == 1) {
+	    return INVALID_INDEX;
+	} else if (index == INVALID_INDEX) {
+	    fprintf(stderr, "%s: 0x%x is an invalid index\n",vname,index);
+	    *error = 1;
+	}
+    }
+    return index;
+}
+
+void *
+makeArrayTarget(const char *vname, const Value *value, CK_ULONG index)
+{
+    char * target;
+    CK_ULONG elementSize;
+
+    if (index >= (CK_ULONG)value->arraySize) {
+	fprintf(stderr, "%s[%d]: index larger than array size (%d)\n",
+		vname, index, value->arraySize);
+	return NULL;
+    }
+
+    target = (char *)value->data;
+    elementSize = value->size/value->arraySize;
+    target += index * elementSize;
+    return target;
+}
+
+/*
+ * look up a variable from the variable chain
+ */
+static Variable *varHead = NULL;
+Value *
+varLookup(const char *bp, char *vname, int max, int *error)
+{
+    Variable *current;
+    CK_ULONG index = INVALID_INDEX;
+    int isArray = 0;
+    char *ptr;
+    *error = 0;
+
+    if (bp != NULL) {
+	readChars(bp, vname, max);
+    } 
+
+    /* don't make numbers into variables */
+    if (isNum(vname[0])) {
+	return NULL;
+    }
+    /* nor consts */
+    if (isConst(vname)) {
+	return NULL;
+    }
+    /* handle sizeof() */
+    if ((ptr = isSize(vname, &isArray)) != NULL) {
+	CK_ULONG size;
+	Value  *targetValue = NULL;
+	Value  *sourceValue = varLookup(NULL, ptr, 0, error);
+	if (!sourceValue) {
+	   if (*error == 0) {
+		/* just didn't find it */
+		*error = 1;
+		fprintf(stderr,"Couldn't find variable %s to take size of\n",
+			ptr);
+		return NULL;
+	   }
+	}
+	size = isArray ? sourceValue->arraySize : sourceValue->size;
+	targetValue = NewValue(ArgULong,1);
+	memcpy(targetValue->data, &size, sizeof(size));
+
+	return targetValue;
+    }
+
+    /* modifies vname */
+    index = handleArray(vname, error);
+    if (*error == 1) {
+	return NULL;
+    }
+
+    for (current = varHead; current; current = current->next) {
+	if (PL_strcasecmp(current->vname, vname) == 0) {
+	    char *target;
+	    if (index == INVALID_INDEX) {
+		(current->value->reference)++;
+		return current->value;
+	    }
+	    target = makeArrayTarget(vname, current->value, index);
+	    if (target) {
+		Value *element = NewValue(current->value->type, 1);
+		if (!element) {
+		    fprintf(stderr, "MEMORY ERROR!\n");
+		    *error = 1;
+		}
+		argFreeData(element);
+		element->data = target;
+		element->type |= ArgStatic;
+		return element;
+	    }
+	    *error = 1;
+	    return NULL;
+	}
+    }
+    return NULL;
+}
+
+static CK_RV 
+list(void)
+{
+    Variable *current;
+
+    if (varHead) {
+    	printf(" %10s\t%16s\t%8s\tSize\tElements\n","Name","Type","Const");
+    } else {
+    	printf(" no variables set\n");
+    }
+
+    for (current = varHead; current; current = current->next) {
+    	printf(" %10s\t%16s\t%8s\t%d\t%d\n", current->vname,
+	    valueString[current->value->type&ArgMask],
+	    constTypeString[current->value->constType],
+	    current->value->size, current->value->arraySize);
+    }
+    return CKR_OK;
+}
+
+CK_RV
+printFlags(const char *s, CK_ULONG flags, ConstType type)
+{
+    CK_ULONG i;
+    int needComma = 0;
+
+    printf("%s",s);
+    for (i=1; i ; i=i << 1) {
+	if (flags & i) {
+	   printf("%s",needComma?",":"");
+	   printConst(i, type, 0);
+	   needComma=1;
+	}
+    }
+    if (!needComma) {
+	printf("Empty");
+    }
+    printf("\n");
+    return CKR_OK;
+}
+
+/*
+ * add a new variable to the chain
+ */
+const char *
+AddVariable(const char *bp, Value **ptr)
+{
+    char vname[512];
+    Variable *current;
+    int index = INVALID_INDEX;
+    int size;
+    int error = 0;
+
+    bp = readChars(bp,vname,sizeof(vname));
+
+    /* don't make numbers into variables */
+    if (isNum(vname[0])) {
+	return bp;
+    }
+    /* or consts */
+    if (isConst(vname)) {
+	return bp;
+    }
+    /* or NULLs */
+    if (vname[0] == 0) {
+	return bp;
+    }
+    /* or sizeof */
+    if (isSize(vname, NULL)) {
+	return bp;
+    }
+    /* arrays values should be written back to the original */
+    index = handleArray(vname, &error);
+    if (error == 1) {
+	return bp;
+    }
+
+
+    for (current = varHead; current; current = current->next) {
+	if (PL_strcasecmp(current->vname,vname) == 0) {
+	    char *target;
+	    /* found a complete object, return the found one */
+	    if (index == INVALID_INDEX) {
+		argFree(*ptr);
+		*ptr = current->value;
+		return bp;
+	    }
+	    /* found an array, update the array element */
+	    target = makeArrayTarget(vname, current->value, index);
+	    if (target) {
+		memcpy(target, (*ptr)->data, (*ptr)->size);
+		argFreeData(*ptr);
+		(*ptr)->data = target;
+		(*ptr)->type |= ArgStatic;
+	    }
+	    return bp;
+	}
+    }
+
+    /* we are looking for an array and didn't find one */
+    if (index != INVALID_INDEX) {
+	return bp;
+    }
+
+
+    current = (Variable *)malloc(sizeof(Variable));
+    size = strlen(vname);
+    current->vname = (char *)malloc(size+1);
+    strcpy(current->vname,vname);
+    current->value = *ptr;
+    (*ptr)->reference++;
+
+    current->next = varHead;
+    varHead = current;
+    return bp;
+}
+
+ArgType
+FindTypeByName(const char *typeName)
+{
+    int i;
+
+    for (i=0; i < valueCount; i++) {
+	if (PL_strcasecmp(typeName,valueString[i]) == 0) {
+	    return (ArgType) i;
+	}
+	if (valueString[i][0] == 'C' && valueString[i][1] == 'K' &&
+	   valueString[i][2] == '_' && 
+			(PL_strcasecmp(typeName,&valueString[i][3]) == 0)) {
+	    return (ArgType) i;
+	}
+    }
+    return ArgNone;
+}
+
+CK_RV 
+ArrayVariable(const char *bp, const char *typeName, CK_ULONG count)
+{
+    ArgType type;
+    Value *value; /* new Value */
+
+    type = FindTypeByName(typeName);
+    if (type == ArgNone) {
+	fprintf(stderr,"Invalid type (%s)\n", typeName);
+	return CKR_FUNCTION_FAILED;
+    }
+    value = NewValue(type, count);
+    (void) AddVariable(bp, &value);
+    return CKR_OK;
+}
+
+#define MAX_TEMPLATE 25
+
+CK_RV 
+ArrayTemplate(const char *bp, char *attributes)
+{
+    char aname[512];
+    CK_ULONG attributeTypes[MAX_TEMPLATE];
+    CK_ATTRIBUTE *template;
+    Value *value; /* new Value */
+    char *ap;
+    int i, count = 0;
+
+    memcpy(aname,attributes,strlen(attributes)+1);
+
+    for (ap = aname, count = 0; ap && *ap && count < MAX_TEMPLATE; count++) {
+	char *cur = ap;
+	ConstType type;
+
+	ap = strchr(ap,',');
+	if (ap) {
+	    *ap++ = 0;
+	}
+
+	(void)constLookup(cur, &attributeTypes[count], &type);
+	if ((type != ConstAttribute) && (type != ConstNone)) {
+	   fprintf(stderr, "Unknown Attribute %s\n", cur);
+	   return CKR_FUNCTION_FAILED;
+	}
+    }
+
+    value = NewValue(ArgAttribute, count);
+
+    template = (CK_ATTRIBUTE *)value->data;
+    for (i=0; i < count ; i++) {
+	template[i].type = attributeTypes[i];
+    }
+    (void) AddVariable(bp, &value);
+    return CKR_OK;
+}
+
+CK_RV
+BuildTemplate(Value *vp)
+{
+    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)vp->data;
+    int i;
+
+    for (i=0; i < vp->arraySize; i++) {
+	if (((signed long)template[i].ulValueLen) > 0) {
+	    if (template[i].pValue) free(template[i].pValue);
+	    template[i].pValue = malloc(template[i].ulValueLen);
+	}
+    }
+    return CKR_OK;
+}
+
+CK_RV
+SetTemplate(Value *vp, CK_ULONG index, CK_ULONG value)
+{
+    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)vp->data;
+    int isbool = 0;
+    CK_ULONG len;
+    ConstType attrType;
+
+    if (index >= (CK_ULONG) vp->arraySize) {
+	fprintf(stderr,"index (%lu) greater than array (%d)\n", 
+						index, vp->arraySize);
+	return CKR_ARGUMENTS_BAD;
+    }
+    attrType =  getConstFromAttribute(template[index].type);
+
+    if (attrType == ConstNone) {
+	fprintf(stderr,"can't set index (%lu) because ", index);
+	printConst(template[index].type,ConstAttribute, 0);
+	fprintf(stderr, " is not a CK_BBOOL or CK_ULONG\n");
+	return CKR_ARGUMENTS_BAD;
+    }
+    isbool = (attrType == ConstBool);
+    len = isbool ? sizeof (CK_BBOOL) : sizeof(CK_ULONG);
+    if ((template[index].ulValueLen != len) || (template[index].pValue)) {
+	free(template[index].pValue);
+	template[index].pValue = malloc(len);
+	template[index].ulValueLen = len;
+    }
+    if (isbool) {
+	*(CK_BBOOL *)template[index].pValue = (CK_BBOOL) value;
+    } else {
+	*(CK_ULONG *)template[index].pValue = (CK_ULONG) value;
+    }
+    return CKR_OK;
+
+}
+
+CK_RV
+NewMechanism(const char *bp, CK_ULONG mechType)
+{
+    Value *value; /* new Value */
+    CK_MECHANISM *mechanism;
+
+    value = NewValue(ArgMechanism, 1);
+    mechanism = (CK_MECHANISM *)value->data;
+    mechanism->mechanism = mechType;
+    mechanism->pParameter = NULL;
+    mechanism->ulParameterLen = 0;
+    (void) AddVariable(bp, &value);
+    return CKR_OK;
+}
+
+CK_RV
+NewInitializeArgs(const char *bp, CK_ULONG flags, const char *param)
+{
+    Value *value; /* new Value */
+    CK_C_INITIALIZE_ARGS *init;
+
+    value = NewValue(ArgInitializeArgs, 1);
+    init = (CK_C_INITIALIZE_ARGS *)value->data;
+    init->flags = flags;
+    if (strcmp(param, "null") != 0) {
+        init->LibraryParameters = (CK_CHAR_PTR *)strdup(param);
+    }
+    (void) AddVariable(bp, &value);
+    return CKR_OK;
+}
+
+/*
+ * add a new variable to the chain
+ */
+CK_RV
+DeleteVariable(const char *bp)
+{
+    char vname[512];
+    Variable **current;
+
+    bp = readChars(bp,vname,sizeof(vname));
+
+    for (current = &varHead; *current; current = &(*current)->next) {
+	if (PL_strcasecmp((*current)->vname,vname) == 0) {
+	        argFree((*current)->value);
+		*current = (*current)->next;
+		break;
+	}
+    }
+    return CKR_OK;
+}
+
+/*
+ * convert an octal value to integer
+ */   
+CK_ULONG
+otoi(const char *o)
+{
+    CK_ULONG value = 0;
+
+    while (*o) {
+	if ((*o >= '0') && (*o <= '7')) {
+	    value = (value << 3) | (unsigned)(*o - '0');
+	} else {
+	    break;
+	}
+    }
+    return value;
+}
+
+/*
+ * convert a hex value to integer
+ */   
+CK_ULONG
+htoi(const char *x)
+{
+    CK_ULONG value = 0;
+
+    while (*x) {
+	if ((*x >= '0') && (*x <= '9')) {
+	    value = (value << 4) | (unsigned)(*x - '0');
+	} else if ((*x >= 'a') && (*x <= 'f')) {
+	    value = (value << 4) | (unsigned)(*x - 'a');
+	} else if ((*x >= 'A') && (*x <= 'F')) {
+	    value = (value << 4) | (unsigned)(*x - 'A');
+	} else {
+	    break;
+	}
+    }
+    return value;
+}
+
+
+/*
+ * look up or decode a constant value
+ */
+const char *
+constLookup(const char *bp, CK_ULONG *value, ConstType *type)
+{
+    char vname[512];
+    int i;
+
+    bp = readChars(bp,vname,sizeof(vname));
+
+    for (i=0; i < constCount; i++) {
+	if ((PL_strcasecmp(consts[i].name,vname) == 0) ||
+		PL_strcasecmp(consts[i].name+5,vname) == 0) {
+	    *value = consts[i].value;
+	    *type = consts[i].type;
+	    return bp;
+	}
+    }
+
+    *type = ConstNone;
+    if (vname[0] == '0' && vname[1] == 'X') {
+	*value = htoi(&vname[2]);
+    } else if (vname[0] == '0') {
+	*value = otoi(&vname[1]);
+    } else {
+    	*value = atoi(vname);
+    }
+    return bp;
+}
+
+int
+ArgSize(ArgType type)
+{
+	int size=0;
+	type &= ArgMask;
+
+	switch (type) {
+    	case ArgNone:
+	    size = 0;
+	    break;
+    	case ArgULong:
+	    size = sizeof(CK_ULONG);
+	    break;
+    	case ArgVar:
+	    size = 1; /* get's changed later */
+	    break;
+    	case ArgChar:
+    	case ArgUTF8:
+	    size = 1;
+	    break;
+    	case ArgInfo:
+	    size = sizeof(CK_INFO);
+	    break;
+    	case ArgSlotInfo:
+	    size = sizeof(CK_SLOT_INFO);
+	    break;
+    	case ArgTokenInfo:
+	    size = sizeof(CK_TOKEN_INFO);
+	    break;
+    	case ArgSessionInfo:
+	    size = sizeof(CK_SESSION_INFO);
+	    break;
+    	case ArgAttribute:
+	    size = sizeof(CK_ATTRIBUTE);
+	    break;
+    	case ArgMechanism:
+	    size = sizeof(CK_MECHANISM);
+	    break;
+    	case ArgMechanismInfo:
+	    size = sizeof(CK_MECHANISM_INFO);
+	    break;
+	case ArgInitializeArgs:
+	    size = sizeof(CK_C_INITIALIZE_ARGS);
+	    break;
+	case ArgFunctionList:
+	    size = sizeof(CK_FUNCTION_LIST);
+	    break;
+	default:
+	    break;
+	}
+
+	return (size);
+}
+
+CK_RV
+restore(const char *filename,Value *ptr)
+{
+    int fd,size;
+
+    fd = open(filename,O_RDONLY|O_BINARY);
+    if (fd < 0) {
+	perror(filename);
+	return CKR_FUNCTION_FAILED;
+    }
+
+    size = read(fd,ptr->data,ptr->size);
+    if (systemFlags & FLAG_VerifyFile) {
+	printDump(ptr->data,ptr->size);
+    }
+    if (size < 0) {
+	perror(filename);
+	return CKR_FUNCTION_FAILED;
+    } else if (size != ptr->size) {
+	fprintf(stderr,"%s: only read %d bytes, needed to read %d bytes\n",
+			filename,size,ptr->size);
+	return CKR_FUNCTION_FAILED;
+    }
+    close(fd);
+    return CKR_OK;
+}
+
+CK_RV
+save(const char *filename,Value *ptr)
+{
+    int fd,size;
+
+    fd = open(filename,O_WRONLY|O_BINARY|O_CREAT,0666);
+    if (fd < 0) {
+	perror(filename);
+	return CKR_FUNCTION_FAILED;
+    }
+
+    size = write(fd,ptr->data,ptr->size);
+    if (size < 0) {
+	perror(filename);
+	return CKR_FUNCTION_FAILED;
+    } else if (size != ptr->size) {
+	fprintf(stderr,"%s: only wrote %d bytes, need to write %d bytes\n",
+			filename,size,ptr->size);
+	return CKR_FUNCTION_FAILED;
+    }
+    close(fd);
+    return CKR_OK;
+}
+
+static CK_RV
+increment(Value *ptr, CK_ULONG value)
+{
+    if ((ptr->type & ArgMask) != ArgULong) {
+	return CKR_ARGUMENTS_BAD;
+    }
+    *(CK_ULONG *)ptr->data += value;
+    return CKR_OK;
+}
+
+static CK_RV
+decrement(Value *ptr, CK_ULONG value)
+{
+    if ((ptr->type & ArgMask) != ArgULong) {
+	return CKR_ARGUMENTS_BAD;
+    }
+    *(CK_ULONG *)ptr->data -= value;
+    return CKR_OK;
+}
+
+CK_RV
+printArg(Value *ptr,int arg_number)
+{
+    ArgType type = ptr->type & ArgMask;
+    CK_INFO *info;
+    CK_SLOT_INFO    *slotInfo;
+    CK_TOKEN_INFO   *tokenInfo;
+    CK_SESSION_INFO *sessionInfo;
+    CK_ATTRIBUTE    *attribute;
+    CK_MECHANISM    *mechanism;
+    CK_MECHANISM_INFO    *mechanismInfo;
+    CK_C_INITIALIZE_ARGS *initArgs;
+    CK_FUNCTION_LIST *functionList;
+    CK_RV ckrv = CKR_OK;
+    ConstType constType;
+
+    if (arg_number) {
+	printf("Arg %d: \n",arg_number);
+    }
+    if (ptr->arraySize > 1) {
+	Value element;
+	int i;
+	int elementSize = ptr->size/ptr->arraySize;
+	char *dp = (char *)ptr->data;
+
+	/* build a temporary Value to hold a single element */
+	element.type = type;
+	element.constType = ptr->constType;
+	element.size = elementSize;
+	element.filename = ptr->filename;
+	element.reference = 1;
+	element.arraySize = 1;
+	for (i=0; i < ptr->arraySize; i++) {
+	    printf(" -----[ %d ] -----\n", i);
+	    element.data = (void *) &dp[i*elementSize];
+	    (void) printArg(&element, 0);
+	}
+	return ckrv;
+    }
+    if (ptr->data == NULL) {
+	printf(" NULL ptr to a %s\n", valueString[type]);
+	return ckrv;
+    }
+    switch (type) {
+    case ArgNone:
+	printf(" None\n");
+	break;
+    case ArgULong:
+	printf(" %lu (0x%lx)\n", *((CK_ULONG *)ptr->data),
+			*((CK_ULONG *)ptr->data));
+	if (ptr->constType != ConstNone) {
+	    printf(" ");
+	    printConst(*(CK_ULONG *)ptr->data,ptr->constType,1);
+	}
+	break;
+    case ArgVar:
+	printf(" %s\n",(char *)ptr->data);
+	break;
+    case ArgUTF8:
+	printf(" %s\n",(char *)ptr->data);
+	break;
+    case ArgChar:
+	printDump(ptr->data,ptr->size);
+	break;
+    case ArgInfo:
+#define VERSION(x) (x).major, (x).minor
+	info = (CK_INFO *)ptr->data;
+	printf(" Cryptoki Version: %d.%02d\n",
+		VERSION(info->cryptokiVersion));
+	printf(" Manufacturer ID: ");
+	printChars(info->manufacturerID,sizeof(info->manufacturerID));
+	printFlags(" Flags: ", info->flags, ConstInfoFlags);
+	printf(" Library Description: ");
+	printChars(info->libraryDescription,sizeof(info->libraryDescription));
+	printf(" Library Version: %d.%02d\n",
+		VERSION(info->libraryVersion));
+	break;
+    case ArgSlotInfo:
+	slotInfo = (CK_SLOT_INFO *)ptr->data;
+	printf(" Slot Description: ");
+	printChars(slotInfo->slotDescription,sizeof(slotInfo->slotDescription));
+	printf(" Manufacturer ID: ");
+	printChars(slotInfo->manufacturerID,sizeof(slotInfo->manufacturerID));
+	printFlags(" Flags: ", slotInfo->flags, ConstSlotFlags);
+	printf(" Hardware Version: %d.%02d\n",
+		VERSION(slotInfo->hardwareVersion));
+	printf(" Firmware Version: %d.%02d\n",
+		VERSION(slotInfo->firmwareVersion));
+	break;
+    case ArgTokenInfo:
+	tokenInfo = (CK_TOKEN_INFO *)ptr->data;
+	printf(" Label: ");
+	printChars(tokenInfo->label,sizeof(tokenInfo->label));
+	printf(" Manufacturer ID: ");
+	printChars(tokenInfo->manufacturerID,sizeof(tokenInfo->manufacturerID));
+	printf(" Model: ");
+	printChars(tokenInfo->model,sizeof(tokenInfo->model));
+	printf(" Serial Number: ");
+	printChars(tokenInfo->serialNumber,sizeof(tokenInfo->serialNumber));
+	printFlags(" Flags: ", tokenInfo->flags, ConstTokenFlags);
+	printf(" Max Session Count: ");
+	printConst(tokenInfo->ulMaxSessionCount, ConstAvailableSizes, 1);
+	printf(" Session Count: ");
+	printConst(tokenInfo->ulSessionCount, ConstCurrentSize, 1);
+	printf(" RW Session Count: ");
+	printConst(tokenInfo->ulMaxRwSessionCount, ConstAvailableSizes, 1);
+	printf(" Max Pin Length : ");
+	printConst(tokenInfo->ulMaxPinLen, ConstCurrentSize, 1);
+	printf(" Min Pin Length : ");
+	printConst(tokenInfo->ulMinPinLen, ConstCurrentSize, 1);
+	printf(" Total Public Memory: ");
+	printConst(tokenInfo->ulTotalPublicMemory, ConstAvailableSizes, 1);
+	printf(" Free Public Memory: ");
+	printConst(tokenInfo->ulFreePublicMemory, ConstCurrentSize, 1);
+	printf(" Total Private Memory: ");
+	printConst(tokenInfo->ulTotalPrivateMemory, ConstAvailableSizes, 1);
+	printf(" Free Private Memory: ");
+	printConst(tokenInfo->ulFreePrivateMemory, ConstCurrentSize, 1);
+	printf(" Hardware Version: %d.%02d\n",
+		VERSION(tokenInfo->hardwareVersion));
+	printf(" Firmware Version: %d.%02d\n",
+		VERSION(tokenInfo->firmwareVersion));
+	printf(" UTC Time: ");
+	printChars(tokenInfo->utcTime,sizeof(tokenInfo->utcTime));
+	break;
+    case ArgSessionInfo:
+	sessionInfo = (CK_SESSION_INFO *)ptr->data;
+	printf(" SlotID: 0x%08lx\n", sessionInfo->slotID);
+	printf(" State: ");
+	printConst(sessionInfo->state, ConstSessionState, 1);
+	printFlags(" Flags: ", sessionInfo->flags, ConstSessionFlags);
+	printf(" Device error: %lu 0x%08lx\n",sessionInfo->ulDeviceError,
+			sessionInfo->ulDeviceError);
+	break;
+    case ArgAttribute:
+	attribute = (CK_ATTRIBUTE *)ptr->data;
+	printf(" Attribute Type: ");
+	printConst(attribute->type, ConstAttribute, 1);
+	printf(" Attribute Data: ");
+	if (attribute->pValue == NULL) {
+	    printf("NULL\n");
+	    printf("Attribute Len: %lu\n",attribute->ulValueLen);
+	} else {
+	    constType = getConstFromAttribute(attribute->type);
+	    if (constType != ConstNone) {
+		CK_ULONG value = (constType == ConstBool) ?
+		    *(CK_BBOOL *)attribute->pValue :
+		    *(CK_ULONG *)attribute->pValue;
+		printConst(value, constType, 1);
+	    } else {
+		printf("\n");
+		printDump(attribute->pValue, attribute->ulValueLen);
+	    }
+	}
+	break;
+    case ArgMechanism:
+	mechanism = (CK_MECHANISM *)ptr->data;
+	printf(" Mechanism Type: ");
+	printConst(mechanism->mechanism, ConstMechanism, 1);
+	printf(" Mechanism Data:\n");
+	printDump(mechanism->pParameter, mechanism->ulParameterLen);
+	break;
+    case ArgMechanismInfo:
+	mechanismInfo = (CK_MECHANISM_INFO *)ptr->data;
+	printf(" Minimum Key Size: %ld\n",mechanismInfo->ulMinKeySize);
+	printf(" Maximum Key Size: %ld\n",mechanismInfo->ulMaxKeySize);
+	printFlags(" Flags: ", mechanismInfo->flags, ConstMechanismFlags);
+	break;
+    case ArgInitializeArgs:
+	initArgs = (CK_C_INITIALIZE_ARGS *)ptr->data;
+	printFlags(" Flags: ", initArgs->flags, ConstInitializeFlags);
+        if (initArgs->LibraryParameters) {
+	    printf("Params: %s\n",initArgs->LibraryParameters);
+	}
+    case ArgFunctionList:
+	functionList = (CK_FUNCTION_LIST *)ptr->data;
+	printf(" Version: %d.%02d\n", VERSION(functionList->version));
+#ifdef notdef
+#undef CK_NEED_ARG_LIST
+#define CK_PKCS11_FUNCTION_INFO(func) \
+	printf(" %s: 0x%08lx\n", #func, (unsigned long) functionList->func );
+#include "pkcs11f.h"
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+#endif
+    default:
+	ckrv = CKR_ARGUMENTS_BAD;
+	break;
+    }
+
+    return ckrv;
+}
+
+
+/*
+ * Feeling ambitious? turn this whole thing into lexx yacc parser
+ * with full expressions.
+ */
+Value **
+parseArgs(int index, const char * bp)
+{
+    const Commands *cp = &commands[index];
+    int size = strlen(cp->fname);
+    int i;
+    CK_ULONG value;
+    char vname[512];
+    Value **argList,*possible;
+    ConstType constType;
+
+    /*
+     * skip pass the command
+     */
+    if ((cp->fname[0] == 'C') && (cp->fname[1] == '_') && (bp[1] != '_')) {
+	size -= 2;
+    }
+    bp += size;
+
+    /*
+     * Initialize our argument list
+     */
+    argList = (Value **)malloc(sizeof(Value*)*MAX_ARGS);
+    for (i=0; i < MAX_ARGS; i++) { argList[i] = NULL; }
+
+    /*
+     * Walk the argument list parsing it...
+     */
+    for (i=0 ;i < MAX_ARGS; i++) {
+	ArgType type = cp->args[i] & ArgMask;
+	int error;
+
+        /* strip blanks */
+        bp = strip(bp);
+
+	/* if we hit ArgNone, we've nabbed all the arguments we need */
+	if (type == ArgNone) {
+	    break;
+	}
+
+	/* if we run out of space in the line, we weren't given enough
+	 * arguments... */
+	if (*bp == '\0') {
+	    /* we're into optional arguments, ok to quit now */
+	    if (cp->args[i] & ArgOpt) {
+		break;
+	    }
+	    fprintf(stderr,"%s: only %d args found,\n",cp->fname,i);
+	    parseFree(argList);
+	    return NULL;
+	}
+
+	/* collect all the rest of the command line and send
+	 * it as a single argument */
+	if (cp->args[i] & ArgFull) {
+	    int size = strlen(bp)+1;
+	    argList[i] = NewValue(type, size);
+	    memcpy(argList[i]->data, bp, size);
+	    break;
+	}
+
+	/*
+	 * look up the argument in our variable list first... only 
+	 * exception is the new argument type for set...
+	 */
+	error = 0;
+	if ((cp->args[i] != (ArgVar|ArgNew)) && 
+			(possible = varLookup(bp,vname,sizeof(vname),&error))) {
+	   /* ints are only compatible with other ints... all other types
+	    * are interchangeable... */
+	   if (type != ArgVar) { /* ArgVar's match anyone */
+		if ((type == ArgULong) ^ 
+				((possible->type & ArgMask) == ArgULong)) {
+		    fprintf(stderr,"%s: Arg %d incompatible type with <%s>\n",
+				cp->fname,i+1,vname);
+		    argFree(possible);
+		    parseFree(argList);
+		    return NULL;
+		}
+		/*
+		 * ... that is as long as they are big enough...
+		 */
+		if (ArgSize(type) > possible->size) {
+		    fprintf(stderr,
+	        "%s: Arg %d %s is too small (%d bytes needs to be %d bytes)\n",
+	    		cp->fname,i+1,vname,possible->size,ArgSize(type));
+		    argFree(possible);
+		    parseFree(argList);
+		    return NULL;
+		}
+	   }
+	
+	   /* everything looks kosher here, use it */	
+	   argList[i] = possible;
+
+	   bp = readChars(bp,vname,sizeof(vname));
+	   if (cp->args[i] & ArgOut) {
+		possible->type |= ArgOut;
+	   }
+	   continue;
+	}
+
+	if (error == 1) {
+	    parseFree(argList);
+	    return NULL;
+	}
+
+	/* create space for our argument */
+	argList[i] = NewValue(type, 1);
+
+        if ((PL_strncasecmp(bp, "null", 4) == 0)  && ((bp[4] == 0) 
+		|| (bp[4] == ' ') || (bp[4] =='\t') || (bp[4] =='\n'))) {
+	    if (cp->args[i] == ArgULong) {
+		fprintf(stderr, "%s: Arg %d CK_ULONG can't be NULL\n",
+	    							cp->fname,i+1);
+		parseFree(argList);
+		return NULL;
+	    }
+	    argFreeData(argList[i]);
+	    argList[i]->data = NULL;
+	    argList[i]->size = 0;
+	    bp += 4;
+	    if (*bp) bp++;
+	    continue;
+        }
+
+	/* if we're an output variable, we need to add it */
+	if (cp->args[i] & ArgOut) {
+            if (PL_strncasecmp(bp,"file(",5) == 0 /* ) */ ) {
+	        char filename[512];
+		bp = readChars(bp+5,filename,sizeof(filename));
+		size = PL_strlen(filename);
+	    	if ((size > 0) && (/* ( */filename[size-1] == ')')) {
+		    filename[size-1] = 0; 
+		}
+		filename[size] = 0; 
+		argList[i]->filename = (char *)malloc(size+1);
+
+		PL_strcpy(argList[i]->filename,filename);
+
+	    	argList[i]->type |= ArgOut|ArgFile;
+		break;
+	    }
+	    bp = AddVariable(bp,&argList[i]);
+	    argList[i]->type |= ArgOut;
+	    continue;
+	} 
+
+        if (PL_strncasecmp(bp, "file(", 5) == 0 /* ) */ ) {
+	    char filename[512];
+
+	    bp = readChars(bp+5,filename,sizeof(filename));
+	    size = PL_strlen(filename);
+	    if ((size > 0) && ( /* ( */ filename[size-1] == ')')) {
+		filename[size-1] = 0; 
+	    }
+
+	    if (restore(filename,argList[i]) != CKR_OK) {
+		parseFree(argList);
+		return NULL;
+	    }
+	    continue;
+	}
+
+	switch (type) {
+    	case ArgULong:
+	     bp = constLookup(bp, &value, &constType);
+	     *(int *)argList[i]->data = value;
+	     argList[i]->constType = constType;
+	     break;
+    	case ArgVar:
+	     argFreeData(argList[i]);
+	     size = getEnd(bp)+1;
+	     argList[i]->data = (void *)malloc(size);
+	     argList[i]->size = size;
+	     /* fall through */
+    	case ArgInfo:
+    	case ArgSlotInfo:
+    	case ArgTokenInfo:
+    	case ArgSessionInfo:
+    	case ArgAttribute:
+    	case ArgMechanism:
+    	case ArgMechanismInfo:
+    	case ArgInitializeArgs:
+	case ArgUTF8:
+	case ArgChar:
+	     bp = readChars(bp,(char *)argList[i]->data,argList[i]->size);
+    	case ArgNone:
+	default:
+	     break;
+	}
+    }
+
+    return argList;
+}
+
+/* lookup the command in the array */
+int
+lookup(const char *buf)
+{
+    int size,i;
+    int buflen;
+
+    buflen = PL_strlen(buf);
+
+    for ( i = 0; i < commandCount; i++) {
+	size = PL_strlen(commands[i].fname);
+
+	if (size <= buflen) {
+	    if (PL_strncasecmp(buf,commands[i].fname,size) == 0) {
+		return i;
+	    }
+	}
+	if (size-2 <= buflen) {
+	    if (commands[i].fname[0] == 'C' && commands[i].fname[1] == '_' &&
+		(PL_strncasecmp(buf,&commands[i].fname[2],size-2) == 0)) {
+		return i;
+	    }
+	}
+    }
+    fprintf(stderr,"Can't find command %s\n",buf);
+    return -1;
+}
+
+void
+putOutput(Value **ptr)
+{
+    int i;
+
+    for (i=0; i < MAX_ARGS; i++) {
+	ArgType type;
+
+	if (ptr[i] == NULL) break;
+
+	type  = ptr[i]->type;
+
+	ptr[i]->type &= ~ArgOut;
+	if (type == ArgNone) {
+	    break;
+	}
+	if (type & ArgOut) {
+	    (void) printArg(ptr[i],i+1);
+	}
+	if (type & ArgFile) {
+	    save(ptr[i]->filename,ptr[i]);
+	    free(ptr[i]->filename);
+	    ptr[i]->filename= NULL; /* paranoia */
+	}
+    }
+}
+	   
+CK_RV
+unloadModule(Module *module)
+{
+    char *disableUnload = NULL;
+
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+
+    if (module->library && !disableUnload) {
+	PR_UnloadLibrary(module->library);
+    }
+
+    module->library = NULL;
+    module->functionList = NULL;
+
+    return CKR_OK;
+}
+
+CK_RV
+loadModule(Module *module, char *library)
+{
+   PRLibrary *newLibrary;
+   CK_C_GetFunctionList getFunctionList;
+   CK_FUNCTION_LIST *functionList;
+   CK_RV ckrv;
+
+   newLibrary = PR_LoadLibrary(library);
+   if (!newLibrary) {
+	fprintf(stderr,"Couldn't load library %s\n",library);
+	return CKR_FUNCTION_FAILED;
+   }
+   getFunctionList = (CK_C_GetFunctionList) 
+			PR_FindSymbol(newLibrary,"C_GetFunctionList");
+   if (!getFunctionList) {
+	fprintf(stderr,"Couldn't find \"C_GetFunctionList\" in %s\n",library);
+	return CKR_FUNCTION_FAILED;
+   }
+
+   ckrv = (*getFunctionList)(&functionList);
+   if (ckrv != CKR_OK) {
+	return ckrv;
+   }
+   
+   if (module->library) {
+	PR_UnloadLibrary(module->library);
+   }
+
+   module->library = newLibrary;
+   module->functionList = functionList;
+
+   return CKR_OK;
+}
+
+static void
+printHelp(int index, int full)
+{
+    int j;
+    printf(" %s", commands[index].fname);
+    for (j=0; j < MAX_ARGS; j++) {
+	ArgType type = commands[index].args[j] & ArgMask;
+	if (type == ArgNone) {
+	    break;
+	}
+	printf(" %s", valueString[type]);
+    }
+    printf("\n");
+    printf(" %s\n",commands[index].helpString);
+}
+
+/* add Topical help here ! */
+static CK_RV
+printTopicHelp(char *topic)
+{
+    int size,i;
+    int topicLen;
+
+    topicLen = PL_strlen(topic);
+
+    for ( i = 0; i < topicCount; i++) {
+	size = PL_strlen(topics[i].name);
+
+	if (size <= topicLen) {
+	    if (PL_strncasecmp(topic,topics[i].name,size) == 0) {
+		break;
+	    }
+	}
+    }
+
+    if (i == topicCount) {
+	fprintf(stderr,"Can't find topic '%s'\n", topic);
+	return CKR_DATA_INVALID;
+    }
+
+    printf(" %s", topic);
+    printf("\n");
+    printf(" %s\n",topics[i].helpString);
+    return CKR_OK;
+}
+
+static CK_RV
+printGeneralHelp(void)
+{
+    int i;
+    printf(" To get help on commands, select from the list below:");
+    for ( i = 0; i < commandCount; i++) {
+       if (i % 5 == 0) printf("\n");
+       printf("%s,", commands[i].fname);
+    }
+    printf("\n");
+    /* print help topics */
+    printf(" To get help on a topic, select from the list below:");
+    for ( i = 0; i < topicCount; i++) {
+       if (i % 5 == 0) printf("\n");
+       printf("%s,", topics[i].name);
+    }
+    printf("\n");
+   return CKR_OK;
+}
+
+static CK_RV
+quitIf(CK_ULONG a, const char *cmp, CK_ULONG b)
+{
+    if (strcmp(cmp, "<") == 0) {
+ 	return (a < b) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, ">") == 0) {
+ 	return (a > b) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, "<=") == 0) {
+ 	return (a <= b) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, ">=") == 0) {
+ 	return (a >= b) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, "=") == 0) {
+ 	return (a == b) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, "!=") == 0) {
+ 	return (a != b) ? CKR_QUIT : CKR_OK;
+    }
+    printf("Unkown integer comparator: '%s'\n", cmp);
+    return CKR_ARGUMENTS_BAD;
+}
+
+static CK_RV
+quitIfString(const char *a, const char *cmp, const char *b)
+{
+
+    if (strcmp(cmp, "=") == 0) {
+ 	return (strcmp(a,b) == 0) ? CKR_QUIT : CKR_OK;
+    } else if (strcmp(cmp, "!=") == 0) {
+ 	return (strcmp(a,b) != 0) ? CKR_QUIT : CKR_OK;
+    }
+    printf("Unkown string comparator: '%s'\n", cmp);
+    return CKR_ARGUMENTS_BAD;
+}
+
+CK_RV run(const char *); 
+CK_RV timeCommand(const char *); 
+CK_RV loop(const char *filename, const char *var, 
+            CK_ULONG start, CK_ULONG end, CK_ULONG step) ;
+
+/*
+ * Actually dispatch the function... Bad things happen
+ * if these don't match the commands array.
+ */
+CK_RV
+do_func(int index, Value **a)
+{
+    int value, helpIndex;
+    static Module module = { NULL, NULL} ;
+    CK_FUNCTION_LIST *func = module.functionList;
+
+    switch (commands[index].fType) {
+    case F_C_Initialize:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Initialize((void *)a[0]->data);
+    case F_C_Finalize:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Finalize((void *)a[0]->data);
+    case F_C_GetInfo:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetInfo((CK_INFO *)a[0]->data);
+    case F_C_GetFunctionList:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetFunctionList((CK_FUNCTION_LIST **)a[0]->data);
+    case F_C_GetSlotList:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetSlotList((CK_BBOOL)*(CK_ULONG *)a[0]->data,
+					(CK_SLOT_ID *)a[1]->data,
+					(CK_LONG *)a[2]->data);
+    case F_C_GetSlotInfo:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetSlotInfo(*(CK_ULONG *)a[0]->data,
+					(CK_SLOT_INFO *)a[1]->data);
+    case F_C_GetTokenInfo:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetTokenInfo(*(CK_ULONG *)a[0]->data,
+					(CK_TOKEN_INFO *)a[1]->data);
+    case F_C_GetMechanismList:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	if (a[1]->data) {
+	    a[1]->constType = ConstMechanism;
+	}
+	return func->C_GetMechanismList(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM_TYPE*)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_GetMechanismInfo:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetMechanismInfo(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(CK_MECHANISM_INFO *)a[2]->data);
+    case F_C_InitToken:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_InitToken(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data);
+    case F_C_InitPIN:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_InitPIN(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_SetPIN:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SetPIN(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					*(CK_ULONG *)a[4]->data);
+    case F_C_OpenSession:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_OpenSession(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(void *)NULL,
+					(CK_NOTIFY) NULL,
+					(CK_ULONG *)a[2]->data);
+    case F_C_CloseSession:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_CloseSession(*(CK_ULONG *)a[0]->data);
+    case F_C_CloseAllSessions:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_CloseAllSessions(*(CK_ULONG *)a[0]->data);
+    case F_C_GetSessionInfo:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetSessionInfo(*(CK_ULONG *)a[0]->data,
+					(CK_SESSION_INFO *)a[1]->data);
+    case F_C_GetOperationState:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetOperationState(*(CK_ULONG *)a[0]->data,
+					(CK_BYTE *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_SetOperationState:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SetOperationState(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					*(CK_ULONG *)a[3]->data,
+					*(CK_ULONG *)a[4]->data);
+    case F_C_Login:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Login(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(CK_CHAR *)a[2]->data,
+					*(CK_ULONG *)a[3]->data);
+    case F_C_Logout:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Logout(*(CK_ULONG *)a[0]->data);
+    case F_C_CreateObject:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_CreateObject(*(CK_ULONG *)a[0]->data,
+					(CK_ATTRIBUTE *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_ULONG *)a[3]->data);
+    case F_C_CopyObject:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_CopyObject(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[0]->data,
+					(CK_ATTRIBUTE *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_ULONG *)a[3]->data);
+    case F_C_DestroyObject:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DestroyObject(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data);
+    case F_C_GetObjectSize:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetObjectSize(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_GetAttributeValue:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetAttributeValue(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(CK_ATTRIBUTE *)a[2]->data,
+					*(CK_ULONG *)a[3]->data);
+    case F_C_SetAttributeValue:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SetAttributeValue(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data,
+					(CK_ATTRIBUTE *)a[2]->data,
+					*(CK_ULONG *)a[3]->data);
+    case F_C_FindObjectsInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_FindObjectsInit(*(CK_ULONG *)a[0]->data,
+					(CK_ATTRIBUTE *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_FindObjects:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_FindObjects(*(CK_ULONG *)a[0]->data,
+					(CK_ULONG *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_ULONG *)a[3]->data);
+    case F_C_FindObjectsFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_FindObjectsFinal(*(CK_ULONG *)a[0]->data);
+    case F_C_EncryptInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_EncryptInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_Encrypt:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Encrypt(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_EncryptUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_EncryptUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_EncryptFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_EncryptFinal(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_DecryptInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DecryptInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_Decrypt:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Decrypt(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DecryptUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DecryptUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DecryptFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DecryptFinal(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_DigestInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DigestInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data);
+    case F_C_Digest:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Digest(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DigestUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DigestUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_DigestKey:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DigestKey(*(CK_ULONG *)a[0]->data,
+					*(CK_ULONG *)a[1]->data);
+    case F_C_DigestFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DigestFinal(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+    case F_C_SignInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_Sign:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Sign(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_SignUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_SignFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignFinal(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					(CK_ULONG *)a[2]->data);
+
+    case F_C_SignRecoverInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignRecoverInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_SignRecover:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignRecover(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_VerifyInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_VerifyInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_Verify:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_Verify(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					*(CK_ULONG *)a[4]->data);
+    case F_C_VerifyUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_VerifyUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_VerifyFinal:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_VerifyFinal(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+
+    case F_C_VerifyRecoverInit:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_VerifyRecoverInit(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_VerifyRecover:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_VerifyRecover(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DigestEncryptUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DigestEncryptUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DecryptDigestUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DecryptDigestUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_SignEncryptUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SignEncryptUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_DecryptVerifyUpdate:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DecryptVerifyUpdate(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_GenerateKey:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GenerateKey(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					(CK_ATTRIBUTE *)a[2]->data,
+					*(CK_ULONG *)a[3]->data,
+					(CK_ULONG *)a[4]->data);
+    case F_C_GenerateKeyPair:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GenerateKeyPair(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					(CK_ATTRIBUTE *)a[2]->data,
+					*(CK_ULONG *)a[3]->data,
+					(CK_ATTRIBUTE *)a[4]->data,
+					*(CK_ULONG *)a[5]->data,
+					(CK_ULONG *)a[6]->data,
+					(CK_ULONG *)a[7]->data);
+    case F_C_WrapKey:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_WrapKey(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					*(CK_ULONG *)a[3]->data,
+					(CK_CHAR *)a[5]->data,
+					(CK_ULONG *)a[6]->data);
+    case F_C_UnwrapKey:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_UnwrapKey(*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_CHAR *)a[3]->data,
+					*(CK_ULONG *)a[4]->data,
+					(CK_ATTRIBUTE *)a[5]->data,
+					*(CK_ULONG *)a[6]->data,
+					(CK_ULONG *)a[7]->data);
+    case F_C_DeriveKey:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_DeriveKey (*(CK_ULONG *)a[0]->data,
+					(CK_MECHANISM *)a[1]->data,
+					*(CK_ULONG *)a[2]->data,
+					(CK_ATTRIBUTE *)a[3]->data,
+					*(CK_ULONG *)a[4]->data,
+					(CK_ULONG *)a[5]->data);
+    case F_C_SeedRandom:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_SeedRandom(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_GenerateRandom:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GenerateRandom(*(CK_ULONG *)a[0]->data,
+					(CK_CHAR *)a[1]->data,
+					*(CK_ULONG *)a[2]->data);
+    case F_C_GetFunctionStatus:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_GetFunctionStatus(*(CK_ULONG *)a[0]->data);
+    case F_C_CancelFunction:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_CancelFunction(*(CK_ULONG *)a[0]->data);
+    case F_C_WaitForSlotEvent:
+	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
+	return func->C_WaitForSlotEvent(*(CK_ULONG *)a[0]->data,
+					(CK_ULONG *)a[1]->data,
+					(void *)a[2]->data);
+    /* set a variable */
+    case F_SetVar:	
+    case F_SetStringVar:	
+	(void) DeleteVariable(a[0]->data);
+	(void) AddVariable(a[0]->data,&a[1]);
+	return CKR_OK;
+    /* print a value */
+    case F_Print:
+	return printArg(a[0],0);
+    case F_SaveVar:
+	return save(a[0]->data,a[1]);
+    case F_RestoreVar:
+	return restore(a[0]->data,a[1]);
+    case F_Delete:
+	return DeleteVariable(a[0]->data);
+    case F_Increment:
+	return increment(a[0], *(CK_ULONG *)a[1]->data);
+    case F_Decrement:
+	return decrement(a[0], *(CK_ULONG *)a[1]->data);
+    case F_List:
+	return list();
+    case F_Run:
+	return run(a[0]->data);
+    case F_Time:
+	return timeCommand(a[0]->data);
+    case F_Load:
+	return loadModule(&module,a[0]->data);
+    case F_Unload:
+	return unloadModule(&module);
+    case F_NewArray:
+	(void) DeleteVariable(a[0]->data);
+	return ArrayVariable(a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data);
+    case F_NewTemplate:
+	(void) DeleteVariable(a[0]->data);
+	return ArrayTemplate(a[0]->data,a[1]->data);
+    case F_BuildTemplate:
+	return BuildTemplate(a[0]);
+    case F_SetTemplate:
+	return SetTemplate(a[0],
+		*(CK_ULONG *)a[1]->data,
+		*(CK_ULONG *)a[2]->data);
+    case F_NewMechanism:
+	(void) DeleteVariable(a[0]->data);
+	return NewMechanism(a[0]->data,*(CK_ULONG *)a[1]->data);
+    case F_NewInitializeArgs:
+	(void) DeleteVariable(a[0]->data);
+	return NewInitializeArgs(a[0]->data,*(CK_ULONG *)a[1]->data,a[2]->data);
+    case F_System:
+        value = *(int *)a[0]->data;
+	if (value & 0x80000000) {
+	    systemFlags &= ~value;
+	} else {
+	    systemFlags |= value;
+	}
+	return CKR_OK;
+    case F_Loop:
+	return loop(a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data,
+		*(CK_ULONG *)a[3]->data,*(CK_ULONG *)a[4]->data);
+    case F_Help:
+	if (a[0]) {
+	    helpIndex = lookup(a[0]->data);
+	    if (helpIndex < 0) {
+		return printTopicHelp(a[0]->data);
+	    }
+	    printHelp(helpIndex, 1);
+	    return CKR_OK;
+	}
+	return printGeneralHelp();
+    case F_QuitIfString:
+	return quitIfString(a[0]->data,a[1]->data,a[2]->data);
+    case F_QuitIf:
+	return quitIf(*(CK_ULONG *)a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data);
+    case F_Quit:
+	return CKR_QUIT;
+    default:
+	fprintf(stderr,
+		"Function %s not yet supported\n",commands[index].fname );
+	return CKR_OK;
+    }
+    /* Not Reached */
+    return CKR_OK;
+}
+
+CK_RV
+processCommand(const char * buf)
+{
+    CK_RV error = CKR_OK;
+    int index;
+    const char *bp;
+    Value **arglist;
+
+    bp = strip(buf);
+    /* allow comments and blank lines in scripts */
+    if ((*bp == '#') || (*bp == 0) || (*bp == '\n')){
+	return CKR_OK;
+    }
+
+    index = lookup(bp);
+
+    if (index < 0) {
+	return CKR_OK;
+    }
+
+    arglist = parseArgs(index,bp);
+    if (arglist == NULL) {
+	return CKR_OK;
+    }
+
+    error = do_func(index,arglist);
+    if (error == CKR_OK) {
+	putOutput(arglist);
+    } else if (error != CKR_QUIT) {
+	printf(">> Error : ");
+	printConst(error, ConstResult, 1);
+    }
+
+    parseFree(arglist);
+    return error;
+}
+
+CK_RV
+timeCommand(const char *command) 
+{
+    CK_RV ckrv;
+    PRIntervalTime startTime = PR_IntervalNow();
+    PRIntervalTime endTime;
+    PRIntervalTime elapsedTime;
+
+    ckrv = processCommand(command);
+
+    endTime = PR_IntervalNow();
+    elapsedTime = endTime - startTime;
+    printf("Time -- %d msec \n", 
+	PR_IntervalToMilliseconds(elapsedTime));
+    
+    return ckrv;
+}
+
+
+
+CK_RV
+process(FILE *inFile,int user)
+{
+    char buf[2048];
+    CK_RV error;
+    CK_RV ckrv = CKR_OK;
+
+    if (user) { printf("pkcs11> "); fflush(stdout); }
+
+    while (fgets(buf,2048,inFile) != NULL) {
+
+	if (!user) printf("* %s",buf);
+	error = processCommand(buf);
+	if (error == CKR_QUIT) {
+	    break;
+	} else if (error != CKR_OK) {
+	    ckrv = error;
+	}
+	if (user) { 
+	    printf("pkcs11> "); fflush(stdout); 
+	}
+    }
+    return ckrv;
+}
+
+CK_RV
+run(const char *filename) 
+{
+    FILE *infile;
+    CK_RV ckrv;
+
+    infile = fopen(filename,"r");
+
+    if (infile == NULL) {
+	perror(filename);
+	return CKR_FUNCTION_FAILED;
+    }
+
+    ckrv = process(infile, 0);
+
+    fclose(infile);
+    return ckrv;
+}
+
+CK_RV
+loop(const char *filename, const char *var, 
+     CK_ULONG start, CK_ULONG end, CK_ULONG step) 
+{
+    CK_ULONG i = 0;
+    Value *value = 0;
+    CK_RV ckrv;
+
+    for (i=start; i < end; i += step)
+    {
+        value = NewValue(ArgULong, 1);
+	*(CK_ULONG *)value->data = i;
+	DeleteVariable(var);
+	AddVariable(var, &value);
+	ckrv = run(filename);
+	argFree(value);
+	if (ckrv == CKR_QUIT) {
+	    break;
+	}
+    }
+    return ckrv;
+}
+
+int
+main(int argc, char **argv)
+{
+    /* I suppose that some day we could parse some arguments */
+    (void) process(stdin, 1);
+    return 0;
+}
diff --git a/security/nss/cmd/pk11util/pk11util.h b/security/nss/cmd/pk11util/pk11util.h
new file mode 100644
index 000000000..8a2f4d592
--- /dev/null
+++ b/security/nss/cmd/pk11util/pk11util.h
@@ -0,0 +1,165 @@
+
+/*
+ * Supported functions..
+ */
+#include <pkcs11.h>
+#include "nspr.h"
+#include "prtypes.h"
+
+typedef enum {
+    F_No_Function,
+#undef CK_NEED_ARG_LIST
+#define CK_PKCS11_FUNCTION_INFO(func) F_##func,
+#include "pkcs11f.h"
+#undef CK_NEED_ARG_LISt
+#undef CK_PKCS11_FUNCTION_INFO
+    F_SetVar,
+    F_SetStringVar,
+    F_NewArray,
+    F_NewInitializeArgs,
+    F_NewTemplate,
+    F_NewMechanism,
+    F_BuildTemplate,
+    F_SetTemplate,
+    F_Print,
+    F_SaveVar,
+    F_RestoreVar,
+    F_Increment,
+    F_Decrement,
+    F_Delete,
+    F_List,
+    F_Run,
+    F_Load,
+    F_Unload,
+    F_System,
+    F_Loop,
+    F_Time,
+    F_Help,
+    F_Quit,
+    F_QuitIf,
+    F_QuitIfString,
+} FunctionType;
+
+/*
+ * Supported Argument Types
+ */
+typedef enum {
+    ArgNone,
+    ArgVar,
+    ArgULong,
+    ArgChar,
+    ArgUTF8,
+    ArgInfo,
+    ArgSlotInfo,
+    ArgTokenInfo,
+    ArgSessionInfo,
+    ArgAttribute,
+    ArgMechanism,
+    ArgMechanismInfo,
+    ArgInitializeArgs,
+    ArgFunctionList,
+/* Modifier Flags */
+    ArgMask = 0xff,
+    ArgOut = 0x100,
+    ArgArray = 0x200,
+    ArgNew = 0x400,
+    ArgFile = 0x800,
+    ArgStatic = 0x1000,
+    ArgOpt = 0x2000,
+    ArgFull = 0x4000,
+} ArgType;
+
+typedef enum _constType
+{
+    ConstNone,
+    ConstBool,
+    ConstInfoFlags,
+    ConstSlotFlags,
+    ConstTokenFlags,
+    ConstSessionFlags,
+    ConstMechanismFlags,
+    ConstInitializeFlags,
+    ConstUsers,
+    ConstSessionState,
+    ConstObject,
+    ConstHardware,
+    ConstKeyType,
+    ConstCertType,
+    ConstAttribute,
+    ConstMechanism,
+    ConstResult,
+    ConstTrust,
+    ConstAvailableSizes,
+    ConstCurrentSize
+} ConstType;
+
+typedef struct _constant {
+    const char *name;
+    CK_ULONG value;
+    ConstType type;
+    ConstType attrType;
+} Constant ;
+
+/*
+ * Values structures.
+ */
+typedef struct _values {
+    ArgType	type;
+    ConstType	constType;
+    int		size;
+    char	*filename;
+    void	*data;
+    int 	reference;
+    int		arraySize;
+} Value;
+
+/*
+ * Variables
+ */
+typedef struct _variable Variable;
+struct _variable {
+    Variable *next;
+    char *vname;
+    Value *value;
+};
+
+/* NOTE: if you change MAX_ARGS, you need to change the commands array
+ * below as well.
+ */
+
+#define MAX_ARGS 10
+/*
+ * structure for master command array
+ */
+typedef struct _commands {
+    char	*fname;
+    FunctionType	fType;
+    char	*helpString;
+    ArgType	args[MAX_ARGS];
+} Commands;
+
+typedef struct _module {
+    PRLibrary *library;
+    CK_FUNCTION_LIST *functionList;
+} Module;
+
+typedef struct _topics {
+    char	*name;
+    char	*helpString;
+} Topics;
+
+/*
+ * the command array itself. Make name to function and it's arguments
+ */
+
+extern const char **valueString;
+extern const int valueCount;
+extern const char **constTypeString;
+extern const int constTypeCount;
+extern const Constant *consts;
+extern const int constCount;
+extern const Commands *commands;
+extern const int commandCount;
+extern const Topics *topics;
+extern const int topicCount;
+
diff --git a/security/nss/cmd/pk11util/scripts/dosign b/security/nss/cmd/pk11util/scripts/dosign
new file mode 100644
index 000000000..33e761f0b
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/dosign
@@ -0,0 +1,162 @@
+Load nsscapi.dll
+C_Initialize NULL
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+#change the following to the appropriate slot id
+set slotID 1
+#set slotID slotList[0]
+C_GetSlotInfo slotID slotInfo
+C_GetTokenInfo slotID tokenInfo
+C_OpenSession slotID CKF_SERIAL_SESSION session
+#
+#uncomment the following line and include the correct password
+#C_Login session CKU_USER 0000 4 
+#
+# build the search template
+#
+NewTemplate search CKA_CLASS
+SetTemplate search 0 CKO_CERTIFICATE
+NewArray certID CK_ULONG 10
+C_FindObjectsInit session search 1
+C_FindObjects session certID sizeA(certID) count
+C_FindObjectsFinal session
+#
+# now read the cert out
+#
+#NewTemplate derCert CKA_VALUE
+#NewTemplate certName CKA_LABEL,CKA_VALUE
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#BuildTemplate certName
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#print certName[0]
+Set countm1 count
+Decrement countm1 1
+LoopRun pLabel1 i 0 countm1 1
+Set i 1
+run pLabel1
+NewTemplate id CKA_CLASS,CKA_ID
+C_GetAttributeValue session certID[i] id sizeA(id)
+BuildTemplate id
+C_GetAttributeValue session certID[i] id sizeA(id)
+SetTemplate id 0 CKO_PRIVATE_KEY
+NewArray keyID CK_ULONG 10
+C_FindObjectsInit session id sizeA(id)
+C_FindObjects session keyID sizeA(keyID) count
+C_FindObjectsFinal session
+
+NewMechanism rsaParams CKM_RSA_PKCS
+NewArray sign data 256
+NewArray sdata data 36
+C_SignInit session rsaParams keyID[0]
+print sdata
+C_Sign session sdata sizeof(sdata) sign sizeof(sign)
+save signature sign
+save hash sdata
+NewTemplate privValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
+C_GetAttributeValue session keyID[0] privValue sizeA(privValue)
+BuildTemplate privValue
+C_GetAttributeValue session keyID[0] privValue sizeA(privValue)
+print privValue[0]
+print privValue[1]
+
+# save the public key
+SetTemplate id 0 CKO_PUBLIC_KEY
+NewArray pubkeyID CK_ULONG 10
+C_FindObjectsInit session id sizeA(id)
+C_FindObjects session pubkeyID sizeA(pubkeyID) count
+C_FindObjectsFinal session
+NewTemplate pubkeyValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
+C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
+BuildTemplate pubkeyValue
+C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
+print pubkeyValue[0]
+print pubkeyValue[1]
+
+
+C_Finalize null
+unload
+
+#
+# Now do the same for using softoken
+#
+load softokn3.dll
+NewInitArg init CKF_OS_LOCKING_OK configdir=./db
+C_Initialize init
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+#change the following to the appropriate slot id
+set slotID slotList[1]
+#set slotID slotList[0]
+C_GetSlotInfo slotID slotInfo
+C_GetTokenInfo slotID tokenInfo
+C_OpenSession slotID CKF_SERIAL_SESSION session
+NewTemplate search CKA_CLASS
+SetTemplate search 0 CKO_CERTIFICATE
+NewArray certID CK_ULONG 10
+C_FindObjectsInit session search 1
+C_FindObjects session certID sizeA(certID) count
+C_FindObjectsFinal session
+#
+# now read the cert out
+#
+#NewTemplate derCert CKA_VALUE
+#NewTemplate certName CKA_LABEL,CKA_VALUE
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#BuildTemplate certName
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#print certName[0]
+#Set countm1 count
+#Decrement countm1 1
+#LoopRun pLabel1 i 0 countm1 1
+Set i 0
+run pLabel1
+NewTemplate id CKA_CLASS,CKA_ID
+C_GetAttributeValue session certID[i] id sizeA(id)
+BuildTemplate id
+C_GetAttributeValue session certID[i] id sizeA(id)
+SetTemplate id 0 CKO_PRIVATE_KEY
+NewArray keyID CK_ULONG 10
+C_FindObjectsInit session id sizeA(id)
+C_FindObjects session keyID sizeA(keyID) count
+C_FindObjectsFinal session
+
+NewMechanism rsaParams CKM_RSA_PKCS
+NewArray sign data 256
+NewArray sdata data 36
+C_SignInit session rsaParams keyID[0]
+C_Sign session sdata sizeof(sdata) sign sizeof(sign)
+save signature2 sign
+save hash2 sdata
+
+SetTemplate id 0 CKO_PUBLIC_KEY
+NewArray pubkeyID CK_ULONG 10
+C_FindObjectsInit session id sizeA(id)
+C_FindObjects session pubkeyID sizeA(pubkeyID) count
+C_FindObjectsFinal session
+
+#
+# OK now we use raw unwrap and see what we have...
+#
+NewMechanism rawRsaParams CKM_RSA_X_509
+NewArray vdata data 256
+C_VerifyRecoverInit session rawRsaParams pubkeyID[0]
+C_VerifyRecover session sign sizeof(sign) vdata sizeof(vdata)
+save verify2 vdata
+restore signature sign
+C_VerifyRecoverInit session rawRsaParams pubkeyID[0]
+C_VerifyRecover session sign sizeof(sign) vdata sizeof(vdata)
+save verify vdata
+
+NewTemplate pubkeyValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
+C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
+BuildTemplate pubkeyValue
+C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
+print pubkeyValue[0]
+print pubkeyValue[1]
+
+
+C_Finalize null
+
+unload
diff --git a/security/nss/cmd/pk11util/scripts/hssign b/security/nss/cmd/pk11util/scripts/hssign
new file mode 100644
index 000000000..9bcf365cc
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/hssign
@@ -0,0 +1,48 @@
+Load aolkeypk11.dll
+C_Initialize NULL
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+#change the following to the appropriate slot id
+#set slotID slotList[0]
+set slotID 1
+C_GetSlotInfo slotID slotInfo
+C_GetTokenInfo slotID tokenInfo
+C_OpenSession slotID CK_SESSION_SERIAL session
+#
+#uncomment the following line and include the correct password
+#for authenticated tokens
+#C_Login session CKU_USER 0000 4
+#
+# build the search template
+#
+#NewTemplate search CKA_CLASS
+#SetTemplate search 0 CKO_CERTIFICATE
+#NewArray certID CK_ULONG 1
+#C_FindObjectsInit session search 1
+#C_FindObjects session certID 1 count
+#C_FindObjectsFinal session
+#
+# now read the cert out
+#
+#NewTemplate derCert CKA_VALUE
+#C_GetAttributeValue session certID derCert 1
+#BuildTemplate derCert
+#C_GetAttributeValue session certID derCert 1
+#
+# Do a signature
+#
+NewTemplate search CKA_CLASS
+SetTemplate search 0 CKO_PRIVATE_KEY
+NewArray privateKey CK_ULONG 1
+C_FindObjectsInit session search 1
+C_FindObjects session privateKey 1 count
+C_FindObjectsFinal session
+# sign
+NewMechanism rsaParams CKM_RSA_PKCS
+NewArray sign data 128
+NewArray sdata data 20
+C_SignInit session rsaParams privateKey
+C_Sign session sdata sizeof(sdata) sign sizeof(sign)
+#C_Logout session
+
diff --git a/security/nss/cmd/pk11util/scripts/lcert b/security/nss/cmd/pk11util/scripts/lcert
new file mode 100644
index 000000000..0f249c3b5
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/lcert
@@ -0,0 +1,35 @@
+Load nsscapi.dll
+C_Initialize NULL
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+#change the following to the appropriate slot id
+set slotID 1
+#set slotID slotList[0]
+C_GetSlotInfo slotID slotInfo
+C_GetTokenInfo slotID tokenInfo
+C_OpenSession slotID CKF_SERIAL_SESSION session
+#
+#uncomment the following line and include the correct password
+#C_Login session CKU_USER 0000 4 
+#
+# build the search template
+#
+NewTemplate search CKA_CLASS
+SetTemplate search 0 CKO_CERTIFICATE
+NewArray certID CK_ULONG 10
+C_FindObjectsInit session search 1
+C_FindObjects session certID sizeA(certID) count
+C_FindObjectsFinal session
+#
+# now read the cert out
+#
+#NewTemplate derCert CKA_VALUE
+#NewTemplate certName CKA_LABEL,CKA_VALUE
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#BuildTemplate certName
+#C_GetAttributeValue session certID[0] certName sizeA(certName)
+#print certName[0]
+Set countm1 count
+Decrement countm1 1
+LoopRun pLabel1 i 0 countm1 1
diff --git a/security/nss/cmd/pk11util/scripts/mechanisms b/security/nss/cmd/pk11util/scripts/mechanisms
new file mode 100644
index 000000000..d103a9c4f
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/mechanisms
@@ -0,0 +1,11 @@
+Load nsscapi.dll
+C_Initialize NULL
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+
+LoopRun pMechanisms i 0 slotCount 1
+
+#C_Finalize
+#Unload
+
diff --git a/security/nss/cmd/pk11util/scripts/pLabel1 b/security/nss/cmd/pk11util/scripts/pLabel1
new file mode 100644
index 000000000..0be909bb4
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/pLabel1
@@ -0,0 +1,6 @@
+NewTemplate certName CKA_LABEL,CKA_VALUE
+C_GetAttributeValue session certID[i] certName sizeA(certName)
+BuildTemplate certName
+C_GetAttributeValue session certID[i] certName sizeA(certName)
+print i
+print certName[0]
diff --git a/security/nss/cmd/pk11util/scripts/pMechanisms b/security/nss/cmd/pk11util/scripts/pMechanisms
new file mode 100644
index 000000000..82e860258
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/pMechanisms
@@ -0,0 +1,8 @@
+#
+# print the mechanism list for a given token
+#
+set slotID slotList[i]
+C_GetMechanismList slotID NULL mechCount
+NewArray mechanismList CK_ULONG  mechcount
+C_GetMechanismList slotID mechanismList mechCount
+print mechanismList
diff --git a/security/nss/cmd/pk11util/scripts/pcert b/security/nss/cmd/pk11util/scripts/pcert
new file mode 100644
index 000000000..c322a8bfe
--- /dev/null
+++ b/security/nss/cmd/pk11util/scripts/pcert
@@ -0,0 +1,30 @@
+Load aolkeypk11.dll
+C_Initialize NULL
+C_GetSlotList false NULL slotCount
+NewArray slotList CK_ULONG slotCount
+C_GetSlotList false slotList slotCount
+#change the following to the appropriate slot id
+set slotID 1
+#set slotID slotList[0]
+C_GetSlotInfo slotID slotInfo
+C_GetTokenInfo slotID tokenInfo
+C_OpenSession slotID CK_SESSION_SERIAL session
+#
+#uncomment the following line and include the correct password
+#C_Login session CKU_USER 0000 4 
+#
+# build the search template
+#
+NewTemplate search CKA_CLASS
+SetTemplate search 0 CKO_CERTIFICATE
+NewArray certID CK_ULONG 1
+C_FindObjectsInit session search 1
+C_FindObjects session certID 1 count
+C_FindObjectsFinal session
+#
+# now read the cert out
+#
+NewTemplate derCert CKA_VALUE
+C_GetAttributeValue session certID derCert 1
+BuildTemplate derCert
+C_GetAttributeValue session certID derCert 1
diff --git a/security/nss/cmd/pk12util/Makefile b/security/nss/cmd/pk12util/Makefile
new file mode 100644
index 000000000..fe7991878
--- /dev/null
+++ b/security/nss/cmd/pk12util/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/pk12util/manifest.mn b/security/nss/cmd/pk12util/manifest.mn
new file mode 100644
index 000000000..4971d7bcf
--- /dev/null
+++ b/security/nss/cmd/pk12util/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = \
+	pk12util.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = pk12util
+
+# USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
new file mode 100644
index 000000000..a4d0e6b93
--- /dev/null
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -0,0 +1,1123 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "pk11func.h"
+#include "pkcs12.h"
+#include "p12plcy.h"
+#include "pk12util.h"
+#include "nss.h"
+#include "secport.h"
+#include "secpkcs5.h"
+#include "certdb.h"
+
+#define PKCS12_IN_BUFFER_SIZE	200
+
+static char *progName;
+PRBool pk12_debugging = PR_FALSE;
+PRBool dumpRawFile;
+
+PRIntn pk12uErrno = 0;
+
+static void
+Usage(char *progName)
+{
+#define FPS PR_fprintf(PR_STDERR,
+    FPS "Usage:	 %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname] [-v]\n",
+				 progName);
+    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+
+    FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname] [-r]\n",
+				 progName);
+    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+
+    FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n", 
+        progName);
+    FPS "\t\t [-c key_cipher] [-C cert_cipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen]\n");
+    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filefilepw]\n");
+
+    exit(PK12UERR_USAGE);
+}
+
+static PRBool
+p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
+{
+    if(!p12cxt || !p12cxt->filename) {
+	return PR_FALSE;
+    }
+
+    if(fileRead) {
+	p12cxt->file = PR_Open(p12cxt->filename,
+				 PR_RDONLY, 0400);
+    } else {
+	p12cxt->file = PR_Open(p12cxt->filename,
+				 PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE,
+				 0600);
+    }
+
+    if(!p12cxt->file) {
+	p12cxt->error = PR_TRUE;
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+static void
+p12u_DestroyContext(p12uContext **ppCtx, PRBool removeFile)
+{
+    if(!ppCtx || !(*ppCtx)) {
+	return;
+    }
+
+    if((*ppCtx)->file != NULL) {
+	PR_Close((*ppCtx)->file);
+    }
+
+    if((*ppCtx)->filename != NULL) {
+	if(removeFile) {
+	    PR_Delete((*ppCtx)->filename);
+	}
+	PR_Free((*ppCtx)->filename);
+    }
+
+    PR_Free(*ppCtx);
+    *ppCtx = NULL;
+}
+
+static p12uContext *
+p12u_InitContext(PRBool fileImport, char *filename)
+{
+    p12uContext *p12cxt;
+    PRBool fileExist;
+
+    fileExist = fileImport;
+
+    p12cxt = PORT_ZNew(p12uContext);
+    if(!p12cxt) {
+	return NULL;
+    }
+
+    p12cxt->error = PR_FALSE;
+    p12cxt->errorValue = 0;
+    p12cxt->filename = strdup(filename);
+
+    if(!p12u_OpenFile(p12cxt, fileImport)) {
+	p12u_DestroyContext(&p12cxt, PR_FALSE);
+	return NULL;
+    }
+
+    return p12cxt;
+}
+
+SECItem *
+P12U_NicknameCollisionCallback(SECItem *old_nick, PRBool *cancel, void *wincx)
+{
+    char           *nick     = NULL;
+    SECItem        *ret_nick = NULL;
+    CERTCertificate* cert    = (CERTCertificate*)wincx;
+
+    if (!cancel || !cert) {
+	pk12uErrno = PK12UERR_USER_CANCELLED;
+	return NULL;
+    }
+
+    if (!old_nick)
+	fprintf(stdout, "pk12util: no nickname for cert in PKCS12 file.\n");
+
+#if 0
+    /* XXX not handled yet  */
+    *cancel = PR_TRUE;
+    return NULL;
+
+#else
+
+    nick = CERT_MakeCANickname(cert); 
+    if (!nick) {
+    	return NULL;
+    }
+
+    if(old_nick && old_nick->data && old_nick->len &&
+       PORT_Strlen(nick) == old_nick->len &&
+       !PORT_Strncmp((char *)old_nick->data, nick, old_nick->len)) {
+	PORT_Free(nick);
+	PORT_SetError(SEC_ERROR_IO);
+	return NULL;
+    }
+
+    fprintf(stdout, "pk12util: using nickname: %s\n", nick);
+    ret_nick = PORT_ZNew(SECItem);
+    if(ret_nick == NULL) {
+	PORT_Free(nick);
+	return NULL;
+    }
+
+    ret_nick->data = (unsigned char *)nick;
+    ret_nick->len = PORT_Strlen(nick);
+
+    return ret_nick;
+#endif
+}
+
+static SECStatus
+p12u_SwapUnicodeBytes(SECItem *uniItem)
+{
+    unsigned int i;
+    unsigned char a;
+    if((uniItem == NULL) || (uniItem->len % 2)) {
+	return SECFailure;
+    }
+    for(i = 0; i < uniItem->len; i += 2) {
+	a = uniItem->data[i];
+	uniItem->data[i] = uniItem->data[i+1];
+	uniItem->data[i+1] = a;
+    }
+    return SECSuccess;
+}
+
+static PRBool
+p12u_ucs2_ascii_conversion_function(PRBool	   toUnicode,
+				    unsigned char *inBuf,
+				    unsigned int   inBufLen,
+				    unsigned char *outBuf,
+				    unsigned int   maxOutBufLen,
+				    unsigned int  *outBufLen,
+				    PRBool	   swapBytes)
+{
+    SECItem it = { 0 };
+    SECItem *dup = NULL;
+    PRBool ret;
+
+#ifdef DEBUG_CONVERSION
+    if (pk12_debugging) {
+	int i;
+	printf("Converted from:\n");
+	for (i=0; i<inBufLen; i++) {
+	    printf("%2x ", inBuf[i]);
+	    /*if (i%60 == 0) printf("\n");*/
+	}
+	printf("\n");
+    }
+#endif
+    it.data = inBuf;
+    it.len = inBufLen;
+    dup = SECITEM_DupItem(&it);
+    /* If converting Unicode to ASCII, swap bytes before conversion
+     * as neccessary.
+     */
+    if (!toUnicode && swapBytes) {
+	if (p12u_SwapUnicodeBytes(dup) != SECSuccess) {
+	    SECITEM_ZfreeItem(dup, PR_TRUE);
+	    return PR_FALSE;
+	}
+    }
+    /* Perform the conversion. */
+    ret = PORT_UCS2_UTF8Conversion(toUnicode, dup->data, dup->len,
+                                   outBuf, maxOutBufLen, outBufLen);
+    if (dup)
+	SECITEM_ZfreeItem(dup, PR_TRUE);
+
+#ifdef DEBUG_CONVERSION
+    if (pk12_debugging) {
+	int i;
+	printf("Converted to:\n");
+	for (i=0; i<*outBufLen; i++) {
+	    printf("%2x ", outBuf[i]);
+	    /*if (i%60 == 0) printf("\n");*/
+	}
+	printf("\n");
+    }
+#endif
+    return ret;
+}
+
+SECStatus
+P12U_UnicodeConversion(PRArenaPool *arena, SECItem *dest, SECItem *src,
+		       PRBool toUnicode, PRBool swapBytes)
+{
+    unsigned int allocLen;
+    if(!dest || !src) {
+	return SECFailure;
+    }
+    allocLen = ((toUnicode) ? (src->len << 2) : src->len);
+    if(arena) {
+	dest->data = PORT_ArenaZAlloc(arena, allocLen);
+    } else {
+	dest->data = PORT_ZAlloc(allocLen);
+    }
+    if(PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len,
+				 dest->data, allocLen, &dest->len,
+				 swapBytes) == PR_FALSE) {
+	if(!arena) {
+	    PORT_Free(dest->data);
+	}
+	dest->data = NULL;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ *
+ */
+SECItem *
+P12U_GetP12FilePassword(PRBool confirmPw, secuPWData *p12FilePw)
+{
+    char *p0 = NULL;
+    SECItem *pwItem = NULL;
+
+    if (p12FilePw == NULL || p12FilePw->source == PW_NONE) {
+	char *p1 = NULL;
+	int   rc;
+	for (;;) {
+	    p0 = SECU_GetPasswordString(NULL,
+					"Enter password for PKCS12 file: ");
+	    if (!confirmPw || p0 == NULL)
+		break;
+	    p1 = SECU_GetPasswordString(NULL, "Re-enter password: ");
+	    if (p1 == NULL) {
+		PORT_ZFree(p0, PL_strlen(p0));
+		p0 = NULL;
+		break;
+	    }
+	    rc = PL_strcmp(p0, p1);
+	    PORT_ZFree(p1, PL_strlen(p1));
+	    if (rc == 0)
+		break;
+	    PORT_ZFree(p0, PL_strlen(p0));
+	}
+    } else if (p12FilePw->source == PW_FROMFILE) {
+	p0 = SECU_FilePasswd(NULL, PR_FALSE, p12FilePw->data);
+    } else { /* Plaintext */
+	p0 = PORT_Strdup(p12FilePw->data);
+    }
+
+    if (p0 == NULL) {
+        return NULL;
+    }
+    pwItem = SECITEM_AllocItem(NULL, NULL, PL_strlen(p0) + 1);
+    memcpy(pwItem->data, p0, pwItem->len);
+
+    PORT_ZFree(p0, PL_strlen(p0));
+
+    return pwItem;
+}
+
+SECStatus
+P12U_InitSlot(PK11SlotInfo *slot, secuPWData *slotPw)
+{
+    SECStatus rv;
+
+    /*	New databases, initialize keydb password. */
+    if (PK11_NeedUserInit(slot)) {
+	rv = SECU_ChangePW(slot,
+			   (slotPw->source == PW_PLAINTEXT) ? slotPw->data : 0,
+			   (slotPw->source == PW_FROMFILE) ? slotPw->data : 0);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "Failed to initialize slot \"%s\"",
+				    PK11_GetSlotName(slot));
+	    return SECFailure;
+	}
+    }
+
+    if (PK11_Authenticate(slot, PR_TRUE, slotPw) != SECSuccess) {
+	SECU_PrintError(progName,
+			 "Failed to authenticate to PKCS11 slot");
+	PORT_SetError(SEC_ERROR_USER_CANCELLED);
+	pk12uErrno = PK12UERR_USER_CANCELLED;
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* This routine takes care of getting the PKCS12 file password, then reading and
+ * verifying the file. It returns the decoder context and a filled in password.
+ * (The password is needed by P12U_ImportPKCS12Object() to import the private
+ * key.)
+ */
+SEC_PKCS12DecoderContext *
+p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
+                    secuPWData *slotPw, secuPWData *p12FilePw)
+{
+    SEC_PKCS12DecoderContext *p12dcx = NULL;
+    p12uContext *p12cxt = NULL;
+    SECItem *pwitem = NULL;
+    SECItem p12file = { 0 };
+    SECStatus rv = SECFailure;
+    PRBool swapUnicode = PR_FALSE;
+    PRBool trypw;
+    int error;
+    
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicode = PR_TRUE;
+#endif
+
+    p12cxt = p12u_InitContext(PR_TRUE, in_file);
+    if(!p12cxt) {
+	SECU_PrintError(progName,"File Open failed: %s", in_file);
+	pk12uErrno = PK12UERR_INIT_FILE;
+        return NULL;
+    }
+
+    /* get the password */
+    pwitem = P12U_GetP12FilePassword(PR_FALSE, p12FilePw);
+    if (!pwitem) {
+	pk12uErrno = PK12UERR_USER_CANCELLED;
+	goto done;
+    }
+
+    if(P12U_UnicodeConversion(NULL, uniPwp, pwitem, PR_TRUE,
+                              swapUnicode) != SECSuccess) {
+	SECU_PrintError(progName,"Unicode conversion failed");
+	pk12uErrno = PK12UERR_UNICODECONV;
+	goto done;
+    }
+    rv = SECU_FileToItem(&p12file, p12cxt->file);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName,"Failed to read from import file");
+        goto done;
+    }
+
+    do {
+        trypw = PR_FALSE;                  /* normally we do this once */
+        rv = SECFailure;
+        /* init the decoder context */
+        p12dcx = SEC_PKCS12DecoderStart(uniPwp, slot, slotPw,
+                                        NULL, NULL, NULL, NULL, NULL);
+        if(!p12dcx) {
+            SECU_PrintError(progName,"PKCS12 decoder start failed");
+            pk12uErrno = PK12UERR_PK12DECODESTART;
+            break;
+        }
+
+        /* decode the item */
+        rv = SEC_PKCS12DecoderUpdate(p12dcx, p12file.data, p12file.len);
+
+        if(rv != SECSuccess) {
+            error = PR_GetError();
+            if(error == SEC_ERROR_DECRYPTION_DISALLOWED) {
+                PR_SetError(error, 0);
+                break;
+            }
+            SECU_PrintError(progName,"PKCS12 decoding failed");
+            pk12uErrno = PK12UERR_DECODE;
+        }
+
+        /* does the blob authenticate properly? */
+        rv = SEC_PKCS12DecoderVerify(p12dcx);
+        if (rv != SECSuccess) {
+            if(uniPwp->len == 2) {
+                /* this is a null PW, try once more with a zero-length PW
+                   instead of a null string */
+                SEC_PKCS12DecoderFinish(p12dcx);
+                uniPwp->len = 0;
+                trypw = PR_TRUE;
+            }
+            else {
+                SECU_PrintError(progName,"PKCS12 decode not verified");
+                pk12uErrno = PK12UERR_DECODEVERIFY;
+                break;
+            }
+        }
+    } while (trypw == PR_TRUE);
+    /* rv has been set at this point */
+
+
+done:
+    if (rv != SECSuccess) {
+        if (p12dcx != NULL) {
+            SEC_PKCS12DecoderFinish(p12dcx);
+            p12dcx = NULL;
+        }
+        if (uniPwp->data) {
+            SECITEM_ZfreeItem(uniPwp, PR_FALSE);
+            uniPwp->data = NULL;
+        }
+    }
+    PR_Close(p12cxt->file);
+    p12cxt->file = NULL;
+    /* PK11_FreeSlot(slot); */
+    p12u_DestroyContext(&p12cxt, PR_FALSE);
+
+    if (pwitem) {
+	SECITEM_ZfreeItem(pwitem, PR_TRUE);
+    }
+    return p12dcx;
+}
+
+/*
+ * given a filename for pkcs12 file, imports certs and keys
+ *
+ * Change: altitude
+ *  I've changed this function so that it takes the keydb and pkcs12 file
+ *  passwords from files.  The "pwdKeyDB" and "pwdP12File"
+ *  variables have been added for this purpose.
+ */
+PRIntn
+P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
+			secuPWData *slotPw, secuPWData *p12FilePw)
+{
+    SEC_PKCS12DecoderContext *p12dcx = NULL;
+    SECItem uniPwitem = { 0 };
+    SECStatus rv = SECFailure;
+
+    rv = P12U_InitSlot(slot, slotPw);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "Failed to authenticate to \"%s\"",
+			       			 PK11_GetSlotName(slot));
+	pk12uErrno = PK12UERR_PK11GETSLOT;
+	return rv;
+    }
+
+    rv = SECFailure;
+    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
+    
+    if(p12dcx == NULL) {
+        goto loser;
+    }
+    
+    /* make sure the bags are okey dokey -- nicknames correct, etc. */
+    rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
+	    pk12uErrno = PK12UERR_CERTALREADYEXISTS;
+	} else {
+	    pk12uErrno = PK12UERR_DECODEVALIBAGS;
+	}
+	SECU_PrintError(progName,"PKCS12 decode validate bags failed");
+	goto loser;
+    }
+
+    /* stuff 'em in */
+    rv = SEC_PKCS12DecoderImportBags(p12dcx);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName,"PKCS12 decode import bags failed");
+	pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+	goto loser;
+    }
+
+    fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName);
+    rv = SECSuccess;
+
+loser:
+    if (p12dcx) {
+	SEC_PKCS12DecoderFinish(p12dcx);
+    }
+    
+    if (uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+    
+    return rv;
+}
+
+static void
+p12u_DoPKCS12ExportErrors()
+{
+    int error_value;
+
+    error_value = PORT_GetError();
+    if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
+	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
+	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
+	fprintf(stderr, SECU_ErrorStringRaw((int16)error_value));
+    } else if(error_value == SEC_ERROR_USER_CANCELLED) {
+	;
+    } else {
+	fprintf(stderr, SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES));
+    }
+}
+
+static void
+p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
+{
+    p12uContext *p12cxt = arg;
+    int writeLen;
+
+    if(!p12cxt || (p12cxt->error == PR_TRUE)) {
+	return;
+    }
+
+    if(p12cxt->file == NULL) {
+	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
+	p12cxt->error = PR_TRUE;
+	return;
+    }
+
+    writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (int32)len);
+
+    if(writeLen != (int)len) {
+	PR_Close(p12cxt->file);
+	PR_Free(p12cxt->filename);
+	p12cxt->filename = NULL;
+	p12cxt->file = NULL;
+	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
+	p12cxt->error = PR_TRUE;
+    }
+}
+
+
+void
+P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
+		SECOidTag cipher, SECOidTag certCipher, 
+		secuPWData *slotPw, secuPWData *p12FilePw)
+{
+    SEC_PKCS12ExportContext *p12ecx = NULL;
+    SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL;
+    SECItem *pwitem = NULL;
+    p12uContext *p12cxt = NULL;
+    CERTCertList* certlist = NULL;
+    CERTCertListNode* node = NULL;
+    PK11SlotInfo* slot = NULL;
+
+    if (P12U_InitSlot(inSlot, slotPw) != SECSuccess) {
+	SECU_PrintError(progName,"Failed to authenticate to \"%s\"",
+			  PK11_GetSlotName(inSlot));
+	pk12uErrno = PK12UERR_PK11GETSLOT;
+	goto loser;
+    }
+    certlist = PK11_FindCertsFromNickname(nn, slotPw);
+    if(!certlist) {
+	SECU_PrintError(progName,"find user certs from nickname failed");
+	pk12uErrno = PK12UERR_FINDCERTBYNN;
+	return;
+    }
+
+    if ((SECSuccess != CERT_FilterCertListForUserCerts(certlist)) ||
+        CERT_LIST_EMPTY(certlist)) {
+        PR_fprintf(PR_STDERR, "%s: no user certs from given nickname\n",
+                   progName);
+        pk12uErrno = PK12UERR_FINDCERTBYNN;
+        goto loser;
+    }
+
+    /*	Password to use for PKCS12 file.  */
+    pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
+    if(!pwitem) {
+	goto loser;
+    }
+
+    p12cxt = p12u_InitContext(PR_FALSE, outfile); 
+    if(!p12cxt) {
+	SECU_PrintError(progName,"Initialization failed: %s", outfile);
+	pk12uErrno = PK12UERR_INIT_FILE;
+	goto loser;
+    }
+
+    if (certlist) {
+        CERTCertificate* cert = NULL;
+        node = CERT_LIST_HEAD(certlist);
+        if (node) {
+            cert = node->cert;
+        }
+        if (cert) {
+            slot = cert->slot; /* use the slot from the first matching
+                certificate to create the context . This is for keygen */
+        }
+    }
+    if (!slot) {
+        SECU_PrintError(progName,"cert does not have a slot");
+        pk12uErrno = PK12UERR_FINDCERTBYNN;
+        goto loser;
+    }
+    p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, slot, slotPw);
+    if(!p12ecx) {
+        SECU_PrintError(progName,"export context creation failed");
+        pk12uErrno = PK12UERR_EXPORTCXCREATE;
+        goto loser;
+    }
+
+    if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, SEC_OID_SHA1)
+       != SECSuccess) {
+        SECU_PrintError(progName,"PKCS12 add password integrity failed");
+        pk12uErrno = PK12UERR_PK12ADDPWDINTEG;
+        goto loser;
+    }
+
+    for (node = CERT_LIST_HEAD(certlist);!CERT_LIST_END(node,certlist);node=CERT_LIST_NEXT(node))
+    {
+        CERTCertificate* cert = node->cert;
+        if (!cert->slot) {
+            SECU_PrintError(progName,"cert does not have a slot");
+            pk12uErrno = PK12UERR_FINDCERTBYNN;
+            goto loser;
+        }
+    
+        keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
+        if(certCipher == SEC_OID_UNKNOWN) {
+            certSafe = keySafe;
+        } else {
+            certSafe = 
+		SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certCipher);
+        }
+    
+        if(!certSafe || !keySafe) {
+            SECU_PrintError(progName,"key or cert safe creation failed");
+            pk12uErrno = PK12UERR_CERTKEYSAFE;
+            goto loser;
+        }
+    
+        if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert,
+            CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem, cipher)
+            != SECSuccess) {
+                SECU_PrintError(progName,"add cert and key failed");
+                pk12uErrno = PK12UERR_ADDCERTKEY;
+                goto loser;
+        }
+    }
+
+    CERT_DestroyCertList(certlist);
+    certlist = NULL;
+
+    if(SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12cxt)
+                        != SECSuccess) {
+        SECU_PrintError(progName,"PKCS12 encode failed");
+        pk12uErrno = PK12UERR_ENCODE;
+        goto loser;
+    }
+
+    p12u_DestroyContext(&p12cxt, PR_FALSE);
+    SECITEM_ZfreeItem(pwitem, PR_TRUE);
+    fprintf(stdout, "%s: PKCS12 EXPORT SUCCESSFUL\n", progName);
+    SEC_PKCS12DestroyExportContext(p12ecx);
+
+    return;
+
+loser:
+    SEC_PKCS12DestroyExportContext(p12ecx);
+
+    if (certlist) {
+        CERT_DestroyCertList(certlist);
+        certlist = NULL;
+    }    
+
+    p12u_DestroyContext(&p12cxt, PR_TRUE);
+    if(pwitem) {
+        SECITEM_ZfreeItem(pwitem, PR_TRUE);
+    }
+    p12u_DoPKCS12ExportErrors();
+    return;
+}
+
+
+PRIntn
+P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
+			secuPWData *slotPw, secuPWData *p12FilePw)
+{
+    SEC_PKCS12DecoderContext *p12dcx = NULL;
+    SECItem uniPwitem = { 0 };
+    SECStatus rv = SECFailure;
+    const SEC_PKCS12DecoderItem *dip;
+
+    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw,
+                             p12FilePw);
+    /* did the blob authenticate properly? */
+    if(p12dcx == NULL) {
+	SECU_PrintError(progName,"PKCS12 decode not verified");
+	pk12uErrno = PK12UERR_DECODEVERIFY;
+        goto loser;
+    }
+    rv = SEC_PKCS12DecoderIterateInit(p12dcx);
+    if(rv != SECSuccess) {
+	SECU_PrintError(progName,"PKCS12 decode iterate bags failed");
+	pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+        rv = SECFailure;
+    } else {
+	int fileCounter = 0;
+        while (SEC_PKCS12DecoderIterateNext(p12dcx, &dip) == SECSuccess) {
+            switch (dip->type) {
+                case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+                    printf("Certificate");
+		    if (dumpRawFile) {
+			PRFileDesc * fd;
+			char fileName[20];
+			sprintf(fileName, "file%04d.der", ++fileCounter);
+			fd = PR_Open(fileName,
+				     PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE,
+				     0600);
+			if (!fd) {
+			    SECU_PrintError(progName,
+			                    "Cannot create output file");
+			} else {
+			    PR_Write(fd, dip->der->data, dip->der->len);
+			    PR_Close(fd);
+			}
+		    } else 
+                    if (SECU_PrintSignedData(stdout, dip->der,
+                            (dip->hasKey) ? "(has private key)" : "",
+                             0, SECU_PrintCertificate) != 0) {
+                        SECU_PrintError(progName,"PKCS12 print cert bag failed");
+                    }
+                    if (dip->friendlyName != NULL) {
+                        printf("    Friendly Name: %s\n\n",
+                                dip->friendlyName->data);
+                    }
+		    if (dip->shroudAlg) {
+			SECU_PrintAlgorithmID(stdout, dip->shroudAlg,
+						 "Encryption algorithm",1);
+		    }
+                    break;
+                case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+                case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+                    printf("Key");
+                    if (dip->type == SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID)
+                        printf("(shrouded)");
+                    printf(":\n");
+                    if (dip->friendlyName != NULL) {
+                        printf("    Friendly Name: %s\n\n",
+                                dip->friendlyName->data);
+                    }
+		    if (dip->shroudAlg) {
+			SECU_PrintAlgorithmID(stdout, dip->shroudAlg,
+						 "Encryption algorithm",1);
+		    }
+                    break;
+                default:
+                    printf("unknown bag type(%d): %s\n\n", dip->type,
+                            SECOID_FindOIDTagDescription(dip->type));
+                    break;
+            }
+        }
+        rv = SECSuccess;
+    }
+
+loser:
+    
+    if (p12dcx) {
+	SEC_PKCS12DecoderFinish(p12dcx);
+    }
+    
+    if (uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+    
+    return rv;
+}
+
+/*
+ * use the oid table description to map a user input string to a particular
+ * oid.
+ */
+SECOidTag
+PKCS12U_MapCipherFromString(char *cipherString, int keyLen)
+{
+    SECOidTag tag;
+    SECOidData *oid;
+    SECOidTag cipher;
+
+    /* future enhancement: accept dotted oid spec? */
+
+    /* future enhancement: provide 'friendlier' typed in names for
+     * pbe mechanisms.
+     */
+
+    /* look for the oid tag by Description */
+    cipher = SEC_OID_UNKNOWN;
+    for (tag=1;  (oid=SECOID_FindOIDByTag(tag)) != NULL ; tag++) {
+	/* only interested in oids that we actually understand */
+	if (oid->mechanism == CKM_INVALID_MECHANISM) {
+	    continue;
+	}
+	if (PORT_Strcasecmp(oid->desc, cipherString) != 0) {
+	    continue;
+	}
+	/* we found a match... get the PBE version of this
+	 * cipher... */
+	if (!SEC_PKCS5IsAlgorithmPBEAlgTag(tag)) {
+	    cipher = SEC_PKCS5GetPBEAlgorithm(tag, keyLen);
+	    /* no eqivalent PKCS5/PKCS12 cipher, use the raw
+	     * encryption tag we got and pass it directly in,
+	     * pkcs12 will use the pkcsv5 mechanism */
+	    if (cipher == SEC_OID_PKCS5_PBES2) {
+		cipher = tag;
+	    } else if (cipher == SEC_OID_PKCS5_PBMAC1) {
+		/* make sure we have not macing ciphers here */
+		cipher = SEC_OID_UNKNOWN;
+	    }
+	} else {
+		cipher = tag;
+	}
+	break;
+    }
+    return cipher;
+}
+
+static void
+p12u_EnableAllCiphers()
+{
+    SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
+    SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
+    SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
+    SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
+}
+
+static PRUintn
+P12U_Init(char *dir, char *dbprefix, PRBool listonly)
+{
+    SECStatus rv;
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    if (listonly && NSS_NoDB_Init("") == SECSuccess) {
+        rv = SECSuccess;
+    }
+    else {
+        rv = NSS_Initialize(dir,dbprefix,dbprefix,"secmod.db",0);
+    }
+    if (rv != SECSuccess) {
+    	SECU_PrintPRandOSError(progName);
+        exit(-1);
+    }
+
+    /* setup unicode callback functions */
+    PORT_SetUCS2_ASCIIConversionFunction(p12u_ucs2_ascii_conversion_function);
+    /* use the defaults for UCS4-UTF8 and UCS2-UTF8 */
+
+    p12u_EnableAllCiphers();
+
+    return 0;
+}
+
+enum {
+    opt_CertDir = 0,
+    opt_TokenName,
+    opt_Import,
+    opt_SlotPWFile,
+    opt_SlotPW,
+    opt_List,
+    opt_Nickname,
+    opt_Export,
+    opt_Raw,
+    opt_P12FilePWFile,
+    opt_P12FilePW,
+    opt_DBPrefix,
+    opt_Debug,
+    opt_Cipher,
+    opt_CertCipher,
+    opt_KeyLength,
+    opt_CertKeyLength
+};
+
+static secuCommandFlag pk12util_options[] =
+{
+    { /* opt_CertDir	       */ 'd', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_TokenName	       */ 'h', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_Import	       */ 'i', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_SlotPWFile	       */ 'k', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_SlotPW	       */ 'K', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_List              */ 'l', PR_TRUE,  0, PR_FALSE },
+    { /* opt_Nickname	       */ 'n', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_Export	       */ 'o', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_Raw   	       */ 'r', PR_FALSE, 0, PR_FALSE },
+    { /* opt_P12FilePWFile     */ 'w', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_P12FilePW	       */ 'W', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_DBPrefix	       */ 'P', PR_TRUE,	 0, PR_FALSE },
+    { /* opt_Debug	       */ 'v', PR_FALSE, 0, PR_FALSE },
+    { /* opt_Cipher	       */ 'c', PR_TRUE,  0, PR_FALSE },
+    { /* opt_CertCipher	       */ 'C', PR_TRUE,  0, PR_FALSE },
+    { /* opt_KeyLength         */ 'm', PR_TRUE,  0, PR_FALSE, "key_len" },
+    { /* opt_CertKeyLength     */ 'n', PR_TRUE,  0, PR_FALSE, "cert_key_len" }
+};
+
+int
+main(int argc, char **argv)
+{
+    secuPWData slotPw = { PW_NONE, NULL };
+    secuPWData p12FilePw = { PW_NONE, NULL };
+    PK11SlotInfo *slot;
+    char *slotname = NULL;
+    char *import_file = NULL;
+    char *export_file = NULL;
+    char *dbprefix = "";
+    SECStatus rv;
+    SECOidTag cipher = 
+            SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
+    SECOidTag certCipher;
+    int keyLen = 0;
+    int certKeyLen = 0;
+
+    secuCommand pk12util;
+    pk12util.numCommands = 0;
+    pk12util.commands = 0;
+    pk12util.numOptions = sizeof(pk12util_options) / sizeof(secuCommandFlag);
+    pk12util.options = pk12util_options;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &pk12util);
+
+    if (rv != SECSuccess)
+	Usage(progName);
+
+    pk12_debugging = pk12util.options[opt_Debug].activated;
+
+    if ((pk12util.options[opt_Import].activated +
+	pk12util.options[opt_Export].activated +
+        pk12util.options[opt_List].activated) != 1) {
+	Usage(progName);
+    }
+
+    if (pk12util.options[opt_Export].activated &&
+       !pk12util.options[opt_Nickname].activated) {
+	Usage(progName);
+    }
+
+    slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
+
+    import_file = (pk12util.options[opt_List].activated) ?
+                    SECU_GetOptionArg(&pk12util, opt_List) :
+                    SECU_GetOptionArg(&pk12util, opt_Import);
+    export_file = SECU_GetOptionArg(&pk12util, opt_Export);
+
+    if (pk12util.options[opt_P12FilePWFile].activated) {
+	p12FilePw.source = PW_FROMFILE;
+	p12FilePw.data = PL_strdup(pk12util.options[opt_P12FilePWFile].arg);
+    }
+
+    if (pk12util.options[opt_P12FilePW].activated) {
+	p12FilePw.source = PW_PLAINTEXT;
+	p12FilePw.data = PL_strdup(pk12util.options[opt_P12FilePW].arg);
+    }
+
+    if (pk12util.options[opt_SlotPWFile].activated) {
+	slotPw.source = PW_FROMFILE;
+	slotPw.data = PL_strdup(pk12util.options[opt_SlotPWFile].arg);
+    }
+
+    if (pk12util.options[opt_SlotPW].activated) {
+	slotPw.source = PW_PLAINTEXT;
+	slotPw.data = PL_strdup(pk12util.options[opt_SlotPW].arg);
+    }
+
+    if (pk12util.options[opt_CertDir].activated) {
+	SECU_ConfigDirectory(pk12util.options[opt_CertDir].arg);
+    }
+    if (pk12util.options[opt_DBPrefix].activated) {
+    	dbprefix = pk12util.options[opt_DBPrefix].arg;
+    }
+    if (pk12util.options[opt_Raw].activated) {
+    	dumpRawFile = PR_TRUE;
+    }
+    if (pk12util.options[opt_KeyLength].activated) {
+    	keyLen = atoi(pk12util.options[opt_KeyLength].arg);
+    }
+    if (pk12util.options[opt_CertKeyLength].activated) {
+    	certKeyLen = atoi(pk12util.options[opt_CertKeyLength].arg);
+    }
+		
+    P12U_Init(SECU_ConfigDirectory(NULL), dbprefix,
+                pk12util.options[opt_List].activated);
+
+    if (!slotname || PL_strcmp(slotname, "internal") == 0)
+	slot = PK11_GetInternalKeySlot();
+    else
+	slot = PK11_FindSlotByName(slotname);
+
+    if (!slot) {
+	SECU_PrintError(progName,"Invalid slot \"%s\"", slotname);
+	pk12uErrno = PK12UERR_PK11GETSLOT;
+	goto done;
+    }
+
+    if (pk12util.options[opt_Cipher].activated) {
+	char *cipherString = pk12util.options[opt_Cipher].arg;
+
+	cipher = PKCS12U_MapCipherFromString(cipherString, keyLen);
+	/* We only want encryption PBE's. make sure we don't have
+	 * any MAC pbes */
+	if (cipher == SEC_OID_UNKNOWN) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
+	    pk12uErrno = PK12UERR_INVALIDALGORITHM;
+	    goto done;
+	}
+    }
+
+    certCipher = PK11_IsFIPS() ? SEC_OID_UNKNOWN :
+                SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+    if (pk12util.options[opt_CertCipher].activated) {
+	char *cipherString = pk12util.options[opt_CertCipher].arg;
+
+	if (PORT_Strcasecmp(cipherString, "none") == 0) {
+	    certCipher = SEC_OID_UNKNOWN;
+	} else {
+	    certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen);
+	    /* If the user requested a cipher and we didn't find it, then
+	     * don't just silently not encrypt. */
+	    if (cipher == SEC_OID_UNKNOWN) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
+		pk12uErrno = PK12UERR_INVALIDALGORITHM;
+		goto done;
+	    }
+	}
+    }
+	   
+
+    if (pk12util.options[opt_Import].activated) {
+	P12U_ImportPKCS12Object(import_file, slot,  &slotPw,
+					   &p12FilePw);
+
+    } else if (pk12util.options[opt_Export].activated) {
+	P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
+			export_file, slot, cipher, certCipher, 
+			&slotPw, &p12FilePw);
+        
+    } else if (pk12util.options[opt_List].activated) {
+	P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
+                                           
+    } else {
+	Usage(progName);
+	pk12uErrno = PK12UERR_USAGE;
+    }
+
+done:
+    if (slotPw.data != NULL)
+	PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
+    if (p12FilePw.data != NULL)
+	PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
+    if (slot) PK11_FreeSlot(slot);
+    if (NSS_Shutdown() != SECSuccess) {
+	pk12uErrno = 1;
+    }
+    return pk12uErrno;
+}
diff --git a/security/nss/cmd/pk12util/pk12util.h b/security/nss/cmd/pk12util/pk12util.h
new file mode 100644
index 000000000..53751a33e
--- /dev/null
+++ b/security/nss/cmd/pk12util/pk12util.h
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * ERROR codes in pk12util
+ * - should be organized better later
+ */
+#define PK12UERR_USER_CANCELLED 1
+#define PK12UERR_USAGE 2
+#define PK12UERR_CERTDB_OPEN 8
+#define PK12UERR_KEYDB_OPEN 9
+#define PK12UERR_INIT_FILE 10
+#define PK12UERR_UNICODECONV 11
+#define PK12UERR_TMPDIGCREATE 12
+#define PK12UERR_PK11GETSLOT 13
+#define PK12UERR_PK12DECODESTART 14
+#define PK12UERR_IMPORTFILEREAD 15
+#define PK12UERR_DECODE 16
+#define PK12UERR_DECODEVERIFY 17
+#define PK12UERR_DECODEVALIBAGS 18
+#define PK12UERR_DECODEIMPTBAGS 19
+#define PK12UERR_CERTALREADYEXISTS 20
+#define PK12UERR_PATCHDB 22
+#define PK12UERR_GETDEFCERTDB 23
+#define PK12UERR_FINDCERTBYNN 24
+#define PK12UERR_EXPORTCXCREATE 25
+#define PK12UERR_PK12ADDPWDINTEG 26
+#define PK12UERR_CERTKEYSAFE 27
+#define PK12UERR_ADDCERTKEY 28
+#define PK12UERR_ENCODE 29
+#define PK12UERR_INVALIDALGORITHM 30
+
+
+/* additions for importing and exporting PKCS 12 files */
+typedef struct p12uContextStr {
+    char        *filename;    /* name of file */
+	PRFileDesc  *file;        /* pointer to file */
+	PRBool       error;       /* error occurred? */
+	int          errorValue;  /* which error occurred? */
+} p12uContext;
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
new file mode 100644
index 000000000..284ad5fc1
--- /dev/null
+++ b/security/nss/cmd/platlibs.mk
@@ -0,0 +1,269 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# set RPATH-type linker instructions here so they can be used in the shared
+# version and in the mixed (static nss libs/shared NSPR libs) version.
+
+ifeq ($(OS_ARCH), SunOS) 
+ifeq ($(BUILD_SUN_PKG), 1)
+ifeq ($(USE_64), 1)
+EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
+else
+EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
+endif
+else
+EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib'
+endif
+endif
+
+ifeq ($(OS_ARCH), Linux)
+ifeq ($(USE_64), 1)
+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
+else
+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
+endif
+endif
+
+ifeq ($(OS_ARCH), HP-UX) 
+ifeq ($(OS_TEST), ia64)
+EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
+else
+# pa-risc
+ifeq ($(USE_64), 1)
+EXTRA_SHARED_LIBS += \
+-Wl,+b,'$$ORIGIN/../../lib/pa20_64:$$ORIGIN/../../lib/64:$$ORIGIN/../lib'
+else
+EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
+endif
+endif
+endif
+
+SQLITE=-lsqlite3
+
+ifdef USE_STATIC_LIBS
+
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+ifeq ($(OS_ARCH), WINNT)
+
+DEFINES += -DNSS_USE_STATIC_LIBS
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/crypto.lib
+endif
+ifdef MOZILLA_BSAFE_BUILD
+	CRYPTOLIB+=$(DIST)/lib/bsafe$(BSAFEVER).lib
+	CRYPTOLIB+=$(DIST)/lib/freebl.lib
+endif
+
+PKIXLIB = \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sqlite3.$(LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
+	$(NULL)
+
+# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
+#OS_LIBS += \
+	wsock32.lib \
+	winmm.lib \
+	$(NULL)
+else
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+endif
+ifdef MOZILLA_BSAFE_BUILD
+	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
+	CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+endif
+
+PKIXLIB = \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(NULL)
+
+ifeq ($(OS_ARCH), AIX) 
+EXTRA_SHARED_LIBS += -brtl 
+endif
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	$(SQLITE) \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET), SunOS)
+OS_LIBS += -lbsm
+endif
+
+else # USE_STATIC_LIBS
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+ifeq ($(OS_ARCH), WINNT)
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
+	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
+	$(NULL)
+
+# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
+#OS_LIBS += \
+	wsock32.lib \
+	winmm.lib \
+	$(NULL)
+else
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+
+ifeq ($(OS_ARCH), AIX) 
+EXTRA_SHARED_LIBS += -brtl 
+endif
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lssl3 \
+	-lsmime3 \
+	-lnss3 \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+endif # USE_STATIC_LIBS
+
+# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
+# ZLIB_LIBS to the linker command-line arguments for the system zlib
+# (for example, -lz) in the platform's config file in coreconf.
+ifndef USE_SYSTEM_ZLIB
+ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
+endif
+
+JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
+	$(ZLIB_LIBS) \
+	$(NULL)
diff --git a/security/nss/cmd/platrules.mk b/security/nss/cmd/platrules.mk
new file mode 100644
index 000000000..f32a75d18
--- /dev/null
+++ b/security/nss/cmd/platrules.mk
@@ -0,0 +1,51 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+show:
+	@echo "DEFINES 		= ${DEFINES}"
+	@echo "EXTRA_LIBS	= >$(EXTRA_LIBS)<"
+	@echo "IMPORT_LIBRARY 	= $(IMPORT_LIBRARY)"
+	@echo "LIBRARY 		= $(LIBRARY)"
+	@echo "OBJS 		= $(OBJS)"
+	@echo "OS_ARCH 		= $(OS_ARCH)"
+	@echo "PROGRAM 		= >$(PROGRAM)<"
+	@echo "PROGRAMS 	= $(PROGRAMS)"
+	@echo "SHARED_LIBRARY 	= $(SHARED_LIBRARY)"
+	@echo "TARGETS 		= >$(TARGETS)<"
+
+showplatform:
+	@echo $(PLATFORM)
diff --git a/security/nss/cmd/pp/Makefile b/security/nss/cmd/pp/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/pp/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/pp/manifest.mn b/security/nss/cmd/pp/manifest.mn
new file mode 100644
index 000000000..698a1e7f7
--- /dev/null
+++ b/security/nss/cmd/pp/manifest.mn
@@ -0,0 +1,51 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = pp.c
+
+PROGRAM	= pp
diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c
new file mode 100644
index 000000000..e29eaff8f
--- /dev/null
+++ b/security/nss/cmd/pp/pp.c
@@ -0,0 +1,190 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Pretty-print some well-known BER or DER encoded data (e.g. certificates,
+ * keys, pkcs7)
+ *
+ * $Id$
+ */
+
+#include "secutil.h"
+
+#if defined(__sun) && !defined(SVR4)
+extern int fprintf(FILE *, char *, ...);
+#endif
+
+#include "plgetopt.h"
+
+#include "pk11func.h"
+#include "nspr.h"
+#include "nss.h"
+
+static void Usage(char *progName)
+{
+    fprintf(stderr,
+	    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
+	    progName);
+    fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
+	    "-t type", SEC_CT_PRIVATE_KEY);
+    fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
+	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
+    fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);    
+    fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
+	    "-a");
+    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
+	    "-i input");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    exit(-1);
+}
+
+int main(int argc, char **argv)
+{
+    int rv, ascii;
+    char *progName;
+    FILE *outFile;
+    PRFileDesc *inFile;
+    SECItem der, data;
+    char *typeTag;
+    PLOptState *optstate;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    ascii = 0;
+    inFile = 0;
+    outFile = 0;
+    typeTag = 0;
+    optstate = PL_CreateOptState(argc, argv, "at:i:o:");
+    while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
+	switch (optstate->option) {
+	  case '?':
+	    Usage(progName);
+	    break;
+
+	  case 'a':
+	    ascii = 1;
+	    break;
+
+	  case 'i':
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+	    if (!inFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 'o':
+	    outFile = fopen(optstate->value, "w");
+	    if (!outFile) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		return -1;
+	    }
+	    break;
+
+	  case 't':
+	    typeTag = strdup(optstate->value);
+	    break;
+	}
+    }
+    PL_DestroyOptState(optstate);
+    if (!typeTag) Usage(progName);
+
+    if (!inFile) inFile = PR_STDIN;
+    if (!outFile) outFile = stdout;
+
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_NoDB_Init(NULL);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: NSS_NoDB_Init failed (%s)\n",
+		progName, SECU_Strerror(PORT_GetError()));
+	exit(1);
+    }
+    SECU_RegisterDynamicOids();
+
+    rv = SECU_ReadDERFromFile(&der, inFile, ascii);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
+	exit(1);
+    }
+
+    /* Data is untyped, using the specified type */
+    data.data = der.data;
+    data.len = der.len;
+
+    /* Pretty print it */
+    if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
+	rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
+			     SECU_PrintCertificate);
+    } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
+	rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
+			     SECU_PrintCertificateRequest);
+    } else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) {
+	rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl);
+#ifdef HAVE_EPV_TEMPLATE
+    } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
+	rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
+#endif
+    } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
+	rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
+    } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
+	rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
+					"PKCS #7 Content Info", 0);
+    } else {
+	fprintf(stderr, "%s: don't know how to print out '%s' files\n",
+		progName, typeTag);
+	SECU_PrintAny(outFile, &data, "File contains", 0);
+	return -1;
+    }
+
+    if (inFile != PR_STDIN)
+	PR_Close(inFile);
+    PORT_Free(der.data);
+    if (rv) {
+	fprintf(stderr, "%s: problem converting data (%s)\n",
+		progName, SECU_Strerror(PORT_GetError()));
+    }
+    if (NSS_Shutdown() != SECSuccess) {
+	fprintf(stderr, "%s: NSS_Shutdown failed (%s)\n",
+		progName, SECU_Strerror(PORT_GetError()));
+	rv = SECFailure;
+    }
+    PR_Cleanup();
+    return rv;
+}
diff --git a/security/nss/cmd/pwdecrypt/Makefile b/security/nss/cmd/pwdecrypt/Makefile
new file mode 100644
index 000000000..4d209348e
--- /dev/null
+++ b/security/nss/cmd/pwdecrypt/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
diff --git a/security/nss/cmd/pwdecrypt/manifest.mn b/security/nss/cmd/pwdecrypt/manifest.mn
new file mode 100644
index 000000000..f0d6c4e6e
--- /dev/null
+++ b/security/nss/cmd/pwdecrypt/manifest.mn
@@ -0,0 +1,58 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	pwdecrypt.c \
+	$(NULL)
+
+# headers for the MODULE (defined above) are implicitly required.
+REQUIRES = dbm seccmd
+
+# WINNT uses EXTRA_LIBS as the list of libs to link in.
+# Unix uses     OS_LIBS for that purpose.
+# We can solve this via conditional makefile code, but 
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+# So, look in the local Makefile for the defines for the list of libs.
+
+PROGRAM = pwdecrypt
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pwdecrypt/pwdecrypt.c b/security/nss/cmd/pwdecrypt/pwdecrypt.c
new file mode 100644
index 000000000..6a23238dd
--- /dev/null
+++ b/security/nss/cmd/pwdecrypt/pwdecrypt.c
@@ -0,0 +1,374 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Test program for SDR (Secret Decoder Ring) functions.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "string.h"
+#include "nss.h"
+#include "secutil.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "nssb64.h"
+
+#include "plgetopt.h"
+#include "pk11sdr.h"
+
+#define DEFAULT_VALUE "Test"
+
+static void
+synopsis (char *program_name)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+    PR_fprintf (pr_stderr,
+	"Usage:\t%s [-i <input-file>] [-o <output-file>] [-d <dir>]\n"
+        "      \t[-l logfile] [-p pwd] [-f pwfile]\n", program_name);
+}
+
+
+static void
+short_usage (char *program_name)
+{
+    PR_fprintf (PR_STDERR,
+		"Type %s -H for more detailed descriptions\n",
+		program_name);
+    synopsis (program_name);
+}
+
+
+static void
+long_usage (char *program_name)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+    synopsis (program_name);
+    PR_fprintf (pr_stderr, "\nDecode encrypted passwords (and other data).\n");
+    PR_fprintf (pr_stderr, 
+	"This program reads in standard configuration files looking\n"
+	"for base 64 encoded data. Data that looks like it's base 64 encode\n"
+	"is decoded an passed to the NSS SDR code. If the decode and decrypt\n"
+	"is successful, then decrypted data is outputted in place of the\n"
+	"original base 64 data. If the decode or decrypt fails, the original\n"
+	"data is written and the reason for failure is logged to the \n"
+	"optional logfile.\n");
+    PR_fprintf (pr_stderr,
+		"  %-13s Read stream including encrypted data from "
+	        "\"read_file\"\n",
+		"-i read_file");
+    PR_fprintf (pr_stderr,
+		"  %-13s Write results to \"write_file\"\n",
+		"-o write_file");
+    PR_fprintf (pr_stderr,
+		"  %-13s Find security databases in \"dbdir\"\n",
+		"-d dbdir");
+    PR_fprintf (pr_stderr,
+		"  %-13s Log failed decrypt/decode attempts to \"log_file\"\n",
+		"-l log_file");
+    PR_fprintf (pr_stderr,
+		"  %-13s Token password\n",
+		"-p pwd");
+    PR_fprintf (pr_stderr,
+		"  %-13s Password file\n",
+		"-f pwfile");
+}
+
+/*
+ * base64 table only used to identify the end of a base64 string 
+ */
+static unsigned char b64[256] = {
+/*   0: */        0,      0,      0,      0,      0,      0,      0,      0,
+/*   8: */        0,      0,      0,      0,      0,      0,      0,      0,
+/*  16: */        0,      0,      0,      0,      0,      0,      0,      0,
+/*  24: */        0,      0,      0,      0,      0,      0,      0,      0,
+/*  32: */        0,      0,      0,      0,      0,      0,      0,      0,
+/*  40: */        0,      0,      0,      1,      0,      0,      0,      1,
+/*  48: */        1,      1,      1,      1,      1,      1,      1,      1,
+/*  56: */        1,      1,      0,      0,      0,      0,      0,      0,
+/*  64: */        0,      1,      1,      1,      1,      1,      1,      1,
+/*  72: */        1,      1,      1,      1,      1,      1,      1,      1,
+/*  80: */        1,      1,      1,      1,      1,      1,      1,      1,
+/*  88: */        1,      1,      1,      0,      0,      0,      0,      0,
+/*  96: */        0,      1,      1,      1,      1,      1,      1,      1,
+/* 104: */        1,      1,      1,      1,      1,      1,      1,      1,
+/* 112: */        1,      1,      1,      1,      1,      1,      1,      1,
+/* 120: */        1,      1,      1,      0,      0,      0,      0,      0,
+/* 128: */        0,      0,      0,      0,      0,      0,      0,      0
+};
+
+enum {
+   false = 0,
+   true = 1
+} bool;
+
+int
+isatobchar(int c) { return b64[c] != 0; }
+
+
+#define MAX_STRING 256
+int
+getData(FILE *inFile,char **inString) {
+    int len = 0;
+    int space = MAX_STRING;
+    int oneequal = false;
+    int c;
+    char *string = (char *) malloc(space);
+
+    string[len++]='M';
+
+    while ((c = getc(inFile)) != EOF) {
+	if (len >= space) {
+	    char *newString;
+
+	    space *= 2;
+	    newString = (char *)realloc(string,space);
+	    if (newString == NULL) {
+		ungetc(c,inFile);
+		break;
+	    }
+	    string = newString;
+	}
+	string[len++] = c;
+	if (!isatobchar(c)) {
+	   if (c == '=') {
+		if (oneequal) {
+		    break;
+		}
+		oneequal = true;
+		continue;
+	   } else {
+	       ungetc(c,inFile);
+	       len--;
+	       break;
+	   }
+	}
+	if (oneequal) {
+	   ungetc(c,inFile);
+	   len--;
+	   break;
+	}
+    }
+    if (len >= space) {
+	space += 2;
+	string = (char *)realloc(string,space);
+    }
+    string[len++] = 0;
+    *inString = string;
+    return true;
+}
+
+int
+main (int argc, char **argv)
+{
+    int		 retval = 0;  /* 0 - test succeeded.  -1 - test failed */
+    SECStatus	 rv;
+    PLOptState	*optstate;
+    char	*program_name;
+    char  *input_file = NULL; 	/* read encrypted data from here (or create) */
+    char  *output_file = NULL;	/* write new encrypted data here */
+    char  *log_file = NULL;	/* write new encrypted data here */
+    FILE	*inFile = stdin;
+    FILE	*outFile = stdout;
+    FILE	*logFile = NULL;
+    PLOptStatus optstatus;
+    SECItem	result;
+    int		c;
+    secuPWData  pwdata = { PW_NONE, NULL };
+
+    result.data = 0;
+
+    program_name = PL_strrchr(argv[0], '/');
+    program_name = program_name ? (program_name + 1) : argv[0];
+
+    optstate = PL_CreateOptState (argc, argv, "Hd:f:i:o:l:p:?");
+    if (optstate == NULL) {
+	SECU_PrintError (program_name, "PL_CreateOptState failed");
+	return 1;
+    }
+
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    short_usage (program_name);
+	    return 1;
+
+	  case 'H':
+	    long_usage (program_name);
+	    return 1;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+          case 'i':
+            input_file = PL_strdup(optstate->value);
+            break;
+
+          case 'o':
+            output_file = PL_strdup(optstate->value);
+            break;
+
+          case 'l':
+            log_file = PL_strdup(optstate->value);
+            break;
+
+          case 'f':
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = PL_strdup(optstate->value);
+            break;
+
+          case 'p':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = PL_strdup(optstate->value);
+            break;
+
+	}
+    }
+    PL_DestroyOptState(optstate);
+    if (optstatus == PL_OPT_BAD) {
+	short_usage (program_name);
+	return 1;
+    }
+
+    if (input_file) {
+      inFile = fopen(input_file,"r");
+      if (inFile == NULL) {
+	perror(input_file);
+	return 1;
+      }
+      PR_Free(input_file);
+    }
+    if (output_file) {
+      outFile = fopen(output_file,"w+");
+      if (outFile == NULL) {
+	perror(output_file);
+	return 1;
+      }
+      PR_Free(output_file);
+    }
+    if (log_file) {
+      logFile = fopen(log_file,"w+");
+      if (logFile == NULL) {
+	perror(log_file);
+	return 1;
+      }
+      PR_Free(log_file);
+    }
+
+    /*
+     * Initialize the Security libraries.
+     */
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+    rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    if (rv != SECSuccess) {
+	SECU_PrintError (program_name, "NSS_Init failed");
+	retval = 1;
+	goto prdone;
+    }
+
+    /* Get the encrypted result, either from the input file
+     * or from encrypting the plaintext value
+     */
+
+    while ((c = getc(inFile)) != EOF) {
+	if (c == 'M') {
+	   char *dataString = NULL;
+	   SECItem *inText;
+
+	   rv = getData(inFile, &dataString);
+	   if (!rv) {
+		fputs(dataString,outFile);
+		free(dataString);
+		continue;
+	   }
+	   inText = NSSBase64_DecodeBuffer(NULL, NULL, dataString,
+							strlen(dataString));
+	   if ((inText == NULL) || (inText->len == 0)) {
+		if (logFile) {
+		    fprintf(logFile,"Base 64 decode failed on <%s>\n",
+								dataString);
+		    fprintf(logFile," Error %x: %s\n",PORT_GetError(),
+			SECU_Strerror(PORT_GetError()));
+		}
+		fputs(dataString,outFile);
+		free(dataString);
+		continue;
+	   }
+	   result.data = NULL;
+	   result.len  = 0;
+	   rv = PK11SDR_Decrypt(inText, &result, &pwdata);
+	   SECITEM_FreeItem(inText, PR_TRUE);
+	   if (rv != SECSuccess) {
+		if (logFile) {
+		    fprintf(logFile,"SDR decrypt failed on <%s>\n",
+								dataString);
+		    fprintf(logFile," Error %x: %s\n",PORT_GetError(),
+			SECU_Strerror(PORT_GetError()));
+		}
+		fputs(dataString,outFile);
+		free(dataString);
+		SECITEM_ZfreeItem(&result, PR_FALSE);
+		continue;
+	   }
+	   /* result buffer has no extra space for a NULL */
+	   fprintf(outFile, "%.*s", result.len, result.data);
+	   SECITEM_ZfreeItem(&result, PR_FALSE);
+         } else {
+	   putc(c,outFile);
+         }
+    }
+
+    fclose(outFile);
+    fclose(inFile);
+    if (logFile) {
+	fclose(logFile);
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+	SECU_PrintError (program_name, "NSS_Shutdown failed");
+       exit(1);
+    }
+
+prdone:
+    PR_Cleanup ();
+    return retval;
+}
diff --git a/security/nss/cmd/rsaperf/Makefile b/security/nss/cmd/rsaperf/Makefile
new file mode 100644
index 000000000..7df60581b
--- /dev/null
+++ b/security/nss/cmd/rsaperf/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/rsaperf/defkey.c b/security/nss/cmd/rsaperf/defkey.c
new file mode 100644
index 000000000..1cc04c785
--- /dev/null
+++ b/security/nss/cmd/rsaperf/defkey.c
@@ -0,0 +1,325 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* This key is the 1024-bit test key used for speed testing of RSA private 
+** key ops.
+*/
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+
+#undef CONST
+#define CONST
+
+static CONST unsigned char default_n1024[128] = {
+0xc2,0xae,0x96,0x89,0xaf,0xce,0xd0,0x7b,0x3b,0x35,0xfd,0x0f,0xb1,0xf4,0x7a,0xd1,
+0x3c,0x7d,0xb5,0x86,0xf2,0x68,0x36,0xc9,0x97,0xe6,0x82,0x94,0x86,0xaa,0x05,0x39,
+0xec,0x11,0x51,0xcc,0x5c,0xa1,0x59,0xba,0x29,0x18,0xf3,0x28,0xf1,0x9d,0xe3,0xae,
+0x96,0x5d,0x6d,0x87,0x73,0xf6,0xf6,0x1f,0xd0,0x2d,0xfb,0x2f,0x7a,0x13,0x7f,0xc8,
+0x0c,0x7a,0xe9,0x85,0xfb,0xce,0x74,0x86,0xf8,0xef,0x2f,0x85,0x37,0x73,0x0f,0x62,
+0x4e,0x93,0x17,0xb7,0x7e,0x84,0x9a,0x94,0x11,0x05,0xca,0x0d,0x31,0x4b,0x2a,0xc8,
+0xdf,0xfe,0xe9,0x0c,0x13,0xc7,0xf2,0xad,0x19,0x64,0x28,0x3c,0xb5,0x6a,0xc8,0x4b,
+0x79,0xea,0x7c,0xce,0x75,0x92,0x45,0x3e,0xa3,0x9d,0x64,0x6f,0x04,0x69,0x19,0x17
+};
+
+static CONST unsigned char default_e1024[3] = { 0x01,0x00,0x01 };
+
+static CONST unsigned char default_d1024[128] = {
+0x13,0xcb,0xbc,0xf2,0xf3,0x35,0x8c,0x6d,0x7b,0x6f,0xd9,0xf3,0xa6,0x9c,0xbd,0x80,
+0x59,0x2e,0x4f,0x2f,0x11,0xa7,0x17,0x2b,0x18,0x8f,0x0f,0xe8,0x1a,0x69,0x5f,0x6e,
+0xac,0x5a,0x76,0x7e,0xd9,0x4c,0x6e,0xdb,0x47,0x22,0x8a,0x57,0x37,0x7a,0x5e,0x94,
+0x7a,0x25,0xb5,0xe5,0x78,0x1d,0x3c,0x99,0xaf,0x89,0x7d,0x69,0x2e,0x78,0x9d,0x1d,
+0x84,0xc8,0xc1,0xd7,0x1a,0xb2,0x6d,0x2d,0x8a,0xd9,0xab,0x6b,0xce,0xae,0xb0,0xa0,
+0x58,0x55,0xad,0x5c,0x40,0x8a,0xd6,0x96,0x08,0x8a,0xe8,0x63,0xe6,0x3d,0x6c,0x20,
+0x49,0xc7,0xaf,0x0f,0x25,0x73,0xd3,0x69,0x43,0x3b,0xf2,0x32,0xf8,0x3d,0x5e,0xee,
+0x7a,0xca,0xd6,0x94,0x55,0xe5,0xbd,0x25,0x34,0x8d,0x63,0x40,0xb5,0x8a,0xc3,0x01
+};
+
+static CONST unsigned char default_p1024[64] = {
+0xf6,0x3c,0x3f,0x56,0x58,0x4f,0xb3,0x82,0x0c,0xf0,0x5b,0x42,0x36,0x1c,0x93,0xde,
+0x9b,0x32,0x01,0xb1,0x48,0xf8,0x00,0x57,0x9b,0xc1,0xbe,0x66,0xc2,0xbb,0xea,0x7c,
+0x75,0x29,0x2c,0x22,0xaa,0x7c,0xaf,0xbd,0x0d,0x3f,0xb0,0x64,0x97,0xf0,0x88,0x25,
+0xcb,0x8d,0xc7,0x19,0x0a,0x75,0x44,0xa4,0x5a,0xc3,0xb5,0xb9,0x85,0xea,0x27,0xa7
+};
+
+static CONST unsigned char default_q1024[64] = {
+0xca,0x66,0xfa,0x18,0x6a,0x46,0x36,0x1c,0x46,0xfe,0x47,0xe9,0x7e,0x52,0x83,0x8a,
+0xbb,0x72,0x13,0xcc,0x83,0x56,0x3d,0x64,0x22,0xdd,0xfa,0x7c,0x61,0x99,0xea,0xa4,
+0xb3,0x0e,0x8f,0x79,0x10,0xab,0xba,0x4a,0x73,0xd1,0x48,0x40,0x34,0x34,0xd3,0xd2,
+0x54,0x92,0xbe,0xf5,0xc8,0xc4,0x60,0x5f,0xd3,0xf7,0xce,0xbe,0x60,0x3e,0xb1,0x11
+};
+
+static CONST unsigned char default_dModP1024[64] = {
+0x8e,0x80,0xbf,0x87,0x11,0x04,0xcf,0x36,0x6c,0x96,0x8d,0xb9,0xfb,0xe6,0xfe,0x0c,
+0xce,0x74,0x5a,0x56,0x67,0x8c,0x5f,0x66,0x54,0x56,0x04,0x03,0x24,0x9f,0xec,0x4c,
+0xaa,0xe1,0x71,0x11,0x7e,0xe9,0x3a,0x2b,0x87,0x07,0x5c,0xe6,0x5a,0xa8,0x71,0xa2,
+0xad,0xf3,0x17,0x4e,0x7e,0xa6,0xef,0x5a,0xce,0xcc,0x84,0xd7,0x21,0x91,0x29,0xf1
+};
+
+static CONST unsigned char default_dModQ1024[64] = {
+0x87,0x60,0x1d,0x02,0xdb,0x82,0x1e,0x8b,0x07,0x48,0xe8,0x5c,0x59,0xeb,0x62,0xa4,
+0x15,0xff,0x95,0x12,0x82,0xfd,0xd9,0x8d,0xf2,0x6c,0x3a,0x2f,0x9b,0x30,0x51,0x6a,
+0xdb,0x80,0x6f,0xa1,0xef,0xee,0x8c,0x69,0x63,0xd1,0xa4,0xdb,0x9c,0x8f,0x80,0xe5,
+0xfb,0x3f,0x33,0x8e,0x3d,0x3c,0x6b,0xa1,0x6c,0xab,0x20,0x92,0xe0,0xd8,0xcd,0xa1
+};
+
+static CONST unsigned char default_qInvModP1024[64] = {
+0xce,0xcf,0x5a,0xad,0xc4,0x8c,0x44,0x91,0x3a,0xbc,0x7b,0xf8,0x80,0xf8,0x53,0xf5,
+0x12,0x84,0x8c,0x9c,0x6b,0x33,0x93,0x0d,0xa1,0x11,0xea,0xfa,0x4a,0xc1,0xeb,0x48,
+0xdc,0x44,0x86,0x93,0x1b,0x98,0xc7,0x82,0x22,0x68,0x30,0x44,0xd7,0x62,0x1b,0x90,
+0x54,0x07,0x4b,0x66,0xa7,0xc5,0x75,0x5a,0x72,0x77,0x92,0xdd,0x6c,0xf3,0x37,0xab
+};
+
+static CONST unsigned char default_n2048[256] = {
+0xb3,0x9b,0x57,0x2c,0x15,0xdf,0x6c,0x6b,0xfc,0x04,0x83,0x02,0xf5,0xb3,0x2c,0x87,
+0x1b,0x9c,0xbf,0x6c,0x46,0x1d,0xdd,0xe2,0xc0,0x6d,0xfe,0xf9,0x00,0xd1,0x85,0x91,
+0x17,0x0d,0x43,0x67,0xa1,0x1f,0x8b,0xcd,0x22,0x8a,0x93,0xdc,0x9f,0xf0,0x45,0x9e,
+0x58,0x0f,0x99,0x87,0xe6,0x60,0xdf,0x8c,0x1a,0xa3,0x8f,0xc3,0x6c,0xa0,0x49,0x3a,
+0xdb,0x7f,0xd0,0xda,0x48,0x47,0xe3,0xd6,0x1f,0x29,0xcb,0xf2,0x1d,0xf3,0x81,0xd0,
+0x4d,0xf1,0x64,0xcf,0x42,0x8e,0x0f,0xe0,0x10,0x18,0x4c,0x75,0xce,0x96,0x09,0x2e,
+0x52,0xa6,0x96,0xa9,0xe1,0xab,0x3e,0x6f,0xa5,0xd3,0xee,0xd8,0xb2,0x4f,0x17,0x08,
+0x6d,0x43,0xd4,0xb3,0x1c,0x8a,0x4a,0x43,0x06,0xb5,0xab,0xfb,0xf4,0x34,0x2f,0x2f,
+0xe1,0x43,0x7b,0xe0,0x93,0xd0,0xaa,0x42,0xa3,0xb7,0xb7,0x43,0x52,0xeb,0xf3,0x64,
+0x9a,0xbc,0xa7,0xf2,0x39,0xad,0xe4,0x62,0x7d,0xbc,0x31,0x8f,0xbf,0x59,0x93,0x62,
+0x88,0xc5,0xd1,0x62,0x2d,0xe3,0xc7,0x75,0xf9,0xb8,0x00,0x96,0xe0,0x05,0x87,0x35,
+0x86,0x5d,0xeb,0x7c,0x20,0xf6,0xb2,0xb1,0x65,0x1f,0xdc,0x74,0xec,0xf4,0x0e,0xd1,
+0xf2,0x2d,0x06,0x47,0x02,0xc5,0x18,0xdb,0x19,0xb9,0x1b,0x40,0x90,0xc8,0x74,0x5c,
+0xf6,0xe8,0x17,0x64,0xf4,0xcf,0xd3,0x17,0xeb,0xd6,0x0d,0x2b,0xec,0x2a,0x9b,0xcf,
+0xc4,0xf5,0xcc,0x9a,0xc3,0x5c,0x2e,0xf1,0x98,0x25,0x2b,0xe4,0x01,0x02,0x15,0x36,
+0xe1,0xe0,0x2b,0xbe,0xdf,0x23,0xf1,0xde,0x2f,0x1b,0xbb,0x44,0xa7,0x12,0x2c,0x9d
+};
+
+static CONST unsigned char default_e2048[3] = { 0x01,0x00,0x01 };
+
+static CONST unsigned char default_d2048[256] = {
+0x0f,0x03,0x3f,0x08,0x1a,0x53,0xf0,0x96,0x1e,0x1c,0xaa,0x6e,0xc6,0xe6,0xd1,0x24,
+0x01,0xf4,0xda,0x33,0x4c,0xb1,0x16,0x68,0xeb,0xb8,0xc6,0x05,0x3e,0x42,0x45,0x2d,
+0xd9,0x85,0x6c,0x4a,0xef,0x36,0xd9,0xd2,0xad,0xbe,0x73,0x99,0x8f,0x6c,0xe0,0x04,
+0xda,0x4b,0x83,0x83,0xce,0x87,0xee,0x67,0xa1,0x9a,0x66,0x5b,0xe9,0x6a,0x84,0x74,
+0x7d,0x00,0x74,0x0e,0xaa,0xd8,0x07,0x7d,0x50,0x61,0x88,0x00,0x96,0xec,0x51,0xbf,
+0x7d,0xa4,0x5d,0xce,0xcd,0x3b,0x5e,0xac,0x55,0xec,0x12,0x08,0x0e,0xda,0x8f,0xad,
+0xe5,0x8e,0xb3,0x2d,0x44,0x05,0xb2,0x54,0x56,0xc2,0x1e,0x46,0xd2,0xb0,0xb5,0xb6,
+0x28,0x9b,0xf0,0xdd,0x7f,0xd7,0x37,0x59,0xde,0xe7,0xb4,0x96,0x7c,0xd5,0x17,0xd4,
+0x7e,0xe0,0xcb,0xb3,0x3c,0x5f,0x72,0x30,0xbe,0x3c,0x81,0x82,0x8e,0xb9,0xc6,0xa7,
+0x23,0x71,0xf5,0x6f,0xd7,0x56,0xe4,0xee,0x3b,0x2d,0x8f,0x3e,0x43,0x98,0xc8,0xe8,
+0x95,0xfd,0xc3,0x73,0xd3,0x8e,0x38,0x01,0xa5,0xc6,0xbe,0x0c,0x6b,0x6b,0x4f,0x13,
+0x2f,0x66,0x8b,0x85,0xe3,0x9e,0x12,0xc0,0x52,0x60,0xec,0x4a,0xcb,0xfa,0x7e,0x7c,
+0x20,0x9a,0x11,0x16,0x1a,0xb7,0x96,0xd6,0x00,0x7a,0x04,0x7b,0x17,0xcc,0x4c,0x43,
+0xdc,0xd0,0x64,0x45,0x45,0xd3,0x21,0x06,0x8b,0xd6,0xb0,0xf0,0xbf,0x20,0x56,0xfd,
+0x11,0x9c,0x1d,0x82,0xcd,0x34,0x16,0x75,0x63,0xac,0x51,0xd5,0x55,0xb4,0x35,0x0a,
+0xc3,0x8c,0x47,0x01,0x8e,0x99,0x95,0xc5,0x99,0x21,0x79,0x66,0x1a,0xa6,0xb0,0xe9
+};
+
+static CONST unsigned char default_p2048[128] = {
+0xd7,0xaa,0xb4,0x8d,0xb1,0x23,0x67,0x80,0x7b,0x98,0xf7,0xe6,0xfd,0x6d,0x5c,0x98,
+0x34,0x89,0x97,0xbd,0xa8,0x88,0xdd,0xb3,0xe6,0xbc,0x5f,0xb8,0xd6,0xa5,0x14,0x00,
+0x4a,0x54,0x1a,0xbf,0x65,0x64,0x7d,0x39,0x55,0xff,0x27,0x0f,0x2f,0x99,0x57,0xe6,
+0x69,0x89,0x1c,0xc4,0x89,0xff,0xe4,0x1f,0xa5,0x47,0xea,0x1e,0x47,0x07,0xf7,0x46,
+0xa5,0x3a,0x25,0x70,0x9e,0x6d,0xe3,0x83,0xc1,0x9d,0x75,0xf5,0x67,0xb5,0x7f,0x5c,
+0xf8,0x24,0xff,0x85,0x11,0x53,0xff,0x0e,0xbc,0x57,0x6f,0xc7,0x2a,0x36,0xbd,0xdd,
+0x0b,0xe5,0x25,0x04,0x1f,0x48,0xbc,0xdd,0xd6,0x13,0xb8,0xe9,0xfd,0x00,0xba,0x37,
+0x13,0x63,0xc2,0xd4,0x70,0xf8,0x4b,0x09,0x71,0xa8,0xbe,0xca,0x0d,0x68,0x16,0x5f
+};
+
+static CONST unsigned char default_q2048[128] = {
+0xd5,0x32,0x38,0x82,0x14,0xed,0xd1,0x90,0x51,0xef,0x17,0xa2,0x9b,0xc3,0xb0,0x45,
+0x86,0x64,0xbe,0xce,0x8f,0x85,0x78,0x18,0x7a,0xf8,0x3a,0xb7,0x17,0x7b,0x5d,0xf3,
+0xe9,0xd7,0x9d,0xb3,0x2f,0x96,0x35,0x96,0x60,0x38,0xe7,0x96,0xc3,0x08,0xe6,0xf1,
+0xb8,0x16,0xc0,0x1d,0xc9,0x6f,0xd3,0x99,0x14,0x8e,0xd3,0x6a,0x2b,0x6c,0x4d,0xd1,
+0x71,0x1c,0x4c,0x38,0x72,0x18,0x23,0xf9,0xd1,0x6c,0xa2,0x87,0xfe,0x33,0xc2,0x9d,
+0x6e,0xd0,0x80,0x62,0x44,0x7b,0x3a,0x4d,0x2f,0xff,0x5f,0x73,0xe5,0x53,0x32,0x18,
+0x14,0xb2,0xdb,0x6b,0x25,0x7b,0xac,0xb4,0x3b,0x1e,0x5e,0xcd,0xec,0x01,0x99,0xdb,
+0x0c,0x1f,0xc2,0xa6,0x50,0x1d,0x6d,0x7b,0x58,0x75,0x04,0x89,0x5d,0x87,0x86,0x83
+};
+
+static CONST unsigned char default_dModP2048[128] = {
+0xc0,0xba,0x16,0x1b,0xc1,0x3e,0xc8,0x51,0xb3,0x22,0x21,0xf7,0x54,0x66,0x14,0xa7,
+0x17,0xdc,0x15,0xb4,0x31,0x16,0x0e,0x39,0xa4,0x6a,0x96,0x88,0x11,0x98,0xf7,0xe4,
+0xc2,0x87,0xa2,0x57,0x83,0xfe,0x67,0x41,0x83,0xae,0x3e,0x73,0x7d,0xaf,0xe5,0x33,
+0x4d,0x00,0x70,0xaa,0xda,0x3f,0xc8,0xd6,0xd6,0xd7,0x0b,0x4a,0xff,0x63,0x09,0x01,
+0x22,0xca,0x71,0x86,0xd0,0xad,0x96,0xf1,0xb9,0x66,0x43,0x71,0x88,0xba,0x53,0x14,
+0xfb,0xd3,0xe4,0x5c,0x3f,0xfd,0xf6,0x22,0x6f,0x01,0x1c,0x2c,0xb9,0x76,0xad,0xf9,
+0x09,0x96,0x3e,0x9c,0x0e,0x70,0xec,0x06,0xba,0x36,0x69,0xbb,0x00,0x93,0x53,0xd5,
+0xc0,0x08,0x18,0xa5,0xcc,0x46,0xb6,0x97,0xbb,0xf0,0x76,0x7f,0x0d,0xb8,0x04,0xb5
+};
+
+static CONST unsigned char default_dModQ2048[128] = {
+0xa9,0x18,0xfd,0x43,0x07,0xf0,0x9d,0x50,0x77,0xfc,0x48,0xe5,0xdb,0xe0,0x39,0xd6,
+0xdb,0x42,0xdb,0x28,0xa1,0x23,0x7e,0xdf,0x03,0xe2,0x11,0x48,0x19,0xa2,0xeb,0x21,
+0x44,0xaf,0x95,0x50,0x83,0x85,0x03,0x99,0xf3,0x56,0x0f,0x32,0x40,0x1d,0xb6,0x77,
+0xb0,0xc8,0xb2,0xb6,0xad,0x88,0x39,0xef,0xe8,0x23,0x64,0xc2,0x88,0x10,0x8e,0x24,
+0x7a,0x2f,0xb4,0xb0,0xec,0xa6,0x03,0x1a,0xe9,0xa5,0xdd,0xc0,0x39,0xba,0xba,0x38,
+0xfe,0xa4,0xf7,0xbf,0x79,0x8b,0xb7,0xf1,0x73,0x09,0x7d,0x9f,0x42,0x1c,0x5b,0xd6,
+0x47,0xcc,0x99,0x46,0x81,0xe3,0x77,0x57,0x38,0xb0,0xdd,0x07,0x3d,0x93,0x03,0x82,
+0x7f,0x3a,0x4d,0xbc,0x76,0x3c,0xf1,0x12,0x6d,0x55,0xdb,0x34,0x4c,0xef,0xea,0x9b
+};
+
+static CONST unsigned char default_qInvModP2048[128] = {
+0x77,0xd9,0x45,0xd4,0xd2,0xd1,0x46,0xa8,0xaf,0x57,0x8f,0x5e,0x4f,0x6b,0x24,0x0f,
+0xb4,0xaa,0xff,0x92,0x86,0x78,0xa8,0xc1,0x69,0x9c,0x54,0xe9,0x81,0xa1,0x9c,0x26,
+0x11,0x5d,0xfa,0xff,0x70,0x9e,0xa3,0xf3,0xe3,0x78,0x41,0x2b,0x31,0x35,0x09,0xa2,
+0x5c,0x5f,0x6e,0x4d,0xad,0xeb,0x4a,0xe0,0xb1,0xce,0x2c,0x22,0x59,0x72,0x4c,0x17,
+0xad,0x71,0x5c,0x25,0xca,0x4f,0x00,0xc6,0xee,0x63,0x10,0x8e,0xf7,0xbe,0xa4,0x55,
+0x22,0x0d,0x2c,0xb9,0xe5,0xa9,0x72,0x07,0xa2,0xb1,0x29,0xf2,0x4a,0x9f,0xde,0x70,
+0x0c,0x28,0xb7,0x60,0x12,0x9d,0x4b,0x04,0xd7,0xe3,0xd7,0xc5,0x71,0xdf,0x5c,0xc0,
+0x65,0x75,0x6e,0xfb,0xc6,0x3e,0x61,0x4c,0xc2,0xdf,0xb3,0xd3,0xba,0x17,0x36,0x24
+};
+
+static struct NSSLOWKEYPrivateKeyStr rsaPriv;
+
+NSSLOWKEYPrivateKey *
+getDefaultRSAPrivateKey(int keysize)
+{
+    if (rsaPriv.keyType != NSSLOWKEYRSAKey) {
+
+	/* leaving arena uninitialized. It isn't used in this test. */
+
+	rsaPriv.keyType                     = NSSLOWKEYRSAKey;
+
+	/* leaving arena   uninitialized. It isn't used. */
+	/* leaving version uninitialized. It isn't used. */
+
+        if (keysize == 2048) {
+	    rsaPriv.u.rsa.modulus.data          =        default_n2048;
+	    rsaPriv.u.rsa.modulus.len           = sizeof default_n2048;
+	    rsaPriv.u.rsa.publicExponent.data   =        default_e2048;
+	    rsaPriv.u.rsa.publicExponent.len    = sizeof default_e2048;
+	    rsaPriv.u.rsa.privateExponent.data  =        default_d2048;
+	    rsaPriv.u.rsa.privateExponent.len   = sizeof default_d2048;
+	    rsaPriv.u.rsa.prime1.data           =        default_p2048;
+	    rsaPriv.u.rsa.prime1.len            = sizeof default_p2048;
+	    rsaPriv.u.rsa.prime2.data           =        default_q2048;
+	    rsaPriv.u.rsa.prime2.len            = sizeof default_q2048;
+	    rsaPriv.u.rsa.exponent1.data        =        default_dModP2048;
+	    rsaPriv.u.rsa.exponent1.len         = sizeof default_dModP2048;
+	    rsaPriv.u.rsa.exponent2.data        =        default_dModQ2048;
+	    rsaPriv.u.rsa.exponent2.len         = sizeof default_dModQ2048;
+	    rsaPriv.u.rsa.coefficient.data      =        default_qInvModP2048;
+	    rsaPriv.u.rsa.coefficient.len       = sizeof default_qInvModP2048;
+	} else {
+	    rsaPriv.u.rsa.modulus.data          =        default_n1024;
+	    rsaPriv.u.rsa.modulus.len           = sizeof default_n1024;
+	    rsaPriv.u.rsa.publicExponent.data   =        default_e1024;
+	    rsaPriv.u.rsa.publicExponent.len    = sizeof default_e1024;
+	    rsaPriv.u.rsa.privateExponent.data  =        default_d1024;
+	    rsaPriv.u.rsa.privateExponent.len   = sizeof default_d1024;
+	    rsaPriv.u.rsa.prime1.data           =        default_p1024;
+	    rsaPriv.u.rsa.prime1.len            = sizeof default_p1024;
+	    rsaPriv.u.rsa.prime2.data           =        default_q1024;
+	    rsaPriv.u.rsa.prime2.len            = sizeof default_q1024;
+	    rsaPriv.u.rsa.exponent1.data        =        default_dModP1024;
+	    rsaPriv.u.rsa.exponent1.len         = sizeof default_dModP1024;
+	    rsaPriv.u.rsa.exponent2.data        =        default_dModQ1024;
+	    rsaPriv.u.rsa.exponent2.len         = sizeof default_dModQ1024;
+	    rsaPriv.u.rsa.coefficient.data      =        default_qInvModP1024;
+	    rsaPriv.u.rsa.coefficient.len       = sizeof default_qInvModP1024;
+	}
+    }
+    return &rsaPriv;
+}
+
+static struct NSSLOWKEYPublicKeyStr rsaPub;
+
+NSSLOWKEYPublicKey *
+getDefaultRSAPublicKey(int keysize)
+{
+    if (rsaPub.keyType != NSSLOWKEYRSAKey) {
+
+	rsaPub.keyType			   = NSSLOWKEYRSAKey;
+
+        if (keysize == 2048) {
+	    rsaPub.u.rsa.modulus.data          =        default_n2048;
+	    rsaPub.u.rsa.modulus.len           = sizeof default_n2048;
+
+	    rsaPub.u.rsa.publicExponent.data   =        default_e2048;
+	    rsaPub.u.rsa.publicExponent.len    = sizeof default_e2048;
+	} else {
+	    rsaPub.u.rsa.modulus.data          =        default_n1024;
+	    rsaPub.u.rsa.modulus.len           = sizeof default_n1024;
+
+	    rsaPub.u.rsa.publicExponent.data   =        default_e1024;
+	    rsaPub.u.rsa.publicExponent.len    = sizeof default_e1024;
+	}
+    }
+    return &rsaPub;
+}
+
+/*  modPop = 536, privPop = 531, ex1Pop = 261, ex2Pop = 257
+ *  After 46 tries, found this key:
+ *  Version: 0 (0x0)
+ *  Modulus:
+ *      c2:ae:96:89:af:ce:d0:7b:3b:35:fd:0f:b1:f4:7a:d1:3c:7d:b5:
+ *      86:f2:68:36:c9:97:e6:82:94:86:aa:05:39:ec:11:51:cc:5c:a1:
+ *      59:ba:29:18:f3:28:f1:9d:e3:ae:96:5d:6d:87:73:f6:f6:1f:d0:
+ *      2d:fb:2f:7a:13:7f:c8:0c:7a:e9:85:fb:ce:74:86:f8:ef:2f:85:
+ *      37:73:0f:62:4e:93:17:b7:7e:84:9a:94:11:05:ca:0d:31:4b:2a:
+ *      c8:df:fe:e9:0c:13:c7:f2:ad:19:64:28:3c:b5:6a:c8:4b:79:ea:
+ *      7c:ce:75:92:45:3e:a3:9d:64:6f:04:69:19:17
+ *  Public Exponent: 65537 (0x10001)
+ *  Private Exponent:
+ *      13:cb:bc:f2:f3:35:8c:6d:7b:6f:d9:f3:a6:9c:bd:80:59:2e:4f:
+ *      2f:11:a7:17:2b:18:8f:0f:e8:1a:69:5f:6e:ac:5a:76:7e:d9:4c:
+ *      6e:db:47:22:8a:57:37:7a:5e:94:7a:25:b5:e5:78:1d:3c:99:af:
+ *      89:7d:69:2e:78:9d:1d:84:c8:c1:d7:1a:b2:6d:2d:8a:d9:ab:6b:
+ *      ce:ae:b0:a0:58:55:ad:5c:40:8a:d6:96:08:8a:e8:63:e6:3d:6c:
+ *      20:49:c7:af:0f:25:73:d3:69:43:3b:f2:32:f8:3d:5e:ee:7a:ca:
+ *      d6:94:55:e5:bd:25:34:8d:63:40:b5:8a:c3:01
+ *  Prime 1:
+ *      f6:3c:3f:56:58:4f:b3:82:0c:f0:5b:42:36:1c:93:de:9b:32:01:
+ *      b1:48:f8:00:57:9b:c1:be:66:c2:bb:ea:7c:75:29:2c:22:aa:7c:
+ *      af:bd:0d:3f:b0:64:97:f0:88:25:cb:8d:c7:19:0a:75:44:a4:5a:
+ *      c3:b5:b9:85:ea:27:a7
+ *  Prime 2:
+ *      ca:66:fa:18:6a:46:36:1c:46:fe:47:e9:7e:52:83:8a:bb:72:13:
+ *      cc:83:56:3d:64:22:dd:fa:7c:61:99:ea:a4:b3:0e:8f:79:10:ab:
+ *      ba:4a:73:d1:48:40:34:34:d3:d2:54:92:be:f5:c8:c4:60:5f:d3:
+ *      f7:ce:be:60:3e:b1:11
+ *  Exponent 1:
+ *      8e:80:bf:87:11:04:cf:36:6c:96:8d:b9:fb:e6:fe:0c:ce:74:5a:
+ *      56:67:8c:5f:66:54:56:04:03:24:9f:ec:4c:aa:e1:71:11:7e:e9:
+ *      3a:2b:87:07:5c:e6:5a:a8:71:a2:ad:f3:17:4e:7e:a6:ef:5a:ce:
+ *      cc:84:d7:21:91:29:f1
+ *  Exponent 2:
+ *      87:60:1d:02:db:82:1e:8b:07:48:e8:5c:59:eb:62:a4:15:ff:95:
+ *      12:82:fd:d9:8d:f2:6c:3a:2f:9b:30:51:6a:db:80:6f:a1:ef:ee:
+ *      8c:69:63:d1:a4:db:9c:8f:80:e5:fb:3f:33:8e:3d:3c:6b:a1:6c:
+ *      ab:20:92:e0:d8:cd:a1
+ *  Coefficient:
+ *      ce:cf:5a:ad:c4:8c:44:91:3a:bc:7b:f8:80:f8:53:f5:12:84:8c:
+ *      9c:6b:33:93:0d:a1:11:ea:fa:4a:c1:eb:48:dc:44:86:93:1b:98:
+ *      c7:82:22:68:30:44:d7:62:1b:90:54:07:4b:66:a7:c5:75:5a:72:
+ *      77:92:dd:6c:f3:37:ab
+ */
diff --git a/security/nss/cmd/rsaperf/manifest.mn b/security/nss/cmd/rsaperf/manifest.mn
new file mode 100644
index 000000000..2c820e3ce
--- /dev/null
+++ b/security/nss/cmd/rsaperf/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH	= ../../..
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = dbm seccmd 
+
+# DIRS = 
+
+CSRCS	= rsaperf.c defkey.c 
+
+PROGRAM	= rsaperf
+
+USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c
new file mode 100644
index 000000000..78b707255
--- /dev/null
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -0,0 +1,714 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "seccomon.h"
+#include "cert.h"
+#include "secutil.h"
+#include "nspr.h"
+#include "nss.h"
+#include "blapi.h"
+#include "plgetopt.h"
+#include "lowkeyi.h"
+#include "pk11pub.h"
+
+
+#define DEFAULT_ITERS           10
+#define DEFAULT_DURATION        10
+#define DEFAULT_KEY_BITS        1024
+#define MIN_KEY_BITS            512
+#define MAX_KEY_BITS            65536
+#define BUFFER_BYTES            MAX_KEY_BITS / 8
+#define DEFAULT_THREADS         1
+#define DEFAULT_EXPONENT        0x10001
+
+extern NSSLOWKEYPrivateKey * getDefaultRSAPrivateKey(void);
+extern NSSLOWKEYPublicKey  * getDefaultRSAPublicKey(void);
+
+secuPWData pwData = { PW_NONE, NULL };
+
+typedef struct TimingContextStr TimingContext;
+
+struct TimingContextStr {
+    PRTime start;
+    PRTime end;
+    PRTime interval;
+
+    long  days;     
+    int   hours;    
+    int   minutes;  
+    int   seconds;  
+    int   millisecs;
+};
+
+TimingContext *CreateTimingContext(void) {
+    return PORT_Alloc(sizeof(TimingContext));
+}
+
+void DestroyTimingContext(TimingContext *ctx) {
+    PORT_Free(ctx);
+}
+
+void TimingBegin(TimingContext *ctx, PRTime begin) {
+    ctx->start = begin;
+}
+
+static void timingUpdate(TimingContext *ctx) {
+    PRInt64 tmp, remaining;
+    PRInt64 L1000,L60,L24;
+
+    LL_I2L(L1000,1000);
+    LL_I2L(L60,60);
+    LL_I2L(L24,24);
+
+    LL_DIV(remaining, ctx->interval, L1000);
+    LL_MOD(tmp, remaining, L1000);
+    LL_L2I(ctx->millisecs, tmp);
+    LL_DIV(remaining, remaining, L1000);
+    LL_MOD(tmp, remaining, L60);
+    LL_L2I(ctx->seconds, tmp);
+    LL_DIV(remaining, remaining, L60);
+    LL_MOD(tmp, remaining, L60);
+    LL_L2I(ctx->minutes, tmp);
+    LL_DIV(remaining, remaining, L60);
+    LL_MOD(tmp, remaining, L24);
+    LL_L2I(ctx->hours, tmp);
+    LL_DIV(remaining, remaining, L24);
+    LL_L2I(ctx->days, remaining);
+}
+
+void TimingEnd(TimingContext *ctx, PRTime end) {
+    ctx->end = end;
+    LL_SUB(ctx->interval, ctx->end, ctx->start);
+    PORT_Assert(LL_GE_ZERO(ctx->interval));
+    timingUpdate(ctx);
+}
+
+void TimingDivide(TimingContext *ctx, int divisor) {
+    PRInt64 tmp;
+
+    LL_I2L(tmp, divisor);
+    LL_DIV(ctx->interval, ctx->interval, tmp);
+
+    timingUpdate(ctx);
+}
+
+char *TimingGenerateString(TimingContext *ctx) {
+    char *buf = NULL;
+
+    if (ctx->days != 0) {
+	buf = PR_sprintf_append(buf, "%d days", ctx->days);
+    }
+    if (ctx->hours != 0) {
+	if (buf != NULL) buf = PR_sprintf_append(buf, ", ");
+	buf = PR_sprintf_append(buf, "%d hours", ctx->hours);
+    }
+    if (ctx->minutes != 0) {
+	if (buf != NULL) buf = PR_sprintf_append(buf, ", ");
+	buf = PR_sprintf_append(buf, "%d minutes", ctx->minutes);
+    }
+    if (buf != NULL) buf = PR_sprintf_append(buf, ", and ");
+    if (!buf && ctx->seconds == 0) {
+	int interval;
+	LL_L2I(interval, ctx->interval);
+    	if (ctx->millisecs < 100) 
+	    buf = PR_sprintf_append(buf, "%d microseconds", interval);
+	else
+	    buf = PR_sprintf_append(buf, "%d milliseconds", ctx->millisecs);
+    } else if (ctx->millisecs == 0) {
+	buf = PR_sprintf_append(buf, "%d seconds", ctx->seconds);
+    } else {
+	buf = PR_sprintf_append(buf, "%d.%03d seconds",
+				ctx->seconds, ctx->millisecs);
+    }
+    return buf;
+}
+
+void
+Usage(char *progName)
+{
+    fprintf(stderr, "Usage: %s [-s | -e] [-i iterations | -p period] "
+            "[-t threads]\n[-n none [-k keylength] [ [-g] -x exponent] |\n"
+            " -n token:nickname [-d certdir] [-w password] |\n"
+            " -h token [-d certdir] [-w password] [-g] [-k keylength] "
+            "[-x exponent] [-f pwfile]\n",
+	    progName);
+    fprintf(stderr, "%-20s Cert database directory (default is ~/.netscape)\n",
+	    "-d certdir");
+    fprintf(stderr, "%-20s How many operations to perform\n", "-i iterations");
+    fprintf(stderr, "%-20s How many seconds to run\n", "-p period");
+    fprintf(stderr, "%-20s Perform signing (private key) operations\n", "-s");
+    fprintf(stderr, "%-20s Perform encryption (public key) operations\n","-e");
+    fprintf(stderr, "%-20s Nickname of certificate or key, prefixed "
+            "by optional token name\n", "-n nickname");
+    fprintf(stderr, "%-20s PKCS#11 token to perform operation with.\n",
+            "-h token");
+    fprintf(stderr, "%-20s key size in bits, from %d to %d\n", "-k keylength",
+            MIN_KEY_BITS, MAX_KEY_BITS);
+    fprintf(stderr, "%-20s token password\n", "-w password");
+    fprintf(stderr, "%-20s temporary key generation. Not for token keys.\n",
+            "-g");
+    fprintf(stderr, "%-20s set public exponent for keygen\n", "-x");
+    fprintf(stderr, "%-20s Number of execution threads (default 1)\n",
+            "-t threads");
+    exit(-1);
+}
+
+static void
+dumpBytes( unsigned char * b, int l)
+{
+    int i;
+    if (l <= 0)
+        return;
+    for (i = 0; i < l; ++i) {
+        if (i % 16 == 0)
+            printf("\t");
+        printf(" %02x", b[i]);
+        if (i % 16 == 15)
+            printf("\n");
+    }
+    if ((i % 16) != 0)
+        printf("\n");
+}
+
+static void
+dumpItem( SECItem * item, const char * description)
+{
+    if (item->len & 1 && item->data[0] == 0) {
+	printf("%s: (%d bytes)\n", description, item->len - 1);
+	dumpBytes(item->data + 1, item->len - 1);
+    } else {
+	printf("%s: (%d bytes)\n", description, item->len);
+	dumpBytes(item->data, item->len);
+    }
+}
+
+void
+printPrivKey(NSSLOWKEYPrivateKey * privKey)
+{
+    RSAPrivateKey *rsa = &privKey->u.rsa;
+
+    dumpItem( &rsa->modulus, 		"n");
+    dumpItem( &rsa->publicExponent, 	"e");
+    dumpItem( &rsa->privateExponent, 	"d");
+    dumpItem( &rsa->prime1, 		"P");
+    dumpItem( &rsa->prime2, 		"Q");
+    dumpItem( &rsa->exponent1, 	        "d % (P-1)");
+    dumpItem( &rsa->exponent2, 	        "d % (Q-1)");
+    dumpItem( &rsa->coefficient, 	"(Q ** -1) % P");
+    puts("");
+}
+
+typedef SECStatus (* RSAOp)(void *               key, 
+			    unsigned char *      output,
+		            unsigned char *      input);
+
+typedef struct {
+    SECKEYPublicKey* pubKey;
+    SECKEYPrivateKey* privKey;
+} PK11Keys;
+
+
+SECStatus PK11_PublicKeyOp (SECKEYPublicKey*     key,
+			    unsigned char *      output,
+		            unsigned char *      input)
+{
+    return PK11_PubEncryptRaw(key, output, input, key->u.rsa.modulus.len,
+                              NULL);
+}
+
+SECStatus PK11_PrivateKeyOp (PK11Keys*            keys,
+			     unsigned char *      output,
+		             unsigned char *      input)
+{
+    unsigned outLen = 0;
+    return PK11_PrivDecryptRaw(keys->privKey,
+                               output, &outLen,
+                               keys->pubKey->u.rsa.modulus.len, input,
+                               keys->pubKey->u.rsa.modulus.len);
+}
+typedef struct ThreadRunDataStr ThreadRunData;
+
+struct ThreadRunDataStr {
+    const PRBool        *doIters;
+    const void          *rsaKey;
+    const unsigned char *buf;
+    RSAOp                fn;
+    int                  seconds;
+    long                 iters;
+    long                 iterRes;
+    PRErrorCode          errNum;
+    SECStatus            status;
+};
+
+
+void ThreadExecFunction(void *data)
+{
+    ThreadRunData *tdata = (ThreadRunData*)data;
+    unsigned char buf2[BUFFER_BYTES];
+
+    tdata->status = SECSuccess;
+    if (*tdata->doIters) {
+        long i = tdata->iters;
+        tdata->iterRes = 0;
+        while (i--) {
+            SECStatus rv = tdata->fn((void*)tdata->rsaKey, buf2,
+                                     (unsigned char*)tdata->buf);
+            if (rv != SECSuccess) {
+                tdata->errNum = PORT_GetError();
+                tdata->status = rv;
+                break;
+            }
+            tdata->iterRes++;
+        }
+    } else {
+        PRIntervalTime total = PR_SecondsToInterval(tdata->seconds);
+        PRIntervalTime start = PR_IntervalNow();
+        tdata->iterRes = 0;
+        while (PR_IntervalNow() - start < total) {
+            SECStatus rv = tdata->fn((void*)tdata->rsaKey, buf2,
+                                     (unsigned char*)tdata->buf);
+            if (rv != SECSuccess) {
+                tdata->errNum = PORT_GetError();
+                tdata->status = rv;
+                break;
+            }
+            tdata->iterRes++;
+        }
+    }
+}
+
+#define INT_ARG(arg,def) atol(arg)>0?atol(arg):def
+
+int
+main(int argc, char **argv)
+{
+    TimingContext *	  timeCtx       = NULL;
+    SECKEYPublicKey *	  pubHighKey    = NULL;
+    SECKEYPrivateKey *    privHighKey   = NULL;
+    NSSLOWKEYPrivateKey * privKey       = NULL;
+    NSSLOWKEYPublicKey *  pubKey        = NULL;
+    CERTCertificate *	  cert          = NULL;
+    char *		  progName      = NULL;
+    char *		  secDir 	= NULL;
+    char *		  nickname 	= NULL;
+    char *                slotname      = NULL;
+    long                  keybits     = 0;
+    RSAOp                 fn;
+    void *                rsaKey        = NULL;
+    PLOptState *          optstate;
+    PLOptStatus           optstatus;
+    long 		  iters 	= DEFAULT_ITERS;
+    int		 	  i;
+    PRBool 		  doPriv 	= PR_FALSE;
+    PRBool 		  doPub 	= PR_FALSE;
+    int 		  rv;
+    unsigned char 	  buf[BUFFER_BYTES];
+    unsigned char 	  buf2[BUFFER_BYTES];
+    int                   seconds       = DEFAULT_DURATION;
+    PRBool                doIters       = PR_FALSE;
+    PRBool                doTime        = PR_FALSE;
+    PRBool                useTokenKey   = PR_FALSE; /* use PKCS#11 token
+                                                       object key */
+    PRBool                useSessionKey = PR_FALSE; /* use PKCS#11 session
+                                                       object key */
+    PRBool                useBLKey = PR_FALSE;      /* use freebl */
+    PK11SlotInfo*         slot          = NULL;     /* slot for session
+                                                       object key operations */
+    PRBool                doKeyGen      = PR_FALSE;
+    int                   publicExponent  = DEFAULT_EXPONENT;
+    PK11Keys keys;
+    int peCount = 0;
+    CK_BYTE pubEx[4];
+    SECItem pe;
+    RSAPublicKey          pubKeyStr;
+    int                   threadNum     = DEFAULT_THREADS;
+    ThreadRunData      ** runDataArr = NULL;
+    PRThread           ** threadsArr = NULL;
+    int                   calcThreads = 0;
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    optstate = PL_CreateOptState(argc, argv, "d:ef:gh:i:k:n:p:st:w:x:");
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	case '?':
+	    Usage(progName);
+	    break;
+	case 'd':
+	    secDir = PORT_Strdup(optstate->value);
+	    break;
+	case 'i':
+	    iters = INT_ARG(optstate->value, DEFAULT_ITERS);
+	    doIters = PR_TRUE;
+	    break;
+	case 's':
+	    doPriv = PR_TRUE;
+	    break;
+	case 'e':
+	    doPub = PR_TRUE;
+	    break;
+	case 'g':
+	    doKeyGen = PR_TRUE;
+	    break;
+	case 'n':
+	    nickname = PORT_Strdup(optstate->value);
+            /* for compatibility, nickname of "none" means go to freebl */
+            if (nickname && strcmp(nickname, "none")) {
+	        useTokenKey = PR_TRUE;
+            } else {
+                useBLKey = PR_TRUE;
+            }
+	    break;
+	case 'p':
+	    seconds = INT_ARG(optstate->value, DEFAULT_DURATION);
+	    doTime = PR_TRUE;
+            break;
+	case 'h':
+	    slotname = PORT_Strdup(optstate->value);
+	    useSessionKey = PR_TRUE;
+	    break;
+	case 'k':
+	    keybits = INT_ARG(optstate->value, DEFAULT_KEY_BITS);
+	    break;
+	case 'w':
+	    pwData.data = PORT_Strdup(optstate->value);;
+	    pwData.source = PW_PLAINTEXT;
+	    break;
+        case 'f':
+            pwData.data = PORT_Strdup(optstate->value);
+            pwData.source = PW_FROMFILE;
+            break;
+	case 'x':
+	    /*  -x public exponent (for RSA keygen)  */
+	    publicExponent = INT_ARG(optstate->value, DEFAULT_EXPONENT);
+	    break;
+	case 't':
+	    threadNum = INT_ARG(optstate->value, DEFAULT_THREADS);
+	    break;
+	}
+    }
+    if (optstatus == PL_OPT_BAD)
+	Usage(progName);
+
+    if ((doPriv && doPub) || (doIters && doTime) ||
+        ((useTokenKey + useSessionKey + useBLKey) != PR_TRUE) ||
+        (useTokenKey && keybits) || (useTokenKey && doKeyGen) ||
+        (keybits && (keybits<MIN_KEY_BITS || keybits>MAX_KEY_BITS))) {
+        Usage(progName);
+    }
+
+    if (!doPriv && !doPub) doPriv = PR_TRUE;
+
+    if (doIters && doTime) Usage(progName);
+
+    if (!doTime) {
+        doIters = PR_TRUE;
+    }
+
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+    secDir = SECU_ConfigDirectory(secDir);
+
+    if (useTokenKey || useSessionKey) {
+	rv = NSS_Init(secDir);
+	if (rv != SECSuccess) {
+	    fprintf(stderr, "NSS_Init failed.\n");
+	    exit(1);
+	}
+    } else {
+	rv = NSS_NoDB_Init(NULL);
+	if (rv != SECSuccess) {
+	    fprintf(stderr, "NSS_NoDB_Init failed.\n");
+	    exit(1);
+	}
+    }
+
+    if (useTokenKey) {
+        CK_OBJECT_HANDLE kh = CK_INVALID_HANDLE;
+        CERTCertDBHandle* certdb = NULL;
+	certdb = CERT_GetDefaultCertDB();
+        
+        cert = PK11_FindCertFromNickname(nickname, &pwData);
+        if (cert == NULL) {
+            fprintf(stderr,
+                    "Can't find certificate by name \"%s\"\n", nickname);
+            exit(1);
+        }
+        pubHighKey = CERT_ExtractPublicKey(cert);
+        if (pubHighKey == NULL) {
+            fprintf(stderr, "Can't extract public key from certificate");
+            exit(1);
+        }
+
+        if (doPub) {
+            /* do public key ops */
+            fn = (RSAOp)PK11_PublicKeyOp;
+            rsaKey = (void *) pubHighKey;
+                
+            kh = PK11_ImportPublicKey(cert->slot, pubHighKey, PR_FALSE);
+            if (CK_INVALID_HANDLE == kh) {
+                fprintf(stderr,
+                        "Unable to import public key to certificate slot.");
+                exit(1);
+            }
+            pubHighKey->pkcs11Slot = PK11_ReferenceSlot(cert->slot);
+            pubHighKey->pkcs11ID = kh;
+            printf("Using PKCS#11 for RSA encryption with token %s.\n",
+                   PK11_GetTokenName(cert->slot));
+        } else {
+            /* do private key ops */
+            privHighKey = PK11_FindKeyByAnyCert(cert, &pwData);
+            if (privHighKey == NULL) {
+                fprintf(stderr,
+                        "Can't find private key by name \"%s\"\n", nickname);
+                exit(1);
+            }
+    
+            SECKEY_CacheStaticFlags(privHighKey);
+            fn = (RSAOp)PK11_PrivateKeyOp;
+            keys.privKey = privHighKey;
+            keys.pubKey = pubHighKey;
+            rsaKey = (void *) &keys;
+            printf("Using PKCS#11 for RSA decryption with token %s.\n",
+                   PK11_GetTokenName(privHighKey->pkcs11Slot));
+        }        
+    } else
+
+    if (useSessionKey) {
+        /* use PKCS#11 session key objects */
+        PK11RSAGenParams   rsaparams;
+        void             * params;
+
+        slot = PK11_FindSlotByName(slotname); /* locate target slot */
+        if (!slot) {
+            fprintf(stderr, "Can't find slot \"%s\"\n", slotname);
+            exit(1);
+        }
+
+        doKeyGen = PR_TRUE; /* Always do a keygen for session keys.
+                               Import of hardcoded key is not supported */
+        /* do a temporary keygen in selected slot */        
+        if (!keybits) {
+            keybits = DEFAULT_KEY_BITS;
+        }
+
+        printf("Using PKCS#11 with %ld bits session key in token %s.\n",
+               keybits, PK11_GetTokenName(slot));
+
+        rsaparams.keySizeInBits = keybits;
+        rsaparams.pe = publicExponent;
+        params = &rsaparams;
+
+        fprintf(stderr,"\nGenerating RSA key. This may take a few moments.\n");
+
+        privHighKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                           params, &pubHighKey, PR_FALSE,
+                                           PR_FALSE, (void*)&pwData);
+        if (!privHighKey) {
+            fprintf(stderr,
+                    "Key generation failed in token \"%s\"\n",
+                    PK11_GetTokenName(slot));
+            exit(1);
+        }
+
+        SECKEY_CacheStaticFlags(privHighKey);
+        
+        fprintf(stderr,"Keygen completed.\n");
+
+        if (doPub) {
+            /* do public key operations */
+            fn = (RSAOp)PK11_PublicKeyOp;
+            rsaKey = (void *) pubHighKey;
+        } else {
+            /* do private key operations */
+            fn = (RSAOp)PK11_PrivateKeyOp;
+            keys.privKey = privHighKey;
+            keys.pubKey = pubHighKey;
+            rsaKey = (void *) &keys;
+        }        
+    } else
+        
+    {
+        /* use freebl directly */
+        if (!keybits) {
+            keybits = DEFAULT_KEY_BITS;
+        }
+        if (!doKeyGen) {
+            if (keybits != DEFAULT_KEY_BITS) {
+                doKeyGen = PR_TRUE;
+            }
+        }
+        printf("Using freebl with %ld bits key.\n", keybits);
+        if (doKeyGen) {
+            fprintf(stderr,"\nGenerating RSA key. "
+                    "This may take a few moments.\n");
+            for (i=0; i < 4; i++) {
+                if (peCount || (publicExponent & ((unsigned long)0xff000000L >>
+                                                  (i*8)))) {
+                    pubEx[peCount] =  (CK_BYTE)((publicExponent >>
+                                                 (3-i)*8) & 0xff);
+                    peCount++;
+                }
+            }
+            pe.len = peCount;
+            pe.data = &pubEx[0];
+            pe.type = siBuffer;
+
+            rsaKey = RSA_NewKey(keybits, &pe);
+            fprintf(stderr,"Keygen completed.\n");
+        } else {
+            /* use a hardcoded key */
+            printf("Using hardcoded %ld bits key.\n", keybits);
+            if (doPub) {
+                pubKey = getDefaultRSAPublicKey();
+            } else {
+                privKey = getDefaultRSAPrivateKey();
+            }
+        }
+
+        if (doPub) {
+            /* do public key operations */
+            fn = (RSAOp)RSA_PublicKeyOp;
+            if (rsaKey) {
+                /* convert the RSAPrivateKey to RSAPublicKey */
+                pubKeyStr.arena = NULL;
+                pubKeyStr.modulus = ((RSAPrivateKey*)rsaKey)->modulus;
+                pubKeyStr.publicExponent =
+                    ((RSAPrivateKey*)rsaKey)->publicExponent;
+                rsaKey = &pubKeyStr;
+            } else {
+                /* convert NSSLOWKeyPublicKey to RSAPublicKey */
+                rsaKey = (void *)(&pubKey->u.rsa);
+            }
+            PORT_Assert(rsaKey);
+        } else {
+            /* do private key operations */
+            fn = (RSAOp)RSA_PrivateKeyOp;
+            if (privKey) {
+                /* convert NSSLOWKeyPrivateKey to RSAPrivateKey */
+                rsaKey = (void *)(&privKey->u.rsa);
+            }
+            PORT_Assert(rsaKey);
+        }
+    }
+
+    memset(buf, 1, sizeof buf);
+    rv = fn(rsaKey, buf2, buf);
+    if (rv != SECSuccess) {
+	PRErrorCode errNum;
+	const char * errStr = NULL;
+
+	errNum = PORT_GetError();
+	if (errNum)
+	    errStr = SECU_Strerror(errNum);
+	else
+	    errNum = rv;
+	if (!errStr)
+	    errStr = "(null)";
+	fprintf(stderr, "Error in RSA operation: %d : %s\n", errNum, errStr);
+	exit(1);
+    }
+
+    threadsArr = (PRThread**)PORT_Alloc(threadNum*sizeof(PRThread*));
+    runDataArr = (ThreadRunData**)PORT_Alloc(threadNum*sizeof(ThreadRunData*));
+    timeCtx = CreateTimingContext();
+    TimingBegin(timeCtx, PR_Now());
+    for (i = 0;i < threadNum;i++) {
+        runDataArr[i] = (ThreadRunData*)PORT_Alloc(sizeof(ThreadRunData));
+        runDataArr[i]->fn = fn;
+        runDataArr[i]->buf = buf;
+        runDataArr[i]->doIters = &doIters;
+        runDataArr[i]->rsaKey = rsaKey;
+        runDataArr[i]->seconds = seconds;
+        runDataArr[i]->iters = iters;
+        threadsArr[i] = 
+            PR_CreateThread(PR_USER_THREAD,
+                 ThreadExecFunction,
+                 (void*) runDataArr[i],
+                 PR_PRIORITY_NORMAL,
+                 PR_GLOBAL_THREAD,
+                 PR_JOINABLE_THREAD,
+                 0);
+    }
+    iters = 0;
+    calcThreads = 0;
+    for (i = 0;i < threadNum;i++, calcThreads++)
+    {
+        PR_JoinThread(threadsArr[i]);
+        if (runDataArr[i]->status != SECSuccess) {
+            const char * errStr = SECU_Strerror(runDataArr[i]->errNum);
+            fprintf(stderr, "Thread %d: Error in RSA operation: %d : %s\n",
+                    i, runDataArr[i]->errNum, errStr);
+            calcThreads -= 1;
+        } else {
+            iters += runDataArr[i]->iterRes;
+        }
+        PORT_Free((void*)runDataArr[i]);
+    }
+    PORT_Free(runDataArr);
+    PORT_Free(threadsArr);
+
+    TimingEnd(timeCtx, PR_Now());
+    
+    printf("%ld iterations in %s\n",
+	   iters, TimingGenerateString(timeCtx));
+    printf("%.2f operations/s .\n", ((double)(iters)*(double)1000000.0) /
+           (double)timeCtx->interval );
+    TimingDivide(timeCtx, iters);
+    printf("one operation every %s\n", TimingGenerateString(timeCtx));
+
+    if (pubHighKey) {
+        SECKEY_DestroyPublicKey(pubHighKey);
+    }
+
+    if (privHighKey) {
+         SECKEY_DestroyPrivateKey(privHighKey);
+    }
+
+    if (cert) {
+        CERT_DestroyCertificate(cert);
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    return 0;
+}
diff --git a/security/nss/cmd/samples/cert b/security/nss/cmd/samples/cert
new file mode 100644
index 000000000..3f8ec48df
--- /dev/null
+++ b/security/nss/cmd/samples/cert
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIIB7TCCAVYCAgMaMA0GCSqGSIb3DQEBBAUAMEcxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQLEwdUZXN0IENBMSYwJAYDVQQKEx1OZXRzY2FwZSBDb21tdW5pY2F0aW9ucyBD
+b3JwLjAeFw05NTEyMDgwMjQwMjdaFw05NjAzMDcwMjQwMjdaMDgxFjAUBgNVBAMT
+DURhdmlkIGthcmx0b24xETAPBgNVBAoTCE5ldHNjYXBlMQswCQYDVQQGEwJVUzCB
+nTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEAltV2TH+QxqlgfUFk+UyiYAjByxrC
+dCSIa/FwRaPceLvE7ycD9L6AC4JA6k58E6ICsr/Y8TsXT4UmZhhLNc50VgSo8cGQ
+lajqIDvntq8M1uCXiVOnXmIAqoB6E8GiqW+9evOkgkumMksSwXiXAhMM7vJt3IU6
+b+FwdF5cRs0u1FUCAQMwDQYJKoZIhvcNAQEEBQADgYEAkFdr3ypcvI2+Xgwfp7+d
+YtN7w4UnQ7LR9FKmlnBauTVLmUtichn/O3WMT9cYTtZm5QQVRaE3qrGh0Nr6Ko1E
+nIHowd36TN45zkFraWoATfCV/f+P37WaADp20l2ryEY0Jpe4gnoeZ0+/ffoxyajC
+LZEJL6Dv2Ed83cebLjYxKsI=
+
+-----END CERTIFICATE-----
+
diff --git a/security/nss/cmd/samples/cert0 b/security/nss/cmd/samples/cert0
new file mode 100644
index 000000000..05cdc8553
--- /dev/null
+++ b/security/nss/cmd/samples/cert0
diff --git a/security/nss/cmd/samples/cert1 b/security/nss/cmd/samples/cert1
new file mode 100644
index 000000000..38a7d299a
--- /dev/null
+++ b/security/nss/cmd/samples/cert1
diff --git a/security/nss/cmd/samples/cert2 b/security/nss/cmd/samples/cert2
new file mode 100644
index 000000000..147c3eb9e
--- /dev/null
+++ b/security/nss/cmd/samples/cert2
diff --git a/security/nss/cmd/samples/pkcs7.ber b/security/nss/cmd/samples/pkcs7.ber
new file mode 100644
index 000000000..6e3814c37
--- /dev/null
+++ b/security/nss/cmd/samples/pkcs7.ber
diff --git a/security/nss/cmd/samples/pkcs7bday.ber b/security/nss/cmd/samples/pkcs7bday.ber
new file mode 100644
index 000000000..0ee6cfc13
--- /dev/null
+++ b/security/nss/cmd/samples/pkcs7bday.ber
diff --git a/security/nss/cmd/samples/pkcs7cnet.ber b/security/nss/cmd/samples/pkcs7cnet.ber
new file mode 100644
index 000000000..df2bb2dd1
--- /dev/null
+++ b/security/nss/cmd/samples/pkcs7cnet.ber
diff --git a/security/nss/cmd/samples/pkcs7news.ber b/security/nss/cmd/samples/pkcs7news.ber
new file mode 100644
index 000000000..c46a1786d
--- /dev/null
+++ b/security/nss/cmd/samples/pkcs7news.ber
diff --git a/security/nss/cmd/samples/x509v3.der b/security/nss/cmd/samples/x509v3.der
new file mode 100644
index 000000000..1ada57c56
--- /dev/null
+++ b/security/nss/cmd/samples/x509v3.der
diff --git a/security/nss/cmd/samples/x509v3.txt b/security/nss/cmd/samples/x509v3.txt
new file mode 100644
index 000000000..dde307697
--- /dev/null
+++ b/security/nss/cmd/samples/x509v3.txt
@@ -0,0 +1,10 @@
+MIIByzCCAXWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBLMQswCQYDVQQGEwJVUzEW
+MBQGA1UEChMNVmVyaVNpZ24gSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxDjAM
+BgNVBAMTBUphc29uMB4XDTk1MDgwODA3MDAwMFoXDTk2MDgwNzA3MDAwMFowSzEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDVZlcmlTaWduIEluYy4xFDASBgNVBAsTC0Vu
+Z2luZWVyaW5nMQ4wDAYDVQQDEwVKYXNvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
+QQCvpXRU9t3NPFXvxJz2vuxX4zI55AA+xY1PsAEadhwWEMF2EnpG8woF4EGTwLdx
+xrw3Eirzu5RAAhqegCN1aPVBAgMBAAGjRDBCMBQGA2FiYwEB/wQKZXh0ZW5zaW9u
+MTAUBgNkZWYBAf8ECmV4dGVuc2lvbjIwFAYDZ2hpAQH/BApleHRlbnNpb24zMA0G
+CSqGSIb3DQEBBAUAA0EAawLNWFSYMtywAqkSYJb1gejljqi9QAtLZIM2ui+RCTP2
+jEjW5bp4oU1RX2iBSfU+MdEZx9DpMNjqBLrgOy1Djw==
diff --git a/security/nss/cmd/sdrtest/Makefile b/security/nss/cmd/sdrtest/Makefile
new file mode 100644
index 000000000..4d209348e
--- /dev/null
+++ b/security/nss/cmd/sdrtest/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
diff --git a/security/nss/cmd/sdrtest/manifest.mn b/security/nss/cmd/sdrtest/manifest.mn
new file mode 100644
index 000000000..383f1e83c
--- /dev/null
+++ b/security/nss/cmd/sdrtest/manifest.mn
@@ -0,0 +1,58 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	sdrtest.c \
+	$(NULL)
+
+# headers for the MODULE (defined above) are implicitly required.
+REQUIRES = dbm seccmd
+
+# WINNT uses EXTRA_LIBS as the list of libs to link in.
+# Unix uses     OS_LIBS for that purpose.
+# We can solve this via conditional makefile code, but 
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+# So, look in the local Makefile for the defines for the list of libs.
+
+PROGRAM = sdrtest
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/sdrtest/sdrtest.c b/security/nss/cmd/sdrtest/sdrtest.c
new file mode 100644
index 000000000..a50eb23e1
--- /dev/null
+++ b/security/nss/cmd/sdrtest/sdrtest.c
@@ -0,0 +1,451 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Test program for SDR (Secret Decoder Ring) functions.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "string.h"
+#include "nss.h"
+#include "secutil.h"
+#include "cert.h"
+#include "pk11func.h"
+
+#include "plgetopt.h"
+#include "pk11sdr.h"
+#include "nssb64.h"
+
+#define DEFAULT_VALUE "Test"
+static const char default_value[] = { DEFAULT_VALUE };
+
+PRFileDesc *pr_stderr;
+PRBool      verbose = PR_FALSE;
+
+static void
+synopsis (char *program_name)
+{
+    PR_fprintf (pr_stderr, 
+"Usage: %s [<common>] -i <input-file>\n"
+"       %s [<common>]  -o <output-file>\n"
+"       <common> [-d dir] [-v] [-t text] [-a] [-f pwfile | -p pwd]\n",
+	program_name, program_name);
+}
+
+static void
+short_usage (char *program_name)
+{
+    PR_fprintf (pr_stderr,
+		"Type %s -H for more detailed descriptions\n",
+		program_name);
+    synopsis (program_name);
+}
+
+
+static void
+long_usage (char *program_name)
+{
+    synopsis (program_name);
+    PR_fprintf (pr_stderr, "\nSecret Decoder Test:\n");
+    PR_fprintf (pr_stderr,
+		"  %-13s Read encrypted data from \"file\"\n",
+		"-i file");
+    PR_fprintf (pr_stderr,
+		"  %-13s Write newly generated encrypted data to \"file\"\n",
+		"-o file");
+    PR_fprintf (pr_stderr,
+		"  %-13s Use \"text\" as the plaintext for encryption and verification\n",
+		"-t text");
+    PR_fprintf (pr_stderr,
+		"  %-13s Find security databases in \"dbdir\"\n",
+		"-d dbdir");
+    PR_fprintf (pr_stderr,
+		"  %-13s read the password from \"pwfile\"\n",
+		"-f pwfile");
+    PR_fprintf (pr_stderr,
+		"  %-13s supply \"password\" on the command line\n",
+		"-p password");
+}
+
+int 
+readStdin(SECItem * result)
+{
+  int bufsize = 0;
+  int cc;
+  int wanted  = 8192;
+
+  result->len = 0;
+  result->data = NULL;
+  do {
+    if (bufsize < wanted) {
+      unsigned char * tmpData = (unsigned char *)realloc(result->data, wanted);
+      if (!tmpData) {
+	if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
+	return -1;
+      }
+      result->data = tmpData;
+      bufsize = wanted;
+    }
+    cc = PR_Read(PR_STDIN, result->data + result->len, bufsize - result->len);
+    if (cc > 0) {
+      result->len += (unsigned)cc;
+      if (result->len >= wanted) 
+        wanted *= 2;
+    }
+  } while (cc > 0);
+  return cc;
+}
+
+int
+readInputFile(const char * filename, SECItem * result)
+{
+  PRFileDesc *file /* = PR_OpenFile(input_file, 0) */;
+  PRFileInfo info;
+  PRStatus s;
+  PRInt32 count;
+  int retval = -1;
+
+  file = PR_Open(filename, PR_RDONLY, 0);
+  if (!file) {
+    if (verbose) PR_fprintf(pr_stderr, "Open of file %s failed\n", filename);
+    goto loser;
+  }
+
+  s = PR_GetOpenFileInfo(file, &info);
+  if (s != PR_SUCCESS) {
+    if (verbose) PR_fprintf(pr_stderr, "File info operation failed\n");
+    goto file_loser;
+  }
+
+  result->len = info.size;
+  result->data = (unsigned char *)malloc(result->len);
+  if (!result->data) {
+    if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
+    goto file_loser;
+  }
+
+  count = PR_Read(file, result->data, result->len);
+  if (count != result->len) {
+    if (verbose) PR_fprintf(pr_stderr, "Read failed\n");
+    goto file_loser;
+  }
+  retval = 0;
+
+file_loser:
+  PR_Close(file);
+loser:
+  return retval;
+}
+
+int
+main (int argc, char **argv)
+{
+    int		 retval = 0;  /* 0 - test succeeded.  -1 - test failed */
+    SECStatus	 rv;
+    PLOptState	*optstate;
+    PLOptStatus  optstatus;
+    char	*program_name;
+    const char  *input_file = NULL; 	/* read encrypted data from here (or create) */
+    const char  *output_file = NULL;	/* write new encrypted data here */
+    const char  *value = default_value;	/* Use this for plaintext */
+    SECItem     data;
+    SECItem     result = {0, 0, 0};
+    SECItem     text;
+    PRBool      ascii = PR_FALSE;
+    secuPWData  pwdata = { PW_NONE, 0 };
+
+    pr_stderr = PR_STDERR;
+    result.data = 0;
+    text.data = 0; text.len = 0;
+
+    program_name = PL_strrchr(argv[0], '/');
+    program_name = program_name ? (program_name + 1) : argv[0];
+
+    optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
+    if (optstate == NULL) {
+	SECU_PrintError (program_name, "PL_CreateOptState failed");
+	return -1;
+    }
+
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	    short_usage (program_name);
+	    return retval;
+
+	  case 'H':
+	    long_usage (program_name);
+	    return retval;
+
+	  case 'a':
+	    ascii = PR_TRUE;
+	    break;
+
+	  case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+
+          case 'i':
+            input_file = optstate->value;
+            break;
+
+          case 'o':
+            output_file = optstate->value;
+            break;
+
+          case 't':
+            value = optstate->value;
+            break;
+
+	  case 'f':
+	    if (pwdata.data) {
+		PORT_Free(pwdata.data);
+		short_usage(program_name);
+		return -1;
+	    }
+	    pwdata.source = PW_FROMFILE;
+	    pwdata.data = PORT_Strdup(optstate->value);
+	    break;
+
+	  case 'p':
+	    if (pwdata.data) {
+		PORT_Free(pwdata.data);
+		short_usage(program_name);
+		return -1;
+	    }
+	    pwdata.source = PW_PLAINTEXT;
+	    pwdata.data = PORT_Strdup(optstate->value);
+	    break;
+
+          case 'v':
+            verbose = PR_TRUE;
+            break;
+	}
+    }
+    PL_DestroyOptState(optstate);
+    if (optstatus == PL_OPT_BAD) {
+	short_usage (program_name);
+	return -1;
+    }
+    if (!output_file && !input_file && value == default_value) {
+	short_usage (program_name);
+	PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
+	return -1;
+    }
+
+    /*
+     * Initialize the Security libraries.
+     */
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    if (output_file) {
+	rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
+    } else {
+	rv = NSS_Init(SECU_ConfigDirectory(NULL));
+    }
+    if (rv != SECSuccess) {
+	SECU_PrintError(program_name, "NSS_Init failed");
+	retval = -1;
+	goto prdone;
+    }
+
+    /* Convert value into an item */
+    data.data = (unsigned char *)value;
+    data.len = strlen(value);
+
+    /* Get the encrypted result, either from the input file
+     * or from encrypting the plaintext value
+     */
+    if (input_file)
+    {
+      if (verbose) printf("Reading data from %s\n", input_file);
+
+      if (!strcmp(input_file, "-")) {
+	retval = readStdin(&result);
+        ascii = PR_TRUE;
+      } else {
+        retval = readInputFile(input_file, &result);
+      }
+      if (retval != 0) 
+	goto loser;
+      if (ascii) {
+	/* input was base64 encoded.  Decode it. */
+	SECItem newResult = {0, 0, 0};
+	SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult, 
+	                       (const char *)result.data, result.len);
+	if (!ok) {
+	  SECU_PrintError(program_name, "Base 64 decode failed");
+	  retval = -1;
+	  goto loser;
+	}
+	free(result.data);
+	result = *ok;
+      }
+    }
+    else
+    {
+      SECItem keyid = { 0, 0, 0 };
+      SECItem outBuf = { 0, 0, 0 };
+      PK11SlotInfo *slot = NULL;
+
+      /* sigh, initialize the key database */
+      slot = PK11_GetInternalKeySlot();
+      if (slot && PK11_NeedUserInit(slot)) {
+	switch (pwdata.source) {
+	case PW_FROMFILE:
+	    rv = SECU_ChangePW(slot, 0, pwdata.data);
+	    break;
+	case PW_PLAINTEXT:
+	    rv = SECU_ChangePW(slot, pwdata.data, 0);
+	    break;
+	default:
+            rv = SECU_ChangePW(slot, "", 0);
+	    break;
+	}
+        if (rv != SECSuccess) {
+            SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
+                                    PK11_GetSlotName(slot));
+            return SECFailure;
+        }
+      }
+      if (slot) {
+	PK11_FreeSlot(slot);
+      }
+
+      rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
+      if (rv != SECSuccess) {
+        if (verbose) 
+	  SECU_PrintError(program_name, "Encrypt operation failed\n");
+        retval = -1;
+        goto loser;
+      }
+
+      if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
+
+      if (!strcmp(output_file, "-")) {
+        ascii = PR_TRUE;
+      }
+
+      if (ascii) {
+      	/* base64 encode output. */
+	char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
+	if (!newResult) {
+	  SECU_PrintError(program_name, "Base 64 encode failed\n");
+	  retval = -1;
+	  goto loser;
+	}
+	outBuf.data = (unsigned char *)newResult;
+	outBuf.len  = strlen(newResult);
+	if (verbose) 
+	  printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
+      } else {
+	outBuf = result;
+      }
+
+      /* -v printf("Result is %.*s\n", text.len, text.data); */
+      if (output_file) {
+         PRFileDesc *file;
+         PRInt32 count;
+
+         if (verbose) printf("Writing result to %s\n", output_file);
+	 if (!strcmp(output_file, "-")) {
+	   file = PR_STDOUT;
+	 } else {
+	   /* Write to file */
+	   file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
+	 }
+         if (!file) {
+            if (verbose) 
+		SECU_PrintError(program_name, 
+                                "Open of output file %s failed\n",
+                                output_file);
+            retval = -1;
+            goto loser;
+         }
+
+         count = PR_Write(file, outBuf.data, outBuf.len);
+
+	 if (file == PR_STDOUT) {
+	   puts("");
+	 } else {
+	   PR_Close(file);
+	 }
+
+         if (count != outBuf.len) {
+           if (verbose) SECU_PrintError(program_name, "Write failed\n");
+           retval = -1;
+           goto loser;
+         }
+	 if (ascii) {
+	   free(outBuf.data);
+	 }
+      }
+    }
+
+    /* Decrypt the value */
+    rv = PK11SDR_Decrypt(&result, &text, &pwdata);
+    if (rv != SECSuccess) {
+      if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
+      retval = -1; 
+      goto loser;
+    }
+
+    if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
+
+    /* Compare to required value */
+    if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
+    {
+      if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
+      retval = -1;
+      goto loser;
+    }
+
+loser:
+    if (text.data) free(text.data);
+    if (result.data) free(result.data);
+    if (NSS_Shutdown() != SECSuccess) {
+       exit(1);
+    }
+
+prdone:
+    PR_Cleanup ();
+    if (pwdata.data) {
+	PORT_Free(pwdata.data);
+    }
+    return retval;
+}
diff --git a/security/nss/cmd/selfserv/Makefile b/security/nss/cmd/selfserv/Makefile
new file mode 100644
index 000000000..4de295a9c
--- /dev/null
+++ b/security/nss/cmd/selfserv/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/selfserv/manifest.mn b/security/nss/cmd/selfserv/manifest.mn
new file mode 100644
index 000000000..f1f1516f3
--- /dev/null
+++ b/security/nss/cmd/selfserv/manifest.mn
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = selfserv.c
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+PROGRAM = selfserv
+
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
new file mode 100644
index 000000000..5402aa703
--- /dev/null
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -0,0 +1,2293 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* -r flag is interepreted as follows:
+ *	1 -r  means request, not require, on initial handshake.
+ *	2 -r's mean request  and require, on initial handshake.
+ *	3 -r's mean request, not require, on second handshake.
+ *	4 -r's mean request  and require, on second handshake.
+ */
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#if defined(_WINDOWS)
+#include <process.h>	/* for getpid() */
+#endif
+
+#include <signal.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+
+#include "nspr.h"
+#include "prio.h"
+#include "prerror.h"
+#include "prnetdb.h"
+#include "prclist.h"
+#include "plgetopt.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "nss.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "cert.h"
+#include "certt.h"
+
+#ifndef PORT_Sprintf
+#define PORT_Sprintf sprintf
+#endif
+
+#ifndef PORT_Strstr
+#define PORT_Strstr strstr
+#endif
+
+#ifndef PORT_Malloc
+#define PORT_Malloc PR_Malloc
+#endif
+
+int NumSidCacheEntries = 1024;
+
+static int handle_connection( PRFileDesc *, PRFileDesc *, int );
+
+static const char envVarName[] = { SSL_ENV_VAR_NAME };
+static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
+
+#define DEFAULT_BULK_TEST 16384
+#define MAX_BULK_TEST     1048576 /* 1 MB */
+static PRBool testBulk;
+static PRUint32 testBulkSize       = DEFAULT_BULK_TEST;
+static PRUint32 testBulkTotal;
+static char* testBulkBuf;
+static PRDescIdentity log_layer_id = PR_INVALID_IO_LAYER;
+static PRFileDesc *loggingFD;
+static PRIOMethods loggingMethods;
+
+static PRBool logStats;
+static PRBool loggingLayer;
+static int logPeriod = 30;
+static PRUint32 loggerOps;
+static PRUint32 loggerBytes;
+static PRUint32 loggerBytesTCP;
+static PRUint32 bulkSentChunks;
+
+const int ssl2CipherSuites[] = {
+    SSL_EN_RC4_128_WITH_MD5,			/* A */
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,		/* B */
+    SSL_EN_RC2_128_CBC_WITH_MD5,		/* C */
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,	/* D */
+    SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
+    0
+};
+
+const int ssl3CipherSuites[] = {
+    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
+    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	 * b */
+    SSL_RSA_WITH_RC4_128_MD5,			/* c */
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
+    SSL_RSA_WITH_NULL_MD5,			/* i */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
+    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, 	 * o */
+    -1, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,	 * p */
+    -1, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,	 * q */
+    -1, /* SSL_DHE_RSA_WITH_DES_CBC_SHA,	 * r */
+    -1, /* SSL_DHE_DSS_WITH_DES_CBC_SHA,	 * s */
+    -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA,	 * t */
+    -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA,	 * u */
+    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
+    -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA,	 * w */
+    -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA,	 * x */
+    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
+    SSL_RSA_WITH_NULL_SHA,			/* z */
+    0
+};
+
+/* data and structures for shutdown */
+static int	stopping;
+
+static PRBool  noDelay;
+static int     requestCert;
+static int	verbose;
+static SECItem	bigBuf;
+
+static PRThread * acceptorThread;
+
+static PRLogModuleInfo *lm;
+
+#define PRINTF  if (verbose)  printf
+#define FPRINTF if (verbose) fprintf
+#define FLUSH	if (verbose) { fflush(stdout); fflush(stderr); }
+#define VLOG(arg) PR_LOG(lm,PR_LOG_DEBUG,arg)
+
+static void
+Usage(const char *progName)
+{
+    fprintf(stderr, 
+
+"Usage: %s -n rsa_nickname -p port [-3BDENRSTbjlmrsuvx] [-w password]\n"
+"         [-t threads] [-i pid_file] [-c ciphers] [-d dbdir] [-g numblocks]\n"
+"         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
+#ifdef NSS_ENABLE_ECC
+"         [-C SSLCacheEntries] [-e ec_nickname]\n"
+#else
+"         [-C SSLCacheEntries]\n"
+#endif /* NSS_ENABLE_ECC */
+"-S means disable SSL v2\n"
+"-3 means disable SSL v3\n"
+"-T means disable TLS\n"
+"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
+"-q checks for bypassability\n"
+"-D means disable Nagle delays in TCP\n"
+"-E means disable export ciphersuites and SSL step down key gen\n"
+"-R means disable detection of rollback from TLS to SSL3\n"
+"-b means try binding to the port and exit\n"
+"-m means test the model-socket feature of SSL_ImportFD.\n"
+"-r flag is interepreted as follows:\n"
+"    1 -r  means request, not require, cert on initial handshake.\n"
+"    2 -r's mean request  and require, cert on initial handshake.\n"
+"    3 -r's mean request, not require, cert on second handshake.\n"
+"    4 -r's mean request  and require, cert on second handshake.\n"
+"-s means disable SSL socket locking for performance\n"
+"-u means enable Session Ticket extension for TLS.\n"
+"-v means verbose output\n"
+"-x means use export policy.\n"
+"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
+"-M maxProcs tells how many processes to run in a multi-process server\n"
+"-N means do NOT use the server session cache.  Incompatible with -M.\n"
+"-t threads -- specify the number of threads to use for connections.\n"
+"-i pid_file file to write the process id of selfserve\n"
+"-l means use local threads instead of global threads\n"
+"-g numblocks means test throughput by sending total numblocks chunks\n"
+"    of size 16kb to the client, 0 means unlimited (default=0)\n"
+"-j means measure TCP throughput (for use with -g option)\n"
+"-C SSLCacheEntries sets the maximum number of entries in the SSL\n" 
+"    session cache\n"
+"-c ciphers   Letter(s) chosen from the following list\n"
+"A    SSL2 RC4 128 WITH MD5\n"
+"B    SSL2 RC4 128 EXPORT40 WITH MD5\n"
+"C    SSL2 RC2 128 CBC WITH MD5\n"
+"D    SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
+"E    SSL2 DES 64 CBC WITH MD5\n"
+"F    SSL2 DES 192 EDE3 CBC WITH MD5\n"
+"\n"
+"c    SSL3 RSA WITH RC4 128 MD5\n"
+"d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
+"e    SSL3 RSA WITH DES CBC SHA\n"
+"f    SSL3 RSA EXPORT WITH RC4 40 MD5\n"
+"g    SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
+"i    SSL3 RSA WITH NULL MD5\n"
+"j    SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
+"k    SSL3 RSA FIPS WITH DES CBC SHA\n"
+"l    SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
+"m    SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
+"n    SSL3 RSA WITH RC4 128 SHA\n"
+"v    SSL3 RSA WITH AES 128 CBC SHA\n"
+"y    SSL3 RSA WITH AES 256 CBC SHA\n"
+"z    SSL3 RSA WITH NULL SHA\n"
+"\n"
+":WXYZ  Use cipher with hex code { 0xWX , 0xYZ } in TLS\n"
+	,progName);
+}
+
+static const char *
+errWarn(char * funcString)
+{
+    PRErrorCode  perr      = PR_GetError();
+    const char * errString = SECU_Strerror(perr);
+
+    fprintf(stderr, "selfserv: %s returned error %d:\n%s\n",
+            funcString, perr, errString);
+    return errString;
+}
+
+static void
+errExit(char * funcString)
+{
+    errWarn(funcString);
+    exit(3);
+}
+
+
+/**************************************************************************
+** 
+** Routines for disabling SSL ciphers.
+**
+**************************************************************************/
+
+/* disable all the SSL cipher suites */
+void
+disableAllSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv;
+
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+	if (rv != SECSuccess) {
+	    printf("SSL_CipherPrefSetDefault rejected suite 0x%04x (i = %d)\n",
+	    	   suite, i);
+	    errWarn("SSL_CipherPrefSetDefault");
+	}
+    }
+}
+
+/* disable all the export SSL cipher suites */
+SECStatus
+disableExportSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv           = SECSuccess;
+    SSLCipherSuiteInfo info;
+
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+	SECStatus status;
+	status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info);
+	if (status != SECSuccess) {
+	    printf("SSL_GetCipherSuiteInfo rejected suite 0x%04x (i = %d)\n",
+		   suite, i);
+	    errWarn("SSL_GetCipherSuiteInfo");
+	    rv = SECFailure;
+	    continue;
+	}
+	if (info.cipherSuite != suite) {
+	    printf(
+"SSL_GetCipherSuiteInfo returned wrong suite! Wanted 0x%04x, Got 0x%04x\n",
+		   suite, i);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	    continue;
+	}
+	/* should check here that info.length >= offsetof isExportable */
+	if (info.isExportable) {
+	    status = SSL_CipherPolicySet(suite, SSL_NOT_ALLOWED);
+	    if (status != SECSuccess) {
+		printf("SSL_CipherPolicySet rejected suite 0x%04x (i = %d)\n",
+		       suite, i);
+		errWarn("SSL_CipherPolicySet");
+		rv = SECFailure;
+	    }
+	}
+    }
+    return rv;
+}
+
+static SECStatus
+mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
+		     PRBool isServer)
+{
+    SECStatus rv;
+    CERTCertificate *    peerCert;
+
+    peerCert = SSL_PeerCertificate(fd);
+
+    PRINTF("selfserv: Subject: %s\nselfserv: Issuer : %s\n",
+           peerCert->subjectName, peerCert->issuerName);
+
+    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
+
+    if (rv == SECSuccess) {
+	PRINTF("selfserv: -- SSL3: Certificate Validated.\n");
+    } else {
+    	int err = PR_GetError();
+	FPRINTF(stderr, "selfserv: -- SSL3: Certificate Invalid, err %d.\n%s\n", 
+                err, SECU_Strerror(err));
+    }
+    CERT_DestroyCertificate(peerCert);
+    FLUSH;
+    return rv;  
+}
+
+void
+printSSLStatistics()
+{
+    SSL3Statistics *  ssl3stats = SSL_GetStatistics();
+
+    printf(
+	"selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
+	"          %ld stateless resumes, %ld ticket parse failures\n",
+	ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+	ssl3stats->hch_sid_cache_not_ok, ssl3stats->hch_sid_stateless_resumes,
+	ssl3stats->hch_sid_ticket_parse_failures);
+}
+
+void 
+printSecurityInfo(PRFileDesc *fd)
+{
+    CERTCertificate * cert      = NULL;
+    SECStatus         result;
+    SSLChannelInfo    channel;
+    SSLCipherSuiteInfo suite;
+
+    if (verbose)
+	printSSLStatistics();
+
+    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
+    if (result == SECSuccess && 
+        channel.length == sizeof channel && 
+	channel.cipherSuite) {
+	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
+					&suite, sizeof suite);
+	if (result == SECSuccess) {
+	    FPRINTF(stderr, 
+	    "selfserv: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
+	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
+	       suite.effectiveKeyBits, suite.symCipherName, 
+	       suite.macBits, suite.macAlgorithmName);
+	    FPRINTF(stderr, 
+	    "selfserv: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
+	       channel.authKeyBits, suite.authAlgorithmName,
+	       channel.keaKeyBits,  suite.keaTypeName);
+    	}
+    }
+    if (requestCert)
+	cert = SSL_PeerCertificate(fd);
+    else
+	cert = SSL_LocalCertificate(fd);
+    if (cert) {
+	char * ip = CERT_NameToAscii(&cert->issuer);
+	char * sp = CERT_NameToAscii(&cert->subject);
+        if (sp) {
+	    FPRINTF(stderr, "selfserv: subject DN: %s\n", sp);
+	    PORT_Free(sp);
+	}
+        if (ip) {
+	    FPRINTF(stderr, "selfserv: issuer  DN: %s\n", ip);
+	    PORT_Free(ip);
+	}
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+    FLUSH;
+}
+
+static int MakeCertOK;
+
+static SECStatus
+myBadCertHandler( void *arg, PRFileDesc *fd)
+{
+    int err = PR_GetError();
+    if (!MakeCertOK)
+	fprintf(stderr, 
+	    "selfserv: -- SSL: Client Certificate Invalid, err %d.\n%s\n", 
+            err, SECU_Strerror(err));
+    return (MakeCertOK ? SECSuccess : SECFailure);
+}
+
+/**************************************************************************
+** Begin thread management routines and data.
+**************************************************************************/
+#define MIN_THREADS 3
+#define DEFAULT_THREADS 8
+#define MAX_THREADS 4096
+#define MAX_PROCS 25
+static int  maxThreads = DEFAULT_THREADS;
+
+
+typedef struct jobStr {
+    PRCList     link;
+    PRFileDesc *tcp_sock;
+    PRFileDesc *model_sock;
+    int         requestCert;
+} JOB;
+
+static PZLock    * qLock; /* this lock protects all data immediately below */
+static PRLock    * lastLoadedCrlLock; /* this lock protects lastLoadedCrl variable */
+static PZCondVar * jobQNotEmptyCv;
+static PZCondVar * freeListNotEmptyCv;
+static PZCondVar * threadCountChangeCv;
+static int  threadCount;
+static PRCList  jobQ;
+static PRCList  freeJobs;
+static JOB *jobTable;
+
+SECStatus
+setupJobs(int maxJobs)
+{
+    int i;
+
+    jobTable = (JOB *)PR_Calloc(maxJobs, sizeof(JOB));
+    if (!jobTable)
+    	return SECFailure;
+
+    PR_INIT_CLIST(&jobQ);
+    PR_INIT_CLIST(&freeJobs);
+
+    for (i = 0; i < maxJobs; ++i) {
+	JOB * pJob = jobTable + i;
+	PR_APPEND_LINK(&pJob->link, &freeJobs);
+    }
+    return SECSuccess;
+}
+
+typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c);
+
+typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
+
+typedef struct perThreadStr {
+    PRFileDesc *a;
+    PRFileDesc *b;
+    int         c;
+    int         rv;
+    startFn  *  startFunc;
+    PRThread *  prThread;
+    runState	state;
+} perThread;
+
+static perThread *threads;
+
+void
+thread_wrapper(void * arg)
+{
+    perThread * slot = (perThread *)arg;
+
+    slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->c);
+
+    /* notify the thread exit handler. */
+    PZ_Lock(qLock);
+    slot->state = rs_zombie;
+    --threadCount;
+    PZ_NotifyAllCondVar(threadCountChangeCv);
+    PZ_Unlock(qLock);
+}
+
+int 
+jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
+{
+    PRCList * myLink = 0;
+    JOB     * myJob;
+
+    PZ_Lock(qLock);
+    do {
+	myLink = 0;
+	while (PR_CLIST_IS_EMPTY(&jobQ) && !stopping) {
+            PZ_WaitCondVar(jobQNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
+	}
+	if (!PR_CLIST_IS_EMPTY(&jobQ)) {
+	    myLink = PR_LIST_HEAD(&jobQ);
+	    PR_REMOVE_AND_INIT_LINK(myLink);
+	}
+	PZ_Unlock(qLock);
+	myJob = (JOB *)myLink;
+	/* myJob will be null when stopping is true and jobQ is empty */
+	if (!myJob) 
+	    break;
+	handle_connection( myJob->tcp_sock, myJob->model_sock, 
+			   myJob->requestCert);
+	PZ_Lock(qLock);
+	PR_APPEND_LINK(myLink, &freeJobs);
+	PZ_NotifyCondVar(freeListNotEmptyCv);
+    } while (PR_TRUE);
+    return 0;
+}
+
+
+SECStatus
+launch_threads(
+    startFn    *startFunc,
+    PRFileDesc *a,
+    PRFileDesc *b,
+    int         c,
+    PRBool      local)
+{
+    int i;
+    SECStatus rv = SECSuccess;
+
+    /* create the thread management serialization structs */
+    qLock               = PZ_NewLock(nssILockSelfServ);
+    jobQNotEmptyCv      = PZ_NewCondVar(qLock);
+    freeListNotEmptyCv  = PZ_NewCondVar(qLock);
+    threadCountChangeCv = PZ_NewCondVar(qLock);
+
+    /* create monitor for crl reload procedure */
+    lastLoadedCrlLock   = PR_NewLock();
+
+    /* allocate the array of thread slots */
+    threads = PR_Calloc(maxThreads, sizeof(perThread));
+    if ( NULL == threads )  {
+        fprintf(stderr, "Oh Drat! Can't allocate the perThread array\n");
+        return SECFailure;
+    }
+    /* 5 is a little extra, intended to keep the jobQ from underflowing. 
+    ** That is, from going empty while not stopping and clients are still
+    ** trying to contact us.
+    */
+    rv = setupJobs(maxThreads + 5);
+    if (rv != SECSuccess)
+    	return rv;
+
+    PZ_Lock(qLock);
+    for (i = 0; i < maxThreads; ++i) {
+    	perThread * slot = threads + i;
+
+	slot->state = rs_running;
+	slot->a = a;
+	slot->b = b;
+	slot->c = c;
+	slot->startFunc = startFunc;
+	slot->prThread = PR_CreateThread(PR_USER_THREAD, 
+			thread_wrapper, slot, PR_PRIORITY_NORMAL, 
+                        (PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
+                        PR_UNJOINABLE_THREAD, 0);
+	if (slot->prThread == NULL) {
+	    printf("selfserv: Failed to launch thread!\n");
+	    slot->state = rs_idle;
+	    rv = SECFailure;
+	    break;
+	} 
+
+	++threadCount;
+    }
+    PZ_Unlock(qLock); 
+
+    return rv;
+}
+
+#define DESTROY_CONDVAR(name) if (name) { \
+        PZ_DestroyCondVar(name); name = NULL; }
+#define DESTROY_LOCK(name) if (name) { \
+        PZ_DestroyLock(name); name = NULL; }
+	
+
+void
+terminateWorkerThreads(void)
+{
+    VLOG(("selfserv: server_thead: waiting on stopping"));
+    PZ_Lock(qLock);
+    PZ_NotifyAllCondVar(jobQNotEmptyCv);
+    while (threadCount > 0) {
+	PZ_WaitCondVar(threadCountChangeCv, PR_INTERVAL_NO_TIMEOUT);
+    }
+    /* The worker threads empty the jobQ before they terminate. */
+    PORT_Assert(PR_CLIST_IS_EMPTY(&jobQ));
+    PZ_Unlock(qLock); 
+
+    DESTROY_CONDVAR(jobQNotEmptyCv);
+    DESTROY_CONDVAR(freeListNotEmptyCv);
+    DESTROY_CONDVAR(threadCountChangeCv);
+
+    PR_DestroyLock(lastLoadedCrlLock);
+    DESTROY_LOCK(qLock);
+    PR_Free(jobTable);
+    PR_Free(threads);
+}
+
+static void 
+logger(void *arg)
+{
+    PRFloat64 seconds;
+    PRFloat64 opsPerSec;
+    PRIntervalTime period;
+    PRIntervalTime previousTime;
+    PRIntervalTime latestTime;
+    PRUint32 previousOps;
+    PRUint32 ops;
+    PRIntervalTime logPeriodTicks = PR_TicksPerSecond();
+    PRFloat64 secondsPerTick = 1.0 / (PRFloat64)logPeriodTicks;
+    int iterations = 0;
+    int secondsElapsed = 0;
+    static PRInt64 totalPeriodBytes = 0;
+    static PRInt64 totalPeriodBytesTCP = 0;
+
+    previousOps = loggerOps;
+    previousTime = PR_IntervalNow();
+ 
+    for (;;) {
+        /* OK, implementing a new sleep algorithm here... always sleep 
+         * for 1 second but print out info at the user-specified interval.
+         * This way, we don't overflow all of our PR_Atomic* functions and 
+         * we don't have to use locks. 
+         */
+        PR_Sleep(logPeriodTicks);
+        secondsElapsed++;
+        totalPeriodBytes +=  PR_AtomicSet(&loggerBytes, 0);
+        totalPeriodBytesTCP += PR_AtomicSet(&loggerBytesTCP, 0);
+        if (secondsElapsed != logPeriod) {
+            continue;
+        }
+        /* when we reach the user-specified logging interval, print out all
+         * data 
+         */
+        secondsElapsed = 0;
+        latestTime = PR_IntervalNow();
+        ops = loggerOps;
+        period = latestTime - previousTime;
+        seconds = (PRFloat64) period*secondsPerTick;
+        opsPerSec = (ops - previousOps) / seconds;
+
+        if (testBulk) {
+            if (iterations == 0) {
+                if (loggingLayer == PR_TRUE) {
+                    printf("Conn.--------App Data--------TCP Data\n");
+                } else {
+                    printf("Conn.--------App Data\n");
+                }
+            }
+            if (loggingLayer == PR_TRUE) {
+                printf("%4.d       %5.3f MB/s      %5.3f MB/s\n", ops, 
+                    totalPeriodBytes / (seconds * 1048576.0), 
+                    totalPeriodBytesTCP / (seconds * 1048576.0));
+            } else {
+                printf("%4.d       %5.3f MB/s\n", ops, 
+                    totalPeriodBytes / (seconds * 1048576.0));
+            }
+            totalPeriodBytes = 0;
+            totalPeriodBytesTCP = 0;
+            /* Print the "legend" every 20 iterations */
+            iterations = (iterations + 1) % 20; 
+        } else {
+            printf("%.2f ops/second, %d threads\n", opsPerSec, threadCount);
+        }
+
+        fflush(stdout);
+        previousOps = ops;
+        previousTime = latestTime;
+        if (stopping) {
+            break;
+        }
+    }
+}
+
+
+/**************************************************************************
+** End   thread management routines.
+**************************************************************************/
+
+PRBool useModelSocket  = PR_FALSE;
+PRBool disableSSL2     = PR_FALSE;
+PRBool disableSSL3     = PR_FALSE;
+PRBool disableTLS      = PR_FALSE;
+PRBool disableRollBack = PR_FALSE;
+PRBool NoReuse         = PR_FALSE;
+PRBool hasSidCache     = PR_FALSE;
+PRBool disableStepDown = PR_FALSE;
+PRBool bypassPKCS11    = PR_FALSE;
+PRBool disableLocking  = PR_FALSE;
+PRBool testbypass      = PR_FALSE;
+PRBool enableSessionTickets = PR_FALSE;
+
+static const char stopCmd[] = { "GET /stop " };
+static const char getCmd[]  = { "GET " };
+static const char EOFmsg[]  = { "EOF\r\n\r\n\r\n" };
+static const char outHeader[] = {
+    "HTTP/1.0 200 OK\r\n"
+    "Server: Generic Web Server\r\n"
+    "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
+    "Content-type: text/plain\r\n"
+    "\r\n"
+};
+static const char crlCacheErr[]  = { "CRL ReCache Error: " };
+
+PRUint16 cipherlist[100];
+int nciphers;
+
+void
+savecipher(int c)
+{
+    if (nciphers < sizeof cipherlist / sizeof (cipherlist[0]))
+	cipherlist[nciphers++] = (PRUint16)c;
+}
+
+
+#ifdef FULL_DUPLEX_CAPABLE
+
+struct lockedVarsStr {
+    PZLock *	lock;
+    int		count;
+    int		waiters;
+    PZCondVar *	condVar;
+};
+
+typedef struct lockedVarsStr lockedVars;
+
+void 
+lockedVars_Init( lockedVars * lv)
+{
+    lv->count   = 0;
+    lv->waiters = 0;
+    lv->lock    = PZ_NewLock(nssILockSelfServ);
+    lv->condVar = PZ_NewCondVar(lv->lock);
+}
+
+void
+lockedVars_Destroy( lockedVars * lv)
+{
+    PZ_DestroyCondVar(lv->condVar);
+    lv->condVar = NULL;
+
+    PZ_DestroyLock(lv->lock);
+    lv->lock = NULL;
+}
+
+void
+lockedVars_WaitForDone(lockedVars * lv)
+{
+    PZ_Lock(lv->lock);
+    while (lv->count > 0) {
+    	PZ_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
+    }
+    PZ_Unlock(lv->lock);
+}
+
+int	/* returns count */
+lockedVars_AddToCount(lockedVars * lv, int addend)
+{
+    int rv;
+
+    PZ_Lock(lv->lock);
+    rv = lv->count += addend;
+    if (rv <= 0) {
+	PZ_NotifyCondVar(lv->condVar);
+    }
+    PZ_Unlock(lv->lock);
+    return rv;
+}
+
+int
+do_writes(
+    PRFileDesc *	ssl_sock,
+    PRFileDesc *	model_sock,
+    int         	requestCert
+    )
+{
+    int			sent  = 0;
+    int 		count = 0;
+    lockedVars *	lv = (lockedVars *)model_sock;
+
+    VLOG(("selfserv: do_writes: starting"));
+    while (sent < bigBuf.len) {
+
+	count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent);
+	if (count < 0) {
+	    errWarn("PR_Write bigBuf");
+	    break;
+	}
+	FPRINTF(stderr, "selfserv: PR_Write wrote %d bytes from bigBuf\n", count );
+	sent += count;
+    }
+    if (count >= 0) {	/* last write didn't fail. */
+    	PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND);
+    }
+
+    /* notify the reader that we're done. */
+    lockedVars_AddToCount(lv, -1);
+    FLUSH;
+    VLOG(("selfserv: do_writes: exiting"));
+    return (sent < bigBuf.len) ? SECFailure : SECSuccess;
+}
+
+static int 
+handle_fdx_connection(
+    PRFileDesc *       tcp_sock,
+    PRFileDesc *       model_sock,
+    int                requestCert
+    )
+{
+    PRFileDesc *       ssl_sock	= NULL;
+    SECStatus          result;
+    int                firstTime = 1;
+    lockedVars         lv;
+    PRSocketOptionData opt;
+    char               buf[10240];
+
+
+    VLOG(("selfserv: handle_fdx_connection: starting"));
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    PR_SetSocketOption(tcp_sock, &opt);
+
+    if (useModelSocket && model_sock) {
+	SECStatus rv;
+	ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
+	if (!ssl_sock) {
+	    errWarn("SSL_ImportFD with model");
+	    goto cleanup;
+	}
+	rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 1);
+	if (rv != SECSuccess) {
+	    errWarn("SSL_ResetHandshake");
+	    goto cleanup;
+	}
+    } else {
+	ssl_sock = tcp_sock;
+    }
+
+    lockedVars_Init(&lv);
+    lockedVars_AddToCount(&lv, 1);
+
+    /* Attempt to launch the writer thread. */
+    result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv, 
+                           requestCert);
+
+    if (result == SECSuccess) 
+      do {
+	/* do reads here. */
+	int count;
+	count = PR_Read(ssl_sock, buf, sizeof buf);
+	if (count < 0) {
+	    errWarn("FDX PR_Read");
+	    break;
+	}
+	FPRINTF(stderr, "selfserv: FDX PR_Read read %d bytes.\n", count );
+	if (firstTime) {
+	    firstTime = 0;
+	    printSecurityInfo(ssl_sock);
+	}
+    } while (lockedVars_AddToCount(&lv, 0) > 0);
+
+    /* Wait for writer to finish */
+    lockedVars_WaitForDone(&lv);
+    lockedVars_Destroy(&lv);
+    FLUSH;
+
+cleanup:
+    if (ssl_sock) {
+	PR_Close(ssl_sock);
+    } else if (tcp_sock) {
+	PR_Close(tcp_sock);
+    }
+
+    VLOG(("selfserv: handle_fdx_connection: exiting"));
+    return SECSuccess;
+}
+
+#endif
+
+static SECItem *lastLoadedCrl = NULL;
+
+static SECStatus
+reload_crl(PRFileDesc *crlFile)
+{
+    SECItem *crlDer;
+    CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
+    SECStatus rv;
+
+    /* Read in the entire file specified with the -f argument */
+    crlDer = PORT_Malloc(sizeof(SECItem));
+    if (!crlDer) {
+        errWarn("Can not allocate memory.");
+        return SECFailure;
+    }
+
+    rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE);
+    if (rv != SECSuccess) {
+        errWarn("Unable to read input file.");
+        PORT_Free(crlDer);
+        return SECFailure;
+    }
+
+    PR_Lock(lastLoadedCrlLock);
+    rv = CERT_CacheCRL(certHandle, crlDer);
+    if (rv == SECSuccess) {
+        SECItem *tempItem = crlDer;
+        if (lastLoadedCrl != NULL) {
+            rv = CERT_UncacheCRL(certHandle, lastLoadedCrl);
+            if (rv != SECSuccess) {
+                errWarn("Unable to uncache crl.");
+                goto loser;
+            }
+            crlDer = lastLoadedCrl;
+        } else {
+            crlDer = NULL;
+        }
+        lastLoadedCrl = tempItem;
+    }
+
+  loser:
+    PR_Unlock(lastLoadedCrlLock);
+    SECITEM_FreeItem(crlDer, PR_TRUE);
+    return rv;
+}
+
+void stop_server()
+{
+    stopping = 1;
+    PR_Interrupt(acceptorThread);
+    PZ_TraceFlush();
+}
+
+int
+handle_connection( 
+    PRFileDesc *tcp_sock,
+    PRFileDesc *model_sock,
+    int         requestCert
+    )
+{
+    PRFileDesc *       ssl_sock = NULL;
+    PRFileDesc *       local_file_fd = NULL;
+    char  *            post;
+    char  *            pBuf;			/* unused space at end of buf */
+    const char *       errString;
+    PRStatus           status;
+    int                bufRem;			/* unused bytes at end of buf */
+    int                bufDat;			/* characters received in buf */
+    int                newln    = 0;		/* # of consecutive newlns */
+    int                firstTime = 1;
+    int                reqLen;
+    int                rv;
+    int                numIOVs;
+    PRSocketOptionData opt;
+    PRIOVec            iovs[16];
+    char               msgBuf[160];
+    char               buf[10240];
+    char               fileName[513];
+    char               proto[128];
+    PRDescIdentity     aboveLayer = PR_INVALID_IO_LAYER;
+
+    pBuf   = buf;
+    bufRem = sizeof buf;
+
+    VLOG(("selfserv: handle_connection: starting"));
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    PR_SetSocketOption(tcp_sock, &opt);
+
+    VLOG(("selfserv: handle_connection: starting\n"));
+    if (useModelSocket && model_sock) {
+	SECStatus rv;
+	ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
+	if (!ssl_sock) {
+	    errWarn("SSL_ImportFD with model");
+	    goto cleanup;
+	}
+	rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 1);
+	if (rv != SECSuccess) {
+	    errWarn("SSL_ResetHandshake");
+	    goto cleanup;
+	}
+    } else {
+	ssl_sock = tcp_sock;
+    }
+
+    if (loggingLayer) {
+        /* find the layer where our new layer is to be pushed */
+        aboveLayer = PR_GetLayersIdentity(ssl_sock->lower);
+        if (aboveLayer == PR_INVALID_IO_LAYER) {
+            errExit("PRGetUniqueIdentity");
+        }
+        /* create the new layer - this is a very cheap operation */
+        loggingFD = PR_CreateIOLayerStub(log_layer_id, &loggingMethods);
+        if (!loggingFD)
+            errExit("PR_CreateIOLayerStub");
+        /* push the layer below ssl but above TCP */
+        rv = PR_PushIOLayer(ssl_sock, aboveLayer, loggingFD);
+        if (rv != PR_SUCCESS) {
+            errExit("PR_PushIOLayer");
+        }
+    }
+
+    if (noDelay) {
+	opt.option         = PR_SockOpt_NoDelay;
+	opt.value.no_delay = PR_TRUE;
+	status = PR_SetSocketOption(ssl_sock, &opt);
+	if (status != PR_SUCCESS) {
+	    errWarn("PR_SetSocketOption(PR_SockOpt_NoDelay, PR_TRUE)");
+            if (ssl_sock) {
+	        PR_Close(ssl_sock);
+            }
+	    return SECFailure;
+	}
+    }
+
+    while (1) {
+	newln = 0;
+	reqLen     = 0;
+	rv = PR_Read(ssl_sock, pBuf, bufRem - 1);
+	if (rv == 0 || 
+	    (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
+	    if (verbose)
+		errWarn("HDX PR_Read hit EOF");
+	    break;
+	}
+	if (rv < 0) {
+	    errWarn("HDX PR_Read");
+	    goto cleanup;
+	}
+	/* NULL termination */
+	pBuf[rv] = 0;
+	if (firstTime) {
+	    firstTime = 0;
+	    printSecurityInfo(ssl_sock);
+	}
+
+	pBuf   += rv;
+	bufRem -= rv;
+	bufDat = pBuf - buf;
+	/* Parse the input, starting at the beginning of the buffer.
+	 * Stop when we detect two consecutive \n's (or \r\n's) 
+	 * as this signifies the end of the GET or POST portion.
+	 * The posted data follows.
+	 */
+	while (reqLen < bufDat && newln < 2) {
+	    int octet = buf[reqLen++];
+	    if (octet == '\n') {
+		newln++;
+	    } else if (octet != '\r') {
+		newln = 0;
+	    }
+	}
+
+	/* came to the end of the buffer, or second newln
+	 * If we didn't get an empty line (CRLFCRLF) then keep on reading.
+	 */
+	if (newln < 2) 
+	    continue;
+
+	/* we're at the end of the HTTP request.
+	 * If the request is a POST, then there will be one more
+	 * line of data.
+	 * This parsing is a hack, but ok for SSL test purposes.
+	 */
+	post = PORT_Strstr(buf, "POST ");
+	if (!post || *post != 'P') 
+	    break;
+
+	/* It's a post, so look for the next and final CR/LF. */
+	/* We should parse content length here, but ... */
+	while (reqLen < bufDat && newln < 3) {
+	    int octet = buf[reqLen++];
+	    if (octet == '\n') {
+		newln++;
+	    }
+	}
+	if (newln == 3)
+	    break;
+    } /* read loop */
+
+    bufDat = pBuf - buf;
+    if (bufDat) do {	/* just close if no data */
+	/* Have either (a) a complete get, (b) a complete post, (c) EOF */
+	if (reqLen > 0 && !strncmp(buf, getCmd, sizeof getCmd - 1)) {
+	    char *      fnBegin = buf + 4;
+	    char *      fnEnd;
+	    PRFileInfo  info;
+	    /* try to open the file named.  
+	     * If succesful, then write it to the client.
+	     */
+	    fnEnd = strpbrk(fnBegin, " \r\n");
+	    if (fnEnd) {
+		int fnLen = fnEnd - fnBegin;
+		if (fnLen < sizeof fileName) {
+                    char *real_fileName = fileName;
+                    char *protoEnd = NULL;
+                    strncpy(fileName, fnBegin, fnLen);
+                    fileName[fnLen] = 0;	/* null terminate */
+                    if ((protoEnd = strstr(fileName, "://")) != NULL) {
+                        int protoLen = PR_MIN(protoEnd - fileName, sizeof(proto) - 1);
+                        PL_strncpy(proto, fileName, protoLen);
+                        proto[protoLen] = 0;
+                        real_fileName= protoEnd + 3;
+                    } else {
+                        proto[0] = 0;
+                    }
+		    status = PR_GetFileInfo(real_fileName, &info);
+		    if (status == PR_SUCCESS &&
+			info.type == PR_FILE_FILE &&
+			info.size >= 0 ) {
+			local_file_fd = PR_Open(real_fileName, PR_RDONLY, 0);
+		    }
+		}
+	    }
+	}
+	/* if user has requested client auth in a subsequent handshake,
+	 * do it here.
+	 */
+	if (requestCert > 2) { /* request cert was 3 or 4 */
+	    CERTCertificate *  cert =  SSL_PeerCertificate(ssl_sock);
+	    if (cert) {
+		CERT_DestroyCertificate(cert);
+	    } else {
+		rv = SSL_OptionSet(ssl_sock, SSL_REQUEST_CERTIFICATE, 1);
+		if (rv < 0) {
+		    errWarn("second SSL_OptionSet SSL_REQUEST_CERTIFICATE");
+		    break;
+		}
+		rv = SSL_OptionSet(ssl_sock, SSL_REQUIRE_CERTIFICATE, 
+				(requestCert == 4));
+		if (rv < 0) {
+		    errWarn("second SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
+		    break;
+		}
+		rv = SSL_ReHandshake(ssl_sock, PR_TRUE);
+		if (rv != 0) {
+		    errWarn("SSL_ReHandshake");
+		    break;
+		}
+		rv = SSL_ForceHandshake(ssl_sock);
+		if (rv < 0) {
+		    errWarn("SSL_ForceHandshake");
+		    break;
+		}
+	    }
+	}
+
+	numIOVs = 0;
+
+	iovs[numIOVs].iov_base = (char *)outHeader;
+	iovs[numIOVs].iov_len  = (sizeof(outHeader)) - 1;
+	numIOVs++;
+
+	if (local_file_fd) {
+	    PRInt32     bytes;
+	    int         errLen;
+	    if (!PL_strlen(proto) || !PL_strcmp(proto, "file")) {
+                bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
+                                        sizeof outHeader - 1,
+                                        PR_TRANSMITFILE_KEEP_OPEN,
+                                        PR_INTERVAL_NO_TIMEOUT);
+                if (bytes >= 0) {
+                    bytes -= sizeof outHeader - 1;
+                    FPRINTF(stderr, 
+                            "selfserv: PR_TransmitFile wrote %d bytes from %s\n",
+                            bytes, fileName);
+                    break;
+                }
+                errString = errWarn("PR_TransmitFile");
+                errLen = PORT_Strlen(errString);
+                errLen = PR_MIN(errLen, sizeof msgBuf - 1);
+                PORT_Memcpy(msgBuf, errString, errLen);
+                msgBuf[errLen] = 0;
+                
+                iovs[numIOVs].iov_base = msgBuf;
+                iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
+                numIOVs++;
+            }
+            if (!PL_strcmp(proto, "crl")) {
+                if (reload_crl(local_file_fd) == SECFailure) {
+                    errString = errWarn("CERT_CacheCRL");
+                    if (!errString)
+                        errString = "Unknow error";
+                    PR_snprintf(msgBuf, sizeof(msgBuf), "%s%s ",
+                                crlCacheErr, errString);
+                    
+                    iovs[numIOVs].iov_base = msgBuf;
+                    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
+                    numIOVs++;
+                } else {
+                    FPRINTF(stderr, 
+                            "selfserv: CRL %s reloaded.\n",
+                            fileName);
+                    break;
+                }
+            }
+	} else if (reqLen <= 0) {	/* hit eof */
+	    PORT_Sprintf(msgBuf, "Get or Post incomplete after %d bytes.\r\n",
+			 bufDat);
+
+	    iovs[numIOVs].iov_base = msgBuf;
+	    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
+	    numIOVs++;
+	} else if (reqLen < bufDat) {
+	    PORT_Sprintf(msgBuf, "Discarded %d characters.\r\n", 
+	                 bufDat - reqLen);
+
+	    iovs[numIOVs].iov_base = msgBuf;
+	    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
+	    numIOVs++;
+	}
+
+	if (reqLen > 0) {
+	    if (verbose > 1) 
+	    	fwrite(buf, 1, reqLen, stdout);	/* display it */
+
+	    iovs[numIOVs].iov_base = buf;
+	    iovs[numIOVs].iov_len  = reqLen;
+	    numIOVs++;
+	}
+
+        /* Don't add the EOF if we want to test bulk encryption */
+        if (!testBulk) {
+            iovs[numIOVs].iov_base = (char *)EOFmsg;
+            iovs[numIOVs].iov_len  = sizeof EOFmsg - 1;
+            numIOVs++;
+        }
+
+	rv = PR_Writev(ssl_sock, iovs, numIOVs, PR_INTERVAL_NO_TIMEOUT);
+	if (rv < 0) {
+	    errWarn("PR_Writev");
+	    break;
+	}
+
+        /* Send testBulkTotal chunks to the client. Unlimited if 0. */
+        if (testBulk) {
+            while (0 < (rv = PR_Write(ssl_sock, testBulkBuf, testBulkSize))) {
+                PR_AtomicAdd(&loggerBytes, rv);
+                PR_AtomicIncrement(&bulkSentChunks);
+                if ((bulkSentChunks > testBulkTotal) && (testBulkTotal != 0))
+                    break;
+            }
+
+            /* There was a write error, so close this connection. */
+            if (bulkSentChunks <= testBulkTotal) {
+                errWarn("PR_Write");
+            }
+            PR_AtomicDecrement(&loggerOps);
+            break;
+        }
+    } while (0);
+
+cleanup:
+    if (ssl_sock) {
+        PR_Close(ssl_sock);
+    } else if (tcp_sock) {
+        PR_Close(tcp_sock);
+    }
+    if (local_file_fd)
+	PR_Close(local_file_fd);
+    VLOG(("selfserv: handle_connection: exiting\n"));
+
+    /* do a nice shutdown if asked. */
+    if (!strncmp(buf, stopCmd, sizeof stopCmd - 1)) {
+        VLOG(("selfserv: handle_connection: stop command"));
+        stop_server();
+    }
+    VLOG(("selfserv: handle_connection: exiting"));
+    return SECSuccess;	/* success */
+}
+
+#ifdef XP_UNIX
+
+void sigusr1_handler(int sig)
+{
+    VLOG(("selfserv: sigusr1_handler: stop server"));
+    stop_server();
+}
+
+#endif
+
+SECStatus
+do_accepts(
+    PRFileDesc *listen_sock,
+    PRFileDesc *model_sock,
+    int         requestCert
+    )
+{
+    PRNetAddr   addr;
+    PRErrorCode  perr;
+#ifdef XP_UNIX
+    struct sigaction act;
+#endif
+
+    VLOG(("selfserv: do_accepts: starting"));
+    PR_SetThreadPriority( PR_GetCurrentThread(), PR_PRIORITY_HIGH);
+
+    acceptorThread = PR_GetCurrentThread();
+#ifdef XP_UNIX
+    /* set up the signal handler */
+    act.sa_handler = sigusr1_handler;
+    sigemptyset(&act.sa_mask);
+    act.sa_flags = 0;
+    if (sigaction(SIGUSR1, &act, NULL)) {
+        fprintf(stderr, "Error installing signal handler.\n");
+        exit(1);
+    }
+#endif
+    while (!stopping) {
+	PRFileDesc *tcp_sock;
+	PRCList    *myLink;
+
+	FPRINTF(stderr, "\n\n\nselfserv: About to call accept.\n");
+	tcp_sock = PR_Accept(listen_sock, &addr, PR_INTERVAL_NO_TIMEOUT);
+	if (tcp_sock == NULL) {
+    	    perr      = PR_GetError();
+	    if ((perr != PR_CONNECT_RESET_ERROR &&
+	         perr != PR_PENDING_INTERRUPT_ERROR) || verbose) {
+		errWarn("PR_Accept");
+	    } 
+	    if (perr == PR_CONNECT_RESET_ERROR) {
+		FPRINTF(stderr, 
+		        "Ignoring PR_CONNECT_RESET_ERROR error - continue\n");
+		continue;
+	    }
+	    stopping = 1;
+	    break;
+	}
+
+        VLOG(("selfserv: do_accept: Got connection\n"));
+
+        if (logStats) {
+            PR_AtomicIncrement(&loggerOps);
+        }
+
+	PZ_Lock(qLock);
+	while (PR_CLIST_IS_EMPTY(&freeJobs) && !stopping) {
+            PZ_WaitCondVar(freeListNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
+	}
+	if (stopping) {
+	    PZ_Unlock(qLock);
+            if (tcp_sock) {
+	        PR_Close(tcp_sock);
+            }
+	    break;
+	}
+	myLink = PR_LIST_HEAD(&freeJobs);
+	PR_REMOVE_AND_INIT_LINK(myLink);
+	/* could release qLock here and reaquire it 7 lines below, but 
+	** why bother for 4 assignment statements? 
+	*/
+	{
+	    JOB * myJob = (JOB *)myLink;
+	    myJob->tcp_sock    = tcp_sock;
+	    myJob->model_sock  = model_sock;
+	    myJob->requestCert = requestCert;
+	}
+
+	PR_APPEND_LINK(myLink, &jobQ);
+	PZ_NotifyCondVar(jobQNotEmptyCv);
+	PZ_Unlock(qLock);
+    }
+
+    FPRINTF(stderr, "selfserv: Closing listen socket.\n");
+    VLOG(("selfserv: do_accepts: exiting"));
+    if (listen_sock) {
+        PR_Close(listen_sock);
+    }
+    return SECSuccess;
+}
+
+PRFileDesc *
+getBoundListenSocket(unsigned short port)
+{
+    PRFileDesc *       listen_sock;
+    int                listenQueueDepth = 5 + (2 * maxThreads);
+    PRStatus	       prStatus;
+    PRNetAddr          addr;
+    PRSocketOptionData opt;
+
+    addr.inet.family = PR_AF_INET;
+    addr.inet.ip     = PR_INADDR_ANY;
+    addr.inet.port   = PR_htons(port);
+
+    listen_sock = PR_NewTCPSocket();
+    if (listen_sock == NULL) {
+	errExit("PR_NewTCPSocket");
+    }
+
+    opt.option = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    prStatus = PR_SetSocketOption(listen_sock, &opt);
+    if (prStatus < 0) {
+        PR_Close(listen_sock);
+	errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+    }
+
+    opt.option=PR_SockOpt_Reuseaddr;
+    opt.value.reuse_addr = PR_TRUE;
+    prStatus = PR_SetSocketOption(listen_sock, &opt);
+    if (prStatus < 0) {
+        PR_Close(listen_sock);
+	errExit("PR_SetSocketOption(PR_SockOpt_Reuseaddr)");
+    }
+
+#ifndef WIN95
+    /* Set PR_SockOpt_Linger because it helps prevent a server bind issue
+     * after clean shutdown . See bug 331413 .
+     * Don't do it in the WIN95 build configuration because clean shutdown is
+     * not implemented, and PR_SockOpt_Linger causes a hang in ssl.sh .
+     * See bug 332348 */
+    opt.option=PR_SockOpt_Linger;
+    opt.value.linger.polarity = PR_TRUE;
+    opt.value.linger.linger = PR_SecondsToInterval(1);
+    prStatus = PR_SetSocketOption(listen_sock, &opt);
+    if (prStatus < 0) {
+        PR_Close(listen_sock);
+        errExit("PR_SetSocketOption(PR_SockOpt_Linger)");
+    }
+#endif
+
+    prStatus = PR_Bind(listen_sock, &addr);
+    if (prStatus < 0) {
+        PR_Close(listen_sock);
+	errExit("PR_Bind");
+    }
+
+    prStatus = PR_Listen(listen_sock, listenQueueDepth);
+    if (prStatus < 0) {
+        PR_Close(listen_sock);
+	errExit("PR_Listen");
+    }
+    return listen_sock;
+}
+
+PRInt32 PR_CALLBACK 
+logWritev (
+    PRFileDesc     *fd,
+    const PRIOVec  *iov,
+    PRInt32         size, 
+    PRIntervalTime  timeout )
+{
+    PRInt32 rv = (fd->lower->methods->writev)(fd->lower, iov, size, 
+        timeout);
+    /* Add the amount written, but not if there's an error */
+    if (rv > 0) 
+        PR_AtomicAdd(&loggerBytesTCP, rv);
+    return rv;
+}
+    
+PRInt32 PR_CALLBACK 
+logWrite (
+    PRFileDesc  *fd, 
+    const void  *buf, 
+    PRInt32      amount)
+{   
+    PRInt32 rv = (fd->lower->methods->write)(fd->lower, buf, amount);
+    /* Add the amount written, but not if there's an error */
+    if (rv > 0) 
+        PR_AtomicAdd(&loggerBytesTCP, rv);
+    
+    return rv;
+}
+
+PRInt32 PR_CALLBACK 
+logSend (
+    PRFileDesc     *fd, 
+    const void     *buf, 
+    PRInt32         amount, 
+    PRIntn          flags, 
+    PRIntervalTime  timeout)
+{
+    PRInt32 rv = (fd->lower->methods->send)(fd->lower, buf, amount, 
+        flags, timeout);
+    /* Add the amount written, but not if there's an error */
+    if (rv > 0) 
+        PR_AtomicAdd(&loggerBytesTCP, rv);
+    return rv;
+}
+ 
+void initLoggingLayer(void)
+{   
+    /* get a new layer ID */
+    log_layer_id = PR_GetUniqueIdentity("Selfserv Logging");
+    if (log_layer_id == PR_INVALID_IO_LAYER)
+        errExit("PR_GetUniqueIdentity");
+    
+    /* setup the default IO methods with my custom write methods */
+    memcpy(&loggingMethods, PR_GetDefaultIOMethods(), sizeof(PRIOMethods));
+    loggingMethods.writev = logWritev;
+    loggingMethods.write  = logWrite;
+    loggingMethods.send   = logSend;
+}
+
+void
+server_main(
+    PRFileDesc *        listen_sock,
+    int                 requestCert, 
+    SECKEYPrivateKey ** privKey,
+    CERTCertificate **  cert)
+{
+    PRFileDesc *model_sock	= NULL;
+    int         rv;
+    SSLKEAType  kea;
+    SECStatus	secStatus;
+
+    if (useModelSocket) {
+    	model_sock = PR_NewTCPSocket();
+	if (model_sock == NULL) {
+	    errExit("PR_NewTCPSocket on model socket");
+	}
+	model_sock = SSL_ImportFD(NULL, model_sock);
+	if (model_sock == NULL) {
+	    errExit("SSL_ImportFD");
+	}
+    } else {
+	model_sock = listen_sock = SSL_ImportFD(NULL, listen_sock);
+	if (listen_sock == NULL) {
+	    errExit("SSL_ImportFD");
+	}
+    }
+
+    /* do SSL configuration. */
+    rv = SSL_OptionSet(model_sock, SSL_SECURITY,
+        !(disableSSL2 && disableSSL3 && disableTLS));
+    if (rv < 0) {
+	errExit("SSL_OptionSet SSL_SECURITY");
+    }
+
+    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
+    if (rv != SECSuccess) {
+	errExit("error enabling SSLv3 ");
+    }
+
+    rv = SSL_OptionSet(model_sock, SSL_ENABLE_TLS, !disableTLS);
+    if (rv != SECSuccess) {
+	errExit("error enabling TLS ");
+    }
+
+    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, !disableSSL2);
+    if (rv != SECSuccess) {
+	errExit("error enabling SSLv2 ");
+    }
+    
+    rv = SSL_OptionSet(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
+    if (rv != SECSuccess) {
+	errExit("error enabling RollBack detection ");
+    }
+    if (disableStepDown) {
+	rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error disabling SSL StepDown ");
+	}
+    }
+    if (bypassPKCS11) {
+       rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error enabling PKCS11 bypass ");
+	}
+    }
+    if (disableLocking) {
+       rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error disabling SSL socket locking ");
+	}
+    } 
+    if (enableSessionTickets) {
+	rv = SSL_OptionSet(model_sock, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error enabling Session Ticket extension ");
+	}
+    }
+
+    for (kea = kt_rsa; kea < kt_kea_size; kea++) {
+	if (cert[kea] != NULL) {
+	    secStatus = SSL_ConfigSecureServer(model_sock, 
+	    		cert[kea], privKey[kea], kea);
+	    if (secStatus != SECSuccess)
+		errExit("SSL_ConfigSecureServer");
+	}
+    }
+
+    if (bigBuf.data) { /* doing FDX */
+	rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_ENABLE_FDX");
+	}
+    }
+
+    if (NoReuse) {
+        rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
+        if (rv < 0) {
+            errExit("SSL_OptionSet SSL_NO_CACHE");
+        }
+    }
+
+    /* This cipher is not on by default. The Acceptance test
+     * would like it to be. Turn this cipher on.
+     */
+
+    secStatus = SSL_CipherPrefSetDefault( SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+    if ( secStatus != SECSuccess ) {
+	errExit("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
+    }
+
+
+    if (requestCert) {
+	SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
+	                        (void *)CERT_GetDefaultCertDB());
+	if (requestCert <= 2) { 
+	    rv = SSL_OptionSet(model_sock, SSL_REQUEST_CERTIFICATE, 1);
+	    if (rv < 0) {
+		errExit("first SSL_OptionSet SSL_REQUEST_CERTIFICATE");
+	    }
+	    rv = SSL_OptionSet(model_sock, SSL_REQUIRE_CERTIFICATE, 
+	                    (requestCert == 2));
+	    if (rv < 0) {
+		errExit("first SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
+	    }
+	}
+    }
+
+    if (MakeCertOK)
+	SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
+
+    /* end of ssl configuration. */
+
+
+    /* Now, do the accepting, here in the main thread. */
+    rv = do_accepts(listen_sock, model_sock, requestCert);
+
+    terminateWorkerThreads();
+
+    if (useModelSocket && model_sock) {
+        if (model_sock) {
+            PR_Close(model_sock);
+        }
+    }
+
+}
+
+SECStatus
+readBigFile(const char * fileName)
+{
+    PRFileInfo  info;
+    PRStatus	status;
+    SECStatus	rv	= SECFailure;
+    int		count;
+    int		hdrLen;
+    PRFileDesc *local_file_fd = NULL;
+
+    status = PR_GetFileInfo(fileName, &info);
+
+    if (status == PR_SUCCESS &&
+	info.type == PR_FILE_FILE &&
+	info.size > 0 &&
+	NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
+
+	hdrLen      = PORT_Strlen(outHeader);
+	bigBuf.len  = hdrLen + info.size;
+	bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
+	if (!bigBuf.data) {
+	    errWarn("PORT_Malloc");
+	    goto done;
+	}
+
+	PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
+
+	count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
+	if (count != info.size) {
+	    errWarn("PR_Read local file");
+	    goto done;
+	}
+	rv = SECSuccess;
+done:
+        if (local_file_fd) {
+            PR_Close(local_file_fd);
+        }
+    }
+    return rv;
+}
+
+int          numChildren;
+PRProcess *  child[MAX_PROCS];
+
+PRProcess *
+haveAChild(int argc, char **argv, PRProcessAttr * attr)
+{
+    PRProcess *  newProcess;
+
+    newProcess = PR_CreateProcess(argv[0], argv, NULL, attr);
+    if (!newProcess) {
+	errWarn("Can't create new process.");
+    } else {
+	child[numChildren++] = newProcess;
+    }
+    return newProcess;
+}
+
+void
+beAGoodParent(int argc, char **argv, int maxProcs, PRFileDesc * listen_sock)
+{
+    PRProcess *     newProcess;
+    PRProcessAttr * attr;
+    int             i;
+    PRInt32         exitCode;
+    PRStatus        rv;
+
+    rv = PR_SetFDInheritable(listen_sock, PR_TRUE);
+    if (rv != PR_SUCCESS)
+	errExit("PR_SetFDInheritable");
+
+    attr = PR_NewProcessAttr();
+    if (!attr)
+	errExit("PR_NewProcessAttr");
+
+    rv = PR_ProcessAttrSetInheritableFD(attr, listen_sock, inheritableSockName);
+    if (rv != PR_SUCCESS)
+	errExit("PR_ProcessAttrSetInheritableFD");
+
+    for (i = 0; i < maxProcs; ++i) {
+	newProcess = haveAChild(argc, argv, attr);
+	if (!newProcess) 
+	    break;
+    }
+
+    rv = PR_SetFDInheritable(listen_sock, PR_FALSE);
+    if (rv != PR_SUCCESS)
+	errExit("PR_SetFDInheritable");
+
+    while (numChildren > 0) {
+	newProcess = child[numChildren - 1];
+	PR_WaitProcess(newProcess, &exitCode);
+	fprintf(stderr, "Child %d exited with exit code %x\n", 
+		numChildren, exitCode);
+	numChildren--;
+    }
+    exit(0);
+}
+
+#define HEXCHAR_TO_INT(c, i) \
+    if (((c) >= '0') && ((c) <= '9')) { \
+	i = (c) - '0'; \
+    } else if (((c) >= 'a') && ((c) <= 'f')) { \
+	i = (c) - 'a' + 10; \
+    } else if (((c) >= 'A') && ((c) <= 'F')) { \
+	i = (c) - 'A' + 10; \
+    } else if ((c) == '\0') { \
+	fprintf(stderr, "Invalid length of cipher string (-c :WXYZ).\n"); \
+	exit(9); \
+    } else { \
+	fprintf(stderr, "Non-hex char in cipher string (-c :WXYZ).\n"); \
+	exit(9); \
+    } 
+
+int
+main(int argc, char **argv)
+{
+    char *               progName    = NULL;
+    char *               nickName    = NULL;
+#ifdef NSS_ENABLE_ECC
+    char *               ecNickName   = NULL;
+#endif
+    const char *         fileName    = NULL;
+    char *               cipherString= NULL;
+    const char *         dir         = ".";
+    char *               passwd      = NULL;
+    char *               pwfile      = NULL;
+    const char *         pidFile     = NULL;
+    char *               tmp;
+    char *               envString;
+    PRFileDesc *         listen_sock;
+    CERTCertificate *    cert   [kt_kea_size] = { NULL };
+    SECKEYPrivateKey *   privKey[kt_kea_size] = { NULL };
+    int                  optionsFound = 0;
+    int                  maxProcs     = 1;
+    unsigned short       port        = 0;
+    SECStatus            rv;
+    PRStatus             prStatus;
+    PRBool               bindOnly = PR_FALSE;
+    PRBool               useExportPolicy = PR_FALSE;
+    PRBool               useLocalThreads = PR_FALSE;
+    PLOptState		*optstate;
+    PLOptStatus          status;
+    PRThread             *loggerThread = NULL;
+    PRBool               debugCache = PR_FALSE; /* bug 90518 */
+    char                 emptyString[] = { "" };
+    char*                certPrefix = emptyString;
+    PRUint32             protos = 0;
+    SSL3Statistics      *ssl3stats;
+    PRUint32             i;
+    secuPWData  pwdata = { PW_NONE, 0 };
+ 
+    tmp = strrchr(argv[0], '/');
+    tmp = tmp ? tmp + 1 : argv[0];
+    progName = strrchr(tmp, '\\');
+    progName = progName ? progName + 1 : tmp;
+
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    /* please keep this list of options in ASCII collating sequence.
+    ** numbers, then capital letters, then lower case, alphabetical. 
+    */
+    optstate = PL_CreateOptState(argc, argv, 
+        "2:3BC:DEL:M:NP:RSTbc:d:e:f:g:hi:jlmn:op:qrst:uvw:xy");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	++optionsFound;
+	switch(optstate->option) {
+	case '2': fileName = optstate->value; break;
+
+	case '3': disableSSL3 = PR_TRUE; break;
+
+	case 'B': bypassPKCS11 = PR_TRUE; break;
+
+        case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break;
+
+	case 'D': noDelay = PR_TRUE; break;
+	case 'E': disableStepDown = PR_TRUE; break;
+
+        case 'L':
+            logStats = PR_TRUE;
+	    if (optstate->value == NULL) {
+	    	logPeriod = 30;
+	    } else {
+                logPeriod  = PORT_Atoi(optstate->value);
+                if (logPeriod <= 0) logPeriod = 30;
+	    }
+            break;
+
+	case 'M': 
+	    maxProcs = PORT_Atoi(optstate->value); 
+	    if (maxProcs < 1)         maxProcs = 1;
+	    if (maxProcs > MAX_PROCS) maxProcs = MAX_PROCS;
+	    break;
+
+	case 'N': NoReuse = PR_TRUE; break;
+
+	case 'R': disableRollBack = PR_TRUE; break;
+        
+        case 'S': disableSSL2 = PR_TRUE; break;
+
+	case 'T': disableTLS = PR_TRUE; break;
+
+	case 'b': bindOnly = PR_TRUE; break;
+
+	case 'c': cipherString = PORT_Strdup(optstate->value); break;
+
+	case 'd': dir = optstate->value; break;
+
+#ifdef NSS_ENABLE_ECC
+	case 'e': ecNickName = PORT_Strdup(optstate->value); break;
+#endif /* NSS_ENABLE_ECC */
+
+	case 'f':
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = pwfile = PORT_Strdup(optstate->value);
+            break;
+
+        case 'g': 
+            testBulk = PR_TRUE;
+            testBulkTotal = PORT_Atoi(optstate->value);
+            break;
+
+	case 'h': Usage(progName); exit(0); break;
+
+	case 'i': pidFile = optstate->value; break;
+
+        case 'j': 
+            initLoggingLayer(); 
+            loggingLayer = PR_TRUE;
+            break;
+
+        case 'l': useLocalThreads = PR_TRUE; break;
+
+	case 'm': useModelSocket = PR_TRUE; break;
+
+	case 'n': nickName = PORT_Strdup(optstate->value); break;
+
+	case 'P': certPrefix = PORT_Strdup(optstate->value); break;
+
+	case 'o': MakeCertOK = 1; break;
+
+	case 'p': port = PORT_Atoi(optstate->value); break;
+
+	case 'q': testbypass = PR_TRUE; break;
+
+	case 'r': ++requestCert; break;
+
+	case 's': disableLocking = PR_TRUE; break;
+
+	case 't':
+	    maxThreads = PORT_Atoi(optstate->value);
+	    if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
+	    if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
+	    break;
+
+	case 'u': enableSessionTickets = PR_TRUE; break;
+
+	case 'v': verbose++; break;
+
+	case 'w':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = passwd = PORT_Strdup(optstate->value);
+            break;
+
+	case 'x': useExportPolicy = PR_TRUE; break;
+
+	case 'y': debugCache = PR_TRUE; break;
+
+	default:
+	case '?':
+	    fprintf(stderr, "Unrecognized or bad option specified.\n");
+	    fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+	    exit(4);
+	    break;
+	}
+    }
+    PL_DestroyOptState(optstate);
+    if (status == PL_OPT_BAD) {
+	fprintf(stderr, "Unrecognized or bad option specified.\n");
+	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+	exit(5);
+    }
+    if (!optionsFound) {
+	Usage(progName);
+	exit(51);
+    } 
+
+    /* The -b (bindOnly) option is only used by the ssl.sh test
+     * script on Linux to determine whether a previous selfserv
+     * process has fully died and freed the port.  (Bug 129701)
+     */
+    if (bindOnly) {
+	listen_sock = getBoundListenSocket(port);
+	if (!listen_sock) {
+	    exit(1);
+	}
+        if (listen_sock) {
+            PR_Close(listen_sock);
+        }
+	exit(0);
+    }
+
+    if ((nickName == NULL)
+ #ifdef NSS_ENABLE_ECC
+						&& (ecNickName == NULL)
+ #endif
+    ) {
+
+	fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
+	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+        exit(6);
+    }
+
+    if (port == 0) {
+	fprintf(stderr, "Required argument 'port' must be non-zero value\n");
+	exit(7);
+    }
+
+    if (NoReuse && maxProcs > 1) {
+	fprintf(stderr, "-M and -N options are mutually exclusive.\n");
+	exit(14);
+    }
+
+    if (pidFile) {
+	FILE *tmpfile=fopen(pidFile,"w+");
+
+	if (tmpfile) {
+	    fprintf(tmpfile,"%d",getpid());
+	    fclose(tmpfile);
+	}
+    }
+
+    /* allocate and initialize app data for bulk encryption testing */
+    if (testBulk) {
+        testBulkBuf = PORT_Malloc(testBulkSize);
+        if (testBulkBuf == NULL)
+            errExit("Out of memory: testBulkBuf");
+        for (i = 0; i < testBulkSize; i++)
+            testBulkBuf[i] = i;
+    }
+
+    envString = getenv(envVarName);
+    tmp = getenv("TMP");
+    if (!tmp)
+	tmp = getenv("TMPDIR");
+    if (!tmp)
+	tmp = getenv("TEMP");
+    if (envString) {
+	/* we're one of the children in a multi-process server. */
+	listen_sock = PR_GetInheritedFD(inheritableSockName);
+	if (!listen_sock)
+	    errExit("PR_GetInheritedFD");
+#ifndef WINNT
+	/* we can't do this on NT because it breaks NSPR and
+	PR_Accept will fail on the socket in the child process if
+	the socket state is change to non inheritable
+	It is however a security issue to leave it accessible,
+	but it is OK for a test server such as selfserv.
+	NSPR should fix it eventually . see bugzilla 101617
+	and 102077
+	*/
+	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
+	if (prStatus != PR_SUCCESS)
+	    errExit("PR_SetFDInheritable");
+#endif
+	rv = SSL_InheritMPServerSIDCache(envString);
+	if (rv != SECSuccess)
+	    errExit("SSL_InheritMPServerSIDCache");
+    	hasSidCache = PR_TRUE;
+    } else if (maxProcs > 1) {
+	/* we're going to be the parent in a multi-process server.  */
+	listen_sock = getBoundListenSocket(port);
+	rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp);
+	if (rv != SECSuccess)
+	    errExit("SSL_ConfigMPServerSIDCache");
+    	hasSidCache = PR_TRUE;
+	beAGoodParent(argc, argv, maxProcs, listen_sock);
+	exit(99); /* should never get here */
+    } else {
+	/* we're an ordinary single process server. */
+	listen_sock = getBoundListenSocket(port);
+	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
+	if (prStatus != PR_SUCCESS)
+	    errExit("PR_SetFDInheritable");
+	if (!NoReuse) {
+	    rv = SSL_ConfigServerSessionIDCache(NumSidCacheEntries, 
+	                                        0, 0, tmp);
+	    if (rv != SECSuccess)
+		errExit("SSL_ConfigServerSessionIDCache");
+	    hasSidCache = PR_TRUE;
+	}
+    }
+
+    lm = PR_NewLogModule("TestCase");
+
+    if (fileName)
+    	readBigFile(fileName);
+
+    /* set our password function */
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /* Call the NSS initialization routines */
+    rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+    if (rv != SECSuccess) {
+    	fputs("NSS_Init failed.\n", stderr);
+		exit(8);
+    }
+
+    /* set the policy bits true for all the cipher suites. */
+    if (useExportPolicy) {
+	NSS_SetExportPolicy();
+	if (disableStepDown) {
+	    fputs("selfserv: -x and -E options may not be used together\n", 
+	          stderr);
+	    exit(98);
+	}
+    } else {
+	NSS_SetDomesticPolicy();
+	if (disableStepDown) {
+	    rv = disableExportSSLCiphers();
+	    if (rv != SECSuccess) {
+		errExit("error disabling export ciphersuites ");
+	    }
+    	}
+    }
+
+    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    if (cipherString) {
+    	char *cstringSaved = cipherString;
+    	int ndx;
+
+	/* disable all the ciphers, then enable the ones we want. */
+	disableAllSSLCiphers();
+
+	while (0 != (ndx = *cipherString++)) {
+	    int  cipher;
+
+	    if (ndx == ':') {
+		int ctmp;
+
+		cipher = 0;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 12);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 8);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 4);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= ctmp;
+		cipherString++;
+	    } else {
+		const int *cptr;
+
+		if (! isalpha(ndx)) {
+		    fprintf(stderr, 
+			    "Non-alphabetic char in cipher string (-c arg).\n");
+		    exit(9);
+		}
+		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
+		    /* do nothing */;
+	    }
+	    if (cipher > 0) {
+		SECStatus status;
+		status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
+		if (status != SECSuccess) 
+		    SECU_PrintError(progName, "SSL_CipherPrefSet()");
+	    } else {
+		fprintf(stderr, 
+			"Invalid cipher specification (-c arg).\n");
+		exit(9);
+	    }
+	}
+	PORT_Free(cstringSaved);
+    }
+
+    if (testbypass) {
+	const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+	int             i            = SSL_NumImplementedCiphers;
+	PRBool		enabled;
+
+	for (i=0; i < SSL_NumImplementedCiphers; i++, cipherSuites++) {
+	    if (SSL_CipherPrefGetDefault(*cipherSuites, &enabled) == SECSuccess
+				    && enabled)
+		savecipher(*cipherSuites);		    
+	}
+	protos = (disableTLS ? 0 : SSL_CBP_TLS1_0) +
+		 (disableSSL3 ? 0 : SSL_CBP_SSL3);
+    }
+
+    if (nickName) {
+	cert[kt_rsa] = PK11_FindCertFromNickname(nickName, &pwdata);
+	if (cert[kt_rsa] == NULL) {
+	    fprintf(stderr, "selfserv: Can't find certificate %s\n", nickName);
+	    exit(10);
+	}
+	privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], &pwdata);
+	if (privKey[kt_rsa] == NULL) {
+	    fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n", 
+	            nickName);
+	    exit(11);
+	}
+	if (testbypass) {
+	    PRBool bypassOK;
+	    if (SSL_CanBypass(cert[kt_rsa], privKey[kt_rsa], protos, cipherlist, 
+	                      nciphers, &bypassOK, &pwdata) != SECSuccess) {
+		SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
+		exit(14);
+	    }
+	    fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
+		    bypassOK ? "" : "not");
+	}
+    }
+#ifdef NSS_ENABLE_ECC
+    if (ecNickName) {
+	cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata);
+	if (cert[kt_ecdh] == NULL) {
+	    fprintf(stderr, "selfserv: Can't find certificate %s\n",
+		    ecNickName);
+	    exit(13);
+	}
+	privKey[kt_ecdh] = PK11_FindKeyByAnyCert(cert[kt_ecdh], &pwdata);
+	if (privKey[kt_ecdh] == NULL) {
+	    fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n", 
+	            ecNickName);
+	    exit(11);
+	}	    
+	if (testbypass) {
+	    PRBool bypassOK;
+	    if (SSL_CanBypass(cert[kt_ecdh], privKey[kt_ecdh], protos, cipherlist,
+			      nciphers, &bypassOK, &pwdata) != SECSuccess) {
+		SECU_PrintError(progName, "Bypass test failed %s\n", ecNickName);
+		exit(15);
+	    }
+	    fprintf(stderr, "selfserv: %s can%s bypass\n", ecNickName,
+		    bypassOK ? "" : "not");
+       }
+    }
+#endif /* NSS_ENABLE_ECC */
+
+    if (testbypass)
+	goto cleanup;
+
+/* allocate the array of thread slots, and launch the worker threads. */
+    rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
+
+    if (rv == SECSuccess && logStats) {
+	loggerThread = PR_CreateThread(PR_SYSTEM_THREAD, 
+			logger, NULL, PR_PRIORITY_NORMAL, 
+                        useLocalThreads ? PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
+                        PR_JOINABLE_THREAD, 0);
+	if (loggerThread == NULL) {
+	    fprintf(stderr, "selfserv: Failed to launch logger thread!\n");
+	    rv = SECFailure;
+	} 
+    }
+
+    if (rv == SECSuccess) {
+	server_main(listen_sock, requestCert, privKey, cert);
+    }
+
+    VLOG(("selfserv: server_thread: exiting"));
+
+cleanup:
+    printSSLStatistics();
+    ssl3stats = SSL_GetStatistics();
+    if (ssl3stats->hch_sid_ticket_parse_failures != 0) {
+	fprintf(stderr, "selfserv: Experienced ticket parse failure(s)\n");
+	exit(1);
+    }
+
+    {
+	int i;
+	for (i=0; i<kt_kea_size; i++) {
+	    if (cert[i]) {
+		CERT_DestroyCertificate(cert[i]);
+	    }
+	    if (privKey[i]) {
+		SECKEY_DestroyPrivateKey(privKey[i]);
+	    }
+	}
+    }
+
+    if (debugCache) {
+	nss_DumpCertificateCacheInfo();
+    }
+
+    if (nickName) {
+        PORT_Free(nickName);
+    }
+    if (passwd) {
+        PORT_Free(passwd);
+    }
+    if (pwfile) {
+        PORT_Free(pwfile);
+    }
+    if (certPrefix && certPrefix != emptyString) {                            
+        PORT_Free(certPrefix);
+    }
+ #ifdef NSS_ENABLE_ECC
+    if (ecNickName) {
+        PORT_Free(ecNickName);
+    }
+ #endif
+
+    if (hasSidCache) {
+	SSL_ShutdownServerSessionIDCache();
+    }
+    if (NSS_Shutdown() != SECSuccess) {
+	SECU_PrintError(progName, "NSS_Shutdown");
+        if (loggerThread) {
+            PR_JoinThread(loggerThread);
+        }
+	PR_Cleanup();
+	exit(1);
+    }
+    PR_Cleanup();
+    printf("selfserv: normal termination\n");
+    return 0;
+}
+
diff --git a/security/nss/cmd/shlibsign/Makefile b/security/nss/cmd/shlibsign/Makefile
new file mode 100644
index 000000000..6c6ad27e1
--- /dev/null
+++ b/security/nss/cmd/shlibsign/Makefile
@@ -0,0 +1,103 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+# sign any and all shared libraries that contain the word freebl
+
+CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
+CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
+CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
+
+MD_LIB_RELEASE_FILES = $(CHECKLOC)
+ALL_TRASH += $(CHECKLOC)
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
+SRCDIR = $(call core_abspath,.)
+
+%.chk: %.$(DLL_SUFFIX) 
+ifeq ($(OS_TARGET), OS2)
+	cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
+	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+else
+	cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
+	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
+	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
+endif
+
+libs install :: $(CHECKLOC)
+
diff --git a/security/nss/cmd/shlibsign/mangle/Makefile b/security/nss/cmd/shlibsign/mangle/Makefile
new file mode 100644
index 000000000..056c31b3d
--- /dev/null
+++ b/security/nss/cmd/shlibsign/mangle/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../../platrules.mk
+
diff --git a/security/nss/cmd/shlibsign/mangle/mangle.c b/security/nss/cmd/shlibsign/mangle/mangle.c
new file mode 100644
index 000000000..30b1daca3
--- /dev/null
+++ b/security/nss/cmd/shlibsign/mangle/mangle.c
@@ -0,0 +1,175 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Test program to mangle 1 bit in a binary
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "plstr.h"
+#include "plgetopt.h"
+#include "prio.h"
+
+static PRFileDesc *pr_stderr;
+static void
+usage (char *program_name)
+{
+
+    PR_fprintf (pr_stderr, "Usage:");
+    PR_fprintf (pr_stderr, "%s -i shared_library_name -o byte_offset -b bit\n", program_name);
+}
+
+
+int
+main (int argc, char **argv)
+{
+    /* buffers and locals */
+    PLOptState	*optstate;
+    char	*programName;
+    char	cbuf;
+
+    /* parameter set variables */
+    const char  *libFile = NULL; 	
+    int bitOffset = -1;
+
+    /* return values */
+    int		 retval = 2;  /* 0 - test succeeded.
+			       * 1 - illegal args 
+			       * 2 - function failed */
+    PRFileDesc *fd = NULL;
+    int bytesRead;
+    int bytesWritten;
+    PROffset32   offset = -1;
+    PROffset32   pos;
+
+    programName = PL_strrchr(argv[0], '/');
+    programName = programName ? (programName + 1) : argv[0];
+
+    pr_stderr = PR_STDERR;
+
+    optstate = PL_CreateOptState (argc, argv, "i:o:b:");
+    if (optstate == NULL) {
+	return 1;
+    }
+
+    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
+	switch (optstate->option) {
+          case 'i':
+            libFile = optstate->value;
+            break;
+
+          case 'o':
+            offset = atoi(optstate->value);
+            break;
+
+          case 'b':
+            bitOffset = atoi(optstate->value);
+            break;
+	}
+    }
+
+    if (libFile == NULL) {
+	usage(programName);
+	return 1;
+    }
+    if ((bitOffset >= 8) || (bitOffset < 0)) {
+	usage(programName);
+	return 1;
+    }
+
+    /* open the target signature file */
+    fd = PR_OpenFile(libFile,PR_RDWR,0666);
+    if (fd == NULL ) {
+	/* lperror(libFile); */
+	PR_fprintf(pr_stderr,"Couldn't Open %s\n",libFile);
+	goto loser;
+    }
+
+    if (offset < 0) { /* convert to positive offset */
+	pos = PR_Seek(fd, offset, PR_SEEK_END);
+	if (pos == -1) {
+	    PR_fprintf(pr_stderr,"Seek for read on %s (to %d) failed\n", 
+		       libFile, offset);
+	    goto loser;
+	}
+	offset = pos;
+    }
+
+    /* read the byte */
+    pos = PR_Seek(fd, offset, PR_SEEK_SET);
+    if (pos != offset) {
+	PR_fprintf(pr_stderr,"Seek for read on %s (to %d) failed\n", 
+	           libFile, offset);
+	goto loser;
+    }
+    bytesRead = PR_Read(fd, &cbuf, 1);
+    if (bytesRead != 1) {
+	PR_fprintf(pr_stderr,"Read on %s (to %d) failed\n", libFile, offset);
+	goto loser;
+    }
+
+    PR_fprintf(pr_stderr,"Changing byte 0x%08x (%d): from %02x (%d) to ", 
+		offset, offset, (unsigned char)cbuf, (unsigned char)cbuf);
+    /* change it */
+    cbuf ^= 1 << bitOffset;
+    PR_fprintf(pr_stderr,"%02x (%d)\n", 
+               (unsigned char)cbuf, (unsigned char)cbuf);
+
+    /* write it back out */
+    pos = PR_Seek(fd, offset, PR_SEEK_SET);
+    if (pos != offset) {
+	PR_fprintf(pr_stderr,"Seek for write on %s (to %d) failed\n", 
+	           libFile, offset);
+	goto loser;
+    }
+    bytesWritten = PR_Write(fd, &cbuf, 1);
+    if (bytesWritten != 1) {
+	PR_fprintf(pr_stderr,"Write on %s (to %d) failed\n", libFile, offset);
+	goto loser;
+    }
+
+    retval = 0;
+
+loser:
+    if (fd)
+	PR_Close(fd);
+    PR_Cleanup ();
+    return retval;
+}
+
+/*#DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" */
diff --git a/security/nss/cmd/shlibsign/mangle/manifest.mn b/security/nss/cmd/shlibsign/mangle/manifest.mn
new file mode 100644
index 000000000..613076adf
--- /dev/null
+++ b/security/nss/cmd/shlibsign/mangle/manifest.mn
@@ -0,0 +1,56 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
+
+CSRCS = \
+	mangle.c \
+	$(NULL)
+
+
+# headers for the MODULE (defined above) are implicitly required.
+REQUIRES = 
+
+PROGRAM = mangle
+
+USE_STATIC_LIBS = 1
+
diff --git a/security/nss/cmd/shlibsign/manifest.mn b/security/nss/cmd/shlibsign/manifest.mn
new file mode 100644
index 000000000..ca460771f
--- /dev/null
+++ b/security/nss/cmd/shlibsign/manifest.mn
@@ -0,0 +1,62 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
+
+CSRCS = \
+	shlibsign.c \
+	$(NULL)
+
+# headers for the MODULE (defined above) are implicitly required.
+REQUIRES = dbm seccmd
+
+# WINNT uses EXTRA_LIBS as the list of libs to link in.
+# Unix uses     OS_LIBS for that purpose.
+# We can solve this via conditional makefile code, but 
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+# So, look in the local Makefile for the defines for the list of libs.
+
+PROGRAM = shlibsign
+
+DIRS = mangle
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/shlibsign/shlibsign.c b/security/nss/cmd/shlibsign/shlibsign.c
new file mode 100644
index 000000000..665b89b0a
--- /dev/null
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -0,0 +1,536 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Test program for SDR (Secret Decoder Ring) functions.
+ *
+ * $Id$
+ */
+
+#ifdef XP_UNIX
+#define USES_LINKS 1
+#endif
+
+#include "nspr.h"
+#include <stdio.h>
+#include "nss.h"
+#include "secutil.h"
+#include "cert.h"
+#include "pk11func.h"
+
+#include "plgetopt.h"
+#include "pk11sdr.h"
+#include "shsign.h"
+#include "pk11pqg.h"
+
+#ifdef USES_LINKS
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#endif
+
+static void
+usage (char *program_name)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+    PR_fprintf (pr_stderr,
+      "Usage:%s [-v] [-o outfile] [-d dbdir] [-f pwfile] [-p pwd]\n"
+      "      -i shared_library_name\n", program_name);
+}
+
+static char *
+mkoutput(const char *input)
+{
+    int in_len = PORT_Strlen(input);
+    char *output = PORT_Alloc(in_len+sizeof(SGN_SUFFIX));
+    int index = in_len + 1 - sizeof("."SHLIB_SUFFIX);
+
+    if ((index > 0) && 
+	(PORT_Strncmp(&input[index],
+			"."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) {
+	in_len = index;
+    }
+    PORT_Memcpy(output,input,in_len);
+    PORT_Memcpy(&output[in_len],SGN_SUFFIX,sizeof(SGN_SUFFIX));
+    return output;
+}
+
+
+static void
+lperror(const char *string)
+{
+     int errNum = PORT_GetError();
+     const char *error = SECU_Strerror(errNum);
+     fprintf(stderr,"%s: %s\n",string, error);
+}
+
+static void
+encodeInt(unsigned char *buf, int val)
+{
+    buf[3] = (val >> 0) & 0xff;
+    buf[2] = (val >>  8) & 0xff;
+    buf[1] = (val >> 16) & 0xff;
+    buf[0] = (val >> 24) & 0xff;
+    return;
+}
+
+static SECStatus 
+writeItem(PRFileDesc *fd, SECItem *item, char *file)
+{
+    unsigned char buf[4];
+    int bytesWritten;
+
+    encodeInt(buf,item->len);
+    bytesWritten = PR_Write(fd,buf, 4);
+    if (bytesWritten != 4) {
+	lperror(file);
+	return SECFailure;
+    }
+    bytesWritten = PR_Write(fd, item->data, item->len);
+    if (bytesWritten != item->len) {
+	lperror(file);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static const unsigned char prime[] = { 0x00,
+   0x97, 0x44, 0x1d, 0xcc, 0x0d, 0x39, 0x0d, 0x8d, 
+   0xcb, 0x75, 0xdc, 0x24, 0x25, 0x6f, 0x01, 0x92, 
+   0xa1, 0x11, 0x07, 0x6b, 0x70, 0xac, 0x73, 0xd7, 
+   0x82, 0x28, 0xdf, 0xab, 0x82, 0x0c, 0x41, 0x0c, 
+   0x95, 0xb3, 0x3c, 0x3d, 0xea, 0x8a, 0xe6, 0x44, 
+   0x0a, 0xb8, 0xab, 0x90, 0x15, 0x41, 0x11, 0xe8, 
+   0x48, 0x7b, 0x8d, 0xb0, 0x9c, 0xd3, 0xf2, 0x69, 
+   0x66, 0xff, 0x66, 0x4b, 0x70, 0x2b, 0xbf, 0xfb, 
+   0xd6, 0x68, 0x85, 0x76, 0x1e, 0x34, 0xaa, 0xc5, 
+   0x57, 0x6e, 0x23, 0x02, 0x08, 0x60, 0x6e, 0xfd, 
+   0x67, 0x76, 0xe1, 0x7c, 0xc8, 0xcb, 0x51, 0x77, 
+   0xcf, 0xb1, 0x3b, 0x00, 0x2e, 0xfa, 0x21, 0xcd, 
+   0x34, 0x76, 0x75, 0x01, 0x19, 0xfe, 0xf8, 0x5d, 
+   0x43, 0xc5, 0x34, 0xf3, 0x7a, 0x95, 0xdc, 0xc2, 
+   0x58, 0x07, 0x19, 0x2f, 0x1d, 0x6f, 0x9a, 0x77, 
+   0x7e, 0x55, 0xaa, 0xe7, 0x5a, 0x50, 0x43, 0xd3 };
+
+static const unsigned char subprime[] = { 0x0,
+   0xd8, 0x16, 0x23, 0x34, 0x8a, 0x9e, 0x3a, 0xf5, 
+   0xd9, 0x10, 0x13, 0x35, 0xaa, 0xf3, 0xf3, 0x54, 
+   0x0b, 0x31, 0x24, 0xf1 };
+
+static const unsigned char base[] = { 
+    0x03, 0x3a, 0xad, 0xfa, 0x3a, 0x0c, 0xea, 0x0a, 
+    0x4e, 0x43, 0x32, 0x92, 0xbb, 0x87, 0xf1, 0x11, 
+    0xc0, 0xad, 0x39, 0x38, 0x56, 0x1a, 0xdb, 0x23, 
+    0x66, 0xb1, 0x08, 0xda, 0xb6, 0x19, 0x51, 0x42, 
+    0x93, 0x4f, 0xc3, 0x44, 0x43, 0xa8, 0x05, 0xc1, 
+    0xf8, 0x71, 0x62, 0x6f, 0x3d, 0xe2, 0xab, 0x6f, 
+    0xd7, 0x80, 0x22, 0x6f, 0xca, 0x0d, 0xf6, 0x9f, 
+    0x45, 0x27, 0x83, 0xec, 0x86, 0x0c, 0xda, 0xaa, 
+    0xd6, 0xe0, 0xd0, 0x84, 0xfd, 0xb1, 0x4f, 0xdc, 
+    0x08, 0xcd, 0x68, 0x3a, 0x77, 0xc2, 0xc5, 0xf1, 
+    0x99, 0x0f, 0x15, 0x1b, 0x6a, 0x8c, 0x3d, 0x18, 
+    0x2b, 0x6f, 0xdc, 0x2b, 0xd8, 0xb5, 0x9b, 0xb8, 
+    0x2d, 0x57, 0x92, 0x1c, 0x46, 0x27, 0xaf, 0x6d, 
+    0xe1, 0x45, 0xcf, 0x0b, 0x3f, 0xfa, 0x07, 0xcc, 
+    0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36, 
+    0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
+
+static const unsigned char h[] = { 
+    0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac, 
+    0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6, 
+    0xc2, 0x29, 0x93, 0x5e, 0xbd, 0xc7, 0xa9, 0x8f, 
+    0x23, 0xa1, 0xc8, 0xee, 0x80, 0x64, 0xd5, 0x67, 
+    0x3c, 0xba, 0x59, 0x9a, 0x06, 0x0c, 0xcc, 0x29, 
+    0x56, 0xc0, 0xb2, 0x21, 0xe0, 0x5b, 0x52, 0xcd, 
+    0x84, 0x73, 0x57, 0xfd, 0xd8, 0xc3, 0x5b, 0x13, 
+    0x54, 0xd7, 0x4a, 0x06, 0x86, 0x63, 0x09, 0xa5, 
+    0xb0, 0x59, 0xe2, 0x32, 0x9e, 0x09, 0xa3, 0x9f, 
+    0x49, 0x62, 0xcc, 0xa6, 0xf9, 0x54, 0xd5, 0xb2, 
+    0xc3, 0x08, 0x71, 0x7e, 0xe3, 0x37, 0x50, 0xd6, 
+    0x7b, 0xa7, 0xc2, 0x60, 0xc1, 0xeb, 0x51, 0x32, 
+    0xfa, 0xad, 0x35, 0x25, 0x17, 0xf0, 0x7f, 0x23, 
+    0xe5, 0xa8, 0x01, 0x52, 0xcf, 0x2f, 0xd9, 0xa9, 
+    0xf6, 0x00, 0x21, 0x15, 0xf1, 0xf7, 0x70, 0xb7, 
+    0x57, 0x8a, 0xd0, 0x59, 0x6a, 0x82, 0xdc, 0x9c };
+
+static const unsigned char seed[] = { 0x00,
+    0xcc, 0x4c, 0x69, 0x74, 0xf6, 0x72, 0x24, 0x68, 
+    0x24, 0x4f, 0xd7, 0x50, 0x11, 0x40, 0x81, 0xed, 
+    0x19, 0x3c, 0x8a, 0x25, 0xbc, 0x78, 0x0a, 0x85, 
+    0x82, 0x53, 0x70, 0x20, 0xf6, 0x54, 0xa5, 0x1b, 
+    0xf4, 0x15, 0xcd, 0xff, 0xc4, 0x88, 0xa7, 0x9d, 
+    0xf3, 0x47, 0x1c, 0x0a, 0xbe, 0x10, 0x29, 0x83, 
+    0xb9, 0x0f, 0x4c, 0xdf, 0x90, 0x16, 0x83, 0xa2, 
+    0xb3, 0xe3, 0x2e, 0xc1, 0xc2, 0x24, 0x6a, 0xc4, 
+    0x9d, 0x57, 0xba, 0xcb, 0x0f, 0x18, 0x75, 0x00, 
+    0x33, 0x46, 0x82, 0xec, 0xd6, 0x94, 0x77, 0xc3, 
+    0x4f, 0x4c, 0x58, 0x1c, 0x7f, 0x61, 0x3c, 0x36, 
+    0xd5, 0x2f, 0xa5, 0x66, 0xd8, 0x2f, 0xce, 0x6e, 
+    0x8e, 0x20, 0x48, 0x4a, 0xbb, 0xe3, 0xe0, 0xb2, 
+    0x50, 0x33, 0x63, 0x8a, 0x5b, 0x2d, 0x6a, 0xbe, 
+    0x4c, 0x28, 0x81, 0x53, 0x5b, 0xe4, 0xf6, 0xfc, 
+    0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
+
+#define MK_SECITEM(bb) { siBuffer, (unsigned char *)(bb), sizeof(bb) }
+
+static PQGParams pqgParams = {
+    NULL,                   /* arena */
+    MK_SECITEM(prime),      /* P     */
+    MK_SECITEM(subprime),   /* Q     */
+    MK_SECITEM(base)        /* G     */
+};
+
+static PQGVerify pqgVerify = {
+    NULL,              /* arena   */
+    1496,              /* counter */
+    MK_SECITEM(seed),  /* seed    */
+    MK_SECITEM(h)      /* h       */
+};
+
+
+
+int
+main (int argc, char **argv)
+{
+    int		 retval = 1;  /* 0 - test succeeded.  1 - test failed */
+    SECStatus	 rv;
+    PLOptState	*optstate;
+    char	*program_name;
+    const char  *input_file = NULL; 	/* read encrypted data from here (or create) */
+    char  *output_file = NULL;	/* write new encrypted data here */
+    PRBool      verbose = PR_FALSE;
+    SECKEYPrivateKey *privk = NULL;
+    SECKEYPublicKey *pubk = NULL;
+    PK11SlotInfo *slot = NULL;
+    PRFileDesc *fd;
+    int bytesRead;
+    int bytesWritten;
+    unsigned char file_buf[512];
+    unsigned char hash_buf[SHA1_LENGTH];
+    unsigned char sign_buf[40]; /* DSA_LENGTH */
+    SECItem hash,sign;
+    PK11Context *hashcx = NULL;
+    int count=0;
+    int keySize = 1024;
+    const char *nssDir = NULL;
+    secuPWData  pwdata = { PW_NONE, 0 };
+#ifdef USES_LINKS
+    int ret;
+    struct stat stat_buf;
+    char link_buf[MAXPATHLEN+1];
+    char *link_file = NULL;
+#endif
+
+    hash.len = sizeof(hash_buf); hash.data = hash_buf;
+    sign.len = sizeof(sign_buf); sign.data = sign_buf;
+
+    program_name = PL_strrchr(argv[0], '/');
+    program_name = program_name ? (program_name + 1) : argv[0];
+
+    optstate = PL_CreateOptState (argc, argv, "d:f:i:o:p:v");
+    if (optstate == NULL) {
+	SECU_PrintError (program_name, "PL_CreateOptState failed");
+	return 1;
+    }
+
+    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
+	switch (optstate->option) {
+#ifdef notdef
+	  case '?':
+	    short_usage (program_name);
+	    return 0;
+
+	  case 'H':
+	    long_usage (program_name);
+	    return 0;
+#endif
+
+	  case 'd':
+	    nssDir = optstate->value;
+	    break;
+
+          case 'i':
+            input_file = optstate->value;
+            break;
+
+          case 'o':
+            output_file = PORT_Strdup(optstate->value);
+            break;
+
+          case 'f':
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = PORT_Strdup(optstate->value);
+            break;
+
+          case 'p':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = PORT_Strdup(optstate->value);
+            break;
+
+          case 'v':
+            verbose = PR_TRUE;
+            break;
+	}
+    }
+
+    if (input_file == NULL) {
+	usage(program_name);
+	return 1;
+    }
+
+    /*
+     * Initialize the Security libraries.
+     */
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    if (nssDir) {
+        rv = NSS_Init(nssDir);
+        if (rv != SECSuccess) {
+            rv = NSS_NoDB_Init("");
+        }
+    } else {
+        rv = NSS_NoDB_Init("");
+    }
+    
+    if (rv != SECSuccess) {
+	lperror("NSS_Init failed");
+	goto prdone;
+    }
+    
+    /* Generate a DSA Key pair */
+    slot = PK11_GetBestSlot(CKM_DSA,&pwdata);
+    if (slot == NULL) {
+	lperror("CKM_DSA");
+	goto loser;
+	
+    }
+    printf("Generating DSA Key Pair...."); fflush(stdout);
+    privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, &pqgParams, &pubk, 
+						PR_FALSE, PR_TRUE, &pwdata);
+    if (privk == NULL) {
+	lperror("Generating DSA Key");
+	goto loser;
+    }
+
+    printf("done\n");
+
+    /* open the shared library */
+    fd = PR_OpenFile(input_file,PR_RDONLY,0);
+    if (fd == NULL ) {
+	lperror(input_file);
+	goto loser;
+    }
+#ifdef USES_LINKS
+    ret = lstat(input_file, &stat_buf);
+    if (ret < 0) {
+	perror(input_file);
+	goto loser;
+    }
+    if (S_ISLNK(stat_buf.st_mode)) {
+	char *dirpath,*dirend;
+	ret = readlink(input_file, link_buf, sizeof(link_buf) - 1);
+	if (ret < 0) {
+	   perror(input_file);
+	   goto loser;
+	}
+	link_buf[ret] = 0;
+	link_file = mkoutput(input_file);
+	/* get the dirname of input_file */
+	dirpath = PORT_Strdup(input_file);
+	dirend = PORT_Strrchr(dirpath, '/');
+	if (dirend) {
+	    *dirend = '\0';
+	    ret = chdir(dirpath);
+	    if (ret < 0) {
+		perror(dirpath);
+		goto loser;
+	    }
+	}
+	PORT_Free(dirpath);
+	input_file = link_buf;
+	/* get the basename of link_file */
+	dirend = PORT_Strrchr(link_file, '/');
+	if (dirend) {
+	    link_file = dirend + 1;
+	}
+    }
+#endif
+    if (output_file == NULL) {
+	output_file = mkoutput(input_file);
+    }
+
+    hashcx = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (hashcx == NULL) {
+	lperror("SHA1 Digest Create");
+	goto loser;
+    }
+
+    /* hash the file */
+    while ((bytesRead = PR_Read(fd,file_buf,sizeof(file_buf))) > 0) {
+	PK11_DigestOp(hashcx,file_buf,bytesRead);
+	count += bytesRead;
+    }
+
+    PR_Close(fd);
+    fd = NULL;
+    if (bytesRead < 0) {
+	lperror(input_file);
+	goto loser;
+    }
+
+
+    PK11_DigestFinal(hashcx, hash.data, &hash.len, hash.len);
+
+    if (hash.len != SHA1_LENGTH) {
+	fprintf(stderr, "Digest length was not correct\n");
+	goto loser;
+    }
+
+    /* signe the hash */
+    rv = PK11_Sign(privk,&sign,&hash);
+    if (rv != SECSuccess) {
+	lperror("Signing");
+	goto loser;
+    }
+
+    if (verbose) {
+	int i,j;
+	fprintf(stderr,"Library File: %s %d bytes\n",input_file, count);
+	fprintf(stderr,"Check File: %s\n",output_file);
+#ifdef USES_LINKS
+	if (link_file) {
+	    fprintf(stderr,"Link: %s\n",link_file);
+	}
+#endif
+	fprintf(stderr,"  hash: %d bytes\n", hash.len);
+#define STEP 10
+	for (i=0; i < hash.len; i += STEP) {
+	   fprintf(stderr,"   ");
+	   for (j=0; j < STEP && (i+j) < hash.len; j++) {
+		fprintf(stderr," %02x", hash.data[i+j]);
+	   }
+	   fprintf(stderr,"\n");
+	}
+	fprintf(stderr,"  signature: %d bytes\n", sign.len);
+	for (i=0; i < sign.len; i += STEP) {
+	   fprintf(stderr,"   ");
+	   for (j=0; j < STEP && (i+j) < sign.len; j++) {
+		fprintf(stderr," %02x", sign.data[i+j]);
+	   }
+	   fprintf(stderr,"\n");
+	}
+    }
+
+    /* open the target signature file */
+    fd = PR_OpenFile(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0666);
+    if (fd == NULL ) {
+	lperror(output_file);
+	goto loser;
+    }
+
+    /*
+     * we write the key out in a straight binary format because very
+     * low level libraries need to read an parse this file. Ideally we should
+     * just derEncode the public key (which would be pretty simple, and be
+     * more general), but then we'd need to link the ASN.1 decoder with the
+     * freebl libraries.
+     */
+
+    file_buf[0] = NSS_SIGN_CHK_MAGIC1;
+    file_buf[1] = NSS_SIGN_CHK_MAGIC2;
+    file_buf[2] = NSS_SIGN_CHK_MAJOR_VERSION;
+    file_buf[3] = NSS_SIGN_CHK_MINOR_VERSION;
+    encodeInt(&file_buf[4],12);			/* offset to data start */
+    encodeInt(&file_buf[8],CKK_DSA);
+    bytesWritten = PR_Write(fd,file_buf, 12);
+    if (bytesWritten != 12) {
+	lperror(output_file);
+	goto loser;
+    }
+
+    rv = writeItem(fd,&pubk->u.dsa.params.prime,output_file);
+    if (rv != SECSuccess) goto loser;
+    rv = writeItem(fd,&pubk->u.dsa.params.subPrime,output_file);
+    if (rv != SECSuccess) goto loser;
+    rv = writeItem(fd,&pubk->u.dsa.params.base,output_file);
+    if (rv != SECSuccess) goto loser;
+    rv = writeItem(fd,&pubk->u.dsa.publicValue,output_file);
+    if (rv != SECSuccess) goto loser;
+    rv = writeItem(fd,&sign,output_file);
+    if (rv != SECSuccess) goto loser;
+
+    PR_Close(fd);
+
+#ifdef USES_LINKS
+    if (link_file) {
+	(void)unlink(link_file);
+	ret = symlink(output_file, link_file);
+	if (ret < 0) {
+	   perror(link_file);
+	   goto loser;
+	}
+    }
+#endif
+
+    retval = 0;
+
+loser:
+    if (hashcx) {
+        PK11_DestroyContext(hashcx, PR_TRUE);
+    }
+    if (privk) {
+        SECKEY_DestroyPrivateKey(privk);
+    }
+    if (pubk) {
+        SECKEY_DestroyPublicKey(pubk);
+    }
+    if (slot) {
+        PK11_FreeSlot(slot);
+    }
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
+    }
+    if (NSS_Shutdown() != SECSuccess) {
+	exit(1);
+    }
+
+prdone:
+    PR_Cleanup ();
+    return retval;
+}
diff --git a/security/nss/cmd/shlibsign/sign.cmd b/security/nss/cmd/shlibsign/sign.cmd
new file mode 100644
index 000000000..9ad4b9236
--- /dev/null
+++ b/security/nss/cmd/shlibsign/sign.cmd
@@ -0,0 +1,21 @@
+/* Equivalent to sign.sh for OS/2 */
+PARSE ARG dist objdir os_target nspr_lib_dir therest
+dist=forwardtoback(dist);
+objdir=forwardtoback(objdir);
+nspr_lib_dir=forwardtoback(nspr_lib_dir);
+'echo 'dist
+'echo 'objdir
+'echo 'nspr_lib_dir
+'set BEGINLIBPATH='dist'\lib;'nspr_lib_dir';'dist'\bin;%BEGINLIBPATH%'
+'set LIBPATHSTRICT=T'
+objdir'\shlibsign -v -i 'therest
+exit
+
+forwardtoback: procedure
+  arg pathname
+  parse var pathname pathname'/'rest
+  do while (rest <> "")
+    pathname = pathname'\'rest
+    parse var pathname pathname'/'rest
+  end
+  return pathname
diff --git a/security/nss/cmd/shlibsign/sign.sh b/security/nss/cmd/shlibsign/sign.sh
new file mode 100644
index 000000000..764012d7b
--- /dev/null
+++ b/security/nss/cmd/shlibsign/sign.sh
@@ -0,0 +1,58 @@
+#!/bin/sh
+case "${3}" in
+WIN*)
+    if echo "${PATH}" | grep -c \; >/dev/null; then
+        PATH=${1}/lib\;${1}/bin\;${4}\;${PATH}
+    else
+        # ARG1 is ${1} with the drive letter escaped.
+        if echo "${1}" | grep -c : >/dev/null; then
+            ARG1=`(cd ${1}; pwd)`
+        else
+            ARG1=${1}
+        fi
+        if echo "${4}" | grep -c : >/dev/null; then
+            ARG4=`(cd ${4}; pwd)`
+        else
+            ARG4=${4}
+        fi
+        PATH=${ARG1}/lib:${ARG1}/bin:${ARG4}:${PATH}
+    fi
+    export PATH
+    echo ${2}/shlibsign -v -i ${5}
+    ${2}/shlibsign -v -i ${5}
+    ;;
+OpenVMS)
+    temp="tmp$$.tmp"
+    temp2="tmp$$.tmp2"
+    cd ${1}/lib
+    vmsdir=`dcl show default`
+    ls *.so > $temp
+    sed -e "s/\([^\.]*\)\.so/\$ define\/job \1 ${vmsdir}\1.so/" $temp > $temp2
+    echo '$ define/job getipnodebyname xxx' >> $temp2
+    echo '$ define/job vms_null_dl_name sys$share:decc$shr' >> $temp2
+    dcl @$temp2
+    echo ${2}/shlibsign -v -i ${5}
+    ${2}/shlibsign -v -i ${5}
+    sed -e "s/\([^\.]*\)\.so/\$ deass\/job \1/" $temp > $temp2
+    echo '$ deass/job getipnodebyname' >> $temp2
+    echo '$ deass/job vms_null_dl_name' >> $temp2
+    dcl @$temp2
+    rm $temp $temp2
+    ;;
+*)
+    LIBPATH=`(cd ${1}/lib; pwd)`:`(cd ${4}; pwd)`:$LIBPATH
+    export LIBPATH
+    SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
+    export SHLIB_PATH
+    LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
+    export LD_LIBRARY_PATH
+    DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
+    export DYLD_LIBRARY_PATH
+    LIBRARY_PATH=${1}/lib:${4}:$LIBRARY_PATH
+    export LIBRARY_PATH
+    ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+    export ADDON_PATH
+    echo ${2}/shlibsign -v -i ${5}
+    ${2}/shlibsign -v -i ${5}
+    ;;
+esac
diff --git a/security/nss/cmd/signtool/Makefile b/security/nss/cmd/signtool/Makefile
new file mode 100644
index 000000000..cd06aaa4f
--- /dev/null
+++ b/security/nss/cmd/signtool/Makefile
@@ -0,0 +1,75 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
diff --git a/security/nss/cmd/signtool/README b/security/nss/cmd/signtool/README
new file mode 100644
index 000000000..100fb2778
--- /dev/null
+++ b/security/nss/cmd/signtool/README
@@ -0,0 +1,128 @@
+                      Signing Tool (signtool)
+                         3.10 Release Notes
+               ========================================
+
+Documentation is provided online at mozilla.org
+
+Problems or questions not covered by the online documentation can be
+discussed in the DevEdge Security Newsgroup.
+
+=== New Features in 3.10
+=======================
+One new option (-X) has been added to create a Mozilla aware signed XPI archive. 
+The option must be accompanied by the -Z option. This new option
+creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in 
+the archive instead of the default third to last. This will enable the archive
+to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions
+for FireFox or Mozilla.
+
+=== New Features in 1.3
+=======================
+
+The security library components have been upgraded to utilize NSS_2_7_1_RTM.
+This means that the maximum RSA keysize now supported should be 4096 bits.
+
+=== Zigbert 0.6 Support
+=======================
+This program was previously named Zigbert.  The last version of zigbert
+was Zigbert 0.6.  Because all the functionality of Zigbert is maintained in
+signtool 1.2, Zigbert is no longer supported.  If you have problems
+using Zigbert, please upgrade to signtool 1.2.
+
+=== New Features in 1.2
+=======================
+
+Certificate Generation Improvements
+-----------------------------------
+Two new options have been added to control generation of self-signed object
+signing certificates with the -G option. The -s option takes the size (in bits)
+of the generated RSA private key.  The -t option takes the name of the PKCS #11
+token on which to generate the keypair and install the certificate.  Both
+options are optional.  By default, the private key is 1024 bits and is generated
+on the internal software token.
+
+
+=== New Features in 1.1
+=======================
+
+File I/O
+--------
+Signtool can now read its options from a command file specified with the -f
+option on the command line. The format for the file is described in the
+documentation.
+Error messages and informational output can be redirected to an output file
+by supplying the "--outfile" option on the command line or the "outfile="
+option in the command file.
+
+New Options
+-----------
+"--norecurse" tells Signtool not to recurse into subdirectories when signing
+directories or parsing HTML with the -J option.
+"--leavearc" tells Signtool not to delete the temporary .arc directories
+produced by the -J option.  This can aid debugging.
+"--verbosity" tells Signtool how much information to display. 0 is the
+default. -1 suppresses most messages, except for errors.
+
+=== Bug Fixes in 1.1
+====================
+
+-J option revamped
+------------------
+The -J option, which parses HTML files, extracts Java and Javascript code,
+and stores them in signed JAR files, has been re-implemented. Several bugs
+have been fixed:
+- CODEBASE attribute is no longer ignored
+- CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than
+  just filenames ("x.class").
+- LINK tags are handled correctly
+- various HTML parsing bugs fixed
+- error messages are more informative
+
+No Password on Key Database
+---------------------------
+If you had not yet set a Communicator password (which locks key3.db, the
+key database), signtool would fail with a cryptic error message whenever it
+attempted to verify the password.  Now this condition is detected at the
+beginning of the program, and a more informative message is displayed.
+
+-x and -e Options
+-----------------
+Previously, only one of each of these options could be specified on the command
+line. Now arbitrarily many can be specified.  For example, to sign only files
+with .class or .js extensions, the arguments "-eclass -ejs" could both be
+specified. To exclude the directories "subdir1" and "subdir2" from signing,
+the arguments "-x subdir1 -x subdir2" could both be specified.
+
+New Features in 1.0
+===================
+
+Creation of JAR files
+----------------------
+The -Z option causes signtool to output a JAR file formed by storing the
+signed archive in ZIP format.  This eliminates the need to use a separate ZIP
+utility.  The -c option specifies the compression level of the resulting
+JAR file.
+
+Generation of Object-Signing Certificates and Keys
+--------------------------------------------------
+The -G option will create a new, self-signed object-signing certificate
+which can be used for testing purposes.  The generated certificate and 
+associated public and private keys will be installed in the cert7.db and
+key3.db files in the directory specified with the -d option (unless the key
+is generated on an external token using the -t option). On Unix systems,
+if no directory is specified, the user's Netscape directory (~/.netscape)
+will be used. In addition, the certificate is output in X509 format to the
+files x509.raw and x509.cacert in the current directory.  x509.cacert can
+be published on a web page and imported into browsers that visit that page.
+
+Extraction and Signing of JavaScript from HTML
+----------------------------------------------
+The -J option activates the same functionality provided by the signpages
+Perl script.  It will parse a directory of html files, creating archives
+of the JavaScript called from the HTML. These archives are then signed and
+made into JAR files.
+
+Enhanced Smart Card Support
+---------------------------
+Certificates that reside on smart cards are displayed when using the -L and
+-l options.
diff --git a/security/nss/cmd/signtool/certgen.c b/security/nss/cmd/signtool/certgen.c
new file mode 100644
index 000000000..a08d98b6f
--- /dev/null
+++ b/security/nss/cmd/signtool/certgen.c
@@ -0,0 +1,738 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+
+#include "secoid.h"
+#include "cryptohi.h"
+#include "certdb.h"
+
+static char	*GetSubjectFromUser(unsigned long serial);
+static CERTCertificate*GenerateSelfSignedObjectSigningCert(char *nickname,
+ 	CERTCertDBHandle *db, char *subject, unsigned long serial, int keysize,
+        char *token);
+static SECStatus ChangeTrustAttributes(CERTCertDBHandle *db,
+	CERTCertificate *cert, char *trusts);
+static SECStatus set_cert_type(CERTCertificate *cert, unsigned int type);
+static SECItem *sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk);
+static CERTCertificate*install_cert(CERTCertDBHandle *db, SECItem *derCert,
+            char *nickname);
+static SECStatus GenerateKeyPair(PK11SlotInfo *slot, SECKEYPublicKey **pubk,
+ 	SECKEYPrivateKey **privk, int keysize);
+static CERTCertificateRequest*make_cert_request(char *subject,
+	SECKEYPublicKey *pubk);
+static CERTCertificate *make_cert(CERTCertificateRequest *req,
+	unsigned long serial, CERTName *ca_subject);
+static void	output_ca_cert (CERTCertificate *cert, CERTCertDBHandle *db);
+
+
+/***********************************************************************
+ *
+ * G e n e r a t e C e r t
+ *
+ * Runs the whole process of creating a new cert, getting info from the
+ * user, etc.
+ */
+int
+GenerateCert(char *nickname, int keysize, char *token)
+{
+    CERTCertDBHandle * db;
+    CERTCertificate * cert;
+    char	*subject;
+    unsigned long	serial;
+    char	stdinbuf[160];
+
+    /* Print warning about having the browser open */
+    PR_fprintf(PR_STDOUT /*always go to console*/,
+        "\nWARNING: Performing this operation while the browser is running could cause"
+        "\ncorruption of your security databases. If the browser is currently running,"
+        "\nyou should exit the browser before continuing this operation. Enter "
+        "\n\"y\" to continue, or anything else to abort: ");
+    pr_fgets(stdinbuf, 160, PR_STDIN);
+    PR_fprintf(PR_STDOUT, "\n");
+    if (tolower(stdinbuf[0]) != 'y') {
+	PR_fprintf(errorFD, "Operation aborted at user's request.\n");
+	errorCount++;
+	return - 1;
+    }
+
+    db = CERT_GetDefaultCertDB();
+    if (!db) {
+	FatalError("Unable to open certificate database");
+    }
+
+    if (PK11_FindCertFromNickname(nickname, &pwdata)) {
+	PR_fprintf(errorFD,
+	    "ERROR: Certificate with nickname \"%s\" already exists in database. You\n"
+	    "must choose a different nickname.\n", nickname);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    LL_L2UI(serial, PR_Now());
+
+    subject = GetSubjectFromUser(serial);
+
+    cert = GenerateSelfSignedObjectSigningCert(nickname, db, subject,
+         		serial, keysize, token);
+
+    if (cert) {
+	output_ca_cert(cert, db);
+	CERT_DestroyCertificate(cert);
+    }
+
+    PORT_Free(subject);
+    return 0;
+}
+
+
+#undef VERBOSE_PROMPTS
+
+/*********************************************************************8
+ * G e t S u b j e c t F r o m U s e r
+ *
+ * Construct the subject information line for a certificate by querying
+ * the user on stdin.
+ */
+static char	*
+GetSubjectFromUser(unsigned long serial)
+{
+    char	buf[STDIN_BUF_SIZE];
+    char	common_name_buf[STDIN_BUF_SIZE];
+    char	*common_name, *state, *orgunit, *country, *org, *locality;
+    char	*email, *uid;
+    char	*subject;
+    char	*cp;
+    int	subjectlen = 0;
+
+    common_name = state = orgunit = country = org = locality = email =
+        uid = subject = NULL;
+
+    /* Get subject information */
+    PR_fprintf(PR_STDOUT,
+        "\nEnter certificate information.  All fields are optional. Acceptable\n"
+        "characters are numbers, letters, spaces, and apostrophes.\n");
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nCOMMON NAME\n"
+        "Enter the full name you want to give your certificate. (Example: Test-Only\n"
+        "Object Signing Certificate)\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "certificate common name: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp == '\0') {
+	sprintf(common_name_buf, "%s (%lu)", DEFAULT_COMMON_NAME,
+	     serial);
+	cp = common_name_buf;
+    }
+    common_name = PORT_ZAlloc(strlen(cp) + 6);
+    if (!common_name) {
+	out_of_memory();
+    }
+    sprintf(common_name, "CN=%s, ", cp);
+    subjectlen += strlen(common_name);
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nORGANIZATION NAME\n"
+        "Enter the name of your organization. For example, this could be the name\n"
+        "of your company.\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "organization: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp != '\0') {
+	org = PORT_ZAlloc(strlen(cp) + 5);
+	if (!org) {
+	    out_of_memory();
+	}
+	sprintf(org, "O=%s, ", cp);
+	subjectlen += strlen(org);
+    }
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nORGANIZATION UNIT\n"
+        "Enter the name of your organization unit.  For example, this could be the\n"
+        "name of your department.\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "organization unit: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp != '\0') {
+	orgunit = PORT_ZAlloc(strlen(cp) + 6);
+	if (!orgunit) {
+	    out_of_memory();
+	}
+	sprintf(orgunit, "OU=%s, ", cp);
+	subjectlen += strlen(orgunit);
+    }
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nSTATE\n"
+        "Enter the name of your state or province.\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "state or province: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp != '\0') {
+	state = PORT_ZAlloc(strlen(cp) + 6);
+	if (!state) {
+	    out_of_memory();
+	}
+	sprintf(state, "ST=%s, ", cp);
+	subjectlen += strlen(state);
+    }
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nCOUNTRY\n"
+        "Enter the 2-character abbreviation for the name of your country.\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "country (must be exactly 2 characters): ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(cp);
+    if (strlen(cp) != 2) {
+	*cp = '\0';	/* country code must be 2 chars */
+    }
+    if (*cp != '\0') {
+	country = PORT_ZAlloc(strlen(cp) + 5);
+	if (!country) {
+	    out_of_memory();
+	}
+	sprintf(country, "C=%s, ", cp);
+	subjectlen += strlen(country);
+    }
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nUSERNAME\n"
+        "Enter your system username or UID\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "username: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp != '\0') {
+	uid = PORT_ZAlloc(strlen(cp) + 7);
+	if (!uid) {
+	    out_of_memory();
+	}
+	sprintf(uid, "UID=%s, ", cp);
+	subjectlen += strlen(uid);
+    }
+
+#ifdef VERBOSE_PROMPTS
+    PR_fprintf(PR_STDOUT, "\nEMAIL ADDRESS\n"
+        "Enter your email address.\n"
+        "-->");
+#else
+    PR_fprintf(PR_STDOUT, "email address: ");
+#endif
+    fgets(buf, STDIN_BUF_SIZE, stdin);
+    cp = chop(buf);
+    if (*cp != '\0') {
+	email = PORT_ZAlloc(strlen(cp) + 5);
+	if (!email) {
+	    out_of_memory();
+	}
+	sprintf(email, "E=%s,", cp);
+	subjectlen += strlen(email);
+    }
+
+    subjectlen++;
+
+    subject = PORT_ZAlloc(subjectlen);
+    if (!subject) {
+	out_of_memory();
+    }
+
+    sprintf(subject, "%s%s%s%s%s%s%s",
+        common_name ? common_name : "",
+        org ? org : "",
+        orgunit ? orgunit : "",
+        state ? state : "",
+        country ? country : "",
+        uid ? uid : "",
+        email ? email : ""
+        );
+    if ( (strlen(subject) > 1) && (subject[strlen(subject)-1] == ' ') ) {
+	subject[strlen(subject)-2] = '\0';
+    }
+
+    PORT_Free(common_name);
+    PORT_Free(org);
+    PORT_Free(orgunit);
+    PORT_Free(state);
+    PORT_Free(country);
+    PORT_Free(uid);
+    PORT_Free(email);
+
+    return subject;
+}
+
+
+/**************************************************************************
+ *
+ * G e n e r a t e S e l f S i g n e d O b j e c t S i g n i n g C e r t
+ *														   		  *phew*^
+ *
+ */
+static CERTCertificate*
+GenerateSelfSignedObjectSigningCert(char *nickname, CERTCertDBHandle *db,
+ 	char *subject, unsigned long serial, int keysize, char *token)
+{
+    CERTCertificate * cert, *temp_cert;
+    SECItem * derCert;
+    CERTCertificateRequest * req;
+
+    PK11SlotInfo * slot = NULL;
+    SECKEYPrivateKey * privk = NULL;
+    SECKEYPublicKey * pubk = NULL;
+
+    if ( token ) {
+	slot = PK11_FindSlotByName(token);
+    } else {
+	slot = PK11_GetInternalKeySlot();
+    }
+
+    if (slot == NULL) {
+	PR_fprintf(errorFD, "Can't find PKCS11 slot %s\n",
+	    token ? token : "");
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if ( GenerateKeyPair(slot, &pubk, &privk, keysize) != SECSuccess) {
+	FatalError("Error generating keypair.");
+    }
+    req = make_cert_request (subject, pubk);
+    temp_cert = make_cert (req, serial, &req->subject);
+    if (set_cert_type(temp_cert,
+        NS_CERT_TYPE_OBJECT_SIGNING | NS_CERT_TYPE_OBJECT_SIGNING_CA)
+         != SECSuccess) {
+	FatalError("Unable to set cert type");
+    }
+
+    derCert = sign_cert (temp_cert, privk);
+    cert = install_cert(db, derCert, nickname);
+    if (ChangeTrustAttributes(db, cert, ",,uC") != SECSuccess) {
+	FatalError("Unable to change trust on generated certificate");
+    }
+
+    /* !!! Free memory ? !!! */
+    PK11_FreeSlot(slot);
+    SECKEY_DestroyPrivateKey(privk);
+    SECKEY_DestroyPublicKey(pubk);
+
+    return cert;
+}
+
+
+/**************************************************************************
+ *
+ * C h a n g e T r u s t A t t r i b u t e s
+ */
+static SECStatus
+ChangeTrustAttributes(CERTCertDBHandle *db, CERTCertificate *cert, char *trusts)
+{
+
+    CERTCertTrust	 * trust;
+
+    if (!db || !cert || !trusts) {
+	PR_fprintf(errorFD, "ChangeTrustAttributes got incomplete arguments.\n");
+	errorCount++;
+	return SECFailure;
+    }
+
+    trust = (CERTCertTrust * ) PORT_ZAlloc(sizeof(CERTCertTrust));
+    if (!trust) {
+	PR_fprintf(errorFD, "ChangeTrustAttributes unable to allocate "
+	    "CERTCertTrust\n");
+	errorCount++;
+	return SECFailure;
+    }
+
+    if ( CERT_DecodeTrustString(trust, trusts) ) {
+	return SECFailure;
+    }
+
+    if ( CERT_ChangeCertTrust(db, cert, trust) ) {
+	PR_fprintf(errorFD, "unable to modify trust attributes for cert %s\n",
+	     		 cert->nickname ? cert->nickname : "");
+	errorCount++;
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/*************************************************************************
+ *
+ * s e t _ c e r t _ t y p e
+ */
+static SECStatus
+set_cert_type(CERTCertificate *cert, unsigned int type)
+{
+    void	*context;
+    SECStatus status = SECSuccess;
+    SECItem certType;
+    char	ctype;
+
+    context = CERT_StartCertExtensions(cert);
+
+    certType.type = siBuffer;
+    certType.data = (unsigned char * ) &ctype;
+    certType.len = 1;
+    ctype = (unsigned char)type;
+    if (CERT_EncodeAndAddBitStrExtension(context, SEC_OID_NS_CERT_EXT_CERT_TYPE,
+         	 &certType, PR_TRUE /*critical*/) != SECSuccess) {
+	status = SECFailure;
+    }
+
+    if (CERT_FinishExtensions(context) != SECSuccess) {
+	status = SECFailure;
+    }
+
+    return status;
+}
+
+
+/********************************************************************
+ *
+ * s i g n _ c e r t
+ */
+static SECItem *
+sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
+{
+    SECStatus rv;
+
+    SECItem der2;
+    SECItem * result2;
+
+    void	*dummy;
+    SECOidTag alg = SEC_OID_UNKNOWN;
+
+    alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
+    if (alg == SEC_OID_UNKNOWN) {
+	FatalError("Unknown key type");
+    }
+
+    rv = SECOID_SetAlgorithmID (cert->arena, &cert->signature, alg, 0);
+
+    if (rv != SECSuccess) {
+	PR_fprintf(errorFD, "%s: unable to set signature alg id\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    der2.len = 0;
+    der2.data = NULL;
+
+    dummy = SEC_ASN1EncodeItem
+        (cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
+
+    if (rv != SECSuccess) {
+	PR_fprintf(errorFD, "%s: error encoding cert\n", PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    result2 = (SECItem * ) PORT_ArenaZAlloc (cert->arena, sizeof (SECItem));
+    if (result2 == NULL)
+	out_of_memory();
+
+    rv = SEC_DerSignData 
+        (cert->arena, result2, der2.data, der2.len, privk, alg);
+
+    if (rv != SECSuccess) {
+	PR_fprintf(errorFD, "can't sign encoded certificate data\n");
+	errorCount++;
+	exit (ERRX);
+    } else if (verbosity >= 0) {
+	PR_fprintf(outputFD, "certificate has been signed\n");
+    }
+
+    cert->derCert = *result2;
+
+    return result2;
+}
+
+
+/*********************************************************************
+ *
+ * i n s t a l l _ c e r t
+ *
+ * Installs the cert in the permanent database.
+ */
+static CERTCertificate*
+install_cert(CERTCertDBHandle *db, SECItem *derCert, char *nickname)
+{
+    CERTCertificate * newcert;
+    PK11SlotInfo * newSlot;
+
+
+    newSlot = PK11_ImportDERCertForKey(derCert, nickname, &pwdata);
+    if ( newSlot == NULL ) {
+	PR_fprintf(errorFD, "Unable to install certificate\n");
+	errorCount++;
+	exit(ERRX);
+    }
+
+    newcert = PK11_FindCertFromDERCertItem(newSlot, derCert, &pwdata);
+    PK11_FreeSlot(newSlot);
+    if (newcert == NULL) {
+	PR_fprintf(errorFD, "%s: can't find new certificate\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "certificate \"%s\" added to database\n",
+	     nickname);
+    }
+
+    return newcert;
+}
+
+
+/******************************************************************
+ *
+ * G e n e r a t e K e y P a i r
+ */
+static SECStatus
+GenerateKeyPair(PK11SlotInfo *slot, SECKEYPublicKey **pubk,
+SECKEYPrivateKey **privk, int keysize)
+{
+
+    PK11RSAGenParams rsaParams;
+
+    if ( keysize == -1 ) {
+	rsaParams.keySizeInBits = DEFAULT_RSA_KEY_SIZE;
+    } else {
+	rsaParams.keySizeInBits = keysize;
+    }
+    rsaParams.pe = 0x10001;
+
+    if (PK11_Authenticate( slot, PR_FALSE /*loadCerts*/, &pwdata)
+         != SECSuccess) {
+	SECU_PrintError(progName, "failure authenticating to key database.\n");
+	exit(ERRX);
+    }
+
+    *privk = PK11_GenerateKeyPair (slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams,
+         
+        pubk, PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, &pwdata);
+
+    if (*privk != NULL && *pubk != NULL) {
+	if (verbosity >= 0) {
+	    PR_fprintf(outputFD, "generated public/private key pair\n");
+	}
+    } else {
+	SECU_PrintError(progName, "failure generating key pair\n");
+	exit (ERRX);
+    }
+
+    return SECSuccess;
+}
+
+
+
+/******************************************************************
+ *
+ * m a k e _ c e r t _ r e q u e s t
+ */
+static CERTCertificateRequest*
+make_cert_request(char *subject, SECKEYPublicKey *pubk)
+{
+    CERTName * subj;
+    CERTSubjectPublicKeyInfo * spki;
+
+    CERTCertificateRequest * req;
+
+    /* Create info about public key */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if (!spki) {
+	SECU_PrintError(progName, "unable to create subject public key");
+	exit (ERRX);
+    }
+
+    subj = CERT_AsciiToName (subject);
+    if (subj == NULL) {
+	FatalError("Invalid data in certificate description");
+    }
+
+    /* Generate certificate request */
+    req = CERT_CreateCertificateRequest(subj, spki, 0);
+    if (!req) {
+	SECU_PrintError(progName, "unable to make certificate request");
+	exit (ERRX);
+    }
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "certificate request generated\n");
+    }
+
+    return req;
+}
+
+
+/******************************************************************
+ *
+ * m a k e _ c e r t
+ */
+static CERTCertificate *
+make_cert(CERTCertificateRequest *req, unsigned long serial,
+CERTName *ca_subject)
+{
+    CERTCertificate * cert;
+
+    CERTValidity * validity = NULL;
+
+    PRTime now, after;
+    PRExplodedTime printableTime;
+
+    now = PR_Now();
+    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
+
+    printableTime.tm_month += 3;
+    after = PR_ImplodeTime (&printableTime);
+
+    validity = CERT_CreateValidity (now, after);
+
+    if (validity == NULL) {
+	PR_fprintf(errorFD, "%s: error creating certificate validity\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    cert = CERT_CreateCertificate
+        (serial, ca_subject, validity, req);
+
+    if (cert == NULL) {
+	/* should probably be more precise here */
+	PR_fprintf(errorFD, "%s: error while generating certificate\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    return cert;
+}
+
+
+/*************************************************************************
+ *
+ * o u t p u t _ c a _ c e r t
+ */
+static void	
+output_ca_cert (CERTCertificate *cert, CERTCertDBHandle *db)
+{
+    FILE * out;
+
+    SECItem * encodedCertChain;
+    SEC_PKCS7ContentInfo * certChain;
+    char	*filename;
+
+    /* the raw */
+
+    filename = PORT_ZAlloc(strlen(DEFAULT_X509_BASENAME) + 8);
+    if (!filename) 
+	out_of_memory();
+
+    sprintf(filename, "%s.raw", DEFAULT_X509_BASENAME);
+    if ((out = fopen (filename, "wb")) == NULL) {
+	PR_fprintf(errorFD, "%s: Can't open %s output file\n", PROGRAM_NAME,
+	     filename);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    certChain = SEC_PKCS7CreateCertsOnly (cert, PR_TRUE, db);
+    encodedCertChain 
+         = SEC_PKCS7EncodeItem (NULL, NULL, certChain, NULL, NULL, NULL);
+    SEC_PKCS7DestroyContentInfo (certChain);
+
+    if (encodedCertChain) {
+	fprintf(out, "Content-type: application/x-x509-ca-cert\n\n");
+	fwrite (encodedCertChain->data, 1, encodedCertChain->len,
+	     out);
+	SECITEM_FreeItem(encodedCertChain, PR_TRUE);
+    } else {
+	PR_fprintf(errorFD, "%s: Can't DER encode this certificate\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    fclose (out);
+
+    /* and the cooked */
+
+    sprintf(filename, "%s.cacert", DEFAULT_X509_BASENAME);
+    if ((out = fopen (filename, "wb")) == NULL) {
+	PR_fprintf(errorFD, "%s: Can't open %s output file\n", PROGRAM_NAME,
+	     filename);
+	errorCount++;
+	return;
+    }
+
+    fprintf (out, "%s\n%s\n%s\n", 
+        NS_CERT_HEADER,
+        BTOA_DataToAscii (cert->derCert.data, cert->derCert.len), 
+        NS_CERT_TRAILER);
+
+    fclose (out);
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "Exported certificate to %s.raw and %s.cacert.\n",
+	     			DEFAULT_X509_BASENAME, DEFAULT_X509_BASENAME);
+    }
+}
+
+
diff --git a/security/nss/cmd/signtool/javascript.c b/security/nss/cmd/signtool/javascript.c
new file mode 100644
index 000000000..add76db03
--- /dev/null
+++ b/security/nss/cmd/signtool/javascript.c
@@ -0,0 +1,1867 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+#include <prmem.h>
+#include <prio.h>
+#include <prenv.h>
+
+static int	javascript_fn(char *relpath, char *basedir, char *reldir,
+char *filename, void *arg);
+static int	extract_js (char *filename);
+static int	copyinto (char *from, char *to);
+static PRStatus ensureExists (char *base, char *path);
+static int	make_dirs(char *path, PRInt32 file_perms);
+
+static char	*jartree = NULL;
+static int	idOrdinal;
+static PRBool dumpParse = PR_FALSE;
+
+static char	*event_handlers[] = {
+    "onAbort",
+    "onBlur",
+    "onChange",
+    "onClick",
+    "onDblClick",
+    "onDragDrop",
+    "onError",
+    "onFocus",
+    "onKeyDown",
+    "onKeyPress",
+    "onKeyUp",
+    "onLoad",
+    "onMouseDown",
+    "onMouseMove",
+    "onMouseOut",
+    "onMouseOver",
+    "onMouseUp",
+    "onMove",
+    "onReset",
+    "onResize",
+    "onSelect",
+    "onSubmit",
+    "onUnload"
+};
+
+
+static int	num_handlers = 23;
+
+/*
+ *  I n l i n e J a v a S c r i p t
+ *
+ *  Javascript signing. Instead of passing an archive to signtool,
+ *  a directory containing html files is given. Archives are created
+ *  from the archive= and src= tag attributes inside the html,
+ *  as appropriate. Then the archives are signed.
+ *
+ */
+int
+InlineJavaScript(char *dir, PRBool recurse)
+{
+    jartree = dir;
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "\nGenerating inline signatures from HTML files in: %s\n",
+	     dir);
+    }
+    if (PR_GetEnv("SIGNTOOL_DUMP_PARSE")) {
+	dumpParse = PR_TRUE;
+    }
+
+    return foreach(dir, "", javascript_fn, recurse, PR_FALSE /*include dirs*/,
+         		(void * )NULL);
+
+}
+
+
+/************************************************************************
+ *
+ * j a v a s c r i p t _ f n
+ */
+static int	javascript_fn
+(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
+{
+    char	fullname [FNSIZE];
+
+    /* only process inline scripts from .htm, .html, and .shtml*/
+
+    if (!(PL_strcaserstr(filename, ".htm") == filename + strlen(filename) -
+        4) && 
+        !(PL_strcaserstr(filename, ".html") == filename + strlen(filename) -
+        5) && 
+        !(PL_strcaserstr(filename, ".shtml") == filename + strlen(filename)
+        -6)) {
+	return 0;
+    }
+
+    /* don't process scripts that signtool has already
+     extracted (those that are inside .arc directories) */
+
+    if (PL_strcaserstr(filename, ".arc") == filename + strlen(filename) - 4)
+	return 0;
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "Processing HTML file: %s\n", relpath);
+    }
+
+    /* reset firstArchive at top of each HTML file */
+
+    /* skip directories that contain extracted scripts */
+
+    if (PL_strcaserstr(reldir, ".arc") == reldir + strlen(reldir) - 4)
+	return 0;
+
+    sprintf (fullname, "%s/%s", basedir, relpath);
+    return extract_js (fullname);
+}
+
+
+/*===========================================================================
+ =
+ = D A T A   S T R U C T U R E S
+ =
+*/
+typedef enum {
+    TEXT_HTML_STATE = 0,
+    SCRIPT_HTML_STATE
+} 
+
+
+HTML_STATE ;
+
+typedef enum {
+    /* we start in the start state */
+    START_STATE,
+
+    /* We are looking for or reading in an attribute */
+    GET_ATT_STATE,
+
+    /* We're burning ws before finding an attribute */
+    PRE_ATT_WS_STATE,
+
+    /* We're burning ws after an attribute.  Looking for an '='. */
+    POST_ATT_WS_STATE,
+
+    /* We're burning ws after an '=', waiting for a value */
+    PRE_VAL_WS_STATE,
+
+    /* We're reading in a value */
+    GET_VALUE_STATE,
+
+    /* We're reading in a value that's inside quotes */
+    GET_QUOTED_VAL_STATE,
+
+    /* We've encountered the closing '>' */
+    DONE_STATE,
+
+    /* Error state */
+    ERR_STATE
+} 
+
+
+TAG_STATE ;
+
+typedef struct AVPair_Str {
+    char	*attribute;
+    char	*value;
+    unsigned int	valueLine; /* the line that the value ends on */
+    struct AVPair_Str *next;
+} AVPair;
+
+typedef enum {
+    APPLET_TAG,
+    SCRIPT_TAG,
+    LINK_TAG,
+    STYLE_TAG,
+    COMMENT_TAG,
+    OTHER_TAG
+} 
+
+
+TAG_TYPE ;
+
+typedef struct {
+    TAG_TYPE type;
+    AVPair * attList;
+    AVPair * attListTail;
+    char	*text;
+} TagItem;
+
+typedef enum {
+    TAG_ITEM,
+    TEXT_ITEM
+} 
+
+
+ITEM_TYPE ;
+
+typedef struct HTMLItem_Str {
+    unsigned int	startLine;
+    unsigned int	endLine;
+    ITEM_TYPE type;
+    union {
+	TagItem *tag;
+	char	*text;
+    } item;
+    struct HTMLItem_Str *next;
+} HTMLItem;
+
+typedef struct {
+    PRFileDesc *fd;
+    PRInt32 curIndex;
+    PRBool IsEOF;
+#define FILE_BUFFER_BUFSIZE 512
+    char	buf[FILE_BUFFER_BUFSIZE];
+    PRInt32 startOffset;
+    PRInt32 maxIndex;
+    unsigned int	lineNum;
+} FileBuffer;
+
+/*===========================================================================
+ =
+ = F U N C T I O N S
+ =
+*/
+static HTMLItem*CreateTextItem(char *text, unsigned int startline,
+unsigned int endline);
+static HTMLItem*CreateTagItem(TagItem*ti, unsigned int startline,
+unsigned int endline);
+static TagItem*ProcessTag(FileBuffer*fb, char **errStr);
+static void	DestroyHTMLItem(HTMLItem *item);
+static void	DestroyTagItem(TagItem*ti);
+static TAG_TYPE GetTagType(char *att);
+static FileBuffer*FB_Create(PRFileDesc*fd);
+static int	FB_GetChar(FileBuffer *fb);
+static PRInt32 FB_GetPointer(FileBuffer *fb);
+static PRInt32 FB_GetRange(FileBuffer *fb, PRInt32 start, PRInt32 end,
+char **buf);
+static unsigned int	FB_GetLineNum(FileBuffer *fb);
+static void	FB_Destroy(FileBuffer *fb);
+static void	PrintTagItem(PRFileDesc *fd, TagItem *ti);
+static void	PrintHTMLStream(PRFileDesc *fd, HTMLItem *head);
+
+/************************************************************************
+ *
+ * C r e a t e T e x t I t e m
+ */
+static HTMLItem*
+CreateTextItem(char *text, unsigned int startline, unsigned int endline)
+{
+    HTMLItem * item;
+
+    item = PR_Malloc(sizeof(HTMLItem));
+    if (!item) {
+	return NULL;
+    }
+
+    item->type = TEXT_ITEM;
+    item->item.text = text;
+    item->next = NULL;
+    item->startLine = startline;
+    item->endLine = endline;
+
+    return item;
+}
+
+
+/************************************************************************
+ *
+ * C r e a t e T a g I t e m
+ */
+static HTMLItem*
+CreateTagItem(TagItem*ti, unsigned int startline, unsigned int endline)
+{
+    HTMLItem * item;
+
+    item = PR_Malloc(sizeof(HTMLItem));
+    if (!item) {
+	return NULL;
+    }
+
+    item->type = TAG_ITEM;
+    item->item.tag = ti;
+    item->next = NULL;
+    item->startLine = startline;
+    item->endLine = endline;
+
+    return item;
+}
+
+
+static PRBool
+isAttChar(int c)
+{
+    return (isalnum(c) || c == '/' || c == '-');
+}
+
+
+/************************************************************************
+ *
+ * P r o c e s s T a g
+ */
+static TagItem*
+ProcessTag(FileBuffer*fb, char **errStr)
+{
+    TAG_STATE state;
+    PRInt32 startText, startID, curPos;
+    PRBool firstAtt;
+    int	curchar;
+    TagItem * ti = NULL;
+    AVPair * curPair = NULL;
+    char	quotechar = '\0';
+    unsigned int	linenum;
+    unsigned int	startline;
+
+    state = START_STATE;
+
+    startID = FB_GetPointer(fb);
+    startText = startID;
+    firstAtt = PR_TRUE;
+
+    ti = (TagItem * ) PR_Malloc(sizeof(TagItem));
+    if (!ti) 
+	out_of_memory();
+    ti->type = OTHER_TAG;
+    ti->attList = NULL;
+    ti->attListTail = NULL;
+    ti->text = NULL;
+
+    startline = FB_GetLineNum(fb);
+
+    while (state != DONE_STATE && state != ERR_STATE) {
+	linenum = FB_GetLineNum(fb);
+	curchar = FB_GetChar(fb);
+	if (curchar == EOF) {
+	    *errStr = PR_smprintf(
+	        "line %d: Unexpected end-of-file while parsing tag starting at line %d.\n",
+	         linenum, startline);
+	    state = ERR_STATE;
+	    continue;
+	}
+
+	switch (state) {
+	case START_STATE:
+	    if (curchar == '!') {
+		/*
+		 * SGML tag or comment
+		 * Here's the general rule for SGML tags.  Everything from
+		 * <! to > is the tag.  Inside the tag, comments are
+		 * delimited with --.  So we are looking for the first '>'
+		 * that is not commented out, that is, not inside a pair
+		 * of --: <!DOCTYPE --this is a comment >(psyche!)   -->
+		 */
+
+		PRBool inComment = PR_FALSE;
+		short	hyphenCount = 0; /* number of consecutive hyphens */
+
+		while (1) {
+		    linenum = FB_GetLineNum(fb);
+		    curchar = FB_GetChar(fb);
+		    if (curchar == EOF) {
+			/* Uh oh, EOF inside comment */
+			*errStr = PR_smprintf(
+    "line %d: Unexpected end-of-file inside comment starting at line %d.\n",
+  						linenum, startline);
+			state = ERR_STATE;
+			break;
+		    }
+		    if (curchar == '-') {
+			if (hyphenCount == 1) {
+			    /* This is a comment delimiter */
+			    inComment = !inComment;
+			    hyphenCount = 0;
+			} else {
+			    /* beginning of a comment delimiter? */
+			    hyphenCount = 1;
+			}
+		    } else if (curchar == '>') {
+			if (!inComment) {
+			    /* This is the end of the tag */
+			    state = DONE_STATE;
+			    break;
+			} else {
+			    /* The > is inside a comment, so it's not
+							 * really the end of the tag */
+			    hyphenCount = 0;
+			}
+		    } else {
+			hyphenCount = 0;
+		    }
+		}
+		ti->type = COMMENT_TAG;
+		break;
+	    }
+	    /* fall through */
+	case GET_ATT_STATE:
+	    if (isspace(curchar) || curchar == '=' || curchar
+	        == '>') {
+		/* end of the current attribute */
+		curPos = FB_GetPointer(fb) - 2;
+		if (curPos >= startID) {
+		    /* We have an attribute */
+		    curPair = (AVPair * )PR_Malloc(sizeof(AVPair));
+		    if (!curPair) 
+			out_of_memory();
+		    curPair->value = NULL;
+		    curPair->next = NULL;
+		    FB_GetRange(fb, startID, curPos,
+		        &curPair->attribute);
+
+		    /* Stick this attribute on the list */
+		    if (ti->attListTail) {
+			ti->attListTail->next = curPair;
+			ti->attListTail = curPair;
+		    } else {
+			ti->attList = ti->attListTail =
+			    curPair;
+		    }
+
+		    /* If this is the first attribute, find the type of tag
+		     * based on it. Also, start saving the text of the tag. */
+		    if (firstAtt) {
+			ti->type = GetTagType(curPair->attribute);
+			startText = FB_GetPointer(fb)
+			    -1;
+			firstAtt = PR_FALSE;
+		    }
+		} else {
+		    if (curchar == '=') {
+			/* If we don't have any attribute but we do have an
+			 * equal sign, that's an error */
+			*errStr = PR_smprintf("line %d: Malformed tag starting at line %d.\n",
+			     linenum, startline);
+			state = ERR_STATE;
+			break;
+		    }
+		}
+
+		/* Compute next state */
+		if (curchar == '=') {
+		    startID = FB_GetPointer(fb);
+		    state = PRE_VAL_WS_STATE;
+		} else if (curchar == '>') {
+		    state = DONE_STATE;
+		} else if (curPair) {
+		    state = POST_ATT_WS_STATE;
+		} else {
+		    state = PRE_ATT_WS_STATE;
+		}
+	    } else if (isAttChar(curchar)) {
+		/* Just another char in the attribute. Do nothing */
+		state = GET_ATT_STATE;
+	    } else {
+		/* bogus char */
+		*errStr = PR_smprintf("line %d: Bogus chararacter '%c' in tag.\n",
+		     			linenum, curchar);
+		state = ERR_STATE;
+		break;
+	    }
+	    break;
+	case PRE_ATT_WS_STATE:
+	    if (curchar == '>') {
+		state = DONE_STATE;
+	    } else if (isspace(curchar)) {
+		/* more whitespace, do nothing */
+	    } else if (isAttChar(curchar)) {
+		/* starting another attribute */
+		startID = FB_GetPointer(fb) - 1;
+		state = GET_ATT_STATE;
+	    } else {
+		/* bogus char */
+		*errStr = PR_smprintf("line %d: Bogus character '%c' in tag.\n",
+		     			linenum, curchar);
+		state = ERR_STATE;
+		break;
+	    }
+	    break;
+	case POST_ATT_WS_STATE:
+	    if (curchar == '>') {
+		state = DONE_STATE;
+	    } else if (isspace(curchar)) {
+		/* more whitespace, do nothing */
+	    } else if (isAttChar(curchar)) {
+		/* starting another attribute */
+		startID = FB_GetPointer(fb) - 1;
+		state = GET_ATT_STATE;
+	    } else if (curchar == '=') {
+		/* there was whitespace between the attribute and its equal
+		 * sign, which means there's a value coming up */
+		state = PRE_VAL_WS_STATE;
+	    } else {
+		/* bogus char */
+		*errStr = PR_smprintf("line %d: Bogus character '%c' in tag.\n",
+		     					linenum, curchar);
+		state = ERR_STATE;
+		break;
+	    }
+	    break;
+	case PRE_VAL_WS_STATE:
+	    if (curchar == '>') {
+		/* premature end-of-tag (sounds like a personal problem). */
+		*errStr = PR_smprintf(
+		    "line %d: End of tag while waiting for value.\n",
+		     linenum);
+		state = ERR_STATE;
+		break;
+	    } else if (isspace(curchar)) {
+		/* more whitespace, do nothing */
+		break;
+	    } else {
+		/* this must be some sort of value. Fall through
+				 * to GET_VALUE_STATE */
+		startID = FB_GetPointer(fb) - 1;
+		state = GET_VALUE_STATE;
+	    }
+	    /* Fall through if we didn't break on '>' or whitespace */
+	case GET_VALUE_STATE:
+	    if (isspace(curchar) || curchar == '>') {
+		/* end of value */
+		curPos = FB_GetPointer(fb) - 2;
+		if (curPos >= startID) {
+		    /* Grab the value */
+		    FB_GetRange(fb, startID, curPos,
+		        &curPair->value);
+		    curPair->valueLine = linenum;
+		} else {
+		    /* empty value, leave as NULL */
+		}
+		if (isspace(curchar)) {
+		    state = PRE_ATT_WS_STATE;
+		} else {
+		    state = DONE_STATE;
+		}
+	    } else if (curchar == '\"' || curchar == '\'') {
+		/* quoted value.  Start recording the value inside the quote*/
+		startID = FB_GetPointer(fb);
+		state = GET_QUOTED_VAL_STATE;
+		PORT_Assert(quotechar == '\0');
+		quotechar = curchar; /* look for matching quote type */
+	    } else {
+		/* just more value */
+	    }
+	    break;
+	case GET_QUOTED_VAL_STATE:
+	    PORT_Assert(quotechar != '\0');
+	    if (curchar == quotechar) {
+		/* end of quoted value */
+		curPos = FB_GetPointer(fb) - 2;
+		if (curPos >= startID) {
+		    /* Grab the value */
+		    FB_GetRange(fb, startID, curPos,
+		        &curPair->value);
+		    curPair->valueLine = linenum;
+		} else {
+		    /* empty value, leave it as NULL */
+		}
+		state = GET_ATT_STATE;
+		quotechar = '\0';
+		startID = FB_GetPointer(fb);
+	    } else {
+		/* more quoted value, continue */
+	    }
+	    break;
+	case DONE_STATE:
+	case ERR_STATE:
+	default:
+	    ; /* should never get here */
+	}
+    }
+
+    if (state == DONE_STATE) {
+	/* Get the text of the tag */
+	curPos = FB_GetPointer(fb) - 1;
+	FB_GetRange(fb, startText, curPos, &ti->text);
+
+	/* Return the tag */
+	return ti;
+    }
+
+    /* Uh oh, an error.  Kill the tag item*/
+    DestroyTagItem(ti);
+    return NULL;
+}
+
+
+/************************************************************************
+ *
+ * D e s t r o y H T M L I t e m
+ */
+static void	
+DestroyHTMLItem(HTMLItem *item)
+{
+    if (item->type == TAG_ITEM) {
+	DestroyTagItem(item->item.tag);
+    } else {
+	if (item->item.text) {
+	    PR_Free(item->item.text);
+	}
+    }
+}
+
+
+/************************************************************************
+ *
+ * D e s t r o y T a g I t e m
+ */
+static void	
+DestroyTagItem(TagItem*ti)
+{
+    AVPair * temp;
+
+    if (ti->text) {
+	PR_Free(ti->text); 
+	ti->text = NULL;
+    }
+
+    while (ti->attList) {
+	temp = ti->attList;
+	ti->attList = ti->attList->next;
+
+	if (temp->attribute) {
+	    PR_Free(temp->attribute); 
+	    temp->attribute = NULL;
+	}
+	if (temp->value) {
+	    PR_Free(temp->value); 
+	    temp->value = NULL;
+	}
+	PR_Free(temp);
+    }
+
+    PR_Free(ti);
+}
+
+
+/************************************************************************
+ *
+ * G e t T a g T y p e
+ */
+static TAG_TYPE
+GetTagType(char *att)
+{
+    if (!PORT_Strcasecmp(att, "APPLET")) {
+	return APPLET_TAG;
+    }
+    if (!PORT_Strcasecmp(att, "SCRIPT")) {
+	return SCRIPT_TAG;
+    }
+    if (!PORT_Strcasecmp(att, "LINK")) {
+	return LINK_TAG;
+    }
+    if (!PORT_Strcasecmp(att, "STYLE")) {
+	return STYLE_TAG;
+    }
+    return OTHER_TAG;
+}
+
+
+/************************************************************************
+ *
+ * F B _ C r e a t e
+ */
+static FileBuffer*
+FB_Create(PRFileDesc*fd)
+{
+    FileBuffer * fb;
+    PRInt32 amountRead;
+    PRInt32 storedOffset;
+
+    fb = (FileBuffer * ) PR_Malloc(sizeof(FileBuffer));
+    fb->fd = fd;
+    storedOffset = PR_Seek(fd, 0, PR_SEEK_CUR);
+    PR_Seek(fd, 0, PR_SEEK_SET);
+    fb->startOffset = 0;
+    amountRead = PR_Read(fd, fb->buf, FILE_BUFFER_BUFSIZE);
+    if (amountRead == -1) 
+	goto loser;
+    fb->maxIndex = amountRead - 1;
+    fb->curIndex = 0;
+    fb->IsEOF = (fb->curIndex > fb->maxIndex) ? PR_TRUE : PR_FALSE;
+    fb->lineNum = 1;
+
+    PR_Seek(fd, storedOffset, PR_SEEK_SET);
+    return fb;
+loser:
+    PR_Seek(fd, storedOffset, PR_SEEK_SET);
+    PR_Free(fb);
+    return NULL;
+}
+
+
+/************************************************************************
+ *
+ * F B _ G e t C h a r
+ */
+static int	
+FB_GetChar(FileBuffer *fb)
+{
+    PRInt32 storedOffset;
+    PRInt32 amountRead;
+    int	retval = -1;
+
+    if (fb->IsEOF) {
+	return EOF;
+    }
+
+    storedOffset = PR_Seek(fb->fd, 0, PR_SEEK_CUR);
+
+    retval = (unsigned char) fb->buf[fb->curIndex++];
+    if (retval == '\n') 
+	fb->lineNum++;
+
+    if (fb->curIndex > fb->maxIndex) {
+	/* We're at the end of the buffer. Try to get some new data from the
+		 * file */
+	fb->startOffset += fb->maxIndex + 1;
+	PR_Seek(fb->fd, fb->startOffset, PR_SEEK_SET);
+	amountRead = PR_Read(fb->fd, fb->buf, FILE_BUFFER_BUFSIZE);
+	if (amountRead == -1)  
+	    goto loser;
+	fb->maxIndex = amountRead - 1;
+	fb->curIndex = 0;
+    }
+
+    fb->IsEOF = (fb->curIndex > fb->maxIndex) ? PR_TRUE : PR_FALSE;
+
+loser:
+    PR_Seek(fb->fd, storedOffset, PR_SEEK_SET);
+    return retval;
+}
+
+
+/************************************************************************
+ *
+ * F B _ G e t L i n e N u m
+ *
+ */
+static unsigned int	
+FB_GetLineNum(FileBuffer *fb)
+{
+    return fb->lineNum;
+}
+
+
+/************************************************************************
+ *
+ * F B _ G e t P o i n t e r
+ *
+ */
+static PRInt32
+FB_GetPointer(FileBuffer *fb)
+{
+    return fb->startOffset + fb->curIndex;
+}
+
+
+/************************************************************************
+ *
+ * F B _ G e t R a n g e
+ *
+ */
+static PRInt32
+FB_GetRange(FileBuffer *fb, PRInt32 start, PRInt32 end, char **buf)
+{
+    PRInt32 amountRead;
+    PRInt32 storedOffset;
+
+    *buf = PR_Malloc(end - start + 2);
+    if (*buf == NULL) {
+	return 0;
+    }
+
+    storedOffset = PR_Seek(fb->fd, 0, PR_SEEK_CUR);
+    PR_Seek(fb->fd, start, PR_SEEK_SET);
+    amountRead = PR_Read(fb->fd, *buf, end - start + 1);
+    PR_Seek(fb->fd, storedOffset, PR_SEEK_SET);
+    if (amountRead == -1) {
+	PR_Free(*buf);
+	*buf = NULL;
+	return 0;
+    }
+
+    (*buf)[end-start+1] = '\0';
+    return amountRead;
+}
+
+
+/************************************************************************
+ *
+ * F B _ D e s t r o y
+ *
+ */
+static void	
+FB_Destroy(FileBuffer *fb)
+{
+    if (fb) {
+	PR_Free(fb);
+    }
+}
+
+
+/************************************************************************
+ *
+ * P r i n t T a g I t e m
+ *
+ */
+static void	
+PrintTagItem(PRFileDesc *fd, TagItem *ti)
+{
+    AVPair * pair;
+
+    PR_fprintf(fd, "TAG:\n----\nType: ");
+    switch (ti->type) {
+    case APPLET_TAG:
+	PR_fprintf(fd, "applet\n");
+	break;
+    case SCRIPT_TAG:
+	PR_fprintf(fd, "script\n");
+	break;
+    case LINK_TAG:
+	PR_fprintf(fd, "link\n");
+	break;
+    case STYLE_TAG:
+	PR_fprintf(fd, "style\n");
+	break;
+    case COMMENT_TAG:
+	PR_fprintf(fd, "comment\n");
+	break;
+    case OTHER_TAG:
+    default:
+	PR_fprintf(fd, "other\n");
+	break;
+    }
+
+    PR_fprintf(fd, "Attributes:\n");
+    for (pair = ti->attList; pair; pair = pair->next) {
+	PR_fprintf(fd, "\t%s=%s\n", pair->attribute,
+	    pair->value ? pair->value : "");
+    }
+    PR_fprintf(fd, "Text:%s\n", ti->text ? ti->text : "");
+
+    PR_fprintf(fd, "---End of tag---\n");
+}
+
+
+/************************************************************************
+ *
+ * P r i n t H T M L S t r e a m
+ *
+ */
+static void	
+PrintHTMLStream(PRFileDesc *fd, HTMLItem *head)
+{
+    while (head) {
+	if (head->type == TAG_ITEM) {
+	    PrintTagItem(fd, head->item.tag);
+	} else {
+	    PR_fprintf(fd, "\nTEXT:\n-----\n%s\n-----\n\n", head->item.text);
+	}
+	head = head->next;
+    }
+}
+
+
+/************************************************************************
+ *
+ * S a v e I n l i n e S c r i p t
+ *
+ */
+static int	
+SaveInlineScript(char *text, char *id, char *basedir, char *archiveDir)
+{
+    char	*filename = NULL;
+    PRFileDesc * fd = NULL;
+    int	retval = -1;
+    PRInt32 writeLen;
+    char	*ilDir = NULL;
+
+    if (!text || !id || !archiveDir) {
+	return - 1;
+    }
+
+    if (dumpParse) {
+	PR_fprintf(outputFD, "SaveInlineScript: text=%s, id=%s, \n"
+	    "basedir=%s, archiveDir=%s\n",
+	    text, id, basedir, archiveDir);
+    }
+
+    /* Make sure the archive directory is around */
+    if (ensureExists(basedir, archiveDir) != PR_SUCCESS) {
+	PR_fprintf(errorFD,
+	    "ERROR: Unable to create archive directory %s.\n", archiveDir);
+	errorCount++;
+	return - 1;
+    }
+
+    /* Make sure the inline script directory is around */
+    ilDir = PR_smprintf("%s/inlineScripts", archiveDir);
+    scriptdir = "inlineScripts";
+    if (ensureExists(basedir, ilDir) != PR_SUCCESS) {
+	PR_fprintf(errorFD,
+	    "ERROR: Unable to create directory %s.\n", ilDir);
+	errorCount++;
+	return - 1;
+    }
+
+    filename = PR_smprintf("%s/%s/%s", basedir, ilDir, id);
+
+    /* If the file already exists, give a warning, then blow it away */
+    if (PR_Access(filename, PR_ACCESS_EXISTS) == PR_SUCCESS) {
+	PR_fprintf(errorFD,
+	    "warning: file \"%s\" already exists--will overwrite.\n",
+	     			filename);
+	warningCount++;
+	if (rm_dash_r(filename)) {
+	    PR_fprintf(errorFD, "ERROR: Unable to delete %s.\n", filename);
+	    errorCount++;
+	    goto finish;
+	}
+    }
+
+    /* Write text into file with name id */
+    fd = PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777);
+    if (!fd) {
+	PR_fprintf(errorFD, "ERROR: Unable to create file \"%s\".\n",
+	     			filename);
+	errorCount++;
+	goto finish;
+    }
+    writeLen = strlen(text);
+    if ( PR_Write(fd, text, writeLen) != writeLen) {
+	PR_fprintf(errorFD, "ERROR: Unable to write to file \"%s\".\n",
+	     			filename);
+	errorCount++;
+	goto finish;
+    }
+
+    retval = 0;
+finish:
+    if (filename) {
+	PR_smprintf_free(filename);
+    }
+    if (ilDir) {
+	PR_smprintf_free(ilDir);
+    }
+    if (fd) {
+	PR_Close(fd);
+    }
+    return retval;
+}
+
+
+/************************************************************************
+ *
+ * S a v e U n n a m a b l e S c r i p t
+ *
+ */
+static int	
+SaveUnnamableScript(char *text, char *basedir, char *archiveDir,
+char *HTMLfilename)
+{
+    char	*id = NULL;
+    char	*ext = NULL;
+    char	*start = NULL;
+    int	retval = -1;
+
+    if (!text || !archiveDir || !HTMLfilename) {
+	return - 1;
+    }
+
+    if (dumpParse) {
+	PR_fprintf(outputFD, "SaveUnnamableScript: text=%s, basedir=%s,\n"
+	    "archiveDir=%s, filename=%s\n", text, basedir, archiveDir,
+	     			HTMLfilename);
+    }
+
+    /* Construct the filename */
+    ext = PL_strrchr(HTMLfilename, '.');
+    if (ext) {
+	*ext = '\0';
+    }
+    for (start = HTMLfilename; strpbrk(start, "/\\"); 
+         start = strpbrk(start, "/\\") + 1)
+	/* do nothing */;
+    if (*start == '\0') 
+	start = HTMLfilename;
+    id = PR_smprintf("_%s%d", start, idOrdinal++);
+    if (ext) {
+	*ext = '.';
+    }
+
+    /* Now call SaveInlineScript to do the work */
+    retval = SaveInlineScript(text, id, basedir, archiveDir);
+
+    PR_Free(id);
+
+    return retval;
+}
+
+
+/************************************************************************
+ *
+ * S a v e S o u r c e
+ *
+ */
+static int	
+SaveSource(char *src, char *codebase, char *basedir, char *archiveDir)
+{
+    char	*from = NULL, *to = NULL;
+    int	retval = -1;
+    char	*arcDir = NULL;
+
+    if (!src || !archiveDir) {
+	return - 1;
+    }
+
+    if (dumpParse) {
+	PR_fprintf(outputFD, "SaveSource: src=%s, codebase=%s, basedir=%s,\n"
+	    "archiveDir=%s\n", src, codebase, basedir, archiveDir);
+    }
+
+    if (codebase) {
+	arcDir = PR_smprintf("%s/%s/%s/", basedir, codebase, archiveDir);
+    } else {
+	arcDir = PR_smprintf("%s/%s/", basedir, archiveDir);
+    }
+
+    if (codebase) {
+	from = PR_smprintf("%s/%s/%s", basedir, codebase, src);
+	to = PR_smprintf("%s%s", arcDir, src);
+    } else {
+	from = PR_smprintf("%s/%s", basedir, src);
+	to = PR_smprintf("%s%s", arcDir, src);
+    }
+
+    if (make_dirs(to, 0777)) {
+	PR_fprintf(errorFD,
+	    "ERROR: Unable to create archive directory %s.\n", archiveDir);
+	errorCount++;
+	goto finish;
+    }
+
+    retval = copyinto(from, to);
+finish:
+    if (from) 
+	PR_Free(from);
+    if (to) 
+	PR_Free(to);
+    if (arcDir) 
+	PR_Free(arcDir);
+    return retval;
+}
+
+
+/************************************************************************
+ *
+ * T a g T y p e T o S t r i n g
+ *
+ */
+char	*
+TagTypeToString(TAG_TYPE type)
+{
+    switch (type) {
+    case APPLET_TAG:
+	return "APPLET";
+    case SCRIPT_TAG:
+	return "SCRIPT";
+    case LINK_TAG:
+	return "LINK";
+    case STYLE_TAG:
+	return "STYLE";
+    default:
+	break;
+    }
+    return "unknown";
+}
+
+
+/************************************************************************
+ *
+ * e x t r a c t _ j s
+ *
+ */
+static int	
+extract_js(char *filename)
+{
+    PRFileDesc * fd = NULL;
+    FileBuffer * fb = NULL;
+    HTMLItem * head = NULL;
+    HTMLItem * tail = NULL;
+    HTMLItem * curitem = NULL;
+    HTMLItem * styleList	= NULL;
+    HTMLItem * styleListTail	= NULL;
+    HTMLItem * entityList	= NULL;
+    HTMLItem * entityListTail	= NULL;
+    TagItem * tagp = NULL;
+    char	*text = NULL;
+    char	*tagerr = NULL;
+    char	*archiveDir = NULL;
+    char	*firstArchiveDir = NULL;
+    char	*basedir = NULL;
+    PRInt32    textStart;
+    PRInt32    curOffset;
+    HTML_STATE state;
+    int	       curchar;
+    int	       retval = -1;
+    unsigned int linenum, startLine;
+
+    /* Initialize the implicit ID counter for each file */
+    idOrdinal = 0;
+
+    /*
+     * First, parse the HTML into a stream of tags and text.
+     */
+
+    fd = PR_Open(filename, PR_RDONLY, 0);
+    if (!fd) {
+	PR_fprintf(errorFD, "Unable to open %s for reading.\n", filename);
+	errorCount++;
+	return - 1;
+    }
+
+    /* Construct base directory of filename. */
+     {
+	char	*cp;
+
+	basedir = PL_strdup(filename);
+
+	/* Remove trailing slashes */
+	while ( (cp = PL_strprbrk(basedir, "/\\")) == 
+	    (basedir + strlen(basedir) - 1)) {
+	    *cp = '\0';
+	}
+
+	/* Now remove everything from the last slash (which will be followed
+	 * by a filename) to the end */
+	cp = PL_strprbrk(basedir, "/\\");
+	if (cp) {
+	    *cp = '\0';
+	}
+    }
+
+    state = TEXT_HTML_STATE;
+
+    fb = FB_Create(fd);
+
+    textStart = 0;
+    startLine = 0;
+    while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) !=
+        EOF) {
+	switch (state) {
+	case TEXT_HTML_STATE:
+	    if (curchar == '<') {
+		/*
+		 * Found a tag
+		 */
+		/* Save the text so far to a new text item */
+		curOffset = FB_GetPointer(fb) - 2;
+		if (curOffset >= textStart) {
+		    if (FB_GetRange(fb, textStart, curOffset,
+		         &text) != 
+		        curOffset - textStart + 1)  {
+			PR_fprintf(errorFD,
+			    "Unable to read from %s.\n",
+			     filename);
+			errorCount++;
+			goto loser;
+		    }
+		    /* little fudge here.  If the first character on a line
+		     * is '<', meaning a new tag, the preceding text item
+		     * actually ends on the previous line.  In this case
+		     * we will be saying that the text segment ends on the
+		     * next line. I don't think this matters for text items. */
+		    curitem = CreateTextItem(text, startLine,
+		         linenum);
+		    text = NULL;
+		    if (tail == NULL) {
+			head = tail = curitem;
+		    } else {
+			tail->next = curitem;
+			tail = curitem;
+		    }
+		}
+
+		/* Process the tag */
+		tagp = ProcessTag(fb, &tagerr);
+		if (!tagp) {
+		    if (tagerr) {
+			PR_fprintf(errorFD, "Error in file %s: %s\n",
+						  filename, tagerr);
+			errorCount++;
+		    } else {
+			PR_fprintf(errorFD,
+			    "Error in file %s, in tag starting at line %d\n",
+						  filename, linenum);
+			errorCount++;
+		    }
+		    goto loser;
+		}
+		/* Add the tag to the list */
+		curitem = CreateTagItem(tagp, linenum, FB_GetLineNum(fb));
+		if (tail == NULL) {
+		    head = tail = curitem;
+		} else {
+		    tail->next = curitem;
+		    tail = curitem;
+		}
+
+		/* What's the next state */
+		if (tagp->type == SCRIPT_TAG) {
+		    state = SCRIPT_HTML_STATE;
+		}
+
+		/* Start recording text from the new offset */
+		textStart = FB_GetPointer(fb);
+		startLine = FB_GetLineNum(fb);
+	    } else {
+		/* regular character.  Next! */
+	    }
+	    break;
+	case SCRIPT_HTML_STATE:
+	    if (curchar == '<') {
+		char	*cp;
+		/*
+		 * If this is a </script> tag, then we're at the end of the
+		 * script.  Otherwise, ignore
+		 */
+		curOffset = FB_GetPointer(fb) - 1;
+		cp = NULL;
+		if (FB_GetRange(fb, curOffset, curOffset + 8, &cp) != 9) {
+		    if (cp) { 
+			PR_Free(cp); 
+			cp = NULL; 
+		    }
+		} else {
+		    /* compare the strings */
+		    if ( !PORT_Strncasecmp(cp, "</script>", 9) ) {
+			/* This is the end of the script. Record the text. */
+			curOffset--;
+			if (curOffset >= textStart) {
+			    if (FB_GetRange(fb, textStart, curOffset, &text) != 
+			        curOffset - textStart + 1) {
+				PR_fprintf(errorFD, "Unable to read from %s.\n",
+				     filename);
+				errorCount++;
+				goto loser;
+			    }
+			    curitem = CreateTextItem(text, startLine, linenum);
+			    text = NULL;
+			    if (tail == NULL) {
+				head = tail = curitem;
+			    } else {
+				tail->next = curitem;
+				tail = curitem;
+			    }
+			}
+
+			/* Now parse the /script tag and put it on the list */
+			tagp = ProcessTag(fb, &tagerr);
+			if (!tagp) {
+			    if (tagerr) {
+				PR_fprintf(errorFD, "Error in file %s: %s\n",
+				     filename, tagerr);
+			    } else {
+				PR_fprintf(errorFD, 
+				    "Error in file %s, in tag starting at"
+				    " line %d\n", filename, linenum);
+			    }
+			    errorCount++;
+			    goto loser;
+			}
+			curitem = CreateTagItem(tagp, linenum,
+						FB_GetLineNum(fb));
+			if (tail == NULL) {
+			    head = tail = curitem;
+			} else {
+			    tail->next = curitem;
+			    tail = curitem;
+			}
+
+			/* go back to text state */
+			state = TEXT_HTML_STATE;
+
+			textStart = FB_GetPointer(fb);
+			startLine = FB_GetLineNum(fb);
+		    }
+		}
+	    }
+	    break;
+	}
+    }
+
+    /* End of the file.  Wrap up any remaining text */
+    if (state == SCRIPT_HTML_STATE) {
+	if (tail && tail->type == TAG_ITEM) {
+	    PR_fprintf(errorFD, "ERROR: <SCRIPT> tag at %s:%d is not followed "
+	        "by a </SCRIPT> tag.\n", filename, tail->startLine);
+	} else {
+	    PR_fprintf(errorFD, "ERROR: <SCRIPT> tag in file %s is not followed"
+	        " by a </SCRIPT tag.\n", filename);
+	}
+	errorCount++;
+	goto loser;
+    }
+    curOffset = FB_GetPointer(fb) - 1;
+    if (curOffset >= textStart) {
+	text = NULL;
+	if ( FB_GetRange(fb, textStart, curOffset, &text) != 
+	    curOffset - textStart + 1) {
+	    PR_fprintf(errorFD, "Unable to read from %s.\n", filename);
+	    errorCount++;
+	    goto loser;
+	}
+	curitem = CreateTextItem(text, startLine, linenum);
+	text = NULL;
+	if (tail == NULL) {
+	    head = tail = curitem;
+	} else {
+	    tail->next = curitem;
+	    tail = curitem;
+	}
+    }
+
+    if (dumpParse) {
+	PrintHTMLStream(outputFD, head);
+    }
+
+    /*
+     * Now we have a stream of tags and text.  Go through and deal with each.
+     */
+    for (curitem = head; curitem; curitem = curitem->next) {
+	TagItem * tagp = NULL;
+	AVPair * pairp = NULL;
+	char	*src = NULL, *id = NULL, *codebase = NULL;
+	PRBool hasEventHandler = PR_FALSE;
+	int	i;
+
+	/* Reset archive directory for each tag */
+	if (archiveDir) {
+	    PR_Free(archiveDir); 
+	    archiveDir = NULL;
+	}
+
+	/* We only analyze tags */
+	if (curitem->type != TAG_ITEM) {
+	    continue;
+	}
+
+	tagp = curitem->item.tag;
+
+	/* go through the attributes to get information */
+	for (pairp = tagp->attList; pairp; pairp = pairp->next) {
+
+	    /* ARCHIVE= */
+	    if ( !PL_strcasecmp(pairp->attribute, "archive")) {
+		if (archiveDir) {
+		    /* Duplicate attribute.  Print warning */
+		    PR_fprintf(errorFD,
+		        "warning: \"%s\" attribute overwrites previous attribute"
+		        " in tag starting at %s:%d.\n",
+		        pairp->attribute, filename, curitem->startLine);
+		    warningCount++;
+		    PR_Free(archiveDir);
+		}
+		archiveDir = PL_strdup(pairp->value);
+
+		/* Substiture ".arc" for ".jar" */
+		if ( (PL_strlen(archiveDir) < 4) || 
+		    PL_strcasecmp((archiveDir + strlen(archiveDir) -4), 
+			".jar")) {
+		    PR_fprintf(errorFD,
+		        "warning: ARCHIVE attribute should end in \".jar\" in tag"
+		        " starting on %s:%d.\n", filename, curitem->startLine);
+		    warningCount++;
+		    PR_Free(archiveDir);
+		    archiveDir = PR_smprintf("%s.arc", archiveDir);
+		} else {
+		    PL_strcpy(archiveDir + strlen(archiveDir) -4, ".arc");
+		}
+
+		/* Record the first archive.  This will be used later if
+		 * the archive is not specified */
+		if (firstArchiveDir == NULL) {
+		    firstArchiveDir = PL_strdup(archiveDir);
+		}
+	    } 
+	    /* CODEBASE= */
+	    else if ( !PL_strcasecmp(pairp->attribute, "codebase")) {
+		if (codebase) {
+		    /* Duplicate attribute.  Print warning */
+		    PR_fprintf(errorFD,
+		        "warning: \"%s\" attribute overwrites previous attribute"
+		        " in tag staring at %s:%d.\n",
+		        pairp->attribute, filename, curitem->startLine);
+		    warningCount++;
+		}
+		codebase = pairp->value;
+	    } 
+	    /* SRC= and HREF= */
+	    else if ( !PORT_Strcasecmp(pairp->attribute, "src") ||
+	        !PORT_Strcasecmp(pairp->attribute, "href") ) {
+		if (src) {
+		    /* Duplicate attribute.  Print warning */
+		    PR_fprintf(errorFD,
+		        "warning: \"%s\" attribute overwrites previous attribute"
+		        " in tag staring at %s:%d.\n",
+		        pairp->attribute, filename, curitem->startLine);
+		    warningCount++;
+		}
+		src = pairp->value;
+	    } 
+	    /* CODE= */
+	    else if (!PORT_Strcasecmp(pairp->attribute, "code") ) {
+		/*!!!XXX Change PORT to PL all over this code !!! */
+		if (src) {
+		    /* Duplicate attribute.  Print warning */
+		    PR_fprintf(errorFD,
+		        "warning: \"%s\" attribute overwrites previous attribute"
+		        " ,in tag staring at %s:%d.\n",
+		        pairp->attribute, filename, curitem->startLine);
+		    warningCount++;
+		}
+		src = pairp->value;
+
+		/* Append a .class if one is not already present */
+		if ( (PL_strlen(src) < 6) || 
+		    PL_strcasecmp( (src + PL_strlen(src) - 6), ".class") ) {
+		    src = PR_smprintf("%s.class", src);
+		    /* Put this string back into the data structure so it
+		     * will be deallocated properly */
+		    PR_Free(pairp->value);
+		    pairp->value = src;
+		}
+	    } 
+	    /* ID= */
+	    else if (!PL_strcasecmp(pairp->attribute, "id") ) {
+		if (id) {
+		    /* Duplicate attribute.  Print warning */
+		    PR_fprintf(errorFD,
+		        "warning: \"%s\" attribute overwrites previous attribute"
+		        " in tag staring at %s:%d.\n",
+		        pairp->attribute, filename, curitem->startLine);
+		    warningCount++;
+		}
+		id = pairp->value;
+	    }
+
+	    /* STYLE= */
+	    /* style= attributes, along with JS entities, are stored into
+	     * files with dynamically generated names. The filenames are
+	     * based on the order in which the text is found in the file.
+	     * All JS entities on all lines up to and including the line
+	     * containing the end of the tag that has this style= attribute
+	     * will be processed before this style=attribute.  So we need
+	     * to record the line that this _tag_ (not the attribute) ends on.
+	     */
+	    else if (!PL_strcasecmp(pairp->attribute, "style") && pairp->value) 
+	    {
+		HTMLItem * styleItem;
+		/* Put this item on the style list */
+		styleItem = CreateTextItem(PL_strdup(pairp->value),
+		    curitem->startLine, curitem->endLine);
+		if (styleListTail == NULL) {
+		    styleList = styleListTail = styleItem;
+		} else {
+		    styleListTail->next = styleItem;
+		    styleListTail = styleItem;
+		}
+	    } 
+	    /* Event handlers */
+	    else {
+		for (i = 0; i < num_handlers; i++) {
+		    if (!PL_strcasecmp(event_handlers[i], pairp->attribute)) {
+			hasEventHandler = PR_TRUE;
+			break;
+		    }
+		}
+	    }
+
+
+	    /* JS Entity */
+	    {
+		char	*entityStart, *entityEnd;
+		HTMLItem * entityItem;
+
+		/* go through each JavaScript entity ( &{...}; ) and store it
+		 * in the entityList.  The important thing is to record what
+		 * line number it's on, so we can get it in the right order
+		 * in relation to style= attributes.
+		 * Apparently, these can't flow across lines, so the start and
+		 * end line will be the same.  That helps matters.
+		 */
+		entityEnd = pairp->value;
+		while ( entityEnd && 
+		    (entityStart = PL_strstr(entityEnd, "&{")) /*}*/ != NULL) {
+		    entityStart += 2; /* point at beginning of actual entity */
+		    entityEnd = PL_strstr(entityStart, /*{*/ "}");
+		    if (entityEnd) {
+			/* Put this item on the entity list */
+			*entityEnd = '\0';
+			entityItem = CreateTextItem(PL_strdup(entityStart),
+					    pairp->valueLine, pairp->valueLine);
+			*entityEnd = /* { */ '}';
+			if (entityListTail) {
+			    entityListTail->next = entityItem;
+			    entityListTail = entityItem;
+			} else {
+			    entityList = entityListTail = entityItem;
+			}
+		    }
+		}
+	    }
+	}
+
+	/* If no archive was supplied, we use the first one of the file */
+	if (!archiveDir && firstArchiveDir) {
+	    archiveDir = PL_strdup(firstArchiveDir);
+	}
+
+	/* If we have an event handler, we need to archive this tag */
+	if (hasEventHandler) {
+	    if (!id) {
+		PR_fprintf(errorFD,
+		    "warning: tag starting at %s:%d has event handler but"
+		    " no ID attribute.  The tag will not be signed.\n",
+					filename, curitem->startLine);
+		warningCount++;
+	    } else if (!archiveDir) {
+		PR_fprintf(errorFD,
+		    "warning: tag starting at %s:%d has event handler but"
+		    " no ARCHIVE attribute.  The tag will not be signed.\n",
+					    filename, curitem->startLine);
+		warningCount++;
+	    } else {
+		if (SaveInlineScript(tagp->text, id, basedir, archiveDir)) {
+		    goto loser;
+		}
+	    }
+	}
+
+	switch (tagp->type) {
+	case APPLET_TAG:
+	    if (!src) {
+		PR_fprintf(errorFD,
+		    "error: APPLET tag starting on %s:%d has no CODE "
+		    "attribute.\n", filename, curitem->startLine);
+		errorCount++;
+		goto loser;
+	    } else if (!archiveDir) {
+		PR_fprintf(errorFD,
+		    "error: APPLET tag starting on %s:%d has no ARCHIVE "
+		    "attribute.\n", filename, curitem->startLine);
+		errorCount++;
+		goto loser;
+	    } else {
+		if (SaveSource(src, codebase, basedir, archiveDir)) {
+		    goto loser;
+		}
+	    }
+	    break;
+	case SCRIPT_TAG:
+	case LINK_TAG:
+	case STYLE_TAG:
+	    if (!archiveDir) {
+		PR_fprintf(errorFD,
+		    "error: %s tag starting on %s:%d has no ARCHIVE "
+		    "attribute.\n", TagTypeToString(tagp->type),
+					    filename, curitem->startLine);
+		errorCount++;
+		goto loser;
+	    } else if (src) {
+		if (SaveSource(src, codebase, basedir, archiveDir)) {
+		    goto loser;
+		}
+	    } else if (id) {
+		/* Save the next text item */
+		if (!curitem->next || (curitem->next->type !=
+		    TEXT_ITEM)) {
+		    PR_fprintf(errorFD,
+		        "warning: %s tag starting on %s:%d is not followed"
+		        " by script text.\n", TagTypeToString(tagp->type),
+					    filename, curitem->startLine);
+		    warningCount++;
+		    /* just create empty file */
+		    if (SaveInlineScript("", id, basedir, archiveDir)) {
+			goto loser;
+		    }
+		} else {
+		    curitem = curitem->next;
+		    if (SaveInlineScript(curitem->item.text,
+		         id, basedir,
+		        archiveDir)) {
+			goto loser;
+		    }
+		}
+	    } else {
+		/* No src or id tag--warning */
+		PR_fprintf(errorFD,
+		    "warning: %s tag starting on %s:%d has no SRC or"
+		    " ID attributes.  Will not sign.\n",
+		    TagTypeToString(tagp->type), filename, curitem->startLine);
+		warningCount++;
+	    }
+	    break;
+	default:
+	    /* do nothing for other tags */
+	    break;
+	}
+
+    }
+
+    /* Now deal with all the unnamable scripts */
+    if (firstArchiveDir) {
+	HTMLItem * style, *entity;
+
+	/* Go through the lists of JS entities and style attributes.  Do them
+	 * in chronological order within a list.  Pick the list with the lower
+	 * endLine. In case of a tie, entities come first.
+	 */
+	style = styleList; 
+	entity = entityList;
+	while (style || entity) {
+	    if (!entity || (style && (style->endLine < entity->endLine))) {
+		/* Process style */
+		SaveUnnamableScript(style->item.text, basedir, firstArchiveDir,
+				    filename);
+		style = style->next;
+	    } else {
+		/* Process entity */
+		SaveUnnamableScript(entity->item.text, basedir, firstArchiveDir,
+				    filename);
+		entity = entity->next;
+	    }
+	}
+    }
+
+
+    retval = 0;
+loser:
+    /* Blow away the stream */
+    while (head) {
+	curitem = head;
+	head = head->next;
+	DestroyHTMLItem(curitem);
+    }
+    while (styleList) {
+	curitem = styleList;
+	styleList = styleList->next;
+	DestroyHTMLItem(curitem);
+    }
+    while (entityList) {
+	curitem = entityList;
+	entityList = entityList->next;
+	DestroyHTMLItem(curitem);
+    }
+    if (text) {
+	PR_Free(text); 
+	text = NULL;
+    }
+    if (fb) {
+	FB_Destroy(fb); 
+	fb = NULL;
+    }
+    if (fd) {
+	PR_Close(fd);
+    }
+    if (tagerr) {
+	PR_smprintf_free(tagerr); 
+	tagerr = NULL;
+    }
+    if (archiveDir) {
+	PR_Free(archiveDir); 
+	archiveDir = NULL;
+    }
+    if (firstArchiveDir) {
+	PR_Free(firstArchiveDir); 
+	firstArchiveDir = NULL;
+    }
+    return retval;
+}
+
+
+/**********************************************************************
+ *
+ * e n s u r e E x i s t s
+ *
+ * Check for existence of indicated directory.  If it doesn't exist,
+ * it will be created.
+ * Returns PR_SUCCESS if the directory is present, PR_FAILURE otherwise.
+ */
+static PRStatus
+ensureExists (char *base, char *path)
+{
+    char	fn [FNSIZE];
+    PRDir * dir;
+    sprintf (fn, "%s/%s", base, path);
+
+    /*PR_fprintf(outputFD, "Trying to open directory %s.\n", fn);*/
+
+    if ( (dir = PR_OpenDir(fn)) ) {
+	PR_CloseDir(dir);
+	return PR_SUCCESS;
+    }
+    return PR_MkDir(fn, 0777);
+}
+
+
+/***************************************************************************
+ *
+ * m a k e _ d i r s
+ *
+ * Ensure that the directory portion of the path exists.  This may require
+ * making the directory, and its parent, and its parent's parent, etc.
+ */
+static int	
+make_dirs(char *path, int file_perms)
+{
+    char	*Path;
+    char	*start;
+    char	*sep;
+    int	ret = 0;
+    PRFileInfo info;
+
+    if (!path) {
+	return 0;
+    }
+
+    Path = PL_strdup(path);
+    start = strpbrk(Path, "/\\");
+    if (!start) {
+	return 0;
+    }
+    start++; /* start right after first slash */
+
+    /* Each time through the loop add one more directory. */
+    while ( (sep = strpbrk(start, "/\\")) ) {
+	*sep = '\0';
+
+	if ( PR_GetFileInfo(Path, &info) != PR_SUCCESS) {
+	    /* No such dir, we have to create it */
+	    if ( PR_MkDir(Path, file_perms) != PR_SUCCESS) {
+		PR_fprintf(errorFD, "ERROR: Unable to create directory %s.\n",
+		     					Path);
+		errorCount++;
+		ret = -1;
+		goto loser;
+	    }
+	} else {
+	    /* something exists by this name, make sure it's a directory */
+	    if ( info.type != PR_FILE_DIRECTORY ) {
+		PR_fprintf(errorFD, "ERROR: Unable to create directory %s.\n",
+		     					Path);
+		errorCount++;
+		ret = -1;
+		goto loser;
+	    }
+	}
+
+	start = sep + 1; /* start after the next slash */
+	*sep = '/';
+    }
+
+loser:
+    PR_Free(Path);
+    return ret;
+}
+
+
+/*
+ *  c o p y i n t o
+ *
+ *  Function to copy file "from" to path "to".
+ *
+ */
+static int	
+copyinto (char *from, char *to)
+{
+    PRInt32 num;
+    char	buf [BUFSIZ];
+    PRFileDesc * infp = NULL, *outfp = NULL;
+    int	retval = -1;
+
+    if ((infp = PR_Open(from, PR_RDONLY, 0777)) == NULL) {
+	PR_fprintf(errorFD, "ERROR: Unable to open \"%s\" for reading.\n",
+	     			from);
+	errorCount++;
+	goto finish;
+    }
+
+    /* If to already exists, print a warning before deleting it */
+    if (PR_Access(to, PR_ACCESS_EXISTS) == PR_SUCCESS) {
+	PR_fprintf(errorFD, "warning: %s already exists--will overwrite\n", to);
+	warningCount++;
+	if (rm_dash_r(to)) {
+	    PR_fprintf(errorFD,
+	        "ERROR: Unable to remove %s.\n", to);
+	    errorCount++;
+	    goto finish;
+	}
+    }
+
+    if ((outfp = PR_Open(to, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777))
+         == NULL) {
+	char	*errBuf = NULL;
+
+	errBuf = PR_Malloc(PR_GetErrorTextLength());
+	PR_fprintf(errorFD, "ERROR: Unable to open \"%s\" for writing.\n", to);
+	if (PR_GetErrorText(errBuf)) {
+	    PR_fprintf(errorFD, "Cause: %s\n", errBuf);
+	}
+	if (errBuf) {
+	    PR_Free(errBuf);
+	}
+	errorCount++;
+	goto finish;
+    }
+
+    while ( (num = PR_Read(infp, buf, BUFSIZ)) > 0) {
+	if (PR_Write(outfp, buf, num) != num) {
+	    PR_fprintf(errorFD, "ERROR: Error writing to %s.\n", to);
+	    errorCount++;
+	    goto finish;
+	}
+    }
+
+    retval = 0;
+finish:
+    if (infp) 
+	PR_Close(infp);
+    if (outfp) 
+	PR_Close(outfp);
+
+    return retval;
+}
+
+
diff --git a/security/nss/cmd/signtool/list.c b/security/nss/cmd/signtool/list.c
new file mode 100644
index 000000000..6801a9c5c
--- /dev/null
+++ b/security/nss/cmd/signtool/list.c
@@ -0,0 +1,280 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+#include "pk11func.h"
+#include "certdb.h"
+
+static int	num_trav_certs = 0;
+static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
+			void *data);
+
+/*********************************************************************
+ *
+ * L i s t C e r t s
+ */
+int
+ListCerts(char *key, int list_certs)
+{
+    int	failed = 0;
+    SECStatus rv;
+    char	*ugly_list;
+    CERTCertDBHandle * db;
+
+    CERTCertificate * cert;
+    CERTVerifyLog errlog;
+
+    errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( errlog.arena == NULL) {
+	out_of_memory();
+    }
+    errlog.head = NULL;
+    errlog.tail = NULL;
+    errlog.count = 0;
+
+    ugly_list = PORT_ZAlloc (16);
+
+    if (ugly_list == NULL) {
+	out_of_memory();
+    }
+
+    *ugly_list = 0;
+
+    db = CERT_GetDefaultCertDB();
+
+    if (list_certs == 2) {
+	PR_fprintf(outputFD, "\nS Certificates\n");
+	PR_fprintf(outputFD, "- ------------\n");
+    } else {
+	PR_fprintf(outputFD, "\nObject signing certificates\n");
+	PR_fprintf(outputFD, "---------------------------------------\n");
+    }
+
+    num_trav_certs = 0;
+
+    /* Traverse non-internal DBs */
+    rv = PK11_TraverseSlotCerts(cert_trav_callback, (void * )&list_certs,
+         		&pwdata);
+
+    if (rv) {
+	PR_fprintf(outputFD, "**Traverse of non-internal DBs failed**\n");
+	return - 1;
+    }
+
+    if (num_trav_certs == 0) {
+	PR_fprintf(outputFD,
+	    "You don't appear to have any object signing certificates.\n");
+    }
+
+    if (list_certs == 2) {
+	PR_fprintf(outputFD, "- ------------\n");
+    } else {
+	PR_fprintf(outputFD, "---------------------------------------\n");
+    }
+
+    if (list_certs == 1) {
+	PR_fprintf(outputFD,
+	    "For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
+    }
+
+    if (list_certs == 2) {
+	PR_fprintf(outputFD,
+	    "Certificates that can be used to sign objects have *'s to "
+	    "their left.\n");
+    }
+
+    if (key) {
+	/* Do an analysis of the given cert */
+
+	cert = PK11_FindCertFromNickname(key, &pwdata);
+
+	if (cert) {
+	    PR_fprintf(outputFD,
+	        "\nThe certificate with nickname \"%s\" was found:\n",
+	         			 cert->nickname);
+	    PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
+	    PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
+
+	    PR_fprintf(outputFD, "\n");
+
+	    rv = CERT_CertTimesValid (cert);
+	    if (rv != SECSuccess) {
+		PR_fprintf(outputFD, "**This certificate is expired**\n");
+	    } else {
+		PR_fprintf(outputFD, "This certificate is not expired.\n");
+	    }
+
+	    rv = CERT_VerifyCert (db, cert, PR_TRUE,
+	        certUsageObjectSigner, PR_Now(), &pwdata, &errlog);
+
+	    if (rv != SECSuccess) {
+		failed = 1;
+		if (errlog.count > 0) {
+		    PR_fprintf(outputFD,
+		        "**Certificate validation failed for the "
+		        "following reason(s):**\n");
+		} else {
+		    PR_fprintf(outputFD, "**Certificate validation failed**");
+		}
+	    } else {
+		PR_fprintf(outputFD, "This certificate is valid.\n");
+	    }
+	    displayVerifyLog(&errlog);
+
+
+	} else {
+	    failed = 1;
+	    PR_fprintf(outputFD,
+	        "The certificate with nickname \"%s\" was NOT FOUND\n", key);
+	}
+    }
+
+    if (errlog.arena != NULL) {
+	PORT_FreeArena(errlog.arena, PR_FALSE);
+    }
+
+    if (failed) {
+	return - 1;
+    }
+    return 0;
+}
+
+
+/********************************************************************
+ *
+ * c e r t _ t r a v _ c a l l b a c k
+ */
+static SECStatus
+cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
+{
+    int	isSigningCert;
+    int	list_certs = 1;
+
+    char	*name, *issuerCN, *expires;
+    CERTCertificate * issuerCert = NULL;
+
+    if (data) {
+	list_certs = *((int * )data);
+    }
+
+    if (cert->nickname) {
+	name = cert->nickname;
+
+	isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;
+	issuerCert = CERT_FindCertIssuer (cert, PR_Now(), certUsageObjectSigner);
+	issuerCN = CERT_GetCommonName (&cert->issuer);
+
+	if (!isSigningCert && list_certs == 1)
+	    return (SECSuccess);
+
+	/* Add this name or email to list */
+
+	if (name) {
+	    int	rv;
+
+	    num_trav_certs++;
+	    if (list_certs == 2) {
+		PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " ");
+	    }
+	    PR_fprintf(outputFD, "%s\n", name);
+
+	    if (list_certs == 1) {
+		if (issuerCert == NULL) {
+		    PR_fprintf(outputFD,
+		        "\t++ Error ++ Unable to find issuer certificate\n");
+		    return SECSuccess; 
+			   /*function was a success even if cert is bogus*/
+		}
+		if (issuerCN == NULL)
+		    PR_fprintf(outputFD, "    Issued by: %s\n",
+		         issuerCert->nickname);
+		else
+		    PR_fprintf(outputFD,
+		        "    Issued by: %s (%s)\n", issuerCert->nickname,
+		         issuerCN);
+
+		expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
+
+		if (expires)
+		    PR_fprintf(outputFD, "    Expires: %s\n", expires);
+
+		rv = CERT_CertTimesValid (cert);
+
+		if (rv != SECSuccess)
+		    PR_fprintf(outputFD, 
+			"    ++ Error ++ THIS CERTIFICATE IS EXPIRED\n");
+
+		if (rv == SECSuccess) {
+		    rv = CERT_VerifyCertNow (cert->dbhandle, cert,
+		        PR_TRUE, certUsageObjectSigner, &pwdata);
+
+		    if (rv != SECSuccess) {
+			rv = PORT_GetError();
+			PR_fprintf(outputFD,
+			"    ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
+			     				secErrorString(rv));            
+		    }
+		}
+
+		expires = DER_TimeChoiceDayToAscii(&issuerCert->validity.notAfter);
+		if (expires == NULL) 
+		    expires = "(unknown)";
+
+		rv = CERT_CertTimesValid (issuerCert);
+
+		if (rv != SECSuccess)
+		    PR_fprintf(outputFD,
+		        "    ++ Error ++ ISSUER CERT \"%s\" EXPIRED ON %s\n",
+			issuerCert->nickname, expires);
+
+		if (rv == SECSuccess) {
+		    rv = CERT_VerifyCertNow (issuerCert->dbhandle, issuerCert, 
+		        PR_TRUE, certUsageVerifyCA, &pwdata);
+		    if (rv != SECSuccess) {
+			rv = PORT_GetError();
+			PR_fprintf(outputFD,
+			"    ++ Error ++ ISSUER CERT \"%s\" IS NOT VALID (%s)\n",
+			     issuerCert->nickname, secErrorString(rv));
+		    }
+		}
+	    }
+	}
+    }
+
+    return (SECSuccess);
+}
+
+
diff --git a/security/nss/cmd/signtool/manifest.mn b/security/nss/cmd/signtool/manifest.mn
new file mode 100644
index 000000000..df3a55908
--- /dev/null
+++ b/security/nss/cmd/signtool/manifest.mn
@@ -0,0 +1,57 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+EXPORTS = 
+
+CSRCS = signtool.c		\
+		certgen.c	\
+		javascript.c	\
+		list.c		\
+		sign.c		\
+		util.c		\
+		verify.c	\
+		zip.c		\
+	$(NULL)
+
+PROGRAM =  signtool
+
+REQUIRES = seccmd
+
+EXTRA_LIBS = $(JAR_LIBS)
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
new file mode 100644
index 000000000..93b2d552a
--- /dev/null
+++ b/security/nss/cmd/signtool/sign.c
@@ -0,0 +1,869 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+#include "zip.h" 
+#include "prmem.h"
+#include "blapi.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+static int	create_pk7 (char *dir, char *keyName, int *keyType);
+static int	jar_find_key_type (CERTCertificate *cert);
+static int	manifesto (char *dirname, char *install_script, PRBool recurse);
+static int	manifesto_fn(char *relpath, char *basedir, char *reldir,
+			char *filename, void *arg);
+static int	manifesto_xpi_fn(char *relpath, char *basedir, char *reldir,
+			char *filename, void *arg);
+static int	sign_all_arc_fn(char *relpath, char *basedir, char *reldir,
+			char *filename, void *arg);
+static int	add_meta (FILE *fp, char *name);
+static int	SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert);
+static int	generate_SF_file (char *manifile, char *who);
+static int	calculate_MD5_range (FILE *fp, long r1, long r2, 
+			JAR_Digest *dig);
+static void	SignOut (void *arg, const char *buf, unsigned long len);
+
+static char	*metafile = NULL;
+static int	optimize = 0;
+static FILE *mf;
+static ZIPfile *zipfile = NULL;
+
+/* 
+ *  S i g n A r c h i v e
+ *
+ *  Sign an individual archive tree. A directory 
+ *  called META-INF is created underneath this.
+ *
+ */
+int
+SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
+	char *meta_file, char *install_script, int _optimize, PRBool recurse)
+{
+    int	status;
+    char	tempfn [FNSIZE], fullfn [FNSIZE];
+    int	keyType = rsaKey;
+
+    metafile = meta_file;
+    optimize = _optimize;
+
+    /* To create XPI compatible Archive manifesto() must be run before 
+     * the zipfile is opened. This is so the signed files are not added
+     * the archive before the crucial rsa/dsa file*/
+    if (xpi_arc) {
+	manifesto (tree, install_script, recurse);
+    }
+
+    if (zip_file) {
+	zipfile = JzipOpen(zip_file, NULL /*no comment*/);
+    }
+
+    /*Sign and add files to the archive normally with manifesto()*/
+    if (!xpi_arc) {
+	manifesto (tree, install_script, recurse);
+    }
+
+    if (keyName) {
+	status = create_pk7 (tree, keyName, &keyType);
+	if (status < 0) {
+	    PR_fprintf(errorFD, "the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+	         tree);
+	    errorCount++;
+	    exit (ERRX);
+	}
+    }
+
+    /* Add the rsa/dsa file as the first file in the archive. This is crucial
+     * for a XPInstall compatible archive */
+    if (xpi_arc) {
+	if (verbosity >= 0) {
+	    PR_fprintf(outputFD, "%s \n", XPI_TEXT);
+	}
+
+	/* rsa/dsa to zip */
+	sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
+	    "dsa" : "rsa"));
+	sprintf (fullfn, "%s/%s", tree, tempfn);
+	JzipAdd(fullfn, tempfn, zipfile, compression_level);
+
+	/* Loop through all files & subdirectories, add to archive */
+	foreach (tree, "", manifesto_xpi_fn, recurse, PR_FALSE /*include dirs */,
+	     		(void * )NULL);
+    }
+    /* mf to zip */
+    strcpy (tempfn, "META-INF/manifest.mf");
+    sprintf (fullfn, "%s/%s", tree, tempfn);
+    JzipAdd(fullfn, tempfn, zipfile, compression_level);
+
+    /* sf to zip */
+    sprintf (tempfn, "META-INF/%s.sf", base);
+    sprintf (fullfn, "%s/%s", tree, tempfn);
+    JzipAdd(fullfn, tempfn, zipfile, compression_level);
+
+    /* Add the rsa/dsa file to the zip archive normally */
+    if (!xpi_arc) {
+	/* rsa/dsa to zip */
+	sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
+	    "dsa" : "rsa"));
+	sprintf (fullfn, "%s/%s", tree, tempfn);
+	JzipAdd(fullfn, tempfn, zipfile, compression_level);
+    }
+
+    JzipClose(zipfile);
+
+    if (verbosity >= 0) {
+	if (javascript) {
+	    PR_fprintf(outputFD, "jarfile \"%s\" signed successfully\n",
+	         				zip_file);
+	} else {
+	    PR_fprintf(outputFD, "tree \"%s\" signed successfully\n",
+	         tree);
+	}
+    }
+
+    return 0;
+}
+
+
+typedef struct {
+    char	*keyName;
+    int	javascript;
+    char	*metafile;
+    char	*install_script;
+    int	optimize;
+} SignArcInfo;
+
+/* 
+ *  S i g n A l l A r c
+ *
+ *  Javascript may generate multiple .arc directories, one
+ *  for each jar archive needed. Sign them all.
+ *
+ */
+int
+SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
+char *install_script, int optimize, PRBool recurse)
+{
+    SignArcInfo info;
+
+    info.keyName = keyName;
+    info.javascript = javascript;
+    info.metafile = metafile;
+    info.install_script = install_script;
+    info.optimize = optimize;
+
+    return foreach(jartree, "", sign_all_arc_fn, recurse,
+        PR_TRUE /*include dirs*/, (void * )&info);
+}
+
+
+static int	
+sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
+ 	void *arg)
+{
+    char	*zipfile = NULL;
+    char	*arc = NULL, *archive = NULL;
+    int	retval = 0;
+    SignArcInfo * infop = (SignArcInfo * )arg;
+
+    /* Make sure there is one and only one ".arc" in the relative path, 
+     * and that it is at the end of the path (don't sign .arcs within .arcs) */
+    if ( (PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) -
+        4) && 
+        (PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4) ) {
+
+	if (!infop) {
+	    PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
+	    errorCount++;
+	    retval = -1;
+	    goto finish;
+	}
+	archive = PR_smprintf("%s/%s", basedir, relpath);
+
+	zipfile = PL_strdup(archive);
+	arc = PORT_Strrchr (zipfile, '.');
+
+	if (arc == NULL) {
+	    PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
+	    errorCount++;
+	    retval = -1;
+	    goto finish;
+	}
+
+	PL_strcpy (arc, ".jar");
+
+	if (verbosity >= 0) {
+	    PR_fprintf(outputFD, "\nsigning: %s\n", zipfile);
+	}
+	retval = SignArchive(archive, infop->keyName, zipfile,
+	    infop->javascript, infop->metafile, infop->install_script,
+	     			infop->optimize, PR_TRUE /* recurse */);
+    }
+finish:
+    if (archive) 
+	PR_Free(archive);
+    if (zipfile) 
+	PR_Free(zipfile);
+
+    return retval;
+}
+
+
+/*********************************************************************
+ *
+ * c r e a t e _ p k 7
+ */
+static int	
+create_pk7 (char *dir, char *keyName, int *keyType)
+{
+    int	status = 0;
+    char	*file_ext;
+
+    CERTCertificate * cert;
+    CERTCertDBHandle * db;
+
+    FILE * in, *out;
+
+    char	sf_file [FNSIZE];
+    char	pk7_file [FNSIZE];
+
+    /* open cert database */
+    db = CERT_GetDefaultCertDB();
+
+    if (db == NULL)
+	return - 1;
+
+    /* find cert */
+    /*cert = CERT_FindCertByNicknameOrEmailAddr(db, keyName);*/
+    cert = PK11_FindCertFromNickname(keyName, &pwdata);
+
+    if (cert == NULL) {
+	SECU_PrintError ( PROGRAM_NAME,
+	    "Cannot find the cert \"%s\"", keyName);
+	return -1;
+    }
+
+
+    /* determine the key type, which sets the extension for pkcs7 object */
+
+    *keyType = jar_find_key_type (cert);
+    file_ext = (*keyType == dsaKey) ? "dsa" : "rsa";
+
+    sprintf (sf_file, "%s/META-INF/%s.sf", dir, base);
+    sprintf (pk7_file, "%s/META-INF/%s.%s", dir, base, file_ext);
+
+    if ((in = fopen (sf_file, "rb")) == NULL) {
+	PR_fprintf(errorFD, "%s: Can't open %s for reading\n", PROGRAM_NAME,
+	     sf_file);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if ((out = fopen (pk7_file, "wb")) == NULL) {
+	PR_fprintf(errorFD, "%s: Can't open %s for writing\n", PROGRAM_NAME,
+	     sf_file);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    status = SignFile (out, in, cert);
+
+    CERT_DestroyCertificate (cert);
+    fclose (in);
+    fclose (out);
+
+    if (status) {
+	PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
+	    PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
+	errorCount++;
+	return - 1;
+    }
+
+    return 0;
+}
+
+
+/*
+ *  j a r _ f i n d _ k e y _ t y p e
+ * 
+ *  Determine the key type for a given cert, which 
+ * should be rsaKey or dsaKey. Any error return 0.
+ *
+ */
+static int	
+jar_find_key_type (CERTCertificate *cert)
+{
+    SECKEYPrivateKey * privk = NULL;
+    KeyType keyType;
+
+    /* determine its type */
+    privk = PK11_FindKeyByAnyCert (cert, &pwdata);
+    if (privk == NULL) {
+	PR_fprintf(errorFD, "warning - can't find private key for this cert\n");
+	warningCount++;
+	return 0;
+    }
+
+    keyType = privk->keyType;
+    SECKEY_DestroyPrivateKey (privk);
+    return keyType;
+}
+
+
+/*
+ *  m a n i f e s t o
+ *
+ *  Run once for every subdirectory in which a 
+ *  manifest is to be created -- usually exactly once.
+ *
+ */
+static int	
+manifesto (char *dirname, char *install_script, PRBool recurse)
+{
+    char	metadir [FNSIZE], sfname [FNSIZE];
+
+    /* Create the META-INF directory to hold signing info */
+
+    if (PR_Access (dirname, PR_ACCESS_READ_OK)) {
+	PR_fprintf(errorFD, "%s: unable to read your directory: %s\n",
+	     PROGRAM_NAME, dirname);
+	errorCount++;
+	perror (dirname);
+	exit (ERRX);
+    }
+
+    if (PR_Access (dirname, PR_ACCESS_WRITE_OK)) {
+	PR_fprintf(errorFD, "%s: unable to write to your directory: %s\n",
+	     			PROGRAM_NAME, dirname);
+	errorCount++;
+	perror(dirname);
+	exit(ERRX);
+    }
+
+    sprintf (metadir, "%s/META-INF", dirname);
+
+    strcpy (sfname, metadir);
+
+    PR_MkDir (metadir, 0777);
+
+    strcat (metadir, "/");
+    strcat (metadir, MANIFEST);
+
+    if ((mf = fopen (metadir, "wb")) == NULL) {
+	perror (MANIFEST);
+	PR_fprintf(errorFD, "%s: Probably, the directory you are trying to"
+			    " sign has\n", PROGRAM_NAME);
+	PR_fprintf(errorFD, "%s: permissions problems or may not exist.\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "Generating %s file..\n", metadir);
+    }
+
+    fprintf(mf, "Manifest-Version: 1.0\n");
+    fprintf (mf, "Created-By: %s\n", CREATOR);
+    fprintf (mf, "Comments: %s\n", BREAKAGE);
+
+    if (scriptdir) {
+	fprintf (mf, "Comments: --\n");
+	fprintf (mf, "Comments: --\n");
+	fprintf (mf, "Comments: -- This archive signs Javascripts which may not necessarily\n");
+	fprintf (mf, "Comments: -- be included in the physical jar file.\n");
+	fprintf (mf, "Comments: --\n");
+	fprintf (mf, "Comments: --\n");
+    }
+
+    if (install_script)
+	fprintf (mf, "Install-Script: %s\n", install_script);
+
+    if (metafile)
+	add_meta (mf, "+");
+
+    /* Loop through all files & subdirectories */
+    foreach (dirname, "", manifesto_fn, recurse, PR_FALSE /*include dirs */,
+         		(void * )NULL);
+
+    fclose (mf);
+
+    strcat (sfname, "/");
+    strcat (sfname, base);
+    strcat (sfname, ".sf");
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "Generating %s.sf file..\n", base);
+    }
+    generate_SF_file (metadir, sfname);
+
+    return 0;
+}
+
+
+/*
+ *  m a n i f e s t o _ x p i _ f n
+ *
+ *  Called by pointer from SignArchive(), once for
+ *  each file within the directory. This function
+ *  is only used for adding to XPI compatible archive
+ *
+ */
+static int	manifesto_xpi_fn 
+(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
+{
+    char	fullname [FNSIZE];
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "--> %s\n", relpath);
+    }
+
+    /* extension matching */
+    if (extensionsGiven) {
+	char	*ext = PL_strrchr(relpath, '.');
+	if (!ext) 
+	    return 0;
+	if (!PL_HashTableLookup(extensions, ext)) 
+	    return 0;
+    }
+    sprintf (fullname, "%s/%s", basedir, relpath);
+    JzipAdd(fullname, relpath, zipfile, compression_level);
+
+    return 0;
+}
+
+
+/*
+ *  m a n i f e s t o _ f n
+ *
+ *  Called by pointer from manifesto(), once for
+ *  each file within the directory.
+ *
+ */
+static int	manifesto_fn 
+(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
+{
+    int	use_js;
+
+    JAR_Digest dig;
+    char	fullname [FNSIZE];
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "--> %s\n", relpath);
+    }
+
+    /* extension matching */
+    if (extensionsGiven) {
+	char	*ext = PL_strrchr(relpath, '.');
+	if (!ext) 
+	    return 0;
+	if (!PL_HashTableLookup(extensions, ext)) 
+	    return 0;
+    }
+
+    sprintf (fullname, "%s/%s", basedir, relpath);
+
+    fprintf (mf, "\n");
+
+    use_js = 0;
+
+    if (scriptdir && !PORT_Strcmp (scriptdir, reldir))
+	use_js++;
+
+    /* sign non-.js files inside .arc directories using the javascript magic */
+
+    if ( (PL_strcaserstr(filename, ".js") != filename + strlen(filename) - 3)
+         && (PL_strcaserstr(reldir, ".arc") == reldir + strlen(filename) - 4))
+	use_js++;
+
+    if (use_js) {
+	fprintf (mf, "Name: %s\n", filename);
+	fprintf (mf, "Magic: javascript\n");
+
+	if (optimize == 0)
+	    fprintf (mf, "javascript.id: %s\n", filename);
+
+	if (metafile)
+	    add_meta (mf, filename);
+    } else {
+	fprintf (mf, "Name: %s\n", relpath);
+	if (metafile)
+	    add_meta (mf, relpath);
+    }
+
+    JAR_digest_file (fullname, &dig);
+
+
+    if (optimize == 0) {
+	fprintf (mf, "Digest-Algorithms: MD5 SHA1\n");
+	fprintf (mf, "MD5-Digest: %s\n", BTOA_DataToAscii (dig.md5,
+	     MD5_LENGTH));
+    }
+
+    fprintf (mf, "SHA1-Digest: %s\n", BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
+
+    if (!use_js) {
+	JzipAdd(fullname, relpath, zipfile, compression_level);
+    }
+
+    return 0;
+}
+
+
+/*
+ *  a d d _ m e t a
+ *
+ *  Parse the metainfo file, and add any details
+ *  necessary to the manifest file. In most cases you
+ *  should be using the -i option (ie, for SmartUpdate).
+ *
+ */
+static int	add_meta (FILE *fp, char *name)
+{
+    FILE * met;
+    char	buf [BUFSIZ];
+
+    int	place;
+    char	*pattern, *meta;
+
+    int	num = 0;
+
+    if ((met = fopen (metafile, "r")) != NULL) {
+	while (fgets (buf, BUFSIZ, met)) {
+	    char	*s;
+
+	    for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
+		;
+	    *s = 0;
+
+	    if (*buf == 0)
+		continue;
+
+	    pattern = buf;
+
+	    /* skip to whitespace */
+	    for (s = buf; *s && *s != ' ' && *s != '\t'; s++)
+		;
+
+	    /* terminate pattern */
+	    if (*s == ' ' || *s == '\t') 
+		*s++ = 0;
+
+	    /* eat through whitespace */
+	    while (*s == ' ' || *s == '\t') 
+		s++;
+
+	    meta = s;
+
+	    /* this will eventually be regexp matching */
+
+	    place = 0;
+	    if (!PORT_Strcmp (pattern, name))
+		place = 1;
+
+	    if (place) {
+		num++;
+		if (verbosity >= 0) {
+		    PR_fprintf(outputFD, "[%s] %s\n", name, meta);
+		}
+		fprintf (fp, "%s\n", meta);
+	    }
+	}
+	fclose (met);
+    } else {
+	PR_fprintf(errorFD, "%s: can't open metafile: %s\n", PROGRAM_NAME,
+	     metafile);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    return num;
+}
+
+
+/**********************************************************************
+ *
+ * S i g n F i l e
+ */
+static int	
+SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
+{
+    int	nb;
+    char	ibuf[4096], digestdata[32];
+    const SECHashObject *hashObj;
+    void	*hashcx;
+    unsigned int	len;
+
+    SECItem digest;
+    SEC_PKCS7ContentInfo * cinfo;
+    SECStatus rv;
+
+    if (outFile == NULL || inFile == NULL || cert == NULL)
+	return - 1;
+
+    /* XXX probably want to extend interface to allow other hash algorithms */
+    hashObj = HASH_GetHashObject(HASH_AlgSHA1);
+
+    hashcx = (*hashObj->create)();
+    if (hashcx == NULL)
+	return - 1;
+
+    (*hashObj->begin)(hashcx);
+
+    for (; ; ) {
+	if (feof(inFile)) 
+	    break;
+	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
+	if (nb == 0) {
+	    if (ferror(inFile)) {
+		PORT_SetError(SEC_ERROR_IO);
+		(*hashObj->destroy)(hashcx, PR_TRUE);
+		return - 1;
+	    }
+	    /* eof */
+	    break;
+	}
+	(*hashObj->update)(hashcx, (unsigned char *) ibuf, nb);
+    }
+
+    (*hashObj->end)(hashcx, (unsigned char *) digestdata, &len, 32);
+    (*hashObj->destroy)(hashcx, PR_TRUE);
+
+    digest.data = (unsigned char *) digestdata;
+    digest.len = len;
+
+    cinfo = SEC_PKCS7CreateSignedData 
+        (cert, certUsageObjectSigner, NULL, 
+        SEC_OID_SHA1, &digest, NULL, NULL);
+
+    if (cinfo == NULL)
+	return - 1;
+
+    rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return - 1;
+    }
+
+    if (no_time == 0) {
+	rv = SEC_PKCS7AddSigningTime (cinfo);
+	if (rv != SECSuccess) {
+	    /* don't check error */
+	}
+    }
+
+    rv = SEC_PKCS7Encode(cinfo, SignOut, outFile, NULL, NULL, &pwdata);
+
+    SEC_PKCS7DestroyContentInfo (cinfo);
+
+    if (rv != SECSuccess)
+	return - 1;
+
+    return 0;
+}
+
+
+/*
+ *  g e n e r a t e _ S F _ f i l e 
+ *
+ *  From the supplied manifest file, calculates
+ *  digests on the various sections, creating a .SF
+ *  file in the process.
+ * 
+ */
+static int	generate_SF_file (char *manifile, char *who)
+{
+    FILE * sf;
+    FILE * mf;
+    long	r1, r2, r3;
+    char	whofile [FNSIZE];
+    char	*buf, *name = NULL;
+    JAR_Digest dig;
+    int	line = 0;
+
+    strcpy (whofile, who);
+
+    if ((mf = fopen (manifile, "rb")) == NULL) {
+	perror (manifile);
+	exit (ERRX);
+    }
+
+    if ((sf = fopen (whofile, "wb")) == NULL) {
+	perror (who);
+	exit (ERRX);
+    }
+
+    buf = (char *) PORT_ZAlloc (BUFSIZ);
+
+    if (buf)
+	name = (char *) PORT_ZAlloc (BUFSIZ);
+
+    if (buf == NULL || name == NULL)
+	out_of_memory();
+
+    fprintf (sf, "Signature-Version: 1.0\n");
+    fprintf (sf, "Created-By: %s\n", CREATOR);
+    fprintf (sf, "Comments: %s\n", BREAKAGE);
+
+    if (fgets (buf, BUFSIZ, mf) == NULL) {
+	PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if (strncmp (buf, "Manifest-Version:", 17)) {
+	PR_fprintf(errorFD, "%s: not a manifest file!\n", PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    fseek (mf, 0L, SEEK_SET);
+
+    /* Process blocks of headers, and calculate their hashen */
+
+    while (1) {
+	/* Beginning range */
+	r1 = ftell (mf);
+
+	if (fgets (name, BUFSIZ, mf) == NULL)
+	    break;
+
+	line++;
+
+	if (r1 != 0 && strncmp (name, "Name:", 5)) {
+	    PR_fprintf(errorFD, 
+	    "warning: unexpected input in manifest file \"%s\" at line %d:\n",
+	         manifile, line);
+	    PR_fprintf(errorFD, "%s\n", name);
+	    warningCount++;
+	}
+
+	r2 = r1;
+	while (fgets (buf, BUFSIZ, mf)) {
+	    if (*buf == 0 || *buf == '\n' || *buf == '\r')
+		break;
+
+	    line++;
+
+	    /* Ending range for hashing */
+	    r2 = ftell (mf);
+	}
+
+	r3 = ftell (mf);
+
+	if (r1) {
+	    fprintf (sf, "\n");
+	    fprintf (sf, "%s", name);
+	}
+
+	calculate_MD5_range (mf, r1, r2, &dig);
+
+	if (optimize == 0) {
+	    fprintf (sf, "Digest-Algorithms: MD5 SHA1\n");
+	    fprintf (sf, "MD5-Digest: %s\n", 
+	        BTOA_DataToAscii (dig.md5, MD5_LENGTH));
+	}
+
+	fprintf (sf, "SHA1-Digest: %s\n", 
+	    BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
+
+	/* restore normalcy after changing offset position */
+	fseek (mf, r3, SEEK_SET);
+    }
+
+    PORT_Free (buf);
+    PORT_Free (name);
+
+    fclose (sf);
+    fclose (mf);
+
+    return 0;
+}
+
+
+/*
+ *  c a l c u l a t e _ M D 5 _ r a n g e
+ *
+ *  Calculate the MD5 digest on a range of bytes in
+ *  the specified fopen'd file. Returns base64.
+ *
+ */
+static int	
+calculate_MD5_range (FILE *fp, long r1, long r2, JAR_Digest *dig)
+{
+    int	num;
+    int	range;
+    unsigned char	*buf;
+    SECStatus rv;
+
+    range = r2 - r1;
+
+    /* position to the beginning of range */
+    fseek (fp, r1, SEEK_SET);
+
+    buf = (unsigned char *) PORT_ZAlloc (range);
+    if (buf == NULL)
+	out_of_memory();
+
+    if ((num = fread (buf, 1, range, fp)) != range) {
+	PR_fprintf(errorFD, "%s: expected %d bytes, got %d\n", PROGRAM_NAME,
+	     		range, num);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    rv = PK11_HashBuf(SEC_OID_MD5, dig->md5, buf, range);
+    if (rv == SECSuccess) {
+	rv =PK11_HashBuf(SEC_OID_SHA1, dig->sha1, buf, range);
+    }
+    if (rv != SECSuccess) {
+	PR_fprintf(errorFD, "%s: can't generate digest context\n",
+	     PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    PORT_Free (buf);
+
+    return 0;
+}
+
+
+static void	SignOut (void *arg, const char *buf, unsigned long len)
+{
+    fwrite (buf, len, 1, (FILE * ) arg);
+}
+
+
diff --git a/security/nss/cmd/signtool/signtool.c b/security/nss/cmd/signtool/signtool.c
new file mode 100644
index 000000000..881a4e92d
--- /dev/null
+++ b/security/nss/cmd/signtool/signtool.c
@@ -0,0 +1,1108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  SIGNTOOL
+ *
+ *  A command line tool to create manifest files
+ *  from a directory hierarchy. It is assumed that
+ *  the tree will be equivalent to what resides
+ *  or will reside in an archive. 
+ *
+ * 
+ */
+
+#include "nss.h"
+#include "signtool.h"
+#include "prmem.h"
+#include "prio.h"
+
+/***********************************************************************
+ * Global Variable Definitions
+ */
+char	*progName; /* argv[0] */
+
+/* password data */
+secuPWData  pwdata = { PW_NONE, 0 };
+
+/* directories or files to exclude in descent */
+PLHashTable *excludeDirs = NULL;
+static PRBool exclusionsGiven = PR_FALSE;
+
+/* zatharus is the man who knows no time, dies tragic death */
+int	no_time = 0;
+
+/* -b basename of .rsa, .sf files */
+char	*base = DEFAULT_BASE_NAME;
+
+/* Only sign files with this extension */
+PLHashTable *extensions = NULL;
+PRBool extensionsGiven = PR_FALSE;
+
+char	*scriptdir = NULL;
+
+int	verbosity = 0;
+
+PRFileDesc *outputFD = NULL, *errorFD = NULL;
+
+int	errorCount = 0, warningCount = 0;
+
+int	compression_level = DEFAULT_COMPRESSION_LEVEL;
+PRBool compression_level_specified = PR_FALSE;
+
+int	xpi_arc = 0;
+
+/* Command-line arguments */
+static char	*genkey = NULL;
+static char	*verify = NULL;
+static char	*zipfile = NULL;
+static char	*cert_dir = NULL;
+static int	javascript = 0;
+static char	*jartree = NULL;
+static char	*keyName = NULL;
+static char	*metafile = NULL;
+static char	*install_script = NULL;
+static int	list_certs = 0;
+static int	list_modules = 0;
+static int	optimize = 0;
+static int	enableOCSP = 0;
+static char	*tell_who = NULL;
+static char	*outfile = NULL;
+static char	*cmdFile = NULL;
+static PRBool noRecurse = PR_FALSE;
+static PRBool leaveArc = PR_FALSE;
+static int	keySize = -1;
+static char	*token = NULL;
+
+typedef enum {
+    UNKNOWN_OPT,
+    HELP_OPT,
+    LONG_HELP_OPT,
+    BASE_OPT,
+    COMPRESSION_OPT,
+    CERT_DIR_OPT,
+    EXTENSION_OPT,
+    INSTALL_SCRIPT_OPT,
+    SCRIPTDIR_OPT,
+    CERTNAME_OPT,
+    LIST_OBJSIGN_CERTS_OPT,
+    LIST_ALL_CERTS_OPT,
+    METAFILE_OPT,
+    OPTIMIZE_OPT,
+    ENABLE_OCSP_OPT,
+    PASSWORD_OPT,
+    VERIFY_OPT,
+    WHO_OPT,
+    EXCLUDE_OPT,
+    NO_TIME_OPT,
+    JAVASCRIPT_OPT,
+    ZIPFILE_OPT,
+    GENKEY_OPT,
+    MODULES_OPT,
+    NORECURSE_OPT,
+    SIGNDIR_OPT,
+    OUTFILE_OPT,
+    COMMAND_FILE_OPT,
+    LEAVE_ARC_OPT,
+    VERBOSITY_OPT,
+    KEYSIZE_OPT,
+    TOKEN_OPT,
+    XPI_ARC_OPT
+} 
+
+
+OPT_TYPE;
+
+typedef enum {
+    DUPLICATE_OPTION_ERR = 0,
+    OPTION_NEEDS_ARG_ERR
+} 
+
+
+Error;
+
+static char	*errStrings[] = {
+    "warning: %s option specified more than once.\n"
+    "Only last specification will be used.\n",
+    "ERROR: option \"%s\" requires an argument.\n"
+};
+
+
+static int	ProcessOneOpt(OPT_TYPE type, char *arg);
+
+/*********************************************************************
+ *
+ * P r o c e s s C o m m a n d F i l e
+ */
+int
+ProcessCommandFile()
+{
+    PRFileDesc * fd;
+#define CMD_FILE_BUFSIZE 1024
+    char	buf[CMD_FILE_BUFSIZE];
+    char	*equals;
+    int	linenum = 0;
+    int	retval = -1;
+    OPT_TYPE type;
+
+    fd = PR_Open(cmdFile, PR_RDONLY, 0777);
+    if (!fd) {
+	PR_fprintf(errorFD, "ERROR: Unable to open command file %s.\n");
+	errorCount++;
+	return - 1;
+    }
+
+    while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd)) {
+	char	*eol;
+	linenum++;
+
+	/* Chop off final newline */
+	eol = PL_strchr(buf, '\r');
+	if (!eol) {
+	    eol = PL_strchr(buf, '\n');
+	}
+	if (eol) 
+	    *eol = '\0';
+
+	equals = PL_strchr(buf, '=');
+	if (!equals) {
+	    continue;
+	}
+
+	*equals = '\0';
+	equals++;
+
+	/* Now buf points to the attribute, and equals points to the value. */
+
+	/* This is pretty straightforward, just deal with whatever attribute
+		 * this is */
+	if (!PL_strcasecmp(buf, "basename")) {
+	    type = BASE_OPT;
+	} else if (!PL_strcasecmp(buf, "compression")) {
+	    type = COMPRESSION_OPT;
+	} else if (!PL_strcasecmp(buf, "certdir")) {
+	    type = CERT_DIR_OPT;
+	} else if (!PL_strcasecmp(buf, "extension")) {
+	    type = EXTENSION_OPT;
+	} else if (!PL_strcasecmp(buf, "generate")) {
+	    type = GENKEY_OPT;
+	} else if (!PL_strcasecmp(buf, "installScript")) {
+	    type = INSTALL_SCRIPT_OPT;
+	} else if (!PL_strcasecmp(buf, "javascriptdir")) {
+	    type = SCRIPTDIR_OPT;
+	} else if (!PL_strcasecmp(buf, "htmldir")) {
+	    type = JAVASCRIPT_OPT;
+	    if (jartree) {
+		PR_fprintf(errorFD,
+		    "warning: directory to be signed specified more than once."
+		    " Only last specification will be used.\n");
+		warningCount++;
+		PR_Free(jartree); 
+		jartree = NULL;
+	    }
+	    jartree = PL_strdup(equals);
+	} else if (!PL_strcasecmp(buf, "certname")) {
+	    type = CERTNAME_OPT;
+	} else if (!PL_strcasecmp(buf, "signdir")) {
+	    type = SIGNDIR_OPT;
+	} else if (!PL_strcasecmp(buf, "list")) {
+	    type = LIST_OBJSIGN_CERTS_OPT;
+	} else if (!PL_strcasecmp(buf, "listall")) {
+	    type = LIST_ALL_CERTS_OPT;
+	} else if (!PL_strcasecmp(buf, "metafile")) {
+	    type = METAFILE_OPT;
+	} else if (!PL_strcasecmp(buf, "modules")) {
+	    type = MODULES_OPT;
+	} else if (!PL_strcasecmp(buf, "optimize")) {
+	    type = OPTIMIZE_OPT;
+	} else if (!PL_strcasecmp(buf, "ocsp")) {
+	    type = ENABLE_OCSP_OPT;
+	} else if (!PL_strcasecmp(buf, "password")) {
+	    type = PASSWORD_OPT;
+	} else if (!PL_strcasecmp(buf, "verify")) {
+	    type = VERIFY_OPT;
+	} else if (!PL_strcasecmp(buf, "who")) {
+	    type = WHO_OPT;
+	} else if (!PL_strcasecmp(buf, "exclude")) {
+	    type = EXCLUDE_OPT;
+	} else if (!PL_strcasecmp(buf, "notime")) {
+	    type = NO_TIME_OPT;
+	} else if (!PL_strcasecmp(buf, "jarfile")) {
+	    type = ZIPFILE_OPT;
+	} else if (!PL_strcasecmp(buf, "outfile")) {
+	    type = OUTFILE_OPT;
+	} else if (!PL_strcasecmp(buf, "leavearc")) {
+	    type = LEAVE_ARC_OPT;
+	} else if (!PL_strcasecmp(buf, "verbosity")) {
+	    type = VERBOSITY_OPT;
+	} else if (!PL_strcasecmp(buf, "keysize")) {
+	    type = KEYSIZE_OPT;
+	} else if (!PL_strcasecmp(buf, "token")) {
+	    type = TOKEN_OPT;
+	} else if (!PL_strcasecmp(buf, "xpi")) {
+	    type = XPI_ARC_OPT;
+	} else {
+	    PR_fprintf(errorFD,
+	        "warning: unknown attribute \"%s\" in command file, line %d.\n",
+	         					buf, linenum);
+	    warningCount++;
+	    type = UNKNOWN_OPT;
+	}
+
+	/* Process the option, whatever it is */
+	if (type != UNKNOWN_OPT) {
+	    if (ProcessOneOpt(type, equals) == -1) {
+		goto finish;
+	    }
+	}
+    }
+
+    retval = 0;
+
+finish:
+    PR_Close(fd);
+    return retval;
+}
+
+
+/*********************************************************************
+ *
+ * p a r s e _ a r g s
+ */
+static int	
+parse_args(int argc, char *argv[])
+{
+    char	*opt;
+    char	*arg;
+    int	needsInc = 0;
+    int	i;
+    OPT_TYPE type;
+
+    /* Loop over all arguments */
+    for (i = 1; i < argc; i++) {
+	opt = argv[i];
+	arg = NULL;
+
+	if (opt[0] == '-') {
+	    if (opt[1] == '-') {
+		/* word option */
+		if (i < argc - 1) {
+		    needsInc = 1;
+		    arg = argv[i+1];
+		} else {
+		    arg = NULL;
+		}
+
+		if ( !PL_strcasecmp(opt + 2, "norecurse")) {
+		    type = NORECURSE_OPT;
+		} else if ( !PL_strcasecmp(opt + 2, "leavearc")) {
+		    type = LEAVE_ARC_OPT;
+		} else if ( !PL_strcasecmp(opt + 2, "verbosity")) {
+		    type = VERBOSITY_OPT;
+		} else if ( !PL_strcasecmp(opt + 2, "outfile")) {
+		    type = OUTFILE_OPT;
+		} else if ( !PL_strcasecmp(opt + 2, "keysize")) {
+		    type = KEYSIZE_OPT;
+		} else if ( !PL_strcasecmp(opt + 2, "token")) {
+		    type = TOKEN_OPT;
+		} else {
+		    PR_fprintf(errorFD, "warning: unknown option: %s\n",
+		         opt);
+		    warningCount++;
+		    type = UNKNOWN_OPT;
+		}
+	    } else {
+		/* char option */
+		if (opt[2] != '\0') {
+		    arg = opt + 2;
+		} else if (i < argc - 1) {
+		    needsInc = 1;
+		    arg = argv[i+1];
+		} else {
+		    arg = NULL;
+		}
+
+		switch (opt[1]) {
+		case 'b':
+		    type = BASE_OPT;
+		    break;
+		case 'c':
+		    type = COMPRESSION_OPT;
+		    break;
+		case 'd':
+		    type = CERT_DIR_OPT;
+		    break;
+		case 'e':
+		    type = EXTENSION_OPT;
+		    break;
+		case 'f':
+		    type = COMMAND_FILE_OPT;
+		    break;
+		case 'h':
+		    type = HELP_OPT;
+		    break;
+		case 'H':
+		    type = LONG_HELP_OPT;
+		    break;
+		case 'i':
+		    type = INSTALL_SCRIPT_OPT;
+		    break;
+		case 'j':
+		    type = SCRIPTDIR_OPT;
+		    break;
+		case 'k':
+		    type = CERTNAME_OPT;
+		    break;
+		case 'l':
+		    type = LIST_OBJSIGN_CERTS_OPT;
+		    break;
+		case 'L':
+		    type = LIST_ALL_CERTS_OPT;
+		    break;
+		case 'm':
+		    type = METAFILE_OPT;
+		    break;
+		case 'o':
+		    type = OPTIMIZE_OPT;
+		    break;
+		case 'O':
+		    type = ENABLE_OCSP_OPT;
+		    break;
+		case 'p':
+		    type = PASSWORD_OPT;
+		    break;
+		case 'v':
+		    type = VERIFY_OPT;
+		    break;
+		case 'w':
+		    type = WHO_OPT;
+		    break;
+		case 'x':
+		    type = EXCLUDE_OPT;
+		    break;
+		case 'X':
+		    type = XPI_ARC_OPT;
+		    break;
+		case 'z':
+		    type = NO_TIME_OPT;
+		    break;
+		case 'J':
+		    type = JAVASCRIPT_OPT;
+		    break;
+		case 'Z':
+		    type = ZIPFILE_OPT;
+		    break;
+		case 'G':
+		    type = GENKEY_OPT;
+		    break;
+		case 'M':
+		    type = MODULES_OPT;
+		    break;
+		case 's':
+		    type = KEYSIZE_OPT;
+		    break;
+		case 't':
+		    type = TOKEN_OPT;
+		    break;
+		default:
+		    type = UNKNOWN_OPT;
+		    PR_fprintf(errorFD, "warning: unrecognized option: -%c.\n",
+		         
+		        opt[1]);
+		    warningCount++;
+		    break;
+		}
+	    }
+	} else {
+	    type = UNKNOWN_OPT;
+	    if (i == argc - 1) {
+		if (jartree) {
+		    PR_fprintf(errorFD,
+		        "warning: directory to be signed specified more than once.\n"
+		        " Only last specification will be used.\n");
+		    warningCount++;
+		    PR_Free(jartree); 
+		    jartree = NULL;
+		}
+		jartree = PL_strdup(opt);
+	    } else {
+		PR_fprintf(errorFD, "warning: unrecognized option: %s\n", opt);
+		warningCount++;
+	    }
+	}
+
+	if (type != UNKNOWN_OPT) {
+	    short	ateArg = ProcessOneOpt(type, arg);
+	    if (ateArg == -1) {
+		/* error */
+		return - 1;
+	    } 
+	    if (ateArg && needsInc) {
+		i++;
+	    }
+	}
+    }
+
+    return 0;
+}
+
+
+/*********************************************************************
+ *
+ * P r o c e s s O n e O p t
+ *
+ * Since options can come from different places (command file, word options,
+ * char options), this is a central function that is called to deal with
+ * them no matter where they come from.
+ *
+ * type is the type of option.
+ * arg is the argument to the option, possibly NULL.
+ * Returns 1 if the argument was eaten, 0 if it wasn't, and -1 for error.
+ */
+static int	
+ProcessOneOpt(OPT_TYPE type, char *arg)
+{
+    int	ate = 0;
+
+    switch (type) {
+    case HELP_OPT:
+	Usage();
+	break;
+    case LONG_HELP_OPT:
+	LongUsage();
+	break;
+    case BASE_OPT:
+	if (base) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-b");
+	    warningCount++;
+	    PR_Free(base); 
+	    base = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-b");
+	    errorCount++;
+	    goto loser;
+	}
+	base = PL_strdup(arg);
+	ate = 1;
+	break;
+    case COMPRESSION_OPT:
+	if (compression_level_specified) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-c");
+	    warningCount++;
+	}
+	if ( !arg ) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-c");
+	    errorCount++;
+	    goto loser;
+	}
+	compression_level = atoi(arg);
+	compression_level_specified = PR_TRUE;
+	ate = 1;
+	break;
+    case CERT_DIR_OPT:
+	if (cert_dir) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-d");
+	    warningCount++;
+	    PR_Free(cert_dir); 
+	    cert_dir = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-d");
+	    errorCount++;
+	    goto loser;
+	}
+	cert_dir = PL_strdup(arg);
+	ate = 1;
+	break;
+    case EXTENSION_OPT:
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"extension (-e)");
+	    errorCount++;
+	    goto loser;
+	}
+	PL_HashTableAdd(extensions, arg, arg);
+	extensionsGiven = PR_TRUE;
+	ate = 1;
+	break;
+    case INSTALL_SCRIPT_OPT:
+	if (install_script) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"installScript (-i)");
+	    warningCount++;
+	    PR_Free(install_script); 
+	    install_script = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"installScript (-i)");
+	    errorCount++;
+	    goto loser;
+	}
+	install_script = PL_strdup(arg);
+	ate = 1;
+	break;
+    case SCRIPTDIR_OPT:
+	if (scriptdir) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"javascriptdir (-j)");
+	    warningCount++;
+	    PR_Free(scriptdir); 
+	    scriptdir = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"javascriptdir (-j)");
+	    errorCount++;
+	    goto loser;
+	}
+	scriptdir = PL_strdup(arg);
+	ate = 1;
+	break;
+    case CERTNAME_OPT:
+	if (keyName) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"keyName (-k)");
+	    warningCount++;
+	    PR_Free(keyName); 
+	    keyName = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"keyName (-k)");
+	    errorCount++;
+	    goto loser;
+	}
+	keyName = PL_strdup(arg);
+	ate = 1;
+	break;
+    case LIST_OBJSIGN_CERTS_OPT:
+    case LIST_ALL_CERTS_OPT:
+	if (list_certs != 0) {
+	    PR_fprintf(errorFD,
+	        "warning: only one of -l and -L may be specified.\n");
+	    warningCount++;
+	}
+	list_certs = (type == LIST_OBJSIGN_CERTS_OPT ? 1 : 2);
+	break;
+    case METAFILE_OPT:
+	if (metafile) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"metafile (-m)");
+	    warningCount++;
+	    PR_Free(metafile); 
+	    metafile = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"metafile (-m)");
+	    errorCount++;
+	    goto loser;
+	}
+	metafile = PL_strdup(arg);
+	ate = 1;
+	break;
+    case OPTIMIZE_OPT:
+	optimize = 1;
+	break;
+    case ENABLE_OCSP_OPT:
+	enableOCSP = 1;
+	break;
+    case PASSWORD_OPT:
+	if (pwdata.data) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"password (-p)");
+	    warningCount++;
+	    PR_Free(pwdata.data); 
+	    pwdata.data = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"password (-p)");
+	    errorCount++;
+	    goto loser;
+	}
+        pwdata.source = PW_PLAINTEXT;
+	pwdata.data = PL_strdup(arg);
+	ate = 1;
+	break;
+    case VERIFY_OPT:
+	if (verify) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"verify (-v)");
+	    warningCount++;
+	    PR_Free(verify); 
+	    verify = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"verify (-v)");
+	    errorCount++;
+	    goto loser;
+	}
+	verify = PL_strdup(arg);
+	ate = 1;
+	break;
+    case WHO_OPT:
+	if (tell_who) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"who (-v)");
+	    warningCount++;
+	    PR_Free(tell_who); 
+	    tell_who = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"who (-w)");
+	    errorCount++;
+	    goto loser;
+	}
+	tell_who = PL_strdup(arg);
+	ate = 1;
+	break;
+    case EXCLUDE_OPT:
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"exclude (-x)");
+	    errorCount++;
+	    goto loser;
+	}
+	PL_HashTableAdd(excludeDirs, arg, arg);
+	exclusionsGiven = PR_TRUE;
+	ate = 1;
+	break;
+    case NO_TIME_OPT:
+	no_time = 1;
+	break;
+    case JAVASCRIPT_OPT:
+	javascript++;
+	break;
+    case ZIPFILE_OPT:
+	if (zipfile) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"jarfile (-Z)");
+	    warningCount++;
+	    PR_Free(zipfile); 
+	    zipfile = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"jarfile (-Z)");
+	    errorCount++;
+	    goto loser;
+	}
+	zipfile = PL_strdup(arg);
+	ate = 1;
+	break;
+    case GENKEY_OPT:
+	if (genkey) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"generate (-G)");
+	    warningCount++;
+	    PR_Free(zipfile); 
+	    zipfile = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         				"generate (-G)");
+	    errorCount++;
+	    goto loser;
+	}
+	genkey = PL_strdup(arg);
+	ate = 1;
+	break;
+    case MODULES_OPT:
+	list_modules++;
+	break;
+    case SIGNDIR_OPT:
+	if (jartree) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"signdir");
+	    warningCount++;
+	    PR_Free(jartree); 
+	    jartree = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         "signdir");
+	    errorCount++;
+	    goto loser;
+	}
+	jartree = PL_strdup(arg);
+	ate = 1;
+	break;
+    case OUTFILE_OPT:
+	if (outfile) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         				"outfile");
+	    warningCount++;
+	    PR_Free(outfile); 
+	    outfile = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         "outfile");
+	    errorCount++;
+	    goto loser;
+	}
+	outfile = PL_strdup(arg);
+	ate = 1;
+	break;
+    case COMMAND_FILE_OPT:
+	if (cmdFile) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
+	         "-f");
+	    warningCount++;
+	    PR_Free(cmdFile); 
+	    cmdFile = NULL;
+	}
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         "-f");
+	    errorCount++;
+	    goto loser;
+	}
+	cmdFile = PL_strdup(arg);
+	ate = 1;
+	break;
+    case NORECURSE_OPT:
+	noRecurse = PR_TRUE;
+	break;
+    case LEAVE_ARC_OPT:
+	leaveArc = PR_TRUE;
+	break;
+    case VERBOSITY_OPT:
+	if (!arg) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
+	         			  "--verbosity");
+	    errorCount++;
+	    goto loser;
+	}
+	verbosity = atoi(arg);
+	ate = 1;
+	break;
+    case KEYSIZE_OPT:
+	if ( keySize != -1 ) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-s");
+	    warningCount++;
+	}
+	keySize = atoi(arg);
+	ate = 1;
+	if ( keySize < 1 || keySize > MAX_RSA_KEY_SIZE ) {
+	    PR_fprintf(errorFD, "Invalid key size: %d.\n", keySize);
+	    errorCount++;
+	    goto loser;
+	}
+	break;
+    case TOKEN_OPT:
+	if ( token ) {
+	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-t");
+	    PR_Free(token); 
+	    token = NULL;
+	}
+	if ( !arg ) {
+	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-t");
+	    errorCount++;
+	    goto loser;
+	}
+	token = PL_strdup(arg);
+	ate = 1;
+	break;
+    case XPI_ARC_OPT:
+	xpi_arc = 1;
+	break;
+    default:
+	PR_fprintf(errorFD, "warning: unknown option\n");
+	warningCount++;
+	break;
+    }
+
+    return ate;
+loser:
+    return - 1;
+}
+
+
+/*********************************************************************
+ *
+ * m a i n
+ */
+int
+main(int argc, char *argv[])
+{
+    PRBool readOnly;
+    int	retval = 0;
+
+    outputFD = PR_STDOUT;
+    errorFD = PR_STDERR;
+
+    progName = argv[0];
+
+    if (argc < 2) {
+	Usage();
+    }
+
+    excludeDirs = PL_NewHashTable(10, PL_HashString, PL_CompareStrings,
+         					PL_CompareStrings, NULL, NULL);
+    extensions = PL_NewHashTable(10, PL_HashString, PL_CompareStrings,
+         					PL_CompareStrings, NULL, NULL);
+
+    if (parse_args(argc, argv)) {
+	retval = -1;
+	goto cleanup;
+    }
+
+    /* Parse the command file if one was given */
+    if (cmdFile) {
+	if (ProcessCommandFile()) {
+	    retval = -1;
+	    goto cleanup;
+	}
+    }
+
+    /* Set up output redirection */
+    if (outfile) {
+	if (PR_Access(outfile, PR_ACCESS_EXISTS) == PR_SUCCESS) {
+	    /* delete the file if it is already present */
+	    PR_fprintf(errorFD,
+	        "warning: %s already exists and will be overwritten.\n",
+	         				outfile);
+	    warningCount++;
+	    if (PR_Delete(outfile) != PR_SUCCESS) {
+		PR_fprintf(errorFD, "ERROR: unable to delete %s.\n", outfile);
+		errorCount++;
+		exit(ERRX);
+	    }
+	}
+	outputFD = PR_Open(outfile,
+	    PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777);
+	if (!outputFD) {
+	    PR_fprintf(errorFD, "ERROR: Unable to create %s.\n",
+	         outfile);
+	    errorCount++;
+	    exit(ERRX);
+	}
+	errorFD = outputFD;
+    }
+
+    /* This seems to be a fairly common user error */
+
+    if (verify && list_certs > 0) {
+	PR_fprintf (errorFD, "%s: Can't use -l and -v at the same time\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    /* -J assumes -Z now */
+
+    if (javascript && zipfile) {
+	PR_fprintf (errorFD, "%s: Can't use -J and -Z at the same time\n",
+	     		PROGRAM_NAME);
+	PR_fprintf (errorFD, "%s: -J option will create the jar files for you\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    /* -X needs -Z */
+
+    if (xpi_arc && !zipfile) {
+	PR_fprintf (errorFD, "%s: option XPI (-X) requires option jarfile (-Z)\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    /* Less common mixing of -L with various options */
+
+    if (list_certs > 0 && 
+        (tell_who || zipfile || javascript || 
+        scriptdir || extensionsGiven || exclusionsGiven || install_script)) {
+	PR_fprintf(errorFD, "%s: Can't use -l or -L with that option\n",
+	     			PROGRAM_NAME);
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+
+    if (!cert_dir)
+	cert_dir = get_default_cert_dir();
+
+    VerifyCertDir(cert_dir, keyName);
+
+
+    if (	compression_level < MIN_COMPRESSION_LEVEL || 
+        compression_level > MAX_COMPRESSION_LEVEL) {
+	PR_fprintf(errorFD, "Compression level must be between %d and %d.\n",
+	     		 MIN_COMPRESSION_LEVEL, MAX_COMPRESSION_LEVEL);
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    if (jartree && !keyName) {
+	PR_fprintf(errorFD, "You must specify a key with which to sign.\n");
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    readOnly = (genkey == NULL); /* only key generation requires write */
+    if (InitCrypto(cert_dir, readOnly)) {
+	PR_fprintf(errorFD, "ERROR: Cryptographic initialization failed.\n");
+	errorCount++;
+	retval = -1;
+	goto cleanup;
+    }
+
+    if (enableOCSP) {
+	SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+	if (rv != SECSuccess) {
+	    PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
+	    errorCount++;
+	    retval = -1;
+	}
+    }
+
+    if (verify) {
+	if (VerifyJar(verify)) {
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	}
+    } else if (list_certs) {
+	if (ListCerts(keyName, list_certs)) {
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	}
+    } else if (list_modules) {
+	JarListModules();
+    } else if (genkey) {
+	if (GenerateCert(genkey, keySize, token)) {
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	}
+    } else if (tell_who) {
+	if (JarWho(tell_who)) {
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	}
+    } else if (javascript && jartree) {
+	/* make sure directory exists */
+	PRDir * dir;
+	dir = PR_OpenDir(jartree);
+	if (!dir) {
+	    PR_fprintf(errorFD, "ERROR: unable to open directory %s.\n",
+	         jartree);
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	} else {
+	    PR_CloseDir(dir);
+	}
+
+	/* undo junk from prior runs of signtool*/
+	if (RemoveAllArc(jartree)) {
+	    PR_fprintf(errorFD, "Error removing archive directories under %s\n",
+	         jartree);
+	    errorCount++;
+	    retval = -1;
+	    goto cleanup;
+	}
+
+	/* traverse all the htm|html files in the directory */
+	if (InlineJavaScript(jartree, !noRecurse)) {
+	    retval = -1;
+	    goto cleanup;
+	}
+
+	/* sign any resultant .arc directories created in above step */
+	if (SignAllArc(jartree, keyName, javascript, metafile, install_script,
+	     		optimize, !noRecurse)) {
+	    retval = -1;
+	    goto cleanup;
+	}
+
+	if (!leaveArc) {
+	    RemoveAllArc(jartree);
+	}
+
+	if (errorCount > 0 || warningCount > 0) {
+	    PR_fprintf(outputFD, "%d error%s, %d warning%s.\n",
+	         errorCount,
+	        errorCount == 1 ? "" : "s", warningCount, warningCount
+	        == 1 ? "" : "s");
+	} else {
+	    PR_fprintf(outputFD, "Directory %s signed successfully.\n",
+	         jartree);
+	}
+    } else if (jartree) {
+	SignArchive(jartree, keyName, zipfile, javascript, metafile,
+	     		install_script, optimize, !noRecurse);
+    } else
+	Usage();
+
+cleanup:
+    if (extensions) {
+	PL_HashTableDestroy(extensions); 
+	extensions = NULL;
+    }
+    if (excludeDirs) {
+	PL_HashTableDestroy(excludeDirs); 
+	excludeDirs = NULL;
+    }
+    if (outputFD != PR_STDOUT) {
+	PR_Close(outputFD);
+    }
+    rm_dash_r(TMP_OUTPUT);
+    if (retval == 0) {
+	if (NSS_Shutdown() != SECSuccess) {
+	    exit(1);
+	}
+    }
+    return retval;
+}
+
+
diff --git a/security/nss/cmd/signtool/signtool.h b/security/nss/cmd/signtool/signtool.h
new file mode 100644
index 000000000..e05c73371
--- /dev/null
+++ b/security/nss/cmd/signtool/signtool.h
@@ -0,0 +1,146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef SIGNTOOL_H
+#define SIGNTOOL_H
+ 
+#define DJN_TEST
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#include "prprf.h"
+#include "prio.h"
+#include "secutil.h"
+#include "ocsp.h"
+#include "jar.h"
+#include "jarfile.h"
+#include "secpkcs7.h"
+#include "pk11func.h"
+#include "secmod.h"
+#include "plhash.h"
+#include "nss.h"
+
+#ifdef _UNIX
+#include <unistd.h> 
+#endif
+
+/**********************************************************************
+ * General Defines
+ */
+#define JAR_BASE_END JAR_BASE + 100
+#define ERRX (-1)	/* the exit code used on failure */
+#define FNSIZE 256	/* the maximum length for filenames */
+#define MAX_RSA_KEY_SIZE 4096
+#define DEFAULT_RSA_KEY_SIZE 1024
+#define MANIFEST "manifest.mf"
+#define DEFAULT_X509_BASENAME "x509"
+#define DEFAULT_COMMON_NAME "Signtool " NSS_VERSION " Testing Certificate"
+#define CREATOR  "Signtool (signtool " NSS_VERSION ")"
+#define BREAKAGE "PLEASE DO NOT EDIT THIS FILE. YOU WILL BREAK IT."
+#define MIN_COMPRESSION_LEVEL (-1)
+#define MAX_COMPRESSION_LEVEL 9
+#define DEFAULT_COMPRESSION_LEVEL (-1) /* zlib understands this to be default*/
+#define STDIN_BUF_SIZE 160
+#define PROGRAM_NAME	"signtool"
+#define LONG_PROGRAM_NAME "Signing Tool"
+#define DEFAULT_BASE_NAME "zigbert"
+#define TMP_OUTPUT "signtool.tmp"
+#define XPI_TEXT "Creating XPI Compatible Archive"
+
+/***************************************************************
+ * Main Task Functions
+ */
+int GenerateCert(char *nickname, int keysize, char *token);
+int ListCerts(char *key, int list_certs);
+int VerifyJar(char *filename);
+int SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
+	char *meta_file, char *install_script, int _optimize, PRBool recurse);
+int SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
+	char *install_script, int optimize, PRBool recurse);
+int InlineJavaScript(char *dir, PRBool recurse);
+int JarWho(char *filename);
+void JarListModules(void);
+
+/**************************************************************
+ * Utility Functions
+ */
+CERTCertDBHandle *OpenCertDB (PRBool readOnly);
+
+int RemoveAllArc(char *tree);
+void VerifyCertDir(char *dir, char *keyName);
+int InitCrypto(char *cert_dir, PRBool readOnly);
+int foreach (char *dirname, char *prefix,
+	int (*fn)(char *filename, char *dirname, char *basedir,char *base,void*arg),
+	PRBool recurse, PRBool includeDirs, void *arg);
+void print_error (int i);
+void give_help (int status);
+const char* secErrorString(long code);
+void displayVerifyLog(CERTVerifyLog *log);
+void Usage (void);
+void LongUsage (void);
+char* chop(char*);
+void out_of_memory(void);
+void FatalError(char *msg);
+char* get_default_cert_dir(void);
+SECItem *password_hardcode(void *arg, void *handle);
+char* pk11_password_hardcode(PK11SlotInfo *slot, PRBool retry, void *arg);
+int rm_dash_r(char *path);
+char* pr_fgets(char *buf, int size, PRFileDesc *file);
+
+
+/*****************************************************************
+ * Global Variables (*gag*)
+ */
+extern char *password;	/* the password passed in on the command line */
+extern PLHashTable *excludeDirs;  /* directory entry to skip while recursing */
+extern int no_time;
+extern int xpi_arc;
+extern char *base;		/* basename of ".rsa" and ".sf" files */
+extern long *mozilla_event_queue;
+extern char *progName; /* argv[0] */
+extern PLHashTable *extensions;/* only sign files with this extension */
+extern PRBool extensionsGiven;
+extern char *scriptdir;
+extern int compression_level;
+extern PRFileDesc *outputFD, *errorFD;
+extern int verbosity;
+extern int errorCount;
+extern int warningCount;
+extern secuPWData pwdata;
+
+#endif /* SIGNTOOL_H */
diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c
new file mode 100644
index 000000000..be780d29b
--- /dev/null
+++ b/security/nss/cmd/signtool/util.c
@@ -0,0 +1,1131 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+#include "prio.h"
+#include "prmem.h"
+#include "nss.h"
+
+static int	is_dir (char *filename);
+
+/***********************************************************
+ * Nasty hackish function definitions
+ */
+
+long	*mozilla_event_queue = 0;
+
+#ifndef XP_WIN
+char	*XP_GetString (int i)
+{
+    return SECU_ErrorStringRaw ((int16) i);
+}
+#endif
+
+void	FE_SetPasswordEnabled()
+{
+}
+
+
+void	/*MWContext*/ *FE_GetInitContext (void)
+{
+    return 0;
+}
+
+
+void	/*MWContext*/ *XP_FindSomeContext()
+{
+    /* No windows context in command tools */
+    return NULL;
+}
+
+
+void	ET_moz_CallFunction()
+{
+}
+
+
+/*
+ *  R e m o v e A l l A r c
+ *
+ *  Remove .arc directories that are lingering
+ *  from a previous run of signtool.
+ *
+ */
+int
+RemoveAllArc(char *tree)
+{
+    PRDir * dir;
+    PRDirEntry * entry;
+    char	*archive = NULL;
+    int	retval = 0;
+
+    dir = PR_OpenDir (tree);
+    if (!dir) 
+	return - 1;
+
+    for (entry = PR_ReadDir (dir, 0); entry; entry = PR_ReadDir (dir,
+         0)) {
+
+	if (entry->name[0] == '.') {
+	    continue;
+	}
+
+	if (archive) 
+	    PR_Free(archive);
+	archive = PR_smprintf("%s/%s", tree, entry->name);
+
+	if (PL_strcaserstr (entry->name, ".arc")
+	     == (entry->name + strlen(entry->name) - 4) ) {
+
+	    if (verbosity >= 0) {
+		PR_fprintf(outputFD, "removing: %s\n", archive);
+	    }
+
+	    if (rm_dash_r(archive)) {
+		PR_fprintf(errorFD, "Error removing %s\n", archive);
+		errorCount++;
+		retval = -1;
+		goto finish;
+	    }
+	} else if (is_dir(archive)) {
+	    if (RemoveAllArc(archive)) {
+		retval = -1;
+		goto finish;
+	    }
+	}
+    }
+
+finish:
+    PR_CloseDir (dir);
+    if (archive) 
+	PR_Free(archive);
+
+    return retval;
+}
+
+
+/*
+ *  r m _ d a s h _ r
+ *
+ *  Remove a file, or a directory recursively.
+ *
+ */
+int	rm_dash_r (char *path)
+{
+    PRDir	 * dir;
+    PRDirEntry * entry;
+    PRFileInfo fileinfo;
+    char	filename[FNSIZE];
+
+    if (PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) {
+	/*fprintf(stderr, "Error: Unable to access %s\n", filename);*/
+	return - 1;
+    }
+    if (fileinfo.type == PR_FILE_DIRECTORY) {
+
+	dir = PR_OpenDir(path);
+	if (!dir) {
+	    PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+	    errorCount++;
+	    return - 1;
+	}
+
+	/* Recursively delete all entries in the directory */
+	while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+	    sprintf(filename, "%s/%s", path, entry->name);
+	    if (rm_dash_r(filename)) 
+		return - 1;
+	}
+
+	if (PR_CloseDir(dir) != PR_SUCCESS) {
+	    PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+	    errorCount++;
+	    return - 1;
+	}
+
+	/* Delete the directory itself */
+	if (PR_RmDir(path) != PR_SUCCESS) {
+	    PR_fprintf(errorFD, "Error: Unable to delete %s\n", path);
+	    errorCount++;
+	    return - 1;
+	}
+    } else {
+	if (PR_Delete(path) != PR_SUCCESS) {
+	    PR_fprintf(errorFD, "Error: Unable to delete %s\n", path);
+	    errorCount++;
+	    return - 1;
+	}
+    }
+    return 0;
+}
+
+
+/*
+ *  u s a g e 
+ * 
+ *  Print some useful help information
+ *
+ */
+
+
+void
+Usage (void)
+{
+#define FPS PR_fprintf(outputFD,
+    FPS "%s %s -a signing tool for jar files\n", LONG_PROGRAM_NAME,NSS_VERSION);
+    FPS "\n\nType %s -H for more detailed descriptions\n", PROGRAM_NAME);
+    FPS "\nUsage:  %s -k keyName [-b basename] [-c Compression Level]\n"
+        "\t\t [-d cert-dir] [-i installer script] [-m metafile] [-x name]\n"
+        "\t\t [-e extension] [-o] [-z] [-X] [--outfile] [--verbose value]\n"
+        "\t\t [--norecurse] [--leavearc] [-j directory] [-Z jarfile] [-O]\n"
+        "\t\t [-p password] directory-tree\n", PROGRAM_NAME);
+    FPS "\t%s -J -k keyName [-b basename] [-c Compression Level]\n"
+        "\t\t [-d cert-dir][-i installer script] [-m metafile] [-x name]\n"
+        "\t\t [-e extension] [-o] [-z] [-X] [--outfile] [--verbose value]\n"
+        "\t\t [--norecurse] [--leavearc] [-j directory] [-p password] [-O] \n"
+        "\t\t directory-tree\n", PROGRAM_NAME);
+    FPS "\t%s -h \n", PROGRAM_NAME);
+    FPS "\t%s -H \n", PROGRAM_NAME);
+    FPS "\t%s -l [-k keyName] [-d cert-dir] [--outfile] [-O] \n", PROGRAM_NAME);
+    FPS "\t%s -L [-k keyName] [-d cert-dir] [--outfile] [-O] \n", PROGRAM_NAME);
+    FPS "\t%s -M [--outfile] [-O] \n", PROGRAM_NAME);
+    FPS "\t%s -v [-d cert-dir] [--outfile] [-O] archive\n", PROGRAM_NAME);
+    FPS "\t%s -w [--outfile] [-O] archive\n" , PROGRAM_NAME);
+    FPS "\t%s -G nickname [--keysize|-s size] [-t |--token tokenname]\n"
+        "\t\t [--outfile] [-O] \n", PROGRAM_NAME);
+    FPS "\t%s -f filename\n" , PROGRAM_NAME);
+    exit (ERRX);
+}
+
+void 
+LongUsage(void)
+{
+    FPS "%s %s -a signing tool for jar files\n", LONG_PROGRAM_NAME,NSS_VERSION);
+    FPS "\n%-20s  Signs the directory-tree\n",
+        "signtool directory-tree");
+    FPS "%-30s Nickname (key) of the certificate to sign with\n",
+        "   -k keyname");
+    FPS "%-30s Base filename for the .rsa and.sf files in the\n",
+        "   -b basename");
+    FPS "%-30s META-INF directory\n"," ");
+    FPS "%-30s Set the compression level. 0-9, 0=none\n", 
+	"   -c CompressionLevel");
+    FPS "%-30s Certificate database directory containing cert*db\n",
+	"   -d certificate directory");
+    FPS "%-30s and key*db\n"," ");
+    FPS "%-30s Name of the installer script for SmartUpdate\n",
+	"   -i installer script");
+    FPS "%-30s Name of a metadata control file\n",
+	"   -m metafile");
+    FPS "%-30s For optimizing the archive for size.\n",
+	"   -o");
+    FPS "%-30s Omit Optional Headers\n"," ");
+    FPS "%-30s Excludes the specified directory or file from\n",
+	"   -x  directory or file name");
+    FPS "%-30s signing\n"," ");
+    FPS "%-30s To not store the signing time in digital\n",
+	"   -z  directory or file name");
+    FPS "%-30s signature\n"," ");
+    FPS "%-30s Create XPI Compatible Archive. It requires -Z\n",
+	"   -X  directory or file name");
+    FPS "%-30s option\n"," ");
+    FPS "%-30s Sign only files with the given extension\n",
+	"   -e");
+    FPS "%-30s Causes the specified directory to be signed and\n",
+	"   -j");
+    FPS "%-30s tags its entries as inline JavaScript\n"," ");
+    FPS "%-30s Creates a JAR file with the specified name.\n",
+	"   -Z");
+    FPS "%-30s -Z option cannot be used with -J option\n"," ");
+    FPS "%-30s Specifies a password for the private-key database\n",
+	"   -p");
+    FPS "%-30s (insecure)\n"," ");
+    FPS "%-30s File to receive redirected output\n",
+    	"   --outfile filename");
+    FPS "%-30s Sets the quantity of information generated in\n",
+	"   --verbosity value");
+    FPS "%-30s operation\n"," ");
+    FPS "%-30s Blocks recursion into subdirectories\n",
+	"   --norecurse");
+    FPS "%-30s Retains the temporary .arc (archive) directories\n",
+	"   --leavearc");
+    FPS "%-30s -J option creates\n"," ");
+
+    FPS "\n%-20s Signs a directory of HTML files containing JavaScript and\n",
+	"-J" );
+    FPS "%-20s creates as many archive files as are in the HTML tags.\n"," ");
+
+    FPS "%-20s The options are same as without any command option given\n"," ");
+    FPS "%-20s above. -Z and -J options are not allowed together\n"," ");
+    
+    FPS "\n%-20s Generates a new private-public key pair and corresponding\n",
+	"-G nickname");
+    FPS "%-20s object-signing certificates with the given nickname\n"," ");
+    FPS "%-30s Specifies the size of the key for generated \n",
+	"   --keysize|-s keysize");
+    FPS "%-30s certificate\n"," ");
+    FPS "%-30s Specifies which available token should generate\n",
+	"   --token|-t token name ");
+    FPS "%-30s the key and receive the certificate\n"," ");
+    FPS "%-30s Specifies a file to receive redirected output\n",
+	"   --outfile filename ");
+    
+    FPS "\n%-20s Display signtool help\n",
+	"-h ");
+    
+    FPS "\n%-20s Display signtool help(Detailed)\n",
+	"-H ");
+    
+    FPS "\n%-20s Lists signing certificates, including issuing CAs\n",
+	"-l ");
+    FPS "%-30s Certificate database directory containing cert*db\n",
+	"   -d certificate directory");
+    FPS "%-30s and key*db\n"," ");
+
+    FPS "%-30s Specifies a file to receive redirected output\n",
+	"   --outfile filename ");
+    FPS "%-30s Specifies the nickname (key) of the certificate\n",
+	"   -k keyname");
+
+    
+    FPS "\n%-20s Lists the certificates in your database\n",
+	"-L ");
+    FPS "%-30s Certificate database directory containing cert*db\n",
+	"   -d certificate directory");
+    FPS "%-30s and key*db\n"," ");
+
+    FPS "%-30s Specifies a file to receive redirected output\n",
+	"   --outfile filename ");
+    FPS "%-30s Specifies the nickname (key) of the certificate\n",
+	"   -k keyname");
+    
+    FPS "\n%-20s Lists the PKCS #11 modules available to signtool\n",
+	"-M ");
+   
+    FPS "\n%-20s Displays the contents of an archive and verifies\n",
+	"-v archive");
+    FPS "%-20s cryptographic integrity\n"," ");
+    FPS "%-30s Certificate database directory containing cert*db\n",
+	"   -d certificate directory");
+    FPS "%-30s and key*db\n"," ");
+    FPS "%-30s Specifies a file to receive redirected output\n",
+	"   --outfile filename ");
+    
+    FPS "\n%-20s Displays the names of signers in the archive\n",
+	"-w archive");
+    FPS "%-30s Specifies a file to receive redirected output\n",
+	"   --outfile filename ");
+
+    
+    FPS "\n%-30s Common option to all the above.\n",
+	"   -O");
+    FPS "%-30s Enable OCSP checking\n"," ");
+    
+    FPS "\n%-20s Specifies a text file containing options and arguments in\n",
+	"-f command-file");
+    FPS "%-20s keyword=value format. Commands are taken from this file\n"," ");
+
+    FPS  "\n\n\n");
+    FPS  "Example:\n");
+    FPS  "%-10s -d \"certificate directory\" -k \"certnickname\" \\",
+         PROGRAM_NAME);
+    FPS  "\n%-10s -p \"password\"  -X -Z \"file.xpi\" directory-tree\n"," " );
+    FPS  "Common syntax to create an XPInstall compatible"
+         " signed archive\n\n"," ");
+    FPS  "\nCommand File Keywords and Example:\n");
+    FPS "\nKeyword\t\tValue\n");
+    FPS "basename\tSame as -b option\n");
+    FPS "compression\tSame as -c option\n");
+    FPS "certdir\t\tSame as -d option\n");
+    FPS "extension\tSame as -e option\n");
+    FPS "generate\tSame as -G option\n");
+    FPS "installscript\tSame as -i option\n");
+    FPS "javascriptdir\tSame as -j option\n");
+    FPS "htmldir\t\tSame as -J option\n");
+    FPS "certname\tNickname of certificate, as with -k  option\n");
+    FPS "signdir\t\tThe directory to be signed, as with -k option\n");
+    FPS "list\t\tSame as -l option. Value is ignored,\n"
+        "    \t\tbut = sign must be present\n");
+    FPS "listall\t\tSame as -L option. Value is ignored\n"
+        "       \t\tbut = sign must be present\n");
+    FPS "metafile\tSame as -m option\n");
+    FPS "modules\t\tSame as -M option. Value is ignored,\n"
+        "       \t\tbut = sign must be present\n");
+    FPS "optimize\tSame as -o option. Value is ignored,\n" 
+        "        \tbut = sign must be present\n");
+    FPS "ocsp\t\tSame as -O option\n");
+    FPS "password\tSame as -p option\n");
+    FPS "verify\t\tSame as -v option\n");
+    FPS "who\t\tSame as -w option\n");
+    FPS "exclude\t\tSame as -x option\n");
+    FPS "notime\t\tSame as -z option. Value is ignored,\n"
+        "      \t\tbut = sign must be present\n");
+    FPS "jarfile\t\tSame as -Z option\n");
+    FPS "outfile\t\tSame as --outfile option. The argument\n");
+    FPS "       \t\tis the name of a file to which output\n");
+    FPS "       \t\tof a file and error messages will be  \n");
+    FPS "       \t\tredirected\n");
+    FPS "leavearc\tSame as --leavearc option\n");
+    FPS "verbosity\tSame as --verbosity option\n");
+    FPS "keysize\t\tSame as -s option\n");
+    FPS "token\t\tSame as -t option\n");
+    FPS "xpi\t\tSame as -X option\n");
+    FPS "\n\n");
+    FPS "Here's an example of the use of the command file. The command\n\n");
+    FPS "   signtool -d c:\\netscape\\users\\james -k mycert -Z myjar.jar \\\n"
+        "   signdir > output.txt\n\n"); 
+    FPS "becomes\n\n");
+    FPS "   signtool -f somefile\n\n");
+    FPS "where somefile contains the following lines:\n\n");
+    FPS "   certdir=c:\\netscape\\users\\james\n"," "); 
+    FPS "   certname=mycert\n"," "); 
+    FPS "   jarfile=myjar.jar\n"," "); 
+    FPS "   signdir=signdir\n"," "); 
+    FPS "   outfile=output.txt\n"," "); 
+    exit (ERRX);
+#undef FPS
+}
+
+/*
+ *  p r i n t _ e r r o r
+ *
+ *  For the undocumented -E function. If an older version
+ *  of communicator gives you a numeric error, we can see what
+ *  really happened without doing hex math.
+ *
+ */
+
+void
+print_error (int err)
+{
+    PR_fprintf(errorFD, "Error %d: %s\n", err, JAR_get_error (err));
+    errorCount++;
+    give_help (err);
+}
+
+
+/*
+ *  o u t _ o f _ m e m o r y
+ *
+ *  Out of memory, exit Signtool.
+ * 
+ */
+void
+out_of_memory (void)
+{
+    PR_fprintf(errorFD, "%s: out of memory\n", PROGRAM_NAME);
+    errorCount++;
+    exit (ERRX);
+}
+
+
+/*
+ *  V e r i f y C e r t D i r
+ *
+ *  Validate that the specified directory
+ *  contains a certificate database
+ *
+ */
+void
+VerifyCertDir(char *dir, char *keyName)
+{
+    char	fn [FNSIZE];
+
+    /* don't try verifying if we don't have a local directory */
+    if (strncmp(dir, "multiaccess:", sizeof("multiaccess:") - 1) == 0) {
+	return;
+    }
+    /* this function is truly evil. Tools and applications should not have
+     * any knowledge of actual cert databases! */
+    return;
+
+    /* This code is really broken because it makes underlying assumptions about
+   * how the NSS profile directory is laid out, but these names can change
+   * from release to release. */
+    sprintf (fn, "%s/cert8.db", dir);
+
+    if (PR_Access (fn, PR_ACCESS_EXISTS)) {
+	PR_fprintf(errorFD, "%s: No certificate database in \"%s\"\n",
+			 PROGRAM_NAME, dir);
+	PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "using certificate directory: %s\n", dir);
+    }
+
+    if (keyName == NULL)
+	return;
+
+    /* if the user gave the -k key argument, verify that 
+     a key database already exists */
+
+    sprintf (fn, "%s/key3.db", dir);
+
+    if (PR_Access (fn, PR_ACCESS_EXISTS)) {
+	PR_fprintf(errorFD, "%s: No private key database in \"%s\"\n",
+	     PROGRAM_NAME,
+	    dir);
+	PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+}
+
+
+/*
+ *  f o r e a c h 
+ * 
+ *  A recursive function to loop through all names in
+ *  the specified directory, as well as all subdirectories.
+ *
+ *  FIX: Need to see if all platforms allow multiple
+ *  opendir's to be called.
+ *
+ */
+
+int
+foreach(char *dirname, char *prefix, 
+int (*fn)(char *relpath, char *basedir, char *reldir, char *filename,
+void*arg),
+PRBool recurse, PRBool includeDirs, void *arg) 
+{
+    char	newdir [FNSIZE];
+    int	retval = 0;
+
+    PRDir * dir;
+    PRDirEntry * entry;
+
+    strcpy (newdir, dirname);
+    if (*prefix) {
+	strcat (newdir, "/");
+	strcat (newdir, prefix);
+    }
+
+    dir = PR_OpenDir (newdir);
+    if (!dir) 
+	return - 1;
+
+    for (entry = PR_ReadDir (dir, 0); entry; entry = PR_ReadDir (dir, 0)) {
+	if ( strcmp(entry->name, ".") == 0   || 
+	    strcmp(entry->name, "..") == 0 ) {
+	    /* no infinite recursion, please */
+	    continue;
+	}
+
+	/* can't sign self */
+	if (!strcmp (entry->name, "META-INF"))
+	    continue;
+
+	/* -x option */
+	if (PL_HashTableLookup(excludeDirs, entry->name))
+	    continue;
+
+	strcpy (newdir, dirname);
+	if (*dirname)
+	    strcat (newdir, "/");
+
+	if (*prefix) {
+	    strcat (newdir, prefix);
+	    strcat (newdir, "/");
+	}
+	strcat (newdir, entry->name);
+
+	if (!is_dir(newdir) || includeDirs) {
+	    char	newpath [FNSIZE];
+
+	    strcpy (newpath, prefix);
+	    if (*newpath)
+		strcat (newpath, "/");
+	    strcat (newpath, entry->name);
+
+	    if ( (*fn) (newpath, dirname, prefix, (char *) entry->name,
+	         arg)) {
+		retval = -1;
+		break;
+	    }
+	}
+
+	if (is_dir (newdir)) {
+	    if (recurse) {
+		char	newprefix [FNSIZE];
+
+		strcpy (newprefix, prefix);
+		if (*newprefix) {
+		    strcat (newprefix, "/");
+		}
+		strcat (newprefix, entry->name);
+
+		if (foreach (dirname, newprefix, fn, recurse,
+		     includeDirs, arg)) {
+		    retval = -1;
+		    break;
+		}
+	    }
+	}
+
+    }
+
+    PR_CloseDir (dir);
+
+    return retval;
+}
+
+
+/*
+ *  i s _ d i r
+ *
+ *  Return 1 if file is a directory.
+ *  Wonder if this runs on a mac, trust not.
+ *
+ */
+static int	is_dir (char *filename)
+{
+    PRFileInfo	finfo;
+
+    if ( PR_GetFileInfo(filename, &finfo) != PR_SUCCESS ) {
+	printf("Unable to get information about %s\n", filename);
+	return 0;
+    }
+
+    return ( finfo.type == PR_FILE_DIRECTORY );
+}
+
+
+/***************************************************************
+ *
+ * s e c E r r o r S t r i n g
+ *
+ * Returns an error string corresponding to the given error code.
+ * Doesn't cover all errors; returns a default for many.
+ * Returned string is only valid until the next call of this function.
+ */
+const char	*
+secErrorString(long code)
+{
+    static char	errstring[80]; /* dynamically constructed error string */
+    char	*c; /* the returned string */
+
+    switch (code) {
+    case SEC_ERROR_IO: 
+	c = "io error";
+	break;
+    case SEC_ERROR_LIBRARY_FAILURE: 
+	c = "security library failure";
+	break;
+    case SEC_ERROR_BAD_DATA: 
+	c = "bad data";
+	break;
+    case SEC_ERROR_OUTPUT_LEN: 
+	c = "output length";
+	break;
+    case SEC_ERROR_INPUT_LEN: 
+	c = "input length";
+	break;
+    case SEC_ERROR_INVALID_ARGS: 
+	c = "invalid args";
+	break;
+    case SEC_ERROR_EXPIRED_CERTIFICATE: 
+	c = "expired certificate";
+	break;
+    case SEC_ERROR_REVOKED_CERTIFICATE: 
+	c = "revoked certificate";
+	break;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE: 
+	c = "inadequate key usage";
+	break;
+    case SEC_ERROR_INADEQUATE_CERT_TYPE: 
+	c = "inadequate certificate type";
+	break;
+    case SEC_ERROR_UNTRUSTED_CERT: 
+	c = "untrusted cert";
+	break;
+    case SEC_ERROR_NO_KRL: 
+	c = "no key revocation list";
+	break;
+    case SEC_ERROR_KRL_BAD_SIGNATURE: 
+	c = "key revocation list: bad signature";
+	break;
+    case SEC_ERROR_KRL_EXPIRED: 
+	c = "key revocation list expired";
+	break;
+    case SEC_ERROR_REVOKED_KEY: 
+	c = "revoked key";
+	break;
+    case SEC_ERROR_CRL_BAD_SIGNATURE:
+	c = "certificate revocation list: bad signature";
+	break;
+    case SEC_ERROR_CRL_EXPIRED: 
+	c = "certificate revocation list expired";
+	break;
+    case SEC_ERROR_CRL_NOT_YET_VALID:
+	c = "certificate revocation list not yet valid";
+	break;
+    case SEC_ERROR_UNKNOWN_ISSUER: 
+	c = "unknown issuer";
+	break;
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 
+	c = "expired issuer certificate";
+	break;
+    case SEC_ERROR_BAD_SIGNATURE: 
+	c = "bad signature";
+	break;
+    case SEC_ERROR_BAD_KEY: 
+	c = "bad key";
+	break;
+    case SEC_ERROR_NOT_FORTEZZA_ISSUER: 
+	c = "not fortezza issuer";
+	break;
+    case SEC_ERROR_CA_CERT_INVALID:
+	c = "Certificate Authority certificate invalid";
+	break;
+    case SEC_ERROR_EXTENSION_NOT_FOUND: 
+	c = "extension not found";
+	break;
+    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 
+	c = "certificate not in name space";
+	break;
+    case SEC_ERROR_UNTRUSTED_ISSUER: 
+	c = "untrusted issuer";
+	break;
+    default:
+	sprintf(errstring, "security error %ld", code);
+	c = errstring;
+	break;
+    }
+
+    return c;
+}
+
+
+/***************************************************************
+ *
+ * d i s p l a y V e r i f y L o g
+ *
+ * Prints the log of a cert verification.
+ */
+void
+displayVerifyLog(CERTVerifyLog *log)
+{
+    CERTVerifyLogNode	 * node;
+    CERTCertificate		 * cert;
+    char	*name;
+
+    if ( !log  || (log->count <= 0) ) {
+	return;
+    }
+
+    for (node = log->head; node != NULL; node = node->next) {
+
+	if ( !(cert = node->cert) ) {
+	    continue;
+	}
+
+	/* Get a name for this cert */
+	if (cert->nickname != NULL) {
+	    name = cert->nickname;
+	} else if (cert->emailAddr && cert->emailAddr[0]) {
+	    name = cert->emailAddr;
+	} else {
+	    name = cert->subjectName;
+	}
+
+	printf( "%s%s:\n", name,
+	    (node->depth > 0) ? " [Certificate Authority]" : "");
+
+	printf("\t%s\n", secErrorString(node->error));
+
+    }
+}
+
+
+/*
+ *  J a r L i s t M o d u l e s
+ *
+ *  Print a list of the PKCS11 modules that are
+ *  available. This is useful for smartcard people to
+ *  make sure they have the drivers loaded.
+ *
+ */
+void
+JarListModules(void)
+{
+    int	i;
+    int	count = 0;
+
+    SECMODModuleList * modules = NULL;
+    static SECMODListLock *moduleLock = NULL;
+
+    SECMODModuleList * mlp;
+
+    if ((moduleLock = SECMOD_GetDefaultModuleListLock()) == NULL) {
+	/* this is the wrong text */
+	PR_fprintf(errorFD, "%s: unable to acquire lock on module list\n",
+	     		PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    SECMOD_GetReadLock (moduleLock);
+
+    modules = SECMOD_GetDefaultModuleList();
+
+    if (modules == NULL) {
+	SECMOD_ReleaseReadLock (moduleLock);
+	PR_fprintf(errorFD, "%s: Can't get module list\n", PROGRAM_NAME);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    PR_fprintf(outputFD, "\nListing of PKCS11 modules\n");
+    PR_fprintf(outputFD, "-----------------------------------------------\n");
+
+    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
+	count++;
+	PR_fprintf(outputFD, "%3d. %s\n", count, mlp->module->commonName);
+
+	if (mlp->module->internal)
+	    PR_fprintf(outputFD, "          (this module is internally loaded)\n");
+	else
+	    PR_fprintf(outputFD, "          (this is an external module)\n");
+
+	if (mlp->module->dllName)
+	    PR_fprintf(outputFD, "          DLL name: %s\n",
+	        mlp->module->dllName);
+
+	if (mlp->module->slotCount == 0)
+	    PR_fprintf(outputFD, "          slots: There are no slots attached to this module\n");
+	else
+	    PR_fprintf(outputFD, "          slots: %d slots attached\n",
+	         mlp->module->slotCount);
+
+	if (mlp->module->loaded == 0)
+	    PR_fprintf(outputFD, "          status: Not loaded\n");
+	else
+	    PR_fprintf(outputFD, "          status: loaded\n");
+
+	for (i = 0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo * slot = mlp->module->slots[i];
+
+	    PR_fprintf(outputFD, "\n");
+	    PR_fprintf(outputFD, "    slot: %s\n", PK11_GetSlotName(slot));
+	    PR_fprintf(outputFD, "   token: %s\n", PK11_GetTokenName(slot));
+	}
+    }
+
+    PR_fprintf(outputFD, "-----------------------------------------------\n");
+
+    if (count == 0)
+	PR_fprintf(outputFD,
+	    "Warning: no modules were found (should have at least one)\n");
+
+    SECMOD_ReleaseReadLock (moduleLock);
+}
+
+
+/**********************************************************************
+ * c h o p
+ *
+ * Eliminates leading and trailing whitespace.  Returns a pointer to the 
+ * beginning of non-whitespace, or an empty string if it's all whitespace.
+ */
+char*
+chop(char *str)
+{
+    char	*start, *end;
+
+    if (str) {
+	start = str;
+
+	/* Nip leading whitespace */
+	while (isspace(*start)) {
+	    start++;
+	}
+
+	/* Nip trailing whitespace */
+	if (*start) {
+	    end = start + strlen(start) - 1;
+	    while (isspace(*end) && end > start) {
+		end--;
+	    }
+	    *(end + 1) = '\0';
+	}
+
+	return start;
+    } else {
+	return NULL;
+    }
+}
+
+
+/***********************************************************************
+ *
+ * F a t a l E r r o r
+ *
+ * Outputs an error message and bails out of the program.
+ */
+void
+FatalError(char *msg)
+{
+    if (!msg) 
+	msg = "";
+
+    PR_fprintf(errorFD, "FATAL ERROR: %s\n", msg);
+    errorCount++;
+    exit(ERRX);
+}
+
+
+/*************************************************************************
+ *
+ * I n i t C r y p t o
+ */
+int
+InitCrypto(char *cert_dir, PRBool readOnly)
+{
+    SECStatus rv;
+    static int	prior = 0;
+    PK11SlotInfo * slotinfo;
+
+    if (prior == 0) {
+	/* some functions such as OpenKeyDB expect this path to be
+	 * implicitly set prior to calling */
+	if (readOnly) {
+	    rv = NSS_Init(cert_dir);
+	} else {
+	    rv = NSS_InitReadWrite(cert_dir);
+	}
+	if (rv != SECSuccess) {
+	    SECU_PrintPRandOSError(PROGRAM_NAME);
+	    exit(-1);
+	}
+
+	SECU_ConfigDirectory (cert_dir);
+
+	/* Been there done that */
+	prior++;
+
+        PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+	/* Must login to FIPS before you do anything else */
+	if (PK11_IsFIPS()) {
+	    slotinfo = PK11_GetInternalSlot();
+	    if (!slotinfo) {
+		fprintf(stderr, "%s: Unable to get PKCS #11 Internal Slot."
+				    "\n", PROGRAM_NAME);
+		return - 1;
+	    }
+	    if (PK11_Authenticate(slotinfo, PR_FALSE /*loadCerts*/,
+	         			  &pwdata) != SECSuccess) {
+		fprintf(stderr, "%s: Unable to authenticate to %s.\n",
+				    PROGRAM_NAME, PK11_GetSlotName(slotinfo));
+		PK11_FreeSlot(slotinfo);
+		return - 1;
+	    }
+	    PK11_FreeSlot(slotinfo);
+	}
+
+	/* Make sure there is a password set on the internal key slot */
+	slotinfo = PK11_GetInternalKeySlot();
+	if (!slotinfo) {
+	    fprintf(stderr, "%s: Unable to get PKCS #11 Internal Key Slot."
+	        "\n", PROGRAM_NAME);
+	    return - 1;
+	}
+	if (PK11_NeedUserInit(slotinfo)) {
+	    PR_fprintf(errorFD,
+	        "\nWARNING: No password set on internal key database.  Most operations will fail."
+	        "\nYou must create a password.\n");
+	    warningCount++;
+	}
+
+	/* Make sure we can authenticate to the key slot in FIPS mode */
+	if (PK11_IsFIPS()) {
+	    if (PK11_Authenticate(slotinfo, PR_FALSE /*loadCerts*/,
+	         			  &pwdata) != SECSuccess) {
+		fprintf(stderr, "%s: Unable to authenticate to %s.\n",
+				PROGRAM_NAME, PK11_GetSlotName(slotinfo));
+		PK11_FreeSlot(slotinfo);
+		return - 1;
+	    }
+	}
+	PK11_FreeSlot(slotinfo);
+    }
+
+    return 0;
+}
+
+
+/* Windows foolishness is now in the secutil lib */
+
+/*****************************************************************
+ *  g e t _ d e f a u l t _ c e r t _ d i r
+ *
+ *  Attempt to locate a certificate directory.
+ *  Failing that, complain that the user needs to
+ *  use the -d(irectory) parameter.
+ *
+ */
+char	*get_default_cert_dir (void)
+{
+    char	*home;
+
+    char	*cd = NULL;
+    static char	db [FNSIZE];
+
+#ifdef XP_UNIX
+    home = getenv ("HOME");
+
+    if (home && *home) {
+	sprintf (db, "%s/.netscape", home);
+	cd = db;
+    }
+#endif
+
+#ifdef XP_PC
+    FILE * fp;
+
+    /* first check the environment override */
+
+    home = getenv ("JAR_HOME");
+
+    if (home && *home) {
+	sprintf (db, "%s/cert7.db", home);
+
+	if ((fp = fopen (db, "r")) != NULL) {
+	    fclose (fp);
+	    cd = home;
+	}
+    }
+
+    /* try the old navigator directory */
+
+    if (cd == NULL) {
+	home = "c:/Program Files/Netscape/Navigator";
+
+	sprintf (db, "%s/cert7.db", home);
+
+	if ((fp = fopen (db, "r")) != NULL) {
+	    fclose (fp);
+	    cd = home;
+	}
+    }
+
+    /* Try the current directory, I wonder if this
+     is really a good idea. Remember, Windows only.. */
+
+    if (cd == NULL) {
+	home = ".";
+
+	sprintf (db, "%s/cert7.db", home);
+
+	if ((fp = fopen (db, "r")) != NULL) {
+	    fclose (fp);
+	    cd = home;
+	}
+    }
+
+#endif
+
+    if (!cd) {
+	PR_fprintf(errorFD,
+	    "You must specify the location of your certificate directory\n");
+	PR_fprintf(errorFD,
+	    "with the -d option. Example: -d ~/.netscape in many cases with Unix.\n");
+	errorCount++;
+	exit (ERRX);
+    }
+
+    return cd;
+}
+
+
+/************************************************************************
+ * g i v e _ h e l p
+ */
+void	give_help (int status)
+{
+    if (status == SEC_ERROR_UNKNOWN_ISSUER) {
+	PR_fprintf(errorFD,
+	    "The Certificate Authority (CA) for this certificate\n");
+	PR_fprintf(errorFD,
+	    "does not appear to be in your database. You should contact\n");
+	PR_fprintf(errorFD,
+	    "the organization which issued this certificate to obtain\n");
+	PR_fprintf(errorFD, "a copy of its CA Certificate.\n");
+    }
+}
+
+
+/**************************************************************************
+ *
+ * p r _ f g e t s
+ *
+ * fgets implemented with NSPR.
+ */
+char*
+pr_fgets(char *buf, int size, PRFileDesc *file)
+{
+    int	i;
+    int	status;
+    char	c;
+
+    i = 0;
+    while (i < size - 1) {
+	status = PR_Read(file, &c, 1);
+	if (status == -1) {
+	    return NULL;
+	} else if (status == 0) {
+	    if (i == 0) {
+		return NULL;
+	    }
+	    break;
+	}
+	buf[i++] = c;
+	if (c == '\n') {
+	    break;
+	}
+    }
+    buf[i] = '\0';
+
+    return buf;
+}
+
+
diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c
new file mode 100644
index 000000000..302e9d497
--- /dev/null
+++ b/security/nss/cmd/signtool/verify.c
@@ -0,0 +1,371 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+
+
+static int	jar_cb(int status, JAR *jar, const char *metafile, 
+char *pathname, char *errortext);
+static int	verify_global (JAR *jar);
+
+/*************************************************************************
+ *
+ * V e r i f y J a r
+ */
+int
+VerifyJar(char *filename)
+{
+    FILE * fp;
+
+    int	ret;
+    int	status;
+    int	failed = 0;
+    char	*err;
+
+    JAR * jar;
+    JAR_Context * ctx;
+
+    JAR_Item * it;
+
+    jar = JAR_new();
+
+    if ((fp = fopen (filename, "r")) == NULL) {
+	perror (filename);
+	exit (ERRX);
+    } else
+	fclose (fp);
+
+    JAR_set_callback (JAR_CB_SIGNAL, jar, jar_cb);
+
+
+    status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
+
+    if (status < 0 || jar->valid < 0) {
+	failed = 1;
+	PR_fprintf(outputFD, 
+	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+	     filename);
+	if (status < 0) {
+	    char	*errtext;
+
+	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
+		errtext = JAR_get_error (status);
+	    } else {
+		errtext = SECU_ErrorString ((int16) PORT_GetError());
+	    }
+
+	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
+	         errtext);
+
+	    /* corrupt files should not have their contents listed */
+
+	    if (status == JAR_ERR_CORRUPT)
+		return - 1;
+	}
+	PR_fprintf(outputFD,
+	    "entries shown below will have their digests checked only.\n");
+	jar->valid = 0;
+    } else
+	PR_fprintf(outputFD,
+	    "archive \"%s\" has passed crypto verification.\n", filename);
+
+    if (verify_global (jar))
+	failed = 1;
+
+    PR_fprintf(outputFD, "\n");
+    PR_fprintf(outputFD, "%16s   %s\n", "status", "path");
+    PR_fprintf(outputFD, "%16s   %s\n", "------------", "-------------------");
+
+    ctx = JAR_find (jar, NULL, jarTypeMF);
+
+    while (JAR_find_next (ctx, &it) >= 0) {
+	if (it && it->pathname) {
+	    rm_dash_r(TMP_OUTPUT);
+	    ret = JAR_verified_extract (jar, it->pathname, TMP_OUTPUT);
+	    /* if (ret < 0) printf ("error %d on %s\n", ret, it->pathname); */
+	    if (ret < 0) 
+		failed = 1;
+
+	    if (ret == JAR_ERR_PNF)
+		err = "NOT PRESENT";
+	    else if (ret == JAR_ERR_HASH)
+		err = "HASH FAILED";
+	    else
+		err = "NOT VERIFIED";
+
+	    PR_fprintf(outputFD, "%16s   %s\n", 
+	        ret >= 0 ? "verified" : err, it->pathname);
+
+	    if (ret != 0 && ret != JAR_ERR_PNF && ret != JAR_ERR_HASH)
+		PR_fprintf(outputFD, "      (reason: %s)\n",
+		     JAR_get_error (ret));
+	}
+    }
+
+    JAR_find_end (ctx);
+
+    if (status < 0 || jar->valid < 0) {
+	failed = 1;
+	PR_fprintf(outputFD,
+	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+	     filename);
+	give_help (status);
+    }
+
+    JAR_destroy (jar);
+
+    if (failed)
+	return - 1;
+    return 0;
+}
+
+
+/***************************************************************************
+ *
+ * v e r i f y _ g l o b a l
+ */
+static int	
+verify_global (JAR *jar)
+{
+    FILE        * fp;
+    JAR_Context * ctx;
+    JAR_Item    * it;
+    JAR_Digest  * globaldig;
+    char	* ext;
+    unsigned char *md5_digest, *sha1_digest;
+    unsigned int  sha1_length, md5_length;
+    int	          retval = 0;
+    char	  buf [BUFSIZ];
+
+    ctx = JAR_find (jar, "*", jarTypePhy);
+
+    while (JAR_find_next (ctx, &it) >= 0) {
+	if (!PORT_Strncmp (it->pathname, "META-INF", 8)) {
+	    for (ext = it->pathname; *ext; ext++)
+		;
+	    while (ext > it->pathname && *ext != '.') 
+		ext--;
+
+	    if (verbosity >= 0) {
+		if (!PORT_Strcasecmp (ext, ".rsa")) {
+		    PR_fprintf(outputFD, "found a RSA signature file: %s\n",
+		         				  it->pathname);
+		}
+
+		if (!PORT_Strcasecmp (ext, ".dsa")) {
+		    PR_fprintf(outputFD, "found a DSA signature file: %s\n",
+		         				  it->pathname);
+		}
+
+		if (!PORT_Strcasecmp (ext, ".mf")) {
+		    PR_fprintf(outputFD,
+		        "found a MF master manifest file: %s\n",
+		         it->pathname);
+		}
+	    }
+
+	    if (!PORT_Strcasecmp (ext, ".sf")) {
+		if (verbosity >= 0) {
+		    PR_fprintf(outputFD,
+		        "found a SF signature manifest file: %s\n",
+		         it->pathname);
+		}
+
+		rm_dash_r(TMP_OUTPUT);
+		if (JAR_extract (jar, it->pathname, TMP_OUTPUT) < 0) {
+		    PR_fprintf(errorFD, "%s: error extracting %s\n",
+		         PROGRAM_NAME, it->pathname);
+		    errorCount++;
+		    retval = -1;
+		    continue;
+		}
+
+		md5_digest = NULL;
+		sha1_digest = NULL;
+
+		if ((fp = fopen (TMP_OUTPUT, "rb")) != NULL) {
+		    while (fgets (buf, BUFSIZ, fp)) {
+			char	*s;
+
+			if (*buf == 0 || *buf == '\n' || *buf == '\r') 
+			    break;
+
+			for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
+			    ;
+			*s = 0;
+
+			if (!PORT_Strncmp (buf, "MD5-Digest: ", 12)) {
+			    md5_digest = 
+				ATOB_AsciiToData (buf + 12, &md5_length);
+			}
+			if (!PORT_Strncmp (buf, "SHA1-Digest: ", 13)) {
+			    sha1_digest = 
+				ATOB_AsciiToData (buf + 13, &sha1_length);
+			}
+			if (!PORT_Strncmp (buf, "SHA-Digest: ", 12)) {
+			    sha1_digest = 
+				ATOB_AsciiToData (buf + 12, &sha1_length);
+			}
+		    }
+
+		    globaldig = jar->globalmeta;
+
+		    if (globaldig && md5_digest && verbosity >= 0) {
+			PR_fprintf(outputFD,
+			   "  md5 digest on global metainfo: %s\n",
+			    PORT_Memcmp(md5_digest, globaldig->md5, MD5_LENGTH)
+			    ? "no match" : "match");
+		    }
+
+		    if (globaldig && sha1_digest && verbosity >= 0) {
+			PR_fprintf(outputFD,
+			    "  sha digest on global metainfo: %s\n",
+			    PORT_Memcmp(sha1_digest, globaldig->sha1, SHA1_LENGTH) 
+			    ? "no match" : "match");
+		    }
+
+		    if (globaldig == NULL && verbosity >= 0) {
+			PR_fprintf(outputFD,
+			     "global metadigest is not available, strange.\n");
+		    }
+
+		    fclose (fp);
+		}
+	    }
+	}
+    }
+
+    JAR_find_end (ctx);
+
+    return retval;
+}
+
+
+/************************************************************************
+ *
+ * J a r W h o
+ */
+int
+JarWho(char *filename)
+{
+    FILE * fp;
+
+    JAR * jar;
+    JAR_Context * ctx;
+
+    int	status;
+    int	retval = 0;
+
+    JAR_Item * it;
+    JAR_Cert * fing;
+
+    CERTCertificate * cert, *prev = NULL;
+
+    jar = JAR_new();
+
+    if ((fp = fopen (filename, "r")) == NULL) {
+	perror (filename);
+	exit (ERRX);
+    } 
+    fclose (fp);
+
+    status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
+
+    if (status < 0 || jar->valid < 0) {
+	PR_fprintf(outputFD,
+	    "NOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+	     filename);
+	retval = -1;
+	if (jar->valid < 0 || status != -1) {
+	    char	*errtext;
+
+	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
+		errtext = JAR_get_error (status);
+	    } else {
+		errtext = SECU_ErrorString ((int16) PORT_GetError());
+	    }
+
+	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
+	}
+    }
+
+    PR_fprintf(outputFD, "\nSigner information:\n\n");
+
+    ctx = JAR_find (jar, NULL, jarTypeSign);
+
+    while (JAR_find_next (ctx, &it) >= 0) {
+	fing = (JAR_Cert * ) it->data;
+	cert = fing->cert;
+
+	if (cert) {
+	    if (prev == cert)
+		break;
+
+	    if (cert->nickname)
+		PR_fprintf(outputFD, "nickname: %s\n", cert->nickname);
+	    if (cert->subjectName)
+		PR_fprintf(outputFD, "subject name: %s\n",
+		     cert->subjectName);
+	    if (cert->issuerName)
+		PR_fprintf(outputFD, "issuer name: %s\n", cert->issuerName);
+	} else {
+	    PR_fprintf(outputFD, "no certificate could be found\n");
+	    retval = -1;
+	}
+
+	prev = cert;
+    }
+
+    JAR_find_end (ctx);
+
+    JAR_destroy (jar);
+    return retval;
+}
+
+
+/************************************************************************
+ * j a r _ c b
+ */
+static int	jar_cb(int status, JAR *jar, const char *metafile,
+char *pathname, char *errortext)
+{
+    PR_fprintf(errorFD, "error %d: %s IN FILE %s\n", status, errortext,
+         pathname);
+    errorCount++;
+    return 0;
+}
+
+
diff --git a/security/nss/cmd/signtool/zip.c b/security/nss/cmd/signtool/zip.c
new file mode 100644
index 000000000..2da1623ad
--- /dev/null
+++ b/security/nss/cmd/signtool/zip.c
@@ -0,0 +1,721 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "signtool.h"
+#include "zip.h"
+#include "zlib.h"
+#include "prmem.h"
+
+static void	inttox (int in, char *out);
+static void	longtox (long in, char *out);
+
+/****************************************************************
+ *
+ * J z i p O p e n
+ *
+ * Opens a new ZIP file and creates a new ZIPfile structure to 
+ * control the process of installing files into a zip.
+ */
+ZIPfile*
+JzipOpen(char *filename, char *comment)
+{
+    ZIPfile * zipfile;
+    PRExplodedTime prtime;
+
+    zipfile = PORT_ZAlloc(sizeof(ZIPfile));
+    if (!zipfile) 
+	out_of_memory();
+
+    /* Construct time and date */
+    PR_ExplodeTime(PR_Now(), PR_LocalTimeParameters, &prtime);
+    zipfile->date = 	((prtime.tm_year - 1980) << 9) | 
+			((prtime.tm_month + 1) << 5)   | 
+			prtime.tm_mday;
+    zipfile->time = 	(prtime.tm_hour << 11)   | 
+			(prtime.tm_min << 5)     | 
+			(prtime.tm_sec & 0x3f);
+
+    zipfile->fp = NULL;
+    if (filename  && 
+        (zipfile->fp = PR_Open(filename,
+        PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777)) == NULL) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "%s: can't open output jar, %s.%s\n",
+	     PROGRAM_NAME,
+	    filename, nsprErr ? nsprErr : "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit (ERRX);
+    }
+
+    zipfile->list = NULL;
+    if (filename) {
+	zipfile->filename = PORT_ZAlloc(strlen(filename) + 1);
+	if (!zipfile->filename) 
+	    out_of_memory();
+	PORT_Strcpy(zipfile->filename, filename);
+    }
+    if (comment) {
+	zipfile->comment = PORT_ZAlloc(strlen(comment) + 1);
+	if (!zipfile->comment) 
+	    out_of_memory();
+	PORT_Strcpy(zipfile->comment, comment);
+    }
+
+    return zipfile;
+}
+
+
+static
+void*
+my_alloc_func(void*opaque, uInt items, uInt size)
+{
+    return PORT_Alloc(items * size);
+}
+
+
+static
+void
+my_free_func(void*opaque, void*address)
+{
+    PORT_Free(address);
+}
+
+
+static
+void
+handle_zerror(int err, char *msg)
+{
+    if (!msg) {
+	msg = "";
+    }
+
+    errorCount++; /* unless Z_OK...see below */
+
+    switch (err) {
+    case Z_OK:
+	PR_fprintf(errorFD, "No error: %s\n", msg);
+	errorCount--; /* this was incremented above */
+	break;
+    case Z_MEM_ERROR:
+	PR_fprintf(errorFD, "Deflation ran out of memory: %s\n", msg);
+	break;
+    case Z_STREAM_ERROR:
+	PR_fprintf(errorFD, "Invalid compression level: %s\n", msg);
+	break;
+    case Z_VERSION_ERROR:
+	PR_fprintf(errorFD, "Incompatible compression library version: %s\n",
+	     msg);
+	break;
+    case Z_DATA_ERROR:
+	PR_fprintf(errorFD, "Compression data error: %s\n", msg);
+	break;
+    default:
+	PR_fprintf(errorFD, "Unknown error in compression library: %s\n", msg);
+	break;
+    }
+}
+
+
+
+
+/****************************************************************
+ *
+ * J z i p A d d
+ *
+ * Adds a new file into a ZIP file.  The ZIP file must have already
+ * been opened with JzipOpen.
+ */
+int
+JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
+{
+    ZIPentry * entry;
+    PRFileDesc * readfp;
+    PRFileDesc * zipfp;
+    unsigned long crc;
+    unsigned long local_size_pos;
+    int	          num;
+    int	          err;
+    int	          deflate_percent;
+    z_stream      zstream;
+    Bytef         inbuf[BUFSIZ];
+    Bytef         outbuf[BUFSIZ];
+
+
+    if ( !fullname || !filename || !zipfile) {
+	return - 1;
+    }
+
+    zipfp = zipfile->fp;
+    if (!zipfp)
+	return - 1;
+
+
+    if ( (readfp = PR_Open(fullname, PR_RDONLY, 0777)) == NULL) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "%s: %s\n", fullname, nsprErr ? nsprErr :
+	    "");
+	errorCount++;
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	exit(ERRX);
+    }
+
+    /*
+     * Make sure the input file is not the output file.
+     * Add a few bytes to the end of the JAR file and see if the input file
+     * twitches
+     */
+     {
+	PRInt32 endOfJar;
+	PRInt32 inputSize;
+	PRBool isSame;
+
+	inputSize = PR_Available(readfp);
+
+	endOfJar = PR_Seek(zipfp, 0L, PR_SEEK_CUR);
+
+	if (PR_Write(zipfp, "abcde", 5) < 5) {
+	    char	*nsprErr;
+
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing to zip file: %s\n",
+	        nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+
+	isSame = (PR_Available(readfp) != inputSize);
+
+	PR_Seek(zipfp, endOfJar, PR_SEEK_SET);
+
+	if (isSame) {
+	    /* It's the same file! Forget it! */
+	    PR_Close(readfp);
+	    return 0;
+	}
+    }
+
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "adding %s to %s...", fullname, zipfile->filename);
+    }
+
+    entry = PORT_ZAlloc(sizeof(ZIPentry));
+    if (!entry) 
+	out_of_memory();
+
+    entry->filename = PORT_Strdup(filename);
+    entry->comment = NULL;
+
+    /* Set up local file header */
+    longtox(LSIG, entry->local.signature);
+    inttox(strlen(filename), entry->local.filename_len);
+    inttox(zipfile->time, entry->local.time);
+    inttox(zipfile->date, entry->local.date);
+    inttox(Z_DEFLATED, entry->local.method);
+
+    /* Set up central directory entry */
+    longtox(CSIG, entry->central.signature);
+    inttox(strlen(filename), entry->central.filename_len);
+    if (entry->comment) {
+	inttox(strlen(entry->comment), entry->central.commentfield_len);
+    }
+    longtox(PR_Seek(zipfile->fp, 0, PR_SEEK_CUR),
+        entry->central.localhdr_offset);
+    inttox(zipfile->time, entry->central.time);
+    inttox(zipfile->date, entry->central.date);
+    inttox(Z_DEFLATED, entry->central.method);
+
+    /* Compute crc.  Too bad we have to process the whole file to do this*/
+    crc = crc32(0L, NULL, 0);
+    while ( (num = PR_Read(readfp, inbuf, BUFSIZ)) > 0) {
+	crc = crc32(crc, inbuf, num);
+    }
+    PR_Seek(readfp, 0L, PR_SEEK_SET);
+
+    /* Store CRC */
+    longtox(crc, entry->local.crc32);
+    longtox(crc, entry->central.crc32);
+
+    /* Stick this entry onto the end of the list */
+    entry->next = NULL;
+    if ( zipfile->list == NULL ) {
+	/* First entry */
+	zipfile->list = entry;
+    } else {
+	ZIPentry * pe;
+
+	pe = zipfile->list;
+	while (pe->next != NULL) {
+	    pe = pe->next;
+	}
+	pe->next = entry;
+    }
+
+    /*
+     * Start writing stuff out
+     */
+
+    local_size_pos = PR_Seek(zipfp, 0, PR_SEEK_CUR) + 18;
+    /* File header */
+    if (PR_Write(zipfp, &entry->local, sizeof(struct ZipLocal ))
+         < sizeof(struct ZipLocal )) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
+	    "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    /* File Name */
+    if ( PR_Write(zipfp, filename, strlen(filename)) < strlen(filename)) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
+	    "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    /*
+     * File data
+     */
+    /* Initialize zstream */
+    zstream.zalloc = my_alloc_func;
+    zstream.zfree = my_free_func;
+    zstream.opaque = NULL;
+    zstream.next_in = inbuf;
+    zstream.avail_in = BUFSIZ;
+    zstream.next_out = outbuf;
+    zstream.avail_out = BUFSIZ;
+    /* Setting the windowBits to -MAX_WBITS is an undocumented feature of
+     * zlib (see deflate.c in zlib).  It is the same thing that Java does
+     * when you specify the nowrap option for deflation in java.util.zip.
+     * It causes zlib to leave out its headers and footers, which don't
+     * work in PKZIP files.
+     */
+    err = deflateInit2(&zstream, compression_level, Z_DEFLATED,
+			-MAX_WBITS, 8 /*default*/, Z_DEFAULT_STRATEGY);
+    if (err != Z_OK) {
+	handle_zerror(err, zstream.msg);
+	exit(ERRX);
+    }
+
+    while ( (zstream.avail_in = PR_Read(readfp, inbuf, BUFSIZ)) > 0) {
+	zstream.next_in = inbuf;
+	/* Process this chunk of data */
+	while (zstream.avail_in > 0) {
+	    err = deflate(&zstream, Z_NO_FLUSH);
+	    if (err != Z_OK) {
+		handle_zerror(err, zstream.msg);
+		exit(ERRX);
+	    }
+	    if (zstream.avail_out <= 0) {
+		if ( PR_Write(zipfp, outbuf, BUFSIZ) < BUFSIZ) {
+		    char	*nsprErr;
+		    if (PR_GetErrorTextLength()) {
+			nsprErr = PR_Malloc(PR_GetErrorTextLength());
+			PR_GetErrorText(nsprErr);
+		    } else {
+			nsprErr = NULL;
+		    }
+		    PR_fprintf(errorFD, "Writing zip data: %s\n",
+					nsprErr ? nsprErr : "");
+		    if (nsprErr) 
+			PR_Free(nsprErr);
+		    errorCount++;
+		    exit(ERRX);
+		}
+		zstream.next_out = outbuf;
+		zstream.avail_out = BUFSIZ;
+	    }
+	}
+    }
+
+    /* Now flush everything */
+    while (1) {
+	err = deflate(&zstream, Z_FINISH);
+	if (err == Z_STREAM_END) {
+	    break;
+	} else if (err == Z_OK) {
+	    /* output buffer full, repeat */
+	} else {
+	    handle_zerror(err, zstream.msg);
+	    exit(ERRX);
+	}
+	if ( PR_Write(zipfp, outbuf, BUFSIZ) < BUFSIZ) {
+	    char	*nsprErr;
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing zip data: %s\n",
+				nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+	zstream.avail_out = BUFSIZ;
+	zstream.next_out = outbuf;
+    }
+
+    /* If there's any output left, write it out. */
+    if (zstream.next_out != outbuf) {
+	if ( PR_Write(zipfp, outbuf, zstream.next_out - outbuf) <
+	    zstream.next_out - outbuf) {
+	    char	*nsprErr;
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing zip data: %s\n",
+				nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+	zstream.avail_out = BUFSIZ;
+	zstream.next_out = outbuf;
+    }
+
+    /* Now that we know the compressed size, write this to the headers */
+    longtox(zstream.total_in, entry->local.orglen);
+    longtox(zstream.total_out, entry->local.size);
+    if (PR_Seek(zipfp, local_size_pos, PR_SEEK_SET) == -1) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Accessing zip file: %s\n", nsprErr ? nsprErr : "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+    if ( PR_Write(zipfp, entry->local.size, 8) != 8) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr : "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+    if (PR_Seek(zipfp, 0L, PR_SEEK_END) == -1) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Accessing zip file: %s\n", 
+			    nsprErr ? nsprErr : "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+    longtox(zstream.total_in, entry->central.orglen);
+    longtox(zstream.total_out, entry->central.size);
+
+    /* Close out the deflation operation */
+    err = deflateEnd(&zstream);
+    if (err != Z_OK) {
+	handle_zerror(err, zstream.msg);
+	exit(ERRX);
+    }
+
+    PR_Close(readfp);
+
+    if ((zstream.total_in > zstream.total_out) && (zstream.total_in > 0)) {
+	deflate_percent = (int) 
+	    ((zstream.total_in - zstream.total_out) *100 / zstream.total_in);
+    } else {
+	deflate_percent = 0;
+    }
+    if (verbosity >= 0) {
+	PR_fprintf(outputFD, "(deflated %d%%)\n", deflate_percent);
+    }
+
+    return 0;
+}
+
+
+/********************************************************************
+ * J z i p C l o s e
+ *
+ * Finishes the ZipFile. ALSO DELETES THE ZIPFILE STRUCTURE PASSED IN!!
+ */
+int
+JzipClose(ZIPfile *zipfile)
+{
+    ZIPentry * pe, *dead;
+    PRFileDesc * zipfp;
+    struct ZipEnd zipend;
+    unsigned int	entrycount = 0;
+
+    if (!zipfile) {
+	return - 1;
+    }
+
+    if (!zipfile->filename) {
+	/* bogus */
+	return 0;
+    }
+
+    zipfp = zipfile->fp;
+    zipfile->central_start = PR_Seek(zipfp, 0L, PR_SEEK_CUR);
+
+    /* Write out all the central directories */
+    pe = zipfile->list;
+    while (pe) {
+	entrycount++;
+
+	/* Write central directory info */
+	if ( PR_Write(zipfp, &pe->central, sizeof(struct ZipCentral ))
+	     < sizeof(struct ZipCentral )) {
+	    char	*nsprErr;
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing zip data: %s\n",
+				nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+
+	/* Write filename */
+	if ( PR_Write(zipfp, pe->filename, strlen(pe->filename))
+	     < strlen(pe->filename)) {
+	    char	*nsprErr;
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing zip data: %s\n",
+				nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+
+	/* Write file comment */
+	if (pe->comment) {
+	    if ( PR_Write(zipfp, pe->comment, strlen(pe->comment))
+	         < strlen(pe->comment)) {
+		char	*nsprErr;
+		if (PR_GetErrorTextLength()) {
+		    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		    PR_GetErrorText(nsprErr);
+		} else {
+		    nsprErr = NULL;
+		}
+		PR_fprintf(errorFD, "Writing zip data: %s\n",
+					    nsprErr ? nsprErr : "");
+		if (nsprErr) 
+		    PR_Free(nsprErr);
+		errorCount++;
+		exit(ERRX);
+	    }
+	}
+
+	/* Delete the structure */
+	dead = pe;
+	pe = pe->next;
+	if (dead->filename) {
+	    PORT_Free(dead->filename);
+	}
+	if (dead->comment) {
+	    PORT_Free(dead->comment);
+	}
+	PORT_Free(dead);
+    }
+    zipfile->central_end = PR_Seek(zipfile->fp, 0L, PR_SEEK_CUR);
+
+    /* Create the ZipEnd structure */
+    PORT_Memset(&zipend, 0, sizeof(zipend));
+    longtox(ESIG, zipend.signature);
+    inttox(entrycount, zipend.total_entries_disk);
+    inttox(entrycount, zipend.total_entries_archive);
+    longtox(zipfile->central_end - zipfile->central_start,
+	    zipend.central_dir_size);
+    longtox(zipfile->central_start, zipend.offset_central_dir);
+    if (zipfile->comment) {
+	inttox(strlen(zipfile->comment), zipend.commentfield_len);
+    }
+
+    /* Write out ZipEnd xtructure */
+    if ( PR_Write(zipfp, &zipend, sizeof(zipend)) < sizeof(zipend)) {
+	char	*nsprErr;
+	if (PR_GetErrorTextLength()) {
+	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
+	    PR_GetErrorText(nsprErr);
+	} else {
+	    nsprErr = NULL;
+	}
+	PR_fprintf(errorFD, "Writing zip data: %s\n", 
+			    nsprErr ? nsprErr : "");
+	if (nsprErr) 
+	    PR_Free(nsprErr);
+	errorCount++;
+	exit(ERRX);
+    }
+
+    /* Write out Zipfile comment */
+    if (zipfile->comment) {
+	if ( PR_Write(zipfp, zipfile->comment, strlen(zipfile->comment))
+	     < strlen(zipfile->comment)) {
+	    char	*nsprErr;
+	    if (PR_GetErrorTextLength()) {
+		nsprErr = PR_Malloc(PR_GetErrorTextLength());
+		PR_GetErrorText(nsprErr);
+	    } else {
+		nsprErr = NULL;
+	    }
+	    PR_fprintf(errorFD, "Writing zip data: %s\n",
+				nsprErr ? nsprErr : "");
+	    if (nsprErr) 
+		PR_Free(nsprErr);
+	    errorCount++;
+	    exit(ERRX);
+	}
+    }
+
+    PR_Close(zipfp);
+
+    /* Free the memory of the zipfile structure */
+    if (zipfile->filename) {
+	PORT_Free(zipfile->filename);
+    }
+    if (zipfile->comment) {
+	PORT_Free(zipfile->comment);
+    }
+    PORT_Free(zipfile);
+
+    return 0;
+}
+
+
+/**********************************************
+ *  i n t t o x
+ *
+ *  Converts a two byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static void	inttox (int in, char *out)
+{
+    out [0] = (in & 0xFF);
+    out [1] = (in & 0xFF00) >> 8;
+}
+
+
+/*********************************************
+ *  l o n g t o x
+ *
+ *  Converts a four byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static void	longtox (long in, char *out)
+{
+    out [0] = (in & 0xFF);
+    out [1] = (in & 0xFF00) >> 8;
+    out [2] = (in & 0xFF0000) >> 16;
+    out [3] = (in & 0xFF000000) >> 24;
+}
+
+
diff --git a/security/nss/cmd/signtool/zip.h b/security/nss/cmd/signtool/zip.h
new file mode 100644
index 000000000..c1cd5df5b
--- /dev/null
+++ b/security/nss/cmd/signtool/zip.h
@@ -0,0 +1,103 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* zip.h
+ * Structures and functions for creating ZIP archives.
+ */
+#ifndef ZIP_H
+#define ZIP_H
+
+/* For general information on ZIP formats, you can look at jarfile.h
+ * in ns/security/lib/jar.  Or look it up on the web...
+ */
+
+/* One entry in a ZIPfile.  This corresponds to one file in the archive.
+ * We have to save this information because first all the files go into
+ * the archive with local headers; then at the end of the file we have to
+ * put the central directory entries for each file.
+ */
+typedef struct ZIPentry_s {
+	struct ZipLocal local;		/* local header info */
+	struct ZipCentral central;	/* central directory info */
+	char *filename;				/* name of file */
+	char *comment;				/* comment for this file -- optional */
+
+	struct ZIPentry_s *next;
+} ZIPentry;
+
+/* This structure contains the necessary data for putting a ZIP file
+ * together.  Has some overall information and a list of ZIPentrys.
+ */
+typedef struct ZIPfile_s {
+	char *filename;	/* ZIP file name */
+	char *comment;	/* ZIP file comment -- may be NULL */
+	PRFileDesc *fp;	/* ZIP file pointer */
+	ZIPentry *list;	/* one entry for each file in the archive */
+	unsigned int time;	/* the GMT time of creation, in DOS format */
+	unsigned int date;  /* the GMT date of creation, in DOS format */
+	unsigned long central_start; /* starting offset of central directory */
+	unsigned long central_end; /*index right after the last byte of central*/
+} ZIPfile;
+
+
+/* Open a new ZIP file.  Takes the name of the zip file and an optional
+ * comment to be included in the file.  Returns a new ZIPfile structure
+ * which is used by JzipAdd and JzipClose
+ */
+ZIPfile* JzipOpen(char *filename, char *comment);
+
+/* Add a file to a ZIP archive.  Fullname is the path relative to the
+ * current directory.  Filename is what the name will be stored as in the
+ * archive, and thus what it will be restored as.  zipfile is a structure
+ * returned from a previous call to JzipOpen.
+ *
+ * Non-zero return code means error (although usually the function will
+ * call exit() rather than return an error--gotta fix this).
+ */
+int JzipAdd(char *fullname, char *filename, ZIPfile *zipfile,
+	int compression_level);
+
+/* Finalize a ZIP archive.  Adds all the footer information to the end of
+ * the file and closes it.  Also DELETES THE ZIPFILE STRUCTURE that was
+ * passed in.  So you never have to allocate or free a ZIPfile yourself.
+ *
+ * Non-zero return code means error (although usually the function will
+ * call exit() rather than return an error--gotta fix this).
+ */
+int JzipClose (ZIPfile *zipfile);
+
+
+#endif /* ZIP_H */
diff --git a/security/nss/cmd/signver/Makefile b/security/nss/cmd/signver/Makefile
new file mode 100644
index 000000000..cd06aaa4f
--- /dev/null
+++ b/security/nss/cmd/signver/Makefile
@@ -0,0 +1,75 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
diff --git a/security/nss/cmd/signver/examples/1/form.pl b/security/nss/cmd/signver/examples/1/form.pl
new file mode 100755
index 000000000..aedc0c46a
--- /dev/null
+++ b/security/nss/cmd/signver/examples/1/form.pl
@@ -0,0 +1,54 @@
+#! /usr/bin/perl
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+print "Content-type: text/html\n\n";
+print "<B>Server Name:</B> ", $ENV{'SERVER_NAME'}, "<BR>", "\n";
+print "<B>Server Port:</B> ", $ENV{'SERVER_PORT'}, "<BR>", "\n";
+print "<B>Server Software:</B> ", $ENV{'SERVER_SOFTWARE'}, "<BR>", "\n";
+print "<B>Server Protocol:</B> ", $ENV{'SERVER_PROTOCOL'}, "<BR>", "\n";
+print "<B>CGI Revision:</B> ", $ENV{'GATEWAY_INTERFACE'}, "<BR>", "\n";
+print "<B>Browser:</B> ", $ENV{'HTTP_USER_AGENT'}, "<BR>", "\n";
+print "<B>Remote Address:</B> ", $ENV{'REMOTE_ADDR'}, "<BR>", "\n";
+print "<B>Remote Host:</B> ", $ENV{'REMOTE_HOST'}, "<BR>", "\n";
+print "<B>Remote User:</B> ", $ENV{'REMOTE_USER'}, "<BR>", "\n";
+print "You typed:\n";
+
+while( $_ = <STDIN>) {
+  print "$_";
+}
+
diff --git a/security/nss/cmd/signver/examples/1/signedForm.html b/security/nss/cmd/signver/examples/1/signedForm.html
new file mode 100644
index 000000000..3463fac8f
--- /dev/null
+++ b/security/nss/cmd/signver/examples/1/signedForm.html
@@ -0,0 +1,87 @@
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<head>
+<title>Form to sign</title>
+<script language="javascript">
+<!--
+function submitSigned(form){
+  var signature = "";
+  var dataToSign = "";
+  var i;
+
+  form.action='signedForm.pl';
+  for (i = 0; i < form.length; i++)
+    if (form.elements[i].type == "text")
+      dataToSign += form.elements[i].value;
+
+  // alert("Data to sign:\n" + dataToSign);
+  signature = crypto.signText(dataToSign, "ask");
+  /* alert("You cannot see this alert");
+  alert("Data signature:\n" + signature); */
+
+  if (signature != "error:userCancel") {
+    for (i = 0; i < form.length; i++) {
+      if (form.elements[i].type == "hidden") {
+        if (form.elements[i].name == "dataToSign")
+          form.elements[i].value = dataToSign;
+        if (form.elements[i].name == "dataSignature")
+          form.elements[i].value = signature;
+      }
+    }
+    form.submit();
+  }
+}
+//-->
+</script>
+</head>
+
+<body>
+<form method=post Action="form.pl">
+<input type=hidden size=30 name=dataSignature>
+<input type=hidden size=30 name=dataToSign>
+<input type=text size=30 name=p>
+<BR>
+<input type=text size=30 name=q>
+<BR>
+<input type=text size=30 name=r>
+<BR>
+<input type=submit value="Submit Data">
+<input type=button value="Sign and Submit Data" onclick=submitSigned(this.form)>
+<input type=reset value=Reset>
+</form>
+</body>
+</html>
diff --git a/security/nss/cmd/signver/examples/1/signedForm.nt.html b/security/nss/cmd/signver/examples/1/signedForm.nt.html
new file mode 100644
index 000000000..86e4c7e01
--- /dev/null
+++ b/security/nss/cmd/signver/examples/1/signedForm.nt.html
@@ -0,0 +1,87 @@
+<html>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<head>
+<title>Form to sign</title>
+<script language="javascript">
+<!--
+function submitSigned(form){
+  var signature = "";
+  var dataToSign = "";
+  var i;
+
+  form.action='cgi-bin/signedForm.pl';
+  for (i = 0; i < form.length; i++)
+    if (form.elements[i].type == "text")
+      dataToSign += form.elements[i].value;
+
+  // alert("Data to sign:\n" + dataToSign);
+  signature = crypto.signText(dataToSign, "ask");
+  /* alert("You cannot see this alert");
+  alert("Data signature:\n" + signature); */
+
+  if (signature != "error:userCancel") {
+    for (i = 0; i < form.length; i++) {
+      if (form.elements[i].type == "hidden") {
+        if (form.elements[i].name == "dataToSign")
+          form.elements[i].value = dataToSign;
+        if (form.elements[i].name == "dataSignature")
+          form.elements[i].value = signature;
+      }
+    }
+    form.submit();
+  }
+}
+//-->
+</script>
+</head>
+
+<body>
+<form method=post Action="cgi-bin/form.pl">
+<input type=hidden size=30 name=dataSignature>
+<input type=hidden size=30 name=dataToSign>
+<input type=text size=30 name=p>
+<BR>
+<input type=text size=30 name=q>
+<BR>
+<input type=text size=30 name=r>
+<BR>
+<input type=submit value="Submit Data">
+<input type=button value="Sign and Submit Data" onclick=submitSigned(this.form)>
+<input type=reset value=Reset>
+</form>
+</body>
+</html>
diff --git a/security/nss/cmd/signver/examples/1/signedForm.pl b/security/nss/cmd/signver/examples/1/signedForm.pl
new file mode 100755
index 000000000..c9b596061
--- /dev/null
+++ b/security/nss/cmd/signver/examples/1/signedForm.pl
@@ -0,0 +1,92 @@
+#! /usr/bin/perl
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+
+sub decode {
+    read (STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
+    @pairs = split(/&/, $buffer);
+    foreach $pair (@pairs)
+    {
+        ($name, $value) = split(/=/, $pair);
+        $value =~tr/+/ /;
+        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
+        $FORM{$name} = $value;
+#        print "name=$name  value=$value<BR>\n";
+    }
+}
+
+print "Content-type: text/html\n\n";
+
+&decode();
+
+$dataSignature = $FORM{'dataSignature'};
+$dataToSign = $FORM{'dataToSign'};
+
+unlink("signature");
+open(FILE1,">signature") || die("Cannot open file for writing\n");
+
+print FILE1 "$dataSignature";
+
+close(FILE1);
+
+
+unlink("data");
+open(FILE2,">data") || die("Cannot open file for writing\n");
+
+print FILE2 "$dataToSign";
+
+close(FILE2);
+
+
+print "<BR><B>Signed Data:</B><BR>", "$dataToSign", "<BR>";
+ 
+print "<BR><b>Verification Info:</b><BR>";
+ 
+$verInfo = `./signver -D . -s signature -d data -v`;
+print "<font color=red><b>$verInfo</b></font><BR>";
+
+print "<BR><B>Signature Data:</B><BR>", "$dataSignature", "<BR>";
+
+print "<BR><b>Signature Info:</b><BR>";
+
+foreach $line (`./signver -s signature -A`) {
+     print "$line<BR>\n";
+}
+
+print "<b>End of Info</b><BR>";
+
diff --git a/security/nss/cmd/signver/manifest.mn b/security/nss/cmd/signver/manifest.mn
new file mode 100644
index 000000000..a063d2a3c
--- /dev/null
+++ b/security/nss/cmd/signver/manifest.mn
@@ -0,0 +1,56 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = signver.c	\
+        pk7print.c	\
+	$(NULL)
+
+REQUIRES = dbm seccmd
+
+PROGRAM = signver
+
+PACKAGE_FILES = README.txt signedForm.html signedForm.pl form.pl
+ifeq ($(subst /,_,$(shell uname -s)),WINNT)
+PACKAGE_FILES += signedForm.nt.pl signver.exe
+else
+PACKAGE_FILES += signver
+endif
+
+ARCHIVE_NAME  = signver
diff --git a/security/nss/cmd/signver/pk7print.c b/security/nss/cmd/signver/pk7print.c
new file mode 100644
index 000000000..60e0d07ec
--- /dev/null
+++ b/security/nss/cmd/signver/pk7print.c
@@ -0,0 +1,900 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** secutil.c - various functions used by security stuff
+**
+*/
+ 
+/* pkcs #7 -related functions */
+ 
+ 
+#include "secutil.h"
+#include "secpkcs7.h"
+#include "secoid.h"
+#include <sys/stat.h>
+#include <stdarg.h>
+ 
+#ifdef XP_UNIX
+#include <unistd.h>
+#endif
+ 
+/* for SEC_TraverseNames */
+#include "cert.h"
+#include "prtypes.h"
+#include "prtime.h"
+ 
+#include "prlong.h"
+#include "secmod.h"
+#include "pk11func.h"
+#include "prerror.h"
+ 
+
+
+
+/*
+** PKCS7 Support
+*/
+
+/* forward declaration */
+int
+sv_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *);
+
+
+void
+sv_PrintAsHex(FILE *out, SECItem *data, char *m)
+{
+    unsigned i;
+
+    if (m) fprintf(out, m);
+    
+    for (i = 0; i < data->len; i++) {
+        if (i < data->len - 1) {
+            fprintf(out, "%02x:", data->data[i]);
+        } else {
+            fprintf(out, "%02x\n", data->data[i]);
+            break;
+        }
+    }
+}
+
+void
+sv_PrintInteger(FILE *out, SECItem *i, char *m)
+{
+    int iv;
+
+    if (i->len > 4) {
+        sv_PrintAsHex(out, i, m);
+    } else {
+        iv = DER_GetInteger(i);
+        fprintf(out, "%s%d (0x%x)\n", m, iv, iv);
+    }
+}
+
+
+int
+sv_PrintTime(FILE *out, SECItem *t, char *m)
+{
+    PRExplodedTime printableTime; 
+    int64 time;
+    char *timeString;
+    int rv;
+
+    rv = DER_DecodeTimeChoice(&time, t);
+    if (rv) return rv;
+
+    /* Convert to local time */
+    PR_ExplodeTime(time, PR_LocalTimeParameters, &printableTime);
+
+    timeString = (char *)PORT_Alloc(256);
+
+    if ( timeString ) {
+        if (PR_FormatTime( timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime )) {
+            fprintf(out, "%s%s\n", m, timeString);
+        }
+        PORT_Free(timeString);
+        return 0;
+    }
+    return SECFailure;
+}
+
+int
+sv_PrintValidity(FILE *out, CERTValidity *v, char *m)
+{
+    int rv;
+
+    fprintf(out, m);
+    rv = sv_PrintTime(out, &v->notBefore, "notBefore=");
+    if (rv) return rv;
+    fprintf(out, m);
+    sv_PrintTime(out, &v->notAfter, "notAfter=");
+    return rv;
+}
+
+void
+sv_PrintObjectID(FILE *out, SECItem *oid, char *m)
+{
+    const char *name;
+    SECOidData *oiddata;
+    
+    oiddata = SECOID_FindOID(oid);
+    if (oiddata == NULL) {
+        sv_PrintAsHex(out, oid, m);
+        return;
+    }
+    name = oiddata->desc;
+
+    if (m != NULL)
+        fprintf(out, "%s", m);
+    fprintf(out, "%s\n", name);
+}
+
+void
+sv_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m)
+{
+    sv_PrintObjectID(out, &a->algorithm, m);
+
+    if ((a->parameters.len != 2) ||
+        (PORT_Memcmp(a->parameters.data, "\005\000", 2) != 0)) {
+        /* Print args to algorithm */
+        sv_PrintAsHex(out, &a->parameters, "Args=");
+    }
+}
+
+void
+sv_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m)
+{
+    SECItem *value;
+    int i;
+    char om[100];
+
+    fprintf(out, m);
+
+    /*
+     * XXX Make this smarter; look at the type field and then decode
+     * and print the value(s) appropriately!
+     */
+    sv_PrintObjectID(out, &(attr->type), "type=");
+    if (attr->values != NULL) {
+        i = 0;
+        while ((value = attr->values[i]) != NULL) {
+            sprintf(om, "%svalue[%d]=%s", m, i++, attr->encoded ? "(encoded)" : ""); 
+            if (attr->encoded || attr->typeTag == NULL) {
+                sv_PrintAsHex(out, value, om);
+            } else {
+                switch (attr->typeTag->offset) {
+                    default:
+                        sv_PrintAsHex(out, value, om);
+                        break;
+                    case SEC_OID_PKCS9_CONTENT_TYPE:
+                        sv_PrintObjectID(out, value, om);
+                        break;
+                    case SEC_OID_PKCS9_SIGNING_TIME:
+                        sv_PrintTime(out, value, om);
+                        break;
+                }
+            }
+        }
+    }
+}
+
+void
+sv_PrintName(FILE *out, CERTName *name, char *msg)
+{
+    char *str;
+
+    str = CERT_NameToAscii(name);
+    fprintf(out, "%s%s\n", msg, str);
+    PORT_Free(str);
+}
+
+
+#if 0
+/*
+** secu_PrintPKCS7EncContent
+**   Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it)
+*/
+void
+secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, 
+			  char *m, int level)
+{
+    if (src->contentTypeTag == NULL)
+	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
+
+    secu_Indent(out, level);
+    fprintf(out, "%s:\n", m);
+    secu_Indent(out, level + 1); 
+    fprintf(out, "Content Type: %s\n",
+	    (src->contentTypeTag != NULL) ? src->contentTypeTag->desc
+					  : "Unknown");
+    sv_PrintAlgorithmID(out, &(src->contentEncAlg),
+			  "Content Encryption Algorithm");
+    sv_PrintAsHex(out, &(src->encContent), 
+		    "Encrypted Content", level+1);
+}
+
+/*
+** secu_PrintRecipientInfo
+**   Prints a PKCS7RecipientInfo type
+*/
+void
+secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, 
+			int level)
+{
+    secu_Indent(out, level); fprintf(out, "%s:\n", m);
+    sv_PrintInteger(out, &(info->version), "Version");	
+
+    sv_PrintName(out, &(info->issuerAndSN->issuer), "Issuer");
+    sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
+		      "Serial Number");
+
+    /* Parse and display encrypted key */
+    sv_PrintAlgorithmID(out, &(info->keyEncAlg), 
+			"Key Encryption Algorithm");
+    sv_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1);
+}
+#endif
+
+/* 
+** secu_PrintSignerInfo
+**   Prints a PKCS7SingerInfo type
+*/
+void
+sv_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m)
+{
+    SEC_PKCS7Attribute *attr;
+    int iv;
+    
+    fprintf(out, m);
+    sv_PrintInteger(out, &(info->version), "version=");
+
+    fprintf(out, m);
+    sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName=");
+    fprintf(out, m);
+    sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
+                        "serialNumber=");
+  
+    fprintf(out, m);
+    sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm=");
+    
+    if (info->authAttr != NULL) {
+        char mm[120];
+
+        iv = 0;
+        while (info->authAttr[iv] != NULL) iv++;
+        fprintf(out, "%sauthenticatedAttributes=%d\n", m, iv);
+        iv = 0;
+        while ((attr = info->authAttr[iv]) != NULL) {
+            sprintf(mm, "%sattribute[%d].", m, iv++); 
+            sv_PrintAttribute(out, attr, mm);
+        }
+    }
+    
+    /* Parse and display signature */
+    fprintf(out, m);
+    sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm=");
+    fprintf(out, m);
+    sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest=");
+    
+    if (info->unAuthAttr != NULL) {
+        char mm[120];
+
+        iv = 0;
+        while (info->unAuthAttr[iv] != NULL) iv++;
+        fprintf(out, "%sunauthenticatedAttributes=%d\n", m, iv);
+        iv = 0;
+        while ((attr = info->unAuthAttr[iv]) != NULL) {
+            sprintf(mm, "%sattribute[%d].", m, iv++); 
+            sv_PrintAttribute(out, attr, mm);
+        }
+    }
+}
+
+void
+sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
+{
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus=");
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent=");
+}
+
+void
+sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
+{
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime=");
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime=");
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.dsa.params.base, "base=");
+    fprintf(out, m);
+    sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue=");
+}
+
+int
+sv_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
+                             CERTSubjectPublicKeyInfo *i,  char *msg)
+{
+    SECKEYPublicKey *pk;
+    int rv;
+    char mm[200];
+
+    sprintf(mm, "%s.publicKeyAlgorithm=", msg);
+    sv_PrintAlgorithmID(out, &i->algorithm, mm);
+
+    pk = (SECKEYPublicKey*) PORT_ZAlloc(sizeof(SECKEYPublicKey));
+    if (!pk) return PORT_GetError();
+
+    DER_ConvertBitString(&i->subjectPublicKey);
+    switch(SECOID_FindOIDTag(&i->algorithm.algorithm)) {
+        case SEC_OID_PKCS1_RSA_ENCRYPTION:
+            rv = SEC_ASN1DecodeItem(arena, pk,
+                                    SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate),
+                                    &i->subjectPublicKey);
+            if (rv) return rv;
+            sprintf(mm, "%s.rsaPublicKey.", msg);
+            sv_PrintRSAPublicKey(out, pk, mm);
+            break;
+        case SEC_OID_ANSIX9_DSA_SIGNATURE:
+            rv = SEC_ASN1DecodeItem(arena, pk,
+                                    SEC_ASN1_GET(SECKEY_DSAPublicKeyTemplate),
+                                    &i->subjectPublicKey);
+            if (rv) return rv;
+            sprintf(mm, "%s.dsaPublicKey.", msg);
+            sv_PrintDSAPublicKey(out, pk, mm);
+            break;
+        default:
+            fprintf(out, "%s=bad SPKI algorithm type\n", msg);
+            return 0;
+    }
+
+    return 0;
+}
+
+SECStatus
+sv_PrintInvalidDateExten  (FILE *out, SECItem *value, char *msg)
+{
+    SECItem decodedValue;
+    SECStatus rv;
+    int64 invalidTime;
+    char *formattedTime = NULL;
+
+    decodedValue.data = NULL;
+    rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
+                             SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
+                             value);
+    if (rv == SECSuccess) {
+        rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
+        if (rv == SECSuccess) {
+            formattedTime = CERT_GenTime2FormattedAscii(invalidTime, "%a %b %d %H:%M:%S %Y");
+            fprintf (out, "%s: %s\n", msg, formattedTime);
+            PORT_Free (formattedTime);
+        }
+    }
+    PORT_Free (decodedValue.data);
+
+    return (rv);
+}
+
+int
+sv_PrintExtensions(FILE *out, CERTCertExtension **extensions, char *msg)
+{
+    SECOidTag oidTag;
+
+    if (extensions) {
+
+        while ( *extensions ) {
+            SECItem *tmpitem;
+
+            fprintf(out, "%sname=", msg);
+
+            tmpitem = &(*extensions)->id;
+            sv_PrintObjectID(out, tmpitem, NULL);
+
+            tmpitem = &(*extensions)->critical;
+            if ( tmpitem->len )
+                fprintf(out, "%scritical=%s\n", msg,
+                        (tmpitem->data && tmpitem->data[0])? "True": "False");
+
+            oidTag = SECOID_FindOIDTag (&((*extensions)->id));
+
+            fprintf(out, msg);
+            tmpitem = &((*extensions)->value);
+            if (oidTag == SEC_OID_X509_INVALID_DATE) 
+                sv_PrintInvalidDateExten (out, tmpitem,"invalidExt");
+            else			    
+                sv_PrintAsHex(out,tmpitem, "data=");
+
+            /*fprintf(out, "\n");*/
+            extensions++;
+        }
+    }
+
+    return 0;
+}
+
+/* callers of this function must make sure that the CERTSignedCrl
+   from which they are extracting the CERTCrl has been fully-decoded.
+   Otherwise it will not have the entries even though the CRL may have
+   some */
+void
+sv_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m)
+{
+    CERTCrlEntry *entry;
+    int iv;
+    char om[100];
+    
+    fprintf(out, m);
+    sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm=");
+    fprintf(out, m);
+    sv_PrintName(out, &(crl->name), "name=");
+    fprintf(out, m);
+    sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate=");
+    fprintf(out, m);
+    sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate=");
+    
+    if (crl->entries != NULL) {
+        iv = 0;
+        while ((entry = crl->entries[iv]) != NULL) {
+            fprintf(out, "%sentry[%d].", m, iv); 
+            sv_PrintInteger(out, &(entry->serialNumber), "serialNumber=");
+            fprintf(out, "%sentry[%d].", m, iv); 
+            sv_PrintTime(out, &(entry->revocationDate), "revocationDate=");
+            sprintf(om, "%sentry[%d].signedCRLEntriesExtensions.", m, iv++); 
+            sv_PrintExtensions(out, entry->extensions, om);
+        }
+    }
+    sprintf(om, "%ssignedCRLEntriesExtensions.", m); 
+    sv_PrintExtensions(out, crl->extensions, om);
+}
+
+
+int
+sv_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
+{
+    PRArenaPool *arena = NULL;
+    CERTCertificate *c;
+    int rv;
+    int iv;
+    char mm[200];
+    
+    /* Decode certificate */
+    c = (CERTCertificate*) PORT_ZAlloc(sizeof(CERTCertificate));
+    if (!c) return PORT_GetError();
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) return SEC_ERROR_NO_MEMORY;
+
+    rv = SEC_ASN1DecodeItem(arena, c, SEC_ASN1_GET(CERT_CertificateTemplate),
+                            der);
+    if (rv) {
+        PORT_FreeArena(arena, PR_FALSE);
+        return rv;
+    }
+
+    /* Pretty print it out */
+    iv = DER_GetInteger(&c->version);
+    fprintf(out, "%sversion=%d (0x%x)\n", m, iv + 1, iv);
+    sprintf(mm, "%sserialNumber=", m);
+    sv_PrintInteger(out, &c->serialNumber, mm);
+    sprintf(mm, "%ssignatureAlgorithm=", m);
+    sv_PrintAlgorithmID(out, &c->signature, mm);
+    sprintf(mm, "%sissuerName=", m);
+    sv_PrintName(out, &c->issuer, mm);
+    sprintf(mm, "%svalidity.", m);
+    sv_PrintValidity(out, &c->validity, mm);
+    sprintf(mm, "%ssubject=", m);
+    sv_PrintName(out, &c->subject, mm);
+    sprintf(mm, "%ssubjectPublicKeyInfo", m);
+    rv = sv_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, mm);
+    if (rv) {
+        PORT_FreeArena(arena, PR_FALSE);
+        return rv;
+    }
+    sprintf(mm, "%ssignedExtensions.", m);
+    sv_PrintExtensions(out, c->extensions, mm);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return 0;
+}
+
+int
+sv_PrintSignedData(FILE *out, SECItem *der, char *m, SECU_PPFunc inner)
+{
+    PRArenaPool *arena = NULL;
+    CERTSignedData *sd;
+    int rv;
+
+    /* Strip off the signature */
+    sd = (CERTSignedData*) PORT_ZAlloc(sizeof(CERTSignedData));
+    if (!sd) return PORT_GetError();
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) return SEC_ERROR_NO_MEMORY;
+
+    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
+                            der);
+    if (rv) {
+        PORT_FreeArena(arena, PR_FALSE);
+        return rv;
+    }
+
+/*    fprintf(out, "%s:\n", m); */
+    PORT_Strcat(m, "data.");
+
+    rv = (*inner)(out, &sd->data, m, 0);
+    if (rv) {
+        PORT_FreeArena(arena, PR_FALSE);
+        return rv;
+    }
+
+    m[PORT_Strlen(m) - 5] = 0;
+    fprintf(out, m);
+    sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
+    DER_ConvertBitString(&sd->signature);
+    fprintf(out, m);
+    sv_PrintAsHex(out, &sd->signature, "signature=");
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return 0;
+
+}
+
+
+/*
+** secu_PrintPKCS7Signed
+**   Pretty print a PKCS7 signed data type (up to version 1).
+*/
+int
+sv_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src)
+{
+    SECAlgorithmID *digAlg;		/* digest algorithms */
+    SECItem *aCert;			/* certificate */
+    CERTSignedCrl *aCrl;		/* certificate revocation list */
+    SEC_PKCS7SignerInfo *sigInfo;	/* signer information */
+    int rv, iv;
+    char om[120];
+
+    sv_PrintInteger(out, &(src->version), "pkcs7.version=");
+
+    /* Parse and list digest algorithms (if any) */
+    if (src->digestAlgorithms != NULL) {
+        iv = 0;
+        while (src->digestAlgorithms[iv] != NULL)
+            iv++;
+        fprintf(out, "pkcs7.digestAlgorithmListLength=%d\n", iv);
+        iv = 0;
+        while ((digAlg = src->digestAlgorithms[iv]) != NULL) {
+            sprintf(om, "pkcs7.digestAlgorithm[%d]=", iv++);
+            sv_PrintAlgorithmID(out, digAlg, om);
+        }
+    }
+
+    /* Now for the content */
+    rv = sv_PrintPKCS7ContentInfo(out, &(src->contentInfo), 
+				                    "pkcs7.contentInformation=");
+    if (rv != 0) return rv;
+
+    /* Parse and list certificates (if any) */
+    if (src->rawCerts != NULL) {
+        iv = 0;
+        while (src->rawCerts[iv] != NULL)
+            iv++;
+        fprintf(out, "pkcs7.certificateListLength=%d\n", iv);
+
+        iv = 0;
+        while ((aCert = src->rawCerts[iv]) != NULL) {
+            sprintf(om, "certificate[%d].", iv++);
+            rv = sv_PrintSignedData(out, aCert, om, sv_PrintCertificate);
+            if (rv) return rv;
+        }
+    }
+
+    /* Parse and list CRL's (if any) */
+    if (src->crls != NULL) {
+        iv = 0;
+        while (src->crls[iv] != NULL) iv++;
+        fprintf(out, "pkcs7.signedRevocationLists=%d\n", iv);
+        iv = 0;
+        while ((aCrl = src->crls[iv]) != NULL) {
+            sprintf(om, "signedRevocationList[%d].", iv);
+            fprintf(out, om);
+            sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
+                                "signatureAlgorithm=");
+            DER_ConvertBitString(&aCrl->signatureWrap.signature);
+            fprintf(out, om);
+            sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature=");
+            sprintf(om, "certificateRevocationList[%d].", iv);
+            sv_PrintCRLInfo(out, &aCrl->crl, om);
+            iv++;
+        }
+    }
+
+    /* Parse and list signatures (if any) */
+    if (src->signerInfos != NULL) {
+        iv = 0;
+        while (src->signerInfos[iv] != NULL)
+            iv++;
+        fprintf(out, "pkcs7.signerInformationListLength=%d\n", iv);
+        iv = 0;
+        while ((sigInfo = src->signerInfos[iv]) != NULL) {
+            sprintf(om, "signerInformation[%d].", iv++);
+            sv_PrintSignerInfo(out, sigInfo, om);
+        }
+    }  
+
+    return 0;
+}
+
+#if 0
+/*
+** secu_PrintPKCS7Enveloped
+**  Pretty print a PKCS7 enveloped data type (up to version 1).
+*/
+void
+secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src,
+			 char *m, int level)
+{
+    SEC_PKCS7RecipientInfo *recInfo;   /* pointer for signer information */
+    int iv;
+    char om[100];
+
+    secu_Indent(out, level); fprintf(out, "%s:\n", m);
+    sv_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    /* Parse and list recipients (this is not optional) */
+    if (src->recipientInfos != NULL) {
+	secu_Indent(out, level + 1);
+	fprintf(out, "Recipient Information List:\n");
+	iv = 0;
+	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
+	    sprintf(om, "Recipient Information (%x)", iv);
+	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
+	}
+    }  
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+}
+
+/*
+** secu_PrintPKCS7SignedEnveloped
+**   Pretty print a PKCS7 singed and enveloped data type (up to version 1).
+*/
+int
+secu_PrintPKCS7SignedAndEnveloped(FILE *out,
+				  SEC_PKCS7SignedAndEnvelopedData *src,
+				  char *m, int level)
+{
+    SECAlgorithmID *digAlg;  /* pointer for digest algorithms */
+    SECItem *aCert;           /* pointer for certificate */
+    CERTSignedCrl *aCrl;        /* pointer for certificate revocation list */
+    SEC_PKCS7SignerInfo *sigInfo;   /* pointer for signer information */
+    SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */
+    int rv, iv;
+    char om[100];
+
+    secu_Indent(out, level); fprintf(out, "%s:\n", m);
+    sv_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    /* Parse and list recipients (this is not optional) */
+    if (src->recipientInfos != NULL) {
+	secu_Indent(out, level + 1);
+	fprintf(out, "Recipient Information List:\n");
+	iv = 0;
+	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
+	    sprintf(om, "Recipient Information (%x)", iv);
+	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
+	}
+    }  
+
+    /* Parse and list digest algorithms (if any) */
+    if (src->digestAlgorithms != NULL) {
+	secu_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
+	iv = 0;
+	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
+	    sprintf(om, "Digest Algorithm (%x)", iv);
+	    sv_PrintAlgorithmID(out, digAlg, om);
+	}
+    }
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+
+    /* Parse and list certificates (if any) */
+    if (src->rawCerts != NULL) {
+	secu_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
+	iv = 0;
+	while ((aCert = src->rawCerts[iv++]) != NULL) {
+	    sprintf(om, "Certificate (%x)", iv);
+	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
+				      SECU_PrintCertificate);
+	    if (rv)
+		return rv;
+	}
+    }
+
+    /* Parse and list CRL's (if any) */
+    if (src->crls != NULL) {
+	secu_Indent(out, level + 1);  
+	fprintf(out, "Signed Revocation Lists:\n");
+	iv = 0;
+	while ((aCrl = src->crls[iv++]) != NULL) {
+	    sprintf(om, "Signed Revocation List (%x)", iv);
+	    secu_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
+	    sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
+				  "Signature Algorithm");
+	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
+	    sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
+			    level+3);
+	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
+			  level + 3); 
+	}
+    }
+
+    /* Parse and list signatures (if any) */
+    if (src->signerInfos != NULL) {
+	secu_Indent(out, level + 1);
+	fprintf(out, "Signer Information List:\n");
+	iv = 0;
+	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
+	    sprintf(om, "Signer Information (%x)", iv);
+	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
+	}
+    }  
+
+    return 0;
+}
+
+/*
+** secu_PrintPKCS7Encrypted
+**   Pretty print a PKCS7 encrypted data type (up to version 1).
+*/
+void
+secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src,
+			 char *m, int level)
+{
+    secu_Indent(out, level); fprintf(out, "%s:\n", m);
+    sv_PrintInteger(out, &(src->version), "Version", level + 1);
+
+    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
+			      "Encrypted Content Information", level + 1);
+}
+
+/*
+** secu_PrintPKCS7Digested
+**   Pretty print a PKCS7 digested data type (up to version 1).
+*/
+void
+sv_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src)
+{
+    secu_Indent(out, level); fprintf(out, "%s:\n", m);
+    sv_PrintInteger(out, &(src->version), "Version", level + 1);
+    
+    sv_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm");
+    sv_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information",
+			       level + 1);
+    sv_PrintAsHex(out, &src->digest, "Digest", level + 1);  
+}
+
+#endif
+
+/*
+** secu_PrintPKCS7ContentInfo
+**   Takes a SEC_PKCS7ContentInfo type and sends the contents to the 
+** appropriate function
+*/
+int
+sv_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, char *m)
+{
+    const char *desc;
+    SECOidTag kind;
+    int rv;
+
+    if (src->contentTypeTag == NULL)
+        src->contentTypeTag = SECOID_FindOID(&(src->contentType));
+
+    if (src->contentTypeTag == NULL) {
+        desc = "Unknown";
+        kind = SEC_OID_PKCS7_DATA;
+    } else {
+        desc = src->contentTypeTag->desc;
+        kind = src->contentTypeTag->offset;
+    }
+
+    fprintf(out, "%s%s\n", m, desc);
+
+    if (src->content.data == NULL) {
+        fprintf(out, "pkcs7.data=<no content>\n");
+        return 0;
+    }
+
+    rv = 0;
+    switch (kind) {
+        case SEC_OID_PKCS7_SIGNED_DATA:  /* Signed Data */
+            rv = sv_PrintPKCS7Signed(out, src->content.signedData);
+            break;
+
+        case SEC_OID_PKCS7_ENVELOPED_DATA:  /* Enveloped Data */
+            fprintf(out, "pkcs7EnvelopedData=<unsupported>\n");
+            /*sv_PrintPKCS7Enveloped(out, src->content.envelopedData);*/
+            break;
+
+        case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:  /* Signed and Enveloped */
+            fprintf(out, "pkcs7SignedEnvelopedData=<unsupported>\n");
+            /*rv = sv_PrintPKCS7SignedAndEnveloped(out,
+                                src->content.signedAndEnvelopedData);*/
+            break;
+
+        case SEC_OID_PKCS7_DIGESTED_DATA:  /* Digested Data */
+            fprintf(out, "pkcs7DigestedData=<unsupported>\n");
+            /*sv_PrintPKCS7Digested(out, src->content.digestedData);*/
+            break;
+
+        case SEC_OID_PKCS7_ENCRYPTED_DATA:  /* Encrypted Data */
+            fprintf(out, "pkcs7EncryptedData=<unsupported>\n");
+            /*sv_PrintPKCS7Encrypted(out, src->content.encryptedData);*/
+            break;
+
+        default:
+            fprintf(out, "pkcs7UnknownData=<unsupported>\n");
+            /*sv_PrintAsHex(out, src->content.data);*/
+            break;
+    }
+
+    return rv;
+}
+
+
+int
+SV_PrintPKCS7ContentInfo(FILE *out, SECItem *der)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    int rv = -1;
+
+    cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+
+    if (cinfo != NULL) {
+        rv = sv_PrintPKCS7ContentInfo(out, cinfo, "pkcs7.contentInfo=");
+        SEC_PKCS7DestroyContentInfo(cinfo);
+    }
+
+    return rv;
+}
+/*
+** End of PKCS7 functions
+*/
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c
new file mode 100644
index 000000000..cff5272f0
--- /dev/null
+++ b/security/nss/cmd/signver/signver.c
@@ -0,0 +1,347 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secutil.h"
+#include "secmod.h"
+#include "cert.h"
+#include "secoid.h"
+#include "nss.h"
+
+/* NSPR 2.0 header files */
+#include "prinit.h"
+#include "prprf.h"
+#include "prsystem.h"
+#include "prmem.h"
+/* Portable layer header files */
+#include "plstr.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+static PRBool debugInfo;
+static PRBool verbose;
+static PRBool doVerify;
+static PRBool displayAll;
+
+static const char * const usageInfo[] = {
+    "signver - verify a detached PKCS7 signature - Version " NSS_VERSION,
+    "Commands:",
+    " -A		    display all information from pkcs #7",
+    " -V		    verify the signed object and display result",
+    "Options:",
+    " -a		    signature file is ASCII",
+    " -d certdir	    directory containing cert database",
+    " -i dataFileName	    input file containing signed data (default stdin)",
+    " -o outputFileName     output file name, default stdout",
+    " -s signatureFileName  input file for signature (default stdin)",
+    " -v		    display verbose reason for failure"
+};
+static int nUsageInfo = sizeof(usageInfo)/sizeof(char *);
+
+extern int SV_PrintPKCS7ContentInfo(FILE *, SECItem *);
+
+static void Usage(char *progName, FILE *outFile)
+{
+    int i;
+    fprintf(outFile, "Usage:  %s [ commands ] options\n", progName);
+    for (i = 0; i < nUsageInfo; i++)
+	fprintf(outFile, "%s\n", usageInfo[i]);
+    exit(-1);
+}
+
+static HASH_HashType
+AlgorithmToHashType(SECAlgorithmID *digestAlgorithms)
+{
+    SECOidTag	  tag  = SECOID_GetAlgorithmTag(digestAlgorithms);
+    HASH_HashType hash = HASH_GetHashTypeByOidTag(tag);
+    return hash;
+}
+
+
+static SECStatus
+DigestContent (SECItem * digest, SECItem * content, HASH_HashType hashType)
+{
+    unsigned int maxLen = digest->len;
+    unsigned int len	= HASH_ResultLen(hashType);
+    SECStatus	 rv;
+
+    if (len > maxLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+
+    rv = HASH_HashBuf(hashType, digest->data, content->data, content->len);
+    if (rv == SECSuccess)
+	digest->len = len;
+    return rv;
+}
+
+enum {
+    cmd_DisplayAllPCKS7Info = 0,
+    cmd_VerifySignedObj
+};
+
+enum {
+    opt_ASCII,
+    opt_CertDir,
+    opt_InputDataFile,
+    opt_ItemNumber,
+    opt_OutputFile,
+    opt_InputSigFile,
+    opt_PrintWhyFailure,
+    opt_DebugInfo
+};
+
+static secuCommandFlag signver_commands[] =
+{
+    { /* cmd_DisplayAllPCKS7Info*/  'A', PR_FALSE, 0, PR_FALSE },
+    { /* cmd_VerifySignedObj	*/  'V', PR_FALSE, 0, PR_FALSE }
+};
+
+static secuCommandFlag signver_options[] =
+{
+    { /* opt_ASCII		*/  'a', PR_FALSE, 0, PR_FALSE },
+    { /* opt_CertDir		*/  'd', PR_TRUE,  0, PR_FALSE },
+    { /* opt_InputDataFile	*/  'i', PR_TRUE,  0, PR_FALSE },
+    { /* opt_OutputFile 	*/  'o', PR_TRUE,  0, PR_FALSE },
+    { /* opt_InputSigFile	*/  's', PR_TRUE,  0, PR_FALSE },
+    { /* opt_PrintWhyFailure	*/  'v', PR_FALSE, 0, PR_FALSE },
+    { /* opt_DebugInfo		*/    0, PR_FALSE, 0, PR_FALSE, "debug" }
+};
+
+int main(int argc, char **argv)
+{
+    PRFileDesc *contentFile = NULL;
+    PRFileDesc *signFile = PR_STDIN;
+    FILE *	outFile  = stdout;
+    char *	progName;
+    SECStatus	rv;
+    int 	result	 = 1;
+    SECItem	pkcs7der, content;
+    secuCommand signver;
+
+    pkcs7der.data  = NULL;
+    content.data = NULL;
+
+    signver.numCommands = sizeof(signver_commands) /sizeof(secuCommandFlag);
+    signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
+    signver.commands = signver_commands;
+    signver.options = signver_options;
+
+#ifdef XP_PC
+    progName = strrchr(argv[0], '\\');
+#else
+    progName = strrchr(argv[0], '/');
+#endif
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
+    if (SECSuccess != rv) {
+	Usage(progName, outFile);
+    }
+    debugInfo = signver.options[opt_DebugInfo	    ].activated;
+    verbose   = signver.options[opt_PrintWhyFailure ].activated;
+    doVerify  = signver.commands[cmd_VerifySignedObj].activated;
+    displayAll= signver.commands[cmd_DisplayAllPCKS7Info].activated;
+    if (!doVerify && !displayAll)
+	doVerify = PR_TRUE;
+
+    /*	Set the certdb directory (default is ~/.netscape) */
+    rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	return result;
+    }
+    /* below here, goto cleanup */
+    SECU_RegisterDynamicOids();
+
+    /*	Open the input content file. */
+    if (signver.options[opt_InputDataFile].activated &&
+	signver.options[opt_InputDataFile].arg) {
+	if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
+	    contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
+			       PR_RDONLY, 0);
+	    if (!contentFile) {
+		PR_fprintf(PR_STDERR,
+			   "%s: unable to open \"%s\" for reading.\n",
+			   progName, signver.options[opt_InputDataFile].arg);
+		goto cleanup;
+	    }
+	} else
+	    contentFile = PR_STDIN;
+    }
+
+    /*	Open the input signature file.	*/
+    if (signver.options[opt_InputSigFile].activated &&
+	signver.options[opt_InputSigFile].arg) {
+	if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
+	    signFile = PR_Open(signver.options[opt_InputSigFile].arg,
+			       PR_RDONLY, 0);
+	    if (!signFile) {
+		PR_fprintf(PR_STDERR,
+			   "%s: unable to open \"%s\" for reading.\n",
+			   progName, signver.options[opt_InputSigFile].arg);
+		goto cleanup;
+	    }
+	}
+    }
+
+    if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
+	PR_fprintf(PR_STDERR,
+	    "%s: cannot read both content and signature from standard input\n",
+		   progName);
+	goto cleanup;
+    }
+
+    /*	Open|Create the output file.  */
+    if (signver.options[opt_OutputFile].activated) {
+	outFile = fopen(signver.options[opt_OutputFile].arg, "w");
+	if (!outFile) {
+	    PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
+		       progName, signver.options[opt_OutputFile].arg);
+	    goto cleanup;
+	}
+    }
+
+    /* read in the input files' contents */
+    rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
+			      signver.options[opt_ASCII].activated);
+    if (signFile != PR_STDIN)
+	PR_Close(signFile);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "problem reading PKCS7 input");
+	goto cleanup;
+    }
+    if (contentFile) {
+	rv = SECU_FileToItem(&content, contentFile);
+	if (contentFile != PR_STDIN)
+	    PR_Close(contentFile);
+	if (rv != SECSuccess)
+	    content.data = NULL;
+    }
+
+    /* Signature Verification */
+    if (doVerify) {
+	SEC_PKCS7ContentInfo *cinfo;
+	SEC_PKCS7SignedData *signedData;
+	HASH_HashType digestType;
+	PRBool contentIsSigned;
+
+	cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
+				    NULL, NULL, NULL);
+	if (cinfo == NULL) {
+	    PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
+	    goto cleanup;
+	}
+	/* below here, goto done */
+
+	contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
+	if (debugInfo) {
+	    PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
+		       SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
+	}
+	if (debugInfo || !contentIsSigned) {
+	    PR_fprintf(PR_STDERR, "Content is%s signed.\n",
+		       contentIsSigned ? "" : " not");
+	}
+
+	if (!contentIsSigned)
+	    goto done;
+
+	signedData = cinfo->content.signedData;
+
+	/* assume that there is only one digest algorithm for now */
+	digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
+	if (digestType == HASH_AlgNULL) {
+	    PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
+	    goto done;
+	}
+	if (content.data) {
+	    SECCertUsage   usage = certUsageEmailSigner;
+	    SECItem	   digest;
+	    unsigned char  digestBuffer[HASH_LENGTH_MAX];
+
+	    if (debugInfo)
+		PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
+
+	    digest.data = digestBuffer;
+	    digest.len	= sizeof digestBuffer;
+
+	    if (DigestContent(&digest, &content, digestType)) {
+		SECU_PrintError(progName, "Message digest computation failure");
+		goto done;
+	    }
+
+	    if (debugInfo) {
+		unsigned int i;
+		PR_fprintf(PR_STDERR, "Data Digest=:");
+		for (i = 0; i < digest.len; i++)
+		    PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
+		PR_fprintf(PR_STDERR, "\n");
+	    }
+
+	    fprintf(outFile, "signatureValid=");
+	    PORT_SetError(0);
+	    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
+				   &digest, digestType, PR_FALSE)) {
+		fprintf(outFile, "yes");
+	    } else {
+		fprintf(outFile, "no");
+		if (verbose) {
+		    fprintf(outFile, ":%s",
+			    SECU_ErrorString((int16)PORT_GetError()));
+		}
+	    }
+	    fprintf(outFile, "\n");
+	    result = 0;
+	}
+done:
+	SEC_PKCS7DestroyContentInfo(cinfo);
+    }
+
+    if (displayAll) {
+	if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der))
+	    result = 1;
+    }
+
+cleanup:
+    SECITEM_FreeItem(&pkcs7der, PR_FALSE);
+    SECITEM_FreeItem(&content, PR_FALSE);
+
+    if (NSS_Shutdown() != SECSuccess) {
+	result = 1;
+    }
+
+    return result;
+}
diff --git a/security/nss/cmd/smimetools/Makefile b/security/nss/cmd/smimetools/Makefile
new file mode 100644
index 000000000..2d4665b18
--- /dev/null
+++ b/security/nss/cmd/smimetools/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+ifdef NISCC_TEST
+DEFINES += -DNISCC_TEST
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include rules.mk
+
+include ../platrules.mk
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
new file mode 100644
index 000000000..19218456d
--- /dev/null
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -0,0 +1,1651 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * cmsutil -- A command to work with CMS data
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+#include "secutil.h"
+#include "plgetopt.h"
+#include "secpkcs7.h"
+#include "cert.h"
+#include "certdb.h"
+#include "secoid.h"
+#include "cms.h"
+#include "nss.h"
+#include "smime.h"
+#include "pk11func.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#if defined(_WIN32)
+#include "fcntl.h"
+#include "io.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+char *progName = NULL;
+static int cms_verbose = 0;
+static secuPWData pwdata = { PW_NONE, 0 };
+static PK11PasswordFunc pwcb = NULL;
+static void *pwcb_arg = NULL;
+
+
+/* XXX stolen from cmsarray.c
+ * nss_CMSArray_Count - count number of elements in array
+ */
+int
+nss_CMSArray_Count(void **array)
+{
+    int n = 0;
+    if (array == NULL)
+	return 0;
+    while (*array++ != NULL)
+	n++;
+    return n;
+}
+
+static SECStatus
+DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
+           SECAlgorithmID **algids)
+{
+    NSSCMSDigestContext *digcx;
+    SECStatus rv;
+
+    digcx = NSS_CMSDigestContext_StartMultiple(algids);
+    if (digcx == NULL)
+	return SECFailure;
+
+    NSS_CMSDigestContext_Update(digcx, input->data, input->len);
+
+    rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
+    return rv;
+}
+
+
+static void
+Usage(char *progName)
+{
+    fprintf(stderr, 
+"Usage:  %s [-C|-D|-E|-O|-S] [<options>] [-d dbdir] [-u certusage]\n"
+" -C            create a CMS encrypted data message\n"
+" -D            decode a CMS message\n"
+"  -b           decode a batch of files named in infile\n"
+"  -c content   use this detached content\n"
+"  -n           suppress output of content\n"
+"  -h num       display num levels of CMS message info as email headers\n"
+"  -k           keep decoded encryption certs in perm cert db\n"
+" -E            create a CMS enveloped data message\n"
+"  -r id,...    create envelope for these recipients,\n"
+"               where id can be a certificate nickname or email address\n"
+" -S            create a CMS signed data message\n"
+"  -G           include a signing time attribute\n"
+"  -H hash      use hash (default:SHA1)\n"
+"  -N nick      use certificate named \"nick\" for signing\n"
+"  -P           include a SMIMECapabilities attribute\n"
+"  -T           do not include content in CMS message\n"
+"  -Y nick      include a EncryptionKeyPreference attribute with cert\n"
+"                 (use \"NONE\" to omit)\n"
+" -O            create a CMS signed message containing only certificates\n"
+" General Options:\n"
+" -d dbdir      key/cert database directory (default: ~/.netscape)\n"
+" -e envelope   enveloped data message in this file is used for bulk key\n"
+" -i infile     use infile as source of data (default: stdin)\n"
+" -o outfile    use outfile as destination of data (default: stdout)\n"
+" -p password   use password as key db password (default: prompt)\n"
+" -f pwfile     use password file to set password on all PKCS#11 tokens)\n"
+" -u certusage  set type of certificate usage (default: certUsageEmailSigner)\n"
+" -v            print debugging information\n"
+"\n"
+"Cert usage codes:\n",
+	    progName);
+    fprintf(stderr, "%-25s  0 - certUsageSSLClient\n", " ");
+    fprintf(stderr, "%-25s  1 - certUsageSSLServer\n", " ");
+    fprintf(stderr, "%-25s  2 - certUsageSSLServerWithStepUp\n", " ");
+    fprintf(stderr, "%-25s  3 - certUsageSSLCA\n", " ");
+    fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");
+    fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");
+    fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");
+    fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");
+    fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");
+    fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
+    fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
+    fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+
+    exit(-1);
+}
+
+struct optionsStr {
+    char *pwfile;
+    char *password;
+    SECCertUsage certUsage;
+    CERTCertDBHandle *certHandle;
+};
+
+struct decodeOptionsStr {
+    struct optionsStr *options;
+    SECItem            content;
+    int headerLevel;
+    PRBool suppressContent;
+    NSSCMSGetDecryptKeyCallback dkcb;
+    PK11SymKey *bulkkey;
+    PRBool      keepCerts;
+};
+
+struct signOptionsStr {
+    struct optionsStr *options;
+    char *nickname;
+    char *encryptionKeyPreferenceNick;
+    PRBool signingTime;
+    PRBool smimeProfile;
+    PRBool detached;
+    SECOidTag hashAlgTag;
+};
+
+struct envelopeOptionsStr {
+    struct optionsStr *options;
+    char **recipients;
+};
+
+struct certsonlyOptionsStr {
+    struct optionsStr *options;
+    char **recipients;
+};
+
+struct encryptOptionsStr {
+    struct optionsStr *options;
+    char **recipients;
+    NSSCMSMessage *envmsg;
+    SECItem *input;
+    FILE *outfile;
+    PRFileDesc *envFile;
+    PK11SymKey *bulkkey;
+    SECOidTag bulkalgtag;
+    int keysize;
+};
+
+static NSSCMSMessage *
+decode(FILE *out, SECItem *input, const struct decodeOptionsStr *decodeOptions)
+{
+    NSSCMSDecoderContext *dcx;
+    SECStatus rv;
+    NSSCMSMessage *cmsg;
+    int nlevels, i;
+    SECItem sitem = { 0, 0, 0 };
+
+    PORT_SetError(0);
+    dcx = NSS_CMSDecoder_Start(NULL, 
+                               NULL, NULL,         /* content callback     */
+                               pwcb, pwcb_arg,     /* password callback    */
+			       decodeOptions->dkcb, /* decrypt key callback */
+                               decodeOptions->bulkkey);
+    if (dcx == NULL) {
+	fprintf(stderr, "%s: failed to set up message decoder.\n", progName);
+	return NULL;
+    }
+    rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: failed to decode message.\n", progName);
+	NSS_CMSDecoder_Cancel(dcx);
+	return NULL;
+    }
+    cmsg = NSS_CMSDecoder_Finish(dcx);
+    if (cmsg == NULL) {
+	fprintf(stderr, "%s: failed to decode message.\n", progName);
+	return NULL;
+    }
+
+    if (decodeOptions->headerLevel >= 0) {
+	/*fprintf(out, "SMIME: ", decodeOptions->headerLevel, i);*/
+	fprintf(out, "SMIME: ");
+    }
+
+    nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
+    for (i = 0; i < nlevels; i++) {
+	NSSCMSContentInfo *cinfo;
+	SECOidTag typetag;
+
+	cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
+	typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+	if (decodeOptions->headerLevel >= 0)
+	    fprintf(out, "\tlevel=%d.%d; ", decodeOptions->headerLevel, nlevels - i);
+
+	switch (typetag) {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	  {
+	    NSSCMSSignedData *sigd = NULL;
+	    SECItem **digests;
+	    int nsigners;
+	    int j;
+
+	    if (decodeOptions->headerLevel >= 0)
+		fprintf(out, "type=signedData; ");
+	    sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
+	    if (sigd == NULL) {
+		SECU_PrintError(progName, "signedData component missing");
+		goto loser;
+	    }
+
+	    /* if we have a content file, but no digests for this signedData */
+	    if (decodeOptions->content.data != NULL && 
+	        !NSS_CMSSignedData_HasDigests(sigd)) {
+		PLArenaPool     *poolp;
+		SECAlgorithmID **digestalgs;
+
+		/* detached content: grab content file */
+		sitem = decodeOptions->content;
+
+		if ((poolp = PORT_NewArena(1024)) == NULL) {
+		    fprintf(stderr, "cmsutil: Out of memory.\n");
+		    goto loser;
+		}
+		digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
+		if (DigestFile (poolp, &digests, &sitem, digestalgs) 
+		      != SECSuccess) {
+		    SECU_PrintError(progName, 
+		                    "problem computing message digest");
+		    PORT_FreeArena(poolp, PR_FALSE);
+		    goto loser;
+		}
+		if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) 
+		    != SECSuccess) {
+		    SECU_PrintError(progName, 
+		                    "problem setting message digests");
+		    PORT_FreeArena(poolp, PR_FALSE);
+		    goto loser;
+		}
+		PORT_FreeArena(poolp, PR_FALSE);
+	    }
+
+	    /* import the certificates */
+	    if (NSS_CMSSignedData_ImportCerts(sigd, 
+	                                   decodeOptions->options->certHandle, 
+	                                   decodeOptions->options->certUsage, 
+	                                   decodeOptions->keepCerts) 
+	          != SECSuccess) {
+		SECU_PrintError(progName, "cert import failed");
+		goto loser;
+	    }
+
+	    /* find out about signers */
+	    nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
+	    if (decodeOptions->headerLevel >= 0)
+		fprintf(out, "nsigners=%d; ", nsigners);
+	    if (nsigners == 0) {
+		/* Might be a cert transport message
+		** or might be an invalid message, such as a QA test message
+		** or a message from an attacker.
+		*/
+		SECStatus rv;
+		rv = NSS_CMSSignedData_VerifyCertsOnly(sigd, 
+		                            decodeOptions->options->certHandle, 
+		                            decodeOptions->options->certUsage);
+		if (rv != SECSuccess) {
+		    fprintf(stderr, "cmsutil: Verify certs-only failed!\n");
+		    goto loser;
+		}
+		return cmsg;
+	    }
+
+	    /* still no digests? */
+	    if (!NSS_CMSSignedData_HasDigests(sigd)) {
+		SECU_PrintError(progName, "no message digests");
+		goto loser;
+	    }
+
+	    for (j = 0; j < nsigners; j++) {
+		const char * svs;
+		NSSCMSSignerInfo *si;
+		NSSCMSVerificationStatus vs;
+		SECStatus bad;
+
+		si = NSS_CMSSignedData_GetSignerInfo(sigd, j);
+		if (decodeOptions->headerLevel >= 0) {
+		    char *signercn;
+		    static char empty[] = { "" };
+
+		    signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
+		    if (signercn == NULL)
+			signercn = empty;
+		    fprintf(out, "\n\t\tsigner%d.id=\"%s\"; ", j, signercn);
+		    if (signercn != empty)
+		        PORT_Free(signercn);
+		}
+		bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j, 
+		                           decodeOptions->options->certHandle, 
+		                           decodeOptions->options->certUsage);
+		vs  = NSS_CMSSignerInfo_GetVerificationStatus(si);
+		svs = NSS_CMSUtil_VerificationStatusToString(vs);
+		if (decodeOptions->headerLevel >= 0) {
+		    fprintf(out, "signer%d.status=%s; ", j, svs);
+		    /* goto loser ? */
+		} else if (bad && out) {
+		    fprintf(stderr, "signer %d status = %s\n", j, svs);
+		    goto loser;
+		}
+	    }
+	  }
+	  break;
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	  {
+	    NSSCMSEnvelopedData *envd;
+	    if (decodeOptions->headerLevel >= 0)
+		fprintf(out, "type=envelopedData; ");
+	    envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
+	    if (envd == NULL) {
+		SECU_PrintError(progName, "envelopedData component missing");
+		goto loser;
+	    }
+	  }
+	  break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	  {
+	    NSSCMSEncryptedData *encd;
+	    if (decodeOptions->headerLevel >= 0)
+		fprintf(out, "type=encryptedData; ");
+	    encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
+	    if (encd == NULL) {
+		SECU_PrintError(progName, "encryptedData component missing");
+		goto loser;
+	    }
+	  }
+	  break;
+	case SEC_OID_PKCS7_DATA:
+	    if (decodeOptions->headerLevel >= 0)
+		fprintf(out, "type=data; ");
+	    break;
+	default:
+	    break;
+	}
+	if (decodeOptions->headerLevel >= 0)
+	    fprintf(out, "\n");
+    }
+
+    if (!decodeOptions->suppressContent && out) {
+	SECItem *item = (sitem.data ? &sitem 
+	                            : NSS_CMSMessage_GetContent(cmsg));
+	if (item && item->data && item->len) {
+	    fwrite(item->data, item->len, 1, out);
+    	}
+    }
+    return cmsg;
+
+loser:
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    return NULL;
+}
+
+/* example of a callback function to use with encoder */
+/*
+static void
+writeout(void *arg, const char *buf, unsigned long len)
+{
+    FILE *f = (FILE *)arg;
+
+    if (f != NULL && buf != NULL)
+	(void)fwrite(buf, len, 1, f);
+}
+*/
+
+static NSSCMSMessage *
+signed_data(struct signOptionsStr *signOptions)
+{
+    NSSCMSMessage *cmsg = NULL;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSSignedData *sigd;
+    NSSCMSSignerInfo *signerinfo;
+    CERTCertificate *cert= NULL, *ekpcert = NULL;
+
+    if (cms_verbose) {
+	fprintf(stderr, "Input to signed_data:\n");
+	if (signOptions->options->password)
+	    fprintf(stderr, "password [%s]\n", signOptions->options->password);
+        else if (signOptions->options->pwfile)
+	    fprintf(stderr, "password file [%s]\n", signOptions->options->pwfile);
+	else
+	    fprintf(stderr, "password [NULL]\n");
+	fprintf(stderr, "certUsage [%d]\n", signOptions->options->certUsage);
+	if (signOptions->options->certHandle)
+	    fprintf(stderr, "certdb [%p]\n", signOptions->options->certHandle);
+	else
+	    fprintf(stderr, "certdb [NULL]\n");
+	if (signOptions->nickname)
+	    fprintf(stderr, "nickname [%s]\n", signOptions->nickname);
+	else
+	    fprintf(stderr, "nickname [NULL]\n");
+    }
+    if (signOptions->nickname == NULL) {
+	fprintf(stderr, 
+        "ERROR: please indicate the nickname of a certificate to sign with.\n");
+	return NULL;
+    }
+    if ((cert = CERT_FindUserCertByUsage(signOptions->options->certHandle, 
+                                         signOptions->nickname,
+                                         signOptions->options->certUsage,
+                                         PR_FALSE,
+                                         &pwdata)) == NULL) {
+	SECU_PrintError(progName, 
+	                "the corresponding cert for key \"%s\" does not exist",
+	                signOptions->nickname);
+	return NULL;
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "Found certificate for %s\n", signOptions->nickname);
+    }
+    /*
+     * create the message object
+     */
+    cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
+    if (cmsg == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS message.\n");
+	return NULL;
+    }
+    /*
+     * build chain of objects: message->signedData->data
+     */
+    if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+    if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
+    /* we're always passing data in and detaching optionally */
+    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, 
+                                           signOptions->detached) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
+	goto loser;
+    }
+    /* 
+     * create & attach signer information
+     */
+    signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, signOptions->hashAlgTag);
+    if (signerinfo == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS signerInfo object.\n");
+	goto loser;
+    }
+    if (cms_verbose) {
+	fprintf(stderr,
+		 "Created CMS message, added signed data w/ signerinfo\n");
+    }
+    /* we want the cert chain included for this one */
+    if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain, 
+                                       signOptions->options->certUsage) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot find cert chain.\n");
+	goto loser;
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "imported certificate\n");
+    }
+    if (signOptions->signingTime) {
+	if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) 
+	      != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add signingTime attribute.\n");
+	    goto loser;
+	}
+    }
+    if (signOptions->smimeProfile) {
+	if (NSS_CMSSignerInfo_AddSMIMECaps(signerinfo) != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add SMIMECaps attribute.\n");
+	    goto loser;
+	}
+    }
+
+    if (!signOptions->encryptionKeyPreferenceNick) {
+	/* check signing cert for fitness as encryption cert */
+        SECStatus FitForEncrypt = CERT_CheckCertUsage(cert,
+                                                      certUsageEmailRecipient);
+
+        if (SECSuccess == FitForEncrypt) {
+            /* if yes, add signing cert as EncryptionKeyPreference */
+            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, cert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                    "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, cert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                    "ERROR: cannot add default MS SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+        } else {
+            /* this is a dual-key cert case, we need to look for the encryption
+               certificate under the same nickname as the signing cert */
+            /* get the cert, add it to the message */
+            if ((ekpcert = CERT_FindUserCertByUsage(
+                                              signOptions->options->certHandle,
+                                              signOptions->nickname,
+                                              certUsageEmailRecipient,
+                                              PR_FALSE,
+                                              &pwdata)) == NULL) {
+                SECU_PrintError(progName, 
+                         "the corresponding cert for key \"%s\" does not exist",
+                         signOptions->encryptionKeyPreferenceNick);
+                goto loser;
+            }
+            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                        "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                        "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+            if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
+                fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
+                goto loser;
+            }
+        }
+    } else if (PL_strcmp(signOptions->encryptionKeyPreferenceNick, "NONE") == 0) {
+        /* No action */
+    } else {
+	/* get the cert, add it to the message */
+	if ((ekpcert = CERT_FindUserCertByUsage(
+                                     signOptions->options->certHandle, 
+	                             signOptions->encryptionKeyPreferenceNick,
+                                     certUsageEmailRecipient, PR_FALSE, &pwdata))
+	      == NULL) {
+	    SECU_PrintError(progName, 
+	               "the corresponding cert for key \"%s\" does not exist",
+	                signOptions->encryptionKeyPreferenceNick);
+	    goto loser;
+	}
+	if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+	                                     signOptions->options->certHandle)
+	      != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
+	    goto loser;
+	}
+	if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+	                                     signOptions->options->certHandle)
+	      != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
+	    goto loser;
+	}
+	if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
+	    goto loser;
+	}
+    }
+
+    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot add CMS signerInfo object.\n");
+	goto loser;
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "created signed-data message\n");
+    }
+    if (ekpcert) {
+	CERT_DestroyCertificate(ekpcert);
+    }
+    if (cert) {
+	CERT_DestroyCertificate(cert);
+    }
+    return cmsg;
+loser:
+    if (ekpcert) {
+	CERT_DestroyCertificate(ekpcert);
+    }
+    if (cert) {
+	CERT_DestroyCertificate(cert);
+    }
+    NSS_CMSMessage_Destroy(cmsg);
+    return NULL;
+}
+
+static NSSCMSMessage *
+enveloped_data(struct envelopeOptionsStr *envelopeOptions)
+{
+    NSSCMSMessage *cmsg = NULL;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSEnvelopedData *envd;
+    NSSCMSRecipientInfo *recipientinfo;
+    CERTCertificate **recipientcerts = NULL;
+    CERTCertDBHandle *dbhandle;
+    PLArenaPool *tmppoolp = NULL;
+    SECOidTag bulkalgtag;
+    int keysize, i = 0;
+    int cnt;
+    dbhandle = envelopeOptions->options->certHandle;
+    /* count the recipients */
+    if ((cnt = nss_CMSArray_Count((void **)envelopeOptions->recipients)) == 0) {
+	fprintf(stderr, "ERROR: please name at least one recipient.\n");
+	goto loser;
+    }
+    if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
+	fprintf(stderr, "ERROR: out of memory.\n");
+	goto loser;
+    }
+    /* XXX find the recipient's certs by email address or nickname */
+    if ((recipientcerts = 
+         (CERTCertificate **)PORT_ArenaZAlloc(tmppoolp, 
+					     (cnt+1)*sizeof(CERTCertificate*)))
+            == NULL) {
+	fprintf(stderr, "ERROR: out of memory.\n");
+	goto loser;
+    }
+    for (i=0; envelopeOptions->recipients[i] != NULL; i++) {
+	if ((recipientcerts[i] = 
+	      CERT_FindCertByNicknameOrEmailAddr(dbhandle,  
+	                                        envelopeOptions->recipients[i]))
+	        == NULL) {
+	    SECU_PrintError(progName, "cannot find certificate for \"%s\"", 
+	                    envelopeOptions->recipients[i]);
+	    i=0;
+	    goto loser;
+	}
+    }
+    recipientcerts[i] = NULL;
+    i=0;
+    /* find a nice bulk algorithm */
+    if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientcerts, &bulkalgtag, 
+                                               &keysize) != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot find common bulk algorithm.\n");
+	goto loser;
+    }
+    /*
+     * create the message object
+     */
+    cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
+    if (cmsg == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS message.\n");
+	goto loser;
+    }
+    /*
+     * build chain of objects: message->envelopedData->data
+     */
+    if ((envd = NSS_CMSEnvelopedData_Create(cmsg, bulkalgtag, keysize)) 
+          == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS envelopedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+    if (NSS_CMSContentInfo_SetContent_EnvelopedData(cmsg, cinfo, envd) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS envelopedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
+    /* we're always passing data in, so the content is NULL */
+    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
+	goto loser;
+    }
+    /* 
+     * create & attach recipient information
+     */
+    for (i = 0; recipientcerts[i] != NULL; i++) {
+	if ((recipientinfo = NSS_CMSRecipientInfo_Create(cmsg, 
+	                                                 recipientcerts[i])) 
+	      == NULL) {
+	    fprintf(stderr, "ERROR: cannot create CMS recipientInfo object.\n");
+	    goto loser;
+	}
+	if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientinfo) 
+	      != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add CMS recipientInfo object.\n");
+	    goto loser;
+	}
+	CERT_DestroyCertificate(recipientcerts[i]);
+    }
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    return cmsg;
+loser:
+    if (recipientcerts) {
+	for (; recipientcerts[i] != NULL; i++) {
+	    CERT_DestroyCertificate(recipientcerts[i]);
+	}
+    }
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    return NULL;
+}
+
+PK11SymKey *dkcb(void *arg, SECAlgorithmID *algid)
+{
+    return (PK11SymKey*)arg;
+}
+
+static SECStatus
+get_enc_params(struct encryptOptionsStr *encryptOptions)
+{
+    struct envelopeOptionsStr envelopeOptions;
+    SECStatus rv = SECFailure;
+    NSSCMSMessage *env_cmsg;
+    NSSCMSContentInfo *cinfo;
+    int i, nlevels;
+    /*
+     * construct an enveloped data message to obtain bulk keys
+     */
+    if (encryptOptions->envmsg) {
+	env_cmsg = encryptOptions->envmsg; /* get it from an old message */
+    } else {
+	SECItem dummyOut = { 0, 0, 0 };
+	SECItem dummyIn  = { 0, 0, 0 };
+	char str[] = "Hello!";
+	PLArenaPool *tmparena = PORT_NewArena(1024);
+	dummyIn.data = (unsigned char *)str;
+	dummyIn.len = strlen(str);
+	envelopeOptions.options = encryptOptions->options;
+	envelopeOptions.recipients = encryptOptions->recipients;
+	env_cmsg = enveloped_data(&envelopeOptions);
+	NSS_CMSDEREncode(env_cmsg, &dummyIn, &dummyOut, tmparena);
+	PR_Write(encryptOptions->envFile, dummyOut.data, dummyOut.len);
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    /*
+     * get the content info for the enveloped data 
+     */
+    nlevels = NSS_CMSMessage_ContentLevelCount(env_cmsg);
+    for (i = 0; i < nlevels; i++) {
+    	SECOidTag typetag;
+	cinfo = NSS_CMSMessage_ContentLevel(env_cmsg, i);
+	typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+	if (typetag == SEC_OID_PKCS7_DATA) {
+	    /*
+	     * get the symmetric key
+	     */
+	    encryptOptions->bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
+	    encryptOptions->keysize = NSS_CMSContentInfo_GetBulkKeySize(cinfo);
+	    encryptOptions->bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
+	    rv = SECSuccess;
+	    break;
+	}
+    }
+    if (i == nlevels) {
+	fprintf(stderr, "%s: could not retrieve enveloped data.", progName);
+    }
+    if (env_cmsg)
+	NSS_CMSMessage_Destroy(env_cmsg);
+    return rv;
+}
+
+static NSSCMSMessage *
+encrypted_data(struct encryptOptionsStr *encryptOptions)
+{
+    SECStatus rv = SECFailure;
+    NSSCMSMessage *cmsg = NULL;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSEncryptedData *encd;
+    NSSCMSEncoderContext *ecx = NULL;
+    PLArenaPool *tmppoolp = NULL;
+    SECItem derOut = { 0, 0, 0 };
+    /* arena for output */
+    tmppoolp = PORT_NewArena(1024);
+    if (!tmppoolp) {
+	fprintf(stderr, "%s: out of memory.\n", progName);
+	return NULL;
+    }
+    /*
+     * create the message object
+     */
+    cmsg = NSS_CMSMessage_Create(NULL);
+    if (cmsg == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS message.\n");
+	goto loser;
+    }
+    /*
+     * build chain of objects: message->encryptedData->data
+     */
+    if ((encd = NSS_CMSEncryptedData_Create(cmsg, encryptOptions->bulkalgtag, 
+                                                  encryptOptions->keysize)) 
+           == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS encryptedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+    if (NSS_CMSContentInfo_SetContent_EncryptedData(cmsg, cinfo, encd)
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS encryptedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSEncryptedData_GetContentInfo(encd);
+    /* we're always passing data in, so the content is NULL */
+    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
+	goto loser;
+    }
+    ecx = NSS_CMSEncoder_Start(cmsg, NULL, NULL, &derOut, tmppoolp, NULL, NULL,
+                               dkcb, encryptOptions->bulkkey, NULL, NULL);
+    if (!ecx) {
+	fprintf(stderr, "%s: cannot create encoder context.\n", progName);
+	goto loser;
+    }
+    rv = NSS_CMSEncoder_Update(ecx, (char *)encryptOptions->input->data, 
+                                    encryptOptions->input->len);
+    if (rv) {
+	fprintf(stderr, "%s: failed to add data to encoder.\n", progName);
+	goto loser;
+    }
+    rv = NSS_CMSEncoder_Finish(ecx);
+    if (rv) {
+	fprintf(stderr, "%s: failed to encrypt data.\n", progName);
+	goto loser;
+    }
+    fwrite(derOut.data, derOut.len, 1, encryptOptions->outfile);
+    /*
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+	*/
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    return cmsg;
+loser:
+    /*
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+	*/
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    return NULL;
+}
+
+static NSSCMSMessage *
+signed_data_certsonly(struct certsonlyOptionsStr *certsonlyOptions)
+{
+    NSSCMSMessage *cmsg = NULL;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSSignedData *sigd;
+    CERTCertificate **certs = NULL;
+    CERTCertDBHandle *dbhandle;
+    PLArenaPool *tmppoolp = NULL;
+    int i = 0, cnt;
+    dbhandle = certsonlyOptions->options->certHandle;
+    if ((cnt = nss_CMSArray_Count((void**)certsonlyOptions->recipients)) == 0) {
+	fprintf(stderr, 
+        "ERROR: please indicate the nickname of a certificate to sign with.\n");
+	goto loser;
+    }
+    if (!(tmppoolp = PORT_NewArena(1024))) {
+	fprintf(stderr, "ERROR: out of memory.\n");
+	goto loser;
+    }
+    if (!(certs = PORT_ArenaZNewArray(tmppoolp, CERTCertificate *, cnt + 1))) {
+	fprintf(stderr, "ERROR: out of memory.\n");
+	goto loser;
+    }
+    for (i=0; certsonlyOptions->recipients[i] != NULL; i++) {
+	if ((certs[i] = 
+	      CERT_FindCertByNicknameOrEmailAddr(dbhandle,
+	                                      certsonlyOptions->recipients[i]))
+	        == NULL) {
+	    SECU_PrintError(progName, "cannot find certificate for \"%s\"", 
+	                    certsonlyOptions->recipients[i]);
+	    i=0;
+	    goto loser;
+	}
+    }
+    certs[i] = NULL;
+    i=0;
+    /*
+     * create the message object
+     */
+    cmsg = NSS_CMSMessage_Create(NULL);
+    if (cmsg == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS message.\n");
+	goto loser;
+    }
+    /*
+     * build chain of objects: message->signedData->data
+     */
+    if ((sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, certs[0], PR_TRUE))
+          == NULL) {
+	fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
+	goto loser;
+    }
+    CERT_DestroyCertificate(certs[0]);
+    for (i=1; i<cnt; i++) {
+	if (NSS_CMSSignedData_AddCertChain(sigd, certs[i])) {
+	    fprintf(stderr, "ERROR: cannot add cert chain for \"%s\".\n",
+	            certsonlyOptions->recipients[i]);
+	    goto loser;
+	}
+	CERT_DestroyCertificate(certs[i]);
+    }
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+    if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) 
+          != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
+	goto loser;
+    }
+    cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
+    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
+	   != SECSuccess) {
+	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
+	goto loser;
+    }
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    return cmsg;
+loser:
+    if (certs) {
+	for (; i<cnt; i++) {
+	    CERT_DestroyCertificate(certs[i]);
+	}
+    }
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    if (tmppoolp)
+	PORT_FreeArena(tmppoolp, PR_FALSE);
+    return NULL;
+}
+
+static char *
+pl_fgets(char * buf, int size, PRFileDesc * fd)
+{
+    char * bp = buf;
+    int    nb = 0;;
+
+    while (size > 1) {
+    	nb = PR_Read(fd, bp, 1);
+	if (nb < 0) {
+	    /* deal with error */
+	    return NULL;
+	} else if (nb == 0) {
+	    /* deal with EOF */
+	    return NULL;
+	} else if (*bp == '\n') {
+	    /* deal with EOL */
+	    ++bp;  /* keep EOL character */
+	    break;
+	} else {
+	    /* ordinary character */
+	    ++bp;
+	    --size;
+	}
+    }
+    *bp = '\0';
+    return buf;
+}
+
+typedef enum { UNKNOWN, DECODE, SIGN, ENCRYPT, ENVELOPE, CERTSONLY } Mode;
+
+static int 
+doBatchDecode(FILE *outFile, PRFileDesc *batchFile, 
+              const struct decodeOptionsStr *decodeOptions)
+{
+    char * str;
+    int    exitStatus = 0;
+    char   batchLine[512];
+
+    while (NULL != (str = pl_fgets(batchLine, sizeof batchLine, batchFile))) {
+	NSSCMSMessage *cmsg = NULL;
+	PRFileDesc *   inFile;
+    	int            len = strlen(str);
+	SECStatus      rv;
+	SECItem        input = {0, 0, 0};
+	char           cc;
+
+	while (len > 0 && 
+	       ((cc = str[len - 1]) == '\n' || cc == '\r')) {
+	    str[--len] = '\0';
+	}
+	if (!len) /* skip empty line */
+	    continue;
+	if (str[0] == '#')
+	    continue;  /* skip comment line */
+	fprintf(outFile, "========== %s ==========\n", str);
+	inFile = PR_Open(str, PR_RDONLY, 00660);
+	if (inFile == NULL) {
+	    fprintf(outFile, "%s: unable to open \"%s\" for reading\n",
+		    progName, str);
+	    exitStatus = 1;
+	    continue;
+	}
+	rv = SECU_FileToItem(&input, inFile);
+	PR_Close(inFile);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "unable to read infile");
+	    exitStatus = 1;
+	    continue;
+	}
+	cmsg = decode(outFile, &input, decodeOptions);
+	SECITEM_FreeItem(&input, PR_FALSE);
+	if (cmsg)
+	    NSS_CMSMessage_Destroy(cmsg);
+	else {
+	    SECU_PrintError(progName, "problem decoding");
+	    exitStatus = 1;
+	}
+    }
+    return exitStatus;
+}
+
+int
+main(int argc, char **argv)
+{
+    FILE *outFile;
+    NSSCMSMessage *cmsg = NULL;
+    PRFileDesc *inFile;
+    PLOptState *optstate;
+    PLOptStatus status;
+    Mode mode = UNKNOWN;
+    struct decodeOptionsStr decodeOptions = { 0 };
+    struct signOptionsStr signOptions = { 0 };
+    struct envelopeOptionsStr envelopeOptions = { 0 };
+    struct certsonlyOptionsStr certsonlyOptions = { 0 };
+    struct encryptOptionsStr encryptOptions = { 0 };
+    struct optionsStr options = { 0 };
+    int exitstatus;
+    static char *ptrarray[128] = { 0 };
+    int nrecipients = 0;
+    char *str, *tok;
+    char *envFileName;
+    SECItem input = { 0, 0, 0};
+    SECItem envmsg = { 0, 0, 0 };
+    SECStatus rv;
+    PRFileDesc *contentFile = NULL;
+    PRBool      batch = PR_FALSE;
+
+#ifdef NISCC_TEST
+    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+    PORT_Assert(ev); 
+    ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
+    PORT_Assert(ev); 
+#endif 
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+       progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    inFile = PR_STDIN;
+    outFile = stdout;
+    envFileName = NULL;
+    mode = UNKNOWN;
+    decodeOptions.content.data = NULL;
+    decodeOptions.content.len  = 0;
+    decodeOptions.suppressContent = PR_FALSE;
+    decodeOptions.headerLevel = -1;
+    decodeOptions.keepCerts = PR_FALSE;
+    options.certUsage = certUsageEmailSigner;
+    options.password = NULL;
+    options.pwfile = NULL;
+    signOptions.nickname = NULL;
+    signOptions.detached = PR_FALSE;
+    signOptions.signingTime = PR_FALSE;
+    signOptions.smimeProfile = PR_FALSE;
+    signOptions.encryptionKeyPreferenceNick = NULL;
+    signOptions.hashAlgTag = SEC_OID_SHA1;
+    envelopeOptions.recipients = NULL;
+    encryptOptions.recipients = NULL;
+    encryptOptions.envmsg = NULL;
+    encryptOptions.envFile = NULL;
+    encryptOptions.bulkalgtag = SEC_OID_UNKNOWN;
+    encryptOptions.bulkkey = NULL;
+    encryptOptions.keysize = -1;
+
+    /*
+     * Parse command line arguments
+     */
+    optstate = PL_CreateOptState(argc, argv, 
+				 "CDEGH:N:OPSTY:bc:d:e:f:h:i:kno:p:r:s:u:v");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	case 'C':
+	    mode = ENCRYPT;
+	    break;
+	case 'D':
+	    mode = DECODE;
+	    break;
+	case 'E':
+	    mode = ENVELOPE;
+	    break;
+	case 'G':
+	    if (mode != SIGN) {
+		fprintf(stderr, 
+		        "%s: option -G only supported with option -S.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    signOptions.signingTime = PR_TRUE;
+	    break;
+       case 'H':
+           if (mode != SIGN) {
+               fprintf(stderr,
+                       "%s: option -H only supported with option -S.\n",
+                       progName);
+               Usage(progName);
+               exit(1);
+           }
+           decodeOptions.suppressContent = PR_TRUE;
+           if (!strcmp(optstate->value, "MD2"))
+               signOptions.hashAlgTag = SEC_OID_MD2;
+           else if (!strcmp(optstate->value, "MD4"))
+               signOptions.hashAlgTag = SEC_OID_MD4;
+           else if (!strcmp(optstate->value, "MD5"))
+               signOptions.hashAlgTag = SEC_OID_MD5;
+           else if (!strcmp(optstate->value, "SHA1"))
+               signOptions.hashAlgTag = SEC_OID_SHA1;
+           else if (!strcmp(optstate->value, "SHA256"))
+               signOptions.hashAlgTag = SEC_OID_SHA256;
+           else if (!strcmp(optstate->value, "SHA384"))
+               signOptions.hashAlgTag = SEC_OID_SHA384;
+           else if (!strcmp(optstate->value, "SHA512"))
+               signOptions.hashAlgTag = SEC_OID_SHA512;
+           else {
+               fprintf(stderr,
+           "%s: -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512\n",
+                       progName);
+               exit(1);
+           }
+           break;
+	case 'N':
+	    if (mode != SIGN) {
+		fprintf(stderr, 
+		        "%s: option -N only supported with option -S.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    signOptions.nickname = strdup(optstate->value);
+	    break;
+	case 'O':
+	    mode = CERTSONLY;
+	    break;
+	case 'P':
+	    if (mode != SIGN) {
+		fprintf(stderr, 
+		        "%s: option -P only supported with option -S.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    signOptions.smimeProfile = PR_TRUE;
+	    break;
+	case 'S':
+	    mode = SIGN;
+	    break;
+	case 'T':
+	    if (mode != SIGN) {
+		fprintf(stderr, 
+		        "%s: option -T only supported with option -S.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    signOptions.detached = PR_TRUE;
+	    break;
+	case 'Y':
+	    if (mode != SIGN) {
+		fprintf(stderr, 
+		        "%s: option -Y only supported with option -S.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    signOptions.encryptionKeyPreferenceNick = strdup(optstate->value);
+	    break;
+
+	case 'b':
+	    if (mode != DECODE) {
+		fprintf(stderr, 
+		        "%s: option -b only supported with option -D.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    batch = PR_TRUE;
+	    break;
+
+	case 'c':
+	    if (mode != DECODE) {
+		fprintf(stderr, 
+		        "%s: option -c only supported with option -D.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    contentFile = PR_Open(optstate->value, PR_RDONLY, 006600);
+	    if (contentFile == NULL) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading.\n",
+			progName, optstate->value);
+		exit(1);
+	    }
+
+	    rv = SECU_FileToItem(&decodeOptions.content, contentFile);
+	    PR_Close(contentFile);
+	    if (rv != SECSuccess) {
+		SECU_PrintError(progName, "problem reading content file");
+		exit(1);
+	    }
+	    if (!decodeOptions.content.data) {
+		/* file was zero length */
+		decodeOptions.content.data = (unsigned char *)PORT_Strdup("");
+		decodeOptions.content.len  = 0;
+	    }
+
+	    break;
+	case 'd':
+	    SECU_ConfigDirectory(optstate->value);
+	    break;
+	case 'e':
+	    envFileName = strdup(optstate->value);
+	    encryptOptions.envFile = PR_Open(envFileName, PR_RDONLY, 00660);
+	    break;
+
+	case 'h':
+	    if (mode != DECODE) {
+		fprintf(stderr, 
+		        "%s: option -h only supported with option -D.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    decodeOptions.headerLevel = atoi(optstate->value);
+	    if (decodeOptions.headerLevel < 0) {
+		fprintf(stderr, "option -h cannot have a negative value.\n");
+		exit(1);
+	    }
+	    break;
+	case 'i':
+	    if (!optstate->value) {
+	        fprintf(stderr, "-i option requires filename argument\n");
+	        exit(1);
+	    }
+	    inFile = PR_Open(optstate->value, PR_RDONLY, 00660);
+	    if (inFile == NULL) {
+		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+			progName, optstate->value);
+		exit(1);
+	    }
+	    break;
+
+	case 'k':
+	    if (mode != DECODE) {
+		fprintf(stderr, 
+		        "%s: option -k only supported with option -D.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    decodeOptions.keepCerts = PR_TRUE;
+	    break;
+
+	case 'n':
+	    if (mode != DECODE) {
+		fprintf(stderr, 
+		        "%s: option -n only supported with option -D.\n", 
+		        progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    decodeOptions.suppressContent = PR_TRUE;
+	    break;
+	case 'o':
+	    outFile = fopen(optstate->value, "wb");
+	    if (outFile == NULL) {
+		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+			progName, optstate->value);
+		exit(1);
+	    }
+	    break;
+	case 'p':
+	    if (!optstate->value) {
+		fprintf(stderr, "%s: option -p must have a value.\n", progName);
+		Usage(progName);
+		exit(1);
+	    }
+		
+	    options.password = strdup(optstate->value);
+	    break;
+
+        case 'f':
+            if (!optstate->value) {
+                fprintf(stderr, "%s: option -f must have a value.\n", progName);
+                Usage(progName);
+                exit(1);
+            }
+
+            options.pwfile = strdup(optstate->value);
+            break;
+
+	case 'r':
+	    if (!optstate->value) {
+		fprintf(stderr, "%s: option -r must have a value.\n", progName);
+		Usage(progName);
+		exit(1);
+	    }
+	    envelopeOptions.recipients = ptrarray;
+	    str = (char *)optstate->value;
+	    do {
+		tok = strchr(str, ',');
+		if (tok) *tok = '\0';
+		envelopeOptions.recipients[nrecipients++] = strdup(str);
+		if (tok) str = tok + 1;
+	    } while (tok);
+	    envelopeOptions.recipients[nrecipients] = NULL;
+	    encryptOptions.recipients = envelopeOptions.recipients;
+	    certsonlyOptions.recipients = envelopeOptions.recipients;
+	    break;
+
+	case 'u': {
+	    int usageType;
+
+	    usageType = atoi (strdup(optstate->value));
+	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
+		return -1;
+	    options.certUsage = (SECCertUsage)usageType;
+	    break;
+	  }
+	case 'v':
+	    cms_verbose = 1;
+	    break;
+
+	}
+    }
+    if (status == PL_OPT_BAD)
+	Usage(progName);
+    PL_DestroyOptState(optstate);
+
+    if (mode == UNKNOWN)
+	Usage(progName);
+
+    if (mode != CERTSONLY && !batch) {
+	rv = SECU_FileToItem(&input, inFile);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "unable to read infile");
+	    exit(1);
+	}
+	if (inFile != PR_STDIN) {
+	    PR_Close(inFile);
+    	}
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "received commands\n");
+    }
+
+    /* Call the NSS initialization routines */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
+    if (SECSuccess != rv) {
+	SECU_PrintError(progName, "NSS_Init failed");
+	exit(1);
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "NSS has been initialized.\n");
+    }
+    options.certHandle = CERT_GetDefaultCertDB();
+    if (!options.certHandle) {
+	SECU_PrintError(progName, "No default cert DB");
+	exit(1);
+    }
+    if (cms_verbose) {
+	fprintf(stderr, "Got default certdb\n");
+    }
+    if (options.password)
+    {
+    	pwdata.source = PW_PLAINTEXT;
+    	pwdata.data = options.password;
+    }
+    if (options.pwfile)
+    {
+    	pwdata.source = PW_FROMFILE;
+    	pwdata.data = options.pwfile;
+    }
+    pwcb = SECU_GetModulePassword;
+    pwcb_arg = (void *)&pwdata;
+
+    PK11_SetPasswordFunc(&SECU_GetModulePassword);
+
+
+#if defined(_WIN32)
+    if (outFile == stdout) {
+	/* If we're going to write binary data to stdout, we must put stdout
+	** into O_BINARY mode or else outgoing \n's will become \r\n's.
+	*/
+	int smrv = _setmode(_fileno(stdout), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
+	            progName);
+	    return smrv;
+	}
+    }
+#endif
+
+    exitstatus = 0;
+    switch (mode) {
+    case DECODE:       /* -D */
+	decodeOptions.options = &options;
+	if (encryptOptions.envFile) {
+	    /* Decoding encrypted-data, so get the bulkkey from an
+	     * enveloped-data message.
+	     */
+	    SECU_FileToItem(&envmsg, encryptOptions.envFile);
+	    decodeOptions.options = &options;
+	    encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
+	    if (!encryptOptions.envmsg) {
+		SECU_PrintError(progName, "problem decoding env msg");
+		exitstatus = 1;
+		break;
+	    }
+	    rv = get_enc_params(&encryptOptions);
+	    decodeOptions.dkcb = dkcb;
+	    decodeOptions.bulkkey = encryptOptions.bulkkey;
+	}
+	if (!batch) {
+	    cmsg = decode(outFile, &input, &decodeOptions);
+	    if (!cmsg) {
+		SECU_PrintError(progName, "problem decoding");
+		exitstatus = 1;
+	    }
+	} else {
+	    exitstatus = doBatchDecode(outFile, inFile, &decodeOptions);
+	    if (inFile != PR_STDIN) {
+		PR_Close(inFile);
+	    }
+	}
+	break;
+    case SIGN:         /* -S */
+	signOptions.options = &options;
+	cmsg = signed_data(&signOptions);
+	if (!cmsg) {
+	    SECU_PrintError(progName, "problem signing");
+	    exitstatus = 1;
+	}
+	break;
+    case ENCRYPT:      /* -C */
+	if (!envFileName) {
+	    fprintf(stderr, "%s: you must specify an envelope file with -e.\n",
+	            progName);
+	    exit(1);
+	}
+	encryptOptions.options = &options;
+	encryptOptions.input = &input;
+	encryptOptions.outfile = outFile;
+	/* decode an enveloped-data message to get the bulkkey (create
+	 * a new one if neccessary)
+	 */
+	if (!encryptOptions.envFile) {
+	    encryptOptions.envFile = PR_Open(envFileName, 
+	                                     PR_WRONLY|PR_CREATE_FILE, 00660);
+	    if (!encryptOptions.envFile) {
+		fprintf(stderr, "%s: failed to create file %s.\n", progName,
+		        envFileName);
+		exit(1);
+	    }
+	} else {
+	    SECU_FileToItem(&envmsg, encryptOptions.envFile);
+	    decodeOptions.options = &options;
+	    encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
+	    if (encryptOptions.envmsg == NULL) {
+	    	SECU_PrintError(progName, "problem decrypting env msg");
+		exitstatus = 1;
+	    	break;
+	    }
+	}
+	rv = get_enc_params(&encryptOptions);
+	/* create the encrypted-data message */
+	cmsg = encrypted_data(&encryptOptions);
+	if (!cmsg) {
+	    SECU_PrintError(progName, "problem encrypting");
+	    exitstatus = 1;
+	}
+	if (encryptOptions.bulkkey) {
+	    PK11_FreeSymKey(encryptOptions.bulkkey);
+	    encryptOptions.bulkkey = NULL;
+	}
+	break;
+    case ENVELOPE:     /* -E */
+	envelopeOptions.options = &options;
+	cmsg = enveloped_data(&envelopeOptions);
+	if (!cmsg) {
+	    SECU_PrintError(progName, "problem enveloping");
+	    exitstatus = 1;
+	}
+	break;
+    case CERTSONLY:    /* -O */
+	certsonlyOptions.options = &options;
+	cmsg = signed_data_certsonly(&certsonlyOptions);
+	if (!cmsg) {
+	    SECU_PrintError(progName, "problem with certs-only");
+	    exitstatus = 1;
+	}
+	break;
+    default:
+	fprintf(stderr, "One of options -D, -S or -E must be set.\n");
+	Usage(progName);
+	exitstatus = 1;
+    }
+    if ( (mode == SIGN || mode == ENVELOPE || mode == CERTSONLY)
+         && (!exitstatus) ) {
+	PLArenaPool *arena = PORT_NewArena(1024);
+	NSSCMSEncoderContext *ecx;
+	SECItem output = { 0, 0, 0 };
+
+	if (!arena) {
+	    fprintf(stderr, "%s: out of memory.\n", progName);
+	    exit(1);
+	}
+
+	if (cms_verbose) {
+	    fprintf(stderr, "cmsg [%p]\n", cmsg);
+	    fprintf(stderr, "arena [%p]\n", arena);
+	    if (pwcb_arg && (PW_PLAINTEXT == ((secuPWData*)pwcb_arg)->source))
+		fprintf(stderr, "password [%s]\n",
+                        ((secuPWData*)pwcb_arg)->data);
+	    else
+		fprintf(stderr, "password [NULL]\n");
+	}
+	ecx = NSS_CMSEncoder_Start(cmsg, 
+                                   NULL, NULL,     /* DER output callback  */
+                                   &output, arena, /* destination storage  */
+                                   pwcb, pwcb_arg, /* password callback    */
+                                   NULL, NULL,     /* decrypt key callback */
+                                   NULL, NULL );   /* detached digests    */
+	if (!ecx) {
+	    fprintf(stderr, "%s: cannot create encoder context.\n", progName);
+	    exit(1);
+	}
+	if (cms_verbose) {
+	    fprintf(stderr, "input len [%d]\n", input.len);
+	    { unsigned int j; 
+		for(j=0;j<input.len;j++)
+	     fprintf(stderr, "%2x%c", input.data[j], (j>0&&j%35==0)?'\n':' ');
+	    }
+	}
+	if (input.len > 0) { /* skip if certs-only (or other zero content) */
+	    rv = NSS_CMSEncoder_Update(ecx, (char *)input.data, input.len);
+	    if (rv) {
+		fprintf(stderr, 
+		        "%s: failed to add data to encoder.\n", progName);
+		exit(1);
+	    }
+	}
+	rv = NSS_CMSEncoder_Finish(ecx);
+	if (rv) {
+            SECU_PrintError(progName, "failed to encode data");
+	    exit(1);
+	}
+
+	if (cms_verbose) {
+	    fprintf(stderr, "encoding passed\n");
+	}
+	fwrite(output.data, output.len, 1, outFile);
+	if (cms_verbose) {
+	    fprintf(stderr, "wrote to file\n");
+	}
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    if (outFile != stdout)
+	fclose(outFile);
+
+    SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);
+    SECITEM_FreeItem(&envmsg, PR_FALSE);
+    SECITEM_FreeItem(&input, PR_FALSE);
+    if (NSS_Shutdown() != SECSuccess) {
+	SECU_PrintError(progName, "NSS_Shutdown failed");
+	exitstatus = 1;
+    }
+    PR_Cleanup();
+    return exitstatus;
+}
diff --git a/security/nss/cmd/smimetools/manifest.mn b/security/nss/cmd/smimetools/manifest.mn
new file mode 100644
index 000000000..ac2052ac4
--- /dev/null
+++ b/security/nss/cmd/smimetools/manifest.mn
@@ -0,0 +1,49 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+CSRCS = cmsutil.c  
+
+MYLIB = $(DIST)/lib/libsmime.a
+
+REQUIRES = seccmd dbm
+
+PROGRAM = cmsutil
+SCRIPTS = smime
diff --git a/security/nss/cmd/smimetools/rules.mk b/security/nss/cmd/smimetools/rules.mk
new file mode 100644
index 000000000..1743a5e42
--- /dev/null
+++ b/security/nss/cmd/smimetools/rules.mk
@@ -0,0 +1,40 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+# $Id$
+
+install::
+	$(INSTALL) -m 755 $(SCRIPTS) $(SOURCE_BIN_DIR)
diff --git a/security/nss/cmd/smimetools/smime b/security/nss/cmd/smimetools/smime
new file mode 100755
index 000000000..0ac312e05
--- /dev/null
+++ b/security/nss/cmd/smimetools/smime
@@ -0,0 +1,581 @@
+#!/usr/local/bin/perl
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+# smime.pl - frontend for S/MIME message generation and parsing
+#
+# $Id$
+#
+
+use Getopt::Std;
+
+@boundarychars = ( "0" .. "9", "A" .. "F" );
+
+# path to cmsutil
+$cmsutilpath = "cmsutil";
+
+#
+# Thanks to Gisle Aas <gisle@aas.no> for the base64 functions
+# originally taken from MIME-Base64-2.11 at www.cpan.org
+#
+sub encode_base64($)
+{
+    my $res = "";
+    pos($_[0]) = 0;                          # ensure start at the beginning
+    while ($_[0] =~ /(.{1,45})/gs) {
+	$res .= substr(pack('u', $1), 1);    # get rid of length byte after packing
+	chop($res);
+    }
+    $res =~ tr|` -_|AA-Za-z0-9+/|;
+    # fix padding at the end
+    my $padding = (3 - length($_[0]) % 3) % 3;
+    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
+    # break encoded string into lines of no more than 76 characters each
+    $res =~ s/(.{1,76})/$1\n/g;
+    $res;
+}
+
+sub decode_base64($)
+{
+    local($^W) = 0; # unpack("u",...) gives bogus warning in 5.00[123]
+
+    my $str = shift;
+    my $res = "";
+
+    $str =~ tr|A-Za-z0-9+=/||cd;            # remove non-base64 chars
+    if (length($str) % 4) {
+	require Carp;
+	Carp::carp("Length of base64 data not a multiple of 4")
+    }
+    $str =~ s/=+$//;                        # remove padding
+    $str =~ tr|A-Za-z0-9+/| -_|;            # convert to uuencoded format
+    while ($str =~ /(.{1,60})/gs) {
+	my $len = chr(32 + length($1)*3/4); # compute length byte
+	$res .= unpack("u", $len . $1 );    # uudecode
+    }
+    $res;
+}
+
+#
+# parse headers into a hash
+#
+# %headers = parseheaders($headertext);
+#
+sub parseheaders($)
+{
+    my ($headerdata) = @_;
+    my $hdr;
+    my %hdrhash;
+    my $hdrname;
+    my $hdrvalue;
+    my @hdrvalues;
+    my $subhdrname;
+    my $subhdrvalue;
+
+    # the expression in split() correctly handles continuation lines
+    foreach $hdr (split(/\n(?=\S)/, $headerdata)) {
+	$hdr =~ s/\r*\n\s+/ /g;	# collapse continuation lines
+	($hdrname, $hdrvalue) = $hdr =~ m/^(\S+):\s+(.*)$/;
+
+	# ignore non-headers (or should we die horribly?)
+	next unless (defined($hdrname));
+	$hdrname =~ tr/A-Z/a-z/;			# lowercase the header name
+	@hdrvalues = split(/\s*;\s*/, $hdrvalue);	# split header values (XXXX quoting)
+
+	# there is guaranteed to be at least one value
+	$hdrvalue = shift @hdrvalues;
+	if ($hdrvalue =~ /^\s*\"(.*)\"\s*$/) {		# strip quotes if there
+	    $hdrvalue = $1;
+	}
+
+	$hdrhash{$hdrname}{MAIN} = $hdrvalue;
+	# print "XXX $hdrname = $hdrvalue\n";
+
+	# deal with additional name-value pairs
+	foreach $hdrvalue (@hdrvalues) {
+	    ($subhdrname, $subhdrvalue) = $hdrvalue =~ m/^(\S+)\s*=\s*(.*)$/;
+	    # ignore non-name-value pairs (or should we die?)
+	    next unless (defined($subhdrname));
+	    $subhdrname =~ tr/A-Z/a-z/;
+	    if ($subhdrvalue =~ /^\s*\"(.*)\"\s*$/) {	# strip quotes if there
+		$subhdrvalue = $1;
+	    }
+	    $hdrhash{$hdrname}{$subhdrname} = $subhdrvalue;
+	}
+
+    }
+    return %hdrhash;
+}
+
+#
+# encryptentity($entity, $options) - encrypt an S/MIME entity,
+#                                    creating a new application/pkcs7-smime entity
+#
+# entity  - string containing entire S/MIME entity to encrypt
+# options - options for cmsutil
+#
+# this will generate and return a new application/pkcs7-smime entity containing
+# the enveloped input entity.
+#
+sub encryptentity($$)
+{
+    my ($entity, $cmsutiloptions) = @_;
+    my $out = "";
+    my $boundary;
+
+    $tmpencfile = "/tmp/encryptentity.$$";
+
+    #
+    # generate a random boundary string
+    #
+    $boundary = "------------ms" . join("", @boundarychars[map{rand @boundarychars }( 1 .. 24 )]);
+
+    #
+    # tell cmsutil to generate a enveloped CMS message using our data
+    #
+    open(CMS, "|$cmsutilpath -E $cmsutiloptions -o $tmpencfile") or die "ERROR: cannot pipe to cmsutil";
+    print CMS $entity;
+    unless (close(CMS)) {
+	print STDERR "ERROR: encryption failed.\n";
+	unlink($tmpsigfile);
+	exit 1;
+    }
+
+    $out  = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n";
+    $out .= "Content-Transfer-Encoding: base64\n";
+    $out .= "Content-Disposition: attachment; filename=smime.p7m\n";
+    $out .= "\n";			# end of entity header
+
+    open (ENC, $tmpencfile) or die "ERROR: cannot find newly generated encrypted content";
+    local($/) = undef;			# slurp whole file
+    $out .= encode_base64(<ENC>), "\n";	# entity body is base64-encoded CMS message
+    close(ENC);
+
+    unlink($tmpencfile);
+
+    $out;
+}
+
+#
+# signentity($entity, $options) - sign an S/MIME entity
+#
+# entity  - string containing entire S/MIME entity to sign
+# options - options for cmsutil
+#
+# this will generate and return a new multipart/signed entity consisting
+# of the canonicalized original content, plus a signature block.
+#
+sub signentity($$)
+{
+    my ($entity, $cmsutiloptions) = @_;
+    my $out = "";
+    my $boundary;
+
+    $tmpsigfile = "/tmp/signentity.$$";
+
+    #
+    # generate a random boundary string
+    #
+    $boundary = "------------ms" . join("", @boundarychars[map{rand @boundarychars }( 1 .. 24 )]);
+
+    #
+    # tell cmsutil to generate a signed CMS message using the canonicalized data
+    # The signedData has detached content (-T) and includes a signing time attribute (-G)
+    #
+    # if we do not provide a password on the command line, here's where we would be asked for it
+    #
+    open(CMS, "|$cmsutilpath -S -T -G $cmsutiloptions -o $tmpsigfile") or die "ERROR: cannot pipe to cmsutil";
+    print CMS $entity;
+    unless (close(CMS)) {
+	print STDERR "ERROR: signature generation failed.\n";
+	unlink($tmpsigfile);
+	exit 1;
+    }
+
+    open (SIG, $tmpsigfile) or die "ERROR: cannot find newly generated signature";
+
+    #
+    # construct a new multipart/signed MIME entity consisting of the original content and
+    # the signature
+    #
+    # (we assume that cmsutil generates a SHA1 digest)
+    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
+    $out .= "\n";		# end of entity header
+    $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
+    $out .= "\n--${boundary}\n";
+    $out .= $entity;
+    $out .= "\n--${boundary}\n";
+    $out .= "Content-Type: application/pkcs7-signature; name=smime.p7s\n";
+    $out .= "Content-Transfer-Encoding: base64\n";
+    $out .= "Content-Disposition: attachment; filename=smime.p7s\n";
+    $out .= "Content-Description: S/MIME Cryptographic Signature\n";
+    $out .= "\n";		# end of signature subentity header
+
+    local($/) = undef;		# slurp whole file
+    $out .= encode_base64(<SIG>);	# append base64-encoded signature
+    $out .= "\n--${boundary}--\n";
+
+    close(SIG);
+    unlink($tmpsigfile);
+
+    $out;
+}
+
+sub usage {
+    print STDERR "usage: smime [options]\n";
+    print STDERR " options:\n";
+    print STDERR " -S nick             generate signed message, use certificate named \"nick\"\n";
+    print STDERR "  -p passwd          use \"passwd\" as security module password\n";
+    print STDERR " -E rec1[,rec2...]   generate encrypted message for recipients\n";
+    print STDERR " -D                  decode a S/MIME message\n";
+    print STDERR "  -p passwd          use \"passwd\" as security module password\n";
+    print STDERR "                     (required for decrypting only)\n";
+    print STDERR " -C pathname         set pathname of \"cmsutil\"\n";
+    print STDERR " -d directory        set directory containing certificate db\n";
+    print STDERR "                     (default: ~/.netscape)\n";
+    print STDERR "\nWith -S or -E, smime will take a regular RFC822 message or MIME entity\n";
+    print STDERR "on stdin and generate a signed or encrypted S/MIME message with the same\n";
+    print STDERR "headers and content from it. The output can be used as input to a MTA.\n";
+    print STDERR "-D causes smime to strip off all S/MIME layers if possible and output\n";
+    print STDERR "the \"inner\" message.\n";
+}
+
+#
+# start of main procedures
+#
+
+#
+# process command line options
+#
+unless (getopts('S:E:p:d:C:D')) {
+    usage();
+    exit 1;
+}
+
+unless (defined($opt_S) or defined($opt_E) or defined($opt_D)) {
+    print STDERR "ERROR: -S and/or -E, or -D must be specified.\n";
+    usage();
+    exit 1;
+}
+
+$signopts = "";
+$encryptopts = "";
+$decodeopts = "";
+
+# pass -d option along
+if (defined($opt_d)) {
+    $signopts .= "-d \"$opt_d\" ";
+    $encryptopts .= "-d \"$opt_d\" ";
+    $decodeopts .= "-d \"$opt_d\" ";
+}
+
+if (defined($opt_S)) {
+    $signopts .= "-N \"$opt_S\" ";
+}
+
+if (defined($opt_p)) {
+    $signopts .= "-p \"$opt_p\" ";
+    $decodeopts .= "-p \"$opt_p\" ";
+}
+
+if (defined($opt_E)) {
+    @recipients = split(",", $opt_E);
+    $encryptopts .= "-r ";
+    $encryptopts .= join (" -r ", @recipients);
+}
+
+if (defined($opt_C)) {
+    $cmsutilpath = $opt_C;
+}
+
+#
+# split headers into mime entity headers and RFC822 headers
+# The RFC822 headers are preserved and stay on the outer layer of the message
+#
+$rfc822headers = "";
+$mimeheaders = "";
+$mimebody = "";
+$skippedheaders = "";
+while (<STDIN>) {
+    last if (/^$/);
+    if (/^content-\S+: /i) {
+	$lastref = \$mimeheaders;
+    } elsif (/^mime-version: /i) {
+	$lastref = \$skippedheaders;			# skip it
+    } elsif (/^\s/) {
+	;
+    } else {
+	$lastref = \$rfc822headers;
+    }
+    $$lastref .= $_;
+}
+
+#
+# if there are no MIME entity headers, generate some default ones
+#
+if ($mimeheaders eq "") {
+    $mimeheaders .= "Content-Type: text/plain; charset=us-ascii\n";
+    $mimeheaders .= "Content-Transfer-Encoding: 7bit\n";
+}
+
+#
+# slurp in the entity body
+#
+$saveRS = $/;
+$/ = undef;
+$mimebody = <STDIN>;
+$/ = $saveRS;
+chomp($mimebody);
+
+if (defined $opt_D) {
+    #
+    # decode
+    #
+    # possible options would be:
+    # - strip off only one layer
+    # - strip off outer signature (if present)
+    # - just print information about the structure of the message
+    # - strip n layers, then dump DER of CMS message
+
+    $layercounter = 1;
+
+    while (1) {
+	%hdrhash = parseheaders($mimeheaders);
+	unless (exists($hdrhash{"content-type"}{MAIN})) {
+	    print STDERR "ERROR: no content type header found in MIME entity\n";
+	    last;	# no content-type - we're done
+	}
+
+	$contenttype = $hdrhash{"content-type"}{MAIN};
+	if ($contenttype eq "application/pkcs7-mime") {
+	    #
+	    # opaque-signed or enveloped message
+	    #
+	    unless (exists($hdrhash{"content-type"}{"smime-type"})) {
+		print STDERR "ERROR: no smime-type attribute in application/pkcs7-smime entity.\n";
+		last;
+	    }
+	    $smimetype = $hdrhash{"content-type"}{"smime-type"};
+	    if ($smimetype eq "signed-data" or $smimetype eq "enveloped-data") {
+		# it's verification or decryption time!
+
+		# can handle only base64 encoding for now
+		# all other encodings are treated as binary (8bit)
+		if ($hdrhash{"content-transfer-encoding"}{MAIN} eq "base64") {
+		    $mimebody = decode_base64($mimebody);
+		}
+
+		# if we need to dump the DER, we would do it right here
+
+		# now write the DER
+		$tmpderfile = "/tmp/der.$$";
+		open(TMP, ">$tmpderfile") or die "ERROR: cannot write signature data to temporary file";
+		print TMP $mimebody;
+		unless (close(TMP)) {
+		    print STDERR "ERROR: writing signature data to temporary file.\n";
+		    unlink($tmpderfile);
+		    exit 1;
+		}
+
+		$mimeheaders = "";
+		open(TMP, "$cmsutilpath -D $decodeopts -h $layercounter -i $tmpderfile |") or die "ERROR: cannot open pipe to cmsutil";
+		$layercounter++;
+		while (<TMP>) {
+		    last if (/^\r?$/);			# empty lines mark end of header
+		    if (/^SMIME: /) {			# add all SMIME info to the rfc822 hdrs
+			$lastref = \$rfc822headers;
+		    } elsif (/^\s/) {
+			;				# continuation lines go to the last dest
+		    } else {
+			$lastref = \$mimeheaders;	# all other headers are mime headers
+		    }
+		    $$lastref .= $_;
+		}
+		# slurp in rest of the data to $mimebody
+		$saveRS = $/; $/ = undef; $mimebody = <TMP>; $/ = $saveRS;
+		close(TMP);
+
+		unlink($tmpderfile);
+
+	    } else {
+		print STDERR "ERROR: unknown smime-type \"$smimetype\" in application/pkcs7-smime entity.\n";
+		last;
+	    }
+	} elsif ($contenttype eq "multipart/signed") {
+	    #
+	    # clear signed message
+	    #
+	    unless (exists($hdrhash{"content-type"}{"protocol"})) {
+		print STDERR "ERROR: content type has no protocol attribute in multipart/signed entity.\n";
+		last;
+	    }
+	    if ($hdrhash{"content-type"}{"protocol"} ne "application/pkcs7-signature") {
+		# we cannot handle this guy
+		print STDERR "ERROR: unknown protocol \"", $hdrhash{"content-type"}{"protocol"},
+			"\" in multipart/signed entity.\n";
+		last;
+	    }
+	    unless (exists($hdrhash{"content-type"}{"boundary"})) {
+		print STDERR "ERROR: no boundary attribute in multipart/signed entity.\n";
+		last;
+	    }
+	    $boundary = $hdrhash{"content-type"}{"boundary"};
+
+	    # split $mimebody along \n--$boundary\n - gets you four parts
+	    # first (0), any comments the sending agent might have put in
+	    # second (1), the message itself
+	    # third (2), the signature as a mime entity
+	    # fourth (3), trailing data (there shouldn't be any)
+
+	    @multiparts = split(/\r?\n--$boundary(?:--)?\r?\n/, $mimebody);
+
+	    #
+	    # parse the signature headers
+	    ($submimeheaders, $submimebody) = split(/^$/m, $multiparts[2]);
+	    %sighdrhash = parseheaders($submimeheaders);
+	    unless (exists($sighdrhash{"content-type"}{MAIN})) {
+		print STDERR "ERROR: signature entity has no content type.\n";
+		last;
+	    }
+	    if ($sighdrhash{"content-type"}{MAIN} ne "application/pkcs7-signature") {
+		# we cannot handle this guy
+		print STDERR "ERROR: unknown content type \"", $sighdrhash{"content-type"}{MAIN},
+			"\" in signature entity.\n";
+		last;
+	    }
+	    if ($sighdrhash{"content-transfer-encoding"}{MAIN} eq "base64") {
+		$submimebody = decode_base64($submimebody);
+	    }
+
+	    # we would dump the DER at this point
+
+	    $tmpsigfile = "/tmp/sig.$$";
+	    open(TMP, ">$tmpsigfile") or die "ERROR: cannot write signature data to temporary file";
+	    print TMP $submimebody;
+	    unless (close(TMP)) {
+		print STDERR "ERROR: writing signature data to temporary file.\n";
+		unlink($tmpsigfile);
+		exit 1;
+	    }
+
+	    $tmpmsgfile = "/tmp/msg.$$";
+	    open(TMP, ">$tmpmsgfile") or die "ERROR: cannot write message data to temporary file";
+	    print TMP $multiparts[1];
+	    unless (close(TMP)) {
+		print STDERR "ERROR: writing message data to temporary file.\n";
+		unlink($tmpsigfile);
+		unlink($tmpmsgfile);
+		exit 1;
+	    }
+
+	    $mimeheaders = "";
+	    open(TMP, "$cmsutilpath -D $decodeopts -h $layercounter -c $tmpmsgfile -i $tmpsigfile |") or die "ERROR: cannot open pipe to cmsutil";
+	    $layercounter++;
+	    while (<TMP>) {
+		last if (/^\r?$/);
+		if (/^SMIME: /) {
+		    $lastref = \$rfc822headers;
+		} elsif (/^\s/) {
+		    ;
+		} else {
+		    $lastref = \$mimeheaders;
+		}
+		$$lastref .= $_;
+	    }
+	    $saveRS = $/; $/ = undef; $mimebody = <TMP>; $/ = $saveRS;
+	    close(TMP);
+	    unlink($tmpsigfile);
+	    unlink($tmpmsgfile);
+
+	} else {
+
+	    # not a content type we know - we're done
+	    last;
+
+	}
+    }
+
+    # so now we have the S/MIME parsing information in rfc822headers
+    # and the first mime entity we could not handle in mimeheaders and mimebody.
+    # dump 'em out and we're done.
+    print $rfc822headers;
+    print $mimeheaders . "\n" . $mimebody;
+
+} else {
+
+    #
+    # encode (which is much easier than decode)
+    #
+
+    $mimeentity = $mimeheaders . "\n" . $mimebody;
+
+    #
+    # canonicalize inner entity (rudimentary yet)
+    # convert single LFs to CRLF
+    # if no Content-Transfer-Encoding header present:
+    #  if 8 bit chars present, use Content-Transfer-Encoding: quoted-printable
+    #  otherwise, use Content-Transfer-Encoding: 7bit
+    #
+    $mimeentity =~ s/\r*\n/\r\n/mg;
+
+    #
+    # now do the wrapping
+    # we sign first, then encrypt because that's what Communicator needs
+    #
+    if (defined($opt_S)) {
+	$mimeentity = signentity($mimeentity, $signopts);
+    }
+
+    if (defined($opt_E)) {
+	$mimeentity = encryptentity($mimeentity, $encryptopts);	
+    }
+
+    #
+    # XXX sign again to do triple wrapping (RFC2634)
+    #
+
+    #
+    # now write out the RFC822 headers
+    # followed by the final $mimeentity
+    #
+    print $rfc822headers;
+    print "MIME-Version: 1.0 (NSS SMIME - http://www.mozilla.org/projects/security)\n";	# set up the flag
+    print $mimeentity;
+}
+
+exit 0;
diff --git a/security/nss/cmd/ssltap/Makefile b/security/nss/cmd/ssltap/Makefile
new file mode 100644
index 000000000..c2eb4e1ce
--- /dev/null
+++ b/security/nss/cmd/ssltap/Makefile
@@ -0,0 +1,83 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+# Since ssltap doesn't use any of NSS, we'll skip NSS's link libs,
+# and just link with NSPR.
+#
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+-include ../platrules.mk
+
diff --git a/security/nss/cmd/ssltap/manifest.mn b/security/nss/cmd/ssltap/manifest.mn
new file mode 100644
index 000000000..36937600b
--- /dev/null
+++ b/security/nss/cmd/ssltap/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+EXPORTS = 
+
+CSRCS = ssltap.c	\
+	$(NULL)
+
+PROGRAM =  ssltap
+
+REQUIRES = seccmd dbm
+
+PACKAGE_FILES = ssltap-manual.html licence.doc ssltap.exe
+
+ARCHIVE_NAME = ssltap
+
diff --git a/security/nss/cmd/ssltap/ssltap-manual.html b/security/nss/cmd/ssltap/ssltap-manual.html
new file mode 100644
index 000000000..f49bf7282
--- /dev/null
+++ b/security/nss/cmd/ssltap/ssltap-manual.html
@@ -0,0 +1,202 @@
+<HTML>

+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+<HEAD>

+   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">

+   <META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (WinNT; U) [Netscape]">

+   <META NAME="Author" CONTENT="Steve Parkinson">

+   <TITLE>SSLTap - manual</TITLE>

+</HEAD>

+<BODY>

+

+<H1>

+SSLTap Manual page</H1>

+

+<H3>

+Summary</H3>

+A command-line proxy which is SSL-aware. It snoops on TCP connections,

+and displays the data going by, including SSL records and handshaking&nbsp;

+if the connection is SSL.

+<H3>

+Synopsis</H3>

+<TT>ssltap [-vhfsxl] [-p port] hostname:port</TT>

+

+<P><TT>&nbsp;&nbsp; -v&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [prints version string]</TT>

+<BR><TT>&nbsp;&nbsp; -h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [outputs hex instead

+of ASCII]</TT>

+<BR><TT>&nbsp;&nbsp; -f&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on Fancy HTML

+coloring]</TT>

+<BR><TT>&nbsp;&nbsp; -s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on SSL decoding]</TT>

+<BR><TT>&nbsp;&nbsp; -x&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on extra SSL

+hex dumps]</TT>

+<BR><TT>&nbsp;&nbsp; -p port [specify rendezvous port (default 1924)]</TT>

+<BR><TT>&nbsp;&nbsp; -l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [loop - continue

+to wait for more connections]</TT>

+<H3>

+Description</H3>

+SSLTap opens a socket on a rendezvous port, and waits for an incoming connection

+(client side). Once this connection arrives, SSLTap makes another connection

+to hostname:port (server side). It passes any data sent by the client to

+the server, and vice versa. However, SSLTap will also display the data

+to the console. It can do this for plain HTTP connections, or any TCP protocol.

+However, SSLTap can also work with SSL streams, as detailed below.

+

+<P>Let's assume your development machine is called 'intercept'. The simplest

+usage of SSLTap is to run the command <TT>'ssltap www.netscape.com:80'</TT>

+on intercept. The program will wait for an incoming connection on port

+1924. Next you would want to go to your browser, and enter the URL http://intercept:1924.

+The page retrieved by the browser will actually be gotten from the server

+at www.netscape.com, but will go via SSLTap.

+

+<P>Data sent from the client to the server is surrounded by a '--> [ ]'

+symbol, and data sent from the server to the client, a '&lt;---[&nbsp;

+]' symbol.

+

+<P>You'll notice that the page retrieved with this example looks incomplete.

+This is because SSLTap by default closes down after the first connection

+is complete, so the browser is not able to load images. To make the SSLTap

+continue to accept connections, switch on looping mode with the -l option.

+

+<P>You can change the default rendezvous port to something else with the

+-p option.

+

+<P>The remaining options change the way the output is produced.

+

+<P>The -f option prints 'fancy' output - in colored HTML. Data sent from

+the client to the server is in blue. The server's reply is in red. This

+is designed so you can load the output up into a browser. When used with

+looping mode, the different connections are separated with horizontal lines.

+

+<P>-x will turn on HEX printing. Instead of being output as ascii, the

+data is shown as Hex, like this:

+<UL><TT>&lt;-- [</TT>

+<BR><TT>&nbsp;&nbsp; 0: 56 d5 16 3e&nbsp; a1 6b b1 4a&nbsp; 8f 67 c4 d7&nbsp;

+21 2f 6f dd&nbsp; | V..>.k.J.g..!/o.</TT>

+<BR><TT>&nbsp; 10: bb 22 c4 75&nbsp; 8c f4 ce 28&nbsp; 16 a6 20 aa&nbsp;

+fb 9a 59 a1&nbsp; | .".u...(.. ...Y.</TT>

+<BR><TT>&nbsp; 20: 51 91 14 d2&nbsp; fc 9f a7 ea&nbsp; 4d 9c f7 3a&nbsp;

+9d 83 62 4a&nbsp; | Q.......M..:..bJ</TT>

+<BR><TT>]</TT>

+<BR>&nbsp;</UL>

+

+<H4>

+SSL Parse mode</H4>

+The following options deal with SSL connections.

+<UL>-s will turn on SSL parsing. (SSLTap doesn't automatically detect SSL

+sessions.)

+<BR>-x will turn on extra SSL hexdumps. Mostly, if SSL can decode the data,

+it doesn't display the hex.</UL>

+The following SSL3 Data structures are parsed: Handshake, ClientHello,

+ServerHello, CertificateChain, Certificate. In addition, SSL2 ClientHello,

+ServerHello, ClientMasterKey are also partly parsed. NO DECRYPTION IS PERFORMED

+ON THE DATA. SSLTAP CANNOT DECRYPT the data.

+

+<P>If a certificate chain is detected, DER-encoded certificates will be

+saved into files in the current directory called 'cert.0x' where x is the

+sequence number of the certificate.

+<BR>&nbsp;

+<H3>

+Operation Hints</H3>

+Often, you'll find that the server certificate does not get transferred,

+or other parts of the handshake do not happen. This is because the browser

+is taking advantage of session-id-reuse (using the handshake results from

+a previous session). If you restart the browser, it'll clear the session

+id cache.

+

+<P>If you run the ssltap on a different machine that the ssl server you're

+trying to connect to, the browser will complain that the host name you're

+trying to connect to is different to the certificate, but it will still

+let you connect, after showing you a dialog.

+<H3>

+Bugs</H3>

+Please contact <A HREF="mailto:ssltap-support@netscape.com">ssltap-support@netscape.com</A>

+for bug reports.

+<H3>

+History</H3>

+2.1 - First public release (March 1998)

+<BR>&nbsp;

+<H3>

+Other</H3>

+For reference, here is a table of some well-known port numbers:

+<BR>&nbsp;

+<TABLE BORDER=2 >

+<TR>

+<TD>HTTP</TD>

+

+<TD>80</TD>

+</TR>

+

+<TR>

+<TD>SMTP</TD>

+

+<TD>25</TD>

+</TR>

+

+<TR>

+<TD>HTTPS</TD>

+

+<TD>443</TD>

+</TR>

+

+<TR>

+<TD>FTP</TD>

+

+<TD>21</TD>

+</TR>

+

+<TR>

+<TD>IMAPS</TD>

+

+<TD>993</TD>

+</TR>

+

+<TR>

+<TD>NNTP</TD>

+

+<TD>119</TD>

+</TR>

+

+<TR>

+<TD>NNTPS</TD>

+

+<TD>563</TD>

+</TR>

+</TABLE>

+&nbsp;

+

+<P>&nbsp;

+</BODY>

+</HTML>

diff --git a/security/nss/cmd/ssltap/ssltap.c b/security/nss/cmd/ssltap/ssltap.c
new file mode 100644
index 000000000..c2fbaf99e
--- /dev/null
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -0,0 +1,1699 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * ssltap.c
+ *
+ * Version 1.0 : Frederick Roeber : 11 June 1997
+ * Version 2.0 : Steve Parkinson  : 13 November 1997
+ * Version 3.0 : Nelson Bolyard   : 22 July 1998
+ * Version 3.1 : Nelson Bolyard   : 24 May  1999
+ *
+ * changes in version 2.0:
+ *  Uses NSPR20
+ *  Shows structure of SSL negotiation, if enabled.
+ *
+ * This "proxies" a socket connection (like a socks tunnel), but displays the
+ * data is it flies by.
+ *
+ * In the code, the 'client' socket is the one on the client side of the
+ * proxy, and the server socket is on the server side.
+ *
+ */
+
+#include "nspr.h"
+#include "plstr.h"
+#include "secutil.h"
+#include <memory.h>	/* for memcpy, etc. */
+#include <string.h>
+#include <time.h>
+
+#include "plgetopt.h"
+#include "nss.h"
+#include "cert.h"
+#include "sslproto.h"
+
+#define VERSIONSTRING "$Revision$ ($Date$) $Author$"
+
+
+struct _DataBufferList;
+struct _DataBuffer;
+
+typedef struct _DataBufferList {
+  struct _DataBuffer *first,*last;
+  int size;
+  int isEncrypted;
+} DataBufferList;
+
+typedef struct _DataBuffer {
+  unsigned char *buffer;
+  int length;
+  int offset;  /* offset of first good byte */
+  struct _DataBuffer *next;
+} DataBuffer;
+
+
+DataBufferList
+  clientstream = {NULL, NULL, 0, 0},
+  serverstream = {NULL, NULL, 0, 0};
+
+struct sslhandshake {
+  PRUint8 type;
+  PRUint32 length;
+};
+
+typedef struct _SSLRecord {
+  PRUint8 type;
+  PRUint8 ver_maj,ver_min;
+
+  PRUint8 length[2];
+} SSLRecord;
+
+typedef struct _ClientHelloV2 {
+  PRUint8 length[2];
+  PRUint8 type;
+  PRUint8 version[2];
+  PRUint8 cslength[2];
+  PRUint8 sidlength[2];
+  PRUint8 rndlength[2];
+  PRUint8 csuites[1];
+} ClientHelloV2;
+
+typedef struct _ServerHelloV2 {
+  PRUint8 length[2];
+  PRUint8 type;
+  PRUint8 sidhit;
+  PRUint8 certtype;
+  PRUint8 version[2];
+  PRUint8 certlength[2];
+  PRUint8 cslength[2];
+  PRUint8 cidlength[2];
+} ServerHelloV2;
+
+typedef struct _ClientMasterKeyV2 {
+  PRUint8 length[2];
+  PRUint8 type;
+
+  PRUint8 cipherkind[3];
+  PRUint8 clearkey[2];
+  PRUint8 secretkey[2];
+
+} ClientMasterKeyV2;
+
+
+
+#define TAPBUFSIZ 16384
+
+#define DEFPORT 1924
+#include <ctype.h>
+
+int hexparse=0;
+int sslparse=0;
+int sslhexparse=0;
+int looparound=0;
+int fancy=0;
+int isV2Session=0;
+int currentcipher=0;
+int hMACsize=0;
+
+#define PR_FPUTS(x) PR_fprintf(PR_STDOUT, x )
+
+#define GET_SHORT(x) ((PRUint16)(((PRUint16)((PRUint8*)x)[0]) << 8) + ((PRUint16)((PRUint8*)x)[1]))
+#define GET_24(x) ((PRUint32)   (  \
+				 (((PRUint32)((PRUint8*)x)[0]) << 16) \
+				 +                          \
+				 (((PRUint32)((PRUint8*)x)[1]) << 8)  \
+				 +                          \
+				 (((PRUint32)((PRUint8*)x)[2]) << 0)  \
+				 ) )
+#define GET_32(x) ((PRUint32)   (  \
+				 (((PRUint32)((PRUint8*)x)[0]) << 24) \
+				 +                          \
+				 (((PRUint32)((PRUint8*)x)[1]) << 16) \
+				 +                          \
+				 (((PRUint32)((PRUint8*)x)[2]) << 8)  \
+				 +                          \
+				 (((PRUint32)((PRUint8*)x)[3]) << 0)  \
+				 ) )
+
+void print_hex(int amt, unsigned char *buf);
+void read_stream_bytes(unsigned char *d, DataBufferList *db, int length);
+
+void myhalt(int dblsize,int collectedsize) {
+
+  while(1) ;
+
+}
+
+const char *get_error_text(int error) {
+  switch (error) {
+  case PR_IO_TIMEOUT_ERROR:
+    return "Timeout";
+    break;
+  case PR_CONNECT_REFUSED_ERROR:
+    return "Connection refused";
+    break;
+  case PR_NETWORK_UNREACHABLE_ERROR:
+    return "Network unreachable";
+    break;
+  case PR_BAD_ADDRESS_ERROR:
+    return "Bad address";
+    break;
+  case PR_CONNECT_RESET_ERROR:
+    return "Connection reset";
+    break;
+  case PR_PIPE_ERROR:
+    return "Pipe error";
+    break;
+  }
+
+  return "";
+}
+
+
+
+
+
+void check_integrity(DataBufferList *dbl) {
+  DataBuffer *db;
+  int i;
+
+  db = dbl->first;
+  i =0;
+  while (db) {
+    i+= db->length - db->offset;
+    db = db->next;
+  }
+  if (i != dbl->size) {
+    myhalt(dbl->size,i);
+  }
+}
+
+/* Free's the DataBuffer at the head of the list and returns the pointer
+ * to the new head of the list.
+ */
+DataBuffer * 
+free_head(DataBufferList *dbl)
+{
+  DataBuffer *db       = dbl->first;
+  PR_ASSERT(db->offset >= db->length);
+  if (db->offset >= db->length) {
+    dbl->first = db->next;
+    if (dbl->first == NULL) {
+      dbl->last = NULL;
+    }
+    PR_Free(db->buffer);
+    PR_Free(db);
+    db = dbl->first;
+  }
+  return db;
+}
+
+void 
+read_stream_bytes(unsigned char *d, DataBufferList *dbl, int length) {
+  int         copied 	= 0;
+  DataBuffer *db	= dbl->first;
+
+  if (!db) {
+    PR_fprintf(PR_STDERR,"assert failed - dbl->first is null\n");
+    exit(8);
+  }
+  while (length) {
+    int         toCopy;
+    /* find the number of bytes to copy from the head buffer */
+    /* if there's too many in this buffer, then only copy 'length' */
+    toCopy = PR_MIN(db->length - db->offset, length);
+
+    memcpy(d + copied, db->buffer + db->offset, toCopy);
+    copied     += toCopy;
+    db->offset += toCopy;
+    length     -= toCopy;
+    dbl->size  -= toCopy;
+
+    /* if we emptied the head buffer */
+    if (db->offset >= db->length) {
+      db = free_head(dbl);
+    }
+  }
+
+  check_integrity(dbl);
+
+}
+
+void
+flush_stream(DataBufferList *dbl)
+{
+    DataBuffer *db = dbl->first;
+    check_integrity(dbl);
+    while (db) {
+	db->offset = db->length;
+    	db = free_head(dbl);
+    }
+    dbl->size = 0;
+    check_integrity(dbl);
+}
+
+
+const char * V2CipherString(int cs_int) {
+  char *cs_str;
+  cs_str = NULL;
+  switch (cs_int) {
+
+  case 0x010080:    cs_str = "SSL2/RSA/RC4-128/MD5";       break;
+  case 0x020080:    cs_str = "SSL2/RSA/RC4-40/MD5";    break;
+  case 0x030080:    cs_str = "SSL2/RSA/RC2CBC128/MD5";     break;
+  case 0x040080:    cs_str = "SSL2/RSA/RC2CBC40/MD5";  break;
+  case 0x050080:    cs_str = "SSL2/RSA/IDEA128CBC/MD5";    break;
+  case 0x060040:    cs_str = "SSL2/RSA/DES56-CBC/MD5";      break;
+  case 0x0700C0:    cs_str = "SSL2/RSA/3DES192EDE-CBC/MD5"; break;
+
+  case 0x000001:    cs_str = "SSL3/RSA/NULL/MD5";             break;
+  case 0x000002:    cs_str = "SSL3/RSA/NULL/SHA";             break;
+  case 0x000003:    cs_str = "SSL3/RSA/RC4-40/MD5";       break;
+  case 0x000004:    cs_str = "SSL3/RSA/RC4-128/MD5";          break;
+  case 0x000005:    cs_str = "SSL3/RSA/RC4-128/SHA";          break;
+  case 0x000006:    cs_str = "SSL3/RSA/RC2CBC40/MD5";     break;
+  case 0x000007:    cs_str = "SSL3/RSA/IDEA128CBC/SHA";       break;
+  case 0x000008:    cs_str = "SSL3/RSA/DES40-CBC/SHA";         break;
+  case 0x000009:    cs_str = "SSL3/RSA/DES56-CBC/SHA";         break;
+  case 0x00000A:    cs_str = "SSL3/RSA/3DES192EDE-CBC/SHA";    break;
+
+  case 0x00000B:    cs_str = "SSL3/DH-DSS/DES40-CBC/SHA";      break;
+  case 0x00000C:    cs_str = "SSL3/DH-DSS/DES56-CBC/SHA";      break;
+  case 0x00000D:    cs_str = "SSL3/DH-DSS/DES192EDE3CBC/SHA"; break;
+  case 0x00000E:    cs_str = "SSL3/DH-RSA/DES40-CBC/SHA";      break;
+  case 0x00000F:    cs_str = "SSL3/DH-RSA/DES56-CBC/SHA";      break;
+  case 0x000010:    cs_str = "SSL3/DH-RSA/3DES192EDE-CBC/SHA"; break;
+
+  case 0x000011:    cs_str = "SSL3/DHE-DSS/DES40-CBC/SHA";      break;
+  case 0x000012:    cs_str = "SSL3/DHE-DSS/DES56-CBC/SHA";      break;
+  case 0x000013:    cs_str = "SSL3/DHE-DSS/DES192EDE3CBC/SHA"; break;
+  case 0x000014:    cs_str = "SSL3/DHE-RSA/DES40-CBC/SHA";      break;
+  case 0x000015:    cs_str = "SSL3/DHE-RSA/DES56-CBC/SHA";      break;
+  case 0x000016:    cs_str = "SSL3/DHE-RSA/3DES192EDE-CBC/SHA"; break;
+
+  case 0x000017:    cs_str = "SSL3/DH-anon/RC4-40/MD5";     break;
+  case 0x000018:    cs_str = "SSL3/DH-anon/RC4-128/MD5";        break;
+  case 0x000019:    cs_str = "SSL3/DH-anon/DES40-CBC/SHA";       break;
+  case 0x00001A:    cs_str = "SSL3/DH-anon/DES56-CBC/SHA";       break;
+  case 0x00001B:    cs_str = "SSL3/DH-anon/3DES192EDE-CBC/SHA"; break;
+
+  case 0x00001C:    cs_str = "SSL3/FORTEZZA-DMS/NULL/SHA";      break;
+  case 0x00001D:    cs_str = "SSL3/FORTEZZA-DMS/FORTEZZA-CBC/SHA";  break;
+  case 0x00001E:    cs_str = "SSL3/FORTEZZA-DMS/RC4-128/SHA";  break;
+
+  case 0x00002F:    cs_str = "TLS/RSA/AES128-CBC/SHA";  	break;
+  case 0x000030:    cs_str = "TLS/DH-DSS/AES128-CBC/SHA";	break;
+  case 0x000031:    cs_str = "TLS/DH-RSA/AES128-CBC/SHA";	break;
+  case 0x000032:    cs_str = "TLS/DHE-DSS/AES128-CBC/SHA";	break;
+  case 0x000033:    cs_str = "TLS/DHE-RSA/AES128-CBC/SHA";	break;
+  case 0x000034:    cs_str = "TLS/DH-ANON/AES128-CBC/SHA";	break;
+
+  case 0x000035:    cs_str = "TLS/RSA/AES256-CBC/SHA";  	break;
+  case 0x000036:    cs_str = "TLS/DH-DSS/AES256-CBC/SHA";	break;
+  case 0x000037:    cs_str = "TLS/DH-RSA/AES256-CBC/SHA";	break;
+  case 0x000038:    cs_str = "TLS/DHE-DSS/AES256-CBC/SHA";	break;
+  case 0x000039:    cs_str = "TLS/DHE-RSA/AES256-CBC/SHA";	break;
+  case 0x00003A:    cs_str = "TLS/DH-ANON/AES256-CBC/SHA";	break;
+
+  case 0x000041:    cs_str = "TLS/RSA/CAMELLIA128-CBC/SHA";	break;
+  case 0x000042:    cs_str = "TLS/DH-DSS/CAMELLIA128-CBC/SHA";	break;
+  case 0x000043:    cs_str = "TLS/DH-RSA/CAMELLIA128-CBC/SHA";	break;
+  case 0x000044:    cs_str = "TLS/DHE-DSS/CAMELLIA128-CBC/SHA";	break;
+  case 0x000045:    cs_str = "TLS/DHE-RSA/CAMELLIA128-CBC/SHA";	break;
+  case 0x000046:    cs_str = "TLS/DH-ANON/CAMELLIA128-CBC/SHA";	break;
+
+  case 0x000060:    cs_str = "TLS/RSA-EXPORT1024/RC4-56/MD5";	break;
+  case 0x000061:    cs_str = "TLS/RSA-EXPORT1024/RC2CBC56/MD5";	break;
+  case 0x000062:    cs_str = "TLS/RSA-EXPORT1024/DES56-CBC/SHA";   break;
+  case 0x000064:    cs_str = "TLS/RSA-EXPORT1024/RC4-56/SHA";	   break;
+  case 0x000063:    cs_str = "TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA"; break;
+  case 0x000065:    cs_str = "TLS/DHE-DSS_EXPORT1024/RC4-56/SHA";  break;
+  case 0x000066:    cs_str = "TLS/DHE-DSS/RC4-128/SHA";		   break;
+
+  case 0x000072:    cs_str = "TLS/DHE-DSS/3DESEDE-CBC/RMD160"; break;
+  case 0x000073:    cs_str = "TLS/DHE-DSS/AES128-CBC/RMD160";  break;
+  case 0x000074:    cs_str = "TLS/DHE-DSS/AES256-CBC/RMD160";  break;
+
+  case 0x000079:    cs_str = "TLS/DHE-RSA/AES256-CBC/RMD160";  break;
+
+  case 0x00007C:    cs_str = "TLS/RSA/3DESEDE-CBC/RMD160"; break;
+  case 0x00007D:    cs_str = "TLS/RSA/AES128-CBC/RMD160"; break;
+  case 0x00007E:    cs_str = "TLS/RSA/AES256-CBC/RMD160"; break;
+
+  case 0x000080:    cs_str = "TLS/GOST341094/GOST28147-OFB/GOST28147"; break;
+  case 0x000081:    cs_str = "TLS/GOST34102001/GOST28147-OFB/GOST28147"; break;
+  case 0x000082:    cs_str = "TLS/GOST341094/NULL/GOSTR3411"; break;
+  case 0x000083:    cs_str = "TLS/GOST34102001/NULL/GOSTR3411"; break;
+
+  case 0x000084:    cs_str = "TLS/RSA/CAMELLIA256-CBC/SHA";	break;
+  case 0x000085:    cs_str = "TLS/DH-DSS/CAMELLIA256-CBC/SHA";	break;
+  case 0x000086:    cs_str = "TLS/DH-RSA/CAMELLIA256-CBC/SHA";	break;
+  case 0x000087:    cs_str = "TLS/DHE-DSS/CAMELLIA256-CBC/SHA";	break;
+  case 0x000088:    cs_str = "TLS/DHE-RSA/CAMELLIA256-CBC/SHA";	break;
+  case 0x000089:    cs_str = "TLS/DH-ANON/CAMELLIA256-CBC/SHA";	break;
+  case 0x00008A:    cs_str = "TLS/PSK/RC4-128/SHA";		break;
+  case 0x00008B:    cs_str = "TLS/PSK/3DES-EDE-CBC/SHA";	break;
+  case 0x00008C:    cs_str = "TLS/PSK/AES128-CBC/SHA";		break;      
+  case 0x00008D:    cs_str = "TLS/PSK/AES256-CBC/SHA";		break;      
+  case 0x00008E:    cs_str = "TLS/DHE-PSK/RC4-128/SHA";		break;      
+  case 0x00008F:    cs_str = "TLS/DHE-PSK/3DES-EDE-CBC/SHA";	break; 
+  case 0x000090:    cs_str = "TLS/DHE-PSK/AES128-CBC/SHA";	break;  
+  case 0x000091:    cs_str = "TLS/DHE-PSK/AES256-CBC/SHA";	break;  
+  case 0x000092:    cs_str = "TLS/RSA-PSK/RC4-128/SHA";		break;      
+  case 0x000093:    cs_str = "TLS/RSA-PSK/3DES-EDE-CBC/SHA";	break; 
+  case 0x000094:    cs_str = "TLS/RSA-PSK/AES128-CBC/SHA";	break;  
+  case 0x000095:    cs_str = "TLS/RSA-PSK/AES256-CBC/SHA";	break;  
+  case 0x000096:    cs_str = "TLS/RSA/SEED-CBC/SHA";		break;         
+  case 0x000097:    cs_str = "TLS/DH-DSS/SEED-CBC/SHA";		break;      
+  case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
+  case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
+  case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
+  case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
+
+  case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
+  case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
+  case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
+  case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
+  case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
+  case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
+  case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
+  case 0x00C008:    cs_str = "TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA";break;
+  case 0x00C009:    cs_str = "TLS/ECDHE-ECDSA/AES128-CBC/SHA";  break;
+  case 0x00C00A:    cs_str = "TLS/ECDHE-ECDSA/AES256-CBC/SHA";  break;
+  case 0x00C00B:    cs_str = "TLS/ECDH-RSA/NULL/SHA";           break;
+  case 0x00C00C:    cs_str = "TLS/ECDH-RSA/RC4-128/SHA";        break;
+  case 0x00C00D:    cs_str = "TLS/ECDH-RSA/3DES-EDE-CBC/SHA";   break;
+  case 0x00C00E:    cs_str = "TLS/ECDH-RSA/AES128-CBC/SHA";     break;
+  case 0x00C00F:    cs_str = "TLS/ECDH-RSA/AES256-CBC/SHA";     break;
+  case 0x00C010:    cs_str = "TLS/ECDHE-RSA/NULL/SHA";          break;
+  case 0x00C011:    cs_str = "TLS/ECDHE-RSA/RC4-128/SHA";       break;
+  case 0x00C012:    cs_str = "TLS/ECDHE-RSA/3DES-EDE-CBC/SHA";  break;
+  case 0x00C013:    cs_str = "TLS/ECDHE-RSA/AES128-CBC/SHA";    break;
+  case 0x00C014:    cs_str = "TLS/ECDHE-RSA/AES256-CBC/SHA";    break;
+  case 0x00C015:    cs_str = "TLS/ECDH-anon/NULL/SHA";          break;
+  case 0x00C016:    cs_str = "TLS/ECDH-anon/RC4-128/SHA";       break;
+  case 0x00C017:    cs_str = "TLS/ECDH-anon/3DES-EDE-CBC/SHA";  break;
+  case 0x00C018:    cs_str = "TLS/ECDH-anon/AES128-CBC/SHA";    break;
+  case 0x00C019:    cs_str = "TLS/ECDH-anon/AES256-CBC/SHA";    break;
+
+  case 0x00feff:    cs_str = "SSL3/RSA-FIPS/3DESEDE-CBC/SHA";	break;
+  case 0x00fefe:    cs_str = "SSL3/RSA-FIPS/DES-CBC/SHA";	break;
+  case 0x00ffe1:    cs_str = "SSL3/RSA-FIPS/DES56-CBC/SHA";     break;
+  case 0x00ffe0:    cs_str = "SSL3/RSA-FIPS/3DES192EDE-CBC/SHA";break;
+
+  /* the string literal is broken up to avoid trigraphs */
+  default:          cs_str = "????" "/????????" "/?????????" "/???"; break;
+  }
+
+  return cs_str;
+}
+
+const char * helloExtensionNameString(int ex_num) {
+  const char *ex_name = NULL;
+  static char buf[10];
+
+  switch (ex_num) {
+  case  0: ex_name = "server_name";                    break;
+  case  1: ex_name = "max_fragment_length";            break;
+  case  2: ex_name = "client_certificate_url";         break;
+  case  3: ex_name = "trusted_ca_keys";                break;
+  case  4: ex_name = "truncated_hmac";                 break;
+  case  5: ex_name = "status_request";                 break;
+  case 10: ex_name = "elliptic_curves";                break;
+  case 11: ex_name = "ec_point_formats";               break;
+  case 35: ex_name = "session_ticket";                 break;
+  default: sprintf(buf, "%d", ex_num);  ex_name = (const char *)buf; break;
+  }
+
+  return ex_name;
+}
+
+static int isNULLmac(int cs_int)
+{
+    return (cs_int == SSL_NULL_WITH_NULL_NULL); 
+}
+
+static int isNULLcipher(int cs_int)
+{
+ return ((cs_int == SSL_RSA_WITH_NULL_MD5) ||
+         (cs_int == SSL_RSA_WITH_NULL_SHA) ||
+         (cs_int == SSL_FORTEZZA_DMS_WITH_NULL_SHA) ||
+         (cs_int == TLS_ECDH_ECDSA_WITH_NULL_SHA) ||
+         (cs_int == TLS_ECDHE_ECDSA_WITH_NULL_SHA) ||
+         (cs_int == TLS_ECDH_RSA_WITH_NULL_SHA) ||
+         (cs_int == TLS_ECDHE_RSA_WITH_NULL_SHA));
+} 
+
+void partial_packet(int thispacket, int size, int needed)
+{
+  PR_fprintf(PR_STDOUT,"(%u bytes", thispacket);
+  if (thispacket < needed) {
+    PR_fprintf(PR_STDOUT,", making %u", size);
+  }
+  PR_fprintf(PR_STDOUT," of %u", needed);
+  if (size > needed) {
+    PR_fprintf(PR_STDOUT,", with %u left over", size - needed);
+  }
+  PR_fprintf(PR_STDOUT,")\n");
+}
+
+char * get_time_string(void)
+{
+  char      *cp;
+  char      *eol;
+  time_t     tt;
+
+  time(&tt);
+  cp = ctime(&tt);
+  eol = strchr(cp, '\n');
+  if (eol) 
+    *eol = 0;
+  return cp;
+}
+
+void print_sslv2(DataBufferList *s, unsigned char *tbuf, unsigned int alloclen)
+{
+  ClientHelloV2 *chv2;
+  ServerHelloV2 *shv2;
+  unsigned char *pos;
+  unsigned int   p;
+  unsigned int   q;
+  PRUint32       len;
+
+  chv2 = (ClientHelloV2 *)tbuf;
+  shv2 = (ServerHelloV2 *)tbuf;
+  if (s->isEncrypted) {
+    PR_fprintf(PR_STDOUT," [ssl2]  Encrypted {...}\n");
+    return;
+  }
+  PR_fprintf(PR_STDOUT," [%s]", get_time_string() );
+  switch(chv2->type) {
+  case 1:
+    PR_fprintf(PR_STDOUT," [ssl2]  ClientHelloV2 {\n");
+    PR_fprintf(PR_STDOUT,"           version = {0x%02x, 0x%02x}\n",
+	       (PRUint32)chv2->version[0],(PRUint32)chv2->version[1]);
+    PR_fprintf(PR_STDOUT,"           cipher-specs-length = %d (0x%02x)\n",
+	       (PRUint32)(GET_SHORT((chv2->cslength))),
+	       (PRUint32)(GET_SHORT((chv2->cslength))));
+    PR_fprintf(PR_STDOUT,"           sid-length = %d (0x%02x)\n",
+	       (PRUint32)(GET_SHORT((chv2->sidlength))),
+	       (PRUint32)(GET_SHORT((chv2->sidlength))));
+    PR_fprintf(PR_STDOUT,"           challenge-length = %d (0x%02x)\n",
+	       (PRUint32)(GET_SHORT((chv2->rndlength))),
+	       (PRUint32)(GET_SHORT((chv2->rndlength))));
+    PR_fprintf(PR_STDOUT,"           cipher-suites = { \n");
+    for (p=0;p<GET_SHORT((chv2->cslength));p+=3) {
+      const char *cs_str=NULL;
+      PRUint32 cs_int=0;
+      cs_int = GET_24((&chv2->csuites[p]));
+      cs_str = V2CipherString(cs_int);
+
+      PR_fprintf(PR_STDOUT,"                (0x%06x) %s\n",
+		  cs_int, cs_str);
+    }
+    q = p;
+    PR_fprintf(PR_STDOUT,"                }\n");
+    if (chv2->sidlength) {
+      PR_fprintf(PR_STDOUT,"           session-id = { ");
+      for (p=0;p<GET_SHORT((chv2->sidlength));p+=2) {
+	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
+      }
+    }
+    q += p;
+    PR_fprintf(PR_STDOUT,"}\n");
+    if (chv2->rndlength) {
+      PR_fprintf(PR_STDOUT,"           challenge = { ");
+      for (p=0;p<GET_SHORT((chv2->rndlength));p+=2) {
+	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
+      }
+      PR_fprintf(PR_STDOUT,"}\n");
+    }
+    PR_fprintf(PR_STDOUT,"}\n");
+    break;
+    /* end of V2 CLientHello Parsing */
+
+  case 2:  /* Client Master Key  */
+    {
+    const char *cs_str=NULL;
+    PRUint32 cs_int=0;
+    ClientMasterKeyV2 *cmkv2;
+    cmkv2 = (ClientMasterKeyV2 *)chv2;
+    isV2Session = 1;
+
+    PR_fprintf(PR_STDOUT," [ssl2]  ClientMasterKeyV2 { \n");
+
+    cs_int = GET_24(&cmkv2->cipherkind[0]);
+    cs_str = V2CipherString(cs_int);
+    PR_fprintf(PR_STDOUT,"         cipher-spec-chosen = (0x%06x) %s\n",
+	       cs_int, cs_str);
+
+    PR_fprintf(PR_STDOUT,"         clear-portion = %d bits\n",
+	       8*(PRUint32)(GET_SHORT((cmkv2->clearkey))));
+
+    PR_fprintf(PR_STDOUT,"      }\n");
+    clientstream.isEncrypted = 1;
+    serverstream.isEncrypted = 1;
+    }
+    break;
+
+
+  case 3:
+    PR_fprintf(PR_STDOUT," [ssl2]  Client Finished V2 {...}\n");
+    isV2Session = 1;
+    break;
+
+
+  case 4:  /* V2 Server Hello */
+    isV2Session = 1;
+
+    PR_fprintf(PR_STDOUT," [ssl2]  ServerHelloV2 {\n");
+    PR_fprintf(PR_STDOUT,"           sid hit = {0x%02x}\n",
+	       (PRUintn)shv2->sidhit);
+    PR_fprintf(PR_STDOUT,"           version = {0x%02x, 0x%02x}\n",
+	       (PRUint32)shv2->version[0],(PRUint32)shv2->version[1]);
+    PR_fprintf(PR_STDOUT,"           cipher-specs-length = %d (0x%02x)\n",
+	       (PRUint32)(GET_SHORT((shv2->cslength))),
+	       (PRUint32)(GET_SHORT((shv2->cslength))));
+    PR_fprintf(PR_STDOUT,"           sid-length = %d (0x%02x)\n",
+	       (PRUint32)(GET_SHORT((shv2->cidlength))),
+	       (PRUint32)(GET_SHORT((shv2->cidlength))));
+
+    pos = (unsigned char *)shv2;
+    pos += 2;   /* skip length header */
+    pos += 11;  /* position pointer to Certificate data area */
+    q = GET_SHORT(&shv2->certlength);
+    if (q >alloclen) {
+      goto eosh;
+    }
+    pos += q; 			/* skip certificate */
+
+    PR_fprintf(PR_STDOUT,"           cipher-suites = { ");
+    len = GET_SHORT((shv2->cslength));
+    for (p = 0; p < len; p += 3) {
+      const char *cs_str=NULL;
+      PRUint32 cs_int=0;
+      cs_int = GET_24((pos+p));
+      cs_str = V2CipherString(cs_int);
+      PR_fprintf(PR_STDOUT,"\n              ");
+      PR_fprintf(PR_STDOUT,"(0x%06x) %s", cs_int, cs_str);
+    }
+    pos += len;
+    PR_fprintf(PR_STDOUT,"   }\n");	/* End of cipher suites */
+    len = (PRUint32)GET_SHORT((shv2->cidlength));
+    if (len) {
+      PR_fprintf(PR_STDOUT,"           connection-id = { ");
+      for (p = 0; p < len; p += 2) {
+	PR_fprintf(PR_STDOUT,"0x%04x ", (PRUint32)(GET_SHORT((pos + p))));
+      }
+      PR_fprintf(PR_STDOUT,"   }\n");	/* End of connection id */
+    }
+eosh:
+    PR_fprintf(PR_STDOUT,"\n              }\n"); /* end of ServerHelloV2 */
+    if (shv2->sidhit) {
+      clientstream.isEncrypted = 1;
+      serverstream.isEncrypted = 1;
+    }
+    break;
+
+  case 5:
+    PR_fprintf(PR_STDOUT," [ssl2]  Server Verify V2 {...}\n");
+    isV2Session = 1;
+    break;
+
+  case 6:
+    PR_fprintf(PR_STDOUT," [ssl2]  Server Finished V2 {...}\n");
+    isV2Session = 1;
+    break;
+
+  case 7:
+    PR_fprintf(PR_STDOUT," [ssl2]  Request Certificate V2 {...}\n");
+    isV2Session = 1;
+    break;
+
+  case 8:
+    PR_fprintf(PR_STDOUT," [ssl2]  Client Certificate V2 {...}\n");
+    isV2Session = 1;
+    break;
+
+  default:
+    PR_fprintf(PR_STDOUT," [ssl2]  UnknownType 0x%02x {...}\n",
+	  (PRUint32)chv2->type);
+    break;
+  }
+}
+
+
+
+unsigned int print_hello_extension(unsigned char *  hsdata,
+				   unsigned int     length,
+				   unsigned int     pos)
+{
+  /* pretty print extensions, if any */
+  if (pos < length) {
+    int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
+    PR_fprintf(PR_STDOUT,
+	       "            extensions[%d] = {\n", exListLen);
+    while (exListLen > 0 && pos < length) {
+      int exLen;
+      int exType = GET_SHORT((hsdata+pos)); pos += 2;
+      exLen = GET_SHORT((hsdata+pos)); pos += 2;
+      /* dump the extension */
+      PR_fprintf(PR_STDOUT,
+		 "              extension type %s, length [%d]",
+		 helloExtensionNameString(exType), exLen);
+      if (exLen > 0) {
+	  PR_fprintf(PR_STDOUT, " = {\n");
+	  print_hex(exLen, hsdata + pos);
+	  PR_fprintf(PR_STDOUT, "              }\n");
+      } else {
+	  PR_fprintf(PR_STDOUT, "\n");
+      }
+      pos += exLen;
+      exListLen -= 2 + exLen;
+    }
+    PR_fprintf(PR_STDOUT,"            }\n");
+  }
+  return pos;
+}
+
+
+void print_ssl3_handshake(unsigned char *tbuf, 
+                          unsigned int   alloclen,
+                          SSLRecord *    sr)
+{
+  struct sslhandshake sslh; 
+  unsigned char *     hsdata;  
+  int                 offset=0;
+
+  PR_fprintf(PR_STDOUT,"   handshake {\n");
+
+  while (offset + hMACsize < alloclen) {
+    sslh.type = tbuf[offset]; 
+    sslh.length = GET_24(tbuf+offset+1);
+    hsdata= &tbuf[offset+4];
+
+    if (sslhexparse) print_hex(4,tbuf+offset);
+
+    PR_fprintf(PR_STDOUT,"      type = %d (",sslh.type);
+    switch(sslh.type) {
+    case 0:  PR_FPUTS("hello_request)\n"               ); break;
+    case 1:  PR_FPUTS("client_hello)\n"                ); break;
+    case 2:  PR_FPUTS("server_hello)\n"                ); break;
+    case 4:  PR_FPUTS("new_session_ticket)\n"          ); break;
+    case 11: PR_FPUTS("certificate)\n"                 ); break;
+    case 12: PR_FPUTS("server_key_exchange)\n"         ); break;
+    case 13: PR_FPUTS("certificate_request)\n"         ); break;
+    case 14: PR_FPUTS("server_hello_done)\n"           ); break;
+    case 15: PR_FPUTS("certificate_verify)\n"          ); break;
+    case 16: PR_FPUTS("client_key_exchange)\n"         ); break;
+    case 20: PR_FPUTS("finished)\n"                    ); break;
+    default: PR_FPUTS("unknown)\n"                     ); break;
+    }
+
+    PR_fprintf(PR_STDOUT,"      length = %d (0x%06x)\n",sslh.length,sslh.length);
+    switch (sslh.type) {
+
+    case 0: /* hello_request */ /* not much to show here. */ break;
+
+    case 1: /* client hello */
+      switch (sr->ver_maj)  {
+      case 3:  /* ssl version 3 */
+	{
+	  unsigned int pos;
+	  int w;
+
+	  PR_fprintf(PR_STDOUT,"         ClientHelloV3 {\n");
+	  PR_fprintf(PR_STDOUT,"            client_version = {%d, %d}\n",
+		     (PRUint8)hsdata[0],(PRUint8)hsdata[1]);
+	  PR_fprintf(PR_STDOUT,"            random = {...}\n");
+	  if (sslhexparse) print_hex(32,&hsdata[2]);
+
+	  /* pretty print Session ID */
+	  {
+	    int sidlength = (int)hsdata[2+32];
+	    PR_fprintf(PR_STDOUT,"            session ID = {\n");
+	    PR_fprintf(PR_STDOUT,"                length = %d\n",sidlength);
+	    PR_fprintf(PR_STDOUT,"                contents = {...}\n");
+	    if (sslhexparse) print_hex(sidlength,&hsdata[2+32+1]);
+	    PR_fprintf(PR_STDOUT,"            }\n");
+	    pos = 2+32+1+sidlength;
+	  }
+
+	  /* pretty print cipher suites */
+	  {
+	    int csuitelength = GET_SHORT((hsdata+pos));
+	    PR_fprintf(PR_STDOUT,"            cipher_suites[%d] = { \n",
+		       csuitelength/2);
+	    if (csuitelength % 2) {
+	      PR_fprintf(PR_STDOUT,
+		 "*error in protocol - csuitelength shouldn't be odd*\n");
+	    }
+	    for (w=0; w<csuitelength; w+=2) {
+	      const char *cs_str=NULL;
+	      PRUint32 cs_int=0;
+	      cs_int = GET_SHORT((hsdata+pos+2+w));
+	      cs_str = V2CipherString(cs_int);
+	      PR_fprintf(PR_STDOUT,
+		"                (0x%04x) %s\n", cs_int, cs_str);
+	    }
+	    pos += 2 + csuitelength;
+	    PR_fprintf(PR_STDOUT,"            }\n");
+	  }
+
+	  /* pretty print compression methods */
+	  {
+	    int complength = hsdata[pos];
+	    PR_fprintf(PR_STDOUT,"            compression[%d] = {",
+	               complength);
+	    for (w=0; w < complength; w++) {
+	      PR_fprintf(PR_STDOUT, " %02x", hsdata[pos+1+w]);
+	    }
+	    pos += 1 + complength;
+	    PR_fprintf(PR_STDOUT," }\n");
+	  }
+
+	  /* pretty print extensions, if any */
+	  pos = print_hello_extension(hsdata, sslh.length, pos);
+
+	  PR_fprintf(PR_STDOUT,"         }\n");
+	} /* end of ssl version 3 */
+	break;
+      default:
+	PR_fprintf(PR_STDOUT,"         UNDEFINED VERSION %d.%d {...}\n",
+	                     sr->ver_maj, sr->ver_min );
+	if (sslhexparse) print_hex(sslh.length, hsdata);
+	break;
+      } /* end of switch sr->ver_maj */
+      break;
+
+    case 2: /* server hello */
+      {
+	unsigned int sidlength, pos;
+
+	PR_fprintf(PR_STDOUT,"         ServerHello {\n");
+
+	PR_fprintf(PR_STDOUT,"            server_version = {%d, %d}\n",
+		   (PRUint8)hsdata[0],(PRUint8)hsdata[1]);
+	PR_fprintf(PR_STDOUT,"            random = {...}\n");
+	if (sslhexparse) print_hex(32,&hsdata[2]);
+	PR_fprintf(PR_STDOUT,"            session ID = {\n");
+	sidlength = (int)hsdata[2+32];
+	PR_fprintf(PR_STDOUT,"                length = %d\n",sidlength);
+	PR_fprintf(PR_STDOUT,"                contents = {...}\n");
+	if (sslhexparse) print_hex(sidlength,&hsdata[2+32+1]);
+	PR_fprintf(PR_STDOUT,"            }\n");
+	pos = 2+32+1+sidlength;
+
+	/* pretty print chosen cipher suite */
+	{
+	  PRUint32 cs_int    = GET_SHORT((hsdata+pos));
+	  const char *cs_str = V2CipherString(cs_int);
+	  PR_fprintf(PR_STDOUT,"            cipher_suite = (0x%04x) %s\n",
+		     cs_int, cs_str);
+	  currentcipher = cs_int;
+	  pos += 2;
+	}
+	PR_fprintf(PR_STDOUT,  "            compression method = %02x\n", 
+		   hsdata[pos++]);
+
+	/* pretty print extensions, if any */
+	pos = print_hello_extension(hsdata, sslh.length, pos);
+
+	PR_fprintf(PR_STDOUT,"         }\n");
+      }
+      break;
+
+    case 4: /* new session ticket */
+      {
+	PRUint32 lifetimehint;
+	PRUint16 ticketlength;
+	char lifetime[32];
+	lifetimehint = GET_32(hsdata);
+	if (lifetimehint) {
+	  PRExplodedTime et;
+	  PRTime t = lifetimehint;
+	  t *= PR_USEC_PER_SEC;
+	  PR_ExplodeTime(t, PR_GMTParameters, &et);
+	  /* use HTTP Cookie header's date format */
+	  PR_FormatTimeUSEnglish(lifetime, sizeof lifetime,
+				 "%a, %d-%b-%Y %H:%M:%S GMT", &et);
+	} else {
+	  /* 0 means the lifetime of the ticket is unspecified */
+	  strcpy(lifetime, "unspecified");
+	}
+	ticketlength = GET_SHORT((hsdata+4));
+	PR_fprintf(PR_STDOUT,"         NewSessionTicket {\n");
+	PR_fprintf(PR_STDOUT,"            ticket_lifetime_hint = %s\n",
+		   lifetime);
+	PR_fprintf(PR_STDOUT,"            ticket = {\n");
+	PR_fprintf(PR_STDOUT,"                length = %d\n",ticketlength);
+	PR_fprintf(PR_STDOUT,"                contents = {...}\n");
+	if (sslhexparse) print_hex(ticketlength,&hsdata[4+2]);
+	PR_fprintf(PR_STDOUT,"            }\n");
+	PR_fprintf(PR_STDOUT,"         }\n");
+      }
+      break;
+
+    case 11: /* certificate */
+      {
+	PRFileDesc *cfd;
+	int         pos;
+	int         certslength;
+	int         certlength;
+	int         certbytesread	= 0;
+	static int  certFileNumber;
+	char        certFileName[20];
+
+	PR_fprintf(PR_STDOUT,"         CertificateChain {\n");
+	certslength = GET_24(hsdata);
+	PR_fprintf(PR_STDOUT,"            chainlength = %d (0x%04x)\n",
+		certslength,certslength);
+	pos = 3;
+	while (certbytesread < certslength) {
+	  certlength = GET_24((hsdata+pos));
+	  pos += 3;
+	  PR_fprintf(PR_STDOUT,"            Certificate {\n");
+	  PR_fprintf(PR_STDOUT,"               size = %d (0x%04x)\n",
+		certlength,certlength);
+
+	  PR_snprintf(certFileName, sizeof certFileName, "cert.%03d",
+	              ++certFileNumber);
+	  cfd = PR_Open(certFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, 
+	                0664);
+	  if (!cfd) {
+	    PR_fprintf(PR_STDOUT,
+	               "               data = { couldn't save file '%s' }\n",
+		       certFileName);
+	  } else {
+	    PR_Write(cfd, (hsdata+pos), certlength);
+	    PR_fprintf(PR_STDOUT,
+	               "               data = { saved in file '%s' }\n",
+		       certFileName);
+	    PR_Close(cfd);
+	  }
+
+	  PR_fprintf(PR_STDOUT,"            }\n");
+	  pos           += certlength;
+	  certbytesread += certlength+3;
+	}
+	PR_fprintf(PR_STDOUT,"         }\n");
+      }
+      break;
+
+    case 12: /* server_key_exchange */                    
+      if (sslhexparse) print_hex(sslh.length, hsdata);
+      break;
+
+    case 13: /* certificate request */
+      { 
+	unsigned int pos = 0;
+	int w, reqLength;
+
+	PR_fprintf(PR_STDOUT,"         CertificateRequest {\n");
+
+	/* pretty print requested certificate types */
+	reqLength = hsdata[pos];
+	PR_fprintf(PR_STDOUT,"            certificate types[%d] = {",
+		   reqLength);
+	for (w=0; w < reqLength; w++) {
+	  PR_fprintf(PR_STDOUT, " %02x", hsdata[pos+1+w]);
+	}
+	pos += 1 + reqLength;
+	PR_fprintf(PR_STDOUT," }\n");
+
+	/* pretty print CA names, if any */
+	if (pos < sslh.length) {
+	  int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
+	  PR_fprintf(PR_STDOUT,
+		     "            certificate_authorities[%d] = {\n", 
+		     exListLen);
+	  while (exListLen > 0 && pos < sslh.length) {
+	    char *  ca_name;
+	    SECItem it;
+	    int     dnLen = GET_SHORT((hsdata+pos)); pos += 2;
+
+	    /* dump the CA name */
+	    it.type = siBuffer;
+	    it.data = hsdata + pos;
+	    it.len  = dnLen;
+	    ca_name = CERT_DerNameToAscii(&it);
+	    if (ca_name) {
+	      PR_fprintf(PR_STDOUT,"   %s\n", ca_name);
+	      PORT_Free(ca_name);
+	    } else {
+	      PR_fprintf(PR_STDOUT,
+			 "              distinguished name [%d]", dnLen);
+	      if (dnLen > 0 && sslhexparse) {
+		  PR_fprintf(PR_STDOUT, " = {\n");
+		  print_hex(dnLen, hsdata + pos);
+		  PR_fprintf(PR_STDOUT, "              }\n");
+	      } else {
+		  PR_fprintf(PR_STDOUT, "\n");
+	      }
+            }
+	    pos += dnLen;
+	    exListLen -= 2 + dnLen;
+	  }
+	  PR_fprintf(PR_STDOUT,"            }\n");
+	}
+
+	PR_fprintf(PR_STDOUT,"         }\n");
+      }
+      break;
+
+    case 14: /* server_hello_done */ /* not much to show here. */ break;
+
+    case 15: /* certificate_verify */	           
+      if (sslhexparse) print_hex(sslh.length, hsdata);
+      break;
+
+    case 16: /* client key exchange */
+      {
+	PR_fprintf(PR_STDOUT,"         ClientKeyExchange {\n");
+	PR_fprintf(PR_STDOUT,"            message = {...}\n");
+	PR_fprintf(PR_STDOUT,"         }\n");
+      }
+      break;
+
+    case 20: /* finished */			 
+      PR_fprintf(PR_STDOUT,"         Finished {\n");
+      PR_fprintf(PR_STDOUT,"            verify_data = {...}\n");
+      if (sslhexparse) print_hex(sslh.length, hsdata);
+      PR_fprintf(PR_STDOUT,"         }\n");
+
+      if (!isNULLmac(currentcipher) && !hMACsize) {
+          /* To calculate the size of MAC, we subtract the number
+           * of known bytes of message from the number of remaining
+           * bytes in the record. */
+          hMACsize = alloclen - (sslh.length + 4);
+      }
+      break;
+
+    default:
+      {
+	PR_fprintf(PR_STDOUT,"         UNKNOWN MESSAGE TYPE %d [%d] {\n",
+	                     sslh.type, sslh.length);
+	if (sslhexparse) print_hex(sslh.length, hsdata);
+	PR_fprintf(PR_STDOUT,"         }\n");
+
+      }
+    }  /* end of switch sslh.type */
+    offset += sslh.length + 4; /* +4 because of length (3 bytes) and type (1 byte) */
+  } /* while */
+  if (hMACsize) {
+      /* at this point offset should be at the first byte of MAC */
+      if (offset + hMACsize > alloclen) {
+          PR_fprintf(PR_STDOUT,"BAD RECORD: content + MAC ends beyond "
+                     "allocated limit.\n");
+      } else {
+          PR_fprintf(PR_STDOUT,"      MAC = {...}\n");
+          if (sslhexparse) print_hex(hMACsize, hsdata);
+      }
+  }
+  PR_fprintf(PR_STDOUT,"   }\n");
+}
+
+
+void print_ssl(DataBufferList *s, int length, unsigned char *buffer)
+{
+  /* --------------------------------------------------------  */
+  /* first, create a new buffer object for this piece of data. */
+
+  DataBuffer *db;
+  int i,l;
+
+  if (s->size == 0 && length > 0 && buffer[0] >= 32 && buffer[0] < 128) {
+    /* Not an SSL record, treat entire buffer as plaintext */
+    PR_Write(PR_STDOUT,buffer,length);
+    return;
+  }
+
+
+  check_integrity(s);
+
+  i = 0;
+  l = length;
+
+  db = PR_NEW(struct _DataBuffer);
+
+  db->buffer = (unsigned char*)PR_Malloc(length);
+  db->length = length;
+  db->offset = 0;
+  memcpy(db->buffer, buffer, length);
+  db->next = NULL;
+
+  /* now, add it to the stream */
+
+  if (s->last != NULL) s->last->next = db;
+  s->last = db;
+  s->size += length;
+  if (s->first == NULL) s->first = db;
+
+  check_integrity(s);
+
+  /*------------------------------------------------------- */
+  /* now we look at the stream to see if we have enough data to
+     decode  */
+
+  while (s->size > 0 ) {
+    unsigned char *tbuf = NULL;
+
+    SSLRecord sr;
+    unsigned alloclen;
+    unsigned recordsize;
+
+    check_integrity(s);
+
+    if ( s->first == NULL) {
+      PR_fprintf(PR_STDOUT,"ERROR: s->first is null\n");
+      exit(9);
+    }
+
+    /* in the case of an SSL 2 client-hello (which is all ssltap supports) */
+    /* will have the high-bit set, whereas an SSL 3 client-hello will not  */
+    /* SSL2 can also send records that begin with the high bit clear.
+     * This code will incorrectly handle them. XXX
+     */
+    if (isV2Session || s->first->buffer[s->first->offset] & 0x80) {
+      /* it's an SSL 2 packet */
+      unsigned char lenbuf[3];
+
+      /* first, we check if there's enough data for it to be an SSL2-type
+       * record.  What a pain.*/
+      if (s->size < sizeof lenbuf) {
+	partial_packet(length, s->size, sizeof lenbuf);
+	return;
+      }
+
+      /* read the first two bytes off the stream. */
+      read_stream_bytes(lenbuf, s, sizeof(lenbuf));
+      alloclen = ((unsigned int)(lenbuf[0] & 0x7f) << 8) + lenbuf[1] + 
+                 ((lenbuf[0] & 0x80) ? 2 : 3);
+      PR_fprintf(PR_STDOUT, "alloclen = %u bytes\n", alloclen);
+
+      /* put 'em back on the head of the stream. */
+      db = PR_NEW(struct _DataBuffer);
+
+      db->length = sizeof lenbuf;
+      db->buffer = (unsigned char*) PR_Malloc(db->length);
+      db->offset = 0;
+      memcpy(db->buffer, lenbuf, sizeof lenbuf);
+
+      db->next = s->first;
+      s->first = db;
+      if (s->last == NULL) 
+	s->last = db;
+      s->size += db->length;
+
+      /* if there wasn't enough, go back for more. */
+      if (s->size < alloclen) {
+	check_integrity(s);
+	partial_packet(length, s->size, alloclen);
+	return;
+      }
+      partial_packet(length, s->size, alloclen);
+
+      /* read in the whole record. */
+      tbuf = PR_Malloc(alloclen);
+      read_stream_bytes(tbuf, s, alloclen);
+
+      print_sslv2(s, tbuf, alloclen);
+      PR_FREEIF(tbuf);
+      check_integrity(s);
+
+      continue;
+    }
+
+    /***********************************************************/
+    /* It's SSL v3 */
+    /***********************************************************/
+    check_integrity(s);
+
+    if (s->size < sizeof(SSLRecord)) {
+      partial_packet(length, s->size, sizeof(SSLRecord));
+      return;
+    }
+
+    read_stream_bytes((unsigned char *)&sr, s, sizeof sr);
+
+    /* we have read the stream bytes. Look at the length of
+       the ssl record. If we don't have enough data to satisfy this
+       request, then put the bytes we just took back at the head
+       of the queue */
+    recordsize = GET_SHORT(sr.length);
+
+    if (recordsize > s->size) {
+      db = PR_NEW(struct _DataBuffer);
+
+      db->length = sizeof sr;
+      db->buffer = (unsigned char*) PR_Malloc(db->length);
+      db->offset = 0;
+      memcpy(db->buffer, &sr, sizeof sr);
+      db->next = s->first;
+
+      /* now, add it back on to the head of the stream */
+
+      s->first = db;
+      if (s->last == NULL) 
+        s->last = db;
+      s->size += db->length;
+
+      check_integrity(s);
+      partial_packet(length, s->size, recordsize);
+      return;
+    }
+    partial_packet(length, s->size, recordsize);
+
+
+    PR_fprintf(PR_STDOUT,"SSLRecord { [%s]\n", get_time_string() );
+    if (sslhexparse) {
+      print_hex(5,(unsigned char*)&sr);
+    }
+
+    check_integrity(s);
+
+    PR_fprintf(PR_STDOUT,"   type    = %d (",sr.type);
+    switch(sr.type) {
+    case 20 :
+      PR_fprintf(PR_STDOUT,"change_cipher_spec)\n");
+      break;
+    case 21 :
+      PR_fprintf(PR_STDOUT,"alert)\n");
+      break;
+    case 22 :
+      PR_fprintf(PR_STDOUT,"handshake)\n");
+      break;
+    case 23 :
+      PR_fprintf(PR_STDOUT,"application_data)\n");
+      break;
+    default:
+      PR_fprintf(PR_STDOUT,"unknown)\n");
+      break;
+    }
+    PR_fprintf(PR_STDOUT,"   version = { %d,%d }\n",
+	       (PRUint32)sr.ver_maj,(PRUint32)sr.ver_min);
+    PR_fprintf(PR_STDOUT,"   length  = %d (0x%x)\n",
+    	(PRUint32)GET_SHORT(sr.length), (PRUint32)GET_SHORT(sr.length));
+
+
+    alloclen = recordsize;
+    PR_ASSERT(s->size >= alloclen);
+    if (s->size >= alloclen) {
+      tbuf = (unsigned char*) PR_Malloc(alloclen);
+      read_stream_bytes(tbuf, s, alloclen);
+
+      if (s->isEncrypted) {
+	PR_fprintf(PR_STDOUT,"            < encrypted >\n");
+      } else 
+
+      switch(sr.type) {
+      case 20 : /* change_cipher_spec */
+	if (sslhexparse) print_hex(alloclen,tbuf);
+         /* mark to say we can only dump hex form now on
+          * if it is not one on a null cipher */
+	s->isEncrypted = isNULLcipher(currentcipher) ? 0 : 1; 
+	break;
+
+      case 21 : /* alert */
+	switch(tbuf[0]) {
+	case 1: PR_fprintf(PR_STDOUT, "   warning: "); break;
+	case 2: PR_fprintf(PR_STDOUT, "   fatal: "); break;
+	default: PR_fprintf(PR_STDOUT, "   unknown level %d: ", tbuf[0]); break;
+	}
+
+	switch(tbuf[1]) {
+	case 0:   PR_FPUTS("close_notify\n"                    ); break;
+	case 10:  PR_FPUTS("unexpected_message\n"              ); break;
+	case 20:  PR_FPUTS("bad_record_mac\n"                  ); break;
+	case 21:  PR_FPUTS("decryption_failed\n"               ); break;
+	case 22:  PR_FPUTS("record_overflow\n"                 ); break;
+	case 30:  PR_FPUTS("decompression_failure\n"           ); break;
+	case 40:  PR_FPUTS("handshake_failure\n"               ); break;
+	case 41:  PR_FPUTS("no_certificate\n"                  ); break;
+	case 42:  PR_FPUTS("bad_certificate\n"                 ); break;
+	case 43:  PR_FPUTS("unsupported_certificate\n"         ); break;
+	case 44:  PR_FPUTS("certificate_revoked\n"             ); break;
+	case 45:  PR_FPUTS("certificate_expired\n"             ); break;
+	case 46:  PR_FPUTS("certificate_unknown\n"             ); break;
+	case 47:  PR_FPUTS("illegal_parameter\n"               ); break;
+	case 48:  PR_FPUTS("unknown_ca\n"                      ); break;
+	case 49:  PR_FPUTS("access_denied\n"                   ); break;
+	case 50:  PR_FPUTS("decode_error\n"                    ); break;
+	case 51:  PR_FPUTS("decrypt_error\n"                   ); break;
+	case 60:  PR_FPUTS("export_restriction\n"              ); break;
+	case 70:  PR_FPUTS("protocol_version\n"                ); break;
+	case 71:  PR_FPUTS("insufficient_security\n"           ); break;
+	case 80:  PR_FPUTS("internal_error\n"                  ); break;
+	case 90:  PR_FPUTS("user_canceled\n"                   ); break;
+	case 100: PR_FPUTS("no_renegotiation\n"                ); break;
+	case 110: PR_FPUTS("unsupported_extension\n"           ); break;
+	case 111: PR_FPUTS("certificate_unobtainable\n"        ); break;
+	case 112: PR_FPUTS("unrecognized_name\n"               ); break;
+	case 113: PR_FPUTS("bad_certificate_status_response\n" ); break;
+	case 114: PR_FPUTS("bad_certificate_hash_value\n"      ); break;
+
+	default:  PR_fprintf(PR_STDOUT, "unknown alert %d\n", tbuf[1]); break;
+	}
+
+	if (sslhexparse) print_hex(alloclen,tbuf);
+	break;
+
+      case 22 : /* handshake */ 	
+        print_ssl3_handshake( tbuf, alloclen, &sr );
+	break;
+
+      case 23 : /* application data */
+         if (hMACsize) {
+             print_hex(alloclen - hMACsize,tbuf);
+             PR_fprintf(PR_STDOUT,"      MAC = {...}\n");
+             if (sslhexparse) {
+                 unsigned char *offset = tbuf + (alloclen - hMACsize);
+                 print_hex(hMACsize, offset);
+             }
+         } else {
+             print_hex(alloclen,tbuf);
+         }
+         break;
+
+      default:
+	print_hex(alloclen,tbuf);
+	break;
+      }
+    }
+    PR_fprintf(PR_STDOUT,"}\n");
+    PR_FREEIF(tbuf);
+    check_integrity(s);
+  }
+}
+
+void print_hex(int amt, unsigned char *buf) {
+  int i,j,k;
+  char t[20];
+  static char string[5000];
+
+
+  for(i=0;i<amt;i++) {
+    t[1] =0;
+
+    if (i%16 ==0) {  /* if we are at the beginning of a line */
+      PR_fprintf(PR_STDOUT,"%4x:",i); /* print the line number  */
+      strcpy(string,"");
+    }
+
+    if (i%4 == 0) {
+      PR_fprintf(PR_STDOUT," ");
+    }
+
+    j = buf[i];
+
+    t[0] = (j >= 0x20 && j < 0x80) ? j : '.';
+
+    if (fancy)  {
+      switch (t[0]) {
+      case '<':
+        strcpy(t,"&lt;");
+        break;
+      case '>':
+        strcpy(t,"&gt;");
+        break;
+      case '&':
+        strcpy(t,"&amp;");
+        break;
+      }
+    }
+    strcat(string,t);
+
+    PR_fprintf(PR_STDOUT,"%02x ",(PRUint8) buf[i]);
+
+    /* if we've reached the end of the line - add the string */
+    if (i%16 == 15) PR_fprintf(PR_STDOUT," | %s\n",string);
+  }
+  /* we reached the end of the buffer,*/
+  /* do we have buffer left over? */
+  j = i%16;
+  if (j > 0) {
+    for (k=0;k<(16-j);k++) {
+        /* print additional space after every four bytes */
+        if ((k + j)%4 == 0) {
+            PR_fprintf(PR_STDOUT," ");
+        }
+        PR_fprintf(PR_STDOUT,"   ");
+    }
+    PR_fprintf(PR_STDOUT," | %s\n",string);
+  }
+}
+
+void Usage(void) {
+  PR_fprintf(PR_STDERR, "SSLTAP (C) 1997, 1998 Netscape Communications Corporation.\n");
+  PR_fprintf(PR_STDERR, "Usage: ssltap [-vhfsxl] [-p port] hostname:port\n");
+  PR_fprintf(PR_STDERR, "   -v      [prints version string]\n");
+  PR_fprintf(PR_STDERR, "   -h      [outputs hex instead of ASCII]\n");
+  PR_fprintf(PR_STDERR, "   -f      [turn on Fancy HTML coloring]\n");
+  PR_fprintf(PR_STDERR, "   -s      [turn on SSL decoding]\n");
+  PR_fprintf(PR_STDERR, "   -x      [turn on extra SSL hex dumps]\n");
+  PR_fprintf(PR_STDERR, "   -p port [specify rendezvous port (default 1924)]\n");
+  PR_fprintf(PR_STDERR, "   -l      [loop - continue to wait for more connections]\n");
+
+
+}
+
+void
+showErr(const char * msg) {
+  PRErrorCode  err       = PR_GetError();
+  const char * errString;
+
+  if (err == PR_UNKNOWN_ERROR)
+    err = PR_CONNECT_RESET_ERROR;	/* bug in NSPR. */
+  errString = SECU_Strerror(err);
+
+  if (!errString)
+    errString = "(no text available)";
+  PR_fprintf(PR_STDERR, "Error %d: %s: %s", err, errString, msg);
+}
+
+int main(int argc,  char *argv[])
+{
+  char *hostname=NULL;
+  PRUint16 rendport=DEFPORT,port;
+  PRHostEnt hp;
+  PRStatus r;
+  PRNetAddr na_client,na_server,na_rend;
+  PRFileDesc *s_server,*s_client,*s_rend; /*rendezvous */
+  char netdbbuf[PR_NETDB_BUF_SIZE];
+  int c_count=0;
+  PLOptState *optstate;
+  PLOptStatus status;
+  SECStatus   rv;
+
+  optstate = PL_CreateOptState(argc,argv,"fvxhslp:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+    switch (optstate->option) {
+    case 'f':
+      fancy++;
+      break;
+    case 'h':
+      hexparse++;
+      break;
+    case 'v':
+      PR_fprintf(PR_STDOUT,"Version: %s\n",VERSIONSTRING);
+      break;
+    case 's':
+      sslparse++;
+      break;
+    case 'x':
+      sslhexparse++;
+      break;
+    case 'l':
+      looparound++;
+      break;
+    case 'p':
+      rendport = atoi(optstate->value);
+      break;
+    case '\0':
+      hostname = PL_strdup(optstate->value);
+    }
+  }
+  if (status == PL_OPT_BAD)
+    Usage();
+
+  if (fancy) {
+    if (!hexparse && !sslparse) {
+      PR_fprintf(PR_STDERR,
+"Note: use of -f without -s or -h not recommended, \n"
+"as the output looks a little strange. It may be useful, however\n");
+    }
+  }
+
+  if(! hostname ) Usage(), exit(2);
+
+  {
+    char *colon = (char *)strchr(hostname, ':');
+    if (!colon) {
+      PR_fprintf(PR_STDERR,
+      "You must specify the host AND port you wish to connect to\n");
+      Usage(), exit(3);
+    }
+    port = atoi(&colon[1]);
+    *colon = '\0';
+
+    if (port == 0) {
+	PR_fprintf(PR_STDERR, "Port must be a nonzero number.\n");
+	exit(4);
+      }
+  }
+
+  /* find the 'server' IP address so we don't have to look it up later */
+
+  if (fancy) {
+      PR_fprintf(PR_STDOUT,"<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>\n");
+      PR_fprintf(PR_STDOUT,"<BODY><PRE>\n");
+    }
+  PR_fprintf(PR_STDERR,"Looking up \"%s\"...\n", hostname);
+  r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp);
+  if (r) {
+    showErr("Host Name lookup failed\n");
+    exit(5);
+  }
+
+  PR_EnumerateHostEnt(0,&hp,0,&na_server);
+  PR_InitializeNetAddr(PR_IpAddrNull,port,&na_server);
+  /* set up the port which the client will connect to */
+
+  r = PR_InitializeNetAddr(PR_IpAddrAny,rendport,&na_rend);
+  if (r == PR_FAILURE) {
+    PR_fprintf(PR_STDERR,
+    "PR_InitializeNetAddr(,%d,) failed with error %d\n",PR_GetError());
+    exit(0);
+  }
+
+  rv = NSS_NoDB_Init("");
+  if (rv != SECSuccess) {
+    PR_fprintf(PR_STDERR,
+    "NSS_NoDB_Init() failed with error %d\n",PR_GetError());
+    exit(5);
+  }
+
+  s_rend = PR_NewTCPSocket();
+  if (!s_rend) {
+    showErr("Couldn't create socket\n");
+    exit(6);
+  }
+
+  if (PR_Bind(s_rend, &na_rend )) {
+    PR_fprintf(PR_STDERR,"Couldn't bind to port %d (error %d)\n",rendport, PR_GetError());
+    exit(-1);
+  }
+
+  if ( PR_Listen(s_rend, 5)) {
+    showErr("Couldn't listen\n");
+    exit(-1);
+  }
+
+  PR_fprintf(PR_STDERR,"Proxy socket ready and listening\n");
+  do {	/* accept one connection and process it. */
+      PRPollDesc pds[2];
+
+      s_client = PR_Accept(s_rend,&na_client,PR_SecondsToInterval(3600));
+      if (s_client == NULL) {
+	showErr("accept timed out\n");
+	exit(7);
+      }
+
+      s_server = PR_NewTCPSocket();
+      if (s_server == NULL) {
+	showErr("couldn't open new socket to connect to server \n");
+	exit(8);
+      }
+
+      r = PR_Connect(s_server,&na_server,PR_SecondsToInterval(5));
+
+      if ( r == PR_FAILURE )
+        {
+	  showErr("Couldn't connect\n");
+	  return -1;
+        }
+
+      if (looparound) {
+	if (fancy)  PR_fprintf(PR_STDOUT,"<p><HR><H2>");
+	PR_fprintf(PR_STDOUT,"Connection #%d [%s]\n", c_count+1,
+	                     get_time_string());
+	if (fancy)  PR_fprintf(PR_STDOUT,"</H2>");
+	}
+
+
+      PR_fprintf(PR_STDOUT,"Connected to %s:%d\n", hostname, port);
+
+#define PD_C 0
+#define PD_S 1
+
+      pds[PD_C].fd = s_client;
+      pds[PD_S].fd = s_server;
+      pds[PD_C].in_flags = PR_POLL_READ;
+      pds[PD_S].in_flags = PR_POLL_READ;
+
+      /* make sure the new connections don't start out encrypted. */
+      clientstream.isEncrypted = 0;
+      serverstream.isEncrypted = 0;
+      isV2Session = 0;
+
+      while( (pds[PD_C].in_flags & PR_POLL_READ) != 0 ||
+             (pds[PD_S].in_flags & PR_POLL_READ) != 0 )
+        {  /* Handle all messages on the connection */
+	  PRInt32 amt;
+	  PRInt32 wrote;
+	  unsigned char buffer[ TAPBUFSIZ ];
+
+	  amt = PR_Poll(pds,2,PR_INTERVAL_NO_TIMEOUT);
+	  if (amt <= 0) {
+	    if (amt)
+		showErr( "PR_Poll failed.\n");
+	    else
+		showErr( "PR_Poll timed out.\n");
+	    break;
+	  }
+
+	  if (pds[PD_C].out_flags & PR_POLL_EXCEPT) {
+	    showErr( "Exception on client-side socket.\n");
+	    break;
+	  }
+
+	  if (pds[PD_S].out_flags & PR_POLL_EXCEPT) {
+	    showErr( "Exception on server-side socket.\n");
+	    break;
+	  }
+
+
+/* read data, copy it to stdout, and write to other socket */
+
+	  if ((pds[PD_C].in_flags  & PR_POLL_READ) != 0 &&
+	      (pds[PD_C].out_flags & PR_POLL_READ) != 0 ) {
+
+	    amt = PR_Read(s_client, buffer, sizeof(buffer));
+
+	    if ( amt < 0)  {
+	      showErr( "Client socket read failed.\n");
+	      break;
+	    }
+
+	    if( amt == 0 ) {
+	      PR_fprintf(PR_STDOUT, "Read EOF on Client socket. [%s]\n",
+	                            get_time_string() );
+	      pds[PD_C].in_flags &= ~PR_POLL_READ;
+	      PR_Shutdown(s_server, PR_SHUTDOWN_SEND);
+	      continue;
+	    }
+
+	    PR_fprintf(PR_STDOUT,"--> [\n");
+	    if (fancy) PR_fprintf(PR_STDOUT,"<font color=blue>");
+
+	    if (hexparse)  print_hex(amt, buffer);
+	    if (sslparse)  print_ssl(&clientstream,amt,buffer);
+	    if (!hexparse && !sslparse)  PR_Write(PR_STDOUT,buffer,amt);
+	    if (fancy) PR_fprintf(PR_STDOUT,"</font>");
+	    PR_fprintf(PR_STDOUT,"]\n");
+
+	    wrote = PR_Write(s_server, buffer, amt);
+	    if (wrote != amt )  {
+	      if (wrote < 0) {
+	        showErr("Write to server socket failed.\n");
+		break;
+	      } else {
+		PR_fprintf(PR_STDERR, "Short write to server socket!\n");
+	      }
+	    }
+	  }  /* end of read from client socket. */
+
+/* read data, copy it to stdout, and write to other socket */
+	  if ((pds[PD_S].in_flags  & PR_POLL_READ) != 0 &&
+	      (pds[PD_S].out_flags & PR_POLL_READ) != 0 ) {
+
+	    amt = PR_Read(s_server, buffer, sizeof(buffer));
+
+	    if ( amt < 0)  {
+	      showErr( "error on server-side socket.\n");
+	      break;
+	    }
+
+	    if( amt == 0 ) {
+	      PR_fprintf(PR_STDOUT, "Read EOF on Server socket. [%s]\n",
+	                            get_time_string() );
+	      pds[PD_S].in_flags &= ~PR_POLL_READ;
+	      PR_Shutdown(s_client, PR_SHUTDOWN_SEND);
+	      continue;
+	    } 
+
+	    PR_fprintf(PR_STDOUT,"<-- [\n");
+	    if (fancy) PR_fprintf(PR_STDOUT,"<font color=red>");
+	    if (hexparse)  print_hex(amt, (unsigned char *)buffer);
+	    if (sslparse)  print_ssl(&serverstream,amt,(unsigned char *)buffer);
+	    if (!hexparse && !sslparse)  PR_Write(PR_STDOUT,buffer,amt);
+	    if (fancy) PR_fprintf(PR_STDOUT,"</font>");
+	    PR_fprintf(PR_STDOUT,"]\n");
+
+
+	    wrote = PR_Write(s_client, buffer, amt);
+	    if (wrote != amt )  {
+	      if (wrote < 0) {
+	        showErr("Write to client socket failed.\n");
+		break;
+	      } else {
+		PR_fprintf(PR_STDERR, "Short write to client socket!\n");
+	      }
+	    }
+
+	  } /* end of read from server socket. */
+
+/* Loop, handle next message. */
+
+        }	/* handle messages during a connection loop */
+      PR_Close(s_client);
+      PR_Close(s_server);
+      flush_stream(&clientstream);
+      flush_stream(&serverstream);
+      /* Connection is closed, so reset the current cipher */
+      currentcipher = 0;
+      /* Reset MAC size */
+      hMACsize = 0;
+
+      c_count++;
+      PR_fprintf(PR_STDERR,"Connection %d Complete [%s]\n", c_count,
+                            get_time_string() );
+    }  while (looparound); /* accept connection and process it. */
+    PR_Close(s_rend);
+    NSS_Shutdown();
+    return 0;
+}
diff --git a/security/nss/cmd/strsclnt/Makefile b/security/nss/cmd/strsclnt/Makefile
new file mode 100644
index 000000000..9ee2a8f00
--- /dev/null
+++ b/security/nss/cmd/strsclnt/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/strsclnt/manifest.mn b/security/nss/cmd/strsclnt/manifest.mn
new file mode 100644
index 000000000..8f284ce45
--- /dev/null
+++ b/security/nss/cmd/strsclnt/manifest.mn
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = strsclnt.c
+
+# the MODULE above is always implicitly REQUIREd
+REQUIRES = seccmd dbm 
+
+PROGRAM = strsclnt
+# PROGRAM = ./$(OBJDIR)/strsclnt.exe
+
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
new file mode 100644
index 000000000..10c64bd3a
--- /dev/null
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -0,0 +1,1540 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+#include <stdlib.h>
+#if !defined(_WIN32_WCE)
+#include <errno.h>
+#include <fcntl.h>
+#endif
+#include <stdarg.h>
+
+#include "plgetopt.h"
+
+#include "nspr.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "prerror.h"
+
+#include "pk11func.h"
+#include "secitem.h"
+#include "sslproto.h"
+#include "nss.h"
+#include "ssl.h"
+
+#ifndef PORT_Sprintf
+#define PORT_Sprintf sprintf
+#endif
+
+#ifndef PORT_Strstr
+#define PORT_Strstr strstr
+#endif
+
+#ifndef PORT_Malloc
+#define PORT_Malloc PR_Malloc
+#endif
+
+#define RD_BUF_SIZE (60 * 1024)
+
+/* Include these cipher suite arrays to re-use tstclnt's 
+ * cipher selection code.
+ */
+
+int ssl2CipherSuites[] = {
+    SSL_EN_RC4_128_WITH_MD5,                    /* A */
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,           /* B */
+    SSL_EN_RC2_128_CBC_WITH_MD5,                /* C */
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,       /* D */
+    SSL_EN_DES_64_CBC_WITH_MD5,                 /* E */
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,           /* F */
+    0
+};
+
+int ssl3CipherSuites[] = {
+    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
+    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA     * b */
+    SSL_RSA_WITH_RC4_128_MD5,                   /* c */
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,              /* d */
+    SSL_RSA_WITH_DES_CBC_SHA,                   /* e */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,             /* f */
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,         /* g */
+    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA        * h */
+    SSL_RSA_WITH_NULL_MD5,                      /* i */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,         /* j */
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,              /* k */
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 	/* l */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,		/* m */
+    SSL_RSA_WITH_RC4_128_SHA,                   /* n */
+    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
+    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
+    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
+    SSL_RSA_WITH_NULL_SHA,			/* z */
+    0
+};
+
+#define NO_FULLHS_PERCENTAGE -1
+
+/* This global string is so that client main can see 
+ * which ciphers to use. 
+ */
+
+static const char *cipherString;
+
+static PRInt32 certsTested;
+static int MakeCertOK;
+static int NoReuse;
+static int fullhs = NO_FULLHS_PERCENTAGE; /* percentage of full handshakes to
+                                          ** perform */
+static PRInt32 globalconid = 0; /* atomically set */
+static int total_connections;  /* total number of connections to perform */
+static int total_connections_rounded_down_to_hundreds;
+static int total_connections_modulo_100;
+
+static PRBool NoDelay;
+static PRBool QuitOnTimeout = PR_FALSE;
+static PRBool ThrottleUp = PR_FALSE;
+
+static PRLock    * threadLock; /* protects the global variables below */
+static PRTime lastConnectFailure;
+static PRTime lastConnectSuccess;
+static PRTime lastThrottleUp;
+static PRInt32 remaining_connections;  /* number of connections left */
+static int active_threads = 8; /* number of threads currently trying to
+                               ** connect */
+static PRInt32 numUsed;
+/* end of variables protected by threadLock */
+
+static SSL3Statistics * ssl3stats;
+
+static int failed_already = 0;
+static PRBool disableSSL2     = PR_FALSE;
+static PRBool disableSSL3     = PR_FALSE;
+static PRBool disableTLS      = PR_FALSE;
+static PRBool bypassPKCS11    = PR_FALSE;
+static PRBool disableLocking  = PR_FALSE;
+static PRBool ignoreErrors    = PR_FALSE;
+static PRBool enableSessionTickets = PR_FALSE;
+
+PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
+
+char * progName;
+
+int	stopping;
+int	verbose;
+SECItem	bigBuf;
+
+#define PRINTF  if (verbose)  printf
+#define FPRINTF if (verbose) fprintf
+
+static void
+Usage(const char *progName)
+{
+    fprintf(stderr, 
+    	"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
+ 	"          [-23BDNTovqs] [-f filename] [-N | -P percentage]\n"
+	"          [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
+        "          [-W pwfile]\n"
+	" where -v means verbose\n"
+        "       -o flag is interpreted as follows:\n"
+        "          1 -o   means override the result of server certificate validation.\n"
+        "          2 -o's mean skip server certificate validation altogether.\n"
+	"       -D means no TCP delays\n"
+	"       -q means quit when server gone (timeout rather than retry forever)\n"
+	"       -s means disable SSL socket locking\n"
+	"       -N means no session reuse\n"
+	"       -P means do a specified percentage of full handshakes (0-100)\n"
+        "       -2 means disable SSL2\n"
+        "       -3 means disable SSL3\n"
+        "       -T means disable TLS\n"
+        "       -U means enable throttling up threads\n"
+	"       -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
+	"       -u enable TLS Session Ticket extension\n",
+	progName);
+    exit(1);
+}
+
+
+static void
+errWarn(char * funcString)
+{
+    PRErrorCode  perr      = PR_GetError();
+    const char * errString = SECU_Strerror(perr);
+
+    fprintf(stderr, "strsclnt: %s returned error %d:\n%s\n",
+            funcString, perr, errString);
+}
+
+static void
+errExit(char * funcString)
+{
+    errWarn(funcString);
+    exit(1);
+}
+
+/**************************************************************************
+** 
+** Routines for disabling SSL ciphers.
+**
+**************************************************************************/
+
+void
+disableAllSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv;
+
+    /* disable all the SSL3 cipher suites */
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+	if (rv != SECSuccess) {
+	    printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+	    	   suite, i);
+	    errWarn("SSL_CipherPrefSetDefault");
+	    exit(2);
+	}
+    }
+}
+
+/* This invokes the "default" AuthCert handler in libssl.
+** The only reason to use this one is that it prints out info as it goes. 
+*/
+static SECStatus
+mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
+		     PRBool isServer)
+{
+    SECStatus rv;
+    CERTCertificate *    peerCert;
+
+    if (MakeCertOK>=2) {
+        return SECSuccess;
+    }
+    peerCert = SSL_PeerCertificate(fd);
+
+    PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n", 
+           peerCert->subjectName, peerCert->issuerName); 
+    /* invoke the "default" AuthCert handler. */
+    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
+
+    PR_AtomicIncrement(&certsTested);
+    if (rv == SECSuccess) {
+	fputs("strsclnt: -- SSL: Server Certificate Validated.\n", stderr);
+    }
+    CERT_DestroyCertificate(peerCert);
+    /* error, if any, will be displayed by the Bad Cert Handler. */
+    return rv;  
+}
+
+static SECStatus
+myBadCertHandler( void *arg, PRFileDesc *fd)
+{
+    int err = PR_GetError();
+    if (!MakeCertOK)
+	fprintf(stderr, 
+	    "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", 
+            err, SECU_Strerror(err));
+    return (MakeCertOK ? SECSuccess : SECFailure);
+}
+
+void 
+printSecurityInfo(PRFileDesc *fd)
+{
+    CERTCertificate * cert = NULL;
+    SSL3Statistics * ssl3stats = SSL_GetStatistics();
+    SECStatus result;
+    SSLChannelInfo    channel;
+    SSLCipherSuiteInfo suite;
+
+    static int only_once;
+
+    if (only_once && verbose < 2)
+    	return;
+    only_once = 1;
+
+    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
+    if (result == SECSuccess && 
+        channel.length == sizeof channel && 
+	channel.cipherSuite) {
+	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
+					&suite, sizeof suite);
+	if (result == SECSuccess) {
+	    FPRINTF(stderr, 
+	    "strsclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
+	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
+	       suite.effectiveKeyBits, suite.symCipherName, 
+	       suite.macBits, suite.macAlgorithmName);
+	    FPRINTF(stderr, 
+	    "strsclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
+	       channel.authKeyBits, suite.authAlgorithmName,
+	       channel.keaKeyBits,  suite.keaTypeName);
+    	}
+    }
+
+    cert = SSL_LocalCertificate(fd);
+    if (!cert)
+	cert = SSL_PeerCertificate(fd);
+
+    if (verbose && cert) {
+	char * ip = CERT_NameToAscii(&cert->issuer);
+	char * sp = CERT_NameToAscii(&cert->subject);
+        if (sp) {
+	    fprintf(stderr, "strsclnt: subject DN: %s\n", sp);
+	    PORT_Free(sp);
+	}
+        if (ip) {
+	    fprintf(stderr, "strsclnt: issuer  DN: %s\n", ip);
+	    PORT_Free(ip);
+	}
+    }
+    if (cert) {
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+    fprintf(stderr,
+    	"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
+	"          %ld stateless resumes\n",
+    	ssl3stats->hsh_sid_cache_hits, 
+	ssl3stats->hsh_sid_cache_misses,
+	ssl3stats->hsh_sid_cache_not_ok,
+	ssl3stats->hsh_sid_stateless_resumes);
+
+}
+
+/**************************************************************************
+** Begin thread management routines and data.
+**************************************************************************/
+
+#define MAX_THREADS 128
+
+typedef int startFn(void *a, void *b, int c);
+
+
+static PRInt32     numConnected;
+static int         max_threads;    /* peak threads allowed */
+
+typedef struct perThreadStr {
+    void *	a;
+    void *	b;
+    int         tid;
+    int         rv;
+    startFn  *  startFunc;
+    PRThread *  prThread;
+    PRBool	inUse;
+} perThread;
+
+perThread threads[MAX_THREADS];
+
+void
+thread_wrapper(void * arg)
+{
+    perThread * slot = (perThread *)arg;
+    PRBool done = PR_FALSE;
+
+    do {
+        PRBool doop = PR_FALSE;
+        PRBool dosleep = PR_FALSE;
+        PRTime now = PR_Now();
+
+        PR_Lock(threadLock);
+        if (! (slot->tid < active_threads)) {
+            /* this thread isn't supposed to be running */
+            if (!ThrottleUp) {
+                /* we'll never need this thread again, so abort it */
+                done = PR_TRUE;
+            } else if (remaining_connections > 0) {
+                /* we may still need this thread, so just sleep for 1s */
+                dosleep = PR_TRUE;
+                /* the conditions to trigger a throttle up are :
+                ** 1. last PR_Connect failure must have happened more than
+                **    10s ago
+                ** 2. last throttling up must have happened more than 0.5s ago
+                ** 3. there must be a more recent PR_Connect success than
+                **    failure
+                */
+                if ( (now - lastConnectFailure > 10 * PR_USEC_PER_SEC) &&
+                    ( (!lastThrottleUp) || ( (now - lastThrottleUp) >=
+                                             (PR_USEC_PER_SEC/2)) ) &&
+                    (lastConnectSuccess > lastConnectFailure) ) {
+                    /* try throttling up by one thread */
+                    active_threads = PR_MIN(max_threads, active_threads+1);
+                    fprintf(stderr,"active_threads set up to %d\n",
+                            active_threads);
+                    lastThrottleUp = PR_MAX(now, lastThrottleUp);
+                }
+            } else {
+                /* no more connections left, we are done */
+                done = PR_TRUE;
+            }
+        } else {
+            /* this thread should run */
+            if (--remaining_connections >= 0) { /* protected by threadLock */
+                doop = PR_TRUE;
+            } else {
+                done = PR_TRUE;
+            }
+        }
+        PR_Unlock(threadLock);
+        if (doop) {
+            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
+            PRINTF("strsclnt: Thread in slot %d returned %d\n", 
+                   slot->tid, slot->rv);
+        }
+        if (dosleep) {
+            PR_Sleep(PR_SecondsToInterval(1));
+        }
+    } while (!done && (!failed_already || ignoreErrors));
+}
+
+SECStatus
+launch_thread(
+    startFn *	startFunc,
+    void *	a,
+    void *	b,
+    int         tid)
+{
+    PRUint32 i;
+    perThread * slot;
+
+    PR_Lock(threadLock);
+
+    PORT_Assert(numUsed < MAX_THREADS);
+    if (! (numUsed < MAX_THREADS)) {
+        PR_Unlock(threadLock);
+        return SECFailure;
+    }
+
+    i = numUsed++;
+    slot = &threads[i];
+    slot->a = a;
+    slot->b = b;
+    slot->tid = tid;
+
+    slot->startFunc = startFunc;
+
+    slot->prThread      = PR_CreateThread(PR_USER_THREAD,
+                                      thread_wrapper, slot,
+				      PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
+				      PR_JOINABLE_THREAD, 0);
+    if (slot->prThread == NULL) {
+	PR_Unlock(threadLock);
+	printf("strsclnt: Failed to launch thread!\n");
+	return SECFailure;
+    } 
+
+    slot->inUse   = 1;
+    PR_Unlock(threadLock);
+    PRINTF("strsclnt: Launched thread in slot %d \n", i);
+
+    return SECSuccess;
+}
+
+/* join all the threads */
+int 
+reap_threads(void)
+{
+    int         i;
+
+    for (i = 0; i < MAX_THREADS; ++i) {
+        if (threads[i].prThread) {
+            PR_JoinThread(threads[i].prThread);
+            threads[i].prThread = NULL;
+        }
+    }
+    return 0;
+}
+
+void
+destroy_thread_data(void)
+{
+    PORT_Memset(threads, 0, sizeof threads);
+
+    if (threadLock) {
+    	PR_DestroyLock(threadLock);
+	threadLock = NULL;
+    }
+}
+
+void
+init_thread_data(void)
+{
+    threadLock = PR_NewLock();
+}
+
+/**************************************************************************
+** End   thread management routines.
+**************************************************************************/
+
+PRBool useModelSocket = PR_TRUE;
+
+static const char stopCmd[] = { "GET /stop " };
+static const char outHeader[] = {
+    "HTTP/1.0 200 OK\r\n"
+    "Server: Netscape-Enterprise/2.0a\r\n"
+    "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
+    "Content-type: text/plain\r\n"
+    "\r\n"
+};
+
+struct lockedVarsStr {
+    PRLock *	lock;
+    int		count;
+    int		waiters;
+    PRCondVar *	condVar;
+};
+
+typedef struct lockedVarsStr lockedVars;
+
+void 
+lockedVars_Init( lockedVars * lv)
+{
+    lv->count   = 0;
+    lv->waiters = 0;
+    lv->lock    = PR_NewLock();
+    lv->condVar = PR_NewCondVar(lv->lock);
+}
+
+void
+lockedVars_Destroy( lockedVars * lv)
+{
+    PR_DestroyCondVar(lv->condVar);
+    lv->condVar = NULL;
+
+    PR_DestroyLock(lv->lock);
+    lv->lock = NULL;
+}
+
+void
+lockedVars_WaitForDone(lockedVars * lv)
+{
+    PR_Lock(lv->lock);
+    while (lv->count > 0) {
+    	PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
+    }
+    PR_Unlock(lv->lock);
+}
+
+int	/* returns count */
+lockedVars_AddToCount(lockedVars * lv, int addend)
+{
+    int rv;
+
+    PR_Lock(lv->lock);
+    rv = lv->count += addend;
+    if (rv <= 0) {
+	PR_NotifyCondVar(lv->condVar);
+    }
+    PR_Unlock(lv->lock);
+    return rv;
+}
+
+int
+do_writes(
+    void *       a,
+    void *       b,
+    int          c)
+{
+    PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
+    lockedVars *	lv 		= (lockedVars *)b;
+    int			sent  		= 0;
+    int 		count		= 0;
+
+    while (sent < bigBuf.len) {
+
+	count = PR_Send(ssl_sock, bigBuf.data + sent, bigBuf.len - sent, 
+	                0, maxInterval);
+	if (count < 0) {
+	    errWarn("PR_Send bigBuf");
+	    break;
+	}
+	FPRINTF(stderr, "strsclnt: PR_Send wrote %d bytes from bigBuf\n", 
+		count );
+	sent += count;
+    }
+    if (count >= 0) {	/* last write didn't fail. */
+    	PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND);
+    }
+
+    /* notify the reader that we're done. */
+    lockedVars_AddToCount(lv, -1);
+    return (sent < bigBuf.len) ? SECFailure : SECSuccess;
+}
+
+int 
+handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
+{
+    SECStatus          result;
+    int                firstTime = 1;
+    int                countRead = 0;
+    lockedVars         lv;
+    char               *buf;
+
+
+    lockedVars_Init(&lv);
+    lockedVars_AddToCount(&lv, 1);
+
+    /* Attempt to launch the writer thread. */
+    result = launch_thread(do_writes, ssl_sock, &lv, connection);
+
+    if (result != SECSuccess) 
+    	goto cleanup;
+
+    buf = PR_Malloc(RD_BUF_SIZE);
+
+    if (buf) {
+	do {
+	    /* do reads here. */
+	    PRInt32 count;
+
+	    count = PR_Recv(ssl_sock, buf, RD_BUF_SIZE, 0, maxInterval);
+	    if (count < 0) {
+		errWarn("PR_Recv");
+		break;
+	    }
+	    countRead += count;
+	    FPRINTF(stderr, 
+		    "strsclnt: connection %d read %d bytes (%d total).\n", 
+		    connection, count, countRead );
+	    if (firstTime) {
+		firstTime = 0;
+		printSecurityInfo(ssl_sock);
+	    }
+	} while (lockedVars_AddToCount(&lv, 0) > 0);
+	PR_Free(buf);
+	buf = 0;
+    }
+
+    /* Wait for writer to finish */
+    lockedVars_WaitForDone(&lv);
+    lockedVars_Destroy(&lv);
+
+    FPRINTF(stderr, 
+    "strsclnt: connection %d read %d bytes total. -----------------------\n", 
+    	    connection, countRead);
+
+cleanup:
+    /* Caller closes the socket. */
+
+    return SECSuccess;
+}
+
+const char request[] = {"GET /abc HTTP/1.0\r\n\r\n" };
+
+SECStatus
+handle_connection( PRFileDesc *ssl_sock, int tid)
+{
+    int	    countRead = 0;
+    PRInt32 rv;
+    char    *buf;
+
+    buf = PR_Malloc(RD_BUF_SIZE);
+    if (!buf)
+	return SECFailure;
+
+    /* compose the http request here. */
+
+    rv = PR_Send(ssl_sock, request, strlen(request), 0, maxInterval);
+    if (rv <= 0) {
+	errWarn("PR_Send");
+	PR_Free(buf);
+	buf = 0;
+        failed_already = 1;
+	return SECFailure;
+    }
+    printSecurityInfo(ssl_sock);
+
+    /* read until EOF */
+    while (1) {
+	rv = PR_Recv(ssl_sock, buf, RD_BUF_SIZE, 0, maxInterval);
+	if (rv == 0) {
+	    break;	/* EOF */
+	}
+	if (rv < 0) {
+	    errWarn("PR_Recv");
+	    failed_already = 1;
+	    break;
+	}
+
+	countRead += rv;
+	FPRINTF(stderr,
+                "strsclnt: connection on thread %d read %d bytes (%d total).\n",
+		tid, rv, countRead );
+    }
+    PR_Free(buf);
+    buf = 0;
+
+    /* Caller closes the socket. */
+
+    FPRINTF(stderr, 
+    "strsclnt: connection on thread %d read %d bytes total. ---------\n", 
+    	    tid, countRead);
+
+    return SECSuccess;	/* success */
+}
+
+#define USE_SOCK_PEER_ID 1
+
+#ifdef USE_SOCK_PEER_ID
+
+PRInt32 lastFullHandshakePeerID;
+
+void
+myHandshakeCallback(PRFileDesc *socket, void *arg) 
+{
+    PR_AtomicSet(&lastFullHandshakePeerID, (PRInt32) arg);
+}
+
+#endif
+
+/* one copy of this function is launched in a separate thread for each
+** connection to be made.
+*/
+int
+do_connects(
+    void *	a,
+    void *	b,
+    int         tid)
+{
+    PRNetAddr  *        addr		= (PRNetAddr *)  a;
+    PRFileDesc *        model_sock	= (PRFileDesc *) b;
+    PRFileDesc *        ssl_sock	= 0;
+    PRFileDesc *        tcp_sock	= 0;
+    PRStatus	        prStatus;
+    PRUint32            sleepInterval	= 50; /* milliseconds */
+    SECStatus   	result;
+    int                 rv 		= SECSuccess;
+    PRSocketOptionData  opt;
+
+retry:
+
+    tcp_sock = PR_OpenTCPSocket(addr->raw.family);
+    if (tcp_sock == NULL) {
+	errExit("PR_OpenTCPSocket");
+    }
+
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    prStatus = PR_SetSocketOption(tcp_sock, &opt);
+    if (prStatus != PR_SUCCESS) {
+	errWarn("PR_SetSocketOption(PR_SockOpt_Nonblocking, PR_FALSE)");
+    	PR_Close(tcp_sock);
+	return SECSuccess;
+    } 
+
+    if (NoDelay) {
+	opt.option         = PR_SockOpt_NoDelay;
+	opt.value.no_delay = PR_TRUE;
+	prStatus = PR_SetSocketOption(tcp_sock, &opt);
+	if (prStatus != PR_SUCCESS) {
+	    errWarn("PR_SetSocketOption(PR_SockOpt_NoDelay, PR_TRUE)");
+	    PR_Close(tcp_sock);
+	    return SECSuccess;
+	} 
+    }
+
+    prStatus = PR_Connect(tcp_sock, addr, PR_INTERVAL_NO_TIMEOUT);
+    if (prStatus != PR_SUCCESS) {
+        PRErrorCode err = PR_GetError(); /* save error code */
+        if (ThrottleUp) {
+            PRTime now = PR_Now();
+            PR_Lock(threadLock);
+            lastConnectFailure = PR_MAX(now, lastConnectFailure);
+            PR_Unlock(threadLock);
+        }
+        if ((err == PR_CONNECT_REFUSED_ERROR) || 
+	    (err == PR_CONNECT_RESET_ERROR)      ) {
+	    int connections = numConnected;
+
+	    PR_Close(tcp_sock);
+            PR_Lock(threadLock);
+            if (connections > 2 && active_threads >= connections) {
+                active_threads = connections - 1;
+                fprintf(stderr,"active_threads set down to %d\n",
+                        active_threads);
+            }
+            PR_Unlock(threadLock);
+
+            if (QuitOnTimeout && sleepInterval > 40000) {
+                fprintf(stderr,
+	            "strsclnt: Client timed out waiting for connection to server.\n");
+                exit(1);
+            }
+	    PR_Sleep(PR_MillisecondsToInterval(sleepInterval));
+	    sleepInterval <<= 1;
+	    goto retry;
+	}
+	errWarn("PR_Connect");
+	rv = SECFailure;
+	goto done;
+    } else {
+        if (ThrottleUp) {
+            PRTime now = PR_Now();
+            PR_Lock(threadLock);
+            lastConnectSuccess = PR_MAX(now, lastConnectSuccess);
+            PR_Unlock(threadLock);
+        }
+    }
+
+    ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
+    /* XXX if this import fails, close tcp_sock and return. */
+    if (!ssl_sock) {
+    	PR_Close(tcp_sock);
+	return SECSuccess;
+    }
+    if (fullhs != NO_FULLHS_PERCENTAGE) {
+#ifdef USE_SOCK_PEER_ID
+        char sockPeerIDString[512];
+        static PRInt32 sockPeerID = 0; /* atomically incremented */
+        PRInt32 thisPeerID;
+#endif
+        PRInt32 savid = PR_AtomicIncrement(&globalconid);
+        PRInt32 conid = 1 + (savid - 1) % 100;
+        /* don't change peer ID on the very first handshake, which is always
+           a full, so the session gets stored into the client cache */
+        if ( (savid != 1) &&
+            ( ( (savid <= total_connections_rounded_down_to_hundreds) &&
+                (conid <= fullhs) ) ||
+              (conid*100 <= total_connections_modulo_100*fullhs ) ) ) 
+#ifdef USE_SOCK_PEER_ID
+        {
+            /* force a full handshake by changing the socket peer ID */
+            thisPeerID = PR_AtomicIncrement(&sockPeerID);
+        } else {
+            /* reuse previous sockPeerID for restart handhsake */
+            thisPeerID = lastFullHandshakePeerID;
+        }
+        PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d",
+                    thisPeerID);
+        SSL_SetSockPeerID(ssl_sock, sockPeerIDString);
+        SSL_HandshakeCallback(ssl_sock, myHandshakeCallback, (void*)thisPeerID);
+#else
+            /* force a full handshake by setting the no cache option */
+            SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1);
+#endif
+    }
+    rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0);
+    if (rv != SECSuccess) {
+	errWarn("SSL_ResetHandshake");
+	goto done;
+    }
+
+    PR_AtomicIncrement(&numConnected);
+
+    if (bigBuf.data != NULL) {
+	result = handle_fdx_connection( ssl_sock, tid);
+    } else {
+	result = handle_connection( ssl_sock, tid);
+    }
+
+    PR_AtomicDecrement(&numConnected);
+
+done:
+    if (ssl_sock) {
+	PR_Close(ssl_sock);
+    } else if (tcp_sock) {
+	PR_Close(tcp_sock);
+    }
+    return SECSuccess;
+}
+
+
+typedef struct {
+    PRLock* lock;
+    char* nickname;
+    CERTCertificate* cert;
+    SECKEYPrivateKey* key;
+    void* wincx;
+} cert_and_key;
+
+PRBool FindCertAndKey(cert_and_key* Cert_And_Key)
+{
+    if ( (NULL == Cert_And_Key->nickname) || (0 == strcmp(Cert_And_Key->nickname,"none"))) {
+        return PR_TRUE;
+    }
+    Cert_And_Key->cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+                            Cert_And_Key->nickname, certUsageSSLClient,
+                            PR_FALSE, Cert_And_Key->wincx);
+    if (Cert_And_Key->cert) {
+        Cert_And_Key->key = PK11_FindKeyByAnyCert(Cert_And_Key->cert, Cert_And_Key->wincx);
+    }
+    if (Cert_And_Key->cert && Cert_And_Key->key) {
+        return PR_TRUE;
+    } else {
+        return PR_FALSE;
+    }
+}
+
+PRBool LoggedIn(CERTCertificate* cert, SECKEYPrivateKey* key)
+{
+    if ( (cert->slot) && (key->pkcs11Slot) &&
+         (PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) &&
+         (PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL)) ) {
+        return PR_TRUE;
+    }
+ 
+    return PR_FALSE;
+}
+
+SECStatus 
+StressClient_GetClientAuthData(void * arg,
+                      PRFileDesc * socket,
+		      struct CERTDistNamesStr * caNames,
+		      struct CERTCertificateStr ** pRetCert,
+		      struct SECKEYPrivateKeyStr **pRetKey)
+{
+    cert_and_key* Cert_And_Key = (cert_and_key*) arg;
+
+    if (!pRetCert || !pRetKey) {
+        /* bad pointers, can't return a cert or key */
+        return SECFailure;
+    }
+
+    *pRetCert = NULL;
+    *pRetKey = NULL;
+
+    if (Cert_And_Key && Cert_And_Key->nickname) {
+        while (PR_TRUE) {
+            if (Cert_And_Key && Cert_And_Key->lock) {
+                int timeout = 0;
+                PR_Lock(Cert_And_Key->lock);
+
+                if (Cert_And_Key->cert) {
+                    *pRetCert = CERT_DupCertificate(Cert_And_Key->cert);
+                }
+
+                if (Cert_And_Key->key) {
+                    *pRetKey = SECKEY_CopyPrivateKey(Cert_And_Key->key);
+                }
+                PR_Unlock(Cert_And_Key->lock);
+                if (!*pRetCert || !*pRetKey) {
+                    /* one or both of them failed to copy. Either the source was NULL, or there was
+                    ** an out of memory condition. Free any allocated copy and fail */
+                    if (*pRetCert) {
+                        CERT_DestroyCertificate(*pRetCert);
+                        *pRetCert = NULL;
+                    }
+                    if (*pRetKey) {
+                        SECKEY_DestroyPrivateKey(*pRetKey);
+                        *pRetKey = NULL;
+                    }
+                    break;
+                }
+                /* now check if those objects are valid */
+                if ( PR_FALSE == LoggedIn(*pRetCert, *pRetKey) ) {
+                    /* token is no longer logged in, it was removed */
+
+                    /* first, delete and clear our invalid local objects */
+                    CERT_DestroyCertificate(*pRetCert);
+                    SECKEY_DestroyPrivateKey(*pRetKey);
+                    *pRetCert = NULL;
+                    *pRetKey = NULL;
+
+                    PR_Lock(Cert_And_Key->lock);
+                    /* check if another thread already logged back in */
+                    if (PR_TRUE == LoggedIn(Cert_And_Key->cert, Cert_And_Key->key)) {
+                        /* yes : try again */
+                        PR_Unlock(Cert_And_Key->lock);
+                        continue;
+                    }
+                    /* this is the thread to retry */
+                    CERT_DestroyCertificate(Cert_And_Key->cert);
+                    SECKEY_DestroyPrivateKey(Cert_And_Key->key);
+                    Cert_And_Key->cert = NULL;
+                    Cert_And_Key->key = NULL;
+
+
+                    /* now look up the cert and key again */
+                    while (PR_FALSE == FindCertAndKey(Cert_And_Key) ) {
+                        PR_Sleep(PR_SecondsToInterval(1));
+                        timeout++;
+                        if (timeout>=60) {
+                            printf("\nToken pulled and not reinserted early enough : aborting.\n");
+                            exit(1);
+                        }
+                    }
+                    PR_Unlock(Cert_And_Key->lock);
+                    continue;
+                    /* try again to reduce code size */
+                }
+                return SECSuccess;
+            }
+        }
+        *pRetCert = NULL;
+        *pRetKey = NULL;
+        return SECFailure;
+    } else {
+        /* no cert configured, automatically find the right cert. */
+        CERTCertificate *  cert = NULL;
+        SECKEYPrivateKey * privkey = NULL;
+        CERTCertNicknames * names;
+        int                 i;
+        void *             proto_win = NULL;
+        SECStatus          rv         = SECFailure;
+
+        if (Cert_And_Key) {
+            proto_win = Cert_And_Key->wincx;
+        }
+
+        names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
+                                      SEC_CERT_NICKNAMES_USER, proto_win);
+        if (names != NULL) {
+            for (i = 0; i < names->numnicknames; i++) {
+                cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+                            names->nicknames[i], certUsageSSLClient,
+                            PR_FALSE, proto_win);	
+                if ( !cert )
+                    continue;
+                /* Only check unexpired certs */
+                if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != 
+                                             secCertTimeValid ) {
+                    CERT_DestroyCertificate(cert);
+                    continue;
+                }
+                rv = NSS_CmpCertChainWCANames(cert, caNames);
+                if ( rv == SECSuccess ) {
+                    privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+                    if ( privkey )
+                        break;
+                }
+                rv = SECFailure;
+                CERT_DestroyCertificate(cert);
+            }
+            CERT_FreeNicknames(names);
+        }
+        if (rv == SECSuccess) {
+            *pRetCert = cert;
+            *pRetKey  = privkey;
+        }
+        return rv;
+    }
+}
+
+int 
+hexchar_to_int(int c) 
+{
+    if (((c) >= '0') && ((c) <= '9'))
+	return (c) - '0'; 
+    if (((c) >= 'a') && ((c) <= 'f'))
+	return (c) - 'a' + 10;
+    if (((c) >= 'A') && ((c) <= 'F'))
+	return (c) - 'A' + 10; 
+    failed_already = 1;
+    return -1;
+}
+
+void
+client_main(
+    unsigned short      port, 
+    int                 connections,
+    cert_and_key* Cert_And_Key,
+    const char *	hostName)
+{
+    PRFileDesc *model_sock	= NULL;
+    int         i;
+    int         rv;
+    PRStatus    status;
+    PRNetAddr   addr;
+
+    status = PR_StringToNetAddr(hostName, &addr);
+    if (status == PR_SUCCESS) {
+    	addr.inet.port = PR_htons(port);
+    } else {
+	/* Lookup host */
+	PRAddrInfo *addrInfo;
+	void       *enumPtr   = NULL;
+
+	addrInfo = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, 
+	                                PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
+	if (!addrInfo) {
+	    SECU_PrintError(progName, "error looking up host");
+	    return;
+	}
+	do {
+	    enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, port, &addr);
+	} while (enumPtr != NULL &&
+		 addr.raw.family != PR_AF_INET &&
+		 addr.raw.family != PR_AF_INET6);
+	PR_FreeAddrInfo(addrInfo);
+	if (enumPtr == NULL) {
+	    SECU_PrintError(progName, "error looking up host address");
+	    return;
+	}
+    }
+
+    /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
+    NSS_SetDomesticPolicy();
+
+    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    if (cipherString) {
+        int ndx;
+
+        /* disable all the ciphers, then enable the ones we want. */
+        disableAllSSLCiphers();
+
+        while (0 != (ndx = *cipherString)) {
+	    const char * startCipher = cipherString++;
+            int  cipher = 0;
+	    SECStatus rv;
+
+	    if (ndx == ':') {
+		cipher  = hexchar_to_int(*cipherString++);
+		cipher <<= 4;
+		cipher |= hexchar_to_int(*cipherString++);
+		cipher <<= 4;
+		cipher |= hexchar_to_int(*cipherString++);
+		cipher <<= 4;
+		cipher |= hexchar_to_int(*cipherString++);
+		if (cipher <= 0) {
+		    fprintf(stderr, "strsclnt: Invalid cipher value: %-5.5s\n",
+		                    startCipher);
+		    failed_already = 1;
+		    return;
+		}
+	    } else {
+		if (isalpha(ndx)) {
+		    const int *cptr;
+
+		    cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+		    for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
+			/* do nothing */;
+		}
+	    	if (cipher <= 0) {
+		    fprintf(stderr, "strsclnt: Invalid cipher letter: %c\n", 
+		                    *startCipher);
+		    failed_already = 1;
+		    return;
+		}
+	    }
+	    rv = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
+	    if (rv != SECSuccess) {
+		fprintf(stderr, 
+			"strsclnt: SSL_CipherPrefSetDefault(0x%04x) failed\n",
+			cipher);
+		failed_already = 1;
+		return;
+	    }
+        }
+    }
+
+    /* configure model SSL socket. */
+
+    model_sock = PR_OpenTCPSocket(addr.raw.family);
+    if (model_sock == NULL) {
+	errExit("PR_OpenTCPSocket for model socket");
+    }
+
+    model_sock = SSL_ImportFD(NULL, model_sock);
+    if (model_sock == NULL) {
+	errExit("SSL_ImportFD");
+    }
+
+    /* do SSL configuration. */
+
+    rv = SSL_OptionSet(model_sock, SSL_SECURITY,
+        !(disableSSL2 && disableSSL3 && disableTLS));
+    if (rv < 0) {
+	errExit("SSL_OptionSet SSL_SECURITY");
+    }
+
+    /* disabling SSL2 compatible hellos also disables SSL2 */
+    rv = SSL_OptionSet(model_sock, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
+    if (rv != SECSuccess) {
+	errExit("error enabling SSLv2 compatible hellos ");
+    }
+
+    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
+    if (rv != SECSuccess) {
+	errExit("error enabling SSLv3 ");
+    }
+
+    rv = SSL_OptionSet(model_sock, SSL_ENABLE_TLS, !disableTLS);
+    if (rv != SECSuccess) {
+	errExit("error enabling TLS ");
+    }
+
+    if (bigBuf.data) { /* doing FDX */
+	rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_ENABLE_FDX");
+	}
+    }
+
+    if (NoReuse) {
+	rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_NO_CACHE");
+	}
+    }
+
+    if (bypassPKCS11) {
+	rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
+	}
+    }
+
+    if (disableLocking) {
+        rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
+	if (rv < 0) {
+	    errExit("SSL_OptionSet SSL_NO_LOCKS");
+	}
+    }
+
+    if (enableSessionTickets) {
+	rv = SSL_OptionSet(model_sock, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+	if (rv != SECSuccess)
+	    errExit("SSL_OptionSet SSL_ENABLE_SESSION_TICKETS");
+    }
+
+    SSL_SetURL(model_sock, hostName);
+
+    SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
+			(void *)CERT_GetDefaultCertDB());
+    SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
+
+    SSL_GetClientAuthDataHook(model_sock, StressClient_GetClientAuthData, (void*)Cert_And_Key);
+
+    /* I'm not going to set the HandshakeCallback function. */
+
+    /* end of ssl configuration. */
+
+    init_thread_data();
+
+    remaining_connections = total_connections = connections;
+    total_connections_modulo_100 = total_connections % 100;
+    total_connections_rounded_down_to_hundreds =
+        total_connections - total_connections_modulo_100;
+
+    if (!NoReuse) {
+        remaining_connections = 1;
+	rv = launch_thread(do_connects, &addr, model_sock, 0);
+	/* wait for the first connection to terminate, then launch the rest. */
+	reap_threads();
+        remaining_connections = total_connections - 1 ;
+    }
+    if (remaining_connections > 0) {
+        active_threads  = PR_MIN(active_threads, remaining_connections);
+	/* Start up the threads */
+	for (i=0;i<active_threads;i++) {
+	    rv = launch_thread(do_connects, &addr, model_sock, i);
+	}
+	reap_threads();
+    }
+    destroy_thread_data();
+
+    PR_Close(model_sock);
+}
+
+SECStatus
+readBigFile(const char * fileName)
+{
+    PRFileInfo  info;
+    PRStatus	status;
+    SECStatus	rv	= SECFailure;
+    int		count;
+    int		hdrLen;
+    PRFileDesc *local_file_fd = NULL;
+
+    status = PR_GetFileInfo(fileName, &info);
+
+    if (status == PR_SUCCESS &&
+	info.type == PR_FILE_FILE &&
+	info.size > 0 &&
+	NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
+
+	hdrLen      = PORT_Strlen(outHeader);
+	bigBuf.len  = hdrLen + info.size;
+	bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
+	if (!bigBuf.data) {
+	    errWarn("PORT_Malloc");
+	    goto done;
+	}
+
+	PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
+
+	count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
+	if (count != info.size) {
+	    errWarn("PR_Read local file");
+	    goto done;
+	}
+	rv = SECSuccess;
+done:
+	PR_Close(local_file_fd);
+    }
+    return rv;
+}
+
+int
+main(int argc, char **argv)
+{
+    const char *         dir         = ".";
+    const char *         fileName    = NULL;
+    char *               hostName    = NULL;
+    char *               nickName    = NULL;
+    char *               tmp         = NULL;
+    int                  connections = 1;
+    int                  exitVal;
+    int                  tmpInt;
+    unsigned short       port        = 443;
+    SECStatus            rv;
+    PLOptState *         optstate;
+    PLOptStatus          status;
+    cert_and_key Cert_And_Key;
+    secuPWData  pwdata          = { PW_NONE, 0 };
+
+    /* Call the NSPR initialization routines */
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    tmp      = strrchr(argv[0], '/');
+    tmp      = tmp ? tmp + 1 : argv[0];
+    progName = strrchr(tmp, '\\');
+    progName = progName ? progName + 1 : tmp;
+ 
+
+    optstate = PL_CreateOptState(argc, argv, "23BC:DNP:TUW:c:d:f:in:op:qst:uvw:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch(optstate->option) {
+
+	case '2': disableSSL2 = PR_TRUE; break;
+
+	case '3': disableSSL3 = PR_TRUE; break;
+
+	case 'B': bypassPKCS11 = PR_TRUE; break;
+
+	case 'C': cipherString = optstate->value; break;
+
+	case 'D': NoDelay = PR_TRUE; break;
+
+	case 'N': NoReuse = 1; break;
+        
+	case 'P': fullhs = PORT_Atoi(optstate->value); break;
+
+	case 'T': disableTLS = PR_TRUE; break;
+            
+	case 'U': ThrottleUp = PR_TRUE; break;
+
+	case 'c': connections = PORT_Atoi(optstate->value); break;
+
+	case 'd': dir = optstate->value; break;
+
+	case 'f': fileName = optstate->value; break;
+
+	case 'i': ignoreErrors = PR_TRUE; break;
+
+        case 'n': nickName = PL_strdup(optstate->value); break;
+
+	case 'o': MakeCertOK++; break;
+
+	case 'p': port = PORT_Atoi(optstate->value); break;
+
+	case 'q': QuitOnTimeout = PR_TRUE; break;
+
+	case 's': disableLocking = PR_TRUE; break;
+
+	case 't':
+	    tmpInt = PORT_Atoi(optstate->value);
+	    if (tmpInt > 0 && tmpInt < MAX_THREADS) 
+	        max_threads = active_threads = tmpInt;
+	    break;
+
+	case 'u': enableSessionTickets = PR_TRUE; break;
+
+	case 'v': verbose++; break;
+
+        case 'w':
+            pwdata.source = PW_PLAINTEXT;
+            pwdata.data = PL_strdup(optstate->value);
+            break;
+
+        case 'W':
+            pwdata.source = PW_FROMFILE;
+            pwdata.data = PL_strdup(optstate->value);
+            break;
+
+	case 0:   /* positional parameter */
+	    if (hostName) {
+		Usage(progName);
+	    }
+	    hostName = PL_strdup(optstate->value);
+	    break;
+
+	default:
+	case '?':
+	    Usage(progName);
+	    break;
+
+	}
+    }
+    PL_DestroyOptState(optstate);
+
+    if (!hostName || status == PL_OPT_BAD)
+    	Usage(progName);
+
+    if (fullhs!= NO_FULLHS_PERCENTAGE && (fullhs < 0 || fullhs>100 || NoReuse) )
+        Usage(progName);
+
+    if (port == 0)
+	Usage(progName);
+
+    if (fileName)
+    	readBigFile(fileName);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    if (tmp && tmp[0]) {
+        int sec = PORT_Atoi(tmp);
+	if (sec > 0) {
+	    maxInterval = PR_SecondsToInterval(sec);
+    	}
+    }
+
+    /* Call the NSS initialization routines */
+    rv = NSS_Initialize(dir, "", "", SECMOD_DB, NSS_INIT_READONLY);
+    if (rv != SECSuccess) {
+    	fputs("NSS_Init failed.\n", stderr);
+	exit(1);
+    }
+    ssl3stats = SSL_GetStatistics();
+    Cert_And_Key.lock = PR_NewLock();
+    Cert_And_Key.nickname = nickName;
+    Cert_And_Key.wincx = &pwdata;
+    Cert_And_Key.cert = NULL;
+    Cert_And_Key.key = NULL;
+
+    if (PR_FALSE == FindCertAndKey(&Cert_And_Key)) {
+
+	if (Cert_And_Key.cert == NULL) {
+	    fprintf(stderr, "strsclnt: Can't find certificate %s\n", Cert_And_Key.nickname);
+	    exit(1);
+	}
+
+	if (Cert_And_Key.key == NULL) {
+	    fprintf(stderr, "strsclnt: Can't find Private Key for cert %s\n", 
+		    Cert_And_Key.nickname);
+	    exit(1);
+	}
+
+    }
+
+    client_main(port, connections, &Cert_And_Key, hostName);
+
+    /* clean up */
+    if (Cert_And_Key.cert) {
+	CERT_DestroyCertificate(Cert_And_Key.cert);
+    }
+    if (Cert_And_Key.key) {
+	SECKEY_DestroyPrivateKey(Cert_And_Key.key);
+    }
+
+    PR_DestroyLock(Cert_And_Key.lock);
+
+    if (pwdata.data) {
+        PL_strfree(pwdata.data);
+    }
+    if (Cert_And_Key.nickname) {
+        PL_strfree(Cert_And_Key.nickname);
+    }
+
+    PL_strfree(hostName);
+
+    /* some final stats. */
+    if (ssl3stats->hsh_sid_cache_hits +
+	ssl3stats->hsh_sid_cache_misses +
+	ssl3stats->hsh_sid_cache_not_ok +
+	ssl3stats->hsh_sid_stateless_resumes == 0) {
+	/* presumably we were testing SSL2. */
+	printf("strsclnt: SSL2 - %d server certificates tested.\n",
+               certsTested);
+    } else {
+	printf(
+	"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
+	"          %ld stateless resumes\n",
+	    ssl3stats->hsh_sid_cache_hits, 
+	    ssl3stats->hsh_sid_cache_misses,
+	    ssl3stats->hsh_sid_cache_not_ok,
+	    ssl3stats->hsh_sid_stateless_resumes);
+    }
+
+    if (!NoReuse) {
+	if (enableSessionTickets)
+	    exitVal = (ssl3stats->hsh_sid_stateless_resumes == 0);
+	else
+	    exitVal = (ssl3stats->hsh_sid_cache_misses > 1) ||
+		      (ssl3stats->hsh_sid_stateless_resumes != 0);
+	if (!exitVal)
+	    exitVal = (ssl3stats->hsh_sid_cache_not_ok != 0) ||
+		      (certsTested > 1);
+    } else {
+	printf("strsclnt: NoReuse - %d server certificates tested.\n",
+               certsTested);
+        if (ssl3stats->hsh_sid_cache_hits +
+            ssl3stats->hsh_sid_cache_misses +
+            ssl3stats->hsh_sid_cache_not_ok +
+            ssl3stats->hsh_sid_stateless_resumes > 0) {
+            exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
+                (ssl3stats->hsh_sid_stateless_resumes != 0) ||
+                (certsTested != connections);
+        } else {                /* ssl2 connections */
+            exitVal = (certsTested != connections);
+        }
+    }
+
+    exitVal = ( exitVal || failed_already );
+    SSL_ClearSessionCache();
+    if (NSS_Shutdown() != SECSuccess) {
+        printf("strsclnt: NSS_Shutdown() failed.\n");
+        exit(1);
+    }
+
+    PR_Cleanup();
+    return exitVal;
+}
+
diff --git a/security/nss/cmd/symkeyutil/Makefile b/security/nss/cmd/symkeyutil/Makefile
new file mode 100644
index 000000000..fe7991878
--- /dev/null
+++ b/security/nss/cmd/symkeyutil/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+ 
diff --git a/security/nss/cmd/symkeyutil/manifest.mn b/security/nss/cmd/symkeyutil/manifest.mn
new file mode 100644
index 000000000..3755edcdd
--- /dev/null
+++ b/security/nss/cmd/symkeyutil/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+CSRCS = symkeyutil.c 
+#CSRCS = symkeytest.c 
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = symkeyutil
+#PROGRAM = symkeytest
+
+#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/symkeyutil/symkey.man b/security/nss/cmd/symkeyutil/symkey.man
new file mode 100644
index 000000000..4cf7b19f6
--- /dev/null
+++ b/security/nss/cmd/symkeyutil/symkey.man
@@ -0,0 +1,182 @@
+
+NAME
+    symkeyutil - manage fixed keys in the database
+
+SYNOPSIS
+    symkeyutil -H
+    symkeyutil -L [std_opts] [-r]
+    symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]
+    symkeyutil -D <[-n name | -i id | -j id_file> [std_opts]
+    symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]
+    symkeyutil -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]
+    symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]
+    symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]
+    symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts]
+      std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]
+      wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>
+
+DESCRIPTION
+
+    NSS can store fixed keys as well as asymetric keys in the database. The
+    symkeyutil command can be used to manage these keys. 
+
+    As with certutil, symkeyutil takes two types of arguments, commands and
+    options. Most commands fall into one of two catagories: commands which
+    create keys and commands which extract or destroy keys. 
+
+    Exceptions to these catagories are listed first:
+
+    -H    takes no additional options. It lists a more detailed help message.
+    -L    takes the standard set of options. It lists all the keys in a the 
+          specified token (NSS Internal DB Token is the default).  Only the 
+          -L option accepts the all option for tokens to list all the fixed 
+          keys.
+
+    Key Creation commands:
+    For these commands, the key type (-t) option is always required. 
+    In addition, the -s option may be required for certain key types.
+    The standard set of options may be specified.
+
+    -K   Create a new key using the token key gen function.
+    -I   Import a new key from the raw data specified in the data file,
+         specified with the -k options (required). This command may fail on 
+         some tokens that don't support direct import of key material. 
+    -U   Unwrap a new key from an encrypted data file specified with the -k
+         option. The -w, -x, or -y option specifies the unwrapping key.
+         The unwrapping algorithm is selected based on the type of the 
+         unwrapping key.
+
+    Key extraction/destruction options:
+    For these keys, one and only of of the -n, -i, or -j options must be 
+    specified. If more than one key matches the -n option, the 'first' key
+    matching will be used.  The standard set of options may be specified.
+
+    -D   Delete the key specified by the -n, -i, or -j options.
+    -E   Export the key specified by the -n, -i, or -j options and store the
+         contents to a file specified by the -k file (required). 
+         This command will seldom work on any token since most keys are 
+         protected from export.
+    -W   Wrap the key specified by the -n, -i, or -j options and store the
+         encrypted contents to a file specified by the -k file (required). 
+         The -w, -x, or -y option specifies the key used to wrap the 
+         target key. 
+    -M   Move the key specified by the -n, -i, or -j options to the token
+         specified by the -g option (required). The new key will have the
+         same attributes as the source key.
+
+OPTIONS
+
+    Standard options are those options that may be used by any command, and
+    whose meaning is the same for all commands.
+
+    -h token         Specify the token which the command will operate on. 
+                     If -h is not specified the internal token is presumed. In
+                     addition the special value 'all' may be used to specify 
+                     that all tokens should be used. This is only valid for 
+                     the '-L' command.
+    -d certdir       Specify the location of the NSS databases. The default
+                     value is platform dependent.
+    -P dbprefix      Specify the prefix for the NSS database. The default value
+                     is NULL.
+    -p password      Specify the password for the token. On the command line. 
+                     The -p and -f options are mutually exclusive. If 
+                     neither option is specified, the password would be 
+                     prompted from the user.
+    -f passwordFile  Specify a file that contains the password for the token.
+                     This option is mutually exclusive to the -p option.
+
+    In addition to the standard options are the following command specific 
+    options are.
+
+    -r               Opens the NSS databases Read/Write. By default the -L,
+                     -E, and -W commands open the database read only. Other
+                     commands automatically opens the databases Read/Write and
+                     igore this option if it is specified.
+
+    -n name          Specifies the nickname for the key.
+
+                     For the -K, -I, or -U options, name is the name for 
+                     the new key.  If -n is not specified, no name is 
+                     assumed. There is not check for duplicate names.
+
+                     For the -D, -E, -W, or -M, the name specifies the key to
+                     operate on. In this case one andy only one of the -n, -i
+                     or -j options should be specifed. It is possible that
+                     the -n options specifies and ambiguous key. In that case
+                     the 'first' valid key is used.
+
+                     For the -M option, the nickname for the new key is copied
+                     from it's original key, even if the original key is
+                     specified using -i or -j.
+
+    -i key id
+    -j key id file   These options are equivalent and mutually exclusive. 
+                     They specify the key id for the file. The -i option
+                     specifies the key id on the command line using a hex 
+                     string. The -j specifies a file to read the raw key
+                     id from.
+
+                     For the -K, -I, or -U options, key id is the key id for 
+                     the new key.  If -i or -j is not specified, no key id 
+                     is assumed.  Some tokens may generate their own unique 
+                     id for the key in this case (but it is not guarrenteed).
+
+                     For the -D, -E, -W, or -M, the key id specifies the key to
+                     operate on. In this case one andy only one of the -n, -i
+                     or -j options should be specifed. 
+
+   -t type           Specifies the key Type for the new key. This option is
+                     required for the -K, -I, and -U commands. Valid values
+                     are:
+			generic, rc2, rc4, des, des2, des3, cast, cast3,
+                        cast5, cast128, rc5, idea, skipjack, baton, juniper,
+                        cdmf, aes, camellia
+
+                     Not all tokens support all key types. The generic key
+                     type is usually used in MACing and key derivation 
+                     algorithms. Neither generic nor rc4 keys may be used
+                     to wrap other keys. Fixed rc4 keys are dangerous since
+                     multiple use of the same stream cipher key to encrypted
+                     different data can compromise all data encrypted with
+                     that key.
+
+   -s size           Specifies the key size. For most situations the key size
+                     is already known and need not be specified. For some 
+                     algorithms, however, it is necessary to specify the key
+                     size when generation or unwrapping the key.
+
+   -k key file       Specifies the name of a file that contains key data to
+                     import or unwrap (-I or -U), or the location to store
+                     key data or encrypted key data (-E or -W).
+
+   -g target token   Specifies the target token when moving a key (-M). This
+                     option is required for the -M command. It is invalid for
+                     all other commands.
+
+
+
+   -w wrap name
+   -x wrap key id
+   -y wrap key id file Specifies the wrapping key used int the -U and -W
+                      command. Exactly one of these must be specified for the
+                      -U or -W commands. Same semantics as the -n, -i, and -j
+                      options above.
+
+BUGS
+
+   There is no way display the key id of a key.
+
+   The -p and -f options only specifies one password. Multiple passwords may
+   be needed for the -L -h all command and the -M command.
+
+   Perhaps RC4 should not be supported as a key type. Use of these keys as
+   fixed keys is exceedingly dangerous.
+
+   The handling of multiple keys with the same nickname should be more 
+   deterministic than 'the first one'
+
+   There is no way to specify, or display the operation flags of a key. The
+   operation flags are not copied with the -M option as they should be.
+
+   There is no way to change the attributes of a key (nickname, id, operation
+   flags).
diff --git a/security/nss/cmd/symkeyutil/symkeyutil.c b/security/nss/cmd/symkeyutil/symkeyutil.c
new file mode 100644
index 000000000..1c1aff6f3
--- /dev/null
+++ b/security/nss/cmd/symkeyutil/symkeyutil.c
@@ -0,0 +1,1130 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** symkeyutil.c
+**
+** utility for managing symetric keys in the database or the token
+**
+*/
+
+/*
+ * Wish List for this utility:
+ *  1) Display and Set the CKA_ operation flags for the key.
+ *  2) Modify existing keys
+ *  3) Copy keys
+ *  4) Read CKA_ID and display for keys.
+ *  5) Option to store CKA_ID in a file on key creation.
+ *  6) Encrypt, Decrypt, Hash, and Mac with generated keys.
+ *  7) Use asymetric keys to wrap and unwrap keys.
+ *  8) Derive.
+ *  9) PBE keys.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "secutil.h"
+
+#include "nspr.h"
+
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "nss.h"
+
+typedef struct _KeyTypes {
+    CK_KEY_TYPE	keyType;
+    CK_MECHANISM_TYPE mechType;
+    CK_MECHANISM_TYPE wrapMech;
+    char *label;
+} KeyTypes;
+
+static KeyTypes keyArray[] = {
+#ifdef RECOGNIZE_ASYMETRIC_TYPES
+    { CKK_RSA, CKM_RSA_PKCS, CKM_RSA_PKCS, "rsa" },
+    { CKK_DSA, CKM_DSA, CKM_INVALID_MECHANISM, "dsa" },
+    { CKK_DH, CKM_DH_PKCS_DERIVE, CKM_INVALID_MECHANISM, "dh" },
+    { CKK_EC, CKM_ECDSA, CKM_INVALID_MECHANISM, "ec" },
+    { CKK_X9_42_DH, CKM_X9_42_DH_DERIVE, CKM_INVALID_MECHANISM, "x9.42dh" },
+    { CKK_KEA, CKM_KEA_KEY_DERIVE, CKM_INVALID_MECHANISM, "kea" },
+#endif
+    { CKK_GENERIC_SECRET, CKM_SHA_1_HMAC, CKM_INVALID_MECHANISM, "generic" },
+    { CKK_RC2, CKM_RC2_CBC, CKM_RC2_ECB,"rc2" },
+    /* don't define a wrap mech for RC-4 since it's note really safe */
+    { CKK_RC4, CKM_RC4, CKM_INVALID_MECHANISM, "rc4" }, 
+    { CKK_DES, CKM_DES_CBC, CKM_DES_ECB,"des" },
+    { CKK_DES2, CKM_DES2_KEY_GEN, CKM_DES3_ECB, "des2" },
+    { CKK_DES3, CKM_DES3_KEY_GEN, CKM_DES3_ECB, "des3" },
+    { CKK_CAST, CKM_CAST_CBC, CKM_CAST_ECB, "cast" },
+    { CKK_CAST3, CKM_CAST3_CBC, CKM_CAST3_ECB, "cast3" },
+    { CKK_CAST5, CKM_CAST5_CBC, CKM_CAST5_ECB, "cast5" },
+    { CKK_CAST128, CKM_CAST128_CBC, CKM_CAST128_ECB, "cast128" },
+    { CKK_RC5, CKM_RC5_CBC, CKM_RC5_ECB, "rc5" },
+    { CKK_IDEA, CKM_IDEA_CBC, CKM_IDEA_ECB, "idea" },
+    { CKK_SKIPJACK, CKM_SKIPJACK_CBC64, CKM_SKIPJACK_WRAP, "skipjack" },
+    { CKK_BATON, CKM_BATON_CBC128, CKM_BATON_WRAP, "baton" },
+    { CKK_JUNIPER, CKM_JUNIPER_CBC128, CKM_JUNIPER_WRAP, "juniper" },
+    { CKK_CDMF, CKM_CDMF_CBC, CKM_CDMF_ECB, "cdmf" },
+    { CKK_AES, CKM_AES_CBC, CKM_AES_ECB, "aes" },
+    { CKK_CAMELLIA, CKM_CAMELLIA_CBC, CKM_CAMELLIA_ECB, "camellia" },
+};
+
+static int keyArraySize = sizeof(keyArray)/sizeof(keyArray[0]);
+
+int
+GetLen(PRFileDesc* fd)
+{
+    PRFileInfo info;
+
+    if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {
+        return -1;
+    }
+
+    return info.size;
+}
+
+int
+ReadBuf(char *inFile, SECItem *item)
+{
+    int len;
+    int ret;
+    PRFileDesc* fd = PR_Open(inFile, PR_RDONLY, 0);
+    if (NULL == fd) {
+        SECU_PrintError("symkeyutil", "PR_Open failed");
+	return -1;
+    }
+
+    len = GetLen(fd);
+    if (len < 0) {
+	SECU_PrintError("symkeyutil", "PR_GetOpenFileInfo failed");
+	return -1;
+    }
+    item->data = (unsigned char *)PORT_Alloc(len);
+    if (item->data == NULL) {
+	fprintf(stderr,"Failed to allocate %d to read file %s\n",len,inFile);
+	return -1;
+    }
+
+    ret = PR_Read(fd,item->data,item->len);
+    if (ret < 0) {
+	SECU_PrintError("symkeyutil", "PR_Read failed");
+	PORT_Free(item->data);
+	item->data = NULL;
+	return -1;
+    }
+    PR_Close(fd);
+    item->len = len;
+    return 0;
+}
+
+int
+WriteBuf(char *inFile, SECItem *item)
+{
+    int ret;
+    PRFileDesc* fd = PR_Open(inFile, PR_WRONLY|PR_CREATE_FILE, 0x200);
+    if (NULL == fd) {
+        SECU_PrintError("symkeyutil", "PR_Open failed");
+	return -1;
+    }
+
+    ret = PR_Write(fd,item->data,item->len);
+    if (ret < 0) {
+	SECU_PrintError("symkeyutil", "PR_Write failed");
+	return -1;
+    }
+    PR_Close(fd);
+    return 0;
+}
+
+CK_KEY_TYPE
+GetKeyTypeFromString(const char *keyString)
+{
+    int i;
+    for (i=0; i < keyArraySize; i++) {
+	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {
+	    return keyArray[i].keyType;
+	}
+    }
+    return (CK_KEY_TYPE)-1;
+}
+
+CK_MECHANISM_TYPE
+GetKeyMechFromString(const char *keyString)
+{
+    int i;
+    for (i=0; i < keyArraySize; i++) {
+	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {
+	    return keyArray[i].mechType;
+	}
+    }
+    return (CK_MECHANISM_TYPE)-1;
+}
+
+const char *
+GetStringFromKeyType(CK_KEY_TYPE type)
+{
+    int i;
+    for (i=0; i < keyArraySize; i++) {
+	if (keyArray[i].keyType == type) {
+	    return keyArray[i].label;
+	}
+    }
+    return "unmatched";
+}
+
+CK_MECHANISM_TYPE
+GetWrapFromKeyType(CK_KEY_TYPE type)
+{
+    int i;
+    for (i=0; i < keyArraySize; i++) {
+	if (keyArray[i].keyType == type) {
+	    return keyArray[i].wrapMech;
+	}
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+CK_MECHANISM_TYPE
+GetWrapMechanism(PK11SymKey *symKey)
+{
+    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
+
+    return GetWrapFromKeyType(type);
+}
+
+int
+GetDigit(char c)
+{
+    if (c == 0) {
+	return -1;
+    }
+    if (c <= '9' && c >= '0') {
+	return c - '0';
+    }
+    if (c <= 'f' && c >= 'a') {
+	return c - 'a' + 0xa;
+    }
+    if (c <= 'F' && c >= 'A') {
+	return c - 'A' + 0xa;
+    }
+    return -1;
+}
+
+char
+ToDigit(unsigned char c)
+{
+    c = c & 0xf;
+    if (c <= 9) {
+	return (char) (c+'0');
+    }
+    return (char) (c+'a'-0xa);
+}
+
+char *
+BufToHex(SECItem *outbuf)
+{
+    int len = outbuf->len * 2 +1;
+    char *string, *ptr;
+    unsigned int i;
+
+    string = PORT_Alloc(len);
+
+    ptr = string;
+    for (i=0; i < outbuf->len; i++) {
+	*ptr++ = ToDigit(outbuf->data[i] >> 4);
+	*ptr++ = ToDigit(outbuf->data[i] & 0xf);
+    }
+    *ptr = 0;
+    return string;
+}
+
+
+int
+HexToBuf(char *inString, SECItem *outbuf)
+{
+    int len = strlen(inString);
+    int outlen = len+1/2;
+    int trueLen = 0;
+
+    outbuf->data = PORT_Alloc(outlen);
+    if (outbuf->data) {
+	return -1;
+    }
+
+    while (*inString) {
+	int digit1, digit2;
+	digit1 = GetDigit(*inString++);
+	digit2 = GetDigit(*inString++);
+	if ((digit1 == -1) || (digit2 == -1)) {
+	    PORT_Free(outbuf->data);
+	    outbuf->data = NULL;
+	    return -1;
+	}
+	outbuf->data[trueLen++] = digit1 << 4 | digit2;
+    }
+    outbuf->len = trueLen;
+    return 0;
+}
+
+void
+printBuf(unsigned char *data, int len)
+{
+    int i;
+
+    for (i=0; i < len; i++) {
+	printf("%02x",data[i]);
+    }
+}
+
+void
+PrintKey(PK11SymKey *symKey)
+{
+    char *name = PK11_GetSymKeyNickname(symKey);
+    int len = PK11_GetKeyLength(symKey);
+    int strength = PK11_GetKeyStrength(symKey, NULL);
+    SECItem *value = NULL;
+    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
+    (void) PK11_ExtractKeyValue(symKey);
+
+    value = PK11_GetKeyData(symKey);
+
+    printf("%-20s %3d   %4d   %10s  ", name ? name: " ", len, strength, 
+				GetStringFromKeyType(type));
+    if (value && value->data) {
+	printBuf(value->data, value->len);
+    } else {
+	printf("<restricted>");
+    }
+    printf("\n");
+}
+
+SECStatus
+ListKeys(PK11SlotInfo *slot, int *printLabel, void *pwd) {
+    PK11SymKey *keyList;
+    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);
+    if (rv != SECSuccess) {
+        return rv;;
+    }
+
+    keyList = PK11_ListFixedKeysInSlot(slot, NULL, pwd);
+    if (keyList) {
+	if (*printLabel) {
+            printf("     Name            Len Strength     Type    Data\n");
+	    *printLabel = 0;
+	}
+	printf("%s:\n",PK11_GetTokenName(slot));
+    }
+    while (keyList) {
+        PK11SymKey *freeKey = keyList;
+        PrintKey(keyList);
+        keyList = PK11_GetNextSymKey(keyList);
+        PK11_FreeSymKey(freeKey);
+    }
+    return SECSuccess;
+}
+
+PK11SymKey *
+FindKey(PK11SlotInfo *slot, char *name, SECItem *id, void *pwd)
+{
+    PK11SymKey *key = NULL;
+    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);
+
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+
+    if (id->data) {
+	key = PK11_FindFixedKey(slot,CKM_INVALID_MECHANISM, id, pwd);
+    }
+    if (name && !key) {
+	key = PK11_ListFixedKeysInSlot(slot,name, pwd);
+    }
+
+    if (key) {
+	printf("Found a key\n");
+	PrintKey(key);
+    }
+    return key;
+}
+
+PRBool
+IsKeyList(PK11SymKey *symKey)
+{
+   return (PRBool) (PK11_GetNextSymKey(symKey) != NULL);
+}
+
+void
+FreeKeyList(PK11SymKey *symKey)
+{
+   PK11SymKey *next,*current;
+
+   for (current = symKey; current; current = next) {
+	next = PK11_GetNextSymKey(current);
+	PK11_FreeSymKey(current);
+   }
+   return;
+}
+	   
+static void 
+Usage(char *progName)
+{
+#define FPS fprintf(stderr, 
+    FPS "Type %s -H for more detailed descriptions\n", progName);
+    FPS "Usage:");
+    FPS "\t%s -L [std_opts] [-r]\n", progName);
+    FPS "\t%s -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]\n", progName);
+    FPS "\t%s -D <[-n name | -i id | -j id_file> [std_opts]\n", progName);
+    FPS "\t%s -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]\n", progName);
+    FPS "\t%s -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]\n", progName);
+    FPS "\t%s -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]\n", progName);
+    FPS "\t%s -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]\n", progName);
+    FPS "\t%s -M <-n name | -i id | -j id_file> -g target_token [std_opts]\n", progName);
+    FPS "\t\t std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]\n");
+    FPS "\t\t wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>\n");
+    exit(1);
+}
+
+static void LongUsage(char *progName)
+{
+    int i;
+    FPS "%-15s List all the keys.\n", "-L");
+    FPS "%-15s Generate a new key.\n", "-K");
+    FPS "%-20s Specify the nickname of the new key\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the new key\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the new key\n",
+	"   -j key id file");
+    FPS "%-20s Specify the keyType of the new key\n",
+	"   -t type");
+    FPS "%-20s", "  valid types: ");
+    for (i=0; i < keyArraySize ; i++) {
+	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
+    }
+    FPS "%-20s Specify the size of the new key in bytes (required by some types)\n",
+	"   -s size");
+    FPS "%-15s Delete a key.\n", "-D");
+    FPS "%-20s Specify the nickname of the key to delete\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the key to delete\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the key to delete\n",
+	"   -j key id file");
+    FPS "%-15s Import a new key from a data file.\n", "-I");
+    FPS "%-20s Specify the data file to read the key from.\n",
+	"   -k key file");
+    FPS "%-20s Specify the nickname of the new key\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the new key\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the new key\n",
+	"   -j key id file");
+    FPS "%-20s Specify the keyType of the new key\n",
+	"   -t type");
+    FPS "%-20s", "  valid types: ");
+    for (i=0; i < keyArraySize ; i++) {
+	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
+    }
+    FPS "%-15s Export a key to a data file.\n", "-E");
+    FPS "%-20s Specify the data file to write the key to.\n",
+	"   -k key file");
+    FPS "%-20s Specify the nickname of the key to export\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the key to export\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the key to export\n",
+	"   -j key id file");
+    FPS "%-15s Move a key to a new token.\n", "-M");
+    FPS "%-20s Specify the nickname of the key to move\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the key to move\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the key to move\n",
+	"   -j key id file");
+    FPS "%-20s Specify the token to move the key to\n",
+	"   -g target token");
+    FPS "%-15s Unwrap a new key from a data file.\n", "-U");
+    FPS "%-20s Specify the data file to read the encrypted key from.\n",
+	"   -k key file");
+    FPS "%-20s Specify the nickname of the new key\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the new key\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the new key\n",
+	"   -j key id file");
+    FPS "%-20s Specify the keyType of the new key\n",
+	"   -t type");
+    FPS "%-20s", "  valid types: ");
+    for (i=0; i < keyArraySize ; i++) {
+	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
+    }
+    FPS "%-20s Specify the nickname of the wrapping key\n",
+	"   -w wrap name");
+    FPS "%-20s Specify the id in hex of the wrapping key\n",
+	"   -x wrap key id");
+    FPS "%-20s Specify a file to read the id of the wrapping key\n",
+	"   -y wrap key id file");
+    FPS "%-15s Wrap a new key to a data file. [not yet implemented]\n", "-W");
+    FPS "%-20s Specify the data file to write the encrypted key to.\n",
+	"   -k key file");
+    FPS "%-20s Specify the nickname of the key to wrap\n",
+	"   -n name");
+    FPS "%-20s Specify the id in hex of the key to wrap\n",
+	"   -i key id");
+    FPS "%-20s Specify a file to read the id of the key to wrap\n",
+	"   -j key id file");
+    FPS "%-20s Specify the nickname of the wrapping key\n",
+	"   -w wrap name");
+    FPS "%-20s Specify the id in hex of the wrapping key\n",
+	"   -x wrap key id");
+    FPS "%-20s Specify a file to read the id of the wrapping key\n",
+	"   -y wrap key id file");
+    FPS "%-15s Options valid for all commands\n", "std_opts");
+    FPS "%-20s The directory where the NSS db's reside\n",
+	"   -d certdir");
+    FPS "%-20s Prefix for the NSS db's\n",
+	"   -P db prefix");
+    FPS "%-20s Specify password on the command line\n",
+	"   -p password");
+    FPS "%-20s Specify password file on the command line\n",
+	"   -f password file");
+    FPS "%-20s Specify token to act on\n",
+	"   -h token");
+    exit(1);
+#undef FPS
+}
+
+/*  Certutil commands  */
+enum {
+    cmd_CreateNewKey = 0,
+    cmd_DeleteKey,
+    cmd_ImportKey,
+    cmd_ExportKey,
+    cmd_WrapKey,
+    cmd_UnwrapKey,
+    cmd_MoveKey,
+    cmd_ListKeys,
+    cmd_PrintHelp
+};
+
+/*  Certutil options */
+enum {
+    opt_CertDir = 0,
+    opt_PasswordFile,
+    opt_TargetToken,
+    opt_TokenName,
+    opt_KeyID,
+    opt_KeyIDFile,
+    opt_KeyType,
+    opt_Nickname,
+    opt_KeyFile,
+    opt_Password,
+    opt_dbPrefix,
+    opt_RW,
+    opt_KeySize,
+    opt_WrapKeyName,
+    opt_WrapKeyID,
+    opt_WrapKeyIDFile,
+    opt_NoiseFile
+};
+
+static secuCommandFlag symKeyUtil_commands[] =
+{
+	{ /* cmd_CreateNewKey        */  'K', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_DeleteKey           */  'D', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ImportKey           */  'I', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ExportKey           */  'E', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_WrapKey             */  'W', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_UnwrapKey           */  'U', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_MoveKey             */  'M', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_ListKeys            */  'L', PR_FALSE, 0, PR_FALSE },
+	{ /* cmd_PrintHelp           */  'H', PR_FALSE, 0, PR_FALSE },
+};
+
+static secuCommandFlag symKeyUtil_options[] =
+{
+	{ /* opt_CertDir             */  'd', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_PasswordFile        */  'f', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_TargetToken         */  'g', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_TokenName           */  'h', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyID               */  'i', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyIDFile           */  'j', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyType             */  't', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Nickname            */  'n', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_KeyFile             */  'k', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_Password            */  'p', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_dbPrefix            */  'P', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_RW                  */  'r', PR_FALSE, 0, PR_FALSE },
+	{ /* opt_KeySize             */  's', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_WrapKeyName         */  'w', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_WrapKeyID           */  'x', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_WrapKeyIDFile       */  'y', PR_TRUE,  0, PR_FALSE },
+	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
+};
+
+int 
+main(int argc, char **argv)
+{
+    PK11SlotInfo *slot = NULL;
+    char *      slotname        = "internal";
+    char *      certPrefix      = "";
+    CK_MECHANISM_TYPE keyType   = CKM_SHA_1_HMAC;
+    int         keySize		= 0;
+    char *      name            = NULL;
+    char *      wrapName        = NULL;
+    secuPWData  pwdata          = { PW_NONE, 0 };
+    PRBool 	readOnly	= PR_FALSE;
+    SECItem	key;
+    SECItem	keyID;
+    SECItem	wrapKeyID;
+    int commandsEntered = 0;
+    int commandToRun = 0;
+    char *progName;
+    int i;
+    SECStatus rv = SECFailure;
+
+    secuCommand symKeyUtil;
+    symKeyUtil.numCommands=sizeof(symKeyUtil_commands)/sizeof(secuCommandFlag);
+    symKeyUtil.numOptions=sizeof(symKeyUtil_options)/sizeof(secuCommandFlag);
+    symKeyUtil.commands = symKeyUtil_commands;
+    symKeyUtil.options = symKeyUtil_options;
+
+    key.data = NULL; key.len = 0;
+    keyID.data = NULL; keyID.len = 0;
+    wrapKeyID.data = NULL; wrapKeyID.len = 0;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &symKeyUtil);
+
+    if (rv != SECSuccess)
+	Usage(progName);
+
+    rv = SECFailure;
+
+    /* -H print help */
+    if (symKeyUtil.commands[cmd_PrintHelp].activated)
+	LongUsage(progName);
+
+    /* -f password file, -p password */
+    if (symKeyUtil.options[opt_PasswordFile].arg) {
+	pwdata.source = PW_FROMFILE;
+	pwdata.data = symKeyUtil.options[opt_PasswordFile].arg;
+    } else if (symKeyUtil.options[opt_Password].arg) {
+	pwdata.source = PW_PLAINTEXT;
+	pwdata.data = symKeyUtil.options[opt_Password].arg;
+    } 
+
+    /* -d directory */
+    if (symKeyUtil.options[opt_CertDir].activated)
+	SECU_ConfigDirectory(symKeyUtil.options[opt_CertDir].arg);
+
+    /* -s key size */
+    if (symKeyUtil.options[opt_KeySize].activated) {
+	keySize = PORT_Atoi(symKeyUtil.options[opt_KeySize].arg);
+    }
+
+    /*  -h specify token name  */
+    if (symKeyUtil.options[opt_TokenName].activated) {
+	if (PL_strcmp(symKeyUtil.options[opt_TokenName].arg, "all") == 0)
+	    slotname = NULL;
+	else
+	    slotname = PL_strdup(symKeyUtil.options[opt_TokenName].arg);
+    }
+
+    /* -t key type */
+    if  (symKeyUtil.options[opt_KeyType].activated) {
+	keyType = GetKeyMechFromString(symKeyUtil.options[opt_KeyType].arg);
+	if (keyType == (CK_MECHANISM_TYPE)-1) {
+	    PR_fprintf(PR_STDERR, 
+	          "%s unknown key type (%s).\n",
+	           progName, symKeyUtil.options[opt_KeyType].arg);
+	    return 255;
+	}
+    }
+
+    /* -k for import and unwrap, it specifies an input file to read from,
+     * for export and wrap it specifies an output file to write to */
+    if (symKeyUtil.options[opt_KeyFile].activated) {
+        if (symKeyUtil.commands[cmd_ImportKey].activated ||
+		symKeyUtil.commands[cmd_UnwrapKey].activated ) {
+	    int ret = ReadBuf(symKeyUtil.options[opt_KeyFile].arg, &key);
+	    if (ret < 0) {
+	        PR_fprintf(PR_STDERR, 
+	          "%s Couldn't read key file (%s).\n",
+	           progName, symKeyUtil.options[opt_KeyFile].arg);
+		return 255;
+	    }
+	}
+    }
+
+    /* -i specify the key ID */
+    if (symKeyUtil.options[opt_KeyID].activated) {
+	int ret = HexToBuf(symKeyUtil.options[opt_KeyID].arg, &keyID);
+	if (ret < 0) {
+	    PR_fprintf(PR_STDERR, 
+	          "%s invalid key ID (%s).\n",
+	           progName, symKeyUtil.options[opt_KeyID].arg);
+	    return 255;
+	}
+    }
+
+    /* -i & -j are mutually exclusive */
+    if ((symKeyUtil.options[opt_KeyID].activated) &&
+		 (symKeyUtil.options[opt_KeyIDFile].activated)) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -i and -j options are mutually exclusive.\n", progName);
+	return 255;
+    }
+
+    /* -x specify the Wrap key ID */
+    if (symKeyUtil.options[opt_WrapKeyID].activated) {
+	int ret = HexToBuf(symKeyUtil.options[opt_WrapKeyID].arg, &wrapKeyID);
+	if (ret < 0) {
+	    PR_fprintf(PR_STDERR, 
+	          "%s invalid key ID (%s).\n",
+	           progName, symKeyUtil.options[opt_WrapKeyID].arg);
+	    return 255;
+	}
+    }
+
+    /* -x & -y are mutually exclusive */
+    if ((symKeyUtil.options[opt_KeyID].activated) &&
+		 (symKeyUtil.options[opt_KeyIDFile].activated)) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -i and -j options are mutually exclusive.\n", progName);
+	return 255;
+    }
+	
+
+    /* -y specify the key ID */
+    if (symKeyUtil.options[opt_WrapKeyIDFile].activated) {
+	int ret = ReadBuf(symKeyUtil.options[opt_WrapKeyIDFile].arg,
+								 &wrapKeyID);
+	if (ret < 0) {
+	    PR_fprintf(PR_STDERR, 
+	          "%s Couldn't read key ID file (%s).\n",
+	           progName, symKeyUtil.options[opt_WrapKeyIDFile].arg);
+	    return 255;
+	}
+    }
+
+    /*  -P certdb name prefix */
+    if (symKeyUtil.options[opt_dbPrefix].activated)
+	certPrefix = strdup(symKeyUtil.options[opt_dbPrefix].arg);
+
+    /*  Check number of commands entered.  */
+    commandsEntered = 0;
+    for (i=0; i< symKeyUtil.numCommands; i++) {
+	if (symKeyUtil.commands[i].activated) {
+	    commandToRun = symKeyUtil.commands[i].flag;
+	    commandsEntered++;
+	}
+	if (commandsEntered > 1)
+	    break;
+    }
+    if (commandsEntered > 1) {
+	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);
+	PR_fprintf(PR_STDERR, "You entered: ");
+	for (i=0; i< symKeyUtil.numCommands; i++) {
+	    if (symKeyUtil.commands[i].activated)
+		PR_fprintf(PR_STDERR, " -%c", symKeyUtil.commands[i].flag);
+	}
+	PR_fprintf(PR_STDERR, "\n");
+	return 255;
+    }
+    if (commandsEntered == 0) {
+	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
+	Usage(progName);
+    }
+
+    if (symKeyUtil.commands[cmd_ListKeys].activated ||
+         symKeyUtil.commands[cmd_PrintHelp].activated ||
+         symKeyUtil.commands[cmd_ExportKey].activated ||
+         symKeyUtil.commands[cmd_WrapKey].activated) {
+	readOnly = !symKeyUtil.options[opt_RW].activated;
+    }
+
+    if ((symKeyUtil.commands[cmd_ImportKey].activated ||
+         symKeyUtil.commands[cmd_ExportKey].activated ||
+         symKeyUtil.commands[cmd_WrapKey].activated ||
+         symKeyUtil.commands[cmd_UnwrapKey].activated ) &&
+        !symKeyUtil.options[opt_KeyFile].activated) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -%c: keyfile is required for this command (-k).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  -E, -D, -W, and all require -n, -i, or -j to identify the key  */
+    if ((symKeyUtil.commands[cmd_ExportKey].activated ||
+         symKeyUtil.commands[cmd_DeleteKey].activated ||
+         symKeyUtil.commands[cmd_WrapKey].activated) &&
+        !(symKeyUtil.options[opt_Nickname].activated ||
+	  symKeyUtil.options[opt_KeyID].activated ||
+	  symKeyUtil.options[opt_KeyIDFile].activated)) {
+	PR_fprintf(PR_STDERR, 
+	  "%s -%c: nickname or id is required for this command (-n, -i, -j).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  -W, -U, and all  -w, -x, or -y to identify the wrapping key  */
+    if (( symKeyUtil.commands[cmd_WrapKey].activated ||
+         symKeyUtil.commands[cmd_UnwrapKey].activated) &&
+        !(symKeyUtil.options[opt_WrapKeyName].activated ||
+	  symKeyUtil.options[opt_WrapKeyID].activated ||
+	  symKeyUtil.options[opt_WrapKeyIDFile].activated)) {
+	PR_fprintf(PR_STDERR, 
+	  "%s -%c: wrap key is required for this command (-w, -x, or -y).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /* -M needs the target slot  (-g) */
+    if (symKeyUtil.commands[cmd_MoveKey].activated  &&
+			!symKeyUtil.options[opt_TargetToken].activated) {
+	PR_fprintf(PR_STDERR, 
+	          "%s -%c: target token is required for this command (-g).\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    /*  Using slotname == NULL for listing keys and certs on all slots, 
+     *  but only that. */
+    if (!(symKeyUtil.commands[cmd_ListKeys].activated) && slotname == NULL) {
+	PR_fprintf(PR_STDERR,
+	           "%s -%c: cannot use \"-h all\" for this command.\n",
+	           progName, commandToRun);
+	return 255;
+    }
+
+    name = SECU_GetOptionArg(&symKeyUtil, opt_Nickname);
+    wrapName = SECU_GetOptionArg(&symKeyUtil, opt_WrapKeyName);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /*  Initialize NSPR and NSS.  */
+    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+    rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,
+                        "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
+    if (rv != SECSuccess) {
+	SECU_PrintPRandOSError(progName);
+	goto shutdown;
+    }
+    rv = SECFailure;
+
+    if (PL_strcmp(slotname, "internal") == 0)
+	slot = PK11_GetInternalKeySlot();
+    else if (slotname != NULL)
+	slot = PK11_FindSlotByName(slotname);
+
+    /* generating a new key */
+    if (symKeyUtil.commands[cmd_CreateNewKey].activated)  {
+	PK11SymKey *symKey;
+
+	symKey = PK11_TokenKeyGen(slot, keyType, NULL, keySize, 
+							NULL, PR_TRUE, &pwdata);
+	if (!symKey) {
+	    PR_fprintf(PR_STDERR, "%s: Token Key Gen Failed\n", progName);
+	    goto shutdown;
+	}
+	if (symKeyUtil.options[opt_Nickname].activated) {
+	    rv = PK11_SetSymKeyNickname(symKey, name);
+	    if (rv != SECSuccess) {
+		PK11_DeleteTokenSymKey(symKey);
+		PK11_FreeSymKey(symKey);
+	        PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",
+								 progName);
+		goto shutdown;
+	    }
+	}
+	rv = SECSuccess;
+	PrintKey(symKey);
+	PK11_FreeSymKey(symKey);
+    }
+    if (symKeyUtil.commands[cmd_DeleteKey].activated) {
+	PK11SymKey *symKey = FindKey(slot,name,&keyID,&pwdata);
+
+	if (!symKey) {
+	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    goto shutdown;
+	}
+
+	rv = PK11_DeleteTokenSymKey(symKey);
+	FreeKeyList(symKey);
+	if (rv != SECSuccess) {
+	    PR_fprintf(PR_STDERR, "%s: Couldn't Delete Key \n", progName);
+	    goto shutdown;
+	}
+    }
+    if (symKeyUtil.commands[cmd_UnwrapKey].activated) {
+	PK11SymKey *wrapKey = FindKey(slot,wrapName,&wrapKeyID,&pwdata);
+	PK11SymKey *symKey;
+ 	CK_MECHANISM_TYPE mechanism;
+
+	if (!wrapKey) {
+	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
+							: PORT_Strdup(wrapName);
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    goto shutdown;
+	}
+	mechanism = GetWrapMechanism(wrapKey);
+	if (mechanism == CKM_INVALID_MECHANISM) {
+	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
+							: PORT_Strdup(wrapName);
+	    PR_fprintf(PR_STDERR, "%s: %s on %s is an invalid wrapping key\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    PK11_FreeSymKey(wrapKey);
+	    goto shutdown;
+	}
+
+	symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrapKey, mechanism, NULL,
+			&key, keyType, CKA_ENCRYPT, keySize, 0, PR_TRUE);
+	PK11_FreeSymKey(wrapKey);
+	if (!symKey) {
+	    PR_fprintf(PR_STDERR, "%s: Unwrap Key Failed\n", progName);
+	    goto shutdown;
+	}
+
+	if (symKeyUtil.options[opt_Nickname].activated) {
+	    rv = PK11_SetSymKeyNickname(symKey, name);
+	    if (rv != SECSuccess) {
+	        PR_fprintf(PR_STDERR, "%s: Couldn't set name on key\n", 
+								progName);
+		PK11_DeleteTokenSymKey(symKey);
+		PK11_FreeSymKey(symKey);
+		goto shutdown;
+	    }
+	}
+	rv = SECSuccess;
+	PrintKey(symKey);
+	PK11_FreeSymKey(symKey);
+    }
+
+#define MAX_KEY_SIZE 4098
+    if (symKeyUtil.commands[cmd_WrapKey].activated) {
+	PK11SymKey *symKey = FindKey(slot, name, &keyID, &pwdata);
+	PK11SymKey *wrapKey;
+	CK_MECHANISM_TYPE mechanism;
+	SECItem data;
+	unsigned char buf[MAX_KEY_SIZE];
+	int ret;
+
+	if (!symKey) {
+	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    goto shutdown;
+	}
+
+	wrapKey = FindKey(slot, wrapName, &wrapKeyID, &pwdata);
+	if (!wrapKey) {
+	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
+							: PORT_Strdup(wrapName);
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    PK11_FreeSymKey(symKey);
+	    goto shutdown;
+	}
+
+	mechanism = GetWrapMechanism(wrapKey);
+	if (mechanism == CKM_INVALID_MECHANISM) {
+	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
+							: PORT_Strdup(wrapName);
+	    PR_fprintf(PR_STDERR, "%s: %s on %s is an invalid wrapping key\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    PK11_FreeSymKey(symKey);
+	    PK11_FreeSymKey(wrapKey);
+	    goto shutdown;
+	}
+
+	data.data = buf;
+	data.len = sizeof(buf);
+	rv = PK11_WrapSymKey(mechanism, NULL,  wrapKey, symKey, &data);
+	PK11_FreeSymKey(symKey);
+	PK11_FreeSymKey(wrapKey);
+	if (rv != SECSuccess) {
+	    PR_fprintf(PR_STDERR, "%s: Couldn't wrap key\n",progName);
+	    goto shutdown;
+	}
+
+	/* WriteBuf outputs it's own error using SECU_PrintError */
+	ret = WriteBuf(symKeyUtil.options[opt_KeyFile].arg, &data);
+	if (ret < 0) {
+	    goto shutdown;
+	}
+    }
+
+    if (symKeyUtil.commands[cmd_ImportKey].activated) {
+	PK11SymKey *symKey = PK11_ImportSymKey(slot, keyType,
+			 PK11_OriginUnwrap, CKA_ENCRYPT, &key,&pwdata);
+	if (!symKey) {
+	    PR_fprintf(PR_STDERR, "%s: Import Key Failed\n", progName);
+	    goto shutdown;
+	}
+	if (symKeyUtil.options[opt_Nickname].activated) {
+	    rv = PK11_SetSymKeyNickname(symKey, name);
+	    if (rv != SECSuccess) {
+	        PR_fprintf(PR_STDERR, "%s: Couldn't set name on key\n", 
+								progName);
+		PK11_DeleteTokenSymKey(symKey);
+		PK11_FreeSymKey(symKey);
+		goto shutdown;
+	    }
+	}
+	rv = SECSuccess;
+	PrintKey(symKey);
+	PK11_FreeSymKey(symKey);
+    }
+
+    /*  List certs (-L)  */
+    if (symKeyUtil.commands[cmd_ListKeys].activated) {
+	int printLabel = 1;
+	if (slot) {
+	    rv = ListKeys(slot,&printLabel,&pwdata);
+	} else {
+	    /* loop over all the slots */
+	    PK11SlotList *slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+					PR_FALSE, PR_FALSE, &pwdata);
+	    PK11SlotListElement *se;
+
+	    if (slotList == NULL) {
+	        PR_fprintf(PR_STDERR, "%s: No tokens found\n",progName);
+	    }
+	    for (se = PK11_GetFirstSafe(slotList); se; 
+				se=PK11_GetNextSafe(slotList,se, PR_FALSE)) {
+	        rv = ListKeys(se->slot,&printLabel,&pwdata);
+	        if (rv !=SECSuccess) {
+		    break;
+		}
+	    }
+	}
+    }
+
+    /*  Move key (-M)  */
+    if (symKeyUtil.commands[cmd_MoveKey].activated) {
+	PK11SlotInfo *target;
+	char *targetName = symKeyUtil.options[opt_TargetToken].arg;
+	PK11SymKey *newKey;
+	PK11SymKey *symKey = FindKey(slot,name,&keyID,&pwdata);
+	char *keyName = PK11_GetSymKeyNickname(symKey);
+
+	if (!symKey) {
+	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
+			progName, keyName, PK11_GetTokenName(slot));
+	    PORT_Free(keyName);
+	    goto shutdown;
+	}
+	target = PK11_FindSlotByName(targetName);
+	if (!target) {
+	    PR_fprintf(PR_STDERR, "%s: Couldn't find slot %s\n",
+			progName, targetName);
+	    goto shutdown;
+	}
+	rv = PK11_Authenticate(target, PR_FALSE, &pwdata);
+	if (rv != SECSuccess) {
+	    PR_fprintf(PR_STDERR, "%s: Failed to log into %s\n",
+			progName, targetName);
+	    goto shutdown;
+	}
+	rv = SECFailure;
+	newKey = PK11_MoveSymKey(target, CKA_ENCRYPT, 0, PR_TRUE, symKey);
+	if (!newKey) {
+	    PR_fprintf(PR_STDERR, "%s: Couldn't move the key \n",progName);
+	    goto shutdown;
+	}
+	if (keyName) {
+	    rv = PK11_SetSymKeyNickname(newKey, keyName);
+	    if (rv != SECSuccess) {
+		PK11_DeleteTokenSymKey(newKey);
+		PK11_FreeSymKey(newKey);
+	        PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",
+								 progName);
+		goto shutdown;
+	    }
+	}
+	PK11_FreeSymKey(newKey);
+	rv = SECSuccess;
+    }
+
+shutdown:
+    if (rv != SECSuccess) {
+	PR_fprintf(PR_STDERR, "%s: %s\n", progName,
+					SECU_Strerror(PORT_GetError()));
+    }
+
+    if (key.data) {
+	PORT_Free(key.data);
+    }
+
+    if (keyID.data) {
+	PORT_Free(keyID.data);
+    }
+
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    if (rv == SECSuccess) {
+	return 0;
+    } else {
+	return 255;
+    }
+}
+
+
+
diff --git a/security/nss/cmd/tests/Makefile b/security/nss/cmd/tests/Makefile
new file mode 100644
index 000000000..f4e0038c0
--- /dev/null
+++ b/security/nss/cmd/tests/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
diff --git a/security/nss/cmd/tests/conflict.c b/security/nss/cmd/tests/conflict.c
new file mode 100644
index 000000000..7dc95b57a
--- /dev/null
+++ b/security/nss/cmd/tests/conflict.c
@@ -0,0 +1,58 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This test verifies that NSS public headers don't conflict with common
+ * identifier names.
+ */
+
+#include "nssilckt.h"
+
+/*
+ * Bug 455424: nssilckt.h used to define the enumeration constant 'Lock',
+ * which conflicts with C++ code that defines a Lock class.  This is a
+ * reduced test case in C for that name conflict.
+ */
+typedef struct {
+    int dummy;
+} Lock;
+
+Lock lock;
+
+int main()
+{
+    return 0;
+}
diff --git a/security/nss/cmd/tests/manifest.mn b/security/nss/cmd/tests/manifest.mn
new file mode 100644
index 000000000..1418d08f3
--- /dev/null
+++ b/security/nss/cmd/tests/manifest.mn
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+	conflict.c \
+	nonspr10.c \
+	remtest.c \
+	$(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm
+
+PROGRAMS = $(CSRCS:.c=)
+
+TARGETS = $(PROGRAMS)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/tests/nonspr10.c b/security/nss/cmd/tests/nonspr10.c
new file mode 100644
index 000000000..dd71eb271
--- /dev/null
+++ b/security/nss/cmd/tests/nonspr10.c
@@ -0,0 +1,122 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This test verifies that NSS public headers can be compiled with no
+ * NSPR 1.0 support.
+ */
+
+#define NO_NSPR_10_SUPPORT 1
+
+#include "base64.h"
+#include "blapit.h"
+#include "cert.h"
+#include "certdb.h"
+#include "certt.h"
+#include "ciferfam.h"
+#include "cmmf.h"
+#include "cmmft.h"
+#include "cms.h"
+#include "cmsreclist.h"
+#include "cmst.h"
+#include "crmf.h"
+#include "crmft.h"
+#include "cryptohi.h"
+#include "cryptoht.h"
+#include "ecl-exp.h"
+#include "hasht.h"
+#include "key.h"
+#include "keyhi.h"
+#include "keyt.h"
+#include "keythi.h"
+#include "nss.h"
+#include "nssb64.h"
+#include "nssb64t.h"
+#include "nssbase.h"
+#include "nssbaset.h"
+#include "nssckbi.h"
+#include "nssilckt.h"
+#include "nssilock.h"
+#include "nsslocks.h"
+#include "nssrwlk.h"
+#include "nssrwlkt.h"
+#include "ocsp.h"
+#include "ocspt.h"
+#include "p12.h"
+#include "p12plcy.h"
+#include "p12t.h"
+#include "pk11func.h"
+#include "pk11pqg.h"
+#include "pk11priv.h"
+#include "pk11pub.h"
+#include "pk11sdr.h"
+#include "pkcs11.h"
+#include "pkcs11t.h"
+#include "pkcs12.h"
+#include "pkcs12t.h"
+#include "pkcs7t.h"
+#include "portreg.h"
+#include "preenc.h"
+#include "secasn1.h"
+#include "secasn1t.h"
+#include "seccomon.h"
+#include "secder.h"
+#include "secdert.h"
+#include "secdig.h"
+#include "secdigt.h"
+#include "secerr.h"
+#include "sechash.h"
+#include "secitem.h"
+#include "secmime.h"
+#include "secmod.h"
+#include "secmodt.h"
+#include "secoid.h"
+#include "secoidt.h"
+#include "secpkcs5.h"
+#include "secpkcs7.h"
+#include "secport.h"
+#include "shsign.h"
+#include "smime.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+#include "sslt.h"
+#include "watcomfx.h"
+
+int main()
+{
+    return 0;
+}
diff --git a/security/nss/cmd/tests/remtest.c b/security/nss/cmd/tests/remtest.c
new file mode 100644
index 000000000..c49c7e4f1
--- /dev/null
+++ b/security/nss/cmd/tests/remtest.c
@@ -0,0 +1,167 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+**
+** Sample client side test program that uses SSL and NSS
+**
+*/
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#else
+#include "ctype.h"	/* for isalpha() */
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+
+#include "nspr.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "nss.h"
+#include "pk11func.h"
+#include "plgetopt.h"
+
+void
+Usage(char *progName) 
+{
+    fprintf(stderr,"usage: %s [-d profiledir] -t tokenName [-r]\n", progName);
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    char *             certDir  =  NULL;
+    PLOptState *optstate;
+    PLOptStatus optstatus;
+    SECStatus rv;
+    char * tokenName = NULL;
+    PRBool cont=PR_TRUE;
+    PK11TokenEvent event = PK11TokenPresentEvent;
+    PK11TokenStatus status;
+    char *progName;
+    PK11SlotInfo *slot;
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    optstate = PL_CreateOptState(argc, argv, "rd:t:");
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+
+	  case 'd':
+	    certDir = strdup(optstate->value);
+	    certDir = SECU_ConfigDirectory(certDir);
+	    break;
+	  case 't':
+	    tokenName = strdup(optstate->value);
+	    break;
+	  case 'r':
+	    event = PK11TokenRemovedOrChangedEvent;
+	    break;
+	}
+    }
+    if (optstatus == PL_OPT_BAD)
+	Usage(progName);
+
+    if (tokenName == NULL) {
+	Usage(progName);
+    }
+
+    if (!certDir) {
+	certDir = SECU_DefaultSSLDir();	/* Look in $SSL_DIR */
+	certDir = SECU_ConfigDirectory(certDir); /* call even if it's NULL */
+    }
+
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /* open the cert DB, the key DB, and the secmod DB. */
+    rv = NSS_Init(certDir);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "unable to open cert database");
+	return 1;
+    }
+
+    printf("Looking up tokenNamed: <%s>\n",tokenName);
+    slot = PK11_FindSlotByName(tokenName);
+    if (slot == NULL) {
+	SECU_PrintError(progName, "unable to find token");
+	return 1;
+    }
+
+    do {
+	status = 
+	   PK11_WaitForTokenEvent(slot,event,PR_INTERVAL_NO_TIMEOUT, 0, 0);
+
+	switch (status) {
+	case PK11TokenNotRemovable:
+	    cont = PR_FALSE;
+	    printf("%s Token Not Removable\n",tokenName);
+	    break;
+	case PK11TokenChanged:
+	    event = PK11TokenRemovedOrChangedEvent;
+	    printf("%s Token Changed\n", tokenName);
+	    break;
+	case PK11TokenRemoved:
+	    event = PK11TokenPresentEvent;
+	    printf("%s Token Removed\n", tokenName);
+	    break;
+	case PK11TokenPresent:
+	    event = PK11TokenRemovedOrChangedEvent;
+	    printf("%s Token Present\n", tokenName);
+	    break;
+	}
+    } while (cont);
+
+    PK11_FreeSlot(slot);
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+    PR_Cleanup();
+    return 0;
+}
diff --git a/security/nss/cmd/tstclnt/Makefile b/security/nss/cmd/tstclnt/Makefile
new file mode 100644
index 000000000..297114522
--- /dev/null
+++ b/security/nss/cmd/tstclnt/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include ../platlibs.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/tstclnt/manifest.mn b/security/nss/cmd/tstclnt/manifest.mn
new file mode 100644
index 000000000..fa3f5fe16
--- /dev/null
+++ b/security/nss/cmd/tstclnt/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+# DIRS = 
+
+CSRCS	= tstclnt.c  
+
+PROGRAM	= tstclnt
+
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
new file mode 100644
index 000000000..06c154108
--- /dev/null
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -0,0 +1,1065 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+**
+** Sample client side test program that uses SSL and NSS
+**
+*/
+
+#include "secutil.h"
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#else
+#include <ctype.h>	/* for isalpha() */
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+
+#include "nspr.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "nss.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "pk11func.h"
+#include "plgetopt.h"
+#include "plstr.h"
+
+#if defined(WIN32)
+#include <fcntl.h>
+#include <io.h>
+#endif
+
+#define PRINTF  if (verbose)  printf
+#define FPRINTF if (verbose) fprintf
+
+#define MAX_WAIT_FOR_SERVER 600
+#define WAIT_INTERVAL       100
+
+PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
+
+int ssl2CipherSuites[] = {
+    SSL_EN_RC4_128_WITH_MD5,			/* A */
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,		/* B */
+    SSL_EN_RC2_128_CBC_WITH_MD5,		/* C */
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,	/* D */
+    SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
+    0
+};
+
+int ssl3CipherSuites[] = {
+    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
+    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
+    SSL_RSA_WITH_RC4_128_MD5,			/* c */
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
+    SSL_RSA_WITH_NULL_MD5,			/* i */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
+    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
+    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
+    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
+    SSL_RSA_WITH_NULL_SHA,			/* z */
+    0
+};
+
+unsigned long __cmp_umuls;
+PRBool verbose;
+int renegotiate = 0;
+
+static char *progName;
+
+secuPWData  pwdata          = { PW_NONE, 0 };
+
+void printSecurityInfo(PRFileDesc *fd)
+{
+    CERTCertificate * cert;
+    SSL3Statistics * ssl3stats = SSL_GetStatistics();
+    SECStatus result;
+    SSLChannelInfo    channel;
+    SSLCipherSuiteInfo suite;
+
+    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
+    if (result == SECSuccess && 
+        channel.length == sizeof channel && 
+	channel.cipherSuite) {
+	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
+					&suite, sizeof suite);
+	if (result == SECSuccess) {
+	    FPRINTF(stderr, 
+	    "tstclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
+	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
+	       suite.effectiveKeyBits, suite.symCipherName, 
+	       suite.macBits, suite.macAlgorithmName);
+	    FPRINTF(stderr, 
+	    "tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
+	       channel.authKeyBits, suite.authAlgorithmName,
+	       channel.keaKeyBits,  suite.keaTypeName);
+    	}
+    }
+    cert = SSL_RevealCert(fd);
+    if (cert) {
+	char * ip = CERT_NameToAscii(&cert->issuer);
+	char * sp = CERT_NameToAscii(&cert->subject);
+        if (sp) {
+	    fprintf(stderr, "subject DN: %s\n", sp);
+	    PORT_Free(sp);
+	}
+        if (ip) {
+	    fprintf(stderr, "issuer  DN: %s\n", ip);
+	    PORT_Free(ip);
+	}
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+    fprintf(stderr,
+    	"%ld cache hits; %ld cache misses, %ld cache not reusable\n"
+	"%ld stateless resumes\n",
+    	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
+	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
+}
+
+void
+handshakeCallback(PRFileDesc *fd, void *client_data)
+{
+    printSecurityInfo(fd);
+    if (renegotiate > 0) {
+	renegotiate--;
+	SSL_ReHandshake(fd, PR_FALSE);
+    }
+}
+
+static void Usage(const char *progName)
+{
+    fprintf(stderr, 
+"Usage:  %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvxr] \n"
+"                   [-c ciphers] [-w passwd] [-W pwfile] [-q]\n", progName);
+    fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
+    fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
+    fprintf(stderr, 
+            "%-20s Directory with cert database (default is ~/.netscape)\n",
+	    "-d certdir");
+    fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", 
+                    "-n nickname");
+    fprintf(stderr, 
+            "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
+    fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
+    fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
+    fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
+    fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
+    fprintf(stderr, "%-20s Client speaks first. \n", "-f");
+    fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
+    fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
+    fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
+    fprintf(stderr, "%-20s Use export policy.\n", "-x");
+    fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
+    fprintf(stderr, "%-20s Renegotiate with session resumption.\n", "-r");
+    fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
+    fprintf(stderr, "%-20s Letter(s) chosen from the following list\n", 
+                    "-c ciphers");
+    fprintf(stderr, 
+"A    SSL2 RC4 128 WITH MD5\n"
+"B    SSL2 RC4 128 EXPORT40 WITH MD5\n"
+"C    SSL2 RC2 128 CBC WITH MD5\n"
+"D    SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
+"E    SSL2 DES 64 CBC WITH MD5\n"
+"F    SSL2 DES 192 EDE3 CBC WITH MD5\n"
+"\n"
+"c    SSL3 RSA WITH RC4 128 MD5\n"
+"d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
+"e    SSL3 RSA WITH DES CBC SHA\n"
+"f    SSL3 RSA EXPORT WITH RC4 40 MD5\n"
+"g    SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
+"i    SSL3 RSA WITH NULL MD5\n"
+"j    SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
+"k    SSL3 RSA FIPS WITH DES CBC SHA\n"
+"l    SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
+"m    SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
+"n    SSL3 RSA WITH RC4 128 SHA\n"
+"o    SSL3 DHE DSS WITH RC4 128 SHA\n"
+"p    SSL3 DHE RSA WITH 3DES EDE CBC SHA\n"
+"q    SSL3 DHE DSS WITH 3DES EDE CBC SHA\n"
+"r    SSL3 DHE RSA WITH DES CBC SHA\n"
+"s    SSL3 DHE DSS WITH DES CBC SHA\n"
+"t    SSL3 DHE DSS WITH AES 128 CBC SHA\n"
+"u    SSL3 DHE RSA WITH AES 128 CBC SHA\n"
+"v    SSL3 RSA WITH AES 128 CBC SHA\n"
+"w    SSL3 DHE DSS WITH AES 256 CBC SHA\n"
+"x    SSL3 DHE RSA WITH AES 256 CBC SHA\n"
+"y    SSL3 RSA WITH AES 256 CBC SHA\n"
+"z    SSL3 RSA WITH NULL SHA\n"
+"\n"
+":WXYZ  Use cipher with hex code { 0xWX , 0xYZ } in TLS\n"
+	);
+    exit(1);
+}
+
+void
+milliPause(PRUint32 milli)
+{
+    PRIntervalTime ticks = PR_MillisecondsToInterval(milli);
+    PR_Sleep(ticks);
+}
+
+void
+disableAllSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv;
+
+    /* disable all the SSL3 cipher suites */
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+	if (rv != SECSuccess) {
+	    PRErrorCode err = PR_GetError();
+	    fprintf(stderr,
+	            "SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n",
+	    	   suite, i, SECU_Strerror(err));
+	    exit(2);
+	}
+    }
+}
+
+/*
+ * Callback is called when incoming certificate is not valid.
+ * Returns SECSuccess to accept the cert anyway, SECFailure to reject.
+ */
+static SECStatus 
+ownBadCertHandler(void * arg, PRFileDesc * socket)
+{
+    PRErrorCode err = PR_GetError();
+    /* can log invalid cert here */
+    fprintf(stderr, "Bad server certificate: %d, %s\n", err, 
+            SECU_Strerror(err));
+    return SECSuccess;	/* override, say it's OK. */
+}
+
+SECStatus
+own_GetClientAuthData(void *                       arg,
+                      PRFileDesc *                 socket,
+                      struct CERTDistNamesStr *    caNames,
+                      struct CERTCertificateStr ** pRetCert,
+                      struct SECKEYPrivateKeyStr **pRetKey)
+{
+    if (verbose > 1) {
+	SECStatus rv;
+        fprintf(stderr, "Server requested Client Authentication\n");
+	if (caNames && caNames->nnames > 0) {
+	    PLArenaPool *arena = caNames->arena;
+	    if (!arena)
+		arena = PORT_NewArena(2048);
+	    if (arena) {
+		int i;
+		for (i = 0; i < caNames->nnames; ++i) {
+		    char *nameString;
+		    CERTName dn;
+		    rv = SEC_QuickDERDecodeItem(arena, 
+					    &dn,
+					    SEC_ASN1_GET(CERT_NameTemplate), 
+					    caNames->names + i);
+		    if (rv != SECSuccess)
+			continue;
+		    nameString = CERT_NameToAscii(&dn);
+		    if (!nameString)
+			continue;
+		    fprintf(stderr, "CA[%d]: %s\n", i + 1, nameString);
+		    PORT_Free(nameString);
+		}
+		if (!caNames->arena) {
+		    PORT_FreeArena(arena, PR_FALSE);
+		}
+	    }
+	}
+	rv = NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
+	if (rv == SECSuccess && *pRetCert) {
+	    char *nameString = CERT_NameToAscii(&((*pRetCert)->subject));
+	    if (nameString) {
+		fprintf(stderr, "sent cert: %s\n", nameString);
+		PORT_Free(nameString);
+	    }
+	} else {
+	    fprintf(stderr, "send no cert\n");
+	}
+	return rv;
+    }
+    return NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
+}
+
+#if defined(WIN32) || defined(OS2)
+void
+thread_main(void * arg)
+{
+    PRFileDesc * ps     = (PRFileDesc *)arg;
+    PRFileDesc * std_in = PR_GetSpecialFD(PR_StandardInput);
+    int wc, rc;
+    char buf[256];
+
+#ifdef WIN32
+    {
+	/* Put stdin into O_BINARY mode 
+	** or else incoming \r\n's will become \n's.
+	*/
+	int smrv = _setmode(_fileno(stdin), _O_BINARY);
+	if (smrv == -1) {
+	    fprintf(stderr,
+	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
+	            progName);
+	    /* plow ahead anyway */
+	}
+    }
+#endif
+
+    do {
+	rc = PR_Read(std_in, buf, sizeof buf);
+	if (rc <= 0)
+	    break;
+	wc = PR_Send(ps, buf, rc, 0, maxInterval);
+    } while (wc == rc);
+    PR_Close(ps);
+}
+
+#endif
+
+static void
+printHostNameAndAddr(const char * host, const PRNetAddr * addr)
+{
+    PRUint16 port = PR_NetAddrInetPort(addr);
+    char addrBuf[80];
+    PRStatus st = PR_NetAddrToString(addr, addrBuf, sizeof addrBuf);
+
+    if (st == PR_SUCCESS) {
+	port = PR_ntohs(port);
+	FPRINTF(stderr, "%s: connecting to %s:%hu (address=%s)\n",
+	       progName, host, port, addrBuf);
+    }
+}
+
+/*
+ *  Prints output according to skipProtoHeader flag. If skipProtoHeader
+ *  is not set, prints without any changes, otherwise looking
+ *  for \n\r\n(empty line sequence: HTTP header separator) and
+ *  prints everything after it.
+ */
+static void
+separateReqHeader(const PRFileDesc* outFd, const char* buf, const int nb,
+                  PRBool *wrStarted, int *ptrnMatched) {
+
+    /* it is sufficient to look for only "\n\r\n". Hopping that
+     * HTTP response format satisfies the standard */
+    char *ptrnStr = "\n\r\n";
+    char *resPtr;
+
+    if (nb == 0) {
+        return;
+    }
+
+    if (*ptrnMatched > 0) {
+        /* Get here only if previous separateReqHeader call found
+         * only a fragment of "\n\r\n" in previous buffer. */
+        PORT_Assert(*ptrnMatched < 3);
+
+        /* the size of fragment of "\n\r\n" what we want to find in this
+         * buffer is equal to *ptrnMatched */
+        if (*ptrnMatched <= nb) {
+            /* move the pointer to the beginning of the fragment */
+            int strSize = *ptrnMatched;
+            char *tmpPtrn = ptrnStr + (3 - strSize);
+            if (PL_strncmp(buf, tmpPtrn, strSize) == 0) {
+                /* print the rest of the buffer(without the fragment) */
+                PR_Write((void*)outFd, buf + strSize, nb - strSize);
+                *wrStarted = PR_TRUE;
+                return;
+            }
+        } else {
+            /* we are here only when nb == 1 && *ptrnMatched == 2 */
+            if (*buf == '\r') {
+                *ptrnMatched = 1;
+            } else {
+                *ptrnMatched = 0;
+            }
+            return;
+        }
+    }
+    resPtr = PL_strnstr(buf, ptrnStr, nb);
+    if (resPtr != NULL) {
+        /* if "\n\r\n" was found in the buffer, calculate offset
+         * and print the rest of the buffer */
+        int newBn = nb - (resPtr - buf + 3); /* 3 is the length of "\n\r\n" */
+
+        PR_Write((void*)outFd, resPtr + 3, newBn);
+        *wrStarted = PR_TRUE;
+        return;
+    } else {
+        /* try to find a fragment of "\n\r\n" at the end of the buffer.
+         * if found, set *ptrnMatched to the number of chars left to find
+         * in the next buffer.*/
+        int i;
+        for(i = 1 ;i < 3;i++) {
+            char *bufPrt;
+            int strSize = 3 - i;
+            
+            if (strSize > nb) {
+                continue;
+            }
+            bufPrt = (char*)(buf + nb - strSize);
+            
+            if (PL_strncmp(bufPrt, ptrnStr, strSize) == 0) {
+                *ptrnMatched = i;
+                return;
+            }
+        }
+    }
+}
+
+#define SSOCK_FD 0
+#define STDIN_FD 1
+
+#define HEXCHAR_TO_INT(c, i) \
+    if (((c) >= '0') && ((c) <= '9')) { \
+	i = (c) - '0'; \
+    } else if (((c) >= 'a') && ((c) <= 'f')) { \
+	i = (c) - 'a' + 10; \
+    } else if (((c) >= 'A') && ((c) <= 'F')) { \
+	i = (c) - 'A' + 10; \
+    } else { \
+	Usage(progName); \
+    }
+
+int main(int argc, char **argv)
+{
+    PRFileDesc *       s;
+    PRFileDesc *       std_out;
+    CERTCertDBHandle * handle;
+    char *             host	=  NULL;
+    char *             certDir  =  NULL;
+    char *             nickname =  NULL;
+    char *             cipherString = NULL;
+    char *             tmp;
+    int                multiplier = 0;
+    SECStatus          rv;
+    PRStatus           status;
+    PRInt32            filesReady;
+    int                npds;
+    int                override = 0;
+    int                disableSSL2 = 0;
+    int                disableSSL3 = 0;
+    int                disableTLS  = 0;
+    int                bypassPKCS11 = 0;
+    int                disableLocking = 0;
+    int                useExportPolicy = 0;
+    int                enableSessionTickets = 0;
+    PRSocketOptionData opt;
+    PRNetAddr          addr;
+    PRPollDesc         pollset[2];
+    PRBool             pingServerFirst = PR_FALSE;
+    PRBool             clientSpeaksFirst = PR_FALSE;
+    PRBool             wrStarted = PR_FALSE;
+    PRBool             skipProtoHeader = PR_FALSE;
+    int                headerSeparatorPtrnId = 0;
+    int                error = 0;
+    PRUint16           portno = 443;
+    PLOptState *optstate;
+    PLOptStatus optstatus;
+    PRStatus prStatus;
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
+    if (tmp && tmp[0]) {
+       int sec = PORT_Atoi(tmp);
+       if (sec > 0) {
+           maxInterval = PR_SecondsToInterval(sec);
+       }
+    }
+
+    optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:xW:");
+    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case '?':
+	  default : Usage(progName); 			break;
+
+          case '2': disableSSL2 = 1; 			break;
+
+          case '3': disableSSL3 = 1; 			break;
+
+          case 'B': bypassPKCS11 = 1; 			break;
+
+          case 'T': disableTLS  = 1; 			break;
+
+          case 'S': skipProtoHeader = PR_TRUE;                 break;
+
+          case 'c': cipherString = PORT_Strdup(optstate->value); break;
+
+          case 'h': host = PORT_Strdup(optstate->value);	break;
+
+          case 'f':  clientSpeaksFirst = PR_TRUE;       break;
+
+          case 'd': certDir = PORT_Strdup(optstate->value);   break;
+
+	  case 'm':
+	    multiplier = atoi(optstate->value);
+	    if (multiplier < 0)
+	    	multiplier = 0;
+	    break;
+
+	  case 'n': nickname = PORT_Strdup(optstate->value);	break;
+
+	  case 'o': override = 1; 			break;
+
+	  case 'p': portno = (PRUint16)atoi(optstate->value);	break;
+
+	  case 'q': pingServerFirst = PR_TRUE;          break;
+
+	  case 's': disableLocking = 1;                 break;
+
+	  case 'u': enableSessionTickets = PR_TRUE;	break;
+
+	  case 'v': verbose++;	 			break;
+
+	  case 'r': renegotiate = atoi(optstate->value);	break;
+
+          case 'w':
+                pwdata.source = PW_PLAINTEXT;
+		pwdata.data = PORT_Strdup(optstate->value);
+		break;
+
+          case 'W':
+                pwdata.source = PW_FROMFILE;
+                pwdata.data = PORT_Strdup(optstate->value);
+                break;
+
+	  case 'x': useExportPolicy = 1; 		break;
+	}
+    }
+
+    PL_DestroyOptState(optstate);
+
+    if (optstatus == PL_OPT_BAD)
+	Usage(progName);
+
+    if (!host || !portno) 
+    	Usage(progName);
+
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /* open the cert DB, the key DB, and the secmod DB. */
+    if (!certDir) {
+	certDir = SECU_DefaultSSLDir();	/* Look in $SSL_DIR */
+	certDir = SECU_ConfigDirectory(certDir);
+    } else {
+	char *certDirTmp = certDir;
+	certDir = SECU_ConfigDirectory(certDirTmp);
+	PORT_Free(certDirTmp);
+    }
+    rv = NSS_Init(certDir);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "unable to open cert database");
+#if 0
+    rv = CERT_OpenVolatileCertDB(handle);
+	CERT_SetDefaultCertDB(handle);
+#else
+	return 1;
+#endif
+    }
+    handle = CERT_GetDefaultCertDB();
+
+    /* set the policy bits true for all the cipher suites. */
+    if (useExportPolicy)
+	NSS_SetExportPolicy();
+    else
+	NSS_SetDomesticPolicy();
+
+    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    if (cipherString) {
+	/* disable all the ciphers, then enable the ones we want. */
+	disableAllSSLCiphers();
+    }
+
+    status = PR_StringToNetAddr(host, &addr);
+    if (status == PR_SUCCESS) {
+    	addr.inet.port = PR_htons(portno);
+    } else {
+	/* Lookup host */
+	PRAddrInfo *addrInfo;
+	void       *enumPtr   = NULL;
+
+	addrInfo = PR_GetAddrInfoByName(host, PR_AF_UNSPEC, 
+	                                PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
+	if (!addrInfo) {
+	    SECU_PrintError(progName, "error looking up host");
+	    return 1;
+	}
+	do {
+	    enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, portno, &addr);
+	} while (enumPtr != NULL &&
+		 addr.raw.family != PR_AF_INET &&
+		 addr.raw.family != PR_AF_INET6);
+	PR_FreeAddrInfo(addrInfo);
+	if (enumPtr == NULL) {
+	    SECU_PrintError(progName, "error looking up host address");
+	    return 1;
+	}
+    }
+
+    printHostNameAndAddr(host, &addr);
+
+    if (pingServerFirst) {
+	int iter = 0;
+	PRErrorCode err;
+	do {
+	    s = PR_OpenTCPSocket(addr.raw.family);
+	    if (s == NULL) {
+		SECU_PrintError(progName, "Failed to create a TCP socket");
+	    }
+	    opt.option             = PR_SockOpt_Nonblocking;
+	    opt.value.non_blocking = PR_FALSE;
+	    prStatus = PR_SetSocketOption(s, &opt);
+	    if (prStatus != PR_SUCCESS) {
+		PR_Close(s);
+		SECU_PrintError(progName, 
+		                "Failed to set blocking socket option");
+		return 1;
+	    }
+	    prStatus = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
+	    if (prStatus == PR_SUCCESS) {
+    		PR_Shutdown(s, PR_SHUTDOWN_BOTH);
+    		PR_Close(s);
+               if (NSS_Shutdown() != SECSuccess) {
+                   exit(1);
+               }
+    		PR_Cleanup();
+		return 0;
+	    }
+	    err = PR_GetError();
+	    if ((err != PR_CONNECT_REFUSED_ERROR) && 
+	        (err != PR_CONNECT_RESET_ERROR)) {
+		SECU_PrintError(progName, "TCP Connection failed");
+		return 1;
+	    }
+	    PR_Close(s);
+	    PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL));
+	} while (++iter < MAX_WAIT_FOR_SERVER);
+	SECU_PrintError(progName, 
+                     "Client timed out while waiting for connection to server");
+	return 1;
+    }
+
+    /* Create socket */
+    s = PR_OpenTCPSocket(addr.raw.family);
+    if (s == NULL) {
+	SECU_PrintError(progName, "error creating socket");
+	return 1;
+    }
+
+    opt.option = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_TRUE;
+    PR_SetSocketOption(s, &opt);
+    /*PR_SetSocketOption(PR_GetSpecialFD(PR_StandardInput), &opt);*/
+
+    s = SSL_ImportFD(NULL, s);
+    if (s == NULL) {
+	SECU_PrintError(progName, "error importing socket");
+	return 1;
+    }
+
+    rv = SSL_OptionSet(s, SSL_SECURITY, 1);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "error enabling socket");
+	return 1;
+    }
+
+    rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling client handshake");
+	return 1;
+    }
+
+    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    if (cipherString) {
+    	char *cstringSaved = cipherString;
+    	int ndx;
+
+	while (0 != (ndx = *cipherString++)) {
+	    int  cipher;
+
+	    if (ndx == ':') {
+		int ctmp;
+
+		cipher = 0;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 12);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 8);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= (ctmp << 4);
+		cipherString++;
+		HEXCHAR_TO_INT(*cipherString, ctmp)
+		cipher |= ctmp;
+		cipherString++;
+	    } else {
+		const int *cptr;
+
+		if (! isalpha(ndx))
+		    Usage(progName);
+		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
+		    /* do nothing */;
+	    }
+	    if (cipher > 0) {
+		SECStatus status;
+		status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
+		if (status != SECSuccess) 
+		    SECU_PrintError(progName, "SSL_CipherPrefSet()");
+	    } else {
+		Usage(progName);
+	    }
+	}
+	PORT_Free(cstringSaved);
+    }
+
+    rv = SSL_OptionSet(s, SSL_ENABLE_SSL2, !disableSSL2);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling SSLv2 ");
+	return 1;
+    }
+
+    rv = SSL_OptionSet(s, SSL_ENABLE_SSL3, !disableSSL3);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling SSLv3 ");
+	return 1;
+    }
+
+    rv = SSL_OptionSet(s, SSL_ENABLE_TLS, !disableTLS);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling TLS ");
+	return 1;
+    }
+
+    /* disable ssl2 and ssl2-compatible client hellos. */
+    rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error disabling v2 compatibility");
+	return 1;
+    }
+
+    /* enable PKCS11 bypass */
+    rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling PKCS11 bypass");
+	return 1;
+    }
+
+    /* disable SSL socket locking */
+    rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error disabling SSL socket locking");
+	return 1;
+    }
+
+    /* enable Session Ticket extension. */
+    rv = SSL_OptionSet(s, SSL_ENABLE_SESSION_TICKETS, enableSessionTickets);
+    if (rv != SECSuccess) {
+	SECU_PrintError(progName, "error enabling Session Ticket extension");
+	return 1;
+    }
+
+    SSL_SetPKCS11PinArg(s, &pwdata);
+
+    SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
+    if (override) {
+	SSL_BadCertHook(s, ownBadCertHandler, NULL);
+    }
+    SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
+    SSL_HandshakeCallback(s, handshakeCallback, NULL);
+    SSL_SetURL(s, host);
+
+    /* Try to connect to the server */
+    status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
+    if (status != PR_SUCCESS) {
+	if (PR_GetError() == PR_IN_PROGRESS_ERROR) {
+	    if (verbose)
+		SECU_PrintError(progName, "connect");
+	    milliPause(50 * multiplier);
+	    pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+	    pollset[SSOCK_FD].out_flags = 0;
+	    pollset[SSOCK_FD].fd = s;
+	    while(1) {
+		FPRINTF(stderr, 
+		        "%s: about to call PR_Poll for connect completion!\n", 
+			progName);
+		filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
+		if (filesReady < 0) {
+		    SECU_PrintError(progName, "unable to connect (poll)");
+		    return 1;
+		}
+		FPRINTF(stderr,
+		        "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
+			progName, pollset[SSOCK_FD].out_flags);
+		if (filesReady == 0) {	/* shouldn't happen! */
+		    FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
+		    return 1;
+		}
+		/* Must milliPause between PR_Poll and PR_GetConnectStatus,
+		 * Or else winsock gets mighty confused.
+		 * Sleep(0);
+		 */
+		milliPause(1);
+		status = PR_GetConnectStatus(pollset);
+		if (status == PR_SUCCESS) {
+		    break;
+		}
+		if (PR_GetError() != PR_IN_PROGRESS_ERROR) {
+		    SECU_PrintError(progName, "unable to connect (poll)");
+		    return 1;
+		}
+		SECU_PrintError(progName, "poll");
+		milliPause(50 * multiplier);
+	    }
+	} else {
+	    SECU_PrintError(progName, "unable to connect");
+	    return 1;
+	}
+    }
+
+    pollset[SSOCK_FD].fd        = s;
+    pollset[SSOCK_FD].in_flags  = PR_POLL_EXCEPT |
+                                  (clientSpeaksFirst ? 0 : PR_POLL_READ);
+    pollset[STDIN_FD].fd        = PR_GetSpecialFD(PR_StandardInput);
+    pollset[STDIN_FD].in_flags  = PR_POLL_READ;
+    npds                 = 2;
+    std_out              = PR_GetSpecialFD(PR_StandardOutput);
+
+#if defined(WIN32) || defined(OS2)
+    /* PR_Poll cannot be used with stdin on Windows or OS/2.  (sigh). 
+    ** But use of PR_Poll and non-blocking sockets is a major feature
+    ** of this program.  So, we simulate a pollable stdin with a 
+    ** TCP socket pair and a  thread that reads stdin and writes to 
+    ** that socket pair.
+    */
+  {
+    PRFileDesc * fds[2];
+    PRThread *   thread;
+
+    int nspr_rv = PR_NewTCPSocketPair(fds);
+    if (nspr_rv != PR_SUCCESS) {
+        SECU_PrintError(progName, "PR_NewTCPSocketPair failed");
+	error = 1;
+	goto done;
+    }
+    pollset[STDIN_FD].fd = fds[1];
+
+    thread = PR_CreateThread(PR_USER_THREAD, thread_main, fds[0], 
+                             PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, 
+                             PR_UNJOINABLE_THREAD, 0);
+    if (!thread) {
+        SECU_PrintError(progName, "PR_CreateThread failed");
+	error = 1;
+	goto done;
+    }
+  }
+#endif
+
+    /*
+    ** Select on stdin and on the socket. Write data from stdin to
+    ** socket, read data from socket and write to stdout.
+    */
+    FPRINTF(stderr, "%s: ready...\n", progName);
+
+    while (pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) {
+	char buf[4000];	/* buffer for stdin */
+	int nb;		/* num bytes read from stdin. */
+
+	pollset[SSOCK_FD].out_flags = 0;
+	pollset[STDIN_FD].out_flags = 0;
+
+	FPRINTF(stderr, "%s: about to call PR_Poll !\n", progName);
+	filesReady = PR_Poll(pollset, npds, PR_INTERVAL_NO_TIMEOUT);
+	if (filesReady < 0) {
+	    SECU_PrintError(progName, "select failed");
+	    error = 1;
+	    goto done;
+	}
+	if (filesReady == 0) {	/* shouldn't happen! */
+	    FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
+	    return 1;
+	}
+	FPRINTF(stderr, "%s: PR_Poll returned!\n", progName);
+	if (pollset[STDIN_FD].in_flags) {
+	    FPRINTF(stderr,
+		    "%s: PR_Poll returned 0x%02x for stdin out_flags.\n",
+		    progName, pollset[STDIN_FD].out_flags);
+	}
+	if (pollset[SSOCK_FD].in_flags) {
+	    FPRINTF(stderr, 
+	            "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
+		    progName, pollset[SSOCK_FD].out_flags);
+	}
+	if (pollset[STDIN_FD].out_flags & PR_POLL_READ) {
+	    /* Read from stdin and write to socket */
+	    nb = PR_Read(pollset[STDIN_FD].fd, buf, sizeof(buf));
+	    FPRINTF(stderr, "%s: stdin read %d bytes\n", progName, nb);
+	    if (nb < 0) {
+		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    SECU_PrintError(progName, "read from stdin failed");
+	            error = 1;
+		    break;
+		}
+	    } else if (nb == 0) {
+		/* EOF on stdin, stop polling stdin for read. */
+		pollset[STDIN_FD].in_flags = 0;
+	    } else {
+		char * bufp = buf;
+		FPRINTF(stderr, "%s: Writing %d bytes to server\n", 
+		        progName, nb);
+		do {
+		    PRInt32 cc = PR_Send(s, bufp, nb, 0, maxInterval);
+		    if (cc < 0) {
+		    	PRErrorCode err = PR_GetError();
+			if (err != PR_WOULD_BLOCK_ERROR) {
+			    SECU_PrintError(progName, 
+			                    "write to SSL socket failed");
+			    error = 254;
+			    goto done;
+			}
+			cc = 0;
+		    }
+		    bufp += cc;
+		    nb   -= cc;
+		    if (nb <= 0) 
+		    	break;
+		    pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+		    pollset[SSOCK_FD].out_flags = 0;
+		    FPRINTF(stderr,
+		            "%s: about to call PR_Poll on writable socket !\n", 
+			    progName);
+		    cc = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
+		    FPRINTF(stderr,
+		            "%s: PR_Poll returned with writable socket !\n", 
+			    progName);
+		} while (1);
+		pollset[SSOCK_FD].in_flags  = PR_POLL_READ;
+	    }
+	}
+
+	if (pollset[SSOCK_FD].in_flags) {
+	    FPRINTF(stderr, 
+	            "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
+		    progName, pollset[SSOCK_FD].out_flags);
+	}
+	if (   (pollset[SSOCK_FD].out_flags & PR_POLL_READ) 
+	    || (pollset[SSOCK_FD].out_flags & PR_POLL_ERR)  
+#ifdef PR_POLL_HUP
+	    || (pollset[SSOCK_FD].out_flags & PR_POLL_HUP)
+#endif
+	    ) {
+	    /* Read from socket and write to stdout */
+	    nb = PR_Recv(pollset[SSOCK_FD].fd, buf, sizeof buf, 0, maxInterval);
+	    FPRINTF(stderr, "%s: Read from server %d bytes\n", progName, nb);
+	    if (nb < 0) {
+		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    SECU_PrintError(progName, "read from socket failed");
+		    error = 1;
+		    goto done;
+	    	}
+	    } else if (nb == 0) {
+		/* EOF from socket... stop polling socket for read */
+		pollset[SSOCK_FD].in_flags = 0;
+	    } else {
+		if (skipProtoHeader != PR_TRUE || wrStarted == PR_TRUE) {
+		    PR_Write(std_out, buf, nb);
+		} else {
+		    separateReqHeader(std_out, buf, nb, &wrStarted,
+		                      &headerSeparatorPtrnId);
+		}
+		if (verbose)
+		    fputs("\n\n", stderr);
+	    }
+	}
+	milliPause(50 * multiplier);
+    }
+
+  done:
+    if (nickname) {
+        PORT_Free(nickname);
+    }
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
+    }
+    PORT_Free(host);
+
+    PR_Close(s);
+    SSL_ClearSessionCache();
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    FPRINTF(stderr, "tstclnt: exiting with return code %d\n", error);
+    PR_Cleanup();
+    return error;
+}
diff --git a/security/nss/cmd/vfychain/Makefile b/security/nss/cmd/vfychain/Makefile
new file mode 100644
index 000000000..297114522
--- /dev/null
+++ b/security/nss/cmd/vfychain/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include ../platlibs.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/vfychain/manifest.mn b/security/nss/cmd/vfychain/manifest.mn
new file mode 100644
index 000000000..981d55bb8
--- /dev/null
+++ b/security/nss/cmd/vfychain/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd 
+
+# DIRS = 
+
+CSRCS	= vfychain.c  
+DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
+
+PROGRAM	= vfychain
+
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
new file mode 100644
index 000000000..b2f52a475
--- /dev/null
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -0,0 +1,578 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/****************************************************************************
+ *  Read in a cert chain from one or more files, and verify the chain for
+ *  some usage.
+ *                                                                          *
+ *  This code was modified from other code also kept in the NSS directory.
+ ****************************************************************************/ 
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "prerror.h"
+
+#include "pk11func.h"
+#include "seccomon.h"
+#include "secutil.h"
+#include "secmod.h"
+#include "secitem.h"
+#include "cert.h"
+#include "ocsp.h"
+
+
+/* #include <stdlib.h> */
+/* #include <errno.h> */
+/* #include <fcntl.h> */
+/* #include <stdarg.h> */
+
+#include "nspr.h"
+#include "plgetopt.h"
+#include "prio.h"
+#include "nss.h"
+
+/* #include "vfyutil.h" */
+
+#define RD_BUF_SIZE (60 * 1024)
+
+int verbose;
+
+secuPWData  pwdata          = { PW_NONE, 0 };
+
+static void
+Usage(const char *progName)
+{
+    fprintf(stderr, 
+	"Usage: %s [options] certfile [[options] certfile] ...\n"
+	"\tWhere options are:\n"
+	"\t-a\t\t Following certfile is base64 encoded\n"
+	"\t-b YYMMDDHHMMZ\t Validate date (default: now)\n"
+	"\t-d directory\t Database directory\n"
+	"\t-f \t\t Enable cert fetching from AIA URL\n"
+	"\t-o oid\t\t Set policy OID for cert validation(Format OID.1.2.3)\n"
+	"\t-p \t\t Use PKIX Library to validate certificate by calling:\n"
+	"\t\t\t   * CERT_VerifyCertificate if specified once,\n"
+	"\t\t\t   * CERT_PKIXVerifyCert if specified twice and more.\n"
+	"\t-r\t\t Following certfile is raw binary DER (default)\n"
+        "\t-s\t\t Status checking, following a configuration description.\n"
+        "\t\t\t Implemented as of today are:\n"
+        "\t\t\t   * allow-crl (default)\n"
+        "\t\t\t   * allow-crl-and-ocsp\n"
+        "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
+	"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
+	"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
+	"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+	"\t-v\t\t Verbose mode. Prints root cert subject(double the\n"
+	"\t\t\t argument for whole root cert info)\n"
+	"\t-w password\t Database password.\n",
+	"\t-W pwfile\t Password file.\n",
+	progName);
+    exit(1);
+}
+
+/**************************************************************************
+** 
+** Error and information routines.
+**
+**************************************************************************/
+
+void
+errWarn(char *function)
+{
+    PRErrorCode  errorNumber = PR_GetError();
+    const char * errorString = SECU_Strerror(errorNumber);
+
+    fprintf(stderr, "Error in function %s: %d\n - %s\n",
+		    function, errorNumber, errorString);
+}
+
+void
+exitErr(char *function)
+{
+    errWarn(function);
+    /* Exit gracefully. */
+    /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
+    (void) NSS_Shutdown();
+    PR_Cleanup();
+    exit(1);
+}
+
+typedef struct certMemStr {
+    struct certMemStr * next;
+    CERTCertificate * cert;
+} certMem;
+
+certMem * theCerts;
+CERTCertList *trustedCertList;
+
+void
+rememberCert(CERTCertificate * cert, PRBool trusted)
+{
+    if (trusted) {
+        if (!trustedCertList) {
+            trustedCertList = CERT_NewCertList();
+        }
+        CERT_AddCertToListTail(trustedCertList, cert);
+    } else {
+        certMem * newCertMem = PORT_ZNew(certMem);
+        if (newCertMem) {
+            newCertMem->next = theCerts;
+            newCertMem->cert = cert;
+            theCerts = newCertMem;
+        }
+    }
+}
+
+void
+forgetCerts(void)
+{
+    certMem * oldCertMem;
+    while (theCerts) {
+	oldCertMem = theCerts;
+    	theCerts = theCerts->next;
+	CERT_DestroyCertificate(oldCertMem->cert);
+	PORT_Free(oldCertMem);
+    }
+    if (trustedCertList) {
+        CERT_DestroyCertList(trustedCertList);
+    }
+}
+
+
+CERTCertificate *
+getCert(const char *name, PRBool isAscii, const char * progName)
+{
+    CERTCertificate * cert;
+    CERTCertDBHandle *defaultDB;
+    PRFileDesc*     fd;
+    SECStatus       rv;
+    SECItem         item        = {0, NULL, 0};
+
+    defaultDB = CERT_GetDefaultCertDB();
+
+    /* First, let's try to find the cert in existing DB. */
+    cert = CERT_FindCertByNicknameOrEmailAddr(defaultDB, name);
+    if (cert) {
+        return cert;
+    }
+
+    /* Don't have a cert with name "name" in the DB. Try to
+     * open a file with such name and get the cert from there.*/
+    fd = PR_Open(name, PR_RDONLY, 0777); 
+    if (!fd) {
+	PRIntn err = PR_GetError();
+    	fprintf(stderr, "open of %s failed, %d = %s\n", 
+	        name, err, SECU_Strerror(err));
+	return cert;
+    }
+
+    rv = SECU_ReadDERFromFile(&item, fd, isAscii);
+    PR_Close(fd);
+    if (rv != SECSuccess) {
+	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
+	return cert;
+    }
+
+    if (!item.len) { /* file was empty */
+	fprintf(stderr, "cert file %s was empty.\n", name);
+	return cert;
+    }
+
+    cert = CERT_NewTempCertificate(defaultDB, &item, 
+                                   NULL     /* nickname */, 
+                                   PR_FALSE /* isPerm */, 
+				   PR_TRUE  /* copyDER */);
+    if (!cert) {
+	PRIntn err = PR_GetError();
+	fprintf(stderr, "couldn't import %s, %d = %s\n",
+	        name, err, SECU_Strerror(err));
+    }
+    PORT_Free(item.data);
+    return cert;
+}
+
+#define REVCONFIG_ALLOW_CRL "allow-crl"
+#define REVCONFIG_ALLOW_CRL_OCSP "allow-crl-and-ocsp"
+
+PRBool
+isAllowedRevConfig(const char *name)
+{
+    if (strcmp(REVCONFIG_ALLOW_CRL, name) == 0)
+        return PR_TRUE;
+
+    if (strcmp(REVCONFIG_ALLOW_CRL_OCSP, name) == 0)
+        return PR_TRUE;
+
+    return PR_FALSE;
+}
+
+int
+main(int argc, char *argv[], char *envp[])
+{
+    char *               certDir      = NULL;
+    char *               progName     = NULL;
+    char *               oidStr       = NULL;
+    CERTCertificate *    cert;
+    CERTCertificate *    firstCert    = NULL;
+    CERTCertificate *    issuerCert   = NULL;
+    CERTCertDBHandle *   defaultDB    = NULL;
+    PRBool               isAscii      = PR_FALSE;
+    PRBool               trusted      = PR_FALSE;
+    SECStatus            secStatus;
+    SECCertificateUsage  certUsage    = certificateUsageSSLServer;
+    PLOptState *         optstate;
+    PRTime               time         = 0;
+    PLOptStatus          status;
+    int                  usePkix      = 0;
+    int                  rv           = 1;
+    int                  usage;
+    CERTVerifyLog        log;
+    CERTCertList        *builtChain = NULL;
+    char *               revConfig    = NULL;
+    PRBool               certFetching = PR_FALSE;
+
+    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+    progName = PL_strdup(argv[0]);
+
+    optstate = PL_CreateOptState(argc, argv, "ab:d:fo:prs:tu:vw:W:");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch(optstate->option) {
+	case  0  : /* positional parameter */  goto breakout;
+	case 'a' : isAscii  = PR_TRUE;                        break;
+	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+	           if (secStatus != SECSuccess) Usage(progName); break;
+	case 'd' : certDir  = PL_strdup(optstate->value);     break;
+	case 'f' : certFetching = PR_TRUE;                    break;
+	case 'o' : oidStr = PL_strdup(optstate->value);       break;
+	case 'p' : usePkix += 1;                              break;
+	case 'r' : isAscii  = PR_FALSE;                       break;
+	case 's' : revConfig  = PL_strdup(optstate->value);   break;
+	case 't' : trusted  = PR_TRUE;                        break;
+	case 'u' : usage    = PORT_Atoi(optstate->value);
+	           if (usage < 0 || usage > 62) Usage(progName);
+		   certUsage = ((SECCertificateUsage)1) << usage; 
+		   if (certUsage > certificateUsageHighest) Usage(progName);
+		   break;
+        case 'w':
+                  pwdata.source = PW_PLAINTEXT;
+                  pwdata.data = PORT_Strdup(optstate->value);
+                  break;
+
+        case 'W':
+                  pwdata.source = PW_FROMFILE;
+                  pwdata.data = PORT_Strdup(optstate->value);
+                  break;
+	case 'v' : verbose++;                                 break;
+	default  : Usage(progName);                           break;
+	}
+    }
+breakout:
+    if (status != PL_OPT_OK)
+	Usage(progName);
+
+    if (usePkix < 2) {
+        if (oidStr) {
+            fprintf(stderr, "Policy oid(-o) can be used only with"
+                    " CERT_PKIXVerifyChain(-pp) function.\n");
+            Usage(progName);
+        }
+        if (trusted) {
+            fprintf(stderr, "Cert trust flag can be used only with"
+                    " CERT_PKIXVerifyChain(-pp) function.\n");
+            Usage(progName);
+        }
+    }
+
+    if (revConfig && !isAllowedRevConfig(revConfig)) {
+        fprintf(stderr, "Invalid revocation configuration specified.\n");
+        goto punt;
+    }
+
+    /* Set our password function callback. */
+    PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+    /* Initialize the NSS libraries. */
+    if (certDir) {
+	secStatus = NSS_Init(certDir);
+    } else {
+	secStatus = NSS_NoDB_Init(NULL);
+
+	/* load the builtins */
+	SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
+    }
+    if (secStatus != SECSuccess) {
+	exitErr("NSS_Init");
+    }
+    SECU_RegisterDynamicOids();
+    if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) {
+        CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+        CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
+    }
+
+    while (status == PL_OPT_OK) {
+	switch(optstate->option) {
+	default  : Usage(progName);                           break;
+	case 'a' : isAscii  = PR_TRUE;                        break;
+	case 'r' : isAscii  = PR_FALSE;                       break;
+	case 't' : trusted  = PR_TRUE;                       break;
+	case  0  : /* positional parameter */
+            if (usePkix < 2 && trusted) {
+                fprintf(stderr, "Cert trust flag can be used only with"
+                        " CERT_PKIXVerifyChain(-pp) function.\n");
+                Usage(progName);
+            }
+	    cert = getCert(optstate->value, isAscii, progName);
+	    if (!cert) 
+	        goto punt;
+	    rememberCert(cert, trusted);
+	    if (!firstCert)
+	        firstCert = cert;
+            trusted = PR_FALSE;
+	}
+        status = PL_GetNextOpt(optstate);
+    }
+    PL_DestroyOptState(optstate);
+    if (status == PL_OPT_BAD || !firstCert)
+	Usage(progName);
+
+    if (!time)
+    	time = PR_Now();
+
+    /* Initialize log structure */
+    log.arena = PORT_NewArena(512);
+    log.head = log.tail = NULL;
+    log.count = 0;
+
+    if (usePkix < 2) {
+        /* NOW, verify the cert chain. */
+        if (usePkix) {
+            /* Use old API with libpkix validation lib */
+            CERT_SetUsePKIXForValidation(PR_TRUE);
+        }
+        defaultDB = CERT_GetDefaultCertDB();
+        secStatus = CERT_VerifyCertificate(defaultDB, firstCert, 
+                                           PR_TRUE /* check sig */,
+                                           certUsage, 
+                                           time, 
+                                           &pwdata, /* wincx  */
+                                           &log, /* error log */
+                                           NULL);/* returned usages */
+    } else do {
+        static CERTValOutParam cvout[4];
+        static CERTValInParam cvin[6];
+        SECOidTag oidTag;
+        int inParamIndex = 0;
+        static CERTRevocationFlags rev;
+        static PRUint64 revFlags[2];
+
+        if (oidStr) {
+            PRArenaPool *arena;
+            SECOidData od;
+            memset(&od, 0, sizeof od);
+            od.offset = SEC_OID_UNKNOWN;
+            od.desc = "User Defined Policy OID";
+            od.mechanism = CKM_INVALID_MECHANISM;
+            od.supportedExtension = INVALID_CERT_EXTENSION;
+
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if ( !arena ) {
+                fprintf(stderr, "out of memory");
+                goto punt;
+            }
+            
+            secStatus = SEC_StringToOID(arena, &od.oid, oidStr, 0);
+            if (secStatus != SECSuccess) {
+                PORT_FreeArena(arena, PR_FALSE);
+                fprintf(stderr, "Can not encode oid: %s(%s)\n", oidStr,
+                        SECU_Strerror(PORT_GetError()));
+                break;
+            }
+            
+            oidTag = SECOID_AddEntry(&od);
+            PORT_FreeArena(arena, PR_FALSE);
+            if (oidTag == SEC_OID_UNKNOWN) {
+                fprintf(stderr, "Can not add new oid to the dynamic "
+                        "table: %s\n", oidStr);
+                secStatus = SECFailure;
+                break;
+            }
+
+            cvin[inParamIndex].type = cert_pi_policyOID;
+            cvin[inParamIndex].value.arraySize = 1;
+            cvin[inParamIndex].value.array.oids = &oidTag;
+
+            inParamIndex++;
+        }
+
+        if (trustedCertList) {
+            cvin[inParamIndex].type = cert_pi_trustAnchors;
+            cvin[inParamIndex].value.pointer.chain = trustedCertList;
+            
+            inParamIndex++;
+        }
+
+        cvin[inParamIndex].type = cert_pi_useAIACertFetch;
+        cvin[inParamIndex].value.scalar.b = certFetching;
+        inParamIndex++;
+
+        cvin[inParamIndex].type = cert_pi_date;
+        cvin[inParamIndex].value.scalar.time = time;
+        inParamIndex++;
+
+        revFlags[cert_revocation_method_crl] = 
+            CERT_REV_M_TEST_USING_THIS_METHOD;
+        rev.leafTests.number_of_defined_methods = 
+            cert_revocation_method_crl +1;
+        rev.chainTests.number_of_defined_methods = 
+            cert_revocation_method_crl +1;
+
+        if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) {
+            revFlags[cert_revocation_method_ocsp] = 
+                CERT_REV_M_TEST_USING_THIS_METHOD;
+            rev.leafTests.number_of_defined_methods = 
+                cert_revocation_method_ocsp +1;
+            rev.chainTests.number_of_defined_methods = 
+                cert_revocation_method_ocsp +1;
+        }
+
+        rev.leafTests.cert_rev_flags_per_method = revFlags;
+        rev.leafTests.number_of_preferred_methods = 0;
+        rev.leafTests.preferred_methods = 0;
+        rev.leafTests.cert_rev_method_independent_flags = 0;
+      
+        rev.chainTests.cert_rev_flags_per_method = revFlags;
+        rev.chainTests.number_of_preferred_methods = 0;
+        rev.chainTests.preferred_methods = 0;
+        rev.chainTests.cert_rev_method_independent_flags = 0;
+
+        cvin[inParamIndex].type = cert_pi_revocationFlags;
+        cvin[inParamIndex].value.pointer.revocation = &rev;
+	inParamIndex++;
+
+        cvin[inParamIndex].type = cert_pi_end;
+        
+        cvout[0].type = cert_po_trustAnchor;
+        cvout[0].value.pointer.cert = NULL;
+        cvout[1].type = cert_po_certList;
+        cvout[1].value.pointer.chain = NULL;
+
+        /* setting pointer to CERTVerifyLog. Initialized structure
+         * will be used CERT_PKIXVerifyCert */
+        cvout[2].type = cert_po_errorLog;
+        cvout[2].value.pointer.log = &log;
+
+        cvout[3].type = cert_po_end;
+        
+        secStatus = CERT_PKIXVerifyCert(firstCert, certUsage,
+                                        cvin, cvout, &pwdata);
+        if (secStatus != SECSuccess) {
+            break;
+        }
+        issuerCert = cvout[0].value.pointer.cert;
+        builtChain = cvout[1].value.pointer.chain;
+    } while (0);
+
+    /* Display validation results */
+    if (secStatus != SECSuccess || log.count > 0) {
+	CERTVerifyLogNode *node = NULL;
+	PRIntn err = PR_GetError();
+	fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err));
+
+	SECU_displayVerifyLog(stderr, &log, verbose); 
+	/* Have cert refs in the log only in case of failure.
+	 * Destroy them. */
+	for (node = log.head; node; node = node->next) {
+	    if (node->cert)
+	        CERT_DestroyCertificate(node->cert);
+	}
+    	rv = 1;
+    } else {
+    	fprintf(stderr, "Chain is good!\n");
+    	if (issuerCert) {
+    	   if (verbose > 1) {
+               rv = SEC_PrintCertificateAndTrust(issuerCert, "Root Certificate",
+                                                 NULL);
+               if (rv != SECSuccess) {
+		 SECU_PrintError(progName, "problem printing certificate");
+               }
+    	   } else if (verbose > 0) {
+    	      SECU_PrintName(stdout, &issuerCert->subject, "Root "
+                             "Certificate Subject:", 0);
+    	   }
+    	   CERT_DestroyCertificate(issuerCert);
+    	}
+         if (builtChain) {
+            CERTCertListNode *node;
+            int count = 0;
+            char buff[256];
+
+            if (verbose) { 
+                for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain);
+                    node = CERT_LIST_NEXT(node), count++ ) {
+                    sprintf(buff, "Certificate %d Subject", count + 1);
+                    SECU_PrintName(stdout, &node->cert->subject, buff, 0);
+                }
+            }
+            CERT_DestroyCertList(builtChain);
+         }
+	rv = 0;
+    }
+
+    /* Need to destroy CERTVerifyLog arena at the end */
+    PORT_FreeArena(log.arena, PR_FALSE);
+
+punt:
+    forgetCerts();
+    if (NSS_Shutdown() != SECSuccess) {
+	SECU_PrintError(progName, "NSS_Shutdown");
+	rv = 1;
+    }
+    PORT_Free(progName);
+    PORT_Free(certDir);
+    PORT_Free(oidStr);
+    PORT_Free(revConfig);
+    if (pwdata.data) {
+        PORT_Free(pwdata.data);
+    }
+    PR_Cleanup();
+    return rv;
+}
diff --git a/security/nss/cmd/vfyserv/Makefile b/security/nss/cmd/vfyserv/Makefile
new file mode 100644
index 000000000..297114522
--- /dev/null
+++ b/security/nss/cmd/vfyserv/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include ../platlibs.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/vfyserv/manifest.mn b/security/nss/cmd/vfyserv/manifest.mn
new file mode 100644
index 000000000..eb9c5bd32
--- /dev/null
+++ b/security/nss/cmd/vfyserv/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd dbm 
+
+# DIRS = 
+
+CSRCS	= vfyserv.c  vfyutil.c
+DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
+
+PROGRAM	= vfyserv
+
diff --git a/security/nss/cmd/vfyserv/vfyserv.c b/security/nss/cmd/vfyserv/vfyserv.c
new file mode 100644
index 000000000..84ee69eef
--- /dev/null
+++ b/security/nss/cmd/vfyserv/vfyserv.c
@@ -0,0 +1,594 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/****************************************************************************
+ *  SSL client program that tests  a server for proper operation of SSL2,   *
+ *  SSL3, and TLS. Test propder certificate installation.                   *
+ *                                                                          *
+ *  This code was modified from the SSLSample code also kept in the NSS     *
+ *  directory.                                                              *
+ ****************************************************************************/ 
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#include "prerror.h"
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "secitem.h"
+
+
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+
+#include "nspr.h"
+#include "plgetopt.h"
+#include "prio.h"
+#include "prnetdb.h"
+#include "nss.h"
+#include "secutil.h"
+#include "ocsp.h"
+
+#include "vfyserv.h"
+
+#define RD_BUF_SIZE (60 * 1024)
+
+extern int ssl2CipherSuites[];
+extern int ssl3CipherSuites[];
+
+GlobalThreadMgr threadMGR;
+char *certNickname = NULL;
+char *hostName = NULL;
+secuPWData  pwdata          = { PW_NONE, 0 };
+unsigned short port = 0;
+PRBool dumpChain;
+
+static void
+Usage(const char *progName)
+{
+    PRFileDesc *pr_stderr;
+
+    pr_stderr = PR_STDERR;
+
+    PR_fprintf(pr_stderr, "Usage:\n"
+               "   %s  [-c ] [-o] [-p port] [-d dbdir] [-w password] [-f pwfile]\n"
+               "   \t\t[-C cipher(s)]  [-l <url> -t <nickname> ] hostname",
+               progName);
+    PR_fprintf (pr_stderr, "\nWhere:\n");
+    PR_fprintf (pr_stderr,
+                "  %-13s dump server cert chain into files\n",
+                "-c");
+    PR_fprintf (pr_stderr,
+                "  %-13s perform server cert OCSP check\n",
+                "-o");
+    PR_fprintf (pr_stderr,
+                "  %-13s server port to be used\n",
+                "-p");
+    PR_fprintf (pr_stderr,
+                "  %-13s use security databases in \"dbdir\"\n",
+                "-d dbdir");
+    PR_fprintf (pr_stderr,
+                "  %-13s key database password\n",
+                "-w password");
+    PR_fprintf (pr_stderr,
+                "  %-13s token password file\n",
+                "-f pwfile");
+    PR_fprintf (pr_stderr,
+                "  %-13s communication cipher list\n",
+                "-C cipher(s)");
+    PR_fprintf (pr_stderr,
+                "  %-13s OCSP responder location. This location is used to\n"
+                "  %-13s check  status  of a server  certificate.  If  not \n"
+                "  %-13s specified, location  will  be taken  from the AIA\n"
+                "  %-13s server certificate extension.\n",
+                "-l url", "", "", "");
+    PR_fprintf (pr_stderr,
+                "  %-13s OCSP Trusted Responder Cert nickname\n\n",
+                "-t nickname");
+
+	exit(1);
+}
+
+PRFileDesc *
+setupSSLSocket(PRNetAddr *addr)
+{
+	PRFileDesc         *tcpSocket;
+	PRFileDesc         *sslSocket;
+	PRSocketOptionData	socketOption;
+	PRStatus            prStatus;
+	SECStatus           secStatus;
+
+
+	tcpSocket = PR_NewTCPSocket();
+	if (tcpSocket == NULL) {
+		errWarn("PR_NewTCPSocket");
+	}
+
+	/* Make the socket blocking. */
+	socketOption.option	            = PR_SockOpt_Nonblocking;
+	socketOption.value.non_blocking = PR_FALSE;
+
+	prStatus = PR_SetSocketOption(tcpSocket, &socketOption);
+	if (prStatus != PR_SUCCESS) {
+		errWarn("PR_SetSocketOption");
+		goto loser;
+	} 
+
+
+	/* Import the socket into the SSL layer. */
+	sslSocket = SSL_ImportFD(NULL, tcpSocket);
+	if (!sslSocket) {
+		errWarn("SSL_ImportFD");
+		goto loser;
+	}
+
+	/* Set configuration options. */
+	secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_OptionSet:SSL_SECURITY");
+		goto loser;
+	}
+
+	secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
+		goto loser;
+	}
+
+	/* Set SSL callback routines. */
+	secStatus = SSL_GetClientAuthDataHook(sslSocket,
+	                          (SSLGetClientAuthData)myGetClientAuthData,
+	                          (void *)certNickname);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_GetClientAuthDataHook");
+		goto loser;
+	}
+
+	secStatus = SSL_AuthCertificateHook(sslSocket,
+	                                   (SSLAuthCertificate)myAuthCertificate,
+                                       (void *)CERT_GetDefaultCertDB());
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_AuthCertificateHook");
+		goto loser;
+	}
+
+	secStatus = SSL_BadCertHook(sslSocket, 
+	                           (SSLBadCertHandler)myBadCertHandler, NULL);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_BadCertHook");
+		goto loser;
+	}
+
+	secStatus = SSL_HandshakeCallback(sslSocket, 
+	                                  myHandshakeCallback,
+	                                  NULL);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_HandshakeCallback");
+		goto loser;
+	}
+
+	return sslSocket;
+
+loser:
+
+	PR_Close(tcpSocket);
+	return NULL;
+}
+
+
+const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
+
+SECStatus
+handle_connection(PRFileDesc *sslSocket, int connection)
+{
+	int	countRead = 0;
+	PRInt32  numBytes;
+	char    *readBuffer;
+
+	readBuffer = PORT_Alloc(RD_BUF_SIZE);
+	if (!readBuffer) {
+		exitErr("PORT_Alloc");
+	}
+
+	/* compose the http request here. */
+
+	numBytes = PR_Write(sslSocket, requestString, strlen(requestString));
+	if (numBytes <= 0) {
+		errWarn("PR_Write");
+		PR_Free(readBuffer);
+		readBuffer = NULL;
+		return SECFailure;
+	}
+
+	/* read until EOF */
+	while (PR_TRUE) {
+		numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE);
+		if (numBytes == 0) {
+			break;	/* EOF */
+		}
+		if (numBytes < 0) {
+			errWarn("PR_Read");
+			break;
+		}
+		countRead += numBytes;
+	}
+
+	printSecurityInfo(stderr, sslSocket);
+	
+	PR_Free(readBuffer);
+	readBuffer = NULL;
+
+	/* Caller closes the socket. */
+
+	fprintf(stderr, 
+	        "***** Connection %d read %d bytes total.\n", 
+	        connection, countRead);
+
+	return SECSuccess;	/* success */
+}
+
+#define BYTE(n,i) (((i)>>((n)*8))&0xff)
+
+/* one copy of this function is launched in a separate thread for each
+** connection to be made.
+*/
+SECStatus
+do_connects(void *a, int connection)
+{
+	PRNetAddr  *addr = (PRNetAddr *)a;
+	PRFileDesc *sslSocket;
+	PRHostEnt   hostEntry;
+	char        buffer[PR_NETDB_BUF_SIZE];
+	PRStatus    prStatus;
+	PRIntn      hostenum;
+	PRInt32    ip;
+	SECStatus   secStatus;
+
+	/* Set up SSL secure socket. */
+	sslSocket = setupSSLSocket(addr);
+	if (sslSocket == NULL) {
+		errWarn("setupSSLSocket");
+		return SECFailure;
+	}
+
+	secStatus = SSL_SetPKCS11PinArg(sslSocket, &pwdata);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_SetPKCS11PinArg");
+		return secStatus;
+	}
+
+	secStatus = SSL_SetURL(sslSocket, hostName);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_SetURL");
+		return secStatus;
+	}
+
+	/* Prepare and setup network connection. */
+	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
+	if (prStatus != PR_SUCCESS) {
+		errWarn("PR_GetHostByName");
+		return SECFailure;
+	}
+
+	hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
+	if (hostenum == -1) {
+		errWarn("PR_EnumerateHostEnt");
+		return SECFailure;
+	}
+
+ 	ip = PR_ntohl(addr->inet.ip);
+	fprintf(stderr,
+	 	"Connecting to host %s (addr %d.%d.%d.%d) on port %d\n",
+			hostName, BYTE(3,ip), BYTE(2,ip), BYTE(1,ip), 
+			BYTE(0,ip), PR_ntohs(addr->inet.port)); 
+
+	prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
+	if (prStatus != PR_SUCCESS) {
+		errWarn("PR_Connect");
+		return SECFailure;
+	}
+
+	/* Established SSL connection, ready to send data. */
+#if 0
+	secStatus = SSL_ForceHandshake(sslSocket);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_ForceHandshake");
+		return secStatus;
+	}
+#endif
+
+	secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
+	if (secStatus != SECSuccess) {
+		errWarn("SSL_ResetHandshake");
+		prStatus = PR_Close(sslSocket);
+		if (prStatus != PR_SUCCESS) {
+			errWarn("PR_Close");
+		}
+		return secStatus;
+	}
+
+	secStatus = handle_connection(sslSocket, connection);
+	if (secStatus != SECSuccess) {
+		/* error already printed out in handle_connection */
+		/* errWarn("handle_connection"); */
+		prStatus = PR_Close(sslSocket);
+		if (prStatus != PR_SUCCESS) {
+			errWarn("PR_Close");
+		}
+		return secStatus;
+	}
+
+	PR_Close(sslSocket);
+	return SECSuccess;
+}
+
+void
+client_main(unsigned short      port, 
+            int	                connections, 
+            const char *        hostName)
+{
+	int			i;
+	SECStatus	secStatus;
+	PRStatus    prStatus;
+	PRInt32     rv;
+	PRNetAddr	addr;
+	PRHostEnt   hostEntry;
+	char        buffer[PR_NETDB_BUF_SIZE];
+
+	/* Setup network connection. */
+	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
+	if (prStatus != PR_SUCCESS) {
+		exitErr("PR_GetHostByName");
+	}
+
+	rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr);
+	if (rv < 0) {
+		exitErr("PR_EnumerateHostEnt");
+	}
+
+	secStatus = launch_thread(&threadMGR, do_connects, &addr, 1);
+	if (secStatus != SECSuccess) {
+		exitErr("launch_thread");
+	}
+
+	if (connections > 1) {
+		/* wait for the first connection to terminate, then launch the rest. */
+		reap_threads(&threadMGR);
+		/* Start up the connections */
+		for (i = 2; i <= connections; ++i) {
+			secStatus = launch_thread(&threadMGR, do_connects, &addr, i);
+			if (secStatus != SECSuccess) {
+				errWarn("launch_thread");
+			}
+		}
+	}
+
+	reap_threads(&threadMGR);
+	destroy_thread_data(&threadMGR);
+}
+
+#define HEXCHAR_TO_INT(c, i) \
+    if (((c) >= '0') && ((c) <= '9')) { \
+	i = (c) - '0'; \
+    } else if (((c) >= 'a') && ((c) <= 'f')) { \
+	i = (c) - 'a' + 10; \
+    } else if (((c) >= 'A') && ((c) <= 'F')) { \
+	i = (c) - 'A' + 10; \
+    } else { \
+	Usage(progName); \
+    }
+
+int
+main(int argc, char **argv)
+{
+	char *               certDir = NULL;
+	char *               progName     = NULL;
+	int                  connections  = 1;
+	char *               cipherString = NULL;
+	char *               respUrl = NULL;
+	char *               respCertName = NULL;
+	SECStatus            secStatus;
+	PLOptState *         optstate;
+	PLOptStatus          status;
+	PRBool               doOcspCheck = PR_FALSE;
+
+	/* Call the NSPR initialization routines */
+	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+
+	progName = PORT_Strdup(argv[0]);
+
+	hostName = NULL;
+	optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
+	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+		switch(optstate->option) {
+		case 'C' : cipherString = PL_strdup(optstate->value); break;
+ 		case 'c' : dumpChain = PR_TRUE;                       break;
+		case 'd' : certDir = PL_strdup(optstate->value);      break;
+		case 'l' : respUrl = PL_strdup(optstate->value);      break;
+		case 'p' : port = PORT_Atoi(optstate->value);         break;
+		case 'o' : doOcspCheck = PR_TRUE;                     break;
+		case 't' : respCertName = PL_strdup(optstate->value); break;
+                case 'w':
+                           pwdata.source = PW_PLAINTEXT;
+                           pwdata.data = PORT_Strdup(optstate->value);
+                           break;
+
+                case 'f':
+                           pwdata.source = PW_FROMFILE;
+                           pwdata.data = PORT_Strdup(optstate->value);
+                           break;
+		case '\0': hostName = PL_strdup(optstate->value);     break;
+		default  : Usage(progName);
+		}
+	}
+
+	if (port == 0) {
+		port = 443;
+	}
+
+	if (port == 0 || hostName == NULL)
+		Usage(progName);
+
+        if (doOcspCheck &&
+            ((respCertName != NULL && respUrl == NULL) ||
+             (respUrl != NULL && respCertName == NULL))) {
+	    SECU_PrintError (progName, "options -l <url> and -t "
+	                     "<responder> must be used together");
+	    Usage(progName);
+        }
+    
+	PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+	/* Initialize the NSS libraries. */
+	if (certDir) {
+	    secStatus = NSS_Init(certDir);
+	} else {
+	    secStatus = NSS_NoDB_Init(NULL);
+
+	    /* load the builtins */
+	    SECMOD_AddNewModule("Builtins",
+				DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
+	}
+	if (secStatus != SECSuccess) {
+		exitErr("NSS_Init");
+	}
+	SECU_RegisterDynamicOids();
+
+	if (doOcspCheck == PR_TRUE) {
+            SECStatus rv;
+            CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
+            if (handle == NULL) {
+                SECU_PrintError (progName, "problem getting certdb handle");
+                goto cleanup;
+            }
+            
+            rv = CERT_EnableOCSPChecking (handle);
+            if (rv != SECSuccess) {
+                SECU_PrintError (progName, "error enabling OCSP checking");
+                goto cleanup;
+            }
+
+            if (respUrl != NULL) {
+                rv = CERT_SetOCSPDefaultResponder (handle, respUrl,
+                                                   respCertName);
+                if (rv != SECSuccess) {
+                    SECU_PrintError (progName,
+                                     "error setting default responder");
+                    goto cleanup;
+                }
+                
+                rv = CERT_EnableOCSPDefaultResponder (handle);
+                if (rv != SECSuccess) {
+                    SECU_PrintError (progName,
+                                     "error enabling default responder");
+                    goto cleanup;
+                }
+            }
+	}
+
+	/* All cipher suites except RSA_NULL_MD5 are enabled by 
+	 * Domestic Policy. */
+	NSS_SetDomesticPolicy();
+	SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+
+	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
+	if (cipherString) {
+	    int ndx;
+
+	    /* disable all the ciphers, then enable the ones we want. */
+	    disableAllSSLCiphers();
+
+	    while (0 != (ndx = *cipherString++)) {
+		int  cipher;
+
+		if (ndx == ':') {
+		    int ctmp;
+
+		    cipher = 0;
+		    HEXCHAR_TO_INT(*cipherString, ctmp)
+		    cipher |= (ctmp << 12);
+		    cipherString++;
+		    HEXCHAR_TO_INT(*cipherString, ctmp)
+		    cipher |= (ctmp << 8);
+		    cipherString++;
+		    HEXCHAR_TO_INT(*cipherString, ctmp)
+		    cipher |= (ctmp << 4);
+		    cipherString++;
+		    HEXCHAR_TO_INT(*cipherString, ctmp)
+		    cipher |= ctmp;
+		    cipherString++;
+		} else {
+		    const int *cptr;
+		    if (! isalpha(ndx))
+			Usage(progName);
+		    cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+		    for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+			/* do nothing */;
+		}
+		if (cipher > 0) {
+		    SSL_CipherPrefSetDefault(cipher, PR_TRUE);
+		} else {
+		    Usage(progName);
+		}
+	    }
+	}
+
+	client_main(port, connections, hostName);
+
+cleanup:
+        if (doOcspCheck) {
+            CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
+            CERT_DisableOCSPDefaultResponder(handle);        
+            CERT_DisableOCSPChecking (handle);
+        }
+
+        if (NSS_Shutdown() != SECSuccess) {
+            exit(1);
+        }
+
+	PR_Cleanup();
+	PORT_Free(progName);
+	return 0;
+}
+
diff --git a/security/nss/cmd/vfyserv/vfyserv.h b/security/nss/cmd/vfyserv/vfyserv.h
new file mode 100644
index 000000000..9d172cfda
--- /dev/null
+++ b/security/nss/cmd/vfyserv/vfyserv.h
@@ -0,0 +1,180 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef SSLSAMPLE_H
+#define SSLSAMPLE_H
+
+/* Generic header files */
+
+#include <stdio.h>
+#include <string.h>
+
+/* NSPR header files */
+
+#include "nspr.h"
+#include "prerror.h"
+#include "prnetdb.h"
+
+/* NSS header files */
+
+#include "pk11func.h"
+#include "secitem.h"
+#include "ssl.h"
+#include "certt.h"
+#include "nss.h"
+#include "secder.h"
+#include "key.h"
+#include "sslproto.h"
+
+/* Custom header files */
+
+/*
+#include "sslerror.h"
+*/
+
+#define BUFFER_SIZE 10240
+
+/* Declare SSL cipher suites. */
+
+extern int cipherSuites[];
+extern int ssl2CipherSuites[];
+extern int ssl3CipherSuites[];
+
+/* Data buffer read from a socket. */
+typedef struct DataBufferStr {
+	char data[BUFFER_SIZE];
+	int  index;
+	int  remaining;
+	int  dataStart;
+	int  dataEnd;
+} DataBuffer;
+
+/* SSL callback routines. */
+
+char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg);
+
+SECStatus myAuthCertificate(void *arg, PRFileDesc *socket,
+                            PRBool checksig, PRBool isServer);
+
+SECStatus myBadCertHandler(void *arg, PRFileDesc *socket);
+
+void myHandshakeCallback(PRFileDesc *socket, void *arg);
+
+SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
+                              struct CERTDistNamesStr *caNames,
+                              struct CERTCertificateStr **pRetCert,
+                              struct SECKEYPrivateKeyStr **pRetKey);
+
+/* Disable all v2/v3 SSL ciphers. */
+
+void disableAllSSLCiphers(void);
+
+
+/* Error and information utilities. */
+
+void errWarn(char *function);
+
+void exitErr(char *function);
+
+void printSecurityInfo(FILE *outfile, PRFileDesc *fd);
+
+/* Some simple thread management routines. */
+
+#define MAX_THREADS 32
+
+typedef SECStatus startFn(void *a, int b);
+
+typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
+
+typedef struct perThreadStr {
+	PRFileDesc *a;
+	int         b;
+	int         rv;
+	startFn    *startFunc;
+	PRThread   *prThread;
+	PRBool      inUse;
+	runState    running;
+} perThread;
+
+typedef struct GlobalThreadMgrStr {
+	PRLock	  *threadLock;
+	PRCondVar *threadStartQ;
+	PRCondVar *threadEndQ;
+	perThread  threads[MAX_THREADS];
+	int        index;
+	int        numUsed;
+	int        numRunning;
+} GlobalThreadMgr;
+
+void thread_wrapper(void * arg);
+
+SECStatus launch_thread(GlobalThreadMgr *threadMGR, 
+                        startFn *startFunc, void *a, int b);
+
+SECStatus reap_threads(GlobalThreadMgr *threadMGR);
+
+void destroy_thread_data(GlobalThreadMgr *threadMGR);
+
+/* Management of locked variables. */
+
+struct lockedVarsStr {
+	PRLock *    lock;
+	int         count;
+	int         waiters;
+	PRCondVar * condVar;
+};
+
+typedef struct lockedVarsStr lockedVars;
+
+void lockedVars_Init(lockedVars *lv);
+
+void lockedVars_Destroy(lockedVars *lv);
+
+void lockedVars_WaitForDone(lockedVars *lv);
+
+int lockedVars_AddToCount(lockedVars *lv, int addend);
+
+/* Buffer stuff. */
+
+static const char stopCmd[] = { "GET /stop " };
+static const char defaultHeader[] = {
+	"HTTP/1.0 200 OK\r\n"
+	"Server: SSL sample server\r\n"
+	"Content-type: text/plain\r\n"
+	"\r\n"
+};
+
+#endif
diff --git a/security/nss/cmd/vfyserv/vfyutil.c b/security/nss/cmd/vfyserv/vfyutil.c
new file mode 100644
index 000000000..101152d6b
--- /dev/null
+++ b/security/nss/cmd/vfyserv/vfyutil.c
@@ -0,0 +1,665 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "vfyserv.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "nspr.h"
+#include "secutil.h"
+
+
+extern PRBool dumpChain;
+extern void dumpCertChain(CERTCertificate *, SECCertUsage);
+
+/* Declare SSL cipher suites. */
+
+int ssl2CipherSuites[] = {
+    SSL_EN_RC4_128_WITH_MD5,              /* A */
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,     /* B */
+    SSL_EN_RC2_128_CBC_WITH_MD5,          /* C */
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */
+    SSL_EN_DES_64_CBC_WITH_MD5,           /* E */
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     /* F */
+    0
+};
+
+int ssl3CipherSuites[] = {
+    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
+    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
+    SSL_RSA_WITH_RC4_128_MD5,			/* c */
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
+    SSL_RSA_WITH_NULL_MD5,			/* i */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
+    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
+    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
+    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
+    SSL_RSA_WITH_NULL_SHA,			/* z */
+    0
+};
+
+/**************************************************************************
+** 
+** SSL callback routines.
+**
+**************************************************************************/
+
+/* Function: char * myPasswd()
+ * 
+ * Purpose: This function is our custom password handler that is called by
+ * SSL when retreiving private certs and keys from the database. Returns a
+ * pointer to a string that with a password for the database. Password pointer
+ * should point to dynamically allocated memory that will be freed later.
+ */
+char *
+myPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
+{
+    char * passwd = NULL;
+
+    if ( (!retry) && arg ) {
+	passwd = PORT_Strdup((char *)arg);
+    }
+    return passwd;
+}
+
+/* Function: SECStatus myAuthCertificate()
+ *
+ * Purpose: This function is our custom certificate authentication handler.
+ * 
+ * Note: This implementation is essentially the same as the default 
+ *       SSL_AuthCertificate().
+ */
+SECStatus 
+myAuthCertificate(void *arg, PRFileDesc *socket, 
+                  PRBool checksig, PRBool isServer) 
+{
+
+    SECCertificateUsage certUsage;
+    CERTCertificate *   cert;
+    void *              pinArg;
+    char *              hostName;
+    SECStatus           secStatus;
+
+    if (!arg || !socket) {
+	errWarn("myAuthCertificate");
+	return SECFailure;
+    }
+
+    /* Define how the cert is being used based upon the isServer flag. */
+
+    certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
+
+    cert = SSL_PeerCertificate(socket);
+	
+    pinArg = SSL_RevealPinArg(socket);
+    
+    if (dumpChain == PR_TRUE) {
+        dumpCertChain(cert, certUsage);
+    }
+
+    secStatus = CERT_VerifyCertificateNow((CERTCertDBHandle *)arg,
+				   cert,
+				   checksig,
+				   certUsage,
+				   pinArg,
+                                   NULL);
+
+    /* If this is a server, we're finished. */
+    if (isServer || secStatus != SECSuccess) {
+	SECU_printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, 
+			  checksig, certUsage, pinArg, PR_FALSE);
+	CERT_DestroyCertificate(cert);
+	return secStatus;
+    }
+
+    /* Certificate is OK.  Since this is the client side of an SSL
+     * connection, we need to verify that the name field in the cert
+     * matches the desired hostname.  This is our defense against
+     * man-in-the-middle attacks.
+     */
+
+    /* SSL_RevealURL returns a hostName, not an URL. */
+    hostName = SSL_RevealURL(socket);
+
+    if (hostName && hostName[0]) {
+	secStatus = CERT_VerifyCertName(cert, hostName);
+    } else {
+	PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
+	secStatus = SECFailure;
+    }
+
+    if (hostName)
+	PR_Free(hostName);
+
+    CERT_DestroyCertificate(cert);
+    return secStatus;
+}
+
+/* Function: SECStatus myBadCertHandler()
+ *
+ * Purpose: This callback is called when the incoming certificate is not
+ * valid. We define a certain set of parameters that still cause the
+ * certificate to be "valid" for this session, and return SECSuccess to cause
+ * the server to continue processing the request when any of these conditions
+ * are met. Otherwise, SECFailure is return and the server rejects the 
+ * request.
+ */
+SECStatus 
+myBadCertHandler(void *arg, PRFileDesc *socket) 
+{
+
+    SECStatus	secStatus = SECFailure;
+    PRErrorCode	err;
+
+    /* log invalid cert here */
+
+    if (!arg) {
+	return secStatus;
+    }
+
+    *(PRErrorCode *)arg = err = PORT_GetError();
+
+    /* If any of the cases in the switch are met, then we will proceed   */
+    /* with the processing of the request anyway. Otherwise, the default */	
+    /* case will be reached and we will reject the request.              */
+
+    switch (err) {
+    case SEC_ERROR_INVALID_AVA:
+    case SEC_ERROR_INVALID_TIME:
+    case SEC_ERROR_BAD_SIGNATURE:
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
+    case SEC_ERROR_UNKNOWN_ISSUER:
+    case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_CERT_VALID:
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+    case SEC_ERROR_CRL_EXPIRED:
+    case SEC_ERROR_CRL_BAD_SIGNATURE:
+    case SEC_ERROR_EXTENSION_VALUE_INVALID:
+    case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_CERT_USAGES_INVALID:
+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+	secStatus = SECSuccess;
+	break;
+    default:
+	secStatus = SECFailure;
+	break;
+    }
+
+    fprintf(stderr, "Bad certificate: %d, %s\n", err, SECU_Strerror(err));
+
+    return secStatus;
+}
+
+/* Function: SECStatus ownGetClientAuthData()
+ *
+ * Purpose: This callback is used by SSL to pull client certificate 
+ * information upon server request.
+ */
+SECStatus 
+myGetClientAuthData(void *arg,
+                    PRFileDesc *socket,
+                    struct CERTDistNamesStr *caNames,
+                    struct CERTCertificateStr **pRetCert,
+                    struct SECKEYPrivateKeyStr **pRetKey) 
+{
+
+    CERTCertificate *  cert;
+    SECKEYPrivateKey * privKey;
+    char *             chosenNickName = (char *)arg;
+    void *             proto_win      = NULL;
+    SECStatus          secStatus      = SECFailure;
+
+    proto_win = SSL_RevealPinArg(socket);
+
+    if (chosenNickName) {
+	cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
+	if (cert) {
+	    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
+	    if (privKey) {
+		secStatus = SECSuccess;
+	    } else {
+		CERT_DestroyCertificate(cert);
+	    }
+	}
+    } else { /* no nickname given, automatically find the right cert */
+	CERTCertNicknames *names;
+	int                i;
+
+	names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), 
+				      SEC_CERT_NICKNAMES_USER, proto_win);
+
+	if (names != NULL) {
+	    for(i = 0; i < names->numnicknames; i++ ) {
+
+		cert = PK11_FindCertFromNickname(names->nicknames[i], 
+						 proto_win);
+		if (!cert) {
+		    continue;
+		}
+
+		/* Only check unexpired certs */
+		if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
+		      != secCertTimeValid ) {
+		    CERT_DestroyCertificate(cert);
+		    continue;
+		}
+
+		secStatus = NSS_CmpCertChainWCANames(cert, caNames);
+		if (secStatus == SECSuccess) {
+		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
+		    if (privKey) {
+			break;
+		    }
+		    secStatus = SECFailure;
+		}
+		CERT_DestroyCertificate(cert);
+	    } /* for loop */
+	    CERT_FreeNicknames(names);
+	}
+    }
+
+    if (secStatus == SECSuccess) {
+	*pRetCert = cert;
+	*pRetKey  = privKey;
+    }
+
+    return secStatus;
+}
+
+/* Function: void myHandshakeCallback()
+ *
+ * Purpose: Called by SSL to inform application that the handshake is
+ * complete. This function is mostly used on the server side of an SSL
+ * connection, although it is provided for a client as well.
+ * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake 
+ * is used to initiate a handshake.
+ *
+ * A typical scenario would be:
+ *
+ * 1. Server accepts an SSL connection from the client without client auth.
+ * 2. Client sends a request.
+ * 3. Server determines that to service request it needs to authenticate the
+ * client and initiates another handshake requesting client auth.
+ * 4. While handshake is in progress, server can do other work or spin waiting
+ * for the handshake to complete.
+ * 5. Server is notified that handshake has been successfully completed by
+ * the custom handshake callback function and it can service the client's
+ * request.
+ *
+ * Note: This function is not implemented in this sample, as we are using
+ * blocking sockets.
+ */
+void
+myHandshakeCallback(PRFileDesc *socket, void *arg) 
+{
+    fprintf(stderr,"Handshake Complete: SERVER CONFIGURED CORRECTLY\n");
+}
+
+
+/**************************************************************************
+** 
+** Routines for disabling SSL ciphers.
+**
+**************************************************************************/
+
+void
+disableAllSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv;
+
+    /* disable all the SSL3 cipher suites */
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+	if (rv != SECSuccess) {
+	    fprintf(stderr,
+		"SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+	    	   suite, i);
+	    errWarn("SSL_CipherPrefSetDefault");
+	    exit(2);
+	}
+    }
+}
+
+/**************************************************************************
+** 
+** Error and information routines.
+**
+**************************************************************************/
+
+void
+errWarn(char *function)
+{
+    PRErrorCode  errorNumber = PR_GetError();
+    const char * errorString = SECU_Strerror(errorNumber);
+
+    fprintf(stderr, "Error in function %s: %d\n - %s\n",
+		    function, errorNumber, errorString);
+}
+
+void
+exitErr(char *function)
+{
+    errWarn(function);
+    /* Exit gracefully. */
+    /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
+    (void) NSS_Shutdown();
+    PR_Cleanup();
+    exit(1);
+}
+
+void 
+printSecurityInfo(FILE *outfile, PRFileDesc *fd)
+{
+    char * cp;	/* bulk cipher name */
+    char * ip;	/* cert issuer DN */
+    char * sp;	/* cert subject DN */
+    int    op;	/* High, Low, Off */
+    int    kp0;	/* total key bits */
+    int    kp1;	/* secret key bits */
+    int    result;
+    SSL3Statistics * ssl3stats = SSL_GetStatistics();
+
+    if (!outfile) {
+	outfile = stdout;
+    }
+
+    result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
+    if (result != SECSuccess)
+	return;
+    fprintf(outfile,
+     "   bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
+     "   subject DN:\n %s\n"
+     "   issuer  DN:\n %s\n", cp, kp1, kp0, op, sp, ip);
+    PR_Free(cp);
+    PR_Free(ip);
+    PR_Free(sp);
+
+    fprintf(outfile,
+      "   %ld cache hits; %ld cache misses, %ld cache not reusable\n",
+	    ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+    ssl3stats->hch_sid_cache_not_ok);
+
+}
+
+
+/**************************************************************************
+** Begin thread management routines and data.
+**************************************************************************/
+
+void
+thread_wrapper(void * arg)
+{
+    GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg;
+    perThread *slot = &threadMGR->threads[threadMGR->index];
+
+    /* wait for parent to finish launching us before proceeding. */
+    PR_Lock(threadMGR->threadLock);
+    PR_Unlock(threadMGR->threadLock);
+
+    slot->rv = (* slot->startFunc)(slot->a, slot->b);
+
+    PR_Lock(threadMGR->threadLock);
+    slot->running = rs_zombie;
+
+    /* notify the thread exit handler. */
+    PR_NotifyCondVar(threadMGR->threadEndQ);
+
+    PR_Unlock(threadMGR->threadLock);
+}
+
+SECStatus
+launch_thread(GlobalThreadMgr *threadMGR,
+              startFn         *startFunc,
+              void            *a,
+              int              b)
+{
+    perThread *slot;
+    int        i;
+
+    if (!threadMGR->threadStartQ) {
+	threadMGR->threadLock   = PR_NewLock();
+	threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock);
+	threadMGR->threadEndQ   = PR_NewCondVar(threadMGR->threadLock);
+    }
+    PR_Lock(threadMGR->threadLock);
+    while (threadMGR->numRunning >= MAX_THREADS) {
+	PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT);
+    }
+    for (i = 0; i < threadMGR->numUsed; ++i) {
+	slot = &threadMGR->threads[i];
+	if (slot->running == rs_idle) 
+	    break;
+    }
+    if (i >= threadMGR->numUsed) {
+	if (i >= MAX_THREADS) {
+	    /* something's really wrong here. */
+	    PORT_Assert(i < MAX_THREADS);
+	    PR_Unlock(threadMGR->threadLock);
+	    return SECFailure;
+	}
+	++(threadMGR->numUsed);
+	PORT_Assert(threadMGR->numUsed == i + 1);
+	slot = &threadMGR->threads[i];
+    }
+
+    slot->a = a;
+    slot->b = b;
+    slot->startFunc = startFunc;
+
+    threadMGR->index = i;
+
+    slot->prThread = PR_CreateThread(PR_USER_THREAD,
+				     thread_wrapper, threadMGR,
+				     PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
+				     PR_JOINABLE_THREAD, 0);
+
+    if (slot->prThread == NULL) {
+	PR_Unlock(threadMGR->threadLock);
+	printf("Failed to launch thread!\n");
+	return SECFailure;
+    } 
+
+    slot->inUse   = 1;
+    slot->running = 1;
+    ++(threadMGR->numRunning);
+    PR_Unlock(threadMGR->threadLock);
+
+    return SECSuccess;
+}
+
+SECStatus 
+reap_threads(GlobalThreadMgr *threadMGR)
+{
+    perThread * slot;
+    int			i;
+
+    if (!threadMGR->threadLock)
+	return SECSuccess;
+    PR_Lock(threadMGR->threadLock);
+    while (threadMGR->numRunning > 0) {
+	PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
+	for (i = 0; i < threadMGR->numUsed; ++i) {
+	    slot = &threadMGR->threads[i];
+	    if (slot->running == rs_zombie)  {
+		/* Handle cleanup of thread here. */
+
+		/* Now make sure the thread has ended OK. */
+		PR_JoinThread(slot->prThread);
+		slot->running = rs_idle;
+		--threadMGR->numRunning;
+
+		/* notify the thread launcher. */
+		PR_NotifyCondVar(threadMGR->threadStartQ);
+	    }
+	}
+    }
+
+    /* Safety Sam sez: make sure count is right. */
+    for (i = 0; i < threadMGR->numUsed; ++i) {
+	slot = &threadMGR->threads[i];
+	if (slot->running != rs_idle)  {
+	    fprintf(stderr, "Thread in slot %d is in state %d!\n", 
+			     i, slot->running);
+	}
+    }
+    PR_Unlock(threadMGR->threadLock);
+    return SECSuccess;
+}
+
+void
+destroy_thread_data(GlobalThreadMgr *threadMGR)
+{
+    PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads));
+
+    if (threadMGR->threadEndQ) {
+	PR_DestroyCondVar(threadMGR->threadEndQ);
+	threadMGR->threadEndQ = NULL;
+    }
+    if (threadMGR->threadStartQ) {
+	PR_DestroyCondVar(threadMGR->threadStartQ);
+	threadMGR->threadStartQ = NULL;
+    }
+    if (threadMGR->threadLock) {
+	PR_DestroyLock(threadMGR->threadLock);
+	threadMGR->threadLock = NULL;
+    }
+}
+
+/**************************************************************************
+** End	 thread management routines.
+**************************************************************************/
+
+void 
+lockedVars_Init( lockedVars * lv)
+{
+    lv->count	= 0;
+    lv->waiters = 0;
+    lv->lock	= PR_NewLock();
+    lv->condVar = PR_NewCondVar(lv->lock);
+}
+
+void
+lockedVars_Destroy( lockedVars * lv)
+{
+    PR_DestroyCondVar(lv->condVar);
+    lv->condVar = NULL;
+
+    PR_DestroyLock(lv->lock);
+    lv->lock = NULL;
+}
+
+void
+lockedVars_WaitForDone(lockedVars * lv)
+{
+    PR_Lock(lv->lock);
+    while (lv->count > 0) {
+	PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
+    }
+    PR_Unlock(lv->lock);
+}
+
+int	/* returns count */
+lockedVars_AddToCount(lockedVars * lv, int addend)
+{
+    int rv;
+
+    PR_Lock(lv->lock);
+    rv = lv->count += addend;
+    if (rv <= 0) {
+	PR_NotifyCondVar(lv->condVar);
+    }
+    PR_Unlock(lv->lock);
+    return rv;
+}
+
+
+/*
+ * Dump cert chain in to cert.* files. This function is will
+ * create collisions while dumping cert chains if called from
+ * multiple treads. But it should not be a problem since we
+ * consider vfyserv to be single threaded(see bug 353477).
+ */
+
+void
+dumpCertChain(CERTCertificate *cert, SECCertUsage usage)
+{
+    CERTCertificateList *certList;
+    int count = 0;
+
+    certList = CERT_CertChainFromCert(cert, usage, PR_TRUE);
+    if (certList == NULL) {
+        errWarn("CERT_CertChainFromCert");
+        return;
+    }
+
+    for(count = 0; count < (unsigned int)certList->len; count++) {
+        char certFileName[16];
+        PRFileDesc *cfd;
+
+        PR_snprintf(certFileName, sizeof certFileName, "cert.%03d",
+                    count);
+        cfd = PR_Open(certFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, 
+                      0664);
+        if (!cfd) {
+            PR_fprintf(PR_STDOUT,
+                       "Error: couldn't save cert der in file '%s'\n",
+                       certFileName);
+        } else {
+            PR_Write(cfd,  certList->certs[count].data,  certList->certs[count].len);
+            PR_Close(cfd);
+            PR_fprintf(PR_STDOUT, "Cert file %s was created.\n", certFileName);
+        }
+    }
+    CERT_DestroyCertificateList(certList);
+}
diff --git a/security/nss/cmd/zlib/Makefile b/security/nss/cmd/zlib/Makefile
new file mode 100644
index 000000000..52596b760
--- /dev/null
+++ b/security/nss/cmd/zlib/Makefile
@@ -0,0 +1,88 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+test: $(PROGRAMS)
+	@cd $(OBJDIR); \
+	echo hello world | ./minigzip | ./minigzip -d || \
+	  echo '		*** minigzip test FAILED ***' ; \
+	if ./example; then \
+	  echo '		*** zlib test OK ***'; \
+	else \
+	  echo '		*** zlib test FAILED ***'; \
+	fi
diff --git a/security/nss/cmd/zlib/README b/security/nss/cmd/zlib/README
new file mode 100644
index 000000000..758cc5002
--- /dev/null
+++ b/security/nss/cmd/zlib/README
@@ -0,0 +1,125 @@
+ZLIB DATA COMPRESSION LIBRARY
+
+zlib 1.2.3 is a general purpose data compression library.  All the code is
+thread safe.  The data format used by the zlib library is described by RFCs
+(Request for Comments) 1950 to 1952 in the files
+http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format)
+and rfc1952.txt (gzip format). These documents are also available in other
+formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html
+
+All functions of the compression library are documented in the file zlib.h
+(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example
+of the library is given in the file example.c which also tests that the library
+is working correctly. Another example is given in the file minigzip.c. The
+compression library itself is composed of all source files except example.c and
+minigzip.c.
+
+To compile all files and run the test program, follow the instructions given at
+the top of Makefile. In short "make test; make install" should work for most
+machines. For Unix: "./configure; make test; make install". For MSDOS, use one
+of the special makefiles such as Makefile.msc. For VMS, use make_vms.com.
+
+Questions about zlib should be sent to <zlib@gzip.org>, or to Gilles Vollant
+<info@winimage.com> for the Windows DLL version. The zlib home page is
+http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem,
+please check this site to verify that you have the latest version of zlib;
+otherwise get the latest version and check whether the problem still exists or
+not.
+
+PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html before asking
+for help.
+
+Mark Nelson <markn@ieee.org> wrote an article about zlib for the Jan. 1997
+issue of  Dr. Dobb's Journal; a copy of the article is available in
+http://dogma.net/markn/articles/zlibtool/zlibtool.htm
+
+The changes made in version 1.2.3 are documented in the file ChangeLog.
+
+Unsupported third party contributions are provided in directory "contrib".
+
+A Java implementation of zlib is available in the Java Development Kit
+http://java.sun.com/j2se/1.4.2/docs/api/java/util/zip/package-summary.html
+See the zlib home page http://www.zlib.org for details.
+
+A Perl interface to zlib written by Paul Marquess <pmqs@cpan.org> is in the
+CPAN (Comprehensive Perl Archive Network) sites
+http://www.cpan.org/modules/by-module/Compress/
+
+A Python interface to zlib written by A.M. Kuchling <amk@amk.ca> is
+available in Python 1.5 and later versions, see
+http://www.python.org/doc/lib/module-zlib.html
+
+A zlib binding for TCL written by Andreas Kupries <a.kupries@westend.com> is
+availlable at http://www.oche.de/~akupries/soft/trf/trf_zip.html
+
+An experimental package to read and write files in .zip format, written on top
+of zlib by Gilles Vollant <info@winimage.com>, is available in the
+contrib/minizip directory of zlib.
+
+
+Notes for some targets:
+
+- For Windows DLL versions, please see win32/DLL_FAQ.txt
+
+- For 64-bit Irix, deflate.c must be compiled without any optimization. With
+  -O, one libpng test fails. The test works in 32 bit mode (with the -n32
+  compiler flag). The compiler bug has been reported to SGI.
+
+- zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1 it works
+  when compiled with cc.
+
+- On Digital Unix 4.0D (formely OSF/1) on AlphaServer, the cc option -std1 is
+  necessary to get gzprintf working correctly. This is done by configure.
+
+- zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with
+  other compilers. Use "make test" to check your compiler.
+
+- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers.
+
+- For PalmOs, see http://palmzlib.sourceforge.net/
+
+- When building a shared, i.e. dynamic library on Mac OS X, the library must be
+  installed before testing (do "make install" before "make test"), since the
+  library location is specified in the library.
+
+
+Acknowledgments:
+
+  The deflate format used by zlib was defined by Phil Katz. The deflate
+  and zlib specifications were written by L. Peter Deutsch. Thanks to all the
+  people who reported problems and suggested various improvements in zlib;
+  they are too numerous to cite here.
+
+Copyright notice:
+
+ (C) 1995-2004 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  jloup@gzip.org          madler@alumni.caltech.edu
+
+If you use the zlib library in a product, we would appreciate *not*
+receiving lengthy legal documents to sign. The sources are provided
+for free but without warranty of any kind.  The library has been
+entirely written by Jean-loup Gailly and Mark Adler; it does not
+include third-party code.
+
+If you redistribute modified sources, we would appreciate that you include
+in the file ChangeLog history information documenting your changes. Please
+read the FAQ for more information on the distribution of modified source
+versions.
diff --git a/security/nss/cmd/zlib/adler32.c b/security/nss/cmd/zlib/adler32.c
new file mode 100644
index 000000000..007ba2627
--- /dev/null
+++ b/security/nss/cmd/zlib/adler32.c
@@ -0,0 +1,149 @@
+/* adler32.c -- compute the Adler-32 checksum of a data stream
+ * Copyright (C) 1995-2004 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#define ZLIB_INTERNAL
+#include "zlib.h"
+
+#define BASE 65521UL    /* largest prime smaller than 65536 */
+#define NMAX 5552
+/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */
+
+#define DO1(buf,i)  {adler += (buf)[i]; sum2 += adler;}
+#define DO2(buf,i)  DO1(buf,i); DO1(buf,i+1);
+#define DO4(buf,i)  DO2(buf,i); DO2(buf,i+2);
+#define DO8(buf,i)  DO4(buf,i); DO4(buf,i+4);
+#define DO16(buf)   DO8(buf,0); DO8(buf,8);
+
+/* use NO_DIVIDE if your processor does not do division in hardware */
+#ifdef NO_DIVIDE
+#  define MOD(a) \
+    do { \
+        if (a >= (BASE << 16)) a -= (BASE << 16); \
+        if (a >= (BASE << 15)) a -= (BASE << 15); \
+        if (a >= (BASE << 14)) a -= (BASE << 14); \
+        if (a >= (BASE << 13)) a -= (BASE << 13); \
+        if (a >= (BASE << 12)) a -= (BASE << 12); \
+        if (a >= (BASE << 11)) a -= (BASE << 11); \
+        if (a >= (BASE << 10)) a -= (BASE << 10); \
+        if (a >= (BASE << 9)) a -= (BASE << 9); \
+        if (a >= (BASE << 8)) a -= (BASE << 8); \
+        if (a >= (BASE << 7)) a -= (BASE << 7); \
+        if (a >= (BASE << 6)) a -= (BASE << 6); \
+        if (a >= (BASE << 5)) a -= (BASE << 5); \
+        if (a >= (BASE << 4)) a -= (BASE << 4); \
+        if (a >= (BASE << 3)) a -= (BASE << 3); \
+        if (a >= (BASE << 2)) a -= (BASE << 2); \
+        if (a >= (BASE << 1)) a -= (BASE << 1); \
+        if (a >= BASE) a -= BASE; \
+    } while (0)
+#  define MOD4(a) \
+    do { \
+        if (a >= (BASE << 4)) a -= (BASE << 4); \
+        if (a >= (BASE << 3)) a -= (BASE << 3); \
+        if (a >= (BASE << 2)) a -= (BASE << 2); \
+        if (a >= (BASE << 1)) a -= (BASE << 1); \
+        if (a >= BASE) a -= BASE; \
+    } while (0)
+#else
+#  define MOD(a) a %= BASE
+#  define MOD4(a) a %= BASE
+#endif
+
+/* ========================================================================= */
+uLong ZEXPORT adler32(adler, buf, len)
+    uLong adler;
+    const Bytef *buf;
+    uInt len;
+{
+    unsigned long sum2;
+    unsigned n;
+
+    /* split Adler-32 into component sums */
+    sum2 = (adler >> 16) & 0xffff;
+    adler &= 0xffff;
+
+    /* in case user likes doing a byte at a time, keep it fast */
+    if (len == 1) {
+        adler += buf[0];
+        if (adler >= BASE)
+            adler -= BASE;
+        sum2 += adler;
+        if (sum2 >= BASE)
+            sum2 -= BASE;
+        return adler | (sum2 << 16);
+    }
+
+    /* initial Adler-32 value (deferred check for len == 1 speed) */
+    if (buf == Z_NULL)
+        return 1L;
+
+    /* in case short lengths are provided, keep it somewhat fast */
+    if (len < 16) {
+        while (len--) {
+            adler += *buf++;
+            sum2 += adler;
+        }
+        if (adler >= BASE)
+            adler -= BASE;
+        MOD4(sum2);             /* only added so many BASE's */
+        return adler | (sum2 << 16);
+    }
+
+    /* do length NMAX blocks -- requires just one modulo operation */
+    while (len >= NMAX) {
+        len -= NMAX;
+        n = NMAX / 16;          /* NMAX is divisible by 16 */
+        do {
+            DO16(buf);          /* 16 sums unrolled */
+            buf += 16;
+        } while (--n);
+        MOD(adler);
+        MOD(sum2);
+    }
+
+    /* do remaining bytes (less than NMAX, still just one modulo) */
+    if (len) {                  /* avoid modulos if none remaining */
+        while (len >= 16) {
+            len -= 16;
+            DO16(buf);
+            buf += 16;
+        }
+        while (len--) {
+            adler += *buf++;
+            sum2 += adler;
+        }
+        MOD(adler);
+        MOD(sum2);
+    }
+
+    /* return recombined sums */
+    return adler | (sum2 << 16);
+}
+
+/* ========================================================================= */
+uLong ZEXPORT adler32_combine(adler1, adler2, len2)
+    uLong adler1;
+    uLong adler2;
+    z_off_t len2;
+{
+    unsigned long sum1;
+    unsigned long sum2;
+    unsigned rem;
+
+    /* the derivation of this formula is left as an exercise for the reader */
+    rem = (unsigned)(len2 % BASE);
+    sum1 = adler1 & 0xffff;
+    sum2 = rem * sum1;
+    MOD(sum2);
+    sum1 += (adler2 & 0xffff) + BASE - 1;
+    sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;
+    if (sum1 > BASE) sum1 -= BASE;
+    if (sum1 > BASE) sum1 -= BASE;
+    if (sum2 > (BASE << 1)) sum2 -= (BASE << 1);
+    if (sum2 > BASE) sum2 -= BASE;
+    return sum1 | (sum2 << 16);
+}
diff --git a/security/nss/cmd/zlib/compress.c b/security/nss/cmd/zlib/compress.c
new file mode 100644
index 000000000..df04f0148
--- /dev/null
+++ b/security/nss/cmd/zlib/compress.c
@@ -0,0 +1,79 @@
+/* compress.c -- compress a memory buffer
+ * Copyright (C) 1995-2003 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#define ZLIB_INTERNAL
+#include "zlib.h"
+
+/* ===========================================================================
+     Compresses the source buffer into the destination buffer. The level
+   parameter has the same meaning as in deflateInit.  sourceLen is the byte
+   length of the source buffer. Upon entry, destLen is the total size of the
+   destination buffer, which must be at least 0.1% larger than sourceLen plus
+   12 bytes. Upon exit, destLen is the actual size of the compressed buffer.
+
+     compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_BUF_ERROR if there was not enough room in the output buffer,
+   Z_STREAM_ERROR if the level parameter is invalid.
+*/
+int ZEXPORT compress2 (dest, destLen, source, sourceLen, level)
+    Bytef *dest;
+    uLongf *destLen;
+    const Bytef *source;
+    uLong sourceLen;
+    int level;
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef*)source;
+    stream.avail_in = (uInt)sourceLen;
+#ifdef MAXSEG_64K
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
+#endif
+    stream.next_out = dest;
+    stream.avail_out = (uInt)*destLen;
+    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func)0;
+    stream.zfree = (free_func)0;
+    stream.opaque = (voidpf)0;
+
+    err = deflateInit(&stream, level);
+    if (err != Z_OK) return err;
+
+    err = deflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        deflateEnd(&stream);
+        return err == Z_OK ? Z_BUF_ERROR : err;
+    }
+    *destLen = stream.total_out;
+
+    err = deflateEnd(&stream);
+    return err;
+}
+
+/* ===========================================================================
+ */
+int ZEXPORT compress (dest, destLen, source, sourceLen)
+    Bytef *dest;
+    uLongf *destLen;
+    const Bytef *source;
+    uLong sourceLen;
+{
+    return compress2(dest, destLen, source, sourceLen, Z_DEFAULT_COMPRESSION);
+}
+
+/* ===========================================================================
+     If the default memLevel or windowBits for deflateInit() is changed, then
+   this function needs to be updated.
+ */
+uLong ZEXPORT compressBound (sourceLen)
+    uLong sourceLen;
+{
+    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + 11;
+}
diff --git a/security/nss/cmd/zlib/config.mk b/security/nss/cmd/zlib/config.mk
new file mode 100644
index 000000000..5471310e2
--- /dev/null
+++ b/security/nss/cmd/zlib/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY) $(PROGRAMS)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+EXTRA_LIBS     = $(LIBRARY)
diff --git a/security/nss/cmd/zlib/crc32.c b/security/nss/cmd/zlib/crc32.c
new file mode 100644
index 000000000..f658a9ef5
--- /dev/null
+++ b/security/nss/cmd/zlib/crc32.c
@@ -0,0 +1,423 @@
+/* crc32.c -- compute the CRC-32 of a data stream
+ * Copyright (C) 1995-2005 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ *
+ * Thanks to Rodney Brown <rbrown64@csc.com.au> for his contribution of faster
+ * CRC methods: exclusive-oring 32 bits of data at a time, and pre-computing
+ * tables for updating the shift register in one step with three exclusive-ors
+ * instead of four steps with four exclusive-ors.  This results in about a
+ * factor of two increase in speed on a Power PC G4 (PPC7455) using gcc -O3.
+ */
+
+/* @(#) $Id$ */
+
+/*
+  Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore
+  protection on the static variables used to control the first-use generation
+  of the crc tables.  Therefore, if you #define DYNAMIC_CRC_TABLE, you should
+  first call get_crc_table() to initialize the tables before allowing more than
+  one thread to use crc32().
+ */
+
+#ifdef MAKECRCH
+#  include <stdio.h>
+#  ifndef DYNAMIC_CRC_TABLE
+#    define DYNAMIC_CRC_TABLE
+#  endif /* !DYNAMIC_CRC_TABLE */
+#endif /* MAKECRCH */
+
+#include "zutil.h"      /* for STDC and FAR definitions */
+
+#define local static
+
+/* Find a four-byte integer type for crc32_little() and crc32_big(). */
+#ifndef NOBYFOUR
+#  ifdef STDC           /* need ANSI C limits.h to determine sizes */
+#    include <limits.h>
+#    define BYFOUR
+#    if (UINT_MAX == 0xffffffffUL)
+       typedef unsigned int u4;
+#    else
+#      if (ULONG_MAX == 0xffffffffUL)
+         typedef unsigned long u4;
+#      else
+#        if (USHRT_MAX == 0xffffffffUL)
+           typedef unsigned short u4;
+#        else
+#          undef BYFOUR     /* can't find a four-byte integer type! */
+#        endif
+#      endif
+#    endif
+#  endif /* STDC */
+#endif /* !NOBYFOUR */
+
+/* Definitions for doing the crc four data bytes at a time. */
+#ifdef BYFOUR
+#  define REV(w) (((w)>>24)+(((w)>>8)&0xff00)+ \
+                (((w)&0xff00)<<8)+(((w)&0xff)<<24))
+   local unsigned long crc32_little OF((unsigned long,
+                        const unsigned char FAR *, unsigned));
+   local unsigned long crc32_big OF((unsigned long,
+                        const unsigned char FAR *, unsigned));
+#  define TBLS 8
+#else
+#  define TBLS 1
+#endif /* BYFOUR */
+
+/* Local functions for crc concatenation */
+local unsigned long gf2_matrix_times OF((unsigned long *mat,
+                                         unsigned long vec));
+local void gf2_matrix_square OF((unsigned long *square, unsigned long *mat));
+
+#ifdef DYNAMIC_CRC_TABLE
+
+local volatile int crc_table_empty = 1;
+local unsigned long FAR crc_table[TBLS][256];
+local void make_crc_table OF((void));
+#ifdef MAKECRCH
+   local void write_table OF((FILE *, const unsigned long FAR *));
+#endif /* MAKECRCH */
+/*
+  Generate tables for a byte-wise 32-bit CRC calculation on the polynomial:
+  x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.
+
+  Polynomials over GF(2) are represented in binary, one bit per coefficient,
+  with the lowest powers in the most significant bit.  Then adding polynomials
+  is just exclusive-or, and multiplying a polynomial by x is a right shift by
+  one.  If we call the above polynomial p, and represent a byte as the
+  polynomial q, also with the lowest power in the most significant bit (so the
+  byte 0xb1 is the polynomial x^7+x^3+x+1), then the CRC is (q*x^32) mod p,
+  where a mod b means the remainder after dividing a by b.
+
+  This calculation is done using the shift-register method of multiplying and
+  taking the remainder.  The register is initialized to zero, and for each
+  incoming bit, x^32 is added mod p to the register if the bit is a one (where
+  x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by
+  x (which is shifting right by one and adding x^32 mod p if the bit shifted
+  out is a one).  We start with the highest power (least significant bit) of
+  q and repeat for all eight bits of q.
+
+  The first table is simply the CRC of all possible eight bit values.  This is
+  all the information needed to generate CRCs on data a byte at a time for all
+  combinations of CRC register values and incoming bytes.  The remaining tables
+  allow for word-at-a-time CRC calculation for both big-endian and little-
+  endian machines, where a word is four bytes.
+*/
+local void make_crc_table()
+{
+    unsigned long c;
+    int n, k;
+    unsigned long poly;                 /* polynomial exclusive-or pattern */
+    /* terms of polynomial defining this crc (except x^32): */
+    static volatile int first = 1;      /* flag to limit concurrent making */
+    static const unsigned char p[] = {0,1,2,4,5,7,8,10,11,12,16,22,23,26};
+
+    /* See if another task is already doing this (not thread-safe, but better
+       than nothing -- significantly reduces duration of vulnerability in
+       case the advice about DYNAMIC_CRC_TABLE is ignored) */
+    if (first) {
+        first = 0;
+
+        /* make exclusive-or pattern from polynomial (0xedb88320UL) */
+        poly = 0UL;
+        for (n = 0; n < sizeof(p)/sizeof(unsigned char); n++)
+            poly |= 1UL << (31 - p[n]);
+
+        /* generate a crc for every 8-bit value */
+        for (n = 0; n < 256; n++) {
+            c = (unsigned long)n;
+            for (k = 0; k < 8; k++)
+                c = c & 1 ? poly ^ (c >> 1) : c >> 1;
+            crc_table[0][n] = c;
+        }
+
+#ifdef BYFOUR
+        /* generate crc for each value followed by one, two, and three zeros,
+           and then the byte reversal of those as well as the first table */
+        for (n = 0; n < 256; n++) {
+            c = crc_table[0][n];
+            crc_table[4][n] = REV(c);
+            for (k = 1; k < 4; k++) {
+                c = crc_table[0][c & 0xff] ^ (c >> 8);
+                crc_table[k][n] = c;
+                crc_table[k + 4][n] = REV(c);
+            }
+        }
+#endif /* BYFOUR */
+
+        crc_table_empty = 0;
+    }
+    else {      /* not first */
+        /* wait for the other guy to finish (not efficient, but rare) */
+        while (crc_table_empty)
+            ;
+    }
+
+#ifdef MAKECRCH
+    /* write out CRC tables to crc32.h */
+    {
+        FILE *out;
+
+        out = fopen("crc32.h", "w");
+        if (out == NULL) return;
+        fprintf(out, "/* crc32.h -- tables for rapid CRC calculation\n");
+        fprintf(out, " * Generated automatically by crc32.c\n */\n\n");
+        fprintf(out, "local const unsigned long FAR ");
+        fprintf(out, "crc_table[TBLS][256] =\n{\n  {\n");
+        write_table(out, crc_table[0]);
+#  ifdef BYFOUR
+        fprintf(out, "#ifdef BYFOUR\n");
+        for (k = 1; k < 8; k++) {
+            fprintf(out, "  },\n  {\n");
+            write_table(out, crc_table[k]);
+        }
+        fprintf(out, "#endif\n");
+#  endif /* BYFOUR */
+        fprintf(out, "  }\n};\n");
+        fclose(out);
+    }
+#endif /* MAKECRCH */
+}
+
+#ifdef MAKECRCH
+local void write_table(out, table)
+    FILE *out;
+    const unsigned long FAR *table;
+{
+    int n;
+
+    for (n = 0; n < 256; n++)
+        fprintf(out, "%s0x%08lxUL%s", n % 5 ? "" : "    ", table[n],
+                n == 255 ? "\n" : (n % 5 == 4 ? ",\n" : ", "));
+}
+#endif /* MAKECRCH */
+
+#else /* !DYNAMIC_CRC_TABLE */
+/* ========================================================================
+ * Tables of CRC-32s of all single-byte values, made by make_crc_table().
+ */
+#include "crc32.h"
+#endif /* DYNAMIC_CRC_TABLE */
+
+/* =========================================================================
+ * This function can be used by asm versions of crc32()
+ */
+const unsigned long FAR * ZEXPORT get_crc_table()
+{
+#ifdef DYNAMIC_CRC_TABLE
+    if (crc_table_empty)
+        make_crc_table();
+#endif /* DYNAMIC_CRC_TABLE */
+    return (const unsigned long FAR *)crc_table;
+}
+
+/* ========================================================================= */
+#define DO1 crc = crc_table[0][((int)crc ^ (*buf++)) & 0xff] ^ (crc >> 8)
+#define DO8 DO1; DO1; DO1; DO1; DO1; DO1; DO1; DO1
+
+/* ========================================================================= */
+unsigned long ZEXPORT crc32(crc, buf, len)
+    unsigned long crc;
+    const unsigned char FAR *buf;
+    unsigned len;
+{
+    if (buf == Z_NULL) return 0UL;
+
+#ifdef DYNAMIC_CRC_TABLE
+    if (crc_table_empty)
+        make_crc_table();
+#endif /* DYNAMIC_CRC_TABLE */
+
+#ifdef BYFOUR
+    if (sizeof(void *) == sizeof(ptrdiff_t)) {
+        u4 endian;
+
+        endian = 1;
+        if (*((unsigned char *)(&endian)))
+            return crc32_little(crc, buf, len);
+        else
+            return crc32_big(crc, buf, len);
+    }
+#endif /* BYFOUR */
+    crc = crc ^ 0xffffffffUL;
+    while (len >= 8) {
+        DO8;
+        len -= 8;
+    }
+    if (len) do {
+        DO1;
+    } while (--len);
+    return crc ^ 0xffffffffUL;
+}
+
+#ifdef BYFOUR
+
+/* ========================================================================= */
+#define DOLIT4 c ^= *buf4++; \
+        c = crc_table[3][c & 0xff] ^ crc_table[2][(c >> 8) & 0xff] ^ \
+            crc_table[1][(c >> 16) & 0xff] ^ crc_table[0][c >> 24]
+#define DOLIT32 DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4
+
+/* ========================================================================= */
+local unsigned long crc32_little(crc, buf, len)
+    unsigned long crc;
+    const unsigned char FAR *buf;
+    unsigned len;
+{
+    register u4 c;
+    register const u4 FAR *buf4;
+
+    c = (u4)crc;
+    c = ~c;
+    while (len && ((ptrdiff_t)buf & 3)) {
+        c = crc_table[0][(c ^ *buf++) & 0xff] ^ (c >> 8);
+        len--;
+    }
+
+    buf4 = (const u4 FAR *)(const void FAR *)buf;
+    while (len >= 32) {
+        DOLIT32;
+        len -= 32;
+    }
+    while (len >= 4) {
+        DOLIT4;
+        len -= 4;
+    }
+    buf = (const unsigned char FAR *)buf4;
+
+    if (len) do {
+        c = crc_table[0][(c ^ *buf++) & 0xff] ^ (c >> 8);
+    } while (--len);
+    c = ~c;
+    return (unsigned long)c;
+}
+
+/* ========================================================================= */
+#define DOBIG4 c ^= *++buf4; \
+        c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+            crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+
+/* ========================================================================= */
+local unsigned long crc32_big(crc, buf, len)
+    unsigned long crc;
+    const unsigned char FAR *buf;
+    unsigned len;
+{
+    register u4 c;
+    register const u4 FAR *buf4;
+
+    c = REV((u4)crc);
+    c = ~c;
+    while (len && ((ptrdiff_t)buf & 3)) {
+        c = crc_table[4][(c >> 24) ^ *buf++] ^ (c << 8);
+        len--;
+    }
+
+    buf4 = (const u4 FAR *)(const void FAR *)buf;
+    buf4--;
+    while (len >= 32) {
+        DOBIG32;
+        len -= 32;
+    }
+    while (len >= 4) {
+        DOBIG4;
+        len -= 4;
+    }
+    buf4++;
+    buf = (const unsigned char FAR *)buf4;
+
+    if (len) do {
+        c = crc_table[4][(c >> 24) ^ *buf++] ^ (c << 8);
+    } while (--len);
+    c = ~c;
+    return (unsigned long)(REV(c));
+}
+
+#endif /* BYFOUR */
+
+#define GF2_DIM 32      /* dimension of GF(2) vectors (length of CRC) */
+
+/* ========================================================================= */
+local unsigned long gf2_matrix_times(mat, vec)
+    unsigned long *mat;
+    unsigned long vec;
+{
+    unsigned long sum;
+
+    sum = 0;
+    while (vec) {
+        if (vec & 1)
+            sum ^= *mat;
+        vec >>= 1;
+        mat++;
+    }
+    return sum;
+}
+
+/* ========================================================================= */
+local void gf2_matrix_square(square, mat)
+    unsigned long *square;
+    unsigned long *mat;
+{
+    int n;
+
+    for (n = 0; n < GF2_DIM; n++)
+        square[n] = gf2_matrix_times(mat, mat[n]);
+}
+
+/* ========================================================================= */
+uLong ZEXPORT crc32_combine(crc1, crc2, len2)
+    uLong crc1;
+    uLong crc2;
+    z_off_t len2;
+{
+    int n;
+    unsigned long row;
+    unsigned long even[GF2_DIM];    /* even-power-of-two zeros operator */
+    unsigned long odd[GF2_DIM];     /* odd-power-of-two zeros operator */
+
+    /* degenerate case */
+    if (len2 == 0)
+        return crc1;
+
+    /* put operator for one zero bit in odd */
+    odd[0] = 0xedb88320L;           /* CRC-32 polynomial */
+    row = 1;
+    for (n = 1; n < GF2_DIM; n++) {
+        odd[n] = row;
+        row <<= 1;
+    }
+
+    /* put operator for two zero bits in even */
+    gf2_matrix_square(even, odd);
+
+    /* put operator for four zero bits in odd */
+    gf2_matrix_square(odd, even);
+
+    /* apply len2 zeros to crc1 (first square will put the operator for one
+       zero byte, eight zero bits, in even) */
+    do {
+        /* apply zeros operator for this bit of len2 */
+        gf2_matrix_square(even, odd);
+        if (len2 & 1)
+            crc1 = gf2_matrix_times(even, crc1);
+        len2 >>= 1;
+
+        /* if no more bits set, then done */
+        if (len2 == 0)
+            break;
+
+        /* another iteration of the loop with odd and even swapped */
+        gf2_matrix_square(odd, even);
+        if (len2 & 1)
+            crc1 = gf2_matrix_times(odd, crc1);
+        len2 >>= 1;
+
+        /* if no more bits set, then done */
+    } while (len2 != 0);
+
+    /* return combined crc */
+    crc1 ^= crc2;
+    return crc1;
+}
diff --git a/security/nss/cmd/zlib/crc32.h b/security/nss/cmd/zlib/crc32.h
new file mode 100644
index 000000000..8053b6117
--- /dev/null
+++ b/security/nss/cmd/zlib/crc32.h
@@ -0,0 +1,441 @@
+/* crc32.h -- tables for rapid CRC calculation
+ * Generated automatically by crc32.c
+ */
+
+local const unsigned long FAR crc_table[TBLS][256] =
+{
+  {
+    0x00000000UL, 0x77073096UL, 0xee0e612cUL, 0x990951baUL, 0x076dc419UL,
+    0x706af48fUL, 0xe963a535UL, 0x9e6495a3UL, 0x0edb8832UL, 0x79dcb8a4UL,
+    0xe0d5e91eUL, 0x97d2d988UL, 0x09b64c2bUL, 0x7eb17cbdUL, 0xe7b82d07UL,
+    0x90bf1d91UL, 0x1db71064UL, 0x6ab020f2UL, 0xf3b97148UL, 0x84be41deUL,
+    0x1adad47dUL, 0x6ddde4ebUL, 0xf4d4b551UL, 0x83d385c7UL, 0x136c9856UL,
+    0x646ba8c0UL, 0xfd62f97aUL, 0x8a65c9ecUL, 0x14015c4fUL, 0x63066cd9UL,
+    0xfa0f3d63UL, 0x8d080df5UL, 0x3b6e20c8UL, 0x4c69105eUL, 0xd56041e4UL,
+    0xa2677172UL, 0x3c03e4d1UL, 0x4b04d447UL, 0xd20d85fdUL, 0xa50ab56bUL,
+    0x35b5a8faUL, 0x42b2986cUL, 0xdbbbc9d6UL, 0xacbcf940UL, 0x32d86ce3UL,
+    0x45df5c75UL, 0xdcd60dcfUL, 0xabd13d59UL, 0x26d930acUL, 0x51de003aUL,
+    0xc8d75180UL, 0xbfd06116UL, 0x21b4f4b5UL, 0x56b3c423UL, 0xcfba9599UL,
+    0xb8bda50fUL, 0x2802b89eUL, 0x5f058808UL, 0xc60cd9b2UL, 0xb10be924UL,
+    0x2f6f7c87UL, 0x58684c11UL, 0xc1611dabUL, 0xb6662d3dUL, 0x76dc4190UL,
+    0x01db7106UL, 0x98d220bcUL, 0xefd5102aUL, 0x71b18589UL, 0x06b6b51fUL,
+    0x9fbfe4a5UL, 0xe8b8d433UL, 0x7807c9a2UL, 0x0f00f934UL, 0x9609a88eUL,
+    0xe10e9818UL, 0x7f6a0dbbUL, 0x086d3d2dUL, 0x91646c97UL, 0xe6635c01UL,
+    0x6b6b51f4UL, 0x1c6c6162UL, 0x856530d8UL, 0xf262004eUL, 0x6c0695edUL,
+    0x1b01a57bUL, 0x8208f4c1UL, 0xf50fc457UL, 0x65b0d9c6UL, 0x12b7e950UL,
+    0x8bbeb8eaUL, 0xfcb9887cUL, 0x62dd1ddfUL, 0x15da2d49UL, 0x8cd37cf3UL,
+    0xfbd44c65UL, 0x4db26158UL, 0x3ab551ceUL, 0xa3bc0074UL, 0xd4bb30e2UL,
+    0x4adfa541UL, 0x3dd895d7UL, 0xa4d1c46dUL, 0xd3d6f4fbUL, 0x4369e96aUL,
+    0x346ed9fcUL, 0xad678846UL, 0xda60b8d0UL, 0x44042d73UL, 0x33031de5UL,
+    0xaa0a4c5fUL, 0xdd0d7cc9UL, 0x5005713cUL, 0x270241aaUL, 0xbe0b1010UL,
+    0xc90c2086UL, 0x5768b525UL, 0x206f85b3UL, 0xb966d409UL, 0xce61e49fUL,
+    0x5edef90eUL, 0x29d9c998UL, 0xb0d09822UL, 0xc7d7a8b4UL, 0x59b33d17UL,
+    0x2eb40d81UL, 0xb7bd5c3bUL, 0xc0ba6cadUL, 0xedb88320UL, 0x9abfb3b6UL,
+    0x03b6e20cUL, 0x74b1d29aUL, 0xead54739UL, 0x9dd277afUL, 0x04db2615UL,
+    0x73dc1683UL, 0xe3630b12UL, 0x94643b84UL, 0x0d6d6a3eUL, 0x7a6a5aa8UL,
+    0xe40ecf0bUL, 0x9309ff9dUL, 0x0a00ae27UL, 0x7d079eb1UL, 0xf00f9344UL,
+    0x8708a3d2UL, 0x1e01f268UL, 0x6906c2feUL, 0xf762575dUL, 0x806567cbUL,
+    0x196c3671UL, 0x6e6b06e7UL, 0xfed41b76UL, 0x89d32be0UL, 0x10da7a5aUL,
+    0x67dd4accUL, 0xf9b9df6fUL, 0x8ebeeff9UL, 0x17b7be43UL, 0x60b08ed5UL,
+    0xd6d6a3e8UL, 0xa1d1937eUL, 0x38d8c2c4UL, 0x4fdff252UL, 0xd1bb67f1UL,
+    0xa6bc5767UL, 0x3fb506ddUL, 0x48b2364bUL, 0xd80d2bdaUL, 0xaf0a1b4cUL,
+    0x36034af6UL, 0x41047a60UL, 0xdf60efc3UL, 0xa867df55UL, 0x316e8eefUL,
+    0x4669be79UL, 0xcb61b38cUL, 0xbc66831aUL, 0x256fd2a0UL, 0x5268e236UL,
+    0xcc0c7795UL, 0xbb0b4703UL, 0x220216b9UL, 0x5505262fUL, 0xc5ba3bbeUL,
+    0xb2bd0b28UL, 0x2bb45a92UL, 0x5cb36a04UL, 0xc2d7ffa7UL, 0xb5d0cf31UL,
+    0x2cd99e8bUL, 0x5bdeae1dUL, 0x9b64c2b0UL, 0xec63f226UL, 0x756aa39cUL,
+    0x026d930aUL, 0x9c0906a9UL, 0xeb0e363fUL, 0x72076785UL, 0x05005713UL,
+    0x95bf4a82UL, 0xe2b87a14UL, 0x7bb12baeUL, 0x0cb61b38UL, 0x92d28e9bUL,
+    0xe5d5be0dUL, 0x7cdcefb7UL, 0x0bdbdf21UL, 0x86d3d2d4UL, 0xf1d4e242UL,
+    0x68ddb3f8UL, 0x1fda836eUL, 0x81be16cdUL, 0xf6b9265bUL, 0x6fb077e1UL,
+    0x18b74777UL, 0x88085ae6UL, 0xff0f6a70UL, 0x66063bcaUL, 0x11010b5cUL,
+    0x8f659effUL, 0xf862ae69UL, 0x616bffd3UL, 0x166ccf45UL, 0xa00ae278UL,
+    0xd70dd2eeUL, 0x4e048354UL, 0x3903b3c2UL, 0xa7672661UL, 0xd06016f7UL,
+    0x4969474dUL, 0x3e6e77dbUL, 0xaed16a4aUL, 0xd9d65adcUL, 0x40df0b66UL,
+    0x37d83bf0UL, 0xa9bcae53UL, 0xdebb9ec5UL, 0x47b2cf7fUL, 0x30b5ffe9UL,
+    0xbdbdf21cUL, 0xcabac28aUL, 0x53b39330UL, 0x24b4a3a6UL, 0xbad03605UL,
+    0xcdd70693UL, 0x54de5729UL, 0x23d967bfUL, 0xb3667a2eUL, 0xc4614ab8UL,
+    0x5d681b02UL, 0x2a6f2b94UL, 0xb40bbe37UL, 0xc30c8ea1UL, 0x5a05df1bUL,
+    0x2d02ef8dUL
+#ifdef BYFOUR
+  },
+  {
+    0x00000000UL, 0x191b3141UL, 0x32366282UL, 0x2b2d53c3UL, 0x646cc504UL,
+    0x7d77f445UL, 0x565aa786UL, 0x4f4196c7UL, 0xc8d98a08UL, 0xd1c2bb49UL,
+    0xfaefe88aUL, 0xe3f4d9cbUL, 0xacb54f0cUL, 0xb5ae7e4dUL, 0x9e832d8eUL,
+    0x87981ccfUL, 0x4ac21251UL, 0x53d92310UL, 0x78f470d3UL, 0x61ef4192UL,
+    0x2eaed755UL, 0x37b5e614UL, 0x1c98b5d7UL, 0x05838496UL, 0x821b9859UL,
+    0x9b00a918UL, 0xb02dfadbUL, 0xa936cb9aUL, 0xe6775d5dUL, 0xff6c6c1cUL,
+    0xd4413fdfUL, 0xcd5a0e9eUL, 0x958424a2UL, 0x8c9f15e3UL, 0xa7b24620UL,
+    0xbea97761UL, 0xf1e8e1a6UL, 0xe8f3d0e7UL, 0xc3de8324UL, 0xdac5b265UL,
+    0x5d5daeaaUL, 0x44469febUL, 0x6f6bcc28UL, 0x7670fd69UL, 0x39316baeUL,
+    0x202a5aefUL, 0x0b07092cUL, 0x121c386dUL, 0xdf4636f3UL, 0xc65d07b2UL,
+    0xed705471UL, 0xf46b6530UL, 0xbb2af3f7UL, 0xa231c2b6UL, 0x891c9175UL,
+    0x9007a034UL, 0x179fbcfbUL, 0x0e848dbaUL, 0x25a9de79UL, 0x3cb2ef38UL,
+    0x73f379ffUL, 0x6ae848beUL, 0x41c51b7dUL, 0x58de2a3cUL, 0xf0794f05UL,
+    0xe9627e44UL, 0xc24f2d87UL, 0xdb541cc6UL, 0x94158a01UL, 0x8d0ebb40UL,
+    0xa623e883UL, 0xbf38d9c2UL, 0x38a0c50dUL, 0x21bbf44cUL, 0x0a96a78fUL,
+    0x138d96ceUL, 0x5ccc0009UL, 0x45d73148UL, 0x6efa628bUL, 0x77e153caUL,
+    0xbabb5d54UL, 0xa3a06c15UL, 0x888d3fd6UL, 0x91960e97UL, 0xded79850UL,
+    0xc7cca911UL, 0xece1fad2UL, 0xf5facb93UL, 0x7262d75cUL, 0x6b79e61dUL,
+    0x4054b5deUL, 0x594f849fUL, 0x160e1258UL, 0x0f152319UL, 0x243870daUL,
+    0x3d23419bUL, 0x65fd6ba7UL, 0x7ce65ae6UL, 0x57cb0925UL, 0x4ed03864UL,
+    0x0191aea3UL, 0x188a9fe2UL, 0x33a7cc21UL, 0x2abcfd60UL, 0xad24e1afUL,
+    0xb43fd0eeUL, 0x9f12832dUL, 0x8609b26cUL, 0xc94824abUL, 0xd05315eaUL,
+    0xfb7e4629UL, 0xe2657768UL, 0x2f3f79f6UL, 0x362448b7UL, 0x1d091b74UL,
+    0x04122a35UL, 0x4b53bcf2UL, 0x52488db3UL, 0x7965de70UL, 0x607eef31UL,
+    0xe7e6f3feUL, 0xfefdc2bfUL, 0xd5d0917cUL, 0xcccba03dUL, 0x838a36faUL,
+    0x9a9107bbUL, 0xb1bc5478UL, 0xa8a76539UL, 0x3b83984bUL, 0x2298a90aUL,
+    0x09b5fac9UL, 0x10aecb88UL, 0x5fef5d4fUL, 0x46f46c0eUL, 0x6dd93fcdUL,
+    0x74c20e8cUL, 0xf35a1243UL, 0xea412302UL, 0xc16c70c1UL, 0xd8774180UL,
+    0x9736d747UL, 0x8e2de606UL, 0xa500b5c5UL, 0xbc1b8484UL, 0x71418a1aUL,
+    0x685abb5bUL, 0x4377e898UL, 0x5a6cd9d9UL, 0x152d4f1eUL, 0x0c367e5fUL,
+    0x271b2d9cUL, 0x3e001cddUL, 0xb9980012UL, 0xa0833153UL, 0x8bae6290UL,
+    0x92b553d1UL, 0xddf4c516UL, 0xc4eff457UL, 0xefc2a794UL, 0xf6d996d5UL,
+    0xae07bce9UL, 0xb71c8da8UL, 0x9c31de6bUL, 0x852aef2aUL, 0xca6b79edUL,
+    0xd37048acUL, 0xf85d1b6fUL, 0xe1462a2eUL, 0x66de36e1UL, 0x7fc507a0UL,
+    0x54e85463UL, 0x4df36522UL, 0x02b2f3e5UL, 0x1ba9c2a4UL, 0x30849167UL,
+    0x299fa026UL, 0xe4c5aeb8UL, 0xfdde9ff9UL, 0xd6f3cc3aUL, 0xcfe8fd7bUL,
+    0x80a96bbcUL, 0x99b25afdUL, 0xb29f093eUL, 0xab84387fUL, 0x2c1c24b0UL,
+    0x350715f1UL, 0x1e2a4632UL, 0x07317773UL, 0x4870e1b4UL, 0x516bd0f5UL,
+    0x7a468336UL, 0x635db277UL, 0xcbfad74eUL, 0xd2e1e60fUL, 0xf9ccb5ccUL,
+    0xe0d7848dUL, 0xaf96124aUL, 0xb68d230bUL, 0x9da070c8UL, 0x84bb4189UL,
+    0x03235d46UL, 0x1a386c07UL, 0x31153fc4UL, 0x280e0e85UL, 0x674f9842UL,
+    0x7e54a903UL, 0x5579fac0UL, 0x4c62cb81UL, 0x8138c51fUL, 0x9823f45eUL,
+    0xb30ea79dUL, 0xaa1596dcUL, 0xe554001bUL, 0xfc4f315aUL, 0xd7626299UL,
+    0xce7953d8UL, 0x49e14f17UL, 0x50fa7e56UL, 0x7bd72d95UL, 0x62cc1cd4UL,
+    0x2d8d8a13UL, 0x3496bb52UL, 0x1fbbe891UL, 0x06a0d9d0UL, 0x5e7ef3ecUL,
+    0x4765c2adUL, 0x6c48916eUL, 0x7553a02fUL, 0x3a1236e8UL, 0x230907a9UL,
+    0x0824546aUL, 0x113f652bUL, 0x96a779e4UL, 0x8fbc48a5UL, 0xa4911b66UL,
+    0xbd8a2a27UL, 0xf2cbbce0UL, 0xebd08da1UL, 0xc0fdde62UL, 0xd9e6ef23UL,
+    0x14bce1bdUL, 0x0da7d0fcUL, 0x268a833fUL, 0x3f91b27eUL, 0x70d024b9UL,
+    0x69cb15f8UL, 0x42e6463bUL, 0x5bfd777aUL, 0xdc656bb5UL, 0xc57e5af4UL,
+    0xee530937UL, 0xf7483876UL, 0xb809aeb1UL, 0xa1129ff0UL, 0x8a3fcc33UL,
+    0x9324fd72UL
+  },
+  {
+    0x00000000UL, 0x01c26a37UL, 0x0384d46eUL, 0x0246be59UL, 0x0709a8dcUL,
+    0x06cbc2ebUL, 0x048d7cb2UL, 0x054f1685UL, 0x0e1351b8UL, 0x0fd13b8fUL,
+    0x0d9785d6UL, 0x0c55efe1UL, 0x091af964UL, 0x08d89353UL, 0x0a9e2d0aUL,
+    0x0b5c473dUL, 0x1c26a370UL, 0x1de4c947UL, 0x1fa2771eUL, 0x1e601d29UL,
+    0x1b2f0bacUL, 0x1aed619bUL, 0x18abdfc2UL, 0x1969b5f5UL, 0x1235f2c8UL,
+    0x13f798ffUL, 0x11b126a6UL, 0x10734c91UL, 0x153c5a14UL, 0x14fe3023UL,
+    0x16b88e7aUL, 0x177ae44dUL, 0x384d46e0UL, 0x398f2cd7UL, 0x3bc9928eUL,
+    0x3a0bf8b9UL, 0x3f44ee3cUL, 0x3e86840bUL, 0x3cc03a52UL, 0x3d025065UL,
+    0x365e1758UL, 0x379c7d6fUL, 0x35dac336UL, 0x3418a901UL, 0x3157bf84UL,
+    0x3095d5b3UL, 0x32d36beaUL, 0x331101ddUL, 0x246be590UL, 0x25a98fa7UL,
+    0x27ef31feUL, 0x262d5bc9UL, 0x23624d4cUL, 0x22a0277bUL, 0x20e69922UL,
+    0x2124f315UL, 0x2a78b428UL, 0x2bbade1fUL, 0x29fc6046UL, 0x283e0a71UL,
+    0x2d711cf4UL, 0x2cb376c3UL, 0x2ef5c89aUL, 0x2f37a2adUL, 0x709a8dc0UL,
+    0x7158e7f7UL, 0x731e59aeUL, 0x72dc3399UL, 0x7793251cUL, 0x76514f2bUL,
+    0x7417f172UL, 0x75d59b45UL, 0x7e89dc78UL, 0x7f4bb64fUL, 0x7d0d0816UL,
+    0x7ccf6221UL, 0x798074a4UL, 0x78421e93UL, 0x7a04a0caUL, 0x7bc6cafdUL,
+    0x6cbc2eb0UL, 0x6d7e4487UL, 0x6f38fadeUL, 0x6efa90e9UL, 0x6bb5866cUL,
+    0x6a77ec5bUL, 0x68315202UL, 0x69f33835UL, 0x62af7f08UL, 0x636d153fUL,
+    0x612bab66UL, 0x60e9c151UL, 0x65a6d7d4UL, 0x6464bde3UL, 0x662203baUL,
+    0x67e0698dUL, 0x48d7cb20UL, 0x4915a117UL, 0x4b531f4eUL, 0x4a917579UL,
+    0x4fde63fcUL, 0x4e1c09cbUL, 0x4c5ab792UL, 0x4d98dda5UL, 0x46c49a98UL,
+    0x4706f0afUL, 0x45404ef6UL, 0x448224c1UL, 0x41cd3244UL, 0x400f5873UL,
+    0x4249e62aUL, 0x438b8c1dUL, 0x54f16850UL, 0x55330267UL, 0x5775bc3eUL,
+    0x56b7d609UL, 0x53f8c08cUL, 0x523aaabbUL, 0x507c14e2UL, 0x51be7ed5UL,
+    0x5ae239e8UL, 0x5b2053dfUL, 0x5966ed86UL, 0x58a487b1UL, 0x5deb9134UL,
+    0x5c29fb03UL, 0x5e6f455aUL, 0x5fad2f6dUL, 0xe1351b80UL, 0xe0f771b7UL,
+    0xe2b1cfeeUL, 0xe373a5d9UL, 0xe63cb35cUL, 0xe7fed96bUL, 0xe5b86732UL,
+    0xe47a0d05UL, 0xef264a38UL, 0xeee4200fUL, 0xeca29e56UL, 0xed60f461UL,
+    0xe82fe2e4UL, 0xe9ed88d3UL, 0xebab368aUL, 0xea695cbdUL, 0xfd13b8f0UL,
+    0xfcd1d2c7UL, 0xfe976c9eUL, 0xff5506a9UL, 0xfa1a102cUL, 0xfbd87a1bUL,
+    0xf99ec442UL, 0xf85cae75UL, 0xf300e948UL, 0xf2c2837fUL, 0xf0843d26UL,
+    0xf1465711UL, 0xf4094194UL, 0xf5cb2ba3UL, 0xf78d95faUL, 0xf64fffcdUL,
+    0xd9785d60UL, 0xd8ba3757UL, 0xdafc890eUL, 0xdb3ee339UL, 0xde71f5bcUL,
+    0xdfb39f8bUL, 0xddf521d2UL, 0xdc374be5UL, 0xd76b0cd8UL, 0xd6a966efUL,
+    0xd4efd8b6UL, 0xd52db281UL, 0xd062a404UL, 0xd1a0ce33UL, 0xd3e6706aUL,
+    0xd2241a5dUL, 0xc55efe10UL, 0xc49c9427UL, 0xc6da2a7eUL, 0xc7184049UL,
+    0xc25756ccUL, 0xc3953cfbUL, 0xc1d382a2UL, 0xc011e895UL, 0xcb4dafa8UL,
+    0xca8fc59fUL, 0xc8c97bc6UL, 0xc90b11f1UL, 0xcc440774UL, 0xcd866d43UL,
+    0xcfc0d31aUL, 0xce02b92dUL, 0x91af9640UL, 0x906dfc77UL, 0x922b422eUL,
+    0x93e92819UL, 0x96a63e9cUL, 0x976454abUL, 0x9522eaf2UL, 0x94e080c5UL,
+    0x9fbcc7f8UL, 0x9e7eadcfUL, 0x9c381396UL, 0x9dfa79a1UL, 0x98b56f24UL,
+    0x99770513UL, 0x9b31bb4aUL, 0x9af3d17dUL, 0x8d893530UL, 0x8c4b5f07UL,
+    0x8e0de15eUL, 0x8fcf8b69UL, 0x8a809decUL, 0x8b42f7dbUL, 0x89044982UL,
+    0x88c623b5UL, 0x839a6488UL, 0x82580ebfUL, 0x801eb0e6UL, 0x81dcdad1UL,
+    0x8493cc54UL, 0x8551a663UL, 0x8717183aUL, 0x86d5720dUL, 0xa9e2d0a0UL,
+    0xa820ba97UL, 0xaa6604ceUL, 0xaba46ef9UL, 0xaeeb787cUL, 0xaf29124bUL,
+    0xad6fac12UL, 0xacadc625UL, 0xa7f18118UL, 0xa633eb2fUL, 0xa4755576UL,
+    0xa5b73f41UL, 0xa0f829c4UL, 0xa13a43f3UL, 0xa37cfdaaUL, 0xa2be979dUL,
+    0xb5c473d0UL, 0xb40619e7UL, 0xb640a7beUL, 0xb782cd89UL, 0xb2cddb0cUL,
+    0xb30fb13bUL, 0xb1490f62UL, 0xb08b6555UL, 0xbbd72268UL, 0xba15485fUL,
+    0xb853f606UL, 0xb9919c31UL, 0xbcde8ab4UL, 0xbd1ce083UL, 0xbf5a5edaUL,
+    0xbe9834edUL
+  },
+  {
+    0x00000000UL, 0xb8bc6765UL, 0xaa09c88bUL, 0x12b5afeeUL, 0x8f629757UL,
+    0x37def032UL, 0x256b5fdcUL, 0x9dd738b9UL, 0xc5b428efUL, 0x7d084f8aUL,
+    0x6fbde064UL, 0xd7018701UL, 0x4ad6bfb8UL, 0xf26ad8ddUL, 0xe0df7733UL,
+    0x58631056UL, 0x5019579fUL, 0xe8a530faUL, 0xfa109f14UL, 0x42acf871UL,
+    0xdf7bc0c8UL, 0x67c7a7adUL, 0x75720843UL, 0xcdce6f26UL, 0x95ad7f70UL,
+    0x2d111815UL, 0x3fa4b7fbUL, 0x8718d09eUL, 0x1acfe827UL, 0xa2738f42UL,
+    0xb0c620acUL, 0x087a47c9UL, 0xa032af3eUL, 0x188ec85bUL, 0x0a3b67b5UL,
+    0xb28700d0UL, 0x2f503869UL, 0x97ec5f0cUL, 0x8559f0e2UL, 0x3de59787UL,
+    0x658687d1UL, 0xdd3ae0b4UL, 0xcf8f4f5aUL, 0x7733283fUL, 0xeae41086UL,
+    0x525877e3UL, 0x40edd80dUL, 0xf851bf68UL, 0xf02bf8a1UL, 0x48979fc4UL,
+    0x5a22302aUL, 0xe29e574fUL, 0x7f496ff6UL, 0xc7f50893UL, 0xd540a77dUL,
+    0x6dfcc018UL, 0x359fd04eUL, 0x8d23b72bUL, 0x9f9618c5UL, 0x272a7fa0UL,
+    0xbafd4719UL, 0x0241207cUL, 0x10f48f92UL, 0xa848e8f7UL, 0x9b14583dUL,
+    0x23a83f58UL, 0x311d90b6UL, 0x89a1f7d3UL, 0x1476cf6aUL, 0xaccaa80fUL,
+    0xbe7f07e1UL, 0x06c36084UL, 0x5ea070d2UL, 0xe61c17b7UL, 0xf4a9b859UL,
+    0x4c15df3cUL, 0xd1c2e785UL, 0x697e80e0UL, 0x7bcb2f0eUL, 0xc377486bUL,
+    0xcb0d0fa2UL, 0x73b168c7UL, 0x6104c729UL, 0xd9b8a04cUL, 0x446f98f5UL,
+    0xfcd3ff90UL, 0xee66507eUL, 0x56da371bUL, 0x0eb9274dUL, 0xb6054028UL,
+    0xa4b0efc6UL, 0x1c0c88a3UL, 0x81dbb01aUL, 0x3967d77fUL, 0x2bd27891UL,
+    0x936e1ff4UL, 0x3b26f703UL, 0x839a9066UL, 0x912f3f88UL, 0x299358edUL,
+    0xb4446054UL, 0x0cf80731UL, 0x1e4da8dfUL, 0xa6f1cfbaUL, 0xfe92dfecUL,
+    0x462eb889UL, 0x549b1767UL, 0xec277002UL, 0x71f048bbUL, 0xc94c2fdeUL,
+    0xdbf98030UL, 0x6345e755UL, 0x6b3fa09cUL, 0xd383c7f9UL, 0xc1366817UL,
+    0x798a0f72UL, 0xe45d37cbUL, 0x5ce150aeUL, 0x4e54ff40UL, 0xf6e89825UL,
+    0xae8b8873UL, 0x1637ef16UL, 0x048240f8UL, 0xbc3e279dUL, 0x21e91f24UL,
+    0x99557841UL, 0x8be0d7afUL, 0x335cb0caUL, 0xed59b63bUL, 0x55e5d15eUL,
+    0x47507eb0UL, 0xffec19d5UL, 0x623b216cUL, 0xda874609UL, 0xc832e9e7UL,
+    0x708e8e82UL, 0x28ed9ed4UL, 0x9051f9b1UL, 0x82e4565fUL, 0x3a58313aUL,
+    0xa78f0983UL, 0x1f336ee6UL, 0x0d86c108UL, 0xb53aa66dUL, 0xbd40e1a4UL,
+    0x05fc86c1UL, 0x1749292fUL, 0xaff54e4aUL, 0x322276f3UL, 0x8a9e1196UL,
+    0x982bbe78UL, 0x2097d91dUL, 0x78f4c94bUL, 0xc048ae2eUL, 0xd2fd01c0UL,
+    0x6a4166a5UL, 0xf7965e1cUL, 0x4f2a3979UL, 0x5d9f9697UL, 0xe523f1f2UL,
+    0x4d6b1905UL, 0xf5d77e60UL, 0xe762d18eUL, 0x5fdeb6ebUL, 0xc2098e52UL,
+    0x7ab5e937UL, 0x680046d9UL, 0xd0bc21bcUL, 0x88df31eaUL, 0x3063568fUL,
+    0x22d6f961UL, 0x9a6a9e04UL, 0x07bda6bdUL, 0xbf01c1d8UL, 0xadb46e36UL,
+    0x15080953UL, 0x1d724e9aUL, 0xa5ce29ffUL, 0xb77b8611UL, 0x0fc7e174UL,
+    0x9210d9cdUL, 0x2aacbea8UL, 0x38191146UL, 0x80a57623UL, 0xd8c66675UL,
+    0x607a0110UL, 0x72cfaefeUL, 0xca73c99bUL, 0x57a4f122UL, 0xef189647UL,
+    0xfdad39a9UL, 0x45115eccUL, 0x764dee06UL, 0xcef18963UL, 0xdc44268dUL,
+    0x64f841e8UL, 0xf92f7951UL, 0x41931e34UL, 0x5326b1daUL, 0xeb9ad6bfUL,
+    0xb3f9c6e9UL, 0x0b45a18cUL, 0x19f00e62UL, 0xa14c6907UL, 0x3c9b51beUL,
+    0x842736dbUL, 0x96929935UL, 0x2e2efe50UL, 0x2654b999UL, 0x9ee8defcUL,
+    0x8c5d7112UL, 0x34e11677UL, 0xa9362eceUL, 0x118a49abUL, 0x033fe645UL,
+    0xbb838120UL, 0xe3e09176UL, 0x5b5cf613UL, 0x49e959fdUL, 0xf1553e98UL,
+    0x6c820621UL, 0xd43e6144UL, 0xc68bceaaUL, 0x7e37a9cfUL, 0xd67f4138UL,
+    0x6ec3265dUL, 0x7c7689b3UL, 0xc4caeed6UL, 0x591dd66fUL, 0xe1a1b10aUL,
+    0xf3141ee4UL, 0x4ba87981UL, 0x13cb69d7UL, 0xab770eb2UL, 0xb9c2a15cUL,
+    0x017ec639UL, 0x9ca9fe80UL, 0x241599e5UL, 0x36a0360bUL, 0x8e1c516eUL,
+    0x866616a7UL, 0x3eda71c2UL, 0x2c6fde2cUL, 0x94d3b949UL, 0x090481f0UL,
+    0xb1b8e695UL, 0xa30d497bUL, 0x1bb12e1eUL, 0x43d23e48UL, 0xfb6e592dUL,
+    0xe9dbf6c3UL, 0x516791a6UL, 0xccb0a91fUL, 0x740cce7aUL, 0x66b96194UL,
+    0xde0506f1UL
+  },
+  {
+    0x00000000UL, 0x96300777UL, 0x2c610eeeUL, 0xba510999UL, 0x19c46d07UL,
+    0x8ff46a70UL, 0x35a563e9UL, 0xa395649eUL, 0x3288db0eUL, 0xa4b8dc79UL,
+    0x1ee9d5e0UL, 0x88d9d297UL, 0x2b4cb609UL, 0xbd7cb17eUL, 0x072db8e7UL,
+    0x911dbf90UL, 0x6410b71dUL, 0xf220b06aUL, 0x4871b9f3UL, 0xde41be84UL,
+    0x7dd4da1aUL, 0xebe4dd6dUL, 0x51b5d4f4UL, 0xc785d383UL, 0x56986c13UL,
+    0xc0a86b64UL, 0x7af962fdUL, 0xecc9658aUL, 0x4f5c0114UL, 0xd96c0663UL,
+    0x633d0ffaUL, 0xf50d088dUL, 0xc8206e3bUL, 0x5e10694cUL, 0xe44160d5UL,
+    0x727167a2UL, 0xd1e4033cUL, 0x47d4044bUL, 0xfd850dd2UL, 0x6bb50aa5UL,
+    0xfaa8b535UL, 0x6c98b242UL, 0xd6c9bbdbUL, 0x40f9bcacUL, 0xe36cd832UL,
+    0x755cdf45UL, 0xcf0dd6dcUL, 0x593dd1abUL, 0xac30d926UL, 0x3a00de51UL,
+    0x8051d7c8UL, 0x1661d0bfUL, 0xb5f4b421UL, 0x23c4b356UL, 0x9995bacfUL,
+    0x0fa5bdb8UL, 0x9eb80228UL, 0x0888055fUL, 0xb2d90cc6UL, 0x24e90bb1UL,
+    0x877c6f2fUL, 0x114c6858UL, 0xab1d61c1UL, 0x3d2d66b6UL, 0x9041dc76UL,
+    0x0671db01UL, 0xbc20d298UL, 0x2a10d5efUL, 0x8985b171UL, 0x1fb5b606UL,
+    0xa5e4bf9fUL, 0x33d4b8e8UL, 0xa2c90778UL, 0x34f9000fUL, 0x8ea80996UL,
+    0x18980ee1UL, 0xbb0d6a7fUL, 0x2d3d6d08UL, 0x976c6491UL, 0x015c63e6UL,
+    0xf4516b6bUL, 0x62616c1cUL, 0xd8306585UL, 0x4e0062f2UL, 0xed95066cUL,
+    0x7ba5011bUL, 0xc1f40882UL, 0x57c40ff5UL, 0xc6d9b065UL, 0x50e9b712UL,
+    0xeab8be8bUL, 0x7c88b9fcUL, 0xdf1ddd62UL, 0x492dda15UL, 0xf37cd38cUL,
+    0x654cd4fbUL, 0x5861b24dUL, 0xce51b53aUL, 0x7400bca3UL, 0xe230bbd4UL,
+    0x41a5df4aUL, 0xd795d83dUL, 0x6dc4d1a4UL, 0xfbf4d6d3UL, 0x6ae96943UL,
+    0xfcd96e34UL, 0x468867adUL, 0xd0b860daUL, 0x732d0444UL, 0xe51d0333UL,
+    0x5f4c0aaaUL, 0xc97c0dddUL, 0x3c710550UL, 0xaa410227UL, 0x10100bbeUL,
+    0x86200cc9UL, 0x25b56857UL, 0xb3856f20UL, 0x09d466b9UL, 0x9fe461ceUL,
+    0x0ef9de5eUL, 0x98c9d929UL, 0x2298d0b0UL, 0xb4a8d7c7UL, 0x173db359UL,
+    0x810db42eUL, 0x3b5cbdb7UL, 0xad6cbac0UL, 0x2083b8edUL, 0xb6b3bf9aUL,
+    0x0ce2b603UL, 0x9ad2b174UL, 0x3947d5eaUL, 0xaf77d29dUL, 0x1526db04UL,
+    0x8316dc73UL, 0x120b63e3UL, 0x843b6494UL, 0x3e6a6d0dUL, 0xa85a6a7aUL,
+    0x0bcf0ee4UL, 0x9dff0993UL, 0x27ae000aUL, 0xb19e077dUL, 0x44930ff0UL,
+    0xd2a30887UL, 0x68f2011eUL, 0xfec20669UL, 0x5d5762f7UL, 0xcb676580UL,
+    0x71366c19UL, 0xe7066b6eUL, 0x761bd4feUL, 0xe02bd389UL, 0x5a7ada10UL,
+    0xcc4add67UL, 0x6fdfb9f9UL, 0xf9efbe8eUL, 0x43beb717UL, 0xd58eb060UL,
+    0xe8a3d6d6UL, 0x7e93d1a1UL, 0xc4c2d838UL, 0x52f2df4fUL, 0xf167bbd1UL,
+    0x6757bca6UL, 0xdd06b53fUL, 0x4b36b248UL, 0xda2b0dd8UL, 0x4c1b0aafUL,
+    0xf64a0336UL, 0x607a0441UL, 0xc3ef60dfUL, 0x55df67a8UL, 0xef8e6e31UL,
+    0x79be6946UL, 0x8cb361cbUL, 0x1a8366bcUL, 0xa0d26f25UL, 0x36e26852UL,
+    0x95770cccUL, 0x03470bbbUL, 0xb9160222UL, 0x2f260555UL, 0xbe3bbac5UL,
+    0x280bbdb2UL, 0x925ab42bUL, 0x046ab35cUL, 0xa7ffd7c2UL, 0x31cfd0b5UL,
+    0x8b9ed92cUL, 0x1daede5bUL, 0xb0c2649bUL, 0x26f263ecUL, 0x9ca36a75UL,
+    0x0a936d02UL, 0xa906099cUL, 0x3f360eebUL, 0x85670772UL, 0x13570005UL,
+    0x824abf95UL, 0x147ab8e2UL, 0xae2bb17bUL, 0x381bb60cUL, 0x9b8ed292UL,
+    0x0dbed5e5UL, 0xb7efdc7cUL, 0x21dfdb0bUL, 0xd4d2d386UL, 0x42e2d4f1UL,
+    0xf8b3dd68UL, 0x6e83da1fUL, 0xcd16be81UL, 0x5b26b9f6UL, 0xe177b06fUL,
+    0x7747b718UL, 0xe65a0888UL, 0x706a0fffUL, 0xca3b0666UL, 0x5c0b0111UL,
+    0xff9e658fUL, 0x69ae62f8UL, 0xd3ff6b61UL, 0x45cf6c16UL, 0x78e20aa0UL,
+    0xeed20dd7UL, 0x5483044eUL, 0xc2b30339UL, 0x612667a7UL, 0xf71660d0UL,
+    0x4d476949UL, 0xdb776e3eUL, 0x4a6ad1aeUL, 0xdc5ad6d9UL, 0x660bdf40UL,
+    0xf03bd837UL, 0x53aebca9UL, 0xc59ebbdeUL, 0x7fcfb247UL, 0xe9ffb530UL,
+    0x1cf2bdbdUL, 0x8ac2bacaUL, 0x3093b353UL, 0xa6a3b424UL, 0x0536d0baUL,
+    0x9306d7cdUL, 0x2957de54UL, 0xbf67d923UL, 0x2e7a66b3UL, 0xb84a61c4UL,
+    0x021b685dUL, 0x942b6f2aUL, 0x37be0bb4UL, 0xa18e0cc3UL, 0x1bdf055aUL,
+    0x8def022dUL
+  },
+  {
+    0x00000000UL, 0x41311b19UL, 0x82623632UL, 0xc3532d2bUL, 0x04c56c64UL,
+    0x45f4777dUL, 0x86a75a56UL, 0xc796414fUL, 0x088ad9c8UL, 0x49bbc2d1UL,
+    0x8ae8effaUL, 0xcbd9f4e3UL, 0x0c4fb5acUL, 0x4d7eaeb5UL, 0x8e2d839eUL,
+    0xcf1c9887UL, 0x5112c24aUL, 0x1023d953UL, 0xd370f478UL, 0x9241ef61UL,
+    0x55d7ae2eUL, 0x14e6b537UL, 0xd7b5981cUL, 0x96848305UL, 0x59981b82UL,
+    0x18a9009bUL, 0xdbfa2db0UL, 0x9acb36a9UL, 0x5d5d77e6UL, 0x1c6c6cffUL,
+    0xdf3f41d4UL, 0x9e0e5acdUL, 0xa2248495UL, 0xe3159f8cUL, 0x2046b2a7UL,
+    0x6177a9beUL, 0xa6e1e8f1UL, 0xe7d0f3e8UL, 0x2483dec3UL, 0x65b2c5daUL,
+    0xaaae5d5dUL, 0xeb9f4644UL, 0x28cc6b6fUL, 0x69fd7076UL, 0xae6b3139UL,
+    0xef5a2a20UL, 0x2c09070bUL, 0x6d381c12UL, 0xf33646dfUL, 0xb2075dc6UL,
+    0x715470edUL, 0x30656bf4UL, 0xf7f32abbUL, 0xb6c231a2UL, 0x75911c89UL,
+    0x34a00790UL, 0xfbbc9f17UL, 0xba8d840eUL, 0x79dea925UL, 0x38efb23cUL,
+    0xff79f373UL, 0xbe48e86aUL, 0x7d1bc541UL, 0x3c2ade58UL, 0x054f79f0UL,
+    0x447e62e9UL, 0x872d4fc2UL, 0xc61c54dbUL, 0x018a1594UL, 0x40bb0e8dUL,
+    0x83e823a6UL, 0xc2d938bfUL, 0x0dc5a038UL, 0x4cf4bb21UL, 0x8fa7960aUL,
+    0xce968d13UL, 0x0900cc5cUL, 0x4831d745UL, 0x8b62fa6eUL, 0xca53e177UL,
+    0x545dbbbaUL, 0x156ca0a3UL, 0xd63f8d88UL, 0x970e9691UL, 0x5098d7deUL,
+    0x11a9ccc7UL, 0xd2fae1ecUL, 0x93cbfaf5UL, 0x5cd76272UL, 0x1de6796bUL,
+    0xdeb55440UL, 0x9f844f59UL, 0x58120e16UL, 0x1923150fUL, 0xda703824UL,
+    0x9b41233dUL, 0xa76bfd65UL, 0xe65ae67cUL, 0x2509cb57UL, 0x6438d04eUL,
+    0xa3ae9101UL, 0xe29f8a18UL, 0x21cca733UL, 0x60fdbc2aUL, 0xafe124adUL,
+    0xeed03fb4UL, 0x2d83129fUL, 0x6cb20986UL, 0xab2448c9UL, 0xea1553d0UL,
+    0x29467efbUL, 0x687765e2UL, 0xf6793f2fUL, 0xb7482436UL, 0x741b091dUL,
+    0x352a1204UL, 0xf2bc534bUL, 0xb38d4852UL, 0x70de6579UL, 0x31ef7e60UL,
+    0xfef3e6e7UL, 0xbfc2fdfeUL, 0x7c91d0d5UL, 0x3da0cbccUL, 0xfa368a83UL,
+    0xbb07919aUL, 0x7854bcb1UL, 0x3965a7a8UL, 0x4b98833bUL, 0x0aa99822UL,
+    0xc9fab509UL, 0x88cbae10UL, 0x4f5def5fUL, 0x0e6cf446UL, 0xcd3fd96dUL,
+    0x8c0ec274UL, 0x43125af3UL, 0x022341eaUL, 0xc1706cc1UL, 0x804177d8UL,
+    0x47d73697UL, 0x06e62d8eUL, 0xc5b500a5UL, 0x84841bbcUL, 0x1a8a4171UL,
+    0x5bbb5a68UL, 0x98e87743UL, 0xd9d96c5aUL, 0x1e4f2d15UL, 0x5f7e360cUL,
+    0x9c2d1b27UL, 0xdd1c003eUL, 0x120098b9UL, 0x533183a0UL, 0x9062ae8bUL,
+    0xd153b592UL, 0x16c5f4ddUL, 0x57f4efc4UL, 0x94a7c2efUL, 0xd596d9f6UL,
+    0xe9bc07aeUL, 0xa88d1cb7UL, 0x6bde319cUL, 0x2aef2a85UL, 0xed796bcaUL,
+    0xac4870d3UL, 0x6f1b5df8UL, 0x2e2a46e1UL, 0xe136de66UL, 0xa007c57fUL,
+    0x6354e854UL, 0x2265f34dUL, 0xe5f3b202UL, 0xa4c2a91bUL, 0x67918430UL,
+    0x26a09f29UL, 0xb8aec5e4UL, 0xf99fdefdUL, 0x3accf3d6UL, 0x7bfde8cfUL,
+    0xbc6ba980UL, 0xfd5ab299UL, 0x3e099fb2UL, 0x7f3884abUL, 0xb0241c2cUL,
+    0xf1150735UL, 0x32462a1eUL, 0x73773107UL, 0xb4e17048UL, 0xf5d06b51UL,
+    0x3683467aUL, 0x77b25d63UL, 0x4ed7facbUL, 0x0fe6e1d2UL, 0xccb5ccf9UL,
+    0x8d84d7e0UL, 0x4a1296afUL, 0x0b238db6UL, 0xc870a09dUL, 0x8941bb84UL,
+    0x465d2303UL, 0x076c381aUL, 0xc43f1531UL, 0x850e0e28UL, 0x42984f67UL,
+    0x03a9547eUL, 0xc0fa7955UL, 0x81cb624cUL, 0x1fc53881UL, 0x5ef42398UL,
+    0x9da70eb3UL, 0xdc9615aaUL, 0x1b0054e5UL, 0x5a314ffcUL, 0x996262d7UL,
+    0xd85379ceUL, 0x174fe149UL, 0x567efa50UL, 0x952dd77bUL, 0xd41ccc62UL,
+    0x138a8d2dUL, 0x52bb9634UL, 0x91e8bb1fUL, 0xd0d9a006UL, 0xecf37e5eUL,
+    0xadc26547UL, 0x6e91486cUL, 0x2fa05375UL, 0xe836123aUL, 0xa9070923UL,
+    0x6a542408UL, 0x2b653f11UL, 0xe479a796UL, 0xa548bc8fUL, 0x661b91a4UL,
+    0x272a8abdUL, 0xe0bccbf2UL, 0xa18dd0ebUL, 0x62defdc0UL, 0x23efe6d9UL,
+    0xbde1bc14UL, 0xfcd0a70dUL, 0x3f838a26UL, 0x7eb2913fUL, 0xb924d070UL,
+    0xf815cb69UL, 0x3b46e642UL, 0x7a77fd5bUL, 0xb56b65dcUL, 0xf45a7ec5UL,
+    0x370953eeUL, 0x763848f7UL, 0xb1ae09b8UL, 0xf09f12a1UL, 0x33cc3f8aUL,
+    0x72fd2493UL
+  },
+  {
+    0x00000000UL, 0x376ac201UL, 0x6ed48403UL, 0x59be4602UL, 0xdca80907UL,
+    0xebc2cb06UL, 0xb27c8d04UL, 0x85164f05UL, 0xb851130eUL, 0x8f3bd10fUL,
+    0xd685970dUL, 0xe1ef550cUL, 0x64f91a09UL, 0x5393d808UL, 0x0a2d9e0aUL,
+    0x3d475c0bUL, 0x70a3261cUL, 0x47c9e41dUL, 0x1e77a21fUL, 0x291d601eUL,
+    0xac0b2f1bUL, 0x9b61ed1aUL, 0xc2dfab18UL, 0xf5b56919UL, 0xc8f23512UL,
+    0xff98f713UL, 0xa626b111UL, 0x914c7310UL, 0x145a3c15UL, 0x2330fe14UL,
+    0x7a8eb816UL, 0x4de47a17UL, 0xe0464d38UL, 0xd72c8f39UL, 0x8e92c93bUL,
+    0xb9f80b3aUL, 0x3cee443fUL, 0x0b84863eUL, 0x523ac03cUL, 0x6550023dUL,
+    0x58175e36UL, 0x6f7d9c37UL, 0x36c3da35UL, 0x01a91834UL, 0x84bf5731UL,
+    0xb3d59530UL, 0xea6bd332UL, 0xdd011133UL, 0x90e56b24UL, 0xa78fa925UL,
+    0xfe31ef27UL, 0xc95b2d26UL, 0x4c4d6223UL, 0x7b27a022UL, 0x2299e620UL,
+    0x15f32421UL, 0x28b4782aUL, 0x1fdeba2bUL, 0x4660fc29UL, 0x710a3e28UL,
+    0xf41c712dUL, 0xc376b32cUL, 0x9ac8f52eUL, 0xada2372fUL, 0xc08d9a70UL,
+    0xf7e75871UL, 0xae591e73UL, 0x9933dc72UL, 0x1c259377UL, 0x2b4f5176UL,
+    0x72f11774UL, 0x459bd575UL, 0x78dc897eUL, 0x4fb64b7fUL, 0x16080d7dUL,
+    0x2162cf7cUL, 0xa4748079UL, 0x931e4278UL, 0xcaa0047aUL, 0xfdcac67bUL,
+    0xb02ebc6cUL, 0x87447e6dUL, 0xdefa386fUL, 0xe990fa6eUL, 0x6c86b56bUL,
+    0x5bec776aUL, 0x02523168UL, 0x3538f369UL, 0x087faf62UL, 0x3f156d63UL,
+    0x66ab2b61UL, 0x51c1e960UL, 0xd4d7a665UL, 0xe3bd6464UL, 0xba032266UL,
+    0x8d69e067UL, 0x20cbd748UL, 0x17a11549UL, 0x4e1f534bUL, 0x7975914aUL,
+    0xfc63de4fUL, 0xcb091c4eUL, 0x92b75a4cUL, 0xa5dd984dUL, 0x989ac446UL,
+    0xaff00647UL, 0xf64e4045UL, 0xc1248244UL, 0x4432cd41UL, 0x73580f40UL,
+    0x2ae64942UL, 0x1d8c8b43UL, 0x5068f154UL, 0x67023355UL, 0x3ebc7557UL,
+    0x09d6b756UL, 0x8cc0f853UL, 0xbbaa3a52UL, 0xe2147c50UL, 0xd57ebe51UL,
+    0xe839e25aUL, 0xdf53205bUL, 0x86ed6659UL, 0xb187a458UL, 0x3491eb5dUL,
+    0x03fb295cUL, 0x5a456f5eUL, 0x6d2fad5fUL, 0x801b35e1UL, 0xb771f7e0UL,
+    0xeecfb1e2UL, 0xd9a573e3UL, 0x5cb33ce6UL, 0x6bd9fee7UL, 0x3267b8e5UL,
+    0x050d7ae4UL, 0x384a26efUL, 0x0f20e4eeUL, 0x569ea2ecUL, 0x61f460edUL,
+    0xe4e22fe8UL, 0xd388ede9UL, 0x8a36abebUL, 0xbd5c69eaUL, 0xf0b813fdUL,
+    0xc7d2d1fcUL, 0x9e6c97feUL, 0xa90655ffUL, 0x2c101afaUL, 0x1b7ad8fbUL,
+    0x42c49ef9UL, 0x75ae5cf8UL, 0x48e900f3UL, 0x7f83c2f2UL, 0x263d84f0UL,
+    0x115746f1UL, 0x944109f4UL, 0xa32bcbf5UL, 0xfa958df7UL, 0xcdff4ff6UL,
+    0x605d78d9UL, 0x5737bad8UL, 0x0e89fcdaUL, 0x39e33edbUL, 0xbcf571deUL,
+    0x8b9fb3dfUL, 0xd221f5ddUL, 0xe54b37dcUL, 0xd80c6bd7UL, 0xef66a9d6UL,
+    0xb6d8efd4UL, 0x81b22dd5UL, 0x04a462d0UL, 0x33cea0d1UL, 0x6a70e6d3UL,
+    0x5d1a24d2UL, 0x10fe5ec5UL, 0x27949cc4UL, 0x7e2adac6UL, 0x494018c7UL,
+    0xcc5657c2UL, 0xfb3c95c3UL, 0xa282d3c1UL, 0x95e811c0UL, 0xa8af4dcbUL,
+    0x9fc58fcaUL, 0xc67bc9c8UL, 0xf1110bc9UL, 0x740744ccUL, 0x436d86cdUL,
+    0x1ad3c0cfUL, 0x2db902ceUL, 0x4096af91UL, 0x77fc6d90UL, 0x2e422b92UL,
+    0x1928e993UL, 0x9c3ea696UL, 0xab546497UL, 0xf2ea2295UL, 0xc580e094UL,
+    0xf8c7bc9fUL, 0xcfad7e9eUL, 0x9613389cUL, 0xa179fa9dUL, 0x246fb598UL,
+    0x13057799UL, 0x4abb319bUL, 0x7dd1f39aUL, 0x3035898dUL, 0x075f4b8cUL,
+    0x5ee10d8eUL, 0x698bcf8fUL, 0xec9d808aUL, 0xdbf7428bUL, 0x82490489UL,
+    0xb523c688UL, 0x88649a83UL, 0xbf0e5882UL, 0xe6b01e80UL, 0xd1dadc81UL,
+    0x54cc9384UL, 0x63a65185UL, 0x3a181787UL, 0x0d72d586UL, 0xa0d0e2a9UL,
+    0x97ba20a8UL, 0xce0466aaUL, 0xf96ea4abUL, 0x7c78ebaeUL, 0x4b1229afUL,
+    0x12ac6fadUL, 0x25c6adacUL, 0x1881f1a7UL, 0x2feb33a6UL, 0x765575a4UL,
+    0x413fb7a5UL, 0xc429f8a0UL, 0xf3433aa1UL, 0xaafd7ca3UL, 0x9d97bea2UL,
+    0xd073c4b5UL, 0xe71906b4UL, 0xbea740b6UL, 0x89cd82b7UL, 0x0cdbcdb2UL,
+    0x3bb10fb3UL, 0x620f49b1UL, 0x55658bb0UL, 0x6822d7bbUL, 0x5f4815baUL,
+    0x06f653b8UL, 0x319c91b9UL, 0xb48adebcUL, 0x83e01cbdUL, 0xda5e5abfUL,
+    0xed3498beUL
+  },
+  {
+    0x00000000UL, 0x6567bcb8UL, 0x8bc809aaUL, 0xeeafb512UL, 0x5797628fUL,
+    0x32f0de37UL, 0xdc5f6b25UL, 0xb938d79dUL, 0xef28b4c5UL, 0x8a4f087dUL,
+    0x64e0bd6fUL, 0x018701d7UL, 0xb8bfd64aUL, 0xddd86af2UL, 0x3377dfe0UL,
+    0x56106358UL, 0x9f571950UL, 0xfa30a5e8UL, 0x149f10faUL, 0x71f8ac42UL,
+    0xc8c07bdfUL, 0xada7c767UL, 0x43087275UL, 0x266fcecdUL, 0x707fad95UL,
+    0x1518112dUL, 0xfbb7a43fUL, 0x9ed01887UL, 0x27e8cf1aUL, 0x428f73a2UL,
+    0xac20c6b0UL, 0xc9477a08UL, 0x3eaf32a0UL, 0x5bc88e18UL, 0xb5673b0aUL,
+    0xd00087b2UL, 0x6938502fUL, 0x0c5fec97UL, 0xe2f05985UL, 0x8797e53dUL,
+    0xd1878665UL, 0xb4e03addUL, 0x5a4f8fcfUL, 0x3f283377UL, 0x8610e4eaUL,
+    0xe3775852UL, 0x0dd8ed40UL, 0x68bf51f8UL, 0xa1f82bf0UL, 0xc49f9748UL,
+    0x2a30225aUL, 0x4f579ee2UL, 0xf66f497fUL, 0x9308f5c7UL, 0x7da740d5UL,
+    0x18c0fc6dUL, 0x4ed09f35UL, 0x2bb7238dUL, 0xc518969fUL, 0xa07f2a27UL,
+    0x1947fdbaUL, 0x7c204102UL, 0x928ff410UL, 0xf7e848a8UL, 0x3d58149bUL,
+    0x583fa823UL, 0xb6901d31UL, 0xd3f7a189UL, 0x6acf7614UL, 0x0fa8caacUL,
+    0xe1077fbeUL, 0x8460c306UL, 0xd270a05eUL, 0xb7171ce6UL, 0x59b8a9f4UL,
+    0x3cdf154cUL, 0x85e7c2d1UL, 0xe0807e69UL, 0x0e2fcb7bUL, 0x6b4877c3UL,
+    0xa20f0dcbUL, 0xc768b173UL, 0x29c70461UL, 0x4ca0b8d9UL, 0xf5986f44UL,
+    0x90ffd3fcUL, 0x7e5066eeUL, 0x1b37da56UL, 0x4d27b90eUL, 0x284005b6UL,
+    0xc6efb0a4UL, 0xa3880c1cUL, 0x1ab0db81UL, 0x7fd76739UL, 0x9178d22bUL,
+    0xf41f6e93UL, 0x03f7263bUL, 0x66909a83UL, 0x883f2f91UL, 0xed589329UL,
+    0x546044b4UL, 0x3107f80cUL, 0xdfa84d1eUL, 0xbacff1a6UL, 0xecdf92feUL,
+    0x89b82e46UL, 0x67179b54UL, 0x027027ecUL, 0xbb48f071UL, 0xde2f4cc9UL,
+    0x3080f9dbUL, 0x55e74563UL, 0x9ca03f6bUL, 0xf9c783d3UL, 0x176836c1UL,
+    0x720f8a79UL, 0xcb375de4UL, 0xae50e15cUL, 0x40ff544eUL, 0x2598e8f6UL,
+    0x73888baeUL, 0x16ef3716UL, 0xf8408204UL, 0x9d273ebcUL, 0x241fe921UL,
+    0x41785599UL, 0xafd7e08bUL, 0xcab05c33UL, 0x3bb659edUL, 0x5ed1e555UL,
+    0xb07e5047UL, 0xd519ecffUL, 0x6c213b62UL, 0x094687daUL, 0xe7e932c8UL,
+    0x828e8e70UL, 0xd49eed28UL, 0xb1f95190UL, 0x5f56e482UL, 0x3a31583aUL,
+    0x83098fa7UL, 0xe66e331fUL, 0x08c1860dUL, 0x6da63ab5UL, 0xa4e140bdUL,
+    0xc186fc05UL, 0x2f294917UL, 0x4a4ef5afUL, 0xf3762232UL, 0x96119e8aUL,
+    0x78be2b98UL, 0x1dd99720UL, 0x4bc9f478UL, 0x2eae48c0UL, 0xc001fdd2UL,
+    0xa566416aUL, 0x1c5e96f7UL, 0x79392a4fUL, 0x97969f5dUL, 0xf2f123e5UL,
+    0x05196b4dUL, 0x607ed7f5UL, 0x8ed162e7UL, 0xebb6de5fUL, 0x528e09c2UL,
+    0x37e9b57aUL, 0xd9460068UL, 0xbc21bcd0UL, 0xea31df88UL, 0x8f566330UL,
+    0x61f9d622UL, 0x049e6a9aUL, 0xbda6bd07UL, 0xd8c101bfUL, 0x366eb4adUL,
+    0x53090815UL, 0x9a4e721dUL, 0xff29cea5UL, 0x11867bb7UL, 0x74e1c70fUL,
+    0xcdd91092UL, 0xa8beac2aUL, 0x46111938UL, 0x2376a580UL, 0x7566c6d8UL,
+    0x10017a60UL, 0xfeaecf72UL, 0x9bc973caUL, 0x22f1a457UL, 0x479618efUL,
+    0xa939adfdUL, 0xcc5e1145UL, 0x06ee4d76UL, 0x6389f1ceUL, 0x8d2644dcUL,
+    0xe841f864UL, 0x51792ff9UL, 0x341e9341UL, 0xdab12653UL, 0xbfd69aebUL,
+    0xe9c6f9b3UL, 0x8ca1450bUL, 0x620ef019UL, 0x07694ca1UL, 0xbe519b3cUL,
+    0xdb362784UL, 0x35999296UL, 0x50fe2e2eUL, 0x99b95426UL, 0xfcdee89eUL,
+    0x12715d8cUL, 0x7716e134UL, 0xce2e36a9UL, 0xab498a11UL, 0x45e63f03UL,
+    0x208183bbUL, 0x7691e0e3UL, 0x13f65c5bUL, 0xfd59e949UL, 0x983e55f1UL,
+    0x2106826cUL, 0x44613ed4UL, 0xaace8bc6UL, 0xcfa9377eUL, 0x38417fd6UL,
+    0x5d26c36eUL, 0xb389767cUL, 0xd6eecac4UL, 0x6fd61d59UL, 0x0ab1a1e1UL,
+    0xe41e14f3UL, 0x8179a84bUL, 0xd769cb13UL, 0xb20e77abUL, 0x5ca1c2b9UL,
+    0x39c67e01UL, 0x80fea99cUL, 0xe5991524UL, 0x0b36a036UL, 0x6e511c8eUL,
+    0xa7166686UL, 0xc271da3eUL, 0x2cde6f2cUL, 0x49b9d394UL, 0xf0810409UL,
+    0x95e6b8b1UL, 0x7b490da3UL, 0x1e2eb11bUL, 0x483ed243UL, 0x2d596efbUL,
+    0xc3f6dbe9UL, 0xa6916751UL, 0x1fa9b0ccUL, 0x7ace0c74UL, 0x9461b966UL,
+    0xf10605deUL
+#endif
+  }
+};
diff --git a/security/nss/cmd/zlib/deflate.c b/security/nss/cmd/zlib/deflate.c
new file mode 100644
index 000000000..29ce1f64a
--- /dev/null
+++ b/security/nss/cmd/zlib/deflate.c
@@ -0,0 +1,1736 @@
+/* deflate.c -- compress data using the deflation algorithm
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/*
+ *  ALGORITHM
+ *
+ *      The "deflation" process depends on being able to identify portions
+ *      of the input text which are identical to earlier input (within a
+ *      sliding window trailing behind the input currently being processed).
+ *
+ *      The most straightforward technique turns out to be the fastest for
+ *      most input files: try all possible matches and select the longest.
+ *      The key feature of this algorithm is that insertions into the string
+ *      dictionary are very simple and thus fast, and deletions are avoided
+ *      completely. Insertions are performed at each input character, whereas
+ *      string matches are performed only when the previous match ends. So it
+ *      is preferable to spend more time in matches to allow very fast string
+ *      insertions and avoid deletions. The matching algorithm for small
+ *      strings is inspired from that of Rabin & Karp. A brute force approach
+ *      is used to find longer strings when a small match has been found.
+ *      A similar algorithm is used in comic (by Jan-Mark Wams) and freeze
+ *      (by Leonid Broukhis).
+ *         A previous version of this file used a more sophisticated algorithm
+ *      (by Fiala and Greene) which is guaranteed to run in linear amortized
+ *      time, but has a larger average cost, uses more memory and is patented.
+ *      However the F&G algorithm may be faster for some highly redundant
+ *      files if the parameter max_chain_length (described below) is too large.
+ *
+ *  ACKNOWLEDGEMENTS
+ *
+ *      The idea of lazy evaluation of matches is due to Jan-Mark Wams, and
+ *      I found it in 'freeze' written by Leonid Broukhis.
+ *      Thanks to many people for bug reports and testing.
+ *
+ *  REFERENCES
+ *
+ *      Deutsch, L.P.,"DEFLATE Compressed Data Format Specification".
+ *      Available in http://www.ietf.org/rfc/rfc1951.txt
+ *
+ *      A description of the Rabin and Karp algorithm is given in the book
+ *         "Algorithms" by R. Sedgewick, Addison-Wesley, p252.
+ *
+ *      Fiala,E.R., and Greene,D.H.
+ *         Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595
+ *
+ */
+
+/* @(#) $Id$ */
+
+#include "deflate.h"
+
+const char deflate_copyright[] =
+   " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ";
+/*
+  If you use the zlib library in a product, an acknowledgment is welcome
+  in the documentation of your product. If for some reason you cannot
+  include such an acknowledgment, I would appreciate that you keep this
+  copyright string in the executable of your product.
+ */
+
+/* ===========================================================================
+ *  Function prototypes.
+ */
+typedef enum {
+    need_more,      /* block not completed, need more input or more output */
+    block_done,     /* block flush performed */
+    finish_started, /* finish started, need only more output at next deflate */
+    finish_done     /* finish done, accept no more input or output */
+} block_state;
+
+typedef block_state (*compress_func) OF((deflate_state *s, int flush));
+/* Compression function. Returns the block state after the call. */
+
+local void fill_window    OF((deflate_state *s));
+local block_state deflate_stored OF((deflate_state *s, int flush));
+local block_state deflate_fast   OF((deflate_state *s, int flush));
+#ifndef FASTEST
+local block_state deflate_slow   OF((deflate_state *s, int flush));
+#endif
+local void lm_init        OF((deflate_state *s));
+local void putShortMSB    OF((deflate_state *s, uInt b));
+local void flush_pending  OF((z_streamp strm));
+local int read_buf        OF((z_streamp strm, Bytef *buf, unsigned size));
+#ifndef FASTEST
+#ifdef ASMV
+      void match_init OF((void)); /* asm code initialization */
+      uInt longest_match  OF((deflate_state *s, IPos cur_match));
+#else
+local uInt longest_match  OF((deflate_state *s, IPos cur_match));
+#endif
+#endif
+local uInt longest_match_fast OF((deflate_state *s, IPos cur_match));
+
+#ifdef DEBUG
+local  void check_match OF((deflate_state *s, IPos start, IPos match,
+                            int length));
+#endif
+
+/* ===========================================================================
+ * Local data
+ */
+
+#define NIL 0
+/* Tail of hash chains */
+
+#ifndef TOO_FAR
+#  define TOO_FAR 4096
+#endif
+/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
+
+#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
+/* Minimum amount of lookahead, except at the end of the input file.
+ * See deflate.c for comments about the MIN_MATCH+1.
+ */
+
+/* Values for max_lazy_match, good_match and max_chain_length, depending on
+ * the desired pack level (0..9). The values given below have been tuned to
+ * exclude worst case performance for pathological files. Better values may be
+ * found for specific files.
+ */
+typedef struct config_s {
+   ush good_length; /* reduce lazy search above this match length */
+   ush max_lazy;    /* do not perform lazy search above this match length */
+   ush nice_length; /* quit search above this match length */
+   ush max_chain;
+   compress_func func;
+} config;
+
+#ifdef FASTEST
+local const config configuration_table[2] = {
+/*      good lazy nice chain */
+/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
+/* 1 */ {4,    4,  8,    4, deflate_fast}}; /* max speed, no lazy matches */
+#else
+local const config configuration_table[10] = {
+/*      good lazy nice chain */
+/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
+/* 1 */ {4,    4,  8,    4, deflate_fast}, /* max speed, no lazy matches */
+/* 2 */ {4,    5, 16,    8, deflate_fast},
+/* 3 */ {4,    6, 32,   32, deflate_fast},
+
+/* 4 */ {4,    4, 16,   16, deflate_slow},  /* lazy matches */
+/* 5 */ {8,   16, 32,   32, deflate_slow},
+/* 6 */ {8,   16, 128, 128, deflate_slow},
+/* 7 */ {8,   32, 128, 256, deflate_slow},
+/* 8 */ {32, 128, 258, 1024, deflate_slow},
+/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* max compression */
+#endif
+
+/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4
+ * For deflate_fast() (levels <= 3) good is ignored and lazy has a different
+ * meaning.
+ */
+
+#define EQUAL 0
+/* result of memcmp for equal strings */
+
+#ifndef NO_DUMMY_DECL
+struct static_tree_desc_s {int dummy;}; /* for buggy compilers */
+#endif
+
+/* ===========================================================================
+ * Update a hash value with the given input byte
+ * IN  assertion: all calls to to UPDATE_HASH are made with consecutive
+ *    input characters, so that a running hash key can be computed from the
+ *    previous key instead of complete recalculation each time.
+ */
+#define UPDATE_HASH(s,h,c) (h = (((h)<<s->hash_shift) ^ (c)) & s->hash_mask)
+
+
+/* ===========================================================================
+ * Insert string str in the dictionary and set match_head to the previous head
+ * of the hash chain (the most recent string with same hash key). Return
+ * the previous length of the hash chain.
+ * If this file is compiled with -DFASTEST, the compression level is forced
+ * to 1, and no hash chains are maintained.
+ * IN  assertion: all calls to to INSERT_STRING are made with consecutive
+ *    input characters and the first MIN_MATCH bytes of str are valid
+ *    (except for the last MIN_MATCH-1 bytes of the input file).
+ */
+#ifdef FASTEST
+#define INSERT_STRING(s, str, match_head) \
+   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
+    match_head = s->head[s->ins_h], \
+    s->head[s->ins_h] = (Pos)(str))
+#else
+#define INSERT_STRING(s, str, match_head) \
+   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
+    match_head = s->prev[(str) & s->w_mask] = s->head[s->ins_h], \
+    s->head[s->ins_h] = (Pos)(str))
+#endif
+
+/* ===========================================================================
+ * Initialize the hash table (avoiding 64K overflow for 16 bit systems).
+ * prev[] will be initialized on the fly.
+ */
+#define CLEAR_HASH(s) \
+    s->head[s->hash_size-1] = NIL; \
+    zmemzero((Bytef *)s->head, (unsigned)(s->hash_size-1)*sizeof(*s->head));
+
+/* ========================================================================= */
+int ZEXPORT deflateInit_(strm, level, version, stream_size)
+    z_streamp strm;
+    int level;
+    const char *version;
+    int stream_size;
+{
+    return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,
+                         Z_DEFAULT_STRATEGY, version, stream_size);
+    /* To do: ignore strm->next_in if we use it as window */
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+                  version, stream_size)
+    z_streamp strm;
+    int  level;
+    int  method;
+    int  windowBits;
+    int  memLevel;
+    int  strategy;
+    const char *version;
+    int stream_size;
+{
+    deflate_state *s;
+    int wrap = 1;
+    static const char my_version[] = ZLIB_VERSION;
+
+    ushf *overlay;
+    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+     * output size for (length,distance) codes is <= 24 bits.
+     */
+
+    if (version == Z_NULL || version[0] != my_version[0] ||
+        stream_size != sizeof(z_stream)) {
+        return Z_VERSION_ERROR;
+    }
+    if (strm == Z_NULL) return Z_STREAM_ERROR;
+
+    strm->msg = Z_NULL;
+    if (strm->zalloc == (alloc_func)0) {
+        strm->zalloc = zcalloc;
+        strm->opaque = (voidpf)0;
+    }
+    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
+
+#ifdef FASTEST
+    if (level != 0) level = 1;
+#else
+    if (level == Z_DEFAULT_COMPRESSION) level = 6;
+#endif
+
+    if (windowBits < 0) { /* suppress zlib wrapper */
+        wrap = 0;
+        windowBits = -windowBits;
+    }
+#ifdef GZIP
+    else if (windowBits > 15) {
+        wrap = 2;       /* write gzip wrapper instead */
+        windowBits -= 16;
+    }
+#endif
+    if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
+        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        strategy < 0 || strategy > Z_FIXED) {
+        return Z_STREAM_ERROR;
+    }
+    if (windowBits == 8) windowBits = 9;  /* until 256-byte window bug fixed */
+    s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));
+    if (s == Z_NULL) return Z_MEM_ERROR;
+    strm->state = (struct internal_state FAR *)s;
+    s->strm = strm;
+
+    s->wrap = wrap;
+    s->gzhead = Z_NULL;
+    s->w_bits = windowBits;
+    s->w_size = 1 << s->w_bits;
+    s->w_mask = s->w_size - 1;
+
+    s->hash_bits = memLevel + 7;
+    s->hash_size = 1 << s->hash_bits;
+    s->hash_mask = s->hash_size - 1;
+    s->hash_shift =  ((s->hash_bits+MIN_MATCH-1)/MIN_MATCH);
+
+    s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));
+    s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
+    s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
+
+    s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+    s->pending_buf = (uchf *) overlay;
+    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
+
+    if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+        s->pending_buf == Z_NULL) {
+        s->status = FINISH_STATE;
+        strm->msg = (char*)ERR_MSG(Z_MEM_ERROR);
+        deflateEnd (strm);
+        return Z_MEM_ERROR;
+    }
+    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
+
+    s->level = level;
+    s->strategy = strategy;
+    s->method = (Byte)method;
+
+    return deflateReset(strm);
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength)
+    z_streamp strm;
+    const Bytef *dictionary;
+    uInt  dictLength;
+{
+    deflate_state *s;
+    uInt length = dictLength;
+    uInt n;
+    IPos hash_head = 0;
+
+    if (strm == Z_NULL || strm->state == Z_NULL || dictionary == Z_NULL ||
+        strm->state->wrap == 2 ||
+        (strm->state->wrap == 1 && strm->state->status != INIT_STATE))
+        return Z_STREAM_ERROR;
+
+    s = strm->state;
+    if (s->wrap)
+        strm->adler = adler32(strm->adler, dictionary, dictLength);
+
+    if (length < MIN_MATCH) return Z_OK;
+    if (length > MAX_DIST(s)) {
+        length = MAX_DIST(s);
+        dictionary += dictLength - length; /* use the tail of the dictionary */
+    }
+    zmemcpy(s->window, dictionary, length);
+    s->strstart = length;
+    s->block_start = (long)length;
+
+    /* Insert all strings in the hash table (except for the last two bytes).
+     * s->lookahead stays null, so s->ins_h will be recomputed at the next
+     * call of fill_window.
+     */
+    s->ins_h = s->window[0];
+    UPDATE_HASH(s, s->ins_h, s->window[1]);
+    for (n = 0; n <= length - MIN_MATCH; n++) {
+        INSERT_STRING(s, n, hash_head);
+    }
+    if (hash_head) hash_head = 0;  /* to make compiler happy */
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateReset (strm)
+    z_streamp strm;
+{
+    deflate_state *s;
+
+    if (strm == Z_NULL || strm->state == Z_NULL ||
+        strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0) {
+        return Z_STREAM_ERROR;
+    }
+
+    strm->total_in = strm->total_out = 0;
+    strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */
+    strm->data_type = Z_UNKNOWN;
+
+    s = (deflate_state *)strm->state;
+    s->pending = 0;
+    s->pending_out = s->pending_buf;
+
+    if (s->wrap < 0) {
+        s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */
+    }
+    s->status = s->wrap ? INIT_STATE : BUSY_STATE;
+    strm->adler =
+#ifdef GZIP
+        s->wrap == 2 ? crc32(0L, Z_NULL, 0) :
+#endif
+        adler32(0L, Z_NULL, 0);
+    s->last_flush = Z_NO_FLUSH;
+
+    _tr_init(s);
+    lm_init(s);
+
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateSetHeader (strm, head)
+    z_streamp strm;
+    gz_headerp head;
+{
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    if (strm->state->wrap != 2) return Z_STREAM_ERROR;
+    strm->state->gzhead = head;
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflatePrime (strm, bits, value)
+    z_streamp strm;
+    int bits;
+    int value;
+{
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    strm->state->bi_valid = bits;
+    strm->state->bi_buf = (ush)(value & ((1 << bits) - 1));
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateParams(strm, level, strategy)
+    z_streamp strm;
+    int level;
+    int strategy;
+{
+    deflate_state *s;
+    compress_func func;
+    int err = Z_OK;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    s = strm->state;
+
+#ifdef FASTEST
+    if (level != 0) level = 1;
+#else
+    if (level == Z_DEFAULT_COMPRESSION) level = 6;
+#endif
+    if (level < 0 || level > 9 || strategy < 0 || strategy > Z_FIXED) {
+        return Z_STREAM_ERROR;
+    }
+    func = configuration_table[s->level].func;
+
+    if (func != configuration_table[level].func && strm->total_in != 0) {
+        /* Flush the last buffer: */
+        err = deflate(strm, Z_PARTIAL_FLUSH);
+    }
+    if (s->level != level) {
+        s->level = level;
+        s->max_lazy_match   = configuration_table[level].max_lazy;
+        s->good_match       = configuration_table[level].good_length;
+        s->nice_match       = configuration_table[level].nice_length;
+        s->max_chain_length = configuration_table[level].max_chain;
+    }
+    s->strategy = strategy;
+    return err;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateTune(strm, good_length, max_lazy, nice_length, max_chain)
+    z_streamp strm;
+    int good_length;
+    int max_lazy;
+    int nice_length;
+    int max_chain;
+{
+    deflate_state *s;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    s = strm->state;
+    s->good_match = good_length;
+    s->max_lazy_match = max_lazy;
+    s->nice_match = nice_length;
+    s->max_chain_length = max_chain;
+    return Z_OK;
+}
+
+/* =========================================================================
+ * For the default windowBits of 15 and memLevel of 8, this function returns
+ * a close to exact, as well as small, upper bound on the compressed size.
+ * They are coded as constants here for a reason--if the #define's are
+ * changed, then this function needs to be changed as well.  The return
+ * value for 15 and 8 only works for those exact settings.
+ *
+ * For any setting other than those defaults for windowBits and memLevel,
+ * the value returned is a conservative worst case for the maximum expansion
+ * resulting from using fixed blocks instead of stored blocks, which deflate
+ * can emit on compressed data for some combinations of the parameters.
+ *
+ * This function could be more sophisticated to provide closer upper bounds
+ * for every combination of windowBits and memLevel, as well as wrap.
+ * But even the conservative upper bound of about 14% expansion does not
+ * seem onerous for output buffer allocation.
+ */
+uLong ZEXPORT deflateBound(strm, sourceLen)
+    z_streamp strm;
+    uLong sourceLen;
+{
+    deflate_state *s;
+    uLong destLen;
+
+    /* conservative upper bound */
+    destLen = sourceLen +
+              ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 11;
+
+    /* if can't get parameters, return conservative bound */
+    if (strm == Z_NULL || strm->state == Z_NULL)
+        return destLen;
+
+    /* if not default parameters, return conservative bound */
+    s = strm->state;
+    if (s->w_bits != 15 || s->hash_bits != 8 + 7)
+        return destLen;
+
+    /* default settings: return tight bound for that case */
+    return compressBound(sourceLen);
+}
+
+/* =========================================================================
+ * Put a short in the pending buffer. The 16-bit value is put in MSB order.
+ * IN assertion: the stream state is correct and there is enough room in
+ * pending_buf.
+ */
+local void putShortMSB (s, b)
+    deflate_state *s;
+    uInt b;
+{
+    put_byte(s, (Byte)(b >> 8));
+    put_byte(s, (Byte)(b & 0xff));
+}
+
+/* =========================================================================
+ * Flush as much pending output as possible. All deflate() output goes
+ * through this function so some applications may wish to modify it
+ * to avoid allocating a large strm->next_out buffer and copying into it.
+ * (See also read_buf()).
+ */
+local void flush_pending(strm)
+    z_streamp strm;
+{
+    unsigned len = strm->state->pending;
+
+    if (len > strm->avail_out) len = strm->avail_out;
+    if (len == 0) return;
+
+    zmemcpy(strm->next_out, strm->state->pending_out, len);
+    strm->next_out  += len;
+    strm->state->pending_out  += len;
+    strm->total_out += len;
+    strm->avail_out  -= len;
+    strm->state->pending -= len;
+    if (strm->state->pending == 0) {
+        strm->state->pending_out = strm->state->pending_buf;
+    }
+}
+
+/* ========================================================================= */
+int ZEXPORT deflate (strm, flush)
+    z_streamp strm;
+    int flush;
+{
+    int old_flush; /* value of flush param for previous deflate call */
+    deflate_state *s;
+
+    if (strm == Z_NULL || strm->state == Z_NULL ||
+        flush > Z_FINISH || flush < 0) {
+        return Z_STREAM_ERROR;
+    }
+    s = strm->state;
+
+    if (strm->next_out == Z_NULL ||
+        (strm->next_in == Z_NULL && strm->avail_in != 0) ||
+        (s->status == FINISH_STATE && flush != Z_FINISH)) {
+        ERR_RETURN(strm, Z_STREAM_ERROR);
+    }
+    if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);
+
+    s->strm = strm; /* just in case */
+    old_flush = s->last_flush;
+    s->last_flush = flush;
+
+    /* Write the header */
+    if (s->status == INIT_STATE) {
+#ifdef GZIP
+        if (s->wrap == 2) {
+            strm->adler = crc32(0L, Z_NULL, 0);
+            put_byte(s, 31);
+            put_byte(s, 139);
+            put_byte(s, 8);
+            if (s->gzhead == NULL) {
+                put_byte(s, 0);
+                put_byte(s, 0);
+                put_byte(s, 0);
+                put_byte(s, 0);
+                put_byte(s, 0);
+                put_byte(s, s->level == 9 ? 2 :
+                            (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
+                             4 : 0));
+                put_byte(s, OS_CODE);
+                s->status = BUSY_STATE;
+            }
+            else {
+                put_byte(s, (s->gzhead->text ? 1 : 0) +
+                            (s->gzhead->hcrc ? 2 : 0) +
+                            (s->gzhead->extra == Z_NULL ? 0 : 4) +
+                            (s->gzhead->name == Z_NULL ? 0 : 8) +
+                            (s->gzhead->comment == Z_NULL ? 0 : 16)
+                        );
+                put_byte(s, (Byte)(s->gzhead->time & 0xff));
+                put_byte(s, (Byte)((s->gzhead->time >> 8) & 0xff));
+                put_byte(s, (Byte)((s->gzhead->time >> 16) & 0xff));
+                put_byte(s, (Byte)((s->gzhead->time >> 24) & 0xff));
+                put_byte(s, s->level == 9 ? 2 :
+                            (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
+                             4 : 0));
+                put_byte(s, s->gzhead->os & 0xff);
+                if (s->gzhead->extra != NULL) {
+                    put_byte(s, s->gzhead->extra_len & 0xff);
+                    put_byte(s, (s->gzhead->extra_len >> 8) & 0xff);
+                }
+                if (s->gzhead->hcrc)
+                    strm->adler = crc32(strm->adler, s->pending_buf,
+                                        s->pending);
+                s->gzindex = 0;
+                s->status = EXTRA_STATE;
+            }
+        }
+        else
+#endif
+        {
+            uInt header = (Z_DEFLATED + ((s->w_bits-8)<<4)) << 8;
+            uInt level_flags;
+
+            if (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2)
+                level_flags = 0;
+            else if (s->level < 6)
+                level_flags = 1;
+            else if (s->level == 6)
+                level_flags = 2;
+            else
+                level_flags = 3;
+            header |= (level_flags << 6);
+            if (s->strstart != 0) header |= PRESET_DICT;
+            header += 31 - (header % 31);
+
+            s->status = BUSY_STATE;
+            putShortMSB(s, header);
+
+            /* Save the adler32 of the preset dictionary: */
+            if (s->strstart != 0) {
+                putShortMSB(s, (uInt)(strm->adler >> 16));
+                putShortMSB(s, (uInt)(strm->adler & 0xffff));
+            }
+            strm->adler = adler32(0L, Z_NULL, 0);
+        }
+    }
+#ifdef GZIP
+    if (s->status == EXTRA_STATE) {
+        if (s->gzhead->extra != NULL) {
+            uInt beg = s->pending;  /* start of bytes to update crc */
+
+            while (s->gzindex < (s->gzhead->extra_len & 0xffff)) {
+                if (s->pending == s->pending_buf_size) {
+                    if (s->gzhead->hcrc && s->pending > beg)
+                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                            s->pending - beg);
+                    flush_pending(strm);
+                    beg = s->pending;
+                    if (s->pending == s->pending_buf_size)
+                        break;
+                }
+                put_byte(s, s->gzhead->extra[s->gzindex]);
+                s->gzindex++;
+            }
+            if (s->gzhead->hcrc && s->pending > beg)
+                strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                    s->pending - beg);
+            if (s->gzindex == s->gzhead->extra_len) {
+                s->gzindex = 0;
+                s->status = NAME_STATE;
+            }
+        }
+        else
+            s->status = NAME_STATE;
+    }
+    if (s->status == NAME_STATE) {
+        if (s->gzhead->name != NULL) {
+            uInt beg = s->pending;  /* start of bytes to update crc */
+            int val;
+
+            do {
+                if (s->pending == s->pending_buf_size) {
+                    if (s->gzhead->hcrc && s->pending > beg)
+                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                            s->pending - beg);
+                    flush_pending(strm);
+                    beg = s->pending;
+                    if (s->pending == s->pending_buf_size) {
+                        val = 1;
+                        break;
+                    }
+                }
+                val = s->gzhead->name[s->gzindex++];
+                put_byte(s, val);
+            } while (val != 0);
+            if (s->gzhead->hcrc && s->pending > beg)
+                strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                    s->pending - beg);
+            if (val == 0) {
+                s->gzindex = 0;
+                s->status = COMMENT_STATE;
+            }
+        }
+        else
+            s->status = COMMENT_STATE;
+    }
+    if (s->status == COMMENT_STATE) {
+        if (s->gzhead->comment != NULL) {
+            uInt beg = s->pending;  /* start of bytes to update crc */
+            int val;
+
+            do {
+                if (s->pending == s->pending_buf_size) {
+                    if (s->gzhead->hcrc && s->pending > beg)
+                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                            s->pending - beg);
+                    flush_pending(strm);
+                    beg = s->pending;
+                    if (s->pending == s->pending_buf_size) {
+                        val = 1;
+                        break;
+                    }
+                }
+                val = s->gzhead->comment[s->gzindex++];
+                put_byte(s, val);
+            } while (val != 0);
+            if (s->gzhead->hcrc && s->pending > beg)
+                strm->adler = crc32(strm->adler, s->pending_buf + beg,
+                                    s->pending - beg);
+            if (val == 0)
+                s->status = HCRC_STATE;
+        }
+        else
+            s->status = HCRC_STATE;
+    }
+    if (s->status == HCRC_STATE) {
+        if (s->gzhead->hcrc) {
+            if (s->pending + 2 > s->pending_buf_size)
+                flush_pending(strm);
+            if (s->pending + 2 <= s->pending_buf_size) {
+                put_byte(s, (Byte)(strm->adler & 0xff));
+                put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
+                strm->adler = crc32(0L, Z_NULL, 0);
+                s->status = BUSY_STATE;
+            }
+        }
+        else
+            s->status = BUSY_STATE;
+    }
+#endif
+
+    /* Flush as much pending output as possible */
+    if (s->pending != 0) {
+        flush_pending(strm);
+        if (strm->avail_out == 0) {
+            /* Since avail_out is 0, deflate will be called again with
+             * more output space, but possibly with both pending and
+             * avail_in equal to zero. There won't be anything to do,
+             * but this is not an error situation so make sure we
+             * return OK instead of BUF_ERROR at next call of deflate:
+             */
+            s->last_flush = -1;
+            return Z_OK;
+        }
+
+    /* Make sure there is something to do and avoid duplicate consecutive
+     * flushes. For repeated and useless calls with Z_FINISH, we keep
+     * returning Z_STREAM_END instead of Z_BUF_ERROR.
+     */
+    } else if (strm->avail_in == 0 && flush <= old_flush &&
+               flush != Z_FINISH) {
+        ERR_RETURN(strm, Z_BUF_ERROR);
+    }
+
+    /* User must not provide more input after the first FINISH: */
+    if (s->status == FINISH_STATE && strm->avail_in != 0) {
+        ERR_RETURN(strm, Z_BUF_ERROR);
+    }
+
+    /* Start a new block or continue the current one.
+     */
+    if (strm->avail_in != 0 || s->lookahead != 0 ||
+        (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
+        block_state bstate;
+
+        bstate = (*(configuration_table[s->level].func))(s, flush);
+
+        if (bstate == finish_started || bstate == finish_done) {
+            s->status = FINISH_STATE;
+        }
+        if (bstate == need_more || bstate == finish_started) {
+            if (strm->avail_out == 0) {
+                s->last_flush = -1; /* avoid BUF_ERROR next call, see above */
+            }
+            return Z_OK;
+            /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
+             * of deflate should use the same flush parameter to make sure
+             * that the flush is complete. So we don't have to output an
+             * empty block here, this will be done at next call. This also
+             * ensures that for a very small output buffer, we emit at most
+             * one empty block.
+             */
+        }
+        if (bstate == block_done) {
+            if (flush == Z_PARTIAL_FLUSH) {
+                _tr_align(s);
+            } else { /* FULL_FLUSH or SYNC_FLUSH */
+                _tr_stored_block(s, (char*)0, 0L, 0);
+                /* For a full flush, this empty block will be recognized
+                 * as a special marker by inflate_sync().
+                 */
+                if (flush == Z_FULL_FLUSH) {
+                    CLEAR_HASH(s);             /* forget history */
+                }
+            }
+            flush_pending(strm);
+            if (strm->avail_out == 0) {
+              s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */
+              return Z_OK;
+            }
+        }
+    }
+    Assert(strm->avail_out > 0, "bug2");
+
+    if (flush != Z_FINISH) return Z_OK;
+    if (s->wrap <= 0) return Z_STREAM_END;
+
+    /* Write the trailer */
+#ifdef GZIP
+    if (s->wrap == 2) {
+        put_byte(s, (Byte)(strm->adler & 0xff));
+        put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
+        put_byte(s, (Byte)((strm->adler >> 16) & 0xff));
+        put_byte(s, (Byte)((strm->adler >> 24) & 0xff));
+        put_byte(s, (Byte)(strm->total_in & 0xff));
+        put_byte(s, (Byte)((strm->total_in >> 8) & 0xff));
+        put_byte(s, (Byte)((strm->total_in >> 16) & 0xff));
+        put_byte(s, (Byte)((strm->total_in >> 24) & 0xff));
+    }
+    else
+#endif
+    {
+        putShortMSB(s, (uInt)(strm->adler >> 16));
+        putShortMSB(s, (uInt)(strm->adler & 0xffff));
+    }
+    flush_pending(strm);
+    /* If avail_out is zero, the application will call deflate again
+     * to flush the rest.
+     */
+    if (s->wrap > 0) s->wrap = -s->wrap; /* write the trailer only once! */
+    return s->pending != 0 ? Z_OK : Z_STREAM_END;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateEnd (strm)
+    z_streamp strm;
+{
+    int status;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+
+    status = strm->state->status;
+    if (status != INIT_STATE &&
+        status != EXTRA_STATE &&
+        status != NAME_STATE &&
+        status != COMMENT_STATE &&
+        status != HCRC_STATE &&
+        status != BUSY_STATE &&
+        status != FINISH_STATE) {
+      return Z_STREAM_ERROR;
+    }
+
+    /* Deallocate in reverse order of allocations: */
+    TRY_FREE(strm, strm->state->pending_buf);
+    TRY_FREE(strm, strm->state->head);
+    TRY_FREE(strm, strm->state->prev);
+    TRY_FREE(strm, strm->state->window);
+
+    ZFREE(strm, strm->state);
+    strm->state = Z_NULL;
+
+    return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
+}
+
+/* =========================================================================
+ * Copy the source state to the destination state.
+ * To simplify the source, this is not supported for 16-bit MSDOS (which
+ * doesn't have enough memory anyway to duplicate compression states).
+ */
+int ZEXPORT deflateCopy (dest, source)
+    z_streamp dest;
+    z_streamp source;
+{
+#ifdef MAXSEG_64K
+    return Z_STREAM_ERROR;
+#else
+    deflate_state *ds;
+    deflate_state *ss;
+    ushf *overlay;
+
+
+    if (source == Z_NULL || dest == Z_NULL || source->state == Z_NULL) {
+        return Z_STREAM_ERROR;
+    }
+
+    ss = source->state;
+
+    zmemcpy(dest, source, sizeof(z_stream));
+
+    ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));
+    if (ds == Z_NULL) return Z_MEM_ERROR;
+    dest->state = (struct internal_state FAR *) ds;
+    zmemcpy(ds, ss, sizeof(deflate_state));
+    ds->strm = dest;
+
+    ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+    ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+    ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+    ds->pending_buf = (uchf *) overlay;
+
+    if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+        ds->pending_buf == Z_NULL) {
+        deflateEnd (dest);
+        return Z_MEM_ERROR;
+    }
+    /* following zmemcpy do not work for 16-bit MSDOS */
+    zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
+    zmemcpy(ds->prev, ss->prev, ds->w_size * sizeof(Pos));
+    zmemcpy(ds->head, ss->head, ds->hash_size * sizeof(Pos));
+    zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+
+    ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
+
+    ds->l_desc.dyn_tree = ds->dyn_ltree;
+    ds->d_desc.dyn_tree = ds->dyn_dtree;
+    ds->bl_desc.dyn_tree = ds->bl_tree;
+
+    return Z_OK;
+#endif /* MAXSEG_64K */
+}
+
+/* ===========================================================================
+ * Read a new buffer from the current input stream, update the adler32
+ * and total number of bytes read.  All deflate() input goes through
+ * this function so some applications may wish to modify it to avoid
+ * allocating a large strm->next_in buffer and copying from it.
+ * (See also flush_pending()).
+ */
+local int read_buf(strm, buf, size)
+    z_streamp strm;
+    Bytef *buf;
+    unsigned size;
+{
+    unsigned len = strm->avail_in;
+
+    if (len > size) len = size;
+    if (len == 0) return 0;
+
+    strm->avail_in  -= len;
+
+    if (strm->state->wrap == 1) {
+        strm->adler = adler32(strm->adler, strm->next_in, len);
+    }
+#ifdef GZIP
+    else if (strm->state->wrap == 2) {
+        strm->adler = crc32(strm->adler, strm->next_in, len);
+    }
+#endif
+    zmemcpy(buf, strm->next_in, len);
+    strm->next_in  += len;
+    strm->total_in += len;
+
+    return (int)len;
+}
+
+/* ===========================================================================
+ * Initialize the "longest match" routines for a new zlib stream
+ */
+local void lm_init (s)
+    deflate_state *s;
+{
+    s->window_size = (ulg)2L*s->w_size;
+
+    CLEAR_HASH(s);
+
+    /* Set the default configuration parameters:
+     */
+    s->max_lazy_match   = configuration_table[s->level].max_lazy;
+    s->good_match       = configuration_table[s->level].good_length;
+    s->nice_match       = configuration_table[s->level].nice_length;
+    s->max_chain_length = configuration_table[s->level].max_chain;
+
+    s->strstart = 0;
+    s->block_start = 0L;
+    s->lookahead = 0;
+    s->match_length = s->prev_length = MIN_MATCH-1;
+    s->match_available = 0;
+    s->ins_h = 0;
+#ifndef FASTEST
+#ifdef ASMV
+    match_init(); /* initialize the asm code */
+#endif
+#endif
+}
+
+#ifndef FASTEST
+/* ===========================================================================
+ * Set match_start to the longest match starting at the given string and
+ * return its length. Matches shorter or equal to prev_length are discarded,
+ * in which case the result is equal to prev_length and match_start is
+ * garbage.
+ * IN assertions: cur_match is the head of the hash chain for the current
+ *   string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1
+ * OUT assertion: the match length is not greater than s->lookahead.
+ */
+#ifndef ASMV
+/* For 80x86 and 680x0, an optimized version will be provided in match.asm or
+ * match.S. The code will be functionally equivalent.
+ */
+local uInt longest_match(s, cur_match)
+    deflate_state *s;
+    IPos cur_match;                             /* current match */
+{
+    unsigned chain_length = s->max_chain_length;/* max hash chain length */
+    register Bytef *scan = s->window + s->strstart; /* current string */
+    register Bytef *match;                       /* matched string */
+    register int len;                           /* length of current match */
+    int best_len = s->prev_length;              /* best match length so far */
+    int nice_match = s->nice_match;             /* stop if match long enough */
+    IPos limit = s->strstart > (IPos)MAX_DIST(s) ?
+        s->strstart - (IPos)MAX_DIST(s) : NIL;
+    /* Stop when cur_match becomes <= limit. To simplify the code,
+     * we prevent matches with the string of window index 0.
+     */
+    Posf *prev = s->prev;
+    uInt wmask = s->w_mask;
+
+#ifdef UNALIGNED_OK
+    /* Compare two bytes at a time. Note: this is not always beneficial.
+     * Try with and without -DUNALIGNED_OK to check.
+     */
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;
+    register ush scan_start = *(ushf*)scan;
+    register ush scan_end   = *(ushf*)(scan+best_len-1);
+#else
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
+    register Byte scan_end1  = scan[best_len-1];
+    register Byte scan_end   = scan[best_len];
+#endif
+
+    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
+     * It is easy to get rid of this optimization if necessary.
+     */
+    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
+
+    /* Do not waste too much time if we already have a good match: */
+    if (s->prev_length >= s->good_match) {
+        chain_length >>= 2;
+    }
+    /* Do not look for matches beyond the end of the input. This is necessary
+     * to make deflate deterministic.
+     */
+    if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;
+
+    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
+
+    do {
+        Assert(cur_match < s->strstart, "no future");
+        match = s->window + cur_match;
+
+        /* Skip to next match if the match length cannot increase
+         * or if the match length is less than 2.  Note that the checks below
+         * for insufficient lookahead only occur occasionally for performance
+         * reasons.  Therefore uninitialized memory will be accessed, and
+         * conditional jumps will be made that depend on those values.
+         * However the length of the match is limited to the lookahead, so
+         * the output of deflate is not affected by the uninitialized values.
+         */
+#if (defined(UNALIGNED_OK) && MAX_MATCH == 258)
+        /* This code assumes sizeof(unsigned short) == 2. Do not use
+         * UNALIGNED_OK if your compiler uses a different size.
+         */
+        if (*(ushf*)(match+best_len-1) != scan_end ||
+            *(ushf*)match != scan_start) continue;
+
+        /* It is not necessary to compare scan[2] and match[2] since they are
+         * always equal when the other bytes match, given that the hash keys
+         * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at
+         * strstart+3, +5, ... up to strstart+257. We check for insufficient
+         * lookahead only every 4th comparison; the 128th check will be made
+         * at strstart+257. If MAX_MATCH-2 is not a multiple of 8, it is
+         * necessary to put more guard bytes at the end of the window, or
+         * to check more often for insufficient lookahead.
+         */
+        Assert(scan[2] == match[2], "scan[2]?");
+        scan++, match++;
+        do {
+        } while (*(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 scan < strend);
+        /* The funny "do {}" generates better code on most compilers */
+
+        /* Here, scan <= window+strstart+257 */
+        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+        if (*scan == *match) scan++;
+
+        len = (MAX_MATCH - 1) - (int)(strend-scan);
+        scan = strend - (MAX_MATCH-1);
+
+#else /* UNALIGNED_OK */
+
+        if (match[best_len]   != scan_end  ||
+            match[best_len-1] != scan_end1 ||
+            *match            != *scan     ||
+            *++match          != scan[1])      continue;
+
+        /* The check at best_len-1 can be removed because it will be made
+         * again later. (This heuristic is not always a win.)
+         * It is not necessary to compare scan[2] and match[2] since they
+         * are always equal when the other bytes match, given that
+         * the hash keys are equal and that HASH_BITS >= 8.
+         */
+        scan += 2, match++;
+        Assert(*scan == *match, "match[2]?");
+
+        /* We check for insufficient lookahead only every 8th comparison;
+         * the 256th check will be made at strstart+258.
+         */
+        do {
+        } while (*++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 scan < strend);
+
+        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+
+        len = MAX_MATCH - (int)(strend - scan);
+        scan = strend - MAX_MATCH;
+
+#endif /* UNALIGNED_OK */
+
+        if (len > best_len) {
+            s->match_start = cur_match;
+            best_len = len;
+            if (len >= nice_match) break;
+#ifdef UNALIGNED_OK
+            scan_end = *(ushf*)(scan+best_len-1);
+#else
+            scan_end1  = scan[best_len-1];
+            scan_end   = scan[best_len];
+#endif
+        }
+    } while ((cur_match = prev[cur_match & wmask]) > limit
+             && --chain_length != 0);
+
+    if ((uInt)best_len <= s->lookahead) return (uInt)best_len;
+    return s->lookahead;
+}
+#endif /* ASMV */
+#endif /* FASTEST */
+
+/* ---------------------------------------------------------------------------
+ * Optimized version for level == 1 or strategy == Z_RLE only
+ */
+local uInt longest_match_fast(s, cur_match)
+    deflate_state *s;
+    IPos cur_match;                             /* current match */
+{
+    register Bytef *scan = s->window + s->strstart; /* current string */
+    register Bytef *match;                       /* matched string */
+    register int len;                           /* length of current match */
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
+
+    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
+     * It is easy to get rid of this optimization if necessary.
+     */
+    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
+
+    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
+
+    Assert(cur_match < s->strstart, "no future");
+
+    match = s->window + cur_match;
+
+    /* Return failure if the match length is less than 2:
+     */
+    if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;
+
+    /* The check at best_len-1 can be removed because it will be made
+     * again later. (This heuristic is not always a win.)
+     * It is not necessary to compare scan[2] and match[2] since they
+     * are always equal when the other bytes match, given that
+     * the hash keys are equal and that HASH_BITS >= 8.
+     */
+    scan += 2, match += 2;
+    Assert(*scan == *match, "match[2]?");
+
+    /* We check for insufficient lookahead only every 8th comparison;
+     * the 256th check will be made at strstart+258.
+     */
+    do {
+    } while (*++scan == *++match && *++scan == *++match &&
+             *++scan == *++match && *++scan == *++match &&
+             *++scan == *++match && *++scan == *++match &&
+             *++scan == *++match && *++scan == *++match &&
+             scan < strend);
+
+    Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+
+    len = MAX_MATCH - (int)(strend - scan);
+
+    if (len < MIN_MATCH) return MIN_MATCH - 1;
+
+    s->match_start = cur_match;
+    return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead;
+}
+
+#ifdef DEBUG
+/* ===========================================================================
+ * Check that the match at match_start is indeed a match.
+ */
+local void check_match(s, start, match, length)
+    deflate_state *s;
+    IPos start, match;
+    int length;
+{
+    /* check that the match is indeed a match */
+    if (zmemcmp(s->window + match,
+                s->window + start, length) != EQUAL) {
+        fprintf(stderr, " start %u, match %u, length %d\n",
+                start, match, length);
+        do {
+            fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
+        } while (--length != 0);
+        z_error("invalid match");
+    }
+    if (z_verbose > 1) {
+        fprintf(stderr,"\\[%d,%d]", start-match, length);
+        do { putc(s->window[start++], stderr); } while (--length != 0);
+    }
+}
+#else
+#  define check_match(s, start, match, length)
+#endif /* DEBUG */
+
+/* ===========================================================================
+ * Fill the window when the lookahead becomes insufficient.
+ * Updates strstart and lookahead.
+ *
+ * IN assertion: lookahead < MIN_LOOKAHEAD
+ * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
+ *    At least one byte has been read, or avail_in == 0; reads are
+ *    performed for at least two bytes (required for the zip translate_eol
+ *    option -- not supported here).
+ */
+local void fill_window(s)
+    deflate_state *s;
+{
+    register unsigned n, m;
+    register Posf *p;
+    unsigned more;    /* Amount of free space at the end of the window. */
+    uInt wsize = s->w_size;
+
+    do {
+        more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);
+
+        /* Deal with !@#$% 64K limit: */
+        if (sizeof(int) <= 2) {
+            if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
+                more = wsize;
+
+            } else if (more == (unsigned)(-1)) {
+                /* Very unlikely, but possible on 16 bit machine if
+                 * strstart == 0 && lookahead == 1 (input done a byte at time)
+                 */
+                more--;
+            }
+        }
+
+        /* If the window is almost full and there is insufficient lookahead,
+         * move the upper half to the lower one to make room in the upper half.
+         */
+        if (s->strstart >= wsize+MAX_DIST(s)) {
+
+            zmemcpy(s->window, s->window+wsize, (unsigned)wsize);
+            s->match_start -= wsize;
+            s->strstart    -= wsize; /* we now have strstart >= MAX_DIST */
+            s->block_start -= (long) wsize;
+
+            /* Slide the hash table (could be avoided with 32 bit values
+               at the expense of memory usage). We slide even when level == 0
+               to keep the hash table consistent if we switch back to level > 0
+               later. (Using level 0 permanently is not an optimal usage of
+               zlib, so we don't care about this pathological case.)
+             */
+            /* %%% avoid this when Z_RLE */
+            n = s->hash_size;
+            p = &s->head[n];
+            do {
+                m = *--p;
+                *p = (Pos)(m >= wsize ? m-wsize : NIL);
+            } while (--n);
+
+            n = wsize;
+#ifndef FASTEST
+            p = &s->prev[n];
+            do {
+                m = *--p;
+                *p = (Pos)(m >= wsize ? m-wsize : NIL);
+                /* If n is not on any hash chain, prev[n] is garbage but
+                 * its value will never be used.
+                 */
+            } while (--n);
+#endif
+            more += wsize;
+        }
+        if (s->strm->avail_in == 0) return;
+
+        /* If there was no sliding:
+         *    strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
+         *    more == window_size - lookahead - strstart
+         * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
+         * => more >= window_size - 2*WSIZE + 2
+         * In the BIG_MEM or MMAP case (not yet supported),
+         *   window_size == input_size + MIN_LOOKAHEAD  &&
+         *   strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
+         * Otherwise, window_size == 2*WSIZE so more >= 2.
+         * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
+         */
+        Assert(more >= 2, "more < 2");
+
+        n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
+        s->lookahead += n;
+
+        /* Initialize the hash value now that we have some input: */
+        if (s->lookahead >= MIN_MATCH) {
+            s->ins_h = s->window[s->strstart];
+            UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
+#if MIN_MATCH != 3
+            Call UPDATE_HASH() MIN_MATCH-3 more times
+#endif
+        }
+        /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
+         * but this is not important since only literal bytes will be emitted.
+         */
+
+    } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);
+}
+
+/* ===========================================================================
+ * Flush the current block, with given end-of-file flag.
+ * IN assertion: strstart is set to the end of the current match.
+ */
+#define FLUSH_BLOCK_ONLY(s, eof) { \
+   _tr_flush_block(s, (s->block_start >= 0L ? \
+                   (charf *)&s->window[(unsigned)s->block_start] : \
+                   (charf *)Z_NULL), \
+                (ulg)((long)s->strstart - s->block_start), \
+                (eof)); \
+   s->block_start = s->strstart; \
+   flush_pending(s->strm); \
+   Tracev((stderr,"[FLUSH]")); \
+}
+
+/* Same but force premature exit if necessary. */
+#define FLUSH_BLOCK(s, eof) { \
+   FLUSH_BLOCK_ONLY(s, eof); \
+   if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \
+}
+
+/* ===========================================================================
+ * Copy without compression as much as possible from the input stream, return
+ * the current block state.
+ * This function does not insert new strings in the dictionary since
+ * uncompressible data is probably not useful. This function is used
+ * only for the level=0 compression option.
+ * NOTE: this function should be optimized to avoid extra copying from
+ * window to pending_buf.
+ */
+local block_state deflate_stored(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    /* Stored blocks are limited to 0xffff bytes, pending_buf is limited
+     * to pending_buf_size, and each stored block has a 5 byte header:
+     */
+    ulg max_block_size = 0xffff;
+    ulg max_start;
+
+    if (max_block_size > s->pending_buf_size - 5) {
+        max_block_size = s->pending_buf_size - 5;
+    }
+
+    /* Copy as much as possible from input to output: */
+    for (;;) {
+        /* Fill the window as much as possible: */
+        if (s->lookahead <= 1) {
+
+            Assert(s->strstart < s->w_size+MAX_DIST(s) ||
+                   s->block_start >= (long)s->w_size, "slide too late");
+
+            fill_window(s);
+            if (s->lookahead == 0 && flush == Z_NO_FLUSH) return need_more;
+
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+        Assert(s->block_start >= 0L, "block gone");
+
+        s->strstart += s->lookahead;
+        s->lookahead = 0;
+
+        /* Emit a stored block if pending_buf will be full: */
+        max_start = s->block_start + max_block_size;
+        if (s->strstart == 0 || (ulg)s->strstart >= max_start) {
+            /* strstart == 0 is possible when wraparound on 16-bit machine */
+            s->lookahead = (uInt)(s->strstart - max_start);
+            s->strstart = (uInt)max_start;
+            FLUSH_BLOCK(s, 0);
+        }
+        /* Flush if we may have to slide, otherwise block_start may become
+         * negative and the data will be gone:
+         */
+        if (s->strstart - (uInt)s->block_start >= MAX_DIST(s)) {
+            FLUSH_BLOCK(s, 0);
+        }
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+
+/* ===========================================================================
+ * Compress as much as possible from the input stream, return the current
+ * block state.
+ * This function does not perform lazy evaluation of matches and inserts
+ * new strings in the dictionary only for unmatched strings or for short
+ * matches. It is used only for the fast compression options.
+ */
+local block_state deflate_fast(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    IPos hash_head = NIL; /* head of the hash chain */
+    int bflush;           /* set if current block must be flushed */
+
+    for (;;) {
+        /* Make sure that we always have enough lookahead, except
+         * at the end of the input file. We need MAX_MATCH bytes
+         * for the next match, plus MIN_MATCH bytes to insert the
+         * string following the next match.
+         */
+        if (s->lookahead < MIN_LOOKAHEAD) {
+            fill_window(s);
+            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
+                return need_more;
+            }
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+
+        /* Insert the string window[strstart .. strstart+2] in the
+         * dictionary, and set hash_head to the head of the hash chain:
+         */
+        if (s->lookahead >= MIN_MATCH) {
+            INSERT_STRING(s, s->strstart, hash_head);
+        }
+
+        /* Find the longest match, discarding those <= prev_length.
+         * At this point we have always match_length < MIN_MATCH
+         */
+        if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {
+            /* To simplify the code, we prevent matches with the string
+             * of window index 0 (in particular we have to avoid a match
+             * of the string with itself at the start of the input file).
+             */
+#ifdef FASTEST
+            if ((s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) ||
+                (s->strategy == Z_RLE && s->strstart - hash_head == 1)) {
+                s->match_length = longest_match_fast (s, hash_head);
+            }
+#else
+            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
+                s->match_length = longest_match (s, hash_head);
+            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
+                s->match_length = longest_match_fast (s, hash_head);
+            }
+#endif
+            /* longest_match() or longest_match_fast() sets match_start */
+        }
+        if (s->match_length >= MIN_MATCH) {
+            check_match(s, s->strstart, s->match_start, s->match_length);
+
+            _tr_tally_dist(s, s->strstart - s->match_start,
+                           s->match_length - MIN_MATCH, bflush);
+
+            s->lookahead -= s->match_length;
+
+            /* Insert new strings in the hash table only if the match length
+             * is not too large. This saves time but degrades compression.
+             */
+#ifndef FASTEST
+            if (s->match_length <= s->max_insert_length &&
+                s->lookahead >= MIN_MATCH) {
+                s->match_length--; /* string at strstart already in table */
+                do {
+                    s->strstart++;
+                    INSERT_STRING(s, s->strstart, hash_head);
+                    /* strstart never exceeds WSIZE-MAX_MATCH, so there are
+                     * always MIN_MATCH bytes ahead.
+                     */
+                } while (--s->match_length != 0);
+                s->strstart++;
+            } else
+#endif
+            {
+                s->strstart += s->match_length;
+                s->match_length = 0;
+                s->ins_h = s->window[s->strstart];
+                UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
+#if MIN_MATCH != 3
+                Call UPDATE_HASH() MIN_MATCH-3 more times
+#endif
+                /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
+                 * matter since it will be recomputed at next deflate call.
+                 */
+            }
+        } else {
+            /* No match, output a literal byte */
+            Tracevv((stderr,"%c", s->window[s->strstart]));
+            _tr_tally_lit (s, s->window[s->strstart], bflush);
+            s->lookahead--;
+            s->strstart++;
+        }
+        if (bflush) FLUSH_BLOCK(s, 0);
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+
+#ifndef FASTEST
+/* ===========================================================================
+ * Same as above, but achieves better compression. We use a lazy
+ * evaluation for matches: a match is finally adopted only if there is
+ * no better match at the next window position.
+ */
+local block_state deflate_slow(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    IPos hash_head = NIL;    /* head of hash chain */
+    int bflush;              /* set if current block must be flushed */
+
+    /* Process the input block. */
+    for (;;) {
+        /* Make sure that we always have enough lookahead, except
+         * at the end of the input file. We need MAX_MATCH bytes
+         * for the next match, plus MIN_MATCH bytes to insert the
+         * string following the next match.
+         */
+        if (s->lookahead < MIN_LOOKAHEAD) {
+            fill_window(s);
+            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
+                return need_more;
+            }
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+
+        /* Insert the string window[strstart .. strstart+2] in the
+         * dictionary, and set hash_head to the head of the hash chain:
+         */
+        if (s->lookahead >= MIN_MATCH) {
+            INSERT_STRING(s, s->strstart, hash_head);
+        }
+
+        /* Find the longest match, discarding those <= prev_length.
+         */
+        s->prev_length = s->match_length, s->prev_match = s->match_start;
+        s->match_length = MIN_MATCH-1;
+
+        if (hash_head != NIL && s->prev_length < s->max_lazy_match &&
+            s->strstart - hash_head <= MAX_DIST(s)) {
+            /* To simplify the code, we prevent matches with the string
+             * of window index 0 (in particular we have to avoid a match
+             * of the string with itself at the start of the input file).
+             */
+            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
+                s->match_length = longest_match (s, hash_head);
+            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
+                s->match_length = longest_match_fast (s, hash_head);
+            }
+            /* longest_match() or longest_match_fast() sets match_start */
+
+            if (s->match_length <= 5 && (s->strategy == Z_FILTERED
+#if TOO_FAR <= 32767
+                || (s->match_length == MIN_MATCH &&
+                    s->strstart - s->match_start > TOO_FAR)
+#endif
+                )) {
+
+                /* If prev_match is also MIN_MATCH, match_start is garbage
+                 * but we will ignore the current match anyway.
+                 */
+                s->match_length = MIN_MATCH-1;
+            }
+        }
+        /* If there was a match at the previous step and the current
+         * match is not better, output the previous match:
+         */
+        if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
+            uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
+            /* Do not insert strings in hash table beyond this. */
+
+            check_match(s, s->strstart-1, s->prev_match, s->prev_length);
+
+            _tr_tally_dist(s, s->strstart -1 - s->prev_match,
+                           s->prev_length - MIN_MATCH, bflush);
+
+            /* Insert in hash table all strings up to the end of the match.
+             * strstart-1 and strstart are already inserted. If there is not
+             * enough lookahead, the last two strings are not inserted in
+             * the hash table.
+             */
+            s->lookahead -= s->prev_length-1;
+            s->prev_length -= 2;
+            do {
+                if (++s->strstart <= max_insert) {
+                    INSERT_STRING(s, s->strstart, hash_head);
+                }
+            } while (--s->prev_length != 0);
+            s->match_available = 0;
+            s->match_length = MIN_MATCH-1;
+            s->strstart++;
+
+            if (bflush) FLUSH_BLOCK(s, 0);
+
+        } else if (s->match_available) {
+            /* If there was no match at the previous position, output a
+             * single literal. If there was a match but the current match
+             * is longer, truncate the previous match to a single literal.
+             */
+            Tracevv((stderr,"%c", s->window[s->strstart-1]));
+            _tr_tally_lit(s, s->window[s->strstart-1], bflush);
+            if (bflush) {
+                FLUSH_BLOCK_ONLY(s, 0);
+            }
+            s->strstart++;
+            s->lookahead--;
+            if (s->strm->avail_out == 0) return need_more;
+        } else {
+            /* There is no previous match to compare with, wait for
+             * the next step to decide.
+             */
+            s->match_available = 1;
+            s->strstart++;
+            s->lookahead--;
+        }
+    }
+    Assert (flush != Z_NO_FLUSH, "no flush?");
+    if (s->match_available) {
+        Tracevv((stderr,"%c", s->window[s->strstart-1]));
+        _tr_tally_lit(s, s->window[s->strstart-1], bflush);
+        s->match_available = 0;
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+#endif /* FASTEST */
+
+#if 0
+/* ===========================================================================
+ * For Z_RLE, simply look for runs of bytes, generate matches only of distance
+ * one.  Do not maintain a hash table.  (It will be regenerated if this run of
+ * deflate switches away from Z_RLE.)
+ */
+local block_state deflate_rle(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    int bflush;         /* set if current block must be flushed */
+    uInt run;           /* length of run */
+    uInt max;           /* maximum length of run */
+    uInt prev;          /* byte at distance one to match */
+    Bytef *scan;        /* scan for end of run */
+
+    for (;;) {
+        /* Make sure that we always have enough lookahead, except
+         * at the end of the input file. We need MAX_MATCH bytes
+         * for the longest encodable run.
+         */
+        if (s->lookahead < MAX_MATCH) {
+            fill_window(s);
+            if (s->lookahead < MAX_MATCH && flush == Z_NO_FLUSH) {
+                return need_more;
+            }
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+
+        /* See how many times the previous byte repeats */
+        run = 0;
+        if (s->strstart > 0) {      /* if there is a previous byte, that is */
+            max = s->lookahead < MAX_MATCH ? s->lookahead : MAX_MATCH;
+            scan = s->window + s->strstart - 1;
+            prev = *scan++;
+            do {
+                if (*scan++ != prev)
+                    break;
+            } while (++run < max);
+        }
+
+        /* Emit match if have run of MIN_MATCH or longer, else emit literal */
+        if (run >= MIN_MATCH) {
+            check_match(s, s->strstart, s->strstart - 1, run);
+            _tr_tally_dist(s, 1, run - MIN_MATCH, bflush);
+            s->lookahead -= run;
+            s->strstart += run;
+        } else {
+            /* No match, output a literal byte */
+            Tracevv((stderr,"%c", s->window[s->strstart]));
+            _tr_tally_lit (s, s->window[s->strstart], bflush);
+            s->lookahead--;
+            s->strstart++;
+        }
+        if (bflush) FLUSH_BLOCK(s, 0);
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+#endif
diff --git a/security/nss/cmd/zlib/deflate.h b/security/nss/cmd/zlib/deflate.h
new file mode 100644
index 000000000..05a5ab3a2
--- /dev/null
+++ b/security/nss/cmd/zlib/deflate.h
@@ -0,0 +1,331 @@
+/* deflate.h -- internal compression state
+ * Copyright (C) 1995-2004 Jean-loup Gailly
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* @(#) $Id$ */
+
+#ifndef DEFLATE_H
+#define DEFLATE_H
+
+#include "zutil.h"
+
+/* define NO_GZIP when compiling if you want to disable gzip header and
+   trailer creation by deflate().  NO_GZIP would be used to avoid linking in
+   the crc code when it is not needed.  For shared libraries, gzip encoding
+   should be left enabled. */
+#ifndef NO_GZIP
+#  define GZIP
+#endif
+
+/* ===========================================================================
+ * Internal compression state.
+ */
+
+#define LENGTH_CODES 29
+/* number of length codes, not counting the special END_BLOCK code */
+
+#define LITERALS  256
+/* number of literal bytes 0..255 */
+
+#define L_CODES (LITERALS+1+LENGTH_CODES)
+/* number of Literal or Length codes, including the END_BLOCK code */
+
+#define D_CODES   30
+/* number of distance codes */
+
+#define BL_CODES  19
+/* number of codes used to transfer the bit lengths */
+
+#define HEAP_SIZE (2*L_CODES+1)
+/* maximum heap size */
+
+#define MAX_BITS 15
+/* All codes must not exceed MAX_BITS bits */
+
+#define INIT_STATE    42
+#define EXTRA_STATE   69
+#define NAME_STATE    73
+#define COMMENT_STATE 91
+#define HCRC_STATE   103
+#define BUSY_STATE   113
+#define FINISH_STATE 666
+/* Stream status */
+
+
+/* Data structure describing a single value and its code string. */
+typedef struct ct_data_s {
+    union {
+        ush  freq;       /* frequency count */
+        ush  code;       /* bit string */
+    } fc;
+    union {
+        ush  dad;        /* father node in Huffman tree */
+        ush  len;        /* length of bit string */
+    } dl;
+} FAR ct_data;
+
+#define Freq fc.freq
+#define Code fc.code
+#define Dad  dl.dad
+#define Len  dl.len
+
+typedef struct static_tree_desc_s  static_tree_desc;
+
+typedef struct tree_desc_s {
+    ct_data *dyn_tree;           /* the dynamic tree */
+    int     max_code;            /* largest code with non zero frequency */
+    static_tree_desc *stat_desc; /* the corresponding static tree */
+} FAR tree_desc;
+
+typedef ush Pos;
+typedef Pos FAR Posf;
+typedef unsigned IPos;
+
+/* A Pos is an index in the character window. We use short instead of int to
+ * save space in the various tables. IPos is used only for parameter passing.
+ */
+
+typedef struct internal_state {
+    z_streamp strm;      /* pointer back to this zlib stream */
+    int   status;        /* as the name implies */
+    Bytef *pending_buf;  /* output still pending */
+    ulg   pending_buf_size; /* size of pending_buf */
+    Bytef *pending_out;  /* next pending byte to output to the stream */
+    uInt   pending;      /* nb of bytes in the pending buffer */
+    int   wrap;          /* bit 0 true for zlib, bit 1 true for gzip */
+    gz_headerp  gzhead;  /* gzip header information to write */
+    uInt   gzindex;      /* where in extra, name, or comment */
+    Byte  method;        /* STORED (for zip only) or DEFLATED */
+    int   last_flush;    /* value of flush param for previous deflate call */
+
+                /* used by deflate.c: */
+
+    uInt  w_size;        /* LZ77 window size (32K by default) */
+    uInt  w_bits;        /* log2(w_size)  (8..16) */
+    uInt  w_mask;        /* w_size - 1 */
+
+    Bytef *window;
+    /* Sliding window. Input bytes are read into the second half of the window,
+     * and move to the first half later to keep a dictionary of at least wSize
+     * bytes. With this organization, matches are limited to a distance of
+     * wSize-MAX_MATCH bytes, but this ensures that IO is always
+     * performed with a length multiple of the block size. Also, it limits
+     * the window size to 64K, which is quite useful on MSDOS.
+     * To do: use the user input buffer as sliding window.
+     */
+
+    ulg window_size;
+    /* Actual size of window: 2*wSize, except when the user input buffer
+     * is directly used as sliding window.
+     */
+
+    Posf *prev;
+    /* Link to older string with same hash index. To limit the size of this
+     * array to 64K, this link is maintained only for the last 32K strings.
+     * An index in this array is thus a window index modulo 32K.
+     */
+
+    Posf *head; /* Heads of the hash chains or NIL. */
+
+    uInt  ins_h;          /* hash index of string to be inserted */
+    uInt  hash_size;      /* number of elements in hash table */
+    uInt  hash_bits;      /* log2(hash_size) */
+    uInt  hash_mask;      /* hash_size-1 */
+
+    uInt  hash_shift;
+    /* Number of bits by which ins_h must be shifted at each input
+     * step. It must be such that after MIN_MATCH steps, the oldest
+     * byte no longer takes part in the hash key, that is:
+     *   hash_shift * MIN_MATCH >= hash_bits
+     */
+
+    long block_start;
+    /* Window position at the beginning of the current output block. Gets
+     * negative when the window is moved backwards.
+     */
+
+    uInt match_length;           /* length of best match */
+    IPos prev_match;             /* previous match */
+    int match_available;         /* set if previous match exists */
+    uInt strstart;               /* start of string to insert */
+    uInt match_start;            /* start of matching string */
+    uInt lookahead;              /* number of valid bytes ahead in window */
+
+    uInt prev_length;
+    /* Length of the best match at previous step. Matches not greater than this
+     * are discarded. This is used in the lazy match evaluation.
+     */
+
+    uInt max_chain_length;
+    /* To speed up deflation, hash chains are never searched beyond this
+     * length.  A higher limit improves compression ratio but degrades the
+     * speed.
+     */
+
+    uInt max_lazy_match;
+    /* Attempt to find a better match only when the current match is strictly
+     * smaller than this value. This mechanism is used only for compression
+     * levels >= 4.
+     */
+#   define max_insert_length  max_lazy_match
+    /* Insert new strings in the hash table only if the match length is not
+     * greater than this length. This saves time but degrades compression.
+     * max_insert_length is used only for compression levels <= 3.
+     */
+
+    int level;    /* compression level (1..9) */
+    int strategy; /* favor or force Huffman coding*/
+
+    uInt good_match;
+    /* Use a faster search when the previous match is longer than this */
+
+    int nice_match; /* Stop searching when current match exceeds this */
+
+                /* used by trees.c: */
+    /* Didn't use ct_data typedef below to supress compiler warning */
+    struct ct_data_s dyn_ltree[HEAP_SIZE];   /* literal and length tree */
+    struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
+    struct ct_data_s bl_tree[2*BL_CODES+1];  /* Huffman tree for bit lengths */
+
+    struct tree_desc_s l_desc;               /* desc. for literal tree */
+    struct tree_desc_s d_desc;               /* desc. for distance tree */
+    struct tree_desc_s bl_desc;              /* desc. for bit length tree */
+
+    ush bl_count[MAX_BITS+1];
+    /* number of codes at each bit length for an optimal tree */
+
+    int heap[2*L_CODES+1];      /* heap used to build the Huffman trees */
+    int heap_len;               /* number of elements in the heap */
+    int heap_max;               /* element of largest frequency */
+    /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
+     * The same heap array is used to build all trees.
+     */
+
+    uch depth[2*L_CODES+1];
+    /* Depth of each subtree used as tie breaker for trees of equal frequency
+     */
+
+    uchf *l_buf;          /* buffer for literals or lengths */
+
+    uInt  lit_bufsize;
+    /* Size of match buffer for literals/lengths.  There are 4 reasons for
+     * limiting lit_bufsize to 64K:
+     *   - frequencies can be kept in 16 bit counters
+     *   - if compression is not successful for the first block, all input
+     *     data is still in the window so we can still emit a stored block even
+     *     when input comes from standard input.  (This can also be done for
+     *     all blocks if lit_bufsize is not greater than 32K.)
+     *   - if compression is not successful for a file smaller than 64K, we can
+     *     even emit a stored file instead of a stored block (saving 5 bytes).
+     *     This is applicable only for zip (not gzip or zlib).
+     *   - creating new Huffman trees less frequently may not provide fast
+     *     adaptation to changes in the input data statistics. (Take for
+     *     example a binary file with poorly compressible code followed by
+     *     a highly compressible string table.) Smaller buffer sizes give
+     *     fast adaptation but have of course the overhead of transmitting
+     *     trees more frequently.
+     *   - I can't count above 4
+     */
+
+    uInt last_lit;      /* running index in l_buf */
+
+    ushf *d_buf;
+    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+     * the same number of elements. To use different lengths, an extra flag
+     * array would be necessary.
+     */
+
+    ulg opt_len;        /* bit length of current block with optimal trees */
+    ulg static_len;     /* bit length of current block with static trees */
+    uInt matches;       /* number of string matches in current block */
+    int last_eob_len;   /* bit length of EOB code for last block */
+
+#ifdef DEBUG
+    ulg compressed_len; /* total bit length of compressed file mod 2^32 */
+    ulg bits_sent;      /* bit length of compressed data sent mod 2^32 */
+#endif
+
+    ush bi_buf;
+    /* Output buffer. bits are inserted starting at the bottom (least
+     * significant bits).
+     */
+    int bi_valid;
+    /* Number of valid bits in bi_buf.  All bits above the last valid bit
+     * are always zero.
+     */
+
+} FAR deflate_state;
+
+/* Output a byte on the stream.
+ * IN assertion: there is enough room in pending_buf.
+ */
+#define put_byte(s, c) {s->pending_buf[s->pending++] = (c);}
+
+
+#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
+/* Minimum amount of lookahead, except at the end of the input file.
+ * See deflate.c for comments about the MIN_MATCH+1.
+ */
+
+#define MAX_DIST(s)  ((s)->w_size-MIN_LOOKAHEAD)
+/* In order to simplify the code, particularly on 16 bit machines, match
+ * distances are limited to MAX_DIST instead of WSIZE.
+ */
+
+        /* in trees.c */
+void _tr_init         OF((deflate_state *s));
+int  _tr_tally        OF((deflate_state *s, unsigned dist, unsigned lc));
+void _tr_flush_block  OF((deflate_state *s, charf *buf, ulg stored_len,
+                          int eof));
+void _tr_align        OF((deflate_state *s));
+void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
+                          int eof));
+
+#define d_code(dist) \
+   ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
+/* Mapping from a distance to a distance code. dist is the distance - 1 and
+ * must not have side effects. _dist_code[256] and _dist_code[257] are never
+ * used.
+ */
+
+#ifndef DEBUG
+/* Inline versions of _tr_tally for speed: */
+
+#if defined(GEN_TREES_H) || !defined(STDC)
+  extern uch _length_code[];
+  extern uch _dist_code[];
+#else
+  extern const uch _length_code[];
+  extern const uch _dist_code[];
+#endif
+
+# define _tr_tally_lit(s, c, flush) \
+  { uch cc = (c); \
+    s->d_buf[s->last_lit] = 0; \
+    s->l_buf[s->last_lit++] = cc; \
+    s->dyn_ltree[cc].Freq++; \
+    flush = (s->last_lit == s->lit_bufsize-1); \
+   }
+# define _tr_tally_dist(s, distance, length, flush) \
+  { uch len = (length); \
+    ush dist = (distance); \
+    s->d_buf[s->last_lit] = dist; \
+    s->l_buf[s->last_lit++] = len; \
+    dist--; \
+    s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+    s->dyn_dtree[d_code(dist)].Freq++; \
+    flush = (s->last_lit == s->lit_bufsize-1); \
+  }
+#else
+# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+# define _tr_tally_dist(s, distance, length, flush) \
+              flush = _tr_tally(s, distance, length)
+#endif
+
+#endif /* DEFLATE_H */
diff --git a/security/nss/cmd/zlib/example.c b/security/nss/cmd/zlib/example.c
new file mode 100644
index 000000000..6c8a0ee76
--- /dev/null
+++ b/security/nss/cmd/zlib/example.c
@@ -0,0 +1,565 @@
+/* example.c -- usage example of the zlib compression library
+ * Copyright (C) 1995-2004 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#include <stdio.h>
+#include "zlib.h"
+
+#ifdef STDC
+#  include <string.h>
+#  include <stdlib.h>
+#endif
+
+#if defined(VMS) || defined(RISCOS)
+#  define TESTFILE "foo-gz"
+#else
+#  define TESTFILE "foo.gz"
+#endif
+
+#define CHECK_ERR(err, msg) { \
+    if (err != Z_OK) { \
+        fprintf(stderr, "%s error: %d\n", msg, err); \
+        exit(1); \
+    } \
+}
+
+const char hello[] = "hello, hello!";
+/* "hello world" would be more standard, but the repeated "hello"
+ * stresses the compression code better, sorry...
+ */
+
+const char dictionary[] = "hello";
+uLong dictId; /* Adler32 value of the dictionary */
+
+void test_compress      OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+void test_gzio          OF((const char *fname,
+                            Byte *uncompr, uLong uncomprLen));
+void test_deflate       OF((Byte *compr, uLong comprLen));
+void test_inflate       OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+void test_large_deflate OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+void test_large_inflate OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+void test_flush         OF((Byte *compr, uLong *comprLen));
+void test_sync          OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+void test_dict_deflate  OF((Byte *compr, uLong comprLen));
+void test_dict_inflate  OF((Byte *compr, uLong comprLen,
+                            Byte *uncompr, uLong uncomprLen));
+int  main               OF((int argc, char *argv[]));
+
+/* ===========================================================================
+ * Test compress() and uncompress()
+ */
+void test_compress(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    int err;
+    uLong len = (uLong)strlen(hello)+1;
+
+    err = compress(compr, &comprLen, (const Bytef*)hello, len);
+    CHECK_ERR(err, "compress");
+
+    strcpy((char*)uncompr, "garbage");
+
+    err = uncompress(uncompr, &uncomprLen, compr, comprLen);
+    CHECK_ERR(err, "uncompress");
+
+    if (strcmp((char*)uncompr, hello)) {
+        fprintf(stderr, "bad uncompress\n");
+        exit(1);
+    } else {
+        printf("uncompress(): %s\n", (char *)uncompr);
+    }
+}
+
+/* ===========================================================================
+ * Test read/write of .gz files
+ */
+void test_gzio(fname, uncompr, uncomprLen)
+    const char *fname; /* compressed file name */
+    Byte *uncompr;
+    uLong uncomprLen;
+{
+#ifdef NO_GZCOMPRESS
+    fprintf(stderr, "NO_GZCOMPRESS -- gz* functions cannot compress\n");
+#else
+    int err;
+    int len = (int)strlen(hello)+1;
+    gzFile file;
+    z_off_t pos;
+
+    file = gzopen(fname, "wb");
+    if (file == NULL) {
+        fprintf(stderr, "gzopen error\n");
+        exit(1);
+    }
+    gzputc(file, 'h');
+    if (gzputs(file, "ello") != 4) {
+        fprintf(stderr, "gzputs err: %s\n", gzerror(file, &err));
+        exit(1);
+    }
+    if (gzprintf(file, ", %s!", "hello") != 8) {
+        fprintf(stderr, "gzprintf err: %s\n", gzerror(file, &err));
+        exit(1);
+    }
+    gzseek(file, 1L, SEEK_CUR); /* add one zero byte */
+    gzclose(file);
+
+    file = gzopen(fname, "rb");
+    if (file == NULL) {
+        fprintf(stderr, "gzopen error\n");
+        exit(1);
+    }
+    strcpy((char*)uncompr, "garbage");
+
+    if (gzread(file, uncompr, (unsigned)uncomprLen) != len) {
+        fprintf(stderr, "gzread err: %s\n", gzerror(file, &err));
+        exit(1);
+    }
+    if (strcmp((char*)uncompr, hello)) {
+        fprintf(stderr, "bad gzread: %s\n", (char*)uncompr);
+        exit(1);
+    } else {
+        printf("gzread(): %s\n", (char*)uncompr);
+    }
+
+    pos = gzseek(file, -8L, SEEK_CUR);
+    if (pos != 6 || gztell(file) != pos) {
+        fprintf(stderr, "gzseek error, pos=%ld, gztell=%ld\n",
+                (long)pos, (long)gztell(file));
+        exit(1);
+    }
+
+    if (gzgetc(file) != ' ') {
+        fprintf(stderr, "gzgetc error\n");
+        exit(1);
+    }
+
+    if (gzungetc(' ', file) != ' ') {
+        fprintf(stderr, "gzungetc error\n");
+        exit(1);
+    }
+
+    gzgets(file, (char*)uncompr, (int)uncomprLen);
+    if (strlen((char*)uncompr) != 7) { /* " hello!" */
+        fprintf(stderr, "gzgets err after gzseek: %s\n", gzerror(file, &err));
+        exit(1);
+    }
+    if (strcmp((char*)uncompr, hello + 6)) {
+        fprintf(stderr, "bad gzgets after gzseek\n");
+        exit(1);
+    } else {
+        printf("gzgets() after gzseek: %s\n", (char*)uncompr);
+    }
+
+    gzclose(file);
+#endif
+}
+
+/* ===========================================================================
+ * Test deflate() with small buffers
+ */
+void test_deflate(compr, comprLen)
+    Byte *compr;
+    uLong comprLen;
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+    uLong len = (uLong)strlen(hello)+1;
+
+    c_stream.zalloc = (alloc_func)0;
+    c_stream.zfree = (free_func)0;
+    c_stream.opaque = (voidpf)0;
+
+    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
+    CHECK_ERR(err, "deflateInit");
+
+    c_stream.next_in  = (Bytef*)hello;
+    c_stream.next_out = compr;
+
+    while (c_stream.total_in != len && c_stream.total_out < comprLen) {
+        c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */
+        err = deflate(&c_stream, Z_NO_FLUSH);
+        CHECK_ERR(err, "deflate");
+    }
+    /* Finish the stream, still forcing small buffers: */
+    for (;;) {
+        c_stream.avail_out = 1;
+        err = deflate(&c_stream, Z_FINISH);
+        if (err == Z_STREAM_END) break;
+        CHECK_ERR(err, "deflate");
+    }
+
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+}
+
+/* ===========================================================================
+ * Test inflate() with small buffers
+ */
+void test_inflate(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    strcpy((char*)uncompr, "garbage");
+
+    d_stream.zalloc = (alloc_func)0;
+    d_stream.zfree = (free_func)0;
+    d_stream.opaque = (voidpf)0;
+
+    d_stream.next_in  = compr;
+    d_stream.avail_in = 0;
+    d_stream.next_out = uncompr;
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen) {
+        d_stream.avail_in = d_stream.avail_out = 1; /* force small buffers */
+        err = inflate(&d_stream, Z_NO_FLUSH);
+        if (err == Z_STREAM_END) break;
+        CHECK_ERR(err, "inflate");
+    }
+
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+
+    if (strcmp((char*)uncompr, hello)) {
+        fprintf(stderr, "bad inflate\n");
+        exit(1);
+    } else {
+        printf("inflate(): %s\n", (char *)uncompr);
+    }
+}
+
+/* ===========================================================================
+ * Test deflate() with large buffers and dynamic change of compression level
+ */
+void test_large_deflate(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+
+    c_stream.zalloc = (alloc_func)0;
+    c_stream.zfree = (free_func)0;
+    c_stream.opaque = (voidpf)0;
+
+    err = deflateInit(&c_stream, Z_BEST_SPEED);
+    CHECK_ERR(err, "deflateInit");
+
+    c_stream.next_out = compr;
+    c_stream.avail_out = (uInt)comprLen;
+
+    /* At this point, uncompr is still mostly zeroes, so it should compress
+     * very well:
+     */
+    c_stream.next_in = uncompr;
+    c_stream.avail_in = (uInt)uncomprLen;
+    err = deflate(&c_stream, Z_NO_FLUSH);
+    CHECK_ERR(err, "deflate");
+    if (c_stream.avail_in != 0) {
+        fprintf(stderr, "deflate not greedy\n");
+        exit(1);
+    }
+
+    /* Feed in already compressed data and switch to no compression: */
+    deflateParams(&c_stream, Z_NO_COMPRESSION, Z_DEFAULT_STRATEGY);
+    c_stream.next_in = compr;
+    c_stream.avail_in = (uInt)comprLen/2;
+    err = deflate(&c_stream, Z_NO_FLUSH);
+    CHECK_ERR(err, "deflate");
+
+    /* Switch back to compressing mode: */
+    deflateParams(&c_stream, Z_BEST_COMPRESSION, Z_FILTERED);
+    c_stream.next_in = uncompr;
+    c_stream.avail_in = (uInt)uncomprLen;
+    err = deflate(&c_stream, Z_NO_FLUSH);
+    CHECK_ERR(err, "deflate");
+
+    err = deflate(&c_stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        fprintf(stderr, "deflate should report Z_STREAM_END\n");
+        exit(1);
+    }
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+}
+
+/* ===========================================================================
+ * Test inflate() with large buffers
+ */
+void test_large_inflate(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    strcpy((char*)uncompr, "garbage");
+
+    d_stream.zalloc = (alloc_func)0;
+    d_stream.zfree = (free_func)0;
+    d_stream.opaque = (voidpf)0;
+
+    d_stream.next_in  = compr;
+    d_stream.avail_in = (uInt)comprLen;
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    for (;;) {
+        d_stream.next_out = uncompr;            /* discard the output */
+        d_stream.avail_out = (uInt)uncomprLen;
+        err = inflate(&d_stream, Z_NO_FLUSH);
+        if (err == Z_STREAM_END) break;
+        CHECK_ERR(err, "large inflate");
+    }
+
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+
+    if (d_stream.total_out != 2*uncomprLen + comprLen/2) {
+        fprintf(stderr, "bad large inflate: %ld\n", d_stream.total_out);
+        exit(1);
+    } else {
+        printf("large_inflate(): OK\n");
+    }
+}
+
+/* ===========================================================================
+ * Test deflate() with full flush
+ */
+void test_flush(compr, comprLen)
+    Byte *compr;
+    uLong *comprLen;
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+    uInt len = (uInt)strlen(hello)+1;
+
+    c_stream.zalloc = (alloc_func)0;
+    c_stream.zfree = (free_func)0;
+    c_stream.opaque = (voidpf)0;
+
+    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
+    CHECK_ERR(err, "deflateInit");
+
+    c_stream.next_in  = (Bytef*)hello;
+    c_stream.next_out = compr;
+    c_stream.avail_in = 3;
+    c_stream.avail_out = (uInt)*comprLen;
+    err = deflate(&c_stream, Z_FULL_FLUSH);
+    CHECK_ERR(err, "deflate");
+
+    compr[3]++; /* force an error in first compressed block */
+    c_stream.avail_in = len - 3;
+
+    err = deflate(&c_stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        CHECK_ERR(err, "deflate");
+    }
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+
+    *comprLen = c_stream.total_out;
+}
+
+/* ===========================================================================
+ * Test inflateSync()
+ */
+void test_sync(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    strcpy((char*)uncompr, "garbage");
+
+    d_stream.zalloc = (alloc_func)0;
+    d_stream.zfree = (free_func)0;
+    d_stream.opaque = (voidpf)0;
+
+    d_stream.next_in  = compr;
+    d_stream.avail_in = 2; /* just read the zlib header */
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    d_stream.next_out = uncompr;
+    d_stream.avail_out = (uInt)uncomprLen;
+
+    inflate(&d_stream, Z_NO_FLUSH);
+    CHECK_ERR(err, "inflate");
+
+    d_stream.avail_in = (uInt)comprLen-2;   /* read all compressed data */
+    err = inflateSync(&d_stream);           /* but skip the damaged part */
+    CHECK_ERR(err, "inflateSync");
+
+    err = inflate(&d_stream, Z_FINISH);
+    if (err != Z_DATA_ERROR) {
+        fprintf(stderr, "inflate should report DATA_ERROR\n");
+        /* Because of incorrect adler32 */
+        exit(1);
+    }
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+
+    printf("after inflateSync(): hel%s\n", (char *)uncompr);
+}
+
+/* ===========================================================================
+ * Test deflate() with preset dictionary
+ */
+void test_dict_deflate(compr, comprLen)
+    Byte *compr;
+    uLong comprLen;
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+
+    c_stream.zalloc = (alloc_func)0;
+    c_stream.zfree = (free_func)0;
+    c_stream.opaque = (voidpf)0;
+
+    err = deflateInit(&c_stream, Z_BEST_COMPRESSION);
+    CHECK_ERR(err, "deflateInit");
+
+    err = deflateSetDictionary(&c_stream,
+                               (const Bytef*)dictionary, sizeof(dictionary));
+    CHECK_ERR(err, "deflateSetDictionary");
+
+    dictId = c_stream.adler;
+    c_stream.next_out = compr;
+    c_stream.avail_out = (uInt)comprLen;
+
+    c_stream.next_in = (Bytef*)hello;
+    c_stream.avail_in = (uInt)strlen(hello)+1;
+
+    err = deflate(&c_stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        fprintf(stderr, "deflate should report Z_STREAM_END\n");
+        exit(1);
+    }
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+}
+
+/* ===========================================================================
+ * Test inflate() with a preset dictionary
+ */
+void test_dict_inflate(compr, comprLen, uncompr, uncomprLen)
+    Byte *compr, *uncompr;
+    uLong comprLen, uncomprLen;
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    strcpy((char*)uncompr, "garbage");
+
+    d_stream.zalloc = (alloc_func)0;
+    d_stream.zfree = (free_func)0;
+    d_stream.opaque = (voidpf)0;
+
+    d_stream.next_in  = compr;
+    d_stream.avail_in = (uInt)comprLen;
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    d_stream.next_out = uncompr;
+    d_stream.avail_out = (uInt)uncomprLen;
+
+    for (;;) {
+        err = inflate(&d_stream, Z_NO_FLUSH);
+        if (err == Z_STREAM_END) break;
+        if (err == Z_NEED_DICT) {
+            if (d_stream.adler != dictId) {
+                fprintf(stderr, "unexpected dictionary");
+                exit(1);
+            }
+            err = inflateSetDictionary(&d_stream, (const Bytef*)dictionary,
+                                       sizeof(dictionary));
+        }
+        CHECK_ERR(err, "inflate with dict");
+    }
+
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+
+    if (strcmp((char*)uncompr, hello)) {
+        fprintf(stderr, "bad inflate with dict\n");
+        exit(1);
+    } else {
+        printf("inflate with dictionary: %s\n", (char *)uncompr);
+    }
+}
+
+/* ===========================================================================
+ * Usage:  example [output.gz  [input.gz]]
+ */
+
+int main(argc, argv)
+    int argc;
+    char *argv[];
+{
+    Byte *compr, *uncompr;
+    uLong comprLen = 10000*sizeof(int); /* don't overflow on MSDOS */
+    uLong uncomprLen = comprLen;
+    static const char* myVersion = ZLIB_VERSION;
+
+    if (zlibVersion()[0] != myVersion[0]) {
+        fprintf(stderr, "incompatible zlib version\n");
+        exit(1);
+
+    } else if (strcmp(zlibVersion(), ZLIB_VERSION) != 0) {
+        fprintf(stderr, "warning: different zlib version\n");
+    }
+
+    printf("zlib version %s = 0x%04x, compile flags = 0x%lx\n",
+            ZLIB_VERSION, ZLIB_VERNUM, zlibCompileFlags());
+
+    compr    = (Byte*)calloc((uInt)comprLen, 1);
+    uncompr  = (Byte*)calloc((uInt)uncomprLen, 1);
+    /* compr and uncompr are cleared to avoid reading uninitialized
+     * data and to ensure that uncompr compresses well.
+     */
+    if (compr == Z_NULL || uncompr == Z_NULL) {
+        printf("out of memory\n");
+        exit(1);
+    }
+    test_compress(compr, comprLen, uncompr, uncomprLen);
+
+    test_gzio((argc > 1 ? argv[1] : TESTFILE),
+              uncompr, uncomprLen);
+
+    test_deflate(compr, comprLen);
+    test_inflate(compr, comprLen, uncompr, uncomprLen);
+
+    test_large_deflate(compr, comprLen, uncompr, uncomprLen);
+    test_large_inflate(compr, comprLen, uncompr, uncomprLen);
+
+    test_flush(compr, &comprLen);
+    test_sync(compr, comprLen, uncompr, uncomprLen);
+    comprLen = uncomprLen;
+
+    test_dict_deflate(compr, comprLen);
+    test_dict_inflate(compr, comprLen, uncompr, uncomprLen);
+
+    free(compr);
+    free(uncompr);
+
+    return 0;
+}
diff --git a/security/nss/cmd/zlib/gzio.c b/security/nss/cmd/zlib/gzio.c
new file mode 100644
index 000000000..7e90f4928
--- /dev/null
+++ b/security/nss/cmd/zlib/gzio.c
@@ -0,0 +1,1026 @@
+/* gzio.c -- IO on .gz files
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ *
+ * Compile this file with -DNO_GZCOMPRESS to avoid the compression code.
+ */
+
+/* @(#) $Id$ */
+
+#include <stdio.h>
+
+#include "zutil.h"
+
+#ifdef NO_DEFLATE       /* for compatibility with old definition */
+#  define NO_GZCOMPRESS
+#endif
+
+#ifndef NO_DUMMY_DECL
+struct internal_state {int dummy;}; /* for buggy compilers */
+#endif
+
+#ifndef Z_BUFSIZE
+#  ifdef MAXSEG_64K
+#    define Z_BUFSIZE 4096 /* minimize memory usage for 16-bit DOS */
+#  else
+#    define Z_BUFSIZE 16384
+#  endif
+#endif
+#ifndef Z_PRINTF_BUFSIZE
+#  define Z_PRINTF_BUFSIZE 4096
+#endif
+
+#ifdef __MVS__
+#  pragma map (fdopen , "\174\174FDOPEN")
+   FILE *fdopen(int, const char *);
+#endif
+
+#ifndef STDC
+extern voidp  malloc OF((uInt size));
+extern void   free   OF((voidpf ptr));
+#endif
+
+#define ALLOC(size) malloc(size)
+#define TRYFREE(p) {if (p) free(p);}
+
+static int const gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */
+
+/* gzip flag byte */
+#define ASCII_FLAG   0x01 /* bit 0 set: file probably ascii text */
+#define HEAD_CRC     0x02 /* bit 1 set: header CRC present */
+#define EXTRA_FIELD  0x04 /* bit 2 set: extra field present */
+#define ORIG_NAME    0x08 /* bit 3 set: original file name present */
+#define COMMENT      0x10 /* bit 4 set: file comment present */
+#define RESERVED     0xE0 /* bits 5..7: reserved */
+
+typedef struct gz_stream {
+    z_stream stream;
+    int      z_err;   /* error code for last stream operation */
+    int      z_eof;   /* set if end of input file */
+    FILE     *file;   /* .gz file */
+    Byte     *inbuf;  /* input buffer */
+    Byte     *outbuf; /* output buffer */
+    uLong    crc;     /* crc32 of uncompressed data */
+    char     *msg;    /* error message */
+    char     *path;   /* path name for debugging only */
+    int      transparent; /* 1 if input file is not a .gz file */
+    char     mode;    /* 'w' or 'r' */
+    z_off_t  start;   /* start of compressed data in file (header skipped) */
+    z_off_t  in;      /* bytes into deflate or inflate */
+    z_off_t  out;     /* bytes out of deflate or inflate */
+    int      back;    /* one character push-back */
+    int      last;    /* true if push-back is last character */
+} gz_stream;
+
+
+local gzFile gz_open      OF((const char *path, const char *mode, int  fd));
+local int do_flush        OF((gzFile file, int flush));
+local int    get_byte     OF((gz_stream *s));
+local void   check_header OF((gz_stream *s));
+local int    destroy      OF((gz_stream *s));
+local void   putLong      OF((FILE *file, uLong x));
+local uLong  getLong      OF((gz_stream *s));
+
+/* ===========================================================================
+     Opens a gzip (.gz) file for reading or writing. The mode parameter
+   is as in fopen ("rb" or "wb"). The file is given either by file descriptor
+   or path name (if fd == -1).
+     gz_open returns NULL if the file could not be opened or if there was
+   insufficient memory to allocate the (de)compression state; errno
+   can be checked to distinguish the two cases (if errno is zero, the
+   zlib error is Z_MEM_ERROR).
+*/
+local gzFile gz_open (path, mode, fd)
+    const char *path;
+    const char *mode;
+    int  fd;
+{
+    int err;
+    int level = Z_DEFAULT_COMPRESSION; /* compression level */
+    int strategy = Z_DEFAULT_STRATEGY; /* compression strategy */
+    char *p = (char*)mode;
+    gz_stream *s;
+    char fmode[80]; /* copy of mode, without the compression level */
+    char *m = fmode;
+
+    if (!path || !mode) return Z_NULL;
+
+    s = (gz_stream *)ALLOC(sizeof(gz_stream));
+    if (!s) return Z_NULL;
+
+    s->stream.zalloc = (alloc_func)0;
+    s->stream.zfree = (free_func)0;
+    s->stream.opaque = (voidpf)0;
+    s->stream.next_in = s->inbuf = Z_NULL;
+    s->stream.next_out = s->outbuf = Z_NULL;
+    s->stream.avail_in = s->stream.avail_out = 0;
+    s->file = NULL;
+    s->z_err = Z_OK;
+    s->z_eof = 0;
+    s->in = 0;
+    s->out = 0;
+    s->back = EOF;
+    s->crc = crc32(0L, Z_NULL, 0);
+    s->msg = NULL;
+    s->transparent = 0;
+
+    s->path = (char*)ALLOC(strlen(path)+1);
+    if (s->path == NULL) {
+        return destroy(s), (gzFile)Z_NULL;
+    }
+    strcpy(s->path, path); /* do this early for debugging */
+
+    s->mode = '\0';
+    do {
+        if (*p == 'r') s->mode = 'r';
+        if (*p == 'w' || *p == 'a') s->mode = 'w';
+        if (*p >= '0' && *p <= '9') {
+            level = *p - '0';
+        } else if (*p == 'f') {
+          strategy = Z_FILTERED;
+        } else if (*p == 'h') {
+          strategy = Z_HUFFMAN_ONLY;
+        } else if (*p == 'R') {
+          strategy = Z_RLE;
+        } else {
+            *m++ = *p; /* copy the mode */
+        }
+    } while (*p++ && m != fmode + sizeof(fmode));
+    if (s->mode == '\0') return destroy(s), (gzFile)Z_NULL;
+
+    if (s->mode == 'w') {
+#ifdef NO_GZCOMPRESS
+        err = Z_STREAM_ERROR;
+#else
+        err = deflateInit2(&(s->stream), level,
+                           Z_DEFLATED, -MAX_WBITS, DEF_MEM_LEVEL, strategy);
+        /* windowBits is passed < 0 to suppress zlib header */
+
+        s->stream.next_out = s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
+#endif
+        if (err != Z_OK || s->outbuf == Z_NULL) {
+            return destroy(s), (gzFile)Z_NULL;
+        }
+    } else {
+        s->stream.next_in  = s->inbuf = (Byte*)ALLOC(Z_BUFSIZE);
+
+        err = inflateInit2(&(s->stream), -MAX_WBITS);
+        /* windowBits is passed < 0 to tell that there is no zlib header.
+         * Note that in this case inflate *requires* an extra "dummy" byte
+         * after the compressed stream in order to complete decompression and
+         * return Z_STREAM_END. Here the gzip CRC32 ensures that 4 bytes are
+         * present after the compressed stream.
+         */
+        if (err != Z_OK || s->inbuf == Z_NULL) {
+            return destroy(s), (gzFile)Z_NULL;
+        }
+    }
+    s->stream.avail_out = Z_BUFSIZE;
+
+    errno = 0;
+    s->file = fd < 0 ? F_OPEN(path, fmode) : (FILE*)fdopen(fd, fmode);
+
+    if (s->file == NULL) {
+        return destroy(s), (gzFile)Z_NULL;
+    }
+    if (s->mode == 'w') {
+        /* Write a very simple .gz header:
+         */
+        fprintf(s->file, "%c%c%c%c%c%c%c%c%c%c", gz_magic[0], gz_magic[1],
+             Z_DEFLATED, 0 /*flags*/, 0,0,0,0 /*time*/, 0 /*xflags*/, OS_CODE);
+        s->start = 10L;
+        /* We use 10L instead of ftell(s->file) to because ftell causes an
+         * fflush on some systems. This version of the library doesn't use
+         * start anyway in write mode, so this initialization is not
+         * necessary.
+         */
+    } else {
+        check_header(s); /* skip the .gz header */
+        s->start = ftell(s->file) - s->stream.avail_in;
+    }
+
+    return (gzFile)s;
+}
+
+/* ===========================================================================
+     Opens a gzip (.gz) file for reading or writing.
+*/
+gzFile ZEXPORT gzopen (path, mode)
+    const char *path;
+    const char *mode;
+{
+    return gz_open (path, mode, -1);
+}
+
+/* ===========================================================================
+     Associate a gzFile with the file descriptor fd. fd is not dup'ed here
+   to mimic the behavio(u)r of fdopen.
+*/
+gzFile ZEXPORT gzdopen (fd, mode)
+    int fd;
+    const char *mode;
+{
+    char name[46];      /* allow for up to 128-bit integers */
+
+    if (fd < 0) return (gzFile)Z_NULL;
+    sprintf(name, "<fd:%d>", fd); /* for debugging */
+
+    return gz_open (name, mode, fd);
+}
+
+/* ===========================================================================
+ * Update the compression level and strategy
+ */
+int ZEXPORT gzsetparams (file, level, strategy)
+    gzFile file;
+    int level;
+    int strategy;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
+
+    /* Make room to allow flushing */
+    if (s->stream.avail_out == 0) {
+
+        s->stream.next_out = s->outbuf;
+        if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
+            s->z_err = Z_ERRNO;
+        }
+        s->stream.avail_out = Z_BUFSIZE;
+    }
+
+    return deflateParams (&(s->stream), level, strategy);
+}
+
+/* ===========================================================================
+     Read a byte from a gz_stream; update next_in and avail_in. Return EOF
+   for end of file.
+   IN assertion: the stream s has been sucessfully opened for reading.
+*/
+local int get_byte(s)
+    gz_stream *s;
+{
+    if (s->z_eof) return EOF;
+    if (s->stream.avail_in == 0) {
+        errno = 0;
+        s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
+        if (s->stream.avail_in == 0) {
+            s->z_eof = 1;
+            if (ferror(s->file)) s->z_err = Z_ERRNO;
+            return EOF;
+        }
+        s->stream.next_in = s->inbuf;
+    }
+    s->stream.avail_in--;
+    return *(s->stream.next_in)++;
+}
+
+/* ===========================================================================
+      Check the gzip header of a gz_stream opened for reading. Set the stream
+    mode to transparent if the gzip magic header is not present; set s->err
+    to Z_DATA_ERROR if the magic header is present but the rest of the header
+    is incorrect.
+    IN assertion: the stream s has already been created sucessfully;
+       s->stream.avail_in is zero for the first time, but may be non-zero
+       for concatenated .gz files.
+*/
+local void check_header(s)
+    gz_stream *s;
+{
+    int method; /* method byte */
+    int flags;  /* flags byte */
+    uInt len;
+    int c;
+
+    /* Assure two bytes in the buffer so we can peek ahead -- handle case
+       where first byte of header is at the end of the buffer after the last
+       gzip segment */
+    len = s->stream.avail_in;
+    if (len < 2) {
+        if (len) s->inbuf[0] = s->stream.next_in[0];
+        errno = 0;
+        len = (uInt)fread(s->inbuf + len, 1, Z_BUFSIZE >> len, s->file);
+        if (len == 0 && ferror(s->file)) s->z_err = Z_ERRNO;
+        s->stream.avail_in += len;
+        s->stream.next_in = s->inbuf;
+        if (s->stream.avail_in < 2) {
+            s->transparent = s->stream.avail_in;
+            return;
+        }
+    }
+
+    /* Peek ahead to check the gzip magic header */
+    if (s->stream.next_in[0] != gz_magic[0] ||
+        s->stream.next_in[1] != gz_magic[1]) {
+        s->transparent = 1;
+        return;
+    }
+    s->stream.avail_in -= 2;
+    s->stream.next_in += 2;
+
+    /* Check the rest of the gzip header */
+    method = get_byte(s);
+    flags = get_byte(s);
+    if (method != Z_DEFLATED || (flags & RESERVED) != 0) {
+        s->z_err = Z_DATA_ERROR;
+        return;
+    }
+
+    /* Discard time, xflags and OS code: */
+    for (len = 0; len < 6; len++) (void)get_byte(s);
+
+    if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */
+        len  =  (uInt)get_byte(s);
+        len += ((uInt)get_byte(s))<<8;
+        /* len is garbage if EOF but the loop below will quit anyway */
+        while (len-- != 0 && get_byte(s) != EOF) ;
+    }
+    if ((flags & ORIG_NAME) != 0) { /* skip the original file name */
+        while ((c = get_byte(s)) != 0 && c != EOF) ;
+    }
+    if ((flags & COMMENT) != 0) {   /* skip the .gz file comment */
+        while ((c = get_byte(s)) != 0 && c != EOF) ;
+    }
+    if ((flags & HEAD_CRC) != 0) {  /* skip the header crc */
+        for (len = 0; len < 2; len++) (void)get_byte(s);
+    }
+    s->z_err = s->z_eof ? Z_DATA_ERROR : Z_OK;
+}
+
+ /* ===========================================================================
+ * Cleanup then free the given gz_stream. Return a zlib error code.
+   Try freeing in the reverse order of allocations.
+ */
+local int destroy (s)
+    gz_stream *s;
+{
+    int err = Z_OK;
+
+    if (!s) return Z_STREAM_ERROR;
+
+    TRYFREE(s->msg);
+
+    if (s->stream.state != NULL) {
+        if (s->mode == 'w') {
+#ifdef NO_GZCOMPRESS
+            err = Z_STREAM_ERROR;
+#else
+            err = deflateEnd(&(s->stream));
+#endif
+        } else if (s->mode == 'r') {
+            err = inflateEnd(&(s->stream));
+        }
+    }
+    if (s->file != NULL && fclose(s->file)) {
+#ifdef ESPIPE
+        if (errno != ESPIPE) /* fclose is broken for pipes in HP/UX */
+#endif
+            err = Z_ERRNO;
+    }
+    if (s->z_err < 0) err = s->z_err;
+
+    TRYFREE(s->inbuf);
+    TRYFREE(s->outbuf);
+    TRYFREE(s->path);
+    TRYFREE(s);
+    return err;
+}
+
+/* ===========================================================================
+     Reads the given number of uncompressed bytes from the compressed file.
+   gzread returns the number of bytes actually read (0 for end of file).
+*/
+int ZEXPORT gzread (file, buf, len)
+    gzFile file;
+    voidp buf;
+    unsigned len;
+{
+    gz_stream *s = (gz_stream*)file;
+    Bytef *start = (Bytef*)buf; /* starting point for crc computation */
+    Byte  *next_out; /* == stream.next_out but not forced far (for MSDOS) */
+
+    if (s == NULL || s->mode != 'r') return Z_STREAM_ERROR;
+
+    if (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO) return -1;
+    if (s->z_err == Z_STREAM_END) return 0;  /* EOF */
+
+    next_out = (Byte*)buf;
+    s->stream.next_out = (Bytef*)buf;
+    s->stream.avail_out = len;
+
+    if (s->stream.avail_out && s->back != EOF) {
+        *next_out++ = s->back;
+        s->stream.next_out++;
+        s->stream.avail_out--;
+        s->back = EOF;
+        s->out++;
+        start++;
+        if (s->last) {
+            s->z_err = Z_STREAM_END;
+            return 1;
+        }
+    }
+
+    while (s->stream.avail_out != 0) {
+
+        if (s->transparent) {
+            /* Copy first the lookahead bytes: */
+            uInt n = s->stream.avail_in;
+            if (n > s->stream.avail_out) n = s->stream.avail_out;
+            if (n > 0) {
+                zmemcpy(s->stream.next_out, s->stream.next_in, n);
+                next_out += n;
+                s->stream.next_out = next_out;
+                s->stream.next_in   += n;
+                s->stream.avail_out -= n;
+                s->stream.avail_in  -= n;
+            }
+            if (s->stream.avail_out > 0) {
+                s->stream.avail_out -=
+                    (uInt)fread(next_out, 1, s->stream.avail_out, s->file);
+            }
+            len -= s->stream.avail_out;
+            s->in  += len;
+            s->out += len;
+            if (len == 0) s->z_eof = 1;
+            return (int)len;
+        }
+        if (s->stream.avail_in == 0 && !s->z_eof) {
+
+            errno = 0;
+            s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
+            if (s->stream.avail_in == 0) {
+                s->z_eof = 1;
+                if (ferror(s->file)) {
+                    s->z_err = Z_ERRNO;
+                    break;
+                }
+            }
+            s->stream.next_in = s->inbuf;
+        }
+        s->in += s->stream.avail_in;
+        s->out += s->stream.avail_out;
+        s->z_err = inflate(&(s->stream), Z_NO_FLUSH);
+        s->in -= s->stream.avail_in;
+        s->out -= s->stream.avail_out;
+
+        if (s->z_err == Z_STREAM_END) {
+            /* Check CRC and original size */
+            s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
+            start = s->stream.next_out;
+
+            if (getLong(s) != s->crc) {
+                s->z_err = Z_DATA_ERROR;
+            } else {
+                (void)getLong(s);
+                /* The uncompressed length returned by above getlong() may be
+                 * different from s->out in case of concatenated .gz files.
+                 * Check for such files:
+                 */
+                check_header(s);
+                if (s->z_err == Z_OK) {
+                    inflateReset(&(s->stream));
+                    s->crc = crc32(0L, Z_NULL, 0);
+                }
+            }
+        }
+        if (s->z_err != Z_OK || s->z_eof) break;
+    }
+    s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
+
+    if (len == s->stream.avail_out &&
+        (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO))
+        return -1;
+    return (int)(len - s->stream.avail_out);
+}
+
+
+/* ===========================================================================
+      Reads one byte from the compressed file. gzgetc returns this byte
+   or -1 in case of end of file or error.
+*/
+int ZEXPORT gzgetc(file)
+    gzFile file;
+{
+    unsigned char c;
+
+    return gzread(file, &c, 1) == 1 ? c : -1;
+}
+
+
+/* ===========================================================================
+      Push one byte back onto the stream.
+*/
+int ZEXPORT gzungetc(c, file)
+    int c;
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'r' || c == EOF || s->back != EOF) return EOF;
+    s->back = c;
+    s->out--;
+    s->last = (s->z_err == Z_STREAM_END);
+    if (s->last) s->z_err = Z_OK;
+    s->z_eof = 0;
+    return c;
+}
+
+
+/* ===========================================================================
+      Reads bytes from the compressed file until len-1 characters are
+   read, or a newline character is read and transferred to buf, or an
+   end-of-file condition is encountered.  The string is then terminated
+   with a null character.
+      gzgets returns buf, or Z_NULL in case of error.
+
+      The current implementation is not optimized at all.
+*/
+char * ZEXPORT gzgets(file, buf, len)
+    gzFile file;
+    char *buf;
+    int len;
+{
+    char *b = buf;
+    if (buf == Z_NULL || len <= 0) return Z_NULL;
+
+    while (--len > 0 && gzread(file, buf, 1) == 1 && *buf++ != '\n') ;
+    *buf = '\0';
+    return b == buf && len > 0 ? Z_NULL : b;
+}
+
+
+#ifndef NO_GZCOMPRESS
+/* ===========================================================================
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of bytes actually written (0 in case of error).
+*/
+int ZEXPORT gzwrite (file, buf, len)
+    gzFile file;
+    voidpc buf;
+    unsigned len;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
+
+    s->stream.next_in = (Bytef*)buf;
+    s->stream.avail_in = len;
+
+    while (s->stream.avail_in != 0) {
+
+        if (s->stream.avail_out == 0) {
+
+            s->stream.next_out = s->outbuf;
+            if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
+                s->z_err = Z_ERRNO;
+                break;
+            }
+            s->stream.avail_out = Z_BUFSIZE;
+        }
+        s->in += s->stream.avail_in;
+        s->out += s->stream.avail_out;
+        s->z_err = deflate(&(s->stream), Z_NO_FLUSH);
+        s->in -= s->stream.avail_in;
+        s->out -= s->stream.avail_out;
+        if (s->z_err != Z_OK) break;
+    }
+    s->crc = crc32(s->crc, (const Bytef *)buf, len);
+
+    return (int)(len - s->stream.avail_in);
+}
+
+
+/* ===========================================================================
+     Converts, formats, and writes the args to the compressed file under
+   control of the format string, as in fprintf. gzprintf returns the number of
+   uncompressed bytes actually written (0 in case of error).
+*/
+#ifdef STDC
+#include <stdarg.h>
+
+int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...)
+{
+    char buf[Z_PRINTF_BUFSIZE];
+    va_list va;
+    int len;
+
+    buf[sizeof(buf) - 1] = 0;
+    va_start(va, format);
+#ifdef NO_vsnprintf
+#  ifdef HAS_vsprintf_void
+    (void)vsprintf(buf, format, va);
+    va_end(va);
+    for (len = 0; len < sizeof(buf); len++)
+        if (buf[len] == 0) break;
+#  else
+    len = vsprintf(buf, format, va);
+    va_end(va);
+#  endif
+#else
+#  ifdef HAS_vsnprintf_void
+    (void)vsnprintf(buf, sizeof(buf), format, va);
+    va_end(va);
+    len = strlen(buf);
+#  else
+    len = vsnprintf(buf, sizeof(buf), format, va);
+    va_end(va);
+#  endif
+#endif
+    if (len <= 0 || len >= (int)sizeof(buf) || buf[sizeof(buf) - 1] != 0)
+        return 0;
+    return gzwrite(file, buf, (unsigned)len);
+}
+#else /* not ANSI C */
+
+int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
+                       a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)
+    gzFile file;
+    const char *format;
+    int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
+        a11, a12, a13, a14, a15, a16, a17, a18, a19, a20;
+{
+    char buf[Z_PRINTF_BUFSIZE];
+    int len;
+
+    buf[sizeof(buf) - 1] = 0;
+#ifdef NO_snprintf
+#  ifdef HAS_sprintf_void
+    sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
+            a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    for (len = 0; len < sizeof(buf); len++)
+        if (buf[len] == 0) break;
+#  else
+    len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
+                a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+#  endif
+#else
+#  ifdef HAS_snprintf_void
+    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+             a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    len = strlen(buf);
+#  else
+    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+                 a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+#  endif
+#endif
+    if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0)
+        return 0;
+    return gzwrite(file, buf, len);
+}
+#endif
+
+/* ===========================================================================
+      Writes c, converted to an unsigned char, into the compressed file.
+   gzputc returns the value that was written, or -1 in case of error.
+*/
+int ZEXPORT gzputc(file, c)
+    gzFile file;
+    int c;
+{
+    unsigned char cc = (unsigned char) c; /* required for big endian systems */
+
+    return gzwrite(file, &cc, 1) == 1 ? (int)cc : -1;
+}
+
+
+/* ===========================================================================
+      Writes the given null-terminated string to the compressed file, excluding
+   the terminating null character.
+      gzputs returns the number of characters written, or -1 in case of error.
+*/
+int ZEXPORT gzputs(file, s)
+    gzFile file;
+    const char *s;
+{
+    return gzwrite(file, (char*)s, (unsigned)strlen(s));
+}
+
+
+/* ===========================================================================
+     Flushes all pending output into the compressed file. The parameter
+   flush is as in the deflate() function.
+*/
+local int do_flush (file, flush)
+    gzFile file;
+    int flush;
+{
+    uInt len;
+    int done = 0;
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
+
+    s->stream.avail_in = 0; /* should be zero already anyway */
+
+    for (;;) {
+        len = Z_BUFSIZE - s->stream.avail_out;
+
+        if (len != 0) {
+            if ((uInt)fwrite(s->outbuf, 1, len, s->file) != len) {
+                s->z_err = Z_ERRNO;
+                return Z_ERRNO;
+            }
+            s->stream.next_out = s->outbuf;
+            s->stream.avail_out = Z_BUFSIZE;
+        }
+        if (done) break;
+        s->out += s->stream.avail_out;
+        s->z_err = deflate(&(s->stream), flush);
+        s->out -= s->stream.avail_out;
+
+        /* Ignore the second of two consecutive flushes: */
+        if (len == 0 && s->z_err == Z_BUF_ERROR) s->z_err = Z_OK;
+
+        /* deflate has finished flushing only when it hasn't used up
+         * all the available space in the output buffer:
+         */
+        done = (s->stream.avail_out != 0 || s->z_err == Z_STREAM_END);
+
+        if (s->z_err != Z_OK && s->z_err != Z_STREAM_END) break;
+    }
+    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
+}
+
+int ZEXPORT gzflush (file, flush)
+     gzFile file;
+     int flush;
+{
+    gz_stream *s = (gz_stream*)file;
+    int err = do_flush (file, flush);
+
+    if (err) return err;
+    fflush(s->file);
+    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
+}
+#endif /* NO_GZCOMPRESS */
+
+/* ===========================================================================
+      Sets the starting position for the next gzread or gzwrite on the given
+   compressed file. The offset represents a number of bytes in the
+      gzseek returns the resulting offset location as measured in bytes from
+   the beginning of the uncompressed stream, or -1 in case of error.
+      SEEK_END is not implemented, returns error.
+      In this version of the library, gzseek can be extremely slow.
+*/
+z_off_t ZEXPORT gzseek (file, offset, whence)
+    gzFile file;
+    z_off_t offset;
+    int whence;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || whence == SEEK_END ||
+        s->z_err == Z_ERRNO || s->z_err == Z_DATA_ERROR) {
+        return -1L;
+    }
+
+    if (s->mode == 'w') {
+#ifdef NO_GZCOMPRESS
+        return -1L;
+#else
+        if (whence == SEEK_SET) {
+            offset -= s->in;
+        }
+        if (offset < 0) return -1L;
+
+        /* At this point, offset is the number of zero bytes to write. */
+        if (s->inbuf == Z_NULL) {
+            s->inbuf = (Byte*)ALLOC(Z_BUFSIZE); /* for seeking */
+            if (s->inbuf == Z_NULL) return -1L;
+            zmemzero(s->inbuf, Z_BUFSIZE);
+        }
+        while (offset > 0)  {
+            uInt size = Z_BUFSIZE;
+            if (offset < Z_BUFSIZE) size = (uInt)offset;
+
+            size = gzwrite(file, s->inbuf, size);
+            if (size == 0) return -1L;
+
+            offset -= size;
+        }
+        return s->in;
+#endif
+    }
+    /* Rest of function is for reading only */
+
+    /* compute absolute position */
+    if (whence == SEEK_CUR) {
+        offset += s->out;
+    }
+    if (offset < 0) return -1L;
+
+    if (s->transparent) {
+        /* map to fseek */
+        s->back = EOF;
+        s->stream.avail_in = 0;
+        s->stream.next_in = s->inbuf;
+        if (fseek(s->file, offset, SEEK_SET) < 0) return -1L;
+
+        s->in = s->out = offset;
+        return offset;
+    }
+
+    /* For a negative seek, rewind and use positive seek */
+    if (offset >= s->out) {
+        offset -= s->out;
+    } else if (gzrewind(file) < 0) {
+        return -1L;
+    }
+    /* offset is now the number of bytes to skip. */
+
+    if (offset != 0 && s->outbuf == Z_NULL) {
+        s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
+        if (s->outbuf == Z_NULL) return -1L;
+    }
+    if (offset && s->back != EOF) {
+        s->back = EOF;
+        s->out++;
+        offset--;
+        if (s->last) s->z_err = Z_STREAM_END;
+    }
+    while (offset > 0)  {
+        int size = Z_BUFSIZE;
+        if (offset < Z_BUFSIZE) size = (int)offset;
+
+        size = gzread(file, s->outbuf, (uInt)size);
+        if (size <= 0) return -1L;
+        offset -= size;
+    }
+    return s->out;
+}
+
+/* ===========================================================================
+     Rewinds input file.
+*/
+int ZEXPORT gzrewind (file)
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'r') return -1;
+
+    s->z_err = Z_OK;
+    s->z_eof = 0;
+    s->back = EOF;
+    s->stream.avail_in = 0;
+    s->stream.next_in = s->inbuf;
+    s->crc = crc32(0L, Z_NULL, 0);
+    if (!s->transparent) (void)inflateReset(&s->stream);
+    s->in = 0;
+    s->out = 0;
+    return fseek(s->file, s->start, SEEK_SET);
+}
+
+/* ===========================================================================
+     Returns the starting position for the next gzread or gzwrite on the
+   given compressed file. This position represents a number of bytes in the
+   uncompressed data stream.
+*/
+z_off_t ZEXPORT gztell (file)
+    gzFile file;
+{
+    return gzseek(file, 0L, SEEK_CUR);
+}
+
+/* ===========================================================================
+     Returns 1 when EOF has previously been detected reading the given
+   input stream, otherwise zero.
+*/
+int ZEXPORT gzeof (file)
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    /* With concatenated compressed files that can have embedded
+     * crc trailers, z_eof is no longer the only/best indicator of EOF
+     * on a gz_stream. Handle end-of-stream error explicitly here.
+     */
+    if (s == NULL || s->mode != 'r') return 0;
+    if (s->z_eof) return 1;
+    return s->z_err == Z_STREAM_END;
+}
+
+/* ===========================================================================
+     Returns 1 if reading and doing so transparently, otherwise zero.
+*/
+int ZEXPORT gzdirect (file)
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL || s->mode != 'r') return 0;
+    return s->transparent;
+}
+
+/* ===========================================================================
+   Outputs a long in LSB order to the given file
+*/
+local void putLong (file, x)
+    FILE *file;
+    uLong x;
+{
+    int n;
+    for (n = 0; n < 4; n++) {
+        fputc((int)(x & 0xff), file);
+        x >>= 8;
+    }
+}
+
+/* ===========================================================================
+   Reads a long in LSB order from the given gz_stream. Sets z_err in case
+   of error.
+*/
+local uLong getLong (s)
+    gz_stream *s;
+{
+    uLong x = (uLong)get_byte(s);
+    int c;
+
+    x += ((uLong)get_byte(s))<<8;
+    x += ((uLong)get_byte(s))<<16;
+    c = get_byte(s);
+    if (c == EOF) s->z_err = Z_DATA_ERROR;
+    x += ((uLong)c)<<24;
+    return x;
+}
+
+/* ===========================================================================
+     Flushes all pending output if necessary, closes the compressed file
+   and deallocates all the (de)compression state.
+*/
+int ZEXPORT gzclose (file)
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL) return Z_STREAM_ERROR;
+
+    if (s->mode == 'w') {
+#ifdef NO_GZCOMPRESS
+        return Z_STREAM_ERROR;
+#else
+        if (do_flush (file, Z_FINISH) != Z_OK)
+            return destroy((gz_stream*)file);
+
+        putLong (s->file, s->crc);
+        putLong (s->file, (uLong)(s->in & 0xffffffff));
+#endif
+    }
+    return destroy((gz_stream*)file);
+}
+
+#ifdef STDC
+#  define zstrerror(errnum) strerror(errnum)
+#else
+#  define zstrerror(errnum) ""
+#endif
+
+/* ===========================================================================
+     Returns the error message for the last error which occurred on the
+   given compressed file. errnum is set to zlib error number. If an
+   error occurred in the file system and not in the compression library,
+   errnum is set to Z_ERRNO and the application may consult errno
+   to get the exact error code.
+*/
+const char * ZEXPORT gzerror (file, errnum)
+    gzFile file;
+    int *errnum;
+{
+    char *m;
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL) {
+        *errnum = Z_STREAM_ERROR;
+        return (const char*)ERR_MSG(Z_STREAM_ERROR);
+    }
+    *errnum = s->z_err;
+    if (*errnum == Z_OK) return (const char*)"";
+
+    m = (char*)(*errnum == Z_ERRNO ? zstrerror(errno) : s->stream.msg);
+
+    if (m == NULL || *m == '\0') m = (char*)ERR_MSG(s->z_err);
+
+    TRYFREE(s->msg);
+    s->msg = (char*)ALLOC(strlen(s->path) + strlen(m) + 3);
+    if (s->msg == Z_NULL) return (const char*)ERR_MSG(Z_MEM_ERROR);
+    strcpy(s->msg, s->path);
+    strcat(s->msg, ": ");
+    strcat(s->msg, m);
+    return (const char*)s->msg;
+}
+
+/* ===========================================================================
+     Clear the error and end-of-file flags, and do the same for the real file.
+*/
+void ZEXPORT gzclearerr (file)
+    gzFile file;
+{
+    gz_stream *s = (gz_stream*)file;
+
+    if (s == NULL) return;
+    if (s->z_err != Z_STREAM_END) s->z_err = Z_OK;
+    s->z_eof = 0;
+    clearerr(s->file);
+}
diff --git a/security/nss/cmd/zlib/infback.c b/security/nss/cmd/zlib/infback.c
new file mode 100644
index 000000000..455dbc9ee
--- /dev/null
+++ b/security/nss/cmd/zlib/infback.c
@@ -0,0 +1,623 @@
+/* infback.c -- inflate using a call-back interface
+ * Copyright (C) 1995-2005 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/*
+   This code is largely copied from inflate.c.  Normally either infback.o or
+   inflate.o would be linked into an application--not both.  The interface
+   with inffast.c is retained so that optimized assembler-coded versions of
+   inflate_fast() can be used with either inflate.c or infback.c.
+ */
+
+#include "zutil.h"
+#include "inftrees.h"
+#include "inflate.h"
+#include "inffast.h"
+
+/* function prototypes */
+local void fixedtables OF((struct inflate_state FAR *state));
+
+/*
+   strm provides memory allocation functions in zalloc and zfree, or
+   Z_NULL to use the library memory allocation functions.
+
+   windowBits is in the range 8..15, and window is a user-supplied
+   window and output buffer that is 2**windowBits bytes.
+ */
+int ZEXPORT inflateBackInit_(strm, windowBits, window, version, stream_size)
+z_streamp strm;
+int windowBits;
+unsigned char FAR *window;
+const char *version;
+int stream_size;
+{
+    struct inflate_state FAR *state;
+
+    if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
+        stream_size != (int)(sizeof(z_stream)))
+        return Z_VERSION_ERROR;
+    if (strm == Z_NULL || window == Z_NULL ||
+        windowBits < 8 || windowBits > 15)
+        return Z_STREAM_ERROR;
+    strm->msg = Z_NULL;                 /* in case we return an error */
+    if (strm->zalloc == (alloc_func)0) {
+        strm->zalloc = zcalloc;
+        strm->opaque = (voidpf)0;
+    }
+    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
+    state = (struct inflate_state FAR *)ZALLOC(strm, 1,
+                                               sizeof(struct inflate_state));
+    if (state == Z_NULL) return Z_MEM_ERROR;
+    Tracev((stderr, "inflate: allocated\n"));
+    strm->state = (struct internal_state FAR *)state;
+    state->dmax = 32768U;
+    state->wbits = windowBits;
+    state->wsize = 1U << windowBits;
+    state->window = window;
+    state->write = 0;
+    state->whave = 0;
+    return Z_OK;
+}
+
+/*
+   Return state with length and distance decoding tables and index sizes set to
+   fixed code decoding.  Normally this returns fixed tables from inffixed.h.
+   If BUILDFIXED is defined, then instead this routine builds the tables the
+   first time it's called, and returns those tables the first time and
+   thereafter.  This reduces the size of the code by about 2K bytes, in
+   exchange for a little execution time.  However, BUILDFIXED should not be
+   used for threaded applications, since the rewriting of the tables and virgin
+   may not be thread-safe.
+ */
+local void fixedtables(state)
+struct inflate_state FAR *state;
+{
+#ifdef BUILDFIXED
+    static int virgin = 1;
+    static code *lenfix, *distfix;
+    static code fixed[544];
+
+    /* build fixed huffman tables if first call (may not be thread safe) */
+    if (virgin) {
+        unsigned sym, bits;
+        static code *next;
+
+        /* literal/length table */
+        sym = 0;
+        while (sym < 144) state->lens[sym++] = 8;
+        while (sym < 256) state->lens[sym++] = 9;
+        while (sym < 280) state->lens[sym++] = 7;
+        while (sym < 288) state->lens[sym++] = 8;
+        next = fixed;
+        lenfix = next;
+        bits = 9;
+        inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);
+
+        /* distance table */
+        sym = 0;
+        while (sym < 32) state->lens[sym++] = 5;
+        distfix = next;
+        bits = 5;
+        inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);
+
+        /* do this just once */
+        virgin = 0;
+    }
+#else /* !BUILDFIXED */
+#   include "inffixed.h"
+#endif /* BUILDFIXED */
+    state->lencode = lenfix;
+    state->lenbits = 9;
+    state->distcode = distfix;
+    state->distbits = 5;
+}
+
+/* Macros for inflateBack(): */
+
+/* Load returned state from inflate_fast() */
+#define LOAD() \
+    do { \
+        put = strm->next_out; \
+        left = strm->avail_out; \
+        next = strm->next_in; \
+        have = strm->avail_in; \
+        hold = state->hold; \
+        bits = state->bits; \
+    } while (0)
+
+/* Set state from registers for inflate_fast() */
+#define RESTORE() \
+    do { \
+        strm->next_out = put; \
+        strm->avail_out = left; \
+        strm->next_in = next; \
+        strm->avail_in = have; \
+        state->hold = hold; \
+        state->bits = bits; \
+    } while (0)
+
+/* Clear the input bit accumulator */
+#define INITBITS() \
+    do { \
+        hold = 0; \
+        bits = 0; \
+    } while (0)
+
+/* Assure that some input is available.  If input is requested, but denied,
+   then return a Z_BUF_ERROR from inflateBack(). */
+#define PULL() \
+    do { \
+        if (have == 0) { \
+            have = in(in_desc, &next); \
+            if (have == 0) { \
+                next = Z_NULL; \
+                ret = Z_BUF_ERROR; \
+                goto inf_leave; \
+            } \
+        } \
+    } while (0)
+
+/* Get a byte of input into the bit accumulator, or return from inflateBack()
+   with an error if there is no input available. */
+#define PULLBYTE() \
+    do { \
+        PULL(); \
+        have--; \
+        hold += (unsigned long)(*next++) << bits; \
+        bits += 8; \
+    } while (0)
+
+/* Assure that there are at least n bits in the bit accumulator.  If there is
+   not enough available input to do that, then return from inflateBack() with
+   an error. */
+#define NEEDBITS(n) \
+    do { \
+        while (bits < (unsigned)(n)) \
+            PULLBYTE(); \
+    } while (0)
+
+/* Return the low n bits of the bit accumulator (n < 16) */
+#define BITS(n) \
+    ((unsigned)hold & ((1U << (n)) - 1))
+
+/* Remove n bits from the bit accumulator */
+#define DROPBITS(n) \
+    do { \
+        hold >>= (n); \
+        bits -= (unsigned)(n); \
+    } while (0)
+
+/* Remove zero to seven bits as needed to go to a byte boundary */
+#define BYTEBITS() \
+    do { \
+        hold >>= bits & 7; \
+        bits -= bits & 7; \
+    } while (0)
+
+/* Assure that some output space is available, by writing out the window
+   if it's full.  If the write fails, return from inflateBack() with a
+   Z_BUF_ERROR. */
+#define ROOM() \
+    do { \
+        if (left == 0) { \
+            put = state->window; \
+            left = state->wsize; \
+            state->whave = left; \
+            if (out(out_desc, put, left)) { \
+                ret = Z_BUF_ERROR; \
+                goto inf_leave; \
+            } \
+        } \
+    } while (0)
+
+/*
+   strm provides the memory allocation functions and window buffer on input,
+   and provides information on the unused input on return.  For Z_DATA_ERROR
+   returns, strm will also provide an error message.
+
+   in() and out() are the call-back input and output functions.  When
+   inflateBack() needs more input, it calls in().  When inflateBack() has
+   filled the window with output, or when it completes with data in the
+   window, it calls out() to write out the data.  The application must not
+   change the provided input until in() is called again or inflateBack()
+   returns.  The application must not change the window/output buffer until
+   inflateBack() returns.
+
+   in() and out() are called with a descriptor parameter provided in the
+   inflateBack() call.  This parameter can be a structure that provides the
+   information required to do the read or write, as well as accumulated
+   information on the input and output such as totals and check values.
+
+   in() should return zero on failure.  out() should return non-zero on
+   failure.  If either in() or out() fails, than inflateBack() returns a
+   Z_BUF_ERROR.  strm->next_in can be checked for Z_NULL to see whether it
+   was in() or out() that caused in the error.  Otherwise,  inflateBack()
+   returns Z_STREAM_END on success, Z_DATA_ERROR for an deflate format
+   error, or Z_MEM_ERROR if it could not allocate memory for the state.
+   inflateBack() can also return Z_STREAM_ERROR if the input parameters
+   are not correct, i.e. strm is Z_NULL or the state was not initialized.
+ */
+int ZEXPORT inflateBack(strm, in, in_desc, out, out_desc)
+z_streamp strm;
+in_func in;
+void FAR *in_desc;
+out_func out;
+void FAR *out_desc;
+{
+    struct inflate_state FAR *state;
+    unsigned char FAR *next;    /* next input */
+    unsigned char FAR *put;     /* next output */
+    unsigned have, left;        /* available input and output */
+    unsigned long hold;         /* bit buffer */
+    unsigned bits;              /* bits in bit buffer */
+    unsigned copy;              /* number of stored or match bytes to copy */
+    unsigned char FAR *from;    /* where to copy match bytes from */
+    code this;                  /* current decoding table entry */
+    code last;                  /* parent table entry */
+    unsigned len;               /* length to copy for repeats, bits to drop */
+    int ret;                    /* return code */
+    static const unsigned short order[19] = /* permutation of code lengths */
+        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
+
+    /* Check that the strm exists and that the state was initialized */
+    if (strm == Z_NULL || strm->state == Z_NULL)
+        return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+
+    /* Reset the state */
+    strm->msg = Z_NULL;
+    state->mode = TYPE;
+    state->last = 0;
+    state->whave = 0;
+    next = strm->next_in;
+    have = next != Z_NULL ? strm->avail_in : 0;
+    hold = 0;
+    bits = 0;
+    put = state->window;
+    left = state->wsize;
+
+    /* Inflate until end of block marked as last */
+    for (;;)
+        switch (state->mode) {
+        case TYPE:
+            /* determine and dispatch block type */
+            if (state->last) {
+                BYTEBITS();
+                state->mode = DONE;
+                break;
+            }
+            NEEDBITS(3);
+            state->last = BITS(1);
+            DROPBITS(1);
+            switch (BITS(2)) {
+            case 0:                             /* stored block */
+                Tracev((stderr, "inflate:     stored block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = STORED;
+                break;
+            case 1:                             /* fixed block */
+                fixedtables(state);
+                Tracev((stderr, "inflate:     fixed codes block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = LEN;              /* decode codes */
+                break;
+            case 2:                             /* dynamic block */
+                Tracev((stderr, "inflate:     dynamic codes block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = TABLE;
+                break;
+            case 3:
+                strm->msg = (char *)"invalid block type";
+                state->mode = BAD;
+            }
+            DROPBITS(2);
+            break;
+
+        case STORED:
+            /* get and verify stored block length */
+            BYTEBITS();                         /* go to byte boundary */
+            NEEDBITS(32);
+            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
+                strm->msg = (char *)"invalid stored block lengths";
+                state->mode = BAD;
+                break;
+            }
+            state->length = (unsigned)hold & 0xffff;
+            Tracev((stderr, "inflate:       stored length %u\n",
+                    state->length));
+            INITBITS();
+
+            /* copy stored block from input to output */
+            while (state->length != 0) {
+                copy = state->length;
+                PULL();
+                ROOM();
+                if (copy > have) copy = have;
+                if (copy > left) copy = left;
+                zmemcpy(put, next, copy);
+                have -= copy;
+                next += copy;
+                left -= copy;
+                put += copy;
+                state->length -= copy;
+            }
+            Tracev((stderr, "inflate:       stored end\n"));
+            state->mode = TYPE;
+            break;
+
+        case TABLE:
+            /* get dynamic table entries descriptor */
+            NEEDBITS(14);
+            state->nlen = BITS(5) + 257;
+            DROPBITS(5);
+            state->ndist = BITS(5) + 1;
+            DROPBITS(5);
+            state->ncode = BITS(4) + 4;
+            DROPBITS(4);
+#ifndef PKZIP_BUG_WORKAROUND
+            if (state->nlen > 286 || state->ndist > 30) {
+                strm->msg = (char *)"too many length or distance symbols";
+                state->mode = BAD;
+                break;
+            }
+#endif
+            Tracev((stderr, "inflate:       table sizes ok\n"));
+
+            /* get code length code lengths (not a typo) */
+            state->have = 0;
+            while (state->have < state->ncode) {
+                NEEDBITS(3);
+                state->lens[order[state->have++]] = (unsigned short)BITS(3);
+                DROPBITS(3);
+            }
+            while (state->have < 19)
+                state->lens[order[state->have++]] = 0;
+            state->next = state->codes;
+            state->lencode = (code const FAR *)(state->next);
+            state->lenbits = 7;
+            ret = inflate_table(CODES, state->lens, 19, &(state->next),
+                                &(state->lenbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid code lengths set";
+                state->mode = BAD;
+                break;
+            }
+            Tracev((stderr, "inflate:       code lengths ok\n"));
+
+            /* get length and distance code code lengths */
+            state->have = 0;
+            while (state->have < state->nlen + state->ndist) {
+                for (;;) {
+                    this = state->lencode[BITS(state->lenbits)];
+                    if ((unsigned)(this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                if (this.val < 16) {
+                    NEEDBITS(this.bits);
+                    DROPBITS(this.bits);
+                    state->lens[state->have++] = this.val;
+                }
+                else {
+                    if (this.val == 16) {
+                        NEEDBITS(this.bits + 2);
+                        DROPBITS(this.bits);
+                        if (state->have == 0) {
+                            strm->msg = (char *)"invalid bit length repeat";
+                            state->mode = BAD;
+                            break;
+                        }
+                        len = (unsigned)(state->lens[state->have - 1]);
+                        copy = 3 + BITS(2);
+                        DROPBITS(2);
+                    }
+                    else if (this.val == 17) {
+                        NEEDBITS(this.bits + 3);
+                        DROPBITS(this.bits);
+                        len = 0;
+                        copy = 3 + BITS(3);
+                        DROPBITS(3);
+                    }
+                    else {
+                        NEEDBITS(this.bits + 7);
+                        DROPBITS(this.bits);
+                        len = 0;
+                        copy = 11 + BITS(7);
+                        DROPBITS(7);
+                    }
+                    if (state->have + copy > state->nlen + state->ndist) {
+                        strm->msg = (char *)"invalid bit length repeat";
+                        state->mode = BAD;
+                        break;
+                    }
+                    while (copy--)
+                        state->lens[state->have++] = (unsigned short)len;
+                }
+            }
+
+            /* handle error breaks in while */
+            if (state->mode == BAD) break;
+
+            /* build code tables */
+            state->next = state->codes;
+            state->lencode = (code const FAR *)(state->next);
+            state->lenbits = 9;
+            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
+                                &(state->lenbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid literal/lengths set";
+                state->mode = BAD;
+                break;
+            }
+            state->distcode = (code const FAR *)(state->next);
+            state->distbits = 6;
+            ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,
+                            &(state->next), &(state->distbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid distances set";
+                state->mode = BAD;
+                break;
+            }
+            Tracev((stderr, "inflate:       codes ok\n"));
+            state->mode = LEN;
+
+        case LEN:
+            /* use inflate_fast() if we have enough input and output */
+            if (have >= 6 && left >= 258) {
+                RESTORE();
+                if (state->whave < state->wsize)
+                    state->whave = state->wsize - left;
+                inflate_fast(strm, state->wsize);
+                LOAD();
+                break;
+            }
+
+            /* get a literal, length, or end-of-block code */
+            for (;;) {
+                this = state->lencode[BITS(state->lenbits)];
+                if ((unsigned)(this.bits) <= bits) break;
+                PULLBYTE();
+            }
+            if (this.op && (this.op & 0xf0) == 0) {
+                last = this;
+                for (;;) {
+                    this = state->lencode[last.val +
+                            (BITS(last.bits + last.op) >> last.bits)];
+                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                DROPBITS(last.bits);
+            }
+            DROPBITS(this.bits);
+            state->length = (unsigned)this.val;
+
+            /* process literal */
+            if (this.op == 0) {
+                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+                        "inflate:         literal '%c'\n" :
+                        "inflate:         literal 0x%02x\n", this.val));
+                ROOM();
+                *put++ = (unsigned char)(state->length);
+                left--;
+                state->mode = LEN;
+                break;
+            }
+
+            /* process end of block */
+            if (this.op & 32) {
+                Tracevv((stderr, "inflate:         end of block\n"));
+                state->mode = TYPE;
+                break;
+            }
+
+            /* invalid code */
+            if (this.op & 64) {
+                strm->msg = (char *)"invalid literal/length code";
+                state->mode = BAD;
+                break;
+            }
+
+            /* length code -- get extra bits, if any */
+            state->extra = (unsigned)(this.op) & 15;
+            if (state->extra != 0) {
+                NEEDBITS(state->extra);
+                state->length += BITS(state->extra);
+                DROPBITS(state->extra);
+            }
+            Tracevv((stderr, "inflate:         length %u\n", state->length));
+
+            /* get distance code */
+            for (;;) {
+                this = state->distcode[BITS(state->distbits)];
+                if ((unsigned)(this.bits) <= bits) break;
+                PULLBYTE();
+            }
+            if ((this.op & 0xf0) == 0) {
+                last = this;
+                for (;;) {
+                    this = state->distcode[last.val +
+                            (BITS(last.bits + last.op) >> last.bits)];
+                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                DROPBITS(last.bits);
+            }
+            DROPBITS(this.bits);
+            if (this.op & 64) {
+                strm->msg = (char *)"invalid distance code";
+                state->mode = BAD;
+                break;
+            }
+            state->offset = (unsigned)this.val;
+
+            /* get distance extra bits, if any */
+            state->extra = (unsigned)(this.op) & 15;
+            if (state->extra != 0) {
+                NEEDBITS(state->extra);
+                state->offset += BITS(state->extra);
+                DROPBITS(state->extra);
+            }
+            if (state->offset > state->wsize - (state->whave < state->wsize ?
+                                                left : 0)) {
+                strm->msg = (char *)"invalid distance too far back";
+                state->mode = BAD;
+                break;
+            }
+            Tracevv((stderr, "inflate:         distance %u\n", state->offset));
+
+            /* copy match from window to output */
+            do {
+                ROOM();
+                copy = state->wsize - state->offset;
+                if (copy < left) {
+                    from = put + copy;
+                    copy = left - copy;
+                }
+                else {
+                    from = put - state->offset;
+                    copy = left;
+                }
+                if (copy > state->length) copy = state->length;
+                state->length -= copy;
+                left -= copy;
+                do {
+                    *put++ = *from++;
+                } while (--copy);
+            } while (state->length != 0);
+            break;
+
+        case DONE:
+            /* inflate stream terminated properly -- write leftover output */
+            ret = Z_STREAM_END;
+            if (left < state->wsize) {
+                if (out(out_desc, state->window, state->wsize - left))
+                    ret = Z_BUF_ERROR;
+            }
+            goto inf_leave;
+
+        case BAD:
+            ret = Z_DATA_ERROR;
+            goto inf_leave;
+
+        default:                /* can't happen, but makes compilers happy */
+            ret = Z_STREAM_ERROR;
+            goto inf_leave;
+        }
+
+    /* Return unused input */
+  inf_leave:
+    strm->next_in = next;
+    strm->avail_in = have;
+    return ret;
+}
+
+int ZEXPORT inflateBackEnd(strm)
+z_streamp strm;
+{
+    if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)
+        return Z_STREAM_ERROR;
+    ZFREE(strm, strm->state);
+    strm->state = Z_NULL;
+    Tracev((stderr, "inflate: end\n"));
+    return Z_OK;
+}
diff --git a/security/nss/cmd/zlib/inffast.c b/security/nss/cmd/zlib/inffast.c
new file mode 100644
index 000000000..bbee92ed1
--- /dev/null
+++ b/security/nss/cmd/zlib/inffast.c
@@ -0,0 +1,318 @@
+/* inffast.c -- fast decoding
+ * Copyright (C) 1995-2004 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "zutil.h"
+#include "inftrees.h"
+#include "inflate.h"
+#include "inffast.h"
+
+#ifndef ASMINF
+
+/* Allow machine dependent optimization for post-increment or pre-increment.
+   Based on testing to date,
+   Pre-increment preferred for:
+   - PowerPC G3 (Adler)
+   - MIPS R5000 (Randers-Pehrson)
+   Post-increment preferred for:
+   - none
+   No measurable difference:
+   - Pentium III (Anderson)
+   - M68060 (Nikl)
+ */
+#ifdef POSTINC
+#  define OFF 0
+#  define PUP(a) *(a)++
+#else
+#  define OFF 1
+#  define PUP(a) *++(a)
+#endif
+
+/*
+   Decode literal, length, and distance codes and write out the resulting
+   literal and match bytes until either not enough input or output is
+   available, an end-of-block is encountered, or a data error is encountered.
+   When large enough input and output buffers are supplied to inflate(), for
+   example, a 16K input buffer and a 64K output buffer, more than 95% of the
+   inflate execution time is spent in this routine.
+
+   Entry assumptions:
+
+        state->mode == LEN
+        strm->avail_in >= 6
+        strm->avail_out >= 258
+        start >= strm->avail_out
+        state->bits < 8
+
+   On return, state->mode is one of:
+
+        LEN -- ran out of enough output space or enough available input
+        TYPE -- reached end of block code, inflate() to interpret next block
+        BAD -- error in block data
+
+   Notes:
+
+    - The maximum input bits used by a length/distance pair is 15 bits for the
+      length code, 5 bits for the length extra, 15 bits for the distance code,
+      and 13 bits for the distance extra.  This totals 48 bits, or six bytes.
+      Therefore if strm->avail_in >= 6, then there is enough input to avoid
+      checking for available input while decoding.
+
+    - The maximum bytes that a single length/distance pair can output is 258
+      bytes, which is the maximum length that can be coded.  inflate_fast()
+      requires strm->avail_out >= 258 for each loop to avoid checking for
+      output space.
+ */
+void inflate_fast(strm, start)
+z_streamp strm;
+unsigned start;         /* inflate()'s starting value for strm->avail_out */
+{
+    struct inflate_state FAR *state;
+    unsigned char FAR *in;      /* local strm->next_in */
+    unsigned char FAR *last;    /* while in < last, enough input available */
+    unsigned char FAR *out;     /* local strm->next_out */
+    unsigned char FAR *beg;     /* inflate()'s initial strm->next_out */
+    unsigned char FAR *end;     /* while out < end, enough space available */
+#ifdef INFLATE_STRICT
+    unsigned dmax;              /* maximum distance from zlib header */
+#endif
+    unsigned wsize;             /* window size or zero if not using window */
+    unsigned whave;             /* valid bytes in the window */
+    unsigned write;             /* window write index */
+    unsigned char FAR *window;  /* allocated sliding window, if wsize != 0 */
+    unsigned long hold;         /* local strm->hold */
+    unsigned bits;              /* local strm->bits */
+    code const FAR *lcode;      /* local strm->lencode */
+    code const FAR *dcode;      /* local strm->distcode */
+    unsigned lmask;             /* mask for first level of length codes */
+    unsigned dmask;             /* mask for first level of distance codes */
+    code this;                  /* retrieved table entry */
+    unsigned op;                /* code bits, operation, extra bits, or */
+                                /*  window position, window bytes to copy */
+    unsigned len;               /* match length, unused bytes */
+    unsigned dist;              /* match distance */
+    unsigned char FAR *from;    /* where to copy match from */
+
+    /* copy state to local variables */
+    state = (struct inflate_state FAR *)strm->state;
+    in = strm->next_in - OFF;
+    last = in + (strm->avail_in - 5);
+    out = strm->next_out - OFF;
+    beg = out - (start - strm->avail_out);
+    end = out + (strm->avail_out - 257);
+#ifdef INFLATE_STRICT
+    dmax = state->dmax;
+#endif
+    wsize = state->wsize;
+    whave = state->whave;
+    write = state->write;
+    window = state->window;
+    hold = state->hold;
+    bits = state->bits;
+    lcode = state->lencode;
+    dcode = state->distcode;
+    lmask = (1U << state->lenbits) - 1;
+    dmask = (1U << state->distbits) - 1;
+
+    /* decode literals and length/distances until end-of-block or not enough
+       input data or output space */
+    do {
+        if (bits < 15) {
+            hold += (unsigned long)(PUP(in)) << bits;
+            bits += 8;
+            hold += (unsigned long)(PUP(in)) << bits;
+            bits += 8;
+        }
+        this = lcode[hold & lmask];
+      dolen:
+        op = (unsigned)(this.bits);
+        hold >>= op;
+        bits -= op;
+        op = (unsigned)(this.op);
+        if (op == 0) {                          /* literal */
+            Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+                    "inflate:         literal '%c'\n" :
+                    "inflate:         literal 0x%02x\n", this.val));
+            PUP(out) = (unsigned char)(this.val);
+        }
+        else if (op & 16) {                     /* length base */
+            len = (unsigned)(this.val);
+            op &= 15;                           /* number of extra bits */
+            if (op) {
+                if (bits < op) {
+                    hold += (unsigned long)(PUP(in)) << bits;
+                    bits += 8;
+                }
+                len += (unsigned)hold & ((1U << op) - 1);
+                hold >>= op;
+                bits -= op;
+            }
+            Tracevv((stderr, "inflate:         length %u\n", len));
+            if (bits < 15) {
+                hold += (unsigned long)(PUP(in)) << bits;
+                bits += 8;
+                hold += (unsigned long)(PUP(in)) << bits;
+                bits += 8;
+            }
+            this = dcode[hold & dmask];
+          dodist:
+            op = (unsigned)(this.bits);
+            hold >>= op;
+            bits -= op;
+            op = (unsigned)(this.op);
+            if (op & 16) {                      /* distance base */
+                dist = (unsigned)(this.val);
+                op &= 15;                       /* number of extra bits */
+                if (bits < op) {
+                    hold += (unsigned long)(PUP(in)) << bits;
+                    bits += 8;
+                    if (bits < op) {
+                        hold += (unsigned long)(PUP(in)) << bits;
+                        bits += 8;
+                    }
+                }
+                dist += (unsigned)hold & ((1U << op) - 1);
+#ifdef INFLATE_STRICT
+                if (dist > dmax) {
+                    strm->msg = (char *)"invalid distance too far back";
+                    state->mode = BAD;
+                    break;
+                }
+#endif
+                hold >>= op;
+                bits -= op;
+                Tracevv((stderr, "inflate:         distance %u\n", dist));
+                op = (unsigned)(out - beg);     /* max distance in output */
+                if (dist > op) {                /* see if copy from window */
+                    op = dist - op;             /* distance back in window */
+                    if (op > whave) {
+                        strm->msg = (char *)"invalid distance too far back";
+                        state->mode = BAD;
+                        break;
+                    }
+                    from = window - OFF;
+                    if (write == 0) {           /* very common case */
+                        from += wsize - op;
+                        if (op < len) {         /* some from window */
+                            len -= op;
+                            do {
+                                PUP(out) = PUP(from);
+                            } while (--op);
+                            from = out - dist;  /* rest from output */
+                        }
+                    }
+                    else if (write < op) {      /* wrap around window */
+                        from += wsize + write - op;
+                        op -= write;
+                        if (op < len) {         /* some from end of window */
+                            len -= op;
+                            do {
+                                PUP(out) = PUP(from);
+                            } while (--op);
+                            from = window - OFF;
+                            if (write < len) {  /* some from start of window */
+                                op = write;
+                                len -= op;
+                                do {
+                                    PUP(out) = PUP(from);
+                                } while (--op);
+                                from = out - dist;      /* rest from output */
+                            }
+                        }
+                    }
+                    else {                      /* contiguous in window */
+                        from += write - op;
+                        if (op < len) {         /* some from window */
+                            len -= op;
+                            do {
+                                PUP(out) = PUP(from);
+                            } while (--op);
+                            from = out - dist;  /* rest from output */
+                        }
+                    }
+                    while (len > 2) {
+                        PUP(out) = PUP(from);
+                        PUP(out) = PUP(from);
+                        PUP(out) = PUP(from);
+                        len -= 3;
+                    }
+                    if (len) {
+                        PUP(out) = PUP(from);
+                        if (len > 1)
+                            PUP(out) = PUP(from);
+                    }
+                }
+                else {
+                    from = out - dist;          /* copy direct from output */
+                    do {                        /* minimum length is three */
+                        PUP(out) = PUP(from);
+                        PUP(out) = PUP(from);
+                        PUP(out) = PUP(from);
+                        len -= 3;
+                    } while (len > 2);
+                    if (len) {
+                        PUP(out) = PUP(from);
+                        if (len > 1)
+                            PUP(out) = PUP(from);
+                    }
+                }
+            }
+            else if ((op & 64) == 0) {          /* 2nd level distance code */
+                this = dcode[this.val + (hold & ((1U << op) - 1))];
+                goto dodist;
+            }
+            else {
+                strm->msg = (char *)"invalid distance code";
+                state->mode = BAD;
+                break;
+            }
+        }
+        else if ((op & 64) == 0) {              /* 2nd level length code */
+            this = lcode[this.val + (hold & ((1U << op) - 1))];
+            goto dolen;
+        }
+        else if (op & 32) {                     /* end-of-block */
+            Tracevv((stderr, "inflate:         end of block\n"));
+            state->mode = TYPE;
+            break;
+        }
+        else {
+            strm->msg = (char *)"invalid literal/length code";
+            state->mode = BAD;
+            break;
+        }
+    } while (in < last && out < end);
+
+    /* return unused bytes (on entry, bits < 8, so in won't go too far back) */
+    len = bits >> 3;
+    in -= len;
+    bits -= len << 3;
+    hold &= (1U << bits) - 1;
+
+    /* update state and return */
+    strm->next_in = in + OFF;
+    strm->next_out = out + OFF;
+    strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+    strm->avail_out = (unsigned)(out < end ?
+                                 257 + (end - out) : 257 - (out - end));
+    state->hold = hold;
+    state->bits = bits;
+    return;
+}
+
+/*
+   inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe):
+   - Using bit fields for code structure
+   - Different op definition to avoid & for extra bits (do & for table bits)
+   - Three separate decoding do-loops for direct, window, and write == 0
+   - Special case for distance > 1 copies to do overlapped load and store copy
+   - Explicit branch predictions (based on measured branch probabilities)
+   - Deferring match copy and interspersed it with decoding subsequent codes
+   - Swapping literal/length else
+   - Swapping window/direct else
+   - Larger unrolled copy loops (three is about right)
+   - Moving len -= 3 statement into middle of loop
+ */
+
+#endif /* !ASMINF */
diff --git a/security/nss/cmd/zlib/inffast.h b/security/nss/cmd/zlib/inffast.h
new file mode 100644
index 000000000..1e88d2d97
--- /dev/null
+++ b/security/nss/cmd/zlib/inffast.h
@@ -0,0 +1,11 @@
+/* inffast.h -- header to use inffast.c
+ * Copyright (C) 1995-2003 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+void inflate_fast OF((z_streamp strm, unsigned start));
diff --git a/security/nss/cmd/zlib/inffixed.h b/security/nss/cmd/zlib/inffixed.h
new file mode 100644
index 000000000..75ed4b597
--- /dev/null
+++ b/security/nss/cmd/zlib/inffixed.h
@@ -0,0 +1,94 @@
+    /* inffixed.h -- table for decoding fixed codes
+     * Generated automatically by makefixed().
+     */
+
+    /* WARNING: this file should *not* be used by applications. It
+       is part of the implementation of the compression library and
+       is subject to change. Applications should only use zlib.h.
+     */
+
+    static const code lenfix[512] = {
+        {96,7,0},{0,8,80},{0,8,16},{20,8,115},{18,7,31},{0,8,112},{0,8,48},
+        {0,9,192},{16,7,10},{0,8,96},{0,8,32},{0,9,160},{0,8,0},{0,8,128},
+        {0,8,64},{0,9,224},{16,7,6},{0,8,88},{0,8,24},{0,9,144},{19,7,59},
+        {0,8,120},{0,8,56},{0,9,208},{17,7,17},{0,8,104},{0,8,40},{0,9,176},
+        {0,8,8},{0,8,136},{0,8,72},{0,9,240},{16,7,4},{0,8,84},{0,8,20},
+        {21,8,227},{19,7,43},{0,8,116},{0,8,52},{0,9,200},{17,7,13},{0,8,100},
+        {0,8,36},{0,9,168},{0,8,4},{0,8,132},{0,8,68},{0,9,232},{16,7,8},
+        {0,8,92},{0,8,28},{0,9,152},{20,7,83},{0,8,124},{0,8,60},{0,9,216},
+        {18,7,23},{0,8,108},{0,8,44},{0,9,184},{0,8,12},{0,8,140},{0,8,76},
+        {0,9,248},{16,7,3},{0,8,82},{0,8,18},{21,8,163},{19,7,35},{0,8,114},
+        {0,8,50},{0,9,196},{17,7,11},{0,8,98},{0,8,34},{0,9,164},{0,8,2},
+        {0,8,130},{0,8,66},{0,9,228},{16,7,7},{0,8,90},{0,8,26},{0,9,148},
+        {20,7,67},{0,8,122},{0,8,58},{0,9,212},{18,7,19},{0,8,106},{0,8,42},
+        {0,9,180},{0,8,10},{0,8,138},{0,8,74},{0,9,244},{16,7,5},{0,8,86},
+        {0,8,22},{64,8,0},{19,7,51},{0,8,118},{0,8,54},{0,9,204},{17,7,15},
+        {0,8,102},{0,8,38},{0,9,172},{0,8,6},{0,8,134},{0,8,70},{0,9,236},
+        {16,7,9},{0,8,94},{0,8,30},{0,9,156},{20,7,99},{0,8,126},{0,8,62},
+        {0,9,220},{18,7,27},{0,8,110},{0,8,46},{0,9,188},{0,8,14},{0,8,142},
+        {0,8,78},{0,9,252},{96,7,0},{0,8,81},{0,8,17},{21,8,131},{18,7,31},
+        {0,8,113},{0,8,49},{0,9,194},{16,7,10},{0,8,97},{0,8,33},{0,9,162},
+        {0,8,1},{0,8,129},{0,8,65},{0,9,226},{16,7,6},{0,8,89},{0,8,25},
+        {0,9,146},{19,7,59},{0,8,121},{0,8,57},{0,9,210},{17,7,17},{0,8,105},
+        {0,8,41},{0,9,178},{0,8,9},{0,8,137},{0,8,73},{0,9,242},{16,7,4},
+        {0,8,85},{0,8,21},{16,8,258},{19,7,43},{0,8,117},{0,8,53},{0,9,202},
+        {17,7,13},{0,8,101},{0,8,37},{0,9,170},{0,8,5},{0,8,133},{0,8,69},
+        {0,9,234},{16,7,8},{0,8,93},{0,8,29},{0,9,154},{20,7,83},{0,8,125},
+        {0,8,61},{0,9,218},{18,7,23},{0,8,109},{0,8,45},{0,9,186},{0,8,13},
+        {0,8,141},{0,8,77},{0,9,250},{16,7,3},{0,8,83},{0,8,19},{21,8,195},
+        {19,7,35},{0,8,115},{0,8,51},{0,9,198},{17,7,11},{0,8,99},{0,8,35},
+        {0,9,166},{0,8,3},{0,8,131},{0,8,67},{0,9,230},{16,7,7},{0,8,91},
+        {0,8,27},{0,9,150},{20,7,67},{0,8,123},{0,8,59},{0,9,214},{18,7,19},
+        {0,8,107},{0,8,43},{0,9,182},{0,8,11},{0,8,139},{0,8,75},{0,9,246},
+        {16,7,5},{0,8,87},{0,8,23},{64,8,0},{19,7,51},{0,8,119},{0,8,55},
+        {0,9,206},{17,7,15},{0,8,103},{0,8,39},{0,9,174},{0,8,7},{0,8,135},
+        {0,8,71},{0,9,238},{16,7,9},{0,8,95},{0,8,31},{0,9,158},{20,7,99},
+        {0,8,127},{0,8,63},{0,9,222},{18,7,27},{0,8,111},{0,8,47},{0,9,190},
+        {0,8,15},{0,8,143},{0,8,79},{0,9,254},{96,7,0},{0,8,80},{0,8,16},
+        {20,8,115},{18,7,31},{0,8,112},{0,8,48},{0,9,193},{16,7,10},{0,8,96},
+        {0,8,32},{0,9,161},{0,8,0},{0,8,128},{0,8,64},{0,9,225},{16,7,6},
+        {0,8,88},{0,8,24},{0,9,145},{19,7,59},{0,8,120},{0,8,56},{0,9,209},
+        {17,7,17},{0,8,104},{0,8,40},{0,9,177},{0,8,8},{0,8,136},{0,8,72},
+        {0,9,241},{16,7,4},{0,8,84},{0,8,20},{21,8,227},{19,7,43},{0,8,116},
+        {0,8,52},{0,9,201},{17,7,13},{0,8,100},{0,8,36},{0,9,169},{0,8,4},
+        {0,8,132},{0,8,68},{0,9,233},{16,7,8},{0,8,92},{0,8,28},{0,9,153},
+        {20,7,83},{0,8,124},{0,8,60},{0,9,217},{18,7,23},{0,8,108},{0,8,44},
+        {0,9,185},{0,8,12},{0,8,140},{0,8,76},{0,9,249},{16,7,3},{0,8,82},
+        {0,8,18},{21,8,163},{19,7,35},{0,8,114},{0,8,50},{0,9,197},{17,7,11},
+        {0,8,98},{0,8,34},{0,9,165},{0,8,2},{0,8,130},{0,8,66},{0,9,229},
+        {16,7,7},{0,8,90},{0,8,26},{0,9,149},{20,7,67},{0,8,122},{0,8,58},
+        {0,9,213},{18,7,19},{0,8,106},{0,8,42},{0,9,181},{0,8,10},{0,8,138},
+        {0,8,74},{0,9,245},{16,7,5},{0,8,86},{0,8,22},{64,8,0},{19,7,51},
+        {0,8,118},{0,8,54},{0,9,205},{17,7,15},{0,8,102},{0,8,38},{0,9,173},
+        {0,8,6},{0,8,134},{0,8,70},{0,9,237},{16,7,9},{0,8,94},{0,8,30},
+        {0,9,157},{20,7,99},{0,8,126},{0,8,62},{0,9,221},{18,7,27},{0,8,110},
+        {0,8,46},{0,9,189},{0,8,14},{0,8,142},{0,8,78},{0,9,253},{96,7,0},
+        {0,8,81},{0,8,17},{21,8,131},{18,7,31},{0,8,113},{0,8,49},{0,9,195},
+        {16,7,10},{0,8,97},{0,8,33},{0,9,163},{0,8,1},{0,8,129},{0,8,65},
+        {0,9,227},{16,7,6},{0,8,89},{0,8,25},{0,9,147},{19,7,59},{0,8,121},
+        {0,8,57},{0,9,211},{17,7,17},{0,8,105},{0,8,41},{0,9,179},{0,8,9},
+        {0,8,137},{0,8,73},{0,9,243},{16,7,4},{0,8,85},{0,8,21},{16,8,258},
+        {19,7,43},{0,8,117},{0,8,53},{0,9,203},{17,7,13},{0,8,101},{0,8,37},
+        {0,9,171},{0,8,5},{0,8,133},{0,8,69},{0,9,235},{16,7,8},{0,8,93},
+        {0,8,29},{0,9,155},{20,7,83},{0,8,125},{0,8,61},{0,9,219},{18,7,23},
+        {0,8,109},{0,8,45},{0,9,187},{0,8,13},{0,8,141},{0,8,77},{0,9,251},
+        {16,7,3},{0,8,83},{0,8,19},{21,8,195},{19,7,35},{0,8,115},{0,8,51},
+        {0,9,199},{17,7,11},{0,8,99},{0,8,35},{0,9,167},{0,8,3},{0,8,131},
+        {0,8,67},{0,9,231},{16,7,7},{0,8,91},{0,8,27},{0,9,151},{20,7,67},
+        {0,8,123},{0,8,59},{0,9,215},{18,7,19},{0,8,107},{0,8,43},{0,9,183},
+        {0,8,11},{0,8,139},{0,8,75},{0,9,247},{16,7,5},{0,8,87},{0,8,23},
+        {64,8,0},{19,7,51},{0,8,119},{0,8,55},{0,9,207},{17,7,15},{0,8,103},
+        {0,8,39},{0,9,175},{0,8,7},{0,8,135},{0,8,71},{0,9,239},{16,7,9},
+        {0,8,95},{0,8,31},{0,9,159},{20,7,99},{0,8,127},{0,8,63},{0,9,223},
+        {18,7,27},{0,8,111},{0,8,47},{0,9,191},{0,8,15},{0,8,143},{0,8,79},
+        {0,9,255}
+    };
+
+    static const code distfix[32] = {
+        {16,5,1},{23,5,257},{19,5,17},{27,5,4097},{17,5,5},{25,5,1025},
+        {21,5,65},{29,5,16385},{16,5,3},{24,5,513},{20,5,33},{28,5,8193},
+        {18,5,9},{26,5,2049},{22,5,129},{64,5,0},{16,5,2},{23,5,385},
+        {19,5,25},{27,5,6145},{17,5,7},{25,5,1537},{21,5,97},{29,5,24577},
+        {16,5,4},{24,5,769},{20,5,49},{28,5,12289},{18,5,13},{26,5,3073},
+        {22,5,193},{64,5,0}
+    };
diff --git a/security/nss/cmd/zlib/inflate.c b/security/nss/cmd/zlib/inflate.c
new file mode 100644
index 000000000..792fdee8e
--- /dev/null
+++ b/security/nss/cmd/zlib/inflate.c
@@ -0,0 +1,1368 @@
+/* inflate.c -- zlib decompression
+ * Copyright (C) 1995-2005 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/*
+ * Change history:
+ *
+ * 1.2.beta0    24 Nov 2002
+ * - First version -- complete rewrite of inflate to simplify code, avoid
+ *   creation of window when not needed, minimize use of window when it is
+ *   needed, make inffast.c even faster, implement gzip decoding, and to
+ *   improve code readability and style over the previous zlib inflate code
+ *
+ * 1.2.beta1    25 Nov 2002
+ * - Use pointers for available input and output checking in inffast.c
+ * - Remove input and output counters in inffast.c
+ * - Change inffast.c entry and loop from avail_in >= 7 to >= 6
+ * - Remove unnecessary second byte pull from length extra in inffast.c
+ * - Unroll direct copy to three copies per loop in inffast.c
+ *
+ * 1.2.beta2    4 Dec 2002
+ * - Change external routine names to reduce potential conflicts
+ * - Correct filename to inffixed.h for fixed tables in inflate.c
+ * - Make hbuf[] unsigned char to match parameter type in inflate.c
+ * - Change strm->next_out[-state->offset] to *(strm->next_out - state->offset)
+ *   to avoid negation problem on Alphas (64 bit) in inflate.c
+ *
+ * 1.2.beta3    22 Dec 2002
+ * - Add comments on state->bits assertion in inffast.c
+ * - Add comments on op field in inftrees.h
+ * - Fix bug in reuse of allocated window after inflateReset()
+ * - Remove bit fields--back to byte structure for speed
+ * - Remove distance extra == 0 check in inflate_fast()--only helps for lengths
+ * - Change post-increments to pre-increments in inflate_fast(), PPC biased?
+ * - Add compile time option, POSTINC, to use post-increments instead (Intel?)
+ * - Make MATCH copy in inflate() much faster for when inflate_fast() not used
+ * - Use local copies of stream next and avail values, as well as local bit
+ *   buffer and bit count in inflate()--for speed when inflate_fast() not used
+ *
+ * 1.2.beta4    1 Jan 2003
+ * - Split ptr - 257 statements in inflate_table() to avoid compiler warnings
+ * - Move a comment on output buffer sizes from inffast.c to inflate.c
+ * - Add comments in inffast.c to introduce the inflate_fast() routine
+ * - Rearrange window copies in inflate_fast() for speed and simplification
+ * - Unroll last copy for window match in inflate_fast()
+ * - Use local copies of window variables in inflate_fast() for speed
+ * - Pull out common write == 0 case for speed in inflate_fast()
+ * - Make op and len in inflate_fast() unsigned for consistency
+ * - Add FAR to lcode and dcode declarations in inflate_fast()
+ * - Simplified bad distance check in inflate_fast()
+ * - Added inflateBackInit(), inflateBack(), and inflateBackEnd() in new
+ *   source file infback.c to provide a call-back interface to inflate for
+ *   programs like gzip and unzip -- uses window as output buffer to avoid
+ *   window copying
+ *
+ * 1.2.beta5    1 Jan 2003
+ * - Improved inflateBack() interface to allow the caller to provide initial
+ *   input in strm.
+ * - Fixed stored blocks bug in inflateBack()
+ *
+ * 1.2.beta6    4 Jan 2003
+ * - Added comments in inffast.c on effectiveness of POSTINC
+ * - Typecasting all around to reduce compiler warnings
+ * - Changed loops from while (1) or do {} while (1) to for (;;), again to
+ *   make compilers happy
+ * - Changed type of window in inflateBackInit() to unsigned char *
+ *
+ * 1.2.beta7    27 Jan 2003
+ * - Changed many types to unsigned or unsigned short to avoid warnings
+ * - Added inflateCopy() function
+ *
+ * 1.2.0        9 Mar 2003
+ * - Changed inflateBack() interface to provide separate opaque descriptors
+ *   for the in() and out() functions
+ * - Changed inflateBack() argument and in_func typedef to swap the length
+ *   and buffer address return values for the input function
+ * - Check next_in and next_out for Z_NULL on entry to inflate()
+ *
+ * The history for versions after 1.2.0 are in ChangeLog in zlib distribution.
+ */
+
+#include "zutil.h"
+#include "inftrees.h"
+#include "inflate.h"
+#include "inffast.h"
+
+#ifdef MAKEFIXED
+#  ifndef BUILDFIXED
+#    define BUILDFIXED
+#  endif
+#endif
+
+/* function prototypes */
+local void fixedtables OF((struct inflate_state FAR *state));
+local int updatewindow OF((z_streamp strm, unsigned out));
+#ifdef BUILDFIXED
+   void makefixed OF((void));
+#endif
+local unsigned syncsearch OF((unsigned FAR *have, unsigned char FAR *buf,
+                              unsigned len));
+
+int ZEXPORT inflateReset(strm)
+z_streamp strm;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    strm->total_in = strm->total_out = state->total = 0;
+    strm->msg = Z_NULL;
+    strm->adler = 1;        /* to support ill-conceived Java test suite */
+    state->mode = HEAD;
+    state->last = 0;
+    state->havedict = 0;
+    state->dmax = 32768U;
+    state->head = Z_NULL;
+    state->wsize = 0;
+    state->whave = 0;
+    state->write = 0;
+    state->hold = 0;
+    state->bits = 0;
+    state->lencode = state->distcode = state->next = state->codes;
+    Tracev((stderr, "inflate: reset\n"));
+    return Z_OK;
+}
+
+int ZEXPORT inflatePrime(strm, bits, value)
+z_streamp strm;
+int bits;
+int value;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
+    value &= (1L << bits) - 1;
+    state->hold += value << state->bits;
+    state->bits += bits;
+    return Z_OK;
+}
+
+int ZEXPORT inflateInit2_(strm, windowBits, version, stream_size)
+z_streamp strm;
+int windowBits;
+const char *version;
+int stream_size;
+{
+    struct inflate_state FAR *state;
+
+    if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
+        stream_size != (int)(sizeof(z_stream)))
+        return Z_VERSION_ERROR;
+    if (strm == Z_NULL) return Z_STREAM_ERROR;
+    strm->msg = Z_NULL;                 /* in case we return an error */
+    if (strm->zalloc == (alloc_func)0) {
+        strm->zalloc = zcalloc;
+        strm->opaque = (voidpf)0;
+    }
+    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
+    state = (struct inflate_state FAR *)
+            ZALLOC(strm, 1, sizeof(struct inflate_state));
+    if (state == Z_NULL) return Z_MEM_ERROR;
+    Tracev((stderr, "inflate: allocated\n"));
+    strm->state = (struct internal_state FAR *)state;
+    if (windowBits < 0) {
+        state->wrap = 0;
+        windowBits = -windowBits;
+    }
+    else {
+        state->wrap = (windowBits >> 4) + 1;
+#ifdef GUNZIP
+        if (windowBits < 48) windowBits &= 15;
+#endif
+    }
+    if (windowBits < 8 || windowBits > 15) {
+        ZFREE(strm, state);
+        strm->state = Z_NULL;
+        return Z_STREAM_ERROR;
+    }
+    state->wbits = (unsigned)windowBits;
+    state->window = Z_NULL;
+    return inflateReset(strm);
+}
+
+int ZEXPORT inflateInit_(strm, version, stream_size)
+z_streamp strm;
+const char *version;
+int stream_size;
+{
+    return inflateInit2_(strm, DEF_WBITS, version, stream_size);
+}
+
+/*
+   Return state with length and distance decoding tables and index sizes set to
+   fixed code decoding.  Normally this returns fixed tables from inffixed.h.
+   If BUILDFIXED is defined, then instead this routine builds the tables the
+   first time it's called, and returns those tables the first time and
+   thereafter.  This reduces the size of the code by about 2K bytes, in
+   exchange for a little execution time.  However, BUILDFIXED should not be
+   used for threaded applications, since the rewriting of the tables and virgin
+   may not be thread-safe.
+ */
+local void fixedtables(state)
+struct inflate_state FAR *state;
+{
+#ifdef BUILDFIXED
+    static int virgin = 1;
+    static code *lenfix, *distfix;
+    static code fixed[544];
+
+    /* build fixed huffman tables if first call (may not be thread safe) */
+    if (virgin) {
+        unsigned sym, bits;
+        static code *next;
+
+        /* literal/length table */
+        sym = 0;
+        while (sym < 144) state->lens[sym++] = 8;
+        while (sym < 256) state->lens[sym++] = 9;
+        while (sym < 280) state->lens[sym++] = 7;
+        while (sym < 288) state->lens[sym++] = 8;
+        next = fixed;
+        lenfix = next;
+        bits = 9;
+        inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);
+
+        /* distance table */
+        sym = 0;
+        while (sym < 32) state->lens[sym++] = 5;
+        distfix = next;
+        bits = 5;
+        inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);
+
+        /* do this just once */
+        virgin = 0;
+    }
+#else /* !BUILDFIXED */
+#   include "inffixed.h"
+#endif /* BUILDFIXED */
+    state->lencode = lenfix;
+    state->lenbits = 9;
+    state->distcode = distfix;
+    state->distbits = 5;
+}
+
+#ifdef MAKEFIXED
+#include <stdio.h>
+
+/*
+   Write out the inffixed.h that is #include'd above.  Defining MAKEFIXED also
+   defines BUILDFIXED, so the tables are built on the fly.  makefixed() writes
+   those tables to stdout, which would be piped to inffixed.h.  A small program
+   can simply call makefixed to do this:
+
+    void makefixed(void);
+
+    int main(void)
+    {
+        makefixed();
+        return 0;
+    }
+
+   Then that can be linked with zlib built with MAKEFIXED defined and run:
+
+    a.out > inffixed.h
+ */
+void makefixed()
+{
+    unsigned low, size;
+    struct inflate_state state;
+
+    fixedtables(&state);
+    puts("    /* inffixed.h -- table for decoding fixed codes");
+    puts("     * Generated automatically by makefixed().");
+    puts("     */");
+    puts("");
+    puts("    /* WARNING: this file should *not* be used by applications.");
+    puts("       It is part of the implementation of this library and is");
+    puts("       subject to change. Applications should only use zlib.h.");
+    puts("     */");
+    puts("");
+    size = 1U << 9;
+    printf("    static const code lenfix[%u] = {", size);
+    low = 0;
+    for (;;) {
+        if ((low % 7) == 0) printf("\n        ");
+        printf("{%u,%u,%d}", state.lencode[low].op, state.lencode[low].bits,
+               state.lencode[low].val);
+        if (++low == size) break;
+        putchar(',');
+    }
+    puts("\n    };");
+    size = 1U << 5;
+    printf("\n    static const code distfix[%u] = {", size);
+    low = 0;
+    for (;;) {
+        if ((low % 6) == 0) printf("\n        ");
+        printf("{%u,%u,%d}", state.distcode[low].op, state.distcode[low].bits,
+               state.distcode[low].val);
+        if (++low == size) break;
+        putchar(',');
+    }
+    puts("\n    };");
+}
+#endif /* MAKEFIXED */
+
+/*
+   Update the window with the last wsize (normally 32K) bytes written before
+   returning.  If window does not exist yet, create it.  This is only called
+   when a window is already in use, or when output has been written during this
+   inflate call, but the end of the deflate stream has not been reached yet.
+   It is also called to create a window for dictionary data when a dictionary
+   is loaded.
+
+   Providing output buffers larger than 32K to inflate() should provide a speed
+   advantage, since only the last 32K of output is copied to the sliding window
+   upon return from inflate(), and since all distances after the first 32K of
+   output will fall in the output data, making match copies simpler and faster.
+   The advantage may be dependent on the size of the processor's data caches.
+ */
+local int updatewindow(strm, out)
+z_streamp strm;
+unsigned out;
+{
+    struct inflate_state FAR *state;
+    unsigned copy, dist;
+
+    state = (struct inflate_state FAR *)strm->state;
+
+    /* if it hasn't been done already, allocate space for the window */
+    if (state->window == Z_NULL) {
+        state->window = (unsigned char FAR *)
+                        ZALLOC(strm, 1U << state->wbits,
+                               sizeof(unsigned char));
+        if (state->window == Z_NULL) return 1;
+    }
+
+    /* if window not in use yet, initialize */
+    if (state->wsize == 0) {
+        state->wsize = 1U << state->wbits;
+        state->write = 0;
+        state->whave = 0;
+    }
+
+    /* copy state->wsize or less output bytes into the circular window */
+    copy = out - strm->avail_out;
+    if (copy >= state->wsize) {
+        zmemcpy(state->window, strm->next_out - state->wsize, state->wsize);
+        state->write = 0;
+        state->whave = state->wsize;
+    }
+    else {
+        dist = state->wsize - state->write;
+        if (dist > copy) dist = copy;
+        zmemcpy(state->window + state->write, strm->next_out - copy, dist);
+        copy -= dist;
+        if (copy) {
+            zmemcpy(state->window, strm->next_out - copy, copy);
+            state->write = copy;
+            state->whave = state->wsize;
+        }
+        else {
+            state->write += dist;
+            if (state->write == state->wsize) state->write = 0;
+            if (state->whave < state->wsize) state->whave += dist;
+        }
+    }
+    return 0;
+}
+
+/* Macros for inflate(): */
+
+/* check function to use adler32() for zlib or crc32() for gzip */
+#ifdef GUNZIP
+#  define UPDATE(check, buf, len) \
+    (state->flags ? crc32(check, buf, len) : adler32(check, buf, len))
+#else
+#  define UPDATE(check, buf, len) adler32(check, buf, len)
+#endif
+
+/* check macros for header crc */
+#ifdef GUNZIP
+#  define CRC2(check, word) \
+    do { \
+        hbuf[0] = (unsigned char)(word); \
+        hbuf[1] = (unsigned char)((word) >> 8); \
+        check = crc32(check, hbuf, 2); \
+    } while (0)
+
+#  define CRC4(check, word) \
+    do { \
+        hbuf[0] = (unsigned char)(word); \
+        hbuf[1] = (unsigned char)((word) >> 8); \
+        hbuf[2] = (unsigned char)((word) >> 16); \
+        hbuf[3] = (unsigned char)((word) >> 24); \
+        check = crc32(check, hbuf, 4); \
+    } while (0)
+#endif
+
+/* Load registers with state in inflate() for speed */
+#define LOAD() \
+    do { \
+        put = strm->next_out; \
+        left = strm->avail_out; \
+        next = strm->next_in; \
+        have = strm->avail_in; \
+        hold = state->hold; \
+        bits = state->bits; \
+    } while (0)
+
+/* Restore state from registers in inflate() */
+#define RESTORE() \
+    do { \
+        strm->next_out = put; \
+        strm->avail_out = left; \
+        strm->next_in = next; \
+        strm->avail_in = have; \
+        state->hold = hold; \
+        state->bits = bits; \
+    } while (0)
+
+/* Clear the input bit accumulator */
+#define INITBITS() \
+    do { \
+        hold = 0; \
+        bits = 0; \
+    } while (0)
+
+/* Get a byte of input into the bit accumulator, or return from inflate()
+   if there is no input available. */
+#define PULLBYTE() \
+    do { \
+        if (have == 0) goto inf_leave; \
+        have--; \
+        hold += (unsigned long)(*next++) << bits; \
+        bits += 8; \
+    } while (0)
+
+/* Assure that there are at least n bits in the bit accumulator.  If there is
+   not enough available input to do that, then return from inflate(). */
+#define NEEDBITS(n) \
+    do { \
+        while (bits < (unsigned)(n)) \
+            PULLBYTE(); \
+    } while (0)
+
+/* Return the low n bits of the bit accumulator (n < 16) */
+#define BITS(n) \
+    ((unsigned)hold & ((1U << (n)) - 1))
+
+/* Remove n bits from the bit accumulator */
+#define DROPBITS(n) \
+    do { \
+        hold >>= (n); \
+        bits -= (unsigned)(n); \
+    } while (0)
+
+/* Remove zero to seven bits as needed to go to a byte boundary */
+#define BYTEBITS() \
+    do { \
+        hold >>= bits & 7; \
+        bits -= bits & 7; \
+    } while (0)
+
+/* Reverse the bytes in a 32-bit value */
+#define REVERSE(q) \
+    ((((q) >> 24) & 0xff) + (((q) >> 8) & 0xff00) + \
+     (((q) & 0xff00) << 8) + (((q) & 0xff) << 24))
+
+/*
+   inflate() uses a state machine to process as much input data and generate as
+   much output data as possible before returning.  The state machine is
+   structured roughly as follows:
+
+    for (;;) switch (state) {
+    ...
+    case STATEn:
+        if (not enough input data or output space to make progress)
+            return;
+        ... make progress ...
+        state = STATEm;
+        break;
+    ...
+    }
+
+   so when inflate() is called again, the same case is attempted again, and
+   if the appropriate resources are provided, the machine proceeds to the
+   next state.  The NEEDBITS() macro is usually the way the state evaluates
+   whether it can proceed or should return.  NEEDBITS() does the return if
+   the requested bits are not available.  The typical use of the BITS macros
+   is:
+
+        NEEDBITS(n);
+        ... do something with BITS(n) ...
+        DROPBITS(n);
+
+   where NEEDBITS(n) either returns from inflate() if there isn't enough
+   input left to load n bits into the accumulator, or it continues.  BITS(n)
+   gives the low n bits in the accumulator.  When done, DROPBITS(n) drops
+   the low n bits off the accumulator.  INITBITS() clears the accumulator
+   and sets the number of available bits to zero.  BYTEBITS() discards just
+   enough bits to put the accumulator on a byte boundary.  After BYTEBITS()
+   and a NEEDBITS(8), then BITS(8) would return the next byte in the stream.
+
+   NEEDBITS(n) uses PULLBYTE() to get an available byte of input, or to return
+   if there is no input available.  The decoding of variable length codes uses
+   PULLBYTE() directly in order to pull just enough bytes to decode the next
+   code, and no more.
+
+   Some states loop until they get enough input, making sure that enough
+   state information is maintained to continue the loop where it left off
+   if NEEDBITS() returns in the loop.  For example, want, need, and keep
+   would all have to actually be part of the saved state in case NEEDBITS()
+   returns:
+
+    case STATEw:
+        while (want < need) {
+            NEEDBITS(n);
+            keep[want++] = BITS(n);
+            DROPBITS(n);
+        }
+        state = STATEx;
+    case STATEx:
+
+   As shown above, if the next state is also the next case, then the break
+   is omitted.
+
+   A state may also return if there is not enough output space available to
+   complete that state.  Those states are copying stored data, writing a
+   literal byte, and copying a matching string.
+
+   When returning, a "goto inf_leave" is used to update the total counters,
+   update the check value, and determine whether any progress has been made
+   during that inflate() call in order to return the proper return code.
+   Progress is defined as a change in either strm->avail_in or strm->avail_out.
+   When there is a window, goto inf_leave will update the window with the last
+   output written.  If a goto inf_leave occurs in the middle of decompression
+   and there is no window currently, goto inf_leave will create one and copy
+   output to the window for the next call of inflate().
+
+   In this implementation, the flush parameter of inflate() only affects the
+   return code (per zlib.h).  inflate() always writes as much as possible to
+   strm->next_out, given the space available and the provided input--the effect
+   documented in zlib.h of Z_SYNC_FLUSH.  Furthermore, inflate() always defers
+   the allocation of and copying into a sliding window until necessary, which
+   provides the effect documented in zlib.h for Z_FINISH when the entire input
+   stream available.  So the only thing the flush parameter actually does is:
+   when flush is set to Z_FINISH, inflate() cannot return Z_OK.  Instead it
+   will return Z_BUF_ERROR if it has not reached the end of the stream.
+ */
+
+int ZEXPORT inflate(strm, flush)
+z_streamp strm;
+int flush;
+{
+    struct inflate_state FAR *state;
+    unsigned char FAR *next;    /* next input */
+    unsigned char FAR *put;     /* next output */
+    unsigned have, left;        /* available input and output */
+    unsigned long hold;         /* bit buffer */
+    unsigned bits;              /* bits in bit buffer */
+    unsigned in, out;           /* save starting available input and output */
+    unsigned copy;              /* number of stored or match bytes to copy */
+    unsigned char FAR *from;    /* where to copy match bytes from */
+    code this;                  /* current decoding table entry */
+    code last;                  /* parent table entry */
+    unsigned len;               /* length to copy for repeats, bits to drop */
+    int ret;                    /* return code */
+#ifdef GUNZIP
+    unsigned char hbuf[4];      /* buffer for gzip header crc calculation */
+#endif
+    static const unsigned short order[19] = /* permutation of code lengths */
+        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
+
+    if (strm == Z_NULL || strm->state == Z_NULL || strm->next_out == Z_NULL ||
+        (strm->next_in == Z_NULL && strm->avail_in != 0))
+        return Z_STREAM_ERROR;
+
+    state = (struct inflate_state FAR *)strm->state;
+    if (state->mode == TYPE) state->mode = TYPEDO;      /* skip check */
+    LOAD();
+    in = have;
+    out = left;
+    ret = Z_OK;
+    for (;;)
+        switch (state->mode) {
+        case HEAD:
+            if (state->wrap == 0) {
+                state->mode = TYPEDO;
+                break;
+            }
+            NEEDBITS(16);
+#ifdef GUNZIP
+            if ((state->wrap & 2) && hold == 0x8b1f) {  /* gzip header */
+                state->check = crc32(0L, Z_NULL, 0);
+                CRC2(state->check, hold);
+                INITBITS();
+                state->mode = FLAGS;
+                break;
+            }
+            state->flags = 0;           /* expect zlib header */
+            if (state->head != Z_NULL)
+                state->head->done = -1;
+            if (!(state->wrap & 1) ||   /* check if zlib header allowed */
+#else
+            if (
+#endif
+                ((BITS(8) << 8) + (hold >> 8)) % 31) {
+                strm->msg = (char *)"incorrect header check";
+                state->mode = BAD;
+                break;
+            }
+            if (BITS(4) != Z_DEFLATED) {
+                strm->msg = (char *)"unknown compression method";
+                state->mode = BAD;
+                break;
+            }
+            DROPBITS(4);
+            len = BITS(4) + 8;
+            if (len > state->wbits) {
+                strm->msg = (char *)"invalid window size";
+                state->mode = BAD;
+                break;
+            }
+            state->dmax = 1U << len;
+            Tracev((stderr, "inflate:   zlib header ok\n"));
+            strm->adler = state->check = adler32(0L, Z_NULL, 0);
+            state->mode = hold & 0x200 ? DICTID : TYPE;
+            INITBITS();
+            break;
+#ifdef GUNZIP
+        case FLAGS:
+            NEEDBITS(16);
+            state->flags = (int)(hold);
+            if ((state->flags & 0xff) != Z_DEFLATED) {
+                strm->msg = (char *)"unknown compression method";
+                state->mode = BAD;
+                break;
+            }
+            if (state->flags & 0xe000) {
+                strm->msg = (char *)"unknown header flags set";
+                state->mode = BAD;
+                break;
+            }
+            if (state->head != Z_NULL)
+                state->head->text = (int)((hold >> 8) & 1);
+            if (state->flags & 0x0200) CRC2(state->check, hold);
+            INITBITS();
+            state->mode = TIME;
+        case TIME:
+            NEEDBITS(32);
+            if (state->head != Z_NULL)
+                state->head->time = hold;
+            if (state->flags & 0x0200) CRC4(state->check, hold);
+            INITBITS();
+            state->mode = OS;
+        case OS:
+            NEEDBITS(16);
+            if (state->head != Z_NULL) {
+                state->head->xflags = (int)(hold & 0xff);
+                state->head->os = (int)(hold >> 8);
+            }
+            if (state->flags & 0x0200) CRC2(state->check, hold);
+            INITBITS();
+            state->mode = EXLEN;
+        case EXLEN:
+            if (state->flags & 0x0400) {
+                NEEDBITS(16);
+                state->length = (unsigned)(hold);
+                if (state->head != Z_NULL)
+                    state->head->extra_len = (unsigned)hold;
+                if (state->flags & 0x0200) CRC2(state->check, hold);
+                INITBITS();
+            }
+            else if (state->head != Z_NULL)
+                state->head->extra = Z_NULL;
+            state->mode = EXTRA;
+        case EXTRA:
+            if (state->flags & 0x0400) {
+                copy = state->length;
+                if (copy > have) copy = have;
+                if (copy) {
+                    if (state->head != Z_NULL &&
+                        state->head->extra != Z_NULL) {
+                        len = state->head->extra_len - state->length;
+                        zmemcpy(state->head->extra + len, next,
+                                len + copy > state->head->extra_max ?
+                                state->head->extra_max - len : copy);
+                    }
+                    if (state->flags & 0x0200)
+                        state->check = crc32(state->check, next, copy);
+                    have -= copy;
+                    next += copy;
+                    state->length -= copy;
+                }
+                if (state->length) goto inf_leave;
+            }
+            state->length = 0;
+            state->mode = NAME;
+        case NAME:
+            if (state->flags & 0x0800) {
+                if (have == 0) goto inf_leave;
+                copy = 0;
+                do {
+                    len = (unsigned)(next[copy++]);
+                    if (state->head != Z_NULL &&
+                            state->head->name != Z_NULL &&
+                            state->length < state->head->name_max)
+                        state->head->name[state->length++] = len;
+                } while (len && copy < have);
+                if (state->flags & 0x0200)
+                    state->check = crc32(state->check, next, copy);
+                have -= copy;
+                next += copy;
+                if (len) goto inf_leave;
+            }
+            else if (state->head != Z_NULL)
+                state->head->name = Z_NULL;
+            state->length = 0;
+            state->mode = COMMENT;
+        case COMMENT:
+            if (state->flags & 0x1000) {
+                if (have == 0) goto inf_leave;
+                copy = 0;
+                do {
+                    len = (unsigned)(next[copy++]);
+                    if (state->head != Z_NULL &&
+                            state->head->comment != Z_NULL &&
+                            state->length < state->head->comm_max)
+                        state->head->comment[state->length++] = len;
+                } while (len && copy < have);
+                if (state->flags & 0x0200)
+                    state->check = crc32(state->check, next, copy);
+                have -= copy;
+                next += copy;
+                if (len) goto inf_leave;
+            }
+            else if (state->head != Z_NULL)
+                state->head->comment = Z_NULL;
+            state->mode = HCRC;
+        case HCRC:
+            if (state->flags & 0x0200) {
+                NEEDBITS(16);
+                if (hold != (state->check & 0xffff)) {
+                    strm->msg = (char *)"header crc mismatch";
+                    state->mode = BAD;
+                    break;
+                }
+                INITBITS();
+            }
+            if (state->head != Z_NULL) {
+                state->head->hcrc = (int)((state->flags >> 9) & 1);
+                state->head->done = 1;
+            }
+            strm->adler = state->check = crc32(0L, Z_NULL, 0);
+            state->mode = TYPE;
+            break;
+#endif
+        case DICTID:
+            NEEDBITS(32);
+            strm->adler = state->check = REVERSE(hold);
+            INITBITS();
+            state->mode = DICT;
+        case DICT:
+            if (state->havedict == 0) {
+                RESTORE();
+                return Z_NEED_DICT;
+            }
+            strm->adler = state->check = adler32(0L, Z_NULL, 0);
+            state->mode = TYPE;
+        case TYPE:
+            if (flush == Z_BLOCK) goto inf_leave;
+        case TYPEDO:
+            if (state->last) {
+                BYTEBITS();
+                state->mode = CHECK;
+                break;
+            }
+            NEEDBITS(3);
+            state->last = BITS(1);
+            DROPBITS(1);
+            switch (BITS(2)) {
+            case 0:                             /* stored block */
+                Tracev((stderr, "inflate:     stored block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = STORED;
+                break;
+            case 1:                             /* fixed block */
+                fixedtables(state);
+                Tracev((stderr, "inflate:     fixed codes block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = LEN;              /* decode codes */
+                break;
+            case 2:                             /* dynamic block */
+                Tracev((stderr, "inflate:     dynamic codes block%s\n",
+                        state->last ? " (last)" : ""));
+                state->mode = TABLE;
+                break;
+            case 3:
+                strm->msg = (char *)"invalid block type";
+                state->mode = BAD;
+            }
+            DROPBITS(2);
+            break;
+        case STORED:
+            BYTEBITS();                         /* go to byte boundary */
+            NEEDBITS(32);
+            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
+                strm->msg = (char *)"invalid stored block lengths";
+                state->mode = BAD;
+                break;
+            }
+            state->length = (unsigned)hold & 0xffff;
+            Tracev((stderr, "inflate:       stored length %u\n",
+                    state->length));
+            INITBITS();
+            state->mode = COPY;
+        case COPY:
+            copy = state->length;
+            if (copy) {
+                if (copy > have) copy = have;
+                if (copy > left) copy = left;
+                if (copy == 0) goto inf_leave;
+                zmemcpy(put, next, copy);
+                have -= copy;
+                next += copy;
+                left -= copy;
+                put += copy;
+                state->length -= copy;
+                break;
+            }
+            Tracev((stderr, "inflate:       stored end\n"));
+            state->mode = TYPE;
+            break;
+        case TABLE:
+            NEEDBITS(14);
+            state->nlen = BITS(5) + 257;
+            DROPBITS(5);
+            state->ndist = BITS(5) + 1;
+            DROPBITS(5);
+            state->ncode = BITS(4) + 4;
+            DROPBITS(4);
+#ifndef PKZIP_BUG_WORKAROUND
+            if (state->nlen > 286 || state->ndist > 30) {
+                strm->msg = (char *)"too many length or distance symbols";
+                state->mode = BAD;
+                break;
+            }
+#endif
+            Tracev((stderr, "inflate:       table sizes ok\n"));
+            state->have = 0;
+            state->mode = LENLENS;
+        case LENLENS:
+            while (state->have < state->ncode) {
+                NEEDBITS(3);
+                state->lens[order[state->have++]] = (unsigned short)BITS(3);
+                DROPBITS(3);
+            }
+            while (state->have < 19)
+                state->lens[order[state->have++]] = 0;
+            state->next = state->codes;
+            state->lencode = (code const FAR *)(state->next);
+            state->lenbits = 7;
+            ret = inflate_table(CODES, state->lens, 19, &(state->next),
+                                &(state->lenbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid code lengths set";
+                state->mode = BAD;
+                break;
+            }
+            Tracev((stderr, "inflate:       code lengths ok\n"));
+            state->have = 0;
+            state->mode = CODELENS;
+        case CODELENS:
+            while (state->have < state->nlen + state->ndist) {
+                for (;;) {
+                    this = state->lencode[BITS(state->lenbits)];
+                    if ((unsigned)(this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                if (this.val < 16) {
+                    NEEDBITS(this.bits);
+                    DROPBITS(this.bits);
+                    state->lens[state->have++] = this.val;
+                }
+                else {
+                    if (this.val == 16) {
+                        NEEDBITS(this.bits + 2);
+                        DROPBITS(this.bits);
+                        if (state->have == 0) {
+                            strm->msg = (char *)"invalid bit length repeat";
+                            state->mode = BAD;
+                            break;
+                        }
+                        len = state->lens[state->have - 1];
+                        copy = 3 + BITS(2);
+                        DROPBITS(2);
+                    }
+                    else if (this.val == 17) {
+                        NEEDBITS(this.bits + 3);
+                        DROPBITS(this.bits);
+                        len = 0;
+                        copy = 3 + BITS(3);
+                        DROPBITS(3);
+                    }
+                    else {
+                        NEEDBITS(this.bits + 7);
+                        DROPBITS(this.bits);
+                        len = 0;
+                        copy = 11 + BITS(7);
+                        DROPBITS(7);
+                    }
+                    if (state->have + copy > state->nlen + state->ndist) {
+                        strm->msg = (char *)"invalid bit length repeat";
+                        state->mode = BAD;
+                        break;
+                    }
+                    while (copy--)
+                        state->lens[state->have++] = (unsigned short)len;
+                }
+            }
+
+            /* handle error breaks in while */
+            if (state->mode == BAD) break;
+
+            /* build code tables */
+            state->next = state->codes;
+            state->lencode = (code const FAR *)(state->next);
+            state->lenbits = 9;
+            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
+                                &(state->lenbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid literal/lengths set";
+                state->mode = BAD;
+                break;
+            }
+            state->distcode = (code const FAR *)(state->next);
+            state->distbits = 6;
+            ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,
+                            &(state->next), &(state->distbits), state->work);
+            if (ret) {
+                strm->msg = (char *)"invalid distances set";
+                state->mode = BAD;
+                break;
+            }
+            Tracev((stderr, "inflate:       codes ok\n"));
+            state->mode = LEN;
+        case LEN:
+            if (have >= 6 && left >= 258) {
+                RESTORE();
+                inflate_fast(strm, out);
+                LOAD();
+                break;
+            }
+            for (;;) {
+                this = state->lencode[BITS(state->lenbits)];
+                if ((unsigned)(this.bits) <= bits) break;
+                PULLBYTE();
+            }
+            if (this.op && (this.op & 0xf0) == 0) {
+                last = this;
+                for (;;) {
+                    this = state->lencode[last.val +
+                            (BITS(last.bits + last.op) >> last.bits)];
+                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                DROPBITS(last.bits);
+            }
+            DROPBITS(this.bits);
+            state->length = (unsigned)this.val;
+            if ((int)(this.op) == 0) {
+                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+                        "inflate:         literal '%c'\n" :
+                        "inflate:         literal 0x%02x\n", this.val));
+                state->mode = LIT;
+                break;
+            }
+            if (this.op & 32) {
+                Tracevv((stderr, "inflate:         end of block\n"));
+                state->mode = TYPE;
+                break;
+            }
+            if (this.op & 64) {
+                strm->msg = (char *)"invalid literal/length code";
+                state->mode = BAD;
+                break;
+            }
+            state->extra = (unsigned)(this.op) & 15;
+            state->mode = LENEXT;
+        case LENEXT:
+            if (state->extra) {
+                NEEDBITS(state->extra);
+                state->length += BITS(state->extra);
+                DROPBITS(state->extra);
+            }
+            Tracevv((stderr, "inflate:         length %u\n", state->length));
+            state->mode = DIST;
+        case DIST:
+            for (;;) {
+                this = state->distcode[BITS(state->distbits)];
+                if ((unsigned)(this.bits) <= bits) break;
+                PULLBYTE();
+            }
+            if ((this.op & 0xf0) == 0) {
+                last = this;
+                for (;;) {
+                    this = state->distcode[last.val +
+                            (BITS(last.bits + last.op) >> last.bits)];
+                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    PULLBYTE();
+                }
+                DROPBITS(last.bits);
+            }
+            DROPBITS(this.bits);
+            if (this.op & 64) {
+                strm->msg = (char *)"invalid distance code";
+                state->mode = BAD;
+                break;
+            }
+            state->offset = (unsigned)this.val;
+            state->extra = (unsigned)(this.op) & 15;
+            state->mode = DISTEXT;
+        case DISTEXT:
+            if (state->extra) {
+                NEEDBITS(state->extra);
+                state->offset += BITS(state->extra);
+                DROPBITS(state->extra);
+            }
+#ifdef INFLATE_STRICT
+            if (state->offset > state->dmax) {
+                strm->msg = (char *)"invalid distance too far back";
+                state->mode = BAD;
+                break;
+            }
+#endif
+            if (state->offset > state->whave + out - left) {
+                strm->msg = (char *)"invalid distance too far back";
+                state->mode = BAD;
+                break;
+            }
+            Tracevv((stderr, "inflate:         distance %u\n", state->offset));
+            state->mode = MATCH;
+        case MATCH:
+            if (left == 0) goto inf_leave;
+            copy = out - left;
+            if (state->offset > copy) {         /* copy from window */
+                copy = state->offset - copy;
+                if (copy > state->write) {
+                    copy -= state->write;
+                    from = state->window + (state->wsize - copy);
+                }
+                else
+                    from = state->window + (state->write - copy);
+                if (copy > state->length) copy = state->length;
+            }
+            else {                              /* copy from output */
+                from = put - state->offset;
+                copy = state->length;
+            }
+            if (copy > left) copy = left;
+            left -= copy;
+            state->length -= copy;
+            do {
+                *put++ = *from++;
+            } while (--copy);
+            if (state->length == 0) state->mode = LEN;
+            break;
+        case LIT:
+            if (left == 0) goto inf_leave;
+            *put++ = (unsigned char)(state->length);
+            left--;
+            state->mode = LEN;
+            break;
+        case CHECK:
+            if (state->wrap) {
+                NEEDBITS(32);
+                out -= left;
+                strm->total_out += out;
+                state->total += out;
+                if (out)
+                    strm->adler = state->check =
+                        UPDATE(state->check, put - out, out);
+                out = left;
+                if ((
+#ifdef GUNZIP
+                     state->flags ? hold :
+#endif
+                     REVERSE(hold)) != state->check) {
+                    strm->msg = (char *)"incorrect data check";
+                    state->mode = BAD;
+                    break;
+                }
+                INITBITS();
+                Tracev((stderr, "inflate:   check matches trailer\n"));
+            }
+#ifdef GUNZIP
+            state->mode = LENGTH;
+        case LENGTH:
+            if (state->wrap && state->flags) {
+                NEEDBITS(32);
+                if (hold != (state->total & 0xffffffffUL)) {
+                    strm->msg = (char *)"incorrect length check";
+                    state->mode = BAD;
+                    break;
+                }
+                INITBITS();
+                Tracev((stderr, "inflate:   length matches trailer\n"));
+            }
+#endif
+            state->mode = DONE;
+        case DONE:
+            ret = Z_STREAM_END;
+            goto inf_leave;
+        case BAD:
+            ret = Z_DATA_ERROR;
+            goto inf_leave;
+        case MEM:
+            return Z_MEM_ERROR;
+        case SYNC:
+        default:
+            return Z_STREAM_ERROR;
+        }
+
+    /*
+       Return from inflate(), updating the total counts and the check value.
+       If there was no progress during the inflate() call, return a buffer
+       error.  Call updatewindow() to create and/or update the window state.
+       Note: a memory error from inflate() is non-recoverable.
+     */
+  inf_leave:
+    RESTORE();
+    if (state->wsize || (state->mode < CHECK && out != strm->avail_out))
+        if (updatewindow(strm, out)) {
+            state->mode = MEM;
+            return Z_MEM_ERROR;
+        }
+    in -= strm->avail_in;
+    out -= strm->avail_out;
+    strm->total_in += in;
+    strm->total_out += out;
+    state->total += out;
+    if (state->wrap && out)
+        strm->adler = state->check =
+            UPDATE(state->check, strm->next_out - out, out);
+    strm->data_type = state->bits + (state->last ? 64 : 0) +
+                      (state->mode == TYPE ? 128 : 0);
+    if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
+        ret = Z_BUF_ERROR;
+    return ret;
+}
+
+int ZEXPORT inflateEnd(strm)
+z_streamp strm;
+{
+    struct inflate_state FAR *state;
+    if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)
+        return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if (state->window != Z_NULL) ZFREE(strm, state->window);
+    ZFREE(strm, strm->state);
+    strm->state = Z_NULL;
+    Tracev((stderr, "inflate: end\n"));
+    return Z_OK;
+}
+
+int ZEXPORT inflateSetDictionary(strm, dictionary, dictLength)
+z_streamp strm;
+const Bytef *dictionary;
+uInt dictLength;
+{
+    struct inflate_state FAR *state;
+    unsigned long id;
+
+    /* check state */
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if (state->wrap != 0 && state->mode != DICT)
+        return Z_STREAM_ERROR;
+
+    /* check for correct dictionary id */
+    if (state->mode == DICT) {
+        id = adler32(0L, Z_NULL, 0);
+        id = adler32(id, dictionary, dictLength);
+        if (id != state->check)
+            return Z_DATA_ERROR;
+    }
+
+    /* copy dictionary to window */
+    if (updatewindow(strm, strm->avail_out)) {
+        state->mode = MEM;
+        return Z_MEM_ERROR;
+    }
+    if (dictLength > state->wsize) {
+        zmemcpy(state->window, dictionary + dictLength - state->wsize,
+                state->wsize);
+        state->whave = state->wsize;
+    }
+    else {
+        zmemcpy(state->window + state->wsize - dictLength, dictionary,
+                dictLength);
+        state->whave = dictLength;
+    }
+    state->havedict = 1;
+    Tracev((stderr, "inflate:   dictionary set\n"));
+    return Z_OK;
+}
+
+int ZEXPORT inflateGetHeader(strm, head)
+z_streamp strm;
+gz_headerp head;
+{
+    struct inflate_state FAR *state;
+
+    /* check state */
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if ((state->wrap & 2) == 0) return Z_STREAM_ERROR;
+
+    /* save header structure */
+    state->head = head;
+    head->done = 0;
+    return Z_OK;
+}
+
+/*
+   Search buf[0..len-1] for the pattern: 0, 0, 0xff, 0xff.  Return when found
+   or when out of input.  When called, *have is the number of pattern bytes
+   found in order so far, in 0..3.  On return *have is updated to the new
+   state.  If on return *have equals four, then the pattern was found and the
+   return value is how many bytes were read including the last byte of the
+   pattern.  If *have is less than four, then the pattern has not been found
+   yet and the return value is len.  In the latter case, syncsearch() can be
+   called again with more data and the *have state.  *have is initialized to
+   zero for the first call.
+ */
+local unsigned syncsearch(have, buf, len)
+unsigned FAR *have;
+unsigned char FAR *buf;
+unsigned len;
+{
+    unsigned got;
+    unsigned next;
+
+    got = *have;
+    next = 0;
+    while (next < len && got < 4) {
+        if ((int)(buf[next]) == (got < 2 ? 0 : 0xff))
+            got++;
+        else if (buf[next])
+            got = 0;
+        else
+            got = 4 - got;
+        next++;
+    }
+    *have = got;
+    return next;
+}
+
+int ZEXPORT inflateSync(strm)
+z_streamp strm;
+{
+    unsigned len;               /* number of bytes to look at or looked at */
+    unsigned long in, out;      /* temporary to save total_in and total_out */
+    unsigned char buf[4];       /* to restore bit buffer to byte string */
+    struct inflate_state FAR *state;
+
+    /* check parameters */
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if (strm->avail_in == 0 && state->bits < 8) return Z_BUF_ERROR;
+
+    /* if first time, start search in bit buffer */
+    if (state->mode != SYNC) {
+        state->mode = SYNC;
+        state->hold <<= state->bits & 7;
+        state->bits -= state->bits & 7;
+        len = 0;
+        while (state->bits >= 8) {
+            buf[len++] = (unsigned char)(state->hold);
+            state->hold >>= 8;
+            state->bits -= 8;
+        }
+        state->have = 0;
+        syncsearch(&(state->have), buf, len);
+    }
+
+    /* search available input */
+    len = syncsearch(&(state->have), strm->next_in, strm->avail_in);
+    strm->avail_in -= len;
+    strm->next_in += len;
+    strm->total_in += len;
+
+    /* return no joy or set up to restart inflate() on a new block */
+    if (state->have != 4) return Z_DATA_ERROR;
+    in = strm->total_in;  out = strm->total_out;
+    inflateReset(strm);
+    strm->total_in = in;  strm->total_out = out;
+    state->mode = TYPE;
+    return Z_OK;
+}
+
+/*
+   Returns true if inflate is currently at the end of a block generated by
+   Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP
+   implementation to provide an additional safety check. PPP uses
+   Z_SYNC_FLUSH but removes the length bytes of the resulting empty stored
+   block. When decompressing, PPP checks that at the end of input packet,
+   inflate is waiting for these length bytes.
+ */
+int ZEXPORT inflateSyncPoint(strm)
+z_streamp strm;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    return state->mode == STORED && state->bits == 0;
+}
+
+int ZEXPORT inflateCopy(dest, source)
+z_streamp dest;
+z_streamp source;
+{
+    struct inflate_state FAR *state;
+    struct inflate_state FAR *copy;
+    unsigned char FAR *window;
+    unsigned wsize;
+
+    /* check input */
+    if (dest == Z_NULL || source == Z_NULL || source->state == Z_NULL ||
+        source->zalloc == (alloc_func)0 || source->zfree == (free_func)0)
+        return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)source->state;
+
+    /* allocate space */
+    copy = (struct inflate_state FAR *)
+           ZALLOC(source, 1, sizeof(struct inflate_state));
+    if (copy == Z_NULL) return Z_MEM_ERROR;
+    window = Z_NULL;
+    if (state->window != Z_NULL) {
+        window = (unsigned char FAR *)
+                 ZALLOC(source, 1U << state->wbits, sizeof(unsigned char));
+        if (window == Z_NULL) {
+            ZFREE(source, copy);
+            return Z_MEM_ERROR;
+        }
+    }
+
+    /* copy state */
+    zmemcpy(dest, source, sizeof(z_stream));
+    zmemcpy(copy, state, sizeof(struct inflate_state));
+    if (state->lencode >= state->codes &&
+        state->lencode <= state->codes + ENOUGH - 1) {
+        copy->lencode = copy->codes + (state->lencode - state->codes);
+        copy->distcode = copy->codes + (state->distcode - state->codes);
+    }
+    copy->next = copy->codes + (state->next - state->codes);
+    if (window != Z_NULL) {
+        wsize = 1U << state->wbits;
+        zmemcpy(window, state->window, wsize);
+    }
+    copy->window = window;
+    dest->state = (struct internal_state FAR *)copy;
+    return Z_OK;
+}
diff --git a/security/nss/cmd/zlib/inflate.h b/security/nss/cmd/zlib/inflate.h
new file mode 100644
index 000000000..07bd3e78a
--- /dev/null
+++ b/security/nss/cmd/zlib/inflate.h
@@ -0,0 +1,115 @@
+/* inflate.h -- internal inflate state definition
+ * Copyright (C) 1995-2004 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* define NO_GZIP when compiling if you want to disable gzip header and
+   trailer decoding by inflate().  NO_GZIP would be used to avoid linking in
+   the crc code when it is not needed.  For shared libraries, gzip decoding
+   should be left enabled. */
+#ifndef NO_GZIP
+#  define GUNZIP
+#endif
+
+/* Possible inflate modes between inflate() calls */
+typedef enum {
+    HEAD,       /* i: waiting for magic header */
+    FLAGS,      /* i: waiting for method and flags (gzip) */
+    TIME,       /* i: waiting for modification time (gzip) */
+    OS,         /* i: waiting for extra flags and operating system (gzip) */
+    EXLEN,      /* i: waiting for extra length (gzip) */
+    EXTRA,      /* i: waiting for extra bytes (gzip) */
+    NAME,       /* i: waiting for end of file name (gzip) */
+    COMMENT,    /* i: waiting for end of comment (gzip) */
+    HCRC,       /* i: waiting for header crc (gzip) */
+    DICTID,     /* i: waiting for dictionary check value */
+    DICT,       /* waiting for inflateSetDictionary() call */
+        TYPE,       /* i: waiting for type bits, including last-flag bit */
+        TYPEDO,     /* i: same, but skip check to exit inflate on new block */
+        STORED,     /* i: waiting for stored size (length and complement) */
+        COPY,       /* i/o: waiting for input or output to copy stored block */
+        TABLE,      /* i: waiting for dynamic block table lengths */
+        LENLENS,    /* i: waiting for code length code lengths */
+        CODELENS,   /* i: waiting for length/lit and distance code lengths */
+            LEN,        /* i: waiting for length/lit code */
+            LENEXT,     /* i: waiting for length extra bits */
+            DIST,       /* i: waiting for distance code */
+            DISTEXT,    /* i: waiting for distance extra bits */
+            MATCH,      /* o: waiting for output space to copy string */
+            LIT,        /* o: waiting for output space to write literal */
+    CHECK,      /* i: waiting for 32-bit check value */
+    LENGTH,     /* i: waiting for 32-bit length (gzip) */
+    DONE,       /* finished check, done -- remain here until reset */
+    BAD,        /* got a data error -- remain here until reset */
+    MEM,        /* got an inflate() memory error -- remain here until reset */
+    SYNC        /* looking for synchronization bytes to restart inflate() */
+} inflate_mode;
+
+/*
+    State transitions between above modes -
+
+    (most modes can go to the BAD or MEM mode -- not shown for clarity)
+
+    Process header:
+        HEAD -> (gzip) or (zlib)
+        (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME
+        NAME -> COMMENT -> HCRC -> TYPE
+        (zlib) -> DICTID or TYPE
+        DICTID -> DICT -> TYPE
+    Read deflate blocks:
+            TYPE -> STORED or TABLE or LEN or CHECK
+            STORED -> COPY -> TYPE
+            TABLE -> LENLENS -> CODELENS -> LEN
+    Read deflate codes:
+                LEN -> LENEXT or LIT or TYPE
+                LENEXT -> DIST -> DISTEXT -> MATCH -> LEN
+                LIT -> LEN
+    Process trailer:
+        CHECK -> LENGTH -> DONE
+ */
+
+/* state maintained between inflate() calls.  Approximately 7K bytes. */
+struct inflate_state {
+    inflate_mode mode;          /* current inflate mode */
+    int last;                   /* true if processing last block */
+    int wrap;                   /* bit 0 true for zlib, bit 1 true for gzip */
+    int havedict;               /* true if dictionary provided */
+    int flags;                  /* gzip header method and flags (0 if zlib) */
+    unsigned dmax;              /* zlib header max distance (INFLATE_STRICT) */
+    unsigned long check;        /* protected copy of check value */
+    unsigned long total;        /* protected copy of output count */
+    gz_headerp head;            /* where to save gzip header information */
+        /* sliding window */
+    unsigned wbits;             /* log base 2 of requested window size */
+    unsigned wsize;             /* window size or zero if not using window */
+    unsigned whave;             /* valid bytes in the window */
+    unsigned write;             /* window write index */
+    unsigned char FAR *window;  /* allocated sliding window, if needed */
+        /* bit accumulator */
+    unsigned long hold;         /* input bit accumulator */
+    unsigned bits;              /* number of bits in "in" */
+        /* for string and stored block copying */
+    unsigned length;            /* literal or length of data to copy */
+    unsigned offset;            /* distance back to copy string from */
+        /* for table and code decoding */
+    unsigned extra;             /* extra bits needed */
+        /* fixed and dynamic code tables */
+    code const FAR *lencode;    /* starting table for length/literal codes */
+    code const FAR *distcode;   /* starting table for distance codes */
+    unsigned lenbits;           /* index bits for lencode */
+    unsigned distbits;          /* index bits for distcode */
+        /* dynamic table building */
+    unsigned ncode;             /* number of code length code lengths */
+    unsigned nlen;              /* number of length code lengths */
+    unsigned ndist;             /* number of distance code lengths */
+    unsigned have;              /* number of code lengths in lens[] */
+    code FAR *next;             /* next available space in codes[] */
+    unsigned short lens[320];   /* temporary storage for code lengths */
+    unsigned short work[288];   /* work area for code table building */
+    code codes[ENOUGH];         /* space for code tables */
+};
diff --git a/security/nss/cmd/zlib/inftrees.c b/security/nss/cmd/zlib/inftrees.c
new file mode 100644
index 000000000..8a9c13ff0
--- /dev/null
+++ b/security/nss/cmd/zlib/inftrees.c
@@ -0,0 +1,329 @@
+/* inftrees.c -- generate Huffman trees for efficient decoding
+ * Copyright (C) 1995-2005 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "zutil.h"
+#include "inftrees.h"
+
+#define MAXBITS 15
+
+const char inflate_copyright[] =
+   " inflate 1.2.3 Copyright 1995-2005 Mark Adler ";
+/*
+  If you use the zlib library in a product, an acknowledgment is welcome
+  in the documentation of your product. If for some reason you cannot
+  include such an acknowledgment, I would appreciate that you keep this
+  copyright string in the executable of your product.
+ */
+
+/*
+   Build a set of tables to decode the provided canonical Huffman code.
+   The code lengths are lens[0..codes-1].  The result starts at *table,
+   whose indices are 0..2^bits-1.  work is a writable array of at least
+   lens shorts, which is used as a work area.  type is the type of code
+   to be generated, CODES, LENS, or DISTS.  On return, zero is success,
+   -1 is an invalid code, and +1 means that ENOUGH isn't enough.  table
+   on return points to the next available entry's address.  bits is the
+   requested root table index bits, and on return it is the actual root
+   table index bits.  It will differ if the request is greater than the
+   longest code or if it is less than the shortest code.
+ */
+int inflate_table(type, lens, codes, table, bits, work)
+codetype type;
+unsigned short FAR *lens;
+unsigned codes;
+code FAR * FAR *table;
+unsigned FAR *bits;
+unsigned short FAR *work;
+{
+    unsigned len;               /* a code's length in bits */
+    unsigned sym;               /* index of code symbols */
+    unsigned min, max;          /* minimum and maximum code lengths */
+    unsigned root;              /* number of index bits for root table */
+    unsigned curr;              /* number of index bits for current table */
+    unsigned drop;              /* code bits to drop for sub-table */
+    int left;                   /* number of prefix codes available */
+    unsigned used;              /* code entries in table used */
+    unsigned huff;              /* Huffman code */
+    unsigned incr;              /* for incrementing code, index */
+    unsigned fill;              /* index for replicating entries */
+    unsigned low;               /* low bits for current root entry */
+    unsigned mask;              /* mask for low root bits */
+    code this;                  /* table entry for duplication */
+    code FAR *next;             /* next available space in table */
+    const unsigned short FAR *base;     /* base value table to use */
+    const unsigned short FAR *extra;    /* extra bits table to use */
+    int end;                    /* use base and extra for symbol > end */
+    unsigned short count[MAXBITS+1];    /* number of codes of each length */
+    unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+    static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
+        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
+    static const unsigned short lext[31] = { /* Length codes 257..285 extra */
+        16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
+        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 201, 196};
+    static const unsigned short dbase[32] = { /* Distance codes 0..29 base */
+        1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
+        257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
+        8193, 12289, 16385, 24577, 0, 0};
+    static const unsigned short dext[32] = { /* Distance codes 0..29 extra */
+        16, 16, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22,
+        23, 23, 24, 24, 25, 25, 26, 26, 27, 27,
+        28, 28, 29, 29, 64, 64};
+
+    /*
+       Process a set of code lengths to create a canonical Huffman code.  The
+       code lengths are lens[0..codes-1].  Each length corresponds to the
+       symbols 0..codes-1.  The Huffman code is generated by first sorting the
+       symbols by length from short to long, and retaining the symbol order
+       for codes with equal lengths.  Then the code starts with all zero bits
+       for the first code of the shortest length, and the codes are integer
+       increments for the same length, and zeros are appended as the length
+       increases.  For the deflate format, these bits are stored backwards
+       from their more natural integer increment ordering, and so when the
+       decoding tables are built in the large loop below, the integer codes
+       are incremented backwards.
+
+       This routine assumes, but does not check, that all of the entries in
+       lens[] are in the range 0..MAXBITS.  The caller must assure this.
+       1..MAXBITS is interpreted as that code length.  zero means that that
+       symbol does not occur in this code.
+
+       The codes are sorted by computing a count of codes for each length,
+       creating from that a table of starting indices for each length in the
+       sorted table, and then entering the symbols in order in the sorted
+       table.  The sorted table is work[], with that space being provided by
+       the caller.
+
+       The length counts are used for other purposes as well, i.e. finding
+       the minimum and maximum length codes, determining if there are any
+       codes at all, checking for a valid set of lengths, and looking ahead
+       at length counts to determine sub-table sizes when building the
+       decoding tables.
+     */
+
+    /* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */
+    for (len = 0; len <= MAXBITS; len++)
+        count[len] = 0;
+    for (sym = 0; sym < codes; sym++)
+        count[lens[sym]]++;
+
+    /* bound code lengths, force root to be within code lengths */
+    root = *bits;
+    for (max = MAXBITS; max >= 1; max--)
+        if (count[max] != 0) break;
+    if (root > max) root = max;
+    if (max == 0) {                     /* no symbols to code at all */
+        this.op = (unsigned char)64;    /* invalid code marker */
+        this.bits = (unsigned char)1;
+        this.val = (unsigned short)0;
+        *(*table)++ = this;             /* make a table to force an error */
+        *(*table)++ = this;
+        *bits = 1;
+        return 0;     /* no symbols, but wait for decoding to report error */
+    }
+    for (min = 1; min <= MAXBITS; min++)
+        if (count[min] != 0) break;
+    if (root < min) root = min;
+
+    /* check for an over-subscribed or incomplete set of lengths */
+    left = 1;
+    for (len = 1; len <= MAXBITS; len++) {
+        left <<= 1;
+        left -= count[len];
+        if (left < 0) return -1;        /* over-subscribed */
+    }
+    if (left > 0 && (type == CODES || max != 1))
+        return -1;                      /* incomplete set */
+
+    /* generate offsets into symbol table for each length for sorting */
+    offs[1] = 0;
+    for (len = 1; len < MAXBITS; len++)
+        offs[len + 1] = offs[len] + count[len];
+
+    /* sort symbols by length, by symbol order within each length */
+    for (sym = 0; sym < codes; sym++)
+        if (lens[sym] != 0) work[offs[lens[sym]]++] = (unsigned short)sym;
+
+    /*
+       Create and fill in decoding tables.  In this loop, the table being
+       filled is at next and has curr index bits.  The code being used is huff
+       with length len.  That code is converted to an index by dropping drop
+       bits off of the bottom.  For codes where len is less than drop + curr,
+       those top drop + curr - len bits are incremented through all values to
+       fill the table with replicated entries.
+
+       root is the number of index bits for the root table.  When len exceeds
+       root, sub-tables are created pointed to by the root entry with an index
+       of the low root bits of huff.  This is saved in low to check for when a
+       new sub-table should be started.  drop is zero when the root table is
+       being filled, and drop is root when sub-tables are being filled.
+
+       When a new sub-table is needed, it is necessary to look ahead in the
+       code lengths to determine what size sub-table is needed.  The length
+       counts are used for this, and so count[] is decremented as codes are
+       entered in the tables.
+
+       used keeps track of how many table entries have been allocated from the
+       provided *table space.  It is checked when a LENS table is being made
+       against the space in *table, ENOUGH, minus the maximum space needed by
+       the worst case distance code, MAXD.  This should never happen, but the
+       sufficiency of ENOUGH has not been proven exhaustively, hence the check.
+       This assumes that when type == LENS, bits == 9.
+
+       sym increments through all symbols, and the loop terminates when
+       all codes of length max, i.e. all codes, have been processed.  This
+       routine permits incomplete codes, so another loop after this one fills
+       in the rest of the decoding tables with invalid code markers.
+     */
+
+    /* set up for code type */
+    switch (type) {
+    case CODES:
+        base = extra = work;    /* dummy value--not used */
+        end = 19;
+        break;
+    case LENS:
+        base = lbase;
+        base -= 257;
+        extra = lext;
+        extra -= 257;
+        end = 256;
+        break;
+    default:            /* DISTS */
+        base = dbase;
+        extra = dext;
+        end = -1;
+    }
+
+    /* initialize state for loop */
+    huff = 0;                   /* starting code */
+    sym = 0;                    /* starting code symbol */
+    len = min;                  /* starting code length */
+    next = *table;              /* current table to fill in */
+    curr = root;                /* current table index bits */
+    drop = 0;                   /* current bits to drop from code for index */
+    low = (unsigned)(-1);       /* trigger new sub-table when len > root */
+    used = 1U << root;          /* use root table entries */
+    mask = used - 1;            /* mask for comparing low */
+
+    /* check available table space */
+    if (type == LENS && used >= ENOUGH - MAXD)
+        return 1;
+
+    /* process all codes and make table entries */
+    for (;;) {
+        /* create table entry */
+        this.bits = (unsigned char)(len - drop);
+        if ((int)(work[sym]) < end) {
+            this.op = (unsigned char)0;
+            this.val = work[sym];
+        }
+        else if ((int)(work[sym]) > end) {
+            this.op = (unsigned char)(extra[work[sym]]);
+            this.val = base[work[sym]];
+        }
+        else {
+            this.op = (unsigned char)(32 + 64);         /* end of block */
+            this.val = 0;
+        }
+
+        /* replicate for those indices with low len bits equal to huff */
+        incr = 1U << (len - drop);
+        fill = 1U << curr;
+        min = fill;                 /* save offset to next table */
+        do {
+            fill -= incr;
+            next[(huff >> drop) + fill] = this;
+        } while (fill != 0);
+
+        /* backwards increment the len-bit code huff */
+        incr = 1U << (len - 1);
+        while (huff & incr)
+            incr >>= 1;
+        if (incr != 0) {
+            huff &= incr - 1;
+            huff += incr;
+        }
+        else
+            huff = 0;
+
+        /* go to next symbol, update count, len */
+        sym++;
+        if (--(count[len]) == 0) {
+            if (len == max) break;
+            len = lens[work[sym]];
+        }
+
+        /* create new sub-table if needed */
+        if (len > root && (huff & mask) != low) {
+            /* if first time, transition to sub-tables */
+            if (drop == 0)
+                drop = root;
+
+            /* increment past last table */
+            next += min;            /* here min is 1 << curr */
+
+            /* determine length of next table */
+            curr = len - drop;
+            left = (int)(1 << curr);
+            while (curr + drop < max) {
+                left -= count[curr + drop];
+                if (left <= 0) break;
+                curr++;
+                left <<= 1;
+            }
+
+            /* check for enough space */
+            used += 1U << curr;
+            if (type == LENS && used >= ENOUGH - MAXD)
+                return 1;
+
+            /* point entry in root table to sub-table */
+            low = huff & mask;
+            (*table)[low].op = (unsigned char)curr;
+            (*table)[low].bits = (unsigned char)root;
+            (*table)[low].val = (unsigned short)(next - *table);
+        }
+    }
+
+    /*
+       Fill in rest of table for incomplete codes.  This loop is similar to the
+       loop above in incrementing huff for table indices.  It is assumed that
+       len is equal to curr + drop, so there is no loop needed to increment
+       through high index bits.  When the current sub-table is filled, the loop
+       drops back to the root table to fill in any remaining entries there.
+     */
+    this.op = (unsigned char)64;                /* invalid code marker */
+    this.bits = (unsigned char)(len - drop);
+    this.val = (unsigned short)0;
+    while (huff != 0) {
+        /* when done with sub-table, drop back to root table */
+        if (drop != 0 && (huff & mask) != low) {
+            drop = 0;
+            len = root;
+            next = *table;
+            this.bits = (unsigned char)len;
+        }
+
+        /* put invalid code marker in table */
+        next[huff >> drop] = this;
+
+        /* backwards increment the len-bit code huff */
+        incr = 1U << (len - 1);
+        while (huff & incr)
+            incr >>= 1;
+        if (incr != 0) {
+            huff &= incr - 1;
+            huff += incr;
+        }
+        else
+            huff = 0;
+    }
+
+    /* set return parameters */
+    *table += used;
+    *bits = root;
+    return 0;
+}
diff --git a/security/nss/cmd/zlib/inftrees.h b/security/nss/cmd/zlib/inftrees.h
new file mode 100644
index 000000000..b1104c87e
--- /dev/null
+++ b/security/nss/cmd/zlib/inftrees.h
@@ -0,0 +1,55 @@
+/* inftrees.h -- header to use inftrees.c
+ * Copyright (C) 1995-2005 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* Structure for decoding tables.  Each entry provides either the
+   information needed to do the operation requested by the code that
+   indexed that table entry, or it provides a pointer to another
+   table that indexes more bits of the code.  op indicates whether
+   the entry is a pointer to another table, a literal, a length or
+   distance, an end-of-block, or an invalid code.  For a table
+   pointer, the low four bits of op is the number of index bits of
+   that table.  For a length or distance, the low four bits of op
+   is the number of extra bits to get after the code.  bits is
+   the number of bits in this code or part of the code to drop off
+   of the bit buffer.  val is the actual byte to output in the case
+   of a literal, the base length or distance, or the offset from
+   the current table to the next table.  Each entry is four bytes. */
+typedef struct {
+    unsigned char op;           /* operation, extra bits, table bits */
+    unsigned char bits;         /* bits in this part of the code */
+    unsigned short val;         /* offset in table or code value */
+} code;
+
+/* op values as set by inflate_table():
+    00000000 - literal
+    0000tttt - table link, tttt != 0 is the number of table index bits
+    0001eeee - length or distance, eeee is the number of extra bits
+    01100000 - end of block
+    01000000 - invalid code
+ */
+
+/* Maximum size of dynamic tree.  The maximum found in a long but non-
+   exhaustive search was 1444 code structures (852 for length/literals
+   and 592 for distances, the latter actually the result of an
+   exhaustive search).  The true maximum is not known, but the value
+   below is more than safe. */
+#define ENOUGH 2048
+#define MAXD 592
+
+/* Type of code to build for inftable() */
+typedef enum {
+    CODES,
+    LENS,
+    DISTS
+} codetype;
+
+extern int inflate_table OF((codetype type, unsigned short FAR *lens,
+                             unsigned codes, code FAR * FAR *table,
+                             unsigned FAR *bits, unsigned short FAR *work));
diff --git a/security/nss/cmd/zlib/manifest.mn b/security/nss/cmd/zlib/manifest.mn
new file mode 100644
index 000000000..ae4348295
--- /dev/null
+++ b/security/nss/cmd/zlib/manifest.mn
@@ -0,0 +1,68 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+PRIVATE_EXPORTS = zlib.h zconf.h
+
+CSRCS =	adler32.c 	\
+	compress.c 	\
+	crc32.c 	\
+	gzio.c  	\
+	uncompr.c 	\
+	deflate.c 	\
+	trees.c 	\
+	zutil.c 	\
+	inflate.c 	\
+	infback.c 	\
+	inftrees.c 	\
+	inffast.c 	\
+	$(NULL)
+
+LIBRARY_NAME = zlib
+
+PROGRAMS = example minigzip
+
+# REQUIRES = nss
+
+# Define verbose as -1 to turn off all zlib trace messages in
+# debug builds.
+DEFINES = -Dverbose=-1
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/zlib/minigzip.c b/security/nss/cmd/zlib/minigzip.c
new file mode 100644
index 000000000..4524b96a1
--- /dev/null
+++ b/security/nss/cmd/zlib/minigzip.c
@@ -0,0 +1,322 @@
+/* minigzip.c -- simulate gzip using the zlib compression library
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/*
+ * minigzip is a minimal implementation of the gzip utility. This is
+ * only an example of using zlib and isn't meant to replace the
+ * full-featured gzip. No attempt is made to deal with file systems
+ * limiting names to 14 or 8+3 characters, etc... Error checking is
+ * very limited. So use minigzip only for testing; use gzip for the
+ * real thing. On MSDOS, use only on file names without extension
+ * or in pipe mode.
+ */
+
+/* @(#) $Id$ */
+
+#include <stdio.h>
+#include "zlib.h"
+
+#ifdef STDC
+#  include <string.h>
+#  include <stdlib.h>
+#endif
+
+#ifdef USE_MMAP
+#  include <sys/types.h>
+#  include <sys/mman.h>
+#  include <sys/stat.h>
+#endif
+
+#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
+#  include <fcntl.h>
+#  include <io.h>
+#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
+#else
+#  define SET_BINARY_MODE(file)
+#endif
+
+#ifdef VMS
+#  define unlink delete
+#  define GZ_SUFFIX "-gz"
+#endif
+#ifdef RISCOS
+#  define unlink remove
+#  define GZ_SUFFIX "-gz"
+#  define fileno(file) file->__file
+#endif
+#if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
+#  include <unix.h> /* for fileno */
+#endif
+
+#ifndef WIN32 /* unlink already in stdio.h for WIN32 */
+  extern int unlink OF((const char *));
+#endif
+
+#ifndef GZ_SUFFIX
+#  define GZ_SUFFIX ".gz"
+#endif
+#define SUFFIX_LEN (sizeof(GZ_SUFFIX)-1)
+
+#define BUFLEN      16384
+#define MAX_NAME_LEN 1024
+
+#ifdef MAXSEG_64K
+#  define local static
+   /* Needed for systems with limitation on stack size. */
+#else
+#  define local
+#endif
+
+char *prog;
+
+void error            OF((const char *msg));
+void gz_compress      OF((FILE   *in, gzFile out));
+#ifdef USE_MMAP
+int  gz_compress_mmap OF((FILE   *in, gzFile out));
+#endif
+void gz_uncompress    OF((gzFile in, FILE   *out));
+void file_compress    OF((char  *file, char *mode));
+void file_uncompress  OF((char  *file));
+int  main             OF((int argc, char *argv[]));
+
+/* ===========================================================================
+ * Display error message and exit
+ */
+void error(msg)
+    const char *msg;
+{
+    fprintf(stderr, "%s: %s\n", prog, msg);
+    exit(1);
+}
+
+/* ===========================================================================
+ * Compress input to output then close both files.
+ */
+
+void gz_compress(in, out)
+    FILE   *in;
+    gzFile out;
+{
+    local char buf[BUFLEN];
+    int len;
+    int err;
+
+#ifdef USE_MMAP
+    /* Try first compressing with mmap. If mmap fails (minigzip used in a
+     * pipe), use the normal fread loop.
+     */
+    if (gz_compress_mmap(in, out) == Z_OK) return;
+#endif
+    for (;;) {
+        len = (int)fread(buf, 1, sizeof(buf), in);
+        if (ferror(in)) {
+            perror("fread");
+            exit(1);
+        }
+        if (len == 0) break;
+
+        if (gzwrite(out, buf, (unsigned)len) != len) error(gzerror(out, &err));
+    }
+    fclose(in);
+    if (gzclose(out) != Z_OK) error("failed gzclose");
+}
+
+#ifdef USE_MMAP /* MMAP version, Miguel Albrecht <malbrech@eso.org> */
+
+/* Try compressing the input file at once using mmap. Return Z_OK if
+ * if success, Z_ERRNO otherwise.
+ */
+int gz_compress_mmap(in, out)
+    FILE   *in;
+    gzFile out;
+{
+    int len;
+    int err;
+    int ifd = fileno(in);
+    caddr_t buf;    /* mmap'ed buffer for the entire input file */
+    off_t buf_len;  /* length of the input file */
+    struct stat sb;
+
+    /* Determine the size of the file, needed for mmap: */
+    if (fstat(ifd, &sb) < 0) return Z_ERRNO;
+    buf_len = sb.st_size;
+    if (buf_len <= 0) return Z_ERRNO;
+
+    /* Now do the actual mmap: */
+    buf = mmap((caddr_t) 0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0);
+    if (buf == (caddr_t)(-1)) return Z_ERRNO;
+
+    /* Compress the whole file at once: */
+    len = gzwrite(out, (char *)buf, (unsigned)buf_len);
+
+    if (len != (int)buf_len) error(gzerror(out, &err));
+
+    munmap(buf, buf_len);
+    fclose(in);
+    if (gzclose(out) != Z_OK) error("failed gzclose");
+    return Z_OK;
+}
+#endif /* USE_MMAP */
+
+/* ===========================================================================
+ * Uncompress input to output then close both files.
+ */
+void gz_uncompress(in, out)
+    gzFile in;
+    FILE   *out;
+{
+    local char buf[BUFLEN];
+    int len;
+    int err;
+
+    for (;;) {
+        len = gzread(in, buf, sizeof(buf));
+        if (len < 0) error (gzerror(in, &err));
+        if (len == 0) break;
+
+        if ((int)fwrite(buf, 1, (unsigned)len, out) != len) {
+            error("failed fwrite");
+        }
+    }
+    if (fclose(out)) error("failed fclose");
+
+    if (gzclose(in) != Z_OK) error("failed gzclose");
+}
+
+
+/* ===========================================================================
+ * Compress the given file: create a corresponding .gz file and remove the
+ * original.
+ */
+void file_compress(file, mode)
+    char  *file;
+    char  *mode;
+{
+    local char outfile[MAX_NAME_LEN];
+    FILE  *in;
+    gzFile out;
+
+    strcpy(outfile, file);
+    strcat(outfile, GZ_SUFFIX);
+
+    in = fopen(file, "rb");
+    if (in == NULL) {
+        perror(file);
+        exit(1);
+    }
+    out = gzopen(outfile, mode);
+    if (out == NULL) {
+        fprintf(stderr, "%s: can't gzopen %s\n", prog, outfile);
+        exit(1);
+    }
+    gz_compress(in, out);
+
+    unlink(file);
+}
+
+
+/* ===========================================================================
+ * Uncompress the given file and remove the original.
+ */
+void file_uncompress(file)
+    char  *file;
+{
+    local char buf[MAX_NAME_LEN];
+    char *infile, *outfile;
+    FILE  *out;
+    gzFile in;
+    uInt len = (uInt)strlen(file);
+
+    strcpy(buf, file);
+
+    if (len > SUFFIX_LEN && strcmp(file+len-SUFFIX_LEN, GZ_SUFFIX) == 0) {
+        infile = file;
+        outfile = buf;
+        outfile[len-3] = '\0';
+    } else {
+        outfile = file;
+        infile = buf;
+        strcat(infile, GZ_SUFFIX);
+    }
+    in = gzopen(infile, "rb");
+    if (in == NULL) {
+        fprintf(stderr, "%s: can't gzopen %s\n", prog, infile);
+        exit(1);
+    }
+    out = fopen(outfile, "wb");
+    if (out == NULL) {
+        perror(file);
+        exit(1);
+    }
+
+    gz_uncompress(in, out);
+
+    unlink(infile);
+}
+
+
+/* ===========================================================================
+ * Usage:  minigzip [-d] [-f] [-h] [-r] [-1 to -9] [files...]
+ *   -d : decompress
+ *   -f : compress with Z_FILTERED
+ *   -h : compress with Z_HUFFMAN_ONLY
+ *   -r : compress with Z_RLE
+ *   -1 to -9 : compression level
+ */
+
+int main(argc, argv)
+    int argc;
+    char *argv[];
+{
+    int uncompr = 0;
+    gzFile file;
+    char outmode[20];
+
+    strcpy(outmode, "wb6 ");
+
+    prog = argv[0];
+    argc--, argv++;
+
+    while (argc > 0) {
+      if (strcmp(*argv, "-d") == 0)
+        uncompr = 1;
+      else if (strcmp(*argv, "-f") == 0)
+        outmode[3] = 'f';
+      else if (strcmp(*argv, "-h") == 0)
+        outmode[3] = 'h';
+      else if (strcmp(*argv, "-r") == 0)
+        outmode[3] = 'R';
+      else if ((*argv)[0] == '-' && (*argv)[1] >= '1' && (*argv)[1] <= '9' &&
+               (*argv)[2] == 0)
+        outmode[2] = (*argv)[1];
+      else
+        break;
+      argc--, argv++;
+    }
+    if (outmode[3] == ' ')
+        outmode[3] = 0;
+    if (argc == 0) {
+        SET_BINARY_MODE(stdin);
+        SET_BINARY_MODE(stdout);
+        if (uncompr) {
+            file = gzdopen(fileno(stdin), "rb");
+            if (file == NULL) error("can't gzdopen stdin");
+            gz_uncompress(file, stdout);
+        } else {
+            file = gzdopen(fileno(stdout), outmode);
+            if (file == NULL) error("can't gzdopen stdout");
+            gz_compress(stdin, file);
+        }
+    } else {
+        do {
+            if (uncompr) {
+                file_uncompress(*argv);
+            } else {
+                file_compress(*argv, outmode);
+            }
+        } while (argv++, --argc);
+    }
+    return 0;
+}
diff --git a/security/nss/cmd/zlib/trees.c b/security/nss/cmd/zlib/trees.c
new file mode 100644
index 000000000..395e4e168
--- /dev/null
+++ b/security/nss/cmd/zlib/trees.c
@@ -0,0 +1,1219 @@
+/* trees.c -- output deflated data using Huffman coding
+ * Copyright (C) 1995-2005 Jean-loup Gailly
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/*
+ *  ALGORITHM
+ *
+ *      The "deflation" process uses several Huffman trees. The more
+ *      common source values are represented by shorter bit sequences.
+ *
+ *      Each code tree is stored in a compressed form which is itself
+ * a Huffman encoding of the lengths of all the code strings (in
+ * ascending order by source values).  The actual code strings are
+ * reconstructed from the lengths in the inflate process, as described
+ * in the deflate specification.
+ *
+ *  REFERENCES
+ *
+ *      Deutsch, L.P.,"'Deflate' Compressed Data Format Specification".
+ *      Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc
+ *
+ *      Storer, James A.
+ *          Data Compression:  Methods and Theory, pp. 49-50.
+ *          Computer Science Press, 1988.  ISBN 0-7167-8156-5.
+ *
+ *      Sedgewick, R.
+ *          Algorithms, p290.
+ *          Addison-Wesley, 1983. ISBN 0-201-06672-6.
+ */
+
+/* @(#) $Id$ */
+
+/* #define GEN_TREES_H */
+
+#include "deflate.h"
+
+#ifdef DEBUG
+#  include <ctype.h>
+#endif
+
+/* ===========================================================================
+ * Constants
+ */
+
+#define MAX_BL_BITS 7
+/* Bit length codes must not exceed MAX_BL_BITS bits */
+
+#define END_BLOCK 256
+/* end of block literal code */
+
+#define REP_3_6      16
+/* repeat previous bit length 3-6 times (2 bits of repeat count) */
+
+#define REPZ_3_10    17
+/* repeat a zero length 3-10 times  (3 bits of repeat count) */
+
+#define REPZ_11_138  18
+/* repeat a zero length 11-138 times  (7 bits of repeat count) */
+
+local const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */
+   = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};
+
+local const int extra_dbits[D_CODES] /* extra bits for each distance code */
+   = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};
+
+local const int extra_blbits[BL_CODES]/* extra bits for each bit length code */
+   = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};
+
+local const uch bl_order[BL_CODES]
+   = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};
+/* The lengths of the bit length codes are sent in order of decreasing
+ * probability, to avoid transmitting the lengths for unused bit length codes.
+ */
+
+#define Buf_size (8 * 2*sizeof(char))
+/* Number of bits used within bi_buf. (bi_buf might be implemented on
+ * more than 16 bits on some systems.)
+ */
+
+/* ===========================================================================
+ * Local data. These are initialized only once.
+ */
+
+#define DIST_CODE_LEN  512 /* see definition of array dist_code below */
+
+#if defined(GEN_TREES_H) || !defined(STDC)
+/* non ANSI compilers may not accept trees.h */
+
+local ct_data static_ltree[L_CODES+2];
+/* The static literal tree. Since the bit lengths are imposed, there is no
+ * need for the L_CODES extra codes used during heap construction. However
+ * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
+ * below).
+ */
+
+local ct_data static_dtree[D_CODES];
+/* The static distance tree. (Actually a trivial tree since all codes use
+ * 5 bits.)
+ */
+
+uch _dist_code[DIST_CODE_LEN];
+/* Distance codes. The first 256 values correspond to the distances
+ * 3 .. 258, the last 256 values correspond to the top 8 bits of
+ * the 15 bit distances.
+ */
+
+uch _length_code[MAX_MATCH-MIN_MATCH+1];
+/* length code for each normalized match length (0 == MIN_MATCH) */
+
+local int base_length[LENGTH_CODES];
+/* First normalized length for each code (0 = MIN_MATCH) */
+
+local int base_dist[D_CODES];
+/* First normalized distance for each code (0 = distance of 1) */
+
+#else
+#  include "trees.h"
+#endif /* GEN_TREES_H */
+
+struct static_tree_desc_s {
+    const ct_data *static_tree;  /* static tree or NULL */
+    const intf *extra_bits;      /* extra bits for each code or NULL */
+    int     extra_base;          /* base index for extra_bits */
+    int     elems;               /* max number of elements in the tree */
+    int     max_length;          /* max bit length for the codes */
+};
+
+local static_tree_desc  static_l_desc =
+{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};
+
+local static_tree_desc  static_d_desc =
+{static_dtree, extra_dbits, 0,          D_CODES, MAX_BITS};
+
+local static_tree_desc  static_bl_desc =
+{(const ct_data *)0, extra_blbits, 0,   BL_CODES, MAX_BL_BITS};
+
+/* ===========================================================================
+ * Local (static) routines in this file.
+ */
+
+local void tr_static_init OF((void));
+local void init_block     OF((deflate_state *s));
+local void pqdownheap     OF((deflate_state *s, ct_data *tree, int k));
+local void gen_bitlen     OF((deflate_state *s, tree_desc *desc));
+local void gen_codes      OF((ct_data *tree, int max_code, ushf *bl_count));
+local void build_tree     OF((deflate_state *s, tree_desc *desc));
+local void scan_tree      OF((deflate_state *s, ct_data *tree, int max_code));
+local void send_tree      OF((deflate_state *s, ct_data *tree, int max_code));
+local int  build_bl_tree  OF((deflate_state *s));
+local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes,
+                              int blcodes));
+local void compress_block OF((deflate_state *s, ct_data *ltree,
+                              ct_data *dtree));
+local void set_data_type  OF((deflate_state *s));
+local unsigned bi_reverse OF((unsigned value, int length));
+local void bi_windup      OF((deflate_state *s));
+local void bi_flush       OF((deflate_state *s));
+local void copy_block     OF((deflate_state *s, charf *buf, unsigned len,
+                              int header));
+
+#ifdef GEN_TREES_H
+local void gen_trees_header OF((void));
+#endif
+
+#ifndef DEBUG
+#  define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)
+   /* Send a code of the given tree. c and tree must not have side effects */
+
+#else /* DEBUG */
+#  define send_code(s, c, tree) \
+     { if (z_verbose>2) fprintf(stderr,"\ncd %3d ",(c)); \
+       send_bits(s, tree[c].Code, tree[c].Len); }
+#endif
+
+/* ===========================================================================
+ * Output a short LSB first on the stream.
+ * IN assertion: there is enough room in pendingBuf.
+ */
+#define put_short(s, w) { \
+    put_byte(s, (uch)((w) & 0xff)); \
+    put_byte(s, (uch)((ush)(w) >> 8)); \
+}
+
+/* ===========================================================================
+ * Send a value on a given number of bits.
+ * IN assertion: length <= 16 and value fits in length bits.
+ */
+#ifdef DEBUG
+local void send_bits      OF((deflate_state *s, int value, int length));
+
+local void send_bits(s, value, length)
+    deflate_state *s;
+    int value;  /* value to send */
+    int length; /* number of bits */
+{
+    Tracevv((stderr," l %2d v %4x ", length, value));
+    Assert(length > 0 && length <= 15, "invalid length");
+    s->bits_sent += (ulg)length;
+
+    /* If not enough room in bi_buf, use (valid) bits from bi_buf and
+     * (16 - bi_valid) bits from value, leaving (width - (16-bi_valid))
+     * unused bits in value.
+     */
+    if (s->bi_valid > (int)Buf_size - length) {
+        s->bi_buf |= (value << s->bi_valid);
+        put_short(s, s->bi_buf);
+        s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
+        s->bi_valid += length - Buf_size;
+    } else {
+        s->bi_buf |= value << s->bi_valid;
+        s->bi_valid += length;
+    }
+}
+#else /* !DEBUG */
+
+#define send_bits(s, value, length) \
+{ int len = length;\
+  if (s->bi_valid > (int)Buf_size - len) {\
+    int val = value;\
+    s->bi_buf |= (val << s->bi_valid);\
+    put_short(s, s->bi_buf);\
+    s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
+    s->bi_valid += len - Buf_size;\
+  } else {\
+    s->bi_buf |= (value) << s->bi_valid;\
+    s->bi_valid += len;\
+  }\
+}
+#endif /* DEBUG */
+
+
+/* the arguments must not have side effects */
+
+/* ===========================================================================
+ * Initialize the various 'constant' tables.
+ */
+local void tr_static_init()
+{
+#if defined(GEN_TREES_H) || !defined(STDC)
+    static int static_init_done = 0;
+    int n;        /* iterates over tree elements */
+    int bits;     /* bit counter */
+    int length;   /* length value */
+    int code;     /* code value */
+    int dist;     /* distance index */
+    ush bl_count[MAX_BITS+1];
+    /* number of codes at each bit length for an optimal tree */
+
+    if (static_init_done) return;
+
+    /* For some embedded targets, global variables are not initialized: */
+    static_l_desc.static_tree = static_ltree;
+    static_l_desc.extra_bits = extra_lbits;
+    static_d_desc.static_tree = static_dtree;
+    static_d_desc.extra_bits = extra_dbits;
+    static_bl_desc.extra_bits = extra_blbits;
+
+    /* Initialize the mapping length (0..255) -> length code (0..28) */
+    length = 0;
+    for (code = 0; code < LENGTH_CODES-1; code++) {
+        base_length[code] = length;
+        for (n = 0; n < (1<<extra_lbits[code]); n++) {
+            _length_code[length++] = (uch)code;
+        }
+    }
+    Assert (length == 256, "tr_static_init: length != 256");
+    /* Note that the length 255 (match length 258) can be represented
+     * in two different ways: code 284 + 5 bits or code 285, so we
+     * overwrite length_code[255] to use the best encoding:
+     */
+    _length_code[length-1] = (uch)code;
+
+    /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
+    dist = 0;
+    for (code = 0 ; code < 16; code++) {
+        base_dist[code] = dist;
+        for (n = 0; n < (1<<extra_dbits[code]); n++) {
+            _dist_code[dist++] = (uch)code;
+        }
+    }
+    Assert (dist == 256, "tr_static_init: dist != 256");
+    dist >>= 7; /* from now on, all distances are divided by 128 */
+    for ( ; code < D_CODES; code++) {
+        base_dist[code] = dist << 7;
+        for (n = 0; n < (1<<(extra_dbits[code]-7)); n++) {
+            _dist_code[256 + dist++] = (uch)code;
+        }
+    }
+    Assert (dist == 256, "tr_static_init: 256+dist != 512");
+
+    /* Construct the codes of the static literal tree */
+    for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;
+    n = 0;
+    while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;
+    while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;
+    while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;
+    while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;
+    /* Codes 286 and 287 do not exist, but we must include them in the
+     * tree construction to get a canonical Huffman tree (longest code
+     * all ones)
+     */
+    gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);
+
+    /* The static distance tree is trivial: */
+    for (n = 0; n < D_CODES; n++) {
+        static_dtree[n].Len = 5;
+        static_dtree[n].Code = bi_reverse((unsigned)n, 5);
+    }
+    static_init_done = 1;
+
+#  ifdef GEN_TREES_H
+    gen_trees_header();
+#  endif
+#endif /* defined(GEN_TREES_H) || !defined(STDC) */
+}
+
+/* ===========================================================================
+ * Genererate the file trees.h describing the static trees.
+ */
+#ifdef GEN_TREES_H
+#  ifndef DEBUG
+#    include <stdio.h>
+#  endif
+
+#  define SEPARATOR(i, last, width) \
+      ((i) == (last)? "\n};\n\n" :    \
+       ((i) % (width) == (width)-1 ? ",\n" : ", "))
+
+void gen_trees_header()
+{
+    FILE *header = fopen("trees.h", "w");
+    int i;
+
+    Assert (header != NULL, "Can't open trees.h");
+    fprintf(header,
+            "/* header created automatically with -DGEN_TREES_H */\n\n");
+
+    fprintf(header, "local const ct_data static_ltree[L_CODES+2] = {\n");
+    for (i = 0; i < L_CODES+2; i++) {
+        fprintf(header, "{{%3u},{%3u}}%s", static_ltree[i].Code,
+                static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));
+    }
+
+    fprintf(header, "local const ct_data static_dtree[D_CODES] = {\n");
+    for (i = 0; i < D_CODES; i++) {
+        fprintf(header, "{{%2u},{%2u}}%s", static_dtree[i].Code,
+                static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
+    }
+
+    fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n");
+    for (i = 0; i < DIST_CODE_LEN; i++) {
+        fprintf(header, "%2u%s", _dist_code[i],
+                SEPARATOR(i, DIST_CODE_LEN-1, 20));
+    }
+
+    fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
+    for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
+        fprintf(header, "%2u%s", _length_code[i],
+                SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
+    }
+
+    fprintf(header, "local const int base_length[LENGTH_CODES] = {\n");
+    for (i = 0; i < LENGTH_CODES; i++) {
+        fprintf(header, "%1u%s", base_length[i],
+                SEPARATOR(i, LENGTH_CODES-1, 20));
+    }
+
+    fprintf(header, "local const int base_dist[D_CODES] = {\n");
+    for (i = 0; i < D_CODES; i++) {
+        fprintf(header, "%5u%s", base_dist[i],
+                SEPARATOR(i, D_CODES-1, 10));
+    }
+
+    fclose(header);
+}
+#endif /* GEN_TREES_H */
+
+/* ===========================================================================
+ * Initialize the tree data structures for a new zlib stream.
+ */
+void _tr_init(s)
+    deflate_state *s;
+{
+    tr_static_init();
+
+    s->l_desc.dyn_tree = s->dyn_ltree;
+    s->l_desc.stat_desc = &static_l_desc;
+
+    s->d_desc.dyn_tree = s->dyn_dtree;
+    s->d_desc.stat_desc = &static_d_desc;
+
+    s->bl_desc.dyn_tree = s->bl_tree;
+    s->bl_desc.stat_desc = &static_bl_desc;
+
+    s->bi_buf = 0;
+    s->bi_valid = 0;
+    s->last_eob_len = 8; /* enough lookahead for inflate */
+#ifdef DEBUG
+    s->compressed_len = 0L;
+    s->bits_sent = 0L;
+#endif
+
+    /* Initialize the first block of the first file: */
+    init_block(s);
+}
+
+/* ===========================================================================
+ * Initialize a new block.
+ */
+local void init_block(s)
+    deflate_state *s;
+{
+    int n; /* iterates over tree elements */
+
+    /* Initialize the trees. */
+    for (n = 0; n < L_CODES;  n++) s->dyn_ltree[n].Freq = 0;
+    for (n = 0; n < D_CODES;  n++) s->dyn_dtree[n].Freq = 0;
+    for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;
+
+    s->dyn_ltree[END_BLOCK].Freq = 1;
+    s->opt_len = s->static_len = 0L;
+    s->last_lit = s->matches = 0;
+}
+
+#define SMALLEST 1
+/* Index within the heap array of least frequent node in the Huffman tree */
+
+
+/* ===========================================================================
+ * Remove the smallest element from the heap and recreate the heap with
+ * one less element. Updates heap and heap_len.
+ */
+#define pqremove(s, tree, top) \
+{\
+    top = s->heap[SMALLEST]; \
+    s->heap[SMALLEST] = s->heap[s->heap_len--]; \
+    pqdownheap(s, tree, SMALLEST); \
+}
+
+/* ===========================================================================
+ * Compares to subtrees, using the tree depth as tie breaker when
+ * the subtrees have equal frequency. This minimizes the worst case length.
+ */
+#define smaller(tree, n, m, depth) \
+   (tree[n].Freq < tree[m].Freq || \
+   (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))
+
+/* ===========================================================================
+ * Restore the heap property by moving down the tree starting at node k,
+ * exchanging a node with the smallest of its two sons if necessary, stopping
+ * when the heap property is re-established (each father smaller than its
+ * two sons).
+ */
+local void pqdownheap(s, tree, k)
+    deflate_state *s;
+    ct_data *tree;  /* the tree to restore */
+    int k;               /* node to move down */
+{
+    int v = s->heap[k];
+    int j = k << 1;  /* left son of k */
+    while (j <= s->heap_len) {
+        /* Set j to the smallest of the two sons: */
+        if (j < s->heap_len &&
+            smaller(tree, s->heap[j+1], s->heap[j], s->depth)) {
+            j++;
+        }
+        /* Exit if v is smaller than both sons */
+        if (smaller(tree, v, s->heap[j], s->depth)) break;
+
+        /* Exchange v with the smallest son */
+        s->heap[k] = s->heap[j];  k = j;
+
+        /* And continue down the tree, setting j to the left son of k */
+        j <<= 1;
+    }
+    s->heap[k] = v;
+}
+
+/* ===========================================================================
+ * Compute the optimal bit lengths for a tree and update the total bit length
+ * for the current block.
+ * IN assertion: the fields freq and dad are set, heap[heap_max] and
+ *    above are the tree nodes sorted by increasing frequency.
+ * OUT assertions: the field len is set to the optimal bit length, the
+ *     array bl_count contains the frequencies for each bit length.
+ *     The length opt_len is updated; static_len is also updated if stree is
+ *     not null.
+ */
+local void gen_bitlen(s, desc)
+    deflate_state *s;
+    tree_desc *desc;    /* the tree descriptor */
+{
+    ct_data *tree        = desc->dyn_tree;
+    int max_code         = desc->max_code;
+    const ct_data *stree = desc->stat_desc->static_tree;
+    const intf *extra    = desc->stat_desc->extra_bits;
+    int base             = desc->stat_desc->extra_base;
+    int max_length       = desc->stat_desc->max_length;
+    int h;              /* heap index */
+    int n, m;           /* iterate over the tree elements */
+    int bits;           /* bit length */
+    int xbits;          /* extra bits */
+    ush f;              /* frequency */
+    int overflow = 0;   /* number of elements with bit length too large */
+
+    for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;
+
+    /* In a first pass, compute the optimal bit lengths (which may
+     * overflow in the case of the bit length tree).
+     */
+    tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */
+
+    for (h = s->heap_max+1; h < HEAP_SIZE; h++) {
+        n = s->heap[h];
+        bits = tree[tree[n].Dad].Len + 1;
+        if (bits > max_length) bits = max_length, overflow++;
+        tree[n].Len = (ush)bits;
+        /* We overwrite tree[n].Dad which is no longer needed */
+
+        if (n > max_code) continue; /* not a leaf node */
+
+        s->bl_count[bits]++;
+        xbits = 0;
+        if (n >= base) xbits = extra[n-base];
+        f = tree[n].Freq;
+        s->opt_len += (ulg)f * (bits + xbits);
+        if (stree) s->static_len += (ulg)f * (stree[n].Len + xbits);
+    }
+    if (overflow == 0) return;
+
+    Trace((stderr,"\nbit length overflow\n"));
+    /* This happens for example on obj2 and pic of the Calgary corpus */
+
+    /* Find the first bit length which could increase: */
+    do {
+        bits = max_length-1;
+        while (s->bl_count[bits] == 0) bits--;
+        s->bl_count[bits]--;      /* move one leaf down the tree */
+        s->bl_count[bits+1] += 2; /* move one overflow item as its brother */
+        s->bl_count[max_length]--;
+        /* The brother of the overflow item also moves one step up,
+         * but this does not affect bl_count[max_length]
+         */
+        overflow -= 2;
+    } while (overflow > 0);
+
+    /* Now recompute all bit lengths, scanning in increasing frequency.
+     * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
+     * lengths instead of fixing only the wrong ones. This idea is taken
+     * from 'ar' written by Haruhiko Okumura.)
+     */
+    for (bits = max_length; bits != 0; bits--) {
+        n = s->bl_count[bits];
+        while (n != 0) {
+            m = s->heap[--h];
+            if (m > max_code) continue;
+            if ((unsigned) tree[m].Len != (unsigned) bits) {
+                Trace((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
+                s->opt_len += ((long)bits - (long)tree[m].Len)
+                              *(long)tree[m].Freq;
+                tree[m].Len = (ush)bits;
+            }
+            n--;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Generate the codes for a given tree and bit counts (which need not be
+ * optimal).
+ * IN assertion: the array bl_count contains the bit length statistics for
+ * the given tree and the field len is set for all tree elements.
+ * OUT assertion: the field code is set for all tree elements of non
+ *     zero code length.
+ */
+local void gen_codes (tree, max_code, bl_count)
+    ct_data *tree;             /* the tree to decorate */
+    int max_code;              /* largest code with non zero frequency */
+    ushf *bl_count;            /* number of codes at each bit length */
+{
+    ush next_code[MAX_BITS+1]; /* next code value for each bit length */
+    ush code = 0;              /* running code value */
+    int bits;                  /* bit index */
+    int n;                     /* code index */
+
+    /* The distribution counts are first used to generate the code values
+     * without bit reversal.
+     */
+    for (bits = 1; bits <= MAX_BITS; bits++) {
+        next_code[bits] = code = (code + bl_count[bits-1]) << 1;
+    }
+    /* Check that the bit counts in bl_count are consistent. The last code
+     * must be all ones.
+     */
+    Assert (code + bl_count[MAX_BITS]-1 == (1<<MAX_BITS)-1,
+            "inconsistent bit counts");
+    Tracev((stderr,"\ngen_codes: max_code %d ", max_code));
+
+    for (n = 0;  n <= max_code; n++) {
+        int len = tree[n].Len;
+        if (len == 0) continue;
+        /* Now reverse the bits */
+        tree[n].Code = bi_reverse(next_code[len]++, len);
+
+        Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
+             n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len]-1));
+    }
+}
+
+/* ===========================================================================
+ * Construct one Huffman tree and assigns the code bit strings and lengths.
+ * Update the total bit length for the current block.
+ * IN assertion: the field freq is set for all tree elements.
+ * OUT assertions: the fields len and code are set to the optimal bit length
+ *     and corresponding code. The length opt_len is updated; static_len is
+ *     also updated if stree is not null. The field max_code is set.
+ */
+local void build_tree(s, desc)
+    deflate_state *s;
+    tree_desc *desc; /* the tree descriptor */
+{
+    ct_data *tree         = desc->dyn_tree;
+    const ct_data *stree  = desc->stat_desc->static_tree;
+    int elems             = desc->stat_desc->elems;
+    int n, m;          /* iterate over heap elements */
+    int max_code = -1; /* largest code with non zero frequency */
+    int node;          /* new node being created */
+
+    /* Construct the initial heap, with least frequent element in
+     * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n+1].
+     * heap[0] is not used.
+     */
+    s->heap_len = 0, s->heap_max = HEAP_SIZE;
+
+    for (n = 0; n < elems; n++) {
+        if (tree[n].Freq != 0) {
+            s->heap[++(s->heap_len)] = max_code = n;
+            s->depth[n] = 0;
+        } else {
+            tree[n].Len = 0;
+        }
+    }
+
+    /* The pkzip format requires that at least one distance code exists,
+     * and that at least one bit should be sent even if there is only one
+     * possible code. So to avoid special checks later on we force at least
+     * two codes of non zero frequency.
+     */
+    while (s->heap_len < 2) {
+        node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);
+        tree[node].Freq = 1;
+        s->depth[node] = 0;
+        s->opt_len--; if (stree) s->static_len -= stree[node].Len;
+        /* node is 0 or 1 so it does not have extra bits */
+    }
+    desc->max_code = max_code;
+
+    /* The elements heap[heap_len/2+1 .. heap_len] are leaves of the tree,
+     * establish sub-heaps of increasing lengths:
+     */
+    for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);
+
+    /* Construct the Huffman tree by repeatedly combining the least two
+     * frequent nodes.
+     */
+    node = elems;              /* next internal node of the tree */
+    do {
+        pqremove(s, tree, n);  /* n = node of least frequency */
+        m = s->heap[SMALLEST]; /* m = node of next least frequency */
+
+        s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */
+        s->heap[--(s->heap_max)] = m;
+
+        /* Create a new node father of n and m */
+        tree[node].Freq = tree[n].Freq + tree[m].Freq;
+        s->depth[node] = (uch)((s->depth[n] >= s->depth[m] ?
+                                s->depth[n] : s->depth[m]) + 1);
+        tree[n].Dad = tree[m].Dad = (ush)node;
+#ifdef DUMP_BL_TREE
+        if (tree == s->bl_tree) {
+            fprintf(stderr,"\nnode %d(%d), sons %d(%d) %d(%d)",
+                    node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);
+        }
+#endif
+        /* and insert the new node in the heap */
+        s->heap[SMALLEST] = node++;
+        pqdownheap(s, tree, SMALLEST);
+
+    } while (s->heap_len >= 2);
+
+    s->heap[--(s->heap_max)] = s->heap[SMALLEST];
+
+    /* At this point, the fields freq and dad are set. We can now
+     * generate the bit lengths.
+     */
+    gen_bitlen(s, (tree_desc *)desc);
+
+    /* The field len is now set, we can generate the bit codes */
+    gen_codes ((ct_data *)tree, max_code, s->bl_count);
+}
+
+/* ===========================================================================
+ * Scan a literal or distance tree to determine the frequencies of the codes
+ * in the bit length tree.
+ */
+local void scan_tree (s, tree, max_code)
+    deflate_state *s;
+    ct_data *tree;   /* the tree to be scanned */
+    int max_code;    /* and its largest code of non zero frequency */
+{
+    int n;                     /* iterates over all tree elements */
+    int prevlen = -1;          /* last emitted length */
+    int curlen;                /* length of current code */
+    int nextlen = tree[0].Len; /* length of next code */
+    int count = 0;             /* repeat count of the current code */
+    int max_count = 7;         /* max repeat count */
+    int min_count = 4;         /* min repeat count */
+
+    if (nextlen == 0) max_count = 138, min_count = 3;
+    tree[max_code+1].Len = (ush)0xffff; /* guard */
+
+    for (n = 0; n <= max_code; n++) {
+        curlen = nextlen; nextlen = tree[n+1].Len;
+        if (++count < max_count && curlen == nextlen) {
+            continue;
+        } else if (count < min_count) {
+            s->bl_tree[curlen].Freq += count;
+        } else if (curlen != 0) {
+            if (curlen != prevlen) s->bl_tree[curlen].Freq++;
+            s->bl_tree[REP_3_6].Freq++;
+        } else if (count <= 10) {
+            s->bl_tree[REPZ_3_10].Freq++;
+        } else {
+            s->bl_tree[REPZ_11_138].Freq++;
+        }
+        count = 0; prevlen = curlen;
+        if (nextlen == 0) {
+            max_count = 138, min_count = 3;
+        } else if (curlen == nextlen) {
+            max_count = 6, min_count = 3;
+        } else {
+            max_count = 7, min_count = 4;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Send a literal or distance tree in compressed form, using the codes in
+ * bl_tree.
+ */
+local void send_tree (s, tree, max_code)
+    deflate_state *s;
+    ct_data *tree; /* the tree to be scanned */
+    int max_code;       /* and its largest code of non zero frequency */
+{
+    int n;                     /* iterates over all tree elements */
+    int prevlen = -1;          /* last emitted length */
+    int curlen;                /* length of current code */
+    int nextlen = tree[0].Len; /* length of next code */
+    int count = 0;             /* repeat count of the current code */
+    int max_count = 7;         /* max repeat count */
+    int min_count = 4;         /* min repeat count */
+
+    /* tree[max_code+1].Len = -1; */  /* guard already set */
+    if (nextlen == 0) max_count = 138, min_count = 3;
+
+    for (n = 0; n <= max_code; n++) {
+        curlen = nextlen; nextlen = tree[n+1].Len;
+        if (++count < max_count && curlen == nextlen) {
+            continue;
+        } else if (count < min_count) {
+            do { send_code(s, curlen, s->bl_tree); } while (--count != 0);
+
+        } else if (curlen != 0) {
+            if (curlen != prevlen) {
+                send_code(s, curlen, s->bl_tree); count--;
+            }
+            Assert(count >= 3 && count <= 6, " 3_6?");
+            send_code(s, REP_3_6, s->bl_tree); send_bits(s, count-3, 2);
+
+        } else if (count <= 10) {
+            send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count-3, 3);
+
+        } else {
+            send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count-11, 7);
+        }
+        count = 0; prevlen = curlen;
+        if (nextlen == 0) {
+            max_count = 138, min_count = 3;
+        } else if (curlen == nextlen) {
+            max_count = 6, min_count = 3;
+        } else {
+            max_count = 7, min_count = 4;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Construct the Huffman tree for the bit lengths and return the index in
+ * bl_order of the last bit length code to send.
+ */
+local int build_bl_tree(s)
+    deflate_state *s;
+{
+    int max_blindex;  /* index of last bit length code of non zero freq */
+
+    /* Determine the bit length frequencies for literal and distance trees */
+    scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);
+    scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);
+
+    /* Build the bit length tree: */
+    build_tree(s, (tree_desc *)(&(s->bl_desc)));
+    /* opt_len now includes the length of the tree representations, except
+     * the lengths of the bit lengths codes and the 5+5+4 bits for the counts.
+     */
+
+    /* Determine the number of bit length codes to send. The pkzip format
+     * requires that at least 4 bit length codes be sent. (appnote.txt says
+     * 3 but the actual value used is 4.)
+     */
+    for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {
+        if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;
+    }
+    /* Update opt_len to include the bit length tree and counts */
+    s->opt_len += 3*(max_blindex+1) + 5+5+4;
+    Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
+            s->opt_len, s->static_len));
+
+    return max_blindex;
+}
+
+/* ===========================================================================
+ * Send the header for a block using dynamic Huffman trees: the counts, the
+ * lengths of the bit length codes, the literal tree and the distance tree.
+ * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
+ */
+local void send_all_trees(s, lcodes, dcodes, blcodes)
+    deflate_state *s;
+    int lcodes, dcodes, blcodes; /* number of codes for each tree */
+{
+    int rank;                    /* index in bl_order */
+
+    Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
+    Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
+            "too many codes");
+    Tracev((stderr, "\nbl counts: "));
+    send_bits(s, lcodes-257, 5); /* not +255 as stated in appnote.txt */
+    send_bits(s, dcodes-1,   5);
+    send_bits(s, blcodes-4,  4); /* not -3 as stated in appnote.txt */
+    for (rank = 0; rank < blcodes; rank++) {
+        Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
+        send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);
+    }
+    Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));
+
+    send_tree(s, (ct_data *)s->dyn_ltree, lcodes-1); /* literal tree */
+    Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));
+
+    send_tree(s, (ct_data *)s->dyn_dtree, dcodes-1); /* distance tree */
+    Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
+}
+
+/* ===========================================================================
+ * Send a stored block
+ */
+void _tr_stored_block(s, buf, stored_len, eof)
+    deflate_state *s;
+    charf *buf;       /* input block */
+    ulg stored_len;   /* length of input block */
+    int eof;          /* true if this is the last block for a file */
+{
+    send_bits(s, (STORED_BLOCK<<1)+eof, 3);  /* send block type */
+#ifdef DEBUG
+    s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
+    s->compressed_len += (stored_len + 4) << 3;
+#endif
+    copy_block(s, buf, (unsigned)stored_len, 1); /* with header */
+}
+
+/* ===========================================================================
+ * Send one empty static block to give enough lookahead for inflate.
+ * This takes 10 bits, of which 7 may remain in the bit buffer.
+ * The current inflate code requires 9 bits of lookahead. If the
+ * last two codes for the previous block (real code plus EOB) were coded
+ * on 5 bits or less, inflate may have only 5+3 bits of lookahead to decode
+ * the last real code. In this case we send two empty static blocks instead
+ * of one. (There are no problems if the previous block is stored or fixed.)
+ * To simplify the code, we assume the worst case of last real code encoded
+ * on one bit only.
+ */
+void _tr_align(s)
+    deflate_state *s;
+{
+    send_bits(s, STATIC_TREES<<1, 3);
+    send_code(s, END_BLOCK, static_ltree);
+#ifdef DEBUG
+    s->compressed_len += 10L; /* 3 for block type, 7 for EOB */
+#endif
+    bi_flush(s);
+    /* Of the 10 bits for the empty block, we have already sent
+     * (10 - bi_valid) bits. The lookahead for the last real code (before
+     * the EOB of the previous block) was thus at least one plus the length
+     * of the EOB plus what we have just sent of the empty static block.
+     */
+    if (1 + s->last_eob_len + 10 - s->bi_valid < 9) {
+        send_bits(s, STATIC_TREES<<1, 3);
+        send_code(s, END_BLOCK, static_ltree);
+#ifdef DEBUG
+        s->compressed_len += 10L;
+#endif
+        bi_flush(s);
+    }
+    s->last_eob_len = 7;
+}
+
+/* ===========================================================================
+ * Determine the best encoding for the current block: dynamic trees, static
+ * trees or store, and output the encoded block to the zip file.
+ */
+void _tr_flush_block(s, buf, stored_len, eof)
+    deflate_state *s;
+    charf *buf;       /* input block, or NULL if too old */
+    ulg stored_len;   /* length of input block */
+    int eof;          /* true if this is the last block for a file */
+{
+    ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
+    int max_blindex = 0;  /* index of last bit length code of non zero freq */
+
+    /* Build the Huffman trees unless a stored block is forced */
+    if (s->level > 0) {
+
+        /* Check if the file is binary or text */
+        if (stored_len > 0 && s->strm->data_type == Z_UNKNOWN)
+            set_data_type(s);
+
+        /* Construct the literal and distance trees */
+        build_tree(s, (tree_desc *)(&(s->l_desc)));
+        Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
+                s->static_len));
+
+        build_tree(s, (tree_desc *)(&(s->d_desc)));
+        Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
+                s->static_len));
+        /* At this point, opt_len and static_len are the total bit lengths of
+         * the compressed block data, excluding the tree representations.
+         */
+
+        /* Build the bit length tree for the above two trees, and get the index
+         * in bl_order of the last bit length code to send.
+         */
+        max_blindex = build_bl_tree(s);
+
+        /* Determine the best encoding. Compute the block lengths in bytes. */
+        opt_lenb = (s->opt_len+3+7)>>3;
+        static_lenb = (s->static_len+3+7)>>3;
+
+        Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+                opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+                s->last_lit));
+
+        if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+
+    } else {
+        Assert(buf != (char*)0, "lost buf");
+        opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
+    }
+
+#ifdef FORCE_STORED
+    if (buf != (char*)0) { /* force stored block */
+#else
+    if (stored_len+4 <= opt_lenb && buf != (char*)0) {
+                       /* 4: two words for the lengths */
+#endif
+        /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
+         * Otherwise we can't have processed more than WSIZE input bytes since
+         * the last block flush, because compression would have been
+         * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
+         * transform a block into a stored block.
+         */
+        _tr_stored_block(s, buf, stored_len, eof);
+
+#ifdef FORCE_STATIC
+    } else if (static_lenb >= 0) { /* force static trees */
+#else
+    } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) {
+#endif
+        send_bits(s, (STATIC_TREES<<1)+eof, 3);
+        compress_block(s, (ct_data *)static_ltree, (ct_data *)static_dtree);
+#ifdef DEBUG
+        s->compressed_len += 3 + s->static_len;
+#endif
+    } else {
+        send_bits(s, (DYN_TREES<<1)+eof, 3);
+        send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1,
+                       max_blindex+1);
+        compress_block(s, (ct_data *)s->dyn_ltree, (ct_data *)s->dyn_dtree);
+#ifdef DEBUG
+        s->compressed_len += 3 + s->opt_len;
+#endif
+    }
+    Assert (s->compressed_len == s->bits_sent, "bad compressed size");
+    /* The above check is made mod 2^32, for files larger than 512 MB
+     * and uLong implemented on 32 bits.
+     */
+    init_block(s);
+
+    if (eof) {
+        bi_windup(s);
+#ifdef DEBUG
+        s->compressed_len += 7;  /* align on byte boundary */
+#endif
+    }
+    Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
+           s->compressed_len-7*eof));
+}
+
+/* ===========================================================================
+ * Save the match info and tally the frequency counts. Return true if
+ * the current block must be flushed.
+ */
+int _tr_tally (s, dist, lc)
+    deflate_state *s;
+    unsigned dist;  /* distance of matched string */
+    unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+{
+    s->d_buf[s->last_lit] = (ush)dist;
+    s->l_buf[s->last_lit++] = (uch)lc;
+    if (dist == 0) {
+        /* lc is the unmatched char */
+        s->dyn_ltree[lc].Freq++;
+    } else {
+        s->matches++;
+        /* Here, lc is the match length - MIN_MATCH */
+        dist--;             /* dist = match distance - 1 */
+        Assert((ush)dist < (ush)MAX_DIST(s) &&
+               (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
+               (ush)d_code(dist) < (ush)D_CODES,  "_tr_tally: bad match");
+
+        s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+        s->dyn_dtree[d_code(dist)].Freq++;
+    }
+
+#ifdef TRUNCATE_BLOCK
+    /* Try to guess if it is profitable to stop the current block here */
+    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+        /* Compute an upper bound for the compressed length */
+        ulg out_length = (ulg)s->last_lit*8L;
+        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+        int dcode;
+        for (dcode = 0; dcode < D_CODES; dcode++) {
+            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+                (5L+extra_dbits[dcode]);
+        }
+        out_length >>= 3;
+        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+               s->last_lit, in_length, out_length,
+               100L - out_length*100L/in_length));
+        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+    }
+#endif
+    return (s->last_lit == s->lit_bufsize-1);
+    /* We avoid equality with lit_bufsize because of wraparound at 64K
+     * on 16 bit machines and because stored blocks are restricted to
+     * 64K-1 bytes.
+     */
+}
+
+/* ===========================================================================
+ * Send the block data compressed using the given Huffman trees
+ */
+local void compress_block(s, ltree, dtree)
+    deflate_state *s;
+    ct_data *ltree; /* literal tree */
+    ct_data *dtree; /* distance tree */
+{
+    unsigned dist;      /* distance of matched string */
+    int lc;             /* match length or unmatched char (if dist == 0) */
+    unsigned lx = 0;    /* running index in l_buf */
+    unsigned code;      /* the code to send */
+    int extra;          /* number of extra bits to send */
+
+    if (s->last_lit != 0) do {
+        dist = s->d_buf[lx];
+        lc = s->l_buf[lx++];
+        if (dist == 0) {
+            send_code(s, lc, ltree); /* send a literal byte */
+            Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+        } else {
+            /* Here, lc is the match length - MIN_MATCH */
+            code = _length_code[lc];
+            send_code(s, code+LITERALS+1, ltree); /* send the length code */
+            extra = extra_lbits[code];
+            if (extra != 0) {
+                lc -= base_length[code];
+                send_bits(s, lc, extra);       /* send the extra length bits */
+            }
+            dist--; /* dist is now the match distance - 1 */
+            code = d_code(dist);
+            Assert (code < D_CODES, "bad d_code");
+
+            send_code(s, code, dtree);       /* send the distance code */
+            extra = extra_dbits[code];
+            if (extra != 0) {
+                dist -= base_dist[code];
+                send_bits(s, dist, extra);   /* send the extra distance bits */
+            }
+        } /* literal or match pair ? */
+
+        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+               "pendingBuf overflow");
+
+    } while (lx < s->last_lit);
+
+    send_code(s, END_BLOCK, ltree);
+    s->last_eob_len = ltree[END_BLOCK].Len;
+}
+
+/* ===========================================================================
+ * Set the data type to BINARY or TEXT, using a crude approximation:
+ * set it to Z_TEXT if all symbols are either printable characters (33 to 255)
+ * or white spaces (9 to 13, or 32); or set it to Z_BINARY otherwise.
+ * IN assertion: the fields Freq of dyn_ltree are set.
+ */
+local void set_data_type(s)
+    deflate_state *s;
+{
+    int n;
+
+    for (n = 0; n < 9; n++)
+        if (s->dyn_ltree[n].Freq != 0)
+            break;
+    if (n == 9)
+        for (n = 14; n < 32; n++)
+            if (s->dyn_ltree[n].Freq != 0)
+                break;
+    s->strm->data_type = (n == 32) ? Z_TEXT : Z_BINARY;
+}
+
+/* ===========================================================================
+ * Reverse the first len bits of a code, using straightforward code (a faster
+ * method would use a table)
+ * IN assertion: 1 <= len <= 15
+ */
+local unsigned bi_reverse(code, len)
+    unsigned code; /* the value to invert */
+    int len;       /* its bit length */
+{
+    register unsigned res = 0;
+    do {
+        res |= code & 1;
+        code >>= 1, res <<= 1;
+    } while (--len > 0);
+    return res >> 1;
+}
+
+/* ===========================================================================
+ * Flush the bit buffer, keeping at most 7 bits in it.
+ */
+local void bi_flush(s)
+    deflate_state *s;
+{
+    if (s->bi_valid == 16) {
+        put_short(s, s->bi_buf);
+        s->bi_buf = 0;
+        s->bi_valid = 0;
+    } else if (s->bi_valid >= 8) {
+        put_byte(s, (Byte)s->bi_buf);
+        s->bi_buf >>= 8;
+        s->bi_valid -= 8;
+    }
+}
+
+/* ===========================================================================
+ * Flush the bit buffer and align the output on a byte boundary
+ */
+local void bi_windup(s)
+    deflate_state *s;
+{
+    if (s->bi_valid > 8) {
+        put_short(s, s->bi_buf);
+    } else if (s->bi_valid > 0) {
+        put_byte(s, (Byte)s->bi_buf);
+    }
+    s->bi_buf = 0;
+    s->bi_valid = 0;
+#ifdef DEBUG
+    s->bits_sent = (s->bits_sent+7) & ~7;
+#endif
+}
+
+/* ===========================================================================
+ * Copy a stored block, storing first the length and its
+ * one's complement if requested.
+ */
+local void copy_block(s, buf, len, header)
+    deflate_state *s;
+    charf    *buf;    /* the input data */
+    unsigned len;     /* its length */
+    int      header;  /* true if block header must be written */
+{
+    bi_windup(s);        /* align on byte boundary */
+    s->last_eob_len = 8; /* enough lookahead for inflate */
+
+    if (header) {
+        put_short(s, (ush)len);
+        put_short(s, (ush)~len);
+#ifdef DEBUG
+        s->bits_sent += 2*16;
+#endif
+    }
+#ifdef DEBUG
+    s->bits_sent += (ulg)len<<3;
+#endif
+    while (len--) {
+        put_byte(s, *buf++);
+    }
+}
diff --git a/security/nss/cmd/zlib/trees.h b/security/nss/cmd/zlib/trees.h
new file mode 100644
index 000000000..72facf900
--- /dev/null
+++ b/security/nss/cmd/zlib/trees.h
@@ -0,0 +1,128 @@
+/* header created automatically with -DGEN_TREES_H */
+
+local const ct_data static_ltree[L_CODES+2] = {
+{{ 12},{  8}}, {{140},{  8}}, {{ 76},{  8}}, {{204},{  8}}, {{ 44},{  8}},
+{{172},{  8}}, {{108},{  8}}, {{236},{  8}}, {{ 28},{  8}}, {{156},{  8}},
+{{ 92},{  8}}, {{220},{  8}}, {{ 60},{  8}}, {{188},{  8}}, {{124},{  8}},
+{{252},{  8}}, {{  2},{  8}}, {{130},{  8}}, {{ 66},{  8}}, {{194},{  8}},
+{{ 34},{  8}}, {{162},{  8}}, {{ 98},{  8}}, {{226},{  8}}, {{ 18},{  8}},
+{{146},{  8}}, {{ 82},{  8}}, {{210},{  8}}, {{ 50},{  8}}, {{178},{  8}},
+{{114},{  8}}, {{242},{  8}}, {{ 10},{  8}}, {{138},{  8}}, {{ 74},{  8}},
+{{202},{  8}}, {{ 42},{  8}}, {{170},{  8}}, {{106},{  8}}, {{234},{  8}},
+{{ 26},{  8}}, {{154},{  8}}, {{ 90},{  8}}, {{218},{  8}}, {{ 58},{  8}},
+{{186},{  8}}, {{122},{  8}}, {{250},{  8}}, {{  6},{  8}}, {{134},{  8}},
+{{ 70},{  8}}, {{198},{  8}}, {{ 38},{  8}}, {{166},{  8}}, {{102},{  8}},
+{{230},{  8}}, {{ 22},{  8}}, {{150},{  8}}, {{ 86},{  8}}, {{214},{  8}},
+{{ 54},{  8}}, {{182},{  8}}, {{118},{  8}}, {{246},{  8}}, {{ 14},{  8}},
+{{142},{  8}}, {{ 78},{  8}}, {{206},{  8}}, {{ 46},{  8}}, {{174},{  8}},
+{{110},{  8}}, {{238},{  8}}, {{ 30},{  8}}, {{158},{  8}}, {{ 94},{  8}},
+{{222},{  8}}, {{ 62},{  8}}, {{190},{  8}}, {{126},{  8}}, {{254},{  8}},
+{{  1},{  8}}, {{129},{  8}}, {{ 65},{  8}}, {{193},{  8}}, {{ 33},{  8}},
+{{161},{  8}}, {{ 97},{  8}}, {{225},{  8}}, {{ 17},{  8}}, {{145},{  8}},
+{{ 81},{  8}}, {{209},{  8}}, {{ 49},{  8}}, {{177},{  8}}, {{113},{  8}},
+{{241},{  8}}, {{  9},{  8}}, {{137},{  8}}, {{ 73},{  8}}, {{201},{  8}},
+{{ 41},{  8}}, {{169},{  8}}, {{105},{  8}}, {{233},{  8}}, {{ 25},{  8}},
+{{153},{  8}}, {{ 89},{  8}}, {{217},{  8}}, {{ 57},{  8}}, {{185},{  8}},
+{{121},{  8}}, {{249},{  8}}, {{  5},{  8}}, {{133},{  8}}, {{ 69},{  8}},
+{{197},{  8}}, {{ 37},{  8}}, {{165},{  8}}, {{101},{  8}}, {{229},{  8}},
+{{ 21},{  8}}, {{149},{  8}}, {{ 85},{  8}}, {{213},{  8}}, {{ 53},{  8}},
+{{181},{  8}}, {{117},{  8}}, {{245},{  8}}, {{ 13},{  8}}, {{141},{  8}},
+{{ 77},{  8}}, {{205},{  8}}, {{ 45},{  8}}, {{173},{  8}}, {{109},{  8}},
+{{237},{  8}}, {{ 29},{  8}}, {{157},{  8}}, {{ 93},{  8}}, {{221},{  8}},
+{{ 61},{  8}}, {{189},{  8}}, {{125},{  8}}, {{253},{  8}}, {{ 19},{  9}},
+{{275},{  9}}, {{147},{  9}}, {{403},{  9}}, {{ 83},{  9}}, {{339},{  9}},
+{{211},{  9}}, {{467},{  9}}, {{ 51},{  9}}, {{307},{  9}}, {{179},{  9}},
+{{435},{  9}}, {{115},{  9}}, {{371},{  9}}, {{243},{  9}}, {{499},{  9}},
+{{ 11},{  9}}, {{267},{  9}}, {{139},{  9}}, {{395},{  9}}, {{ 75},{  9}},
+{{331},{  9}}, {{203},{  9}}, {{459},{  9}}, {{ 43},{  9}}, {{299},{  9}},
+{{171},{  9}}, {{427},{  9}}, {{107},{  9}}, {{363},{  9}}, {{235},{  9}},
+{{491},{  9}}, {{ 27},{  9}}, {{283},{  9}}, {{155},{  9}}, {{411},{  9}},
+{{ 91},{  9}}, {{347},{  9}}, {{219},{  9}}, {{475},{  9}}, {{ 59},{  9}},
+{{315},{  9}}, {{187},{  9}}, {{443},{  9}}, {{123},{  9}}, {{379},{  9}},
+{{251},{  9}}, {{507},{  9}}, {{  7},{  9}}, {{263},{  9}}, {{135},{  9}},
+{{391},{  9}}, {{ 71},{  9}}, {{327},{  9}}, {{199},{  9}}, {{455},{  9}},
+{{ 39},{  9}}, {{295},{  9}}, {{167},{  9}}, {{423},{  9}}, {{103},{  9}},
+{{359},{  9}}, {{231},{  9}}, {{487},{  9}}, {{ 23},{  9}}, {{279},{  9}},
+{{151},{  9}}, {{407},{  9}}, {{ 87},{  9}}, {{343},{  9}}, {{215},{  9}},
+{{471},{  9}}, {{ 55},{  9}}, {{311},{  9}}, {{183},{  9}}, {{439},{  9}},
+{{119},{  9}}, {{375},{  9}}, {{247},{  9}}, {{503},{  9}}, {{ 15},{  9}},
+{{271},{  9}}, {{143},{  9}}, {{399},{  9}}, {{ 79},{  9}}, {{335},{  9}},
+{{207},{  9}}, {{463},{  9}}, {{ 47},{  9}}, {{303},{  9}}, {{175},{  9}},
+{{431},{  9}}, {{111},{  9}}, {{367},{  9}}, {{239},{  9}}, {{495},{  9}},
+{{ 31},{  9}}, {{287},{  9}}, {{159},{  9}}, {{415},{  9}}, {{ 95},{  9}},
+{{351},{  9}}, {{223},{  9}}, {{479},{  9}}, {{ 63},{  9}}, {{319},{  9}},
+{{191},{  9}}, {{447},{  9}}, {{127},{  9}}, {{383},{  9}}, {{255},{  9}},
+{{511},{  9}}, {{  0},{  7}}, {{ 64},{  7}}, {{ 32},{  7}}, {{ 96},{  7}},
+{{ 16},{  7}}, {{ 80},{  7}}, {{ 48},{  7}}, {{112},{  7}}, {{  8},{  7}},
+{{ 72},{  7}}, {{ 40},{  7}}, {{104},{  7}}, {{ 24},{  7}}, {{ 88},{  7}},
+{{ 56},{  7}}, {{120},{  7}}, {{  4},{  7}}, {{ 68},{  7}}, {{ 36},{  7}},
+{{100},{  7}}, {{ 20},{  7}}, {{ 84},{  7}}, {{ 52},{  7}}, {{116},{  7}},
+{{  3},{  8}}, {{131},{  8}}, {{ 67},{  8}}, {{195},{  8}}, {{ 35},{  8}},
+{{163},{  8}}, {{ 99},{  8}}, {{227},{  8}}
+};
+
+local const ct_data static_dtree[D_CODES] = {
+{{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}},
+{{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}},
+{{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}},
+{{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}},
+{{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}},
+{{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}
+};
+
+const uch _dist_code[DIST_CODE_LEN] = {
+ 0,  1,  2,  3,  4,  4,  5,  5,  6,  6,  6,  6,  7,  7,  7,  7,  8,  8,  8,  8,
+ 8,  8,  8,  8,  9,  9,  9,  9,  9,  9,  9,  9, 10, 10, 10, 10, 10, 10, 10, 10,
+10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,
+11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,
+12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13,
+13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13,
+13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,  0,  0, 16, 17,
+18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22,
+23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29
+};
+
+const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {
+ 0,  1,  2,  3,  4,  5,  6,  7,  8,  8,  9,  9, 10, 10, 11, 11, 12, 12, 12, 12,
+13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,
+17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,
+19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
+21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22,
+22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23,
+23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
+25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28
+};
+
+local const int base_length[LENGTH_CODES] = {
+0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56,
+64, 80, 96, 112, 128, 160, 192, 224, 0
+};
+
+local const int base_dist[D_CODES] = {
+    0,     1,     2,     3,     4,     6,     8,    12,    16,    24,
+   32,    48,    64,    96,   128,   192,   256,   384,   512,   768,
+ 1024,  1536,  2048,  3072,  4096,  6144,  8192, 12288, 16384, 24576
+};
+
diff --git a/security/nss/cmd/zlib/uncompr.c b/security/nss/cmd/zlib/uncompr.c
new file mode 100644
index 000000000..b59e3d0de
--- /dev/null
+++ b/security/nss/cmd/zlib/uncompr.c
@@ -0,0 +1,61 @@
+/* uncompr.c -- decompress a memory buffer
+ * Copyright (C) 1995-2003 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#define ZLIB_INTERNAL
+#include "zlib.h"
+
+/* ===========================================================================
+     Decompresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be large enough to hold the
+   entire uncompressed data. (The size of the uncompressed data must have
+   been saved previously by the compressor and transmitted to the decompressor
+   by some mechanism outside the scope of this compression library.)
+   Upon exit, destLen is the actual size of the compressed buffer.
+     This function can be used to decompress a whole file at once if the
+   input file is mmap'ed.
+
+     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer, or Z_DATA_ERROR if the input data was corrupted.
+*/
+int ZEXPORT uncompress (dest, destLen, source, sourceLen)
+    Bytef *dest;
+    uLongf *destLen;
+    const Bytef *source;
+    uLong sourceLen;
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef*)source;
+    stream.avail_in = (uInt)sourceLen;
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
+
+    stream.next_out = dest;
+    stream.avail_out = (uInt)*destLen;
+    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func)0;
+    stream.zfree = (free_func)0;
+
+    err = inflateInit(&stream);
+    if (err != Z_OK) return err;
+
+    err = inflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        inflateEnd(&stream);
+        if (err == Z_NEED_DICT || (err == Z_BUF_ERROR && stream.avail_in == 0))
+            return Z_DATA_ERROR;
+        return err;
+    }
+    *destLen = stream.total_out;
+
+    err = inflateEnd(&stream);
+    return err;
+}
diff --git a/security/nss/cmd/zlib/zconf.h b/security/nss/cmd/zlib/zconf.h
new file mode 100644
index 000000000..03a9431c8
--- /dev/null
+++ b/security/nss/cmd/zlib/zconf.h
@@ -0,0 +1,332 @@
+/* zconf.h -- configuration of the zlib compression library
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#ifndef ZCONF_H
+#define ZCONF_H
+
+/*
+ * If you *really* need a unique prefix for all types and library functions,
+ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ */
+#ifdef Z_PREFIX
+#  define deflateInit_          z_deflateInit_
+#  define deflate               z_deflate
+#  define deflateEnd            z_deflateEnd
+#  define inflateInit_          z_inflateInit_
+#  define inflate               z_inflate
+#  define inflateEnd            z_inflateEnd
+#  define deflateInit2_         z_deflateInit2_
+#  define deflateSetDictionary  z_deflateSetDictionary
+#  define deflateCopy           z_deflateCopy
+#  define deflateReset          z_deflateReset
+#  define deflateParams         z_deflateParams
+#  define deflateBound          z_deflateBound
+#  define deflatePrime          z_deflatePrime
+#  define inflateInit2_         z_inflateInit2_
+#  define inflateSetDictionary  z_inflateSetDictionary
+#  define inflateSync           z_inflateSync
+#  define inflateSyncPoint      z_inflateSyncPoint
+#  define inflateCopy           z_inflateCopy
+#  define inflateReset          z_inflateReset
+#  define inflateBack           z_inflateBack
+#  define inflateBackEnd        z_inflateBackEnd
+#  define compress              z_compress
+#  define compress2             z_compress2
+#  define compressBound         z_compressBound
+#  define uncompress            z_uncompress
+#  define adler32               z_adler32
+#  define crc32                 z_crc32
+#  define get_crc_table         z_get_crc_table
+#  define zError                z_zError
+
+#  define alloc_func            z_alloc_func
+#  define free_func             z_free_func
+#  define in_func               z_in_func
+#  define out_func              z_out_func
+#  define Byte                  z_Byte
+#  define uInt                  z_uInt
+#  define uLong                 z_uLong
+#  define Bytef                 z_Bytef
+#  define charf                 z_charf
+#  define intf                  z_intf
+#  define uIntf                 z_uIntf
+#  define uLongf                z_uLongf
+#  define voidpf                z_voidpf
+#  define voidp                 z_voidp
+#endif
+
+#if defined(__MSDOS__) && !defined(MSDOS)
+#  define MSDOS
+#endif
+#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)
+#  define OS2
+#endif
+#if defined(_WINDOWS) && !defined(WINDOWS)
+#  define WINDOWS
+#endif
+#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)
+#  ifndef WIN32
+#    define WIN32
+#  endif
+#endif
+#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)
+#  if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)
+#    ifndef SYS16BIT
+#      define SYS16BIT
+#    endif
+#  endif
+#endif
+
+/*
+ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
+ * than 64k bytes at a time (needed on systems with 16-bit int).
+ */
+#ifdef SYS16BIT
+#  define MAXSEG_64K
+#endif
+#ifdef MSDOS
+#  define UNALIGNED_OK
+#endif
+
+#ifdef __STDC_VERSION__
+#  ifndef STDC
+#    define STDC
+#  endif
+#  if __STDC_VERSION__ >= 199901L
+#    ifndef STDC99
+#      define STDC99
+#    endif
+#  endif
+#endif
+#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))
+#  define STDC
+#endif
+
+#if defined(__OS400__) && !defined(STDC)    /* iSeries (formerly AS/400). */
+#  define STDC
+#endif
+
+#ifndef STDC
+#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
+#    define const       /* note: need a more gentle solution here */
+#  endif
+#endif
+
+/* Some Mac compilers merge all .h files incorrectly: */
+#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__)
+#  define NO_DUMMY_DECL
+#endif
+
+/* Maximum value for memLevel in deflateInit2 */
+#ifndef MAX_MEM_LEVEL
+#  ifdef MAXSEG_64K
+#    define MAX_MEM_LEVEL 8
+#  else
+#    define MAX_MEM_LEVEL 9
+#  endif
+#endif
+
+/* Maximum value for windowBits in deflateInit2 and inflateInit2.
+ * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files
+ * created by gzip. (Files created by minigzip can still be extracted by
+ * gzip.)
+ */
+#ifndef MAX_WBITS
+#  define MAX_WBITS   15 /* 32K LZ77 window */
+#endif
+
+/* The memory requirements for deflate are (in bytes):
+            (1 << (windowBits+2)) +  (1 << (memLevel+9))
+ that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
+ plus a few kilobytes for small objects. For example, if you want to reduce
+ the default memory requirements from 256K to 128K, compile with
+     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
+ Of course this will generally degrade compression (there's no free lunch).
+
+   The memory requirements for inflate are (in bytes) 1 << windowBits
+ that is, 32K for windowBits=15 (default value) plus a few kilobytes
+ for small objects.
+*/
+
+                        /* Type declarations */
+
+#ifndef OF /* function prototypes */
+#  ifdef STDC
+#    define OF(args)  args
+#  else
+#    define OF(args)  ()
+#  endif
+#endif
+
+/* The following definitions for FAR are needed only for MSDOS mixed
+ * model programming (small or medium model with some far allocations).
+ * This was tested only with MSC; for other MSDOS compilers you may have
+ * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
+ * just define FAR to be empty.
+ */
+#ifdef SYS16BIT
+#  if defined(M_I86SM) || defined(M_I86MM)
+     /* MSC small or medium model */
+#    define SMALL_MEDIUM
+#    ifdef _MSC_VER
+#      define FAR _far
+#    else
+#      define FAR far
+#    endif
+#  endif
+#  if (defined(__SMALL__) || defined(__MEDIUM__))
+     /* Turbo C small or medium model */
+#    define SMALL_MEDIUM
+#    ifdef __BORLANDC__
+#      define FAR _far
+#    else
+#      define FAR far
+#    endif
+#  endif
+#endif
+
+#if defined(WINDOWS) || defined(WIN32)
+   /* If building or using zlib as a DLL, define ZLIB_DLL.
+    * This is not mandatory, but it offers a little performance increase.
+    */
+#  ifdef ZLIB_DLL
+#    if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))
+#      ifdef ZLIB_INTERNAL
+#        define ZEXTERN extern __declspec(dllexport)
+#      else
+#        define ZEXTERN extern __declspec(dllimport)
+#      endif
+#    endif
+#  endif  /* ZLIB_DLL */
+   /* If building or using zlib with the WINAPI/WINAPIV calling convention,
+    * define ZLIB_WINAPI.
+    * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.
+    */
+#  ifdef ZLIB_WINAPI
+#    ifdef FAR
+#      undef FAR
+#    endif
+#    include <windows.h>
+     /* No need for _export, use ZLIB.DEF instead. */
+     /* For complete Windows compatibility, use WINAPI, not __stdcall. */
+#    define ZEXPORT WINAPI
+#    ifdef WIN32
+#      define ZEXPORTVA WINAPIV
+#    else
+#      define ZEXPORTVA FAR CDECL
+#    endif
+#  endif
+#endif
+
+#if defined (__BEOS__)
+#  ifdef ZLIB_DLL
+#    ifdef ZLIB_INTERNAL
+#      define ZEXPORT   __declspec(dllexport)
+#      define ZEXPORTVA __declspec(dllexport)
+#    else
+#      define ZEXPORT   __declspec(dllimport)
+#      define ZEXPORTVA __declspec(dllimport)
+#    endif
+#  endif
+#endif
+
+#ifndef ZEXTERN
+#  define ZEXTERN extern
+#endif
+#ifndef ZEXPORT
+#  define ZEXPORT
+#endif
+#ifndef ZEXPORTVA
+#  define ZEXPORTVA
+#endif
+
+#ifndef FAR
+#  define FAR
+#endif
+
+#if !defined(__MACTYPES__)
+typedef unsigned char  Byte;  /* 8 bits */
+#endif
+typedef unsigned int   uInt;  /* 16 bits or more */
+typedef unsigned long  uLong; /* 32 bits or more */
+
+#ifdef SMALL_MEDIUM
+   /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */
+#  define Bytef Byte FAR
+#else
+   typedef Byte  FAR Bytef;
+#endif
+typedef char  FAR charf;
+typedef int   FAR intf;
+typedef uInt  FAR uIntf;
+typedef uLong FAR uLongf;
+
+#ifdef STDC
+   typedef void const *voidpc;
+   typedef void FAR   *voidpf;
+   typedef void       *voidp;
+#else
+   typedef Byte const *voidpc;
+   typedef Byte FAR   *voidpf;
+   typedef Byte       *voidp;
+#endif
+
+#if 0           /* HAVE_UNISTD_H -- this line is updated by ./configure */
+#  include <sys/types.h> /* for off_t */
+#  include <unistd.h>    /* for SEEK_* and off_t */
+#  ifdef VMS
+#    include <unixio.h>   /* for off_t */
+#  endif
+#  define z_off_t off_t
+#endif
+#ifndef SEEK_SET
+#  define SEEK_SET        0       /* Seek from beginning of file.  */
+#  define SEEK_CUR        1       /* Seek from current position.  */
+#  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
+#endif
+#ifndef z_off_t
+#  define z_off_t long
+#endif
+
+#if defined(__OS400__)
+#  define NO_vsnprintf
+#endif
+
+#if defined(__MVS__)
+#  define NO_vsnprintf
+#  ifdef FAR
+#    undef FAR
+#  endif
+#endif
+
+/* MVS linker does not support external names larger than 8 bytes */
+#if defined(__MVS__)
+#   pragma map(deflateInit_,"DEIN")
+#   pragma map(deflateInit2_,"DEIN2")
+#   pragma map(deflateEnd,"DEEND")
+#   pragma map(deflateBound,"DEBND")
+#   pragma map(inflateInit_,"ININ")
+#   pragma map(inflateInit2_,"ININ2")
+#   pragma map(inflateEnd,"INEND")
+#   pragma map(inflateSync,"INSY")
+#   pragma map(inflateSetDictionary,"INSEDI")
+#   pragma map(compressBound,"CMBND")
+#   pragma map(inflate_table,"INTABL")
+#   pragma map(inflate_fast,"INFA")
+#   pragma map(inflate_copyright,"INCOPY")
+#endif
+
+#endif /* ZCONF_H */
diff --git a/security/nss/cmd/zlib/zlib.h b/security/nss/cmd/zlib/zlib.h
new file mode 100644
index 000000000..022817927
--- /dev/null
+++ b/security/nss/cmd/zlib/zlib.h
@@ -0,0 +1,1357 @@
+/* zlib.h -- interface of the 'zlib' general purpose compression library
+  version 1.2.3, July 18th, 2005
+
+  Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  jloup@gzip.org          madler@alumni.caltech.edu
+
+
+  The data format used by the zlib library is described by RFCs (Request for
+  Comments) 1950 to 1952 in the files http://www.ietf.org/rfc/rfc1950.txt
+  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
+*/
+
+#ifndef ZLIB_H
+#define ZLIB_H
+
+#include "zconf.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ZLIB_VERSION "1.2.3"
+#define ZLIB_VERNUM 0x1230
+
+/*
+     The 'zlib' compression library provides in-memory compression and
+  decompression functions, including integrity checks of the uncompressed
+  data.  This version of the library supports only one compression method
+  (deflation) but other algorithms will be added later and will have the same
+  stream interface.
+
+     Compression can be done in a single step if the buffers are large
+  enough (for example if an input file is mmap'ed), or can be done by
+  repeated calls of the compression function.  In the latter case, the
+  application must provide more input and/or consume the output
+  (providing more output space) before each call.
+
+     The compressed data format used by default by the in-memory functions is
+  the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped
+  around a deflate stream, which is itself documented in RFC 1951.
+
+     The library also supports reading and writing files in gzip (.gz) format
+  with an interface similar to that of stdio using the functions that start
+  with "gz".  The gzip format is different from the zlib format.  gzip is a
+  gzip wrapper, documented in RFC 1952, wrapped around a deflate stream.
+
+     This library can optionally read and write gzip streams in memory as well.
+
+     The zlib format was designed to be compact and fast for use in memory
+  and on communications channels.  The gzip format was designed for single-
+  file compression on file systems, has a larger header than zlib to maintain
+  directory information, and uses a different, slower check method than zlib.
+
+     The library does not install any signal handler. The decoder checks
+  the consistency of the compressed data, so the library should never
+  crash even in case of corrupted input.
+*/
+
+typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
+typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
+
+struct internal_state;
+
+typedef struct z_stream_s {
+    Bytef    *next_in;  /* next input byte */
+    uInt     avail_in;  /* number of bytes available at next_in */
+    uLong    total_in;  /* total nb of input bytes read so far */
+
+    Bytef    *next_out; /* next output byte should be put there */
+    uInt     avail_out; /* remaining free space at next_out */
+    uLong    total_out; /* total nb of bytes output so far */
+
+    char     *msg;      /* last error message, NULL if no error */
+    struct internal_state FAR *state; /* not visible by applications */
+
+    alloc_func zalloc;  /* used to allocate the internal state */
+    free_func  zfree;   /* used to free the internal state */
+    voidpf     opaque;  /* private data object passed to zalloc and zfree */
+
+    int     data_type;  /* best guess about the data type: binary or text */
+    uLong   adler;      /* adler32 value of the uncompressed data */
+    uLong   reserved;   /* reserved for future use */
+} z_stream;
+
+typedef z_stream FAR *z_streamp;
+
+/*
+     gzip header information passed to and from zlib routines.  See RFC 1952
+  for more details on the meanings of these fields.
+*/
+typedef struct gz_header_s {
+    int     text;       /* true if compressed data believed to be text */
+    uLong   time;       /* modification time */
+    int     xflags;     /* extra flags (not used when writing a gzip file) */
+    int     os;         /* operating system */
+    Bytef   *extra;     /* pointer to extra field or Z_NULL if none */
+    uInt    extra_len;  /* extra field length (valid if extra != Z_NULL) */
+    uInt    extra_max;  /* space at extra (only when reading header) */
+    Bytef   *name;      /* pointer to zero-terminated file name or Z_NULL */
+    uInt    name_max;   /* space at name (only when reading header) */
+    Bytef   *comment;   /* pointer to zero-terminated comment or Z_NULL */
+    uInt    comm_max;   /* space at comment (only when reading header) */
+    int     hcrc;       /* true if there was or will be a header crc */
+    int     done;       /* true when done reading gzip header (not used
+                           when writing a gzip file) */
+} gz_header;
+
+typedef gz_header FAR *gz_headerp;
+
+/*
+   The application must update next_in and avail_in when avail_in has
+   dropped to zero. It must update next_out and avail_out when avail_out
+   has dropped to zero. The application must initialize zalloc, zfree and
+   opaque before calling the init function. All other fields are set by the
+   compression library and must not be updated by the application.
+
+   The opaque value provided by the application will be passed as the first
+   parameter for calls of zalloc and zfree. This can be useful for custom
+   memory management. The compression library attaches no meaning to the
+   opaque value.
+
+   zalloc must return Z_NULL if there is not enough memory for the object.
+   If zlib is used in a multi-threaded application, zalloc and zfree must be
+   thread safe.
+
+   On 16-bit systems, the functions zalloc and zfree must be able to allocate
+   exactly 65536 bytes, but will not be required to allocate more than this
+   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
+   pointers returned by zalloc for objects of exactly 65536 bytes *must*
+   have their offset normalized to zero. The default allocation function
+   provided by this library ensures this (see zutil.c). To reduce memory
+   requirements and avoid any allocation of 64K objects, at the expense of
+   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
+
+   The fields total_in and total_out can be used for statistics or
+   progress reports. After compression, total_in holds the total size of
+   the uncompressed data and may be saved for use in the decompressor
+   (particularly if the decompressor wants to decompress everything in
+   a single step).
+*/
+
+                        /* constants */
+
+#define Z_NO_FLUSH      0
+#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */
+#define Z_SYNC_FLUSH    2
+#define Z_FULL_FLUSH    3
+#define Z_FINISH        4
+#define Z_BLOCK         5
+/* Allowed flush values; see deflate() and inflate() below for details */
+
+#define Z_OK            0
+#define Z_STREAM_END    1
+#define Z_NEED_DICT     2
+#define Z_ERRNO        (-1)
+#define Z_STREAM_ERROR (-2)
+#define Z_DATA_ERROR   (-3)
+#define Z_MEM_ERROR    (-4)
+#define Z_BUF_ERROR    (-5)
+#define Z_VERSION_ERROR (-6)
+/* Return codes for the compression/decompression functions. Negative
+ * values are errors, positive values are used for special but normal events.
+ */
+
+#define Z_NO_COMPRESSION         0
+#define Z_BEST_SPEED             1
+#define Z_BEST_COMPRESSION       9
+#define Z_DEFAULT_COMPRESSION  (-1)
+/* compression levels */
+
+#define Z_FILTERED            1
+#define Z_HUFFMAN_ONLY        2
+#define Z_RLE                 3
+#define Z_FIXED               4
+#define Z_DEFAULT_STRATEGY    0
+/* compression strategy; see deflateInit2() below for details */
+
+#define Z_BINARY   0
+#define Z_TEXT     1
+#define Z_ASCII    Z_TEXT   /* for compatibility with 1.2.2 and earlier */
+#define Z_UNKNOWN  2
+/* Possible values of the data_type field (though see inflate()) */
+
+#define Z_DEFLATED   8
+/* The deflate compression method (the only one supported in this version) */
+
+#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
+
+#define zlib_version zlibVersion()
+/* for compatibility with versions < 1.0.2 */
+
+                        /* basic functions */
+
+ZEXTERN const char * ZEXPORT zlibVersion OF((void));
+/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
+   If the first character differs, the library code actually used is
+   not compatible with the zlib.h header file used by the application.
+   This check is automatically made by deflateInit and inflateInit.
+ */
+
+/*
+ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level));
+
+     Initializes the internal stream state for compression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.
+   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
+   use default allocation functions.
+
+     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
+   1 gives best speed, 9 gives best compression, 0 gives no compression at
+   all (the input data is simply copied a block at a time).
+   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
+   compression (currently equivalent to level 6).
+
+     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
+   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
+   with the version assumed by the caller (ZLIB_VERSION).
+   msg is set to null if there is no error message.  deflateInit does not
+   perform any compression: this will be done by deflate().
+*/
+
+
+ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
+/*
+    deflate compresses as much data as possible, and stops when the input
+  buffer becomes empty or the output buffer becomes full. It may introduce some
+  output latency (reading input without producing any output) except when
+  forced to flush.
+
+    The detailed semantics are as follows. deflate performs one or both of the
+  following actions:
+
+  - Compress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in and avail_in are updated and
+    processing will resume at this point for the next call of deflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly. This action is forced if the parameter flush is non zero.
+    Forcing flush frequently degrades the compression ratio, so this parameter
+    should be set only when necessary (in interactive applications).
+    Some output may be provided even if flush is not set.
+
+  Before the call of deflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating avail_in or avail_out accordingly; avail_out
+  should never be zero before the call. The application can consume the
+  compressed output when it wants, for example when the output buffer is full
+  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
+  and with zero avail_out, it must be called again after making room in the
+  output buffer because there might be more output pending.
+
+    Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to
+  decide how much data to accumualte before producing output, in order to
+  maximize compression.
+
+    If the parameter flush is set to Z_SYNC_FLUSH, all pending output is
+  flushed to the output buffer and the output is aligned on a byte boundary, so
+  that the decompressor can get all input data available so far. (In particular
+  avail_in is zero after the call if enough output space has been provided
+  before the call.)  Flushing may degrade compression for some compression
+  algorithms and so it should be used only when necessary.
+
+    If flush is set to Z_FULL_FLUSH, all output is flushed as with
+  Z_SYNC_FLUSH, and the compression state is reset so that decompression can
+  restart from this point if previous compressed data has been damaged or if
+  random access is desired. Using Z_FULL_FLUSH too often can seriously degrade
+  compression.
+
+    If deflate returns with avail_out == 0, this function must be called again
+  with the same value of the flush parameter and more output space (updated
+  avail_out), until the flush is complete (deflate returns with non-zero
+  avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that
+  avail_out is greater than six to avoid repeated flush markers due to
+  avail_out == 0 on return.
+
+    If the parameter flush is set to Z_FINISH, pending input is processed,
+  pending output is flushed and deflate returns with Z_STREAM_END if there
+  was enough output space; if deflate returns with Z_OK, this function must be
+  called again with Z_FINISH and more output space (updated avail_out) but no
+  more input data, until it returns with Z_STREAM_END or an error. After
+  deflate has returned Z_STREAM_END, the only possible operations on the
+  stream are deflateReset or deflateEnd.
+
+    Z_FINISH can be used immediately after deflateInit if all the compression
+  is to be done in a single step. In this case, avail_out must be at least
+  the value returned by deflateBound (see below). If deflate does not return
+  Z_STREAM_END, then it must be called again as described above.
+
+    deflate() sets strm->adler to the adler32 checksum of all input read
+  so far (that is, total_in bytes).
+
+    deflate() may update strm->data_type if it can make a good guess about
+  the input data type (Z_BINARY or Z_TEXT). In doubt, the data is considered
+  binary. This field is only for information purposes and does not affect
+  the compression algorithm in any manner.
+
+    deflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if all input has been
+  consumed and all output has been produced (only when flush is set to
+  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
+  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible
+  (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not
+  fatal, and deflate() can be called again with more input and more output
+  space to continue compressing.
+*/
+
+
+ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
+   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
+   prematurely (some input or output was discarded). In the error case,
+   msg may be set but then points to a static string (which must not be
+   deallocated).
+*/
+
+
+/*
+ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
+
+     Initializes the internal stream state for decompression. The fields
+   next_in, avail_in, zalloc, zfree and opaque must be initialized before by
+   the caller. If next_in is not Z_NULL and avail_in is large enough (the exact
+   value depends on the compression method), inflateInit determines the
+   compression method from the zlib header and allocates all data structures
+   accordingly; otherwise the allocation will be deferred to the first call of
+   inflate.  If zalloc and zfree are set to Z_NULL, inflateInit updates them to
+   use default allocation functions.
+
+     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
+   version assumed by the caller.  msg is set to null if there is no error
+   message. inflateInit does not perform any decompression apart from reading
+   the zlib header if present: this will be done by inflate().  (So next_in and
+   avail_in may be modified, but next_out and avail_out are unchanged.)
+*/
+
+
+ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
+/*
+    inflate decompresses as much data as possible, and stops when the input
+  buffer becomes empty or the output buffer becomes full. It may introduce
+  some output latency (reading input without producing any output) except when
+  forced to flush.
+
+  The detailed semantics are as follows. inflate performs one or both of the
+  following actions:
+
+  - Decompress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in is updated and processing
+    will resume at this point for the next call of inflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly.  inflate() provides as much output as possible, until there
+    is no more input data or no more space in the output buffer (see below
+    about the flush parameter).
+
+  Before the call of inflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating the next_* and avail_* values accordingly.
+  The application can consume the uncompressed output when it wants, for
+  example when the output buffer is full (avail_out == 0), or after each
+  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
+  must be called again after making room in the output buffer because there
+  might be more output pending.
+
+    The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH,
+  Z_FINISH, or Z_BLOCK. Z_SYNC_FLUSH requests that inflate() flush as much
+  output as possible to the output buffer. Z_BLOCK requests that inflate() stop
+  if and when it gets to the next deflate block boundary. When decoding the
+  zlib or gzip format, this will cause inflate() to return immediately after
+  the header and before the first block. When doing a raw inflate, inflate()
+  will go ahead and process the first block, and will return when it gets to
+  the end of that block, or when it runs out of data.
+
+    The Z_BLOCK option assists in appending to or combining deflate streams.
+  Also to assist in this, on return inflate() will set strm->data_type to the
+  number of unused bits in the last byte taken from strm->next_in, plus 64
+  if inflate() is currently decoding the last block in the deflate stream,
+  plus 128 if inflate() returned immediately after decoding an end-of-block
+  code or decoding the complete header up to just before the first byte of the
+  deflate stream. The end-of-block will not be indicated until all of the
+  uncompressed data from that block has been written to strm->next_out.  The
+  number of unused bits may in general be greater than seven, except when
+  bit 7 of data_type is set, in which case the number of unused bits will be
+  less than eight.
+
+    inflate() should normally be called until it returns Z_STREAM_END or an
+  error. However if all decompression is to be performed in a single step
+  (a single call of inflate), the parameter flush should be set to
+  Z_FINISH. In this case all pending input is processed and all pending
+  output is flushed; avail_out must be large enough to hold all the
+  uncompressed data. (The size of the uncompressed data may have been saved
+  by the compressor for this purpose.) The next operation on this stream must
+  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
+  is never required, but can be used to inform inflate that a faster approach
+  may be used for the single inflate() call.
+
+     In this implementation, inflate() always flushes as much output as
+  possible to the output buffer, and always uses the faster approach on the
+  first call. So the only effect of the flush parameter in this implementation
+  is on the return value of inflate(), as noted below, or when it returns early
+  because Z_BLOCK is used.
+
+     If a preset dictionary is needed after this call (see inflateSetDictionary
+  below), inflate sets strm->adler to the adler32 checksum of the dictionary
+  chosen by the compressor and returns Z_NEED_DICT; otherwise it sets
+  strm->adler to the adler32 checksum of all output produced so far (that is,
+  total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described
+  below. At the end of the stream, inflate() checks that its computed adler32
+  checksum is equal to that saved by the compressor and returns Z_STREAM_END
+  only if the checksum is correct.
+
+    inflate() will decompress and check either zlib-wrapped or gzip-wrapped
+  deflate data.  The header type is detected automatically.  Any information
+  contained in the gzip header is not retained, so applications that need that
+  information should instead use raw inflate, see inflateInit2() below, or
+  inflateBack() and perform their own processing of the gzip header and
+  trailer.
+
+    inflate() returns Z_OK if some progress has been made (more input processed
+  or more output produced), Z_STREAM_END if the end of the compressed data has
+  been reached and all uncompressed output has been produced, Z_NEED_DICT if a
+  preset dictionary is needed at this point, Z_DATA_ERROR if the input data was
+  corrupted (input stream not conforming to the zlib format or incorrect check
+  value), Z_STREAM_ERROR if the stream structure was inconsistent (for example
+  if next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
+  Z_BUF_ERROR if no progress is possible or if there was not enough room in the
+  output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and
+  inflate() can be called again with more input and more output space to
+  continue decompressing. If Z_DATA_ERROR is returned, the application may then
+  call inflateSync() to look for a good compression block if a partial recovery
+  of the data is desired.
+*/
+
+
+ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm));
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
+   was inconsistent. In the error case, msg may be set but then points to a
+   static string (which must not be deallocated).
+*/
+
+                        /* Advanced functions */
+
+/*
+    The following functions are needed only in some special applications.
+*/
+
+/*
+ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm,
+                                     int  level,
+                                     int  method,
+                                     int  windowBits,
+                                     int  memLevel,
+                                     int  strategy));
+
+     This is another version of deflateInit with more compression options. The
+   fields next_in, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The method parameter is the compression method. It must be Z_DEFLATED in
+   this version of the library.
+
+     The windowBits parameter is the base two logarithm of the window size
+   (the size of the history buffer). It should be in the range 8..15 for this
+   version of the library. Larger values of this parameter result in better
+   compression at the expense of memory usage. The default value is 15 if
+   deflateInit is used instead.
+
+     windowBits can also be -8..-15 for raw deflate. In this case, -windowBits
+   determines the window size. deflate() will then generate raw deflate data
+   with no zlib header or trailer, and will not compute an adler32 check value.
+
+     windowBits can also be greater than 15 for optional gzip encoding. Add
+   16 to windowBits to write a simple gzip header and trailer around the
+   compressed data instead of a zlib wrapper. The gzip header will have no
+   file name, no extra data, no comment, no modification time (set to zero),
+   no header crc, and the operating system will be set to 255 (unknown).  If a
+   gzip stream is being written, strm->adler is a crc32 instead of an adler32.
+
+     The memLevel parameter specifies how much memory should be allocated
+   for the internal compression state. memLevel=1 uses minimum memory but
+   is slow and reduces compression ratio; memLevel=9 uses maximum memory
+   for optimal speed. The default value is 8. See zconf.h for total memory
+   usage as a function of windowBits and memLevel.
+
+     The strategy parameter is used to tune the compression algorithm. Use the
+   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
+   filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no
+   string match), or Z_RLE to limit match distances to one (run-length
+   encoding). Filtered data consists mostly of small values with a somewhat
+   random distribution. In this case, the compression algorithm is tuned to
+   compress them better. The effect of Z_FILTERED is to force more Huffman
+   coding and less string matching; it is somewhat intermediate between
+   Z_DEFAULT and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as
+   Z_HUFFMAN_ONLY, but give better compression for PNG image data. The strategy
+   parameter only affects the compression ratio but not the correctness of the
+   compressed output even if it is not set appropriately.  Z_FIXED prevents the
+   use of dynamic Huffman codes, allowing for a simpler decoder for special
+   applications.
+
+      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid
+   method). msg is set to null if there is no error message.  deflateInit2 does
+   not perform any compression: this will be done by deflate().
+*/
+
+ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
+                                             const Bytef *dictionary,
+                                             uInt  dictLength));
+/*
+     Initializes the compression dictionary from the given byte sequence
+   without producing any compressed output. This function must be called
+   immediately after deflateInit, deflateInit2 or deflateReset, before any
+   call of deflate. The compressor and decompressor must use exactly the same
+   dictionary (see inflateSetDictionary).
+
+     The dictionary should consist of strings (byte sequences) that are likely
+   to be encountered later in the data to be compressed, with the most commonly
+   used strings preferably put towards the end of the dictionary. Using a
+   dictionary is most useful when the data to be compressed is short and can be
+   predicted with good accuracy; the data can then be compressed better than
+   with the default empty dictionary.
+
+     Depending on the size of the compression data structures selected by
+   deflateInit or deflateInit2, a part of the dictionary may in effect be
+   discarded, for example if the dictionary is larger than the window size in
+   deflate or deflate2. Thus the strings most likely to be useful should be
+   put at the end of the dictionary, not at the front. In addition, the
+   current implementation of deflate will use at most the window size minus
+   262 bytes of the provided dictionary.
+
+     Upon return of this function, strm->adler is set to the adler32 value
+   of the dictionary; the decompressor may later use this value to determine
+   which dictionary has been used by the compressor. (The adler32 value
+   applies to the whole dictionary even if only a subset of the dictionary is
+   actually used by the compressor.) If a raw deflate was requested, then the
+   adler32 value is not computed and strm->adler is not set.
+
+     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent (for example if deflate has already been called for this stream
+   or if the compression method is bsort). deflateSetDictionary does not
+   perform any compression: this will be done by deflate().
+*/
+
+ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
+                                    z_streamp source));
+/*
+     Sets the destination stream as a complete copy of the source stream.
+
+     This function can be useful when several compression strategies will be
+   tried, for example when there are several ways of pre-processing the input
+   data with a filter. The streams that will be discarded should then be freed
+   by calling deflateEnd.  Note that deflateCopy duplicates the internal
+   compression state which can be quite large, so this strategy is slow and
+   can consume lots of memory.
+
+     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
+   (such as zalloc being NULL). msg is left unchanged in both source and
+   destination.
+*/
+
+ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm));
+/*
+     This function is equivalent to deflateEnd followed by deflateInit,
+   but does not free and reallocate all the internal compression state.
+   The stream will keep the same compression level and any other attributes
+   that may have been set by deflateInit2.
+
+      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
+                                      int level,
+                                      int strategy));
+/*
+     Dynamically update the compression level and compression strategy.  The
+   interpretation of level and strategy is as in deflateInit2.  This can be
+   used to switch between compression and straight copy of the input data, or
+   to switch to a different kind of input data requiring a different
+   strategy. If the compression level is changed, the input available so far
+   is compressed with the old level (and may be flushed); the new level will
+   take effect only at the next call of deflate().
+
+     Before the call of deflateParams, the stream state must be set as for
+   a call of deflate(), since the currently available input may have to
+   be compressed and flushed. In particular, strm->avail_out must be non-zero.
+
+     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
+   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
+   if strm->avail_out was zero.
+*/
+
+ZEXTERN int ZEXPORT deflateTune OF((z_streamp strm,
+                                    int good_length,
+                                    int max_lazy,
+                                    int nice_length,
+                                    int max_chain));
+/*
+     Fine tune deflate's internal compression parameters.  This should only be
+   used by someone who understands the algorithm used by zlib's deflate for
+   searching for the best matching string, and even then only by the most
+   fanatic optimizer trying to squeeze out the last compressed bit for their
+   specific input data.  Read the deflate.c source code for the meaning of the
+   max_lazy, good_length, nice_length, and max_chain parameters.
+
+     deflateTune() can be called after deflateInit() or deflateInit2(), and
+   returns Z_OK on success, or Z_STREAM_ERROR for an invalid deflate stream.
+ */
+
+ZEXTERN uLong ZEXPORT deflateBound OF((z_streamp strm,
+                                       uLong sourceLen));
+/*
+     deflateBound() returns an upper bound on the compressed size after
+   deflation of sourceLen bytes.  It must be called after deflateInit()
+   or deflateInit2().  This would be used to allocate an output buffer
+   for deflation in a single pass, and so would be called before deflate().
+*/
+
+ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm,
+                                     int bits,
+                                     int value));
+/*
+     deflatePrime() inserts bits in the deflate output stream.  The intent
+  is that this function is used to start off the deflate output with the
+  bits leftover from a previous deflate stream when appending to it.  As such,
+  this function can only be used for raw deflate, and must be used before the
+  first deflate() call after a deflateInit2() or deflateReset().  bits must be
+  less than or equal to 16, and that many of the least significant bits of
+  value will be inserted in the output.
+
+      deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent.
+*/
+
+ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm,
+                                         gz_headerp head));
+/*
+      deflateSetHeader() provides gzip header information for when a gzip
+   stream is requested by deflateInit2().  deflateSetHeader() may be called
+   after deflateInit2() or deflateReset() and before the first call of
+   deflate().  The text, time, os, extra field, name, and comment information
+   in the provided gz_header structure are written to the gzip header (xflag is
+   ignored -- the extra flags are set according to the compression level).  The
+   caller must assure that, if not Z_NULL, name and comment are terminated with
+   a zero byte, and that if extra is not Z_NULL, that extra_len bytes are
+   available there.  If hcrc is true, a gzip header crc is included.  Note that
+   the current versions of the command-line version of gzip (up through version
+   1.3.x) do not support header crc's, and will report that it is a "multi-part
+   gzip file" and give up.
+
+      If deflateSetHeader is not used, the default gzip header has text false,
+   the time set to zero, and os set to 255, with no extra, name, or comment
+   fields.  The gzip header is returned to the default state by deflateReset().
+
+      deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent.
+*/
+
+/*
+ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm,
+                                     int  windowBits));
+
+     This is another version of inflateInit with an extra parameter. The
+   fields next_in, avail_in, zalloc, zfree and opaque must be initialized
+   before by the caller.
+
+     The windowBits parameter is the base two logarithm of the maximum window
+   size (the size of the history buffer).  It should be in the range 8..15 for
+   this version of the library. The default value is 15 if inflateInit is used
+   instead. windowBits must be greater than or equal to the windowBits value
+   provided to deflateInit2() while compressing, or it must be equal to 15 if
+   deflateInit2() was not used. If a compressed stream with a larger window
+   size is given as input, inflate() will return with the error code
+   Z_DATA_ERROR instead of trying to allocate a larger window.
+
+     windowBits can also be -8..-15 for raw inflate. In this case, -windowBits
+   determines the window size. inflate() will then process raw deflate data,
+   not looking for a zlib or gzip header, not generating a check value, and not
+   looking for any check values for comparison at the end of the stream. This
+   is for use with other formats that use the deflate compressed data format
+   such as zip.  Those formats provide their own check values. If a custom
+   format is developed using the raw deflate format for compressed data, it is
+   recommended that a check value such as an adler32 or a crc32 be applied to
+   the uncompressed data as is done in the zlib, gzip, and zip formats.  For
+   most applications, the zlib format should be used as is. Note that comments
+   above on the use in deflateInit2() applies to the magnitude of windowBits.
+
+     windowBits can also be greater than 15 for optional gzip decoding. Add
+   32 to windowBits to enable zlib and gzip decoding with automatic header
+   detection, or add 16 to decode only the gzip format (the zlib format will
+   return a Z_DATA_ERROR).  If a gzip stream is being decoded, strm->adler is
+   a crc32 instead of an adler32.
+
+     inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if a parameter is invalid (such as a null strm). msg
+   is set to null if there is no error message.  inflateInit2 does not perform
+   any decompression apart from reading the zlib header if present: this will
+   be done by inflate(). (So next_in and avail_in may be modified, but next_out
+   and avail_out are unchanged.)
+*/
+
+ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
+                                             const Bytef *dictionary,
+                                             uInt  dictLength));
+/*
+     Initializes the decompression dictionary from the given uncompressed byte
+   sequence. This function must be called immediately after a call of inflate,
+   if that call returned Z_NEED_DICT. The dictionary chosen by the compressor
+   can be determined from the adler32 value returned by that call of inflate.
+   The compressor and decompressor must use exactly the same dictionary (see
+   deflateSetDictionary).  For raw inflate, this function can be called
+   immediately after inflateInit2() or inflateReset() and before any call of
+   inflate() to set the dictionary.  The application must insure that the
+   dictionary that was used for compression is provided.
+
+     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
+   expected one (incorrect adler32 value). inflateSetDictionary does not
+   perform any decompression: this will be done by subsequent calls of
+   inflate().
+*/
+
+ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm));
+/*
+    Skips invalid compressed data until a full flush point (see above the
+  description of deflate with Z_FULL_FLUSH) can be found, or until all
+  available input is skipped. No output is provided.
+
+    inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
+  if no more input was provided, Z_DATA_ERROR if no flush point has been found,
+  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
+  case, the application may save the current current value of total_in which
+  indicates where valid compressed data was found. In the error case, the
+  application may repeatedly call inflateSync, providing more input each time,
+  until success or end of the input data.
+*/
+
+ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest,
+                                    z_streamp source));
+/*
+     Sets the destination stream as a complete copy of the source stream.
+
+     This function can be useful when randomly accessing a large stream.  The
+   first pass through the stream can periodically record the inflate state,
+   allowing restarting inflate at those points when randomly accessing the
+   stream.
+
+     inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
+   (such as zalloc being NULL). msg is left unchanged in both source and
+   destination.
+*/
+
+ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm));
+/*
+     This function is equivalent to inflateEnd followed by inflateInit,
+   but does not free and reallocate all the internal decompression state.
+   The stream will keep attributes that may have been set by inflateInit2.
+
+      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm,
+                                     int bits,
+                                     int value));
+/*
+     This function inserts bits in the inflate input stream.  The intent is
+  that this function is used to start inflating at a bit position in the
+  middle of a byte.  The provided bits will be used before any bytes are used
+  from next_in.  This function should only be used with raw inflate, and
+  should be used before the first inflate() call after inflateInit2() or
+  inflateReset().  bits must be less than or equal to 16, and that many of the
+  least significant bits of value will be inserted in the input.
+
+      inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent.
+*/
+
+ZEXTERN int ZEXPORT inflateGetHeader OF((z_streamp strm,
+                                         gz_headerp head));
+/*
+      inflateGetHeader() requests that gzip header information be stored in the
+   provided gz_header structure.  inflateGetHeader() may be called after
+   inflateInit2() or inflateReset(), and before the first call of inflate().
+   As inflate() processes the gzip stream, head->done is zero until the header
+   is completed, at which time head->done is set to one.  If a zlib stream is
+   being decoded, then head->done is set to -1 to indicate that there will be
+   no gzip header information forthcoming.  Note that Z_BLOCK can be used to
+   force inflate() to return immediately after header processing is complete
+   and before any actual data is decompressed.
+
+      The text, time, xflags, and os fields are filled in with the gzip header
+   contents.  hcrc is set to true if there is a header CRC.  (The header CRC
+   was valid if done is set to one.)  If extra is not Z_NULL, then extra_max
+   contains the maximum number of bytes to write to extra.  Once done is true,
+   extra_len contains the actual extra field length, and extra contains the
+   extra field, or that field truncated if extra_max is less than extra_len.
+   If name is not Z_NULL, then up to name_max characters are written there,
+   terminated with a zero unless the length is greater than name_max.  If
+   comment is not Z_NULL, then up to comm_max characters are written there,
+   terminated with a zero unless the length is greater than comm_max.  When
+   any of extra, name, or comment are not Z_NULL and the respective field is
+   not present in the header, then that field is set to Z_NULL to signal its
+   absence.  This allows the use of deflateSetHeader() with the returned
+   structure to duplicate the header.  However if those fields are set to
+   allocated memory, then the application will need to save those pointers
+   elsewhere so that they can be eventually freed.
+
+      If inflateGetHeader is not used, then the header information is simply
+   discarded.  The header is always checked for validity, including the header
+   CRC if present.  inflateReset() will reset the process to discard the header
+   information.  The application would need to call inflateGetHeader() again to
+   retrieve the header from the next gzip stream.
+
+      inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent.
+*/
+
+/*
+ZEXTERN int ZEXPORT inflateBackInit OF((z_streamp strm, int windowBits,
+                                        unsigned char FAR *window));
+
+     Initialize the internal stream state for decompression using inflateBack()
+   calls.  The fields zalloc, zfree and opaque in strm must be initialized
+   before the call.  If zalloc and zfree are Z_NULL, then the default library-
+   derived memory allocation routines are used.  windowBits is the base two
+   logarithm of the window size, in the range 8..15.  window is a caller
+   supplied buffer of that size.  Except for special applications where it is
+   assured that deflate was used with small window sizes, windowBits must be 15
+   and a 32K byte window must be supplied to be able to decompress general
+   deflate streams.
+
+     See inflateBack() for the usage of these routines.
+
+     inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of
+   the paramaters are invalid, Z_MEM_ERROR if the internal state could not
+   be allocated, or Z_VERSION_ERROR if the version of the library does not
+   match the version of the header file.
+*/
+
+typedef unsigned (*in_func) OF((void FAR *, unsigned char FAR * FAR *));
+typedef int (*out_func) OF((void FAR *, unsigned char FAR *, unsigned));
+
+ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm,
+                                    in_func in, void FAR *in_desc,
+                                    out_func out, void FAR *out_desc));
+/*
+     inflateBack() does a raw inflate with a single call using a call-back
+   interface for input and output.  This is more efficient than inflate() for
+   file i/o applications in that it avoids copying between the output and the
+   sliding window by simply making the window itself the output buffer.  This
+   function trusts the application to not change the output buffer passed by
+   the output function, at least until inflateBack() returns.
+
+     inflateBackInit() must be called first to allocate the internal state
+   and to initialize the state with the user-provided window buffer.
+   inflateBack() may then be used multiple times to inflate a complete, raw
+   deflate stream with each call.  inflateBackEnd() is then called to free
+   the allocated state.
+
+     A raw deflate stream is one with no zlib or gzip header or trailer.
+   This routine would normally be used in a utility that reads zip or gzip
+   files and writes out uncompressed files.  The utility would decode the
+   header and process the trailer on its own, hence this routine expects
+   only the raw deflate stream to decompress.  This is different from the
+   normal behavior of inflate(), which expects either a zlib or gzip header and
+   trailer around the deflate stream.
+
+     inflateBack() uses two subroutines supplied by the caller that are then
+   called by inflateBack() for input and output.  inflateBack() calls those
+   routines until it reads a complete deflate stream and writes out all of the
+   uncompressed data, or until it encounters an error.  The function's
+   parameters and return types are defined above in the in_func and out_func
+   typedefs.  inflateBack() will call in(in_desc, &buf) which should return the
+   number of bytes of provided input, and a pointer to that input in buf.  If
+   there is no input available, in() must return zero--buf is ignored in that
+   case--and inflateBack() will return a buffer error.  inflateBack() will call
+   out(out_desc, buf, len) to write the uncompressed data buf[0..len-1].  out()
+   should return zero on success, or non-zero on failure.  If out() returns
+   non-zero, inflateBack() will return with an error.  Neither in() nor out()
+   are permitted to change the contents of the window provided to
+   inflateBackInit(), which is also the buffer that out() uses to write from.
+   The length written by out() will be at most the window size.  Any non-zero
+   amount of input may be provided by in().
+
+     For convenience, inflateBack() can be provided input on the first call by
+   setting strm->next_in and strm->avail_in.  If that input is exhausted, then
+   in() will be called.  Therefore strm->next_in must be initialized before
+   calling inflateBack().  If strm->next_in is Z_NULL, then in() will be called
+   immediately for input.  If strm->next_in is not Z_NULL, then strm->avail_in
+   must also be initialized, and then if strm->avail_in is not zero, input will
+   initially be taken from strm->next_in[0 .. strm->avail_in - 1].
+
+     The in_desc and out_desc parameters of inflateBack() is passed as the
+   first parameter of in() and out() respectively when they are called.  These
+   descriptors can be optionally used to pass any information that the caller-
+   supplied in() and out() functions need to do their job.
+
+     On return, inflateBack() will set strm->next_in and strm->avail_in to
+   pass back any unused input that was provided by the last in() call.  The
+   return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR
+   if in() or out() returned an error, Z_DATA_ERROR if there was a format
+   error in the deflate stream (in which case strm->msg is set to indicate the
+   nature of the error), or Z_STREAM_ERROR if the stream was not properly
+   initialized.  In the case of Z_BUF_ERROR, an input or output error can be
+   distinguished using strm->next_in which will be Z_NULL only if in() returned
+   an error.  If strm->next is not Z_NULL, then the Z_BUF_ERROR was due to
+   out() returning non-zero.  (in() will always be called before out(), so
+   strm->next_in is assured to be defined if out() returns non-zero.)  Note
+   that inflateBack() cannot return Z_OK.
+*/
+
+ZEXTERN int ZEXPORT inflateBackEnd OF((z_streamp strm));
+/*
+     All memory allocated by inflateBackInit() is freed.
+
+     inflateBackEnd() returns Z_OK on success, or Z_STREAM_ERROR if the stream
+   state was inconsistent.
+*/
+
+ZEXTERN uLong ZEXPORT zlibCompileFlags OF((void));
+/* Return flags indicating compile-time options.
+
+    Type sizes, two bits each, 00 = 16 bits, 01 = 32, 10 = 64, 11 = other:
+     1.0: size of uInt
+     3.2: size of uLong
+     5.4: size of voidpf (pointer)
+     7.6: size of z_off_t
+
+    Compiler, assembler, and debug options:
+     8: DEBUG
+     9: ASMV or ASMINF -- use ASM code
+     10: ZLIB_WINAPI -- exported functions use the WINAPI calling convention
+     11: 0 (reserved)
+
+    One-time table building (smaller code, but not thread-safe if true):
+     12: BUILDFIXED -- build static block decoding tables when needed
+     13: DYNAMIC_CRC_TABLE -- build CRC calculation tables when needed
+     14,15: 0 (reserved)
+
+    Library content (indicates missing functionality):
+     16: NO_GZCOMPRESS -- gz* functions cannot compress (to avoid linking
+                          deflate code when not needed)
+     17: NO_GZIP -- deflate can't write gzip streams, and inflate can't detect
+                    and decode gzip streams (to avoid linking crc code)
+     18-19: 0 (reserved)
+
+    Operation variations (changes in library functionality):
+     20: PKZIP_BUG_WORKAROUND -- slightly more permissive inflate
+     21: FASTEST -- deflate algorithm with only one, lowest compression level
+     22,23: 0 (reserved)
+
+    The sprintf variant used by gzprintf (zero is best):
+     24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format
+     25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure!
+     26: 0 = returns value, 1 = void -- 1 means inferred string length returned
+
+    Remainder:
+     27-31: 0 (reserved)
+ */
+
+
+                        /* utility functions */
+
+/*
+     The following utility functions are implemented on top of the
+   basic stream-oriented functions. To simplify the interface, some
+   default options are assumed (compression level and memory usage,
+   standard memory allocation functions). The source code of these
+   utility functions can easily be modified if you need special options.
+*/
+
+ZEXTERN int ZEXPORT compress OF((Bytef *dest,   uLongf *destLen,
+                                 const Bytef *source, uLong sourceLen));
+/*
+     Compresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be at least the value returned
+   by compressBound(sourceLen). Upon exit, destLen is the actual size of the
+   compressed buffer.
+     This function can be used to compress a whole file at once if the
+   input file is mmap'ed.
+     compress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer.
+*/
+
+ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
+                                  const Bytef *source, uLong sourceLen,
+                                  int level));
+/*
+     Compresses the source buffer into the destination buffer. The level
+   parameter has the same meaning as in deflateInit.  sourceLen is the byte
+   length of the source buffer. Upon entry, destLen is the total size of the
+   destination buffer, which must be at least the value returned by
+   compressBound(sourceLen). Upon exit, destLen is the actual size of the
+   compressed buffer.
+
+     compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_BUF_ERROR if there was not enough room in the output buffer,
+   Z_STREAM_ERROR if the level parameter is invalid.
+*/
+
+ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen));
+/*
+     compressBound() returns an upper bound on the compressed size after
+   compress() or compress2() on sourceLen bytes.  It would be used before
+   a compress() or compress2() call to allocate the destination buffer.
+*/
+
+ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
+                                   const Bytef *source, uLong sourceLen));
+/*
+     Decompresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be large enough to hold the
+   entire uncompressed data. (The size of the uncompressed data must have
+   been saved previously by the compressor and transmitted to the decompressor
+   by some mechanism outside the scope of this compression library.)
+   Upon exit, destLen is the actual size of the compressed buffer.
+     This function can be used to decompress a whole file at once if the
+   input file is mmap'ed.
+
+     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete.
+*/
+
+
+typedef voidp gzFile;
+
+ZEXTERN gzFile ZEXPORT gzopen  OF((const char *path, const char *mode));
+/*
+     Opens a gzip (.gz) file for reading or writing. The mode parameter
+   is as in fopen ("rb" or "wb") but can also include a compression level
+   ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for
+   Huffman only compression as in "wb1h", or 'R' for run-length encoding
+   as in "wb1R". (See the description of deflateInit2 for more information
+   about the strategy parameter.)
+
+     gzopen can be used to read a file which is not in gzip format; in this
+   case gzread will directly read from the file without decompression.
+
+     gzopen returns NULL if the file could not be opened or if there was
+   insufficient memory to allocate the (de)compression state; errno
+   can be checked to distinguish the two cases (if errno is zero, the
+   zlib error is Z_MEM_ERROR).  */
+
+ZEXTERN gzFile ZEXPORT gzdopen  OF((int fd, const char *mode));
+/*
+     gzdopen() associates a gzFile with the file descriptor fd.  File
+   descriptors are obtained from calls like open, dup, creat, pipe or
+   fileno (in the file has been previously opened with fopen).
+   The mode parameter is as in gzopen.
+     The next call of gzclose on the returned gzFile will also close the
+   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
+   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
+     gzdopen returns NULL if there was insufficient memory to allocate
+   the (de)compression state.
+*/
+
+ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy));
+/*
+     Dynamically update the compression level or strategy. See the description
+   of deflateInit2 for the meaning of these parameters.
+     gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not
+   opened for writing.
+*/
+
+ZEXTERN int ZEXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
+/*
+     Reads the given number of uncompressed bytes from the compressed file.
+   If the input file was not in gzip format, gzread copies the given number
+   of bytes into the buffer.
+     gzread returns the number of uncompressed bytes actually read (0 for
+   end of file, -1 for error). */
+
+ZEXTERN int ZEXPORT    gzwrite OF((gzFile file,
+                                   voidpc buf, unsigned len));
+/*
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of uncompressed bytes actually written
+   (0 in case of error).
+*/
+
+ZEXTERN int ZEXPORTVA   gzprintf OF((gzFile file, const char *format, ...));
+/*
+     Converts, formats, and writes the args to the compressed file under
+   control of the format string, as in fprintf. gzprintf returns the number of
+   uncompressed bytes actually written (0 in case of error).  The number of
+   uncompressed bytes written is limited to 4095. The caller should assure that
+   this limit is not exceeded. If it is exceeded, then gzprintf() will return
+   return an error (0) with nothing written. In this case, there may also be a
+   buffer overflow with unpredictable consequences, which is possible only if
+   zlib was compiled with the insecure functions sprintf() or vsprintf()
+   because the secure snprintf() or vsnprintf() functions were not available.
+*/
+
+ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s));
+/*
+      Writes the given null-terminated string to the compressed file, excluding
+   the terminating null character.
+      gzputs returns the number of characters written, or -1 in case of error.
+*/
+
+ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len));
+/*
+      Reads bytes from the compressed file until len-1 characters are read, or
+   a newline character is read and transferred to buf, or an end-of-file
+   condition is encountered.  The string is then terminated with a null
+   character.
+      gzgets returns buf, or Z_NULL in case of error.
+*/
+
+ZEXTERN int ZEXPORT    gzputc OF((gzFile file, int c));
+/*
+      Writes c, converted to an unsigned char, into the compressed file.
+   gzputc returns the value that was written, or -1 in case of error.
+*/
+
+ZEXTERN int ZEXPORT    gzgetc OF((gzFile file));
+/*
+      Reads one byte from the compressed file. gzgetc returns this byte
+   or -1 in case of end of file or error.
+*/
+
+ZEXTERN int ZEXPORT    gzungetc OF((int c, gzFile file));
+/*
+      Push one character back onto the stream to be read again later.
+   Only one character of push-back is allowed.  gzungetc() returns the
+   character pushed, or -1 on failure.  gzungetc() will fail if a
+   character has been pushed but not read yet, or if c is -1. The pushed
+   character will be discarded if the stream is repositioned with gzseek()
+   or gzrewind().
+*/
+
+ZEXTERN int ZEXPORT    gzflush OF((gzFile file, int flush));
+/*
+     Flushes all pending output into the compressed file. The parameter
+   flush is as in the deflate() function. The return value is the zlib
+   error number (see function gzerror below). gzflush returns Z_OK if
+   the flush parameter is Z_FINISH and all output could be flushed.
+     gzflush should be called only when strictly necessary because it can
+   degrade compression.
+*/
+
+ZEXTERN z_off_t ZEXPORT    gzseek OF((gzFile file,
+                                      z_off_t offset, int whence));
+/*
+      Sets the starting position for the next gzread or gzwrite on the
+   given compressed file. The offset represents a number of bytes in the
+   uncompressed data stream. The whence parameter is defined as in lseek(2);
+   the value SEEK_END is not supported.
+     If the file is opened for reading, this function is emulated but can be
+   extremely slow. If the file is opened for writing, only forward seeks are
+   supported; gzseek then compresses a sequence of zeroes up to the new
+   starting position.
+
+      gzseek returns the resulting offset location as measured in bytes from
+   the beginning of the uncompressed stream, or -1 in case of error, in
+   particular if the file is opened for writing and the new starting position
+   would be before the current position.
+*/
+
+ZEXTERN int ZEXPORT    gzrewind OF((gzFile file));
+/*
+     Rewinds the given file. This function is supported only for reading.
+
+   gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
+*/
+
+ZEXTERN z_off_t ZEXPORT    gztell OF((gzFile file));
+/*
+     Returns the starting position for the next gzread or gzwrite on the
+   given compressed file. This position represents a number of bytes in the
+   uncompressed data stream.
+
+   gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
+*/
+
+ZEXTERN int ZEXPORT gzeof OF((gzFile file));
+/*
+     Returns 1 when EOF has previously been detected reading the given
+   input stream, otherwise zero.
+*/
+
+ZEXTERN int ZEXPORT gzdirect OF((gzFile file));
+/*
+     Returns 1 if file is being read directly without decompression, otherwise
+   zero.
+*/
+
+ZEXTERN int ZEXPORT    gzclose OF((gzFile file));
+/*
+     Flushes all pending output if necessary, closes the compressed file
+   and deallocates all the (de)compression state. The return value is the zlib
+   error number (see function gzerror below).
+*/
+
+ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum));
+/*
+     Returns the error message for the last error which occurred on the
+   given compressed file. errnum is set to zlib error number. If an
+   error occurred in the file system and not in the compression library,
+   errnum is set to Z_ERRNO and the application may consult errno
+   to get the exact error code.
+*/
+
+ZEXTERN void ZEXPORT gzclearerr OF((gzFile file));
+/*
+     Clears the error and end-of-file flags for file. This is analogous to the
+   clearerr() function in stdio. This is useful for continuing to read a gzip
+   file that is being written concurrently.
+*/
+
+                        /* checksum functions */
+
+/*
+     These functions are not related to compression but are exported
+   anyway because they might be useful in applications using the
+   compression library.
+*/
+
+ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
+/*
+     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
+   return the updated checksum. If buf is NULL, this function returns
+   the required initial value for the checksum.
+   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
+   much faster. Usage example:
+
+     uLong adler = adler32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       adler = adler32(adler, buffer, length);
+     }
+     if (adler != original_adler) error();
+*/
+
+ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2,
+                                          z_off_t len2));
+/*
+     Combine two Adler-32 checksums into one.  For two sequences of bytes, seq1
+   and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for
+   each, adler1 and adler2.  adler32_combine() returns the Adler-32 checksum of
+   seq1 and seq2 concatenated, requiring only adler1, adler2, and len2.
+*/
+
+ZEXTERN uLong ZEXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
+/*
+     Update a running CRC-32 with the bytes buf[0..len-1] and return the
+   updated CRC-32. If buf is NULL, this function returns the required initial
+   value for the for the crc. Pre- and post-conditioning (one's complement) is
+   performed within this function so it shouldn't be done by the application.
+   Usage example:
+
+     uLong crc = crc32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       crc = crc32(crc, buffer, length);
+     }
+     if (crc != original_crc) error();
+*/
+
+ZEXTERN uLong ZEXPORT crc32_combine OF((uLong crc1, uLong crc2, z_off_t len2));
+
+/*
+     Combine two CRC-32 check values into one.  For two sequences of bytes,
+   seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
+   calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
+   check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
+   len2.
+*/
+
+
+                        /* various hacks, don't look :) */
+
+/* deflateInit and inflateInit are macros to allow checking the zlib version
+ * and the compiler's view of z_stream:
+ */
+ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level,
+                                     const char *version, int stream_size));
+ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm,
+                                     const char *version, int stream_size));
+ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method,
+                                      int windowBits, int memLevel,
+                                      int strategy, const char *version,
+                                      int stream_size));
+ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int  windowBits,
+                                      const char *version, int stream_size));
+ZEXTERN int ZEXPORT inflateBackInit_ OF((z_streamp strm, int windowBits,
+                                         unsigned char FAR *window,
+                                         const char *version,
+                                         int stream_size));
+#define deflateInit(strm, level) \
+        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit(strm) \
+        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
+#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
+        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
+                      (strategy),           ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit2(strm, windowBits) \
+        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
+#define inflateBackInit(strm, windowBits, window) \
+        inflateBackInit_((strm), (windowBits), (window), \
+        ZLIB_VERSION, sizeof(z_stream))
+
+
+#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL)
+    struct internal_state {int dummy;}; /* hack for buggy compilers */
+#endif
+
+ZEXTERN const char   * ZEXPORT zError           OF((int));
+ZEXTERN int            ZEXPORT inflateSyncPoint OF((z_streamp z));
+ZEXTERN const uLongf * ZEXPORT get_crc_table    OF((void));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ZLIB_H */
diff --git a/security/nss/cmd/zlib/zutil.c b/security/nss/cmd/zlib/zutil.c
new file mode 100644
index 000000000..d55f5948a
--- /dev/null
+++ b/security/nss/cmd/zlib/zutil.c
@@ -0,0 +1,318 @@
+/* zutil.c -- target dependent utility functions for the compression library
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#include "zutil.h"
+
+#ifndef NO_DUMMY_DECL
+struct internal_state      {int dummy;}; /* for buggy compilers */
+#endif
+
+const char * const z_errmsg[10] = {
+"need dictionary",     /* Z_NEED_DICT       2  */
+"stream end",          /* Z_STREAM_END      1  */
+"",                    /* Z_OK              0  */
+"file error",          /* Z_ERRNO         (-1) */
+"stream error",        /* Z_STREAM_ERROR  (-2) */
+"data error",          /* Z_DATA_ERROR    (-3) */
+"insufficient memory", /* Z_MEM_ERROR     (-4) */
+"buffer error",        /* Z_BUF_ERROR     (-5) */
+"incompatible version",/* Z_VERSION_ERROR (-6) */
+""};
+
+
+const char * ZEXPORT zlibVersion()
+{
+    return ZLIB_VERSION;
+}
+
+uLong ZEXPORT zlibCompileFlags()
+{
+    uLong flags;
+
+    flags = 0;
+    switch (sizeof(uInt)) {
+    case 2:     break;
+    case 4:     flags += 1;     break;
+    case 8:     flags += 2;     break;
+    default:    flags += 3;
+    }
+    switch (sizeof(uLong)) {
+    case 2:     break;
+    case 4:     flags += 1 << 2;        break;
+    case 8:     flags += 2 << 2;        break;
+    default:    flags += 3 << 2;
+    }
+    switch (sizeof(voidpf)) {
+    case 2:     break;
+    case 4:     flags += 1 << 4;        break;
+    case 8:     flags += 2 << 4;        break;
+    default:    flags += 3 << 4;
+    }
+    switch (sizeof(z_off_t)) {
+    case 2:     break;
+    case 4:     flags += 1 << 6;        break;
+    case 8:     flags += 2 << 6;        break;
+    default:    flags += 3 << 6;
+    }
+#ifdef DEBUG
+    flags += 1 << 8;
+#endif
+#if defined(ASMV) || defined(ASMINF)
+    flags += 1 << 9;
+#endif
+#ifdef ZLIB_WINAPI
+    flags += 1 << 10;
+#endif
+#ifdef BUILDFIXED
+    flags += 1 << 12;
+#endif
+#ifdef DYNAMIC_CRC_TABLE
+    flags += 1 << 13;
+#endif
+#ifdef NO_GZCOMPRESS
+    flags += 1L << 16;
+#endif
+#ifdef NO_GZIP
+    flags += 1L << 17;
+#endif
+#ifdef PKZIP_BUG_WORKAROUND
+    flags += 1L << 20;
+#endif
+#ifdef FASTEST
+    flags += 1L << 21;
+#endif
+#ifdef STDC
+#  ifdef NO_vsnprintf
+        flags += 1L << 25;
+#    ifdef HAS_vsprintf_void
+        flags += 1L << 26;
+#    endif
+#  else
+#    ifdef HAS_vsnprintf_void
+        flags += 1L << 26;
+#    endif
+#  endif
+#else
+        flags += 1L << 24;
+#  ifdef NO_snprintf
+        flags += 1L << 25;
+#    ifdef HAS_sprintf_void
+        flags += 1L << 26;
+#    endif
+#  else
+#    ifdef HAS_snprintf_void
+        flags += 1L << 26;
+#    endif
+#  endif
+#endif
+    return flags;
+}
+
+#ifdef DEBUG
+
+#  ifndef verbose
+#    define verbose 0
+#  endif
+int z_verbose = verbose;
+
+void z_error (m)
+    char *m;
+{
+    fprintf(stderr, "%s\n", m);
+    exit(1);
+}
+#endif
+
+/* exported to allow conversion of error code to string for compress() and
+ * uncompress()
+ */
+const char * ZEXPORT zError(err)
+    int err;
+{
+    return ERR_MSG(err);
+}
+
+#if defined(_WIN32_WCE)
+    /* The Microsoft C Run-Time Library for Windows CE doesn't have
+     * errno.  We define it as a global variable to simplify porting.
+     * Its value is always 0 and should not be used.
+     */
+    int errno = 0;
+#endif
+
+#ifndef HAVE_MEMCPY
+
+void zmemcpy(dest, source, len)
+    Bytef* dest;
+    const Bytef* source;
+    uInt  len;
+{
+    if (len == 0) return;
+    do {
+        *dest++ = *source++; /* ??? to be unrolled */
+    } while (--len != 0);
+}
+
+int zmemcmp(s1, s2, len)
+    const Bytef* s1;
+    const Bytef* s2;
+    uInt  len;
+{
+    uInt j;
+
+    for (j = 0; j < len; j++) {
+        if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1;
+    }
+    return 0;
+}
+
+void zmemzero(dest, len)
+    Bytef* dest;
+    uInt  len;
+{
+    if (len == 0) return;
+    do {
+        *dest++ = 0;  /* ??? to be unrolled */
+    } while (--len != 0);
+}
+#endif
+
+
+#ifdef SYS16BIT
+
+#ifdef __TURBOC__
+/* Turbo C in 16-bit mode */
+
+#  define MY_ZCALLOC
+
+/* Turbo C malloc() does not allow dynamic allocation of 64K bytes
+ * and farmalloc(64K) returns a pointer with an offset of 8, so we
+ * must fix the pointer. Warning: the pointer must be put back to its
+ * original form in order to free it, use zcfree().
+ */
+
+#define MAX_PTR 10
+/* 10*64K = 640K */
+
+local int next_ptr = 0;
+
+typedef struct ptr_table_s {
+    voidpf org_ptr;
+    voidpf new_ptr;
+} ptr_table;
+
+local ptr_table table[MAX_PTR];
+/* This table is used to remember the original form of pointers
+ * to large buffers (64K). Such pointers are normalized with a zero offset.
+ * Since MSDOS is not a preemptive multitasking OS, this table is not
+ * protected from concurrent access. This hack doesn't work anyway on
+ * a protected system like OS/2. Use Microsoft C instead.
+ */
+
+voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+{
+    voidpf buf = opaque; /* just to make some compilers happy */
+    ulg bsize = (ulg)items*size;
+
+    /* If we allocate less than 65520 bytes, we assume that farmalloc
+     * will return a usable pointer which doesn't have to be normalized.
+     */
+    if (bsize < 65520L) {
+        buf = farmalloc(bsize);
+        if (*(ush*)&buf != 0) return buf;
+    } else {
+        buf = farmalloc(bsize + 16L);
+    }
+    if (buf == NULL || next_ptr >= MAX_PTR) return NULL;
+    table[next_ptr].org_ptr = buf;
+
+    /* Normalize the pointer to seg:0 */
+    *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4;
+    *(ush*)&buf = 0;
+    table[next_ptr++].new_ptr = buf;
+    return buf;
+}
+
+void  zcfree (voidpf opaque, voidpf ptr)
+{
+    int n;
+    if (*(ush*)&ptr != 0) { /* object < 64K */
+        farfree(ptr);
+        return;
+    }
+    /* Find the original pointer */
+    for (n = 0; n < next_ptr; n++) {
+        if (ptr != table[n].new_ptr) continue;
+
+        farfree(table[n].org_ptr);
+        while (++n < next_ptr) {
+            table[n-1] = table[n];
+        }
+        next_ptr--;
+        return;
+    }
+    ptr = opaque; /* just to make some compilers happy */
+    Assert(0, "zcfree: ptr not found");
+}
+
+#endif /* __TURBOC__ */
+
+
+#ifdef M_I86
+/* Microsoft C in 16-bit mode */
+
+#  define MY_ZCALLOC
+
+#if (!defined(_MSC_VER) || (_MSC_VER <= 600))
+#  define _halloc  halloc
+#  define _hfree   hfree
+#endif
+
+voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+{
+    if (opaque) opaque = 0; /* to make compiler happy */
+    return _halloc((long)items, size);
+}
+
+void  zcfree (voidpf opaque, voidpf ptr)
+{
+    if (opaque) opaque = 0; /* to make compiler happy */
+    _hfree(ptr);
+}
+
+#endif /* M_I86 */
+
+#endif /* SYS16BIT */
+
+
+#ifndef MY_ZCALLOC /* Any system without a special alloc function */
+
+#ifndef STDC
+extern voidp  malloc OF((uInt size));
+extern voidp  calloc OF((uInt items, uInt size));
+extern void   free   OF((voidpf ptr));
+#endif
+
+voidpf zcalloc (opaque, items, size)
+    voidpf opaque;
+    unsigned items;
+    unsigned size;
+{
+    if (opaque) items += size - size; /* make compiler happy */
+    return sizeof(uInt) > 2 ? (voidpf)malloc(items * size) :
+                              (voidpf)calloc(items, size);
+}
+
+void  zcfree (opaque, ptr)
+    voidpf opaque;
+    voidpf ptr;
+{
+    free(ptr);
+    if (opaque) return; /* make compiler happy */
+}
+
+#endif /* MY_ZCALLOC */
diff --git a/security/nss/cmd/zlib/zutil.h b/security/nss/cmd/zlib/zutil.h
new file mode 100644
index 000000000..fe7a9a7c1
--- /dev/null
+++ b/security/nss/cmd/zlib/zutil.h
@@ -0,0 +1,270 @@
+/* zutil.h -- internal interface and configuration of the compression library
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* @(#) $Id$ */
+
+#ifndef ZUTIL_H
+#define ZUTIL_H
+
+#define ZLIB_INTERNAL
+#include "zlib.h"
+
+#ifdef STDC
+#  ifndef _WIN32_WCE
+#    include <stddef.h>
+#  endif
+#  include <string.h>
+#  include <stdlib.h>
+#endif
+#ifdef NO_ERRNO_H
+#   ifdef _WIN32_WCE
+      /* The Microsoft C Run-Time Library for Windows CE doesn't have
+       * errno.  We define it as a global variable to simplify porting.
+       * Its value is always 0 and should not be used.  We rename it to
+       * avoid conflict with other libraries that use the same workaround.
+       */
+#     define errno z_errno
+#   endif
+    extern int errno;
+#else
+#  ifndef _WIN32_WCE
+#    include <errno.h>
+#  endif
+#endif
+
+#ifndef local
+#  define local static
+#endif
+/* compile with -Dlocal if your debugger can't find static symbols */
+
+typedef unsigned char  uch;
+typedef uch FAR uchf;
+typedef unsigned short ush;
+typedef ush FAR ushf;
+typedef unsigned long  ulg;
+
+extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
+/* (size given to avoid silly warnings with Visual C++) */
+
+#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]
+
+#define ERR_RETURN(strm,err) \
+  return (strm->msg = (char*)ERR_MSG(err), (err))
+/* To be used only when the state is known to be valid */
+
+        /* common constants */
+
+#ifndef DEF_WBITS
+#  define DEF_WBITS MAX_WBITS
+#endif
+/* default windowBits for decompression. MAX_WBITS is for compression only */
+
+#if MAX_MEM_LEVEL >= 8
+#  define DEF_MEM_LEVEL 8
+#else
+#  define DEF_MEM_LEVEL  MAX_MEM_LEVEL
+#endif
+/* default memLevel */
+
+#define STORED_BLOCK 0
+#define STATIC_TREES 1
+#define DYN_TREES    2
+/* The three kinds of block type */
+
+#define MIN_MATCH  3
+#define MAX_MATCH  258
+/* The minimum and maximum match lengths */
+
+#define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */
+
+        /* target dependencies */
+
+#if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32))
+#  define OS_CODE  0x00
+#  if defined(__TURBOC__) || defined(__BORLANDC__)
+#    if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
+       /* Allow compilation with ANSI keywords only enabled */
+       void _Cdecl farfree( void *block );
+       void *_Cdecl farmalloc( unsigned long nbytes );
+#    else
+#      include <alloc.h>
+#    endif
+#  else /* MSC or DJGPP */
+#    include <malloc.h>
+#  endif
+#endif
+
+#ifdef AMIGA
+#  define OS_CODE  0x01
+#endif
+
+#if defined(VAXC) || defined(VMS)
+#  define OS_CODE  0x02
+#  define F_OPEN(name, mode) \
+     fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
+#endif
+
+#if defined(ATARI) || defined(atarist)
+#  define OS_CODE  0x05
+#endif
+
+#ifdef OS2
+#  define OS_CODE  0x06
+#  ifdef M_I86
+     #include <malloc.h>
+#  endif
+#endif
+
+#if defined(MACOS) || defined(TARGET_OS_MAC)
+#  define OS_CODE  0x07
+#  if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
+#    include <unix.h> /* for fdopen */
+#  else
+#    ifndef fdopen
+#      define fdopen(fd,mode) NULL /* No fdopen() */
+#    endif
+#  endif
+#endif
+
+#ifdef TOPS20
+#  define OS_CODE  0x0a
+#endif
+
+#ifdef WIN32
+#  ifndef __CYGWIN__  /* Cygwin is Unix, not Win32 */
+#    define OS_CODE  0x0b
+#  endif
+#endif
+
+#ifdef __50SERIES /* Prime/PRIMOS */
+#  define OS_CODE  0x0f
+#endif
+
+#if defined(_BEOS_) || defined(RISCOS)
+#  define fdopen(fd,mode) NULL /* No fdopen() */
+#endif
+
+#if (defined(_MSC_VER) && (_MSC_VER > 600))
+#  if defined(_WIN32_WCE)
+#    define fdopen(fd,mode) NULL /* No fdopen() */
+#    ifndef _PTRDIFF_T_DEFINED
+       typedef int ptrdiff_t;
+#      define _PTRDIFF_T_DEFINED
+#    endif
+#  else
+#    define fdopen(fd,type)  _fdopen(fd,type)
+#  endif
+#endif
+
+        /* common defaults */
+
+#ifndef OS_CODE
+#  define OS_CODE  0x03  /* assume Unix */
+#endif
+
+#ifndef F_OPEN
+#  define F_OPEN(name, mode) fopen((name), (mode))
+#endif
+
+         /* functions */
+
+#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550) || \
+   (defined(_MSC_VER) && _MSC_VER >= 1500)
+#  ifndef HAVE_VSNPRINTF
+#    define HAVE_VSNPRINTF
+#  endif
+#endif
+#if defined(__CYGWIN__)
+#  ifndef HAVE_VSNPRINTF
+#    define HAVE_VSNPRINTF
+#  endif
+#endif
+#ifndef HAVE_VSNPRINTF
+#  ifdef MSDOS
+     /* vsnprintf may exist on some MS-DOS compilers (DJGPP?),
+        but for now we just assume it doesn't. */
+#    define NO_vsnprintf
+#  endif
+#  ifdef __TURBOC__
+#    define NO_vsnprintf
+#  endif
+#  ifdef WIN32
+     /* In Win32, vsnprintf is available as the "non-ANSI" _vsnprintf. */
+#    if !defined(vsnprintf) && !defined(NO_vsnprintf)
+#      define vsnprintf _vsnprintf
+#    endif
+#  endif
+#  ifdef __SASC
+#    define NO_vsnprintf
+#  endif
+#endif
+#ifdef VMS
+#  define NO_vsnprintf
+#endif
+
+#if defined(pyr)
+#  define NO_MEMCPY
+#endif
+#if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)
+ /* Use our own functions for small and medium model with MSC <= 5.0.
+  * You may have to use the same strategy for Borland C (untested).
+  * The __SC__ check is for Symantec.
+  */
+#  define NO_MEMCPY
+#endif
+#if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)
+#  define HAVE_MEMCPY
+#endif
+#ifdef HAVE_MEMCPY
+#  ifdef SMALL_MEDIUM /* MSDOS small or medium model */
+#    define zmemcpy _fmemcpy
+#    define zmemcmp _fmemcmp
+#    define zmemzero(dest, len) _fmemset(dest, 0, len)
+#  else
+#    define zmemcpy memcpy
+#    define zmemcmp memcmp
+#    define zmemzero(dest, len) memset(dest, 0, len)
+#  endif
+#else
+   extern void zmemcpy  OF((Bytef* dest, const Bytef* source, uInt len));
+   extern int  zmemcmp  OF((const Bytef* s1, const Bytef* s2, uInt len));
+   extern void zmemzero OF((Bytef* dest, uInt len));
+#endif
+
+/* Diagnostic functions */
+#ifdef DEBUG
+#  include <stdio.h>
+   extern int z_verbose;
+   extern void z_error    OF((char *m));
+#  define Assert(cond,msg) {if(!(cond)) z_error(msg);}
+#  define Trace(x) {if (z_verbose>=0) fprintf x ;}
+#  define Tracev(x) {if (z_verbose>0) fprintf x ;}
+#  define Tracevv(x) {if (z_verbose>1) fprintf x ;}
+#  define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;}
+#  define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;}
+#else
+#  define Assert(cond,msg)
+#  define Trace(x)
+#  define Tracev(x)
+#  define Tracevv(x)
+#  define Tracec(c,x)
+#  define Tracecv(c,x)
+#endif
+
+
+voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size));
+void   zcfree  OF((voidpf opaque, voidpf ptr));
+
+#define ZALLOC(strm, items, size) \
+           (*((strm)->zalloc))((strm)->opaque, (items), (size))
+#define ZFREE(strm, addr)  (*((strm)->zfree))((strm)->opaque, (voidpf)(addr))
+#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}
+
+#endif /* ZUTIL_H */
diff --git a/security/nss/lib/Makefile b/security/nss/lib/Makefile
new file mode 100644
index 000000000..a111275bd
--- /dev/null
+++ b/security/nss/lib/Makefile
@@ -0,0 +1,101 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+ifeq ($(OS_TARGET), WINCE)
+DIRS := $(filter-out fortcrypt,$(DIRS))
+endif
+
+ifndef MOZILLA_CLIENT
+ifndef NSS_USE_SYSTEM_SQLITE
+DIRS := sqlite $(DIRS)
+endif
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+ifdef MOZILLA_SECURITY_BUILD
+FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
+
+export::
+	if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
+	    $(NSINSTALL) -D crypto; \
+	    for file in $(FILES) ; do \
+		if test -f $$file; then \
+		    $(INSTALL) -m 444 $$file crypto; \
+		fi; \
+	    done;  \
+	    $(INSTALL) -m 444 freebl/sha_fast.c crypto; \
+	    $(INSTALL) -m 444 freebl/sha_fast.h crypto; \
+	fi
+endif
diff --git a/security/nss/lib/base/Makefile b/security/nss/lib/base/Makefile
new file mode 100644
index 000000000..2d25c00f2
--- /dev/null
+++ b/security/nss/lib/base/Makefile
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c
new file mode 100644
index 000000000..15d2153d2
--- /dev/null
+++ b/security/nss/lib/base/arena.c
@@ -0,0 +1,1156 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * arena.c
+ *
+ * This contains the implementation of NSS's thread-safe arenas.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef ARENA_THREADMARK
+#include "prthread.h"
+#endif /* ARENA_THREADMARK */
+
+#include "prlock.h"
+#include "plarena.h"
+
+#include <string.h>
+
+/*
+ * NSSArena
+ *
+ * This is based on NSPR's arena code, but it is threadsafe.
+ *
+ * The public methods relating to this type are:
+ *
+ *  NSSArena_Create  -- constructor
+ *  NSSArena_Destroy
+ *
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssArena_Create  -- constructor
+ *  nssArena_Destroy
+ *  nssArena_Mark
+ *  nssArena_Release
+ *  nssArena_Unmark
+ * 
+ *  nss_ZAlloc
+ *  nss_ZFreeIf
+ *  nss_ZRealloc
+ *
+ * In debug builds, the following calls are available:
+ *
+ *  nssArena_verifyPointer
+ *  nssArena_registerDestructor
+ *  nssArena_deregisterDestructor
+ */
+
+struct NSSArenaStr {
+  PLArenaPool pool;
+  PRLock *lock;
+#ifdef ARENA_THREADMARK
+  PRThread *marking_thread;
+  nssArenaMark *first_mark;
+  nssArenaMark *last_mark;
+#endif /* ARENA_THREADMARK */
+#ifdef ARENA_DESTRUCTOR_LIST
+  struct arena_destructor_node *first_destructor;
+  struct arena_destructor_node *last_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+};
+
+/*
+ * nssArenaMark
+ *
+ * This type is used to mark the current state of an NSSArena.
+ */
+
+struct nssArenaMarkStr {
+  PRUint32 magic;
+  void *mark;
+#ifdef ARENA_THREADMARK
+  nssArenaMark *next;
+#endif /* ARENA_THREADMARK */
+#ifdef ARENA_DESTRUCTOR_LIST
+  struct arena_destructor_node *next_destructor;
+  struct arena_destructor_node *prev_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+};
+
+#define MARK_MAGIC 0x4d41524b /* "MARK" how original */
+
+/*
+ * But first, the pointer-tracking code
+ */
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker arena_pointer_tracker;
+
+static PRStatus
+arena_add_pointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+arena_remove_pointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssArena_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSArena object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    /*
+     * This is a little disingenious.  We have to initialize the
+     * tracker, because someone could "legitimately" try to verify
+     * an arena pointer before one is ever created.  And this step
+     * might fail, due to lack of memory.  But the only way that
+     * this step can fail is if it's doing the call_once stuff,
+     * (later calls just no-op).  And if it didn't no-op, there
+     * aren't any valid arenas.. so the argument certainly isn't one.
+     */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+#ifdef ARENA_DESTRUCTOR_LIST
+
+struct arena_destructor_node {
+  struct arena_destructor_node *next;
+  struct arena_destructor_node *prev;
+  void (*destructor)(void *argument);
+  void *arg;
+};
+
+/*
+ * nssArena_registerDestructor
+ *
+ * This routine stores a pointer to a callback and an arbitrary
+ * pointer-sized argument in the arena, at the current point in
+ * the mark stack.  If the arena is destroyed, or an "earlier"
+ * mark is released, then this destructor will be called at that
+ * time.  Note that the destructor will be called with the arena
+ * locked, which means the destructor may free memory in that
+ * arena, but it may not allocate or cause to be allocated any
+ * memory.  This callback facility was included to support our
+ * debug-version pointer-tracker feature; overuse runs counter to
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
+{
+  struct arena_destructor_node *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+  
+  it = nss_ZNEW(arena, struct arena_destructor_node);
+  if( (struct arena_destructor_node *)NULL == it ) {
+    return PR_FAILURE;
+  }
+
+  it->prev = arena->last_destructor;
+  arena->last_destructor->next = it;
+  arena->last_destructor = it;
+  it->destructor = destructor;
+  it->arg = arg;
+
+  if( (nssArenaMark *)NULL != arena->last_mark ) {
+    arena->last_mark->prev_destructor = it->prev;
+    arena->last_mark->next_destructor = it->next;
+  }
+
+  return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
+{
+  struct arena_destructor_node *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  for( it = arena->first_destructor; it; it = it->next ) {
+    if( (it->destructor == destructor) && (it->arg == arg) ) {
+      break;
+    }
+  }
+
+  if( (struct arena_destructor_node *)NULL == it ) {
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+  }
+
+  if( it == arena->first_destructor ) {
+    arena->first_destructor = it->next;
+  }
+
+  if( it == arena->last_destructor ) {
+    arena->last_destructor = it->prev;
+  }
+
+  if( (struct arena_destructor_node *)NULL != it->prev ) {
+    it->prev->next = it->next;
+  }
+
+  if( (struct arena_destructor_node *)NULL != it->next ) {
+    it->next->prev = it->prev;
+  }
+
+  {
+    nssArenaMark *m;
+    for( m = arena->first_mark; m; m = m->next ) {
+      if( m->next_destructor == it ) {
+        m->next_destructor = it->next;
+      }
+      if( m->prev_destructor == it ) {
+        m->prev_destructor = it->prev;
+      }
+    }
+  }
+
+  nss_ZFreeIf(it);
+  return PR_SUCCESS;
+}
+
+static void
+nss_arena_call_destructor_chain
+(
+  struct arena_destructor_node *it
+)
+{
+  for( ; it ; it = it->next ) {
+    (*(it->destructor))(it->arg);
+  }
+}
+
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+/*
+ * NSSArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSArena_Create
+(
+  void
+)
+{
+  nss_ClearErrorStack();
+  return nssArena_Create();
+}
+
+/*
+ * nssArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_IMPLEMENT NSSArena *
+nssArena_Create
+(
+  void
+)
+{
+  NSSArena *rv = (NSSArena *)NULL;
+
+  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
+  if( (NSSArena *)NULL == rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
+
+  rv->lock = PR_NewLock();
+  if( (PRLock *)NULL == rv->lock ) {
+    (void)nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
+
+  /*
+   * Arena sizes.  The current security code has 229 occurrences of
+   * PORT_NewArena.  The default chunksizes specified break down as
+   *
+   *  Size    Mult.   Specified as
+   *   512       1    512
+   *  1024       7    1024
+   *  2048       5    2048
+   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
+   *  2048     190    DER_DEFAULT_CHUNKSIZE
+   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
+   *  4096       1    4096
+   *
+   * Obviously this "default chunksize" flexibility isn't very 
+   * useful to us, so I'll just pick 2048.
+   */
+
+  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = arena_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PL_FinishArenaPool(&rv->pool);
+      PR_DestroyLock(rv->lock);
+      (void)nss_ZFreeIf(rv);
+      return (NSSArena *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * NSSArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSArena_Destroy
+(
+  NSSArena *arena
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssArena_Destroy(arena);
+}
+
+/*
+ * nssArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Destroy
+(
+  NSSArena *arena
+)
+{
+  PRLock *lock;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+  PR_Lock(arena->lock);
+  
+#ifdef DEBUG
+  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
+    PR_Unlock(arena->lock);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+#ifdef ARENA_DESTRUCTOR_LIST
+  /* Note that the arena is locked at this time */
+  nss_arena_call_destructor_chain(arena->first_destructor);
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+  PL_FinishArenaPool(&arena->pool);
+  lock = arena->lock;
+  arena->lock = (PRLock *)NULL;
+  PR_Unlock(lock);
+  PR_DestroyLock(lock);
+  (void)nss_ZFreeIf(arena);
+  return PR_SUCCESS;
+}
+
+static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
+
+/*
+ * nssArena_Mark
+ *
+ * This routine "marks" the current state of an arena.  Space
+ * allocated after the arena has been marked can be freed by
+ * releasing the arena back to the mark with nssArena_Release,
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
+ * have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon failure
+ *  An nssArenaMark pointer upon success
+ */
+
+NSS_IMPLEMENT nssArenaMark *
+nssArena_Mark
+(
+  NSSArena *arena
+)
+{
+  nssArenaMark *rv;
+  void *p;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return (nssArenaMark *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return (nssArenaMark *)NULL;
+  }
+  PR_Lock(arena->lock);
+
+#ifdef ARENA_THREADMARK
+  if( (PRThread *)NULL == arena->marking_thread ) {
+    /* Unmarked.  Store our thread ID */
+    arena->marking_thread = PR_GetCurrentThread();
+    /* This call never fails. */
+  } else {
+    /* Marked.  Verify it's the current thread */
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return (nssArenaMark *)NULL;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  p = PL_ARENA_MARK(&arena->pool);
+  /* No error possible */
+
+  /* Do this after the mark */
+  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
+  if( (nssArenaMark *)NULL == rv ) {
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (nssArenaMark *)NULL;
+  }
+
+#ifdef ARENA_THREADMARK
+  if ( (nssArenaMark *)NULL == arena->first_mark) {
+    arena->first_mark = rv;
+    arena->last_mark = rv;
+  } else {
+    arena->last_mark->next = rv;
+    arena->last_mark = rv;
+  }
+#endif /* ARENA_THREADMARK */
+
+  rv->mark = p;
+  rv->magic = MARK_MAGIC;
+
+#ifdef ARENA_DESTRUCTOR_LIST
+  rv->prev_destructor = arena->last_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+  PR_Unlock(arena->lock);
+
+  return rv;
+}
+
+/*
+ * nss_arena_unmark_release
+ *
+ * This static routine implements the routines nssArena_Release
+ * ans nssArena_Unmark, which are almost identical.
+ */
+
+static PRStatus
+nss_arena_unmark_release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark,
+  PRBool release
+)
+{
+  void *inner_mark;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( MARK_MAGIC != arenaMark->magic ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
+
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+  PR_Lock(arena->lock);
+
+#ifdef ARENA_THREADMARK
+  if( (PRThread *)NULL != arena->marking_thread ) {
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return PR_FAILURE;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  if( MARK_MAGIC != arenaMark->magic ) {
+    /* Just got released */
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
+
+  arenaMark->magic = 0;
+  inner_mark = arenaMark->mark;
+
+#ifdef ARENA_THREADMARK
+  {
+    nssArenaMark **pMark = &arena->first_mark;
+    nssArenaMark *rest;
+    nssArenaMark *last = (nssArenaMark *)NULL;
+
+    /* Find this mark */
+    while( *pMark != arenaMark ) {
+      last = *pMark;
+      pMark = &(*pMark)->next;
+    }
+
+    /* Remember the pointer, then zero it */
+    rest = (*pMark)->next;
+    *pMark = (nssArenaMark *)NULL;
+
+    arena->last_mark = last;
+
+    /* Invalidate any later marks being implicitly released */
+    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
+      rest->magic = 0;
+    }
+
+    /* If we just got rid of the first mark, clear the thread ID */
+    if( (nssArenaMark *)NULL == arena->first_mark ) {
+      arena->marking_thread = (PRThread *)NULL;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  if( release ) {
+#ifdef ARENA_DESTRUCTOR_LIST
+    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
+      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
+    }
+    arena->last_destructor = arenaMark->prev_destructor;
+
+    /* Note that the arena is locked at this time */
+    nss_arena_call_destructor_chain(arenaMark->next_destructor);
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+    PR_ARENA_RELEASE(&arena->pool, inner_mark);
+    /* No error return */
+  }
+
+  PR_Unlock(arena->lock);
+  return PR_SUCCESS;
+}
+
+/*
+ * nssArena_Release
+ *
+ * This routine invalidates and releases all memory allocated from
+ * the specified arena after the point at which the specified mark
+ * was obtained.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
+{
+  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
+}
+
+/*
+ * nssArena_Unmark
+ *
+ * This routine "commits" the indicated mark and any marks after
+ * it, making them unreleasable.  Note that any earlier marks can
+ * still be released, and such a release will invalidate these
+ * later unmarked regions.  If an arena is to be safely shared by
+ * more than one thread, all marks must be either released or
+ * unmarked.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
+{
+  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
+}
+
+/*
+ * We prefix this header to all allocated blocks.  It is a multiple
+ * of the alignment size.  Note that this usage of a header may make
+ * purify spew bogus warnings about "potentially leaked blocks" of
+ * memory; if that gets too annoying we can add in a pointer to the
+ * header in the header itself.  There's not a lot of safety here;
+ * maybe we should add a magic value?
+ */
+struct pointer_header {
+  NSSArena *arena;
+  PRUint32 size;
+};
+
+static void *
+nss_zalloc_arena_locked
+(
+  NSSArena *arena,
+  PRUint32 size
+)
+{
+  void *p;
+  void *rv;
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
+  PR_ARENA_ALLOCATE(p, &arena->pool, my_size);
+  if( (void *)NULL == p ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+  /* 
+   * Do this before we unlock.  This way if the user is using
+   * an arena in one thread while destroying it in another, he'll
+   * fault/FMR in his code, not ours.
+   */
+  h = (struct pointer_header *)p;
+  h->arena = arena;
+  h->size = size;
+  rv = (void *)((char *)h + sizeof(struct pointer_header));
+  (void)nsslibc_memset(rv, 0, size);
+  return rv;
+}
+
+/*
+ * nss_ZAlloc
+ *
+ * This routine allocates and zeroes a section of memory of the 
+ * size, and returns to the caller a pointer to that memory.  If
+ * the optional arena argument is non-null, the memory will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in
+ * which case it will have set an error upon the error stack.  The
+ * value specified for size may be zero; in which case a valid 
+ * zero-length block of memory will be allocated.  This block may
+ * be expanded by calling nss_ZRealloc.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+NSS_IMPLEMENT void *
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+)
+{
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
+
+  if( my_size < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    /* Heap allocation, no locking required. */
+    h = (struct pointer_header *)PR_Calloc(1, my_size);
+    if( (struct pointer_header *)NULL == h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    h->arena = (NSSArena *)NULL;
+    h->size = size;
+    /* We used calloc: it's already zeroed */
+
+    return (void *)((char *)h + sizeof(struct pointer_header));
+  } else {
+    void *rv;
+    /* Arena allocation */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (void *)NULL;
+    }
+#endif /* NSSDEBUG */
+
+    if( (PRLock *)NULL == arenaOpt->lock ) {
+      /* Just got destroyed */
+      nss_SetError(NSS_ERROR_INVALID_ARENA);
+      return (void *)NULL;
+    }
+    PR_Lock(arenaOpt->lock);
+
+#ifdef ARENA_THREADMARK
+    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
+      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        PR_Unlock(arenaOpt->lock);
+        return (void *)NULL;
+      }
+    }
+#endif /* ARENA_THREADMARK */
+
+    rv = nss_zalloc_arena_locked(arenaOpt, size);
+
+    PR_Unlock(arenaOpt->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
+}
+
+/*
+ * nss_ZFreeIf
+ *
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_ZFreeIf
+(
+  void *pointer
+)
+{
+  struct pointer_header *h;
+
+  if( (void *)NULL == pointer ) {
+    return PR_SUCCESS;
+  }
+
+  h = (struct pointer_header *)((char *)pointer
+    - sizeof(struct pointer_header));
+
+  /* Check any magic here */
+
+  if( (NSSArena *)NULL == h->arena ) {
+    /* Heap */
+    (void)nsslibc_memset(pointer, 0, h->size);
+    PR_Free(h);
+    return PR_SUCCESS;
+  } else {
+    /* Arena */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
+      return PR_FAILURE;
+    }
+#endif /* NSSDEBUG */
+
+    if( (PRLock *)NULL == h->arena->lock ) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return PR_FAILURE;
+    }
+    PR_Lock(h->arena->lock);
+
+    (void)nsslibc_memset(pointer, 0, h->size);
+
+    /* No way to "free" it within an NSPR arena. */
+
+    PR_Unlock(h->arena->lock);
+    return PR_SUCCESS;
+  }
+  /*NOTREACHED*/
+}
+
+/*
+ * nss_ZRealloc
+ *
+ * This routine reallocates a block of memory obtained by calling
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * between the new and old sizes -- which is either being newly
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the replacement segment of memory
+ */
+
+NSS_EXTERN void *
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+)
+{
+  struct pointer_header *h, *new_h;
+  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
+  void *rv;
+
+  if( my_newSize < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+
+  if( (void *)NULL == pointer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+
+  h = (struct pointer_header *)((char *)pointer
+    - sizeof(struct pointer_header));
+
+  /* Check any magic here */
+
+  if( newSize == h->size ) {
+    /* saves thrashing */
+    return pointer;
+  }
+
+  if( (NSSArena *)NULL == h->arena ) {
+    /* Heap */
+    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
+    if( (struct pointer_header *)NULL == new_h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    new_h->arena = (NSSArena *)NULL;
+    new_h->size = newSize;
+    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+
+    if( newSize > h->size ) {
+      (void)nsslibc_memcpy(rv, pointer, h->size);
+      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
+                           0, (newSize - h->size));
+    } else {
+      (void)nsslibc_memcpy(rv, pointer, newSize);
+    }
+
+    (void)nsslibc_memset(pointer, 0, h->size);
+    h->size = 0;
+    PR_Free(h);
+
+    return rv;
+  } else {
+    void *p;
+    /* Arena */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
+      return (void *)NULL;
+    }
+#endif /* NSSDEBUG */
+
+    if( (PRLock *)NULL == h->arena->lock ) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (void *)NULL;
+    }
+    PR_Lock(h->arena->lock);
+
+#ifdef ARENA_THREADMARK
+    if( (PRThread *)NULL != h->arena->marking_thread ) {
+      if( PR_GetCurrentThread() != h->arena->marking_thread ) {
+        PR_Unlock(h->arena->lock);
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        return (void *)NULL;
+      }
+    }
+#endif /* ARENA_THREADMARK */
+
+    if( newSize < h->size ) {
+      /*
+       * We have no general way of returning memory to the arena
+       * (mark/release doesn't work because things may have been
+       * allocated after this object), so the memory is gone
+       * anyway.  We might as well just return the same pointer to
+       * the user, saying "yeah, uh-hunh, you can only use less of
+       * it now."  We'll zero the leftover part, of course.  And
+       * in fact we might as well *not* adjust h->size-- this way,
+       * if the user reallocs back up to something not greater than
+       * the original size, then voila, there's the memory!  This
+       * way a thrash big/small/big/small doesn't burn up the arena.
+       */
+      char *extra = &((char *)pointer)[ newSize ];
+      (void)nsslibc_memset(extra, 0, (h->size - newSize));
+      PR_Unlock(h->arena->lock);
+      return pointer;
+    }
+
+    PR_ARENA_ALLOCATE(p, &h->arena->pool, my_newSize);
+    if( (void *)NULL == p ) {
+      PR_Unlock(h->arena->lock);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    new_h = (struct pointer_header *)p;
+    new_h->arena = h->arena;
+    new_h->size = newSize;
+    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+    if (rv != pointer) {
+	(void)nsslibc_memcpy(rv, pointer, h->size);
+	(void)nsslibc_memset(pointer, 0, h->size);
+    }
+    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, (newSize - h->size));
+    h->arena = (NSSArena *)NULL;
+    h->size = 0;
+    PR_Unlock(new_h->arena->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
+}
+
+PRStatus 
+nssArena_Shutdown(void)
+{
+  PRStatus rv = PR_SUCCESS;
+#ifdef DEBUG
+  rv = nssPointerTracker_finalize(&arena_pointer_tracker);
+#endif
+  return rv;
+}
diff --git a/security/nss/lib/base/base.h b/security/nss/lib/base/base.h
new file mode 100644
index 000000000..9fc519c30
--- /dev/null
+++ b/security/nss/lib/base/base.h
@@ -0,0 +1,1430 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef BASE_H
+#define BASE_H
+
+#ifdef DEBUG
+static const char BASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * base.h
+ *
+ * This header file contains basic prototypes and preprocessor 
+ * definitions used throughout nss but not available publicly.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#include "plhash.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSArena
+ *
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssArena_Create  -- constructor
+ *  nssArena_Destroy
+ *  nssArena_Mark
+ *  nssArena_Release
+ *  nssArena_Unmark
+ *
+ *  nss_ZAlloc
+ *  nss_ZFreeIf
+ *  nss_ZRealloc
+ *
+ * Additionally, there are some preprocessor macros:
+ *
+ *  nss_ZNEW
+ *  nss_ZNEWARRAY
+ *
+ * In debug builds, the following calls are available:
+ *
+ *  nssArena_verifyPointer
+ *  nssArena_registerDestructor
+ *  nssArena_deregisterDestructor
+ *
+ * The following preprocessor macro is also always available:
+ *
+ *  nssArena_VERIFYPOINTER
+ *
+ * A constant PLHashAllocOps structure is available for users
+ * of the NSPL PLHashTable routines.
+ *
+ *  nssArenaHashAllocOps
+ */
+
+/*
+ * nssArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+/*
+ * XXX fgmr
+ * Arenas can be named upon creation; this is mostly of use when
+ * debugging.  Should we expose that here, allowing an optional
+ * "const char *name" argument?  Should the public version of this
+ * call (NSSArena_Create) have it too?
+ */
+
+NSS_EXTERN NSSArena *
+nssArena_Create
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Destroy
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+
+/*
+ * nssArena_Mark
+ *
+ * This routine "marks" the current state of an arena.  Space
+ * allocated after the arena has been marked can be freed by
+ * releasing the arena back to the mark with nssArena_Release,
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
+ * have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon failure
+ *  An nssArenaMark pointer upon success
+ */
+
+NSS_EXTERN nssArenaMark *
+nssArena_Mark
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nssArena_Release
+ *
+ * This routine invalidates and releases all memory allocated from
+ * the specified arena after the point at which the specified mark
+ * was obtained.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
+
+/*
+ * nssArena_Unmark
+ *
+ * This routine "commits" the indicated mark and any marks after
+ * it, making them unreleasable.  Note that any earlier marks can
+ * still be released, and such a release will invalidate these
+ * later unmarked regions.  If an arena is to be safely shared by
+ * more than one thread, all marks must be either released or
+ * unmarked.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+#ifdef ARENA_DESTRUCTOR_LIST
+
+/*
+ * nssArena_registerDestructor
+ *
+ * This routine stores a pointer to a callback and an arbitrary
+ * pointer-sized argument in the arena, at the current point in
+ * the mark stack.  If the arena is destroyed, or an "earlier"
+ * mark is released, then this destructor will be called at that
+ * time.  Note that the destructor will be called with the arena
+ * locked, which means the destructor may free memory in that
+ * arena, but it may not allocate or cause to be allocated any
+ * memory.  This callback facility was included to support our
+ * debug-version pointer-tracker feature; overuse runs counter to
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssArena_deregisterDestructor
+ *
+ * This routine will remove the first destructor in the specified
+ * arena which has the specified destructor and argument values.
+ * The destructor will not be called.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NOT_FOUND
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
+
+extern const NSSError NSS_ERROR_INVALID_ITEM;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+/*
+ * nss_ZAlloc
+ *
+ * This routine allocates and zeroes a section of memory of the 
+ * size, and returns to the caller a pointer to that memory.  If
+ * the optional arena argument is non-null, the memory will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in
+ * which case it will have set an error upon the error stack.  The
+ * value specified for size may be zero; in which case a valid 
+ * zero-length block of memory will be allocated.  This block may
+ * be expanded by calling nss_ZRealloc.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+NSS_EXTERN void *
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nss_ZFreeIf
+ *
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nss_ZFreeIf
+(
+  void *pointer
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nss_ZRealloc
+ *
+ * This routine reallocates a block of memory obtained by calling
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * between the new and old sizes -- which is either being newly
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the replacement segment of memory
+ */
+
+NSS_EXTERN void *
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nss_ZNEW
+ *
+ * This preprocessor macro will allocate memory for a new object
+ * of the specified type with nss_ZAlloc, and will cast the
+ * return value appropriately.  If the optional arena argument is 
+ * non-null, the memory will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
+ * upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
+
+/*
+ * nss_ZNEWARRAY
+ *
+ * This preprocessor macro will allocate memory for an array of
+ * new objects, and will cast the return value appropriately.
+ * If the optional arena argument is non-null, the memory will 
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error upon the error 
+ * stack.  The array size may be specified as zero.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
+
+/*
+ * nss_ZREALLOCARRAY
+ *
+ * This preprocessor macro will reallocate memory for an array of
+ * new objects, and will cast the return value appropriately.
+ * This routine may return NULL upon error, in which case it will 
+ *  have set an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the replacement segment of memory
+ */
+#define nss_ZREALLOCARRAY(p, type, quantity) ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
+
+/*
+ * nssArena_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSArena object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+#endif /* DEBUG */
+
+/*
+ * nssArena_VERIFYPOINTER
+ *
+ * This macro is always available.  In debug builds it will call
+ * nssArena_verifyPointer; in non-debug builds, it will merely
+ * check that the pointer is not null.  Note that in non-debug
+ * builds it cannot place an error on the error stack.
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+#define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
+#else /* DEBUG */
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
+#endif /* DEBUG */
+
+/*
+ * Private function to be called by NSS_Shutdown to cleanup nssArena 
+ * bookkeeping.
+ */
+extern PRStatus
+nssArena_Shutdown(void);
+
+/*
+ * nssArenaHashAllocOps
+ *
+ * This constant structure contains allocation callbacks designed for
+ * use with the NSPL routine PL_NewHashTable.  For example:
+ *
+ *  NSSArena *hashTableArena = nssArena_Create();
+ *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
+ *    value_compare, nssArenaHashAllocOps, hashTableArena);
+ */
+
+NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
+
+/*
+ * The error stack
+ *
+ * The nonpublic methods relating to the error stack are:
+ *
+ *  nss_SetError
+ *  nss_ClearErrorStack
+ */
+
+/*
+ * nss_SetError
+ *
+ * This routine places a new error code on the top of the calling 
+ * thread's error stack.  Calling this routine wiht an error code
+ * of zero will clear the error stack.
+ */
+
+NSS_EXTERN void
+nss_SetError
+(
+  PRUint32 error
+);
+
+/*
+ * nss_ClearErrorStack
+ *
+ * This routine clears the calling thread's error stack.
+ */
+
+NSS_EXTERN void
+nss_ClearErrorStack
+(
+  void
+);
+
+/*
+ * nss_DestroyErrorStack
+ *
+ * This routine frees the calling thread's error stack.
+ */
+
+NSS_EXTERN void
+nss_DestroyErrorStack
+(
+  void
+);
+
+/*
+ * NSSItem
+ *
+ * nssItem_Create
+ * nssItem_Duplicate
+ * nssItem_Equal
+ */
+
+NSS_EXTERN NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+);
+
+NSS_EXTERN void
+nssItem_Destroy
+(
+  NSSItem *item
+);
+
+NSS_EXTERN NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+);
+
+NSS_EXTERN PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSUTF8
+ *
+ *  nssUTF8_CaseIgnoreMatch
+ *  nssUTF8_Duplicate
+ *  nssUTF8_Size
+ *  nssUTF8_Length
+ *  nssUTF8_CopyIntoFixedBuffer
+ */
+
+/*
+ * nssUTF8_CaseIgnoreMatch
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
+ * two specified NSSUTF8 pointers differ only in typcase.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssUTF8_Duplicate
+ *
+ * This routine duplicates the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
+ * not null, the memory required will be obtained from that arena;
+ * otherwise, the memory required will be obtained from the heap.
+ * A pointer to the new string will be returned.  In case of error,
+ * an error will be placed on the error stack and NULL will be 
+ * returned.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssUTF8_PrintableMatch
+ *
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
+ * and case is not significant), then PR_TRUE will be returned.
+ * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
+ * will be returned.  If the optional statusOpt argument is not
+ * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
+ * location.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssUTF8_Size
+ *
+ * This routine returns the length in bytes (including the terminating
+ * null) of the UTF8-encoded string pointed to by the specified
+ * NSSUTF8 pointer.  Zero is returned on error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  nonzero size of the string
+ *  0 on error
+ */
+
+NSS_EXTERN PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
+
+/*
+ * nssUTF8_Length
+ *
+ * This routine returns the length in characters (not including the
+ * terminating null) of the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  length of the string (which may be zero)
+ *  0 on error
+ */
+
+NSS_EXTERN PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+
+/*
+ * nssUTF8_Create
+ *
+ * This routine creates a UTF8 string from a string in some other
+ * format.  Some types of string may include embedded null characters,
+ * so for them the length parameter must be used.  For string types
+ * that are null-terminated, the length parameter is optional; if it
+ * is zero, it will be ignored.  If the optional arena argument is
+ * non-null, the memory used for the new string will be obtained from
+ * that arena, otherwise it will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_UNSUPPORTED_TYPE
+ *
+ * Return value:
+ *  NULL upon error
+ *  A non-null pointer to a new UTF8 string otherwise
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
+
+NSS_EXTERN NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+);
+
+/*
+ * nssUTF8_CopyIntoFixedBuffer
+ *
+ * This will copy a UTF8 string into a fixed-length buffer, making 
+ * sure that the all characters are valid.  Any remaining space will
+ * be padded with the specified ASCII character, typically either 
+ * null or space.
+ *
+ * Blah, blah, blah.
+ */
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+NSS_EXTERN PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+);
+
+/*
+ * nssUTF8_Equal
+ *
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssList
+ *
+ * The goal is to provide a simple, optionally threadsafe, linked list
+ * class.  Since NSS did not seem to use the circularity of PRCList
+ * much before, this provides a list that appears to be a linear,
+ * NULL-terminated list.
+ */
+
+/*
+ * nssList_Create
+ *
+ * If threadsafe is true, the list will be locked during modifications
+ * and traversals.
+ */
+NSS_EXTERN nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+);
+
+/*
+ * nssList_Destroy
+ */
+NSS_EXTERN PRStatus
+nssList_Destroy
+(
+  nssList *list
+);
+
+NSS_EXTERN void
+nssList_Clear
+(
+  nssList *list, 
+  nssListElementDestructorFunc destructor
+);
+
+/*
+ * nssList_SetCompareFunction
+ *
+ * By default, two list elements will be compared by comparing their
+ * data pointers.  By setting this function, the user can control
+ * how elements are compared.
+ */
+NSS_EXTERN void
+nssList_SetCompareFunction
+(
+  nssList *list, 
+  nssListCompareFunc compareFunc
+);
+
+/*
+ * nssList_SetSortFunction
+ *
+ * Sort function to use for an ordered list.
+ */
+NSS_EXTERN void
+nssList_SetSortFunction
+(
+  nssList *list, 
+  nssListSortFunc sortFunc
+);
+
+/*
+ * nssList_Add
+ */
+NSS_EXTERN PRStatus
+nssList_Add
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_AddUnique
+ *
+ * This will use the compare function to see if the element is already
+ * in the list.
+ */
+NSS_EXTERN PRStatus
+nssList_AddUnique
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_Remove
+ *
+ * Uses the compare function to locate the element and remove it.
+ */
+NSS_EXTERN PRStatus
+nssList_Remove(nssList *list, void *data);
+
+/*
+ * nssList_Get
+ *
+ * Uses the compare function to locate an element.  Also serves as
+ * nssList_Exists.
+ */
+NSS_EXTERN void *
+nssList_Get
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_Count
+ */
+NSS_EXTERN PRUint32
+nssList_Count
+(
+  nssList *list
+);
+
+/*
+ * nssList_GetArray
+ *
+ * Fill rvArray, up to maxElements, with elements in the list.  The
+ * array is NULL-terminated, so its allocated size must be maxElements + 1.
+ */
+NSS_EXTERN PRStatus
+nssList_GetArray
+(
+  nssList *list, 
+  void **rvArray, 
+  PRUint32 maxElements
+);
+
+/*
+ * nssList_CreateIterator
+ *
+ * Create an iterator for list traversal.
+ */
+NSS_EXTERN nssListIterator *
+nssList_CreateIterator
+(
+  nssList *list
+);
+
+NSS_EXTERN nssList *
+nssList_Clone
+(
+  nssList *list
+);
+
+/*
+ * nssListIterator_Destroy
+ */
+NSS_EXTERN void
+nssListIterator_Destroy
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Start
+ *
+ * Begin a list iteration.  After this call, if the list is threadSafe,
+ * the list is *locked*.
+ */
+NSS_EXTERN void *
+nssListIterator_Start
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Next
+ *
+ * Continue a list iteration.
+ */
+NSS_EXTERN void *
+nssListIterator_Next
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Finish
+ *
+ * Complete a list iteration.  This *must* be called in order for the
+ * lock to be released.
+ */
+NSS_EXTERN PRStatus
+nssListIterator_Finish
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssHash
+ *
+ *  nssHash_Create
+ *  nssHash_Destroy
+ *  nssHash_Add
+ *  nssHash_Remove
+ *  nssHash_Count
+ *  nssHash_Exists
+ *  nssHash_Lookup
+ *  nssHash_Iterate
+ */
+
+/*
+ * nssHash_Create
+ *
+ */
+
+NSS_EXTERN nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+/*
+ * nssHash_Destroy
+ *
+ */
+NSS_EXTERN void
+nssHash_Destroy
+(
+  nssHash *hash
+);
+
+/*
+ * nssHash_Add
+ *
+ */
+
+extern const NSSError NSS_ERROR_HASH_COLLISION;
+
+NSS_EXTERN PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+);
+
+/*
+ * nssHash_Remove
+ *
+ */
+NSS_EXTERN void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Count
+ *
+ */
+NSS_EXTERN PRUint32
+nssHash_Count
+(
+  nssHash *hash
+);
+
+/*
+ * nssHash_Exists
+ *
+ */
+NSS_EXTERN PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Lookup
+ *
+ */
+NSS_EXTERN void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Iterate
+ *
+ */
+NSS_EXTERN void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+);
+
+
+/*
+ * nssPointerTracker
+ *
+ * This type and these methods are only present in debug builds.
+ * 
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssPointerTracker_initialize
+ *  nssPointerTracker_finalize
+ *  nssPointerTracker_add
+ *  nssPointerTracker_remove
+ *  nssPointerTracker_verify
+ */
+
+/*
+ * nssPointerTracker_initialize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine initializes an nssPointerTracker object.  Note that
+ * the object must have been declared *static* to guarantee that it
+ * is in a zeroed state initially.  This routine is idempotent, and
+ * may even be safely called by multiple threads simultaneously with 
+ * the same argument.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_initialize
+(
+  nssPointerTracker *tracker
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_finalize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine returns the nssPointerTracker object to the pre-
+ * initialized state, releasing all resources used by the object.
+ * It will *NOT* destroy the objects being tracked by the pointer
+ * (should any remain), and therefore cannot be used to "sweep up"
+ * remaining objects.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCES.  On failure it will set an
+ * error on the error stack and return PR_FAILURE.  If any objects
+ * remain in the tracker when it is finalized, that will be treated
+ * as an error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_TRACKER_NOT_EMPTY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_finalize
+(
+  nssPointerTracker *tracker
+);
+
+extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_add
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine adds the specified pointer to the nssPointerTracker
+ * object.  It should be called in constructor objects to register
+ * new valid objects.  The nssPointerTracker is threadsafe, but this
+ * call is not idempotent.  This routine returns a PRStatus value;
+ * if successful it will return PR_SUCCESS.  On failure it will set
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_DUPLICATE_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_add
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
+extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_remove
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine removes the specified pointer from the 
+ * nssPointerTracker object.  It does not call any destructor for the
+ * object; rather, this should be called from the object's destructor.
+ * The nssPointerTracker is threadsafe, but this call is not 
+ * idempotent.  This routine returns a PRStatus value; if successful 
+ * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_remove
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
+extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_verify
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine verifies that the specified pointer has been registered
+ * with the nssPointerTracker object.  The nssPointerTracker object is
+ * threadsafe, and this call may be safely called from multiple threads
+ * simultaneously with the same arguments.  This routine returns a
+ * PRStatus value; if the pointer is registered this will return 
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
+ * return PR_FAILURE.  Although the error is suitable for leaving on 
+ * the stack, callers may wish to augment the information available by 
+ * placing a more type-specific error on the stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILRUE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_verify
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
+#endif /* DEBUG */
+
+/*
+ * libc
+ *
+ * nsslibc_memcpy
+ * nsslibc_memset
+ * nsslibc_offsetof
+ */
+
+/*
+ * nsslibc_memcpy
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_EXTERN void *
+nsslibc_memcpy
+(
+  void *dest,
+  const void *source,
+  PRUint32 n
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nsslibc_memset
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_EXTERN void *
+nsslibc_memset
+(
+  void *dest,
+  PRUint8 byte,
+  PRUint32 n
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nsslibc_memequal
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if they match
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nsslibc_memequal
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+#define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
+
+PR_END_EXTERN_C
+
+#endif /* BASE_H */
diff --git a/security/nss/lib/base/baset.h b/security/nss/lib/base/baset.h
new file mode 100644
index 000000000..c6f146254
--- /dev/null
+++ b/security/nss/lib/base/baset.h
@@ -0,0 +1,161 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef BASET_H
+#define BASET_H
+
+#ifdef DEBUG
+static const char BASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * baset.h
+ *
+ * This file contains definitions for the basic types used throughout
+ * nss but not available publicly.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#include "plhash.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssArenaMark
+ *
+ * This type is used to mark the current state of an NSSArena.
+ */
+
+struct nssArenaMarkStr;
+typedef struct nssArenaMarkStr nssArenaMark;
+
+#ifdef DEBUG
+/*
+ * ARENA_THREADMARK
+ * 
+ * Optionally, this arena implementation can be compiled with some
+ * runtime checking enabled, which will catch the situation where
+ * one thread "marks" the arena, another thread allocates memory,
+ * and then the mark is released.  Usually this is a surprise to
+ * the second thread, and this leads to weird runtime errors.
+ * Define ARENA_THREADMARK to catch these cases; we define it for all
+ * (internal and external) debug builds.
+ */
+#define ARENA_THREADMARK
+
+/*
+ * ARENA_DESTRUCTOR_LIST
+ *
+ * Unfortunately, our pointer-tracker facility, used in debug
+ * builds to agressively fight invalid pointers, requries that
+ * pointers be deregistered when objects are destroyed.  This
+ * conflicts with the standard arena usage where "memory-only"
+ * objects (that don't hold onto resources outside the arena)
+ * can be allocated in an arena, and never destroyed other than
+ * when the arena is destroyed.  Therefore we have added a
+ * destructor-registratio facility to our arenas.  This was not
+ * a simple decision, since we're getting ever-further away from
+ * the original arena philosophy.  However, it was felt that
+ * adding this in debug builds wouldn't be so bad; as it would
+ * discourage them from being used for "serious" purposes.
+ * This facility requires ARENA_THREADMARK to be defined.
+ */
+#ifdef ARENA_THREADMARK
+#define ARENA_DESTRUCTOR_LIST
+#endif /* ARENA_THREADMARK */
+
+#endif /* DEBUG */
+
+typedef struct nssListStr nssList;
+typedef struct nssListIteratorStr nssListIterator;
+typedef PRBool (* nssListCompareFunc)(void *a, void *b);
+typedef PRIntn (* nssListSortFunc)(void *a, void *b);
+typedef void (* nssListElementDestructorFunc)(void *el);
+
+typedef struct nssHashStr nssHash;
+typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
+                                            void *value, 
+                                            void *arg);
+
+/*
+ * nssPointerTracker
+ *
+ * This type is used in debug builds (both external and internal) to
+ * track our object pointers.  Objects of this type must be statically
+ * allocated, which means the structure size must be available to the
+ * compiler.  Therefore we must expose the contents of this structure.
+ * But please don't access elements directly; use the accessors.
+ */
+
+#ifdef DEBUG
+struct nssPointerTrackerStr {
+  PRCallOnceType once;
+  PZLock *lock;
+  PLHashTable *table;
+};
+typedef struct nssPointerTrackerStr nssPointerTracker;
+#endif /* DEBUG */
+
+/*
+ * nssStringType
+ *
+ * There are several types of strings in the real world.  We try to
+ * use only UTF8 and avoid the rest, but that's not always possible.
+ * So we have a couple converter routines to go to and from the other
+ * string types.  We have to be able to specify those string types,
+ * so we have this enumeration.
+ */
+
+enum nssStringTypeEnum {
+  nssStringType_DirectoryString,
+  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
+  nssStringType_PrintableString,
+  nssStringType_UniversalString,
+  nssStringType_BMPString,
+  nssStringType_UTF8String,
+  nssStringType_PHGString,
+  nssStringType_GeneralString,
+
+  nssStringType_Unknown = -1
+};
+typedef enum nssStringTypeEnum nssStringType;
+
+PR_END_EXTERN_C
+
+#endif /* BASET_H */
diff --git a/security/nss/lib/base/config.mk b/security/nss/lib/base/config.mk
new file mode 100644
index 000000000..f4e5b965b
--- /dev/null
+++ b/security/nss/lib/base/config.mk
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
new file mode 100644
index 000000000..a4286583b
--- /dev/null
+++ b/security/nss/lib/base/error.c
@@ -0,0 +1,305 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * error.c
+ *
+ * This file contains the code implementing the per-thread error 
+ * stacks upon which most NSS routines report their errors.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+#include <limits.h> /* for UINT_MAX */
+#include <string.h> /* for memmove */
+
+#define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
+
+/*
+ * The stack itself has a header, and a sequence of integers.
+ * The header records the amount of space (as measured in stack
+ * slots) already allocated for the stack, and the count of the
+ * number of records currently being used.
+ */
+
+struct stack_header_str {
+  PRUint16 space;
+  PRUint16 count;
+};
+
+struct error_stack_str {
+  struct stack_header_str header;
+  PRInt32 stack[1];
+};
+typedef struct error_stack_str error_stack;
+
+/*
+ * error_stack_index
+ *
+ * Thread-private data must be indexed.  This is that index.
+ * See PR_NewThreadPrivateIndex for more information.
+ *
+ * Thread-private data indexes are in the range [0, 127].
+ */
+
+#define INVALID_TPD_INDEX UINT_MAX
+static PRUintn error_stack_index = INVALID_TPD_INDEX;
+
+/*
+ * call_once
+ *
+ * The thread-private index must be obtained (once!) at runtime.
+ * This block is used for that one-time call.
+ */
+
+static PRCallOnceType error_call_once;
+
+/*
+ * error_once_function
+ *
+ * This is the once-called callback.
+ */
+static PRStatus
+error_once_function ( void)
+{
+  return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+}
+
+/*
+ * error_get_my_stack
+ *
+ * This routine returns the calling thread's error stack, creating
+ * it if necessary.  It may return NULL upon error, which implicitly
+ * means that it ran out of memory.
+ */
+
+static error_stack *
+error_get_my_stack ( void)
+{
+  PRStatus st;
+  error_stack *rv;
+  PRUintn new_size;
+  PRUint32 new_bytes;
+  error_stack *new_stack;
+
+  if( INVALID_TPD_INDEX == error_stack_index ) {
+    st = PR_CallOnce(&error_call_once, error_once_function);
+    if( PR_SUCCESS != st ) {
+      return (error_stack *)NULL;
+    }
+  }
+
+  rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
+  if( (error_stack *)NULL == rv ) {
+    /* Doesn't exist; create one */
+    new_size = 16;
+  } else if( rv->header.count == rv->header.space  &&
+             rv->header.count  < NSS_MAX_ERROR_STACK_COUNT ) {
+    /* Too small, expand it */
+    new_size = PR_MIN( rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
+  } else {
+    /* Okay, return it */
+    return rv;
+  }
+
+  new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
+  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
+  new_stack = PR_Calloc(1, new_bytes);
+  
+  if( (error_stack *)NULL != new_stack ) {
+    if( (error_stack *)NULL != rv ) {
+	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
+    }
+    new_stack->header.space = new_size;
+  }
+
+  /* Set the value, whether or not the allocation worked */
+  PR_SetThreadPrivate(error_stack_index, new_stack);
+  return new_stack;
+}
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ *
+ * The nonpublic methods relating to the error stack are:
+ *
+ *  nss_SetError
+ *  nss_ClearErrorStack
+ *
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  However, it may return zero, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_IMPLEMENT PRInt32
+NSS_GetError ( void)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return NSS_ERROR_NO_MEMORY; /* Good guess! */
+  }
+
+  if( 0 == es->header.count ) {
+    return 0;
+  }
+
+  return es->stack[ es->header.count-1 ];
+}
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of integers, containing
+ * the entire sequence or "stack" of errors set by the most recent NSS
+ * library routine called by the same thread calling this routine.
+ * NOTE: the caller DOES NOT OWN the memory pointed to by the return
+ * value.  The pointer will remain valid until the calling thread
+ * calls another NSS routine.  The lowest-level (most specific) error 
+ * is first in the array, and the highest-level is last.  The array is
+ * zero-terminated.  This routine may return NULL upon error; this
+ * indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of integers
+ */
+
+NSS_IMPLEMENT PRInt32 *
+NSS_GetErrorStack ( void)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return (PRInt32 *)NULL;
+  }
+
+  /* Make sure it's terminated */
+  es->stack[ es->header.count ] = 0;
+
+  return es->stack;
+}
+
+/*
+ * nss_SetError
+ *
+ * This routine places a new error code on the top of the calling 
+ * thread's error stack.  Calling this routine wiht an error code
+ * of zero will clear the error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_SetError ( PRUint32 error)
+{
+  error_stack *es;
+
+  if( 0 == error ) {
+    nss_ClearErrorStack();
+    return;
+  }
+
+  es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  if (es->header.count < es->header.space) {
+    es->stack[ es->header.count++ ] = error;
+  } else {
+    memmove(es->stack, es->stack + 1, 
+		(es->header.space - 1) * (sizeof es->stack[0]));
+    es->stack[ es->header.space - 1 ] = error;
+  }
+  return;
+}
+
+/*
+ * nss_ClearErrorStack
+ *
+ * This routine clears the calling thread's error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_ClearErrorStack ( void)
+{
+  error_stack *es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  es->header.count = 0;
+  es->stack[0] = 0;
+  return;
+}
+
+/*
+ * nss_DestroyErrorStack
+ *
+ * This routine frees the calling thread's error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_DestroyErrorStack ( void)
+{
+  if( INVALID_TPD_INDEX != error_stack_index ) {
+    PR_SetThreadPrivate(error_stack_index, NULL);
+  }
+  return;
+}
diff --git a/security/nss/lib/base/errorval.c b/security/nss/lib/base/errorval.c
new file mode 100644
index 000000000..3c2d47e9b
--- /dev/null
+++ b/security/nss/lib/base/errorval.c
@@ -0,0 +1,98 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * errorval.c
+ *
+ * This file contains the actual error constants used in NSS.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+const NSSError NSS_ERROR_NO_ERROR                       =  0;
+const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
+const NSSError NSS_ERROR_NO_MEMORY                      =  2;
+const NSSError NSS_ERROR_INVALID_POINTER                =  3;
+const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
+const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
+const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
+const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
+const NSSError NSS_ERROR_TRACKER_NOT_EMPTY              =  8;
+const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED        =  9;
+const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD = 10;
+const NSSError NSS_ERROR_VALUE_TOO_LARGE                = 11;
+const NSSError NSS_ERROR_UNSUPPORTED_TYPE               = 12;
+const NSSError NSS_ERROR_BUFFER_TOO_SHORT               = 13;
+const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT           = 14;
+const NSSError NSS_ERROR_INVALID_BASE64                 = 15;
+const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT           = 16;
+const NSSError NSS_ERROR_INVALID_ITEM                   = 17;
+const NSSError NSS_ERROR_INVALID_STRING                 = 18;
+const NSSError NSS_ERROR_INVALID_ASN1ENCODER            = 19;
+const NSSError NSS_ERROR_INVALID_ASN1DECODER            = 20;
+
+const NSSError NSS_ERROR_INVALID_BER                    = 21;
+const NSSError NSS_ERROR_INVALID_ATAV                   = 22;
+const NSSError NSS_ERROR_INVALID_ARGUMENT               = 23;
+const NSSError NSS_ERROR_INVALID_UTF8                   = 24;
+const NSSError NSS_ERROR_INVALID_NSSOID                 = 25;
+const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE              = 26;
+
+const NSSError NSS_ERROR_NOT_FOUND                      = 27;
+
+const NSSError NSS_ERROR_INVALID_PASSWORD               = 28;
+const NSSError NSS_ERROR_USER_CANCELED                  = 29;
+
+const NSSError NSS_ERROR_MAXIMUM_FOUND                  = 30;
+
+const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND   = 31;
+
+const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE           = 32;
+
+const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
+const NSSError NSS_ERROR_DEVICE_ERROR                   = 34;
+const NSSError NSS_ERROR_INVALID_CERTIFICATE            = 35;
+const NSSError NSS_ERROR_BUSY                           = 36;
+const NSSError NSS_ERROR_ALREADY_INITIALIZED            = 37;
+
+const NSSError NSS_ERROR_PKCS11                         = 38;
+
diff --git a/security/nss/lib/base/hash.c b/security/nss/lib/base/hash.c
new file mode 100644
index 000000000..7c090739a
--- /dev/null
+++ b/security/nss/lib/base/hash.c
@@ -0,0 +1,409 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.
+ * This is a copy of ckfw/hash.c, with modifications to use NSS types
+ * (not Cryptoki types).  Would like for this to be a single implementation,
+ * but doesn't seem like it will work.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "prbit.h"
+
+/*
+ * nssHash
+ *
+ *  nssHash_Create
+ *  nssHash_Destroy
+ *  nssHash_Add
+ *  nssHash_Remove
+ *  nssHash_Count
+ *  nssHash_Exists
+ *  nssHash_Lookup
+ *  nssHash_Iterate
+ */
+
+struct nssHashStr {
+  NSSArena *arena;
+  PRBool i_alloced_arena;
+  PRLock *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  PRUint32 count;
+};
+
+static PLHashNumber
+nss_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+static PLHashNumber
+nss_item_hash
+(
+  const void *key
+)
+{
+  unsigned int i;
+  PLHashNumber h;
+  NSSItem *it = (NSSItem *)key;
+  h = 0;
+  for (i=0; i<it->size; i++)
+    h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i];
+  return h;
+}
+
+static int
+nss_compare_items(const void *v1, const void *v2)
+{
+  PRStatus ignore;
+  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
+}
+
+/*
+ * nssHash_create
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+)
+{
+  nssHash *rv;
+  NSSArena *arena;
+  PRBool i_alloced;
+
+#ifdef NSSDEBUG
+  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if (arenaOpt) {
+    arena = arenaOpt;
+    i_alloced = PR_FALSE;
+  } else {
+    arena = nssArena_Create();
+    i_alloced = PR_TRUE;
+  }
+
+  rv = nss_ZNEW(arena, nssHash);
+  if( (nssHash *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->mutex = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == rv->mutex ) {
+    goto loser;
+  }
+
+  rv->plHashTable = PL_NewHashTable(numBuckets, 
+                                    keyHash, keyCompare, valueCompare,
+                                    &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)PZ_DestroyLock(rv->mutex);
+    goto loser;
+  }
+
+  rv->count = 0;
+  rv->arena = arena;
+  rv->i_alloced_arena = i_alloced;
+
+  return rv;
+loser:
+  (void)nss_ZFreeIf(rv);
+  return (nssHash *)NULL;
+}
+
+/*
+ * nssHash_CreatePointer
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
+}
+
+/*
+ * nssHash_CreateString
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
+}
+
+/*
+ * nssHash_CreateItem
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_item_hash, nss_compare_items, PL_CompareValues);
+}
+
+/*
+ * nssHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Destroy
+(
+  nssHash *hash
+)
+{
+  (void)PZ_DestroyLock(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  if (hash->i_alloced_arena) {
+    nssArena_Destroy(hash->arena);
+  } else {
+    nss_ZFreeIf(hash);
+  }
+}
+
+/*
+ * nssHash_Add
+ *
+ */
+NSS_IMPLEMENT PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  PRStatus error = PR_FAILURE;
+  PLHashEntry *he;
+
+  PZ_Lock(hash->mutex);
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  } else if (he->value != value) {
+    nss_SetError(NSS_ERROR_HASH_COLLISION);
+  } else {
+    hash->count++;
+    error = PR_SUCCESS;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  PZ_Lock(hash->mutex);
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssHash_Count
+ *
+ */
+NSS_IMPLEMENT PRUint32
+nssHash_Count
+(
+  nssHash *hash
+)
+{
+  PRUint32 count;
+
+  PZ_Lock(hash->mutex);
+
+  count = hash->count;
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssHash_Exists
+ *
+ */
+NSS_IMPLEMENT PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  PZ_Lock(hash->mutex);
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return PR_FALSE;
+  } else {
+    return PR_TRUE;
+  }
+}
+
+/*
+ * nssHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  PZ_Lock(hash->mutex);
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_hash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  PZ_Lock(hash->mutex);
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return;
+}
diff --git a/security/nss/lib/base/hashops.c b/security/nss/lib/base/hashops.c
new file mode 100644
index 000000000..1372ea63e
--- /dev/null
+++ b/security/nss/lib/base/hashops.c
@@ -0,0 +1,120 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * hashops.c
+ *
+ * This file includes a set of PLHashAllocOps that use NSSArenas.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+static void * PR_CALLBACK
+nss_arena_hash_alloc_table
+(
+  void *pool,
+  PRSize size
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZAlloc(arena, size);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_table
+(
+  void *pool, 
+  void *item
+)
+{
+  (void)nss_ZFreeIf(item);
+}
+
+static PLHashEntry * PR_CALLBACK
+nss_arena_hash_alloc_entry
+(
+  void *pool,
+  const void *key
+)
+{
+  NSSArena *arena = NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZNEW(arena, PLHashEntry);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_entry
+(
+  void *pool,
+  PLHashEntry *he,
+  PRUintn flag
+)
+{
+  if( HT_FREE_ENTRY == flag ) {
+    (void)nss_ZFreeIf(he);
+  }
+}
+
+NSS_IMPLEMENT_DATA PLHashAllocOps 
+nssArenaHashAllocOps = {
+  nss_arena_hash_alloc_table,
+  nss_arena_hash_free_table,
+  nss_arena_hash_alloc_entry,
+  nss_arena_hash_free_entry
+};
diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c
new file mode 100644
index 000000000..f624891f9
--- /dev/null
+++ b/security/nss/lib/base/item.c
@@ -0,0 +1,244 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * item.c
+ *
+ * This contains some item-manipulation code.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * nssItem_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_POINTER
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == data ) {
+    if( length > 0 ) {
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (NSSItem *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  if( (NSSItem *)NULL == rvOpt ) {
+    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
+    if( (NSSItem *)NULL == rv ) {
+      goto loser;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->size = length;
+  rv->data = nss_ZAlloc(arenaOpt, length);
+  if( (void *)NULL == rv->data ) {
+    goto loser;
+  }
+
+  if( length > 0 ) {
+    (void)nsslibc_memcpy(rv->data, data, length);
+  }
+
+  return rv;
+
+ loser:
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSItem *)NULL;
+}
+
+NSS_IMPLEMENT void
+nssItem_Destroy
+(
+  NSSItem *item
+)
+{
+  nss_ClearErrorStack();
+
+  nss_ZFreeIf(item->data);
+  nss_ZFreeIf(item);
+
+}
+
+/*
+ * nssItem_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_ITEM
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+)
+{
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSItem *)NULL == obj ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return (NSSItem *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+}
+
+#ifdef DEBUG
+/*
+ * nssItem_verifyPointer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssItem_verifyPointer
+(
+  const NSSItem *item
+)
+{
+  if( ((const NSSItem *)NULL == item) ||
+      (((void *)NULL == item->data) && (item->size > 0)) ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * nssItem_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_TRUE if the items are identical
+ *  PR_FALSE if they aren't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+)
+{
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
+    return PR_TRUE;
+  }
+
+  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
+    return PR_FALSE;
+  }
+
+  if( one->size != two->size ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+}
diff --git a/security/nss/lib/base/libc.c b/security/nss/lib/base/libc.c
new file mode 100644
index 000000000..b37fe09cb
--- /dev/null
+++ b/security/nss/lib/base/libc.c
@@ -0,0 +1,200 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * libc.c
+ *
+ * This file contains our wrappers/reimplementations for "standard" 
+ * libc functions.  Things like "memcpy."  We add to this as we need 
+ * it.  Oh, and let's keep it in alphabetical order, should it ever 
+ * get large.  Most string/character stuff should be in utf8.c, not 
+ * here.  This file (and maybe utf8.c) should be the only ones in
+ * NSS to include files with angle brackets.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include <string.h> /* memcpy, memset */
+
+/*
+ * nsslibc_memcpy
+ * nsslibc_memset
+ * nsslibc_offsetof
+ * nsslibc_memequal
+ */
+
+/*
+ * nsslibc_memcpy
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memcpy
+(
+  void *dest,
+  const void *source,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memcpy(dest, source, (size_t)n);
+}
+
+/*
+ * nsslibc_memset
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memset
+(
+  void *dest,
+  PRUint8 byte,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memset(dest, (int)byte, (size_t)n);
+}
+
+/*
+ * nsslibc_memequal
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if they match
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nsslibc_memequal
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( 0 == memcmp(a, b, len) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nsslibc_memcmp
+ */
+
+NSS_IMPLEMENT PRInt32
+nsslibc_memcmp
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+  int v;
+
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return -2;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  v = memcmp(a, b, len);
+  return (PRInt32)v;
+}
+
+/*
+ * offsetof is a preprocessor definition
+ */
diff --git a/security/nss/lib/base/list.c b/security/nss/lib/base/list.c
new file mode 100644
index 000000000..8a6dfe6ca
--- /dev/null
+++ b/security/nss/lib/base/list.c
@@ -0,0 +1,437 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * list.c
+ *
+ * This contains the implementation of NSS's thread-safe linked list.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+struct nssListElementStr {
+    PRCList  link;
+    void    *data;
+};
+
+typedef struct nssListElementStr nssListElement;
+
+struct nssListStr {
+    NSSArena       *arena;
+    PZLock         *lock;
+    nssListElement *head;
+    PRUint32        count;
+    nssListCompareFunc compareFunc;
+    nssListSortFunc    sortFunc;
+    PRBool i_alloced_arena;
+};
+
+struct nssListIteratorStr {
+    PZLock *lock;
+    nssList *list;
+    nssListElement *current;
+};
+
+#define NSSLIST_LOCK_IF(list) \
+    if ((list)->lock) PZ_Lock((list)->lock)
+
+#define NSSLIST_UNLOCK_IF(list) \
+    if ((list)->lock) PZ_Unlock((list)->lock)
+
+static PRBool
+pointer_compare(void *a, void *b)
+{
+    return (PRBool)(a == b);
+}
+
+static nssListElement *
+nsslist_get_matching_element(nssList *list, void *data)
+{
+    PRCList *link;
+    nssListElement *node;
+    node = list->head;
+    if (!node) {
+	return NULL;
+    }
+    link = &node->link;
+    while (node) {
+	/* using a callback slows things down when it's just compare ... */
+	if (list->compareFunc(node->data, data)) {
+	    break;
+	}
+	link = &node->link;
+	if (link == PR_LIST_TAIL(&list->head->link)) {
+	    node = NULL;
+	    break;
+	}
+	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+    }
+    return node;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+)
+{
+    NSSArena *arena;
+    nssList *list;
+    PRBool i_alloced;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	i_alloced = PR_FALSE;
+    } else {
+	arena = nssArena_Create();
+	i_alloced = PR_TRUE;
+    }
+    if (!arena) {
+	return (nssList *)NULL;
+    }
+    list = nss_ZNEW(arena, nssList);
+    if (!list) {
+	if (!arenaOpt) {
+	    NSSArena_Destroy(arena);
+	}
+	return (nssList *)NULL;
+    }
+    if (threadSafe) {
+	list->lock = PZ_NewLock(nssILockOther);
+	if (!list->lock) {
+	    if (arenaOpt) {
+		nss_ZFreeIf(list);
+	    } else {
+		NSSArena_Destroy(arena);
+	    }
+	    return (nssList *)NULL;
+	}
+    }
+    list->arena = arena;
+    list->i_alloced_arena = i_alloced;
+    list->compareFunc = pointer_compare;
+    return list;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Destroy(nssList *list)
+{
+    if (!list->i_alloced_arena) {
+	nssList_Clear(list, NULL);
+    }
+    if (list->lock) {
+	(void)PZ_DestroyLock(list->lock);
+    }
+    if (list->i_alloced_arena) {
+	NSSArena_Destroy(list->arena);
+	list = NULL;
+    }
+    nss_ZFreeIf(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
+{
+    list->compareFunc = compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_SetSortFunction(nssList *list, nssListSortFunc sortFunc)
+{
+    /* XXX if list already has elements, sort them */
+    list->sortFunc = sortFunc;
+}
+
+NSS_IMPLEMENT nssListCompareFunc
+nssList_GetCompareFunction(nssList *list)
+{
+    return list->compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
+{
+    PRCList *link;
+    nssListElement *node, *tmp;
+    NSSLIST_LOCK_IF(list);
+    node = list->head;
+    list->head = NULL;
+    while (node && list->count > 0) {
+	if (destructor) (*destructor)(node->data);
+	link = &node->link;
+	tmp = (nssListElement *)PR_NEXT_LINK(link);
+	PR_REMOVE_LINK(link);
+	nss_ZFreeIf(node);
+	node = tmp;
+	--list->count;
+    }
+    NSSLIST_UNLOCK_IF(list);
+}
+
+static PRStatus
+nsslist_add_element(nssList *list, void *data)
+{
+    nssListElement *node = nss_ZNEW(list->arena, nssListElement);
+    if (!node) {
+	return PR_FAILURE;
+    }
+    PR_INIT_CLIST(&node->link);
+    node->data = data;
+    if (list->head) {
+	if (list->sortFunc) {
+	    PRCList *link;
+	    nssListElement *currNode;
+	    currNode = list->head;
+	    /* insert in ordered list */
+	    while (currNode) {
+		link = &currNode->link;
+		if (list->sortFunc(data, currNode->data) <= 0) {
+		    /* new element goes before current node */
+		    PR_INSERT_BEFORE(&node->link, link);
+		    /* reset head if this is first */
+		    if (currNode == list->head) list->head = node;
+		    break;
+		}
+		if (link == PR_LIST_TAIL(&list->head->link)) {
+		    /* reached end of list, append */
+		    PR_INSERT_AFTER(&node->link, link);
+		    break;
+		}
+		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
+	    }
+	} else {
+	    /* not sorting */
+	    PR_APPEND_LINK(&node->link, &list->head->link);
+	}
+    } else {
+	list->head = node;
+    }
+    ++list->count;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Add(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    NSSLIST_LOCK_IF(list);
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_AddUnique(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	/* already in, finish */
+	NSSLIST_UNLOCK_IF(list);
+	return PR_SUCCESS;
+    }
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Remove(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	if (node == list->head) {
+	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
+	}
+	PR_REMOVE_LINK(&node->link);
+	nss_ZFreeIf(node);
+	if (--list->count == 0) {
+	    list->head = NULL;
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void *
+nssList_Get(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return (node) ? node->data : NULL;
+}
+
+NSS_IMPLEMENT PRUint32
+nssList_Count(nssList *list)
+{
+    return list->count;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
+{
+    nssListElement *node;
+    PRUint32 i = 0;
+    PR_ASSERT(maxElements > 0);
+    node = list->head;
+    if (!node) {
+	return PR_SUCCESS;
+    }
+    NSSLIST_LOCK_IF(list);
+    while (node) {
+	rvArray[i++] = node->data;
+	if (i == maxElements) break;
+	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+	if (node == list->head) {
+	    break;
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Clone(nssList *list)
+{
+    nssList *rvList;
+    nssListElement *node;
+    rvList = nssList_Create(NULL, (list->lock != NULL));
+    if (!rvList) {
+	return NULL;
+    }
+    NSSLIST_LOCK_IF(list);
+    if (list->count > 0) {
+	node = list->head;
+	while (PR_TRUE) {
+	    nssList_Add(rvList, node->data);
+	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
+	    if (node == list->head) {
+		break;
+	    }
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return rvList;
+}
+
+NSS_IMPLEMENT nssListIterator *
+nssList_CreateIterator(nssList *list)
+{
+    nssListIterator *rvIterator;
+    rvIterator = nss_ZNEW(NULL, nssListIterator);
+    if (!rvIterator) {
+	return NULL;
+    }
+    rvIterator->list = nssList_Clone(list);
+    if (!rvIterator->list) {
+	nss_ZFreeIf(rvIterator);
+	return NULL;
+    }
+    rvIterator->current = rvIterator->list->head;
+    if (list->lock) {
+	rvIterator->lock = PZ_NewLock(nssILockOther);
+	if (!rvIterator->lock) {
+	    nssList_Destroy(rvIterator->list);
+	    nss_ZFreeIf(rvIterator);
+	    rvIterator = NULL;
+	}
+    }
+    return rvIterator;
+}
+
+NSS_IMPLEMENT void
+nssListIterator_Destroy(nssListIterator *iter)
+{
+    if (iter->lock) {
+	(void)PZ_DestroyLock(iter->lock);
+    }
+    nssList_Destroy(iter->list);
+    nss_ZFreeIf(iter);
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Start(nssListIterator *iter)
+{
+    NSSLIST_LOCK_IF(iter);
+    if (iter->list->count == 0) {
+	return NULL;
+    }
+    iter->current = iter->list->head;
+    return iter->current->data;
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Next(nssListIterator *iter)
+{
+    nssListElement *node;
+    PRCList *link;
+    if (iter->list->count == 1 || iter->current == NULL) {
+	/* Reached the end of the list.  Don't change the state, force to
+	 * user to call nssList_Finish to clean up.
+	 */
+	return NULL;
+    }
+    node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
+    link = &node->link;
+    if (link == PR_LIST_TAIL(&iter->list->head->link)) {
+	/* Signal the end of the list. */
+	iter->current = NULL;
+	return node->data;
+    }
+    iter->current = node;
+    return node->data;
+}
+
+NSS_IMPLEMENT PRStatus
+nssListIterator_Finish(nssListIterator *iter)
+{
+    iter->current = iter->list->head;
+    return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
+}
+
diff --git a/security/nss/lib/base/manifest.mn b/security/nss/lib/base/manifest.mn
new file mode 100644
index 000000000..f9f9e7fd0
--- /dev/null
+++ b/security/nss/lib/base/manifest.mn
@@ -0,0 +1,71 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	baset.h		  \
+	base.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssbaset.h \
+	nssbase.h  \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS =		   \
+	arena.c	   \
+	error.c	   \
+	errorval.c \
+	hashops.c  \
+	libc.c	   \
+	tracker.c  \
+	item.c     \
+	utf8.c	   \
+	list.c     \
+	hash.c     \
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nssb
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/base/nssbase.h b/security/nss/lib/base/nssbase.h
new file mode 100644
index 000000000..09a154f76
--- /dev/null
+++ b/security/nss/lib/base/nssbase.h
@@ -0,0 +1,170 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSBASE_H
+#define NSSBASE_H
+
+#ifdef DEBUG
+static const char NSSBASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssbase.h
+ *
+ * This header file contains the prototypes of the basic public
+ * NSS routines.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSArena
+ *
+ * The public methods relating to this type are:
+ *
+ *  NSSArena_Create  -- constructor
+ *  NSSArena_Destroy
+ */
+
+/*
+ * NSSArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_EXTERN NSSArena *
+NSSArena_Create
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSArena_Destroy
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_EXTERN NSSError
+NSS_GetError
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_ERROR;
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of NSSError values, 
+ * containingthe entire sequence or "stack" of errors set by the most 
+ * recent NSS library routine called by the same thread calling this 
+ * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
+ * the return value.  The pointer will remain valid until the calling 
+ * thread calls another NSS routine.  The lowest-level (most specific) 
+ * error is first in the array, and the highest-level is last.  The 
+ * array is zero-terminated.  This routine may return NULL upon error; 
+ * this indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of NSSError values
+ */
+
+NSS_EXTERN NSSError *
+NSS_GetErrorStack
+(
+  void
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASE_H */
diff --git a/security/nss/lib/base/nssbaset.h b/security/nss/lib/base/nssbaset.h
new file mode 100644
index 000000000..6c3c485be
--- /dev/null
+++ b/security/nss/lib/base/nssbaset.h
@@ -0,0 +1,156 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSBASET_H
+#define NSSBASET_H
+
+#ifdef DEBUG
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssbaset.h
+ *
+ * This file contains the most low-level, fundamental public types.
+ */
+
+#include "nspr.h"
+#include "nssilock.h"
+
+/*
+ * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
+ *
+ * NSS has its own versions of these NSPR macros, in a form which
+ * does not confuse ctags and other related utilities.  NSPR 
+ * defines these macros to take the type as an argument, because
+ * of a requirement to support win16 dlls.  We do not have that
+ * requirement, so we can drop that restriction.
+ */
+
+#define DUMMY	/* dummy */
+#define NSS_EXTERN         extern
+#define NSS_EXTERN_DATA    extern
+#define NSS_IMPLEMENT      
+#define NSS_IMPLEMENT_DATA 
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSError
+ *
+ * Calls to NSS routines may result in one or more errors being placed
+ * on the calling thread's "error stack."  Every possible error that
+ * may be returned from a function is declared where the function is 
+ * prototyped.  All errors are of the following type.
+ */
+
+typedef PRInt32 NSSError;
+
+/*
+ * NSSArena
+ *
+ * Arenas are logical sets of heap memory, from which memory may be
+ * allocated.  When an arena is destroyed, all memory allocated within
+ * that arena is implicitly freed.  These arenas are thread-safe: 
+ * an arena pointer may be used by multiple threads simultaneously.
+ * However, as they are not backed by shared memory, they may only be
+ * used within one process.
+ */
+
+struct NSSArenaStr;
+typedef struct NSSArenaStr NSSArena;
+
+/*
+ * NSSItem
+ *
+ * This is the basic type used to refer to an unconstrained datum of
+ * arbitrary size.
+ */
+
+struct NSSItemStr {
+  void *data;
+  PRUint32 size;
+};
+typedef struct NSSItemStr NSSItem;
+
+
+/*
+ * NSSBER
+ *
+ * Data packed according to the Basic Encoding Rules of ASN.1.
+ */
+
+typedef NSSItem NSSBER;
+
+/*
+ * NSSDER
+ *
+ * Data packed according to the Distinguished Encoding Rules of ASN.1;
+ * this form is also known as the Canonical Encoding Rules form (CER).
+ */
+
+typedef NSSBER NSSDER;
+
+/*
+ * NSSBitString
+ *
+ * Some ASN.1 types use "bit strings," which are passed around as
+ * octet strings but whose length is counted in bits.  We use this
+ * typedef of NSSItem to point out the occasions when the length
+ * is counted in bits, not octets.
+ */
+
+typedef NSSItem NSSBitString;
+
+/*
+ * NSSUTF8
+ *
+ * Character strings encoded in UTF-8, as defined by RFC 2279.
+ */
+
+typedef char NSSUTF8;
+
+/*
+ * NSSASCII7
+ *
+ * Character strings guaranteed to be 7-bit ASCII.
+ */
+
+typedef char NSSASCII7;
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASET_H */
diff --git a/security/nss/lib/base/tracker.c b/security/nss/lib/base/tracker.c
new file mode 100644
index 000000000..75e645285
--- /dev/null
+++ b/security/nss/lib/base/tracker.c
@@ -0,0 +1,447 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * tracker.c
+ * 
+ * This file contains the code used by the pointer-tracking calls used
+ * in the debug builds to catch bad pointers.  The entire contents are
+ * only available in debug builds (both internal and external builds).
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef DEBUG
+/*
+ * identity_hash
+ *
+ * This static callback is a PLHashFunction as defined in plhash.h
+ * It merely returns the value of the object pointer as its hash.
+ * There are no possible errors.
+ */
+
+static PLHashNumber PR_CALLBACK
+identity_hash
+(
+  const void *key
+)
+{
+  return (PLHashNumber)key;
+}
+
+/*
+ * trackerOnceFunc
+ *
+ * This function is called once, using the nssCallOnce function above.
+ * It creates a new pointer tracker object; initialising its hash
+ * table and protective lock.
+ */
+
+static PRStatus
+trackerOnceFunc
+(
+  void *arg
+)
+{
+  nssPointerTracker *tracker = (nssPointerTracker *)arg;
+
+  tracker->lock = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == tracker->lock ) {
+    return PR_FAILURE;
+  }
+
+  tracker->table = PL_NewHashTable(0, 
+                                   identity_hash, 
+                                   PL_CompareValues,
+                                   PL_CompareValues,
+                                   (PLHashAllocOps *)NULL, 
+                                   (void *)NULL);
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_DestroyLock(tracker->lock);
+    tracker->lock = (PZLock *)NULL;
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_initialize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine initializes an nssPointerTracker object.  Note that
+ * the object must have been declared *static* to guarantee that it
+ * is in a zeroed state initially.  This routine is idempotent, and
+ * may even be safely called by multiple threads simultaneously with 
+ * the same argument.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_initialize
+(
+  nssPointerTracker *tracker
+)
+{
+  PRStatus rv = PR_CallOnceWithArg(&tracker->once, trackerOnceFunc, tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  }
+
+  return rv;
+}
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+/* See same #ifdef below */
+/*
+ * count_entries
+ *
+ * This static routine is a PLHashEnumerator, as defined in plhash.h.
+ * It merely causes the enumeration function to count the number of
+ * entries.
+ */
+
+static PRIntn PR_CALLBACK
+count_entries
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  return HT_ENUMERATE_NEXT;
+}
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+/*
+ * zero_once
+ *
+ * This is a guaranteed zeroed once block.  It's used to help clear
+ * the tracker.
+ */
+
+static const PRCallOnceType zero_once;
+
+/*
+ * nssPointerTracker_finalize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine returns the nssPointerTracker object to the pre-
+ * initialized state, releasing all resources used by the object.
+ * It will *NOT* destroy the objects being tracked by the pointer
+ * (should any remain), and therefore cannot be used to "sweep up"
+ * remaining objects.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCES.  On failure it will set an
+ * error on the error stack and return PR_FAILURE.  If any objects
+ * remain in the tracker when it is finalized, that will be treated
+ * as an error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_TRACKER_NOT_EMPTY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_finalize
+(
+  nssPointerTracker *tracker
+)
+{
+  PZLock *lock;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  lock = tracker->lock;
+  PZ_Lock(lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+  /*
+   * I changed my mind; I think we don't want this after all.
+   * Comments?
+   */
+  count = PL_HashTableEnumerateEntries(tracker->table, 
+                                       count_entries,
+                                       (void *)NULL);
+
+  if( 0 != count ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
+    return PR_FAILURE;
+  }
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+  PL_HashTableDestroy(tracker->table);
+  /* memset(tracker, 0, sizeof(nssPointerTracker)); */
+  tracker->once = zero_once;
+  tracker->lock = (PZLock *)NULL;
+  tracker->table = (PLHashTable *)NULL;
+
+  PZ_Unlock(lock);
+  PZ_DestroyLock(lock);
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_add
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine adds the specified pointer to the nssPointerTracker
+ * object.  It should be called in constructor objects to register
+ * new valid objects.  The nssPointerTracker is threadsafe, but this
+ * call is not idempotent.  This routine returns a PRStatus value;
+ * if successful it will return PR_SUCCESS.  On failure it will set
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_DUPLICATE_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_add
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+  PLHashEntry *entry;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  if( (void *)NULL != check ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
+    return PR_FAILURE;
+  }
+
+  entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
+
+  PZ_Unlock(tracker->lock);
+
+  if( (PLHashEntry *)NULL == entry ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+  
+/*
+ * nssPointerTracker_remove
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine removes the specified pointer from the 
+ * nssPointerTracker object.  It does not call any destructor for the
+ * object; rather, this should be called from the object's destructor.
+ * The nssPointerTracker is threadsafe, but this call is not 
+ * idempotent.  This routine returns a PRStatus value; if successful 
+ * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_remove
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  PRBool registered;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  registered = PL_HashTableRemove(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( !registered ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_verify
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine verifies that the specified pointer has been registered
+ * with the nssPointerTracker object.  The nssPointerTracker object is
+ * threadsafe, and this call may be safely called from multiple threads
+ * simultaneously with the same arguments.  This routine returns a
+ * PRStatus value; if the pointer is registered this will return 
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
+ * return PR_FAILURE.  Although the error is suitable for leaving on 
+ * the stack, callers may wish to augment the information available by 
+ * placing a more type-specific error on the stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILRUE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_verify
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( (void *)NULL == check ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
diff --git a/security/nss/lib/base/utf8.c b/security/nss/lib/base/utf8.c
new file mode 100644
index 000000000..5360a2b14
--- /dev/null
+++ b/security/nss/lib/base/utf8.c
@@ -0,0 +1,762 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * utf8.c
+ *
+ * This file contains some additional utility routines required for
+ * handling UTF8 strings.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "plstr.h"
+
+/*
+ * NOTES:
+ *
+ * There's an "is hex string" function in pki1/atav.c.  If we need
+ * it in more places, pull that one out.
+ */
+
+/*
+ * nssUTF8_CaseIgnoreMatch
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
+ * two specified NSSUTF8 pointers differ only in typcase.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  /*
+   * XXX fgmr
+   *
+   * This is, like, so wrong!
+   */
+  if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_PrintableMatch
+ *
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
+ * and case is not significant), then PR_TRUE will be returned.
+ * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
+ * will be returned.  If the optional statusOpt argument is not
+ * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
+ * location.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint8 *c;
+  PRUint8 *d;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  c = (PRUint8 *)a;
+  d = (PRUint8 *)b;
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  while( ('\0' != *c) && ('\0' != *d) ) {
+    PRUint8 e, f;
+
+    e = *c;
+    f = *d;
+    
+    if( ('a' <= e) && (e <= 'z') ) {
+      e -= ('a' - 'A');
+    }
+
+    if( ('a' <= f) && (f <= 'z') ) {
+      f -= ('a' - 'A');
+    }
+
+    if( e != f ) {
+      return PR_FALSE;
+    }
+
+    c++;
+    d++;
+
+    if( ' ' == *c ) {
+      while( ' ' == *c ) {
+        c++;
+      }
+      c--;
+    }
+
+    if( ' ' == *d ) {
+      while( ' ' == *d ) {
+        d++;
+      }
+      d--;
+    }
+  }
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  if( *c == *d ) {
+    /* And both '\0', btw */
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_Duplicate
+ *
+ * This routine duplicates the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
+ * not null, the memory required will be obtained from that arena;
+ * otherwise, the memory required will be obtained from the heap.
+ * A pointer to the new string will be returned.  In case of error,
+ * an error will be placed on the error stack and NULL will be 
+ * returned.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 len;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  len = PL_strlen((const char *)s);
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ len ] ) {
+    /* must have wrapped, e.g., too big for PRUint32 */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* PEDANTIC */
+  len++; /* zero termination */
+
+  rv = nss_ZAlloc(arenaOpt, len);
+  if( (void *)NULL == rv ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  (void)nsslibc_memcpy(rv, s, len);
+  return rv;
+}
+
+/*
+ * nssUTF8_Size
+ *
+ * This routine returns the length in bytes (including the terminating
+ * null) of the UTF8-encoded string pointed to by the specified
+ * NSSUTF8 pointer.  Zero is returned on error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  0 on error
+ *  nonzero length of the string.
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 sv;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* NSSDEBUG */
+
+  sv = PL_strlen((const char *)s) + 1;
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ sv-1 ] ) {
+    /* wrapped */
+    nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* PEDANTIC */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return sv;
+}
+
+/*
+ * nssUTF8_Length
+ *
+ * This routine returns the length in characters (not including the
+ * terminating null) of the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  length of the string (which may be zero)
+ *  0 on error
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 l = 0;
+  const PRUint8 *c = (const PRUint8 *)s;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    goto loser;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * From RFC 2044:
+   *
+   * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+   * 0000 0000-0000 007F   0xxxxxxx
+   * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+   * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+   * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+   */  
+
+  while( 0 != *c ) {
+    PRUint32 incr;
+    if( (*c & 0x80) == 0 ) {
+      incr = 1;
+    } else if( (*c & 0xE0) == 0xC0 ) {
+      incr = 2;
+    } else if( (*c & 0xF0) == 0xE0 ) {
+      incr = 3;
+    } else if( (*c & 0xF8) == 0xF0 ) {
+      incr = 4;
+    } else if( (*c & 0xFC) == 0xF8 ) {
+      incr = 5;
+    } else if( (*c & 0xFE) == 0xFC ) {
+      incr = 6;
+    } else {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      goto loser;
+    }
+
+    l += incr;
+
+#ifdef PEDANTIC
+    if( l < incr ) {
+      /* Wrapped-- too big */
+      nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+      goto loser;
+    }
+
+    {
+      PRUint8 *d;
+      for( d = &c[1]; d < &c[incr]; d++ ) {
+        if( (*d & 0xC0) != 0xF0 ) {
+          nss_SetError(NSS_ERROR_INVALID_STRING);
+          goto loser;
+        }
+      }
+    }
+#endif /* PEDANTIC */
+
+    c += incr;
+  }
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return l;
+
+ loser:
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+
+  return 0;
+}
+
+
+/*
+ * nssUTF8_Create
+ *
+ * This routine creates a UTF8 string from a string in some other
+ * format.  Some types of string may include embedded null characters,
+ * so for them the length parameter must be used.  For string types
+ * that are null-terminated, the length parameter is optional; if it
+ * is zero, it will be ignored.  If the optional arena argument is
+ * non-null, the memory used for the new string will be obtained from
+ * that arena, otherwise it will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_UNSUPPORTED_TYPE
+ *
+ * Return value:
+ *  NULL upon error
+ *  A non-null pointer to a new UTF8 string otherwise
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+)
+{
+  NSSUTF8 *rv = NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == inputString ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    /* This is a composite type requiring BER */
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  case nssStringType_TeletexString:
+    /*
+     * draft-ietf-pkix-ipki-part1-11 says in part:
+     *
+     * In addition, many legacy implementations support names encoded 
+     * in the ISO 8859-1 character set (Latin1String) but tag them as 
+     * TeletexString.  The Latin1String includes characters used in 
+     * Western European countries which are not part of the 
+     * TeletexString charcter set.  Implementations that process 
+     * TeletexString SHOULD be prepared to handle the entire ISO 
+     * 8859-1 character set.[ISO 8859-1].
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    /*
+     * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
+     * This is a subset of ASCII, which is a subset of UTF8.
+     * So we can just duplicate the string over.
+     */
+
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_UniversalString:
+    /* 4-byte unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    /* Base Multilingual Plane of Unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_PHGString:
+    /* 
+     * PHGString is an IA5String (with case-insensitive comparisons).
+     * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
+     * currency symbol.
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_GeneralString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  PRStatus status = PR_SUCCESS;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSItem *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_TeletexString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UniversalString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    {
+      NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
+      if( (NSSUTF8 *)NULL == dup ) {
+        return (NSSItem *)NULL;
+      }
+
+      if( (NSSItem *)NULL == rvOpt ) {
+        rv = nss_ZNEW(arenaOpt, NSSItem);
+        if( (NSSItem *)NULL == rv ) {
+          (void)nss_ZFreeIf(dup);
+          return (NSSItem *)NULL;
+        }
+      } else {
+        rv = rvOpt;
+      }
+
+      rv->data = dup;
+      dup = (NSSUTF8 *)NULL;
+      rv->size = nssUTF8_Size(rv->data, &status);
+      if( (0 == rv->size) && (PR_SUCCESS != status) ) {
+        if( (NSSItem *)NULL == rvOpt ) {
+          (void)nss_ZFreeIf(rv);
+        }
+        return (NSSItem *)NULL;
+      }
+    }
+    break;
+  case nssStringType_PHGString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+/*
+ * nssUTF8_CopyIntoFixedBuffer
+ *
+ * This will copy a UTF8 string into a fixed-length buffer, making 
+ * sure that the all characters are valid.  Any remaining space will
+ * be padded with the specified ASCII character, typically either 
+ * null or space.
+ *
+ * Blah, blah, blah.
+ */
+
+NSS_IMPLEMENT PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+)
+{
+  PRUint32 stringSize = 0;
+
+#ifdef NSSDEBUG
+  if( (char *)NULL == buffer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FALSE;
+  }
+
+  if( 0 == bufferSize ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+
+  if( (pad & 0x80) != 0x00 ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == string ) {
+    string = (NSSUTF8 *) "";
+  }
+
+  stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
+  stringSize--; /* don't count the trailing null */
+  if( stringSize > bufferSize ) {
+    PRUint32 bs = bufferSize;
+    (void)nsslibc_memcpy(buffer, string, bufferSize);
+    
+    if( (            ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
+        ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
+        ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
+        ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
+        ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
+        ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
+      /* It fit exactly */
+      return PR_SUCCESS;
+    }
+
+    /* Too long.  We have to trim the last character */
+    for( /*bs*/; bs != 0; bs-- ) {
+      if( (buffer[bs-1] & 0xC0) != 0x80 ) {
+        buffer[bs-1] = pad;
+        break;
+      } else {
+        buffer[bs-1] = pad;
+      }
+    }      
+  } else {
+    (void)nsslibc_memset(buffer, pad, bufferSize);
+    (void)nsslibc_memcpy(buffer, string, stringSize);
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssUTF8_Equal
+ *
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 la, lb;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  la = nssUTF8_Size(a, statusOpt);
+  if( 0 == la ) {
+    return PR_FALSE;
+  }
+
+  lb = nssUTF8_Size(b, statusOpt);
+  if( 0 == lb ) {
+    return PR_FALSE;
+  }
+
+  if( la != lb ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(a, b, la, statusOpt);
+}
diff --git a/security/nss/lib/certdb/.cvsignore b/security/nss/lib/certdb/.cvsignore
new file mode 100644
index 000000000..ec60123e5
--- /dev/null
+++ b/security/nss/lib/certdb/.cvsignore
@@ -0,0 +1 @@
+nscertinit.c
diff --git a/security/nss/lib/certdb/Makefile b/security/nss/lib/certdb/Makefile
new file mode 100644
index 000000000..a41aa72c6
--- /dev/null
+++ b/security/nss/lib/certdb/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
new file mode 100644
index 000000000..739254cd9
--- /dev/null
+++ b/security/nss/lib/certdb/alg1485.c
@@ -0,0 +1,1414 @@
+/* alg1485.c - implementation of RFCs 1485, 1779 and 2253.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prprf.h"
+#include "cert.h"
+#include "certi.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secitem.h"
+#include "secerr.h"
+
+typedef struct NameToKindStr {
+    const char * name;
+    unsigned int maxLen; /* max bytes in UTF8 encoded string value */
+    SECOidTag    kind;
+    int		 valueType;
+} NameToKind;
+
+/* local type for directory string--could be printable_string or utf8 */
+#define SEC_ASN1_DS SEC_ASN1_HIGH_TAG_NUMBER
+
+/* Add new entries to this table, and maybe to function CERT_ParseRFC1485AVA */
+static const NameToKind name2kinds[] = {
+/* IANA registered type names
+ * (See: http://www.iana.org/assignments/ldap-parameters) 
+ */
+/* RFC 3280, 4630 MUST SUPPORT */
+    { "CN",             64, SEC_OID_AVA_COMMON_NAME,    SEC_ASN1_DS},
+    { "ST",            128, SEC_OID_AVA_STATE_OR_PROVINCE,
+							SEC_ASN1_DS},
+    { "O",              64, SEC_OID_AVA_ORGANIZATION_NAME,
+							SEC_ASN1_DS},
+    { "OU",             64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
+                                                        SEC_ASN1_DS},
+    { "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING},
+    { "C",               2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING},
+    { "serialNumber",   64, SEC_OID_AVA_SERIAL_NUMBER,SEC_ASN1_PRINTABLE_STRING},
+
+/* RFC 3280, 4630 SHOULD SUPPORT */
+    { "L",             128, SEC_OID_AVA_LOCALITY,       SEC_ASN1_DS},
+    { "title",          64, SEC_OID_AVA_TITLE,          SEC_ASN1_DS},
+    { "SN",             64, SEC_OID_AVA_SURNAME,        SEC_ASN1_DS},
+    { "givenName",      64, SEC_OID_AVA_GIVEN_NAME,     SEC_ASN1_DS},
+    { "initials",       64, SEC_OID_AVA_INITIALS,       SEC_ASN1_DS},
+    { "generationQualifier",
+                        64, SEC_OID_AVA_GENERATION_QUALIFIER,
+                                                        SEC_ASN1_DS},
+/* RFC 3280, 4630 MAY SUPPORT */
+    { "DC",            128, SEC_OID_AVA_DC,             SEC_ASN1_IA5_STRING},
+    { "MAIL",          256, SEC_OID_RFC1274_MAIL,       SEC_ASN1_IA5_STRING},
+    { "UID",           256, SEC_OID_RFC1274_UID,        SEC_ASN1_DS},
+
+/* ------------------ "strict" boundary ---------------------------------
+ * In strict mode, cert_NameToAscii does not encode any of the attributes
+ * below this line. The first SECOidTag below this line must be used to
+ * conditionally define the "endKind" in function AppendAVA() below.
+ * Most new attribute names should be added below this line.
+ * Maybe this line should be up higher?  Say, after the 3280 MUSTs and 
+ * before the 3280 SHOULDs?
+ */
+
+/* values from draft-ietf-ldapbis-user-schema-05 (not in RFC 3280) */
+    { "postalAddress", 128, SEC_OID_AVA_POSTAL_ADDRESS, SEC_ASN1_DS},
+    { "postalCode",     40, SEC_OID_AVA_POSTAL_CODE,    SEC_ASN1_DS},
+    { "postOfficeBox",  40, SEC_OID_AVA_POST_OFFICE_BOX,SEC_ASN1_DS},
+    { "houseIdentifier",64, SEC_OID_AVA_HOUSE_IDENTIFIER,SEC_ASN1_DS},
+/* end of IANA registered type names */
+
+/* legacy keywords */
+    { "E",             128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_DS},
+
+#if 0 /* removed.  Not yet in any IETF draft or RFC. */
+    { "pseudonym",      64, SEC_OID_AVA_PSEUDONYM,      SEC_ASN1_DS},
+#endif
+
+    { 0,           256, SEC_OID_UNKNOWN                      , 0},
+};
+
+#define C_DOUBLE_QUOTE '\042'
+
+#define C_BACKSLASH '\134'
+
+#define C_EQUAL '='
+
+#define OPTIONAL_SPACE(c) \
+    (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
+
+#define SPECIAL_CHAR(c)						\
+    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||	\
+     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||		\
+     ((c) == '<') || ((c) == '>') || ((c) == '#') ||		\
+     ((c) == ';') || ((c) == C_BACKSLASH))
+
+
+#define IS_PRINTABLE(c)						\
+    ((((c) >= 'a') && ((c) <= 'z')) ||				\
+     (((c) >= 'A') && ((c) <= 'Z')) ||				\
+     (((c) >= '0') && ((c) <= '9')) ||				\
+     ((c) == ' ') ||						\
+     ((c) == '\'') ||						\
+     ((c) == '\050') ||				/* ( */		\
+     ((c) == '\051') ||				/* ) */		\
+     (((c) >= '+') && ((c) <= '/')) ||		/* + , - . / */	\
+     ((c) == ':') ||						\
+     ((c) == '=') ||						\
+     ((c) == '?'))
+
+int
+cert_AVAOidTagToMaxLen(SECOidTag tag)
+{
+    const NameToKind *n2k = name2kinds;
+
+    while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
+	++n2k;
+    }
+    return (n2k->kind != SEC_OID_UNKNOWN) ? n2k->maxLen : -1;
+}
+
+static PRBool
+IsPrintable(unsigned char *data, unsigned len)
+{
+    unsigned char ch, *end;
+
+    end = data + len;
+    while (data < end) {
+	ch = *data++;
+	if (!IS_PRINTABLE(ch)) {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+static void
+skipSpace(char **pbp, char *endptr)
+{
+    char *bp = *pbp;
+    while (bp < endptr && OPTIONAL_SPACE(*bp)) {
+	bp++;
+    }
+    *pbp = bp;
+}
+
+static SECStatus
+scanTag(char **pbp, char *endptr, char *tagBuf, int tagBufSize)
+{
+    char *bp, *tagBufp;
+    int taglen;
+
+    PORT_Assert(tagBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    /* fill tagBuf */
+    taglen = 0;
+    bp = *pbp;
+    tagBufp = tagBuf;
+    while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
+	if (++taglen >= tagBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*tagBufp++ = *bp++;
+    }
+    /* null-terminate tagBuf -- guaranteed at least one space left */
+    *tagBufp++ = 0;
+    *pbp = bp;
+    
+    /* skip trailing spaces till we hit something - should be an equal sign */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    if (**pbp != C_EQUAL) {
+	/* should be an equal sign */
+	return SECFailure;
+    }
+    /* skip over the equal sign */
+    (*pbp)++;
+    
+    return SECSuccess;
+}
+
+static SECStatus
+scanVal(char **pbp, char *endptr, char *valBuf, int valBufSize)  
+{
+    char *bp, *valBufp;
+    int vallen;
+    PRBool isQuoted;
+    
+    PORT_Assert(valBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if(*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    bp = *pbp;
+    
+    /* quoted? */
+    if (*bp == C_DOUBLE_QUOTE) {
+	isQuoted = PR_TRUE;
+	/* skip over it */
+	bp++;
+    } else {
+	isQuoted = PR_FALSE;
+    }
+    
+    valBufp = valBuf;
+    vallen = 0;
+    while (bp < endptr) {
+	char c = *bp;
+	if (c == C_BACKSLASH) {
+	    /* escape character */
+	    bp++;
+	    if (bp >= endptr) {
+		/* escape charater must appear with paired char */
+		*pbp = bp;
+		return SECFailure;
+	    }
+	} else if (c == '#' && bp == *pbp) {
+	    /* ignore leading #, quotation not required for it. */
+	} else if (!isQuoted && SPECIAL_CHAR(c)) {
+	    /* unescaped special and not within quoted value */
+	    break;
+	} else if (c == C_DOUBLE_QUOTE) {
+	    /* reached unescaped double quote */
+	    break;
+	}
+	/* append character */
+        vallen++;
+	if (vallen >= valBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*valBufp++ = *bp++;
+    }
+    
+    /* stip trailing spaces from unquoted values */
+    if (!isQuoted) {
+	if (valBufp > valBuf) {
+	    valBufp--;
+	    while ((valBufp > valBuf) && OPTIONAL_SPACE(*valBufp)) {
+		valBufp--;
+	    }
+	    valBufp++;
+	}
+    }
+    
+    if (isQuoted) {
+	/* insist that we stopped on a double quote */
+	if (*bp != C_DOUBLE_QUOTE) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	/* skip over the quote and skip optional space */
+	bp++;
+	skipSpace(&bp, endptr);
+    }
+    
+    *pbp = bp;
+    
+    if (valBufp == valBuf) {
+	/* empty value -- not allowed */
+	return SECFailure;
+    }
+    
+    /* null-terminate valBuf -- guaranteed at least one space left */
+    *valBufp++ = 0;
+    
+    return SECSuccess;
+}
+
+static const PRInt16 x2b[256] = 
+{
+/* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #3x */  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, 
+/* #4x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #5x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #6x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #7x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #8x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #9x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #ax */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #bx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #cx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #dx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #ex */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #fx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
+};
+
+/* Caller must set error code upon failure */
+static SECStatus
+hexToBin(PLArenaPool *pool, SECItem * destItem, const char * src, int len)
+{
+    PRUint8 * dest;
+
+    destItem->data = NULL; 
+    if (len <= 0 || (len & 1)) {
+	goto loser;
+    }
+    len >>= 1;
+    if (!SECITEM_AllocItem(pool, destItem, len))
+	goto loser;
+    dest = destItem->data;
+    for (; len > 0; len--, src += 2) {
+	PRInt16 bin = (x2b[(PRUint8)src[0]] << 4) | x2b[(PRUint8)src[1]]; 
+	if (bin < 0)
+	    goto loser;
+	*dest++ = (PRUint8)bin;
+    }
+    return SECSuccess;
+loser:
+    if (!pool)
+    	SECITEM_FreeItem(destItem, PR_FALSE);
+    return SECFailure;
+}
+
+
+CERTAVA *
+CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
+		    PRBool singleAVA) 
+{
+    CERTAVA *a;
+    const NameToKind *n2k;
+    char *bp;
+    int       vt = -1;
+    int       valLen;
+    SECOidTag kind  = SEC_OID_UNKNOWN;
+    SECStatus rv    = SECFailure;
+    SECItem   derOid = { 0, NULL, 0 };
+
+    char tagBuf[32];
+    char valBuf[384];
+
+    PORT_Assert(arena);
+    if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
+	scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
+	goto loser;
+    }
+
+    /* insist that if we haven't finished we've stopped on a separator */
+    bp = *pbp;
+    if (bp < endptr) {
+	if (singleAVA || (*bp != ',' && *bp != ';')) {
+	    *pbp = bp;
+	    goto loser;
+	}
+	/* ok, skip over separator */
+	bp++;
+    }
+    *pbp = bp;
+
+    /* is this a dotted decimal OID attribute type ? */
+    if (!PL_strncasecmp("oid.", tagBuf, 4)) {
+        rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf));
+    } else {
+	for (n2k = name2kinds; n2k->name; n2k++) {
+	    SECOidData *oidrec;
+	    if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
+		kind = n2k->kind;
+		vt   = n2k->valueType;
+		oidrec = SECOID_FindOIDByTag(kind);
+		if (oidrec == NULL)
+		    goto loser;
+		derOid = oidrec->oid;
+		break;
+	    }
+	}
+    }
+    if (kind == SEC_OID_UNKNOWN && rv != SECSuccess) 
+	goto loser;
+
+    /* Is this a hex encoding of a DER attribute value ? */
+    if ('#' == valBuf[0]) {
+    	/* convert attribute value from hex to binary */
+	SECItem  derVal = { 0, NULL, 0};
+	valLen = PORT_Strlen(valBuf+1);
+	rv = hexToBin(arena, &derVal, valBuf + 1, valLen);
+	if (rv)
+	    goto loser;
+	a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal);
+    } else {
+	if (kind == SEC_OID_UNKNOWN)
+	    goto loser;
+	valLen = PORT_Strlen(valBuf);
+	if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2)
+	    goto loser;
+	if (vt == SEC_ASN1_PRINTABLE_STRING &&
+	    !IsPrintable((unsigned char*) valBuf, valLen)) 
+	    goto loser;
+	if (vt == SEC_ASN1_DS) {
+	    /* RFC 4630: choose PrintableString or UTF8String */
+	    if (IsPrintable((unsigned char*) valBuf, valLen))
+		vt = SEC_ASN1_PRINTABLE_STRING;
+	    else 
+		vt = SEC_ASN1_UTF8_STRING;
+	}
+
+	a = CERT_CreateAVA(arena, kind, vt, (char *)valBuf);
+    }
+    return a;
+
+loser:
+    /* matched no kind -- invalid tag */
+    PORT_SetError(SEC_ERROR_INVALID_AVA);
+    return 0;
+}
+
+static CERTName *
+ParseRFC1485Name(char *buf, int len)
+{
+    SECStatus rv;
+    CERTName *name;
+    char *bp, *e;
+    CERTAVA *ava;
+    CERTRDN *rdn;
+
+    name = CERT_CreateName(NULL);
+    if (name == NULL) {
+	return NULL;
+    }
+    
+    e = buf + len;
+    bp = buf;
+    while (bp < e) {
+	ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
+	if (ava == 0) goto loser;
+	rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0);
+	if (rdn == 0) goto loser;
+	rv = CERT_AddRDN(name, rdn);
+	if (rv) goto loser;
+	skipSpace(&bp, e);
+    }
+
+    if (name->rdns[0] == 0) {
+	/* empty name -- illegal */
+	goto loser;
+    }
+
+    /* Reverse order of RDNS to comply with RFC */
+    {
+	CERTRDN **firstRdn;
+	CERTRDN **lastRdn;
+	CERTRDN *tmp;
+	
+	/* get first one */
+	firstRdn = name->rdns;
+	
+	/* find last one */
+	lastRdn = name->rdns;
+	while (*lastRdn) lastRdn++;
+	lastRdn--;
+	
+	/* reverse list */
+	for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
+	    tmp = *firstRdn;
+	    *firstRdn = *lastRdn;
+	    *lastRdn = tmp;
+	}
+    }
+    
+    /* return result */
+    return name;
+    
+  loser:
+    CERT_DestroyName(name);
+    return NULL;
+}
+
+CERTName *
+CERT_AsciiToName(char *string)
+{
+    CERTName *name;
+    name = ParseRFC1485Name(string, PORT_Strlen(string));
+    return name;
+}
+
+/************************************************************************/
+
+typedef struct stringBufStr {
+    char *buffer;
+    unsigned offset;
+    unsigned size;
+} stringBuf;
+
+#define DEFAULT_BUFFER_SIZE 200
+
+static SECStatus
+AppendStr(stringBuf *bufp, char *str)
+{
+    char *buf;
+    unsigned bufLen, bufSize, len;
+    int size = 0;
+
+    /* Figure out how much to grow buf by (add in the '\0') */
+    buf = bufp->buffer;
+    bufLen = bufp->offset;
+    len = PORT_Strlen(str);
+    bufSize = bufLen + len;
+    if (!buf) {
+	bufSize++;
+	size = PR_MAX(DEFAULT_BUFFER_SIZE,bufSize*2);
+	buf = (char *) PORT_Alloc(size);
+	bufp->size = size;
+    } else if (bufp->size < bufSize) {
+	size = bufSize*2;
+	buf =(char *) PORT_Realloc(buf,size);
+	bufp->size = size;
+    }
+    if (!buf) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    bufp->buffer = buf;
+    bufp->offset = bufSize;
+
+    /* Concatenate str onto buf */
+    buf = buf + bufLen;
+    if (bufLen) buf--;			/* stomp on old '\0' */
+    PORT_Memcpy(buf, str, len+1);		/* put in new null */
+    return SECSuccess;
+}
+
+static int
+cert_RFC1485_GetRequiredLen(const char *src, int srclen, PRBool *pNeedsQuoting)
+{
+    int i, reqLen=0;
+    PRBool needsQuoting = PR_FALSE;
+    char lastC = 0;
+
+    /* need to make an initial pass to determine if quoting is needed */
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	reqLen++;
+	if (!needsQuoting && (SPECIAL_CHAR(c) ||
+	    (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)))) {
+	    /* entirety will need quoting */
+	    needsQuoting = PR_TRUE;
+	}
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* this char will need escaping */
+	    reqLen++;
+	}
+	lastC = c;
+    }
+    /* if it begins or ends in optional space it needs quoting */
+    if (!needsQuoting && srclen > 0 && 
+	(OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
+	needsQuoting = PR_TRUE;
+    }
+
+    if (needsQuoting) 
+    	reqLen += 2;
+    if (pNeedsQuoting)
+    	*pNeedsQuoting = needsQuoting;
+
+    return reqLen;
+}
+
+SECStatus
+CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
+{
+    int i, reqLen=0;
+    char *d = dst;
+    PRBool needsQuoting = PR_FALSE;
+
+    /* space for terminal null */
+    reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &needsQuoting) + 1;
+    if (reqLen > dstlen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+
+    d = dst;
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* escape it */
+	    *d++ = C_BACKSLASH;
+	}
+	*d++ = c;
+    }
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    *d++ = 0;
+    return SECSuccess;
+}
+
+/* convert an OID to dotted-decimal representation */
+/* Returns a string that must be freed with PR_smprintf_free(), */
+char *
+CERT_GetOidString(const SECItem *oid)
+{
+    PRUint8 *end;
+    PRUint8 *d;
+    PRUint8 *e;
+    char *a         = NULL;
+    char *b;
+
+#define MAX_OID_LEN 1024 /* bytes */
+
+    if (oid->len > MAX_OID_LEN) {
+    	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return NULL;
+    }
+
+    /* d will point to the next sequence of bytes to decode */
+    d = (PRUint8 *)oid->data;
+    /* end points to one past the legitimate data */
+    end = &d[ oid->len ];
+
+    /*
+     * Check for our pseudo-encoded single-digit OIDs
+     */
+    if( (*d == 0x80) && (2 == oid->len) ) {
+	/* Funky encoding.  The second byte is the number */
+	a = PR_smprintf("%lu", (PRUint32)d[1]);
+	if( (char *)NULL == a ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return (char *)NULL;
+	}
+	return a;
+    }
+
+    for( ; d < end; d = &e[1] ) {
+    
+	for( e = d; e < end; e++ ) {
+	    if( 0 == (*e & 0x80) ) {
+		break;
+	    }
+	}
+    
+	if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
+	    /* More than a 32-bit number */
+	} else {
+	    PRUint32 n = 0;
+      
+	    switch( e-d ) {
+	    case 4:
+		n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
+	    case 3:
+		n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
+	    case 2:
+		n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
+	    case 1:
+		n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
+	    case 0:
+		n |= ((PRUint32)(e[-0] & 0x7f))      ;
+	    }
+      
+	    if( (char *)NULL == a ) {
+		/* This is the first number.. decompose it */
+		PRUint32 one = PR_MIN(n/40, 2); /* never > 2 */
+		PRUint32 two = n - one * 40;
+        
+		a = PR_smprintf("OID.%lu.%lu", one, two);
+		if( (char *)NULL == a ) {
+		    PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    return (char *)NULL;
+		}
+	    } else {
+		b = PR_smprintf("%s.%lu", a, n);
+		if( (char *)NULL == b ) {
+		    PR_smprintf_free(a);
+		    PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    return (char *)NULL;
+		}
+        
+		PR_smprintf_free(a);
+		a = b;
+	    }
+	}
+    }
+
+    return a;
+}
+
+/* convert DER-encoded hex to a string */
+static SECItem *
+get_hex_string(SECItem *data)
+{
+    SECItem *rv;
+    unsigned int i, j;
+    static const char hex[] = { "0123456789ABCDEF" };
+
+    /* '#' + 2 chars per octet + terminator */
+    rv = SECITEM_AllocItem(NULL, NULL, data->len*2 + 2);
+    if (!rv) {
+	return NULL;
+    }
+    rv->data[0] = '#';
+    rv->len = 1 + 2 * data->len;
+    for (i=0; i<data->len; i++) {
+	j = data->data[i];
+	rv->data[2*i+1] = hex[j >> 4];
+	rv->data[2*i+2] = hex[j & 15];
+    }
+    rv->data[rv->len] = 0;
+    return rv;
+}
+
+/* For compliance with RFC 2253, RFC 3280 and RFC 4630, we choose to 
+ * use the NAME=STRING form, rather than the OID.N.N=#hexXXXX form, 
+ * when both of these conditions are met:
+ *  1) The attribute name OID (kind) has a known name string that is 
+ *     defined in one of those RFCs, or in RFCs that they cite, AND
+ *  2) The attribute's value encoding is RFC compliant for the kind
+ *     (e.g., the value's encoding tag is correct for the kind, and
+ *     the value's length is in the range allowed for the kind, and
+ *     the value's contents are appropriate for the encoding tag).
+ *  Otherwise, we use the OID.N.N=#hexXXXX form.
+ *
+ *  If the caller prefers maximum human readability to RFC compliance,
+ *  then 
+ *  - We print the kind in NAME= string form if we know the name
+ *    string for the attribute type OID, regardless of whether the 
+ *    value is correctly encoded or not. else we use the OID.N.N= form.
+ *  - We use the non-hex STRING form for the attribute value if the
+ *    value can be represented in such a form.  Otherwise, we use 
+ *    the hex string form.
+ *  This implies that, for maximum human readability, in addition to 
+ *  the two forms allowed by the RFC, we allow two other forms of output:
+ *  - the OID.N.N=STRING form, and 
+ *  - the NAME=#hexXXXX form
+ *  When the caller prefers maximum human readability, we do not allow
+ *  the value of any attribute to exceed the length allowed by the RFC.
+ *  If the attribute value exceeds the allowed length, we truncate it to 
+ *  the allowed length and append "...".
+ *  Also in this case, we arbitrarily impose a limit on the length of the 
+ *  entire AVA encoding, regardless of the form, of 384 bytes per AVA.
+ *  This limit includes the trailing NULL character.  If the encoded 
+ *  AVA length exceeds that limit, this function reports failure to encode
+ *  the AVA.
+ *
+ *  An ASCII representation of an AVA is said to be "invertible" if 
+ *  conversion back to DER reproduces the original DER encoding exactly.
+ *  The RFC 2253 rules do not ensure that all ASCII AVAs derived according
+ *  to its rules are invertible. That is because the RFCs allow some 
+ *  attribute values to be encoded in any of a number of encodings,
+ *  and the encoding type information is lost in the non-hex STRING form.
+ *  This is particularly true of attributes of type DirectoryString.
+ *  The encoding type information is always preserved in the hex string 
+ *  form, because the hex includes the entire DER encoding of the value.
+ *
+ *  So, when the caller perfers maximum invertibility, we apply the 
+ *  RFC compliance rules stated above, and add a third required 
+ *  condition on the use of the NAME=STRING form.  
+ *   3) The attribute's kind is not is allowed to be encoded in any of 
+ *      several different encodings, such as DirectoryStrings.
+ *
+ * The chief difference between CERT_N2A_STRICT and CERT_N2A_INVERTIBLE
+ * is that the latter forces DirectoryStrings to be hex encoded.
+ *
+ * As a simplification, we assume the value is correctly encoded for 
+ * its encoding type.  That is, we do not test that all the characters
+ * in a string encoded type are allowed by that type.  We assume it.
+ */
+static SECStatus
+AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
+{
+    const NameToKind *pn2k   = name2kinds;
+    SECItem     *avaValue    = NULL;
+    char        *unknownTag  = NULL;
+    char        *encodedAVA  = NULL;
+    PRBool       useHex      = PR_FALSE;  /* use =#hexXXXX form */
+    SECOidTag    endKind;
+    SECStatus    rv;
+    unsigned int len;
+    int          nameLen, valueLen;
+    NameToKind   n2k         = { NULL, 32767, SEC_OID_UNKNOWN, SEC_ASN1_DS };
+    char         tmpBuf[384];
+
+#define tagName  n2k.name    /* non-NULL means use NAME= form */
+#define maxBytes n2k.maxLen
+#define tag      n2k.kind
+#define vt       n2k.valueType
+
+    /* READABLE mode recognizes more names from the name2kinds table
+     * than do STRICT or INVERTIBLE modes.  This assignment chooses the
+     * point in the table where the attribute type name scanning stops.
+     */
+    endKind = (strict == CERT_N2A_READABLE) ? SEC_OID_UNKNOWN
+                                            : SEC_OID_AVA_POSTAL_ADDRESS;
+    tag = CERT_GetAVATag(ava);
+    while (pn2k->kind != tag && pn2k->kind != endKind) {
+        ++pn2k;
+    }
+
+    if (pn2k->kind != endKind ) {
+        n2k = *pn2k;
+    } else if (strict != CERT_N2A_READABLE) {
+        useHex = PR_TRUE;
+    }
+    /* For invertable form, force Directory Strings to use hex form. */
+    if (strict == CERT_N2A_INVERTIBLE && vt == SEC_ASN1_DS) {
+	tagName = NULL;      /* must use OID.N form */
+	useHex = PR_TRUE;    /* must use hex string */
+    }
+    if (!useHex) {
+	avaValue = CERT_DecodeAVAValue(&ava->value);
+	if (!avaValue) {
+	    useHex = PR_TRUE;
+	    if (strict != CERT_N2A_READABLE) {
+		tagName = NULL;  /* must use OID.N form */
+	    }
+	}
+    }
+    if (!tagName) {
+	/* handle unknown attribute types per RFC 2253 */
+	tagName = unknownTag = CERT_GetOidString(&ava->type);
+	if (!tagName) {
+	    if (avaValue)
+		SECITEM_FreeItem(avaValue, PR_TRUE);
+	    return SECFailure;
+	}
+    }
+    if (useHex) {
+	avaValue = get_hex_string(&ava->value);
+	if (!avaValue) {
+	    if (unknownTag) 
+	    	PR_smprintf_free(unknownTag);
+	    return SECFailure;
+	}
+    }
+
+    if (strict == CERT_N2A_READABLE) {
+    	if (maxBytes > sizeof(tmpBuf) - 4)
+	    maxBytes = sizeof(tmpBuf) - 4;
+	/* Check value length.  Must be room for "..." */
+	if (avaValue->len > maxBytes + 3) {
+	    /* avaValue is a UTF8 string, freshly allocated and returned to us 
+	    ** by CERT_DecodeAVAValue or get_hex_string just above, so we can
+	    ** modify it here.  See if we're in the middle of a multi-byte
+	    ** UTF8 character.
+	    */
+	    len = maxBytes;
+	    while (((avaValue->data[len] & 0xc0) == 0x80) && len > 0) {
+	       len--;
+	    }
+	    /* add elipsis to signify truncation. */
+	    avaValue->data[len++] = '.'; 
+	    avaValue->data[len++] = '.';
+	    avaValue->data[len++] = '.';
+	    avaValue->data[len]   = 0;
+	    avaValue->len = len;
+	}
+    }
+
+    nameLen  = strlen(tagName);
+    valueLen = (useHex ? avaValue->len : 
+            cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, NULL));
+    len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
+
+    if (len <= sizeof(tmpBuf)) {
+    	encodedAVA = tmpBuf;
+    } else if (strict == CERT_N2A_READABLE) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+    } else {
+	encodedAVA = PORT_Alloc(len);
+    }
+    if (!encodedAVA) {
+	SECITEM_FreeItem(avaValue, PR_TRUE);
+	if (unknownTag) 
+	    PR_smprintf_free(unknownTag);
+	return SECFailure;
+    }
+    memcpy(encodedAVA, tagName, nameLen);
+    if (unknownTag) 
+    	PR_smprintf_free(unknownTag);
+    encodedAVA[nameLen++] = '=';
+    
+    /* escape and quote as necessary - don't quote hex strings */
+    if (useHex) {
+	memcpy(encodedAVA + nameLen, (char *)avaValue->data, avaValue->len);
+	encodedAVA[nameLen + avaValue->len] = '\0';
+	rv = SECSuccess;
+    } else 
+	rv = CERT_RFC1485_EscapeAndQuote(encodedAVA + nameLen, len - nameLen, 
+		    		        (char *)avaValue->data, avaValue->len);
+    SECITEM_FreeItem(avaValue, PR_TRUE);
+    if (rv == SECSuccess)
+	rv = AppendStr(bufp, encodedAVA);
+    if (encodedAVA != tmpBuf)
+    	PORT_Free(encodedAVA);
+    return rv;
+}
+
+#undef tagName
+#undef maxBytes
+#undef tag
+#undef vt
+
+char *
+CERT_NameToAsciiInvertible(CERTName *name, CertStrictnessLevel strict)
+{
+    CERTRDN** rdns;
+    CERTRDN** lastRdn;
+    CERTRDN** rdn;
+    PRBool first = PR_TRUE;
+    stringBuf strBuf = { NULL, 0, 0 };
+    
+    rdns = name->rdns;
+    if (rdns == NULL) {
+	return NULL;
+    }
+    
+    /* find last RDN */
+    lastRdn = rdns;
+    while (*lastRdn) lastRdn++;
+    lastRdn--;
+    
+    /*
+     * Loop over name contents in _reverse_ RDN order appending to string
+     */
+    for (rdn = lastRdn; rdn >= rdns; rdn--) {
+	CERTAVA** avas = (*rdn)->avas;
+	CERTAVA* ava;
+	PRBool newRDN = PR_TRUE;
+
+	/* 
+	 * XXX Do we need to traverse the AVAs in reverse order, too?
+	 */
+	while (avas && (ava = *avas++) != NULL) {
+	    SECStatus rv;
+	    /* Put in comma or plus separator */
+	    if (!first) {
+		/* Use of spaces is deprecated in RFC 2253. */
+		rv = AppendStr(&strBuf, newRDN ? "," : "+");
+		if (rv) goto loser;
+	    } else {
+		first = PR_FALSE;
+	    }
+	    
+	    /* Add in tag type plus value into buf */
+	    rv = AppendAVA(&strBuf, ava, strict);
+	    if (rv) goto loser;
+	    newRDN = PR_FALSE;
+	}
+    }
+    return strBuf.buffer;
+loser:
+    if (strBuf.buffer) {
+	PORT_Free(strBuf.buffer);
+    }
+    return NULL;
+}
+
+char *
+CERT_NameToAscii(CERTName *name)
+{
+    return CERT_NameToAsciiInvertible(name, CERT_N2A_READABLE);
+}
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *
+CERT_DerNameToAscii(SECItem *dername)
+{
+    int rv;
+    PRArenaPool *arena = NULL;
+    CERTName name;
+    char *retstr = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( arena == NULL) {
+	goto loser;
+    }
+    
+    rv = SEC_QuickDERDecodeItem(arena, &name, CERT_NameTemplate, dername);
+    
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstr = CERT_NameToAscii(&name);
+
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(retstr);
+}
+
+/* RDNs are sorted from most general to most specific.
+ * This code returns the FIRST one found, the most general one found.
+ */
+static char *
+CERT_GetNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
+{
+    CERTRDN** rdns;
+    CERTRDN *rdn;
+    char *buf = 0;
+    
+    rdns = name->rdns;
+    while (rdns && (rdn = *rdns++) != 0) {
+	CERTAVA** avas = rdn->avas;
+	CERTAVA*  ava;
+	while (avas && (ava = *avas++) != 0) {
+	    int tag = CERT_GetAVATag(ava);
+	    if ( tag == wantedTag ) {
+		SECItem *decodeItem = CERT_DecodeAVAValue(&ava->value);
+		if(!decodeItem) {
+		    return NULL;
+		}
+		if (arena) {
+		    buf = (char *)PORT_ArenaZAlloc(arena,decodeItem->len + 1);
+		} else {
+		    buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
+		}
+		if ( buf ) {
+		    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
+		    buf[decodeItem->len] = 0;
+		}
+		SECITEM_FreeItem(decodeItem, PR_TRUE);
+		goto done;
+	    }
+	}
+    }
+    
+  done:
+    return buf;
+}
+
+/* RDNs are sorted from most general to most specific.
+ * This code returns the LAST one found, the most specific one found.
+ * This is particularly appropriate for Common Name.  See RFC 2818.
+ */
+static char *
+CERT_GetLastNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
+{
+    CERTRDN** rdns;
+    CERTRDN *rdn;
+    CERTAVA * lastAva = NULL;
+    char *buf = 0;
+    
+    rdns = name->rdns;
+    while (rdns && (rdn = *rdns++) != 0) {
+	CERTAVA** avas = rdn->avas;
+	CERTAVA*  ava;
+	while (avas && (ava = *avas++) != 0) {
+	    int tag = CERT_GetAVATag(ava);
+	    if ( tag == wantedTag ) {
+		lastAva = ava;
+	    }
+	}
+    }
+
+    if (lastAva) {
+	SECItem *decodeItem = CERT_DecodeAVAValue(&lastAva->value);
+	if(!decodeItem) {
+	    return NULL;
+	}
+	if (arena) {
+	    buf = (char *)PORT_ArenaZAlloc(arena,decodeItem->len + 1);
+	} else {
+	    buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
+	}
+	if ( buf ) {
+	    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
+	    buf[decodeItem->len] = 0;
+	}
+	SECITEM_FreeItem(decodeItem, PR_TRUE);
+    }    
+    return buf;
+}
+
+char *
+CERT_GetCertificateEmailAddress(CERTCertificate *cert)
+{
+    char *rawEmailAddr = NULL;
+    SECItem subAltName;
+    SECStatus rv;
+    CERTGeneralName *nameList = NULL;
+    CERTGeneralName *current;
+    PRArenaPool *arena = NULL;
+    int i;
+    
+    subAltName.data = NULL;
+
+    rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject),
+						 SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject), 
+							SEC_OID_RFC1274_MAIL);
+    }
+    if ( rawEmailAddr == NULL) {
+
+	rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, 
+								&subAltName);
+	if (rv != SECSuccess) {
+	    goto finish;
+	}
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (!arena) {
+	    goto finish;
+	}
+	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+	if (!nameList ) {
+	    goto finish;
+	}
+	if (nameList != NULL) {
+	    do {
+		if (current->type == certDirectoryName) {
+		    rawEmailAddr = CERT_GetNameElement(cert->arena,
+			&(current->name.directoryName), 
+					       SEC_OID_PKCS9_EMAIL_ADDRESS);
+		    if ( rawEmailAddr == NULL ) {
+			rawEmailAddr = CERT_GetNameElement(cert->arena,
+			  &(current->name.directoryName), SEC_OID_RFC1274_MAIL);
+		    }
+		} else if (current->type == certRFC822Name) {
+		    rawEmailAddr = (char*)PORT_ArenaZAlloc(cert->arena,
+						current->name.other.len + 1);
+		    if (!rawEmailAddr) {
+			goto finish;
+		    }
+		    PORT_Memcpy(rawEmailAddr, current->name.other.data, 
+				current->name.other.len);
+		    rawEmailAddr[current->name.other.len] = '\0';
+		}
+		if (rawEmailAddr) {
+		    break;
+		}
+		current = CERT_GetNextGeneralName(current);
+	    } while (current != nameList);
+	}
+    }
+    if (rawEmailAddr) {
+	for (i = 0; i <= (int) PORT_Strlen(rawEmailAddr); i++) {
+	    rawEmailAddr[i] = tolower(rawEmailAddr[i]);
+	}
+    } 
+
+finish:
+
+    /* Don't free nameList, it's part of the arena. */
+
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    if ( subAltName.data ) {
+	SECITEM_FreeItem(&subAltName, PR_FALSE);
+    }
+
+    return(rawEmailAddr);
+}
+
+static char *
+appendStringToBuf(char *dest, char *src, PRUint32 *pRemaining)
+{
+    PRUint32 len;
+    if (dest && src && src[0] && *pRemaining > (len = PL_strlen(src))) {
+	PRUint32 i;
+	for (i = 0; i < len; ++i)
+	    dest[i] = tolower(src[i]);
+	dest[len] = 0;
+	dest        += len + 1;
+	*pRemaining -= len + 1;
+    }
+    return dest;
+}
+
+static char *
+appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining)
+{
+    if (dest && src && src->data && src->len && src->data[0] && 
+        *pRemaining > src->len + 1 ) {
+	PRUint32 len = src->len;
+	PRUint32 i;
+	for (i = 0; i < len && src->data[i] ; ++i)
+	    dest[i] = tolower(src->data[i]);
+	dest[len] = 0;
+	dest        += len + 1;
+	*pRemaining -= len + 1;
+    }
+    return dest;
+}
+
+/* Returns a pointer to an environment-like string, a series of 
+** null-terminated strings, terminated by a zero-length string.
+** This function is intended to be internal to NSS.
+*/
+char *
+cert_GetCertificateEmailAddresses(CERTCertificate *cert)
+{
+    char *           rawEmailAddr = NULL;
+    char *           addrBuf      = NULL;
+    char *           pBuf         = NULL;
+    PRArenaPool *    tmpArena     = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    PRUint32         maxLen       = 0;
+    PRInt32          finalLen     = 0;
+    SECStatus        rv;
+    SECItem          subAltName;
+    
+    if (!tmpArena) 
+    	return addrBuf;
+
+    subAltName.data = NULL;
+    maxLen = cert->derCert.len;
+    PORT_Assert(maxLen);
+    if (!maxLen) 
+	maxLen = 2000;  /* a guess, should never happen */
+
+    pBuf = addrBuf = (char *)PORT_ArenaZAlloc(tmpArena, maxLen + 1);
+    if (!addrBuf) 
+    	goto loser;
+
+    rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject,
+				       SEC_OID_PKCS9_EMAIL_ADDRESS);
+    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
+
+    rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject, 
+				       SEC_OID_RFC1274_MAIL);
+    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
+
+    rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&subAltName);
+    if (rv == SECSuccess && subAltName.data) {
+	CERTGeneralName *nameList     = NULL;
+
+	if (!!(nameList = CERT_DecodeAltNameExtension(tmpArena, &subAltName))) {
+	    CERTGeneralName *current = nameList;
+	    do {
+		if (current->type == certDirectoryName) {
+		    rawEmailAddr = CERT_GetNameElement(tmpArena,
+			                       &current->name.directoryName, 
+					       SEC_OID_PKCS9_EMAIL_ADDRESS);
+		    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
+
+		    rawEmailAddr = CERT_GetNameElement(tmpArena,
+					      &current->name.directoryName, 
+					      SEC_OID_RFC1274_MAIL);
+		    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
+		} else if (current->type == certRFC822Name) {
+		    pBuf = appendItemToBuf(pBuf, &current->name.other, &maxLen);
+		}
+		current = CERT_GetNextGeneralName(current);
+	    } while (current != nameList);
+	}
+	SECITEM_FreeItem(&subAltName, PR_FALSE);
+	/* Don't free nameList, it's part of the tmpArena. */
+    }
+    /* now copy superstring to cert's arena */
+    finalLen = (pBuf - addrBuf) + 1;
+    pBuf = NULL;
+    if (finalLen > 1) {
+	pBuf = PORT_ArenaAlloc(cert->arena, finalLen);
+	if (pBuf) {
+	    PORT_Memcpy(pBuf, addrBuf, finalLen);
+	}
+    }
+loser:
+    if (tmpArena)
+	PORT_FreeArena(tmpArena, PR_FALSE);
+
+    return pBuf;
+}
+
+/* returns pointer to storage in cert's arena.  Storage remains valid
+** as long as cert's reference count doesn't go to zero.
+** Caller should strdup or otherwise copy.
+*/
+const char *	/* const so caller won't muck with it. */
+CERT_GetFirstEmailAddress(CERTCertificate * cert)
+{
+    if (cert && cert->emailAddr && cert->emailAddr[0])
+    	return (const char *)cert->emailAddr;
+    return NULL;
+}
+
+/* returns pointer to storage in cert's arena.  Storage remains valid
+** as long as cert's reference count doesn't go to zero.
+** Caller should strdup or otherwise copy.
+*/
+const char *	/* const so caller won't muck with it. */
+CERT_GetNextEmailAddress(CERTCertificate * cert, const char * prev)
+{
+    if (cert && prev && prev[0]) {
+    	PRUint32 len = PL_strlen(prev);
+	prev += len + 1;
+	if (prev && prev[0])
+	    return prev;
+    }
+    return NULL;
+}
+
+/* This is seriously bogus, now that certs store their email addresses in
+** subject Alternative Name extensions. 
+** Returns a string allocated by PORT_StrDup, which the caller must free.
+*/
+char *
+CERT_GetCertEmailAddress(CERTName *name)
+{
+    char *rawEmailAddr;
+    char *emailAddr;
+
+    
+    rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_MAIL);
+    }
+    emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
+    if ( rawEmailAddr ) {
+	PORT_Free(rawEmailAddr);
+    }
+    return(emailAddr);
+}
+
+/* The return value must be freed with PORT_Free. */
+char *
+CERT_GetCommonName(CERTName *name)
+{
+    return(CERT_GetLastNameElement(NULL, name, SEC_OID_AVA_COMMON_NAME));
+}
+
+char *
+CERT_GetCountryName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_COUNTRY_NAME));
+}
+
+char *
+CERT_GetLocalityName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_LOCALITY));
+}
+
+char *
+CERT_GetStateName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_STATE_OR_PROVINCE));
+}
+
+char *
+CERT_GetOrgName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATION_NAME));
+}
+
+char *
+CERT_GetDomainComponentName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DC));
+}
+
+char *
+CERT_GetOrgUnitName(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME));
+}
+
+char *
+CERT_GetDnQualifier(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DN_QUALIFIER));
+}
+
+char *
+CERT_GetCertUid(CERTName *name)
+{
+    return(CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_UID));
+}
+
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
new file mode 100644
index 000000000..ea4941ade
--- /dev/null
+++ b/security/nss/lib/certdb/cert.h
@@ -0,0 +1,1658 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * cert.h - public data structures and prototypes for the certificate library
+ *
+ * $Id$
+ */
+
+#ifndef _CERT_H_
+#define _CERT_H_
+
+#include "utilrename.h"
+#include "plarena.h"
+#include "plhash.h"
+#include "prlong.h"
+#include "prlog.h"
+
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+
+SEC_BEGIN_PROTOS
+   
+/****************************************************************************
+ *
+ * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
+ *
+ ****************************************************************************/
+
+/*
+** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
+*/
+extern CERTName *CERT_AsciiToName(char *string);
+
+/*
+** Convert an CERTName into its RFC1485 encoded equivalent.
+** Returns a string that must be freed with PORT_Free().
+** This version produces a string for maximum human readability,
+** not for strict RFC compliance.
+*/
+extern char *CERT_NameToAscii(CERTName *name);
+
+/*
+** Convert an CERTName into its RFC1485 encoded equivalent.
+** Returns a string that must be freed with PORT_Free().
+** Caller chooses encoding rules.
+*/
+extern char *CERT_NameToAsciiInvertible(CERTName *name, 
+                                        CertStrictnessLevel strict);
+
+extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src);
+
+/* convert an OID to dotted-decimal representation */
+/* Returns a string that must be freed with PR_smprintf_free(). */
+extern char * CERT_GetOidString(const SECItem *oid);
+
+/*
+** Examine an AVA and return the tag that refers to it. The AVA tags are
+** defined as SEC_OID_AVA*.
+*/
+extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
+
+/*
+** Compare two AVA's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
+
+/*
+** Create an RDN (relative-distinguished-name). The argument list is a
+** NULL terminated list of AVA's.
+*/
+extern CERTRDN *CERT_CreateRDN(PLArenaPool *arena, CERTAVA *avas, ...);
+
+/*
+** Make a copy of "src" storing it in "dest".
+*/
+extern SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *dest, CERTRDN *src);
+
+/*
+** Destory an RDN object.
+**	"rdn" the RDN to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
+
+/*
+** Add an AVA to an RDN.
+**	"rdn" the RDN to add to
+**	"ava" the AVA to add
+*/
+extern SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
+
+/*
+** Compare two RDN's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareRDN(CERTRDN *a, CERTRDN *b);
+
+/*
+** Create an X.500 style name using a NULL terminated list of RDN's.
+*/
+extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
+
+/*
+** Make a copy of "src" storing it in "dest". Memory is allocated in
+** "dest" for each of the appropriate sub objects. Memory is not freed in
+** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
+** do that).
+*/
+extern SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *dest, CERTName *src);
+
+/*
+** Destroy a Name object.
+**	"name" the CERTName to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyName(CERTName *name);
+
+/*
+** Add an RDN to a name.
+**	"name" the name to add the RDN to
+**	"rdn" the RDN to add to name
+*/
+extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
+
+/*
+** Compare two names, returning the difference between them.
+*/
+extern SECComparison CERT_CompareName(CERTName *a, CERTName *b);
+
+/*
+** Convert a CERTName into something readable
+*/
+extern char *CERT_FormatName (CERTName *name);
+
+/*
+** Convert a der-encoded integer to a hex printable string form.
+** Perhaps this should be a SEC function but it's only used for certs.
+*/
+extern char *CERT_Hexify (SECItem *i, int do_colon);
+
+/******************************************************************************
+ *
+ * Certificate handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create a new validity object given two unix time values.
+**	"notBefore" the time before which the validity is not valid
+**	"notAfter" the time after which the validity is not valid
+*/
+extern CERTValidity *CERT_CreateValidity(PRTime notBefore, PRTime notAfter);
+
+/*
+** Destroy a validity object.
+**	"v" the validity to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyValidity(CERTValidity *v);
+
+/*
+** Copy the "src" object to "dest". Memory is allocated in "dest" for
+** each of the appropriate sub-objects. Memory in "dest" is not freed
+** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
+** that).
+*/
+extern SECStatus CERT_CopyValidity
+   (PLArenaPool *arena, CERTValidity *dest, CERTValidity *src);
+
+/*
+** The cert lib considers a cert or CRL valid if the "notBefore" time is
+** in the not-too-distant future, e.g. within the next 24 hours. This 
+** prevents freshly issued certificates from being considered invalid
+** because the local system's time zone is incorrectly set.  
+** The amount of "pending slop time" is adjustable by the application.
+** Units of SlopTime are seconds.  Default is 86400  (24 hours).
+** Negative SlopTime values are not allowed.
+*/
+PRInt32 CERT_GetSlopTime(void);
+
+SECStatus CERT_SetSlopTime(PRInt32 slop);
+
+/*
+** Create a new certificate object. The result must be wrapped with an
+** CERTSignedData to create a signed certificate.
+**	"serialNumber" the serial number
+**	"issuer" the name of the certificate issuer
+**	"validity" the validity period of the certificate
+**	"req" the certificate request that prompted the certificate issuance
+*/
+extern CERTCertificate *
+CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
+			CERTValidity *validity, CERTCertificateRequest *req);
+
+/*
+** Destroy a certificate object
+**	"cert" the certificate to destroy
+** NOTE: certificate's are reference counted. This call decrements the
+** reference count, and if the result is zero, then the object is destroyed
+** and optionally freed.
+*/
+extern void CERT_DestroyCertificate(CERTCertificate *cert);
+
+/*
+** Make a shallow copy of a certificate "c". Just increments the
+** reference count on "c".
+*/
+extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
+
+/*
+** Create a new certificate request. This result must be wrapped with an
+** CERTSignedData to create a signed certificate request.
+**	"name" the subject name (who the certificate request is from)
+**	"spki" describes/defines the public key the certificate is for
+**	"attributes" if non-zero, some optional attribute data
+*/
+extern CERTCertificateRequest *
+CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
+			       SECItem **attributes);
+
+/*
+** Destroy a certificate-request object
+**	"r" the certificate-request to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
+
+/*
+** Start adding extensions to a certificate request.
+*/
+void *
+CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
+
+/*
+** Reformat the certificate extension list into a CertificateRequest
+** attribute list.
+*/
+SECStatus
+CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
+
+/*
+** Extract the Extension Requests from a DER CertRequest attribute list.
+*/
+SECStatus
+CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
+                                     CERTCertExtension ***exts);
+
+/*
+** Extract a public key object from a certificate
+*/
+extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
+
+/*
+ * used to get a public key with Key Material ID. Only used for fortezza V1
+ * certificates.
+ */
+extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
+
+
+/*
+** Retrieve the Key Type associated with the cert we're dealing with
+*/
+
+extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
+
+/*
+** Initialize the certificate database.  This is called to create
+**  the initial list of certificates in the database.
+*/
+extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
+
+extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
+
+/*
+** Default certificate database routines
+*/
+extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
+
+extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
+
+extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, 
+					       PRTime time, 
+					       SECCertUsage usage);
+extern CERTCertificate *
+CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
+                         char *nickname, PRBool isperm, PRBool copyDER);
+
+
+/******************************************************************************
+ *
+ * X.500 Name handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create an AVA (attribute-value-assertion)
+**	"arena" the memory arena to alloc from
+**	"kind" is one of SEC_OID_AVA_*
+**	"valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
+**	   DER_T61_STRING
+**	"value" is the null terminated string containing the value
+*/
+extern CERTAVA *CERT_CreateAVA
+   (PLArenaPool *arena, SECOidTag kind, int valueType, char *value);
+
+/*
+** Extract the Distinguished Name from a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+**	"derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
+
+/*
+** Extract the Issuers Distinguished Name from a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+**	"derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, 
+					    SECItem *derName);
+
+extern SECItem *
+CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
+		       PLArenaPool *arena);
+
+extern CERTGeneralName *
+CERT_DecodeGeneralName(PLArenaPool *reqArena, SECItem *encodedName,
+		       CERTGeneralName  *genName);
+
+
+
+/*
+** Generate a database search key for a certificate, based on the
+** issuer and serial number.
+**	"arena" the memory arena to alloc from
+**	"derCert" the DER encoded certificate
+**	"key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCert(PLArenaPool *reqArena, SECItem *derCert,
+                                     SECItem *key);
+
+extern SECStatus CERT_KeyFromIssuerAndSN(PLArenaPool *arena, SECItem *issuer,
+					 SECItem *sn, SECItem *key);
+
+extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, 
+						SECItem *derName);
+
+
+/*
+** Generate a database search key for a crl, based on the
+** issuer.
+**	"arena" the memory arena to alloc from
+**	"derCrl" the DER encoded crl
+**	"key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCrl(PLArenaPool *arena, SECItem *derCrl, SECItem *key);
+
+/*
+** Open the certificate database.  Use callback to get name of database.
+*/
+extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
+				 CERTDBNameFunc namecb, void *cbarg);
+
+/* Open the certificate database.  Use given filename for database. */
+extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
+					 char *certdbname, PRBool readOnly);
+
+/*
+** Open and initialize a cert database that is entirely in memory.  This
+** can be used when the permanent database can not be opened or created.
+*/
+extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
+
+/*
+** Extract the list of host names, host name patters, IP address strings
+** this cert is valid for.
+** This function does NOT return nicknames.
+** Type CERTCertNicknames is being used because it's a convenient 
+** data structure to carry a list of strings and its count.
+*/
+extern CERTCertNicknames *
+  CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert);
+
+/*
+** Check the hostname to make sure that it matches the shexp that
+** is given in the common name of the certificate.
+*/
+extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
+
+/*
+** Add a domain name to the list of names that the user has explicitly
+** allowed (despite cert name mismatches) for use with a server cert.
+*/
+extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
+
+/*
+** Decode a DER encoded certificate into an CERTCertificate structure
+**	"derSignedCert" is the DER encoded signed certificate
+**	"copyDER" is true if the DER should be copied, false if the
+**		existing copy should be referenced
+**	"nickname" is the nickname to use in the database.  If it is NULL
+**		then a temporary nickname is generated.
+*/
+extern CERTCertificate *
+CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
+/*
+** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
+**	"derSignedCrl" is the DER encoded signed crl/krl.
+**	"type" is this a CRL or KRL.
+*/
+#define SEC_CRL_TYPE	1
+#define SEC_KRL_TYPE	0
+
+extern CERTSignedCrl *
+CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
+
+/*
+ * same as CERT_DecodeDERCrl, plus allow options to be passed in
+ */
+
+extern CERTSignedCrl *
+CERT_DecodeDERCrlWithFlags(PLArenaPool *narena, SECItem *derSignedCrl,
+                          int type, PRInt32 options);
+
+/* CRL options to pass */
+
+#define CRL_DECODE_DEFAULT_OPTIONS          0x00000000
+
+/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
+   application must then keep derSignedCrl until it destroys the
+   CRL . Ideally, it should allocate derSignedCrl in an arena
+   and pass that arena in as the first argument to
+   CERT_DecodeDERCrlWithFlags */
+
+#define CRL_DECODE_DONT_COPY_DER            0x00000001
+#define CRL_DECODE_SKIP_ENTRIES             0x00000002
+#define CRL_DECODE_KEEP_BAD_CRL             0x00000004
+#define CRL_DECODE_ADOPT_HEAP_DER           0x00000008
+
+/* complete the decoding of a partially decoded CRL, ie. decode the
+   entries. Note that entries is an optional field in a CRL, so the
+   "entries" pointer in CERTCrlStr may still be NULL even after
+   function returns SECSuccess */
+
+extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
+
+/* Validate CRL then import it to the dbase.  If there is already a CRL with the
+ * same CA in the dbase, it will be replaced if derCRL is more up to date.  
+ * If the process successes, a CRL will be returned.  Otherwise, a NULL will 
+ * be returned. The caller should call PORT_GetError() for the exactly error 
+ * code.
+ */
+extern CERTSignedCrl *
+CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, 
+						int type, void * wincx);
+
+extern void CERT_DestroyCrl (CERTSignedCrl *crl);
+
+/* this is a hint to flush the CRL cache. crlKey is the DER subject of
+   the issuer (CA). */
+void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
+
+/* add the specified DER CRL object to the CRL cache. Doing so will allow
+   certificate verification functions (such as CERT_VerifyCertificate)
+   to automatically find and make use of this CRL object.
+   Once a CRL is added to the CRL cache, the application must hold on to
+   the object's memory, because the cache will reference it directly. The
+   application can only free the object after it calls CERT_UncacheCRL to
+   remove it from the CRL cache.
+*/
+SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
+
+/* remove a previously added CRL object from the CRL cache. It is OK
+   for the application to free the memory after a successful removal
+*/
+SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
+
+/*
+** Decode a certificate and put it into the temporary certificate database
+*/
+extern CERTCertificate *
+CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
+
+/*
+** Find a certificate in the database
+**	"key" is the database key to look for
+*/
+extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
+
+/*
+** Find a certificate in the database by name
+**	"name" is the distinguished name to look up
+*/
+extern CERTCertificate *
+CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
+
+/*
+** Find a certificate in the database by name
+**	"name" is the distinguished name to look up (in ascii)
+*/
+extern CERTCertificate *
+CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
+
+/*
+** Find a certificate in the database by name and keyid
+**	"name" is the distinguished name to look up
+**	"keyID" is the value of the subjectKeyID to match
+*/
+extern CERTCertificate *
+CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern CERTCertificate *
+CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a subject key ID
+**	"subjKeyID" is the subject Key ID to look for
+*/
+extern CERTCertificate *
+CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
+
+/*
+** Encode Certificate SKID (Subject Key ID) extension.
+**
+*/
+extern SECStatus 
+CERT_EncodeSubjectKeyID(PLArenaPool *arena, const SECItem* srcString,
+                        SECItem *encodedValue);
+
+/*
+** Find a certificate in the database by a nickname
+**	"nickname" is the ascii string nickname to look for
+*/
+extern CERTCertificate *
+CERT_FindCertByNickname (CERTCertDBHandle *handle, const char *nickname);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern CERTCertificate *
+CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
+
+/*
+** Find a certificate in the database by a email address
+**	"emailAddr" is the email address to look up
+*/
+CERTCertificate *
+CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
+
+/*
+** Find a certificate in the database by a email address or nickname
+**	"name" is the email address or nickname to look up
+*/
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name);
+
+/*
+** Find a certificate in the database by a digest of a subject public key
+**	"spkDigest" is the digest to look up
+*/
+extern CERTCertificate *
+CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
+
+/*
+ * Find the issuer of a cert
+ */
+CERTCertificate *
+CERT_FindCertIssuer(CERTCertificate *cert, PRTime validTime, SECCertUsage usage);
+
+/*
+** Check the validity times of a certificate vs. time 't', allowing
+** some slop for broken clocks and stuff.
+**	"cert" is the certificate to be checked
+**	"t" is the time to check against
+**	"allowOverride" if true then check to see if the invalidity has
+**		been overridden by the user.
+*/
+extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
+						    PRTime t,
+						    PRBool allowOverride);
+
+/*
+** WARNING - this function is deprecated, and will either go away or have
+**		a new API in the near future.
+**
+** Check the validity times of a certificate vs. the current time, allowing
+** some slop for broken clocks and stuff.
+**	"cert" is the certificate to be checked
+*/
+extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
+
+/*
+** Extract the validity times from a certificate
+**	"c" is the certificate
+**	"notBefore" is the start of the validity period
+**	"notAfter" is the end of the validity period
+*/
+extern SECStatus
+CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
+
+/*
+** Extract the issuer and serial number from a certificate
+*/
+extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PLArenaPool *, 
+							CERTCertificate *);
+
+/*
+** verify the signature of a signed data object with a given certificate
+**	"sd" the signed data object to be verified
+**	"cert" the certificate to use to check the signature
+*/
+extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
+				       CERTCertificate *cert,
+				       PRTime t,
+				       void *wincx);
+/*
+** verify the signature of a signed data object with the given DER publickey
+*/
+extern SECStatus
+CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
+                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
+                                       void *wincx);
+
+/*
+** verify the signature of a signed data object with a SECKEYPublicKey.
+*/
+extern SECStatus
+CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
+                                   SECKEYPublicKey *pubKey, void *wincx);
+
+/*
+** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+**	"cert" the certificate to verify
+**	"checkSig" only check signatures if true
+*/
+extern SECStatus
+CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertificateUsage requiredUsages,
+                PRTime t, void *wincx, CERTVerifyLog *log,
+                SECCertificateUsage* returnedUsages);
+
+/* same as above, but uses current time */
+extern SECStatus
+CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertificateUsage requiredUsages,
+                   void *wincx, SECCertificateUsage* returnedUsages);
+
+/*
+** Verify that a CA cert can certify some (unspecified) leaf cert for a given
+** purpose. This is used by UI code to help identify where a chain may be
+** broken and why. This takes identical parameters to CERT_VerifyCert
+*/
+extern SECStatus
+CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, PRTime t,
+		void *wincx, CERTVerifyLog *log);
+
+/*
+** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+**	"cert" the certificate to verify
+**	"checkSig" only check signatures if true
+*/
+extern SECStatus
+CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, PRTime t,
+		void *wincx, CERTVerifyLog *log);
+
+/* same as above, but uses current time */
+extern SECStatus
+CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertUsage certUsage, void *wincx);
+
+SECStatus
+CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     PRBool checkSig, SECCertUsage certUsage, PRTime t,
+		     void *wincx, CERTVerifyLog *log);
+
+/*
+** Read a base64 ascii encoded DER certificate and convert it to our
+** internal format.
+**	"certstr" is a null-terminated string containing the certificate
+*/
+extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
+
+/*
+** Read a certificate in some foreign format, and convert it to our
+** internal format.
+**	"certbuf" is the buffer containing the certificate
+**	"certlen" is the length of the buffer
+** NOTE - currently supports netscape base64 ascii encoded raw certs
+**  and netscape binary DER typed files.
+*/
+extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
+
+extern SECStatus
+CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
+
+extern SECStatus
+CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
+
+/*
+** Read a certificate chain in some foreign format, and pass it to a 
+** callback function.
+**	"certbuf" is the buffer containing the certificate
+**	"certlen" is the length of the buffer
+**	"f" is the callback function
+**	"arg" is the callback argument
+*/
+typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
+   (void *arg, SECItem **certs, int numcerts);
+
+extern SECStatus
+CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
+		       void *arg);
+
+/* 
+** Returns the value of an AVA.  This was a formerly static 
+** function that has been exposed due to the need to decode
+** and convert unicode strings to UTF8.  
+**
+** XXX This function resides in certhtml.c, should it be
+** moved elsewhere?
+*/
+extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
+
+
+
+/*
+** extract various element strings from a distinguished name.
+**	"name" the distinguished name
+*/
+
+extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
+
+extern char *CERT_GetCertEmailAddress(CERTName *name);
+
+extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
+
+extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, 
+                                             const char * prev);
+
+/* The return value must be freed with PORT_Free. */
+extern char *CERT_GetCommonName(CERTName *name);
+
+extern char *CERT_GetCountryName(CERTName *name);
+
+extern char *CERT_GetLocalityName(CERTName *name);
+
+extern char *CERT_GetStateName(CERTName *name);
+
+extern char *CERT_GetOrgName(CERTName *name);
+
+extern char *CERT_GetOrgUnitName(CERTName *name);
+
+extern char *CERT_GetDomainComponentName(CERTName *name);
+
+extern char *CERT_GetCertUid(CERTName *name);
+
+/* manipulate the trust parameters of a certificate */
+
+extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
+
+extern SECStatus
+CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
+		      CERTCertTrust *trust);
+
+extern SECStatus
+CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
+			    SECCertUsage usage);
+
+/*************************************************************************
+ *
+ * manipulate the extensions of a certificate
+ *
+ ************************************************************************/
+
+/*
+** Set up a cert for adding X509v3 extensions.  Returns an opaque handle
+** used by the next two routines.
+**	"cert" is the certificate we are adding extensions to
+*/
+extern void *CERT_StartCertExtensions(CERTCertificate *cert);
+
+/*
+** Add an extension to a certificate.
+**	"exthandle" is the handle returned by the previous function
+**	"idtag" is the integer tag for the OID that should ID this extension
+**	"value" is the value of the extension
+**	"critical" is the critical extension flag
+**	"copyData" is a flag indicating whether the value data should be
+**		copied.
+*/
+extern SECStatus CERT_AddExtension (void *exthandle, int idtag, 
+			SECItem *value, PRBool critical, PRBool copyData);
+
+extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
+			 SECItem *value, PRBool critical, PRBool copyData);
+
+extern SECStatus CERT_EncodeAndAddExtension
+   (void *exthandle, int idtag, void *value, PRBool critical,
+    const SEC_ASN1Template *atemplate);
+
+extern SECStatus CERT_EncodeAndAddBitStrExtension
+   (void *exthandle, int idtag, SECItem *value, PRBool critical);
+
+
+extern SECStatus
+CERT_EncodeAltNameExtension(PLArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
+
+
+/*
+** Finish adding cert extensions.  Does final processing on extension
+** data, putting it in the right format, and freeing any temporary
+** storage.
+**	"exthandle" is the handle used to add extensions to a certificate
+*/
+extern SECStatus CERT_FinishExtensions(void *exthandle);
+
+/*
+** Merge an external list of extensions into a cert's extension list, adding one
+** only when its OID matches none of the cert's existing extensions. Call this
+** immediately before calling CERT_FinishExtensions().
+*/
+SECStatus
+CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
+
+/* If the extension is found, return its criticality and value.
+** This allocate storage for the returning extension value.
+*/
+extern SECStatus CERT_GetExtenCriticality
+   (CERTCertExtension **extensions, int tag, PRBool *isCritical);
+
+extern void
+CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
+
+/****************************************************************************
+ *
+ * DER encode and decode extension values
+ *
+ ****************************************************************************/
+
+/* Encode the value of the basicConstraint extension.
+**	arena - where to allocate memory for the encoded value.
+**	value - extension value to encode
+**	encodedValue - output encoded value
+*/
+extern SECStatus CERT_EncodeBasicConstraintValue
+   (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
+
+/*
+** Encode the value of the authorityKeyIdentifier extension.
+*/
+extern SECStatus CERT_EncodeAuthKeyID
+   (PLArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
+
+/*
+** Encode the value of the crlDistributionPoints extension.
+*/
+extern SECStatus CERT_EncodeCRLDistributionPoints
+   (PLArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
+
+/*
+** Decodes a DER encoded basicConstaint extension value into a readable format
+**	value - decoded value
+**	encodedValue - value to decoded
+*/
+extern SECStatus CERT_DecodeBasicConstraintValue
+   (CERTBasicConstraints *value, SECItem *encodedValue);
+
+/* Decodes a DER encoded authorityKeyIdentifier extension value into a
+** readable format.
+**	arena - where to allocate memory for the decoded value
+**	encodedValue - value to be decoded
+**	Returns a CERTAuthKeyID structure which contains the decoded value
+*/
+extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
+			(PLArenaPool *arena, SECItem *encodedValue);
+
+
+/* Decodes a DER encoded crlDistributionPoints extension value into a 
+** readable format.
+**	arena - where to allocate memory for the decoded value
+**	der - value to be decoded
+**	Returns a CERTCrlDistributionPoints structure which contains the 
+**          decoded value
+*/
+extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
+   (PLArenaPool *arena, SECItem *der);
+
+/* Extract certain name type from a generalName */
+extern void *CERT_GetGeneralNameByType
+   (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
+
+
+extern CERTOidSequence *
+CERT_DecodeOidSequence(SECItem *seqItem);
+
+
+
+
+/****************************************************************************
+ *
+ * Find extension values of a certificate 
+ *
+ ***************************************************************************/
+
+extern SECStatus CERT_FindCertExtension
+   (CERTCertificate *cert, int tag, SECItem *value);
+
+extern SECStatus CERT_FindNSCertTypeExtension
+   (CERTCertificate *cert, SECItem *value);
+
+extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
+
+extern SECStatus CERT_FindIssuerCertExtension
+   (CERTCertificate *cert, int tag, SECItem *value);
+
+extern SECStatus CERT_FindCertExtensionByOID
+   (CERTCertificate *cert, SECItem *oid, SECItem *value);
+
+extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
+								int catag);
+
+/* Returns the decoded value of the authKeyID extension.
+**   Note that this uses passed in the arena to allocate storage for the result
+*/
+extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
+
+/* Returns the decoded value of the basicConstraint extension.
+ */
+extern SECStatus CERT_FindBasicConstraintExten
+   (CERTCertificate *cert, CERTBasicConstraints *value);
+
+/* Returns the decoded value of the crlDistributionPoints extension.
+**  Note that the arena in cert is used to allocate storage for the result
+*/
+extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
+   (CERTCertificate *cert);
+
+/* Returns value of the keyUsage extension.  This uses PR_Alloc to allocate 
+** buffer for the decoded value. The caller should free up the storage 
+** allocated in value->data.
+*/
+extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, 
+							SECItem *value);
+
+/* Return the decoded value of the subjectKeyID extension. The caller should 
+** free up the storage allocated in retItem->data.
+*/
+extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, 
+							   SECItem *retItem);
+
+/*
+** If cert is a v3 certificate, and a critical keyUsage extension is included,
+** then check the usage against the extension value.  If a non-critical 
+** keyUsage extension is included, this will return SECSuccess without 
+** checking, since the extension is an advisory field, not a restriction.  
+** If cert is not a v3 certificate, this will return SECSuccess.
+**	cert - certificate
+**	usage - one of the x.509 v3 the Key Usage Extension flags
+*/
+extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, 
+							unsigned char usage);
+
+/****************************************************************************
+ *
+ *  CRL v2 Extensions supported routines
+ *
+ ****************************************************************************/
+
+extern SECStatus CERT_FindCRLExtensionByOID
+   (CERTCrl *crl, SECItem *oid, SECItem *value);
+
+extern SECStatus CERT_FindCRLExtension
+   (CERTCrl *crl, int tag, SECItem *value);
+
+extern SECStatus
+   CERT_FindInvalidDateExten (CERTCrl *crl, PRTime *value);
+
+/*
+** Set up a crl for adding X509v3 extensions.  Returns an opaque handle
+** used by routines that take an exthandle (void*) argument .
+**	"crl" is the CRL we are adding extensions to
+*/
+extern void *CERT_StartCRLExtensions(CERTCrl *crl);
+
+/*
+** Set up a crl entry for adding X509v3 extensions.  Returns an opaque handle
+** used by routines that take an exthandle (void*) argument .
+**	"crl" is the crl we are adding certs entries to
+**      "entry" is the crl entry we are adding extensions to
+*/
+extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
+
+extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
+						 int what, void *wincx);
+
+/*
+** Finds the crlNumber extension and decodes its value into 'value'
+*/
+extern SECStatus CERT_FindCRLNumberExten (PLArenaPool *arena, CERTCrl *crl,
+                                          SECItem *value);
+
+extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
+					       CERTCRLEntryReasonCode *value);
+
+extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
+
+extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
+
+extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
+							 CERTCertificate *c2);
+
+/*
+** Generate an array of the Distinguished Names that the given cert database
+** "trusts"
+*/
+extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
+
+extern void CERT_FreeDistNames(CERTDistNames *names);
+
+/*
+** Generate an array of Distinguished names from an array of nicknames
+*/
+extern CERTDistNames *CERT_DistNamesFromNicknames
+   (CERTCertDBHandle *handle, char **nicknames, int nnames);
+
+/*
+** Generate a certificate chain from a certificate.
+*/
+extern CERTCertificateList *
+CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
+		       PRBool includeRoot);
+
+extern CERTCertificateList *
+CERT_CertListFromCert(CERTCertificate *cert);
+
+extern CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList);
+
+extern void CERT_DestroyCertificateList(CERTCertificateList *list);
+
+/*
+** is cert a user cert? i.e. does it have CERTDB_USER trust,
+** i.e. a private key?
+*/
+PRBool CERT_IsUserCert(CERTCertificate* cert);
+
+/* is cert a newer than cert b? */
+PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
+
+/* currently a stub for address book */
+PRBool
+CERT_IsCertRevoked(CERTCertificate *cert);
+
+void
+CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
+
+/* convert an email address to lower case */
+char *CERT_FixupEmailAddr(const char *emailAddr);
+
+/* decode string representation of trust flags into trust struct */
+SECStatus
+CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts);
+
+/* encode trust struct into string representation of trust flags */
+char *
+CERT_EncodeTrustString(CERTCertTrust *trust);
+
+/* find the next or prev cert in a subject list */
+CERTCertificate *
+CERT_PrevSubjectCert(CERTCertificate *cert);
+CERTCertificate *
+CERT_NextSubjectCert(CERTCertificate *cert);
+
+/*
+ * import a collection of certs into the temporary or permanent cert
+ * database
+ */
+SECStatus
+CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
+		 unsigned int ncerts, SECItem **derCerts,
+		 CERTCertificate ***retCerts, PRBool keepCerts,
+		 PRBool caOnly, char *nickname);
+
+char *
+CERT_MakeCANickname(CERTCertificate *cert);
+
+PRBool
+CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
+
+PRBool
+CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
+
+PRBool
+CERT_IsRootDERCert(SECItem *derCert);
+
+SECStatus
+CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+		      SECItem *profileTime);
+
+/*
+ * find the smime symmetric capabilities profile for a given cert
+ */
+SECItem *
+CERT_FindSMimeProfile(CERTCertificate *cert);
+
+SECStatus
+CERT_AddNewCerts(CERTCertDBHandle *handle);
+
+CERTCertificatePolicies *
+CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
+
+void
+CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
+
+CERTCertificatePolicyMappings *
+CERT_DecodePolicyMappingsExtension(SECItem *encodedCertPolicyMaps);
+
+SECStatus
+CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings);
+
+SECStatus
+CERT_DecodePolicyConstraintsExtension(
+    CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue);
+
+SECStatus CERT_DecodeInhibitAnyExtension
+    (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue);
+
+CERTUserNotice *
+CERT_DecodeUserNotice(SECItem *noticeItem);
+
+extern CERTGeneralName *
+CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName);
+
+extern CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, 
+                                    SECItem *encodedConstraints);
+
+/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
+extern CERTAuthInfoAccess **
+CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena,
+				   SECItem     *encodedExtension);
+
+extern CERTPrivKeyUsagePeriod *
+CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
+
+extern CERTGeneralName *
+CERT_GetNextGeneralName(CERTGeneralName *current);
+
+extern CERTGeneralName *
+CERT_GetPrevGeneralName(CERTGeneralName *current);
+
+CERTNameConstraint *
+CERT_GetNextNameConstraint(CERTNameConstraint *current);
+
+CERTNameConstraint *
+CERT_GetPrevNameConstraint(CERTNameConstraint *current);
+
+void
+CERT_DestroyUserNotice(CERTUserNotice *userNotice);
+
+typedef char * (* CERTPolicyStringCallback)(char *org,
+					       unsigned long noticeNumber,
+					       void *arg);
+void
+CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
+
+char *
+CERT_GetCertCommentString(CERTCertificate *cert);
+
+PRBool
+CERT_GovtApprovedBitSet(CERTCertificate *cert);
+
+SECStatus
+CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
+
+CERTCertList *
+CERT_MatchUserCert(CERTCertDBHandle *handle,
+		   SECCertUsage usage,
+		   int nCANames, char **caNames,
+		   void *proto_win);
+
+CERTCertList *
+CERT_NewCertList(void);
+
+void
+CERT_DestroyCertList(CERTCertList *certs);
+
+/* remove the node and free the cert */
+void
+CERT_RemoveCertListNode(CERTCertListNode *node);
+
+SECStatus
+CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
+
+SECStatus
+CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
+
+SECStatus
+CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
+							 void *appData);
+
+SECStatus
+CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
+							 void *appData);
+
+typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
+				    CERTCertificate *certb,
+				    void *arg);
+SECStatus
+CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
+			 CERTSortCallback f, void *arg);
+
+/* callback for CERT_AddCertToListSorted that sorts based on validity
+ * period and a given time.
+ */
+PRBool
+CERT_SortCBValidity(CERTCertificate *certa,
+		    CERTCertificate *certb,
+		    void *arg);
+
+SECStatus
+CERT_CheckForEvilCert(CERTCertificate *cert);
+
+CERTGeneralName *
+CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena);
+
+char *
+CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
+
+/*
+ * Creates or adds to a list of all certs with a give subject name, sorted by
+ * validity time, newest first.  Invalid certs are considered older than
+ * valid certs. If validOnly is set, do not include invalid certs on list.
+ */
+CERTCertList *
+CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			   SECItem *name, PRTime sorttime, PRBool validOnly);
+
+/*
+ * remove certs from a list that don't have keyUsage and certType
+ * that match the given usage.
+ */
+SECStatus
+CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
+			   PRBool ca);
+
+/*
+ * check the key usage of a cert against a set of required values
+ */
+SECStatus
+CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
+
+/*
+ * return required key usage and cert type based on cert usage
+ */
+SECStatus
+CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
+				 PRBool ca,
+				 unsigned int *retKeyUsage,
+				 unsigned int *retCertType);
+/*
+ * return required trust flags for various cert usages for CAs
+ */
+SECStatus
+CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
+			      unsigned int *retFlags,
+			      SECTrustType *retTrustType);
+
+/*
+ * Find all user certificates that match the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"usage" - certificate usage to match
+ *	"oneCertPerName" - if set then only return the "best" cert per
+ *			name
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertList *
+CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
+			  SECCertUsage usage,
+			  PRBool oneCertPerName,
+			  PRBool validOnly,
+			  void *proto_win);
+
+/*
+ * Find a user certificate that matchs the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"nickname" - nickname to match
+ *	"usage" - certificate usage to match
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertificate *
+CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
+			 const char *nickname,
+			 SECCertUsage usage,
+			 PRBool validOnly,
+			 void *proto_win);
+
+/*
+ * Filter a list of certificates, removing those certs that do not have
+ * one of the named CA certs somewhere in their cert chain.
+ *
+ *	"certList" - the list of certificates to filter
+ *	"nCANames" - number of CA names
+ *	"caNames" - array of CA names in string(rfc 1485) form
+ *	"usage" - what use the certs are for, this is used when
+ *		selecting CA certs
+ */
+SECStatus
+CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
+			     char **caNames, SECCertUsage usage);
+
+/*
+ * Filter a list of certificates, removing those certs that aren't user certs
+ */
+SECStatus
+CERT_FilterCertListForUserCerts(CERTCertList *certList);
+
+/*
+ * Collect the nicknames from all certs in a CertList.  If the cert is not
+ * valid, append a string to that nickname.
+ *
+ * "certList" - the list of certificates
+ * "expiredString" - the string to append to the nickname of any expired cert
+ * "notYetGoodString" - the string to append to the nickname of any cert
+ *		that is not yet valid
+ */
+CERTCertNicknames *
+CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
+				 char *notYetGoodString);
+
+/*
+ * Extract the nickname from a nickmake string that may have either
+ * expiredString or notYetGoodString appended.
+ *
+ * Args:
+ *	"namestring" - the string containing the nickname, and possibly
+ *		one of the validity label strings
+ *	"expiredString" - the expired validity label string
+ *	"notYetGoodString" - the not yet good validity label string
+ *
+ * Returns the raw nickname
+ */
+char *
+CERT_ExtractNicknameString(char *namestring, char *expiredString,
+			   char *notYetGoodString);
+
+/*
+ * Given a certificate, return a string containing the nickname, and possibly
+ * one of the validity strings, based on the current validity state of the
+ * certificate.
+ *
+ * "arena" - arena to allocate returned string from.  If NULL, then heap
+ *	is used.
+ * "cert" - the cert to get nickname from
+ * "expiredString" - the string to append to the nickname if the cert is
+ *		expired.
+ * "notYetGoodString" - the string to append to the nickname if the cert is
+ *		not yet good.
+ */
+char *
+CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
+				 char *expiredString, char *notYetGoodString);
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *
+CERT_DerNameToAscii(SECItem *dername);
+
+/*
+ * Supported usage values and types:
+ *	certUsageSSLClient
+ *	certUsageSSLServer
+ *	certUsageSSLServerWithStepUp
+ *	certUsageEmailSigner
+ *	certUsageEmailRecipient
+ *	certUsageObjectSigner
+ */
+
+CERTCertificate *
+CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
+		      CERTCertOwner owner, SECCertUsage usage,
+		      PRBool preferTrusted, PRTime validTime, PRBool validOnly);
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ *	adding or deleting a cert to either the temp or perm databases
+ *	converting a temp to perm or perm to temp
+ *	changing(maybe just adding?) the trust of a cert
+ *	adjusting the reference count of a cert
+ */
+void
+CERT_LockDB(CERTCertDBHandle *handle);
+
+/*
+ * Free the global cert database lock.
+ */
+void
+CERT_UnlockDB(CERTCertDBHandle *handle);
+
+/*
+ * Get the certificate status checking configuratino data for
+ * the certificate database
+ */
+CERTStatusConfig *
+CERT_GetStatusConfig(CERTCertDBHandle *handle);
+
+/*
+ * Set the certificate status checking information for the
+ * database.  The input structure becomes part of the certificate
+ * database and will be freed by calling the 'Destroy' function in
+ * the configuration object.
+ */
+void
+CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
+
+
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Free the cert reference count lock
+ */
+void
+CERT_UnlockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertTrust(CERTCertificate *cert);
+
+/*
+ * Free the cert trust lock
+ */
+void
+CERT_UnlockCertTrust(CERTCertificate *cert);
+
+/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * The necessary storage for the digest data is allocated.  If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */ 
+extern SECItem *
+CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                   SECOidTag digestAlg, SECItem *fill);
+
+
+SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
+                        SECItem* dp, PRTime t, void* wincx);
+
+
+/*
+ * Add a CERTNameConstraint to the CERTNameConstraint list
+ */
+extern CERTNameConstraint *
+CERT_AddNameConstraint(CERTNameConstraint *list, 
+		       CERTNameConstraint *constraint);
+
+/*
+ * Allocate space and copy CERTNameConstraint from src to dest.
+ * Arena is used to allocate result(if dest eq NULL) and its members
+ * SECItem data.
+ */
+extern CERTNameConstraint *
+CERT_CopyNameConstraint(PLArenaPool         *arena, 
+			CERTNameConstraint  *dest, 
+			CERTNameConstraint  *src);
+
+/*
+ * Verify name against all the constraints relevant to that type of
+ * the name.
+ */
+extern SECStatus
+CERT_CheckNameSpace(PLArenaPool          *arena,
+		    CERTNameConstraints  *constraints,
+		    CERTGeneralName      *currentName);
+
+/*
+ * Extract and allocate the name constraints extension from the CA cert.
+ */
+extern SECStatus
+CERT_FindNameConstraintsExten(PLArenaPool      *arena,
+			      CERTCertificate  *cert,
+			      CERTNameConstraints **constraints);
+
+/*
+ * Initialize a new GERTGeneralName fields (link)
+ */
+extern CERTGeneralName *
+CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type);
+
+/*
+ * PKIX extension encoding routines
+ */
+extern SECStatus
+CERT_EncodePolicyConstraintsExtension(PLArenaPool *arena,
+                                      CERTCertificatePolicyConstraints *constr,
+                                      SECItem *dest);
+extern SECStatus
+CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
+                               CERTCertificateInhibitAny *inhibitAny,
+                               SECItem *dest);
+extern SECStatus
+CERT_EncodePolicyMappingExtension(PLArenaPool *arena,
+                                  CERTCertificatePolicyMappings *maps,
+                                  SECItem *dest);
+
+extern SECStatus CERT_EncodeInfoAccessExtension(PLArenaPool *arena,
+                                                    CERTAuthInfoAccess **info,
+                                                    SECItem *dest);
+extern SECStatus
+CERT_EncodeUserNotice(PLArenaPool *arena,
+                      CERTUserNotice *notice,
+                      SECItem *dest);
+
+extern SECStatus
+CERT_EncodeDisplayText(PLArenaPool *arena,
+                       SECItem *text,
+                       SECItem *dest);
+
+extern SECStatus
+CERT_EncodeCertPoliciesExtension(PLArenaPool *arena,
+                                 CERTPolicyInfo **info,
+                                 SECItem *dest);
+extern SECStatus
+CERT_EncodeNoticeReference(PLArenaPool *arena,
+                           CERTNoticeReference *reference,
+                           SECItem *dest);
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags*
+CERT_GetPKIXVerifyNistRevocationPolicy();
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPEnabledSoftFailurePolicy();
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPEnabledHardFailurePolicy();
+
+/*
+ * Returns a pointer to a static structure.
+ */
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPDisabledPolicy();
+
+/*
+ * Verify a Cert with libpkix
+ *  paramsIn control the verification options. If a value isn't specified
+ *   in paramsIn, it reverts to the application default.
+ *  paramsOut specifies the parameters the caller would like to get back.
+ *   the caller may pass NULL, in which case no parameters are returned.
+ */
+extern SECStatus CERT_PKIXVerifyCert(
+	CERTCertificate *cert,
+	SECCertificateUsage usages,
+	CERTValInParam *paramsIn,
+	CERTValOutParam *paramsOut,
+	void *wincx);
+/*
+ * This function changes the application defaults for the Verify function.
+ * It should be called once at app initialization time, and only changes
+ * if the default configuration changes.
+ *
+ * This changes the default values for the parameters specified. These
+ * defaults can be overridden in CERT_PKIXVerifyCert() by explicitly 
+ * setting the value in paramsIn.
+ */
+extern SECStatus CERT_PKIXSetDefaults(CERTValInParam *paramsIn);
+
+/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
+ * to use libpkix validation engine. The function should be called ones at
+ * application initialization time.
+ * Function is not thread safe.*/
+SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
+
+/* The function return PR_TRUE if cert validation should use
+ * libpkix cert validation engine. */
+PRBool CERT_GetUsePKIXForValidation();
+
+SEC_END_PROTOS
+
+#endif /* _CERT_H_ */
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
new file mode 100644
index 000000000..076dbd617
--- /dev/null
+++ b/security/nss/lib/certdb/certdb.c
@@ -0,0 +1,3198 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *    Aaron Spangler <aaron@spangler.ods.org>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Certificate handling code
+ *
+ * $Id$
+ */
+
+#include "nssilock.h"
+#include "prmon.h"
+#include "prtime.h"
+#include "cert.h"
+#include "certi.h"
+#include "secder.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "genname.h"
+#include "keyhi.h"
+#include "secitem.h"
+#include "mcom_db.h"
+#include "certdb.h"
+#include "prprf.h"
+#include "sechash.h"
+#include "prlong.h"
+#include "certxutl.h"
+#include "portreg.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "pk11func.h"
+#include "xconst.h"   /* for  CERT_DecodeAltNameExtension */
+
+#include "pki.h"
+#include "pki3hack.h"
+
+SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_SkipTemplate)
+
+/*
+ * Certificate database handling code
+ */
+
+
+const SEC_ASN1Template CERT_CertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(CERTCertExtension,critical) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate }
+};
+
+const SEC_ASN1Template CERT_TimeChoiceTemplate[] = {
+  { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
+  { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime },
+  { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime },
+  { 0 }
+};
+
+const SEC_ASN1Template CERT_ValidityTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTValidity) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+          offsetof(CERTValidity,notBefore),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+          offsetof(CERTValidity,notAfter),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate), 0 },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CertificateTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTCertificate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, /* XXX DER_DEFAULT */ 
+	  offsetof(CERTCertificate,version),
+	  SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificate,serialNumber) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCertificate,signature),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_SAVE, 
+	  offsetof(CERTCertificate,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,validity),
+	  CERT_ValidityTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCertificate,derSubject) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,subject),
+	  CERT_NameTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCertificate,derPublicKey) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,subjectPublicKeyInfo),
+	  CERT_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_OPTIONAL |  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	  offsetof(CERTCertificate,issuerID),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { SEC_ASN1_OPTIONAL |  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+	  offsetof(CERTCertificate,subjectID),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 3,
+	  offsetof(CERTCertificate,extensions),
+	  CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_SignedCertificateTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertificate) },
+    { SEC_ASN1_SAVE, 
+	  offsetof(CERTCertificate,signatureWrap.data) },
+    { SEC_ASN1_INLINE, 
+	  0, CERT_CertificateTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCertificate,signatureWrap.signatureAlgorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTCertificate,signatureWrap.signature) },
+    { 0 }
+};
+
+/*
+ * Find the subjectName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertSubjectTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  0, SEC_ASN1_SUB(SEC_SkipTemplate) },	/* version */
+    { SEC_ASN1_SKIP },		/* serial number */
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_SKIP },		/* issuer */
+    { SEC_ASN1_SKIP },		/* validity */
+    { SEC_ASN1_ANY, 0, NULL },		/* subject */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+/*
+ * Find the issuerName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertIssuerTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  0, SEC_ASN1_SUB(SEC_SkipTemplate) },	/* version */
+    { SEC_ASN1_SKIP },		/* serial number */
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY, 0, NULL },		/* issuer */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+/*
+ * Find the subjectName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  0, SEC_ASN1_SUB(SEC_SkipTemplate) },	/* version */
+    { SEC_ASN1_ANY, 0, NULL }, /* serial number */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+/*
+ * Find the issuer and serialNumber in a DER encoded certificate.
+ * This data is used as the database lookup key since its the unique
+ * identifier of a certificate.
+ */
+const SEC_ASN1Template CERT_CertKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertKey) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  0, SEC_ASN1_SUB(SEC_SkipTemplate) },	/* version */ 
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertKey,serialNumber) },
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY,
+	  offsetof(CERTCertKey,derIssuer) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate)
+
+SECStatus
+CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
+			SECItem *key)
+{
+    key->len = sn->len + issuer->len;
+
+    if ((sn->data == NULL) || (issuer->data == NULL)) {
+	goto loser;
+    }
+    
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+/*
+ * Extract the subject name from a DER certificate
+ */
+SECStatus
+CERT_NameFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+SECStatus
+CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+SECStatus
+CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+CERT_KeyFromDERCert(PRArenaPool *reqArena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    CERTSignedData sd;
+    CERTCertKey certkey;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_QuickDERDecodeItem(reqArena, &sd, CERT_SignedDataTemplate,
+                                derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
+    rv = SEC_QuickDERDecodeItem(reqArena, &certkey, CERT_CertKeyTemplate,
+                                &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(CERT_KeyFromIssuerAndSN(reqArena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
+
+/*
+ * fill in keyUsage field of the cert based on the cert extension
+ * if the extension is not critical, then we allow all uses
+ */
+static SECStatus
+GetKeyUsage(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem tmpitem;
+    
+    rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
+    if ( rv == SECSuccess ) {
+	/* remember the actual value of the extension */
+	cert->rawKeyUsage = tmpitem.data[0];
+	cert->keyUsagePresent = PR_TRUE;
+	cert->keyUsage = tmpitem.data[0];
+
+	PORT_Free(tmpitem.data);
+	tmpitem.data = NULL;
+	
+    } else {
+	/* if the extension is not present, then we allow all uses */
+	cert->keyUsage = KU_ALL;
+	cert->rawKeyUsage = KU_ALL;
+	cert->keyUsagePresent = PR_FALSE;
+    }
+
+    if ( CERT_GovtApprovedBitSet(cert) ) {
+	cert->keyUsage |= KU_NS_GOVT_APPROVED;
+	cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
+    }
+    
+    return(SECSuccess);
+}
+
+
+/*
+ * determine if a fortezza V1 Cert is a CA or not.
+ */
+static PRBool
+fortezzaIsCA( CERTCertificate *cert) {
+    PRBool isCA = PR_FALSE;
+    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
+    int tag;
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
+       (tag == SEC_OID_MISSI_KEA_DSS) ||
+       (tag == SEC_OID_MISSI_DSS_OLD) ||
+       (tag == SEC_OID_MISSI_DSS) ) {
+	SECItem rawkey;
+	unsigned char *rawptr;
+	unsigned char *end;
+	int len;
+
+	rawkey = spki->subjectPublicKey;
+	DER_ConvertBitString(&rawkey);
+	rawptr = rawkey.data;
+	end = rawkey.data + rawkey.len;
+
+	/* version */	
+	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
+
+	/* clearance (the string up to the first byte with the hi-bit on */
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return PR_FALSE; }
+
+	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return PR_FALSE; }
+
+	/* skip the key */
+	len = (*rawptr << 8) | rawptr[1];
+	rawptr += 2 + len;
+
+	/* shared key */
+	if (rawptr >= end) { return PR_FALSE; }
+	/* DSS Version is next */
+	rawptr += 2;
+
+	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
+	if (*rawptr & 0x30) isCA = PR_TRUE;
+	
+   }
+   return isCA;
+}
+
+static SECStatus
+findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
+{
+    SECItem **oids;
+    SECItem *oid;
+    SECStatus rv = SECFailure;
+    
+    if (seq != NULL) {
+	oids = seq->oids;
+	while (oids != NULL && *oids != NULL) {
+	    oid = *oids;
+	    if (SECOID_FindOIDTag(oid) == tagnum) {
+		rv = SECSuccess;
+		break;
+	    }
+	    oids++;
+	}
+    }
+    return rv;
+}
+
+/*
+ * fill in nsCertType field of the cert based on the cert extension
+ */
+SECStatus
+cert_GetCertType(CERTCertificate *cert)
+{
+    PRUint32 nsCertType;
+
+    if (cert->nsCertType) {
+        /* once set, no need to recalculate */
+        return SECSuccess;
+    }
+    nsCertType = cert_ComputeCertType(cert);
+
+    /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */
+    PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32));
+    PR_AtomicSet((PRInt32 *)&cert->nsCertType, nsCertType);
+    return SECSuccess;
+}
+
+PRUint32
+cert_ComputeCertType(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem tmpitem;
+    SECItem encodedExtKeyUsage;
+    CERTOidSequence *extKeyUsage = NULL;
+    PRBool basicConstraintPresent = PR_FALSE;
+    CERTBasicConstraints basicConstraint;
+    PRUint32 nsCertType = 0;
+
+    tmpitem.data = NULL;
+    CERT_FindNSCertTypeExtension(cert, &tmpitem);
+    encodedExtKeyUsage.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, 
+				&encodedExtKeyUsage);
+    if (rv == SECSuccess) {
+	extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+    }
+    rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
+    if (rv == SECSuccess) {
+	basicConstraintPresent = PR_TRUE;
+    }
+    if (tmpitem.data != NULL || extKeyUsage != NULL) {
+	if (tmpitem.data == NULL) {
+	    nsCertType = 0;
+	} else {
+	    nsCertType = tmpitem.data[0];
+	}
+
+	/* free tmpitem data pointer to avoid memory leak */
+	PORT_Free(tmpitem.data);
+	tmpitem.data = NULL;
+	
+	/*
+	 * for this release, we will allow SSL certs with an email address
+	 * to be used for email
+	 */
+	if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
+	    cert->emailAddr && cert->emailAddr[0]) {
+	    nsCertType |= NS_CERT_TYPE_EMAIL;
+	}
+	/*
+	 * for this release, we will allow SSL intermediate CAs to be
+	 * email intermediate CAs too.
+	 */
+	if ( nsCertType & NS_CERT_TYPE_SSL_CA ) {
+	    nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	}
+	/*
+	 * allow a cert with the extended key usage of EMail Protect
+	 * to be used for email or as an email CA, if basic constraints
+	 * indicates that it is a CA.
+	 */
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
+	    SECSuccess) {
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_EMAIL;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+	    }
+	}
+	/* Treat certs with step-up OID as also having SSL server type. */
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
+	    SECSuccess) {
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	    } else {
+		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
+	    SECSuccess) {
+	    nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_OCSP_RESPONDER) == 
+	    SECSuccess) {
+	    nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	}
+    } else {
+	/* If no NS Cert Type extension and no EKU extension, then */
+	nsCertType = 0;
+	if (CERT_IsCACert(cert, &nsCertType))
+	    nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	/* if the basic constraint extension says the cert is a CA, then
+	   allow SSL CA and EMAIL CA and Status Responder */
+	if (basicConstraintPresent && basicConstraint.isCA ) {
+	    nsCertType |= (NS_CERT_TYPE_SSL_CA   |
+		           NS_CERT_TYPE_EMAIL_CA |
+		           EXT_KEY_USAGE_STATUS_RESPONDER);
+	}
+	/* allow any ssl or email (no ca or object signing. */
+	nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
+	              NS_CERT_TYPE_EMAIL;
+
+	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
+	if (fortezzaIsCA(cert)) {
+		nsCertType |= NS_CERT_TYPE_SSL_CA;
+		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	}
+    }
+
+    if (encodedExtKeyUsage.data != NULL) {
+	PORT_Free(encodedExtKeyUsage.data);
+    }
+    if (extKeyUsage != NULL) {
+	CERT_DestroyOidSequence(extKeyUsage);
+    }
+    return nsCertType;
+}
+
+/*
+ * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
+ */
+SECStatus
+cert_GetKeyID(CERTCertificate *cert)
+{
+    SECItem tmpitem;
+    SECStatus rv;
+    SECKEYPublicKey *key;
+    
+    cert->subjectKeyID.len = 0;
+
+    /* see of the cert has a key identifier extension */
+    rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
+    if ( rv == SECSuccess ) {
+	cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
+	if ( cert->subjectKeyID.data != NULL ) {
+	    PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
+	    cert->subjectKeyID.len = tmpitem.len;
+	    cert->keyIDGenerated = PR_FALSE;
+	}
+	
+	PORT_Free(tmpitem.data);
+    }
+    
+    /* if the cert doesn't have a key identifier extension and the cert is
+     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
+     * key identifier.  */
+    key = CERT_KMIDPublicKey(cert);
+
+    if (key != NULL) {
+	
+	if (key->keyType == fortezzaKey) {
+
+	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
+	    if ( cert->subjectKeyID.data != NULL ) {
+		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
+		cert->subjectKeyID.len = 8;
+		cert->keyIDGenerated = PR_FALSE;
+	    }
+	}
+		
+	SECKEY_DestroyPublicKey(key);
+    }
+
+    /* if the cert doesn't have a key identifier extension, then generate one*/
+    if ( cert->subjectKeyID.len == 0 ) {
+	/*
+	 * pkix says that if the subjectKeyID is not present, then we should
+	 * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
+	 */
+	cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
+	if ( cert->subjectKeyID.data != NULL ) {
+	    rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data,
+			      cert->derPublicKey.data,
+			      cert->derPublicKey.len);
+	    if ( rv == SECSuccess ) {
+		cert->subjectKeyID.len = SHA1_LENGTH;
+	    }
+	}
+    }
+
+    if ( cert->subjectKeyID.len == 0 ) {
+	return(SECFailure);
+    }
+    return(SECSuccess);
+
+}
+
+static PRBool
+cert_IsRootCert(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem tmpitem;
+
+    /* cache the authKeyID extension, if present */
+    cert->authKeyID = CERT_FindAuthKeyIDExten(cert->arena, cert);
+
+    /* it MUST be self-issued to be a root */
+    if (cert->derIssuer.len == 0 ||
+        !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject))
+    {
+	return PR_FALSE;
+    }
+
+    /* check the authKeyID extension */
+    if (cert->authKeyID) {
+	/* authority key identifier is present */
+	if (cert->authKeyID->keyID.len > 0) {
+	    /* the keyIdentifier field is set, look for subjectKeyID */
+	    rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
+	    if (rv == SECSuccess) {
+		PRBool match;
+		/* also present, they MUST match for it to be a root */
+		match = SECITEM_ItemsAreEqual(&cert->authKeyID->keyID,
+		                              &tmpitem);
+		PORT_Free(tmpitem.data);
+		if (!match) return PR_FALSE; /* else fall through */
+	    } else {
+		/* the subject key ID is required when AKI is present */
+		return PR_FALSE;
+	    }
+	}
+	if (cert->authKeyID->authCertIssuer) {
+	    SECItem *caName;
+	    caName = (SECItem *)CERT_GetGeneralNameByType(
+	                                  cert->authKeyID->authCertIssuer,
+	                                  certDirectoryName, PR_TRUE);
+	    if (caName) {
+		if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) {
+		    return PR_FALSE;
+		} /* else fall through */
+	    } /* else ??? could not get general name as directory name? */
+	}
+	if (cert->authKeyID->authCertSerialNumber.len > 0) {
+	    if (!SECITEM_ItemsAreEqual(&cert->serialNumber,
+	                         &cert->authKeyID->authCertSerialNumber)) {
+		return PR_FALSE;
+	    } /* else fall through */
+	}
+	/* all of the AKI fields that were present passed the test */
+	return PR_TRUE;
+    }
+    /* else the AKI was not present, so this is a root */
+    return PR_TRUE;
+}
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+CERTCertificate *
+CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    CERTCertificate *cert;
+    PRArenaPool *arena;
+    void *data;
+    int rv;
+    int len;
+    char *tmpname;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return 0;
+    }
+
+    /* allocate the certificate structure */
+    cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+    cert->arena = arena;
+    
+    if ( copyDER ) {
+	/* copy the DER data for the cert into this arena */
+	data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
+	if ( !data ) {
+	    goto loser;
+	}
+	cert->derCert.data = (unsigned char *)data;
+	cert->derCert.len = derSignedCert->len;
+	PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
+    } else {
+	/* point to passed in DER data */
+	cert->derCert = *derSignedCert;
+    }
+
+    /* decode the certificate info */
+    rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
+		    &cert->derCert);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) {
+        cert->options.bits.hasUnsupportedCriticalExt = PR_TRUE;
+    }
+
+    /* generate and save the database key for the cert */
+    rv = CERT_KeyFromIssuerAndSN(arena, &cert->derIssuer, &cert->serialNumber,
+			&cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	len = PORT_Strlen(nickname) + 1;
+	cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
+	if ( cert->nickname == NULL ) {
+	    goto loser;
+	}
+
+	PORT_Memcpy(cert->nickname, nickname, len);
+    }
+
+    /* set the email address */
+    cert->emailAddr = cert_GetCertificateEmailAddresses(cert);
+    
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize keyUsage */
+    rv = GetKeyUsage(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the certType */
+    rv = cert_GetCertType(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* determine if this is a root cert */
+    cert->isRoot = cert_IsRootCert(cert);
+
+    tmpname = CERT_NameToAscii(&cert->subject);
+    if ( tmpname != NULL ) {
+	cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+    
+    tmpname = CERT_NameToAscii(&cert->issuer);
+    if ( tmpname != NULL ) {
+	cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+    
+    cert->referenceCount = 1;
+    cert->slot = NULL;
+    cert->pkcs11ID = CK_INVALID_HANDLE;
+    cert->dbnickname = NULL;
+    
+    return(cert);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+CERTCertificate *
+__CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname);
+}
+
+
+CERTValidity *
+CERT_CreateValidity(int64 notBefore, int64 notAfter)
+{
+    CERTValidity *v;
+    int rv;
+    PRArenaPool *arena;
+
+    if (notBefore > notAfter) {
+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
+       return NULL;
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return(0);
+    }
+    
+    v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
+    if (v) {
+	v->arena = arena;
+	rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore);
+	if (rv) goto loser;
+	rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter);
+	if (rv) goto loser;
+    }
+    return v;
+
+  loser:
+    CERT_DestroyValidity(v);
+    return 0;
+}
+
+SECStatus
+CERT_CopyValidity(PRArenaPool *arena, CERTValidity *to, CERTValidity *from)
+{
+    SECStatus rv;
+
+    CERT_DestroyValidity(to);
+    to->arena = arena;
+    
+    rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore);
+    if (rv) return rv;
+    rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter);
+    return rv;
+}
+
+void
+CERT_DestroyValidity(CERTValidity *v)
+{
+    if (v && v->arena) {
+	PORT_FreeArena(v->arena, PR_FALSE);
+    }
+    return;
+}
+
+/*
+** Amount of time that a certifiate is allowed good before it is actually
+** good. This is used for pending certificates, ones that are about to be
+** valid. The slop is designed to allow for some variance in the clocks
+** of the machine checking the certificate.
+*/
+#define PENDING_SLOP (24L*60L*60L)		/* seconds per day */
+static PRInt32 pendingSlop = PENDING_SLOP;	/* seconds */
+
+PRInt32
+CERT_GetSlopTime(void)
+{
+    return pendingSlop;			/* seconds */
+}
+
+SECStatus
+CERT_SetSlopTime(PRInt32 slop)		/* seconds */
+{
+    if (slop < 0)
+	return SECFailure;
+    pendingSlop = slop;
+    return SECSuccess;
+}
+
+SECStatus
+CERT_GetCertTimes(CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    SECStatus rv;
+
+    if (!c || !notBefore || !notAfter) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    
+    /* convert DER not-before time */
+    rv = DER_DecodeTimeChoice(notBefore, &c->validity.notBefore);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_DecodeTimeChoice(notAfter, &c->validity.notAfter);
+    if (rv) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * Check the validity times of a certificate
+ */
+SECCertTimeValidity
+CERT_CheckCertValidTimes(CERTCertificate *c, PRTime t, PRBool allowOverride)
+{
+    PRTime notBefore, notAfter, llPendingSlop, tmp1;
+    SECStatus rv;
+
+    if (!c) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return(secCertTimeUndetermined);
+    }
+    /* if cert is already marked OK, then don't bother to check */
+    if ( allowOverride && c->timeOK ) {
+	return(secCertTimeValid);
+    }
+
+    rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
+    
+    if (rv) {
+	return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
+    }
+    
+    LL_I2L(llPendingSlop, pendingSlop);
+    /* convert to micro seconds */
+    LL_UI2L(tmp1, PR_USEC_PER_SEC);
+    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
+    LL_SUB(notBefore, notBefore, llPendingSlop);
+    if ( LL_CMP( t, <, notBefore ) ) {
+	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
+	return(secCertTimeNotValidYet);
+    }
+    if ( LL_CMP( t, >, notAfter) ) {
+	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
+	return(secCertTimeExpired);
+    }
+
+    return(secCertTimeValid);
+}
+
+SECStatus
+SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    
+    /* convert DER not-before time */
+    rv = DER_DecodeTimeChoice(notBefore, &date->lastUpdate);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    if (date->nextUpdate.data) {
+	rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate);
+	if (rv) {
+	    return(SECFailure);
+	}
+    }
+    else {
+	LL_I2L(*notAfter, 0L);
+    }
+    return(SECSuccess);
+}
+
+/* These routines should probably be combined with the cert
+ * routines using an common extraction routine.
+ */
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
+    PRTime notBefore, notAfter, llPendingSlop, tmp1;
+    SECStatus rv;
+
+    rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
+    
+    if (rv) {
+	return(secCertTimeExpired); 
+    }
+
+    LL_I2L(llPendingSlop, pendingSlop);
+    /* convert to micro seconds */
+    LL_I2L(tmp1, PR_USEC_PER_SEC);
+    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
+    LL_SUB(notBefore, notBefore, llPendingSlop);
+    if ( LL_CMP( t, <, notBefore ) ) {
+	return(secCertTimeNotValidYet);
+    }
+
+    /* If next update is omitted and the test for notBefore passes, then
+       we assume that the crl is up to date.
+     */
+    if ( LL_IS_ZERO(notAfter) ) {
+	return(secCertTimeValid);
+    }
+
+    if ( LL_CMP( t, >, notAfter) ) {
+	return(secCertTimeExpired);
+    }
+
+    return(secCertTimeValid);
+}
+
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
+    PRTime newNotBefore, newNotAfter;
+    PRTime oldNotBefore, oldNotAfter;
+    SECStatus rv;
+
+    /* problems with the new CRL? reject it */
+    rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter);
+    if (rv) return PR_FALSE;
+
+    /* problems with the old CRL? replace it */
+    rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter);
+    if (rv) return PR_TRUE;
+
+    /* Question: what about the notAfter's? */
+    return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore));
+}
+   
+/*
+ * return required key usage and cert type based on cert usage 
+ */
+SECStatus
+CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
+				 PRBool ca,
+				 unsigned int *retKeyUsage,
+				 unsigned int *retCertType)
+{
+    unsigned int requiredKeyUsage = 0;
+    unsigned int requiredCertType = 0;
+    
+    if ( ca ) {
+	switch ( usage ) {
+	  case certUsageSSLServerWithStepUp:
+	    requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLClient:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLServer:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLCA:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageEmailSigner:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
+	    break;
+	  case certUsageEmailRecipient:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
+	    break;
+	  case certUsageObjectSigner:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	    break;
+	  case certUsageAnyCA:
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
+		NS_CERT_TYPE_EMAIL_CA |
+		    NS_CERT_TYPE_SSL_CA;
+	    break;
+	  default:
+	    PORT_Assert(0);
+	    goto loser;
+	}
+    } else {
+	switch ( usage ) {
+	  case certUsageSSLClient:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
+	    break;
+	  case certUsageSSLServer:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
+	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT |
+		KU_NS_GOVT_APPROVED;
+	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
+	    break;
+	  case certUsageSSLCA:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageEmailSigner:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_EMAIL;
+	    break;
+	  case certUsageEmailRecipient:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
+	    requiredCertType = NS_CERT_TYPE_EMAIL;
+	    break;
+	  case certUsageObjectSigner:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING;
+	    break;
+	  case certUsageStatusResponder:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER;
+	    break;
+	  default:
+	    PORT_Assert(0);
+	    goto loser;
+	}
+    }
+
+    if ( retKeyUsage != NULL ) {
+	*retKeyUsage = requiredKeyUsage;
+    }
+    if ( retCertType != NULL ) {
+	*retCertType = requiredCertType;
+    }
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+/*
+ * check the key usage of a cert against a set of required values
+ */
+SECStatus
+CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
+{
+    unsigned int certKeyUsage;
+
+    if (!cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* choose between key agreement or key encipherment based on key
+     * type in cert
+     */
+    if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
+	KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
+	/* turn off the special bit */
+	requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
+
+	switch (keyType) {
+	case rsaKey:
+	    requiredUsage |= KU_KEY_ENCIPHERMENT;
+	    break;
+	case dsaKey:
+	    requiredUsage |= KU_DIGITAL_SIGNATURE;
+	    break;
+	case fortezzaKey:
+	case keaKey:
+	case dhKey:
+	    requiredUsage |= KU_KEY_AGREEMENT;
+	    break;
+	case ecKey:
+	    /* Accept either signature or agreement. */
+	    if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)))
+		 goto loser;
+	    break;
+	default:
+	    goto loser;
+	}
+    }
+
+    certKeyUsage = cert->keyUsage;
+    if (certKeyUsage & KU_NON_REPUDIATION)
+        certKeyUsage |= KU_DIGITAL_SIGNATURE;
+    if ( (certKeyUsage & requiredUsage) == requiredUsage ) 
+    	return SECSuccess;
+
+loser:
+    PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+    return SECFailure;
+}
+
+
+CERTCertificate *
+CERT_DupCertificate(CERTCertificate *c)
+{
+    if (c) {
+	NSSCertificate *tmp = STAN_GetNSSCertificate(c);
+	nssCertificate_AddRef(tmp);
+    }
+    return c;
+}
+
+/*
+ * Allow use of default cert database, so that apps(such as mozilla) don't
+ * have to pass the handle all over the place.
+ */
+static CERTCertDBHandle *default_cert_db_handle = 0;
+
+void
+CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
+{
+    default_cert_db_handle = handle;
+    
+    return;
+}
+
+CERTCertDBHandle *
+CERT_GetDefaultCertDB(void)
+{
+    return(default_cert_db_handle);
+}
+
+/* XXX this would probably be okay/better as an xp routine? */
+static void
+sec_lower_string(char *s)
+{
+    if ( s == NULL ) {
+	return;
+    }
+    
+    while ( *s ) {
+	*s = PORT_Tolower(*s);
+	s++;
+    }
+    
+    return;
+}
+
+/*
+** Add a domain name to the list of names that the user has explicitly
+** allowed (despite cert name mismatches) for use with a server cert.
+*/
+SECStatus
+CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
+{
+    CERTOKDomainName *domainOK;
+    int	       newNameLen;
+
+    if (!hn || !(newNameLen = strlen(hn))) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, 
+				  (sizeof *domainOK) + newNameLen);
+    if (!domainOK) 
+    	return SECFailure;	/* error code is already set. */
+
+    PORT_Strcpy(domainOK->name, hn);
+    sec_lower_string(domainOK->name);
+
+    /* put at head of list. */
+    domainOK->next = cert->domainOK;
+    cert->domainOK = domainOK;
+    return SECSuccess;
+}
+
+/* returns SECSuccess if hn matches pattern cn,
+** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
+** returns SECFailure with some other error code if another error occurs.
+**
+** may modify cn, so caller must pass a modifiable copy.
+*/
+static SECStatus
+cert_TestHostName(char * cn, const char * hn)
+{
+    int regvalid = PORT_RegExpValid(cn);
+    if (regvalid != NON_SXP) {
+	SECStatus rv;
+	/* cn is a regular expression, try to match the shexp */
+	int match = PORT_RegExpCaseSearch(hn, cn);
+
+	if ( match == 0 ) {
+	    rv = SECSuccess;
+	} else {
+	    PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+	    rv = SECFailure;
+	}
+	return rv;
+    } 
+    /* cn is not a regular expression */
+
+    /* compare entire hn with cert name */
+    if (PORT_Strcasecmp(hn, cn) == 0) {
+	return SECSuccess;
+    }
+	    
+    PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+    return SECFailure;
+}
+
+
+SECStatus
+cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
+{
+    PRArenaPool *     arena          = NULL;
+    CERTGeneralName * nameList       = NULL;
+    CERTGeneralName * current;
+    char *            cn;
+    int               cnBufLen;
+    unsigned int      hnLen;
+    int               DNSextCount    = 0;
+    int               IPextCount     = 0;
+    PRBool            isIPaddr       = PR_FALSE;
+    SECStatus         rv             = SECFailure;
+    SECItem           subAltName;
+    PRNetAddr         netAddr;
+    char              cnbuf[128];
+
+    subAltName.data = NULL;
+    hnLen    = strlen(hn);
+    cn       = cnbuf;
+    cnBufLen = sizeof cnbuf;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&subAltName);
+    if (rv != SECSuccess) {
+	goto fail;
+    }
+    isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
+    rv = SECFailure;
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) 
+	goto fail;
+
+    nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+    if (!current)
+    	goto fail;
+
+    do {
+	switch (current->type) {
+	case certDNSName:
+	    if (!isIPaddr) {
+		/* DNS name current->name.other.data is not null terminated.
+		** so must copy it.  
+		*/
+		int cnLen = current->name.other.len;
+		if (cnLen + 1 > cnBufLen) {
+		    cnBufLen = cnLen + 1;
+		    cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
+		    if (!cn)
+			goto fail;
+		}
+		PORT_Memcpy(cn, current->name.other.data, cnLen);
+		cn[cnLen] = 0;
+		rv = cert_TestHostName(cn ,hn);
+		if (rv == SECSuccess)
+		    goto finish;
+	    }
+	    DNSextCount++;
+	    break;
+	case certIPAddress:
+	    if (isIPaddr) {
+		int match = 0;
+		PRIPv6Addr v6Addr;
+		if (current->name.other.len == 4 &&         /* IP v4 address */
+		    netAddr.inet.family == PR_AF_INET) {
+		    match = !memcmp(&netAddr.inet.ip, 
+		                    current->name.other.data, 4);
+		} else if (current->name.other.len == 16 && /* IP v6 address */
+		    netAddr.ipv6.family == PR_AF_INET6) {
+		    match = !memcmp(&netAddr.ipv6.ip,
+		                     current->name.other.data, 16);
+		} else if (current->name.other.len == 16 && /* IP v6 address */
+		    netAddr.inet.family == PR_AF_INET) {
+		    /* convert netAddr to ipv6, then compare. */
+		    /* ipv4 must be in Network Byte Order on input. */
+		    PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr);
+		    match = !memcmp(&v6Addr, current->name.other.data, 16);
+		} else if (current->name.other.len == 4 &&  /* IP v4 address */
+		    netAddr.inet.family == PR_AF_INET6) {
+		    /* convert netAddr to ipv6, then compare. */
+		    PRUint32 ipv4 = (current->name.other.data[0] << 24) |
+		                    (current->name.other.data[1] << 16) |
+				    (current->name.other.data[2] <<  8) |
+				     current->name.other.data[3];
+		    /* ipv4 must be in Network Byte Order on input. */
+		    PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr);
+		    match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16);
+		} 
+		if (match) {
+		    rv = SECSuccess;
+		    goto finish;
+		}
+	    }
+	    IPextCount++;
+	    break;
+	default:
+	    break;
+	}
+	current = CERT_GetNextGeneralName(current);
+    } while (current != nameList);
+
+fail:
+
+    if (!(isIPaddr ? IPextCount : DNSextCount)) {
+	/* no relevant value in the extension was found. */
+	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+    } else {
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+    }
+    rv = SECFailure;
+
+finish:
+
+    /* Don't free nameList, it's part of the arena. */
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    if (subAltName.data) {
+	SECITEM_FreeItem(&subAltName, PR_FALSE);
+    }
+
+    return rv;
+}
+
+/*
+ * If found:
+ *   - subAltName contains the extension (caller must free)
+ *   - return value is the decoded namelist (allocated off arena)
+ * if not found, or if failure to decode:
+ *   - return value is NULL
+ */
+CERTGeneralName *
+cert_GetSubjectAltNameList(CERTCertificate *cert,
+                           PRArenaPool *arena)
+{
+    CERTGeneralName * nameList       = NULL;
+    SECStatus         rv             = SECFailure;
+    SECItem           subAltName;
+
+    if (!cert || !arena)
+      return NULL;
+
+    subAltName.data = NULL;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+                                &subAltName);
+    if (rv != SECSuccess)
+      return NULL;
+
+    nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
+    SECITEM_FreeItem(&subAltName, PR_FALSE);
+    return nameList;
+}
+
+PRUint32
+cert_CountDNSPatterns(CERTGeneralName *firstName)
+{
+    CERTGeneralName * current;
+    PRUint32 count = 0;
+
+    if (!firstName)
+      return 0;
+
+    current = firstName;
+    do {
+        switch (current->type) {
+        case certDNSName:
+        case certIPAddress:
+            ++count;
+            break;
+        default:
+            break;
+        }
+        current = CERT_GetNextGeneralName(current);
+    } while (current != firstName);
+
+    return count;
+}
+
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif
+
+/* will fill nickNames, 
+ * will allocate all data from nickNames->arena,
+ * numberOfGeneralNames should have been obtained from cert_CountDNSPatterns,
+ * will ensure the numberOfGeneralNames matches the number of output entries.
+ */
+SECStatus
+cert_GetDNSPatternsFromGeneralNames(CERTGeneralName *firstName,
+                                    PRUint32 numberOfGeneralNames, 
+                                    CERTCertNicknames *nickNames)
+{
+    CERTGeneralName *currentInput;
+    char **currentOutput;
+
+    if (!firstName || !nickNames || !numberOfGeneralNames)
+      return SECFailure;
+
+    nickNames->numnicknames = numberOfGeneralNames;
+    nickNames->nicknames = PORT_ArenaAlloc(nickNames->arena,
+                                       sizeof(char *) * numberOfGeneralNames);
+    if (!nickNames->nicknames)
+      return SECFailure;
+
+    currentInput = firstName;
+    currentOutput = nickNames->nicknames;
+    do {
+        char *cn = NULL;
+        char ipbuf[INET6_ADDRSTRLEN];
+        PRNetAddr addr;
+
+        if (numberOfGeneralNames < 1) {
+          /* internal consistency error */
+          return SECFailure;
+        }
+
+        switch (currentInput->type) {
+        case certDNSName:
+            /* DNS name currentInput->name.other.data is not null terminated.
+            ** so must copy it.  
+            */
+            cn = (char *)PORT_ArenaAlloc(nickNames->arena, 
+                                         currentInput->name.other.len + 1);
+            if (!cn)
+              return SECFailure;
+            PORT_Memcpy(cn, currentInput->name.other.data, 
+                            currentInput->name.other.len);
+            cn[currentInput->name.other.len + 1] = 0;
+            break;
+        case certIPAddress:
+            if (currentInput->name.other.len == 4) {
+              addr.inet.family = PR_AF_INET;
+              memcpy(&addr.inet.ip, currentInput->name.other.data, 
+                                    currentInput->name.other.len);
+            } else if (currentInput->name.other.len == 16) {
+              addr.ipv6.family = PR_AF_INET6;
+              memcpy(&addr.ipv6.ip, currentInput->name.other.data, 
+                                    currentInput->name.other.len);
+            }
+            if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf) == PR_FAILURE))
+              return SECFailure;
+            cn = PORT_ArenaStrdup(nickNames->arena, ipbuf);
+            if (!cn)
+              return SECFailure;
+            break;
+        default:
+            break;
+        }
+        if (cn) {
+          *currentOutput = cn;
+          nickNames->totallen += PORT_Strlen(cn);
+          ++currentOutput;
+          --numberOfGeneralNames;
+        }
+        currentInput = CERT_GetNextGeneralName(currentInput);
+    } while (currentInput != firstName);
+
+    return (numberOfGeneralNames == 0) ? SECSuccess : SECFailure;
+}
+
+/*
+ * Collect all valid DNS names from the given cert.
+ * The output arena will reference some temporaray data,
+ * but this saves us from dealing with two arenas.
+ * The caller may free all data by freeing CERTCertNicknames->arena.
+ */
+CERTCertNicknames *
+CERT_GetValidDNSPatternsFromCert(CERTCertificate *cert)
+{
+    CERTGeneralName *generalNames;
+    CERTCertNicknames *nickNames;
+    PRArenaPool *arena;
+    char *singleName;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        return NULL;
+    }
+    
+    nickNames = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
+    if (!nickNames) {
+      PORT_FreeArena(arena, PR_FALSE);
+      return NULL;
+    }
+
+    /* init the structure */
+    nickNames->arena = arena;
+    nickNames->head = NULL;
+    nickNames->numnicknames = 0;
+    nickNames->nicknames = NULL;
+    nickNames->totallen = 0;
+
+    generalNames = cert_GetSubjectAltNameList(cert, arena);
+    if (generalNames) {
+      SECStatus rv_getnames = SECFailure; 
+      PRUint32 numNames = cert_CountDNSPatterns(generalNames);
+
+      if (numNames) {
+        rv_getnames = cert_GetDNSPatternsFromGeneralNames(generalNames, 
+                                                          numNames, nickNames);
+      }
+
+      /* if there were names, we'll exit now, either with success or failure */
+      if (numNames) {
+        if (rv_getnames == SECSuccess) {
+          return nickNames;
+        }
+
+        /* failure to produce output */
+        PORT_FreeArena(arena, PR_FALSE);
+        return NULL;
+      }
+    }
+
+    /* no SAN extension or no names found in extension */
+    /* now try the NS cert name extension first, then the common name */
+    singleName = 
+      CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+    if (!singleName) {
+      singleName = CERT_GetCommonName(&cert->subject);
+    }
+
+    if (singleName) {
+      nickNames->numnicknames = 1;
+      nickNames->nicknames = PORT_ArenaAlloc(arena, sizeof(char *));
+      if (nickNames->nicknames) {
+        *nickNames->nicknames = PORT_ArenaStrdup(arena, singleName);
+      }
+      PORT_Free(singleName);
+
+      /* Did we allocate both the buffer of pointers and the string? */
+      if (nickNames->nicknames && *nickNames->nicknames) {
+        return nickNames;
+      }
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/* Make sure that the name of the host we are connecting to matches the
+ * name that is incoded in the common-name component of the certificate
+ * that they are using.
+ */
+SECStatus
+CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
+{
+    char *    cn;
+    SECStatus rv;
+    CERTOKDomainName *domainOK;
+
+    if (!hn || !strlen(hn)) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* if the name is one that the user has already approved, it's OK. */
+    for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) {
+	if (0 == PORT_Strcasecmp(hn, domainOK->name)) {
+	    return SECSuccess;
+    	}
+    }
+
+    /* Per RFC 2818, if the SubjectAltName extension is present, it must
+    ** be used as the cert's identity.
+    */
+    rv = cert_VerifySubjectAltName(cert, hn);
+    if (rv == SECSuccess || PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
+    	return rv;
+
+    /* try the cert extension first, then the common name */
+    cn = CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+    if ( !cn ) {
+	cn = CERT_GetCommonName(&cert->subject);
+    }
+    if ( cn ) {
+	rv = cert_TestHostName(cn, hn);
+	PORT_Free(cn);
+    } else 
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+    return rv;
+}
+
+PRBool
+CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2)
+{
+    SECComparison comp;
+    
+    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
+    if ( comp == SECEqual ) { /* certs are the same */
+	return(PR_TRUE);
+    } else {
+	return(PR_FALSE);
+    }
+}
+
+static SECStatus
+StringsEqual(char *s1, char *s2) {
+    if ( ( s1 == NULL ) || ( s2 == NULL ) ) {
+	if ( s1 != s2 ) { /* only one is null */
+	    return(SECFailure);
+	}
+	return(SECSuccess); /* both are null */
+    }
+	
+    if ( PORT_Strcmp( s1, s2 ) != 0 ) {
+	return(SECFailure); /* not equal */
+    }
+
+    return(SECSuccess); /* strings are equal */
+}
+
+
+PRBool
+CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2)
+{
+    SECComparison comp;
+    char *c1str, *c2str;
+    SECStatus eq;
+    
+    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
+    if ( comp == SECEqual ) { /* certs are the same */
+	return(PR_TRUE);
+    }
+	
+    /* check if they are issued by the same CA */
+    comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer);
+    if ( comp != SECEqual ) { /* different issuer */
+	return(PR_FALSE);
+    }
+
+    /* check country name */
+    c1str = CERT_GetCountryName(&c1->subject);
+    c2str = CERT_GetCountryName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+    /* check locality name */
+    c1str = CERT_GetLocalityName(&c1->subject);
+    c2str = CERT_GetLocalityName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+	
+    /* check state name */
+    c1str = CERT_GetStateName(&c1->subject);
+    c2str = CERT_GetStateName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+    /* check org name */
+    c1str = CERT_GetOrgName(&c1->subject);
+    c2str = CERT_GetOrgName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+#ifdef NOTDEF	
+    /* check orgUnit name */
+    /*
+     * We need to revisit this and decide which fields should be allowed to be
+     * different
+     */
+    c1str = CERT_GetOrgUnitName(&c1->subject);
+    c2str = CERT_GetOrgUnitName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+#endif
+
+    return(PR_TRUE); /* all fields but common name are the same */
+}
+
+
+/* CERT_CertChainFromCert and CERT_DestroyCertificateList moved
+   to certhigh.c */
+
+
+CERTIssuerAndSN *
+CERT_GetCertIssuerAndSN(PRArenaPool *arena, CERTCertificate *cert)
+{
+    CERTIssuerAndSN *result;
+    SECStatus rv;
+
+    if ( arena == NULL ) {
+	arena = cert->arena;
+    }
+    
+    result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result));
+    if (result == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer);
+    if (rv != SECSuccess)
+	return NULL;
+
+    rv = CERT_CopyName(arena, &result->issuer, &cert->issuer);
+    if (rv != SECSuccess)
+	return NULL;
+
+    rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber);
+    if (rv != SECSuccess)
+	return NULL;
+
+    return result;
+}
+
+char *
+CERT_MakeCANickname(CERTCertificate *cert)
+{
+    char *firstname = NULL;
+    char *org = NULL;
+    char *nickname = NULL;
+    int count;
+    CERTCertificate *dummycert;
+    CERTCertDBHandle *handle;
+    
+    handle = cert->dbhandle;
+    
+    nickname = CERT_GetNickName(cert, handle, cert->arena);
+    if (nickname == NULL) {
+	firstname = CERT_GetCommonName(&cert->subject);
+	if ( firstname == NULL ) {
+	    firstname = CERT_GetOrgUnitName(&cert->subject);
+	}
+
+	org = CERT_GetOrgName(&cert->issuer);
+	if (org == NULL) {
+	    org = CERT_GetDomainComponentName(&cert->issuer);
+	    if (org == NULL) {
+		if (firstname) {
+		    org = firstname;
+		    firstname = NULL;
+		} else {
+		    org = PORT_Strdup("Unknown CA");
+		}
+	    }
+	}
+
+	/* can only fail if PORT_Strdup fails, in which case
+	 * we're having memory problems. */
+	if (org == NULL) {
+	    goto loser;
+	}
+
+    
+	count = 1;
+	while ( 1 ) {
+
+	    if ( firstname ) {
+		if ( count == 1 ) {
+		    nickname = PR_smprintf("%s - %s", firstname, org);
+		} else {
+		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
+		}
+	    } else {
+		if ( count == 1 ) {
+		    nickname = PR_smprintf("%s", org);
+		} else {
+		    nickname = PR_smprintf("%s #%d", org, count);
+		}
+	    }
+	    if ( nickname == NULL ) {
+		goto loser;
+	    }
+
+	    /* look up the nickname to make sure it isn't in use already */
+	    dummycert = CERT_FindCertByNickname(handle, nickname);
+
+	    if ( dummycert == NULL ) {
+		goto done;
+	    }
+	
+	    /* found a cert, destroy it and loop */
+	    CERT_DestroyCertificate(dummycert);
+
+	    /* free the nickname */
+	    PORT_Free(nickname);
+
+	    count++;
+	}
+    }
+loser:
+    if ( nickname ) {
+	PORT_Free(nickname);
+    }
+
+    nickname = "";
+    
+done:
+    if ( firstname ) {
+	PORT_Free(firstname);
+    }
+    if ( org ) {
+	PORT_Free(org);
+    }
+    
+    return(nickname);
+}
+
+/* CERT_Import_CAChain moved to certhigh.c */
+
+void
+CERT_DestroyCrl (CERTSignedCrl *crl)
+{
+    SEC_DestroyCrl (crl);
+}
+
+
+
+/*
+ * Does a cert belong to a CA?  We decide based on perm database trust
+ * flags, Netscape Cert Type Extension, and KeyUsage Extension.
+ */
+PRBool
+CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
+{
+    CERTCertTrust *trust;
+    SECStatus rv;
+    unsigned int type;
+    PRBool ret;
+
+    ret = PR_FALSE;
+    type = 0;
+
+    if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags|
+				cert->trust->objectSigningFlags)) {
+	trust = cert->trust;
+	if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	   ( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_SSL_CA;
+	}
+	
+	if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	  ( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_EMAIL_CA;
+	}
+	
+	if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) 
+						== CERTDB_VALID_CA ) ||
+          ( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA ) 
+						== CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	}
+    } else {
+	if ( cert->nsCertType &
+	    ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
+	     NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) {
+	    ret = PR_TRUE;
+	    type = (cert->nsCertType & NS_CERT_TYPE_CA);
+	} else {
+	    CERTBasicConstraints constraints;
+	    rv = CERT_FindBasicConstraintExten(cert, &constraints);
+	    if ( rv == SECSuccess ) {
+		if ( constraints.isCA ) {
+		    ret = PR_TRUE;
+		    type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
+		}
+	    } 
+	} 
+
+	/* finally check if it's a FORTEZZA V1 CA */
+	if (ret == PR_FALSE) {
+	    if (fortezzaIsCA(cert)) {
+		ret = PR_TRUE;
+		type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
+	    }
+	}
+    }
+
+    /* the isRoot flag trumps all */
+    if (cert->isRoot) {
+	ret = PR_TRUE;
+	/* set only these by default, same as above */
+	type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
+    }
+
+    if ( rettype != NULL ) {
+	*rettype = type;
+    }
+    
+    return(ret);
+}
+
+PRBool
+CERT_IsCADERCert(SECItem *derCert, unsigned int *type) {
+    CERTCertificate *cert;
+    PRBool isCA;
+
+    /* This is okay -- only looks at extensions */
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return PR_FALSE;
+
+    isCA = CERT_IsCACert(cert,type);
+    CERT_DestroyCertificate (cert);
+    return isCA;
+}
+
+PRBool
+CERT_IsRootDERCert(SECItem *derCert)
+{
+    CERTCertificate *cert;
+    PRBool isRoot;
+
+    /* This is okay -- only looks at extensions */
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return PR_FALSE;
+
+    isRoot = cert->isRoot;
+    CERT_DestroyCertificate (cert);
+    return isRoot;
+}
+
+CERTCompareValidityStatus
+CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b)
+{
+    PRTime notBeforeA, notBeforeB, notAfterA, notAfterB;
+
+    if (!val_a || !val_b)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return certValidityUndetermined;
+    }
+
+    if ( SECSuccess != DER_DecodeTimeChoice(&notBeforeA, &val_a->notBefore) ||
+         SECSuccess != DER_DecodeTimeChoice(&notBeforeB, &val_b->notBefore) ||
+         SECSuccess != DER_DecodeTimeChoice(&notAfterA, &val_a->notAfter) ||
+         SECSuccess != DER_DecodeTimeChoice(&notAfterB, &val_b->notAfter) ) {
+        return certValidityUndetermined;
+    }
+
+    /* sanity check */
+    if (LL_CMP(notBeforeA,>,notAfterA) || LL_CMP(notBeforeB,>,notAfterB)) {
+        PORT_SetError(SEC_ERROR_INVALID_TIME);
+        return certValidityUndetermined;
+    }
+
+    if (LL_CMP(notAfterA,!=,notAfterB)) {
+        /* one cert validity goes farther into the future, select it */
+        return LL_CMP(notAfterA,<,notAfterB) ?
+            certValidityChooseB : certValidityChooseA;
+    }
+    /* the two certs have the same expiration date */
+    PORT_Assert(LL_CMP(notAfterA, == , notAfterB));
+    /* do they also have the same start date ? */
+    if (LL_CMP(notBeforeA,==,notBeforeB)) {
+	return certValidityEqual;
+    }
+    /* choose cert with the later start date */
+    return LL_CMP(notBeforeA,<,notBeforeB) ?
+        certValidityChooseB : certValidityChooseA;
+}
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+void
+CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts)
+{
+    unsigned int i;
+    
+    if ( certs ) {
+	for ( i = 0; i < ncerts; i++ ) {
+	    if ( certs[i] ) {
+		CERT_DestroyCertificate(certs[i]);
+	    }
+	}
+
+	PORT_Free(certs);
+    }
+    
+    return;
+}
+
+char *
+CERT_FixupEmailAddr(const char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+/*
+ * NOTE - don't allow encode of govt-approved or invisible bits
+ */
+SECStatus
+CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts)
+{
+    unsigned int i;
+    unsigned int *pflags;
+    
+    if (!trust) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    trust->sslFlags = 0;
+    trust->emailFlags = 0;
+    trust->objectSigningFlags = 0;
+    if (!trusts) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pflags = &trust->sslFlags;
+    
+    for (i=0; i < PORT_Strlen(trusts); i++) {
+	switch (trusts[i]) {
+	  case 'p':
+	      *pflags = *pflags | CERTDB_VALID_PEER;
+	      break;
+
+	  case 'P':
+	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
+	      break;
+
+	  case 'w':
+	      *pflags = *pflags | CERTDB_SEND_WARN;
+	      break;
+
+	  case 'c':
+	      *pflags = *pflags | CERTDB_VALID_CA;
+	      break;
+
+	  case 'T':
+	      *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA;
+	      break;
+
+	  case 'C' :
+	      *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+	      break;
+
+	  case 'u':
+	      *pflags = *pflags | CERTDB_USER;
+	      break;
+
+	  case 'i':
+	      *pflags = *pflags | CERTDB_INVISIBLE_CA;
+	      break;
+	  case 'g':
+	      *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
+	      break;
+
+	  case ',':
+	      if ( pflags == &trust->sslFlags ) {
+		  pflags = &trust->emailFlags;
+	      } else {
+		  pflags = &trust->objectSigningFlags;
+	      }
+	      break;
+	  default:
+	      return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+static void
+EncodeFlags(char *trusts, unsigned int flags)
+{
+    if (flags & CERTDB_VALID_CA)
+	if (!(flags & CERTDB_TRUSTED_CA) &&
+	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
+	    PORT_Strcat(trusts, "c");
+    if (flags & CERTDB_VALID_PEER)
+	if (!(flags & CERTDB_TRUSTED))
+	    PORT_Strcat(trusts, "p");
+    if (flags & CERTDB_TRUSTED_CA)
+	PORT_Strcat(trusts, "C");
+    if (flags & CERTDB_TRUSTED_CLIENT_CA)
+	PORT_Strcat(trusts, "T");
+    if (flags & CERTDB_TRUSTED)
+	PORT_Strcat(trusts, "P");
+    if (flags & CERTDB_USER)
+	PORT_Strcat(trusts, "u");
+    if (flags & CERTDB_SEND_WARN)
+	PORT_Strcat(trusts, "w");
+    if (flags & CERTDB_INVISIBLE_CA)
+	PORT_Strcat(trusts, "I");
+    if (flags & CERTDB_GOVT_APPROVED_CA)
+	PORT_Strcat(trusts, "G");
+    return;
+}
+
+char *
+CERT_EncodeTrustString(CERTCertTrust *trust)
+{
+    char tmpTrustSSL[32];
+    char tmpTrustEmail[32];
+    char tmpTrustSigning[32];
+    char *retstr = NULL;
+
+    if ( trust ) {
+	tmpTrustSSL[0] = '\0';
+	tmpTrustEmail[0] = '\0';
+	tmpTrustSigning[0] = '\0';
+    
+	EncodeFlags(tmpTrustSSL, trust->sslFlags);
+	EncodeFlags(tmpTrustEmail, trust->emailFlags);
+	EncodeFlags(tmpTrustSigning, trust->objectSigningFlags);
+    
+	retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail,
+			     tmpTrustSigning);
+    }
+    
+    return(retstr);
+}
+
+SECStatus
+CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
+		 unsigned int ncerts, SECItem **derCerts,
+		 CERTCertificate ***retCerts, PRBool keepCerts,
+		 PRBool caOnly, char *nickname)
+{
+    unsigned int i;
+    CERTCertificate **certs = NULL;
+    SECStatus rv;
+    unsigned int fcerts = 0;
+
+    if ( ncerts ) {
+	certs = PORT_ZNewArray(CERTCertificate*, ncerts);
+	if ( certs == NULL ) {
+	    return(SECFailure);
+	}
+    
+	/* decode all of the certs into the temporary DB */
+	for ( i = 0, fcerts= 0; i < ncerts; i++) {
+	    certs[fcerts] = CERT_NewTempCertificate(certdb,
+	                                            derCerts[i],
+	                                            NULL,
+	                                            PR_FALSE,
+	                                            PR_TRUE);
+	    if (certs[fcerts]) fcerts++;
+	}
+
+	if ( keepCerts ) {
+	    for ( i = 0; i < fcerts; i++ ) {
+                char* canickname = NULL;
+                PRBool freeNickname = PR_FALSE;
+
+		SECKEY_UpdateCertPQG(certs[i]);
+                
+                if ( CERT_IsCACert(certs[i], NULL) ) {
+                    canickname = CERT_MakeCANickname(certs[i]);
+                    if ( canickname != NULL ) {
+                        freeNickname = PR_TRUE;
+                    }
+                }
+
+		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
+		    /* if we are importing only a single cert and specifying
+		     * a nickname, we want to use that nickname if it a CA,
+		     * otherwise if there are more than one cert, we don't
+		     * know which cert it belongs to. But we still may try
+                     * the individual canickname from the cert itself.
+		     */
+		    rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
+		} else {
+		    rv = CERT_AddTempCertToPerm(certs[i],
+                                                nickname?nickname:canickname, NULL);
+		}
+
+                if (PR_TRUE == freeNickname) {
+                    PORT_Free(canickname);
+                }
+		/* don't care if it fails - keep going */
+	    }
+	}
+    }
+
+    if ( retCerts ) {
+	*retCerts = certs;
+    } else {
+	if (certs) {
+	    CERT_DestroyCertArray(certs, fcerts);
+	}
+    }
+
+    return ((fcerts || !ncerts) ? SECSuccess : SECFailure);
+}
+
+/*
+ * a real list of certificates - need to convert CERTCertificateList
+ * stuff and ASN 1 encoder/decoder over to using this...
+ */
+CERTCertList *
+CERT_NewCertList(void)
+{
+    PRArenaPool *arena = NULL;
+    CERTCertList *ret = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+    
+    ret->arena = arena;
+    
+    PR_INIT_CLIST(&ret->list);
+    
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyCertList(CERTCertList *certs)
+{
+    PRCList *node;
+
+    while( !PR_CLIST_IS_EMPTY(&certs->list) ) {
+	node = PR_LIST_HEAD(&certs->list);
+	CERT_DestroyCertificate(((CERTCertListNode *)node)->cert);
+	PR_REMOVE_LINK(node);
+    }
+    
+    PORT_FreeArena(certs->arena, PR_FALSE);
+    
+    return;
+}
+
+void
+CERT_RemoveCertListNode(CERTCertListNode *node)
+{
+    CERT_DestroyCertificate(node->cert);
+    PR_REMOVE_LINK(&node->links);
+    return;
+}
+
+
+SECStatus
+CERT_AddCertToListTailWithData(CERTCertList *certs, 
+				CERTCertificate *cert, void *appData)
+{
+    CERTCertListNode *node;
+    
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    PR_INSERT_BEFORE(&node->links, &certs->list);
+    /* certs->count++; */
+    node->cert = cert;
+    node->appData = appData;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+SECStatus
+CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert)
+{
+    return CERT_AddCertToListTailWithData(certs, cert, NULL);
+}
+
+SECStatus
+CERT_AddCertToListHeadWithData(CERTCertList *certs, 
+					CERTCertificate *cert, void *appData)
+{
+    CERTCertListNode *node;
+    CERTCertListNode *head;
+    
+    head = CERT_LIST_HEAD(certs);
+
+    if (head == NULL) return CERT_AddCertToListTail(certs,cert);
+
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    PR_INSERT_BEFORE(&node->links, &head->links);
+    /* certs->count++; */
+    node->cert = cert;
+    node->appData = appData;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+SECStatus
+CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert)
+{
+    return CERT_AddCertToListHeadWithData(certs, cert, NULL);
+}
+
+/*
+ * Sort callback function to determine if cert a is newer than cert b.
+ * Not valid certs are considered older than valid certs.
+ */
+PRBool
+CERT_SortCBValidity(CERTCertificate *certa,
+		    CERTCertificate *certb,
+		    void *arg)
+{
+    PRTime sorttime;
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE;
+
+    sorttime = *(PRTime *)arg;
+    
+    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+
+    /* check if A is valid at sorttime */
+    if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE)
+	!= secCertTimeValid ) {
+	aNotValid = PR_TRUE;
+    }
+
+    /* check if B is valid at sorttime */
+    if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE)
+	!= secCertTimeValid ) {
+	bNotValid = PR_TRUE;
+    }
+
+    /* a is valid, b is not */
+    if ( bNotValid && ( ! aNotValid ) ) {
+	return(PR_TRUE);
+    }
+
+    /* b is valid, a is not */
+    if ( aNotValid && ( ! bNotValid ) ) {
+	return(PR_FALSE);
+    }
+    
+    /* a and b are either valid or not valid */
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	return(PR_FALSE);
+    }
+}
+
+
+SECStatus
+CERT_AddCertToListSorted(CERTCertList *certs,
+			 CERTCertificate *cert,
+			 CERTSortCallback f,
+			 void *arg)
+{
+    CERTCertListNode *node;
+    CERTCertListNode *head;
+    PRBool ret;
+    
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    head = CERT_LIST_HEAD(certs);
+    
+    while ( !CERT_LIST_END(head, certs) ) {
+
+	/* if cert is already in the list, then don't add it again */
+	if ( cert == head->cert ) {
+	    /*XXX*/
+	    /* don't keep a reference */
+	    CERT_DestroyCertificate(cert);
+	    goto done;
+	}
+	
+	ret = (* f)(cert, head->cert, arg);
+	/* if sort function succeeds, then insert before current node */
+	if ( ret ) {
+	    PR_INSERT_BEFORE(&node->links, &head->links);
+	    goto done;
+	}
+
+	head = CERT_LIST_NEXT(head);
+    }
+    /* if we get to the end, then just insert it at the tail */
+    PR_INSERT_BEFORE(&node->links, &certs->list);
+
+done:    
+    /* certs->count++; */
+    node->cert = cert;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+/* This routine is here because pcertdb.c still has a call to it.
+ * The SMIME profile code in pcertdb.c should be split into high (find
+ * the email cert) and low (store the profile) code.  At that point, we
+ * can move this to certhigh.c where it belongs.
+ *
+ * remove certs from a list that don't have keyUsage and certType
+ * that match the given usage.
+ */
+SECStatus
+CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
+			   PRBool ca)
+{
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    CERTCertListNode *node, *savenode;
+    SECStatus rv;
+    
+    if (certList == NULL) goto loser;
+
+    rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage,
+					  &requiredCertType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    node = CERT_LIST_HEAD(certList);
+	
+    while ( !CERT_LIST_END(node, certList) ) {
+
+	PRBool bad = (PRBool)(!node->cert);
+
+	/* bad key usage ? */
+	if ( !bad && 
+	     CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess ) {
+	    bad = PR_TRUE;
+	}
+	/* bad cert type ? */
+	if ( !bad ) {
+	    unsigned int certType = 0;
+	    if ( ca ) {
+		/* This function returns a more comprehensive cert type that
+		 * takes trust flags into consideration.  Should probably
+		 * fix the cert decoding code to do this.
+		 */
+		(void)CERT_IsCACert(node->cert, &certType);
+	    } else {
+		certType = node->cert->nsCertType;
+	    }
+	    if ( !( certType & requiredCertType ) ) {
+		bad = PR_TRUE;
+	    }
+	}
+
+	if ( bad ) {
+	    /* remove the node if it is bad */
+	    savenode = CERT_LIST_NEXT(node);
+	    CERT_RemoveCertListNode(node);
+	    node = savenode;
+	} else {
+	    node = CERT_LIST_NEXT(node);
+	}
+    }
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+PRBool CERT_IsUserCert(CERTCertificate* cert)
+{
+    if ( cert->trust &&
+        ((cert->trust->sslFlags & CERTDB_USER ) ||
+         (cert->trust->emailFlags & CERTDB_USER ) ||
+         (cert->trust->objectSigningFlags & CERTDB_USER )) ) {
+        return PR_TRUE;
+    } else {
+        return PR_FALSE;
+    }
+}
+
+SECStatus
+CERT_FilterCertListForUserCerts(CERTCertList *certList)
+{
+    CERTCertListNode *node, *freenode;
+    CERTCertificate *cert;
+
+    if (!certList) {
+        return SECFailure;
+    }
+
+    node = CERT_LIST_HEAD(certList);
+    
+    while ( ! CERT_LIST_END(node, certList) ) {
+	cert = node->cert;
+	if ( PR_TRUE != CERT_IsUserCert(cert) ) {
+	    /* Not a User Cert, so remove this cert from the list */
+	    freenode = node;
+	    node = CERT_LIST_NEXT(node);
+	    CERT_RemoveCertListNode(freenode);
+	} else {
+	    /* Is a User cert, so leave it in the list */
+	    node = CERT_LIST_NEXT(node);
+	}
+    }
+
+    return(SECSuccess);
+}
+
+static PZLock *certRefCountLock = NULL;
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertRefCount(CERTCertificate *cert)
+{
+    PORT_Assert(certRefCountLock != NULL);
+    PZ_Lock(certRefCountLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+void
+CERT_UnlockCertRefCount(CERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certRefCountLock != NULL);
+    
+    prstat = PZ_Unlock(certRefCountLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+static PZLock *certTrustLock = NULL;
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertTrust(CERTCertificate *cert)
+{
+    PORT_Assert(certTrustLock != NULL);
+    PZ_Lock(certTrustLock);
+    return;
+}
+
+SECStatus
+cert_InitLocks(void)
+{
+    if ( certRefCountLock == NULL ) {
+        certRefCountLock = PZ_NewLock(nssILockRefLock);
+        PORT_Assert(certRefCountLock != NULL);
+        if (!certRefCountLock) {
+            return SECFailure;
+        }
+    }
+
+    if ( certTrustLock == NULL ) {
+        certTrustLock = PZ_NewLock(nssILockCertDB);
+        PORT_Assert(certTrustLock != NULL);
+        if (!certTrustLock) {
+            PZ_DestroyLock(certRefCountLock);
+            return SECFailure;
+        }
+    }    
+
+    return SECSuccess;
+}
+
+SECStatus
+cert_DestroyLocks(void)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(certRefCountLock != NULL);
+    if (certRefCountLock) {
+        PZ_DestroyLock(certRefCountLock);
+        certRefCountLock = NULL;
+    } else {
+        rv = SECFailure;
+    }
+
+    PORT_Assert(certTrustLock != NULL);
+    if (certTrustLock) {
+        PZ_DestroyLock(certTrustLock);
+        certTrustLock = NULL;
+    } else {
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+ * Free the cert trust lock
+ */
+void
+CERT_UnlockCertTrust(CERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certTrustLock != NULL);
+    
+    prstat = PZ_Unlock(certTrustLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+
+/*
+ * Get the StatusConfig data for this handle
+ */
+CERTStatusConfig *
+CERT_GetStatusConfig(CERTCertDBHandle *handle)
+{
+  return handle->statusConfig;
+}
+
+/*
+ * Set the StatusConfig data for this handle.  There
+ * should not be another configuration set.
+ */
+void
+CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
+{
+  PORT_Assert(handle->statusConfig == NULL);
+  handle->statusConfig = statusConfig;
+}
+
+/*
+ * Code for dealing with subjKeyID to cert mappings.
+ */
+
+static PLHashTable *gSubjKeyIDHash = NULL;
+static PRLock      *gSubjKeyIDLock = NULL;
+
+static void *cert_AllocTable(void *pool, PRSize size)
+{
+    return PORT_Alloc(size);
+}
+
+static void cert_FreeTable(void *pool, void *item)
+{
+    PORT_Free(item);
+}
+
+static PLHashEntry* cert_AllocEntry(void *pool, const void *key)
+{
+    return PORT_New(PLHashEntry);
+}
+
+static void cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
+{
+    SECITEM_FreeItem((SECItem*)(he->value), PR_TRUE);
+    if (flag == HT_FREE_ENTRY) {
+        SECITEM_FreeItem((SECItem*)(he->key), PR_TRUE);
+        PORT_Free(he);
+    }
+}
+
+static PLHashAllocOps cert_AllocOps = {
+    cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
+};
+
+SECStatus
+cert_CreateSubjectKeyIDHashTable(void)
+{
+    gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+                                    SECITEM_HashCompare,
+                                    &cert_AllocOps, NULL);
+    if (!gSubjKeyIDHash) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    gSubjKeyIDLock = PR_NewLock();
+    if (!gSubjKeyIDLock) {
+        PL_HashTableDestroy(gSubjKeyIDHash);
+        gSubjKeyIDHash = NULL;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    return SECSuccess;
+
+}
+
+SECStatus
+cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert)
+{
+    SECItem *newKeyID, *oldVal, *newVal;
+    SECStatus rv = SECFailure;
+
+    if (!gSubjKeyIDLock) {
+	/* If one is created, then both are there.  So only check for one. */
+	return SECFailure;
+    }
+
+    newVal = SECITEM_DupItem(&cert->derCert);
+    if (!newVal) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
+    newKeyID = SECITEM_DupItem(subjKeyID);
+    if (!newKeyID) {
+        SECITEM_FreeItem(newVal, PR_TRUE);
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
+
+    PR_Lock(gSubjKeyIDLock);
+    /* The hash table implementation does not free up the memory 
+     * associated with the key of an already existing entry if we add a 
+     * duplicate, so we would wind up leaking the previously allocated 
+     * key if we don't remove before adding.
+     */
+    oldVal = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
+    if (oldVal) {
+        PL_HashTableRemove(gSubjKeyIDHash, subjKeyID);
+    }
+
+    rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess :
+                                                               SECFailure;
+    PR_Unlock(gSubjKeyIDLock);
+done:
+    return rv;
+}
+
+SECStatus
+cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID)
+{
+    SECStatus rv;
+    if (!gSubjKeyIDLock)
+        return SECFailure;
+
+    PR_Lock(gSubjKeyIDLock);
+    rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess :
+                                                           SECFailure;
+    PR_Unlock(gSubjKeyIDLock);
+    return rv;
+}
+
+SECStatus
+cert_DestroySubjectKeyIDHashTable(void)
+{
+    if (gSubjKeyIDHash) {
+        PR_Lock(gSubjKeyIDLock);
+        PL_HashTableDestroy(gSubjKeyIDHash);
+        gSubjKeyIDHash = NULL;
+        PR_Unlock(gSubjKeyIDLock);
+        PR_DestroyLock(gSubjKeyIDLock);
+        gSubjKeyIDLock = NULL;
+    }
+    return SECSuccess;
+}
+
+SECItem*
+cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID)
+{
+    SECItem   *val;
+ 
+    if (!gSubjKeyIDLock)
+        return NULL;
+
+    PR_Lock(gSubjKeyIDLock);
+    val = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
+    if (val) {
+        val = SECITEM_DupItem(val);
+    }
+    PR_Unlock(gSubjKeyIDLock);
+    return val;
+}
+
+CERTCertificate*
+CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, SECItem *subjKeyID)
+{
+    CERTCertificate *cert = NULL;
+    SECItem *derCert;
+
+    derCert = cert_FindDERCertBySubjectKeyID(subjKeyID);
+    if (derCert) {
+        cert = CERT_FindCertByDERCert(handle, derCert);
+        SECITEM_FreeItem(derCert, PR_TRUE);
+    }
+    return cert;
+}
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
new file mode 100644
index 000000000..966d665f3
--- /dev/null
+++ b/security/nss/lib/certdb/certdb.h
@@ -0,0 +1,97 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CERTDB_H_
+#define _CERTDB_H_
+
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+
+
+SEC_BEGIN_PROTOS
+
+CERTSignedCrl *
+SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle);
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
+
+SECStatus
+SEC_DeletePermCRL(CERTSignedCrl *crl);
+
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type);
+
+SECStatus 
+SEC_DestroyCrl(CERTSignedCrl *crl);
+
+CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl);
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust);
+
+SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
+
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
+
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
+
+SEC_END_PROTOS
+
+#endif /* _CERTDB_H_ */
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
new file mode 100644
index 000000000..68f4424c0
--- /dev/null
+++ b/security/nss/lib/certdb/certi.h
@@ -0,0 +1,311 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * certi.h - private data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _CERTI_H_
+#define _CERTI_H_
+
+#include "certt.h"
+#include "nssrwlkt.h"
+
+/*
+#define GLOBAL_RWLOCK 1
+*/
+
+#define DPC_RWLOCK 1
+
+/* all definitions in this file are subject to change */
+
+typedef struct OpaqueCRLFieldsStr OpaqueCRLFields;
+typedef struct CRLEntryCacheStr CRLEntryCache;
+typedef struct CRLDPCacheStr CRLDPCache;
+typedef struct CRLIssuerCacheStr CRLIssuerCache;
+typedef struct CRLCacheStr CRLCache;
+typedef struct CachedCrlStr CachedCrl;
+
+struct OpaqueCRLFieldsStr {
+    PRBool partial;
+    PRBool decodingError;
+    PRBool badEntries;
+    PRBool badDER;
+    PRBool badExtensions;
+    PRBool heapDER;
+};
+
+typedef struct PreAllocatorStr PreAllocator;
+
+struct PreAllocatorStr
+{
+    PRSize len;
+    void* data;
+    PRSize used;
+    PRArenaPool* arena;
+    PRSize extra;
+};
+
+/*  CRL entry cache.
+    This is the same as an entry plus the next/prev pointers for the hash table
+*/
+
+struct CRLEntryCacheStr {
+    CERTCrlEntry entry;
+    CRLEntryCache *prev, *next;
+};
+
+#define CRL_CACHE_INVALID_CRLS              0x0001 /* this state will be set
+        if we have CRL objects with an invalid DER or signature. Can be
+        cleared if the invalid objects are deleted from the token */
+#define CRL_CACHE_LAST_FETCH_FAILED         0x0002 /* this state will be set
+        if the last CRL fetch encountered an error. Can be cleared if a
+        new fetch succeeds */
+
+#define CRL_CACHE_OUT_OF_MEMORY             0x0004 /* this state will be set
+        if we don't have enough memory to build the hash table of entries */
+
+typedef enum {
+    CRL_OriginToken = 0,    /* CRL came from PKCS#11 token */
+    CRL_OriginExplicit = 1  /* CRL was explicitly added to the cache, from RAM */
+} CRLOrigin;
+
+struct CachedCrlStr {
+    CERTSignedCrl* crl;
+    CRLOrigin origin;
+    /* hash table of entries. We use a PLHashTable and pre-allocate the
+       required amount of memory in one shot, so that our allocator can
+       simply pass offsets into it when hashing.
+
+       This won't work anymore when we support delta CRLs and iCRLs, because
+       the size of the hash table will vary over time. At that point, the best
+       solution will be to allocate large CRLEntry structures by modifying
+       the DER decoding template. The extra space would be for next/prev
+       pointers. This would allow entries from different CRLs to be mixed in
+       the same hash table.
+    */
+    PLHashTable* entries;
+    PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
+    PRBool sigChecked; /* this CRL signature has already been checked */
+    PRBool sigValid; /* signature verification status .
+                        Only meaningful if checked is PR_TRUE . */
+    PRBool unbuildable; /* Avoid using assosiated CRL is it fails
+                         * a decoding step */
+};
+
+/*  CRL distribution point cache object
+    This is a cache of CRL entries for a given distribution point of an issuer
+    It is built from a collection of one full and 0 or more delta CRLs.
+*/
+
+struct CRLDPCacheStr {
+#ifdef DPC_RWLOCK
+    NSSRWLock* lock;
+#else
+    PRLock* lock;
+#endif
+    CERTCertificate* issuer;    /* cert issuer 
+                                   XXX there may be multiple issuer certs,
+                                       with different validity dates. Also
+                                       need to deal with SKID/AKID . See
+                                       bugzilla 217387, 233118 */
+    SECItem* subject;           /* DER of issuer subject */
+    SECItem* distributionPoint; /* DER of distribution point. This may be
+                                   NULL when distribution points aren't
+                                   in use (ie. the CA has a single CRL).
+                                   Currently not used. */
+
+    /* array of full CRLs matching this distribution point */
+    PRUint32 ncrls;              /* total number of CRLs in crls */
+    CachedCrl** crls;            /* array of all matching CRLs */
+    /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several
+       issuers. In the future, we'll need to globally recycle the CRL in a
+       separate list in order to avoid extra lookups, decodes, and copies */
+
+    /* pointers to good decoded CRLs used to build the cache */
+    CachedCrl* selected;    /* full CRL selected for use in the cache */
+#if 0
+    /* for future use */
+    PRInt32 numdeltas;      /* number of delta CRLs used for the cache */
+    CachedCrl** deltas;     /* delta CRLs used for the cache */
+#endif
+    /* cache invalidity bitflag */
+    PRUint16 invalid;       /* this state will be set if either
+             CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
+             In those cases, all certs are considered revoked as a
+             security precaution. The invalid state can only be cleared
+             during an update if all error states are cleared */
+    PRBool refresh;        /* manual refresh from tokens has been forced */
+    PRBool mustchoose;     /* trigger reselection algorithm, for case when
+                              RAM CRL objects are dropped from the cache */
+    PRTime lastfetch;      /* time a CRL token fetch was last performed */
+    PRTime lastcheck;      /* time CRL token objects were last checked for
+                              existence */
+};
+
+/*  CRL issuer cache object
+    This object tracks all the distribution point caches for a given issuer.
+    XCRL once we support multiple issuing distribution points, this object
+    will be a hash table. For now, it just holds the single CRL distribution
+    point cache structure.
+*/
+
+struct CRLIssuerCacheStr {
+    SECItem* subject;           /* DER of issuer subject */
+    CRLDPCache* dpp;
+#if 0
+    /* XCRL for future use.
+       We don't need to lock at the moment because we only have one DP,
+       which gets created at the same time as this object */
+    NSSRWLock* lock;
+    CRLDPCache** dps;
+    PLHashTable* distributionpoints;
+    CERTCertificate* issuer;
+#endif
+};
+
+/*  CRL revocation cache object
+    This object tracks all the issuer caches
+*/
+
+struct CRLCacheStr {
+#ifdef GLOBAL_RWLOCK
+    NSSRWLock* lock;
+#else
+    PRLock* lock;
+#endif
+    /* hash table of issuer to CRLIssuerCacheStr,
+       indexed by issuer DER subject */
+    PLHashTable* issuers;
+};
+
+SECStatus InitCRLCache(void);
+SECStatus ShutdownCRLCache(void);
+
+/* Returns a pointer to an environment-like string, a series of
+** null-terminated strings, terminated by a zero-length string.
+** This function is intended to be internal to NSS.
+*/
+extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
+
+/*
+ * These functions are used to map subjectKeyID extension values to certs.
+ */
+SECStatus
+cert_CreateSubjectKeyIDHashTable(void);
+
+SECStatus
+cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
+
+/*
+ * Call this function to remove an entry from the mapping table.
+ */
+SECStatus
+cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
+
+SECStatus
+cert_DestroySubjectKeyIDHashTable(void);
+
+SECItem*
+cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);
+
+/* return maximum length of AVA value based on its type OID tag. */
+extern int cert_AVAOidTagToMaxLen(SECOidTag tag);
+
+/* Make an AVA, allocated from pool, from OID and DER encoded value */
+extern CERTAVA * CERT_CreateAVAFromRaw(PRArenaPool *pool, 
+                               const SECItem * OID, const SECItem * value);
+
+/*
+ * get a DPCache object for the given issuer subject and dp
+ * Automatically creates the cache object if it doesn't exist yet.
+ */
+SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
+                         SECItem* dp, int64 t, void* wincx,
+                         CRLDPCache** dpcache, PRBool* writeLocked);
+
+/* release a DPCache object that was previously acquired */
+void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked);
+
+/* this function assumes the caller holds a lock on the DPCache */
+SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena,
+                             CERTSignedCrl*** crls, PRUint16* status);
+
+/* this function assumes the caller holds a lock on the DPCache */
+SECStatus DPCache_GetCRLEntry(CRLDPCache* cache, PRBool readlocked,
+                              CERTSignedCrl* crl, SECItem* sn,
+                              CERTCrlEntry** returned);
+
+/*
+ * map Stan errors into NSS errors
+ * This function examines the stan error stack and automatically sets
+ * PORT_SetError(); to the appropriate SEC_ERROR value.
+ */
+void CERT_MapStanError();
+
+/* Interface function for libpkix cert validation engine:
+ * cert_verify wrapper. */
+SECStatus
+cert_VerifyCertChainPkix(CERTCertificate *cert,
+                         PRBool checkSig,
+                         SECCertUsage     requiredUsage,
+                         PRTime           time,
+                         void            *wincx,
+                         CERTVerifyLog   *log,
+                         PRBool          *sigError,
+                         PRBool          *revoked);
+
+SECStatus cert_InitLocks(void);
+
+SECStatus cert_DestroyLocks(void);
+
+/*
+ * fill in nsCertType field of the cert based on the cert extension
+ */
+extern SECStatus cert_GetCertType(CERTCertificate *cert);
+
+/*
+ * compute and return the value of nsCertType for cert, but do not 
+ * update the CERTCertificate.
+ */
+extern PRUint32 cert_ComputeCertType(CERTCertificate *cert);
+
+void cert_AddToVerifyLog(CERTVerifyLog *log,CERTCertificate *cert,
+                         unsigned long errorCode, unsigned int depth,
+                         void *arg);
+
+#endif /* _CERTI_H_ */
+
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
new file mode 100644
index 000000000..c1038973b
--- /dev/null
+++ b/security/nss/lib/certdb/certt.h
@@ -0,0 +1,1307 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _CERTT_H_
+#define _CERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Stan data types */
+struct NSSCertificateStr;
+struct NSSTrustDomainStr;
+
+/* Non-opaque objects */
+typedef struct CERTAVAStr                        CERTAVA;
+typedef struct CERTAttributeStr                  CERTAttribute;
+typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
+typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
+typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
+typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
+typedef struct CERTCertExtensionStr              CERTCertExtension;
+typedef struct CERTCertKeyStr                    CERTCertKey;
+typedef struct CERTCertListStr                   CERTCertList;
+typedef struct CERTCertListNodeStr               CERTCertListNode;
+typedef struct CERTCertNicknamesStr              CERTCertNicknames;
+typedef struct CERTCertTrustStr                  CERTCertTrust;
+typedef struct CERTCertificateStr                CERTCertificate;
+typedef struct CERTCertificateListStr            CERTCertificateList;
+typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
+typedef struct CERTCrlStr                        CERTCrl;
+typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
+typedef struct CERTCrlEntryStr                   CERTCrlEntry;
+typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
+typedef struct CERTCrlKeyStr                     CERTCrlKey;
+typedef struct CERTCrlNodeStr                    CERTCrlNode;
+typedef struct CERTDERCertsStr                   CERTDERCerts;
+typedef struct CERTDistNamesStr                  CERTDistNames;
+typedef struct CERTGeneralNameStr                CERTGeneralName;
+typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
+typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
+typedef struct CERTNameStr                       CERTName;
+typedef struct CERTNameConstraintStr             CERTNameConstraint;
+typedef struct CERTNameConstraintsStr            CERTNameConstraints;
+typedef struct CERTOKDomainNameStr               CERTOKDomainName;
+typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
+typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
+typedef struct CERTRDNStr                        CERTRDN;
+typedef struct CERTSignedCrlStr                  CERTSignedCrl;
+typedef struct CERTSignedDataStr                 CERTSignedData;
+typedef struct CERTStatusConfigStr               CERTStatusConfig;
+typedef struct CERTSubjectListStr                CERTSubjectList;
+typedef struct CERTSubjectNodeStr                CERTSubjectNode;
+typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
+typedef struct CERTValidityStr                   CERTValidity;
+typedef struct CERTVerifyLogStr                  CERTVerifyLog;
+typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
+typedef struct CRLDistributionPointStr           CRLDistributionPoint;
+
+/* CRL extensions type */
+typedef unsigned long CERTCrlNumber;
+
+/*
+** An X.500 AVA object
+*/
+struct CERTAVAStr {
+    SECItem type;
+    SECItem value;
+};
+
+/*
+** An X.500 RDN object
+*/
+struct CERTRDNStr {
+    CERTAVA **avas;
+};
+
+/*
+** An X.500 name object
+*/
+struct CERTNameStr {
+    PLArenaPool *arena;
+    CERTRDN **rdns;
+};
+
+/*
+** An X.509 validity object
+*/
+struct CERTValidityStr {
+    PLArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct CERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct CERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct CERTSubjectPublicKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+struct CERTPublicKeyAndChallengeStr {
+    SECItem spki;
+    SECItem challenge;
+};
+
+struct CERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+ * defined the types of trust that exist
+ */
+typedef enum SECTrustTypeEnum {
+    trustSSL = 0,
+    trustEmail = 1,
+    trustObjectSigning = 2,
+    trustTypeNone = 3
+} SECTrustType;
+
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+        (((type)==trustSSL)?((trust)->sslFlags): \
+	 (((type)==trustEmail)?((trust)->emailFlags): \
+	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+
+/*
+** An X.509.3 certificate extension
+*/
+struct CERTCertExtensionStr {
+    SECItem id;
+    SECItem critical;
+    SECItem value;
+};
+
+struct CERTSubjectNodeStr {
+    struct CERTSubjectNodeStr *next;
+    struct CERTSubjectNodeStr *prev;
+    SECItem certKey;
+    SECItem keyID;
+};
+
+struct CERTSubjectListStr {
+    PLArenaPool *arena;
+    int ncerts;
+    char *emailAddr;
+    CERTSubjectNode *head;
+    CERTSubjectNode *tail; /* do we need tail? */
+    void *entry;
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct CERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    PLArenaPool *arena;
+
+    /* The following fields are static after the cert has been decoded */
+    char *subjectName;
+    char *issuerName;
+    CERTSignedData signatureWrap;	/* XXX */
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derPublicKey;		/* DER for the public key */
+    SECItem certKey;			/* database key for this cert */
+    SECItem version;
+    SECItem serialNumber;
+    SECAlgorithmID signature;
+    CERTName issuer;
+    CERTValidity validity;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem issuerID;
+    SECItem subjectID;
+    CERTCertExtension **extensions;
+    char *emailAddr;
+    CERTCertDBHandle *dbhandle;
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    PRBool keyIDGenerated;	/* was the keyid generated? */
+    unsigned int keyUsage;	/* what uses are allowed for this cert */
+    unsigned int rawKeyUsage;	/* value of the key usage extension */
+    PRBool keyUsagePresent;	/* was the key usage extension present */
+    PRUint32 nsCertType;	/* value of the ns cert type extension */
+				/* must be 32-bit for PR_AtomicSet */
+
+    /* these values can be set by the application to bypass certain checks
+     * or to keep the cert in memory for an entire session.
+     * XXX - need an api to set these
+     */
+    PRBool keepSession;			/* keep this cert for entire session*/
+    PRBool timeOK;			/* is the bad validity time ok? */
+    CERTOKDomainName *domainOK;		/* these domain names are ok */
+
+    /*
+     * these values can change when the cert changes state.  These state
+     * changes include transitions from temp to perm or vice-versa, and
+     * changes of trust flags
+     */
+    PRBool isperm;
+    PRBool istemp;
+    char *nickname;
+    char *dbnickname;
+    struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
+    CERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    /* The subject list is a list of all certs with the same subject name.
+     * It can be modified any time a cert is added or deleted from either
+     * the in-memory(temporary) or on-disk(permanent) database.
+     */
+    CERTSubjectList *subjectList;
+
+    /* these belong in the static section, but are here to maintain
+     * the structure's integrity
+     */
+    CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
+    PRBool isRoot;              /* cert is the end of a chain */
+
+    /* these fields are used by client GUI code to keep track of ssl sockets
+     * that are blocked waiting on GUI feedback related to this cert.
+     * XXX - these should be moved into some sort of application specific
+     *       data structure.  They are only used by the browser right now.
+     */
+    union {
+        void* apointer; /* was struct SECSocketNode* authsocketlist */
+        struct {
+            unsigned int hasUnsupportedCriticalExt :1;
+            /* add any new option bits needed here */
+        } bits;
+    } options;
+    int series; /* was int authsocketcount; record the series of the pkcs11ID */
+
+    /* This is PKCS #11 stuff. */
+    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
+    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
+    PRBool ownSlot;		/*true if the cert owns the slot reference */
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+/*
+ * used to identify class of cert in mime stream code
+ */
+#define SEC_CERT_CLASS_CA	1
+#define SEC_CERT_CLASS_SERVER	2
+#define SEC_CERT_CLASS_USER	3
+#define SEC_CERT_CLASS_EMAIL	4
+
+struct CERTDERCertsStr {
+    PLArenaPool *arena;
+    int numcerts;
+    SECItem *rawCerts;
+};
+
+/*
+** A PKCS ? Attribute
+** XXX this is duplicated through out the code, it *should* be moved
+** to a central location.  Where would be appropriate?
+*/
+struct CERTAttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+
+/*
+** A PKCS#10 certificate-request object (the unsigned form)
+*/
+struct CERTCertificateRequestStr {
+    PLArenaPool *arena;
+    SECItem version;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    CERTAttribute **attributes;
+};
+#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
+
+
+/*
+** A certificate list object.
+*/
+struct CERTCertificateListStr {
+    SECItem *certs;
+    int len;					/* number of certs */
+    PLArenaPool *arena;
+};
+
+struct CERTCertListNodeStr {
+    PRCList links;
+    CERTCertificate *cert;
+    void *appData;
+};
+
+struct CERTCertListStr {
+    PRCList list;
+    PLArenaPool *arena;
+};
+
+#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
+#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
+#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
+
+struct CERTCrlEntryStr {
+    SECItem serialNumber;
+    SECItem revocationDate;
+    CERTCertExtension **extensions;    
+};
+
+struct CERTCrlStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID signatureAlg;
+    SECItem derName;
+    CERTName name;
+    SECItem lastUpdate;
+    SECItem nextUpdate;				/* optional for x.509 CRL  */
+    CERTCrlEntry **entries;
+    CERTCertExtension **extensions;    
+    /* can't add anything there for binary backwards compatibility reasons */
+};
+
+struct CERTCrlKeyStr {
+    SECItem derName;
+    SECItem dummy;			/* The decoder can not skip a primitive,
+					   this serves as a place holder for the
+					   decoder to finish its task only
+					*/
+};
+
+struct CERTSignedCrlStr {
+    PLArenaPool *arena;
+    CERTCrl crl;
+    void *reserved1;
+    PRBool reserved2;
+    PRBool isperm;
+    PRBool istemp;
+    int referenceCount;
+    CERTCertDBHandle *dbhandle;
+    CERTSignedData signatureWrap;	/* XXX */
+    char *url;
+    SECItem *derCrl;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE pkcs11ID;
+    void* opaque; /* do not touch */
+};
+
+
+struct CERTCrlHeadNodeStr {
+    PLArenaPool *arena;
+    CERTCertDBHandle *dbhandle;
+    CERTCrlNode *first;
+    CERTCrlNode *last;
+};
+
+
+struct CERTCrlNodeStr {
+    CERTCrlNode *next;
+    int 	type;
+    CERTSignedCrl *crl;
+};
+
+
+/*
+ * Array of X.500 Distinguished Names
+ */
+struct CERTDistNamesStr {
+    PLArenaPool *arena;
+    int nnames;
+    SECItem  *names;
+    void *head; /* private */
+};
+
+
+#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
+#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
+#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
+#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
+#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
+#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
+#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
+
+#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
+#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
+
+#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
+			  NS_CERT_TYPE_SSL_SERVER | \
+			  NS_CERT_TYPE_EMAIL | \
+			  NS_CERT_TYPE_OBJECT_SIGNING )
+
+#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
+			 NS_CERT_TYPE_EMAIL_CA | \
+			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
+			 EXT_KEY_USAGE_STATUS_RESPONDER )
+typedef enum SECCertUsageEnum {
+    certUsageSSLClient = 0,
+    certUsageSSLServer = 1,
+    certUsageSSLServerWithStepUp = 2,
+    certUsageSSLCA = 3,
+    certUsageEmailSigner = 4,
+    certUsageEmailRecipient = 5,
+    certUsageObjectSigner = 6,
+    certUsageUserCertImport = 7,
+    certUsageVerifyCA = 8,
+    certUsageProtectedObjectSigner = 9,
+    certUsageStatusResponder = 10,
+    certUsageAnyCA = 11
+} SECCertUsage;
+
+typedef PRInt64 SECCertificateUsage;
+
+#define certificateUsageCheckAllUsages         (0x0000)
+#define certificateUsageSSLClient              (0x0001)
+#define certificateUsageSSLServer              (0x0002)
+#define certificateUsageSSLServerWithStepUp    (0x0004)
+#define certificateUsageSSLCA                  (0x0008)
+#define certificateUsageEmailSigner            (0x0010)
+#define certificateUsageEmailRecipient         (0x0020)
+#define certificateUsageObjectSigner           (0x0040)
+#define certificateUsageUserCertImport         (0x0080)
+#define certificateUsageVerifyCA               (0x0100)
+#define certificateUsageProtectedObjectSigner  (0x0200)
+#define certificateUsageStatusResponder        (0x0400)
+#define certificateUsageAnyCA                  (0x0800)
+
+#define certificateUsageHighest certificateUsageAnyCA
+
+/*
+ * Does the cert belong to the user, a peer, or a CA.
+ */
+typedef enum CERTCertOwnerEnum {
+    certOwnerUser = 0,
+    certOwnerPeer = 1,
+    certOwnerCA = 2
+} CERTCertOwner;
+
+/*
+ * This enum represents the state of validity times of a certificate
+ */
+typedef enum SECCertTimeValidityEnum {
+    secCertTimeValid = 0,
+    secCertTimeExpired = 1,
+    secCertTimeNotValidYet = 2,
+    secCertTimeUndetermined = 3 /* validity could not be decoded from the
+                                   cert, most likely because it was NULL */
+} SECCertTimeValidity;
+
+/*
+ * This is used as return status in functions that compare the validity
+ * periods of two certificates A and B, currently only
+ * CERT_CompareValidityTimes.
+ */
+
+typedef enum CERTCompareValidityStatusEnum
+{
+    certValidityUndetermined = 0, /* the function is unable to select one cert 
+                                     over another */
+    certValidityChooseB = 1,      /* cert B should be preferred */
+    certValidityEqual = 2,        /* both certs have the same validity period */
+    certValidityChooseA = 3       /* cert A should be preferred */
+} CERTCompareValidityStatus;
+
+/*
+ * Interface for getting certificate nickname strings out of the database
+ */
+
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL		1
+#define SEC_CERT_NICKNAMES_USER		2
+#define SEC_CERT_NICKNAMES_SERVER	3
+#define SEC_CERT_NICKNAMES_CA		4
+
+struct CERTCertNicknamesStr {
+    PLArenaPool *arena;
+    void *head;
+    int numnicknames;
+    char **nicknames;
+    int what;
+    int totallen;
+};
+
+struct CERTIssuerAndSNStr {
+    SECItem derIssuer;
+    CERTName issuer;
+    SECItem serialNumber;
+};
+
+
+/* X.509 v3 Key Usage Extension flags */
+#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
+#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
+#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
+#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
+#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
+#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
+#define KU_CRL_SIGN			(0x02)  /* bit 6 */
+#define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
+#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
+					 KU_NON_REPUDIATION | \
+					 KU_KEY_ENCIPHERMENT | \
+					 KU_DATA_ENCIPHERMENT | \
+					 KU_KEY_AGREEMENT | \
+					 KU_KEY_CERT_SIGN | \
+					 KU_CRL_SIGN | \
+					 KU_ENCIPHER_ONLY)
+
+/* This value will not occur in certs.  It is used internally for the case
+ * when the key type is not know ahead of time and either key agreement or
+ * key encipherment are the correct value based on key type
+ */
+#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
+
+/* internal bits that do not match bits in the x509v3 spec, but are used
+ * for similar purposes
+ */
+#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
+/*
+ * x.509 v3 Basic Constraints Extension
+ * If isCA is false, the pathLenConstraint is ignored.
+ * Otherwise, the following pathLenConstraint values will apply:
+ *	< 0 - there is no limit to the certificate path
+ *	0   - CA can issues end-entity certificates only
+ *	> 0 - the number of certificates in the certificate path is
+ *	      limited to this number
+ */
+#define CERT_UNLIMITED_PATH_CONSTRAINT -2
+
+struct CERTBasicConstraintsStr {
+    PRBool isCA;			/* on if is CA */
+    int pathLenConstraint;		/* maximum number of certificates that can be
+					   in the cert path.  Only applies to a CA
+					   certificate; otherwise, it's ignored.
+					 */
+};
+
+/* Maximum length of a certificate chain */
+#define CERT_MAX_CERT_CHAIN 20
+
+#define CERT_MAX_SERIAL_NUMBER_BYTES  20    /* from RFC 3280 */
+#define CERT_MAX_DN_BYTES             4096  /* arbitrary */
+
+/* x.509 v3 Reason Flags, used in CRLDistributionPoint Extension */
+#define RF_UNUSED			(0x80)	/* bit 0 */
+#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
+#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
+#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
+#define RF_SUPERSEDED			(0x08)  /* bit 4 */
+#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
+#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
+
+/* enum for CRL Entry Reason Code */
+typedef enum CERTCRLEntryReasonCodeEnum {
+    crlEntryReasonUnspecified = 0,
+    crlEntryReasonKeyCompromise = 1,
+    crlEntryReasonCaCompromise = 2,
+    crlEntryReasonAffiliationChanged = 3,
+    crlEntryReasonSuperseded = 4,
+    crlEntryReasonCessationOfOperation = 5,
+    crlEntryReasoncertificatedHold = 6,
+    crlEntryReasonRemoveFromCRL = 8,
+    crlEntryReasonPrivilegeWithdrawn = 9,
+    crlEntryReasonAaCompromise = 10
+} CERTCRLEntryReasonCode;
+
+/* If we needed to extract the general name field, use this */
+/* General Name types */
+typedef enum CERTGeneralNameTypeEnum {
+    certOtherName = 1,
+    certRFC822Name = 2,
+    certDNSName = 3,
+    certX400Address = 4,
+    certDirectoryName = 5,
+    certEDIPartyName = 6,
+    certURI = 7,
+    certIPAddress = 8,
+    certRegisterID = 9
+} CERTGeneralNameType;
+
+
+typedef struct OtherNameStr {
+    SECItem          name;
+    SECItem          oid;
+}OtherName;
+
+
+
+struct CERTGeneralNameStr {
+    CERTGeneralNameType type;		/* name type */
+    union {
+	CERTName directoryName;         /* distinguish name */
+	OtherName  OthName;		/* Other Name */
+	SECItem other;                  /* the rest of the name forms */
+    }name;
+    SECItem derDirectoryName;		/* this is saved to simplify directory name
+					   comparison */
+    PRCList l;
+};
+
+struct CERTGeneralNameListStr {
+    PLArenaPool *arena;
+    CERTGeneralName *name;
+    int refCount;
+    int len;
+    PZLock *lock;
+};
+
+struct CERTNameConstraintStr {
+    CERTGeneralName  name;
+    SECItem          DERName;
+    SECItem          min;
+    SECItem          max;
+    PRCList          l;
+};
+
+
+struct CERTNameConstraintsStr {
+    CERTNameConstraint  *permited;
+    CERTNameConstraint  *excluded;
+    SECItem             **DERPermited;
+    SECItem             **DERExcluded;
+};
+
+
+/* Private Key Usage Period extension struct. */
+struct CERTPrivKeyUsagePeriodStr {
+    SECItem notBefore;
+    SECItem notAfter;
+    PLArenaPool *arena;
+};
+
+/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
+   issuer field, we only support URI now.
+ */
+struct CERTAuthKeyIDStr {
+    SECItem keyID;			/* unique key identifier */
+    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
+    SECItem authCertSerialNumber;	/* CA's certificate serial number */
+    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
+					   the authCertIssuer field. It is used
+					   by the encoding engine. It should be
+					   used as a read only field by the caller.
+					*/
+};
+
+/* x.509 v3 CRL Distributeion Point */
+
+/*
+ * defined the types of CRL Distribution points
+ */
+typedef enum DistributionPointTypesEnum {
+    generalName = 1,			/* only support this for now */
+    relativeDistinguishedName = 2
+} DistributionPointTypes;
+
+struct CRLDistributionPointStr {
+    DistributionPointTypes distPointType;
+    union {
+	CERTGeneralName *fullName;
+	CERTRDN relativeName;
+    } distPoint;
+    SECItem reasons;
+    CERTGeneralName *crlIssuer;
+    
+    /* Reserved for internal use only*/
+    SECItem derDistPoint;
+    SECItem derRelativeName;
+    SECItem **derCrlIssuer;
+    SECItem **derFullName;
+    SECItem bitsmap;
+};
+
+struct CERTCrlDistributionPointsStr {
+    CRLDistributionPoint **distPoints;
+};
+
+/*
+ * This structure is used to keep a log of errors when verifying
+ * a cert chain.  This allows multiple errors to be reported all at
+ * once.
+ */
+struct CERTVerifyLogNodeStr {
+    CERTCertificate *cert;	/* what cert had the error */
+    long error;			/* what error was it? */
+    unsigned int depth;		/* how far up the chain are we */
+    void *arg;			/* error specific argument */
+    struct CERTVerifyLogNodeStr *next; /* next in the list */
+    struct CERTVerifyLogNodeStr *prev; /* next in the list */
+};
+
+
+struct CERTVerifyLogStr {
+    PLArenaPool *arena;
+    unsigned int count;
+    struct CERTVerifyLogNodeStr *head;
+    struct CERTVerifyLogNodeStr *tail;
+};
+
+
+struct CERTOKDomainNameStr {
+    CERTOKDomainName *next;
+    char              name[1]; /* actual length may be longer. */
+};
+
+
+typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
+						    CERTCertificate *cert,
+						    PRTime time,
+						    void *pwArg);
+
+typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
+
+struct CERTStatusConfigStr {
+    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
+    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
+    void *statusContext;		/* cx specific to checking protocol */
+};
+
+struct CERTAuthInfoAccessStr {
+    SECItem method;
+    SECItem derLocation;
+    CERTGeneralName *location;		/* decoded location */
+};
+
+
+/* This is the typedef for the callback passed to CERT_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
+
+/*
+ * types of cert packages that we can decode
+ */
+typedef enum CERTPackageTypeEnum {
+    certPackageNone = 0,
+    certPackageCert = 1,
+    certPackagePKCS7 = 2,
+    certPackageNSCertSeq = 3,
+    certPackageNSCertWrap = 4
+} CERTPackageType;
+
+/*
+ * these types are for the PKIX Certificate Policies extension
+ */
+typedef struct {
+    SECOidTag oid;
+    SECItem qualifierID;
+    SECItem qualifierValue;
+} CERTPolicyQualifier;
+
+typedef struct {
+    SECOidTag oid;
+    SECItem policyID;
+    CERTPolicyQualifier **policyQualifiers;
+} CERTPolicyInfo;
+
+typedef struct {
+    PLArenaPool *arena;
+    CERTPolicyInfo **policyInfos;
+} CERTCertificatePolicies;
+
+typedef struct {
+    SECItem organization;
+    SECItem **noticeNumbers;
+} CERTNoticeReference;
+
+typedef struct {
+    PLArenaPool *arena;
+    CERTNoticeReference noticeReference;
+    SECItem derNoticeReference;
+    SECItem displayText;
+} CERTUserNotice;
+
+typedef struct {
+    PLArenaPool *arena;
+    SECItem **oids;
+} CERTOidSequence;
+
+/*
+ * these types are for the PKIX Policy Mappings extension
+ */
+typedef struct {
+    SECItem issuerDomainPolicy;
+    SECItem subjectDomainPolicy;
+} CERTPolicyMap;
+
+typedef struct {
+    PLArenaPool *arena;
+    CERTPolicyMap **policyMaps;
+} CERTCertificatePolicyMappings;
+
+/*
+ * these types are for the PKIX inhibitAnyPolicy extension
+ */
+typedef struct {
+    SECItem inhibitAnySkipCerts;
+} CERTCertificateInhibitAny;
+
+/*
+ * these types are for the PKIX Policy Constraints extension
+ */
+typedef struct {
+    SECItem explicitPolicySkipCerts;
+    SECItem inhibitMappingSkipCerts;
+} CERTCertificatePolicyConstraints;
+
+
+/*
+ * these types are for the CERT_PKIX* Verification functions
+ * These are all optional parameters.
+ */
+
+typedef enum {
+   cert_pi_end             = 0, /* SPECIAL: signifies end of array of  
+				 * CERTValParam* */
+   cert_pi_nbioContext     = 1, /* specify a non-blocking IO context used to
+			         * resume a session. If this argument is 
+				 * specified, no other arguments should be.
+				 * Specified in value.pointer.p. If the 
+				 * operation completes the context will be 
+				 * freed. */
+   cert_pi_nbioAbort       = 2, /* specify a non-blocking IO context for an 
+				 * existing operation which the caller wants
+			         * to abort. If this argument is 
+				 * specified, no other arguments should be.
+				 * Specified in value.pointer.p. If the 
+			         * operation succeeds the context will be 
+				 * freed. */
+   cert_pi_certList        = 3, /* specify the chain to validate against. If
+				 * this value is given, then the path 
+				 * construction step in the validation is 
+				 * skipped. Specified in value.pointer.chain */
+   cert_pi_policyOID       = 4, /* validate certificate for policy OID.
+				 * Specified in value.array.oids. Cert must
+				 * be good for at least one OID in order
+				 * to validate. Default is no policyOID */
+   cert_pi_policyFlags     = 5, /* flags for each policy specified in policyOID.
+				 * Specified in value.scalar.ul. Policy flags
+				 * apply to all specified oids. 
+				 * Use CERT_POLICY_FLAG_* macros below. If not
+				 * specified policy flags default to 0 */
+   cert_pi_keyusage        = 6, /* specify what the keyusages the certificate 
+				 * will be evaluated against, specified in
+				 * value.scalar.ui. The cert must validate for
+				 * at least one of the specified key usages.
+				 * Values match the KU_  bit flags defined
+				 * in this file. Default is derived from
+				 * the 'usages' function argument */
+   cert_pi_extendedKeyusage= 7, /* specify what the required extended key 
+				 * usage of the certificate. Specified as
+				 * an array of oidTags in value.array.oids.
+				 * The cert must validate for at least one
+				 * of the specified extended key usages.
+				 * If not specified, no extended key usages
+				 * will be checked. */
+   cert_pi_date            = 8, /* validate certificate is valid as of date 
+				 * specified in value.scalar.time. A special 
+				 * value '0' indicates 'now'. default is '0' */
+   cert_pi_revocationFlags = 9, /* Specify what revocation checking to do.
+				 * See CERT_REV_FLAG_* macros below
+				 * Set in value.pointer.revocation */
+   cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
+				 * Set in value.scalar.ui */
+   cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
+				 * validate against. If the list in NULL all
+				 * default trusted roots are used.
+				 * Specified in value.pointer.chain */
+   cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
+				 * Default is off.
+                                     * Value is in value.scalar.b */
+   cert_pi_max                  /* SPECIAL: signifies maximum allowed value,
+				 *  can increase in future releases */
+} CERTValParamInType;
+
+/*
+ * for all out parameters:
+ *  out parameters are only returned if the caller asks for them in
+ *  the CERTValOutParam array. Caller is responsible for the CERTValOutParam
+ *  array itself. The pkix verify function will allocate and other arrays
+ *  pointers, or objects. The Caller is responsible for freeing those results.
+ * If SECWouldBlock is returned, only cert_pi_nbioContext is returned.
+ */
+typedef enum {
+   cert_po_end             = 0, /* SPECIAL: signifies end of array of  
+				 * CERTValParam* */
+   cert_po_nbioContext     = 1, /* Return a nonblocking context. If no
+				 * non-blocking context is specified, then
+				 * blocking IO will be used. 
+				 * Returned in value.pointer.p. The context is 
+				 * freed after an abort or a complete operation.
+				 * This value is only returned on SECWouldBlock.
+				 */
+   cert_po_trustAnchor     = 2, /* Return the trust anchor for the chain that
+				 * was validated. Returned in 
+				 * value.pointer.cert, this value is only 
+				 * returned on SECSuccess. */
+   cert_po_certList        = 3, /* Return the entire chain that was validated.
+				 * Returned in value.pointer.certList. If no 
+				 * chain could be constructed, this value 
+				 * would be NULL. */
+   cert_po_policyOID       = 4, /* Return the policies that were found to be
+				 * valid. Returned in value.array.oids as an 
+				 * array. This is only returned on 
+				 * SECSuccess. */
+   cert_po_errorLog        = 5, /* Return a log of problems with the chain.
+				 * Returned in value.pointer.log  */
+   cert_po_usages          = 6, /* Return what usages the certificate is valid
+				   for. Returned in value.scalar.usages */
+   cert_po_keyUsage        = 7, /* Return what key usages the certificate
+				 * is valid for.
+				 * Returned in value.scalar.usage */
+   cert_po_extendedKeyusage= 8, /* Return what extended key usages the
+				 * certificate is valid for.
+				 * Returned in value.array.oids */
+   cert_po_max                  /* SPECIAL: signifies maximum allowed value,
+				 *  can increase in future releases */
+
+} CERTValParamOutType;
+
+typedef enum {
+    cert_revocation_method_crl = 0,
+    cert_revocation_method_ocsp,
+    cert_revocation_method_count
+} CERTRevocationMethodIndex;
+
+
+/*
+ * The following flags are supposed to be used to control bits in
+ * each integer contained in the array pointed to be:
+ *     CERTRevocationTests.cert_rev_flags_per_method
+ * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
+ * this is a method dependent flag.
+ */
+
+/*
+ * Whether or not to use a method for revocation testing.
+ * If set to "do not test", then all other flags are ignored.
+ */
+#define CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD     0L
+#define CERT_REV_M_TEST_USING_THIS_METHOD            1L
+
+/*
+ * Whether or not NSS is allowed to attempt to fetch fresh information
+ *         from the network.
+ * (Although fetching will never happen if fresh information for the
+ *           method is already locally available.)
+ */
+#define CERT_REV_M_ALLOW_NETWORK_FETCHING            0L
+#define CERT_REV_M_FORBID_NETWORK_FETCHING           2L
+
+/*
+ * Example for an implicit default source:
+ *         The globally configured default OCSP responder.
+ * IGNORE means:
+ *        ignore the implicit default source, whether it's configured or not.
+ * ALLOW means:
+ *       if an implicit default source is configured, 
+ *          then it overrides any available or missing source in the cert.
+ *       if no implicit default source is configured,
+ *          then we continue to use what's available (or not available) 
+ *          in the certs.
+ */ 
+#define CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE     0L
+#define CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE    4L
+
+/*
+ * Defines the behavior if no fresh information is available,
+ *   fetching from the network is allowed, but the source of revocation
+ *   information is unknown (even after considering implicit sources,
+ *   if allowed by other flags).
+ * SKIPT_TEST means:
+ *          We ignore that no fresh information is available and 
+ *          skip this test.
+ * REQUIRE_INFO means:
+ *          We still require that fresh information is available.
+ *          Other flags define what happens on missing fresh info.
+ */
+#define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE       0L
+#define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE    8L
+
+/*
+ * Defines the behavior if we are unable to obtain fresh information.
+ * INGORE means:
+ *        Return "test succeded, not revoked"
+ * FAIL means:
+ *      Return "cert revoked".
+ */
+#define CERT_REV_M_IGNORE_MISSING_FRESH_INFO         0L
+#define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO        16L
+
+/*
+ * What should happen if we were able to find fresh information using
+ * this method, and the data indicated the cert is good?
+ * STOP_TESTING means:
+ *              Our success is sufficient, do not continue testing
+ *              other methods.
+ * CONTINUE_TESTING means:
+ *                  We will continue and test the next allowed
+ *                  specified method.
+ */
+#define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0L
+#define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32L
+
+/*
+ * The following flags are supposed to be used to control bits in
+ *     CERTRevocationTests.cert_rev_method_independent_flags
+ * All Flags are prefixed by CERT_REV_M_, where _M_ indicates
+ * this is a method independent flag.
+ */
+
+/*
+ * This defines the order to checking.
+ * EACH_METHOD_SEPARATELY means:
+ *      Do all tests related to a particular allowed method
+ *      (both local information and network fetching) in a single step.
+ *      Only after testing for a particular method is done,
+ *      then switching to the next method will happen.
+ * ALL_LOCAL_INFORMATION_FIRST means:
+ *      Start by testing the information for all allowed methods
+ *      which are already locally available. Only after that is done
+ *      consider to fetch from the network (as allowed by other flags).
+ */
+#define CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY       0L
+#define CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST  1L
+
+/*
+ * Use this flag to specify that it's necessary that fresh information
+ * is available for at least one of the allowed methods, but it's
+ * irrelevant which of the mechanisms succeeded.
+ * NO_OVERALL_INFO_REQUIREMENT means:
+ *     We strictly follow the requirements for each individual method.
+ * REQUIRE_SOME_FRESH_INFO_AVAILABLE means:
+ *     After the individual tests have been executed, we must have
+ *     been able to find fresh information using at least one method.
+ *     If we were unable to find fresh info, it's a failure.
+ */
+#define CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0L
+#define CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 2L
+
+
+typedef struct {
+    /*
+     * The size of the array that cert_rev_flags_per_method points to,
+     * meaning, the number of methods that are known and defined
+     * by the caller.
+     */
+    PRUint32 number_of_defined_methods;
+
+    /*
+     * A pointer to an array of integers.
+     * Each integer defines revocation checking for a single method,
+     *      by having individual CERT_REV_M_* bits set or not set.
+     * The meaning of index numbers into this array are defined by 
+     *     enum CERTRevocationMethodIndex
+     * The size of the array must be specified by the caller in the separate
+     *     variable number_of_defined_methods.
+     * The size of the array may be smaller than 
+     *     cert_revocation_method_count, it can happen if a caller
+     *     is not yet aware of the latest revocation methods
+     *     (or does not want to use them).
+     */ 
+    PRUint64 *cert_rev_flags_per_method;
+
+    /*
+     * How many preferred methods are specified?
+     * This is equivalent to the size of the array that 
+     *      preferred_revocation_methods points to.
+     * It's allowed to set this value to zero,
+     *      then NSS will decide which methods to prefer.
+     */
+    PRUint32 number_of_preferred_methods;
+
+    /* Array that may specify an optional order of preferred methods.
+     * Each array entry shall contain a method identifier as defined
+     *   by CERTRevocationMethodIndex.
+     * The entry at index [0] specifies the method with highest preferrence.
+     * These methods will be tested first for locally available information.
+     * Methods allowed for downloading will be attempted in the same order.
+     */
+    CERTRevocationMethodIndex *preferred_methods;
+
+    /*
+     * An integer which defines certain aspects of revocation checking
+     * (independent of individual methods) by having individual
+     * CERT_REV_MI_* bits set or not set.
+     */
+    PRUint64 cert_rev_method_independent_flags;
+} CERTRevocationTests;
+
+typedef struct {
+    CERTRevocationTests leafTests;
+    CERTRevocationTests chainTests;
+} CERTRevocationFlags;
+
+typedef struct CERTValParamInValueStr {
+    union {
+        PRBool   b;
+        PRInt32  i;
+        PRUint32 ui;
+        PRInt64  l;
+        PRUint64 ul;
+        PRTime time;
+    } scalar;
+    union {
+        const void*    p;
+        const char*    s;
+        const CERTCertificate* cert;
+        const CERTCertList *chain;
+        const CERTRevocationFlags *revocation;
+    } pointer;
+    union {
+        const PRInt32  *pi;
+        const PRUint32 *pui;
+        const PRInt64  *pl;
+        const PRUint64 *pul;
+        const SECOidTag *oids;
+    } array;
+    int arraySize;
+} CERTValParamInValue;
+
+
+typedef struct CERTValParamOutValueStr {
+    union {
+        PRBool   b;
+        PRInt32  i;
+        PRUint32 ui;
+        PRInt64  l;
+        PRUint64 ul;
+        SECCertificateUsage usages;
+    } scalar;
+    union {
+        void*    p;
+        char*    s;
+        CERTVerifyLog *log;
+        CERTCertificate* cert;
+        CERTCertList *chain;
+    } pointer;
+    union {
+        void 	  *p;
+        SECOidTag *oids;
+    } array;
+    int arraySize;
+} CERTValParamOutValue;
+
+typedef struct {
+    CERTValParamInType type;
+    CERTValParamInValue value;
+} CERTValInParam;
+
+typedef struct {
+    CERTValParamOutType type;
+    CERTValParamOutValue value;
+} CERTValOutParam;
+
+/*
+ * Levels of standards conformance strictness for CERT_NameToAsciiInvertible
+ */
+typedef enum CertStrictnessLevels {
+    CERT_N2A_READABLE   =  0, /* maximum human readability */
+    CERT_N2A_STRICT     = 10, /* strict RFC compliance    */
+    CERT_N2A_INVERTIBLE = 20  /* maximum invertibility,
+                                 all DirectoryStrings encoded in hex */
+} CertStrictnessLevel;
+
+/*
+ * policy flag defines
+ */
+#define CERT_POLICY_FLAG_NO_MAPPING    1
+#define CERT_POLICY_FLAG_EXPLICIT      2
+#define CERT_POLICY_FLAG_NO_ANY        4
+
+/*
+ * CertStore flags
+ */
+#define CERT_ENABLE_LDAP_FETCH          1
+#define CERT_ENABLE_HTTP_FETCH          2
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
+extern const SEC_ASN1Template CERT_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
+extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
+extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
+extern const SEC_ASN1Template CERT_ValidityTemplate[];
+extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
+extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
+
+extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
+extern const SEC_ASN1Template CERT_NameTemplate[];
+extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
+extern const SEC_ASN1Template CERT_RDNTemplate[];
+extern const SEC_ASN1Template CERT_SignedDataTemplate[];
+extern const SEC_ASN1Template CERT_CrlTemplate[];
+extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
+
+/*
+** XXX should the attribute stuff be centralized for all of ns/security?
+*/
+extern const SEC_ASN1Template CERT_AttributeTemplate[];
+extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
+
+SEC_END_PROTOS
+
+#endif /* _CERTT_H_ */
diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c
new file mode 100644
index 000000000..616926b21
--- /dev/null
+++ b/security/nss/lib/certdb/certv3.c
@@ -0,0 +1,399 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Code for dealing with X509.V3 extensions.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+SECStatus
+CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
+			    SECItem *value)
+{
+    return (cert_FindExtensionByOID (cert->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    return (cert_FindExtension (cert->extensions, tag, value));
+}
+
+static void
+SetExts(void *object, CERTCertExtension **exts)
+{
+    CERTCertificate *cert = (CERTCertificate *)object;
+
+    cert->extensions = exts;
+    DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
+}
+
+void *
+CERT_StartCertExtensions(CERTCertificate *cert)
+{
+    return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
+}
+
+/* find the given extension in the certificate of the Issuer of 'cert' */
+SECStatus
+CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    CERTCertificate *issuercert;
+    SECStatus rv;
+
+    issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
+    if ( issuercert ) {
+	rv = cert_FindExtension(issuercert->extensions, tag, value);
+	CERT_DestroyCertificate(issuercert);
+    } else {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+/* find a URL extension in the cert or its CA
+ * apply the base URL string if it exists
+ */
+char *
+CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
+{
+    SECStatus rv;
+    SECItem urlitem = {siBuffer,0};
+    SECItem baseitem = {siBuffer,0};
+    SECItem urlstringitem = {siBuffer,0};
+    SECItem basestringitem = {siBuffer,0};
+    PRArenaPool *arena = NULL;
+    PRBool hasbase;
+    char *urlstring;
+    char *str;
+    int len;
+    unsigned int i;
+    
+    urlstring = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    hasbase = PR_FALSE;
+    
+    rv = cert_FindExtension(cert->extensions, tag, &urlitem);
+    if ( rv == SECSuccess ) {
+	rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
+				   &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+	
+    } else if ( catag ) {
+	/* if the cert doesn't have the extensions, see if the issuer does */
+	rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}	    
+	rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
+					 &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+    } else {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, &urlstringitem,
+                                SEC_ASN1_GET(SEC_IA5StringTemplate), &urlitem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    if ( hasbase ) {
+	rv = SEC_QuickDERDecodeItem(arena, &basestringitem,
+                                    SEC_ASN1_GET(SEC_IA5StringTemplate),
+                                    &baseitem);
+
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
+    
+    str = urlstring = (char *)PORT_Alloc(len);
+    if ( urlstring == NULL ) {
+	goto loser;
+    }
+    
+    /* copy the URL base first */
+    if ( hasbase ) {
+
+	/* if the urlstring has a : in it, then we assume it is an absolute
+	 * URL, and will not get the base string pre-pended
+	 */
+	for ( i = 0; i < urlstringitem.len; i++ ) {
+	    if ( urlstringitem.data[i] == ':' ) {
+		goto nobase;
+	    }
+	}
+	
+	PORT_Memcpy(str, basestringitem.data, basestringitem.len);
+	str += basestringitem.len;
+	
+    }
+
+nobase:
+    /* copy the rest (or all) of the URL */
+    PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
+    str += urlstringitem.len;
+    
+    *str = '\0';
+    goto done;
+    
+loser:
+    if ( urlstring ) {
+	PORT_Free(urlstring);
+    }
+    
+    urlstring = NULL;
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if ( baseitem.data ) {
+	PORT_Free(baseitem.data);
+    }
+    if ( urlitem.data ) {
+	PORT_Free(urlitem.data);
+    }
+
+    return(urlstring);
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension
+	    (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));    
+}
+
+
+/*
+ * get the value of a string type extension
+ */
+char *
+CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    char *retstring = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    rv = cert_FindExtension(cert->extensions, oidtag,
+			       &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
+                            SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
+    if ( retstring == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
+    retstring[tmpItem.len] = '\0';
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(retstring);
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension(cert->extensions,
+					SEC_OID_X509_KEY_USAGE, retItem));    
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    SECStatus rv;
+    SECItem encodedValue = {siBuffer, NULL, 0 };
+    SECItem decodedValue = {siBuffer, NULL, 0 };
+
+    rv = cert_FindExtension
+	 (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue);
+    if (rv == SECSuccess) {
+	PLArenaPool * tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (tmpArena) {
+	    rv = SEC_QuickDERDecodeItem(tmpArena, &decodedValue, 
+	                                SEC_ASN1_GET(SEC_OctetStringTemplate), 
+					&encodedValue);
+	    if (rv == SECSuccess) {
+	        rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
+	    }
+	    PORT_FreeArena(tmpArena, PR_FALSE);
+	} else {
+	    rv = SECFailure;
+	}
+    }
+    SECITEM_FreeItem(&encodedValue, PR_FALSE);
+    return rv;
+}
+
+SECStatus
+CERT_FindBasicConstraintExten(CERTCertificate *cert,
+			      CERTBasicConstraints *value)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (rv);
+    }
+
+    rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
+    
+    /* free the raw extension data */
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(rv);
+}
+
+CERTAuthKeyID *
+CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+    CERTAuthKeyID *ret;
+    
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(ret);
+}
+
+SECStatus
+CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
+{
+    SECItem keyUsage;
+    SECStatus rv;
+
+    /* There is no extension, v1 or v2 certificate */
+    if (cert->extensions == NULL) {
+	return (SECSuccess);
+    }
+    
+    keyUsage.data = NULL;
+
+    /* This code formerly ignored the Key Usage extension if it was
+    ** marked non-critical.  That was wrong.  Since we do understand it,
+    ** we are obligated to honor it, whether or not it is critical.
+    */
+    rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
+    if (rv == SECFailure) {
+        rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ?
+	    SECSuccess : SECFailure;
+    } else if (!(keyUsage.data[0] & usage)) {
+	PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID);
+	rv = SECFailure;
+    }
+    PORT_Free (keyUsage.data);
+    return (rv);
+}
diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c
new file mode 100644
index 000000000..c28ef211d
--- /dev/null
+++ b/security/nss/lib/certdb/certxutl.c
@@ -0,0 +1,531 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Certificate Extensions handling code
+ *
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+#ifdef OLD
+#include "ocspti.h"	/* XXX a better extensions interface would not
+			 * require knowledge of data structures of callers */
+#endif
+
+static CERTCertExtension *
+GetExtension (CERTCertExtension **extensions, SECItem *oid)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    SECComparison comp;
+
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    comp = SECITEM_CompareItem(oid, &ext->id);
+	    if ( comp == SECEqual ) 
+		break;
+
+	    exts++;
+	}
+	return (*exts ? ext : NULL);
+    }
+    return (NULL);
+}
+
+SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
+{
+    CERTCertExtension *ext;
+    SECStatus rv = SECSuccess;
+    
+    ext = GetExtension (extensions, oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+    if (value)
+	rv = SECITEM_CopyItem(NULL, value, &ext->value);
+    return (rv);
+}
+    
+
+SECStatus
+CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
+{
+    CERTCertExtension *ext;
+    SECOidData *oid;
+
+    if (!isCritical)
+	return (SECSuccess);
+    
+    /* find the extension in the extensions list */
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+    ext = GetExtension (extensions, &oid->oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+
+    /* If the criticality is omitted, then it is false by default.
+       ex->critical.data is NULL */
+    if (ext->critical.data == NULL)
+	*isCritical = PR_FALSE;
+    else
+	*isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
+    return (SECSuccess);    
+}
+
+SECStatus
+cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(cert_FindExtensionByOID(extensions, &oid->oid, value));
+}
+
+
+typedef struct _extNode {
+    struct _extNode *next;
+    CERTCertExtension *ext;
+} extNode;
+
+typedef struct {
+    void (*setExts)(void *object, CERTCertExtension **exts);
+    void *object;
+    PRArenaPool *ownerArena;
+    PRArenaPool *arena;
+    extNode *head;
+    int count;
+}extRec;
+
+/*
+ * cert_StartExtensions
+ *
+ * NOTE: This interface changed significantly to remove knowledge
+ *   about callers data structures (owner objects)
+ */
+void *
+cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
+   void (*setExts)(void *object, CERTCertExtension **exts))
+{
+    PRArenaPool *arena;
+    extRec *handle;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+
+    handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
+    if ( !handle ) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return(0);
+    }
+
+    handle->object = owner;
+    handle->ownerArena = ownerArena;
+    handle->setExts = setExts;
+
+    handle->arena = arena;
+    handle->head = 0;
+    handle->count = 0;
+    
+    return(handle);
+}
+
+static unsigned char hextrue = 0xff;
+
+/*
+ * Note - assumes that data pointed to by oid->data will not move
+ */
+SECStatus
+CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
+			PRBool critical, PRBool copyData)
+{
+    CERTCertExtension *ext;
+    SECStatus rv;
+    extNode *node;
+    extRec *handle;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extension and list node */
+    ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
+                                               sizeof(CERTCertExtension));
+    if ( !ext ) {
+	return(SECFailure);
+    }
+
+    node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
+    if ( !node ) {
+	return(SECFailure);
+    }
+
+    /* add to list */
+    node->next = handle->head;
+    handle->head = node;
+   
+    /* point to ext struct */
+    node->ext = ext;
+    
+    /* the object ID of the extension */
+    ext->id = *oid;
+    
+    /* set critical field */
+    if ( critical ) {
+	ext->critical.data = (unsigned char*)&hextrue;
+	ext->critical.len = 1;
+    }
+
+    /* set the value */
+    if ( copyData ) {
+	rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
+	if ( rv ) {
+	    return(SECFailure);
+	}
+    } else {
+	ext->value = *value;
+    }
+    
+    handle->count++;
+    
+    return(SECSuccess);
+
+}
+
+SECStatus
+CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
+		     PRBool critical, PRBool copyData)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)idtag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
+}
+
+SECStatus
+CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
+			   PRBool critical, const SEC_ASN1Template *atemplate)
+{
+    extRec *handle;
+    SECItem *encitem;
+
+    handle = (extRec *)exthandle;
+
+    encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
+    if ( encitem == NULL ) {
+	return(SECFailure);
+    }
+
+    return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
+}
+
+void
+PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
+{
+  unsigned char onebyte;
+  unsigned int i, len = 0;
+
+  /* to prevent warning on some platform at compile time */ 
+  onebyte = '\0';   
+  /* Get the position of the right-most turn-on bit */ 
+  for (i = 0; i < (value->len ) * 8; ++i) {
+      if (i % 8 == 0)
+	  onebyte = value->data[i/8];
+      if (onebyte & 0x80)
+	  len = i;            
+      onebyte <<= 1;
+      
+  }
+  bitsmap->data = value->data;
+  /* Add one here since we work with base 1 */ 
+  bitsmap->len = len + 1;
+}
+
+SECStatus
+CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
+				  SECItem *value, PRBool critical)
+{
+  SECItem bitsmap;
+  
+  PrepareBitStringForEncoding (&bitsmap, value);
+  return (CERT_EncodeAndAddExtension
+	  (exthandle, idtag, &bitsmap, critical,
+          SEC_ASN1_GET(SEC_BitStringTemplate)));
+}
+
+SECStatus
+CERT_FinishExtensions(void *exthandle)
+{
+    extRec *handle;
+    extNode *node;
+    CERTCertExtension **exts;
+    SECStatus rv = SECFailure;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extensions array */
+    exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
+			      handle->count + 1);
+    if (exts == NULL) {
+	goto loser;
+    }
+
+    /* put extensions in owner object and update its version number */
+
+#ifdef OLD
+    switch (handle->type) {
+      case CertificateExtensions:
+	handle->owner.cert->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
+			 SEC_CERTIFICATE_VERSION_3);
+	break;
+      case CrlExtensions:
+	handle->owner.crl->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
+			 SEC_CRL_VERSION_2);
+	break;
+      case OCSPRequestExtensions:
+	handle->owner.request->tbsRequest->requestExtensions = exts;
+	break;
+      case OCSPSingleRequestExtensions:
+	handle->owner.singleRequest->singleRequestExtensions = exts;	
+	break;
+      case OCSPResponseSingleExtensions:
+	handle->owner.singleResponse->singleExtensions = exts;	
+	break;
+    }
+#endif
+
+    handle->setExts(handle->object, exts);
+	
+    /* update the version number */
+
+    /* copy each extension pointer */
+    node = handle->head;
+    while ( node ) {
+	*exts = node->ext;
+	
+	node = node->next;
+	exts++;
+    }
+
+    /* terminate the array of extensions */
+    *exts = 0;
+
+    rv = SECSuccess;
+
+loser:
+    /* free working arena */
+    PORT_FreeArena(handle->arena, PR_FALSE);
+    return rv;
+}
+
+SECStatus
+CERT_MergeExtensions(void *exthandle, CERTCertExtension **extensions)
+{
+    CERTCertExtension *ext;
+    SECStatus rv = SECSuccess;
+    SECOidTag tag;
+    extNode *node;
+    extRec *handle = exthandle;
+    
+    if (!exthandle || !extensions) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    while ((ext = *extensions++) != NULL) {
+        tag = SECOID_FindOIDTag(&ext->id);
+        for (node=handle->head; node != NULL; node=node->next) {
+            if (tag == 0) {
+                if (SECITEM_ItemsAreEqual(&ext->id, &node->ext->id))
+                    break;
+            }
+            else {
+                if (SECOID_FindOIDTag(&node->ext->id) == tag) {
+                    break;
+                }
+            }
+        }
+        if (node == NULL) {
+            PRBool critical = (ext->critical.len != 0 &&
+                            ext->critical.data[ext->critical.len - 1] != 0);
+            if (critical && tag == SEC_OID_UNKNOWN) {
+               PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+               rv = SECFailure;
+               break;
+            }
+            /* add to list */
+            rv = CERT_AddExtensionByOID (exthandle, &ext->id, &ext->value,
+                                         critical, PR_TRUE);
+            if (rv != SECSuccess)
+                break;
+        }
+    }
+    return rv;
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
+			     SECItem *retItem)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+    
+    rv = cert_FindExtension(extensions, tag, &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
+                                SEC_ASN1_GET(SEC_BitStringTemplate),
+                                &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
+    if ( retItem->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
+    retItem->len = tmpItem.len;
+    
+    rv = SECSuccess;
+    goto done;
+    
+loser:
+    rv = SECFailure;
+
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(rv);
+}
+
+PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		hasCriticalExten = PR_TRUE;
+		break;
+	    }
+	    exts++;
+	}
+    }
+    return (hasCriticalExten);
+}
+
+PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasUnknownCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical.
+	       If an extension is critical, make sure that we know
+	       how to process the extension.
+             */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
+		    hasUnknownCriticalExten = PR_TRUE;
+		    break;
+		}
+	    }
+	    exts++;
+	}
+    }
+    return (hasUnknownCriticalExten);
+}
diff --git a/security/nss/lib/certdb/certxutl.h b/security/nss/lib/certdb/certxutl.h
new file mode 100644
index 000000000..9f8a1596d
--- /dev/null
+++ b/security/nss/lib/certdb/certxutl.h
@@ -0,0 +1,82 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * x.509 v3 certificate extension helper routines
+ *
+ */
+
+
+#ifndef _CERTXUTL_H_
+#define _CERTXUTL_H_
+
+#include "nspr.h"
+
+#ifdef OLD
+typedef enum {
+    CertificateExtensions,
+    CrlExtensions,
+    OCSPRequestExtensions,
+    OCSPSingleRequestExtensions,
+    OCSPResponseSingleExtensions
+} ExtensionsType;
+#endif
+
+extern PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions);
+
+extern SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions,
+			     int tag, SECItem *retItem);
+extern void *
+cert_StartExtensions (void *owner, PLArenaPool *arena,
+                      void (*setExts)(void *object, CERTCertExtension **exts));
+
+extern SECStatus
+cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value);
+
+extern SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions,
+			 SECItem *oid, SECItem *value);
+
+extern SECStatus
+cert_GetExtenCriticality (CERTCertExtension **extensions,
+			  int tag, PRBool *isCritical);
+
+extern PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions);
+
+#endif
diff --git a/security/nss/lib/certdb/config.mk b/security/nss/lib/certdb/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/lib/certdb/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
new file mode 100644
index 000000000..4ae233b18
--- /dev/null
+++ b/security/nss/lib/certdb/crl.c
@@ -0,0 +1,3128 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Moved from secpkcs7.c
+ *
+ * $Id$
+ */
+ 
+#include "cert.h"
+#include "certi.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "certxutl.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "dev.h"
+#include "dev3hack.h"
+#include "nssbase.h"
+#if defined(DPC_RWLOCK) || defined(GLOBAL_RWLOCK)
+#include "nssrwlk.h"
+#endif
+#include "pk11priv.h"
+
+const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(CERTCertExtension,critical), },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
+};
+
+/*
+ * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
+ * be tested; Lisa did the obvious translation but they still should be
+ * verified.
+ */
+
+const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTIssuerAndSN) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTIssuerAndSN,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTIssuerAndSN,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTIssuerAndSN,serialNumber) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrlEntry,revocationDate) },
+    { 0 }
+};
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
+
+static const SEC_ASN1Template cert_KrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,signatureAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_KrlEntryTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  cert_KrlTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlKey) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
+    { SEC_ASN1_SKIP },
+    { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrlEntry,revocationDate),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrlEntry, extensions),
+	  SEC_CERTExtensionTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,signatureAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate)},
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,lastUpdate),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,nextUpdate),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_CrlEntryTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	  SEC_ASN1_EXPLICIT | 0,
+	  offsetof(CERTCrl,extensions),
+	  SEC_CERTExtensionsTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,signatureAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,lastUpdate),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
+	  offsetof(CERTCrl,nextUpdate),
+          SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF |
+      SEC_ASN1_SKIP }, /* skip entries */
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	  SEC_ASN1_EXPLICIT | 0,
+	  offsetof(CERTCrl,extensions),
+	  SEC_CERTExtensionsTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CrlTemplateEntriesOnly[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_SKIP | SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL },
+    { SEC_ASN1_SKIP },
+    { SEC_ASN1_SKIP },
+    { SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(CERTCrl,lastUpdate),
+        SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN,
+        offsetof(CERTCrl,nextUpdate),
+        SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_CrlEntryTemplate }, /* decode entries */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SignedCrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  CERT_CrlTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN ,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedCrlTemplateNoEntries[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  CERT_CrlTemplateNoEntries },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, CERT_SignedCrlTemplate },
+};
+
+/* get CRL version */
+int cert_get_crl_version(CERTCrl * crl)
+{
+    /* CRL version is defaulted to v1 */
+    int version = SEC_CRL_VERSION_1;
+    if (crl && crl->version.data != 0) {
+	version = (int)DER_GetUInteger (&crl->version);
+    }
+    return version;
+}
+
+
+/* check the entries in the CRL */
+SECStatus cert_check_crl_entries (CERTCrl *crl)
+{
+    CERTCrlEntry **entries;
+    CERTCrlEntry *entry;
+    PRBool hasCriticalExten = PR_FALSE;
+    SECStatus rv = SECSuccess;
+
+    if (!crl) {
+        return SECFailure;
+    }
+
+    if (crl->entries == NULL) {
+        /* CRLs with no entries are valid */
+        return (SECSuccess);
+    }
+
+    /* Look in the crl entry extensions.  If there is a critical extension,
+       then the crl version must be v2; otherwise, it should be v1.
+     */
+    entries = crl->entries;
+    while (*entries) {
+	entry = *entries;
+	if (entry->extensions) {
+	    /* If there is a critical extension in the entries, then the
+	       CRL must be of version 2.  If we already saw a critical extension,
+	       there is no need to check the version again.
+	    */
+            if (hasCriticalExten == PR_FALSE) {
+                hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
+                if (hasCriticalExten) {
+                    if (cert_get_crl_version(crl) != SEC_CRL_VERSION_2) { 
+                        /* only CRL v2 critical extensions are supported */
+                        PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
+                        rv = SECFailure;
+                        break;
+                    }
+                }
+            }
+
+	    /* For each entry, make sure that it does not contain an unknown
+	       critical extension.  If it does, we must reject the CRL since
+	       we don't know how to process the extension.
+	    */
+	    if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
+		rv = SECFailure;
+		break;
+	    }
+	}
+	++entries;
+    }
+    return(rv);
+}
+
+/* Check the version of the CRL.  If there is a critical extension in the crl
+   or crl entry, then the version must be v2. Otherwise, it should be v1. If
+   the crl contains critical extension(s), then we must recognized the
+   extension's OID.
+   */
+SECStatus cert_check_crl_version (CERTCrl *crl)
+{
+    PRBool hasCriticalExten = PR_FALSE;
+    int version = cert_get_crl_version(crl);
+	
+    if (version > SEC_CRL_VERSION_2) {
+	PORT_SetError (SEC_ERROR_CRL_INVALID_VERSION);
+	return (SECFailure);
+    }
+
+    /* Check the crl extensions for a critial extension.  If one is found,
+       and the version is not v2, then we are done.
+     */
+    if (crl->extensions) {
+	hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
+	if (hasCriticalExten) {
+            if (version != SEC_CRL_VERSION_2) {
+                /* only CRL v2 critical extensions are supported */
+                PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
+                return (SECFailure);
+            }
+	    /* make sure that there is no unknown critical extension */
+	    if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
+		return (SECFailure);
+	    }
+	}
+    }
+
+    return (SECSuccess);
+}
+
+/*
+ * Generate a database key, based on the issuer name from a
+ * DER crl.
+ */
+SECStatus
+CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
+{
+    SECStatus rv;
+    CERTSignedData sd;
+    CERTCrlKey crlkey;
+    PRArenaPool* myArena;
+
+    if (!arena) {
+        /* arena needed for QuickDER */
+        myArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    } else {
+        myArena = arena;
+    }
+    PORT_Memset (&sd, 0, sizeof (sd));
+    rv = SEC_QuickDERDecodeItem (myArena, &sd, CERT_SignedDataTemplate, derCrl);
+    if (SECSuccess == rv) {
+        PORT_Memset (&crlkey, 0, sizeof (crlkey));
+        rv = SEC_QuickDERDecodeItem(myArena, &crlkey, cert_CrlKeyTemplate, &sd.data);
+    }
+
+    /* make a copy so the data doesn't point to memory inside derCrl, which
+       may be temporary */
+    if (SECSuccess == rv) {
+        rv = SECITEM_CopyItem(arena, key, &crlkey.derName);
+    }
+
+    if (myArena != arena) {
+        PORT_FreeArena(myArena, PR_FALSE);
+    }
+
+    return rv;
+}
+
+#define GetOpaqueCRLFields(x) ((OpaqueCRLFields*)x->opaque)
+
+SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl)
+{
+    SECStatus rv = SECSuccess;
+    SECItem* crldata = NULL;
+    OpaqueCRLFields* extended = NULL;
+
+    if ( (!crl) ||
+         (!(extended = (OpaqueCRLFields*) crl->opaque)) ||
+         (PR_TRUE == extended->decodingError) ) {
+        rv = SECFailure;
+    } else {
+        if (PR_FALSE == extended->partial) {
+            /* the CRL has already been fully decoded */
+            return SECSuccess;
+        }
+        if (PR_TRUE == extended->badEntries) {
+            /* the entries decoding already failed */
+            return SECFailure;
+        }
+        crldata = &crl->signatureWrap.data;
+        if (!crldata) {
+            rv = SECFailure;
+        }
+    }
+
+    if (SECSuccess == rv) {
+        rv = SEC_QuickDERDecodeItem(crl->arena,
+            &crl->crl,
+            CERT_CrlTemplateEntriesOnly,
+            crldata);
+        if (SECSuccess == rv) {
+            extended->partial = PR_FALSE; /* successful decode, avoid
+                decoding again */
+        } else {
+            extended->decodingError = PR_TRUE;
+            extended->badEntries = PR_TRUE;
+            /* cache the decoding failure. If it fails the first time,
+               it will fail again, which will grow the arena and leak
+               memory, so we want to avoid it */
+        }
+        rv = cert_check_crl_entries(&crl->crl);
+        if (rv != SECSuccess) {
+            extended->badExtensions = PR_TRUE;
+        }
+    }
+    return rv;
+}
+
+/*
+ * take a DER CRL or KRL  and decode it into a CRL structure
+ * allow reusing the input DER without making a copy
+ */
+CERTSignedCrl *
+CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
+                          int type, PRInt32 options)
+{
+    PRArenaPool *arena;
+    CERTSignedCrl *crl;
+    SECStatus rv;
+    OpaqueCRLFields* extended = NULL;
+    const SEC_ASN1Template* crlTemplate = CERT_SignedCrlTemplate;
+    PRInt32 testOptions = options;
+
+    PORT_Assert(derSignedCrl);
+    if (!derSignedCrl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    /* Adopting DER requires not copying it.  Code that sets ADOPT flag 
+     * but doesn't set DONT_COPY probably doesn't know What it is doing.  
+     * That condition is a programming error in the caller.
+     */
+    testOptions &= (CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_DONT_COPY_DER);
+    PORT_Assert(testOptions != CRL_DECODE_ADOPT_HEAP_DER);
+    if (testOptions == CRL_DECODE_ADOPT_HEAP_DER) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    /* make a new arena if needed */
+    if (narena == NULL) {
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    return NULL;
+	}
+    } else {
+	arena = narena;
+    }
+
+    /* allocate the CRL structure */
+    crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
+    if ( !crl ) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    crl->arena = arena;
+
+    /* allocate opaque fields */
+    crl->opaque = (void*)PORT_ArenaZAlloc(arena, sizeof(OpaqueCRLFields));
+    if ( !crl->opaque ) {
+	goto loser;
+    }
+    extended = (OpaqueCRLFields*) crl->opaque;
+    if (options & CRL_DECODE_ADOPT_HEAP_DER) {
+        extended->heapDER = PR_TRUE;
+    }
+    if (options & CRL_DECODE_DONT_COPY_DER) {
+        crl->derCrl = derSignedCrl; /* DER is not copied . The application
+                                       must keep derSignedCrl until it
+                                       destroys the CRL */
+    } else {
+        crl->derCrl = (SECItem *)PORT_ArenaZAlloc(arena,sizeof(SECItem));
+        if (crl->derCrl == NULL) {
+            goto loser;
+        }
+        rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    }
+
+    /* Save the arena in the inner crl for CRL extensions support */
+    crl->crl.arena = arena;
+    if (options & CRL_DECODE_SKIP_ENTRIES) {
+        crlTemplate = cert_SignedCrlTemplateNoEntries;
+        extended->partial = PR_TRUE;
+    }
+
+    /* decode the CRL info */
+    switch (type) {
+    case SEC_CRL_TYPE:
+        rv = SEC_QuickDERDecodeItem(arena, crl, crlTemplate, crl->derCrl);
+        if (rv != SECSuccess) {
+            extended->badDER = PR_TRUE;
+            break;
+        }
+        /* check for critical extensions */
+        rv =  cert_check_crl_version (&crl->crl);
+        if (rv != SECSuccess) {
+            extended->badExtensions = PR_TRUE;
+            break;
+        }
+
+        if (PR_TRUE == extended->partial) {
+            /* partial decoding, don't verify entries */
+            break;
+        }
+
+        rv = cert_check_crl_entries(&crl->crl);
+        if (rv != SECSuccess) {
+            extended->badExtensions = PR_TRUE;
+        }
+
+        break;
+
+    case SEC_KRL_TYPE:
+	rv = SEC_QuickDERDecodeItem
+	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    crl->referenceCount = 1;
+    
+    return(crl);
+    
+loser:
+    if (options & CRL_DECODE_KEEP_BAD_CRL) {
+        if (extended) {
+            extended->decodingError = PR_TRUE;
+        }
+        if (crl) {
+            crl->referenceCount = 1;
+            return(crl);
+        }
+    }
+
+    if ((narena == NULL) && arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+/*
+ * take a DER CRL or KRL  and decode it into a CRL structure
+ */
+CERTSignedCrl *
+CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
+{
+    return CERT_DecodeDERCrlWithFlags(narena, derSignedCrl, type,
+                                      CRL_DECODE_DEFAULT_OPTIONS);
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ *  caching stuff used by certificates....?
+ * return values :
+ *
+ * SECSuccess means we got a valid decodable DER CRL, or no CRL at all.
+ * Caller may distinguish those cases by the value returned in "decoded".
+ * When DER CRL is not found, error code will be SEC_ERROR_CRL_NOT_FOUND.
+ *
+ * SECFailure means we got a fatal error - most likely, we found a CRL,
+ * and it failed decoding, or there was an out of memory error. Do NOT ignore
+ * it and specifically do NOT treat it the same as having no CRL, as this
+ * can compromise security !!! Ideally, you should treat this case as if you
+ * received a "catch-all" CRL where all certs you were looking up are
+ * considered to be revoked
+ */
+static SECStatus
+SEC_FindCrlByKeyOnSlot(PK11SlotInfo *slot, SECItem *crlKey, int type,
+                       CERTSignedCrl** decoded, PRInt32 decodeoptions)
+{
+    SECStatus rv = SECSuccess;
+    CERTSignedCrl *crl = NULL;
+    SECItem *derCrl = NULL;
+    CK_OBJECT_HANDLE crlHandle = 0;
+    char *url = NULL;
+
+    PORT_Assert(decoded);
+    if (!decoded) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    derCrl = PK11_FindCrlByName(&slot, &crlHandle, crlKey, type, &url);
+    if (derCrl == NULL) {
+	/* if we had a problem other than the CRL just didn't exist, return
+	 * a failure to the upper level */
+	int nsserror = PORT_GetError();
+	if (nsserror != SEC_ERROR_CRL_NOT_FOUND) {
+	    rv = SECFailure;
+	}
+	goto loser;
+    }
+    PORT_Assert(crlHandle != CK_INVALID_HANDLE);
+    /* PK11_FindCrlByName obtained a slot reference. */
+    
+    /* derCRL is a fresh HEAP copy made for us by PK11_FindCrlByName.
+       Force adoption of the DER CRL from the heap - this will cause it 
+       to be automatically freed when SEC_DestroyCrl is invoked */
+    decodeoptions |= (CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_DONT_COPY_DER);
+
+    crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, type, decodeoptions);
+    if (crl) {
+        crl->slot = slot;
+        slot = NULL; /* adopt it */
+	derCrl = NULL; /* adopted by the crl struct */
+        crl->pkcs11ID = crlHandle;
+        if (url) {
+            crl->url = PORT_ArenaStrdup(crl->arena,url);
+        }
+    } else {
+        rv = SECFailure;
+    }
+    
+    if (url) {
+	PORT_Free(url);
+    }
+
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+
+loser:
+    if (derCrl) {
+	SECITEM_FreeItem(derCrl, PR_TRUE);
+    }
+
+    *decoded = crl;
+
+    return rv;
+}
+
+
+CERTSignedCrl *
+crl_storeCRL (PK11SlotInfo *slot,char *url,
+                  CERTSignedCrl *newCrl, SECItem *derCrl, int type)
+{
+    CERTSignedCrl *oldCrl = NULL, *crl = NULL;
+    PRBool deleteOldCrl = PR_FALSE;
+    CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
+    SECStatus rv;
+
+    PORT_Assert(newCrl);
+    PORT_Assert(derCrl);
+
+    /* we can't use the cache here because we must look in the same
+       token */
+    rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
+                                &oldCrl, CRL_DECODE_SKIP_ENTRIES);
+    /* if there is an old crl on the token, make sure the one we are
+       installing is newer. If not, exit out, otherwise delete the
+       old crl.
+     */
+    if (oldCrl != NULL) {
+	/* if it's already there, quietly continue */
+	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
+						== SECEqual) {
+	    crl = newCrl;
+	    crl->slot = PK11_ReferenceSlot(slot);
+	    crl->pkcs11ID = oldCrl->pkcs11ID;
+	    goto done;
+	}
+        if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
+
+            if (type == SEC_CRL_TYPE) {
+                PORT_SetError(SEC_ERROR_OLD_CRL);
+            } else {
+                PORT_SetError(SEC_ERROR_OLD_KRL);
+            }
+
+            goto done;
+        }
+
+        if ((SECITEM_CompareItem(&newCrl->crl.derName,
+                &oldCrl->crl.derName) != SECEqual) &&
+            (type == SEC_KRL_TYPE) ) {
+
+            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            goto done;
+        }
+
+        /* if we have a url in the database, use that one */
+        if (oldCrl->url) {
+	    url = oldCrl->url;
+        }
+
+        /* really destroy this crl */
+        /* first drum it out of the permanment Data base */
+	deleteOldCrl = PR_TRUE;
+    }
+
+    /* invalidate CRL cache for this issuer */
+    CERT_CRLCacheRefreshIssuer(NULL, &newCrl->crl.derName);
+    /* Write the new entry into the data base */
+    crlHandle = PK11_PutCrl(slot, derCrl, &newCrl->crl.derName, url, type);
+    if (crlHandle != CK_INVALID_HANDLE) {
+	crl = newCrl;
+	crl->slot = PK11_ReferenceSlot(slot);
+	crl->pkcs11ID = crlHandle;
+	if (url) {
+	    crl->url = PORT_ArenaStrdup(crl->arena,url);
+	}
+    }
+
+done:
+    if (oldCrl) {
+	if (deleteOldCrl && crlHandle != CK_INVALID_HANDLE) {
+	    SEC_DeletePermCRL(oldCrl);
+	}
+	SEC_DestroyCrl(oldCrl);
+    }
+
+    return crl;
+}
+
+/*
+ *
+ * create a new CRL from DER material.
+ *
+ * The signature on this CRL must be checked before you
+ * load it. ???
+ */
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
+{
+    CERTSignedCrl* retCrl = NULL;
+    PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+    retCrl = PK11_ImportCRL(slot, derCrl, url, type, NULL,
+        CRL_IMPORT_BYPASS_CHECKS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
+    PK11_FreeSlot(slot);
+
+    return retCrl;
+}
+    
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
+{
+    PRArenaPool *arena;
+    SECItem crlKey;
+    SECStatus rv;
+    CERTSignedCrl *crl = NULL;
+    
+    /* create a scratch arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* extract the database key from the cert */
+    rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* find the crl */
+    crl = SEC_FindCrlByName(handle, &crlKey, type);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(crl);
+}
+
+CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl)
+{
+    if (acrl)
+    {
+        PR_AtomicIncrement(&acrl->referenceCount);
+        return acrl;
+    }
+    return NULL;
+}
+
+SECStatus
+SEC_DestroyCrl(CERTSignedCrl *crl)
+{
+    if (crl) {
+	if (PR_AtomicDecrement(&crl->referenceCount) < 1) {
+	    if (crl->slot) {
+		PK11_FreeSlot(crl->slot);
+	    }
+            if (GetOpaqueCRLFields(crl) &&
+                PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) {
+                SECITEM_FreeItem(crl->derCrl, PR_TRUE);
+            }
+            if (crl->arena) {
+                PORT_FreeArena(crl->arena, PR_FALSE);
+            }
+	}
+        return SECSuccess;
+    } else {
+        return SECFailure;
+    }
+}
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
+{
+    CERTCrlHeadNode *head;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    *nodes = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return SECFailure;
+    }
+
+    /* build a head structure */
+    head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
+    head->arena = arena;
+    head->first = NULL;
+    head->last = NULL;
+    head->dbhandle = handle;
+
+    /* Look up the proper crl types */
+    *nodes = head;
+
+    rv = PK11_LookupCrls(head, type, NULL);
+    
+    if (rv != SECSuccess) {
+	if ( arena ) {
+	    PORT_FreeArena(arena, PR_FALSE);
+	    *nodes = NULL;
+	}
+    }
+
+    return rv;
+}
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedCrlTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
+
+/* CRL cache code starts here */
+
+/* constructor */
+static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
+                           CRLOrigin origin);
+/* destructor */
+static SECStatus CachedCrl_Destroy(CachedCrl* crl);
+
+/* create hash table of CRL entries */
+static SECStatus CachedCrl_Populate(CachedCrl* crlobject);
+
+/* empty the cache content */
+static SECStatus CachedCrl_Depopulate(CachedCrl* crl);
+
+/* are these CRLs the same, as far as the cache is concerned ?
+   Or are they the same token object, but with different DER ? */
+
+static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
+                                PRBool* isUpdated);
+
+/* create a DPCache object */
+static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
+                         SECItem* subject, SECItem* dp);
+
+/* destructor for CRL DPCache object */
+static SECStatus DPCache_Destroy(CRLDPCache* cache);
+
+/* add a new CRL object to the dynamic array of CRLs of the DPCache, and
+   returns the cached CRL object . Needs write access to DPCache. */
+static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* crl,
+                                PRBool* added);
+
+/* fetch the CRL for this DP from the PKCS#11 tokens */
+static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate,
+                                         void* wincx);
+
+/* check if a particular SN is in the CRL cache and return its entry */
+static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+                                CERTCrlEntry** returned);
+
+/* update the content of the CRL cache, including fetching of CRLs, and
+   reprocessing with specified issuer and date */
+static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate* issuer,
+                         PRBool readlocked, PRTime vfdate, void* wincx);
+
+/* returns true if there are CRLs from PKCS#11 slots */
+static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache);
+
+/* remove CRL at offset specified */
+static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset);
+
+/* Pick best CRL to use . needs write access */
+static SECStatus DPCache_SelectCRL(CRLDPCache* cache);
+
+/* create an issuer cache object (per CA subject ) */
+static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
+                             CERTCertificate* issuer,
+                             SECItem* subject, SECItem* dp);
+
+/* destructor for CRL IssuerCache object */
+SECStatus IssuerCache_Destroy(CRLIssuerCache* cache);
+
+/* add a DPCache to the issuer cache */
+static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
+                                   CERTCertificate* issuer, SECItem* subject,
+                                   SECItem* dp, CRLDPCache** newdpc);
+
+/* get a particular DPCache object from an IssuerCache */
+static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp);
+
+/*
+** Pre-allocator hash allocator ops.
+*/
+
+/* allocate memory for hash table */
+static void * PR_CALLBACK
+PreAllocTable(void *pool, PRSize size)
+{
+    PreAllocator* alloc = (PreAllocator*)pool;
+    PORT_Assert(alloc);
+    if (!alloc)
+    {
+        /* no allocator, or buffer full */
+        return NULL;
+    }
+    if (size > (alloc->len - alloc->used))
+    {
+        /* initial buffer full, let's use the arena */
+        alloc->extra += size;
+        return PORT_ArenaAlloc(alloc->arena, size);
+    }
+    /* use the initial buffer */
+    alloc->used += size;
+    return (char*) alloc->data + alloc->used - size;
+}
+
+/* free hash table memory.
+   Individual PreAllocator elements cannot be freed, so this is a no-op. */
+static void PR_CALLBACK
+PreFreeTable(void *pool, void *item)
+{
+}
+
+/* allocate memory for hash table */
+static PLHashEntry * PR_CALLBACK
+PreAllocEntry(void *pool, const void *key)
+{
+    return PreAllocTable(pool, sizeof(PLHashEntry));
+}
+
+/* free hash table entry.
+   Individual PreAllocator elements cannot be freed, so this is a no-op. */
+static void PR_CALLBACK
+PreFreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
+{
+}
+
+/* methods required for PL hash table functions */
+static PLHashAllocOps preAllocOps =
+{
+    PreAllocTable, PreFreeTable,
+    PreAllocEntry, PreFreeEntry
+};
+
+/* destructor for PreAllocator object */
+void PreAllocator_Destroy(PreAllocator* PreAllocator)
+{
+    if (!PreAllocator)
+    {
+        return;
+    }
+    if (PreAllocator->arena)
+    {
+        PORT_FreeArena(PreAllocator->arena, PR_TRUE);
+    }
+    if (PreAllocator->data)
+    {
+        PORT_Free(PreAllocator->data);
+    }
+    PORT_Free(PreAllocator);
+}
+
+/* constructor for PreAllocator object */
+PreAllocator* PreAllocator_Create(PRSize size)
+{
+    PreAllocator prebuffer;
+    PreAllocator* prepointer = NULL;
+    memset(&prebuffer, 0, sizeof(PreAllocator));
+    prebuffer.len = size;
+    prebuffer.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    PORT_Assert(prebuffer.arena);
+    if (!prebuffer.arena)
+    {
+        PreAllocator_Destroy(&prebuffer);
+        return NULL;
+    }
+    if (prebuffer.len)
+    {
+        prebuffer.data = PORT_Alloc(prebuffer.len);
+        if (!prebuffer.data)
+        {
+            PreAllocator_Destroy(&prebuffer);
+            return NULL;
+        }
+    }
+    else
+    {
+        prebuffer.data = NULL;
+    }
+    prepointer = (PreAllocator*)PORT_Alloc(sizeof(PreAllocator));
+    if (!prepointer)
+    {
+        PreAllocator_Destroy(&prebuffer);
+        return NULL;
+    }
+    *prepointer = prebuffer;
+    return prepointer;
+}
+
+/* global CRL cache object */
+static CRLCache crlcache = { NULL, NULL };
+
+/* initial state is off */
+static PRBool crlcache_initialized = PR_FALSE;
+
+PRTime CRLCache_Empty_TokenFetch_Interval = 60 * 1000000; /* how often
+    to query the tokens for CRL objects, in order to discover new objects, if
+    the cache does not contain any token CRLs . In microseconds */
+
+PRTime CRLCache_TokenRefetch_Interval = 600 * 1000000 ; /* how often
+    to query the tokens for CRL objects, in order to discover new objects, if
+    the cache already contains token CRLs In microseconds */
+
+PRTime CRLCache_ExistenceCheck_Interval = 60 * 1000000; /* how often to check
+    if a token CRL object still exists. In microseconds */
+
+/* this function is called at NSS initialization time */
+SECStatus InitCRLCache(void)
+{
+    if (PR_FALSE == crlcache_initialized)
+    {
+        PORT_Assert(NULL == crlcache.lock);
+        PORT_Assert(NULL == crlcache.issuers);
+        if (crlcache.lock || crlcache.issuers)
+        {
+            /* CRL cache already partially initialized */
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
+#ifdef GLOBAL_RWLOCK
+        crlcache.lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
+#else
+        crlcache.lock = PR_NewLock();
+#endif
+        if (!crlcache.lock)
+        {
+            return SECFailure;
+        }
+        crlcache.issuers = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+                                  PL_CompareValues, NULL, NULL);
+        if (!crlcache.issuers)
+        {
+#ifdef GLOBAL_RWLOCK
+            NSSRWLock_Destroy(crlcache.lock);
+#else
+            PR_DestroyLock(crlcache.lock);
+#endif
+            crlcache.lock = NULL;
+            return SECFailure;
+        }
+        crlcache_initialized = PR_TRUE;
+        return SECSuccess;
+    }
+    else
+    {
+        PORT_Assert(crlcache.lock);
+        PORT_Assert(crlcache.issuers);
+        if ( (NULL == crlcache.lock) || (NULL == crlcache.issuers) )
+        {
+            /* CRL cache not fully initialized */
+            return SECFailure;
+        }
+        else
+        {
+            /* CRL cache already initialized */
+            return SECSuccess;
+        }
+    }
+}
+
+/* destructor for CRL DPCache object */
+static SECStatus DPCache_Destroy(CRLDPCache* cache)
+{
+    PRUint32 i = 0;
+    PORT_Assert(cache);
+    if (!cache)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (cache->lock)
+    {
+#ifdef DPC_RWLOCK
+        NSSRWLock_Destroy(cache->lock);
+#else
+        PR_DestroyLock(cache->lock);
+#endif
+    }
+    else
+    {
+        PORT_Assert(0);
+        return SECFailure;
+    }
+    /* destroy all our CRL objects */
+    for (i=0;i<cache->ncrls;i++)
+    {
+        if (!cache->crls || !cache->crls[i] ||
+            SECSuccess != CachedCrl_Destroy(cache->crls[i]))
+        {
+            return SECFailure;
+        }
+    }
+    /* free the array of CRLs */
+    if (cache->crls)
+    {
+	PORT_Free(cache->crls);
+    }
+    /* destroy the cert */
+    if (cache->issuer)
+    {
+        CERT_DestroyCertificate(cache->issuer);
+    }
+    /* free the subject */
+    if (cache->subject)
+    {
+        SECITEM_FreeItem(cache->subject, PR_TRUE);
+    }
+    /* free the distribution points */
+    if (cache->distributionPoint)
+    {
+        SECITEM_FreeItem(cache->distributionPoint, PR_TRUE);
+    }
+    PORT_Free(cache);
+    return SECSuccess;
+}
+
+/* destructor for CRL IssuerCache object */
+SECStatus IssuerCache_Destroy(CRLIssuerCache* cache)
+{
+    PORT_Assert(cache);
+    if (!cache)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+#ifdef XCRL
+    if (cache->lock)
+    {
+        NSSRWLock_Destroy(cache->lock);
+    }
+    else
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (cache->issuer)
+    {
+        CERT_DestroyCertificate(cache->issuer);
+    }
+#endif
+    /* free the subject */
+    if (cache->subject)
+    {
+        SECITEM_FreeItem(cache->subject, PR_TRUE);
+    }
+    if (SECSuccess != DPCache_Destroy(cache->dpp))
+    {
+        PORT_Assert(0);
+        return SECFailure;
+    }
+    PORT_Free(cache);
+    return SECSuccess;
+}
+
+/* callback function used in hash table destructor */
+static PRIntn PR_CALLBACK FreeIssuer(PLHashEntry *he, PRIntn i, void *arg)
+{
+    CRLIssuerCache* issuer = NULL;
+    SECStatus* rv = (SECStatus*) arg;
+
+    PORT_Assert(he);
+    if (!he)
+    {
+        return HT_ENUMERATE_NEXT;
+    }
+    issuer = (CRLIssuerCache*) he->value;
+    PORT_Assert(issuer);
+    if (issuer)
+    {
+        if (SECSuccess != IssuerCache_Destroy(issuer))
+        {
+            PORT_Assert(rv);
+            if (rv)
+            {
+                *rv = SECFailure;
+            }
+            return HT_ENUMERATE_NEXT;
+        }
+    }
+    return HT_ENUMERATE_NEXT;
+}
+
+/* needs to be called at NSS shutdown time
+   This will destroy the global CRL cache, including 
+   - the hash table of issuer cache objects
+   - the issuer cache objects
+   - DPCache objects in issuer cache objects */
+SECStatus ShutdownCRLCache(void)
+{
+    SECStatus rv = SECSuccess;
+    if (PR_FALSE == crlcache_initialized &&
+        !crlcache.lock && !crlcache.issuers)
+    {
+        /* CRL cache has already been shut down */
+        return SECSuccess;
+    }
+    if (PR_TRUE == crlcache_initialized &&
+        (!crlcache.lock || !crlcache.issuers))
+    {
+        /* CRL cache has partially been shut down */
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    /* empty the cache */
+    /* free the issuers */
+    PL_HashTableEnumerateEntries(crlcache.issuers, &FreeIssuer, &rv);
+    /* free the hash table of issuers */
+    PL_HashTableDestroy(crlcache.issuers);
+    crlcache.issuers = NULL;
+    /* free the global lock */
+#ifdef GLOBAL_RWLOCK
+    NSSRWLock_Destroy(crlcache.lock);
+#else
+    PR_DestroyLock(crlcache.lock);
+#endif
+    crlcache.lock = NULL;
+    crlcache_initialized = PR_FALSE;
+    return rv;
+}
+
+/* add a new CRL object to the dynamic array of CRLs of the DPCache, and
+   returns the cached CRL object . Needs write access to DPCache. */
+static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* newcrl,
+                                PRBool* added)
+{
+    CachedCrl** newcrls = NULL;
+    PRUint32 i = 0;
+    PORT_Assert(cache);
+    PORT_Assert(newcrl);
+    PORT_Assert(added);
+    if (!cache || !newcrl || !added)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    *added = PR_FALSE;
+    /* before adding a new CRL, check if it is a duplicate */
+    for (i=0;i<cache->ncrls;i++)
+    {
+        CachedCrl* existing = NULL;
+        SECStatus rv = SECSuccess;
+        PRBool dupe = PR_FALSE, updated = PR_FALSE;
+        if (!cache->crls)
+        {
+            PORT_Assert(0);
+            return SECFailure;
+        }
+        existing = cache->crls[i];
+        if (!existing)
+        {
+            PORT_Assert(0);
+            return SECFailure;
+        }
+        rv = CachedCrl_Compare(existing, newcrl, &dupe, &updated);
+        if (SECSuccess != rv)
+        {
+            PORT_Assert(0);
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
+        if (PR_TRUE == dupe)
+        {
+            /* dupe */
+            PORT_SetError(SEC_ERROR_CRL_ALREADY_EXISTS);
+            return SECSuccess;
+        }
+        if (PR_TRUE == updated)
+        {
+            /* this token CRL is in the same slot and has the same object ID,
+               but different content. We need to remove the old object */
+            if (SECSuccess != DPCache_RemoveCRL(cache, i))
+            {
+                PORT_Assert(0);
+                PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                return PR_FALSE;
+            }
+        }
+    }
+
+    newcrls = (CachedCrl**)PORT_Realloc(cache->crls,
+        (cache->ncrls+1)*sizeof(CachedCrl*));
+    if (!newcrls)
+    {
+        return SECFailure;
+    }
+    cache->crls = newcrls;
+    cache->ncrls++;
+    cache->crls[cache->ncrls-1] = newcrl;
+    *added = PR_TRUE;
+    return SECSuccess;
+}
+
+/* remove CRL at offset specified */
+static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset)
+{
+    CachedCrl* acrl = NULL;
+    PORT_Assert(cache);
+    if (!cache || (!cache->crls) || (!(offset<cache->ncrls)) )
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    acrl = cache->crls[offset];
+    PORT_Assert(acrl);
+    if (!acrl)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    cache->crls[offset] = cache->crls[cache->ncrls-1];
+    cache->crls[cache->ncrls-1] = NULL;
+    cache->ncrls--;
+    if (cache->selected == acrl) {
+        cache->selected = NULL;
+    }
+    if (SECSuccess != CachedCrl_Destroy(acrl))
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* check whether a CRL object stored in a PKCS#11 token still exists in
+   that token . This has to be efficient (the entire CRL value cannot be
+   transferred accross the token boundaries), so this is accomplished by
+   simply fetching the subject attribute and making sure it hasn't changed .
+   Note that technically, the CRL object could have been replaced with a new
+   PKCS#11 object of the same ID and subject (which actually happens in
+   softoken), but this function has no way of knowing that the object
+   value changed, since CKA_VALUE isn't checked. */
+static PRBool TokenCRLStillExists(CERTSignedCrl* crl)
+{
+    NSSItem newsubject;
+    SECItem subject;
+    CK_ULONG crl_class;
+    PRStatus status;
+    PK11SlotInfo* slot = NULL;
+    nssCryptokiObject instance;
+    NSSArena* arena;
+    PRBool xstatus = PR_TRUE;
+    SECItem* oldSubject = NULL;
+
+    PORT_Assert(crl);
+    if (!crl)
+    {
+        return PR_FALSE;
+    }
+    slot = crl->slot;
+    PORT_Assert(crl->slot);
+    if (!slot)
+    {
+        return PR_FALSE;
+    }
+    oldSubject = &crl->crl.derName;
+    PORT_Assert(oldSubject);
+    if (!oldSubject)
+    {
+        return PR_FALSE;
+    }
+
+    /* query subject and type attributes in order to determine if the
+       object has been deleted */
+
+    /* first, make an nssCryptokiObject */
+    instance.handle = crl->pkcs11ID;
+    PORT_Assert(instance.handle);
+    if (!instance.handle)
+    {
+        return PR_FALSE;
+    }
+    instance.token = PK11Slot_GetNSSToken(slot);
+    PORT_Assert(instance.token);
+    if (!instance.token)
+    {
+        return PR_FALSE;
+    }
+    instance.isTokenObject = PR_TRUE;
+    instance.label = NULL;
+
+    arena = NSSArena_Create();
+    PORT_Assert(arena);
+    if (!arena)
+    {
+        return PR_FALSE;
+    }
+
+    status = nssCryptokiCRL_GetAttributes(&instance,
+                                          NULL,  /* XXX sessionOpt */
+                                          arena,
+                                          NULL,
+                                          &newsubject,  /* subject */
+                                          &crl_class,   /* class */
+                                          NULL,
+                                          NULL);
+    if (PR_SUCCESS == status)
+    {
+        subject.data = newsubject.data;
+        subject.len = newsubject.size;
+        if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual)
+        {
+            xstatus = PR_FALSE;
+        }
+        if (CKO_NETSCAPE_CRL != crl_class)
+        {
+            xstatus = PR_FALSE;
+        }
+    }
+    else
+    {
+        xstatus = PR_FALSE;
+    }
+    NSSArena_Destroy(arena);
+    return xstatus;
+}
+
+/* verify the signature of a CRL against its issuer at a given date */
+static SECStatus CERT_VerifyCRL(
+    CERTSignedCrl* crlobject,
+    CERTCertificate* issuer,
+    PRTime vfdate,
+    void* wincx)
+{
+    return CERT_VerifySignedData(&crlobject->signatureWrap,
+                                 issuer, vfdate, wincx);
+}
+
+/* verify a CRL and update cache state */
+static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject,
+                          PRTime vfdate, void* wincx)
+{
+    /*  Check if it is an invalid CRL
+        if we got a bad CRL, we want to cache it in order to avoid
+        subsequent fetches of this same identical bad CRL. We set
+        the cache to the invalid state to ensure that all certs
+        on this DP are considered revoked from now on. The cache
+        object will remain in this state until the bad CRL object
+        is removed from the token it was fetched from. If the cause
+        of the failure is that we didn't have the issuer cert to
+        verify the signature, this state can be cleared when
+        the issuer certificate becomes available if that causes the
+        signature to verify */
+
+    if (!cache || !crlobject)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError)
+    {
+        crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
+            with bogus DER. Mark it checked so we won't try again */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECSuccess;
+    }
+    else
+    {
+        SECStatus signstatus = SECFailure;
+        if (cache->issuer)
+        {
+            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
+                                        wincx);
+        }
+        if (SECSuccess != signstatus)
+        {
+            if (!cache->issuer)
+            {
+                /* we tried to verify without an issuer cert . This is
+                   because this CRL came through a call to SEC_FindCrlByName.
+                   So, we don't cache this verification failure. We'll try
+                   to verify the CRL again when a certificate from that issuer
+                   becomes available */
+            } else
+            {
+                crlobject->sigChecked = PR_TRUE;
+            }
+            PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
+            return SECSuccess;
+        } else
+        {
+            crlobject->sigChecked = PR_TRUE;
+            crlobject->sigValid = PR_TRUE;
+        }
+    }
+    
+    return SECSuccess;
+}
+
+/* fetch the CRLs for this DP from the PKCS#11 tokens */
+static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate,
+                                         void* wincx)
+{
+    SECStatus rv = SECSuccess;
+    CERTCrlHeadNode head;
+    if (!cache)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    /* first, initialize list */
+    memset(&head, 0, sizeof(head));
+    head.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    rv = pk11_RetrieveCrls(&head, cache->subject, wincx);
+
+    /* if this function fails, something very wrong happened, such as an out
+       of memory error during CRL decoding. We don't want to proceed and must
+       mark the cache object invalid */
+    if (SECFailure == rv)
+    {
+        /* fetch failed, add error bit */
+        cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
+    } else
+    {
+        /* fetch was successful, clear this error bit */
+        cache->invalid &= (~CRL_CACHE_LAST_FETCH_FAILED);
+    }
+
+    /* add any CRLs found to our array */
+    if (SECSuccess == rv)
+    {
+        CERTCrlNode* crlNode = NULL;
+
+        for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
+        {
+            CachedCrl* returned = NULL;
+            CERTSignedCrl* crlobject = crlNode->crl;
+            if (!crlobject)
+            {
+                PORT_Assert(0);
+                continue;
+            }
+            rv = CachedCrl_Create(&returned, crlobject, CRL_OriginToken);
+            if (SECSuccess == rv)
+            {
+                PRBool added = PR_FALSE;
+                rv = DPCache_AddCRL(cache, returned, &added);
+                if (PR_TRUE != added)
+                {
+                    rv = CachedCrl_Destroy(returned);
+                    returned = NULL;
+                }
+                else
+                {
+                    rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
+                }
+            }
+            else
+            {
+                /* not enough memory to add the CRL to the cache. mark it
+                   invalid so we will try again . */
+                cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
+            }
+            if (SECFailure == rv)
+            {
+                break;
+            }
+        }
+    }
+
+    if (head.arena)
+    {
+        CERTCrlNode* crlNode = NULL;
+        /* clean up the CRL list in case we got a partial one
+           during a failed fetch */
+        for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
+        {
+            if (crlNode->crl)
+            {
+                SEC_DestroyCrl(crlNode->crl); /* free the CRL. Either it got
+                   added to the cache and the refcount got bumped, or not, and
+                   thus we need to free its RAM */
+            }
+        }
+        PORT_FreeArena(head.arena, PR_FALSE); /* destroy CRL list */
+    }
+
+    return rv;
+}
+
+static SECStatus CachedCrl_GetEntry(CachedCrl* crl, SECItem* sn,
+                                    CERTCrlEntry** returned)
+{
+    CERTCrlEntry* acrlEntry;
+     
+    PORT_Assert(crl);
+    PORT_Assert(crl->entries);
+    PORT_Assert(sn);
+    PORT_Assert(returned);
+    if (!crl || !sn || !returned || !crl->entries)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    acrlEntry = PL_HashTableLookup(crl->entries, (void*)sn);
+    if (acrlEntry)
+    {
+        *returned = acrlEntry;
+    }
+    else
+    {
+        *returned = NULL;
+    }
+    return SECSuccess;
+}
+
+/* check if a particular SN is in the CRL cache and return its entry */
+static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
+                                CERTCrlEntry** returned)
+{
+    if (!cache || !sn || !returned)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        /* no cache or SN to look up, or no way to return entry */
+        return SECFailure;
+    }
+    if (0 != cache->invalid)
+    {
+        /* the cache contains a bad CRL, or there was a CRL fetching error.
+           consider all certs revoked as a security measure */
+        PORT_SetError(SEC_ERROR_CRL_INVALID);
+        return SECFailure;
+    }
+    if (!cache->selected)
+    {
+        /* no CRL means no entry to return, but this is OK */
+        *returned = NULL;
+        return SECSuccess;
+    }
+    return CachedCrl_GetEntry(cache->selected, sn, returned);
+}
+
+#if defined(DPC_RWLOCK)
+
+#define DPCache_LockWrite() \
+{ \
+    if (readlocked) \
+    { \
+        NSSRWLock_UnlockRead(cache->lock); \
+    } \
+    NSSRWLock_LockWrite(cache->lock); \
+}
+
+#define DPCache_UnlockWrite() \
+{ \
+    if (readlocked) \
+    { \
+        NSSRWLock_LockRead(cache->lock); \
+    } \
+    NSSRWLock_UnlockWrite(cache->lock); \
+}
+
+#else
+
+/* with a global lock, we are always locked for read before we need write
+   access, so do nothing */
+
+#define DPCache_LockWrite() \
+{ \
+}
+
+#define DPCache_UnlockWrite() \
+{ \
+}
+
+#endif
+
+/* update the content of the CRL cache, including fetching of CRLs, and
+   reprocessing with specified issuer and date . We are always holding
+   either the read or write lock on DPCache upon entry. */
+static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate*
+                                     issuer, PRBool readlocked, PRTime vfdate,
+                                     void* wincx)
+{
+    /* Update the CRLDPCache now. We don't cache token CRL lookup misses
+       yet, as we have no way of getting notified of new PKCS#11 object
+       creation that happens in a token  */
+    SECStatus rv = SECSuccess;
+    PRUint32 i = 0;
+    PRBool forcedrefresh = PR_FALSE;
+    PRBool dirty = PR_FALSE; /* whether something was changed in the
+                                cache state during this update cycle */
+    PRBool hastokenCRLs = PR_FALSE;
+    PRTime now = 0;
+    PRTime lastfetch = 0;
+
+    if (!cache)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    /* first, make sure we have obtained all the CRLs we need.
+       We do an expensive token fetch in the following cases :
+       1) cache is empty because no fetch was ever performed yet
+       2) cache is explicitly set to refresh state
+       3) cache is in invalid state because last fetch failed
+       4) cache contains no token CRLs, and it's been more than one minute
+          since the last fetch
+       5) cache contains token CRLs, and it's been more than 10 minutes since
+          the last fetch
+    */
+    forcedrefresh = cache->refresh;
+    lastfetch = cache->lastfetch;
+    if (PR_TRUE != forcedrefresh && 
+        (!(cache->invalid & CRL_CACHE_LAST_FETCH_FAILED)))
+    {
+        now = PR_Now();
+        hastokenCRLs = DPCache_HasTokenCRLs(cache);
+    }
+    if ( (0 == lastfetch) ||
+
+         (PR_TRUE == forcedrefresh) ||
+
+         (cache->invalid & CRL_CACHE_LAST_FETCH_FAILED) ||
+
+         ( (PR_FALSE == hastokenCRLs) &&
+           ( (now - cache->lastfetch > CRLCache_Empty_TokenFetch_Interval) ||
+             (now < cache->lastfetch)) ) ||
+
+         ( (PR_TRUE == hastokenCRLs) &&
+           ((now - cache->lastfetch > CRLCache_TokenRefetch_Interval) ||
+            (now < cache->lastfetch)) ) )
+    {
+        /* the cache needs to be refreshed, and/or we had zero CRL for this
+           DP. Try to get one from PKCS#11 tokens */
+        DPCache_LockWrite();
+        /* check if another thread updated before us, and skip update if so */
+        if (lastfetch == cache->lastfetch)
+        {
+            /* we are the first */
+            rv = DPCache_FetchFromTokens(cache, vfdate, wincx);
+            if (PR_TRUE == cache->refresh)
+            {
+                cache->refresh = PR_FALSE; /* clear refresh state */
+            }
+            dirty = PR_TRUE;
+            cache->lastfetch = PR_Now();
+        }
+        DPCache_UnlockWrite();
+    }
+
+    /* now, make sure we have no extraneous CRLs (deleted token objects)
+       we'll do this inexpensive existence check either
+       1) if there was a token object fetch
+       2) every minute */
+    if (( PR_TRUE != dirty) && (!now) )
+    {
+        now = PR_Now();
+    }
+    if ( (PR_TRUE == dirty) ||
+         ( (now - cache->lastcheck > CRLCache_ExistenceCheck_Interval) ||
+           (now < cache->lastcheck)) )
+    {
+        PRBool mustunlock = PR_FALSE;
+        PRTime lastcheck = cache->lastcheck;
+        /* check if all CRLs still exist */
+        for (i = 0; (i < cache->ncrls) ; i++)
+        {
+            CachedCrl* savcrl = cache->crls[i];
+            if ( (!savcrl) || (savcrl && CRL_OriginToken != savcrl->origin))
+            {
+                /* we only want to check token CRLs */
+                continue;
+            }
+            if ((PR_TRUE != TokenCRLStillExists(savcrl->crl)))
+            {
+                
+                /* this CRL is gone */
+                if (PR_TRUE != mustunlock)
+                {
+                    DPCache_LockWrite();
+                    mustunlock = PR_TRUE;
+                }
+                /* first, we need to check if another thread did an update
+                   before we did */
+                if (lastcheck == cache->lastcheck)
+                {
+                    /* the CRL is gone. And we are the one to do the update */
+                    DPCache_RemoveCRL(cache, i);
+                    dirty = PR_TRUE;
+                }
+                /* stay locked here intentionally so we do all the other
+                   updates in this thread for the remaining CRLs */
+            }
+        }
+        if (PR_TRUE == mustunlock)
+        {
+            cache->lastcheck = PR_Now();
+            DPCache_UnlockWrite();
+            mustunlock = PR_FALSE;
+        }
+    }
+
+    /* add issuer certificate if it was previously unavailable */
+    if (issuer && (NULL == cache->issuer) &&
+        (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
+    {
+        /* if we didn't have a valid issuer cert yet, but we do now. add it */
+        DPCache_LockWrite();
+        if (!cache->issuer)
+        {
+            dirty = PR_TRUE;
+            cache->issuer = CERT_DupCertificate(issuer);    
+        }
+        DPCache_UnlockWrite();
+    }
+
+    /* verify CRLs that couldn't be checked when inserted into the cache
+       because the issuer cert or a verification date was unavailable.
+       These are CRLs that were inserted into the cache through
+       SEC_FindCrlByName, or through manual insertion, rather than through a
+       certificate verification (CERT_CheckCRL) */
+
+    if (cache->issuer && vfdate )
+    {
+        PRBool mustunlock = PR_FALSE;
+        /* re-process all unverified CRLs */
+        for (i = 0; i < cache->ncrls ; i++)
+        {
+            CachedCrl* savcrl = cache->crls[i];
+            if (!savcrl)
+            {
+                continue;
+            }
+            if (PR_TRUE != savcrl->sigChecked)
+            {
+                if (PR_TRUE != mustunlock)
+                {
+                    DPCache_LockWrite();
+                    mustunlock = PR_TRUE;
+                }
+                /* first, we need to check if another thread updated
+                   it before we did, and abort if it has been modified since
+                   we acquired the lock. Make sure first that the CRL is still
+                   in the array at the same position */
+                if ( (i<cache->ncrls) && (savcrl == cache->crls[i]) &&
+                     (PR_TRUE != savcrl->sigChecked) )
+                {
+                    /* the CRL is still there, unverified. Do it */
+                    CachedCrl_Verify(cache, savcrl, vfdate, wincx);
+                    dirty = PR_TRUE;
+                }
+                /* stay locked here intentionally so we do all the other
+                   updates in this thread for the remaining CRLs */
+            }
+            if (PR_TRUE == mustunlock)
+            {
+                DPCache_UnlockWrite();
+                mustunlock = PR_FALSE;
+            }
+        }
+    }
+
+    if (dirty || cache->mustchoose)
+    {
+        /* changes to the content of the CRL cache necessitate examining all
+           CRLs for selection of the most appropriate one to cache */
+        DPCache_LockWrite();
+        DPCache_SelectCRL(cache);
+        cache->mustchoose = PR_FALSE;
+        DPCache_UnlockWrite();
+    }
+
+    return rv;
+}
+
+/* callback for qsort to sort by thisUpdate */
+static int SortCRLsByThisUpdate(const void* arg1, const void* arg2)
+{
+    PRTime timea, timeb;
+    SECStatus rv = SECSuccess;
+    CachedCrl* a, *b;
+
+    a = *(CachedCrl**) arg1;
+    b = *(CachedCrl**) arg2;
+
+    if (!a || !b)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        rv = SECFailure;
+    }
+
+    if (SECSuccess == rv)
+    {
+        rv = DER_DecodeTimeChoice(&timea, &a->crl->crl.lastUpdate);
+    }                       
+    if (SECSuccess == rv)
+    {
+        rv = DER_DecodeTimeChoice(&timeb, &b->crl->crl.lastUpdate);
+    }
+    if (SECSuccess == rv)
+    {
+        if (timea > timeb)
+        {
+            return 1; /* a is better than b */
+        }
+        if (timea < timeb )
+        {
+            return -1; /* a is not as good as b */
+        }
+    }
+
+    /* if they are equal, or if all else fails, use pointer differences */
+    PORT_Assert(a != b); /* they should never be equal */
+    return a>b?1:-1;
+}
+
+/* callback for qsort to sort a set of disparate CRLs, some of which are
+   invalid DER or failed signature check.
+   
+   Validated CRLs are differentiated by thisUpdate .
+   Validated CRLs are preferred over non-validated CRLs .
+   Proper DER CRLs are preferred over non-DER data .
+*/
+static int SortImperfectCRLs(const void* arg1, const void* arg2)
+{
+    CachedCrl* a, *b;
+
+    a = *(CachedCrl**) arg1;
+    b = *(CachedCrl**) arg2;
+
+    if (!a || !b)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        PORT_Assert(0);
+    }
+    else
+    {
+        PRBool aDecoded = PR_FALSE, bDecoded = PR_FALSE;
+        if ( (PR_TRUE == a->sigValid) && (PR_TRUE == b->sigValid) )
+        {
+            /* both CRLs have been validated, choose the latest one */
+            return SortCRLsByThisUpdate(arg1, arg2);
+        }
+        if (PR_TRUE == a->sigValid)
+        {
+            return 1; /* a is greater than b */
+        }
+        if (PR_TRUE == b->sigValid)
+        {
+            return -1; /* a is not as good as b */
+        }
+        aDecoded = GetOpaqueCRLFields(a->crl)->decodingError;
+        bDecoded = GetOpaqueCRLFields(b->crl)->decodingError;
+        /* neither CRL had its signature check pass */
+        if ( (PR_FALSE == aDecoded) && (PR_FALSE == bDecoded) )
+        {
+            /* both CRLs are proper DER, choose the latest one */
+            return SortCRLsByThisUpdate(arg1, arg2);
+        }
+        if (PR_FALSE == aDecoded)
+        {
+            return 1; /* a is better than b */
+        }
+        if (PR_FALSE == bDecoded)
+        {
+            return -1; /* a is not as good as b */
+        }
+        /* both are invalid DER. sigh. */
+    }
+    /* if they are equal, or if all else fails, use pointer differences */
+    PORT_Assert(a != b); /* they should never be equal */
+    return a>b?1:-1;
+}
+
+
+/* Pick best CRL to use . needs write access */
+static SECStatus DPCache_SelectCRL(CRLDPCache* cache)
+{
+    PRUint32 i;
+    PRBool valid = PR_TRUE;
+    CachedCrl* selected = NULL;
+
+    PORT_Assert(cache);
+    if (!cache)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    /* if any invalid CRL is present, then the CRL cache is
+       considered invalid, for security reasons */
+    for (i = 0 ; i<cache->ncrls; i++)
+    {
+        if (!cache->crls[i] || !cache->crls[i]->sigChecked ||
+            !cache->crls[i]->sigValid)
+        {
+            valid = PR_FALSE;
+            break;
+        }
+    }
+    if (PR_TRUE == valid)
+    {
+        /* all CRLs are valid, clear this error */
+        cache->invalid &= (~CRL_CACHE_INVALID_CRLS);
+    } else
+    {
+        /* some CRLs are invalid, set this error */
+        cache->invalid |= CRL_CACHE_INVALID_CRLS;
+    }
+
+    if (cache->invalid)
+    {
+        /* cache is in an invalid state, so reset it */
+        if (cache->selected)
+        {
+            cache->selected = NULL;
+        }
+        /* also sort the CRLs imperfectly */
+        qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
+              SortImperfectCRLs);
+        return SECSuccess;
+    }
+    /* all CRLs are good, sort them by thisUpdate */
+    qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
+          SortCRLsByThisUpdate);
+
+    if (cache->ncrls)
+    {
+        /* pick the newest CRL */
+        selected = cache->crls[cache->ncrls-1];
+    
+        /* and populate the cache */
+        if (SECSuccess != CachedCrl_Populate(selected))
+        {
+            return SECFailure;
+        }
+    }
+
+    cache->selected = selected;
+
+    return SECSuccess;
+}
+
+/* initialize a DPCache object */
+static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
+                         SECItem* subject, SECItem* dp)
+{
+    CRLDPCache* cache = NULL;
+    PORT_Assert(returned);
+    /* issuer and dp are allowed to be NULL */
+    if (!returned || !subject)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    *returned = NULL;
+    cache = PORT_ZAlloc(sizeof(CRLDPCache));
+    if (!cache)
+    {
+        return SECFailure;
+    }
+#ifdef DPC_RWLOCK
+    cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
+#else
+    cache->lock = PR_NewLock();
+#endif
+    if (!cache->lock)
+    {
+	PORT_Free(cache);
+        return SECFailure;
+    }
+    if (issuer)
+    {
+        cache->issuer = CERT_DupCertificate(issuer);
+    }
+    cache->distributionPoint = SECITEM_DupItem(dp);
+    cache->subject = SECITEM_DupItem(subject);
+    cache->lastfetch = 0;
+    cache->lastcheck = 0;
+    *returned = cache;
+    return SECSuccess;
+}
+
+/* create an issuer cache object (per CA subject ) */
+static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
+                             CERTCertificate* issuer,
+                             SECItem* subject, SECItem* dp)
+{
+    SECStatus rv = SECSuccess;
+    CRLIssuerCache* cache = NULL;
+    PORT_Assert(returned);
+    PORT_Assert(subject);
+    /* issuer and dp are allowed to be NULL */
+    if (!returned || !subject)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    *returned = NULL;
+    cache = (CRLIssuerCache*) PORT_ZAlloc(sizeof(CRLIssuerCache));
+    if (!cache)
+    {
+        return SECFailure;
+    }
+    cache->subject = SECITEM_DupItem(subject);
+#ifdef XCRL
+    cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
+    if (!cache->lock)
+    {
+        rv = SECFailure;
+    }
+    if (SECSuccess == rv && issuer)
+    {
+        cache->issuer = CERT_DupCertificate(issuer);
+        if (!cache->issuer)
+        {
+            rv = SECFailure;
+        }
+    }
+#endif
+    if (SECSuccess != rv)
+    {
+        PORT_Assert(SECSuccess == IssuerCache_Destroy(cache));
+        return SECFailure;
+    }
+    *returned = cache;
+    return SECSuccess;
+}
+
+/* add a DPCache to the issuer cache */
+static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
+                                   CERTCertificate* issuer,
+                                   SECItem* subject, SECItem* dp,
+                                   CRLDPCache** newdpc)
+{
+    /* now create the required DP cache object */
+    if (!cache || !subject || !newdpc)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (!dp)
+    {
+        /* default distribution point */
+        SECStatus rv = DPCache_Create(&cache->dpp, issuer, subject, NULL);
+        if (SECSuccess == rv)
+        {
+            *newdpc = cache->dpp;
+            return SECSuccess;
+        }
+    }
+    else
+    {
+        /* we should never hit this until we support multiple DPs */
+        PORT_Assert(dp);
+        /* XCRL allocate a new distribution point cache object, initialize it,
+           and add it to the hash table of DPs */
+    }
+    return SECFailure;
+}
+
+/* add an IssuerCache to the global hash table of issuers */
+static SECStatus CRLCache_AddIssuer(CRLIssuerCache* issuer)
+{    
+    PORT_Assert(issuer);
+    PORT_Assert(crlcache.issuers);
+    if (!issuer || !crlcache.issuers)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (NULL == PL_HashTableAdd(crlcache.issuers, (void*) issuer->subject,
+                                (void*) issuer))
+    {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* retrieve the issuer cache object for a given issuer subject */
+static SECStatus CRLCache_GetIssuerCache(CRLCache* cache, SECItem* subject,
+                                         CRLIssuerCache** returned)
+{
+    /* we need to look up the issuer in the hash table */
+    SECStatus rv = SECSuccess;
+    PORT_Assert(cache);
+    PORT_Assert(subject);
+    PORT_Assert(returned);
+    PORT_Assert(crlcache.issuers);
+    if (!cache || !subject || !returned || !crlcache.issuers)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        rv = SECFailure;
+    }
+
+    if (SECSuccess == rv)
+    {
+        *returned = (CRLIssuerCache*) PL_HashTableLookup(crlcache.issuers,
+                                                         (void*) subject);
+    }
+
+    return rv;
+}
+
+/* retrieve the full CRL object that best matches the content of a DPCache */
+static CERTSignedCrl* GetBestCRL(CRLDPCache* cache, PRBool entries)
+{
+    CachedCrl* acrl = NULL;
+
+    PORT_Assert(cache);
+    if (!cache)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return NULL;
+    }
+
+    if (0 == cache->ncrls)
+    {
+        /* empty cache*/
+        PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+        return NULL;
+    }    
+
+    /* if we have a valid full CRL selected, return it */
+    if (cache->selected)
+    {
+        return SEC_DupCrl(cache->selected->crl);
+    }
+
+    /* otherwise, use latest valid DER CRL */
+    acrl = cache->crls[cache->ncrls-1];
+
+    if (acrl && (PR_FALSE == GetOpaqueCRLFields(acrl->crl)->decodingError) )
+    {
+        SECStatus rv = SECSuccess;
+        if (PR_TRUE == entries)
+        {
+            rv = CERT_CompleteCRLDecodeEntries(acrl->crl);
+        }
+        if (SECSuccess == rv)
+        {
+            return SEC_DupCrl(acrl->crl);
+        }
+    }
+
+    PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+    return NULL;
+}
+
+/* get a particular DPCache object from an IssuerCache */
+static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp)
+{
+    CRLDPCache* dpp = NULL;
+    PORT_Assert(cache);
+    /* XCRL for now we only support the "default" DP, ie. the
+       full CRL. So we can return the global one without locking. In
+       the future we will have a lock */
+    PORT_Assert(NULL == dp);
+    if (!cache || dp)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return NULL;
+    }
+#ifdef XCRL
+    NSSRWLock_LockRead(cache->lock);
+#endif
+    dpp = cache->dpp;
+#ifdef XCRL
+    NSSRWLock_UnlockRead(cache->lock);
+#endif
+    return dpp;
+}
+
+/* get a DPCache object for the given issuer subject and dp
+   Automatically creates the cache object if it doesn't exist yet.
+   */
+SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
+                         SECItem* dp, PRTime t, void* wincx,
+                         CRLDPCache** dpcache, PRBool* writeLocked)
+{
+    SECStatus rv = SECSuccess;
+    CRLIssuerCache* issuercache = NULL;
+#ifdef GLOBAL_RWLOCK
+    PRBool globalwrite = PR_FALSE;
+#endif
+    PORT_Assert(crlcache.lock);
+    if (!crlcache.lock)
+    {
+        /* CRL cache is not initialized */
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+#ifdef GLOBAL_RWLOCK
+    NSSRWLock_LockRead(crlcache.lock);
+#else
+    PR_Lock(crlcache.lock);
+#endif
+    rv = CRLCache_GetIssuerCache(&crlcache, subject, &issuercache);
+    if (SECSuccess != rv)
+    {
+#ifdef GLOBAL_RWLOCK
+        NSSRWLock_UnlockRead(crlcache.lock);
+#else
+        PR_Unlock(crlcache.lock);
+#endif
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    if (!issuercache)
+    {
+        /* there is no cache for this issuer yet. This means this is the
+           first time we look up a cert from that issuer, and we need to
+           create the cache. */
+        
+        rv = IssuerCache_Create(&issuercache, issuer, subject, dp);
+        if (SECSuccess == rv && !issuercache)
+        {
+            PORT_Assert(issuercache);
+            rv = SECFailure;
+        }
+
+        if (SECSuccess == rv)
+        {
+            /* This is the first time we look up a cert of this issuer.
+               Create the DPCache for this DP . */
+            rv = IssuerCache_AddDP(issuercache, issuer, subject, dp, dpcache);
+        }
+
+        if (SECSuccess == rv)
+        {
+            /* lock the DPCache for write to ensure the update happens in this
+               thread */
+            *writeLocked = PR_TRUE;
+#ifdef DPC_RWLOCK
+            NSSRWLock_LockWrite((*dpcache)->lock);
+#else
+            PR_Lock((*dpcache)->lock);
+#endif
+        }
+        
+        if (SECSuccess == rv)
+        {
+            /* now add the new issuer cache to the global hash table of
+               issuers */
+#ifdef GLOBAL_RWLOCK
+            CRLIssuerCache* existing = NULL;
+            NSSRWLock_UnlockRead(crlcache.lock);
+            /* when using a r/w lock for the global cache, check if the issuer
+               already exists before adding to the hash table */
+            NSSRWLock_LockWrite(crlcache.lock);
+            globalwrite = PR_TRUE;
+            rv = CRLCache_GetIssuerCache(&crlcache, subject, &existing);
+            if (!existing)
+            {
+#endif
+                rv = CRLCache_AddIssuer(issuercache);
+                if (SECSuccess != rv)
+                {
+                    /* failure */
+                    rv = SECFailure;
+                }
+#ifdef GLOBAL_RWLOCK
+            }
+            else
+            {
+                /* somebody else updated before we did */
+                IssuerCache_Destroy(issuercache); /* destroy the new object */
+                issuercache = existing; /* use the existing one */
+                *dpcache = IssuerCache_GetDPCache(issuercache, dp);
+            }
+#endif
+        }
+
+        /* now unlock the global cache. We only want to lock the issuer hash
+           table addition. Holding it longer would hurt scalability */
+#ifdef GLOBAL_RWLOCK
+        if (PR_TRUE == globalwrite)
+        {
+            NSSRWLock_UnlockWrite(crlcache.lock);
+            globalwrite = PR_FALSE;
+        }
+        else
+        {
+            NSSRWLock_UnlockRead(crlcache.lock);
+        }
+#else
+        PR_Unlock(crlcache.lock);
+#endif
+
+        /* if there was a failure adding an issuer cache object, destroy it */
+        if (SECSuccess != rv && issuercache)
+        {
+            if (PR_TRUE == *writeLocked)
+            {
+#ifdef DPC_RWLOCK
+                NSSRWLock_UnlockWrite((*dpcache)->lock);
+#else
+                PR_Unlock((*dpcache)->lock);
+#endif
+            }
+            IssuerCache_Destroy(issuercache);
+            issuercache = NULL;
+        }
+
+        if (SECSuccess != rv)
+        {
+            return SECFailure;
+        }
+    } else
+    {
+#ifdef GLOBAL_RWLOCK
+        NSSRWLock_UnlockRead(crlcache.lock);
+#else
+        PR_Unlock(crlcache.lock);
+#endif
+        *dpcache = IssuerCache_GetDPCache(issuercache, dp);
+    }
+    /* we now have a DPCache that we can use for lookups */
+    /* lock it for read, unless we already locked for write */
+    if (PR_FALSE == *writeLocked)
+    {
+#ifdef DPC_RWLOCK
+        NSSRWLock_LockRead((*dpcache)->lock);
+#else
+        PR_Lock((*dpcache)->lock);
+#endif
+    }
+    
+    if (SECSuccess == rv)
+    {
+        /* currently there is always one and only one DPCache per issuer */
+        PORT_Assert(*dpcache);
+        if (*dpcache)
+        {
+            /* make sure the DP cache is up to date before using it */
+            rv = DPCache_GetUpToDate(*dpcache, issuer, PR_FALSE == *writeLocked,
+                                     t, wincx);
+        }
+        else
+        {
+            rv = SECFailure;
+        }
+    }
+    return rv;
+}
+
+/* unlock access to the DPCache */
+void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked)
+{
+    if (!dpcache)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return;
+    }
+#ifdef DPC_RWLOCK
+    if (PR_TRUE == writeLocked)
+    {
+        NSSRWLock_UnlockWrite(dpcache->lock);
+    }
+    else
+    {
+        NSSRWLock_UnlockRead(dpcache->lock);
+    }
+#else
+    PR_Unlock(dpcache->lock);
+#endif
+}
+
+/* check CRL revocation status of given certificate and issuer */
+SECStatus
+CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
+              PRTime t, void* wincx)
+{
+    PRBool lockedwrite = PR_FALSE;
+    SECStatus rv = SECSuccess;
+    CRLDPCache* dpcache = NULL;
+    if (!cert || !issuer)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    if (SECSuccess != CERT_CheckCertValidTimes(issuer, t, PR_FALSE))
+    {
+        /* we won't be able to check the CRL's signature if the issuer cert
+           is expired as of the time we are verifying. This may cause a valid
+           CRL to be cached as bad. short-circuit to avoid this case. */
+        PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
+        return SECFailure;
+    }
+
+    rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache,
+                        &lockedwrite);
+    
+    if (SECSuccess == rv)
+    {
+        /* now look up the certificate SN in the DP cache's CRL */
+        CERTCrlEntry* entry = NULL;
+        rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
+        if (SECSuccess == rv && entry)
+        {
+            /* check the time if we have one */
+            if (entry->revocationDate.data && entry->revocationDate.len)
+            {
+                PRTime revocationDate = 0;
+                if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
+                                               &entry->revocationDate))
+                {
+                    /* we got a good revocation date, only consider the
+                       certificate revoked if the time we are inquiring about
+                       is past the revocation date */
+                    if (t>=revocationDate)
+                    {
+                        rv = SECFailure;
+                    }
+                } else {
+                    /* invalid revocation date, consider the certificate
+                       permanently revoked */
+                    rv = SECFailure;
+                }
+            } else {
+                /* no revocation date, certificate is permanently revoked */
+                rv = SECFailure;
+            }
+            if (SECFailure == rv)
+            {
+                PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+            }
+        }
+    }
+
+    ReleaseDPCache(dpcache, lockedwrite);
+    return rv;
+}
+
+/* retrieve full CRL object that best matches the cache status */
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
+{
+    CERTSignedCrl* acrl = NULL;
+    CRLDPCache* dpcache = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool writeLocked = PR_FALSE;
+
+    if (!crlKey)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &dpcache, &writeLocked);
+    if (SECSuccess == rv)
+    {
+        acrl = GetBestCRL(dpcache, PR_TRUE); /* decode entries, because
+        SEC_FindCrlByName always returned fully decoded CRLs in the past */
+        ReleaseDPCache(dpcache, writeLocked);
+    }
+    return acrl;
+}
+
+/* invalidate the CRL cache for a given issuer, which forces a refetch of
+   CRL objects from PKCS#11 tokens */
+void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey)
+{
+    CRLDPCache* cache = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool writeLocked = PR_FALSE;
+    PRBool readlocked;
+
+    (void) dbhandle; /* silence compiler warnings */
+
+    /* XCRL we will need to refresh all the DPs of the issuer in the future,
+            not just the default one */
+    rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &cache, &writeLocked);
+    if (SECSuccess != rv)
+    {
+        return;
+    }
+    /* we need to invalidate the DPCache here */
+    readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
+    DPCache_LockWrite();
+    cache->refresh = PR_TRUE;
+    DPCache_UnlockWrite();
+    ReleaseDPCache(cache, writeLocked);
+    return;
+}
+
+/* add the specified RAM CRL object to the cache */
+SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newdercrl)
+{
+    CRLDPCache* cache = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool writeLocked = PR_FALSE;
+    PRBool readlocked;
+    CachedCrl* returned = NULL;
+    PRBool added = PR_FALSE;
+    CERTSignedCrl* newcrl = NULL;
+    int realerror = 0;
+    
+    if (!dbhandle || !newdercrl)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* first decode the DER CRL to make sure it's OK */
+    newcrl = CERT_DecodeDERCrlWithFlags(NULL, newdercrl, SEC_CRL_TYPE,
+                                        CRL_DECODE_DONT_COPY_DER |
+                                        CRL_DECODE_SKIP_ENTRIES);
+
+    if (!newcrl)
+    {
+        return SECFailure;
+    }
+
+    rv = AcquireDPCache(NULL,
+                        &newcrl->crl.derName,
+                        NULL, 0, NULL, &cache, &writeLocked);
+    if (SECSuccess == rv)
+    {
+        readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
+    
+        rv = CachedCrl_Create(&returned, newcrl, CRL_OriginExplicit);
+        if (SECSuccess == rv && returned)
+        {
+            DPCache_LockWrite();
+            rv = DPCache_AddCRL(cache, returned, &added);
+            if (PR_TRUE != added)
+            {
+                realerror = PORT_GetError();
+                CachedCrl_Destroy(returned);
+                returned = NULL;
+            }
+            DPCache_UnlockWrite();
+        }
+    
+        ReleaseDPCache(cache, writeLocked);
+    
+        if (!added)
+        {
+            rv = SECFailure;
+        }
+    }
+    SEC_DestroyCrl(newcrl); /* free the CRL. Either it got added to the cache
+        and the refcount got bumped, or not, and thus we need to free its
+        RAM */
+    if (realerror)
+    {
+        PORT_SetError(realerror);
+    }
+    return rv;
+}
+
+/* remove the specified RAM CRL object from the cache */
+SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* olddercrl)
+{
+    CRLDPCache* cache = NULL;
+    SECStatus rv = SECSuccess;
+    PRBool writeLocked = PR_FALSE;
+    PRBool readlocked;
+    PRBool removed = PR_FALSE;
+    PRUint32 i;
+    CERTSignedCrl* oldcrl = NULL;
+    
+    if (!dbhandle || !olddercrl)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* first decode the DER CRL to make sure it's OK */
+    oldcrl = CERT_DecodeDERCrlWithFlags(NULL, olddercrl, SEC_CRL_TYPE,
+                                        CRL_DECODE_DONT_COPY_DER |
+                                        CRL_DECODE_SKIP_ENTRIES);
+
+    if (!oldcrl)
+    {
+        /* if this DER CRL can't decode, it can't be in the cache */
+        return SECFailure;
+    }
+
+    rv = AcquireDPCache(NULL,
+                        &oldcrl->crl.derName,
+                        NULL, 0, NULL, &cache, &writeLocked);
+    if (SECSuccess == rv)
+    {
+        CachedCrl* returned = NULL;
+
+        readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
+    
+        rv = CachedCrl_Create(&returned, oldcrl, CRL_OriginExplicit);
+        if (SECSuccess == rv && returned)
+        {
+            DPCache_LockWrite();
+            for (i=0;i<cache->ncrls;i++)
+            {
+                PRBool dupe = PR_FALSE, updated = PR_FALSE;
+                rv = CachedCrl_Compare(returned, cache->crls[i],
+                                                      &dupe, &updated);
+                if (SECSuccess != rv)
+                {
+                    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                    break;
+                }
+                if (PR_TRUE == dupe)
+                {
+                    rv = DPCache_RemoveCRL(cache, i); /* got a match */
+                    if (SECSuccess == rv) {
+                        cache->mustchoose = PR_TRUE;
+                        removed = PR_TRUE;
+                    }
+                    break;
+                }
+            }
+            
+            DPCache_UnlockWrite();
+
+            if (SECSuccess != CachedCrl_Destroy(returned) ) {
+                rv = SECFailure;
+            }
+        }
+
+        ReleaseDPCache(cache, writeLocked);
+    }
+    if (SECSuccess != SEC_DestroyCrl(oldcrl) ) { 
+        /* need to do this because object is refcounted */
+        rv = SECFailure;
+    }
+    if (SECSuccess == rv && PR_TRUE != removed)
+    {
+        PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+    }
+    return rv;
+}
+
+static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
+                                  CRLOrigin origin)
+{
+    CachedCrl* newcrl = NULL;
+    if (!returned)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    newcrl = PORT_ZAlloc(sizeof(CachedCrl));
+    if (!newcrl)
+    {
+        return SECFailure;
+    }
+    newcrl->crl = SEC_DupCrl(crl);
+    newcrl->origin = origin;
+    *returned = newcrl;
+    return SECSuccess;
+}
+
+/* empty the cache content */
+static SECStatus CachedCrl_Depopulate(CachedCrl* crl)
+{
+    if (!crl)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+     /* destroy the hash table */
+    if (crl->entries)
+    {
+        PL_HashTableDestroy(crl->entries);
+        crl->entries = NULL;
+    }
+
+    /* free the pre buffer */
+    if (crl->prebuffer)
+    {
+        PreAllocator_Destroy(crl->prebuffer);
+        crl->prebuffer = NULL;
+    }
+    return SECSuccess;
+}
+
+static SECStatus CachedCrl_Destroy(CachedCrl* crl)
+{
+    if (!crl)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    CachedCrl_Depopulate(crl);
+    SEC_DestroyCrl(crl->crl);
+    PORT_Free(crl);
+    return SECSuccess;
+}
+
+/* create hash table of CRL entries */
+static SECStatus CachedCrl_Populate(CachedCrl* crlobject)
+{
+    SECStatus rv = SECFailure;
+    CERTCrlEntry** crlEntry = NULL;
+    PRUint32 numEntries = 0;
+
+    if (!crlobject)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    /* complete the entry decoding . XXX thread-safety of CRL object */
+    rv = CERT_CompleteCRLDecodeEntries(crlobject->crl);
+    if (SECSuccess != rv)
+    {
+        crlobject->unbuildable = PR_TRUE; /* don't try to build this again */
+        return SECFailure;
+    }
+
+    if (crlobject->entries && crlobject->prebuffer)
+    {
+        /* cache is already built */
+        return SECSuccess;
+    }
+
+    /* build the hash table from the full CRL */    
+    /* count CRL entries so we can pre-allocate space for hash table entries */
+    for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
+         crlEntry++)
+    {
+        numEntries++;
+    }
+    crlobject->prebuffer = PreAllocator_Create(numEntries*sizeof(PLHashEntry));
+    PORT_Assert(crlobject->prebuffer);
+    if (!crlobject->prebuffer)
+    {
+        return SECFailure;
+    }
+    /* create a new hash table */
+    crlobject->entries = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+                         PL_CompareValues, &preAllocOps, crlobject->prebuffer);
+    PORT_Assert(crlobject->entries);
+    if (!crlobject->entries)
+    {
+        return SECFailure;
+    }
+    /* add all serial numbers to the hash table */
+    for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
+         crlEntry++)
+    {
+        PL_HashTableAdd(crlobject->entries, &(*crlEntry)->serialNumber,
+                        *crlEntry);
+    }
+
+    return SECSuccess;
+}
+
+/* returns true if there are CRLs from PKCS#11 slots */
+static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache)
+{
+    PRBool answer = PR_FALSE;
+    PRUint32 i;
+    for (i=0;i<cache->ncrls;i++)
+    {
+        if (cache->crls[i] && (CRL_OriginToken == cache->crls[i]->origin) )
+        {
+            answer = PR_TRUE;
+            break;
+        }
+    }
+    return answer;
+}
+
+/* are these CRLs the same, as far as the cache is concerned ? */
+/* are these CRLs the same token object but with different DER ?
+   This can happen if the DER CRL got updated in the token, but the PKCS#11
+   object ID did not change. NSS softoken has the unfortunate property to
+   never change the object ID for CRL objects. */
+static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
+                                PRBool* isUpdated)
+{
+    PORT_Assert(a);
+    PORT_Assert(b);
+    PORT_Assert(isDupe);
+    PORT_Assert(isUpdated);
+    if (!a || !b || !isDupe || !isUpdated || !a->crl || !b->crl)
+    {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    *isDupe = *isUpdated = PR_FALSE;
+
+    if (a == b)
+    {
+        /* dupe */
+        *isDupe = PR_TRUE;
+        *isUpdated = PR_FALSE;
+        return SECSuccess;
+    }
+    if (b->origin != a->origin)
+    {
+        /* CRLs of different origins are not considered dupes,
+           and can't be updated either */
+        return SECSuccess;
+    }
+    if (CRL_OriginToken == b->origin)
+    {
+        /* for token CRLs, slot and PKCS#11 object handle must match for CRL
+           to truly be a dupe */
+        if ( (b->crl->slot == a->crl->slot) &&
+             (b->crl->pkcs11ID == a->crl->pkcs11ID) )
+        {
+            /* ASN.1 DER needs to match for dupe check */
+            /* could optimize by just checking a few fields like thisUpdate */
+            if ( SECEqual == SECITEM_CompareItem(b->crl->derCrl,
+                                                 a->crl->derCrl) )
+            {
+                *isDupe = PR_TRUE;
+            }
+            else
+            {
+                *isUpdated = PR_TRUE;
+            }
+        }
+        return SECSuccess;
+    }
+    if (CRL_OriginExplicit == b->origin)
+    {
+        /* We need to make sure this is the same object that the user provided
+           to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
+           just do a pointer comparison here.
+        */
+        if (b->crl->derCrl == a->crl->derCrl)
+        {
+            *isDupe = PR_TRUE;
+        }
+    }
+    return SECSuccess;
+}
+
+/* this function assumes the caller holds a read lock on the DPCache */
+SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena,
+                             CERTSignedCrl*** crls, PRUint16* status)
+{
+    CERTSignedCrl** allcrls;
+    PRUint32 index;
+    if (!dpc || !crls || !status)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    *status = dpc->invalid;
+    *crls = NULL;
+    if (!dpc->ncrls)
+    {
+        /* no CRLs to return */
+        return SECSuccess;
+    }
+    allcrls = PORT_ArenaZNewArray(arena, CERTSignedCrl*, dpc->ncrls +1);
+    if (!allcrls)
+    {
+        return SECFailure;
+    }
+    for (index=0; index < dpc->ncrls ; index ++) {
+        CachedCrl* cachedcrl = dpc->crls[index];
+        if (!cachedcrl || !cachedcrl->crl)
+        {
+            PORT_Assert(0); /* this should never happen */
+            continue;
+        }
+        allcrls[index] = SEC_DupCrl(cachedcrl->crl);
+    }
+    *crls = allcrls;
+    return SECSuccess;
+}
+
+static CachedCrl* DPCache_FindCRL(CRLDPCache* cache, CERTSignedCrl* crl)
+{
+    PRUint32 index;
+    CachedCrl* cachedcrl = NULL;
+    for (index=0; index < cache->ncrls ; index ++) {
+        cachedcrl = cache->crls[index];
+        if (!cachedcrl || !cachedcrl->crl)
+        {
+            PORT_Assert(0); /* this should never happen */
+            continue;
+        }
+        if (cachedcrl->crl == crl) {
+            break;
+        }
+    }
+    return cachedcrl;
+}
+
+/* this function assumes the caller holds a lock on the DPCache */
+SECStatus DPCache_GetCRLEntry(CRLDPCache* cache, PRBool readlocked,
+                              CERTSignedCrl* crl, SECItem* sn,
+                              CERTCrlEntry** returned)
+{
+    CachedCrl* cachedcrl = NULL;
+    if (!cache || !crl || !sn || !returned)
+    {
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *returned = NULL;
+    /* first, we need to find the CachedCrl* that matches this CERTSignedCRL */
+    cachedcrl = DPCache_FindCRL(cache, crl);
+    if (!cachedcrl) {
+        PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+        return SECFailure;
+    }
+
+    if (cachedcrl->unbuildable) {
+        /* this CRL could not be fully decoded */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
+    }
+    /* now, make sure it has a hash table. Otherwise, we'll need to build one */
+    if (!cachedcrl->entries || !cachedcrl->prebuffer) {
+        DPCache_LockWrite();
+        CachedCrl_Populate(cachedcrl);
+        DPCache_UnlockWrite();
+    }
+
+    /* finally, get the CRL entry */       
+    return CachedCrl_GetEntry(cachedcrl, sn, returned);
+}
+
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
new file mode 100644
index 000000000..21c89fe7c
--- /dev/null
+++ b/security/nss/lib/certdb/genname.c
@@ -0,0 +1,1975 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secitem.h"
+#include "secoidt.h"
+#include "mcom_db.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+#include "cert.h"
+#include "xconst.h"
+#include "secerr.h"
+#include "secoid.h"
+#include "prprf.h"
+#include "genname.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_IA5StringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+
+static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
+    { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+          offsetof(CERTNameConstraint, min),
+          SEC_ASN1_SUB(SEC_IntegerTemplate) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, 
+          offsetof(CERTNameConstraint, max),
+          SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+          offsetof(CERTNameConstraints, DERPermited), 
+	  CERT_NameConstraintSubtreeSubTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+          offsetof(CERTNameConstraints, DERExcluded), 
+	  CERT_NameConstraintSubtreeSubTemplate},
+    { 0, }
+};
+
+
+static const SEC_ASN1Template CERTOthNameTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
+    { SEC_ASN1_OBJECT_ID, 
+	  offsetof(OtherName, oid) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_XTRN | 0, offsetof(OtherName, name),
+          SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0, } 
+};
+
+static const SEC_ASN1Template CERTOtherNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 ,
+      offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate, 
+      sizeof(CERTGeneralName) }
+};
+
+static const SEC_ASN1Template CERTOtherName2Template[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
+      0, NULL, sizeof(CERTGeneralName) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
+    { 0, } 
+};
+
+static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
+          offsetof(CERTGeneralName, name.other),
+          SEC_ASN1_SUB(SEC_IA5StringTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 ,
+          offsetof(CERTGeneralName, name.other),
+          SEC_ASN1_SUB(SEC_IA5StringTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 3,
+          offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_XTRN | 4, offsetof(CERTGeneralName, derDirectoryName),
+          SEC_ASN1_SUB(SEC_AnyTemplate), sizeof (CERTGeneralName)}
+};
+
+
+static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 5,
+          offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_URITemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 6 ,
+          offsetof(CERTGeneralName, name.other),
+          SEC_ASN1_SUB(SEC_IA5StringTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 7 ,
+          offsetof(CERTGeneralName, name.other),
+          SEC_ASN1_SUB(SEC_OctetStringTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 8 ,
+          offsetof(CERTGeneralName, name.other),
+          SEC_ASN1_SUB(SEC_ObjectIDTemplate),
+          sizeof (CERTGeneralName)}
+};
+
+
+const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN , 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+
+
+CERTGeneralName *
+CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
+{
+    CERTGeneralName *name = arena 
+                            ? PORT_ArenaZNew(arena, CERTGeneralName)
+	                    : PORT_ZNew(CERTGeneralName);
+    if (name) {
+	name->type = type;
+	name->l.prev = name->l.next = &name->l;
+    }
+    return name;
+}
+
+/* Copy content of one General Name to another.
+** Caller has allocated destination general name.
+** This function does not change the destinate's GeneralName's list linkage.
+*/
+SECStatus
+cert_CopyOneGeneralName(PRArenaPool      *arena, 
+		        CERTGeneralName  *dest, 
+		        CERTGeneralName  *src)
+{
+    SECStatus rv;
+    void *mark = NULL;
+
+    PORT_Assert(dest != NULL);
+    dest->type = src->type;
+
+    mark = PORT_ArenaMark(arena);
+
+    switch (src->type) {
+    case certDirectoryName: 
+	rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, 
+				      &src->derDirectoryName);
+	if (rv == SECSuccess) 
+	    rv = CERT_CopyName(arena, &dest->name.directoryName, 
+				       &src->name.directoryName);
+	break;
+
+    case certOtherName: 
+	rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, 
+				      &src->name.OthName.name);
+	if (rv == SECSuccess) 
+	    rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, 
+					  &src->name.OthName.oid);
+	break;
+
+    default: 
+	rv = SECITEM_CopyItem(arena, &dest->name.other, 
+				      &src->name.other);
+	break;
+
+    }
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        PORT_ArenaUnmark(arena, mark);
+    }
+    return rv;
+}
+
+
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
+{
+    PZLock *lock;
+
+    if (list != NULL) {
+	lock = list->lock;
+	PZ_Lock(lock);
+	if (--list->refCount <= 0 && list->arena != NULL) {
+	    PORT_FreeArena(list->arena, PR_FALSE);
+	    PZ_Unlock(lock);
+	    PZ_DestroyLock(lock);
+	} else {
+	    PZ_Unlock(lock);
+	}
+    }
+    return;
+}
+
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name) {
+    PRArenaPool *arena;
+    CERTGeneralNameList *list = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto done;
+    }
+    list = PORT_ArenaZNew(arena, CERTGeneralNameList);
+    if (!list)
+    	goto loser;
+    if (name != NULL) {
+	SECStatus rv;
+	list->name = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
+	if (!list->name)
+	    goto loser;
+	rv = CERT_CopyGeneralName(arena, list->name, name);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+    list->lock = PZ_NewLock(nssILockList);
+    if (!list->lock)
+    	goto loser;
+    list->arena = arena;
+    list->refCount = 1;
+done:
+    return list;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+CERTGeneralName *
+CERT_GetNextGeneralName(CERTGeneralName *current)
+{
+    PRCList *next;
+    
+    next = current->l.next;
+    return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
+}
+
+CERTGeneralName *
+CERT_GetPrevGeneralName(CERTGeneralName *current)
+{
+    PRCList *prev;
+    prev = current->l.prev;
+    return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
+}
+
+CERTNameConstraint *
+CERT_GetNextNameConstraint(CERTNameConstraint *current)
+{
+    PRCList *next;
+    
+    next = current->l.next;
+    return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
+}
+
+CERTNameConstraint *
+CERT_GetPrevNameConstraint(CERTNameConstraint *current)
+{
+    PRCList *prev;
+    prev = current->l.prev;
+    return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
+}
+
+SECItem *
+CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena)
+{
+
+    const SEC_ASN1Template * template;
+
+    PORT_Assert(arena);
+    if (arena == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* TODO: mark arena */
+    if (dest == NULL) {
+	dest = PORT_ArenaZNew(arena, SECItem);
+	if (!dest)
+	    goto loser;
+    }
+    if (genName->type == certDirectoryName) {
+	if (genName->derDirectoryName.data == NULL) {
+	    /* The field hasn't been encoded yet. */
+            SECItem * pre_dest =
+            SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
+                                &(genName->name.directoryName),
+                                CERT_NameTemplate);
+            if (!pre_dest)
+                goto loser;
+	}
+	if (genName->derDirectoryName.data == NULL) {
+	    goto loser;
+	}
+    }
+    switch (genName->type) {
+    case certURI:           template = CERT_URITemplate;           break;
+    case certRFC822Name:    template = CERT_RFC822NameTemplate;    break;
+    case certDNSName:       template = CERT_DNSNameTemplate;       break;
+    case certIPAddress:     template = CERT_IPAddressTemplate;     break;
+    case certOtherName:     template = CERTOtherNameTemplate;      break;
+    case certRegisterID:    template = CERT_RegisteredIDTemplate;  break;
+         /* for this type, we expect the value is already encoded */
+    case certEDIPartyName:  template = CERT_EDIPartyNameTemplate;  break;
+	 /* for this type, we expect the value is already encoded */
+    case certX400Address:   template = CERT_X400AddressTemplate;   break;
+    case certDirectoryName: template = CERT_DirectoryNameTemplate; break;
+    default:
+	PORT_Assert(0); goto loser;
+    }
+    dest = SEC_ASN1EncodeItem(arena, dest, genName, template);
+    if (!dest) {
+	goto loser;
+    }
+    /* TODO: unmark arena */
+    return dest;
+loser:
+    /* TODO: release arena back to mark */
+    return NULL;
+}
+
+SECItem **
+cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names)
+{
+    CERTGeneralName  *current_name;
+    SECItem          **items = NULL;
+    int              count = 0;
+    int              i;
+    PRCList          *head;
+
+    PORT_Assert(arena);
+    /* TODO: mark arena */
+    current_name = names;
+    if (names != NULL) {
+	count = 1;
+    }
+    head = &(names->l);
+    while (current_name->l.next != head) {
+	current_name = CERT_GetNextGeneralName(current_name);
+	++count;
+    }
+    current_name = CERT_GetNextGeneralName(current_name);
+    items = PORT_ArenaNewArray(arena, SECItem *, count + 1);
+    if (items == NULL) {
+	goto loser;
+    }
+    for (i = 0; i < count; i++) {
+	items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena);
+	if (items[i] == NULL) {
+	    goto loser;
+	}
+	current_name = CERT_GetNextGeneralName(current_name);
+    }
+    items[i] = NULL;
+    /* TODO: unmark arena */
+    return items;
+loser:
+    /* TODO: release arena to mark */
+    return NULL;
+}
+
+CERTGeneralName *
+CERT_DecodeGeneralName(PRArenaPool      *reqArena,
+		       SECItem          *encodedName,
+		       CERTGeneralName  *genName)
+{
+    const SEC_ASN1Template *         template;
+    CERTGeneralNameType              genNameType;
+    SECStatus                        rv = SECSuccess;
+    SECItem* newEncodedName;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    /* make a copy for decoding so the data decoded with QuickDER doesn't
+       point to temporary memory */
+    newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName);
+    if (!newEncodedName) {
+        return NULL;
+    }
+    /* TODO: mark arena */
+    genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
+    if (genName == NULL) {
+	genName = CERT_NewGeneralName(reqArena, genNameType);
+	if (!genName)
+	    goto loser;
+    } else {
+	genName->type = genNameType;
+	genName->l.prev = genName->l.next = &genName->l;
+    }
+
+    switch (genNameType) {
+    case certURI: 		template = CERT_URITemplate;           break;
+    case certRFC822Name: 	template = CERT_RFC822NameTemplate;    break;
+    case certDNSName: 		template = CERT_DNSNameTemplate;       break;
+    case certIPAddress: 	template = CERT_IPAddressTemplate;     break;
+    case certOtherName: 	template = CERTOtherNameTemplate;      break;
+    case certRegisterID: 	template = CERT_RegisteredIDTemplate;  break;
+    case certEDIPartyName: 	template = CERT_EDIPartyNameTemplate;  break;
+    case certX400Address: 	template = CERT_X400AddressTemplate;   break;
+    case certDirectoryName: 	template = CERT_DirectoryNameTemplate; break;
+    default: 
+        goto loser;
+    }
+    rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName);
+    if (rv != SECSuccess) 
+	goto loser;
+    if (genNameType == certDirectoryName) {
+	rv = SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName), 
+				CERT_NameTemplate, 
+				&(genName->derDirectoryName));
+        if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* TODO: unmark arena */
+    return genName;
+loser:
+    /* TODO: release arena to mark */
+    return NULL;
+}
+
+CERTGeneralName *
+cert_DecodeGeneralNames (PRArenaPool  *arena,
+			 SECItem      **encodedGenName)
+{
+    PRCList                           *head = NULL;
+    PRCList                           *tail = NULL;
+    CERTGeneralName                   *currentName = NULL;
+
+    PORT_Assert(arena);
+    if (!encodedGenName || !arena) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* TODO: mark arena */
+    while (*encodedGenName != NULL) {
+	currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL);
+	if (currentName == NULL)
+	    break;
+	if (head == NULL) {
+	    head = &(currentName->l);
+	    tail = head;
+	}
+	currentName->l.next = head;
+	currentName->l.prev = tail;
+	tail = head->prev = tail->next = &(currentName->l);
+	encodedGenName++;
+    }
+    if (currentName) {
+	/* TODO: unmark arena */
+	return CERT_GetNextGeneralName(currentName);
+    }
+    /* TODO: release arena to mark */
+    return NULL;
+}
+
+void
+CERT_DestroyGeneralName(CERTGeneralName *name)
+{
+    cert_DestroyGeneralNames(name);
+}
+
+SECStatus
+cert_DestroyGeneralNames(CERTGeneralName *name)
+{
+    CERTGeneralName    *first;
+    CERTGeneralName    *next = NULL;
+
+
+    first = name;
+    do {
+	next = CERT_GetNextGeneralName(name);
+	PORT_Free(name);
+	name = next;
+    } while (name != first);
+    return SECSuccess;
+}
+
+static SECItem *
+cert_EncodeNameConstraint(CERTNameConstraint  *constraint, 
+			 SECItem             *dest,
+			 PRArenaPool         *arena)
+{
+    PORT_Assert(arena);
+    if (dest == NULL) {
+	dest = PORT_ArenaZNew(arena, SECItem);
+	if (dest == NULL) {
+	    return NULL;
+	}
+    }
+    CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena);
+    
+    dest = SEC_ASN1EncodeItem (arena, dest, constraint,
+			       CERTNameConstraintTemplate);
+    return dest;
+} 
+
+SECStatus 
+cert_EncodeNameConstraintSubTree(CERTNameConstraint  *constraints,
+			         PRArenaPool         *arena,
+				 SECItem             ***dest,
+				 PRBool              permited)
+{
+    CERTNameConstraint  *current_constraint = constraints;
+    SECItem             **items = NULL;
+    int                 count = 0;
+    int                 i;
+    PRCList             *head;
+
+    PORT_Assert(arena);
+    /* TODO: mark arena */
+    if (constraints != NULL) {
+	count = 1;
+    }
+    head = &constraints->l;
+    while (current_constraint->l.next != head) {
+	current_constraint = CERT_GetNextNameConstraint(current_constraint);
+	++count;
+    }
+    current_constraint = CERT_GetNextNameConstraint(current_constraint);
+    items = PORT_ArenaZNewArray(arena, SECItem *, count + 1);
+    if (items == NULL) {
+	goto loser;
+    }
+    for (i = 0; i < count; i++) {
+	items[i] = cert_EncodeNameConstraint(current_constraint, 
+					     (SECItem *) NULL, arena);
+	if (items[i] == NULL) {
+	    goto loser;
+	}
+	current_constraint = CERT_GetNextNameConstraint(current_constraint);
+    }
+    *dest = items;
+    if (*dest == NULL) {
+	goto loser;
+    }
+    /* TODO: unmark arena */
+    return SECSuccess;
+loser:
+    /* TODO: release arena to mark */
+    return SECFailure;
+}
+
+SECStatus 
+cert_EncodeNameConstraints(CERTNameConstraints  *constraints,
+			   PRArenaPool          *arena,
+			   SECItem              *dest)
+{
+    SECStatus    rv = SECSuccess;
+
+    PORT_Assert(arena);
+    /* TODO: mark arena */
+    if (constraints->permited != NULL) {
+	rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
+					      &constraints->DERPermited, 
+					      PR_TRUE);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+    }
+    if (constraints->excluded != NULL) {
+	rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
+					      &constraints->DERExcluded, 
+					      PR_FALSE);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+    }
+    dest = SEC_ASN1EncodeItem(arena, dest, constraints, 
+			      CERTNameConstraintsTemplate);
+    if (dest == NULL) {
+	goto loser;
+    }
+    /* TODO: unmark arena */
+    return SECSuccess;
+loser:
+    /* TODO: release arena to mark */
+    return SECFailure;
+}
+
+
+CERTNameConstraint *
+cert_DecodeNameConstraint(PRArenaPool       *reqArena,
+			  SECItem           *encodedConstraint)
+{
+    CERTNameConstraint     *constraint;
+    SECStatus              rv = SECSuccess;
+    CERTGeneralName        *temp;
+    SECItem*               newEncodedConstraint;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint);
+    if (!newEncodedConstraint) {
+        return NULL;
+    }
+    /* TODO: mark arena */
+    constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint);
+    if (!constraint)
+    	goto loser;
+    rv = SEC_QuickDERDecodeItem(reqArena, constraint,
+                                CERTNameConstraintTemplate,
+                                newEncodedConstraint);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName),
+                                  &(constraint->name));
+    if (temp != &(constraint->name)) {
+	goto loser;
+    }
+
+    /* ### sjlee: since the name constraint contains only one 
+     *            CERTGeneralName, the list within CERTGeneralName shouldn't 
+     *            point anywhere else.  Otherwise, bad things will happen.
+     */
+    constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
+    /* TODO: unmark arena */
+    return constraint;
+loser:
+    /* TODO: release arena back to mark */
+    return NULL;
+}
+
+CERTNameConstraint *
+cert_DecodeNameConstraintSubTree(PRArenaPool   *arena,
+				 SECItem       **subTree,
+				 PRBool        permited)
+{
+    CERTNameConstraint   *current = NULL;
+    CERTNameConstraint   *first = NULL;
+    CERTNameConstraint   *last = NULL;
+    int                  i = 0;
+
+    PORT_Assert(arena);
+    /* TODO: mark arena */
+    while (subTree[i] != NULL) {
+	current = cert_DecodeNameConstraint(arena, subTree[i]);
+	if (current == NULL) {
+	    goto loser;
+	}
+	if (last == NULL) {
+	    first = last = current;
+	}
+	current->l.prev = &(last->l);
+	current->l.next = last->l.next;
+	last->l.next = &(current->l);
+	i++;
+    }
+    first->l.prev = &(current->l);
+    /* TODO: unmark arena */
+    return first;
+loser:
+    /* TODO: release arena back to mark */
+    return NULL;
+}
+
+CERTNameConstraints *
+cert_DecodeNameConstraints(PRArenaPool   *reqArena,
+			   SECItem       *encodedConstraints)
+{
+    CERTNameConstraints   *constraints;
+    SECStatus             rv;
+    SECItem*              newEncodedConstraints;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    PORT_Assert(encodedConstraints);
+    newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints);
+
+    /* TODO: mark arena */
+    constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints);
+    if (constraints == NULL) {
+	goto loser;
+    }
+    rv = SEC_QuickDERDecodeItem(reqArena, constraints,
+                                CERTNameConstraintsTemplate,
+                                newEncodedConstraints);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (constraints->DERPermited != NULL && 
+        constraints->DERPermited[0] != NULL) {
+	constraints->permited = 
+	    cert_DecodeNameConstraintSubTree(reqArena,
+                                             constraints->DERPermited,
+                                             PR_TRUE);
+	if (constraints->permited == NULL) {
+	    goto loser;
+	}
+    }
+    if (constraints->DERExcluded != NULL && 
+        constraints->DERExcluded[0] != NULL) {
+	constraints->excluded = 
+	    cert_DecodeNameConstraintSubTree(reqArena,
+                                             constraints->DERExcluded,
+                                             PR_FALSE);
+	if (constraints->excluded == NULL) {
+	    goto loser;
+	}
+    }
+    /* TODO: unmark arena */
+    return constraints;
+loser:
+    /* TODO: release arena back to mark */
+    return NULL;
+}
+
+/* Copy a chain of one or more general names to a destination chain.
+** Caller has allocated at least the first destination GeneralName struct. 
+** Both source and destination chains are circular doubly-linked lists.
+** The first source struct is copied to the first destination struct.
+** If the source chain has more than one member, and the destination chain 
+** has only one member, then this function allocates new structs for all but 
+** the first copy from the arena and links them into the destination list.  
+** If the destination struct is part of a list with more than one member,
+** then this function traverses both the source and destination lists,
+** copying each source struct to the corresponding dest struct.
+** In that case, the destination list MUST contain at least as many 
+** structs as the source list or some dest entries will be overwritten.
+*/
+SECStatus
+CERT_CopyGeneralName(PRArenaPool      *arena, 
+		     CERTGeneralName  *dest, 
+		     CERTGeneralName  *src)
+{
+    SECStatus rv;
+    CERTGeneralName *destHead = dest;
+    CERTGeneralName *srcHead = src;
+
+    PORT_Assert(dest != NULL);
+    if (!dest) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* TODO: mark arena */
+    do {
+	rv = cert_CopyOneGeneralName(arena, dest, src);
+	if (rv != SECSuccess)
+	    goto loser;
+	src = CERT_GetNextGeneralName(src);
+	/* if there is only one general name, we shouldn't do this */
+	if (src != srcHead) {
+	    if (dest->l.next == &destHead->l) {
+		CERTGeneralName *temp;
+		temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
+		if (!temp) 
+		    goto loser;
+		temp->l.next = &destHead->l;
+		temp->l.prev = &dest->l;
+		destHead->l.prev = &temp->l;
+		dest->l.next = &temp->l;
+		dest = temp;
+	    } else {
+		dest = CERT_GetNextGeneralName(dest);
+	    }
+	}
+    } while (src != srcHead && rv == SECSuccess);
+    /* TODO: unmark arena */
+    return rv;
+loser:
+    /* TODO: release back to mark */
+    return SECFailure;
+}
+
+
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list)
+{
+    if (list != NULL) {
+	PZ_Lock(list->lock);
+	list->refCount++;
+	PZ_Unlock(list->lock);
+    }
+    return list;
+}
+
+/* Allocate space and copy CERTNameConstraint from src to dest */
+CERTNameConstraint *
+CERT_CopyNameConstraint(PRArenaPool         *arena, 
+			CERTNameConstraint  *dest, 
+			CERTNameConstraint  *src)
+{
+    SECStatus  rv;
+    
+    /* TODO: mark arena */
+    if (dest == NULL) {
+	dest = PORT_ArenaZNew(arena, CERTNameConstraint);
+	if (!dest)
+	    goto loser;
+	/* mark that it is not linked */
+	dest->name.l.prev = dest->name.l.next = &(dest->name.l);
+    }
+    rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    dest->l.prev = dest->l.next = &dest->l;
+    /* TODO: unmark arena */
+    return dest;
+loser:
+    /* TODO: release arena to mark */
+    return NULL;
+}
+
+
+CERTGeneralName *
+cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
+{
+    PRCList *begin1;
+    PRCList *begin2;
+    PRCList *end1;
+    PRCList *end2;
+
+    if (list1 == NULL){
+	return list2;
+    } else if (list2 == NULL) {
+	return list1;
+    } else {
+	begin1 = &list1->l;
+	begin2 = &list2->l;
+	end1 = list1->l.prev;
+	end2 = list2->l.prev;
+	end1->next = begin2;
+	end2->next = begin1;
+	begin1->prev = end2;
+	begin2->prev = end1;
+	return list1;
+    }
+}
+
+
+CERTNameConstraint *
+cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
+{
+    PRCList *begin1;
+    PRCList *begin2;
+    PRCList *end1;
+    PRCList *end2;
+
+    if (list1 == NULL){
+	return list2;
+    } else if (list2 == NULL) {
+	return list1;
+    } else {
+	begin1 = &list1->l;
+	begin2 = &list2->l;
+	end1 = list1->l.prev;
+	end2 = list2->l.prev;
+	end1->next = begin2;
+	end2->next = begin1;
+	begin1->prev = end2;
+	begin2->prev = end1;
+	return list1;
+    }
+}
+
+
+/* Add a CERTNameConstraint to the CERTNameConstraint list */
+CERTNameConstraint *
+CERT_AddNameConstraint(CERTNameConstraint *list, 
+		       CERTNameConstraint *constraint)
+{
+    PORT_Assert(constraint != NULL);
+    constraint->l.next = constraint->l.prev = &constraint->l;
+    list = cert_CombineConstraintsLists(list, constraint);
+    return list;
+}
+
+
+SECStatus
+CERT_GetNameConstraintByType (CERTNameConstraint *constraints,
+			      CERTGeneralNameType type, 
+			      CERTNameConstraint **returnList,
+			      PRArenaPool *arena)
+{
+    CERTNameConstraint *current = NULL;
+    void               *mark = NULL;
+
+    *returnList = NULL;
+    if (!constraints)
+	return SECSuccess;
+
+    mark = PORT_ArenaMark(arena);
+
+    current = constraints;
+    do {
+	PORT_Assert(current->name.type);
+	if (current->name.type == type) {
+	    CERTNameConstraint *temp;
+	    temp = CERT_CopyNameConstraint(arena, NULL, current);
+	    if (temp == NULL) 
+		goto loser;
+	    *returnList = CERT_AddNameConstraint(*returnList, temp);
+	}
+	current = CERT_GetNextNameConstraint(current);
+    } while (current != constraints);
+    PORT_ArenaUnmark(arena, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return SECFailure;
+}
+
+void *
+CERT_GetGeneralNameByType (CERTGeneralName *genNames,
+			   CERTGeneralNameType type, PRBool derFormat)
+{
+    CERTGeneralName *current;
+    
+    if (!genNames)
+	return NULL;
+    current = genNames;
+
+    do {
+	if (current->type == type) {
+	    switch (type) {
+	    case certDNSName:
+	    case certEDIPartyName:
+	    case certIPAddress:
+	    case certRegisterID:
+	    case certRFC822Name:
+	    case certX400Address:
+	    case certURI: 
+		return (void *)&current->name.other;           /* SECItem * */
+
+	    case certOtherName: 
+		return (void *)&current->name.OthName;         /* OthName * */
+
+	    case certDirectoryName: 
+		return derFormat 
+		       ? (void *)&current->derDirectoryName    /* SECItem * */
+		       : (void *)&current->name.directoryName; /* CERTName * */
+	    }
+	    PORT_Assert(0); 
+	    return NULL;
+	}
+	current = CERT_GetNextGeneralName(current);
+    } while (current != genNames);
+    return NULL;
+}
+
+int
+CERT_GetNamesLength(CERTGeneralName *names)
+{
+    int              length = 0;
+    CERTGeneralName  *first;
+
+    first = names;
+    if (names != NULL) {
+	do {
+	    length++;
+	    names = CERT_GetNextGeneralName(names);
+	} while (names != first);
+    }
+    return length;
+}
+
+/* Creates new GeneralNames for any email addresses found in the 
+** input DN, and links them onto the list for the DN.
+*/
+SECStatus
+cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena)
+{
+    CERTGeneralName *nameList = NULL;
+    const CERTRDN  **nRDNs = (const CERTRDN **)(name->name.directoryName.rdns);
+    SECStatus        rv        = SECSuccess;
+
+    PORT_Assert(name->type == certDirectoryName);
+    if (name->type != certDirectoryName) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* TODO: mark arena */
+    while (nRDNs && *nRDNs) { /* loop over RDNs */
+	const CERTRDN *nRDN = *nRDNs++;
+	CERTAVA **nAVAs = nRDN->avas;
+	while (nAVAs && *nAVAs) { /* loop over AVAs */
+	    int tag;
+	    CERTAVA *nAVA = *nAVAs++;
+	    tag = CERT_GetAVATag(nAVA);
+	    if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
+		 tag == SEC_OID_RFC1274_MAIL) { /* email AVA */
+		CERTGeneralName *newName = NULL;
+		SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value);
+		if (!avaValue)
+		    goto loser;
+		rv = SECFailure;
+                newName = CERT_NewGeneralName(arena, certRFC822Name);
+		if (newName) {
+		   rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue);
+		}
+		SECITEM_FreeItem(avaValue, PR_TRUE);
+		if (rv != SECSuccess)
+		    goto loser;
+		nameList = cert_CombineNamesLists(nameList, newName);
+	    } /* handle one email AVA */
+	} /* loop over AVAs */
+    } /* loop over RDNs */
+    /* combine new names with old one. */
+    name = cert_CombineNamesLists(name, nameList);
+    /* TODO: unmark arena */
+    return SECSuccess;
+
+loser:
+    /* TODO: release arena back to mark */
+    return SECFailure;
+}
+
+/* This function is called by CERT_VerifyCertChain to extract all
+** names from a cert in preparation for a name constraints test.
+*/
+CERTGeneralName *
+CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
+{
+    CERTGeneralName  *DN;
+    CERTGeneralName  *altName         = NULL;
+    SECItem          altNameExtension = {siBuffer, NULL, 0 };
+    SECStatus        rv;
+
+    /* TODO: mark arena */
+    DN = CERT_NewGeneralName(arena, certDirectoryName);
+    if (DN == NULL) {
+	goto loser;
+    }
+    rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    /* Extract email addresses from DN, construct CERTGeneralName structs 
+    ** for them, add them to the name list 
+    */
+    rv = cert_ExtractDNEmailAddrs(DN, arena);
+    if (rv != SECSuccess)
+        goto loser;
+
+    /* Now extract any GeneralNames from the subject name names extension. */
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&altNameExtension);
+    if (rv == SECSuccess) {
+	altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
+	rv = altName ? SECSuccess : SECFailure;
+    }
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
+	rv = SECSuccess;
+    if (altNameExtension.data)
+	SECITEM_FreeItem(&altNameExtension, PR_FALSE);
+    if (rv != SECSuccess)
+        goto loser;
+    DN = cert_CombineNamesLists(DN, altName);
+
+    /* TODO: unmark arena */
+    return DN;
+loser:
+    /* TODO: release arena to mark */
+    return NULL;
+}
+
+/* Returns SECSuccess if name matches constraint per RFC 3280 rules for 
+** URI name constraints.  SECFailure otherwise.
+** If the constraint begins with a dot, it is a domain name, otherwise
+** It is a host name.  Examples:
+**  Constraint            Name             Result
+** ------------      ---------------      --------
+**  foo.bar.com          foo.bar.com      matches
+**  foo.bar.com          FoO.bAr.CoM      matches
+**  foo.bar.com      www.foo.bar.com      no match
+**  foo.bar.com        nofoo.bar.com      no match
+** .foo.bar.com      www.foo.bar.com      matches
+** .foo.bar.com        nofoo.bar.com      no match
+** .foo.bar.com          foo.bar.com      no match
+** .foo.bar.com     www..foo.bar.com      no match
+*/
+static SECStatus
+compareURIN2C(const SECItem *name, const SECItem *constraint)
+{
+    int offset;
+    /* The spec is silent on intepreting zero-length constraints.
+    ** We interpret them as matching no URI names.
+    */
+    if (!constraint->len)
+        return SECFailure;
+    if (constraint->data[0] != '.') { 
+    	/* constraint is a host name. */
+    	if (name->len != constraint->len ||
+	    PL_strncasecmp((char *)name->data, 
+			   (char *)constraint->data, constraint->len))
+	    return SECFailure;
+    	return SECSuccess;
+    }
+    /* constraint is a domain name. */
+    if (name->len < constraint->len)
+        return SECFailure;
+    offset = name->len - constraint->len;
+    if (PL_strncasecmp((char *)(name->data + offset), 
+		       (char *)constraint->data, constraint->len))
+        return SECFailure;
+    if (!offset || 
+        (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
+	return SECSuccess;
+    return SECFailure;
+}
+
+/* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38)
+**
+** DNS name restrictions are expressed as foo.bar.com.  Any DNS name
+** that can be constructed by simply adding to the left hand side of the
+** name satisfies the name constraint.  For example, www.foo.bar.com
+** would satisfy the constraint but foo1.bar.com would not.
+**
+** But NIST's PKITS test suite requires that the constraint be treated
+** as a domain name, and requires that any name added to the left hand
+** side end in a dot ".".  Sensible, but not strictly following the RFC.
+**
+**  Constraint            Name            RFC 3280  NIST PKITS
+** ------------      ---------------      --------  ----------
+**  foo.bar.com          foo.bar.com      matches    matches
+**  foo.bar.com          FoO.bAr.CoM      matches    matches
+**  foo.bar.com      www.foo.bar.com      matches    matches
+**  foo.bar.com        nofoo.bar.com      MATCHES    NO MATCH
+** .foo.bar.com      www.foo.bar.com      matches    matches? disallowed?
+** .foo.bar.com          foo.bar.com      no match   no match
+** .foo.bar.com     www..foo.bar.com      matches    probably not 
+**
+** We will try to conform to NIST's PKITS tests, and the unstated 
+** rules they imply.
+*/
+static SECStatus
+compareDNSN2C(const SECItem *name, const SECItem *constraint)
+{
+    int offset;
+    /* The spec is silent on intepreting zero-length constraints.
+    ** We interpret them as matching all DNSnames.
+    */
+    if (!constraint->len)
+        return SECSuccess;
+    if (name->len < constraint->len)
+        return SECFailure;
+    offset = name->len - constraint->len;
+    if (PL_strncasecmp((char *)(name->data + offset), 
+		       (char *)constraint->data, constraint->len))
+        return SECFailure;
+    if (!offset || 
+        (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
+	return SECSuccess;
+    return SECFailure;
+}
+
+/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
+** internet email addresses.  SECFailure otherwise.
+** If constraint contains a '@' then the two strings much match exactly.
+** Else if constraint starts with a '.'. then it must match the right-most
+** substring of the name, 
+** else constraint string must match entire name after the name's '@'.
+** Empty constraint string matches all names. All comparisons case insensitive.
+*/
+static SECStatus
+compareRFC822N2C(const SECItem *name, const SECItem *constraint)
+{
+    int offset;
+    if (!constraint->len)
+        return SECSuccess;
+    if (name->len < constraint->len)
+        return SECFailure;
+    if (constraint->len == 1 && constraint->data[0] == '.')
+        return SECSuccess;
+    for (offset = constraint->len - 1; offset >= 0; --offset) {
+    	if (constraint->data[offset] == '@') {
+	    return (name->len == constraint->len && 
+	        !PL_strncasecmp((char *)name->data, 
+				(char *)constraint->data, constraint->len))
+		? SECSuccess : SECFailure;
+	}
+    }
+    offset = name->len - constraint->len;
+    if (PL_strncasecmp((char *)(name->data + offset), 
+		       (char *)constraint->data, constraint->len))
+        return SECFailure;
+    if (constraint->data[0] == '.')
+        return SECSuccess;
+    if (offset > 0 && name->data[offset - 1] == '@')
+        return SECSuccess;
+    return SECFailure;
+}
+
+/* name contains either a 4 byte IPv4 address or a 16 byte IPv6 address.
+** constraint contains an address of the same length, and a subnet mask
+** of the same length.  Compare name's address to the constraint's 
+** address, subject to the mask.
+** Return SECSuccess if they match, SECFailure if they don't. 
+*/
+static SECStatus
+compareIPaddrN2C(const SECItem *name, const SECItem *constraint)
+{
+    int i;
+    if (name->len == 4 && constraint->len == 8) { /* ipv4 addr */
+        for (i = 0; i < 4; i++) {
+	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+4])
+	        goto loser;
+	}
+	return SECSuccess;
+    }
+    if (name->len == 16 && constraint->len == 32) { /* ipv6 addr */
+        for (i = 0; i < 16; i++) {
+	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+16])
+	        goto loser;
+	}
+	return SECSuccess;
+    }
+loser:
+    return SECFailure;
+}
+
+/* start with a SECItem that points to a URI.  Parse it lookingg for 
+** a hostname.  Modify item->data and item->len to define the hostname,
+** but do not modify and data at item->data.  
+** If anything goes wrong, the contents of *item are undefined.
+*/
+static SECStatus
+parseUriHostname(SECItem * item)
+{
+    int i;
+    PRBool found = PR_FALSE;
+    for (i = 0; (unsigned)(i+2) < item->len; ++i) {
+	if (item->data[i  ] == ':' &&
+	    item->data[i+1] == '/' &&
+	    item->data[i+2] == '/') {
+	    i += 3;
+	    item->data += i;
+	    item->len  -= i;
+	    found = PR_TRUE;
+	    break;
+	}
+    }
+    if (!found) 
+        return SECFailure;
+    /* now look for a '/', which is an upper bound in the end of the name */
+    for (i = 0; (unsigned)i < item->len; ++i) {
+	if (item->data[i] == '/') {
+	    item->len = i;
+	    break;
+	}
+    }
+    /* now look for a ':', which marks the end of the name */
+    for (i = item->len; --i >= 0; ) {
+        if (item->data[i] == ':') {
+	    item->len = i;
+	    break;
+	}
+    }
+    /* now look for an '@', which marks the beginning of the hostname */
+    for (i = 0; (unsigned)i < item->len; ++i) {
+	if (item->data[i] == '@') {
+	    ++i;
+	    item->data += i;
+	    item->len  -= i;
+	    break;
+	}
+    }
+    return item->len ? SECSuccess : SECFailure;
+}
+
+/* This function takes one name, and a list of constraints.
+** It searches the constraints looking for a match.
+** It returns SECSuccess if the name satisfies the constraints, i.e.,
+** if excluded, then the name does not match any constraint, 
+** if permitted, then the name matches at least one constraint.
+** It returns SECFailure if the name fails to satisfy the constraints,
+** or if some code fails (e.g. out of memory, or invalid constraint)
+*/
+SECStatus
+cert_CompareNameWithConstraints(CERTGeneralName     *name, 
+				CERTNameConstraint  *constraints,
+				PRBool              excluded)
+{
+    SECStatus           rv     = SECSuccess;
+    SECStatus           matched = SECFailure;
+    CERTNameConstraint  *current;
+
+    PORT_Assert(constraints);  /* caller should not call with NULL */
+    if (!constraints) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    current = constraints;
+    do {
+	rv = SECSuccess;
+	matched = SECFailure;
+	PORT_Assert(name->type == current->name.type);
+	switch (name->type) {
+
+	case certDNSName:
+	    matched = compareDNSN2C(&name->name.other, 
+	                            &current->name.name.other);
+	    break;
+
+	case certRFC822Name:
+	    matched = compareRFC822N2C(&name->name.other, 
+	                               &current->name.name.other);
+	    break;
+
+	case certURI:
+	    {
+		/* make a modifiable copy of the URI SECItem. */
+		SECItem uri = name->name.other;
+		/* find the hostname in the URI */
+		rv = parseUriHostname(&uri);
+		if (rv == SECSuccess) {
+		    /* does our hostname meet the constraint? */
+		    matched = compareURIN2C(&uri, &current->name.name.other);
+		}
+	    }
+	    break;
+
+	case certDirectoryName:
+	    /* Determine if the constraint directory name is a "prefix"
+	    ** for the directory name being tested. 
+	    */
+	  {
+	    /* status defaults to SECEqual, so that a constraint with 
+	    ** no AVAs will be a wildcard, matching all directory names.
+	    */
+	    SECComparison   status = SECEqual;
+	    const CERTRDN **cRDNs = 
+		    (const CERTRDN **)current->name.name.directoryName.rdns;  
+	    const CERTRDN **nRDNs = 
+		    (const CERTRDN **)name->name.directoryName.rdns;
+	    while (cRDNs && *cRDNs && nRDNs && *nRDNs) { 
+		/* loop over name RDNs and constraint RDNs in lock step */
+		const CERTRDN *cRDN = *cRDNs++;
+		const CERTRDN *nRDN = *nRDNs++;
+		CERTAVA **cAVAs = cRDN->avas;
+		while (cAVAs && *cAVAs) { /* loop over constraint AVAs */
+		    CERTAVA *cAVA = *cAVAs++;
+		    CERTAVA **nAVAs = nRDN->avas;
+		    while (nAVAs && *nAVAs) { /* loop over name AVAs */
+			CERTAVA *nAVA = *nAVAs++;
+			status = CERT_CompareAVA(cAVA, nAVA);
+			if (status == SECEqual) 
+			    break;
+		    } /* loop over name AVAs */
+		    if (status != SECEqual) 
+			break;
+		} /* loop over constraint AVAs */
+		if (status != SECEqual) 
+		    break;
+	    } /* loop over name RDNs and constraint RDNs */
+	    matched = (status == SECEqual) ? SECSuccess : SECFailure;
+	    break;
+	  }
+
+	case certIPAddress:	/* type 8 */
+	    matched = compareIPaddrN2C(&name->name.other, 
+	                               &current->name.name.other);
+	    break;
+
+	/* NSS does not know how to compare these "Other" type names with 
+	** their respective constraints.  But it does know how to tell
+	** if the constraint applies to the type of name (by comparing
+	** the constraint OID to the name OID).  NSS makes no use of "Other"
+	** type names at all, so NSS errs on the side of leniency for these 
+	** types, provided that their OIDs match.  So, when an "Other"
+	** name constraint appears in an excluded subtree, it never causes
+	** a name to fail.  When an "Other" name constraint appears in a
+	** permitted subtree, AND the constraint's OID matches the name's
+	** OID, then name is treated as if it matches the constraint.
+	*/
+	case certOtherName:	/* type 1 */
+	    matched = (!excluded &&
+		       name->type == current->name.type &&
+		       SECITEM_ItemsAreEqual(&name->name.OthName.oid,
+					     &current->name.name.OthName.oid))
+		 ? SECSuccess : SECFailure;
+	    break;
+
+	/* NSS does not know how to compare these types of names with their
+	** respective constraints.  But NSS makes no use of these types of 
+	** names at all, so it errs on the side of leniency for these types.
+	** Constraints for these types of names never cause the name to 
+	** fail the constraints test.  NSS behaves as if the name matched
+	** for permitted constraints, and did not match for excluded ones.
+	*/
+	case certX400Address:	/* type 4 */
+	case certEDIPartyName:  /* type 6 */
+	case certRegisterID:	/* type 9 */
+	    matched = excluded ? SECFailure : SECSuccess;
+	    break;
+
+	default: /* non-standard types are not supported */
+	    rv = SECFailure;
+	    break;
+	}
+	if (matched == SECSuccess || rv != SECSuccess)
+	    break;
+	current = CERT_GetNextNameConstraint(current);
+    } while (current != constraints);
+    if (rv == SECSuccess) {
+        if (matched == SECSuccess) 
+	    rv = excluded ? SECFailure : SECSuccess;
+	else
+	    rv = excluded ? SECSuccess : SECFailure;
+	return rv;
+    }
+
+    return SECFailure;
+}
+
+/* Add and link a CERTGeneralName to a CERTNameConstraint list. Most
+** likely the CERTNameConstraint passed in is either the permitted
+** list or the excluded list of a CERTNameConstraints.
+*/
+SECStatus
+CERT_AddNameConstraintByGeneralName(PLArenaPool *arena,
+                                    CERTNameConstraint **constraints,
+                                    CERTGeneralName *name)
+{
+    SECStatus rv;
+    CERTNameConstraint *current = NULL;
+    CERTNameConstraint *first = *constraints;
+    void *mark = NULL;
+
+    mark = PORT_ArenaMark(arena);
+
+    current = PORT_ArenaZNew(arena, CERTNameConstraint);
+    if (current == NULL) {
+        rv = SECFailure;
+        goto done;
+    }
+    
+    rv = cert_CopyOneGeneralName(arena, &current->name, name);
+    if (rv != SECSuccess) {
+        goto done;
+    }
+    
+    current->name.l.prev = current->name.l.next = &(current->name.l);
+    
+    if (first == NULL) {
+        *constraints = current;
+        PR_INIT_CLIST(&current->l);
+    } else {
+        PR_INSERT_BEFORE(&current->l, &first->l);
+    }
+
+done:
+    if (rv == SECFailure) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        PORT_ArenaUnmark(arena, mark);
+    }
+    return rv;
+}
+
+/* Extract the name constraints extension from the CA cert. */
+SECStatus
+CERT_FindNameConstraintsExten(PRArenaPool      *arena,
+                              CERTCertificate  *cert,
+                              CERTNameConstraints **constraints)
+{
+    SECStatus            rv = SECSuccess;
+    SECItem              constraintsExtension;
+    void                *mark = NULL;
+    
+    *constraints = NULL;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 
+                                &constraintsExtension);
+    if (rv != SECSuccess) {
+        if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
+            rv = SECSuccess;
+        }
+        return rv;
+    }
+
+    mark = PORT_ArenaMark(arena);
+
+    *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
+    if (*constraints == NULL) { /* decode failed */
+        rv = SECFailure;
+    }
+    PORT_Free (constraintsExtension.data);
+
+    if (rv == SECFailure) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        PORT_ArenaUnmark(arena, mark);
+    }
+
+    return rv;
+}
+
+/* Verify name against all the constraints relevant to that type of
+** the name.
+*/
+SECStatus
+CERT_CheckNameSpace(PRArenaPool          *arena,
+                    CERTNameConstraints  *constraints,
+                    CERTGeneralName      *currentName)
+{
+    CERTNameConstraint  *matchingConstraints;
+    SECStatus            rv = SECSuccess;
+    
+    if (constraints->excluded != NULL) {
+        rv = CERT_GetNameConstraintByType(constraints->excluded, 
+                                          currentName->type, 
+                                          &matchingConstraints, arena);
+        if (rv == SECSuccess && matchingConstraints != NULL) {
+            rv = cert_CompareNameWithConstraints(currentName, 
+                                                 matchingConstraints,
+                                                 PR_TRUE);
+        }
+        if (rv != SECSuccess) {
+            return(rv);
+        }
+    }
+    
+    if (constraints->permited != NULL) {
+        rv = CERT_GetNameConstraintByType(constraints->permited, 
+                                          currentName->type, 
+                                          &matchingConstraints, arena);
+        if (rv == SECSuccess && matchingConstraints != NULL) {
+            rv = cert_CompareNameWithConstraints(currentName, 
+                                                 matchingConstraints,
+                                                 PR_FALSE);
+        }
+        if (rv != SECSuccess) {
+            return(rv);
+        }
+    }
+
+    return(SECSuccess);
+}
+
+/* Extract the name constraints extension from the CA cert.
+** Test each and every name in namesList against all the constraints
+** relevant to that type of name.
+** Returns NULL in pBadCert for success, if all names are acceptable.
+** If some name is not acceptable, returns a pointer to the cert that
+** contained that name.
+*/
+SECStatus
+CERT_CompareNameSpace(CERTCertificate  *cert,
+		      CERTGeneralName  *namesList,
+ 		      CERTCertificate **certsList,
+ 		      PRArenaPool      *reqArena,
+ 		      CERTCertificate **pBadCert)
+{
+    SECStatus            rv = SECSuccess;
+    CERTNameConstraints  *constraints;
+    CERTGeneralName      *currentName;
+    int                  count = 0;
+    CERTCertificate      *badCert = NULL;
+
+    /* If no names to check, then no names can be bad. */
+    if (!namesList)
+    	goto done;
+    rv = CERT_FindNameConstraintsExten(reqArena, cert, &constraints);
+    if (rv != SECSuccess) {
+	count = -1;
+	goto done;
+    }
+
+    currentName = namesList;
+    do {
+	if (constraints){
+	    rv = CERT_CheckNameSpace(reqArena, constraints, currentName);
+	    if (rv != SECSuccess) {
+		break;
+	    }
+	}
+ 	currentName = CERT_GetNextGeneralName(currentName);
+ 	count ++;
+    } while (currentName != namesList);
+
+done:
+    if (rv != SECSuccess) {
+	badCert = (count >= 0) ? certsList[count] : cert;
+    }
+    if (pBadCert)
+	*pBadCert = badCert;
+
+    return rv;
+}
+
+/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
+** ASN1 Decode it into a list of alternate names.
+** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
+** ASN1 Decode that name.  Turn the result into a zString.  
+** Look for duplicate nickname already in the certdb. 
+** If one is found, create a nickname string that is not a duplicate.
+*/
+char *
+CERT_GetNickName(CERTCertificate   *cert,
+ 		 CERTCertDBHandle  *handle,
+		 PRArenaPool      *nicknameArena)
+{ 
+    CERTGeneralName  *current;
+    CERTGeneralName  *names;
+    char             *nickname   = NULL;
+    char             *returnName = NULL;
+    char             *basename   = NULL;
+    PRArenaPool      *arena      = NULL;
+    CERTCertificate  *tmpcert;
+    SECStatus        rv;
+    int              count;
+    int              found = 0;
+    SECItem          altNameExtension;
+    SECItem          nick;
+
+    if (handle == NULL) {
+	handle = CERT_GetDefaultCertDB();
+    }
+    altNameExtension.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&altNameExtension);
+    if (rv != SECSuccess) { 
+	goto loser; 
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
+    if (names == NULL) {
+	goto loser;
+    } 
+    current = names;
+    do {
+	if (current->type == certOtherName && 
+	    SECOID_FindOIDTag(&current->name.OthName.oid) == 
+	      SEC_OID_NETSCAPE_NICKNAME) {
+	    found = 1;
+	    break;
+	}
+	current = CERT_GetNextGeneralName(current);
+    } while (current != names);
+    if (!found)
+    	goto loser;
+
+    rv = SEC_QuickDERDecodeItem(arena, &nick,
+                            SEC_ASN1_GET(SEC_IA5StringTemplate),
+			    &current->name.OthName.name);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* make a null terminated string out of nick, with room enough at
+    ** the end to add on a number of up to 21 digits in length, (a signed
+    ** 64-bit number in decimal) plus a space and a "#". 
+    */
+    nickname = (char*)PORT_ZAlloc(nick.len + 24);
+    if (!nickname) 
+	goto loser;
+    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
+
+    /* Don't let this cert's nickname duplicate one already in the DB.
+    ** If it does, create a variant of the nickname that doesn't.
+    */
+    count = 0;
+    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
+	CERT_DestroyCertificate(tmpcert);
+	if (!basename) {
+	    basename = PORT_Strdup(nickname);
+	    if (!basename)
+		goto loser;
+	}
+	count++;
+	sprintf(nickname, "%s #%d", basename, count);
+    }
+
+    /* success */
+    if (nicknameArena) {
+	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
+    } else {
+	returnName = nickname;
+	nickname = NULL;
+    }
+loser:
+    if (arena != NULL) 
+	PORT_FreeArena(arena, PR_FALSE);
+    if (nickname)
+	PORT_Free(nickname);
+    if (basename)
+	PORT_Free(basename);
+    if (altNameExtension.data)
+    	PORT_Free(altNameExtension.data);
+    return returnName;
+}
+
+#if 0
+/* not exported from shared libs, not used.  Turn on if we ever need it. */
+SECStatus
+CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
+{
+    CERTGeneralName *currentA;
+    CERTGeneralName *currentB;
+    PRBool found;
+
+    currentA = a;
+    currentB = b;
+    if (a != NULL) {
+	do { 
+	    if (currentB == NULL) {
+		return SECFailure;
+	    }
+	    currentB = CERT_GetNextGeneralName(currentB);
+	    currentA = CERT_GetNextGeneralName(currentA);
+	} while (currentA != a);
+    }
+    if (currentB != b) {
+	return SECFailure;
+    }
+    currentA = a;
+    do {
+	currentB = b;
+	found = PR_FALSE;
+	do {
+	    if (currentB->type == currentA->type) {
+		switch (currentB->type) {
+		  case certDNSName:
+		  case certEDIPartyName:
+		  case certIPAddress:
+		  case certRegisterID:
+		  case certRFC822Name:
+		  case certX400Address:
+		  case certURI:
+		    if (SECITEM_CompareItem(&currentA->name.other,
+					    &currentB->name.other) 
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		    break;
+		  case certOtherName:
+		    if (SECITEM_CompareItem(&currentA->name.OthName.oid,
+					    &currentB->name.OthName.oid) 
+			== SECEqual &&
+			SECITEM_CompareItem(&currentA->name.OthName.name,
+					    &currentB->name.OthName.name)
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		    break;
+		  case certDirectoryName:
+		    if (CERT_CompareName(&currentA->name.directoryName,
+					 &currentB->name.directoryName)
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		}
+		    
+	    }
+	    currentB = CERT_GetNextGeneralName(currentB);
+	} while (currentB != b && found != PR_TRUE);
+	if (found != PR_TRUE) {
+	    return SECFailure;
+	}
+	currentA = CERT_GetNextGeneralName(currentA);
+    } while (currentA != a);
+    return SECSuccess;
+}
+
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b)
+{
+    SECStatus rv;
+
+    if (a == b) {
+	return SECSuccess;
+    }
+    if (a != NULL && b != NULL) {
+	PZ_Lock(a->lock);
+	PZ_Lock(b->lock);
+	rv = CERT_CompareGeneralName(a->name, b->name);
+	PZ_Unlock(a->lock);
+	PZ_Unlock(b->lock);
+    } else {
+	rv = SECFailure;
+    }
+    return rv;
+}
+#endif
+
+#if 0
+/* This function is not exported from NSS shared libraries, and is not
+** used inside of NSS.
+** XXX it doesn't check for failed allocations. :-(
+*/
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena)
+{
+    CERTName *name = NULL; 
+    SECItem *item = NULL;
+    OtherName *other = NULL;
+    OtherName *tmpOther = NULL;
+    void *data;
+
+    PZ_Lock(list->lock);
+    data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE);
+    if (data != NULL) {
+	switch (type) {
+	  case certDNSName:
+	  case certEDIPartyName:
+	  case certIPAddress:
+	  case certRegisterID:
+	  case certRFC822Name:
+	  case certX400Address:
+	  case certURI:
+	    if (arena != NULL) {
+		item = PORT_ArenaNew(arena, SECItem);
+		if (item != NULL) {
+XXX		    SECITEM_CopyItem(arena, item, (SECItem *) data);
+		}
+	    } else { 
+		item = SECITEM_DupItem((SECItem *) data);
+	    }
+	    PZ_Unlock(list->lock);
+	    return item;
+	  case certOtherName:
+	    other = (OtherName *) data;
+	    if (arena != NULL) {
+		tmpOther = PORT_ArenaNew(arena, OtherName);
+	    } else {
+		tmpOther = PORT_New(OtherName);
+	    }
+	    if (tmpOther != NULL) {
+XXX		SECITEM_CopyItem(arena, &tmpOther->oid, &other->oid);
+XXX		SECITEM_CopyItem(arena, &tmpOther->name, &other->name);
+	    }
+	    PZ_Unlock(list->lock);
+	    return tmpOther;
+	  case certDirectoryName:
+	    if (arena) {
+		name = PORT_ArenaZNew(list->arena, CERTName);
+		if (name) {
+XXX		    CERT_CopyName(arena, name, (CERTName *) data);
+		}
+	    }
+	    PZ_Unlock(list->lock);
+	    return name;
+	}
+    }
+    PZ_Unlock(list->lock);
+    return NULL;
+}
+#endif
+
+#if 0
+/* This function is not exported from NSS shared libraries, and is not
+** used inside of NSS.
+** XXX it should NOT be a void function, since it does allocations
+** that can fail.
+*/
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid)
+{
+    CERTGeneralName *name;
+
+    if (list != NULL && data != NULL) {
+	PZ_Lock(list->lock);
+	name = CERT_NewGeneralName(list->arena, type);
+	if (!name)
+	    goto done;
+	switch (type) {
+	  case certDNSName:
+	  case certEDIPartyName:
+	  case certIPAddress:
+	  case certRegisterID:
+	  case certRFC822Name:
+	  case certX400Address:
+	  case certURI:
+XXX	    SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data);
+	    break;
+	  case certOtherName:
+XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.name,
+			     (SECItem *) data);
+XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.oid,
+			     oid);
+	    break;
+	  case certDirectoryName:
+XXX	    CERT_CopyName(list->arena, &name->name.directoryName,
+			  (CERTName *) data);
+	    break;
+	}
+	list->name = cert_CombineNamesLists(list->name, name);
+	list->len++;
+done:
+	PZ_Unlock(list->lock);
+    }
+    return;
+}
+#endif
diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h
new file mode 100644
index 000000000..d7ab0f108
--- /dev/null
+++ b/security/nss/lib/certdb/genname.h
@@ -0,0 +1,138 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _GENAME_H_
+#define _GENAME_H_
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_GeneralNamesTemplate[];
+
+extern SECItem **
+cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names);
+
+extern CERTGeneralName *
+cert_DecodeGeneralNames(PRArenaPool *arena, SECItem **encodedGenName);
+
+extern SECStatus
+cert_DestroyGeneralNames(CERTGeneralName *name);
+
+extern SECStatus 
+cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
+			   SECItem *dest);
+
+extern CERTNameConstraints *
+cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
+
+extern CERTGeneralName *
+cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
+
+extern CERTNameConstraint *
+cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
+
+/*********************************************************************/
+/* A thread safe implementation of General Names                     */
+/*********************************************************************/
+
+/* Destroy a Single CERTGeneralName */
+void
+CERT_DestroyGeneralName(CERTGeneralName *name);
+
+SECStatus
+CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b);
+
+SECStatus
+CERT_CopyGeneralName(PRArenaPool      *arena, 
+		     CERTGeneralName  *dest, 
+		     CERTGeneralName  *src);
+
+/* General Name Lists are a thread safe, reference counting layer to 
+ * general names */
+
+/* Destroys a CERTGeneralNameList */
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
+
+/* Creates a CERTGeneralNameList */
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name);
+
+/* Compares two CERTGeneralNameList */
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
+
+/* returns a copy of the first name of the type requested */
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena);
+
+/* Adds a name to the tail of the list */
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid);
+
+/* returns a duplicate of the CERTGeneralNameList */
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list);
+
+/* returns the number of CERTGeneralName objects in the  doubly linked
+** list of which *names is a member.
+*/
+extern int
+CERT_GetNamesLength(CERTGeneralName *names);
+
+/************************************************************************/
+
+SECStatus
+CERT_CompareNameSpace(CERTCertificate  *cert,
+		      CERTGeneralName  *namesList,
+ 		      CERTCertificate **certsList,
+ 		      PRArenaPool      *reqArena,
+ 		      CERTCertificate **pBadCert);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn
new file mode 100644
index 000000000..258af04b6
--- /dev/null
+++ b/security/nss/lib/certdb/manifest.mn
@@ -0,0 +1,74 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	cert.h \
+	certt.h \
+	certdb.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	genname.h \
+	xconst.h \
+	certxutl.h \
+	certi.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	alg1485.c \
+	certdb.c \
+	certv3.c \
+	certxutl.c \
+	crl.c \
+	genname.c \
+	stanpcertdb.c \
+	polcyxtn.c \
+	secname.c \
+	xauthkid.c \
+	xbsconst.c \
+	xconst.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = certdb
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c
new file mode 100644
index 000000000..a8aed3e8f
--- /dev/null
+++ b/security/nss/lib/certdb/polcyxtn.c
@@ -0,0 +1,860 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support for various policy related extensions
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secport.h"
+#include "secder.h"
+#include "cert.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "nspr.h"
+
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+
+const SEC_ASN1Template CERT_DisplayTextTypeTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
+    { SEC_ASN1_IA5_STRING, 0, 0, siAsciiString},
+    { SEC_ASN1_VISIBLE_STRING , 0, 0, siVisibleString},
+    { SEC_ASN1_BMP_STRING  , 0, 0, siBMPString },
+    { SEC_ASN1_UTF8_STRING , 0, 0, siUTF8String },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTNoticeReference) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTNoticeReference, organization),
+           CERT_DisplayTextTypeTemplate, 0 },
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
+           offsetof(CERTNoticeReference, noticeNumbers),
+           SEC_ASN1_SUB(SEC_IntegerTemplate) }, 
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTUserNotice) },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
+	  offsetof(CERTUserNotice, noticeReference),
+           CERT_NoticeReferenceTemplate, 0 },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
+	  offsetof(CERTUserNotice, displayText),
+           CERT_DisplayTextTypeTemplate, 0 }, 
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyQualifier) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyQualifier, qualifierID) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTPolicyQualifier, qualifierValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyInfo, policyID) },
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
+	  offsetof(CERTPolicyInfo, policyQualifiers),
+	  CERT_PolicyQualifierTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCertificatePolicies, policyInfos),
+	  CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
+};
+
+const SEC_ASN1Template CERT_PolicyMapTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyMap) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyMap, issuerDomainPolicy) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyMap, subjectDomainPolicy) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyMappingsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCertificatePolicyMappings, policyMaps),
+	  CERT_PolicyMapTemplate, sizeof(CERTPolicyMap)  }
+};
+
+const SEC_ASN1Template CERT_PolicyConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCertificatePolicyConstraints) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(CERTCertificatePolicyConstraints, explicitPolicySkipCerts),
+	  SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	  offsetof(CERTCertificatePolicyConstraints, inhibitMappingSkipCerts),
+	  SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_InhibitAnyTemplate[] = {
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificateInhibitAny, inhibitAnySkipCerts),
+	  NULL, sizeof(CERTCertificateInhibitAny)  }
+};
+
+static void
+breakLines(char *string)
+{
+    char *tmpstr;
+    char *lastspace = NULL;
+    int curlen = 0;
+    int c;
+    
+    tmpstr = string;
+
+    while ( ( c = *tmpstr ) != '\0' ) {
+	switch ( c ) {
+	  case ' ':
+	    lastspace = tmpstr;
+	    break;
+	  case '\n':
+	    lastspace = NULL;
+	    curlen = 0;
+	    break;
+	}
+	
+	if ( ( curlen >= 55 ) && ( lastspace != NULL ) ) {
+	    *lastspace = '\n';
+	    curlen = ( tmpstr - lastspace );
+	    lastspace = NULL;
+	}
+	
+	curlen++;
+	tmpstr++;
+    }
+    
+    return;
+}
+
+CERTCertificatePolicies *
+CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTCertificatePolicies *policies;
+    CERTPolicyInfo **policyInfos, *policyInfo;
+    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
+    SECItem newExtnValue;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the certificate policies structure */
+    policies = (CERTCertificatePolicies *)
+	PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicies));
+    
+    if ( policies == NULL ) {
+	goto loser;
+    }
+    
+    policies->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* decode the policy info */
+    rv = SEC_QuickDERDecodeItem(arena, policies, CERT_CertificatePoliciesTemplate,
+			    &newExtnValue);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the oid tags */
+    policyInfos = policies->policyInfos;
+    while (*policyInfos != NULL ) {
+	policyInfo = *policyInfos;
+	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
+	policyQualifiers = policyInfo->policyQualifiers;
+	while ( policyQualifiers != NULL && *policyQualifiers != NULL ) {
+	    policyQualifier = *policyQualifiers;
+	    policyQualifier->oid =
+		SECOID_FindOIDTag(&policyQualifier->qualifierID);
+	    policyQualifiers++;
+	}
+	policyInfos++;
+    }
+
+    return(policies);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
+{
+    if ( policies != NULL ) {
+	PORT_FreeArena(policies->arena, PR_FALSE);
+    }
+    return;
+}
+
+CERTCertificatePolicyMappings *
+CERT_DecodePolicyMappingsExtension(SECItem *extnValue)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTCertificatePolicyMappings *mappings;
+    SECItem newExtnValue;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+        goto loser;
+    }
+
+    /* allocate the policy mappings structure */
+    mappings = (CERTCertificatePolicyMappings *)
+        PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicyMappings));
+    if ( mappings == NULL ) {
+        goto loser;
+    }
+    mappings->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
+    if ( rv != SECSuccess ) {
+        goto loser;
+    }
+
+    /* decode the policy mappings */
+    rv = SEC_QuickDERDecodeItem
+        (arena, mappings, CERT_PolicyMappingsTemplate, &newExtnValue);
+    if ( rv != SECSuccess ) {
+        goto loser;
+    }
+
+    return(mappings);
+    
+loser:
+    if ( arena != NULL ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+SECStatus
+CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings)
+{
+    if ( mappings != NULL ) {
+        PORT_FreeArena(mappings->arena, PR_FALSE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CERT_DecodePolicyConstraintsExtension
+                             (CERTCertificatePolicyConstraints *decodedValue,
+                              SECItem *encodedValue)
+{
+    CERTCertificatePolicyConstraints decodeContext;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+
+    /* initialize so we can tell when an optional component is omitted */
+    PORT_Memset(&decodeContext, 0, sizeof(decodeContext));
+
+    /* make a new arena */
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (!arena) {
+        return SECFailure;
+    }
+
+    do {
+        /* decode the policy constraints */
+        rv = SEC_QuickDERDecodeItem(arena,
+                &decodeContext, CERT_PolicyConstraintsTemplate, encodedValue);
+
+        if ( rv != SECSuccess ) {
+            break;
+        }
+
+        if (decodeContext.explicitPolicySkipCerts.len == 0) {
+            *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1;
+        } else {
+            *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data =
+                    DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
+        }
+
+        if (decodeContext.inhibitMappingSkipCerts.len == 0) {
+            *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1;
+        } else {
+            *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data =
+                    DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
+        }
+
+        if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
+                PR_INT32_MIN) ||
+            (*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
+                PR_INT32_MAX) ||
+            (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
+                PR_INT32_MIN) ||
+            (*(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data ==
+                PR_INT32_MAX)) {
+            rv = SECFailure;
+        }
+    
+    } while (0);
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(rv);
+}
+
+SECStatus CERT_DecodeInhibitAnyExtension
+        (CERTCertificateInhibitAny *decodedValue, SECItem *encodedValue)
+{
+    CERTCertificateInhibitAny decodeContext;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+
+    /* make a new arena */
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if ( !arena ) {
+        return SECFailure;
+    }
+
+    do {
+
+        /* decode the policy mappings */
+        decodeContext.inhibitAnySkipCerts.type = siUnsignedInteger;
+        rv = SEC_QuickDERDecodeItem(arena,
+                &decodeContext, CERT_InhibitAnyTemplate, encodedValue);
+
+        if ( rv != SECSuccess ) {
+            break;
+        }
+
+        *(PRInt32 *)decodedValue->inhibitAnySkipCerts.data =
+                DER_GetInteger(&decodeContext.inhibitAnySkipCerts);
+
+    } while (0);
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(rv);
+}
+
+CERTUserNotice *
+CERT_DecodeUserNotice(SECItem *noticeItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTUserNotice *userNotice;
+    SECItem newNoticeItem;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
+						    sizeof(CERTUserNotice));
+    
+    if ( userNotice == NULL ) {
+	goto loser;
+    }
+    
+    userNotice->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* decode the user notice */
+    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
+			    &newNoticeItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    if (userNotice->derNoticeReference.data != NULL) {
+
+        rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference,
+                                    CERT_NoticeReferenceTemplate,
+                                    &userNotice->derNoticeReference);
+        if (rv == SECFailure) {
+            goto loser;
+    	}
+    }
+
+    return(userNotice);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyUserNotice(CERTUserNotice *userNotice)
+{
+    if ( userNotice != NULL ) {
+	PORT_FreeArena(userNotice->arena, PR_FALSE);
+    }
+    return;
+}
+
+static CERTPolicyStringCallback policyStringCB = NULL;
+static void *policyStringCBArg = NULL;
+
+void
+CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
+{
+    policyStringCB = cb;
+    policyStringCBArg = cbarg;
+    return;
+}
+
+char *
+stringFromUserNotice(SECItem *noticeItem)
+{
+    SECItem *org;
+    unsigned int len, headerlen;
+    char *stringbuf;
+    CERTUserNotice *userNotice;
+    char *policystr;
+    char *retstr = NULL;
+    SECItem *displayText;
+    SECItem **noticeNumbers;
+    unsigned int strnum;
+    
+    /* decode the user notice */
+    userNotice = CERT_DecodeUserNotice(noticeItem);
+    if ( userNotice == NULL ) {
+	return(NULL);
+    }
+    
+    org = &userNotice->noticeReference.organization;
+    if ( (org->len != 0 ) && ( policyStringCB != NULL ) ) {
+	/* has a noticeReference */
+
+	/* extract the org string */
+	len = org->len;
+	stringbuf = (char*)PORT_Alloc(len + 1);
+	if ( stringbuf != NULL ) {
+	    PORT_Memcpy(stringbuf, org->data, len);
+	    stringbuf[len] = '\0';
+
+	    noticeNumbers = userNotice->noticeReference.noticeNumbers;
+	    while ( *noticeNumbers != NULL ) {
+		/* XXX - only one byte integers right now*/
+		strnum = (*noticeNumbers)->data[0];
+		policystr = (* policyStringCB)(stringbuf,
+					       strnum,
+					       policyStringCBArg);
+		if ( policystr != NULL ) {
+		    if ( retstr != NULL ) {
+			retstr = PR_sprintf_append(retstr, "\n%s", policystr);
+		    } else {
+			retstr = PR_sprintf_append(retstr, "%s", policystr);
+		    }
+
+		    PORT_Free(policystr);
+		}
+		
+		noticeNumbers++;
+	    }
+
+	    PORT_Free(stringbuf);
+	}
+    }
+
+    if ( retstr == NULL ) {
+	if ( userNotice->displayText.len != 0 ) {
+	    displayText = &userNotice->displayText;
+
+	    if ( displayText->len > 2 ) {
+		if ( displayText->data[0] == SEC_ASN1_VISIBLE_STRING ) {
+		    headerlen = 2;
+		    if ( displayText->data[1] & 0x80 ) {
+			/* multibyte length */
+			headerlen += ( displayText->data[1] & 0x7f );
+		    }
+
+		    len = displayText->len - headerlen;
+		    retstr = (char*)PORT_Alloc(len + 1);
+		    if ( retstr != NULL ) {
+			PORT_Memcpy(retstr, &displayText->data[headerlen],len);
+			retstr[len] = '\0';
+		    }
+		}
+	    }
+	}
+    }
+    
+    CERT_DestroyUserNotice(userNotice);
+    
+    return(retstr);
+}
+
+char *
+CERT_GetCertCommentString(CERTCertificate *cert)
+{
+    char *retstring = NULL;
+    SECStatus rv;
+    SECItem policyItem;
+    CERTCertificatePolicies *policies = NULL;
+    CERTPolicyInfo **policyInfos;
+    CERTPolicyQualifier **policyQualifiers, *qualifier;
+
+    policyItem.data = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
+				&policyItem);
+    if ( rv != SECSuccess ) {
+	goto nopolicy;
+    }
+
+    policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
+    if ( policies == NULL ) {
+	goto nopolicy;
+    }
+
+    policyInfos = policies->policyInfos;
+    /* search through policyInfos looking for the verisign policy */
+    while (*policyInfos != NULL ) {
+	if ( (*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES ) {
+	    policyQualifiers = (*policyInfos)->policyQualifiers;
+	    /* search through the policy qualifiers looking for user notice */
+	    while ( policyQualifiers != NULL && *policyQualifiers != NULL ) {
+		qualifier = *policyQualifiers;
+		if ( qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER ) {
+		    retstring =
+			stringFromUserNotice(&qualifier->qualifierValue);
+		    break;
+		}
+
+		policyQualifiers++;
+	    }
+	    break;
+	}
+	policyInfos++;
+    }
+
+nopolicy:
+    if ( policyItem.data != NULL ) {
+	PORT_Free(policyItem.data);
+    }
+
+    if ( policies != NULL ) {
+	CERT_DestroyCertificatePoliciesExtension(policies);
+    }
+    
+    if ( retstring == NULL ) {
+	retstring = CERT_FindNSStringExtension(cert,
+					       SEC_OID_NS_CERT_EXT_COMMENT);
+    }
+    
+    if ( retstring != NULL ) {
+	breakLines(retstring);
+    }
+    
+    return(retstring);
+}
+
+
+const SEC_ASN1Template CERT_OidSeqTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
+	  offsetof(CERTOidSequence, oids),
+	  SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
+};
+
+CERTOidSequence *
+CERT_DecodeOidSequence(SECItem *seqItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTOidSequence *oidSeq;
+    SECItem newSeqItem;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    oidSeq = (CERTOidSequence *)PORT_ArenaZAlloc(arena,
+						 sizeof(CERTOidSequence));
+    
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+    
+    oidSeq->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newSeqItem, seqItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* decode the user notice */
+    rv = SEC_QuickDERDecodeItem(arena, oidSeq, CERT_OidSeqTemplate, &newSeqItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    return(oidSeq);
+    
+loser:
+    return(NULL);
+}
+
+
+void
+CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
+{
+    if ( oidSeq != NULL ) {
+	PORT_FreeArena(oidSeq->arena, PR_FALSE);
+    }
+    return;
+}
+
+PRBool
+CERT_GovtApprovedBitSet(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    CERTOidSequence *oidSeq = NULL;
+    PRBool ret;
+    SECItem **oids;
+    SECItem *oid;
+    SECOidTag oidTag;
+    
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    oidSeq = CERT_DecodeOidSequence(&extItem);
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+
+    oids = oidSeq->oids;
+    while ( oids != NULL && *oids != NULL ) {
+	oid = *oids;
+	
+	oidTag = SECOID_FindOIDTag(oid);
+	
+	if ( oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED ) {
+	    goto success;
+	}
+	
+	oids++;
+    }
+
+loser:
+    ret = PR_FALSE;
+    goto done;
+success:
+    ret = PR_TRUE;
+done:
+    if ( oidSeq != NULL ) {
+	CERT_DestroyOidSequence(oidSeq);
+    }
+    if (extItem.data != NULL) {
+	PORT_Free(extItem.data);
+    }
+    return(ret);
+}
+
+
+SECStatus
+CERT_EncodePolicyConstraintsExtension(PRArenaPool *arena,
+                                      CERTCertificatePolicyConstraints *constr,
+                                      SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(constr != NULL && dest != NULL);
+    if (constr == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem (arena, dest, constr,
+                            CERT_PolicyConstraintsTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+SECStatus
+CERT_EncodePolicyMappingExtension(PRArenaPool *arena,
+                                  CERTCertificatePolicyMappings *mapping,
+                                  SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(mapping != NULL && dest != NULL);
+    if (mapping == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem (arena, dest, mapping,
+                            CERT_PolicyMappingsTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+
+
+SECStatus
+CERT_EncodeCertPoliciesExtension(PRArenaPool *arena,
+                                 CERTPolicyInfo **info,
+                                 SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(info != NULL && dest != NULL);
+    if (info == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem (arena, dest, info,
+                            CERT_CertificatePoliciesTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeUserNotice(PRArenaPool *arena,
+                      CERTUserNotice *notice,
+                      SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(notice != NULL && dest != NULL);
+    if (notice == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem(arena, dest,
+                           notice, CERT_UserNoticeTemplate) == NULL) {
+	rv = SECFailure;
+    }
+
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeNoticeReference(PRArenaPool *arena,
+                           CERTNoticeReference *reference,
+                           SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+    
+    PORT_Assert(reference != NULL && dest != NULL);
+    if (reference == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem (arena, dest, reference,
+                            CERT_NoticeReferenceTemplate) == NULL) {
+	rv = SECFailure;
+    }
+
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeInhibitAnyExtension(PRArenaPool *arena,
+                               CERTCertificateInhibitAny *certInhibitAny,
+                               SECItem *dest)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(certInhibitAny != NULL && dest != NULL);
+    if (certInhibitAny == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    if (SEC_ASN1EncodeItem (arena, dest, certInhibitAny,
+                            CERT_InhibitAnyTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c
new file mode 100644
index 000000000..2a3f7b9d4
--- /dev/null
+++ b/security/nss/lib/certdb/secname.c
@@ -0,0 +1,730 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   John Gardiner Myers <jgmyers@speakeasy.net>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cert.h"
+#include "secoid.h"
+#include "secder.h"	/* XXX remove this when remove the DERTemplates */
+#include "secasn1.h"
+#include "secitem.h"
+#include <stdarg.h>
+#include "secerr.h"
+#include "certi.h"
+
+static const SEC_ASN1Template cert_AVATemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTAVA) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTAVA,type), },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTAVA,value), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+static int
+CountArray(void **array)
+{
+    int count = 0;
+    if (array) {
+	while (*array++) {
+	    count++;
+	}
+    }
+    return count;
+}
+
+static void **
+AddToArray(PRArenaPool *arena, void **array, void *element)
+{
+    unsigned count;
+    void **ap;
+
+    /* Count up number of slots already in use in the array */
+    count = 0;
+    ap = array;
+    if (ap) {
+	while (*ap++) {
+	    count++;
+	}
+    }
+
+    if (array) {
+	array = (void**) PORT_ArenaGrow(arena, array,
+					(count + 1) * sizeof(void *),
+					(count + 2) * sizeof(void *));
+    } else {
+	array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
+    }
+    if (array) {
+	array[count] = element;
+	array[count+1] = 0;
+    }
+    return array;
+}
+
+
+SECOidTag
+CERT_GetAVATag(CERTAVA *ava)
+{
+    SECOidData *oid;
+    if (!ava->type.data) return (SECOidTag)-1;
+
+    oid = SECOID_FindOID(&ava->type);
+    
+    if ( oid ) {
+	return(oid->offset);
+    }
+    return (SECOidTag)-1;
+}
+
+static SECStatus
+SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
+{
+    unsigned char *oid;
+    unsigned oidLen;
+    unsigned char *cp;
+    int      maxLen;
+    SECOidData *oidrec;
+
+    oidrec = SECOID_FindOIDByTag(type);
+    if (oidrec == NULL)
+	return SECFailure;
+
+    oid = oidrec->oid.data;
+    oidLen = oidrec->oid.len;
+
+    maxLen = cert_AVAOidTagToMaxLen(type);
+    if (maxLen < 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
+    if (cp == NULL) {
+	return SECFailure;
+    }
+    it->len = oidLen;
+    PORT_Memcpy(cp, oid, oidLen);
+    *maxLenp = (unsigned)maxLen;
+    return SECSuccess;
+}
+
+static SECStatus
+SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it,
+	      unsigned maxLen)
+{
+    unsigned valueLen, valueLenLen, total;
+    unsigned ucs4Len = 0, ucs4MaxLen;
+    unsigned char *cp, *ucs4Val;
+
+    switch (valueType) {
+      case SEC_ASN1_PRINTABLE_STRING:
+      case SEC_ASN1_IA5_STRING:
+      case SEC_ASN1_T61_STRING:
+      case SEC_ASN1_UTF8_STRING: /* no conversion required */
+	valueLen = PORT_Strlen(value);
+	break;
+      case SEC_ASN1_UNIVERSAL_STRING:
+	valueLen = PORT_Strlen(value);
+	ucs4MaxLen = valueLen * 6;
+	ucs4Val = (unsigned char *)PORT_ArenaZAlloc(arena, ucs4MaxLen);
+	if(!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, 
+	                                (unsigned char *)value, valueLen,
+					ucs4Val, ucs4MaxLen, &ucs4Len)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	value = (char *)ucs4Val;
+	valueLen = ucs4Len;
+    	maxLen *= 4;
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (valueLen > maxLen) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } 
+
+    valueLenLen = DER_LengthLength(valueLen);
+    total = 1 + valueLenLen + valueLen;
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, total);
+    if (!cp) {
+	return SECFailure;
+    }
+    it->len = total;
+    cp = (unsigned char*) DER_StoreHeader(cp, valueType, valueLen);
+    PORT_Memcpy(cp, value, valueLen);
+    return SECSuccess;
+}
+
+CERTAVA *
+CERT_CreateAVAFromRaw(PRArenaPool *pool, const SECItem * OID, 
+                      const SECItem * value)
+{
+    CERTAVA *ava;
+    int rv;
+
+    ava = PORT_ArenaZNew(pool, CERTAVA);
+    if (ava) {
+	rv = SECITEM_CopyItem(pool, &ava->type, OID);
+	if (rv) 
+	    return NULL;
+
+	rv = SECITEM_CopyItem(pool, &ava->value, value);
+	if (rv) 
+	    return NULL;
+    }
+    return ava;
+}
+
+CERTAVA *
+CERT_CreateAVA(PRArenaPool *arena, SECOidTag kind, int valueType, char *value)
+{
+    CERTAVA *ava;
+    int rv;
+    unsigned maxLen;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
+	if (rv) {
+	    /* Illegal AVA type */
+	    return 0;
+	}
+	rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
+	if (rv) {
+	    /* Illegal value type */
+	    return 0;
+	}
+    }
+    return ava;
+}
+
+CERTAVA *
+CERT_CopyAVA(PRArenaPool *arena, CERTAVA *from)
+{
+    CERTAVA *ava;
+    int rv;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
+	if (rv) goto loser;
+	rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
+	if (rv) goto loser;
+    }
+    return ava;
+
+  loser:
+    return 0;
+}
+
+/************************************************************************/
+/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
+static const SEC_ASN1Template cert_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+CERTRDN *
+CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...)
+{
+    CERTAVA *ava;
+    CERTRDN *rdn;
+    va_list ap;
+    unsigned count;
+    CERTAVA **avap;
+
+    rdn = (CERTRDN*) PORT_ArenaAlloc(arena, sizeof(CERTRDN));
+    if (rdn) {
+	/* Count number of avas going into the rdn */
+	count = 0;
+	if (ava0) {
+	    count++;
+	    va_start(ap, ava0);
+	    while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+		count++;
+	    }
+	    va_end(ap);
+	}
+
+	/* Now fill in the pointers */
+	rdn->avas = avap =
+	    (CERTAVA**) PORT_ArenaAlloc( arena, (count + 1)*sizeof(CERTAVA*));
+	if (!avap) {
+	    return 0;
+	}
+	if (ava0) {
+	    *avap++ = ava0;
+	    va_start(ap, ava0);
+	    while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+		*avap++ = ava;
+	    }
+	    va_end(ap);
+	}
+	*avap++ = 0;
+    }
+    return rdn;
+}
+
+SECStatus
+CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
+{
+    rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava);
+    return rdn->avas ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from)
+{
+    CERTAVA **avas, *fava, *tava;
+    SECStatus rv = SECSuccess;
+
+    /* Copy each ava from from */
+    avas = from->avas;
+    if (avas) {
+	if (avas[0] == NULL) {
+	    rv = CERT_AddAVA(arena, to, NULL);
+	    return rv;
+	}
+	while ((fava = *avas++) != 0) {
+	    tava = CERT_CopyAVA(arena, fava);
+	    if (!tava) {
+	    	rv = SECFailure;
+		break;
+	    }
+	    rv = CERT_AddAVA(arena, to, tava);
+	    if (rv != SECSuccess) 
+	    	break;
+	}
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+const SEC_ASN1Template CERT_NameTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTName,rdns), CERT_RDNTemplate, sizeof(CERTName) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate)
+
+CERTName *
+CERT_CreateName(CERTRDN *rdn0, ...)
+{
+    CERTRDN *rdn;
+    CERTName *name;
+    va_list ap;
+    unsigned count;
+    CERTRDN **rdnp;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+    
+    name = (CERTName*) PORT_ArenaAlloc(arena, sizeof(CERTName));
+    if (name) {
+	name->arena = arena;
+	
+	/* Count number of RDNs going into the Name */
+	if (!rdn0) {
+	    count = 0;
+	} else {
+	    count = 1;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		count++;
+	    }
+	    va_end(ap);
+	}
+
+	/* Allocate space (including space for terminal null ptr) */
+	name->rdns = rdnp =
+	    (CERTRDN**) PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN*));
+	if (!name->rdns) {
+	    goto loser;
+	}
+
+	/* Now fill in the pointers */
+	if (count > 0) {
+	    *rdnp++ = rdn0;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		*rdnp++ = rdn;
+	    }
+	    va_end(ap);
+	}
+
+	/* null terminate the list */
+	*rdnp++ = 0;
+    }
+    return name;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(0);
+}
+
+void
+CERT_DestroyName(CERTName *name)
+{
+    if (name)
+    {
+        PRArenaPool *arena = name->arena;
+        name->rdns = NULL;
+	name->arena = NULL;
+	if (arena) PORT_FreeArena(arena, PR_FALSE);
+    }
+}
+
+SECStatus
+CERT_AddRDN(CERTName *name, CERTRDN *rdn)
+{
+    name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
+    return name->rdns ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
+{
+    CERTRDN **rdns, *frdn, *trdn;
+    SECStatus rv = SECSuccess;
+
+    if (!to || !from) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    CERT_DestroyName(to);
+    to->arena = arena;
+
+    /* Copy each rdn from from */
+    rdns = from->rdns;
+    if (rdns) {
+    	if (rdns[0] == NULL) {
+	    rv = CERT_AddRDN(to, NULL);
+	    return rv;
+	}
+	while ((frdn = *rdns++) != NULL) {
+	    trdn = CERT_CreateRDN(arena, NULL);
+	    if (!trdn) {
+		rv = SECFailure;
+		break;
+	    }
+	    rv = CERT_CopyRDN(arena, trdn, frdn);
+	    if (rv != SECSuccess) 
+	        break;
+	    rv = CERT_AddRDN(to, trdn);
+	    if (rv != SECSuccess) 
+	        break;
+	}
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+static void
+canonicalize(SECItem * foo)
+{
+    int ch, lastch, len, src, dest;
+
+    /* strip trailing whitespace. */
+    len = foo->len;
+    while (len > 0 && ((ch = foo->data[len - 1]) == ' ' || 
+           ch == '\t' || ch == '\r' || ch == '\n')) {
+	len--;
+    }
+
+    src = 0;
+    /* strip leading whitespace. */
+    while (src < len && ((ch = foo->data[src]) == ' ' || 
+           ch == '\t' || ch == '\r' || ch == '\n')) {
+	src++;
+    }
+    dest = 0; lastch = ' ';
+    while (src < len) {
+        ch = foo->data[src++];
+	if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
+	    ch = ' ';
+	    if (ch == lastch)
+	        continue;
+	} else if (ch >= 'A' && ch <= 'Z') {
+	    ch |= 0x20;  /* downshift */
+	}
+	foo->data[dest++] = lastch = ch;
+    }
+    foo->len = dest;
+}
+
+/* SECItems a and b contain DER-encoded printable strings. */
+SECComparison
+CERT_CompareDERPrintableStrings(const SECItem *a, const SECItem *b)
+{
+    SECComparison rv = SECLessThan;
+    SECItem * aVal = CERT_DecodeAVAValue(a);
+    SECItem * bVal = CERT_DecodeAVAValue(b);
+
+    if (aVal && aVal->len && aVal->data &&
+	bVal && bVal->len && bVal->data) {
+	canonicalize(aVal);
+	canonicalize(bVal);
+	rv = SECITEM_CompareItem(aVal, bVal);
+    }
+    SECITEM_FreeItem(aVal, PR_TRUE);
+    SECITEM_FreeItem(bVal, PR_TRUE);
+    return rv;
+}
+
+SECComparison
+CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b)
+{
+    SECComparison rv;
+
+    rv = SECITEM_CompareItem(&a->type, &b->type);
+    if (SECEqual != rv)
+	return rv;  /* Attribute types don't match. */
+    /* Let's be optimistic.  Maybe the values will just compare equal. */
+    rv = SECITEM_CompareItem(&a->value, &b->value);
+    if (SECEqual == rv)
+        return rv;  /* values compared exactly. */
+    if (a->value.len && a->value.data && b->value.len && b->value.data) {
+	/* Here, the values did not match.  
+	** If the values had different encodings, convert them to the same
+	** encoding and compare that way.
+	*/
+	if (a->value.data[0] != b->value.data[0]) {
+	    /* encodings differ.  Convert both to UTF-8 and compare. */
+	    SECItem * aVal = CERT_DecodeAVAValue(&a->value);
+	    SECItem * bVal = CERT_DecodeAVAValue(&b->value);
+	    if (aVal && aVal->len && aVal->data &&
+	        bVal && bVal->len && bVal->data) {
+		rv = SECITEM_CompareItem(aVal, bVal);
+	    }
+	    SECITEM_FreeItem(aVal, PR_TRUE);
+	    SECITEM_FreeItem(bVal, PR_TRUE);
+	} else if (a->value.data[0] == 0x13) { /* both are printable strings. */
+	    /* printable strings */
+	    rv = CERT_CompareDERPrintableStrings(&a->value, &b->value);
+	}
+    }
+    return rv;
+}
+
+SECComparison
+CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
+{
+    CERTAVA **aavas, *aava;
+    CERTAVA **bavas, *bava;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    aavas = a->avas;
+    bavas = b->avas;
+
+    /*
+    ** Make sure array of ava's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) aavas);
+    bc = CountArray((void**) bavas);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    while (NULL != (aava = *aavas++)) {
+	for (bavas = b->avas; bava = *bavas++; ) {
+	    rv = SECITEM_CompareItem(&aava->type, &bava->type);
+	    if (SECEqual == rv) {
+		rv = CERT_CompareAVA(aava, bava);
+		if (SECEqual != rv) 
+		    return rv;
+		break;
+	    }
+    	}
+	if (!bava)  /* didn't find a match */
+	    return SECGreaterThan;
+    }
+    return rv;
+}
+
+SECComparison
+CERT_CompareName(CERTName *a, CERTName *b)
+{
+    CERTRDN **ardns, *ardn;
+    CERTRDN **brdns, *brdn;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    ardns = a->rdns;
+    brdns = b->rdns;
+
+    /*
+    ** Make sure array of rdn's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) ardns);
+    bc = CountArray((void**) brdns);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    for (;;) {
+	ardn = *ardns++;
+	brdn = *brdns++;
+	if (!ardn) {
+	    break;
+	}
+	rv = CERT_CompareRDN(ardn, brdn);
+	if (rv) return rv;
+    }
+    return rv;
+}
+
+/* Moved from certhtml.c */
+SECItem *
+CERT_DecodeAVAValue(const SECItem *derAVAValue)
+{
+          SECItem          *retItem; 
+    const SEC_ASN1Template *theTemplate       = NULL;
+          enum { conv_none, conv_ucs4, conv_ucs2, conv_iso88591 } convert = conv_none;
+          SECItem           avaValue          = {siBuffer, 0}; 
+          PLArenaPool      *newarena          = NULL;
+
+    if (!derAVAValue || !derAVAValue->len || !derAVAValue->data) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    switch(derAVAValue->data[0]) {
+	case SEC_ASN1_UNIVERSAL_STRING:
+	    convert = conv_ucs4;
+	    theTemplate = SEC_ASN1_GET(SEC_UniversalStringTemplate);
+	    break;
+	case SEC_ASN1_IA5_STRING:
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+	case SEC_ASN1_PRINTABLE_STRING:
+	    theTemplate = SEC_ASN1_GET(SEC_PrintableStringTemplate);
+	    break;
+	case SEC_ASN1_T61_STRING:
+	    /*
+	     * Per common practice, we're not decoding actual T.61, but instead
+	     * treating T61-labeled strings as containing ISO-8859-1.
+	     */
+	    convert = conv_iso88591;
+	    theTemplate = SEC_ASN1_GET(SEC_T61StringTemplate);
+	    break;
+	case SEC_ASN1_BMP_STRING:
+	    convert = conv_ucs2;
+	    theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
+	    break;
+	case SEC_ASN1_UTF8_STRING:
+	    /* No conversion needed ! */
+	    theTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate);
+	    break;
+	default:
+	    PORT_SetError(SEC_ERROR_INVALID_AVA);
+	    return NULL;
+    }
+
+    PORT_Memset(&avaValue, 0, sizeof(SECItem));
+    newarena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!newarena) {
+        return NULL;
+    }
+    if(SEC_QuickDERDecodeItem(newarena, &avaValue, theTemplate, derAVAValue) 
+				!= SECSuccess) {
+	PORT_FreeArena(newarena, PR_FALSE);
+	return NULL;
+    }
+
+    if (convert != conv_none) {
+	unsigned int   utf8ValLen = avaValue.len * 3;
+	unsigned char *utf8Val    = (unsigned char*)
+				    PORT_ArenaZAlloc(newarena, utf8ValLen);
+
+        switch (convert) {
+        case conv_ucs4:
+           if(avaValue.len % 4 != 0 ||
+              !PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+					utf8Val, utf8ValLen, &utf8ValLen)) {
+                PORT_FreeArena(newarena, PR_FALSE);
+                PORT_SetError(SEC_ERROR_INVALID_AVA);
+		return NULL;
+	   }
+	   break;
+	case conv_ucs2:
+           if(avaValue.len % 2 != 0 ||
+              !PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+					utf8Val, utf8ValLen, &utf8ValLen)) {
+                PORT_FreeArena(newarena, PR_FALSE);
+                PORT_SetError(SEC_ERROR_INVALID_AVA);
+		return NULL;
+	   }
+	   break;
+	case conv_iso88591:
+           if(!PORT_ISO88591_UTF8Conversion(avaValue.data, avaValue.len,
+					utf8Val, utf8ValLen, &utf8ValLen)) {
+                PORT_FreeArena(newarena, PR_FALSE);
+                PORT_SetError(SEC_ERROR_INVALID_AVA);
+		return NULL;
+	   }
+	   break;
+	case conv_none:
+	   PORT_Assert(0); /* not reached */
+	   break;
+	}
+	  
+	avaValue.data = utf8Val;
+	avaValue.len = utf8ValLen;
+    }
+
+    retItem = SECITEM_DupItem(&avaValue);
+    PORT_FreeArena(newarena, PR_FALSE);
+    return retItem;
+}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
new file mode 100644
index 000000000..6b48ca169
--- /dev/null
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -0,0 +1,1032 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prtime.h"
+
+#include "cert.h"
+#include "mcom_db.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "secder.h"
+
+/* Call to PK11_FreeSlot below */
+
+#include "secasn1.h"
+#include "secerr.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "base64.h"
+#include "sechash.h"
+#include "plhash.h"
+#include "pk11func.h" /* sigh */
+
+#include "nsspki.h"
+#include "pki.h"
+#include "pkim.h"
+#include "pki3hack.h"
+#include "ckhelper.h"
+#include "base.h"
+#include "pkistore.h"
+#include "dev3hack.h"
+#include "dev.h"
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle)
+{
+    CERTCertificate *cert;
+    PRBool conflict = PR_FALSE;
+
+    cert=CERT_FindCertByNickname(handle, nickname);
+
+    if (!cert) {
+	return conflict;
+    }
+
+    conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
+    CERT_DestroyCertificate(cert);
+    return conflict;
+}
+
+SECStatus
+SEC_DeletePermCertificate(CERTCertificate *cert)
+{
+    PRStatus nssrv;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+
+    if (c == NULL) {
+        /* error code is set */
+        return SECFailure;
+    }
+
+    /* get rid of the token instances */
+    nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
+
+    /* get rid of the cache entry */
+    nssTrustDomain_LockCertCache(td);
+    nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
+    nssTrustDomain_UnlockCertCache(td);
+
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
+{
+    SECStatus rv;
+    CERT_LockCertTrust(cert);
+    if ( cert->trust == NULL ) {
+	rv = SECFailure;
+    } else {
+	*trust = *cert->trust;
+	rv = SECSuccess;
+    }
+    CERT_UnlockCertTrust(cert);
+    return(rv);
+}
+
+extern const NSSError NSS_ERROR_NO_ERROR;
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
+extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
+extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
+extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
+extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
+extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
+extern const NSSError NSS_ERROR_BUFFER_TOO_SHORT;
+extern const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT;
+extern const NSSError NSS_ERROR_INVALID_BASE64;
+extern const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT;
+extern const NSSError NSS_ERROR_INVALID_ITEM;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+extern const NSSError NSS_ERROR_INVALID_UTF8;
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
+extern const NSSError NSS_ERROR_NOT_FOUND;
+extern const NSSError NSS_ERROR_INVALID_PASSWORD;
+extern const NSSError NSS_ERROR_USER_CANCELED;
+extern const NSSError NSS_ERROR_MAXIMUM_FOUND;
+extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
+extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
+extern const NSSError NSS_ERROR_HASH_COLLISION;
+extern const NSSError NSS_ERROR_DEVICE_ERROR;
+extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
+extern const NSSError NSS_ERROR_BUSY;
+extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
+extern const NSSError NSS_ERROR_PKCS11;
+
+
+/* Look at the stan error stack and map it to NSS 3 errors */
+#define STAN_MAP_ERROR(x,y)   \
+ else if (error == (x)) {     \
+  secError = y;               \
+ }                            \
+
+/* 
+ * map Stan errors into NSS errors
+ * This function examines the stan error stack and automatically sets
+ * PORT_SetError(); to the appropriate SEC_ERROR value.
+ */
+void
+CERT_MapStanError()
+{
+    PRInt32 *errorStack;
+    NSSError error, prevError;
+    int secError;
+    int i;
+
+    error = 0;
+
+    errorStack = NSS_GetErrorStack();
+    if (errorStack == 0) {
+	PORT_SetError(0);
+	return;
+    } 
+    error = prevError = CKR_GENERAL_ERROR;
+    /* get the 'top 2' error codes from the stack */
+    for (i=0; errorStack[i]; i++) {
+	prevError = error;
+	error = errorStack[i];
+    }
+    if (error == NSS_ERROR_PKCS11) {
+	/* map it */
+	secError = PK11_MapError(prevError);
+    }
+	STAN_MAP_ERROR(NSS_ERROR_NO_ERROR, 0)
+	STAN_MAP_ERROR(NSS_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_BASE64, SEC_ERROR_BAD_DATA)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_BER, SEC_ERROR_BAD_DER)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ATAV, SEC_ERROR_INVALID_AVA)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_PASSWORD,SEC_ERROR_BAD_PASSWORD)
+	STAN_MAP_ERROR(NSS_ERROR_BUSY, SEC_ERROR_BUSY)
+	STAN_MAP_ERROR(NSS_ERROR_DEVICE_ERROR, SEC_ERROR_IO)
+	STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND, 
+			SEC_ERROR_UNKNOWN_ISSUER)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_CERTIFICATE, SEC_ERROR_CERT_NOT_VALID)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_UTF8, SEC_ERROR_BAD_DATA)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_NSSOID, SEC_ERROR_BAD_DATA)
+
+	/* these are library failure for lack of a better error code */
+	STAN_MAP_ERROR(NSS_ERROR_NOT_FOUND, SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_IN_CACHE,
+						 SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_MAXIMUM_FOUND, SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_USER_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_INITIALIZED,
+						 SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_ALREADY_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD,
+						 SEC_ERROR_LIBRARY_FAILURE)
+	STAN_MAP_ERROR(NSS_ERROR_HASH_COLLISION, SEC_ERROR_LIBRARY_FAILURE)
+
+	STAN_MAP_ERROR(NSS_ERROR_INTERNAL_ERROR, SEC_ERROR_LIBRARY_FAILURE)
+
+	/* these are all invalid arguments */
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ARGUMENT, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_POINTER, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA_MARK, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_DUPLICATE_POINTER, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_POINTER_NOT_REGISTERED, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_EMPTY, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_VALUE_TOO_LARGE, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_UNSUPPORTED_TYPE, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_BUFFER_TOO_SHORT, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ATOB_CONTEXT, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_BTOA_CONTEXT, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ITEM, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_STRING, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1ENCODER, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1DECODER, SEC_ERROR_INVALID_ARGS)
+	STAN_MAP_ERROR(NSS_ERROR_UNKNOWN_ATTRIBUTE, SEC_ERROR_INVALID_ARGS)
+    else {
+	secError = SEC_ERROR_LIBRARY_FAILURE;
+    }
+    PORT_SetError(secError);
+}
+
+    
+
+SECStatus
+CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
+		    CERTCertTrust *trust)
+{
+    SECStatus rv = SECSuccess;
+    PRStatus ret;
+
+    CERT_LockCertTrust(cert);
+    ret = STAN_ChangeCertTrust(cert, trust);
+    CERT_UnlockCertTrust(cert);
+    if (ret != PR_SUCCESS) {
+	rv = SECFailure;
+	CERT_MapStanError();
+    }
+    return rv;
+}
+
+extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
+
+SECStatus
+__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    NSSUTF8 *stanNick;
+    PK11SlotInfo *slot;
+    NSSToken *internal;
+    NSSCryptoContext *context;
+    nssCryptokiObject *permInstance;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+    nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+    SECStatus rv;
+    PRStatus ret;
+
+    if (c == NULL) {
+	CERT_MapStanError();
+        return SECFailure;
+    }
+
+    context = c->object.cryptoContext;
+    if (!context) {
+	PORT_SetError(SEC_ERROR_ADDING_CERT); 
+	return SECFailure; /* wasn't a temp cert */
+    }
+    stanNick = nssCertificate_GetNickname(c, NULL);
+    if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
+	/* take the new nickname */
+	cert->nickname = NULL;
+	stanNick = NULL;
+    }
+    if (!stanNick && nickname) {
+	stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
+    }
+    /* Delete the temp instance */
+    nssCertificateStore_Lock(context->certStore, &lockTrace);
+    nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
+    nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace);
+    c->object.cryptoContext = NULL;
+    /* Import the perm instance onto the internal token */
+    slot = PK11_GetInternalKeySlot();
+    internal = PK11Slot_GetNSSToken(slot);
+    permInstance = nssToken_ImportCertificate(internal, NULL,
+                                              NSSCertificateType_PKIX,
+                                              &c->id,
+                                              stanNick,
+                                              &c->encoding,
+                                              &c->issuer,
+                                              &c->subject,
+                                              &c->serial,
+					      cert->emailAddr,
+                                              PR_TRUE);
+    PK11_FreeSlot(slot);
+    if (!permInstance) {
+	if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
+	    PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
+	}
+	return SECFailure;
+    }
+    nssPKIObject_AddInstance(&c->object, permInstance);
+    nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
+    /* reset the CERTCertificate fields */
+    cert->nssCertificate = NULL;
+    cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
+    if (!cert) {
+	CERT_MapStanError();
+        return SECFailure;
+    }
+    cert->istemp = PR_FALSE;
+    cert->isperm = PR_TRUE;
+    if (!trust) {
+	return SECSuccess;
+    }
+    ret = STAN_ChangeCertTrust(cert, trust);
+    rv = SECSuccess;
+    if (ret != PR_SUCCESS) {
+	rv = SECFailure;
+	CERT_MapStanError();
+    }
+    return rv;
+}
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    return __CERT_AddTempCertToPerm(cert, nickname, trust);
+}
+
+CERTCertificate *
+CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			char *nickname, PRBool isperm, PRBool copyDER)
+{
+    NSSCertificate *c;
+    CERTCertificate *cc;
+    NSSCertificate *tempCert = NULL;
+    nssPKIObject *pkio;
+    NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
+    NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
+    if (!isperm) {
+	NSSDER encoding;
+	NSSITEM_FROM_SECITEM(&encoding, derCert);
+	/* First, see if it is already a temp cert */
+	c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, 
+	                                                       &encoding);
+	if (!c) {
+	    /* Then, see if it is already a perm cert */
+	    c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                           &encoding);
+	}
+	if (c) {
+	    /* actually, that search ends up going by issuer/serial,
+	     * so it is still possible to return a cert with the same
+	     * issuer/serial but a different encoding, and we're
+	     * going to reject that
+	     */
+	    if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
+		nssCertificate_Destroy(c);
+		PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
+		cc = NULL;
+	    } else {
+    		cc = STAN_GetCERTCertificateOrRelease(c);
+		if (cc == NULL) {
+		    CERT_MapStanError();
+		}
+	    }
+	    return cc;
+	}
+    }
+    pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC, nssPKIMonitor);
+    if (!pkio) {
+	CERT_MapStanError();
+	return NULL;
+    }
+    c = nss_ZNEW(pkio->arena, NSSCertificate);
+    if (!c) {
+	CERT_MapStanError();
+	nssPKIObject_Destroy(pkio);
+	return NULL;
+    }
+    c->object = *pkio;
+    if (copyDER) {
+	nssItem_Create(c->object.arena, &c->encoding, 
+	               derCert->len, derCert->data);
+    } else {
+	NSSITEM_FROM_SECITEM(&c->encoding, derCert);
+    }
+    /* Forces a decoding of the cert in order to obtain the parts used
+     * below
+     */
+    /* 'c' is not adopted here, if we fail loser frees what has been
+     * allocated so far for 'c' */
+    cc = STAN_GetCERTCertificate(c);
+    if (!cc) {
+	CERT_MapStanError();
+        goto loser;
+    }
+    nssItem_Create(c->object.arena, 
+                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
+    nssItem_Create(c->object.arena, 
+                   &c->subject, cc->derSubject.len, cc->derSubject.data);
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	SECItem derSerial = { 0 };
+	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+	if (!derSerial.data) goto loser;
+	nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+    }
+    if (nickname) {
+	c->object.tempName = nssUTF8_Create(c->object.arena, 
+                                            nssStringType_UTF8String, 
+                                            (NSSUTF8 *)nickname, 
+                                            PORT_Strlen(nickname));
+    }
+    if (cc->emailAddr && cc->emailAddr[0]) {
+	c->email = nssUTF8_Create(c->object.arena, 
+	                          nssStringType_PrintableString, 
+	                          (NSSUTF8 *)cc->emailAddr, 
+	                          PORT_Strlen(cc->emailAddr));
+    }
+
+    tempCert = NSSCryptoContext_FindOrImportCertificate(gCC, c);
+    if (!tempCert) {
+	CERT_MapStanError();
+	goto loser;
+    }
+    /* destroy our copy */
+    NSSCertificate_Destroy(c);
+    /* and use the stored entry */
+    c = tempCert;
+    cc = STAN_GetCERTCertificateOrRelease(c);
+    if (!cc) {
+	/* STAN_GetCERTCertificateOrRelease destroys c on failure. */
+	CERT_MapStanError();
+	return NULL;
+    }
+
+    cc->istemp = PR_TRUE;
+    cc->isperm = PR_FALSE;
+    return cc;
+loser:
+    /* Perhaps this should be nssCertificate_Destroy(c) */
+    nssPKIObject_Destroy(&c->object);
+    return NULL;
+}
+
+/* This symbol is exported for backward compatibility. */
+CERTCertificate *
+__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			  char *nickname, PRBool isperm, PRBool copyDER)
+{
+    return CERT_NewTempCertificate(handle, derCert, nickname,
+                                   isperm, copyDER);
+}
+
+/* maybe all the wincx's should be some const for internal token login? */
+CERTCertificate *
+CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
+{
+    PK11SlotInfo *slot;
+    CERTCertificate *cert;
+
+    cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
+    if (cert && slot) {
+        PK11_FreeSlot(slot);
+    }
+
+    return cert;
+}
+
+static NSSCertificate *
+get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
+{
+    NSSUsage usage;
+    NSSCertificate *arr[3];
+    if (!ct) {
+	return nssCertificate_AddRef(cp);
+    } else if (!cp) {
+	return nssCertificate_AddRef(ct);
+    }
+    arr[0] = ct;
+    arr[1] = cp;
+    arr[2] = NULL;
+    usage.anyUsage = PR_TRUE;
+    return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
+}
+
+CERTCertificate *
+CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
+{
+    NSSCertificate *cp, *ct, *c;
+    NSSDER subject;
+    NSSUsage usage;
+    NSSCryptoContext *cc;
+    NSSITEM_FROM_SECITEM(&subject, name);
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, 
+                                                       NULL, &usage, NULL);
+    cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, 
+                                                     NULL, &usage, NULL);
+    c = get_best_temp_or_perm(ct, cp);
+    if (ct) {
+	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
+    }
+    if (cp) {
+	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp));
+    }
+    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
+}
+
+CERTCertificate *
+CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
+{
+    CERTCertList *list;
+    CERTCertificate *cert = NULL;
+    CERTCertListNode *node, *head;
+
+    list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
+    if (list == NULL) return NULL;
+
+    node = head = CERT_LIST_HEAD(list);
+    if (head) {
+	do {
+	    if (node->cert && 
+		SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) {
+		cert = CERT_DupCertificate(node->cert);
+		goto done;
+	    }
+	    node = CERT_LIST_NEXT(node);
+	} while (node && head != node);
+    }
+    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+done:
+    if (list) {
+        CERT_DestroyCertList(list);
+    }
+    return cert;
+}
+
+CERTCertificate *
+CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, 
+                                                       NULL, &usage, NULL);
+    cert = PK11_FindCertFromNickname(nickname, NULL);
+    c = NULL;
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
+	}
+    } else {
+	c = ct;
+    }
+    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
+}
+
+CERTCertificate *
+CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c;
+    NSSDER encoding;
+    NSSITEM_FROM_SECITEM(&encoding, derCert);
+    cc = STAN_GetDefaultCryptoContext();
+    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
+    if (!c) {
+	c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                       &encoding);
+	if (!c) return NULL;
+    }
+    return STAN_GetCERTCertificateOrRelease(c);
+}
+
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+
+    if (NULL == name) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, 
+                                                       NULL, &usage, NULL);
+    if (!ct && PORT_Strchr(name, '@') != NULL) {
+        char* lowercaseName = CERT_FixupEmailAddr(name);
+        if (lowercaseName) {
+	    ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName, 
+							    NULL, &usage, NULL);
+            PORT_Free(lowercaseName);
+        }
+    }
+    cert = PK11_FindCertFromNickname(name, NULL);
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
+	}
+    } else {
+	c = ct;
+    }
+    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
+}
+
+static void 
+add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
+                    PRBool validOnly, int64 sorttime)
+{
+    SECStatus secrv;
+    if (!validOnly ||
+	CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) 
+	 == secCertTimeValid) {
+	    secrv = CERT_AddCertToListSorted(certList, cert, 
+	                                     CERT_SortCBValidity, 
+	                                     (void *)&sorttime);
+	    if (secrv != SECSuccess) {
+		CERT_DestroyCertificate(cert);
+	    }
+    } else {
+	CERT_DestroyCertificate(cert);
+    }
+}
+
+CERTCertList *
+CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			   SECItem *name, int64 sorttime, PRBool validOnly)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate **tSubjectCerts, **pSubjectCerts;
+    NSSCertificate **ci;
+    CERTCertificate *cert;
+    NSSDER subject;
+    PRBool myList = PR_FALSE;
+    cc = STAN_GetDefaultCryptoContext();
+    NSSITEM_FROM_SECITEM(&subject, name);
+    /* Collect both temp and perm certs for the subject */
+    tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
+                                                               &subject,
+                                                               NULL,
+                                                               0,
+                                                               NULL);
+    pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
+                                                             &subject,
+                                                             NULL,
+                                                             0,
+                                                             NULL);
+    if (!tSubjectCerts && !pSubjectCerts) {
+	return NULL;
+    }
+    if (certList == NULL) {
+	certList = CERT_NewCertList();
+	myList = PR_TRUE;
+	if (!certList) goto loser;
+    }
+    /* Iterate over the matching temp certs.  Add them to the list */
+    ci = tSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificateOrRelease(*ci);
+	/* *ci may be invalid at this point, don't reference it again */
+        if (cert) {
+	    /* NOTE: add_to_subject_list adopts the incoming cert. */
+	    add_to_subject_list(certList, cert, validOnly, sorttime);
+        }
+	ci++;
+    }
+    /* Iterate over the matching perm certs.  Add them to the list */
+    ci = pSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificateOrRelease(*ci);
+	/* *ci may be invalid at this point, don't reference it again */
+        if (cert) {
+	    /* NOTE: add_to_subject_list adopts the incoming cert. */
+	    add_to_subject_list(certList, cert, validOnly, sorttime);
+        }
+	ci++;
+    }
+    /* all the references have been adopted or freed at this point, just
+     * free the arrays now */
+    nss_ZFreeIf(tSubjectCerts);
+    nss_ZFreeIf(pSubjectCerts);
+    return certList;
+loser:
+    /* need to free the references in tSubjectCerts and pSubjectCerts! */
+    nssCertificateArray_Destroy(tSubjectCerts);
+    nssCertificateArray_Destroy(pSubjectCerts);
+    if (myList && certList != NULL) {
+	CERT_DestroyCertList(certList);
+    }
+    return NULL;
+}
+
+void
+CERT_DestroyCertificate(CERTCertificate *cert)
+{
+    if ( cert ) {
+	/* don't use STAN_GetNSSCertificate because we don't want to
+	 * go to the trouble of translating the CERTCertificate into
+	 * an NSSCertificate just to destroy it.  If it hasn't been done
+	 * yet, don't do it at all.
+	 */
+	NSSCertificate *tmp = cert->nssCertificate;
+	if (tmp) {
+	    /* delete the NSSCertificate */
+	    NSSCertificate_Destroy(tmp);
+	} else if (cert->arena) {
+	    PORT_FreeArena(cert->arena, PR_FALSE);
+	}
+    }
+    return;
+}
+
+int
+CERT_GetDBContentVersion(CERTCertDBHandle *handle)
+{
+    /* should read the DB content version from the pkcs #11 device */
+    return 0;
+}
+
+SECStatus
+certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr, 
+				SECItem *emailProfile, SECItem *profileTime)
+{
+    int64 oldtime;
+    int64 newtime;
+    SECStatus rv = SECFailure;
+    PRBool saveit;
+    SECItem oldprof, oldproftime;
+    SECItem *oldProfile = NULL;
+    SECItem *oldProfileTime = NULL;
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    nssSMIMEProfile *stanProfile = NULL;
+    PRBool freeOldProfile = PR_FALSE;
+
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return SECFailure;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    PORT_Assert(stanProfile->profileData);
+	    SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
+	    oldProfile = &oldprof;
+	    SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
+	    oldProfileTime = &oldproftime;
+	}
+    } else {
+	oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr, 
+					&cert->derSubject, &oldProfileTime); 
+	freeOldProfile = PR_TRUE;
+    }
+
+    saveit = PR_FALSE;
+    
+    /* both profileTime and emailProfile have to exist or not exist */
+    if ( emailProfile == NULL ) {
+	profileTime = NULL;
+    } else if ( profileTime == NULL ) {
+	emailProfile = NULL;
+    }
+   
+    if ( oldProfileTime == NULL ) {
+	saveit = PR_TRUE;
+    } else {
+	/* there was already a profile for this email addr */
+	if ( profileTime ) {
+	    /* we have an old and new profile - save whichever is more recent*/
+	    if ( oldProfileTime->len == 0 ) {
+		/* always replace if old entry doesn't have a time */
+		oldtime = LL_MININT;
+	    } else {
+		rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
+		if ( rv != SECSuccess ) {
+		    goto loser;
+		}
+	    }
+	    
+	    rv = DER_UTCTimeToTime(&newtime, profileTime);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	
+	    if ( LL_CMP(newtime, >, oldtime ) ) {
+		/* this is a newer profile, save it and cert */
+		saveit = PR_TRUE;
+	    }
+	} else {
+	    saveit = PR_TRUE;
+	}
+    }
+
+
+    if (saveit) {
+	if (cc) {
+	    if (stanProfile) {
+		/* stanProfile is already stored in the crypto context,
+		 * overwrite the data
+		 */
+		NSSArena *arena = stanProfile->object.arena;
+		stanProfile->profileTime = nssItem_Create(arena, 
+		                                          NULL,
+		                                          profileTime->len,
+		                                          profileTime->data);
+		stanProfile->profileData = nssItem_Create(arena, 
+		                                          NULL,
+		                                          emailProfile->len,
+		                                          emailProfile->data);
+	    } else if (profileTime && emailProfile) {
+		PRStatus nssrv;
+		NSSItem profTime, profData;
+		NSSITEM_FROM_SECITEM(&profTime, profileTime);
+		NSSITEM_FROM_SECITEM(&profData, emailProfile);
+		stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
+		if (!stanProfile) goto loser;
+		nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
+		rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+	    }
+	} else {
+	    rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr, 
+				&cert->derSubject, emailProfile, profileTime);
+	}
+    } else {
+	rv = SECSuccess;
+    }
+
+loser:
+    if (oldProfile && freeOldProfile) {
+    	SECITEM_FreeItem(oldProfile,PR_TRUE);
+    }
+    if (oldProfileTime && freeOldProfile) {
+    	SECITEM_FreeItem(oldProfileTime,PR_TRUE);
+    }
+    if (stanProfile) {
+	nssSMIMEProfile_Destroy(stanProfile);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    
+    return(rv);
+}
+
+/*
+ *
+ * Manage S/MIME profiles
+ *
+ */
+
+SECStatus
+CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+		      SECItem *profileTime)
+{
+    const char *emailAddr;
+    SECStatus rv;
+
+    if (!cert) {
+        return SECFailure;
+    }
+
+    if (cert->slot &&  !PK11_IsInternal(cert->slot)) {
+        /* this cert comes from an external source, we need to add it
+        to the cert db before creating an S/MIME profile */
+        PK11SlotInfo* internalslot = PK11_GetInternalKeySlot();
+        if (!internalslot) {
+            return SECFailure;
+        }
+        rv = PK11_ImportCert(internalslot, cert,
+            CK_INVALID_HANDLE, NULL, PR_FALSE);
+
+        PK11_FreeSlot(internalslot);
+        if (rv != SECSuccess ) {
+            return SECFailure;
+        }
+    }
+
+    if (cert->slot && cert->isperm && CERT_IsUserCert(cert) &&
+	(!emailProfile || !emailProfile->len)) {
+	/* Don't clobber emailProfile for user certs. */
+    	return SECSuccess;
+    }
+
+    for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL;
+		emailAddr = CERT_GetNextEmailAddress(cert,emailAddr)) {
+	rv = certdb_SaveSingleProfile(cert,emailAddr,emailProfile,profileTime);
+	if (rv != SECSuccess) {
+	   return SECFailure;
+	}
+    }
+    return SECSuccess;
+
+}
+
+
+SECItem *
+CERT_FindSMimeProfile(CERTCertificate *cert)
+{
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    SECItem *rvItem = NULL;
+
+    if (!cert || !cert->emailAddr || !cert->emailAddr[0]) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return NULL;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	nssSMIMEProfile *stanProfile;
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    rvItem = SECITEM_AllocItem(NULL, NULL, 
+	                               stanProfile->profileData->size);
+	    if (rvItem) {
+		rvItem->data = stanProfile->profileData->data;
+	    }
+	    nssSMIMEProfile_Destroy(stanProfile);
+	}
+	return rvItem;
+    }
+    rvItem =
+	PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
+    if (slot) {
+    	PK11_FreeSlot(slot);
+    }
+    return rvItem;
+}
+
+/*
+ * deprecated functions that are now just stubs.
+ */
+/*
+ * Close the database
+ */
+void
+__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
+{
+    PORT_Assert("CERT_ClosePermCertDB is Deprecated" == NULL);
+    return;
+}
+
+SECStatus
+CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
+                        PRBool readOnly)
+{
+    PORT_Assert("CERT_OpenCertDBFilename is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECItem *
+SECKEY_HashPassword(char *pw, SECItem *salt)
+{
+    PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+}
+
+SECStatus
+__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
+                                 SECItem *derSubject,
+                                 void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+
+SECStatus
+__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
+                                  void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL);
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+
+
diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c
new file mode 100644
index 000000000..2e7a9a38f
--- /dev/null
+++ b/security/nss/lib/certdb/xauthkid.c
@@ -0,0 +1,161 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * X.509 v3 Subject Key Usage Extension 
+ *
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "secport.h"
+#include "certt.h"  
+#include "genname.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+
+const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(CERTAuthKeyID,keyID), SEC_ASN1_SUB(SEC_OctetStringTemplate)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
+          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+	  offsetof(CERTAuthKeyID,authCertSerialNumber),
+          SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
+
+
+SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue)
+{
+    SECStatus rv = SECFailure;
+ 
+    PORT_Assert (value);
+    PORT_Assert (arena);
+    PORT_Assert (value->DERAuthCertIssuer == NULL);
+    PORT_Assert (encodedValue);
+
+    do {
+	
+	/* If both of the authCertIssuer and the serial number exist, encode
+	   the name first.  Otherwise, it is an error if one exist and the other
+	   is not.
+	 */
+	if (value->authCertIssuer) {
+	    if (!value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+
+	    value->DERAuthCertIssuer = cert_EncodeGeneralNames
+		(arena, value->authCertIssuer);
+	    if (!value->DERAuthCertIssuer) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+	}
+	else if (value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	}
+
+	if (SEC_ASN1EncodeItem (arena, encodedValue, value,
+				CERTAuthKeyIDTemplate) == NULL)
+	    break;
+	rv = SECSuccess;
+
+    } while (0);
+     return(rv);
+}
+
+CERTAuthKeyID *
+CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
+{
+    CERTAuthKeyID * value = NULL;
+    SECStatus       rv    = SECFailure;
+    void *          mark;
+    SECItem         newEncodedValue;
+
+    PORT_Assert (arena);
+   
+    do {
+	mark = PORT_ArenaMark (arena);
+	value = (CERTAuthKeyID*)PORT_ArenaZAlloc (arena, sizeof (*value));
+	if (value == NULL)
+	    break;
+	value->DERAuthCertIssuer = NULL;
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue);
+        if ( rv != SECSuccess ) {
+	    break;
+        }
+
+        rv = SEC_QuickDERDecodeItem
+	     (arena, value, CERTAuthKeyIDTemplate, &newEncodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+        value->authCertIssuer = cert_DecodeGeneralNames (arena, value->DERAuthCertIssuer);
+	if (value->authCertIssuer == NULL)
+	    break;
+	
+	/* what if the general name contains other format but not URI ?
+	   hl
+	 */
+	if ((value->authCertSerialNumber.data && !value->authCertIssuer) ||
+	    (!value->authCertSerialNumber.data && value->authCertIssuer)){
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    break;
+	}
+    } while (0);
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (arena, mark);
+	return ((CERTAuthKeyID *)NULL);	    
+    } 
+    PORT_ArenaUnmark(arena, mark);
+    return (value);
+}
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
new file mode 100644
index 000000000..a6c08b371
--- /dev/null
+++ b/security/nss/lib/certdb/xbsconst.c
@@ -0,0 +1,177 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * X.509 v3 Basic Constraints Extension 
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secerr.h"
+
+typedef struct EncodedContext{
+    SECItem isCA;
+    SECItem pathLenConstraint;
+    SECItem encodedValue;
+    PRArenaPool *arena;
+}EncodedContext;
+
+static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(EncodedContext) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(EncodedContext,isCA)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+	  offsetof(EncodedContext,pathLenConstraint) },
+    { 0, }
+};
+
+static unsigned char hexTrue = 0xff;
+static unsigned char hexFalse = 0x00;
+
+#define GEN_BREAK(status) rv = status; break;
+
+SECStatus CERT_EncodeBasicConstraintValue
+   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext encodeContext;
+    PRArenaPool *our_pool = NULL;   
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+	if (!value->isCA && value->pathLenConstraint >= 0) {
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    GEN_BREAK (SECFailure);
+	}
+
+        encodeContext.arena = arena;
+	if (value->isCA == PR_TRUE) {
+	    encodeContext.isCA.data =  &hexTrue ;
+	    encodeContext.isCA.len = 1;
+	}
+
+	/* If the pathLenConstraint is less than 0, then it should be
+	 * omitted from the encoding.
+	 */
+	if (value->isCA && value->pathLenConstraint >= 0) {
+	    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	    if (our_pool == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	    if (SEC_ASN1EncodeUnsignedInteger
+		(our_pool, &encodeContext.pathLenConstraint,
+		 (unsigned long)value->pathLenConstraint) == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	}
+	if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+				CERTBasicConstraintsTemplate) == NULL) {
+	    GEN_BREAK (SECFailure);
+	}
+    } while (0);
+    if (our_pool)
+	PORT_FreeArena (our_pool, PR_FALSE);
+    return(rv);
+
+}
+
+SECStatus CERT_DecodeBasicConstraintValue
+   (CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext decodeContext;
+    PRArenaPool *our_pool;
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
+	/* initialize the value just in case we got "0x30 00", or when the
+	   pathLenConstraint is omitted.
+         */
+	decodeContext.isCA.data =&hexFalse;
+	decodeContext.isCA.len = 1;
+	
+	our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (our_pool == NULL) {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	    GEN_BREAK (SECFailure);
+	}
+
+        rv = SEC_QuickDERDecodeItem
+	     (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
+	if (rv == SECFailure)
+	    break;
+	
+	value->isCA = decodeContext.isCA.data 
+	              ? (PRBool)(decodeContext.isCA.data[0] != 0)
+		      : PR_FALSE;
+	if (decodeContext.pathLenConstraint.data == NULL) {
+	    /* if the pathLenConstraint is not encoded, and the current setting
+	      is CA, then the pathLenConstraint should be set to a negative number
+	      for unlimited certificate path.
+	     */
+	    if (value->isCA)
+		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+	} else if (value->isCA) {
+	    long len = DER_GetInteger (&decodeContext.pathLenConstraint);
+	    if (len < 0 || len == LONG_MAX) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		GEN_BREAK (SECFailure);
+	    }
+	    value->pathLenConstraint = len;
+	} else {
+	    /* here we get an error where the subject is not a CA, but
+	       the pathLenConstraint is set */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    GEN_BREAK (SECFailure);
+	    break;
+	}
+	 
+    } while (0);
+    PORT_FreeArena (our_pool, PR_FALSE);
+    return (rv);
+
+}
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
new file mode 100644
index 000000000..226b04e69
--- /dev/null
+++ b/security/nss/lib/certdb/xconst.c
@@ -0,0 +1,319 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * X.509 Extension Encoding  
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "secder.h"
+#include "prprf.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+
+static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {
+    { SEC_ASN1_OCTET_STRING }
+};
+
+
+static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
+    { SEC_ASN1_IA5_STRING }
+};
+
+SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
+
+static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTPrivKeyUsagePeriod) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | SEC_ASN1_XTRN | 0,
+	  offsetof(CERTPrivKeyUsagePeriod, notBefore), 
+	  SEC_ASN1_SUB(SEC_GeneralizedTimeTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | SEC_ASN1_XTRN | 1,
+	  offsetof(CERTPrivKeyUsagePeriod, notAfter), 
+	  SEC_ASN1_SUB(SEC_GeneralizedTimeTemplate)},
+    { 0, } 
+};
+
+
+const SEC_ASN1Template CERTAltNameTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED, offsetof(CERTAltNameEncodedContext, encodedGenName), 
+      CERT_GeneralNamesTemplate}
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessItemTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTAuthInfoAccess) },
+    { SEC_ASN1_OBJECT_ID,
+      offsetof(CERTAuthInfoAccess, method) },
+    { SEC_ASN1_ANY,
+      offsetof(CERTAuthInfoAccess, derLocation) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CERTAuthInfoAccessItemTemplate }
+};
+
+
+SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
+                        SECItem *encodedValue)
+{
+    SECStatus rv = SECSuccess;
+
+    if (!srcString) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, srcString,
+			    CERTSubjectKeyIDTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+
+SECStatus
+CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, 
+                                CERTPrivKeyUsagePeriod *pkup, 
+				SECItem *encodedValue)
+{
+    SECStatus rv = SECSuccess;
+
+    if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
+			    CERTPrivateKeyUsagePeriodTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+CERTPrivKeyUsagePeriod *
+CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue)
+{
+    SECStatus rv;
+    CERTPrivKeyUsagePeriod *pPeriod;
+    SECItem newExtnValue;
+
+    /* allocate the certificate policies structure */
+    pPeriod = PORT_ArenaZNew(arena, CERTPrivKeyUsagePeriod);
+    if ( pPeriod == NULL ) {
+	goto loser;
+    }
+    
+    pPeriod->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, pPeriod, 
+                                CERTPrivateKeyUsagePeriodTemplate,
+			        &newExtnValue);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    return pPeriod;
+    
+loser:
+    return NULL;
+}
+
+
+SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue)
+{
+    SECItem encodeContext;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+    
+    if (value != NULL) {
+	encodeContext.data = (unsigned char *)value;
+	encodeContext.len = strlen(value);
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+			    CERTIA5TypeTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue)
+{
+    SECItem                **encodedGenName;
+    SECStatus              rv = SECSuccess;
+
+    encodedGenName = cert_EncodeGeneralNames(arena, value);
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
+			    CERT_GeneralNamesTemplate) == NULL) {
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+
+CERTGeneralName *
+CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName)
+{
+    SECStatus                  rv = SECSuccess;
+    CERTAltNameEncodedContext  encodedContext;
+    SECItem*                   newEncodedAltName;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    newEncodedAltName = SECITEM_ArenaDupItem(reqArena, EncodedAltName);
+    if (!newEncodedAltName) {
+        return NULL;
+    }
+
+    encodedContext.encodedGenName = NULL;
+    PORT_Memset(&encodedContext, 0, sizeof(CERTAltNameEncodedContext));
+    rv = SEC_QuickDERDecodeItem (reqArena, &encodedContext,
+                                 CERT_GeneralNamesTemplate, newEncodedAltName);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+    if (encodedContext.encodedGenName && encodedContext.encodedGenName[0])
+	return cert_DecodeGeneralNames(reqArena,
+                                       encodedContext.encodedGenName);
+    /* Extension contained an empty GeneralNames sequence */
+    /* Treat as extension not found */
+    PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+loser:
+    return NULL;
+}
+
+
+SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool          *arena, 
+				    CERTNameConstraints  *value,
+				    SECItem              *encodedValue)
+{
+    SECStatus     rv = SECSuccess;
+    
+    rv = cert_EncodeNameConstraints(value, arena, encodedValue);
+    return rv;
+}
+
+
+CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
+				    SECItem              *encodedConstraints)
+{
+    return cert_DecodeNameConstraints(arena, encodedConstraints);
+}
+
+
+CERTAuthInfoAccess **
+CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena,
+				   SECItem     *encodedExtension)
+{
+    CERTAuthInfoAccess **info = NULL;
+    SECStatus rv;
+    int i;
+    SECItem* newEncodedExtension;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    newEncodedExtension = SECITEM_ArenaDupItem(reqArena, encodedExtension);
+    if (!newEncodedExtension) {
+        return NULL;
+    }
+
+    rv = SEC_QuickDERDecodeItem(reqArena, &info, CERTAuthInfoAccessTemplate, 
+			    newEncodedExtension);
+    if (rv != SECSuccess || info == NULL) {
+	return NULL;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	info[i]->location = CERT_DecodeGeneralName(reqArena,
+						   &(info[i]->derLocation),
+						   NULL);
+    }
+    return info;
+}
+
+SECStatus
+CERT_EncodeInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest)
+{
+    SECItem *dummy;
+    int i;
+
+    PORT_Assert(info != NULL);
+    PORT_Assert(dest != NULL);
+    if (info == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	if (CERT_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
+				   arena) == NULL)
+	    /* Note that this may leave some of the locations filled in. */
+	    return SECFailure;
+    }
+    dummy = SEC_ASN1EncodeItem(arena, dest, &info,
+			       CERTAuthInfoAccessTemplate);
+    if (dummy == NULL) {
+	return SECFailure;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
new file mode 100644
index 000000000..59cc0d764
--- /dev/null
+++ b/security/nss/lib/certdb/xconst.h
@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _XCONST_H_
+#define _XCONST_H_
+
+#include "certt.h"
+
+typedef struct CERTAltNameEncodedContextStr {
+    SECItem **encodedGenName;
+} CERTAltNameEncodedContext;
+
+
+
+SEC_BEGIN_PROTOS
+
+extern SECStatus
+CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, 
+                                CERTPrivKeyUsagePeriod *pkup,
+				SECItem *encodedValue);
+
+extern SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, 
+                                    CERTNameConstraints  *value,
+			            SECItem *encodedValue);
+
+extern SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, 
+                            SECItem *encodedValue);
+
+SECStatus
+cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest);
+SEC_END_PROTOS
+#endif
diff --git a/security/nss/lib/certhigh/Makefile b/security/nss/lib/certhigh/Makefile
new file mode 100644
index 000000000..7e0b30282
--- /dev/null
+++ b/security/nss/lib/certhigh/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
new file mode 100644
index 000000000..6f4963f7e
--- /dev/null
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -0,0 +1,1130 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "nspr.h"
+#include "secerr.h"
+#include "secasn1.h"
+#include "seccomon.h"
+#include "pk11func.h"
+#include "certdb.h"
+#include "certt.h"
+#include "cert.h"
+#include "certxutl.h"
+
+#include "nsspki.h"
+#include "pki.h"
+#include "pkit.h"
+#include "pkitm.h"
+#include "pki3hack.h"
+
+
+PRBool
+CERT_MatchNickname(char *name1, char *name2) {
+    char *nickname1= NULL;
+    char *nickname2 = NULL;
+    char *token1;
+    char *token2;
+    char *token = NULL;
+    int len;
+
+    /* first deal with the straight comparison */
+    if (PORT_Strcmp(name1, name2) == 0) {
+	return PR_TRUE;
+    }
+    /* we need to handle the case where one name has an explicit token and the other
+     * doesn't */
+    token1 = PORT_Strchr(name1,':');
+    token2 = PORT_Strchr(name2,':');
+    if ((token1 && token2) || (!token1 && !token2)) {
+	/* either both token names are specified or neither are, not match */
+	return PR_FALSE;
+    }
+    if (token1) {
+	token=name1;
+	nickname1=token1;
+	nickname2=name2;
+    } else {
+	token=name2;
+	nickname1=token2;
+	nickname2=name1;
+    }
+    len = nickname1-token;
+    nickname1++;
+    if (PORT_Strcmp(nickname1,nickname2) != 0) {
+	return PR_FALSE;
+    }
+    /* compare the other token with the internal slot here */
+    return PR_TRUE;
+}
+
+/*
+ * Find all user certificates that match the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"usage" - certificate usage to match
+ *	"oneCertPerName" - if set then only return the "best" cert per
+ *			name
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertList *
+CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
+			  SECCertUsage usage,
+			  PRBool oneCertPerName,
+			  PRBool validOnly,
+			  void *proto_win)
+{
+    CERTCertNicknames *nicknames = NULL;
+    char **nnptr;
+    int nn;
+    CERTCertificate *cert = NULL;
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+    int64 time;
+    CERTCertListNode *node = NULL;
+    CERTCertListNode *freenode = NULL;
+    int n;
+    
+    time = PR_Now();
+    
+    nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
+				      proto_win);
+    
+    if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
+	goto loser;
+    }
+
+    nnptr = nicknames->nicknames;
+    nn = nicknames->numnicknames;
+
+    while ( nn > 0 ) {
+	cert = NULL;
+	/* use the pk11 call so that we pick up any certs on tokens,
+	 * which may require login
+	 */
+	if ( proto_win != NULL ) {
+	    cert = PK11_FindCertFromNickname(*nnptr,proto_win);
+	}
+
+	/* Sigh, It turns out if the cert is already in the temp db, because
+	 * it's in the perm db, then the nickname lookup doesn't work.
+	 * since we already have the cert here, though, than we can just call
+	 * CERT_CreateSubjectCertList directly. For those cases where we didn't
+	 * find the cert in pkcs #11 (because we didn't have a password arg,
+	 * or because the nickname is for a peer, server, or CA cert, then we
+	 * go look the cert up.
+	 */
+	if (cert == NULL) { 
+	    cert = CERT_FindCertByNickname(handle,*nnptr);
+	}
+
+	if ( cert != NULL ) {
+	   /* collect certs for this nickname, sorting them into the list */
+	    certList = CERT_CreateSubjectCertList(certList, handle, 
+				&cert->derSubject, time, validOnly);
+
+	    CERT_FilterCertListForUserCerts(certList);
+	
+	    /* drop the extra reference */
+	    CERT_DestroyCertificate(cert);
+	}
+	
+	nnptr++;
+	nn--;
+    }
+
+    /* remove certs with incorrect usage */
+    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* remove any extra certs for each name */
+    if ( oneCertPerName ) {
+	PRBool *flags;
+
+	nn = nicknames->numnicknames;
+	nnptr = nicknames->nicknames;
+	
+	flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
+	if ( flags == NULL ) {
+	    goto loser;
+	}
+	
+	node = CERT_LIST_HEAD(certList);
+	
+	/* treverse all certs in the list */
+	while ( !CERT_LIST_END(node, certList) ) {
+
+	    /* find matching nickname index */
+	    for ( n = 0; n < nn; n++ ) {
+		if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) {
+		    /* We found a match.  If this is the first one, then
+		     * set the flag and move on to the next cert.  If this
+		     * is not the first one then delete it from the list.
+		     */
+		    if ( flags[n] ) {
+			/* We have already seen a cert with this nickname,
+			 * so delete this one.
+			 */
+			freenode = node;
+			node = CERT_LIST_NEXT(node);
+			CERT_RemoveCertListNode(freenode);
+		    } else {
+			/* keep the first cert for each nickname, but set the
+			 * flag so we know to delete any others with the same
+			 * nickname.
+			 */
+			flags[n] = PR_TRUE;
+			node = CERT_LIST_NEXT(node);
+		    }
+		    break;
+		}
+	    }
+	    if ( n == nn ) {
+		/* if we get here it means that we didn't find a matching
+		 * nickname, which should not happen.
+		 */
+		PORT_Assert(0);
+		node = CERT_LIST_NEXT(node);
+	    }
+	}
+	PORT_Free(flags);
+    }
+
+    goto done;
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+
+done:
+    if ( nicknames != NULL ) {
+	CERT_FreeNicknames(nicknames);
+    }
+
+    return(certList);
+}
+
+/*
+ * Find a user certificate that matchs the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"nickname" - nickname to match
+ *	"usage" - certificate usage to match
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertificate *
+CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
+			 const char *nickname,
+			 SECCertUsage usage,
+			 PRBool validOnly,
+			 void *proto_win)
+{
+    CERTCertificate *cert = NULL;
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+    int64 time;
+    
+    time = PR_Now();
+    
+    /* use the pk11 call so that we pick up any certs on tokens,
+     * which may require login
+     */
+    /* XXX - why is this restricted? */
+    if ( proto_win != NULL ) {
+	cert = PK11_FindCertFromNickname(nickname,proto_win);
+    }
+
+
+    /* sigh, There are still problems find smart cards from the temp
+     * db. This will get smart cards working again. The real fix
+     * is to make sure we can search the temp db by their token nickname.
+     */
+    if (cert == NULL) {
+	cert = CERT_FindCertByNickname(handle,nickname);
+    }
+
+    if ( cert != NULL ) {
+	unsigned int requiredKeyUsage;
+	unsigned int requiredCertType;
+
+	rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE,
+					&requiredKeyUsage, &requiredCertType);
+	if ( rv != SECSuccess ) {
+	    /* drop the extra reference */
+	    CERT_DestroyCertificate(cert);
+	    cert = NULL;
+	    goto loser;
+	}
+	/* If we already found the right cert, just return it */
+	if ( (!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE)
+	      == secCertTimeValid) &&
+	     (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) &&
+	     (cert->nsCertType & requiredCertType) &&
+	      CERT_IsUserCert(cert) ) {
+	    return(cert);
+	}
+
+ 	/* collect certs for this nickname, sorting them into the list */
+	certList = CERT_CreateSubjectCertList(certList, handle, 
+					&cert->derSubject, time, validOnly);
+
+	CERT_FilterCertListForUserCerts(certList);
+
+	/* drop the extra reference */
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+	
+    if ( certList == NULL ) {
+	goto loser;
+    }
+    
+    /* remove certs with incorrect usage */
+    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
+	cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
+    }
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+    }
+
+    return(cert);
+}
+
+CERTCertList *
+CERT_MatchUserCert(CERTCertDBHandle *handle,
+		   SECCertUsage usage,
+		   int nCANames, char **caNames,
+		   void *proto_win)
+{
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+
+    certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE,
+					 proto_win);
+    if ( certList == NULL ) {
+	goto loser;
+    }
+    
+    rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    goto done;
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+
+done:
+
+    return(certList);
+}
+
+
+typedef struct stringNode {
+    struct stringNode *next;
+    char *string;
+} stringNode;
+    
+static PRStatus
+CollectNicknames( NSSCertificate *c, void *data)
+{
+    CERTCertNicknames *names;
+    PRBool saveit = PR_FALSE;
+    stringNode *node;
+    int len;
+#ifdef notdef
+    NSSTrustDomain *td;
+    NSSTrust *trust;
+#endif
+    char *stanNickname;
+    char *nickname = NULL;
+    
+    names = (CERTCertNicknames *)data;
+
+    stanNickname = nssCertificate_GetNickname(c,NULL);
+    
+    if ( stanNickname ) {
+	if (names->what == SEC_CERT_NICKNAMES_USER) {
+	    saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
+	}
+#ifdef notdef
+	  else {
+	    td = NSSCertificate_GetTrustDomain(c);
+	    if (!td) {
+		return PR_SUCCESS;
+	    }
+	    trust = nssTrustDomain_FindTrustForCertificate(td,c);
+	
+	    switch(names->what) {
+	     case SEC_CERT_NICKNAMES_ALL:
+		if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+		 (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+		 (trust->objectSigningFlags & 
+					(CERTDB_VALID_CA|CERTDB_VALID_PEER))) {
+		    saveit = PR_TRUE;
+		}
+	    
+		break;
+	     case SEC_CERT_NICKNAMES_SERVER:
+		if ( trust->sslFlags & CERTDB_VALID_PEER ) {
+		    saveit = PR_TRUE;
+		}
+	    
+		break;
+	     case SEC_CERT_NICKNAMES_CA:
+		if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)||
+		 ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) ||
+		 ((trust->objectSigningFlags & CERTDB_VALID_CA ) 
+							== CERTDB_VALID_CA)) {
+		    saveit = PR_TRUE;
+		}
+		break;
+	    }
+	}
+#endif
+    }
+
+    /* traverse the list of collected nicknames and make sure we don't make
+     * a duplicate
+     */
+    if ( saveit ) {
+	nickname = STAN_GetCERTCertificateName(NULL, c);
+	/* nickname can only be NULL here if we are having memory 
+	 * alloc problems */
+	if (nickname == NULL) {
+	    return PR_FAILURE;
+	}
+	node = (stringNode *)names->head;
+	while ( node != NULL ) {
+	    if ( PORT_Strcmp(nickname, node->string) == 0 ) { 
+		/* if the string matches, then don't save this one */
+		saveit = PR_FALSE;
+		break;
+	    }
+	    node = node->next;
+	}
+    }
+
+    if ( saveit ) {
+	
+	/* allocate the node */
+	node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
+	if ( node == NULL ) {
+	    PORT_Free(nickname);
+	    return PR_FAILURE;
+	}
+
+	/* copy the string */
+	len = PORT_Strlen(nickname) + 1;
+	node->string = (char*)PORT_ArenaAlloc(names->arena, len);
+	if ( node->string == NULL ) {
+	    PORT_Free(nickname);
+	    return PR_FAILURE;
+	}
+	PORT_Memcpy(node->string, nickname, len);
+
+	/* link it into the list */
+	node->next = (stringNode *)names->head;
+	names->head = (void *)node;
+
+	/* bump the count */
+	names->numnicknames++;
+    }
+    
+    if (nickname) PORT_Free(nickname);
+    return(PR_SUCCESS);
+}
+
+CERTCertNicknames *
+CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
+{
+    PRArenaPool *arena;
+    CERTCertNicknames *names;
+    int i;
+    stringNode *node;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(NULL);
+    }
+    
+    names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    names->arena = arena;
+    names->head = NULL;
+    names->numnicknames = 0;
+    names->nicknames = NULL;
+    names->what = what;
+    names->totallen = 0;
+
+    /* make sure we are logged in */
+    (void) pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx);
+   
+    NSSTrustDomain_TraverseCertificates(handle,
+					    CollectNicknames, (void *)names);
+    if ( names->numnicknames ) {
+	names->nicknames = (char**)PORT_ArenaAlloc(arena,
+					 names->numnicknames * sizeof(char *));
+
+	if ( names->nicknames == NULL ) {
+	    goto loser;
+	}
+    
+	node = (stringNode *)names->head;
+	
+	for ( i = 0; i < names->numnicknames; i++ ) {
+	    PORT_Assert(node != NULL);
+	    
+	    names->nicknames[i] = node->string;
+	    names->totallen += PORT_Strlen(node->string);
+	    node = node->next;
+	}
+
+	PORT_Assert(node == NULL);
+    }
+
+    return(names);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+void
+CERT_FreeNicknames(CERTCertNicknames *nicknames)
+{
+    PORT_FreeArena(nicknames->arena, PR_FALSE);
+    
+    return;
+}
+
+/* [ FROM pcertdb.c ] */
+
+typedef struct dnameNode {
+    struct dnameNode *next;
+    SECItem name;
+} dnameNode;
+
+void
+CERT_FreeDistNames(CERTDistNames *names)
+{
+    PORT_FreeArena(names->arena, PR_FALSE);
+    
+    return;
+}
+
+static SECStatus
+CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
+{
+    CERTDistNames *names;
+    PRBool saveit = PR_FALSE;
+    CERTCertTrust *trust;
+    dnameNode *node;
+    int len;
+    
+    names = (CERTDistNames *)data;
+    
+    if ( cert->trust ) {
+	trust = cert->trust;
+	
+	/* only collect names of CAs trusted for issuing SSL clients */
+	if (  trust->sslFlags &  CERTDB_TRUSTED_CLIENT_CA )  {
+	    saveit = PR_TRUE;
+	}
+    }
+
+    if ( saveit ) {
+	/* allocate the node */
+	node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
+	if ( node == NULL ) {
+	    return(SECFailure);
+	}
+
+	/* copy the name */
+	node->name.len = len = cert->derSubject.len;
+	node->name.type = siBuffer;
+	node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len);
+	if ( node->name.data == NULL ) {
+	    return(SECFailure);
+	}
+	PORT_Memcpy(node->name.data, cert->derSubject.data, len);
+
+	/* link it into the list */
+	node->next = (dnameNode *)names->head;
+	names->head = (void *)node;
+
+	/* bump the count */
+	names->nnames++;
+    }
+    
+    return(SECSuccess);
+}
+
+/*
+ * Return all of the CAs that are "trusted" for SSL.
+ */
+CERTDistNames *
+CERT_GetSSLCACerts(CERTCertDBHandle *handle)
+{
+    PRArenaPool *arena;
+    CERTDistNames *names;
+    int i;
+    SECStatus rv;
+    dnameNode *node;
+    
+    /* allocate an arena to use */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(NULL);
+    }
+    
+    /* allocate the header structure */
+    names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    /* initialize the header struct */
+    names->arena = arena;
+    names->head = NULL;
+    names->nnames = 0;
+    names->names = NULL;
+    
+    /* collect the names from the database */
+    rv = PK11_TraverseSlotCerts(CollectDistNames, (void *)names, NULL);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* construct the array from the list */
+    if ( names->nnames ) {
+	names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
+
+	if ( names->names == NULL ) {
+	    goto loser;
+	}
+    
+	node = (dnameNode *)names->head;
+	
+	for ( i = 0; i < names->nnames; i++ ) {
+	    PORT_Assert(node != NULL);
+	    
+	    names->names[i] = node->name;
+	    node = node->next;
+	}
+
+	PORT_Assert(node == NULL);
+    }
+
+    return(names);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+CERTDistNames *
+CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
+			   int nnames)
+{
+    CERTDistNames *dnames = NULL;
+    PRArenaPool *arena;
+    int i, rv;
+    SECItem *names = NULL;
+    CERTCertificate *cert = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto loser;
+    dnames = PORT_ArenaZNew(arena, CERTDistNames);
+    if (dnames == NULL) goto loser;
+
+    dnames->arena = arena;
+    dnames->nnames = nnames;
+    dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames);
+    if (names == NULL) goto loser;
+    
+    for (i = 0; i < nnames; i++) {
+	cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
+	if (cert == NULL) goto loser;
+	rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
+	if (rv == SECFailure) goto loser;
+	CERT_DestroyCertificate(cert);
+    }
+    return dnames;
+    
+loser:
+    if (cert != NULL)
+	CERT_DestroyCertificate(cert);
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/* [ from pcertdb.c - calls Ascii to Name ] */
+/*
+ * Lookup a certificate in the database by name
+ */
+CERTCertificate *
+CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
+{
+    CERTName *name;
+    SECItem *nameItem;
+    CERTCertificate *cert = NULL;
+    PRArenaPool *arena = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    name = CERT_AsciiToName(nameStr);
+    
+    if ( name ) {
+	nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
+				       CERT_NameTemplate);
+	if ( nameItem != NULL ) {
+            cert = CERT_FindCertByName(handle, nameItem);
+	}
+	CERT_DestroyName(name);
+    }
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(cert);
+}
+
+/* From certv3.c */
+
+CERTCrlDistributionPoints *
+CERT_FindCRLDistributionPoints (CERTCertificate *cert)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+    CERTCrlDistributionPoints *dps;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    dps = CERT_DecodeCRLDistributionPoints(cert->arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+
+    return dps;
+}
+
+/* From crl.c */
+CERTSignedCrl * CERT_ImportCRL
+   (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
+{
+    CERTSignedCrl* retCrl = NULL;
+    PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+    retCrl = PK11_ImportCRL(slot, derCRL, url, type, wincx,
+        CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
+    PK11_FreeSlot(slot);
+
+    return retCrl;
+}
+
+/* From certdb.c */
+static SECStatus
+cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool trusted)
+{
+    SECStatus rv;
+    SECItem *derCert;
+    CERTCertificate *cert = NULL;
+    CERTCertificate *newcert = NULL;
+    CERTCertDBHandle *handle;
+    CERTCertTrust trust;
+    PRBool isca;
+    char *nickname;
+    unsigned int certtype;
+    
+    handle = CERT_GetDefaultCertDB();
+    
+    while (numcerts--) {
+	derCert = certs;
+	certs++;
+
+	/* decode my certificate */
+	/* This use is ok -- only looks at decoded parts, calls NewTemp later */
+	newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+	if ( newcert == NULL ) {
+	    goto loser;
+	}
+
+	if (!trusted) {
+	    /* make sure that cert is valid */
+	    rv = CERT_CertTimesValid(newcert);
+	    if ( rv == SECFailure ) {
+		goto endloop;
+	    }
+	}
+
+	/* does it have the CA extension */
+	
+	/*
+	 * Make sure that if this is an intermediate CA in the chain that
+	 * it was given permission by its signer to be a CA.
+	 */
+	isca = CERT_IsCACert(newcert, &certtype);
+
+	if ( !isca ) {
+	    if (!trusted) {
+		goto endloop;
+	    }
+	    trust.sslFlags = CERTDB_VALID_CA;
+	    trust.emailFlags = CERTDB_VALID_CA;
+	    trust.objectSigningFlags = CERTDB_VALID_CA;
+	} else {
+	    /* SSL ca's must have the ssl bit set */
+	    if ( ( certUsage == certUsageSSLCA ) &&
+		(( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) {
+		goto endloop;
+	    }
+
+	    /* it passed all of the tests, so lets add it to the database */
+	    /* mark it as a CA */
+	    PORT_Memset((void *)&trust, 0, sizeof(trust));
+	    switch ( certUsage ) {
+	      case certUsageSSLCA:
+		trust.sslFlags = CERTDB_VALID_CA;
+		break;
+	      case certUsageUserCertImport:
+		if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
+		    trust.sslFlags = CERTDB_VALID_CA;
+		}
+		if ((certtype & NS_CERT_TYPE_EMAIL_CA) 
+						== NS_CERT_TYPE_EMAIL_CA ) {
+		    trust.emailFlags = CERTDB_VALID_CA;
+		}
+		if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) ==
+					NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
+		     trust.objectSigningFlags = CERTDB_VALID_CA;
+		}
+		break;
+	      default:
+		PORT_Assert(0);
+		break;
+	    }
+	}
+	
+	cert = CERT_NewTempCertificate(handle, derCert, NULL, 
+							PR_FALSE, PR_FALSE);
+	if ( cert == NULL ) {
+	    goto loser;
+	}
+	
+	/* if the cert is temp, make it perm; otherwise we're done */
+	if (cert->istemp) {
+	    /* get a default nickname for it */
+	    nickname = CERT_MakeCANickname(cert);
+
+	    rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
+
+	    /* free the nickname */
+	    if ( nickname ) {
+		PORT_Free(nickname);
+	    }
+	} else {
+	    rv = SECSuccess;
+	}
+
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+	
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+
+endloop:
+	if ( newcert ) {
+	    CERT_DestroyCertificate(newcert);
+	    newcert = NULL;
+	}
+	
+    }
+
+    rv = SECSuccess;
+    goto done;
+loser:
+    rv = SECFailure;
+done:
+    
+    if ( newcert ) {
+	CERT_DestroyCertificate(newcert);
+	newcert = NULL;
+    }
+    
+    if ( cert ) {
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+    
+    return(rv);
+}
+
+SECStatus
+CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage)
+{
+    return cert_ImportCAChain(certs, numcerts, certUsage, PR_FALSE);
+}
+
+SECStatus
+CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) {
+    return cert_ImportCAChain(certs, numcerts, certUsage, PR_TRUE);
+}
+
+/* Moved from certdb.c */
+/*
+** CERT_CertChainFromCert
+**
+** Construct a CERTCertificateList consisting of the given certificate and all
+** of the issuer certs until we either get to a self-signed cert or can't find
+** an issuer.  Since we don't know how many certs are in the chain we have to
+** build a linked list first as we count them.
+*/
+
+typedef struct certNode {
+    struct certNode *next;
+    CERTCertificate *cert;
+} certNode;
+
+CERTCertificateList *
+CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
+		       PRBool includeRoot)
+{
+    CERTCertificateList *chain = NULL;
+    NSSCertificate **stanChain;
+    NSSCertificate *stanCert;
+    PRArenaPool *arena;
+    NSSUsage nssUsage;
+    int i, len;
+    NSSTrustDomain *td   = STAN_GetDefaultTrustDomain();
+    NSSCryptoContext *cc = STAN_GetDefaultCryptoContext();
+
+    stanCert = STAN_GetNSSCertificate(cert);
+    if (!stanCert) {
+        /* error code is set */
+        return NULL;
+    }
+    nssUsage.anyUsage = PR_FALSE;
+    nssUsage.nss3usage = usage;
+    nssUsage.nss3lookingForCA = PR_FALSE;
+    stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL, NULL,
+					  CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc);
+    if (!stanChain) {
+	PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+	return NULL;
+    }
+
+    len = 0;
+    stanCert = stanChain[0];
+    while (stanCert) {
+	stanCert = stanChain[++len];
+    }
+
+    arena = PORT_NewArena(4096);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, 
+                                                 sizeof(CERTCertificateList));
+    if (!chain) goto loser;
+    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (!chain->certs) goto loser;
+    i = 0;
+    stanCert = stanChain[i];
+    while (stanCert) {
+	SECItem derCert;
+	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+	if (!cCert) {
+	    goto loser;
+	}
+	derCert.len = (unsigned int)stanCert->encoding.size;
+	derCert.data = (unsigned char *)stanCert->encoding.data;
+	derCert.type = siBuffer;
+	SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
+	stanCert = stanChain[++i];
+	if (!stanCert && !cCert->isRoot) {
+	    /* reached the end of the chain, but the final cert is
+	     * not a root.  Don't discard it.
+	     */
+	    includeRoot = PR_TRUE;
+	}
+	CERT_DestroyCertificate(cCert);
+    }
+    if ( !includeRoot && len > 1) {
+	chain->len = len - 1;
+    } else {
+	chain->len = len;
+    }
+    
+    chain->arena = arena;
+    nss_ZFreeIf(stanChain);
+    return chain;
+loser:
+    i = 0;
+    stanCert = stanChain[i];
+    while (stanCert) {
+	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+	if (cCert) {
+	    CERT_DestroyCertificate(cCert);
+	}
+	stanCert = stanChain[++i];
+    }
+    nss_ZFreeIf(stanChain);
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+/* Builds a CERTCertificateList holding just one DER-encoded cert, namely
+** the one for the cert passed as an argument.
+*/
+CERTCertificateList *
+CERT_CertListFromCert(CERTCertificate *cert)
+{
+    CERTCertificateList *chain = NULL;
+    int rv;
+    PRArenaPool *arena;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto no_memory;
+
+    /* build the CERTCertificateList */
+    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
+    if (chain == NULL) goto no_memory;
+    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
+    if (chain->certs == NULL) goto no_memory;
+    rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert));
+    if (rv < 0) goto loser;
+    chain->len = 1;
+    chain->arena = arena;
+
+    return chain;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList)
+{
+    CERTCertificateList *newList = NULL;
+    PRArenaPool         *arena   = NULL;
+    SECItem             *newItem;
+    SECItem             *oldItem;
+    int                 len      = oldList->len;
+    int                 rv;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) 
+	goto no_memory;
+
+    /* now build the CERTCertificateList */
+    newList = PORT_ArenaNew(arena, CERTCertificateList);
+    if (newList == NULL) 
+	goto no_memory;
+    newList->arena = arena;
+    newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (newItem == NULL) 
+	goto no_memory;
+    newList->certs = newItem;
+    newList->len   = len;
+
+    for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) {
+	rv = SECITEM_CopyItem(arena, newItem, oldItem);
+	if (rv < 0) 
+	    goto loser;
+    }
+    return newList;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+void
+CERT_DestroyCertificateList(CERTCertificateList *list)
+{
+    PORT_FreeArena(list->arena, PR_FALSE);
+}
+
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
new file mode 100644
index 000000000..bfc800e63
--- /dev/null
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -0,0 +1,312 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * certhtml.c --- convert a cert to html
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "sechash.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "pk11func.h"
+
+static char *hex = "0123456789ABCDEF";
+
+/*
+** Convert a der-encoded integer to a hex printable string form
+*/
+char *CERT_Hexify (SECItem *i, int do_colon)
+{
+    unsigned char *cp, *end;
+    char *rv, *o;
+
+    if (!i->len) {
+	return PORT_Strdup("00");
+    }
+
+    rv = o = (char*) PORT_Alloc(i->len * 3);
+    if (!rv) return rv;
+
+    cp = i->data;
+    end = cp + i->len;
+    while (cp < end) {
+	unsigned char ch = *cp++;
+	*o++ = hex[(ch >> 4) & 0xf];
+	*o++ = hex[ch & 0xf];
+	if (cp != end) {
+	    if (do_colon) {
+		*o++ = ':';
+	    }
+	} 
+    }
+    *o = 0;           /* Null terminate the string */
+    return rv;
+}
+
+#define BREAK "<br>"
+#define BREAKLEN 4
+#define COMMA ", "
+#define COMMALEN 2
+
+#define MAX_OUS 20
+#define MAX_DC MAX_OUS
+
+
+char *CERT_FormatName (CERTName *name)
+{
+    CERTRDN** rdns;
+    CERTRDN * rdn;
+    CERTAVA** avas;
+    CERTAVA*  ava;
+    char *    buf	= 0;
+    char *    tmpbuf	= 0;
+    SECItem * cn	= 0;
+    SECItem * email	= 0;
+    SECItem * org	= 0;
+    SECItem * loc	= 0;
+    SECItem * state	= 0;
+    SECItem * country	= 0;
+    SECItem * dq     	= 0;
+
+    unsigned  len 	= 0;
+    int       tag;
+    int       i;
+    int       ou_count = 0;
+    int       dc_count = 0;
+    PRBool    first;
+    SECItem * orgunit[MAX_OUS];
+    SECItem * dc[MAX_DC];
+
+    /* Loop over name components and gather the interesting ones */
+    rdns = name->rdns;
+    while ((rdn = *rdns++) != 0) {
+	avas = rdn->avas;
+	while ((ava = *avas++) != 0) {
+	    tag = CERT_GetAVATag(ava);
+	    switch(tag) {
+	      case SEC_OID_AVA_COMMON_NAME:
+		cn = CERT_DecodeAVAValue(&ava->value);
+		if (!cn) {
+ 			goto loser;
+		}
+		len += cn->len;
+		break;
+	      case SEC_OID_AVA_COUNTRY_NAME:
+		country = CERT_DecodeAVAValue(&ava->value);
+		if (!country) {
+ 			goto loser;
+		}
+		len += country->len;
+		break;
+	      case SEC_OID_AVA_LOCALITY:
+		loc = CERT_DecodeAVAValue(&ava->value);
+		if (!loc) {
+ 			goto loser;
+		}
+		len += loc->len;
+		break;
+	      case SEC_OID_AVA_STATE_OR_PROVINCE:
+		state = CERT_DecodeAVAValue(&ava->value);
+		if (!state) {
+ 			goto loser;
+		}
+		len += state->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATION_NAME:
+		org = CERT_DecodeAVAValue(&ava->value);
+		if (!org) {
+ 			goto loser;
+		}
+		len += org->len;
+		break;
+	      case SEC_OID_AVA_DN_QUALIFIER:
+		dq = CERT_DecodeAVAValue(&ava->value);
+		if (!dq) {
+ 			goto loser;
+		}
+		len += dq->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+		if (ou_count < MAX_OUS) {
+			orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
+			if (!orgunit[ou_count]) {
+				goto loser;
+                        }
+			len += orgunit[ou_count++]->len;
+		}
+		break;
+	      case SEC_OID_AVA_DC:
+		if (dc_count < MAX_DC) {
+			dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
+			if (!dc[dc_count]) {
+				goto loser;
+			}
+			len += dc[dc_count++]->len;
+		}
+		break;
+	      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	      case SEC_OID_RFC1274_MAIL:
+		email = CERT_DecodeAVAValue(&ava->value);
+		if (!email) {
+			goto loser;
+		}
+		len += email->len;
+		break;
+	      default:
+		break;
+	    }
+	}
+    }
+
+    /* XXX - add some for formatting */
+    len += 128;
+
+    /* allocate buffer */
+    buf = (char *)PORT_Alloc(len);
+    if ( !buf ) {
+	return(0);
+    }
+
+    tmpbuf = buf;
+    
+    if ( cn ) {
+	PORT_Memcpy(tmpbuf, cn->data, cn->len);
+	tmpbuf += cn->len;
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    if ( email ) {
+	PORT_Memcpy(tmpbuf, email->data, email->len);
+	tmpbuf += ( email->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    for (i=ou_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
+	tmpbuf += ( orgunit[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    if ( dq ) {
+	PORT_Memcpy(tmpbuf, dq->data, dq->len);
+	tmpbuf += ( dq->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    if ( org ) {
+	PORT_Memcpy(tmpbuf, org->data, org->len);
+	tmpbuf += ( org->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    for (i=dc_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
+	tmpbuf += ( dc[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+    first = PR_TRUE;
+    if ( loc ) {
+	PORT_Memcpy(tmpbuf, loc->data,  loc->len);
+	tmpbuf += ( loc->len );
+	first = PR_FALSE;
+    }
+    if ( state ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, state->data, state->len);
+	tmpbuf += ( state->len );
+	first = PR_FALSE;
+    }
+    if ( country ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, country->data, country->len);
+	tmpbuf += ( country->len );
+	first = PR_FALSE;
+    }
+    if ( !first ) {
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+
+    *tmpbuf = 0;
+
+    /* fall through and clean */
+loser:
+    if ( cn ) {
+	SECITEM_FreeItem(cn, PR_TRUE);
+    }
+    if ( email ) {
+	SECITEM_FreeItem(email, PR_TRUE);
+    }
+    for (i=ou_count-1; i >= 0; i--) {
+	SECITEM_FreeItem(orgunit[i], PR_TRUE);
+    }
+    if ( dq ) {
+	SECITEM_FreeItem(dq, PR_TRUE);
+    }
+    if ( org ) {
+	SECITEM_FreeItem(org, PR_TRUE);
+    }
+    for (i=dc_count-1; i >= 0; i--) {
+	SECITEM_FreeItem(dc[i], PR_TRUE);
+    }
+    if ( loc ) {
+	SECITEM_FreeItem(loc, PR_TRUE);
+    }
+    if ( state ) {
+	SECITEM_FreeItem(state, PR_TRUE);
+    }
+    if ( country ) {
+	SECITEM_FreeItem(country, PR_TRUE);
+    }
+
+    return(buf);
+}
+
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
new file mode 100644
index 000000000..fc7a7dd15
--- /dev/null
+++ b/security/nss/lib/certhigh/certreq.c
@@ -0,0 +1,352 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cert.h"
+#include "certt.h"
+#include "secder.h"
+#include "key.h"
+#include "secitem.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+
+const SEC_ASN1Template CERT_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue),
+	SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
+};
+
+const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertificateRequest) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificateRequest,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subject),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
+	  CERT_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(CERTCertificateRequest,attributes), 
+	  CERT_SetOfAttributeTemplate },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
+
+CERTCertificate *
+CERT_CreateCertificate(unsigned long serialNumber,
+		      CERTName *issuer,
+		      CERTValidity *validity,
+		      CERTCertificateRequest *req)
+{
+    CERTCertificate *c;
+    int rv;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return(0);
+    }
+
+    c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+    
+    if (c) {
+	c->referenceCount = 1;
+	c->arena = arena;
+
+	/*
+	 * Default is a plain version 1.
+	 * If extensions are added, it will get changed as appropriate.
+	 */
+	rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
+	if (rv) goto loser;
+
+	rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->issuer, issuer);
+	if (rv) goto loser;
+
+	rv = CERT_CopyValidity(arena, &c->validity, validity);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->subject, &req->subject);
+	if (rv) goto loser;
+	rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
+					  &req->subjectPublicKeyInfo);
+	if (rv) goto loser;
+    }
+    return c;
+
+  loser:
+    CERT_DestroyCertificate(c);
+    return 0;
+}
+
+/************************************************************************/
+/* It's clear from the comments that the original author of this 
+ * function expected the template for certificate requests to treat
+ * the attributes as a SET OF ANY.  This function expected to be 
+ * passed an array of SECItems each of which contained an already encoded
+ * Attribute.  But the cert request template does not treat the 
+ * Attributes as a SET OF ANY, and AFAIK never has.  Instead the template
+ * encodes attributes as a SET OF xxxxxxx.  That is, it expects to encode
+ * each of the Attributes, not have them pre-encoded.  Consequently an 
+ * array of SECItems containing encoded Attributes is of no value to this 
+ * function.  But we cannot change the signature of this public function.
+ * It must continue to take SECItems.
+ *
+ * I have recoded this function so that each SECItem contains an 
+ * encoded cert extension.  The encoded cert extensions form the list for the
+ * single attribute of the cert request. In this implementation there is at most
+ * one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.
+ */
+
+CERTCertificateRequest *
+CERT_CreateCertificateRequest(CERTName *subject,
+			     CERTSubjectPublicKeyInfo *spki,
+			     SECItem **attributes)
+{
+    CERTCertificateRequest *certreq;
+    PRArenaPool *arena;
+    CERTAttribute * attribute;
+    SECOidData * oidData;
+    SECStatus rv;
+    int i = 0;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return NULL;
+    }
+    
+    certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);
+    if (!certreq) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+    /* below here it is safe to goto loser */
+
+    certreq->arena = arena;
+    
+    rv = DER_SetUInteger(arena, &certreq->version,
+			 SEC_CERTIFICATE_REQUEST_VERSION);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = CERT_CopyName(arena, &certreq->subject, subject);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SECKEY_CopySubjectPublicKeyInfo(arena,
+				      &certreq->subjectPublicKeyInfo,
+				      spki);
+    if (rv != SECSuccess)
+	goto loser;
+
+    certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2);
+    if(!certreq->attributes) 
+	goto loser;
+
+    /* Copy over attribute information */
+    if (!attributes || !attributes[0]) {
+	/*
+	 ** Invent empty attribute information. According to the
+	 ** pkcs#10 spec, attributes has this ASN.1 type:
+	 **
+	 ** attributes [0] IMPLICIT Attributes
+	 ** 
+	 ** Which means, we should create a NULL terminated list
+	 ** with the first entry being NULL;
+	 */
+	certreq->attributes[0] = NULL;
+	return certreq;
+    }	
+
+    /* allocate space for attributes */
+    attribute = PORT_ArenaZNew(arena, CERTAttribute);
+    if (!attribute) 
+	goto loser;
+
+    oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST );
+    PORT_Assert(oidData);
+    if (!oidData)
+	goto loser;
+    rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);
+    if (rv != SECSuccess)
+	goto loser;
+
+    for (i = 0; attributes[i] != NULL ; i++) 
+	;
+    attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1);
+    if (!attribute->attrValue) 
+	goto loser;
+
+    /* copy attributes */
+    for (i = 0; attributes[i]; i++) {
+	/*
+	** Attributes are a SetOf Attribute which implies
+	** lexigraphical ordering.  It is assumes that the
+	** attributes are passed in sorted.  If we need to
+	** add functionality to sort them, there is an
+	** example in the PKCS 7 code.
+	*/
+	attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
+	if(!attribute->attrValue[i]) 
+	    goto loser;
+    }
+
+    certreq->attributes[0] = attribute;
+
+    return certreq;
+
+loser:
+    CERT_DestroyCertificateRequest(certreq);
+    return NULL;
+}
+
+void
+CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
+{
+    if (req && req->arena) {
+	PORT_FreeArena(req->arena, PR_FALSE);
+    }
+    return;
+}
+
+static void
+setCRExt(void *o, CERTCertExtension **exts)
+{
+    ((CERTCertificateRequest *)o)->attributes = (struct CERTAttributeStr **)exts;
+}
+
+/*
+** Set up to start gathering cert extensions for a cert request.
+** The list is created as CertExtensions and converted to an
+** attribute list by CERT_FinishCRAttributes().
+ */
+extern void *cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
+                       void (*setExts)(void *object, CERTCertExtension **exts));
+void *
+CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
+{
+    return (cert_StartExtensions ((void *)req, req->arena, setCRExt));
+}
+
+/*
+** At entry req->attributes actually contains an list of cert extensions--
+** req-attributes is overloaded until the list is DER encoded (the first
+** ...EncodeItem() below).
+** We turn this into an attribute list by encapsulating it
+** in a PKCS 10 Attribute structure
+ */
+SECStatus
+CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
+{   SECItem *extlist;
+    SECOidData *oidrec;
+    CERTAttribute *attribute;
+   
+    if (!req || !req->arena) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (req->attributes == NULL || req->attributes[0] == NULL)
+        return SECSuccess;
+
+    extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,
+                            SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
+    if (extlist == NULL)
+        return(SECFailure);
+
+    oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
+    if (oidrec == NULL)
+	return SECFailure;
+
+    /* now change the list of cert extensions into a list of attributes
+     */
+    req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2);
+
+    attribute = PORT_ArenaZNew(req->arena, CERTAttribute);
+    
+    if (req->attributes == NULL || attribute == NULL ||
+        SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2);
+
+    if (attribute->attrValue == NULL)
+        return SECFailure;
+
+    attribute->attrValue[0] = extlist;
+    attribute->attrValue[1] = NULL;
+    req->attributes[0] = attribute;
+    req->attributes[1] = NULL;
+
+    return SECSuccess;
+}
+
+SECStatus
+CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
+                                        CERTCertExtension ***exts)
+{
+    if (req == NULL || exts == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    
+    if (req->attributes == NULL || *req->attributes == NULL)
+        return SECSuccess;
+    
+    if ((*req->attributes)->attrValue == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    return(SEC_ASN1DecodeItem(req->arena, exts, 
+            SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
+            (*req->attributes)->attrValue[0]));
+}
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
new file mode 100644
index 000000000..7deec426d
--- /dev/null
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -0,0 +1,1985 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "nspr.h"
+#include "secerr.h"
+#include "secport.h"
+#include "seccomon.h"
+#include "secoid.h"
+#include "sslerr.h"
+#include "genname.h"
+#include "keyhi.h"
+#include "cert.h"
+#include "certdb.h"
+#include "certi.h"
+#include "cryptohi.h"
+#include "pkix.h"
+/*#include "pkix_sample_modules.h" */
+#include "pkix_pl_cert.h"
+
+
+#include "nsspki.h"
+#include "pkitm.h"
+#include "pkim.h"
+#include "pki3hack.h"
+#include "base.h"
+
+/*
+ * Check the validity times of a certificate
+ */
+SECStatus
+CERT_CertTimesValid(CERTCertificate *c)
+{
+    SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE);
+    return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
+}
+
+/*
+ * verify the signature of a signed data object with the given DER publickey
+ */
+SECStatus
+CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd, 
+                                   SECKEYPublicKey *pubKey,
+		                   void *wincx)
+{
+    SECStatus        rv;
+    SECItem          sig;
+
+    if ( !pubKey || !sd ) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+
+    /* check the signature */
+    sig = sd->signature;
+    /* convert sig->len from bit counts to byte count. */
+    DER_ConvertBitString(&sig);
+
+    rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, 
+			&sig, &sd->signatureAlgorithm, NULL, wincx);
+
+    return rv ? SECFailure : SECSuccess;
+}
+
+/*
+ * verify the signature of a signed data object with the given DER publickey
+ */
+SECStatus
+CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, 
+                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
+		                       void *wincx)
+{
+    SECKEYPublicKey *pubKey;
+    SECStatus        rv		= SECFailure;
+
+    /* get cert's public key */
+    pubKey = SECKEY_ExtractPublicKey(pubKeyInfo);
+    if (pubKey) {
+	rv =  CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    return rv;
+}
+
+/*
+ * verify the signature of a signed data object with the given certificate
+ */
+SECStatus
+CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
+		      int64 t, void *wincx)
+{
+    SECKEYPublicKey *pubKey = 0;
+    SECStatus        rv     = SECFailure;
+    SECCertTimeValidity validity;
+
+    /* check the certificate's validity */
+    validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE);
+    if ( validity != secCertTimeValid ) {
+	return rv;
+    }
+
+    /* get cert's public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if (pubKey) {
+	rv =  CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    return rv;
+}
+
+
+/* Software FORTEZZA installation hack. The software fortezza installer does
+ * not have access to the krl and cert.db file. Accept FORTEZZA Certs without
+ * KRL's in this case. 
+ */
+static int dont_use_krl = 0;
+/* not a public exposed function... */
+void sec_SetCheckKRLState(int value) { dont_use_krl = value; }
+
+SECStatus
+SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key,
+	     CERTCertificate *rootCert, int64 t, void * wincx)
+{
+    CERTSignedCrl *crl = NULL;
+    SECStatus rv = SECFailure;
+    SECStatus rv2;
+    CERTCrlEntry **crlEntry;
+    SECCertTimeValidity validity;
+    CERTCertificate *issuerCert = NULL;
+
+    if (dont_use_krl) return SECSuccess;
+
+    /* first look up the KRL */
+    crl = SEC_FindCrlByName(handle,&rootCert->derSubject, SEC_KRL_TYPE);
+    if (crl == NULL) {
+	PORT_SetError(SEC_ERROR_NO_KRL);
+	goto done;
+    }
+
+    /* get the issuing certificate */
+    issuerCert = CERT_FindCertByName(handle, &crl->crl.derName);
+    if (issuerCert == NULL) {
+        PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+        goto done;
+    }
+
+
+    /* now verify the KRL signature */
+    rv2 = CERT_VerifySignedData(&crl->signatureWrap, issuerCert, t, wincx);
+    if (rv2 != SECSuccess) {
+	PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+    	goto done;
+    }
+
+    /* Verify the date validity of the KRL */
+    validity = SEC_CheckCrlTimes(&crl->crl, t);
+    if (validity == secCertTimeExpired) {
+	PORT_SetError(SEC_ERROR_KRL_EXPIRED);
+	goto done;
+    }
+
+    /* now make sure the key in this cert is still valid */
+    if (key->keyType != fortezzaKey) {
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+	goto done; /* This should be an assert? */
+    }
+
+    /* now make sure the key is not on the revocation list */
+    for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
+	if (PORT_Memcmp((*crlEntry)->serialNumber.data,
+				key->u.fortezza.KMID,
+				    (*crlEntry)->serialNumber.len) == 0) {
+	    PORT_SetError(SEC_ERROR_REVOKED_KEY);
+	    goto done;
+	}
+    }
+    rv = SECSuccess;
+
+done:
+    if (issuerCert) CERT_DestroyCertificate(issuerCert);
+    if (crl) SEC_DestroyCrl(crl);
+    return rv;
+}
+
+SECStatus
+SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
+	     CERTCertificate *caCert, int64 t, void * wincx)
+{
+    return CERT_CheckCRL(cert, caCert, NULL, t, wincx);
+}
+
+/*
+ * Find the issuer of a cert.  Use the authorityKeyID if it exists.
+ */
+CERTCertificate *
+CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage)
+{
+    NSSCertificate *me;
+    NSSTime *nssTime;
+    NSSTrustDomain *td;
+    NSSCryptoContext *cc;
+    NSSCertificate *chain[3];
+    NSSUsage nssUsage;
+    PRStatus status;
+
+    me = STAN_GetNSSCertificate(cert);
+    if (!me) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    nssTime = NSSTime_SetPRTime(NULL, validTime);
+    nssUsage.anyUsage = PR_FALSE;
+    nssUsage.nss3usage = usage;
+    nssUsage.nss3lookingForCA = PR_TRUE;
+    memset(chain, 0, 3*sizeof(NSSCertificate *));
+    td   = STAN_GetDefaultTrustDomain();
+    cc = STAN_GetDefaultCryptoContext();
+    (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL, 
+                                    chain, 2, NULL, &status, td, cc);
+    nss_ZFreeIf(nssTime);
+    if (status == PR_SUCCESS) {
+	PORT_Assert(me == chain[0]);
+	/* if it's a root, the chain will only have one cert */
+	if (!chain[1]) {
+	    /* already has a reference from the call to BuildChain */
+	    return cert;
+	} 
+	NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
+	return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */
+    } 
+    if (chain[0]) {
+	PORT_Assert(me == chain[0]);
+	NSSCertificate_Destroy(chain[0]); /* the first cert in the chain */
+    }
+    PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+    return NULL;
+}
+
+/*
+ * return required trust flags for various cert usages for CAs
+ */
+SECStatus
+CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
+			      unsigned int *retFlags,
+			      SECTrustType *retTrustType)
+{
+    unsigned int requiredFlags;
+    SECTrustType trustType;
+
+    switch ( usage ) {
+      case certUsageSSLClient:
+	requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageSSLServer:
+      case certUsageSSLCA:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageSSLServerWithStepUp:
+	requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustEmail;
+	break;
+      case certUsageObjectSigner:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustObjectSigning;
+	break;
+      case certUsageVerifyCA:
+      case certUsageAnyCA:
+      case certUsageStatusResponder:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustTypeNone;
+	break;
+      default:
+	PORT_Assert(0);
+	goto loser;
+    }
+    if ( retFlags != NULL ) {
+	*retFlags = requiredFlags;
+    }
+    if ( retTrustType != NULL ) {
+	*retTrustType = trustType;
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+void
+cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
+	       unsigned int depth, void *arg)
+{
+    CERTVerifyLogNode *node, *tnode;
+
+    PORT_Assert(log != NULL);
+    
+    node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
+						sizeof(CERTVerifyLogNode));
+    if ( node != NULL ) {
+	node->cert = CERT_DupCertificate(cert);
+	node->error = error;
+	node->depth = depth;
+	node->arg = arg;
+	
+	if ( log->tail == NULL ) {
+	    /* empty list */
+	    log->head = log->tail = node;
+	    node->prev = NULL;
+	    node->next = NULL;
+	} else if ( depth >= log->tail->depth ) {
+	    /* add to tail */
+	    node->prev = log->tail;
+	    log->tail->next = node;
+	    log->tail = node;
+	    node->next = NULL;
+	} else if ( depth < log->head->depth ) {
+	    /* add at head */
+	    node->prev = NULL;
+	    node->next = log->head;
+	    log->head->prev = node;
+	    log->head = node;
+	} else {
+	    /* add in middle */
+	    tnode = log->tail;
+	    while ( tnode != NULL ) {
+		if ( depth >= tnode->depth ) {
+		    /* insert after tnode */
+		    node->prev = tnode;
+		    node->next = tnode->next;
+		    tnode->next->prev = node;
+		    tnode->next = node;
+		    break;
+		}
+
+		tnode = tnode->prev;
+	    }
+	}
+
+	log->count++;
+    }
+    return;
+}
+
+#define EXIT_IF_NOT_LOGGING(log) \
+    if ( log == NULL ) { \
+	goto loser; \
+    }
+
+#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
+    if ( log != NULL ) { \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+    } else { \
+	goto loser; \
+    }
+
+#define LOG_ERROR(log,cert,depth,arg) \
+    if ( log != NULL ) { \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+    }
+
+
+typedef enum { cbd_None, cbd_User, cbd_CA } cbd_FortezzaType;
+
+static SECStatus
+cert_VerifyFortezzaV1Cert(CERTCertDBHandle *handle, CERTCertificate *cert,
+	cbd_FortezzaType *next_type, cbd_FortezzaType last_type,
+	int64 t, void *wincx)
+{
+    unsigned char priv = 0;
+    SECKEYPublicKey *key;
+    SECStatus rv;
+
+    *next_type = cbd_CA;
+
+    /* read the key */
+    key = CERT_ExtractPublicKey(cert);
+
+    /* Cant' get Key? fail. */
+    if (key == NULL) {
+    	PORT_SetError(SEC_ERROR_BAD_KEY);
+	return SECFailure;
+    }
+
+
+    /* if the issuer is not an old fortezza cert, we bail */
+    if (key->keyType != fortezzaKey) {
+    	SECKEY_DestroyPublicKey(key);
+	/* CA Cert not fortezza */
+    	PORT_SetError(SEC_ERROR_NOT_FORTEZZA_ISSUER);
+	return SECFailure;
+    }
+
+    /* get the privilege mask */
+    if (key->u.fortezza.DSSpriviledge.len > 0) {
+	priv = key->u.fortezza.DSSpriviledge.data[0];
+    }
+
+    /*
+     * make sure the CA's keys are OK
+     */
+            
+    rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
+    SECKEY_DestroyPublicKey(key);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    switch (last_type) {
+      case cbd_User:
+	/* first check for subordination */
+	/*rv = FortezzaSubordinateCheck(cert,issuerCert);*/
+	rv = SECSuccess;
+
+	/* now check for issuer privilege */
+	if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
+	    /* bail */
+	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+	    return SECFailure;
+	}
+	break;
+      case cbd_CA:
+	if ((priv & 0x20) == 0) {
+	    /* bail */
+	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+	    return SECFailure;
+	}
+	break;
+      case cbd_None:
+	*next_type = (priv & 0x30) ? cbd_CA : cbd_User;
+	break;
+      default:
+	/* bail */ /* shouldn't ever happen */
+    	PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+static SECStatus
+cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     PRBool checkSig, PRBool* sigerror,
+                     SECCertUsage certUsage, int64 t, void *wincx,
+                     CERTVerifyLog *log, PRBool* revoked)
+{
+    SECTrustType trustType;
+    CERTBasicConstraints basicConstraint;
+    CERTCertificate *issuerCert = NULL;
+    CERTCertificate *subjectCert = NULL;
+    CERTCertificate *badCert = NULL;
+    PRBool isca;
+    PRBool isFortezzaV1 = PR_FALSE;
+    SECStatus rv;
+    SECStatus rvFinal = SECSuccess;
+    int count;
+    int currentPathLen = 0;
+    int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
+    unsigned int caCertType;
+    unsigned int requiredCAKeyUsage;
+    unsigned int requiredFlags;
+    PRArenaPool *arena = NULL;
+    CERTGeneralName *namesList = NULL;
+    CERTCertificate **certsList      = NULL;
+    int certsListLen = 16;
+    int namesCount = 0;
+    PRBool subjectCertIsSelfIssued;
+
+    cbd_FortezzaType last_type = cbd_None;
+
+    if (revoked) {
+        *revoked = PR_FALSE;
+    }
+
+    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
+					 &requiredCAKeyUsage,
+					 &caCertType)
+	!= SECSuccess ) {
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredCAKeyUsage = 0;
+	caCertType = 0;
+    }
+
+    switch ( certUsage ) {
+      case certUsageSSLClient:
+      case certUsageSSLServer:
+      case certUsageSSLCA:
+      case certUsageSSLServerWithStepUp:
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+      case certUsageObjectSigner:
+      case certUsageVerifyCA:
+      case certUsageStatusResponder:
+	if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
+					   &trustType) != SECSuccess ) {
+	    PORT_Assert(0);
+	    EXIT_IF_NOT_LOGGING(log);
+	    requiredFlags = 0;
+	    trustType = trustSSL;
+	}
+	break;
+      default:
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredFlags = 0;
+	trustType = trustSSL;/* This used to be 0, but we need something
+			      * that matches the enumeration type.
+			      */
+	caCertType = 0;
+    }
+    
+    subjectCert = CERT_DupCertificate(cert);
+    if ( subjectCert == NULL ) {
+	goto loser;
+    }
+
+    /* determine if the cert is fortezza.
+     */
+    isFortezzaV1 = (PRBool)
+	(CERT_GetCertKeyType(&subjectCert->subjectPublicKeyInfo) 
+							== fortezzaKey);
+
+    if (isFortezzaV1) {
+	rv = cert_VerifyFortezzaV1Cert(handle, subjectCert, &last_type, 
+						cbd_None, t, wincx);
+	if (rv == SECFailure) {
+	    /**** PORT_SetError is already set by cert_VerifyFortezzaV1Cert **/
+	    LOG_ERROR_OR_EXIT(log,subjectCert,0,0);
+	}
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    certsList = PORT_ZNewArray(CERTCertificate *, certsListLen);
+    if (certsList == NULL)
+	goto loser;
+
+    /* RFC 3280 says that the name constraints will apply to the names
+    ** in the leaf (EE) cert, whether it is self issued or not, so
+    ** we pretend that it is not.
+    */
+    subjectCertIsSelfIssued = PR_FALSE;
+    for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
+	PRBool validCAOverride = PR_FALSE;
+
+	/* Construct a list of names for the current and all previous 
+	 * certifcates (except leaf (EE) certs, root CAs, and self-issued
+	 * intermediate CAs) to be verified against the name constraints 
+	 * extension of the issuer certificate. 
+	 */
+	if (subjectCertIsSelfIssued == PR_FALSE) {
+	    CERTGeneralName *subjectNameList;
+	    int subjectNameListLen;
+	    int i;
+	    subjectNameList    = CERT_GetCertificateNames(subjectCert, arena);
+	    if (!subjectNameList)
+		goto loser;
+	    subjectNameListLen = CERT_GetNamesLength(subjectNameList);
+	    if (!subjectNameListLen)
+		goto loser;
+	    if (certsListLen <= namesCount + subjectNameListLen) {
+		CERTCertificate **tmpCertsList;
+		certsListLen = (namesCount + subjectNameListLen) * 2;
+		tmpCertsList = 
+		    (CERTCertificate **)PORT_Realloc(certsList, 
+	                            certsListLen * sizeof(CERTCertificate *));
+		if (tmpCertsList == NULL) {
+		    goto loser;
+		}
+		certsList = tmpCertsList;
+	    }
+	    for (i = 0; i < subjectNameListLen; i++) {
+		certsList[namesCount + i] = subjectCert;
+	    }
+	    namesCount += subjectNameListLen;
+	    namesList = cert_CombineNamesLists(namesList, subjectNameList);
+	}
+
+        /* check if the cert has an unsupported critical extension */
+	if ( subjectCert->options.bits.hasUnsupportedCriticalExt ) {
+	    PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+	    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
+	}
+
+	/* find the certificate of the issuer */
+	issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
+	if ( ! issuerCert ) {
+	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+	    LOG_ERROR(log,subjectCert,count,0);
+	    goto loser;
+	}
+
+	/* verify the signature on the cert */
+	if ( checkSig ) {
+	    rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
+				       issuerCert, t, wincx);
+    
+	    if ( rv != SECSuccess ) {
+                if (sigerror) {
+                    *sigerror = PR_TRUE;
+                }
+		if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) {
+		    PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		} else {
+		    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
+		}
+	    }
+	}
+
+	/*
+	 * XXX - fortezza may need error logging stuff added
+	 */
+	if (isFortezzaV1) {
+	    rv = cert_VerifyFortezzaV1Cert(handle, issuerCert, &last_type, 
+					last_type, t, wincx);
+	    if (rv == SECFailure) {
+		/**** PORT_SetError is already set by *
+		 * cert_VerifyFortezzaV1Cert **/
+		LOG_ERROR_OR_EXIT(log,subjectCert,0,0);
+	    }
+	}
+
+	/* If the basicConstraint extension is included in an immediate CA
+	 * certificate, make sure that the isCA flag is on.  If the
+	 * pathLenConstraint component exists, it must be greater than the
+	 * number of CA certificates we have seen so far.  If the extension
+	 * is omitted, we will assume that this is a CA certificate with
+	 * an unlimited pathLenConstraint (since it already passes the
+	 * netscape-cert-type extension checking).
+	 *
+	 * In the fortezza (V1) case, we've already checked the CA bits
+	 * in the key, so we're presumed to be a CA; however we really don't
+	 * want to bypass Basic constraint or netscape extension parsing.
+         * 
+         * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
+	 */
+
+	rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
+	if ( rv != SECSuccess ) {
+	    if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    } 
+	    pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
+	    /* no basic constraints found, if we're fortezza, CA bit is already
+	     * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
+	     * isca = PR_FALSE */
+	    isca = isFortezzaV1;
+	} else  {
+	    if ( basicConstraint.isCA == PR_FALSE ) {
+		PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    }
+	    pathLengthLimit = basicConstraint.pathLenConstraint;
+	    isca = PR_TRUE;
+	}    
+	/* make sure that the path len constraint is properly set.*/
+	if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
+	    PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
+	    LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
+	}
+	
+	/* XXX - the error logging may need to go down into CRL stuff at some
+	 * point
+	 */
+	/* check revoked list (issuer) */
+        rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
+        if (rv == SECFailure) {
+            if (revoked) {
+                *revoked = PR_TRUE;
+            }
+            LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
+        } else if (rv == SECWouldBlock) {
+            /* We found something fishy, so we intend to issue an
+             * error to the user, but the user may wish to continue
+             * processing, in which case we better make sure nothing
+             * worse has happened... so keep cranking the loop */
+            rvFinal = SECFailure;
+            if (revoked) {
+                *revoked = PR_TRUE;
+            }
+            LOG_ERROR(log,subjectCert,count,0);
+        }
+
+	if ( issuerCert->trust ) {
+	    /* we have some trust info, but this does NOT imply that this
+	     * cert is actually trusted for any purpose.  The cert may be
+	     * explicitly UNtrusted.  We won't know until we examine the
+	     * trust bits.
+	     */
+	    unsigned int flags;
+
+	    if (certUsage != certUsageAnyCA &&
+	        certUsage != certUsageStatusResponder) {
+
+	        /*
+	         * check the trust parms of the issuer
+	         */
+	        if ( certUsage == certUsageVerifyCA ) {
+	            if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
+	                trustType = trustEmail;
+	            } else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
+	                trustType = trustSSL;
+	            } else {
+	                trustType = trustObjectSigning;
+	            }
+	        }
+
+	        flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+
+	        if (flags & CERTDB_VALID_CA) {
+	            if ( ( flags & requiredFlags ) == requiredFlags) {
+	                /* we found a trusted one, so return */
+	                rv = rvFinal; 
+	                goto done;
+	            }
+	            validCAOverride = PR_TRUE;
+	        }
+	    } else {
+                /* Check if we have any valid trust when cheching for
+                 * certUsageAnyCA or certUsageStatusResponder. */
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+                    if ((flags & requiredFlags) == requiredFlags) {
+	                rv = rvFinal; 
+	                goto done;
+                    }
+                    if (flags & CERTDB_VALID_CA)
+                        validCAOverride = PR_TRUE;
+                }
+            }
+        }
+
+	if (!validCAOverride) {
+	    /*
+	     * Make sure that if this is an intermediate CA in the chain that
+	     * it was given permission by its signer to be a CA.
+	     */
+	    /*
+	     * if basicConstraints says it is a ca, then we check the
+	     * nsCertType.  If the nsCertType has any CA bits set, then
+	     * it must have the right one.
+	     */
+	    if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
+		isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
+	    }
+	
+	    if (  !isca  ) {
+		PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    }
+
+	    /* make sure key usage allows cert signing */
+	    if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
+		PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
+	    }
+	}
+
+	/* make sure that the entire chain is within the name space of the 
+	** current issuer certificate.
+	*/
+	rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, 
+	                           arena, &badCert);
+	if (rv != SECSuccess || badCert != NULL) {
+	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
+	    goto loser;
+	}
+	/* make sure that the issuer is not self signed.  If it is, then
+	 * stop here to prevent looping.
+	 */
+	if (issuerCert->isRoot) {
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+	    LOG_ERROR(log, issuerCert, count+1, 0);
+	    goto loser;
+	} 
+	/* The issuer cert will be the subject cert in the next loop.
+	 * A cert is self-issued if its subject and issuer are equal and
+	 * both are of non-zero length. 
+	 */
+	subjectCertIsSelfIssued = (PRBool)
+	    SECITEM_ItemsAreEqual(&issuerCert->derIssuer, 
+				  &issuerCert->derSubject) &&
+	    issuerCert->derSubject.len > 0;
+	if (subjectCertIsSelfIssued == PR_FALSE) {
+	    /* RFC 3280 says only non-self-issued intermediate CA certs 
+	     * count in path length.
+	     */
+	    ++currentPathLen;
+	}
+
+	CERT_DestroyCertificate(subjectCert);
+	subjectCert = issuerCert;
+	issuerCert = NULL;
+    }
+
+    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+    LOG_ERROR(log,subjectCert,count,0);
+loser:
+    rv = SECFailure;
+done:
+    if (certsList != NULL) {
+	PORT_Free(certsList);
+    }
+    if ( issuerCert ) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    
+    if ( subjectCert ) {
+	CERT_DestroyCertificate(subjectCert);
+    }
+
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+SECStatus
+cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
+                     PRBool checkSig, PRBool* sigerror,
+                     SECCertUsage certUsage, int64 t, void *wincx,
+                     CERTVerifyLog *log, PRBool* revoked)
+{
+    if (CERT_GetUsePKIXForValidation()) {
+        return cert_VerifyCertChainPkix(cert, checkSig, certUsage, t,
+                                        wincx, log, sigerror, revoked);
+    }
+    return cert_VerifyCertChainOld(handle, cert, checkSig, sigerror,
+                                   certUsage, t, wincx, log, revoked);
+}
+
+SECStatus
+CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     PRBool checkSig, SECCertUsage certUsage, int64 t,
+		     void *wincx, CERTVerifyLog *log)
+{
+    return cert_VerifyCertChain(handle, cert, checkSig, NULL, certUsage, t,
+			 wincx, log, NULL);
+}
+
+/*
+ * verify that a CA can sign a certificate with the requested usage.
+ */
+SECStatus
+CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log)
+{
+    SECTrustType trustType;
+    CERTBasicConstraints basicConstraint;
+    PRBool isca;
+    PRBool validCAOverride = PR_FALSE;
+    SECStatus rv;
+    SECStatus rvFinal = SECSuccess;
+    int flags;
+    unsigned int caCertType;
+    unsigned int requiredCAKeyUsage;
+    unsigned int requiredFlags;
+    CERTCertificate *issuerCert;
+
+
+    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
+					 &requiredCAKeyUsage,
+					 &caCertType) != SECSuccess ) {
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredCAKeyUsage = 0;
+	caCertType = 0;
+    }
+
+    switch ( certUsage ) {
+      case certUsageSSLClient:
+      case certUsageSSLServer:
+      case certUsageSSLCA:
+      case certUsageSSLServerWithStepUp:
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+      case certUsageObjectSigner:
+      case certUsageVerifyCA:
+      case certUsageStatusResponder:
+	if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
+					   &trustType) != SECSuccess ) {
+	    PORT_Assert(0);
+	    EXIT_IF_NOT_LOGGING(log);
+	    requiredFlags = 0;
+	    trustType = trustSSL;
+	}
+	break;
+      default:
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredFlags = 0;
+	trustType = trustSSL;/* This used to be 0, but we need something
+			      * that matches the enumeration type.
+			      */
+	caCertType = 0;
+    }
+    
+    /* If the basicConstraint extension is included in an intermmediate CA
+     * certificate, make sure that the isCA flag is on.  If the
+     * pathLenConstraint component exists, it must be greater than the
+     * number of CA certificates we have seen so far.  If the extension
+     * is omitted, we will assume that this is a CA certificate with
+     * an unlimited pathLenConstraint (since it already passes the
+     * netscape-cert-type extension checking).
+     *
+     * In the fortezza (V1) case, we've already checked the CA bits
+     * in the key, so we're presumed to be a CA; however we really don't
+     * want to bypass Basic constraint or netscape extension parsing.
+     * 
+     * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
+     */
+
+    rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
+    if ( rv != SECSuccess ) {
+	if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+	    LOG_ERROR_OR_EXIT(log,cert,0,0);
+	} 
+	/* no basic constraints found, if we're fortezza, CA bit is already
+	 * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
+	 * isca = PR_FALSE */
+	isca = PR_FALSE;
+    } else  {
+	if ( basicConstraint.isCA == PR_FALSE ) {
+	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+	    LOG_ERROR_OR_EXIT(log,cert,0,0);
+	}
+
+	/* can't check path length if we don't know the previous path */
+	isca = PR_TRUE;
+    }
+	
+    if ( cert->trust ) {
+	/* we have some trust info, but this does NOT imply that this
+	 * cert is actually trusted for any purpose.  The cert may be
+	 * explicitly UNtrusted.  We won't know until we examine the
+	 * trust bits.
+	 */
+        if (certUsage == certUsageStatusResponder) {
+	    /* Check the special case of certUsageStatusResponder */
+            issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
+            if (issuerCert) {
+                if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) 
+		    != SECSuccess) {
+                    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+                    CERT_DestroyCertificate(issuerCert);
+                    goto loser;
+                }
+                CERT_DestroyCertificate(issuerCert);
+            }
+	    /* XXX We have NOT determined that this cert is trusted.
+	     * For years, NSS has treated this as trusted, 
+	     * but it seems incorrect.
+	     */
+	    rv = rvFinal; 
+	    goto done;
+        }
+
+	/*
+	 * check the trust parms of the issuer
+	 */
+	flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
+	    
+	if (flags & CERTDB_VALID_CA) {
+	    if ( ( flags & requiredFlags ) == requiredFlags) {
+		/* we found a trusted one, so return */
+		rv = rvFinal; 
+		goto done;
+	    }
+	    validCAOverride = PR_TRUE;
+	}
+    }
+    if (!validCAOverride) {
+	/*
+	 * Make sure that if this is an intermediate CA in the chain that
+	 * it was given permission by its signer to be a CA.
+	 */
+	/*
+	 * if basicConstraints says it is a ca, then we check the
+	 * nsCertType.  If the nsCertType has any CA bits set, then
+	 * it must have the right one.
+	 */
+	if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
+	    isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
+	}
+	
+	if (!isca) {
+	    PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+	    LOG_ERROR_OR_EXIT(log,cert,0,0);
+	}
+	    
+	/* make sure key usage allows cert signing */
+	if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+	    LOG_ERROR_OR_EXIT(log,cert,0,requiredCAKeyUsage);
+	}
+    }
+    /* make sure that the issuer is not self signed.  If it is, then
+     * stop here to prevent looping.
+     */
+    if (cert->isRoot) {
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+	    LOG_ERROR(log, cert, 0, 0);
+	    goto loser;
+    }
+
+    return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t, 
+		     					wincx, log);
+loser:
+    rv = SECFailure;
+done:
+    return rv;
+}
+
+#define NEXT_USAGE() { \
+    i*=2; \
+    certUsage++; \
+    continue; \
+}
+
+#define VALID_USAGE() { \
+    NEXT_USAGE(); \
+}
+
+#define INVALID_USAGE() { \
+    if (returnedUsages) { \
+        *returnedUsages &= (~i); \
+    } \
+    if (PR_TRUE == requiredUsage) { \
+        valid = SECFailure; \
+    } \
+    NEXT_USAGE(); \
+}
+
+/*
+ * verify a certificate by checking if it's valid and that we
+ * trust the issuer.
+ *
+ * certificateUsage contains a bitfield of all cert usages that are
+ * required for verification to succeed
+ *
+ * a bitfield of cert usages is returned in *returnedUsages
+ * if requiredUsages is non-zero, the returned bitmap is only
+ * for those required usages, otherwise it is for all usages
+ *
+ */
+SECStatus
+CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertificateUsage requiredUsages, int64 t,
+		void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages)
+{
+    SECStatus rv;
+    SECStatus valid;
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    unsigned int flags;
+    unsigned int certType;
+    PRBool       allowOverride;
+    SECCertTimeValidity validity;
+    CERTStatusConfig *statusConfig;
+    PRInt32 i;
+    SECCertUsage certUsage = 0;
+    PRBool checkedOCSP = PR_FALSE;
+    PRBool checkAllUsages = PR_FALSE;
+    PRBool revoked = PR_FALSE;
+    PRBool sigerror = PR_FALSE;
+
+    if (!requiredUsages) {
+        /* there are no required usages, so the user probably wants to
+           get status for all usages */
+        checkAllUsages = PR_TRUE;
+    }
+
+    if (returnedUsages) {
+        *returnedUsages = 0;
+    } else {
+        /* we don't have a place to return status for all usages,
+           so we can skip checks for usages that aren't required */
+        checkAllUsages = PR_FALSE;
+    }
+    valid = SECSuccess ; /* start off assuming cert is valid */
+   
+    /* make sure that the cert is valid at time t */
+    allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
+                             (requiredUsages & certificateUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
+    if ( validity != secCertTimeValid ) {
+        valid = SECFailure;
+        LOG_ERROR_OR_EXIT(log,cert,0,validity);
+    }
+
+    /* check key usage and netscape cert type */
+    cert_GetCertType(cert);
+    certType = cert->nsCertType;
+
+    for (i=1; i<=certificateUsageHighest && 
+              (SECSuccess == valid || returnedUsages || log) ; ) {
+        PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
+        if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
+            NEXT_USAGE();
+        }
+        if (returnedUsages) {
+            *returnedUsages |= i; /* start off assuming this usage is valid */
+        }
+        switch ( certUsage ) {
+          case certUsageSSLClient:
+          case certUsageSSLServer:
+          case certUsageSSLServerWithStepUp:
+          case certUsageSSLCA:
+          case certUsageEmailSigner:
+          case certUsageEmailRecipient:
+          case certUsageObjectSigner:
+          case certUsageStatusResponder:
+            rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
+                                                  &requiredKeyUsage,
+                                                  &requiredCertType);
+            if ( rv != SECSuccess ) {
+                PORT_Assert(0);
+                /* EXIT_IF_NOT_LOGGING(log); XXX ??? */
+                requiredKeyUsage = 0;
+                requiredCertType = 0;
+                INVALID_USAGE();
+            }
+            break;
+
+          case certUsageAnyCA:
+          case certUsageProtectedObjectSigner:
+          case certUsageUserCertImport:
+          case certUsageVerifyCA:
+              /* these usages cannot be verified */
+              NEXT_USAGE();
+
+          default:
+            PORT_Assert(0);
+            requiredKeyUsage = 0;
+            requiredCertType = 0;
+            INVALID_USAGE();
+        }
+        if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
+            if (PR_TRUE == requiredUsage) {
+                PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+            }
+            LOG_ERROR(log,cert,0,requiredKeyUsage);
+            INVALID_USAGE();
+        }
+        if ( !( certType & requiredCertType ) ) {
+            if (PR_TRUE == requiredUsage) {
+                PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
+            }
+            LOG_ERROR(log,cert,0,requiredCertType);
+            INVALID_USAGE();
+        }
+
+        /* check trust flags to see if this cert is directly trusted */
+        if ( cert->trust ) { /* the cert is in the DB */
+            switch ( certUsage ) {
+              case certUsageSSLClient:
+              case certUsageSSLServer:
+                flags = cert->trust->sslFlags;
+
+                /* is the cert directly trusted or not trusted ? */
+                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+                        VALID_USAGE();
+                    } else { /* don't trust this cert */
+                        if (PR_TRUE == requiredUsage) {
+                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+                        }
+                        LOG_ERROR(log,cert,0,flags);
+                        INVALID_USAGE();
+                    }
+                }
+                break;
+              case certUsageSSLServerWithStepUp:
+                /* XXX - step up certs can't be directly trusted */
+                break;
+              case certUsageSSLCA:
+                break;
+              case certUsageEmailSigner:
+              case certUsageEmailRecipient:
+                flags = cert->trust->emailFlags;
+
+                /* is the cert directly trusted or not trusted ? */
+                if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
+                    ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
+                    VALID_USAGE();
+                }
+                break;
+              case certUsageObjectSigner:
+                flags = cert->trust->objectSigningFlags;
+
+                /* is the cert directly trusted or not trusted ? */
+                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+                        VALID_USAGE();
+                    } else { /* don't trust this cert */
+                        if (PR_TRUE == requiredUsage) {
+                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+                        }
+                        LOG_ERROR(log,cert,0,flags);
+                        INVALID_USAGE();
+                    }
+                }
+                break;
+              case certUsageVerifyCA:
+              case certUsageStatusResponder:
+                flags = cert->trust->sslFlags;
+                /* is the cert directly trusted or not trusted ? */
+                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+                    VALID_USAGE();
+                }
+                flags = cert->trust->emailFlags;
+                /* is the cert directly trusted or not trusted ? */
+                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+                    VALID_USAGE();
+                }
+                flags = cert->trust->objectSigningFlags;
+                /* is the cert directly trusted or not trusted ? */
+                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+                    VALID_USAGE();
+                }
+                break;
+              case certUsageAnyCA:
+              case certUsageProtectedObjectSigner:
+              case certUsageUserCertImport:
+                /* XXX to make the compiler happy.  Should these be
+                 * explicitly handled?
+                 */
+                break;
+            }
+        }
+
+        if (PR_TRUE == revoked || PR_TRUE == sigerror) {
+            INVALID_USAGE();
+        }
+
+        rv = cert_VerifyCertChain(handle, cert,
+            checkSig, &sigerror,
+            certUsage, t, wincx, log,
+            &revoked);
+
+        if (rv != SECSuccess) {
+            /* EXIT_IF_NOT_LOGGING(log); XXX ???? */
+            INVALID_USAGE();
+        }
+
+        /*
+         * Check OCSP revocation status, but only if the cert we are checking
+         * is not a status reponder itself.  We only do this in the case
+         * where we checked the cert chain (above); explicit trust "wins"
+         * (avoids status checking, just as it avoids CRL checking) by
+         * bypassing this code.
+         */
+
+        if (PR_FALSE == checkedOCSP) {
+            checkedOCSP = PR_TRUE; /* only check OCSP once */
+            statusConfig = CERT_GetStatusConfig(handle);
+            if (requiredUsages != certificateUsageStatusResponder &&
+                statusConfig != NULL) {
+                if (statusConfig->statusChecker != NULL) {
+                    rv = (* statusConfig->statusChecker)(handle, cert,
+                                                                 t, wincx);
+                    if (rv != SECSuccess) {
+                        LOG_ERROR(log,cert,0,0);
+                        revoked = PR_TRUE;
+                        INVALID_USAGE();
+                    }
+                }
+            }
+        }
+
+        NEXT_USAGE();
+    }
+    
+loser:
+    return(valid);
+}
+
+SECStatus
+CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log)
+{
+    SECStatus rv;
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    unsigned int flags;
+    unsigned int certType;
+    PRBool       allowOverride;
+    SECCertTimeValidity validity;
+    CERTStatusConfig *statusConfig;
+   
+#ifdef notdef 
+    /* check if this cert is in the Evil list */
+    rv = CERT_CheckForEvilCert(cert);
+    if ( rv != SECSuccess ) {
+	PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+	LOG_ERROR_OR_EXIT(log,cert,0,0);
+    }
+#endif
+    
+    /* make sure that the cert is valid at time t */
+    allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
+                             (certUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
+    if ( validity != secCertTimeValid ) {
+	LOG_ERROR_OR_EXIT(log,cert,0,validity);
+    }
+
+    /* check key usage and netscape cert type */
+    cert_GetCertType(cert);
+    certType = cert->nsCertType;
+    switch ( certUsage ) {
+      case certUsageSSLClient:
+      case certUsageSSLServer:
+      case certUsageSSLServerWithStepUp:
+      case certUsageSSLCA:
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+      case certUsageObjectSigner:
+      case certUsageStatusResponder:
+	rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
+					      &requiredKeyUsage,
+					      &requiredCertType);
+	if ( rv != SECSuccess ) {
+	    PORT_Assert(0);
+	    EXIT_IF_NOT_LOGGING(log);
+	    requiredKeyUsage = 0;
+	    requiredCertType = 0;
+	}
+	break;
+      case certUsageVerifyCA:
+	requiredKeyUsage = KU_KEY_CERT_SIGN;
+	requiredCertType = NS_CERT_TYPE_CA;
+	if ( ! ( certType & NS_CERT_TYPE_CA ) ) {
+	    certType |= NS_CERT_TYPE_CA;
+	}
+	break;
+      default:
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredKeyUsage = 0;
+	requiredCertType = 0;
+    }
+    if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
+	PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+	LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
+    }
+    if ( !( certType & requiredCertType ) ) {
+	PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
+	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
+    }
+
+    /* check trust flags to see if this cert is directly trusted */
+    if ( cert->trust ) { /* the cert is in the DB */
+	switch ( certUsage ) {
+	  case certUsageSSLClient:
+	  case certUsageSSLServer:
+	    flags = cert->trust->sslFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    goto winner;
+		} else { /* don't trust this cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+		}
+	    }
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    /* XXX - step up certs can't be directly trusted */
+	    break;
+	  case certUsageSSLCA:
+	    break;
+	  case certUsageEmailSigner:
+	  case certUsageEmailRecipient:
+	    flags = cert->trust->emailFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
+		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
+		goto winner;
+	    }
+	    break;
+	  case certUsageObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    goto winner;
+		} else { /* don't trust this cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+		}
+	    }
+	    break;
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    flags = cert->trust->sslFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    flags = cert->trust->emailFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    flags = cert->trust->objectSigningFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    break;
+	  case certUsageAnyCA:
+	  case certUsageProtectedObjectSigner:
+	  case certUsageUserCertImport:
+	    /* XXX to make the compiler happy.  Should these be
+	     * explicitly handled?
+	     */
+	    break;
+	}
+    }
+
+    rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
+			      t, wincx, log);
+    if (rv != SECSuccess) {
+	EXIT_IF_NOT_LOGGING(log);
+    }
+
+    /*
+     * Check revocation status, but only if the cert we are checking
+     * is not a status reponder itself.  We only do this in the case
+     * where we checked the cert chain (above); explicit trust "wins"
+     * (avoids status checking, just as it avoids CRL checking, which
+     * is all done inside VerifyCertChain) by bypassing this code.
+     */
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (certUsage != certUsageStatusResponder && statusConfig != NULL) {
+	if (statusConfig->statusChecker != NULL) {
+	    rv = (* statusConfig->statusChecker)(handle, cert,
+							 t, wincx);
+	    if (rv != SECSuccess) {
+		LOG_ERROR_OR_EXIT(log,cert,0,0);
+	    }
+	}
+    }
+
+winner:
+    return(SECSuccess);
+
+loser:
+    rv = SECFailure;
+    
+    return(rv);
+}
+
+/*
+ * verify a certificate by checking if its valid and that we
+ * trust the issuer.  Verify time against now.
+ */
+SECStatus
+CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertificateUsage requiredUsages,
+                   void *wincx, SECCertificateUsage* returnedUsages)
+{
+    return(CERT_VerifyCertificate(handle, cert, checkSig, 
+		   requiredUsages, PR_Now(), wincx, NULL, returnedUsages));
+}
+
+/* obsolete, do not use for new code */
+SECStatus
+CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertUsage certUsage, void *wincx)
+{
+    return(CERT_VerifyCert(handle, cert, checkSig, 
+		   certUsage, PR_Now(), wincx, NULL));
+}
+
+
+/* [ FROM pcertdb.c ] */
+/*
+ * Supported usage values and types:
+ *	certUsageSSLClient
+ *	certUsageSSLServer
+ *	certUsageSSLServerWithStepUp
+ *	certUsageEmailSigner
+ *	certUsageEmailRecipient
+ *	certUsageObjectSigner
+ */
+
+CERTCertificate *
+CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
+		      CERTCertOwner owner, SECCertUsage usage,
+		      PRBool preferTrusted, int64 validTime, PRBool validOnly)
+{
+    CERTCertList *certList = NULL;
+    CERTCertificate *cert = NULL;
+    unsigned int requiredTrustFlags;
+    SECTrustType requiredTrustType;
+    unsigned int flags;
+    
+    PRBool lookingForCA = PR_FALSE;
+    SECStatus rv;
+    CERTCertListNode *node;
+    CERTCertificate *saveUntrustedCA = NULL;
+    
+    /* if preferTrusted is set, must be a CA cert */
+    PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) );
+    
+    if ( owner == certOwnerCA ) {
+	lookingForCA = PR_TRUE;
+	if ( preferTrusted ) {
+	    rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
+					       &requiredTrustType);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	    requiredTrustFlags |= CERTDB_VALID_CA;
+	}
+    }
+
+    certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime,
+					  validOnly);
+    if ( certList != NULL ) {
+	rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	
+	node = CERT_LIST_HEAD(certList);
+	
+	while ( !CERT_LIST_END(node, certList) ) {
+	    cert = node->cert;
+
+	    /* looking for a trusted CA cert */
+	    if ( ( owner == certOwnerCA ) && preferTrusted &&
+		( requiredTrustType != trustTypeNone ) ) {
+
+		if ( cert->trust == NULL ) {
+		    flags = 0;
+		} else {
+		    flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
+		}
+
+		if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
+		    /* cert is not trusted */
+		    /* if this is the first cert to get this far, then save
+		     * it, so we can use it if we can't find a trusted one
+		     */
+		    if ( saveUntrustedCA == NULL ) {
+			saveUntrustedCA = cert;
+		    }
+		    goto endloop;
+		}
+	    }
+	    /* if we got this far, then this cert meets all criteria */
+	    break;
+	    
+endloop:
+	    node = CERT_LIST_NEXT(node);
+	    cert = NULL;
+	}
+
+	/* use the saved one if we have it */
+	if ( cert == NULL ) {
+	    cert = saveUntrustedCA;
+	}
+
+	/* if we found one then bump the ref count before freeing the list */
+	if ( cert != NULL ) {
+	    /* bump the ref count */
+	    cert = CERT_DupCertificate(cert);
+	}
+	
+	CERT_DestroyCertList(certList);
+    }
+
+    return(cert);
+
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+    }
+
+    return(NULL);
+}
+
+
+/* [ From certdb.c ] */
+/*
+ * Filter a list of certificates, removing those certs that do not have
+ * one of the named CA certs somewhere in their cert chain.
+ *
+ *	"certList" - the list of certificates to filter
+ *	"nCANames" - number of CA names
+ *	"caNames" - array of CA names in string(rfc 1485) form
+ *	"usage" - what use the certs are for, this is used when
+ *		selecting CA certs
+ */
+SECStatus
+CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
+			     char **caNames, SECCertUsage usage)
+{
+    CERTCertificate *issuerCert = NULL;
+    CERTCertificate *subjectCert;
+    CERTCertListNode *node, *freenode;
+    CERTCertificate *cert;
+    int n;
+    char **names;
+    PRBool found;
+    int64 time;
+    
+    if ( nCANames <= 0 ) {
+	return(SECSuccess);
+    }
+
+    time = PR_Now();
+    
+    node = CERT_LIST_HEAD(certList);
+    
+    while ( ! CERT_LIST_END(node, certList) ) {
+	cert = node->cert;
+	
+	subjectCert = CERT_DupCertificate(cert);
+
+	/* traverse the CA certs for this cert */
+	found = PR_FALSE;
+	while ( subjectCert != NULL ) {
+	    n = nCANames;
+	    names = caNames;
+	   
+            if (subjectCert->issuerName != NULL) { 
+	        while ( n > 0 ) {
+		    if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) {
+		        found = PR_TRUE;
+		        break;
+		    }
+
+		    n--;
+		    names++;
+                }
+	    }
+
+	    if ( found ) {
+		break;
+	    }
+	    
+	    issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
+	    if ( issuerCert == subjectCert ) {
+		CERT_DestroyCertificate(issuerCert);
+		issuerCert = NULL;
+		break;
+	    }
+	    CERT_DestroyCertificate(subjectCert);
+	    subjectCert = issuerCert;
+
+	}
+	CERT_DestroyCertificate(subjectCert);
+	if ( !found ) {
+	    /* CA was not found, so remove this cert from the list */
+	    freenode = node;
+	    node = CERT_LIST_NEXT(node);
+	    CERT_RemoveCertListNode(freenode);
+	} else {
+	    /* CA was found, so leave it in the list */
+	    node = CERT_LIST_NEXT(node);
+	}
+    }
+    
+    return(SECSuccess);
+}
+
+/*
+ * Given a certificate, return a string containing the nickname, and possibly
+ * one of the validity strings, based on the current validity state of the
+ * certificate.
+ *
+ * "arena" - arena to allocate returned string from.  If NULL, then heap
+ *	is used.
+ * "cert" - the cert to get nickname from
+ * "expiredString" - the string to append to the nickname if the cert is
+ *		expired.
+ * "notYetGoodString" - the string to append to the nickname if the cert is
+ *		not yet good.
+ */
+char *
+CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
+				 char *expiredString, char *notYetGoodString)
+{
+    SECCertTimeValidity validity;
+    char *nickname = NULL, *tmpstr = NULL;
+    
+    validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
+
+    /* if the cert is good, then just use the nickname directly */
+    if ( validity == secCertTimeValid ) {
+	if ( arena == NULL ) {
+	    nickname = PORT_Strdup(cert->nickname);
+	} else {
+	    nickname = PORT_ArenaStrdup(arena, cert->nickname);
+	}
+	
+	if ( nickname == NULL ) {
+	    goto loser;
+	}
+    } else {
+	    
+	/* if the cert is not valid, then tack one of the strings on the
+	 * end
+	 */
+	if ( validity == secCertTimeExpired ) {
+	    tmpstr = PR_smprintf("%s%s", cert->nickname,
+				 expiredString);
+	} else if ( validity == secCertTimeNotValidYet ) {
+	    /* not yet valid */
+	    tmpstr = PR_smprintf("%s%s", cert->nickname,
+				 notYetGoodString);
+        } else {
+            /* undetermined */
+	    tmpstr = PR_smprintf("%s",
+                        "(NULL) (Validity Unknown)");
+        }
+
+	if ( tmpstr == NULL ) {
+	    goto loser;
+	}
+
+	if ( arena ) {
+	    /* copy the string into the arena and free the malloc'd one */
+	    nickname = PORT_ArenaStrdup(arena, tmpstr);
+	    PORT_Free(tmpstr);
+	} else {
+	    nickname = tmpstr;
+	}
+	if ( nickname == NULL ) {
+	    goto loser;
+	}
+    }    
+    return(nickname);
+
+loser:
+    return(NULL);
+}
+
+/*
+ * Collect the nicknames from all certs in a CertList.  If the cert is not
+ * valid, append a string to that nickname.
+ *
+ * "certList" - the list of certificates
+ * "expiredString" - the string to append to the nickname of any expired cert
+ * "notYetGoodString" - the string to append to the nickname of any cert
+ *		that is not yet valid
+ */
+CERTCertNicknames *
+CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
+				 char *notYetGoodString)
+{
+    CERTCertNicknames *names;
+    PRArenaPool *arena;
+    CERTCertListNode *node;
+    char **nn;
+    
+    /* allocate an arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* allocate the structure */
+    names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    /* init the structure */
+    names->arena = arena;
+    names->head = NULL;
+    names->numnicknames = 0;
+    names->nicknames = NULL;
+    names->totallen = 0;
+
+    /* count the certs in the list */
+    node = CERT_LIST_HEAD(certList);
+    while ( ! CERT_LIST_END(node, certList) ) {
+	names->numnicknames++;
+	node = CERT_LIST_NEXT(node);
+    }
+    
+    /* allocate nicknames array */
+    names->nicknames = PORT_ArenaAlloc(arena,
+				       sizeof(char *) * names->numnicknames);
+    if ( names->nicknames == NULL ) {
+	goto loser;
+    }
+
+    /* just in case printf can't deal with null strings */
+    if (expiredString == NULL ) {
+	expiredString = "";
+    }
+
+    if ( notYetGoodString == NULL ) {
+	notYetGoodString = "";
+    }
+    
+    /* traverse the list of certs and collect the nicknames */
+    nn = names->nicknames;
+    node = CERT_LIST_HEAD(certList);
+    while ( ! CERT_LIST_END(node, certList) ) {
+	*nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
+					       expiredString,
+					       notYetGoodString);
+	if ( *nn == NULL ) {
+	    goto loser;
+	}
+
+	names->totallen += PORT_Strlen(*nn);
+	
+	nn++;
+	node = CERT_LIST_NEXT(node);
+    }
+
+    return(names);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+/*
+ * Extract the nickname from a nickmake string that may have either
+ * expiredString or notYetGoodString appended.
+ *
+ * Args:
+ *	"namestring" - the string containing the nickname, and possibly
+ *		one of the validity label strings
+ *	"expiredString" - the expired validity label string
+ *	"notYetGoodString" - the not yet good validity label string
+ *
+ * Returns the raw nickname
+ */
+char *
+CERT_ExtractNicknameString(char *namestring, char *expiredString,
+			   char *notYetGoodString)
+{
+    int explen, nyglen, namelen;
+    int retlen;
+    char *retstr;
+    
+    namelen = PORT_Strlen(namestring);
+    explen = PORT_Strlen(expiredString);
+    nyglen = PORT_Strlen(notYetGoodString);
+    
+    if ( namelen > explen ) {
+	if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) {
+	    retlen = namelen - explen;
+	    retstr = (char *)PORT_Alloc(retlen+1);
+	    if ( retstr == NULL ) {
+		goto loser;
+	    }
+	    
+	    PORT_Memcpy(retstr, namestring, retlen);
+	    retstr[retlen] = '\0';
+	    goto done;
+	}
+    }
+
+    if ( namelen > nyglen ) {
+	if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) {
+	    retlen = namelen - nyglen;
+	    retstr = (char *)PORT_Alloc(retlen+1);
+	    if ( retstr == NULL ) {
+		goto loser;
+	    }
+	    
+	    PORT_Memcpy(retstr, namestring, retlen);
+	    retstr[retlen] = '\0';
+	    goto done;
+	}
+    }
+
+    /* if name string is shorter than either invalid string, then it must
+     * be a raw nickname
+     */
+    retstr = PORT_Strdup(namestring);
+    
+done:
+    return(retstr);
+
+loser:
+    return(NULL);
+}
+
+CERTCertList *
+CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
+{
+    CERTCertList *chain = NULL;
+
+    if (NULL == cert) {
+        return NULL;
+    }
+    
+    cert = CERT_DupCertificate(cert);
+    if (NULL == cert) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    chain = CERT_NewCertList();
+    if (NULL == chain) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    while (cert != NULL) {
+	if (SECSuccess != CERT_AddCertToListTail(chain, cert)) {
+            /* return partial chain */
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            return chain;
+        }
+
+	if (cert->isRoot) {
+            /* return complete chain */
+	    return chain;
+	}
+
+	cert = CERT_FindCertIssuer(cert, time, usage);
+    }
+
+    /* return partial chain */
+    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+    return chain;
+}
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
new file mode 100644
index 000000000..686b87546
--- /dev/null
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -0,0 +1,2280 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * nss_pkix_proxy.h
+ *
+ * PKIX - NSS proxy functions
+ *
+ * NOTE: All structures, functions, data types are parts of library private
+ * api and are subjects to change in any following releases.
+ *
+ */
+#include "prerror.h"
+#include "prprf.h"
+ 
+#include "nspr.h"
+#include "pk11func.h"
+#include "certdb.h"
+#include "cert.h"
+#include "secerr.h"
+#include "nssb64.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "pkit.h"
+
+#include "pkix_pl_common.h"
+#include "pkix_pl_ekuchecker.h"
+
+extern PRLogModuleInfo *pkixLog;
+
+#ifdef DEBUG_volkov
+/* Temporary declarations of functioins. Will be removed with fix for
+ * 391183 */
+extern char *
+pkix_Error2ASCII(PKIX_Error *error, void *plContext);
+
+extern void
+cert_PrintCert(PKIX_PL_Cert *pkixCert, void *plContext);
+
+extern PKIX_Error *
+cert_PrintCertChain(PKIX_List *pkixCertChain, void *plContext);
+
+#endif /* DEBUG */
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+
+extern PKIX_UInt32
+pkix_pl_lifecycle_ObjectLeakCheck(int *);
+
+extern SECStatus
+pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
+
+PRInt32 parallelFnInvocationCount;
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+
+static PRBool usePKIXValidationEngine = PR_FALSE;
+
+/*
+ * FUNCTION: CERT_SetUsePKIXForValidation
+ * DESCRIPTION:
+ *
+ * Enables or disables use of libpkix for certificate validation
+ *
+ * PARAMETERS:
+ *  "enable"
+ *      PR_TRUE: enables use of libpkix for cert validation.
+ *      PR_FALSE: disables.
+ * THREAD SAFETY:
+ *  NOT Thread Safe.
+ * RETURNS:
+ *  Returns SECSuccess if successfully enabled
+ */
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+    usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE;
+    return SECSuccess;
+}
+
+/*
+ * FUNCTION: CERT_GetUsePKIXForValidation
+ * DESCRIPTION:
+ *
+ * Checks if libpkix building function should be use for certificate
+ * chain building.
+ *
+ * PARAMETERS:
+ *  NONE
+ * THREAD SAFETY:
+ *  NOT Thread Safe
+ * RETURNS:
+ *  Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise.
+ */
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+    return usePKIXValidationEngine;
+}
+
+/*
+ * FUNCTION: cert_NssKeyUsagesToPkix
+ * DESCRIPTION:
+ *
+ * Converts nss key usage bit field(PRUint32) to pkix key usage
+ * bit field.
+ *
+ * PARAMETERS:
+ *  "nssKeyUsage"
+ *      Nss key usage bit field.
+ *  "pkixKeyUsage"
+ *      Pkix key usage big field.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_NssKeyUsagesToPkix(
+    PRUint32 nssKeyUsage,
+    PKIX_UInt32 *pPkixKeyUsage,
+    void *plContext)
+{
+    PKIX_UInt32 pkixKeyUsage = 0;
+
+    PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix");
+    PKIX_NULLCHECK_ONE(pPkixKeyUsage);
+
+    *pPkixKeyUsage = 0;
+
+    if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
+        pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
+    }
+    
+    if (nssKeyUsage & KU_NON_REPUDIATION) {
+        pkixKeyUsage |= PKIX_NON_REPUDIATION;
+    }
+
+    if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
+        pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
+    }
+    
+    if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
+        pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
+    }
+    
+    if (nssKeyUsage & KU_KEY_AGREEMENT) {
+        pkixKeyUsage |= PKIX_KEY_AGREEMENT;
+    }
+    
+    if (nssKeyUsage & KU_KEY_CERT_SIGN) {
+        pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
+    }
+    
+    if (nssKeyUsage & KU_CRL_SIGN) {
+        pkixKeyUsage |= PKIX_CRL_SIGN;
+    }
+
+    if (nssKeyUsage & KU_ENCIPHER_ONLY) {
+        pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
+    }
+    
+    /* Not supported. XXX we should support this once it is
+     * fixed in NSS */
+    /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
+
+    *pPkixKeyUsage = pkixKeyUsage;
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+extern char* ekuOidStrings[];
+
+enum {
+    ekuIndexSSLServer = 0,
+    ekuIndexSSLClient,
+    ekuIndexCodeSigner,
+    ekuIndexEmail,
+    ekuIndexTimeStamp,
+    ekuIndexStatusResponder,
+    ekuIndexUnknown
+} ekuIndex;
+
+typedef struct {
+    SECCertUsage certUsage;
+    PRUint32 ekuStringIndex;
+} SECCertUsageToEku;
+
+const SECCertUsageToEku certUsageEkuStringMap[] = {
+    {certUsageSSLClient,             ekuIndexSSLClient},
+    {certUsageSSLServer,             ekuIndexSSLServer},
+    {certUsageSSLServerWithStepUp,   ekuIndexSSLServer}, /* need to add oids to
+                                                          * the list of eku.
+                                                          * see 390381*/
+    {certUsageSSLCA,                 ekuIndexSSLServer},
+    {certUsageEmailSigner,           ekuIndexEmail},
+    {certUsageEmailRecipient,        ekuIndexEmail},
+    {certUsageObjectSigner,          ekuIndexCodeSigner},
+    {certUsageUserCertImport,        ekuIndexUnknown},
+    {certUsageVerifyCA,              ekuIndexUnknown},
+    {certUsageProtectedObjectSigner, ekuIndexUnknown},
+    {certUsageStatusResponder,       ekuIndexStatusResponder},
+    {certUsageAnyCA,                 ekuIndexUnknown},
+};
+
+#define CERT_USAGE_EKU_STRING_MAPS_TOTAL       12
+
+/*
+ * FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU
+ * DESCRIPTION:
+ *
+ * Converts nss CERTCertificateUsage bit field to pkix key and
+ * extended key usages.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Pointer to CERTCertificate structure of validating cert.
+ *  "requiredCertUsages"
+ *      Required usage that will be converted to pkix eku and ku. 
+ *  "requiredKeyUsage",
+ *      Additional key usages impose to cert.
+ *  "isCA",
+ *      it true, convert usages for cert that is a CA cert.  
+ *  "ppkixEKUList"
+ *      Returned address of a list of pkix extended key usages.
+ *  "ppkixKU"
+ *      Returned address of pkix required key usages bit field. 
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_NssCertificateUsageToPkixKUAndEKU(
+    CERTCertificate *cert,
+    SECCertUsage     requiredCertUsage,
+    PRUint32         requiredKeyUsages,
+    PRBool           isCA,
+    PKIX_List      **ppkixEKUList,
+    PKIX_UInt32     *ppkixKU,
+    void            *plContext)
+{
+    PKIX_List           *ekuOidsList = NULL;
+    PKIX_PL_OID         *ekuOid = NULL;
+    int                  i = 0;
+    int                  ekuIndex = ekuIndexUnknown;
+
+    PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
+    PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
+    
+    PKIX_CHECK(
+        PKIX_List_Create(&ekuOidsList, plContext),
+        PKIX_LISTCREATEFAILED);
+
+    for (;i < CERT_USAGE_EKU_STRING_MAPS_TOTAL;i++) {
+        const SECCertUsageToEku *usageToEkuElem =
+            &certUsageEkuStringMap[i];
+        if (usageToEkuElem->certUsage == requiredCertUsage) {
+            ekuIndex = usageToEkuElem->ekuStringIndex;
+            break;
+        }
+    }
+    if (ekuIndex != ekuIndexUnknown) {
+        PRUint32             reqKeyUsage = 0;
+        PRUint32             reqCertType = 0;
+
+        CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA,
+                                         &reqKeyUsage,
+                                         &reqCertType);
+        
+        requiredKeyUsages |= reqKeyUsage;
+        
+        PKIX_CHECK(
+            PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid,
+                               plContext),
+            PKIX_OIDCREATEFAILED);
+        
+        PKIX_CHECK(
+            PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid,
+                                 plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+        
+        PKIX_DECREF(ekuOid);
+    }
+
+    PKIX_CHECK(
+        cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext),
+        PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED);
+
+    *ppkixEKUList = ekuOidsList;
+    ekuOidsList = NULL;
+
+cleanup:
+    
+    PKIX_DECREF(ekuOid);
+    PKIX_DECREF(ekuOidsList);
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+
+/*
+ * FUNCTION: cert_ProcessingParamsSetKuAndEku
+ * DESCRIPTION:
+ *
+ * Converts cert usage to pkix KU and EKU types and sets
+ * converted data into PKIX_ProcessingParams object. It also sets
+ * proper cert usage into nsscontext object.
+ *
+ * PARAMETERS:
+ *  "procParams"
+ *      Pointer to PKIX_ProcessingParams used during validation.
+ *  "requiredCertUsage"
+ *      Required certificate usages the certificate and chain is built and
+ *      validated for.
+ *  "requiredKeyUsage"
+ *      Request additional key usages the certificate should be validated for.
+ *  "isCA"
+ *      Should the cert be verifyed as CA cert for the usages.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_ProcessingParamsSetKuAndEku(
+    PKIX_ProcessingParams *procParams,
+    CERTCertificate       *cert,
+    PRBool                 isCA,
+    SECCertUsage           requiredCertUsage,
+    PRUint32               requiredKeyUsages,
+    void                  *plContext)
+{
+    PKIX_List             *extKeyUsage = NULL;
+    PKIX_CertSelector     *certSelector = NULL;
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_PL_NssContext    *nssContext = (PKIX_PL_NssContext*)plContext;
+    PKIX_UInt32            keyUsage = 0;
+ 
+    PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKuAndEku");
+    PKIX_NULLCHECK_TWO(procParams, nssContext);
+    
+    PKIX_CHECK(
+        pkix_pl_NssContext_SetCertUsage(
+	    ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
+	    PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
+
+    PKIX_CHECK(
+        cert_NssCertificateUsageToPkixKUAndEKU(cert, requiredCertUsage,
+                                               requiredKeyUsages, isCA, 
+                                               &extKeyUsage, &keyUsage,
+                                               plContext),
+        PKIX_CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES);
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
+                                                       &certSelector, plContext),
+        PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+
+    PKIX_CHECK(
+        PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
+                                                      &certSelParams, plContext),
+        PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+    
+
+    PKIX_CHECK(
+        PKIX_ComCertSelParams_SetKeyUsage(certSelParams, keyUsage,
+                                          plContext),
+        PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
+
+    PKIX_CHECK(
+        PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams,
+                                                  extKeyUsage,
+                                                  plContext),
+        PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);
+
+    PKIX_CHECK(
+        PKIX_PL_EkuChecker_Create(procParams, plContext),
+        PKIX_EKUCHECKERINITIALIZEFAILED);
+
+cleanup:
+    PKIX_DECREF(extKeyUsage);
+    PKIX_DECREF(certSelector);
+    PKIX_DECREF(certSelParams);
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+/*
+ * Unused parameters: 
+ *
+ *  CERTCertList *initialChain,
+ *  CERTCertStores certStores,
+ *  CERTCertRevCheckers certRevCheckers,
+ *  CERTCertChainCheckers certChainCheckers,
+ *  SECItem *initPolicies,
+ *  PRBool policyQualifierRejected,
+ *  PRBool anyPolicyInhibited,
+ *  PRBool reqExplicitPolicy,
+ *  PRBool policyMappingInhibited,
+ *  PKIX_CertSelector certConstraints,
+ */
+
+/*
+ * FUNCTION: cert_CreatePkixProcessingParams
+ * DESCRIPTION:
+ *
+ * Creates and fills in PKIX_ProcessingParams structure to be used
+ * for certificate chain building.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Pointer to the CERTCertificate: the leaf certificate of a chain.
+ *  "time"
+ *      Validity time.
+ *  "wincx"
+ *      Nss db password token.
+ *  "useArena"
+ *      Flags to use arena for data allocation during chain building process.
+ *  "pprocParams"
+ *      Address to return created processing parameters.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_CreatePkixProcessingParams(
+    CERTCertificate        *cert,
+    PRBool                  checkSig, /* not used yet. See bug 391476 */
+    PRTime                  time,
+    void                   *wincx,
+    PRBool                  useArena,
+#ifdef DEBUG_volkov
+    PRBool                  checkAllCertsOCSP,
+#endif
+    PKIX_ProcessingParams **pprocParams,
+    void                  **pplContext)
+{
+    PKIX_List             *anchors = NULL;
+    PKIX_PL_Cert          *targetCert = NULL;
+    PKIX_PL_Date          *date = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_CertSelector     *certSelector = NULL;
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_CertStore        *certStore = NULL;
+    PKIX_List             *certStores = NULL;
+#ifdef DEBUG_volkov
+    PKIX_RevocationChecker *ocspChecker = NULL;
+#endif
+    void                  *plContext = NULL;
+    
+    PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
+    PKIX_NULLCHECK_TWO(cert, pprocParams);
+ 
+    PKIX_CHECK(
+        PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
+        PKIX_NSSCONTEXTCREATEFAILED);
+
+    *pplContext = plContext;
+
+#ifdef PKIX_NOTDEF 
+    /* Functions should be implemented in patch for 390532 */
+    PKIX_CHECK(
+        pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
+                                                 (PKIX_PL_NssContext*)plContext),
+        PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
+
+#endif /* PKIX_NOTDEF */
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_Create(&procParams, plContext),
+        PKIX_PROCESSINGPARAMSCREATEFAILED);
+    
+    PKIX_CHECK(
+        PKIX_ComCertSelParams_Create(&certSelParams, plContext),
+        PKIX_COMCERTSELPARAMSCREATEFAILED);
+    
+    PKIX_CHECK(
+        PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
+        PKIX_CERTCREATEWITHNSSCERTFAILED);
+
+    PKIX_CHECK(
+        PKIX_ComCertSelParams_SetCertificate(certSelParams,
+                                             targetCert, plContext),
+        PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
+    
+    PKIX_CHECK(
+        PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
+        PKIX_COULDNOTCREATECERTSELECTOROBJECT);
+    
+    PKIX_CHECK(
+        PKIX_CertSelector_SetCommonCertSelectorParams(certSelector,
+                                                      certSelParams, plContext),
+        PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+    
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
+                                                       certSelector, plContext),
+        PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
+
+    PKIX_CHECK(
+        PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
+        PKIX_PK11CERTSTORECREATEFAILED);
+    
+    PKIX_CHECK(
+        PKIX_List_Create(&certStores, plContext),
+        PKIX_UNABLETOCREATELIST);
+    
+    PKIX_CHECK(
+        PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore,
+                             plContext),
+        PKIX_LISTAPPENDITEMFAILED);
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetCertStores(procParams, certStores,
+                                            plContext),
+        PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED);
+
+    PKIX_CHECK(
+        PKIX_PL_Date_CreateFromPRTime(time, &date, plContext),
+        PKIX_DATECREATEFROMPRTIMEFAILED);
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetDate(procParams, date, plContext),
+        PKIX_PROCESSINGPARAMSSETDATEFAILED);
+    
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(procParams,
+                                                             PKIX_FALSE,
+                                                             plContext),
+        PKIX_PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED);
+
+#ifdef DEBUG_volkov1
+    /* Enables ocsp rev checking of the chain cert through pkix OCSP
+     * implementation. */
+    if (checkAllCertsOCSP) {
+        PKIX_CHECK(
+            PKIX_OcspChecker_Initialize(date, NULL, NULL, 
+                                        &ocspChecker, plContext),
+            PKIX_PROCESSINGPARAMSSETDATEFAILED);
+        
+        PKIX_CHECK(
+            PKIX_ProcessingParams_AddRevocationChecker(procParams,
+                                                       ocspChecker, plContext),
+            PKIX_PROCESSINGPARAMSSETDATEFAILED);
+    }
+#endif
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
+                                                    plContext),
+        PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED);
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
+                                                       plContext),
+        PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
+
+    PKIX_CHECK(
+        PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE,
+                                                        plContext),
+        PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
+ 
+    *pprocParams = procParams;
+    procParams = NULL;
+
+cleanup:
+    PKIX_DECREF(anchors);
+    PKIX_DECREF(targetCert);
+    PKIX_DECREF(date);
+    PKIX_DECREF(certSelector);
+    PKIX_DECREF(certSelParams);
+    PKIX_DECREF(certStore);
+    PKIX_DECREF(certStores);
+    PKIX_DECREF(procParams);
+#ifdef DEBUG_volkov    
+    PKIX_DECREF(ocspChecker);
+#endif
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+/*
+ * FUNCTION: cert_PkixToNssCertsChain
+ * DESCRIPTION:
+ *
+ * Converts pkix cert list into nss cert list.
+ * 
+ * PARAMETERS:
+ *  "pkixCertChain"
+ *      Pkix certificate list.     
+ *  "pvalidChain"
+ *      An address of returned nss certificate list.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_PkixToNssCertsChain(
+    PKIX_List *pkixCertChain, 
+    CERTCertList **pvalidChain, 
+    void *plContext)
+{
+    PRArenaPool     *arena = NULL;
+    CERTCertificate *nssCert = NULL;
+    CERTCertList    *validChain = NULL;
+    PKIX_PL_Object  *certItem = NULL;
+    PKIX_UInt32      length = 0;
+    PKIX_UInt32      i = 0;
+
+    PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
+    PKIX_NULLCHECK_ONE(pvalidChain);
+
+    if (pkixCertChain == NULL) {
+        goto cleanup;
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PKIX_ERROR(PKIX_OUTOFMEMORY);
+    }
+    validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+    if (validChain == NULL) {
+        PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+    }
+    PR_INIT_CLIST(&validChain->list);
+    validChain->arena = arena;
+    arena = NULL;
+
+    PKIX_CHECK(
+        PKIX_List_GetLength(pkixCertChain, &length, plContext),
+        PKIX_LISTGETLENGTHFAILED);
+
+    for (i = 0; i < length; i++){
+        CERTCertListNode *node = NULL;
+
+        PKIX_CHECK(
+            PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
+            PKIX_LISTGETITEMFAILED);
+        
+        PKIX_CHECK(
+            PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert,
+                                    plContext),
+            PKIX_CERTGETCERTCERTIFICATEFAILED);
+        
+        node =
+            (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
+                                                 sizeof(CERTCertListNode));
+        if ( node == NULL ) {
+            PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        PR_INSERT_BEFORE(&node->links, &validChain->list);
+
+        node->cert = nssCert;
+        nssCert = NULL;
+
+        PKIX_DECREF(certItem);
+    }
+
+    *pvalidChain = validChain;
+
+cleanup:
+    if (PKIX_ERROR_RECEIVED){
+        if (validChain) {
+            CERT_DestroyCertList(validChain);
+        } else if (arena) {
+            PORT_FreeArena(arena, PR_FALSE);
+        }
+        if (nssCert) {
+            CERT_DestroyCertificate(nssCert);
+        }
+    }
+    PKIX_DECREF(certItem);
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+
+/*
+ * FUNCTION: cert_BuildAndValidateChain
+ * DESCRIPTION:
+ *
+ * The function builds and validates a cert chain based on certificate
+ * selection criterias from procParams. This function call PKIX_BuildChain
+ * to accomplish chain building. If PKIX_BuildChain returns with incomplete
+ * IO, the function waits with PR_Poll until the blocking IO is finished and
+ * return control back to PKIX_BuildChain.
+ *
+ * PARAMETERS:
+ *  "procParams"
+ *      Processing parameters to be used during chain building.
+ *  "pResult"
+ *      Returned build result.
+ *  "pVerifyNode"
+ *      Returned pointed to verify node structure: the tree-like structure
+ *      that reports points of chain building failures.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_BuildAndValidateChain(
+    PKIX_ProcessingParams *procParams,
+    PKIX_BuildResult **pResult,
+    PKIX_VerifyNode **pVerifyNode,
+    void *plContext)
+{
+    PKIX_BuildResult *result = NULL;
+    PKIX_VerifyNode  *verifyNode = NULL;
+    void             *nbioContext = NULL;
+    void             *state = NULL;
+    
+    PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
+    PKIX_NULLCHECK_TWO(procParams, pResult);
+ 
+    do {
+        if (nbioContext && state) {
+            /* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
+             * See bug 391180 */
+            PRInt32 filesReady = 0;
+            PRPollDesc *pollDesc = (PRPollDesc*)nbioContext;
+            filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
+            if (filesReady <= 0) {
+                PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
+            }
+        }
+
+        PKIX_CHECK(
+            PKIX_BuildChain(procParams, &nbioContext, &state,
+                            &result, &verifyNode, plContext),
+            PKIX_UNABLETOBUILDCHAIN);
+        
+    } while (nbioContext && state);
+
+    *pResult = result;
+
+cleanup:
+    if (pVerifyNode) {
+        *pVerifyNode = verifyNode;
+    }
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+
+/*
+ * FUNCTION: cert_PkixErrorToNssCode
+ * DESCRIPTION:
+ *
+ * Converts pkix error(PKIX_Error) structure to PR error codes.
+ *
+ * PKIX-XXX to be implemented. See 391183.
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Pkix error that will be converted.
+ *  "nssCode"
+ *      Corresponding nss error code.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+cert_PkixErrorToNssCode(
+    PKIX_Error *error,
+    SECErrorCodes *pNssErr,
+    void *plContext)
+{
+    int errLevel = 0;
+    PKIX_UInt32 nssErr = 0;
+    PKIX_Error *errPtr = error;
+
+    PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
+    PKIX_NULLCHECK_TWO(error, pNssErr);
+    
+    /* Loop until we find at least one error with non-null
+     * plErr code, that is going to be nss error code. */
+    while (errPtr) {
+        if (errPtr->plErr && !nssErr) {
+            nssErr = errPtr->plErr;
+            if (!pkixLog) break;
+        }
+        if (pkixLog) {
+            PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
+                                PKIX_ErrorText[errPtr->errCode]));
+        }
+        errPtr = errPtr->cause;
+        errLevel += 1; 
+    }
+    PORT_Assert(nssErr);
+    if (!nssErr) {
+        *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
+    } else {
+        *pNssErr = nssErr;
+    }
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+/*
+ * FUNCTION: cert_GetLogFromVerifyNode
+ * DESCRIPTION:
+ *
+ * Recursive function that converts verify node tree-like set of structures
+ * to CERTVerifyLog.
+ *
+ * PARAMETERS:
+ *  "log"
+ *      Pointed to already allocated CERTVerifyLog structure. 
+ *  "node"
+ *      A node of PKIX_VerifyNode tree.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+cert_GetLogFromVerifyNode(
+    CERTVerifyLog *log,
+    PKIX_VerifyNode *node,
+    void *plContext)
+{
+    PKIX_List       *children = NULL;
+    PKIX_VerifyNode *childNode = NULL;
+
+    PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
+
+    children = node->children;
+
+    if (children == NULL) {
+        PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT;
+        if (node->error && node->error->errCode != errCode) {
+#ifdef DEBUG_volkov
+            char *string = pkix_Error2ASCII(node->error, plContext);
+            fprintf(stderr, "Branch search finished with error: \t%s\n", string);
+            PKIX_PL_Free(string, NULL);
+#endif
+            if (log != NULL) {
+                SECErrorCodes nssErrorCode = 0;
+                CERTCertificate *cert = NULL;
+
+                cert = node->verifyCert->nssCert;
+
+                PKIX_CHECK(
+                    cert_PkixErrorToNssCode(node->error, &nssErrorCode,
+                                            plContext),
+                    PKIX_GETPKIXERRORCODEFAILED);
+                
+                cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
+            }
+        }
+        PKIX_RETURN(CERTVFYPKIX);
+    } else {
+        PRUint32      i = 0;
+        PKIX_UInt32   length = 0;
+
+        PKIX_CHECK(
+            PKIX_List_GetLength(children, &length, plContext),
+            PKIX_LISTGETLENGTHFAILED);
+        
+        for (i = 0; i < length; i++){
+
+            PKIX_CHECK(
+                PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode,
+                                  plContext),
+                PKIX_LISTGETITEMFAILED);
+            
+            PKIX_CHECK(
+                cert_GetLogFromVerifyNode(log, childNode, plContext),
+                PKIX_ERRORINRECURSIVEEQUALSCALL);
+
+            PKIX_DECREF(childNode);
+        }
+    }
+
+cleanup:
+    PKIX_DECREF(childNode);
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+/*
+ * FUNCTION: cert_GetBuildResults
+ * DESCRIPTION:
+ *
+ * Converts pkix build results to nss results. This function is called
+ * regardless of build result.
+ *
+ * If it called after chain was successfully constructed, then it will
+ * convert:
+ *   * pkix cert list that represent the chain to nss cert list
+ *   * trusted root the chain was anchored to nss certificate.
+ *
+ * In case of failure it will convert:
+ *   * pkix error to PR error code(will set it with PORT_SetError)
+ *   * pkix validation log to nss CERTVerifyLog
+ *   
+ * PARAMETERS:
+ *  "buildResult"
+ *      Build results returned by PKIX_BuildChain.
+ *  "verifyNode"
+ *      Tree-like structure of chain building/validation failures
+ *      returned by PKIX_BuildChain. Ignored in case of success.
+ *  "error"
+ *      Final error returned by PKIX_BuildChain. Should be NULL in
+ *      case of success.
+ *  "log"
+ *      Address of pre-allocated(if not NULL) CERTVerifyLog structure.
+ *  "ptrustedRoot"
+ *      Address of returned trusted root the chain was anchored to.
+ *  "pvalidChain"
+ *      Address of returned valid chain.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Verify Error if the function fails in an unrecoverable way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+cert_GetBuildResults(
+    PKIX_BuildResult *buildResult,
+    PKIX_VerifyNode  *verifyNode,
+    PKIX_Error       *error,
+    CERTVerifyLog    *log,
+    CERTCertificate **ptrustedRoot,
+    CERTCertList    **pvalidChain,
+    void             *plContext)
+{
+    PKIX_ValidateResult *validResult = NULL;
+    CERTCertList        *validChain = NULL;
+    CERTCertificate     *trustedRoot = NULL;
+    PKIX_TrustAnchor    *trustAnchor = NULL;
+    PKIX_PL_Cert        *trustedCert = NULL;
+    PKIX_List           *pkixCertChain = NULL;
+#ifdef DEBUG_volkov
+    PKIX_Error          *tmpPkixError = NULL;
+#endif /* DEBUG */
+            
+    PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
+    if (buildResult == NULL && error == NULL) {
+        PKIX_ERROR(PKIX_NULLARGUMENT);
+    }
+
+    if (error) {
+        SECErrorCodes nssErrorCode = 0;
+#ifdef DEBUG_volkov        
+        char *temp = pkix_Error2ASCII(error, plContext);
+        fprintf(stderr, "BUILD ERROR:\n%s\n", temp);
+        PKIX_PL_Free(temp, NULL);
+#endif /* DEBUG */
+        if (verifyNode) {
+            PKIX_Error *tmpError =
+                cert_GetLogFromVerifyNode(log, verifyNode, plContext);
+            if (tmpError) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+            }
+        }
+        cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+        PORT_SetError(nssErrorCode);
+        goto cleanup;
+    }
+
+    if (pvalidChain) {
+        PKIX_CHECK(
+            PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain,
+                                          plContext),
+            PKIX_BUILDRESULTGETCERTCHAINFAILED);
+
+#ifdef DEBUG_volkov
+        tmpPkixError = cert_PrintCertChain(pkixCertChain, plContext);
+        if (tmpPkixError) {
+            PKIX_PL_Object_DecRef((PKIX_PL_Object*)tmpPkixError, plContext);
+        }
+#endif        
+
+        PKIX_CHECK(
+            cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext),
+            PKIX_CERTCHAINTONSSCHAINFAILED);
+    }
+
+    if (ptrustedRoot) {
+        PKIX_CHECK(
+            PKIX_BuildResult_GetValidateResult(buildResult, &validResult,
+                                               plContext),
+            PKIX_BUILDRESULTGETVALIDATERESULTFAILED);
+
+        PKIX_CHECK(
+            PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor,
+                                               plContext),
+            PKIX_VALIDATERESULTGETTRUSTANCHORFAILED);
+
+        PKIX_CHECK(
+            PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert,
+                                            plContext),
+            PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+
+#ifdef DEBUG_volkov
+        if (pvalidChain == NULL) {
+            cert_PrintCert(trustedCert, plContext);
+        }
+#endif        
+
+       PKIX_CHECK(
+            PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot,
+                                            plContext),
+            PKIX_CERTGETCERTCERTIFICATEFAILED);
+    }
+ 
+    PORT_Assert(!PKIX_ERROR_RECEIVED);
+
+    if (trustedRoot) {
+        *ptrustedRoot = trustedRoot;
+    }
+    if (validChain) {
+        *pvalidChain = validChain;
+    }
+
+cleanup:
+    if (PKIX_ERROR_RECEIVED) {
+        if (trustedRoot) {
+            CERT_DestroyCertificate(trustedRoot);
+        }
+        if (validChain) {
+            CERT_DestroyCertList(validChain);
+        }
+    }
+    PKIX_DECREF(trustAnchor);
+    PKIX_DECREF(trustedCert);
+    PKIX_DECREF(pkixCertChain);
+    PKIX_DECREF(validResult);
+    PKIX_DECREF(error);
+    PKIX_DECREF(verifyNode);
+    PKIX_DECREF(buildResult);
+    
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+/*
+ * FUNCTION: cert_VerifyCertChainPkix
+ * DESCRIPTION:
+ *
+ * The main wrapper function that is called from CERT_VerifyCert and
+ * CERT_VerifyCACertForUsage functions to validate cert with libpkix.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Leaf certificate of a chain we want to build.
+ *  "checkSig"
+ *      Certificate signatures will not be verified if this
+ *      flag is set to PR_FALSE.
+ *  "requiredUsage"
+ *      Required usage for certificate and chain.
+ *  "time"
+ *      Validity time.
+ *  "wincx"
+ *      Nss database password token.
+ *  "log"
+ *      Address of already allocated CERTVerifyLog structure. Not
+ *      used if NULL;
+ *  "pSigerror"
+ *      Address of PRBool. If not NULL, returns true is cert chain
+ *      was invalidated because of bad certificate signature.
+ *  "pRevoked"
+ *      Address of PRBool. If not NULL, returns true is cert chain
+ *      was invalidated because a revoked certificate was found in
+ *      the chain.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  SECFailure is chain building process has failed. SECSuccess otherwise.
+ */
+SECStatus
+cert_VerifyCertChainPkix(
+    CERTCertificate *cert,
+    PRBool           checkSig,
+    SECCertUsage     requiredUsage,
+    PRTime           time,
+    void            *wincx,
+    CERTVerifyLog   *log,
+    PRBool          *pSigerror,
+    PRBool          *pRevoked)
+{
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_BuildResult      *result = NULL;
+    PKIX_VerifyNode       *verifyNode = NULL;
+    PKIX_Error            *error = NULL;
+
+    SECStatus              rv = SECFailure;
+    void                  *plContext = NULL;
+#ifdef DEBUG_volkov
+    CERTCertificate       *trustedRoot = NULL;
+    CERTCertList          *validChain = NULL;
+#endif /* DEBUG */
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+    int  leakedObjNum = 0;
+    int  memLeakLoopCount = 0;
+    int  objCountTable[PKIX_NUMTYPES]; 
+    int  fnInvLocalCount = 0;
+
+    testStartFnStackPosition = 2;
+    fnStackNameArr[0] = "cert_VerifyCertChainPkix";
+    fnStackInvCountArr[0] = 0;
+    PKIX_Boolean abortOnLeak = 
+        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+                                                   PKIX_FALSE : PKIX_TRUE;
+    runningLeakTest = PKIX_TRUE;
+
+    /* Prevent multi-threaded run of object leak test */
+    fnInvLocalCount = PR_AtomicIncrement(&parallelFnInvocationCount);
+    PORT_Assert(fnInvLocalCount == 1);
+
+do {
+    rv = SECFailure;
+    plContext = NULL;
+    procParams = NULL;
+    result = NULL;
+    verifyNode = NULL;
+    error = NULL;
+#ifdef DEBUG_volkov
+    trustedRoot = NULL;
+    validChain = NULL;
+#endif /* DEBUG */
+    errorGenerated = PKIX_FALSE;
+    stackPosition = 0;
+
+    if (leakedObjNum) {
+        pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); 
+    }
+
+    PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount++));
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+    error =
+        cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
+                                        PR_FALSE/*use arena*/,
+#ifdef DEBUG_volkov
+                                        /* If in DEBUG_volkov, then enable OCSP
+                                         * check for all certs in the chain
+                                         * using libpkix ocsp code.
+                                         * (except for certUsageStatusResponder). */
+                                        requiredUsage != certUsageStatusResponder,
+#endif
+                                        &procParams, &plContext);
+    if (error) {
+        goto cleanup;
+    }
+
+    error =
+        cert_ProcessingParamsSetKuAndEku(procParams, cert, PR_TRUE,
+                                         requiredUsage, 0, plContext);
+    if (error) {
+        goto cleanup;
+    }
+
+    error = 
+        cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
+    if (error) {
+        goto cleanup;
+    }
+    
+    if (pRevoked) {
+        /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+        *pRevoked = PR_FALSE;
+    }
+    if (pSigerror) {
+        /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+        *pSigerror = PR_FALSE;
+    }
+    rv = SECSuccess;
+
+cleanup:
+    error = cert_GetBuildResults(result, verifyNode, error, log,
+#ifdef DEBUG_volkov                                 
+                                 &trustedRoot, &validChain,
+#else
+                                 NULL, NULL,
+#endif /* DEBUG */
+                                 plContext);
+    if (error) {
+#ifdef DEBUG_volkov        
+        char *temp = pkix_Error2ASCII(error, plContext);
+        fprintf(stderr, "GET BUILD RES ERRORS:\n%s\n", temp);
+        PKIX_PL_Free(temp, NULL);
+#endif /* DEBUG */
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+    }
+#ifdef DEBUG_volkov
+    if (trustedRoot) {
+        CERT_DestroyCertificate(trustedRoot);
+    }
+    if (validChain) {
+        CERT_DestroyCertList(validChain);
+    }
+#endif /* DEBUG */
+    if (procParams) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+    }
+    if (plContext) {
+        PKIX_PL_NssContext_Destroy(plContext);
+    }
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+    leakedObjNum =
+        pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
+    
+    if (pkixLog && leakedObjNum) {
+        PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. "
+                            "Stack %s\n", errorFnStackString));
+    }
+    PR_Free(errorFnStackString);
+    errorFnStackString = NULL;
+    if (abortOnLeak) {
+        PORT_Assert(leakedObjNum == 0);
+    }
+
+} while (errorGenerated);
+
+    runningLeakTest = PKIX_FALSE; 
+    PR_AtomicDecrement(&parallelFnInvocationCount);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+    return rv;
+}
+
+PKIX_CertSelector *
+cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) 
+{
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_CertSelector *certSelector = NULL;
+    PKIX_CertSelector *r= NULL;
+    PKIX_PL_Cert *eeCert = NULL;
+    PKIX_Error *error = NULL;
+
+    error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_ComCertSelParams_SetCertificate(
+                                certSelParams, eeCert, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_CertSelector_SetCommonCertSelectorParams
+        (certSelector, certSelParams, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
+    if (error == NULL) r = certSelector;
+
+cleanup:
+    if (certSelParams != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
+
+    if (eeCert != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
+
+    if (certSelector != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+
+    if (error != NULL) {
+	SECErrorCodes nssErr;
+
+	cert_PkixErrorToNssCode(error, &nssErr, plContext);
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+	PORT_SetError(nssErr);
+    }
+
+    return r;
+}
+
+static PKIX_List *
+cert_GetCertStores(void *plContext)
+{
+    PKIX_CertStore *certStore = NULL;
+    PKIX_List *certStores = NULL;
+    PKIX_List *r = NULL;
+    PKIX_Error *error = NULL;
+
+    error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_List_Create(&certStores, plContext);
+    if (error != NULL)  goto cleanup;
+
+    error = PKIX_List_AppendItem( certStores, 
+                          (PKIX_PL_Object *)certStore, plContext);
+    if (error != NULL)  goto cleanup;
+
+    error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
+    if (error == NULL) r = certStores;
+
+cleanup:
+    if (certStores != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+
+    if (certStore != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
+
+    if (error != NULL) {
+	SECErrorCodes nssErr;
+
+	cert_PkixErrorToNssCode(error, &nssErr, plContext);
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+	PORT_SetError(nssErr);
+    }
+
+    return r;
+}
+
+/* XXX
+ *  There is no NSS SECItem -> PKIX OID
+ *  conversion function. For now, I go via the ascii
+ *  representation 
+ *  this should be in PKIX_PL_*
+ */
+
+PKIX_PL_OID *
+CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext)
+{
+    char *oidstring = NULL;
+    char *oidstring_adj = NULL;
+    PKIX_PL_OID *policyOID = NULL;
+    SECOidData *data;
+
+    data =  SECOID_FindOIDByTag(tag);
+    if (data != NULL) {
+        oidstring = CERT_GetOidString(&data->oid);
+        if (oidstring == NULL) {
+            goto cleanup;
+        }
+        oidstring_adj = oidstring;
+        if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) {
+            oidstring_adj += 4;
+        }
+
+        PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext);
+    }
+cleanup:
+    if (oidstring != NULL) PR_smprintf_free(oidstring);
+
+    return policyOID;
+}
+
+struct fake_PKIX_PL_CertStruct {
+        CERTCertificate *nssCert;
+};
+
+/* This needs to be part of the PKIX_PL_* */
+/* This definitely needs to go away, and be replaced with
+   a real accessor function in PKIX */
+CERTCertificate *
+cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert, void *plContext)
+{
+    struct fake_PKIX_PL_CertStruct *fcert = NULL;
+
+    fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert;
+
+    return CERT_DupCertificate(fcert->nssCert);
+}
+
+PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
+{
+    PKIX_List *r = NULL;
+    PKIX_List *policyList = NULL;
+    PKIX_PL_OID *policyOID = NULL;
+    PKIX_Error *error = NULL;
+    int i;
+
+    error = PKIX_List_Create(&policyList, plContext);
+    if (error != NULL) {
+	goto cleanup;
+    }
+
+    for (i=0; i<oidCount; i++) {
+        policyOID = CERT_PKIXOIDFromNSSOid(oids[i],plContext);
+        if (policyOID == NULL) {
+            goto cleanup;
+        }
+        error = PKIX_List_AppendItem(policyList, 
+                (PKIX_PL_Object *)policyOID, plContext);
+        if (error != NULL) {
+            PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
+            goto cleanup;
+        }
+    }
+
+    error = PKIX_List_SetImmutable(policyList, plContext);
+    if (error != NULL) goto cleanup;
+
+    error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
+    if (error == NULL) r = policyList;
+
+cleanup:
+    if (policyOID != NULL)  {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
+    }
+    if (policyList != NULL)  {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
+    }
+    if (error != NULL)  {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+    }
+
+    return r;
+}
+
+CERTValOutParam *
+cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t)
+{
+    CERTValOutParam *i;
+    if (params == NULL) {
+        return NULL;
+    }
+    for (i = params; i->type != cert_po_end; i++) {
+        if (i->type == t) {
+             return i;
+        }
+    }
+    return NULL;
+}
+
+SECStatus
+cert_pkixSetParam(PKIX_ProcessingParams *procParams, 
+  const CERTValInParam *param, void *plContext)
+{
+    PKIX_Error * error = NULL;
+    SECStatus r=SECSuccess;
+    PKIX_PL_Date *date = NULL;
+    PKIX_List *policyOIDList = NULL;
+    PKIX_RevocationChecker *ocspChecker = NULL;
+    PKIX_List *certListPkix = NULL;
+    const CERTRevocationFlags *flags;
+    SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS;
+    const CERTCertList *certList = NULL;
+    CERTCertListNode *node;
+    PKIX_PL_Cert *certPkix = NULL;
+    PKIX_TrustAnchor *trustAnchor = NULL;
+
+    /* XXX we need a way to map generic PKIX error to generic NSS errors */
+
+    switch (param->type) {
+
+        case cert_pi_policyOID:
+
+            /* needed? */
+            error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
+                                procParams, PKIX_TRUE, plContext);
+
+            if (error != NULL) { 
+                break;
+            }
+
+            policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
+                                param->value.arraySize,plContext);
+	    if (policyOIDList == NULL) {
+		r = SECFailure;
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		break;
+	    }
+
+            error = PKIX_ProcessingParams_SetInitialPolicies(
+                                procParams,policyOIDList,plContext);
+            break;
+
+        case cert_pi_date:
+            if (param->value.scalar.time == 0) {
+                error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
+                if (error != NULL) {
+                    errCode = SEC_ERROR_INVALID_TIME;
+                    break;
+                }
+            } else {
+                error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
+                                                       &date, plContext);
+                if (error != NULL) {
+                    errCode = SEC_ERROR_INVALID_TIME;
+                    break;
+                }
+            }
+
+            error = PKIX_ProcessingParams_SetDate(procParams, date, plContext);
+            if (error != NULL) {
+                errCode = SEC_ERROR_INVALID_TIME;
+            }
+            break;
+
+        case cert_pi_revocationFlags:
+        {
+            PRBool ocspTurnedOnForLeaf = PR_FALSE;
+            PRBool ocspTurnedOnForChain = PR_FALSE;
+            PRBool crlTurnedOnForLeaf = PR_FALSE;
+            PRBool crlTurnedOnForChain = PR_FALSE;
+            PRBool crlHardFailure = PR_FALSE;
+
+            flags = param->value.pointer.revocation;
+            if (!flags) {
+                PORT_SetError(errCode);
+                r = SECFailure;
+                break;
+            }
+
+            if (
+                /* caller did define OCSP leaf behavior */
+                (flags->leafTests.number_of_defined_methods >
+                    cert_revocation_method_ocsp)
+                &&
+                /* caller allows OCSP testing for the leaf */
+                (flags->leafTests.cert_rev_flags_per_method
+                    [cert_revocation_method_ocsp]
+                    & CERT_REV_M_TEST_USING_THIS_METHOD)) {
+                ocspTurnedOnForLeaf = PR_TRUE;
+            }
+
+            if (
+                /* caller did define OCSP chain behavior */
+                (flags->chainTests.number_of_defined_methods >
+                    cert_revocation_method_ocsp)
+                &&
+                /* caller allows OCSP testing for the chain */
+                (flags->chainTests.cert_rev_flags_per_method
+                    [cert_revocation_method_ocsp]
+                    & CERT_REV_M_TEST_USING_THIS_METHOD)) {
+                ocspTurnedOnForChain = PR_TRUE;
+            }
+
+            if (
+                /* caller did define CRL leaf behavior */
+                (flags->leafTests.number_of_defined_methods >
+                    cert_revocation_method_crl)
+                &&
+                /* caller allows CRL testing for the chain */
+                (flags->leafTests.cert_rev_flags_per_method
+                    [cert_revocation_method_crl]
+                    & CERT_REV_M_TEST_USING_THIS_METHOD)) {
+                crlTurnedOnForLeaf = PR_TRUE;
+            }
+
+            if (
+                /* caller did define CRL chain behavior */
+                (flags->chainTests.number_of_defined_methods >
+                    cert_revocation_method_crl)
+                &&
+                /* caller allows CRL testing for the chain */
+                (flags->chainTests.cert_rev_flags_per_method
+                    [cert_revocation_method_crl]
+                    & CERT_REV_M_TEST_USING_THIS_METHOD)) {
+                crlTurnedOnForChain = PR_TRUE;
+            }
+
+            if (
+                /* caller did define CRL chain behavior */
+                (flags->chainTests.number_of_defined_methods >
+                    cert_revocation_method_crl)
+                &&
+                /* caller requests hard failure on missing (fresh) CRL */
+                (flags->chainTests.cert_rev_flags_per_method
+                    [cert_revocation_method_crl]
+                    & CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO)) {
+                /* FIXME: should also consider flag
+                 *        CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
+                 */
+                crlHardFailure = PR_TRUE;
+            }
+
+            if (!ocspTurnedOnForChain) {
+                /* OCSP off either because: 
+                 * 1) we didn't  turn ocsp on, or
+                 * 2) we are only checking ocsp on the leaf cert only.
+                 * The caller needs to handle the leaf case once we add leaf
+                 * checking there */
+
+                /* currently OCSP is the only external revocation checker */
+                error = PKIX_ProcessingParams_SetRevocationCheckers(procParams,
+                        NULL, plContext);
+            } else {
+                /* FIXME: What should be done if !ocspTurnedOnForLeaf ? */
+
+                /* OCSP is on for the whole chain */
+                if (date == NULL) {
+                    error = PKIX_ProcessingParams_GetDate
+                                        (procParams, &date, plContext );
+                    if (error != NULL) {
+                        errCode = SEC_ERROR_INVALID_TIME;
+                        break;
+                    }
+                }
+                error = PKIX_OcspChecker_Initialize(date, NULL, NULL, 
+                                &ocspChecker, plContext);
+                if (error != NULL) {
+                    break;
+                }
+
+                error = PKIX_ProcessingParams_AddRevocationChecker(procParams,
+                        ocspChecker, plContext);
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)ocspChecker, plContext);
+                ocspChecker=NULL;
+
+                /* FIXME: add support for other revocation flags when underlying
+                 * pkix supports it */
+            }
+            if (error != NULL) {
+                break;
+            }
+            if (!crlTurnedOnForChain) {
+                /* CRL checking is off either because: 
+                 * 1) we didn't turn crl checking on, or
+                 * 2) we are only checking crls on the leaf cert only.
+                 * The caller needs to handle the leaf case once we add leaf
+                 * checking there */
+
+                /* this function only affects the built-in CRL checker */
+                error = PKIX_ProcessingParams_SetRevocationEnabled(procParams,
+                        PKIX_FALSE, plContext);
+                if (error != NULL) {
+                    break;
+                }
+                /* make sure NIST Revocation Policy is off as well */
+                error = PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+                        (procParams, PKIX_FALSE, plContext);
+            } else {
+                /* FIXME: What should be done if !crlTurnedOnForLeaf ? */
+
+                /* CRL checking is on for the whole chain */
+                error = PKIX_ProcessingParams_SetRevocationEnabled(procParams,
+                        PKIX_TRUE, plContext);
+                if (error != NULL) {
+                    break;
+                }
+                error = PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+                    (procParams, 
+                     crlHardFailure ? PKIX_TRUE : PKIX_FALSE,
+                     plContext);
+            }
+        }
+        break;
+
+        case cert_pi_trustAnchors:
+            certList = param->value.pointer.chain;
+
+            error = PKIX_List_Create(&certListPkix, plContext);
+            if (error != NULL) {
+                break;
+            }
+            for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
+                node = CERT_LIST_NEXT(node) ) {
+                error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
+                                                      &certPkix, plContext);
+                if (error) {
+                    break;
+                }
+                error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor,
+                                                        plContext);
+                if (error) {
+                    break;
+                }
+                error = PKIX_List_AppendItem(certListPkix,
+                                 (PKIX_PL_Object*)trustAnchor, plContext);
+                 if (error) {
+                    break;
+                }
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+                trustAnchor = NULL;
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
+                certPkix = NULL;
+            }
+            error =
+                PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix,
+                                                      plContext);
+            break;
+
+        case cert_pi_useAIACertFetch:
+            error =
+                PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
+                                     (PRBool)(param->value.scalar.b != 0),
+                                                               plContext);
+            break;
+            
+        default:
+            PORT_SetError(errCode);
+            r = SECFailure;
+    }
+
+    if (policyOIDList != NULL)
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
+
+    if (date != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
+
+    if (ocspChecker != NULL) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)ocspChecker, plContext);
+
+    if (certListPkix) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
+
+    if (trustAnchor) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+
+    if (certPkix) 
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
+
+    if (error != NULL) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+        PORT_SetError(errCode);
+        r = SECFailure;
+    }
+
+    return r; 
+
+}
+
+void
+cert_pkixDestroyValOutParam(CERTValOutParam *params)
+{
+    CERTValOutParam *i;
+
+    if (params == NULL) {
+        return;
+    }
+    for (i = params; i->type != cert_po_end; i++) {
+        switch (i->type) {
+        case cert_po_trustAnchor:
+            if (i->value.pointer.cert) {
+                CERT_DestroyCertificate(i->value.pointer.cert);
+                i->value.pointer.cert = NULL;
+            }
+            break;
+
+        case cert_po_certList:
+            if (i->value.pointer.chain) {
+                CERT_DestroyCertList(i->value.pointer.chain);
+                i->value.pointer.chain = NULL;
+            }
+            break;
+
+        default:
+            break;
+        }
+    }
+}
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD 
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+};
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  0
+};
+
+static CERTRevocationMethodIndex 
+certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
+  cert_revocation_method_crl
+};
+
+static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = {
+  {
+    /* leafTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
+    1,
+    &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
+    0
+  },
+  {
+    /* chainTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
+    0,
+    0,
+    0
+  }
+};
+
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPEnabledSoftFailurePolicy()
+{
+    return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
+}
+
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD 
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+};
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  0
+};
+
+static CERTRevocationMethodIndex 
+certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
+  cert_revocation_method_crl
+};
+
+static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = {
+  {
+    /* leafTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
+    1,
+    &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
+    0
+  },
+  {
+    /* chainTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
+    0,
+    0,
+    0
+  }
+};
+
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPEnabledHardFailurePolicy()
+{
+    return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
+}
+
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  0
+};
+
+static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FORBID_NETWORK_FETCHING
+  | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+  /* ocsp */
+  0
+};
+
+static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = {
+  {
+    /* leafTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
+    0,
+    0,
+    0
+  },
+  {
+    /* chainTests */
+    2,
+    certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
+    0,
+    0,
+    0
+  }
+};
+
+extern const CERTRevocationFlags*
+CERT_GetClassicOCSPDisabledPolicy()
+{
+    return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
+}
+
+
+static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+  | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+  /* ocsp */
+  0
+};
+
+static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = {
+  /* crl */
+  CERT_REV_M_TEST_USING_THIS_METHOD
+  | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+  | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+  /* ocsp */
+  0
+};
+
+static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = {
+  {
+    /* leafTests */
+    2,
+    certRev_PKIX_Verify_Nist_Policy_LeafFlags,
+    0,
+    0,
+    0
+  },
+  {
+    /* chainTests */
+    2,
+    certRev_PKIX_Verify_Nist_Policy_ChainFlags,
+    0,
+    0,
+    0
+  }
+};
+
+extern const CERTRevocationFlags*
+CERT_GetPKIXVerifyNistRevocationPolicy()
+{
+    return &certRev_PKIX_Verify_Nist_Policy;
+}
+
+
+/*
+ * CERT_PKIXVerifyCert
+ *
+ * Verify a Certificate using the PKIX library.
+ *
+ * Parameters:
+ *  cert    - the target certificate to verify. Must be non-null
+ *  params  - an array of type/value parameters which can be
+ *            used to modify the behavior of the validation
+ *            algorithm, or supply additional constraints.
+ *
+ *  outputTrustAnchor - the trust anchor which the certificate
+ *                      chains to. The caller is responsible
+ *                      for freeing this.
+ *
+ * Example Usage:
+ *    CERTValParam args[3];
+ *    args[0].type = cvpt_policyOID;
+ *    args[0].value.si = oid;
+ *    args[1].type = revCheckRequired;
+ *    args[1].value.b = PR_TRUE;
+ *    args[2].type = cvpt_end;
+ *
+ *    CERT_PKIXVerifyCert(cert, &output, args
+ */
+SECStatus CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
+{
+    SECStatus             r = SECFailure;
+    PKIX_Error *          error = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_BuildResult *    buildResult = NULL;
+    void *                nbioContext = NULL;  /* for non-blocking IO */
+    void *                buildState = NULL;   /* for non-blocking IO */
+    PKIX_CertSelector *   certSelector = NULL;
+    PKIX_List *           certStores = NULL;
+    PKIX_ValidateResult * valResult = NULL;
+    PKIX_VerifyNode     * verifyNode = NULL;
+    PKIX_TrustAnchor *    trustAnchor = NULL;
+    PKIX_PL_Cert *        trustAnchorCert = NULL;
+    PKIX_List *           builtCertList = NULL;
+    CERTValOutParam *     oparam = NULL;
+    int i=0;
+
+    void *plContext = NULL;
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+    int  leakedObjNum = 0;
+    int  memLeakLoopCount = 0;
+    int  objCountTable[PKIX_NUMTYPES];
+    int  fnInvLocalCount = 0;
+    testStartFnStackPosition = 1;
+    fnStackNameArr[0] = "CERT_PKIXVerifyCert";
+    fnStackInvCountArr[0] = 0;
+    PKIX_Boolean abortOnLeak = 
+        (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+                                                   PKIX_FALSE : PKIX_TRUE;
+    runningLeakTest = PKIX_TRUE;
+
+    /* Prevent multi-threaded run of object leak test */
+    fnInvLocalCount = PR_AtomicIncrement(&parallelFnInvocationCount);
+    PORT_Assert(fnInvLocalCount == 1);
+
+do {
+    r = SECFailure;
+    error = NULL;
+    procParams = NULL;
+    buildResult = NULL;
+    nbioContext = NULL;  /* for non-blocking IO */
+    buildState = NULL;   /* for non-blocking IO */
+    certSelector = NULL;
+    certStores = NULL;
+    valResult = NULL;
+    verifyNode = NULL;
+    trustAnchor = NULL;
+    trustAnchorCert = NULL;
+    builtCertList = NULL;
+    oparam = NULL;
+    i=0;
+    errorGenerated = PKIX_FALSE;
+    stackPosition = 0;
+
+    if (leakedObjNum) {
+        pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+    }
+
+    PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount++));
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+    error = PKIX_PL_NssContext_Create(
+            0, PR_FALSE /*use arena*/, wincx, &plContext);
+    if (error != NULL) {        /* need pkix->nss error map */
+        PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+        goto cleanup;
+    }
+
+    error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
+    if (error != NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto cleanup;
+    }
+
+    error = PKIX_ProcessingParams_Create(&procParams, plContext);
+    if (error != NULL) {              /* need pkix->nss error map */
+        PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+        goto cleanup;
+    }
+
+
+    /* now process the extensible input parameters structure */
+    if (paramsIn != NULL) {
+        i=0;
+        while (paramsIn[i].type != cert_pi_end) {
+            if (paramsIn[i].type >= cert_pi_max) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                goto cleanup;
+            }
+            if (cert_pkixSetParam(procParams,
+                     &paramsIn[i],plContext) != SECSuccess) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                goto cleanup;
+            }
+            i++;
+        }
+    }
+
+
+    certSelector = cert_GetTargetCertConstraints(cert, plContext);
+    if (certSelector == NULL) {
+        goto cleanup;
+    }
+    error = PKIX_ProcessingParams_SetTargetCertConstraints
+        (procParams, certSelector, plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    certStores = cert_GetCertStores(plContext);
+    if (certStores == NULL) {
+        goto cleanup;
+    }
+    error = PKIX_ProcessingParams_SetCertStores
+        (procParams, certStores, plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    error = PKIX_BuildChain( procParams, &nbioContext,
+                             &buildState, &buildResult, &verifyNode,
+                             plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
+                                                plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
+                                                plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
+                                                plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+    PORT_Assert(!errorGenerated);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+    oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
+    if (oparam != NULL) {
+        oparam->value.pointer.cert = 
+                cert_NSSCertFromPKIXCert(trustAnchorCert,plContext);
+    }
+
+    error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
+                                                plContext);
+    if (error != NULL) {
+        goto cleanup;
+    }
+
+    oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
+    if (oparam != NULL) {
+        error = cert_PkixToNssCertsChain(builtCertList,
+                                         &oparam->value.pointer.chain,
+                                         plContext);
+        if (error) goto cleanup;
+    }
+
+    r = SECSuccess;
+
+cleanup:
+    if (verifyNode) {
+        /* Return validation log only upon error. */
+        oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
+#ifdef PKIX_OBJECT_LEAK_TEST
+        if (!errorGenerated)
+#endif /* PKIX_OBJECT_LEAK_TEST */
+        if (r && oparam != NULL) {
+            PKIX_Error *tmpError =
+                cert_GetLogFromVerifyNode(oparam->value.pointer.log,
+                                          verifyNode, plContext);
+            if (tmpError) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+            }
+        }
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
+    }
+
+    if (procParams != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+
+    if (trustAnchorCert != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
+
+    if (trustAnchor != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+
+    if (valResult != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
+
+    if (buildResult != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
+
+    if (certStores != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+
+    if (certSelector != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+
+    if (builtCertList != NULL) 
+       PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+
+    if (error != NULL) {
+        SECErrorCodes         nssErrorCode = 0;
+
+        cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+        cert_pkixDestroyValOutParam(paramsOut);
+        PORT_SetError(nssErrorCode);
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+    }
+
+    PKIX_PL_NssContext_Destroy(plContext);
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+    leakedObjNum =
+        pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
+
+    if (pkixLog && leakedObjNum) {
+        PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. "
+                            "Stack %s\n", errorFnStackString));
+    }
+    PR_Free(errorFnStackString);
+    errorFnStackString = NULL;
+    if (abortOnLeak) {
+        PORT_Assert(leakedObjNum == 0);
+    }
+    
+} while (errorGenerated);
+
+    runningLeakTest = PKIX_FALSE; 
+    PR_AtomicDecrement(&parallelFnInvocationCount);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+    return r;
+}
diff --git a/security/nss/lib/certhigh/certvfypkixprint.c b/security/nss/lib/certhigh/certvfypkixprint.c
new file mode 100644
index 000000000..1d59310a9
--- /dev/null
+++ b/security/nss/lib/certhigh/certvfypkixprint.c
@@ -0,0 +1,239 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * nss_pkix_proxy.h
+ *
+ * PKIX - NSS proxy functions
+ *
+ */
+#include "cert.h"
+#include "pkix_pl_common.h"
+
+#ifdef DEBUG
+
+char *
+pkix_Error2ASCII(PKIX_Error *error, void *plContext)
+{
+        PKIX_UInt32 length;
+        char *asciiString = NULL;
+        PKIX_PL_String *pkixString = NULL;
+        PKIX_Error *errorResult = NULL;
+
+        errorResult = PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)error, &pkixString, plContext);
+        if (errorResult) goto cleanup;
+
+        errorResult = PKIX_PL_String_GetEncoded
+                (pkixString,
+                PKIX_ESCASCII,
+                (void **)&asciiString,
+                &length,
+                plContext);
+
+cleanup:
+
+        if (pkixString){
+                if (PKIX_PL_Object_DecRef
+                    ((PKIX_PL_Object*)pkixString, plContext)){
+                        return (NULL);
+                }
+        }
+
+        if (errorResult){
+            PKIX_PL_Object_DecRef((PKIX_PL_Object*)errorResult, plContext);
+            return (NULL);
+        }
+
+        return (asciiString);
+}
+
+char *
+pkix_Object2ASCII(PKIX_PL_Object *object)
+{
+        PKIX_UInt32 length;
+        char *asciiString = NULL;
+        PKIX_PL_String *pkixString = NULL;
+        PKIX_Error *errorResult = NULL;
+
+        errorResult = PKIX_PL_Object_ToString
+                (object, &pkixString, NULL);
+        if (errorResult) goto cleanup;
+
+        errorResult = PKIX_PL_String_GetEncoded
+            (pkixString, PKIX_ESCASCII, (void **)&asciiString, &length, NULL);
+
+cleanup:
+
+        if (pkixString){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixString, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+}
+
+char *
+pkix_Cert2ASCII(PKIX_PL_Cert *cert)
+{
+        PKIX_PL_X500Name *issuer = NULL;
+        void *issuerAscii = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        void *subjectAscii = NULL;
+        void *asciiString = NULL;
+        PKIX_Error *errorResult = NULL;
+        PKIX_UInt32 numChars;
+        PKIX_UInt32 refCount = 0;
+
+        /* Issuer */
+        errorResult = PKIX_PL_Cert_GetIssuer(cert, &issuer, NULL);
+        if (errorResult) goto cleanup;
+
+        issuerAscii = pkix_Object2ASCII((PKIX_PL_Object*)issuer);
+
+        /* Subject */
+        errorResult = PKIX_PL_Cert_GetSubject(cert, &subject, NULL);
+        if (errorResult) goto cleanup;
+
+        if (subject){
+                subjectAscii = pkix_Object2ASCII((PKIX_PL_Object*)subject);
+        }
+
+/*         errorResult = PKIX_PL_Object_GetRefCount((PKIX_PL_Object*)cert, &refCount, NULL); */
+        if (errorResult) goto cleanup;
+
+        errorResult = PKIX_PL_Malloc(200, &asciiString, NULL);
+        if (errorResult) goto cleanup;
+
+        numChars =
+                PR_snprintf
+                (asciiString,
+                200,
+                "Ref: %d   Issuer=%s\nSubject=%s\n",
+                 refCount,
+                issuerAscii,
+                subjectAscii);
+
+        if (!numChars) goto cleanup;
+
+cleanup:
+
+        if (issuer){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)issuer, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (subject){
+                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)subject, NULL)){
+                        return (NULL);
+                }
+        }
+
+        if (PKIX_PL_Free((PKIX_PL_Object*)issuerAscii, NULL)){
+                return (NULL);
+        }
+
+        if (PKIX_PL_Free((PKIX_PL_Object*)subjectAscii, NULL)){
+                return (NULL);
+        }
+
+        if (errorResult){
+                return (NULL);
+        }
+
+        return (asciiString);
+}
+
+PKIX_Error *
+cert_PrintCertChain(
+    PKIX_List *pkixCertChain,
+    void *plContext)
+{
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_UInt32 numCerts = 0, i = 0;
+    char *asciiResult = NULL;
+    
+    PKIX_ENTER(CERTVFYPKIX, "cert_PrintCertChain");
+
+    PKIX_CHECK(
+        PKIX_List_GetLength(pkixCertChain, &numCerts, plContext),
+        PKIX_LISTGETLENGTHFAILED);
+    
+    fprintf(stderr, "\n");
+    
+    for (i = 0; i < numCerts; i++){
+        PKIX_CHECK
+            (PKIX_List_GetItem
+             (pkixCertChain, i, (PKIX_PL_Object**)&cert, plContext),
+             PKIX_LISTGETITEMFAILED);
+        
+        asciiResult = pkix_Cert2ASCII(cert);
+        
+        fprintf(stderr, "CERT[%d]:\n%s\n", i, asciiResult);
+        
+        PKIX_PL_Free(asciiResult, plContext);
+        asciiResult = NULL;
+        
+        PKIX_DECREF(cert);
+    }
+
+cleanup:
+    PKIX_DECREF(cert);
+
+    PKIX_RETURN(CERTVFYPKIX);
+}
+
+void
+cert_PrintCert(
+    PKIX_PL_Cert *pkixCert,
+    void *plContext)
+{
+    char *asciiResult = NULL;
+    
+    asciiResult = pkix_Cert2ASCII(pkixCert);
+    
+    fprintf(stderr, "CERT[0]:\n%s\n", asciiResult);
+    
+    PKIX_PL_Free(asciiResult, plContext);
+}
+
+#endif /* DEBUG */
diff --git a/security/nss/lib/certhigh/config.mk b/security/nss/lib/certhigh/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/lib/certhigh/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/certhigh/crlv2.c b/security/nss/lib/certhigh/crlv2.c
new file mode 100644
index 000000000..6cf9d2af8
--- /dev/null
+++ b/security/nss/lib/certhigh/crlv2.c
@@ -0,0 +1,194 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Code for dealing with x.509 v3 crl and crl entries extensions.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secoidt.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+
+SECStatus
+CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
+{
+    return (cert_FindExtensionByOID (crl->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
+{
+    return (cert_FindExtension (crl->extensions, tag, value));
+}
+
+
+/* Callback to set extensions and adjust verison */
+static void
+SetCrlExts(void *object, CERTCertExtension **exts)
+{
+    CERTCrl *crl = (CERTCrl *)object;
+
+    crl->extensions = exts;
+    DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
+}
+
+void *
+CERT_StartCRLExtensions(CERTCrl *crl)
+{
+    return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
+}
+
+static void
+SetCrlEntryExts(void *object, CERTCertExtension **exts)
+{
+    CERTCrlEntry *crlEntry = (CERTCrlEntry *)object;
+
+    crlEntry->extensions = exts;
+}
+
+void *
+CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry)
+{
+    return (cert_StartExtensions (entry, crl->arena, SetCrlEntryExts));
+}
+
+SECStatus CERT_FindCRLNumberExten (PRArenaPool *arena, CERTCrl *crl,
+                                   SECItem *value)
+{
+    SECItem encodedExtenValue;
+    SECItem *tmpItem = NULL;
+    SECStatus rv;
+    void *mark = NULL;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(crl->extensions, SEC_OID_X509_CRL_NUMBER,
+			  &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    mark = PORT_ArenaMark(arena);
+
+    tmpItem = SECITEM_ArenaDupItem(arena, &encodedExtenValue);
+    if (tmpItem) {
+        rv = SEC_QuickDERDecodeItem (arena, value,
+                                     SEC_ASN1_GET(SEC_IntegerTemplate),
+                                     tmpItem);
+    } else {
+        rv = SECFailure;
+    }
+
+    PORT_Free (encodedExtenValue.data);
+    if (rv == SECFailure) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        PORT_ArenaUnmark(arena, mark);
+    }
+    return (rv);
+}
+
+SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry,
+                                        CERTCRLEntryReasonCode *value)
+{
+    SECItem wrapperItem = {siBuffer,0};
+    SECItem tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);   
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+    
+    rv = cert_FindExtension(crlEntry->extensions, SEC_OID_X509_REASON_CODE, 
+                            &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
+                                SEC_ASN1_GET(SEC_EnumeratedTemplate),
+                                &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    *value = (CERTCRLEntryReasonCode) DER_GetInteger(&tmpItem);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return (rv);
+}
+
+SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
+{
+    SECItem encodedExtenValue;
+    SECItem decodedExtenValue = {siBuffer,0};
+    SECStatus rv;
+
+    encodedExtenValue.data = decodedExtenValue.data = NULL;
+    encodedExtenValue.len = decodedExtenValue.len = 0;
+
+    rv = cert_FindExtension
+	 (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
+			     SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
+                             &encodedExtenValue);
+    if (rv == SECSuccess)
+	rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
+    PORT_Free (decodedExtenValue.data);
+    PORT_Free (encodedExtenValue.data);
+    return (rv);
+}
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
new file mode 100644
index 000000000..9c4b42679
--- /dev/null
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -0,0 +1,68 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	ocsp.h \
+	ocspt.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	ocspti.h \
+	ocspi.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	certhtml.c \
+	certreq.c \
+	crlv2.c \
+	ocsp.c \
+	certhigh.c \
+ 	certvfy.c \
+ 	certvfypkix.c \
+ 	certvfypkixprint.c \
+ 	xcrldist.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = certhi
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
new file mode 100644
index 000000000..187e0ab71
--- /dev/null
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -0,0 +1,5495 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Kai Engert (kengert@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Implementation of OCSP services, for both client and server.
+ * (XXX, really, mostly just for client right now, but intended to do both.)
+ *
+ * $Id$
+ */
+
+#include "prerror.h"
+#include "prprf.h"
+#include "plarena.h"
+#include "prnetdb.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "cert.h"
+#include "xconst.h"
+#include "secerr.h"
+#include "secoid.h"
+#include "hasht.h"
+#include "sechash.h"
+#include "secasn1.h"
+#include "keyhi.h"
+#include "cryptohi.h"
+#include "ocsp.h"
+#include "ocspti.h"
+#include "ocspi.h"
+#include "genname.h"
+#include "certxutl.h"
+#include "pk11func.h"	/* for PK11_HashBuf */
+#include <stdarg.h>
+#include <plhash.h>
+
+#define DEFAULT_OCSP_CACHE_SIZE 1000
+#define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1*60*60L
+#define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24*60*60L
+#define DEFAULT_OSCP_TIMEOUT_SECONDS 60
+#define MICROSECONDS_PER_SECOND 1000000L
+
+typedef struct OCSPCacheItemStr OCSPCacheItem;
+typedef struct OCSPCacheDataStr OCSPCacheData;
+
+struct OCSPCacheItemStr {
+    /* LRU linking */
+    OCSPCacheItem *moreRecent;
+    OCSPCacheItem *lessRecent;
+
+    /* key */
+    CERTOCSPCertID *certID;
+    /* CertID's arena also used to allocate "this" cache item */
+
+    /* cache control information */
+    PRTime nextFetchAttemptTime;
+
+    /* Cached contents. Use a separate arena, because lifetime is different */
+    PRArenaPool *certStatusArena; /* NULL means: no cert status cached */
+    ocspCertStatus certStatus;
+
+    /* This may contain an error code when no OCSP response is available. */
+    SECErrorCodes missingResponseError;
+
+    PRPackedBool haveThisUpdate;
+    PRPackedBool haveNextUpdate;
+    PRTime thisUpdate;
+    PRTime nextUpdate;
+};
+
+struct OCSPCacheDataStr {
+    PLHashTable *entries;
+    PRUint32 numberOfEntries;
+    OCSPCacheItem *MRUitem; /* most recently used cache item */
+    OCSPCacheItem *LRUitem; /* least recently used cache item */
+};
+
+static struct OCSPGlobalStruct {
+    PRMonitor *monitor;
+    const SEC_HttpClientFcn *defaultHttpClientFcn;
+    PRInt32 maxCacheEntries;
+    PRUint32 minimumSecondsToNextFetchAttempt;
+    PRUint32 maximumSecondsToNextFetchAttempt;
+    PRUint32 timeoutSeconds;
+    OCSPCacheData cache;
+    SEC_OcspFailureMode ocspFailureMode;
+} OCSP_Global = { NULL, 
+                  NULL, 
+                  DEFAULT_OCSP_CACHE_SIZE, 
+                  DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
+                  DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT,
+                  DEFAULT_OSCP_TIMEOUT_SECONDS,
+                  {NULL, 0, NULL, NULL},
+                  ocspMode_FailureIsVerificationFailure
+                };
+
+/* Forward declarations */
+static SECItem *
+ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena, 
+                                       CERTOCSPRequest *request,
+                                       char *location, int64 time,
+                                       PRBool addServiceLocator,
+                                       void *pwArg,
+                                       CERTOCSPRequest **pRequest);
+static SECStatus
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
+                              CERTOCSPCertID *certID, 
+                              CERTCertificate *cert, 
+                              int64 time, 
+                              void *pwArg,
+                              PRBool *certIDWasConsumed,
+                              SECStatus *rv_ocsp);
+static SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
+                                        CERTOCSPResponse *response, 
+                                        CERTOCSPCertID   *certID,
+                                        CERTCertificate  *signerCert,
+                                        int64             time,
+                                        CERTOCSPSingleResponse **pSingleResponse);
+
+#ifndef DEBUG
+#define OCSP_TRACE(msg)
+#define OCSP_TRACE_TIME(msg, time)
+#define OCSP_TRACE_CERT(cert)
+#define OCSP_TRACE_CERTID(certid)
+#else
+#define OCSP_TRACE(msg) ocsp_Trace msg
+#define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time)
+#define OCSP_TRACE_CERT(cert) dumpCertificate(cert)
+#define OCSP_TRACE_CERTID(certid) dumpCertID(certid)
+
+#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \
+     || defined(XP_MACOSX)) && !defined(_WIN32_WCE)
+#define NSS_HAVE_GETENV 1
+#endif
+
+static PRBool wantOcspTrace()
+{
+    static PRBool firstTime = PR_TRUE;
+    static PRBool wantTrace = PR_FALSE;
+
+#ifdef NSS_HAVE_GETENV
+    if (firstTime) {
+        char *ev = getenv("NSS_TRACE_OCSP");
+        if (ev && ev[0]) {
+            wantTrace = PR_TRUE;
+        }
+        firstTime = PR_FALSE;
+    }
+#endif
+    return wantTrace;
+}
+
+static void
+ocsp_Trace(const char *format, ...)
+{
+    char buf[2000];
+    va_list args;
+  
+    if (!wantOcspTrace())
+        return;
+    va_start(args, format);
+    PR_vsnprintf(buf, sizeof(buf), format, args);
+    va_end(args);
+    PR_LogPrint("%s", buf);
+}
+
+static void
+ocsp_dumpStringWithTime(const char *str, int64 time)
+{
+    PRExplodedTime timePrintable;
+    char timestr[256];
+
+    if (!wantOcspTrace())
+        return;
+    PR_ExplodeTime(time, PR_GMTParameters, &timePrintable);
+    if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) {
+        ocsp_Trace("OCSP %s %s\n", str, timestr);
+    }
+}
+
+static void
+printHexString(const char *prefix, SECItem *hexval)
+{
+    unsigned int i;
+    char *hexbuf = NULL;
+
+    for (i = 0; i < hexval->len; i++) {
+        if (i != hexval->len - 1) {
+            hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]);
+        } else {
+            hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]);
+        }
+    }
+    if (hexbuf) {
+        ocsp_Trace("%s %s\n", prefix, hexbuf);
+        PR_smprintf_free(hexbuf);
+    }
+}
+
+static void
+dumpCertificate(CERTCertificate *cert)
+{
+    if (!wantOcspTrace())
+        return;
+
+    ocsp_Trace("OCSP ----------------\n");
+    ocsp_Trace("OCSP ## SUBJECT:  %s\n", cert->subjectName);
+    {
+        int64 timeBefore, timeAfter;
+        PRExplodedTime beforePrintable, afterPrintable;
+        char beforestr[256], afterstr[256];
+        PRStatus rv1, rv2;
+        DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore);
+        DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
+        PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
+        PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
+        rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", 
+                      &beforePrintable);
+        rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", 
+                      &afterPrintable);
+        ocsp_Trace("OCSP ## VALIDITY:  %s to %s\n", rv1 ? beforestr : "",
+                   rv2 ? afterstr : "");
+    }
+    ocsp_Trace("OCSP ## ISSUER:  %s\n", cert->issuerName);
+    printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber);
+}
+
+static void
+dumpCertID(CERTOCSPCertID *certID)
+{
+    if (!wantOcspTrace())
+        return;
+
+    printHexString("OCSP certID issuer", &certID->issuerNameHash);
+    printHexString("OCSP certID serial", &certID->serialNumber);
+}
+#endif
+
+SECStatus
+SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable)
+{
+    if (!OCSP_Global.monitor) {
+      PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+      return SECFailure;
+    }
+    
+    PR_EnterMonitor(OCSP_Global.monitor);
+    OCSP_Global.defaultHttpClientFcn = fcnTable;
+    PR_ExitMonitor(OCSP_Global.monitor);
+    
+    return SECSuccess;
+}
+
+static PLHashNumber PR_CALLBACK
+ocsp_CacheKeyHashFunction(const void *key)
+{
+    CERTOCSPCertID *cid = (CERTOCSPCertID *)key;
+    PLHashNumber hash = 0;
+    unsigned int i;
+    unsigned char *walk;
+  
+    /* a very simple hash calculation for the initial coding phase */
+    walk = (unsigned char*)cid->issuerNameHash.data;
+    for (i=0; i < cid->issuerNameHash.len; ++i, ++walk) {
+        hash += *walk;
+    }
+    walk = (unsigned char*)cid->issuerKeyHash.data;
+    for (i=0; i < cid->issuerKeyHash.len; ++i, ++walk) {
+        hash += *walk;
+    }
+    walk = (unsigned char*)cid->serialNumber.data;
+    for (i=0; i < cid->serialNumber.len; ++i, ++walk) {
+        hash += *walk;
+    }
+    return hash;
+}
+
+static PRIntn PR_CALLBACK
+ocsp_CacheKeyCompareFunction(const void *v1, const void *v2)
+{
+    CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1;
+    CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2;
+  
+    return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash, 
+                                            &cid2->issuerNameHash)
+            && SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash, 
+                                               &cid2->issuerKeyHash)
+            && SECEqual == SECITEM_CompareItem(&cid1->serialNumber, 
+                                               &cid2->serialNumber));
+}
+
+static SECStatus
+ocsp_CopyRevokedInfo(PRArenaPool *arena, ocspCertStatus *dest, 
+                     ocspRevokedInfo *src)
+{
+    SECStatus rv = SECFailure;
+    void *mark;
+  
+    mark = PORT_ArenaMark(arena);
+  
+    dest->certStatusInfo.revokedInfo = 
+        (ocspRevokedInfo *) PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo));
+    if (!dest->certStatusInfo.revokedInfo) {
+        goto loser;
+    }
+  
+    rv = SECITEM_CopyItem(arena, 
+                          &dest->certStatusInfo.revokedInfo->revocationTime, 
+                          &src->revocationTime);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+  
+    if (src->revocationReason) {
+        dest->certStatusInfo.revokedInfo->revocationReason = 
+            SECITEM_ArenaDupItem(arena, src->revocationReason);
+        if (!dest->certStatusInfo.revokedInfo->revocationReason) {
+            goto loser;
+        }
+    }  else {
+        dest->certStatusInfo.revokedInfo->revocationReason = NULL;
+    }
+  
+    PORT_ArenaUnmark(arena, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return SECFailure;
+}
+
+static SECStatus
+ocsp_CopyCertStatus(PRArenaPool *arena, ocspCertStatus *dest, 
+                    ocspCertStatus*src)
+{
+    SECStatus rv = SECFailure;
+    dest->certStatusType = src->certStatusType;
+  
+    switch (src->certStatusType) {
+    case ocspCertStatus_good:
+        dest->certStatusInfo.goodInfo = 
+            SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo);
+        if (dest->certStatusInfo.goodInfo != NULL) {
+            rv = SECSuccess;
+        }
+        break;
+    case ocspCertStatus_revoked:
+        rv = ocsp_CopyRevokedInfo(arena, dest, 
+                                  src->certStatusInfo.revokedInfo);
+        break;
+    case ocspCertStatus_unknown:
+        dest->certStatusInfo.unknownInfo = 
+            SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo);
+        if (dest->certStatusInfo.unknownInfo != NULL) {
+            rv = SECSuccess;
+        }
+        break;
+    case ocspCertStatus_other:
+    default:
+        PORT_Assert(src->certStatusType == ocspCertStatus_other);
+        dest->certStatusInfo.otherInfo = 
+            SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo);
+        if (dest->certStatusInfo.otherInfo != NULL) {
+            rv = SECSuccess;
+        }
+        break;
+    }
+    return rv;
+}
+
+static void
+ocsp_AddCacheItemToLinkedList(OCSPCacheData *cache, OCSPCacheItem *new_most_recent)
+{
+    PR_EnterMonitor(OCSP_Global.monitor);
+
+    if (!cache->LRUitem) {
+        cache->LRUitem = new_most_recent;
+    }
+    new_most_recent->lessRecent = cache->MRUitem;
+    new_most_recent->moreRecent = NULL;
+
+    if (cache->MRUitem) {
+        cache->MRUitem->moreRecent = new_most_recent;
+    }
+    cache->MRUitem = new_most_recent;
+
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+static void
+ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item)
+{
+    PR_EnterMonitor(OCSP_Global.monitor);
+
+    if (!item->lessRecent && !item->moreRecent) {
+        /*
+         * Fail gracefully on attempts to remove an item from the list,
+         * which is currently not part of the list.
+         * But check for the edge case it is the single entry in the list.
+         */
+        if (item == cache->LRUitem &&
+            item == cache->MRUitem) {
+            /* remove the single entry */
+            PORT_Assert(cache->numberOfEntries == 1);
+            PORT_Assert(item->moreRecent == NULL);
+            cache->MRUitem = NULL;
+            cache->LRUitem = NULL;
+        }
+        PR_ExitMonitor(OCSP_Global.monitor);
+        return;
+    }
+
+    PORT_Assert(cache->numberOfEntries > 1);
+  
+    if (item == cache->LRUitem) {
+        PORT_Assert(item != cache->MRUitem);
+        PORT_Assert(item->lessRecent == NULL);
+        PORT_Assert(item->moreRecent != NULL);
+        PORT_Assert(item->moreRecent->lessRecent == item);
+        cache->LRUitem = item->moreRecent;
+        cache->LRUitem->lessRecent = NULL;
+    }
+    else if (item == cache->MRUitem) {
+        PORT_Assert(item->moreRecent == NULL);
+        PORT_Assert(item->lessRecent != NULL);
+        PORT_Assert(item->lessRecent->moreRecent == item);
+        cache->MRUitem = item->lessRecent;
+        cache->MRUitem->moreRecent = NULL;
+    } else {
+        /* remove an entry in the middle of the list */
+        PORT_Assert(item->moreRecent != NULL);
+        PORT_Assert(item->lessRecent != NULL);
+        PORT_Assert(item->lessRecent->moreRecent == item);
+        PORT_Assert(item->moreRecent->lessRecent == item);
+        item->moreRecent->lessRecent = item->lessRecent;
+        item->lessRecent->moreRecent = item->moreRecent;
+    }
+
+    item->lessRecent = NULL;
+    item->moreRecent = NULL;
+
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+static void
+ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_recent)
+{
+    OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n", 
+                PR_GetCurrentThread()));
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (cache->MRUitem == new_most_recent) {
+        OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent ALREADY MOST\n"));
+        PR_ExitMonitor(OCSP_Global.monitor);
+        return;
+    }
+    OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent NEW entry\n"));
+    ocsp_RemoveCacheItemFromLinkedList(cache, new_most_recent);
+    ocsp_AddCacheItemToLinkedList(cache, new_most_recent);
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+static PRBool
+ocsp_IsCacheDisabled()
+{
+    /* 
+     * maxCacheEntries == 0 means unlimited cache entries
+     * maxCacheEntries  < 0 means cache is disabled
+     */
+    PRBool retval;
+    PR_EnterMonitor(OCSP_Global.monitor);
+    retval = (OCSP_Global.maxCacheEntries < 0);
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return retval;
+}
+
+static OCSPCacheItem *
+ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID)
+{
+    OCSPCacheItem *found_ocsp_item = NULL;
+    OCSP_TRACE(("OCSP ocsp_FindCacheEntry\n"));
+    OCSP_TRACE_CERTID(certID);
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (ocsp_IsCacheDisabled())
+        goto loser;
+  
+    found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup(
+                          cache->entries, certID);
+    if (!found_ocsp_item)
+        goto loser;
+  
+    OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n"));
+    ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item);
+
+loser:
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return found_ocsp_item;
+}
+
+static void
+ocsp_FreeCacheItem(OCSPCacheItem *item)
+{
+    OCSP_TRACE(("OCSP ocsp_FreeCacheItem\n"));
+    if (item->certStatusArena) {
+        PORT_FreeArena(item->certStatusArena, PR_FALSE);
+    }
+    if (item->certID->poolp) {
+        /* freeing this poolp arena will also free item */
+        PORT_FreeArena(item->certID->poolp, PR_FALSE);
+    }
+}
+
+static void
+ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
+{
+    /* The item we're removing could be either the least recently used item,
+     * or it could be an item that couldn't get updated with newer status info
+     * because of an allocation failure, or it could get removed because we're 
+     * cleaning up.
+     */
+    PRBool couldRemoveFromHashTable;
+    OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
+    PR_EnterMonitor(OCSP_Global.monitor);
+
+    ocsp_RemoveCacheItemFromLinkedList(cache, item);
+    couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, 
+                                                  item->certID);
+    PORT_Assert(couldRemoveFromHashTable);
+    --cache->numberOfEntries;
+    ocsp_FreeCacheItem(item);
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+static void
+ocsp_CheckCacheSize(OCSPCacheData *cache)
+{
+    OCSP_TRACE(("OCSP ocsp_CheckCacheSize\n"));
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (OCSP_Global.maxCacheEntries <= 0) /* disabled or unlimited */
+        return;
+    while (cache->numberOfEntries > OCSP_Global.maxCacheEntries) {
+        ocsp_RemoveCacheItem(cache, cache->LRUitem);
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+SECStatus
+CERT_ClearOCSPCache()
+{
+    OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n"));
+    PR_EnterMonitor(OCSP_Global.monitor);
+    while (OCSP_Global.cache.numberOfEntries > 0) {
+        ocsp_RemoveCacheItem(&OCSP_Global.cache, 
+                             OCSP_Global.cache.LRUitem);
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECSuccess;
+}
+
+static SECStatus
+ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache,
+                                     CERTOCSPCertID *certID, 
+                                     OCSPCacheItem **pCacheItem)
+{
+    PRArenaPool *arena;
+    void *mark;
+    PLHashEntry *new_hash_entry;
+    OCSPCacheItem *item;
+  
+    PORT_Assert(pCacheItem != NULL);
+    *pCacheItem = NULL;
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    arena = certID->poolp;
+    mark = PORT_ArenaMark(arena);
+  
+    /* ZAlloc will init all Bools to False and all Pointers to NULL
+       and all error codes to zero/good. */
+    item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, 
+                                             sizeof(OCSPCacheItem));
+    if (!item) {
+        goto loser; 
+    }
+    item->certID = certID;
+    new_hash_entry = PL_HashTableAdd(cache->entries, item->certID, 
+                                     item);
+    if (!new_hash_entry) {
+        goto loser;
+    }
+    ++cache->numberOfEntries;
+    PORT_ArenaUnmark(arena, mark);
+    ocsp_AddCacheItemToLinkedList(cache, item);
+    *pCacheItem = item;
+
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECSuccess;
+  
+loser:
+    PORT_ArenaRelease(arena, mark);
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECFailure;
+}
+
+static SECStatus
+ocsp_SetCacheItemResponse(OCSPCacheItem *item,
+                          const CERTOCSPSingleResponse *response)
+{
+    if (item->certStatusArena) {
+        PORT_FreeArena(item->certStatusArena, PR_FALSE);
+        item->certStatusArena = NULL;
+    }
+    item->haveThisUpdate = item->haveNextUpdate = PR_FALSE;
+    if (response) {
+        SECStatus rv;
+        item->certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (item->certStatusArena == NULL) {
+            return SECFailure;
+        }
+        rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus, 
+                                 response->certStatus);
+        if (rv != SECSuccess) {
+            PORT_FreeArena(item->certStatusArena, PR_FALSE);
+            item->certStatusArena = NULL;
+            return rv;
+        }
+        item->missingResponseError = 0;
+        rv = DER_GeneralizedTimeToTime(&item->thisUpdate, 
+                                       &response->thisUpdate);
+        item->haveThisUpdate = (rv == SECSuccess);
+        if (response->nextUpdate) {
+            rv = DER_GeneralizedTimeToTime(&item->nextUpdate, 
+                                           response->nextUpdate);
+            item->haveNextUpdate = (rv == SECSuccess);
+        } else {
+            item->haveNextUpdate = PR_FALSE;
+        }
+    }
+    return SECSuccess;
+}
+
+static void
+ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem)
+{
+    PRTime now;
+    PRTime earliestAllowedNextFetchAttemptTime;
+    PRTime latestTimeWhenResponseIsConsideredFresh;
+  
+    OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n"));
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+  
+    now = PR_Now();
+    OCSP_TRACE_TIME("now:", now);
+  
+    if (cacheItem->haveThisUpdate) {
+        OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
+        latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
+            OCSP_Global.maximumSecondsToNextFetchAttempt * 
+                MICROSECONDS_PER_SECOND;
+        OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", 
+                        latestTimeWhenResponseIsConsideredFresh);
+    } else {
+        latestTimeWhenResponseIsConsideredFresh = now +
+            OCSP_Global.minimumSecondsToNextFetchAttempt *
+                MICROSECONDS_PER_SECOND;
+        OCSP_TRACE_TIME("no thisUpdate, "
+                        "latestTimeWhenResponseIsConsideredFresh:", 
+                        latestTimeWhenResponseIsConsideredFresh);
+    }
+  
+    if (cacheItem->haveNextUpdate) {
+        OCSP_TRACE_TIME("have nextUpdate:", cacheItem->thisUpdate);
+    }
+  
+    if (cacheItem->haveNextUpdate &&
+        cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) {
+        latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate;
+        OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting "
+                        "latestTimeWhenResponseIsConsideredFresh:", 
+                        latestTimeWhenResponseIsConsideredFresh);
+    }
+  
+    earliestAllowedNextFetchAttemptTime = now +
+        OCSP_Global.minimumSecondsToNextFetchAttempt * 
+            MICROSECONDS_PER_SECOND;
+    OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:", 
+                    earliestAllowedNextFetchAttemptTime);
+  
+    if (latestTimeWhenResponseIsConsideredFresh < 
+        earliestAllowedNextFetchAttemptTime) {
+        latestTimeWhenResponseIsConsideredFresh = 
+            earliestAllowedNextFetchAttemptTime;
+        OCSP_TRACE_TIME("latest < earliest, setting latest to:", 
+                        latestTimeWhenResponseIsConsideredFresh);
+    }
+  
+    cacheItem->nextFetchAttemptTime = 
+        latestTimeWhenResponseIsConsideredFresh;
+    OCSP_TRACE_TIME("nextFetchAttemptTime", 
+        latestTimeWhenResponseIsConsideredFresh);
+
+    PR_ExitMonitor(OCSP_Global.monitor);
+}
+
+static PRBool
+ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
+{
+    PRTime now;
+    PRBool retval;
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    now = PR_Now();
+    retval = (cacheItem->nextFetchAttemptTime > now);
+    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", retval));
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return retval;
+}
+
+/*
+ * Status in *certIDWasConsumed will always be correct, regardless of 
+ * return value.
+ */
+static SECStatus
+ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, 
+                              CERTOCSPCertID *certID,
+                              CERTOCSPSingleResponse *single,
+                              PRBool *certIDWasConsumed)
+{
+    SECStatus rv;
+    OCSPCacheItem *cacheItem;
+    OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n"));
+  
+    if (!certIDWasConsumed) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *certIDWasConsumed = PR_FALSE;
+  
+    PR_EnterMonitor(OCSP_Global.monitor);
+    PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
+  
+    cacheItem = ocsp_FindCacheEntry(cache, certID);
+    if (!cacheItem) {
+        rv = ocsp_CreateCacheItemAndConsumeCertID(cache, certID, 
+                                                  &cacheItem);
+        if (rv != SECSuccess) {
+            PR_ExitMonitor(OCSP_Global.monitor);
+            return rv;
+        }
+        *certIDWasConsumed = PR_TRUE;
+    }
+    if (single) {
+        rv = ocsp_SetCacheItemResponse(cacheItem, single);
+        if (rv != SECSuccess) {
+            ocsp_RemoveCacheItem(cache, cacheItem);
+            PR_ExitMonitor(OCSP_Global.monitor);
+            return rv;
+        }
+    } else {
+        cacheItem->missingResponseError = PORT_GetError();
+    }
+    ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem);
+    ocsp_CheckCacheSize(cache);
+
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECSuccess;
+}
+
+extern SECStatus
+CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode)
+{
+    switch (ocspFailureMode) {
+    case ocspMode_FailureIsVerificationFailure:
+    case ocspMode_FailureIsNotAVerificationFailure:
+        break;
+    default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    OCSP_Global.ocspFailureMode = ocspFailureMode;
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECSuccess;
+}
+
+SECStatus
+CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
+                       PRUint32 minimumSecondsToNextFetchAttempt,
+                       PRUint32 maximumSecondsToNextFetchAttempt)
+{
+    if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt
+        || maxCacheEntries < -1) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+  
+    PR_EnterMonitor(OCSP_Global.monitor);
+  
+    if (maxCacheEntries < 0) {
+        OCSP_Global.maxCacheEntries = -1; /* disable cache */
+    } else if (maxCacheEntries == 0) {
+        OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */
+    } else {
+        OCSP_Global.maxCacheEntries = maxCacheEntries;
+    }
+  
+    if (minimumSecondsToNextFetchAttempt < 
+            OCSP_Global.minimumSecondsToNextFetchAttempt
+        || maximumSecondsToNextFetchAttempt < 
+            OCSP_Global.maximumSecondsToNextFetchAttempt) {
+        /*
+         * Ensure our existing cache entries are not used longer than the 
+         * new settings allow, we're lazy and just clear the cache
+         */
+        CERT_ClearOCSPCache();
+    }
+  
+    OCSP_Global.minimumSecondsToNextFetchAttempt = 
+        minimumSecondsToNextFetchAttempt;
+    OCSP_Global.maximumSecondsToNextFetchAttempt = 
+        maximumSecondsToNextFetchAttempt;
+    ocsp_CheckCacheSize(&OCSP_Global.cache);
+  
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return SECSuccess;
+}
+
+SECStatus
+CERT_SetOCSPTimeout(PRUint32 seconds)
+{
+    /* no locking, see bug 406120 */
+    OCSP_Global.timeoutSeconds = seconds;
+    return SECSuccess;
+}
+
+/* this function is called at NSS initialization time */
+SECStatus OCSP_InitGlobal(void)
+{
+    SECStatus rv = SECFailure;
+
+    if (OCSP_Global.monitor == NULL) {
+        OCSP_Global.monitor = PR_NewMonitor();
+    }
+    if (!OCSP_Global.monitor)
+        return SECFailure;
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (!OCSP_Global.cache.entries) {
+        OCSP_Global.cache.entries = 
+            PL_NewHashTable(0, 
+                            ocsp_CacheKeyHashFunction, 
+                            ocsp_CacheKeyCompareFunction, 
+                            PL_CompareValues, 
+                            NULL, 
+                            NULL);
+        OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure;
+        OCSP_Global.cache.numberOfEntries = 0;
+        OCSP_Global.cache.MRUitem = NULL;
+        OCSP_Global.cache.LRUitem = NULL;
+    } else {
+        /*
+         * NSS might call this function twice while attempting to init.
+         * But it's not allowed to call this again after any activity.
+         */
+        PORT_Assert(OCSP_Global.cache.numberOfEntries == 0);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+    if (OCSP_Global.cache.entries)
+        rv = SECSuccess;
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return rv;
+}
+
+SECStatus OCSP_ShutdownGlobal(void)
+{
+    if (!OCSP_Global.monitor)
+        return SECSuccess;
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (OCSP_Global.cache.entries) {
+        CERT_ClearOCSPCache();
+        PL_HashTableDestroy(OCSP_Global.cache.entries);
+        OCSP_Global.cache.entries = NULL;
+    }
+    PORT_Assert(OCSP_Global.cache.numberOfEntries == 0);
+    OCSP_Global.cache.MRUitem = NULL;
+    OCSP_Global.cache.LRUitem = NULL;
+
+    OCSP_Global.defaultHttpClientFcn = NULL;
+    OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE;
+    OCSP_Global.minimumSecondsToNextFetchAttempt = 
+      DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+    OCSP_Global.maximumSecondsToNextFetchAttempt =
+      DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT;
+    OCSP_Global.ocspFailureMode =
+      ocspMode_FailureIsVerificationFailure;
+    PR_ExitMonitor(OCSP_Global.monitor);
+
+    PR_DestroyMonitor(OCSP_Global.monitor);
+    OCSP_Global.monitor = NULL;
+    return SECSuccess;
+}
+
+/*
+ * A return value of NULL means: 
+ *   The application did not register it's own HTTP client.
+ */
+const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient()
+{
+    const SEC_HttpClientFcn *retval;
+
+    if (!OCSP_Global.monitor) {
+      PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+      return NULL;
+    }
+
+    PR_EnterMonitor(OCSP_Global.monitor);
+    retval = OCSP_Global.defaultHttpClientFcn;
+    PR_ExitMonitor(OCSP_Global.monitor);
+    
+    return retval;
+}
+
+/*
+ * The following structure is only used internally.  It is allocated when
+ * someone turns on OCSP checking, and hangs off of the status-configuration
+ * structure in the certdb structure.  We use it to keep configuration
+ * information specific to OCSP checking.
+ */
+typedef struct ocspCheckingContextStr {
+    PRBool useDefaultResponder;
+    char *defaultResponderURI;
+    char *defaultResponderNickname;
+    CERTCertificate *defaultResponderCert;
+} ocspCheckingContext;
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_NullTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToGeneralizedTimeTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToEnumeratedTemplate)
+
+/*
+ * Forward declarations of sub-types, so I can lay out the types in the
+ * same order as the ASN.1 is laid out in the OCSP spec itself.
+ *
+ * These are in alphabetical order (case-insensitive); please keep it that way!
+ */
+extern const SEC_ASN1Template ocsp_CertIDTemplate[];
+extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[];
+extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[];
+extern const SEC_ASN1Template ocsp_ResponseDataTemplate[];
+extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[];
+extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
+extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
+extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
+
+
+/*
+ * Request-related templates...
+ */
+
+/*
+ * OCSPRequest	::=	SEQUENCE {
+ *	tbsRequest		TBSRequest,
+ *	optionalSignature	[0] EXPLICIT Signature OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTOCSPRequest) },
+    { SEC_ASN1_POINTER,
+	offsetof(CERTOCSPRequest, tbsRequest),
+	ocsp_TBSRequestTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(CERTOCSPRequest, optionalSignature),
+	ocsp_PointerToSignatureTemplate },
+    { 0 }
+};
+
+/*
+ * TBSRequest	::=	SEQUENCE {
+ *	version			[0] EXPLICIT Version DEFAULT v1,
+ *	requestorName		[1] EXPLICIT GeneralName OPTIONAL,
+ *	requestList		SEQUENCE OF Request,
+ *	requestExtensions	[2] EXPLICIT Extensions OPTIONAL }
+ *
+ * Version	::=	INTEGER { v1(0) }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspTBSRequest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(ocspTBSRequest, version),
+	SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	offsetof(ocspTBSRequest, derRequestorName),
+	SEC_ASN1_SUB(SEC_PointerToAnyTemplate) },
+    { SEC_ASN1_SEQUENCE_OF,
+	offsetof(ocspTBSRequest, requestList),
+	ocsp_SingleRequestTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	offsetof(ocspTBSRequest, requestExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * Signature	::=	SEQUENCE {
+ *	signatureAlgorithm	AlgorithmIdentifier,
+ *	signature		BIT STRING,
+ *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspSignature) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(ocspSignature, signatureAlgorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(ocspSignature, signature) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(ocspSignature, derCerts), 
+	SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+    { 0 }
+};
+
+/*
+ * This template is just an extra level to use in an explicitly-tagged
+ * reference to a Signature.
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
+    { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate }
+};
+
+/*
+ * Request	::=	SEQUENCE {
+ *	reqCert			CertID,
+ *	singleRequestExtensions	[0] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(ocspSingleRequest) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspSingleRequest, reqCert),
+	ocsp_CertIDTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspSingleRequest, singleRequestExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+
+/*
+ * This data structure and template (CertID) is used by both OCSP
+ * requests and responses.  It is the only one that is shared.
+ *
+ * CertID	::=	SEQUENCE {
+ *	hashAlgorithm		AlgorithmIdentifier,
+ *	issuerNameHash		OCTET STRING,	-- Hash of Issuer DN
+ *	issuerKeyHash		OCTET STRING,	-- Hash of Issuer public key
+ *	serialNumber		CertificateSerialNumber }
+ *
+ * CertificateSerialNumber ::=	INTEGER
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_CertIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(CERTOCSPCertID) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(CERTOCSPCertID, hashAlgorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(CERTOCSPCertID, issuerNameHash) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(CERTOCSPCertID, issuerKeyHash) },
+    { SEC_ASN1_INTEGER, 
+	offsetof(CERTOCSPCertID, serialNumber) },
+    { 0 }
+};
+
+
+/*
+ * Response-related templates...
+ */
+
+/*
+ * OCSPResponse	::=	SEQUENCE {
+ *	responseStatus		OCSPResponseStatus,
+ *	responseBytes		[0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(CERTOCSPResponse) },
+    { SEC_ASN1_ENUMERATED, 
+	offsetof(CERTOCSPResponse, responseStatus) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(CERTOCSPResponse, responseBytes),
+	ocsp_PointerToResponseBytesTemplate },
+    { 0 }
+};
+
+/*
+ * ResponseBytes	::=	SEQUENCE {
+ *	responseType		OBJECT IDENTIFIER,
+ *	response		OCTET STRING }
+ */
+static const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspResponseBytes) },
+    { SEC_ASN1_OBJECT_ID,
+	offsetof(ocspResponseBytes, responseType) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(ocspResponseBytes, response) },
+    { 0 }
+};
+
+/*
+ * This template is just an extra level to use in an explicitly-tagged
+ * reference to a ResponseBytes.
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
+    { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate }
+};
+
+/*
+ * BasicOCSPResponse	::=	SEQUENCE {
+ *	tbsResponseData		ResponseData,
+ *	signatureAlgorithm	AlgorithmIdentifier,
+ *	signature		BIT STRING,
+ *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspBasicOCSPResponse) },
+    { SEC_ASN1_ANY | SEC_ASN1_SAVE,
+	offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspBasicOCSPResponse, tbsResponseData),
+	ocsp_ResponseDataTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+	SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) },
+    { 0 }
+};
+
+/*
+ * ResponseData	::=	SEQUENCE {
+ *	version			[0] EXPLICIT Version DEFAULT v1,
+ *	responderID		ResponderID,
+ *	producedAt		GeneralizedTime,
+ *	responses		SEQUENCE OF SingleResponse,
+ *	responseExtensions	[1] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspResponseData) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(ocspResponseData, version),
+	SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_ANY,
+	offsetof(ocspResponseData, derResponderID) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(ocspResponseData, producedAt) },
+    { SEC_ASN1_SEQUENCE_OF,
+	offsetof(ocspResponseData, responses),
+	ocsp_SingleResponseTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(ocspResponseData, responseExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * KeyHash ::=	OCTET STRING -- SHA-1 hash of responder's public key
+ * (excluding the tag and length fields)
+ *
+ * XXX Because the ASN.1 encoder and decoder currently do not provide
+ * a way to automatically handle a CHOICE, we need to do it in two
+ * steps, looking at the type tag and feeding the exact choice back
+ * to the ASN.1 code.  Hopefully that will change someday and this
+ * can all be simplified down into a single template.  Anyway, for
+ * now we list each choice as its own template:
+ */
+static const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(ocspResponderID, responderIDValue.name),
+	CERT_NameTemplate }
+};
+static const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        SEC_ASN1_XTRN | 2,
+	offsetof(ocspResponderID, responderIDValue.keyHash),
+	SEC_ASN1_SUB(SEC_OctetStringTemplate) }
+};
+static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
+    { SEC_ASN1_ANY,
+	offsetof(ocspResponderID, responderIDValue.other) }
+};
+
+/* Decode choice container, but leave x509 name object encoded */
+static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        SEC_ASN1_XTRN | 1, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+/*
+ * SingleResponse	::=	SEQUENCE {
+ *	certID			CertID,
+ *	certStatus		CertStatus,
+ *	thisUpdate		GeneralizedTime,
+ *	nextUpdate		[0] EXPLICIT GeneralizedTime OPTIONAL,
+ *	singleExtensions	[1] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTOCSPSingleResponse) },
+    { SEC_ASN1_POINTER,
+	offsetof(CERTOCSPSingleResponse, certID),
+	ocsp_CertIDTemplate },
+    { SEC_ASN1_ANY,
+	offsetof(CERTOCSPSingleResponse, derCertStatus) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(CERTOCSPSingleResponse, thisUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(CERTOCSPSingleResponse, nextUpdate),
+	SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(CERTOCSPSingleResponse, singleExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * CertStatus	::=	CHOICE {
+ *	good			[0] IMPLICIT NULL,
+ *	revoked			[1] IMPLICIT RevokedInfo,
+ *	unknown			[2] IMPLICIT UnknownInfo }
+ *
+ * Because the ASN.1 encoder and decoder currently do not provide
+ * a way to automatically handle a CHOICE, we need to do it in two
+ * steps, looking at the type tag and feeding the exact choice back
+ * to the ASN.1 code.  Hopefully that will change someday and this
+ * can all be simplified down into a single template.  Anyway, for
+ * now we list each choice as its own template:
+ */
+static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	offsetof(ocspCertStatus, certStatusInfo.goodInfo),
+	SEC_ASN1_SUB(SEC_NullTemplate) }
+};
+static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+	ocsp_RevokedInfoTemplate }
+};
+static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+	offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
+	SEC_ASN1_SUB(SEC_NullTemplate) }
+};
+static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	offsetof(ocspCertStatus, certStatusInfo.otherInfo),
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+/*
+ * RevokedInfo	::=	SEQUENCE {
+ *	revocationTime		GeneralizedTime,
+ *	revocationReason	[0] EXPLICIT CRLReason OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspRevokedInfo) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(ocspRevokedInfo, revocationTime) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        SEC_ASN1_XTRN | 0,
+	offsetof(ocspRevokedInfo, revocationReason), 
+	SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) },
+    { 0 }
+};
+
+
+/*
+ * OCSP-specific extension templates:
+ */
+
+/*
+ * ServiceLocator	::=	SEQUENCE {
+ *	issuer			Name,
+ *	locator			AuthorityInfoAccessSyntax OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspServiceLocator) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspServiceLocator, issuer),
+	CERT_NameTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	offsetof(ocspServiceLocator, locator) },
+    { 0 }
+};
+
+
+/*
+ * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
+ */
+
+/* 
+ * FUNCTION: CERT_EncodeOCSPRequest
+ *   DER encodes an OCSP Request, possibly adding a signature as well.
+ *   XXX Signing is not yet supported, however; see comments in code.
+ * INPUTS: 
+ *   PRArenaPool *arena
+ *     The return value is allocated from here.
+ *     If a NULL is passed in, allocation is done from the heap instead.
+ *   CERTOCSPRequest *request
+ *     The request to be encoded.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * RETURN:
+ *   Returns a NULL on error and a pointer to the SECItem with the
+ *   encoded value otherwise.  Any error is likely to be low-level
+ *   (e.g. no memory).
+ */
+SECItem *
+CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
+		       void *pwArg)
+{
+    ocspTBSRequest *tbsRequest;
+    SECStatus rv;
+
+    /* XXX All of these should generate errors if they fail. */
+    PORT_Assert(request);
+    PORT_Assert(request->tbsRequest);
+
+    tbsRequest = request->tbsRequest;
+
+    if (request->tbsRequest->extensionHandle != NULL) {
+	rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+	request->tbsRequest->extensionHandle = NULL;
+	if (rv != SECSuccess)
+	    return NULL;
+    }
+
+    /*
+     * XXX When signed requests are supported and request->optionalSignature
+     * is not NULL:
+     *  - need to encode tbsRequest->requestorName
+     *  - need to encode tbsRequest
+     *  - need to sign that encoded result (using cert in sig), filling in the
+     *    request->optionalSignature structure with the result, the signing
+     *    algorithm and (perhaps?) the cert (and its chain?) in derCerts
+     */
+
+    return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
+}
+
+
+/*
+ * FUNCTION: CERT_DecodeOCSPRequest
+ *   Decode a DER encoded OCSP Request.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Request.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
+ *   On error, returns NULL.  Most likely error is trouble decoding
+ *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
+ */
+CERTOCSPRequest *
+CERT_DecodeOCSPRequest(SECItem *src)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECFailure;
+    CERTOCSPRequest *dest = NULL;
+    int i;
+    SECItem newSrc;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena, 
+						sizeof(CERTOCSPRequest));
+    if (dest == NULL) {
+	goto loser;
+    }
+    dest->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newSrc, src);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+	goto loser;
+    }
+
+    /*
+     * XXX I would like to find a way to get rid of the necessity
+     * of doing this copying of the arena pointer.
+     */
+    for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
+	dest->tbsRequest->requestList[i]->arena = arena;
+    }
+
+    return dest;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
+{
+    if (certID && certID->poolp) {
+	PORT_FreeArena(certID->poolp, PR_FALSE);
+	return SECSuccess;
+    }
+    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    return SECFailure;
+}
+
+/*
+ * Digest data using the specified algorithm.
+ * The necessary storage for the digest data is allocated.  If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */
+
+static SECItem *
+ocsp_DigestValue(PRArenaPool *arena, SECOidTag digestAlg, 
+                 SECItem *fill, const SECItem *src)
+{
+    const SECHashObject *digestObject;
+    SECItem *result = NULL;
+    void *mark = NULL;
+    void *digestBuff = NULL;
+
+    if ( arena != NULL ) {
+        mark = PORT_ArenaMark(arena);
+    }
+
+    digestObject = HASH_GetHashObjectByOidTag(digestAlg);
+    if ( digestObject == NULL ) {
+        goto loser;
+    }
+
+    if (fill == NULL || fill->data == NULL) {
+	result = SECITEM_AllocItem(arena, fill, digestObject->length);
+	if ( result == NULL ) {
+	   goto loser;
+	}
+	digestBuff = result->data;
+    } else {
+	if (fill->len < digestObject->length) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    goto loser;
+	}
+	digestBuff = fill->data;
+    }
+
+    if (PK11_HashBuf(digestAlg, digestBuff,
+                     src->data, src->len) != SECSuccess) {
+        goto loser;
+    }
+
+    if ( arena != NULL ) {
+        PORT_ArenaUnmark(arena, mark);
+    }
+
+    if (result == NULL) {
+        result = fill;
+    }
+    return result;
+
+loser:
+    if (arena != NULL) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        if (result != NULL) {
+            SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
+        }
+    }
+    return(NULL);
+}
+
+/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * The necessary storage for the digest data is allocated.  If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */
+SECItem *
+CERT_GetSPKIDigest(PRArenaPool *arena, const CERTCertificate *cert,
+                           SECOidTag digestAlg, SECItem *fill)
+{
+    SECItem spk;
+
+    /*
+     * Copy just the length and data pointer (nothing needs to be freed)
+     * of the subject public key so we can convert the length from bits
+     * to bytes, which is what the digest function expects.
+     */
+    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
+    DER_ConvertBitString(&spk);
+
+    return ocsp_DigestValue(arena, digestAlg, fill, &spk);
+}
+
+/*
+ * Digest the cert's subject name using the specified algorithm.
+ */
+static SECItem *
+cert_GetSubjectNameDigest(PRArenaPool *arena, const CERTCertificate *cert,
+                           SECOidTag digestAlg, SECItem *fill)
+{
+    SECItem name;
+
+    /*
+     * Copy just the length and data pointer (nothing needs to be freed)
+     * of the subject name
+     */
+    name = cert->derSubject;
+
+    return ocsp_DigestValue(arena, digestAlg, fill, &name);
+}
+
+/*
+ * Create and fill-in a CertID.  This function fills in the hash values
+ * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1.
+ * Someday it might need to be more flexible about hash algorithm, but
+ * for now we have no intention/need to create anything else.
+ *
+ * Error causes a null to be returned; most likely cause is trouble
+ * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER).
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */
+static CERTOCSPCertID *
+ocsp_CreateCertID(PRArenaPool *arena, CERTCertificate *cert, int64 time)
+{
+    CERTOCSPCertID *certID;
+    CERTCertificate *issuerCert = NULL;
+    void *mark = PORT_ArenaMark(arena);
+    SECStatus rv;
+
+    PORT_Assert(arena != NULL);
+
+    certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
+    if (certID == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
+			       NULL);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+
+    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
+    if (issuerCert == NULL) {
+	goto loser;
+    }
+
+    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
+                                  &(certID->issuerNameHash)) == NULL) {
+        goto loser;
+    }
+    certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
+    certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
+
+    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
+                                  &(certID->issuerMD5NameHash)) == NULL) {
+        goto loser;
+    }
+
+    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
+                                  &(certID->issuerMD2NameHash)) == NULL) {
+        goto loser;
+    }
+
+    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
+				   &(certID->issuerKeyHash)) == NULL) {
+	goto loser;
+    }
+    certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
+    certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
+    /* cache the other two hash algorithms as well */
+    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
+				   &(certID->issuerMD5KeyHash)) == NULL) {
+	goto loser;
+    }
+    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
+				   &(certID->issuerMD2KeyHash)) == NULL) {
+	goto loser;
+    }
+
+
+    /* now we are done with issuerCert */
+    CERT_DestroyCertificate(issuerCert);
+    issuerCert = NULL;
+
+    rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+
+    PORT_ArenaUnmark(arena, mark);
+    return certID;
+
+loser:
+    if (issuerCert != NULL) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+CERTOCSPCertID*
+CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTOCSPCertID *certID;
+    PORT_Assert(arena != NULL);
+    if (!arena)
+	return NULL;
+    
+    certID = ocsp_CreateCertID(arena, cert, time);
+    if (!certID) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+    certID->poolp = arena;
+    return certID;
+}
+
+/*
+ * Callback to set Extensions in request object
+ */
+void SetSingleReqExts(void *object, CERTCertExtension **exts)
+{
+  ocspSingleRequest *singleRequest =
+    (ocspSingleRequest *)object;
+
+  singleRequest->singleRequestExtensions = exts;
+}
+
+/*
+ * Add the Service Locator extension to the singleRequestExtensions
+ * for the given singleRequest.
+ *
+ * All errors are internal or low-level problems (e.g. no memory).
+ */
+static SECStatus
+ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
+				CERTCertificate *cert)
+{
+    ocspServiceLocator *serviceLocator = NULL;
+    void *extensionHandle = NULL;
+    SECStatus rv = SECFailure;
+
+    serviceLocator = PORT_ZNew(ocspServiceLocator);
+    if (serviceLocator == NULL)
+	goto loser;
+
+    /*
+     * Normally it would be a bad idea to do a direct reference like
+     * this rather than allocate and copy the name *or* at least dup
+     * a reference of the cert.  But all we need is to be able to read
+     * the issuer name during the encoding we are about to do, so a
+     * copy is just a waste of time.
+     */
+    serviceLocator->issuer = &cert->issuer;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
+				&serviceLocator->locator);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
+	    goto loser;
+    }
+
+    /* prepare for following loser gotos */
+    rv = SECFailure;
+    PORT_SetError(0);
+
+    extensionHandle = cert_StartExtensions(singleRequest,
+                       singleRequest->arena, SetSingleReqExts);
+    if (extensionHandle == NULL)
+	goto loser;
+
+    rv = CERT_EncodeAndAddExtension(extensionHandle,
+				    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+				    serviceLocator, PR_FALSE,
+				    ocsp_ServiceLocatorTemplate);
+
+loser:
+    if (extensionHandle != NULL) {
+	/*
+	 * Either way we have to finish out the extension context (so it gets
+	 * freed).  But careful not to override any already-set bad status.
+	 */
+	SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
+	if (rv == SECSuccess)
+	    rv = tmprv;
+    }
+
+    /*
+     * Finally, free the serviceLocator structure itself and we are done.
+     */
+    if (serviceLocator != NULL) {
+	if (serviceLocator->locator.data != NULL)
+	    SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
+	PORT_Free(serviceLocator);
+    }
+
+    return rv;
+}
+
+/*
+ * Creates an array of ocspSingleRequest based on a list of certs.
+ * Note that the code which later compares the request list with the
+ * response expects this array to be in the exact same order as the
+ * certs are found in the list.  It would be harder to change that
+ * order than preserve it, but since the requirement is not obvious,
+ * it deserves to be mentioned.
+ *
+ * Any problem causes a null return and error set:
+ *      SEC_ERROR_UNKNOWN_ISSUER
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */
+static ocspSingleRequest **
+ocsp_CreateSingleRequestList(PRArenaPool *arena, CERTCertList *certList,
+                             int64 time, PRBool includeLocator)
+{
+    ocspSingleRequest **requestList = NULL;
+    CERTCertListNode *node = NULL;
+    int i, count;
+    void *mark = PORT_ArenaMark(arena);
+ 
+    node = CERT_LIST_HEAD(certList);
+    for (count = 0; !CERT_LIST_END(node, certList); count++) {
+        node = CERT_LIST_NEXT(node);
+    }
+
+    if (count == 0)
+	goto loser;
+
+    requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
+    if (requestList == NULL)
+	goto loser;
+
+    node = CERT_LIST_HEAD(certList);
+    for (i = 0; !CERT_LIST_END(node, certList); i++) {
+        requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest);
+        if (requestList[i] == NULL)
+            goto loser;
+
+        OCSP_TRACE(("OCSP CERT_CreateOCSPRequest %s\n", node->cert->subjectName));
+        requestList[i]->arena = arena;
+        requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time);
+        if (requestList[i]->reqCert == NULL)
+            goto loser;
+
+        if (includeLocator == PR_TRUE) {
+            SECStatus rv;
+
+            rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert);
+            if (rv != SECSuccess)
+                goto loser;
+        }
+
+        node = CERT_LIST_NEXT(node);
+    }
+
+    PORT_Assert(i == count);
+
+    PORT_ArenaUnmark(arena, mark);
+    requestList[i] = NULL;
+    return requestList;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+static ocspSingleRequest **
+ocsp_CreateRequestFromCert(PRArenaPool *arena, 
+                           CERTOCSPCertID *certID, 
+                           CERTCertificate *singleCert,
+                           int64 time, 
+                           PRBool includeLocator)
+{
+    ocspSingleRequest **requestList = NULL;
+    void *mark = PORT_ArenaMark(arena);
+    PORT_Assert(certID != NULL && singleCert != NULL);
+
+    /* meaning of value 2: one entry + one end marker */
+    requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, 2);
+    if (requestList == NULL)
+        goto loser;
+    requestList[0] = PORT_ArenaZNew(arena, ocspSingleRequest);
+    if (requestList[0] == NULL)
+        goto loser;
+    requestList[0]->arena = arena;
+    /* certID will live longer than the request */
+    requestList[0]->reqCert = certID; 
+
+    if (includeLocator == PR_TRUE) {
+        SECStatus rv;
+        rv = ocsp_AddServiceLocatorExtension(requestList[0], singleCert);
+        if (rv != SECSuccess)
+            goto loser;
+    }
+
+    PORT_ArenaUnmark(arena, mark);
+    requestList[1] = NULL;
+    return requestList;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+static CERTOCSPRequest *
+ocsp_prepareEmptyOCSPRequest()
+{
+    PRArenaPool *arena = NULL;
+    CERTOCSPRequest *request = NULL;
+    ocspTBSRequest *tbsRequest = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        goto loser;
+    }
+    request = PORT_ArenaZNew(arena, CERTOCSPRequest);
+    if (request == NULL) {
+        goto loser;
+    }
+    request->arena = arena;
+
+    tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest);
+    if (tbsRequest == NULL) {
+        goto loser;
+    }
+    request->tbsRequest = tbsRequest;
+    /* version 1 is the default, so we need not fill in a version number */
+    return request;
+
+loser:
+    if (arena != NULL) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+CERTOCSPRequest *
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, 
+                                 CERTCertificate *singleCert, 
+                                 int64 time, 
+                                 PRBool addServiceLocator,
+                                 CERTCertificate *signerCert)
+{
+    CERTOCSPRequest *request;
+    OCSP_TRACE(("OCSP cert_CreateSingleCertOCSPRequest %s\n", singleCert->subjectName));
+
+    /* XXX Support for signerCert may be implemented later,
+     * see also the comment in CERT_CreateOCSPRequest.
+     */
+    if (signerCert != NULL) {
+        PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+        return NULL;
+    }
+
+    request = ocsp_prepareEmptyOCSPRequest();
+    if (!request)
+        return NULL;
+    /*
+     * Version 1 is the default, so we need not fill in a version number.
+     * Now create the list of single requests, one for each cert.
+     */
+    request->tbsRequest->requestList = 
+        ocsp_CreateRequestFromCert(request->arena, 
+                                   certID,
+                                   singleCert,
+                                   time,
+                                   addServiceLocator);
+    if (request->tbsRequest->requestList == NULL) {
+        PORT_FreeArena(request->arena, PR_FALSE);
+        return NULL;
+    }
+    return request;
+}
+
+/*
+ * FUNCTION: CERT_CreateOCSPRequest
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   the given list.
+ * INPUTS:
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no effect on the request itself.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *     XXX note that request signing is not yet supported; see comment in code
+ * RETURN:
+ *   A pointer to a CERTOCSPRequest structure containing an OCSP request
+ *   for the cert list.  On error, null is returned, with an error set
+ *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
+ *   (The issuer is needed to create a request for the certificate.)
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+CERTOCSPRequest *
+CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
+		       PRBool addServiceLocator,
+		       CERTCertificate *signerCert)
+{
+    CERTOCSPRequest *request = NULL;
+
+    if (!certList) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    /*
+     * XXX When we are prepared to put signing of requests back in, 
+     * we will need to allocate a signature
+     * structure for the request, fill in the "derCerts" field in it,
+     * save the signerCert there, as well as fill in the "requestorName"
+     * field of the tbsRequest.
+     */
+    if (signerCert != NULL) {
+        PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+        return NULL;
+    }
+    request = ocsp_prepareEmptyOCSPRequest();
+    if (!request)
+        return NULL;
+    /*
+     * Now create the list of single requests, one for each cert.
+     */
+    request->tbsRequest->requestList = 
+        ocsp_CreateSingleRequestList(request->arena, 
+                                     certList,
+                                     time,
+                                     addServiceLocator);
+    if (request->tbsRequest->requestList == NULL) {
+        PORT_FreeArena(request->arena, PR_FALSE);
+        return NULL;
+    }
+    return request;
+}
+
+/*
+ * FUNCTION: CERT_AddOCSPAcceptableResponses
+ *   Add the AcceptableResponses extension to an OCSP Request.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     The request to which the extension should be added.
+ *   ...
+ *     A list (of one or more) of SECOidTag -- each of the response types
+ *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
+ *     (This marks the end of the list, and it must be specified because a
+ *     client conforming to the OCSP standard is required to handle the basic
+ *     response type.)  The OIDs are not checked in any way.
+ * RETURN:
+ *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
+ *   All errors are internal or low-level problems (e.g. no memory).
+ */
+
+void SetRequestExts(void *object, CERTCertExtension **exts)
+{
+  CERTOCSPRequest *request = (CERTOCSPRequest *)object;
+
+  request->tbsRequest->requestExtensions = exts;
+}
+
+SECStatus
+CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
+				SECOidTag responseType0, ...)
+{
+    void *extHandle;
+    va_list ap;
+    int i, count;
+    SECOidTag responseType;
+    SECOidData *responseOid;
+    SECItem **acceptableResponses = NULL;
+    SECStatus rv = SECFailure;
+
+    extHandle = request->tbsRequest->extensionHandle;
+    if (extHandle == NULL) {
+	extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
+	if (extHandle == NULL)
+	    goto loser;
+    }
+
+    /* Count number of OIDS going into the extension value. */
+    count = 1;
+    if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
+	va_start(ap, responseType0);
+	do {
+	    count++;
+	    responseType = va_arg(ap, SECOidTag);
+	} while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+	va_end(ap);
+    }
+
+    acceptableResponses = PORT_NewArray(SECItem *, count + 1);
+    if (acceptableResponses == NULL)
+	goto loser;
+
+    i = 0;
+    responseOid = SECOID_FindOIDByTag(responseType0);
+    acceptableResponses[i++] = &(responseOid->oid);
+    if (count > 1) {
+	va_start(ap, responseType0);
+	for ( ; i < count; i++) {
+	    responseType = va_arg(ap, SECOidTag);
+	    responseOid = SECOID_FindOIDByTag(responseType);
+	    acceptableResponses[i] = &(responseOid->oid);
+	}
+	va_end(ap);
+    }
+    acceptableResponses[i] = NULL;
+
+    rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
+                                &acceptableResponses, PR_FALSE,
+                                SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate));
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Free(acceptableResponses);
+    if (request->tbsRequest->extensionHandle == NULL)
+	request->tbsRequest->extensionHandle = extHandle;
+    return SECSuccess;
+
+loser:
+    if (acceptableResponses != NULL)
+	PORT_Free(acceptableResponses);
+    if (extHandle != NULL)
+	(void) CERT_FinishExtensions(extHandle);
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_DestroyOCSPRequest
+ *   Frees an OCSP Request structure.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     Pointer to CERTOCSPRequest to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+void
+CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
+{
+    if (request == NULL)
+	return;
+
+    if (request->tbsRequest != NULL) {
+	if (request->tbsRequest->requestorName != NULL)
+	    CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
+	if (request->tbsRequest->extensionHandle != NULL)
+	    (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+    }
+
+    if (request->optionalSignature != NULL) {
+	if (request->optionalSignature->cert != NULL)
+	    CERT_DestroyCertificate(request->optionalSignature->cert);
+
+	/*
+	 * XXX Need to free derCerts?  Or do they come out of arena?
+	 * (Currently we never fill in derCerts, which is why the
+	 * answer is not obvious.  Once we do, add any necessary code
+	 * here and remove this comment.)
+	 */
+    }
+
+    /*
+     * We should actually never have a request without an arena,
+     * but check just in case.  (If there isn't one, there is not
+     * much we can do about it...)
+     */
+    PORT_Assert(request->arena != NULL);
+    if (request->arena != NULL)
+	PORT_FreeArena(request->arena, PR_FALSE);
+}
+
+
+/*
+ * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
+ */
+
+/*
+ * Helper function for encoding or decoding a ResponderID -- based on the
+ * given type, return the associated template for that choice.
+ */
+static const SEC_ASN1Template *
+ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
+{
+    const SEC_ASN1Template *responderIDTemplate;
+
+    switch (responderIDType) {
+	case ocspResponderID_byName:
+	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+	    break;
+	case ocspResponderID_byKey:
+	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+	    break;
+	case ocspResponderID_other:
+	default:
+	    PORT_Assert(responderIDType == ocspResponderID_other);
+	    responderIDTemplate = ocsp_ResponderIDOtherTemplate;
+	    break;
+    }
+
+    return responderIDTemplate;
+}
+
+/*
+ * Helper function for encoding or decoding a CertStatus -- based on the
+ * given type, return the associated template for that choice.
+ */
+static const SEC_ASN1Template *
+ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
+{
+    const SEC_ASN1Template *certStatusTemplate;
+
+    switch (certStatusType) {
+	case ocspCertStatus_good:
+	    certStatusTemplate = ocsp_CertStatusGoodTemplate;
+	    break;
+	case ocspCertStatus_revoked:
+	    certStatusTemplate = ocsp_CertStatusRevokedTemplate;
+	    break;
+	case ocspCertStatus_unknown:
+	    certStatusTemplate = ocsp_CertStatusUnknownTemplate;
+	    break;
+	case ocspCertStatus_other:
+	default:
+	    PORT_Assert(certStatusType == ocspCertStatus_other);
+	    certStatusTemplate = ocsp_CertStatusOtherTemplate;
+	    break;
+    }
+
+    return certStatusTemplate;
+}
+
+/*
+ * Helper function for decoding a certStatus -- turn the actual DER tag
+ * into our local translation.
+ */
+static ocspCertStatusType
+ocsp_CertStatusTypeByTag(int derTag)
+{
+    ocspCertStatusType certStatusType;
+
+    switch (derTag) {
+	case 0:
+	    certStatusType = ocspCertStatus_good;
+	    break;
+	case 1:
+	    certStatusType = ocspCertStatus_revoked;
+	    break;
+	case 2:
+	    certStatusType = ocspCertStatus_unknown;
+	    break;
+	default:
+	    certStatusType = ocspCertStatus_other;
+	    break;
+    }
+
+    return certStatusType;
+}
+
+/*
+ * Helper function for decoding SingleResponses -- they each contain
+ * a status which is encoded as CHOICE, which needs to be decoded "by hand".
+ *
+ * Note -- on error, this routine does not release the memory it may
+ * have allocated; it expects its caller to do that.
+ */
+static SECStatus
+ocsp_FinishDecodingSingleResponses(PRArenaPool *reqArena,
+				   CERTOCSPSingleResponse **responses)
+{
+    ocspCertStatus *certStatus;
+    ocspCertStatusType certStatusType;
+    const SEC_ASN1Template *certStatusTemplate;
+    int derTag;
+    int i;
+    SECStatus rv = SECFailure;
+
+    if (!reqArena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (responses == NULL)			/* nothing to do */
+	return SECSuccess;
+
+    for (i = 0; responses[i] != NULL; i++) {
+        SECItem* newStatus;
+	/*
+	 * The following assert points out internal errors (problems in
+	 * the template definitions or in the ASN.1 decoder itself, etc.).
+	 */
+	PORT_Assert(responses[i]->derCertStatus.data != NULL);
+
+	derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
+	certStatusType = ocsp_CertStatusTypeByTag(derTag);
+	certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
+
+	certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus));
+	if (certStatus == NULL) {
+	    goto loser;
+	}
+        newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus);
+        if (!newStatus) {
+            goto loser;
+        }
+	rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate,
+				newStatus);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SEC_ERROR_BAD_DER)
+		PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	    goto loser;
+	}
+
+	certStatus->certStatusType = certStatusType;
+	responses[i]->certStatus = certStatus;
+    }
+
+    return SECSuccess;
+
+loser:
+    return rv;
+}
+
+/*
+ * Helper function for decoding a responderID -- turn the actual DER tag
+ * into our local translation.
+ */
+static ocspResponderIDType
+ocsp_ResponderIDTypeByTag(int derTag)
+{
+    ocspResponderIDType responderIDType;
+
+    switch (derTag) {
+	case 1:
+	    responderIDType = ocspResponderID_byName;
+	    break;
+	case 2:
+	    responderIDType = ocspResponderID_byKey;
+	    break;
+	default:
+	    responderIDType = ocspResponderID_other;
+	    break;
+    }
+
+    return responderIDType;
+}
+
+/*
+ * Decode "src" as a BasicOCSPResponse, returning the result.
+ */
+static ocspBasicOCSPResponse *
+ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
+{
+    void *mark;
+    ocspBasicOCSPResponse *basicResponse;
+    ocspResponseData *responseData;
+    ocspResponderID *responderID;
+    ocspResponderIDType responderIDType;
+    const SEC_ASN1Template *responderIDTemplate;
+    int derTag;
+    SECStatus rv;
+    SECItem newsrc;
+
+    mark = PORT_ArenaMark(arena);
+
+    basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
+    if (basicResponse == NULL) {
+	goto loser;
+    }
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newsrc, src);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, basicResponse,
+			    ocsp_BasicOCSPResponseTemplate, &newsrc);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    responseData = basicResponse->tbsResponseData;
+
+    /*
+     * The following asserts point out internal errors (problems in
+     * the template definitions or in the ASN.1 decoder itself, etc.).
+     */
+    PORT_Assert(responseData != NULL);
+    PORT_Assert(responseData->derResponderID.data != NULL);
+
+    /*
+     * XXX Because responderID is a CHOICE, which is not currently handled
+     * by our ASN.1 decoder, we have to decode it "by hand".
+     */
+    derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK;
+    responderIDType = ocsp_ResponderIDTypeByTag(derTag);
+    responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType);
+
+    responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
+    if (responderID == NULL) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate,
+			    &responseData->derResponderID);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    responderID->responderIDType = responderIDType;
+    responseData->responderID = responderID;
+
+    /*
+     * XXX Each SingleResponse also contains a CHOICE, which has to be
+     * fixed up by hand.
+     */
+    rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(arena, mark);
+    return basicResponse;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+
+/*
+ * Decode the responseBytes based on the responseType found in "rbytes",
+ * leaving the resulting translated/decoded information in there as well.
+ */
+static SECStatus
+ocsp_DecodeResponseBytes(PRArenaPool *arena, ocspResponseBytes *rbytes)
+{
+    PORT_Assert(rbytes != NULL);		/* internal error, really */
+    if (rbytes == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);	/* XXX set better error? */
+	return SECFailure;
+    }
+
+    rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
+    switch (rbytes->responseTypeTag) {
+	case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
+	    {
+		ocspBasicOCSPResponse *basicResponse;
+
+		basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
+							     &rbytes->response);
+		if (basicResponse == NULL)
+		    return SECFailure;
+
+		rbytes->decodedResponse.basic = basicResponse;
+	    }
+	    break;
+
+	/*
+	 * Add new/future response types here.
+	 */
+
+	default:
+	    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+	    return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DecodeOCSPResponse
+ *   Decode a DER encoded OCSP Response.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Response.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
+ *   the caller is responsible for destroying it.  Or NULL if error (either
+ *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+ *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
+ *   or a low-level or internal error occurred).
+ */
+CERTOCSPResponse *
+CERT_DecodeOCSPResponse(SECItem *src)
+{
+    PRArenaPool *arena = NULL;
+    CERTOCSPResponse *response = NULL;
+    SECStatus rv = SECFailure;
+    ocspResponseStatus sv;
+    SECItem newSrc;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
+						     sizeof(CERTOCSPResponse));
+    if (response == NULL) {
+	goto loser;
+    }
+    response->arena = arena;
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newSrc, src);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &newSrc);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
+    response->statusValue = sv;
+    if (sv != ocspResponse_successful) {
+	/*
+	 * If the response status is anything but successful, then we
+	 * are all done with decoding; the status is all there is.
+	 */
+	return response;
+    }
+
+    /*
+     * A successful response contains much more information, still encoded.
+     * Now we need to decode that.
+     */
+    rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    return response;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+/*
+ * The way an OCSPResponse is defined, there are many levels to descend
+ * before getting to the actual response information.  And along the way
+ * we need to check that the response *type* is recognizable, which for
+ * now means that it is a BasicOCSPResponse, because that is the only
+ * type currently defined.  Rather than force all routines to perform
+ * a bunch of sanity checking every time they want to work on a response,
+ * this function isolates that and gives back the interesting part.
+ * Note that no copying is done, this just returns a pointer into the
+ * substructure of the response which is passed in.
+ *
+ * XXX This routine only works when a valid response structure is passed
+ * into it; this is checked with many assertions.  Assuming the response
+ * was creating by decoding, it wouldn't make it this far without being
+ * okay.  That is a sufficient assumption since the entire OCSP interface
+ * is only used internally.  When this interface is officially exported,
+ * each assertion below will need to be followed-up with setting an error
+ * and returning (null).
+ *
+ * FUNCTION: ocsp_GetResponseData
+ *   Returns ocspResponseData structure and a pointer to tbs response
+ *   data DER from a valid ocsp response. 
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     structure of a valid ocsp response
+ * RETURN:
+ *   Returns a pointer to ocspResponseData structure: decoded OCSP response
+ *   data, and a pointer(tbsResponseDataDER) to its undecoded data DER.
+ */
+ocspResponseData *
+ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER)
+{
+    ocspBasicOCSPResponse *basic;
+    ocspResponseData *responseData;
+
+    PORT_Assert(response != NULL);
+
+    PORT_Assert(response->responseBytes != NULL);
+
+    PORT_Assert(response->responseBytes->responseTypeTag
+		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+
+    basic = response->responseBytes->decodedResponse.basic;
+    PORT_Assert(basic != NULL);
+
+    responseData = basic->tbsResponseData;
+    PORT_Assert(responseData != NULL);
+
+    if (tbsResponseDataDER) {
+        *tbsResponseDataDER = &basic->tbsResponseDataDER;
+
+        PORT_Assert((*tbsResponseDataDER)->data != NULL);
+        PORT_Assert((*tbsResponseDataDER)->len != 0);
+    }
+
+    return responseData;
+}
+
+/*
+ * Much like the routine above, except it returns the response signature.
+ * Again, no copy is done.
+ */
+ocspSignature *
+ocsp_GetResponseSignature(CERTOCSPResponse *response)
+{
+    ocspBasicOCSPResponse *basic;
+
+    PORT_Assert(response != NULL);
+    if (NULL == response->responseBytes) {
+        return NULL;
+    }
+    PORT_Assert(response->responseBytes != NULL);
+    PORT_Assert(response->responseBytes->responseTypeTag
+		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+
+    basic = response->responseBytes->decodedResponse.basic;
+    PORT_Assert(basic != NULL);
+
+    return &(basic->responseSignature);
+}
+
+
+/*
+ * FUNCTION: CERT_DestroyOCSPResponse
+ *   Frees an OCSP Response structure.
+ * INPUTS:
+ *   CERTOCSPResponse *request
+ *     Pointer to CERTOCSPResponse to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+void
+CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
+{
+    if (response != NULL) {
+	ocspSignature *signature = ocsp_GetResponseSignature(response);
+	if (signature && signature->cert != NULL)
+	    CERT_DestroyCertificate(signature->cert);
+
+	/*
+	 * We should actually never have a response without an arena,
+	 * but check just in case.  (If there isn't one, there is not
+	 * much we can do about it...)
+	 */
+	PORT_Assert(response->arena != NULL);
+	if (response->arena != NULL) {
+	    PORT_FreeArena(response->arena, PR_FALSE);
+	}
+    }
+}
+
+
+/*
+ * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
+ */
+
+
+/*
+ * Pick apart a URL, saving the important things in the passed-in pointers.
+ *
+ * We expect to find "http://<hostname>[:<port>]/[path]", though we will
+ * tolerate that final slash character missing, as well as beginning and
+ * trailing whitespace, and any-case-characters for "http".  All of that
+ * tolerance is what complicates this routine.  What we want is just to
+ * pick out the hostname, the port, and the path.
+ *
+ * On a successful return, the caller will need to free the output pieces
+ * of hostname and path, which are copies of the values found in the url.
+ */
+static SECStatus
+ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
+{
+    unsigned short port = 80;		/* default, in case not in url */
+    char *hostname = NULL;
+    char *path = NULL;
+    const char *save;
+    char c;
+    int len;
+
+    if (url == NULL)
+	goto loser;
+
+    /*
+     * Skip beginning whitespace.
+     */
+    c = *url;
+    while ((c == ' ' || c == '\t') && c != '\0') {
+	url++;
+	c = *url;
+    }
+    if (c == '\0')
+	goto loser;
+
+    /*
+     * Confirm, then skip, protocol.  (Since we only know how to do http,
+     * that is all we will accept).
+     */
+    if (PORT_Strncasecmp(url, "http://", 7) != 0)
+	goto loser;
+    url += 7;
+
+    /*
+     * Whatever comes next is the hostname (or host IP address).  We just
+     * save it aside and then search for its end so we can determine its
+     * length and copy it.
+     *
+     * XXX Note that because we treat a ':' as a terminator character
+     * (and below, we expect that to mean there is a port specification
+     * immediately following), we will not handle IPv6 addresses.  That is
+     * apparently an acceptable limitation, for the time being.  Some day,
+     * when there is a clear way to specify a URL with an IPv6 address that
+     * can be parsed unambiguously, this code should be made to do that.
+     */
+    save = url;
+    c = *url;
+    while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
+	url++;
+	c = *url;
+    }
+    len = url - save;
+    hostname = PORT_Alloc(len + 1);
+    if (hostname == NULL)
+	goto loser;
+    PORT_Memcpy(hostname, save, len);
+    hostname[len] = '\0';
+
+    /*
+     * Now we figure out if there was a port specified or not.
+     * If so, we need to parse it (as a number) and skip it.
+     */
+    if (c == ':') {
+	url++;
+	port = (unsigned short) PORT_Atoi(url);
+	c = *url;
+	while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
+	    if (c < '0' || c > '9')
+		goto loser;
+	    url++;
+	    c = *url;
+	}
+    }
+
+    /*
+     * Last thing to find is a path.  There *should* be a slash,
+     * if nothing else -- but if there is not we provide one.
+     */
+    if (c == '/') {
+	save = url;
+	while (c != '\0' && c != ' ' && c != '\t') {
+	    url++;
+	    c = *url;
+	}
+	len = url - save;
+	path = PORT_Alloc(len + 1);
+	if (path == NULL)
+	    goto loser;
+	PORT_Memcpy(path, save, len);
+	path[len] = '\0';
+    } else {
+	path = PORT_Strdup("/");
+	if (path == NULL)
+	    goto loser;
+    }
+
+    *pHostname = hostname;
+    *pPort = port;
+    *pPath = path;
+    return SECSuccess;
+
+loser:
+    if (hostname != NULL)
+	PORT_Free(hostname);
+    PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+    return SECFailure;
+}
+
+/*
+ * Open a socket to the specified host on the specified port, and return it.
+ * The host is either a hostname or an IP address.
+ */
+static PRFileDesc *
+ocsp_ConnectToHost(const char *host, PRUint16 port)
+{
+    PRFileDesc *sock = NULL;
+    PRIntervalTime timeout;
+    PRNetAddr addr;
+    char *netdbbuf = NULL;
+
+    sock = PR_NewTCPSocket();
+    if (sock == NULL)
+	goto loser;
+
+    /* XXX Some day need a way to set (and get?) the following value */
+    timeout = PR_SecondsToInterval(30);
+
+    /*
+     * If the following converts an IP address string in "dot notation"
+     * into a PRNetAddr.  If it fails, we assume that is because we do not
+     * have such an address, but instead a host *name*.  In that case we
+     * then lookup the host by name.  Using the NSPR function this way
+     * means we do not have to have our own logic for distinguishing a
+     * valid numerical IP address from a hostname.
+     */
+    if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
+	PRIntn hostIndex;
+	PRHostEnt hostEntry;
+
+	netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
+	if (netdbbuf == NULL)
+	    goto loser;
+
+	if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
+			     &hostEntry) != PR_SUCCESS)
+	    goto loser;
+
+	hostIndex = 0;
+	do {
+	    hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
+	    if (hostIndex <= 0)
+		goto loser;
+	} while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
+
+	PORT_Free(netdbbuf);
+    } else {
+	/*
+	 * First put the port into the address, then connect.
+	 */
+	if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
+	    goto loser;
+	if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
+	    goto loser;
+    }
+
+    return sock;
+
+loser:
+    if (sock != NULL)
+	PR_Close(sock);
+    if (netdbbuf != NULL)
+	PORT_Free(netdbbuf);
+    return NULL;
+}
+
+/*
+ * Sends an encoded OCSP request to the server identified by "location",
+ * and returns the socket on which it was sent (so can listen for the reply).
+ * "location" is expected to be a valid URL -- an error parsing it produces
+ * SEC_ERROR_CERT_BAD_ACCESS_LOCATION.  Other errors are likely problems
+ * connecting to it, or writing to it, or allocating memory, and the low-level
+ * errors appropriate to the problem will be set.
+ */
+static PRFileDesc *
+ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
+{
+    char *hostname = NULL;
+    char *path = NULL;
+    PRUint16 port;
+    SECStatus rv;
+    PRFileDesc *sock = NULL;
+    PRFileDesc *returnSock = NULL;
+    char *header = NULL;
+
+    /*
+     * Take apart the location, getting the hostname, port, and path.
+     */
+    rv = ocsp_ParseURL(location, &hostname, &port, &path);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Assert(hostname != NULL);
+    PORT_Assert(path != NULL);
+
+    sock = ocsp_ConnectToHost(hostname, port);
+    if (sock == NULL)
+	goto loser;
+
+    header = PR_smprintf("POST %s HTTP/1.0\r\n"
+			 "Host: %s:%d\r\n"
+			 "Content-Type: application/ocsp-request\r\n"
+			 "Content-Length: %u\r\n\r\n",
+			 path, hostname, port, encodedRequest->len);
+    if (header == NULL)
+	goto loser;
+
+    /*
+     * The NSPR documentation promises that if it can, it will write the full
+     * amount; this will not return a partial value expecting us to loop.
+     */
+    if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+	goto loser;
+
+    if (PR_Write(sock, encodedRequest->data,
+		 (PRInt32) encodedRequest->len) < 0)
+	goto loser;
+
+    returnSock = sock;
+    sock = NULL;
+
+loser:
+    if (header != NULL)
+	PORT_Free(header);
+    if (sock != NULL)
+	PR_Close(sock);
+    if (path != NULL)
+	PORT_Free(path);
+    if (hostname != NULL)
+	PORT_Free(hostname);
+
+    return returnSock;
+}
+
+/*
+ * Read from "fd" into "buf" -- expect/attempt to read a given number of bytes
+ * Obviously, stop if hit end-of-stream. Timeout is passed in.
+ */
+
+static int
+ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
+{
+    int total = 0;
+
+    while (total < toread)
+    {
+        PRInt32 got;
+
+        got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout);
+        if (got < 0)
+        {
+            if (0 == total)
+            {
+                total = -1; /* report the error if we didn't read anything yet */
+            }
+            break;
+        }
+        else
+        if (got == 0)
+        {			/* EOS */
+            break;
+        }
+
+        total += got;
+    }
+
+    return total;
+}
+
+#define OCSP_BUFSIZE 1024
+
+#define AbortHttpDecode(error) \
+{ \
+        if (inBuffer) \
+            PORT_Free(inBuffer); \
+        PORT_SetError(error); \
+        return NULL; \
+}
+
+
+/*
+ * Reads on the given socket and returns an encoded response when received.
+ * Properly formatted HTTP/1.0 response headers are expected to be read
+ * from the socket, preceding a binary-encoded OCSP response.  Problems
+ * with parsing cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be
+ * set; any other problems are likely low-level i/o or memory allocation
+ * errors.
+ */
+static SECItem *
+ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)
+{
+    /* first read HTTP status line and headers */
+
+    char* inBuffer = NULL;
+    PRInt32 offset = 0;
+    PRInt32 inBufsize = 0;
+    const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
+    const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */
+    const char* CRLF = "\r\n";
+    const PRInt32 CRLFlen = strlen(CRLF);
+    const char* headerEndMark = "\r\n\r\n";
+    const PRInt32 markLen = strlen(headerEndMark);
+    const PRIntervalTime ocsptimeout =
+        PR_SecondsToInterval(30); /* hardcoded to 30s for now */
+    char* headerEnd = NULL;
+    PRBool EOS = PR_FALSE;
+    const char* httpprotocol = "HTTP/";
+    const PRInt32 httplen = strlen(httpprotocol);
+    const char* httpcode = NULL;
+    const char* contenttype = NULL;
+    PRInt32 contentlength = 0;
+    PRInt32 bytesRead = 0;
+    char* statusLineEnd = NULL;
+    char* space = NULL;
+    char* nextHeader = NULL;
+    SECItem* result = NULL;
+
+    /* read up to at least the end of the HTTP headers */
+    do
+    {
+        inBufsize += bufSizeIncrement;
+        inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
+        if (NULL == inBuffer)
+        {
+            AbortHttpDecode(SEC_ERROR_NO_MEMORY);
+        }
+        bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
+            ocsptimeout);
+        if (bytesRead > 0)
+        {
+            PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0;
+            offset += bytesRead;
+            *(inBuffer + offset) = '\0'; /* NULL termination */
+            headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMark);
+            if (bytesRead < bufSizeIncrement)
+            {
+                /* we read less data than requested, therefore we are at
+                   EOS or there was a read error */
+                EOS = PR_TRUE;
+            }
+        }
+        else
+        {
+            /* recv error or EOS */
+            EOS = PR_TRUE;
+        }
+    } while ( (!headerEnd) && (PR_FALSE == EOS) &&
+              (inBufsize < maxBufSize) );
+
+    if (!headerEnd)
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+
+    /* parse the HTTP status line  */
+    statusLineEnd = strstr((const char*)inBuffer, CRLF);
+    if (!statusLineEnd)
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+    *statusLineEnd = '\0';
+
+    /* check for HTTP/ response */
+    space = strchr((const char*)inBuffer, ' ');
+    if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen) != 0 )
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+
+    /* check the HTTP status code of 200 */
+    httpcode = space +1;
+    space = strchr(httpcode, ' ');
+    if (!space)
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+    *space = 0;
+    if (0 != strcmp(httpcode, "200"))
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+
+    /* parse the HTTP headers in the buffer . We only care about
+       content-type and content-length
+    */
+
+    nextHeader = statusLineEnd + CRLFlen;
+    *headerEnd = '\0'; /* terminate */
+    do
+    {
+        char* thisHeaderEnd = NULL;
+        char* value = NULL;
+        char* colon = strchr(nextHeader, ':');
+        
+        if (!colon)
+        {
+            AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+        }
+
+        *colon = '\0';
+        value = colon + 1;
+
+        /* jpierre - note : the following code will only handle the basic form
+           of HTTP/1.0 response headers, of the form "name: value" . Headers
+           split among multiple lines are not supported. This is not common
+           and should not be an issue, but it could become one in the
+           future */
+
+        if (*value != ' ')
+        {
+            AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+        }
+
+        value++;
+        thisHeaderEnd  = strstr(value, CRLF);
+        if (thisHeaderEnd )
+        {
+            *thisHeaderEnd  = '\0';
+        }
+
+        if (0 == PORT_Strcasecmp(nextHeader, "content-type"))
+        {
+            contenttype = value;
+        }
+        else
+        if (0 == PORT_Strcasecmp(nextHeader, "content-length"))
+        {
+            contentlength = atoi(value);
+        }
+
+        if (thisHeaderEnd )
+        {
+            nextHeader = thisHeaderEnd + CRLFlen;
+        }
+        else
+        {
+            nextHeader = NULL;
+        }
+
+    } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) );
+
+    /* check content-type */
+    if (!contenttype ||
+        (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) )
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+
+    /* read the body of the OCSP response */
+    offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen;
+    if (offset)
+    {
+        /* move all data to the beginning of the buffer */
+        PORT_Memmove(inBuffer, headerEnd + markLen, offset);
+    }
+
+    /* resize buffer to only what's needed to hold the current response */
+    inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ;
+
+    while ( (PR_FALSE == EOS) &&
+            ( (contentlength == 0) || (offset < contentlength) ) &&
+            (inBufsize < maxBufSize)
+            )
+    {
+        /* we still need to receive more body data */
+        inBufsize += bufSizeIncrement;
+        inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
+        if (NULL == inBuffer)
+        {
+            AbortHttpDecode(SEC_ERROR_NO_MEMORY);
+        }
+        bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
+                              ocsptimeout);
+        if (bytesRead > 0)
+        {
+            offset += bytesRead;
+            if (bytesRead < bufSizeIncrement)
+            {
+                /* we read less data than requested, therefore we are at
+                   EOS or there was a read error */
+                EOS = PR_TRUE;
+            }
+        }
+        else
+        {
+            /* recv error or EOS */
+            EOS = PR_TRUE;
+        }
+    }
+
+    if (0 == offset)
+    {
+        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+    }
+
+    /*
+     * Now allocate the item to hold the data.
+     */
+    result = SECITEM_AllocItem(arena, NULL, offset);
+    if (NULL == result)
+    {
+        AbortHttpDecode(SEC_ERROR_NO_MEMORY);
+    }
+
+    /*
+     * And copy the data left in the buffer.
+    */
+    PORT_Memcpy(result->data, inBuffer, offset);
+
+    /* and free the temporary buffer */
+    PORT_Free(inBuffer);
+    return result;
+}
+
+SECStatus
+CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath)
+{
+    return ocsp_ParseURL(url, pHostname, pPort, pPath);
+}
+
+/*
+ * Limit the size of http responses we are willing to accept.
+ */
+#define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
+
+static SECItem *
+fetchOcspHttpClientV1(PRArenaPool *arena, 
+                      const SEC_HttpClientFcnV1 *hcv1, 
+                      char *location, 
+                      SECItem *encodedRequest)
+{
+    char *hostname = NULL;
+    char *path = NULL;
+    PRUint16 port;
+    SECItem *encodedResponse = NULL;
+    SEC_HTTP_SERVER_SESSION pServerSession = NULL;
+    SEC_HTTP_REQUEST_SESSION pRequestSession = NULL;
+    PRUint16 myHttpResponseCode;
+    const char *myHttpResponseData;
+    PRUint32 myHttpResponseDataLen;
+
+    if (ocsp_ParseURL(location, &hostname, &port, &path) == SECFailure) {
+        PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+        goto loser;
+    }
+    
+    PORT_Assert(hostname != NULL);
+    PORT_Assert(path != NULL);
+
+    if ((*hcv1->createSessionFcn)(
+            hostname, 
+            port, 
+            &pServerSession) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+        goto loser;
+    }
+
+    /* We use a non-zero timeout, which means:
+       - the client will use blocking I/O
+       - TryFcn will not return WOULD_BLOCK nor a poll descriptor
+       - it's sufficient to call TryFcn once
+       No lock for accessing OCSP_Global.timeoutSeconds, bug 406120
+    */
+
+    if ((*hcv1->createFcn)(
+            pServerSession,
+            "http",
+            path,
+            "POST",
+            PR_TicksPerSecond() * OCSP_Global.timeoutSeconds,
+            &pRequestSession) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+        goto loser;
+    }
+
+    if ((*hcv1->setPostDataFcn)(
+            pRequestSession, 
+            (char*)encodedRequest->data,
+            encodedRequest->len,
+            "application/ocsp-request") != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+        goto loser;
+    }
+
+    /* we don't want result objects larger than this: */
+    myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN;
+
+    OCSP_TRACE(("OCSP trySendAndReceive %s\n", location));
+
+    if ((*hcv1->trySendAndReceiveFcn)(
+            pRequestSession, 
+            NULL,
+            &myHttpResponseCode,
+            NULL,
+            NULL,
+            &myHttpResponseData,
+            &myHttpResponseDataLen) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+        goto loser;
+    }
+
+    OCSP_TRACE(("OCSP trySendAndReceive result http %d\n", myHttpResponseCode));
+
+    if (myHttpResponseCode != 200) {
+        PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+        goto loser;
+    }
+
+    encodedResponse = SECITEM_AllocItem(arena, NULL, myHttpResponseDataLen);
+
+    if (!encodedResponse) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto loser;
+    }
+
+    PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen);
+
+loser:
+    if (pRequestSession != NULL) 
+        (*hcv1->freeFcn)(pRequestSession);
+    if (pServerSession != NULL)
+        (*hcv1->freeSessionFcn)(pServerSession);
+    if (path != NULL)
+	PORT_Free(path);
+    if (hostname != NULL)
+	PORT_Free(hostname);
+    
+    return encodedResponse;
+}
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ * INPUTS:
+ *   PRArenaPool *arena
+ *     Pointer to arena from which return value will be allocated.
+ *     If NULL, result will be allocated from the heap (and thus should
+ *     be freed via SECITEM_FreeItem).
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   char *location
+ *     The location of the OCSP responder (a URL).
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no other bearing on the operation.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * OUTPUTS:
+ *   CERTOCSPRequest **pRequest
+ *     Pointer in which to store the OCSP request created for the given
+ *     list of certificates.  It is only filled in if the entire operation
+ *     is successful and the pointer is not null -- and in that case the
+ *     caller is then reponsible for destroying it.
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+SECItem *
+CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
+			    char *location, int64 time,
+			    PRBool addServiceLocator,
+			    CERTCertificate *signerCert, void *pwArg,
+			    CERTOCSPRequest **pRequest)
+{
+    CERTOCSPRequest *request;
+    request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
+                                     signerCert);
+    if (!request)
+        return NULL;
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
+                                                  time, addServiceLocator, 
+                                                  pwArg, pRequest);
+}
+
+static SECItem *
+ocsp_GetEncodedOCSPResponseFromRequest(PRArenaPool *arena, 
+                                       CERTOCSPRequest *request,
+                                       char *location, int64 time,
+                                       PRBool addServiceLocator,
+                                       void *pwArg,
+                                       CERTOCSPRequest **pRequest)
+{
+    SECItem *encodedRequest = NULL;
+    SECItem *encodedResponse = NULL;
+    PRFileDesc *sock = NULL;
+    SECStatus rv;
+    const SEC_HttpClientFcn *registeredHttpClient = NULL;
+
+    rv = CERT_AddOCSPAcceptableResponses(request,
+					 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+    if (rv != SECSuccess)
+	goto loser;
+
+    encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
+    if (encodedRequest == NULL)
+	goto loser;
+
+    registeredHttpClient = SEC_GetRegisteredHttpClient();
+
+    if (registeredHttpClient
+            &&
+            registeredHttpClient->version == 1) {
+        encodedResponse = fetchOcspHttpClientV1(
+                              arena,
+                              &registeredHttpClient->fcnTable.ftable1,
+                              location,
+                              encodedRequest);
+    }
+    else {
+      /* use internal http client */
+    
+      sock = ocsp_SendEncodedRequest(location, encodedRequest);
+      if (sock == NULL)
+	  goto loser;
+
+      encodedResponse = ocsp_GetEncodedResponse(arena, sock);
+    }
+
+    if (encodedResponse != NULL && pRequest != NULL) {
+	*pRequest = request;
+	request = NULL;			/* avoid destroying below */
+    }
+
+loser:
+    if (request != NULL)
+	CERT_DestroyOCSPRequest(request);
+    if (encodedRequest != NULL)
+	SECITEM_FreeItem(encodedRequest, PR_TRUE);
+    if (sock != NULL)
+	PR_Close(sock);
+
+    return encodedResponse;
+}
+
+static SECItem *
+ocsp_GetEncodedOCSPResponseForSingleCert(PRArenaPool *arena, 
+                                         CERTOCSPCertID *certID, 
+                                         CERTCertificate *singleCert, 
+                                         char *location, int64 time,
+                                         PRBool addServiceLocator,
+                                         void *pwArg,
+                                         CERTOCSPRequest **pRequest)
+{
+    CERTOCSPRequest *request;
+    request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, 
+                                               addServiceLocator, NULL);
+    if (!request)
+        return NULL;
+    return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
+                                                  time, addServiceLocator, 
+                                                  pwArg, pRequest);
+}
+
+/* Checks a certificate for the key usage extension of OCSP signer. */
+static PRBool
+ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    SECItem **oids;
+    SECItem *oid;
+    SECOidTag oidTag;
+    PRBool retval;
+    CERTOidSequence *oidSeq = NULL;
+
+
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    oidSeq = CERT_DecodeOidSequence(&extItem);
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+
+    oids = oidSeq->oids;
+    while ( *oids != NULL ) {
+	oid = *oids;
+	
+	oidTag = SECOID_FindOIDTag(oid);
+	
+	if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
+	    goto success;
+	}
+	
+	oids++;
+    }
+
+loser:
+    retval = PR_FALSE;
+    PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+    goto done;
+success:
+    retval = PR_TRUE;
+done:
+    if ( extItem.data != NULL ) {
+	PORT_Free(extItem.data);
+    }
+    if ( oidSeq != NULL ) {
+	CERT_DestroyOidSequence(oidSeq);
+    }
+    
+    return(retval);
+}
+
+
+#ifdef LATER	/*
+		 * XXX This function is not currently used, but will
+		 * be needed later when we do revocation checking of
+		 * the responder certificate.  Of course, it may need
+		 * revising then, if the cert extension interface has
+		 * changed.  (Hopefully it will!)
+		 */
+
+/* Checks a certificate to see if it has the OCSP no check extension. */
+static PRBool
+ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
+{
+    SECStatus rv;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, 
+				NULL);
+    if (rv == SECSuccess) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+#endif	/* LATER */
+
+static PRBool
+ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
+{
+    SECItem item;
+    unsigned char buf[HASH_LENGTH_MAX];
+
+    item.data = buf;
+    item.len = SHA1_LENGTH;
+
+    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+static CERTCertificate *
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID);
+
+CERTCertificate *
+ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
+                          ocspSignature *signature, CERTCertificate *issuer)
+{
+    CERTCertificate **certs = NULL;
+    CERTCertificate *signerCert = NULL;
+    SECStatus rv = SECFailure;
+    PRBool lookupByName = PR_TRUE;
+    void *certIndex = NULL;
+    int certCount = 0;
+
+    PORT_Assert(tbsData->responderID != NULL);
+    switch (tbsData->responderID->responderIDType) {
+    case ocspResponderID_byName:
+	lookupByName = PR_TRUE;
+	certIndex = &tbsData->derResponderID;
+	break;
+    case ocspResponderID_byKey:
+	lookupByName = PR_FALSE;
+	certIndex = &tbsData->responderID->responderIDValue.keyHash;
+	break;
+    case ocspResponderID_other:
+    default:
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	return NULL;
+    }
+
+    /*
+     * If the signature contains some certificates as well, temporarily
+     * import them in case they are needed for verification.
+     *
+     * Note that the result of this is that each cert in "certs" needs
+     * to be destroyed.
+     */
+    if (signature->derCerts != NULL) {
+	for (; signature->derCerts[certCount] != NULL; certCount++) {
+	    /* just counting */
+	}
+	rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount,
+	                      signature->derCerts, &certs,
+	                      PR_FALSE, PR_FALSE, NULL);
+	if (rv != SECSuccess)
+	     goto finish;
+    }
+
+    /*
+     * Now look up the certificate that did the signing.
+     * The signer can be specified either by name or by key hash.
+     */
+    if (lookupByName) {
+	SECItem *crIndex = (SECItem*)certIndex;
+	SECItem encodedName;
+	PLArenaPool *arena;
+
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena != NULL) {
+
+	    rv = SEC_QuickDERDecodeItem(arena, &encodedName,
+	                                ocsp_ResponderIDDerNameTemplate,
+	                                crIndex);
+	    if (rv != SECSuccess) {
+	        if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	            PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	    } else {
+	            signerCert = CERT_FindCertByName(handle, &encodedName);
+	    }
+	    PORT_FreeArena(arena, PR_FALSE);
+	}
+    } else {
+	/*
+	 * The signer is either 1) a known issuer CA we passed in,
+	 * 2) the default OCSP responder, or 3) an intermediate CA
+	 * passed in the cert list to use. Figure out which it is.
+	 */
+	int i;
+	CERTCertificate *responder = 
+            ocsp_CertGetDefaultResponder(handle, NULL);
+	if (responder && ocsp_matchcert(certIndex,responder)) {
+	    signerCert = CERT_DupCertificate(responder);
+	} else if (issuer && ocsp_matchcert(certIndex,issuer)) {
+	    signerCert = CERT_DupCertificate(issuer);
+	} 
+	for (i=0; (signerCert == NULL) && (i < certCount); i++) {
+	    if (ocsp_matchcert(certIndex,certs[i])) {
+		signerCert = CERT_DupCertificate(certs[i]);
+	    }
+	}
+    }
+
+finish:
+    if (certs != NULL) {
+	CERT_DestroyCertArray(certs, certCount);
+    }
+
+    return signerCert;
+}
+
+SECStatus
+ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
+                             ocspSignature *signature,
+                             SECItem *tbsResponseDataDER,
+                             void *pwArg)
+{
+    SECItem rawSignature;
+    SECKEYPublicKey *signerKey = NULL;
+    SECStatus rv = SECFailure;
+
+    /*
+     * Now get the public key from the signer's certificate; we need
+     * it to perform the verification.
+     */
+    signerKey = CERT_ExtractPublicKey(signerCert);
+    if (signerKey == NULL)
+	return SECFailure;
+    /*
+     * We copy the signature data *pointer* and length, so that we can
+     * modify the length without damaging the original copy.  This is a
+     * simple copy, not a dup, so no destroy/free is necessary.
+     */
+    rawSignature = signature->signature;
+    /*
+     * The raw signature is a bit string, but we need to represent its
+     * length in bytes, because that is what the verify function expects.
+     */
+    DER_ConvertBitString(&rawSignature);
+
+    rv = VFY_VerifyDataWithAlgorithmID(tbsResponseDataDER->data,
+                                       tbsResponseDataDER->len,
+                                       signerKey, &rawSignature,
+                                       &signature->signatureAlgorithm,
+                                       NULL, pwArg);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_BAD_SIGNATURE) {
+        PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE);
+    }
+    
+    if (signerKey != NULL) {
+        SECKEY_DestroyPublicKey(signerKey);
+    }
+
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_VerifyOCSPResponseSignature
+ *   Check the signature on an OCSP Response.  Will also perform a
+ *   verification of the signer's certificate.  Note, however, that a
+ *   successful verification does not make any statement about the
+ *   signer's *authority* to provide status for the certificate(s),
+ *   that must be checked individually for each certificate.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     Pointer to response structure with signature to be checked.
+ *   CERTCertDBHandle *handle
+ *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.
+ * OUTPUTS:
+ *   CERTCertificate **pSignerCert
+ *     Pointer in which to store signer's certificate; only filled-in if
+ *     non-null.
+ * RETURN:
+ *   Returns SECSuccess when signature is valid, anything else means invalid.
+ *   Possible errors set:
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
+ *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+SECStatus
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
+				 CERTCertDBHandle *handle, void *pwArg,
+				 CERTCertificate **pSignerCert,
+				 CERTCertificate *issuer)
+{
+    SECItem *tbsResponseDataDER;
+    CERTCertificate *signerCert = NULL;
+    SECStatus rv = SECFailure;
+    int64 producedAt;
+
+    /* ocsp_DecodeBasicOCSPResponse will fail if asn1 decoder is unable
+     * to properly decode tbsData (see the function and
+     * ocsp_BasicOCSPResponseTemplate). Thus, tbsData can not be
+     * equal to null */
+    ocspResponseData *tbsData = ocsp_GetResponseData(response,
+                                                     &tbsResponseDataDER);
+    ocspSignature *signature = ocsp_GetResponseSignature(response);
+
+    if (!signature) {
+        PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE);
+        return SECFailure;
+    }
+
+    /*
+     * If this signature has already gone through verification, just
+     * return the cached result.
+     */
+    if (signature->wasChecked) {
+	if (signature->status == SECSuccess) {
+	    if (pSignerCert != NULL)
+		*pSignerCert = CERT_DupCertificate(signature->cert);
+	} else {
+	    PORT_SetError(signature->failureReason);
+	}
+	return signature->status;
+    }
+
+    signerCert = ocsp_GetSignerCertificate(handle, tbsData,
+                                           signature, issuer);
+    if (signerCert == NULL) {
+	rv = SECFailure;
+	if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
+	    /* Make the error a little more specific. */
+	    PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+	}
+	goto finish;
+    }
+
+    /*
+     * We could mark this true at the top of this function, or always
+     * below at "finish", but if the problem was just that we could not
+     * find the signer's cert, leave that as if the signature hasn't
+     * been checked in case a subsequent call might have better luck.
+     */
+    signature->wasChecked = PR_TRUE;
+
+    /*
+     * The function will also verify the signer certificate; we
+     * need to tell it *when* that certificate must be valid -- for our
+     * purposes we expect it to be valid when the response was signed.
+     * The value of "producedAt" is the signing time.
+     */
+    rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt);
+    if (rv != SECSuccess)
+        goto finish;
+
+    /*
+     * Just because we have a cert does not mean it is any good; check
+     * it for validity, trust and usage.
+     */
+    if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
+        rv = SECSuccess;
+    } else {
+        SECCertUsage certUsage;
+        if (CERT_IsCACert(signerCert, NULL)) {
+            certUsage = certUsageVerifyCA;
+        } else {
+            certUsage = certUsageStatusResponder;
+        }
+        rv = CERT_VerifyCert(handle, signerCert, PR_TRUE,
+                             certUsage, producedAt, pwArg, NULL);
+        if (rv != SECSuccess) {
+            PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+            goto finish;
+        }
+    }
+
+    rv = ocsp_VerifyResponseSignature(signerCert, signature,
+                                      tbsResponseDataDER,
+                                      pwArg);
+
+finish:
+    if (signature->wasChecked)
+	signature->status = rv;
+
+    if (rv != SECSuccess) {
+	signature->failureReason = PORT_GetError();
+	if (signerCert != NULL)
+	    CERT_DestroyCertificate(signerCert);
+    } else {
+	/*
+	 * Save signer's certificate in signature.
+	 */
+	signature->cert = signerCert;
+	if (pSignerCert != NULL) {
+	    /*
+	     * Pass pointer to signer's certificate back to our caller,
+	     * who is also now responsible for destroying it.
+	     */
+	    *pSignerCert = CERT_DupCertificate(signerCert);
+	}
+    }
+
+    return rv;
+}
+
+/*
+ * See if the request's certID and the single response's certID match.
+ * This can be easy or difficult, depending on whether the same hash
+ * algorithm was used.
+ */
+static PRBool
+ocsp_CertIDsMatch(CERTCertDBHandle *handle,
+		  CERTOCSPCertID *requestCertID,
+		  CERTOCSPCertID *responseCertID)
+{
+    PRBool match = PR_FALSE;
+    SECOidTag hashAlg;
+    SECItem *keyHash = NULL;
+    SECItem *nameHash = NULL;
+
+    /*
+     * In order to match, they must have the same issuer and the same
+     * serial number.
+     *
+     * We just compare the easier things first.
+     */
+    if (SECITEM_CompareItem(&requestCertID->serialNumber,
+			    &responseCertID->serialNumber) != SECEqual) {
+	goto done;
+    }
+
+    /*
+     * Make sure the "parameters" are not too bogus.  Since we encoded
+     * requestCertID->hashAlgorithm, we don't need to check it.
+     */
+    if (responseCertID->hashAlgorithm.parameters.len > 2) {
+	goto done;
+    }
+    if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm,
+		&responseCertID->hashAlgorithm.algorithm) == SECEqual) {
+	/*
+	 * If the hash algorithms match then we can do a simple compare
+	 * of the hash values themselves.
+	 */
+	if ((SECITEM_CompareItem(&requestCertID->issuerNameHash,
+				&responseCertID->issuerNameHash) == SECEqual)
+	    && (SECITEM_CompareItem(&requestCertID->issuerKeyHash,
+				&responseCertID->issuerKeyHash) == SECEqual)) {
+	    match = PR_TRUE;
+	}
+	goto done;
+    }
+
+    hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm);
+    switch (hashAlg) {
+    case SEC_OID_SHA1:
+	keyHash = &requestCertID->issuerSHA1KeyHash;
+	nameHash = &requestCertID->issuerSHA1NameHash;
+	break;
+    case SEC_OID_MD5:
+	keyHash = &requestCertID->issuerMD5KeyHash;
+	nameHash = &requestCertID->issuerMD5NameHash;
+	break;
+    case SEC_OID_MD2:
+	keyHash = &requestCertID->issuerMD2KeyHash;
+	nameHash = &requestCertID->issuerMD2NameHash;
+	break;
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ 	return SECFailure;
+    }
+
+    if ((keyHash != NULL)
+	&& (SECITEM_CompareItem(nameHash,
+				&responseCertID->issuerNameHash) == SECEqual)
+	&& (SECITEM_CompareItem(keyHash,
+				&responseCertID->issuerKeyHash) == SECEqual)) {
+	match = PR_TRUE;
+    }
+
+done:
+    return match;
+}
+
+/*
+ * Find the single response for the cert specified by certID.
+ * No copying is done; this just returns a pointer to the appropriate
+ * response within responses, if it is found (and null otherwise).
+ * This is fine, of course, since this function is internal-use only.
+ */
+static CERTOCSPSingleResponse *
+ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
+				CERTCertDBHandle *handle,
+				CERTOCSPCertID *certID)
+{
+    CERTOCSPSingleResponse *single;
+    int i;
+
+    if (responses == NULL)
+	return NULL;
+
+    for (i = 0; responses[i] != NULL; i++) {
+	single = responses[i];
+	if (ocsp_CertIDsMatch(handle, certID, single->certID)) {
+	    return single;
+	}
+    }
+
+    /*
+     * The OCSP server should have included a response even if it knew
+     * nothing about the certificate in question.  Since it did not,
+     * this will make it look as if it had.
+     * 
+     * XXX Should we make this a separate error to notice the server's
+     * bad behavior?
+     */
+    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+    return NULL;
+}
+
+static ocspCheckingContext *
+ocsp_GetCheckingContext(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *ocspcx = NULL;
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig != NULL) {
+	ocspcx = statusConfig->statusContext;
+
+	/*
+	 * This is actually an internal error, because we should never
+	 * have a good statusConfig without a good statusContext, too.
+	 * For lack of anything better, though, we just assert and use
+	 * the same error as if there were no statusConfig (set below).
+	 */
+	PORT_Assert(ocspcx != NULL);
+    }
+
+    if (ocspcx == NULL)
+	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+
+    return ocspcx;
+}
+
+/*
+ * Return cert reference if the given signerCert is the default responder for
+ * the given certID.  If not, or if any error, return NULL.
+ */
+static CERTCertificate *
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID)
+{
+    ocspCheckingContext *ocspcx;
+
+    ocspcx = ocsp_GetCheckingContext(handle);
+    if (ocspcx == NULL)
+	goto loser;
+
+   /*
+    * Right now we have only one default responder.  It applies to
+    * all certs when it is used, so the check is simple and certID
+    * has no bearing on the answer.  Someday in the future we may
+    * allow configuration of different responders for different
+    * issuers, and then we would have to use the issuer specified
+    * in certID to determine if signerCert is the right one.
+    */
+    if (ocspcx->useDefaultResponder) {
+	PORT_Assert(ocspcx->defaultResponderCert != NULL);
+	return ocspcx->defaultResponderCert;
+    }
+
+loser:
+    return NULL;
+}
+
+/*
+ * Return true if the cert is one of the default responders configured for
+ * ocsp context. If not, or if any error, return false.
+ */
+PRBool
+ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert)
+{
+    ocspCheckingContext *ocspcx;
+
+    ocspcx = ocsp_GetCheckingContext(handle);
+    if (ocspcx == NULL)
+	return PR_FALSE;
+
+   /*
+    * Right now we have only one default responder.  It applies to
+    * all certs when it is used, so the check is simple and certID
+    * has no bearing on the answer.  Someday in the future we may
+    * allow configuration of different responders for different
+    * issuers, and then we would have to use the issuer specified
+    * in certID to determine if signerCert is the right one.
+    */
+    if (ocspcx->useDefaultResponder &&
+        CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+/*
+ * Check that the given signer certificate is authorized to sign status
+ * information for the given certID.  Return true if it is, false if not
+ * (or if there is any error along the way).  If false is returned because
+ * the signer is not authorized, the following error will be set:
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ *
+ * There are three ways to be authorized.  In the order in which we check,
+ * using the terms used in the OCSP spec, the signer must be one of:
+ *  1.  A "trusted responder" -- it matches a local configuration
+ *      of OCSP signing authority for the certificate in question.
+ *  2.  The CA who issued the certificate in question.
+ *  3.  A "CA designated responder", aka an "authorized responder" -- it
+ *      must be represented by a special cert issued by the CA who issued
+ *      the certificate in question.
+ */
+static PRBool
+ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
+				  CERTCertificate *signerCert,
+				  CERTOCSPCertID *certID,
+				  int64 thisUpdate)
+{
+    CERTCertificate *issuerCert = NULL, *defRespCert;
+    SECItem *keyHash = NULL;
+    SECItem *nameHash = NULL;
+    SECOidTag hashAlg;
+    PRBool keyHashEQ = PR_FALSE, nameHashEQ = PR_FALSE;
+
+    /*
+     * Check first for a trusted responder, which overrides everything else.
+     */
+    if ((defRespCert = ocsp_CertGetDefaultResponder(handle, certID)) &&
+        CERT_CompareCerts(defRespCert, signerCert)) {
+        return PR_TRUE;
+    }
+
+    /*
+     * In the other two cases, we need to do an issuer comparison.
+     * How we do it depends on whether the signer certificate has the
+     * special extension (for a designated responder) or not.
+     *
+     * First, lets check if signer of the response is the actual issuer
+     * of the cert. For that we will use signer cert key hash and cert subj
+     * name hash and will compare them with already calculated issuer key
+     * hash and issuer name hash. The hash algorithm is picked from response
+     * certID hash to avoid second hash calculation.
+     */
+
+    hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
+
+    keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
+    if (keyHash != NULL) {
+
+        keyHashEQ =
+            (SECITEM_CompareItem(keyHash,
+                                 &certID->issuerKeyHash) == SECEqual);
+        SECITEM_FreeItem(keyHash, PR_TRUE);
+    }
+    if (keyHashEQ &&
+        (nameHash = cert_GetSubjectNameDigest(NULL, signerCert,
+                                              hashAlg, NULL))) {
+        nameHashEQ =
+            (SECITEM_CompareItem(nameHash,
+                                 &certID->issuerNameHash) == SECEqual);
+            
+        SECITEM_FreeItem(nameHash, PR_TRUE);
+        if (nameHashEQ) {
+            /* The issuer of the cert is the the signer of the response */
+            return PR_TRUE;
+        }
+    }
+
+
+    keyHashEQ = PR_FALSE;
+    nameHashEQ = PR_FALSE;
+
+    if (!ocsp_CertIsOCSPDesignatedResponder(signerCert)) {
+        PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
+        return PR_FALSE;
+    }
+
+    /*
+     * The signer is a designated responder.  Its issuer must match
+     * the issuer of the cert being checked.
+     */
+    issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate,
+                                     certUsageAnyCA);
+    if (issuerCert == NULL) {
+        /*
+         * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
+         * but the following will give slightly more information.
+         * Once we have an error stack, things will be much better.
+         */
+        PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
+        return PR_FALSE;
+    }
+
+    keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
+    nameHash = cert_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
+
+    CERT_DestroyCertificate(issuerCert);
+
+    if (keyHash != NULL && nameHash != NULL) {
+        keyHashEQ = 
+            (SECITEM_CompareItem(keyHash,
+                                 &certID->issuerKeyHash) == SECEqual);
+
+        nameHashEQ =
+            (SECITEM_CompareItem(nameHash,
+                                 &certID->issuerNameHash) == SECEqual);
+    }
+
+    if (keyHash) {
+        SECITEM_FreeItem(keyHash, PR_TRUE);
+    }
+    if (nameHash) {
+        SECITEM_FreeItem(nameHash, PR_TRUE);
+    }
+
+    if (keyHashEQ && nameHashEQ) {
+        return PR_TRUE;
+    }
+
+    PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
+    return PR_FALSE;
+}
+
+/*
+ * We need to check that a responder gives us "recent" information.
+ * Since a responder can pre-package responses, we need to pick an amount
+ * of time that is acceptable to us, and reject any response that is
+ * older than that.
+ *
+ * XXX This *should* be based on some configuration parameter, so that
+ * different usages could specify exactly what constitutes "sufficiently
+ * recent".  But that is not going to happen right away.  For now, we
+ * want something from within the last 24 hours.  This macro defines that
+ * number in seconds.
+ */
+#define OCSP_ALLOWABLE_LAPSE_SECONDS	(24L * 60L * 60L)
+
+static PRBool
+ocsp_TimeIsRecent(int64 checkTime)
+{
+    int64 now = PR_Now();
+    int64 lapse, tmp;
+
+    LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
+    LL_I2L(tmp, PR_USEC_PER_SEC);
+    LL_MUL(lapse, lapse, tmp);		/* allowable lapse in microseconds */
+
+    LL_ADD(checkTime, checkTime, lapse);
+    if (LL_CMP(now, >, checkTime))
+	return PR_FALSE;
+
+    return PR_TRUE;
+}
+
+#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes
+                              in the future by default */
+
+static PRUint32 ocspsloptime = OCSP_SLOP;	/* seconds */
+
+/*
+ * Check that this single response is okay.  A return of SECSuccess means:
+ *   1. The signer (represented by "signerCert") is authorized to give status
+ *	for the cert represented by the individual response in "single".
+ *   2. The value of thisUpdate is earlier than now.
+ *   3. The value of producedAt is later than or the same as thisUpdate.
+ *   4. If nextUpdate is given:
+ *	- The value of nextUpdate is later than now.
+ *	- The value of producedAt is earlier than nextUpdate.
+ *	Else if no nextUpdate:
+ *	- The value of thisUpdate is fairly recent.
+ *	- The value of producedAt is fairly recent.
+ *	However we do not need to perform an explicit check for this last
+ *	constraint because it is already guaranteed by checking that
+ *	producedAt is later than thisUpdate and thisUpdate is recent.
+ * Oh, and any responder is "authorized" to say that a cert is unknown to it.
+ *
+ * If any of those checks fail, SECFailure is returned and an error is set:
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */ 
+static SECStatus
+ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
+			  CERTCertDBHandle *handle,
+			  CERTCertificate *signerCert,
+			  int64 producedAt)
+{
+    CERTOCSPCertID *certID = single->certID;
+    int64 now, thisUpdate, nextUpdate, tmstamp, tmp;
+    SECStatus rv;
+
+    OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n", 
+               ((single->nextUpdate) != 0)));
+    /*
+     * If all the responder said was that the given cert was unknown to it,
+     * that is a valid response.  Not very interesting to us, of course,
+     * but all this function is concerned with is validity of the response,
+     * not the status of the cert.
+     */
+    PORT_Assert(single->certStatus != NULL);
+    if (single->certStatus->certStatusType == ocspCertStatus_unknown)
+	return SECSuccess;
+
+    /*
+     * We need to extract "thisUpdate" for use below and to pass along
+     * to AuthorizedResponderForCertID in case it needs it for doing an
+     * issuer look-up.
+     */
+    rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
+    if (rv != SECSuccess)
+	return rv;
+
+    /*
+     * First confirm that signerCert is authorized to give this status.
+     */
+    if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
+					  thisUpdate) != PR_TRUE)
+	return SECFailure;
+
+    /*
+     * Now check the time stuff, as described above.
+     */
+    now = PR_Now();
+    /* allow slop time for future response */
+    LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */
+    LL_UI2L(tmp, PR_USEC_PER_SEC);
+    LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */
+    LL_ADD(tmstamp, tmp, now); /* add current time to it */
+
+    if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
+	PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
+	return SECFailure;
+    }
+    if (single->nextUpdate != NULL) {
+	rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
+	if (rv != SECSuccess)
+	    return rv;
+
+	LL_ADD(tmp, tmp, nextUpdate);
+	if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) {
+	    PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
+	    return SECFailure;
+	}
+    } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
+	PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
+ *   Get the value of the URI of the OCSP responder for the given cert.
+ *   This is found in the (optional) Authority Information Access extension
+ *   in the cert.
+ * INPUTS:
+ *   CERTCertificate *cert
+ *     The certificate being examined.
+ * RETURN:
+ *   char *
+ *     A copy of the URI for the OCSP method, if found.  If either the
+ *     extension is not present or it does not contain an entry for OCSP,
+ *     SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned.
+ *     Any other error will also result in a NULL being returned.
+ *     
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ */
+char *
+CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
+{
+    CERTGeneralName *locname = NULL;
+    SECItem *location = NULL;
+    SECItem *encodedAuthInfoAccess = NULL;
+    CERTAuthInfoAccess **authInfoAccess = NULL;
+    char *locURI = NULL;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    int i;
+
+    /*
+     * Allocate this one from the heap because it will get filled in
+     * by CERT_FindCertExtension which will also allocate from the heap,
+     * and we can free the entire thing on our way out.
+     */
+    encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
+    if (encodedAuthInfoAccess == NULL)
+	goto loser;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
+				encodedAuthInfoAccess);
+    if (rv == SECFailure) {
+	PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+	goto loser;
+    }
+
+    /*
+     * The rest of the things allocated in the routine will come out of
+     * this arena, which is temporary just for us to decode and get at the
+     * AIA extension.  The whole thing will be destroyed on our way out,
+     * after we have copied the location string (url) itself (if found).
+     */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena,
+							encodedAuthInfoAccess);
+    if (authInfoAccess == NULL)
+	goto loser;
+
+    for (i = 0; authInfoAccess[i] != NULL; i++) {
+	if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
+	    locname = authInfoAccess[i]->location;
+    }
+
+    /*
+     * If we found an AIA extension, but it did not include an OCSP method,
+     * that should look to our caller as if we did not find the extension
+     * at all, because it is only an OCSP method that we care about.
+     * So set the same error that would be set if the AIA extension was
+     * not there at all.
+     */
+    if (locname == NULL) {
+	PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+	goto loser;
+    }
+
+    /*
+     * The following is just a pointer back into locname (i.e. not a copy);
+     * thus it should not be freed.
+     */
+    location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
+    if (location == NULL) {
+	/*
+	 * XXX Appears that CERT_GetGeneralNameByType does not set an
+	 * error if there is no name by that type.  For lack of anything
+	 * better, act as if the extension was not found.  In the future
+	 * this should probably be something more like the extension was
+	 * badly formed.
+	 */
+	PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+	goto loser;
+    }
+
+    /*
+     * That location is really a string, but it has a specified length
+     * without a null-terminator.  We need a real string that does have
+     * a null-terminator, and we need a copy of it anyway to return to
+     * our caller -- so allocate and copy.
+     */
+    locURI = PORT_Alloc(location->len + 1);
+    if (locURI == NULL) {
+	goto loser;
+    }
+    PORT_Memcpy(locURI, location->data, location->len);
+    locURI[location->len] = '\0';
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+
+    if (encodedAuthInfoAccess != NULL)
+	SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
+
+    return locURI;
+}
+
+
+/*
+ * Figure out where we should go to find out the status of the given cert
+ * via OCSP.  If a default responder is set up, that is our answer.
+ * If not, see if the certificate has an Authority Information Access (AIA)
+ * extension for OCSP, and return the value of that.  Otherwise return NULL.
+ * We also let our caller know whether or not the responder chosen was
+ * a default responder or not through the output variable isDefault;
+ * its value has no meaning unless a good (non-null) value is returned
+ * for the location.
+ *
+ * The result needs to be freed (PORT_Free) when no longer in use.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
+			  PRBool *isDefault)
+{
+    ocspCheckingContext *ocspcx;
+
+    ocspcx = ocsp_GetCheckingContext(handle);
+    if (ocspcx != NULL && ocspcx->useDefaultResponder) {
+	/*
+	 * A default responder wins out, if specified.
+	 * XXX Someday this may be a more complicated determination based
+	 * on the cert's issuer.  (That is, we could have different default
+	 * responders configured for different issuers.)
+	 */
+	PORT_Assert(ocspcx->defaultResponderURI != NULL);
+	*isDefault = PR_TRUE;
+	return (PORT_Strdup(ocspcx->defaultResponderURI));
+    }
+
+    /*
+     * No default responder set up, so go see if we can find an AIA
+     * extension that has a value for OCSP, and get the url from that.
+     */
+    *isDefault = PR_FALSE;
+    return CERT_GetOCSPAuthorityInfoAccessLocation(cert);
+}
+
+/*
+ * Return SECSuccess if the cert was revoked *after* "time",
+ * SECFailure otherwise.
+ */
+static SECStatus
+ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, int64 time)
+{
+    int64 revokedTime;
+    SECStatus rv;
+
+    rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
+    if (rv != SECSuccess)
+	return rv;
+
+    /*
+     * Set the error even if we will return success; someone might care.
+     */
+    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+
+    if (LL_CMP(revokedTime, >, time))
+	return SECSuccess;
+
+    return SECFailure;
+}
+
+/*
+ * See if the cert represented in the single response had a good status
+ * at the specified time.
+ */
+static SECStatus
+ocsp_CertHasGoodStatus(ocspCertStatus *status, int64 time)
+{
+    SECStatus rv;
+    switch (status->certStatusType) {
+    case ocspCertStatus_good:
+        rv = SECSuccess;
+        break;
+    case ocspCertStatus_revoked:
+        rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
+        break;
+    case ocspCertStatus_unknown:
+        PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+        rv = SECFailure;
+        break;
+    case ocspCertStatus_other:
+    default:
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+        rv = SECFailure;
+        break;
+    }
+    return rv;
+}
+
+static SECStatus
+ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, 
+                                     int64 time)
+{
+    return ocsp_CertHasGoodStatus(single->certStatus, time);
+}
+
+/* Return value SECFailure means: not found or not fresh.
+ * On SECSuccess, the out parameters contain the OCSP status.
+ * rvOcsp contains the overall result of the OCSP operation.
+ * Depending on input parameter ignoreGlobalOcspFailureSetting,
+ * a soft failure might be converted into *rvOcsp=SECSuccess.
+ * If the cached attempt to obtain OCSP information had resulted
+ * in a failure, missingResponseError shows the error code of
+ * that failure.
+ */
+SECStatus
+ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
+                                        int64 time, 
+                                        PRBool ignoreGlobalOcspFailureSetting,
+                                        SECStatus *rvOcsp,
+                                        SECErrorCodes *missingResponseError)
+{
+    OCSPCacheItem *cacheItem = NULL;
+    SECStatus rv = SECFailure;
+  
+    if (!certID || !missingResponseError || !rvOcsp) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *rvOcsp = SECFailure;
+    *missingResponseError = 0;
+  
+    PR_EnterMonitor(OCSP_Global.monitor);
+    cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
+    if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) {
+        /* having an arena means, we have a cached certStatus */
+        if (cacheItem->certStatusArena) {
+            *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
+            rv = SECSuccess;
+        } else {
+            /*
+             * No status cached, the previous attempt failed.
+             * If OCSP is required, we never decide based on a failed attempt 
+             * However, if OCSP is optional, a recent OCSP failure is
+             * an allowed good state.
+             */
+            if (!ignoreGlobalOcspFailureSetting &&
+                OCSP_Global.ocspFailureMode == 
+                    ocspMode_FailureIsNotAVerificationFailure) {
+                rv = SECSuccess;
+                *rvOcsp = SECSuccess;
+            }
+            *missingResponseError = cacheItem->missingResponseError;
+        }
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return rv;
+}
+
+/*
+ * FUNCTION: CERT_CheckOCSPStatus
+ *   Checks the status of a certificate via OCSP.  Will only check status for
+ *   a certificate that has an AIA (Authority Information Access) extension
+ *   for OCSP *or* when a "default responder" is specified and enabled.
+ *   (If no AIA extension for OCSP and no default responder in place, the
+ *   cert is considered to have a good status and SECSuccess is returned.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     certificate DB of the cert that is being checked
+ *   CERTCertificate *cert
+ *     the certificate being checked
+ *   XXX in the long term also need a boolean parameter that specifies
+ *	whether to check the cert chain, as well; for now we check only
+ *	the leaf (the specified certificate)
+ *   int64 time
+ *     time for which status is to be determined
+ *   void *pwArg
+ *     argument for password prompting, if needed
+ * RETURN:
+ *   Returns SECSuccess if an approved OCSP responder "knows" the cert
+ *   *and* returns a non-revoked status for it; SECFailure otherwise,
+ *   with an error set describing the reason:
+ *
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *	SEC_ERROR_OCSP_SERVER_ERROR
+ *	SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ *	SEC_ERROR_OCSP_UNKNOWN_CERT
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
+ *
+ *	SEC_ERROR_BAD_SIGNATURE
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_INVALID_TIME
+ *	SEC_ERROR_REVOKED_CERTIFICATE
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_UNKNOWN_SIGNER
+ *
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (error allocating
+ *   memory, error performing ASN.1 decoding, etc.).
+ */    
+SECStatus 
+CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     int64 time, void *pwArg)
+{
+    CERTOCSPCertID *certID;
+    PRBool certIDWasConsumed = PR_FALSE;
+    SECStatus rv = SECFailure;
+    SECStatus rvOcsp;
+    SECErrorCodes dummy_error_code; /* we ignore this */
+  
+    OCSP_TRACE_CERT(cert);
+    OCSP_TRACE_TIME("## requested validity time:", time);
+  
+    certID = CERT_CreateOCSPCertID(cert, time);
+    if (!certID)
+        return SECFailure;
+    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+        certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
+        &rvOcsp, &dummy_error_code);
+    if (rv == SECSuccess) {
+        CERT_DestroyOCSPCertID(certID);
+        return rvOcsp;
+    }
+    rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, 
+                                       &certIDWasConsumed, 
+                                       &rvOcsp);
+    if (rv != SECSuccess) {
+        /* we were unable to obtain ocsp status */
+        PR_EnterMonitor(OCSP_Global.monitor);
+        rvOcsp = (OCSP_Global.ocspFailureMode 
+                  == ocspMode_FailureIsVerificationFailure)
+            ? SECFailure : SECSuccess;
+        PR_ExitMonitor(OCSP_Global.monitor);
+    }
+    if (!certIDWasConsumed) {
+        CERT_DestroyOCSPCertID(certID);
+    }
+    return rvOcsp;
+}
+
+/*
+ * Status in *certIDWasConsumed will always be correct, regardless of 
+ * return value.
+ */
+static SECStatus
+ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle, 
+                              CERTOCSPCertID *certID, 
+                              CERTCertificate *cert, 
+                              int64 time, 
+                              void *pwArg,
+                              PRBool *certIDWasConsumed,
+                              SECStatus *rv_ocsp)
+{
+    char *location = NULL;
+    PRBool locationIsDefault;
+    SECItem *encodedResponse = NULL;
+    CERTOCSPRequest *request = NULL;
+    CERTOCSPResponse *response = NULL;
+    CERTCertificate *signerCert = NULL;
+    CERTCertificate *issuerCert = NULL;
+    SECStatus rv = SECFailure;
+    CERTOCSPSingleResponse *single = NULL;
+
+    if (!certIDWasConsumed || !rv_ocsp) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *certIDWasConsumed = PR_FALSE;
+    *rv_ocsp = SECFailure;
+
+    /*
+     * The first thing we need to do is find the location of the responder.
+     * This will be the value of the default responder (if enabled), else
+     * it will come out of the AIA extension in the cert (if present).
+     * If we have no such location, then this cert does not "deserve" to
+     * be checked -- that is, we consider it a success and just return.
+     * The way we tell that is by looking at the error number to see if
+     * the problem was no AIA extension was found; any other error was
+     * a true failure that we unfortunately have to treat as an overall
+     * failure here.
+     */
+    location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault);
+    if (location == NULL) {
+       int err = PORT_GetError();
+       if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
+           err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+           PORT_SetError(0);
+           *rv_ocsp = SECSuccess;
+           return SECSuccess;
+       }
+       return SECFailure;
+    }
+
+    /*
+     * XXX In the fullness of time, we will want/need to handle a
+     * certificate chain.  This will be done either when a new parameter
+     * tells us to, or some configuration variable tells us to.  In any
+     * case, handling it is complicated because we may need to send as
+     * many requests (and receive as many responses) as we have certs
+     * in the chain.  If we are going to talk to a default responder,
+     * and we only support one default responder, we can put all of the
+     * certs together into one request.  Otherwise, we must break them up
+     * into multiple requests.  (Even if all of the requests will go to
+     * the same location, the signature on each response will be different,
+     * because each issuer is different.  Carefully read the OCSP spec
+     * if you do not understand this.)
+     */
+
+    /*
+     * XXX If/when signing of requests is supported, that second NULL
+     * should be changed to be the signer certificate.  Not sure if that
+     * should be passed into this function or retrieved via some operation
+     * on the handle/context.
+     */
+    encodedResponse = 
+        ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, location,
+                                                 time, locationIsDefault,
+                                                 pwArg, &request);
+    if (encodedResponse == NULL) {
+        goto loser;
+    }
+
+    response = CERT_DecodeOCSPResponse(encodedResponse);
+    if (response == NULL) {
+	goto loser;
+    }
+
+    /*
+     * Okay, we at least have a response that *looks* like a response!
+     * Now see if the overall response status value is good or not.
+     * If not, we set an error and give up.  (It means that either the
+     * server had a problem, or it didn't like something about our
+     * request.  Either way there is nothing to do but give up.)
+     * Otherwise, we continue to find the actual per-cert status
+     * in the response.
+     */
+    if (CERT_GetOCSPResponseStatus(response) != SECSuccess) {
+	goto loser;
+    }
+
+    /*
+     * If we've made it this far, we expect a response with a good signature.
+     * So, check for that.
+     */
+    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
+    rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
+			issuerCert);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Assert(signerCert != NULL);	/* internal consistency check */
+    /* XXX probably should set error, return failure if signerCert is null */
+
+
+    /*
+     * Again, we are only doing one request for one cert.
+     * XXX When we handle cert chains, the following code will obviously
+     * have to be modified, in coordation with the code above that will
+     * have to determine how to make multiple requests, etc. 
+     */
+
+    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, 
+                                                 signerCert, time, &single);
+    if (rv != SECSuccess)
+        goto loser;
+
+    *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(single, time);
+
+loser:
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (OCSP_Global.maxCacheEntries >= 0) {
+        /* single == NULL means: remember response failure */
+        ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, 
+                                      certIDWasConsumed);
+        /* ignore cache update failures */
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+
+    if (issuerCert != NULL)
+	CERT_DestroyCertificate(issuerCert);
+    if (signerCert != NULL)
+	CERT_DestroyCertificate(signerCert);
+    if (response != NULL)
+	CERT_DestroyOCSPResponse(response);
+    if (request != NULL)
+	CERT_DestroyOCSPRequest(request);
+    if (encodedResponse != NULL)
+	SECITEM_FreeItem(encodedResponse, PR_TRUE);
+    if (location != NULL)
+	PORT_Free(location);
+    return rv;
+}
+
+static SECStatus
+ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
+                                        CERTOCSPResponse *response, 
+                                        CERTOCSPCertID   *certID,
+                                        CERTCertificate  *signerCert,
+                                        int64             time,
+                                        CERTOCSPSingleResponse 
+                                            **pSingleResponse)
+{
+    SECStatus rv;
+    ocspResponseData *responseData;
+    int64 producedAt;
+    CERTOCSPSingleResponse *single;
+
+    /*
+     * The ResponseData part is the real guts of the response.
+     */
+    responseData = ocsp_GetResponseData(response, NULL);
+    if (responseData == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    /*
+     * There is one producedAt time for the entire response (and a separate
+     * thisUpdate time for each individual single response).  We need to
+     * compare them, so get the overall time to pass into the check of each
+     * single response.
+     */
+    rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt);
+    if (rv != SECSuccess)
+        goto loser;
+
+    single = ocsp_GetSingleResponseForCertID(responseData->responses,
+                                             handle, certID);
+    if (single == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt);
+    if (rv != SECSuccess)
+        goto loser;
+    *pSingleResponse = single;
+
+loser:
+    return rv;
+}
+
+SECStatus
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
+                            CERTOCSPResponse *response, 
+                            CERTOCSPCertID   *certID,
+                            CERTCertificate  *signerCert,
+                            int64             time)
+{
+    /*
+     * We do not update the cache, because:
+     *
+     * CERT_GetOCSPStatusForCertID is an old exported API that was introduced
+     * before the OCSP cache got implemented.
+     *
+     * The implementation of helper function cert_ProcessOCSPResponse
+     * requires the ability to transfer ownership of the the given certID to
+     * the cache. The external API doesn't allow us to prevent the caller from
+     * destroying the certID. We don't have the original certificate available,
+     * therefore we are unable to produce another certID object (that could 
+     * be stored in the cache).
+     *
+     * Should we ever implement code to produce a deep copy of certID,
+     * then this could be changed to allow updating the cache.
+     * The duplication would have to be done in 
+     * cert_ProcessOCSPResponse, if the out parameter to indicate
+     * a transfer of ownership is NULL.
+     */
+    return cert_ProcessOCSPResponse(handle, response, certID, 
+                                    signerCert, time, 
+                                    NULL, NULL);
+}
+
+/*
+ * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID.
+ */
+SECStatus
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle, 
+                         CERTOCSPResponse *response, 
+                         CERTOCSPCertID   *certID,
+                         CERTCertificate  *signerCert,
+                         int64             time,
+                         PRBool           *certIDWasConsumed,
+                         SECStatus        *cacheUpdateStatus)
+{
+    SECStatus rv;
+    SECStatus rv_cache;
+    CERTOCSPSingleResponse *single = NULL;
+
+    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, 
+                                                 signerCert, time, &single);
+    if (rv == SECSuccess) {
+        /*
+         * Check whether the status says revoked, and if so 
+         * how that compares to the time value passed into this routine.
+         */
+        rv = ocsp_SingleResponseCertHasGoodStatus(single, time);
+    }
+
+    if (certIDWasConsumed) {
+        /*
+         * We don't have copy-of-certid implemented. In order to update 
+         * the cache, the caller must supply an out variable 
+         * certIDWasConsumed, allowing us to return ownership status.
+         */
+  
+        PR_EnterMonitor(OCSP_Global.monitor);
+        if (OCSP_Global.maxCacheEntries >= 0) {
+            /* single == NULL means: remember response failure */
+            rv_cache = 
+                ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID,
+                                              single, certIDWasConsumed);
+        }
+        PR_ExitMonitor(OCSP_Global.monitor);
+        if (cacheUpdateStatus) {
+            *cacheUpdateStatus = rv_cache;
+        }
+    }
+
+    return rv;
+}
+
+SECStatus
+cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
+                                   PRBool         *certIDWasConsumed)
+{
+    SECStatus rv = SECSuccess;
+    PR_EnterMonitor(OCSP_Global.monitor);
+    if (OCSP_Global.maxCacheEntries >= 0) {
+        rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, 
+                                           certIDWasConsumed);
+    }
+    PR_ExitMonitor(OCSP_Global.monitor);
+    return rv;
+}
+
+/*
+ * Disable status checking and destroy related structures/data.
+ */
+static SECStatus
+ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
+{
+    ocspCheckingContext *statusContext;
+
+    /*
+     * Disable OCSP checking
+     */
+    statusConfig->statusChecker = NULL;
+
+    statusContext = statusConfig->statusContext;
+    PORT_Assert(statusContext != NULL);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    if (statusContext->defaultResponderURI != NULL)
+	PORT_Free(statusContext->defaultResponderURI);
+    if (statusContext->defaultResponderNickname != NULL)
+	PORT_Free(statusContext->defaultResponderNickname);
+
+    PORT_Free(statusContext);
+    statusConfig->statusContext = NULL;
+
+    PORT_Free(statusConfig);
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DisableOCSPChecking
+ *   Turns off OCSP checking for the given certificate database.
+ *   This routine disables OCSP checking.  Though it will return
+ *   SECFailure if OCSP checking is not enabled, it is "safe" to
+ *   call it that way and just ignore the return value, if it is
+ *   easier to just call it than to "remember" whether it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be disabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (usually means that OCSP
+ *   checking was not enabled or status contexts were not initialized --
+ *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
+ */
+SECStatus
+CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *statusContext;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    statusContext = ocsp_GetCheckingContext(handle);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
+	/*
+	 * Status configuration is present, but either not currently
+	 * enabled or not for OCSP.
+	 */
+	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+	return SECFailure;
+    }
+
+    /* cache no longer necessary */
+    CERT_ClearOCSPCache();
+
+    /*
+     * This is how we disable status checking.  Everything else remains
+     * in place in case we are enabled again.
+     */
+    statusConfig->statusChecker = NULL;
+
+    return SECSuccess;
+}
+
+/*
+ * Allocate and initialize the informational structures for status checking.
+ * This is done when some configuration of OCSP is being done or when OCSP
+ * checking is being turned on, whichever comes first.
+ */
+static SECStatus
+ocsp_InitStatusChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig = NULL;
+    ocspCheckingContext *statusContext = NULL;
+
+    PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
+    if (CERT_GetStatusConfig(handle) != NULL) {
+	/* XXX or call statusConfig->statusDestroy and continue? */
+	return SECFailure;
+    }
+
+    statusConfig = PORT_ZNew(CERTStatusConfig);
+    if (statusConfig == NULL)
+	goto loser;
+
+    statusContext = PORT_ZNew(ocspCheckingContext);
+    if (statusContext == NULL)
+	goto loser;
+
+    statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
+    statusConfig->statusContext = statusContext;
+
+    CERT_SetStatusConfig(handle, statusConfig);
+
+    return SECSuccess;
+
+loser:
+    if (statusConfig != NULL)
+	PORT_Free(statusConfig);
+    return SECFailure;
+}
+
+
+/*
+ * FUNCTION: CERT_EnableOCSPChecking
+ *   Turns on OCSP checking for the given certificate database.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be enabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (likely only problem
+ *   allocating memory); SECSuccess otherwise.
+ */
+SECStatus
+CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    
+    SECStatus rv;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig == NULL) {
+	rv = ocsp_InitStatusChecking(handle);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/* Get newly established value */
+	statusConfig = CERT_GetStatusConfig(handle);
+	PORT_Assert(statusConfig != NULL);
+    }
+
+    /*
+     * Setting the checker function is what really enables the checking
+     * when each cert verification is done.
+     */
+    statusConfig->statusChecker = CERT_CheckOCSPStatus;
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_SetOCSPDefaultResponder
+ *   Specify the location and cert of the default responder.
+ *   If OCSP checking is already enabled *and* use of a default responder
+ *   is also already enabled, all OCSP checking from now on will go directly
+ *   to the specified responder.  If OCSP checking is not enabled, or if
+ *   it is but use of a default responder is not enabled, the information
+ *   will be recorded and take effect whenever both are enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ *   char *url
+ *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
+ *     Note that the location will not be tested until the first attempt
+ *     to send a request there.
+ *   char *name
+ *     The nickname of the cert to trust (expected) to sign the OCSP responses.
+ *     If the corresponding cert cannot be found, SECFailure is returned.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   The most likely error is that the cert for "name" could not be found
+ *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
+ *   bad database, etc.).
+ */
+SECStatus
+CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
+			     const char *url, const char *name)
+{
+    CERTCertificate *cert;
+    ocspCheckingContext *statusContext;
+    char *url_copy = NULL;
+    char *name_copy = NULL;
+    SECStatus rv;
+
+    if (handle == NULL || url == NULL || name == NULL) {
+	/*
+	 * XXX When interface is exported, probably want better errors;
+	 * perhaps different one for each parameter.
+	 */
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /*
+     * Find the certificate for the specified nickname.  Do this first
+     * because it seems the most likely to fail.
+     *
+     * XXX Shouldn't need that cast if the FindCertByNickname interface
+     * used const to convey that it does not modify the name.  Maybe someday.
+     */
+    cert = CERT_FindCertByNickname(handle, (char *) name);
+    if (cert == NULL) {
+      /*
+       * look for the cert on an external token.
+       */
+      cert = PK11_FindCertFromNickname((char *)name, NULL);
+    }
+    if (cert == NULL)
+	return SECFailure;
+
+    /*
+     * Make a copy of the url and nickname.
+     */
+    url_copy = PORT_Strdup(url);
+    name_copy = PORT_Strdup(name);
+    if (url_copy == NULL || name_copy == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    statusContext = ocsp_GetCheckingContext(handle);
+
+    /*
+     * Allocate and init the context if it doesn't already exist.
+     */
+    if (statusContext == NULL) {
+	rv = ocsp_InitStatusChecking(handle);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	statusContext = ocsp_GetCheckingContext(handle);
+	PORT_Assert(statusContext != NULL);	/* extreme paranoia */
+    }
+
+    /*
+     * Note -- we do not touch the status context until after all of
+     * the steps which could cause errors.  If something goes wrong,
+     * we want to leave things as they were.
+     */
+
+    /*
+     * Get rid of old url and name if there.
+     */
+    if (statusContext->defaultResponderNickname != NULL)
+	PORT_Free(statusContext->defaultResponderNickname);
+    if (statusContext->defaultResponderURI != NULL)
+	PORT_Free(statusContext->defaultResponderURI);
+
+    /*
+     * And replace them with the new ones.
+     */
+    statusContext->defaultResponderURI = url_copy;
+    statusContext->defaultResponderNickname = name_copy;
+
+    /*
+     * If there was already a cert in place, get rid of it and replace it.
+     * Otherwise, we are not currently enabled, so we don't want to save it;
+     * it will get re-found and set whenever use of a default responder is
+     * enabled.
+     */
+    if (statusContext->defaultResponderCert != NULL) {
+	CERT_DestroyCertificate(statusContext->defaultResponderCert);
+	statusContext->defaultResponderCert = cert;
+        /*OCSP enabled, switching responder: clear cache*/
+        CERT_ClearOCSPCache();
+    } else {
+	PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
+	CERT_DestroyCertificate(cert);
+        /*OCSP currently not enabled, no need to clear cache*/
+    }
+
+    return SECSuccess;
+
+loser:
+    CERT_DestroyCertificate(cert);
+    if (url_copy != NULL)
+	PORT_Free(url_copy);
+    if (name_copy != NULL)
+	PORT_Free(name_copy);
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_EnableOCSPDefaultResponder
+ *   Turns on use of a default responder when OCSP checking.
+ *   If OCSP checking is already enabled, this will make subsequent checks
+ *   go directly to the default responder.  (The location of the responder
+ *   and the nickname of the responder cert must already be specified.)
+ *   If OCSP checking is not enabled, this will be recorded and take effect
+ *   whenever it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   No errors are especially likely unless the caller did not previously
+ *   perform a successful call to SetOCSPDefaultResponder (in which case
+ *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
+ */
+SECStatus
+CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
+{
+    ocspCheckingContext *statusContext;
+    CERTCertificate *cert;
+    SECStatus rv;
+    SECCertificateUsage usage;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusContext = ocsp_GetCheckingContext(handle);
+
+    if (statusContext == NULL) {
+	/*
+	 * Strictly speaking, the error already set is "correct",
+	 * but cover over it with one more helpful in this context.
+	 */
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    if (statusContext->defaultResponderURI == NULL) {
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    if (statusContext->defaultResponderNickname == NULL) {
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    /*
+     * Find the cert for the nickname.
+     */
+    cert = CERT_FindCertByNickname(handle,
+				   statusContext->defaultResponderNickname);
+    if (cert == NULL) {
+        cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
+                                         NULL);
+    }
+    /*
+     * We should never have trouble finding the cert, because its
+     * existence should have been proven by SetOCSPDefaultResponder.
+     */
+    PORT_Assert(cert != NULL);
+    if (cert == NULL)
+	return SECFailure;
+
+   /*
+    * Supplied cert should at least have  a signing capability in order for us
+    * to use it as a trusted responder cert. Ability to sign is guaranteed  if
+    * cert is validated to have any set of the usages below.
+    */
+    rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE,
+                                   certificateUsageCheckAllUsages,
+                                   NULL, &usage);
+    if (rv != SECSuccess || (usage & (certificateUsageSSLClient |
+                                      certificateUsageSSLServer |
+                                      certificateUsageSSLServerWithStepUp |
+                                      certificateUsageEmailSigner |
+                                      certificateUsageObjectSigner |
+                                      certificateUsageStatusResponder |
+                                      certificateUsageSSLCA)) == 0) {
+	PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID);
+	return SECFailure;
+    }
+
+    /*
+     * And hang onto it.
+     */
+    statusContext->defaultResponderCert = cert;
+
+    /* we don't allow a mix of cache entries from different responders */
+    CERT_ClearOCSPCache();
+
+    /*
+     * Finally, record the fact that we now have a default responder enabled.
+     */
+    statusContext->useDefaultResponder = PR_TRUE;
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DisableOCSPDefaultResponder
+ *   Turns off use of a default responder when OCSP checking.
+ *   (Does nothing if use of a default responder is not enabled.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should stop using a default
+ *     responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   Errors very unlikely (like random memory corruption...).
+ */
+SECStatus
+CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *statusContext;
+    CERTCertificate *tmpCert;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig == NULL)
+	return SECSuccess;
+
+    statusContext = ocsp_GetCheckingContext(handle);
+    PORT_Assert(statusContext != NULL);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    tmpCert = statusContext->defaultResponderCert;
+    if (tmpCert) {
+	statusContext->defaultResponderCert = NULL;
+	CERT_DestroyCertificate(tmpCert);
+        /* we don't allow a mix of cache entries from different responders */
+        CERT_ClearOCSPCache();
+    }
+
+    /*
+     * Finally, record the fact.
+     */
+    statusContext->useDefaultResponder = PR_FALSE;
+    return SECSuccess;
+}
+
+
+SECStatus
+CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
+{
+    PORT_Assert(response);
+    if (response->statusValue == ocspResponse_successful)
+	return SECSuccess;
+
+    switch (response->statusValue) {
+      case ocspResponse_malformedRequest:
+	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+	break;
+      case ocspResponse_internalError:
+	PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+	break;
+      case ocspResponse_tryLater:
+	PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
+	break;
+      case ocspResponse_sigRequired:
+	/* XXX We *should* retry with a signature, if possible. */
+	PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
+	break;
+      case ocspResponse_unauthorized:
+	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
+	break;
+      case ocspResponse_other:
+      case ocspResponse_unused:
+      default:
+	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
+	break;
+    }
+    return SECFailure;
+}
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
new file mode 100644
index 000000000..8095f9c1a
--- /dev/null
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -0,0 +1,616 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Interface to the OCSP implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSP_H_
+#define _OCSP_H_
+
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+#include "ocspt.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * This function registers the HttpClient with whose functions the
+ * HttpClientFcn structure has been populated as the default Http
+ * client.
+ *
+ * The function table must be a global object.
+ * The caller must ensure that NSS will be able to call
+ * the registered functions for the lifetime of the process.
+ */
+extern SECStatus
+SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);
+
+/*
+ * This function obtains the HttpClient which has been registered
+ * by an earlier call to SEC_RegisterDefaultHttpClient.
+ */
+extern const SEC_HttpClientFcn *
+SEC_GetRegisteredHttpClient(void);
+
+/*
+ * Sets parameters that control NSS' internal OCSP cache.
+ * maxCacheEntries, special varlues are:
+ *   -1 disable cache
+ *   0 unlimited cache entries
+ * minimumSecondsToNextFetchAttempt:
+ *   whenever an OCSP request was attempted or completed over the network,
+ *   wait at least this number of seconds before trying to fetch again.
+ * maximumSecondsToNextFetchAttempt:
+ *   this is the maximum age of a cached response we allow, until we try
+ *   to fetch an updated response, even if the OCSP responder expects
+ *   that newer information update will not be available yet.
+ */
+extern SECStatus
+CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
+                       PRUint32 minimumSecondsToNextFetchAttempt,
+                       PRUint32 maximumSecondsToNextFetchAttempt);
+
+/*
+ * Set the desired behaviour on OCSP failures.
+ * See definition of ocspFailureMode for allowed choices.
+ */
+extern SECStatus
+CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode);
+
+/*
+ * Configure the maximum time NSS will wait for an OCSP response.
+ */
+extern SECStatus
+CERT_SetOCSPTimeout(PRUint32 seconds);
+
+/*
+ * Removes all items currently stored in the OCSP cache.
+ */
+extern SECStatus
+CERT_ClearOCSPCache(void);
+
+/*
+ * FUNCTION: CERT_EnableOCSPChecking
+ *   Turns on OCSP checking for the given certificate database.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be enabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (likely only problem
+ *   allocating memory); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPChecking
+ *   Turns off OCSP checking for the given certificate database.
+ *   This routine disables OCSP checking.  Though it will return
+ *   SECFailure if OCSP checking is not enabled, it is "safe" to
+ *   call it that way and just ignore the return value, if it is
+ *   easier to just call it than to "remember" whether it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be disabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (usually means that OCSP
+ *   checking was not enabled or status contexts were not initialized --
+ *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_SetOCSPDefaultResponder
+ *   Specify the location and cert of the default responder.
+ *   If OCSP checking is already enabled *and* use of a default responder
+ *   is also already enabled, all OCSP checking from now on will go directly
+ *   to the specified responder.  If OCSP checking is not enabled, or if
+ *   it is but use of a default responder is not enabled, the information
+ *   will be recorded and take effect whenever both are enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ *   char *url
+ *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
+ *     Note that the location will not be tested until the first attempt
+ *     to send a request there.
+ *   char *name
+ *     The nickname of the cert to trust (expected) to sign the OCSP responses.
+ *     If the corresponding cert cannot be found, SECFailure is returned.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   The most likely error is that the cert for "name" could not be found
+ *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
+ *   bad database, etc.).
+ */
+extern SECStatus
+CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
+			     const char *url, const char *name);
+
+/*
+ * FUNCTION: CERT_EnableOCSPDefaultResponder
+ *   Turns on use of a default responder when OCSP checking.
+ *   If OCSP checking is already enabled, this will make subsequent checks
+ *   go directly to the default responder.  (The location of the responder
+ *   and the nickname of the responder cert must already be specified.)
+ *   If OCSP checking is not enabled, this will be recorded and take effect
+ *   whenever it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   No errors are especially likely unless the caller did not previously
+ *   perform a successful call to SetOCSPDefaultResponder (in which case
+ *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
+ */
+extern SECStatus
+CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPDefaultResponder
+ *   Turns off use of a default responder when OCSP checking.
+ *   (Does nothing if use of a default responder is not enabled.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should stop using a default
+ *     responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   Errors very unlikely (like random memory corruption...).
+ */
+extern SECStatus
+CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * -------------------------------------------------------
+ * The Functions above are those expected to be used by a client
+ * providing OCSP status checking along with every cert verification.
+ * The functions below are for OCSP testing, debugging, or clients
+ * or servers performing more specialized OCSP tasks.
+ * -------------------------------------------------------
+ */
+
+/*
+ * FUNCTION: CERT_CreateOCSPRequest
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   the given list.
+ * INPUTS:
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   PRTime time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no effect on the request itself.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *     XXX note that request signing is not yet supported; see comment in code
+ * RETURN:
+ *   A pointer to a CERTOCSPRequest structure containing an OCSP request
+ *   for the cert list.  On error, null is returned, with an error set
+ *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
+ *   (The issuer is needed to create a request for the certificate.)
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern CERTOCSPRequest *
+CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, 
+		       PRBool addServiceLocator,
+		       CERTCertificate *signerCert);
+
+/*
+ * FUNCTION: CERT_AddOCSPAcceptableResponses
+ *   Add the AcceptableResponses extension to an OCSP Request.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     The request to which the extension should be added.
+ *   SECOidTag responseType0, ...
+ *     A list (of one or more) of SECOidTag -- each of the response types
+ *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
+ *     (This marks the end of the list, and it must be specified because a
+ *     client conforming to the OCSP standard is required to handle the basic
+ *     response type.)  The OIDs are not checked in any way.
+ * RETURN:
+ *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
+ *   All errors are internal or low-level problems (e.g. no memory).
+ */
+extern SECStatus
+CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
+				SECOidTag responseType0, ...);
+
+/* 
+ * FUNCTION: CERT_EncodeOCSPRequest
+ *   DER encodes an OCSP Request, possibly adding a signature as well.
+ *   XXX Signing is not yet supported, however; see comments in code.
+ * INPUTS: 
+ *   PLArenaPool *arena
+ *     The return value is allocated from here.
+ *     If a NULL is passed in, allocation is done from the heap instead.
+ *   CERTOCSPRequest *request
+ *     The request to be encoded.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * RETURN:
+ *   Returns a NULL on error and a pointer to the SECItem with the
+ *   encoded value otherwise.  Any error is likely to be low-level
+ *   (e.g. no memory).
+ */
+extern SECItem *
+CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, 
+		       void *pwArg);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPRequest
+ *   Decode a DER encoded OCSP Request.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Request.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
+ *   On error, returns NULL.  Most likely error is trouble decoding
+ *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
+ */
+extern CERTOCSPRequest *
+CERT_DecodeOCSPRequest(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPRequest
+ *   Frees an OCSP Request structure.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     Pointer to CERTOCSPRequest to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPResponse
+ *   Decode a DER encoded OCSP Response.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Response.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
+ *   the caller is responsible for destroying it.  Or NULL if error (either
+ *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+ *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
+ *   or a low-level or internal error occurred).
+ */
+extern CERTOCSPResponse *
+CERT_DecodeOCSPResponse(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPResponse
+ *   Frees an OCSP Response structure.
+ * INPUTS:
+ *   CERTOCSPResponse *request
+ *     Pointer to CERTOCSPResponse to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ * INPUTS:
+ *   PLArenaPool *arena
+ *     Pointer to arena from which return value will be allocated.
+ *     If NULL, result will be allocated from the heap (and thus should
+ *     be freed via SECITEM_FreeItem).
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   char *location
+ *     The location of the OCSP responder (a URL).
+ *   PRTime time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no other bearing on the operation.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * OUTPUTS:
+ *   CERTOCSPRequest **pRequest
+ *     Pointer in which to store the OCSP request created for the given
+ *     list of certificates.  It is only filled in if the entire operation
+ *     is successful and the pointer is not null -- and in that case the
+ *     caller is then reponsible for destroying it.
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern SECItem *
+CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
+			    char *location, PRTime time,
+			    PRBool addServiceLocator,
+			    CERTCertificate *signerCert, void *pwArg,
+			    CERTOCSPRequest **pRequest);
+
+/*
+ * FUNCTION: CERT_VerifyOCSPResponseSignature
+ *   Check the signature on an OCSP Response.  Will also perform a
+ *   verification of the signer's certificate.  Note, however, that a
+ *   successful verification does not make any statement about the
+ *   signer's *authority* to provide status for the certificate(s),
+ *   that must be checked individually for each certificate.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     Pointer to response structure with signature to be checked.
+ *   CERTCertDBHandle *handle
+ *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.
+ *   CERTCertificate *issuerCert
+ *     Issuer of the certificate that generated the OCSP request.
+ * OUTPUTS:
+ *   CERTCertificate **pSignerCert
+ *     Pointer in which to store signer's certificate; only filled-in if
+ *     non-null.
+ * RETURN:
+ *   Returns SECSuccess when signature is valid, anything else means invalid.
+ *   Possible errors set:
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
+ *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+extern SECStatus
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
+				 CERTCertDBHandle *handle, void *pwArg,
+				 CERTCertificate **pSignerCert,
+				 CERTCertificate *issuerCert);
+
+/*
+ * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
+ *   Get the value of the URI of the OCSP responder for the given cert.
+ *   This is found in the (optional) Authority Information Access extension
+ *   in the cert.
+ * INPUTS:
+ *   CERTCertificate *cert
+ *     The certificate being examined.
+ * RETURN:
+ *   char *
+ *     A copy of the URI for the OCSP method, if found.  If either the
+ *     extension is not present or it does not contain an entry for OCSP,
+ *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
+ *     Any other error will also result in a NULL being returned.
+ *     
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ */
+extern char *
+CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
+
+/*
+ * FUNCTION: CERT_ParseURL
+ *   Parse the URI of a OCSP responder into hostname, port, and path.
+ * INPUTS:
+ *   const char *location
+ *     The URI to be parsed
+ * OUTPUTS:
+ *   char *pHostname
+ *     Pointer to store the hostname obtained from the URI.
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ *   PRUint16 *pPort
+ *     Pointer to store the port number obtained from the URI.
+ *   char *pPath
+ *     Pointer to store the path obtained from the URI.
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ * RETURN:
+ *   Returns SECSuccess when parsing was successful. Anything else means
+ *   problems were encountered.
+ *     
+ */
+extern SECStatus
+CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath);
+
+/*
+ * FUNCTION: CERT_CheckOCSPStatus
+ *   Checks the status of a certificate via OCSP.  Will only check status for
+ *   a certificate that has an AIA (Authority Information Access) extension
+ *   for OCSP *or* when a "default responder" is specified and enabled.
+ *   (If no AIA extension for OCSP and no default responder in place, the
+ *   cert is considered to have a good status and SECSuccess is returned.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     certificate DB of the cert that is being checked
+ *   CERTCertificate *cert
+ *     the certificate being checked
+ *   XXX in the long term also need a boolean parameter that specifies
+ *	whether to check the cert chain, as well; for now we check only
+ *	the leaf (the specified certificate)
+ *   PRTime time
+ *     time for which status is to be determined
+ *   void *pwArg
+ *     argument for password prompting, if needed
+ * RETURN:
+ *   Returns SECSuccess if an approved OCSP responder "knows" the cert
+ *   *and* returns a non-revoked status for it; SECFailure otherwise,
+ *   with an error set describing the reason:
+ *
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *	SEC_ERROR_OCSP_SERVER_ERROR
+ *	SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ *	SEC_ERROR_OCSP_UNKNOWN_CERT
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
+ *
+ *	SEC_ERROR_BAD_SIGNATURE
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_INVALID_TIME
+ *	SEC_ERROR_REVOKED_CERTIFICATE
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_UNKNOWN_SIGNER
+ *
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (error allocating
+ *   memory, error performing ASN.1 decoding, etc.).
+ */    
+extern SECStatus 
+CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     PRTime time, void *pwArg);
+/*
+ * FUNCTION: CERT_GetOCSPStatusForCertID
+ *  Returns the OCSP status contained in the passed in paramter response
+ *  that corresponds to the certID passed in.
+ * INPUTS:
+ *  CERTCertDBHandle *handle
+ *    certificate DB of the cert that is being checked
+ *  CERTOCSPResponse *response
+ *    the OCSP response we want to retrieve status from.
+ *  CERTOCSPCertID *certID
+ *    the ID we want to look for from the response.
+ *  CERTCertificate *signerCert
+ *    the certificate that was used to sign the OCSP response.
+ *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
+ *  PRTime time
+ *    The time at which we're checking the status for.
+ *  RETURN:
+ *    Return values are the same as those for CERT_CheckOCSPStatus
+ */
+extern SECStatus
+CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
+			    CERTOCSPResponse *response,
+			    CERTOCSPCertID   *certID,
+			    CERTCertificate  *signerCert,
+                            PRTime            time);
+
+/*
+ * FUNCTION CERT_GetOCSPResponseStatus
+ *   Returns the response status for the response passed.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     The response to query for status
+ *  RETURN:
+ *    Returns SECSuccess if the response has a successful status value.
+ *    Otherwise it returns SECFailure and sets one of the following error
+ *    codes via PORT_SetError
+ *        SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *        SEC_ERROR_OCSP_SERVER_ERROR
+ *        SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *        SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ */
+extern SECStatus
+CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
+
+/*
+ * FUNCTION CERT_CreateOCSPCertID
+ *  Returns the OCSP certID for the certificate passed in.
+ * INPUTS:
+ *  CERTCertificate *cert
+ *    The certificate for which to create the certID for.
+ *  PRTime time
+ *    The time at which the id is requested for.  This is used
+ *    to determine the appropriate issuer for the cert since
+ *    the issuing CA may be an older expired certificate.
+ *  RETURN:
+ *    A new copy of a CERTOCSPCertID*.  The memory for this certID
+ *    should be freed by calling CERT_DestroyOCSPCertID when the 
+ *    certID is no longer necessary.
+ */
+extern CERTOCSPCertID*
+CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPCertID
+ *  Frees the memory associated with the certID passed in.
+ * INPUTS:
+ *  CERTOCSPCertID* certID
+ *    The certID that the caller no longer needs and wants to 
+ *    free the associated memory.
+ * RETURN:
+ *  SECSuccess if freeing the memory was successful.  Returns
+ *  SECFailure if the memory passed in was not allocated with
+ *  a call to CERT_CreateOCSPCertID.
+ */
+extern SECStatus
+CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _OCSP_H_ */
diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h
new file mode 100644
index 000000000..913cc81ef
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspi.h
@@ -0,0 +1,162 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * ocspi.h - NSS internal interfaces to OCSP code
+ *
+ * $Id$
+ */
+
+#ifndef _OCSPI_H_
+#define _OCSPI_H_
+
+SECStatus OCSP_InitGlobal(void);
+SECStatus OCSP_ShutdownGlobal(void);
+
+ocspResponseData *
+ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER);
+
+ocspSignature *
+ocsp_GetResponseSignature(CERTOCSPResponse *response);
+
+PRBool
+ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert);
+
+CERTCertificate *
+ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData,
+                          ocspSignature *signature, CERTCertificate *issuer);
+
+SECStatus
+ocsp_VerifyResponseSignature(CERTCertificate *signerCert,
+                             ocspSignature *signature,
+                             SECItem *tbsResponseDataDER,
+                             void *pwArg);
+
+CERTOCSPRequest *
+cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, 
+                                 CERTCertificate *singleCert, 
+                                 int64 time, 
+                                 PRBool addServiceLocator,
+                                 CERTCertificate *signerCert);
+
+SECStatus
+ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
+                                        int64 time, 
+                                        PRBool ignoreOcspFailureMode,
+                                        SECStatus *rvOcsp,
+                                        SECErrorCodes *missingResponseError);
+
+/*
+ * FUNCTION: cert_ProcessOCSPResponse
+ *  Same behavior and basic parameters as CERT_GetOCSPStatusForCertID.
+ *  In addition it can update the OCSP cache (using information
+ *  available internally to this function).
+ * INPUTS:
+ *  CERTCertDBHandle *handle
+ *    certificate DB of the cert that is being checked
+ *  CERTOCSPResponse *response
+ *    the OCSP response we want to retrieve status from.
+ *  CERTOCSPCertID *certID
+ *    the ID we want to look for from the response.
+ *  CERTCertificate *signerCert
+ *    the certificate that was used to sign the OCSP response.
+ *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
+ *  int64 time
+ *    The time at which we're checking the status for.
+ *  PRBool *certIDWasConsumed
+ *    In and Out parameter.
+ *    If certIDWasConsumed is NULL on input,
+ *    this function might produce a deep copy of cert ID
+ *    for storing it in the cache.
+ *    If out value is true, ownership of parameter certID was
+ *    transferred to the OCSP cache.
+ *  SECStatus *cacheUpdateStatus
+ *    This optional out parameter will contain the result
+ *    of the cache update operation (if requested).
+ *  RETURN:
+ *    The return value is not influenced by the cache operation,
+ *    it matches the documentation for CERT_CheckOCSPStatus
+ */
+
+SECStatus
+cert_ProcessOCSPResponse(CERTCertDBHandle *handle, 
+                         CERTOCSPResponse *response, 
+                         CERTOCSPCertID   *certID,
+                         CERTCertificate  *signerCert,
+                         int64             time,
+                         PRBool           *certIDWasConsumed,
+                         SECStatus        *cacheUpdateStatus);
+
+/*
+ * FUNCTION: cert_RememberOCSPProcessingFailure
+ *  If an application notices a failure during OCSP processing,
+ *  it should finally call this function. The failure will be recorded
+ *  in the OCSP cache in order to avoid repetitive failures.
+ * INPUTS:
+ *  CERTOCSPCertID *certID
+ *    the ID that was used for the failed OCSP processing
+ *  PRBool *certIDWasConsumed
+ *    Out parameter, if set to true, ownership of parameter certID was
+ *    transferred to the OCSP cache.
+ *  RETURN:
+ *    Status of the cache update operation.
+ */
+
+SECStatus
+cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID,
+                                   PRBool         *certIDWasConsumed);
+
+/*
+ * FUNCTION: ocsp_GetResponderLocation
+ *  Check ocspx context for user-designated responder URI first. If not
+ *  found, checks cert AIA extension.
+ * INPUTS:
+ *  CERTCertDBHandle *handle
+ *    certificate DB of the cert that is being checked
+ *  CERTCertificate *cert
+ *     The certificate being examined.
+ *  PRBool *certIDWasConsumed
+ *    Out parameter, if set to true, URI of default responder is
+ *    returned.
+ *  RETURN:
+ *    Responder URI.
+ */
+char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle,
+                          CERTCertificate *cert,
+                          PRBool *isDefault);
+
+
+#endif /* _OCSPI_H_ */
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
new file mode 100644
index 000000000..19aaf98ee
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -0,0 +1,316 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Public header for exported OCSP types.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSPT_H_
+#define _OCSPT_H_
+
+/*
+ * The following are all opaque types.  If someone needs to get at
+ * a field within, then we need to fix the API.  Try very hard not
+ * make the type available to them.
+ */
+typedef struct CERTOCSPRequestStr CERTOCSPRequest;
+typedef struct CERTOCSPResponseStr CERTOCSPResponse;
+
+/*
+ * XXX I think only those first two above should need to be exported,
+ * but until I know for certain I am leaving the rest of these here, too.
+ */
+typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
+typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
+typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
+
+/*
+ * This interface is described in terms of an HttpClient which
+ * supports at least a specified set of functions. (An implementer may
+ * provide HttpClients with additional functionality accessible only to
+ * users with a particular implementation in mind.) The basic behavior
+ * is provided by defining a set of functions, listed in an
+ * SEC_HttpServerFcnStruct. If the implementor of a SpecificHttpClient
+ * registers his SpecificHttpClient as the default HttpClient, then his
+ * functions will be called by the user of an HttpClient, such as an
+ * OCSPChecker.
+ *
+ * The implementer of a specific HttpClient (e.g., the NSS-provided
+ * DefaultHttpClient), populates an SEC_HttpClientFcnStruct, uses it to
+ * register his client, and waits for his functions to be called.
+ *
+ * For future expandability, the SEC_HttpClientFcnStruct is defined as a
+ * union, with the version field acting as a selector. The proposed
+ * initial version of the structure is given following the definition
+ * of the union. The HttpClientState structure is implementation-
+ * dependent, and should be opaque to the user.
+ */
+
+typedef void * SEC_HTTP_SERVER_SESSION;
+typedef void * SEC_HTTP_REQUEST_SESSION;
+
+/*
+ * This function creates a SEC_HTTP_SERVER_SESSION object. The implementer of a
+ * specific HttpClient will allocate the necessary space, when this
+ * function is called, and will free it when the corresponding FreeFcn
+ * is called. The SEC_HTTP_SERVER_SESSION object is passed, as an opaque object,
+ * to subsequent calls.
+ *
+ * If the function returns SECSuccess, the returned SEC_HTTP_SERVER_SESSION
+ * must be cleaned up with a call to SEC_HttpServer_FreeSession,
+ * after processing is finished.
+ */
+typedef SECStatus (*SEC_HttpServer_CreateSessionFcn)(
+   const char *host,
+   PRUint16 portnum,
+   SEC_HTTP_SERVER_SESSION *pSession);
+
+/*
+ * This function is called to allow the implementation to attempt to keep
+ * the connection alive. Depending on the underlying platform, it might
+ * immediately return SECSuccess without having performed any operations.
+ * (If a connection has not been kept alive, a subsequent call to
+ * SEC_HttpRequest_TrySendAndReceiveFcn should reopen the connection
+ * automatically.)
+ *
+ * If the connection uses nonblocking I/O, this function may return
+ * SECWouldBlock and store a nonzero value at "pPollDesc". In that case
+ * the caller may wait on the poll descriptor, and should call this function
+ * again until SECSuccess (and a zero value at "pPollDesc") is obtained.
+ */ 
+typedef SECStatus (*SEC_HttpServer_KeepAliveSessionFcn)(
+   SEC_HTTP_SERVER_SESSION session,
+   PRPollDesc **pPollDesc);
+
+/*
+ * This function frees the client SEC_HTTP_SERVER_SESSION object, closes all
+ * SEC_HTTP_REQUEST_SESSIONs created for that server, discards all partial results,
+ * frees any memory that was allocated by the client, and invalidates any
+ * response pointers that might have been returned by prior server or request
+ * functions.
+ */ 
+typedef SECStatus (*SEC_HttpServer_FreeSessionFcn)(
+   SEC_HTTP_SERVER_SESSION session);
+
+/*
+ * This function creates a SEC_HTTP_REQUEST_SESSION object. The implementer of a
+ * specific HttpClient will allocate the necessary space, when this
+ * function is called, and will free it when the corresponding FreeFcn
+ * is called. The SEC_HTTP_REQUEST_SESSION object is passed, as an opaque object,
+ * to subsequent calls.
+ *
+ * An implementation that does not support the requested protocol variant
+ * (usually "http", but could eventually allow "https") or request method
+ * should return SECFailure.
+ *
+ * Timeout values may include the constants PR_INTERVAL_NO_TIMEOUT (wait
+ * forever) or PR_INTERVAL_NO_WAIT (nonblocking I/O).
+ *
+ * If the function returns SECSuccess, the returned SEC_HTTP_REQUEST_SESSION
+ * must be cleaned up with a call to SEC_HttpRequest_FreeSession,
+ * after processing is finished.
+ */
+typedef SECStatus (*SEC_HttpRequest_CreateFcn)(
+   SEC_HTTP_SERVER_SESSION session,
+   const char *http_protocol_variant, /* usually "http" */
+   const char *path_and_query_string,
+   const char *http_request_method, 
+   const PRIntervalTime timeout, 
+   SEC_HTTP_REQUEST_SESSION *pRequest);
+
+/*
+ * This function sets data to be sent to the server for an HTTP request
+ * of http_request_method == POST. If a particular implementation 
+ * supports it, the details for the POST request can be set by calling 
+ * this function, prior to activating the request with TrySendAndReceiveFcn.
+ *
+ * An implementation that does not support the POST method should 
+ * implement a SetPostDataFcn function that returns immediately.
+ *
+ * Setting http_content_type is optional, the parameter may
+ * by NULL or the empty string.
+ */ 
+typedef SECStatus (*SEC_HttpRequest_SetPostDataFcn)(
+   SEC_HTTP_REQUEST_SESSION request,
+   const char *http_data, 
+   const PRUint32 http_data_len,
+   const char *http_content_type);
+
+/*
+ * This function sets an additional HTTP protocol request header.
+ * If a particular implementation supports it, one or multiple headers
+ * can be added to the request by calling this function once or multiple
+ * times, prior to activating the request with TryFcn.
+ *
+ * An implementation that does not support setting additional headers
+ * should implement an AddRequestHeaderFcn function that returns immediately.
+ */ 
+typedef SECStatus (*SEC_HttpRequest_AddHeaderFcn)(
+   SEC_HTTP_REQUEST_SESSION request,
+   const char *http_header_name, 
+   const char *http_header_value);
+
+/*
+ * This function initiates or continues an HTTP request. After
+ * parameters have been set with the Create function and, optionally,
+ * modified or enhanced with the AddParams function, this call creates
+ * the socket connection and initiates the communication.
+ *
+ * If a timeout value of zero is specified, indicating non-blocking
+ * I/O, the client creates a non-blocking socket, and returns a status
+ * of SECWouldBlock and a non-NULL PRPollDesc if the operation is not
+ * complete. In that case all other return parameters are undefined.
+ * The caller is expected to repeat the call, possibly after using
+ * PRPoll to determine that a completion has occurred, until a return
+ * value of SECSuccess (and a NULL value for pPollDesc) or a return
+ * value of SECFailure (indicating failure on the network level)
+ * is obtained.
+ *
+ * http_response_data_len is both input and output parameter.
+ * If a pointer to a PRUint32 is supplied, the http client is
+ * expected to check the given integer value and always set an out
+ * value, even on failure.
+ * An input value of zero means, the caller will accept any response len.
+ * A different input value indicates the maximum response value acceptable
+ * to the caller.
+ * If data is successfully read and the size is acceptable to the caller,
+ * the function will return SECSuccess and set http_response_data_len to
+ * the size of the block returned in http_response_data.
+ * If the data read from the http server is larger than the acceptable
+ * size, the function will return SECFailure.
+ * http_response_data_len will be set to a value different from zero to
+ * indicate the reason of the failure.
+ * An out value of "0" means, the failure was unrelated to the 
+ * acceptable size.
+ * An out value of "1" means, the result data is larger than the
+ * accpeptable size, but the real size is not yet known to the http client 
+ * implementation and it stopped retrieving it,
+ * Any other out value combined with a return value of SECFailure
+ * will indicate the actual size of the server data.
+ *
+ * The caller is permitted to provide NULL values for any of the
+ * http_response arguments, indicating the caller is not interested in
+ * those values. If the caller does provide an address, the HttpClient
+ * stores at that address a pointer to the corresponding argument, at
+ * the completion of the operation.
+ *
+ * All returned pointers will be owned by the the HttpClient
+ * implementation and will remain valid until the call to 
+ * SEC_HttpRequest_FreeFcn.
+ */ 
+typedef SECStatus (*SEC_HttpRequest_TrySendAndReceiveFcn)(
+   SEC_HTTP_REQUEST_SESSION request,
+   PRPollDesc **pPollDesc,
+   PRUint16 *http_response_code, 
+   const char **http_response_content_type, 
+   const char **http_response_headers, 
+   const char **http_response_data, 
+   PRUint32 *http_response_data_len); 
+
+/*
+ * Calling CancelFcn asks for premature termination of the request.
+ *
+ * Future calls to SEC_HttpRequest_TrySendAndReceive should
+ * by avoided, but in this case the HttpClient implementation 
+ * is expected to return immediately with SECFailure.
+ *
+ * After calling CancelFcn, a separate call to SEC_HttpRequest_FreeFcn 
+ * is still necessary to free resources.
+ */ 
+typedef SECStatus (*SEC_HttpRequest_CancelFcn)(
+   SEC_HTTP_REQUEST_SESSION request);
+
+/*
+ * Before calling this function, it must be assured the request
+ * has been completed, i.e. either SEC_HttpRequest_TrySendAndReceiveFcn has
+ * returned SECSuccess, or the request has been canceled with
+ * a call to SEC_HttpRequest_CancelFcn.
+ * 
+ * This function frees the client state object, closes all sockets, 
+ * discards all partial results, frees any memory that was allocated 
+ * by the client, and invalidates all response pointers that might
+ * have been returned by SEC_HttpRequest_TrySendAndReceiveFcn
+ */ 
+typedef SECStatus (*SEC_HttpRequest_FreeFcn)(
+   SEC_HTTP_REQUEST_SESSION request);
+
+typedef struct SEC_HttpClientFcnV1Struct {
+   SEC_HttpServer_CreateSessionFcn createSessionFcn;
+   SEC_HttpServer_KeepAliveSessionFcn keepAliveSessionFcn;
+   SEC_HttpServer_FreeSessionFcn freeSessionFcn;
+   SEC_HttpRequest_CreateFcn createFcn;
+   SEC_HttpRequest_SetPostDataFcn setPostDataFcn;
+   SEC_HttpRequest_AddHeaderFcn addHeaderFcn;
+   SEC_HttpRequest_TrySendAndReceiveFcn trySendAndReceiveFcn;
+   SEC_HttpRequest_CancelFcn cancelFcn;
+   SEC_HttpRequest_FreeFcn freeFcn;
+} SEC_HttpClientFcnV1;
+
+typedef struct SEC_HttpClientFcnStruct {
+   PRInt16 version;
+   union {
+      SEC_HttpClientFcnV1 ftable1;
+      /* SEC_HttpClientFcnV2 ftable2; */
+      /* ...                      */
+   } fcnTable;
+} SEC_HttpClientFcn;
+
+/*
+ * ocspMode_FailureIsVerificationFailure:
+ * This is the classic behaviour of NSS.
+ * Any OCSP failure is a verification failure (classic mode, default).
+ * Without a good response, OCSP networking will be retried each time
+ * it is required for verifying a cert.
+ *
+ * ocspMode_FailureIsNotAVerificationFailure:
+ * If we fail to obtain a valid OCSP response, consider the
+ * cert as good.
+ * Failed OCSP attempts might get cached and not retried until
+ * minimumSecondsToNextFetchAttempt.
+ * If we are able to obtain a valid response, the cert
+ * will be considered good, if either status is "good"
+ * or the cert was not yet revoked at verification time.
+ *
+ * Additional failure modes might be added in the future.
+ */
+typedef enum {
+    ocspMode_FailureIsVerificationFailure = 0,
+    ocspMode_FailureIsNotAVerificationFailure = 1
+} SEC_OcspFailureMode;
+
+#endif /* _OCSPT_H_ */
diff --git a/security/nss/lib/certhigh/ocspti.h b/security/nss/lib/certhigh/ocspti.h
new file mode 100644
index 000000000..11b87c64b
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspti.h
@@ -0,0 +1,409 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Private header defining OCSP types.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSPTI_H_
+#define _OCSPTI_H_
+
+#include "ocspt.h"
+
+#include "certt.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+
+
+/*
+ * Some notes about naming conventions...
+ *
+ * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
+ * (Even the public types are opaque, however.  Only their names are
+ * "exported".)
+ *
+ * Internal-only data types drop the "CERT" prefix and use only the
+ * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
+ *
+ * In either case, the base/suffix of the type name usually matches the
+ * name as defined in the OCSP specification.  The exceptions to this are:
+ *  - When there is overlap between the "OCSP" or "ocsp" prefix and
+ *    the name used in the standard.  That is, you cannot strip off the
+ *    "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
+ *    type as it is defined in the standard; the "real" name will be
+ *    *either* "OCSPSuffix" or just "Suffix".
+ *  - When the name in the standard was a little too generic.  (e.g. The
+ *    standard defines "Request" but we call it a "SingleRequest".)
+ *    In this case a comment above the type definition calls attention
+ *    to the difference.
+ *
+ * The definitions laid out in this header file are intended to follow
+ * the same order as the definitions in the OCSP specification itself.
+ * With the OCSP standard in hand, you should be able to move through
+ * this file and follow along.  To future modifiers of this file: please
+ * try to keep it that way.  The only exceptions are the few cases where
+ * we need to define a type before it is referenced (e.g. enumerations),
+ * whereas in the OCSP specification these are usually defined the other
+ * way around (reference before definition).
+ */
+
+
+/*
+ * Forward-declarations of internal-only data structures.
+ *
+ * These are in alphabetical order (case-insensitive); please keep it that way!
+ */
+typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
+typedef struct ocspCertStatusStr ocspCertStatus;
+typedef struct ocspResponderIDStr ocspResponderID;
+typedef struct ocspResponseBytesStr ocspResponseBytes;
+typedef struct ocspResponseDataStr ocspResponseData;
+typedef struct ocspRevokedInfoStr ocspRevokedInfo;
+typedef struct ocspServiceLocatorStr ocspServiceLocator;
+typedef struct ocspSignatureStr ocspSignature;
+typedef struct ocspSingleRequestStr ocspSingleRequest;
+typedef struct ocspSingleResponseStr ocspSingleResponse;
+typedef struct ocspTBSRequestStr ocspTBSRequest;
+
+
+/*
+ * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
+ */
+struct CERTOCSPRequestStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    ocspTBSRequest *tbsRequest;
+    ocspSignature *optionalSignature;
+};
+
+/*
+ * A TBSRequest; when an OCSPRequest is signed, the encoding of this
+ * is what the signature is actually applied to.  ("TBS" == To Be Signed)
+ * Whether signed or not, however, this structure will be present, and
+ * is the "meat" of the OCSPRequest.
+ *
+ * Note that the "requestorName" field cannot be encoded/decoded in the
+ * same pass as the entire request -- it needs to be handled with a special
+ * call to convert to/from our internal form of a GeneralName.  Thus the
+ * "derRequestorName" field, which is the actual DER-encoded bytes.
+ *
+ * The "extensionHandle" field is used on creation only; it holds
+ * in-progress extensions as they are optionally added to the request.
+ */
+struct ocspTBSRequestStr {
+    SECItem version;			/* an INTEGER */
+    SECItem *derRequestorName;		/* encoded GeneralName; see above */
+    CERTGeneralNameList *requestorName;	/* local; not part of encoding */
+    ocspSingleRequest **requestList;
+    CERTCertExtension **requestExtensions;
+    void *extensionHandle;		/* local; not part of encoding */
+};
+
+/*
+ * This is the actual signature information for an OCSPRequest (applied to
+ * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
+ * ResponseData structure).
+ *
+ * Note that the "signature" field itself is a BIT STRING; operations on
+ * it need to keep that in mind, converting the length to bytes as needed
+ * and back again afterward (so that the length is usually expressing bits).
+ *
+ * The "cert" field is the signer's certificate.  In the case of a received
+ * signature, it will be filled in when the signature is verified.  In the
+ * case of a created signature, it is filled in on creation and will be the
+ * cert used to create the signature when the signing-and-encoding occurs,
+ * as well as the cert (and its chain) to fill in derCerts if requested.
+ *
+ * The extra fields cache information about the signature after we have
+ * attempted a verification.  "wasChecked", if true, means the signature
+ * has been checked against the appropriate data and thus that "status"
+ * contains the result of that verification.  If "status" is not SECSuccess,
+ * "failureReason" is a copy of the error code that was set at the time;
+ * presumably it tells why the signature verification failed.
+ */
+struct ocspSignatureStr {
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;			/* a BIT STRING */
+    SECItem **derCerts;			/* a SEQUENCE OF Certificate */
+    CERTCertificate *cert;		/* local; not part of encoding */
+    PRBool wasChecked;			/* local; not part of encoding */
+    SECStatus status;			/* local; not part of encoding */
+    int failureReason;			/* local; not part of encoding */
+};
+
+/*
+ * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
+ * whose status is being checked.
+ *
+ * Note that in the OCSP specification this is just called "Request",
+ * but since that seemed confusing (vs. an OCSPRequest) and to be more
+ * consistent with the parallel type "SingleResponse", I called it a
+ * "SingleRequest".
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct ocspSingleRequestStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *reqCert;
+    CERTCertExtension **singleRequestExtensions;
+};
+
+/*
+ * A CertID is the means of identifying a certificate, used both in requests
+ * and in responses.
+ *
+ * When in a SingleRequest it specifies the certificate to be checked.
+ * When in a SingleResponse it is the cert whose status is being given.
+ */
+struct CERTOCSPCertIDStr {
+    SECAlgorithmID hashAlgorithm;
+    SECItem issuerNameHash;		/* an OCTET STRING */
+    SECItem issuerKeyHash;		/* an OCTET STRING */
+    SECItem serialNumber;		/* an INTEGER */
+    SECItem issuerSHA1NameHash;		/* keep other hashes around when */
+    SECItem issuerMD5NameHash;              /* we have them */
+    SECItem issuerMD2NameHash;
+    SECItem issuerSHA1KeyHash;		/* keep other hashes around when */
+    SECItem issuerMD5KeyHash;              /* we have them */
+    SECItem issuerMD2KeyHash;
+    PRArenaPool *poolp;
+};
+
+/*
+ * This describes the value of the responseStatus field in an OCSPResponse.
+ * The corresponding ASN.1 definition is:
+ *
+ * OCSPResponseStatus	::=	ENUMERATED {
+ *	successful		(0),	--Response has valid confirmations
+ *	malformedRequest	(1),	--Illegal confirmation request
+ *	internalError		(2),	--Internal error in issuer
+ *	tryLater		(3),	--Try again later
+ *					--(4) is not used
+ *	sigRequired		(5),	--Must sign the request
+ *	unauthorized		(6),	--Request unauthorized
+ * }
+ */
+typedef enum {
+    ocspResponse_successful = 0,
+    ocspResponse_malformedRequest = 1,
+    ocspResponse_internalError = 2,
+    ocspResponse_tryLater = 3,
+    ocspResponse_unused = 4,
+    ocspResponse_sigRequired = 5,
+    ocspResponse_unauthorized = 6,
+    ocspResponse_other			/* unknown/unrecognized value */
+} ocspResponseStatus;
+
+/*
+ * An OCSPResponse is what is sent (encoded) by an OCSP responder.
+ *
+ * The field "responseStatus" is the ASN.1 encoded value; the field
+ * "statusValue" is simply that same value translated into our local
+ * type ocspResponseStatus.
+ */
+struct CERTOCSPResponseStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    SECItem responseStatus;		/* an ENUMERATED, see above */
+    ocspResponseStatus statusValue;	/* local; not part of encoding */
+    ocspResponseBytes *responseBytes;	/* only when status is successful */
+};
+
+/*
+ * A ResponseBytes (despite appearances) is what contains the meat
+ * of a successful response -- but still in encoded form.  The type
+ * given as "responseType" tells you how to decode the string.
+ *
+ * We look at the OID and translate it into our local OID representation
+ * "responseTypeTag", and use that value to tell us how to decode the
+ * actual response itself.  For now the only kind of OCSP response we
+ * know about is a BasicOCSPResponse.  However, the intention in the
+ * OCSP specification is to allow for other response types, so we are
+ * building in that flexibility from the start and thus put a pointer
+ * to that data structure inside of a union.  Whenever OCSP adds more
+ * response types, just add them to the union.
+ */
+struct ocspResponseBytesStr {
+    SECItem responseType;		/* an OBJECT IDENTIFIER */
+    SECOidTag responseTypeTag;		/* local; not part of encoding */
+    SECItem response;			/* an OCTET STRING */
+    union {
+	ocspBasicOCSPResponse *basic;	/* when type is id-pkix-ocsp-basic */
+    } decodedResponse;			/* local; not part of encoding */
+};
+
+/*
+ * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
+ * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
+ * encoding of one of these.
+ *
+ * Note that in the OCSP specification, the signature fields are not
+ * part of a separate sub-structure.  But since they are the same fields
+ * as we define for the signature in a request, it made sense to share
+ * the C data structure here and in some shared code to operate on them.
+ */
+struct ocspBasicOCSPResponseStr {
+    SECItem tbsResponseDataDER;
+    ocspResponseData *tbsResponseData;	/* "tbs" == To Be Signed */
+    ocspSignature responseSignature;
+};
+
+/*
+ * A ResponseData is the part of a BasicOCSPResponse that is signed
+ * (after it is DER encoded).  It contains the real details of the response
+ * (a per-certificate status).
+ */
+struct ocspResponseDataStr {
+    SECItem version;			/* an INTEGER */
+    SECItem derResponderID;
+    ocspResponderID *responderID;	/* local; not part of encoding */
+    SECItem producedAt;			/* a GeneralizedTime */
+    CERTOCSPSingleResponse **responses;
+    CERTCertExtension **responseExtensions;
+};
+
+/*
+ * A ResponderID identifies the responder -- or more correctly, the
+ * signer of the response.  The ASN.1 definition of a ResponderID is:
+ *
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * Because it is CHOICE, the type of identification used and the
+ * identification itself are actually encoded together.  To represent
+ * this same information internally, we explicitly define a type and
+ * save it, along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspResponderID_byName,
+    ocspResponderID_byKey,
+    ocspResponderID_other		/* unknown kind of responderID */
+} ocspResponderIDType;
+
+struct ocspResponderIDStr {
+    ocspResponderIDType responderIDType;/* local; not part of encoding */
+    union {
+	CERTName name;			/* when ocspResponderID_byName */
+	SECItem keyHash;		/* when ocspResponderID_byKey */
+	SECItem other;			/* when ocspResponderID_other */
+    } responderIDValue;
+};
+
+/*
+ * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
+ * SingleResponse -- one for each certificate whose status is being supplied.
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct CERTOCSPSingleResponseStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *certID;
+    SECItem derCertStatus;
+    ocspCertStatus *certStatus;		/* local; not part of encoding */
+    SECItem thisUpdate;			/* a GeneralizedTime */
+    SECItem *nextUpdate;		/* a GeneralizedTime */
+    CERTCertExtension **singleExtensions;
+};
+
+/*
+ * A CertStatus is the actual per-certificate status.  Its ASN.1 definition:
+ *
+ * CertStatus	::=	CHOICE {
+ *	good			[0] IMPLICIT NULL,
+ *	revoked			[1] IMPLICIT RevokedInfo,
+ *	unknown			[2] IMPLICIT UnknownInfo }
+ *
+ * (where for now UnknownInfo is defined to be NULL but in the
+ * future may be replaced with an enumeration).
+ *
+ * Because it is CHOICE, the status value and its associated information
+ * (if any) are actually encoded together.  To represent this same
+ * information internally, we explicitly define a type and save it,
+ * along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspCertStatus_good,		/* cert is not revoked */
+    ocspCertStatus_revoked,		/* cert is revoked */
+    ocspCertStatus_unknown,		/* cert was unknown to the responder */
+    ocspCertStatus_other		/* status was not an expected value */
+} ocspCertStatusType;
+
+/*
+ * This is the actual per-certificate status.
+ *
+ * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
+ * (Though someday OCSP may replace UnknownInfo with an enumeration that
+ * gives more detailed information.)
+ */
+struct ocspCertStatusStr {
+    ocspCertStatusType certStatusType;	/* local; not part of encoding */
+    union {
+	SECItem *goodInfo;		/* when ocspCertStatus_good */
+	ocspRevokedInfo *revokedInfo;	/* when ocspCertStatus_revoked */
+	SECItem *unknownInfo;		/* when ocspCertStatus_unknown */
+	SECItem *otherInfo;		/* when ocspCertStatus_other */
+    } certStatusInfo; 
+};
+
+/*
+ * A RevokedInfo gives information about a revoked certificate -- when it
+ * was revoked and why.
+ */
+struct ocspRevokedInfoStr {
+    SECItem revocationTime;		/* a GeneralizedTime */
+    SECItem *revocationReason;		/* a CRLReason; ignored for now */
+};
+
+/*
+ * ServiceLocator can be included as one of the singleRequestExtensions.
+ * When added, it specifies the (name of the) issuer of the cert being
+ * checked, and optionally the value of the AuthorityInfoAccess extension
+ * if the cert has one.
+ */
+struct ocspServiceLocatorStr {
+    CERTName *issuer;
+    SECItem locator;	/* DER encoded authInfoAccess extension from cert */
+};
+
+#endif /* _OCSPTI_H_ */
diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c
new file mode 100644
index 000000000..d4d098ae4
--- /dev/null
+++ b/security/nss/lib/certhigh/xcrldist.c
@@ -0,0 +1,249 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Code for dealing with x.509 v3 CRL Distribution Point extension.
+ */
+#include "genname.h"
+#include "certt.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+
+extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
+
+static const SEC_ASN1Template FullNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof (CRLDistributionPoint,derFullName), 
+	CERT_GeneralNamesTemplate}
+};
+
+static const SEC_ASN1Template RelativeNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
+	offsetof (CRLDistributionPoint,distPoint.relativeName), 
+	CERT_RDNTemplate}
+};
+
+static const SEC_ASN1Template DistributionPointNameTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	offsetof(CRLDistributionPoint, distPointType), NULL,
+	sizeof(CRLDistributionPoint) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof (CRLDistributionPoint, derFullName), 
+	CERT_GeneralNamesTemplate, generalName },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
+	offsetof (CRLDistributionPoint, distPoint.relativeName), 
+	CERT_RDNTemplate, relativeDistinguishedName },
+    { 0 }
+};
+
+static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0,
+	    offsetof(CRLDistributionPoint,derDistPoint),
+            SEC_ASN1_SUB(SEC_AnyTemplate)},
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	    offsetof(CRLDistributionPoint,bitsmap),
+            SEC_ASN1_SUB(SEC_BitStringTemplate) },
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | 2,
+	    offsetof(CRLDistributionPoint, derCrlIssuer), 
+	    CERT_GeneralNamesTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
+    {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
+};
+
+SECStatus
+CERT_EncodeCRLDistributionPoints (PLArenaPool *arena, 
+				  CERTCrlDistributionPoints *value,
+				  SECItem *derValue)
+{
+    CRLDistributionPoint **pointList, *point;
+    PLArenaPool *ourPool = NULL;
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert (derValue);
+    PORT_Assert (value && value->distPoints);
+
+    do {
+	ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (ourPool == NULL) {
+	    rv = SECFailure;
+	    break;
+	}    
+	
+	pointList = value->distPoints;
+	while (*pointList) {
+	    point = *pointList;
+	    point->derFullName = NULL;
+	    point->derDistPoint.data = NULL;
+
+	    switch (point->distPointType) {
+	    case generalName:
+		point->derFullName = cert_EncodeGeneralNames
+		    (ourPool, point->distPoint.fullName);
+		
+		if (!point->derFullName ||
+		    !SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
+			  point, FullNameTemplate))
+		    rv = SECFailure;
+		break;
+
+	    case relativeDistinguishedName:
+		if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint, 
+		      point, RelativeNameTemplate)) 
+		    rv = SECFailure;
+		break;
+
+	    /* distributionPointName is omitted */
+	    case 0: break;
+
+	    default:
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		rv = SECFailure;
+		break;
+	    }
+
+	    if (rv != SECSuccess)
+		break;
+
+	    if (point->reasons.data)
+		PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
+
+	    if (point->crlIssuer) {
+		point->derCrlIssuer = cert_EncodeGeneralNames
+		    (ourPool, point->crlIssuer);
+		if (!point->derCrlIssuer) {
+		    rv = SECFailure;
+		    break;
+	    	}
+	    }
+	    ++pointList;
+	}
+	if (rv != SECSuccess)
+	    break;
+	if (!SEC_ASN1EncodeItem(arena, derValue, value, 
+		CERTCRLDistributionPointsTemplate)) {
+	    rv = SECFailure;
+	    break;
+	}
+    } while (0);
+    PORT_FreeArena (ourPool, PR_FALSE);
+    return rv;
+}
+
+CERTCrlDistributionPoints *
+CERT_DecodeCRLDistributionPoints (PLArenaPool *arena, SECItem *encodedValue)
+{
+   CERTCrlDistributionPoints *value = NULL;    
+   CRLDistributionPoint **pointList, *point;    
+   SECStatus rv = SECSuccess;
+   SECItem newEncodedValue;
+
+   PORT_Assert (arena);
+   do {
+	value = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
+	if (value == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue);
+        if (rv != SECSuccess)
+	    break;
+
+	rv = SEC_QuickDERDecodeItem(arena, &value->distPoints, 
+		CERTCRLDistributionPointsTemplate, &newEncodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+	pointList = value->distPoints;
+	while (NULL != (point = *pointList)) {
+
+	    /* get the data if the distributionPointName is not omitted */
+	    if (point->derDistPoint.data != NULL) {
+		rv = SEC_QuickDERDecodeItem(arena, point, 
+			DistributionPointNameTemplate, &(point->derDistPoint));
+		if (rv != SECSuccess)
+		    break;
+
+		switch (point->distPointType) {
+		case generalName:
+		    point->distPoint.fullName = 
+			cert_DecodeGeneralNames(arena, point->derFullName);
+		    rv = point->distPoint.fullName ? SECSuccess : SECFailure;
+		    break;
+
+		case relativeDistinguishedName:
+		    break;
+
+		default:
+		    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		    rv = SECFailure;
+		    break;
+		} /* end switch */
+		if (rv != SECSuccess)
+		    break;
+	    } /* end if */
+
+	    /* Get the reason code if it's not omitted in the encoding */
+	    if (point->bitsmap.data != NULL) {
+	    	SECItem bitsmap = point->bitsmap;
+		DER_ConvertBitString(&bitsmap);
+		rv = SECITEM_CopyItem(arena, &point->reasons, &bitsmap);
+		if (rv != SECSuccess)
+		    break;
+	    }
+
+	    /* Get the crl issuer name if it's not omitted in the encoding */
+	    if (point->derCrlIssuer != NULL) {
+		point->crlIssuer = cert_DecodeGeneralNames(arena, 
+			           point->derCrlIssuer);
+		if (!point->crlIssuer)
+		    break;
+	    }
+	    ++pointList;
+	} /* end while points remain */
+   } while (0);
+   return (rv == SECSuccess ? value : NULL);
+}
diff --git a/security/nss/lib/ckfw/Makefile b/security/nss/lib/ckfw/Makefile
new file mode 100644
index 000000000..b31371a02
--- /dev/null
+++ b/security/nss/lib/ckfw/Makefile
@@ -0,0 +1,72 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+ifdef MOZILLA_CLIENT
+NSS_BUILD_CAPI = 1
+endif
+
+# This'll need some help from a build person.
+
+# The generated files are checked in, and differ from what ckapi.perl
+# will produce.  ckapi.perl is currently newer than the targets, so
+# these rules are invoked, causing the wrong files to be generated.
+# Turning off to fix builds.
+#
+# nssckepv.h: ck.api ckapi.perl
+# nssckft.h: ck.api ckapi.perl
+# nssckg.h: ck.api ckapi.perl
+# nssck.api: ck.api ckapi.perl
+# 	$(PERL) ckapi.perl ck.api
+
+export:: private_export
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ifdef NSS_BUILD_CAPI
+DIRS += capi
+endif
+endif
+
+#ifeq ($(OS_ARCH), Darwin)
+#DIRS += nssmkey
+#endif
diff --git a/security/nss/lib/ckfw/capi/Makefile b/security/nss/lib/ckfw/capi/Makefile
new file mode 100644
index 000000000..222dec098
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/Makefile
@@ -0,0 +1,105 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else 
+EXTRA_SHARED_LIBS += \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+        crypt32.lib \
+	advapi32.lib \
+	rpcrt4.lib \
+        $(NULL)
+endif # NS_USE_GCC
+else
+
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate certdata.c.
+generate:
+	$(PERL) certdata.perl < certdata.txt
+
+# This'll need some help from a build person.
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+
diff --git a/security/nss/lib/ckfw/capi/README b/security/nss/lib/ckfw/capi/README
new file mode 100644
index 000000000..9fc5720a9
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/README
@@ -0,0 +1,7 @@
+This Cryptoki module provides acces to certs and keys stored in
+Microsofts CAPI certificate store.
+
+It does not import or export CA Root trust from the CAPI.
+It does not import or export CRLs from the CAPI.
+It does not handle S/MIME objects (pkcs #7 in capi terms?).
+It does not yet handle it's own PIN. (CAPI does all the pin prompting).
diff --git a/security/nss/lib/ckfw/capi/anchor.c b/security/nss/lib/ckfw/capi/anchor.c
new file mode 100644
index 000000000..e21006621
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/anchor.c
@@ -0,0 +1,55 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * capi/canchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckcapi.h"
+
+#define MODULE_NAME ckcapi
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/capi/cfind.c b/security/nss/lib/ckfw/capi/cfind.c
new file mode 100644
index 000000000..9673d5560
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cfind.c
@@ -0,0 +1,618 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKCAPI_H
+#include "ckcapi.h"
+#endif /* CKCAPI_H */
+
+/*
+ * ckcapi/cfind.c
+ *
+ * This file implements the NSSCKMDFindObjects object for the
+ * "capi" cryptoki module.
+ */
+
+struct ckcapiFOStr {
+  NSSArena *arena;
+  CK_ULONG n;
+  CK_ULONG i;
+  ckcapiInternalObject **objs;
+};
+
+static void
+ckcapi_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
+  NSSArena *arena = fo->arena;
+  PRUint32 i;
+
+  /* walk down an free the unused 'objs' */
+  for (i=fo->i; i < fo->n ; i++) {
+    nss_ckcapi_DestroyInternalObject(fo->objs[i]);
+  }
+
+  nss_ZFreeIf(fo->objs);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(mdFindObjects);
+  if ((NSSArena *)NULL != arena) {
+    NSSArena_Destroy(arena);
+  }
+
+  return;
+}
+
+static NSSCKMDObject *
+ckcapi_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
+  ckcapiInternalObject *io;
+
+  if( fo->i == fo->n ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  io = fo->objs[ fo->i ];
+  fo->i++;
+
+  return nss_ckcapi_CreateMDObject(arena, io, pError);
+}
+
+static CK_BBOOL
+ckcapi_attrmatch
+(
+  CK_ATTRIBUTE_PTR a,
+  ckcapiInternalObject *o
+)
+{
+  PRBool prb;
+  const NSSItem *b;
+
+  b = nss_ckcapi_FetchAttribute(o, a->type);
+  if (b == NULL) {
+    return CK_FALSE;
+  }
+
+  if( a->ulValueLen != b->size ) {
+    /* match a decoded serial number */
+    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
+	int len;
+	unsigned char *data;
+
+	data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
+	if ((len == a->ulValueLen) && 
+		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+	    return CK_TRUE;
+	}
+    }
+    return CK_FALSE;
+  }
+
+  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+
+  if( PR_TRUE == prb ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+
+static CK_BBOOL
+ckcapi_match
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  ckcapiInternalObject *o
+)
+{
+  CK_ULONG i;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
+      return CK_FALSE;
+    }
+  }
+
+  /* Every attribute passed */
+  return CK_TRUE;
+}
+
+#define CKAPI_ITEM_CHUNK  20
+
+#define PUT_Object(obj,err) \
+  { \
+    if (count >= size) { \
+    *listp = *listp ? \
+		nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
+		               (size+CKAPI_ITEM_CHUNK) ) : \
+		nss_ZNEWARRAY(NULL, ckcapiInternalObject *, \
+		               (size+CKAPI_ITEM_CHUNK) ) ; \
+      if ((ckcapiInternalObject **)NULL == *listp) { \
+        err = CKR_HOST_MEMORY; \
+        goto loser; \
+      } \
+      size += CKAPI_ITEM_CHUNK; \
+    } \
+    (*listp)[ count ] = (obj); \
+    count++; \
+  }
+
+
+/*
+ * pass parameters back through the callback.
+ */
+typedef struct BareCollectParamsStr {
+  CK_OBJECT_CLASS objClass;
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulAttributeCount;
+  ckcapiInternalObject ***listp;
+  PRUint32 size;
+  PRUint32 count;
+} BareCollectParams;
+
+/* collect_bare's callback. Called for each object that
+ * supposedly has a PROVINDER_INFO property */
+static BOOL WINAPI
+doBareCollect
+(
+  const CRYPT_HASH_BLOB *msKeyID,
+  DWORD flags,
+  void *reserved,
+  void *args,
+  DWORD cProp,
+  DWORD *propID,
+  void **propData,
+  DWORD *propSize
+)
+{
+  BareCollectParams *bcp = (BareCollectParams *) args;
+  PRUint32 size = bcp->size;
+  PRUint32 count = bcp->count;
+  ckcapiInternalObject ***listp = bcp->listp;
+  ckcapiInternalObject *io = NULL;
+  DWORD i;
+  CRYPT_KEY_PROV_INFO *keyProvInfo = NULL;
+  void *idData;
+  CK_RV error;
+ 
+  /* make sure there is a Key Provider Info property */
+  for (i=0; i < cProp; i++) {
+    if (CERT_KEY_PROV_INFO_PROP_ID == propID[i]) {
+	keyProvInfo = (CRYPT_KEY_PROV_INFO *)propData[i];
+	break;
+    }
+  }
+  if ((CRYPT_KEY_PROV_INFO *)NULL == keyProvInfo) {
+    return 1;
+  }
+
+  /* copy the key ID */
+  idData = nss_ZNEWARRAY(NULL, char, msKeyID->cbData);
+  if ((void *)NULL == idData) {
+     goto loser;
+  }
+  nsslibc_memcpy(idData, msKeyID->pbData, msKeyID->cbData);
+
+  /* build a bare internal object */  
+  io = nss_ZNEW(NULL, ckcapiInternalObject);
+  if ((ckcapiInternalObject *)NULL == io) {
+     goto loser;
+  }
+  io->type = ckcapiBareKey;
+  io->objClass = bcp->objClass;
+  io->u.key.provInfo = *keyProvInfo;
+  io->u.key.provInfo.pwszContainerName = 
+			nss_ckcapi_WideDup(keyProvInfo->pwszContainerName);
+  io->u.key.provInfo.pwszProvName = 
+			nss_ckcapi_WideDup(keyProvInfo->pwszProvName);
+  io->u.key.provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
+  io->u.key.containerName = 
+                        nss_ckcapi_WideToUTF8(keyProvInfo->pwszContainerName);
+  io->u.key.hProv = 0;
+  io->idData = idData;
+  io->id.data = idData;
+  io->id.size = msKeyID->cbData;
+  idData = NULL;
+
+  /* see if it matches */ 
+  if( CK_FALSE == ckcapi_match(bcp->pTemplate, bcp->ulAttributeCount, io) ) {
+    goto loser;
+  }
+  PUT_Object(io, error);
+  bcp->size = size;
+  bcp->count = count;
+  return 1;
+
+loser:
+  if (io) {
+    nss_ckcapi_DestroyInternalObject(io);
+  }
+  nss_ZFreeIf(idData);
+  return 1;
+}
+
+/*
+ * collect the bare keys running around
+ */
+static PRUint32
+collect_bare(
+  CK_OBJECT_CLASS objClass,
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  BOOL rc;
+  BareCollectParams bareCollectParams;
+
+  bareCollectParams.objClass = objClass;
+  bareCollectParams.pTemplate = pTemplate;
+  bareCollectParams.ulAttributeCount = ulAttributeCount;
+  bareCollectParams.listp = listp;
+  bareCollectParams.size = *sizep;
+  bareCollectParams.count = count;
+
+  rc = CryptEnumKeyIdentifierProperties(NULL, CERT_KEY_PROV_INFO_PROP_ID, 0,
+       NULL, NULL, &bareCollectParams, doBareCollect);
+
+  *sizep = bareCollectParams.size;
+  return bareCollectParams.count;
+}
+
+/* find all the certs that represent the appropriate object (cert, priv key, or
+ *  pub key) in the cert store.
+ */
+static PRUint32
+collect_class(
+  CK_OBJECT_CLASS objClass,
+  LPCSTR storeStr,
+  PRBool hasID,
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  PRUint32 size = *sizep;
+  ckcapiInternalObject *next = NULL;
+  HCERTSTORE hStore;
+  PCCERT_CONTEXT certContext = NULL;
+  PRBool  isKey = 
+     (objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);
+
+  hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
+  if (NULL == hStore) {
+     return count; /* none found does not imply an error */
+  }
+
+  /* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
+   * have to enumerate all the certificates */
+  while ((PCERT_CONTEXT) NULL != 
+         (certContext= CertEnumCertificatesInStore(hStore, certContext))) {
+    /* first filter out non user certs if we are looking for keys */
+    if (isKey) {
+      /* make sure there is a Key Provider Info property */
+      CRYPT_KEY_PROV_INFO *keyProvInfo;
+      DWORD size = 0;
+      BOOL rv;
+      rv =CertGetCertificateContextProperty(certContext,
+        CERT_KEY_PROV_INFO_PROP_ID, NULL, &size);
+      if (!rv) {
+	int reason = GetLastError();
+        /* we only care if it exists, we don't really need to fetch it yet */
+	if (reason == CRYPT_E_NOT_FOUND) {
+	  continue;
+	}
+      }
+      /* filter out the non-microsoft providers */
+      keyProvInfo = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
+      if (keyProvInfo) {
+        rv =CertGetCertificateContextProperty(certContext,
+          CERT_KEY_PROV_INFO_PROP_ID, keyProvInfo, &size);
+        if (rv) {
+	  char *provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
+          nss_ZFreeIf(keyProvInfo);
+
+	  if (provName && 
+		(strncmp(provName, "Microsoft", sizeof("Microsoft")-1) != 0)) {
+	    continue;
+	  }
+	} else {
+	  int reason = GetLastError();
+          /* we only care if it exists, we don't really need to fetch it yet */
+          nss_ZFreeIf(keyProvInfo);
+	  if (reason == CRYPT_E_NOT_FOUND) {
+	   continue;
+	  }
+	  
+        }
+      }
+    }
+    
+    if ((ckcapiInternalObject *)NULL == next) {
+      next = nss_ZNEW(NULL, ckcapiInternalObject);
+      if ((ckcapiInternalObject *)NULL == next) {
+        *pError = CKR_HOST_MEMORY;
+        goto loser;
+      }
+    }
+    next->type = ckcapiCert;
+    next->objClass = objClass;
+    next->u.cert.certContext = certContext;
+    next->u.cert.hasID = hasID;
+    next->u.cert.certStore = storeStr;
+    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next) ) {
+      /* clear cached values that may be dependent on our old certContext */
+      memset(&next->u.cert, 0, sizeof(next->u.cert));
+      /* get a 'permanent' context */
+      next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
+      next->objClass = objClass;
+      next->u.cert.certContext = certContext;
+      next->u.cert.hasID = hasID;
+      next->u.cert.certStore = storeStr;
+      PUT_Object(next, *pError);
+      next = NULL; /* need to allocate a new one now */
+    } else {
+      /* don't cache the values we just loaded */
+      memset(&next->u.cert, 0, sizeof(next->u.cert));
+    }
+  }
+loser:
+  CertCloseStore(hStore, 0);
+  nss_ZFreeIf(next);
+  *sizep = size;
+  return count;
+}
+
+NSS_IMPLEMENT PRUint32
+nss_ckcapi_collect_all_certs(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  /*count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError); */
+  count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError);
+  return count;
+}
+
+CK_OBJECT_CLASS
+ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate, 
+                      CK_ULONG ulAttributeCount)
+{
+  CK_ULONG i;
+
+  for (i=0; i < ulAttributeCount; i++)
+  {
+    if (pTemplate[i].type == CKA_CLASS) {
+      return *(CK_OBJECT_CLASS *) pTemplate[i].pValue;
+    }
+  }
+  /* need to return a value that says 'fetch them all' */
+  return CK_INVALID_HANDLE;
+}
+
+static PRUint32
+collect_objects(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  CK_RV *pError
+)
+{
+  PRUint32 i;
+  PRUint32 count = 0;
+  PRUint32 size = 0;
+  CK_OBJECT_CLASS objClass;
+
+  /*
+   * first handle the static build in objects (if any)
+   */
+  for( i = 0; i < nss_ckcapi_nObjects; i++ ) {
+    ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];
+
+    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o) ) {
+      PUT_Object(o, *pError);
+    }
+  }
+
+  /*
+   * now handle the various object types
+   */
+  objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
+  *pError = CKR_OK;
+  switch (objClass) {
+  case CKO_CERTIFICATE:
+    count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  case CKO_PUBLIC_KEY:
+    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
+			&size, count, pError);
+    break;
+  case CKO_PRIVATE_KEY:
+    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
+			&size, count, pError);
+    break;
+  /* all of them */
+  case CK_INVALID_HANDLE:
+    count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    count = collect_bare(CKO_PUBLIC_KEY, pTemplate, ulAttributeCount, listp,
+			&size, count, pError);
+    count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    count = collect_bare(CKO_PRIVATE_KEY, pTemplate, ulAttributeCount, listp,
+			&size, count, pError);
+    break;
+  default:
+    goto done; /* no other object types we understand in this module */
+  }
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+
+done:
+  return count;
+loser:
+  nss_ZFreeIf(*listp);
+  return 0;
+}
+
+
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_ckcapi_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  /* This could be made more efficient.  I'm rather rushed. */
+  NSSArena *arena;
+  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
+  ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo = nss_ZNEW(arena, struct ckcapiFOStr);
+  if( (struct ckcapiFOStr *)NULL == fo ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo->arena = arena;
+  /* fo->n and fo->i are already zero */
+
+  rv->etc = (void *)fo;
+  rv->Final = ckcapi_mdFindObjects_Final;
+  rv->Next = ckcapi_mdFindObjects_Next;
+  rv->null = (void *)NULL;
+
+  fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
+  if (*pError != CKR_OK) {
+    goto loser;
+  }
+
+  fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
+  if( (ckcapiInternalObject **)NULL == fo->objs ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
+  nss_ZFreeIf(temp);
+  temp = (ckcapiInternalObject **)NULL;
+
+  return rv;
+
+ loser:
+  nss_ZFreeIf(temp);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(rv);
+  if ((NSSArena *)NULL != arena) {
+     NSSArena_Destroy(arena);
+  }
+  return (NSSCKMDFindObjects *)NULL;
+}
+
diff --git a/security/nss/lib/ckfw/capi/cinst.c b/security/nss/lib/ckfw/capi/cinst.c
new file mode 100644
index 000000000..fe5c3d25e
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cinst.c
@@ -0,0 +1,148 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/cinstance.c
+ *
+ * This file implements the NSSCKMDInstance object for the 
+ * "capi" cryptoki module.
+ */
+
+/*
+ * NSSCKMDInstance methods
+ */
+
+static CK_ULONG
+ckcapi_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_VERSION
+ckcapi_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_CryptokiVersion;
+}
+
+static NSSUTF8 *
+ckcapi_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckcapi_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_LibraryDescription;
+}
+
+static CK_VERSION
+ckcapi_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_LibraryVersion;
+}
+
+static CK_RV
+ckcapi_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  slots[0] = (NSSCKMDSlot *)&nss_ckcapi_mdSlot;
+  return CKR_OK;
+}
+
+static CK_BBOOL
+ckcapi_mdInstance_ModuleHandlesSessionObjects
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  /* we don't want to allow any session object creation, at least
+   * until we can investigate whether or not we can use those objects
+   */
+  return CK_TRUE;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDInstance
+nss_ckcapi_mdInstance = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Finalize */
+  ckcapi_mdInstance_GetNSlots,
+  ckcapi_mdInstance_GetCryptokiVersion,
+  ckcapi_mdInstance_GetManufacturerID,
+  ckcapi_mdInstance_GetLibraryDescription,
+  ckcapi_mdInstance_GetLibraryVersion,
+  ckcapi_mdInstance_ModuleHandlesSessionObjects, 
+  /*NULL, /* HandleSessionObjects */
+  ckcapi_mdInstance_GetSlots,
+  NULL, /* WaitForSlotEvent */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/ckcapi.h b/security/nss/lib/ckfw/capi/ckcapi.h
new file mode 100644
index 000000000..1e033ca90
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/ckcapi.h
@@ -0,0 +1,309 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKCAPI_H
+#define CKCAPI_H 1
+
+#ifdef DEBUG
+static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#include "wtypes.h"
+#include "wincrypt.h"
+
+/*
+ * statically defined raw objects. Allows us to data description objects
+ * to this PKCS #11 module.
+ */
+struct ckcapiRawObjectStr {
+  CK_ULONG n;
+  const CK_ATTRIBUTE_TYPE *types;
+  const NSSItem *items;
+};
+typedef struct ckcapiRawObjectStr ckcapiRawObject;
+
+
+/*
+ * common values needed for both bare keys and cert referenced keys.
+ */
+struct ckcapiKeyParamsStr {
+  NSSItem	  modulus;
+  NSSItem	  exponent;
+  NSSItem	  privateExponent;
+  NSSItem	  prime1;
+  NSSItem	  prime2;
+  NSSItem	  exponent1;
+  NSSItem	  exponent2;
+  NSSItem	  coefficient;
+  unsigned char   publicExponentData[sizeof(CK_ULONG)];
+  void		  *privateKey;
+  void		  *pubKey;
+};
+typedef struct ckcapiKeyParamsStr ckcapiKeyParams;
+
+/*
+ * Key objects. Handles bare keys which do not yet have certs associated
+ * with them. These are usually short lived, but may exist for several days
+ * while the CA is issuing the certificate.
+ */
+struct ckcapiKeyObjectStr {
+  CRYPT_KEY_PROV_INFO provInfo;
+  char            *provName;
+  char            *containerName;
+  HCRYPTPROV      hProv;
+  ckcapiKeyParams key;
+};
+typedef struct ckcapiKeyObjectStr ckcapiKeyObject;
+
+/*
+ * Certificate and certificate referenced keys.
+ */
+struct ckcapiCertObjectStr {
+  PCCERT_CONTEXT  certContext;
+  PRBool          hasID;
+  const char	  *certStore;
+  NSSItem	  label;
+  NSSItem	  subject;
+  NSSItem	  issuer;
+  NSSItem	  serial;
+  NSSItem	  derCert;
+  ckcapiKeyParams key;
+  unsigned char   *labelData;
+  /* static data: to do, make this dynamic like labelData */
+  unsigned char   derSerial[128];
+};
+typedef struct ckcapiCertObjectStr ckcapiCertObject;
+
+typedef enum {
+  ckcapiRaw,
+  ckcapiCert,
+  ckcapiBareKey
+} ckcapiObjectType;
+
+/*
+ * all the various types of objects are abstracted away in cobject and
+ * cfind as ckcapiInternalObjects.
+ */
+struct ckcapiInternalObjectStr {
+  ckcapiObjectType type;
+  union {
+    ckcapiRawObject  raw;
+    ckcapiCertObject cert;
+    ckcapiKeyObject  key;
+  } u;
+  CK_OBJECT_CLASS objClass;
+  NSSItem	  hashKey;
+  NSSItem	  id;
+  void		  *idData;
+  unsigned char   hashKeyData[128];
+  NSSCKMDObject mdObject;
+};
+typedef struct ckcapiInternalObjectStr ckcapiInternalObject;
+
+/* our raw object data array */
+NSS_EXTERN_DATA ckcapiInternalObject nss_ckcapi_data[];
+NSS_EXTERN_DATA const PRUint32               nss_ckcapi_nObjects;
+
+NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_CryptokiVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_ManufacturerID;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_LibraryDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_LibraryVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_SlotDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_HardwareVersion;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_FirmwareVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenLabel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenModel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenSerialNumber;
+
+NSS_EXTERN_DATA const NSSCKMDInstance  nss_ckcapi_mdInstance;
+NSS_EXTERN_DATA const NSSCKMDSlot      nss_ckcapi_mdSlot;
+NSS_EXTERN_DATA const NSSCKMDToken     nss_ckcapi_mdToken;
+NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckcapi_mdMechanismRSA;
+
+NSS_EXTERN NSSCKMDSession *
+nss_ckcapi_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_ckcapi_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * Object Utilities
+ */
+NSS_EXTERN NSSCKMDObject *
+nss_ckcapi_CreateMDObject
+(
+  NSSArena *arena,
+  ckcapiInternalObject *io,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_ckcapi_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN const NSSItem *
+nss_ckcapi_FetchAttribute
+(
+  ckcapiInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type
+);
+
+NSS_EXTERN void
+nss_ckcapi_DestroyInternalObject
+(
+  ckcapiInternalObject *io
+);
+
+NSS_EXTERN CK_RV
+nss_ckcapi_FetchKeyContainer
+(
+  ckcapiInternalObject *iKey,
+  HCRYPTPROV  *hProv,
+  DWORD       *keySpec,
+  HCRYPTKEY   *hKey
+);
+
+/*
+ * generic utilities
+ */
+
+/*
+ * So everyone else in the worlds stores their bignum data MSB first, but not
+ * Microsoft, we need to byte swap everything coming into and out of CAPI.
+ */
+void
+ckcapi_ReverseData
+(
+  NSSItem *item
+);
+
+/*
+ * unwrap a single DER value
+ */
+char *
+nss_ckcapi_DERUnwrap
+(
+  char *src, 
+  int size, 
+  int *outSize, 
+  char **next
+);
+
+/*
+ * Return the size in bytes of a wide string
+ */
+int 
+nss_ckcapi_WideSize
+(
+  LPCWSTR wide
+);
+
+/*
+ * Covert a Unicode wide character string to a UTF8 string
+ */
+char *
+nss_ckcapi_WideToUTF8
+(
+  LPCWSTR wide 
+);
+
+/*
+ * Return a Wide String duplicated with nss allocated memory.
+ */
+LPWSTR
+nss_ckcapi_WideDup
+(
+  LPCWSTR wide
+);
+
+/*
+ * Covert a UTF8 string to Unicode wide character
+ */
+LPWSTR
+nss_ckcapi_UTF8ToWide
+(
+  char *buf
+);
+
+
+NSS_EXTERN PRUint32
+nss_ckcapi_collect_all_certs(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+);
+
+#define NSS_CKCAPI_ARRAY_SIZE(x) ((sizeof (x))/(sizeof ((x)[0])))
+ 
+#endif
diff --git a/security/nss/lib/ckfw/capi/ckcapiver.c b/security/nss/lib/ckfw/capi/ckcapiver.c
new file mode 100644
index 000000000..d69290575
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/ckcapiver.c
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* Library identity and versioning */
+
+#include "nsscapi.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_ckcapi_rcsid[] = "$Header: NSS Access to Microsoft Certificate Store "
+        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Microsoft Certificate Store "
+        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ckfw/capi/cobject.c b/security/nss/lib/ckfw/capi/cobject.c
new file mode 100644
index 000000000..c12971ff5
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cobject.c
@@ -0,0 +1,2346 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+#include "nssbase.h"
+
+/*
+ * ckcapi/cobject.c
+ *
+ * This file implements the NSSCKMDObject object for the
+ * "nss to capi objects" cryptoki module.
+ */
+
+const CK_ATTRIBUTE_TYPE certAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_CERTIFICATE_TYPE,
+    CKA_SUBJECT,
+    CKA_ISSUER,
+    CKA_SERIAL_NUMBER,
+    CKA_VALUE
+};
+const PRUint32 certAttrsCount = NSS_CKCAPI_ARRAY_SIZE(certAttrs);
+
+/* private keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_SENSITIVE,
+    CKA_DECRYPT,
+    CKA_SIGN,
+    CKA_SIGN_RECOVER,
+    CKA_UNWRAP,
+    CKA_EXTRACTABLE,
+    CKA_ALWAYS_SENSITIVE,
+    CKA_NEVER_EXTRACTABLE,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 privKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(privKeyAttrs);
+
+/* public keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_ENCRYPT,
+    CKA_VERIFY,
+    CKA_VERIFY_RECOVER,
+    CKA_WRAP,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 pubKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(pubKeyAttrs);
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
+static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
+static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
+static const NSSItem ckcapi_trueItem = { 
+  (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckcapi_falseItem = { 
+  (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckcapi_x509Item = { 
+  (void *)&ckc_x509, (PRUint32)sizeof(CKC_X_509) };
+static const NSSItem ckcapi_rsaItem = { 
+  (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) };
+static const NSSItem ckcapi_certClassItem = { 
+  (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckcapi_privKeyClassItem = {
+  (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckcapi_pubKeyClassItem = {
+  (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckcapi_emptyItem = { 
+  (void *)&ck_true, 0};
+
+/*
+ * these are utilities. The chould be moved to a new utilities file.
+ */
+
+/*
+ * unwrap a single DER value
+ */
+char *
+nss_ckcapi_DERUnwrap
+(
+  char *src, 
+  int size, 
+  int *outSize, 
+  char **next
+)
+{
+  unsigned char *start = src;
+  unsigned char *end = src+size;
+  unsigned int len = 0;
+
+  /* initialize error condition return values */
+  *outSize = 0;
+  if (next) {
+    *next = src;
+  }
+
+  if (size < 2) {
+    return start;
+  }
+  src ++ ; /* skip the tag -- should check it against an expected value! */
+  len = (unsigned) *src++;
+  if (len & 0x80) {
+    int count = len & 0x7f;
+    len =0;
+
+    if (count+2 > size) {
+      return start;
+    }
+    while (count-- > 0) {
+      len = (len << 8) | (unsigned) *src++;
+    }
+  }
+  if (len + (src-start) > (unsigned int)size) {
+    return start;
+  }
+  if (next) {
+    *next = src+len;
+  }
+  *outSize = len;
+
+  return src;
+}
+
+/*
+ * convert a PKCS #11 bytestrin into a CK_ULONG, the byte stream must be
+ * less than sizeof (CK_ULONG).
+ */
+CK_ULONG  
+nss_ckcapi_DataToInt
+(
+  NSSItem *data,
+  CK_RV *pError
+)
+{
+  CK_ULONG value = 0;
+  unsigned long count = data->size;
+  unsigned char *dataPtr = data->data;
+  unsigned long size = 0;
+
+  *pError = CKR_OK;
+
+  while (count--) {
+    value = value << 8;
+    value = value + *dataPtr++;
+    if (size || value) {
+      size++;
+    }
+  }
+  if (size > sizeof(CK_ULONG)) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+  }
+  return value;
+}
+
+/*
+ * convert a CK_ULONG to a bytestream. Data is stored in the buffer 'buf'
+ * and must be at least CK_ULONG. Caller must provide buf.
+ */
+CK_ULONG  
+nss_ckcapi_IntToData
+(
+  CK_ULONG value,
+  NSSItem *data,
+  unsigned char *dataPtr,
+  CK_RV *pError
+)
+{
+  unsigned long count = 0;
+  unsigned long i;
+#define SHIFT ((sizeof(CK_ULONG)-1)*8)
+  PRBool first = 0;
+
+  *pError = CKR_OK;
+
+  data->data = dataPtr;
+  for (i=0; i < sizeof(CK_ULONG); i++) {
+    unsigned char digit = (unsigned char)((value >> SHIFT) & 0xff);
+
+    value = value << 8;
+
+    /* drop leading zero bytes */
+    if (first && (0 == digit)) {
+	continue;
+    }
+    *dataPtr++ = digit;
+    count++;
+  }
+  data->size = count;
+  return count;
+}
+
+/*
+ * get an attribute from a template. Value is returned in NSS item.
+ * data for the item is owned by the template.
+ */
+CK_RV
+nss_ckcapi_GetAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  NSSItem *item
+)
+{
+  CK_ULONG i;
+
+  for (i=0; i < templateSize; i++) {
+    if (template[i].type == type) {
+      item->data = template[i].pValue;
+      item->size = template[i].ulValueLen;
+      return CKR_OK;
+    }
+  }
+  return CKR_TEMPLATE_INCOMPLETE;
+}
+
+/*
+ * get an attribute which is type CK_ULONG.
+ */
+CK_ULONG
+nss_ckcapi_GetULongAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_RV *pError
+)
+{
+  NSSItem item;
+
+  *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != *pError) {
+    return (CK_ULONG) 0;
+  }
+  if (item.size != sizeof(CK_ULONG)) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (CK_ULONG) 0;
+  }
+  return *(CK_ULONG *)item.data;
+}
+
+/*
+ * get an attribute which is type CK_BBOOL.
+ */
+CK_BBOOL
+nss_ckcapi_GetBoolAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_RV *pError
+)
+{
+  NSSItem item;
+
+  *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != *pError) {
+    return (CK_BBOOL) 0;
+  }
+  if (item.size != sizeof(CK_BBOOL)) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (CK_BBOOL) 0;
+  }
+  return *(CK_BBOOL *)item.data;
+}
+
+/*
+ * get an attribute which is type CK_BBOOL.
+ */
+char *
+nss_ckcapi_GetStringAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_RV *pError
+)
+{
+  NSSItem item;
+  char *str;
+
+  /* get the attribute */
+  *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != *pError) {
+    return (char *)NULL;
+  }
+  /* make sure it is null terminated */
+  str = nss_ZNEWARRAY(NULL, char, item.size+1);
+  if ((char *)NULL == str) {
+    *pError = CKR_HOST_MEMORY;
+    return (char *)NULL;
+  }
+
+  nsslibc_memcpy(str, item.data, item.size);
+  str[item.size] = 0;
+
+  return str;
+}
+
+/*
+ * Return the size in bytes of a wide string
+ */
+int
+nss_ckcapi_WideSize
+(
+  LPCWSTR wide
+)
+{
+  DWORD size;
+
+  if ((LPWSTR)NULL == wide) {
+    return 0;
+  }
+  size = wcslen(wide)+1;
+  return size*2;
+}
+
+/*
+ * Covert a Unicode wide character string to a UTF8 string
+ */
+char *
+nss_ckcapi_WideToUTF8
+(
+  LPCWSTR wide 
+)
+{
+  DWORD len;
+  DWORD size;
+  char *buf;
+
+  if ((LPWSTR)NULL == wide) {
+    return (char *)NULL;
+  }
+
+  len = nss_ckcapi_WideSize(wide);
+
+  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, NULL, 0, NULL, 0);
+  if (size == 0) {
+    return (char *)NULL;
+  }
+  buf = nss_ZNEWARRAY(NULL, char, size);
+  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, buf, size, NULL, 0);
+  if (size == 0) {
+    nss_ZFreeIf(buf);
+    return (char *)NULL;
+  }
+  return buf;
+}
+
+/*
+ * Return a Wide String duplicated with nss allocated memory.
+ */
+LPWSTR
+nss_ckcapi_WideDup
+(
+  LPCWSTR wide
+)
+{
+  DWORD len = nss_ckcapi_WideSize(wide);
+  LPWSTR buf;
+
+  if ((LPWSTR)NULL == wide) {
+    return (LPWSTR)NULL;
+  }
+
+  len = nss_ckcapi_WideSize(wide);
+
+  buf = (LPWSTR) nss_ZNEWARRAY(NULL, char, len);
+  if ((LPWSTR) NULL == buf) {
+    return buf;
+  }
+  nsslibc_memcpy(buf, wide, len);
+  return buf;
+}
+
+/*
+ * Covert a UTF8 string to Unicode wide character
+ */
+LPWSTR
+nss_ckcapi_UTF8ToWide
+(
+  char *buf
+)
+{
+  DWORD size;
+  DWORD len = strlen(buf)+1;
+  LPWSTR wide;
+
+  if ((char *)NULL == buf) {
+    return (LPWSTR) NULL;
+  }
+    
+  len = strlen(buf)+1;
+
+  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, NULL, 0);
+  if (size == 0) {
+    return (LPWSTR) NULL;
+  }
+  wide = nss_ZNEWARRAY(NULL, WCHAR, size);
+  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, wide, size);
+  if (size == 0) {
+    nss_ZFreeIf(wide);
+    return (LPWSTR) NULL;
+  }
+  return wide;
+}
+
+
+/*
+ * keep all the knowlege of how the internalObject is laid out in this function
+ *
+ * nss_ckcapi_FetchKeyContainer
+ *
+ * fetches the Provider container and info as well as a key handle for a
+ * private key. If something other than a private key is passed in,
+ * this function fails with CKR_KEY_TYPE_INCONSISTENT
+ */
+NSS_EXTERN CK_RV
+nss_ckcapi_FetchKeyContainer
+(
+  ckcapiInternalObject *iKey,
+  HCRYPTPROV *hProv, 
+  DWORD *keySpec,
+  HCRYPTKEY *hKey
+)
+{
+  ckcapiCertObject *co;
+  ckcapiKeyObject *ko;
+  BOOL rc, dummy;
+  DWORD msError;
+
+
+  switch (iKey->type) {
+  default:
+  case ckcapiRaw:
+     /* can't have raw private keys */
+     return CKR_KEY_TYPE_INCONSISTENT;
+  case ckcapiCert:
+    if (iKey->objClass != CKO_PRIVATE_KEY) {
+      /* Only private keys have private key provider handles */
+      return CKR_KEY_TYPE_INCONSISTENT;
+    }
+    co = &iKey->u.cert;
+
+    /* OK, get the Provider */
+    rc = CryptAcquireCertificatePrivateKey(co->certContext,
+      CRYPT_ACQUIRE_CACHE_FLAG|CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, hProv, 
+      keySpec, &dummy);
+    if (!rc) {
+      goto loser;
+    }
+    break;
+  case ckcapiBareKey:
+    if (iKey->objClass != CKO_PRIVATE_KEY) {
+       /* Only private keys have private key provider handles */
+       return CKR_KEY_TYPE_INCONSISTENT;
+    }
+    ko = &iKey->u.key;
+
+    /* OK, get the Provider */
+    if (0 == ko->hProv) {
+      rc = CryptAcquireContext(hProv,
+			       ko->containerName, 
+			       ko->provName,
+                               ko->provInfo.dwProvType , 0);
+      if (!rc) {
+        goto loser;
+      }
+    } else {
+      *hProv = ko->hProv;
+    }
+    *keySpec = ko->provInfo.dwKeySpec;
+    break;
+  }
+
+  /* and get the crypto handle */
+  rc = CryptGetUserKey(*hProv, *keySpec, hKey);
+  if (!rc) {
+    goto loser;
+  }
+  return CKR_OK;
+loser:
+  /* map the microsoft error before leaving */
+  msError = GetLastError();
+  switch (msError) {
+  case ERROR_INVALID_HANDLE:
+  case ERROR_INVALID_PARAMETER:
+  case NTE_BAD_KEY:
+  case NTE_NO_KEY:
+  case NTE_BAD_PUBLIC_KEY:
+  case NTE_BAD_KEYSET:
+  case NTE_KEYSET_NOT_DEF:
+    return CKR_KEY_TYPE_INCONSISTENT;
+  case NTE_BAD_UID:
+  case NTE_KEYSET_ENTRY_BAD:
+    return CKR_DEVICE_ERROR;
+  }
+  return CKR_GENERAL_ERROR;
+}
+
+
+/*
+ * take a DER PUBLIC Key block and return the modulus and exponent
+ */
+static void
+ckcapi_CertPopulateModulusExponent
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiKeyParams *kp = &io->u.cert.key;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
+  CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
+  CK_ULONG newSize;
+  char *ptr, *newptr;
+
+  /* find the start of the modulus -- this will not give good results if
+   * the key isn't an rsa key! */
+  ptr = nss_ckcapi_DERUnwrap(pkData, size, &newSize, NULL);
+  kp->modulus.data = nss_ckcapi_DERUnwrap(ptr, newSize, 
+                                           &kp->modulus.size, &newptr);
+  /* changed from signed to unsigned int */
+  if (0 == *(char *)kp->modulus.data) {
+    kp->modulus.data = ((char *)kp->modulus.data)+1;
+    kp->modulus.size = kp->modulus.size - 1;
+  }
+  /* changed from signed to unsigned int */
+  kp->exponent.data = nss_ckcapi_DERUnwrap(newptr, (newptr-ptr)+newSize, 
+						&kp->exponent.size, NULL);
+  if (0 == *(char *)kp->exponent.data) {
+    kp->exponent.data = ((char *)kp->exponent.data)+1;
+    kp->exponent.size = kp->exponent.size - 1;
+  }
+  return;
+}
+
+typedef struct _CAPI_RSA_KEY_BLOB {
+  PUBLICKEYSTRUC header;
+  RSAPUBKEY  rsa;
+  char	     data[1];
+} CAPI_RSA_KEY_BLOB;
+
+#define CAPI_MODULUS_OFFSET(modSize)     0
+#define CAPI_PRIME_1_OFFSET(modSize)     (modSize)
+#define CAPI_PRIME_2_OFFSET(modSize)     ((modSize)+(modSize)/2)
+#define CAPI_EXPONENT_1_OFFSET(modSize)  ((modSize)*2)
+#define CAPI_EXPONENT_2_OFFSET(modSize)  ((modSize)*2+(modSize)/2)
+#define CAPI_COEFFICIENT_OFFSET(modSize) ((modSize)*3)
+#define CAPI_PRIVATE_EXP_OFFSET(modSize) ((modSize)*3+(modSize)/2)
+
+void
+ckcapi_FetchPublicKey
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiKeyParams *kp;
+  HCRYPTPROV hProv;
+  DWORD keySpec;
+  HCRYPTKEY hKey = 0;
+  CK_RV error;
+  DWORD bufLen;
+  BOOL rc;
+  unsigned long modulus;
+  char *buf = NULL;
+  CAPI_RSA_KEY_BLOB *blob;
+
+  error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+  kp = (ckcapiCert == io->type) ?  &io->u.cert.key : &io->u.key.key;
+
+  rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  buf = nss_ZNEWARRAY(NULL, char, bufLen);
+  rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  /* validate the blob */
+  blob = (CAPI_RSA_KEY_BLOB *)buf;
+  if ((PUBLICKEYBLOB != blob->header.bType) ||
+      (0x02 != blob->header.bVersion) ||
+      (0x31415352 != blob->rsa.magic)) {
+    goto loser;
+  }
+  modulus = blob->rsa.bitlen/8;
+  kp->pubKey = buf;
+  buf = NULL;
+
+  kp->modulus.data = &blob->data[CAPI_MODULUS_OFFSET(modulus)];
+  kp->modulus.size = modulus;
+  ckcapi_ReverseData(&kp->modulus);
+  nss_ckcapi_IntToData(blob->rsa.pubexp, &kp->exponent,
+                     kp->publicExponentData, &error);
+
+loser:
+  nss_ZFreeIf(buf);
+  if (0 != hKey) {
+     CryptDestroyKey(hKey);
+  }
+  return;
+}
+
+void
+ckcapi_FetchPrivateKey
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiKeyParams *kp;
+  HCRYPTPROV hProv;
+  DWORD keySpec;
+  HCRYPTKEY hKey = 0;
+  CK_RV error;
+  DWORD bufLen;
+  BOOL rc;
+  unsigned long modulus;
+  char *buf = NULL;
+  CAPI_RSA_KEY_BLOB *blob;
+
+  error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+  kp = (ckcapiCert == io->type) ?  &io->u.cert.key : &io->u.key.key;
+
+  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  buf = nss_ZNEWARRAY(NULL, char, bufLen);
+  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  /* validate the blob */
+  blob = (CAPI_RSA_KEY_BLOB *)buf;
+  if ((PRIVATEKEYBLOB != blob->header.bType) ||
+      (0x02 != blob->header.bVersion) ||
+      (0x32415352 != blob->rsa.magic)) {
+    goto loser;
+  }
+  modulus = blob->rsa.bitlen/8;
+  kp->privateKey = buf;
+  buf = NULL;
+
+  kp->privateExponent.data = &blob->data[CAPI_PRIVATE_EXP_OFFSET(modulus)];
+  kp->privateExponent.size = modulus;
+  ckcapi_ReverseData(&kp->privateExponent);
+  kp->prime1.data = &blob->data[CAPI_PRIME_1_OFFSET(modulus)];
+  kp->prime1.size = modulus/2;
+  ckcapi_ReverseData(&kp->prime1);
+  kp->prime2.data = &blob->data[CAPI_PRIME_2_OFFSET(modulus)];
+  kp->prime2.size = modulus/2;
+  ckcapi_ReverseData(&kp->prime2);
+  kp->exponent1.data = &blob->data[CAPI_EXPONENT_1_OFFSET(modulus)];
+  kp->exponent1.size = modulus/2;
+  ckcapi_ReverseData(&kp->exponent1);
+  kp->exponent2.data = &blob->data[CAPI_EXPONENT_2_OFFSET(modulus)];
+  kp->exponent2.size = modulus/2;
+  ckcapi_ReverseData(&kp->exponent2);
+  kp->coefficient.data = &blob->data[CAPI_COEFFICIENT_OFFSET(modulus)];
+  kp->coefficient.size = modulus/2;
+  ckcapi_ReverseData(&kp->coefficient);
+
+loser:
+  nss_ZFreeIf(buf);
+  if (0 != hKey) {
+     CryptDestroyKey(hKey);
+  }
+  return;
+}
+
+
+void
+ckcapi_PopulateModulusExponent
+(
+  ckcapiInternalObject *io
+)
+{
+  if (ckcapiCert == io->type) {
+    ckcapi_CertPopulateModulusExponent(io);
+  } else {
+    ckcapi_FetchPublicKey(io);
+  } 
+  return;
+}
+
+/*
+ * fetch the friendly name attribute.
+ * can only be called with ckcapiCert type objects!
+ */
+void
+ckcapi_FetchLabel
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  char *label;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  char labelDataUTF16[128];
+  DWORD size = sizeof(labelDataUTF16);
+  DWORD size8 = sizeof(co->labelData);
+  BOOL rv;
+
+  rv = CertGetCertificateContextProperty(certContext,
+	CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
+  if (rv) {
+    co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16);
+    if ((CHAR *)NULL == co->labelData) {
+      rv = 0;
+    } else {
+      size = strlen(co->labelData);
+    }
+  }
+  label = co->labelData;
+  /* we are presuming a user cert, make sure it has a nickname, even if
+   * Microsoft never gave it one */
+  if (!rv && co->hasID) {
+    DWORD mserror = GetLastError();
+#define DEFAULT_NICKNAME "no Microsoft nickname"
+    label = DEFAULT_NICKNAME;
+    size = sizeof(DEFAULT_NICKNAME);
+    rv = 1;
+  }
+    
+  if (rv) {
+    co->label.data = label;
+    co->label.size = size;
+  }
+  return;
+}
+
+void
+ckcapi_FetchSerial
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = sizeof(co->derSerial);
+
+  BOOL rc = CryptEncodeObject(X509_ASN_ENCODING,
+                         X509_MULTI_BYTE_INTEGER,
+                         &certContext->pCertInfo->SerialNumber,
+			 co->derSerial,
+                         &size);
+  if (rc) {
+    co->serial.data = co->derSerial;
+    co->serial.size = size;
+  }
+  return;
+}
+
+/*
+ * fetch the key ID.
+ */
+void
+ckcapi_FetchID
+(
+  ckcapiInternalObject *io
+)
+{
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = 0;
+  BOOL rc;
+
+  rc = CertGetCertificateContextProperty(certContext,
+	CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
+  if (!rc) {
+    return;
+  }
+  io->idData = nss_ZNEWARRAY(NULL, char, size);
+  if (io->idData == NULL) {
+    return;
+  }
+
+  rc = CertGetCertificateContextProperty(certContext,
+	CERT_KEY_IDENTIFIER_PROP_ID, io->idData, &size);
+  if (!rc) {
+    nss_ZFreeIf(io->idData);
+    io->idData = NULL;
+    return;
+  }
+  io->id.data = io->idData;
+  io->id.size = size;
+  return;
+}
+
+/*
+ * fetch the hash key.
+ */
+void
+ckcapi_CertFetchHashKey
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = certContext->cbCertEncoded;
+  DWORD max = sizeof(io->hashKeyData)-1;
+  DWORD offset = 0;
+
+  /* make sure we don't over flow. NOTE: cutting the top of a cert is
+   * not a big issue because the signature for will be unique for the cert */
+  if (size > max) {
+    offset = size - max;
+    size = max;
+  }
+
+  nsslibc_memcpy(io->hashKeyData,certContext->pbCertEncoded+offset, size);
+  io->hashKeyData[size] = (char)(io->objClass & 0xff);
+
+  io->hashKey.data = io->hashKeyData;
+  io->hashKey.size = size+1;
+  return;
+}
+
+/*
+ * fetch the hash key.
+ */
+void
+ckcapi_KeyFetchHashKey
+(
+  ckcapiInternalObject *io
+)
+{
+  ckcapiKeyObject *ko = &io->u.key;
+  DWORD size;
+  DWORD max = sizeof(io->hashKeyData)-2;
+  DWORD offset = 0;
+  DWORD provLen = strlen(ko->provName);
+  DWORD containerLen = strlen(ko->containerName);
+
+ 
+  size = provLen + containerLen; 
+
+  /* make sure we don't overflow, try to keep things unique */
+  if (size > max) {
+    DWORD diff = ((size - max)+1)/2;
+    provLen -= diff;
+    containerLen -= diff;
+    size = provLen+containerLen;
+  }
+
+  nsslibc_memcpy(io->hashKeyData, ko->provName, provLen);
+  nsslibc_memcpy(&io->hashKeyData[provLen],
+                 ko->containerName,
+		 containerLen);
+  io->hashKeyData[size] = (char)(io->objClass & 0xff);
+  io->hashKeyData[size+1] = (char)(ko->provInfo.dwKeySpec & 0xff);
+
+  io->hashKey.data = io->hashKeyData;
+  io->hashKey.size = size+2;
+  return;
+}
+
+/*
+ * fetch the hash key.
+ */
+void
+ckcapi_FetchHashKey
+(
+  ckcapiInternalObject *io
+)
+{
+  if (ckcapiCert == io->type) {
+    ckcapi_CertFetchHashKey(io);
+  } else {
+    ckcapi_KeyFetchHashKey(io);
+  } 
+  return;
+}
+ 
+const NSSItem *
+ckcapi_FetchCertAttribute
+(
+  ckcapiInternalObject *io,
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_certClassItem;
+  case CKA_TOKEN:
+    return &ckcapi_trueItem;
+  case CKA_MODIFIABLE:
+  case CKA_PRIVATE:
+    return &ckcapi_falseItem;
+  case CKA_CERTIFICATE_TYPE:
+    return &ckcapi_x509Item;
+  case CKA_LABEL:
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (0 == io->u.cert.subject.size) {
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_ISSUER:
+    if (0 == io->u.cert.issuer.size) {
+      io->u.cert.issuer.data = certContext->pCertInfo->Issuer.pbData;
+      io->u.cert.issuer.size = certContext->pCertInfo->Issuer.cbData;
+    }
+    return &io->u.cert.issuer;
+  case CKA_SERIAL_NUMBER:
+    if (0 == io->u.cert.serial.size) {
+      /* not exactly right. This should be the encoded serial number, but
+       * it's the decoded serial number! */
+      ckcapi_FetchSerial(io);
+    }
+    return &io->u.cert.serial;
+  case CKA_VALUE:
+    if (0 == io->u.cert.derCert.size) {
+      io->u.cert.derCert.data = io->u.cert.certContext->pbCertEncoded;
+      io->u.cert.derCert.size = io->u.cert.certContext->cbCertEncoded;
+    }
+    return &io->u.cert.derCert;
+  case CKA_ID:
+    if (!io->u.cert.hasID) {
+      return NULL;
+    }
+    if (0 == io->id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->id;
+  default:
+    break;
+  }
+  return NULL;
+}
+
+const NSSItem *
+ckcapi_FetchPubKeyAttribute
+(
+  ckcapiInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  PRBool isCertType = (ckcapiCert == io->type);
+  ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
+  
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_pubKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+  case CKA_ENCRYPT:
+  case CKA_VERIFY:
+  case CKA_VERIFY_RECOVER:
+    return &ckcapi_trueItem;
+  case CKA_PRIVATE:
+  case CKA_MODIFIABLE:
+  case CKA_DERIVE:
+  case CKA_WRAP:
+    return &ckcapi_falseItem;
+  case CKA_KEY_TYPE:
+    return &ckcapi_rsaItem;
+  case CKA_LABEL:
+    if (!isCertType) {
+      return &ckcapi_emptyItem;
+    }
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (!isCertType) {
+      return &ckcapi_emptyItem;
+    }
+    if (0 == io->u.cert.subject.size) {
+      PCCERT_CONTEXT certContext= io->u.cert.certContext;
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_MODULUS:
+    if (0 == kp->modulus.size) {
+	ckcapi_PopulateModulusExponent(io);
+    }
+    return &kp->modulus;
+  case CKA_PUBLIC_EXPONENT:
+    if (0 == kp->modulus.size) {
+	ckcapi_PopulateModulusExponent(io);
+    }
+    return &kp->exponent;
+  case CKA_ID:
+    if (0 == io->id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->id;
+  default:
+    break;
+  }
+  return NULL;
+}
+
+const NSSItem *
+ckcapi_FetchPrivKeyAttribute
+(
+  ckcapiInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  PRBool isCertType = (ckcapiCert == io->type);
+  ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
+
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_privKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+  case CKA_SIGN:
+  case CKA_DECRYPT:
+  case CKA_SIGN_RECOVER:
+    return &ckcapi_trueItem;
+  case CKA_SENSITIVE:
+  case CKA_PRIVATE:    /* should move in the future */
+  case CKA_MODIFIABLE:
+  case CKA_DERIVE:
+  case CKA_UNWRAP:
+  case CKA_EXTRACTABLE: /* will probably move in the future */
+  case CKA_ALWAYS_SENSITIVE:
+  case CKA_NEVER_EXTRACTABLE:
+    return &ckcapi_falseItem;
+  case CKA_KEY_TYPE:
+    return &ckcapi_rsaItem;
+  case CKA_LABEL:
+    if (!isCertType) {
+      return &ckcapi_emptyItem;
+    }
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (!isCertType) {
+      return &ckcapi_emptyItem;
+    }
+    if (0 == io->u.cert.subject.size) {
+      PCCERT_CONTEXT certContext= io->u.cert.certContext;
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_MODULUS:
+    if (0 == kp->modulus.size) {
+      ckcapi_PopulateModulusExponent(io);
+    }
+    return &kp->modulus;
+  case CKA_PUBLIC_EXPONENT:
+    if (0 == kp->modulus.size) {
+      ckcapi_PopulateModulusExponent(io);
+    }
+    return &kp->exponent;
+  case CKA_PRIVATE_EXPONENT:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->privateExponent;
+  case CKA_PRIME_1:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->prime1;
+  case CKA_PRIME_2:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->prime2;
+  case CKA_EXPONENT_1:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->exponent1;
+  case CKA_EXPONENT_2:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->exponent2;
+  case CKA_COEFFICIENT:
+    if (0 == kp->privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &kp->coefficient;
+  case CKA_ID:
+    if (0 == io->id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->id;
+  default:
+    return NULL;
+  }
+}
+
+const NSSItem *
+nss_ckcapi_FetchAttribute
+(
+  ckcapiInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  CK_ULONG i;
+
+  if (io->type == ckcapiRaw) {
+    for( i = 0; i < io->u.raw.n; i++ ) {
+      if( type == io->u.raw.types[i] ) {
+        return &io->u.raw.items[i];
+      }
+    }
+    return NULL;
+  }
+  /* deal with the common attributes */
+  switch (io->objClass) {
+  case CKO_CERTIFICATE:
+   return ckcapi_FetchCertAttribute(io, type); 
+  case CKO_PRIVATE_KEY:
+   return ckcapi_FetchPrivKeyAttribute(io, type); 
+  case CKO_PUBLIC_KEY:
+   return ckcapi_FetchPubKeyAttribute(io, type); 
+  }
+  return NULL;
+}
+
+/*
+ * check to see if the certificate already exists
+ */
+static PRBool
+ckcapi_cert_exists(
+  NSSItem *value,
+  ckcapiInternalObject **io
+)
+{
+  int count,i;
+  PRUint32 size = 0;
+  ckcapiInternalObject **listp = NULL;
+  CK_ATTRIBUTE myTemplate[2];
+  CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
+  CK_ULONG templateCount = 2;
+  CK_RV error;
+  PRBool found = PR_FALSE;
+
+  myTemplate[0].type = CKA_CLASS;
+  myTemplate[0].pValue = &cert_class;
+  myTemplate[0].ulValueLen = sizeof(cert_class);
+  myTemplate[1].type = CKA_VALUE;
+  myTemplate[1].pValue = value->data;
+  myTemplate[1].ulValueLen = value->size;
+
+  count = nss_ckcapi_collect_all_certs(myTemplate, templateCount, &listp, 
+			&size, 0, &error);
+
+  /* free them */
+  if (count > 1) {
+    *io = listp[0];
+    found = PR_TRUE;
+  }
+    
+  for (i=1; i < count; i++) {
+    nss_ckcapi_DestroyInternalObject(listp[i]);
+  }
+  nss_ZFreeIf(listp);
+  return found;
+}
+
+static PRBool
+ckcapi_cert_hasEmail
+(
+  PCCERT_CONTEXT certContext
+)
+{
+  int count;
+
+  count = CertGetNameString(certContext, CERT_NAME_EMAIL_TYPE, 
+                            0, NULL, NULL, 0);
+
+  return count > 1 ? PR_TRUE : PR_FALSE;
+}
+
+static PRBool
+ckcapi_cert_isRoot
+(
+  PCCERT_CONTEXT certContext
+)
+{
+  return CertCompareCertificateName(certContext->dwCertEncodingType,
+	&certContext->pCertInfo->Issuer, &certContext->pCertInfo->Subject);
+}
+
+static PRBool
+ckcapi_cert_isCA
+(
+  PCCERT_CONTEXT certContext
+)
+{
+  PCERT_EXTENSION extension;
+  CERT_BASIC_CONSTRAINTS2_INFO basicInfo;
+  DWORD size = sizeof(basicInfo);
+  BOOL rc;
+
+  extension = CertFindExtension (szOID_BASIC_CONSTRAINTS,
+				certContext->pCertInfo->cExtension,
+				certContext->pCertInfo->rgExtension);
+  if ((PCERT_EXTENSION) NULL == extension ) {
+    return PR_FALSE;
+  }
+  rc = CryptDecodeObject(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS2,
+          extension->Value.pbData, extension->Value.cbData, 
+          0, &basicInfo, &size);
+  if (!rc) {
+    return PR_FALSE;
+  }
+  return (PRBool) basicInfo.fCA;
+}
+
+static CRYPT_KEY_PROV_INFO *
+ckcapi_cert_getPrivateKeyInfo
+(
+  PCCERT_CONTEXT certContext,
+  NSSItem *keyID
+)
+{
+  BOOL rc;
+  CRYPT_HASH_BLOB msKeyID;
+  DWORD size = 0;
+  CRYPT_KEY_PROV_INFO *prov = NULL;
+
+  msKeyID.cbData = keyID->size;
+  msKeyID.pbData = keyID->data;
+
+  rc = CryptGetKeyIdentifierProperty(
+	  &msKeyID,
+       	  CERT_KEY_PROV_INFO_PROP_ID,
+	  0, NULL, NULL, NULL, &size);
+  if (!rc) {
+    return (CRYPT_KEY_PROV_INFO *)NULL;
+  }
+  prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
+  if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
+    return (CRYPT_KEY_PROV_INFO *) NULL;
+  }
+  rc = CryptGetKeyIdentifierProperty(
+	  &msKeyID,
+       	  CERT_KEY_PROV_INFO_PROP_ID,
+	  0, NULL, NULL, prov, &size);
+  if (!rc) {
+    nss_ZFreeIf(prov);
+    return (CRYPT_KEY_PROV_INFO *)NULL;
+  }
+  
+  return prov;
+}
+
+static CRYPT_KEY_PROV_INFO *
+ckcapi_cert_getProvInfo
+(
+  ckcapiInternalObject *io
+)
+{
+  BOOL rc;
+  DWORD size = 0;
+  CRYPT_KEY_PROV_INFO *prov = NULL;
+
+  rc = CertGetCertificateContextProperty(
+	  io->u.cert.certContext,
+       	  CERT_KEY_PROV_INFO_PROP_ID,
+	  NULL, &size);
+  if (!rc) {
+    return (CRYPT_KEY_PROV_INFO *)NULL;
+  }
+  prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
+  if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
+    return (CRYPT_KEY_PROV_INFO *) NULL;
+  }
+  rc = CertGetCertificateContextProperty(
+	  io->u.cert.certContext,
+       	  CERT_KEY_PROV_INFO_PROP_ID,
+	  prov, &size);
+  if (!rc) {
+    nss_ZFreeIf(prov);
+    return (CRYPT_KEY_PROV_INFO *)NULL;
+  }
+
+  return prov;
+}
+  
+/* forward declaration */
+static void
+ckcapi_removeObjectFromHash
+(
+  ckcapiInternalObject *io
+);
+
+/*
+ * Finalize - unneeded
+ * Destroy 
+ * IsTokenObject - CK_TRUE
+ * GetAttributeCount
+ * GetAttributeTypes
+ * GetAttributeSize
+ * GetAttribute
+ * SetAttribute
+ * GetObjectSize
+ */
+
+static CK_RV
+ckcapi_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+  CK_OBJECT_CLASS objClass;
+  BOOL rc;
+  DWORD provType;
+  DWORD msError;
+  PRBool isCertType = (PRBool)(ckcapiCert == io->type);
+  HCERTSTORE hStore = 0;
+
+  if (ckcapiRaw == io->type) {
+    /* there is not 'object write protected' error, use the next best thing */
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  objClass = io->objClass;
+  if (CKO_CERTIFICATE == objClass) {
+    PCCERT_CONTEXT certContext;
+
+    /* get the store */
+    hStore = CertOpenSystemStore(0, io->u.cert.certStore);
+    if (0 == hStore) {
+      rc = 0;
+      goto loser;
+    }
+    certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0, 
+      CERT_FIND_EXISTING, io->u.cert.certContext, NULL); 
+    if ((PCCERT_CONTEXT)NULL ==  certContext) {
+      rc = 0;
+      goto loser;
+    }
+    rc = CertDeleteCertificateFromStore(certContext);
+    CertFreeCertificateContext(certContext);
+  } else {
+    char *provName = NULL;
+    char *containerName = NULL;
+    HCRYPTPROV hProv;
+    CRYPT_HASH_BLOB msKeyID;
+
+    if (0 == io->id.size) {
+      ckcapi_FetchID(io);
+    }
+
+    if (isCertType) {
+      CRYPT_KEY_PROV_INFO * provInfo = ckcapi_cert_getProvInfo(io);
+      provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName);
+      containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName);
+      provType = provInfo->dwProvType;
+      nss_ZFreeIf(provInfo);
+    } else {
+      provName = io->u.key.provName;
+      containerName = io->u.key.containerName;
+      provType = io->u.key.provInfo.dwProvType;
+      io->u.key.provName = NULL;
+      io->u.key.containerName = NULL;
+    }
+    /* first remove the key id pointer */
+    msKeyID.cbData = io->id.size;
+    msKeyID.pbData = io->id.data;
+    rc = CryptSetKeyIdentifierProperty(&msKeyID, 
+	CERT_KEY_PROV_INFO_PROP_ID, CRYPT_KEYID_DELETE_FLAG, NULL, NULL, NULL);
+    if (rc) {
+      rc = CryptAcquireContext(&hProv, containerName, provName, provType,
+		CRYPT_DELETEKEYSET);
+    }
+    nss_ZFreeIf(provName);
+    nss_ZFreeIf(containerName);
+  }
+loser:
+
+  if (hStore) {
+    CertCloseStore(hStore, 0);
+  }
+  if (!rc) {
+    msError = GetLastError();
+    return CKR_GENERAL_ERROR;
+  }
+
+  /* remove it from the hash */
+  ckcapi_removeObjectFromHash(io);
+
+  /* free the puppy.. */
+  nss_ckcapi_DestroyInternalObject(io);
+  return CKR_OK;
+}
+
+static CK_BBOOL
+ckcapi_mdObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  if (ckcapiRaw == io->type) {
+     return io->u.raw.n;
+  }
+  switch (io->objClass) {
+  case CKO_CERTIFICATE:
+    return certAttrsCount;
+  case CKO_PUBLIC_KEY:
+    return pubKeyAttrsCount;
+  case CKO_PRIVATE_KEY:
+    return privKeyAttrsCount;
+  default:
+    break;
+  }
+  return 0;
+}
+
+static CK_RV
+ckcapi_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+  CK_ULONG i;
+  CK_RV error = CKR_OK;
+  const CK_ATTRIBUTE_TYPE *attrs = NULL;
+  CK_ULONG size = ckcapi_mdObject_GetAttributeCount(
+			mdObject, fwObject, mdSession, fwSession, 
+			mdToken, fwToken, mdInstance, fwInstance, &error);
+
+  if( size != ulCount ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+  if (io->type == ckcapiRaw) {
+    attrs = io->u.raw.types;
+  } else switch(io->objClass) {
+    case CKO_CERTIFICATE:
+      attrs = certAttrs;
+      break;
+    case CKO_PUBLIC_KEY:
+      attrs = pubKeyAttrs;
+      break;
+    case CKO_PRIVATE_KEY:
+      attrs = privKeyAttrs;
+      break;
+    default:
+      return CKR_OK;
+  }
+  
+  for( i = 0; i < size; i++) {
+    typeArray[i] = attrs[i];
+  }
+
+  return CKR_OK;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  const NSSItem *b;
+
+  b = nss_ckcapi_FetchAttribute(io, attribute);
+
+  if ((const NSSItem *)NULL == b) {
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    return 0;
+  }
+  return b->size;
+}
+
+static CK_RV
+ckcapi_mdObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem           *value
+)
+{
+  return CKR_OK;
+}
+
+static NSSCKFWItem
+ckcapi_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  NSSCKFWItem mdItem;
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  mdItem.needsFreeing = PR_FALSE;
+  mdItem.item = (NSSItem*)nss_ckcapi_FetchAttribute(io, attribute);
+
+  if ((NSSItem *)NULL == mdItem.item) {
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  }
+
+  return mdItem;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+  CK_ULONG rv = 1;
+
+  /* size is irrelevant to this token */
+  return rv;
+}
+
+static const NSSCKMDObject
+ckcapi_prototype_mdObject = {
+  (void *)NULL, /* etc */
+  NULL, /* Finalize */
+  ckcapi_mdObject_Destroy,
+  ckcapi_mdObject_IsTokenObject,
+  ckcapi_mdObject_GetAttributeCount,
+  ckcapi_mdObject_GetAttributeTypes,
+  ckcapi_mdObject_GetAttributeSize,
+  ckcapi_mdObject_GetAttribute,
+  NULL, /* FreeAttribute */
+  ckcapi_mdObject_SetAttribute,
+  ckcapi_mdObject_GetObjectSize,
+  (void *)NULL /* null terminator */
+};
+
+static nssHash *ckcapiInternalObjectHash = NULL;
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_ckcapi_CreateMDObject
+(
+  NSSArena *arena,
+  ckcapiInternalObject *io,
+  CK_RV *pError
+)
+{
+  if ((nssHash *)NULL == ckcapiInternalObjectHash) {
+    ckcapiInternalObjectHash = nssHash_CreateItem(NULL, 10);
+  }
+  if (ckcapiCert == io->type) {
+    /* the hash key, not a cryptographic key */
+    NSSItem *key = &io->hashKey;
+    ckcapiInternalObject *old_o = NULL;
+
+    if (key->size == 0) {
+      ckcapi_FetchHashKey(io);
+    }
+    old_o = (ckcapiInternalObject *) 
+              nssHash_Lookup(ckcapiInternalObjectHash, key);
+    if (!old_o) {
+      nssHash_Add(ckcapiInternalObjectHash, key, io);
+    } else if (old_o != io) {
+      nss_ckcapi_DestroyInternalObject(io);
+      io = old_o;
+    }
+  }
+    
+  if ( (void*)NULL == io->mdObject.etc) {
+    (void) nsslibc_memcpy(&io->mdObject,&ckcapi_prototype_mdObject,
+					sizeof(ckcapi_prototype_mdObject));
+    io->mdObject.etc = (void *)io;
+  }
+  return &io->mdObject;
+}
+
+static void
+ckcapi_removeObjectFromHash
+(
+  ckcapiInternalObject *io
+)
+{
+  NSSItem *key = &io->hashKey;
+
+  if ((nssHash *)NULL == ckcapiInternalObjectHash) {
+    return;
+  }
+  if (key->size == 0) {
+    ckcapi_FetchHashKey(io);
+  }
+  nssHash_Remove(ckcapiInternalObjectHash, key);
+  return;
+}
+
+void
+nss_ckcapi_DestroyInternalObject
+(
+  ckcapiInternalObject *io
+)
+{
+  switch (io->type) {
+  case ckcapiRaw:
+    return;
+  case ckcapiCert:
+    CertFreeCertificateContext(io->u.cert.certContext);
+    nss_ZFreeIf(io->u.cert.labelData);
+    nss_ZFreeIf(io->u.cert.key.privateKey);
+    nss_ZFreeIf(io->u.cert.key.pubKey);
+    nss_ZFreeIf(io->idData);
+    break;
+  case ckcapiBareKey:
+    nss_ZFreeIf(io->u.key.provInfo.pwszContainerName);
+    nss_ZFreeIf(io->u.key.provInfo.pwszProvName);
+    nss_ZFreeIf(io->u.key.provName);
+    nss_ZFreeIf(io->u.key.containerName);
+    nss_ZFreeIf(io->u.key.key.privateKey);
+    nss_ZFreeIf(io->u.key.key.pubKey);
+    if (0 != io->u.key.hProv) {
+      CryptReleaseContext(io->u.key.hProv, 0);
+    }
+    nss_ZFreeIf(io->idData);
+    break;
+  }
+  nss_ZFreeIf(io);
+  return;
+}
+
+static ckcapiInternalObject *
+nss_ckcapi_CreateCertificate
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSItem value;
+  NSSItem keyID;
+  char *storeStr;
+  ckcapiInternalObject *io = NULL;
+  PCCERT_CONTEXT certContext = NULL;
+  PCCERT_CONTEXT storedCertContext = NULL;
+  CRYPT_KEY_PROV_INFO *prov_info = NULL;
+  char *nickname = NULL;
+  HCERTSTORE hStore = 0;
+  DWORD msError = 0;
+  PRBool hasID;
+  CK_RV dummy;
+  BOOL rc;
+
+  *pError = nss_ckcapi_GetAttribute(CKA_VALUE, pTemplate, 
+				  ulAttributeCount, &value);
+
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+
+  *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, 
+				  ulAttributeCount, &keyID);
+
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+
+  if (ckcapi_cert_exists(&value, &io)) {
+    return io;
+  }
+
+  /* OK, we are creating a new one, figure out what store it belongs to.. 
+   * first get a certContext handle.. */
+  certContext = CertCreateCertificateContext(X509_ASN_ENCODING, 
+                                             value.data, value.size);
+  if ((PCCERT_CONTEXT) NULL == certContext) {
+    msError = GetLastError();
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+
+  /* do we have a private key laying around... */
+  prov_info = ckcapi_cert_getPrivateKeyInfo(certContext, &keyID);
+  if (prov_info) {
+    CRYPT_DATA_BLOB msKeyID;
+    storeStr = "My";
+    hasID = PR_TRUE;
+    rc = CertSetCertificateContextProperty(certContext,
+       	        CERT_KEY_PROV_INFO_PROP_ID,
+                0, prov_info);
+    nss_ZFreeIf(prov_info);
+    if (!rc) {
+      msError = GetLastError();
+      *pError = CKR_DEVICE_ERROR;
+      goto loser;
+    }
+    msKeyID.cbData = keyID.size;
+    msKeyID.pbData = keyID.data;
+    rc = CertSetCertificateContextProperty(certContext,
+       	        CERT_KEY_IDENTIFIER_PROP_ID,
+                0, &msKeyID);
+    if (!rc) {
+      msError = GetLastError();
+      *pError = CKR_DEVICE_ERROR;
+      goto loser;
+    }
+    
+  /* does it look like a CA */
+  } else if (ckcapi_cert_isCA(certContext)) {
+    storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root";
+  /* does it look like an S/MIME cert */
+  } else if (ckcapi_cert_hasEmail(certContext)) {
+    storeStr = "AddressBook";
+  } else {
+  /* just pick a store */
+    storeStr = "CA";
+  }
+
+  /* get the nickname, not an error if we can't find it */
+  nickname = nss_ckcapi_GetStringAttribute(CKA_LABEL, pTemplate, 
+				  ulAttributeCount, &dummy);
+  if (nickname) {
+    LPWSTR nicknameUTF16 = NULL;
+    CRYPT_DATA_BLOB nicknameBlob;
+
+    nicknameUTF16 = nss_ckcapi_UTF8ToWide(nickname);
+    nss_ZFreeIf(nickname);
+    nickname = NULL;
+    if ((LPWSTR)NULL == nicknameUTF16) {
+      *pError = CKR_HOST_MEMORY;
+      goto loser;
+    }
+    nicknameBlob.cbData = nss_ckcapi_WideSize(nicknameUTF16);
+    nicknameBlob.pbData = (BYTE *)nicknameUTF16;
+    rc = CertSetCertificateContextProperty(certContext,
+	CERT_FRIENDLY_NAME_PROP_ID, 0, &nicknameBlob);
+    nss_ZFreeIf(nicknameUTF16);
+    if (!rc) {
+      msError = GetLastError();
+      *pError = CKR_DEVICE_ERROR;
+      goto loser;
+    }
+  }
+
+  hStore = CertOpenSystemStore((HCRYPTPROV) NULL, storeStr);
+  if (0 == hStore) {
+    msError = GetLastError();
+    *pError = CKR_DEVICE_ERROR;
+    goto loser;
+  }
+
+  rc = CertAddCertificateContextToStore(hStore, certContext, 
+       CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES, &storedCertContext);
+  CertFreeCertificateContext(certContext);
+  certContext = NULL;
+  CertCloseStore(hStore, 0);
+  hStore = 0;
+  if (!rc) {
+    msError = GetLastError();
+    *pError = CKR_DEVICE_ERROR;
+    goto loser;
+  }
+
+  io = nss_ZNEW(NULL, ckcapiInternalObject);
+  if ((ckcapiInternalObject *)NULL == io) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  io->type = ckcapiCert;
+  io->objClass = CKO_CERTIFICATE;
+  io->u.cert.certContext = storedCertContext;
+  io->u.cert.hasID = hasID;
+  return io;
+
+loser:
+  if (certContext) {
+    CertFreeCertificateContext(certContext);
+    certContext = NULL;
+  }
+  if (storedCertContext) {
+    CertFreeCertificateContext(storedCertContext);
+    storedCertContext = NULL;
+  }
+  if (0 != hStore) {
+    CertCloseStore(hStore, 0);
+  }
+  return (ckcapiInternalObject *)NULL;
+
+}
+
+static char *
+ckcapi_getDefaultProvider
+(
+  CK_RV *pError
+)
+{
+  char *name = NULL;
+  BOOL rc;
+  DWORD nameLength = 0;
+
+  rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, NULL,
+		&nameLength);
+  if (!rc) {
+    return (char *)NULL;
+  }
+
+  name = nss_ZNEWARRAY(NULL, char, nameLength);
+  if ((char *)NULL == name ) {
+    return (char *)NULL;
+  }
+  rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, name,
+		&nameLength);
+  if (!rc) {
+    nss_ZFreeIf(name);
+    return (char *)NULL;
+  }
+
+  return name;
+}
+
+static char *
+ckcapi_getContainer
+(
+  CK_RV *pError,
+  NSSItem *id
+)
+{
+  RPC_STATUS rstat;
+  UUID uuid;
+  char *uuidStr;
+  char *container;
+
+  rstat = UuidCreate(&uuid);
+  rstat = UuidToString(&uuid, &uuidStr);
+
+  /* convert it from rcp memory to our own */
+  container = nssUTF8_Duplicate(uuidStr, NULL);
+  RpcStringFree(&uuidStr);
+  
+  return container;
+}
+
+static CK_RV
+ckcapi_buildPrivateKeyBlob
+(
+  NSSItem  *keyBlob, 
+  NSSItem  *modulus,
+  NSSItem  *publicExponent,
+  NSSItem  *privateExponent,
+  NSSItem  *prime1,
+  NSSItem  *prime2,
+  NSSItem  *exponent1,
+  NSSItem  *exponent2,
+  NSSItem  *coefficient, 
+  PRBool   isKeyExchange
+)
+{
+  CAPI_RSA_KEY_BLOB *keyBlobData = NULL;
+  unsigned char *target;
+  unsigned long modSize = modulus->size;
+  unsigned long dataSize;
+  CK_RV error = CKR_OK;
+
+  /* validate extras */
+  if (privateExponent->size != modSize) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  if (prime1->size != modSize/2) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  if (prime2->size != modSize/2) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  if (exponent1->size != modSize/2) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  if (exponent2->size != modSize/2) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  if (coefficient->size != modSize/2) {
+    error = CKR_ATTRIBUTE_VALUE_INVALID;
+    goto loser;
+  }
+  dataSize = (modSize*4)+(modSize/2) + sizeof(CAPI_RSA_KEY_BLOB);
+  keyBlobData = (CAPI_RSA_KEY_BLOB *)nss_ZAlloc(NULL, dataSize);
+  if ((CAPI_RSA_KEY_BLOB *)NULL == keyBlobData) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  keyBlobData->header.bType = PRIVATEKEYBLOB;
+  keyBlobData->header.bVersion = 0x02;
+  keyBlobData->header.reserved = 0x00;
+  keyBlobData->header.aiKeyAlg = isKeyExchange ? CALG_RSA_KEYX:CALG_RSA_SIGN;
+  keyBlobData->rsa.magic = 0x32415352;
+  keyBlobData->rsa.bitlen = modSize * 8;
+  keyBlobData->rsa.pubexp = nss_ckcapi_DataToInt(publicExponent,&error);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+
+  target = &keyBlobData->data[CAPI_MODULUS_OFFSET(modSize)];
+  nsslibc_memcpy(target, modulus->data, modulus->size);
+  modulus->data = target;
+  ckcapi_ReverseData(modulus);
+
+  target = &keyBlobData->data[CAPI_PRIVATE_EXP_OFFSET(modSize)];
+  nsslibc_memcpy(target, privateExponent->data, privateExponent->size);
+  privateExponent->data = target;
+  ckcapi_ReverseData(privateExponent);
+
+  target = &keyBlobData->data[CAPI_PRIME_1_OFFSET(modSize)];
+  nsslibc_memcpy(target, prime1->data, prime1->size);
+  prime1->data = target;
+  ckcapi_ReverseData(prime1);
+
+  target = &keyBlobData->data[CAPI_PRIME_2_OFFSET(modSize)];
+  nsslibc_memcpy(target, prime2->data, prime2->size);
+  prime2->data = target;
+  ckcapi_ReverseData(prime2);
+
+  target = &keyBlobData->data[CAPI_EXPONENT_1_OFFSET(modSize)];
+  nsslibc_memcpy(target, exponent1->data, exponent1->size);
+  exponent1->data = target;
+  ckcapi_ReverseData(exponent1);
+
+  target = &keyBlobData->data[CAPI_EXPONENT_2_OFFSET(modSize)];
+  nsslibc_memcpy(target, exponent2->data, exponent2->size);
+  exponent2->data = target;
+  ckcapi_ReverseData(exponent2);
+
+  target = &keyBlobData->data[CAPI_COEFFICIENT_OFFSET(modSize)];
+  nsslibc_memcpy(target, coefficient->data, coefficient->size);
+  coefficient->data = target;
+  ckcapi_ReverseData(coefficient);
+
+  keyBlob->data = keyBlobData;
+  keyBlob->size = dataSize;
+
+  return CKR_OK;
+
+loser:
+  nss_ZFreeIf(keyBlobData);
+  return error;
+}
+
+static ckcapiInternalObject *
+nss_ckcapi_CreatePrivateKey
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSItem modulus;
+  NSSItem publicExponent;
+  NSSItem privateExponent;
+  NSSItem exponent1;
+  NSSItem exponent2;
+  NSSItem prime1;
+  NSSItem prime2;
+  NSSItem coefficient;
+  NSSItem keyID;
+  NSSItem keyBlob;
+  ckcapiInternalObject *io = NULL;
+  char *providerName = NULL;
+  char *containerName = NULL;
+  char *idData = NULL;
+  CRYPT_KEY_PROV_INFO provInfo;
+  CRYPT_HASH_BLOB msKeyID;
+  CK_KEY_TYPE keyType;
+  HCRYPTPROV hProv = 0;
+  HCRYPTKEY hKey = 0;
+  PRBool decrypt;
+  DWORD keySpec;
+  DWORD msError;
+  BOOL rc;
+
+  keyType = nss_ckcapi_GetULongAttribute
+                  (CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  if (CKK_RSA != keyType) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (ckcapiInternalObject *)NULL;
+  }
+
+  decrypt = nss_ckcapi_GetBoolAttribute(CKA_DECRYPT, 
+				pTemplate, ulAttributeCount, pError);
+  if (CKR_TEMPLATE_INCOMPLETE == *pError) {
+    decrypt = PR_TRUE; /* default to true */
+  }
+  decrypt = decrypt || nss_ckcapi_GetBoolAttribute(CKA_UNWRAP, 
+				pTemplate, ulAttributeCount, pError);
+  if (CKR_TEMPLATE_INCOMPLETE == *pError) {
+    decrypt = PR_TRUE; /* default to true */
+  }
+  keySpec = decrypt ? AT_KEYEXCHANGE : AT_SIGNATURE;
+
+  *pError = nss_ckcapi_GetAttribute(CKA_MODULUS, pTemplate, 
+				  ulAttributeCount, &modulus);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate, 
+				  ulAttributeCount, &publicExponent);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate, 
+				  ulAttributeCount, &privateExponent);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_PRIME_1, pTemplate, 
+				  ulAttributeCount, &prime1);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_PRIME_2, pTemplate, 
+				  ulAttributeCount, &prime2);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_1, pTemplate, 
+				  ulAttributeCount, &exponent1);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_2, pTemplate, 
+				  ulAttributeCount, &exponent2);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_COEFFICIENT, pTemplate, 
+				  ulAttributeCount, &coefficient);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, 
+				  ulAttributeCount, &keyID);
+  if (CKR_OK != *pError) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  providerName = ckcapi_getDefaultProvider(pError);
+  if ((char *)NULL == providerName ) {
+    return (ckcapiInternalObject *)NULL;
+  }
+  containerName = ckcapi_getContainer(pError, &keyID);
+  if ((char *)NULL == providerName ) {
+    goto loser;
+  }
+  rc = CryptAcquireContext(&hProv, containerName, providerName, 
+                           PROV_RSA_FULL, CRYPT_NEWKEYSET);
+  if (!rc) {
+    msError = GetLastError();
+    *pError = CKR_DEVICE_ERROR;
+    goto loser;
+  }
+
+  *pError = ckcapi_buildPrivateKeyBlob(
+		&keyBlob, 
+		&modulus, 
+		&publicExponent, 
+		&privateExponent,
+		&prime1,
+		&prime2, 
+		&exponent1, 
+		&exponent2, 
+		&coefficient, 
+		decrypt);
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+  rc = CryptImportKey(hProv, keyBlob.data, keyBlob.size, 
+		      0, CRYPT_EXPORTABLE, &hKey);
+  if (!rc) {
+    msError = GetLastError();
+    *pError = CKR_DEVICE_ERROR;
+    goto loser;
+  }
+
+  idData = nss_ZNEWARRAY(NULL, char, keyID.size);
+  if ((void *)NULL == idData) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  nsslibc_memcpy(idData, keyID.data, keyID.size);
+
+  provInfo.pwszContainerName = nss_ckcapi_UTF8ToWide(containerName);
+  provInfo.pwszProvName = nss_ckcapi_UTF8ToWide(providerName);
+  provInfo.dwProvType = PROV_RSA_FULL;
+  provInfo.dwFlags = 0;
+  provInfo.cProvParam = 0;
+  provInfo.rgProvParam = NULL;
+  provInfo.dwKeySpec = keySpec;
+
+  msKeyID.cbData = keyID.size;
+  msKeyID.pbData = keyID.data;
+
+  rc = CryptSetKeyIdentifierProperty(&msKeyID, CERT_KEY_PROV_INFO_PROP_ID,
+                                     0, NULL, NULL, &provInfo);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* handle error here */
+  io = nss_ZNEW(NULL, ckcapiInternalObject);
+  if ((ckcapiInternalObject *)NULL == io) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  io->type = ckcapiBareKey;
+  io->objClass = CKO_PRIVATE_KEY;
+  io->u.key.provInfo = provInfo;
+  io->u.key.provName = providerName;
+  io->u.key.containerName = containerName;
+  io->u.key.hProv = hProv; /* save the handle */
+  io->idData = idData;
+  io->id.data = idData;
+  io->id.size = keyID.size;
+  /* done with the key handle */
+  CryptDestroyKey(hKey);
+  return io;
+
+loser:
+  nss_ZFreeIf(containerName);
+  nss_ZFreeIf(providerName);
+  nss_ZFreeIf(idData);
+  if (0 != hProv) {
+    CryptReleaseContext(hProv, 0);
+  }
+  if (0 != hKey) {
+    CryptDestroyKey(hKey);
+  }
+  return (ckcapiInternalObject *)NULL;
+}
+
+
+NSS_EXTERN NSSCKMDObject *
+nss_ckcapi_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  CK_OBJECT_CLASS objClass;
+  ckcapiInternalObject *io;
+  CK_BBOOL isToken;
+
+  /*
+   * only create token objects
+   */
+  isToken = nss_ckcapi_GetBoolAttribute(CKA_TOKEN, pTemplate, 
+					ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    return (NSSCKMDObject *) NULL;
+  }
+  if (!isToken) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (NSSCKMDObject *) NULL;
+  }
+
+  /*
+   * only create keys and certs.
+   */
+  objClass = nss_ckcapi_GetULongAttribute(CKA_CLASS, pTemplate, 
+					  ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    return (NSSCKMDObject *) NULL;
+  }
+#ifdef notdef
+  if (objClass == CKO_PUBLIC_KEY) {
+    return CKR_OK; /* fake public key creation, happens as a side effect of
+                    * private key creation */
+  }
+#endif
+  if (objClass == CKO_CERTIFICATE) {
+    io = nss_ckcapi_CreateCertificate(fwSession, pTemplate, 
+				      ulAttributeCount, pError);
+  } else if (objClass == CKO_PRIVATE_KEY) {
+    io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate, 
+                                     ulAttributeCount, pError);
+  } else {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+  }
+
+  if ((ckcapiInternalObject *)NULL == io) {
+    return (NSSCKMDObject *) NULL;
+  }
+  return nss_ckcapi_CreateMDObject(NULL, io, pError);
+}
diff --git a/security/nss/lib/ckfw/capi/config.mk b/security/nss/lib/ckfw/capi/config.mk
new file mode 100644
index 000000000..fdfc8cf09
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/config.mk
@@ -0,0 +1,71 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+    SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+    RES = $(OBJDIR)/$(LIBRARY_NAME).res
+    RESNAME = $(LIBRARY_NAME).rc
+endif
+
+ifdef BUILD_IDG
+    DEFINES += -DNSSDEBUG
+endif
+
+#
+# To create a loadable module on Darwin, we must use -bundle.
+#
+ifeq ($(OS_TARGET),Darwin)
+DSO_LDOPTS = -bundle
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
+
diff --git a/security/nss/lib/ckfw/capi/constants.c b/security/nss/lib/ckfw/capi/constants.c
new file mode 100644
index 000000000..4e509da65
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/constants.c
@@ -0,0 +1,98 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckcapi/constants.c
+ *
+ * Identification and other constants, all collected here in one place.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCAPI_H
+#include "nsscapi.h"
+#endif /* NSSCAPI_H */
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_CryptokiVersion =  {
+		NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR,
+		NSS_CKCAPI_CRYPTOKI_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_LibraryDescription = (NSSUTF8 *) "NSS Access to Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_LibraryVersion = {
+	NSS_CKCAPI_LIBRARY_VERSION_MAJOR,
+	NSS_CKCAPI_LIBRARY_VERSION_MINOR};
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_SlotDescription = (NSSUTF8 *) "Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_HardwareVersion = { 
+	NSS_CKCAPI_HARDWARE_VERSION_MAJOR,
+	NSS_CKCAPI_HARDWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_FirmwareVersion = { 
+	NSS_CKCAPI_FIRMWARE_VERSION_MAJOR,
+	NSS_CKCAPI_FIRMWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenLabel = (NSSUTF8 *) "Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenModel = (NSSUTF8 *) "1";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenSerialNumber = (NSSUTF8 *) "1";
+
diff --git a/security/nss/lib/ckfw/capi/crsa.c b/security/nss/lib/ckfw/capi/crsa.c
new file mode 100644
index 000000000..ce0f42797
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/crsa.c
@@ -0,0 +1,748 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+#include "secdert.h"
+
+#define SSL3_SHAMD5_HASH_SIZE  36 /* LEN_MD5 (16) + LEN_SHA1 (20) */
+
+/*
+ * ckcapi/crsa.c
+ *
+ * This file implements the NSSCKMDMechnaism and NSSCKMDCryptoOperation objects
+ * for the RSA operation on the CAPI cryptoki module.
+ */
+
+/*
+ * write a Decimal value to a string
+ */
+
+static char *
+putDecimalString(char *cstr, unsigned long value)
+{
+  unsigned long tenpower;
+  int first = 1;
+
+  for (tenpower=10000000; tenpower; tenpower /= 10) {
+    unsigned char digit = (unsigned char )(value/tenpower);
+    value = value % tenpower;
+
+    /* drop leading zeros */
+    if (first && (0 == digit)) {
+      continue;
+    }
+    first = 0;
+    *cstr++ = digit + '0';
+  }
+
+  /* if value was zero, put one of them out */
+  if (first) {
+    *cstr++ = '0';
+  }
+  return cstr;
+}
+
+
+/*
+ * Create a Capi OID string value from a DER OID
+ */
+static char *
+nss_ckcapi_GetOidString
+(
+  unsigned char *oidTag,
+  int oidTagSize,
+  CK_RV *pError
+)
+{
+  unsigned char *oid;
+  char *oidStr;
+  char *cstr;
+  unsigned long value;
+  int oidSize;
+
+  if (DER_OBJECT_ID != *oidTag) {
+    /* wasn't an oid */
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+  oid = nss_ckcapi_DERUnwrap(oidTag, oidTagSize, &oidSize, NULL);
+
+  if (oidSize < 2) {
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+
+  oidStr = nss_ZNEWARRAY( NULL, char, oidSize*4 );
+  if ((char *)NULL == oidStr) {
+    *pError = CKR_HOST_MEMORY;
+    return NULL;
+  }
+  cstr = oidStr;
+  cstr = putDecimalString(cstr, (*oid) / 40);
+  *cstr++ = '.';
+  cstr = putDecimalString(cstr, (*oid) % 40);
+  oidSize--;
+
+  value = 0;
+  while (oidSize--) {
+    oid++;
+    value = (value << 7) + (*oid & 0x7f);
+    if (0 == (*oid & 0x80)) {
+      *cstr++ = '.';
+      cstr = putDecimalString(cstr, value);
+      value = 0;
+    }
+  }
+
+  *cstr = 0; /* NULL terminate */
+
+  if (value != 0) {
+    nss_ZFreeIf(oidStr);
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+  return oidStr;
+}
+
+
+/*
+ * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
+ * which includes the hash OID. CAPI expects to take a Hash Context. While 
+ * CAPI does have the capability of setting a raw hash value, it does not 
+ * have the ability to sign an arbitrary value. This function tries to
+ * reduce the passed in data into something that CAPI could actually sign.
+ */
+static CK_RV
+ckcapi_GetRawHash
+(
+  const NSSItem *input,
+  NSSItem *hash, 
+  ALG_ID *hashAlg
+)
+{
+   unsigned char *current;
+   unsigned char *algid;
+   unsigned char *oid;
+   unsigned char *hashData;
+   char *oidStr;
+   CK_RV error;
+   int oidSize;
+   int size;
+   /*
+    * there are 2 types of hashes NSS typically tries to sign, regular
+    * RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
+    * CAPI knows not to add any oids to SSL3_Signed hashes, so if we have any
+    * random hash that is exactly the same size as an SSL3 hash, then we can
+    * just pass the data through. CAPI has know way of knowing if the value
+    * is really a combined hash or some other arbitrary data, so it's safe to
+    * handle this case first.
+    */
+  if (SSL3_SHAMD5_HASH_SIZE == input->size) {
+    hash->data = input->data;
+    hash->size = input->size;
+    *hashAlg = CALG_SSL3_SHAMD5;
+    return CKR_OK;
+  }
+
+  current = (unsigned char *)input->data;
+
+  /* make sure we have a sequence tag */
+  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *current) {
+    return CKR_DATA_INVALID;
+  }
+
+  /* parse the input block to get 1) the hash oid, and 2) the raw hash value.
+   * unfortunatly CAPI doesn't have a builtin function to do this work, so
+   * we go ahead and do it by hand here.
+   *
+   * format is:
+   *  SEQUENCE {
+   *     SECQUENCE { // algid
+   *       OID {}    // oid
+   *       ANY {}    // optional params 
+   *     }
+   *     OCTECT {}   // hash
+   */
+
+  /* unwrap */
+  algid = nss_ckcapi_DERUnwrap(current,input->size, &size, NULL);
+  
+  if (algid+size != current+input->size) {
+    /* make sure there is not extra data at the end */
+    return CKR_DATA_INVALID;
+  }
+
+  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *algid) {
+    /* wasn't an algid */
+    return CKR_DATA_INVALID;
+  }
+  oid = nss_ckcapi_DERUnwrap(algid, size, &oidSize, &hashData);
+
+  if (DER_OCTET_STRING != *hashData) {
+    /* wasn't a hash */
+    return CKR_DATA_INVALID;
+  }
+
+  /* get the real hash */
+  current = hashData;
+  size = size - (hashData-algid);
+  hash->data = nss_ckcapi_DERUnwrap(current, size, &hash->size, NULL);
+
+  /* get the real oid as a string. Again, Microsoft does not
+   * export anything that does this for us */
+  oidStr = nss_ckcapi_GetOidString(oid, oidSize, &error);
+  if ((char *)NULL == oidStr ) {
+    return error;
+  }
+
+  /* look up the hash alg from the oid (fortunately CAPI does to this) */ 
+  *hashAlg = CertOIDToAlgId(oidStr);
+  nss_ZFreeIf(oidStr);
+  if (0 == *hashAlg) {
+    return CKR_HOST_MEMORY;
+  }
+
+  /* hash looks reasonably consistent, we should be able to sign it now */
+  return CKR_OK;
+}
+
+/*
+ * So everyone else in the worlds stores their bignum data MSB first, but not
+ * Microsoft, we need to byte swap everything coming into and out of CAPI.
+ */
+void
+ckcapi_ReverseData(NSSItem *item)
+{
+  int end = (item->size)-1;
+  int middle = (item->size)/2;
+  unsigned char *buf = item->data;
+  int i;
+
+  for (i=0; i < middle; i++) {
+    unsigned char  tmp = buf[i];
+    buf[i] = buf[end-i];
+    buf[end-i] = tmp;
+  }
+  return;
+}
+
+typedef struct ckcapiInternalCryptoOperationRSAPrivStr 
+               ckcapiInternalCryptoOperationRSAPriv;
+struct ckcapiInternalCryptoOperationRSAPrivStr
+{
+  NSSCKMDCryptoOperation mdOperation;
+  NSSCKMDMechanism     *mdMechanism;
+  ckcapiInternalObject *iKey;
+  HCRYPTPROV           hProv;
+  DWORD                keySpec;
+  HCRYPTKEY            hKey;
+  NSSItem	       *buffer;
+};
+
+/*
+ * ckcapi_mdCryptoOperationRSAPriv_Create
+ */
+static NSSCKMDCryptoOperation *
+ckcapi_mdCryptoOperationRSAPriv_Create
+(
+  const NSSCKMDCryptoOperation *proto,
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKMDObject *mdKey,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *iKey = (ckcapiInternalObject *)mdKey->etc;
+  const NSSItem *classItem = nss_ckcapi_FetchAttribute(iKey, CKA_CLASS);
+  const NSSItem *keyType = nss_ckcapi_FetchAttribute(iKey, CKA_KEY_TYPE);
+  ckcapiInternalCryptoOperationRSAPriv *iOperation;
+  CK_RV   error;
+  HCRYPTPROV  hProv;
+  DWORD       keySpec;
+  HCRYPTKEY   hKey;
+
+  /* make sure we have the right objects */
+  if (((const NSSItem *)NULL == classItem) ||
+      (sizeof(CK_OBJECT_CLASS) != classItem->size) ||
+      (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
+      ((const NSSItem *)NULL == keyType) ||
+      (sizeof(CK_KEY_TYPE) != keyType->size) ||
+      (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
+    *pError =  CKR_KEY_TYPE_INCONSISTENT;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  error = nss_ckcapi_FetchKeyContainer(iKey, &hProv, &keySpec, &hKey);
+  if (error != CKR_OK) {
+    *pError = error;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  iOperation = nss_ZNEW(NULL, ckcapiInternalCryptoOperationRSAPriv);
+  if ((ckcapiInternalCryptoOperationRSAPriv *)NULL == iOperation) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  iOperation->mdMechanism = mdMechanism;
+  iOperation->iKey = iKey;
+  iOperation->hProv = hProv;
+  iOperation->keySpec = keySpec;
+  iOperation->hKey = hKey;
+
+  nsslibc_memcpy(&iOperation->mdOperation, 
+                 proto, sizeof(NSSCKMDCryptoOperation));
+  iOperation->mdOperation.etc = iOperation;
+
+  return &iOperation->mdOperation;
+}
+
+static CK_RV
+ckcapi_mdCryptoOperationRSAPriv_Destroy
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+
+  if (iOperation->hKey) {
+    CryptDestroyKey(iOperation->hKey);
+  }
+  if (iOperation->buffer) {
+    nssItem_Destroy(iOperation->buffer);
+  }
+  nss_ZFreeIf(iOperation);
+  return CKR_OK;
+}
+
+static CK_ULONG
+ckcapi_mdCryptoOperationRSA_GetFinalLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  const NSSItem *modulus = 
+       nss_ckcapi_FetchAttribute(iOperation->iKey, CKA_MODULUS);
+
+  return modulus->size;
+}
+
+
+/*
+ * ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
+ * we won't know the length until we actually decrypt the
+ * input block. Since we go to all the work to decrypt the
+ * the block, we'll save if for when the block is asked for
+ */
+static CK_ULONG
+ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  CK_RV *pError
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  BOOL rc;
+
+  /* Microsoft's Decrypt operation works in place. Since we don't want
+   * to trash our input buffer, we make a copy of it */
+  iOperation->buffer = nssItem_Duplicate((NSSItem *)input, NULL, NULL);
+  if ((NSSItem *) NULL == iOperation->buffer) {
+    *pError = CKR_HOST_MEMORY;
+    return 0;
+  }
+  /* Sigh, reverse it */
+  ckcapi_ReverseData(iOperation->buffer);
+  
+  rc = CryptDecrypt(iOperation->hKey, 0, TRUE, 0, 
+		    iOperation->buffer->data, &iOperation->buffer->size);
+  if (!rc) {
+    DWORD msError = GetLastError();
+    switch (msError) {
+    case NTE_BAD_DATA:
+      *pError = CKR_ENCRYPTED_DATA_INVALID;
+      break;
+    case NTE_FAIL:
+    case NTE_BAD_UID:
+      *pError = CKR_DEVICE_ERROR;
+      break;
+    default:
+      *pError = CKR_GENERAL_ERROR; 
+    }
+    return 0;
+  }
+
+  return iOperation->buffer->size;
+}
+
+/*
+ * ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
+ *
+ * NOTE: ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to 
+ * have been called previously.
+ */
+static CK_RV
+ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  NSSItem *buffer = iOperation->buffer;
+
+  if ((NSSItem *)NULL == buffer) {
+    return CKR_GENERAL_ERROR;
+  }
+  nsslibc_memcpy(output->data, buffer->data, buffer->size);
+  output->size = buffer->size;
+  return CKR_OK;
+}
+
+/*
+ * ckcapi_mdCryptoOperationRSASign_UpdateFinal
+ *
+ */
+static CK_RV
+ckcapi_mdCryptoOperationRSASign_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  CK_RV error = CKR_OK;
+  DWORD msError;
+  NSSItem hash;
+  HCRYPTHASH hHash = 0;
+  ALG_ID  hashAlg;
+  DWORD  hashSize;
+  DWORD  len; /* temp length value we throw away */
+  BOOL   rc;
+
+  /*
+   * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
+   * which includes the hash OID. CAPI expects to take a Hash Context. While 
+   * CAPI does have the capability of setting a raw hash value, it does not 
+   * have the ability to sign an arbitrary value. This function tries to
+   * reduce the passed in data into something that CAPI could actually sign.
+   */
+  error = ckcapi_GetRawHash(input, &hash, &hashAlg);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+
+  rc = CryptCreateHash(iOperation->hProv, hashAlg, 0, 0, &hHash);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* make sure the hash lens match before we set it */
+  len = sizeof(DWORD);
+  rc = CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&hashSize, &len, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  if (hash.size != hashSize) {
+    /* The input must have been bad for this to happen */
+    error = CKR_DATA_INVALID;
+    goto loser;
+  }
+
+  /* we have an explicit hash, set it, note that the length is
+   * implicit by the hashAlg used in create */
+  rc = CryptSetHashParam(hHash, HP_HASHVAL, hash.data, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* OK, we have the data in a hash structure, sign it! */
+  rc = CryptSignHash(hHash, iOperation->keySpec, NULL, 0,
+                     output->data, &output->size);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* Don't return a signature that might have been broken because of a cosmic
+   * ray, or a broken processor, verify that it is valid... */
+  rc = CryptVerifySignature(hHash, output->data, output->size, 
+                            iOperation->hKey, NULL, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* OK, Microsoft likes to do things completely differently than anyone
+   * else. We need to reverse the data we recieved here */
+  ckcapi_ReverseData(output);
+  CryptDestroyHash(hHash);
+  return CKR_OK;
+
+loser:
+  /* map the microsoft error */
+  if (CKR_OK == error) {
+    msError = GetLastError();
+    switch (msError) {
+    case ERROR_NOT_ENOUGH_MEMORY:
+      error = CKR_HOST_MEMORY;
+      break;
+    case NTE_NO_MEMORY:
+      error = CKR_DEVICE_MEMORY;
+      break;
+    case ERROR_MORE_DATA:
+      return CKR_BUFFER_TOO_SMALL;
+    case ERROR_INVALID_PARAMETER: /* these params were derived from the */
+    case ERROR_INVALID_HANDLE:    /* inputs, so if they are bad, the input */ 
+    case NTE_BAD_ALGID:           /* data is bad */
+    case NTE_BAD_HASH:
+      error = CKR_DATA_INVALID;
+      break;
+    case ERROR_BUSY:
+    case NTE_FAIL:
+    case NTE_BAD_UID:
+      error = CKR_DEVICE_ERROR;
+      break;
+    default:
+      error = CKR_GENERAL_ERROR;
+      break;
+    }
+  }
+  if (hHash) {
+    CryptDestroyHash(hHash);
+  }
+  return error;
+}
+  
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckcapi_mdCryptoOperationRSADecrypt_proto = {
+  NULL, /* etc */
+  ckcapi_mdCryptoOperationRSAPriv_Destroy,
+  NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
+  ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength,
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckcapi_mdCryptoOperationRSASign_proto = {
+  NULL, /* etc */
+  ckcapi_mdCryptoOperationRSAPriv_Destroy,
+  ckcapi_mdCryptoOperationRSA_GetFinalLength,
+  NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckcapi_mdCryptoOperationRSASign_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+/********** NSSCKMDMechansim functions ***********************/
+/*
+ * ckcapi_mdMechanismRSA_Destroy
+ */
+static void
+ckcapi_mdMechanismRSA_Destroy
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_ZFreeIf(fwMechanism);
+}
+
+/*
+ * ckcapi_mdMechanismRSA_GetMinKeySize
+ */
+static CK_ULONG
+ckcapi_mdMechanismRSA_GetMinKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 384;
+}
+
+/*
+ * ckcapi_mdMechanismRSA_GetMaxKeySize
+ */
+static CK_ULONG
+ckcapi_mdMechanismRSA_GetMaxKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 16384;
+}
+
+/*
+ * ckcapi_mdMechanismRSA_DecryptInit
+ */
+static NSSCKMDCryptoOperation * 
+ckcapi_mdMechanismRSA_DecryptInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckcapi_mdCryptoOperationRSAPriv_Create(
+		&ckcapi_mdCryptoOperationRSADecrypt_proto,
+		mdMechanism, mdKey, pError);
+}
+
+/*
+ * ckcapi_mdMechanismRSA_SignInit
+ */
+static NSSCKMDCryptoOperation * 
+ckcapi_mdMechanismRSA_SignInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckcapi_mdCryptoOperationRSAPriv_Create(
+		&ckcapi_mdCryptoOperationRSASign_proto,
+		mdMechanism, mdKey, pError);
+}
+
+
+NSS_IMPLEMENT_DATA const NSSCKMDMechanism
+nss_ckcapi_mdMechanismRSA = {
+  (void *)NULL, /* etc */
+  ckcapi_mdMechanismRSA_Destroy,
+  ckcapi_mdMechanismRSA_GetMinKeySize,
+  ckcapi_mdMechanismRSA_GetMaxKeySize,
+  NULL, /* GetInHardware - default false */
+  NULL, /* EncryptInit - default errs */
+  ckcapi_mdMechanismRSA_DecryptInit,
+  NULL, /* DigestInit - default errs*/
+  ckcapi_mdMechanismRSA_SignInit,
+  NULL, /* VerifyInit - default errs */
+  ckcapi_mdMechanismRSA_SignInit,  /* SignRecoverInit */
+  NULL, /* VerifyRecoverInit - default errs */
+  NULL, /* GenerateKey - default errs */
+  NULL, /* GenerateKeyPair - default errs */
+  NULL, /* GetWrapKeyLength - default errs */
+  NULL, /* WrapKey - default errs */
+  NULL, /* UnwrapKey - default errs */
+  NULL, /* DeriveKey - default errs */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/csession.c b/security/nss/lib/ckfw/capi/csession.c
new file mode 100644
index 000000000..f0abd6d0b
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/csession.c
@@ -0,0 +1,131 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/csession.c
+ *
+ * This file implements the NSSCKMDSession object for the 
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSCKMDFindObjects *
+ckcapi_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_ckcapi_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+static NSSCKMDObject *
+ckcapi_mdSession_CreateObject
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena        *arena,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_ckcapi_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_ckcapi_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  /* 
+   * rv was zeroed when allocated, so we only 
+   * need to set the non-zero members.
+   */
+
+  rv->etc = (void *)fwSession;
+  /* rv->Close */
+  /* rv->GetDeviceError */
+  /* rv->Login */
+  /* rv->Logout */
+  /* rv->InitPIN */
+  /* rv->SetPIN */
+  /* rv->GetOperationStateLen */
+  /* rv->GetOperationState */
+  /* rv->SetOperationState */
+  rv->CreateObject = ckcapi_mdSession_CreateObject;
+  /* rv->CopyObject */
+  rv->FindObjectsInit = ckcapi_mdSession_FindObjectsInit;
+  /* rv->SeedRandom */
+  /* rv->GetRandom */
+  /* rv->null */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/capi/cslot.c b/security/nss/lib/ckfw/capi/cslot.c
new file mode 100644
index 000000000..1c42c107d
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cslot.c
@@ -0,0 +1,129 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/cslot.c
+ *
+ * This file implements the NSSCKMDSlot object for the
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckcapi_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_SlotDescription;
+}
+
+static NSSUTF8 *
+ckcapi_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static CK_VERSION
+ckcapi_mdSlot_GetHardwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_HardwareVersion;
+}
+
+static CK_VERSION
+ckcapi_mdSlot_GetFirmwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_FirmwareVersion;
+}
+
+static NSSCKMDToken *
+ckcapi_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSCKMDToken *)&nss_ckcapi_mdToken;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDSlot
+nss_ckcapi_mdSlot = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Destroy */
+  ckcapi_mdSlot_GetSlotDescription,
+  ckcapi_mdSlot_GetManufacturerID,
+  NULL, /* GetTokenPresent -- defaults to true */
+  NULL, /* GetRemovableDevice -- defaults to false */
+  NULL, /* GetHardwareSlot -- defaults to false */
+  ckcapi_mdSlot_GetHardwareVersion,
+  ckcapi_mdSlot_GetFirmwareVersion,
+  ckcapi_mdSlot_GetToken,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/ctoken.c b/security/nss/lib/ckfw/capi/ctoken.c
new file mode 100644
index 000000000..bce2c17e2
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/ctoken.c
@@ -0,0 +1,246 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/ctoken.c
+ *
+ * This file implements the NSSCKMDToken object for the
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckcapi_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenLabel;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenModel;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetSerialNumber
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenSerialNumber;
+}
+
+static CK_BBOOL
+ckcapi_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_FALSE;
+}
+
+/* fake out Mozilla so we don't try to initialize the token */
+static CK_BBOOL
+ckcapi_mdToken_GetUserPinInitialized
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_VERSION
+ckcapi_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_HardwareVersion;
+}
+
+static CK_VERSION
+ckcapi_mdToken_GetFirmwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_FirmwareVersion;
+}
+
+static NSSCKMDSession *
+ckcapi_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  return nss_ckcapi_CreateSession(fwSession, pError);
+}
+
+static CK_ULONG
+ckcapi_mdToken_GetMechanismCount
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_RV
+ckcapi_mdToken_GetMechanismTypes
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE types[]
+)
+{
+  types[0] = CKM_RSA_PKCS;
+  return CKR_OK;
+}
+
+static NSSCKMDMechanism *
+ckcapi_mdToken_GetMechanism
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+)
+{
+  if (which != CKM_RSA_PKCS) {
+    *pError = CKR_MECHANISM_INVALID;
+    return (NSSCKMDMechanism *)NULL;
+  }
+  return (NSSCKMDMechanism *)&nss_ckcapi_mdMechanismRSA;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDToken
+nss_ckcapi_mdToken = {
+  (void *)NULL, /* etc */
+  NULL, /* Setup */
+  NULL, /* Invalidate */
+  NULL, /* InitToken -- default errs */
+  ckcapi_mdToken_GetLabel,
+  ckcapi_mdToken_GetManufacturerID,
+  ckcapi_mdToken_GetModel,
+  ckcapi_mdToken_GetSerialNumber,
+  NULL, /* GetHasRNG -- default is false */
+  ckcapi_mdToken_GetIsWriteProtected,
+  NULL, /* GetLoginRequired -- default is false */
+  ckcapi_mdToken_GetUserPinInitialized,
+  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
+  NULL, /* GetHasClockOnToken -- default is false */
+  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
+  NULL, /* GetSupportsDualCryptoOperations -- default is false */
+  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxPinLen -- irrelevant */
+  NULL, /* GetMinPinLen -- irrelevant */
+  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  ckcapi_mdToken_GetHardwareVersion,
+  ckcapi_mdToken_GetFirmwareVersion,
+  NULL, /* GetUTCTime -- no clock */
+  ckcapi_mdToken_OpenSession,
+  ckcapi_mdToken_GetMechanismCount,
+  ckcapi_mdToken_GetMechanismTypes,
+  ckcapi_mdToken_GetMechanism,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/manifest.mn b/security/nss/lib/ckfw/capi/manifest.mn
new file mode 100644
index 000000000..8959e5d2d
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+MAPFILE = $(OBJDIR)/nsscapi.def
+
+EXPORTS =		\
+	nsscapi.h	\
+	$(NULL)
+
+CSRCS =			\
+	anchor.c	\
+	constants.c	\
+	cfind.c		\
+	cinst.c 	\
+	cobject.c	\
+	crsa.c		\
+	csession.c	\
+	cslot.c		\
+	ctoken.c	\
+	ckcapiver.c	\
+	staticobj.c	\
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nsscapi
+
+#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/capi/nsscapi.def b/security/nss/lib/ckfw/capi/nsscapi.def
new file mode 100644
index 000000000..0e6106c62
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/nsscapi.def
@@ -0,0 +1,58 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2003
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#     line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.1 {       # NSS 3.1 release
+;+    global:
+LIBRARY nsscapi ;-
+EXPORTS ;-
+C_GetFunctionList;
+;+    local:
+;+*;
+;+};
diff --git a/security/nss/lib/ckfw/capi/nsscapi.h b/security/nss/lib/ckfw/capi/nsscapi.h
new file mode 100644
index 000000000..1d80487e9
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/nsscapi.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSCAPI_H
+#define NSSCAPI_H
+
+/*
+ * NSS CKCAPI Version numbers.
+ *
+ * These are the version numbers for the capi module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_CKCAPI_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes 
+ * to the list of trusted certificates.
+ *
+ * NSS_CKCAPI_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_CKCAPI_LIBRARY_VERSION_MAJOR 1
+#define NSS_CKCAPI_LIBRARY_VERSION_MINOR 1
+#define NSS_CKCAPI_LIBRARY_VERSION "1.1"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_CKCAPI_HARDWARE_VERSION_MAJOR 1
+#define NSS_CKCAPI_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself 
+ * (new PKCS #11 objects), etc. */
+#define NSS_CKCAPI_FIRMWARE_VERSION_MAJOR 1
+#define NSS_CKCAPI_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */
diff --git a/security/nss/lib/ckfw/capi/nsscapi.rc b/security/nss/lib/ckfw/capi/nsscapi.rc
new file mode 100644
index 000000000..254599f75
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/nsscapi.rc
@@ -0,0 +1,96 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2004
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsscapi.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nsscapi"
+#define MY_FILEDESCRIPTION "NSS Access to Microsoft CAPI"
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
+ PRODUCTVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/ckfw/capi/staticobj.c b/security/nss/lib/ckfw/capi/staticobj.c
new file mode 100644
index 000000000..19ff37617
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/staticobj.c
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKCAPI_H
+#include "ckcapi.h"
+#endif /* CKCAPI_H */
+
+static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_OBJECT_CLASS cko_data = CKO_DATA;
+static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+
+/* example of a static object */
+static const CK_ATTRIBUTE_TYPE nss_ckcapi_types_1 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
+};
+
+static const NSSItem nss_ckcapi_items_1 [] = {
+  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Mozilla CAPI Access", (PRUint32)20 }
+};
+
+ckcapiInternalObject nss_ckcapi_data[] = {
+  { ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
+};
+
+const PRUint32 nss_ckcapi_nObjects = 1;
diff --git a/security/nss/lib/ckfw/ck.api b/security/nss/lib/ckfw/ck.api
new file mode 100644
index 000000000..501cbb0c8
--- /dev/null
+++ b/security/nss/lib/ckfw/ck.api
@@ -0,0 +1,575 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# This file is in part derived from a file "pkcs11f.h" made available
+# by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11f.h
+
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$"
+
+# Fields
+#  FUNCTION introduces a Cryptoki function
+#  CK_type specifies and introduces an argument
+#
+
+# General-purpose
+
+# C_Initialize initializes the Cryptoki library.
+FUNCTION C_Initialize
+CK_VOID_PTR pInitArgs   # if this is not NULL_PTR, it gets
+                        # cast to CK_C_INITIALIZE_ARGS_PTR
+                        # and dereferenced
+
+# C_Finalize indicates that an application is done with the
+# Cryptoki library.
+FUNCTION C_Finalize
+CK_VOID_PTR pReserved   # reserved.  Should be NULL_PTR
+
+# C_GetInfo returns general information about Cryptoki. 
+FUNCTION C_GetInfo
+CK_INFO_PTR pInfo       # location that receives information
+
+# C_GetFunctionList returns the function list. 
+FUNCTION C_GetFunctionList
+CK_FUNCTION_LIST_PTR_PTR ppFunctionList # receives pointer to function 
+                                        # list
+
+
+# Slot and token management 
+
+# C_GetSlotList obtains a list of slots in the system. 
+FUNCTION C_GetSlotList
+CK_BBOOL       tokenPresent # only slots with tokens? 
+CK_SLOT_ID_PTR pSlotList    # receives array of slot IDs 
+CK_ULONG_PTR   pulCount     # receives number of slots 
+
+# C_GetSlotInfo obtains information about a particular slot in the 
+# system.
+FUNCTION C_GetSlotInfo
+CK_SLOT_ID       slotID     # the ID of the slot 
+CK_SLOT_INFO_PTR pInfo      # receives the slot information 
+
+# C_GetTokenInfo obtains information about a particular token in the 
+# system. 
+FUNCTION C_GetTokenInfo
+CK_SLOT_ID        slotID    # ID of the token's slot 
+CK_TOKEN_INFO_PTR pInfo     # receives the token information 
+
+# C_GetMechanismList obtains a list of mechanism types supported by a 
+# token. 
+FUNCTION C_GetMechanismList
+CK_SLOT_ID            slotID            # ID of token's slot 
+CK_MECHANISM_TYPE_PTR pMechanismList    # gets mech. array 
+CK_ULONG_PTR          pulCount          # gets # of mechs. 
+
+# C_GetMechanismInfo obtains information about a particular mechanism 
+# possibly supported by a token. 
+FUNCTION C_GetMechanismInfo
+CK_SLOT_ID            slotID    # ID of the token's slot 
+CK_MECHANISM_TYPE     type      # type of mechanism 
+CK_MECHANISM_INFO_PTR pInfo     # receives mechanism info 
+
+# C_InitToken initializes a token. 
+FUNCTION C_InitToken
+CK_SLOT_ID  slotID      # ID of the token's slot 
+CK_CHAR_PTR pPin        # the SO's initial PIN 
+CK_ULONG    ulPinLen    # length in bytes of the PIN 
+CK_CHAR_PTR pLabel      # 32-byte token label (blank padded) 
+
+# C_InitPIN initializes the normal user's PIN. 
+FUNCTION C_InitPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pPin      # the normal user's PIN 
+CK_ULONG          ulPinLen  # length in bytes of the PIN 
+
+# C_SetPIN modifies the PIN of the user who is logged in. 
+FUNCTION C_SetPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pOldPin   # the old PIN 
+CK_ULONG          ulOldLen  # length of the old PIN 
+CK_CHAR_PTR       pNewPin   # the new PIN 
+CK_ULONG          ulNewLen  # length of the new PIN 
+
+
+# Session management 
+
+# C_OpenSession opens a session between an application and a token. 
+FUNCTION C_OpenSession
+CK_SLOT_ID            slotID        # the slot's ID 
+CK_FLAGS              flags         # from CK_SESSION_INFO 
+CK_VOID_PTR           pApplication  # passed to callback 
+CK_NOTIFY             Notify        # callback function 
+CK_SESSION_HANDLE_PTR phSession     # gets session handle 
+
+# C_CloseSession closes a session between an application and a token. 
+FUNCTION C_CloseSession
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CloseAllSessions closes all sessions with a token. 
+FUNCTION C_CloseAllSessions
+CK_SLOT_ID slotID   # the token's slot 
+
+# C_GetSessionInfo obtains information about the session. 
+FUNCTION C_GetSessionInfo
+CK_SESSION_HANDLE   hSession    # the session's handle 
+CK_SESSION_INFO_PTR pInfo       # receives session info 
+
+# C_GetOperationState obtains the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_GetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pOperationState       # gets state 
+CK_ULONG_PTR      pulOperationStateLen  # gets state length 
+
+# C_SetOperationState restores the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_SetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR      pOperationState        # holds state 
+CK_ULONG         ulOperationStateLen    # holds state length 
+CK_OBJECT_HANDLE hEncryptionKey         # en/decryption key 
+CK_OBJECT_HANDLE hAuthenticationKey     # sign/verify key 
+
+# C_Login logs a user into a token. 
+FUNCTION C_Login
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_USER_TYPE      userType  # the user type 
+CK_CHAR_PTR       pPin      # the user's PIN 
+CK_ULONG          ulPinLen  # the length of the PIN 
+
+# C_Logout logs a user out from a token. 
+FUNCTION C_Logout
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Object management 
+
+# C_CreateObject creates a new object. 
+FUNCTION C_CreateObject
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_ATTRIBUTE_PTR     pTemplate  # the object's template 
+CK_ULONG             ulCount    # attributes in template 
+CK_OBJECT_HANDLE_PTR phObject   # gets new object's handle. 
+
+# C_CopyObject copies an object, creating a new object for the copy.
+FUNCTION C_CopyObject
+CK_SESSION_HANDLE    hSession       # the session's handle 
+CK_OBJECT_HANDLE     hObject        # the object's handle 
+CK_ATTRIBUTE_PTR     pTemplate      # template for new object 
+CK_ULONG             ulCount        # attributes in template 
+CK_OBJECT_HANDLE_PTR phNewObject    # receives handle of copy 
+
+# C_DestroyObject destroys an object. 
+FUNCTION C_DestroyObject
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+
+# C_GetObjectSize gets the size of an object in bytes. 
+FUNCTION C_GetObjectSize
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+CK_ULONG_PTR      pulSize   # receives size of object 
+
+# C_GetAttributeValue obtains the value of one or more object 
+# attributes. 
+FUNCTION C_GetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs; gets vals 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_SetAttributeValue modifies the value of one or more object 
+# attributes 
+FUNCTION C_SetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs and values 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_FindObjectsInit initializes a search for token and session 
+# objects that match a template. 
+FUNCTION C_FindObjectsInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # attribute values to match 
+CK_ULONG          ulCount     # attrs in search template 
+
+# C_FindObjects continues a search for token and session objects that 
+# match a template, obtaining additional object handles. 
+FUNCTION C_FindObjects
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_OBJECT_HANDLE_PTR phObject           # gets obj. handles 
+CK_ULONG             ulMaxObjectCount   # max handles to get 
+CK_ULONG_PTR         pulObjectCount     # actual # returned 
+
+# C_FindObjectsFinal finishes a search for token and session objects. 
+FUNCTION C_FindObjectsFinal
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Encryption and decryption 
+
+# C_EncryptInit initializes an encryption operation. 
+FUNCTION C_EncryptInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_MECHANISM_PTR  pMechanism  # the encryption mechanism 
+CK_OBJECT_HANDLE  hKey        # handle of encryption key 
+
+# C_Encrypt encrypts single-part data. 
+FUNCTION C_Encrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pData                 # the plaintext data 
+CK_ULONG          ulDataLen             # bytes of plaintext 
+CK_BYTE_PTR       pEncryptedData        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedDataLen   # gets c-text size 
+
+# C_EncryptUpdate continues a multiple-part encryption operation. 
+FUNCTION C_EncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext data len 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text size 
+
+# C_EncryptFinal finishes a multiple-part encryption operation. 
+FUNCTION C_EncryptFinal
+CK_SESSION_HANDLE hSession                  # session handle 
+CK_BYTE_PTR       pLastEncryptedPart        # last c-text 
+CK_ULONG_PTR      pulLastEncryptedPartLen   # gets last size 
+
+# C_DecryptInit initializes a decryption operation. 
+FUNCTION C_DecryptInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the decryption mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of decryption key 
+
+# C_Decrypt decrypts encrypted data in a single part. 
+FUNCTION C_Decrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedData        # ciphertext 
+CK_ULONG          ulEncryptedDataLen    # ciphertext length 
+CK_BYTE_PTR       pData                 # gets plaintext 
+CK_ULONG_PTR      pulDataLen            # gets p-text size 
+
+# C_DecryptUpdate continues a multiple-part decryption operation. 
+FUNCTION C_DecryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # encrypted data 
+CK_ULONG          ulEncryptedPartLen    # input length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # p-text size 
+
+# C_DecryptFinal finishes a multiple-part decryption operation. 
+FUNCTION C_DecryptFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pLastPart         # gets plaintext 
+CK_ULONG_PTR      pulLastPartLen    # p-text size 
+
+
+# Message digesting 
+
+# C_DigestInit initializes a message-digesting operation. 
+FUNCTION C_DigestInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the digesting mechanism 
+
+# C_Digest digests data in a single part. 
+FUNCTION C_Digest
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pData         # data to be digested 
+CK_ULONG          ulDataLen     # bytes of data to digest 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets digest length 
+
+# C_DigestUpdate continues a multiple-part message-digesting operation.
+FUNCTION C_DigestUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # data to be digested 
+CK_ULONG          ulPartLen # bytes of data to be digested 
+
+# C_DigestKey continues a multi-part message-digesting operation, by 
+# digesting the value of a secret key as part of the data already 
+# digested. 
+FUNCTION C_DigestKey
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hKey      # secret key to digest 
+
+# C_DigestFinal finishes a multiple-part message-digesting operation. 
+FUNCTION C_DigestFinal
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets byte count of digest 
+
+
+# Signing and MACing 
+
+# C_SignInit initializes a signature (private key encryption) 
+# operation, where the signature is (will be) an appendix to the 
+# data, and plaintext cannot be recovered from the signature. 
+FUNCTION C_SignInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of signature key 
+
+# C_Sign signs (encrypts with private key) data in a single part, 
+# where the signature is (will be) an appendix to the data, and 
+# plaintext cannot be recovered from the signature. 
+FUNCTION C_Sign
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignUpdate continues a multiple-part signature operation, where 
+# the signature is (will be) an appendix to the data, and plaintext 
+# cannot be recovered from the signature. 
+FUNCTION C_SignUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # the data to sign 
+CK_ULONG          ulPartLen # count of bytes to sign 
+
+# C_SignFinal finishes a multiple-part signature operation, returning 
+# the signature. 
+FUNCTION C_SignFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignRecoverInit initializes a signature operation, where the data 
+# can be recovered from the signature. 
+FUNCTION C_SignRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of the signature key 
+
+# C_SignRecover signs data in a single operation, where the data can 
+# be recovered from the signature. 
+FUNCTION C_SignRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+
+# Verifying signatures and MACs 
+
+# C_VerifyInit initializes a verification operation, where the 
+# signature is an appendix to the data, and plaintext cannot cannot 
+# be recovered from the signature (e.g. DSA). 
+FUNCTION C_VerifyInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key  
+
+# C_Verify verifies a signature in a single-part operation, where the 
+# signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_Verify
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # signed data 
+CK_ULONG          ulDataLen         # length of signed data 
+CK_BYTE_PTR       pSignature        # signature 
+CK_ULONG          ulSignatureLen    # signature length
+
+# C_VerifyUpdate continues a multiple-part verification operation, 
+# where the signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_VerifyUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # signed data 
+CK_ULONG          ulPartLen # length of signed data 
+
+# C_VerifyFinal finishes a multiple-part verification operation, 
+# checking the signature. 
+FUNCTION C_VerifyFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+
+# C_VerifyRecoverInit initializes a signature verification operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key 
+
+# C_VerifyRecover verifies a signature in a single-part operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+CK_BYTE_PTR       pData             # gets signed data 
+CK_ULONG_PTR      pulDataLen        # gets signed data len 
+
+
+# Dual-function cryptographic operations 
+
+# C_DigestEncryptUpdate continues a multiple-part digesting and 
+# encryption operation. 
+FUNCTION C_DigestEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptDigestUpdate continues a multiple-part decryption and 
+# digesting operation. 
+FUNCTION C_DecryptDigestUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets plaintext len 
+
+# C_SignEncryptUpdate continues a multiple-part signing and 
+# encryption operation. 
+FUNCTION C_SignEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptVerifyUpdate continues a multiple-part decryption and 
+# verify operation. 
+FUNCTION C_DecryptVerifyUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets p-text length 
+
+
+# Key management 
+
+# C_GenerateKey generates a secret key, creating a new key object. 
+FUNCTION C_GenerateKey
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_MECHANISM_PTR     pMechanism # key generation mech. 
+CK_ATTRIBUTE_PTR     pTemplate  # template for new key 
+CK_ULONG             ulCount    # # of attrs in template 
+CK_OBJECT_HANDLE_PTR phKey      # gets handle of new key 
+
+# C_GenerateKeyPair generates a public-key/private-key pair, creating 
+# new key objects. 
+FUNCTION C_GenerateKeyPair
+CK_SESSION_HANDLE    hSession                   # session handle
+CK_MECHANISM_PTR     pMechanism                 # key-gen mech.
+CK_ATTRIBUTE_PTR     pPublicKeyTemplate         # template for pub. key
+CK_ULONG             ulPublicKeyAttributeCount  # # pub. attrs.
+CK_ATTRIBUTE_PTR     pPrivateKeyTemplate        # template for priv. key
+CK_ULONG             ulPrivateKeyAttributeCount # # priv. attrs.
+CK_OBJECT_HANDLE_PTR phPublicKey                # gets pub. key handle
+CK_OBJECT_HANDLE_PTR phPrivateKey               # gets priv. key handle
+
+# C_WrapKey wraps (i.e., encrypts) a key. 
+FUNCTION C_WrapKey
+CK_SESSION_HANDLE hSession         # the session's handle 
+CK_MECHANISM_PTR  pMechanism       # the wrapping mechanism 
+CK_OBJECT_HANDLE  hWrappingKey     # wrapping key 
+CK_OBJECT_HANDLE  hKey             # key to be wrapped 
+CK_BYTE_PTR       pWrappedKey      # gets wrapped key 
+CK_ULONG_PTR      pulWrappedKeyLen # gets wrapped key size 
+
+# C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key 
+# object. 
+FUNCTION C_UnwrapKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # unwrapping mech. 
+CK_OBJECT_HANDLE     hUnwrappingKey     # unwrapping key 
+CK_BYTE_PTR          pWrappedKey        # the wrapped key 
+CK_ULONG             ulWrappedKeyLen    # wrapped key len 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+# C_DeriveKey derives a key from a base key, creating a new key object.
+FUNCTION C_DeriveKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # key deriv. mech. 
+CK_OBJECT_HANDLE     hBaseKey           # base key 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+
+# Random number generation 
+
+# C_SeedRandom mixes additional seed material into the token's random 
+# number generator. 
+FUNCTION C_SeedRandom
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pSeed     # the seed material 
+CK_ULONG          ulSeedLen # length of seed material 
+
+# C_GenerateRandom generates random data. 
+FUNCTION C_GenerateRandom
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       RandomData    # receives the random data 
+CK_ULONG          ulRandomLen   # # of bytes to generate 
+
+
+# Parallel function management 
+
+# C_GetFunctionStatus is a legacy function; it obtains an updated 
+# status of a function running in parallel with an application.
+FUNCTION C_GetFunctionStatus
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CancelFunction is a legacy function; it cancels a function running 
+# in parallel. 
+FUNCTION C_CancelFunction
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Functions added in for Cryptoki Version 2.01 or later 
+
+# C_WaitForSlotEvent waits for a slot event (token insertion, removal, 
+# etc.) to occur. 
+FUNCTION C_WaitForSlotEvent
+CK_FLAGS       flags    # blocking/nonblocking flag 
+CK_SLOT_ID_PTR pSlot    # location that receives the slot ID 
+CK_VOID_PTR    pRserved # reserved.  Should be NULL_PTR 
+
+## C_ConfigureSlot passes an installation-specified bytestring to a 
+## slot. 
+#FUNCTION C_ConfigureSlot
+#CK_SLOT_ID slotID      # the slot to configure 
+#CK_BYTE_PTR pConfig    # the configuration string 
+#CK_ULONG ulConfigLen   # length of the config string 
diff --git a/security/nss/lib/ckfw/ck.h b/security/nss/lib/ckfw/ck.h
new file mode 100644
index 000000000..7314292cb
--- /dev/null
+++ b/security/nss/lib/ckfw/ck.h
@@ -0,0 +1,124 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CK_H
+#define CK_H
+
+#ifdef DEBUG
+static const char CK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ck.h
+ *
+ * This header file consolidates all header files needed by the source
+ * files implementing the NSS Cryptoki Framework.  This makes managing
+ * the source files a bit easier.
+ */
+
+/* Types */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#ifndef CKFWTM_H
+#include "ckfwtm.h"
+#endif /* CKFWTM_H */
+
+/* Prototypes */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef NSSCKG_H
+#include "nssckg.h"
+#endif /* NSSCKG_H */
+
+#ifndef NSSCKFW_H
+#include "nssckfw.h"
+#endif /* NSSCKFW_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef CKFW_H
+#include "ckfw.h"
+#endif /* CKFW_H */
+
+#ifndef CKFWM_H
+#include "ckfwm.h"
+#endif /* CKFWM_H */
+
+#ifndef CKMD_H
+#include "ckmd.h"
+#endif /* CKMD_H */
+
+/* NSS-private */
+
+/* nss_ZNEW and the like.  We might want to publish the memory APIs.. */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#endif /* CK_H */
diff --git a/security/nss/lib/ckfw/ckapi.perl b/security/nss/lib/ckfw/ckapi.perl
new file mode 100644
index 000000000..927737510
--- /dev/null
+++ b/security/nss/lib/ckfw/ckapi.perl
@@ -0,0 +1,515 @@
+#!perl
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$';
+
+$copyright = '/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+';
+
+$count = -1;
+$i = 0;
+
+open(INPUT, "<$ARGV[0]") || die "Can't open $ARGV[0]: $!";
+
+while(<INPUT>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+#  print;
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+
+  if( ($name =~ "FUNCTION") && !($name =~ "CK_FUNCTION") ) {
+    $count++;
+    $x[$count]{name} = $value;
+    $i = 0;
+  } else {
+    if( $count < 0 ) {
+      $value =~ s/"//g;
+      $g{$name} = $value;
+    } else {
+      $x[$count]{args}[$i]{type} = $name;
+      $x[$count]{args}[$i]{name} = $value;
+      $i++;
+      $x[$count]{nargs} = $i; # rewritten each time, oh well
+    }
+  }
+}
+
+close INPUT;
+
+# dodump();
+doprint();
+
+sub dodump {
+  for( $j = 0; $j <= $count; $j++ ) {
+    print "CK_RV CK_ENTRY $x[$j]{name}\n";
+    for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+      print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+      if( $i == ($x[$j]{nargs} - 1) ) {
+        print "\n";
+      } else {
+        print ",\n";
+      }
+    }
+  }
+}
+
+sub doprint {
+open(PROTOTYPE, ">nssckg.h") || die "Can't open nssckg.h: $!";
+open(TYPEDEF, ">nssckft.h") || die "Can't open nssckft.h: $!";
+open(EPV, ">nssckepv.h") || die "Can't open nssckepv.h: $!";
+open(API, ">nssck.api") || die "Can't open nssck.api: $!";
+
+select PROTOTYPE;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKG_H
+#define NSSCKG_H
+
+#ifdef DEBUG
+static const char NSSCKG_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckg.h
+ *
+ * This automatically-generated header file prototypes the Cryptoki
+ * functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "CK_RV CK_ENTRY $x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKG_H */
+EOD
+    ;
+
+select TYPEDEF;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKFT_H
+#define NSSCKFT_H
+
+#ifdef DEBUG
+static const char NSSCKFT_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckft.h
+ *
+ * The automatically-generated header file declares a typedef
+ * each of the Cryptoki functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+#  print "typedef CK_RV (CK_ENTRY *CK_$x[$j]{name})(\n";
+  print "typedef CK_CALLBACK_FUNCTION(CK_RV, CK_$x[$j]{name})(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKFT_H */
+EOD
+    ;
+
+select EPV;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKEPV_H
+#define NSSCKEPV_H
+
+#ifdef DEBUG
+static const char NSSCKEPV_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckepv.h
+ *
+ * This automatically-generated header file defines the type
+ * CK_FUNCTION_LIST specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#include "nssckp.h"
+
+struct CK_FUNCTION_LIST {
+  CK_VERSION version;
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "  CK_$x[$j]{name} $x[$j]{name};\n";
+}
+
+print <<EOD
+};
+
+#include "nsscku.h"
+
+#endif /* NSSCKEPV_H */
+EOD
+    ;
+
+select API;
+
+print $copyright;
+print <<EOD
+
+#ifdef DEBUG
+static const char NSSCKAPI_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssck.api
+ *
+ * This automatically-generated file is used to generate a set of
+ * Cryptoki entry points within the object space of a Module using
+ * the NSS Cryptoki Framework.
+ *
+ * The Module should have a .c file with the following:
+ *
+ *  #define MODULE_NAME name
+ *  #define INSTANCE_NAME instance
+ *  #include "nssck.api"
+ *
+ * where "name" is some module-specific name that can be used to
+ * disambiguate various modules.  This included file will then
+ * define the actual Cryptoki routines which pass through to the
+ * Framework calls.  All routines, except C_GetFunctionList, will
+ * be prefixed with the name; C_GetFunctionList will be generated
+ * to return an entry-point vector with these routines.  The
+ * instance specified should be the basic instance of NSSCKMDInstance.
+ *
+ * If, prior to including nssck.api, the .c file also specifies
+ *
+ *  #define DECLARE_STRICT_CRYTPOKI_NAMES
+ *
+ * Then a set of "stub" routines not prefixed with the name will
+ * be included.  This would allow the combined module and framework
+ * to be used in applications which are hard-coded to use the
+ * PKCS#11 names (instead of going through the EPV).  Please note
+ * that such applications should be careful resolving symbols when
+ * more than one PKCS#11 module is loaded.
+ */
+
+#ifndef MODULE_NAME
+#error "Error: MODULE_NAME must be defined."
+#endif /* MODULE_NAME */
+
+#ifndef INSTANCE_NAME
+#error "Error: INSTANCE_NAME must be defined."
+#endif /* INSTANCE_NAME */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#define ADJOIN(x,y) x##y
+
+#define __ADJOIN(x,y) ADJOIN(x,y)
+
+/*
+ * The anchor.  This object is used to store an "anchor" pointer in
+ * the Module's object space, so the wrapper functions can relate
+ * back to this instance.
+ */
+
+static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Initialize)
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY 
+C_Initialize
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Finalize)
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return NSSCKFWC_Finalize(&fwInstance);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Finalize
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetInfo)
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetInfo(fwInstance, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetInfo
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+/*
+ * C_GetFunctionList is defined at the end.
+ */
+
+EOD
+    ;
+
+for( $j = 4; $j <= $count; $j++ ) {
+  print "static CK_RV CK_ENTRY\n";
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return NSSCKFW$x[$j]{name}(fwInstance, ";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n\n";
+
+  print "#ifdef DECLARE_STRICT_CRYPTOKI_NAMES\n";
+  print "CK_RV CK_ENTRY\n";
+  print "$x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return __ADJOIN(MODULE_NAME,$x[$j]{name})(";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n";
+  print "#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */\n\n";
+}
+
+print <<EOD
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+);
+
+static CK_FUNCTION_LIST FunctionList = {
+  { 2, 1 },
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})";
+  if( $j < $count ) {
+    print ",\n";
+  } else {
+    print "\n};\n\n";
+  }
+}
+
+print <<EOD
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
+
+/* This one is always present */
+CK_RV CK_ENTRY
+C_GetFunctionList
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+}
+
+#undef __ADJOIN
+
+EOD
+    ;
+
+select STDOUT;
+
+}
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
new file mode 100644
index 000000000..a6dfcede3
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfw.h
@@ -0,0 +1,2462 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKFW_H
+#define CKFW_H
+
+#ifdef DEBUG
+static const char CKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckfw.h
+ *
+ * This file prototypes the private calls of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  -- create/destroy --
+ *  nssCKFWInstance_Create
+ *  nssCKFWInstance_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWInstance_GetMDInstance
+ *  nssCKFWInstance_GetArena
+ *  nssCKFWInstance_MayCreatePthreads
+ *  nssCKFWInstance_CreateMutex
+ *  nssCKFWInstance_GetConfigurationData
+ *  nssCKFWInstance_GetInitArgs 
+ *
+ *  -- private accessors --
+ *  nssCKFWInstance_CreateSessionHandle
+ *  nssCKFWInstance_ResolveSessionHandle
+ *  nssCKFWInstance_DestroySessionHandle
+ *  nssCKFWInstance_FindSessionHandle
+ *  nssCKFWInstance_CreateObjectHandle
+ *  nssCKFWInstance_ResolveObjectHandle
+ *  nssCKFWInstance_DestroyObjectHandle
+ *  nssCKFWInstance_FindObjectHandle
+ *
+ *  -- module fronts --
+ *  nssCKFWInstance_GetNSlots
+ *  nssCKFWInstance_GetCryptokiVersion
+ *  nssCKFWInstance_GetManufacturerID
+ *  nssCKFWInstance_GetFlags
+ *  nssCKFWInstance_GetLibraryDescription
+ *  nssCKFWInstance_GetLibraryVersion
+ *  nssCKFWInstance_GetModuleHandlesSessionObjects
+ *  nssCKFWInstance_GetSlots
+ *  nssCKFWInstance_WaitForSlotEvent
+ *
+ *  -- debugging versions only --
+ *  nssCKFWInstance_verifyPointer
+ */
+
+/*
+ * nssCKFWInstance_Create
+ *
+ */
+NSS_EXTERN NSSCKFWInstance *
+nssCKFWInstance_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  CryptokiLockingState LockingState,
+  NSSCKMDInstance *mdInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_Destroy
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetMDInstance
+ *
+ */
+NSS_EXTERN NSSCKMDInstance *
+nssCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_CreateMutex
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_EXTERN NSSUTF8 *
+nssCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetInitArgs
+ *
+ */
+NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
+nssCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_CreateSessionHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWInstance_CreateSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_ResolveSessionHandle
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWInstance_ResolveSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWInstance_DestroySessionHandle
+ *
+ */
+NSS_EXTERN void
+nssCKFWInstance_DestroySessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWInstance_FindSessionHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWInstance_FindSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWInstance_CreateObjectHandle
+ *
+ */
+NSS_EXTERN CK_OBJECT_HANDLE
+nssCKFWInstance_CreateObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_ResolveObjectHandle
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWInstance_ResolveObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWInstance_ReassignObjectHandle
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_ReassignObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWInstance_DestroyObjectHandle
+ *
+ */
+NSS_EXTERN void
+nssCKFWInstance_DestroyObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWInstance_FindObjectHandle
+ *
+ */
+NSS_EXTERN CK_OBJECT_HANDLE
+nssCKFWInstance_FindObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWInstance_GetNSlots
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWInstance_GetNSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_GetCryptokiVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWInstance_GetCryptokiVersion
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_GetManufacturerID
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWInstance_GetFlags
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWInstance_GetFlags
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetLibraryDescription
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_GetLibraryDescription
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR libraryDescription[32]
+);
+
+/*
+ * nssCKFWInstance_GetLibraryVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWInstance_GetLibraryVersion
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetModuleHandlesSessionObjects
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWInstance_GetModuleHandlesSessionObjects
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetSlots
+ *
+ */
+NSS_EXTERN NSSCKFWSlot **
+nssCKFWInstance_GetSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_WaitForSlotEvent
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWInstance_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL block,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_verifyPointer
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_verifyPointer
+(
+  const NSSCKFWInstance *fwInstance
+);
+
+
+/*
+ * NSSCKFWSlot
+ *
+ *  -- create/destroy --
+ *  nssCKFWSlot_Create
+ *  nssCKFWSlot_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSlot_GetMDSlot
+ *  nssCKFWSlot_GetFWInstance
+ *  nssCKFWSlot_GetMDInstance
+ *
+ *  -- private accessors --
+ *  nssCKFWSlot_GetSlotID
+ *
+ *  -- module fronts --
+ *  nssCKFWSlot_GetSlotDescription
+ *  nssCKFWSlot_GetManufacturerID
+ *  nssCKFWSlot_GetTokenPresent
+ *  nssCKFWSlot_GetRemovableDevice
+ *  nssCKFWSlot_GetHardwareSlot
+ *  nssCKFWSlot_GetHardwareVersion
+ *  nssCKFWSlot_GetFirmwareVersion
+ *  nssCKFWSlot_GetToken
+ */
+
+/*
+ * nssCKFWSlot_Create
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWSlot_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *mdSlot,
+  CK_SLOT_ID slotID,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSlot_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_Destroy
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetMDSlot
+ *
+ */
+NSS_EXTERN NSSCKMDSlot *
+nssCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_EXTERN NSSCKFWInstance *
+nssCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+nssCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetSlotID
+ *
+ */
+NSS_EXTERN CK_SLOT_ID
+nssCKFWSlot_GetSlotID
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetSlotDescription
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_GetSlotDescription
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR slotDescription[64]
+);
+
+/*
+ * nssCKFWSlot_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_GetManufacturerID
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWSlot_GetTokenPresent
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetTokenPresent
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetRemovableDevice
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetRemovableDevice
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetHardwareSlot
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetHardwareSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetHardwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWSlot_GetHardwareVersion
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetFirmwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWSlot_GetFirmwareVersion
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetToken
+ * 
+ */
+NSS_EXTERN NSSCKFWToken *
+nssCKFWSlot_GetToken
+(
+  NSSCKFWSlot *fwSlot,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSlot_ClearToken
+ *
+ */
+NSS_EXTERN void
+nssCKFWSlot_ClearToken
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWToken
+ *
+ *  -- create/destroy --
+ *  nssCKFWToken_Create
+ *  nssCKFWToken_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWToken_GetMDToken
+ *  nssCKFWToken_GetFWSlot
+ *  nssCKFWToken_GetMDSlot
+ *  nssCKFWToken_GetSessionState
+ *
+ *  -- private accessors --
+ *  nssCKFWToken_SetSessionState
+ *  nssCKFWToken_RemoveSession
+ *  nssCKFWToken_CloseAllSessions
+ *  nssCKFWToken_GetSessionCount
+ *  nssCKFWToken_GetRwSessionCount
+ *  nssCKFWToken_GetRoSessionCount
+ *  nssCKFWToken_GetSessionObjectHash
+ *  nssCKFWToken_GetMDObjectHash
+ *  nssCKFWToken_GetObjectHandleHash
+ *
+ *  -- module fronts --
+ *  nssCKFWToken_InitToken
+ *  nssCKFWToken_GetLabel
+ *  nssCKFWToken_GetManufacturerID
+ *  nssCKFWToken_GetModel
+ *  nssCKFWToken_GetSerialNumber
+ *  nssCKFWToken_GetHasRNG
+ *  nssCKFWToken_GetIsWriteProtected
+ *  nssCKFWToken_GetLoginRequired
+ *  nssCKFWToken_GetUserPinInitialized
+ *  nssCKFWToken_GetRestoreKeyNotNeeded
+ *  nssCKFWToken_GetHasClockOnToken
+ *  nssCKFWToken_GetHasProtectedAuthenticationPath
+ *  nssCKFWToken_GetSupportsDualCryptoOperations
+ *  nssCKFWToken_GetMaxSessionCount
+ *  nssCKFWToken_GetMaxRwSessionCount
+ *  nssCKFWToken_GetMaxPinLen
+ *  nssCKFWToken_GetMinPinLen
+ *  nssCKFWToken_GetTotalPublicMemory
+ *  nssCKFWToken_GetFreePublicMemory
+ *  nssCKFWToken_GetTotalPrivateMemory
+ *  nssCKFWToken_GetFreePrivateMemory
+ *  nssCKFWToken_GetHardwareVersion
+ *  nssCKFWToken_GetFirmwareVersion
+ *  nssCKFWToken_GetUTCTime
+ *  nssCKFWToken_OpenSession
+ *  nssCKFWToken_GetMechanismCount
+ *  nssCKFWToken_GetMechanismTypes
+ *  nssCKFWToken_GetMechanism
+ */
+
+/*
+ * nssCKFWToken_Create
+ *
+ */
+NSS_EXTERN NSSCKFWToken *
+nssCKFWToken_Create
+(
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDToken *mdToken,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_Destroy
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDToken
+ *
+ */
+NSS_EXTERN NSSCKMDToken *
+nssCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_GetFWSlot
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDSlot
+ *
+ */
+NSS_EXTERN NSSCKMDSlot *
+nssCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionState
+ *
+ */
+NSS_EXTERN CK_STATE
+nssCKFWToken_GetSessionState
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_InitToken
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_InitToken
+(
+  NSSCKFWToken *fwToken,
+  NSSItem *pin,
+  NSSUTF8 *label
+);
+
+/*
+ * nssCKFWToken_GetLabel
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetLabel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR label[32]
+);
+
+/*
+ * nssCKFWToken_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetManufacturerID
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWToken_GetModel
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetModel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR model[16]
+);
+
+/*
+ * nssCKFWToken_GetSerialNumber
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetSerialNumber
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR serialNumber[16]
+);
+
+/*
+ * nssCKFWToken_GetHasRNG
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasRNG
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetIsWriteProtected
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetIsWriteProtected
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetLoginRequired
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetLoginRequired
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetUserPinInitialized
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetUserPinInitialized
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRestoreKeyNotNeeded
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetRestoreKeyNotNeeded
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHasClockOnToken
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasClockOnToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHasProtectedAuthenticationPath
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasProtectedAuthenticationPath
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSupportsDualCryptoOperations
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetSupportsDualCryptoOperations
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxRwSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxRwSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxPinLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxPinLen
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMinPinLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMinPinLen
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetTotalPublicMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetTotalPublicMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFreePublicMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetFreePublicMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetTotalPrivateMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetTotalPrivateMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFreePrivateMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetFreePrivateMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHardwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWToken_GetHardwareVersion
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFirmwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWToken_GetFirmwareVersion
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetUTCTime
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetUTCTime
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR utcTime[16]
+);
+
+/*
+ * nssCKFWToken_OpenSession
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWToken_OpenSession
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_GetMechanismCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMechanismCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMechanismTypes
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetMechanismTypes
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE types[]
+);
+
+/*
+ * nssCKFWToken_GetMechanism
+ *
+ */
+NSS_EXTERN NSSCKFWMechanism *
+nssCKFWToken_GetMechanism
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_SetSessionState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_SetSessionState
+(
+  NSSCKFWToken *fwToken,
+  CK_STATE newState
+);
+
+/*
+ * nssCKFWToken_RemoveSession
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_RemoveSession
+(
+  NSSCKFWToken *fwToken,
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWToken_CloseAllSessions
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_CloseAllSessions
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRwSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetRwSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRoSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetRoSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionObjectHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetSessionObjectHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDObjectHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetMDObjectHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetObjectHandleHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetObjectHandleHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  -- create/destroy --
+ *  nssCKFWMechanism_Create
+ *  nssCKFWMechanism_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWMechanism_GetMDMechanism
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWMechanism_GetMinKeySize
+ *  nssCKFWMechanism_GetMaxKeySize
+ *  nssCKFWMechanism_GetInHardware
+ *  nssCKFWMechanism_GetCanEncrypt
+ *  nssCKFWMechanism_GetCanDecrypt
+ *  nssCKFWMechanism_GetCanDigest
+ *  nssCKFWMechanism_GetCanSignRecover
+ *  nssCKFWMechanism_GetCanVerify
+ *  nssCKFWMechanism_GetCanVerifyRecover
+ *  nssCKFWMechanism_GetCanGenerate
+ *  nssCKFWMechanism_GetCanGenerateKeyPair
+ *  nssCKFWMechanism_GetCanWrap
+ *  nssCKFWMechanism_GetCanUnwrap
+ *  nssCKFWMechanism_GetCanDerive
+ *  nssCKFWMechanism_EncryptInit
+ *  nssCKFWMechanism_DecryptInit
+ *  nssCKFWMechanism_DigestInit
+ *  nssCKFWMechanism_SignInit
+ *  nssCKFWMechanism_SignRecoverInit
+ *  nssCKFWMechanism_VerifyInit
+ *  nssCKFWMechanism_VerifyRecoverInit
+ *  nssCKFWMechanism_GenerateKey
+ *  nssCKFWMechanism_GenerateKeyPair
+ *  nssCKFWMechanism_GetWrapKeyLength
+ *  nssCKFWMechanism_WrapKey
+ *  nssCKFWMechanism_UnwrapKey
+ *  nssCKFWMechanism_DeriveKey
+ */
+
+/*
+ * nssCKFWMechanism_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMechanism *
+nssCKFWMechanism_Create
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWMechanism_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWMechanism_Destroy
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetMDMechanism
+ *
+ */
+
+NSS_EXTERN NSSCKMDMechanism *
+nssCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetMinKeySize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetMinKeySize
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetMaxKeySize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetMaxKeySize
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetInHardware
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetInHardware
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * the following are determined automatically by which of the cryptographic
+ * functions are defined for this mechanism.
+ */
+/*
+ * nssCKFWMechanism_GetCanEncrypt
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanEncrypt
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanDecrypt
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDecrypt
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanDigest
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDigest
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanSign
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanSign
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanSignRecover
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanSignRecover
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanVerify
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanVerify
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanVerifyRecover
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanVerifyRecover
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanGenerate
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanGenerate
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanGenerateKeyPair
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanGenerateKeyPair
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanWrap
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanWrap
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanUnwrap
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanUnwrap
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMechanism_GetCanDerive
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDerive
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+);
+
+/*
+ *  nssCKFWMechanism_EncryptInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_EncryptInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ *  nssCKFWMechanism_DecryptInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_DecryptInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ *  nssCKFWMechanism_DigestInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_DigestInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession
+);
+
+/*
+ *  nssCKFWMechanism_SignInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_SignInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ *  nssCKFWMechanism_SignRecoverInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_SignRecoverInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ *  nssCKFWMechanism_VerifyInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_VerifyInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ *  nssCKFWMechanism_VerifyRecoverInit
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_VerifyRecoverInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM      *pMechanism,
+  NSSCKFWSession    *fwSession,
+  NSSCKFWObject     *fwObject
+);
+
+/*
+ * nssCKFWMechanism_GenerateKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_GenerateKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+);
+
+/*
+ * nssCKFWMechanism_GenerateKeyPair
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_GenerateKeyPair
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG         ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG         ulPrivateKeyAttributeCount,
+  NSSCKFWObject    **fwPublicKeyObject,
+  NSSCKFWObject    **fwPrivateKeyObject
+);
+
+/*
+ * nssCKFWMechanism_GetWrapKeyLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetWrapKeyLength
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSCKFWObject    *fwObject,
+  CK_RV		   *pError
+);
+
+/*
+ * nssCKFWMechanism_WrapKey
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_WrapKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSCKFWObject    *fwObject,
+  NSSItem          *wrappedKey
+);
+
+/*
+ * nssCKFWMechanism_UnwrapKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_UnwrapKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSItem          *wrappedKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+);
+
+/* 
+ * nssCKFWMechanism_DeriveKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_DeriveKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwBaseKeyObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+);
+
+/*
+ * NSSCKFWCryptoOperation
+ *
+ *  -- create/destroy --
+ *  nssCKFWCryptoOperation_Create
+ *  nssCKFWCryptoOperation_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWCryptoOperation_GetMDCryptoOperation
+ *  nssCKFWCryptoOperation_GetType
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ * nssCKFWCryptoOperation_GetFinalLength
+ * nssCKFWCryptoOperation_GetOperationLength
+ * nssCKFWCryptoOperation_Final
+ * nssCKFWCryptoOperation_Update
+ * nssCKFWCryptoOperation_DigestUpdate
+ * nssCKFWCryptoOperation_DigestKey
+ * nssCKFWCryptoOperation_UpdateFinal
+ */
+
+/*
+ *  nssCKFWCrytoOperation_Create
+ */
+NSS_EXTERN NSSCKFWCryptoOperation *
+nssCKFWCryptoOperation_Create
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWCryptoOperationType type,
+  CK_RV *pError
+);
+
+/*
+ *  nssCKFWCryptoOperation_Destroy
+ */
+NSS_EXTERN void
+nssCKFWCryptoOperation_Destroy
+(
+  NSSCKFWCryptoOperation *fwOperation
+);
+
+/*
+ *  nssCKFWCryptoOperation_GetMDCryptoOperation
+ */
+NSS_EXTERN NSSCKMDCryptoOperation *
+nssCKFWCryptoOperation_GetMDCryptoOperation
+(
+  NSSCKFWCryptoOperation *fwOperation
+);
+
+/*
+ *  nssCKFWCryptoOperation_GetType
+ */
+NSS_EXTERN NSSCKFWCryptoOperationType
+nssCKFWCryptoOperation_GetType
+(
+  NSSCKFWCryptoOperation *fwOperation
+);
+
+/*
+ * nssCKFWCryptoOperation_GetFinalLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWCryptoOperation_GetFinalLength
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWCryptoOperation_GetOperationLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWCryptoOperation_GetOperationLength
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWCryptoOperation_Final
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_Final
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *outputBuffer
+);
+
+/*
+ * nssCKFWCryptoOperation_Update
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_Update
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+);
+
+/*
+ * nssCKFWCryptoOperation_DigestUpdate
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_DigestUpdate
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer
+);
+
+/*
+ * nssCKFWCryptoOperation_DigestKey
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_DigestKey
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKFWObject *fwKey
+);
+
+/*
+ * nssCKFWCryptoOperation_UpdateFinal
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_UpdateFinal
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+);
+
+/*
+ * nssCKFWCryptoOperation_UpdateCombo
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_UpdateCombo
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKFWCryptoOperation *fwPeerOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+);
+
+/*
+ * NSSCKFWSession
+ *
+ *  -- create/destroy --
+ *  nssCKFWSession_Create
+ *  nssCKFWSession_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSession_GetMDSession
+ *  nssCKFWSession_GetArena
+ *  nssCKFWSession_CallNotification
+ *  nssCKFWSession_IsRWSession
+ *  nssCKFWSession_IsSO
+ *  nssCKFWSession_GetCurrentCryptoOperation
+ *
+ *  -- private accessors --
+ *  nssCKFWSession_GetFWSlot
+ *  nssCKFWSession_GetSessionState
+ *  nssCKFWSession_SetFWFindObjects
+ *  nssCKFWSession_GetFWFindObjects
+ *  nssCKFWSession_SetMDSession
+ *  nssCKFWSession_SetHandle
+ *  nssCKFWSession_GetHandle
+ *  nssCKFWSession_RegisterSessionObject
+ *  nssCKFWSession_DeregisterSessionObject
+ *  nssCKFWSession_SetCurrentCryptoOperation
+ *
+ *  -- module fronts --
+ *  nssCKFWSession_GetDeviceError
+ *  nssCKFWSession_Login
+ *  nssCKFWSession_Logout
+ *  nssCKFWSession_InitPIN
+ *  nssCKFWSession_SetPIN
+ *  nssCKFWSession_GetOperationStateLen
+ *  nssCKFWSession_GetOperationState
+ *  nssCKFWSession_SetOperationState
+ *  nssCKFWSession_CreateObject
+ *  nssCKFWSession_CopyObject
+ *  nssCKFWSession_FindObjectsInit
+ *  nssCKFWSession_SeedRandom
+ *  nssCKFWSession_GetRandom
+ *  nssCKFWSession_Final
+ *  nssCKFWSession_Update
+ *  nssCKFWSession_DigestUpdate
+ *  nssCKFWSession_DigestKey
+ *  nssCKFWSession_UpdateFinal
+ *  nssCKFWSession_UpdateCombo
+ */
+
+/*
+ * nssCKFWSession_Create
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWSession_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Destroy
+(
+  NSSCKFWSession *fwSession,
+  CK_BBOOL removeFromTokenHash
+);
+
+/*
+ * nssCKFWSession_GetMDSession
+ *
+ */
+NSS_EXTERN NSSCKMDSession *
+nssCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_CallNotification
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+);
+
+/*
+ * nssCKFWSession_IsRWSession
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_IsSO
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_GetFWSlot
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWSession_GetFWSlot
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCFKWSession_GetSessionState
+ *
+ */
+NSS_EXTERN CK_STATE
+nssCKFWSession_GetSessionState
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_SetFWFindObjects
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWSession_GetFWFindObjects
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWSession_GetFWFindObjects
+(
+  NSSCKFWSession *fwSesssion,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_SetMDSession
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetMDSession
+(
+  NSSCKFWSession *fwSession,
+  NSSCKMDSession *mdSession
+);
+
+/*
+ * nssCKFWSession_SetHandle
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetHandle
+(
+  NSSCKFWSession *fwSession,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWSession_GetHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWSession_GetHandle
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_RegisterSessionObject
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_RegisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWSession_DeregisterSessionObject
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_DeregisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWSession_GetDeviceError
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWSession_GetDeviceError
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_Login
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Login
+(
+  NSSCKFWSession *fwSession,
+  CK_USER_TYPE userType,
+  NSSItem *pin
+);
+
+/*
+ * nssCKFWSession_Logout
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Logout
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_InitPIN
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_InitPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *pin
+);
+
+/*
+ * nssCKFWSession_SetPIN
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *newPin,
+  NSSItem *oldPin
+);
+
+/*
+ * nssCKFWSession_GetOperationStateLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWSession_GetOperationStateLen
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_GetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_GetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+);
+
+/*
+ * nssCKFWSession_SetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *state,
+  NSSCKFWObject *encryptionKey,
+  NSSCKFWObject *authenticationKey
+);
+
+/*
+ * nssCKFWSession_CreateObject
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWSession_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_CopyObject
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWSession_CopyObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *object,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_FindObjectsInit
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWSession_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_SetCurrentCryptoOperation
+ */
+NSS_IMPLEMENT void
+nssCKFWSession_SetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperation * fwOperation,
+  NSSCKFWCryptoOperationState state
+);
+
+/*
+ * nssCKFWSession_GetCurrentCryptoOperation
+ */
+NSS_IMPLEMENT NSSCKFWCryptoOperation *
+nssCKFWSession_GetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationState state
+);
+
+/*
+ * nssCKFWSession_Final
+ * (terminate a cryptographic operation and get the result)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Final
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+);
+
+/*
+ * nssCKFWSession_Update
+ * (get the next step of an encrypt/decrypt operation)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Update
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+);
+
+/*
+ * nssCKFWSession_DigestUpdate
+ * (do the next step of an digest/sign/verify operation)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DigestUpdate
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen
+);
+
+/*
+ * nssCKFWSession_DigestKey
+ * (do the next step of an digest/sign/verify operation)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DigestKey
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwKey
+);
+
+/*
+ * nssCKFWSession_UpdateFinal
+ * (do a single-step of a cryptographic operation and get the result)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_UpdateFinal
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+);
+
+/*
+ * nssCKFWSession_UpdateCombo
+ * (do a combination encrypt/decrypt and sign/digest/verify operation)
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_UpdateCombo
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType encryptType,
+  NSSCKFWCryptoOperationType digestType,
+  NSSCKFWCryptoOperationState digestState,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+);
+
+/*
+ * nssCKFWSession_SeedRandom
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SeedRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *seed
+);
+
+/*
+ * nssCKFWSession_GetRandom
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_GetRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+);
+
+/*
+ * NSSCKFWObject
+ *
+ * -- create/destroy --
+ *  nssCKFWObject_Create
+ *  nssCKFWObject_Finalize
+ *  nssCKFWObject_Destroy
+ *
+ * -- implement public accessors --
+ *  nssCKFWObject_GetMDObject
+ *  nssCKFWObject_GetArena
+ *
+ * -- private accessors --
+ *  nssCKFWObject_SetHandle
+ *  nssCKFWObject_GetHandle
+ *
+ * -- module fronts --
+ *  nssCKFWObject_IsTokenObject
+ *  nssCKFWObject_GetAttributeCount
+ *  nssCKFWObject_GetAttributeTypes
+ *  nssCKFWObject_GetAttributeSize
+ *  nssCKFWObject_GetAttribute
+ *  nssCKFWObject_SetAttribute
+ *  nssCKFWObject_GetObjectSize
+ */
+
+/*
+ * nssCKFWObject_Create
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWObject_Create
+(
+  NSSArena *arena,
+  NSSCKMDObject *mdObject,
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_Finalize
+ *
+ */
+NSS_EXTERN void
+nssCKFWObject_Finalize
+(
+  NSSCKFWObject *fwObject,
+  PRBool removeFromHash
+);
+
+/*
+ * nssCKFWObject_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWObject_Destroy
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetMDObject
+ *
+ */
+NSS_EXTERN NSSCKMDObject *
+nssCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_SetHandle
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWObject_SetHandle
+(
+  NSSCKFWObject *fwObject,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWObject_GetHandle
+ *
+ */
+NSS_EXTERN CK_OBJECT_HANDLE
+nssCKFWObject_GetHandle
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_IsTokenObject
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetAttributeCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+/*
+ * nssCKFWObject_GetAttributeSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_GetAttribute
+ *
+ * Usual NSS allocation rules:
+ * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
+ * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
+ * the buffer will be allocated; otherwise, the buffer will be used.
+ * Any allocations will come from the optional arena, if one is
+ * specified.
+ */
+NSS_EXTERN NSSItem *
+nssCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_SetAttribute
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWObject_SetAttribute
+(
+  NSSCKFWObject *fwObject,
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+);
+
+/*
+ * nssCKFWObject_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  -- create/destroy --
+ *  nssCKFWFindObjects_Create
+ *  nssCKFWFindObjects_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWFindObjects_GetMDFindObjects
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWFindObjects_Next
+ */
+
+/*
+ * nssCKFWFindObjects_Create
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWFindObjects_Create
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDFindObjects *mdFindObjects1,
+  NSSCKMDFindObjects *mdFindObjects2,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWFindObjects_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWFindObjects_Destroy
+(
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWFindObjects_GetMDFindObjects
+ *
+ */
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWFindObjects_Next
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWFindObjects_Next
+(
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWMutex
+ *
+ *  nssCKFWMutex_Create
+ *  nssCKFWMutex_Destroy
+ *  nssCKFWMutex_Lock
+ *  nssCKFWMutex_Unlock
+ *
+ */
+
+/*
+ * nssCKFWMutex_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWMutex_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  CryptokiLockingState LockingState,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * nssCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * nssCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+);
+
+#endif /* CKFW_H */
diff --git a/security/nss/lib/ckfw/ckfwm.h b/security/nss/lib/ckfw/ckfwm.h
new file mode 100644
index 000000000..542bc390c
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfwm.h
@@ -0,0 +1,164 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKFWM_H
+#define CKFWM_H
+
+#ifdef DEBUG
+static const char CKFWM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckfwm.h
+ *
+ * This file prototypes the module-private calls of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+);
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_EXTERN void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+);
+
+#endif /* CKFWM_H */
diff --git a/security/nss/lib/ckfw/ckfwtm.h b/security/nss/lib/ckfw/ckfwtm.h
new file mode 100644
index 000000000..b3eee1edb
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfwtm.h
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKFWTM_H
+#define CKFWTM_H
+
+#ifdef DEBUG
+static const char CKFWTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckfwtm.h
+ *
+ * This file declares the module-private types of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+struct nssCKFWHashStr;
+typedef struct nssCKFWHashStr nssCKFWHash;
+
+typedef void (PR_CALLBACK *nssCKFWHashIterator)(const void *key, void *value, void *closure);
+
+#endif /* CKFWTM_H */
diff --git a/security/nss/lib/ckfw/ckmd.h b/security/nss/lib/ckfw/ckmd.h
new file mode 100644
index 000000000..0c6b14311
--- /dev/null
+++ b/security/nss/lib/ckfw/ckmd.h
@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKMD_H
+#define CKMD_H
+
+#ifdef DEBUG
+static const char CKMD_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckmd.h
+ *
+ */
+
+NSS_EXTERN NSSCKMDObject *
+nssCKMDSessionObject_Create
+(
+  NSSCKFWToken *fwToken,
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR attributes,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKMDFindSessionObjects_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+#endif /* CKMD_H */
diff --git a/security/nss/lib/ckfw/ckt.h b/security/nss/lib/ckfw/ckt.h
new file mode 100644
index 000000000..f2e631679
--- /dev/null
+++ b/security/nss/lib/ckfw/ckt.h
@@ -0,0 +1,40 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* get back to just one set of PKCS #11 headers. Use the onese that
+ * are easiest to maintain from the RSA website */
+/* this one is the one that defines NSS specific data */
+#include "pkcs11n.h"
diff --git a/security/nss/lib/ckfw/config.mk b/security/nss/lib/ckfw/config.mk
new file mode 100644
index 000000000..5202c7103
--- /dev/null
+++ b/security/nss/lib/ckfw/config.mk
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+# Hack to see if everything still builds
+#
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+
diff --git a/security/nss/lib/ckfw/crypto.c b/security/nss/lib/ckfw/crypto.c
new file mode 100644
index 000000000..1794224fd
--- /dev/null
+++ b/security/nss/lib/ckfw/crypto.c
@@ -0,0 +1,377 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * crypto.c
+ *
+ * This file implements the NSSCKFWCryptoOperation type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWCryptoOperation
+ *
+ *  -- create/destroy --
+ *  nssCKFWCrytoOperation_Create
+ *  nssCKFWCryptoOperation_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWCryptoOperation_GetMDCryptoOperation
+ *  nssCKFWCryptoOperation_GetType
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ * nssCKFWCryptoOperation_GetFinalLength
+ * nssCKFWCryptoOperation_GetOperationLength
+ * nssCKFWCryptoOperation_Final
+ * nssCKFWCryptoOperation_Update
+ * nssCKFWCryptoOperation_DigestUpdate
+ * nssCKFWCryptoOperation_UpdateFinal
+ */
+
+struct NSSCKFWCryptoOperationStr {
+  /* NSSArena *arena; */
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKFWSession *fwSession;
+  NSSCKMDToken *mdToken;
+  NSSCKFWToken *fwToken;
+  NSSCKMDInstance *mdInstance;
+  NSSCKFWInstance *fwInstance;
+  NSSCKFWCryptoOperationType type;
+};
+
+/*
+ *  nssCKFWCrytoOperation_Create
+ */
+NSS_EXTERN NSSCKFWCryptoOperation *
+nssCKFWCryptoOperation_Create(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWCryptoOperationType type,
+  CK_RV *pError
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  fwOperation = nss_ZNEW(NULL, NSSCKFWCryptoOperation);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+  fwOperation->mdOperation = mdOperation; 
+  fwOperation->mdSession = mdSession; 
+  fwOperation->fwSession = fwSession; 
+  fwOperation->mdToken = mdToken; 
+  fwOperation->fwToken = fwToken; 
+  fwOperation->mdInstance = mdInstance; 
+  fwOperation->fwInstance = fwInstance; 
+  fwOperation->type = type; 
+  return fwOperation;
+}
+
+/*
+ *  nssCKFWCryptoOperation_Destroy
+ */
+NSS_EXTERN void
+nssCKFWCryptoOperation_Destroy
+(
+  NSSCKFWCryptoOperation *fwOperation
+)
+{
+  if ((NSSCKMDCryptoOperation *) NULL != fwOperation->mdOperation) {
+    if ((void *) NULL != (void *)fwOperation->mdOperation->Destroy) {
+      fwOperation->mdOperation->Destroy(
+                                fwOperation->mdOperation,
+                                fwOperation,
+                                fwOperation->mdInstance,
+                                fwOperation->fwInstance);
+    }
+  }
+  nss_ZFreeIf(fwOperation);
+}
+
+/*
+ *  nssCKFWCryptoOperation_GetMDCryptoOperation
+ */
+NSS_EXTERN NSSCKMDCryptoOperation *
+nssCKFWCryptoOperation_GetMDCryptoOperation
+(
+  NSSCKFWCryptoOperation *fwOperation
+)
+{
+  return fwOperation->mdOperation;
+}
+
+/*
+ *  nssCKFWCryptoOperation_GetType
+ */
+NSS_EXTERN NSSCKFWCryptoOperationType
+nssCKFWCryptoOperation_GetType
+(
+  NSSCKFWCryptoOperation *fwOperation
+)
+{
+  return fwOperation->type;
+}
+
+/*
+ * nssCKFWCryptoOperation_GetFinalLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWCryptoOperation_GetFinalLength
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  CK_RV *pError
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->GetFinalLength) {
+    *pError = CKR_FUNCTION_FAILED;
+    return 0;
+  }
+  return fwOperation->mdOperation->GetFinalLength(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                pError);
+}
+
+/*
+ * nssCKFWCryptoOperation_GetOperationLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWCryptoOperation_GetOperationLength
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  CK_RV *pError
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->GetOperationLength) {
+    *pError = CKR_FUNCTION_FAILED;
+    return 0;
+  }
+  return fwOperation->mdOperation->GetOperationLength(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                inputBuffer,
+                pError);
+}
+
+/*
+ * nssCKFWCryptoOperation_Final
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_Final
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *outputBuffer
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->Final) {
+    return CKR_FUNCTION_FAILED;
+  }
+  return fwOperation->mdOperation->Final(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                outputBuffer);
+}
+
+/*
+ * nssCKFWCryptoOperation_Update
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_Update
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->Update) {
+    return CKR_FUNCTION_FAILED;
+  }
+  return fwOperation->mdOperation->Update(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                inputBuffer,
+                outputBuffer);
+}
+
+/*
+ * nssCKFWCryptoOperation_DigestUpdate
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_DigestUpdate
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->DigestUpdate) {
+    return CKR_FUNCTION_FAILED;
+  }
+  return fwOperation->mdOperation->DigestUpdate(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                inputBuffer);
+}
+
+/*
+ * nssCKFWCryptoOperation_DigestKey
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_DigestKey
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKFWObject *fwObject /* Key */
+)
+{
+  NSSCKMDObject *mdObject;
+
+  if ((void *) NULL == (void *)fwOperation->mdOperation->DigestKey) {
+    return CKR_FUNCTION_FAILED;
+  }
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  return fwOperation->mdOperation->DigestKey(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                mdObject,
+                fwObject);
+}
+
+/*
+ * nssCKFWCryptoOperation_UpdateFinal
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_UpdateFinal
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateFinal) {
+    return CKR_FUNCTION_FAILED;
+  }
+  return fwOperation->mdOperation->UpdateFinal(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                inputBuffer,
+                outputBuffer);
+}
+
+/*
+ * nssCKFWCryptoOperation_UpdateCombo
+ */
+NSS_EXTERN CK_RV
+nssCKFWCryptoOperation_UpdateCombo
+(
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKFWCryptoOperation *fwPeerOperation,
+  NSSItem *inputBuffer,
+  NSSItem *outputBuffer
+)
+{
+  if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateCombo) {
+    return CKR_FUNCTION_FAILED;
+  }
+  return fwOperation->mdOperation->UpdateCombo(
+                fwOperation->mdOperation,
+                fwOperation,
+                fwPeerOperation->mdOperation,
+                fwPeerOperation,
+                fwOperation->mdSession,
+                fwOperation->fwSession,
+                fwOperation->mdToken,
+                fwOperation->fwToken,
+                fwOperation->mdInstance,
+                fwOperation->fwInstance,
+                inputBuffer,
+                outputBuffer);
+}
diff --git a/security/nss/lib/ckfw/dbm/Makefile b/security/nss/lib/ckfw/dbm/Makefile
new file mode 100644
index 000000000..0df6bf84e
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/Makefile
@@ -0,0 +1,42 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include config.mk
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/ckfw/dbm/anchor.c b/security/nss/lib/ckfw/dbm/anchor.c
new file mode 100644
index 000000000..26f5a3fc6
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/anchor.c
@@ -0,0 +1,53 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * dbm/anchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckdbm.h"
+
+#define MODULE_NAME dbm
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/dbm/ckdbm.h b/security/nss/lib/ckfw/dbm/ckdbm.h
new file mode 100644
index 000000000..d0b723c14
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/ckdbm.h
@@ -0,0 +1,284 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CKDBM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKDBM_H
+#define CKDBM_H
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#include "mcom_db.h"
+
+NSS_EXTERN_DATA NSSCKMDInstance nss_dbm_mdInstance;
+
+typedef struct nss_dbm_db_struct nss_dbm_db_t;
+struct nss_dbm_db_struct {
+  DB *db;
+  NSSCKFWMutex *crustylock;
+};
+
+typedef struct nss_dbm_dbt_struct nss_dbm_dbt_t;
+struct nss_dbm_dbt_struct {
+  DBT dbt;
+  nss_dbm_db_t *my_db;
+};
+
+typedef struct nss_dbm_instance_struct nss_dbm_instance_t;
+struct nss_dbm_instance_struct {
+  NSSArena *arena;
+  CK_ULONG nSlots;
+  char **filenames;
+  int *flags; /* e.g. O_RDONLY, O_RDWR */
+};
+
+typedef struct nss_dbm_slot_struct nss_dbm_slot_t;
+struct nss_dbm_slot_struct {
+  nss_dbm_instance_t *instance;
+  char *filename;
+  int flags;
+  nss_dbm_db_t *token_db;
+};
+
+typedef struct nss_dbm_token_struct nss_dbm_token_t;
+struct nss_dbm_token_struct {
+  NSSArena *arena;
+  nss_dbm_slot_t *slot;
+  nss_dbm_db_t *session_db;
+  NSSUTF8 *label;
+};
+
+struct nss_dbm_dbt_node {
+  struct nss_dbm_dbt_node *next;
+  nss_dbm_dbt_t *dbt;
+};
+
+typedef struct nss_dbm_session_struct nss_dbm_session_t;
+struct nss_dbm_session_struct {
+  NSSArena *arena;
+  nss_dbm_token_t *token;
+  CK_ULONG deviceError;
+  struct nss_dbm_dbt_node *session_objects;
+  NSSCKFWMutex *list_lock;
+};
+
+typedef struct nss_dbm_object_struct nss_dbm_object_t;
+struct nss_dbm_object_struct {
+  NSSArena *arena; /* token or session */
+  nss_dbm_dbt_t *handle;
+};
+
+typedef struct nss_dbm_find_struct nss_dbm_find_t;
+struct nss_dbm_find_struct {
+  NSSArena *arena;
+  struct nss_dbm_dbt_node *found;
+  NSSCKFWMutex *list_lock;
+};
+
+NSS_EXTERN NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+);
+
+NSS_EXTERN nss_dbm_db_t *
+nss_dbm_db_open
+(
+  NSSArena *arena,
+  NSSCKFWInstance *fwInstance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN void
+nss_dbm_db_close
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_VERSION
+nss_dbm_db_get_format_version
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_label
+(
+  nss_dbm_db_t *db,
+  NSSUTF8 *label
+);
+
+NSS_EXTERN NSSUTF8 *
+nss_dbm_db_get_label
+(
+  nss_dbm_db_t *db,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_delete_object
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN nss_dbm_dbt_t *
+nss_dbm_db_create_object
+(
+  NSSArena *arena,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_find_objects
+(
+  nss_dbm_find_t *find,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_BBOOL
+nss_dbm_db_object_still_exists
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_count
+(
+  nss_dbm_dbt_t *dbt,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_get_object_attribute_types
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_size
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN NSSItem *
+nss_dbm_db_get_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  NSSArena *arena,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  NSSItem *value,
+  CK_ULONG *pdbrv
+);
+
+#endif /* CKDBM_H */
diff --git a/security/nss/lib/ckfw/dbm/config.mk b/security/nss/lib/ckfw/dbm/config.mk
new file mode 100644
index 000000000..a885d8663
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/config.mk
@@ -0,0 +1,41 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
diff --git a/security/nss/lib/ckfw/dbm/db.c b/security/nss/lib/ckfw/dbm/db.c
new file mode 100644
index 000000000..6abdce6af
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/db.c
@@ -0,0 +1,1068 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+#define PREFIX_METADATA "0000"
+#define PREFIX_OBJECT   "0001"
+#define PREFIX_INDEX    "0002"
+
+static CK_VERSION nss_dbm_db_format_version = { 1, 0 };
+struct handle {
+  char prefix[4];
+  CK_ULONG id;
+};
+
+NSS_IMPLEMENT nss_dbm_db_t *
+nss_dbm_db_open
+(
+  NSSArena *arena,
+  NSSCKFWInstance *fwInstance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+)
+{
+  nss_dbm_db_t *rv;
+  CK_VERSION db_version;
+
+  rv = nss_ZNEW(arena, nss_dbm_db_t);
+  if( (nss_dbm_db_t *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  rv->db = dbopen(filename, flags, 0600, DB_HASH, (const void *)NULL);
+  if( (DB *)NULL == rv->db ) {
+    *pError = CKR_TOKEN_NOT_PRESENT;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  rv->crustylock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == rv->crustylock ) {
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  db_version = nss_dbm_db_get_format_version(rv);
+  if( db_version.major != nss_dbm_db_format_version.major ) {
+    nss_dbm_db_close(rv);
+    *pError = CKR_TOKEN_NOT_RECOGNIZED;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT void
+nss_dbm_db_close
+(
+  nss_dbm_db_t *db
+)
+{
+  if( (NSSCKFWMutex *)NULL != db->crustylock ) {
+    (void)NSSCKFWMutex_Destroy(db->crustylock);
+  }
+
+  if( (DB *)NULL != db->db ) {
+    (void)db->db->close(db->db);
+  }
+
+  nss_ZFreeIf(db);
+}
+
+NSS_IMPLEMENT CK_VERSION
+nss_dbm_db_get_format_version
+(
+  nss_dbm_db_t *db
+)
+{
+  CK_VERSION rv;
+  DBT k, v;
+  int dbrv;
+  char buffer[64];
+
+  rv.major = rv.minor = 0;
+
+  k.data = PREFIX_METADATA "FormatVersion";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+  (void)memset(&v, 0, sizeof(v));
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->get(db->db, &k, &v, 0);
+    if( dbrv == 0 ) {
+      CK_ULONG major = 0, minor = 0;
+      (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
+      rv.major = major;
+      rv.minor = minor;
+    } else if( dbrv > 0 ) {
+      (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
+                        nss_dbm_db_format_version.minor);
+      v.data = buffer;
+      v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
+      dbrv = db->db->put(db->db, &k, &v, 0);
+      (void)db->db->sync(db->db, 0);
+      rv = nss_dbm_db_format_version;
+    } else {
+      /* No error return.. */
+      ;
+    }
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_set_label
+(
+  nss_dbm_db_t *db,
+  NSSUTF8 *label
+)
+{
+  CK_RV rv;
+  DBT k, v;
+  int dbrv;
+
+  k.data = PREFIX_METADATA "Label";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+  v.data = label;
+  v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->put(db->db, &k, &v, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+    }
+
+    dbrv = db->db->sync(db->db, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+    }
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nss_dbm_db_get_label
+(
+  nss_dbm_db_t *db,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSUTF8 *rv = (NSSUTF8 *)NULL;
+  DBT k, v;
+  int dbrv;
+
+  k.data = PREFIX_METADATA "Label";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->get(db->db, &k, &v, 0);
+    if( 0 == dbrv ) {
+      rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
+      if( (NSSUTF8 *)NULL == rv ) {
+        *pError = CKR_HOST_MEMORY;
+      }
+    } else if( dbrv > 0 ) {
+      /* Just return null */
+      ;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      ;
+    }
+
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_delete_object
+(
+  nss_dbm_dbt_t *dbt
+)
+{
+  CK_RV rv;
+  int dbrv;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    dbrv = dbt->my_db->db->del(dbt->my_db->db, &dbt->dbt, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    dbrv = dbt->my_db->db->sync(dbt->my_db->db, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+static CK_ULONG
+nss_dbm_db_new_handle
+(
+  nss_dbm_db_t *db,
+  DBT *dbt, /* pre-allocated */
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+  DBT k, v;
+  CK_ULONG align = 0, id, myid;
+  struct handle *hp;
+
+  if( sizeof(struct handle) != dbt->size ) {
+    return EINVAL;
+  }
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != *pError ) {
+      return EINVAL;
+    }
+
+    k.data = PREFIX_METADATA "LastID";
+    k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+    (void)memset(&v, 0, sizeof(v));
+
+    rv = db->db->get(db->db, &k, &v, 0);
+    if( 0 == rv ) {
+      (void)memcpy(&align, v.data, sizeof(CK_ULONG));
+      id = ntohl(align);
+    } else if( rv > 0 ) {
+      id = 0;
+    } else {
+      goto done;
+    }
+
+    myid = id;
+    id++;
+    align = htonl(id);
+    v.data = &align;
+    v.size = sizeof(CK_ULONG);
+
+    rv = db->db->put(db->db, &k, &v, 0);
+    if( 0 != rv ) {
+      goto done;
+    }
+
+    rv = db->db->sync(db->db, 0);
+    if( 0 != rv ) {
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  if( 0 != rv ) {
+    return rv;
+  }
+
+  hp = (struct handle *)dbt->data;
+  (void)memcpy(&hp->prefix[0], PREFIX_OBJECT, 4);
+  hp->id = myid;
+
+  return 0;
+}
+
+/*
+ * This attribute-type-dependent swapping should probably
+ * be in the Framework, because it'll be a concern of just
+ * about every Module.  Of course any Framework implementation
+ * will have to be augmentable or overridable by a Module.
+ */
+
+enum swap_type { type_byte, type_short, type_long, type_opaque };
+
+static enum swap_type
+nss_dbm_db_swap_type
+(
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  switch( type ) {
+  case CKA_CLASS: return type_long;
+  case CKA_TOKEN: return type_byte;
+  case CKA_PRIVATE: return type_byte;
+  case CKA_LABEL: return type_opaque;
+  case CKA_APPLICATION: return type_opaque;
+  case CKA_VALUE: return type_opaque;
+  case CKA_CERTIFICATE_TYPE: return type_long;
+  case CKA_ISSUER: return type_opaque;
+  case CKA_SERIAL_NUMBER: return type_opaque;
+  case CKA_KEY_TYPE: return type_long;
+  case CKA_SUBJECT: return type_opaque;
+  case CKA_ID: return type_opaque;
+  case CKA_SENSITIVE: return type_byte;
+  case CKA_ENCRYPT: return type_byte;
+  case CKA_DECRYPT: return type_byte;
+  case CKA_WRAP: return type_byte;
+  case CKA_UNWRAP: return type_byte;
+  case CKA_SIGN: return type_byte;
+  case CKA_SIGN_RECOVER: return type_byte;
+  case CKA_VERIFY: return type_byte;
+  case CKA_VERIFY_RECOVER: return type_byte;
+  case CKA_DERIVE: return type_byte;
+  case CKA_START_DATE: return type_opaque;
+  case CKA_END_DATE: return type_opaque;
+  case CKA_MODULUS: return type_opaque;
+  case CKA_MODULUS_BITS: return type_long;
+  case CKA_PUBLIC_EXPONENT: return type_opaque;
+  case CKA_PRIVATE_EXPONENT: return type_opaque;
+  case CKA_PRIME_1: return type_opaque;
+  case CKA_PRIME_2: return type_opaque;
+  case CKA_EXPONENT_1: return type_opaque;
+  case CKA_EXPONENT_2: return type_opaque;
+  case CKA_COEFFICIENT: return type_opaque;
+  case CKA_PRIME: return type_opaque;
+  case CKA_SUBPRIME: return type_opaque;
+  case CKA_BASE: return type_opaque;
+  case CKA_VALUE_BITS: return type_long;
+  case CKA_VALUE_LEN: return type_long;
+  case CKA_EXTRACTABLE: return type_byte;
+  case CKA_LOCAL: return type_byte;
+  case CKA_NEVER_EXTRACTABLE: return type_byte;
+  case CKA_ALWAYS_SENSITIVE: return type_byte;
+  case CKA_MODIFIABLE: return type_byte;
+  case CKA_NETSCAPE_URL: return type_opaque;
+  case CKA_NETSCAPE_EMAIL: return type_opaque;
+  case CKA_NETSCAPE_SMIME_INFO: return type_opaque;
+  case CKA_NETSCAPE_SMIME_TIMESTAMP: return type_opaque;
+  case CKA_NETSCAPE_PKCS8_SALT: return type_opaque;
+  case CKA_NETSCAPE_PASSWORD_CHECK: return type_opaque;
+  case CKA_NETSCAPE_EXPIRES: return type_opaque;
+  case CKA_TRUST_DIGITAL_SIGNATURE: return type_long;
+  case CKA_TRUST_NON_REPUDIATION: return type_long;
+  case CKA_TRUST_KEY_ENCIPHERMENT: return type_long;
+  case CKA_TRUST_DATA_ENCIPHERMENT: return type_long;
+  case CKA_TRUST_KEY_AGREEMENT: return type_long;
+  case CKA_TRUST_KEY_CERT_SIGN: return type_long;
+  case CKA_TRUST_CRL_SIGN: return type_long;
+  case CKA_TRUST_SERVER_AUTH: return type_long;
+  case CKA_TRUST_CLIENT_AUTH: return type_long;
+  case CKA_TRUST_CODE_SIGNING: return type_long;
+  case CKA_TRUST_EMAIL_PROTECTION: return type_long;
+  case CKA_TRUST_IPSEC_END_SYSTEM: return type_long;
+  case CKA_TRUST_IPSEC_TUNNEL: return type_long;
+  case CKA_TRUST_IPSEC_USER: return type_long;
+  case CKA_TRUST_TIME_STAMPING: return type_long;
+  case CKA_NETSCAPE_DB: return type_opaque;
+  case CKA_NETSCAPE_TRUST: return type_opaque;
+  default: return type_opaque;
+  }
+}
+
+static void
+nss_dbm_db_swap_copy
+(
+  CK_ATTRIBUTE_TYPE type,
+  void *dest,
+  void *src,
+  CK_ULONG len
+)
+{
+  switch( nss_dbm_db_swap_type(type) ) {
+  case type_byte:
+  case type_opaque:
+    (void)memcpy(dest, src, len);
+    break;
+  case type_short:
+    {
+      CK_USHORT s, d;
+      (void)memcpy(&s, src, sizeof(CK_USHORT));
+      d = htons(s);
+      (void)memcpy(dest, &d, sizeof(CK_USHORT));
+      break;
+    }
+  case type_long:
+    {
+      CK_ULONG s, d;
+      (void)memcpy(&s, src, sizeof(CK_ULONG));
+      d = htonl(s);
+      (void)memcpy(dest, &d, sizeof(CK_ULONG));
+      break;
+    }
+  }
+}
+
+static CK_RV
+nss_dbm_db_wrap_object
+(
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  DBT *object
+)
+{
+  CK_ULONG object_size;
+  CK_ULONG i;
+  CK_ULONG *pulData;
+  char *pcData;
+  CK_ULONG offset;
+
+  object_size = (1 + ulAttributeCount*3) * sizeof(CK_ULONG);
+  offset = object_size;
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    object_size += pTemplate[i].ulValueLen;
+  }
+
+  object->size = object_size;
+  object->data = nss_ZAlloc(arena, object_size);
+  if( (void *)NULL == object->data ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  pulData = (CK_ULONG *)object->data;
+  pcData = (char *)object->data;
+
+  pulData[0] = htonl(ulAttributeCount);
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    CK_ULONG len = pTemplate[i].ulValueLen;
+    pulData[1 + i*3] = htonl(pTemplate[i].type);
+    pulData[2 + i*3] = htonl(len);
+    pulData[3 + i*3] = htonl(offset);
+    nss_dbm_db_swap_copy(pTemplate[i].type, &pcData[offset], pTemplate[i].pValue, len);
+    offset += len;
+  }
+
+  return CKR_OK;
+}
+
+static CK_RV
+nss_dbm_db_unwrap_object
+(
+  NSSArena *arena,
+  DBT *object,
+  CK_ATTRIBUTE_PTR *ppTemplate,
+  CK_ULONG *pulAttributeCount
+)
+{
+  CK_ULONG *pulData;
+  char *pcData;
+  CK_ULONG n, i;
+  CK_ATTRIBUTE_PTR pTemplate;
+
+  pulData = (CK_ULONG *)object->data;
+  pcData = (char *)object->data;
+
+  n = ntohl(pulData[0]);
+  *pulAttributeCount = n;
+  pTemplate = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, n);
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  for( i = 0; i < n; i++ ) {
+    CK_ULONG len;
+    CK_ULONG offset;
+    void *p;
+
+    pTemplate[i].type = ntohl(pulData[1 + i*3]);
+    len = ntohl(pulData[2 + i*3]);
+    offset = ntohl(pulData[3 +  i*3]);
+    
+    p = nss_ZAlloc(arena, len);
+    if( (void *)NULL == p ) {
+      return CKR_HOST_MEMORY;
+    }
+    
+    nss_dbm_db_swap_copy(pTemplate[i].type, p, &pcData[offset], len);
+    pTemplate[i].ulValueLen = len;
+    pTemplate[i].pValue = p;
+  }
+
+  *ppTemplate = pTemplate;
+  return CKR_OK;
+}
+
+
+NSS_IMPLEMENT nss_dbm_dbt_t *
+nss_dbm_db_create_object
+(
+  NSSArena *arena,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  NSSArena *tmparena = (NSSArena *)NULL;
+  nss_dbm_dbt_t *rv = (nss_dbm_dbt_t *)NULL;
+  DBT object;
+
+  rv = nss_ZNEW(arena, nss_dbm_dbt_t);
+  if( (nss_dbm_dbt_t *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  rv->my_db = db;
+  rv->dbt.size = sizeof(struct handle);
+  rv->dbt.data = nss_ZAlloc(arena, rv->dbt.size);
+  if( (void *)NULL == rv->dbt.data ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  *pdbrv = nss_dbm_db_new_handle(db, &rv->dbt, pError);
+  if( 0 != *pdbrv ) {
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  tmparena = NSSArena_Create();
+  if( (NSSArena *)NULL == tmparena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  *pError = nss_dbm_db_wrap_object(tmparena, pTemplate, ulAttributeCount, &object);
+  if( CKR_OK != *pError ) {
+    return (nss_dbm_dbt_t *)NULL;
+  }
+  
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    *pdbrv = db->db->put(db->db, &rv->dbt, &object, 0);
+    if( 0 != *pdbrv ) {
+      *pError = CKR_DEVICE_ERROR;
+    }
+
+    (void)db->db->sync(db->db, 0);
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+ loser:  
+  if( (NSSArena *)NULL != tmparena ) {
+    (void)NSSArena_Destroy(tmparena);
+  }
+
+  return rv;
+}
+
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_find_objects
+(
+  nss_dbm_find_t *find,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+
+  if( (nss_dbm_db_t *)NULL != db ) {
+    DBT k, v;
+
+    rv = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    *pdbrv = db->db->seq(db->db, &k, &v, R_FIRST);
+    while( 0 == *pdbrv ) {
+      CK_ULONG i, j;
+      NSSArena *tmparena = (NSSArena *)NULL;
+      CK_ULONG ulac;
+      CK_ATTRIBUTE_PTR pt;
+
+      if( (k.size < 4) || (0 != memcmp(k.data, PREFIX_OBJECT, 4)) ) {
+        goto nomatch;
+      }
+
+      tmparena = NSSArena_Create();
+
+      rv = nss_dbm_db_unwrap_object(tmparena, &v, &pt, &ulac);
+      if( CKR_OK != rv ) {
+        goto loser;
+      }
+
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        for( j = 0; j < ulac; j++ ) {
+          if( pTemplate[i].type == pt[j].type ) {
+            if( pTemplate[i].ulValueLen != pt[j].ulValueLen ) {
+              goto nomatch;
+            }
+            if( 0 != memcmp(pTemplate[i].pValue, pt[j].pValue, pt[j].ulValueLen) ) {
+              goto nomatch;
+            }
+            break;
+          }
+        }
+        if( j == ulac ) {
+          goto nomatch;
+        }
+      }
+
+      /* entire template matches */
+      {
+        struct nss_dbm_dbt_node *node;
+
+        node = nss_ZNEW(find->arena, struct nss_dbm_dbt_node);
+        if( (struct nss_dbm_dbt_node *)NULL == node ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+
+        node->dbt = nss_ZNEW(find->arena, nss_dbm_dbt_t);
+        if( (nss_dbm_dbt_t *)NULL == node->dbt ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+        
+        node->dbt->dbt.size = k.size;
+        node->dbt->dbt.data = nss_ZAlloc(find->arena, k.size);
+        if( (void *)NULL == node->dbt->dbt.data ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+
+        (void)memcpy(node->dbt->dbt.data, k.data, k.size);
+
+        node->dbt->my_db = db;
+
+        node->next = find->found;
+        find->found = node;
+      }
+
+    nomatch:
+      if( (NSSArena *)NULL != tmparena ) {
+        (void)NSSArena_Destroy(tmparena);
+      }
+      *pdbrv = db->db->seq(db->db, &k, &v, R_NEXT);
+    }
+
+    if( *pdbrv < 0 ) {
+      rv = CKR_DEVICE_ERROR;
+      goto loser;
+    }
+
+    rv = CKR_OK;
+
+  loser:
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_BBOOL
+nss_dbm_db_object_still_exists
+(
+  nss_dbm_dbt_t *dbt
+)
+{
+  CK_BBOOL rv;
+  CK_RV ckrv;
+  int dbrv;
+  DBT object;
+
+  ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+  if( CKR_OK != ckrv ) {
+    return CK_FALSE;
+  }
+
+  dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+  if( 0 == dbrv ) {
+    rv = CK_TRUE;
+  } else {
+    rv = CK_FALSE;
+  }
+
+  (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_ULONG
+nss_dbm_db_get_object_attribute_count
+(
+  nss_dbm_dbt_t *dbt,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  CK_ULONG rv = 0;
+  DBT object;
+  CK_ULONG *pulData;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    rv = ntohl(pulData[0]);
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_get_object_attribute_types
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+  DBT object;
+  CK_ULONG *pulData;
+  CK_ULONG n, i;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      rv = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    n = ntohl(pulData[0]);
+
+    if( ulCount < n ) {
+      rv = CKR_BUFFER_TOO_SMALL;
+      goto done;
+    }
+
+    for( i = 0; i < n; i++ ) {
+      typeArray[i] = ntohl(pulData[1 + i*3]);
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_ULONG
+nss_dbm_db_get_object_attribute_size
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  CK_ULONG rv = 0;
+  DBT object;
+  CK_ULONG *pulData;
+  CK_ULONG n, i;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    n = ntohl(pulData[0]);
+
+    for( i = 0; i < n; i++ ) {
+      if( type == ntohl(pulData[1 + i*3]) ) {
+        rv = ntohl(pulData[2 + i*3]);
+      }
+    }
+
+    if( i == n ) {
+      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSItem *
+nss_dbm_db_get_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  NSSArena *arena,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  DBT object;
+  CK_ULONG i;
+  NSSArena *tmp = NSSArena_Create();
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulAttributeCount;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
+    if( CKR_OK != *pError ) {
+      goto done;
+    }
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( type == pTemplate[i].type ) {
+        rv = nss_ZNEW(arena, NSSItem);
+        if( (NSSItem *)NULL == rv ) {
+          *pError = CKR_HOST_MEMORY;
+          goto done;
+        }
+        rv->size = pTemplate[i].ulValueLen;
+        rv->data = nss_ZAlloc(arena, rv->size);
+        if( (void *)NULL == rv->data ) {
+          *pError = CKR_HOST_MEMORY;
+          goto done;
+        }
+        (void)memcpy(rv->data, pTemplate[i].pValue, rv->size);
+        break;
+      }
+    }
+    if( ulAttributeCount == i ) {
+      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+ loser:
+  if( (NSSArena *)NULL != tmp ) {
+    NSSArena_Destroy(tmp);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_set_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  NSSItem *value,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+  DBT object;
+  CK_ULONG i;
+  NSSArena *tmp = NSSArena_Create();
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulAttributeCount;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      goto loser;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      rv = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
+    if( CKR_OK != rv ) {
+      goto done;
+    }
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( type == pTemplate[i].type ) {
+        /* Replacing an existing attribute */
+        pTemplate[i].ulValueLen = value->size;
+        pTemplate[i].pValue = value->data;
+        break;
+      }
+    }
+
+    if( i == ulAttributeCount ) {
+      /* Adding a new attribute */
+      CK_ATTRIBUTE_PTR npt = nss_ZNEWARRAY(tmp, CK_ATTRIBUTE, ulAttributeCount+1);
+      if( (CK_ATTRIBUTE_PTR)NULL == npt ) {
+        rv = CKR_DEVICE_ERROR;
+        goto done;
+      }
+
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        npt[i] = pTemplate[i];
+      }
+
+      npt[ulAttributeCount].type = type;
+      npt[ulAttributeCount].ulValueLen = value->size;
+      npt[ulAttributeCount].pValue = value->data;
+
+      pTemplate = npt;
+      ulAttributeCount++;
+    }
+
+    rv = nss_dbm_db_wrap_object(tmp, pTemplate, ulAttributeCount, &object);
+    if( CKR_OK != rv ) {
+      goto done;
+    }
+
+    *pdbrv = dbt->my_db->db->put(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 != *pdbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    (void)dbt->my_db->db->sync(dbt->my_db->db, 0);
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+ loser:
+  if( (NSSArena *)NULL != tmp ) {
+    NSSArena_Destroy(tmp);
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/find.c b/security/nss/lib/ckfw/dbm/find.c
new file mode 100644
index 000000000..6979e029b
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/find.c
@@ -0,0 +1,169 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+
+  /* Locks might have system resources associated */
+  (void)NSSCKFWMutex_Destroy(find->list_lock);
+  (void)NSSArena_Destroy(find->arena);
+}
+
+
+static NSSCKMDObject *
+nss_dbm_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+  struct nss_dbm_dbt_node *node;
+  nss_dbm_object_t *object;
+  NSSCKMDObject *rv;
+
+  while(1) {
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node = find->found;
+      if( (struct nss_dbm_dbt_node *)NULL != node ) {
+        find->found = node->next;
+      }
+      
+      *pError = NSSCKFWMutex_Unlock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        /* screwed now */
+        return (NSSCKMDObject *)NULL;
+      }
+    }
+
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      break;
+    }
+
+    if( nss_dbm_db_object_still_exists(node->dbt) ) {
+      break;
+    }
+  }
+
+  if( (struct nss_dbm_dbt_node *)NULL == node ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object = nss_ZNEW(arena, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = arena;
+  object->handle = nss_ZNEW(arena, nss_dbm_dbt_t);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->handle->my_db = node->dbt->my_db;
+  object->handle->dbt.size = node->dbt->dbt.size;
+  object->handle->dbt.data = nss_ZAlloc(arena, node->dbt->dbt.size);
+  if( (void *)NULL == object->handle->dbt.data ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  (void)memcpy(object->handle->dbt.data, node->dbt->dbt.data, node->dbt->dbt.size);
+
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+)
+{
+  NSSCKMDFindObjects *rv;
+
+  rv = nss_ZNEW(find->arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  rv->etc = (void *)find;
+  rv->Final = nss_dbm_mdFindObjects_Final;
+  rv->Next = nss_dbm_mdFindObjects_Next;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/instance.c b/security/nss/lib/ckfw/dbm/instance.c
new file mode 100644
index 000000000..f1fced615
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/instance.c
@@ -0,0 +1,199 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdInstance_Initialize
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSUTF8 *configurationData
+)
+{
+  CK_RV rv = CKR_OK;
+  NSSArena *arena;
+  nss_dbm_instance_t *instance;
+
+  arena = NSSCKFWInstance_GetArena(fwInstance, &rv);
+  if( ((NSSArena *)NULL == arena) && (CKR_OK != rv) ) {
+    return rv;
+  }
+
+  instance = nss_ZNEW(arena, nss_dbm_instance_t);
+  if( (nss_dbm_instance_t *)NULL == instance ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->arena = arena;
+
+  /*
+   * This should parse the configuration data for information on
+   * number and locations of databases, modes (e.g. readonly), etc.
+   * But for now, we'll have one slot with a creatable read-write
+   * database called "cert8.db."
+   */
+
+  instance->nSlots = 1;
+  instance->filenames = nss_ZNEWARRAY(arena, char *, instance->nSlots);
+  if( (char **)NULL == instance->filenames ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->flags = nss_ZNEWARRAY(arena, int, instance->nSlots);
+  if( (int *)NULL == instance->flags ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->filenames[0] = "cert8.db";
+  instance->flags[0] = O_RDWR|O_CREAT;
+
+  mdInstance->etc = (void *)instance;
+  return CKR_OK;
+}
+
+/* nss_dbm_mdInstance_Finalize is not required */
+
+static CK_ULONG
+nss_dbm_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  return instance->nSlots;
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 2, 1 };
+  return rv;
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Mozilla Foundation";
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley Database Module";
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 1, 0 }; /* My own version number */
+  return rv;
+}
+
+static CK_BBOOL
+nss_dbm_mdInstance_ModuleHandlesSessionObjects
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_RV
+nss_dbm_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_ULONG i;
+  CK_RV rv = CKR_OK;
+
+  for( i = 0; i < instance->nSlots; i++ ) {
+    slots[i] = nss_dbm_mdSlot_factory(instance, instance->filenames[i], 
+                                      instance->flags[i], &rv);
+    if( (NSSCKMDSlot *)NULL == slots[i] ) {
+      return rv;
+    }
+  }
+
+  return rv;
+}
+
+/* nss_dbm_mdInstance_WaitForSlotEvent is not relevant */
+
+NSS_IMPLEMENT_DATA NSSCKMDInstance 
+nss_dbm_mdInstance = {
+  NULL, /* etc; filled in later */
+  nss_dbm_mdInstance_Initialize,
+  NULL, /* nss_dbm_mdInstance_Finalize */
+  nss_dbm_mdInstance_GetNSlots,
+  nss_dbm_mdInstance_GetCryptokiVersion,
+  nss_dbm_mdInstance_GetManufacturerID,
+  nss_dbm_mdInstance_GetLibraryDescription,
+  nss_dbm_mdInstance_GetLibraryVersion,
+  nss_dbm_mdInstance_ModuleHandlesSessionObjects,
+  nss_dbm_mdInstance_GetSlots,
+  NULL, /* nss_dbm_mdInstance_WaitForSlotEvent */
+  NULL /* terminator */
+};
diff --git a/security/nss/lib/ckfw/dbm/manifest.mn b/security/nss/lib/ckfw/dbm/manifest.mn
new file mode 100644
index 000000000..0bee9e620
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/manifest.mn
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+
+CSRCS =		   \
+	anchor.c   \
+	instance.c \
+	slot.c	   \
+	token.c	   \
+	session.c  \
+	object.c   \
+	find.c	   \
+	db.c	   \
+	$(NULL)
+
+REQUIRES = dbm nspr
+
+LIBRARY_NAME = nssckdbm
+
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -ldbm -lnspr4 -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/dbm/object.c b/security/nss/lib/ckfw/dbm/object.c
new file mode 100644
index 000000000..1a8f76ed3
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/object.c
@@ -0,0 +1,207 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ;
+}
+
+static CK_RV
+nss_dbm_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  return nss_dbm_db_delete_object(object->handle);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_count(object->handle, pError, 
+                                               &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_types(object->handle, typeArray,
+                                               ulCount, &session->deviceError);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_size(object->handle, attribute, pError, 
+                                              &session->deviceError);
+}
+
+static NSSItem *
+nss_dbm_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute(object->handle, object->arena, attribute,
+                                         pError, &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_set_object_attribute(object->handle, attribute, value,
+                                         &session->deviceError);
+}
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *rv;
+
+  rv = nss_ZNEW(object->arena, NSSCKMDObject);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  rv->etc = (void *)object;
+  rv->Finalize = nss_dbm_mdObject_Finalize;
+  rv->Destroy = nss_dbm_mdObject_Destroy;
+  /*  IsTokenObject can be deferred */
+  rv->GetAttributeCount = nss_dbm_mdObject_GetAttributeCount;
+  rv->GetAttributeTypes = nss_dbm_mdObject_GetAttributeTypes;
+  rv->GetAttributeSize = nss_dbm_mdObject_GetAttributeSize;
+  rv->GetAttribute = nss_dbm_mdObject_GetAttribute;
+  rv->SetAttribute = nss_dbm_mdObject_SetAttribute;
+  /*  GetObjectSize can be deferred */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/session.c b/security/nss/lib/ckfw/dbm/session.c
new file mode 100644
index 000000000..371a94adc
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/session.c
@@ -0,0 +1,301 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdSession_Close
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+
+  struct nss_dbm_dbt_node *w;
+
+  /* Lock */
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(session->list_lock) ) {
+      return;
+    }
+
+    w = session->session_objects;
+    session->session_objects = (struct nss_dbm_dbt_node *)NULL; /* sanity */
+    
+    (void)NSSCKFWMutex_Unlock(session->list_lock);
+  }
+
+  for( ; (struct nss_dbm_dbt_node *)NULL != w; w = w->next ) {
+    (void)nss_dbm_db_delete_object(w->dbt);
+  }
+}
+
+static CK_ULONG
+nss_dbm_mdSession_GetDeviceError
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return session->deviceError;
+}
+
+/* Login isn't needed */
+/* Logout isn't needed */
+/* InitPIN is irrelevant */
+/* SetPIN is irrelevant */
+/* GetOperationStateLen is irrelevant */
+/* GetOperationState is irrelevant */
+/* SetOperationState is irrelevant */
+
+static NSSCKMDObject *
+nss_dbm_mdSession_CreateObject
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *handyArenaPointer,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_ULONG i;
+  CK_BBOOL isToken = CK_FALSE; /* defaults to false */
+  NSSCKMDObject *rv;
+  struct nss_dbm_dbt_node *node = (struct nss_dbm_dbt_node *)NULL;
+  nss_dbm_object_t *object;
+  nss_dbm_db_t *which_db;
+
+  /* This framework should really pass this to me */
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      isToken = *(CK_BBOOL *)pTemplate[i].pValue;
+      break;
+    }
+  }
+
+  object = nss_ZNEW(handyArenaPointer, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = handyArenaPointer;
+  which_db = isToken ? token->slot->token_db : token->session_db;
+
+  /* Do this before the actual database call; it's easier to recover from */
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node = nss_ZNEW(session->arena, struct nss_dbm_dbt_node);
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKMDObject *)NULL;
+    }
+  }
+
+  object->handle = nss_dbm_db_create_object(handyArenaPointer, which_db, 
+                                            pTemplate, ulAttributeCount,
+                                            pError, &session->deviceError);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node->dbt = object->handle;
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(session->list_lock);
+      if( CKR_OK != *pError ) {
+        (void)nss_dbm_db_delete_object(object->handle);
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node->next = session->session_objects;
+      session->session_objects = node;
+      
+      *pError = NSSCKFWMutex_Unlock(session->list_lock);
+    }
+  }
+
+  return rv;
+}
+
+/* CopyObject isn't needed; the framework will use CreateObject */
+
+static NSSCKMDFindObjects *
+nss_dbm_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  NSSArena *arena;
+  nss_dbm_find_t *find;
+  NSSCKMDFindObjects *rv;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find = nss_ZNEW(arena, nss_dbm_find_t);
+  if( (nss_dbm_find_t *)NULL == find ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find->arena = arena;
+  find->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == find->list_lock ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->slot->token_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->session_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  rv = nss_dbm_mdFindObjects_factory(find, pError);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    goto loser;
+  }
+
+  return rv;
+
+ loser:
+  if( (NSSArena *)NULL != arena ) {
+    (void)NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKMDFindObjects *)NULL;
+}
+
+/* SeedRandom is irrelevant */
+/* GetRandom is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  nss_dbm_session_t *session;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+
+  session = nss_ZNEW(arena, nss_dbm_session_t);
+  if( (nss_dbm_session_t *)NULL == session ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  session->arena = arena;
+  session->token = token;
+  session->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == session->list_lock ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv->etc = (void *)session;
+  rv->Close = nss_dbm_mdSession_Close;
+  rv->GetDeviceError = nss_dbm_mdSession_GetDeviceError;
+  /*  Login isn't needed */
+  /*  Logout isn't needed */
+  /*  InitPIN is irrelevant */
+  /*  SetPIN is irrelevant */
+  /*  GetOperationStateLen is irrelevant */
+  /*  GetOperationState is irrelevant */
+  /*  SetOperationState is irrelevant */
+  rv->CreateObject = nss_dbm_mdSession_CreateObject;
+  /*  CopyObject isn't needed; the framework will use CreateObject */
+  rv->FindObjectsInit = nss_dbm_mdSession_FindObjectsInit;
+  rv->null = NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/slot.c b/security/nss/lib/ckfw/dbm/slot.c
new file mode 100644
index 000000000..e43700c75
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/slot.c
@@ -0,0 +1,217 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdSlot_Initialize
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv = CKR_OK;
+
+  slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, slot->filename, 
+                                   slot->flags, &rv);
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    if( CKR_TOKEN_NOT_PRESENT == rv ) {
+      /* This is not an error-- just means "the token isn't there" */
+      rv = CKR_OK;
+    }
+  }
+
+  return rv;
+}
+
+static void
+nss_dbm_mdSlot_Destroy
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL != slot->token_db ) {
+    nss_dbm_db_close(slot->token_db);
+    slot->token_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Database";
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley";
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetTokenPresent
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetRemovableDevice
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  /*
+   * Well, this supports "tokens" (databases) that aren't there, so in
+   * that sense they're removable.  It'd be nice to handle databases
+   * that suddenly disappear (NFS-mounted home directories and network
+   * errors, for instance) but that's a harder problem.  We'll say
+   * we support removable devices, badly.
+   */
+
+  return CK_TRUE;
+}
+
+/* nss_dbm_mdSlot_GetHardwareSlot defaults to CK_FALSE */
+/* 
+ * nss_dbm_mdSlot_GetHardwareVersion
+ * nss_dbm_mdSlot_GetFirmwareVersion
+ *
+ * These are kinda fuzzy concepts here.  I suppose we could return the
+ * Berkeley DB version for one of them, if we had an actual number we
+ * were confident in.  But mcom's "dbm" has been hacked enough that I
+ * don't really know from what "real" version it stems..
+ */
+
+static NSSCKMDToken *
+nss_dbm_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  return nss_dbm_mdToken_factory(slot, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot;
+  NSSCKMDSlot *rv;
+
+  slot = nss_ZNEW(instance->arena, nss_dbm_slot_t);
+  if( (nss_dbm_slot_t *)NULL == slot ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  slot->instance = instance;
+  slot->filename = filename;
+  slot->flags = flags;
+  slot->token_db = (nss_dbm_db_t *)NULL;
+
+  rv = nss_ZNEW(instance->arena, NSSCKMDSlot);
+  if( (NSSCKMDSlot *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  rv->etc = (void *)slot;
+  rv->Initialize = nss_dbm_mdSlot_Initialize;
+  rv->Destroy = nss_dbm_mdSlot_Destroy;
+  rv->GetSlotDescription = nss_dbm_mdSlot_GetSlotDescription;
+  rv->GetManufacturerID = nss_dbm_mdSlot_GetManufacturerID;
+  rv->GetTokenPresent = nss_dbm_mdSlot_GetTokenPresent;
+  rv->GetRemovableDevice = nss_dbm_mdSlot_GetRemovableDevice;
+  /*  GetHardwareSlot */
+  /*  GetHardwareVersion */
+  /*  GetFirmwareVersion */
+  rv->GetToken = nss_dbm_mdSlot_GetToken;
+  rv->null = (void *)NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/token.c b/security/nss/lib/ckfw/dbm/token.c
new file mode 100644
index 000000000..16bd2b3fc
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/token.c
@@ -0,0 +1,318 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdToken_Setup
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_RV rv = CKR_OK;
+
+  token->arena = NSSCKFWToken_GetArena(fwToken, &rv);
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Add a label record if there isn't one? */
+
+  return CKR_OK;
+}
+
+static void
+nss_dbm_mdToken_Invalidate
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+    token->session_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static CK_RV
+nss_dbm_mdToken_InitToken
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSItem *pin,
+  NSSUTF8 *label
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv;
+
+  /* Wipe the session object data */
+  
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+  }
+
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Wipe the token object data */
+
+  if( token->slot->flags & O_RDWR ) {
+    if( (nss_dbm_db_t *)NULL != token->slot->token_db ) {
+      nss_dbm_db_close(token->slot->token_db);
+    }
+
+    token->slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, 
+                                            token->slot->filename,
+                                            token->slot->flags | O_CREAT | O_TRUNC, 
+                                            &rv);
+    if( (nss_dbm_db_t *)NULL == token->slot->token_db ) {
+      return rv;
+    }
+
+    /* PIN is irrelevant */
+
+    rv = nss_dbm_db_set_label(token->slot->token_db, label);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+  }
+
+  return CKR_OK;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (NSSUTF8 *)NULL == token->label ) {
+    token->label = nss_dbm_db_get_label(token->slot->token_db, token->arena, pError);
+  }
+
+  /* If no label has been set, return *something* */
+  if( (NSSUTF8 *)NULL == token->label ) {
+    return token->slot->filename;
+  }
+
+  return token->label;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "mozilla.org NSS";
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "dbm";
+}
+
+/* GetSerialNumber is irrelevant */
+/* GetHasRNG defaults to CK_FALSE */
+
+static CK_BBOOL
+nss_dbm_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( token->slot->flags & O_RDWR ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/* GetLoginRequired defaults to CK_FALSE */
+/* GetUserPinInitialized defaults to CK_FALSE */
+/* GetRestoreKeyNotNeeded is irrelevant */
+/* GetHasClockOnToken defaults to CK_FALSE */
+/* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+/* GetSupportsDualCryptoOperations is irrelevant */
+
+static CK_ULONG
+nss_dbm_mdToken_effectively_infinite
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_EFFECTIVELY_INFINITE;
+}
+
+static CK_VERSION
+nss_dbm_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_db_get_format_version(token->slot->token_db);
+}
+
+/* GetFirmwareVersion is irrelevant */
+/* GetUTCTime is irrelevant */
+
+static NSSCKMDSession *
+nss_dbm_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_mdSession_factory(token, fwSession, fwInstance, rw, pError);
+}
+
+/* GetMechanismCount defaults to zero */
+/* GetMechanismTypes is irrelevant */
+/* GetMechanism is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token;
+  NSSCKMDToken *rv;
+
+  token = nss_ZNEW(slot->instance->arena, nss_dbm_token_t);
+  if( (nss_dbm_token_t *)NULL == token ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  rv = nss_ZNEW(slot->instance->arena, NSSCKMDToken);
+  if( (NSSCKMDToken *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  token->slot = slot;
+
+  rv->etc = (void *)token;
+  rv->Setup = nss_dbm_mdToken_Setup;
+  rv->Invalidate = nss_dbm_mdToken_Invalidate;
+  rv->InitToken = nss_dbm_mdToken_InitToken;
+  rv->GetLabel = nss_dbm_mdToken_GetLabel;
+  rv->GetManufacturerID = nss_dbm_mdToken_GetManufacturerID;
+  rv->GetModel = nss_dbm_mdToken_GetModel;
+  /*  GetSerialNumber is irrelevant */
+  /*  GetHasRNG defaults to CK_FALSE */
+  rv->GetIsWriteProtected = nss_dbm_mdToken_GetIsWriteProtected;
+  /*  GetLoginRequired defaults to CK_FALSE */
+  /*  GetUserPinInitialized defaults to CK_FALSE */
+  /*  GetRestoreKeyNotNeeded is irrelevant */
+  /*  GetHasClockOnToken defaults to CK_FALSE */
+  /*  GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+  /*  GetSupportsDualCryptoOperations is irrelevant */
+  rv->GetMaxSessionCount = nss_dbm_mdToken_effectively_infinite;
+  rv->GetMaxRwSessionCount = nss_dbm_mdToken_effectively_infinite;
+  /*  GetMaxPinLen is irrelevant */
+  /*  GetMinPinLen is irrelevant */
+  /*  GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  rv->GetHardwareVersion = nss_dbm_mdToken_GetHardwareVersion;
+  /*  GetFirmwareVersion is irrelevant */
+  /*  GetUTCTime is irrelevant */
+  rv->OpenSession = nss_dbm_mdToken_OpenSession;
+  rv->null = NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/find.c b/security/nss/lib/ckfw/find.c
new file mode 100644
index 000000000..46ab978ef
--- /dev/null
+++ b/security/nss/lib/ckfw/find.c
@@ -0,0 +1,415 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * find.c
+ *
+ * This file implements the nssCKFWFindObjects type and methods.
+ */
+
+#ifndef CK_H
+#include "ck.h"
+#endif /* CK_H */
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  -- create/destroy --
+ *  nssCKFWFindObjects_Create
+ *  nssCKFWFindObjects_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWFindObjects_GetMDFindObjects
+ * 
+ *  -- implement public accessors --
+ *  nssCKFWFindObjects_GetMDFindObjects
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWFindObjects_Next
+ */
+
+struct NSSCKFWFindObjectsStr {
+  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
+  NSSCKMDFindObjects *mdfo1;
+  NSSCKMDFindObjects *mdfo2;
+  NSSCKFWSession *fwSession;
+  NSSCKMDSession *mdSession;
+  NSSCKFWToken *fwToken;
+  NSSCKMDToken *mdToken;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+
+  NSSCKMDFindObjects *mdFindObjects; /* varies */
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do these routines as no-ops.
+ */
+
+static CK_RV
+findObjects_add_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+findObjects_remove_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWFindObjects_verifyPointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWFindObjects_Create
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWFindObjects_Create
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDFindObjects *mdFindObjects1,
+  NSSCKMDFindObjects *mdFindObjects2,
+  CK_RV *pError
+)
+{
+  NSSCKFWFindObjects *fwFindObjects = NULL;
+  NSSCKMDSession *mdSession;
+  NSSCKMDToken *mdToken;
+  NSSCKMDInstance *mdInstance;
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdToken = nssCKFWToken_GetMDToken(fwToken);
+  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+
+  fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwFindObjects->mdfo1 = mdFindObjects1;
+  fwFindObjects->mdfo2 = mdFindObjects2;
+  fwFindObjects->fwSession = fwSession;
+  fwFindObjects->mdSession = mdSession;
+  fwFindObjects->fwToken = fwToken;
+  fwFindObjects->mdToken = mdToken;
+  fwFindObjects->fwInstance = fwInstance;
+  fwFindObjects->mdInstance = mdInstance;
+
+  fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError);
+  if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  *pError = findObjects_add_pointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return fwFindObjects;
+
+ loser:
+  if( fwFindObjects ) {
+    if( NULL != mdFindObjects1 ) {
+      if( NULL != mdFindObjects1->Final ) {
+        fwFindObjects->mdFindObjects = mdFindObjects1;
+        mdFindObjects1->Final(mdFindObjects1, fwFindObjects, mdSession, 
+          fwSession, mdToken, fwToken, mdInstance, fwInstance);
+      }
+    }
+
+    if( NULL != mdFindObjects2 ) {
+      if( NULL != mdFindObjects2->Final ) {
+        fwFindObjects->mdFindObjects = mdFindObjects2;
+        mdFindObjects2->Final(mdFindObjects2, fwFindObjects, mdSession, 
+          fwSession, mdToken, fwToken, mdInstance, fwInstance);
+      }
+    }
+
+    nss_ZFreeIf(fwFindObjects);
+  }
+
+  if( CKR_OK == *pError ) {
+    *pError = CKR_GENERAL_ERROR;
+  }
+
+  return (NSSCKFWFindObjects *)NULL;
+}
+
+
+/*
+ * nssCKFWFindObjects_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWFindObjects_Destroy
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  nss_ZFreeIf(fwFindObjects);
+
+#ifdef DEBUG
+  (void)findObjects_remove_pointer(fwFindObjects);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWFindObjects_GetMDFindObjects
+ *
+ */
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwFindObjects->mdFindObjects;
+}
+
+/*
+ * nssCKFWFindObjects_Next
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWFindObjects_Next
+(
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *mdObject;
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
+  NSSArena *objArena;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+  
+  /* No more objects */
+  *pError = CKR_OK;
+  goto done;
+
+ wrap:
+  /*
+   * This seems is less than ideal-- we should determine if it's a token
+   * object or a session object, and use the appropriate arena.
+   * But that duplicates logic in nssCKFWObject_IsTokenObject.
+   * Also we should lookup the real session the object was created on
+   * if the object was a session object... however this code is actually
+   * correct because nssCKFWObject_Create will return a cached version of
+   * the object from it's hash. This is necessary because 1) we don't want
+   * to create an arena style leak (where our arena grows with every search),
+   * and 2) we want the same object to always have the same ID. This means
+   * the only case the nssCKFWObject_Create() will need the objArena and the
+   * Session is in the case of token objects (session objects should already
+   * exist in the cache from their initial creation). So this code is correct,
+   * but it depends on nssCKFWObject_Create caching all objects.
+   */
+  objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
+  if( (NSSArena *)NULL == objArena ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_HOST_MEMORY;
+    }
+    goto done;
+  }
+
+  fwObject = nssCKFWObject_Create(objArena, mdObject,
+               NULL, fwFindObjects->fwToken, 
+               fwFindObjects->fwInstance, pError);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
+  return fwObject;
+}
+
+/*
+ * NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+NSS_EXTERN NSSCKMDFindObjects *
+NSSCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWFindObjects_GetMDFindObjects(fwFindObjects);
+}
diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c
new file mode 100644
index 000000000..501299cd8
--- /dev/null
+++ b/security/nss/lib/ckfw/hash.c
@@ -0,0 +1,337 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.  The reason I did
+ * this is that hash tables are used in a few places throughout the
+ * NSS Cryptoki Framework in a fairly stereotyped way, and this allows
+ * me to pull the commonalities into one place.  Should we ever want
+ * to change the implementation, it's all right here.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+struct nssCKFWHashStr {
+  NSSCKFWMutex *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  CK_ULONG count;
+};
+
+static PLHashNumber
+nss_ckfw_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nssCKFWHash *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (nssCKFWHash *)NULL;
+  }
+
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arena, nssCKFWHash);
+  if( (nssCKFWHash *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == rv->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, 
+    PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)nssCKFWMutex_Destroy(rv->mutex);
+    (void)nss_ZFreeIf(rv);
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->count = 0;
+
+  return rv;
+}
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+)
+{
+  (void)nssCKFWMutex_Destroy(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  (void)nss_ZFreeIf(hash);
+}
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  CK_RV error = CKR_OK;
+  PLHashEntry *he;
+
+  error = nssCKFWMutex_Lock(hash->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    error = CKR_HOST_MEMORY;
+  } else {
+    hash->count++;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+)
+{
+  CK_ULONG count;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  count = hash->count;
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return CK_FALSE;
+  }
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (void *)NULL;
+  }
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssCKFWHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_ckfwhash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_ckfwhash_enumerator, &as);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return;
+}
diff --git a/security/nss/lib/ckfw/instance.c b/security/nss/lib/ckfw/instance.c
new file mode 100644
index 000000000..1f4703da8
--- /dev/null
+++ b/security/nss/lib/ckfw/instance.c
@@ -0,0 +1,1372 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * instance.c
+ *
+ * This file implements the NSSCKFWInstance type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  -- create/destroy --
+ *  nssCKFWInstance_Create
+ *  nssCKFWInstance_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWInstance_GetMDInstance
+ *  NSSCKFWInstance_GetArena
+ *  NSSCKFWInstance_MayCreatePthreads
+ *  NSSCKFWInstance_CreateMutex
+ *  NSSCKFWInstance_GetConfigurationData
+ *  NSSCKFWInstance_GetInitArgs
+ *
+ *  -- implement public accessors --
+ *  nssCKFWInstance_GetMDInstance
+ *  nssCKFWInstance_GetArena
+ *  nssCKFWInstance_MayCreatePthreads
+ *  nssCKFWInstance_CreateMutex
+ *  nssCKFWInstance_GetConfigurationData
+ *  nssCKFWInstance_GetInitArgs 
+ *
+ *  -- private accessors --
+ *  nssCKFWInstance_CreateSessionHandle
+ *  nssCKFWInstance_ResolveSessionHandle
+ *  nssCKFWInstance_DestroySessionHandle
+ *  nssCKFWInstance_FindSessionHandle
+ *  nssCKFWInstance_CreateObjectHandle
+ *  nssCKFWInstance_ResolveObjectHandle
+ *  nssCKFWInstance_DestroyObjectHandle
+ *
+ *  -- module fronts --
+ *  nssCKFWInstance_GetNSlots
+ *  nssCKFWInstance_GetCryptokiVersion
+ *  nssCKFWInstance_GetManufacturerID
+ *  nssCKFWInstance_GetFlags
+ *  nssCKFWInstance_GetLibraryDescription
+ *  nssCKFWInstance_GetLibraryVersion
+ *  nssCKFWInstance_GetModuleHandlesSessionObjects
+ *  nssCKFWInstance_GetSlots
+ *  nssCKFWInstance_WaitForSlotEvent
+ *
+ *  -- debugging versions only --
+ *  nssCKFWInstance_verifyPointer
+ */
+
+struct NSSCKFWInstanceStr {
+  NSSCKFWMutex *mutex;
+  NSSArena *arena;
+  NSSCKMDInstance *mdInstance;
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs;
+  CK_C_INITIALIZE_ARGS initArgs;
+  CryptokiLockingState LockingState;
+  CK_BBOOL mayCreatePthreads;
+  NSSUTF8 *configurationData;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **fwSlotList;
+  NSSCKMDSlot **mdSlotList;
+  CK_BBOOL moduleHandlesSessionObjects;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   *  1) Each of the cached descriptions (versions, etc.) are in an
+   *     internally consistant state.
+   *
+   *  2) The session handle hashes and count are consistant
+   *
+   *  3) The object handle hashes and count are consistant.
+   *
+   * I could use multiple locks, but let's wait to see if that's 
+   * really necessary.
+   *
+   * Note that the calls accessing the cached descriptions will 
+   * call the NSSCKMDInstance methods with the mutex locked.  Those
+   * methods may then call the public NSSCKFWInstance routines.
+   * Those public routines only access the constant data above, so
+   * there's no problem.  But be careful if you add to this object;
+   * mutexes are in general not reentrant, so don't create deadlock
+   * situations.
+   */
+
+  CK_VERSION cryptokiVersion;
+  NSSUTF8 *manufacturerID;
+  NSSUTF8 *libraryDescription;
+  CK_VERSION libraryVersion;
+
+  CK_ULONG lastSessionHandle;
+  nssCKFWHash *sessionHandleHash;
+
+  CK_ULONG lastObjectHandle;
+  nssCKFWHash *objectHandleHash;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+instance_add_pointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+instance_remove_pointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_verifyPointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWInstance_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWInstance *
+nssCKFWInstance_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  CryptokiLockingState LockingState,
+  NSSCKMDInstance *mdInstance,
+  CK_RV *pError
+)
+{
+  NSSCKFWInstance *fwInstance;
+  NSSArena *arena = (NSSArena *)NULL;
+  CK_ULONG i;
+  CK_BBOOL called_Initialize = CK_FALSE;
+
+#ifdef NSSDEBUG
+  if( (CK_RV)NULL == pError ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWInstance *)NULL;
+  }
+
+  fwInstance = nss_ZNEW(arena, NSSCKFWInstance);
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    goto nomem;
+  }
+
+  fwInstance->arena = arena;
+  fwInstance->mdInstance = mdInstance;
+
+  fwInstance->LockingState = LockingState;
+  if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
+    fwInstance->initArgs = *pInitArgs;
+    fwInstance->pInitArgs = &fwInstance->initArgs;
+    if( pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS ) {
+      fwInstance->mayCreatePthreads = CK_FALSE;
+    } else {
+      fwInstance->mayCreatePthreads = CK_TRUE;
+    }
+    fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
+  } else {
+    fwInstance->mayCreatePthreads = CK_TRUE;
+  }
+
+  fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena,
+                                          pError);
+  if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  if( (void *)NULL != (void *)mdInstance->Initialize ) {
+    *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    called_Initialize = CK_TRUE;
+  }
+
+  if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) {
+    fwInstance->moduleHandlesSessionObjects = 
+      mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
+  } else {
+    fwInstance->moduleHandlesSessionObjects = CK_FALSE;
+  }
+
+  if( (void *)NULL == (void *)mdInstance->GetNSlots ) {
+    /* That routine is required */
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  fwInstance->nSlots = mdInstance->GetNSlots(mdInstance, fwInstance, pError);
+  if( (CK_ULONG)0 == fwInstance->nSlots ) {
+    if( CKR_OK == *pError ) {
+      /* Zero is not a legitimate answer */
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  fwInstance->fwSlotList = nss_ZNEWARRAY(arena, NSSCKFWSlot *, fwInstance->nSlots);
+  if( (NSSCKFWSlot **)NULL == fwInstance->fwSlotList ) {
+    goto nomem;
+  }
+
+  fwInstance->mdSlotList = nss_ZNEWARRAY(arena, NSSCKMDSlot *, fwInstance->nSlots);
+  if( (NSSCKMDSlot **)NULL == fwInstance->mdSlotList ) {
+    goto nomem;
+  }
+
+  fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance, 
+    fwInstance->arena, pError);
+  if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) {
+    goto loser;
+  }
+
+  fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance,
+    fwInstance->arena, pError);
+  if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) {
+    goto loser;
+  }
+
+  if( (void *)NULL == (void *)mdInstance->GetSlots ) {
+    /* That routine is required */
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  *pError = mdInstance->GetSlots(mdInstance, fwInstance, fwInstance->mdSlotList);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  for( i = 0; i < fwInstance->nSlots; i++ ) {
+    NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i];
+
+    if( (NSSCKMDSlot *)NULL == mdSlot ) {
+      *pError = CKR_GENERAL_ERROR;
+      goto loser;
+    }
+
+    fwInstance->fwSlotList[i] = nssCKFWSlot_Create(fwInstance, mdSlot, i, pError);
+    if( CKR_OK != *pError ) {
+      CK_ULONG j;
+
+      for( j = 0; j < i; j++ ) {
+        (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[j]);
+      }
+
+      for( j = i; j < fwInstance->nSlots; j++ ) {
+        NSSCKMDSlot *mds = fwInstance->mdSlotList[j];
+        if( (void *)NULL != (void *)mds->Destroy ) {
+          mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance);
+        }
+      }
+
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  *pError = instance_add_pointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    for( i = 0; i < fwInstance->nSlots; i++ ) {
+      (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
+    }
+    
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance;
+
+ nomem:
+  *pError = CKR_HOST_MEMORY;
+  /*FALLTHROUGH*/
+ loser:
+
+  if( CK_TRUE == called_Initialize ) {
+    if( (void *)NULL != (void *)mdInstance->Finalize ) {
+      mdInstance->Finalize(mdInstance, fwInstance);
+    }
+  }
+
+  if (arena) {
+    (void)NSSArena_Destroy(arena);
+  }
+  return (NSSCKFWInstance *)NULL;
+}
+
+/*
+ * nssCKFWInstance_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_Destroy
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  nssCKFWMutex_Destroy(fwInstance->mutex);
+
+  for( i = 0; i < fwInstance->nSlots; i++ ) {
+    (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) {
+    fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance);
+  }
+
+  if (fwInstance->sessionHandleHash) {
+     nssCKFWHash_Destroy(fwInstance->sessionHandleHash);
+  }
+
+  if (fwInstance->objectHandleHash) {
+     nssCKFWHash_Destroy(fwInstance->objectHandleHash);
+  }
+
+#ifdef DEBUG
+  (void)instance_remove_pointer(fwInstance);
+#endif /* DEBUG */
+
+  (void)NSSArena_Destroy(fwInstance->arena);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWInstance_GetMDInstance
+ *
+ */
+NSS_IMPLEMENT NSSCKMDInstance *
+nssCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->mdInstance;
+}
+
+/*
+ * nssCKFWInstance_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance->arena;
+}
+
+/*
+ * nssCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->mayCreatePthreads;
+}
+
+/*
+ * nssCKFWInstance_CreateMutex
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMutex *
+nssCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSCKFWMutex *mutex;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, fwInstance->LockingState,
+                              arena, pError);
+  if( (NSSCKFWMutex *)NULL == mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  return mutex;
+}
+
+/*
+ * nssCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_IMPLEMENT NSSUTF8 *
+nssCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->configurationData;
+}
+
+/*
+ * nssCKFWInstance_GetInitArgs
+ *
+ */
+CK_C_INITIALIZE_ARGS_PTR
+nssCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
+  }
+#endif /* NSSDEBUG */
+
+    return fwInstance->pInitArgs;
+}
+
+/*
+ * nssCKFWInstance_CreateSessionHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWInstance_CreateSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  CK_SESSION_HANDLE hSession;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  hSession = ++(fwInstance->lastSessionHandle);
+
+  /* Alan would say I should unlock for this call. */
+  
+  *pError = nssCKFWSession_SetHandle(fwSession, hSession);
+  if( CKR_OK != *pError ) {
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwInstance->sessionHandleHash, 
+              (const void *)hSession, (const void *)fwSession);
+  if( CKR_OK != *pError ) {
+    hSession = (CK_SESSION_HANDLE)0;
+    goto done;
+  }
+
+ done:
+  nssCKFWMutex_Unlock(fwInstance->mutex);
+  return hSession;
+}
+
+/*
+ * nssCKFWInstance_ResolveSessionHandle
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWInstance_ResolveSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  NSSCKFWSession *fwSession;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
+                fwInstance->sessionHandleHash, (const void *)hSession);
+
+  /* Assert(hSession == nssCKFWSession_GetHandle(fwSession)) */
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+
+  return fwSession;
+}
+
+/*
+ * nssCKFWInstance_DestroySessionHandle
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWInstance_DestroySessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  NSSCKFWSession *fwSession;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return;
+  }
+
+  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
+                fwInstance->sessionHandleHash, (const void *)hSession);
+  if (fwSession) {
+    nssCKFWHash_Remove(fwInstance->sessionHandleHash, (const void *)hSession);
+    nssCKFWSession_SetHandle(fwSession, (CK_SESSION_HANDLE)0);
+  }
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+
+  return;
+}
+
+/*
+ * nssCKFWInstance_FindSessionHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWInstance_FindSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWSession_GetHandle(fwSession);
+  /* look it up and assert? */
+}
+
+/*
+ * nssCKFWInstance_CreateObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWInstance_CreateObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_OBJECT_HANDLE hObject;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  hObject = ++(fwInstance->lastObjectHandle);
+
+  *pError = nssCKFWObject_SetHandle(fwObject, hObject);
+  if( CKR_OK != *pError ) {
+    hObject = (CK_OBJECT_HANDLE)0;
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwInstance->objectHandleHash, 
+              (const void *)hObject, (const void *)fwObject);
+  if( CKR_OK != *pError ) {
+    hObject = (CK_OBJECT_HANDLE)0;
+    goto done;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return hObject;
+}
+
+/*
+ * nssCKFWInstance_ResolveObjectHandle
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWInstance_ResolveObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  NSSCKFWObject *fwObject;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                fwInstance->objectHandleHash, (const void *)hObject);
+
+  /* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return fwObject;
+}
+
+/*
+ * nssCKFWInstance_ReassignObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_ReassignObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject,
+  NSSCKFWObject *fwObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWObject *oldObject;
+
+#ifdef NSSDEBUG
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  oldObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                 fwInstance->objectHandleHash, (const void *)hObject);
+  if(oldObject) {
+    /* Assert(hObject == nssCKFWObject_GetHandle(oldObject) */
+    (void)nssCKFWObject_SetHandle(oldObject, (CK_SESSION_HANDLE)0);
+    nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
+  }
+
+  error = nssCKFWObject_SetHandle(fwObject, hObject);
+  if( CKR_OK != error ) {
+    goto done;
+  }
+  error = nssCKFWHash_Add(fwInstance->objectHandleHash, 
+            (const void *)hObject, (const void *)fwObject);
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_DestroyObjectHandle
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWInstance_DestroyObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  NSSCKFWObject *fwObject;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return;
+  }
+
+  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                fwInstance->objectHandleHash, (const void *)hObject);
+  if (fwObject) {
+    /* Assert(hObject = nssCKFWObject_GetHandle(fwObject)) */
+    nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
+    (void)nssCKFWObject_SetHandle(fwObject, (CK_SESSION_HANDLE)0);
+  }
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return;
+}
+
+/*
+ * nssCKFWInstance_FindObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWInstance_FindObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+  
+  return nssCKFWObject_GetHandle(fwObject);
+}
+
+/*
+ * nssCKFWInstance_GetNSlots
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWInstance_GetNSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance->nSlots;
+}  
+
+/*
+ * nssCKFWInstance_GetCryptokiVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWInstance_GetCryptokiVersion
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwInstance->cryptokiVersion.major) ||
+      (0 != fwInstance->cryptokiVersion.minor) ) {
+    rv = fwInstance->cryptokiVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) {
+    fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
+      fwInstance->mdInstance, fwInstance);
+  } else {
+    fwInstance->cryptokiVersion.major = 2;
+    fwInstance->cryptokiVersion.minor = 1;
+  }
+
+  rv = fwInstance->cryptokiVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWInstance_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_GetManufacturerID
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) {
+    if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) {
+      fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
+        fwInstance->mdInstance, fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwInstance->manufacturerID = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_GetFlags
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWInstance_GetFlags
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  /* No "instance flags" are yet defined by Cryptoki. */
+  return (CK_ULONG)0;
+}
+
+/*
+ * nssCKFWInstance_GetLibraryDescription
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_GetLibraryDescription
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR libraryDescription[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == libraryDescription ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) {
+    if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) {
+      fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
+        fwInstance->mdInstance, fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwInstance->libraryDescription = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_GetLibraryVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWInstance_GetLibraryVersion
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwInstance->libraryVersion.major) ||
+      (0 != fwInstance->libraryVersion.minor) ) {
+    rv = fwInstance->libraryVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
+    fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
+      fwInstance->mdInstance, fwInstance);
+  } else {
+    fwInstance->libraryVersion.major = 0;
+    fwInstance->libraryVersion.minor = 3;
+  }
+
+  rv = fwInstance->libraryVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWInstance_GetModuleHandlesSessionObjects
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWInstance_GetModuleHandlesSessionObjects
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->moduleHandlesSessionObjects;
+}
+
+/*
+ * nssCKFWInstance_GetSlots
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot **
+nssCKFWInstance_GetSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot **)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot **)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->fwSlotList;
+}
+
+/*
+ * nssCKFWInstance_WaitForSlotEvent
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWInstance_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL block,
+  CK_RV *pError
+)
+{
+  NSSCKFWSlot *fwSlot = (NSSCKFWSlot *)NULL;
+  NSSCKMDSlot *mdSlot;
+  CK_ULONG i, n;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  switch( block ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) {
+    *pError = CKR_NO_EVENT;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  mdSlot = fwInstance->mdInstance->WaitForSlotEvent(
+    fwInstance->mdInstance,
+    fwInstance,
+    block,
+    pError
+  );
+
+  if( (NSSCKMDSlot *)NULL == mdSlot ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  n = nssCKFWInstance_GetNSlots(fwInstance, pError);
+  if( ((CK_ULONG)0 == n) && (CKR_OK != *pError) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  for( i = 0; i < n; i++ ) {
+    if( fwInstance->mdSlotList[i] == mdSlot ) {
+      fwSlot = fwInstance->fwSlotList[i];
+      break;
+    }
+  }
+
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    /* Internal error */
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  return fwSlot;
+}
+
+/*
+ * NSSCKFWInstance_GetMDInstance
+ *
+ */
+NSS_IMPLEMENT NSSCKMDInstance *
+NSSCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetMDInstance(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+NSSCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetArena(fwInstance, pError);
+}
+
+/*
+ * NSSCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_MayCreatePthreads(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_CreateMutex
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMutex *
+NSSCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+}
+
+/*
+ * NSSCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_IMPLEMENT NSSUTF8 *
+NSSCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetConfigurationData(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_GetInitArgs
+ *
+ */
+NSS_IMPLEMENT CK_C_INITIALIZE_ARGS_PTR
+NSSCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetInitArgs(fwInstance);
+}
+
diff --git a/security/nss/lib/ckfw/manifest.mn b/security/nss/lib/ckfw/manifest.mn
new file mode 100644
index 000000000..977e07082
--- /dev/null
+++ b/security/nss/lib/ckfw/manifest.mn
@@ -0,0 +1,86 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../..
+
+DIRS = builtins 
+
+PRIVATE_EXPORTS = \
+	ck.h		  \
+	ckfw.h		  \
+	ckfwm.h		  \
+	ckfwtm.h	  \
+	ckmd.h		  \
+	ckt.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssck.api  \
+	nssckepv.h \
+	nssckft.h  \
+	nssckfw.h  \
+	nssckfwc.h \
+	nssckfwt.h \
+	nssckg.h   \
+	nssckmdt.h \
+	nssckt.h   \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS =		   \
+	crypto.c   \
+	find.c	   \
+	hash.c	   \
+	instance.c \
+	mutex.c	   \
+	object.c   \
+	session.c  \
+	sessobj.c  \
+	slot.c	   \
+	token.c	   \
+	wrap.c	   \
+	mechanism.c \
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nssckfw
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/ckfw/mechanism.c b/security/nss/lib/ckfw/mechanism.c
new file mode 100644
index 000000000..066278f07
--- /dev/null
+++ b/security/nss/lib/ckfw/mechanism.c
@@ -0,0 +1,1218 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * mechanism.c
+ *
+ * This file implements the NSSCKFWMechanism type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  -- create/destroy --
+ *  nssCKFWMechanism_Create
+ *  nssCKFWMechanism_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWMechanism_GetMDMechanism
+ *  nssCKFWMechanism_GetParameter
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWMechanism_GetMinKeySize
+ *  nssCKFWMechanism_GetMaxKeySize
+ *  nssCKFWMechanism_GetInHardware
+ *  nssCKFWMechanism_GetCanEncrypt
+ *  nssCKFWMechanism_GetCanDecrypt
+ *  nssCKFWMechanism_GetCanDigest
+ *  nssCKFWMechanism_GetCanSign
+ *  nssCKFWMechanism_GetCanSignRecover
+ *  nssCKFWMechanism_GetCanVerify
+ *  nssCKFWMechanism_GetCanGenerate
+ *  nssCKFWMechanism_GetCanGenerateKeyPair
+ *  nssCKFWMechanism_GetCanUnwrap
+ *  nssCKFWMechanism_GetCanWrap
+ *  nssCKFWMechanism_GetCanDerive
+ *  nssCKFWMechanism_EncryptInit
+ *  nssCKFWMechanism_DecryptInit
+ *  nssCKFWMechanism_DigestInit
+ *  nssCKFWMechanism_SignInit
+ *  nssCKFWMechanism_VerifyInit
+ *  nssCKFWMechanism_SignRecoverInit
+ *  nssCKFWMechanism_VerifyRecoverInit
+ *  nssCKFWMechanism_GenerateKey
+ *  nssCKFWMechanism_GenerateKeyPair
+ *  nssCKFWMechanism_GetWrapKeyLength
+ *  nssCKFWMechanism_WrapKey
+ *  nssCKFWMechanism_UnwrapKey
+ *  nssCKFWMechanism_DeriveKey
+ */
+
+
+struct NSSCKFWMechanismStr {
+   NSSCKMDMechanism *mdMechanism;
+   NSSCKMDToken *mdToken;
+   NSSCKFWToken *fwToken;
+   NSSCKMDInstance *mdInstance;
+   NSSCKFWInstance *fwInstance;
+};
+
+/*
+ * nssCKFWMechanism_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMechanism *
+nssCKFWMechanism_Create
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  NSSCKFWMechanism *fwMechanism;
+
+
+  fwMechanism = nss_ZNEW(NULL, NSSCKFWMechanism);
+  if ((NSSCKFWMechanism *)NULL == fwMechanism) {
+    return (NSSCKFWMechanism *)NULL;
+  }
+  fwMechanism->mdMechanism = mdMechanism;
+  fwMechanism->mdToken = mdToken;
+  fwMechanism->fwToken = fwToken;
+  fwMechanism->mdInstance = mdInstance;
+  fwMechanism->fwInstance = fwInstance;
+  return fwMechanism;
+}
+
+/*
+ * nssCKFWMechanism_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWMechanism_Destroy
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+  /* destroy any fw resources held by nssCKFWMechanism (currently none) */
+
+  if ((void *)NULL == (void *)fwMechanism->mdMechanism->Destroy) {
+    /* destroys it's parent as well */
+    fwMechanism->mdMechanism->Destroy(
+        fwMechanism->mdMechanism, 
+        fwMechanism,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance);
+  }
+  /* if the Destroy function wasn't supplied, then the mechanism is 'static',
+   * and there is nothing to destroy */
+  return;
+}
+
+/*
+ * nssCKFWMechanism_GetMDMechanism
+ *
+ */
+NSS_IMPLEMENT NSSCKMDMechanism *
+nssCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+  return fwMechanism->mdMechanism;
+}
+
+/*
+ * nssCKFWMechanism_GetMinKeySize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWMechanism_GetMinKeySize
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMinKeySize) {
+    return 0;
+  }
+
+  return fwMechanism->mdMechanism->GetMinKeySize(fwMechanism->mdMechanism,
+    fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
+    fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
+}
+
+/*
+ * nssCKFWMechanism_GetMaxKeySize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWMechanism_GetMaxKeySize
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMaxKeySize) {
+    return 0;
+  }
+
+  return fwMechanism->mdMechanism->GetMaxKeySize(fwMechanism->mdMechanism,
+    fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
+    fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
+}
+
+/*
+ * nssCKFWMechanism_GetInHardware
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWMechanism_GetInHardware
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetInHardware) {
+    return CK_FALSE;
+  }
+
+  return fwMechanism->mdMechanism->GetInHardware(fwMechanism->mdMechanism,
+    fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
+    fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
+}
+
+
+/*
+ * the following are determined automatically by which of the cryptographic
+ * functions are defined for this mechanism.
+ */
+/*
+ * nssCKFWMechanism_GetCanEncrypt
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanEncrypt
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanDecrypt
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDecrypt
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanDigest
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDigest
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanSign
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanSign
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanSignRecover
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanSignRecover
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanVerify
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanVerify
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanVerifyRecover
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanVerifyRecover
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanGenerate
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanGenerate
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanGenerateKeyPair
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanGenerateKeyPair
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKeyPair) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanUnwrap
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanUnwrap
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanWrap
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanWrap
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * nssCKFWMechanism_GetCanDerive
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetCanDerive
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_RV *pError
+)
+{
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) {
+    return CK_FALSE;
+  }
+  return CK_TRUE;
+}
+
+/*
+ * These are the actual crypto operations
+ */
+
+/* 
+ * nssCKFWMechanism_EncryptInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_EncryptInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_EncryptDecrypt);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->EncryptInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_Encrypt, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_EncryptDecrypt);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_DecryptInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_DecryptInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_EncryptDecrypt);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->DecryptInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_Decrypt, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_EncryptDecrypt);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_DigestInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_DigestInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_Digest);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdOperation = fwMechanism->mdMechanism->DigestInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_Digest, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_Digest);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_SignInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_SignInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_SignVerify);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->SignInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_Sign, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_SignVerify);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_VerifyInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_VerifyInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_SignVerify);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->VerifyInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_Verify, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_SignVerify);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_SignRecoverInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_SignRecoverInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_SignVerify);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->SignRecoverInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_SignRecover, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_SignVerify);
+  }
+
+loser:
+  return error;
+}
+
+/* 
+ * nssCKFWMechanism_VerifyRecoverInit
+ *  Start an encryption session.
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_VerifyRecoverInit
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwObject
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKMDCryptoOperation *mdOperation;
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  CK_RV  error = CKR_OK;
+
+
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                        NSSCKFWCryptoOperationState_SignVerify);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = nssCKFWObject_GetMDObject(fwObject);
+  mdOperation = fwMechanism->mdMechanism->VerifyRecoverInit(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdObject,
+        fwObject,
+        &error
+  );
+  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+    goto loser;
+  }
+
+  fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
+        mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
+        fwMechanism->mdInstance, fwMechanism->fwInstance,
+        NSSCKFWCryptoOperationType_VerifyRecover, &error);
+  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+    nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
+                NSSCKFWCryptoOperationState_SignVerify);
+  }
+
+loser:
+  return error;
+}
+
+/*
+ * nssCKFWMechanism_GenerateKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_GenerateKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  NSSCKFWObject  *fwObject = NULL;
+  NSSArena       *arena;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+    *pError = CKR_FUNCTION_FAILED;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
+  if ((NSSArena *)NULL == arena) {
+    if (CKR_OK == *pError) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdObject = fwMechanism->mdMechanism->GenerateKey(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        pTemplate,
+        ulAttributeCount,
+        pError);
+
+  if ((NSSCKMDObject *)NULL == mdObject) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = nssCKFWObject_Create(arena, mdObject, 
+        fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
+
+  return fwObject;
+}
+
+/*
+ * nssCKFWMechanism_GenerateKeyPair
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_GenerateKeyPair
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG         ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG         ulPrivateKeyAttributeCount,
+  NSSCKFWObject    **fwPublicKeyObject,
+  NSSCKFWObject    **fwPrivateKeyObject
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdPublicKeyObject;
+  NSSCKMDObject  *mdPrivateKeyObject;
+  NSSArena       *arena;
+  CK_RV         error = CKR_OK;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  arena = nssCKFWToken_GetArena(fwMechanism->fwToken, &error);
+  if ((NSSArena *)NULL == arena) {
+    if (CKR_OK == error) {
+      error = CKR_GENERAL_ERROR;
+    }
+    return error;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  error = fwMechanism->mdMechanism->GenerateKeyPair(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        pPublicKeyTemplate,
+        ulPublicKeyAttributeCount,
+        pPrivateKeyTemplate,
+        ulPrivateKeyAttributeCount,
+        &mdPublicKeyObject,
+        &mdPrivateKeyObject);
+
+  if (CKR_OK != error) {
+    return error;
+  }
+
+  *fwPublicKeyObject = nssCKFWObject_Create(arena, mdPublicKeyObject, 
+        fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, &error);
+  if ((NSSCKFWObject *)NULL == *fwPublicKeyObject) {
+    return error;
+  }
+  *fwPrivateKeyObject = nssCKFWObject_Create(arena, mdPrivateKeyObject, 
+        fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, &error);
+
+  return error;
+}
+
+/*
+ * nssCKFWMechanism_GetWrapKeyLength
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetWrapKeyLength
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSCKFWObject    *fwKeyObject,
+  CK_RV                   *pError
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdWrappingKeyObject;
+  NSSCKMDObject  *mdKeyObject;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+    *pError = CKR_FUNCTION_FAILED;
+    return (CK_ULONG) 0;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
+  mdKeyObject = nssCKFWObject_GetMDObject(fwKeyObject);
+  return fwMechanism->mdMechanism->GetWrapKeyLength(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdWrappingKeyObject,
+        fwWrappingKeyObject,
+        mdKeyObject,
+        fwKeyObject,
+        pError);
+}
+
+/*
+ * nssCKFWMechanism_WrapKey
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_WrapKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSCKFWObject    *fwKeyObject,
+  NSSItem          *wrappedKey
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdWrappingKeyObject;
+  NSSCKMDObject  *mdKeyObject;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+    return CKR_FUNCTION_FAILED;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
+  mdKeyObject = nssCKFWObject_GetMDObject(fwKeyObject);
+  return fwMechanism->mdMechanism->WrapKey(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdWrappingKeyObject,
+        fwWrappingKeyObject,
+        mdKeyObject,
+        fwKeyObject,
+        wrappedKey);
+}
+
+/*
+ * nssCKFWMechanism_UnwrapKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_UnwrapKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwWrappingKeyObject,
+  NSSItem          *wrappedKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  NSSCKMDObject  *mdWrappingKeyObject;
+  NSSCKFWObject  *fwObject = NULL;
+  NSSArena       *arena;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) {
+    /* we could simulate UnwrapKey using Decrypt and Create object, but
+     * 1) it's not clear that would work well, and 2) the low level token
+     * may want to restrict unwrap key for a reason, so just fail it it
+     * can't be done */
+    *pError = CKR_FUNCTION_FAILED;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
+  if ((NSSArena *)NULL == arena) {
+    if (CKR_OK == *pError) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
+  mdObject = fwMechanism->mdMechanism->UnwrapKey(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdWrappingKeyObject,
+        fwWrappingKeyObject,
+        wrappedKey,
+        pTemplate,
+        ulAttributeCount,
+        pError);
+
+  if ((NSSCKMDObject *)NULL == mdObject) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = nssCKFWObject_Create(arena, mdObject, 
+        fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
+
+  return fwObject;
+}
+
+/* 
+ * nssCKFWMechanism_DeriveKey
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWMechanism_DeriveKey
+(
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM_PTR pMechanism,
+  NSSCKFWSession   *fwSession,
+  NSSCKFWObject    *fwBaseKeyObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG         ulAttributeCount,
+  CK_RV            *pError
+)
+{
+  NSSCKMDSession *mdSession;
+  NSSCKMDObject  *mdObject;
+  NSSCKMDObject  *mdBaseKeyObject;
+  NSSCKFWObject  *fwObject = NULL;
+  NSSArena       *arena;
+
+  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) {
+    *pError = CKR_FUNCTION_FAILED;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
+  if ((NSSArena *)NULL == arena) {
+    if (CKR_OK == *pError) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdBaseKeyObject = nssCKFWObject_GetMDObject(fwBaseKeyObject);
+  mdObject = fwMechanism->mdMechanism->DeriveKey(
+        fwMechanism->mdMechanism,
+        fwMechanism,
+        pMechanism,
+        mdSession,
+        fwSession,
+        fwMechanism->mdToken,
+        fwMechanism->fwToken,
+        fwMechanism->mdInstance,
+        fwMechanism->fwInstance,
+        mdBaseKeyObject,
+        fwBaseKeyObject,
+        pTemplate,
+        ulAttributeCount,
+        pError);
+
+  if ((NSSCKMDObject *)NULL == mdObject) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = nssCKFWObject_Create(arena, mdObject, 
+        fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
+
+  return fwObject;
+}
+
diff --git a/security/nss/lib/ckfw/mutex.c b/security/nss/lib/ckfw/mutex.c
new file mode 100644
index 000000000..806f54a1f
--- /dev/null
+++ b/security/nss/lib/ckfw/mutex.c
@@ -0,0 +1,305 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * mutex.c
+ *
+ * This file implements a mutual-exclusion locking facility for Modules
+ * using the NSS Cryptoki Framework.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWMutex
+ *
+ *  NSSCKFWMutex_Destroy
+ *  NSSCKFWMutex_Lock
+ *  NSSCKFWMutex_Unlock
+ *
+ *  nssCKFWMutex_Create
+ *  nssCKFWMutex_Destroy
+ *  nssCKFWMutex_Lock
+ *  nssCKFWMutex_Unlock
+ *
+ *  -- debugging versions only --
+ *  nssCKFWMutex_verifyPointer
+ *
+ */
+
+struct NSSCKFWMutexStr {
+  PRLock *lock;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+mutex_add_pointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+mutex_remove_pointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWMutex_verifyPointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWMutex_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWMutex_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  CryptokiLockingState LockingState,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSCKFWMutex *mutex;
+  
+  mutex = nss_ZNEW(arena, NSSCKFWMutex);
+  if( (NSSCKFWMutex *)NULL == mutex ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWMutex *)NULL;
+  }
+  *pError = CKR_OK;
+  mutex->lock = NULL;
+  if (LockingState == MultiThreaded) {
+    mutex->lock = PR_NewLock();
+    if (!mutex->lock) {
+      *pError = CKR_HOST_MEMORY; /* we couldn't get the resource */
+    }
+  }
+    
+  if( CKR_OK != *pError ) {
+    (void)nss_ZFreeIf(mutex);
+    return (NSSCKFWMutex *)NULL;
+  }
+
+#ifdef DEBUG
+  *pError = mutex_add_pointer(mutex);
+  if( CKR_OK != *pError ) {
+    if (mutex->lock) {
+      PR_DestroyLock(mutex->lock);
+    }
+    (void)nss_ZFreeIf(mutex);
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* DEBUG */
+
+  return mutex;
+}  
+
+/*
+ * nssCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+)
+{
+  CK_RV rv = CKR_OK;
+
+#ifdef NSSDEBUG
+  rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+ 
+  if (mutex->lock) {
+    PR_DestroyLock(mutex->lock);
+  } 
+
+#ifdef DEBUG
+  (void)mutex_remove_pointer(mutex);
+#endif /* DEBUG */
+
+  (void)nss_ZFreeIf(mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef NSSDEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+  if (mutex->lock) {
+    PR_Lock(mutex->lock);
+  }
+  
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+)
+{
+  PRStatus nrv;
+#ifdef NSSDEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if (!mutex->lock) 
+    return CKR_OK;
+
+  nrv =  PR_Unlock(mutex->lock);
+
+  /* if unlock fails, either we have a programming error, or we have
+   * some sort of hardware failure... in either case return CKR_DEVICE_ERROR.
+   */
+  return nrv == PR_SUCCESS ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ * NSSCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+  
+  return nssCKFWMutex_Destroy(mutex);
+}
+
+/*
+ * NSSCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+  
+  return nssCKFWMutex_Lock(mutex);
+}
+
+/*
+ * NSSCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWMutex_Unlock(mutex);
+}
+
diff --git a/security/nss/lib/ckfw/nssck.api b/security/nss/lib/ckfw/nssck.api
new file mode 100644
index 000000000..d0b15ff45
--- /dev/null
+++ b/security/nss/lib/ckfw/nssck.api
@@ -0,0 +1,1890 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char NSSCKAPI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssck.api
+ *
+ * This automatically-generated file is used to generate a set of
+ * Cryptoki entry points within the object space of a Module using
+ * the NSS Cryptoki Framework.
+ *
+ * The Module should have a .c file with the following:
+ *
+ *  #define MODULE_NAME name
+ *  #define INSTANCE_NAME instance
+ *  #include "nssck.api"
+ *
+ * where "name" is some module-specific name that can be used to
+ * disambiguate various modules.  This included file will then
+ * define the actual Cryptoki routines which pass through to the
+ * Framework calls.  All routines, except C_GetFunctionList, will
+ * be prefixed with the name; C_GetFunctionList will be generated
+ * to return an entry-point vector with these routines.  The
+ * instance specified should be the basic instance of NSSCKMDInstance.
+ *
+ * If, prior to including nssck.api, the .c file also specifies
+ *
+ *  #define DECLARE_STRICT_CRYTPOKI_NAMES
+ *
+ * Then a set of "stub" routines not prefixed with the name will
+ * be included.  This would allow the combined module and framework
+ * to be used in applications which are hard-coded to use the
+ * PKCS#11 names (instead of going through the EPV).  Please note
+ * that such applications should be careful resolving symbols when
+ * more than one PKCS#11 module is loaded.
+ */
+
+#ifndef MODULE_NAME
+#error "Error: MODULE_NAME must be defined."
+#endif /* MODULE_NAME */
+
+#ifndef INSTANCE_NAME
+#error "Error: INSTANCE_NAME must be defined."
+#endif /* INSTANCE_NAME */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#define ADJOIN(x,y) x##y
+
+#define __ADJOIN(x,y) ADJOIN(x,y)
+
+/*
+ * The anchor.  This object is used to store an "anchor" pointer in
+ * the Module's object space, so the wrapper functions can relate
+ * back to this instance.
+ */
+
+static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Initialize)
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY 
+C_Initialize
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Finalize)
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return NSSCKFWC_Finalize(&fwInstance);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Finalize
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetInfo)
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetInfo(fwInstance, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetInfo
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+/*
+ * C_GetFunctionList is defined at the end.
+ */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSlotList)
+(
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return NSSCKFWC_GetSlotList(fwInstance, tokenPresent, pSlotList, pulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSlotList
+(
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSlotList)(tokenPresent, pSlotList, pulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSlotInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetSlotInfo(fwInstance, slotID, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSlotInfo
+(
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSlotInfo)(slotID, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetTokenInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetTokenInfo(fwInstance, slotID, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetTokenInfo
+(
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetTokenInfo)(slotID, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetMechanismList)
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return NSSCKFWC_GetMechanismList(fwInstance, slotID, pMechanismList, pulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetMechanismList
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetMechanismList)(slotID, pMechanismList, pulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetMechanismInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetMechanismInfo(fwInstance, slotID, type, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetMechanismInfo
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetMechanismInfo)(slotID, type, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_InitToken)
+(
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  return NSSCKFWC_InitToken(fwInstance, slotID, pPin, ulPinLen, pLabel);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_InitToken
+(
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  return __ADJOIN(MODULE_NAME,C_InitToken)(slotID, pPin, ulPinLen, pLabel);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_InitPIN)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return NSSCKFWC_InitPIN(fwInstance, hSession, pPin, ulPinLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_InitPIN
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_InitPIN)(hSession, pPin, ulPinLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetPIN)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  return NSSCKFWC_SetPIN(fwInstance, hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetPIN
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetPIN)(hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_OpenSession)
+(
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  return NSSCKFWC_OpenSession(fwInstance, slotID, flags, pApplication, Notify, phSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_OpenSession
+(
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_OpenSession)(slotID, flags, pApplication, Notify, phSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CloseSession)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_CloseSession(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CloseSession
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CloseSession)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CloseAllSessions)
+(
+  CK_SLOT_ID slotID
+)
+{
+  return NSSCKFWC_CloseAllSessions(fwInstance, slotID);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CloseAllSessions
+(
+  CK_SLOT_ID slotID
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CloseAllSessions)(slotID);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSessionInfo)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetSessionInfo(fwInstance, hSession, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSessionInfo
+(
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSessionInfo)(hSession, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetOperationState)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  return NSSCKFWC_GetOperationState(fwInstance, hSession, pOperationState, pulOperationStateLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetOperationState
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetOperationState)(hSession, pOperationState, pulOperationStateLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetOperationState)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  return NSSCKFWC_SetOperationState(fwInstance, hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetOperationState
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetOperationState)(hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Login)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return NSSCKFWC_Login(fwInstance, hSession, userType, pPin, ulPinLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Login
+(
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Login)(hSession, userType, pPin, ulPinLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Logout)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_Logout(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Logout
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Logout)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CreateObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  return NSSCKFWC_CreateObject(fwInstance, hSession, pTemplate, ulCount, phObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CreateObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CreateObject)(hSession, pTemplate, ulCount, phObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CopyObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  return NSSCKFWC_CopyObject(fwInstance, hSession, hObject, pTemplate, ulCount, phNewObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CopyObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CopyObject)(hSession, hObject, pTemplate, ulCount, phNewObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DestroyObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  return NSSCKFWC_DestroyObject(fwInstance, hSession, hObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DestroyObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DestroyObject)(hSession, hObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetObjectSize)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  return NSSCKFWC_GetObjectSize(fwInstance, hSession, hObject, pulSize);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetObjectSize
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetObjectSize)(hSession, hObject, pulSize);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetAttributeValue)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_GetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetAttributeValue
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetAttributeValue)(hSession, hObject, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetAttributeValue)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_SetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetAttributeValue
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetAttributeValue)(hSession, hObject, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjectsInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_FindObjectsInit(fwInstance, hSession, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjectsInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjectsInit)(hSession, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjects)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  return NSSCKFWC_FindObjects(fwInstance, hSession, phObject, ulMaxObjectCount, pulObjectCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjects
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjects)(hSession, phObject, ulMaxObjectCount, pulObjectCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjectsFinal)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_FindObjectsFinal(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjectsFinal
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjectsFinal)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_EncryptInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Encrypt)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  return NSSCKFWC_Encrypt(fwInstance, hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Encrypt
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Encrypt)(hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_EncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  return NSSCKFWC_EncryptFinal(fwInstance, hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptFinal)(hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_DecryptInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Decrypt)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return NSSCKFWC_Decrypt(fwInstance, hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Decrypt
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Decrypt)(hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  return NSSCKFWC_DecryptFinal(fwInstance, hSession, pLastPart, pulLastPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptFinal)(hSession, pLastPart, pulLastPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  return NSSCKFWC_DigestInit(fwInstance, hSession, pMechanism);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestInit)(hSession, pMechanism);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Digest)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return NSSCKFWC_Digest(fwInstance, hSession, pData, ulDataLen, pDigest, pulDigestLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Digest
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Digest)(hSession, pData, ulDataLen, pDigest, pulDigestLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_DigestUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_DigestKey(fwInstance, hSession, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestKey)(hSession, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return NSSCKFWC_DigestFinal(fwInstance, hSession, pDigest, pulDigestLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestFinal)(hSession, pDigest, pulDigestLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_SignInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Sign)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_Sign(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Sign
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Sign)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_SignUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_SignFinal(fwInstance, hSession, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignFinal)(hSession, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignRecoverInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_SignRecoverInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignRecoverInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignRecoverInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignRecover)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_SignRecover(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignRecover
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignRecover)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_VerifyInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Verify)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return NSSCKFWC_Verify(fwInstance, hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Verify
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Verify)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_VerifyUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return NSSCKFWC_VerifyFinal(fwInstance, hSession, pSignature, ulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyFinal)(hSession, pSignature, ulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyRecoverInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_VerifyRecoverInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyRecoverInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyRecoverInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyRecover)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return NSSCKFWC_VerifyRecover(fwInstance, hSession, pSignature, ulSignatureLen, pData, pulDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyRecover
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyRecover)(hSession, pSignature, ulSignatureLen, pData, pulDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_DigestEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestEncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptDigestUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptDigestUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignEncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_SignEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignEncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptVerifyUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptVerifyUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_GenerateKey(fwInstance, hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateKey)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateKeyPair)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  return NSSCKFWC_GenerateKeyPair(fwInstance, hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateKeyPair
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateKeyPair)(hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_WrapKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  return NSSCKFWC_WrapKey(fwInstance, hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_WrapKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_WrapKey)(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_UnwrapKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_UnwrapKey(fwInstance, hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_UnwrapKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_UnwrapKey)(hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DeriveKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_DeriveKey(fwInstance, hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DeriveKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DeriveKey)(hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SeedRandom)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  return NSSCKFWC_SeedRandom(fwInstance, hSession, pSeed, ulSeedLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SeedRandom
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SeedRandom)(hSession, pSeed, ulSeedLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateRandom)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR RandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  return NSSCKFWC_GenerateRandom(fwInstance, hSession, RandomData, ulRandomLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateRandom
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR RandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateRandom)(hSession, RandomData, ulRandomLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionStatus)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_GetFunctionStatus(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetFunctionStatus
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionStatus)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CancelFunction)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_CancelFunction(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CancelFunction
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CancelFunction)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
+(
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pRserved
+)
+{
+  return NSSCKFWC_WaitForSlotEvent(fwInstance, flags, pSlot, pRserved);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_WaitForSlotEvent
+(
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pRserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)(flags, pSlot, pRserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+);
+
+static CK_FUNCTION_LIST FunctionList = {
+  { 2, 1 },
+__ADJOIN(MODULE_NAME,C_Initialize),
+__ADJOIN(MODULE_NAME,C_Finalize),
+__ADJOIN(MODULE_NAME,C_GetInfo),
+__ADJOIN(MODULE_NAME,C_GetFunctionList),
+__ADJOIN(MODULE_NAME,C_GetSlotList),
+__ADJOIN(MODULE_NAME,C_GetSlotInfo),
+__ADJOIN(MODULE_NAME,C_GetTokenInfo),
+__ADJOIN(MODULE_NAME,C_GetMechanismList),
+__ADJOIN(MODULE_NAME,C_GetMechanismInfo),
+__ADJOIN(MODULE_NAME,C_InitToken),
+__ADJOIN(MODULE_NAME,C_InitPIN),
+__ADJOIN(MODULE_NAME,C_SetPIN),
+__ADJOIN(MODULE_NAME,C_OpenSession),
+__ADJOIN(MODULE_NAME,C_CloseSession),
+__ADJOIN(MODULE_NAME,C_CloseAllSessions),
+__ADJOIN(MODULE_NAME,C_GetSessionInfo),
+__ADJOIN(MODULE_NAME,C_GetOperationState),
+__ADJOIN(MODULE_NAME,C_SetOperationState),
+__ADJOIN(MODULE_NAME,C_Login),
+__ADJOIN(MODULE_NAME,C_Logout),
+__ADJOIN(MODULE_NAME,C_CreateObject),
+__ADJOIN(MODULE_NAME,C_CopyObject),
+__ADJOIN(MODULE_NAME,C_DestroyObject),
+__ADJOIN(MODULE_NAME,C_GetObjectSize),
+__ADJOIN(MODULE_NAME,C_GetAttributeValue),
+__ADJOIN(MODULE_NAME,C_SetAttributeValue),
+__ADJOIN(MODULE_NAME,C_FindObjectsInit),
+__ADJOIN(MODULE_NAME,C_FindObjects),
+__ADJOIN(MODULE_NAME,C_FindObjectsFinal),
+__ADJOIN(MODULE_NAME,C_EncryptInit),
+__ADJOIN(MODULE_NAME,C_Encrypt),
+__ADJOIN(MODULE_NAME,C_EncryptUpdate),
+__ADJOIN(MODULE_NAME,C_EncryptFinal),
+__ADJOIN(MODULE_NAME,C_DecryptInit),
+__ADJOIN(MODULE_NAME,C_Decrypt),
+__ADJOIN(MODULE_NAME,C_DecryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptFinal),
+__ADJOIN(MODULE_NAME,C_DigestInit),
+__ADJOIN(MODULE_NAME,C_Digest),
+__ADJOIN(MODULE_NAME,C_DigestUpdate),
+__ADJOIN(MODULE_NAME,C_DigestKey),
+__ADJOIN(MODULE_NAME,C_DigestFinal),
+__ADJOIN(MODULE_NAME,C_SignInit),
+__ADJOIN(MODULE_NAME,C_Sign),
+__ADJOIN(MODULE_NAME,C_SignUpdate),
+__ADJOIN(MODULE_NAME,C_SignFinal),
+__ADJOIN(MODULE_NAME,C_SignRecoverInit),
+__ADJOIN(MODULE_NAME,C_SignRecover),
+__ADJOIN(MODULE_NAME,C_VerifyInit),
+__ADJOIN(MODULE_NAME,C_Verify),
+__ADJOIN(MODULE_NAME,C_VerifyUpdate),
+__ADJOIN(MODULE_NAME,C_VerifyFinal),
+__ADJOIN(MODULE_NAME,C_VerifyRecoverInit),
+__ADJOIN(MODULE_NAME,C_VerifyRecover),
+__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate),
+__ADJOIN(MODULE_NAME,C_SignEncryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate),
+__ADJOIN(MODULE_NAME,C_GenerateKey),
+__ADJOIN(MODULE_NAME,C_GenerateKeyPair),
+__ADJOIN(MODULE_NAME,C_WrapKey),
+__ADJOIN(MODULE_NAME,C_UnwrapKey),
+__ADJOIN(MODULE_NAME,C_DeriveKey),
+__ADJOIN(MODULE_NAME,C_SeedRandom),
+__ADJOIN(MODULE_NAME,C_GenerateRandom),
+__ADJOIN(MODULE_NAME,C_GetFunctionStatus),
+__ADJOIN(MODULE_NAME,C_CancelFunction),
+__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
+};
+
+static CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
+
+/* This one is always present */
+CK_RV CK_ENTRY
+C_GetFunctionList
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+}
+
+#undef __ADJOIN
+
diff --git a/security/nss/lib/ckfw/nssckepv.h b/security/nss/lib/ckfw/nssckepv.h
new file mode 100644
index 000000000..c65260829
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckepv.h
@@ -0,0 +1,42 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef NSSCKEPV_H
+#define NSSCKEPV_H
+
+#include "pkcs11.h"
+
+#endif /* NSSCKEPV_H */
diff --git a/security/nss/lib/ckfw/nssckft.h b/security/nss/lib/ckfw/nssckft.h
new file mode 100644
index 000000000..506992c3f
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckft.h
@@ -0,0 +1,43 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _NSSCKFT_H_
+#define _NSSCKFT_H_ 1
+
+#include "pkcs11t.h"
+
+#endif /* _NSSCKFT_H_ */
diff --git a/security/nss/lib/ckfw/nssckfw.h b/security/nss/lib/ckfw/nssckfw.h
new file mode 100644
index 000000000..e8149bb5d
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfw.h
@@ -0,0 +1,526 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSCKFW_H
+#define NSSCKFW_H
+
+#ifdef DEBUG
+static const char NSSCKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssckfw.h
+ *
+ * This file prototypes the publicly available calls of the 
+ * NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  NSSCKFWInstance_GetMDInstance
+ *  NSSCKFWInstance_GetArena
+ *  NSSCKFWInstance_MayCreatePthreads
+ *  NSSCKFWInstance_CreateMutex
+ *  NSSCKFWInstance_GetConfigurationData
+ */
+
+/*
+ * NSSCKFWInstance_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+NSSCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWInstance_MayCreatePthreads
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_CreateMutex
+ *
+ */
+
+NSS_EXTERN NSSCKFWMutex *
+NSSCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWInstance_GetConfigurationData
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_GetInitArgs
+ *
+ */
+
+NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
+NSSCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWSlot
+ *
+ *  NSSCKFWSlot_GetMDSlot
+ *  NSSCKFWSlot_GetFWInstance
+ *  NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+/*
+ * NSSCKFWSlot_GetMDSlot
+ *
+ */
+
+NSS_EXTERN NSSCKMDSlot *
+NSSCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_EXTERN NSSCKFWInstance *
+NSSCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+NSSCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWToken
+ *
+ *  NSSCKFWToken_GetMDToken
+ *  NSSCKFWToken_GetFWSlot
+ *  NSSCKFWToken_GetMDSlot
+ *  NSSCKFWToken_GetSessionState
+ *
+ */
+
+/*
+ * NSSCKFWToken_GetMDToken
+ *
+ */
+
+NSS_EXTERN NSSCKMDToken *
+NSSCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWToken_GetFWSlot
+ *
+ */
+
+NSS_EXTERN NSSCKFWSlot *
+NSSCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetMDSlot
+ *
+ */
+
+NSS_EXTERN NSSCKMDSlot *
+NSSCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetSessionState
+ *
+ */
+
+NSS_EXTERN CK_STATE
+NSSCKFWToken_GetSessionState
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  NSSKCFWMechanism_GetMDMechanism
+ *  NSSCKFWMechanism_GetParameter
+ *
+ */
+
+/*
+ * NSSKCFWMechanism_GetMDMechanism
+ *
+ */
+
+NSS_EXTERN NSSCKMDMechanism *
+NSSCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * NSSCKFWMechanism_GetParameter
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCKFWMechanism_GetParameter
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * NSSCKFWSession
+ *
+ *  NSSCKFWSession_GetMDSession
+ *  NSSCKFWSession_GetArena
+ *  NSSCKFWSession_CallNotification
+ *  NSSCKFWSession_IsRWSession
+ *  NSSCKFWSession_IsSO
+ *  NSSCKFWSession_GetCurrentCryptoOperation
+ *
+ */
+
+/*
+ * NSSCKFWSession_GetMDSession
+ *
+ */
+
+NSS_EXTERN NSSCKMDSession *
+NSSCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWSession_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWSession_CallNotification
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+);
+
+/*
+ * NSSCKFWSession_IsRWSession
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWSession_IsSO
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWSession_GetCurrentCryptoOperation
+ *
+ */
+
+NSS_EXTERN NSSCKFWCryptoOperation *
+NSSCKFWSession_GetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationState state
+);
+
+/*
+ * NSSCKFWObject
+ *
+ *  NSSCKFWObject_GetMDObject
+ *  NSSCKFWObject_GetArena
+ *  NSSCKFWObject_IsTokenObject
+ *  NSSCKFWObject_GetAttributeCount
+ *  NSSCKFWObject_GetAttributeTypes
+ *  NSSCKFWObject_GetAttributeSize
+ *  NSSCKFWObject_GetAttribute
+ *  NSSCKFWObject_GetObjectSize
+ */
+
+/*
+ * NSSCKFWObject_GetMDObject
+ *
+ */
+NSS_EXTERN NSSCKMDObject *
+NSSCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * NSSCKFWObject_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+NSSCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_IsTokenObject
+ *
+ */
+NSS_EXTERN CK_BBOOL
+NSSCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * NSSCKFWObject_GetAttributeCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWObject_GetAttributeSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetAttribute
+ *
+ */
+NSS_EXTERN NSSItem *
+NSSCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+/*
+ * NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+NSS_EXTERN NSSCKMDFindObjects *
+NSSCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *
+);
+
+/*
+ * NSSCKFWMutex
+ *
+ *  NSSCKFWMutex_Destroy
+ *  NSSCKFWMutex_Lock
+ *  NSSCKFWMutex_Unlock
+ *
+ */
+
+/*
+ * NSSCKFWMutex_Destroy
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * NSSCKFWMutex_Lock
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * NSSCKFWMutex_Unlock
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+);
+
+#endif /* NSSCKFW_H */
+
diff --git a/security/nss/lib/ckfw/nssckfwc.h b/security/nss/lib/ckfw/nssckfwc.h
new file mode 100644
index 000000000..965fb2a02
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfwc.h
@@ -0,0 +1,1049 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSCKFWC_H
+#define NSSCKFWC_H
+
+#ifdef DEBUG
+static const char NSSCKFWC_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssckfwc.h
+ *
+ * This file prototypes all of the NSS Cryptoki Framework "wrapper" 
+ * which implement the PKCS#11 API.  Technically, these are public
+ * routines (with capital "NSS" prefixes), since they are called
+ * from (generated) code within a Module using the Framework.
+ * However, they should not be called except from those generated
+ * calls.  Hence, the prototypes have been split out into this file.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+/*
+ * NSSCKFWC_Initialize
+ * NSSCKFWC_Finalize
+ * NSSCKFWC_GetInfo
+ * -- NSSCKFWC_GetFunctionList -- see the API insert file
+ * NSSCKFWC_GetSlotList
+ * NSSCKFWC_GetSlotInfo
+ * NSSCKFWC_GetTokenInfo
+ * NSSCKFWC_WaitForSlotEvent
+ * NSSCKFWC_GetMechanismList
+ * NSSCKFWC_GetMechanismInfo
+ * NSSCKFWC_InitToken
+ * NSSCKFWC_InitPIN
+ * NSSCKFWC_SetPIN
+ * NSSCKFWC_OpenSession
+ * NSSCKFWC_CloseSession
+ * NSSCKFWC_CloseAllSessions
+ * NSSCKFWC_GetSessionInfo
+ * NSSCKFWC_GetOperationState
+ * NSSCKFWC_SetOperationState
+ * NSSCKFWC_Login
+ * NSSCKFWC_Logout
+ * NSSCKFWC_CreateObject
+ * NSSCKFWC_CopyObject
+ * NSSCKFWC_DestroyObject
+ * NSSCKFWC_GetObjectSize
+ * NSSCKFWC_GetAttributeValue
+ * NSSCKFWC_SetAttributeValue
+ * NSSCKFWC_FindObjectsInit
+ * NSSCKFWC_FindObjects
+ * NSSCKFWC_FindObjectsFinal
+ * NSSCKFWC_EncryptInit
+ * NSSCKFWC_Encrypt
+ * NSSCKFWC_EncryptUpdate
+ * NSSCKFWC_EncryptFinal
+ * NSSCKFWC_DecryptInit
+ * NSSCKFWC_Decrypt
+ * NSSCKFWC_DecryptUpdate
+ * NSSCKFWC_DecryptFinal
+ * NSSCKFWC_DigestInit
+ * NSSCKFWC_Digest
+ * NSSCKFWC_DigestUpdate
+ * NSSCKFWC_DigestKey
+ * NSSCKFWC_DigestFinal
+ * NSSCKFWC_SignInit
+ * NSSCKFWC_Sign
+ * NSSCKFWC_SignUpdate
+ * NSSCKFWC_SignFinal
+ * NSSCKFWC_SignRecoverInit
+ * NSSCKFWC_SignRecover
+ * NSSCKFWC_VerifyInit
+ * NSSCKFWC_Verify
+ * NSSCKFWC_VerifyUpdate
+ * NSSCKFWC_VerifyFinal
+ * NSSCKFWC_VerifyRecoverInit
+ * NSSCKFWC_VerifyRecover
+ * NSSCKFWC_DigestEncryptUpdate
+ * NSSCKFWC_DecryptDigestUpdate
+ * NSSCKFWC_SignEncryptUpdate
+ * NSSCKFWC_DecryptVerifyUpdate
+ * NSSCKFWC_GenerateKey
+ * NSSCKFWC_GenerateKeyPair
+ * NSSCKFWC_WrapKey
+ * NSSCKFWC_UnwrapKey
+ * NSSCKFWC_DeriveKey
+ * NSSCKFWC_SeedRandom
+ * NSSCKFWC_GenerateRandom
+ * NSSCKFWC_GetFunctionStatus
+ * NSSCKFWC_CancelFunction
+ */
+
+/*
+ * NSSCKFWC_Initialize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Initialize
+(
+  NSSCKFWInstance **pFwInstance,
+  NSSCKMDInstance *mdInstance,
+  CK_VOID_PTR pInitArgs
+);
+
+/*
+ * NSSCKFWC_Finalize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Finalize
+(
+  NSSCKFWInstance **pFwInstance
+);
+
+/*
+ * NSSCKFWC_GetInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_INFO_PTR pInfo
+);
+  
+/*
+ * C_GetFunctionList is implemented entirely in the Module's file which
+ * includes the Framework API insert file.  It requires no "actual"
+ * NSSCKFW routine.
+ */
+
+/*
+ * NSSCKFWC_GetSlotList
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSlotList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+);
+ 
+/*
+ * NSSCKFWC_GetSlotInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSlotInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_GetTokenInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetTokenInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_WaitForSlotEvent
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pReserved
+);
+
+/*
+ * NSSCKFWC_GetMechanismList
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetMechanismList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+);
+
+/*
+ * NSSCKFWC_GetMechanismInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetMechanismInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_InitToken
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_InitToken
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+);
+
+/*
+ * NSSCKFWC_InitPIN
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_InitPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+);
+
+/*
+ * NSSCKFWC_SetPIN
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+);
+
+/*
+ * NSSCKFWC_OpenSession
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_OpenSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+);
+
+/*
+ * NSSCKFWC_CloseSession
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CloseSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CloseAllSessions
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CloseAllSessions
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID
+);
+
+/*
+ * NSSCKFWC_GetSessionInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSessionInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_GetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+);
+
+/*
+ * NSSCKFWC_SetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+);
+
+/*
+ * NSSCKFWC_Login
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Login
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+);
+
+/*
+ * NSSCKFWC_Logout
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Logout
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CreateObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CreateObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+);
+
+/*
+ * NSSCKFWC_CopyObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CopyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+);
+
+/*
+ * NSSCKFWC_DestroyObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DestroyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * NSSCKFWC_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetObjectSize
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+);
+
+/*
+ * NSSCKFWC_GetAttributeValue
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+  
+/*
+ * NSSCKFWC_SetAttributeValue
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWC_FindObjectsInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjectsInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWC_FindObjects
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjects
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+);
+
+/*
+ * NSSCKFWC_FindObjectsFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjectsFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_EncryptInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Encrypt
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Encrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+);
+
+/*
+ * NSSCKFWC_EncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_EncryptFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Decrypt
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Decrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+);
+
+/*
+ * NSSCKFWC_DecryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+);
+
+/*
+ * NSSCKFWC_DigestInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+);
+
+/*
+ * NSSCKFWC_Digest
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Digest
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+);
+
+/*
+ * NSSCKFWC_DigestUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen
+);
+
+/*
+ * NSSCKFWC_DigestKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_DigestFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+);
+
+/*
+ * NSSCKFWC_SignInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Sign
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Sign
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_SignUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+);
+
+/*
+ * NSSCKFWC_SignFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_SignRecoverInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_SignRecover
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Verify
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Verify
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+);
+
+/*
+ * NSSCKFWC_VerifyFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyRecoverInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_VerifyRecover
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+);
+
+/*
+ * NSSCKFWC_DigestEncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptDigestUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptDigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_SignEncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptVerifyUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptVerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_GenerateKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_GenerateKeyPair
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateKeyPair
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+);
+
+/*
+ * NSSCKFWC_WrapKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_WrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+);
+
+/*
+ * NSSCKFWC_UnwrapKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_UnwrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_DeriveKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DeriveKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_SeedRandom
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SeedRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+);
+
+/*
+ * NSSCKFWC_GenerateRandom
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pRandomData,
+  CK_ULONG ulRandomLen
+);
+
+/*
+ * NSSCKFWC_GetFunctionStatus
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetFunctionStatus
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CancelFunction
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CancelFunction
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+#endif /* NSSCKFWC_H */
diff --git a/security/nss/lib/ckfw/nssckfwt.h b/security/nss/lib/ckfw/nssckfwt.h
new file mode 100644
index 000000000..2645b4631
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfwt.h
@@ -0,0 +1,146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSCKFWT_H
+#define NSSCKFWT_H
+
+#ifdef DEBUG
+static const char NSSCKFWT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssckfwt.h
+ *
+ * This file declares the public types used by the NSS Cryptoki Framework.
+ */
+
+/*
+ * NSSCKFWInstance
+ *
+ */
+
+struct NSSCKFWInstanceStr;
+typedef struct NSSCKFWInstanceStr NSSCKFWInstance;
+
+/*
+ * NSSCKFWSlot
+ *
+ */
+
+struct NSSCKFWSlotStr;
+typedef struct NSSCKFWSlotStr NSSCKFWSlot;
+
+/*
+ * NSSCKFWToken
+ *
+ */
+
+struct NSSCKFWTokenStr;
+typedef struct NSSCKFWTokenStr NSSCKFWToken;
+
+/*
+ * NSSCKFWMechanism
+ *
+ */
+
+struct NSSCKFWMechanismStr;
+typedef struct NSSCKFWMechanismStr NSSCKFWMechanism;
+
+/*
+ * NSSCKFWCryptoOperation
+ *
+ */
+
+struct NSSCKFWCryptoOperationStr;
+typedef struct NSSCKFWCryptoOperationStr NSSCKFWCryptoOperation;
+
+
+/*
+ * NSSCKFWSession
+ *
+ */
+
+struct NSSCKFWSessionStr;
+typedef struct NSSCKFWSessionStr NSSCKFWSession;
+
+/*
+ * NSSCKFWObject
+ *
+ */
+
+struct NSSCKFWObjectStr;
+typedef struct NSSCKFWObjectStr NSSCKFWObject;
+
+/*
+ * NSSCKFWFindObjects
+ *
+ */
+
+struct NSSCKFWFindObjectsStr;
+typedef struct NSSCKFWFindObjectsStr NSSCKFWFindObjects;
+
+/*
+ * NSSCKFWMutex
+ *
+ */
+
+struct NSSCKFWMutexStr;
+typedef struct NSSCKFWMutexStr NSSCKFWMutex;
+
+typedef enum {
+    SingleThreaded,
+    MultiThreaded
+} CryptokiLockingState ;
+
+/* used as an index into an array, make sure it starts at '0' */
+typedef enum {
+    NSSCKFWCryptoOperationState_EncryptDecrypt = 0,
+    NSSCKFWCryptoOperationState_SignVerify,
+    NSSCKFWCryptoOperationState_Digest,
+    NSSCKFWCryptoOperationState_Max
+} NSSCKFWCryptoOperationState;
+
+typedef enum {
+    NSSCKFWCryptoOperationType_Encrypt,
+    NSSCKFWCryptoOperationType_Decrypt,
+    NSSCKFWCryptoOperationType_Digest,
+    NSSCKFWCryptoOperationType_Sign,
+    NSSCKFWCryptoOperationType_Verify,
+    NSSCKFWCryptoOperationType_SignRecover,
+    NSSCKFWCryptoOperationType_VerifyRecover
+} NSSCKFWCryptoOperationType;
+
+#endif /* NSSCKFWT_H */
diff --git a/security/nss/lib/ckfw/nssckg.h b/security/nss/lib/ckfw/nssckg.h
new file mode 100644
index 000000000..f6d55243c
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckg.h
@@ -0,0 +1,42 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef NSSCKG_H
+#define NSSCKG_H
+
+#include "pkcs11.h"
+
+#endif /* NSSCKG_H */
diff --git a/security/nss/lib/ckfw/nssckmdt.h b/security/nss/lib/ckfw/nssckmdt.h
new file mode 100644
index 000000000..96fa0853d
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckmdt.h
@@ -0,0 +1,1981 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSCKMDT_H
+#define NSSCKMDT_H
+
+#ifdef DEBUG
+static const char NSSCKMDT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssckmdt.h
+ *
+ * This file specifies the basic types that must be implemented by
+ * any Module using the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+typedef struct NSSCKMDInstanceStr NSSCKMDInstance;
+typedef struct NSSCKMDSlotStr NSSCKMDSlot;
+typedef struct NSSCKMDTokenStr NSSCKMDToken;
+typedef struct NSSCKMDSessionStr NSSCKMDSession;
+typedef struct NSSCKMDCryptoOperationStr NSSCKMDCryptoOperation;
+typedef struct NSSCKMDFindObjectsStr NSSCKMDFindObjects;
+typedef struct NSSCKMDMechanismStr NSSCKMDMechanism;
+typedef struct NSSCKMDObjectStr NSSCKMDObject;
+
+/*
+ * NSSCKFWItem
+ *
+ * This is a structure used by modules to return object attributes.
+ * The needsFreeing bit indicates whether the object needs to be freed.
+ * If so, the framework will call the FreeAttribute function on the item
+ * after it is done using it.
+ *
+ */
+
+typedef struct {
+  PRBool needsFreeing;
+  NSSItem* item;
+} NSSCKFWItem ;
+
+/*
+ * NSSCKMDInstance
+ *
+ * This is the basic handle for an instance of a PKCS#11 Module.
+ * It is returned by the Module's CreateInstance routine, and
+ * may be obtained from the corresponding NSSCKFWInstance object.
+ * It contains a pointer for use by the Module, to store any
+ * instance-related data, and it contains the EPV for a set of
+ * routines which the Module may implement for use by the Framework.
+ * Some of these routines are optional; others are mandatory.
+ */
+
+struct NSSCKMDInstanceStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework to initialize
+   * the Module.  This routine is optional; if unimplemented,
+   * it won't be called.  If this routine returns an error,
+   * then the initialization will fail.
+   */
+  CK_RV (PR_CALLBACK *Initialize)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    NSSUTF8 *configurationData
+  );
+
+  /*
+   * This routine is called when the Framework is finalizing
+   * the PKCS#11 Module.  It is the last thing called before
+   * the NSSCKFWInstance's NSSArena is destroyed.  This routine
+   * is optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Finalize)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine gets the number of slots.  This value must
+   * never change, once the instance is initialized.  This 
+   * routine must be implemented.  It may return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetNSlots)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the version of the Cryptoki standard
+   * to which this Module conforms.  This routine is optional;
+   * if unimplemented, the Framework uses the version to which
+   * ~it~ was implemented.
+   */
+  CK_VERSION (PR_CALLBACK *GetCryptokiVersion)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing the manufacturer ID for this Module.  Only
+   * the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.
+   * The string returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of this Module library.  Only
+   * the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.
+   * The string returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetLibraryDescription)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the version of this Module library.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a Module library version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetLibraryVersion)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the Module wishes to
+   * handle session objects.  This routine is optional.
+   * If this routine is NULL, or if it exists but returns
+   * CK_FALSE, the Framework will assume responsibility
+   * for managing session objects.
+   */
+  CK_BBOOL (PR_CALLBACK *ModuleHandlesSessionObjects)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs pointers to NSSCKMDSlot objects into
+   * the specified array; one for each slot supported by this
+   * instance.  The Framework will determine the size needed
+   * for the array by calling GetNSlots.  This routine is
+   * required.
+   */
+  CK_RV (PR_CALLBACK *GetSlots)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDSlot *slots[]
+  );
+
+  /*
+   * This call returns a pointer to the slot in which an event
+   * has occurred.  If the block argument is CK_TRUE, the call 
+   * should block until a slot event occurs; if CK_FALSE, it 
+   * should check to see if an event has occurred, occurred, 
+   * but return NULL (and set *pError to CK_NO_EVENT) if one 
+   * hasn't.  This routine is optional; if unimplemented, the
+   * Framework will assume that no event has happened.  This
+   * routine may return NULL upon error.
+   */
+  NSSCKMDSlot *(PR_CALLBACK *WaitForSlotEvent)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_BBOOL block,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+
+/*
+ * NSSCKMDSlot
+ *
+ * This is the basic handle for a PKCS#11 Module Slot.  It is
+ * created by the NSSCKMDInstance->GetSlots call, and may be
+ * obtained from the Framework's corresponding NSSCKFWSlot
+ * object.  It contains a pointer for use by the Module, to
+ * store any slot-related data, and it contains the EPV for
+ * a set of routines which the Module may implement for use
+ * by the Framework.  Some of these routines are optional.
+ */
+
+struct NSSCKMDSlotStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called during the Framework initialization
+   * step, after the Framework Instance has obtained the list
+   * of slots (by calling NSSCKMDInstance->GetSlots).  Any slot-
+   * specific initialization can be done here.  This routine is
+   * optional; if unimplemented, it won't be called.  Note that
+   * if this routine returns an error, the entire Framework
+   * initialization for this Module will fail.
+   */
+  CK_RV (PR_CALLBACK *Initialize)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is called when the Framework is finalizing
+   * the PKCS#11 Module.  This call (for each of the slots)
+   * is the last thing called before NSSCKMDInstance->Finalize.
+   * This routine is optional; if unimplemented, it merely 
+   * won't be called.  Note: In the rare circumstance that
+   * the Framework initialization cannot complete (due to,
+   * for example, memory limitations), this can be called with
+   * a NULL value for fwSlot.
+   */
+  void (PR_CALLBACK *Destroy)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of this slot.  Only the characters
+   * completely encoded in the first sixty-four bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetSlotDescription)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of the manufacturer of this slot.
+   * Only the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.  
+   * The string  returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns CK_TRUE if a token is present in this
+   * slot.  This routine is optional; if unimplemented, CK_TRUE
+   * is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetTokenPresent)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the slot supports removable
+   * tokens.  This routine is optional; if unimplemented, CK_FALSE
+   * is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetRemovableDevice)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this slot is a hardware
+   * device, or CK_FALSE if this slot is a software device.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHardwareSlot)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version of this slot's hardware.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a hardware version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version of this slot's firmware.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a hardware version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine should return a pointer to an NSSCKMDToken
+   * object corresponding to the token in the specified slot.
+   * The NSSCKFWToken object passed in has an NSSArena
+   * available which is dedicated for this token.  This routine
+   * must be implemented.  This routine may return NULL upon
+   * error.
+   */
+  NSSCKMDToken *(PR_CALLBACK *GetToken)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDToken
+ *
+ * This is the basic handle for a PKCS#11 Token.  It is created by
+ * the NSSCKMDSlot->GetToken call, and may be obtained from the
+ * Framework's corresponding NSSCKFWToken object.  It contains a
+ * pointer for use by the Module, to store any token-related
+ * data, and it contains the EPV for a set of routines which the
+ * Module may implement for use by the Framework.  Some of these
+ * routines are optional.
+ */
+
+struct NSSCKMDTokenStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is used to prepare a Module token object for
+   * use.  It is called after the NSSCKMDToken object is obtained
+   * from NSSCKMDSlot->GetToken.  It is named "Setup" here because
+   * Cryptoki already defines "InitToken" to do the process of
+   * wiping out any existing state on a token and preparing it for
+   * a new use.  This routine is optional; if unimplemented, it
+   * merely won't be called.
+   */
+  CK_RV (PR_CALLBACK *Setup)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is called by the Framework whenever it notices
+   * that the token object is invalid.  (Typically this is when a 
+   * routine indicates an error such as CKR_DEVICE_REMOVED).  This
+   * call is the last thing called before the NSSArena in the
+   * corresponding NSSCKFWToken is destroyed.  This routine is
+   * optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Invalidate)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine initialises the token in the specified slot.
+   * This routine is optional; if unimplemented, the Framework
+   * will fail this operation with an error of CKR_DEVICE_ERROR.
+   */
+
+  CK_RV (PR_CALLBACK *InitToken)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *pin,
+    NSSUTF8 *label
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's label.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetLabel)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's manufacturer ID.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's model name.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetModel)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's serial number.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetSerialNumber)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has its own
+   * random number generator.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasRNG)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this token is write-protected.
+   * This routine is optional; if unimplemented, CK_FALSE is
+   * assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetIsWriteProtected)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this token requires a login.
+   * This routine is optional; if unimplemented, CK_FALSE is
+   * assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetLoginRequired)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the normal user's PIN on this
+   * token has been initialised.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetUserPinInitialized)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if a successful save of a
+   * session's cryptographic operations state ~always~ contains
+   * all keys needed to restore the state of the session.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetRestoreKeyNotNeeded)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has its own
+   * hardware clock.  This routine is optional; if unimplemented,
+   * CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasClockOnToken)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has a protected
+   * authentication path.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasProtectedAuthenticationPath)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token supports dual
+   * cryptographic operations within a single session.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetSupportsDualCryptoOperations)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * XXX fgmr-- should we have a call to return all the flags
+   * at once, for folks who already know about Cryptoki?
+   */
+
+  /*
+   * This routine returns the maximum number of sessions that
+   * may be opened on this token.  This routine is optional;
+   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   * is assumed.  XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxSessionCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the maximum number of read/write
+   * sesisons that may be opened on this token.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.  XXX fgmr-- or 
+   * CK_EFFECTIVELY_INFINITE?
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxRwSessionCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the maximum PIN code length that is
+   * supported on this token.  This routine is optional;
+   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   * is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxPinLen)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the minimum PIN code length that is
+   * supported on this token.  This routine is optional; if
+   * unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   *  is assumed.  XXX fgmr-- or 0?
+   */
+  CK_ULONG (PR_CALLBACK *GetMinPinLen)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the total amount of memory on the token
+   * in which public objects may be stored.  This routine is
+   * optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetTotalPublicMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the amount of unused memory on the
+   * token in which public objects may be stored.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetFreePublicMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the total amount of memory on the token
+   * in which private objects may be stored.  This routine is
+   * optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetTotalPrivateMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the amount of unused memory on the
+   * token in which private objects may be stored.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetFreePrivateMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version number of this token's
+   * hardware.  This routine is optional; if unimplemented,
+   * the value 0.1 is assumed.
+   */
+  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version number of this token's
+   * firmware.  This routine is optional; if unimplemented,
+   * the value 0.1 is assumed.
+   */
+  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs the current UTC time, as obtained from
+   * the token, into the sixteen-byte buffer in the form
+   * YYYYMMDDhhmmss00.  This routine need only be implemented
+   * by token which indicate that they have a real-time clock.
+   * XXX fgmr-- think about time formats.
+   */
+  CK_RV (PR_CALLBACK *GetUTCTime)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_CHAR utcTime[16]
+  );
+
+  /*
+   * This routine creates a session on the token, and returns
+   * the corresponding NSSCKMDSession object.  The value of
+   * rw will be CK_TRUE if the session is to be a read/write 
+   * session, or CK_FALSE otherwise.  An NSSArena dedicated to
+   * the new session is available from the specified NSSCKFWSession.
+   * This routine may return NULL upon error.
+   */
+  NSSCKMDSession *(PR_CALLBACK *OpenSession)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKFWSession *fwSession,
+    CK_BBOOL rw,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the number of PKCS#11 Mechanisms
+   * supported by this token.  This routine is optional; if
+   * unimplemented, zero is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetMechanismCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs into the specified array the types
+   * of the mechanisms supported by this token.  The Framework
+   * determines the size of the array by calling GetMechanismCount.
+   */
+  CK_RV (PR_CALLBACK *GetMechanismTypes)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_MECHANISM_TYPE types[]
+  );
+
+  /*
+   * This routine returns a pointer to a Module mechanism
+   * object corresponding to a specified type.  This routine
+   * need only exist for tokens implementing at least one
+   * mechanism.
+   */
+  NSSCKMDMechanism *(PR_CALLBACK *GetMechanism)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_MECHANISM_TYPE which,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDSession
+ *
+ * This is the basic handle for a session on a PKCS#11 Token.  It
+ * is created by NSSCKMDToken->OpenSession, and may be obtained
+ * from the Framework's corresponding NSSCKFWSession object.  It
+ * contains a pointer for use by the Module, to store any session-
+ * realted data, and it contains the EPV for a set of routines
+ * which the Module may implement for use by the Framework.  Some
+ * of these routines are optional.
+ */
+
+struct NSSCKMDSessionStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework when a session is
+   * closed.  This call is the last thing called before the
+   * NSSArena in the correspoinding NSSCKFWSession is destroyed.
+   * This routine is optional; if unimplemented, it merely won't
+   * be called.
+   */
+  void (PR_CALLBACK *Close)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to get any device-specific error.
+   * This routine is optional.
+   */
+  CK_ULONG (PR_CALLBACK *GetDeviceError)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to log in a user to the token.  This
+   * routine is optional, since the Framework's NSSCKFWSession
+   * object keeps track of the login state.
+   */
+  CK_RV (PR_CALLBACK *Login)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_USER_TYPE userType,
+    NSSItem *pin,
+    CK_STATE oldState,
+    CK_STATE newState
+  );
+
+  /*
+   * This routine is used to log out a user from the token.  This
+   * routine is optional, since the Framework's NSSCKFWSession
+   * object keeps track of the login state.
+   */
+  CK_RV (PR_CALLBACK *Logout)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_STATE oldState,
+    CK_STATE newState
+  );
+
+  /*
+   * This routine is used to initialize the normal user's PIN or
+   * password.  This will only be called in the "read/write
+   * security officer functions" state.  If this token has a
+   * protected authentication path, then the pin argument will
+   * be NULL.  This routine is optional; if unimplemented, the
+   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
+   */
+  CK_RV (PR_CALLBACK *InitPIN)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *pin
+  );
+
+  /*
+   * This routine is used to modify a user's PIN or password.  This
+   * routine will only be called in the "read/write security officer
+   * functions" or "read/write user functions" state.  If this token
+   * has a protected authentication path, then the pin arguments
+   * will be NULL.  This routine is optional; if unimplemented, the
+   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
+   */
+  CK_RV (PR_CALLBACK *SetPIN)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *oldPin,
+    NSSItem *newPin
+  );
+
+  /*
+   * This routine is used to find out how much space would be required
+   * to save the current operational state.  This routine is optional;
+   * if unimplemented, the Framework will reject any attempts to save
+   * the operational state with the error CKR_STATE_UNSAVEABLE.  This
+   * routine may return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetOperationStateLen)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to store the current operational state.  This
+   * routine is only required if GetOperationStateLen is implemented 
+   * and can return a nonzero value.  The buffer in the specified item
+   * will be pre-allocated, and the length will specify the amount of
+   * space available (which may be more than GetOperationStateLen
+   * asked for, but which will not be smaller).
+   */
+  CK_RV (PR_CALLBACK *GetOperationState)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   * This routine is used to restore an operational state previously
+   * obtained with GetOperationState.  The Framework will take pains
+   * to be sure that the state is (or was at one point) valid; if the
+   * Module notices that the state is invalid, it should return an
+   * error, but it is not required to be paranoid about the issue.
+   * [XXX fgmr-- should (can?) the framework verify the keys match up?]
+   * This routine is required only if GetOperationState is implemented.
+   */
+  CK_RV (PR_CALLBACK *SetOperationState)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *state,
+    NSSCKMDObject *mdEncryptionKey,
+    NSSCKFWObject *fwEncryptionKey,
+    NSSCKMDObject *mdAuthenticationKey,
+    NSSCKFWObject *fwAuthenticationKey
+  );
+
+  /*
+   * This routine is used to create an object.  The specified template
+   * will only specify a session object if the Module has indicated 
+   * that it wishes to handle its own session objects.  This routine
+   * is optional; if unimplemented, the Framework will reject the
+   * operation with the error CKR_TOKEN_WRITE_PROTECTED.  Space for
+   * token objects should come from the NSSArena available from the
+   * NSSCKFWToken object; space for session objects (if supported)
+   * should come from the NSSArena available from the NSSCKFWSession
+   * object.  The appropriate NSSArena pointer will, as a convenience,
+   * be passed as the handyArenaPointer argument.  This routine may
+   * return NULL upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *CreateObject)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSArena *handyArenaPointer,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to make a copy of an object.  It is entirely
+   * optional; if unimplemented, the Framework will try to use
+   * CreateObject instead.  If the Module has indicated that it does
+   * not wish to handle session objects, then this routine will only
+   * be called to copy a token object to another token object.
+   * Otherwise, either the original object or the new may be of
+   * either the token or session variety.  As with CreateObject, the
+   * handyArenaPointer will point to the appropriate arena for the
+   * new object.  This routine may return NULL upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *CopyObject)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdOldObject,
+    NSSCKFWObject *fwOldObject,
+    NSSArena *handyArenaPointer,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to begin an object search.  This routine may
+   * be unimplemented only if the Module does not handle session 
+   * objects, and if none of its tokens have token objects.  The
+   * NSSCKFWFindObjects pointer has an NSSArena that may be used for
+   * storage for the life of this "find" operation.  This routine may
+   * return NULL upon error.  If the Module can determine immediately
+   * that the search will not find any matching objects, it may return
+   * NULL, and specify CKR_OK as the error.
+   */
+  NSSCKMDFindObjects *(PR_CALLBACK *FindObjectsInit)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine seeds the random-number generator.  It is
+   * optional, even if GetRandom is implemented.  If unimplemented,
+   * the Framework will issue the error CKR_RANDOM_SEED_NOT_SUPPORTED.
+   */
+  CK_RV (PR_CALLBACK *SeedRandom)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *seed
+  );
+
+  /*
+   * This routine gets random data.  It is optional.  If unimplemented,
+   * the Framework will issue the error CKR_RANDOM_NO_RNG.
+   */
+  CK_RV (PR_CALLBACK *GetRandom)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDFindObjects
+ *
+ * This is the basic handle for an object search.  It is
+ * created by NSSCKMDSession->FindObjectsInit, and may be
+ * obtained from the Framework's corresponding object.
+ * It contains a pointer for use by the Module, to store
+ * any search-related data, and it contains the EPV for a
+ * set of routines which the Module may implement for use
+ * by the Framework.  Some of these routines are optional.
+ */
+
+struct NSSCKMDFindObjectsStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework to finish a
+   * search operation.  Note that the Framework may finish
+   * a search before it has completed.  This routine is
+   * optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Final)(
+    NSSCKMDFindObjects *mdFindObjects,
+    NSSCKFWFindObjects *fwFindObjects,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to obtain another pointer to an
+   * object matching the search criteria.  This routine is
+   * required.  If no (more) objects match the search, it
+   * should return NULL and set the error to CKR_OK.
+   */
+  NSSCKMDObject *(PR_CALLBACK *Next)(
+    NSSCKMDFindObjects *mdFindObjects,
+    NSSCKFWFindObjects *fwFindObjects,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSArena *arena,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDCryptoOperaion
+ *
+ * This is the basic handle for an encryption, decryption,
+ * sign, verify, or hash opertion.
+ * created by NSSCKMDMechanism->XXXXInit, and may be
+ * obtained from the Framework's corresponding object.
+ * It contains a pointer for use by the Module, to store
+ * any intermediate data, and it contains the EPV for a
+ * set of routines which the Module may implement for use
+ * by the Framework.  Some of these routines are optional.
+ */
+
+struct NSSCKMDCryptoOperationStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework clean up the mdCryptoOperation
+   * structure.
+   * This routine is optional; if unimplemented, it will be ignored.
+   */
+  void (PR_CALLBACK *Destroy)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+
+  /*
+   * how many bytes do we need to finish this buffer?
+   * must be implemented if Final is implemented.
+   */
+  CK_ULONG (PR_CALLBACK *GetFinalLength)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * how many bytes do we need to complete the next operation.
+   * used in both Update and UpdateFinal.
+   */
+  CK_ULONG (PR_CALLBACK *GetOperationLength)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    const NSSItem   *inputBuffer,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is called by the Framework to finish a
+   * search operation.  Note that the Framework may finish
+   * a search before it has completed.  This routine is
+   * optional; if unimplemented, it merely won't be called.
+   * The respective final call with fail with CKR_FUNCTION_FAILED
+   * Final should not free the mdCryptoOperation.
+   */
+  CK_RV(PR_CALLBACK *Final)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem       *outputBuffer
+  );
+
+
+  /*
+   * This routine is called by the Framework to complete the
+   * next step in an encryption/decryption operation.
+   * This routine is optional; if unimplemented, the respective
+   * update call with fail with CKR_FUNCTION_FAILED.
+   * Update should not be implemented for signing/verification/digest
+   * mechanisms.
+   */
+  CK_RV(PR_CALLBACK *Update)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    const NSSItem   *inputBuffer,
+    NSSItem   *outputBuffer
+  );
+
+  /*
+   * This routine is called by the Framework to complete the
+   * next step in a signing/verification/digest operation.
+   * This routine is optional; if unimplemented, the respective
+   * update call with fail with CKR_FUNCTION_FAILED
+   * Update should not be implemented for encryption/decryption
+   * mechanisms.
+   */
+  CK_RV(PR_CALLBACK *DigestUpdate)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    const NSSItem   *inputBuffer
+  );
+
+  /*
+   * This routine is called by the Framework to complete a
+   * single step operation. This routine is optional; if unimplemented, 
+   * the framework will use the Update and Final functions to complete
+   * the operation.
+   */
+  CK_RV(PR_CALLBACK *UpdateFinal)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    const NSSItem   *inputBuffer,
+    NSSItem   *outputBuffer
+  );
+
+  /*
+   * This routine is called by the Framework to complete next
+   * step in a combined operation. The Decrypt/Encrypt mechanism
+   * should define and drive the combo step.
+   * This routine is optional; if unimplemented, 
+   * the framework will use the appropriate Update functions to complete
+   * the operation.
+   */
+  CK_RV(PR_CALLBACK *UpdateCombo)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDCryptoOperation *mdPeerCryptoOperation,
+    NSSCKFWCryptoOperation *fwPeerCryptoOperation,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    const NSSItem   *inputBuffer,
+    NSSItem   *outputBuffer
+  );
+
+  /*
+   * Hash a key directly into the digest
+   */
+  CK_RV(PR_CALLBACK *DigestKey)(
+    NSSCKMDCryptoOperation *mdCryptoOperation,
+    NSSCKFWCryptoOperation *fwCryptoOperation,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDMechanism
+ *
+ */
+
+struct NSSCKMDMechanismStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This also frees the fwMechanism if appropriate.
+   * If it is not supplied, the Framework will assume that the Token
+   * Manages a static list of mechanisms and the function will not be called.
+   */
+  void (PR_CALLBACK *Destroy)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+
+  /*
+   * This routine returns the minimum key size allowed for
+   * this mechanism.  This routine is optional; if unimplemented,
+   * zero will be assumed.  This routine may return zero on
+   * error; if the error is CKR_OK, zero will be accepted as
+   * a valid response.
+   */
+  CK_ULONG (PR_CALLBACK *GetMinKeySize)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the maximum key size allowed for
+   * this mechanism.  This routine is optional; if unimplemented,
+   * zero will be assumed.  This routine may return zero on
+   * error; if the error is CKR_OK, zero will be accepted as
+   * a valid response.
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxKeySize)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is called to determine if the mechanism is
+   * implemented in hardware or software.  It returns CK_TRUE
+   * if it is done in hardware.
+   */
+  CK_BBOOL (PR_CALLBACK *GetInHardware)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * The crypto routines themselves.  Most crypto operations may
+   * be performed in two ways, streaming and single-part.  The
+   * streaming operations involve the use of (typically) three
+   * calls-- an Init method to set up the operation, an Update
+   * method to feed data to the operation, and a Final method to
+   * obtain the final result.  Single-part operations involve
+   * one method, to perform the crypto operation all at once.
+   *
+   * The NSS Cryptoki Framework can implement the single-part
+   * operations in terms of the streaming operations on behalf
+   * of the Module.  There are a few variances.
+   *
+   * Only the Init Functions are defined by the mechanism. Each
+   * init function will return a NSSCKFWCryptoOperation which
+   * can supply update, final, the single part updateFinal, and
+   * the combo updateCombo functions.
+   * 
+   * For simplicity, the routines are listed in summary here:
+   *
+   *  EncryptInit,
+   *  DecryptInit,
+   *  DigestInit,
+   *  SignInit, 
+   *  SignRecoverInit;
+   *  VerifyInit,
+   *  VerifyRecoverInit;
+   *
+   * The key-management routines are
+   *
+   *  GenerateKey
+   *  GenerateKeyPair
+   *  WrapKey
+   *  UnwrapKey
+   *  DeriveKey
+   *
+   * All of these routines based on the Cryptoki API; 
+   * see PKCS#11 for further information.
+   */
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *EncryptInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *DecryptInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *DigestInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *SignInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *VerifyInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *SignRecoverInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   */
+  NSSCKMDCryptoOperation * (PR_CALLBACK *VerifyRecoverInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    CK_RV *pError
+  );
+
+  /*
+   * Key management operations.
+   */
+
+  /*
+   * This routine generates a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *GenerateKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine generates a key pair.
+   */
+  CK_RV (PR_CALLBACK *GenerateKeyPair)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount,
+    CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount,
+    NSSCKMDObject **pPublicKey,
+    NSSCKMDObject **pPrivateKey
+  );
+
+  /*
+   * This routine wraps a key.
+   */
+  CK_ULONG (PR_CALLBACK *GetWrapKeyLength)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdWrappingKey,
+    NSSCKFWObject *fwWrappingKey,
+    NSSCKMDObject *mdWrappedKey,
+    NSSCKFWObject *fwWrappedKey,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine wraps a key.
+   */
+  CK_RV (PR_CALLBACK *WrapKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdWrappingKey,
+    NSSCKFWObject *fwWrappingKey,
+    NSSCKMDObject *mdKeyObject,
+    NSSCKFWObject *fwKeyObject,
+    NSSItem *wrappedKey
+  );
+
+  /*
+   * This routine unwraps a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *UnwrapKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdWrappingKey,
+    NSSCKFWObject *fwWrappingKey,
+    NSSItem *wrappedKey,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );    
+    
+  /*
+   * This routine derives a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *DeriveKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_PTR  pMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdBaseKey,
+    NSSCKFWObject *fwBaseKey,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );    
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDObject
+ *
+ * This is the basic handle for any object used by a PKCS#11 Module.
+ * Modules must implement it if they support their own objects, and
+ * the Framework supports it for Modules that do not handle session
+ * objects.  This type contains a pointer for use by the implementor,
+ * to store any object-specific data, and it contains an EPV for a
+ * set of routines used to access the object.
+ */
+
+struct NSSCKMDObjectStr {
+  /*
+   * The implementation my use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework when it is letting
+   * go of an object handle.  It can be used by the Module to
+   * free any resources tied up by an object "in use."  It is
+   * optional.
+   */
+  void (PR_CALLBACK *Finalize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to completely destroy an object.
+   * It is optional.  The parameter fwObject might be NULL
+   * if the framework runs out of memory at the wrong moment.
+   */
+  CK_RV (PR_CALLBACK *Destroy)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This helper routine is used by the Framework, and is especially
+   * useful when it is managing session objects on behalf of the
+   * Module.  This routine is optional; if unimplemented, the
+   * Framework will actually look up the CKA_TOKEN attribute.  In the
+   * event of an error, just make something up-- the Framework will
+   * find out soon enough anyway.
+   */
+  CK_BBOOL (PR_CALLBACK *IsTokenObject)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the number of attributes of which this
+   * object consists.  It is mandatory.  It can return zero on
+   * error.
+   */
+  CK_ULONG (PR_CALLBACK *GetAttributeCount)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine stuffs the attribute types into the provided array.
+   * The array size (as obtained from GetAttributeCount) is passed in
+   * as a check; return CKR_BUFFER_TOO_SMALL if the count is wrong
+   * (either too big or too small).
+   */
+  CK_RV (PR_CALLBACK *GetAttributeTypes)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE_PTR typeArray,
+    CK_ULONG ulCount
+  );
+
+  /*
+   * This routine returns the size (in bytes) of the specified
+   * attribute.  It can return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetAttributeSize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns an NSSCKFWItem structure.
+   * The item pointer points to an NSSItem containing the attribute value.
+   * The needsFreeing bit tells the framework whether to call the
+   * FreeAttribute function . Upon error, an NSSCKFWItem structure
+   * with a NULL NSSItem item pointer will be returned
+   */
+  NSSCKFWItem (PR_CALLBACK *GetAttribute)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns CKR_OK if the attribute could be freed.
+   */
+  CK_RV (PR_CALLBACK *FreeAttribute)(
+    NSSCKFWItem * item
+  );
+
+  /*
+   * This routine changes the specified attribute.  If unimplemented,
+   * the object will be considered read-only.
+   */
+  CK_RV (PR_CALLBACK *SetAttribute)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    NSSItem *value
+  );
+
+  /*
+   * This routine returns the storage requirements of this object,
+   * in bytes.  Cryptoki doesn't strictly define the definition,
+   * but it should relate to the values returned by the "Get Memory"
+   * routines of the NSSCKMDToken.  This routine is optional; if
+   * unimplemented, the Framework will consider this information
+   * sensitive.  This routine may return zero on error.  If the
+   * specified error is CKR_OK, zero will be accepted as a valid
+   * response.
+   */
+  CK_ULONG (PR_CALLBACK *GetObjectSize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+
+#endif /* NSSCKMDT_H */
diff --git a/security/nss/lib/ckfw/nssckt.h b/security/nss/lib/ckfw/nssckt.h
new file mode 100644
index 000000000..9e67f7fdf
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckt.h
@@ -0,0 +1,45 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _NSSCKT_H_
+#define _NSSCKT_H_ 1
+
+#include "pkcs11t.h"
+
+typedef CK_ATTRIBUTE_TYPE CK_PTR CK_ATTRIBUTE_TYPE_PTR;
+#define CK_ENTRY
+
+#endif /* _NSSCKT_H_ */
+
diff --git a/security/nss/lib/ckfw/nssmkey/Makefile b/security/nss/lib/ckfw/nssmkey/Makefile
new file mode 100644
index 000000000..2f489aa9c
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/Makefile
@@ -0,0 +1,105 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else 
+EXTRA_SHARED_LIBS += \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+        $(NULL)
+endif # NS_USE_GCC
+else
+
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	-framework Security \
+	-framework CoreServices \
+	$(NULL)
+endif
+
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate certdata.c.
+generate:
+	perl certdata.perl < certdata.txt
+
+# This'll need some help from a build person.
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+
diff --git a/security/nss/lib/ckfw/nssmkey/README b/security/nss/lib/ckfw/nssmkey/README
new file mode 100644
index 000000000..c060d9c3c
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/README
@@ -0,0 +1,21 @@
+This Cryptoki module provides acces to certs and keys stored in
+Macintosh key Ring.
+
+- It does not yet export PKCS #12 keys. To get this to work should be 
+  implemented using exporting the key object in PKCS #8 wrapped format.
+  PSM work needs to happen before this can be completed.
+- It does not import or export CA Root trust from the mac keychain.
+- It does not handle S/MIME objects (pkcs #7 in mac keychain terms?).
+- The AuthRoots don't show up on the default list.
+- Only RSA keys are supported currently.
+
+There are a number of things that have not been tested that other PKCS #11
+apps may need:
+- reading Modulus and Public Exponents from private keys and public keys.
+- storing public keys.
+- setting attributes other than CKA_ID and CKA_LABEL.
+
+Other TODOs:
+- Check for and plug memory leaks.
+- Need to map mac errors into something more intellegible than 
+  CKR_GENERAL_ERROR.
diff --git a/security/nss/lib/ckfw/nssmkey/ckmk.h b/security/nss/lib/ckfw/nssmkey/ckmk.h
new file mode 100644
index 000000000..1eeba5986
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/ckmk.h
@@ -0,0 +1,236 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CKMK_H
+#define CKMK_H 1
+
+#ifdef DEBUG
+static const char CKMK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include <Security/SecKeychainSearch.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecKeychain.h>
+#include <Security/cssmtype.h>
+#include <Security/cssmapi.h>
+#include <Security/SecKey.h>
+#include <Security/SecCertificate.h>
+
+#define NTO
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+/*
+ * statically defined raw objects. Allows us to data description objects
+ * to this PKCS #11 module.
+ */
+struct ckmkRawObjectStr {
+  CK_ULONG n;
+  const CK_ATTRIBUTE_TYPE *types;
+  const NSSItem *items;
+};
+typedef struct ckmkRawObjectStr ckmkRawObject;
+
+/*
+ * Key/Cert Items
+ */
+struct ckmkItemObjectStr {
+  SecKeychainItemRef itemRef;
+  SecItemClass    itemClass;
+  PRBool          hasID;
+  NSSItem	  modify;
+  NSSItem	  private;
+  NSSItem	  encrypt;
+  NSSItem	  decrypt;
+  NSSItem	  derive;
+  NSSItem	  sign;
+  NSSItem	  signRecover;
+  NSSItem	  verify;
+  NSSItem	  verifyRecover;
+  NSSItem	  wrap;
+  NSSItem	  unwrap;
+  NSSItem	  label;
+  NSSItem	  subject;
+  NSSItem	  issuer;
+  NSSItem	  serial;
+  NSSItem	  derCert;
+  NSSItem	  id;
+  NSSItem	  modulus;
+  NSSItem	  exponent;
+  NSSItem	  privateExponent;
+  NSSItem	  prime1;
+  NSSItem	  prime2;
+  NSSItem	  exponent1;
+  NSSItem	  exponent2;
+  NSSItem	  coefficient;
+};
+typedef struct ckmkItemObjectStr ckmkItemObject;
+
+typedef enum {
+  ckmkRaw,
+  ckmkItem,
+} ckmkObjectType;
+
+/*
+ * all the various types of objects are abstracted away in cobject and
+ * cfind as ckmkInternalObjects.
+ */
+struct ckmkInternalObjectStr {
+  ckmkObjectType type;
+  union {
+    ckmkRawObject  raw;
+    ckmkItemObject item;
+  } u;
+  CK_OBJECT_CLASS objClass;
+  NSSItem	  hashKey;
+  unsigned char   hashKeyData[128];
+  NSSCKMDObject mdObject;
+};
+typedef struct ckmkInternalObjectStr ckmkInternalObject;
+
+/* our raw object data array */
+NSS_EXTERN_DATA ckmkInternalObject nss_ckmk_data[];
+NSS_EXTERN_DATA const PRUint32               nss_ckmk_nObjects;
+
+NSS_EXTERN_DATA const CK_VERSION   nss_ckmk_CryptokiVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_ManufacturerID;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_LibraryDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckmk_LibraryVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_SlotDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckmk_HardwareVersion;
+NSS_EXTERN_DATA const CK_VERSION   nss_ckmk_FirmwareVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_TokenLabel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_TokenModel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_ckmk_TokenSerialNumber;
+
+NSS_EXTERN_DATA const NSSCKMDInstance  nss_ckmk_mdInstance;
+NSS_EXTERN_DATA const NSSCKMDSlot      nss_ckmk_mdSlot;
+NSS_EXTERN_DATA const NSSCKMDToken     nss_ckmk_mdToken;
+NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckmk_mdMechanismRSA;
+
+NSS_EXTERN NSSCKMDSession *
+nss_ckmk_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_ckmk_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * Object Utilities
+ */
+NSS_EXTERN NSSCKMDObject *
+nss_ckmk_CreateMDObject
+(
+  NSSArena *arena,
+  ckmkInternalObject *io,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_ckmk_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN const NSSItem *
+nss_ckmk_FetchAttribute
+(
+  ckmkInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError
+);
+
+NSS_EXTERN void
+nss_ckmk_DestroyInternalObject
+(
+  ckmkInternalObject *io
+);
+
+unsigned char *
+nss_ckmk_DERUnwrap
+(
+  unsigned char *src,
+  int size,
+  int *outSize,
+  unsigned char **next
+);
+
+CK_ULONG
+nss_ckmk_GetULongAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize,
+  CK_RV *pError
+);
+
+#define NSS_CKMK_ARRAY_SIZE(x) ((sizeof (x))/(sizeof ((x)[0])))
+
+#ifdef DEBUG
+#define CKMK_MACERR(str,err) cssmPerror(str,err)
+#else
+#define CKMK_MACERR(str,err) 
+#endif
+ 
+#endif
diff --git a/security/nss/lib/ckfw/nssmkey/ckmkver.c b/security/nss/lib/ckfw/nssmkey/ckmkver.c
new file mode 100644
index 000000000..9cbb2d2e0
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/ckmkver.c
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* Library identity and versioning */
+
+#include "nssmkey.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_ckmk_rcsid[] = "$Header: NSS Access to the MAC OS X Key Ring "
+        NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_ckmk_sccsid[] = "@(#)NSS Access to the MAC OS X Key Ring "
+        NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ckfw/nssmkey/config.mk b/security/nss/lib/ckfw/nssmkey/config.mk
new file mode 100644
index 000000000..e329b6b55
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/config.mk
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+ifdef NS_USE_CKFW_TRACE
+DEFINES += -DTRACE
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+
diff --git a/security/nss/lib/ckfw/nssmkey/manchor.c b/security/nss/lib/ckfw/nssmkey/manchor.c
new file mode 100644
index 000000000..7d50186cd
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/manchor.c
@@ -0,0 +1,55 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssmkey/manchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckmk.h"
+
+#define MODULE_NAME ckmk
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckmk_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/nssmkey/manifest.mn b/security/nss/lib/ckfw/nssmkey/manifest.mn
new file mode 100644
index 000000000..4d0c72369
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+MAPFILE = $(OBJDIR)/nssmkey.def
+
+EXPORTS =		\
+	nssmkey.h	\
+	$(NULL)
+
+CSRCS =			\
+	manchor.c	\
+	mconstants.c	\
+	mfind.c		\
+	minst.c 	\
+	mobject.c	\
+	mrsa.c		\
+	msession.c	\
+	mslot.c		\
+	mtoken.c	\
+	ckmkver.c	\
+	staticobj.c	\
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nssmkey
+
+#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/nssmkey/mconstants.c b/security/nss/lib/ckfw/nssmkey/mconstants.c
new file mode 100644
index 000000000..ff2aba6a6
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mconstants.c
@@ -0,0 +1,96 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssmkey/constants.c
+ *
+ * Identification and other constants, all collected here in one place.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#include "nssmkey.h"
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckmk_CryptokiVersion =  {
+		NSS_CKMK_CRYPTOKI_VERSION_MAJOR,
+		NSS_CKMK_CRYPTOKI_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_LibraryDescription = (NSSUTF8 *) "NSS Access to Mac OS X Key Ring";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckmk_LibraryVersion = {
+	NSS_CKMK_LIBRARY_VERSION_MAJOR,
+	NSS_CKMK_LIBRARY_VERSION_MINOR};
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_SlotDescription = (NSSUTF8 *) "Mac OS X Key Ring";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckmk_HardwareVersion = { 
+	NSS_CKMK_HARDWARE_VERSION_MAJOR,
+	NSS_CKMK_HARDWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckmk_FirmwareVersion = { 
+	NSS_CKMK_FIRMWARE_VERSION_MAJOR,
+	NSS_CKMK_FIRMWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_TokenLabel = (NSSUTF8 *) "Mac OS X Key Ring";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_TokenModel = (NSSUTF8 *) "1";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckmk_TokenSerialNumber = (NSSUTF8 *) "1";
+
diff --git a/security/nss/lib/ckfw/nssmkey/mfind.c b/security/nss/lib/ckfw/nssmkey/mfind.c
new file mode 100644
index 000000000..4eb9efc10
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mfind.c
@@ -0,0 +1,404 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKMK_H
+#include "ckmk.h"
+#endif /* CKMK_H */
+
+/*
+ * nssmkey/mfind.c
+ *
+ * This file implements the NSSCKMDFindObjects object for the
+ * "nssmkey" cryptoki module.
+ */
+
+struct ckmkFOStr {
+  NSSArena *arena;
+  CK_ULONG n;
+  CK_ULONG i;
+  ckmkInternalObject **objs;
+};
+
+static void
+ckmk_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
+  NSSArena *arena = fo->arena;
+  PRUint32 i;
+
+  /* walk down an free the unused 'objs' */
+  for (i=fo->i; i < fo->n ; i++) {
+    nss_ckmk_DestroyInternalObject(fo->objs[i]);
+  }
+
+  nss_ZFreeIf(fo->objs);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(mdFindObjects);
+  if ((NSSArena *)NULL != arena) {
+    NSSArena_Destroy(arena);
+  }
+
+  return;
+}
+
+static NSSCKMDObject *
+ckmk_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
+  ckmkInternalObject *io;
+
+  if( fo->i == fo->n ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  io = fo->objs[ fo->i ];
+  fo->i++;
+
+  return nss_ckmk_CreateMDObject(arena, io, pError);
+}
+
+static CK_BBOOL
+ckmk_attrmatch
+(
+  CK_ATTRIBUTE_PTR a,
+  ckmkInternalObject *o
+)
+{
+  PRBool prb;
+  const NSSItem *b;
+  CK_RV error;
+
+  b = nss_ckmk_FetchAttribute(o, a->type,  &error);
+  if (b == NULL) {
+    return CK_FALSE;
+  }
+
+  if( a->ulValueLen != b->size ) {
+    /* match a decoded serial number */
+    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
+	int len;
+	unsigned char *data;
+
+	data = nss_ckmk_DERUnwrap(b->data, b->size, &len, NULL);
+	if ((len == a->ulValueLen) && 
+		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+	    return CK_TRUE;
+	}
+    }
+    return CK_FALSE;
+  }
+
+  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+
+  if( PR_TRUE == prb ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+
+static CK_BBOOL
+ckmk_match
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  ckmkInternalObject *o
+)
+{
+  CK_ULONG i;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if (CK_FALSE == ckmk_attrmatch(&pTemplate[i], o)) {
+      return CK_FALSE;
+    }
+  }
+
+  /* Every attribute passed */
+  return CK_TRUE;
+}
+
+#define CKMK_ITEM_CHUNK  20
+
+#define PUT_OBJECT(obj, err, size, count, list) \
+  { \
+    if (count >= size) { \
+    (list) = (list) ? \
+		nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
+		               ((size)+CKMK_ITEM_CHUNK) ) : \
+		nss_ZNEWARRAY(NULL, ckmkInternalObject *, \
+		               ((size)+CKMK_ITEM_CHUNK) ) ; \
+      if ((ckmkInternalObject **)NULL == list) { \
+        err = CKR_HOST_MEMORY; \
+        goto loser; \
+      } \
+      (size) += CKMK_ITEM_CHUNK; \
+    } \
+    (list)[ count ] = (obj); \
+    count++; \
+  }
+
+
+/* find all the certs that represent the appropriate object (cert, priv key, or
+ *  pub key) in the cert store.
+ */
+static PRUint32
+collect_class(
+  CK_OBJECT_CLASS objClass,
+  SecItemClass itemClass,
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckmkInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  ckmkInternalObject *next = NULL;
+  SecKeychainSearchRef searchRef = 0;
+  SecKeychainItemRef itemRef = 0;
+  OSStatus error;
+
+  /* future, build the attribute list based on the template
+   * so we can refine the search */
+  error = SecKeychainSearchCreateFromAttributes( 
+		NULL, itemClass, NULL, &searchRef);
+
+  while (noErr == SecKeychainSearchCopyNext(searchRef, &itemRef)) {
+    /* if we don't have an internal object structure, get one */
+    if ((ckmkInternalObject *)NULL == next) {
+      next = nss_ZNEW(NULL, ckmkInternalObject);
+      if ((ckmkInternalObject *)NULL == next) {
+        *pError = CKR_HOST_MEMORY;
+        goto loser;
+      }
+    }
+    /* fill in the relevant object data */
+    next->type = ckmkItem;
+    next->objClass = objClass;
+    next->u.item.itemRef = itemRef;
+    next->u.item.itemClass = itemClass;
+
+    /* see if this is one of the objects we are looking for */
+    if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next) ) {
+      /* yes, put it on the list */
+      PUT_OBJECT(next, *pError, *sizep, count, *listp);
+      next = NULL; /* this one is on the list, need to allocate a new one now */
+    } else {
+      /* no , release the current item and clear out the structure for reuse */
+      CFRelease(itemRef);
+      /* don't cache the values we just loaded */
+      nsslibc_memset(next, 0, sizeof(*next));
+    }
+  }
+loser:
+  if (searchRef) {
+    CFRelease(searchRef);
+  }
+  nss_ZFreeIf(next);
+  return count;
+}
+
+static PRUint32
+collect_objects(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckmkInternalObject ***listp,
+  CK_RV *pError
+)
+{
+  PRUint32 i;
+  PRUint32 count = 0;
+  PRUint32 size = 0;
+  CK_OBJECT_CLASS objClass;
+
+  /*
+   * first handle the static build in objects (if any)
+   */
+  for( i = 0; i < nss_ckmk_nObjects; i++ ) {
+    ckmkInternalObject *o = (ckmkInternalObject *)&nss_ckmk_data[i];
+
+    if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, o) ) {
+      PUT_OBJECT(o, *pError, size, count, *listp);
+    }
+  }
+
+  /*
+   * now handle the various object types
+   */
+  objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, 
+		pTemplate, ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    objClass = CK_INVALID_HANDLE;
+  }
+  *pError = CKR_OK;
+  switch (objClass) {
+  case CKO_CERTIFICATE:
+    count = collect_class(objClass, kSecCertificateItemClass,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  case CKO_PUBLIC_KEY:
+    count = collect_class(objClass,  CSSM_DL_DB_RECORD_PUBLIC_KEY,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  case CKO_PRIVATE_KEY:
+    count = collect_class(objClass,  CSSM_DL_DB_RECORD_PRIVATE_KEY,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  /* all of them */
+  case CK_INVALID_HANDLE:
+    count = collect_class(CKO_CERTIFICATE, kSecCertificateItemClass,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    count = collect_class(CKO_PUBLIC_KEY,  CSSM_DL_DB_RECORD_PUBLIC_KEY,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    count = collect_class(CKO_PUBLIC_KEY,  CSSM_DL_DB_RECORD_PRIVATE_KEY,
+                              pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  default:
+    break;
+  }
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+  return count;
+loser:
+  nss_ZFreeIf(*listp);
+  return 0;
+}
+
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_ckmk_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  /* This could be made more efficient.  I'm rather rushed. */
+  NSSArena *arena;
+  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
+  struct ckmkFOStr *fo = (struct ckmkFOStr *)NULL;
+  ckmkInternalObject **temp = (ckmkInternalObject **)NULL;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo = nss_ZNEW(arena, struct ckmkFOStr);
+  if( (struct ckmkFOStr *)NULL == fo ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo->arena = arena;
+  /* fo->n and fo->i are already zero */
+
+  rv->etc = (void *)fo;
+  rv->Final = ckmk_mdFindObjects_Final;
+  rv->Next = ckmk_mdFindObjects_Next;
+  rv->null = (void *)NULL;
+
+  fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
+  if (*pError != CKR_OK) {
+    goto loser;
+  }
+
+  fo->objs = nss_ZNEWARRAY(arena, ckmkInternalObject *, fo->n);
+  if( (ckmkInternalObject **)NULL == fo->objs ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckmkInternalObject *) * fo->n);
+  nss_ZFreeIf(temp);
+  temp = (ckmkInternalObject **)NULL;
+
+  return rv;
+
+ loser:
+  nss_ZFreeIf(temp);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(rv);
+  if ((NSSArena *)NULL != arena) {
+     NSSArena_Destroy(arena);
+  }
+  return (NSSCKMDFindObjects *)NULL;
+}
+
diff --git a/security/nss/lib/ckfw/nssmkey/minst.c b/security/nss/lib/ckfw/nssmkey/minst.c
new file mode 100644
index 000000000..0e81358a1
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/minst.c
@@ -0,0 +1,148 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+
+/*
+ * nssmkey/minstance.c
+ *
+ * This file implements the NSSCKMDInstance object for the 
+ * "nssmkey" cryptoki module.
+ */
+
+/*
+ * NSSCKMDInstance methods
+ */
+
+static CK_ULONG
+ckmk_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_VERSION
+ckmk_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_CryptokiVersion;
+}
+
+static NSSUTF8 *
+ckmk_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckmk_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_LibraryDescription;
+}
+
+static CK_VERSION
+ckmk_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_LibraryVersion;
+}
+
+static CK_RV
+ckmk_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  slots[0] = (NSSCKMDSlot *)&nss_ckmk_mdSlot;
+  return CKR_OK;
+}
+
+static CK_BBOOL
+ckmk_mdInstance_ModuleHandlesSessionObjects
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  /* we don't want to allow any session object creation, at least
+   * until we can investigate whether or not we can use those objects
+   */
+  return CK_TRUE;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDInstance
+nss_ckmk_mdInstance = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Finalize */
+  ckmk_mdInstance_GetNSlots,
+  ckmk_mdInstance_GetCryptokiVersion,
+  ckmk_mdInstance_GetManufacturerID,
+  ckmk_mdInstance_GetLibraryDescription,
+  ckmk_mdInstance_GetLibraryVersion,
+  ckmk_mdInstance_ModuleHandlesSessionObjects, 
+  /*NULL, /* HandleSessionObjects */
+  ckmk_mdInstance_GetSlots,
+  NULL, /* WaitForSlotEvent */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/nssmkey/mobject.c b/security/nss/lib/ckfw/nssmkey/mobject.c
new file mode 100644
index 000000000..ee6c34fff
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mobject.c
@@ -0,0 +1,1961 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+#include "nssbase.h"
+
+#include "secdert.h" /* for DER_INTEGER */
+#include "string.h"
+
+/* asn1 encoder (to build pkcs#8 blobs) */
+#include <seccomon.h>
+#include <secitem.h>
+#include <blapit.h>
+#include <secoid.h>
+#include <secasn1.h>
+
+/* for importing the keys */
+#include <CoreFoundation/CoreFoundation.h>
+#include <security/SecImportExport.h>
+
+/*
+ * nssmkey/mobject.c
+ *
+ * This file implements the NSSCKMDObject object for the
+ * "nssmkey" cryptoki module.
+ */
+
+const CK_ATTRIBUTE_TYPE certAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_CERTIFICATE_TYPE,
+    CKA_SUBJECT,
+    CKA_ISSUER,
+    CKA_SERIAL_NUMBER,
+    CKA_VALUE
+};
+const PRUint32 certAttrsCount = NSS_CKMK_ARRAY_SIZE(certAttrs);
+
+/* private keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_SENSITIVE,
+    CKA_DECRYPT,
+    CKA_SIGN,
+    CKA_SIGN_RECOVER,
+    CKA_UNWRAP,
+    CKA_EXTRACTABLE,
+    CKA_ALWAYS_SENSITIVE,
+    CKA_NEVER_EXTRACTABLE,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 privKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(privKeyAttrs);
+
+/* public keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_ENCRYPT,
+    CKA_VERIFY,
+    CKA_VERIFY_RECOVER,
+    CKA_WRAP,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 pubKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(pubKeyAttrs);
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
+static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
+static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
+static const NSSItem ckmk_trueItem = { 
+  (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckmk_falseItem = { 
+  (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckmk_x509Item = { 
+  (void *)&ckc_x509, (PRUint32)sizeof(CKC_X_509) };
+static const NSSItem ckmk_rsaItem = { 
+  (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) };
+static const NSSItem ckmk_certClassItem = { 
+  (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckmk_privKeyClassItem = {
+  (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckmk_pubKeyClassItem = {
+  (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckmk_emptyItem = { 
+  (void *)&ck_true, 0};
+
+/*
+ * these are utilities. The chould be moved to a new utilities file.
+ */
+#ifdef DEBUG
+static void
+itemdump(char *str, void *data, int size, CK_RV error) 
+{
+  unsigned char *ptr = (unsigned char *)data;
+  int i;
+  fprintf(stderr,str);
+  for (i=0; i < size; i++) {
+    fprintf(stderr,"%02x ",(unsigned int) ptr[i]);
+  }
+  fprintf(stderr," (error = %d)\n", (int ) error);
+}
+#endif
+
+/*
+ * unwrap a single DER value
+ * now that we have util linked in, we should probably use
+ * the ANS1_Decoder for this work...
+ */
+unsigned char *
+nss_ckmk_DERUnwrap
+(
+  unsigned char *src, 
+  int size, 
+  int *outSize, 
+  unsigned char **next
+)
+{
+  unsigned char *start = src;
+  unsigned int len = 0;
+
+  /* initialize error condition return values */
+  *outSize = 0;
+  if (next) {
+    *next = src;
+  }
+
+  if (size < 2) {
+    return start;
+  }
+  src ++ ; /* skip the tag -- should check it against an expected value! */
+  len = (unsigned) *src++;
+  if (len & 0x80) {
+    int count = len & 0x7f;
+    len =0;
+
+    if (count+2 > size) {
+      return start;
+    }
+    while (count-- > 0) {
+      len = (len << 8) | (unsigned) *src++;
+    }
+  }
+  if (len + (src-start) > (unsigned int)size) {
+    return start;
+  }
+  if (next) {
+    *next = src+len;
+  }
+  *outSize = len;
+
+  return src;
+}
+
+/*
+ * get an attribute from a template. Value is returned in NSS item.
+ * data for the item is owned by the template.
+ */
+CK_RV
+nss_ckmk_GetAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  NSSItem *item
+)
+{
+  CK_ULONG i;
+
+  for (i=0; i < templateSize; i++) {
+    if (template[i].type == type) {
+      item->data = template[i].pValue;
+      item->size = template[i].ulValueLen;
+      return CKR_OK;
+    }
+  }
+  return CKR_TEMPLATE_INCOMPLETE;
+}
+
+/*
+ * get an attribute which is type CK_ULONG.
+ */
+CK_ULONG
+nss_ckmk_GetULongAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_RV *pError
+)
+{
+  NSSItem item;
+
+  *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != *pError) {
+    return (CK_ULONG) 0;
+  }
+  if (item.size != sizeof(CK_ULONG)) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (CK_ULONG) 0;
+  }
+  return *(CK_ULONG *)item.data;
+}
+
+/*
+ * get an attribute which is type CK_BBOOL.
+ */
+CK_BBOOL
+nss_ckmk_GetBoolAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_BBOOL defaultBool
+)
+{
+  NSSItem item;
+  CK_RV error;
+
+  error = nss_ckmk_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != error) {
+    return defaultBool;
+  }
+  if (item.size != sizeof(CK_BBOOL)) {
+    return defaultBool;
+  }
+  return *(CK_BBOOL *)item.data;
+}
+
+/*
+ * get an attribute as a NULL terminated string. Caller is responsible to
+ * free the string.
+ */
+char *
+nss_ckmk_GetStringAttribute
+(
+  CK_ATTRIBUTE_TYPE type,
+  CK_ATTRIBUTE *template,
+  CK_ULONG templateSize, 
+  CK_RV *pError
+)
+{
+  NSSItem item;
+  char *str;
+
+  /* get the attribute */
+  *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item);
+  if (CKR_OK != *pError) {
+    return (char *)NULL;
+  }
+  /* make sure it is null terminated */
+  str = nss_ZNEWARRAY(NULL, char, item.size+1);
+  if ((char *)NULL == str) {
+    *pError = CKR_HOST_MEMORY;
+    return (char *)NULL;
+  }
+
+  nsslibc_memcpy(str, item.data, item.size);
+  str[item.size] = 0;
+
+  return str;
+}
+
+/*
+ * Apple doesn't seem to have a public interface to the DER encoder,
+ * wip out a quick one for integers only (anything more complicated,
+ * we should use one of the 3 in lib/util). -- especially since we
+ * now link with it.
+ */
+static CK_RV
+ckmk_encodeInt(NSSItem *dest, void *src, int srcLen)
+{                 
+  int dataLen = srcLen;
+  int lenLen = 1;
+  int encLen;
+  int isSigned = 0;
+  int offset = 0;
+  unsigned char *data = NULL;
+  int i;
+
+  if (*(unsigned char *)src & 0x80) {
+    dataLen++;
+    isSigned = 1;
+  }
+   
+  /* calculate the length of the length specifier */
+  /* (NOTE: destroys dataLen value) */ 
+  if (dataLen > 0x7f) {
+    do {
+      lenLen++;
+      dataLen >>= 8;
+    } while (dataLen);
+  }
+
+  /* calculate our total length */
+  dataLen = isSigned + srcLen;
+  encLen = 1 + lenLen + dataLen;
+  data  = nss_ZNEWARRAY(NULL, unsigned char, encLen);
+  if ((unsigned char *)NULL == data) {
+    return CKR_HOST_MEMORY;
+  }
+  data[0] = DER_INTEGER;
+  if (1 == lenLen) {
+    data[1] = dataLen;
+  } else {
+    data[1] = 0x80 + lenLen;
+    for (i=0; i < lenLen; i++) {
+      data[i+1] = ((dataLen >> ((lenLen-i-1)*8)) & 0xff);
+    }
+  }
+  offset = lenLen+1;
+
+  if (isSigned) {
+    data[offset++] = 0;
+  }
+  nsslibc_memcpy(&data[offset], src, srcLen);
+  dest->data = data;
+  dest->size = encLen;
+  return CKR_OK;
+}
+
+
+/*
+ * Get a Keyring attribute. If content is set to true, then we get the
+ * content, not the attribute.
+ */
+static CK_RV
+ckmk_GetCommonAttribute
+(
+  ckmkInternalObject *io,
+  SecItemAttr itemAttr,
+  PRBool content,
+  NSSItem *item,
+  char *dbString
+)
+{
+  SecKeychainAttributeList *attrList = NULL;
+  SecKeychainAttributeInfo attrInfo;
+  PRUint32 len = 0;
+  PRUint32 dataLen = 0;
+  PRUint32 attrFormat = 0;
+  void *dataVal = 0;
+  void *out = NULL;
+  CK_RV error = CKR_OK;
+  OSStatus macErr;
+
+  attrInfo.count = 1;
+  attrInfo.tag = &itemAttr;
+  attrInfo.format = &attrFormat;
+
+  macErr = SecKeychainItemCopyAttributesAndData(io->u.item.itemRef, 
+                                &attrInfo, NULL, &attrList, &len, &out);
+  if (noErr != macErr) {
+    CKMK_MACERR(dbString, macErr);
+    return CKR_ATTRIBUTE_TYPE_INVALID;
+  }
+  dataLen = content ? len : attrList->attr->length;
+  dataVal = content ? out : attrList->attr->data;
+
+  /* Apple's documentation says this value is DER Encoded, but it clearly isn't
+   * der encode it before we ship it back off to NSS
+   */
+  if ( kSecSerialNumberItemAttr == itemAttr ) {
+    error = ckmk_encodeInt(item, dataVal, dataLen);
+    goto loser; /* logically 'done' if error == CKR_OK */
+  }
+  item->data = nss_ZNEWARRAY(NULL, char, dataLen);
+  if (NULL == item->data) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  nsslibc_memcpy(item->data, dataVal, dataLen);
+  item->size = dataLen;
+
+loser:
+  SecKeychainItemFreeAttributesAndData(attrList, out);
+  return error;
+}
+
+/*
+ * change an attribute (does not operate on the content).
+ */
+static CK_RV
+ckmk_updateAttribute
+(
+  SecKeychainItemRef itemRef,
+  SecItemAttr itemAttr,
+  void *data,
+  PRUint32 len,
+  char *dbString
+)
+{
+  SecKeychainAttributeList attrList;
+  SecKeychainAttribute     attrAttr;
+  OSStatus macErr;
+  CK_RV error = CKR_OK;
+
+  attrList.count = 1;
+  attrList.attr = &attrAttr;
+  attrAttr.tag = itemAttr;
+  attrAttr.data = data;
+  attrAttr.length = len;
+  macErr = SecKeychainItemModifyAttributesAndData(itemRef, &attrList, 0, NULL);
+  if (noErr != macErr) {
+    CKMK_MACERR(dbString, macErr);
+    error = CKR_ATTRIBUTE_TYPE_INVALID;
+  }
+  return error;
+}
+
+/*
+ * get an attribute (does not operate on the content)
+ */
+static CK_RV
+ckmk_GetDataAttribute
+(
+  ckmkInternalObject *io,
+  SecItemAttr itemAttr,
+  NSSItem *item,
+  char *dbString
+)
+{
+  return ckmk_GetCommonAttribute(io, itemAttr, PR_FALSE, item, dbString);
+}
+
+/*
+ * get an attribute we know is a BOOL.
+ */
+static CK_RV
+ckmk_GetBoolAttribute
+(
+  ckmkInternalObject *io,
+  SecItemAttr itemAttr,
+  NSSItem *item,
+  char *dbString
+)
+{
+  SecKeychainAttribute attr;
+  SecKeychainAttributeList attrList;
+  CK_BBOOL *boolp = NULL;
+  PRUint32 len = 0;;
+  void *out = NULL;
+  CK_RV error = CKR_OK;
+  OSStatus macErr;
+
+  attr.tag = itemAttr;
+  attr.length = 0;
+  attr.data = NULL;
+  attrList.count = 1;
+  attrList.attr = &attr;
+
+  boolp = nss_ZNEW(NULL, CK_BBOOL);
+  if ((CK_BBOOL *)NULL == boolp) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  macErr = SecKeychainItemCopyContent(io->u.item.itemRef, NULL, 
+                                      &attrList, &len, &out);
+  if (noErr != macErr) {
+    CKMK_MACERR(dbString, macErr);
+    error = CKR_ATTRIBUTE_TYPE_INVALID;
+    goto loser;
+  }
+  if (sizeof(PRUint32) != attr.length) {
+    error = CKR_ATTRIBUTE_TYPE_INVALID;
+    goto loser;
+  }
+  *boolp = *(PRUint32 *)attr.data ? 1 : 0;
+  item->data =  boolp;
+  boolp = NULL;
+  item->size = sizeof(CK_BBOOL);
+
+loser:
+  nss_ZFreeIf(boolp);
+  SecKeychainItemFreeContent(&attrList, out);
+  return error;
+}
+
+
+/*
+ * macros for fetching attributes into a cache and returning the
+ * appropriate value. These operate inside switch statements
+ */
+#define CKMK_HANDLE_ITEM(func, io, type, loc, item, error, str) \
+    if (0 == (item)->loc.size) { \
+      error = func(io, type, &(item)->loc, str); \
+    } \
+    return (CKR_OK == (error)) ? &(item)->loc : NULL;
+
+#define CKMK_HANDLE_OPT_ITEM(func, io, type, loc, item, error, str) \
+    if (0 == (item)->loc.size) { \
+      (void) func(io, type, &(item)->loc, str); \
+    } \
+    return &(item)->loc ;
+
+#define CKMK_HANDLE_BOOL_ITEM(io, type, loc, item, error, str) \
+    CKMK_HANDLE_ITEM(ckmk_GetBoolAttribute, io, type, loc, item, error, str)
+#define CKMK_HANDLE_DATA_ITEM(io, type, loc, item, error, str) \
+    CKMK_HANDLE_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
+#define CKMK_HANDLE_OPT_DATA_ITEM(io, type, loc, item, error, str) \
+    CKMK_HANDLE_OPT_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
+
+/*
+ * fetch the unique identifier for each object type.
+ */
+static void
+ckmk_FetchHashKey
+(
+  ckmkInternalObject *io
+)
+{
+  NSSItem *key = &io->hashKey;
+
+  if (io->objClass == CKO_CERTIFICATE) {
+    ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr, 
+                            PR_TRUE, key, "Fetching HashKey (cert)");
+  } else {
+    ckmk_GetCommonAttribute(io, kSecKeyLabel,
+                            PR_FALSE, key, "Fetching HashKey (key)");
+  }
+}
+
+/*
+ * Apple mucks with the actual subject and issuer, so go fetch
+ * the real ones ourselves.
+ */
+static void 
+ckmk_fetchCert
+(
+  ckmkInternalObject *io
+)
+{
+  CK_RV error;
+  unsigned char * cert, *next;
+  int certSize, thisEntrySize;
+
+  error = ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr, PR_TRUE, 
+                        &io->u.item.derCert, "Fetching Value (cert)");
+  if (CKR_OK != error) {
+    return;
+  }
+  /* unwrap the cert bundle */
+  cert  = nss_ckmk_DERUnwrap((unsigned char *)io->u.item.derCert.data,
+                            io->u.item.derCert.size,
+                            &certSize, NULL);
+  /* unwrap the cert itself */
+  /* cert == certdata */
+  cert = nss_ckmk_DERUnwrap(cert, certSize, &certSize, NULL);
+
+  /* skip the optional version */
+  if ((cert[0] & 0xa0) == 0xa0) {
+    nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+    certSize -= next - cert;
+    cert = next;
+  }
+  /* skip the serial number */
+  nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+  certSize -= next - cert;
+  cert = next;
+
+  /* skip the OID */
+  nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+  certSize -= next - cert;
+  cert = next;
+
+  /* save the (wrapped) issuer */
+  io->u.item.issuer.data = cert;
+  nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+  io->u.item.issuer.size = next - cert;
+  certSize -= io->u.item.issuer.size;
+  cert = next;
+
+  /* skip the OID */
+  nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+  certSize -= next - cert;
+  cert = next;
+
+  /* save the (wrapped) subject */
+  io->u.item.subject.data = cert;
+  nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
+  io->u.item.subject.size = next - cert;
+  certSize -= io->u.item.subject.size;
+  cert = next;
+}
+
+static void 
+ckmk_fetchModulus
+(
+  ckmkInternalObject *io
+)
+{
+  NSSItem item;
+  PRInt32 modLen;
+  CK_RV error;
+
+  /* we can't reliably get the modulus for private keys through CSSM (sigh).
+   * For NSS this is OK because we really only use this to get the modulus
+   * length (unless we are trying to get a public key from a private keys, 
+   * something CSSM ALSO does not do!).
+   */
+  error = ckmk_GetDataAttribute(io, kSecKeyKeySizeInBits, &item, 
+                        "Key Fetch Modulus");
+  if (CKR_OK != error) {
+    return;
+  }
+
+  modLen = *(PRInt32 *)item.data;
+  modLen = modLen/8; /* convert from bits to bytes */
+
+  nss_ZFreeIf(item.data);
+  io->u.item.modulus.data = nss_ZNEWARRAY(NULL, char, modLen);
+  if (NULL == io->u.item.modulus.data) {
+    return;
+  }
+  *(char *)io->u.item.modulus.data = 0x80; /* fake NSS out or it will 
+                                              * drop the first byte */
+  io->u.item.modulus.size = modLen;
+  return;
+}
+
+const NSSItem *
+ckmk_FetchCertAttribute
+(
+  ckmkInternalObject *io,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError
+)
+{
+  ckmkItemObject *item = &io->u.item;
+  *pError = CKR_OK;
+  switch(type) {
+  case CKA_CLASS:
+    return &ckmk_certClassItem;
+  case CKA_TOKEN:
+  case CKA_MODIFIABLE:
+    return &ckmk_trueItem;
+  case CKA_PRIVATE:
+    return &ckmk_falseItem;
+  case CKA_CERTIFICATE_TYPE:
+    return &ckmk_x509Item;
+  case CKA_LABEL:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecLabelItemAttr, label, item, *pError,
+                              "Cert:Label attr")
+  case CKA_SUBJECT:
+    /* OK, well apple does provide an subject and issuer attribute, but they
+     * decided to cannonicalize that value. Probably a good move for them,
+     * but makes it useless for most users of PKCS #11.. Get the real subject
+     * from the certificate */
+    if (0 == item->derCert.size) {
+      ckmk_fetchCert(io);
+    }
+    return &item->subject;
+  case CKA_ISSUER:
+    if (0 == item->derCert.size) {
+      ckmk_fetchCert(io);
+    }
+    return &item->issuer;
+  case CKA_SERIAL_NUMBER:
+    CKMK_HANDLE_DATA_ITEM(io, kSecSerialNumberItemAttr, serial, item, *pError,
+                          "Cert:Serial Number attr")
+  case CKA_VALUE:
+    if (0 == item->derCert.size) {
+      ckmk_fetchCert(io);
+    }
+    return &item->derCert;
+  case CKA_ID:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecPublicKeyHashItemAttr, id, item, *pError,
+                              "Cert:ID attr")
+  default:
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    break;
+  }
+  return NULL;
+}
+
+const NSSItem *
+ckmk_FetchPubKeyAttribute
+(
+  ckmkInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError
+)
+{
+  ckmkItemObject *item = &io->u.item;
+  *pError = CKR_OK;
+  
+  switch(type) {
+  case CKA_CLASS:
+    return &ckmk_pubKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+    return &ckmk_trueItem;
+  case CKA_KEY_TYPE:
+    return &ckmk_rsaItem;
+  case CKA_LABEL:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError,
+                              "PubKey:Label attr")
+  case CKA_ENCRYPT:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyEncrypt, encrypt, item, *pError,
+                              "PubKey:Encrypt attr")
+  case CKA_VERIFY:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerify, verify, item, *pError,
+                              "PubKey:Verify attr")
+  case CKA_VERIFY_RECOVER:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerifyRecover, verifyRecover, 
+                          item, *pError, "PubKey:VerifyRecover attr")
+  case CKA_PRIVATE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError,
+                              "PubKey:Private attr")
+  case CKA_MODIFIABLE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError,
+                              "PubKey:Modify attr")
+  case CKA_DERIVE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError,
+                              "PubKey:Derive attr")
+  case CKA_WRAP:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyWrap, wrap, item, *pError,
+                              "PubKey:Wrap attr")
+  case CKA_SUBJECT:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError,
+                              "PubKey:Subect attr")
+  case CKA_MODULUS:
+    return &ckmk_emptyItem;
+  case CKA_PUBLIC_EXPONENT:
+    return &ckmk_emptyItem;
+  case CKA_ID:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError,
+                              "PubKey:ID attr")
+  default:
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    break;
+  }
+  return NULL;
+}
+
+const NSSItem *
+ckmk_FetchPrivKeyAttribute
+(
+  ckmkInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError
+)
+{
+  ckmkItemObject *item = &io->u.item;
+  *pError = CKR_OK;
+
+  switch(type) {
+  case CKA_CLASS:
+    return &ckmk_privKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+    return &ckmk_trueItem;
+  case CKA_SENSITIVE:
+  case CKA_EXTRACTABLE: /* will probably move in the future */
+  case CKA_ALWAYS_SENSITIVE:
+  case CKA_NEVER_EXTRACTABLE:
+    return &ckmk_falseItem;
+  case CKA_KEY_TYPE:
+    return &ckmk_rsaItem;
+  case CKA_LABEL:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError,
+                              "PrivateKey:Label attr")
+  case CKA_DECRYPT:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDecrypt, decrypt, item, *pError,
+                              "PrivateKey:Decrypt attr") 
+  case CKA_SIGN:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeySign, sign, item, *pError,
+                              "PrivateKey:Sign attr") 
+  case CKA_SIGN_RECOVER:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeySignRecover, signRecover, item, *pError,
+                              "PrivateKey:Sign Recover attr") 
+  case CKA_PRIVATE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError,
+                              "PrivateKey:Private attr") 
+  case CKA_MODIFIABLE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError,
+                              "PrivateKey:Modify attr") 
+  case CKA_DERIVE:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError,
+                              "PrivateKey:Derive attr")
+  case CKA_UNWRAP:
+    CKMK_HANDLE_BOOL_ITEM(io, kSecKeyUnwrap, unwrap, item, *pError,
+                              "PrivateKey:Unwrap attr") 
+  case CKA_SUBJECT:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError,
+                              "PrivateKey:Subject attr")
+  case CKA_MODULUS:
+    if (0 == item->modulus.size) {
+      ckmk_fetchModulus(io);
+    }
+    return &item->modulus;
+  case CKA_PUBLIC_EXPONENT:
+    return &ckmk_emptyItem;
+#ifdef notdef
+  /* the following are sensitive attributes. We could implment them for 
+   * sensitive keys using the key export function, but it's better to
+   * just support wrap through this token. That will more reliably allow us
+   * to export any private key that is truly exportable.
+   */
+  case CKA_PRIVATE_EXPONENT:
+    CKMK_HANDLE_DATA_ITEM(io, kSecPrivateExponentItemAttr, privateExponent, 
+                          item, *pError)
+  case CKA_PRIME_1:
+    CKMK_HANDLE_DATA_ITEM(io, kSecPrime1ItemAttr, prime1, item, *pError)
+  case CKA_PRIME_2:
+    CKMK_HANDLE_DATA_ITEM(io, kSecPrime2ItemAttr, prime2, item, *pError)
+  case CKA_EXPONENT_1:
+    CKMK_HANDLE_DATA_ITEM(io, kSecExponent1ItemAttr, exponent1, item, *pError)
+  case CKA_EXPONENT_2:
+    CKMK_HANDLE_DATA_ITEM(io, kSecExponent2ItemAttr, exponent2, item, *pError)
+  case CKA_COEFFICIENT:
+    CKMK_HANDLE_DATA_ITEM(io, kSecCoefficientItemAttr, coefficient, 
+                          item, *pError)
+#endif
+  case CKA_ID:
+    CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError,
+                              "PrivateKey:ID attr")
+  default:
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    return NULL;
+  }
+}
+
+const NSSItem *
+nss_ckmk_FetchAttribute
+(
+  ckmkInternalObject *io, 
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError
+)
+{
+  CK_ULONG i;
+  const NSSItem * value = NULL;
+
+  if (io->type == ckmkRaw) {
+    for( i = 0; i < io->u.raw.n; i++ ) {
+      if( type == io->u.raw.types[i] ) {
+        return &io->u.raw.items[i];
+      }
+    }
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    return NULL;
+  }
+  /* deal with the common attributes */
+  switch (io->objClass) {
+  case CKO_CERTIFICATE:
+   value = ckmk_FetchCertAttribute(io, type, pError); 
+   break;
+  case CKO_PRIVATE_KEY:
+   value = ckmk_FetchPrivKeyAttribute(io, type, pError); 
+   break;
+  case CKO_PUBLIC_KEY:
+   value = ckmk_FetchPubKeyAttribute(io, type, pError); 
+   break;
+  default:
+    *pError = CKR_OBJECT_HANDLE_INVALID;
+    return NULL;
+ }
+
+#ifdef DEBUG
+  if (CKA_ID == type) {
+    itemdump("id: ", value->data, value->size, *pError);
+  }
+#endif
+  return value;
+}
+
+static void 
+ckmk_removeObjectFromHash
+(
+  ckmkInternalObject *io
+);
+
+/*
+ *
+ * These are the MSObject functions we need to implement
+ *
+ * Finalize - unneeded (actually we should clean up the hashtables)
+ * Destroy 
+ * IsTokenObject - CK_TRUE
+ * GetAttributeCount
+ * GetAttributeTypes
+ * GetAttributeSize
+ * GetAttribute
+ * SetAttribute
+ * GetObjectSize
+ */
+
+static CK_RV
+ckmk_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+  OSStatus macErr;
+
+  if (ckmkRaw == io->type) {
+    /* there is not 'object write protected' error, use the next best thing */
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  /* This API is done well. The following 4 lines are the complete apple
+   * specific part of this implementation */
+  macErr = SecKeychainItemDelete(io->u.item.itemRef);
+  if (noErr != macErr) {
+    CKMK_MACERR("Delete object", macErr);
+  }
+
+  /* remove it from the hash */
+  ckmk_removeObjectFromHash(io);
+
+  /* free the puppy.. */
+  nss_ckmk_DestroyInternalObject(io);
+
+  return CKR_OK;
+}
+
+static CK_BBOOL
+ckmk_mdObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_ULONG
+ckmk_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+
+  if (ckmkRaw == io->type) {
+     return io->u.raw.n;
+  }
+  switch (io->objClass) {
+  case CKO_CERTIFICATE:
+    return certAttrsCount;
+  case CKO_PUBLIC_KEY:
+    return pubKeyAttrsCount;
+  case CKO_PRIVATE_KEY:
+    return privKeyAttrsCount;
+  default:
+    break;
+  }
+  return 0;
+}
+
+static CK_RV
+ckmk_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+  CK_ULONG i;
+  CK_RV error = CKR_OK;
+  const CK_ATTRIBUTE_TYPE *attrs = NULL;
+  CK_ULONG size = ckmk_mdObject_GetAttributeCount(
+                        mdObject, fwObject, mdSession, fwSession, 
+                        mdToken, fwToken, mdInstance, fwInstance, &error);
+
+  if( size != ulCount ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+  if (io->type == ckmkRaw) {
+    attrs = io->u.raw.types;
+  } else switch(io->objClass) {
+    case CKO_CERTIFICATE:
+      attrs = certAttrs;
+      break;
+    case CKO_PUBLIC_KEY:
+      attrs = pubKeyAttrs;
+      break;
+    case CKO_PRIVATE_KEY:
+      attrs = privKeyAttrs;
+      break;
+    default:
+      return CKR_OK;
+  }
+  
+  for( i = 0; i < size; i++) {
+    typeArray[i] = attrs[i];
+  }
+
+  return CKR_OK;
+}
+
+static CK_ULONG
+ckmk_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+
+  const NSSItem *b;
+
+  b = nss_ckmk_FetchAttribute(io, attribute, pError);
+
+  if ((const NSSItem *)NULL == b) {
+    return 0;
+  }
+  return b->size;
+}
+
+static CK_RV
+ckmk_mdObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem           *value
+)
+{
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+  SecKeychainItemRef itemRef;
+
+  if (io->type == ckmkRaw) {
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+  itemRef = io->u.item.itemRef;
+
+  switch (io->objClass) {
+  case CKO_PRIVATE_KEY:
+  case CKO_PUBLIC_KEY:
+    switch (attribute) {
+    case CKA_ID:
+      ckmk_updateAttribute(itemRef, kSecKeyLabel, 
+                              value->data, value->size, "Set Attr Key ID");
+#ifdef DEBUG
+      itemdump("key id: ", value->data, value->size, CKR_OK);
+#endif
+      break;
+    case CKA_LABEL:
+      ckmk_updateAttribute(itemRef, kSecKeyPrintName, value->data, 
+                              value->size, "Set Attr Key Label");
+      break;
+    default:
+      break;
+    }
+    break;
+
+  case CKO_CERTIFICATE:
+    switch (attribute) {
+    case CKA_ID:
+      ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr, 
+                              value->data, value->size, "Set Attr Cert ID");
+      break;
+    case CKA_LABEL:
+      ckmk_updateAttribute(itemRef, kSecLabelItemAttr, value->data, 
+                              value->size, "Set Attr Cert Label");
+      break;
+    default:
+      break;
+    }
+    break;
+
+   default:
+    break;
+  } 
+  return CKR_OK;
+}
+
+static NSSCKFWItem
+ckmk_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  NSSCKFWItem mdItem;
+  ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
+
+  mdItem.needsFreeing = PR_FALSE;
+  mdItem.item = (NSSItem*)nss_ckmk_FetchAttribute(io, attribute, pError);
+
+
+  return mdItem;
+}
+
+static CK_ULONG
+ckmk_mdObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv = 1;
+
+  /* size is irrelevant to this token */
+  return rv;
+}
+
+static const NSSCKMDObject
+ckmk_prototype_mdObject = {
+  (void *)NULL, /* etc */
+  NULL, /* Finalize */
+  ckmk_mdObject_Destroy,
+  ckmk_mdObject_IsTokenObject,
+  ckmk_mdObject_GetAttributeCount,
+  ckmk_mdObject_GetAttributeTypes,
+  ckmk_mdObject_GetAttributeSize,
+  ckmk_mdObject_GetAttribute,
+  NULL, /* FreeAttribute */
+  ckmk_mdObject_SetAttribute,
+  ckmk_mdObject_GetObjectSize,
+  (void *)NULL /* null terminator */
+};
+
+static nssHash *ckmkInternalObjectHash = NULL;
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_ckmk_CreateMDObject
+(
+  NSSArena *arena,
+  ckmkInternalObject *io,
+  CK_RV *pError
+)
+{
+  if ((nssHash *)NULL == ckmkInternalObjectHash) {
+    ckmkInternalObjectHash = nssHash_CreateItem(NULL, 10);
+  }
+  if (ckmkItem == io->type) {
+    /* the hash key, not a cryptographic key */
+    NSSItem *key = &io->hashKey;
+    ckmkInternalObject *old_o = NULL;
+
+    if (key->size == 0) {
+      ckmk_FetchHashKey(io);
+    }
+    old_o = (ckmkInternalObject *) 
+              nssHash_Lookup(ckmkInternalObjectHash, key);
+    if (!old_o) {
+      nssHash_Add(ckmkInternalObjectHash, key, io);
+    } else if (old_o != io) {
+      nss_ckmk_DestroyInternalObject(io);
+      io = old_o;
+    }
+  }
+    
+  if ( (void*)NULL == io->mdObject.etc) {
+    (void) nsslibc_memcpy(&io->mdObject,&ckmk_prototype_mdObject,
+                                        sizeof(ckmk_prototype_mdObject));
+    io->mdObject.etc = (void *)io;
+  }
+  return &io->mdObject;
+}
+
+static void
+ckmk_removeObjectFromHash
+(
+  ckmkInternalObject *io
+)
+{
+  NSSItem *key = &io->hashKey;
+
+  if ((nssHash *)NULL == ckmkInternalObjectHash) {
+    return;
+  }
+  if (key->size == 0) {
+    ckmk_FetchHashKey(io);
+  }
+  nssHash_Remove(ckmkInternalObjectHash, key);
+  return;
+}
+
+
+void
+nss_ckmk_DestroyInternalObject
+(
+  ckmkInternalObject *io
+)
+{
+  switch (io->type) {
+  case ckmkRaw:
+    return;
+  case ckmkItem:
+    nss_ZFreeIf(io->u.item.modify.data);
+    nss_ZFreeIf(io->u.item.private.data);
+    nss_ZFreeIf(io->u.item.encrypt.data);
+    nss_ZFreeIf(io->u.item.decrypt.data);
+    nss_ZFreeIf(io->u.item.derive.data);
+    nss_ZFreeIf(io->u.item.sign.data);
+    nss_ZFreeIf(io->u.item.signRecover.data);
+    nss_ZFreeIf(io->u.item.verify.data);
+    nss_ZFreeIf(io->u.item.verifyRecover.data);
+    nss_ZFreeIf(io->u.item.wrap.data);
+    nss_ZFreeIf(io->u.item.unwrap.data);
+    nss_ZFreeIf(io->u.item.label.data);
+    /*nss_ZFreeIf(io->u.item.subject.data); */
+    /*nss_ZFreeIf(io->u.item.issuer.data); */
+    nss_ZFreeIf(io->u.item.serial.data);
+    nss_ZFreeIf(io->u.item.modulus.data);
+    nss_ZFreeIf(io->u.item.exponent.data);
+    nss_ZFreeIf(io->u.item.privateExponent.data);
+    nss_ZFreeIf(io->u.item.prime1.data);
+    nss_ZFreeIf(io->u.item.prime2.data);
+    nss_ZFreeIf(io->u.item.exponent1.data);
+    nss_ZFreeIf(io->u.item.exponent2.data);
+    nss_ZFreeIf(io->u.item.coefficient.data);
+    break;
+  }
+  nss_ZFreeIf(io);
+  return;
+}
+
+
+static ckmkInternalObject *
+nss_ckmk_NewInternalObject
+(
+  CK_OBJECT_CLASS objClass,
+  SecKeychainItemRef itemRef,
+  SecItemClass itemClass,
+  CK_RV *pError
+)
+{
+  ckmkInternalObject *io = nss_ZNEW(NULL, ckmkInternalObject);
+
+  if ((ckmkInternalObject *)NULL == io) {
+    *pError = CKR_HOST_MEMORY;
+    return io;
+  }
+  io->type = ckmkItem;
+  io->objClass = objClass;
+  io->u.item.itemRef = itemRef;
+  io->u.item.itemClass = itemClass;
+  return io;
+}
+
+/*
+ * Apple doesn't alway have a default keyChain set by the OS, use the 
+ * SearchList to try to find one.
+ */
+static CK_RV
+ckmk_GetSafeDefaultKeychain
+(
+  SecKeychainRef *keychainRef
+)
+{
+  OSStatus macErr;
+  CFArrayRef searchList = 0;
+  CK_RV error = CKR_OK;
+
+  macErr = SecKeychainCopyDefault(keychainRef);
+  if (noErr != macErr) {
+    int searchCount = 0;
+    if (errSecNoDefaultKeychain != macErr) {
+      CKMK_MACERR("Getting default key chain", macErr);
+      error = CKR_GENERAL_ERROR;
+      goto loser;
+    }
+    /* ok, we don't have a default key chain, find one */
+    macErr = SecKeychainCopySearchList(&searchList);
+    if (noErr != macErr) {
+      CKMK_MACERR("failed to find a keyring searchList", macErr);
+      error = CKR_DEVICE_REMOVED;
+      goto loser;
+    }
+    searchCount = CFArrayGetCount(searchList);
+    if (searchCount < 1) {
+      error = CKR_DEVICE_REMOVED;
+      goto loser;
+    }
+    *keychainRef = 
+        (SecKeychainRef)CFRetain(CFArrayGetValueAtIndex(searchList, 0));
+    if (0 == *keychainRef) {
+      error = CKR_DEVICE_REMOVED;
+      goto loser;
+    }
+    /* should we set it as default? */
+  }
+loser:
+  if (0 != searchList) {
+    CFRelease(searchList);
+  }
+  return error;
+}
+static ckmkInternalObject *
+nss_ckmk_CreateCertificate
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSItem value;
+  ckmkInternalObject *io = NULL; 
+  OSStatus macErr;
+  SecCertificateRef certRef;
+  SecKeychainItemRef itemRef;
+  SecKeychainRef keychainRef;
+  CSSM_DATA certData;
+
+  *pError = nss_ckmk_GetAttribute(CKA_VALUE, pTemplate, 
+                                  ulAttributeCount, &value);
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+  certData.Data = value.data;
+  certData.Length = value.size;
+  macErr = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, 
+                              CSSM_CERT_ENCODING_BER, &certRef);
+  if (noErr != macErr) {
+    CKMK_MACERR("Create cert from data Failed", macErr);
+    *pError = CKR_GENERAL_ERROR; /* need to map macErr */
+    goto loser;
+  }
+
+  *pError = ckmk_GetSafeDefaultKeychain(&keychainRef);
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+  macErr = SecCertificateAddToKeychain( certRef, keychainRef);
+  itemRef = (SecKeychainItemRef) certRef;
+  if (errSecDuplicateItem != macErr) {
+    NSSItem keyID = { NULL, 0 };
+    char *nickname = NULL;
+    CK_RV dummy;
+
+    if (noErr != macErr) {
+      CKMK_MACERR("Add cert to keychain Failed", macErr);
+      *pError = CKR_GENERAL_ERROR; /* need to map macErr */
+      goto loser;
+    }
+    /* these two are optional */
+    nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate, 
+                                  ulAttributeCount, &dummy);
+    /* we've added a new one, update the attributes in the key ring */
+    if (nickname) {
+      ckmk_updateAttribute(itemRef, kSecLabelItemAttr, nickname, 
+                              strlen(nickname)+1, "Modify Cert Label");
+      nss_ZFreeIf(nickname);
+    }
+    dummy = nss_ckmk_GetAttribute(CKA_ID, pTemplate, 
+                                  ulAttributeCount, &keyID);
+    if (CKR_OK == dummy) {
+      dummy = ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr, 
+                              keyID.data, keyID.size, "Modify Cert ID");
+    }
+  }
+
+  io = nss_ckmk_NewInternalObject(CKO_CERTIFICATE, itemRef, 
+                                  kSecCertificateItemClass, pError);
+  if ((ckmkInternalObject *)NULL != io) {
+    itemRef = 0;
+  }
+
+loser:
+  if (0 != itemRef) {
+    CFRelease(itemRef);
+  }
+  if (0 != keychainRef) {
+    CFRelease(keychainRef);
+  }
+
+  return io;
+}
+
+/*
+ * PKCS #8 attributes
+ */
+struct ckmk_AttributeStr {
+    SECItem attrType;
+    SECItem *attrValue;
+};
+typedef struct ckmk_AttributeStr ckmk_Attribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct PrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    ckmk_Attribute **attributes;
+};
+typedef struct PrivateKeyInfoStr PrivateKeyInfo;
+
+const SEC_ASN1Template ckmk_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RSAPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,version) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,modulus) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,prime1) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,prime2) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,coefficient) },
+    { 0 }                                                                     
+}; 
+
+const SEC_ASN1Template ckmk_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ckmk_Attribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(ckmk_Attribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(ckmk_Attribute, attrValue), 
+        SEC_AnyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template ckmk_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, ckmk_AttributeTemplate },
+};
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template ckmk_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PrivateKeyInfo) },
+    { SEC_ASN1_INTEGER, offsetof(PrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(PrivateKeyInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(PrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(PrivateKeyInfo, attributes), ckmk_SetOfAttributeTemplate },
+    { 0 }
+};
+
+#define CKMK_PRIVATE_KEY_INFO_VERSION 0
+static CK_RV
+ckmk_CreateRSAKeyBlob
+(
+  RSAPrivateKey *lk,
+  NSSItem *keyBlob
+)
+{
+  PrivateKeyInfo *pki = NULL;
+  PLArenaPool *arena = NULL;
+  SECOidTag algorithm = SEC_OID_UNKNOWN;
+  void *dummy;
+  SECStatus rv;
+  SECItem *encodedKey = NULL;
+  CK_RV error = CKR_OK;
+
+  arena = PORT_NewArena(2048);         /* XXX different size? */
+  if(!arena) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  pki = (PrivateKeyInfo*)PORT_ArenaZAlloc(arena, sizeof(PrivateKeyInfo));
+  if(!pki) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  pki->arena = arena;
+
+  dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+                             ckmk_RSAPrivateKeyTemplate);
+  algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+ 
+  if (!dummy) {
+    error = CKR_DEVICE_ERROR; /* should map NSS SECError */
+    goto loser;
+  }
+    
+  rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, 
+                             (SECItem*)NULL);
+  if (rv != SECSuccess) {
+    error = CKR_DEVICE_ERROR; /* should map NSS SECError */
+    goto loser;
+  }
+
+  dummy = SEC_ASN1EncodeInteger(arena, &pki->version, 
+                                CKMK_PRIVATE_KEY_INFO_VERSION);
+  if (!dummy) {
+    error = CKR_DEVICE_ERROR; /* should map NSS SECError */
+    goto loser;
+  }
+
+  encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
+                                  ckmk_PrivateKeyInfoTemplate);
+  if (!encodedKey) {
+    error = CKR_DEVICE_ERROR;
+    goto loser;
+  }
+
+  keyBlob->data = nss_ZNEWARRAY(NULL, char, encodedKey->len);
+  if (NULL == keyBlob->data) {
+    error = CKR_HOST_MEMORY;
+    goto loser;
+  }
+  nsslibc_memcpy(keyBlob->data, encodedKey->data, encodedKey->len);
+  keyBlob->size = encodedKey->len;
+
+loser:
+  if(arena) {
+    PORT_FreeArena(arena, PR_TRUE);
+  }
+  if (encodedKey) {
+    SECITEM_FreeItem(encodedKey, PR_TRUE);
+  }
+ 
+  return error;
+}
+/*
+ * There MUST be a better way to do this. For now, find the key based on the
+ * default name Apple gives it once we import.
+ */
+#define IMPORTED_NAME "Imported Private Key"
+static CK_RV
+ckmk_FindImportedKey
+(
+  SecKeychainRef keychainRef,
+  SecItemClass itemClass,
+  SecKeychainItemRef *outItemRef
+)
+{
+  OSStatus macErr;
+  SecKeychainSearchRef searchRef = 0;
+  SecKeychainItemRef newItemRef;
+
+  macErr = SecKeychainSearchCreateFromAttributes(keychainRef, itemClass,
+           NULL, &searchRef);
+  if (noErr != macErr) {
+    CKMK_MACERR("Can't search for Key", macErr);
+    return CKR_GENERAL_ERROR;
+  }
+  while (noErr == SecKeychainSearchCopyNext(searchRef, &newItemRef)) {
+    SecKeychainAttributeList *attrList = NULL;
+    SecKeychainAttributeInfo attrInfo;
+    SecItemAttr itemAttr = kSecKeyPrintName;
+    PRUint32 attrFormat = 0;
+    OSStatus macErr;
+
+    attrInfo.count = 1;
+    attrInfo.tag = &itemAttr;
+    attrInfo.format = &attrFormat;
+
+    macErr = SecKeychainItemCopyAttributesAndData(newItemRef,
+                                &attrInfo, NULL, &attrList, NULL, NULL);
+    if (noErr == macErr) {
+      if (nsslibc_memcmp(attrList->attr->data, IMPORTED_NAME, 
+                         attrList->attr->length, NULL) == 0) {
+        *outItemRef = newItemRef;
+        CFRelease (searchRef);
+        SecKeychainItemFreeAttributesAndData(attrList, NULL);
+        return CKR_OK;
+      }
+      SecKeychainItemFreeAttributesAndData(attrList, NULL);
+    }
+    CFRelease(newItemRef);
+  }
+  CFRelease (searchRef);
+  return CKR_GENERAL_ERROR; /* we can come up with something better! */
+}
+
+static ckmkInternalObject *
+nss_ckmk_CreatePrivateKey
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSItem attribute;
+  RSAPrivateKey lk;
+  NSSItem keyID;
+  char *nickname = NULL;
+  ckmkInternalObject *io = NULL;
+  CK_KEY_TYPE keyType;
+  OSStatus macErr;
+  SecKeychainItemRef itemRef = 0;
+  NSSItem keyBlob = { NULL, 0 };
+  CFDataRef dataRef = 0;
+  SecExternalFormat inputFormat = kSecFormatBSAFE; 
+  /*SecExternalFormat inputFormat = kSecFormatOpenSSL;  */
+  SecExternalItemType itemType = kSecItemTypePrivateKey;
+  SecKeyImportExportParameters keyParams ;
+  SecKeychainRef targetKeychain = 0;
+  unsigned char zero = 0;
+  CK_RV error;
+  
+  keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+  keyParams.flags = 0;
+  keyParams.passphrase = 0;
+  keyParams.alertTitle = 0;
+  keyParams.alertPrompt = 0;
+  keyParams.accessRef = 0; /* default */
+  keyParams.keyUsage = 0; /* will get filled in */
+  keyParams.keyAttributes = CSSM_KEYATTR_PERMANENT; /* will get filled in */
+  keyType = nss_ckmk_GetULongAttribute
+                  (CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  if (CKK_RSA != keyType) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (ckmkInternalObject *)NULL;
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_DECRYPT, 
+                                pTemplate, ulAttributeCount, CK_TRUE)) {
+    keyParams.keyUsage |= CSSM_KEYUSE_DECRYPT;
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_UNWRAP, 
+                                pTemplate, ulAttributeCount, CK_TRUE)) {
+    keyParams.keyUsage |=  CSSM_KEYUSE_UNWRAP;
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_SIGN, 
+                                pTemplate, ulAttributeCount, CK_TRUE)) {
+    keyParams.keyUsage |= CSSM_KEYUSE_SIGN;
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_DERIVE, 
+                                pTemplate, ulAttributeCount, CK_FALSE)) {
+    keyParams.keyUsage |= CSSM_KEYUSE_DERIVE;
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_SENSITIVE, 
+                                pTemplate, ulAttributeCount, CK_TRUE)) {
+    keyParams.keyAttributes |= CSSM_KEYATTR_SENSITIVE; 
+  }
+  if (nss_ckmk_GetBoolAttribute(CKA_EXTRACTABLE, 
+                                pTemplate, ulAttributeCount, CK_TRUE)) {
+    keyParams.keyAttributes |= CSSM_KEYATTR_EXTRACTABLE;
+  }
+
+  lk.version.type = siUnsignedInteger;
+  lk.version.data = &zero;
+  lk.version.len = 1;
+
+  *pError = nss_ckmk_GetAttribute(CKA_MODULUS, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.modulus.type = siUnsignedInteger;
+  lk.modulus.data = attribute.data;
+  lk.modulus.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.publicExponent.type = siUnsignedInteger;
+  lk.publicExponent.data = attribute.data;
+  lk.publicExponent.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.privateExponent.type = siUnsignedInteger;
+  lk.privateExponent.data = attribute.data;
+  lk.privateExponent.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_PRIME_1, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.prime1.type = siUnsignedInteger;
+  lk.prime1.data = attribute.data;
+  lk.prime1.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_PRIME_2, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.prime2.type = siUnsignedInteger;
+  lk.prime2.data = attribute.data;
+  lk.prime2.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_1, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.exponent1.type = siUnsignedInteger;
+  lk.exponent1.data = attribute.data;
+  lk.exponent1.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_2, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.exponent2.type = siUnsignedInteger;
+  lk.exponent2.data = attribute.data;
+  lk.exponent2.len = attribute.size;
+
+  *pError = nss_ckmk_GetAttribute(CKA_COEFFICIENT, pTemplate, 
+                                  ulAttributeCount, &attribute);
+  if (CKR_OK != *pError) {
+    return (ckmkInternalObject *)NULL;
+  }
+  lk.coefficient.type = siUnsignedInteger;
+  lk.coefficient.data = attribute.data;
+  lk.coefficient.len = attribute.size;
+
+  /* ASN1 Encode the pkcs8 structure... look at softoken to see how this
+   * is done... */
+  error = ckmk_CreateRSAKeyBlob(&lk, &keyBlob);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+
+  dataRef = CFDataCreate(NULL, (UInt8 *)keyBlob.data, keyBlob.size);
+  if (0 == dataRef) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  *pError == ckmk_GetSafeDefaultKeychain(&targetKeychain);
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+
+  /* the itemArray that is returned is useless. the item does not
+   * is 'not on the key chain' so none of the modify calls work on it.
+   * It also has a key that isn't the same key as the one in the actual
+   * key chain. In short it isn't the item we want, and it gives us zero
+   * information about the item we want, so don't even bother with it...
+   */
+  macErr = SecKeychainItemImport(dataRef, NULL, &inputFormat, &itemType, 0,
+        &keyParams, targetKeychain, NULL);
+  if (noErr != macErr) {
+    CKMK_MACERR("Import Private Key", macErr);
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  *pError = ckmk_FindImportedKey(targetKeychain, 
+                                 CSSM_DL_DB_RECORD_PRIVATE_KEY,
+                                 &itemRef);
+  if (CKR_OK != *pError) {
+#ifdef DEBUG
+    fprintf(stderr,"couldn't find key in keychain \n");
+#endif
+    goto loser;
+  }
+
+
+  /* set the CKA_ID and  the CKA_LABEL */
+  error = nss_ckmk_GetAttribute(CKA_ID, pTemplate, 
+                                  ulAttributeCount, &keyID);
+  if (CKR_OK == error) {
+    error = ckmk_updateAttribute(itemRef, kSecKeyLabel, 
+                              keyID.data, keyID.size, "Modify Key ID");
+#ifdef DEBUG
+    itemdump("key id: ", keyID.data, keyID.size, error);
+#endif
+  }
+  nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate, 
+                                  ulAttributeCount, &error);
+  if (nickname) {
+    ckmk_updateAttribute(itemRef, kSecKeyPrintName, nickname, 
+                              strlen(nickname)+1, "Modify Key Label");
+  } else {
+#define DEFAULT_NICKNAME "NSS Imported Key"
+    ckmk_updateAttribute(itemRef, kSecKeyPrintName, DEFAULT_NICKNAME, 
+                              sizeof(DEFAULT_NICKNAME), "Modify Key Label");
+  }
+
+  io = nss_ckmk_NewInternalObject(CKO_PRIVATE_KEY, itemRef, 
+                                  CSSM_DL_DB_RECORD_PRIVATE_KEY, pError);
+  if ((ckmkInternalObject *)NULL == io) {
+    CFRelease(itemRef);
+  }
+
+  return io;
+
+loser:
+  /* free the key blob */
+  if (keyBlob.data) {
+    nss_ZFreeIf(keyBlob.data);
+  }
+  if (0 != targetKeychain) {
+    CFRelease(targetKeychain);
+  }
+  if (0 != dataRef) {
+    CFRelease(dataRef);
+  }
+  return io;
+}
+
+
+NSS_EXTERN NSSCKMDObject *
+nss_ckmk_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  CK_OBJECT_CLASS objClass;
+  ckmkInternalObject *io;
+  CK_BBOOL isToken;
+
+  /*
+   * only create token objects
+   */
+  isToken = nss_ckmk_GetBoolAttribute(CKA_TOKEN, pTemplate, 
+                                      ulAttributeCount, CK_FALSE);
+  if (!isToken) {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+    return (NSSCKMDObject *) NULL;
+  }
+
+  /*
+   * only create keys and certs.
+   */
+  objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, pTemplate, 
+                                        ulAttributeCount, pError);
+  if (CKR_OK != *pError) {
+    return (NSSCKMDObject *) NULL;
+  }
+#ifdef notdef
+  if (objClass == CKO_PUBLIC_KEY) {
+    return CKR_OK; /* fake public key creation, happens as a side effect of
+                    * private key creation */
+  }
+#endif
+  if (objClass == CKO_CERTIFICATE) {
+    io = nss_ckmk_CreateCertificate(fwSession, pTemplate, 
+                                    ulAttributeCount, pError);
+  } else if (objClass == CKO_PRIVATE_KEY) {
+    io = nss_ckmk_CreatePrivateKey(fwSession, pTemplate, 
+                                   ulAttributeCount, pError);
+  } else {
+    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+  }
+
+  if ((ckmkInternalObject *)NULL == io) {
+    return (NSSCKMDObject *) NULL;
+  }
+  return nss_ckmk_CreateMDObject(NULL, io, pError);
+}
diff --git a/security/nss/lib/ckfw/nssmkey/mrsa.c b/security/nss/lib/ckfw/nssmkey/mrsa.c
new file mode 100644
index 000000000..7292b22a1
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mrsa.c
@@ -0,0 +1,547 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+
+/* Sigh, For all the talk about 'ease of use', apple has hidden the interfaces
+ * needed to be able to truly use CSSM. These came from their modification
+ * to NSS's S/MIME code. The following two functions currently are not
+ * part of the SecKey.h interface.
+ */
+OSStatus 
+SecKeyGetCredentials
+(
+  SecKeyRef keyRef,
+  CSSM_ACL_AUTHORIZATION_TAG authTag,
+  int type,
+  const CSSM_ACCESS_CREDENTIALS **creds
+);
+
+/* this function could be implemented using 'SecKeychainItemCopyKeychain' and
+ * 'SecKeychainGetCSPHandle' */
+OSStatus 
+SecKeyGetCSPHandle
+(
+  SecKeyRef keyRef,
+  CSSM_CSP_HANDLE *cspHandle
+);
+
+
+typedef struct ckmkInternalCryptoOperationRSAPrivStr 
+               ckmkInternalCryptoOperationRSAPriv;
+struct ckmkInternalCryptoOperationRSAPrivStr
+{
+  NSSCKMDCryptoOperation mdOperation;
+  NSSCKMDMechanism     *mdMechanism;
+  ckmkInternalObject *iKey;
+  NSSItem  *buffer;
+  CSSM_CC_HANDLE cssmContext;
+};
+
+typedef enum {
+  CKMK_DECRYPT,
+  CKMK_SIGN
+} ckmkRSAOpType;
+
+/*
+ * ckmk_mdCryptoOperationRSAPriv_Create
+ */
+static NSSCKMDCryptoOperation *
+ckmk_mdCryptoOperationRSAPriv_Create
+(
+  const NSSCKMDCryptoOperation *proto,
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKMDObject *mdKey,
+  ckmkRSAOpType type,
+  CK_RV *pError
+)
+{
+  ckmkInternalObject *iKey = (ckmkInternalObject *)mdKey->etc;
+  const NSSItem *classItem = nss_ckmk_FetchAttribute(iKey, CKA_CLASS, pError);
+  const NSSItem *keyType = nss_ckmk_FetchAttribute(iKey, CKA_KEY_TYPE, pError);
+  ckmkInternalCryptoOperationRSAPriv *iOperation;
+  SecKeyRef privateKey;
+  OSStatus macErr;
+  CSSM_RETURN cssmErr;
+  const CSSM_KEY *cssmKey;
+  CSSM_CSP_HANDLE cspHandle;
+  const CSSM_ACCESS_CREDENTIALS *creds = NULL;
+  CSSM_CC_HANDLE cssmContext;
+  CSSM_ACL_AUTHORIZATION_TAG authType;
+
+  /* make sure we have the right objects */
+  if (((const NSSItem *)NULL == classItem) ||
+      (sizeof(CK_OBJECT_CLASS) != classItem->size) ||
+      (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
+      ((const NSSItem *)NULL == keyType) ||
+      (sizeof(CK_KEY_TYPE) != keyType->size) ||
+      (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
+    *pError =  CKR_KEY_TYPE_INCONSISTENT;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  privateKey = (SecKeyRef) iKey->u.item.itemRef;
+  macErr = SecKeyGetCSSMKey(privateKey, &cssmKey);
+  if (noErr != macErr) {
+    CKMK_MACERR("Getting CSSM Key", macErr);
+    *pError = CKR_KEY_HANDLE_INVALID;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  macErr = SecKeyGetCSPHandle(privateKey, &cspHandle);
+  if (noErr != macErr) {
+    CKMK_MACERR("Getting CSP for Key", macErr);
+    *pError = CKR_KEY_HANDLE_INVALID;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  switch (type) {
+  case CKMK_DECRYPT:
+    authType = CSSM_ACL_AUTHORIZATION_DECRYPT;
+    break;
+  case CKMK_SIGN:
+    authType = CSSM_ACL_AUTHORIZATION_SIGN;
+    break;
+  default:
+    *pError = CKR_GENERAL_ERROR;
+#ifdef DEBUG
+    fprintf(stderr,"RSAPriv_Create: bad type = %d\n", type);
+#endif
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  macErr = SecKeyGetCredentials(privateKey, authType, 0, &creds);
+  if (noErr != macErr) {
+    CKMK_MACERR("Getting Credentials for Key", macErr);
+    *pError = CKR_KEY_HANDLE_INVALID;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  
+  switch (type) {
+  case CKMK_DECRYPT:
+    cssmErr = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA,
+                        creds, cssmKey, CSSM_PADDING_PKCS1, &cssmContext);
+    break;
+  case CKMK_SIGN:
+    cssmErr = CSSM_CSP_CreateSignatureContext(cspHandle, CSSM_ALGID_RSA,
+                                              creds, cssmKey, &cssmContext);
+    break;
+  default:
+    *pError = CKR_GENERAL_ERROR;
+#ifdef DEBUG
+    fprintf(stderr,"RSAPriv_Create: bad type = %d\n", type);
+#endif
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  if (noErr != cssmErr) {
+    CKMK_MACERR("Getting Context for Key", cssmErr);
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  iOperation = nss_ZNEW(NULL, ckmkInternalCryptoOperationRSAPriv);
+  if ((ckmkInternalCryptoOperationRSAPriv *)NULL == iOperation) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  iOperation->mdMechanism = mdMechanism;
+  iOperation->iKey = iKey;
+  iOperation->cssmContext = cssmContext;
+
+  nsslibc_memcpy(&iOperation->mdOperation, 
+                 proto, sizeof(NSSCKMDCryptoOperation));
+  iOperation->mdOperation.etc = iOperation;
+
+  return &iOperation->mdOperation;
+}
+
+static void
+ckmk_mdCryptoOperationRSAPriv_Destroy
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ckmkInternalCryptoOperationRSAPriv *iOperation =
+       (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
+
+  if (iOperation->buffer) {
+    nssItem_Destroy(iOperation->buffer);
+  }
+  if (iOperation->cssmContext) {
+    CSSM_DeleteContext(iOperation->cssmContext);
+  }
+  nss_ZFreeIf(iOperation);
+  return;
+}
+
+static CK_ULONG
+ckmk_mdCryptoOperationRSA_GetFinalLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckmkInternalCryptoOperationRSAPriv *iOperation =
+       (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  const NSSItem *modulus = 
+       nss_ckmk_FetchAttribute(iOperation->iKey, CKA_MODULUS, pError);
+
+  return modulus->size;
+}
+
+
+/*
+ * ckmk_mdCryptoOperationRSADecrypt_GetOperationLength
+ * we won't know the length until we actually decrypt the
+ * input block. Since we go to all the work to decrypt the
+ * the block, we'll save if for when the block is asked for
+ */
+static CK_ULONG
+ckmk_mdCryptoOperationRSADecrypt_GetOperationLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  CK_RV *pError
+)
+{
+  ckmkInternalCryptoOperationRSAPriv *iOperation =
+       (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; 
+  CSSM_DATA cssmInput;
+  CSSM_DATA cssmOutput = { 0, NULL };
+  PRUint32  bytesDecrypted;
+  CSSM_DATA remainder = { 0, NULL };
+  NSSItem output;
+  CSSM_RETURN cssmErr;
+
+  if (iOperation->buffer) {
+    return iOperation->buffer->size;
+  }
+
+  cssmInput.Data = input->data;
+  cssmInput.Length = input->size;
+
+  cssmErr = CSSM_DecryptData(iOperation->cssmContext, 
+			     &cssmInput, 1, &cssmOutput, 1,
+			     &bytesDecrypted, &remainder);
+  if (CSSM_OK != cssmErr) {
+    CKMK_MACERR("Decrypt Failed", cssmErr);
+    *pError = CKR_DATA_INVALID;
+    return 0;
+  }
+  /* we didn't suppy any buffers, so it should all be in remainder */
+  output.data = nss_ZNEWARRAY(NULL, char, bytesDecrypted + remainder.Length);
+  if (NULL == output.data) {
+    free(cssmOutput.Data);
+    free(remainder.Data);
+    *pError = CKR_HOST_MEMORY;
+    return 0;
+  }
+  output.size = bytesDecrypted + remainder.Length;
+
+  if (0 != bytesDecrypted) {
+    nsslibc_memcpy(output.data, cssmOutput.Data, bytesDecrypted);
+    free(cssmOutput.Data);
+  }
+  if (0 != remainder.Length) {
+    nsslibc_memcpy(((char *)output.data)+bytesDecrypted, 
+	           remainder.Data, remainder.Length);
+    free(remainder.Data);
+  }
+  
+  iOperation->buffer = nssItem_Duplicate(&output, NULL, NULL);
+  nss_ZFreeIf(output.data);
+  if ((NSSItem *) NULL == iOperation->buffer) {
+    *pError = CKR_HOST_MEMORY;
+    return 0;
+  }
+
+  return iOperation->buffer->size;
+}
+
+/*
+ * ckmk_mdCryptoOperationRSADecrypt_UpdateFinal
+ *
+ * NOTE: ckmk_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to 
+ * have been called previously.
+ */
+static CK_RV
+ckmk_mdCryptoOperationRSADecrypt_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckmkInternalCryptoOperationRSAPriv *iOperation =
+       (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; 
+  NSSItem *buffer = iOperation->buffer;
+
+  if ((NSSItem *)NULL == buffer) {
+    return CKR_GENERAL_ERROR;
+  }
+  nsslibc_memcpy(output->data, buffer->data, buffer->size);
+  output->size = buffer->size;
+  return CKR_OK;
+}
+
+/*
+ * ckmk_mdCryptoOperationRSASign_UpdateFinal
+ *
+ */
+static CK_RV
+ckmk_mdCryptoOperationRSASign_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckmkInternalCryptoOperationRSAPriv *iOperation =
+       (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  CSSM_DATA cssmInput;
+  CSSM_DATA cssmOutput = { 0, NULL };
+  CSSM_RETURN cssmErr;
+
+  cssmInput.Data = input->data;
+  cssmInput.Length = input->size; 
+
+  cssmErr = CSSM_SignData(iOperation->cssmContext, &cssmInput, 1,
+                          CSSM_ALGID_NONE, &cssmOutput);
+  if (CSSM_OK != cssmErr) {
+    CKMK_MACERR("Signed Failed", cssmErr);
+    return CKR_FUNCTION_FAILED;
+  }
+  if (cssmOutput.Length > output->size) {
+    free(cssmOutput.Data);
+    return CKR_BUFFER_TOO_SMALL;
+  }
+  nsslibc_memcpy(output->data, cssmOutput.Data, cssmOutput.Length);
+  free(cssmOutput.Data);
+  output->size = cssmOutput.Length;
+
+  return CKR_OK;
+}
+  
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckmk_mdCryptoOperationRSADecrypt_proto = {
+  NULL, /* etc */
+  ckmk_mdCryptoOperationRSAPriv_Destroy,
+  NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
+  ckmk_mdCryptoOperationRSADecrypt_GetOperationLength,
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckmk_mdCryptoOperationRSADecrypt_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckmk_mdCryptoOperationRSASign_proto = {
+  NULL, /* etc */
+  ckmk_mdCryptoOperationRSAPriv_Destroy,
+  ckmk_mdCryptoOperationRSA_GetFinalLength,
+  NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckmk_mdCryptoOperationRSASign_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+/********** NSSCKMDMechansim functions ***********************/
+/*
+ * ckmk_mdMechanismRSA_Destroy
+ */
+static void
+ckmk_mdMechanismRSA_Destroy
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_ZFreeIf(fwMechanism);
+}
+
+/*
+ * ckmk_mdMechanismRSA_GetMinKeySize
+ */
+static CK_ULONG
+ckmk_mdMechanismRSA_GetMinKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 384;
+}
+
+/*
+ * ckmk_mdMechanismRSA_GetMaxKeySize
+ */
+static CK_ULONG
+ckmk_mdMechanismRSA_GetMaxKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 16384;
+}
+
+/*
+ * ckmk_mdMechanismRSA_DecryptInit
+ */
+static NSSCKMDCryptoOperation * 
+ckmk_mdMechanismRSA_DecryptInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckmk_mdCryptoOperationRSAPriv_Create(
+		&ckmk_mdCryptoOperationRSADecrypt_proto,
+		mdMechanism, mdKey, CKMK_DECRYPT, pError);
+}
+
+/*
+ * ckmk_mdMechanismRSA_SignInit
+ */
+static NSSCKMDCryptoOperation * 
+ckmk_mdMechanismRSA_SignInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckmk_mdCryptoOperationRSAPriv_Create(
+		&ckmk_mdCryptoOperationRSASign_proto,
+		mdMechanism, mdKey, CKMK_SIGN, pError);
+}
+
+
+NSS_IMPLEMENT_DATA const NSSCKMDMechanism
+nss_ckmk_mdMechanismRSA = {
+  (void *)NULL, /* etc */
+  ckmk_mdMechanismRSA_Destroy,
+  ckmk_mdMechanismRSA_GetMinKeySize,
+  ckmk_mdMechanismRSA_GetMaxKeySize,
+  NULL, /* GetInHardware - default false */
+  NULL, /* EncryptInit - default errs */
+  ckmk_mdMechanismRSA_DecryptInit,
+  NULL, /* DigestInit - default errs*/
+  ckmk_mdMechanismRSA_SignInit,
+  NULL, /* VerifyInit - default errs */
+  ckmk_mdMechanismRSA_SignInit,  /* SignRecoverInit */
+  NULL, /* VerifyRecoverInit - default errs */
+  NULL, /* GenerateKey - default errs */
+  NULL, /* GenerateKeyPair - default errs */
+  NULL, /* GetWrapKeyLength - default errs */
+  NULL, /* WrapKey - default errs */
+  NULL, /* UnwrapKey - default errs */
+  NULL, /* DeriveKey - default errs */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/nssmkey/msession.c b/security/nss/lib/ckfw/nssmkey/msession.c
new file mode 100644
index 000000000..c64ae23db
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/msession.c
@@ -0,0 +1,131 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+
+/*
+ * nssmkey/msession.c
+ *
+ * This file implements the NSSCKMDSession object for the 
+ * "nssmkey" cryptoki module.
+ */
+
+static NSSCKMDFindObjects *
+ckmk_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_ckmk_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+static NSSCKMDObject *
+ckmk_mdSession_CreateObject
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena        *arena,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_ckmk_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_ckmk_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  /* 
+   * rv was zeroed when allocated, so we only 
+   * need to set the non-zero members.
+   */
+
+  rv->etc = (void *)fwSession;
+  /* rv->Close */
+  /* rv->GetDeviceError */
+  /* rv->Login */
+  /* rv->Logout */
+  /* rv->InitPIN */
+  /* rv->SetPIN */
+  /* rv->GetOperationStateLen */
+  /* rv->GetOperationState */
+  /* rv->SetOperationState */
+  rv->CreateObject = ckmk_mdSession_CreateObject;
+  /* rv->CopyObject */
+  rv->FindObjectsInit = ckmk_mdSession_FindObjectsInit;
+  /* rv->SeedRandom */
+  /* rv->GetRandom */
+  /* rv->null */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/nssmkey/mslot.c b/security/nss/lib/ckfw/nssmkey/mslot.c
new file mode 100644
index 000000000..e237e103b
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mslot.c
@@ -0,0 +1,129 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+
+/*
+ * nssmkey/mslot.c
+ *
+ * This file implements the NSSCKMDSlot object for the
+ * "nssmkey" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckmk_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_SlotDescription;
+}
+
+static NSSUTF8 *
+ckmk_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_ManufacturerID;
+}
+
+static CK_VERSION
+ckmk_mdSlot_GetHardwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_HardwareVersion;
+}
+
+static CK_VERSION
+ckmk_mdSlot_GetFirmwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_FirmwareVersion;
+}
+
+static NSSCKMDToken *
+ckmk_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSCKMDToken *)&nss_ckmk_mdToken;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDSlot
+nss_ckmk_mdSlot = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Destroy */
+  ckmk_mdSlot_GetSlotDescription,
+  ckmk_mdSlot_GetManufacturerID,
+  NULL, /* GetTokenPresent -- defaults to true */
+  NULL, /* GetRemovableDevice -- defaults to false */
+  NULL, /* GetHardwareSlot -- defaults to false */
+  ckmk_mdSlot_GetHardwareVersion,
+  ckmk_mdSlot_GetFirmwareVersion,
+  ckmk_mdSlot_GetToken,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/nssmkey/mtoken.c b/security/nss/lib/ckfw/nssmkey/mtoken.c
new file mode 100644
index 000000000..25b5ccdca
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/mtoken.c
@@ -0,0 +1,246 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckmk.h"
+
+/*
+ * nssmkey/mtoken.c
+ *
+ * This file implements the NSSCKMDToken object for the
+ * "nssmkey" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckmk_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_TokenLabel;
+}
+
+static NSSUTF8 *
+ckmk_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckmk_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_TokenModel;
+}
+
+static NSSUTF8 *
+ckmk_mdToken_GetSerialNumber
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckmk_TokenSerialNumber;
+}
+
+static CK_BBOOL
+ckmk_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_FALSE;
+}
+
+/* fake out Mozilla so we don't try to initialize the token */
+static CK_BBOOL
+ckmk_mdToken_GetUserPinInitialized
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_VERSION
+ckmk_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_HardwareVersion;
+}
+
+static CK_VERSION
+ckmk_mdToken_GetFirmwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckmk_FirmwareVersion;
+}
+
+static NSSCKMDSession *
+ckmk_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  return nss_ckmk_CreateSession(fwSession, pError);
+}
+
+static CK_ULONG
+ckmk_mdToken_GetMechanismCount
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_RV
+ckmk_mdToken_GetMechanismTypes
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE types[]
+)
+{
+  types[0] = CKM_RSA_PKCS;
+  return CKR_OK;
+}
+
+static NSSCKMDMechanism *
+ckmk_mdToken_GetMechanism
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+)
+{
+  if (which != CKM_RSA_PKCS) {
+    *pError = CKR_MECHANISM_INVALID;
+    return (NSSCKMDMechanism *)NULL;
+  }
+  return (NSSCKMDMechanism *)&nss_ckmk_mdMechanismRSA;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDToken
+nss_ckmk_mdToken = {
+  (void *)NULL, /* etc */
+  NULL, /* Setup */
+  NULL, /* Invalidate */
+  NULL, /* InitToken -- default errs */
+  ckmk_mdToken_GetLabel,
+  ckmk_mdToken_GetManufacturerID,
+  ckmk_mdToken_GetModel,
+  ckmk_mdToken_GetSerialNumber,
+  NULL, /* GetHasRNG -- default is false */
+  ckmk_mdToken_GetIsWriteProtected,
+  NULL, /* GetLoginRequired -- default is false */
+  ckmk_mdToken_GetUserPinInitialized,
+  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
+  NULL, /* GetHasClockOnToken -- default is false */
+  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
+  NULL, /* GetSupportsDualCryptoOperations -- default is false */
+  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxPinLen -- irrelevant */
+  NULL, /* GetMinPinLen -- irrelevant */
+  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  ckmk_mdToken_GetHardwareVersion,
+  ckmk_mdToken_GetFirmwareVersion,
+  NULL, /* GetUTCTime -- no clock */
+  ckmk_mdToken_OpenSession,
+  ckmk_mdToken_GetMechanismCount,
+  ckmk_mdToken_GetMechanismTypes,
+  ckmk_mdToken_GetMechanism,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.def b/security/nss/lib/ckfw/nssmkey/nssmkey.def
new file mode 100644
index 000000000..054fbd82a
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/nssmkey.def
@@ -0,0 +1,58 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2003
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#     line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSSMKEY_3.0 {       # First release of nssmkey
+;+    global:
+LIBRARY nssmkey ;-
+EXPORTS ;-
+C_GetFunctionList;
+;+    local:
+;+*;
+;+};
diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.h b/security/nss/lib/ckfw/nssmkey/nssmkey.h
new file mode 100644
index 000000000..5bf181222
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/nssmkey.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSMKEY_H
+#define NSSMKEY_H
+
+/*
+ * NSS CKMK Version numbers.
+ *
+ * These are the version numbers for the nssmkey module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_CKMK_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_CKMK_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes 
+ * to the list of trusted certificates.
+ *
+ * NSS_CKMK_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_CKMK_LIBRARY_VERSION_MAJOR 1
+#define NSS_CKMK_LIBRARY_VERSION_MINOR 1
+#define NSS_CKMK_LIBRARY_VERSION "1.1"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_CKMK_HARDWARE_VERSION_MAJOR 1
+#define NSS_CKMK_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself 
+ * (new PKCS #11 objects), etc. */
+#define NSS_CKMK_FIRMWARE_VERSION_MAJOR 1
+#define NSS_CKMK_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSMKEY_H */
diff --git a/security/nss/lib/ckfw/nssmkey/staticobj.c b/security/nss/lib/ckfw/nssmkey/staticobj.c
new file mode 100644
index 000000000..ad9f1dff6
--- /dev/null
+++ b/security/nss/lib/ckfw/nssmkey/staticobj.c
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKMK_H
+#include "ckmk.h"
+#endif /* CKMK_H */
+
+static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_OBJECT_CLASS cko_data = CKO_DATA;
+static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+
+/* example of a static object */
+static const CK_ATTRIBUTE_TYPE nss_ckmk_types_1 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
+};
+
+static const NSSItem nss_ckmk_items_1 [] = {
+  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Mozilla Mac Key Ring Access", (PRUint32)28 }
+};
+
+ckmkInternalObject nss_ckmk_data[] = {
+  { ckmkRaw, {{ 5, nss_ckmk_types_1, nss_ckmk_items_1}} , CKO_DATA, {NULL} },
+};
+
+const PRUint32 nss_ckmk_nObjects = 1;
diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c
new file mode 100644
index 000000000..f7f000cf5
--- /dev/null
+++ b/security/nss/lib/ckfw/object.c
@@ -0,0 +1,1059 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * object.c
+ *
+ * This file implements the NSSCKFWObject type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWObject
+ *
+ * -- create/destroy --
+ *  nssCKFWObject_Create
+ *  nssCKFWObject_Finalize
+ *  nssCKFWObject_Destroy
+ *
+ * -- public accessors --
+ *  NSSCKFWObject_GetMDObject
+ *  NSSCKFWObject_GetArena
+ *  NSSCKFWObject_IsTokenObject
+ *  NSSCKFWObject_GetAttributeCount
+ *  NSSCKFWObject_GetAttributeTypes
+ *  NSSCKFWObject_GetAttributeSize
+ *  NSSCKFWObject_GetAttribute
+ *  NSSCKFWObject_SetAttribute
+ *  NSSCKFWObject_GetObjectSize
+ *
+ * -- implement public accessors --
+ *  nssCKFWObject_GetMDObject
+ *  nssCKFWObject_GetArena
+ *
+ * -- private accessors --
+ *  nssCKFWObject_SetHandle
+ *  nssCKFWObject_GetHandle
+ *
+ * -- module fronts --
+ *  nssCKFWObject_IsTokenObject
+ *  nssCKFWObject_GetAttributeCount
+ *  nssCKFWObject_GetAttributeTypes
+ *  nssCKFWObject_GetAttributeSize
+ *  nssCKFWObject_GetAttribute
+ *  nssCKFWObject_SetAttribute
+ *  nssCKFWObject_GetObjectSize
+ */
+
+struct NSSCKFWObjectStr {
+  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
+  NSSArena *arena;
+  NSSCKMDObject *mdObject;
+  NSSCKMDSession *mdSession;
+  NSSCKFWSession *fwSession;
+  NSSCKMDToken *mdToken;
+  NSSCKFWToken *fwToken;
+  NSSCKMDInstance *mdInstance;
+  NSSCKFWInstance *fwInstance;
+  CK_OBJECT_HANDLE hObject;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+object_add_pointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+object_remove_pointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_verifyPointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+
+/*
+ * nssCKFWObject_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWObject_Create
+(
+  NSSArena *arena,
+  NSSCKMDObject *mdObject,
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  NSSCKFWObject *fwObject;
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == mdObjectHash ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( nssCKFWHash_Exists(mdObjectHash, mdObject) ) {
+    fwObject = nssCKFWHash_Lookup(mdObjectHash, mdObject);
+    return fwObject;
+  }
+
+  fwObject = nss_ZNEW(arena, NSSCKFWObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject->arena = arena;
+  fwObject->mdObject = mdObject;
+  fwObject->fwSession = fwSession;
+
+  if( (NSSCKFWSession *)NULL != fwSession ) {
+    fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession);
+  }
+
+  fwObject->fwToken = fwToken;
+  fwObject->mdToken = nssCKFWToken_GetMDToken(fwToken);
+  fwObject->fwInstance = fwInstance;
+  fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+  fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwObject->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWHash_Add(mdObjectHash, mdObject, fwObject);
+  if( CKR_OK != *pError ) {
+    nss_ZFreeIf(fwObject);
+    return (NSSCKFWObject *)NULL;
+  }
+
+#ifdef DEBUG
+  *pError = object_add_pointer(fwObject);
+  if( CKR_OK != *pError ) {
+    nssCKFWHash_Remove(mdObjectHash, mdObject);
+    nss_ZFreeIf(fwObject);
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwObject;
+}
+
+/*
+ * nssCKFWObject_Finalize
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWObject_Finalize
+(
+  NSSCKFWObject *fwObject,
+  PRBool removeFromHash
+)
+{
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwObject->mutex);
+
+  if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) {
+    fwObject->mdObject->Finalize(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+  }
+
+  if (removeFromHash) {
+    mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
+    if( (nssCKFWHash *)NULL != mdObjectHash ) {
+      nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
+    }
+ }
+
+  if (fwObject->fwSession) {
+    nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+  }
+  nss_ZFreeIf(fwObject);
+
+#ifdef DEBUG
+  (void)object_remove_pointer(fwObject);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWObject_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWObject_Destroy
+(
+  NSSCKFWObject *fwObject
+)
+{
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwObject->mutex);
+
+  if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) {
+    fwObject->mdObject->Destroy(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+  }
+
+  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
+  if( (nssCKFWHash *)NULL != mdObjectHash ) {
+    nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
+  }
+
+  if (fwObject->fwSession) {
+    nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+  }
+  nss_ZFreeIf(fwObject);
+
+#ifdef DEBUG
+  (void)object_remove_pointer(fwObject);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWObject_GetMDObject
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+nssCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->mdObject;
+}
+
+/*
+ * nssCKFWObject_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->arena;
+}
+
+/*
+ * nssCKFWObject_SetHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_SetHandle
+(
+  NSSCKFWObject *fwObject,
+  CK_OBJECT_HANDLE hObject
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_OBJECT_HANDLE)0 != fwObject->hObject ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwObject->hObject = hObject;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWObject_GetHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWObject_GetHandle
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->hObject;
+}
+
+/*
+ * nssCKFWObject_IsTokenObject
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+  CK_BBOOL b = CK_FALSE;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) {
+    NSSItem item;
+    NSSItem *pItem;
+    CK_RV rv = CKR_OK;
+
+    item.data = (void *)&b;
+    item.size = sizeof(b);
+
+    pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item, 
+      (NSSArena *)NULL, &rv);
+    if( (NSSItem *)NULL == pItem ) {
+      /* Error of some type */
+      b = CK_FALSE;
+      goto done;
+    }
+
+    goto done;
+  }
+
+  b = fwObject->mdObject->IsTokenObject(fwObject->mdObject, fwObject, 
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+
+ done:
+  return b;
+}
+
+/*
+ * nssCKFWObject_GetAttributeCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetAttributeCount(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  error = fwObject->mdObject->GetAttributeTypes(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    typeArray, ulCount);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWObject_GetAttributeSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG )0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetAttributeSize(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    attribute, pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_GetAttribute
+ *
+ * Usual NSS allocation rules:
+ * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
+ * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
+ * the buffer will be allocated; otherwise, the buffer will be used.
+ * Any allocations will come from the optional arena, if one is
+ * specified.
+ */
+NSS_IMPLEMENT NSSItem *
+nssCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  NSSCKFWItem mdItem;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttribute ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  mdItem = fwObject->mdObject->GetAttribute(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    attribute, pError);
+
+  if( (NSSItem *)NULL == mdItem.item ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+
+    goto done;
+  }
+
+  if( (NSSItem *)NULL == itemOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSItem);
+    if( (NSSItem *)NULL == rv ) {
+      *pError = CKR_HOST_MEMORY;
+      goto done;
+    }
+  } else {
+    rv = itemOpt;
+  }
+
+  if( (void *)NULL == rv->data ) {
+    rv->size = mdItem.item->size;
+    rv->data = nss_ZAlloc(arenaOpt, rv->size);
+    if( (void *)NULL == rv->data ) {
+      *pError = CKR_HOST_MEMORY;
+      if( (NSSItem *)NULL == itemOpt ) {
+        nss_ZFreeIf(rv);
+      }
+      rv = (NSSItem *)NULL;
+      goto done;
+    }
+  } else {
+    if( rv->size >= mdItem.item->size ) {
+      rv->size = mdItem.item->size;
+    } else {
+      *pError = CKR_BUFFER_TOO_SMALL;
+      /* Should we set rv->size to mdItem->size? */
+      /* rv can't have been allocated */
+      rv = (NSSItem *)NULL;
+      goto done;
+    }
+  }
+
+  (void)nsslibc_memcpy(rv->data, mdItem.item->data, rv->size);
+
+  if (PR_TRUE == mdItem.needsFreeing) {
+    PR_ASSERT(fwObject->mdObject->FreeAttribute);
+    if (fwObject->mdObject->FreeAttribute) {
+      *pError = fwObject->mdObject->FreeAttribute(&mdItem);
+    }
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_SetAttribute
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_SetAttribute
+(
+  NSSCKFWObject *fwObject,
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKA_TOKEN == attribute ) {
+    /*
+     * We're changing from a session object to a token object or 
+     * vice-versa.
+     */
+
+    CK_ATTRIBUTE a;
+    NSSCKFWObject *newFwObject;
+    NSSCKFWObject swab;
+
+    a.type = CKA_TOKEN;
+    a.pValue = value->data;
+    a.ulValueLen = value->size;
+
+    newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject,
+                    &a, 1, &error);
+    if( (NSSCKFWObject *)NULL == newFwObject ) {
+      if( CKR_OK == error ) {
+        error = CKR_GENERAL_ERROR;
+      }
+      return error;
+    }
+
+    /*
+     * Actually, I bet the locking is worse than this.. this part of
+     * the code could probably use some scrutiny and reworking.
+     */
+    error = nssCKFWMutex_Lock(fwObject->mutex);
+    if( CKR_OK != error ) {
+      nssCKFWObject_Destroy(newFwObject);
+      return error;
+    }
+
+    error = nssCKFWMutex_Lock(newFwObject->mutex);
+    if( CKR_OK != error ) {
+      nssCKFWMutex_Unlock(fwObject->mutex);
+      nssCKFWObject_Destroy(newFwObject);
+      return error;
+    }
+
+    /* 
+     * Now, we have our new object, but it has a new fwObject pointer,
+     * while we have to keep the existing one.  So quick swap the contents.
+     */
+    swab = *fwObject;
+    *fwObject = *newFwObject;
+    *newFwObject = swab;
+
+    /* But keep the mutexes the same */
+    swab.mutex = fwObject->mutex;
+    fwObject->mutex = newFwObject->mutex;
+    newFwObject->mutex = swab.mutex;
+
+    (void)nssCKFWMutex_Unlock(newFwObject->mutex);
+    (void)nssCKFWMutex_Unlock(fwObject->mutex);
+
+    /*
+     * Either remove or add this to the list of session objects
+     */
+
+    if( CK_FALSE == *(CK_BBOOL *)value->data ) {
+      /* 
+       * New one is a session object, except since we "stole" the fwObject, it's
+       * not in the list.  Add it.
+       */
+      nssCKFWSession_RegisterSessionObject(fwSession, fwObject);
+    } else {
+      /*
+       * New one is a token object, except since we "stole" the fwObject, it's
+       * in the list.  Remove it.
+       */
+      if (fwObject->fwSession) {
+        nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+      }
+    }
+
+    /*
+     * Now delete the old object.  Remember the names have changed.
+     */
+    nssCKFWObject_Destroy(newFwObject);
+
+    return CKR_OK;
+  } else {
+    /*
+     * An "ordinary" change.
+     */
+    if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) {
+      /* We could fake it with copying, like above.. later */
+      return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    error = nssCKFWMutex_Lock(fwObject->mutex);
+    if( CKR_OK != error ) {
+      return error;
+    }
+
+    error = fwObject->mdObject->SetAttribute(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+      attribute, value);
+
+    (void)nssCKFWMutex_Unlock(fwObject->mutex);
+
+    return error;
+  }
+}
+
+/*
+ * nssCKFWObject_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) {
+    *pError = CKR_INFORMATION_SENSITIVE;
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetObjectSize(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * NSSCKFWObject_GetMDObject
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+NSSCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetMDObject(fwObject);
+}
+
+/*
+ * NSSCKFWObject_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+NSSCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetArena(fwObject, pError);
+}
+
+/*
+ * NSSCKFWObject_IsTokenObject
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_IsTokenObject(fwObject);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeCount(fwObject, pError);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+#ifdef DEBUG
+  CK_RV error = CKR_OK;
+
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeTypes(fwObject, typeArray, ulCount);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeSize(fwObject, attribute, pError);
+}
+
+/*
+ * NSSCKFWObject_GetAttribute
+ *
+ */
+NSS_IMPLEMENT NSSItem *
+NSSCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttribute(fwObject, attribute, itemOpt, arenaOpt, pError);
+}
+
+/*
+ * NSSCKFWObject_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetObjectSize(fwObject, pError);
+}
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
new file mode 100644
index 000000000..2fc65c712
--- /dev/null
+++ b/security/nss/lib/ckfw/session.c
@@ -0,0 +1,2496 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * session.c
+ *
+ * This file implements the NSSCKFWSession type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWSession
+ *
+ *  -- create/destroy --
+ *  nssCKFWSession_Create
+ *  nssCKFWSession_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWSession_GetMDSession
+ *  NSSCKFWSession_GetArena
+ *  NSSCKFWSession_CallNotification
+ *  NSSCKFWSession_IsRWSession
+ *  NSSCKFWSession_IsSO
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSession_GetMDSession
+ *  nssCKFWSession_GetArena
+ *  nssCKFWSession_CallNotification
+ *  nssCKFWSession_IsRWSession
+ *  nssCKFWSession_IsSO
+ *
+ *  -- private accessors --
+ *  nssCKFWSession_GetSlot
+ *  nssCKFWSession_GetSessionState
+ *  nssCKFWSession_SetFWFindObjects
+ *  nssCKFWSession_GetFWFindObjects
+ *  nssCKFWSession_SetMDSession
+ *  nssCKFWSession_SetHandle
+ *  nssCKFWSession_GetHandle
+ *  nssCKFWSession_RegisterSessionObject
+ *  nssCKFWSession_DeegisterSessionObject
+ *
+ *  -- module fronts --
+ *  nssCKFWSession_GetDeviceError
+ *  nssCKFWSession_Login
+ *  nssCKFWSession_Logout
+ *  nssCKFWSession_InitPIN
+ *  nssCKFWSession_SetPIN
+ *  nssCKFWSession_GetOperationStateLen
+ *  nssCKFWSession_GetOperationState
+ *  nssCKFWSession_SetOperationState
+ *  nssCKFWSession_CreateObject
+ *  nssCKFWSession_CopyObject
+ *  nssCKFWSession_FindObjectsInit
+ *  nssCKFWSession_SeedRandom
+ *  nssCKFWSession_GetRandom
+ */
+
+struct NSSCKFWSessionStr {
+  NSSArena *arena;
+  NSSCKMDSession *mdSession;
+  NSSCKFWToken *fwToken;
+  NSSCKMDToken *mdToken;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+  CK_VOID_PTR pApplication;
+  CK_NOTIFY Notify;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The items below are atomic.  No locking required.  If we fear
+   * about pointer-copies being nonatomic, we'll lock fwFindObjects.
+   */
+
+  CK_BBOOL rw;
+  NSSCKFWFindObjects *fwFindObjects;
+  NSSCKFWCryptoOperation *fwOperationArray[NSSCKFWCryptoOperationState_Max];
+  nssCKFWHash *sessionObjectHash;
+  CK_SESSION_HANDLE hSession;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+session_add_pointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+session_remove_pointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_verifyPointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWSession_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWSession_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+  NSSCKFWSession *fwSession;
+  NSSCKFWSlot *fwSlot;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWSession *)NULL;
+  }
+
+  fwSession = nss_ZNEW(arena, NSSCKFWSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwSession->arena = arena;
+  fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
+  fwSession->fwToken = fwToken;
+  fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
+
+  fwSlot = nssCKFWToken_GetFWSlot(fwToken);
+  fwSession->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
+  fwSession->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
+
+  fwSession->rw = rw;
+  fwSession->pApplication = pApplication;
+  fwSession->Notify = Notify;
+
+  fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
+
+  fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
+  if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+#ifdef DEBUG
+  *pError = session_add_pointer(fwSession);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return fwSession;
+
+ loser:
+  if( (NSSArena *)NULL != arena ) {
+    if( fwSession && (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+      (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
+    }
+    NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKFWSession *)NULL;
+}
+
+static void
+nss_ckfw_session_object_destroy_iterator
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
+  nssCKFWObject_Finalize(fwObject, PR_TRUE);
+}
+
+/*
+ * nssCKFWSession_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Destroy
+(
+  NSSCKFWSession *fwSession,
+  CK_BBOOL removeFromTokenHash
+)
+{
+  CK_RV error = CKR_OK;
+  nssCKFWHash *sessionObjectHash;
+  NSSCKFWCryptoOperationState i;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( removeFromTokenHash ) {
+    error = nssCKFWToken_RemoveSession(fwSession->fwToken, fwSession);
+  }
+
+  /*
+   * Invalidate session objects
+   */
+
+  sessionObjectHash = fwSession->sessionObjectHash;
+  fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
+
+  nssCKFWHash_Iterate(sessionObjectHash, 
+                      nss_ckfw_session_object_destroy_iterator, 
+                      (void *)NULL);
+
+  for (i=0; i < NSSCKFWCryptoOperationState_Max; i++) {
+    if ((NSSCKFWCryptoOperation *)NULL != fwSession->fwOperationArray[i]) {
+      nssCKFWCryptoOperation_Destroy(fwSession->fwOperationArray[i]);
+    }
+  }
+
+#ifdef DEBUG
+  (void)session_remove_pointer(fwSession);
+#endif /* DEBUG */
+  (void)nssCKFWHash_Destroy(sessionObjectHash);
+  NSSArena_Destroy(fwSession->arena);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetMDSession
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSession *
+nssCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKMDSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->mdSession;
+}
+
+/*
+ * nssCKFWSession_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->arena;
+}
+
+/*
+ * nssCKFWSession_CallNotification
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+)
+{
+  CK_RV error = CKR_OK;
+  CK_SESSION_HANDLE handle;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_NOTIFY)NULL == fwSession->Notify ) {
+    return CKR_OK;
+  }
+
+  handle = nssCKFWInstance_FindSessionHandle(fwSession->fwInstance, fwSession);
+  if( (CK_SESSION_HANDLE)0 == handle ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = fwSession->Notify(handle, event, fwSession->pApplication);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_IsRWSession
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->rw;
+}
+
+/*
+ * nssCKFWSession_IsSO
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+)
+{
+  CK_STATE state;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
+  switch( state ) {
+  case CKS_RO_PUBLIC_SESSION:
+  case CKS_RO_USER_FUNCTIONS:
+  case CKS_RW_PUBLIC_SESSION:
+  case CKS_RW_USER_FUNCTIONS:
+    return CK_FALSE;
+  case CKS_RW_SO_FUNCTIONS:
+    return CK_TRUE;
+  default:
+    return CK_FALSE;
+  }
+}
+
+/*
+ * nssCKFWSession_GetFWSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWSession_GetFWSlot
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWToken_GetFWSlot(fwSession->fwToken);
+}
+
+/*
+ * nssCFKWSession_GetSessionState
+ *
+ */
+NSS_IMPLEMENT CK_STATE
+nssCKFWSession_GetSessionState
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKS_RO_PUBLIC_SESSION; /* whatever */
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWToken_GetSessionState(fwSession->fwToken);
+}
+
+/*
+ * nssCKFWSession_SetFWFindObjects
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* fwFindObjects may be null */
+#endif /* NSSDEBUG */
+
+  if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) &&
+      ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  fwSession->fwFindObjects = fwFindObjects;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetFWFindObjects
+ *
+ */
+NSS_IMPLEMENT NSSCKFWFindObjects *
+nssCKFWSession_GetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) {
+    *pError = CKR_OPERATION_NOT_INITIALIZED;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  return fwSession->fwFindObjects;
+}
+
+/*
+ * nssCKFWSession_SetMDSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetMDSession
+(
+  NSSCKFWSession *fwSession,
+  NSSCKMDSession *mdSession
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == mdSession ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSCKMDSession *)NULL != fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwSession->mdSession = mdSession;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_SetHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetHandle
+(
+  NSSCKFWSession *fwSession,
+  CK_SESSION_HANDLE hSession
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_SESSION_HANDLE)0 != fwSession->hSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwSession->hSession = hSession;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWSession_GetHandle
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->hSession;
+}
+
+/*
+ * nssCKFWSession_RegisterSessionObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_RegisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+)
+{
+  CK_RV rv = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+    rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
+  }
+
+  return rv;
+}
+
+/*
+ * nssCKFWSession_DeregisterSessionObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DeregisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+    nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
+  }
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetDeviceError
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWSession_GetDeviceError
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (CK_ULONG)0;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) {
+    return (CK_ULONG)0;
+  }
+
+  return fwSession->mdSession->GetDeviceError(fwSession->mdSession, 
+    fwSession, fwSession->mdToken, fwSession->fwToken, 
+    fwSession->mdInstance, fwSession->fwInstance);
+}
+
+/*
+ * nssCKFWSession_Login
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Login
+(
+  NSSCKFWSession *fwSession,
+  CK_USER_TYPE userType,
+  NSSItem *pin
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE oldState;
+  CK_STATE newState;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  switch( userType ) {
+  case CKU_SO:
+  case CKU_USER:
+    break;
+  default:
+    return CKR_USER_TYPE_INVALID;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
+
+  /*
+   * It's not clear what happens when you're already logged in.
+   * I'll just fail; but if we decide to change, the logic is
+   * all right here.
+   */
+
+  if( CKU_SO == userType ) {
+    switch( oldState ) {
+    case CKS_RO_PUBLIC_SESSION:      
+      /*
+       * There's no such thing as a read-only security officer
+       * session, so fail.  The error should be CKR_SESSION_READ_ONLY,
+       * except that C_Login isn't defined to return that.  So we'll
+       * do CKR_SESSION_READ_ONLY_EXISTS, which is what is documented.
+       */
+      return CKR_SESSION_READ_ONLY_EXISTS;
+    case CKS_RO_USER_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    case CKS_RW_PUBLIC_SESSION:
+      newState = CKS_RW_SO_FUNCTIONS;
+      break;
+    case CKS_RW_USER_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    case CKS_RW_SO_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    default:
+      return CKR_GENERAL_ERROR;
+    }
+  } else /* CKU_USER == userType */ {
+    switch( oldState ) {
+    case CKS_RO_PUBLIC_SESSION:      
+      newState = CKS_RO_USER_FUNCTIONS;
+      break;
+    case CKS_RO_USER_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    case CKS_RW_PUBLIC_SESSION:
+      newState = CKS_RW_USER_FUNCTIONS;
+      break;
+    case CKS_RW_USER_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    case CKS_RW_SO_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    default:
+      return CKR_GENERAL_ERROR;
+    }
+  }
+
+  /*
+   * So now we're in one of three cases:
+   *
+   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
+   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
+   * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
+   */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->Login ) {
+    /*
+     * The Module doesn't want to be informed (or check the pin)
+     * it'll just rely on the Framework as needed.
+     */
+    ;
+  } else {
+    error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
+      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+      fwSession->fwInstance, userType, pin, oldState, newState);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_Logout
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Logout
+(
+  NSSCKFWSession *fwSession
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE oldState;
+  CK_STATE newState;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
+
+  switch( oldState ) {
+  case CKS_RO_PUBLIC_SESSION:
+    return CKR_USER_NOT_LOGGED_IN;
+  case CKS_RO_USER_FUNCTIONS:
+    newState = CKS_RO_PUBLIC_SESSION;
+    break;
+  case CKS_RW_PUBLIC_SESSION:
+    return CKR_USER_NOT_LOGGED_IN;
+  case CKS_RW_USER_FUNCTIONS:
+    newState = CKS_RW_PUBLIC_SESSION;
+    break;
+  case CKS_RW_SO_FUNCTIONS:
+    newState = CKS_RW_PUBLIC_SESSION;
+    break;
+  default:
+    return CKR_GENERAL_ERROR;
+  }
+
+  /*
+   * So now we're in one of three cases:
+   *
+   * Old == CKS_RW_SO_FUNCTIONS,   New == CKS_RW_PUBLIC_SESSION;
+   * Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
+   * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
+   */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->Logout ) {
+    /*
+     * The Module doesn't want to be informed.  Okay.
+     */
+    ;
+  } else {
+    error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
+      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+      fwSession->fwInstance, oldState, newState);
+    if( CKR_OK != error ) {
+      /*
+       * Now what?!  A failure really should end up with the Framework
+       * considering it logged out, right?
+       */
+      ;
+    }
+  }
+
+  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
+  return error;
+}
+
+/*
+ * nssCKFWSession_InitPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_InitPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *pin
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE state;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
+  if( CKS_RW_SO_FUNCTIONS != state ) {
+    return CKR_USER_NOT_LOGGED_IN;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) {
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, pin);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_SetPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *newPin,
+  NSSItem *oldPin
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSItem *)NULL == newPin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (NSSItem *)NULL == oldPin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) {
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, newPin, oldPin);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetOperationStateLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWSession_GetOperationStateLen
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  CK_ULONG mdAmt;
+  CK_ULONG fwAmt;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) {
+    *pError = CKR_STATE_UNSAVEABLE;
+    return (CK_ULONG)0;
+  }
+
+  /*
+   * We could check that the session is actually in some state..
+   */
+
+  mdAmt = fwSession->mdSession->GetOperationStateLen(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, pError);
+
+  if( ((CK_ULONG)0 == mdAmt) && (CKR_OK != *pError) ) {
+    return (CK_ULONG)0;
+  }
+
+  /*
+   * Add a bit of sanity-checking
+   */
+  fwAmt = mdAmt + 2*sizeof(CK_ULONG);
+
+  return fwAmt;
+}
+
+/*
+ * nssCKFWSession_GetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_GetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG fwAmt;
+  CK_ULONG *ulBuffer;
+  NSSItem i2;
+  CK_ULONG n, i;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == buffer ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == buffer->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) {
+    return CKR_STATE_UNSAVEABLE;
+  }
+
+  /*
+   * Sanity-check the caller's buffer.
+   */
+
+  error = CKR_OK;
+  fwAmt = nssCKFWSession_GetOperationStateLen(fwSession, &error);
+  if( ((CK_ULONG)0 == fwAmt) && (CKR_OK != error) ) {
+    return error;
+  }
+
+  if( buffer->size < fwAmt ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  ulBuffer = (CK_ULONG *)buffer->data;
+
+  i2.size = buffer->size - 2*sizeof(CK_ULONG);
+  i2.data = (void *)&ulBuffer[2];
+
+  error = fwSession->mdSession->GetOperationState(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken, 
+    fwSession->mdInstance, fwSession->fwInstance, &i2);
+
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /*
+   * Add a little integrety/identity check.  
+   * NOTE: right now, it's pretty stupid.  
+   * A CRC or something would be better.
+   */
+
+  ulBuffer[0] = 0x434b4657; /* CKFW */
+  ulBuffer[1] = 0;
+  n = i2.size/sizeof(CK_ULONG);
+  for( i = 0; i < n; i++ ) {
+    ulBuffer[1] ^= ulBuffer[2+i];
+  }
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_SetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *state,
+  NSSCKFWObject *encryptionKey,
+  NSSCKFWObject *authenticationKey
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG *ulBuffer;
+  CK_ULONG n, i;
+  CK_ULONG x;
+  NSSItem s;
+  NSSCKMDObject *mdek;
+  NSSCKMDObject *mdak;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == state ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == state->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+    error = nssCKFWObject_verifyPointer(encryptionKey);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+    error = nssCKFWObject_verifyPointer(authenticationKey);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  ulBuffer = (CK_ULONG *)state->data;
+  if( 0x43b4657 != ulBuffer[0] ) {
+    return CKR_SAVED_STATE_INVALID;
+  }
+  n = (state->size / sizeof(CK_ULONG)) - 2;
+  x = (CK_ULONG)0;
+  for( i = 0; i < n; i++ ) {
+    x ^= ulBuffer[2+i];
+  }
+
+  if( x != ulBuffer[1] ) {
+    return CKR_SAVED_STATE_INVALID;
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  s.size = state->size - 2*sizeof(CK_ULONG);
+  s.data = (void *)&ulBuffer[2];
+
+  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+    mdek = nssCKFWObject_GetMDObject(encryptionKey);
+  } else {
+    mdek = (NSSCKMDObject *)NULL;
+  }
+
+  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+    mdak = nssCKFWObject_GetMDObject(authenticationKey);
+  } else {
+    mdak = (NSSCKMDObject *)NULL;
+  }
+
+  error = fwSession->mdSession->SetOperationState(fwSession->mdSession, 
+    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
+
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /*
+   * Here'd we restore any session data
+   */
+  
+  return CKR_OK;
+}
+
+static CK_BBOOL
+nss_attributes_form_token_object
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount
+)
+{
+  CK_ULONG i;
+  CK_BBOOL rv;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      /* If we sanity-check, we can remove this sizeof check */
+      if( sizeof(CK_BBOOL) == pTemplate[i].ulValueLen ) {
+        (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
+        return rv;
+      } else {
+        return CK_FALSE;
+      }
+    }
+  }
+
+  return CK_FALSE;
+}
+
+/*
+ * nssCKFWSession_CreateObject
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWSession_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDObject *mdObject;
+  NSSCKFWObject *fwObject;
+  CK_BBOOL isTokenObject;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Here would be an excellent place to sanity-check the object.
+   */
+
+  isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
+  if( CK_TRUE == isTokenObject ) {
+    /* === TOKEN OBJECT === */
+
+    if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+      *pError = CKR_TOKEN_WRITE_PROTECTED;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    goto callmdcreateobject;
+  } else {
+    /* === SESSION OBJECT === */
+
+    arena = nssCKFWSession_GetArena(fwSession, pError);
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    if( CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
+                     fwSession->fwInstance) ) {
+      /* --- module handles the session object -- */
+
+      if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+        *pError = CKR_GENERAL_ERROR;
+        return (NSSCKFWObject *)NULL;
+      }
+      
+      goto callmdcreateobject;
+    } else {
+      /* --- framework handles the session object -- */
+      mdObject = nssCKMDSessionObject_Create(fwSession->fwToken, 
+        arena, pTemplate, ulAttributeCount, pError);
+      goto gotmdobject;
+    }
+  }
+
+ callmdcreateobject:
+  mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken,
+    fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
+    ulAttributeCount, pError);
+
+ gotmdobject:
+  if( (NSSCKMDObject *)NULL == mdObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = nssCKFWObject_Create(arena, mdObject, 
+    isTokenObject ? NULL : fwSession, 
+    fwSession->fwToken, fwSession->fwInstance, pError);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    
+    if( (void *)NULL != (void *)mdObject->Destroy ) {
+      (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
+        fwSession->mdSession, fwSession, fwSession->mdToken,
+        fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
+    }
+    
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( CK_FALSE == isTokenObject ) {
+    if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, fwObject) ) {
+      *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
+      if( CKR_OK != *pError ) {
+        nssCKFWObject_Finalize(fwObject, PR_TRUE);
+        return (NSSCKFWObject *)NULL;
+      }
+    }
+  }
+  
+  return fwObject;
+}
+
+/*
+ * nssCKFWSession_CopyObject
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWSession_CopyObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  CK_BBOOL oldIsToken;
+  CK_BBOOL newIsToken;
+  CK_ULONG i;
+  NSSCKFWObject *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Sanity-check object
+   */
+
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
+
+  newIsToken = oldIsToken;
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      /* Since we sanity-checked the object, we know this is the right size. */
+      (void)nsslibc_memcpy(&newIsToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
+      break;
+    }
+  }
+
+  /*
+   * If the Module handles its session objects, or if both the new
+   * and old object are token objects, use CopyObject if it exists.
+   */
+
+  if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) &&
+      (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
+       (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
+                     fwSession->fwInstance))) ) {
+    /* use copy object */
+    NSSArena *arena;
+    NSSCKMDObject *mdOldObject;
+    NSSCKMDObject *mdObject;
+
+    mdOldObject = nssCKFWObject_GetMDObject(fwObject);
+
+    if( CK_TRUE == newIsToken ) {
+      arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
+    } else {
+      arena = nssCKFWSession_GetArena(fwSession, pError);
+    }
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
+      fwSession, fwSession->mdToken, fwSession->fwToken,
+      fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
+      fwObject, arena, pTemplate, ulAttributeCount, pError);
+    if( (NSSCKMDObject *)NULL == mdObject ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    rv = nssCKFWObject_Create(arena, mdObject, 
+      newIsToken ? NULL : fwSession,
+      fwSession->fwToken, fwSession->fwInstance, pError);
+
+    if( CK_FALSE == newIsToken ) {
+      if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv) ) {
+        *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
+        if( CKR_OK != *pError ) {
+          nssCKFWObject_Finalize(rv, PR_TRUE);
+          return (NSSCKFWObject *)NULL;
+        }
+      }
+    }
+
+    return rv;
+  } else {
+    /* use create object */
+    NSSArena *tmpArena;
+    CK_ATTRIBUTE_PTR newTemplate;
+    CK_ULONG i, j, n, newLength, k;
+    CK_ATTRIBUTE_TYPE_PTR oldTypes;
+    NSSCKFWObject *rv;
+    
+    tmpArena = NSSArena_Create();
+    if( (NSSArena *)NULL == tmpArena ) {
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    n = nssCKFWObject_GetAttributeCount(fwObject, pError);
+    if( (0 == n) && (CKR_OK != *pError) ) {
+      return (NSSCKFWObject *)NULL;
+    }
+
+    oldTypes = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE_TYPE, n);
+    if( (CK_ATTRIBUTE_TYPE_PTR)NULL == oldTypes ) {
+      NSSArena_Destroy(tmpArena);
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    *pError = nssCKFWObject_GetAttributeTypes(fwObject, oldTypes, n);
+    if( CKR_OK != *pError ) {
+      NSSArena_Destroy(tmpArena);
+      return (NSSCKFWObject *)NULL;
+    }
+
+    newLength = n;
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      for( j = 0; j < n; j++ ) {
+        if( oldTypes[j] == pTemplate[i].type ) {
+          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
+            /* Removing the attribute */
+            newLength--;
+          }
+          break;
+        }
+      }
+      if( j == n ) {
+        /* Not found */
+        newLength++;
+      }
+    }
+
+    newTemplate = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE, newLength);
+    if( (CK_ATTRIBUTE_PTR)NULL == newTemplate ) {
+      NSSArena_Destroy(tmpArena);
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    k = 0;
+    for( j = 0; j < n; j++ ) {
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        if( oldTypes[j] == pTemplate[i].type ) {
+          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
+            /* This attribute is being deleted */
+            ;
+          } else {
+            /* This attribute is being replaced */
+            newTemplate[k].type = pTemplate[i].type;
+            newTemplate[k].pValue = pTemplate[i].pValue;
+            newTemplate[k].ulValueLen = pTemplate[i].ulValueLen;
+            k++;
+          }
+          break;
+        }
+      }
+      if( i == ulAttributeCount ) {
+        /* This attribute is being copied over from the old object */
+        NSSItem item, *it;
+        item.size = 0;
+        item.data = (void *)NULL;
+        it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
+          &item, tmpArena, pError);
+        if( (NSSItem *)NULL == it ) {
+          if( CKR_OK == *pError ) {
+            *pError = CKR_GENERAL_ERROR;
+          }
+          NSSArena_Destroy(tmpArena);
+          return (NSSCKFWObject *)NULL;
+        }
+        newTemplate[k].type = oldTypes[j];
+        newTemplate[k].pValue = it->data;
+        newTemplate[k].ulValueLen = it->size;
+        k++;
+      }
+    }
+    /* assert that k == newLength */
+
+    rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
+    if( (NSSCKFWObject *)NULL == rv ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      NSSArena_Destroy(tmpArena);
+      return (NSSCKFWObject *)NULL;
+    }
+
+    NSSArena_Destroy(tmpArena);
+    return rv;
+  }
+}
+
+/*
+ * nssCKFWSession_FindObjectsInit
+ *
+ */
+NSS_IMPLEMENT NSSCKFWFindObjects *
+nssCKFWSession_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
+  NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  if( ((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
+                   fwSession->fwInstance) ) {
+    CK_ULONG i;
+
+    /*
+     * Does the search criteria restrict us to token or session
+     * objects?
+     */
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( CKA_TOKEN == pTemplate[i].type ) {
+        /* Yes, it does. */
+        CK_BBOOL isToken;
+        if( sizeof(CK_BBOOL) != pTemplate[i].ulValueLen ) {
+          *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+          return (NSSCKFWFindObjects *)NULL;
+        }
+        (void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
+
+        if( CK_TRUE == isToken ) {
+          /* Pass it on to the module's search routine */
+          if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) {
+            goto wrap;
+          }
+
+          mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+                    fwSession, fwSession->mdToken, fwSession->fwToken,
+                    fwSession->mdInstance, fwSession->fwInstance, 
+                    pTemplate, ulAttributeCount, pError);
+        } else {
+          /* Do the search ourselves */
+          mdfo1 = nssCKMDFindSessionObjects_Create(fwSession->fwToken, 
+                    pTemplate, ulAttributeCount, pError);
+        }
+
+        if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+          if( CKR_OK == *pError ) {
+            *pError = CKR_GENERAL_ERROR;
+          }
+          return (NSSCKFWFindObjects *)NULL;
+        }
+        
+        goto wrap;
+      }
+    }
+
+    if( i == ulAttributeCount ) {
+      /* No, it doesn't.  Do a hybrid search. */
+      mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+                fwSession, fwSession->mdToken, fwSession->fwToken,
+                fwSession->mdInstance, fwSession->fwInstance, 
+                pTemplate, ulAttributeCount, pError);
+
+      if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+        if( CKR_OK == *pError ) {
+          *pError = CKR_GENERAL_ERROR;
+        }
+        return (NSSCKFWFindObjects *)NULL;
+      }
+
+      mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
+                pTemplate, ulAttributeCount, pError);
+      if( (NSSCKMDFindObjects *)NULL == mdfo2 ) {
+        if( CKR_OK == *pError ) {
+          *pError = CKR_GENERAL_ERROR;
+        }
+        if( (void *)NULL != (void *)mdfo1->Final ) {
+          mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
+            fwSession, fwSession->mdToken, fwSession->fwToken, 
+            fwSession->mdInstance, fwSession->fwInstance);
+        }
+        return (NSSCKFWFindObjects *)NULL;
+      }
+
+      goto wrap;
+    }
+    /*NOTREACHED*/
+  } else {
+    /* Module handles all its own objects.  Pass on to module's search */
+    mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+              fwSession, fwSession->mdToken, fwSession->fwToken,
+              fwSession->mdInstance, fwSession->fwInstance, 
+              pTemplate, ulAttributeCount, pError);
+
+    if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWFindObjects *)NULL;
+    }
+
+    goto wrap;
+  }
+
+ wrap:
+  return nssCKFWFindObjects_Create(fwSession, fwSession->fwToken,
+           fwSession->fwInstance, mdfo1, mdfo2, pError);
+}
+
+/*
+ * nssCKFWSession_SeedRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SeedRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *seed
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == seed ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == seed->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( 0 == seed->size ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) {
+    return CKR_RANDOM_SEED_NOT_SUPPORTED;
+  }
+
+  error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, seed);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_GetRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == buffer ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == buffer->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) {
+    if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) {
+      return CKR_GENERAL_ERROR;
+    } else {
+      return CKR_RANDOM_NO_RNG;
+    }
+  }
+
+  if( 0 == buffer->size ) {
+    return CKR_OK;
+  }
+
+  error = fwSession->mdSession->GetRandom(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, buffer);
+
+  return error;
+}
+
+
+/*
+ * nssCKFWSession_SetCurrentCryptoOperation
+ */
+NSS_IMPLEMENT void
+nssCKFWSession_SetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperation * fwOperation,
+  NSSCKFWCryptoOperationState state
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return;
+  }
+
+  if ( state >= NSSCKFWCryptoOperationState_Max) {
+    return;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+  fwSession->fwOperationArray[state] = fwOperation;
+  return;
+}
+
+/*
+ * nssCKFWSession_GetCurrentCryptoOperation
+ */
+NSS_IMPLEMENT NSSCKFWCryptoOperation *
+nssCKFWSession_GetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationState state
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+
+  if ( state >= NSSCKFWCryptoOperationState_Max) {
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+#endif /* NSSDEBUG */
+  return fwSession->fwOperationArray[state];
+}
+
+/*
+ * nssCKFWSession_Final
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Final
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSItem outputBuffer;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* handle buffer issues, note for Verify, the type is an input buffer. */
+  if (NSSCKFWCryptoOperationType_Verify == type) {
+    if ((CK_BYTE_PTR)NULL == outBuf) {
+      error = CKR_ARGUMENTS_BAD;
+      goto done;
+    }
+  } else {
+    CK_ULONG len = nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
+    CK_ULONG maxBufLen = *outBufLen;
+
+    if (CKR_OK != error) {
+       goto done;
+    }
+    *outBufLen = len;
+    if ((CK_BYTE_PTR)NULL == outBuf) {
+      return CKR_OK;
+    }
+
+    if (len > maxBufLen) {
+      return CKR_BUFFER_TOO_SMALL;
+    }
+  }
+  outputBuffer.data = outBuf;
+  outputBuffer.size = *outBufLen;
+
+  error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
+done:
+  if (CKR_BUFFER_TOO_SMALL == error) {
+    return error;
+  }
+  /* clean up our state */
+  nssCKFWCryptoOperation_Destroy(fwOperation);
+  nssCKFWSession_SetCurrentCryptoOperation(fwSession, NULL, state);
+  return error;
+}
+
+/*
+ * nssCKFWSession_Update
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Update
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSItem inputBuffer;
+  NSSItem outputBuffer;
+  CK_ULONG len;
+  CK_ULONG maxBufLen;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  inputBuffer.data = inBuf;
+  inputBuffer.size = inBufLen;
+
+  /* handle buffer issues, note for Verify, the type is an input buffer. */
+  len = nssCKFWCryptoOperation_GetOperationLength(fwOperation, &inputBuffer, 
+                                                  &error);
+  if (CKR_OK != error) {
+    return error;
+  }
+  maxBufLen = *outBufLen;
+
+  *outBufLen = len;
+  if ((CK_BYTE_PTR)NULL == outBuf) {
+    return CKR_OK;
+  }
+
+  if (len > maxBufLen) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+  outputBuffer.data = outBuf;
+  outputBuffer.size = *outBufLen;
+
+  return nssCKFWCryptoOperation_Update(fwOperation,
+                                       &inputBuffer, &outputBuffer);
+}
+
+/*
+ * nssCKFWSession_DigestUpdate
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DigestUpdate
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSItem inputBuffer;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  inputBuffer.data = inBuf;
+  inputBuffer.size = inBufLen;
+
+
+  error = nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
+  return error;
+}
+
+/*
+ * nssCKFWSession_DigestUpdate
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DigestKey
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwKey
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSItem *inputBuffer;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                                 NSSCKFWCryptoOperationState_Digest);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (NSSCKFWCryptoOperationType_Digest != 
+      nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  error = nssCKFWCryptoOperation_DigestKey(fwOperation, fwKey);
+  if (CKR_FUNCTION_FAILED != error) {
+    return error;
+  }
+
+  /* no machine depended way for this to happen, do it by hand */
+  inputBuffer=nssCKFWObject_GetAttribute(fwKey, CKA_VALUE, NULL, NULL, &error);
+  if ((NSSItem *)NULL == inputBuffer) {
+    /* couldn't get the value, just fail then */
+    return error;
+  }
+  error = nssCKFWCryptoOperation_DigestUpdate(fwOperation, inputBuffer);
+  nssItem_Destroy(inputBuffer);
+  return error;
+}
+
+/*
+ * nssCKFWSession_UpdateFinal
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_UpdateFinal
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType type,
+  NSSCKFWCryptoOperationState state,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSItem inputBuffer;
+  NSSItem outputBuffer;
+  PRBool isEncryptDecrypt;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  inputBuffer.data = inBuf;
+  inputBuffer.size = inBufLen;
+  isEncryptDecrypt = (PRBool) ((NSSCKFWCryptoOperationType_Encrypt == type) || 
+                               (NSSCKFWCryptoOperationType_Decrypt == type)) ;
+
+  /* handle buffer issues, note for Verify, the type is an input buffer. */
+  if (NSSCKFWCryptoOperationType_Verify == type) {
+    if ((CK_BYTE_PTR)NULL == outBuf) {
+      error = CKR_ARGUMENTS_BAD;
+      goto done;
+    }
+  } else {
+    CK_ULONG maxBufLen = *outBufLen;
+    CK_ULONG len;
+
+    len = (isEncryptDecrypt) ?
+      nssCKFWCryptoOperation_GetOperationLength(fwOperation, 
+                                                &inputBuffer, &error) :
+      nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
+
+    if (CKR_OK != error) {
+      goto done;
+    }
+
+    *outBufLen = len;
+    if ((CK_BYTE_PTR)NULL == outBuf) {
+      return CKR_OK;
+    }
+
+    if (len > maxBufLen) {
+      return CKR_BUFFER_TOO_SMALL;
+    }
+  }
+  outputBuffer.data = outBuf;
+  outputBuffer.size = *outBufLen;
+
+  error = nssCKFWCryptoOperation_UpdateFinal(fwOperation, 
+                                             &inputBuffer, &outputBuffer);
+
+  /* UpdateFinal isn't support, manually use Update and Final */
+  if (CKR_FUNCTION_FAILED == error) {
+    error = isEncryptDecrypt ? 
+      nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer) :
+      nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
+
+    if (CKR_OK == error) {
+      error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
+    }
+  }
+
+
+done:
+  if (CKR_BUFFER_TOO_SMALL == error) {
+    /* if we return CKR_BUFFER_TOO_SMALL, we the caller is not expecting.
+     * the crypto state to be freed */
+    return error;
+  }
+
+  /* clean up our state */
+  nssCKFWCryptoOperation_Destroy(fwOperation);
+  nssCKFWSession_SetCurrentCryptoOperation(fwSession, NULL, state);
+  return error;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_UpdateCombo
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationType encryptType,
+  NSSCKFWCryptoOperationType digestType,
+  NSSCKFWCryptoOperationState digestState,
+  CK_BYTE_PTR  inBuf,
+  CK_ULONG     inBufLen,
+  CK_BYTE_PTR  outBuf,
+  CK_ULONG_PTR outBufLen
+)
+{
+  NSSCKFWCryptoOperation *fwOperation;
+  NSSCKFWCryptoOperation *fwPeerOperation;
+  NSSItem inputBuffer;
+  NSSItem outputBuffer;
+  CK_ULONG maxBufLen = *outBufLen;
+  CK_ULONG len;
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  /* make sure we have a valid operation initialized */
+  fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                NSSCKFWCryptoOperationState_EncryptDecrypt);
+  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (encryptType != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+  /* make sure we have a valid operation initialized */
+  fwPeerOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
+                  digestState);
+  if ((NSSCKFWCryptoOperation *)NULL == fwPeerOperation) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  /* make sure it's the correct type */
+  if (digestType != nssCKFWCryptoOperation_GetType(fwOperation)) {
+    return CKR_OPERATION_NOT_INITIALIZED;
+  }
+
+  inputBuffer.data = inBuf;
+  inputBuffer.size = inBufLen;
+  len = nssCKFWCryptoOperation_GetOperationLength(fwOperation, 
+                                                &inputBuffer, &error);
+  if (CKR_OK != error) {
+    return error;
+  }
+
+  *outBufLen = len;
+  if ((CK_BYTE_PTR)NULL == outBuf) {
+    return CKR_OK;
+  }
+
+  if (len > maxBufLen) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  outputBuffer.data = outBuf;
+  outputBuffer.size = *outBufLen;
+
+  error = nssCKFWCryptoOperation_UpdateCombo(fwOperation, fwPeerOperation,
+                                             &inputBuffer, &outputBuffer);
+  if (CKR_FUNCTION_FAILED == error) {
+    PRBool isEncrypt = 
+           (PRBool) (NSSCKFWCryptoOperationType_Encrypt == encryptType);
+
+    if (isEncrypt) {
+      error = nssCKFWCryptoOperation_DigestUpdate(fwPeerOperation, 
+                                                  &inputBuffer);
+      if (CKR_OK != error) {
+        return error;
+      }
+    }
+    error = nssCKFWCryptoOperation_Update(fwOperation, 
+                                          &inputBuffer, &outputBuffer);
+    if (CKR_OK != error) {
+      return error;
+    }
+    if (!isEncrypt) {
+      error = nssCKFWCryptoOperation_DigestUpdate(fwPeerOperation,
+                                                  &outputBuffer);
+    }
+  }
+  return error;
+}
+
+
+/*
+ * NSSCKFWSession_GetMDSession
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSession *
+NSSCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKMDSession *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_GetMDSession(fwSession);
+}
+
+/*
+ * NSSCKFWSession_GetArena
+ *
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_GetArena(fwSession, pError);
+}
+
+/*
+ * NSSCKFWSession_CallNotification
+ *
+ */
+
+NSS_IMPLEMENT CK_RV
+NSSCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+)
+{
+#ifdef DEBUG
+  CK_RV error = CKR_OK;
+
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_CallNotification(fwSession, event);
+}
+
+/*
+ * NSSCKFWSession_IsRWSession
+ *
+ */
+
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_IsRWSession(fwSession);
+}
+
+/*
+ * NSSCKFWSession_IsSO
+ *
+ */
+
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_IsSO(fwSession);
+}
+
+NSS_IMPLEMENT NSSCKFWCryptoOperation *
+NSSCKFWSession_GetCurrentCryptoOperation
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWCryptoOperationState state
+)
+{
+#ifdef DEBUG
+  CK_RV error = CKR_OK;
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+
+  if ( state >= NSSCKFWCryptoOperationState_Max) {
+    return (NSSCKFWCryptoOperation *)NULL;
+  }
+#endif /* DEBUG */
+  return nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
+}
diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c
new file mode 100644
index 000000000..1c73c8035
--- /dev/null
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -0,0 +1,1114 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * sessobj.c
+ *
+ * This file contains an NSSCKMDObject implementation for session 
+ * objects.  The framework uses this implementation to manage
+ * session objects when a Module doesn't wish to be bothered.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * nssCKMDSessionObject
+ *
+ *  -- create --
+ *  nssCKMDSessionObject_Create
+ *
+ *  -- EPV calls --
+ *  nss_ckmdSessionObject_Finalize
+ *  nss_ckmdSessionObject_IsTokenObject
+ *  nss_ckmdSessionObject_GetAttributeCount
+ *  nss_ckmdSessionObject_GetAttributeTypes
+ *  nss_ckmdSessionObject_GetAttributeSize
+ *  nss_ckmdSessionObject_GetAttribute
+ *  nss_ckmdSessionObject_SetAttribute
+ *  nss_ckmdSessionObject_GetObjectSize
+ */
+
+struct nssCKMDSessionObjectStr {
+  CK_ULONG n;
+  NSSArena *arena;
+  NSSItem *attributes;
+  CK_ATTRIBUTE_TYPE_PTR types;
+  nssCKFWHash *hash;
+};
+typedef struct nssCKMDSessionObjectStr nssCKMDSessionObject;
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+nss_ckmdSessionObject_add_pointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+nss_ckmdSessionObject_remove_pointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+
+#ifdef NSS_DEBUG
+static CK_RV
+nss_ckmdSessionObject_verifyPointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+#endif
+
+#endif /* DEBUG */
+
+/*
+ * We must forward-declare these routines
+ */
+static void
+nss_ckmdSessionObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_RV
+nss_ckmdSessionObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_BBOOL
+nss_ckmdSessionObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+static CK_RV
+nss_ckmdSessionObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+static NSSCKFWItem
+nss_ckmdSessionObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+static CK_RV
+nss_ckmdSessionObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKMDSessionObject_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+nssCKMDSessionObject_Create
+(
+  NSSCKFWToken *fwToken,
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR attributes,
+  CK_ULONG ulCount,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *mdObject = (NSSCKMDObject *)NULL;
+  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)NULL;
+  CK_ULONG i;
+  nssCKFWHash *hash;
+
+  *pError = CKR_OK;
+
+  mdso = nss_ZNEW(arena, nssCKMDSessionObject);
+  if( (nssCKMDSessionObject *)NULL == mdso ) {
+    goto loser;
+  }
+
+  mdso->arena = arena;
+  mdso->n = ulCount;
+  mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount);
+  if( (NSSItem *)NULL == mdso->attributes ) {
+    goto loser;
+  }
+
+  mdso->types = nss_ZNEWARRAY(arena, CK_ATTRIBUTE_TYPE, ulCount);
+  if (!mdso->types) {
+    goto loser;
+  }
+  for( i = 0; i < ulCount; i++ ) {
+    mdso->types[i] = attributes[i].type;
+    mdso->attributes[i].size = attributes[i].ulValueLen;
+    mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen);
+    if( (void *)NULL == mdso->attributes[i].data ) {
+      goto loser;
+    }
+    (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue,
+      attributes[i].ulValueLen);
+  }
+
+  mdObject = nss_ZNEW(arena, NSSCKMDObject);
+  if( (NSSCKMDObject *)NULL == mdObject ) {
+    goto loser;
+  }
+
+  mdObject->etc = (void *)mdso;
+  mdObject->Finalize = nss_ckmdSessionObject_Finalize;
+  mdObject->Destroy = nss_ckmdSessionObject_Destroy;
+  mdObject->IsTokenObject = nss_ckmdSessionObject_IsTokenObject;
+  mdObject->GetAttributeCount = nss_ckmdSessionObject_GetAttributeCount;
+  mdObject->GetAttributeTypes = nss_ckmdSessionObject_GetAttributeTypes;
+  mdObject->GetAttributeSize = nss_ckmdSessionObject_GetAttributeSize;
+  mdObject->GetAttribute = nss_ckmdSessionObject_GetAttribute;
+  mdObject->SetAttribute = nss_ckmdSessionObject_SetAttribute;
+  mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize;
+
+  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == hash ) {
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  mdso->hash = hash;
+
+  *pError = nssCKFWHash_Add(hash, mdObject, mdObject);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  if(( *pError = nss_ckmdSessionObject_add_pointer(mdObject)) != CKR_OK ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return mdObject;
+
+ loser:
+  if( (nssCKMDSessionObject *)NULL != mdso ) {
+    if( (NSSItem *)NULL != mdso->attributes ) {
+      for( i = 0; i < ulCount; i++ ) {
+        nss_ZFreeIf(mdso->attributes[i].data);
+      }
+      nss_ZFreeIf(mdso->attributes);
+    }
+    nss_ZFreeIf(mdso->types);
+    nss_ZFreeIf(mdso);
+  }
+
+  nss_ZFreeIf(mdObject);
+  if (*pError == CKR_OK) {
+      *pError = CKR_HOST_MEMORY;
+  }
+  return (NSSCKMDObject *)NULL;
+}
+
+/*
+ * nss_ckmdSessionObject_Finalize
+ *
+ */
+static void
+nss_ckmdSessionObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  /* This shouldn't ever be called */
+  return;
+}
+
+/*
+ * nss_ckmdSessionObject_Destroy
+ *
+ */
+
+static CK_RV
+nss_ckmdSessionObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  nssCKMDSessionObject *mdso;
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  mdso = (nssCKMDSessionObject *)mdObject->etc;
+
+  nssCKFWHash_Remove(mdso->hash, mdObject);
+
+  for( i = 0; i < mdso->n; i++ ) {
+    nss_ZFreeIf(mdso->attributes[i].data);
+  }
+  nss_ZFreeIf(mdso->attributes);
+  nss_ZFreeIf(mdso->types);
+  nss_ZFreeIf(mdso);
+  nss_ZFreeIf(mdObject);
+
+#ifdef DEBUG
+  (void)nss_ckmdSessionObject_remove_pointer(mdObject);
+#endif /* DEBUG */
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_IsTokenObject
+ *
+ */
+
+static CK_BBOOL
+nss_ckmdSessionObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdSessionObject_verifyPointer(mdObject) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * This implementation is only ever used for session objects.
+   */
+  return CK_FALSE;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeCount
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  return obj->n;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeTypes
+ *
+ */
+static CK_RV
+nss_ckmdSessionObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  nssCKMDSessionObject *obj;
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  if( ulCount < obj->n ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  (void)nsslibc_memcpy(typeArray, obj->types, 
+    sizeof(CK_ATTRIBUTE_TYPE) * obj->n);
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeSize
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      return (CK_ULONG)(obj->attributes[i].size);
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return 0;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttribute
+ *
+ */
+static NSSCKFWItem
+nss_ckmdSessionObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  NSSCKFWItem item;
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+
+  item.needsFreeing = PR_FALSE;
+  item.item = NULL;
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return item;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return item;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      item.item = &obj->attributes[i];
+      return item;
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return item;
+}
+
+/*
+ * nss_ckmdSessionObject_SetAttribute
+ *
+ */
+
+/*
+ * Okay, so this implementation sucks.  It doesn't support removing
+ * an attribute (if value == NULL), and could be more graceful about
+ * memory.  It should allow "blank" slots in the arrays, with some
+ * invalid attribute type, and then it could support removal much
+ * more easily.  Do this later.
+ */
+static CK_RV
+nss_ckmdSessionObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+  NSSItem n;
+  NSSItem *ra;
+  CK_ATTRIBUTE_TYPE_PTR rt;
+#ifdef NSSDEBUG
+  CK_RV error;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  n.size = value->size;
+  n.data = nss_ZAlloc(obj->arena, n.size);
+  if( (void *)NULL == n.data ) {
+    return CKR_HOST_MEMORY;
+  }
+  (void)nsslibc_memcpy(n.data, value->data, n.size);
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      nss_ZFreeIf(obj->attributes[i].data);
+      obj->attributes[i] = n;
+      return CKR_OK;
+    }
+  }
+
+  /*
+   * It's new.
+   */
+
+  ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
+  if( (NSSItem *)NULL == ra ) {
+    nss_ZFreeIf(n.data);
+    return CKR_HOST_MEMORY;
+  }
+
+  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
+    nss_ZFreeIf(n.data);
+    obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
+    if( (NSSItem *)NULL == obj->attributes ) {
+      return CKR_GENERAL_ERROR;
+    }
+    return CKR_HOST_MEMORY;
+  }
+
+  obj->attributes = ra;
+  obj->types = rt;
+  obj->attributes[obj->n] = n;
+  obj->types[obj->n] = attribute;
+  obj->n++;
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_GetObjectSize
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+  CK_ULONG rv = (CK_ULONG)0;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    rv += obj->attributes[i].size;
+  }
+
+  rv += sizeof(NSSItem) * obj->n;
+  rv += sizeof(CK_ATTRIBUTE_TYPE) * obj->n;
+  rv += sizeof(nssCKMDSessionObject);
+
+  return rv;
+}
+
+/*
+ * nssCKMDFindSessionObjects
+ *
+ *  -- create --
+ *  nssCKMDFindSessionObjects_Create
+ *
+ *  -- EPV calls --
+ *  nss_ckmdFindSessionObjects_Final
+ *  nss_ckmdFindSessionObjects_Next
+ */
+
+struct nodeStr {
+  struct nodeStr *next;
+  NSSCKMDObject *mdObject;
+};
+
+struct nssCKMDFindSessionObjectsStr {
+  NSSArena *arena;
+  CK_RV error;
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulCount;
+  struct nodeStr *list;
+  nssCKFWHash *hash;
+
+};
+typedef struct nssCKMDFindSessionObjectsStr nssCKMDFindSessionObjects;
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+nss_ckmdFindSessionObjects_add_pointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+nss_ckmdFindSessionObjects_remove_pointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+
+#ifdef NSS_DEBUG
+static CK_RV
+nss_ckmdFindSessionObjects_verifyPointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+#endif
+
+#endif /* DEBUG */
+
+/*
+ * We must forward-declare these routines.
+ */
+static void
+nss_ckmdFindSessionObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static NSSCKMDObject *
+nss_ckmdFindSessionObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+static CK_BBOOL
+items_match
+(
+  NSSItem *a,
+  CK_VOID_PTR pValue,
+  CK_ULONG ulValueLen
+)
+{
+  if( a->size != ulValueLen ) {
+    return CK_FALSE;
+  }
+
+  if( PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL) ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+/*
+ * Our hashtable iterator
+ */
+static void
+findfcn
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  NSSCKMDObject *mdObject = (NSSCKMDObject *)value;
+  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)mdObject->etc;
+  nssCKMDFindSessionObjects *mdfso = (nssCKMDFindSessionObjects *)closure;
+  CK_ULONG i, j;
+  struct nodeStr *node;
+
+  if( CKR_OK != mdfso->error ) {
+    return;
+  }
+
+  for( i = 0; i < mdfso->ulCount; i++ ) {
+    CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
+
+    for( j = 0; j < mdso->n; j++ ) {
+      if( mdso->types[j] == p->type ) {
+        if( !items_match(&mdso->attributes[j], p->pValue, p->ulValueLen) ) {
+          return;
+        } else {
+          break;
+        }
+      }
+    }
+
+    if( j == mdso->n ) {
+      /* Attribute not found */
+      return;
+    }
+  }
+
+  /* Matches */
+  node = nss_ZNEW(mdfso->arena, struct nodeStr);
+  if( (struct nodeStr *)NULL == node ) {
+    mdfso->error = CKR_HOST_MEMORY;
+    return;
+  }
+
+  node->mdObject = mdObject;
+  node->next = mdfso->list;
+  mdfso->list = node;
+
+  return;
+}
+
+/*
+ * nssCKMDFindSessionObjects_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nssCKMDFindSessionObjects_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  nssCKMDFindSessionObjects *mdfso;
+  nssCKFWHash *hash;
+  NSSCKMDFindObjects *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = CKR_OK;
+
+  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == hash ) {
+    *pError= CKR_GENERAL_ERROR;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects);
+  if( (nssCKMDFindSessionObjects *)NULL == mdfso ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if(rv == NULL) {
+    goto loser;
+  }
+
+  mdfso->error = CKR_OK;
+  mdfso->pTemplate = pTemplate;
+  mdfso->ulCount = ulCount;
+  mdfso->hash = hash;
+
+  nssCKFWHash_Iterate(hash, findfcn, mdfso);
+
+  if( CKR_OK != mdfso->error ) {
+    goto loser;
+  }
+
+  rv->etc = (void *)mdfso;
+  rv->Final = nss_ckmdFindSessionObjects_Final;
+  rv->Next = nss_ckmdFindSessionObjects_Next;
+
+#ifdef DEBUG
+  if( (*pError = nss_ckmdFindSessionObjects_add_pointer(rv)) != CKR_OK ) {
+    goto loser;
+  }
+#endif /* DEBUG */    
+  mdfso->arena = arena;
+
+  return rv;
+
+loser:
+  if (arena) {
+    NSSArena_Destroy(arena);
+  }
+  if (*pError == CKR_OK) {
+      *pError = CKR_HOST_MEMORY;
+  }
+  return NULL;
+}
+
+static void
+nss_ckmdFindSessionObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nssCKMDFindSessionObjects *mdfso;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
+  if (mdfso->arena) NSSArena_Destroy(mdfso->arena);
+
+#ifdef DEBUG
+  (void)nss_ckmdFindSessionObjects_remove_pointer(mdFindObjects);
+#endif /* DEBUG */
+
+  return;
+}
+
+static NSSCKMDObject *
+nss_ckmdFindSessionObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nssCKMDFindSessionObjects *mdfso;
+  NSSCKMDObject *rv = (NSSCKMDObject *)NULL;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
+
+  while( (NSSCKMDObject *)NULL == rv ) {
+    if( (struct nodeStr *)NULL == mdfso->list ) {
+      *pError = CKR_OK;
+      return (NSSCKMDObject *)NULL;
+    }
+
+    if( nssCKFWHash_Exists(mdfso->hash, mdfso->list->mdObject) ) {
+      rv = mdfso->list->mdObject;
+    }
+
+    mdfso->list = mdfso->list->next;
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/slot.c b/security/nss/lib/ckfw/slot.c
new file mode 100644
index 000000000..442452b39
--- /dev/null
+++ b/security/nss/lib/ckfw/slot.c
@@ -0,0 +1,759 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * slot.c
+ *
+ * This file implements the NSSCKFWSlot type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWSlot
+ *
+ *  -- create/destroy --
+ *  nssCKFWSlot_Create
+ *  nssCKFWSlot_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWSlot_GetMDSlot
+ *  NSSCKFWSlot_GetFWInstance
+ *  NSSCKFWSlot_GetMDInstance
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSlot_GetMDSlot
+ *  nssCKFWSlot_GetFWInstance
+ *  nssCKFWSlot_GetMDInstance
+ *
+ *  -- private accessors --
+ *  nssCKFWSlot_GetSlotID
+ *  nssCKFWSlot_ClearToken
+ *
+ *  -- module fronts --
+ *  nssCKFWSlot_GetSlotDescription
+ *  nssCKFWSlot_GetManufacturerID
+ *  nssCKFWSlot_GetTokenPresent
+ *  nssCKFWSlot_GetRemovableDevice
+ *  nssCKFWSlot_GetHardwareSlot
+ *  nssCKFWSlot_GetHardwareVersion
+ *  nssCKFWSlot_GetFirmwareVersion
+ *  nssCKFWSlot_InitToken
+ *  nssCKFWSlot_GetToken
+ */
+
+struct NSSCKFWSlotStr {
+  NSSCKFWMutex *mutex;
+  NSSCKMDSlot *mdSlot;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+  CK_SLOT_ID slotID;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   * 1) Each of the cached descriptions (versions, etc.) are in an
+   *    internally consistant state.
+   *
+   * 2) The fwToken points to the token currently in the slot, and
+   *    it is in a consistant state.
+   *
+   * Note that the calls accessing the cached descriptions will
+   * call the NSSCKMDSlot methods with the mutex locked.  Those
+   * methods may then call the public NSSCKFWSlot routines.  Those
+   * public routines only access the constant data above, so there's
+   * no problem.  But be careful if you add to this object; mutexes
+   * are in general not reentrant, so don't create deadlock situations.
+   */
+
+  NSSUTF8 *slotDescription;
+  NSSUTF8 *manufacturerID;
+  CK_VERSION hardwareVersion;
+  CK_VERSION firmwareVersion;
+  NSSCKFWToken *fwToken;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+slot_add_pointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+slot_remove_pointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_verifyPointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWSlot_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWSlot_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *mdSlot,
+  CK_SLOT_ID slotID,
+  CK_RV *pError
+)
+{
+  NSSCKFWSlot *fwSlot;
+  NSSCKMDInstance *mdInstance;
+  NSSArena *arena;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  arena = nssCKFWInstance_GetArena(fwInstance, pError);
+  if( (NSSArena *)NULL == arena ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+  }
+
+  fwSlot = nss_ZNEW(arena, NSSCKFWSlot);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  fwSlot->mdSlot = mdSlot;
+  fwSlot->fwInstance = fwInstance;
+  fwSlot->mdInstance = mdInstance;
+  fwSlot->slotID = slotID;
+
+  fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    (void)nss_ZFreeIf(fwSlot);
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  if( (void *)NULL != (void *)mdSlot->Initialize ) {
+    *pError = CKR_OK;
+    *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance);
+    if( CKR_OK != *pError ) {
+      (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+      (void)nss_ZFreeIf(fwSlot);
+      return (NSSCKFWSlot *)NULL;
+    }
+  }
+
+#ifdef DEBUG
+  *pError = slot_add_pointer(fwSlot);
+  if( CKR_OK != *pError ) {
+    if( (void *)NULL != (void *)mdSlot->Destroy ) {
+      mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance);
+    }
+
+    (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+    (void)nss_ZFreeIf(fwSlot);
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return fwSlot;
+}
+
+/*
+ * nssCKFWSlot_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_Destroy
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+  if (fwSlot->fwToken) {
+    nssCKFWToken_Destroy(fwSlot->fwToken);
+  }
+
+  (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) {
+    fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot, 
+      fwSlot->mdInstance, fwSlot->fwInstance);
+  }
+
+#ifdef DEBUG
+  error = slot_remove_pointer(fwSlot);
+#endif /* DEBUG */
+  (void)nss_ZFreeIf(fwSlot);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetMDSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSlot *
+nssCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->mdSlot;
+}
+
+/*
+ * nssCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWInstance *
+nssCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->fwInstance;
+}
+
+/*
+ * nssCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDInstance *
+nssCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->mdInstance;
+}
+
+/*
+ * nssCKFWSlot_GetSlotID
+ *
+ */
+NSS_IMPLEMENT CK_SLOT_ID
+nssCKFWSlot_GetSlotID
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (CK_SLOT_ID)0;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->slotID;
+}
+
+/*
+ * nssCKFWSlot_GetSlotDescription
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_GetSlotDescription
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR slotDescription[64]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == slotDescription ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) {
+    if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) {
+      fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
+        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
+        fwSlot->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwSlot->slotDescription = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_GetManufacturerID
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) {
+    if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) {
+      fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
+        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
+        fwSlot->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwSlot->manufacturerID = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetTokenPresent
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetTokenPresent
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) {
+    return CK_TRUE;
+  }
+
+  return fwSlot->mdSlot->GetTokenPresent(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetRemovableDevice
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetRemovableDevice
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) {
+    return CK_FALSE;
+  }
+
+  return fwSlot->mdSlot->GetRemovableDevice(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetHardwareSlot
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetHardwareSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) {
+    return CK_FALSE;
+  }
+
+  return fwSlot->mdSlot->GetHardwareSlot(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetHardwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWSlot_GetHardwareVersion
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwSlot->hardwareVersion.major) ||
+      (0 != fwSlot->hardwareVersion.minor) ) {
+    rv = fwSlot->hardwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) {
+    fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
+      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
+  } else {
+    fwSlot->hardwareVersion.major = 0;
+    fwSlot->hardwareVersion.minor = 1;
+  }
+
+  rv = fwSlot->hardwareVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWSlot_GetFirmwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWSlot_GetFirmwareVersion
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwSlot->firmwareVersion.major) ||
+      (0 != fwSlot->firmwareVersion.minor) ) {
+    rv = fwSlot->firmwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) {
+    fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
+      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
+  } else {
+    fwSlot->firmwareVersion.major = 0;
+    fwSlot->firmwareVersion.minor = 1;
+  }
+
+  rv = fwSlot->firmwareVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWSlot_GetToken
+ * 
+ */
+NSS_IMPLEMENT NSSCKFWToken *
+nssCKFWSlot_GetToken
+(
+  NSSCKFWSlot *fwSlot,
+  CK_RV *pError
+)
+{
+  NSSCKMDToken *mdToken;
+  NSSCKFWToken *fwToken;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+
+  *pError = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+
+  if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) {
+    if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) {
+      *pError = CKR_GENERAL_ERROR;
+      fwToken = (NSSCKFWToken *)NULL;
+      goto done;
+    }
+
+    mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot,
+      fwSlot->mdInstance, fwSlot->fwInstance, pError);
+    if( (NSSCKMDToken *)NULL == mdToken ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWToken *)NULL;
+    }
+
+    fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
+    fwSlot->fwToken = fwToken;
+  } else {
+    fwToken = fwSlot->fwToken;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return fwToken;
+}
+
+/*
+ * nssCKFWSlot_ClearToken
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWSlot_ClearToken
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    /* Now what? */
+    return;
+  }
+
+  fwSlot->fwToken = (NSSCKFWToken *)NULL;
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return;
+}
+
+/*
+ * NSSCKFWSlot_GetMDSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSlot *
+NSSCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetMDSlot(fwSlot);
+}
+
+/*
+ * NSSCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWInstance *
+NSSCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetFWInstance(fwSlot);
+}
+
+/*
+ * NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDInstance *
+NSSCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetMDInstance(fwSlot);
+}
diff --git a/security/nss/lib/ckfw/token.c b/security/nss/lib/ckfw/token.c
new file mode 100644
index 000000000..e12225532
--- /dev/null
+++ b/security/nss/lib/ckfw/token.c
@@ -0,0 +1,1928 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * token.c
+ *
+ * This file implements the NSSCKFWToken type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWToken
+ *
+ *  -- create/destroy --
+ *  nssCKFWToken_Create
+ *  nssCKFWToken_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWToken_GetMDToken
+ *  NSSCKFWToken_GetFWSlot
+ *  NSSCKFWToken_GetMDSlot
+ *  NSSCKFWToken_GetSessionState
+ *
+ *  -- implement public accessors --
+ *  nssCKFWToken_GetMDToken
+ *  nssCKFWToken_GetFWSlot
+ *  nssCKFWToken_GetMDSlot
+ *  nssCKFWToken_GetSessionState
+ *  nssCKFWToken_SetSessionState
+ *
+ *  -- private accessors --
+ *  nssCKFWToken_SetSessionState
+ *  nssCKFWToken_RemoveSession
+ *  nssCKFWToken_CloseAllSessions
+ *  nssCKFWToken_GetSessionCount
+ *  nssCKFWToken_GetRwSessionCount
+ *  nssCKFWToken_GetRoSessionCount
+ *  nssCKFWToken_GetSessionObjectHash
+ *  nssCKFWToken_GetMDObjectHash
+ *  nssCKFWToken_GetObjectHandleHash
+ *
+ *  -- module fronts --
+ *  nssCKFWToken_InitToken
+ *  nssCKFWToken_GetLabel
+ *  nssCKFWToken_GetManufacturerID
+ *  nssCKFWToken_GetModel
+ *  nssCKFWToken_GetSerialNumber
+ *  nssCKFWToken_GetHasRNG
+ *  nssCKFWToken_GetIsWriteProtected
+ *  nssCKFWToken_GetLoginRequired
+ *  nssCKFWToken_GetUserPinInitialized
+ *  nssCKFWToken_GetRestoreKeyNotNeeded
+ *  nssCKFWToken_GetHasClockOnToken
+ *  nssCKFWToken_GetHasProtectedAuthenticationPath
+ *  nssCKFWToken_GetSupportsDualCryptoOperations
+ *  nssCKFWToken_GetMaxSessionCount
+ *  nssCKFWToken_GetMaxRwSessionCount
+ *  nssCKFWToken_GetMaxPinLen
+ *  nssCKFWToken_GetMinPinLen
+ *  nssCKFWToken_GetTotalPublicMemory
+ *  nssCKFWToken_GetFreePublicMemory
+ *  nssCKFWToken_GetTotalPrivateMemory
+ *  nssCKFWToken_GetFreePrivateMemory
+ *  nssCKFWToken_GetHardwareVersion
+ *  nssCKFWToken_GetFirmwareVersion
+ *  nssCKFWToken_GetUTCTime
+ *  nssCKFWToken_OpenSession
+ *  nssCKFWToken_GetMechanismCount
+ *  nssCKFWToken_GetMechanismTypes
+ *  nssCKFWToken_GetMechanism
+ */
+
+struct NSSCKFWTokenStr {
+  NSSCKFWMutex *mutex;
+  NSSArena *arena;
+  NSSCKMDToken *mdToken;
+  NSSCKFWSlot *fwSlot;
+  NSSCKMDSlot *mdSlot;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   * 1) Each of the cached descriptions (versions, etc.) are in an
+   *    internally consistant state.
+   *
+   * 2) The session counts and hashes are consistant.
+   *
+   * 3) The object hashes are consistant.
+   *
+   * Note that the calls accessing the cached descriptions will call
+   * the NSSCKMDToken methods with the mutex locked.  Those methods
+   * may then call the public NSSCKFWToken routines.  Those public
+   * routines only access the constant data above and the atomic
+   * CK_STATE session state variable below, so there's no problem.
+   * But be careful if you add to this object; mutexes are in
+   * general not reentrant, so don't create deadlock situations.
+   */
+
+  NSSUTF8 *label;
+  NSSUTF8 *manufacturerID;
+  NSSUTF8 *model;
+  NSSUTF8 *serialNumber;
+  CK_VERSION hardwareVersion;
+  CK_VERSION firmwareVersion;
+
+  CK_ULONG sessionCount;
+  CK_ULONG rwSessionCount;
+  nssCKFWHash *sessions;
+  nssCKFWHash *sessionObjectHash;
+  nssCKFWHash *mdObjectHash;
+  nssCKFWHash *mdMechanismHash;
+
+  CK_STATE state;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+token_add_pointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+token_remove_pointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_verifyPointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWToken_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWToken *
+nssCKFWToken_Create
+(
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDToken *mdToken,
+  CK_RV *pError
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  CK_BBOOL called_setup = CK_FALSE;
+
+  /*
+   * We have already verified the arguments in nssCKFWSlot_GetToken.
+   */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwToken = nss_ZNEW(arena, NSSCKFWToken);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }    
+
+  fwToken->arena = arena;
+  fwToken->mdToken = mdToken;
+  fwToken->fwSlot = fwSlot;
+  fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
+  fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
+  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  fwToken->sessionCount = 0;
+  fwToken->rwSessionCount = 0;
+
+  fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwToken->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
+  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
+                   fwToken->fwInstance) ) {
+    fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
+                                   arena, pError);
+    if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      goto loser;
+    }
+  }
+
+  fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
+                            arena, pError);
+  if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  fwToken->mdMechanismHash = nssCKFWHash_Create(fwToken->fwInstance, 
+                            arena, pError);
+  if( (nssCKFWHash *)NULL == fwToken->mdMechanismHash ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  /* More here */
+
+  if( (void *)NULL != (void *)mdToken->Setup ) {
+    *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+  }
+
+  called_setup = CK_TRUE;
+
+#ifdef DEBUG
+  *pError = token_add_pointer(fwToken);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwToken;
+
+ loser:
+
+  if( CK_TRUE == called_setup ) {
+    if( (void *)NULL != (void *)mdToken->Invalidate ) {
+      mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+    }
+  }
+
+  if( (NSSArena *)NULL != arena ) {
+    (void)NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKFWToken *)NULL;
+}
+
+static void
+nss_ckfwtoken_session_iterator
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  /*
+   * Remember that the fwToken->mutex is locked
+   */
+  NSSCKFWSession *fwSession = (NSSCKFWSession *)value;
+  (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+  return;
+}
+
+static void
+nss_ckfwtoken_object_iterator
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  /*
+   * Remember that the fwToken->mutex is locked
+   */
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
+  (void)nssCKFWObject_Finalize(fwObject, CK_FALSE);
+  return;
+}
+
+/*
+ * nssCKFWToken_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_Destroy
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwToken->mutex);
+  
+  if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) {
+    fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
+      fwToken->mdInstance, fwToken->fwInstance);
+  }
+  /* we can destroy the list without locking now because no one else is 
+   * referencing us (or _Destroy was invalidly called!)
+   */
+  nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, 
+                                                                (void *)NULL);
+  nssCKFWHash_Destroy(fwToken->sessions);
+
+  /* session objects go away when their sessions are removed */
+  if (fwToken->sessionObjectHash) {
+    nssCKFWHash_Destroy(fwToken->sessionObjectHash);
+  }
+
+  /* free up the token objects */
+  nssCKFWHash_Iterate(fwToken->mdObjectHash, nss_ckfwtoken_object_iterator, 
+                                                                (void *)NULL);
+  if (fwToken->mdObjectHash) {
+    nssCKFWHash_Destroy(fwToken->mdObjectHash);
+  }
+  if (fwToken->mdMechanismHash) {
+    nssCKFWHash_Destroy(fwToken->mdMechanismHash);
+  }
+
+  nssCKFWSlot_ClearToken(fwToken->fwSlot);
+  
+#ifdef DEBUG
+  error = token_remove_pointer(fwToken);
+#endif /* DEBUG */
+
+  (void)NSSArena_Destroy(fwToken->arena);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetMDToken
+ *
+ */
+NSS_IMPLEMENT NSSCKMDToken *
+nssCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDToken *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdToken;
+}
+
+/*
+ * nssCKFWToken_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->arena;
+}
+
+/*
+ * nssCKFWToken_GetFWSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->fwSlot;
+}
+
+/*
+ * nssCKFWToken_GetMDSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSlot *
+nssCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdSlot;
+}
+
+/*
+ * nssCKFWToken_GetSessionState
+ *
+ */
+NSS_IMPLEMENT CK_STATE
+nssCKFWToken_GetSessionState
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKS_RO_PUBLIC_SESSION; /* whatever */
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * BTW, do not lock the token in this method.
+   */
+
+  /*
+   * Theoretically, there is no state if there aren't any
+   * sessions open.  But then we'd need to worry about
+   * reporting an error, etc.  What the heck-- let's just
+   * revert to CKR_RO_PUBLIC_SESSION as the "default."
+   */
+
+  return fwToken->state;
+}
+
+/*
+ * nssCKFWToken_InitToken
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_InitToken
+(
+  NSSCKFWToken *fwToken,
+  NSSItem *pin,
+  NSSUTF8 *label
+)
+{
+  CK_RV error;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( fwToken->sessionCount > 0 ) {
+    error = CKR_SESSION_EXISTS;
+    goto done;
+  }
+
+  if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) {
+    error = CKR_DEVICE_ERROR;
+    goto done;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
+      ; /* okay */
+    } else {
+      error = CKR_PIN_INCORRECT;
+      goto done;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == label ) {
+    label = (NSSUTF8 *) "";
+  }
+
+  error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
+            fwToken->mdInstance, fwToken->fwInstance, pin, label);
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetLabel
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetLabel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR label[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == label ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->label ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) {
+      fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
+        fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->label = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetManufacturerID
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) {
+      fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
+        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->manufacturerID = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetModel
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetModel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR model[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == model ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->model ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) {
+      fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
+        fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->model = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetSerialNumber
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetSerialNumber
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR serialNumber[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == serialNumber ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->serialNumber ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) {
+      fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken, 
+        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->serialNumber = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+
+/*
+ * nssCKFWToken_GetHasRNG
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasRNG
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetIsWriteProtected
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetIsWriteProtected
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetLoginRequired
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetLoginRequired
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetUserPinInitialized
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetUserPinInitialized
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetRestoreKeyNotNeeded
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetRestoreKeyNotNeeded
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHasClockOnToken
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasClockOnToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHasProtectedAuthenticationPath
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasProtectedAuthenticationPath
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken, 
+    fwToken, fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetSupportsDualCryptoOperations
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetSupportsDualCryptoOperations
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken, 
+    fwToken, fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxRwSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxRwSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxPinLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxPinLen
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMinPinLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMinPinLen
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetTotalPublicMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetTotalPublicMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetFreePublicMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetFreePublicMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetTotalPrivateMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetTotalPrivateMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetFreePrivateMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetFreePrivateMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHardwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWToken_GetHardwareVersion
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwToken->hardwareVersion.major) ||
+      (0 != fwToken->hardwareVersion.minor) ) {
+    rv = fwToken->hardwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) {
+    fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
+      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+  } else {
+    fwToken->hardwareVersion.major = 0;
+    fwToken->hardwareVersion.minor = 1;
+  }
+
+  rv = fwToken->hardwareVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetFirmwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWToken_GetFirmwareVersion
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwToken->firmwareVersion.major) ||
+      (0 != fwToken->firmwareVersion.minor) ) {
+    rv = fwToken->firmwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) {
+    fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
+      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+  } else {
+    fwToken->firmwareVersion.major = 0;
+    fwToken->firmwareVersion.minor = 1;
+  }
+
+  rv = fwToken->firmwareVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetUTCTime
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetUTCTime
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR utcTime[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_CHAR_PTR)NULL == utcTime ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* DEBUG */
+
+  if( CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken) ) {
+    /* return CKR_DEVICE_ERROR; */
+    (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, (char *)utcTime, 16, ' ');
+    return CKR_OK;
+  }
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) {
+    /* It said it had one! */
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken, 
+            fwToken->mdInstance, fwToken->fwInstance, utcTime);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* Sanity-check the data */
+  {
+    /* Format is YYYYMMDDhhmmss00 */
+    int i;
+    int Y, M, D, h, m, s, z;
+    static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+
+    for( i = 0; i < 16; i++ ) {
+      if( (utcTime[i] < '0') || (utcTime[i] > '9') ) {
+        goto badtime;
+      }
+    }
+
+    Y = ((utcTime[ 0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
+        ((utcTime[ 2] - '0') * 10) + (utcTime[ 3] - '0');
+    M = ((utcTime[ 4] - '0') * 10) + (utcTime[ 5] - '0');
+    D = ((utcTime[ 6] - '0') * 10) + (utcTime[ 7] - '0');
+    h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
+    m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
+    s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
+    z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
+
+    if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem.  heh heh heh */
+    if( (M < 1) || (M > 12) ) goto badtime;
+    if( (D < 1) || (D > 31) ) goto badtime;
+
+    if( D > dims[M-1] ) goto badtime; /* per-month check */
+    if( (2 == M) && (((Y%4)||!(Y%100))&&(Y%400)) && (D > 28) ) goto badtime; /* leap years */
+
+    if( (h < 0) || (h > 23) ) goto badtime;
+    if( (m < 0) || (m > 60) ) goto badtime;
+    if( (s < 0) || (s > 61) ) goto badtime;
+
+    /* 60m and 60 or 61s is only allowed for leap seconds. */
+    if( (60 == m) || (s >= 60) ) {
+      if( (23 != h) || (60 != m) || (s < 60) ) goto badtime;
+      /* leap seconds can only happen on June 30 or Dec 31.. I think */
+      /* if( ((6 != M) || (30 != D)) && ((12 != M) || (31 != D)) ) goto badtime; */
+    }
+  }
+
+  return CKR_OK;
+
+ badtime:
+  return CKR_GENERAL_ERROR;
+}
+
+/*
+ * nssCKFWToken_OpenSession
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWToken_OpenSession
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+)
+{
+  NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
+  NSSCKMDSession *mdSession;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  switch( rw ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  if( CK_TRUE == rw ) {
+    /* Read-write session desired */
+    if( CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken) ) {
+      *pError = CKR_TOKEN_WRITE_PROTECTED;
+      goto done;
+    }
+  } else {
+    /* Read-only session desired */
+    if( CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken) ) {
+      *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
+      goto done;
+    }
+  }
+
+  /* We could compare sesion counts to any limits we know of, I guess.. */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) {
+    /*
+     * I'm not sure that the Module actually needs to implement
+     * mdSessions -- the Framework can keep track of everything 
+     * needed, really.  But I'll sort out that detail later..
+     */
+    *pError = CKR_GENERAL_ERROR;
+    goto done;
+  }
+
+  fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
+                fwToken->mdInstance, fwToken->fwInstance, fwSession,
+                rw, pError);
+  if( (NSSCKMDSession *)NULL == mdSession ) {
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
+  if( CKR_OK != *pError ) {
+    if( (void *)NULL != (void *)mdSession->Close ) {
+      mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
+      fwToken->mdInstance, fwToken->fwInstance);
+    }
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
+  if( CKR_OK != *pError ) {
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    fwSession = (NSSCKFWSession *)NULL;
+    goto done;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return fwSession;
+}
+
+/*
+ * nssCKFWToken_GetMechanismCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMechanismCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return 0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismCount ) {
+    return 0;
+  }
+
+  return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMechanismTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetMechanismTypes
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE types[]
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (CK_MECHANISM_TYPE *)NULL == types ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismTypes ) {
+    /*
+     * This should only be called with a sufficiently-large
+     * "types" array, which can only be done if GetMechanismCount
+     * is implemented.  If that's implemented (and returns nonzero),
+     * then this should be too.  So return an error.
+     */
+    return CKR_GENERAL_ERROR;
+  }
+
+  return fwToken->mdToken->GetMechanismTypes(fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance, types);
+}
+
+
+/*
+ * nssCKFWToken_GetMechanism
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMechanism *
+nssCKFWToken_GetMechanism
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+)
+{
+  NSSCKMDMechanism *mdMechanism;
+  if ((nssCKFWHash *)NULL == fwToken->mdMechanismHash) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWMechanism *)NULL;
+  }
+  
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanism ) {
+    /*
+     * If we don't implement any GetMechanism function, then we must
+     * not support any.
+     */
+    *pError = CKR_MECHANISM_INVALID;
+    return (NSSCKFWMechanism *)NULL;
+  }
+
+  /* lookup in hash table */
+  mdMechanism = fwToken->mdToken->GetMechanism(fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance, which, pError);
+  if ((NSSCKMDMechanism *)NULL == mdMechanism) {
+    return (NSSCKFWMechanism *) NULL;
+  }
+  /* store in hash table */
+  return nssCKFWMechanism_Create(mdMechanism, fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_SetSessionState
+(
+  NSSCKFWToken *fwToken,
+  CK_STATE newState
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  switch( newState ) {
+  case CKS_RO_PUBLIC_SESSION:
+  case CKS_RO_USER_FUNCTIONS:
+  case CKS_RW_PUBLIC_SESSION:
+  case CKS_RW_USER_FUNCTIONS:
+  case CKS_RW_SO_FUNCTIONS:
+    break;
+  default:
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  fwToken->state = newState;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWToken_RemoveSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_RemoveSession
+(
+  NSSCKFWToken *fwToken,
+  NSSCKFWSession *fwSession
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( CK_TRUE != nssCKFWHash_Exists(fwToken->sessions, fwSession) ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto done;
+  }
+
+  nssCKFWHash_Remove(fwToken->sessions, fwSession);
+  fwToken->sessionCount--;
+
+  if( nssCKFWSession_IsRWSession(fwSession) ) {
+    fwToken->rwSessionCount--;
+  }
+
+  if( 0 == fwToken->sessionCount ) {
+    fwToken->rwSessionCount = 0; /* sanity */
+    fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  }
+
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+
+/*
+ * nssCKFWToken_CloseAllSessions
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_CloseAllSessions
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);
+
+  nssCKFWHash_Destroy(fwToken->sessions);
+
+  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
+  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+    if( CKR_OK == error ) {
+      error = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  fwToken->sessionCount = 0;
+  fwToken->rwSessionCount = 0;
+
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->sessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetRwSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetRwSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->rwSessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetRoSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetRoSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->sessionCount - fwToken->rwSessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetSessionObjectHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetSessionObjectHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->sessionObjectHash;
+}
+
+/*
+ * nssCKFWToken_GetMDObjectHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetMDObjectHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdObjectHash;
+}
+
+/*
+ * nssCKFWToken_GetObjectHandleHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetObjectHandleHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdObjectHash;
+}
+
+/*
+ * NSSCKFWToken_GetMDToken
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDToken *
+NSSCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDToken *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetMDToken(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetArena
+ *
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetArena(fwToken, pError);
+}
+
+/*
+ * NSSCKFWToken_GetFWSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWSlot *
+NSSCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetFWSlot(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetMDSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSlot *
+NSSCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetMDSlot(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetSessionState
+ *
+ */
+
+NSS_IMPLEMENT CK_STATE
+NSSCKFWSession_GetSessionState
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKS_RO_PUBLIC_SESSION;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetSessionState(fwToken);
+}
diff --git a/security/nss/lib/ckfw/wrap.c b/security/nss/lib/ckfw/wrap.c
new file mode 100644
index 000000000..02a8130ab
--- /dev/null
+++ b/security/nss/lib/ckfw/wrap.c
@@ -0,0 +1,5705 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * wrap.c
+ *
+ * This file contains the routines that actually implement the cryptoki
+ * API, using the internal APIs of the NSS Cryptoki Framework.  There is
+ * one routine here for every cryptoki routine.  For linking reasons
+ * the actual entry points passed back with C_GetFunctionList have to
+ * exist in one of the Module's source files; however, those are merely
+ * simple wrappers that call these routines.  The intelligence of the
+ * implementations is here.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWC_Initialize
+ * NSSCKFWC_Finalize
+ * NSSCKFWC_GetInfo
+ * -- NSSCKFWC_GetFunctionList -- see the API insert file
+ * NSSCKFWC_GetSlotList
+ * NSSCKFWC_GetSlotInfo
+ * NSSCKFWC_GetTokenInfo
+ * NSSCKFWC_WaitForSlotEvent
+ * NSSCKFWC_GetMechanismList
+ * NSSCKFWC_GetMechanismInfo
+ * NSSCKFWC_InitToken
+ * NSSCKFWC_InitPIN
+ * NSSCKFWC_SetPIN
+ * NSSCKFWC_OpenSession
+ * NSSCKFWC_CloseSession
+ * NSSCKFWC_CloseAllSessions
+ * NSSCKFWC_GetSessionInfo
+ * NSSCKFWC_GetOperationState
+ * NSSCKFWC_SetOperationState
+ * NSSCKFWC_Login
+ * NSSCKFWC_Logout
+ * NSSCKFWC_CreateObject
+ * NSSCKFWC_CopyObject
+ * NSSCKFWC_DestroyObject
+ * NSSCKFWC_GetObjectSize
+ * NSSCKFWC_GetAttributeValue
+ * NSSCKFWC_SetAttributeValue
+ * NSSCKFWC_FindObjectsInit
+ * NSSCKFWC_FindObjects
+ * NSSCKFWC_FindObjectsFinal
+ * NSSCKFWC_EncryptInit
+ * NSSCKFWC_Encrypt
+ * NSSCKFWC_EncryptUpdate
+ * NSSCKFWC_EncryptFinal
+ * NSSCKFWC_DecryptInit
+ * NSSCKFWC_Decrypt
+ * NSSCKFWC_DecryptUpdate
+ * NSSCKFWC_DecryptFinal
+ * NSSCKFWC_DigestInit
+ * NSSCKFWC_Digest
+ * NSSCKFWC_DigestUpdate
+ * NSSCKFWC_DigestKey
+ * NSSCKFWC_DigestFinal
+ * NSSCKFWC_SignInit
+ * NSSCKFWC_Sign
+ * NSSCKFWC_SignUpdate
+ * NSSCKFWC_SignFinal
+ * NSSCKFWC_SignRecoverInit
+ * NSSCKFWC_SignRecover
+ * NSSCKFWC_VerifyInit
+ * NSSCKFWC_Verify
+ * NSSCKFWC_VerifyUpdate
+ * NSSCKFWC_VerifyFinal
+ * NSSCKFWC_VerifyRecoverInit
+ * NSSCKFWC_VerifyRecover
+ * NSSCKFWC_DigestEncryptUpdate
+ * NSSCKFWC_DecryptDigestUpdate
+ * NSSCKFWC_SignEncryptUpdate
+ * NSSCKFWC_DecryptVerifyUpdate
+ * NSSCKFWC_GenerateKey
+ * NSSCKFWC_GenerateKeyPair
+ * NSSCKFWC_WrapKey
+ * NSSCKFWC_UnwrapKey
+ * NSSCKFWC_DeriveKey
+ * NSSCKFWC_SeedRandom
+ * NSSCKFWC_GenerateRandom
+ * NSSCKFWC_GetFunctionStatus
+ * NSSCKFWC_CancelFunction
+ */
+
+/* figure out out locking semantics */
+static CK_RV
+nssCKFW_GetThreadSafeState(CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+                           CryptokiLockingState *pLocking_state) {
+  int functionCount = 0;
+
+  /* parsed according to (PKCS #11 Section 11.4) */
+  /* no args, the degenerate version of case 1 */
+  if (!pInitArgs) {
+    *pLocking_state = SingleThreaded;
+    return CKR_OK;
+  } 
+
+  /* CKF_OS_LOCKING_OK set, Cases 2 and 4 */
+  if (pInitArgs->flags & CKF_OS_LOCKING_OK) {
+    *pLocking_state = MultiThreaded;
+    return CKR_OK;
+  }
+  if ((CK_CREATEMUTEX) NULL != pInitArgs->CreateMutex) functionCount++;
+  if ((CK_DESTROYMUTEX) NULL != pInitArgs->DestroyMutex) functionCount++;
+  if ((CK_LOCKMUTEX) NULL != pInitArgs->LockMutex) functionCount++;
+  if ((CK_UNLOCKMUTEX) NULL != pInitArgs->UnlockMutex) functionCount++;
+
+  /* CKF_OS_LOCKING_OK is not set, and not functions supplied, 
+   * explicit case 1 */
+  if (0 == functionCount) {
+    *pLocking_state = SingleThreaded;
+    return CKR_OK;
+  }
+
+  /* OS_LOCKING_OK is not set and functions have been supplied. Since
+   * ckfw uses nssbase library which explicitly calls NSPR, and since 
+   * there is no way to reliably override these explicit calls to NSPR,
+   * therefore we can't support applications which have their own threading 
+   * module.  Return CKR_CANT_LOCK if they supplied the correct number of 
+   * arguments, or CKR_ARGUMENTS_BAD if they did not in either case we will 
+   * fail the initialize */
+  return (4 == functionCount) ? CKR_CANT_LOCK : CKR_ARGUMENTS_BAD;
+}
+
+static PRInt32 liveInstances;
+
+/*
+ * NSSCKFWC_Initialize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Initialize
+(
+  NSSCKFWInstance **pFwInstance,
+  NSSCKMDInstance *mdInstance,
+  CK_VOID_PTR pInitArgs
+)
+{
+  CK_RV error = CKR_OK;
+  CryptokiLockingState locking_state;
+
+  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  if( (NSSCKFWInstance *)NULL != *pFwInstance ) {
+    error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
+    goto loser;
+  }
+
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  error = nssCKFW_GetThreadSafeState(pInitArgs,&locking_state);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  *pFwInstance = nssCKFWInstance_Create(pInitArgs, locking_state, mdInstance, &error);
+  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+    goto loser;
+  }
+  PR_AtomicIncrement(&liveInstances);
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CANT_LOCK:
+  case CKR_CRYPTOKI_ALREADY_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_NEED_TO_CREATE_THREADS:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Finalize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Finalize
+(
+  NSSCKFWInstance **pFwInstance
+)
+{
+  CK_RV error = CKR_OK;
+
+  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  error = nssCKFWInstance_Destroy(*pFwInstance);
+
+  /* In any case */
+  *pFwInstance = (NSSCKFWInstance *)NULL;
+
+ loser:
+  switch( error ) {
+  PRInt32 remainingInstances;
+  case CKR_OK:
+    remainingInstances = PR_AtomicDecrement(&liveInstances);
+    if (!remainingInstances) {
+	nssArena_Shutdown();
+    }
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+    break;
+  default:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  /*
+   * A thread's error stack is automatically destroyed when the thread
+   * terminates or, for the primordial thread, by PR_Cleanup.  On
+   * Windows with MinGW, the thread private data destructor PR_Free
+   * registered by this module is actually a thunk for PR_Free defined
+   * in this module.  When the thread that unloads this module terminates
+   * or calls PR_Cleanup, the thunk for PR_Free is already gone with the
+   * module.  Therefore we need to destroy the error stack before the
+   * module is unloaded.
+   */
+  nss_DestroyErrorStack();
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+
+  if( (CK_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here means a caller error
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_INFO));
+
+  pInfo->cryptokiVersion = nssCKFWInstance_GetCryptokiVersion(fwInstance);
+
+  error = nssCKFWInstance_GetManufacturerID(fwInstance, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  pInfo->flags = nssCKFWInstance_GetFlags(fwInstance);
+
+  error = nssCKFWInstance_GetLibraryDescription(fwInstance, pInfo->libraryDescription);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  pInfo->libraryVersion = nssCKFWInstance_GetLibraryVersion(fwInstance);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+    break;
+  default:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+  
+/*
+ * C_GetFunctionList is implemented entirely in the Module's file which
+ * includes the Framework API insert file.  It requires no "actual"
+ * NSSCKFW routine.
+ */
+
+/*
+ * NSSCKFWC_GetSlotList
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSlotList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  switch( tokenPresent ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList ) {
+    *pulCount = nSlots;
+    return CKR_OK;
+  } 
+    
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
+
+  if( *pulCount < nSlots ) {
+    *pulCount = nSlots;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  } else {
+    CK_ULONG i;
+    *pulCount = nSlots;
+    
+    /* 
+     * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
+     * just index one when we need it.
+     */
+
+    for( i = 0; i < nSlots; i++ ) {
+      pSlotList[i] = i+1;
+    }
+
+    return CKR_OK;
+  }
+
+ loser:
+  switch( error ) {
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+ 
+/*
+ * NSSCKFWC_GetSlotInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSlotInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SLOT_INFO));
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  error = nssCKFWSlot_GetSlotDescription(fwSlot, pInfo->slotDescription);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWSlot_GetManufacturerID(fwSlot, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  if( nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    pInfo->flags |= CKF_TOKEN_PRESENT;
+  }
+
+  if( nssCKFWSlot_GetRemovableDevice(fwSlot) ) {
+    pInfo->flags |= CKF_REMOVABLE_DEVICE;
+  }
+
+  if( nssCKFWSlot_GetHardwareSlot(fwSlot) ) {
+    pInfo->flags |= CKF_HW_SLOT;
+  }
+
+  pInfo->hardwareVersion = nssCKFWSlot_GetHardwareVersion(fwSlot);
+  pInfo->firmwareVersion = nssCKFWSlot_GetFirmwareVersion(fwSlot);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetTokenInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetTokenInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_TOKEN_INFO));
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetManufacturerID(fwToken, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetModel(fwToken, pInfo->model);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetSerialNumber(fwToken, pInfo->serialNumber);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  if( nssCKFWToken_GetHasRNG(fwToken) ) {
+    pInfo->flags |= CKF_RNG;
+  }
+
+  if( nssCKFWToken_GetIsWriteProtected(fwToken) ) {
+    pInfo->flags |= CKF_WRITE_PROTECTED;
+  }
+
+  if( nssCKFWToken_GetLoginRequired(fwToken) ) {
+    pInfo->flags |= CKF_LOGIN_REQUIRED;
+  }
+
+  if( nssCKFWToken_GetUserPinInitialized(fwToken) ) {
+    pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+  }
+
+  if( nssCKFWToken_GetRestoreKeyNotNeeded(fwToken) ) {
+    pInfo->flags |= CKF_RESTORE_KEY_NOT_NEEDED;
+  }
+
+  if( nssCKFWToken_GetHasClockOnToken(fwToken) ) {
+    pInfo->flags |= CKF_CLOCK_ON_TOKEN;
+  }
+
+  if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
+    pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
+  }
+
+  if( nssCKFWToken_GetSupportsDualCryptoOperations(fwToken) ) {
+    pInfo->flags |= CKF_DUAL_CRYPTO_OPERATIONS;
+  }
+
+  pInfo->ulMaxSessionCount = nssCKFWToken_GetMaxSessionCount(fwToken);
+  pInfo->ulSessionCount = nssCKFWToken_GetSessionCount(fwToken);
+  pInfo->ulMaxRwSessionCount = nssCKFWToken_GetMaxRwSessionCount(fwToken);
+  pInfo->ulRwSessionCount= nssCKFWToken_GetRwSessionCount(fwToken);
+  pInfo->ulMaxPinLen = nssCKFWToken_GetMaxPinLen(fwToken);
+  pInfo->ulMinPinLen = nssCKFWToken_GetMinPinLen(fwToken);
+  pInfo->ulTotalPublicMemory = nssCKFWToken_GetTotalPublicMemory(fwToken);
+  pInfo->ulFreePublicMemory = nssCKFWToken_GetFreePublicMemory(fwToken);
+  pInfo->ulTotalPrivateMemory = nssCKFWToken_GetTotalPrivateMemory(fwToken);
+  pInfo->ulFreePrivateMemory = nssCKFWToken_GetFreePrivateMemory(fwToken);
+  pInfo->hardwareVersion = nssCKFWToken_GetHardwareVersion(fwToken);
+  pInfo->firmwareVersion = nssCKFWToken_GetFirmwareVersion(fwToken);
+  
+  error = nssCKFWToken_GetUTCTime(fwToken, pInfo->utcTime);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    if (fwToken)
+      nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_WaitForSlotEvent
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pReserved
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  CK_BBOOL block;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  if( flags & ~CKF_DONT_BLOCK ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  block = (flags & CKF_DONT_BLOCK) ? CK_TRUE : CK_FALSE;
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_VOID_PTR)CK_NULL_PTR != pReserved ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    goto loser;
+  }
+
+  for( i = 0; i < nSlots; i++ ) {
+    if( fwSlot == slots[i] ) {
+      *pSlot = (CK_SLOT_ID)(CK_ULONG)(i+1);
+      return CKR_OK;
+    }
+  }
+
+  error = CKR_GENERAL_ERROR; /* returned something not in the slot list */
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_NO_EVENT:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetMechanismList
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetMechanismList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  CK_ULONG count;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  count = nssCKFWToken_GetMechanismCount(fwToken);
+
+  if( (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList ) {
+    *pulCount = count;
+    return CKR_OK;
+  }
+
+  if( *pulCount < count ) {
+    *pulCount = count;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
+
+  *pulCount = count;
+
+  if( 0 != count ) {
+    error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
+  } else {
+    error = CKR_OK;
+  }
+
+  if( CKR_OK == error ) {
+    return CKR_OK;
+  }
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    if (fwToken)
+      nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetMechanismInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetMechanismInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  if( (CK_MECHANISM_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism, &error);
+  pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism, &error);
+
+  if( nssCKFWMechanism_GetInHardware(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_HW;
+  }
+  if( nssCKFWMechanism_GetCanEncrypt(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_ENCRYPT;
+  }
+  if( nssCKFWMechanism_GetCanDecrypt(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_DECRYPT;
+  }
+  if( nssCKFWMechanism_GetCanDigest(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_DIGEST;
+  }
+  if( nssCKFWMechanism_GetCanSign(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_SIGN;
+  }
+  if( nssCKFWMechanism_GetCanSignRecover(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_SIGN_RECOVER;
+  }
+  if( nssCKFWMechanism_GetCanVerify(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_VERIFY;
+  }
+  if( nssCKFWMechanism_GetCanVerifyRecover(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_VERIFY_RECOVER;
+  }
+  if( nssCKFWMechanism_GetCanGenerate(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_GENERATE;
+  }
+  if( nssCKFWMechanism_GetCanGenerateKeyPair(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_GENERATE_KEY_PAIR;
+  }
+  if( nssCKFWMechanism_GetCanWrap(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_WRAP;
+  }
+  if( nssCKFWMechanism_GetCanUnwrap(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_UNWRAP;
+  }
+  if( nssCKFWMechanism_GetCanDerive(fwMechanism, &error) ) {
+    pInfo->flags |= CKF_DERIVE;
+  }
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  return error;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    if (fwToken)
+      nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_InitToken
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_InitToken
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSItem pin;
+  NSSUTF8 *label;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  pin.size = (PRUint32)ulPinLen;
+  pin.data = (void *)pPin;
+  label = (NSSUTF8 *)pLabel; /* identity conversion */
+
+  error = nssCKFWToken_InitToken(fwToken, &pin, label);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    if (fwToken)
+      nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_EXISTS:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_InitPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_InitPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem pin, *arg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
+    arg = (NSSItem *)NULL;
+  } else {
+    arg = &pin;
+    pin.size = (PRUint32)ulPinLen;
+    pin.data = (void *)pPin;
+  }
+
+  error = nssCKFWSession_InitPIN(fwSession, arg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INVALID:
+  case CKR_PIN_LEN_RANGE:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_SetPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem oldPin, newPin, *oldArg, *newArg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pOldPin ) {
+    oldArg = (NSSItem *)NULL;
+  } else {
+    oldArg = &oldPin;
+    oldPin.size = (PRUint32)ulOldLen;
+    oldPin.data = (void *)pOldPin;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pNewPin ) {
+    newArg = (NSSItem *)NULL;
+  } else {
+    newArg = &newPin;
+    newPin.size = (PRUint32)ulNewLen;
+    newPin.data = (void *)pNewPin;
+  }
+
+  error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_INVALID:
+  case CKR_PIN_LEN_RANGE:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_OpenSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_OpenSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSCKFWSession *fwSession;
+  CK_BBOOL rw;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( flags & CKF_RW_SESSION ) {
+    rw = CK_TRUE;
+  } else {
+    rw = CK_FALSE;
+  }
+
+  if( flags & CKF_SERIAL_SESSION ) {
+    ;
+  } else {
+    error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
+    goto loser;
+  }
+
+  if( flags & ~(CKF_RW_SESSION|CKF_SERIAL_SESSION) ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_SESSION_HANDLE_PTR)CK_NULL_PTR == phSession ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phSession = (CK_SESSION_HANDLE)0;
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
+               Notify, &error);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    goto loser;
+  }
+
+  *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
+                 fwSession, &error);
+  if( (CK_SESSION_HANDLE)0 == *phSession ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_COUNT:
+  case CKR_SESSION_EXISTS:
+  case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
+  case CKR_SESSION_READ_WRITE_SO_EXISTS:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_PRESENT:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CloseSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CloseSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
+  error = nssCKFWSession_Destroy(fwSession, CK_TRUE);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CloseAllSessions
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CloseAllSessions
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_CloseAllSessions(fwToken);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_PRESENT:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetSessionInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSessionInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWSlot *fwSlot;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
+  pInfo->state = nssCKFWSession_GetSessionState(fwSession);
+
+  if( CK_TRUE == nssCKFWSession_IsRWSession(fwSession) ) {
+    pInfo->flags |= CKF_RW_SESSION;
+  }
+
+  pInfo->flags |= CKF_SERIAL_SESSION; /* Always true */
+
+  pInfo->ulDeviceError = nssCKFWSession_GetDeviceError(fwSession);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  CK_ULONG len;
+  NSSItem buf;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  len = nssCKFWSession_GetOperationStateLen(fwSession, &error);
+  if( ((CK_ULONG)0 == len) && (CKR_OK != error) ) {
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
+    *pulOperationStateLen = len;
+    return CKR_OK;
+  }
+
+  if( *pulOperationStateLen < len ) {
+    *pulOperationStateLen = len;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  buf.size = (PRUint32)*pulOperationStateLen;
+  buf.data = (void *)pOperationState;
+  *pulOperationStateLen = len;
+  error = nssCKFWSession_GetOperationState(fwSession, &buf);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_STATE_UNSAVEABLE:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_SetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *eKey;
+  NSSCKFWObject *aKey;
+  NSSItem state;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /* 
+   * We could loop through the buffer, to catch any purify errors
+   * in a place with a "user error" note.
+   */
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE)0 == hEncryptionKey ) {
+    eKey = (NSSCKFWObject *)NULL;
+  } else {
+    eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
+    if( (NSSCKFWObject *)NULL == eKey ) {
+      error = CKR_KEY_HANDLE_INVALID;
+      goto loser;
+    }
+  }
+
+  if( (CK_OBJECT_HANDLE)0 == hAuthenticationKey ) {
+    aKey = (NSSCKFWObject *)NULL;
+  } else {
+    aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
+    if( (NSSCKFWObject *)NULL == aKey ) {
+      error = CKR_KEY_HANDLE_INVALID;
+      goto loser;
+    }
+  }
+
+  error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_CHANGED:
+  case CKR_KEY_NEEDED:
+  case CKR_KEY_NOT_NEEDED:
+  case CKR_SAVED_STATE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Login
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Login
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem pin, *arg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
+    arg = (NSSItem *)NULL;
+  } else {
+    arg = &pin;
+    pin.size = (PRUint32)ulPinLen;
+    pin.data = (void *)pPin;
+  }
+
+  error = nssCKFWSession_Login(fwSession, userType, arg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_EXPIRED:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY_EXISTS:
+  case CKR_USER_ALREADY_LOGGED_IN:
+  case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
+  case CKR_USER_PIN_NOT_INITIALIZED:
+  case CKR_USER_TOO_MANY_TYPES:
+  case CKR_USER_TYPE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Logout
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Logout
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Logout(fwSession);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CreateObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CreateObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phObject = (CK_OBJECT_HANDLE)0;
+
+  fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
+               ulCount, &error);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    goto loser;
+  }
+
+  *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+  if( (CK_OBJECT_HANDLE)0 == *phObject ) {
+    nssCKFWObject_Destroy(fwObject);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CopyObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CopyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWObject *fwNewObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phNewObject = (CK_OBJECT_HANDLE)0;
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
+                  pTemplate, ulCount, &error);
+  if( (NSSCKFWObject *)NULL == fwNewObject ) {
+    goto loser;
+  }
+
+  *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance, 
+                   fwNewObject, &error);
+  if( (CK_OBJECT_HANDLE)0 == *phNewObject ) {
+    nssCKFWObject_Destroy(fwNewObject);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_DestroyObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DestroyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
+  nssCKFWObject_Destroy(fwObject);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetObjectSize
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulSize ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *pulSize = (CK_ULONG)0;
+
+  *pulSize = nssCKFWObject_GetObjectSize(fwObject, &error);
+  if( ((CK_ULONG)0 == *pulSize) && (CKR_OK != error) ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_INFORMATION_SENSITIVE:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetAttributeValue
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  CK_BBOOL sensitive = CK_FALSE;
+  CK_BBOOL invalid = CK_FALSE;
+  CK_BBOOL tooSmall = CK_FALSE;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  for( i = 0; i < ulCount; i++ ) {
+    CK_ULONG size = nssCKFWObject_GetAttributeSize(fwObject, 
+                      pTemplate[i].type, &error);
+    if( (CK_ULONG)0 == size ) {
+      switch( error ) {
+      case CKR_ATTRIBUTE_SENSITIVE:
+      case CKR_INFORMATION_SENSITIVE:
+        sensitive = CK_TRUE;
+        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+        continue;
+      case CKR_ATTRIBUTE_TYPE_INVALID:
+        invalid = CK_TRUE;
+        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+        continue;
+      case CKR_OK:
+        break;
+      default:
+        goto loser;
+      }
+    }
+
+    if( (CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue ) {
+      pTemplate[i].ulValueLen = size;
+    } else {
+      NSSItem it, *p;
+
+      if( pTemplate[i].ulValueLen < size ) {
+        tooSmall = CK_TRUE;
+        continue;
+      }
+
+      it.size = (PRUint32)pTemplate[i].ulValueLen;
+      it.data = (void *)pTemplate[i].pValue;
+      p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it, 
+            (NSSArena *)NULL, &error);
+      if( (NSSItem *)NULL == p ) {
+        switch( error ) {
+        case CKR_ATTRIBUTE_SENSITIVE:
+        case CKR_INFORMATION_SENSITIVE:
+          sensitive = CK_TRUE;
+          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+          continue;
+        case CKR_ATTRIBUTE_TYPE_INVALID:
+          invalid = CK_TRUE;
+          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+          continue;
+        default:
+          goto loser;
+        }
+      }
+
+      pTemplate[i].ulValueLen = size;
+    }
+  }
+
+  if( sensitive ) {
+    error = CKR_ATTRIBUTE_SENSITIVE;
+    goto loser;
+  } else if( invalid ) {
+    error = CKR_ATTRIBUTE_TYPE_INVALID;
+    goto loser;
+  } else if( tooSmall ) {
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_SENSITIVE:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+  
+/*
+ * NSSCKFWC_SetAttributeValue
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  for (i=0; i < ulCount; i++) {
+    NSSItem value;
+
+    value.data = pTemplate[i].pValue;
+    value.size = pTemplate[i].ulValueLen;
+
+    error = nssCKFWObject_SetAttribute(fwObject, fwSession, 
+                                       pTemplate[i].type, &value);
+
+    if( CKR_OK != error ) {
+      goto loser;
+    }
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjectsInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjectsInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0) ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) {
+    error = CKR_OPERATION_ACTIVE;
+    goto loser;
+  }
+
+  if( CKR_OPERATION_NOT_INITIALIZED != error ) {
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
+                    pTemplate, ulCount, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    goto loser;
+  }
+
+  error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);
+
+  if( CKR_OK != error ) {
+    nssCKFWFindObjects_Destroy(fwFindObjects);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjects
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjects
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
+  *pulObjectCount = (CK_ULONG)0;
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    goto loser;
+  }
+
+  for( i = 0; i < ulMaxObjectCount; i++ ) {
+    NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
+                                NULL, &error);
+    if( (NSSCKFWObject *)NULL == fwObject ) {
+      break;
+    }
+
+    phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
+    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
+      phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+    }
+    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
+      /* This isn't right either, is it? */
+      nssCKFWObject_Destroy(fwObject);
+      goto loser;
+    }
+  }
+
+  *pulObjectCount = i;
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjectsFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjectsFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+  
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    error = CKR_OPERATION_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nssCKFWFindObjects_Destroy(fwFindObjects);
+  error = nssCKFWSession_SetFWFindObjects(fwSession, 
+                                          (NSSCKFWFindObjects *)NULL);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_EncryptInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_EncryptInit(fwMechanism, pMechanism,
+                                        fwSession, fwObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_Encrypt
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Encrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_Encrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_INVALID:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_CLOSED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_EncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Update(fwSession,
+           NSSCKFWCryptoOperationType_Encrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_EncryptFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Final(fwSession,
+           NSSCKFWCryptoOperationType_Encrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pLastEncryptedPart, pulLastEncryptedPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DecryptInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_DecryptInit(fwMechanism, pMechanism, 
+                                       fwSession, fwObject);
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_Decrypt
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Decrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_Decrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_ENCRYPTED_DATA_INVALID:
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  case CKR_DATA_LEN_RANGE:
+    error = CKR_ENCRYPTED_DATA_LEN_RANGE;
+    break;
+  case CKR_DATA_INVALID:
+    error = CKR_ENCRYPTED_DATA_INVALID;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DecryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Update(fwSession,
+           NSSCKFWCryptoOperationType_Decrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_ENCRYPTED_DATA_INVALID:
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  case CKR_DATA_LEN_RANGE:
+    error = CKR_ENCRYPTED_DATA_LEN_RANGE;
+    break;
+  case CKR_DATA_INVALID:
+    error = CKR_ENCRYPTED_DATA_INVALID;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DecryptFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Final(fwSession,
+           NSSCKFWCryptoOperationType_Decrypt, 
+           NSSCKFWCryptoOperationState_EncryptDecrypt,
+           pLastPart, pulLastPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_ENCRYPTED_DATA_INVALID:
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  case CKR_DATA_LEN_RANGE:
+    error = CKR_ENCRYPTED_DATA_LEN_RANGE;
+    break;
+  case CKR_DATA_INVALID:
+    error = CKR_ENCRYPTED_DATA_INVALID;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DigestInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_DigestInit(fwMechanism, pMechanism, fwSession);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_Digest
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Digest
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_Digest, 
+           NSSCKFWCryptoOperationState_Digest,
+           pData, ulDataLen, pDigest, pulDigestLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DigestUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_DigestUpdate(fwSession,
+           NSSCKFWCryptoOperationType_Digest, 
+           NSSCKFWCryptoOperationState_Digest,
+           pData, ulDataLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DigestKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_DigestKey(fwSession, fwObject);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_INDIGESTIBLE:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DigestFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Final(fwSession,
+           NSSCKFWCryptoOperationType_Digest, 
+           NSSCKFWCryptoOperationState_Digest,
+           pDigest, pulDigestLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_SignInit(fwMechanism, pMechanism, fwSession, 
+                                    fwObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_Sign
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Sign
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_Sign, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pData, ulDataLen, pSignature, pulSignatureLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_INVALID:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+  case CKR_FUNCTION_REJECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_DigestUpdate(fwSession,
+           NSSCKFWCryptoOperationType_Sign, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pPart, ulPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Final(fwSession,
+           NSSCKFWCryptoOperationType_Sign, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pSignature, pulSignatureLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+  case CKR_FUNCTION_REJECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignRecoverInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_SignRecoverInit(fwMechanism, pMechanism, fwSession, 
+                                           fwObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignRecover
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_SignRecover, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pData, ulDataLen, pSignature, pulSignatureLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_INVALID:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_VerifyInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_VerifyInit(fwMechanism, pMechanism, fwSession,
+                                      fwObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_Verify
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Verify
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_Verify, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pData, ulDataLen, pSignature, &ulSignatureLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_INVALID:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SIGNATURE_INVALID:
+  case CKR_SIGNATURE_LEN_RANGE:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_VerifyUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_DigestUpdate(fwSession,
+           NSSCKFWCryptoOperationType_Verify, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pPart, ulPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_VerifyFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Final(fwSession,
+           NSSCKFWCryptoOperationType_Verify, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pSignature, &ulSignatureLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SIGNATURE_INVALID:
+  case CKR_SIGNATURE_LEN_RANGE:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_VerifyRecoverInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error = nssCKFWMechanism_VerifyRecoverInit(fwMechanism, pMechanism, 
+                                             fwSession, fwObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_FUNCTION_NOT_PERMITTED:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_CLOSED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_VerifyRecover
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateFinal(fwSession,
+           NSSCKFWCryptoOperationType_VerifyRecover, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pSignature, ulSignatureLen, pData, pulDataLen);
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_INVALID:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SIGNATURE_INVALID:
+  case CKR_SIGNATURE_LEN_RANGE:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DigestEncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateCombo(fwSession,
+           NSSCKFWCryptoOperationType_Encrypt, 
+           NSSCKFWCryptoOperationType_Digest, 
+           NSSCKFWCryptoOperationState_Digest,
+           pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DecryptDigestUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptDigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateCombo(fwSession,
+           NSSCKFWCryptoOperationType_Decrypt, 
+           NSSCKFWCryptoOperationType_Digest, 
+           NSSCKFWCryptoOperationState_Digest,
+           pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_ENCRYPTED_DATA_INVALID:
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  case CKR_DATA_INVALID:
+    error = CKR_ENCRYPTED_DATA_INVALID;
+    break;
+  case CKR_DATA_LEN_RANGE:
+    error = CKR_ENCRYPTED_DATA_LEN_RANGE;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SignEncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateCombo(fwSession,
+           NSSCKFWCryptoOperationType_Encrypt, 
+           NSSCKFWCryptoOperationType_Sign, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DecryptVerifyUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptVerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_UpdateCombo(fwSession,
+           NSSCKFWCryptoOperationType_Decrypt, 
+           NSSCKFWCryptoOperationType_Verify, 
+           NSSCKFWCryptoOperationState_SignVerify,
+           pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DATA_LEN_RANGE:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_ENCRYPTED_DATA_INVALID:
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  case CKR_DATA_INVALID:
+    error = CKR_ENCRYPTED_DATA_INVALID;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_GenerateKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  fwObject = nssCKFWMechanism_GenerateKey(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                pTemplate, 
+                ulCount, 
+                &error);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+  if ((NSSCKFWObject *)NULL == fwObject) {
+    goto loser;
+  }
+  *phKey= nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_GenerateKeyPair
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateKeyPair
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwPrivateKeyObject;
+  NSSCKFWObject *fwPublicKeyObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  error= nssCKFWMechanism_GenerateKeyPair(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                pPublicKeyTemplate, 
+                ulPublicKeyAttributeCount, 
+                pPublicKeyTemplate, 
+                ulPublicKeyAttributeCount, 
+                &fwPublicKeyObject,
+                &fwPrivateKeyObject);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+  *phPublicKey = nssCKFWInstance_CreateObjectHandle(fwInstance, 
+                                                 fwPublicKeyObject, 
+                                                 &error);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+  *phPrivateKey = nssCKFWInstance_CreateObjectHandle(fwInstance, 
+                                                 fwPrivateKeyObject, 
+                                                 &error);
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_DOMAIN_PARAMS_INVALID:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_WrapKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_WrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwKeyObject;
+  NSSCKFWObject *fwWrappingKeyObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+  NSSItem  wrappedKey;
+  CK_ULONG wrappedKeyLength = 0;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
+                                                            hWrappingKey);
+  if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) {
+    error = CKR_WRAPPING_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
+  if( (NSSCKFWObject *)NULL == fwKeyObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  /*
+   * first get the length...
+   */
+  wrappedKeyLength = nssCKFWMechanism_GetWrapKeyLength(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                fwWrappingKeyObject,
+                fwKeyObject,
+                &error);
+  if ((CK_ULONG) 0 == wrappedKeyLength) {
+    nssCKFWMechanism_Destroy(fwMechanism);
+    goto loser;
+  }
+  if ((CK_BYTE_PTR)NULL == pWrappedKey) {
+    *pulWrappedKeyLen = wrappedKeyLength;
+    nssCKFWMechanism_Destroy(fwMechanism);
+    return CKR_OK;
+  }
+  if (wrappedKeyLength > *pulWrappedKeyLen) {
+    *pulWrappedKeyLen = wrappedKeyLength;
+    nssCKFWMechanism_Destroy(fwMechanism);
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+    
+
+  wrappedKey.data = pWrappedKey;
+  wrappedKey.size = wrappedKeyLength;
+
+  error = nssCKFWMechanism_WrapKey(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                fwWrappingKeyObject,
+                fwKeyObject,
+                &wrappedKey);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+  *pulWrappedKeyLen = wrappedKey.size;
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_NOT_WRAPPABLE:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_UNEXTRACTABLE:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_WRAPPING_KEY_HANDLE_INVALID:
+  case CKR_WRAPPING_KEY_SIZE_RANGE:
+  case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
+    break;
+  case CKR_KEY_TYPE_INCONSISTENT:
+    error = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_UnwrapKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_UnwrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWObject *fwWrappingKeyObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+  NSSItem  wrappedKey;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
+                                                            hUnwrappingKey);
+  if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) {
+    error = CKR_WRAPPING_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  wrappedKey.data = pWrappedKey;
+  wrappedKey.size = ulWrappedKeyLen;
+
+  fwObject = nssCKFWMechanism_UnwrapKey(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                fwWrappingKeyObject,
+                &wrappedKey,
+                pTemplate, 
+                ulAttributeCount, 
+                &error);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+  if ((NSSCKFWObject *)NULL == fwObject) {
+    goto loser;
+  }
+  *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_DOMAIN_PARAMS_INVALID:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
+  case CKR_UNWRAPPING_KEY_SIZE_RANGE:
+  case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
+  case CKR_USER_NOT_LOGGED_IN:
+  case CKR_WRAPPED_KEY_INVALID:
+  case CKR_WRAPPED_KEY_LEN_RANGE:
+    break;
+  case CKR_KEY_HANDLE_INVALID:
+    error = CKR_UNWRAPPING_KEY_HANDLE_INVALID;
+    break;
+  case CKR_KEY_SIZE_RANGE:
+    error = CKR_UNWRAPPING_KEY_SIZE_RANGE;
+    break;
+  case CKR_KEY_TYPE_INCONSISTENT:
+    error = CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT;
+    break;
+  case CKR_ENCRYPTED_DATA_INVALID:
+    error = CKR_WRAPPED_KEY_INVALID;
+    break;
+  case CKR_ENCRYPTED_DATA_LEN_RANGE:
+    error = CKR_WRAPPED_KEY_LEN_RANGE;
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_DeriveKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DeriveKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWObject *fwBaseKeyObject;
+  NSSCKFWSlot  *fwSlot;
+  NSSCKFWToken  *fwToken;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwBaseKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hBaseKey);
+  if( (NSSCKFWObject *)NULL == fwBaseKeyObject ) {
+    error = CKR_KEY_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR; /* should never happen! */
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  fwObject = nssCKFWMechanism_DeriveKey(
+                fwMechanism, 
+                pMechanism, 
+                fwSession, 
+                fwBaseKeyObject,
+                pTemplate, 
+                ulAttributeCount, 
+                &error);
+
+  nssCKFWMechanism_Destroy(fwMechanism);
+  if ((NSSCKFWObject *)NULL == fwObject) {
+    goto loser;
+  }
+  *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+
+  if (CKR_OK == error) {
+    return CKR_OK;
+  }
+
+loser:
+  /* verify error */
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_DEVICE_REMOVED:
+  case CKR_DOMAIN_PARAMS_INVALID:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_HANDLE_INVALID:
+  case CKR_KEY_SIZE_RANGE:
+  case CKR_KEY_TYPE_INCONSISTENT:
+  case CKR_MECHANISM_INVALID:
+  case CKR_MECHANISM_PARAM_INVALID:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_PIN_EXPIRED:
+  case CKR_SESSION_CLOSED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+  return error;
+}
+
+/*
+ * NSSCKFWC_SeedRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SeedRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem seed;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pSeed ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /* We could read through the buffer in a Purify trap */
+
+  seed.size = (PRUint32)ulSeedLen;
+  seed.data = (void *)pSeed;
+
+  error = nssCKFWSession_SeedRandom(fwSession, &seed);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_RANDOM_SEED_NOT_SUPPORTED:
+  case CKR_RANDOM_NO_RNG:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GenerateRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pRandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem buffer;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pRandomData ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pRandomData, 0, ulRandomLen);
+
+  buffer.size = (PRUint32)ulRandomLen;
+  buffer.data = (void *)pRandomData;
+
+  error = nssCKFWSession_GetRandom(fwSession, &buffer);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_RANDOM_NO_RNG:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetFunctionStatus
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetFunctionStatus
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/*
+ * NSSCKFWC_CancelFunction
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CancelFunction
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
diff --git a/security/nss/lib/crmf/Makefile b/security/nss/lib/crmf/Makefile
new file mode 100644
index 000000000..2f09fd1b7
--- /dev/null
+++ b/security/nss/lib/crmf/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+export:: private_export
diff --git a/security/nss/lib/crmf/asn1cmn.c b/security/nss/lib/crmf/asn1cmn.c
new file mode 100644
index 000000000..8cebff016
--- /dev/null
+++ b/security/nss/lib/crmf/asn1cmn.c
@@ -0,0 +1,252 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
+
+static const SEC_ASN1Template CMMFCertResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertResponse)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFCertResponse, certReqId)},
+    { SEC_ASN1_INLINE, offsetof(CMMFCertResponse, status), 
+      CMMFPKIStatusInfoTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER, 
+      offsetof(CMMFCertResponse, certifiedKeyPair),
+      CMMFCertifiedKeyPairTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CMMFCertOrEncCertTemplate[] = {
+    { SEC_ASN1_ANY, offsetof(CMMFCertOrEncCert, derValue), NULL, 
+      sizeof(CMMFCertOrEncCert)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertifiedKeyPair)},
+    { SEC_ASN1_INLINE, offsetof(CMMFCertifiedKeyPair, certOrEncCert),
+      CMMFCertOrEncCertTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
+      offsetof(CMMFCertifiedKeyPair, privateKey),
+      CRMFEncryptedValueTemplate},
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 1,
+      offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPKIStatusInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFPKIStatusInfo)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFPKIStatusInfo, status)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTF8_STRING, 
+      offsetof(CMMFPKIStatusInfo, statusString)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING, 
+      offsetof(CMMFPKIStatusInfo, failInfo)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFSequenceOfCertsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF| SEC_ASN1_XTRN, 0, 
+			SEC_ASN1_SUB(SEC_SignedCertificateTemplate)}
+};
+
+const SEC_ASN1Template CMMFRandTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFRand)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFRand, integer)},
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFRand, senderHash)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 
+      offsetof(CMMFPOPODecKeyRespContent, responses),
+      SEC_ASN1_SUB(SEC_IntegerTemplate), 
+      sizeof(CMMFPOPODecKeyRespContent)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      0,
+      CRMFEncryptedValueTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      0,
+      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertRepContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertRepContent)},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
+      SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      offsetof(CMMFCertRepContent, caPubs),
+      CMMFSequenceOfCertsTemplate },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFCertRepContent, response),
+      CMMFCertResponseTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CMMFChallengeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFChallenge)},
+    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN, 
+      offsetof(CMMFChallenge, owf),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, witness) },
+    { SEC_ASN1_ANY, offsetof(CMMFChallenge, senderDER) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, key) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, challenge) },
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,offsetof(CMMFPOPODecKeyChallContent, challenges),
+      CMMFChallengeTemplate, sizeof(CMMFPOPODecKeyChallContent) },
+    { 0 }
+};
+
+SECStatus
+cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
+				  CERTCertDBHandle *db,
+				  CMMFCertResponse *inCertResp)
+{
+    SECStatus rv = SECSuccess;
+  
+    if (inCertResp->certifiedKeyPair != NULL) {
+        rv = cmmf_decode_process_certified_key_pair(poolp, 
+						    db,
+						inCertResp->certifiedKeyPair);
+    }
+    return rv;
+}
+
+static CERTCertificate*
+cmmf_DecodeDERCertificate(CERTCertDBHandle *db, SECItem *derCert)
+{
+    CERTCertificate *newCert;
+
+    newCert = CERT_NewTempCertificate(db, derCert, NULL, PR_FALSE, PR_TRUE);
+    return newCert;
+}
+
+static CMMFCertOrEncCertChoice
+cmmf_get_certorenccertchoice_from_der(SECItem *der)
+{
+    CMMFCertOrEncCertChoice retChoice; 
+
+    switch(der->data[0] & 0x0f) {
+    case 0:
+        retChoice = cmmfCertificate;
+	break;
+    case 1:
+        retChoice = cmmfEncryptedCert;
+	break;
+    default:
+        retChoice = cmmfNoCertOrEncCert;
+	break;
+    }
+    return retChoice;
+}
+
+static SECStatus
+cmmf_decode_process_certorenccert(PRArenaPool       *poolp,
+				  CERTCertDBHandle  *db,
+				  CMMFCertOrEncCert *inCertOrEncCert)
+{
+    SECStatus rv = SECSuccess;
+
+    inCertOrEncCert->choice = 
+        cmmf_get_certorenccertchoice_from_der(&inCertOrEncCert->derValue);
+
+    switch (inCertOrEncCert->choice) {
+    case cmmfCertificate:
+        {
+	    /* The DER has implicit tagging, so we gotta switch it to 
+	     * un-tagged in order for the ASN1 parser to understand it.
+	     * Saving the bits that were changed.
+	     */ 
+	    inCertOrEncCert->derValue.data[0] = 0x30;
+	    inCertOrEncCert->cert.certificate = 
+	        cmmf_DecodeDERCertificate(db, &inCertOrEncCert->derValue);
+	    if (inCertOrEncCert->cert.certificate == NULL) {
+	        rv = SECFailure;
+	    }
+	
+	}
+	break;
+    case cmmfEncryptedCert:
+	PORT_Assert(poolp);
+	if (!poolp) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	    break;
+	}
+        inCertOrEncCert->cert.encryptedCert =
+	    PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (inCertOrEncCert->cert.encryptedCert == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	rv = SEC_ASN1Decode(poolp, inCertOrEncCert->cert.encryptedCert, 
+			    CMMFCertOrEncCertEncryptedCertTemplate, 
+			    (const char*)inCertOrEncCert->derValue.data,
+			    inCertOrEncCert->derValue.len);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
+				       CERTCertDBHandle     *db,
+				       CMMFCertifiedKeyPair *inCertKeyPair)
+{
+    return cmmf_decode_process_certorenccert (poolp,
+					      db,
+					      &inCertKeyPair->certOrEncCert);
+}
+
+
diff --git a/security/nss/lib/crmf/challcli.c b/security/nss/lib/crmf/challcli.c
new file mode 100644
index 000000000..a567452d5
--- /dev/null
+++ b/security/nss/lib/crmf/challcli.c
@@ -0,0 +1,274 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secder.h"
+#include "sechash.h"
+
+CMMFPOPODecKeyChallContent*
+CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len)
+{
+    PRArenaPool                *poolp;
+    CMMFPOPODecKeyChallContent *challContent;
+    SECStatus                   rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
+    if (challContent == NULL) {
+        goto loser;
+    }
+    challContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, challContent, 
+			CMMFPOPODecKeyChallContentTemplate, buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (challContent->challenges) {
+      while (challContent->challenges[challContent->numChallenges] != NULL) {
+	  challContent->numChallenges++;
+      }
+      challContent->numAllocated = challContent->numChallenges;
+    }
+    return challContent;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+int
+CMMF_POPODecKeyChallContentGetNumChallenges 
+                              (CMMFPOPODecKeyChallContent *inKeyChallCont)
+{
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL) {
+        return 0;
+    }
+    return inKeyChallCont->numChallenges;
+}
+
+SECItem* 
+CMMF_POPODecKeyChallContentGetPublicValue
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                         inIndex)
+{
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL || (inIndex > inKeyChallCont->numChallenges-1)||
+	inIndex < 0) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inKeyChallCont->challenges[inIndex]->key);
+}
+
+static SECAlgorithmID*
+cmmf_get_owf(CMMFPOPODecKeyChallContent *inChalCont, 
+	     int                         inIndex)
+{
+   int i;
+   
+   for (i=inIndex; i >= 0; i--) {
+       if (inChalCont->challenges[i]->owf != NULL) {
+	   return inChalCont->challenges[i]->owf;
+       }
+   }
+   return NULL;
+}
+
+SECStatus 
+CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
+					 int                         inIndex,
+					 SECKEYPrivateKey           *inPrivKey)
+{
+    CMMFChallenge  *challenge;
+    SECItem        *decryptedRand=NULL;
+    PRArenaPool    *poolp  = NULL;
+    SECAlgorithmID *owf;
+    SECStatus       rv     = SECFailure;
+    SECOidTag       tag;
+    CMMFRand        randStr;
+    SECItem         hashItem;
+    unsigned char   hash[HASH_LENGTH_MAX]; 
+
+    PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
+    if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
+	|| inPrivKey == NULL){
+        return SECFailure;
+    }
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+
+    challenge = inChalCont->challenges[inIndex];
+    decryptedRand = SECITEM_AllocItem(poolp, NULL, challenge->challenge.len);
+    if (decryptedRand == NULL) {
+        goto loser;
+    }
+    rv = PK11_PrivDecryptPKCS1(inPrivKey, decryptedRand->data, 
+    			&decryptedRand->len, decryptedRand->len, 
+			challenge->challenge.data, challenge->challenge.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(poolp, &randStr, CMMFRandTemplate,
+			    decryptedRand); 
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECFailure; /* Just so that when we do go to loser,
+		      * I won't have to set it again.
+		      */
+    owf = cmmf_get_owf(inChalCont, inIndex);
+    if (owf == NULL) {
+        /* No hashing algorithm came with the challenges.  Can't verify */
+        goto loser;
+    }
+    /* Verify the hashes in the challenge */
+    tag = SECOID_FindOIDTag(&owf->algorithm);
+    hashItem.len = HASH_ResultLenByOidTag(tag);
+    if (!hashItem.len)
+        goto loser;	/* error code has been set */
+
+    rv = PK11_HashBuf(tag, hash, randStr.integer.data, randStr.integer.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    hashItem.data = hash;
+    if (SECITEM_CompareItem(&hashItem, &challenge->witness) != SECEqual) {
+        /* The hash for the data we decrypted doesn't match the hash provided
+	 * in the challenge.  Bail out.
+	 */
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+        rv = SECFailure;
+	goto loser;
+    }
+    rv = PK11_HashBuf(tag, hash, challenge->senderDER.data, 
+		      challenge->senderDER.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (SECITEM_CompareItem(&hashItem, &randStr.senderHash) != SECEqual) {
+        /* The hash for the data we decrypted doesn't match the hash provided
+	 * in the challenge.  Bail out.
+	 */
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+        rv = SECFailure;
+	goto loser;
+    }
+    /* All of the hashes have verified, so we can now store the integer away.*/
+    rv = SECITEM_CopyItem(inChalCont->poolp, &challenge->randomNumber,
+			  &randStr.integer);
+ loser:
+    if (poolp) {
+    	PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_POPODecKeyChallContentGetRandomNumber
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                          inIndex,
+				    long                        *inDest)
+{
+    CMMFChallenge *challenge;
+    
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >= 
+	inKeyChallCont->numChallenges) {
+        return SECFailure;
+    }
+    challenge = inKeyChallCont->challenges[inIndex];
+    if (challenge->randomNumber.data == NULL) {
+        /* There is no random number here, nothing to see. */
+        return SECFailure;
+    }
+    *inDest = DER_GetInteger(&challenge->randomNumber);
+    return (*inDest == -1) ? SECFailure : SECSuccess;
+}
+
+SECStatus 
+CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
+				 int                       inNumRand,
+				 CRMFEncoderOutputCallback inCallback,
+				 void                     *inArg)
+{
+    PRArenaPool *poolp;
+    CMMFPOPODecKeyRespContent *response;
+    SECItem *currItem;
+    SECStatus rv=SECFailure;
+    int i;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return SECFailure;
+    }
+    response = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
+    if (response == NULL) {
+        goto loser;
+    }
+    response->responses = PORT_ArenaZNewArray(poolp, SECItem*, inNumRand+1);
+    if (response->responses == NULL) {
+        goto loser;
+    }
+    for (i=0; i<inNumRand; i++) {
+        currItem = response->responses[i] = PORT_ArenaZNew(poolp,SECItem);
+	if (currItem == NULL) {
+	    goto loser;
+	}
+	currItem = SEC_ASN1EncodeInteger(poolp, currItem, inDecodedRand[i]);
+	if (currItem == NULL) {
+	    goto loser;
+	}
+    }
+    rv = cmmf_user_encode(response, inCallback, inArg,
+			  CMMFPOPODecKeyRespContentTemplate);
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h
new file mode 100644
index 000000000..fdaa850fc
--- /dev/null
+++ b/security/nss/lib/crmf/cmmf.h
@@ -0,0 +1,1122 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CMMF_H_
+#define _CMMF_H_
+/*
+ * These are the functions exported by the security library for 
+ * implementing Certificate Management Message Formats (CMMF).
+ *
+ * This API is designed against July 1998 CMMF draft.  Please read this
+ * draft before trying to use this API in an application that use CMMF.
+ */
+#include "seccomon.h"
+#include "cmmft.h"
+#include "crmf.h"
+
+SEC_BEGIN_PROTOS
+
+/******************* Creation Functions *************************/
+
+/*
+ * FUNCTION: CMMF_CreateCertRepContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function will create an empty CMMFCertRepContent Structure.  
+ *    The client of the library must set the CMMFCertResponses.
+ *    Call CMMF_CertRepContentSetCertResponse to accomplish this task.
+ *    If the client of the library also wants to include the chain of 
+ *    CA certs required to make the certificates in CMMFCertResponse valid, 
+ *    then the user must also set the caPubs field of CMMFCertRepContent.
+ *    Call CMMF_CertRepContentSetCAPubs to accomplish this.  After setting
+ *    the desired fields, the user can then call CMMF_EncodeCertRepContent 
+ *    to DER-encode the CertRepContent.
+ * RETURN:
+ *    A pointer to the CMMFCertRepContent.  A NULL return value indicates 
+ *    an error in allocating memory or failure to initialize the structure.
+ */
+extern CMMFCertRepContent* CMMF_CreateCertRepContent(void);
+
+/*
+ * FUNCTION: CMMF_CreateCertRepContentFromDER
+ * INPUTS
+ *    db
+ *        The certificate database where the certificates will be placed.
+ *        The certificates will be placed in the temporary database associated
+ *        with the handle. 
+ *    buf
+ *        A buffer to the DER-encoded CMMFCertRepContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ *    This function passes the buffer to the ASN1 decoder and creates a
+ *    CMMFCertRepContent structure.  The user must call 
+ *    CMMF_DestroyCertRepContent after the return value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the CMMFCertRepContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFCertRepContent* 
+       CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, 
+					const char       *buf, 
+					long              len);
+
+/*
+ * FUNCTION: CMMF_CreateCertResponse
+ * INPUTS:
+ *    inCertReqId
+ *        The Certificate Request Id this response is for.
+ * NOTES:
+ *    This creates a CMMFCertResponse.  This response should correspond
+ *    to a request that was received via CRMF.  From the CRMF message you
+ *    can get the Request Id to pass in as inCertReqId, in essence binding 
+ *    a CMRFCertRequest message to the CMMFCertResponse created by this
+ *    function.  If no requuest id is associated with the response to create
+ *    then the user should pass in -1 for 'inCertReqId'.
+ *
+ * RETURN:
+ *    A pointer to the new CMMFCertResponse corresponding to the request id 
+ *    passed in.  A NULL return value indicates an error while trying to 
+ *    create the CMMFCertResponse.
+ */
+extern CMMFCertResponse* CMMF_CreateCertResponse(long inCertReqId);
+
+/*
+ * FUNCTION: CMMF_CreateKeyRecRepContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function creates a new empty CMMFKeyRecRepContent structure.
+ *    At the very minimum, the user  must call 
+ *    CMMF_KeyRecRepContentSetPKIStatusInfoStatus field to have an
+ *    encodable structure.  Depending on what the response is, the user may
+ *    have to set other fields as well to properly build up the structure so
+ *    that it can be encoded.  Refer to the CMMF draft for how to properly
+ *    set up a CMMFKeyRecRepContent. This is the structure that an RA returns
+ *    to an end entity when doing key recovery.
+
+ *    The user must call CMMF_DestroyKeyRecRepContent when the return value
+ *    is no longer needed.
+ * RETURN:
+ *    A pointer to the empty CMMFKeyRecRepContent.  A return value of NULL
+ *    indicates an error in allocating memory or initializing the structure.
+ */
+extern CMMFKeyRecRepContent *CMMF_CreateKeyRecRepContent(void);
+
+/*
+ * FUNCTION: CMMF_CreateKeyRecRepContentFromDER
+ * INPUTS:
+ *    db
+ *        The handle for the certificate database where the decoded 
+ *        certificates will be placed.  The decoded certificates will
+ *        be placed in the temporary database associated with the 
+ *        handle.
+ *    buf
+ *        A buffer contatining the DER-encoded CMMFKeyRecRepContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES
+ *    This function passes the buffer to the ASN1 decoder and creates a 
+ *    CMMFKeyRecRepContent structure.
+ *
+ * RETURN:
+ *    A pointer to the CMMFKeyRecRepContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFKeyRecRepContent* 
+       CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db,
+					  const char       *buf,
+					  long              len);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyChallContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function creates an empty CMMFPOPODecKeyChallContent.  The user
+ *    must add the challenges individually specifying the random number to
+ *    be used and the public key to be used when creating each individual 
+ *    challenge.  User can accomplish this by calling the function 
+ *    CMMF_POPODecKeyChallContentSetNextChallenge.
+ * RETURN:
+ *    A pointer to a CMMFPOPODecKeyChallContent structure.  Ther user can
+ *    then call CMMF_EncodePOPODecKeyChallContent passing in the return
+ *    value from this function after setting all of the challenges.  A 
+ *    return value of NULL indicates an error while creating the 
+ *    CMMFPOPODecKeyChallContent structure.
+ */
+extern CMMFPOPODecKeyChallContent*
+       CMMF_CreatePOPODecKeyChallContent(void);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyChallContentFromDER
+ * INPUTS
+ *    buf
+ *        A buffer containing the DER-encoded CMMFPOPODecKeyChallContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ *    This function passes the buffer to the ASN1 decoder and creates a
+ *    CMMFPOPODecKeyChallContent structure.  
+ *
+ * RETURN:
+ *    A pointer to the CMMFPOPODecKeyChallContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFPOPODecKeyChallContent*
+       CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyRespContentFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer contatining the DER-encoded CMMFPOPODecKeyRespContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES
+ *    This function passes the buffer to the ASN1 decoder and creates a 
+ *    CMMFPOPODecKeyRespContent structure.
+ *
+ * RETURN:
+ *    A pointer to the CMMFPOPODecKeyRespContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFPOPODecKeyRespContent*
+       CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len);
+
+/************************** Set Functions *************************/
+
+/*
+ * FUNCTION: CMMF_CertRepContentSetCertResponses
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inCertResponses
+ *        An array of pointers to CMMFCertResponse structures to 
+ *        add to the CMMFCertRepContent structure.
+ *    inNumResponses
+ *        The length of the array 'inCertResponses'
+ * NOTES:
+ *    This function will add the CMMFCertResponse structure to the 
+ *    CMMFCertRepContent passed in.  The CMMFCertResponse field of 
+ *    CMMFCertRepContent is required, so the client must call this function
+ *    before calling CMMF_EncodeCertRepContent.  If the user calls 
+ *    CMMF_EncodeCertRepContent before calling this function, 
+ *    CMMF_EncodeCertRepContent will fail.
+ *
+ * RETURN:
+ *    SECSuccess if adding the CMMFCertResponses to the CMMFCertRepContent
+ *    structure was successful.  Any other return value indicates an error
+ *    while trying to add the CMMFCertResponses.
+ */
+extern SECStatus 
+      CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
+					  CMMFCertResponse  **inCertResponses,
+					  int                 inNumResponses);
+
+/*
+ * FUNCTION: CMMF_CertRepContentSetCAPubs
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inCAPubs
+ *        The certificate list which makes up the chain of CA certificates
+ *        required to make the issued cert valid.
+ * NOTES:
+ *    This function will set the the certificates in the CA chain as part
+ *    of the CMMFCertRepContent.  This field is an optional member of the 
+ *    CMMFCertRepContent structure, so the client is not required to call
+ *    this function before calling CMMF_EncodeCertRepContent.
+ *
+ * RETURN:
+ *    SECSuccess if adding the 'inCAPubs' to the CERTRepContent was successful.
+ *    Any other return value indicates an error while adding 'inCAPubs' to the 
+ *    CMMFCertRepContent structure.
+ * 
+ */
+extern SECStatus 
+       CMMF_CertRepContentSetCAPubs (CMMFCertRepContent  *inCertRepContent,
+				     CERTCertList        *inCAPubs);
+
+/*
+ * FUNCTION: CMMF_CertResponseSetPKIStatusInfoStatus
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ *     inPKIStatus
+ *        The value to set for the PKIStatusInfo.status field.
+ * NOTES:
+ *    This function will set the CertResponse.status.status field of 
+ *    the CMMFCertResponse structure.  (View the definition of CertResponse
+ *    in the CMMF draft to see exactly which value this talks about.)  This
+ *    field is a required member of the structure, so the user must call this
+ *    function in order to have a CMMFCertResponse that can be encoded.
+ *
+ * RETURN:
+ *    SECSuccess if setting the field with the passed in value was successful.
+ *    Any other return value indicates an error while trying to set the field.
+ */
+extern SECStatus 
+     CMMF_CertResponseSetPKIStatusInfoStatus (CMMFCertResponse *inCertResp,
+					      CMMFPKIStatus     inPKIStatus);
+
+/*
+ * FUNCTION: CMMF_CertResponseSetCertificate
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ *    inCertificate
+ *        The certificate to add to the 
+ *        CertResponse.CertifiedKeyPair.certOrEncCert.certificate field.
+ * NOTES:
+ *    This function will take the certificate and make it a member of the
+ *    CMMFCertResponse.  The certificate should be the actual certificate
+ *    being issued via the response.
+ *
+ * RETURN:
+ *    SECSuccess if adding the certificate to the response was successful.
+ *    Any other return value indicates an error in adding the certificate to
+ *    the CertResponse.
+ */
+extern SECStatus 
+       CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
+					CERTCertificate  *inCertificate);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetPKIStatusInfoStatus
+ * INPUTS: 
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inPKIStatus
+ *        The value to set the PKIStatusInfo.status field to.
+ * NOTES:
+ *    This function sets the only required field for the KeyRecRepContent.
+ *    In most cases, the user will set this field and other fields of the
+ *    structure to properly create the CMMFKeyRecRepContent structure.  
+ *    Refer to the CMMF draft to see which fields need to be set in order
+ *    to create the desired CMMFKeyRecRepContent.
+ * 
+ * RETURN:
+ *    SECSuccess if setting the PKIStatusInfo.status field was successful.
+ *    Any other return value indicates an error in setting the field.
+ */
+extern SECStatus 
+CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
+					    CMMFPKIStatus         inPKIStatus);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetNewSignCert
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inNewSignCert
+ *        The new signing cert to add to the CMMFKeyRecRepContent structure.
+ * NOTES:
+ *    This function sets the new signeing cert in the CMMFKeyRecRepContent
+ *    structure.
+ *
+ * RETURN:
+ *    SECSuccess if setting the new signing cert was successful.  Any other 
+ *    return value indicates an error occurred while trying to add the
+ *    new signing certificate.
+ */
+extern SECStatus 
+       CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
+					   CERTCertificate     *inNewSignCert);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetCACerts
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inCACerts
+ *        The list of CA certificates required to construct a valid 
+ *        certificate chain with the certificates that will be returned
+ *        to the end user via this KeyRecRepContent.
+ * NOTES:
+ *    This function sets the caCerts that are required to form a chain with the
+ *    end entity certificates that are being re-issued in this 
+ *    CMMFKeyRecRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if adding the caCerts was successful.  Any other return value
+ *    indicates an error while tring to add the caCerts.
+ */
+extern SECStatus 
+       CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
+				       CERTCertList         *inCACerts);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetCertifiedKeyPair
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inCert
+ *        The certificate to add to the CMMFKeyRecRepContent structure.
+ *    inPrivKey
+ *        The private key associated with the certificate above passed in.
+ *    inPubKey
+ *        The public key to use for wrapping the private key.
+ * NOTES:
+ *    This function adds another certificate-key pair to the 
+ *    CMMFKeyRecRepcontent structure.  There may be more than one 
+ *    certificate-key pair in the structure, so the user must call this 
+ *    function multiple times to add more than one cert-key pair.
+ *
+ * RETURN:
+ *    SECSuccess if adding the certified key pair was successful.  Any other
+ *    return value indicates an error in adding certified key pair to 
+ *    CMMFKeyRecRepContent structure.
+ */
+extern SECStatus 
+    CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
+					     CERTCertificate      *inCert,
+					     SECKEYPrivateKey     *inPrivKey,
+					     SECKEYPublicKey      *inPubKey);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inRandom
+ *        The random number to use when generating the challenge,
+ *    inSender
+ *        The GeneralName representation of the sender of the challenge.
+ *    inPubKey
+ *        The public key to use when encrypting the challenge.
+ *    passwdArg
+ *        This value will be passed to the function used for getting a
+ *        password.  The password for getting a password should be registered
+ *        by calling PK11_SetPasswordFunc before this function is called. 
+ *        If no password callback is registered and the library needs to 
+ *        authenticate to the slot for any reason, this function will fail.
+ * NOTES:
+ *    This function adds a challenge to the end of the list of challenges
+ *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
+ *    the random number passed in and the sender's GeneralName are used
+ *    to generate the challenge and witness fields of the challenge.  This
+ *    library will use SHA1 as the one-way function for generating the 
+ *    witess field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if generating the challenge and adding to the end of list
+ *    of challenges was successful.  Any other return value indicates an error
+ *    while trying to generate the challenge.
+ */
+extern SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				    long                        inRandom,
+				    CERTGeneralName            *inSender,
+				    SECKEYPublicKey            *inPubKey,
+				    void                       *passwdArg);
+
+
+/************************** Encoding Functions *************************/
+
+/*
+ * FUNCTION: CMMF_EncodeCertRepContent
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to DER-encode.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if encoding the CMMFCertRepContent was successful.  Any 
+ *    other return value indicates an error while decoding the structure.
+ */
+extern SECStatus 
+       CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
+				  CRMFEncoderOutputCallback  inCallback,
+				  void                      *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodeKeyRecRepContent
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRepContent to DER-encode.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if encoding the CMMFKeyRecRepContent was successful.  Any 
+ *    other return value indicates an error while decoding the structure.
+ */
+extern SECStatus
+       CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
+				   CRMFEncoderOutputCallback  inCallback,
+				   void                      *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodePOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFDecKeyChallContent to operate on.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback function whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *    The DER will be an encoding of the type POPODecKeyChallContents, which
+ *    is just a sequence of challenges.
+ *
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value indicates
+ *    an error in trying to encode the Challenges.
+ */
+extern SECStatus 
+CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
+				  CRMFEncoderOutputCallback inCallback,
+				  void                     *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodePOPODecKeyRespContent
+ * INPUTS:
+ *    inDecodedRand
+ *        An array of integers to encode as the responses to 
+ *        CMMFPOPODecKeyChallContent.  The integers must be in the same order
+ *        as the challenges extracted from CMMFPOPODecKeyChallContent.
+ *    inNumRand
+ *        The number of random integers contained in the array 'inDecodedRand'
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded  POPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value indicates
+ *    an error in trying to encode the Challenges.
+ */
+extern SECStatus 
+      CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
+				       int                       inNumRand,
+				       CRMFEncoderOutputCallback inCallback,
+				       void                     *inArg); 
+
+/***************  Accessor function  ***********************************/
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetCAPubs
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to extract the caPubs from.
+ * NOTES:
+ *    This function will return a copy of the list of certificates that
+ *    make up the chain of CA's required to make the cert issued valid.
+ *    The user must call CERT_DestroyCertList on the return value when 
+ *    done using the return value.  
+ *
+ *    Only call this function on a CertRepContent that has been decoded.
+ *    The client must call CERT_DestroyCertList when the certificate list
+ *    is no longer needed. 
+ *
+ *    The certs in the list will not be in the temporary database.  In order
+ *    to make these certificates a part of the permanent CA internal database,
+ *    the user must collect the der for all of these certs and call 
+ *    CERT_ImportCAChain.  Afterwards the certs will be part of the permanent
+ *    database.
+ *    
+ * RETURN:
+ *    A pointer to the CERTCertList representing the CA chain associated 
+ *    with the issued cert.  A NULL return value indicates  that no CA Pubs
+ *    were available in the CMMFCertRepContent structure. 
+ */
+extern CERTCertList* 
+       CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent);
+
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetNumResponses
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ * NOTES:
+ *    This function will return the number of CertResponses that are contained
+ *    by the CMMFCertRepContent passed in.
+ * 
+ * RETURN:
+ *    The number of CMMFCertResponses contained in the structure passed in.
+ */
+extern int 
+ CMMF_CertRepContentGetNumResponses (CMMFCertRepContent *inCertRepContent);
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetResponseAtIndex
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inIndex
+ *        The index of the CMMFCertResponse the user wants a copy of.
+ * NOTES:
+ *    This funciton creates a copy of the CMMFCertResponse at the index 
+ *    corresponding to the parameter 'inIndex'.  Indexing is done like a
+ *    traditional C array, ie the valid indexes are (0...numResponses-1).
+ *    The user must call CMMF_DestroyCertResponse after the return value is 
+ *    no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the CMMFCertResponse at the index corresponding to 
+ *    'inIndex'.  A return value of NULL indicates an error in copying 
+ *    the CMMFCertResponse.
+ */
+extern CMMFCertResponse*
+CMMF_CertRepContentGetResponseAtIndex (CMMFCertRepContent *inCertRepContent,
+				       int                 inIndex);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetCertReqId
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ * NOTES:
+ *    This function returns the CertResponse.certReqId from the 
+ *    CMMFCertResponse structure passed in.  If the return value is -1, that
+ *    means there is no associated certificate request with the CertResponse.
+ * RETURN:
+ *    A long representing the id of the certificate request this 
+ *    CMMFCertResponse corresponds to.  A return value of -1 indicates an
+ *    error in extracting the value of the integer.
+ */
+extern long CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetPKIStatusInfoStatus
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ * NOTES:
+ *    This function returns the CertResponse.status.status field of the 
+ *    CMMFCertResponse structure.
+ *
+ * RETURN:
+ *    The enumerated value corresponding to the PKIStatus defined in the CMMF
+ *    draft.  See the CMMF draft for the definition of PKIStatus.  See crmft.h
+ *    for the definition of CMMFPKIStatus.
+ */
+extern CMMFPKIStatus 
+       CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetCertificate
+ * INPUTS:
+ *    inCertResp
+ *        The Certificate Response to operate on.
+ *    inCertdb
+ *        This is the certificate database where the function will place the
+ *        newly issued certificate.
+ * NOTES:
+ *    This function retrieves the CertResponse.certifiedKeyPair.certificate
+ *    from the CMMFCertResponse.  The user will get a copy of that certificate
+ *    so  the user must call CERT_DestroyCertificate when the return value is 
+ *    no longer needed.  The certificate returned will be in the temporary 
+ *    certificate database.
+ *
+ * RETURN:
+ *    A pointer to a copy of the certificate contained within the 
+ *    CMMFCertResponse.  A return value of NULL indicates an error while trying
+ *    to make a copy of the certificate.
+ */
+extern CERTCertificate*
+       CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
+                                       CERTCertDBHandle *inCertdb);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetPKIStatusInfoStatus
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent structure to operate on.
+ * NOTES:
+ *    This function retrieves the KeyRecRepContent.status.status field of 
+ *    the CMMFKeyRecRepContent structure.
+ * RETURN:
+ *    The CMMFPKIStatus corresponding to the value held in the 
+ *    CMMFKeyRecRepContent structure.
+ */
+extern CMMFPKIStatus 
+CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetNewSignCert
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * NOTES:
+ *    This function retrieves the KeyRecRepContent.newSignCert field of the
+ *    CMMFKeyRecRepContent structure.  The user must call 
+ *    CERT_DestroyCertificate when the return value is no longer needed. The
+ *    returned certificate will be in the temporary database.  The user 
+ *    must then place the certificate permanently in whatever token the
+ *    user determines is the proper destination.  A return value of NULL
+ *    indicates the newSigCert field was not present.
+ */
+extern CERTCertificate*
+       CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetCACerts
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * NOTES:
+ *    This function returns a CERTCertList which contains all of the 
+ *    certficates that are in the sequence KeyRecRepContent.caCerts
+ *    User must call CERT_DestroyCertList when the return value is no longer 
+ *    needed.  All of these certificates will be placed in the tempoaray
+ *    database.
+ *
+ * RETURN:
+ *    A pointer to the list of caCerts contained in the CMMFKeyRecRepContent
+ *    structure.  A return value of NULL indicates the library was not able to 
+ *    make a copy of the certifcates.  This may be because there are no caCerts
+ *    included in the CMMFKeyRecRepContent strucure or an internal error.  Call
+ *    CMMF_KeyRecRepContentHasCACerts to find out if there are any caCerts 
+ *    included in 'inKeyRecRep'.
+ */
+extern CERTCertList*
+       CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetNumKeyPairs
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFCertifiedKeyPair structures that
+ *    that are stored in the KeyRecRepContent structure.
+ */
+extern int 
+       CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetCertKeyAtIndex
+ * INPUTS:
+ *    inKeyRecRepContent
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inIndex
+ *        The index of the desired CMMFCertifiedKeyPair
+ * NOTES:
+ *    This function retrieves the CMMFCertifiedKeyPair structure at the index
+ *    'inIndex'.  Valid indexes are 0...(numKeyPairs-1)  The user must call 
+ *    CMMF_DestroyCertifiedKeyPair when the return value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the Certified Key Pair at the desired index.  A return value
+ *    of NULL indicates an error in extracting the Certified Key Pair at the 
+ *    desired index.
+ */
+extern CMMFCertifiedKeyPair*
+      CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
+					     int                   inIndex);
+
+/*
+ * FUNCTION: CMMF_CertifiedKeyPairGetCertificate
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ *    inCertdb
+ *        The database handle for the database you want this certificate
+ *        to wind up in.
+ * NOTES:
+ *    This function retrieves the certificate at 
+ *    CertifiedKeyPair.certOrEncCert.certificate
+ *    The user must call CERT_DestroyCertificate when the return value is no
+ *    longer needed.  The user must import this certificate as a token object
+ *    onto PKCS#11 slot in order to make it a permanent object.  The returned
+ *    certificate will be in the temporary database.
+ * 
+ * RETURN:
+ *    A pointer to the certificate contained within the certified key pair.
+ *    A return value of NULL indicates an error in creating the copy of the 
+ *    certificate.
+ */
+extern CERTCertificate*
+      CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
+					  CERTCertDBHandle     *inCertdb);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFChallenges are contained in 
+ *    the CMMFPOPODecKeyChallContent structure.
+ */
+extern int CMMF_POPODecKeyChallContentGetNumChallenges
+                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetPublicValue
+ * ---------------------------------------------------
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the Challenge within inKeyChallCont to operate on.
+ *        Indexes start from 0, ie the Nth Challenge corresponds to index
+ *        N-1.
+ * NOTES:
+ * This function retrieves the public value stored away in the Challenge at
+ * index inIndex of inKeyChallCont.
+ * RETURN:
+ * A pointer to a SECItem containing the public value.  User must call 
+ * SECITEM_FreeItem on the return value when the value is no longer necessary.
+ * A return value of NULL indicates an error while retrieving the public value.
+ */
+extern SECItem* CMMF_POPODecKeyChallContentGetPublicValue
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                         inIndex);
+
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetRandomNumber
+ * INPUTS:
+ *    inChallContent
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the challenge to look at.  Valid indexes are 0 through
+ *        (CMMF_POPODecKeyChallContentGetNumChallenges(inChallContent) - 1).
+ *    inDest
+ *        A pointer to a user supplied buffer where the library
+ *        can place a copy of the random integer contatained in the
+ *        challenge.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the random integer.  The user must call 
+ *    CMMF_POPODecKeyChallContentDecryptChallenge before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
+ *    decrypted.
+ *
+ * RETURN:
+ *    SECSuccess indicates the witness field has been previously decrypted
+ *    and the value for the random integer was successfully placed at *inDest.
+ *    Any other return value indicates an error and that the value at *inDest
+ *    is not a valid value.
+ */
+extern SECStatus CMMF_POPODecKeyChallContentGetRandomNumber
+                                      (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				       int                          inIndex,
+				       long                        *inDest);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyRespContentGetNumResponses
+ * INPUTS:
+ *    inRespCont
+ *        The POPODecKeyRespContent to operate on.
+ * RETURN:
+ * This function returns the number of responses contained in inRespContent.
+ */
+extern int 
+ CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyRespContentGetResponse
+ * INPUTS:
+ *    inRespCont
+ *        The POPODecKeyRespContent to operate on.
+ *    inIndex
+ *        The index of the response to retrieve.
+ *        The Nth response is at index N-1, ie the 1st response is at index 0,
+ *        the 2nd response is at index 1, and so on.
+ *    inDest
+ *        A pointer to a pre-allocated buffer where the library can put the 
+ *        value of the response located at inIndex.
+ * NOTES:
+ * The function returns the response contained at index inIndex.  
+ * CMMFPOPODecKeyRespContent is a structure that the server will generally 
+ * get in response to a CMMFPOPODecKeyChallContent.  The server will expect
+ * to see the responses in the same order as it constructed them in 
+ * the CMMFPOPODecKeyChallContent structure.
+ * RETURN:
+ * SECSuccess if getting the response at the desired index was successful.  Any
+ * other return value indicates an errror.
+ */
+extern SECStatus
+     CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
+					    int                        inIndex,
+					    long                      *inDest);
+
+/************************* Destructor Functions ******************************/
+
+/*
+ * FUNCTION: CMMF_DestroyCertResponse
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to destroy.
+ * NOTES:
+ *    This function frees all the memory associated with the CMMFCertResponse
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing the memory was successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ */
+extern SECStatus CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_DestroyCertRepContent
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to destroy
+ * NOTES:
+ *    This function frees the memory associated with the CMMFCertRepContent
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with the 
+ *    CMMFCertRepContent passed in is successful.  Any other return value 
+ *    indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyCertRepContent (CMMFCertRepContent *inCertRepContent);
+
+/*
+ * FUNCTION: CMMF_DestroyKeyRecRepContent
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to destroy.
+ * NOTES:
+ *    This function destroys all the memory associated with the 
+ *    CMMFKeyRecRepContent passed in.
+ *
+ * RETURN:
+ *    SECSuccess if freeing all the memory is successful.  Any other return 
+ *    value indicates an error in freeing the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_DestroyCertifiedKeyPair
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ * NOTES: 
+ *    This function frees up all the memory associated with 'inCertKeyPair'
+ *
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with 'inCertKeyPair'
+ *    is successful.  Any other return value indicates an error while trying
+ *    to free the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
+ * INPUTS:
+ *    inDecKeyResp
+ *        The CMMFPOPODecKeyRespContent structure to free.
+ * NOTES:
+ *    This function frees up all the memory associate with the 
+ *    CMMFPOPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associated with the
+ *    CMMFPOPODecKeyRespContent structure is successful.  Any other
+ *    return value indicates an error while freeing the memory.
+ */
+extern SECStatus
+       CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
+
+
+/************************** Miscellaneous Functions *************************/
+ 
+/*
+ * FUNCTION: CMMF_CertifiedKeyPairUnwrapPrivKey
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ *    inPrivKey
+ *        The private key to use to un-wrap the private key
+ *    inNickName
+ *        This is the nickname that will be associated with the private key
+ *        to be unwrapped.
+ *    inSlot
+ *        The PKCS11 slot where the unwrapped private key should end up.
+ *    inCertdb
+ *        The Certificate database with which the new key will be associated.
+ *    destPrivKey
+ *        A pointer to memory where the library can place a pointer to the
+ *        private key after importing the key onto the specified slot.
+ *    wincx
+ *        An opaque pointer that the library will use in a callback function
+ *        to get the password if necessary.
+ *    
+ * NOTES:
+ *    This function uses the private key passed in to unwrap the private key
+ *    contained within the CMMFCertifiedKeyPair structure. After this 
+ *    function successfully returns, the private key has been unwrapped and
+ *    placed in the specified slot. 
+ *
+ * RETURN:
+ *    SECSuccess if unwrapping the private key was successful.  Any other 
+ *    return value indicates an error while trying to un-wrap the private key.
+ */
+extern SECStatus 
+       CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
+					  SECKEYPrivateKey     *inPrivKey,
+					  SECItem              *inNickName,
+					  PK11SlotInfo         *inSlot,
+                                          CERTCertDBHandle     *inCertdb,
+					  SECKEYPrivateKey    **destPrivKey,
+					  void                 *wincx);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentHasCACerts
+ * INPUTS:
+ *    inKeyRecRecp
+ *        The CMMFKeyRecRepContent to operate on.
+ * RETURN:
+ *    This function returns PR_TRUE if there are one or more certificates in 
+ *    the sequence KeyRecRepContent.caCerts within the CMMFKeyRecRepContent
+ *    structure.  The function will return PR_FALSE if there are 0 certificate
+ *    in the above mentioned sequence.
+ */
+extern PRBool 
+       CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContDecryptChallenge
+ * INPUTS:
+ *    inChalCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the Challenge to operate on.  The 1st Challenge is
+ *        at index 0, the second at index 1 and so forth.
+ *    inPrivKey
+ *        The private key to use to decrypt the witness field.
+ * NOTES:
+ *    This function uses the private key to decrypt the challenge field
+ *    contained in the appropriate challenge.  Make sure the private key matches 
+ *    the public key that was used to encrypt the witness.  Use 
+ *    CMMF_POPODecKeyChallContentGetPublicValue to get the public value of
+ *    the key used to encrypt the witness and then use that to determine the
+ *    appropriate private key.  This can be done by calling PK11_MakeIDFromPubKey
+ *    and then passing that return value to PK11_FindKeyByKeyID.  The creator of 
+ *    the challenge will most likely be an RA that has the public key
+ *    from a Cert request.  So the private key should be the private key
+ *    associated with public key in that request.  This function will also
+ *    verify the witness field of the challenge.  This function also verifies
+ *    that the sender and witness hashes match within the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if decrypting the witness field was successful.  This does
+ *    not indicate that the decrypted data is valid, since the private key 
+ *    passed in may not be the actual key needed to properly decrypt the 
+ *    witness field.  Meaning that there is a decrypted structure now, but
+ *    may be garbage because the private key was incorrect.
+ *    Any other return value indicates the function could not complete the
+ *    decryption process.
+ */
+extern SECStatus 
+  CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
+					   int                         inIndex,
+					   SECKEYPrivateKey           *inPrivKey);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyCont
+ *        The CMMFPOPODecKeyChallContent to free
+ * NOTES:
+ *    This function frees up all the memory associated with the 
+ *    CMMFPOPODecKeyChallContent 
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associatd with the 
+ *    CMMFPOPODecKeyChallContent is successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ *
+ */
+extern SECStatus 
+ CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
+
+SEC_END_PROTOS
+#endif /* _CMMF_H_ */
diff --git a/security/nss/lib/crmf/cmmfasn1.c b/security/nss/lib/crmf/cmmfasn1.c
new file mode 100644
index 000000000..8f080f08c
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfasn1.c
@@ -0,0 +1,164 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secasn1.h"
+#include "secitem.h"
+
+SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
+
+static const SEC_ASN1Template CMMFSequenceOfCertifiedKeyPairsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CMMFCertifiedKeyPairTemplate}
+};
+
+static const SEC_ASN1Template CMMFKeyRecRepContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFKeyRecRepContent)},
+    { SEC_ASN1_INLINE, offsetof(CMMFKeyRecRepContent, status), 
+      CMMFPKIStatusInfoTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+		SEC_ASN1_XTRN | 0,
+      offsetof(CMMFKeyRecRepContent, newSigCert),
+      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      offsetof(CMMFKeyRecRepContent, caCerts),
+      CMMFSequenceOfCertsTemplate},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+      offsetof(CMMFKeyRecRepContent, keyPairHist),
+      CMMFSequenceOfCertifiedKeyPairsTemplate},
+    { 0 }
+};
+
+SECStatus
+CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
+			   CRMFEncoderOutputCallback  inCallback,
+			   void                      *inArg)
+{
+    return cmmf_user_encode(inCertRepContent, inCallback, inArg,
+			    CMMFCertRepContentTemplate);
+}
+
+SECStatus
+CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
+				  CRMFEncoderOutputCallback inCallback,
+				  void                     *inArg)
+{
+    return cmmf_user_encode(inDecKeyChall, inCallback, inArg,
+			    CMMFPOPODecKeyChallContentTemplate);
+}
+
+CMMFPOPODecKeyRespContent*
+CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len)
+{
+    PRArenaPool               *poolp;
+    CMMFPOPODecKeyRespContent *decKeyResp;
+    SECStatus                  rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    decKeyResp = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
+    if (decKeyResp == NULL) {
+        goto loser;
+    }
+    decKeyResp->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, decKeyResp, CMMFPOPODecKeyRespContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return decKeyResp;
+    
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
+			    CRMFEncoderOutputCallback  inCallback,
+			    void                      *inArg)
+{
+    return cmmf_user_encode(inKeyRecRep, inCallback, inArg,
+			    CMMFKeyRecRepContentTemplate);
+}
+
+CMMFKeyRecRepContent* 
+CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
+				   long len)
+{
+    PRArenaPool          *poolp;
+    CMMFKeyRecRepContent *keyRecContent;
+    SECStatus             rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
+    if (keyRecContent == NULL) {
+        goto loser;
+    }
+    keyRecContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, keyRecContent, CMMFKeyRecRepContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (keyRecContent->keyPairHist != NULL) {
+        while(keyRecContent->keyPairHist[keyRecContent->numKeyPairs] != NULL) {
+	    rv = cmmf_decode_process_certified_key_pair(poolp, db,
+		       keyRecContent->keyPairHist[keyRecContent->numKeyPairs]);
+	    if (rv != SECSuccess) {
+	        goto loser;
+	    }
+	    keyRecContent->numKeyPairs++;
+	}
+	keyRecContent->allocKeyPairs = keyRecContent->numKeyPairs;
+    }
+    keyRecContent->isDecoded = PR_TRUE;
+    return keyRecContent;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
diff --git a/security/nss/lib/crmf/cmmfchal.c b/security/nss/lib/crmf/cmmfchal.c
new file mode 100644
index 000000000..8d2149b6d
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfchal.c
@@ -0,0 +1,322 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "sechash.h"
+#include "genname.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "secitem.h"
+#include "secmod.h"
+#include "keyhi.h"
+
+static int
+cmmf_create_witness_and_challenge(PRArenaPool     *poolp,
+				  CMMFChallenge   *challenge,
+				  long             inRandom,
+				  SECItem         *senderDER,
+				  SECKEYPublicKey *inPubKey,
+				  void            *passwdArg)
+{
+    SECItem       *encodedRandNum;
+    SECItem        encodedRandStr = {siBuffer, NULL, 0};
+    SECItem       *dummy;
+    unsigned char *randHash, *senderHash, *encChal=NULL;
+    unsigned       modulusLen = 0;
+    SECStatus      rv = SECFailure;
+    CMMFRand       randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
+    PK11SlotInfo  *slot;
+    PK11SymKey    *symKey = NULL;
+    CK_OBJECT_HANDLE id;
+    CERTSubjectPublicKeyInfo *spki = NULL;
+
+    
+    encodedRandNum = SEC_ASN1EncodeInteger(poolp, &challenge->randomNumber,
+					   inRandom);
+    encodedRandNum = &challenge->randomNumber;
+    randHash   = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
+    senderHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
+    if (randHash == NULL) {
+        goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_SHA1, randHash, encodedRandNum->data, 
+		      (PRUint32)encodedRandNum->len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_SHA1, senderHash, senderDER->data,
+		      (PRUint32)senderDER->len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    challenge->witness.data = randHash;
+    challenge->witness.len  = SHA1_LENGTH;
+
+    randStr.integer    = *encodedRandNum;
+    randStr.senderHash.data = senderHash;
+    randStr.senderHash.len  = SHA1_LENGTH;
+    dummy = SEC_ASN1EncodeItem(NULL, &encodedRandStr, &randStr, 
+			       CMMFRandTemplate);
+    if (dummy != &encodedRandStr) {
+        rv = SECFailure;
+        goto loser;
+    }
+    /* XXXX Now I have to encrypt encodedRandStr and stash it away. */
+    modulusLen = SECKEY_PublicKeyStrength(inPubKey);
+    encChal = PORT_ArenaNewArray(poolp, unsigned char, modulusLen);
+    if (encChal == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    slot =PK11_GetBestSlot(CKM_RSA_PKCS, passwdArg);
+    if (slot == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
+    /* In order to properly encrypt the data, we import as a symmetric
+     * key, and then wrap that key.  That in essence encrypts the data.
+     * This is the method recommended in the PK11 world in order
+     * to prevent threading issues as well as breaking any other semantics
+     * the PK11 libraries depend on.
+     */
+    symKey = PK11_ImportSymKey(slot, CKM_RSA_PKCS, PK11_OriginGenerated,
+			       CKA_VALUE, &encodedRandStr, passwdArg);
+    if (symKey == NULL) {
+        rv = SECFailure;
+	goto loser;
+    }
+    challenge->challenge.data = encChal;
+    challenge->challenge.len  = modulusLen;
+    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, inPubKey, symKey, 
+			    &challenge->challenge);
+    PK11_FreeSlot(slot);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &challenge->senderDER, senderDER);
+    crmf_get_public_value(inPubKey, &challenge->key);
+    /* Fall through */
+ loser:
+    if (spki != NULL) {
+        SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    if (encodedRandStr.data != NULL) {
+        PORT_Free(encodedRandStr.data);
+    }
+    if (encodedRandNum != NULL) {
+        SECITEM_FreeItem(encodedRandNum, PR_TRUE);
+    }
+    if (symKey != NULL) {
+        PK11_FreeSymKey(symKey);
+    }
+    return rv;
+}
+
+static SECStatus
+cmmf_create_first_challenge(CMMFPOPODecKeyChallContent *challContent, 
+			    long                        inRandom, 
+			    SECItem                    *senderDER, 
+			    SECKEYPublicKey            *inPubKey,
+			    void                       *passwdArg)
+{
+    SECOidData     *oidData;
+    CMMFChallenge  *challenge;
+    SECAlgorithmID *algId;
+    PRArenaPool    *poolp;
+    SECStatus       rv;
+
+    oidData = SECOID_FindOIDByTag(SEC_OID_SHA1);
+    if (oidData == NULL) {
+        return SECFailure;
+    }
+    poolp = challContent->poolp;
+    challenge = PORT_ArenaZNew(poolp, CMMFChallenge);
+    if (challenge == NULL) {
+        return SECFailure;
+    }
+    algId = challenge->owf = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (algId == NULL) {
+        return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &algId->algorithm, &oidData->oid);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    rv = cmmf_create_witness_and_challenge(poolp, challenge, inRandom, 
+					   senderDER, inPubKey, passwdArg);
+    challContent->challenges[0] = (rv == SECSuccess) ? challenge : NULL;
+    challContent->numChallenges++;
+    return rv ;
+}
+
+CMMFPOPODecKeyChallContent*
+CMMF_CreatePOPODecKeyChallContent (void)
+{
+    PRArenaPool *poolp;
+    CMMFPOPODecKeyChallContent *challContent;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
+    if (challContent == NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+    challContent->poolp = poolp;
+    return challContent;
+}
+
+SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                    (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				     long                        inRandom,
+				     CERTGeneralName            *inSender,
+				     SECKEYPublicKey            *inPubKey,
+				     void                       *passwdArg)
+{
+    CMMFChallenge               *curChallenge;
+    PRArenaPool                 *genNamePool = NULL, *poolp;
+    SECStatus                    rv;
+    SECItem                     *genNameDER;
+    void                        *mark;
+
+    PORT_Assert (inDecKeyChall != NULL &&
+		 inSender      != NULL &&
+		 inPubKey      != NULL);
+
+    if (inDecKeyChall == NULL || 
+	inSender      == NULL || inPubKey == NULL) {
+        return SECFailure;
+    }
+    poolp = inDecKeyChall->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    genNamePool = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    genNameDER = CERT_EncodeGeneralName(inSender, NULL, genNamePool);
+    if (genNameDER == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    if (inDecKeyChall->challenges == NULL) {
+        inDecKeyChall->challenges =
+	    PORT_ArenaZNewArray(poolp, CMMFChallenge*,(CMMF_MAX_CHALLENGES+1));
+	inDecKeyChall->numAllocated = CMMF_MAX_CHALLENGES;
+    }
+
+    if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    if (inDecKeyChall->numChallenges == 0) {
+        rv = cmmf_create_first_challenge(inDecKeyChall, inRandom, 
+					 genNameDER, inPubKey, passwdArg);
+    } else {
+        curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
+	if (curChallenge == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom, 
+					       genNameDER, inPubKey, 
+					       passwdArg);
+	if (rv == SECSuccess) {
+	    inDecKeyChall->challenges[inDecKeyChall->numChallenges] =
+	        curChallenge;
+	    inDecKeyChall->numChallenges++;
+	}
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    PORT_FreeArena(genNamePool, PR_FALSE);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    if (genNamePool != NULL) {
+        PORT_FreeArena(genNamePool, PR_FALSE);
+    }
+    PORT_Assert(rv != SECSuccess);
+    return rv;
+}
+
+SECStatus
+CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp)
+{
+    PORT_Assert(inDecKeyResp != NULL);
+    if (inDecKeyResp != NULL && inDecKeyResp->poolp != NULL) {
+        PORT_FreeArena(inDecKeyResp->poolp, PR_FALSE);
+    }
+    return SECSuccess;
+}
+
+int 
+CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont)
+{
+    int numResponses = 0;
+
+    PORT_Assert(inRespCont != NULL);
+    if (inRespCont == NULL) {
+        return 0;
+    }
+
+    while (inRespCont->responses[numResponses] != NULL) {
+        numResponses ++;
+    }
+    return numResponses;
+}
+
+SECStatus
+CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
+				       int                        inIndex,
+				       long                      *inDest)
+{
+    PORT_Assert(inRespCont != NULL);
+    
+    if (inRespCont == NULL || inIndex < 0 || 
+	inIndex >= CMMF_POPODecKeyRespContentGetNumResponses(inRespCont)) {
+        return SECFailure;
+    }
+    *inDest = DER_GetInteger(inRespCont->responses[inIndex]);
+    return (*inDest == -1) ? SECFailure : SECSuccess;
+}
diff --git a/security/nss/lib/crmf/cmmfi.h b/security/nss/lib/crmf/cmmfi.h
new file mode 100644
index 000000000..2677c8e56
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfi.h
@@ -0,0 +1,130 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * These are the definitions needed by the library internally to implement
+ * CMMF.  Most of these will be helper utilities for manipulating internal
+ * data strucures.
+ */
+#ifndef _CMMFI_H_
+#define _CMMFI_H_
+#include "cmmfit.h"
+#include "crmfi.h"
+
+#define CMMF_MAX_CHALLENGES 10
+#define CMMF_MAX_KEY_PAIRS  50
+
+/*
+ * Some templates that the code will need to implement CMMF.
+ */
+extern const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[];
+extern const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[];
+extern const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[];
+extern const SEC_ASN1Template CMMFRandTemplate[];
+extern const SEC_ASN1Template CMMFSequenceOfCertsTemplate[];
+extern const SEC_ASN1Template CMMFPKIStatusInfoTemplate[];
+extern const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[];
+
+
+/*
+ * Some utility functions that are shared by multiple files in this 
+ * implementation.
+ */
+
+extern SECStatus cmmf_CopyCertResponse (PRArenaPool      *poolp, 
+					CMMFCertResponse *dest, 
+					CMMFCertResponse *src);
+
+extern SECStatus cmmf_CopyPKIStatusInfo (PRArenaPool       *poolp, 
+					 CMMFPKIStatusInfo *dest,
+					 CMMFPKIStatusInfo *src);
+
+extern SECStatus cmmf_CopyCertifiedKeyPair(PRArenaPool          *poolp, 
+					   CMMFCertifiedKeyPair *dest,
+					   CMMFCertifiedKeyPair *src);
+
+extern SECStatus cmmf_DestroyPKIStatusInfo(CMMFPKIStatusInfo *info, 
+					   PRBool freeit);
+
+extern SECStatus cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, 
+					   PRBool freeit);
+
+extern SECStatus cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
+					     PRArenaPool          *poolp,
+					     CMMFPKIStatus         inStatus);
+
+extern SECStatus cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
+					   PRArenaPool       *poolp,
+					   CERTCertificate ***certArray);
+
+extern SECStatus 
+       cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
+					PRArenaPool       *poolp,
+					CERTCertificate   *inCert);
+
+extern CMMFPKIStatus 
+       cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus);
+
+extern CERTCertList*
+       cmmf_MakeCertList(CERTCertificate **inCerts);
+
+extern CERTCertificate*
+cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
+                                 CERTCertDBHandle  *certdb);
+
+extern SECStatus
+cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
+				  CERTCertDBHandle *db,
+				  CMMFCertResponse *inCertResp);
+
+extern SECStatus
+cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
+				       CERTCertDBHandle     *db,
+				       CMMFCertifiedKeyPair *inCertKeyPair);
+
+extern SECStatus
+cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
+		 const SEC_ASN1Template *inTemplate);
+
+extern SECStatus
+cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src);
+#endif /*_CMMFI_H_*/
+
+
+
+
+
diff --git a/security/nss/lib/crmf/cmmfit.h b/security/nss/lib/crmf/cmmfit.h
new file mode 100644
index 000000000..7cf7ea7e2
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfit.h
@@ -0,0 +1,148 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CMMFIT_H_
+#define _CMMFIT_H_
+
+/*
+ * All fields marked by a PKIStausInfo in comments is an integer
+ * with the following possible values.
+ *
+ *  Integer Value          Meaning
+ *  -------------          -------
+ *         0               granted- got exactly what you asked for.
+ *
+ *         1               grantedWithMods-got something like what you asked 
+ *                          for;requester is responsible for ascertainging the
+ *                          differences.
+ *
+ *         2               rejection-you don't get what you asked for; more 
+ *                          information elsewhere in the message
+ *
+ *         3               waiting-the request body part has not yet been 
+ *                          processed, expect to hear more later.
+ *
+ *         4               revocationWarning-this message contains a warning 
+ *                          that a revocation is imminent.
+ *
+ *         5               revocationNotification-notification that a 
+ *                          revocation has occurred.
+ *
+ *         6               keyUpdateWarning-update already done for the 
+ *                          oldCertId specified in FullCertTemplate.
+ */
+
+struct CMMFPKIStatusInfoStr {
+    SECItem status;
+    SECItem statusString;
+    SECItem failInfo;
+};
+
+struct CMMFCertOrEncCertStr {
+    union { 
+        CERTCertificate    *certificate;
+        CRMFEncryptedValue *encryptedCert;
+    } cert;
+    CMMFCertOrEncCertChoice choice;
+    SECItem                 derValue;
+};
+
+struct CMMFCertifiedKeyPairStr {
+    CMMFCertOrEncCert   certOrEncCert;
+    CRMFEncryptedValue *privateKey;
+    SECItem             derPublicationInfo; /* We aren't creating 
+					     * PKIPublicationInfo's, so 
+					     * we'll store away the der 
+					     * here if we decode one that
+					     * does have pubInfo.
+					     */
+    SECItem unwrappedPrivKey;
+};
+
+struct CMMFCertResponseStr {
+    SECItem               certReqId;
+    CMMFPKIStatusInfo     status; /*PKIStatusInfo*/
+    CMMFCertifiedKeyPair *certifiedKeyPair;
+};
+
+struct CMMFCertRepContentStr {
+    CERTCertificate  **caPubs;
+    CMMFCertResponse **response;
+    PRArenaPool       *poolp;
+    PRBool             isDecoded;
+};
+
+struct CMMFChallengeStr {
+    SECAlgorithmID  *owf;
+    SECItem          witness;
+    SECItem          senderDER;
+    SECItem          key;
+    SECItem          challenge;
+    SECItem          randomNumber;
+};
+
+struct CMMFRandStr {
+    SECItem          integer;
+    SECItem          senderHash;
+    CERTGeneralName *sender;
+};
+
+struct CMMFPOPODecKeyChallContentStr {
+    CMMFChallenge **challenges;
+    PRArenaPool    *poolp;
+    int             numChallenges;
+    int             numAllocated;
+};
+
+struct CMMFPOPODecKeyRespContentStr {
+    SECItem     **responses;
+    PRArenaPool  *poolp;
+};
+
+struct CMMFKeyRecRepContentStr {
+    CMMFPKIStatusInfo      status; /* PKIStatusInfo */
+    CERTCertificate       *newSigCert;
+    CERTCertificate      **caCerts;
+    CMMFCertifiedKeyPair **keyPairHist;
+    PRArenaPool           *poolp;
+    int                    numKeyPairs;
+    int                    allocKeyPairs;
+    PRBool                 isDecoded;
+};
+
+#endif /* _CMMFIT_H_ */
+
diff --git a/security/nss/lib/crmf/cmmfrec.c b/security/nss/lib/crmf/cmmfrec.c
new file mode 100644
index 000000000..6e80d7f0e
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfrec.c
@@ -0,0 +1,350 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file will implement the functions related to key recovery in 
+ * CMMF
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "keyhi.h"
+
+CMMFKeyRecRepContent*
+CMMF_CreateKeyRecRepContent(void)
+{
+    PRArenaPool          *poolp;
+    CMMFKeyRecRepContent *keyRecContent;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
+    if (keyRecContent == NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+    keyRecContent->poolp = poolp;
+    return keyRecContent;
+}
+
+SECStatus
+CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
+	int i;
+
+	if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert != NULL) {
+	    CERT_DestroyCertificate(inKeyRecRep->newSigCert);
+	}
+	if (inKeyRecRep->caCerts != NULL) {
+	    for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
+		CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
+	    }
+	}
+	if (inKeyRecRep->keyPairHist != NULL) {
+	    for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
+	        if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
+			cmmfCertificate) {
+		    CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
+					       certOrEncCert.cert.certificate);
+		}
+	    }
+	}
+        PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
+					    CMMFPKIStatus         inPKIStatus)
+{
+    PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
+		inPKIStatus < cmmfNumPKIStatus);
+    if (inKeyRecRep == NULL) {
+        return SECFailure;
+    }
+    
+    return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status, 
+				       inKeyRecRep->poolp,
+				       inPKIStatus);
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
+				    CERTCertificate      *inNewSignCert)
+{
+    PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
+    if (inKeyRecRep == NULL || inNewSignCert == NULL) {
+        return SECFailure;
+    }
+    if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert) {
+	CERT_DestroyCertificate(inKeyRecRep->newSigCert);
+    }
+    inKeyRecRep->isDecoded = PR_FALSE;
+    inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
+    return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;    
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
+				CERTCertList         *inCACerts)
+{
+    SECStatus rv;
+    void *mark;
+
+    PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
+    if (inKeyRecRep == NULL || inCACerts == NULL) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark(inKeyRecRep->poolp);
+    rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
+				   &inKeyRecRep->caCerts);
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(inKeyRecRep->poolp, mark);
+    } else {
+        PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
+					 CERTCertificate      *inCert,
+					 SECKEYPrivateKey     *inPrivKey,
+					 SECKEYPublicKey      *inPubKey)
+{
+    CMMFCertifiedKeyPair *keyPair;
+    CRMFEncryptedValue   *dummy;
+    PRArenaPool          *poolp;
+    void                 *mark;
+    SECStatus             rv;
+
+    PORT_Assert (inKeyRecRep != NULL &&
+		 inCert      != NULL &&
+		 inPrivKey   != NULL &&
+		 inPubKey    != NULL);
+    if (inKeyRecRep == NULL ||
+	inCert      == NULL ||
+	inPrivKey   == NULL ||
+	inPubKey    == NULL) {
+        return SECFailure;
+    }
+    poolp = inKeyRecRep->poolp;
+    mark = PORT_ArenaMark(poolp);
+    if (inKeyRecRep->keyPairHist == NULL) {
+        inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp, 
+						      CMMFCertifiedKeyPair*,
+						      (CMMF_MAX_KEY_PAIRS+1));
+	if (inKeyRecRep->keyPairHist == NULL) {
+	    goto loser;
+	}
+	inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
+	inKeyRecRep->numKeyPairs   = 0;
+    }
+
+    if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
+        goto loser;
+    }
+    
+    keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
+    if (keyPair == NULL) {
+        goto loser;
+    }
+    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
+					  poolp, inCert);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+    if (keyPair->privateKey == NULL) {
+        goto loser;
+    }
+    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey, 
+							keyPair->privateKey);
+    PORT_Assert(dummy == keyPair->privateKey);
+    if (dummy != keyPair->privateKey) {
+        crmf_destroy_encrypted_value(dummy, PR_TRUE);
+	goto loser;
+    }
+    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
+    inKeyRecRep->numKeyPairs++;
+    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+CMMFPKIStatus
+CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL) {
+        return cmmfNoPKIStatus;
+    }
+    return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
+}
+
+CERTCertificate*
+CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep             == NULL ||
+	inKeyRecRep->newSigCert == NULL) {
+        return NULL;
+    }
+    /* newSigCert may not be a real certificate, it may be a hand decoded
+     * cert structure. This code makes sure we hand off a real, fully formed
+     * CERTCertificate to the caller. TODO: This should move into the decode
+     * portion so that we never wind up with a half formed CERTCertificate
+     * here. In this case the call would be to CERT_DupCertificate.
+     */
+    return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
+			          &inKeyRecRep->newSigCert->signatureWrap.data,
+				   NULL, PR_FALSE, PR_TRUE);
+}
+
+CERTCertList*
+CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
+        return NULL;
+    }
+    return cmmf_MakeCertList(inKeyRecRep->caCerts);
+}
+
+int 
+CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
+}
+
+PRBool
+cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
+				  int                   inIndex)
+{
+    int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
+    
+    return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
+}
+
+CMMFCertifiedKeyPair*
+CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
+				       int                   inIndex)
+{
+    CMMFCertifiedKeyPair *newKeyPair;
+    SECStatus             rv;
+
+    PORT_Assert(inKeyRecRep != NULL &&
+		cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
+    if (inKeyRecRep == NULL ||
+	!cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
+        return NULL;
+    }
+    newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
+    if (newKeyPair == NULL) {
+        return NULL;
+    }
+    rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair, 
+				   inKeyRecRep->keyPairHist[inIndex]);
+    if (rv != SECSuccess) {
+        CMMF_DestroyCertifiedKeyPair(newKeyPair);
+	newKeyPair = NULL;
+    }
+    return newKeyPair;
+}
+
+SECStatus 
+CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
+				   SECKEYPrivateKey     *inPrivKey,
+				   SECItem              *inNickName,
+				   PK11SlotInfo         *inSlot,
+				   CERTCertDBHandle     *inCertdb,
+				   SECKEYPrivateKey    **destPrivKey,
+				   void                 *wincx)
+{
+    CERTCertificate *cert;
+    SECItem keyUsageValue = {siBuffer, NULL, 0};
+    unsigned char keyUsage = 0x0;
+    SECKEYPublicKey *pubKey;
+    SECStatus rv;
+
+    PORT_Assert(inKeyPair != NULL &&
+		inPrivKey != NULL && inCertdb != NULL);
+    if (inKeyPair             == NULL ||
+	inPrivKey             == NULL ||
+	inKeyPair->privateKey == NULL ||
+	inCertdb              == NULL) {
+        return SECFailure;
+    }
+    
+    cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
+    CERT_FindKeyUsageExtension(cert, &keyUsageValue);
+    if (keyUsageValue.data != NULL) {
+        keyUsage = keyUsageValue.data[3];
+	PORT_Free(keyUsageValue.data);
+    }
+    pubKey = CERT_ExtractPublicKey(cert);
+    rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
+					      inPrivKey, pubKey, 
+					      inNickName, inSlot, keyUsage, 
+					      destPrivKey, wincx);
+    SECKEY_DestroyPublicKey(pubKey);
+    CERT_DestroyCertificate(cert);
+    return rv;
+}
+
+
+PRBool 
+CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL) {
+        return PR_FALSE;
+    }
+    return (PRBool)(inKeyRecRep->caCerts    != NULL && 
+		    inKeyRecRep->caCerts[0] != NULL);
+}
diff --git a/security/nss/lib/crmf/cmmfresp.c b/security/nss/lib/crmf/cmmfresp.c
new file mode 100644
index 000000000..c77c5774d
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfresp.c
@@ -0,0 +1,315 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file will contain all routines dealing with creating a 
+ * CMMFCertRepContent structure through Create/Set functions.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+#include "secder.h"
+
+CMMFCertRepContent*
+CMMF_CreateCertRepContent(void)
+{
+    CMMFCertRepContent *retCertRep;
+    PRArenaPool        *poolp;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    retCertRep = PORT_ArenaZNew(poolp, CMMFCertRepContent);
+    if (retCertRep == NULL) {
+        goto loser;
+    }
+    retCertRep->poolp = poolp;
+    return retCertRep;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus 
+cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
+				 PRArenaPool       *poolp,
+				 CERTCertificate   *inCert)
+{
+    SECItem               *derDest = NULL;
+    SECStatus             rv = SECFailure;
+
+    if (inCert->derCert.data == NULL) {
+        derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert, 
+				     CMMFCertOrEncCertCertificateTemplate);
+	if (derDest == NULL) {
+	    goto loser;
+	}
+    } else {
+        derDest = SECITEM_DupItem(&inCert->derCert);
+	if (derDest == NULL) {
+	    goto loser;
+	}
+    }
+    PORT_Assert(certOrEncCert->cert.certificate == NULL);
+    certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
+    certOrEncCert->choice = cmmfCertificate;
+    if (poolp != NULL) {
+        rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+        certOrEncCert->derValue = *derDest;
+    }
+    PORT_Free(derDest);
+    return SECSuccess;
+ loser:
+    if (derDest != NULL) {
+        SECITEM_FreeItem(derDest, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
+			  PRArenaPool       *poolp,
+			  CERTCertificate ***certArray)
+{
+    CERTCertificate  **arrayLocalCopy;
+    CERTCertListNode  *node;
+    int                numNodes = 0, i;
+
+    for (node = CERT_LIST_HEAD(inCertList); !CERT_LIST_END(node, inCertList);
+	 node = CERT_LIST_NEXT(node)) {
+        numNodes++;
+    }
+
+    arrayLocalCopy = *certArray = (poolp == NULL) ?
+                    PORT_NewArray(CERTCertificate*, (numNodes+1)) :
+                    PORT_ArenaNewArray(poolp, CERTCertificate*, (numNodes+1));
+    if (arrayLocalCopy == NULL) {
+        return SECFailure;
+    }
+    for (node = CERT_LIST_HEAD(inCertList), i=0; 
+	 !CERT_LIST_END(node, inCertList);
+	 node = CERT_LIST_NEXT(node), i++) {
+        arrayLocalCopy[i] = CERT_DupCertificate(node->cert);
+	if (arrayLocalCopy[i] == NULL) {
+	    int j;
+	    
+	    for (j=0; j<i; j++) {
+	        CERT_DestroyCertificate(arrayLocalCopy[j]);
+	    }
+	    if (poolp == NULL) {
+	        PORT_Free(arrayLocalCopy);
+	    }
+	    *certArray = NULL;
+	    return SECFailure;
+	}
+    }
+    arrayLocalCopy[numNodes] = NULL;
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
+				    CMMFCertResponse  **inCertResponses,
+				    int                 inNumResponses)
+{
+    PRArenaPool       *poolp;
+    CMMFCertResponse **respArr, *newResp;
+    void              *mark;
+    SECStatus          rv;
+    int                i;
+
+    PORT_Assert (inCertRepContent != NULL &&
+		 inCertResponses  != NULL &&
+		 inNumResponses    > 0);
+    if (inCertRepContent == NULL ||
+	inCertResponses  == NULL ||
+	inCertRepContent->response != NULL) {
+        return SECFailure;
+    }
+    poolp = inCertRepContent->poolp;
+    mark = PORT_ArenaMark(poolp);
+    respArr = inCertRepContent->response = 
+        PORT_ArenaZNewArray(poolp, CMMFCertResponse*, (inNumResponses+1));
+    if (respArr == NULL) {
+        goto loser;
+    }
+    for (i=0; i<inNumResponses; i++) {
+        newResp = PORT_ArenaZNew(poolp, CMMFCertResponse);
+	if (newResp == NULL) {
+	    goto loser;
+	}
+        rv = cmmf_CopyCertResponse(poolp, newResp, inCertResponses[i]);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	respArr[i] = newResp;
+    }
+    respArr[inNumResponses] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+CMMFCertResponse*
+CMMF_CreateCertResponse(long inCertReqId)
+{
+    SECItem          *dummy;
+    CMMFCertResponse *newResp;
+    
+    newResp = PORT_ZNew(CMMFCertResponse);
+    if (newResp == NULL) {
+        goto loser;
+    }
+    dummy = SEC_ASN1EncodeInteger(NULL, &newResp->certReqId, inCertReqId);
+    if (dummy != &newResp->certReqId) {
+        goto loser;
+    }
+    return newResp;
+
+ loser:
+    if (newResp != NULL) {
+        CMMF_DestroyCertResponse(newResp);
+    }
+    return NULL;
+}
+
+SECStatus
+CMMF_CertResponseSetPKIStatusInfoStatus(CMMFCertResponse *inCertResp,
+					CMMFPKIStatus     inPKIStatus)
+{
+    PORT_Assert (inCertResp != NULL && inPKIStatus >= cmmfGranted
+		 && inPKIStatus < cmmfNumPKIStatus);
+
+    if  (inCertResp == NULL) {
+        return SECFailure;
+    }
+    return cmmf_PKIStatusInfoSetStatus(&inCertResp->status, NULL,
+				       inPKIStatus);
+}
+
+SECStatus
+CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
+				 CERTCertificate  *inCertificate)
+{
+    CMMFCertifiedKeyPair *keyPair = NULL;
+    SECStatus             rv = SECFailure;
+
+    PORT_Assert(inCertResp != NULL && inCertificate != NULL);
+    if (inCertResp == NULL || inCertificate == NULL) {
+        return SECFailure;
+    }
+    if (inCertResp->certifiedKeyPair == NULL) {
+        keyPair = inCertResp->certifiedKeyPair = 
+	    PORT_ZNew(CMMFCertifiedKeyPair);
+    } else {
+        keyPair = inCertResp->certifiedKeyPair;
+    }
+    if (keyPair == NULL) {
+        goto loser;
+    }
+    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
+					  inCertificate);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (keyPair) {
+        if (keyPair->certOrEncCert.derValue.data) {
+	    PORT_Free(keyPair->certOrEncCert.derValue.data);
+	}
+	PORT_Free(keyPair);
+    }
+    return rv;
+}
+
+
+SECStatus
+CMMF_CertRepContentSetCAPubs(CMMFCertRepContent *inCertRepContent,
+			     CERTCertList       *inCAPubs)
+{
+    PRArenaPool      *poolp;
+    void             *mark;
+    SECStatus         rv;
+
+    PORT_Assert(inCertRepContent != NULL &&
+		inCAPubs         != NULL &&
+		inCertRepContent->caPubs == NULL);
+    
+    if (inCertRepContent == NULL ||
+	inCAPubs == NULL || inCertRepContent == NULL) {
+        return SECFailure;
+    }
+
+    poolp = inCertRepContent->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
+				   &inCertRepContent->caPubs);
+
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(poolp, mark);
+    } else {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return rv;
+}
+
+CERTCertificate*
+CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
+				    CERTCertDBHandle     *inCertdb)
+{
+    PORT_Assert(inCertKeyPair != NULL);
+    if (inCertKeyPair == NULL) {
+        return NULL;
+    }
+    return cmmf_CertOrEncCertGetCertificate(&inCertKeyPair->certOrEncCert,
+					    inCertdb);
+}
diff --git a/security/nss/lib/crmf/cmmft.h b/security/nss/lib/crmf/cmmft.h
new file mode 100644
index 000000000..0590b7a78
--- /dev/null
+++ b/security/nss/lib/crmf/cmmft.h
@@ -0,0 +1,105 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _CMMFT_H_
+#define _CMMFT_H_
+
+#include "secasn1.h"
+
+/*
+ * These are the enumerations used to distinguish between the different
+ * choices available for the CMMFCertOrEncCert structure.
+ */
+typedef enum {
+    cmmfNoCertOrEncCert = 0,
+    cmmfCertificate = 1,
+    cmmfEncryptedCert = 2
+} CMMFCertOrEncCertChoice;
+
+/*
+ * This is the enumeration and the corresponding values used to 
+ * represent the CMMF type PKIStatus
+ */
+typedef enum {
+    cmmfNoPKIStatus = -1,
+    cmmfGranted = 0,
+    cmmfGrantedWithMods = 1,
+    cmmfRejection = 2,
+    cmmfWaiting = 3,
+    cmmfRevocationWarning = 4,
+    cmmfRevocationNotification = 5,
+    cmmfKeyUpdateWarning = 6,
+    cmmfNumPKIStatus
+} CMMFPKIStatus;
+
+/*
+ * These enumerations are used to represent the corresponding values
+ * in PKIFailureInfo defined in CMMF.
+ */
+typedef enum {
+    cmmfBadAlg = 0,
+    cmmfBadMessageCheck = 1,
+    cmmfBadRequest = 2,
+    cmmfBadTime = 3,
+    cmmfBadCertId = 4,
+    cmmfBadDataFormat = 5,
+    cmmfWrongAuthority = 6,
+    cmmfIncorrectData = 7,
+    cmmfMissingTimeStamp = 8,
+    cmmfNoFailureInfo = 9
+} CMMFPKIFailureInfo;
+
+typedef struct CMMFPKIStatusInfoStr          CMMFPKIStatusInfo;
+typedef struct CMMFCertOrEncCertStr          CMMFCertOrEncCert;
+typedef struct CMMFCertifiedKeyPairStr       CMMFCertifiedKeyPair;
+typedef struct CMMFCertResponseStr           CMMFCertResponse;
+typedef struct CMMFCertResponseSeqStr        CMMFCertResponseSeq;
+typedef struct CMMFPOPODecKeyChallContentStr CMMFPOPODecKeyChallContent;
+typedef struct CMMFChallengeStr              CMMFChallenge;
+typedef struct CMMFRandStr                   CMMFRand;
+typedef struct CMMFPOPODecKeyRespContentStr  CMMFPOPODecKeyRespContent;
+typedef struct CMMFKeyRecRepContentStr       CMMFKeyRecRepContent;
+typedef struct CMMFCertRepContentStr         CMMFCertRepContent;
+
+/* Export this so people can call SEC_ASN1EncodeItem instead of having to 
+ * write callbacks that are passed in to the high level encode function
+ * for CMMFCertRepContent.
+ */
+extern const SEC_ASN1Template CMMFCertRepContentTemplate[];
+extern const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[];
+
+#endif /*_CMMFT_H_*/
diff --git a/security/nss/lib/crmf/config.mk b/security/nss/lib/crmf/config.mk
new file mode 100644
index 000000000..9554ab4a5
--- /dev/null
+++ b/security/nss/lib/crmf/config.mk
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h
new file mode 100644
index 000000000..315100702
--- /dev/null
+++ b/security/nss/lib/crmf/crmf.h
@@ -0,0 +1,1782 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _CRMF_H_
+#define _CRMF_H_
+
+#include "seccomon.h"
+#include "cert.h"
+#include "crmft.h"
+#include "secoid.h"
+#include "secpkcs7.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * FUNCTION: CRMF_EncodeCertReqMsg
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to be encoded.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded bytes.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn
+ * OUTPUT:
+ *    The function fn will be called multiple times.  Look at the
+ *    comments in crmft.h where the CRMFEncoderOutputCallback type is 
+ *    defined for information on proper behavior of the function fn.
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value
+ *    indicates an error occurred during encoding.
+ */
+extern SECStatus 
+        CRMF_EncodeCertReqMsg (CRMFCertReqMsg            *inCertReqMsg, 
+			       CRMFEncoderOutputCallback  fn,
+			       void                      *arg);
+
+/*
+ * FUNCTION: CRMF_EncoderCertRequest
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to be encoded.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded bytes.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn.
+ * OUTPUT:
+ *    The function fn will be called, probably multiple times whenever 
+ *    the ASN1 encoder wants to write out DER-encoded bytes.  Look at the 
+ *    comments in crmft.h where the CRMFEncoderOuputCallback type is
+ *    defined for information on proper behavior of the funciton fn.
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value 
+ *    indicates an error occured during encoding.
+ */
+extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest           *inCertReq,
+					 CRMFEncoderOutputCallback  fn,
+					 void                      *arg);
+/*
+ * FUNCTION: CRMF_EncodeCertReqMessages
+ * INPUTS:
+ *    inCertReqMsgs
+ *        An array of pointers to the Certificate Request Messages
+ *        to encode.  The user must place a NULL pointer in the index
+ *        after the last message to be encoded.  When the library runs
+ *        into the NULL pointer, the library assumes there are no more
+ *        messages to encode.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded byts.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn.
+ *
+ * NOTES:
+ *    The parameter inCertReqMsgs needs to be an array with a NULL pointer
+ *    to signal the end of messages.  An array in the form of 
+ *    {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
+ *    m3.  All messages from m4 on will not be looked at by the library.
+ *
+ * OUTPUT:
+ *    The function fn will be called, probably multiple times.  Look at the 
+ *    comments in crmft.h where the CRMFEncoderOuputCallback type is
+ *    defined for information on proper behavior of the funciton fn.
+ *
+ * RETURN:
+ * SECSuccess if encoding the Certificate Request Messages was successful. 
+ * Any other return value indicates an error occurred while encoding the
+ * certificate request messages.
+ */
+extern SECStatus 
+       CRMF_EncodeCertReqMessages(CRMFCertReqMsg           **inCertReqMsgs,
+				  CRMFEncoderOutputCallback  fn,
+				  void                      *arg);
+
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMsg
+ * INPUTS:
+ *    NONE
+ * OUTPUT:
+ *    An empty CRMF Certificate Request Message.
+ *    Before encoding this message, the user must set
+ *    the ProofOfPossession field and the certificate 
+ *    request which are necessary for the full message.
+ *    After the user no longer needs this CertReqMsg,
+ *    the user must call CRMF_DestroyCertReqMsg to free
+ *    all memory associated with the Certificate Request
+ *    Message.
+ * RETURN:
+ *    A pointer to a Certificate Request Message.  The user 
+ *    must pass the return value of this function to 
+ *    CRMF_DestroyCertReqMsg after the Certificate Request
+ *    Message is no longer necessary.
+ */
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsg(void);
+
+/*
+ * FUNCTION: CRMF_DestroyCertReqMsg
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to destroy.
+ *  NOTES:
+ *    This function frees all the memory used for the Certificate
+ *    Request Message and all the memory used in making copies of
+ *    fields of elelments of the message, eg. the Proof Of Possession
+ *    filed and the Cetificate Request.  
+ * RETURN:
+ *    SECSuccess if destruction was successful.  Any other return value
+ *    indicates an error while trying to free the memory associated
+ *    with inCertReqMsg.
+ *    
+ */
+extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetCertRequest
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message that the function will set
+ *        the certificate request for.
+ *    inCertReq
+ *        The Certificate Request that will be added to the Certificate
+ *        Request Message.
+ * NOTES:
+ *    This function will make a copy of the Certificate Request passed in
+ *    and store it as part of the Certificate Request Message.  Therefore,
+ *    the user must not call this function until the Certificate Request
+ *    has been fully built and is ready to be encoded.
+ * RETURN:
+ *    SECSuccess 
+ *        If copying the Certificate as a member of the Certificate
+ *        request message was successful.
+ *    Any other return value indicates a failure to copy the Certificate
+ *    Request and make it a part of the Certificate Request Message.
+ */
+extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg  *inCertReqMsg, 
+					       CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CreateCertRequest
+ * INPUTS:
+ *    inRequestID
+ *        The ID that will be associated with this certificate request.
+ * OUTPUTS:
+ *    A certificate request which only has the requestID set.
+ * NOTES:
+ *    The user must call the function CRMF_DestroyCertRequest when
+ *    the returned value is no longer needed.  This is usually the
+ *    case after fully constructing the Certificate Request and then
+ *    calling the function CRMF_CertReqMsgSetCertRequest.
+ * RETURN:
+ *    A pointer to the new Certificate Request.  A NULL return value
+ *    indicates an error in creating the Certificate Request.
+ */
+extern CRMFCertRequest *CRMF_CreateCertRequest (PRUint32 inRequestID);
+
+/*
+ * FUNCTION: CRMF_DestroyCertRequest
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request that will be destroyed.
+ * RETURN:
+ *    SECSuccess
+ *        If freeing the memory associated with the certificate request 
+ *        was successful.
+ *    Any other return value indicates an error while trying to free the 
+ *    memory.
+ */
+extern SECStatus CRMF_DestroyCertRequest (CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CreateCertExtension
+ * INPUTS:
+ *    id
+ *        The SECOidTag to associate with this CertExtension.  This must
+ *        correspond to a valid Certificate Extension, if not the function
+ *        will fail.
+ *    isCritical
+ *        A boolean value stating if the extension value is crtical.  PR_TRUE
+ *        means the value is crtical.  PR_FALSE indicates the value is not 
+ *        critical.
+ *    data
+ *        This is the data associated with the extension.  The user of the
+ *        library is responsible for making sure the value passed in is a
+ *        valid interpretation of the certificate extension.
+ * NOTES:
+ * Use this function to create CRMFCertExtension Structures which will 
+ * then be passed to CRMF_AddFieldToCertTemplate as part of the 
+ * CRMFCertCreationInfo.extensions  The user must call 
+ * CRMF_DestroyCertExtension after the extension has been added to a certifcate
+ * and the extension is no longer needed.
+ *
+ * RETURN:
+ * A pointer to a newly created CertExtension.  A return value of NULL
+ * indicates the id passed in was an invalid certificate extension.
+ */
+extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag      id, 
+						   PRBool         isCritical,
+						   SECItem       *data);
+
+/*
+ * FUNCTION: CMRF_DestroyCertExtension
+ * INPUTS:
+ *    inExtension
+ *        The Cert Extension to destroy
+ * NOTES:
+ * Destroy a structure allocated by CRMF_CreateCertExtension.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory associated with the certificate extension
+ * was successful.  Any other error indicates an error while freeing the 
+ * memory.
+ */
+extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
+
+/* 
+ * FUNCTION: CRMF_CertRequestSetTemplateField
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    inTemplateField
+ *        An enumeration that indicates which field of the Certificate
+ *        template to add.
+ *    data
+ *        A generic pointer that will be type cast according to the
+ *        table under NOTES and used as the key for adding to the
+ *        certificate template;
+ * NOTES:
+ *
+ * Below is a table that tells what type to pass in as data
+ * depending on the template field one wants to set.
+ *
+ * Look in crmft.h for the definition of CRMFCertTemplateField.
+ * 
+ * In all cases, the library makes copies of the data passed in.
+ *
+ *   CRMFCertTemplateField    Type of data    What data means
+ *   ---------------------    ------------    ---------------
+ *   crmfVersion              long *          The version of
+ *                                            the certificate
+ *                                            to be created.
+ *
+ *   crmfSerialNumber         long *          The serial number
+ *                                            for the cert to be
+ *                                            created.
+ *   
+ *   crmfSigningAlg           SECAlgorithm *  The ASN.1 object ID for
+ *                                            the algorithm used in encoding
+ *                                            the certificate.
+ *
+ *   crmfIssuer               CERTName *      Certificate Library 
+ *                                            representation of the ASN1 type
+ *                                            Name from X.509
+ *
+ *   crmfValidity     CRMFValidityCreationInfo *  At least one of the two
+ *                                                fields in the structure must
+ *                                                be present.  A NULL pointer 
+ *                                                in the structure indicates
+ *                                                that member should not be 
+ *                                                added.
+ *
+ *   crmfSubject              CERTName *      Certificate Library 
+ *                                            representation of the ASN1 type
+ *                                            Name from X.509
+ *
+ *   crmfPublicKey    CERTSubjectPublicKeyInfo *  The public key info for the
+ *                                                certificate being requested.
+ *
+ *   crmfIssuerUID            SECItem *           A bit string representation
+ *                                                of the issuer UID. NOTE: The
+ *                                                length is the number of bits
+ *                                                and not the number of bytes.
+ *
+ *   crmfSubjectUID           SECItem*            A bit string representation
+ *                                                of the subject UID. NOTE: The
+ *                                                length is the number of bits
+ *                                                and not the number of bytes.
+ *
+ *   crmfExtension   CRMFCertExtCreationInfo *     A pointer to the structure
+ *                                                 populated with an array of 
+ *                                                 of certificate extensions
+ *                                                 and an integer that tells
+ *                                                 how many elements are in the
+ *                                                 array. Look in crmft.h for
+ *                                                 the definition of 
+ *                                                 CRMFCertExtCreationInfo
+ * RETURN:
+ *    SECSuccess if adding the desired field to the template was successful.
+ *    Any other return value indicates failure when trying to add the field 
+ *    to the template.
+ *                                                
+ */
+extern SECStatus
+  CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
+				   CRMFCertTemplateField  inTemplateField,
+				   void                  *data);
+
+/*
+ * FUNCTION: CRMF_CertRequestIsFieldPresent
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    inTemplateField
+ *        The enumeration for the template field the user wants to query
+ *        about.
+ * NOTES:
+ * This function checks to see if the the field associated with inTemplateField
+ * enumeration is already present in the certificate request passed in.
+ *
+ * RETURN:
+ * The function returns PR_TRUE if the field associated with inTemplateField
+ * is already present in the certificate request.  If the field is not present
+ * the function returns PR_FALSE.
+ */
+extern PRBool
+  CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
+				 CRMFCertTemplateField  inTemplateField);
+
+/*
+ * FUNCTION: CRMF_CertRequestIsControlPresent
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    inControlType
+ *        The type of control to look for.
+ * NOTES:
+ * This function looks at the control present in the certificate request
+ * and returns PR_TRUE iff a control of type inControlType already exists.
+ * The CRMF draft does not explicitly state that two controls of the same
+ * type can not exist within the same request.  So the library will not
+ * cause an error if you try to add a control and one of the same type
+ * already exists.  It is up to the application to ensure that multiple
+ * controls of the same type do not exist, if that is the desired behavior
+ * by the application.
+ *
+ * RETURN:
+ * The function returns PR_TRUE if a control of type inControlType already
+ * exists in the certificate request.  If a control of type inControlType
+ * does not exist, the function will return PR_FALSE.
+ */
+extern PRBool
+  CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
+				   CRMFControlType  inControlType);
+				   
+
+/*
+ * FUNCTION: CRMF_CertRequestSetRegTokenControl
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    value
+ *        The UTF8 value which will be the Registration Token Control
+ *        for this Certificate Request.
+ * NOTES:
+ *    The library does no verification that the value passed in is 
+ *    a valid UTF8 value.  The caller must make sure of this in order
+ *    to get an encoding that is valid.  The library will ultimately
+ *    encode this value as it was passed in.
+ * RETURN:
+ *    SECSucces on successful addition of the Registration Token Control.
+ *    Any other return value indicates an unsuccessful attempt to add the
+ *    control.
+ *
+ */
+extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
+						    SECItem         *value);
+
+/*
+ * FUNCTION: CRMF_CertRequestSetAuthenticatorControl
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    value
+ *        The UTF8 value that will become the Authenticator Control
+ *        for the passed in Certificate Request.
+ * NOTES:
+ *    The library does no verification that the value passed in is 
+ *    a valid UTF8 value.  The caller must make sure of this in order
+ *    to get an encoding that is valid.  The library will ultimately
+ *    encode this value as it was passed in.
+ * RETURN:
+ *    SECSucces on successful addition of the Authenticator Control.
+ *    Any other return value indicates an unsuccessful attempt to add the
+ *    control.
+ */
+extern SECStatus 
+       CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
+						SECItem         *value);
+
+/*
+ * FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
+ * INPUTS:
+ *    inPrivKey
+ *        This is the private key associated with a certificate that is
+ *        being requested.  This structure will eventually wind up as 
+ *        a part of the PKIArchiveOptions Control.  
+ *    inCACert
+ *        This is the certificate for the CA that will be receiving the 
+ *        certificate request for the private key passed in.
+ * OUTPUT:
+ *    A CRMFEncryptedKey that can ultimately be used as part of the 
+ *    PKIArchiveOptions Control.
+ *
+ * RETURN:
+ *    A pointer to a CRMFEncyptedKey.  A NULL return value indicates an erro
+ *    during the creation of the encrypted key.
+ */
+extern CRMFEncryptedKey* 
+       CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
+						 CERTCertificate  *inCACert);
+
+/*
+ * FUNCTION: CRMF_DestroyEncryptedKey
+ * INPUTS:
+ *    inEncrKey
+ *        The CRMFEncryptedKey to be destroyed.
+ * NOTES:
+ *    Frees all memory associated with the CRMFEncryptedKey passed in.
+ * RETURN:
+ *    SECSuccess if freeing the memory was successful.  Any other return
+ *    value indicates an error while freeig the memroy.
+ */
+extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
+						
+/*
+ * FUNCTION: CRMF_CreatePKIArchiveOptions
+ * INPUTS:
+ *    inType
+ *        An enumeration value indicating which option for 
+ *        PKIArchiveOptions to use.
+ *    data
+ *        A pointer that will be type-cast and de-referenced according
+ *        to the table under NOTES.
+ * NOTES:
+ * A table listing what should be passed in as data
+ * ------------------------------------------------
+ *
+ * inType                            data
+ * ------                            ----
+ * crmfEncryptedPrivateKey           CRMFEncryptedKey*
+ * crmfKeyGenParameters              SECItem*(This needs to be an octet string)
+ * crmfArchiveRemGenPrivKey          PRBool*
+ *
+ * RETURN:
+ *    A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
+ *    Request.  A NULL pointer indicates an error occurred while creating
+ *    the CRMFPKIArchiveOptions Structure.
+ */
+extern CRMFPKIArchiveOptions*
+       CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType  inType,
+				    void                      *data);
+/*
+ * FUNCTION: CRMF_DestroyPKIArchiveOptions
+ * INPUTS:
+ *    inArchOpt
+ *        A pointer to the CRMFPKIArchiveOptions structure to free.
+ * NOTES:
+ *    Will free all memory associated with 'inArchOpt'.
+ * RETURN:
+ *    SECSuccess if successful in freeing the memory used by 'inArchOpt'
+ *    Any other return value indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
+
+/*
+ * FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to add the the options to.
+ *    inOptions
+ *        The Archive Options to add to the Certificate Request.
+ * NOTES:
+ *    Adds the PKIArchiveOption to the Certificate Request.  This is what
+ *    enables Key Escrow to take place through CRMF.  The library makes
+ *    its own copy of the information.
+ * RETURN:
+ *    SECSuccess if successful in adding the ArchiveOptions to the Certificate
+ *    request.  Any other return value indicates an error when trying to add
+ *    the Archive Options  to the Certificate Request.
+ */
+extern SECStatus 
+       CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
+					    CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPType
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    Returns an enumeration value indicating the method of Proof
+ *    of Possession that was used for the passed in Certificate Request
+ *    Message.
+ * RETURN:
+ *    An enumeration indicating what method for Proof Of Possession is
+ *    being used in this Certificate Request Message.  Look in the file
+ *    crmft.h for the definition of CRMFPOPChoice for the possible return
+ *    values.
+ */
+extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
+ * INPUT:
+ *    InCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    This function will set the method of Proof Of Possession to 
+ *    crmfRAVerified which means the RA has already verified the 
+ *    requester does possess the private key.
+ * RETURN:
+ *    SECSuccess if adding RAVerified to the message is successful.  
+ *    Any other message indicates an error while trying to add RAVerified
+ *    as the Proof of Possession.
+ */
+extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetSignaturePOP
+ * INPUT:
+ *    inCertReqMsg
+ *        The Certificate Request Message to add the SignaturePOP to.
+ *    inPrivKey
+ *        The Private Key which corresponds to the the Certificate Request
+ *        Message.
+ *    inPubKey
+ *        The Public Key which corresponds to the Private Key passed in.
+ *    inCertForInput
+ *        A Certificate that in the future may be used to create 
+ *        POPOSigningKeyInput.
+ *    fn
+ *        A callback for retrieving a password which may be used in the
+ *       future to generate POPOSigningKeyInput.
+ *    arg
+ *        An opaque pointer that would be passed to fn whenever it is
+ *        called.
+ * NOTES:
+ * Adds Proof Of Possession to the CertRequest using the signature field 
+ * of the ProofOfPossession field.  NOTE: In order to use this option, 
+ * the certificate template must contain the publicKey at the very minimum.
+ * 
+ * If you don't want the function to generate POPOSigningKeyInput, then
+ * make sure the cert template already contains the subject and public key
+ * values.  Currently creating POPOSigningKeyInput is not supported, so 
+ * a Message passed to this function must have the publicKey and the subject
+ * as part of the template
+ *
+ * This will take care of creating the entire POPOSigningKey structure
+ * that will become part of the message.
+ *
+ * inPrivKey is the key to be used in the signing operation when creating
+ * POPOSigningKey structure.  This should be the key corresponding to
+ * the certificate being requested.
+ *
+ * inCertForInput will be used if POPOSigningKeyInput needs to be generated.
+ * It will be used in generating the authInfo.sender field.  If the parameter
+ * is not passed in then authInfo.publicKeyMAC will be generated instead.
+ * If passed in, this certificate needs to be a valid certificate.
+ *
+ * The last 3 arguments are for future compatibility in case we ever want to
+ * support generating POPOSigningKeyInput.  Pass in NULL for all 3 if you 
+ * definitely don't want the funciton to even try to generate 
+ * POPOSigningKeyInput.  If you try to use POPOSigningKeyInput, the function
+ * will fail.
+ *
+ * RETURN:
+ *    SECSuccess if adding the Signature Proof Of Possession worked.
+ *    Any other return value indicates an error in trying to add
+ *    the Signature Proof Of Possession.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
+				      SECKEYPrivateKey *inPrivKey,
+				      SECKEYPublicKey  *inPubKey,
+				      CERTCertificate  *inCertForInput,
+				      CRMFMACPasswordCallback  fn,
+				      void                    *arg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ *    inKeyChoice
+ *        An enumeration indicating which POPOPrivKey Choice to use
+ *        in constructing the KeyEnciphermentPOP.
+ *    subseqMess
+ *        This parameter must be provided iff inKeyChoice is 
+ *        crmfSubsequentMessage.  This details how the RA is to respond
+ *        in order to perform Proof Of Possession.  Look in crmft.h under
+ *        the definition of CRMFSubseqMessOptions for possible values.
+ *    encPrivKey
+ *        This parameter only needs to be provided if inKeyChoice is
+ *        crmfThisMessage.  The item should contain the encrypted private
+ *        key.
+ *        
+ * NOTES:
+ * Adds Proof Of Possession using the keyEncipherment field of
+ * ProofOfPossession.
+ *
+ * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * in the following manner.
+ *
+ * If a parameter is not mentioned under interpretation, the funciton will not
+ * look at its value when implementing that case.
+ *
+ * inKeyChoice          Interpretation
+ * -----------          --------------
+ * crmfThisMessage      This options requires that the encrypted private key
+ *                      be included in the thisMessage field of POPOPrivKey.
+ *                      We don't support this yet, so any clients who want
+ *                      to use this feature have to implement a wrapping
+ *                      function and agree with the server on how to properly
+ *                      wrap the key.  That encrypted key must be passed in
+ *                      as the encPrivKey parameter.
+ *
+ * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+ *                      be either CRMFEncrCert or CRMFChallengeResp.  The
+ *                      parameter encPrivKey will not be looked at in this
+ *                      case.
+ *
+ * crmfDHMAC            This is not a valid option for this function.  Passing
+ *                      in this value will result in the function returning
+ *                      SECFailure.
+ * RETURN:
+ *    SECSuccess if adding KeyEnciphermentPOP was successful.  Any other return
+ *    value indicates an error in adding KeyEnciphermentPOP.
+ */
+extern SECStatus 
+      CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
+					   CRMFPOPOPrivKeyChoice  inKeyChoice,
+					   CRMFSubseqMessOptions  subseqMess,
+					   SECItem               *encPrivKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ *    inKeyChoice
+ *        An enumeration indicating which POPOPrivKey Choice to use
+ *        in constructing the KeyAgreementPOP.
+ *    subseqMess
+ *        This parameter must be provided iff inKeyChoice is 
+ *        crmfSubsequentMessage.  This details how the RA is to respond
+ *        in order to perform Proof Of Possession.  Look in crmft.h under
+ *        the definition of CRMFSubseqMessOptions for possible values.
+ *    encPrivKey
+ *        This parameter only needs to be provided if inKeyChoice is
+ *        crmfThisMessage.  The item should contain the encrypted private
+ *        key.
+ * Adds Proof Of Possession using the keyAgreement field of
+ * ProofOfPossession.
+ *
+ * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * in the following manner.
+ *
+ * If a parameter is not mentioned under interpretation, the funciton will not
+ * look at its value when implementing that case.
+ *
+ * inKeyChoice          Interpretation
+ * -----------          --------------
+ * crmfThisMessage      This options requires that the encrypted private key
+ *                      be included in the thisMessage field of POPOPrivKey.
+ *                      We don't support this yet, so any clients who want
+ *                      to use this feature have to implement a wrapping
+ *                      function and agree with the server on how to properly
+ *                      wrap the key.  That encrypted key must be passed in
+ *                      as the encPrivKey parameter.
+ *
+ * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+ *                      be either crmfEncrCert or crmfChallengeResp.  The
+ *                      parameter encPrivKey will not be looked at in this
+ *                      case.
+ *
+ * crmfDHMAC            This option is not supported.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg        *inCertReqMsg,
+					 CRMFPOPOPrivKeyChoice  inKeyChoice,
+					 CRMFSubseqMessOptions  subseqMess,
+					 SECItem               *encPrivKey);
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMsgFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer to the DER-encoded Certificate Request Message.
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ * This function passes the buffer to the ASN1 decoder and creates a 
+ * CRMFCertReqMsg structure.  Do not try adding any fields to a message
+ * returned from this function.  Specifically adding more Controls or 
+ * Extensions may cause your program to crash.
+ *
+ * RETURN:
+ *    A pointer to the Certificate Request Message structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMessagesFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer to the DER-encoded Certificate Request Messages.
+ *    len
+ *        The length in bytes of buf
+ * NOTES:
+ * This function passes the buffer to the ASN1 decoder and creates a 
+ * CRMFCertReqMessages structure.  Do not try adding any fields to a message
+ * derived from this function.  Specifically adding more Controls or 
+ * Extensions may cause your program to crash.
+ * The user must call CRMF_DestroyCertReqMessages after the return value is 
+ * no longer needed, ie when all individual messages have been extracted.
+ *  
+ * RETURN:
+ *    A pointer to the Certificate Request Messages structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */ 
+extern CRMFCertReqMessages*
+       CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CRMF_DestroyCertReqMessages
+ * INPUTS
+ *    inCertReqMsgs
+ *        The Messages to destroy.
+ * RETURN:
+ *    SECSuccess if freeing the memory was done successfully.  Any other
+ *    return value indicates an error in freeing up memory.
+ */ 
+extern SECStatus 
+       CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
+
+/*
+ * FUNCTION: CRMF_CertReqMessagesGetNumMessages
+ * INPUTS:
+ *    inCertReqMsgs
+ *        The Request Messages to operate on.
+ * RETURN:
+ *    The number of messages contained in the in the Request Messages 
+ *    strucure.
+ */
+extern int 
+       CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
+
+/*
+ * FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
+ * INPUTS:
+ *    inReqMsgs
+ *        The Certificate Request Messages to operate on.
+ *    index
+ *        The index of the single message the user wants a copy of.
+ * NOTES:
+ * This function returns a copy of the request messages stored at the 
+ * index corresponding to the parameter 'index'.  Indexing of the messages
+ * is done in the same manner as a C array.  Meaning the valid index are 
+ * 0...numMessages-1.  User must call CRMF_DestroyCertReqMsg when done using
+ * the return value of this function.
+ *
+ * RETURN:
+ * SECSuccess if copying the message at the requested index was successful.
+ * Any other return value indicates an invalid index or error while copying
+ * the single request message.
+ */
+extern CRMFCertReqMsg*
+       CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
+						int                  index);
+
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetID
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to get the ID from.
+ *    destID
+ *        A pointer to where the library can place the ID of the Message.
+ * RETURN:
+ *    SECSuccess if the function was able to retrieve the ID and place it
+ *    at *destID.  Any other return value indicates an error meaning the value
+ *    in *destId is un-reliable and should not be used by the caller of this 
+ *    function.
+ *    
+ */
+extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, 
+				      long           *destID);
+
+/*
+ * FUNCTION: CRMF_DoesRequestHaveField
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    inField
+ *        An enumeration indicating which filed of the certificate template
+ *        to look for.
+ * NOTES:
+ * All the fields in a certificate template are optional.  This function
+ * checks to see if the requested field is present.  Look in crmft.h at the
+ * definition of CRMFCertTemplateField for possible values for possible 
+ * querying.
+ *
+ * RETURN:
+ * PR_TRUE iff the field corresponding to 'inField' has been specified as part
+ *         of 'inCertReq'
+ * PR_FALSE iff the field corresponding to 'inField' has not been speicified
+ *          as part of 'inCertReq'
+ *        
+ */
+extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest       *inCertReq,
+					CRMFCertTemplateField  inField);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetCertRequest
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    This function returns a copy of the Certificate Request to the user.
+ *    The user can keep adding to this request and then making it a part
+ *    of another message.  After the user no longer wants to use the
+ *    returned request, the user must call CRMF_DestroyCertRequest and
+ *    pass it the request returned by this function.
+ * RETURN:
+ *    A pointer to a copy of the certificate request contained by the message.
+ *    A NULL return value indicates an error occurred while copying the 
+ *   certificate request.
+ */
+extern CRMFCertRequest *
+       CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateVersion
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    version
+ *        A pointer to where the library can store the version contatined
+ *        in the certificate template within the certifcate request.
+ * RETURN:
+ *    SECSuccess if the Certificate template contains the version field.  In 
+ *    this case, *version will hold the value of the certificate template 
+ *    version.
+ *    SECFailure indicates that version field was not present as part of
+ *    of the certificate template.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
+					      long            *version);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    serialNumber
+ *        A pointer where the library can put the serial number contained
+ *        in the certificate request's certificate template.
+ * RETURN:
+ * If a serial number exists in the CertTemplate of the request, the function 
+ * returns SECSuccess and the value at *serialNumber contains the serial 
+ * number.
+ * If no serial number is present, then the function returns SECFailure and
+ * the value at *serialNumber is un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq, 
+						   long         *serialNumber);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
+ * INPUT:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destAlg
+ *        A Pointer to where the library can place a copy of the signing alg
+ *        used in the cert request's cert template.
+ * RETURN:
+ * If the signingAlg is present in the CertRequest's CertTemplate, then
+ * the function returns SECSuccess and places a copy of sigingAlg in 
+ * *destAlg.
+ * If no signingAlg is present, then the function returns SECFailure and
+ * the value at *destAlg is un-changed
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
+						 SECAlgorithmID  *destAlg);
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destIssuer
+ *        A pointer to where the library can place a copy of the cert
+ *        request's cert template issuer field.
+ * RETURN:
+ * If the issuer is present in the cert request cert template, the function 
+ * returns SECSuccess and places a  copy of the issuer in *destIssuer.
+ * If there is no issuer present, the funciton returns SECFailure and the
+ * value at *destIssuer is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
+					     CERTName        *destIssuer);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateValidity
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destValdity
+ *        A pointer to where the library can place a copy of the validity
+ *        info in the cert request cert template.
+ * NOTES:
+ * Pass the pointer to 
+ * RETURN: 
+ * If there is an OptionalValidity field, the function will return SECSuccess
+ * and place the appropriate values in *destValidity->notBefore and 
+ * *destValidity->notAfter. (Each field is optional, but at least one will
+ * be present if the function returns SECSuccess)
+ *
+ * If there is no OptionalValidity field, the function will return SECFailure
+ * and the values at *destValidity will be un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
+					       CRMFGetValidity *destValidity);
+/*
+ * FUNCTION: CRMF_DestroyGetValidity
+ * INPUTS:
+ *    inValidity
+ *        A pointer to the memroy to be freed.
+ * NOTES:
+ * The function will free the memory allocated by the function 
+ * CRMF_CertRequestGetCertTemplateValidity.  That means only memory pointed
+ * to within the CRMFGetValidity structure.  Since 
+ * CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
+ * structure passed into it, it will not free it.  Meaning this function will
+ * free the memory at inValidity->notBefore and inValidity->notAfter, but not
+ * the memory directly at inValdity.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return value
+ * indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSubject
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destSubject
+ *        A pointer to where the library can place a copy of the subject
+ *        contained in the request's cert template.
+ * RETURN:
+ * If there is a subject in the CertTemplate, then the function returns 
+ * SECSuccess and a copy of the subject is placed in *destSubject.
+ *
+ * If there is no subject, the function returns SECFailure and the values at
+ * *destSubject is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSubject (CRMFCertRequest *inCertReq,
+					       CERTName        *destSubject);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
+ * INPUTS:
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destPublicKey
+ *        A pointer to where the library can place a copy of the request's
+ *        cert template public key.
+ * RETURN:
+ * If there is a publicKey parameter in the CertRequest, the function returns
+ * SECSuccess, and places a copy of the publicKey in *destPublicKey.
+ *
+ * If there is no publicKey, the function returns SECFailure and the value
+ * at *destPublicKey is un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
+				      CERTSubjectPublicKeyInfo *destPublicKey);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
+ * INPUTS:
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destIssuerUID
+ *        A pointer to where the library can store a copy of the request's
+ *        cert template destIssuerUID.
+ *
+ * NOTES: 
+ * destIssuerUID is a bit string and will be returned in a SECItem as
+ * a bit string.  Meaning the len field contains the number of valid bits as
+ * opposed to the number of bytes allocated.
+ *
+ * RETURN:
+ * If the CertTemplate has an issuerUID, the function returns SECSuccess and
+ * places a copy of the issuerUID in *destIssuerUID.
+ *
+ * If there is no issuerUID, the function returns SECFailure and the value
+ * *destIssuerUID is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
+						SECItem        *destIssuerUID);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destSubjectUID
+ *        A pointer to where the library can store a copy of the request's
+ *        cert template destIssuerUID.
+ *
+ * NOTES: 
+ * destSubjectUID is a bit string and will be returned in a SECItem as
+ * a bit string.  Meaning the len field contains the number of valid bits as
+ * opposed to the number of bytes allocated.
+ *
+ * RETURN:
+ * If the CertTemplate has an issuerUID, the function returns SECSuccess and
+ * places a copy of the issuerUID in *destIssuerUID.
+ *
+ * If there is no issuerUID, the function returns SECSuccess and the value
+ * *destIssuerUID is unchanged.
+ */
+extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
+						SECItem       *destSubjectUID);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetNumberOfExtensions
+ * INPUTS:
+ *    inCertReq
+ *        The cert request to operate on.
+ * RETURN:
+ *    Returns the number of extensions contained by the Cert Request.
+ */
+extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetExtensionAtIndex
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate request to operate on.
+ *    index
+ *        The index of the extension array whihc the user wants to access.
+ * NOTES:
+ * This function retrieves the extension at the index corresponding to the 
+ * parameter "index" indicates.  Indexing is done like a C array.  
+ * (0 ... numElements-1)
+ *
+ * Call CRMF_DestroyCertExtension when done using the return value.
+ *
+ * RETURN:
+ *    A pointer to a copy of the extension at the desired index.  A NULL 
+ *    return value indicates an invalid index or an error while copying 
+ *    the extension.
+ */
+extern CRMFCertExtension *
+       CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
+					   int              index);
+/*
+ * FUNCTION: CRMF_CertExtensionGetOidTag
+ * INPUTS:
+ *    inExtension
+
+ *        The extension to operate on.
+ * RETURN:
+ *    Returns the SECOidTag associated with the cert extension passed in.
+ */
+extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
+
+/*
+ * FUNCTION: CRMF_CertExtensionGetIsCritical
+ * INPUT:
+ *    inExt
+ *        The cert extension to operate on.
+ *
+ * RETURN:
+ * PR_TRUE if the extension is critical.
+ * PR_FALSE if the extension is not critical.
+ */
+extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
+             
+/*
+ * FUNCTION: CRMF_CertExtensionGetValue
+ * INPUT:
+ *    inExtension
+ *        The extension to operate on.
+ * NOTES:
+ * Caller is responsible for freeing the memory associated with the return
+ * value.  Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
+ * value.
+ *
+ * RETURN:
+ * A pointer to an item containig the value for the certificate extension.
+ * A NULL return value indicates an error in copying the information.
+ */
+extern SECItem*  CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to
+ *        a copy of the Proof Of Possession Signing Key used 
+ *        by the message.
+ *
+ * RETURN:
+ * Get the POPOSigningKey associated with this CRMFCertReqMsg.  
+ * If the CertReqMsg does not have a pop, the function returns
+ * SECFailure and the value at *destKey is un-changed..
+ *
+ * If the CertReqMsg does have a pop, then the CertReqMsg's 
+ * POPOSigningKey will be placed at *destKey.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
+					CRMFPOPOSigningKey **destKey);
+
+/*
+ * FUNCTION: CRMF_DestroyPOPOSigningKey
+ * INPUTS:
+ *    inKey
+ *        The signing key to free.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return value
+ * indicates an error while freeing memory.
+ */
+extern SECStatus CRMF_DestroyPOPOSigningKey (CRMFPOPOSigningKey *inKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetAlgID
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ * RETURN:
+ * Return the algorithmID used by the CRMFPOPOSigningKey.  User must
+ * call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
+ * return value.
+ */
+extern SECAlgorithmID* 
+       CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetSignature
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ *
+ * RETURN:        
+ * Get the actual signature stored away in the CRMFPOPOSigningKey.  SECItem
+ * returned is a BIT STRING, so the len field is the number of bits as opposed
+ * to the total number of bytes allocatd.  User must call 
+ * SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
+ */
+extern SECItem* CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetInput
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ * NOTES:
+ * This function will return the der encoded input that was read in while 
+ * decoding.  The API does not support this option when creating, so you
+ * cannot add this field.
+ *
+ * RETURN:
+ * Get the poposkInput that is part of the of the POPOSigningKey. If the
+ * optional field is not part of the POPOSigningKey, the function returns
+ * NULL.
+ *
+ * If the optional field is part of the POPOSingingKey, the function will
+ * return a copy of the der encoded poposkInput.
+ */
+extern SECItem* CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to a 
+ *        copy of the POPOPrivKey representing Key Encipherment 
+ *        Proof of Possession.
+ *NOTES:
+ * This function gets the POPOPrivKey associated with this CRMFCertReqMsg 
+ * for Key Encipherment.  
+ *
+ * RETURN:
+ * If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
+ * function returns SECFailure and the value at *destKey is un-changed.
+ *
+ * If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
+ * function returns SECSuccess and places the POPOPrivKey representing the
+ * Key Encipherment Proof Of Possessin at *destKey.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
+					    CRMFPOPOPrivKey **destKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to a 
+ *        copy of the POPOPrivKey representing Key Agreement 
+ *        Proof of Possession.
+ * NOTES:
+ * This function gets the POPOPrivKey associated with this CRMFCertReqMsg for 
+ * Key Agreement.  
+ *
+ * RETURN:
+ * If the CertReqMsg used Key Agreement for Proof Of Possession, the
+ * function returns SECSuccess and the POPOPrivKey for Key Agreement
+ * is placed at *destKey.
+ *
+ * If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
+ * function return SECFailure and the value at *destKey is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
+					 CRMFPOPOPrivKey **destKey);
+
+/* 
+ * FUNCTION: CRMF_DestroyPOPOPrivKey
+ * INPUTS:
+ *    inPrivKey
+ *        The POPOPrivKey to destroy.
+ * NOTES:
+ * Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
+ * CRMF_GetPOPKeyAgreement.
+ *
+ * RETURN:
+ * SECSuccess on successful destruction of the POPOPrivKey.
+ * Any other return value indicates an error in freeing the 
+ * memory.
+ */
+extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
+
+/* 
+ * FUNCTION: CRMF_POPOPrivKeyGetChoice
+ * INPUT:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ * RETURN:
+ * Returns which choice was used in constructing the POPPOPrivKey. Look at
+ * the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
+ * values.
+ */
+extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetThisMessage
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destString
+ *        A pointer to where the library can place a copy of the This Message
+ *        field stored in the POPOPrivKey
+ *
+ * RETURN:
+ * Returns the field thisMessage from the POPOPrivKey.  
+ * If the POPOPrivKey did not use the field thisMessage, the function
+ * returns SECFailure and the value at *destString is unchanged.
+ *
+ * If the POPOPrivKey did use the field thisMessage, the function returns
+ * SECSuccess and the BIT STRING representing thisMessage is placed
+ * at *destString. BIT STRING representation means the len field is the
+ * number of valid bits as opposed to the total number of bytes.
+ */
+extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
+						SECItem          *destString);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destOpt
+ *        A pointer to where the library can place the value of the 
+ *        Subsequent Message option used by POPOPrivKey.
+ *
+ * RETURN:
+ * Retrieves the field subsequentMessage from the POPOPrivKey.  
+ * If the POPOPrivKey used the subsequentMessage option, the function 
+ * returns SECSuccess and places the appropriate enumerated value at
+ * *destMessageOption.
+ *
+ * If the POPOPrivKey did not use the subsequenMessage option, the function
+ * returns SECFailure and the value at *destOpt is un-changed.
+ */
+extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey       *inKey,
+					       CRMFSubseqMessOptions *destOpt);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetDHMAC
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destMAC
+ *        A pointer to where the library can place a copy of the dhMAC
+ *        field of the POPOPrivKey.
+ *        
+ * NOTES:
+ * Returns the field dhMAC from the POPOPrivKey.  The populated SECItem 
+ * is in BIT STRING format.
+ *
+ * RETURN:
+ * If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
+ * and the BIT STRING for dhMAC will be placed at *destMAC.  The len field in
+ * destMAC (ie destMAC->len) will be the valid number of bits as opposed to
+ * the number of allocated bytes.
+ *
+ * If the POPOPrivKey did not use the dhMAC option, the function returns
+ * SECFailure and the value at *destMAC is unchanged.
+ * 
+ */
+extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
+					  SECItem         *destMAC);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetNumControls
+ * INPUTS: 
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ * RETURN:
+ * Returns the number of Controls registered with this CertRequest.
+ */
+extern int CRMF_CertRequestGetNumControls (CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetControlAtIndex
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    index
+ *        The index of the control the user wants a copy of.
+ * NOTES:
+ * Function retrieves the Control at located at index.  The Controls 
+ * are numbered like a traditional C array (0 ... numElements-1)
+ *
+ * RETURN:
+ * Returns a copy of the control at the index specified.  This is a copy
+ * so the user must call CRMF_DestroyControl after the return value is no 
+ * longer needed.  A return value of NULL indicates an error while copying
+ * the control or that the index was invalid.
+ */
+extern CRMFControl* 
+       CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, 
+					 int              index);
+
+/*
+ * FUNCTION: CRMF_DestroyControl
+ * INPUTS:
+ *    inControl
+ *        The Control to destroy.
+ * NOTES:
+ * Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return
+ * value indicates an error while freeing the memory.
+ */
+extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetControlType
+ * INPUTS:
+ *    inControl
+ *        The control to operate on.
+ * NOTES:
+ * The function returns an enumertion which indicates the type of control
+ * 'inControl'.
+ *
+ * RETURN:
+ * Look in crmft.h at the definition of the enumerated type CRMFControlType
+ * for the possible return values.
+ */
+extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetRegTokenControlValue
+ * INPUTS:
+ *    inControl
+ *        The Control to operate on.
+ * NOTES:
+ * The user must call SECITEM_FreeItem passing in the return value
+ * after the returnvalue is no longer needed.
+
+ * RETURN:
+ * Return the value for a Registration Token Control.
+ * The SECItem returned should be in UTF8 format.  A NULL
+ * return value indicates there was no Registration Control associated
+ * with the Control.
+ * (This library will not verify format.  It assumes the client properly 
+ * formatted the strings when adding it or the message decoded was properly 
+ * formatted.  The library will just give back the bytes it was given.)
+ */
+extern SECItem* CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetAuthenticatorControlValue
+ * INPUTS:
+ *    inControl
+ *        The Control to operate on.
+ * NOTES:
+ * The user must call SECITEM_FreeItem passing in the return value
+ * after the returnvalue is no longer needed.
+ *
+ * RETURN:
+ * Return the value for the Authenticator Control.
+ * The SECItem returned should be in UTF8 format.  A NULL
+ * return value indicates there was no Authenticator Control associated
+ * with the CRMFControl..
+ * (This library will not verify format.  It assumes the client properly 
+ * formatted the strings when adding it or the message decoded was properly 
+ * formatted.  The library will just give back the bytes it was given.)
+ */
+extern SECItem* CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetPKIArchiveOptions
+ * INPUTS:inControl
+ *    The Control tooperate on.
+ * NOTES:
+ * This function returns a copy of the PKIArchiveOptions.  The user must call
+ * the function CRMF_DestroyPKIArchiveOptions when the return value is no
+ * longer needed.
+ *
+ * RETURN:
+ * Get the PKIArchiveOptions associated with the Control.  A return
+ * value of NULL indicates the Control was not a PKIArchiveOptions 
+ * Control.
+ */
+extern CRMFPKIArchiveOptions* 
+       CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
+  
+/*
+ * FUNCTION: CMRF_DestroyPKIArchiveOptions
+ * INPUTS:
+ *    inOptions
+ *        The ArchiveOptions to destroy.
+ * NOTE:
+ * Destroy the CRMFPKIArchiveOptions structure.
+ *
+ * RETURN:
+ * SECSuccess if successful in freeing all the memory associated with 
+ * the PKIArchiveOptions.  Any other return value indicates an error while
+ * freeing the PKIArchiveOptions.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
+ * INPUTS:
+ *    inOptions
+ *        The PKIArchiveOptions to operate on.
+ * RETURN:
+ * Returns the choice used for the PKIArchiveOptions.  Look at the definition
+ * of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
+ */
+extern CRMFPKIArchiveOptionsType
+       CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
+ * INPUTS:
+ *    inOpts
+ *        The PKIArchiveOptions to operate on.
+ * 
+ * NOTES:
+ * The user must call CRMF_DestroyEncryptedKey when done using this return
+ * value.
+ *
+ * RETURN:
+ * Get the encryptedPrivKey field of the PKIArchiveOptions structure.
+ * A return value of NULL indicates that encryptedPrivKey was not used as
+ * the choice for this PKIArchiveOptions.
+ */
+extern CRMFEncryptedKey*
+      CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
+
+/*
+ * FUNCTION: CRMF_EncryptedKeyGetChoice
+ * INPUTS:
+ *    inEncrKey
+ *        The EncryptedKey to operate on.
+ *
+ * NOTES:
+ * Get the choice used for representing the EncryptedKey.
+ *
+ * RETURN:
+ * Returns the Choice used in representing the EncryptedKey.  Look in 
+ * crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
+ * values.
+ */
+extern CRMFEncryptedKeyChoice 
+       CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
+ * INPUTS:
+ *    inKey
+ *        The EncryptedKey to operate on.
+ *
+ * NOTES:
+ * The user must call CRMF_DestroyEncryptedValue passing in 
+ * CRMF_GetEncryptedValue's return value.
+ *
+ * RETURN:
+ * A pointer to a copy of the EncryptedValue contained as a member of
+ * the EncryptedKey.
+ */
+extern CRMFEncryptedValue* 
+       CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
+
+/*
+ * FUNCTION: CRMF_DestroyEncryptedValue
+ * INPUTS:
+ *    inEncrValue
+ *        The EncryptedValue to destroy.
+ *
+ * NOTES:
+ * Free up all memory associated with 'inEncrValue'.
+ *
+ * RETURN:
+ * SECSuccess if freeing up the memory associated with the EncryptedValue
+ * is successful. Any other return value indicates an error while freeing the
+ * memory.
+ */
+extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetEncValue
+ * INPUTS:
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Function retrieves the encValue from an EncryptedValue structure.
+ *
+ * RETURN:
+ * A poiner to a SECItem containing the encValue of the EncryptedValue
+ * structure.  The return value is in BIT STRING format, meaning the
+ * len field of the return structure represents the number of valid bits
+ * as opposed to the allocated number of bytes.
+ * ANULL return value indicates an error in copying the encValue field.
+ */
+extern SECItem* CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetIntendedAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the IntendedAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this alogorithm is the alogrithm for
+ * which the private key will be used.
+ *
+ * RETURN:
+ * A Copy of the intendedAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue  *inEncValue);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetSymmAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the symmAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this is algorithm used to
+ * encrypt the encValue of the EncryptedValue.
+ *
+ * RETURN:
+ * A Copy of the symmAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue  *inEncValue);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetKeyAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the keyAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this is the algorithm used to encrypt
+ * the symmetric key in the encSymmKey field of the EncryptedValue structure.
+ *
+ * RETURN:
+ * A Copy of the keyAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetValueHint
+ * INPUTS:
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ *
+ * NOTES:
+ * Return a copy of the der-encoded value hint.
+ * User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
+ * return value.  When, present, this is a value that the client which
+ * originally issued a certificate request can use to reproduce any data
+ * it wants.  The RA does not know how to interpret this data.
+ *
+ * RETURN:
+ * A copy of the valueHint field of the EncryptedValue.  A NULL return
+ * value indicates the optional valueHint field is not present in the
+ * EncryptedValue.
+ */
+extern SECItem* 
+       CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue  *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncrypteValueGetEncSymmKey
+ * INPUTS: 
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ *
+ * NOTES:
+ * Return a copy of the encSymmKey field. This field is the encrypted
+ * symmetric key that the client uses in doing Public Key wrap of a private
+ * key.  When present, this is the symmetric key that was used to wrap the
+ * private key.  (The encrypted private key will be stored in encValue
+ * of the same EncryptedValue structure.)  The user must call 
+ * SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
+ * needed.
+ *
+ * RETURN:
+ * A copy of the optional encSymmKey field of the EncryptedValue structure.
+ * The return value will be in BIT STRING format, meaning the len field will
+ * be the number of valid bits as opposed to the number of bytes. A return 
+ * value of NULL means the optional encSymmKey field was not present in
+ * the EncryptedValue structure.
+ */
+extern SECItem* 
+       CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
+ * INPUTS:
+ *    inOptions
+ *        The PKiArchiveOptions to operate on.
+ *
+ * NOTES:
+ * User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return 
+ * value is no longer needed.
+ *
+ * RETURN:
+ * Get the keyGenParameters field of the PKIArchiveOptions.
+ * A NULL return value indicates that keyGenParameters was not 
+ * used as the choice for this PKIArchiveOptions.
+ *
+ * The SECItem returned is in BIT STRING format (ie, the len field indicates
+ * number of valid bits as opposed to allocated number of bytes.)
+ */
+extern SECItem* 
+   CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
+ * INPUTS:
+ *    inOpt
+ *        The PKIArchiveOptions to operate on.
+ *    destVal
+ *        A pointer to where the library can place the value for 
+ *        arciveRemGenPrivKey
+ * RETURN:
+ * If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
+ * function returns SECSuccess and fills the value at *destValue with either
+ * PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a 
+ * value. 
+ *
+ * If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
+ * function returns SECFailure and the value at *destValue is unchanged.
+ */
+extern SECStatus 
+    CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
+						  PRBool             *destVal);
+
+/* Helper functions that can be used by other libraries. */
+/*
+ * A quick helper funciton to get the best wrap mechanism.
+ */
+extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); 
+
+/*
+ * A helper function to get a randomly generated IV from a mechanism 
+ * type.
+ */
+extern SECItem* CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
+ 
+SEC_END_PROTOS
+#endif /*_CRMF_H_*/
+
+
diff --git a/security/nss/lib/crmf/crmfcont.c b/security/nss/lib/crmf/crmfcont.c
new file mode 100644
index 000000000..3f096f545
--- /dev/null
+++ b/security/nss/lib/crmf/crmfcont.c
@@ -0,0 +1,1190 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "pk11func.h"
+#include "keyhi.h"
+#include "secoid.h"
+
+static SECStatus
+crmf_modify_control_array (CRMFCertRequest *inCertReq, int count)
+{
+    if (count > 0) {
+        void *dummy = PORT_Realloc(inCertReq->controls, 
+				   sizeof(CRMFControl*)*(count+2));
+	if (dummy == NULL) {
+	    return SECFailure;
+	}
+	inCertReq->controls = dummy;
+    } else {
+        inCertReq->controls = PORT_ZNewArray(CRMFControl*, 2);
+    }
+    return (inCertReq->controls == NULL) ? SECFailure : SECSuccess ;
+}
+
+static SECStatus
+crmf_add_new_control(CRMFCertRequest *inCertReq,SECOidTag inTag,
+		     CRMFControl **destControl)
+{
+    SECOidData  *oidData;
+    SECStatus    rv;
+    PRArenaPool *poolp;
+    int          numControls = 0;
+    CRMFControl *newControl;
+    CRMFControl **controls;
+    void        *mark;
+
+    poolp = inCertReq->poolp;
+    if (poolp == NULL) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark(poolp);
+    if (inCertReq->controls != NULL) {
+        while (inCertReq->controls[numControls] != NULL)
+	    numControls++;
+    }
+    rv = crmf_modify_control_array(inCertReq, numControls);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    controls = inCertReq->controls;
+    oidData = SECOID_FindOIDByTag(inTag);
+    newControl = *destControl = PORT_ArenaZNew(poolp,CRMFControl);
+    if (newControl == NULL) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &oidData->oid);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    newControl->tag = inTag;
+    controls[numControls] = newControl;
+    controls[numControls+1] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *destControl = NULL;
+    return SECFailure;
+			  
+}
+
+static SECStatus
+crmf_add_secitem_control(CRMFCertRequest *inCertReq, SECItem *value,
+			 SECOidTag inTag)
+{
+    SECStatus    rv;
+    CRMFControl *newControl;
+    void        *mark;
+
+    rv = crmf_add_new_control(inCertReq, inTag, &newControl);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    mark = PORT_ArenaMark(inCertReq->poolp);
+    rv = SECITEM_CopyItem(inCertReq->poolp, &newControl->derValue, value);
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(inCertReq->poolp, mark);
+	return rv;
+    }
+    PORT_ArenaUnmark(inCertReq->poolp, mark);
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq, SECItem *value)
+{
+    return crmf_add_secitem_control(inCertReq, value, 
+				    SEC_OID_PKIX_REGCTRL_REGTOKEN);
+}
+
+SECStatus
+CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq, 
+					 SECItem         *value)
+{
+    return crmf_add_secitem_control(inCertReq, value, 
+				    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR);
+}
+
+SECStatus
+crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, PRBool freeit)
+{
+    if (inEncrValue != NULL) {
+        if (inEncrValue->intendedAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->intendedAlg, PR_TRUE);
+	    inEncrValue->intendedAlg = NULL;
+	}
+	if (inEncrValue->symmAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->symmAlg, PR_TRUE);
+	    inEncrValue->symmAlg = NULL;
+	}
+        if (inEncrValue->encSymmKey.data) {
+	    PORT_Free(inEncrValue->encSymmKey.data);
+	    inEncrValue->encSymmKey.data = NULL;
+	}
+	if (inEncrValue->keyAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->keyAlg, PR_TRUE);
+	    inEncrValue->keyAlg = NULL;
+	}
+	if (inEncrValue->valueHint.data) {
+	    PORT_Free(inEncrValue->valueHint.data);
+	    inEncrValue->valueHint.data = NULL;
+	}
+        if (inEncrValue->encValue.data) {
+	    PORT_Free(inEncrValue->encValue.data);
+	    inEncrValue->encValue.data = NULL;
+	}
+	if (freeit) {
+	    PORT_Free(inEncrValue);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue)
+{
+    return crmf_destroy_encrypted_value(inEncrValue, PR_TRUE);
+}
+
+SECStatus
+crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
+				SECAlgorithmID  *srcAlgId,
+				SECAlgorithmID **destAlgId)
+{
+    SECAlgorithmID *newAlgId;
+    SECStatus rv;
+
+    newAlgId = (poolp != NULL) ? PORT_ArenaZNew(poolp, SECAlgorithmID) :
+                                 PORT_ZNew(SECAlgorithmID);
+    if (newAlgId == NULL) {
+        return SECFailure;
+    }
+    
+    rv = SECOID_CopyAlgorithmID(poolp, newAlgId, srcAlgId);
+    if (rv != SECSuccess) {
+        if (!poolp) {
+            SECOID_DestroyAlgorithmID(newAlgId, PR_TRUE);
+        }
+        return rv;
+    }
+    *destAlgId = newAlgId;
+    
+    return rv;
+}
+
+SECStatus
+crmf_copy_encryptedvalue(PRArenaPool        *poolp,
+			 CRMFEncryptedValue *srcValue,
+			 CRMFEncryptedValue *destValue)
+{
+    SECStatus           rv;
+
+    if (srcValue->intendedAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp,
+					     srcValue->intendedAlg,
+					     &destValue->intendedAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->symmAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp, 
+					     srcValue->symmAlg,
+					     &destValue->symmAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->encSymmKey.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, 
+				      &destValue->encSymmKey,
+				      &srcValue->encSymmKey);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->keyAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp,
+					     srcValue->keyAlg,
+					     &destValue->keyAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->valueHint.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, 
+			      &destValue->valueHint,
+			      &srcValue->valueHint);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->encValue.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp,
+				      &destValue->encValue,
+				      &srcValue->encValue);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    if (poolp == NULL && destValue != NULL) {
+        crmf_destroy_encrypted_value(destValue, PR_FALSE);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+crmf_copy_encryptedkey(PRArenaPool       *poolp,
+		       CRMFEncryptedKey  *srcEncrKey,
+		       CRMFEncryptedKey  *destEncrKey)
+{
+    SECStatus          rv;
+    void              *mark = NULL;
+
+    if (poolp != NULL) {
+        mark = PORT_ArenaMark(poolp);
+    }
+
+    switch (srcEncrKey->encKeyChoice) {
+    case crmfEncryptedValueChoice:
+        rv = crmf_copy_encryptedvalue(poolp, 
+				      &srcEncrKey->value.encryptedValue,
+				      &destEncrKey->value.encryptedValue);
+	break;
+    case crmfEnvelopedDataChoice:
+        destEncrKey->value.envelopedData = 
+	    SEC_PKCS7CopyContentInfo(srcEncrKey->value.envelopedData);
+        rv = (destEncrKey->value.envelopedData != NULL) ? SECSuccess:
+	                                                  SECFailure;
+        break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    destEncrKey->encKeyChoice = srcEncrKey->encKeyChoice;
+    if (mark) {
+    	PORT_ArenaUnmark(poolp, mark);
+    }
+    return SECSuccess;
+
+ loser:
+    if (mark) {
+        PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+static CRMFPKIArchiveOptions*
+crmf_create_encr_pivkey_option(CRMFEncryptedKey *inEncryptedKey)
+{
+    CRMFPKIArchiveOptions *newArchOpt;
+    SECStatus              rv;
+
+    newArchOpt = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOpt == NULL) {
+        goto loser;
+    }
+
+    rv = crmf_copy_encryptedkey(NULL, inEncryptedKey,
+				&newArchOpt->option.encryptedKey);
+    
+    if (rv != SECSuccess) {
+      goto loser;
+    }
+    newArchOpt->archOption = crmfEncryptedPrivateKey;
+    return newArchOpt;
+ loser:
+    if (newArchOpt != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOpt);
+    }
+    return NULL;
+}
+
+static CRMFPKIArchiveOptions*
+crmf_create_keygen_param_option(SECItem *inKeyGenParams)
+{
+    CRMFPKIArchiveOptions *newArchOptions;
+    SECStatus              rv;
+
+    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOptions == NULL) {
+        goto loser;
+    }
+    newArchOptions->archOption = crmfKeyGenParameters;
+    rv = SECITEM_CopyItem(NULL, &newArchOptions->option.keyGenParameters,
+			  inKeyGenParams);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newArchOptions;
+ loser:
+    if (newArchOptions != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOptions);
+    }
+    return NULL;
+}
+
+static CRMFPKIArchiveOptions*
+crmf_create_arch_rem_gen_privkey(PRBool archiveRemGenPrivKey)
+{
+    unsigned char          value;
+    SECItem               *dummy;
+    CRMFPKIArchiveOptions *newArchOptions;
+
+    value = (archiveRemGenPrivKey) ? hexTrue : hexFalse;
+    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOptions == NULL) {
+        goto loser;
+    }
+    dummy = SEC_ASN1EncodeItem(NULL, 
+			       &newArchOptions->option.archiveRemGenPrivKey,
+			       &value, SEC_ASN1_GET(SEC_BooleanTemplate));
+    PORT_Assert (dummy == &newArchOptions->option.archiveRemGenPrivKey);
+    if (dummy != &newArchOptions->option.archiveRemGenPrivKey) {
+        SECITEM_FreeItem (dummy, PR_TRUE);
+	goto loser;
+    }
+    newArchOptions->archOption = crmfArchiveRemGenPrivKey;
+    return newArchOptions;
+ loser:
+    if (newArchOptions != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOptions);
+    }
+    return NULL;
+}
+
+CRMFPKIArchiveOptions*
+CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType, void *data)
+{
+    CRMFPKIArchiveOptions* retOptions;
+
+    PORT_Assert(data != NULL);
+    if (data == NULL) {
+        return NULL;
+    }
+    switch(inType) {
+    case crmfEncryptedPrivateKey:
+        retOptions = crmf_create_encr_pivkey_option((CRMFEncryptedKey*)data);
+	break;
+    case crmfKeyGenParameters:
+        retOptions = crmf_create_keygen_param_option((SECItem*)data);
+	break;
+    case crmfArchiveRemGenPrivKey:
+        retOptions = crmf_create_arch_rem_gen_privkey(*(PRBool*)data);
+	break;
+    default:
+        retOptions = NULL;
+    }
+    return retOptions;
+}
+
+static SECStatus
+crmf_destroy_encrypted_key(CRMFEncryptedKey *inEncrKey, PRBool freeit)
+{ 
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey != NULL) {
+        switch (inEncrKey->encKeyChoice){
+	case crmfEncryptedValueChoice:
+            crmf_destroy_encrypted_value(&inEncrKey->value.encryptedValue, 
+					 PR_FALSE);
+	    break;
+	case crmfEnvelopedDataChoice:
+	    SEC_PKCS7DestroyContentInfo(inEncrKey->value.envelopedData);
+            break;
+        default:
+            break;
+        }
+        if (freeit) {
+            PORT_Free(inEncrKey);
+        }
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions, 
+			       PRBool                 freeit)
+{
+    PORT_Assert(inArchOptions != NULL);
+    if (inArchOptions != NULL) {
+        switch (inArchOptions->archOption) {
+	case crmfEncryptedPrivateKey:
+	    crmf_destroy_encrypted_key(&inArchOptions->option.encryptedKey,
+				       PR_FALSE);
+	    break;
+	case crmfKeyGenParameters:
+	case crmfArchiveRemGenPrivKey:
+	    /* This is a union, so having a pointer to one is like
+	     * having a pointer to both.  
+	     */
+	    SECITEM_FreeItem(&inArchOptions->option.keyGenParameters, 
+			     PR_FALSE);
+	    break;
+        case crmfNoArchiveOptions:
+            break;
+	}
+	if (freeit) {
+	    PORT_Free(inArchOptions);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOptions) 
+{
+    return crmf_destroy_pkiarchiveoptions(inArchOptions, PR_TRUE);
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_non_pad_mechanism(CK_MECHANISM_TYPE type)
+{
+    switch (type) {
+    case CKM_DES3_CBC_PAD:
+        return CKM_DES3_CBC;
+    case CKM_CAST5_CBC_PAD:
+        return CKM_CAST5_CBC;
+    case CKM_DES_CBC_PAD:
+        return CKM_DES_CBC;
+    case CKM_IDEA_CBC_PAD:
+        return CKM_IDEA_CBC;
+    case CKM_CAST3_CBC_PAD:
+        return CKM_CAST3_CBC;
+    case CKM_CAST_CBC_PAD:
+        return CKM_CAST_CBC;
+    case CKM_RC5_CBC_PAD:
+        return CKM_RC5_CBC;
+    case CKM_RC2_CBC_PAD:
+        return CKM_RC2_CBC;
+    case CKM_CDMF_CBC_PAD:
+        return CKM_CDMF_CBC;
+    }
+    return type;
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_pad_mech_from_tag(SECOidTag oidTag)
+{
+    CK_MECHANISM_TYPE  mechType;
+    SECOidData        *oidData;
+
+    oidData = SECOID_FindOIDByTag(oidTag);
+    mechType = (CK_MECHANISM_TYPE)oidData->mechanism;
+    return PK11_GetPadMechanism(mechType);
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_best_privkey_wrap_mechanism(PK11SlotInfo *slot) 
+{
+    CK_MECHANISM_TYPE privKeyPadMechs[] = { CKM_DES3_CBC_PAD,
+					    CKM_CAST5_CBC_PAD,
+					    CKM_DES_CBC_PAD,
+					    CKM_IDEA_CBC_PAD,
+					    CKM_CAST3_CBC_PAD,
+					    CKM_CAST_CBC_PAD,
+					    CKM_RC5_CBC_PAD,
+					    CKM_RC2_CBC_PAD,
+					    CKM_CDMF_CBC_PAD };
+    int mechCount = sizeof(privKeyPadMechs)/sizeof(privKeyPadMechs[0]);
+    int i;
+
+    for (i=0; i < mechCount; i++) {
+        if (PK11_DoesMechanism(slot, privKeyPadMechs[i])) {
+	    return privKeyPadMechs[i];
+	}
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+CK_MECHANISM_TYPE
+CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot)
+{
+    return crmf_get_best_privkey_wrap_mechanism(slot);
+}
+
+static SECItem*
+crmf_get_iv(CK_MECHANISM_TYPE mechType)
+{
+    int        iv_size = PK11_GetIVLength(mechType);
+    SECItem   *iv;
+    SECStatus  rv; 
+
+    iv = PORT_ZNew(SECItem);
+    if (iv == NULL) {
+        return NULL;
+    }
+    if (iv_size == 0) {
+        iv->data = NULL;
+	iv->len  = 0;
+	return iv;
+    }
+    iv->data = PORT_NewArray(unsigned char, iv_size);
+    if (iv->data == NULL) {
+        iv->len = 0;
+	return iv;
+    }
+    iv->len = iv_size;
+    rv = PK11_GenerateRandom(iv->data, iv->len);
+    if (rv != SECSuccess) {
+        PORT_Free(iv->data);
+	iv->data = NULL;
+	iv->len  = 0;
+    }
+    return iv;
+}
+
+SECItem*
+CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType)
+{
+    return crmf_get_iv(mechType);
+}
+
+CK_MECHANISM_TYPE
+crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey)
+{
+    CERTSubjectPublicKeyInfo *spki = NULL;
+    SECOidTag                 tag;
+    
+
+    spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
+    if (spki == NULL) {
+        return CKM_INVALID_MECHANISM;
+    }
+    tag = SECOID_FindOIDTag(&spki->algorithm.algorithm);
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+    spki = NULL;
+    return PK11_AlgtagToMechanism(tag);
+}
+
+SECItem*
+crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest)
+{
+    SECItem *src;
+
+    switch(pubKey->keyType) {
+    case dsaKey:
+	src =  &pubKey->u.dsa.publicValue;
+	break;
+    case rsaKey:
+	src =  &pubKey->u.rsa.modulus;
+	break;
+    case dhKey:
+	src =  &pubKey->u.dh.publicValue;
+	break;
+    default:
+	src = NULL;
+	break;
+    }
+    if (!src) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if (dest != NULL) {
+	SECStatus rv = SECITEM_CopyItem(NULL, dest, src);
+	if (rv != SECSuccess) {
+	    dest = NULL;
+	}
+    } else {
+        dest = SECITEM_ArenaDupItem(NULL, src);
+    }
+    return dest;
+}
+
+static SECItem*
+crmf_decode_params(SECItem *inParams)
+{
+    SECItem     *params;
+    SECStatus    rv      = SECFailure;
+    PRArenaPool *poolp;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    
+    params = PORT_ArenaZNew(poolp, SECItem);
+    if (params) {
+	rv = SEC_ASN1DecodeItem(poolp, params, 
+				SEC_ASN1_GET(SEC_OctetStringTemplate),
+				inParams);
+    }
+    params = (rv == SECSuccess) ? SECITEM_ArenaDupItem(NULL, params) : NULL;
+    PORT_FreeArena(poolp, PR_FALSE);
+    return params;
+}
+
+static int
+crmf_get_key_size_from_mech(CK_MECHANISM_TYPE mechType)
+{
+    CK_MECHANISM_TYPE keyGen = PK11_GetKeyGen(mechType);
+
+    switch (keyGen) {
+    case CKM_CDMF_KEY_GEN:
+    case CKM_DES_KEY_GEN:
+        return 8;
+    case CKM_DES2_KEY_GEN:
+	return 16;
+    case CKM_DES3_KEY_GEN:
+	return 24;
+    }
+    return 0;
+}
+
+SECStatus
+crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
+				     CRMFEncryptedValue *encValue,
+				     SECKEYPrivateKey   *privKey,
+				     SECKEYPublicKey    *newPubKey,
+				     SECItem            *nickname,
+				     PK11SlotInfo       *slot,
+				     unsigned char       keyUsage,
+				     SECKEYPrivateKey  **unWrappedKey,
+				     void               *wincx)
+{
+    PK11SymKey        *wrappingKey = NULL;
+    CK_MECHANISM_TYPE  wrapMechType;
+    SECOidTag          oidTag;
+    SECItem           *params = NULL, *publicValue = NULL;
+    int                keySize, origLen;
+    CK_KEY_TYPE        keyType;
+    CK_ATTRIBUTE_TYPE *usage = NULL;
+    CK_ATTRIBUTE_TYPE rsaUsage[] = {
+      CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
+    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
+    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
+    int usageCount = 0;
+
+    oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
+    wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
+    keySize = crmf_get_key_size_from_mech(wrapMechType);
+    wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey, 
+				       wrapMechType, CKA_UNWRAP, keySize);
+    if (wrappingKey == NULL) {
+        goto loser;
+    }/* Make the length a byte length instead of bit length*/
+    params = (encValue->symmAlg != NULL) ? 
+              crmf_decode_params(&encValue->symmAlg->parameters) : NULL;
+    origLen = encValue->encValue.len;
+    encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
+    publicValue = crmf_get_public_value(newPubKey, NULL);
+    switch(newPubKey->keyType) {
+    default:
+    case rsaKey:
+        keyType = CKK_RSA;
+        switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
+        case KU_KEY_ENCIPHERMENT:
+            usage = rsaUsage;
+            usageCount = 2;
+            break;
+        case KU_DIGITAL_SIGNATURE:
+            usage = &rsaUsage[2];
+            usageCount = 2;
+            break;
+        case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
+        case 0: /* default to everything */
+            usage = rsaUsage;
+            usageCount = 4;
+            break;
+        }
+	break;
+    case dhKey:
+        keyType = CKK_DH;
+        usage = dhUsage;
+        usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
+        break;
+    case dsaKey:
+        keyType = CKK_DSA;
+        usage = dsaUsage;
+        usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
+        break;
+    }
+    PORT_Assert(usage != NULL);
+    PORT_Assert(usageCount != 0);
+    *unWrappedKey = PK11_UnwrapPrivKey(slot, wrappingKey, wrapMechType, params,
+				       &encValue->encValue, nickname,
+				       publicValue, PR_TRUE,PR_TRUE, 
+				       keyType, usage, usageCount, wincx);
+    encValue->encValue.len = origLen;
+    if (*unWrappedKey == NULL) {
+        goto loser;
+    }
+    SECITEM_FreeItem (publicValue, PR_TRUE);
+    if (params!= NULL) {
+        SECITEM_FreeItem(params, PR_TRUE);
+    } 
+    PK11_FreeSymKey(wrappingKey);
+    return SECSuccess;
+ loser:
+    *unWrappedKey = NULL;
+    return SECFailure;
+}
+
+CRMFEncryptedValue *
+crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
+					    SECKEYPublicKey    *inCAKey,
+					    CRMFEncryptedValue *destValue)
+{
+    SECItem                   wrappedPrivKey, wrappedSymKey;
+    SECItem                   encodedParam, *dummy;
+    SECStatus                 rv;
+    CK_MECHANISM_TYPE         pubMechType, symKeyType;
+    unsigned char            *wrappedSymKeyBits;
+    unsigned char            *wrappedPrivKeyBits;
+    SECItem                  *iv = NULL;
+    SECOidTag                 tag;
+    PK11SymKey               *symKey;
+    PK11SlotInfo             *slot;
+    SECAlgorithmID           *symmAlg;
+    CRMFEncryptedValue       *myEncrValue = NULL;
+
+    encodedParam.data = NULL;
+    wrappedSymKeyBits  = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
+    wrappedPrivKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
+    if (wrappedSymKeyBits == NULL || wrappedPrivKeyBits == NULL) {
+        goto loser;
+    }
+    if (destValue == NULL) {
+        myEncrValue = destValue = PORT_ZNew(CRMFEncryptedValue);
+	if (destValue == NULL) {
+	    goto loser;
+	}
+    }
+
+    pubMechType = crmf_get_mechanism_from_public_key(inCAKey);
+    if (pubMechType == CKM_INVALID_MECHANISM) {
+        /* XXX I should probably do something here for non-RSA 
+	 *     keys that are in certs. (ie DSA)
+	 * XXX or at least SET AN ERROR CODE.
+	 */
+        goto loser;
+    }
+    slot = inPrivKey->pkcs11Slot; 
+    PORT_Assert(slot != NULL);
+    symKeyType = crmf_get_best_privkey_wrap_mechanism(slot);
+    symKey = PK11_KeyGen(slot, symKeyType, NULL, 0, NULL);
+    if (symKey == NULL) {
+        goto loser;
+    }
+
+    wrappedSymKey.data = wrappedSymKeyBits;
+    wrappedSymKey.len  = MAX_WRAPPED_KEY_LEN;
+    rv = PK11_PubWrapSymKey(pubMechType, inCAKey, symKey, &wrappedSymKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Make the length of the result a Bit String length. */
+    wrappedSymKey.len <<= 3;
+
+    wrappedPrivKey.data = wrappedPrivKeyBits;
+    wrappedPrivKey.len  = MAX_WRAPPED_KEY_LEN;
+    iv = crmf_get_iv(symKeyType);
+    rv = PK11_WrapPrivKey(slot, symKey, inPrivKey, symKeyType, iv, 
+			  &wrappedPrivKey, NULL);
+    PK11_FreeSymKey(symKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Make the length of the result a Bit String length. */
+    wrappedPrivKey.len <<= 3;
+    rv = crmf_make_bitstring_copy(NULL, 
+				  &destValue->encValue, 
+				  &wrappedPrivKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_make_bitstring_copy(NULL,
+				  &destValue->encSymmKey, 
+				  &wrappedSymKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    destValue->symmAlg = symmAlg = PORT_ZNew(SECAlgorithmID);
+    if (symmAlg == NULL) {
+        goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv, 
+                               SEC_ASN1_GET(SEC_OctetStringTemplate));
+    if (dummy != &encodedParam) {
+        SECITEM_FreeItem(dummy, PR_TRUE);
+	goto loser;
+    }
+
+    symKeyType = crmf_get_non_pad_mechanism(symKeyType);
+    tag = PK11_MechanismToAlgtag(symKeyType);
+    rv = SECOID_SetAlgorithmID(NULL, symmAlg, tag, &encodedParam);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    SECITEM_FreeItem(&encodedParam, PR_FALSE);
+    PORT_Free(wrappedPrivKeyBits);
+    PORT_Free(wrappedSymKeyBits);
+    SECITEM_FreeItem(iv, PR_TRUE);
+    return destValue;
+ loser:
+    if (iv != NULL) {
+	SECITEM_FreeItem(iv, PR_TRUE);
+    }
+    if (myEncrValue != NULL) {
+        crmf_destroy_encrypted_value(myEncrValue, PR_TRUE);
+    }
+    if (wrappedSymKeyBits != NULL) {
+        PORT_Free(wrappedSymKeyBits);
+    }
+    if (wrappedPrivKeyBits != NULL) {
+        PORT_Free(wrappedPrivKeyBits);
+    }
+    if (encodedParam.data != NULL) {
+	SECITEM_FreeItem(&encodedParam, PR_FALSE);
+    }
+    return NULL;
+}
+
+CRMFEncryptedKey*
+CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
+					   CERTCertificate  *inCACert)
+{
+    SECKEYPublicKey          *caPubKey = NULL;
+    CRMFEncryptedKey         *encKey = NULL;
+    CRMFEncryptedValue       *dummy;
+
+    PORT_Assert(inPrivKey != NULL && inCACert != NULL);
+    if (inPrivKey == NULL || inCACert == NULL) {
+        return NULL;
+    }
+
+    caPubKey = CERT_ExtractPublicKey(inCACert);
+    if (caPubKey == NULL) {
+        goto loser;
+    }
+
+    encKey = PORT_ZNew(CRMFEncryptedKey);
+    if (encKey == NULL) {
+        goto loser;
+    }
+    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
+							caPubKey,
+					       &encKey->value.encryptedValue);
+    PORT_Assert(dummy == &encKey->value.encryptedValue);
+    /* We won't add the der value here, but rather when it 
+     * becomes part of a certificate request.
+     */
+    SECKEY_DestroyPublicKey(caPubKey);
+    encKey->encKeyChoice = crmfEncryptedValueChoice;
+    return encKey;
+ loser:
+    if (encKey != NULL) {
+        CRMF_DestroyEncryptedKey(encKey);
+    }
+    if (caPubKey != NULL) {
+        SECKEY_DestroyPublicKey(caPubKey);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey)
+{
+    return crmf_destroy_encrypted_key(inEncrKey, PR_TRUE);
+}
+
+SECStatus
+crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp,
+			    CRMFPKIArchiveOptions *destOpt,
+			    CRMFPKIArchiveOptions *srcOpt)
+{
+    SECStatus rv;
+    destOpt->archOption = srcOpt->archOption;
+    switch (srcOpt->archOption) {
+    case crmfEncryptedPrivateKey:
+        rv = crmf_copy_encryptedkey(poolp,
+				    &srcOpt->option.encryptedKey,
+				    &destOpt->option.encryptedKey);
+        break;
+    case crmfKeyGenParameters:
+    case crmfArchiveRemGenPrivKey:
+        /* We've got a union, so having a pointer to one is just
+	 * like having a pointer to the other one.
+	 */
+        rv = SECITEM_CopyItem(poolp, 
+			      &destOpt->option.keyGenParameters,
+			      &srcOpt->option.keyGenParameters);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+crmf_check_and_adjust_archoption(CRMFControl *inControl)
+{
+    CRMFPKIArchiveOptions *options;
+
+    options = &inControl->value.archiveOptions;
+    if (options->archOption == crmfNoArchiveOptions) {
+        /* It hasn't been set, so figure it out from the 
+	 * der.
+	 */
+        switch (inControl->derValue.data[0] & 0x0f) {
+	case 0:
+	    options->archOption = crmfEncryptedPrivateKey;
+	    break;
+	case 1:
+	    options->archOption = crmfKeyGenParameters;
+	    break;
+	case 2:
+	    options->archOption = crmfArchiveRemGenPrivKey;
+	    break;
+	default:
+	    /* We've got bad DER.  Return an error. */
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+static const SEC_ASN1Template *
+crmf_get_pkiarchive_subtemplate(CRMFControl *inControl)
+{
+    const SEC_ASN1Template *retTemplate;
+    SECStatus               rv;
+    /*
+     * We could be in the process of decoding, in which case the
+     * archOption field will not be set.  Let's check it and set 
+     * it accordingly.
+     */
+
+    rv = crmf_check_and_adjust_archoption(inControl);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+
+    switch (inControl->value.archiveOptions.archOption) {
+    case crmfEncryptedPrivateKey:
+        retTemplate = CRMFEncryptedKeyWithEncryptedValueTemplate;
+	inControl->value.archiveOptions.option.encryptedKey.encKeyChoice =
+	  crmfEncryptedValueChoice;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+const SEC_ASN1Template*
+crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl)
+{
+    const SEC_ASN1Template *retTemplate;
+
+    switch (inControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        retTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate);
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        retTemplate = crmf_get_pkiarchive_subtemplate(inControl);
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        /* We don't support these controls, so we fail for now.*/
+        retTemplate = NULL;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+static SECStatus
+crmf_encode_pkiarchiveoptions(PRArenaPool *poolp, CRMFControl *inControl)
+{
+    const SEC_ASN1Template *asn1Template;
+
+    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
+    /* We've got a union, so passing a pointer to one element of the 
+     * union, is the same as passing a pointer to any of the other
+     * members of the union.
+     */
+    SEC_ASN1EncodeItem(poolp, &inControl->derValue,
+                       &inControl->value.archiveOptions, asn1Template);
+
+    if (inControl->derValue.data == NULL) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
+				     CRMFPKIArchiveOptions *inOptions)
+{
+    CRMFControl *newControl;
+    PRArenaPool *poolp;
+    SECStatus    rv;
+    void        *mark;
+    
+    PORT_Assert(inCertReq != NULL && inOptions != NULL);
+    if (inCertReq == NULL || inOptions == NULL) {
+        return SECFailure;
+    }
+    poolp = inCertReq->poolp;
+    mark = PORT_ArenaMark(poolp);
+    rv = crmf_add_new_control(inCertReq, 
+			      SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
+			      &newControl);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_copy_pkiarchiveoptions(poolp, 
+				     &newControl->value.archiveOptions,
+				     inOptions);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_encode_pkiarchiveoptions(poolp, newControl); 
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+static SECStatus
+crmf_destroy_control(CRMFControl *inControl, PRBool freeit)
+{
+    PORT_Assert(inControl != NULL);
+    if (inControl != NULL) {
+        SECITEM_FreeItem(&inControl->derTag, PR_FALSE);
+        SECITEM_FreeItem(&inControl->derValue, PR_FALSE);
+	/* None of the other tags require special processing at 
+	 * the moment when freeing because they are not supported,
+	 * but if/when they are, add the necessary routines here.  
+	 * If all controls are supported, then every member of the 
+	 * union inControl->value will have a case that deals with 
+	 * it in the following switch statement.
+	 */
+	switch (inControl->tag) {
+	case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+	    crmf_destroy_pkiarchiveoptions(&inControl->value.archiveOptions,
+					   PR_FALSE);
+	    break;
+        default:
+           /* Put this here to get rid of all those annoying warnings.*/
+           break;
+	}
+	if (freeit) {
+	    PORT_Free(inControl);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyControl(CRMFControl *inControl)
+{
+    return crmf_destroy_control(inControl, PR_TRUE);
+}
+
+static SECOidTag
+crmf_controltype_to_tag(CRMFControlType inControlType)
+{
+    SECOidTag retVal;
+
+    switch(inControlType) {
+    case crmfRegTokenControl:
+      retVal = SEC_OID_PKIX_REGCTRL_REGTOKEN; 
+      break;
+    case crmfAuthenticatorControl:
+      retVal = SEC_OID_PKIX_REGCTRL_AUTHENTICATOR;
+      break;
+    case crmfPKIPublicationInfoControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PKIPUBINFO;
+      break;
+    case crmfPKIArchiveOptionsControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
+      break;
+    case crmfOldCertIDControl:
+      retVal = SEC_OID_PKIX_REGCTRL_OLD_CERT_ID;
+      break;
+    case crmfProtocolEncrKeyControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
+      break;
+    default:
+      retVal = SEC_OID_UNKNOWN;
+      break;
+    }
+    return retVal;
+}
+
+PRBool
+CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
+				 CRMFControlType  inControlType)
+{
+    SECOidTag controlTag;
+    int       i;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL || inCertReq->controls == NULL) {
+        return PR_FALSE;
+    }
+    controlTag = crmf_controltype_to_tag(inControlType);
+    for (i=0; inCertReq->controls[i] != NULL; i++) {
+        if (inCertReq->controls[i]->tag == controlTag) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
diff --git a/security/nss/lib/crmf/crmfdec.c b/security/nss/lib/crmf/crmfdec.c
new file mode 100644
index 000000000..b7a5aa6ef
--- /dev/null
+++ b/security/nss/lib/crmf/crmfdec.c
@@ -0,0 +1,393 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+
+static CRMFPOPChoice
+crmf_get_popchoice_from_der(SECItem *derPOP)
+{
+    CRMFPOPChoice retChoice;
+
+    switch (derPOP->data[0] & 0x0f) {
+    case 0:
+        retChoice = crmfRAVerified;
+	break;
+    case 1:
+        retChoice = crmfSignature;
+	break;
+    case 2:
+        retChoice = crmfKeyEncipherment;
+	break;
+    case 3:
+        retChoice = crmfKeyAgreement;
+	break;
+    default:
+        retChoice = crmfNoPOPChoice;
+	break;
+    }
+    return retChoice;
+}
+
+static SECStatus
+crmf_decode_process_raverified(CRMFCertReqMsg *inCertReqMsg)
+{   
+    CRMFProofOfPossession *pop;
+    /* Just set up the structure so that the message structure
+     * looks like one that was created using the API
+     */
+    pop = inCertReqMsg->pop;
+    pop->popChoice.raVerified.data = NULL;
+    pop->popChoice.raVerified.len  = 0;
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_signature(CRMFCertReqMsg *inCertReqMsg)
+{
+    PORT_Assert(inCertReqMsg->poolp);
+    if (!inCertReqMsg->poolp) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    return SEC_ASN1Decode(inCertReqMsg->poolp,
+			  &inCertReqMsg->pop->popChoice.signature,
+			  CRMFPOPOSigningKeyTemplate, 
+			  (const char*)inCertReqMsg->derPOP.data,
+			  inCertReqMsg->derPOP.len);
+}
+
+static CRMFPOPOPrivKeyChoice
+crmf_get_messagechoice_from_der(SECItem *derPOP)
+{
+    CRMFPOPOPrivKeyChoice retChoice;
+
+    switch (derPOP->data[2] & 0x0f) {
+    case 0:
+        retChoice = crmfThisMessage;
+	break;
+    case 1:
+        retChoice = crmfSubsequentMessage;
+	break;
+    case 2:
+        retChoice = crmfDHMAC;
+	break;
+    default:
+        retChoice = crmfNoMessage;
+    }
+    return retChoice;
+}
+
+static SECStatus
+crmf_decode_process_popoprivkey(CRMFCertReqMsg *inCertReqMsg)
+{
+    /* We've got a union, so a pointer to one POPOPrivKey
+     * struct is the same as having a pointer to the other 
+     * one.
+     */
+    CRMFPOPOPrivKey *popoPrivKey = 
+                    &inCertReqMsg->pop->popChoice.keyEncipherment;
+    SECItem         *derPOP, privKeyDer;
+    SECStatus        rv;
+
+    derPOP = &inCertReqMsg->derPOP;
+    popoPrivKey->messageChoice = crmf_get_messagechoice_from_der(derPOP);
+    if (popoPrivKey->messageChoice == crmfNoMessage) {
+        return SECFailure;
+    }
+    /* If we ever encounter BER encodings of this, we'll get in trouble*/
+    switch (popoPrivKey->messageChoice) {
+    case crmfThisMessage:
+    case crmfDHMAC:
+        privKeyDer.data = &derPOP->data[5];
+	privKeyDer.len  = derPOP->len - 5;
+	break;
+    case crmfSubsequentMessage:
+        privKeyDer.data = &derPOP->data[4];
+	privKeyDer.len  = derPOP->len - 4;
+	break;
+    default:
+        rv = SECFailure;
+    }
+
+    rv = SECITEM_CopyItem(inCertReqMsg->poolp, 
+			  &popoPrivKey->message.subsequentMessage,
+			  &privKeyDer);
+
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
+    if (popoPrivKey->messageChoice == crmfThisMessage ||
+	popoPrivKey->messageChoice == crmfDHMAC) {
+
+        popoPrivKey->message.thisMessage.len = 
+	    CRMF_BYTES_TO_BITS(privKeyDer.len) - (int)derPOP->data[4];
+        
+    }
+    return SECSuccess;    
+}
+
+static SECStatus
+crmf_decode_process_keyagreement(CRMFCertReqMsg *inCertReqMsg)
+{
+    return crmf_decode_process_popoprivkey(inCertReqMsg);
+}
+
+static SECStatus
+crmf_decode_process_keyencipherment(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECStatus rv;
+
+    rv = crmf_decode_process_popoprivkey(inCertReqMsg);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (inCertReqMsg->pop->popChoice.keyEncipherment.messageChoice == 
+	crmfDHMAC) {
+        /* Key Encipherment can not use the dhMAC option for
+	 * POPOPrivKey. 
+	 */
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_pop(CRMFCertReqMsg *inCertReqMsg)
+{
+     SECItem               *derPOP;
+     PRArenaPool           *poolp;
+     CRMFProofOfPossession *pop;
+     void                  *mark;
+     SECStatus              rv;
+
+     derPOP = &inCertReqMsg->derPOP;
+     poolp  = inCertReqMsg->poolp;
+     if (derPOP->data == NULL) {
+         /* There is no Proof of Possession field in this message. */
+         return SECSuccess;
+     }
+     mark = PORT_ArenaMark(poolp);
+     pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+     if (pop == NULL) {
+         goto loser;
+     }
+     pop->popUsed = crmf_get_popchoice_from_der(derPOP);
+     if (pop->popUsed == crmfNoPOPChoice) {
+         /* A bad encoding of CRMF.  Not a valid tag was given to the
+	  * Proof Of Possession field.
+	  */
+         goto loser;
+     }
+     inCertReqMsg->pop = pop;
+     switch (pop->popUsed) {
+     case crmfRAVerified:
+         rv = crmf_decode_process_raverified(inCertReqMsg);
+	 break;
+     case crmfSignature:
+         rv = crmf_decode_process_signature(inCertReqMsg);
+	 break;
+     case crmfKeyEncipherment:
+         rv = crmf_decode_process_keyencipherment(inCertReqMsg);
+	 break;
+     case crmfKeyAgreement:
+         rv = crmf_decode_process_keyagreement(inCertReqMsg);
+	 break;
+     default:
+         rv = SECFailure;
+     }
+     if (rv != SECSuccess) {
+         goto loser;
+     }
+     PORT_ArenaUnmark(poolp, mark);
+     return SECSuccess;
+
+ loser:
+     PORT_ArenaRelease(poolp, mark);
+     inCertReqMsg->pop = NULL;
+     return SECFailure;
+     
+}
+
+static SECStatus
+crmf_decode_process_single_control(PRArenaPool *poolp, 
+				   CRMFControl *inControl)
+{
+    const SEC_ASN1Template *asn1Template = NULL;
+
+    inControl->tag = SECOID_FindOIDTag(&inControl->derTag);
+    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
+
+    PORT_Assert (asn1Template != NULL);
+    PORT_Assert (poolp != NULL);
+    if (!asn1Template || !poolp) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* We've got a union, so passing a pointer to one element of the
+     * union is the same as passing a pointer to any of the other
+     * members of the union.
+     */
+    return SEC_ASN1Decode(poolp, &inControl->value.archiveOptions, 
+			  asn1Template, (const char*)inControl->derValue.data,
+			  inControl->derValue.len);
+}
+
+static SECStatus 
+crmf_decode_process_controls(CRMFCertReqMsg *inCertReqMsg)
+{
+    int           i, numControls;
+    SECStatus     rv;
+    PRArenaPool  *poolp;
+    CRMFControl **controls;
+    
+    numControls = CRMF_CertRequestGetNumControls(inCertReqMsg->certReq);
+    controls = inCertReqMsg->certReq->controls;
+    poolp    = inCertReqMsg->poolp;
+    for (i=0; i < numControls; i++) {
+        rv = crmf_decode_process_single_control(poolp, controls[i]);
+	if (rv != SECSuccess) {
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_single_reqmsg(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECStatus rv;
+
+    rv = crmf_decode_process_pop(inCertReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_decode_process_controls(inCertReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    inCertReqMsg->certReq->certTemplate.numExtensions = 
+        CRMF_CertRequestGetNumberOfExtensions(inCertReqMsg->certReq);
+    inCertReqMsg->isDecoded = PR_TRUE;
+    rv = SECSuccess;
+ loser:
+    return rv;
+}
+
+CRMFCertReqMsg*
+CRMF_CreateCertReqMsgFromDER (const char * buf, long len)
+{
+    PRArenaPool    *poolp;
+    CRMFCertReqMsg *certReqMsg;
+    SECStatus       rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    certReqMsg = PORT_ArenaZNew (poolp, CRMFCertReqMsg);
+    if (certReqMsg == NULL) {
+        goto loser;
+    }
+    certReqMsg->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certReqMsg, CRMFCertReqMsgTemplate, buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_decode_process_single_reqmsg(certReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    return certReqMsg;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+CRMFCertReqMessages*
+CRMF_CreateCertReqMessagesFromDER(const char *buf, long len)
+{
+    long                 arenaSize;
+    int                  i;
+    SECStatus            rv;
+    PRArenaPool         *poolp;
+    CRMFCertReqMessages *certReqMsgs;
+
+    PORT_Assert (buf != NULL);
+    /* Wanna make sure the arena is big enough to store all of the requests
+     * coming in.  We'll guestimate according to the length of the buffer.
+     */
+    arenaSize = len + len/2;
+    poolp = PORT_NewArena(arenaSize);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    certReqMsgs = PORT_ArenaZNew(poolp, CRMFCertReqMessages);
+    if (certReqMsgs == NULL) {
+        goto loser;
+    }
+    certReqMsgs->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certReqMsgs, CRMFCertReqMessagesTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    for (i=0; certReqMsgs->messages[i] != NULL; i++) {
+        /* The sub-routines expect the individual messages to have 
+	 * an arena.  We'll give them one temporarily.
+	 */
+        certReqMsgs->messages[i]->poolp = poolp;
+        rv = crmf_decode_process_single_reqmsg(certReqMsgs->messages[i]);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+        certReqMsgs->messages[i]->poolp = NULL;
+    }
+    return certReqMsgs;
+
+ loser:
+    PORT_FreeArena(poolp, PR_FALSE);
+    return NULL;
+}
diff --git a/security/nss/lib/crmf/crmfenc.c b/security/nss/lib/crmf/crmfenc.c
new file mode 100644
index 000000000..939192a3d
--- /dev/null
+++ b/security/nss/lib/crmf/crmfenc.c
@@ -0,0 +1,87 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+
+SECStatus 
+CRMF_EncodeCertReqMsg(CRMFCertReqMsg            *inCertReqMsg,
+		      CRMFEncoderOutputCallback  fn,
+		      void                      *arg)
+{
+    struct crmfEncoderOutput output;
+
+    output.fn        = fn;
+    output.outputArg = arg;
+    return SEC_ASN1Encode(inCertReqMsg,CRMFCertReqMsgTemplate, 
+			  crmf_encoder_out, &output);
+    
+}
+
+
+SECStatus
+CRMF_EncodeCertRequest(CRMFCertRequest           *inCertReq,
+		       CRMFEncoderOutputCallback  fn,
+		       void                      *arg)
+{
+    struct crmfEncoderOutput output;
+
+    output.fn        = fn;
+    output.outputArg = arg;
+    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
+			  crmf_encoder_out, &output);
+}
+
+SECStatus
+CRMF_EncodeCertReqMessages(CRMFCertReqMsg              **inCertReqMsgs,
+			   CRMFEncoderOutputCallback     fn,
+			   void                         *arg)
+{
+    struct crmfEncoderOutput output;
+    CRMFCertReqMessages msgs;
+    
+    output.fn        = fn;
+    output.outputArg = arg;
+    msgs.messages = inCertReqMsgs;
+    return SEC_ASN1Encode(&msgs, CRMFCertReqMessagesTemplate,
+			  crmf_encoder_out, &output);
+}
+
+
+
+
diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h
new file mode 100644
index 000000000..c605f04f7
--- /dev/null
+++ b/security/nss/lib/crmf/crmffut.h
@@ -0,0 +1,393 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * These functions to be implemented in the future if the features
+ * which these functions would implement wind up being needed.
+ */
+
+/*
+ * Use this functionto create the CRMFSinglePubInfo* variables that will 
+ * populate the inPubInfoArray paramter for the funciton
+ * CRMF_CreatePKIPublicationInfo.
+ *
+ * "inPubMethod" specifies which publication method will be used
+ * "pubLocation" is a representation of the location where 
+ */
+extern CRMFSinglePubInfo* 
+      CRMF_CreateSinglePubInfo(CRMFPublicationMethod  inPubMethod,
+			       CRMFGeneralName       *pubLocation);
+
+/*
+ * Create a PKIPublicationInfo that can later be passed to the function
+ * CRMFAddPubInfoControl.
+ */
+extern CRMFPKIPublicationInfo *
+     CRMF_CreatePKIPublicationInfo(CRMFPublicationAction  inAction,
+				   CRMFSinglePubInfo    **inPubInfoArray,
+				   int                    numPubInfo);
+
+/*
+ * Only call this function on a CRMFPublicationInfo that was created by
+ * CRMF_CreatePKIPublicationInfo that was passed in NULL for arena.
+ */
+
+extern SECStatus 
+       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
+
+extern SECStatus CRMF_AddPubInfoControl(CRMFCertRequest        *inCertReq,
+					CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * This is to create a Cert ID Control which can later be added to 
+ * a certificate request.
+ */
+extern CRMFCertID* CRMF_CreateCertID(CRMFGeneralName *issuer,
+				     long             serialNumber);
+
+extern SECStatus CRMF_DestroyCertID(CRMFCertID* certID);
+
+extern SECStatus CRMF_AddCertIDControl(CRMFCertRequest *inCertReq,
+				       CRMFCertID      *certID);
+
+extern SECStatus 
+       CRMF_AddProtocolEncryptioKeyControl(CRMFCertRequest          *inCertReq,
+					   CERTSubjectPublicKeyInfo *spki);
+
+/*
+ * Add the ASCII Pairs Registration Info to the Certificate Request.
+ * The SECItem must be an OCTET string representation.
+ */
+extern SECStatus
+       CRMF_AddUTF8PairsRegInfo(CRMFCertRequest *inCertReq,
+				 SECItem         *asciiPairs);
+
+/*
+ * This takes a CertRequest and adds it to another CertRequest.  
+ */
+extern SECStatus
+       CRMF_AddCertReqToRegInfo(CRMFCertRequest *certReqToAddTo,
+				CRMFCertRequest *certReqBeingAdded);
+
+/*
+ * Returns which option was used for the authInfo field of POPOSigningKeyInput
+ */
+extern CRMFPOPOSkiInputAuthChoice 
+       CRMF_GetSignKeyInputAuthChoice(CRMFPOPOSigningKeyInput *inKeyInput);
+
+/*
+ * Gets the PKMACValue associated with the POPOSigningKeyInput.
+ * If the POPOSigningKeyInput did not use authInfo.publicKeyMAC 
+ * the function returns SECFailure and the value at *destValue is unchanged.
+ *
+ * If the POPOSigningKeyInput did use authInfo.publicKeyMAC, the function
+ * returns SECSuccess and places the PKMACValue at *destValue.
+ */
+extern SECStatus 
+       CRMF_GetSignKeyInputPKMACValue(CRMFPOPOSigningKeyInput *inKeyInput,
+				      CRMFPKMACValue          **destValue);
+/*
+ * Gets the SubjectPublicKeyInfo from the POPOSigningKeyInput
+ */
+extern CERTSubjectPublicKeyInfo *
+       CRMF_GetSignKeyInputPublicKey(CRMFPOPOSigningKeyInput *inKeyInput);
+
+
+/*
+ * Return the value for the PKIPublicationInfo Control.
+ * A return value of NULL indicates that the Control was 
+ * not a PKIPublicationInfo Control.  Call 
+ * CRMF_DestroyPKIPublicationInfo on the return value when done
+ * using the pointer.
+ */
+extern CRMFPKIPublicationInfo* CRMF_GetPKIPubInfo(CRMFControl *inControl);
+
+/*
+ * Free up a CRMFPKIPublicationInfo structure.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the choice used for action in this PKIPublicationInfo.
+ */
+extern CRMFPublicationAction 
+       CRMF_GetPublicationAction(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the number of pubInfos are stored in the PKIPubicationInfo.
+ */
+extern int CRMF_GetNumPubInfos(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the pubInfo at index for the given PKIPubicationInfo.
+ * Indexing is done like a traditional C Array. (0 .. numElements-1)
+ */
+extern CRMFSinglePubInfo* 
+       CRMF_GetPubInfoAtIndex(CRMFPKIPublicationInfo *inPubInfo,
+			      int                     index);
+
+/*
+ * Destroy the CRMFSinglePubInfo.
+ */
+extern SECStatus CRMF_DestroySinglePubInfo(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the pubMethod used by the SinglePubInfo.
+ */
+extern CRMFPublicationMethod 
+       CRMF_GetPublicationMethod(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the pubLocation associated with the SinglePubInfo.
+ * A NULL return value indicates there was no pubLocation associated
+ * with the SinglePuInfo.
+ */
+extern CRMFGeneralName* CRMF_GetPubLocation(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the authInfo.sender field out of the POPOSigningKeyInput.
+ * If the POPOSigningKeyInput did not use the authInfo the function
+ * returns SECFailure and the value at *destName is unchanged.
+ *
+ * If the POPOSigningKeyInput did use authInfo.sender, the function returns
+ * SECSuccess and puts the authInfo.sender at *destName/
+ */
+extern SECStatus CRMF_GetSignKeyInputSender(CRMFPOPOSigningKeyInput *keyInput,
+					    CRMFGeneralName        **destName);
+
+/**************** CMMF Functions that need to be added. **********************/
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inRandom
+ *        The random number to use when generating the challenge,
+ *    inSender
+ *        The GeneralName representation of the sender of the challenge.
+ *    inPubKey
+ *        The public key to use when encrypting the challenge.
+ * NOTES:
+ *    This function adds a challenge to the end of the list of challenges
+ *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
+ *    the random number passed in and the sender's GeneralName are used
+ *    to generate the challenge and witness fields of the challenge.  This
+ *    library will use SHA1 as the one-way function for generating the 
+ *    witess field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if generating the challenge and adding to the end of list
+ *    of challenges was successful.  Any other return value indicates an error
+ *    while trying to generate the challenge.
+ */
+extern SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				    long                        inRandom,
+				    CERTGeneralName            *inSender,
+				    SECKEYPublicKey            *inPubKey);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFChallenges are contained in 
+ *    the CMMFPOPODecKeyChallContent structure.
+ */
+extern int CMMF_POPODecKeyChallContentGetNumChallenges
+                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetRandomNumber
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inDest
+ *        A pointer to a user supplied buffer where the library
+ *        can place a copy of the random integer contatained in the
+ *        challenge.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the random integer.  The user must call 
+ *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
+ *    decrypted.
+ *
+ * RETURN:
+ *    SECSuccess indicates the witness field has been previously decrypted
+ *    and the value for the random integer was successfully placed at *inDest.
+ *    Any other return value indicates an error and that the value at *inDest
+ *    is not a valid value.
+ */
+extern SECStatus CMMF_ChallengeGetRandomNumber(CMMFChallenge *inChallenge,
+					       long          *inDest);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetSender
+ * INPUTS:
+ *    inChallenge
+ *        the CMMFChallenge to operate on.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the sender.  The user must call 
+ *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the witness field has been
+ *    decrypted.  The user must call CERT_DestroyGeneralName after the return
+ *    value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to a copy of the sender CERTGeneralName.  A return value of
+ *    NULL indicates an error in trying to copy the information or that the
+ *    witness field has not been decrypted.
+ */
+extern CERTGeneralName* CMMF_ChallengeGetSender(CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetAlgId
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inDestAlgId
+ *        A pointer to memory where a pointer to a copy of the algorithm
+ *        id can be placed.
+ * NOTES:
+ *    This function retrieves the one way function algorithm identifier 
+ *    contained within the CMMFChallenge if the optional field is present.
+ *
+ * RETURN:
+ *    SECSucces indicates the function was able to place a pointer to a copy of
+ *    the alogrithm id at *inAlgId.  If the value at *inDestAlgId is NULL, 
+ *    that means there was no algorithm identifier present in the 
+ *    CMMFChallenge.  Any other return value indicates the function was not 
+ *    able to make a copy of the algorithm identifier.  In this case the value 
+ *    at *inDestAlgId is not valid.
+ */
+extern SECStatus CMMF_ChallengeGetAlgId(CMMFChallenge  *inChallenge,
+					SECAlgorithmID *inAlgId);
+
+/*
+ * FUNCTION: CMMF_DestroyChallenge
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to free up.
+ * NOTES:
+ *    This function frees up all the memory associated with the CMMFChallenge 
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with the CMMFChallenge
+ *    passed in is successful.  Any other return value indicates an error 
+ *    while freeing the memory.
+ */
+extern SECStatus CMMF_DestroyChallenge (CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
+ * INPUTS:
+ *    inDecKeyResp
+ *        The CMMFPOPODecKeyRespContent structure to free.
+ * NOTES:
+ *    This function frees up all the memory associate with the 
+ *    CMMFPOPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if freeint up all the memory associated with the
+ *    CMMFPOPODecKeyRespContent structure is successful.  Any other
+ *    return value indicates an error while freeing the memory.
+ */
+extern SECStatus
+     CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
+
+/*
+ * FUNCTION: CMMF_ChallengeDecryptWitness
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inPrivKey
+ *        The private key to use to decrypt the witness field.
+ * NOTES:
+ *    This function uses the private key to decrypt the challenge field
+ *    contained in the CMMFChallenge.  Make sure the private key matches the
+ *    public key that was used to encrypt the witness.  The creator of 
+ *    the challenge will most likely be an RA that has the public key
+ *    from a Cert request.  So the private key should be the private key
+ *    associated with public key in that request.  This function will also
+ *    verify the witness field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if decrypting the witness field was successful.  This does
+ *    not indicate that the decrypted data is valid, since the private key 
+ *    passed in may not be the actual key needed to properly decrypt the 
+ *    witness field.  Meaning that there is a decrypted structure now, but
+ *    may be garbage because the private key was incorrect.
+ *    Any other return value indicates the function could not complete the
+ *    decryption process.
+ */
+extern SECStatus CMMF_ChallengeDecryptWitness(CMMFChallenge    *inChallenge,
+					      SECKEYPrivateKey *inPrivKey);
+
+/*
+ * FUNCTION: CMMF_ChallengeIsDecrypted
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ * RETURN:
+ *    This is a predicate function that returns PR_TRUE if the decryption 
+ *    process has already been performed.  The function return PR_FALSE if 
+ *    the decryption process has not been performed yet.
+ */
+extern PRBool CMMF_ChallengeIsDecrypted(CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyCont
+ *        The CMMFPOPODecKeyChallContent to free
+ * NOTES:
+ *    This function frees up all the memory associated with the 
+ *    CMMFPOPODecKeyChallContent 
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associatd with the 
+ *    CMMFPOPODecKeyChallContent is successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ *
+ */
+extern SECStatus 
+ CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
+
diff --git a/security/nss/lib/crmf/crmfget.c b/security/nss/lib/crmf/crmfget.c
new file mode 100644
index 000000000..05d8e7d54
--- /dev/null
+++ b/security/nss/lib/crmf/crmfget.c
@@ -0,0 +1,482 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "keyhi.h"
+#include "secder.h"
+
+
+CRMFPOPChoice
+CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg)
+{
+    PORT_Assert(inCertReqMsg != NULL);
+    if (inCertReqMsg != NULL && inCertReqMsg->pop != NULL) {
+        return inCertReqMsg->pop->popUsed;
+    }
+    return crmfNoPOPChoice;
+}
+
+static SECStatus
+crmf_destroy_validity(CRMFOptionalValidity *inValidity, PRBool freeit)
+{
+    if (inValidity != NULL){
+        if (inValidity->notBefore.data != NULL) {
+	    PORT_Free(inValidity->notBefore.data);
+	}
+	if (inValidity->notAfter.data != NULL) {
+	    PORT_Free(inValidity->notAfter.data);
+	}
+	if (freeit) {
+	    PORT_Free(inValidity);
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+crmf_copy_cert_request_validity(PRArenaPool           *poolp,
+				CRMFOptionalValidity **destValidity,
+				CRMFOptionalValidity  *srcValidity)
+{
+    CRMFOptionalValidity *myValidity = NULL;
+    SECStatus             rv;
+
+    *destValidity = myValidity = (poolp == NULL) ?
+                                  PORT_ZNew(CRMFOptionalValidity) :
+                                  PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    if (myValidity == NULL) {
+        goto loser;
+    }
+    if (srcValidity->notBefore.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &myValidity->notBefore, 
+			      &srcValidity->notBefore);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValidity->notAfter.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &myValidity->notAfter, 
+			      &srcValidity->notAfter);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    if (myValidity != NULL && poolp == NULL) {
+        crmf_destroy_validity(myValidity, PR_TRUE);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_extensions(PRArenaPool        *poolp, 
+		     CRMFCertTemplate   *destTemplate,
+		     CRMFCertExtension **srcExt)
+{
+    int       numExt = 0, i;
+    CRMFCertExtension **myExtArray = NULL;
+
+    while (srcExt[numExt] != NULL) {
+        numExt++;
+    }
+    if (numExt == 0) {
+        /*No extensions to copy.*/
+        destTemplate->extensions = NULL;
+	destTemplate->numExtensions = 0;
+        return SECSuccess;
+    }
+    destTemplate->extensions = myExtArray = 
+                           PORT_NewArray(CRMFCertExtension*, numExt+1);
+    if (myExtArray == NULL) {
+        goto loser;
+    }
+     
+    for (i=0; i<numExt; i++) {
+        myExtArray[i] = crmf_copy_cert_extension(poolp, srcExt[i]);
+	if (myExtArray[i] == NULL) {
+	    goto loser;
+	}
+    }
+    destTemplate->numExtensions = numExt;
+    myExtArray[numExt] = NULL;
+    return SECSuccess;
+ loser:
+    if (myExtArray != NULL) {
+        if (poolp == NULL) {
+	    for (i=0; myExtArray[i] != NULL; i++) {
+	        CRMF_DestroyCertExtension(myExtArray[i]);
+	    }
+	}
+	PORT_Free(myExtArray);
+    }
+    destTemplate->extensions = NULL;
+    destTemplate->numExtensions = 0;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_cert_request_template(PRArenaPool      *poolp, 
+				CRMFCertTemplate *destTemplate,
+				CRMFCertTemplate *srcTemplate)
+{
+    SECStatus rv;
+
+    if (srcTemplate->version.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destTemplate->version, 
+			      &srcTemplate->version);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->serialNumber.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destTemplate->serialNumber,
+			      &srcTemplate->serialNumber);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->signingAlg != NULL) {
+        rv = crmf_template_copy_secalg(poolp, &destTemplate->signingAlg,
+				       srcTemplate->signingAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->issuer != NULL) {
+        rv = crmf_copy_cert_name(poolp, &destTemplate->issuer,
+				 srcTemplate->issuer);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->validity != NULL) {
+        rv = crmf_copy_cert_request_validity(poolp, &destTemplate->validity,
+					     srcTemplate->validity);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->subject != NULL) {
+        rv = crmf_copy_cert_name(poolp, &destTemplate->subject, 
+				 srcTemplate->subject);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->publicKey != NULL) {
+        rv = crmf_template_add_public_key(poolp, &destTemplate->publicKey,
+					  srcTemplate->publicKey);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->issuerUID.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, &destTemplate->issuerUID,
+				      &srcTemplate->issuerUID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->subjectUID.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, &destTemplate->subjectUID,
+				      &srcTemplate->subjectUID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->extensions != NULL) {
+        rv = crmf_copy_extensions(poolp, destTemplate,
+				  srcTemplate->extensions);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    return SECFailure;
+}
+
+static CRMFControl*
+crmf_copy_control(PRArenaPool *poolp, CRMFControl *srcControl)
+{
+    CRMFControl *newControl;
+    SECStatus    rv;
+
+    newControl = (poolp == NULL) ? PORT_ZNew(CRMFControl) :
+                                   PORT_ArenaZNew(poolp, CRMFControl);
+    if (newControl == NULL) {
+        goto loser;
+    }
+    newControl->tag = srcControl->tag;
+    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &srcControl->derTag);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newControl->derValue, &srcControl->derValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* We only handle PKIArchiveOptions Control right now.  But if in
+     * the future, more controls that are part of the union are added,
+     * then they need to be handled here as well.
+     */
+    switch (newControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        rv = crmf_copy_pkiarchiveoptions(poolp, 
+					 &newControl->value.archiveOptions,
+					 &srcControl->value.archiveOptions);
+      break;
+    default:
+        rv = SECSuccess;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newControl;
+
+ loser:
+    if (poolp == NULL && newControl != NULL) {
+        CRMF_DestroyControl(newControl);
+    }
+    return NULL;
+}
+
+static SECStatus
+crmf_copy_cert_request_controls(PRArenaPool     *poolp, 
+				CRMFCertRequest *destReq, 
+				CRMFCertRequest *srcReq)
+{
+    int           numControls, i;
+    CRMFControl **myControls = NULL;
+
+    numControls = CRMF_CertRequestGetNumControls(srcReq);
+    if (numControls == 0) {
+        /* No Controls To Copy*/
+        return SECSuccess;
+    }
+    myControls = destReq->controls = PORT_NewArray(CRMFControl*, 
+						   numControls+1);
+    if (myControls == NULL) {
+        goto loser;
+    }
+    for (i=0; i<numControls; i++) {
+        myControls[i] = crmf_copy_control(poolp, srcReq->controls[i]);
+	if (myControls[i] == NULL) {
+	    goto loser;
+	}
+    }
+    myControls[numControls] = NULL;
+    return SECSuccess;
+ loser:
+    if (myControls != NULL) {
+        if (poolp == NULL) {
+	    for (i=0; myControls[i] != NULL; i++) {
+	        CRMF_DestroyControl(myControls[i]);
+	    }
+	}
+	PORT_Free(myControls);
+    }
+    return SECFailure;
+}
+
+
+CRMFCertRequest*
+crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq)
+{
+    CRMFCertRequest *newReq = NULL;
+    SECStatus        rv;
+
+    if (srcReq == NULL) {
+        return NULL;
+    }
+    newReq = (poolp == NULL) ? PORT_ZNew(CRMFCertRequest) :
+                               PORT_ArenaZNew(poolp, CRMFCertRequest);
+    if (newReq == NULL) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newReq->certReqId, &srcReq->certReqId);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = crmf_copy_cert_request_template(poolp, &newReq->certTemplate, 
+					 &srcReq->certTemplate);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = crmf_copy_cert_request_controls(poolp, newReq, srcReq);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newReq;
+ loser:
+    if (newReq != NULL && poolp == NULL) {
+        CRMF_DestroyCertRequest(newReq);
+        PORT_Free(newReq);
+    }
+    return NULL;
+}
+
+SECStatus 
+CRMF_DestroyGetValidity(CRMFGetValidity *inValidity)
+{
+    PORT_Assert(inValidity != NULL);
+    if (inValidity != NULL) {
+        if (inValidity->notAfter) {
+	    PORT_Free(inValidity->notAfter);
+	    inValidity->notAfter = NULL;
+	}
+	if (inValidity->notBefore) {
+	    PORT_Free(inValidity->notBefore);
+	    inValidity->notBefore = NULL;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, SECItem *src)
+{
+    int origLenBits;
+    int bytesToCopy;
+    SECStatus rv;
+
+    origLenBits = src->len;
+    bytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
+    src->len = bytesToCopy;         
+    rv = SECITEM_CopyItem(arena, dest, src);
+    src->len = origLenBits;
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    dest->len = origLenBits;
+    return SECSuccess;
+}
+
+int
+CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq)
+{
+    CRMFCertTemplate *certTemplate;
+    int count = 0;
+    
+    certTemplate = &inCertReq->certTemplate;
+    if (certTemplate->extensions) {
+        while (certTemplate->extensions[count] != NULL)
+	    count++;
+    }
+    return count;
+}
+
+SECOidTag
+CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension)
+{
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return SEC_OID_UNKNOWN;
+    }
+    return SECOID_FindOIDTag(&inExtension->id);
+}
+
+PRBool
+CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt)
+{
+    PORT_Assert(inExt != NULL);
+    if (inExt == NULL) {
+        return PR_FALSE;
+    }
+    return inExt->critical.data != NULL;
+}
+
+SECItem*
+CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension)
+{
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return NULL;
+    }
+    
+    return SECITEM_DupItem(&inExtension->value);
+}
+			  
+
+SECStatus
+CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey != NULL) {
+        if (inKey->derInput.data != NULL) {
+	    SECITEM_FreeItem(&inKey->derInput, PR_FALSE);
+	}
+	if (inKey->algorithmIdentifier != NULL) {
+	    SECOID_DestroyAlgorithmID(inKey->algorithmIdentifier, PR_TRUE);
+	}
+	if (inKey->signature.data != NULL) {
+	    SECITEM_FreeItem(&inKey->signature, PR_FALSE);
+	}
+	PORT_Free(inKey);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey)
+{
+    PORT_Assert(inPrivKey != NULL);
+    if (inPrivKey != NULL) {
+        SECITEM_FreeItem(&inPrivKey->message.thisMessage, PR_FALSE);
+	PORT_Free(inPrivKey);
+    }
+    return SECSuccess;
+}
+
+int
+CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq)
+{
+    int              count = 0;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return 0;
+    }
+    if (inCertReq->controls) {
+        while (inCertReq->controls[count] != NULL)
+	    count++;
+    }
+    return count;
+}
+
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h
new file mode 100644
index 000000000..1b8a311d6
--- /dev/null
+++ b/security/nss/lib/crmf/crmfi.h
@@ -0,0 +1,190 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _CRMFI_H_
+#define _CRMFI_H_
+/* This file will contain all declarations common to both 
+ * encoding and decoding of CRMF Cert Requests.  This header 
+ * file should only be included internally by CRMF implementation
+ * files.
+ */
+#include "secasn1.h"
+#include "crmfit.h"
+#include "secerr.h"
+
+#define CRMF_DEFAULT_ARENA_SIZE   1024
+#define MAX_WRAPPED_KEY_LEN       2048
+
+
+#define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
+#define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
+
+struct crmfEncoderArg {
+    SECItem *buffer;
+    long     allocatedLen;
+};
+
+struct crmfEncoderOutput {
+    CRMFEncoderOutputCallback fn;
+    void *outputArg;
+};
+
+/*
+ * This funciton is used by the API for encoding functions that are 
+ * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
+ * functions.
+ */
+extern void
+       crmf_encoder_out(void *arg, const char *buf, unsigned long len,
+                        int depth, SEC_ASN1EncodingPart data_kind);
+
+/*
+ * This function is used when we want to encode something locally within
+ * the library, ie the CertRequest so that we can produce its signature.
+ */
+extern SECStatus 
+       crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
+				       SECItem               *derDest);
+
+/*
+ * This is the callback function we feed to the ASN1 encoder when doing
+ * internal DER-encodings.  ie, encoding the cert request so we can 
+ * produce a signature.
+ */
+extern void
+crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
+			      int depth, SEC_ASN1EncodingPart data_kind);
+
+/* The ASN1 templates that need to be seen by internal files
+ * in order to implement CRMF.
+ */
+extern const SEC_ASN1Template CRMFCertReqMsgTemplate[];
+extern const SEC_ASN1Template CRMFRAVerifiedTemplate[];
+extern const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[];
+extern const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[];
+extern const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[];
+extern const SEC_ASN1Template CRMFThisMessageTemplate[];
+extern const SEC_ASN1Template CRMFSubsequentMessageTemplate[];
+extern const SEC_ASN1Template CRMFDHMACTemplate[];
+extern const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate[];
+extern const SEC_ASN1Template CRMFEncryptedValueTemplate[];
+
+/*
+ * Use these two values for encoding Boolean values.
+ */
+extern const unsigned char hexTrue;
+extern const unsigned char hexFalse;
+/*
+ * Prototypes for helper routines used internally by multiple files.
+ */
+extern SECStatus crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, 
+				     long value);
+extern SECStatus crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, 
+					  SECItem *src);
+
+extern SECStatus crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp, 
+					     CRMFPKIArchiveOptions *destOpt,
+					     CRMFPKIArchiveOptions *srcOpt);
+extern SECStatus  
+       crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions,
+				      PRBool                 freeit);
+extern const SEC_ASN1Template*
+       crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl);
+
+extern SECStatus crmf_copy_encryptedkey(PRArenaPool       *poolp,
+					CRMFEncryptedKey  *srcEncrKey,
+					CRMFEncryptedKey  *destEncrKey);
+extern SECStatus
+crmf_copy_encryptedvalue(PRArenaPool        *poolp,
+			 CRMFEncryptedValue *srcValue,
+			 CRMFEncryptedValue *destValue);
+
+extern SECStatus
+crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
+				SECAlgorithmID  *srcAlgId,
+				SECAlgorithmID **destAlgId);
+
+extern SECStatus crmf_template_copy_secalg(PRArenaPool *poolp, 
+					   SECAlgorithmID **dest,
+					   SECAlgorithmID *src);
+
+extern SECStatus crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
+				     CERTName *src);
+
+extern SECStatus crmf_template_add_public_key(PRArenaPool               *poolp,
+					      CERTSubjectPublicKeyInfo **dest,
+					      CERTSubjectPublicKeyInfo  *pubKey);
+
+extern CRMFCertExtension* crmf_create_cert_extension(PRArenaPool *poolp, 
+						     SECOidTag    tag, 
+						     PRBool       isCritical,
+						     SECItem     *data);
+extern CRMFCertRequest*
+crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq);
+
+extern SECStatus crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, 
+					      PRBool freeit);
+
+extern CRMFEncryptedValue *
+crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
+					    SECKEYPublicKey    *inPubKey,
+					    CRMFEncryptedValue *destValue);
+
+extern CK_MECHANISM_TYPE 
+       crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey);
+
+extern SECStatus
+crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
+				     CRMFEncryptedValue *encValue,
+				     SECKEYPrivateKey   *privKey,
+				     SECKEYPublicKey    *newPubKey,
+				     SECItem            *nickname,
+				     PK11SlotInfo       *slot,
+				     unsigned char       keyUsage,
+				     SECKEYPrivateKey  **unWrappedKey,
+				     void               *wincx);
+
+extern SECItem*
+crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest);
+
+extern CRMFCertExtension*
+crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension);
+
+extern SECStatus
+crmf_create_prtime(SECItem *src, PRTime **dest);
+#endif /*_CRMFI_H_*/
diff --git a/security/nss/lib/crmf/crmfit.h b/security/nss/lib/crmf/crmfit.h
new file mode 100644
index 000000000..2f9be4946
--- /dev/null
+++ b/security/nss/lib/crmf/crmfit.h
@@ -0,0 +1,219 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _CRMFIT_H_
+#define _CRMFIT_H_
+
+struct CRMFCertReqMessagesStr {
+    CRMFCertReqMsg **messages;
+    PRArenaPool     *poolp;
+};
+
+struct CRMFCertExtensionStr {
+    SECItem id;
+    SECItem critical;
+    SECItem value;
+};
+
+
+struct CRMFOptionalValidityStr {
+    SECItem notBefore; 
+    SECItem notAfter;
+};
+
+struct CRMFCertTemplateStr {
+    SECItem                   version;
+    SECItem                   serialNumber;
+    SECAlgorithmID           *signingAlg;
+    CERTName                 *issuer;
+    CRMFOptionalValidity     *validity;
+    CERTName                 *subject;
+    CERTSubjectPublicKeyInfo *publicKey;
+    SECItem                   issuerUID;
+    SECItem                   subjectUID; 
+    CRMFCertExtension       **extensions;
+    int                       numExtensions;
+};
+
+struct CRMFCertIDStr {
+    SECItem issuer; /* General Name */
+    SECItem serialNumber; /*INTEGER*/
+};
+
+struct CRMFEncryptedValueStr {
+    SECAlgorithmID *intendedAlg;
+    SECAlgorithmID *symmAlg;
+    SECItem         encSymmKey; /*BIT STRING   */
+    SECAlgorithmID *keyAlg;
+    SECItem         valueHint;  /*OCTET STRING */
+    SECItem         encValue;   /*BIT STRING   */
+};
+
+/*
+ * The field derValue will contain the actual der
+ * to include in the encoding or that was read in
+ * from a der blob. 
+ */
+struct CRMFEncryptedKeyStr {
+    union {
+        SEC_PKCS7ContentInfo   *envelopedData;
+        CRMFEncryptedValue      encryptedValue; 
+    } value;
+    CRMFEncryptedKeyChoice encKeyChoice;
+    SECItem derValue;
+};
+
+/* ASN1 must only have one of the following 3 options. */
+struct CRMFPKIArchiveOptionsStr {
+    union {
+        CRMFEncryptedKey  encryptedKey;
+        SECItem           keyGenParameters;
+        SECItem           archiveRemGenPrivKey; /* BOOLEAN */
+    } option;
+    CRMFPKIArchiveOptionsType archOption;
+};
+
+struct CRMFPKIPublicationInfoStr {
+    SECItem action; /* Possible values                    */
+                    /* dontPublish (0), pleasePublish (1) */
+    CRMFSinglePubInfo **pubInfos; 
+};
+
+struct CRMFControlStr {
+    SECOidTag  tag;
+    SECItem    derTag;
+    SECItem    derValue;
+    /* These will be C structures used to represent the various 
+     * options.  Values that can't be stored as der right away.
+     * After creating these structures, we'll place their der
+     * encoding in derValue so the encoder knows how to get to
+     * it.
+     */
+    union {
+        CRMFCertID              oldCertId;
+        CRMFPKIArchiveOptions   archiveOptions;
+        CRMFPKIPublicationInfo  pubInfo;
+        CRMFProtocolEncrKey     protEncrKey; 
+    } value;
+};
+
+struct CRMFCertRequestStr {
+    SECItem            certReqId;
+    CRMFCertTemplate   certTemplate;
+    CRMFControl      **controls;
+    /* The following members are used by the internal implementation, but
+     * are not part of the encoding.
+     */
+    PRArenaPool *poolp;
+    PRUint32     requestID; /* This is the value that will be encoded into
+			     * the certReqId field.
+			     */
+};                                   
+
+struct CRMFAttributeStr {
+    SECItem derTag;
+    SECItem derValue;
+};
+
+struct CRMFCertReqMsgStr {
+    CRMFCertRequest            *certReq;
+    CRMFProofOfPossession      *pop;
+    CRMFAttribute             **regInfo;
+    SECItem                     derPOP;
+    /* This arena will be used for allocating memory when decoding.
+     */
+    PRArenaPool *poolp;
+    PRBool       isDecoded;
+};
+
+struct CRMFPOPOSigningKeyInputStr {
+    /* ASN1 must have only one of the next 2 options */
+    union {
+        SECItem          sender; /*General Name*/
+        CRMFPKMACValue  *publicKeyMAC;
+    }authInfo;
+    CERTSubjectPublicKeyInfo publicKey;
+};
+
+struct CRMFPOPOSigningKeyStr {
+    SECItem                  derInput; /*If in the future we support 
+                                        *POPOSigningKeyInput, this will
+                                        *a C structure representation
+                                        *instead.
+                                        */
+    SECAlgorithmID          *algorithmIdentifier;
+    SECItem                  signature; /* This is a BIT STRING. Remember */
+};                                      /* that when interpreting.        */
+
+/* ASN1 must only choose one of these members */
+struct CRMFPOPOPrivKeyStr {
+    union {
+        SECItem thisMessage; /* BIT STRING */
+        SECItem subsequentMessage; /*INTEGER*/ 
+        SECItem dhMAC; /*BIT STRING*/
+    } message;
+    CRMFPOPOPrivKeyChoice messageChoice;
+};
+
+/* ASN1 must only have one of these options. */
+struct CRMFProofOfPossessionStr {
+    union {
+        SECItem             raVerified;
+        CRMFPOPOSigningKey  signature;
+        CRMFPOPOPrivKey     keyEncipherment;
+        CRMFPOPOPrivKey     keyAgreement;
+    } popChoice;
+    CRMFPOPChoice       popUsed; /*Not part of encoding*/
+};
+
+struct CRMFPKMACValueStr {
+    SECAlgorithmID algID;
+    SECItem        value; /*BIT STRING*/
+};
+
+struct CRMFSinglePubInfoStr {
+    SECItem pubMethod; /* Possible Values:
+			*   dontCare (0)
+			*   x500     (1)
+			*   web      (2)
+			*   ldap     (3)
+			*/
+    CERTGeneralName *pubLocation; /* General Name */
+};
+
+#endif /* _CRMFIT_H_ */
diff --git a/security/nss/lib/crmf/crmfpop.c b/security/nss/lib/crmf/crmfpop.c
new file mode 100644
index 000000000..201f6bcd0
--- /dev/null
+++ b/security/nss/lib/crmf/crmfpop.c
@@ -0,0 +1,632 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secasn1.h"
+#include "keyhi.h"
+#include "cryptohi.h"
+
+#define CRMF_DEFAULT_ALLOC_SIZE 1024
+
+SECStatus
+crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg, 
+				SECItem               *derDest) 
+{
+    derDest->data = PORT_ZNewArray(unsigned char, CRMF_DEFAULT_ALLOC_SIZE);
+    if (derDest->data == NULL) {
+        return SECFailure;
+    }
+    derDest->len = 0;
+    encoderArg->allocatedLen = CRMF_DEFAULT_ALLOC_SIZE;
+    encoderArg->buffer = derDest;
+    return SECSuccess;
+
+}
+
+/* Caller should release or unmark the pool, instead of doing it here.
+** But there are NO callers of this function at present...
+*/
+SECStatus 
+CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECItem               *dummy;
+    CRMFProofOfPossession *pop;
+    PRArenaPool           *poolp;
+    void                  *mark;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
+        return SECFailure;
+    }
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    pop->popUsed = crmfRAVerified;
+    pop->popChoice.raVerified.data = NULL;
+    pop->popChoice.raVerified.len  = 0;
+    inCertReqMsg->pop = pop;
+    dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
+			       &(pop->popChoice.raVerified),
+			       CRMFRAVerifiedTemplate);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+static SECOidTag
+crmf_get_key_sign_tag(SECKEYPublicKey *inPubKey)
+{
+    /* maintain backward compatibility with older
+     * implementations */
+    if (inPubKey->keyType == rsaKey) {
+        return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+    }
+    return SEC_GetSignatureAlgorithmOidTag(inPubKey->keyType, SEC_OID_UNKNOWN);
+}
+
+static SECAlgorithmID*
+crmf_create_poposignkey_algid(PRArenaPool      *poolp,
+			      SECKEYPublicKey  *inPubKey)
+{
+    SECAlgorithmID *algID;
+    SECOidTag       tag;
+    SECStatus       rv;
+    void           *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    algID = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (algID == NULL) {
+        goto loser;
+    }
+    tag = crmf_get_key_sign_tag(inPubKey);
+    if (tag == SEC_OID_UNKNOWN) {
+        goto loser;
+    }
+    rv = SECOID_SetAlgorithmID(poolp, algID, tag, NULL);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return algID;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+static CRMFPOPOSigningKeyInput*
+crmf_create_poposigningkeyinput(PRArenaPool *poolp, CERTCertificate *inCert,
+				CRMFMACPasswordCallback fn, void *arg)
+{
+  /* PSM isn't going to do this, so we'll fail here for now.*/
+     return NULL;
+}
+
+void
+crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
+			      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct crmfEncoderArg *encoderArg = (struct crmfEncoderArg*)arg;
+    unsigned char *cursor;
+    
+   if (encoderArg->buffer->len + len > encoderArg->allocatedLen) {
+        int newSize = encoderArg->buffer->len+CRMF_DEFAULT_ALLOC_SIZE;
+        void *dummy = PORT_Realloc(encoderArg->buffer->data, newSize);
+	if (dummy == NULL) {
+	    /* I really want to return an error code here */
+	    PORT_Assert(0);
+	    return;
+	}
+	encoderArg->buffer->data = dummy;
+	encoderArg->allocatedLen = newSize;
+    }
+    cursor = &(encoderArg->buffer->data[encoderArg->buffer->len]);
+    PORT_Memcpy (cursor, buf, len);
+    encoderArg->buffer->len += len;    
+}
+
+static SECStatus
+crmf_encode_certreq(CRMFCertRequest *inCertReq, SECItem *derDest)
+{
+    struct crmfEncoderArg encoderArg;
+    SECStatus             rv;
+  
+    rv = crmf_init_encoder_callback_arg (&encoderArg, derDest);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
+			  crmf_generic_encoder_callback, &encoderArg);
+}
+
+static SECStatus
+crmf_sign_certreq(PRArenaPool        *poolp, 
+		  CRMFPOPOSigningKey *crmfSignKey, 
+		  CRMFCertRequest    *certReq,
+		  SECKEYPrivateKey   *inKey,
+		  SECAlgorithmID     *inAlgId)
+{
+    SECItem                      derCertReq = { siBuffer, NULL, 0 };
+    SECItem                      certReqSig = { siBuffer, NULL, 0 };
+    SECStatus                    rv = SECSuccess;
+
+    rv = crmf_encode_certreq(certReq, &derCertReq);
+    if (rv != SECSuccess) {
+       goto loser;
+    }
+    rv = SEC_SignData(&certReqSig, derCertReq.data, derCertReq.len,
+		      inKey,SECOID_GetAlgorithmTag(inAlgId));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+ 
+    /* Now make it a part of the POPOSigningKey */
+    rv = SECITEM_CopyItem(poolp, &(crmfSignKey->signature), &certReqSig);
+    /* Convert this length to number of bits */
+    crmfSignKey->signature.len <<= 3; 
+   
+ loser:
+    if (derCertReq.data != NULL) {
+        PORT_Free(derCertReq.data);
+    }
+    if (certReqSig.data != NULL) {
+        PORT_Free(certReqSig.data);
+    }
+    return rv;
+}
+
+static SECStatus
+crmf_create_poposignkey(PRArenaPool             *poolp, 
+			CRMFCertReqMsg          *inCertReqMsg, 
+			CRMFPOPOSigningKeyInput *signKeyInput, 
+			SECKEYPrivateKey        *inPrivKey,
+			SECAlgorithmID          *inAlgID,
+			CRMFPOPOSigningKey      *signKey) 
+{
+    CRMFCertRequest    *certReq;
+    void               *mark;
+    PRBool              useSignKeyInput;
+    SECStatus           rv;
+    
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL);
+    mark = PORT_ArenaMark(poolp);
+    if (signKey == NULL) {
+        goto loser;
+    }
+    certReq = inCertReqMsg->certReq;
+    useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq,crmfSubject)  &&
+			CRMF_DoesRequestHaveField(certReq,crmfPublicKey));
+
+    if (useSignKeyInput) {
+        goto loser; 
+    } else {
+        rv = crmf_sign_certreq(poolp, signKey, certReq,inPrivKey, inAlgID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    PORT_ArenaUnmark(poolp,mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp,mark);
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
+			       SECKEYPrivateKey *inPrivKey,
+			       SECKEYPublicKey  *inPubKey,
+			       CERTCertificate  *inCertForInput,
+			       CRMFMACPasswordCallback  fn,
+			       void                    *arg)
+{
+    SECAlgorithmID  *algID;
+    PRArenaPool     *poolp;
+    SECItem          derTemp = {siBuffer, NULL, 0};
+    void            *mark;
+    SECStatus        rv;
+    CRMFPOPOSigningKeyInput *signKeyInput = NULL;
+    CRMFCertRequest         *certReq;
+    CRMFProofOfPossession   *pop;
+    struct crmfEncoderArg    encoderArg;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL &&
+		inCertReqMsg->pop == NULL);
+    certReq = inCertReqMsg->certReq;
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice || 
+	!CRMF_DoesRequestHaveField(certReq, crmfPublicKey)) {
+        return SECFailure;
+    } 
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    algID = crmf_create_poposignkey_algid(poolp, inPubKey);
+
+    if(!CRMF_DoesRequestHaveField(certReq,crmfSubject)) {
+        signKeyInput = crmf_create_poposigningkeyinput(poolp, inCertForInput,
+						       fn, arg);
+	if (signKeyInput == NULL) {
+	    goto loser;
+	}
+    }
+
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    
+    rv = crmf_create_poposignkey(poolp, inCertReqMsg, 
+				 signKeyInput, inPrivKey, algID,
+				 &(pop->popChoice.signature));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    pop->popUsed = crmfSignature;
+    pop->popChoice.signature.algorithmIdentifier = algID;
+    inCertReqMsg->pop = pop;
+  
+    rv = crmf_init_encoder_callback_arg (&encoderArg, &derTemp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SEC_ASN1Encode(&pop->popChoice.signature, 
+			CRMFPOPOSigningKeyTemplate,
+			crmf_generic_encoder_callback, &encoderArg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derTemp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Free (derTemp.data);
+    PORT_ArenaUnmark(poolp,mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp,mark);
+    if (derTemp.data != NULL) {
+        PORT_Free(derTemp.data);
+    }
+    return SECFailure;
+}
+
+static const SEC_ASN1Template*
+crmf_get_popoprivkey_subtemplate(CRMFPOPOPrivKey *inPrivKey) 
+{
+    const SEC_ASN1Template *retTemplate = NULL;
+
+    switch (inPrivKey->messageChoice) {
+    case crmfThisMessage:
+        retTemplate = CRMFThisMessageTemplate;
+	break;
+    case crmfSubsequentMessage:
+        retTemplate = CRMFSubsequentMessageTemplate;
+	break;
+    case crmfDHMAC:
+        retTemplate = CRMFDHMACTemplate;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+static SECStatus
+crmf_encode_popoprivkey(PRArenaPool            *poolp, 
+			CRMFCertReqMsg         *inCertReqMsg,
+			CRMFPOPOPrivKey        *popoPrivKey,
+			const SEC_ASN1Template *privKeyTemplate)
+{
+    struct crmfEncoderArg   encoderArg;
+    SECItem                 derTemp = { siBuffer, NULL, 0 };
+    SECStatus               rv;
+    void                   *mark;
+    const SEC_ASN1Template *subDerTemplate;
+
+    mark = PORT_ArenaMark(poolp);
+    rv = crmf_init_encoder_callback_arg(&encoderArg, &derTemp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    subDerTemplate = crmf_get_popoprivkey_subtemplate(popoPrivKey);
+    /* We've got a union, so a pointer to one item is a pointer to 
+     * all the items in the union.
+     */
+    rv = SEC_ASN1Encode(&popoPrivKey->message.thisMessage, 
+			subDerTemplate,
+			crmf_generic_encoder_callback, &encoderArg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (encoderArg.allocatedLen > derTemp.len+2) {
+        void *dummy = PORT_Realloc(derTemp.data, derTemp.len+2);
+	if (dummy == NULL) {
+	    goto loser;
+	}
+	derTemp.data = dummy;
+    }
+    PORT_Memmove(&derTemp.data[2], &derTemp.data[0], derTemp.len);
+    /* I couldn't figure out how to get the ASN1 encoder to implicitly
+     * tag an implicitly tagged der blob.  So I'm putting in the outter-
+     * most tag myself. -javi
+     */
+    derTemp.data[0] = (unsigned char)privKeyTemplate->kind;
+    derTemp.data[1] = (unsigned char)derTemp.len;
+    derTemp.len += 2;
+    rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derTemp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Free(derTemp.data);
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    if (derTemp.data) {
+        PORT_Free(derTemp.data);
+    }
+    return SECFailure;
+}
+
+static const SEC_ASN1Template*
+crmf_get_template_for_privkey(CRMFPOPChoice inChoice) 
+{
+    switch (inChoice) {
+    case crmfKeyAgreement:
+        return CRMFPOPOKeyAgreementTemplate;
+    case crmfKeyEncipherment:
+        return CRMFPOPOKeyEnciphermentTemplate;
+    default:
+        break;
+    }
+    return NULL;
+}
+
+static SECStatus
+crmf_add_privkey_thismessage(CRMFCertReqMsg *inCertReqMsg, SECItem *encPrivKey,
+			     CRMFPOPChoice inChoice)
+{
+    PRArenaPool           *poolp;
+    void                  *mark;
+    CRMFPOPOPrivKey       *popoPrivKey;
+    CRMFProofOfPossession *pop;
+    SECStatus              rv;
+
+    PORT_Assert(inCertReqMsg != NULL && encPrivKey != NULL);
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    pop->popUsed = inChoice;
+    /* popChoice is a union, so getting a pointer to one
+     * field gives me a pointer to the other fields as
+     * well.  This in essence points to both 
+     * pop->popChoice.keyEncipherment and
+     * pop->popChoice.keyAgreement
+     */
+    popoPrivKey = &pop->popChoice.keyEncipherment;
+
+    rv = SECITEM_CopyItem(poolp, &(popoPrivKey->message.thisMessage),
+			  encPrivKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    popoPrivKey->message.thisMessage.len <<= 3;
+    popoPrivKey->messageChoice = crmfThisMessage;
+    inCertReqMsg->pop = pop;
+    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
+				 crmf_get_template_for_privkey(inChoice));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+    
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+static SECStatus
+crmf_add_privkey_dhmac(CRMFCertReqMsg *inCertReqMsg, SECItem *dhmac,
+                             CRMFPOPChoice inChoice)
+{
+    PRArenaPool           *poolp;
+    void                  *mark;
+    CRMFPOPOPrivKey       *popoPrivKey;
+    CRMFProofOfPossession *pop;
+    SECStatus              rv;
+
+    PORT_Assert(inCertReqMsg != NULL && dhmac != NULL);
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    pop->popUsed = inChoice;
+    popoPrivKey = &pop->popChoice.keyAgreement;
+
+    rv = SECITEM_CopyItem(poolp, &(popoPrivKey->message.dhMAC),
+                          dhmac);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    popoPrivKey->message.dhMAC.len <<= 3;
+    popoPrivKey->messageChoice = crmfDHMAC;
+    inCertReqMsg->pop = pop;
+    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
+                                 crmf_get_template_for_privkey(inChoice));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+    
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+static SECStatus
+crmf_add_privkey_subseqmessage(CRMFCertReqMsg        *inCertReqMsg,
+			       CRMFSubseqMessOptions  subsequentMessage,
+			       CRMFPOPChoice          inChoice)
+{
+    void                  *mark;
+    PRArenaPool           *poolp;
+    CRMFProofOfPossession *pop;
+    CRMFPOPOPrivKey       *popoPrivKey;
+    SECStatus              rv;
+    const SEC_ASN1Template *privKeyTemplate;
+
+    if (subsequentMessage == crmfNoSubseqMess) {
+        return SECFailure;
+    }
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+
+    pop->popUsed = inChoice;
+    /* 
+     * We have a union, so a pointer to one member of the union
+     * is also a member to another member of that same union.
+     */
+    popoPrivKey = &pop->popChoice.keyEncipherment;
+
+    switch (subsequentMessage) {
+    case crmfEncrCert:
+        rv = crmf_encode_integer(poolp, 
+				 &(popoPrivKey->message.subsequentMessage),
+				 0);
+	break;
+    case crmfChallengeResp:
+        rv = crmf_encode_integer(poolp,
+				 &(popoPrivKey->message.subsequentMessage),
+				 1);
+	break;
+    default:
+        goto loser;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    popoPrivKey->messageChoice = crmfSubsequentMessage;
+    privKeyTemplate = crmf_get_template_for_privkey(inChoice);
+    inCertReqMsg->pop = pop;
+    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
+				 privKeyTemplate);
+
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
+				     CRMFPOPOPrivKeyChoice  inKeyChoice,
+				     CRMFSubseqMessOptions  subseqMess,
+				     SECItem               *encPrivKey)
+{
+    SECStatus rv;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
+        return SECFailure;
+    }
+    switch (inKeyChoice) {    
+    case crmfThisMessage:
+        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
+					  crmfKeyEncipherment);
+	break;
+    case crmfSubsequentMessage:
+        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
+					    crmfKeyEncipherment);
+        break;
+    case crmfDHMAC:
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+CRMF_CertReqMsgSetKeyAgreementPOP (CRMFCertReqMsg        *inCertReqMsg,
+				   CRMFPOPOPrivKeyChoice  inKeyChoice,
+				   CRMFSubseqMessOptions  subseqMess,
+				   SECItem               *encPrivKey)
+{
+    SECStatus rv;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    switch (inKeyChoice) {    
+    case crmfThisMessage:
+        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
+					  crmfKeyAgreement);
+	break;
+    case crmfSubsequentMessage:
+        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
+					    crmfKeyAgreement);
+	break;
+    case crmfDHMAC:
+        /* In this case encPrivKey should be the calculated dhMac
+         * as specified in RFC 2511 */
+        rv = crmf_add_privkey_dhmac(inCertReqMsg, encPrivKey,
+                                    crmfKeyAgreement);
+        break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
diff --git a/security/nss/lib/crmf/crmfreq.c b/security/nss/lib/crmf/crmfreq.c
new file mode 100644
index 000000000..6e30a0af2
--- /dev/null
+++ b/security/nss/lib/crmf/crmfreq.c
@@ -0,0 +1,702 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "keyhi.h"
+#include "secder.h"
+
+/*
+ * Macro that returns PR_TRUE if the pointer is not NULL.
+ * If the pointer is NULL, then the macro will return PR_FALSE.
+ */
+#define IS_NOT_NULL(ptr) ((ptr) == NULL) ? PR_FALSE : PR_TRUE
+
+const unsigned char hexTrue  = 0xff;
+const unsigned char hexFalse = 0x00;
+
+
+SECStatus
+crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, long value) 
+{
+    SECItem *dummy;
+
+    dummy = SEC_ASN1EncodeInteger(poolp, dest, value);
+    PORT_Assert (dummy == dest);
+    if (dummy == NULL) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+crmf_encode_unsigned_integer(PRArenaPool *poolp, SECItem *dest, 
+                             unsigned long value) 
+{
+    SECItem *dummy;
+
+    dummy = SEC_ASN1EncodeUnsignedInteger(poolp, dest, value);
+    PORT_Assert (dummy == dest);
+    if (dummy != dest) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
+{
+    return  SECITEM_CopyItem (poolp, dest, src); 
+}
+
+PRBool
+CRMF_DoesRequestHaveField (CRMFCertRequest       *inCertReq, 
+			   CRMFCertTemplateField  inField)
+{
+  
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return PR_FALSE;
+    }
+    switch (inField) {
+    case crmfVersion:
+        return inCertReq->certTemplate.version.data != NULL;
+    case crmfSerialNumber:
+        return inCertReq->certTemplate.serialNumber.data != NULL;
+    case crmfSigningAlg:
+        return inCertReq->certTemplate.signingAlg != NULL;
+    case crmfIssuer:
+        return inCertReq->certTemplate.issuer != NULL;
+    case crmfValidity:
+        return inCertReq->certTemplate.validity != NULL;
+    case crmfSubject:
+        return inCertReq->certTemplate.subject != NULL;
+    case crmfPublicKey:
+        return inCertReq->certTemplate.publicKey != NULL;
+    case crmfIssuerUID:
+        return inCertReq->certTemplate.issuerUID.data != NULL;
+    case crmfSubjectUID:
+        return inCertReq->certTemplate.subjectUID.data != NULL;
+    case crmfExtension:
+        return CRMF_CertRequestGetNumberOfExtensions(inCertReq) != 0;
+    }
+    return PR_FALSE;
+}
+
+CRMFCertRequest *
+CRMF_CreateCertRequest (PRUint32 inRequestID)
+{
+    PRArenaPool     *poolp;
+    CRMFCertRequest *certReq;
+    SECStatus        rv;
+    
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    
+    certReq=PORT_ArenaZNew(poolp,CRMFCertRequest);
+    if (certReq == NULL) {
+        goto loser;
+    }
+
+    certReq->poolp = poolp;
+    certReq->requestID = inRequestID;
+    
+    rv = crmf_encode_unsigned_integer(poolp, &(certReq->certReqId), 
+                                      inRequestID);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    return certReq;
+ loser:
+    if (poolp) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq != NULL) {
+        if (inCertReq->certTemplate.extensions) {
+	    PORT_Free(inCertReq->certTemplate.extensions);
+	}
+	if (inCertReq->controls) {
+	    /* Right now we don't support EnveloppedData option,
+	     * so we won't go through and delete each occurrence of 
+	     * an EnveloppedData in the control.
+	     */
+	    PORT_Free(inCertReq->controls);
+	}
+	if (inCertReq->poolp) {
+	    PORT_FreeArena(inCertReq->poolp, PR_TRUE);
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_template_add_version(PRArenaPool *poolp, SECItem *dest, long version)
+{
+    return (crmf_encode_integer(poolp, dest, version));
+}
+
+static SECStatus
+crmf_template_add_serialnumber(PRArenaPool *poolp, SECItem *dest, long serial)
+{
+    return (crmf_encode_integer(poolp, dest, serial));
+}
+
+SECStatus
+crmf_template_copy_secalg (PRArenaPool *poolp, SECAlgorithmID **dest, 
+			   SECAlgorithmID* src)
+{
+    SECStatus         rv;
+    void             *mark = NULL;
+    SECAlgorithmID   *mySecAlg;
+
+    if (!poolp) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(poolp);
+    *dest = mySecAlg = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (mySecAlg == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(poolp, mySecAlg, src);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (mark) {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return SECSuccess;
+
+ loser:
+    *dest = NULL;
+    if (mark) {
+        PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+SECStatus
+crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
+		    CERTName *src)
+{
+    CERTName *newName;
+    SECStatus rv;
+    void     *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    *dest = newName = PORT_ArenaZNew(poolp, CERTName);
+    if (newName == NULL) {
+        goto loser;
+    }
+
+    rv = CERT_CopyName(poolp, newName, src);
+    if (rv != SECSuccess) {
+      goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_template_add_issuer (PRArenaPool *poolp, CERTName **dest, 
+			  CERTName* issuerName)
+{
+    return crmf_copy_cert_name(poolp, dest, issuerName);
+}
+
+
+static SECStatus
+crmf_template_add_validity (PRArenaPool *poolp, CRMFOptionalValidity **dest,
+			    CRMFValidityCreationInfo *info)
+{
+    SECStatus             rv;
+    void                 *mark; 
+    CRMFOptionalValidity *myValidity;
+
+    /*First off, let's make sure at least one of the two fields is present*/
+    if (!info  || (!info->notBefore && !info->notAfter)) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark (poolp);
+    *dest = myValidity = PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    if (myValidity == NULL) {
+        goto loser;
+    }
+
+    if (info->notBefore) {
+        rv = DER_EncodeTimeChoice (poolp, &myValidity->notBefore, 
+				  *info->notBefore);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (info->notAfter) {
+        rv = DER_EncodeTimeChoice (poolp, &myValidity->notAfter,
+				  *info->notAfter);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_template_add_subject (PRArenaPool *poolp, CERTName **dest,
+			   CERTName *subject)
+{
+    return crmf_copy_cert_name(poolp, dest, subject);
+}
+
+SECStatus
+crmf_template_add_public_key(PRArenaPool *poolp, 
+			     CERTSubjectPublicKeyInfo **dest,
+			     CERTSubjectPublicKeyInfo  *pubKey)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+
+    *dest = spki = (poolp == NULL) ?
+                              PORT_ZNew(CERTSubjectPublicKeyInfo) :
+                              PORT_ArenaZNew (poolp, CERTSubjectPublicKeyInfo);
+    if (spki == NULL) {
+        goto loser;
+    }
+    rv = SECKEY_CopySubjectPublicKeyInfo (poolp, spki, pubKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (poolp == NULL && spki != NULL) {
+        SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_bitstring (PRArenaPool *poolp, SECItem *dest, const SECItem *src)
+{
+    SECStatus rv;
+    SECItem  byteSrc;
+    
+    byteSrc = *src;
+    byteSrc.len = CRMF_BITS_TO_BYTES(byteSrc.len);
+    rv = crmf_copy_secitem(poolp, dest, &byteSrc);
+    dest->len = src->len;
+    return rv;
+}
+
+static SECStatus
+crmf_template_add_issuer_uid(PRArenaPool *poolp, SECItem *dest,
+			     const SECItem *issuerUID)
+{
+    return crmf_copy_bitstring (poolp, dest, issuerUID);
+}
+
+static SECStatus
+crmf_template_add_subject_uid(PRArenaPool *poolp, SECItem *dest, 
+			      const SECItem *subjectUID)
+{
+    return crmf_copy_bitstring (poolp, dest, subjectUID);
+}
+
+static void
+crmf_zeroize_new_extensions (CRMFCertExtension **extensions,
+			     int numToZeroize) 
+{
+    PORT_Memset((void*)extensions, 0, sizeof(CERTCertExtension*)*numToZeroize);
+}
+
+/*
+ * The strategy for adding templates will differ from all the other
+ * attributes in the template.  First, we want to allow the client
+ * of this API to set extensions more than just once.  So we will
+ * need the ability grow the array of extensions.  Since arenas don't
+ * give us the realloc function, we'll use the generic PORT_* functions
+ * to allocate the array of pointers *ONLY*.  Then we will allocate each
+ * individual extension from the arena that comes along with the certReq
+ * structure that owns this template.
+ */
+static SECStatus
+crmf_template_add_extensions(PRArenaPool *poolp, CRMFCertTemplate *inTemplate,
+			     CRMFCertExtCreationInfo *extensions)
+{
+    void               *mark;
+    int                 newSize, oldSize, i;
+    SECStatus           rv;
+    CRMFCertExtension **extArray;
+    CRMFCertExtension  *newExt, *currExt;
+
+    mark = PORT_ArenaMark(poolp);
+    if (inTemplate->extensions == NULL) {
+        newSize = extensions->numExtensions;
+        extArray = PORT_ZNewArray(CRMFCertExtension*,newSize+1);
+    } else {
+        newSize = inTemplate->numExtensions + extensions->numExtensions;
+        extArray = PORT_Realloc(inTemplate->extensions, 
+				sizeof(CRMFCertExtension*)*(newSize+1));
+    }
+    if (extArray == NULL) {
+        goto loser;
+    }
+    oldSize                   = inTemplate->numExtensions;
+    inTemplate->extensions    = extArray;
+    inTemplate->numExtensions = newSize;
+    for (i=oldSize; i < newSize; i++) {
+        newExt = PORT_ArenaZNew(poolp, CRMFCertExtension);
+	if (newExt == NULL) {
+	    goto loser2;
+	}
+	currExt = extensions->extensions[i-oldSize];
+	rv = crmf_copy_secitem(poolp, &(newExt->id), &(currExt->id));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	rv = crmf_copy_secitem(poolp, &(newExt->critical),
+			       &(currExt->critical));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	rv = crmf_copy_secitem(poolp, &(newExt->value), &(currExt->value));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	extArray[i] = newExt;
+    }
+    extArray[newSize] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser2:
+    crmf_zeroize_new_extensions (&(inTemplate->extensions[oldSize]),
+				 extensions->numExtensions);
+    inTemplate->numExtensions = oldSize;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
+				 CRMFCertTemplateField  inTemplateField,
+				 void                  *data)
+{
+    CRMFCertTemplate *certTemplate;
+    PRArenaPool      *poolp;
+    SECStatus         rv = SECFailure;
+    void             *mark;
+    
+
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+
+    certTemplate = &(inCertReq->certTemplate);
+
+    poolp = inCertReq->poolp;
+    mark = PORT_ArenaMark(poolp);
+    switch (inTemplateField) {
+    case crmfVersion:
+      rv = crmf_template_add_version(poolp,&(certTemplate->version), 
+				     *(long*)data);
+      break;
+    case crmfSerialNumber:
+      rv = crmf_template_add_serialnumber(poolp, 
+					  &(certTemplate->serialNumber),
+					  *(long*)data);
+      break;
+    case crmfSigningAlg:
+      rv = crmf_template_copy_secalg (poolp, &(certTemplate->signingAlg),
+				      (SECAlgorithmID*)data);
+      break;
+    case crmfIssuer:
+      rv = crmf_template_add_issuer (poolp, &(certTemplate->issuer), 
+				     (CERTName*)data);
+      break;
+    case crmfValidity:
+      rv = crmf_template_add_validity (poolp, &(certTemplate->validity),
+				       (CRMFValidityCreationInfo*)data);
+      break;
+    case crmfSubject:
+      rv = crmf_template_add_subject (poolp, &(certTemplate->subject),
+				      (CERTName*)data);
+      break;
+    case crmfPublicKey:
+      rv = crmf_template_add_public_key(poolp, &(certTemplate->publicKey),
+					(CERTSubjectPublicKeyInfo*)data);
+      break;
+    case crmfIssuerUID:
+      rv = crmf_template_add_issuer_uid(poolp, &(certTemplate->issuerUID),
+					(SECItem*)data);
+      break;
+    case crmfSubjectUID:
+      rv = crmf_template_add_subject_uid(poolp, &(certTemplate->subjectUID),
+					 (SECItem*)data);
+      break;
+    case crmfExtension:
+      rv = crmf_template_add_extensions(poolp, certTemplate, 
+					(CRMFCertExtCreationInfo*)data);
+      break;
+    }
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(poolp, mark);
+    } else {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return rv;
+}
+
+SECStatus
+CRMF_CertReqMsgSetCertRequest (CRMFCertReqMsg  *inCertReqMsg, 
+			       CRMFCertRequest *inCertReq)
+{
+    PORT_Assert (inCertReqMsg != NULL && inCertReq != NULL);
+    if (inCertReqMsg == NULL || inCertReq == NULL) {
+        return SECFailure;
+    }
+    inCertReqMsg->certReq = crmf_copy_cert_request(inCertReqMsg->poolp,
+						   inCertReq);
+    return (inCertReqMsg->certReq == NULL) ? SECFailure : SECSuccess;
+}
+
+CRMFCertReqMsg*
+CRMF_CreateCertReqMsg(void)
+{
+    PRArenaPool    *poolp;
+    CRMFCertReqMsg *reqMsg;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    reqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
+    if (reqMsg == NULL) {
+        goto loser;
+    }
+    reqMsg->poolp = poolp;
+    return reqMsg;
+    
+ loser:
+    if (poolp) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus 
+CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg)
+{
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->poolp != NULL);
+    if (!inCertReqMsg->isDecoded) {
+        if (inCertReqMsg->certReq->certTemplate.extensions != NULL) {
+	    PORT_Free(inCertReqMsg->certReq->certTemplate.extensions);
+	}
+	if (inCertReqMsg->certReq->controls != NULL) {
+	    PORT_Free(inCertReqMsg->certReq->controls);
+	}
+    }
+    PORT_FreeArena(inCertReqMsg->poolp, PR_TRUE);
+    return SECSuccess;
+}
+
+CRMFCertExtension*
+crmf_create_cert_extension(PRArenaPool *poolp, 
+			   SECOidTag    id,
+			   PRBool       isCritical,
+			   SECItem     *data)
+{
+    CRMFCertExtension *newExt;
+    SECOidData        *oidData;
+    SECStatus          rv;
+
+    newExt = (poolp == NULL) ? PORT_ZNew(CRMFCertExtension) :
+                               PORT_ArenaZNew(poolp, CRMFCertExtension);
+    if (newExt == NULL) {
+        goto loser;
+    }
+    oidData = SECOID_FindOIDByTag(id);
+    if (oidData == NULL || 
+	oidData->supportedExtension != SUPPORTED_CERT_EXTENSION) {
+       goto loser;
+    }
+
+    rv = SECITEM_CopyItem(poolp, &(newExt->id), &(oidData->oid));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (isCritical) {
+        newExt->critical.data = (poolp == NULL) ? 
+	                                PORT_New(unsigned char) :
+	                                PORT_ArenaNew(poolp, unsigned char);
+	if (newExt->critical.data == NULL) {
+	    goto loser;
+	}
+	newExt->critical.data[0] = hexTrue;
+	newExt->critical.len = 1;
+    }
+    return newExt;
+ loser:
+    if (newExt != NULL && poolp == NULL) {
+        CRMF_DestroyCertExtension(newExt);
+    }
+    return NULL;
+}
+
+CRMFCertExtension *
+CRMF_CreateCertExtension(SECOidTag id,
+			 PRBool    isCritical,
+			 SECItem  *data) 
+{
+    return crmf_create_cert_extension(NULL, id, isCritical, data);
+}
+
+static SECStatus
+crmf_destroy_cert_extension(CRMFCertExtension *inExtension, PRBool freeit)
+{
+    if (inExtension != NULL) {
+        SECITEM_FreeItem (&(inExtension->id), PR_FALSE);
+	SECITEM_FreeItem (&(inExtension->value), PR_FALSE);
+	SECITEM_FreeItem (&(inExtension->critical), PR_FALSE);
+	if (freeit) {
+	    PORT_Free(inExtension);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyCertExtension(CRMFCertExtension *inExtension)
+{
+    return crmf_destroy_cert_extension(inExtension, PR_TRUE);
+}
+
+SECStatus
+CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs) 
+{
+    PORT_Assert (inCertReqMsgs != NULL);
+    if (inCertReqMsgs != NULL) {
+        PORT_FreeArena(inCertReqMsgs->poolp, PR_TRUE);
+    }
+    return SECSuccess;
+}
+
+static PRBool
+crmf_item_has_data(SECItem *item)
+{
+    if (item != NULL && item->data != NULL) {
+        return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+PRBool
+CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
+			       CRMFCertTemplateField  inTemplateField)
+{
+    PRBool             retVal;
+    CRMFCertTemplate *certTemplate;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        /* This is probably some kind of error, but this is 
+	 * the safest return value for this function.
+	 */
+        return PR_FALSE;
+    }
+    certTemplate = &inCertReq->certTemplate;
+    switch (inTemplateField) {
+    case crmfVersion:
+      retVal = crmf_item_has_data(&certTemplate->version);
+      break;
+    case crmfSerialNumber:
+      retVal = crmf_item_has_data(&certTemplate->serialNumber);
+      break;
+    case crmfSigningAlg:
+      retVal = IS_NOT_NULL(certTemplate->signingAlg);
+      break;
+    case crmfIssuer:
+      retVal = IS_NOT_NULL(certTemplate->issuer);
+      break;
+    case crmfValidity:
+      retVal = IS_NOT_NULL(certTemplate->validity);
+      break;
+    case crmfSubject:
+      retVal = IS_NOT_NULL(certTemplate->subject);
+      break;
+    case crmfPublicKey:
+      retVal = IS_NOT_NULL(certTemplate->publicKey);
+      break;
+    case crmfIssuerUID:
+      retVal = crmf_item_has_data(&certTemplate->issuerUID);
+      break;
+    case crmfSubjectUID:
+      retVal = crmf_item_has_data(&certTemplate->subjectUID);
+      break;
+    case crmfExtension:
+      retVal = IS_NOT_NULL(certTemplate->extensions);
+      break;
+    default:
+      retVal = PR_FALSE;
+    }
+    return retVal;
+}
diff --git a/security/nss/lib/crmf/crmft.h b/security/nss/lib/crmf/crmft.h
new file mode 100644
index 000000000..5ea0d01ac
--- /dev/null
+++ b/security/nss/lib/crmf/crmft.h
@@ -0,0 +1,220 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+/* Header file with all of the structures and types that will be exported 
+ * by the security library for implementation of CRMF.
+ */
+
+#ifndef _CRMFT_H_
+#define _CRMFT_H_
+
+/* Use these enumerated values for adding fields to the certificate request */
+typedef enum {
+    crmfVersion = 0,
+    crmfSerialNumber = 1,
+    crmfSigningAlg = 2,
+    crmfIssuer = 3,
+    crmfValidity = 4,
+    crmfSubject = 5,
+    crmfPublicKey = 6,
+    crmfIssuerUID = 7,
+    crmfSubjectUID = 8,
+    crmfExtension = 9
+} CRMFCertTemplateField;
+
+/*
+ * An enumeration for the different types of controls.
+ */
+typedef enum {
+    crmfNoControl = 0,
+    crmfRegTokenControl = 1,
+    crmfAuthenticatorControl = 2,
+    crmfPKIPublicationInfoControl = 3,
+    crmfPKIArchiveOptionsControl = 4,
+    crmfOldCertIDControl = 5,
+    crmfProtocolEncrKeyControl = 6
+} CRMFControlType;
+
+/*
+ * The possible values that are passed into CRMF_CreatePKIPublicationInfo
+ */
+typedef enum {
+    crmfDontPublish = 0,
+    crmfPleasePublish = 1
+} CRMFPublicationAction;
+
+/*
+ * An enumeration for the possible for pubMethod which is a part of 
+ * the SinglePubInfo ASN1 type.
+ */
+typedef enum {
+    crmfDontCare = 0,
+    crmfX500 = 1,
+    crmfWeb = 2,
+    crmfLdap = 3
+} CRMFPublicationMethod;
+
+/*
+ * An enumeration for the different options for PKIArchiveOptions type.
+ */
+typedef enum {
+    crmfNoArchiveOptions = 0,
+    crmfEncryptedPrivateKey = 1,
+    crmfKeyGenParameters = 2,
+    crmfArchiveRemGenPrivKey = 3
+} CRMFPKIArchiveOptionsType;
+
+/*
+ * An enumeration for the different options for ProofOfPossession
+ */
+typedef enum {
+    crmfNoPOPChoice = 0,
+    crmfRAVerified = 1,
+    crmfSignature = 2,
+    crmfKeyEncipherment = 3,
+    crmfKeyAgreement = 4
+} CRMFPOPChoice;
+
+/*
+ * An enumertion type for options for the authInfo field of the 
+ * CRMFPOPOSigningKeyInput structure.
+ */
+typedef enum {
+    crmfSender = 0,
+    crmfPublicKeyMAC = 1
+} CRMFPOPOSkiInputAuthChoice;
+
+/*
+ * An enumeration for the SubsequentMessage Options.
+ */
+typedef enum {
+    crmfNoSubseqMess = 0,
+    crmfEncrCert = 1,
+    crmfChallengeResp = 2
+} CRMFSubseqMessOptions;
+
+/*
+ * An enumeration for the choice used by POPOPrivKey.
+ */
+typedef enum {
+    crmfNoMessage = 0,
+    crmfThisMessage = 1,
+    crmfSubsequentMessage = 2,
+    crmfDHMAC = 3
+} CRMFPOPOPrivKeyChoice;
+
+/*
+ * An enumeration for the choices for the EncryptedKey type.
+ */
+typedef enum {
+    crmfNoEncryptedKeyChoice = 0,
+    crmfEncryptedValueChoice = 1,
+    crmfEnvelopedDataChoice = 2
+} CRMFEncryptedKeyChoice;
+
+/*
+ * TYPE: CRMFEncoderOutputCallback
+ *     This function type defines a prototype for a function that the CRMF
+ *     library expects when encoding is performed.
+ *
+ * ARGUMENTS:
+ *     arg
+ *         This will be a pointer the user passed into an encoding function.
+ *         The user of the library is free to use this pointer in any way.
+ *         The most common use is to keep around a buffer for writing out
+ *         the DER encoded bytes.
+ *     buf
+ *         The DER encoded bytes that should be written out.
+ *     len
+ *         The number of DER encoded bytes to write out.
+ *
+ */
+typedef void (*CRMFEncoderOutputCallback) (void *arg,
+					   const char *buf,
+					   unsigned long len);
+
+/*
+ * Type for the function that gets a password.  Just in case we ever
+ * need to support publicKeyMAC for POPOSigningKeyInput
+ */
+typedef SECItem* (*CRMFMACPasswordCallback) (void *arg);
+
+typedef struct CRMFOptionalValidityStr      CRMFOptionalValidity;
+typedef struct CRMFValidityCreationInfoStr  CRMFGetValidity;
+typedef struct CRMFCertTemplateStr          CRMFCertTemplate;
+typedef struct CRMFCertRequestStr           CRMFCertRequest;
+typedef struct CRMFCertReqMsgStr            CRMFCertReqMsg;
+typedef struct CRMFCertReqMessagesStr       CRMFCertReqMessages;
+typedef struct CRMFProofOfPossessionStr     CRMFProofOfPossession;
+typedef struct CRMFPOPOSigningKeyStr        CRMFPOPOSigningKey;
+typedef struct CRMFPOPOSigningKeyInputStr   CRMFPOPOSigningKeyInput;
+typedef struct CRMFPOPOPrivKeyStr           CRMFPOPOPrivKey;
+typedef struct CRMFPKIPublicationInfoStr    CRMFPKIPublicationInfo;
+typedef struct CRMFSinglePubInfoStr         CRMFSinglePubInfo;
+typedef struct CRMFPKIArchiveOptionsStr     CRMFPKIArchiveOptions;
+typedef struct CRMFEncryptedKeyStr          CRMFEncryptedKey;
+typedef struct CRMFEncryptedValueStr        CRMFEncryptedValue;
+typedef struct CRMFCertIDStr                CRMFCertID;
+typedef struct CRMFCertIDStr                CRMFOldCertID;
+typedef CERTSubjectPublicKeyInfo            CRMFProtocolEncrKey;
+typedef struct CRMFValidityCreationInfoStr  CRMFValidityCreationInfo;
+typedef struct CRMFCertExtCreationInfoStr   CRMFCertExtCreationInfo;
+typedef struct CRMFPKMACValueStr            CRMFPKMACValue;
+typedef struct CRMFAttributeStr             CRMFAttribute;
+typedef struct CRMFControlStr               CRMFControl;
+typedef CERTGeneralName                     CRMFGeneralName;
+typedef struct CRMFCertExtensionStr         CRMFCertExtension;
+
+struct CRMFValidityCreationInfoStr {
+    PRTime *notBefore;
+    PRTime *notAfter;
+};
+
+struct CRMFCertExtCreationInfoStr {
+    CRMFCertExtension **extensions;
+    int numExtensions;
+};
+
+/*
+ * Some ASN1 Templates that may be needed.
+ */
+extern const SEC_ASN1Template CRMFCertReqMessagesTemplate[];
+extern const SEC_ASN1Template CRMFCertRequestTemplate[];
+
+
+#endif /*_CRMFT_H_*/
diff --git a/security/nss/lib/crmf/crmftmpl.c b/security/nss/lib/crmf/crmftmpl.c
new file mode 100644
index 000000000..296975c96
--- /dev/null
+++ b/security/nss/lib/crmf/crmftmpl.c
@@ -0,0 +1,302 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secoid.h"
+#include "secasn1.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_NullTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
+SEC_ASN1_MKSUB(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_MKSUB(CERT_NameTemplate)
+
+/* 
+ * It's all implicit tagging.
+ */
+
+const SEC_ASN1Template CRMFControlTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFControl)},
+    { SEC_ASN1_OBJECT_ID, offsetof(CRMFControl, derTag)},
+    { SEC_ASN1_ANY, offsetof(CRMFControl, derValue) },
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CRMFCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CRMFCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
+	  offsetof(CRMFCertExtension,critical) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CRMFCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CRMFCertExtensionTemplate }
+};
+
+static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 0, 
+      offsetof (CRMFOptionalValidity, notBefore),
+      SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1, 
+      offsetof (CRMFOptionalValidity, notAfter),
+      SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template crmfPointerToNameTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(CERT_NameTemplate)},
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
+   { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+     offsetof(CRMFCertTemplate, version), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1 ,
+     offsetof (CRMFCertTemplate, serialNumber), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+     SEC_ASN1_XTRN | 2, 
+     offsetof (CRMFCertTemplate, signingAlg), 
+     SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 3, 
+     offsetof (CRMFCertTemplate, issuer), crmfPointerToNameTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 4, 
+     offsetof (CRMFCertTemplate, validity), 
+     CRMFOptionalValidityTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 5, 
+     offsetof (CRMFCertTemplate, subject), crmfPointerToNameTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+     SEC_ASN1_XTRN | 6, 
+     offsetof (CRMFCertTemplate, publicKey), 
+     SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) }, 
+   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
+     SEC_ASN1_XTRN | 7,
+     offsetof (CRMFCertTemplate, issuerUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
+   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
+     SEC_ASN1_XTRN | 8,
+     offsetof (CRMFCertTemplate, subjectUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
+   { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | 
+     SEC_ASN1_CONTEXT_SPECIFIC | 9, 
+     offsetof (CRMFCertTemplate, extensions), 
+     CRMFSequenceOfCertExtensionTemplate },
+   { 0 }
+};
+
+static const SEC_ASN1Template CRMFAttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFAttribute)},
+    { SEC_ASN1_OBJECT_ID, offsetof(CRMFAttribute, derTag)},
+    { SEC_ASN1_ANY, offsetof(CRMFAttribute, derValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFCertRequest) },
+    { SEC_ASN1_INTEGER, offsetof(CRMFCertRequest, certReqId)},
+    { SEC_ASN1_INLINE, offsetof(CRMFCertRequest, certTemplate), 
+      CRMFCertTemplateTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+      offsetof(CRMFCertRequest,controls), 
+      CRMFControlTemplate}, /* SEQUENCE SIZE (1...MAX)*/
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertReqMsgTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertReqMsg) },
+    { SEC_ASN1_POINTER, offsetof(CRMFCertReqMsg, certReq),
+      CRMFCertRequestTemplate },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+      offsetof(CRMFCertReqMsg, derPOP) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+      offsetof(CRMFCertReqMsg, regInfo), 
+      CRMFAttributeTemplate}, /* SEQUENCE SIZE (1...MAX)*/
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, offsetof(CRMFCertReqMessages, messages), 
+      CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
+};
+
+static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | 0,
+      offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
+      offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKeyInput, publicKey), 
+      SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN, 
+      0,
+      SEC_ASN1_SUB(SEC_NullTemplate) },
+    { 0 }
+};
+
+
+/* This template will need to add POPOSigningKeyInput eventually, maybe*/
+static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 0,
+      offsetof(CRMFPOPOSigningKey, derInput), 
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, signature),
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      0,
+      crmfPOPOSigningKeyTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFThisMessageTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      0,
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFSubsequentMessageTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+      0, 
+      SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFDHMACTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+      0,
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+      0,
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 3,
+      0,
+      SEC_ASN1_SUB(SEC_AnyTemplate)},
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFEncryptedValue)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 0,
+      offsetof(CRMFEncryptedValue, intendedAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 1,
+      offsetof (CRMFEncryptedValue, symmAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
+      SEC_ASN1_XTRN | 2, 
+      offsetof(CRMFEncryptedValue, encSymmKey), 
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 3,
+      offsetof(CRMFEncryptedValue, keyAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 4,
+      offsetof(CRMFEncryptedValue, valueHint),
+      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | 0,
+      0,
+      CRMFEncryptedValueTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
+    { SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
+      offsetof(CRMFSinglePubInfo, pubLocation) },
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={ 
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
+    { SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
+    { SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
+      CRMFSinglePubInfoTemplate},
+    { 0 }
+};
diff --git a/security/nss/lib/crmf/encutil.c b/security/nss/lib/crmf/encutil.c
new file mode 100644
index 000000000..2e324b681
--- /dev/null
+++ b/security/nss/lib/crmf/encutil.c
@@ -0,0 +1,66 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secasn1.h"
+#include "crmf.h"
+#include "crmfi.h"
+
+void
+crmf_encoder_out(void *arg, const char *buf, unsigned long len,
+		 int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct crmfEncoderOutput *output;
+
+    output = (struct crmfEncoderOutput*) arg;
+    output->fn (output->outputArg, buf, len);
+}
+
+SECStatus
+cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
+		 const SEC_ASN1Template *inTemplate)
+{
+    struct crmfEncoderOutput output;
+
+    PORT_Assert(src != NULL);
+    if (src == NULL) {
+        return SECFailure;
+    }
+    output.fn        = inCallback;
+    output.outputArg = inArg;
+    return SEC_ASN1Encode(src, inTemplate, crmf_encoder_out, &output);    
+}
+
diff --git a/security/nss/lib/crmf/manifest.mn b/security/nss/lib/crmf/manifest.mn
new file mode 100644
index 000000000..dabc8d5c7
--- /dev/null
+++ b/security/nss/lib/crmf/manifest.mn
@@ -0,0 +1,78 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+EXPORTS = \
+	crmf.h	\
+	crmft.h	\
+	cmmf.h  \
+	cmmft.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	crmfi.h   \
+	crmfit.h  \
+	cmmfi.h   \
+	cmmfit.h  \
+	$(NULL)
+
+CSRCS = crmfenc.c	\
+	crmftmpl.c	\
+	crmfreq.c	\
+	crmfpop.c	\
+	crmfdec.c	\
+	crmfget.c	\
+	crmfcont.c	\
+	cmmfasn1.c	\
+	cmmfresp.c	\
+	cmmfrec.c	\
+	cmmfchal.c	\
+	servget.c	\
+	encutil.c	\
+	respcli.c	\
+	respcmn.c	\
+	challcli.c	\
+	asn1cmn.c	\
+	$(NULL)
+
+LIBRARY_NAME = crmf
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/crmf/respcli.c b/security/nss/lib/crmf/respcli.c
new file mode 100644
index 000000000..e1176a797
--- /dev/null
+++ b/security/nss/lib/crmf/respcli.c
@@ -0,0 +1,169 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+/*
+ * This file will contain all routines needed by a client that has 
+ * to parse a CMMFCertRepContent structure and retirieve the appropriate
+ * data.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+
+CMMFCertRepContent*
+CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
+				 long len)
+{
+    PRArenaPool        *poolp;
+    CMMFCertRepContent *certRepContent;
+    SECStatus           rv;
+    int                 i;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    certRepContent = PORT_ArenaZNew(poolp, CMMFCertRepContent);
+    if (certRepContent == NULL) {
+        goto loser;
+    }
+    certRepContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certRepContent, CMMFCertRepContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (certRepContent->response != NULL) {
+        for (i=0; certRepContent->response[i] != NULL; i++) {
+	    rv = cmmf_decode_process_cert_response(poolp, db,
+					       certRepContent->response[i]);
+	    if (rv != SECSuccess) {
+	        goto loser;
+	    }
+	}
+    }
+    certRepContent->isDecoded = PR_TRUE;
+    return certRepContent;
+ loser:
+    PORT_FreeArena(poolp, PR_FALSE);
+    return NULL;
+}
+
+long
+CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL) {
+        return -1;
+    }
+    return DER_GetInteger(&inCertResp->certReqId);
+}
+
+PRBool
+cmmf_CertRepContentIsIndexValid(CMMFCertRepContent *inCertRepContent,
+                                int                 inIndex)
+{
+    int numResponses;
+
+    PORT_Assert(inCertRepContent != NULL);
+    numResponses = CMMF_CertRepContentGetNumResponses(inCertRepContent);
+    return (PRBool)(inIndex >= 0 && inIndex < numResponses);
+}
+
+CMMFCertResponse*
+CMMF_CertRepContentGetResponseAtIndex(CMMFCertRepContent *inCertRepContent,
+				      int                 inIndex)
+{
+    CMMFCertResponse *certResponse;
+    SECStatus         rv;
+
+    PORT_Assert(inCertRepContent != NULL &&
+		cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex));
+    if (inCertRepContent == NULL ||
+	!cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) {
+        return NULL;
+    }
+    certResponse = PORT_ZNew(CMMFCertResponse);
+    rv = cmmf_CopyCertResponse(NULL, certResponse, 
+			       inCertRepContent->response[inIndex]);
+    if (rv != SECSuccess) {
+        CMMF_DestroyCertResponse(certResponse);
+	certResponse = NULL;
+    }
+    return certResponse;
+}
+
+CMMFPKIStatus
+CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL) {
+        return cmmfNoPKIStatus;
+    }
+    return cmmf_PKIStatusInfoGetStatus(&inCertResp->status);
+}
+
+CERTCertificate*
+CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
+				CERTCertDBHandle *inCertdb)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL || inCertResp->certifiedKeyPair == NULL) {
+        return NULL;
+    }
+    
+    return cmmf_CertOrEncCertGetCertificate(
+		&inCertResp->certifiedKeyPair->certOrEncCert, inCertdb);
+				   
+}
+
+CERTCertList*
+CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent)
+{
+    PORT_Assert (inCertRepContent != NULL);
+    if (inCertRepContent == NULL || inCertRepContent->caPubs == NULL) {
+        return NULL;
+    }
+    return cmmf_MakeCertList(inCertRepContent->caPubs);
+}
+
diff --git a/security/nss/lib/crmf/respcmn.c b/security/nss/lib/crmf/respcmn.c
new file mode 100644
index 000000000..1152e74d0
--- /dev/null
+++ b/security/nss/lib/crmf/respcmn.c
@@ -0,0 +1,438 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "secder.h"
+
+SECStatus 
+cmmf_DestroyPKIStatusInfo (CMMFPKIStatusInfo *info, PRBool freeit)
+{
+    if (info->status.data != NULL) {
+        PORT_Free(info->status.data);
+        info->status.data = NULL;
+    }
+    if (info->statusString.data != NULL) {
+        PORT_Free(info->statusString.data);
+        info->statusString.data = NULL;
+    }
+    if (info->failInfo.data != NULL) {
+        PORT_Free(info->failInfo.data);
+        info->failInfo.data = NULL;
+    }
+    if (freeit) {
+        PORT_Free(info);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp != NULL) {
+        if (inCertResp->certReqId.data != NULL) {
+	    PORT_Free(inCertResp->certReqId.data);
+	}
+	cmmf_DestroyPKIStatusInfo(&inCertResp->status, PR_FALSE);
+	if (inCertResp->certifiedKeyPair != NULL) {
+	    CMMF_DestroyCertifiedKeyPair(inCertResp->certifiedKeyPair);
+	}
+	PORT_Free(inCertResp);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
+{
+    PORT_Assert(inCertRepContent != NULL);
+    if (inCertRepContent != NULL) {
+        CMMFCertResponse   **pResponse = inCertRepContent->response;
+        if (pResponse != NULL) {
+            for (; *pResponse != NULL; pResponse++) {
+	        CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair;
+		/* XXX Why not call CMMF_DestroyCertifiedKeyPair or
+		** XXX cmmf_DestroyCertOrEncCert ?  
+		*/
+                if (certKeyPair != NULL                    &&
+                    certKeyPair->certOrEncCert.choice == cmmfCertificate &&
+                    certKeyPair->certOrEncCert.cert.certificate != NULL) {
+                    CERT_DestroyCertificate
+                                 (certKeyPair->certOrEncCert.cert.certificate);
+		    certKeyPair->certOrEncCert.cert.certificate = NULL;
+                }
+            }
+        }
+	if (inCertRepContent->caPubs) {
+	    CERTCertificate     **caPubs = inCertRepContent->caPubs;
+	    for (; *caPubs; ++caPubs) {
+		CERT_DestroyCertificate(*caPubs);
+		*caPubs = NULL;
+	    }
+	}
+	if (inCertRepContent->poolp != NULL) {
+	    PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont)
+{
+    PORT_Assert(inDecKeyCont != NULL);
+    if (inDecKeyCont != NULL && inDecKeyCont->poolp) {
+        PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+crmf_create_prtime(SECItem *src, PRTime **dest)
+{
+   *dest = PORT_ZNew(PRTime);
+    return DER_DecodeTimeChoice(*dest, src);
+}
+
+CRMFCertExtension*
+crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension)
+{
+    PRBool             isCritical;
+    SECOidTag          id;
+    SECItem           *data;
+    CRMFCertExtension *newExt;
+
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return NULL;
+    }
+    id         = CRMF_CertExtensionGetOidTag(inExtension);
+    isCritical = CRMF_CertExtensionGetIsCritical(inExtension);
+    data       = CRMF_CertExtensionGetValue(inExtension);
+    newExt = crmf_create_cert_extension(poolp, id, 
+					isCritical,
+					data);
+    SECITEM_FreeItem(data, PR_TRUE);
+    return newExt;    
+}
+
+static SECItem*
+cmmf_encode_certificate(CERTCertificate *inCert)
+{
+    return SEC_ASN1EncodeItem(NULL, NULL, inCert, 
+			      SEC_ASN1_GET(SEC_SignedCertificateTemplate));
+}
+
+CERTCertList*
+cmmf_MakeCertList(CERTCertificate **inCerts)
+{
+    CERTCertList    *certList;
+    CERTCertificate *currCert;
+    SECItem         *derCert, *freeCert = NULL;
+    SECStatus        rv;
+    int              i;
+
+    certList = CERT_NewCertList();
+    if (certList == NULL) {
+        return NULL;
+    }
+    for (i=0; inCerts[i] != NULL; i++) {
+        derCert = &inCerts[i]->derCert;
+	if (derCert->data == NULL) {
+	    derCert = freeCert = cmmf_encode_certificate(inCerts[i]);
+	}
+	currCert=CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
+	                                 derCert, NULL, PR_FALSE, PR_TRUE);
+	if (freeCert != NULL) {
+	    SECITEM_FreeItem(freeCert, PR_TRUE);
+	    freeCert = NULL;
+	}
+	if (currCert == NULL) {
+	    goto loser;
+	}
+	rv = CERT_AddCertToListTail(certList, currCert);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return certList;
+ loser:
+    CERT_DestroyCertList(certList);
+    return NULL;
+}
+
+CMMFPKIStatus
+cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus)
+{
+    long derVal;
+
+    derVal = DER_GetInteger(&inStatus->status);
+    if (derVal == -1 || derVal < cmmfGranted || derVal >= cmmfNumPKIStatus) {
+        return cmmfNoPKIStatus;
+    }
+    return (CMMFPKIStatus)derVal;
+}
+
+int
+CMMF_CertRepContentGetNumResponses(CMMFCertRepContent *inCertRepContent)
+{
+    int numResponses = 0;
+    PORT_Assert (inCertRepContent != NULL);
+    if (inCertRepContent != NULL && inCertRepContent->response != NULL) {
+        while (inCertRepContent->response[numResponses] != NULL) {
+	    numResponses++;
+	}
+    }
+    return numResponses;
+}
+
+
+SECStatus
+cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, PRBool freeit)
+{
+    switch (certOrEncCert->choice) {
+    case cmmfCertificate:
+        CERT_DestroyCertificate(certOrEncCert->cert.certificate);
+	certOrEncCert->cert.certificate = NULL;
+	break;
+    case cmmfEncryptedCert:
+        crmf_destroy_encrypted_value(certOrEncCert->cert.encryptedCert,
+				     PR_TRUE);
+        certOrEncCert->cert.encryptedCert = NULL;
+	break;
+    default:
+        break;
+    }
+    if (freeit) {
+        PORT_Free(certOrEncCert);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
+{
+    SECStatus rv;
+
+    if (src->data != NULL) {
+        rv = SECITEM_CopyItem(poolp, dest, src);
+    } else {
+        dest->data = NULL;
+	dest->len  = 0;
+	rv = SECSuccess;
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair)
+{
+    PORT_Assert(inCertKeyPair != NULL);
+    if (inCertKeyPair != NULL) {
+        cmmf_DestroyCertOrEncCert(&inCertKeyPair->certOrEncCert, PR_FALSE);
+        if (inCertKeyPair->privateKey) {
+            crmf_destroy_encrypted_value(inCertKeyPair->privateKey, PR_TRUE);
+        }
+        if (inCertKeyPair->derPublicationInfo.data) {
+            PORT_Free(inCertKeyPair->derPublicationInfo.data);
+        }
+        PORT_Free(inCertKeyPair);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+cmmf_CopyCertResponse(PRArenaPool      *poolp, 
+		      CMMFCertResponse *dest,
+		      CMMFCertResponse *src)
+{
+    SECStatus rv;
+
+    if (src->certReqId.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &dest->certReqId, &src->certReqId);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    rv = cmmf_CopyPKIStatusInfo(poolp, &dest->status, &src->status);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (src->certifiedKeyPair != NULL) {
+	CMMFCertifiedKeyPair *destKeyPair;
+
+	destKeyPair = (poolp == NULL) ? PORT_ZNew(CMMFCertifiedKeyPair) :
+	                        PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
+	if (!destKeyPair) {
+	    return SECFailure;
+	}
+	rv = cmmf_CopyCertifiedKeyPair(poolp, destKeyPair,
+				       src->certifiedKeyPair);
+	if (rv != SECSuccess) {
+	    if (!poolp) {
+	        CMMF_DestroyCertifiedKeyPair(destKeyPair);
+	    }
+	    return rv;
+	}
+	dest->certifiedKeyPair = destKeyPair;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+cmmf_CopyCertOrEncCert(PRArenaPool *poolp, CMMFCertOrEncCert *dest,
+		       CMMFCertOrEncCert *src)
+{
+    SECStatus           rv = SECSuccess;
+    CRMFEncryptedValue *encVal;
+
+    dest->choice = src->choice;
+    rv = cmmf_copy_secitem(poolp, &dest->derValue, &src->derValue);
+    switch (src->choice) {
+    case cmmfCertificate:
+        dest->cert.certificate = CERT_DupCertificate(src->cert.certificate);
+	break;
+    case cmmfEncryptedCert:
+ 	encVal = (poolp == NULL) ? PORT_ZNew(CRMFEncryptedValue) :
+	                           PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (encVal == NULL) {
+	    return SECFailure;
+	}
+        rv = crmf_copy_encryptedvalue(poolp, src->cert.encryptedCert, encVal);
+	if (rv != SECSuccess) {
+	    if (!poolp) {
+	        crmf_destroy_encrypted_value(encVal, PR_TRUE);
+	    }
+	    return rv;
+	}
+	dest->cert.encryptedCert = encVal;        
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus
+cmmf_CopyCertifiedKeyPair(PRArenaPool *poolp, CMMFCertifiedKeyPair *dest,
+			  CMMFCertifiedKeyPair *src)
+{
+    SECStatus rv;
+
+    rv = cmmf_CopyCertOrEncCert(poolp, &dest->certOrEncCert, 
+				&src->certOrEncCert);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
+    if (src->privateKey != NULL) {
+	CRMFEncryptedValue *encVal;
+
+	encVal = (poolp == NULL) ? PORT_ZNew(CRMFEncryptedValue) :
+	                           PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (encVal == NULL) {
+	    return SECFailure;
+	}
+	rv = crmf_copy_encryptedvalue(poolp, src->privateKey, 
+				      encVal);
+	if (rv != SECSuccess) {
+	    if (!poolp) {
+	        crmf_destroy_encrypted_value(encVal, PR_TRUE);
+	    }
+	    return rv;
+	}
+	dest->privateKey = encVal;
+    }
+    rv = cmmf_copy_secitem(poolp, &dest->derPublicationInfo, 
+			   &src->derPublicationInfo);
+    return rv;
+}
+
+SECStatus
+cmmf_CopyPKIStatusInfo(PRArenaPool *poolp, CMMFPKIStatusInfo *dest,
+		       CMMFPKIStatusInfo *src)
+{
+    SECStatus rv;
+
+    rv = cmmf_copy_secitem (poolp, &dest->status, &src->status);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    rv = cmmf_copy_secitem (poolp, &dest->statusString, &src->statusString);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    rv = cmmf_copy_secitem (poolp, &dest->failInfo, &src->failInfo);
+    return rv;
+}
+
+CERTCertificate*
+cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
+				 CERTCertDBHandle  *certdb)
+{
+    if (certOrEncCert->choice           != cmmfCertificate || 
+	certOrEncCert->cert.certificate == NULL) {
+        return NULL;
+    }
+    return CERT_NewTempCertificate(certdb,
+				   &certOrEncCert->cert.certificate->derCert,
+				   NULL, PR_FALSE, PR_TRUE);
+}
+
+SECStatus 
+cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
+			    PRArenaPool          *poolp,
+			    CMMFPKIStatus         inStatus)
+{
+    SECItem *dummy;
+    
+    if (inStatus <cmmfGranted || inStatus >= cmmfNumPKIStatus) {
+        return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(poolp, &statusInfo->status, inStatus); 
+    PORT_Assert(dummy == &statusInfo->status);
+    if (dummy != &statusInfo->status) {
+        SECITEM_FreeItem(dummy, PR_TRUE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
diff --git a/security/nss/lib/crmf/servget.c b/security/nss/lib/crmf/servget.c
new file mode 100644
index 000000000..85be9e556
--- /dev/null
+++ b/security/nss/lib/crmf/servget.c
@@ -0,0 +1,1009 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "keyhi.h"
+#include "secder.h"
+
+CRMFEncryptedKeyChoice
+CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey)
+{
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey == NULL) {
+        return crmfNoEncryptedKeyChoice;
+    }
+    return inEncrKey->encKeyChoice;
+}
+
+CRMFEncryptedValue*
+CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inEncrKey)
+{
+    CRMFEncryptedValue *newEncrValue = NULL;
+    SECStatus           rv;
+
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey == NULL ||
+	CRMF_EncryptedKeyGetChoice(inEncrKey) != crmfEncryptedValueChoice) {
+        goto loser;
+    }
+    newEncrValue = PORT_ZNew(CRMFEncryptedValue);
+    if (newEncrValue == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_encryptedvalue(NULL, &inEncrKey->value.encryptedValue,
+				  newEncrValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newEncrValue;
+ loser:
+    if (newEncrValue != NULL) {
+        CRMF_DestroyEncryptedValue(newEncrValue);
+    }
+    return NULL;
+}
+
+static SECItem*
+crmf_get_encvalue_bitstring(SECItem *srcItem)
+{
+    SECItem   *newItem = NULL;
+    SECStatus rv;
+    
+    if (srcItem->data == NULL) {
+        return NULL;
+    }
+    newItem = PORT_ZNew(SECItem);
+    if (newItem == NULL) {
+        goto loser;
+    }
+    rv = crmf_make_bitstring_copy(NULL, newItem, srcItem);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newItem;
+ loser:
+    if (newItem != NULL) {
+        SECITEM_FreeItem(newItem, PR_TRUE);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_bitstring(&inEncValue->encSymmKey);
+}
+
+SECItem*
+CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncrValue)
+{
+    if (inEncrValue == NULL || inEncrValue->encValue.data == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_bitstring(&inEncrValue->encValue);
+}
+
+static SECAlgorithmID*
+crmf_get_encvalue_algid(SECAlgorithmID *srcAlg)
+{
+    SECStatus       rv;
+    SECAlgorithmID *newAlgID;
+    
+    if (srcAlg == NULL) {
+        return NULL;
+    }
+    rv = crmf_copy_encryptedvalue_secalg(NULL, srcAlg, &newAlgID);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+    return newAlgID;
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->intendedAlg);
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->keyAlg);
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->symmAlg);
+}
+
+SECItem*
+CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL || inEncValue->valueHint.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inEncValue->valueHint);
+}
+
+SECStatus
+CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt, 
+					      PRBool                *destVal)
+{
+    if (inOpt == NULL || destVal == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOpt) != crmfArchiveRemGenPrivKey){
+        return SECFailure;
+    }
+    *destVal = (inOpt->option.archiveRemGenPrivKey.data[0] == hexFalse) 
+                                                                 ? PR_FALSE:
+                                                                   PR_TRUE;
+    return SECSuccess;
+}
+			     
+CRMFEncryptedKey*
+CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts)
+{
+    CRMFEncryptedKey *newEncrKey = NULL;
+    SECStatus         rv;
+
+    PORT_Assert(inOpts != NULL);
+    if (inOpts == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOpts) != crmfEncryptedPrivateKey){
+        return NULL;
+    }
+    newEncrKey = PORT_ZNew(CRMFEncryptedKey);
+    if (newEncrKey == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_encryptedkey(NULL, &inOpts->option.encryptedKey,
+				newEncrKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newEncrKey;
+ loser:
+    if (newEncrKey != NULL) {
+        CRMF_DestroyEncryptedKey(newEncrKey);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions)
+{
+    if (inOptions == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOptions) != crmfKeyGenParameters ||
+	inOptions->option.keyGenParameters.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inOptions->option.keyGenParameters);
+}
+
+CRMFPKIArchiveOptionsType
+CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions)
+{
+    PORT_Assert (inOptions != NULL);
+    if (inOptions == NULL) {
+        return crmfNoArchiveOptions;
+    }
+    return inOptions->archOption;
+}
+
+static SECStatus
+crmf_extract_long_from_item(SECItem *intItem, long *destLong)
+{
+    *destLong = DER_GetInteger(intItem);
+    return (*destLong == -1) ? SECFailure : SECSuccess;
+}
+
+SECStatus
+CRMF_POPOPrivGetKeySubseqMess(CRMFPOPOPrivKey       *inKey,
+			      CRMFSubseqMessOptions *destOpt)
+{
+    long      value;
+    SECStatus rv;
+
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL ||
+	inKey->messageChoice != crmfSubsequentMessage) {
+        return SECFailure;
+    }
+    rv = crmf_extract_long_from_item(&inKey->message.subsequentMessage,&value);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    switch (value) {
+    case 0:
+        *destOpt = crmfEncrCert;
+	break;
+    case 1:
+        *destOpt = crmfChallengeResp;
+	break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    return SECSuccess;
+}
+
+CRMFPOPOPrivKeyChoice
+CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inPrivKey)
+{
+    PORT_Assert(inPrivKey != NULL);
+    if (inPrivKey != NULL) {
+        return inPrivKey->messageChoice;
+    }
+    return crmfNoMessage;
+}
+
+SECStatus
+CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey, SECItem *destMAC)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL || inKey->message.dhMAC.data == NULL) {
+        return SECFailure;
+    }
+    return crmf_make_bitstring_copy(NULL, destMAC, &inKey->message.dhMAC);
+}
+
+SECStatus
+CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
+			       SECItem          *destString)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL           ||
+	inKey->messageChoice != crmfThisMessage) {
+        return SECFailure;
+    }
+
+    return crmf_make_bitstring_copy(NULL, destString, 
+				    &inKey->message.thisMessage);
+}
+
+SECAlgorithmID*
+CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey)
+{
+    SECAlgorithmID *newAlgId = NULL;
+    SECStatus       rv;
+
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL) {
+        return NULL;
+    }
+    newAlgId = PORT_ZNew(SECAlgorithmID);
+    if (newAlgId == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(NULL, newAlgId, 
+				inSignKey->algorithmIdentifier);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newAlgId;
+
+ loser:
+    if (newAlgId != NULL) {
+        SECOID_DestroyAlgorithmID(newAlgId, PR_TRUE);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey)
+{
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL || inSignKey->derInput.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inSignKey->derInput);
+}
+
+SECItem*
+CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey)
+{
+    SECItem   *newSig = NULL;
+    SECStatus  rv;
+
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL) {
+        return NULL;
+    }
+    newSig = PORT_ZNew(SECItem);
+    if (newSig == NULL) {
+        goto loser;
+    }
+    rv = crmf_make_bitstring_copy(NULL, newSig, &inSignKey->signature);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newSig;
+ loser:
+    if (newSig != NULL) {
+        SECITEM_FreeItem(newSig, PR_TRUE);
+    }
+    return NULL;
+}
+
+static SECStatus 
+crmf_copy_poposigningkey(PRArenaPool        *poolp, 
+			 CRMFPOPOSigningKey *inPopoSignKey,
+			 CRMFPOPOSigningKey *destPopoSignKey)
+{
+    SECStatus rv;
+
+    /* We don't support use of the POPOSigningKeyInput, so we'll only 
+     * store away the DER encoding.
+     */
+    if (inPopoSignKey->derInput.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput, 
+			      &inPopoSignKey->derInput);
+    }
+    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ? 
+                                         PORT_ZNew(SECAlgorithmID) :
+                                         PORT_ArenaZNew(poolp, SECAlgorithmID);
+
+    if (destPopoSignKey->algorithmIdentifier == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
+				inPopoSignKey->algorithmIdentifier);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    
+    rv = crmf_make_bitstring_copy(poolp, &destPopoSignKey->signature, 
+				  &inPopoSignKey->signature);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (poolp == NULL) {
+        CRMF_DestroyPOPOSigningKey(destPopoSignKey);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_popoprivkey(PRArenaPool     *poolp,
+		      CRMFPOPOPrivKey *srcPrivKey,
+		      CRMFPOPOPrivKey *destPrivKey)
+{
+    SECStatus        rv;
+
+    destPrivKey->messageChoice = srcPrivKey->messageChoice;
+    switch (destPrivKey->messageChoice) {
+    case crmfThisMessage:
+    case crmfDHMAC:
+        /* I've got a union, so taking the address of one, will also give
+	 * me a pointer to the other (eg, message.dhMAC)
+	 */
+        rv = crmf_make_bitstring_copy(poolp, &destPrivKey->message.thisMessage,
+				      &srcPrivKey->message.thisMessage);
+	break;
+    case crmfSubsequentMessage:
+        rv = SECITEM_CopyItem(poolp, &destPrivKey->message.subsequentMessage,
+			      &srcPrivKey->message.subsequentMessage);
+	break;
+    default:
+        rv = SECFailure;
+    }
+
+    if (rv != SECSuccess && poolp == NULL) {
+        CRMF_DestroyPOPOPrivKey(destPrivKey);
+    }
+    return rv;
+}
+
+static CRMFProofOfPossession*
+crmf_copy_pop(PRArenaPool *poolp, CRMFProofOfPossession *srcPOP)
+{
+    CRMFProofOfPossession *newPOP;
+    SECStatus              rv;
+
+    /* 
+     * Proof Of Possession structures are always part of the Request
+     * message, so there will always be an arena for allocating memory.
+     */
+    if (poolp == NULL) {
+        return NULL;
+    }
+    newPOP = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (newPOP == NULL) {
+        return NULL;
+    }
+    switch (srcPOP->popUsed) {
+    case crmfRAVerified:
+        newPOP->popChoice.raVerified.data = NULL;
+	newPOP->popChoice.raVerified.len  = 0;
+	break;
+    case crmfSignature:
+        rv = crmf_copy_poposigningkey(poolp, &srcPOP->popChoice.signature,
+				      &newPOP->popChoice.signature);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	break;
+    case crmfKeyEncipherment:
+    case crmfKeyAgreement:
+        /* We've got a union, so a pointer to one, is a pointer to the
+	 * other one.
+	 */
+        rv = crmf_copy_popoprivkey(poolp, &srcPOP->popChoice.keyEncipherment,
+				   &newPOP->popChoice.keyEncipherment);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	break;
+    default:
+        goto loser;
+    }
+    newPOP->popUsed = srcPOP->popUsed;
+    return newPOP;
+
+ loser:
+    return NULL;
+}
+
+static CRMFCertReqMsg*
+crmf_copy_cert_req_msg(CRMFCertReqMsg *srcReqMsg)
+{
+    CRMFCertReqMsg *newReqMsg;
+    PRArenaPool    *poolp;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    newReqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
+    if (newReqMsg == NULL) {
+        goto loser;
+    }
+
+    newReqMsg->poolp = poolp;
+    newReqMsg->certReq = crmf_copy_cert_request(poolp, srcReqMsg->certReq);
+    if (newReqMsg->certReq == NULL) {
+        goto loser;
+    }
+    newReqMsg->pop = crmf_copy_pop(poolp, srcReqMsg->pop);
+    if (newReqMsg->pop == NULL) {
+        goto loser;
+    }
+    /* None of my set/get routines operate on the regInfo field, so
+     * for now, that won't get copied over.
+     */
+    return newReqMsg;
+
+ loser:
+    if (newReqMsg != NULL) {
+        CRMF_DestroyCertReqMsg(newReqMsg);
+    }
+    return NULL;
+}
+
+CRMFCertReqMsg*
+CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
+					 int                  index)
+{
+    int numMsgs;
+
+    PORT_Assert(inReqMsgs != NULL && index >= 0);
+    if (inReqMsgs == NULL) {
+        return NULL;
+    }
+    numMsgs = CRMF_CertReqMessagesGetNumMessages(inReqMsgs);
+    if (index < 0 || index >= numMsgs) {
+        return NULL;
+    }
+    return crmf_copy_cert_req_msg(inReqMsgs->messages[index]);
+}
+
+int
+CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs)
+{
+    int numMessages = 0;
+
+    PORT_Assert(inCertReqMsgs != NULL);
+    if (inCertReqMsgs == NULL) {
+        return 0;
+    }
+    while (inCertReqMsgs->messages[numMessages] != NULL) {
+        numMessages++;
+    }
+    return numMessages;
+}
+
+CRMFCertRequest*
+CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg)
+{
+    PRArenaPool     *poolp      = NULL;
+    CRMFCertRequest *newCertReq = NULL;
+
+    PORT_Assert(inCertReqMsg != NULL);
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    newCertReq = crmf_copy_cert_request(poolp, inCertReqMsg->certReq);
+    if (newCertReq == NULL) {
+        goto loser;
+    }
+    newCertReq->poolp = poolp;
+    return newCertReq;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, long *destID)
+{
+    PORT_Assert(inCertReqMsg != NULL && destID != NULL);
+    if (inCertReqMsg == NULL || inCertReqMsg->certReq == NULL) {
+        return SECFailure;
+    }
+    return crmf_extract_long_from_item(&inCertReqMsg->certReq->certReqId, 
+				       destID);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
+				  CRMFPOPOPrivKey **destKey)
+{
+    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
+    if (inCertReqMsg == NULL || destKey == NULL ||
+	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyAgreement) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
+    if (*destKey == NULL) {
+        return SECFailure;
+    }
+    return crmf_copy_popoprivkey(NULL,
+				 &inCertReqMsg->pop->popChoice.keyAgreement,
+				 *destKey);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
+				     CRMFPOPOPrivKey **destKey)
+{
+    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
+    if (inCertReqMsg == NULL || destKey == NULL ||
+	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyEncipherment) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
+    if (destKey == NULL) {
+       return SECFailure;
+    }
+    return crmf_copy_popoprivkey(NULL,
+				 &inCertReqMsg->pop->popChoice.keyEncipherment,
+				 *destKey);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
+				 CRMFPOPOSigningKey **destKey)
+{
+    CRMFProofOfPossession *pop;
+    PORT_Assert(inCertReqMsg != NULL);
+    if (inCertReqMsg  == NULL) {
+        return SECFailure;
+    }
+    pop = inCertReqMsg->pop;;
+    if (pop->popUsed != crmfSignature) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOSigningKey);
+    if (*destKey == NULL) {
+        return SECFailure;
+    }
+    return crmf_copy_poposigningkey(NULL,&pop->popChoice.signature, *destKey);
+}
+
+static SECStatus
+crmf_copy_name(CERTName *destName, CERTName *srcName)
+{
+  PRArenaPool *poolp = NULL;
+  SECStatus rv;
+
+  if (destName->arena != NULL) {
+    poolp = destName->arena;
+  } else {
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+  }
+  if (poolp == NULL) {
+    return SECFailure;
+  }
+  /* Need to do this so that CERT_CopyName doesn't free out
+   * the arena from underneath us.
+   */
+  destName->arena = NULL;
+  rv = CERT_CopyName(poolp, destName, srcName); 
+  destName->arena = poolp;
+  return rv;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
+				      CERTName        *destIssuer)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuer)) {
+        return crmf_copy_name(destIssuer, 
+			      inCertReq->certTemplate.issuer);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
+					 SECItem         *destIssuerUID)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuerUID)) {
+        return crmf_make_bitstring_copy(NULL, destIssuerUID,
+					&inCertReq->certTemplate.issuerUID);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest          *inCertReq,
+				       CERTSubjectPublicKeyInfo *destPublicKey)
+{
+    PORT_Assert (inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfPublicKey)) {
+        return SECKEY_CopySubjectPublicKeyInfo(NULL, destPublicKey,
+					inCertReq->certTemplate.publicKey);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
+					    long            *serialNumber)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSerialNumber)) {
+        return 
+	  crmf_extract_long_from_item(&inCertReq->certTemplate.serialNumber,
+				      serialNumber);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
+					  SECAlgorithmID  *destAlg)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSigningAlg)) {
+        return SECOID_CopyAlgorithmID(NULL, destAlg, 
+				      inCertReq->certTemplate.signingAlg);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq,
+				       CERTName        *destSubject)
+{
+  PORT_Assert(inCertReq != NULL);
+  if (inCertReq == NULL) {
+      return SECFailure;
+  }
+  if (CRMF_DoesRequestHaveField(inCertReq, crmfSubject)) {
+      return crmf_copy_name(destSubject, inCertReq->certTemplate.subject);
+  }
+  return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
+					  SECItem         *destSubjectUID)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSubjectUID)) {
+        return crmf_make_bitstring_copy(NULL, destSubjectUID, 
+					&inCertReq->certTemplate.subjectUID);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
+				       long            *version)
+{
+    PORT_Assert (inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfVersion)) {
+        return crmf_extract_long_from_item(&inCertReq->certTemplate.version,
+					   version);
+    } 
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_validity(CRMFGetValidity      *destValidity,
+		   CRMFOptionalValidity *src)
+{
+    SECStatus rv;
+    
+    destValidity->notBefore = destValidity->notAfter = NULL;
+    if (src->notBefore.data != NULL) {
+        rv = crmf_create_prtime(&src->notBefore, 
+				&destValidity->notBefore);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    if (src->notAfter.data != NULL) {
+        rv = crmf_create_prtime(&src->notAfter,
+				&destValidity->notAfter);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
+					CRMFGetValidity *destValidity)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfValidity)) {
+        return crmf_copy_validity(destValidity, 
+				  inCertReq->certTemplate.validity);
+    }
+    return SECFailure;
+}
+
+CRMFControl*
+CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, int index)
+{
+    CRMFControl *newControl, *srcControl;
+    int          numControls;
+    SECStatus    rv;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return NULL;
+    }
+    numControls = CRMF_CertRequestGetNumControls(inCertReq);
+    if (index >= numControls || index < 0) {
+        return NULL;
+    }
+    newControl = PORT_ZNew(CRMFControl);
+    if (newControl == NULL) {
+        return NULL;
+    }
+    srcControl = inCertReq->controls[index];
+    newControl->tag = srcControl->tag;
+    rv = SECITEM_CopyItem (NULL, &newControl->derTag, &srcControl->derTag);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SECITEM_CopyItem(NULL, &newControl->derValue, 
+			  &srcControl->derValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Copy over the PKIArchiveOptions stuff */
+    switch (srcControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        /* No further processing necessary for these types. */
+        rv = SECSuccess;
+	break;
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        /* These aren't supported yet, so no post-processing will
+	 * be done at this time.  But we don't want to fail in case
+	 * we read in DER that has one of these options.
+	 */
+        rv = SECSuccess;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        rv = crmf_copy_pkiarchiveoptions(NULL, 
+					 &newControl->value.archiveOptions,
+					 &srcControl->value.archiveOptions);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newControl;
+ loser:
+    if (newControl != NULL) {
+        CRMF_DestroyControl(newControl);
+    }
+    return NULL;
+}
+
+static SECItem*
+crmf_copy_control_value(CRMFControl *inControl)
+{
+    return SECITEM_DupItem(&inControl->derValue);
+}
+
+SECItem*
+CRMF_ControlGetAuthenticatorControlValue(CRMFControl *inControl)
+{
+    PORT_Assert (inControl!= NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfAuthenticatorControl) {
+        return NULL;
+    }
+    return crmf_copy_control_value(inControl);
+}
+
+CRMFControlType
+CRMF_ControlGetControlType(CRMFControl *inControl)
+{
+    CRMFControlType retType;
+
+    PORT_Assert(inControl != NULL);
+    switch (inControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+        retType = crmfRegTokenControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        retType = crmfAuthenticatorControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+        retType = crmfPKIPublicationInfoControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        retType = crmfPKIArchiveOptionsControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+        retType = crmfOldCertIDControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        retType = crmfProtocolEncrKeyControl;
+	break;
+    default:
+        retType = crmfNoControl;
+    }
+    return retType;
+}
+
+CRMFPKIArchiveOptions*
+CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl)
+{
+    CRMFPKIArchiveOptions *newOpt = NULL;
+    SECStatus rv;
+
+    PORT_Assert(inControl != NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfPKIArchiveOptionsControl){
+        goto loser;
+    }
+    newOpt = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newOpt == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_pkiarchiveoptions(NULL, newOpt, 
+				     &inControl->value.archiveOptions);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+ loser:
+    if (newOpt != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newOpt);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl)
+{
+    PORT_Assert(inControl != NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfRegTokenControl) {
+        return NULL;
+    }
+    return crmf_copy_control_value(inControl);;
+}
+
+CRMFCertExtension*
+CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
+				    int              index)
+{
+    int numExtensions;
+
+    PORT_Assert(inCertReq != NULL);
+    numExtensions = CRMF_CertRequestGetNumberOfExtensions(inCertReq);
+    if (index >= numExtensions || index < 0) {
+        return NULL;
+    }
+    return 
+      crmf_copy_cert_extension(NULL, 
+			       inCertReq->certTemplate.extensions[index]);
+}
+
diff --git a/security/nss/lib/cryptohi/Makefile b/security/nss/lib/cryptohi/Makefile
new file mode 100644
index 000000000..e0c68c26e
--- /dev/null
+++ b/security/nss/lib/cryptohi/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+export:: private_export
+
diff --git a/security/nss/lib/cryptohi/config.mk b/security/nss/lib/cryptohi/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/lib/cryptohi/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
new file mode 100644
index 000000000..df33fb947
--- /dev/null
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -0,0 +1,401 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _CRYPTOHI_H_
+#define _CRYPTOHI_H_
+
+#include "blapit.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "cryptoht.h"
+#include "keyt.h"
+#include "certt.h"
+
+
+SEC_BEGIN_PROTOS
+
+
+/****************************************/
+/*
+** DER encode/decode (EC)DSA signatures
+*/
+
+/* ANSI X9.57 defines DSA signatures as DER encoded data.  Our DSA code (and
+ * most of the rest of the world) just generates 40 bytes of raw data.  These
+ * functions convert between formats.
+ */
+extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src);
+extern SECItem *DSAU_DecodeDerSig(const SECItem *item);
+
+/*
+ * Unlike DSA, raw ECDSA signatures do not have a fixed length.
+ * Rather they contain two integers r and s whose length depends
+ * on the size of the EC key used for signing.
+ *
+ * We can reuse the DSAU_EncodeDerSig interface to DER encode
+ * raw ECDSA signature keeping in mind that the length of r 
+ * is the same as that of s and exactly half of src->len.
+ *
+ * For decoding, we need to pass the length of the desired
+ * raw signature (twice the key size) explicitly.
+ */
+extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, 
+					  unsigned int len);
+extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len);
+
+/****************************************/
+/*
+** Signature creation operations
+*/
+
+/*
+** Create a new signature context used for signing a data stream.
+**	"alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5)
+**	"privKey" the private key to use
+*/
+extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
+
+/*
+** Destroy a signature-context object
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
+
+/*
+** Reset the signing context "cx" to its initial state, preparing it for
+** another stream of data.
+*/
+extern SECStatus SGN_Begin(SGNContext *cx);
+
+/*
+** Update the signing context with more data to sign.
+**	"cx" the context
+**	"input" the input data to sign
+**	"inputLen" the length of the input data
+*/
+extern SECStatus SGN_Update(SGNContext *cx, unsigned char *input,
+			   unsigned int inputLen);
+
+/*
+** Finish the signature process. Use either k0 or k1 to sign the data
+** stream that was input using SGN_Update. The resulting signature is
+** formatted using PKCS#1 and then encrypted using RSA private or public
+** encryption.
+**	"cx" the context
+**	"result" the final signature data (memory is allocated)
+*/
+extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
+
+/*
+** Sign a single block of data using private key encryption and given
+** signature/hash algorithm.
+**	"result" the final signature data (memory is allocated)
+**	"buf" the input data to sign
+**	"len" the amount of data to sign
+**	"pk" the private key to encrypt with
+**	"algid" the signature/hash algorithm to sign with 
+**		(must be compatible with the key type).
+*/
+extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
+			     SECKEYPrivateKey *pk, SECOidTag algid);
+
+/*
+** Sign a pre-digested block of data using private key encryption, encoding
+**  The given signature/hash algorithm.
+**	"result" the final signature data (memory is allocated)
+**	"digest" the digest to sign
+**	"pk" the private key to encrypt with
+**	"algtag" The algorithm tag to encode (need for RSA only)
+*/
+extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
+                SECOidTag algtag, SECItem *result, SECItem *digest);
+
+/*
+** DER sign a single block of data using private key encryption and the
+** MD5 hashing algorithm. This routine first computes a digital signature
+** using SEC_SignData, then wraps it with an CERTSignedData and then der
+** encodes the result.
+**	"arena" is the memory arena to use to allocate data from
+** 	"result" the final der encoded data (memory is allocated)
+** 	"buf" the input data to sign
+** 	"len" the amount of data to sign
+** 	"pk" the private key to encrypt with
+*/
+extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
+				unsigned char *buf, int len,
+				SECKEYPrivateKey *pk, SECOidTag algid);
+
+/*
+** Destroy a signed-data object.
+**	"sd" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
+
+/*
+** Get the signature algorithm tag number for the given key type and hash
+** algorithm tag. Returns SEC_OID_UNKNOWN if key type and hash algorithm
+** do not match or are not supported.
+*/
+extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType,
+                                                 SECOidTag hashAlgTag);
+
+/****************************************/
+/*
+** Signature verification operations
+*/
+
+/*
+** Create a signature verification context. This version is deprecated,
+**  This function is deprecated. Use VFY_CreateContextDirect or 
+**  VFY_CreateContextWithAlgorithmID instead.
+**	"key" the public key to verify with
+**	"sig" the encrypted signature data if sig is NULL then
+**	   VFY_EndWithSignature must be called with the correct signature at
+**	   the end of the processing.
+**	"sigAlg" specifies the signing algorithm to use (including the 
+**         hash algorthim).  This must match the key type.
+**	"wincx" void pointer to the window context
+*/
+extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig,
+				     SECOidTag sigAlg, void *wincx);
+/*
+** Create a signature verification context.
+**	"key" the public key to verify with
+**	"sig" the encrypted signature data if sig is NULL then
+**	   VFY_EndWithSignature must be called with the correct signature at
+**	   the end of the processing.
+**	"pubkAlg" specifies the cryptographic signing algorithm to use (the
+**         raw algorithm without any hash specified.  This must match the key 
+**         type.
+**	"hashAlg" specifies the hashing algorithm used. If the key is an 
+**	   RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN.
+**	   the hash is selected from data in the sig.
+**	"hash" optional pointer to return the actual hash algorithm used.
+**	   in practice this should always match the passed in hashAlg (the
+**	   exception is the case where hashAlg is SEC_OID_UNKNOWN above).
+**         If this value is NULL no, hash oid is returned.
+**	"wincx" void pointer to the window context
+*/
+extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key,
+					   const SECItem *sig,
+	     				   SECOidTag pubkAlg, 
+					   SECOidTag hashAlg, 
+					   SECOidTag *hash, void *wincx);
+/*
+** Create a signature verification context from a algorithm ID.
+**	"key" the public key to verify with
+**	"sig" the encrypted signature data if sig is NULL then
+**	   VFY_EndWithSignature must be called with the correct signature at
+**	   the end of the processing.
+**	"algid" specifies the signing algorithm and parameters to use.
+**         This must match the key type.
+**      "hash" optional pointer to return the oid of the actual hash used in 
+**         the signature. If this value is NULL no, hash oid is returned.
+**	"wincx" void pointer to the window context
+*/
+extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, 
+				     const SECItem *sig,
+				     const SECAlgorithmID *algid, 
+				     SECOidTag *hash,
+				     void *wincx);
+
+/*
+** Destroy a verification-context object.
+**	"cx" the context to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit);
+
+extern SECStatus VFY_Begin(VFYContext *cx);
+
+/*
+** Update a verification context with more input data. The input data
+** is fed to a secure hash function (depending on what was in the
+** encrypted signature data).
+**	"cx" the context
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus VFY_Update(VFYContext *cx, const unsigned char *input,
+			    unsigned int inputLen);
+
+/*
+** Finish the verification process. The return value is a status which
+** indicates success or failure. On success, the SECSuccess value is
+** returned. Otherwise, SECFailure is returned and the error code found
+** using PORT_GetError() indicates what failure occurred.
+** 	"cx" the context
+*/
+extern SECStatus VFY_End(VFYContext *cx);
+
+/*
+** Finish the verification process. The return value is a status which
+** indicates success or failure. On success, the SECSuccess value is
+** returned. Otherwise, SECFailure is returned and the error code found
+** using PORT_GetError() indicates what failure occurred. If signature is
+** supplied the verification uses this signature to verify, otherwise the
+** signature passed in VFY_CreateContext() is used. 
+** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);.
+** 	"cx" the context
+** 	"sig" the encrypted signature data
+*/
+extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig);
+
+
+/*
+** Verify the signature on a block of data for which we already have
+** the digest. The signature data is an RSA private key encrypted
+** block of data formatted according to PKCS#1.
+**  This function is deprecated. Use VFY_VerifyDigestDirect or 
+**  VFY_VerifyDigestWithAlgorithmID instead.
+** 	"dig" the digest
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"sigAlg" specifies the signing algorithm to use.  This must match
+**	    the key type.
+**	"wincx" void pointer to the window context
+**/
+extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key,
+				  SECItem *sig, SECOidTag sigAlg, void *wincx);
+/*
+** Verify the signature on a block of data for which we already have
+** the digest. The signature data is an RSA private key encrypted
+** block of data formatted according to PKCS#1.
+** 	"dig" the digest
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"pubkAlg" specifies the cryptographic signing algorithm to use (the
+**         raw algorithm without any hash specified.  This must match the key 
+**         type.
+**	"hashAlg" specifies the hashing algorithm used.
+**	"wincx" void pointer to the window context
+**/
+extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, 
+					const SECKEYPublicKey *key,
+					const SECItem *sig, SECOidTag pubkAlg, 
+					SECOidTag hashAlg, void *wincx);
+/*
+** Verify the signature on a block of data for which we already have
+** the digest. The signature data is an RSA private key encrypted
+** block of data formatted according to PKCS#1.
+**	"key" the public key to verify with
+**	"sig" the encrypted signature data if sig is NULL then
+**	   VFY_EndWithSignature must be called with the correct signature at
+**	   the end of the processing.
+**	"algid" specifies the signing algorithm and parameters to use.
+**         This must match the key type.
+**      "hash" oid of the actual hash used to create digest. If this  value is
+**         not set to SEC_OID_UNKNOWN, it must match the hash of the signature.
+**	"wincx" void pointer to the window context
+*/
+extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, 
+				const SECKEYPublicKey *key, const SECItem *sig,
+				const SECAlgorithmID *algid, SECOidTag hash,
+				void *wincx);
+
+/*
+** Verify the signature on a block of data. The signature data is an RSA
+** private key encrypted block of data formatted according to PKCS#1.
+**   This function is deprecated. Use VFY_VerifyDataDirect or 
+**   VFY_VerifyDataWithAlgorithmID instead.
+** 	"buf" the input data
+** 	"len" the length of the input data
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"sigAlg" specifies the signing algorithm to use.  This must match
+**	    the key type.
+**	"wincx" void pointer to the window context
+*/
+extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
+				SECKEYPublicKey *key, SECItem *sig,
+				SECOidTag sigAlg, void *wincx);
+/*
+** Verify the signature on a block of data. The signature data is an RSA
+** private key encrypted block of data formatted according to PKCS#1.
+** 	"buf" the input data
+** 	"len" the length of the input data
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"pubkAlg" specifies the cryptographic signing algorithm to use (the
+**         raw algorithm without any hash specified.  This must match the key 
+**         type.
+**	"hashAlg" specifies the hashing algorithm used. If the key is an 
+**	   RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN.
+**	   the hash is selected from data in the sig.
+**	"hash" optional pointer to return the actual hash algorithm used.
+**	   in practice this should always match the passed in hashAlg (the
+**	   exception is the case where hashAlg is SEC_OID_UNKNOWN above).
+**         If this value is NULL no, hash oid is returned.
+**	"wincx" void pointer to the window context
+*/
+extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len,
+				      const SECKEYPublicKey *key, 
+				      const SECItem *sig,
+				      SECOidTag pubkAlg, SECOidTag hashAlg, 
+				      SECOidTag *hash, void *wincx);
+
+/*
+** Verify the signature on a block of data. The signature data is an RSA
+** private key encrypted block of data formatted according to PKCS#1.
+** 	"buf" the input data
+** 	"len" the length of the input data
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"algid" specifies the signing algorithm and parameters to use.
+**         This must match the key type.
+**      "hash" optional pointer to return the oid of the actual hash used in 
+**         the signature. If this value is NULL no, hash oid is returned.
+**	"wincx" void pointer to the window context
+*/
+extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, 
+				int len, const SECKEYPublicKey *key,
+				 const SECItem *sig,
+				const SECAlgorithmID *algid, SECOidTag *hash,
+				void *wincx);
+
+
+SEC_END_PROTOS
+
+#endif /* _CRYPTOHI_H_ */
diff --git a/security/nss/lib/cryptohi/cryptoht.h b/security/nss/lib/cryptohi/cryptoht.h
new file mode 100644
index 000000000..c5aab7ac6
--- /dev/null
+++ b/security/nss/lib/cryptohi/cryptoht.h
@@ -0,0 +1,48 @@
+/*
+ * cryptoht.h - public data structures for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _CRYPTOHT_H_
+#define _CRYPTOHT_H_
+
+typedef struct SGNContextStr SGNContext;
+typedef struct VFYContextStr VFYContext;
+
+
+#endif /* _CRYPTOHT_H_ */
diff --git a/security/nss/lib/cryptohi/dsautil.c b/security/nss/lib/cryptohi/dsautil.c
new file mode 100644
index 000000000..231a793b4
--- /dev/null
+++ b/security/nss/lib/cryptohi/dsautil.c
@@ -0,0 +1,300 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "cryptohi.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "prerr.h"
+
+#ifndef DSA_SUBPRIME_LEN
+#define DSA_SUBPRIME_LEN 20	/* bytes */
+#endif
+
+typedef struct {
+    SECItem r;
+    SECItem s;
+} DSA_ASN1Signature;
+
+const SEC_ASN1Template DSA_SignatureTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) },
+    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,r) },
+    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,s) },
+    { 0, }
+};
+
+/* Input is variable length multi-byte integer, MSB first (big endian).
+** Most signficant bit of first byte is NOT treated as a sign bit. 
+** May be one or more leading bytes of zeros. 
+** Output is variable length multi-byte integer, MSB first (big endian).
+** Most significant bit of first byte will be zero (positive sign bit)
+** No more than one leading zero byte.
+** Caller supplies dest buffer, and assures that it is long enough,
+** e.g. at least one byte longer that src's buffer.
+*/
+void
+DSAU_ConvertUnsignedToSigned(SECItem *dest, SECItem *src)
+{
+    unsigned char *pSrc = src->data;
+    unsigned char *pDst = dest->data;
+    unsigned int   cntSrc = src->len;
+
+    /* skip any leading zeros. */
+    while (cntSrc && !(*pSrc)) { 
+    	pSrc++; 
+	cntSrc--;
+    }
+    if (!cntSrc) {
+    	*pDst = 0; 
+	dest->len = 1; 
+	return; 
+    }
+
+    if (*pSrc & 0x80)
+    	*pDst++ = 0;
+
+    PORT_Memcpy(pDst, pSrc, cntSrc);
+    dest->len = (pDst - dest->data) + cntSrc;
+}
+
+/*
+** src is a buffer holding a signed variable length integer.
+** dest is a buffer which will be filled with an unsigned integer,
+** MSB first (big endian) with leading zeros, so that the last byte
+** of src will be the LSB of the integer.  The result will be exactly
+** the length specified by the caller in dest->len.
+** src can be shorter than dest.  src can be longer than dst, but only
+** if the extra leading bytes are zeros.
+*/
+SECStatus
+DSAU_ConvertSignedToFixedUnsigned(SECItem *dest, SECItem *src)
+{
+    unsigned char *pSrc = src->data;
+    unsigned char *pDst = dest->data;
+    unsigned int   cntSrc = src->len;
+    unsigned int   cntDst = dest->len;
+    int            zCount = cntDst - cntSrc;
+
+    if (zCount > 0) {
+    	PORT_Memset(pDst, 0, zCount);
+	PORT_Memcpy(pDst + zCount, pSrc, cntSrc);
+	return SECSuccess;
+    }
+    if (zCount <= 0) {
+	/* Source is longer than destination.  Check for leading zeros. */
+	while (zCount++ < 0) {
+	    if (*pSrc++ != 0)
+		goto loser;
+	}
+    }
+    PORT_Memcpy(pDst, pSrc, cntDst);
+    return SECSuccess;
+
+loser:
+    PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
+    return SECFailure;
+}
+
+/* src is a "raw" ECDSA or DSA signature, the first half contains r
+ * and the second half contains s. dest is the DER encoded signature.
+*/
+static SECStatus
+common_EncodeDerSig(SECItem *dest, SECItem *src)
+{
+    SECItem *         item;
+    SECItem           srcItem;
+    DSA_ASN1Signature sig;
+    unsigned char     *signedR;
+    unsigned char     *signedS;
+    unsigned int len;
+
+    /* Allocate memory with room for an extra byte that
+     * may be required if the top bit in the first byte
+     * is already set.
+     */
+    len = src->len/2;
+    signedR = (unsigned char *) PORT_Alloc(len + 1);
+    if (!signedR) return SECFailure;
+    signedS = (unsigned char *) PORT_ZAlloc(len + 1);
+    if (!signedS) {
+        if (signedR) PORT_Free(signedR);
+	return SECFailure;
+    }
+
+    PORT_Memset(&sig, 0, sizeof(sig));
+
+    /* Must convert r and s from "unsigned" integers to "signed" integers.
+    ** If the high order bit of the first byte (MSB) is 1, then must
+    ** prepend with leading zero.  
+    ** Must remove all but one leading zero byte from numbers.
+    */
+    sig.r.type = siUnsignedInteger;
+    sig.r.data = signedR;
+    sig.r.len  = sizeof signedR;
+    sig.s.type = siUnsignedInteger;
+    sig.s.data = signedS;
+    sig.s.len  = sizeof signedR;
+
+    srcItem.data = src->data;
+    srcItem.len  = len;
+
+    DSAU_ConvertUnsignedToSigned(&sig.r, &srcItem);
+    srcItem.data += len;
+    DSAU_ConvertUnsignedToSigned(&sig.s, &srcItem);
+
+    item = SEC_ASN1EncodeItem(NULL, dest, &sig, DSA_SignatureTemplate);
+    if (signedR) PORT_Free(signedR);
+    if (signedS) PORT_Free(signedS);
+    if (item == NULL)
+	return SECFailure;
+
+    /* XXX leak item? */
+    return SECSuccess;
+}
+
+/* src is a DER-encoded ECDSA or DSA signature.
+** Returns a newly-allocated SECItem structure, pointing at a newly allocated
+** buffer containing the "raw" signature, which is len bytes of r,
+** followed by len bytes of s. For DSA, len is always DSA_SUBPRIME_LEN.
+** For ECDSA, len depends on the key size used to create the signature.
+*/
+static SECItem *
+common_DecodeDerSig(const SECItem *item, unsigned int len)
+{
+    SECItem *         result = NULL;
+    SECStatus         status;
+    DSA_ASN1Signature sig;
+    SECItem           dst;
+
+    PORT_Memset(&sig, 0, sizeof(sig));
+
+    result = PORT_ZNew(SECItem);
+    if (result == NULL)
+	goto loser;
+
+    result->len  = 2 * len;
+    result->data = (unsigned char*)PORT_Alloc(2 * len);
+    if (result->data == NULL)
+	goto loser;
+
+    sig.r.type = siUnsignedInteger;
+    sig.s.type = siUnsignedInteger;
+    status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
+    if (status != SECSuccess)
+	goto loser;
+
+    /* Convert sig.r and sig.s from variable  length signed integers to 
+    ** fixed length unsigned integers.
+    */
+    dst.data = result->data;
+    dst.len  = len;
+    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.r);
+    if (status != SECSuccess)
+    	goto loser;
+
+    dst.data += len;
+    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s);
+    if (status != SECSuccess)
+    	goto loser;
+
+done:
+    if (sig.r.data != NULL)
+	PORT_Free(sig.r.data);
+    if (sig.s.data != NULL)
+	PORT_Free(sig.s.data);
+
+    return result;
+
+loser:
+    if (result != NULL) {
+	SECITEM_FreeItem(result, PR_TRUE);
+	result = NULL;
+    }
+    goto done;
+}
+
+/* src is a "raw" DSA signature, 20 bytes of r followed by 20 bytes of s.
+** dest is the signature DER encoded. ?
+*/
+SECStatus
+DSAU_EncodeDerSig(SECItem *dest, SECItem *src)
+{
+    PORT_Assert(src->len == 2 * DSA_SUBPRIME_LEN);
+    if (src->len != 2 * DSA_SUBPRIME_LEN) {
+    	PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
+	return SECFailure;
+    }
+
+    return common_EncodeDerSig(dest, src);
+}
+
+/* src is a "raw" DSA signature of length len (len/2 bytes of r followed
+** by len/2 bytes of s). dest is the signature DER encoded.
+*/
+SECStatus
+DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, unsigned int len)
+{
+
+    PORT_Assert((src->len == len) && (len % 2 == 0));
+    if ((src->len != len) || (src->len % 2 != 0)) {
+    	PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
+	return SECFailure;
+    }
+
+    return common_EncodeDerSig(dest, src);
+}
+
+/* src is a DER-encoded DSA signature.
+** Returns a newly-allocated SECItem structure, pointing at a newly allocated
+** buffer containing the "raw" DSA signature, which is 20 bytes of r,
+** followed by 20 bytes of s.
+*/
+SECItem *
+DSAU_DecodeDerSig(const SECItem *item)
+{
+    return common_DecodeDerSig(item, DSA_SUBPRIME_LEN);
+}
+
+/* src is a DER-encoded ECDSA signature.
+** Returns a newly-allocated SECItem structure, pointing at a newly allocated
+** buffer containing the "raw" ECDSA signature of length len containing
+** r followed by s (both padded to take up exactly len/2 bytes).
+*/
+SECItem *
+DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len)
+{
+    return common_DecodeDerSig(item, len/2);
+}
diff --git a/security/nss/lib/cryptohi/hasht.h b/security/nss/lib/cryptohi/hasht.h
new file mode 100644
index 000000000..6df38b49a
--- /dev/null
+++ b/security/nss/lib/cryptohi/hasht.h
@@ -0,0 +1,102 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _HASHT_H_
+#define _HASHT_H_
+
+/* Opaque objects */
+typedef struct SECHashObjectStr SECHashObject;
+typedef struct HASHContextStr HASHContext;
+
+/*
+ * The hash functions the security library supports
+ * NOTE the order must match the definition of SECHashObjects[]!
+ */
+typedef enum {
+    HASH_AlgNULL   = 0,
+    HASH_AlgMD2    = 1,
+    HASH_AlgMD5    = 2,
+    HASH_AlgSHA1   = 3,
+    HASH_AlgSHA256 = 4,
+    HASH_AlgSHA384 = 5,
+    HASH_AlgSHA512 = 6,
+    HASH_AlgTOTAL
+} HASH_HashType;
+
+/*
+ * Number of bytes each hash algorithm produces
+ */
+#define MD2_LENGTH	16
+#define MD5_LENGTH	16
+#define SHA1_LENGTH	20
+#define SHA256_LENGTH 	32
+#define SHA384_LENGTH 	48
+#define SHA512_LENGTH 	64
+#define HASH_LENGTH_MAX SHA512_LENGTH
+
+/*
+ * Structure to hold hash computation info and routines
+ */
+struct SECHashObjectStr {
+    unsigned int length;  /* hash output length (in bytes) */
+    void * (*create)(void);
+    void * (*clone)(void *);
+    void (*destroy)(void *, PRBool);
+    void (*begin)(void *);
+    void (*update)(void *, const unsigned char *, unsigned int);
+    void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
+    unsigned int blocklength;  /* hash input block size (in bytes) */
+    HASH_HashType type;
+};
+
+struct HASHContextStr {
+    const struct SECHashObjectStr *hashobj;
+    void *hash_context;
+};
+
+/* This symbol is NOT exported from the NSS DLL.  Code that needs a 
+ * pointer to one of the SECHashObjects should call HASH_GetHashObject()
+ * instead. See "sechash.h".
+ */
+extern const SECHashObject SECHashObjects[];
+
+/* Only those functions below the PKCS #11 line should use SECRawHashObjects.
+ * This symbol is not exported from the NSS DLL.
+ */
+extern const SECHashObject SECRawHashObjects[];
+
+#endif /* _HASHT_H_ */
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
new file mode 100644
index 000000000..1094bd082
--- /dev/null
+++ b/security/nss/lib/cryptohi/key.h
@@ -0,0 +1,43 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _KEY_H_
+#define _KEY_H_
+
+#include "keyhi.h"
+
+#endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h
new file mode 100644
index 000000000..f1ca02235
--- /dev/null
+++ b/security/nss/lib/cryptohi/keyhi.h
@@ -0,0 +1,311 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _KEYHI_H_
+#define _KEYHI_H_
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keythi.h"
+#include "certt.h"
+/*#include "secpkcs5.h" */
+
+SEC_BEGIN_PROTOS
+
+
+/*
+** Destroy a subject-public-key-info object.
+*/
+extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki);
+
+/*
+** Copy subject-public-key-info "src" to "dst". "dst" is filled in
+** appropriately (memory is allocated for each of the sub objects).
+*/
+extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena,
+					     CERTSubjectPublicKeyInfo *dst,
+					     CERTSubjectPublicKeyInfo *src);
+
+/*
+** Update the PQG parameters for a cert's public key.
+** Only done for DSA and Fortezza certs
+*/
+extern SECStatus
+SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
+
+
+/* Compare the KEA parameters of two public keys.  
+ * Only used by fortezza.      */
+
+extern SECStatus
+SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
+
+/*
+** Return the strength of the public key in bytes
+*/
+extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk);
+
+/*
+** Return the strength of the public key in bits
+*/
+extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
+
+/*
+** Return the length of the signature in bytes
+*/
+extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
+
+/*
+** Make a copy of the private key "privKey"
+*/
+extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(const SECKEYPrivateKey *privKey);
+
+/*
+** Make a copy of the public key "pubKey"
+*/
+extern SECKEYPublicKey *SECKEY_CopyPublicKey(const SECKEYPublicKey *pubKey);
+
+/*
+** Convert a private key "privateKey" into a public key
+*/
+extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey);
+
+/*
+ * create a new RSA key pair. The private Key is returned...
+ */
+SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits,
+					   SECKEYPublicKey **pubk, void *cx);
+	
+/*
+ * create a new DH key pair. The private Key is returned...
+ */
+SECKEYPrivateKey *SECKEY_CreateDHPrivateKey(SECKEYDHParams *param,
+					   SECKEYPublicKey **pubk, void *cx);
+
+/*
+ * create a new EC key pair. The private Key is returned...
+ */
+SECKEYPrivateKey *SECKEY_CreateECPrivateKey(SECKEYECParams *param,
+                                           SECKEYPublicKey **pubk, void *cx);
+
+/*
+** Create a subject-public-key-info based on a public key.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *k);
+
+/*
+** Decode a DER encoded public key into an SECKEYPublicKey structure.
+*/
+extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
+
+/*
+** Convert a base64 ascii encoded DER public key to our internal format.
+*/
+extern SECKEYPublicKey *SECKEY_ConvertAndDecodePublicKey(char *pubkstr);
+
+/*
+** Convert a base64 ascii encoded DER public key and challenge to spki,
+** and verify the signature and challenge data are correct
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
+								void *cx);
+
+/*
+** Encode a  CERTSubjectPublicKeyInfo structure. into a
+** DER encoded subject public key info. 
+*/
+SECItem *
+SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk);
+
+/*
+** Decode a DER encoded subject public key info into a
+** CERTSubjectPublicKeyInfo structure.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider);
+
+/*
+** Convert a base64 ascii encoded DER subject public key info to our
+** internal format.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr);
+
+/*
+ * extract the public key from a subject Public Key info structure.
+ * (used by JSS).
+ */
+extern SECKEYPublicKey *
+SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *);
+
+/*
+** Destroy a private key object.
+**	"key" the object
+*/
+extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key);
+
+
+/*
+** Destroy a public key object.
+**	"key" the object
+*/
+extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key);
+
+/* Destroy and zero out a private key info structure.  for now this
+ * function zero's out memory allocated in an arena for the key 
+ * since PORT_FreeArena does not currently do this.  
+ *
+ * NOTE -- If a private key info is allocated in an arena, one should 
+ * not call this function with freeit = PR_FALSE.  The function should 
+ * destroy the arena.  
+ */
+extern void
+SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit);
+
+/* Destroy and zero out an encrypted private key info.
+ *
+ * NOTE -- If a encrypted private key info is allocated in an arena, one should 
+ * not call this function with freeit = PR_FALSE.  The function should 
+ * destroy the arena.  
+ */
+extern void
+SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
+				      PRBool freeit);
+
+/* Copy private key info structure.  
+ *  poolp is the arena into which the contents of from is to be copied.
+ *	NULL is a valid entry.
+ *  to is the destination private key info
+ *  from is the source private key info
+ * if either from or to is NULL or an error occurs, SECFailure is 
+ * returned.  otherwise, SECSuccess is returned.
+ */
+extern SECStatus
+SECKEY_CopyPrivateKeyInfo(PLArenaPool *poolp,
+			  SECKEYPrivateKeyInfo *to,
+			  SECKEYPrivateKeyInfo *from);
+
+extern SECStatus
+SECKEY_CacheStaticFlags(SECKEYPrivateKey* key);
+
+/* Copy encrypted private key info structure.  
+ *  poolp is the arena into which the contents of from is to be copied.
+ *	NULL is a valid entry.
+ *  to is the destination encrypted private key info
+ *  from is the source encrypted private key info
+ * if either from or to is NULL or an error occurs, SECFailure is 
+ * returned.  otherwise, SECSuccess is returned.
+ */
+extern SECStatus
+SECKEY_CopyEncryptedPrivateKeyInfo(PLArenaPool *poolp,
+				   SECKEYEncryptedPrivateKeyInfo *to,
+				   SECKEYEncryptedPrivateKeyInfo *from);
+/*
+ * Accessor functions for key type of public and private keys.
+ */
+KeyType SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey);
+KeyType SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey);
+
+/*
+ * Creates a PublicKey from its DER encoding.
+ * Currently only supports RSA and DSA keys.
+ */
+SECKEYPublicKey*
+SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type);
+
+SECKEYPrivateKeyList*
+SECKEY_NewPrivateKeyList(void);
+
+void
+SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys);
+
+void
+SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node);
+
+SECStatus
+SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
+                                SECKEYPrivateKey *key);
+
+#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode*)PR_LIST_HEAD(&l->list))
+#define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)n->links.next)
+#define PRIVKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+SECKEYPublicKeyList*
+SECKEY_NewPublicKeyList(void);
+
+void
+SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys);
+
+void
+SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node);
+
+SECStatus
+SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
+                                SECKEYPublicKey *key);
+
+#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode*)PR_LIST_HEAD(&l->list))
+#define PUBKEY_LIST_NEXT(n) ((SECKEYPublicKeyListNode *)n->links.next)
+#define PUBKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+/*
+ * Length in bits of the EC's field size.  This is also the length of
+ * the x and y coordinates of EC points, such as EC public keys and
+ * base points.
+ *
+ * Return 0 on failure (unknown EC domain parameters).
+ */
+extern int SECKEY_ECParamsToKeySize(const SECItem *params);
+
+/*
+ * Length in bits of the EC base point order, usually denoted n.  This
+ * is also the length of EC private keys and ECDSA signature components
+ * r and s.
+ *
+ * Return 0 on failure (unknown EC domain parameters).
+ */
+extern int SECKEY_ECParamsToBasePointOrderLen(const SECItem *params);
+
+SEC_END_PROTOS
+
+#endif /* _KEYHI_H_ */
diff --git a/security/nss/lib/cryptohi/keyi.h b/security/nss/lib/cryptohi/keyi.h
new file mode 100644
index 000000000..d3994b81b
--- /dev/null
+++ b/security/nss/lib/cryptohi/keyi.h
@@ -0,0 +1,57 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea, Red Hat
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _KEYI_H_
+#define _KEYI_H_
+
+
+SEC_BEGIN_PROTOS
+/* NSS private functions */
+/* map an oid to a keytype... actually this function and it's converse
+ *  are good candidates for public functions..  */
+KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
+
+/* extract the 'encryption' (could be signing) and hash oids from and
+ * algorithm, key and parameters (parameters is the parameters field
+ * of a algorithm ID structure (SECAlgorithmID)*/
+SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+             const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
+
+SEC_END_PROTOS
+
+#endif /* _KEYHI_H_ */
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
new file mode 100644
index 000000000..634fb9c3e
--- /dev/null
+++ b/security/nss/lib/cryptohi/keyt.h
@@ -0,0 +1,43 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _KEYT_H_
+#define _KEYT_H_
+
+#include "keythi.h"
+
+#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
new file mode 100644
index 000000000..52d8cdd99
--- /dev/null
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -0,0 +1,258 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _KEYTHI_H_
+#define _KEYTHI_H_ 1
+
+#include "plarena.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "prclist.h"
+
+typedef enum { 
+    nullKey = 0, 
+    rsaKey = 1, 
+    dsaKey = 2, 
+    fortezzaKey = 3,
+    dhKey = 4, 
+    keaKey = 5,
+    ecKey = 6
+} KeyType;
+
+/*
+** Template Definitions
+**/
+
+SEC_BEGIN_PROTOS
+extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
+extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
+
+/* Windows DLL accessor functions */
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
+SEC_END_PROTOS
+
+
+/*
+** RSA Public Key structures
+** member names from PKCS#1, section 7.1 
+*/
+
+struct SECKEYRSAPublicKeyStr {
+    PLArenaPool * arena;
+    SECItem modulus;
+    SECItem publicExponent;
+};
+typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
+
+
+/*
+** DSA Public Key and related structures
+*/
+
+struct SECKEYPQGParamsStr {
+    PLArenaPool *arena;
+    SECItem prime;    /* p */
+    SECItem subPrime; /* q */
+    SECItem base;     /* g */
+    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
+};
+typedef struct SECKEYPQGParamsStr SECKEYPQGParams;
+
+struct SECKEYDSAPublicKeyStr {
+    SECKEYPQGParams params;
+    SECItem publicValue;
+};
+typedef struct SECKEYDSAPublicKeyStr SECKEYDSAPublicKey;
+
+
+/*
+** Diffie-Hellman Public Key structure
+** Structure member names suggested by PKCS#3.
+*/
+struct SECKEYDHParamsStr {
+    PLArenaPool * arena;
+    SECItem prime; /* p */
+    SECItem base; /* g */
+};
+typedef struct SECKEYDHParamsStr SECKEYDHParams;
+
+struct SECKEYDHPublicKeyStr {
+    PLArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+};
+typedef struct SECKEYDHPublicKeyStr SECKEYDHPublicKey;
+
+/*
+** Elliptic curve Public Key structure
+** The PKCS#11 layer needs DER encoding of ANSI X9.62
+** parameters value
+*/
+typedef SECItem SECKEYECParams;
+
+struct SECKEYECPublicKeyStr {
+    SECKEYECParams DEREncodedParams;
+    int     size;             /* size in bits */
+    SECItem publicValue;      /* encoded point */
+    /* XXX Even though the PKCS#11 interface takes encoded parameters,
+     * we may still wish to decode them above PKCS#11 for things like
+     * printing key information. For named curves, which is what
+     * we initially support, we ought to have the curve name at the
+     * very least.
+     */
+};
+typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey;
+
+/*
+** FORTEZZA Public Key structures
+*/
+struct SECKEYFortezzaPublicKeyStr {
+    int      KEAversion;
+    int      DSSversion;
+    unsigned char    KMID[8];
+    SECItem clearance;
+    SECItem KEApriviledge;
+    SECItem DSSpriviledge;
+    SECItem KEAKey;
+    SECItem DSSKey;
+    SECKEYPQGParams params;
+    SECKEYPQGParams keaParams;
+};
+typedef struct SECKEYFortezzaPublicKeyStr SECKEYFortezzaPublicKey;
+
+struct SECKEYDiffPQGParamsStr {
+    SECKEYPQGParams DiffKEAParams;
+    SECKEYPQGParams DiffDSAParams;
+};
+typedef struct SECKEYDiffPQGParamsStr SECKEYDiffPQGParams;
+
+struct SECKEYPQGDualParamsStr {
+    SECKEYPQGParams CommParams;
+    SECKEYDiffPQGParams DiffParams;
+};
+typedef struct SECKEYPQGDualParamsStr SECKEYPQGDualParams;
+
+struct SECKEYKEAParamsStr {
+    PLArenaPool *arena;
+    SECItem hash;
+};
+typedef struct SECKEYKEAParamsStr SECKEYKEAParams;
+ 
+struct SECKEYKEAPublicKeyStr {
+    SECKEYKEAParams params;
+    SECItem publicValue;
+};
+typedef struct SECKEYKEAPublicKeyStr SECKEYKEAPublicKey;
+
+/*
+** A Generic  public key object.
+*/
+struct SECKEYPublicKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    PK11SlotInfo *pkcs11Slot;
+    CK_OBJECT_HANDLE pkcs11ID;
+    union {
+        SECKEYRSAPublicKey rsa;
+	SECKEYDSAPublicKey dsa;
+	SECKEYDHPublicKey  dh;
+        SECKEYKEAPublicKey kea;
+        SECKEYFortezzaPublicKey fortezza;
+	SECKEYECPublicKey  ec;
+    } u;
+};
+typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
+
+#define CachedAttribute(attribute,setbit) \
+static const PRUint32 SECKEY_##attribute = 1 << setbit;
+
+/* bit flag definitions for staticflags */
+#define SECKEY_Attributes_Cached 0x1    /* bit 0 states
+                                           whether attributes are cached */
+CachedAttribute(CKA_PRIVATE,1) /* bit 1 is the value of CKA_PRIVATE */
+
+#define SECKEY_ATTRIBUTES_CACHED(key) \
+     (0 != (key->staticflags & SECKEY_Attributes_Cached))
+
+#define SECKEY_ATTRIBUTE_VALUE(key,attribute) \
+     (0 != (key->staticflags & SECKEY_##attribute))
+
+#define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \
+    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
+    (0 != (key->staticflags & SECKEY_##attribute)) : \
+    PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute)
+
+/*
+** A generic key structure
+*/ 
+struct SECKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    PK11SlotInfo *pkcs11Slot;	/* pkcs11 slot this key lives in */
+    CK_OBJECT_HANDLE pkcs11ID;  /* ID of pkcs11 object */
+    PRBool pkcs11IsTemp;	/* temp pkcs11 object, delete it when done */
+    void *wincx;		/* context for errors and pw prompts */
+    PRUint32 staticflags;       /* bit flag of cached PKCS#11 attributes */
+};
+typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
+
+typedef struct {
+    PRCList links;
+    SECKEYPrivateKey *key;
+} SECKEYPrivateKeyListNode;
+
+typedef struct {
+    PRCList list;
+    PLArenaPool *arena;
+} SECKEYPrivateKeyList;
+
+typedef struct {
+    PRCList links;
+    SECKEYPublicKey *key;
+} SECKEYPublicKeyListNode;
+
+typedef struct {
+    PRCList list;
+    PLArenaPool *arena;
+} SECKEYPublicKeyList;
+#endif /* _KEYTHI_H_ */
+
diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn
new file mode 100644
index 000000000..9c66d93a9
--- /dev/null
+++ b/security/nss/lib/cryptohi/manifest.mn
@@ -0,0 +1,70 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+REQUIRES = dbm
+
+LIBRARY_NAME = cryptohi
+
+EXPORTS = \
+	cryptohi.h \
+	cryptoht.h \
+	hasht.h   \
+	key.h     \
+	keyhi.h   \
+	keyt.h    \
+	keythi.h  \
+	sechash.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+LIBSRCS = \
+	sechash.c \
+	seckey.c  \
+	secsign.c \
+	secvfy.c  \
+	dsautil.c \
+	$(NULL)
+
+CSRCS = $(LIBSRCS)
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
new file mode 100644
index 000000000..dc069ed58
--- /dev/null
+++ b/security/nss/lib/cryptohi/sechash.c
@@ -0,0 +1,422 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "sechash.h"
+#include "secoidt.h"
+#include "secerr.h"
+#include "blapi.h"
+#include "pk11func.h"	/* for the PK11_ calls below. */
+
+static void *
+null_hash_new_context(void)
+{
+    return NULL;
+}
+
+static void *
+null_hash_clone_context(void *v)
+{
+    PORT_Assert(v == NULL);
+    return NULL;
+}
+
+static void
+null_hash_begin(void *v)
+{
+}
+
+static void
+null_hash_update(void *v, const unsigned char *input, unsigned int length)
+{
+}
+
+static void
+null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
+	      unsigned int maxOut)
+{
+    *outLen = 0;
+}
+
+static void
+null_hash_destroy_context(void *v, PRBool b)
+{
+    PORT_Assert(v == NULL);
+}
+
+
+static void *
+md2_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_MD2);
+}
+
+static void *
+md5_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_MD5);
+}
+
+static void *
+sha1_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
+}
+
+static void *
+sha256_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA256);
+}
+
+static void *
+sha384_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA384);
+}
+
+static void *
+sha512_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA512);
+}
+
+const SECHashObject SECHashObjects[] = {
+  { 0,
+    (void * (*)(void)) null_hash_new_context,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) null_hash_destroy_context,
+    (void (*)(void *)) null_hash_begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) null_hash_end,
+    0,
+    HASH_AlgNULL
+  },
+  { MD2_LENGTH,
+    (void * (*)(void)) md2_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    MD2_BLOCK_LENGTH,
+    HASH_AlgMD2
+  },
+  { MD5_LENGTH,
+    (void * (*)(void)) md5_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    MD5_BLOCK_LENGTH,
+    HASH_AlgMD5
+  },
+  { SHA1_LENGTH,
+    (void * (*)(void)) sha1_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    SHA1_BLOCK_LENGTH,
+    HASH_AlgSHA1
+  },
+  { SHA256_LENGTH,
+    (void * (*)(void)) sha256_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    SHA256_BLOCK_LENGTH,
+    HASH_AlgSHA256
+  },
+  { SHA384_LENGTH,
+    (void * (*)(void)) sha384_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    SHA384_BLOCK_LENGTH,
+    HASH_AlgSHA384
+  },
+  { SHA512_LENGTH,
+    (void * (*)(void)) sha512_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal,
+    SHA512_BLOCK_LENGTH,
+    HASH_AlgSHA512
+  },
+};
+
+const SECHashObject * 
+HASH_GetHashObject(HASH_HashType type)
+{
+    return &SECHashObjects[type];
+}
+
+HASH_HashType
+HASH_GetHashTypeByOidTag(SECOidTag hashOid)
+{
+    HASH_HashType ht	= HASH_AlgNULL;
+
+    switch(hashOid) {
+    case SEC_OID_MD2:	 ht = HASH_AlgMD2;    break;
+    case SEC_OID_MD5:	 ht = HASH_AlgMD5;    break;
+    case SEC_OID_SHA1:	 ht = HASH_AlgSHA1;   break;
+    case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
+    case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
+    case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
+    default:             ht = HASH_AlgNULL;   
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	break;
+    }
+    return ht;
+}
+
+SECOidTag
+HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
+{
+    SECOidTag hashOid = SEC_OID_UNKNOWN;
+
+    switch(hmacOid) {
+    /* no oid exists for HMAC_MD2 */
+    /* NSS does not define a oid for HMAC_MD4 */
+    case SEC_OID_HMAC_SHA1:   hashOid = SEC_OID_SHA1;   break;
+    case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break;
+    case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break;
+    case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break;
+    default:                  hashOid = SEC_OID_UNKNOWN;   
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	break;
+    }
+    return hashOid;
+}
+
+SECOidTag
+HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
+{
+    SECOidTag hmacOid = SEC_OID_UNKNOWN;
+
+    switch(hmacOid) {
+    /* no oid exists for HMAC_MD2 */
+    /* NSS does not define a oid for HMAC_MD4 */
+    case SEC_OID_SHA1:   hmacOid = SEC_OID_HMAC_SHA1;   break;
+    case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break;
+    case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break;
+    case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break;
+    default:             hmacOid = SEC_OID_UNKNOWN;   
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	break;
+    }
+    return hmacOid;
+}
+
+const SECHashObject * 
+HASH_GetHashObjectByOidTag(SECOidTag hashOid)
+{
+    HASH_HashType ht	= HASH_GetHashTypeByOidTag(hashOid);
+
+    return (ht == HASH_AlgNULL) ? NULL : &SECHashObjects[ht];
+}
+
+/* returns zero for unknown hash OID */
+unsigned int
+HASH_ResultLenByOidTag(SECOidTag hashOid)
+{
+    const SECHashObject * hashObject = HASH_GetHashObjectByOidTag(hashOid);
+    unsigned int          resultLen = 0;
+
+    if (hashObject)
+    	resultLen = hashObject->length;
+    return resultLen;
+}
+
+/* returns zero if hash type invalid. */
+unsigned int
+HASH_ResultLen(HASH_HashType type)
+{
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return(0);
+    }
+    
+    return(SECHashObjects[type].length);
+}
+
+unsigned int
+HASH_ResultLenContext(HASHContext *context)
+{
+    return(context->hashobj->length);
+}
+
+
+
+SECStatus
+HASH_HashBuf(HASH_HashType type,
+	     unsigned char *dest,
+	     unsigned char *src,
+	     PRUint32 src_len)
+{
+    HASHContext *cx;
+    unsigned int part;
+    
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	return(SECFailure);
+    }
+    
+    cx = HASH_Create(type);
+    if ( cx == NULL ) {
+	return(SECFailure);
+    }
+    HASH_Begin(cx);
+    HASH_Update(cx, src, src_len);
+    HASH_End(cx, dest, &part, HASH_ResultLenContext(cx));
+    HASH_Destroy(cx);
+
+    return(SECSuccess);
+}
+
+HASHContext *
+HASH_Create(HASH_HashType type)
+{
+    void *hash_context = NULL;
+    HASHContext *ret = NULL;
+    
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	return(NULL);
+    }
+    
+    hash_context = (* SECHashObjects[type].create)();
+    if ( hash_context == NULL ) {
+	goto loser;
+    }
+
+    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+
+    ret->hash_context = hash_context;
+    ret->hashobj = &SECHashObjects[type];
+    
+    return(ret);
+    
+loser:
+    if ( hash_context != NULL ) {
+	(* SECHashObjects[type].destroy)(hash_context, PR_TRUE);
+    }
+    
+    return(NULL);
+}
+
+
+HASHContext *
+HASH_Clone(HASHContext *context)
+{
+    void *hash_context = NULL;
+    HASHContext *ret = NULL;
+    
+    hash_context = (* context->hashobj->clone)(context->hash_context);
+    if ( hash_context == NULL ) {
+	goto loser;
+    }
+
+    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+
+    ret->hash_context = hash_context;
+    ret->hashobj = context->hashobj;
+    
+    return(ret);
+    
+loser:
+    if ( hash_context != NULL ) {
+	(* context->hashobj->destroy)(hash_context, PR_TRUE);
+    }
+    
+    return(NULL);
+
+}
+
+void
+HASH_Destroy(HASHContext *context)
+{
+    (* context->hashobj->destroy)(context->hash_context, PR_TRUE);
+    PORT_Free(context);
+    return;
+}
+
+
+void
+HASH_Begin(HASHContext *context)
+{
+    (* context->hashobj->begin)(context->hash_context);
+    return;
+}
+
+
+void
+HASH_Update(HASHContext *context,
+	    const unsigned char *src,
+	    unsigned int len)
+{
+    (* context->hashobj->update)(context->hash_context, src, len);
+    return;
+}
+
+void
+HASH_End(HASHContext *context,
+	 unsigned char *result,
+	 unsigned int *result_len,
+	 unsigned int max_result_len)
+{
+    (* context->hashobj->end)(context->hash_context, result, result_len,
+			      max_result_len);
+    return;
+}
+
+HASH_HashType
+HASH_GetType(HASHContext *context)
+{
+    return(context->hashobj->type);
+}
diff --git a/security/nss/lib/cryptohi/sechash.h b/security/nss/lib/cryptohi/sechash.h
new file mode 100644
index 000000000..ba166c185
--- /dev/null
+++ b/security/nss/lib/cryptohi/sechash.h
@@ -0,0 +1,90 @@
+#ifndef _HASH_H_
+#define _HASH_H_
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "seccomon.h"
+#include "hasht.h"
+#include "secoidt.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Generic hash api.  
+*/
+
+extern unsigned int  HASH_ResultLen(HASH_HashType type);
+
+extern unsigned int  HASH_ResultLenContext(HASHContext *context);
+
+extern unsigned int  HASH_ResultLenByOidTag(SECOidTag hashOid);
+
+extern SECStatus     HASH_HashBuf(HASH_HashType type,
+				 unsigned char *dest,
+				 unsigned char *src,
+				 PRUint32 src_len);
+
+extern HASHContext * HASH_Create(HASH_HashType type);
+
+extern HASHContext * HASH_Clone(HASHContext *context);
+
+extern void          HASH_Destroy(HASHContext *context);
+
+extern void          HASH_Begin(HASHContext *context);
+
+extern void          HASH_Update(HASHContext *context,
+				const unsigned char *src,
+				unsigned int len);
+
+extern void          HASH_End(HASHContext *context,
+			     unsigned char *result,
+			     unsigned int *result_len,
+			     unsigned int max_result_len);
+			     
+extern HASH_HashType HASH_GetType(HASHContext *context);
+
+extern const SECHashObject * HASH_GetHashObject(HASH_HashType type);
+
+extern const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid);
+
+extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid);
+extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid);
+extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid);
+
+SEC_END_PROTOS
+
+#endif /* _HASH_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
new file mode 100644
index 000000000..963b985de
--- /dev/null
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -0,0 +1,2524 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secdig.h"
+#include "prtime.h"
+#include "ec.h"
+#include "keyi.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSubjectPublicKeyInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTSubjectPublicKeyInfo,algorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSubjectPublicKeyInfo,subjectPublicKey), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) },
+    { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge,spki) },
+    { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge,challenge) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.prime), },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.base), },
+    /* XXX chrisk: this needs to be expanded for decoding of j and validationParms (RFC2459 7.3.2) */
+    { SEC_ASN1_SKIP_REST },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_FortezzaParameterTemplate[] = {
+    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,prime), },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,subPrime), },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,base), },
+    { 0 },
+};
+ 
+const SEC_ASN1Template SECKEY_FortezzaDiffParameterTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYDiffPQGParams) },
+    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffKEAParams), 
+                       SECKEY_FortezzaParameterTemplate},
+    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffDSAParams), 
+                       SECKEY_FortezzaParameterTemplate},
+    { 0 },
+};
+
+const SEC_ASN1Template SECKEY_FortezzaPreParamTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_CONTEXT_SPECIFIC | 1, offsetof(SECKEYPQGDualParams,CommParams),
+                SECKEY_FortezzaParameterTemplate},
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_FortezzaAltPreParamTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(SECKEYPQGDualParams,DiffParams),
+                SECKEY_FortezzaDiffParameterTemplate},
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_KEAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.kea.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = {
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), }, 
+    { 0, }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate)
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+static void
+prepare_rsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.rsa.modulus.type = siUnsignedInteger;
+    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_dsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.dsa.publicValue.type = siUnsignedInteger;
+}
+
+static void
+prepare_pqg_params_for_asn1(SECKEYPQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+static void
+prepare_dh_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.dh.prime.type = siUnsignedInteger;
+    pubk->u.dh.base.type = siUnsignedInteger;
+    pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+static void
+prepare_kea_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.kea.publicValue.type = siUnsignedInteger;
+}
+
+/* Create an RSA key pair is any slot able to do so.
+** The created keys are "session" (temporary), not "token" (permanent), 
+** and they are "sensitive", which makes them costly to move to another token.
+*/
+SECKEYPrivateKey *
+SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx)
+{
+    SECKEYPrivateKey *privk;
+    PK11RSAGenParams param;
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx);
+    if (!slot) {
+	return NULL;
+    }
+
+    param.keySizeInBits = keySizeInBits;
+    param.pe = 65537L;
+    
+    privk = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,&param,pubk,
+					PR_FALSE, PR_TRUE, cx);
+    PK11_FreeSlot(slot);
+    return(privk);
+}
+
+/* Create a DH key pair in any slot able to do so, 
+** This is a "session" (temporary), not "token" (permanent) key. 
+** Because of the high probability that this key will need to be moved to
+** another token, and the high cost of moving "sensitive" keys, we attempt
+** to create this key pair without the "sensitive" attribute, but revert to 
+** creating a "sensitive" key if necessary.
+*/
+SECKEYPrivateKey *
+SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *cx)
+{
+    SECKEYPrivateKey *privk;
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,cx);
+    if (!slot) {
+	return NULL;
+    }
+
+    privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
+                                 pubk, PR_FALSE, PR_FALSE, cx);
+    if (!privk) 
+	privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
+	                             pubk, PR_FALSE, PR_TRUE, cx);
+
+    PK11_FreeSlot(slot);
+    return(privk);
+}
+
+/* Create an EC key pair in any slot able to do so, 
+** This is a "session" (temporary), not "token" (permanent) key. 
+** Because of the high probability that this key will need to be moved to
+** another token, and the high cost of moving "sensitive" keys, we attempt
+** to create this key pair without the "sensitive" attribute, but revert to 
+** creating a "sensitive" key if necessary.
+*/
+SECKEYPrivateKey *
+SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx)
+{
+    SECKEYPrivateKey *privk;
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx);
+    if (!slot) {
+	return NULL;
+    }
+
+    privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
+                                 pubk, PR_FALSE, PR_FALSE, cx);
+    if (!privk) 
+	privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
+	                             pubk, PR_FALSE, PR_TRUE, cx);
+
+    PK11_FreeSlot(slot);
+    return(privk);
+}
+
+void
+SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
+{
+    if (privk) {
+	if (privk->pkcs11Slot) {
+	    if (privk->pkcs11IsTemp) {
+	    	PK11_DestroyObject(privk->pkcs11Slot,privk->pkcs11ID);
+	    }
+	    PK11_FreeSlot(privk->pkcs11Slot);
+
+	}
+    	if (privk->arena) {
+	    PORT_FreeArena(privk->arena, PR_TRUE);
+	}
+    }
+}
+
+void
+SECKEY_DestroyPublicKey(SECKEYPublicKey *pubk)
+{
+    if (pubk) {
+	if (pubk->pkcs11Slot) {
+	    if (!PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
+		PK11_DestroyObject(pubk->pkcs11Slot,pubk->pkcs11ID);
+	    }
+	    PK11_FreeSlot(pubk->pkcs11Slot);
+	}
+    	if (pubk->arena) {
+	    PORT_FreeArena(pubk->arena, PR_FALSE);
+	}
+    }
+}
+
+SECStatus
+SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
+			     CERTSubjectPublicKeyInfo *to,
+			     CERTSubjectPublicKeyInfo *from)
+{
+    SECStatus rv;
+    SECItem spk;
+
+    rv = SECOID_CopyAlgorithmID(arena, &to->algorithm, &from->algorithm);
+    if (rv == SECSuccess) {
+	/*
+	 * subjectPublicKey is a bit string, whose length is in bits.
+	 * Convert the length from bits to bytes for SECITEM_CopyItem.
+	 */
+	spk = from->subjectPublicKey;
+	DER_ConvertBitString(&spk);
+	rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &spk);
+	/* Set the length back to bits. */
+	if (rv == SECSuccess) {
+	    to->subjectPublicKey.len = from->subjectPublicKey.len;
+	}
+    }
+
+    return rv;
+}
+
+SECStatus
+SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) {
+
+    if (pubKey->keyType == fortezzaKey) {
+        /* the key is a fortezza V1 public key  */
+
+	/* obtain hash of pubkey->u.fortezza.params.prime.data +
+		          pubkey->u.fortezza.params.subPrime.data +
+			  pubkey->u.fortezza.params.base.data  */
+
+	/* store hash in params->hash */
+
+    } else if (pubKey->keyType == keaKey) {
+
+        /* the key is a new fortezza KEA public key. */
+        SECITEM_CopyItem(pubKey->arena, &params->hash, 
+	                 &pubKey->u.kea.params.hash );
+
+    } else {
+
+	/* the key has no KEA parameters */
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+SECStatus
+SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2) 
+{
+
+    SECStatus rv;
+
+    SECKEYPublicKey *pubKey1 = 0;
+    SECKEYPublicKey *pubKey2 = 0;
+
+    SECKEYKEAParams params1;
+    SECKEYKEAParams params2;
+
+
+    rv = SECFailure;
+
+    /* get cert1's public key */
+    pubKey1 = CERT_ExtractPublicKey(cert1);
+    if ( !pubKey1 ) {
+	return(SECFailure);
+    }
+    
+
+    /* get cert2's public key */
+    pubKey2 = CERT_ExtractPublicKey(cert2);
+    if ( !pubKey2 ) {
+	return(SECFailure);
+    }
+
+    /* handle the case when both public keys are new
+     * fortezza KEA public keys.    */
+
+    if ((pubKey1->keyType == keaKey) &&
+        (pubKey2->keyType == keaKey) ) {
+
+        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
+	                         &pubKey2->u.kea.params.hash);
+	goto done;
+    }
+
+    /* handle the case when both public keys are old fortezza
+     * public keys.              */
+
+    if ((pubKey1->keyType == fortezzaKey) &&
+        (pubKey2->keyType == fortezzaKey) ) {
+
+        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
+	                         &pubKey2->u.fortezza.keaParams.prime);
+
+	if (rv == SECEqual) {
+	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
+	                             &pubKey2->u.fortezza.keaParams.subPrime);
+	}
+
+	if (rv == SECEqual) {
+	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
+	                             &pubKey2->u.fortezza.keaParams.base);
+	}
+	
+	goto done;
+    }
+
+
+    /* handle the case when the public keys are a mixture of 
+     * old and new.                          */
+
+    rv = SECKEY_KEASetParams(&params1, pubKey1);
+    if (rv != SECSuccess) return rv;
+
+    rv = SECKEY_KEASetParams(&params2, pubKey2);
+    if (rv != SECSuccess) return rv;
+
+    rv = (SECStatus)SECITEM_CompareItem(&params1.hash, &params2.hash);
+
+done:
+    SECKEY_DestroyPublicKey(pubKey1);
+    SECKEY_DestroyPublicKey(pubKey2);
+
+    return rv;   /* returns SECEqual if parameters are equal */
+
+}
+
+
+/* Procedure to update the pqg parameters for a cert's public key.
+ * pqg parameters only need to be updated for DSA and fortezza certificates.
+ * The procedure uses calls to itself recursively to update a certificate
+ * issuer's pqg parameters.  Some important rules are:
+ *    - Do nothing if the cert already has PQG parameters.
+ *    - If the cert does not have PQG parameters, obtain them from the issuer.
+ *    - A valid cert chain cannot have a DSA or Fortezza cert without
+ *      pqg parameters that has a parent that is not a DSA or Fortezza cert.
+ *    - pqg paramters are stored in two different formats: the standard
+ *      DER encoded format and the fortezza-only wrapped format.  The params
+ *      should be copied from issuer to subject cert without modifying the
+ *      formats.  The public key extraction code will deal with the different
+ *      formats at the time of extraction.  */
+
+static SECStatus
+seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
+{
+    SECStatus rv;
+    SECOidData *oid=NULL;
+    int tag;
+    CERTSubjectPublicKeyInfo * subjectSpki=NULL;
+    CERTSubjectPublicKeyInfo * issuerSpki=NULL;
+    CERTCertificate *issuerCert = NULL;
+
+    rv = SECSuccess;
+
+    /* increment cert chain length counter*/
+    count++;
+
+    /* check if cert chain length exceeds the maximum length*/
+    if (count > CERT_MAX_CERT_CHAIN) {
+	return SECFailure;
+    }
+
+    oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);            
+    if (oid != NULL) {  
+        tag = oid->offset;
+             
+        /* Check if cert has a DSA or Fortezza public key. If not, return
+         * success since no PQG params need to be updated.  */
+
+	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
+	     (tag != SEC_OID_MISSI_DSS_OLD) &&
+             (tag != SEC_OID_MISSI_KEA_DSS) &&
+             (tag != SEC_OID_MISSI_DSS) &&               
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
+            
+            return SECSuccess;
+        }
+    } else {
+        return SECFailure;  /* return failure if oid is NULL */  
+    }
+
+    /* if cert has PQG parameters, return success */
+
+    subjectSpki=&subjectCert->subjectPublicKeyInfo;
+
+    if (subjectSpki->algorithm.parameters.len != 0) {
+        return SECSuccess;
+    }
+
+    /* check if the cert is self-signed */
+    if (subjectCert->isRoot) {
+      /* fail since cert is self-signed and has no pqg params. */
+	return SECFailure;     
+    }
+     
+    /* get issuer cert */
+    issuerCert = CERT_FindCertIssuer(subjectCert, PR_Now(), certUsageAnyCA);
+    if ( ! issuerCert ) {
+	return SECFailure;
+    }
+
+    /* if parent is not DSA or fortezza, return failure since
+       we don't allow this case. */
+
+    oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
+    if (oid != NULL) {  
+        tag = oid->offset;
+             
+        /* Check if issuer cert has a DSA or Fortezza public key. If not,
+         * return failure.   */
+
+	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
+	     (tag != SEC_OID_MISSI_DSS_OLD) &&
+             (tag != SEC_OID_MISSI_KEA_DSS) &&
+             (tag != SEC_OID_MISSI_DSS) &&               
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {            
+            rv = SECFailure;
+            goto loser;
+        }
+    } else {
+        rv = SECFailure;  /* return failure if oid is NULL */  
+        goto loser;
+    }
+
+
+    /* at this point the subject cert has no pqg parameters and the
+     * issuer cert has a DSA or fortezza public key.  Update the issuer's
+     * pqg parameters with a recursive call to this same function. */
+
+    rv = seckey_UpdateCertPQGChain(issuerCert, count);
+    if (rv != SECSuccess) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    /* ensure issuer has pqg parameters */
+
+    issuerSpki=&issuerCert->subjectPublicKeyInfo;
+    if (issuerSpki->algorithm.parameters.len == 0) {
+        rv = SECFailure; 
+    }
+
+    /* if update was successful and pqg params present, then copy the
+     * parameters to the subject cert's key. */
+
+    if (rv == SECSuccess) {
+        rv = SECITEM_CopyItem(subjectCert->arena,
+                              &subjectSpki->algorithm.parameters, 
+	   		      &issuerSpki->algorithm.parameters);
+    }
+
+loser:
+    if (issuerCert) {
+        CERT_DestroyCertificate(issuerCert);
+    }
+    return rv;
+
+}
+ 
+
+SECStatus
+SECKEY_UpdateCertPQG(CERTCertificate * subjectCert)
+{
+    if (!subjectCert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    return seckey_UpdateCertPQGChain(subjectCert,0);
+}
+   
+
+/* Decode the PQG parameters.  The params could be stored in two
+ * possible formats, the old fortezza-only wrapped format or
+ * the standard DER encoded format.   Store the decoded parameters in an
+ * old fortezza cert data structure */
+ 
+SECStatus
+SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
+                              SECItem *params) {
+    SECStatus rv;
+    SECKEYPQGDualParams dual_params;
+    SECItem newparams;
+
+    PORT_Assert(arena);
+
+    if (params == NULL) return SECFailure; 
+    
+    if (params->data == NULL) return SECFailure;
+
+    /* make a copy of the data into the arena so QuickDER output is valid */
+    rv = SECITEM_CopyItem(arena, &newparams, params);
+
+    /* Check if params use the standard format.
+     * The value 0xa1 will appear in the first byte of the parameter data
+     * if the PQG parameters are not using the standard format. This
+     * code should be changed to use a better method to detect non-standard
+     * parameters.    */
+
+    if ((newparams.data[0] != 0xa1) &&
+        (newparams.data[0] != 0xa0)) {
+
+        if (SECSuccess == rv) {
+            /* PQG params are in the standard format */
+
+	    /* Store DSA PQG parameters */
+	    prepare_pqg_params_for_asn1(&pubk->u.fortezza.params);
+            rv = SEC_QuickDERDecodeItem(arena, &pubk->u.fortezza.params,
+                              SECKEY_PQGParamsTemplate,
+                              &newparams);
+        }
+
+	if (SECSuccess == rv) {
+
+	    /* Copy the DSA PQG parameters to the KEA PQG parameters. */
+	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                  &pubk->u.fortezza.params.prime);
+        }
+        if (SECSuccess == rv) {
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                  &pubk->u.fortezza.params.subPrime);
+        }
+        if (SECSuccess == rv) {
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                  &pubk->u.fortezza.params.base);
+        }
+    } else {
+
+	dual_params.CommParams.prime.len = 0;
+        dual_params.CommParams.subPrime.len = 0;
+	dual_params.CommParams.base.len = 0;
+	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
+        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
+	dual_params.DiffParams.DiffDSAParams.base.len = 0;
+
+        /* else the old fortezza-only wrapped format is used. */
+
+        if (SECSuccess == rv) {
+	    if (newparams.data[0] == 0xa1) {
+                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
+				    SECKEY_FortezzaPreParamTemplate, &newparams);
+	    } else {
+                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
+	   			        SECKEY_FortezzaAltPreParamTemplate, &newparams);
+            }
+        }
+	
+        if ( (dual_params.CommParams.prime.len > 0) &&
+             (dual_params.CommParams.subPrime.len > 0) && 
+             (dual_params.CommParams.base.len > 0) ) {
+            /* copy in common params */
+	    if (SECSuccess == rv) {
+	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+                                      &dual_params.CommParams.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+                                      &dual_params.CommParams.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+                                      &dual_params.CommParams.base);
+            }
+
+	    /* Copy the DSA PQG parameters to the KEA PQG parameters. */
+            if (SECSuccess == rv) {
+	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                      &pubk->u.fortezza.params.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                      &pubk->u.fortezza.params.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                      &pubk->u.fortezza.params.base);
+            }
+        } else {
+
+	    /* else copy in different params */
+
+	    /* copy DSA PQG parameters */
+            if (SECSuccess == rv) {
+	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+                                  &dual_params.DiffParams.DiffDSAParams.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+                                  &dual_params.DiffParams.DiffDSAParams.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+                                  &dual_params.DiffParams.DiffDSAParams.base);
+            }
+
+	    /* copy KEA PQG parameters */
+
+            if (SECSuccess == rv) {
+	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                  &dual_params.DiffParams.DiffKEAParams.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                  &dual_params.DiffParams.DiffKEAParams.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                  &dual_params.DiffParams.DiffKEAParams.base);
+            }
+        }
+    }
+    return rv;
+}
+
+
+/* Decode the DSA PQG parameters.  The params could be stored in two
+ * possible formats, the old fortezza-only wrapped format or
+ * the normal standard format.  Store the decoded parameters in
+ * a V3 certificate data structure.  */ 
+
+SECStatus
+SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) {
+    SECStatus rv;
+    SECKEYPQGDualParams dual_params;
+    SECItem newparams;
+
+    if (params == NULL) return SECFailure; 
+    
+    if (params->data == NULL) return SECFailure;
+
+    PORT_Assert(arena);
+
+    /* make a copy of the data into the arena so QuickDER output is valid */
+    rv = SECITEM_CopyItem(arena, &newparams, params);
+
+    /* Check if params use the standard format.
+     * The value 0xa1 will appear in the first byte of the parameter data
+     * if the PQG parameters are not using the standard format.  This
+     * code should be changed to use a better method to detect non-standard
+     * parameters.    */
+
+    if ((newparams.data[0] != 0xa1) &&
+        (newparams.data[0] != 0xa0)) {
+    
+        if (SECSuccess == rv) {
+             /* PQG params are in the standard format */
+             prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
+             rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params,
+                                 SECKEY_PQGParamsTemplate,
+                                 &newparams);
+        }
+    } else {
+
+	dual_params.CommParams.prime.len = 0;
+        dual_params.CommParams.subPrime.len = 0;
+	dual_params.CommParams.base.len = 0;
+	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
+        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
+	dual_params.DiffParams.DiffDSAParams.base.len = 0;
+
+        if (SECSuccess == rv) {
+            /* else the old fortezza-only wrapped format is used. */
+            if (newparams.data[0] == 0xa1) {
+                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
+				    SECKEY_FortezzaPreParamTemplate, &newparams);
+	    } else {
+                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
+	   			        SECKEY_FortezzaAltPreParamTemplate, &newparams);
+            }
+        }
+
+        if ( (dual_params.CommParams.prime.len > 0) &&
+             (dual_params.CommParams.subPrime.len > 0) && 
+             (dual_params.CommParams.base.len > 0) ) {
+            /* copy in common params */
+
+            if (SECSuccess == rv) {	    
+	        rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+                                      &dual_params.CommParams.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+                                      &dual_params.CommParams.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+                                    &dual_params.CommParams.base);
+            }
+        } else {
+
+	    /* else copy in different params */
+
+	    /* copy DSA PQG parameters */
+            if (SECSuccess == rv) {
+	        rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+                                      &dual_params.DiffParams.DiffDSAParams.prime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+                                      &dual_params.DiffParams.DiffDSAParams.subPrime);
+            }
+            if (SECSuccess == rv) {
+                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+                                      &dual_params.DiffParams.DiffDSAParams.base);
+            }
+        }
+    }
+    return rv;
+}
+
+
+/* Decodes the DER encoded fortezza public key and stores the results in a
+ * structure of type SECKEYPublicKey. */
+
+SECStatus
+SECKEY_FortezzaDecodeCertKey(PRArenaPool *arena, SECKEYPublicKey *pubk,
+                             SECItem *rawkey, SECItem *params) {
+
+	unsigned char *rawptr = rawkey->data;
+	unsigned char *end = rawkey->data + rawkey->len;
+	unsigned char *clearptr;
+
+	/* first march down and decode the raw key data */
+
+	/* version */	
+	pubk->u.fortezza.KEAversion = *rawptr++;
+	if (*rawptr++ != 0x01) {
+		return SECFailure;
+	}
+
+	/* KMID */
+	PORT_Memcpy(pubk->u.fortezza.KMID,rawptr,
+				sizeof(pubk->u.fortezza.KMID));
+	rawptr += sizeof(pubk->u.fortezza.KMID);
+
+	/* clearance (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.clearance.len = rawptr - clearptr;
+	pubk->u.fortezza.clearance.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.clearance.len);
+	if (pubk->u.fortezza.clearance.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.clearance.data,clearptr,
+					pubk->u.fortezza.clearance.len);
+
+	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.KEApriviledge.len = rawptr - clearptr;
+	pubk->u.fortezza.KEApriviledge.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEApriviledge.len);
+	if (pubk->u.fortezza.KEApriviledge.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.KEApriviledge.data,clearptr,
+				pubk->u.fortezza.KEApriviledge.len);
+
+
+	/* now copy the key. The next to bytes are the key length, and the
+	 * key follows */
+	pubk->u.fortezza.KEAKey.len = (*rawptr << 8) | rawptr[1];
+
+	rawptr += 2;
+	if (rawptr+pubk->u.fortezza.KEAKey.len > end) { return SECFailure; }
+	pubk->u.fortezza.KEAKey.data = 
+			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAKey.len);
+	if (pubk->u.fortezza.KEAKey.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.KEAKey.data,rawptr,
+					pubk->u.fortezza.KEAKey.len);
+	rawptr += pubk->u.fortezza.KEAKey.len;
+
+	/* shared key */
+	if (rawptr >= end) {
+	    pubk->u.fortezza.DSSKey.len = pubk->u.fortezza.KEAKey.len;
+	    /* this depends on the fact that we are going to get freed with an
+	     * ArenaFree call. We cannot free DSSKey and KEAKey separately */
+	    pubk->u.fortezza.DSSKey.data=
+					pubk->u.fortezza.KEAKey.data;
+	    pubk->u.fortezza.DSSpriviledge.len = 
+				pubk->u.fortezza.KEApriviledge.len;
+	    pubk->u.fortezza.DSSpriviledge.data =
+			pubk->u.fortezza.DSSpriviledge.data;
+	    goto done;
+	}
+		
+
+	/* DSS Version is next */
+	pubk->u.fortezza.DSSversion = *rawptr++;
+
+	if (*rawptr++ != 2) {
+		return SECFailure;
+	}
+
+	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.DSSpriviledge.len = rawptr - clearptr;
+	pubk->u.fortezza.DSSpriviledge.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSpriviledge.len);
+	if (pubk->u.fortezza.DSSpriviledge.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.DSSpriviledge.data,clearptr,
+				pubk->u.fortezza.DSSpriviledge.len);
+
+	/* finally copy the DSS key. The next to bytes are the key length,
+	 *  and the key follows */
+	pubk->u.fortezza.DSSKey.len = (*rawptr << 8) | rawptr[1];
+
+	rawptr += 2;
+	if (rawptr+pubk->u.fortezza.DSSKey.len > end){ return SECFailure; }
+	pubk->u.fortezza.DSSKey.data = 
+			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSKey.len);
+	if (pubk->u.fortezza.DSSKey.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.DSSKey.data,rawptr,
+					pubk->u.fortezza.DSSKey.len);
+
+	/* ok, now we decode the parameters */
+done:
+
+        return SECKEY_FortezzaDecodePQGtoOld(arena, pubk, params);
+}
+
+
+/* Function used to make an oid tag to a key type */
+KeyType 
+seckey_GetKeyType (SECOidTag tag) {
+    KeyType keyType;
+
+    switch (tag) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	keyType = rsaKey;
+	break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	keyType = dsaKey;
+	break;
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS_OLD:
+      case SEC_OID_MISSI_DSS:  
+	keyType = fortezzaKey;
+	break;
+      case SEC_OID_MISSI_KEA:
+      case SEC_OID_MISSI_ALT_KEA:
+	keyType = keaKey;
+	break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	keyType = dhKey;
+	break;
+      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+	keyType = ecKey;
+	break;
+      default:
+	keyType = nullKey;
+    }
+    return keyType;
+}
+
+/* Function used to determine what kind of cert we are dealing with. */
+KeyType 
+CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki) 
+{
+    return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm));
+}
+
+static SECKEYPublicKey *
+seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
+{
+    SECKEYPublicKey *pubk;
+    SECItem os, newOs, newParms;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag tag;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	return NULL;
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubk->arena = arena;
+    pubk->pkcs11Slot = 0;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+
+
+    /* Convert bit string length from bits to bytes */
+    os = spki->subjectPublicKey;
+    DER_ConvertBitString (&os);
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newOs, &os);
+    if ( rv == SECSuccess )
+    switch ( tag ) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	pubk->keyType = rsaKey;
+	prepare_rsa_pub_key_for_asn1(pubk);        
+        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &newOs);
+	if (rv == SECSuccess)
+	    return pubk;
+	break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+      case SEC_OID_SDN702_DSA_SIGNATURE:
+	pubk->keyType = dsaKey;
+	prepare_dsa_pub_key_for_asn1(pubk);
+	rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &newOs);
+	if (rv != SECSuccess) break;
+
+        rv = SECKEY_DSADecodePQG(arena, pubk,
+                                 &spki->algorithm.parameters); 
+
+	if (rv == SECSuccess) return pubk;
+	break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	pubk->keyType = dhKey;
+	prepare_dh_pub_key_for_asn1(pubk);
+	rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &newOs);
+	if (rv != SECSuccess) break;
+
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;
+
+        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate,
+                                 &newParms); 
+
+	if (rv == SECSuccess) return pubk;
+	break;
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS_OLD:
+      case SEC_OID_MISSI_DSS:
+	pubk->keyType = fortezzaKey;
+	rv = SECKEY_FortezzaDecodeCertKey(arena, pubk, &newOs,
+				          &spki->algorithm.parameters);
+	if (rv == SECSuccess)
+	    return pubk;
+	break;
+
+      case SEC_OID_MISSI_KEA:
+	pubk->keyType = keaKey;
+
+	prepare_kea_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk,
+                                SECKEY_KEAPublicKeyTemplate, &newOs);
+        if (rv != SECSuccess) break;
+
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;
+
+        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
+                        &newParms);
+
+	if (rv == SECSuccess)
+	    return pubk;
+
+        break;
+
+      case SEC_OID_MISSI_ALT_KEA:
+	pubk->keyType = keaKey;
+
+        rv = SECITEM_CopyItem(arena,&pubk->u.kea.publicValue,&newOs);
+        if (rv != SECSuccess) break;
+ 
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;
+
+        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
+                        &newParms);
+
+	if (rv == SECSuccess)
+	    return pubk;
+
+        break;
+
+      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+	pubk->keyType = ecKey;
+	pubk->u.ec.size = 0;
+
+	/* Since PKCS#11 directly takes the DER encoding of EC params
+	 * and public value, we don't need any decoding here.
+	 */
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.DEREncodedParams, 
+	    &spki->algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs);
+	if (rv == SECSuccess) return pubk;
+	break;
+
+      default:
+	rv = SECFailure;
+	break;
+    }
+
+    SECKEY_DestroyPublicKey (pubk);
+    return NULL;
+}
+
+
+/* required for JSS */
+SECKEYPublicKey *
+SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
+{
+    return seckey_ExtractPublicKey(spki);
+}
+
+SECKEYPublicKey *
+CERT_ExtractPublicKey(CERTCertificate *cert)
+{
+    SECStatus rv;
+
+    if (!cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    rv = SECKEY_UpdateCertPQG(cert);
+    if (rv != SECSuccess) return NULL;
+
+    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
+}
+
+/*
+ * Get the public key for the fortezza KMID. NOTE this requires the
+ * PQG paramters to be set. We probably should have a fortezza call that 
+ * just extracts the kmid for us directly so this function can work
+ * without having the whole cert chain
+ */
+SECKEYPublicKey *
+CERT_KMIDPublicKey(CERTCertificate *cert)
+{
+    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
+}
+
+int
+SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
+{
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+	
+    /* The encodedParams data contains 0x06 (SEC_ASN1_OBJECT_ID),
+     * followed by the length of the curve oid and the curve oid.
+     */
+    oid.len = encodedParams->data[1];
+    oid.data = encodedParams->data + 2;
+    if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)
+	return 0;
+
+    switch (tag) {
+    case SEC_OID_SECG_EC_SECP112R1:
+    case SEC_OID_SECG_EC_SECP112R2:
+        return 112;
+
+    case SEC_OID_SECG_EC_SECT113R1:
+    case SEC_OID_SECG_EC_SECT113R2:
+	return 113;
+
+    case SEC_OID_SECG_EC_SECP128R1:
+    case SEC_OID_SECG_EC_SECP128R2:
+	return 128;
+
+    case SEC_OID_SECG_EC_SECT131R1:
+    case SEC_OID_SECG_EC_SECT131R2:
+	return 131;
+
+    case SEC_OID_SECG_EC_SECP160K1:
+    case SEC_OID_SECG_EC_SECP160R1:
+    case SEC_OID_SECG_EC_SECP160R2:
+	return 160;
+
+    case SEC_OID_SECG_EC_SECT163K1:
+    case SEC_OID_SECG_EC_SECT163R1:
+    case SEC_OID_SECG_EC_SECT163R2:
+    case SEC_OID_ANSIX962_EC_C2PNB163V1:
+    case SEC_OID_ANSIX962_EC_C2PNB163V2:
+    case SEC_OID_ANSIX962_EC_C2PNB163V3:
+	return 163;
+
+    case SEC_OID_ANSIX962_EC_C2PNB176V1:
+	return 176;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V1:
+    case SEC_OID_ANSIX962_EC_C2TNB191V2:
+    case SEC_OID_ANSIX962_EC_C2TNB191V3:
+    case SEC_OID_ANSIX962_EC_C2ONB191V4:
+    case SEC_OID_ANSIX962_EC_C2ONB191V5:
+	return 191;
+
+    case SEC_OID_SECG_EC_SECP192K1:
+    case SEC_OID_ANSIX962_EC_PRIME192V1:
+    case SEC_OID_ANSIX962_EC_PRIME192V2:
+    case SEC_OID_ANSIX962_EC_PRIME192V3:
+	return 192;
+
+    case SEC_OID_SECG_EC_SECT193R1:
+    case SEC_OID_SECG_EC_SECT193R2:
+	return 193;
+
+    case SEC_OID_ANSIX962_EC_C2PNB208W1:
+	return 208;
+
+    case SEC_OID_SECG_EC_SECP224K1:
+    case SEC_OID_SECG_EC_SECP224R1:
+	return 224;
+
+    case SEC_OID_SECG_EC_SECT233K1:
+    case SEC_OID_SECG_EC_SECT233R1:
+	return 233;
+
+    case SEC_OID_SECG_EC_SECT239K1:
+    case SEC_OID_ANSIX962_EC_C2TNB239V1:
+    case SEC_OID_ANSIX962_EC_C2TNB239V2:
+    case SEC_OID_ANSIX962_EC_C2TNB239V3:
+    case SEC_OID_ANSIX962_EC_C2ONB239V4:
+    case SEC_OID_ANSIX962_EC_C2ONB239V5:
+    case SEC_OID_ANSIX962_EC_PRIME239V1:
+    case SEC_OID_ANSIX962_EC_PRIME239V2:
+    case SEC_OID_ANSIX962_EC_PRIME239V3:
+	return 239;
+
+    case SEC_OID_SECG_EC_SECP256K1:
+    case SEC_OID_ANSIX962_EC_PRIME256V1:
+	return 256;
+
+    case SEC_OID_ANSIX962_EC_C2PNB272W1:
+	return 272;
+
+    case SEC_OID_SECG_EC_SECT283K1:
+    case SEC_OID_SECG_EC_SECT283R1:
+	return 283;
+
+    case SEC_OID_ANSIX962_EC_C2PNB304W1:
+	return 304;
+
+    case SEC_OID_ANSIX962_EC_C2TNB359V1:
+	return 359;
+
+    case SEC_OID_ANSIX962_EC_C2PNB368W1:
+	return 368;
+
+    case SEC_OID_SECG_EC_SECP384R1:
+	return 384;
+
+    case SEC_OID_SECG_EC_SECT409K1:
+    case SEC_OID_SECG_EC_SECT409R1:
+	return 409;
+
+    case SEC_OID_ANSIX962_EC_C2TNB431R1:
+	return 431;
+
+    case SEC_OID_SECG_EC_SECP521R1:
+	return 521;
+
+    case SEC_OID_SECG_EC_SECT571K1:
+    case SEC_OID_SECG_EC_SECT571R1:
+	return 571;
+
+    default:
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	return 0;
+    }
+}
+
+int
+SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams)
+{
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+	
+    /* The encodedParams data contains 0x06 (SEC_ASN1_OBJECT_ID),
+     * followed by the length of the curve oid and the curve oid.
+     */
+    oid.len = encodedParams->data[1];
+    oid.data = encodedParams->data + 2;
+    if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)
+	return 0;
+
+    switch (tag) {
+    case SEC_OID_SECG_EC_SECP112R1:
+        return 112;
+    case SEC_OID_SECG_EC_SECP112R2:
+        return 110;
+
+    case SEC_OID_SECG_EC_SECT113R1:
+    case SEC_OID_SECG_EC_SECT113R2:
+	return 113;
+
+    case SEC_OID_SECG_EC_SECP128R1:
+	return 128;
+    case SEC_OID_SECG_EC_SECP128R2:
+	return 126;
+
+    case SEC_OID_SECG_EC_SECT131R1:
+    case SEC_OID_SECG_EC_SECT131R2:
+	return 131;
+
+    case SEC_OID_SECG_EC_SECP160K1:
+    case SEC_OID_SECG_EC_SECP160R1:
+    case SEC_OID_SECG_EC_SECP160R2:
+	return 161;
+
+    case SEC_OID_SECG_EC_SECT163K1:
+	return 163;
+    case SEC_OID_SECG_EC_SECT163R1:
+	return 162;
+    case SEC_OID_SECG_EC_SECT163R2:
+    case SEC_OID_ANSIX962_EC_C2PNB163V1:
+	return 163;
+    case SEC_OID_ANSIX962_EC_C2PNB163V2:
+    case SEC_OID_ANSIX962_EC_C2PNB163V3:
+	return 162;
+
+    case SEC_OID_ANSIX962_EC_C2PNB176V1:
+	return 161;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V1:
+	return 191;
+    case SEC_OID_ANSIX962_EC_C2TNB191V2:
+	return 190;
+    case SEC_OID_ANSIX962_EC_C2TNB191V3:
+	return 189;
+    case SEC_OID_ANSIX962_EC_C2ONB191V4:
+	return 191;
+    case SEC_OID_ANSIX962_EC_C2ONB191V5:
+	return 188;
+
+    case SEC_OID_SECG_EC_SECP192K1:
+    case SEC_OID_ANSIX962_EC_PRIME192V1:
+    case SEC_OID_ANSIX962_EC_PRIME192V2:
+    case SEC_OID_ANSIX962_EC_PRIME192V3:
+	return 192;
+
+    case SEC_OID_SECG_EC_SECT193R1:
+    case SEC_OID_SECG_EC_SECT193R2:
+	return 193;
+
+    case SEC_OID_ANSIX962_EC_C2PNB208W1:
+	return 193;
+
+    case SEC_OID_SECG_EC_SECP224K1:
+	return 225;
+    case SEC_OID_SECG_EC_SECP224R1:
+	return 224;
+
+    case SEC_OID_SECG_EC_SECT233K1:
+	return 232;
+    case SEC_OID_SECG_EC_SECT233R1:
+	return 233;
+
+    case SEC_OID_SECG_EC_SECT239K1:
+    case SEC_OID_ANSIX962_EC_C2TNB239V1:
+	return 238;
+    case SEC_OID_ANSIX962_EC_C2TNB239V2:
+	return 237;
+    case SEC_OID_ANSIX962_EC_C2TNB239V3:
+	return 236;
+    case SEC_OID_ANSIX962_EC_C2ONB239V4:
+	return 238;
+    case SEC_OID_ANSIX962_EC_C2ONB239V5:
+	return 237;
+    case SEC_OID_ANSIX962_EC_PRIME239V1:
+    case SEC_OID_ANSIX962_EC_PRIME239V2:
+    case SEC_OID_ANSIX962_EC_PRIME239V3:
+	return 239;
+
+    case SEC_OID_SECG_EC_SECP256K1:
+    case SEC_OID_ANSIX962_EC_PRIME256V1:
+	return 256;
+
+    case SEC_OID_ANSIX962_EC_C2PNB272W1:
+	return 257;
+
+    case SEC_OID_SECG_EC_SECT283K1:
+	return 281;
+    case SEC_OID_SECG_EC_SECT283R1:
+	return 282;
+
+    case SEC_OID_ANSIX962_EC_C2PNB304W1:
+	return 289;
+
+    case SEC_OID_ANSIX962_EC_C2TNB359V1:
+	return 353;
+
+    case SEC_OID_ANSIX962_EC_C2PNB368W1:
+	return 353;
+
+    case SEC_OID_SECG_EC_SECP384R1:
+	return 384;
+
+    case SEC_OID_SECG_EC_SECT409K1:
+	return 407;
+    case SEC_OID_SECG_EC_SECT409R1:
+	return 409;
+
+    case SEC_OID_ANSIX962_EC_C2TNB431R1:
+	return 418;
+
+    case SEC_OID_SECG_EC_SECP521R1:
+	return 521;
+
+    case SEC_OID_SECG_EC_SECT571K1:
+    case SEC_OID_SECG_EC_SECT571R1:
+	return 570;
+
+    default:
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	return 0;
+    }
+}
+
+/* returns key strength in bytes (not bits) */
+unsigned
+SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
+{
+    unsigned char b0;
+    unsigned size;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case rsaKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    case dsaKey:
+    	b0 = pubk->u.dsa.publicValue.data[0];
+    	return b0 ? pubk->u.dsa.publicValue.len :
+	    pubk->u.dsa.publicValue.len - 1;
+    case dhKey:
+    	b0 = pubk->u.dh.publicValue.data[0];
+    	return b0 ? pubk->u.dh.publicValue.len :
+	    pubk->u.dh.publicValue.len - 1;
+    case fortezzaKey:
+	return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
+    case ecKey:
+	/* Get the key size in bits and adjust */
+	size =	SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
+	return (size + 7)/8;
+    default:
+	break;
+    }
+    PORT_SetError(SEC_ERROR_INVALID_KEY);
+    return 0;
+}
+
+/* returns key strength in bits */
+unsigned
+SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
+{
+    unsigned size;
+    switch (pubk->keyType) {
+    case rsaKey:
+    case dsaKey:
+    case dhKey:
+    case fortezzaKey:
+	return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */
+    case ecKey:
+	size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
+	return size;
+    default:
+	break;
+    }
+    PORT_SetError(SEC_ERROR_INVALID_KEY);
+    return 0;
+}
+
+/* returns signature length in bytes (not bits) */
+unsigned
+SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
+{
+    unsigned char b0;
+    unsigned size;
+
+    switch (pubk->keyType) {
+    case rsaKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    case fortezzaKey:
+    case dsaKey:
+    	return DSA_SIGNATURE_LEN;
+    case ecKey:
+	/* Get the base point order length in bits and adjust */
+	size =	SECKEY_ECParamsToBasePointOrderLen(
+		&pubk->u.ec.DEREncodedParams);
+	return ((size + 7)/8) * 2;
+    default:
+	break;
+    }
+    PORT_SetError(SEC_ERROR_INVALID_KEY);
+    return 0;
+}
+
+SECKEYPrivateKey *
+SECKEY_CopyPrivateKey(const SECKEYPrivateKey *privk)
+{
+    SECKEYPrivateKey *copyk;
+    PRArenaPool *arena;
+    
+    if (!privk || !privk->pkcs11Slot) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    copyk = (SECKEYPrivateKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPrivateKey));
+    if (copyk) {
+	copyk->arena = arena;
+	copyk->keyType = privk->keyType;
+
+	/* copy the PKCS #11 parameters */
+	copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
+	/* if the key we're referencing was a temparary key we have just
+	 * created, that we want to go away when we're through, we need
+	 * to make a copy of it */
+	if (privk->pkcs11IsTemp) {
+	    copyk->pkcs11ID = 
+			PK11_CopyKey(privk->pkcs11Slot,privk->pkcs11ID);
+	    if (copyk->pkcs11ID == CK_INVALID_HANDLE) goto fail;
+	} else {
+	    copyk->pkcs11ID = privk->pkcs11ID;
+	}
+	copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
+	copyk->wincx = privk->wincx;
+	copyk->staticflags = privk->staticflags;
+	return copyk;
+    } else {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+    }
+
+fail:
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+SECKEYPublicKey *
+SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
+{
+    SECKEYPublicKey *copyk;
+    PRArenaPool *arena;
+    SECStatus rv = SECSuccess;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    copyk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
+    if (!copyk) {
+        PORT_FreeArena (arena, PR_FALSE);
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    copyk->arena = arena;
+    copyk->keyType = pubk->keyType;
+    if (pubk->pkcs11Slot && 
+        PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
+        copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot);
+        copyk->pkcs11ID = pubk->pkcs11ID;
+    } else {
+        copyk->pkcs11Slot = NULL;	/* go get own reference */
+        copyk->pkcs11ID = CK_INVALID_HANDLE;
+    }
+    switch (pubk->keyType) {
+      case rsaKey:
+          rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
+                                &pubk->u.rsa.modulus);
+          if (rv == SECSuccess) {
+              rv = SECITEM_CopyItem (arena, &copyk->u.rsa.publicExponent,
+                                     &pubk->u.rsa.publicExponent);
+              if (rv == SECSuccess)
+                  return copyk;
+          }
+          break;
+      case dsaKey:
+          rv = SECITEM_CopyItem(arena, &copyk->u.dsa.publicValue,
+                                &pubk->u.dsa.publicValue);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.prime,
+                                &pubk->u.dsa.params.prime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.subPrime,
+                                &pubk->u.dsa.params.subPrime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.base,
+                                &pubk->u.dsa.params.base);
+          break;
+      case keaKey:
+          rv = SECITEM_CopyItem(arena, &copyk->u.kea.publicValue,
+                                &pubk->u.kea.publicValue);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.kea.params.hash,
+                                &pubk->u.kea.params.hash);
+          break;
+      case fortezzaKey:
+          copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
+          copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
+          PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
+                      sizeof(pubk->u.fortezza.KMID));
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.clearance, 
+                                &pubk->u.fortezza.clearance);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEApriviledge, 
+                                &pubk->u.fortezza.KEApriviledge);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSpriviledge, 
+                                &pubk->u.fortezza.DSSpriviledge);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAKey, 
+                                &pubk->u.fortezza.KEAKey);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSKey, 
+                                &pubk->u.fortezza.DSSKey);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.prime, 
+                                &pubk->u.fortezza.params.prime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.subPrime, 
+                                &pubk->u.fortezza.params.subPrime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.base, 
+                                &pubk->u.fortezza.params.base);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.prime, 
+                                &pubk->u.fortezza.keaParams.prime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.subPrime, 
+                                &pubk->u.fortezza.keaParams.subPrime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.base, 
+                                &pubk->u.fortezza.keaParams.base);
+          break;
+      case dhKey:
+          rv = SECITEM_CopyItem(arena,&copyk->u.dh.prime,&pubk->u.dh.prime);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena,&copyk->u.dh.base,&pubk->u.dh.base);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue, 
+                                &pubk->u.dh.publicValue);
+          break;
+      case ecKey:
+          copyk->u.ec.size = pubk->u.ec.size;
+          rv = SECITEM_CopyItem(arena,&copyk->u.ec.DEREncodedParams,
+                                &pubk->u.ec.DEREncodedParams);
+          if (rv != SECSuccess) break;
+          rv = SECITEM_CopyItem(arena,&copyk->u.ec.publicValue,
+                                &pubk->u.ec.publicValue);
+          break;
+      case nullKey:
+          return copyk;
+      default:
+          rv = SECFailure;
+          break;
+    }
+    if (rv == SECSuccess)
+        return copyk;
+
+    SECKEY_DestroyPublicKey (copyk);
+    return NULL;
+}
+
+
+SECKEYPublicKey *
+SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
+{
+    SECKEYPublicKey *pubk;
+    PRArenaPool *arena;
+    CERTCertificate *cert;
+    SECStatus rv;
+
+    /*
+     * First try to look up the cert.
+     */
+    cert = PK11_GetCertFromPrivateKey(privk);
+    if (cert) {
+	pubk = CERT_ExtractPublicKey(cert);
+	CERT_DestroyCertificate(cert);
+	return pubk;
+    }
+
+    /* couldn't find the cert, build pub key by hand */
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						   sizeof (SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    pubk->keyType = privk->keyType;
+    pubk->pkcs11Slot = NULL;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+    pubk->arena = arena;
+
+    /*
+     * fortezza is at the head of this switch, since we don't want to
+     * allocate an arena... CERT_ExtractPublicKey will to that for us.
+     */
+    switch(privk->keyType) {
+      case fortezzaKey:
+      case nullKey:
+      case dhKey:
+      case dsaKey:
+	/* Nothing to query, if the cert isn't there, we're done -- no way
+	 * to get the public key */
+	break;
+      case rsaKey:
+	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
+				CKA_MODULUS,arena,&pubk->u.rsa.modulus);
+	if (rv != SECSuccess)  break;
+	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
+			CKA_PUBLIC_EXPONENT,arena,&pubk->u.rsa.publicExponent);
+	if (rv != SECSuccess)  break;
+	return pubk;
+	break;
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+CERTSubjectPublicKeyInfo *
+SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    PRArenaPool *arena;
+    SECItem params = { siBuffer, NULL, 0 };
+
+    if (!pubk) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    spki = (CERTSubjectPublicKeyInfo *) PORT_ArenaZAlloc(arena, sizeof (*spki));
+    if (spki != NULL) {
+	SECStatus rv;
+	SECItem *rv_item;
+	
+	spki->arena = arena;
+	switch(pubk->keyType) {
+	  case rsaKey:
+	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+				     SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
+	    if (rv == SECSuccess) {
+		/*
+		 * DER encode the public key into the subjectPublicKeyInfo.
+		 */
+		prepare_rsa_pub_key_for_asn1(pubk);
+		rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
+					     pubk, SECKEY_RSAPublicKeyTemplate);
+		if (rv_item != NULL) {
+		    /*
+		     * The stored value is supposed to be a BIT_STRING,
+		     * so convert the length.
+		     */
+		    spki->subjectPublicKey.len <<= 3;
+		    /*
+		     * We got a good one; return it.
+		     */
+		    return spki;
+		}
+	    }
+	    break;
+	  case dsaKey:
+	    /* DER encode the params. */
+	    prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
+	    rv_item = SEC_ASN1EncodeItem(arena, &params, &pubk->u.dsa.params,
+					 SECKEY_PQGParamsTemplate);
+	    if (rv_item != NULL) {
+		rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+					   SEC_OID_ANSIX9_DSA_SIGNATURE,
+					   &params);
+		if (rv == SECSuccess) {
+		    /*
+		     * DER encode the public key into the subjectPublicKeyInfo.
+		     */
+		    prepare_dsa_pub_key_for_asn1(pubk);
+		    rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
+						 pubk,
+						 SECKEY_DSAPublicKeyTemplate);
+		    if (rv_item != NULL) {
+			/*
+			 * The stored value is supposed to be a BIT_STRING,
+			 * so convert the length.
+			 */
+			spki->subjectPublicKey.len <<= 3;
+			/*
+			 * We got a good one; return it.
+			 */
+			return spki;
+		    }
+		}
+	    }
+	    SECITEM_FreeItem(&params, PR_FALSE);
+	    break;
+	  case ecKey:
+	    rv = SECITEM_CopyItem(arena, &params, 
+				  &pubk->u.ec.DEREncodedParams);
+	    if (rv != SECSuccess) break;
+
+	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+				       SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+				       &params);
+	    if (rv != SECSuccess) break;
+
+	    rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey,
+				  &pubk->u.ec.publicValue);
+
+	    if (rv == SECSuccess) {
+	        /*
+		 * The stored value is supposed to be a BIT_STRING,
+		 * so convert the length.
+		 */
+	        spki->subjectPublicKey.len <<= 3;
+		/*
+		 * We got a good one; return it.
+		 */
+		return spki;
+	    }
+	    break;
+	  case keaKey:
+	  case dhKey: /* later... */
+
+	  break;  
+	  case fortezzaKey:
+#ifdef notdef
+	    /* encode the DSS parameters (PQG) */
+	    rv = FortezzaBuildParams(&params,pubk);
+	    if (rv != SECSuccess) break;
+
+	    /* set the algorithm */
+	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+				       SEC_OID_MISSI_KEA_DSS, &params);
+	    PORT_Free(params.data);
+	    if (rv == SECSuccess) {
+		/*
+		 * Encode the public key into the subjectPublicKeyInfo.
+		 * Fortezza key material is not standard DER
+		 */
+		rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
+		if (rv == SECSuccess) {
+		    /*
+		     * The stored value is supposed to be a BIT_STRING,
+		     * so convert the length.
+		     */
+		    spki->subjectPublicKey.len <<= 3;
+
+		    /*
+		     * We got a good one; return it.
+		     */
+		    return spki;
+		}
+	    }
+#endif
+	    break;
+	  default:
+	    break;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+void
+SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki)
+{
+    if (spki && spki->arena) {
+	PORT_FreeArena(spki->arena, PR_FALSE);
+    }
+}
+
+/*
+ * this only works for RSA keys... need to do something
+ * similiar to CERT_ExtractPublicKey for other key times.
+ */
+SECKEYPublicKey *
+SECKEY_DecodeDERPublicKey(SECItem *pubkder)
+{
+    PRArenaPool *arena;
+    SECKEYPublicKey *pubk;
+    SECStatus rv;
+    SECItem newPubkder;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
+    if (pubk != NULL) {
+	pubk->arena = arena;
+	pubk->pkcs11Slot = NULL;
+	pubk->pkcs11ID = 0;
+	prepare_rsa_pub_key_for_asn1(pubk);
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newPubkder, pubkder);
+        if ( rv == SECSuccess ) {
+	    rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate,
+				&newPubkder);
+        }
+	if (rv == SECSuccess)
+	    return pubk;
+	SECKEY_DestroyPublicKey (pubk);
+    } else {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded public key.
+ */
+SECKEYPublicKey *
+SECKEY_ConvertAndDecodePublicKey(char *pubkstr)
+{
+    SECKEYPublicKey *pubk;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem (&der, pubkstr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    pubk = SECKEY_DecodeDERPublicKey (&der);
+
+    PORT_Free (der.data);
+    return pubk;
+}
+
+SECItem *
+SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki=NULL;
+    SECItem *spkiDER=NULL;
+
+    /* get the subjectpublickeyinfo */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if( spki == NULL ) {
+	goto finish;
+    }
+
+    /* DER-encode the subjectpublickeyinfo */
+    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+					CERT_SubjectPublicKeyInfoTemplate);
+finish:
+    if (spki!=NULL) {
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    return spkiDER;
+}
+
+
+CERTSubjectPublicKeyInfo *
+SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider)
+{
+    PRArenaPool *arena;
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+    SECItem newSpkider;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    spki = (CERTSubjectPublicKeyInfo *)
+		PORT_ArenaZAlloc(arena, sizeof (CERTSubjectPublicKeyInfo));
+    if (spki != NULL) {
+	spki->arena = arena;
+
+        /* copy the DER into the arena, since Quick DER returns data that points
+           into the DER input, which may get freed by the caller */
+        rv = SECITEM_CopyItem(arena, &newSpkider, spkider);
+        if ( rv == SECSuccess ) {
+            rv = SEC_QuickDERDecodeItem(arena,spki,
+				    CERT_SubjectPublicKeyInfoTemplate, &newSpkider);
+        }
+	if (rv == SECSuccess)
+	    return spki;
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded subject public key info.
+ */
+CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem(&der, spkistr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
+
+    PORT_Free(der.data);
+    return spki;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded public key and challenge
+ * Verify digital signature and make sure challenge matches
+ */
+CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
+								void *wincx)
+{
+    CERTSubjectPublicKeyInfo *spki = NULL;
+    CERTPublicKeyAndChallenge pkac;
+    SECStatus rv;
+    SECItem signedItem;
+    PRArenaPool *arena = NULL;
+    CERTSignedData sd;
+    SECItem sig;
+    SECKEYPublicKey *pubKey = NULL;
+    unsigned int len;
+    
+    signedItem.data = NULL;
+    
+    /* convert the base64 encoded data to binary */
+    rv = ATOB_ConvertAsciiToItem(&signedItem, pkacstr);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* create an arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    /* decode the outer wrapping of signed data */
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem );
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* decode the public key and challenge wrapper */
+    PORT_Memset(&pkac, 0, sizeof(CERTPublicKeyAndChallenge));
+    rv = SEC_QuickDERDecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate, 
+			    &sd.data);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* decode the subject public key info */
+    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&pkac.spki);
+    if ( spki == NULL ) {
+	goto loser;
+    }
+    
+    /* get the public key */
+    pubKey = seckey_ExtractPublicKey(spki);
+    if ( pubKey == NULL ) {
+	goto loser;
+    }
+
+    /* check the signature */
+    sig = sd.signature;
+    DER_ConvertBitString(&sig);
+    rv = VFY_VerifyDataWithAlgorithmID(sd.data.data, sd.data.len, pubKey, &sig,
+			&(sd.signatureAlgorithm), NULL, wincx);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    /* check the challenge */
+    if ( challenge ) {
+	len = PORT_Strlen(challenge);
+	/* length is right */
+	if ( len != pkac.challenge.len ) {
+	    goto loser;
+	}
+	/* actual data is right */
+	if ( PORT_Memcmp(challenge, pkac.challenge.data, len) != 0 ) {
+	    goto loser;
+	}
+    }
+    goto done;
+
+loser:
+    /* make sure that we return null if we got an error */
+    if ( spki ) {
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    spki = NULL;
+    
+done:
+    if ( signedItem.data ) {
+	PORT_Free(signedItem.data);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if ( pubKey ) {
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    
+    return spki;
+}
+
+void
+SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
+			     PRBool freeit)
+{
+    PRArenaPool *poolp;
+
+    if(pvk != NULL) {
+	if(pvk->arena) {
+	    poolp = pvk->arena;
+	    /* zero structure since PORT_FreeArena does not support
+	     * this yet.
+	     */
+	    PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
+	    PORT_Memset((char *)pvk, 0, sizeof(*pvk));
+	    if(freeit == PR_TRUE) {
+		PORT_FreeArena(poolp, PR_TRUE);
+	    } else {
+		pvk->arena = poolp;
+	    }
+	} else {
+	    SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
+	    SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
+	    SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
+	    PORT_Memset((char *)pvk, 0, sizeof(pvk));
+	    if(freeit == PR_TRUE) {
+		PORT_Free(pvk);
+	    }
+	}
+    }
+}
+
+void
+SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
+				      PRBool freeit)
+{
+    PRArenaPool *poolp;
+
+    if(epki != NULL) {
+	if(epki->arena) {
+	    poolp = epki->arena;
+	    /* zero structure since PORT_FreeArena does not support
+	     * this yet.
+	     */
+	    PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
+	    PORT_Memset((char *)epki, 0, sizeof(*epki));
+	    if(freeit == PR_TRUE) {
+		PORT_FreeArena(poolp, PR_TRUE);
+	    } else {
+		epki->arena = poolp;
+	    }
+	} else {
+	    SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
+	    SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
+	    PORT_Memset((char *)epki, 0, sizeof(epki));
+	    if(freeit == PR_TRUE) {
+		PORT_Free(epki);
+	    }
+	}
+    }
+}
+
+SECStatus
+SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
+			  SECKEYPrivateKeyInfo *to,
+			  SECKEYPrivateKeyInfo *from)
+{
+    SECStatus rv = SECFailure;
+
+    if((to == NULL) || (from == NULL)) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->privateKey, &from->privateKey);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->version, &from->version);
+
+    return rv;
+}
+
+SECStatus
+SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp, 
+				   SECKEYEncryptedPrivateKeyInfo *to,
+				   SECKEYEncryptedPrivateKeyInfo *from)
+{
+    SECStatus rv = SECFailure;
+
+    if((to == NULL) || (from == NULL)) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->encryptedData, &from->encryptedData);
+
+    return rv;
+}
+
+KeyType
+SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey)
+{
+   return privKey->keyType;
+}
+
+KeyType
+SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey)
+{
+   return pubKey->keyType;
+}
+
+SECKEYPublicKey*
+SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type)
+{
+    SECKEYPublicKey *pubk = NULL;
+    SECStatus rv = SECFailure;
+    SECItem newDerKey;
+
+    if (!derKey) {
+        return NULL;
+    } 
+
+    pubk = PORT_ZNew(SECKEYPublicKey);
+    if(pubk == NULL) {
+        goto finish;
+    }
+    pubk->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (NULL == pubk->arena) {
+        goto finish;
+    }
+    rv = SECITEM_CopyItem(pubk->arena, &newDerKey, derKey);
+    if (SECSuccess != rv) {
+        goto finish;
+    }
+
+    pubk->pkcs11Slot = NULL;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+
+    switch( type ) {
+      case CKK_RSA:
+	prepare_rsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_RSAPublicKeyTemplate, &newDerKey);
+        pubk->keyType = rsaKey;
+        break;
+      case CKK_DSA:
+	prepare_dsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DSAPublicKeyTemplate, &newDerKey);
+        pubk->keyType = dsaKey;
+        break;
+      case CKK_DH:
+	prepare_dh_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DHPublicKeyTemplate, &newDerKey);
+        pubk->keyType = dhKey;
+        break;
+      default:
+        rv = SECFailure;
+        break;
+    }
+
+finish:
+    if( rv != SECSuccess && pubk != NULL) {
+        if (pubk->arena) {
+            PORT_FreeArena(pubk->arena, PR_TRUE);
+        }
+        PORT_Free(pubk);
+        pubk = NULL;
+    }
+    return pubk;
+}
+
+SECKEYPrivateKeyList*
+SECKEY_NewPrivateKeyList(void)
+{
+    PRArenaPool *arena = NULL;
+    SECKEYPrivateKeyList *ret = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+        goto loser;
+    }
+
+    ret = (SECKEYPrivateKeyList *)PORT_ArenaZAlloc(arena,
+                sizeof(SECKEYPrivateKeyList));
+    if ( ret == NULL ) {
+        goto loser;
+    }
+
+    ret->arena = arena;
+
+    PR_INIT_CLIST(&ret->list);
+
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return(NULL);
+}
+
+void
+SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys)
+{
+    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
+        SECKEY_RemovePrivateKeyListNode(
+            (SECKEYPrivateKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
+    }
+
+    PORT_FreeArena(keys->arena, PR_FALSE);
+
+    return;
+}
+
+
+void
+SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node)
+{
+    PR_ASSERT(node->key);
+    SECKEY_DestroyPrivateKey(node->key);
+    node->key = NULL;
+    PR_REMOVE_LINK(&node->links);
+    return;
+
+}
+
+SECStatus
+SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
+                                SECKEYPrivateKey *key)
+{
+    SECKEYPrivateKeyListNode *node;
+
+    node = (SECKEYPrivateKeyListNode *)PORT_ArenaZAlloc(list->arena,
+                sizeof(SECKEYPrivateKeyListNode));
+    if ( node == NULL ) {
+        goto loser;
+    }
+
+    PR_INSERT_BEFORE(&node->links, &list->list);
+    node->key = key;
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+SECKEYPublicKeyList*
+SECKEY_NewPublicKeyList(void)
+{
+    PRArenaPool *arena = NULL;
+    SECKEYPublicKeyList *ret = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+        goto loser;
+    }
+
+    ret = (SECKEYPublicKeyList *)PORT_ArenaZAlloc(arena,
+                sizeof(SECKEYPublicKeyList));
+    if ( ret == NULL ) {
+        goto loser;
+    }
+
+    ret->arena = arena;
+
+    PR_INIT_CLIST(&ret->list);
+
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return(NULL);
+}
+
+void
+SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys)
+{
+    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
+        SECKEY_RemovePublicKeyListNode(
+            (SECKEYPublicKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
+    }
+
+    PORT_FreeArena(keys->arena, PR_FALSE);
+
+    return;
+}
+
+
+void
+SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node)
+{
+    PR_ASSERT(node->key);
+    SECKEY_DestroyPublicKey(node->key);
+    node->key = NULL;
+    PR_REMOVE_LINK(&node->links);
+    return;
+
+}
+
+SECStatus
+SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
+                                SECKEYPublicKey *key)
+{
+    SECKEYPublicKeyListNode *node;
+
+    node = (SECKEYPublicKeyListNode *)PORT_ArenaZAlloc(list->arena,
+                sizeof(SECKEYPublicKeyListNode));
+    if ( node == NULL ) {
+        goto loser;
+    }
+
+    PR_INSERT_BEFORE(&node->links, &list->list);
+    node->key = key;
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+#define SECKEY_CacheAttribute(key, attribute) \
+    if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute)) { \
+        key->staticflags |= SECKEY_##attribute; \
+    } else { \
+        key->staticflags &= (~SECKEY_##attribute); \
+    }
+
+SECStatus
+SECKEY_CacheStaticFlags(SECKEYPrivateKey* key)
+{
+    SECStatus rv = SECFailure;
+    if (key && key->pkcs11Slot && key->pkcs11ID) {
+        key->staticflags |= SECKEY_Attributes_Cached;
+        SECKEY_CacheAttribute(key, CKA_PRIVATE);
+        rv = SECSuccess;
+    }
+    return rv;
+}
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
new file mode 100644
index 000000000..d596ebb90
--- /dev/null
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -0,0 +1,518 @@
+/*
+ * Signature stuff.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include "cryptohi.h"
+#include "sechash.h"
+#include "secder.h"
+#include "keyhi.h"
+#include "secoid.h"
+#include "secdig.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "keyi.h"
+
+struct SGNContextStr {
+    SECOidTag signalg;
+    SECOidTag hashalg;
+    void *hashcx;
+    const SECHashObject *hashobj;
+    SECKEYPrivateKey *key;
+};
+
+SGNContext *
+SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+{
+    SGNContext *cx;
+    SECOidTag hashalg, signalg;
+    KeyType keyType;
+    SECStatus rv;
+
+    /* OK, map a PKCS #7 hash and encrypt algorithm into
+     * a standard hashing algorithm. Why did we pass in the whole
+     * PKCS #7 algTag if we were just going to change here you might
+     * ask. Well the answer is for some cards we may have to do the
+     * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
+     * it may just support CKM_RSA_PKCS_WITH_SHA1 and/or CKM_RSA_PKCS_WITH_MD5.
+     */
+    /* we have a private key, not a public key, so don't pass it in */
+    rv =  sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg);
+    if (rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return 0;
+    }
+    keyType = seckey_GetKeyType(signalg);
+
+    /* verify our key type */
+    if (key->keyType != keyType &&
+	!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
+	!((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return 0;
+    }
+
+#ifndef NSS_ECC_MORE_THAN_SUITE_B
+    if (key->keyType == ecKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return 0;
+    }
+#endif
+
+    cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext));
+    if (cx) {
+	cx->hashalg = hashalg;
+	cx->signalg = signalg;
+	cx->key = key;
+    }
+    return cx;
+}
+
+void
+SGN_DestroyContext(SGNContext *cx, PRBool freeit)
+{
+    if (cx) {
+	if (cx->hashcx != NULL) {
+	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	    cx->hashcx = NULL;
+	}
+	if (freeit) {
+	    PORT_ZFree(cx, sizeof(SGNContext));
+	}
+    }
+}
+
+SECStatus
+SGN_Begin(SGNContext *cx)
+{
+    if (cx->hashcx != NULL) {
+	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	cx->hashcx = NULL;
+    }
+
+    cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg);
+    if (!cx->hashobj)
+	return SECFailure;	/* error code is already set */
+
+    cx->hashcx = (*cx->hashobj->create)();
+    if (cx->hashcx == NULL)
+	return SECFailure;
+
+    (*cx->hashobj->begin)(cx->hashcx);
+    return SECSuccess;
+}
+
+SECStatus
+SGN_Update(SGNContext *cx, unsigned char *input, unsigned inputLen)
+{
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
+    return SECSuccess;
+}
+
+/* XXX Old template; want to expunge it eventually. */
+static DERTemplate SECAlgorithmIDTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { DER_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { DER_OPTIONAL | DER_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+/*
+ * XXX OLD Template.  Once all uses have been switched over to new one,
+ * remove this.
+ */
+static DERTemplate SGNDigestInfoTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SGNDigestInfo) },
+    { DER_INLINE,
+	  offsetof(SGNDigestInfo,digestAlgorithm),
+	  SECAlgorithmIDTemplate, },
+    { DER_OCTET_STRING,
+	  offsetof(SGNDigestInfo,digest), },
+    { 0, }
+};
+
+SECStatus
+SGN_End(SGNContext *cx, SECItem *result)
+{
+    unsigned char digest[HASH_LENGTH_MAX];
+    unsigned part1;
+    int signatureLen;
+    SECStatus rv;
+    SECItem digder, sigitem;
+    PRArenaPool *arena = 0;
+    SECKEYPrivateKey *privKey = cx->key;
+    SGNDigestInfo *di = 0;
+
+    result->data = 0;
+    digder.data = 0;
+
+    /* Finish up digest function */
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
+
+
+    if (privKey->keyType == rsaKey) {
+
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    
+	/* Construct digest info */
+	di = SGN_CreateDigestInfo(cx->hashalg, digest, part1);
+	if (!di) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* Der encode the digest as a DigestInfo */
+        rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
+                        di);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	digder.data = digest;
+	digder.len = part1;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    signatureLen = PK11_SignatureLen(privKey);
+    if (signatureLen <= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	rv = SECFailure;
+	goto loser;
+    }
+    sigitem.len = signatureLen;
+    sigitem.data = (unsigned char*) PORT_Alloc(signatureLen);
+
+    if (sigitem.data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_Sign(privKey, &sigitem, &digder);
+    if (rv != SECSuccess) {
+	PORT_Free(sigitem.data);
+	sigitem.data = NULL;
+	goto loser;
+    }
+
+    if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
+        (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+        /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
+	rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len); 
+	PORT_Free(sigitem.data);
+	if (rv != SECSuccess)
+	    goto loser;
+    } else {
+	result->len = sigitem.len;
+	result->data = sigitem.data;
+    }
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Sign a block of data returning in result a bunch of bytes that are the
+** signature. Returns zero on success, an error code on failure.
+*/
+SECStatus
+SEC_SignData(SECItem *res, unsigned char *buf, int len,
+	     SECKEYPrivateKey *pk, SECOidTag algid)
+{
+    SECStatus rv;
+    SGNContext *sgn;
+
+
+    sgn = SGN_NewContext(algid, pk);
+
+    if (sgn == NULL)
+	return SECFailure;
+
+    rv = SGN_Begin(sgn);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SGN_Update(sgn, buf, len);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SGN_End(sgn, res);
+
+  loser:
+    SGN_DestroyContext(sgn, PR_TRUE);
+    return rv;
+}
+
+/************************************************************************/
+    
+DERTemplate CERTSignedDataTemplate[] =
+{
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedData) },
+    { DER_ANY,
+	  offsetof(CERTSignedData,data), },
+    { DER_INLINE,
+	  offsetof(CERTSignedData,signatureAlgorithm),
+	  SECAlgorithmIDTemplate, },
+    { DER_BIT_STRING,
+	  offsetof(CERTSignedData,signature), },
+    { 0, }
+};
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template CERT_SignedDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedData) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTSignedData,data), },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(CERTSignedData,signatureAlgorithm),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedData,signature), },
+    { 0, }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
+
+
+SECStatus
+SEC_DerSignData(PRArenaPool *arena, SECItem *result, 
+	unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
+{
+    SECItem it;
+    CERTSignedData sd;
+    SECStatus rv;
+
+    it.data = 0;
+
+    /* XXX We should probably have some asserts here to make sure the key type
+     * and algID match
+     */
+
+    if (algID == SEC_OID_UNKNOWN) {
+	switch(pk->keyType) {
+	  case rsaKey:
+	    algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+	    break;
+	  case dsaKey:
+	    algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+	    break;
+	  case ecKey:
+	    algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
+	    break;
+	  default:
+	    PORT_SetError(SEC_ERROR_INVALID_KEY);
+	    return SECFailure;
+	}
+    }
+
+    /* Sign input buffer */
+    rv = SEC_SignData(&it, buf, len, pk, algID);
+    if (rv) goto loser;
+
+    /* Fill out SignedData object */
+    PORT_Memset(&sd, 0, sizeof(sd));
+    sd.data.data = buf;
+    sd.data.len = len;
+    sd.signature.data = it.data;
+    sd.signature.len = it.len << 3;		/* convert to bit string */
+    rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0);
+    if (rv) goto loser;
+
+    /* DER encode the signed data object */
+    rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd);
+    /* FALL THROUGH */
+
+  loser:
+    PORT_Free(it.data);
+    return rv;
+}
+
+SECStatus
+SGN_Digest(SECKEYPrivateKey *privKey,
+		SECOidTag algtag, SECItem *result, SECItem *digest)
+{
+    int modulusLen;
+    SECStatus rv;
+    SECItem digder;
+    PRArenaPool *arena = 0;
+    SGNDigestInfo *di = 0;
+
+
+    result->data = 0;
+
+    if (privKey->keyType == rsaKey) {
+
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    
+	/* Construct digest info */
+	di = SGN_CreateDigestInfo(algtag, digest->data, digest->len);
+	if (!di) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* Der encode the digest as a DigestInfo */
+        rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
+                        di);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	digder.data = digest->data;
+	digder.len = digest->len;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    modulusLen = PK11_SignatureLen(privKey);
+    if (modulusLen <= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	rv = SECFailure;
+	goto loser;
+    }
+    result->len = modulusLen;
+    result->data = (unsigned char*) PORT_Alloc(modulusLen);
+
+    if (result->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_Sign(privKey, result, &digder);
+    if (rv != SECSuccess) {
+	PORT_Free(result->data);
+	result->data = NULL;
+    }
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+SECOidTag
+SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
+{
+    SECOidTag sigTag = SEC_OID_UNKNOWN;
+
+    switch (keyType) {
+    case rsaKey:
+	switch (hashAlgTag) {
+	case SEC_OID_MD2:
+	    sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_MD5:
+	    sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_UNKNOWN:	/* default for RSA if not specified */
+	case SEC_OID_SHA1:
+	    sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_SHA256:
+	    sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_SHA384:
+	    sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;	break;
+	case SEC_OID_SHA512:
+	    sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;	break;
+	default:
+	    break;
+	}
+	break;
+    case dsaKey:
+	switch (hashAlgTag) {
+	case SEC_OID_UNKNOWN:	/* default for DSA if not specified */
+	case SEC_OID_SHA1:
+	    sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break;
+	default:
+	    break;
+	}
+	break;
+    case ecKey:
+	switch (hashAlgTag) {
+	case SEC_OID_UNKNOWN:	/* default for ECDSA if not specified */
+	case SEC_OID_SHA1:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break;
+	case SEC_OID_SHA256:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break;
+	case SEC_OID_SHA384:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; break;
+	case SEC_OID_SHA512:
+            sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; break;
+	default:
+	break;
+	}
+    default:
+    	break;
+    }
+    return sigTag;
+}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
new file mode 100644
index 000000000..606a8bbf7
--- /dev/null
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -0,0 +1,750 @@
+/*
+ * Verification stuff.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include "cryptohi.h"
+#include "sechash.h"
+#include "keyhi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secdig.h"
+#include "secerr.h"
+#include "keyi.h"
+
+/*
+** Decrypt signature block using public key
+** Store the hash algorithm oid tag in *tagp
+** Store the digest in the digest buffer
+** Store the digest length in *digestlen
+** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
+*/
+static SECStatus
+DecryptSigBlock(SECOidTag *tagp, unsigned char *digest,
+		unsigned int *digestlen, unsigned int maxdigestlen,
+		SECKEYPublicKey *key, const SECItem *sig, char *wincx)
+{
+    SGNDigestInfo *di   = NULL;
+    unsigned char *buf  = NULL;
+    SECStatus      rv;
+    SECOidTag      tag;
+    SECItem        it;
+
+    if (key == NULL) goto loser;
+
+    it.len  = SECKEY_PublicKeyStrength(key);
+    if (!it.len) goto loser;
+    it.data = buf = (unsigned char *)PORT_Alloc(it.len);
+    if (!buf) goto loser;
+
+    /* decrypt the block */
+    rv = PK11_VerifyRecover(key, (SECItem *)sig, &it, wincx);
+    if (rv != SECSuccess) goto loser;
+
+    di = SGN_DecodeDigestInfo(&it);
+    if (di == NULL) goto sigloser;
+
+    /*
+    ** Finally we have the digest info; now we can extract the algorithm
+    ** ID and the signature block
+    */
+    tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
+    /* Check that tag is an appropriate algorithm */
+    if (tag == SEC_OID_UNKNOWN) {
+	goto sigloser;
+    }
+    /* make sure the "parameters" are not too bogus. */
+    if (di->digestAlgorithm.parameters.len > 2) {
+	goto sigloser;
+    }
+    if (di->digest.len > maxdigestlen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	goto loser;
+    }
+    PORT_Memcpy(digest, di->digest.data, di->digest.len);
+    *tagp = tag;
+    *digestlen = di->digest.len;
+    goto done;
+
+  sigloser:
+    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+
+  loser:
+    rv = SECFailure;
+
+  done:
+    if (di   != NULL) SGN_DestroyDigestInfo(di);
+    if (buf  != NULL) PORT_Free(buf);
+    
+    return rv;
+}
+
+
+struct VFYContextStr {
+    SECOidTag hashAlg;  /* the hash algorithm */
+    SECKEYPublicKey *key;
+    /*
+     * This buffer holds either the digest or the full signature
+     * depending on the type of the signature (key->keyType).  It is
+     * defined as a union to make sure it always has enough space.
+     *
+     * Use the "buffer" union member to reference the buffer.
+     * Note: do not take the size of the "buffer" union member.  Take
+     * the size of the union or some other union member instead.
+     */
+    union {
+	unsigned char buffer[1];
+
+	/* the digest in the decrypted RSA signature */
+	unsigned char rsadigest[HASH_LENGTH_MAX];
+	/* the full DSA signature... 40 bytes */
+	unsigned char dsasig[DSA_SIGNATURE_LEN];
+	/* the full ECDSA signature */
+	unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
+    } u;
+    unsigned int rsadigestlen;
+    void * wincx;
+    void *hashcx;
+    const SECHashObject *hashobj;
+    SECOidTag encAlg;  /* enc alg */
+    PRBool hasSignature;  /* true if the signature was provided in the
+                           * VFY_CreateContext call.  If false, the
+                           * signature must be provided with a
+                           * VFY_EndWithSignature call. */
+};
+
+/*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+ * to by dsig and has enough room for len bytes.
+ */
+static SECStatus
+decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+		       unsigned int len) {
+    SECItem *dsasig = NULL; /* also used for ECDSA */
+    SECStatus rv=SECSuccess;
+
+    if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+	(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
+        if (sig->len != len) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	} 
+
+	PORT_Memcpy(dsig, sig->data, sig->len);
+	return SECSuccess;
+    }
+
+    if (algid ==  SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+	if (len > MAX_ECKEY_LEN * 2) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	}
+    }
+    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+
+    if ((dsasig == NULL) || (dsasig->len != len)) {
+	rv = SECFailure;
+    } else {
+	PORT_Memcpy(dsig, dsasig->data, dsasig->len);
+    }
+
+    if (dsasig != NULL) SECITEM_FreeItem(dsasig, PR_TRUE);
+    if (rv == SECFailure) PORT_SetError(SEC_ERROR_BAD_DER);
+    return rv;
+}
+
+const SEC_ASN1Template hashParameterTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_OBJECT_ID, 0 },
+    { SEC_ASN1_SKIP_REST },
+    { 0, }
+};
+
+/*
+ * Pulls the hash algorithm, signing algorithm, and key type out of a
+ * composite algorithm.
+ *
+ * sigAlg: the composite algorithm to dissect.
+ * hashalg: address of a SECOidTag which will be set with the hash algorithm.
+ * encalg: address of a SECOidTag which will be set with the signing alg.
+ *
+ * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
+ *	algorithm was not found or was not a signing algorithm.
+ */
+SECStatus
+sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, 
+             const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
+{
+    int len;
+    PRArenaPool *arena;
+    SECStatus rv;
+    SECItem oid;
+
+    PR_ASSERT(hashalg!=NULL);
+    PR_ASSERT(encalg!=NULL);
+
+    switch (sigAlg) {
+      /* We probably shouldn't be generating MD2 signatures either */
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+        *hashalg = SEC_OID_MD2;
+	break;
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+        *hashalg = SEC_OID_MD5;
+	break;
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+      case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+        *hashalg = SEC_OID_SHA1;
+	break;
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */
+	break;
+
+      case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+	*hashalg = SEC_OID_SHA256;
+	break;
+      case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+	*hashalg = SEC_OID_SHA384;
+	break;
+      case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+	*hashalg = SEC_OID_SHA512;
+	break;
+
+      /* what about normal DSA? */
+      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+      case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+        *hashalg = SEC_OID_SHA1;
+	break;
+      case SEC_OID_MISSI_DSS:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_DSS_OLD:
+        *hashalg = SEC_OID_SHA1;
+	break;
+      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
+	/* This is an EC algorithm. Recommended means the largest
+	 * hash algorithm that is not reduced by the keysize of 
+	 * the EC algorithm. Note that key strength is in bytes and
+	 * algorithms are specified in bits. Never use an algorithm
+	 * weaker than sha1. */
+	len = SECKEY_PublicKeyStrength(key);
+	if (len < 28) { /* 28 bytes == 224 bits */
+	    *hashalg = SEC_OID_SHA1;
+	} else if (len < 32) { /* 32 bytes == 256 bits */
+	    /* SHA 224 not supported in NSS */
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    return SECFailure;
+	} else if (len < 48) { /* 48 bytes == 384 bits */
+	    *hashalg = SEC_OID_SHA256;
+	} else if (len < 64) { /* 48 bytes == 512 bits */
+	    *hashalg = SEC_OID_SHA384;
+	} else {
+	    /* use the largest in this case */
+	    *hashalg = SEC_OID_SHA512;
+	}
+	break;
+      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
+	if (param == NULL) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    return SECFailure;
+	}
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    return SECFailure;
+	}
+	rv = SEC_QuickDERDecodeItem(arena, &oid, hashParameterTemplate, param);
+	if (rv != SECSuccess) {
+	    PORT_FreeArena(arena, PR_FALSE);
+	    return rv;
+	}
+	*hashalg = SECOID_FindOIDTag(&oid);
+	/* only accept hash algorithms */
+	if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
+	    /* error set by HASH_GetHashTypeByOidTag */
+	    return SECFailure;
+	}
+	break;
+      /* we don't implement MD4 hashes */
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+    /* get the "encryption" algorithm */ 
+    switch (sigAlg) {
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+      case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+	*encalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	break;
+
+      /* what about normal DSA? */
+      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	*encalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
+	break;
+      case SEC_OID_MISSI_DSS:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_DSS_OLD:
+	*encalg = SEC_OID_MISSI_DSS;
+	break;
+      case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
+      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
+	*encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+	break;
+      /* we don't implement MD4 hashes */
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * we can verify signatures that come from 2 different sources:
+ *  one in with the signature contains a signature oid, and the other
+ *  in which the signature is managed by a Public key (encAlg) oid
+ *  and a hash oid. The latter is the more basic, so that's what
+ *  our base vfyCreate function takes.
+ *
+ * There is one noteworthy corner case, if we are using an RSA key, and the
+ * signature block is provided, then the hashAlg can be specified as 
+ * SEC_OID_UNKNOWN. In this case, verify will use the hash oid supplied
+ * in the RSA signature block.
+ */
+static VFYContext *
+vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, 
+	SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx)
+{
+    VFYContext *cx;
+    SECStatus rv;
+    unsigned int sigLen;
+    KeyType type;
+
+    /* make sure the encryption algorithm matches the key type */
+    type = seckey_GetKeyType(encAlg);
+    if (key->keyType != type) {
+	PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
+	return NULL;
+    }
+
+    cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext));
+    if (cx == NULL) {
+	goto loser;
+    }
+
+    cx->wincx = wincx;
+    cx->hasSignature = (sig != NULL);
+    cx->encAlg = encAlg;
+    cx->hashAlg = hashAlg;
+    cx->key = SECKEY_CopyPublicKey(key);
+    rv = SECSuccess;
+    if (sig) {
+	switch (key->keyType) {
+	case rsaKey:
+	    rv = DecryptSigBlock(&cx->hashAlg, cx->u.buffer, &cx->rsadigestlen,
+			HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
+	    if (cx->hashAlg != hashAlg && hashAlg != SEC_OID_UNKNOWN) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		rv = SECFailure;	
+	    }
+	    break;
+	case dsaKey:
+	case ecKey:
+	    sigLen = SECKEY_SignatureLen(key);
+	    if (sigLen == 0) {
+		/* error set by SECKEY_SignatureLen */
+		rv = SECFailure;	
+		break;
+	    }
+	    rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+ 	    break;
+	default:
+	    rv = SECFailure;
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	    break;
+	}
+    }
+
+    if (rv) goto loser;
+
+    /* check hash alg again, RSA may have changed it.*/
+    if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+	/* error set by HASH_GetHashTypeByOidTag */
+	goto loser;
+    }
+
+    if (hash) {
+	*hash = cx->hashAlg;
+    }
+    return cx;
+
+  loser:
+    if (cx) {
+	VFY_DestroyContext(cx, PR_TRUE);
+    }
+    return 0;
+}
+
+VFYContext *
+VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag sigAlg,
+		  void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    return vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+}
+
+VFYContext *
+VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, 
+			SECOidTag encAlg, SECOidTag hashAlg, 
+			SECOidTag *hash, void *wincx)
+{
+  return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
+}
+
+VFYContext *
+VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig,
+	      const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECStatus rv = sec_DecodeSigAlg(key, 
+		    SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), 
+		    &sigAlgorithm->parameters, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
+}
+
+void
+VFY_DestroyContext(VFYContext *cx, PRBool freeit)
+{
+    if (cx) {
+	if (cx->hashcx != NULL) {
+	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	    cx->hashcx = NULL;
+	}
+	if (cx->key) {
+	    SECKEY_DestroyPublicKey(cx->key);
+	}
+	if (freeit) {
+	    PORT_ZFree(cx, sizeof(VFYContext));
+	}
+    }
+}
+
+SECStatus
+VFY_Begin(VFYContext *cx)
+{
+    if (cx->hashcx != NULL) {
+	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	cx->hashcx = NULL;
+    }
+
+    cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashAlg);
+    if (!cx->hashobj) 
+	return SECFailure;	/* error code is set */
+
+    cx->hashcx = (*cx->hashobj->create)();
+    if (cx->hashcx == NULL)
+	return SECFailure;
+
+    (*cx->hashobj->begin)(cx->hashcx);
+    return SECSuccess;
+}
+
+SECStatus
+VFY_Update(VFYContext *cx, const unsigned char *input, unsigned inputLen)
+{
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
+    return SECSuccess;
+}
+
+SECStatus
+VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+{
+    unsigned char final[HASH_LENGTH_MAX];
+    unsigned part;
+    SECItem hash,dsasig; /* dsasig is also used for ECDSA */
+    SECStatus rv;
+
+    if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
+    switch (cx->key->keyType) {
+      case ecKey:
+      case dsaKey:
+	dsasig.data = cx->u.buffer;
+	dsasig.len = SECKEY_SignatureLen(cx->key);
+	if (dsasig.len == 0) {
+	    return SECFailure;
+	} 
+	if (sig) {
+	    rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+					dsasig.len);
+	    if (rv != SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	    }
+	} 
+	hash.data = final;
+	hash.len = part;
+	if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	}
+	break;
+      case rsaKey:
+	if (sig) {
+	    SECOidTag hashid = SEC_OID_UNKNOWN;
+	    rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen,
+		    HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx);
+	    if ((rv != SECSuccess) || (hashid != cx->hashAlg)) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	    }
+	}
+	if ((part != cx->rsadigestlen) ||
+	    PORT_Memcmp(final, cx->u.buffer, part)) {
+	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    return SECFailure;
+	}
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure; /* shouldn't happen */
+    }
+    return SECSuccess;
+}
+
+SECStatus
+VFY_End(VFYContext *cx)
+{
+    return VFY_EndWithSignature(cx,NULL);
+}
+
+/************************************************************************/
+/*
+ * Verify that a previously-computed digest matches a signature.
+ */
+static SECStatus
+vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, 
+		 const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
+		 void *wincx)
+{
+    SECStatus rv;
+    VFYContext *cx;
+    SECItem dsasig; /* also used for ECDSA */
+
+    rv = SECFailure;
+
+    cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+    if (cx != NULL) {
+	switch (key->keyType) {
+	case rsaKey:
+	    if ((digest->len != cx->rsadigestlen) ||
+		PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    } else {
+		rv = SECSuccess;
+	    }
+	    break;
+	case dsaKey:
+	case ecKey:
+	    dsasig.data = cx->u.buffer;
+	    dsasig.len = SECKEY_SignatureLen(cx->key);
+	    if (dsasig.len == 0) {
+		break;
+	    }
+	    if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx)
+		!= SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    } else {
+		rv = SECSuccess;
+	    }
+	    break;
+	default:
+	    break;
+	}
+	VFY_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, 
+		       const SECItem *sig, SECOidTag encAlg, 
+		       SECOidTag hashAlg, void *wincx)
+{
+    return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx);
+}
+
+SECStatus
+VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig,
+		 SECOidTag algid, void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return SECFailure;
+    }
+    return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx);
+}
+
+/*
+ * this function takes an optional hash oid, which the digest function
+ * will be compared with our target hash value.
+ */
+SECStatus
+VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, 
+		const SECKEYPublicKey *key, const SECItem *sig, 
+		const SECAlgorithmID *sigAlgorithm, 
+		SECOidTag hashCmp, void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECStatus rv = sec_DecodeSigAlg(key, 
+		    SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), 
+		    &sigAlgorithm->parameters, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if ( hashCmp != SEC_OID_UNKNOWN && 
+	 hashAlg != SEC_OID_UNKNOWN &&
+	 hashCmp != hashAlg) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure;
+    }
+    return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx);
+}
+
+static SECStatus
+vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key,
+	       const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
+	       SECOidTag *hash, void *wincx)
+{
+    SECStatus rv;
+    VFYContext *cx;
+
+    cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx);
+    if (cx == NULL)
+	return SECFailure;
+
+    rv = VFY_Begin(cx);
+    if (rv == SECSuccess) {
+	rv = VFY_Update(cx, (unsigned char *)buf, len);
+	if (rv == SECSuccess)
+	    rv = VFY_End(cx);
+    }
+
+    VFY_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+VFY_VerifyDataDirect(const unsigned char *buf, int len, 
+		     const SECKEYPublicKey *key, const SECItem *sig,
+		     SECOidTag encAlg, SECOidTag hashAlg,
+		     SECOidTag *hash, void *wincx)
+{
+    return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx);
+}
+
+SECStatus
+VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
+	       SECItem *sig, SECOidTag algid, void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, wincx);
+}
+
+SECStatus
+VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, 
+			      const SECKEYPublicKey *key,
+			      const SECItem *sig, 
+			      const SECAlgorithmID *sigAlgorithm, 
+			      SECOidTag *hash, void *wincx)
+{
+    SECOidTag encAlg, hashAlg;
+    SECOidTag sigAlg = SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm);
+    SECStatus rv     = sec_DecodeSigAlg(key, sigAlg, 
+		                &sigAlgorithm->parameters, &encAlg, &hashAlg);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx);
+}
diff --git a/security/nss/lib/dev/Makefile b/security/nss/lib/dev/Makefile
new file mode 100644
index 000000000..051a89a26
--- /dev/null
+++ b/security/nss/lib/dev/Makefile
@@ -0,0 +1,57 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# ckhelper.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/ckhelper.o: ckhelper.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
+
+export:: private_export
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
new file mode 100644
index 000000000..499b114c9
--- /dev/null
+++ b/security/nss/lib/dev/ckhelper.c
@@ -0,0 +1,620 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+extern const NSSError NSS_ERROR_DEVICE_ERROR;
+
+static const CK_BBOOL s_true = CK_TRUE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_true = { (CK_VOID_PTR)&s_true, sizeof(s_true) };
+
+static const CK_BBOOL s_false = CK_FALSE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_false = { (CK_VOID_PTR)&s_false, sizeof(s_false) };
+
+static const CK_OBJECT_CLASS s_class_cert = CKO_CERTIFICATE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_cert = { (CK_VOID_PTR)&s_class_cert, sizeof(s_class_cert) };
+
+static const CK_OBJECT_CLASS s_class_pubkey = CKO_PUBLIC_KEY;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_pubkey = { (CK_VOID_PTR)&s_class_pubkey, sizeof(s_class_pubkey) };
+
+static const CK_OBJECT_CLASS s_class_privkey = CKO_PRIVATE_KEY;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_privkey = { (CK_VOID_PTR)&s_class_privkey, sizeof(s_class_privkey) };
+
+static PRBool
+is_string_attribute (
+  CK_ATTRIBUTE_TYPE aType
+)
+{
+    PRBool isString;
+    switch (aType) {
+    case CKA_LABEL:
+    case CKA_NETSCAPE_EMAIL:
+	isString = PR_TRUE;
+	break;
+    default:
+	isString = PR_FALSE;
+	break;
+    }
+    return isString;
+}
+
+NSS_IMPLEMENT PRStatus 
+nssCKObject_GetAttributes (
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot
+)
+{
+    nssArenaMark *mark = NULL;
+    CK_SESSION_HANDLE hSession;
+    CK_ULONG i = 0;
+    CK_RV ckrv;
+    PRStatus nssrv;
+    PRBool alloced = PR_FALSE;
+    void *epv = nssSlot_GetCryptokiEPV(slot);
+    hSession = session->handle; 
+    if (arenaOpt) {
+	mark = nssArena_Mark(arenaOpt);
+	if (!mark) {
+	    goto loser;
+	}
+    }
+    nssSession_EnterMonitor(session);
+    /* XXX kinda hacky, if the storage size is already in the first template
+     * item, then skip the alloc portion
+     */
+    if (obj_template[0].ulValueLen == 0) {
+	/* Get the storage size needed for each attribute */
+	ckrv = CKAPI(epv)->C_GetAttributeValue(hSession,
+	                                       object, obj_template, count);
+	if (ckrv != CKR_OK && 
+	    ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
+	    ckrv != CKR_ATTRIBUTE_SENSITIVE) 
+	{
+	    nssSession_ExitMonitor(session);
+	    nss_SetError(NSS_ERROR_DEVICE_ERROR);
+	    goto loser;
+	}
+	/* Allocate memory for each attribute. */
+	for (i=0; i<count; i++) {
+	    CK_ULONG ulValueLen = obj_template[i].ulValueLen;
+	    if (ulValueLen == 0) continue;
+	    if (ulValueLen == (CK_ULONG) -1) {
+		obj_template[i].ulValueLen = 0;
+		continue;
+	    }
+	    if (is_string_attribute(obj_template[i].type)) {
+		ulValueLen++;
+	    }
+	    obj_template[i].pValue = nss_ZAlloc(arenaOpt, ulValueLen);
+	    if (!obj_template[i].pValue) {
+		nssSession_ExitMonitor(session);
+		goto loser;
+	    }
+	}
+	alloced = PR_TRUE;
+    }
+    /* Obtain the actual attribute values. */
+    ckrv = CKAPI(epv)->C_GetAttributeValue(hSession,
+                                           object, obj_template, count);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK && 
+        ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
+        ckrv != CKR_ATTRIBUTE_SENSITIVE) 
+    {
+	nss_SetError(NSS_ERROR_DEVICE_ERROR);
+	goto loser;
+    }
+    if (alloced && arenaOpt) {
+	nssrv = nssArena_Unmark(arenaOpt, mark);
+	if (nssrv != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+
+    if (count > 1 && ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) || 
+					(ckrv == CKR_ATTRIBUTE_SENSITIVE))) {
+	/* old tokens would keep the length of '0' and not deal with any
+	 * of the attributes we passed. For those tokens read them one at
+	 * a time */
+	for (i=0; i < count; i++) {
+	    if ((obj_template[i].ulValueLen == 0) 
+				|| (obj_template[i].ulValueLen == -1)) {
+		obj_template[i].ulValueLen=0;
+		(void) nssCKObject_GetAttributes(object,&obj_template[i], 1,
+			arenaOpt, session, slot);
+	    }
+	}
+    }
+    return PR_SUCCESS;
+loser:
+    if (alloced) {
+	if (arenaOpt) {
+	    /* release all arena memory allocated before the failure. */
+	    (void)nssArena_Release(arenaOpt, mark);
+	} else {
+	    CK_ULONG j;
+	    /* free each heap object that was allocated before the failure. */
+	    for (j=0; j<i; j++) {
+		nss_ZFreeIf(obj_template[j].pValue);
+	    }
+	}
+    }
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCKObject_GetAttributeItem (
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot,
+  NSSItem *rvItem
+)
+{
+    CK_ATTRIBUTE attr = { 0, NULL, 0 };
+    PRStatus nssrv;
+    attr.type = attribute;
+    nssrv = nssCKObject_GetAttributes(object, &attr, 1, 
+                                      arenaOpt, session, slot);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+    rvItem->data = (void *)attr.pValue;
+    rvItem->size = (PRUint32)attr.ulValueLen;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssCKObject_IsAttributeTrue (
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  nssSession *session,
+  NSSSlot *slot,
+  PRStatus *rvStatus
+)
+{
+    CK_BBOOL bool;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE atemplate = { 0, NULL, 0 };
+    CK_RV ckrv;
+    void *epv = nssSlot_GetCryptokiEPV(slot);
+    attr = &atemplate;
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, attribute, bool);
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_GetAttributeValue(session->handle, object, 
+                                           &atemplate, 1);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	*rvStatus = PR_FAILURE;
+	return PR_FALSE;
+    }
+    *rvStatus = PR_SUCCESS;
+    return (PRBool)(bool == CK_TRUE);
+}
+
+NSS_IMPLEMENT PRStatus 
+nssCKObject_SetAttributes (
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  nssSession *session,
+  NSSSlot  *slot
+)
+{
+    CK_RV ckrv;
+    void *epv = nssSlot_GetCryptokiEPV(slot);
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, object, 
+                                           obj_template, count);
+    nssSession_ExitMonitor(session);
+    if (ckrv == CKR_OK) {
+	return PR_SUCCESS;
+    } else {
+	return PR_FAILURE;
+    }
+}
+
+NSS_IMPLEMENT PRBool
+nssCKObject_IsTokenObjectTemplate (
+  CK_ATTRIBUTE_PTR objectTemplate, 
+  CK_ULONG otsize
+)
+{
+    CK_ULONG ul;
+    for (ul=0; ul<otsize; ul++) {
+	if (objectTemplate[ul].type == CKA_TOKEN) {
+	    return (*((CK_BBOOL*)objectTemplate[ul].pValue) == CK_TRUE);
+	}
+    }
+    return PR_FALSE;
+}
+
+static NSSCertificateType
+nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
+{
+    CK_CERTIFICATE_TYPE ckCertType;
+    if (!attrib->pValue) {
+	/* default to PKIX */
+	return NSSCertificateType_PKIX;
+    }
+    ckCertType = *((CK_ULONG *)attrib->pValue);
+    switch (ckCertType) {
+    case CKC_X_509:
+	return NSSCertificateType_PKIX;
+    default:
+	break;
+    }
+    return NSSCertificateType_Unknown;
+}
+
+/* incoming pointers must be valid */
+NSS_IMPLEMENT PRStatus
+nssCryptokiCertificate_GetAttributes (
+  nssCryptokiObject *certObject,
+  nssSession *sessionOpt,
+  NSSArena *arenaOpt,
+  NSSCertificateType *certTypeOpt,
+  NSSItem *idOpt,
+  NSSDER *encodingOpt,
+  NSSDER *issuerOpt,
+  NSSDER *serialOpt,
+  NSSDER *subjectOpt
+)
+{
+    PRStatus status;
+    PRUint32 i;
+    nssSession *session;
+    NSSSlot *slot;
+    CK_ULONG template_size;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[6];
+    /* Set up a template of all options chosen by caller */
+    NSS_CK_TEMPLATE_START(cert_template, attr, template_size);
+    if (certTypeOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CERTIFICATE_TYPE);
+    }
+    if (idOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ID);
+    }
+    if (encodingOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
+    }
+    if (issuerOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ISSUER);
+    }
+    if (serialOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SERIAL_NUMBER);
+    }
+    if (subjectOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
+    }
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, template_size);
+    if (template_size == 0) {
+	/* caller didn't want anything */
+	return PR_SUCCESS;
+    }
+
+    status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
+                                                certObject, CKO_CERTIFICATE,
+                                                cert_template, template_size);
+    if (status != PR_SUCCESS) {
+
+	session = sessionOpt ? 
+	          sessionOpt : 
+	          nssToken_GetDefaultSession(certObject->token);
+	if (!session) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
+
+	slot = nssToken_GetSlot(certObject->token);
+	status = nssCKObject_GetAttributes(certObject->handle, 
+	                                   cert_template, template_size,
+	                                   arenaOpt, session, slot);
+	nssSlot_Destroy(slot);
+	if (status != PR_SUCCESS) {
+	    return status;
+	}
+    }
+
+    i=0;
+    if (certTypeOpt) {
+	*certTypeOpt = nss_cert_type_from_ck_attrib(&cert_template[i]); i++;
+    }
+    if (idOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], idOpt); i++;
+    }
+    if (encodingOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], encodingOpt); i++;
+    }
+    if (issuerOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], issuerOpt); i++;
+    }
+    if (serialOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], serialOpt); i++;
+    }
+    if (subjectOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], subjectOpt); i++;
+    }
+    return PR_SUCCESS;
+}
+
+static nssTrustLevel 
+get_nss_trust (
+  CK_TRUST ckt
+)
+{
+    nssTrustLevel t;
+    switch (ckt) {
+    case CKT_NETSCAPE_UNTRUSTED: t = nssTrustLevel_NotTrusted; break;
+    case CKT_NETSCAPE_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; 
+	break;
+    case CKT_NETSCAPE_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
+    case CKT_NETSCAPE_TRUSTED: t = nssTrustLevel_Trusted; break;
+    case CKT_NETSCAPE_VALID: t = nssTrustLevel_Valid; break;
+    case CKT_NETSCAPE_MUST_VERIFY:
+    case CKT_NETSCAPE_TRUST_UNKNOWN:
+    default:
+	t = nssTrustLevel_Unknown; break;
+    }
+    return t;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptokiTrust_GetAttributes (
+  nssCryptokiObject *trustObject,
+  nssSession *sessionOpt,
+  NSSItem *sha1_hash,
+  nssTrustLevel *serverAuth,
+  nssTrustLevel *clientAuth,
+  nssTrustLevel *codeSigning,
+  nssTrustLevel *emailProtection,
+  PRBool *stepUpApproved
+)
+{
+    PRStatus status;
+    NSSSlot *slot;
+    nssSession *session;
+    CK_BBOOL isToken = PR_FALSE;
+    CK_BBOOL stepUp = PR_FALSE;
+    CK_TRUST saTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST caTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST epTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST csTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_template[7];
+    CK_ULONG trust_size;
+
+    /* Use the trust object to find the trust settings */
+    NSS_CK_TEMPLATE_START(trust_template, attr, trust_size);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN,                  isToken);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      saTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      caTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_STEP_UP_APPROVED, stepUp);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH,     sha1_hash);
+    NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
+
+    status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
+                                                trustObject, 
+                                                CKO_NETSCAPE_TRUST,
+                                                trust_template, trust_size);
+    if (status != PR_SUCCESS) {
+	session = sessionOpt ? 
+	          sessionOpt : 
+	          nssToken_GetDefaultSession(trustObject->token);
+	if (!session) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
+
+	slot = nssToken_GetSlot(trustObject->token);
+	status = nssCKObject_GetAttributes(trustObject->handle,
+	                                   trust_template, trust_size,
+	                                   NULL, session, slot);
+	nssSlot_Destroy(slot);
+	if (status != PR_SUCCESS) {
+	    return status;
+	}
+    }
+
+    *serverAuth = get_nss_trust(saTrust);
+    *clientAuth = get_nss_trust(caTrust);
+    *emailProtection = get_nss_trust(epTrust);
+    *codeSigning = get_nss_trust(csTrust);
+    *stepUpApproved = stepUp;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptokiCRL_GetAttributes (
+  nssCryptokiObject *crlObject,
+  nssSession *sessionOpt,
+  NSSArena *arenaOpt,
+  NSSItem *encodingOpt,
+  NSSItem *subjectOpt,
+  CK_ULONG* crl_class,
+  NSSUTF8 **urlOpt,
+  PRBool *isKRLOpt
+)
+{
+    PRStatus status;
+    NSSSlot *slot;
+    nssSession *session;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE crl_template[7];
+    CK_ULONG crl_size;
+    PRUint32 i;
+
+    NSS_CK_TEMPLATE_START(crl_template, attr, crl_size);
+    if (crl_class) {
+        NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CLASS);
+    }
+    if (encodingOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
+    }
+    if (urlOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_URL);
+    }
+    if (isKRLOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_KRL);
+    }
+    if (subjectOpt) {
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
+    }
+    NSS_CK_TEMPLATE_FINISH(crl_template, attr, crl_size);
+
+    status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
+                                                crlObject, 
+                                                CKO_NETSCAPE_CRL,
+                                                crl_template, crl_size);
+    if (status != PR_SUCCESS) {
+	session = sessionOpt ? 
+	          sessionOpt : 
+	          nssToken_GetDefaultSession(crlObject->token);
+	if (session == NULL) {
+	    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	    return PR_FAILURE;
+	}
+
+	slot = nssToken_GetSlot(crlObject->token);
+	status = nssCKObject_GetAttributes(crlObject->handle, 
+	                                   crl_template, crl_size,
+	                                   arenaOpt, session, slot);
+	nssSlot_Destroy(slot);
+	if (status != PR_SUCCESS) {
+	    return status;
+	}
+    }
+
+    i=0;
+    if (crl_class) {
+        NSS_CK_ATTRIBUTE_TO_ULONG(&crl_template[i], *crl_class); i++;
+    }
+    if (encodingOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], encodingOpt); i++;
+    }
+    if (urlOpt) {
+	NSS_CK_ATTRIBUTE_TO_UTF8(&crl_template[i], *urlOpt); i++;
+    }
+    if (isKRLOpt) {
+	NSS_CK_ATTRIBUTE_TO_BOOL(&crl_template[i], *isKRLOpt); i++;
+    }
+    if (subjectOpt) {
+	NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], subjectOpt); i++;
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptokiPrivateKey_SetCertificate (
+  nssCryptokiObject *keyObject,
+  nssSession *sessionOpt,
+  const NSSUTF8 *nickname,
+  NSSItem *id,
+  NSSDER *subject
+)
+{
+    CK_RV ckrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE key_template[3];
+    CK_ULONG key_size;
+    void *epv = nssToken_GetCryptokiEPV(keyObject->token);
+    nssSession *session;
+    NSSToken *token = keyObject->token;
+    nssSession *defaultSession = nssToken_GetDefaultSession(token);
+    PRBool createdSession = PR_FALSE;
+
+    NSS_CK_TEMPLATE_START(key_template, attr, key_size);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
+    NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
+
+    if (sessionOpt) {
+	if (!nssSession_IsReadWrite(sessionOpt)) {
+	    return PR_FAILURE;
+	} 
+	session = sessionOpt;
+    } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
+	session = defaultSession;
+    } else {
+	NSSSlot *slot = nssToken_GetSlot(token);
+	session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
+	nssSlot_Destroy(slot);
+	if (!session) {
+	    return PR_FAILURE;
+	}
+	createdSession = PR_TRUE;
+    }
+
+    ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle,
+                                           keyObject->handle,
+                                           key_template,
+                                           key_size);
+
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
diff --git a/security/nss/lib/dev/ckhelper.h b/security/nss/lib/dev/ckhelper.h
new file mode 100644
index 000000000..52f2cd9c9
--- /dev/null
+++ b/security/nss/lib/dev/ckhelper.h
@@ -0,0 +1,197 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * ckhelper.h
+ *
+ * This file contains some helper utilities for interaction with cryptoki.
+ */
+
+#ifndef CKHELPER_H
+#define CKHELPER_H
+
+#ifdef DEBUG
+static const char CKHELPER_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+PR_BEGIN_EXTERN_C
+
+/* Some globals to keep from constantly redeclaring common cryptoki
+ * attribute types on the stack.
+ */
+
+/* Boolean values */
+NSS_EXTERN_DATA const NSSItem g_ck_true;
+NSS_EXTERN_DATA const NSSItem g_ck_false;
+
+/* Object classes */
+NSS_EXTERN_DATA const NSSItem g_ck_class_cert;
+NSS_EXTERN_DATA const NSSItem g_ck_class_pubkey;
+NSS_EXTERN_DATA const NSSItem g_ck_class_privkey;
+
+#define NSS_CK_TEMPLATE_START(_template, attr, size)   \
+    attr = _template;                                  \
+    size = 0;
+
+#define NSS_CK_SET_ATTRIBUTE_ITEM(pattr, kind, item)  \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)(item)->data;      \
+    (pattr)->ulValueLen = (CK_ULONG)(item)->size;     \
+    (pattr)++;
+
+#define NSS_CK_SET_ATTRIBUTE_UTF8(pattr, kind, utf8)  \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)utf8;              \
+    (pattr)->ulValueLen = (CK_ULONG)nssUTF8_Size(utf8, NULL); \
+    if ((pattr)->ulValueLen) ((pattr)->ulValueLen)--; \
+    (pattr)++;
+
+#define NSS_CK_SET_ATTRIBUTE_VAR(pattr, kind, var)    \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)&var;              \
+    (pattr)->ulValueLen = (CK_ULONG)sizeof(var);      \
+    (pattr)++;
+
+#define NSS_CK_SET_ATTRIBUTE_NULL(pattr, kind)        \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)NULL;              \
+    (pattr)->ulValueLen = 0;                          \
+    (pattr)++;
+
+#define NSS_CK_TEMPLATE_FINISH(_template, attr, size) \
+    size = (attr) - (_template);                      \
+    PR_ASSERT(size <= sizeof(_template)/sizeof(_template[0]));
+
+/* NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)
+ *
+ * Convert a CK_ATTRIBUTE to an NSSItem.
+ */
+#define NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)         \
+    if ((CK_LONG)(attrib)->ulValueLen > 0) {           \
+	(item)->data = (void *)(attrib)->pValue;       \
+	(item)->size = (PRUint32)(attrib)->ulValueLen; \
+    } else {                                           \
+	(item)->data = 0;                              \
+	(item)->size = 0;                              \
+    }
+
+#define NSS_CK_ATTRIBUTE_TO_BOOL(attrib, boolvar)        \
+    if ((attrib)->ulValueLen > 0) {                      \
+	if (*((CK_BBOOL*)(attrib)->pValue) == CK_TRUE) { \
+	    boolvar = PR_TRUE;                           \
+	} else {                                         \
+	    boolvar = PR_FALSE;                          \
+	}                                                \
+    }
+
+#define NSS_CK_ATTRIBUTE_TO_ULONG(attrib, ulongvar)      \
+    if ((attrib)->ulValueLen > 0) {                      \
+	ulongvar = *((CK_ULONG*)(attrib)->pValue);       \
+    }
+
+/* NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)
+ *
+ * Convert a CK_ATTRIBUTE to a string.
+ */
+#define NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)      \
+    str = (NSSUTF8 *)((attrib)->pValue);
+
+/* NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)
+ *
+ * Convert an NSSItem to a  CK_ATTRIBUTE.
+ */
+#define NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)     \
+    (attrib)->pValue = (CK_VOID_PTR)(item)->data;  \
+    (attrib)->ulValueLen = (CK_ULONG)(item)->size; \
+
+/* Get an array of attributes from an object. */
+NSS_EXTERN PRStatus 
+nssCKObject_GetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot
+);
+
+/* Get a single attribute as an item. */
+NSS_EXTERN PRStatus
+nssCKObject_GetAttributeItem
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot,
+  NSSItem *rvItem
+);
+
+NSS_EXTERN PRBool
+nssCKObject_IsAttributeTrue
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  nssSession *session,
+  NSSSlot *slot,
+  PRStatus *rvStatus
+);
+
+NSS_EXTERN PRStatus 
+nssCKObject_SetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  nssSession *session,
+  NSSSlot  *slot
+);
+
+NSS_EXTERN PRBool
+nssCKObject_IsTokenObjectTemplate
+(
+  CK_ATTRIBUTE_PTR objectTemplate, 
+  CK_ULONG otsize
+);
+
+PR_END_EXTERN_C
+
+#endif /* CKHELPER_H */
diff --git a/security/nss/lib/dev/config.mk b/security/nss/lib/dev/config.mk
new file mode 100644
index 000000000..f4e5b965b
--- /dev/null
+++ b/security/nss/lib/dev/config.mk
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
new file mode 100644
index 000000000..c2010c0ff
--- /dev/null
+++ b/security/nss/lib/dev/dev.h
@@ -0,0 +1,978 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef DEV_H
+#define DEV_H
+
+/*
+ * dev.h
+ *
+ * Low-level methods for interaction with cryptoki devices
+ */
+
+#ifdef DEBUG
+static const char DEV_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSDEV_H
+#include "nssdev.h"
+#endif /* NSSDEV_H */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+PR_BEGIN_EXTERN_C
+
+/* the global module list
+ *
+ * These functions are for managing the global set of modules.  Trust Domains,
+ * etc., will draw from this set.  These functions are completely internal
+ * and only invoked when there are changes to the global module state
+ * (load or unload).
+ *
+ * nss_InitializeGlobalModuleList
+ * nss_DestroyGlobalModuleList
+ * nss_GetLoadedModules
+ *
+ * nssGlobalModuleList_Add
+ * nssGlobalModuleList_Remove
+ * nssGlobalModuleList_FindModuleByName
+ * nssGlobalModuleList_FindSlotByName
+ * nssGlobalModuleList_FindTokenByName
+ */
+
+NSS_EXTERN PRStatus
+nss_InitializeGlobalModuleList
+(
+  void
+);
+
+NSS_EXTERN PRStatus
+nss_DestroyGlobalModuleList
+(
+  void
+);
+
+NSS_EXTERN NSSModule **
+nss_GetLoadedModules
+(
+  void
+);
+
+NSS_EXTERN PRStatus
+nssGlobalModuleList_Add
+(
+  NSSModule *module
+);
+
+NSS_EXTERN PRStatus
+nssGlobalModuleList_Remove
+(
+  NSSModule *module
+);
+
+NSS_EXTERN NSSModule *
+nssGlobalModuleList_FindModuleByName
+(
+  NSSUTF8 *moduleName
+);
+
+NSS_EXTERN NSSSlot *
+nssGlobalModuleList_FindSlotByName
+(
+  NSSUTF8 *slotName
+);
+
+NSS_EXTERN NSSToken *
+nssGlobalModuleList_FindTokenByName
+(
+  NSSUTF8 *tokenName
+);
+
+NSS_EXTERN NSSToken *
+nss_GetDefaultCryptoToken
+(
+  void
+);
+
+NSS_EXTERN NSSToken *
+nss_GetDefaultDatabaseToken
+(
+  void
+);
+
+/*
+ *  |-----------|<---> NSSSlot <--> NSSToken
+ *  | NSSModule |<---> NSSSlot <--> NSSToken
+ *  |-----------|<---> NSSSlot <--> NSSToken
+ */
+
+/* NSSModule
+ *
+ * nssModule_Create
+ * nssModule_CreateFromSpec
+ * nssModule_AddRef
+ * nssModule_GetName
+ * nssModule_GetSlots
+ * nssModule_FindSlotByName
+ * nssModule_FindTokenByName
+ * nssModule_GetCertOrder
+ */
+
+NSS_EXTERN NSSModule *
+nssModule_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void    *reserved
+);
+
+/* This is to use the new loading mechanism. */
+NSS_EXTERN NSSModule *
+nssModule_CreateFromSpec
+(
+  NSSUTF8 *moduleSpec,
+  NSSModule *parent,
+  PRBool loadSubModules
+);
+
+NSS_EXTERN PRStatus
+nssModule_Destroy
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSModule *
+nssModule_AddRef
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSUTF8 *
+nssModule_GetName
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSSlot **
+nssModule_GetSlots
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSSlot *
+nssModule_FindSlotByName
+(
+  NSSModule *mod,
+  NSSUTF8 *slotName
+);
+
+NSS_EXTERN NSSToken *
+nssModule_FindTokenByName
+(
+  NSSModule *mod,
+  NSSUTF8 *tokenName
+);
+
+NSS_EXTERN PRInt32
+nssModule_GetCertOrder
+(
+  NSSModule *module
+);
+
+/* NSSSlot
+ *
+ * nssSlot_Destroy
+ * nssSlot_AddRef
+ * nssSlot_GetName
+ * nssSlot_GetTokenName
+ * nssSlot_IsTokenPresent
+ * nssSlot_IsPermanent
+ * nssSlot_IsFriendly
+ * nssSlot_IsHardware
+ * nssSlot_Refresh
+ * nssSlot_GetModule
+ * nssSlot_GetToken
+ * nssSlot_Login
+ * nssSlot_Logout
+ * nssSlot_SetPassword
+ * nssSlot_CreateSession
+ */
+
+NSS_EXTERN PRStatus
+nssSlot_Destroy
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSSlot *
+nssSlot_AddRef
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN void
+nssSlot_ResetDelay
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSUTF8 *
+nssSlot_GetName
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSUTF8 *
+nssSlot_GetTokenName
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSModule *
+nssSlot_GetModule
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSToken *
+nssSlot_GetToken
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsTokenPresent
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsPermanent
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsFriendly
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsHardware
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsLoggedIn
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRStatus
+nssSlot_Refresh
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRStatus
+nssSlot_Login
+(
+  NSSSlot *slot,
+  NSSCallback *pwcb
+);
+extern const NSSError NSS_ERROR_INVALID_PASSWORD;
+extern const NSSError NSS_ERROR_USER_CANCELED;
+
+NSS_EXTERN PRStatus
+nssSlot_Logout
+(
+  NSSSlot *slot,
+  nssSession *sessionOpt
+);
+
+NSS_EXTERN void
+nssSlot_EnterMonitor
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN void
+nssSlot_ExitMonitor
+(
+  NSSSlot *slot
+);
+
+#define NSSSLOT_ASK_PASSWORD_FIRST_TIME -1
+#define NSSSLOT_ASK_PASSWORD_EVERY_TIME  0
+NSS_EXTERN void
+nssSlot_SetPasswordDefaults
+(
+  NSSSlot *slot,
+  PRInt32 askPasswordTimeout
+);
+
+NSS_EXTERN PRStatus
+nssSlot_SetPassword
+(
+  NSSSlot *slot,
+  NSSUTF8 *oldPasswordOpt,
+  NSSUTF8 *newPassword
+);
+extern const NSSError NSS_ERROR_INVALID_PASSWORD;
+extern const NSSError NSS_ERROR_USER_CANCELED;
+
+/*
+ * nssSlot_IsLoggedIn
+ */
+
+NSS_EXTERN nssSession *
+nssSlot_CreateSession
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt,
+  PRBool readWrite /* so far, this is the only flag used */
+);
+
+/* NSSToken
+ *
+ * nssToken_Destroy
+ * nssToken_AddRef
+ * nssToken_GetName
+ * nssToken_GetModule
+ * nssToken_GetSlot
+ * nssToken_NeedsPINInitialization
+ * nssToken_ImportCertificate
+ * nssToken_ImportTrust
+ * nssToken_ImportCRL
+ * nssToken_GenerateKeyPair
+ * nssToken_GenerateSymmetricKey
+ * nssToken_DeleteStoredObject
+ * nssToken_FindObjects
+ * nssToken_FindCertificatesBySubject
+ * nssToken_FindCertificatesByNickname
+ * nssToken_FindCertificatesByEmail
+ * nssToken_FindCertificateByIssuerAndSerialNumber
+ * nssToken_FindCertificateByEncodedCertificate
+ * nssToken_FindTrustForCertificate
+ * nssToken_FindCRLsBySubject
+ * nssToken_FindPrivateKeys
+ * nssToken_FindPrivateKeyByID
+ * nssToken_Digest
+ * nssToken_BeginDigest
+ * nssToken_ContinueDigest
+ * nssToken_FinishDigest
+ */
+
+NSS_EXTERN PRStatus
+nssToken_Destroy
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN NSSToken *
+nssToken_AddRef
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN NSSUTF8 *
+nssToken_GetName
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN NSSModule *
+nssToken_GetModule
+(
+  NSSToken *token
+);
+
+NSS_EXTERN NSSSlot *
+nssToken_GetSlot
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRBool
+nssToken_NeedsPINInitialization
+(
+  NSSToken *token
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_ImportCertificate
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSCertificateType certType,
+  NSSItem *id,
+  const NSSUTF8 *nickname,
+  NSSDER *encoding,
+  NSSDER *issuer,
+  NSSDER *subject,
+  NSSDER *serial,
+  NSSASCII7 *emailAddr,
+  PRBool asTokenObject
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_ImportTrust
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSDER *certEncoding,
+  NSSDER *certIssuer,
+  NSSDER *certSerial,
+  nssTrustLevel serverAuth,
+  nssTrustLevel clientAuth,
+  nssTrustLevel codeSigning,
+  nssTrustLevel emailProtection,
+  PRBool stepUpApproved,
+  PRBool asTokenObject
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_ImportCRL
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  NSSDER *encoding,
+  PRBool isKRL,
+  NSSUTF8 *url,
+  PRBool asTokenObject
+);
+
+/* Permanently remove an object from the token. */
+NSS_EXTERN PRStatus
+nssToken_DeleteStoredObject
+(
+  nssCryptokiObject *instance
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindObjects
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  CK_OBJECT_CLASS objclass,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindCertificatesBySubject
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindCertificatesByNickname
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  const NSSUTF8 *name,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindCertificatesByEmail
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSASCII7 *email,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindCertificatesByID
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *id,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_FindCertificateByIssuerAndSerialNumber
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *issuer,
+  NSSDER *serial,
+  nssTokenSearchType searchType,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_FindCertificateByEncodedCertificate
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSBER *encodedCertificate,
+  nssTokenSearchType searchType,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_FindTrustForCertificate
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *certEncoding,
+  NSSDER *certIssuer,
+  NSSDER *certSerial,
+  nssTokenSearchType searchType
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindCRLsBySubject
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindPrivateKeys
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_FindPrivateKeyByID
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *keyID
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssToken_FindPublicKeyByID
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *keyID
+);
+
+NSS_EXTERN NSSItem *
+nssToken_Digest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN PRStatus
+nssToken_BeginDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap
+);
+
+NSS_EXTERN PRStatus
+nssToken_ContinueDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *item
+);
+
+NSS_EXTERN NSSItem *
+nssToken_FinishDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/* nssSession
+ *
+ * nssSession_Destroy
+ * nssSession_EnterMonitor
+ * nssSession_ExitMonitor
+ * nssSession_IsReadWrite
+ */
+
+NSS_EXTERN PRStatus
+nssSession_Destroy
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRStatus
+nssSession_EnterMonitor
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRStatus
+nssSession_ExitMonitor
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRBool
+nssSession_IsReadWrite
+(
+  nssSession *s
+);
+
+/* nssCryptokiObject
+ *
+ * An object living on a cryptoki token.
+ * Not really proper to mix up the object types just because 
+ * nssCryptokiObject itself is generic, but doing so anyway.
+ *
+ * nssCryptokiObject_Destroy
+ * nssCryptokiObject_Equal
+ * nssCryptokiObject_Clone
+ * nssCryptokiCertificate_GetAttributes
+ * nssCryptokiPrivateKey_GetAttributes
+ * nssCryptokiPublicKey_GetAttributes
+ * nssCryptokiTrust_GetAttributes
+ * nssCryptokiCRL_GetAttributes
+ */
+
+NSS_EXTERN void
+nssCryptokiObject_Destroy
+(
+  nssCryptokiObject *object
+);
+
+NSS_EXTERN PRBool
+nssCryptokiObject_Equal
+(
+  nssCryptokiObject *object1,
+  nssCryptokiObject *object2
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssCryptokiObject_Clone
+(
+  nssCryptokiObject *object
+);
+
+NSS_EXTERN PRStatus
+nssCryptokiCertificate_GetAttributes
+(
+  nssCryptokiObject *object,
+  nssSession *sessionOpt,
+  NSSArena *arenaOpt,
+  NSSCertificateType *certTypeOpt,
+  NSSItem *idOpt,
+  NSSDER *encodingOpt,
+  NSSDER *issuerOpt,
+  NSSDER *serialOpt,
+  NSSDER *subjectOpt
+);
+
+NSS_EXTERN PRStatus
+nssCryptokiTrust_GetAttributes
+(
+  nssCryptokiObject *trustObject,
+  nssSession *sessionOpt,
+  NSSItem *sha1_hash,
+  nssTrustLevel *serverAuth,
+  nssTrustLevel *clientAuth,
+  nssTrustLevel *codeSigning,
+  nssTrustLevel *emailProtection,
+  PRBool *stepUpApproved
+);
+
+NSS_EXTERN PRStatus
+nssCryptokiCRL_GetAttributes
+(
+  nssCryptokiObject *crlObject,
+  nssSession *sessionOpt,
+  NSSArena *arenaOpt,
+  NSSItem *encodingOpt,
+  NSSItem * subjectOpt,
+  CK_ULONG * crl_class,
+  NSSUTF8 **urlOpt,
+  PRBool *isKRLOpt
+);
+
+/* I'm including this to handle import of certificates in NSS 3.5.  This
+ * function will set the cert-related attributes of a key, in order to
+ * associate it with a cert.  Does it stay like this for 4.0?
+ */
+NSS_EXTERN PRStatus
+nssCryptokiPrivateKey_SetCertificate
+(
+  nssCryptokiObject *keyObject,
+  nssSession *sessionOpt,
+  const NSSUTF8 *nickname,
+  NSSItem *id,
+  NSSDER *subject
+);
+
+NSS_EXTERN void
+nssModuleArray_Destroy
+(
+  NSSModule **modules
+);
+
+/* nssSlotArray
+ *
+ * nssSlotArray_Destroy
+ */
+
+NSS_EXTERN void
+nssSlotArray_Destroy
+(
+  NSSSlot **slots
+);
+
+/* nssTokenArray
+ *
+ * nssTokenArray_Destroy
+ */
+
+NSS_EXTERN void
+nssTokenArray_Destroy
+(
+  NSSToken **tokens
+);
+
+/* nssCryptokiObjectArray
+ *
+ * nssCryptokiObjectArray_Destroy
+ */
+NSS_EXTERN void
+nssCryptokiObjectArray_Destroy
+(
+  nssCryptokiObject **object
+);
+
+/* nssSlotList
+*
+ * An ordered list of slots.  The order can be anything, it is set in the
+ * Add methods.  Perhaps it should be CreateInCertOrder, ...?
+ *
+ * nssSlotList_Create
+ * nssSlotList_Destroy
+ * nssSlotList_Add
+ * nssSlotList_AddModuleSlots
+ * nssSlotList_GetSlots
+ * nssSlotList_FindSlotByName
+ * nssSlotList_FindTokenByName
+ * nssSlotList_GetBestSlot
+ * nssSlotList_GetBestSlotForAlgorithmAndParameters
+ * nssSlotList_GetBestSlotForAlgorithmsAndParameters
+ */
+
+/* nssSlotList_Create
+ */
+NSS_EXTERN nssSlotList *
+nssSlotList_Create
+(
+  NSSArena *arenaOpt
+);
+
+/* nssSlotList_Destroy
+ */
+NSS_EXTERN void
+nssSlotList_Destroy
+(
+  nssSlotList *slotList
+);
+
+/* nssSlotList_Add
+ *
+ * Add the given slot in the given order.
+ */
+NSS_EXTERN PRStatus
+nssSlotList_Add
+(
+  nssSlotList *slotList,
+  NSSSlot *slot,
+  PRUint32 order
+);
+
+/* nssSlotList_AddModuleSlots
+ *
+ * Add all slots in the module, in the given order (the slots will have
+ * equal weight).
+ */
+NSS_EXTERN PRStatus
+nssSlotList_AddModuleSlots
+(
+  nssSlotList *slotList,
+  NSSModule *module,
+  PRUint32 order
+);
+
+/* nssSlotList_GetSlots
+ */
+NSS_EXTERN NSSSlot **
+nssSlotList_GetSlots
+(
+  nssSlotList *slotList
+);
+
+/* nssSlotList_FindSlotByName
+ */
+NSS_EXTERN NSSSlot *
+nssSlotList_FindSlotByName
+(
+  nssSlotList *slotList,
+  NSSUTF8 *slotName
+);
+
+/* nssSlotList_FindTokenByName
+ */
+NSS_EXTERN NSSToken *
+nssSlotList_FindTokenByName
+(
+  nssSlotList *slotList,
+  NSSUTF8 *tokenName
+);
+
+/* nssSlotList_GetBestSlot
+ *
+ * The best slot is the highest ranking in order, i.e., the first in the
+ * list.
+ */
+NSS_EXTERN NSSSlot *
+nssSlotList_GetBestSlot
+(
+  nssSlotList *slotList
+);
+
+/* nssSlotList_GetBestSlotForAlgorithmAndParameters
+ *
+ * Highest-ranking slot than can handle algorithm/parameters.
+ */
+NSS_EXTERN NSSSlot *
+nssSlotList_GetBestSlotForAlgorithmAndParameters
+(
+  nssSlotList *slotList,
+  NSSAlgorithmAndParameters *ap
+);
+
+/* nssSlotList_GetBestSlotForAlgorithmsAndParameters
+ *
+ * Highest-ranking slot than can handle all algorithms/parameters.
+ */
+NSS_EXTERN NSSSlot *
+nssSlotList_GetBestSlotForAlgorithmsAndParameters
+(
+  nssSlotList *slotList,
+  NSSAlgorithmAndParameters **ap
+);
+
+NSS_EXTERN PRBool
+nssToken_IsPresent
+(
+  NSSToken *token
+);
+
+NSS_EXTERN nssSession *
+nssToken_GetDefaultSession
+(
+  NSSToken *token
+);
+
+NSS_EXTERN PRStatus
+nssToken_GetTrustOrder
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_NotifyCertsNotVisible
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_TraverseCertificates
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenSearchType searchType,
+  PRStatus (* callback)(nssCryptokiObject *instance, void *arg),
+  void *arg
+);
+
+NSS_EXTERN PRBool
+nssToken_IsPrivateKeyAvailable
+(
+  NSSToken *token,
+  NSSCertificate *c,
+  nssCryptokiObject *instance
+);
+
+PR_END_EXTERN_C
+
+#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devm.h b/security/nss/lib/dev/devm.h
new file mode 100644
index 000000000..faf61b35d
--- /dev/null
+++ b/security/nss/lib/dev/devm.h
@@ -0,0 +1,245 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef DEVM_H
+#define DEVM_H
+
+#ifdef DEBUG
+static const char DEVM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVTM_H
+#include "devtm.h"
+#endif /* DEVTM_H */
+
+PR_BEGIN_EXTERN_C
+
+/* Shortcut to cryptoki API functions. */
+#define CKAPI(epv) \
+    ((CK_FUNCTION_LIST_PTR)(epv))
+
+NSS_EXTERN void
+nssDevice_AddRef
+(
+ struct nssDeviceBaseStr *device
+);
+
+NSS_EXTERN PRBool
+nssDevice_Destroy
+(
+ struct nssDeviceBaseStr *device
+);
+
+NSS_EXTERN PRBool
+nssModule_IsThreadSafe
+(
+  NSSModule *module
+);
+
+NSS_EXTERN PRBool
+nssModule_IsInternal
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN PRBool
+nssModule_IsModuleDBOnly
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN void *
+nssModule_GetCryptokiEPV
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSSlot *
+nssSlot_Create
+(
+  CK_SLOT_ID slotId,
+  NSSModule *parent
+);
+
+NSS_EXTERN void *
+nssSlot_GetCryptokiEPV
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSToken *
+nssToken_Create
+(
+  CK_SLOT_ID slotID,
+  NSSSlot *peer
+);
+
+NSS_EXTERN void *
+nssToken_GetCryptokiEPV
+(
+  NSSToken *token
+);
+
+NSS_EXTERN nssSession *
+nssToken_GetDefaultSession
+(
+  NSSToken *token
+);
+
+NSS_EXTERN PRBool
+nssToken_IsLoginRequired
+(
+  NSSToken *token
+);
+
+NSS_EXTERN void
+nssToken_Remove
+(
+  NSSToken *token
+);
+
+NSS_EXTERN nssCryptokiObject *
+nssCryptokiObject_Create
+(
+  NSSToken *t, 
+  nssSession *session,
+  CK_OBJECT_HANDLE h
+);
+
+NSS_EXTERN nssTokenObjectCache *
+nssTokenObjectCache_Create
+(
+  NSSToken *token,
+  PRBool cacheCerts,
+  PRBool cacheTrust,
+  PRBool cacheCRLs
+);
+
+NSS_EXTERN void
+nssTokenObjectCache_Destroy
+(
+  nssTokenObjectCache *cache
+);
+
+NSS_EXTERN void
+nssTokenObjectCache_Clear
+(
+  nssTokenObjectCache *cache
+);
+
+NSS_EXTERN PRBool
+nssTokenObjectCache_HaveObjectClass
+(
+  nssTokenObjectCache *cache,
+  CK_OBJECT_CLASS objclass
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssTokenObjectCache_FindObjectsByTemplate
+(
+  nssTokenObjectCache *cache,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR otemplate,
+  CK_ULONG otlen,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN PRStatus
+nssTokenObjectCache_GetObjectAttributes
+(
+  nssTokenObjectCache *cache,
+  NSSArena *arenaOpt,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR atemplate,
+  CK_ULONG atlen
+);
+
+NSS_EXTERN PRStatus
+nssTokenObjectCache_ImportObject
+(
+  nssTokenObjectCache *cache,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR ot,
+  CK_ULONG otlen
+);
+
+NSS_EXTERN void
+nssTokenObjectCache_RemoveObject
+(
+  nssTokenObjectCache *cache,
+  nssCryptokiObject *object
+);
+
+/* XXX allows peek back into token */
+NSS_EXTERN PRStatus
+nssToken_GetCachedObjectAttributes
+(
+  NSSToken *token,
+  NSSArena *arenaOpt,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR atemplate,
+  CK_ULONG atlen
+);
+
+/* PKCS#11 stores strings in a fixed-length buffer padded with spaces.  This
+ * function gets the length of the actual string.
+ */
+NSS_EXTERN PRUint32
+nssPKCS11String_Length
+(
+  CK_CHAR *pkcs11str, 
+  PRUint32 bufLen
+);
+
+PR_END_EXTERN_C
+
+#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
new file mode 100644
index 000000000..4ba45bfc2
--- /dev/null
+++ b/security/nss/lib/dev/devslot.c
@@ -0,0 +1,296 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#include "pk11pub.h"
+
+/* measured in seconds */
+#define NSSSLOT_TOKEN_DELAY_TIME 1
+
+/* this should track global and per-transaction login information */
+
+#define NSSSLOT_IS_FRIENDLY(slot) \
+  (slot->base.flags & NSSSLOT_FLAGS_FRIENDLY)
+
+/* measured as interval */
+static PRIntervalTime s_token_delay_time = 0;
+
+/* The flags needed to open a read-only session. */
+static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Destroy (
+  NSSSlot *slot
+)
+{
+    if (slot) {
+	if (PR_AtomicDecrement(&slot->base.refCount) == 0) {
+	    PZ_DestroyLock(slot->base.lock);
+	    return nssArena_Destroy(slot->base.arena);
+	}
+    }
+    return PR_SUCCESS;
+}
+
+void
+nssSlot_EnterMonitor(NSSSlot *slot)
+{
+    if (slot->lock) {
+	PZ_Lock(slot->lock);
+    }
+}
+
+void
+nssSlot_ExitMonitor(NSSSlot *slot)
+{
+    if (slot->lock) {
+	PZ_Unlock(slot->lock);
+    }
+}
+
+NSS_IMPLEMENT void
+NSSSlot_Destroy (
+  NSSSlot *slot
+)
+{
+    (void)nssSlot_Destroy(slot);
+}
+
+NSS_IMPLEMENT NSSSlot *
+nssSlot_AddRef (
+  NSSSlot *slot
+)
+{
+    PR_AtomicIncrement(&slot->base.refCount);
+    return slot;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssSlot_GetName (
+  NSSSlot *slot
+)
+{
+    return slot->base.name;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssSlot_GetTokenName (
+  NSSSlot *slot
+)
+{
+    return nssToken_GetName(slot->token);
+}
+
+NSS_IMPLEMENT void
+nssSlot_ResetDelay (
+  NSSSlot *slot
+)
+{
+    slot->lastTokenPing = 0;
+}
+
+static PRBool
+within_token_delay_period(NSSSlot *slot)
+{
+    PRIntervalTime time, lastTime;
+    /* Set the delay time for checking the token presence */
+    if (s_token_delay_time == 0) {
+	s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
+    }
+    time = PR_IntervalNow();
+    lastTime = slot->lastTokenPing;
+    if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
+	return PR_TRUE;
+    }
+    slot->lastTokenPing = time;
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT PRBool
+nssSlot_IsTokenPresent (
+  NSSSlot *slot
+)
+{
+    CK_RV ckrv;
+    PRStatus nssrv;
+    /* XXX */
+    nssSession *session;
+    CK_SLOT_INFO slotInfo;
+    void *epv;
+    /* permanent slots are always present unless they're disabled */
+    if (nssSlot_IsPermanent(slot)) {
+	return !PK11_IsDisabled(slot->pk11slot);
+    }
+    /* avoid repeated calls to check token status within set interval */
+    if (within_token_delay_period(slot)) {
+	return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
+    }
+
+    /* First obtain the slot info */
+    epv = slot->epv;
+    if (!epv) {
+	return PR_FALSE;
+    }
+    nssSlot_EnterMonitor(slot);
+    ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
+    nssSlot_ExitMonitor(slot);
+    if (ckrv != CKR_OK) {
+	slot->token->base.name[0] = 0; /* XXX */
+	return PR_FALSE;
+    }
+    slot->ckFlags = slotInfo.flags;
+    /* check for the presence of the token */
+    if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+	if (!slot->token) {
+	    /* token was never present */
+	    return PR_FALSE;
+	}
+	session = nssToken_GetDefaultSession(slot->token);
+	if (session) {
+	    nssSession_EnterMonitor(session);
+	    /* token is not present */
+	    if (session->handle != CK_INVALID_SESSION) {
+		/* session is valid, close and invalidate it */
+		CKAPI(epv)->C_CloseSession(session->handle);
+		session->handle = CK_INVALID_SESSION;
+	    }
+	    nssSession_ExitMonitor(session);
+	}
+	if (slot->token->base.name[0] != 0) {
+	    /* notify the high-level cache that the token is removed */
+	    slot->token->base.name[0] = 0; /* XXX */
+	    nssToken_NotifyCertsNotVisible(slot->token);
+	}
+	slot->token->base.name[0] = 0; /* XXX */
+	/* clear the token cache */
+	nssToken_Remove(slot->token);
+	return PR_FALSE;
+    }
+    /* token is present, use the session info to determine if the card
+     * has been removed and reinserted.
+     */
+    session = nssToken_GetDefaultSession(slot->token);
+    if (session) {
+	nssSession_EnterMonitor(session);
+	if (session->handle != CK_INVALID_SESSION) {
+	    CK_SESSION_INFO sessionInfo;
+	    ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
+	    if (ckrv != CKR_OK) {
+		/* session is screwy, close and invalidate it */
+		CKAPI(epv)->C_CloseSession(session->handle);
+		session->handle = CK_INVALID_SESSION;
+	    }
+	}
+	nssSession_ExitMonitor(session);
+	/* token not removed, finished */
+	if (session->handle != CK_INVALID_SESSION)
+	    return PR_TRUE;
+    } 
+    /* the token has been removed, and reinserted, or the slot contains
+     * a token it doesn't recognize. invalidate all the old
+     * information we had on this token, if we can't refresh, clear
+     * the present flag */
+    nssToken_NotifyCertsNotVisible(slot->token);
+    nssToken_Remove(slot->token);
+    /* token has been removed, need to refresh with new session */
+    nssrv = nssSlot_Refresh(slot);
+    if (nssrv != PR_SUCCESS) {
+        slot->token->base.name[0] = 0; /* XXX */
+        slot->ckFlags &= ~CKF_TOKEN_PRESENT;
+        return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+NSS_IMPLEMENT void *
+nssSlot_GetCryptokiEPV (
+  NSSSlot *slot
+)
+{
+    return slot->epv;
+}
+
+NSS_IMPLEMENT NSSToken *
+nssSlot_GetToken (
+  NSSSlot *slot
+)
+{
+    if (nssSlot_IsTokenPresent(slot)) {
+	return nssToken_AddRef(slot->token);
+    }
+    return (NSSToken *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_EnterMonitor (
+  nssSession *s
+)
+{
+    if (s->lock) PZ_Lock(s->lock);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_ExitMonitor (
+  nssSession *s
+)
+{
+    return (s->lock) ? PZ_Unlock(s->lock) : PR_SUCCESS;
+}
+
+NSS_EXTERN PRBool
+nssSession_IsReadWrite (
+  nssSession *s
+)
+{
+    return s->isRW;
+}
+
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
new file mode 100644
index 000000000..ac9f87c92
--- /dev/null
+++ b/security/nss/lib/dev/devt.h
@@ -0,0 +1,196 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef DEVT_H
+#define DEVT_H
+
+#ifdef DEBUG
+static const char DEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * devt.h
+ *
+ * This file contains definitions for the low-level cryptoki devices.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#include "secmodt.h"
+
+PR_BEGIN_EXTERN_C
+
+typedef struct nssSessionStr nssSession;
+
+/* XXX until NSSTokenStr is moved */
+struct nssDeviceBaseStr
+{
+  NSSArena *arena;
+  PZLock *lock;
+  PRInt32 refCount;
+  NSSUTF8 *name;
+  PRUint32 flags;
+};
+
+typedef struct nssTokenObjectCacheStr nssTokenObjectCache;
+
+/* XXX until devobject.c goes away */
+struct NSSTokenStr
+{
+    struct nssDeviceBaseStr base;
+    NSSSlot *slot;  /* Parent (or peer, if you will) */
+    CK_FLAGS ckFlags; /* from CK_TOKEN_INFO.flags */
+    PRUint32 flags;
+    void *epv;
+    nssSession *defaultSession;
+    NSSTrustDomain *trustDomain;
+    PRIntervalTime lastTime;
+    nssTokenObjectCache *cache;
+    PK11SlotInfo *pk11slot;
+};
+
+typedef enum {
+  nssSlotAskPasswordTimes_FirstTime = 0,
+  nssSlotAskPasswordTimes_EveryTime = 1,
+  nssSlotAskPasswordTimes_Timeout = 2
+} 
+nssSlotAskPasswordTimes;
+
+struct nssSlotAuthInfoStr
+{
+  PRTime lastLogin;
+  nssSlotAskPasswordTimes askTimes;
+  PRIntervalTime askPasswordTimeout;
+};
+
+struct NSSSlotStr
+{
+  struct nssDeviceBaseStr base;
+  NSSModule *module; /* Parent */
+  NSSToken *token;  /* Peer */
+  CK_SLOT_ID slotID;
+  CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
+  struct nssSlotAuthInfoStr authInfo;
+  PRIntervalTime lastTokenPing;
+  PZLock *lock;
+  void *epv;
+  PK11SlotInfo *pk11slot;
+};
+
+struct nssSessionStr
+{
+  PZLock *lock;
+  CK_SESSION_HANDLE handle;
+  NSSSlot *slot;
+  PRBool isRW;
+  PRBool ownLock;
+};
+
+typedef enum {
+    NSSCertificateType_Unknown = 0,
+    NSSCertificateType_PKIX = 1
+} NSSCertificateType;
+
+typedef enum {
+    nssTrustLevel_Unknown = 0,
+    nssTrustLevel_NotTrusted = 1,
+    nssTrustLevel_Trusted = 2,
+    nssTrustLevel_TrustedDelegator = 3,
+    nssTrustLevel_Valid = 4,
+    nssTrustLevel_ValidDelegator = 5
+} nssTrustLevel;
+
+typedef struct nssCryptokiInstanceStr nssCryptokiInstance;
+
+struct nssCryptokiInstanceStr
+{
+    CK_OBJECT_HANDLE handle;
+    NSSToken *token;
+    PRBool isTokenObject;
+    NSSUTF8 *label;
+};
+
+typedef struct nssCryptokiInstanceStr nssCryptokiObject;
+
+typedef struct nssTokenCertSearchStr nssTokenCertSearch;
+
+typedef enum {
+    nssTokenSearchType_AllObjects = 0,
+    nssTokenSearchType_SessionOnly = 1,
+    nssTokenSearchType_TokenOnly = 2,
+    nssTokenSearchType_TokenForced = 3
+} nssTokenSearchType;
+
+struct nssTokenCertSearchStr
+{
+    nssTokenSearchType searchType;
+    PRStatus (* callback)(NSSCertificate *c, void *arg);
+    void *cbarg;
+    nssList *cached;
+    /* TODO: add a cache query callback if the list would be large 
+     *       (traversal) 
+     */
+};
+
+struct nssSlotListStr;
+typedef struct nssSlotListStr nssSlotList;
+
+struct NSSAlgorithmAndParametersStr
+{
+    CK_MECHANISM mechanism;
+};
+
+PR_END_EXTERN_C
+
+#endif /* DEVT_H */
diff --git a/security/nss/lib/dev/devtm.h b/security/nss/lib/dev/devtm.h
new file mode 100644
index 000000000..330ed3311
--- /dev/null
+++ b/security/nss/lib/dev/devtm.h
@@ -0,0 +1,61 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef DEVTM_H
+#define DEVTM_H
+
+#ifdef DEBUG
+static const char DEVTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * devtm.h
+ *
+ * This file contains module-private definitions for the low-level 
+ * cryptoki devices.
+ */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+PR_BEGIN_EXTERN_C
+
+#define MAX_LOCAL_CACHE_OBJECTS 10
+
+PR_END_EXTERN_C
+
+#endif /* DEVTM_H */
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
new file mode 100644
index 000000000..f93fca36b
--- /dev/null
+++ b/security/nss/lib/dev/devtoken.c
@@ -0,0 +1,1602 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#include "pk11func.h"
+#include "dev3hack.h"
+#include "secerr.h"
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+extern const NSSError NSS_ERROR_PKCS11;
+
+/* The number of object handles to grab during each call to C_FindObjects */
+#define OBJECT_STACK_SIZE 16
+
+NSS_IMPLEMENT PRStatus
+nssToken_Destroy (
+  NSSToken *tok
+)
+{
+    if (tok) {
+	if (PR_AtomicDecrement(&tok->base.refCount) == 0) {
+	    PZ_DestroyLock(tok->base.lock);
+	    nssTokenObjectCache_Destroy(tok->cache);
+	    /* The token holds the first/last reference to the slot.
+	     * When the token is actually destroyed, that ref must go too.
+	     */
+	    (void)nssSlot_Destroy(tok->slot);
+	    return nssArena_Destroy(tok->base.arena);
+	}
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssToken_Remove (
+  NSSToken *tok
+)
+{
+    nssTokenObjectCache_Clear(tok->cache);
+}
+
+NSS_IMPLEMENT void
+NSSToken_Destroy (
+  NSSToken *tok
+)
+{
+    (void)nssToken_Destroy(tok);
+}
+
+NSS_IMPLEMENT NSSToken *
+nssToken_AddRef (
+  NSSToken *tok
+)
+{
+    PR_AtomicIncrement(&tok->base.refCount);
+    return tok;
+}
+
+NSS_IMPLEMENT NSSSlot *
+nssToken_GetSlot (
+  NSSToken *tok
+)
+{
+    return nssSlot_AddRef(tok->slot);
+}
+
+NSS_IMPLEMENT void *
+nssToken_GetCryptokiEPV (
+  NSSToken *token
+)
+{
+    return nssSlot_GetCryptokiEPV(token->slot);
+}
+
+NSS_IMPLEMENT nssSession *
+nssToken_GetDefaultSession (
+  NSSToken *token
+)
+{
+    return token->defaultSession;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssToken_GetName (
+  NSSToken *tok
+)
+{
+    if (tok == NULL) {
+	return "";
+    }
+    if (tok->base.name[0] == 0) {
+	(void) nssSlot_IsTokenPresent(tok->slot);
+    } 
+    return tok->base.name;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSToken_GetName (
+  NSSToken *token
+)
+{
+    return nssToken_GetName(token);
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsLoginRequired (
+  NSSToken *token
+)
+{
+    return (token->ckFlags & CKF_LOGIN_REQUIRED);
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_NeedsPINInitialization (
+  NSSToken *token
+)
+{
+    return (!(token->ckFlags & CKF_USER_PIN_INITIALIZED));
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_DeleteStoredObject (
+  nssCryptokiObject *instance
+)
+{
+    CK_RV ckrv;
+    PRStatus status;
+    PRBool createdSession = PR_FALSE;
+    NSSToken *token = instance->token;
+    nssSession *session = NULL;
+    void *epv = nssToken_GetCryptokiEPV(instance->token);
+    if (token->cache) {
+	nssTokenObjectCache_RemoveObject(token->cache, instance);
+    }
+    if (instance->isTokenObject) {
+       if (token->defaultSession && 
+           nssSession_IsReadWrite(token->defaultSession)) {
+	   session = token->defaultSession;
+       } else {
+	   session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
+	   createdSession = PR_TRUE;
+       }
+    }
+    if (session == NULL) {
+	return PR_FAILURE;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DestroyObject(session->handle, instance->handle);
+    nssSession_ExitMonitor(session);
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    status = PR_SUCCESS;
+    if (ckrv != CKR_OK) {
+	status = PR_FAILURE;
+	/* use the error stack to pass the PKCS #11 error out  */
+	nss_SetError(ckrv);
+	nss_SetError(NSS_ERROR_PKCS11);
+    }
+    return status;
+}
+
+static nssCryptokiObject *
+import_object (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR objectTemplate,
+  CK_ULONG otsize
+)
+{
+    nssSession *session = NULL;
+    PRBool createdSession = PR_FALSE;
+    nssCryptokiObject *object = NULL;
+    CK_OBJECT_HANDLE handle;
+    CK_RV ckrv;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
+	if (sessionOpt) {
+	    if (!nssSession_IsReadWrite(sessionOpt)) {
+		nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+		return NULL;
+	    }
+	    session = sessionOpt;
+	} else if (tok->defaultSession && 
+	           nssSession_IsReadWrite(tok->defaultSession)) {
+	    session = tok->defaultSession;
+	} else {
+	    session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
+	    createdSession = PR_TRUE;
+	}
+    } else {
+	session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    }
+    if (session == NULL) {
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	return NULL;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_CreateObject(session->handle, 
+                                      objectTemplate, otsize,
+                                      &handle);
+    nssSession_ExitMonitor(session);
+    if (ckrv == CKR_OK) {
+	object = nssCryptokiObject_Create(tok, session, handle);
+    } else {
+	nss_SetError(ckrv);
+	nss_SetError(NSS_ERROR_PKCS11);
+    }
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    return object;
+}
+
+static nssCryptokiObject **
+create_objects_from_handles (
+  NSSToken *tok,
+  nssSession *session,
+  CK_OBJECT_HANDLE *handles,
+  PRUint32 numH
+)
+{
+    nssCryptokiObject **objects;
+    objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numH + 1);
+    if (objects) {
+	PRInt32 i;
+	for (i=0; i<(PRInt32)numH; i++) {
+	    objects[i] = nssCryptokiObject_Create(tok, session, handles[i]);
+	    if (!objects[i]) {
+		for (--i; i>0; --i) {
+		    nssCryptokiObject_Destroy(objects[i]);
+		}
+		nss_ZFreeIf(objects);
+		objects = NULL;
+		break;
+	    }
+	}
+    }
+    return objects;
+}
+
+static nssCryptokiObject **
+find_objects (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG otsize,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_RV ckrv = CKR_OK;
+    CK_ULONG count;
+    CK_OBJECT_HANDLE *objectHandles = NULL;
+    CK_OBJECT_HANDLE staticObjects[OBJECT_STACK_SIZE];
+    PRUint32 arraySize, numHandles;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    nssCryptokiObject **objects;
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	ckrv = CKR_SESSION_HANDLE_INVALID;
+	goto loser;                
+    }
+
+    /* the arena is only for the array of object handles */
+    if (maximumOpt > 0) {
+	arraySize = maximumOpt;
+    } else {
+	arraySize = OBJECT_STACK_SIZE;
+    }
+    numHandles = 0;
+    if (arraySize <= OBJECT_STACK_SIZE) {
+	objectHandles = staticObjects;
+    } else {
+	objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
+    }
+    if (!objectHandles) {
+	ckrv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    nssSession_EnterMonitor(session); /* ==== session lock === */
+    /* Initialize the find with the template */
+    ckrv = CKAPI(epv)->C_FindObjectsInit(session->handle, 
+                                         obj_template, otsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	goto loser;
+    }
+    while (PR_TRUE) {
+	/* Issue the find for up to arraySize - numHandles objects */
+	ckrv = CKAPI(epv)->C_FindObjects(session->handle, 
+	                                 objectHandles + numHandles, 
+	                                 arraySize - numHandles, 
+	                                 &count);
+	if (ckrv != CKR_OK) {
+	    nssSession_ExitMonitor(session);
+	    goto loser;
+	}
+	/* bump the number of found objects */
+	numHandles += count;
+	if (maximumOpt > 0 || numHandles < arraySize) {
+	    /* When a maximum is provided, the search is done all at once,
+	     * so the search is finished.  If the number returned was less 
+	     * than the number sought, the search is finished.
+	     */
+	    break;
+	}
+	/* the array is filled, double it and continue */
+	arraySize *= 2;
+	if (objectHandles == staticObjects) {
+	    objectHandles = nss_ZNEWARRAY(NULL,CK_OBJECT_HANDLE, arraySize);
+	    if (objectHandles) {
+		PORT_Memcpy(objectHandles, staticObjects, 
+			OBJECT_STACK_SIZE * sizeof(objectHandles[1]));
+	    }
+	} else {
+	    objectHandles = nss_ZREALLOCARRAY(objectHandles, 
+	                                  CK_OBJECT_HANDLE, 
+	                                  arraySize);
+	}
+	if (!objectHandles) {
+	    nssSession_ExitMonitor(session);
+	    ckrv = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+    }
+    ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
+    nssSession_ExitMonitor(session); /* ==== end session lock === */
+    if (ckrv != CKR_OK) {
+	goto loser;
+    }
+    if (numHandles > 0) {
+	objects = create_objects_from_handles(tok, session,
+	                                      objectHandles, numHandles);
+    } else {
+	nss_SetError(NSS_ERROR_NOT_FOUND);
+	objects = NULL;
+    }
+    if (objectHandles && objectHandles != staticObjects) {
+	nss_ZFreeIf(objectHandles);
+    }
+    if (statusOpt) *statusOpt = PR_SUCCESS;
+    return objects;
+loser:
+    if (objectHandles && objectHandles != staticObjects) {
+	nss_ZFreeIf(objectHandles);
+    }
+    /*
+     * These errors should be treated the same as if the objects just weren't
+     * found..
+     */
+    if ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) ||
+	(ckrv == CKR_ATTRIBUTE_VALUE_INVALID) ||
+	(ckrv == CKR_DATA_INVALID) ||
+	(ckrv == CKR_DATA_LEN_RANGE) ||
+	(ckrv == CKR_FUNCTION_NOT_SUPPORTED) ||
+	(ckrv == CKR_TEMPLATE_INCOMPLETE) ||
+	(ckrv == CKR_TEMPLATE_INCONSISTENT)) {
+
+	nss_SetError(NSS_ERROR_NOT_FOUND);
+	if (statusOpt) *statusOpt = PR_SUCCESS;
+    } else {
+	nss_SetError(ckrv);
+	nss_SetError(NSS_ERROR_PKCS11);
+	if (statusOpt) *statusOpt = PR_FAILURE;
+    }
+    return (nssCryptokiObject **)NULL;
+}
+
+static nssCryptokiObject **
+find_objects_by_template (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG otsize,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_OBJECT_CLASS objclass = (CK_OBJECT_CLASS)-1;
+    nssCryptokiObject **objects = NULL;
+    PRUint32 i;
+    for (i=0; i<otsize; i++) {
+	if (obj_template[i].type == CKA_CLASS) {
+	    objclass = *(CK_OBJECT_CLASS *)obj_template[i].pValue;
+	    break;
+	}
+    }
+    PR_ASSERT(i < otsize);
+    if (i == otsize) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	if (statusOpt) *statusOpt = PR_FAILURE;
+	return NULL;
+    }
+    /* If these objects are being cached, try looking there first */
+    if (token->cache && 
+        nssTokenObjectCache_HaveObjectClass(token->cache, objclass)) 
+    {
+	PRStatus status;
+	objects = nssTokenObjectCache_FindObjectsByTemplate(token->cache,
+	                                                    objclass,
+	                                                    obj_template,
+	                                                    otsize,
+	                                                    maximumOpt,
+	                                                    &status);
+	if (status == PR_SUCCESS) {
+	    if (statusOpt) *statusOpt = status;
+	    return objects;
+	}
+    }
+    /* Either they are not cached, or cache failed; look on token. */
+    objects = find_objects(token, sessionOpt, 
+                           obj_template, otsize, 
+                           maximumOpt, statusOpt);
+    return objects;
+}
+
+extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_ImportCertificate (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSCertificateType certType,
+  NSSItem *id,
+  const NSSUTF8 *nickname,
+  NSSDER *encoding,
+  NSSDER *issuer,
+  NSSDER *subject,
+  NSSDER *serial,
+  NSSASCII7 *email,
+  PRBool asTokenObject
+)
+{
+    PRStatus status;
+    CK_CERTIFICATE_TYPE cert_type;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_tmpl[10];
+    CK_ULONG ctsize;
+    nssTokenSearchType searchType;
+    nssCryptokiObject *rvObject = NULL;
+
+    if (certType == NSSCertificateType_PKIX) {
+	cert_type = CKC_X_509;
+    } else {
+	return (nssCryptokiObject *)NULL;
+    }
+    NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+	searchType = nssTokenSearchType_TokenOnly;
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+	searchType = nssTokenSearchType_SessionOnly;
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,            &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CERTIFICATE_TYPE,  cert_type);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,                id);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL,             nickname);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,             encoding);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,            issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,           subject);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,     serial);
+    if (email) {
+	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL,    email);
+    }
+    NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+    /* see if the cert is already there */
+    rvObject = nssToken_FindCertificateByIssuerAndSerialNumber(tok,
+                                                               sessionOpt,
+                                                               issuer,
+                                                               serial,
+                                                               searchType,
+                                                               NULL);
+    if (rvObject) {
+	NSSItem existingDER;
+	NSSSlot *slot = nssToken_GetSlot(tok);
+	nssSession *session = nssSlot_CreateSession(slot, NULL, PR_TRUE);
+	if (!session) {
+	    nssCryptokiObject_Destroy(rvObject);
+	    nssSlot_Destroy(slot);
+	    return (nssCryptokiObject *)NULL;
+	}
+	/* Reject any attempt to import a new cert that has the same
+	 * issuer/serial as an existing cert, but does not have the
+	 * same encoding
+	 */
+	NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
+	NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+	status = nssCKObject_GetAttributes(rvObject->handle, 
+	                                   cert_tmpl, ctsize, NULL,
+	                                   session, slot);
+	NSS_CK_ATTRIBUTE_TO_ITEM(cert_tmpl, &existingDER);
+	if (status == PR_SUCCESS) {
+	    if (!nssItem_Equal(encoding, &existingDER, NULL)) {
+		nss_SetError(NSS_ERROR_INVALID_CERTIFICATE);
+		status = PR_FAILURE;
+	    }
+	    nss_ZFreeIf(existingDER.data);
+	}
+	if (status == PR_FAILURE) {
+	    nssCryptokiObject_Destroy(rvObject);
+	    nssSession_Destroy(session);
+	    nssSlot_Destroy(slot);
+	    return (nssCryptokiObject *)NULL;
+	}
+	/* according to PKCS#11, label, ID, issuer, and serial number 
+	 * may change after the object has been created.  For PKIX, the
+	 * last two attributes can't change, so for now we'll only worry
+	 * about the first two.
+	 */
+	NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,    id);
+	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
+	NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+	/* reset the mutable attributes on the token */
+	nssCKObject_SetAttributes(rvObject->handle, 
+	                          cert_tmpl, ctsize,
+	                          session, slot);
+	if (!rvObject->label && nickname) {
+	    rvObject->label = nssUTF8_Duplicate(nickname, NULL);
+	}
+	nssSession_Destroy(session);
+	nssSlot_Destroy(slot);
+    } else {
+	/* Import the certificate onto the token */
+	rvObject = import_object(tok, sessionOpt, cert_tmpl, ctsize);
+    }
+    if (rvObject && tok->cache) {
+	/* The cache will overwrite the attributes if the object already
+	 * exists.
+	 */
+	nssTokenObjectCache_ImportObject(tok->cache, rvObject,
+	                                 CKO_CERTIFICATE,
+	                                 cert_tmpl, ctsize);
+    }
+    return rvObject;
+}
+
+/* traverse all objects of the given class - this should only happen
+ * if the token has been marked as "traversable"
+ */
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindObjects (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  CK_OBJECT_CLASS objclass,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE obj_template[2];
+    CK_ULONG obj_size;
+    nssCryptokiObject **objects;
+    NSS_CK_TEMPLATE_START(obj_template, attr, obj_size);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, objclass);
+    NSS_CK_TEMPLATE_FINISH(obj_template, attr, obj_size);
+
+    if (searchType == nssTokenSearchType_TokenForced) {
+	objects = find_objects(token, sessionOpt,
+	                       obj_template, obj_size,
+	                       maximumOpt, statusOpt);
+    } else {
+	objects = find_objects_by_template(token, sessionOpt,
+	                                   obj_template, obj_size,
+	                                   maximumOpt, statusOpt);
+    }
+    return objects;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindCertificatesBySubject (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE subj_template[3];
+    CK_ULONG stsize;
+    nssCryptokiObject **objects;
+    NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
+    NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
+    /* now locate the token certs matching this template */
+    objects = find_objects_by_template(token, sessionOpt,
+                                       subj_template, stsize,
+                                       maximumOpt, statusOpt);
+    return objects;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindCertificatesByNickname (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  const NSSUTF8 *name,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE nick_template[3];
+    CK_ULONG ntsize;
+    nssCryptokiObject **objects;
+    NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
+    /* now locate the token certs matching this template */
+    objects = find_objects_by_template(token, sessionOpt,
+                                       nick_template, ntsize, 
+                                       maximumOpt, statusOpt);
+    if (!objects) {
+	/* This is to workaround the fact that PKCS#11 doesn't specify
+	 * whether the '\0' should be included.  XXX Is that still true?
+	 * im - this is not needed by the current softoken.  However, I'm 
+	 * leaving it in until I have surveyed more tokens to see if it needed.
+	 * well, its needed by the builtin token...
+	 */
+	nick_template[0].ulValueLen++;
+	objects = find_objects_by_template(token, sessionOpt,
+	                                   nick_template, ntsize, 
+	                                   maximumOpt, statusOpt);
+    }
+    return objects;
+}
+
+/* XXX
+ * This function *does not* use the token object cache, because not even
+ * the softoken will return a value for CKA_NETSCAPE_EMAIL from a call
+ * to GetAttributes.  The softoken does allow searches with that attribute,
+ * it just won't return a value for it.
+ */
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindCertificatesByEmail (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSASCII7 *email,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE email_template[3];
+    CK_ULONG etsize;
+    nssCryptokiObject **objects;
+    NSS_CK_TEMPLATE_START(email_template, attr, etsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
+    /* now locate the token certs matching this template */
+    objects = find_objects(token, sessionOpt,
+                           email_template, etsize,
+                           maximumOpt, statusOpt);
+    if (!objects) {
+	/* This is to workaround the fact that PKCS#11 doesn't specify
+	 * whether the '\0' should be included.  XXX Is that still true?
+	 * im - this is not needed by the current softoken.  However, I'm 
+	 * leaving it in until I have surveyed more tokens to see if it needed.
+	 * well, its needed by the builtin token...
+	 */
+	email_template[0].ulValueLen++;
+	objects = find_objects(token, sessionOpt,
+	                       email_template, etsize,
+	                       maximumOpt, statusOpt);
+    }
+    return objects;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindCertificatesByID (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *id,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE id_template[3];
+    CK_ULONG idtsize;
+    nssCryptokiObject **objects;
+    NSS_CK_TEMPLATE_START(id_template, attr, idtsize);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(id_template, attr, idtsize);
+    /* now locate the token certs matching this template */
+    objects = find_objects_by_template(token, sessionOpt,
+                                       id_template, idtsize,
+                                       maximumOpt, statusOpt);
+    return objects;
+}
+
+/*
+ * decode the serial item and return our result.
+ * NOTE serialDecode's data is really stored in serial. Don't free it.
+ */
+static PRStatus
+nssToken_decodeSerialItem(NSSItem *serial, NSSItem *serialDecode)
+{
+    unsigned char *data = (unsigned char *)serial->data;
+    int data_left, data_len, index;
+
+    if ((serial->size >= 3) && (data[0] == 0x2)) {
+	/* remove the der encoding of the serial number before generating the
+	 * key.. */
+	data_left = serial->size-2;
+	data_len = data[1];
+	index = 2;
+
+	/* extended length ? (not very likely for a serial number) */
+	if (data_len & 0x80) {
+	    int len_count = data_len & 0x7f;
+
+	    data_len = 0;
+	    data_left -= len_count;
+	    if (data_left > 0) {
+		while (len_count --) {
+		    data_len = (data_len << 8) | data[index++];
+		}
+	    } 
+	}
+	/* XXX leaving any leading zeros on the serial number for backwards
+	 * compatibility
+	 */
+	/* not a valid der, must be just an unlucky serial number value */
+	if (data_len == data_left) {
+	    serialDecode->size = data_len;
+	    serialDecode->data = &data[index];
+	    return PR_SUCCESS;
+	}
+    }
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_FindCertificateByIssuerAndSerialNumber (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *issuer,
+  NSSDER *serial,
+  nssTokenSearchType searchType,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE_PTR serialAttr;
+    CK_ATTRIBUTE cert_template[4];
+    CK_ULONG ctsize;
+    nssCryptokiObject **objects;
+    nssCryptokiObject *rvObject = NULL;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if ((searchType == nssTokenSearchType_TokenOnly) ||
+               (searchType == nssTokenSearchType_TokenForced)) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    /* Set the unique id */
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,         &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         issuer);
+    serialAttr = attr;
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  serial);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    if (searchType == nssTokenSearchType_TokenForced) {
+	objects = find_objects(token, sessionOpt,
+	                       cert_template, ctsize,
+	                       1, statusOpt);
+    } else {
+	objects = find_objects_by_template(token, sessionOpt,
+                                       cert_template, ctsize,
+                                       1, statusOpt);
+    }
+    if (objects) {
+	rvObject = objects[0];
+	nss_ZFreeIf(objects);
+    }
+
+    /*
+     * NSS used to incorrectly store serial numbers in their decoded form.
+     * because of this old tokens have decoded serial numbers.
+     */
+    if (!objects) {
+	NSSItem serialDecode;
+	PRStatus status;
+
+	status = nssToken_decodeSerialItem(serial, &serialDecode);
+	if (status != PR_SUCCESS) {
+	    return NULL;
+	}
+    	NSS_CK_SET_ATTRIBUTE_ITEM(serialAttr,CKA_SERIAL_NUMBER,&serialDecode);
+	if (searchType == nssTokenSearchType_TokenForced) {
+	    objects = find_objects(token, sessionOpt,
+	                       cert_template, ctsize,
+	                       1, statusOpt);
+	} else {
+	    objects = find_objects_by_template(token, sessionOpt,
+                                       cert_template, ctsize,
+                                       1, statusOpt);
+	}
+	if (objects) {
+	    rvObject = objects[0];
+	    nss_ZFreeIf(objects);
+	}
+    }
+    return rvObject;
+}
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_FindCertificateByEncodedCertificate (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSBER *encodedCertificate,
+  nssTokenSearchType searchType,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[3];
+    CK_ULONG ctsize;
+    nssCryptokiObject **objects;
+    nssCryptokiObject *rvObject = NULL;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    objects = find_objects_by_template(token, sessionOpt,
+                                       cert_template, ctsize,
+                                       1, statusOpt);
+    if (objects) {
+	rvObject = objects[0];
+	nss_ZFreeIf(objects);
+    }
+    return rvObject;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindPrivateKeys (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE key_template[2];
+    CK_ULONG ktsize;
+    nssCryptokiObject **objects;
+
+    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
+
+    objects = find_objects_by_template(token, sessionOpt,
+                                       key_template, ktsize, 
+                                       maximumOpt, statusOpt);
+    return objects;
+}
+
+/* XXX ?there are no session cert objects, so only search token objects */
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_FindPrivateKeyByID (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *keyID
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE key_template[3];
+    CK_ULONG ktsize;
+    nssCryptokiObject **objects;
+    nssCryptokiObject *rvKey = NULL;
+
+    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
+    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
+
+    objects = find_objects_by_template(token, sessionOpt,
+                                       key_template, ktsize, 
+                                       1, NULL);
+    if (objects) {
+	rvKey = objects[0];
+	nss_ZFreeIf(objects);
+    }
+    return rvKey;
+}
+
+/* XXX ?there are no session cert objects, so only search token objects */
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_FindPublicKeyByID (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSItem *keyID
+)
+{
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE key_template[3];
+    CK_ULONG ktsize;
+    nssCryptokiObject **objects;
+    nssCryptokiObject *rvKey = NULL;
+
+    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_pubkey);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
+    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
+
+    objects = find_objects_by_template(token, sessionOpt,
+                                       key_template, ktsize, 
+                                       1, NULL);
+    if (objects) {
+	rvKey = objects[0];
+	nss_ZFreeIf(objects);
+    }
+    return rvKey;
+}
+
+static void
+sha1_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    PK11SlotInfo *internal = PK11_GetInternalSlot();
+    NSSToken *token = PK11Slot_GetNSSToken(internal);
+    ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+    PK11_FreeSlot(token->pk11slot);
+    nss_ZFreeIf(ap);
+}
+
+static void
+md5_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    PK11SlotInfo *internal = PK11_GetInternalSlot();
+    NSSToken *token = PK11Slot_GetNSSToken(internal);
+    ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+    PK11_FreeSlot(token->pk11slot);
+    nss_ZFreeIf(ap);
+}
+
+static CK_TRUST
+get_ck_trust (
+  nssTrustLevel nssTrust
+)
+{
+    CK_TRUST t;
+    switch (nssTrust) {
+    case nssTrustLevel_NotTrusted: t = CKT_NETSCAPE_UNTRUSTED; break;
+    case nssTrustLevel_TrustedDelegator: t = CKT_NETSCAPE_TRUSTED_DELEGATOR; 
+	break;
+    case nssTrustLevel_ValidDelegator: t = CKT_NETSCAPE_VALID_DELEGATOR; break;
+    case nssTrustLevel_Trusted: t = CKT_NETSCAPE_TRUSTED; break;
+    case nssTrustLevel_Valid: t = CKT_NETSCAPE_VALID; break;
+    case nssTrustLevel_Unknown:
+    default: t = CKT_NETSCAPE_TRUST_UNKNOWN; break;
+    }
+    return t;
+}
+ 
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_ImportTrust (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSDER *certEncoding,
+  NSSDER *certIssuer,
+  NSSDER *certSerial,
+  nssTrustLevel serverAuth,
+  nssTrustLevel clientAuth,
+  nssTrustLevel codeSigning,
+  nssTrustLevel emailProtection,
+  PRBool stepUpApproved,
+  PRBool asTokenObject
+)
+{
+    nssCryptokiObject *object;
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_TRUST ckSA, ckCA, ckCS, ckEP;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_tmpl[11];
+    CK_ULONG tsize;
+    PRUint8 sha1[20]; /* this is cheating... */
+    PRUint8 md5[16];
+    NSSItem sha1_result, md5_result;
+    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
+    md5_result.data = md5; md5_result.size = sizeof md5;
+    sha1_hash(certEncoding, &sha1_result);
+    md5_hash(certEncoding, &md5_result);
+    ckSA = get_ck_trust(serverAuth);
+    ckCA = get_ck_trust(clientAuth);
+    ckCS = get_ck_trust(codeSigning);
+    ckEP = get_ck_trust(emailProtection);
+    NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,           tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,          certIssuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,   certSerial);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH,  &md5_result);
+    /* now set the trust values */
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      ckSA);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      ckCA);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     ckCS);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, ckEP);
+    if (stepUpApproved) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED, 
+	                          &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED, 
+	                          &g_ck_false);
+    }
+    NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
+    /* import the trust object onto the token */
+    object = import_object(tok, sessionOpt, trust_tmpl, tsize);
+    if (object && tok->cache) {
+	nssTokenObjectCache_ImportObject(tok->cache, object, tobjc,
+	                                 trust_tmpl, tsize);
+    }
+    return object;
+}
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_FindTrustForCertificate (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *certEncoding,
+  NSSDER *certIssuer,
+  NSSDER *certSerial,
+  nssTokenSearchType searchType
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[5];
+    CK_ULONG tobj_size;
+    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
+    nssCryptokiObject *object = NULL, **objects;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return object;
+    }
+
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         certIssuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial);
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+    objects = find_objects_by_template(token, session,
+                                       tobj_template, tobj_size,
+                                       1, NULL);
+    if (objects) {
+	object = objects[0];
+	nss_ZFreeIf(objects);
+    }
+    return object;
+}
+ 
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_ImportCRL (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  NSSDER *encoding,
+  PRBool isKRL,
+  NSSUTF8 *url,
+  PRBool asTokenObject
+)
+{
+    nssCryptokiObject *object;
+    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE crl_tmpl[6];
+    CK_ULONG crlsize;
+
+    NSS_CK_TEMPLATE_START(crl_tmpl, attr, crlsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,        crlobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,      subject);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,        encoding);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_URL, url);
+    if (isKRL) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_false);
+    }
+    NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
+
+    /* import the crl object onto the token */
+    object = import_object(token, sessionOpt, crl_tmpl, crlsize);
+    if (object && token->cache) {
+	nssTokenObjectCache_ImportObject(token->cache, object, crlobjc,
+	                                 crl_tmpl, crlsize);
+    }
+    return object;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindCRLsBySubject (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenSearchType searchType,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE crlobj_template[3];
+    CK_ULONG crlobj_size;
+    nssCryptokiObject **objects = NULL;
+    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return objects;
+    }
+
+    NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
+    NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
+
+    objects = find_objects_by_template(token, session,
+                                       crlobj_template, crlobj_size,
+                                       maximumOpt, statusOpt);
+    return objects;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_GetCachedObjectAttributes (
+  NSSToken *token,
+  NSSArena *arenaOpt,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR atemplate,
+  CK_ULONG atlen
+)
+{
+    if (!token->cache) {
+	return PR_FAILURE;
+    }
+    return nssTokenObjectCache_GetObjectAttributes(token->cache, arenaOpt,
+                                                   object, objclass,
+                                                   atemplate, atlen);
+}
+
+NSS_IMPLEMENT NSSItem *
+nssToken_Digest (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    CK_RV ckrv;
+    CK_ULONG digestLen;
+    CK_BYTE_PTR digest;
+    NSSItem *rvItem = NULL;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return rvItem;
+    }
+
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+#if 0
+    /* XXX the standard says this should work, but it doesn't */
+    ckrv = CKAPI(epv)->C_Digest(session->handle, NULL, 0, NULL, &digestLen);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+#endif
+    digestLen = 0; /* XXX for now */
+    digest = NULL;
+    if (rvOpt) {
+	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
+	    nssSession_ExitMonitor(session);
+	    /* the error should be bad args */
+	    return NULL;
+	}
+	if (rvOpt->data) {
+	    digest = rvOpt->data;
+	}
+	digestLen = rvOpt->size;
+    }
+    if (!digest) {
+	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
+	if (!digest) {
+	    nssSession_ExitMonitor(session);
+	    return NULL;
+	}
+    }
+    ckrv = CKAPI(epv)->C_Digest(session->handle, 
+                                (CK_BYTE_PTR)data->data, 
+                                (CK_ULONG)data->size,
+                                (CK_BYTE_PTR)digest,
+                                &digestLen);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	nss_ZFreeIf(digest);
+	return NULL;
+    }
+    if (!rvOpt) {
+	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
+    }
+    return rvItem;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_BeginDigest (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap
+)
+{
+    CK_RV ckrv;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
+    nssSession_ExitMonitor(session);
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_ContinueDigest (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *item
+)
+{
+    CK_RV ckrv;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DigestUpdate(session->handle, 
+                                      (CK_BYTE_PTR)item->data, 
+                                      (CK_ULONG)item->size);
+    nssSession_ExitMonitor(session);
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssToken_FinishDigest (
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    CK_RV ckrv;
+    CK_ULONG digestLen;
+    CK_BYTE_PTR digest;
+    NSSItem *rvItem = NULL;
+    void *epv = nssToken_GetCryptokiEPV(tok);
+    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen);
+    if (ckrv != CKR_OK || digestLen == 0) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+    digest = NULL;
+    if (rvOpt) {
+	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
+	    nssSession_ExitMonitor(session);
+	    /* the error should be bad args */
+	    return NULL;
+	}
+	if (rvOpt->data) {
+	    digest = rvOpt->data;
+	}
+	digestLen = rvOpt->size;
+    }
+    if (!digest) {
+	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
+	if (!digest) {
+	    nssSession_ExitMonitor(session);
+	    return NULL;
+	}
+    }
+    ckrv = CKAPI(epv)->C_DigestFinal(session->handle, digest, &digestLen);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	nss_ZFreeIf(digest);
+	return NULL;
+    }
+    if (!rvOpt) {
+	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
+    }
+    return rvItem;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsPresent (
+  NSSToken *token
+)
+{
+    return nssSlot_IsTokenPresent(token->slot);
+}
+
+/* Sigh.  The methods to find objects declared above cause problems with
+ * the low-level object cache in the softoken -- the objects are found in 
+ * toto, then one wave of GetAttributes is done, then another.  Having a 
+ * large number of objects causes the cache to be thrashed, as the objects 
+ * are gone before there's any chance to ask for their attributes.
+ * So, for now, bringing back traversal methods for certs.  This way all of 
+ * the cert's attributes can be grabbed immediately after finding it,
+ * increasing the likelihood that the cache takes care of it.
+ */
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificates (
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenSearchType searchType,
+  PRStatus (* callback)(nssCryptokiObject *instance, void *arg),
+  void *arg
+)
+{
+    CK_RV ckrv;
+    CK_ULONG count;
+    CK_OBJECT_HANDLE *objectHandles;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[2];
+    CK_ULONG ctsize;
+    NSSArena *arena;
+    PRStatus status;
+    PRUint32 arraySize, numHandles;
+    nssCryptokiObject **objects;
+    void *epv = nssToken_GetCryptokiEPV(token);
+    nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
+
+    /* Don't ask the module to use an invalid session handle. */
+    if (!session || session->handle == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return PR_FAILURE;
+    }
+
+    /* template for all certs */
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+
+    /* the arena is only for the array of object handles */
+    arena = nssArena_Create();
+    if (!arena) {
+	return PR_FAILURE;
+    }
+    arraySize = OBJECT_STACK_SIZE;
+    numHandles = 0;
+    objectHandles = nss_ZNEWARRAY(arena, CK_OBJECT_HANDLE, arraySize);
+    if (!objectHandles) {
+	goto loser;
+    }
+    nssSession_EnterMonitor(session); /* ==== session lock === */
+    /* Initialize the find with the template */
+    ckrv = CKAPI(epv)->C_FindObjectsInit(session->handle, 
+                                         cert_template, ctsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	goto loser;
+    }
+    while (PR_TRUE) {
+	/* Issue the find for up to arraySize - numHandles objects */
+	ckrv = CKAPI(epv)->C_FindObjects(session->handle, 
+	                                 objectHandles + numHandles, 
+	                                 arraySize - numHandles, 
+	                                 &count);
+	if (ckrv != CKR_OK) {
+	    nssSession_ExitMonitor(session);
+	    goto loser;
+	}
+	/* bump the number of found objects */
+	numHandles += count;
+	if (numHandles < arraySize) {
+	    break;
+	}
+	/* the array is filled, double it and continue */
+	arraySize *= 2;
+	objectHandles = nss_ZREALLOCARRAY(objectHandles, 
+	                                  CK_OBJECT_HANDLE, 
+	                                  arraySize);
+	if (!objectHandles) {
+	    nssSession_ExitMonitor(session);
+	    goto loser;
+	}
+    }
+    ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
+    nssSession_ExitMonitor(session); /* ==== end session lock === */
+    if (ckrv != CKR_OK) {
+	goto loser;
+    }
+    if (numHandles > 0) {
+	objects = create_objects_from_handles(token, session,
+	                                      objectHandles, numHandles);
+	if (objects) {
+	    nssCryptokiObject **op;
+	    for (op = objects; *op; op++) {
+		status = (*callback)(*op, arg);
+	    }
+	    nss_ZFreeIf(objects);
+	}
+    }
+    nssArena_Destroy(arena);
+    return PR_SUCCESS;
+loser:
+    nssArena_Destroy(arena);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsPrivateKeyAvailable (
+  NSSToken *token,
+  NSSCertificate *c,
+  nssCryptokiObject *instance
+)
+{
+    CK_OBJECT_CLASS theClass;
+
+    if (token == NULL) return PR_FALSE;
+    if (c == NULL) return PR_FALSE;
+
+    theClass = CKO_PRIVATE_KEY;
+    if (!nssSlot_IsLoggedIn(token->slot)) {
+	theClass = CKO_PUBLIC_KEY;
+    }
+    if (PK11_MatchItem(token->pk11slot, instance->handle, theClass) 
+						!= CK_INVALID_HANDLE) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
new file mode 100644
index 000000000..eb7148aeb
--- /dev/null
+++ b/security/nss/lib/dev/devutil.c
@@ -0,0 +1,1045 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssCryptokiObject_Create (
+  NSSToken *t, 
+  nssSession *session,
+  CK_OBJECT_HANDLE h
+)
+{
+    PRStatus status;
+    NSSSlot *slot;
+    nssCryptokiObject *object;
+    CK_BBOOL *isTokenObject;
+    CK_ATTRIBUTE cert_template[] = {
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 }
+    };
+    slot = nssToken_GetSlot(t);
+    status = nssCKObject_GetAttributes(h, cert_template, 2,
+                                       NULL, session, slot);
+    nssSlot_Destroy(slot);
+    if (status != PR_SUCCESS) {
+	/* a failure here indicates a device error */
+	return (nssCryptokiObject *)NULL;
+    }
+    object = nss_ZNEW(NULL, nssCryptokiObject);
+    if (!object) {
+	return (nssCryptokiObject *)NULL;
+    }
+    object->handle = h;
+    object->token = nssToken_AddRef(t);
+    isTokenObject = (CK_BBOOL *)cert_template[0].pValue;
+    object->isTokenObject = *isTokenObject;
+    nss_ZFreeIf(isTokenObject);
+    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[1], object->label);
+    return object;
+}
+
+NSS_IMPLEMENT void
+nssCryptokiObject_Destroy (
+  nssCryptokiObject *object
+)
+{
+    if (object) {
+	nssToken_Destroy(object->token);
+	nss_ZFreeIf(object->label);
+	nss_ZFreeIf(object);
+    }
+}
+
+NSS_IMPLEMENT nssCryptokiObject *
+nssCryptokiObject_Clone (
+  nssCryptokiObject *object
+)
+{
+    nssCryptokiObject *rvObject;
+    rvObject = nss_ZNEW(NULL, nssCryptokiObject);
+    if (rvObject) {
+	rvObject->handle = object->handle;
+	rvObject->token = nssToken_AddRef(object->token);
+	rvObject->isTokenObject = object->isTokenObject;
+	if (object->label) {
+	    rvObject->label = nssUTF8_Duplicate(object->label, NULL);
+	}
+    }
+    return rvObject;
+}
+
+NSS_EXTERN PRBool
+nssCryptokiObject_Equal (
+  nssCryptokiObject *o1,
+  nssCryptokiObject *o2
+)
+{
+    return (o1->token == o2->token && o1->handle == o2->handle);
+}
+
+NSS_IMPLEMENT PRUint32
+nssPKCS11String_Length(CK_CHAR *pkcs11Str, PRUint32 bufLen)
+{
+    PRInt32 i;
+    for (i = bufLen - 1; i>=0; ) {
+	if (pkcs11Str[i] != ' ' && pkcs11Str[i] != '\0') break;
+	--i;
+    }
+    return (PRUint32)(i + 1);
+}
+
+/*
+ * Slot arrays
+ */
+
+NSS_IMPLEMENT NSSSlot **
+nssSlotArray_Clone (
+  NSSSlot **slots
+)
+{
+    NSSSlot **rvSlots = NULL;
+    NSSSlot **sp = slots;
+    PRUint32 count = 0;
+    while (sp && *sp) count++;
+    if (count > 0) {
+	rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1);
+	if (rvSlots) {
+	    sp = slots;
+	    count = 0;
+	    for (sp = slots; *sp; sp++) {
+		rvSlots[count++] = nssSlot_AddRef(*sp);
+	    }
+	}
+    }
+    return rvSlots;
+}
+
+NSS_IMPLEMENT void
+nssSlotArray_Destroy (
+  NSSSlot **slots
+)
+{
+    if (slots) {
+	NSSSlot **slotp;
+	for (slotp = slots; *slotp; slotp++) {
+	    nssSlot_Destroy(*slotp);
+	}
+	nss_ZFreeIf(slots);
+    }
+}
+
+NSS_IMPLEMENT void
+NSSSlotArray_Destroy (
+  NSSSlot **slots
+)
+{
+    nssSlotArray_Destroy(slots);
+}
+
+NSS_IMPLEMENT void
+nssTokenArray_Destroy (
+  NSSToken **tokens
+)
+{
+    if (tokens) {
+	NSSToken **tokenp;
+	for (tokenp = tokens; *tokenp; tokenp++) {
+	    nssToken_Destroy(*tokenp);
+	}
+	nss_ZFreeIf(tokens);
+    }
+}
+
+NSS_IMPLEMENT void
+NSSTokenArray_Destroy (
+  NSSToken **tokens
+)
+{
+    nssTokenArray_Destroy(tokens);
+}
+
+NSS_IMPLEMENT void
+nssCryptokiObjectArray_Destroy (
+  nssCryptokiObject **objects
+)
+{
+    if (objects) {
+	nssCryptokiObject **op;
+	for (op = objects; *op; op++) {
+	    nssCryptokiObject_Destroy(*op);
+	}
+	nss_ZFreeIf(objects);
+    }
+}
+
+/* object cache for token */
+
+typedef struct
+{
+  NSSArena *arena;
+  nssCryptokiObject *object;
+  CK_ATTRIBUTE_PTR attributes;
+  CK_ULONG numAttributes;
+}
+nssCryptokiObjectAndAttributes;
+
+enum {
+  cachedCerts = 0,
+  cachedTrust = 1,
+  cachedCRLs = 2
+} cachedObjectType;
+
+struct nssTokenObjectCacheStr
+{
+  NSSToken *token;
+  PZLock *lock;
+  PRBool loggedIn;
+  PRBool doObjectType[3];
+  PRBool searchedObjectType[3];
+  nssCryptokiObjectAndAttributes **objects[3];
+};
+
+NSS_IMPLEMENT nssTokenObjectCache *
+nssTokenObjectCache_Create (
+  NSSToken *token,
+  PRBool cacheCerts,
+  PRBool cacheTrust,
+  PRBool cacheCRLs
+)
+{
+    nssTokenObjectCache *rvCache;
+    rvCache = nss_ZNEW(NULL, nssTokenObjectCache);
+    if (!rvCache) {
+	goto loser;
+    }
+    rvCache->lock = PZ_NewLock(nssILockOther); /* XXX */
+    if (!rvCache->lock) {
+	goto loser;
+    }
+    rvCache->doObjectType[cachedCerts] = cacheCerts;
+    rvCache->doObjectType[cachedTrust] = cacheTrust;
+    rvCache->doObjectType[cachedCRLs] = cacheCRLs;
+    rvCache->token = token; /* cache goes away with token */
+    return rvCache;
+loser:
+    return (nssTokenObjectCache *)NULL;
+}
+
+static void
+clear_cache (
+  nssTokenObjectCache *cache
+)
+{
+    nssCryptokiObjectAndAttributes **oa;
+    PRUint32 objectType;
+    for (objectType = cachedCerts; objectType <= cachedCRLs; objectType++) {
+	cache->searchedObjectType[objectType] = PR_FALSE;
+	if (!cache->objects[objectType]) {
+	    continue;
+	}
+	for (oa = cache->objects[objectType]; *oa; oa++) {
+	    /* prevent the token from being destroyed */
+	    (*oa)->object->token = NULL;
+	    nssCryptokiObject_Destroy((*oa)->object);
+	    nssArena_Destroy((*oa)->arena);
+	}
+	nss_ZFreeIf(cache->objects[objectType]);
+	cache->objects[objectType] = NULL;
+    }
+}
+
+NSS_IMPLEMENT void
+nssTokenObjectCache_Clear (
+  nssTokenObjectCache *cache
+)
+{
+    if (cache) {
+	PZ_Lock(cache->lock);
+	clear_cache(cache);
+	PZ_Unlock(cache->lock);
+    }
+}
+
+NSS_IMPLEMENT void
+nssTokenObjectCache_Destroy (
+  nssTokenObjectCache *cache
+)
+{
+    if (cache) {
+	clear_cache(cache);
+	PZ_DestroyLock(cache->lock);
+	nss_ZFreeIf(cache);
+    }
+}
+
+NSS_IMPLEMENT PRBool
+nssTokenObjectCache_HaveObjectClass (
+  nssTokenObjectCache *cache,
+  CK_OBJECT_CLASS objclass
+)
+{
+    PRBool haveIt;
+    PZ_Lock(cache->lock);
+    switch (objclass) {
+    case CKO_CERTIFICATE:    haveIt = cache->doObjectType[cachedCerts]; break;
+    case CKO_NETSCAPE_TRUST: haveIt = cache->doObjectType[cachedTrust]; break;
+    case CKO_NETSCAPE_CRL:   haveIt = cache->doObjectType[cachedCRLs];  break;
+    default:                 haveIt = PR_FALSE;
+    }
+    PZ_Unlock(cache->lock);
+    return haveIt;
+}
+
+static nssCryptokiObjectAndAttributes **
+create_object_array (
+  nssCryptokiObject **objects,
+  PRBool *doObjects,
+  PRUint32 *numObjects,
+  PRStatus *status
+)
+{
+    nssCryptokiObjectAndAttributes **rvOandA = NULL;
+    *numObjects = 0;
+    /* There are no objects for this type */
+    if (!objects || !*objects) {
+	*status = PR_SUCCESS;
+	return rvOandA;
+    }
+    while (*objects++) (*numObjects)++;
+    if (*numObjects >= MAX_LOCAL_CACHE_OBJECTS) {
+	/* Hit the maximum allowed, so don't use a cache (there are
+	 * too many objects to make caching worthwhile, presumably, if
+	 * the token can handle that many objects, it can handle searching.
+	 */
+	*doObjects = PR_FALSE;
+	*status = PR_FAILURE;
+	*numObjects = 0;
+    } else {
+	rvOandA = nss_ZNEWARRAY(NULL, 
+	                        nssCryptokiObjectAndAttributes *, 
+	                        *numObjects + 1);
+	*status = rvOandA ? PR_SUCCESS : PR_FAILURE;
+    }
+    return rvOandA;
+}
+
+static nssCryptokiObjectAndAttributes *
+create_object (
+  nssCryptokiObject *object,
+  const CK_ATTRIBUTE_TYPE *types,
+  PRUint32 numTypes,
+  PRStatus *status
+)
+{
+    PRUint32 j;
+    NSSArena *arena;
+    NSSSlot *slot = NULL;
+    nssSession *session = NULL;
+    nssCryptokiObjectAndAttributes *rvCachedObject = NULL;
+
+    slot = nssToken_GetSlot(object->token);
+    if (!slot) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        goto loser;
+    }
+    session = nssToken_GetDefaultSession(object->token);
+    if (!session) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        goto loser;
+    }
+    arena = nssArena_Create();
+    if (!arena) {
+	goto loser;
+    }
+    rvCachedObject = nss_ZNEW(arena, nssCryptokiObjectAndAttributes);
+    if (!rvCachedObject) {
+	goto loser;
+    }
+    rvCachedObject->arena = arena;
+    /* The cache is tied to the token, and therefore the objects
+     * in it should not hold references to the token.
+     */
+    nssToken_Destroy(object->token);
+    rvCachedObject->object = object;
+    rvCachedObject->attributes = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, numTypes);
+    if (!rvCachedObject->attributes) {
+	goto loser;
+    }
+    for (j=0; j<numTypes; j++) {
+	rvCachedObject->attributes[j].type = types[j];
+    }
+    *status = nssCKObject_GetAttributes(object->handle,
+                                        rvCachedObject->attributes,
+                                        numTypes,
+                                        arena,
+                                        session,
+                                        slot);
+    if (*status != PR_SUCCESS) {
+	goto loser;
+    }
+    rvCachedObject->numAttributes = numTypes;
+    *status = PR_SUCCESS;
+    nssSlot_Destroy(slot);
+
+    return rvCachedObject;
+loser:
+    *status = PR_FAILURE;
+    if (slot) {
+	nssSlot_Destroy(slot);
+    }
+    if (arena)
+	nssArena_Destroy(arena);
+    return (nssCryptokiObjectAndAttributes *)NULL;
+}
+
+/*
+ *
+ * State diagram for cache:
+ *
+ *            token !present            token removed
+ *        +-------------------------+<----------------------+
+ *        |                         ^                       |
+ *        v                         |                       |
+ *  +----------+   slot friendly    |  token present   +----------+ 
+ *  |   cache  | -----------------> % ---------------> |   cache  |
+ *  | unloaded |                                       |  loaded  |
+ *  +----------+                                       +----------+
+ *    ^   |                                                 ^   |
+ *    |   |   slot !friendly           slot logged in       |   |
+ *    |   +-----------------------> % ----------------------+   |
+ *    |                             |                           |
+ *    | slot logged out             v  slot !friendly           |
+ *    +-----------------------------+<--------------------------+
+ *
+ */
+
+/* This function must not be called with cache->lock locked. */
+static PRBool
+token_is_present (
+  nssTokenObjectCache *cache
+)
+{
+    NSSSlot *slot = nssToken_GetSlot(cache->token);
+    PRBool tokenPresent = nssSlot_IsTokenPresent(slot);
+    nssSlot_Destroy(slot);
+    return tokenPresent;
+}
+
+static PRBool
+search_for_objects (
+  nssTokenObjectCache *cache
+)
+{
+    PRBool doSearch = PR_FALSE;
+    NSSSlot *slot = nssToken_GetSlot(cache->token);
+    /* Handle non-friendly slots (slots which require login for objects) */
+    if (!nssSlot_IsFriendly(slot)) {
+	if (nssSlot_IsLoggedIn(slot)) {
+	    /* Either no state change, or went from !logged in -> logged in */
+	    cache->loggedIn = PR_TRUE;
+	    doSearch = PR_TRUE;
+	} else {
+	    if (cache->loggedIn) {
+		/* went from logged in -> !logged in, destroy cached objects */
+		clear_cache(cache);
+		cache->loggedIn = PR_FALSE;
+	    } /* else no state change, still not logged in, so exit */
+	}
+    } else {
+	/* slot is friendly, thus always available for search */
+	doSearch = PR_TRUE;
+    }
+    nssSlot_Destroy(slot);
+    return doSearch;
+}
+
+static nssCryptokiObjectAndAttributes *
+create_cert (
+  nssCryptokiObject *object,
+  PRStatus *status
+)
+{
+    static const CK_ATTRIBUTE_TYPE certAttr[] = {
+	CKA_CLASS,
+	CKA_TOKEN,
+	CKA_LABEL,
+	CKA_CERTIFICATE_TYPE,
+	CKA_ID,
+	CKA_VALUE,
+	CKA_ISSUER,
+	CKA_SERIAL_NUMBER,
+	CKA_SUBJECT,
+	CKA_NETSCAPE_EMAIL
+    };
+    static const PRUint32 numCertAttr = sizeof(certAttr) / sizeof(certAttr[0]);
+    return create_object(object, certAttr, numCertAttr, status);
+}
+
+static nssCryptokiObjectAndAttributes *
+create_trust (
+  nssCryptokiObject *object,
+  PRStatus *status
+)
+{
+    static const CK_ATTRIBUTE_TYPE trustAttr[] = {
+	CKA_CLASS,
+	CKA_TOKEN,
+	CKA_LABEL,
+	CKA_CERT_SHA1_HASH,
+	CKA_CERT_MD5_HASH,
+	CKA_ISSUER,
+	CKA_SUBJECT,
+	CKA_TRUST_SERVER_AUTH,
+	CKA_TRUST_CLIENT_AUTH,
+	CKA_TRUST_EMAIL_PROTECTION,
+	CKA_TRUST_CODE_SIGNING
+    };
+    static const PRUint32 numTrustAttr = sizeof(trustAttr) / sizeof(trustAttr[0]);
+    return create_object(object, trustAttr, numTrustAttr, status);
+}
+
+static nssCryptokiObjectAndAttributes *
+create_crl (
+  nssCryptokiObject *object,
+  PRStatus *status
+)
+{
+    static const CK_ATTRIBUTE_TYPE crlAttr[] = {
+	CKA_CLASS,
+	CKA_TOKEN,
+	CKA_LABEL,
+	CKA_VALUE,
+	CKA_SUBJECT,
+	CKA_NETSCAPE_KRL,
+	CKA_NETSCAPE_URL
+    };
+    static const PRUint32 numCRLAttr = sizeof(crlAttr) / sizeof(crlAttr[0]);
+    return create_object(object, crlAttr, numCRLAttr, status);
+}
+
+/* Dispatch to the create function for the object type */
+static nssCryptokiObjectAndAttributes *
+create_object_of_type (
+  nssCryptokiObject *object,
+  PRUint32 objectType,
+  PRStatus *status
+)
+{
+    if (objectType == cachedCerts) {
+	return create_cert(object, status);
+    }
+    if (objectType == cachedTrust) {
+	return create_trust(object, status);
+    }
+    if (objectType == cachedCRLs) {
+	return create_crl(object, status);
+    }
+    return (nssCryptokiObjectAndAttributes *)NULL;
+}
+
+static PRStatus
+get_token_objects_for_cache (
+  nssTokenObjectCache *cache,
+  PRUint32 objectType,
+  CK_OBJECT_CLASS objclass
+)
+{
+    PRStatus status;
+    nssCryptokiObject **objects;
+    PRBool *doIt = &cache->doObjectType[objectType];
+    PRUint32 i, numObjects;
+
+    if (!search_for_objects(cache) || 
+         cache->searchedObjectType[objectType] || 
+        !cache->doObjectType[objectType]) 
+    {
+	/* Either there was a state change that prevents a search
+	 * (token logged out), or the search was already done,
+	 * or objects of this type are not being cached.
+	 */
+	return PR_SUCCESS;
+    }
+    objects = nssToken_FindObjects(cache->token, NULL, objclass,
+                                   nssTokenSearchType_TokenForced,
+                                   MAX_LOCAL_CACHE_OBJECTS, &status);
+    if (status != PR_SUCCESS) {
+	return status;
+    }
+    cache->objects[objectType] = create_object_array(objects,
+                                                     doIt,
+                                                     &numObjects,
+                                                     &status);
+    if (status != PR_SUCCESS) {
+	return status;
+    }
+    for (i=0; i<numObjects; i++) {
+	cache->objects[objectType][i] = create_object_of_type(objects[i],
+	                                                      objectType,
+	                                                      &status);
+	if (status != PR_SUCCESS) {
+	    break;
+	}
+    }
+    if (status == PR_SUCCESS) {
+	nss_ZFreeIf(objects);
+    } else {
+	PRUint32 j;
+	for (j=0; j<i; j++) {
+	    /* sigh */
+	    nssToken_AddRef(cache->objects[objectType][j]->object->token);
+	    nssArena_Destroy(cache->objects[objectType][j]->arena);
+	}
+	nss_ZFreeIf(cache->objects[objectType]);
+	cache->objects[objectType] = NULL;
+	nssCryptokiObjectArray_Destroy(objects);
+    }
+    cache->searchedObjectType[objectType] = PR_TRUE;
+    return status;
+}
+
+static CK_ATTRIBUTE_PTR
+find_attribute_in_object (
+  nssCryptokiObjectAndAttributes *obj,
+  CK_ATTRIBUTE_TYPE attrType
+)
+{
+    PRUint32 j;
+    for (j=0; j<obj->numAttributes; j++) {
+	if (attrType == obj->attributes[j].type) {
+	    return &obj->attributes[j];
+	}
+    }
+    return (CK_ATTRIBUTE_PTR)NULL;
+}
+
+/* Find all objects in the array that match the supplied template */
+static nssCryptokiObject **
+find_objects_in_array (
+  nssCryptokiObjectAndAttributes **objArray,
+  CK_ATTRIBUTE_PTR ot,
+  CK_ULONG otlen,
+  PRUint32 maximumOpt
+)
+{
+    PRIntn oi = 0;
+    PRUint32 i;
+    NSSArena *arena;
+    PRUint32 size = 8;
+    PRUint32 numMatches = 0;
+    nssCryptokiObject **objects = NULL;
+    nssCryptokiObjectAndAttributes **matches = NULL;
+    CK_ATTRIBUTE_PTR attr;
+
+    if (!objArray) {
+	return (nssCryptokiObject **)NULL;
+    }
+    arena = nssArena_Create();
+    if (!arena) {
+	return (nssCryptokiObject **)NULL;
+    }
+    matches = nss_ZNEWARRAY(arena, nssCryptokiObjectAndAttributes *, size);
+    if (!matches) {
+	goto loser;
+    }
+    if (maximumOpt == 0) maximumOpt = ~0;
+    /* loop over the cached objects */
+    for (; *objArray && numMatches < maximumOpt; objArray++) {
+	nssCryptokiObjectAndAttributes *obj = *objArray;
+	/* loop over the test template */
+	for (i=0; i<otlen; i++) {
+	    /* see if the object has the attribute */
+	    attr = find_attribute_in_object(obj, ot[i].type);
+	    if (!attr) {
+		/* nope, match failed */
+		break;
+	    }
+	    /* compare the attribute against the test value */
+	    if (ot[i].ulValueLen != attr->ulValueLen ||
+	        !nsslibc_memequal(ot[i].pValue, 
+	                          attr->pValue,
+	                          attr->ulValueLen, NULL))
+	    {
+		/* nope, match failed */
+		break;
+	    }
+	}
+	if (i == otlen) {
+	    /* all of the attributes in the test template were found
+	     * in the object's template, and they all matched
+	     */
+	    matches[numMatches++] = obj;
+	    if (numMatches == size) {
+		size *= 2;
+		matches = nss_ZREALLOCARRAY(matches, 
+		                            nssCryptokiObjectAndAttributes *, 
+		                            size);
+		if (!matches) {
+		    goto loser;
+		}
+	    }
+	}
+    }
+    if (numMatches > 0) {
+	objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numMatches + 1);
+	if (!objects) {
+	    goto loser;
+	}
+	for (oi=0; oi<(PRIntn)numMatches; oi++) {
+	    objects[oi] = nssCryptokiObject_Clone(matches[oi]->object);
+	    if (!objects[oi]) {
+		goto loser;
+	    }
+	}
+    }
+    nssArena_Destroy(arena);
+    return objects;
+loser:
+    if (objects) {
+	for (--oi; oi>=0; --oi) {
+	    nssCryptokiObject_Destroy(objects[oi]);
+	}
+    }
+    nssArena_Destroy(arena);
+    return (nssCryptokiObject **)NULL;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssTokenObjectCache_FindObjectsByTemplate (
+  nssTokenObjectCache *cache,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR otemplate,
+  CK_ULONG otlen,
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
+)
+{
+    PRStatus status = PR_FAILURE;
+    nssCryptokiObject **rvObjects = NULL;
+    PRUint32 objectType;
+    if (!token_is_present(cache)) {
+	status = PR_SUCCESS;
+	goto finish;
+    }
+    switch (objclass) {
+    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
+    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
+    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
+    default: goto finish;
+    }
+    PZ_Lock(cache->lock);
+    if (cache->doObjectType[objectType]) {
+	status = get_token_objects_for_cache(cache, objectType, objclass);
+	if (status == PR_SUCCESS) {
+	    rvObjects = find_objects_in_array(cache->objects[objectType], 
+	                                      otemplate, otlen, maximumOpt);
+	}
+    }
+    PZ_Unlock(cache->lock);
+finish:
+    if (statusOpt) {
+	*statusOpt = status;
+    }
+    return rvObjects;
+}
+
+static PRBool
+cache_available_for_object_type (
+  nssTokenObjectCache *cache,
+  PRUint32 objectType
+)
+{
+    if (!cache->doObjectType[objectType]) {
+	/* not caching this object kind */
+	return PR_FALSE;
+    }
+    if (!cache->searchedObjectType[objectType]) {
+	/* objects are not cached yet */
+	return PR_FALSE;
+    }
+    if (!search_for_objects(cache)) {
+	/* not logged in */
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTokenObjectCache_GetObjectAttributes (
+  nssTokenObjectCache *cache,
+  NSSArena *arenaOpt,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR atemplate,
+  CK_ULONG atlen
+)
+{
+    PRUint32 i, j;
+    NSSArena *arena = NULL;
+    nssArenaMark *mark = NULL;
+    nssCryptokiObjectAndAttributes *cachedOA = NULL;
+    nssCryptokiObjectAndAttributes **oa = NULL;
+    PRUint32 objectType;
+    if (!token_is_present(cache)) {
+	return PR_FAILURE;
+    }
+    PZ_Lock(cache->lock);
+    switch (objclass) {
+    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
+    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
+    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
+    default: goto loser;
+    }
+    if (!cache_available_for_object_type(cache, objectType)) {
+	goto loser;
+    }
+    oa = cache->objects[objectType];
+    if (!oa) {
+	goto loser;
+    }
+    for (; *oa; oa++) {
+	if (nssCryptokiObject_Equal((*oa)->object, object)) {
+	    cachedOA = *oa;
+	    break;
+	}
+    }
+    if (!cachedOA) {
+	goto loser; /* don't have this object */
+    }
+    if (arenaOpt) {
+	arena = arenaOpt;
+	mark = nssArena_Mark(arena);
+    }
+    for (i=0; i<atlen; i++) {
+	for (j=0; j<cachedOA->numAttributes; j++) {
+	    if (atemplate[i].type == cachedOA->attributes[j].type) {
+		CK_ATTRIBUTE_PTR attr = &cachedOA->attributes[j];
+		if (cachedOA->attributes[j].ulValueLen == 0 ||
+		    cachedOA->attributes[j].ulValueLen == (CK_ULONG)-1) 
+		{
+		    break; /* invalid attribute */
+		}
+		if (atemplate[i].ulValueLen > 0) {
+		    if (atemplate[i].pValue == NULL ||
+		        atemplate[i].ulValueLen < attr->ulValueLen) 
+		    {
+			goto loser;
+		    }
+		} else {
+		    atemplate[i].pValue = nss_ZAlloc(arena, attr->ulValueLen);
+		    if (!atemplate[i].pValue) {
+			goto loser;
+		    }
+		}
+		nsslibc_memcpy(atemplate[i].pValue,
+		               attr->pValue, attr->ulValueLen);
+		atemplate[i].ulValueLen = attr->ulValueLen;
+		break;
+	    }
+	}
+	if (j == cachedOA->numAttributes) {
+	    atemplate[i].ulValueLen = (CK_ULONG)-1;
+	}
+    }
+    PZ_Unlock(cache->lock);
+    if (mark) {
+	nssArena_Unmark(arena, mark);
+    }
+    return PR_SUCCESS;
+loser:
+    PZ_Unlock(cache->lock);
+    if (mark) {
+	nssArena_Release(arena, mark);
+    }
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTokenObjectCache_ImportObject (
+  nssTokenObjectCache *cache,
+  nssCryptokiObject *object,
+  CK_OBJECT_CLASS objclass,
+  CK_ATTRIBUTE_PTR ot,
+  CK_ULONG otlen
+)
+{
+    PRStatus status = PR_SUCCESS;
+    PRUint32 count;
+    nssCryptokiObjectAndAttributes **oa, ***otype;
+    PRUint32 objectType;
+    PRBool haveIt = PR_FALSE;
+
+    if (!token_is_present(cache)) {
+	return PR_SUCCESS; /* cache not active, ignored */
+    }
+    PZ_Lock(cache->lock);
+    switch (objclass) {
+    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
+    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
+    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
+    default:
+	PZ_Unlock(cache->lock);
+	return PR_SUCCESS; /* don't need to import it here */
+    }
+    if (!cache_available_for_object_type(cache, objectType)) {
+	PZ_Unlock(cache->lock);
+	return PR_SUCCESS; /* cache not active, ignored */
+    }
+    count = 0;
+    otype = &cache->objects[objectType]; /* index into array of types */
+    oa = *otype; /* the array of objects for this type */
+    while (oa && *oa) {
+	if (nssCryptokiObject_Equal((*oa)->object, object)) {
+	    haveIt = PR_TRUE;
+	    break;
+	}
+	count++;
+	oa++;
+    }
+    if (haveIt) {
+	/* Destroy the old entry */
+	(*oa)->object->token = NULL;
+	nssCryptokiObject_Destroy((*oa)->object);
+	nssArena_Destroy((*oa)->arena);
+    } else {
+	/* Create space for a new entry */
+	if (count > 0) {
+	    *otype = nss_ZREALLOCARRAY(*otype,
+	                               nssCryptokiObjectAndAttributes *, 
+	                               count + 2);
+	} else {
+	    *otype = nss_ZNEWARRAY(NULL, nssCryptokiObjectAndAttributes *, 2);
+	}
+    }
+    if (*otype) {
+	nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
+	(*otype)[count] = create_object_of_type(copyObject, objectType,
+	                                        &status);
+    } else {
+	status = PR_FAILURE;
+    }
+    PZ_Unlock(cache->lock);
+    return status;
+}
+
+NSS_IMPLEMENT void
+nssTokenObjectCache_RemoveObject (
+  nssTokenObjectCache *cache,
+  nssCryptokiObject *object
+)
+{
+    PRUint32 oType;
+    nssCryptokiObjectAndAttributes **oa, **swp = NULL;
+    if (!token_is_present(cache)) {
+	return;
+    }
+    PZ_Lock(cache->lock);
+    for (oType=0; oType<3; oType++) {
+	if (!cache_available_for_object_type(cache, oType) ||
+	    !cache->objects[oType])
+	{
+	    continue;
+	}
+	for (oa = cache->objects[oType]; *oa; oa++) {
+	    if (nssCryptokiObject_Equal((*oa)->object, object)) {
+		swp = oa; /* the entry to remove */
+		while (oa[1]) oa++; /* go to the tail */
+		(*swp)->object->token = NULL;
+		nssCryptokiObject_Destroy((*swp)->object);
+		nssArena_Destroy((*swp)->arena); /* destroy it */
+		*swp = *oa; /* swap the last with the removed */
+		*oa = NULL; /* null-terminate the array */
+		break;
+	    }
+	}
+	if (swp) {
+	    break;
+	}
+    }
+    if ((oType <3) &&
+		cache->objects[oType] && cache->objects[oType][0] == NULL) {
+	nss_ZFreeIf(cache->objects[oType]); /* no entries remaining */
+	cache->objects[oType] = NULL;
+    }
+    PZ_Unlock(cache->lock);
+}
+
+/* These two hash algorithms are presently sufficient.
+** They are used for fingerprints of certs which are stored as the 
+** CKA_CERT_SHA1_HASH and CKA_CERT_MD5_HASH attributes.
+** We don't need to add SHAxxx to these now.
+*/
+/* XXX of course this doesn't belong here */
+NSS_IMPLEMENT NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateSHA1Digest (
+  NSSArena *arenaOpt
+)
+{
+    NSSAlgorithmAndParameters *rvAP = NULL;
+    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
+    if (rvAP) {
+	rvAP->mechanism.mechanism = CKM_SHA_1;
+	rvAP->mechanism.pParameter = NULL;
+	rvAP->mechanism.ulParameterLen = 0;
+    }
+    return rvAP;
+}
+
+NSS_IMPLEMENT NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateMD5Digest (
+  NSSArena *arenaOpt
+)
+{
+    NSSAlgorithmAndParameters *rvAP = NULL;
+    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
+    if (rvAP) {
+	rvAP->mechanism.mechanism = CKM_MD5;
+	rvAP->mechanism.pParameter = NULL;
+	rvAP->mechanism.ulParameterLen = 0;
+    }
+    return rvAP;
+}
+
diff --git a/security/nss/lib/dev/manifest.mn b/security/nss/lib/dev/manifest.mn
new file mode 100644
index 000000000..b357387eb
--- /dev/null
+++ b/security/nss/lib/dev/manifest.mn
@@ -0,0 +1,68 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	ckhelper.h \
+	devm.h     \
+	devtm.h    \
+	devt.h     \
+	dev.h      \
+	nssdevt.h  \
+	nssdev.h   \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS =		        \
+	devslot.c       \
+	devtoken.c      \
+	devutil.c       \
+	ckhelper.c      \
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nssdev
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/dev/nssdev.h b/security/nss/lib/dev/nssdev.h
new file mode 100644
index 000000000..0ce4d3e33
--- /dev/null
+++ b/security/nss/lib/dev/nssdev.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSDEV_H
+#define NSSDEV_H
+
+#ifdef DEBUG
+static const char NSSDEV_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+/*
+ * nssdev.h
+ *
+ * High-level methods for interaction with cryptoki devices
+ */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+PR_BEGIN_EXTERN_C
+
+/* NSSAlgorithmAndParameters
+ *
+ * NSSAlgorithmAndParameters_CreateSHA1Digest
+ * NSSAlgorithmAndParameters_CreateMD5Digest
+ */
+
+NSS_EXTERN NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateSHA1Digest
+(
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateMD5Digest
+(
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* DEV_H */
diff --git a/security/nss/lib/dev/nssdevt.h b/security/nss/lib/dev/nssdevt.h
new file mode 100644
index 000000000..e2c9e18ca
--- /dev/null
+++ b/security/nss/lib/dev/nssdevt.h
@@ -0,0 +1,72 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSDEVT_H
+#define NSSDEVT_H
+
+#ifdef DEBUG
+static const char NSSDEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nssdevt.h
+ *
+ * This file contains definitions for the low-level cryptoki devices.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSModule and NSSSlot -- placeholders for the PKCS#11 types
+ */
+
+typedef struct NSSModuleStr NSSModule;
+
+typedef struct NSSSlotStr NSSSlot;
+
+typedef struct NSSTokenStr NSSToken;
+
+PR_END_EXTERN_C
+
+#endif /* NSSDEVT_H */
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
new file mode 100644
index 000000000..bf65098f4
--- /dev/null
+++ b/security/nss/lib/freebl/Makefile
@@ -0,0 +1,584 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Stephen Fung <fungstep@hotmail.com> and
+#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+# default for all platforms
+# unset this on those that have multiple freebl libraries
+FREEBL_BUILD_SINGLE_SHLIB = 1
+
+ifdef USE_64
+	DEFINES += -DNSS_USE_64
+endif
+
+ifdef USE_ABI32_FPU
+	DEFINES += -DNSS_USE_ABI32_FPU
+endif
+
+# des.c wants _X86_ defined for intel CPUs.  
+# coreconf does this for windows, but not for Linux, FreeBSD, etc.
+ifeq ($(CPU_ARCH),x86)
+ifneq (,$(filter-out WIN%,$(OS_TARGET)))
+	OS_REL_CFLAGS += -D_X86_
+endif
+endif
+
+ifeq ($(OS_TARGET),OSF1)
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
+    MPI_SRCS += mpvalpha.c
+endif
+
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WIN16 and WINCE
+ifndef USE_64
+ifdef NS_USE_GCC
+# Ideally, we want to use assembler
+#     ASFILES  = mpi_x86.s
+#     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
+#                -DMP_ASSEMBLY_DIV_2DX1D
+# but we haven't figured out how to make it work, so we are not
+# using assembler right now.
+    ASFILES  =
+    DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT
+else
+    MPI_SRCS += mpi_x86_asm.c
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+    ifdef BUILD_OPT
+	OPTIMIZER += -Ox  # maximum optimization for freebl
+    endif
+endif
+endif
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+    DEFINES += -DMP_ARGCHK=0	# no assert in WinCE
+    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
+endif
+
+ifeq ($(OS_TARGET),IRIX)
+ifeq ($(USE_N32),1)
+    ASFILES  = mpi_mips.s
+    ifeq ($(NS_USE_GCC),1)
+	ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3
+    else
+	ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
+    endif
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+    DEFINES += -DMP_USE_UINT_DIGIT
+endif
+endif
+
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),x86_64)
+    ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
+    ASFLAGS += -march=opteron -m64 -fPIC
+    DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
+    DEFINES += -DNSS_USE_COMBA
+    DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+#   DEFINES += -DMPI_AMD64_ADD
+    MPI_SRCS += mpi_amd64.c mp_comba.c
+endif
+ifeq ($(CPU_ARCH),x86)
+    ASFILES  = mpi_x86.s
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+    DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+    # The floating point ECC code doesn't work on Linux x86 (bug 311432).
+    #ECL_USE_FP = 1
+endif
+endif # Linux
+
+ifeq ($(OS_TARGET),AIX)
+    DEFINES += -DMP_USE_UINT_DIGIT
+    ifndef USE_64
+	DEFINES += -DMP_NO_DIV_WORD -DMP_NO_ADD_WORD -DMP_NO_SUB_WORD
+    endif
+endif # AIX
+
+ifeq ($(OS_TARGET), HP-UX)
+ifneq ($(OS_TEST), ia64)
+# PA-RISC
+ASFILES += ret_cr16.s
+ifndef USE_64
+    FREEBL_BUILD_SINGLE_SHLIB = 
+    HAVE_ABI32_INT32 = 1
+    HAVE_ABI32_FPU = 1
+endif
+ifdef FREEBL_CHILD_BUILD
+ifdef USE_ABI32_INT32
+# build for DA1.1 (HP PA 1.1) 32-bit ABI build with 32-bit arithmetic
+    DEFINES  += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
+else
+ifdef USE_64
+# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 64-bit digits 
+    MPI_SRCS += mpi_hp.c 
+    ASFILES  += hpma512.s hppa20.s 
+    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+else
+# this builds for DA2.0 (HP PA 2.0 Narrow) ABI32_FPU model 
+# (the 32-bit ABI with 64-bit registers) using 64-bit digits
+    MPI_SRCS += mpi_hp.c 
+    ASFILES  += hpma512.s hppa20.s 
+    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+    ARCHFLAG = -Aa +e +DA2.0 +DS2.0
+endif
+endif
+endif
+endif
+endif
+
+# The blapi functions are defined not only in the freebl shared
+# libraries but also in the shared libraries linked with loader.c
+# (libsoftokn3.so and libssl3.so).  We need to use GNU ld's
+# -Bsymbolic option or the equivalent option for other linkers
+# to bind the blapi function references in FREEBLVector vector
+# (ldvector.c) to the blapi functions defined in the freebl
+# shared libraries.
+ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
+    MKSHLIB += -Wl,-Bsymbolic
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+ifdef NS_USE_GCC
+    ifdef GCC_USE_GNU_LD
+	MKSHLIB += -Wl,-Bsymbolic,-z,now,-z,text
+    else
+	MKSHLIB += -Wl,-B,symbolic,-z,now,-z,text
+    endif # GCC_USE_GNU_LD
+else
+    MKSHLIB += -B symbolic -z now -z text
+endif # NS_USE_GCC
+
+# Sun's WorkShop defines v8, v8plus and v9 architectures.
+# gcc on Solaris defines v8 and v9 "cpus".  
+# gcc's v9 is equivalent to Workshop's v8plus.
+# gcc's -m64 is equivalent to Workshop's v9
+# We always use Sun's assembler, which uses Sun's naming convention.
+ifeq ($(CPU_ARCH),sparc)
+    FREEBL_BUILD_SINGLE_SHLIB=
+    ifdef USE_64
+        HAVE_ABI64_INT = 1
+        HAVE_ABI64_FPU = 1
+    else
+        HAVE_ABI32_INT32 = 1
+        HAVE_ABI32_FPU = 1
+        HAVE_ABI32_INT64 = 1
+    endif
+    SYSV_SPARC = 1
+    SOLARIS_AS = /usr/ccs/bin/as
+    #### set arch, asm, c flags
+    ifdef NS_USE_GCC
+	ifdef USE_ABI32_INT32
+	    # default ARCHFLAG=-mcpu=v8 set by coreconf/sunOS5.mk
+	endif
+	ifdef USE_ABI32_INT64
+	    ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus
+	    SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC
+	endif
+	ifdef USE_ABI32_FPU
+	    ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plusa
+	    SOLARIS_AS_FLAGS = -xarch=v8plusa -K PIC
+	endif # USE_ABI32_FPU
+	ifdef USE_ABI64_INT
+	    # this builds for Sparc v9a pure 64-bit architecture
+	    ARCHFLAG += -mcpu=v9 -Wa,-xarch=v9
+	    SOLARIS_AS_FLAGS = -xarch=v9 -K PIC
+	endif
+	ifdef USE_ABI64_FPU
+	    # this builds for Sparc v9a pure 64-bit architecture
+	    # It uses floating point, and 32-bit word size
+	    ARCHFLAG += -mcpu=v9 -Wa,-xarch=v9a
+	    SOLARIS_AS_FLAGS = -xarch=v9a -K PIC
+	endif
+    else # NS_USE_GCC
+	# FPU_TARGET_OPTIMIZER specifies the target processor and cache
+	# properties of the ABI32_FPU and ABI64_FPU architectures for use
+	# by the optimizer.
+	ifeq (,$(findstring Sun WorkShop 6,$(shell $(CC) -V 2>&1)))
+	    # if the compiler is not Forte 6
+	    FPU_TARGET_OPTIMIZER = -xcache=64/32/4:1024/64/4 -xchip=ultra3
+	else
+	    # Forte 6 C compiler generates incorrect code for rijndael.c
+	    # if -xchip=ultra3 is used (Bugzilla bug 333925).  So we revert
+	    # to what we used in NSS 3.10.
+	    FPU_TARGET_OPTIMIZER = -xchip=ultra2
+	endif
+	ifdef USE_ABI32_INT32
+	    #ARCHFLAG=-xarch=v8 set in coreconf/sunOS5.mk
+	endif
+	ifdef USE_ABI32_INT64
+	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	    # 32-bit ABI, it uses 64-bit words, integer arithmetic,
+	    # no FPU (non-VIS cpus).
+	    # These flags were suggested by the compiler group for building
+	    # with SunStudio 10.
+	    ifdef BUILD_OPT
+                SOL_CFLAGS += -xO4
+	    endif
+ 	    SOL_CFLAGS += -xtarget=generic
+	    ARCHFLAG = -xarch=v8plus
+	    SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC
+	endif
+	ifdef USE_ABI32_FPU
+	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	    # 32-bit ABI, it uses FPU code, and 32-bit word size.
+	    # these flags were determined by running cc -### -fast and copying
+	    # the generated flag settings
+	    SOL_CFLAGS += -fsingle -xmemalign=8s
+	    ifdef BUILD_OPT
+                SOL_CFLAGS += -D__MATHERR_ERRNO_DONTCARE -fsimple=1
+                SOL_CFLAGS += -xalias_level=basic -xbuiltin=%all
+                SOL_CFLAGS += $(FPU_TARGET_OPTIMIZER) -xdepend
+                SOL_CFLAGS += -xlibmil -xO5
+	    endif
+	    ARCHFLAG = -xarch=v8plusa
+	    SOLARIS_AS_FLAGS = -xarch=v8plusa -K PIC
+	endif
+	ifdef USE_ABI64_INT
+	    # this builds for Sparc v9a pure 64-bit architecture,
+	    # no FPU (non-VIS cpus). For building with SunStudio 10.
+	    ifdef BUILD_OPT
+                SOL_CFLAGS += -xO4
+	    endif
+ 	    SOL_CFLAGS += -xtarget=generic
+	    ARCHFLAG = -xarch=v9
+	    SOLARIS_AS_FLAGS = -xarch=v9 -K PIC
+	endif
+	ifdef USE_ABI64_FPU
+	    # this builds for Sparc v9a pure 64-bit architecture
+	    # It uses floating point, and 32-bit word size.
+	    # See comment for USE_ABI32_FPU.
+	    SOL_CFLAGS += -fsingle -xmemalign=8s
+	    ifdef BUILD_OPT
+                SOL_CFLAGS += -D__MATHERR_ERRNO_DONTCARE -fsimple=1
+                SOL_CFLAGS += -xalias_level=basic -xbuiltin=%all
+                SOL_CFLAGS += $(FPU_TARGET_OPTIMIZER) -xdepend
+                SOL_CFLAGS += -xlibmil -xO5
+	    endif
+	    ARCHFLAG = -xarch=v9a
+	    SOLARIS_AS_FLAGS = -xarch=v9a -K PIC
+	endif
+    endif # NS_USE_GCC
+
+    ### set flags for both GCC and Sun cc
+    ifdef USE_ABI32_INT32
+	# this builds for Sparc v8 pure 32-bit architecture
+	DEFINES += -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
+	ASFILES  = mpv_sparcv8x.s
+	DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
+    endif
+    ifdef USE_ABI32_INT64
+	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	# 32-bit ABI, it uses 64-bit words, integer arithmetic, no FPU
+	# best times are with no MP_ flags specified
+    endif
+    ifdef USE_ABI32_FPU
+	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
+	# 32-bit ABI, it uses FPU code, and 32-bit word size
+	MPI_SRCS += mpi_sparc.c
+	ASFILES  = mpv_sparcv8.s montmulfv8.s
+	DEFINES  += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
+	DEFINES  += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL
+	ECL_USE_FP = 1
+    endif
+    ifdef USE_ABI64_INT
+	# this builds for Sparc v9a pure 64-bit architecture
+	# best times are with no MP_ flags specified
+    endif
+    ifdef USE_ABI64_FPU
+	# this builds for Sparc v9a pure 64-bit architecture
+	# It uses floating point, and 32-bit word size
+	MPI_SRCS += mpi_sparc.c
+	ASFILES   = mpv_sparcv9.s montmulfv9.s
+	DEFINES  += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
+	DEFINES  += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL
+	ECL_USE_FP = 1
+    endif
+
+else
+    # Solaris for non-sparc family CPUs
+    ifdef NS_USE_GCC
+	LD = gcc
+	AS = gcc
+	ASFLAGS =
+    endif
+    ifeq ($(USE_64),1)
+	# Solaris for AMD64
+	ifdef NS_USE_GCC
+	    ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
+	    ASFLAGS += -march=opteron -m64 -fPIC
+	    MPI_SRCS += mp_comba.c
+	else
+	    ASFILES  = arcfour-amd64-sun.s mpi_amd64_sun.s sha-fast-amd64-sun.s
+ 	    ASFILES += mp_comba_amd64_sun.s mpcpucache_amd64.s
+	    ASFLAGS += -xarch=generic64 -K PIC
+            SOL_CFLAGS += -xprefetch=no
+	    SHA_SRCS =
+ 	    MPCPU_SRCS =
+	endif
+	DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
+	DEFINES += -DNSS_USE_COMBA -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+	MPI_SRCS += mpi_amd64.c
+    else
+	# Solaris x86
+	DEFINES += -D_X86_
+	DEFINES += -DMP_USE_UINT_DIGIT
+	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+	DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+	ASFILES  = mpi_i86pc.s
+ 	ifndef NS_USE_GCC
+ 	   MPCPU_SRCS =
+ 	   ASFILES += mpcpucache_x86.s
+ 	endif
+    endif
+endif # Solaris for non-sparc family CPUs
+endif # target == SunOS
+
+ifdef NSS_ENABLE_ECC
+    ifdef ECL_USE_FP
+	#enable floating point ECC code	
+	DEFINES  += -DECL_USE_FP
+	ECL_SRCS += ecp_fp160.c ecp_fp192.c ecp_fp224.c ecp_fp.c
+	ECL_HDRS += ecp_fp.h
+    endif
+endif # NSS_ENABLE_ECC
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+rijndael_tables:
+	$(CC) -o $(OBJDIR)/make_rijndael_tab rijndael_tables.c \
+	         $(DEFINES) $(INCLUDES) $(OBJDIR)/libfreebl.a
+	$(OBJDIR)/make_rijndael_tab
+
+vpath %.h mpi ecl
+vpath %.c mpi ecl
+vpath %.S mpi ecl
+vpath %.s mpi ecl
+INCLUDES += -Impi -Iecl
+
+
+DEFINES += -DMP_API_COMPATIBLE
+
+MPI_USERS = dh.c pqg.c dsa.c rsa.c ec.c
+
+MPI_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_SRCS:.c=$(OBJ_SUFFIX)))
+MPI_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_USERS:.c=$(OBJ_SUFFIX)))
+
+$(MPI_OBJS): $(MPI_HDRS)
+
+ECL_USERS = ec.c
+
+ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX)))
+ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
+
+$(ECL_OBJS): $(ECL_HDRS)
+
+
+
+$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c os2_rand.c
+
+$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
+
+$(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
+
+ifeq ($(SYSV_SPARC),1)
+
+$(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/mpv_sparcv8x.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s
+	@$(MAKE_OBJDIR)
+	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
+
+$(OBJDIR)/mpv_sparcv9.o $(OBJDIR)/montmulfv9.o : $(OBJDIR)/%.o : %.s
+	@$(MAKE_OBJDIR)
+	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
+
+$(OBJDIR)/mpmontg.o: mpmontg.c montmulf.h
+
+endif
+
+ifndef FREEBL_CHILD_BUILD
+
+# Parent build. This is where we decide which shared libraries to build
+
+ifdef FREEBL_BUILD_SINGLE_SHLIB
+
+################### Single shared lib stuff #########################
+SINGLE_SHLIB_DIR = $(OBJDIR)/$(OS_TARGET)_SINGLE_SHLIB
+ALL_TRASH += $(SINGLE_SHLIB_DIR) 
+
+$(SINGLE_SHLIB_DIR):
+	-mkdir $(SINGLE_SHLIB_DIR)
+
+release_md libs:: $(SINGLE_SHLIB_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 \
+ OBJDIR=$(SINGLE_SHLIB_DIR) $@
+######################## common stuff #########################
+
+endif
+
+# multiple shared libraries
+
+######################## ABI32_FPU stuff #########################
+ifdef HAVE_ABI32_FPU
+ABI32_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_FPU
+ALL_TRASH += $(ABI32_FPU_DIR) 
+
+$(ABI32_FPU_DIR):
+	-mkdir $(ABI32_FPU_DIR)
+
+release_md libs:: $(ABI32_FPU_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_FPU=1 \
+ OBJDIR=$(ABI32_FPU_DIR) $@
+endif
+
+######################## ABI32_INT32 stuff #########################
+ifdef HAVE_ABI32_INT32
+ABI32_INT32_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT32
+ALL_TRASH += $(ABI32_INT32_DIR) 
+
+$(ABI32_INT32_DIR):
+	-mkdir $(ABI32_INT32_DIR)
+
+release_md libs:: $(ABI32_INT32_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_INT32=1 \
+ OBJDIR=$(ABI32_INT32_DIR) $@
+endif
+
+######################## ABI32_INT64 stuff #########################
+ifdef HAVE_ABI32_INT64
+ABI32_INT64_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT64
+ALL_TRASH += $(ABI32_INT64_DIR) 
+
+$(ABI32_INT64_DIR):
+	-mkdir $(ABI32_INT64_DIR)
+
+release_md libs:: $(ABI32_INT64_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_INT64=1\
+ OBJDIR=$(ABI32_INT64_DIR) $@
+endif
+
+######################## END of 32-bit stuff #########################
+
+# above is 32-bit builds, below is 64-bit builds
+
+######################## ABI64_FPU stuff #########################
+ifdef HAVE_ABI64_FPU
+ABI64_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_FPU
+ALL_TRASH += $(ABI64_FPU_DIR) 
+
+$(ABI64_FPU_DIR):
+	-mkdir $(ABI64_FPU_DIR)
+
+release_md libs:: $(ABI64_FPU_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI64_FPU=1 \
+ OBJDIR=$(ABI64_FPU_DIR) $@
+endif
+
+######################## ABI64_INT stuff #########################
+ifdef HAVE_ABI64_INT
+ABI64_INT_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_INT
+ALL_TRASH += $(ABI64_INT_DIR) 
+
+$(ABI64_INT_DIR):
+	-mkdir $(ABI64_INT_DIR)
+
+release_md libs:: $(ABI64_INT_DIR)
+	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI64_INT=1 \
+ OBJDIR=$(ABI64_INT_DIR) $@
+endif
+
+endif  # FREEBL_CHILD_BUILD
+
+
+# Bugzilla Bug 333917: the non-x86 code in desblapi.c seems to violate
+# ANSI C's strict aliasing rules.
+ifeq ($(OS_TARGET),Linux)
+ifneq ($(CPU_ARCH),x86)
+$(OBJDIR)/$(PROG_PREFIX)desblapi$(OBJ_SUFFIX): desblapi.c
+	@$(MAKE_OBJDIR)
+ifdef NEED_ABSOLUTE_PATH
+	$(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $(call core_abspath,$<)
+else
+	$(CC) -o $@ -c $(CFLAGS) -fno-strict-aliasing $<
+endif
+endif
+endif
diff --git a/security/nss/lib/freebl/aeskeywrap.c b/security/nss/lib/freebl/aeskeywrap.c
new file mode 100644
index 000000000..c61a94a4d
--- /dev/null
+++ b/security/nss/lib/freebl/aeskeywrap.c
@@ -0,0 +1,413 @@
+/*
+ * aeskeywrap.c - implement AES Key Wrap algorithm from RFC 3394
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2002
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* $Id$ */
+
+#include "prcpucfg.h"
+#if defined(IS_LITTLE_ENDIAN) || defined(SHA_NO_LONG_LONG)
+#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 0
+#else
+#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 1
+#endif
+#include "prtypes.h"	/* for PRUintXX */
+#include "secport.h"	/* for PORT_XXX */
+#include "secerr.h"
+#include "blapi.h"	/* for AES_ functions */
+#include "rijndael.h"
+
+struct AESKeyWrapContextStr {
+     unsigned char iv[AES_KEY_WRAP_IV_BYTES];
+     AESContext    aescx;
+};
+
+/******************************************/
+/*
+** AES key wrap algorithm, RFC 3394
+*/
+
+AESKeyWrapContext * 
+AESKeyWrap_AllocateContext(void)
+{
+    AESKeyWrapContext * cx = PORT_New(AESKeyWrapContext);
+    return cx;
+}
+
+SECStatus  
+AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
+		       const unsigned char *key, 
+		       unsigned int keylen,
+		       const unsigned char *iv, 
+		       int x1,
+		       unsigned int encrypt,
+		       unsigned int x2)
+{
+    SECStatus rv = SECFailure;
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    if (iv) {
+    	memcpy(cx->iv, iv, sizeof cx->iv);
+    } else {
+	memset(cx->iv, 0xA6, sizeof cx->iv);
+    }
+    rv = AES_InitContext(&cx->aescx, key, keylen, NULL, NSS_AES, encrypt, 
+                                  AES_BLOCK_SIZE);
+    return rv;
+}
+
+/*
+** Create a new AES context suitable for AES encryption/decryption.
+** 	"key" raw key data
+** 	"keylen" the number of bytes of key data (16, 24, or 32)
+*/
+extern AESKeyWrapContext *
+AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                         int encrypt, unsigned int keylen)
+{
+    SECStatus rv;
+    AESKeyWrapContext * cx = AESKeyWrap_AllocateContext();
+    if (!cx) 
+    	return NULL;	/* error is already set */
+    rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0);
+    if (rv != SECSuccess) {
+        PORT_Free(cx);
+	cx = NULL; 	/* error should already be set */
+    }
+    return cx;
+}
+
+/*
+** Destroy a AES KeyWrap context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void 
+AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
+{
+    if (cx) {
+	AES_DestroyContext(&cx->aescx, PR_FALSE);
+/*	memset(cx, 0, sizeof *cx); */
+	if (freeit)
+	    PORT_Free(cx);
+    }
+}
+
+#if !BIG_ENDIAN_WITH_64_BIT_REGISTERS
+
+/* The AES Key Wrap algorithm has 64-bit values that are ALWAYS big-endian
+** (Most significant byte first) in memory.  The only ALU operations done
+** on them are increment, decrement, and XOR.  So, on little-endian CPUs,
+** and on CPUs that lack 64-bit registers, these big-endian 64-bit operations
+** are simulated in the following code.  This is thought to be faster and
+** simpler than trying to convert the data to little-endian and back.
+*/
+
+/* A and T point to two 64-bit values stored most signficant byte first
+** (big endian).  This function increments the 64-bit value T, and then
+** XORs it with A, changing A.
+*/ 
+static void
+increment_and_xor(unsigned char *A, unsigned char *T)
+{
+    if (!++T[7])
+        if (!++T[6])
+	    if (!++T[5])
+		if (!++T[4])
+		    if (!++T[3])
+			if (!++T[2])
+			    if (!++T[1])
+				 ++T[0];
+
+    A[0] ^= T[0];
+    A[1] ^= T[1];
+    A[2] ^= T[2];
+    A[3] ^= T[3];
+    A[4] ^= T[4];
+    A[5] ^= T[5];
+    A[6] ^= T[6];
+    A[7] ^= T[7];
+}
+
+/* A and T point to two 64-bit values stored most signficant byte first
+** (big endian).  This function XORs T with A, giving a new A, then 
+** decrements the 64-bit value T.
+*/ 
+static void
+xor_and_decrement(unsigned char *A, unsigned char *T)
+{
+    A[0] ^= T[0];
+    A[1] ^= T[1];
+    A[2] ^= T[2];
+    A[3] ^= T[3];
+    A[4] ^= T[4];
+    A[5] ^= T[5];
+    A[6] ^= T[6];
+    A[7] ^= T[7];
+
+    if (!T[7]--)
+        if (!T[6]--)
+	    if (!T[5]--)
+		if (!T[4]--)
+		    if (!T[3]--)
+			if (!T[2]--)
+			    if (!T[1]--)
+				 T[0]--;
+
+}
+
+/* Given an unsigned long t (in host byte order), store this value as a
+** 64-bit big-endian value (MSB first) in *pt.
+*/
+static void
+set_t(unsigned char *pt, unsigned long t)
+{
+    pt[7] = (unsigned char)t; t >>= 8;
+    pt[6] = (unsigned char)t; t >>= 8;
+    pt[5] = (unsigned char)t; t >>= 8;
+    pt[4] = (unsigned char)t; t >>= 8;
+    pt[3] = (unsigned char)t; t >>= 8;
+    pt[2] = (unsigned char)t; t >>= 8;
+    pt[1] = (unsigned char)t; t >>= 8;
+    pt[0] = (unsigned char)t;
+}
+
+#endif
+
+/*
+** Perform AES key wrap.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
+            unsigned int *pOutputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    PRUint64 *     R          = NULL;
+    unsigned int   nBlocks;
+    unsigned int   i, j;
+    unsigned int   aesLen     = AES_BLOCK_SIZE;
+    unsigned int   outLen     = inputLen + AES_KEY_WRAP_BLOCK_SIZE;
+    SECStatus      s          = SECFailure;
+    /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
+    PRUint64       t;
+    PRUint64       B[2];
+
+#define A B[0]
+
+    /* Check args */
+    if (!inputLen || 0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return s;
+    }
+#ifdef maybe
+    if (!output && pOutputLen) {	/* caller is asking for output size */
+    	*pOutputLen = outLen;
+	return SECSuccess;
+    }
+#endif
+    if (maxOutputLen < outLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return s;
+    }
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return s;
+    }
+    nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
+    R = PORT_NewArray(PRUint64, nBlocks + 1);
+    if (!R)
+    	return s;	/* error is already set. */
+    /* 
+    ** 1) Initialize variables.
+    */
+    memcpy(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
+    memcpy(&R[1], input, inputLen);
+#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
+    t = 0;
+#else
+    memset(&t, 0, sizeof t);
+#endif
+    /* 
+    ** 2) Calculate intermediate values.
+    */
+    for (j = 0; j < 6; ++j) {
+    	for (i = 1; i <= nBlocks; ++i) {
+	    B[1] = R[i];
+	    s = AES_Encrypt(&cx->aescx, (unsigned char *)B, &aesLen, 
+	                    sizeof B,  (unsigned char *)B, sizeof B);
+	    if (s != SECSuccess) 
+	        break;
+	    R[i] = B[1];
+	    /* here, increment t and XOR A with t (in big endian order); */
+#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
+   	    A ^= ++t; 
+#else
+	    increment_and_xor((unsigned char *)&A, (unsigned char *)&t);
+#endif
+	}
+    }
+    /* 
+    ** 3) Output the results.
+    */
+    if (s == SECSuccess) {
+    	R[0] =  A;
+	memcpy(output, &R[0], outLen);
+	if (pOutputLen)
+	    *pOutputLen = outLen;
+    } else if (pOutputLen) {
+    	*pOutputLen = 0;
+    }
+    PORT_ZFree(R, outLen);
+    return s;
+}
+#undef A
+
+/*
+** Perform AES key unwrap.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
+            unsigned int *pOutputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    PRUint64 *     R          = NULL;
+    unsigned int   nBlocks;
+    unsigned int   i, j;
+    unsigned int   aesLen     = AES_BLOCK_SIZE;
+    unsigned int   outLen;
+    SECStatus      s          = SECFailure;
+    /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
+    PRUint64       t;
+    PRUint64       B[2];
+
+#define A B[0]
+
+    /* Check args */
+    if (inputLen < 3 * AES_KEY_WRAP_BLOCK_SIZE || 
+        0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return s;
+    }
+    outLen = inputLen - AES_KEY_WRAP_BLOCK_SIZE;
+#ifdef maybe
+    if (!output && pOutputLen) {	/* caller is asking for output size */
+    	*pOutputLen = outLen;
+	return SECSuccess;
+    }
+#endif
+    if (maxOutputLen < outLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return s;
+    }
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return s;
+    }
+    nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
+    R = PORT_NewArray(PRUint64, nBlocks);
+    if (!R)
+    	return s;	/* error is already set. */
+    nBlocks--;
+    /* 
+    ** 1) Initialize variables.
+    */
+    memcpy(&R[0], input, inputLen);
+    A = R[0];
+#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
+    t = 6UL * nBlocks;
+#else
+    set_t((unsigned char *)&t, 6UL * nBlocks);
+#endif
+    /* 
+    ** 2) Calculate intermediate values.
+    */
+    for (j = 0; j < 6; ++j) {
+    	for (i = nBlocks; i; --i) {
+	    /* here, XOR A with t (in big endian order) and decrement t; */
+#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
+   	    A ^= t--; 
+#else
+	    xor_and_decrement((unsigned char *)&A, (unsigned char *)&t);
+#endif
+	    B[1] = R[i];
+	    s = AES_Decrypt(&cx->aescx, (unsigned char *)B, &aesLen, 
+	                    sizeof B,  (unsigned char *)B, sizeof B);
+	    if (s != SECSuccess) 
+	        break;
+	    R[i] = B[1];
+	}
+    }
+    /* 
+    ** 3) Output the results.
+    */
+    if (s == SECSuccess) {
+	int bad = memcmp(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
+	if (!bad) {
+	    memcpy(output, &R[1], outLen);
+	    if (pOutputLen)
+		*pOutputLen = outLen;
+	} else {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    if (pOutputLen) 
+		*pOutputLen = 0;
+    	}
+    } else if (pOutputLen) {
+    	*pOutputLen = 0;
+    }
+    PORT_ZFree(R, inputLen);
+    return s;
+}
+#undef A
diff --git a/security/nss/lib/freebl/alg2268.c b/security/nss/lib/freebl/alg2268.c
new file mode 100644
index 000000000..dcc5418dc
--- /dev/null
+++ b/security/nss/lib/freebl/alg2268.c
@@ -0,0 +1,515 @@
+/*
+ * alg2268.c - implementation of the algorithm in RFC 2268
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* $Id$ */
+
+#include "blapi.h"
+#include "secerr.h"
+#ifdef XP_UNIX_XXX
+#include <stddef.h>	/* for ptrdiff_t */
+#endif
+
+/*
+** RC2 symmetric block cypher
+*/
+
+typedef SECStatus (rc2Func)(RC2Context *cx, unsigned char *output,
+		           const unsigned char *input, unsigned int inputLen);
+
+/* forward declarations */
+static rc2Func rc2_EncryptECB;
+static rc2Func rc2_DecryptECB;
+static rc2Func rc2_EncryptCBC;
+static rc2Func rc2_DecryptCBC;
+
+typedef union {
+    PRUint32	l[2];
+    PRUint16	s[4];
+    PRUint8	b[8];
+} RC2Block;
+
+struct RC2ContextStr {
+    union {
+    	PRUint8  Kb[128];
+	PRUint16 Kw[64];
+    } u;
+    RC2Block     iv;
+    rc2Func      *enc;
+    rc2Func      *dec;
+};
+
+#define B u.Kb
+#define K u.Kw
+#define BYTESWAP(x) ((x) << 8 | (x) >> 8)
+#define SWAPK(i)  cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
+#define RC2_BLOCK_SIZE 8
+
+#define LOAD_HARD(R) \
+    R[0] = (PRUint16)input[1] << 8 | input[0]; \
+    R[1] = (PRUint16)input[3] << 8 | input[2]; \
+    R[2] = (PRUint16)input[5] << 8 | input[4]; \
+    R[3] = (PRUint16)input[7] << 8 | input[6];
+#define LOAD_EASY(R) \
+    R[0] = ((PRUint16 *)input)[0]; \
+    R[1] = ((PRUint16 *)input)[1]; \
+    R[2] = ((PRUint16 *)input)[2]; \
+    R[3] = ((PRUint16 *)input)[3];
+#define STORE_HARD(R) \
+    output[0] =  (PRUint8)(R[0]);   output[1] = (PRUint8)(R[0] >> 8); \
+    output[2] =  (PRUint8)(R[1]);   output[3] = (PRUint8)(R[1] >> 8); \
+    output[4] =  (PRUint8)(R[2]);   output[5] = (PRUint8)(R[2] >> 8); \
+    output[6] =  (PRUint8)(R[3]);   output[7] = (PRUint8)(R[3] >> 8);
+#define STORE_EASY(R) \
+    ((PRUint16 *)output)[0] =  R[0]; \
+    ((PRUint16 *)output)[1] =  R[1]; \
+    ((PRUint16 *)output)[2] =  R[2]; \
+    ((PRUint16 *)output)[3] =  R[3];   
+
+#if defined (_X86_)
+#define LOAD(R)  LOAD_EASY(R)
+#define STORE(R) STORE_EASY(R)
+#elif !defined(IS_LITTLE_ENDIAN)
+#define LOAD(R)  LOAD_HARD(R)
+#define STORE(R) STORE_HARD(R)
+#else
+#define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
+#define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
+#endif
+
+static const PRUint8 S[256] = {
+0331,0170,0371,0304,0031,0335,0265,0355,0050,0351,0375,0171,0112,0240,0330,0235,
+0306,0176,0067,0203,0053,0166,0123,0216,0142,0114,0144,0210,0104,0213,0373,0242,
+0027,0232,0131,0365,0207,0263,0117,0023,0141,0105,0155,0215,0011,0201,0175,0062,
+0275,0217,0100,0353,0206,0267,0173,0013,0360,0225,0041,0042,0134,0153,0116,0202,
+0124,0326,0145,0223,0316,0140,0262,0034,0163,0126,0300,0024,0247,0214,0361,0334,
+0022,0165,0312,0037,0073,0276,0344,0321,0102,0075,0324,0060,0243,0074,0266,0046,
+0157,0277,0016,0332,0106,0151,0007,0127,0047,0362,0035,0233,0274,0224,0103,0003,
+0370,0021,0307,0366,0220,0357,0076,0347,0006,0303,0325,0057,0310,0146,0036,0327,
+0010,0350,0352,0336,0200,0122,0356,0367,0204,0252,0162,0254,0065,0115,0152,0052,
+0226,0032,0322,0161,0132,0025,0111,0164,0113,0237,0320,0136,0004,0030,0244,0354,
+0302,0340,0101,0156,0017,0121,0313,0314,0044,0221,0257,0120,0241,0364,0160,0071,
+0231,0174,0072,0205,0043,0270,0264,0172,0374,0002,0066,0133,0045,0125,0227,0061,
+0055,0135,0372,0230,0343,0212,0222,0256,0005,0337,0051,0020,0147,0154,0272,0311,
+0323,0000,0346,0317,0341,0236,0250,0054,0143,0026,0001,0077,0130,0342,0211,0251,
+0015,0070,0064,0033,0253,0063,0377,0260,0273,0110,0014,0137,0271,0261,0315,0056,
+0305,0363,0333,0107,0345,0245,0234,0167,0012,0246,0040,0150,0376,0177,0301,0255
+};
+
+RC2Context * RC2_AllocateContext(void)
+{
+    return PORT_ZNew(RC2Context);
+}
+SECStatus   
+RC2_InitContext(RC2Context *cx, const unsigned char *key, unsigned int len,
+	        const unsigned char *input, int mode, unsigned int efLen8, 
+		unsigned int unused)
+{
+    PRUint8    *L,*L2;
+    int         i;
+#if !defined(IS_LITTLE_ENDIAN)
+    PRUint16    tmpS;
+#endif
+    PRUint8     tmpB;
+
+    if (!key || !cx || !len || len > (sizeof cx->B) || 
+	efLen8 > (sizeof cx->B)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    if (mode == NSS_RC2) {
+    	/* groovy */
+    } else if (mode == NSS_RC2_CBC) {
+    	if (!input) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (mode == NSS_RC2_CBC) {
+    	cx->enc = & rc2_EncryptCBC;
+	cx->dec = & rc2_DecryptCBC;
+	LOAD(cx->iv.s);
+    } else {
+    	cx->enc = & rc2_EncryptECB;
+	cx->dec = & rc2_DecryptECB;
+    }
+
+    /* Step 0. Copy key into table. */
+    memcpy(cx->B, key, len);
+
+    /* Step 1. Compute all values to the right of the key. */
+    L2 = cx->B;
+    L = L2 + len;
+    tmpB = L[-1];
+    for (i = (sizeof cx->B) - len; i > 0; --i) {
+	*L++ = tmpB = S[ (PRUint8)(tmpB + *L2++) ];
+    }
+
+    /* step 2. Adjust left most byte of effective key. */
+    i = (sizeof cx->B) - efLen8;
+    L = cx->B + i;
+    *L = tmpB = S[*L];				/* mask is always 0xff */
+
+    /* step 3. Recompute all values to the left of effective key. */
+    L2 = --L + efLen8;
+    while(L >= cx->B) {
+	*L-- = tmpB = S[ tmpB ^ *L2-- ];
+    }
+
+#if !defined(IS_LITTLE_ENDIAN)
+    for (i = 63; i >= 0; --i) {
+        SWAPK(i);		/* candidate for unrolling */
+    }
+#endif
+    return SECSuccess;
+}
+
+/*
+** Create a new RC2 context suitable for RC2 encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
+**	"effectiveKeyLen" in bytes, not bits.
+**
+** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
+** chaining" mode.
+*/
+RC2Context *
+RC2_CreateContext(const unsigned char *key, unsigned int len,
+		  const unsigned char *iv, int mode, unsigned efLen8)
+{
+    RC2Context *cx = PORT_ZNew(RC2Context);
+    if (cx) {
+	SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0);
+	if (rv != SECSuccess) {
+	    RC2_DestroyContext(cx, PR_TRUE);
+	    cx = NULL;
+	}
+    }
+    return cx;
+}
+
+/*
+** Destroy an RC2 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+void 
+RC2_DestroyContext(RC2Context *cx, PRBool freeit)
+{
+    if (cx) {
+	memset(cx, 0, sizeof *cx);
+	if (freeit) {
+	    PORT_Free(cx);
+	}
+    }
+}
+
+#define ROL(x,k) (x << k | x >> (16-k))
+#define MIX(j) \
+    R0 = R0 + cx->K[ 4*j+0] + (R3 & R2) + (~R3 & R1);  R0 = ROL(R0,1);\
+    R1 = R1 + cx->K[ 4*j+1] + (R0 & R3) + (~R0 & R2);  R1 = ROL(R1,2);\
+    R2 = R2 + cx->K[ 4*j+2] + (R1 & R0) + (~R1 & R3);  R2 = ROL(R2,3);\
+    R3 = R3 + cx->K[ 4*j+3] + (R2 & R1) + (~R2 & R0);  R3 = ROL(R3,5)
+#define MASH \
+    R0 = R0 + cx->K[R3 & 63];\
+    R1 = R1 + cx->K[R0 & 63];\
+    R2 = R2 + cx->K[R1 & 63];\
+    R3 = R3 + cx->K[R2 & 63]
+
+/* Encrypt one block */
+static void 
+rc2_Encrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
+{
+    register PRUint16 R0, R1, R2, R3;
+
+    /* step 1. Initialize input. */
+    R0 = input->s[0];
+    R1 = input->s[1];
+    R2 = input->s[2];
+    R3 = input->s[3];
+
+    /* step 2.  Expand Key (already done, in context) */
+    /* step 3.  j = 0 */
+    /* step 4.  Perform 5 mixing rounds. */
+
+    MIX(0);
+    MIX(1);
+    MIX(2);
+    MIX(3);
+    MIX(4);
+
+    /* step 5. Perform 1 mashing round. */
+    MASH;
+
+    /* step 6. Perform 6 mixing rounds. */
+
+    MIX(5);
+    MIX(6);
+    MIX(7);
+    MIX(8);
+    MIX(9);
+    MIX(10);
+
+    /* step 7. Perform 1 mashing round. */
+    MASH;
+
+    /* step 8. Perform 5 mixing rounds. */
+
+    MIX(11);
+    MIX(12);
+    MIX(13);
+    MIX(14);
+    MIX(15);
+
+    /* output results */
+    output->s[0] = R0;
+    output->s[1] = R1;
+    output->s[2] = R2;
+    output->s[3] = R3;
+}
+
+#define ROR(x,k) (x >> k | x << (16-k))
+#define R_MIX(j) \
+    R3 = ROR(R3,5); R3 = R3 - cx->K[ 4*j+3] - (R2 & R1) - (~R2 & R0);  \
+    R2 = ROR(R2,3); R2 = R2 - cx->K[ 4*j+2] - (R1 & R0) - (~R1 & R3);  \
+    R1 = ROR(R1,2); R1 = R1 - cx->K[ 4*j+1] - (R0 & R3) - (~R0 & R2);  \
+    R0 = ROR(R0,1); R0 = R0 - cx->K[ 4*j+0] - (R3 & R2) - (~R3 & R1)
+#define R_MASH \
+    R3 = R3 - cx->K[R2 & 63];\
+    R2 = R2 - cx->K[R1 & 63];\
+    R1 = R1 - cx->K[R0 & 63];\
+    R0 = R0 - cx->K[R3 & 63]
+
+/* Encrypt one block */
+static void 
+rc2_Decrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
+{
+    register PRUint16 R0, R1, R2, R3;
+
+    /* step 1. Initialize input. */
+    R0 = input->s[0];
+    R1 = input->s[1];
+    R2 = input->s[2];
+    R3 = input->s[3];
+
+    /* step 2.  Expand Key (already done, in context) */
+    /* step 3.  j = 63 */
+    /* step 4.  Perform 5 r_mixing rounds. */
+    R_MIX(15);
+    R_MIX(14);
+    R_MIX(13);
+    R_MIX(12);
+    R_MIX(11);
+
+    /* step 5.  Perform 1 r_mashing round. */
+    R_MASH;
+
+    /* step 6.  Perform 6 r_mixing rounds. */
+    R_MIX(10);
+    R_MIX(9);
+    R_MIX(8);
+    R_MIX(7);
+    R_MIX(6);
+    R_MIX(5);
+
+    /* step 7.  Perform 1 r_mashing round. */
+    R_MASH;
+
+    /* step 8.  Perform 5 r_mixing rounds. */
+    R_MIX(4);
+    R_MIX(3);
+    R_MIX(2);
+    R_MIX(1);
+    R_MIX(0);
+
+    /* output results */
+    output->s[0] = R0;
+    output->s[1] = R1;
+    output->s[2] = R2;
+    output->s[3] = R3;
+}
+
+static SECStatus
+rc2_EncryptECB(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+    	LOAD(iBlock.s)
+	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_DecryptECB(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+    	LOAD(iBlock.s)
+	rc2_Decrypt1Block(cx, &iBlock, &iBlock);
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_EncryptCBC(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+
+	LOAD(iBlock.s)
+	iBlock.l[0] ^= cx->iv.l[0];
+	iBlock.l[1] ^= cx->iv.l[1];
+	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+	cx->iv = iBlock;
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_DecryptCBC(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+    RC2Block  oBlock;
+
+    while (inputLen > 0) {
+	LOAD(iBlock.s)
+	rc2_Decrypt1Block(cx, &oBlock, &iBlock);
+	oBlock.l[0] ^= cx->iv.l[0];
+	oBlock.l[1] ^= cx->iv.l[1];
+	cx->iv = iBlock;
+	STORE(oBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+
+/*
+** Perform RC2 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
+		      unsigned int *outputLen, unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    if (inputLen) {
+	if (inputLen % RC2_BLOCK_SIZE) {
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    return SECFailure;
+	}
+	if (maxOutputLen < inputLen) {
+	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	    return SECFailure;
+	}
+	rv = (*cx->enc)(cx, output, input, inputLen);
+    }
+    if (rv == SECSuccess) {
+    	*outputLen = inputLen;
+    }
+    return rv;
+}
+
+/*
+** Perform RC2 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
+		      unsigned int *outputLen, unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    if (inputLen) {
+	if (inputLen % RC2_BLOCK_SIZE) {
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    return SECFailure;
+	}
+	if (maxOutputLen < inputLen) {
+	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	    return SECFailure;
+	}
+	rv = (*cx->dec)(cx, output, input, inputLen);
+    }
+    if (rv == SECSuccess) {
+	*outputLen = inputLen;
+    }
+    return rv;
+}
+
diff --git a/security/nss/lib/freebl/alghmac.c b/security/nss/lib/freebl/alghmac.c
new file mode 100644
index 000000000..b1174f460
--- /dev/null
+++ b/security/nss/lib/freebl/alghmac.c
@@ -0,0 +1,193 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secport.h"
+#include "hasht.h"
+#include "blapit.h"
+#include "alghmac.h"
+#include "secerr.h"
+
+#define HMAC_PAD_SIZE HASH_BLOCK_LENGTH_MAX
+
+struct HMACContextStr {
+    void *hash;
+    const SECHashObject *hashobj;
+    PRBool        wasAllocated;
+    unsigned char ipad[HMAC_PAD_SIZE];
+    unsigned char opad[HMAC_PAD_SIZE];
+};
+
+void
+HMAC_Destroy(HMACContext *cx, PRBool freeit)
+{
+    if (cx == NULL)
+	return;
+
+    PORT_Assert(!freeit == !cx->wasAllocated);
+    if (cx->hash != NULL) {
+	cx->hashobj->destroy(cx->hash, PR_TRUE);
+	PORT_Memset(cx, 0, sizeof *cx);
+    }
+    if (freeit)
+	PORT_Free(cx);
+}
+
+SECStatus
+HMAC_Init( HMACContext * cx, const SECHashObject *hash_obj, 
+	   const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
+{
+    unsigned int i;
+    unsigned char hashed_secret[HASH_LENGTH_MAX];
+
+    /* required by FIPS 198 Section 3 */
+    if (isFIPS && secret_len < hash_obj->length/2) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (cx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    cx->wasAllocated = PR_FALSE;
+    cx->hashobj = hash_obj;
+    cx->hash = cx->hashobj->create();
+    if (cx->hash == NULL)
+	goto loser;
+
+    if (secret_len > cx->hashobj->blocklength) {
+	cx->hashobj->begin( cx->hash);
+	cx->hashobj->update(cx->hash, secret, secret_len);
+	PORT_Assert(cx->hashobj->length <= sizeof hashed_secret);
+	cx->hashobj->end(   cx->hash, hashed_secret, &secret_len, 
+	                 sizeof hashed_secret);
+	if (secret_len != cx->hashobj->length) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    goto loser;
+	}
+	secret = (const unsigned char *)&hashed_secret[0];
+    }
+
+    PORT_Memset(cx->ipad, 0x36, cx->hashobj->blocklength);
+    PORT_Memset(cx->opad, 0x5c, cx->hashobj->blocklength);
+
+    /* fold secret into padding */
+    for (i = 0; i < secret_len; i++) {
+	cx->ipad[i] ^= secret[i];
+	cx->opad[i] ^= secret[i];
+    }
+    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
+    return SECSuccess;
+
+loser:
+    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
+    if (cx->hash != NULL)
+	cx->hashobj->destroy(cx->hash, PR_TRUE);
+    return SECFailure;
+}
+
+HMACContext *
+HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
+            unsigned int secret_len, PRBool isFIPS)
+{
+    SECStatus rv;
+    HMACContext * cx = PORT_ZNew(HMACContext);
+    if (cx == NULL)
+	return NULL;
+    rv = HMAC_Init(cx, hash_obj, secret, secret_len, isFIPS);
+    cx->wasAllocated = PR_TRUE;
+    if (rv != SECSuccess) {
+	PORT_Free(cx); /* contains no secret info */
+	cx = NULL;
+    }
+    return cx;
+}
+
+void
+HMAC_Begin(HMACContext *cx)
+{
+    /* start inner hash */
+    cx->hashobj->begin(cx->hash);
+    cx->hashobj->update(cx->hash, cx->ipad, cx->hashobj->blocklength);
+}
+
+void
+HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
+{
+    cx->hashobj->update(cx->hash, data, data_len);
+}
+
+SECStatus
+HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
+	    unsigned int max_result_len)
+{
+    if (max_result_len < cx->hashobj->length) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
+    if (*result_len != cx->hashobj->length)
+	return SECFailure;
+
+    cx->hashobj->begin(cx->hash);
+    cx->hashobj->update(cx->hash, cx->opad, cx->hashobj->blocklength);
+    cx->hashobj->update(cx->hash, result, *result_len);
+    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
+    return SECSuccess;
+}
+
+HMACContext *
+HMAC_Clone(HMACContext *cx)
+{
+    HMACContext *newcx;
+
+    newcx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
+    if (newcx == NULL)
+	goto loser;
+
+    newcx->wasAllocated = PR_TRUE;
+    newcx->hashobj = cx->hashobj;
+    newcx->hash = cx->hashobj->clone(cx->hash);
+    if (newcx->hash == NULL)
+	goto loser;
+    PORT_Memcpy(newcx->ipad, cx->ipad, cx->hashobj->blocklength);
+    PORT_Memcpy(newcx->opad, cx->opad, cx->hashobj->blocklength);
+    return newcx;
+
+loser:
+    HMAC_Destroy(newcx, PR_TRUE);
+    return NULL;
+}
diff --git a/security/nss/lib/freebl/alghmac.h b/security/nss/lib/freebl/alghmac.h
new file mode 100644
index 000000000..81c5bfa50
--- /dev/null
+++ b/security/nss/lib/freebl/alghmac.h
@@ -0,0 +1,96 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _ALGHMAC_H_
+#define _ALGHMAC_H_
+
+typedef struct HMACContextStr HMACContext;
+
+SEC_BEGIN_PROTOS
+
+/* destroy HMAC context */
+extern void
+HMAC_Destroy(HMACContext *cx, PRBool freeit);
+
+/* create HMAC context
+ *  hash_obj    hash object from SECRawHashObjects[]
+ *  secret	the secret with which the HMAC is performed.
+ *  secret_len	the length of the secret.
+ *  isFIPS	true if conforming to FIPS 198.
+ *
+ * NULL is returned if an error occurs.
+ */
+extern HMACContext *
+HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
+	    unsigned int secret_len, PRBool isFIPS);
+
+/* like HMAC_Create, except caller allocates HMACContext. */
+SECStatus
+HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, 
+	  const unsigned char *secret, unsigned int secret_len, PRBool isFIPS);
+
+/* reset HMAC for a fresh round */
+extern void
+HMAC_Begin(HMACContext *cx);
+
+/* update HMAC 
+ *  cx		HMAC Context
+ *  data	the data to perform HMAC on
+ *  data_len	the length of the data to process
+ */
+extern void 
+HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
+
+/* Finish HMAC -- place the results within result
+ *  cx		HMAC context
+ *  result	buffer for resulting hmac'd data
+ *  result_len	where the resultant hmac length is stored
+ *  max_result_len  maximum possible length that can be stored in result
+ */
+extern SECStatus
+HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
+	    unsigned int max_result_len);
+
+/* clone a copy of the HMAC state.  this is usefult when you would
+ * need to keep a running hmac but also need to extract portions 
+ * partway through the process.
+ */
+extern HMACContext *
+HMAC_Clone(HMACContext *cx);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/freebl/arcfive.c b/security/nss/lib/freebl/arcfive.c
new file mode 100644
index 000000000..42e6bf7e3
--- /dev/null
+++ b/security/nss/lib/freebl/arcfive.c
@@ -0,0 +1,117 @@
+/*
+ * arcfive.c - stubs for RC5 - NOT a working implementation!
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "blapi.h"
+#include "prerror.h"
+
+/******************************************/
+/*
+** RC5 symmetric block cypher -- 64-bit block size
+*/
+
+/*
+** Create a new RC5 context suitable for RC5 encryption/decryption.
+**      "key" raw key data
+**      "len" the number of bytes of key data
+**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
+**      "mode" one of NSS_RC5 or NSS_RC5_CBC
+**
+** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
+** chaining" mode.
+*/
+RC5Context *
+RC5_CreateContext(const SECItem *key, unsigned int rounds,
+                  unsigned int wordSize, const unsigned char *iv, int mode)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+}
+
+/*
+** Destroy an RC5 encryption/decryption context.
+**      "cx" the context
+**      "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+void 
+RC5_DestroyContext(RC5Context *cx, PRBool freeit) 
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+}
+
+/*
+** Perform RC5 encryption.
+**      "cx" the context
+**      "output" the output buffer to store the encrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+SECStatus 
+RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, 
+	    const unsigned char *input, unsigned int inputLen)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+/*
+** Perform RC5 decryption.
+**      "cx" the context
+**      "output" the output buffer to store the decrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+SECStatus 
+RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/freebl/arcfour-amd64-gas.s b/security/nss/lib/freebl/arcfour-amd64-gas.s
new file mode 100644
index 000000000..e131fd16a
--- /dev/null
+++ b/security/nss/lib/freebl/arcfour-amd64-gas.s
@@ -0,0 +1,120 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is "Marc Bevand's fast AMD64 ARCFOUR source"
+#
+# The Initial Developer of the Original Code is
+# Marc Bevand <bevand_m@epita.fr> .
+# Portions created by the Initial Developer are 
+# Copyright (C) 2004 the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# ** ARCFOUR implementation optimized for AMD64.
+# **
+# ** The throughput achieved by this code is about 320 MBytes/sec, on
+# ** a 1.8 GHz AMD Opteron (rev C0) processor.
+
+.text
+.align 16
+.globl ARCFOUR
+.type ARCFOUR,@function
+ARCFOUR:
+	pushq	%rbp
+	pushq	%rbx
+	movq	%rdi,		%rbp	# key = ARG(key)
+	movq	%rsi,		%rbx	# rbx = ARG(len)
+	movq	%rdx,		%rsi	# in = ARG(in)
+	movq	%rcx,		%rdi	# out = ARG(out)
+	movq	(%rbp),		%rcx	# x = key->x
+	movq	8(%rbp),	%rdx	# y = key->y
+	addq	$16,		%rbp	# d = key->data
+	incq	%rcx			# x++
+	andq	$255,		%rcx	# x &= 0xff
+	leaq	-8(%rbx,%rsi),	%rbx	# rbx = in+len-8
+	movq	%rbx,		%r9	# tmp = in+len-8
+	movq	0(%rbp,%rcx,8),	%rax	# tx = d[x]
+	cmpq	%rsi,		%rbx	# cmp in with in+len-8
+	jl	.Lend			# jump if (in+len-8 < in)
+
+.Lstart:
+	addq	$8,		%rsi		# increment in
+	addq	$8,		%rdi		# increment out
+
+	# generate the next 8 bytes of the rc4 stream into %r8
+	movq	$8,		%r11		# byte counter
+1:	addb	%al,		%dl		# y += tx
+	movl	0(%rbp,%rdx,8),	%ebx		# ty = d[y]
+	movl	%ebx,		0(%rbp,%rcx,8)	# d[x] = ty
+	addb	%al,		%bl		# val = ty + tx
+	movl	%eax,		0(%rbp,%rdx,8)	# d[y] = tx
+	incb	%cl				# x++		(NEXT ROUND)
+	movl	0(%rbp,%rcx,8),	%eax		# tx = d[x]	(NEXT ROUND)
+	movb	0(%rbp,%rbx,8),	%r8b		# val = d[val]
+	decb	%r11b
+	rorq	$8,		%r8		# (ror does not change ZF)
+	jnz 	1b
+
+	# xor 8 bytes
+	xorq	-8(%rsi),	%r8
+	cmpq	%r9,		%rsi		# cmp in+len-8 with in
+	movq	%r8,		-8(%rdi)
+	jle	.Lstart				# jump if (in <= in+len-8)
+
+.Lend:
+	addq	$8,		%r9		# tmp = in+len
+
+	# handle the last bytes, one by one
+1:	cmpq	%rsi,		%r9		# cmp in with in+len
+	jle	.Lfinished			# jump if (in+len <= in)
+	addb	%al,		%dl		# y += tx
+	movl	0(%rbp,%rdx,8),	%ebx		# ty = d[y]
+	movl	%ebx,		0(%rbp,%rcx,8)	# d[x] = ty
+	addb	%al,		%bl		# val = ty + tx
+	movl	%eax,		0(%rbp,%rdx,8)	# d[y] = tx
+	incb	%cl				# x++		(NEXT ROUND)
+	movl	0(%rbp,%rcx,8),	%eax		# tx = d[x]	(NEXT ROUND)
+	movb	0(%rbp,%rbx,8),	%r8b		# val = d[val]
+	xorb	(%rsi),		%r8b		# xor 1 byte
+	movb	%r8b,		(%rdi)
+	incq	%rsi				# in++
+	incq	%rdi				# out++
+	jmp 1b
+
+.Lfinished:
+	decq	%rcx				# x--
+	movb	%dl,		-8(%rbp)	# key->y = y
+	movb	%cl,		-16(%rbp)	# key->x = x
+	popq	%rbx
+	popq	%rbp
+	ret
+.L_ARCFOUR_end:
+.size ARCFOUR,.L_ARCFOUR_end-ARCFOUR
+
+# Magic indicating no need for an executable stack
+.section .note.GNU-stack,"",@progbits
+.previous
diff --git a/security/nss/lib/freebl/arcfour-amd64-sun.s b/security/nss/lib/freebl/arcfour-amd64-sun.s
new file mode 100644
index 000000000..7f684d222
--- /dev/null
+++ b/security/nss/lib/freebl/arcfour-amd64-sun.s
@@ -0,0 +1,116 @@
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/
+/ The Original Code is "Marc Bevand's fast AMD64 ARCFOUR source"
+/
+/ The Initial Developer of the Original Code is
+/ Marc Bevand <bevand_m@epita.fr> .
+/ Portions created by the Initial Developer are 
+/ Copyright (C) 2004 the Initial Developer. All Rights Reserved.
+/
+/ Contributor(s):
+/
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/
+/ ***** END LICENSE BLOCK *****
+
+/ ** ARCFOUR implementation optimized for AMD64.
+/ **
+/ ** The throughput achieved by this code is about 320 MBytes/sec, on
+/ ** a 1.8 GHz AMD Opteron (rev C0) processor.
+
+.text
+.align 16
+.globl ARCFOUR
+.type ARCFOUR,@function
+ARCFOUR:
+	pushq	%rbp
+	pushq	%rbx
+	movq	%rdi,		%rbp	/ key = ARG(key)
+	movq	%rsi,		%rbx	/ rbx = ARG(len)
+	movq	%rdx,		%rsi	/ in = ARG(in)
+	movq	%rcx,		%rdi	/ out = ARG(out)
+	movq	(%rbp),		%rcx	/ x = key->x
+	movq	8(%rbp),	%rdx	/ y = key->y
+	addq	$16,		%rbp	/ d = key->data
+	incq	%rcx			/ x++
+	andq	$255,		%rcx	/ x &= 0xff
+	leaq	-8(%rbx,%rsi),	%rbx	/ rbx = in+len-8
+	movq	%rbx,		%r9	/ tmp = in+len-8
+	movq	0(%rbp,%rcx,8),	%rax	/ tx = d[x]
+	cmpq	%rsi,		%rbx	/ cmp in with in+len-8
+	jl	.Lend			/ jump if (in+len-8 < in)
+
+.Lstart:
+	addq	$8,		%rsi		/ increment in
+	addq	$8,		%rdi		/ increment out
+
+	/ generate the next 8 bytes of the rc4 stream into %r8
+	movq	$8,		%r11		/ byte counter
+1:	addb	%al,		%dl		/ y += tx
+	movl	0(%rbp,%rdx,8),	%ebx		/ ty = d[y]
+	movl	%ebx,		0(%rbp,%rcx,8)	/ d[x] = ty
+	addb	%al,		%bl		/ val = ty + tx
+	movl	%eax,		0(%rbp,%rdx,8)	/ d[y] = tx
+	incb	%cl				/ x++		(NEXT ROUND)
+	movl	0(%rbp,%rcx,8),	%eax		/ tx = d[x]	(NEXT ROUND)
+	movb	0(%rbp,%rbx,8),	%r8b		/ val = d[val]
+	decb	%r11b
+	rorq	$8,		%r8		/ (ror does not change ZF)
+	jnz 	1b
+
+	/ xor 8 bytes
+	xorq	-8(%rsi),	%r8
+	cmpq	%r9,		%rsi		/ cmp in+len-8 with in
+	movq	%r8,		-8(%rdi)
+	jle	.Lstart				/ jump if (in <= in+len-8)
+
+.Lend:
+	addq	$8,		%r9		/ tmp = in+len
+
+	/ handle the last bytes, one by one
+1:	cmpq	%rsi,		%r9		/ cmp in with in+len
+	jle	.Lfinished			/ jump if (in+len <= in)
+	addb	%al,		%dl		/ y += tx
+	movl	0(%rbp,%rdx,8),	%ebx		/ ty = d[y]
+	movl	%ebx,		0(%rbp,%rcx,8)	/ d[x] = ty
+	addb	%al,		%bl		/ val = ty + tx
+	movl	%eax,		0(%rbp,%rdx,8)	/ d[y] = tx
+	incb	%cl				/ x++		(NEXT ROUND)
+	movl	0(%rbp,%rcx,8),	%eax		/ tx = d[x]	(NEXT ROUND)
+	movb	0(%rbp,%rbx,8),	%r8b		/ val = d[val]
+	xorb	(%rsi),		%r8b		/ xor 1 byte
+	movb	%r8b,		(%rdi)
+	incq	%rsi				/ in++
+	incq	%rdi				/ out++
+	jmp 1b
+
+.Lfinished:
+	decq	%rcx				/ x--
+	movb	%dl,		-8(%rbp)	/ key->y = y
+	movb	%cl,		-16(%rbp)	/ key->x = x
+	popq	%rbx
+	popq	%rbp
+	ret
+.L_ARCFOUR_end:
+.size ARCFOUR,.L_ARCFOUR_end-ARCFOUR
diff --git a/security/nss/lib/freebl/arcfour.c b/security/nss/lib/freebl/arcfour.c
new file mode 100644
index 000000000..52329beda
--- /dev/null
+++ b/security/nss/lib/freebl/arcfour.c
@@ -0,0 +1,639 @@
+/* arcfour.c - the arc four algorithm.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* See NOTES ON UMRs, Unititialized Memory Reads, below. */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+
+/* Architecture-dependent defines */
+
+#if defined(SOLARIS) || defined(HPUX) || defined(i386) || defined(IRIX)
+/* Convert the byte-stream to a word-stream */
+#define CONVERT_TO_WORDS
+#endif
+
+#if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR)
+/* Treat array variables as longs, not bytes, on CPUs that take 
+ * much longer to write bytes than to write longs, or when using 
+ * assembler code that required it.
+ */
+#define USE_LONG
+#endif
+
+#if defined(_WIN32_WCE)
+#undef WORD
+#define WORD ARC4WORD
+#endif
+
+#if defined(IS_64) && !defined(__sparc) && !defined(NSS_USE_64) 
+typedef unsigned long long WORD;
+#else
+typedef unsigned long WORD;
+#endif
+#define WORDSIZE sizeof(WORD)
+
+#ifdef USE_LONG
+typedef unsigned long Stype;
+#else
+typedef PRUint8 Stype;
+#endif
+
+#define ARCFOUR_STATE_SIZE 256
+
+#define MASK1BYTE (WORD)(0xff)
+
+#define SWAP(a, b) \
+	tmp = a; \
+	a = b; \
+	b = tmp;
+
+/*
+ * State information for stream cipher.
+ */
+struct RC4ContextStr
+{
+#if defined(NSS_ARCFOUR_IJ_B4_S) || defined(NSS_BEVAND_ARCFOUR)
+	Stype i;
+	Stype j;
+	Stype S[ARCFOUR_STATE_SIZE];
+#else
+	Stype S[ARCFOUR_STATE_SIZE];
+	Stype i;
+	Stype j;
+#endif
+};
+
+/*
+ * array indices [0..255] to initialize cx->S array (faster than loop).
+ */
+static const Stype Kinit[256] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+	0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+	0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+RC4Context *
+RC4_AllocateContext(void)
+{
+    return PORT_ZNew(RC4Context);
+}
+
+SECStatus   
+RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
+	        const unsigned char * unused1, int unused2, 
+		unsigned int unused3, unsigned int unused4)
+{
+	int i;
+	PRUint8 j, tmp;
+	PRUint8 K[256];
+	PRUint8 *L;
+	/* verify the key length. */
+	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
+	if (len < 0 || len >= ARCFOUR_STATE_SIZE) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if (cx == NULL) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	/* Initialize the state using array indices. */
+	memcpy(cx->S, Kinit, sizeof cx->S);
+	/* Fill in K repeatedly with values from key. */
+	L = K;
+	for (i = sizeof K; i > len; i-= len) {
+		memcpy(L, key, len);
+		L += len;
+	}
+	memcpy(L, key, i);
+	/* Stir the state of the generator.  At this point it is assumed
+	 * that the key is the size of the state buffer.  If this is not
+	 * the case, the key bytes are repeated to fill the buffer.
+	 */
+	j = 0;
+#define ARCFOUR_STATE_STIR(ii) \
+	j = j + cx->S[ii] + K[ii]; \
+	SWAP(cx->S[ii], cx->S[j]);
+	for (i=0; i<ARCFOUR_STATE_SIZE; i++) {
+		ARCFOUR_STATE_STIR(i);
+	}
+	cx->i = 0;
+	cx->j = 0;
+	return SECSuccess;
+}
+
+
+/*
+ * Initialize a new generator.
+ */
+RC4Context *
+RC4_CreateContext(const unsigned char *key, int len)
+{
+    RC4Context *cx = RC4_AllocateContext();
+    if (cx) {
+	SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0);
+	if (rv != SECSuccess) {
+	    PORT_ZFree(cx, sizeof(*cx));
+	    cx = NULL;
+	}
+    }
+    return cx;
+}
+
+void 
+RC4_DestroyContext(RC4Context *cx, PRBool freeit)
+{
+	if (freeit)
+		PORT_ZFree(cx, sizeof(*cx));
+}
+
+#if defined(NSS_BEVAND_ARCFOUR)
+extern void ARCFOUR(RC4Context *cx, unsigned long inputLen, 
+	const unsigned char *input, unsigned char *output);
+#else
+/*
+ * Generate the next byte in the stream.
+ */
+#define ARCFOUR_NEXT_BYTE() \
+	tmpSi = cx->S[++tmpi]; \
+	tmpj += tmpSi; \
+	tmpSj = cx->S[tmpj]; \
+	cx->S[tmpi] = tmpSj; \
+	cx->S[tmpj] = tmpSi; \
+	t = tmpSi + tmpSj;
+
+#ifdef CONVERT_TO_WORDS
+/*
+ * Straight ARCFOUR op.  No optimization.
+ */
+static SECStatus 
+rc4_no_opt(RC4Context *cx, unsigned char *output,
+           unsigned int *outputLen, unsigned int maxOutputLen,
+           const unsigned char *input, unsigned int inputLen)
+{
+    PRUint8 t;
+	Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	unsigned int index;
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	for (index=0; index < inputLen; index++) {
+		/* Generate next byte from stream. */
+		ARCFOUR_NEXT_BYTE();
+		/* output = next stream byte XOR next input byte */
+		output[index] = cx->S[t] ^ input[index];
+	}
+	*outputLen = inputLen;
+	cx->i = tmpi;
+	cx->j = tmpj;
+	return SECSuccess;
+}
+#endif
+
+#ifndef CONVERT_TO_WORDS
+/*
+ * Byte-at-a-time ARCFOUR, unrolling the loop into 8 pieces.
+ */
+static SECStatus 
+rc4_unrolled(RC4Context *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
+             const unsigned char *input, unsigned int inputLen)
+{
+	PRUint8 t;
+	Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	int index;
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
+		ARCFOUR_NEXT_BYTE();
+		output[0] = cx->S[t] ^ input[0];
+		ARCFOUR_NEXT_BYTE();
+		output[1] = cx->S[t] ^ input[1];
+		ARCFOUR_NEXT_BYTE();
+		output[2] = cx->S[t] ^ input[2];
+		ARCFOUR_NEXT_BYTE();
+		output[3] = cx->S[t] ^ input[3];
+		ARCFOUR_NEXT_BYTE();
+		output[4] = cx->S[t] ^ input[4];
+		ARCFOUR_NEXT_BYTE();
+		output[5] = cx->S[t] ^ input[5];
+		ARCFOUR_NEXT_BYTE();
+		output[6] = cx->S[t] ^ input[6];
+		ARCFOUR_NEXT_BYTE();
+		output[7] = cx->S[t] ^ input[7];
+	}
+	index = inputLen % 8;
+	if (index) {
+		input += index;
+		output += index;
+		switch (index) {
+		case 7:
+			ARCFOUR_NEXT_BYTE();
+			output[-7] = cx->S[t] ^ input[-7]; /* FALLTHRU */
+		case 6:
+			ARCFOUR_NEXT_BYTE();
+			output[-6] = cx->S[t] ^ input[-6]; /* FALLTHRU */
+		case 5:
+			ARCFOUR_NEXT_BYTE();
+			output[-5] = cx->S[t] ^ input[-5]; /* FALLTHRU */
+		case 4:
+			ARCFOUR_NEXT_BYTE();
+			output[-4] = cx->S[t] ^ input[-4]; /* FALLTHRU */
+		case 3:
+			ARCFOUR_NEXT_BYTE();
+			output[-3] = cx->S[t] ^ input[-3]; /* FALLTHRU */
+		case 2:
+			ARCFOUR_NEXT_BYTE();
+			output[-2] = cx->S[t] ^ input[-2]; /* FALLTHRU */
+		case 1:
+			ARCFOUR_NEXT_BYTE();
+			output[-1] = cx->S[t] ^ input[-1]; /* FALLTHRU */
+		default:
+			/* FALLTHRU */
+			; /* hp-ux build breaks without this */
+		}
+	}
+	cx->i = tmpi;
+	cx->j = tmpj;
+	*outputLen = inputLen;
+	return SECSuccess;
+}
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT4BYTES_L(n) \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     ); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24);
+#else
+#define ARCFOUR_NEXT4BYTES_B(n) \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     );
+#endif
+
+#if (defined(IS_64) && !defined(__sparc)) || defined(NSS_USE_64)
+/* 64-bit wordsize */
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); ARCFOUR_NEXT4BYTES_L(32); }
+#else
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(32); ARCFOUR_NEXT4BYTES_B(0); }
+#endif
+#else
+/* 32-bit wordsize */
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); }
+#else
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(0); }
+#endif
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+#define RSH <<
+#define LSH >>
+#else
+#define RSH >>
+#define LSH <<
+#endif
+
+#ifdef CONVERT_TO_WORDS
+/* NOTE about UMRs, Uninitialized Memory Reads.
+ *
+ * This code reads all input data a WORD at a time, rather than byte at 
+ * a time, and writes all output data a WORD at a time.  Shifting and 
+ * masking is used to remove unwanted data and realign bytes when 
+ * needed.  The first and last words of output are read, modified, and
+ * written when needed to preserve any unchanged bytes.  This is a huge
+ * win on machines with high memory latency.  
+ *
+ * However, when the input and output buffers do not begin and end on WORD 
+ * boundaries, and the WORDS in memory that contain the first and last 
+ * bytes of those buffers contain uninitialized data, then this code will 
+ * read those uninitialized bytes, causing a UMR error to be reported by 
+ * some tools.  
+ *
+ * These UMRs are NOT a problem, NOT errors, and do NOT need to be "fixed".
+ * 
+ * All the words read and written contain at least one byte that is 
+ * part of the input data or output data.  No words are read or written
+ * that do not contain data that is part of the buffer.  Therefore, 
+ * these UMRs cannot cause page faults or other problems unless the 
+ * buffers have been assigned to improper addresses that would cause
+ * page faults with or without UMRs.  
+ */
+static SECStatus 
+rc4_wordconv(RC4Context *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
+             const unsigned char *input, unsigned int inputLen)
+{
+	ptrdiff_t inOffset = (ptrdiff_t)input % WORDSIZE;
+	ptrdiff_t outOffset = (ptrdiff_t)output % WORDSIZE;
+	register WORD streamWord, mask;
+	register WORD *pInWord, *pOutWord;
+	register WORD inWord, nextInWord;
+	PRUint8 t;
+	register Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	unsigned int byteCount;
+	unsigned int bufShift, invBufShift;
+	int i;
+
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if (inputLen < 2*WORDSIZE) {
+		/* Ignore word conversion, do byte-at-a-time */
+		return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
+	}
+	*outputLen = inputLen;
+	pInWord = (WORD *)(input - inOffset);
+	if (inOffset < outOffset) {
+		bufShift = 8*(outOffset - inOffset);
+		invBufShift = 8*WORDSIZE - bufShift;
+	} else {
+		invBufShift = 8*(inOffset - outOffset);
+		bufShift = 8*WORDSIZE - invBufShift;
+	}
+	/*****************************************************************/
+	/* Step 1:                                                       */
+	/* If the first output word is partial, consume the bytes in the */
+	/* first partial output word by loading one or two words of      */
+	/* input and shifting them accordingly.  Otherwise, just load    */
+	/* in the first word of input.  At the end of this block, at     */
+	/* least one partial word of input should ALWAYS be loaded.      */
+	/*****************************************************************/
+	if (outOffset) {
+		/* Generate input and stream words aligned relative to the
+		 * partial output buffer.
+		 */
+		byteCount = WORDSIZE - outOffset; 
+		pOutWord = (WORD *)(output - outOffset);
+		mask = streamWord = 0;
+#ifdef IS_LITTLE_ENDIAN
+		for (i = WORDSIZE - byteCount; i < WORDSIZE; i++) {
+#else
+		for (i = byteCount - 1; i >= 0; --i) {
+#endif
+			ARCFOUR_NEXT_BYTE();
+			streamWord |= (WORD)(cx->S[t]) << 8*i;
+			mask |= MASK1BYTE << 8*i;
+		} /* } */
+		inWord = *pInWord++; /* UMR? see comments above. */
+		/* If buffers are relatively misaligned, shift the bytes in inWord
+		 * to be aligned to the output buffer.
+		 */
+		nextInWord = 0;
+		if (inOffset < outOffset) {
+			/* Have more bytes than needed, shift remainder into nextInWord */
+			nextInWord = inWord LSH 8*(inOffset + byteCount);
+			inWord = inWord RSH bufShift;
+		} else if (inOffset > outOffset) {
+			/* Didn't get enough bytes from current input word, load another
+			 * word and then shift remainder into nextInWord.
+			 */
+			nextInWord = *pInWord++;
+			inWord = (inWord LSH invBufShift) | 
+			         (nextInWord RSH bufShift);
+			nextInWord = nextInWord LSH invBufShift;
+		}
+		/* Store output of first partial word */
+		*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
+		/* UMR?  See comments above. */
+
+		/* Consumed byteCount bytes of input */
+		inputLen -= byteCount;
+		/* move to next word of output */
+		pOutWord++;
+		/* inWord has been consumed, but there may be bytes in nextInWord */
+		inWord = nextInWord;
+	} else {
+		/* output is word-aligned */
+		pOutWord = (WORD *)output;
+		if (inOffset) {
+			/* Input is not word-aligned.  The first word load of input 
+			 * will not produce a full word of input bytes, so one word
+			 * must be pre-loaded.  The main loop below will load in the
+			 * next input word and shift some of its bytes into inWord
+			 * in order to create a full input word.  Note that the main
+			 * loop must execute at least once because the input must
+			 * be at least two words.
+			 */
+			inWord = *pInWord++; /* UMR? see comments above. */
+			inWord = inWord LSH invBufShift;
+		} else {
+			/* Input is word-aligned.  The first word load of input 
+			 * will produce a full word of input bytes, so nothing
+			 * needs to be loaded here.
+			 */
+			inWord = 0;
+		}
+	}
+	/* Output buffer is aligned, inOffset is now measured relative to
+	 * outOffset (and not a word boundary).
+	 */
+	inOffset = (inOffset + WORDSIZE - outOffset) % WORDSIZE;
+	/*****************************************************************/
+	/* Step 2: main loop                                             */
+	/* At this point the output buffer is word-aligned.  Any unused  */
+	/* bytes from above will be in inWord (shifted correctly).  If   */
+	/* the input buffer is unaligned relative to the output buffer,  */
+	/* shifting has to be done.                                      */
+	/*****************************************************************/
+	if (inOffset) {
+		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
+			nextInWord = *pInWord++;
+			inWord |= nextInWord RSH bufShift;
+			nextInWord = nextInWord LSH invBufShift;
+			ARCFOUR_NEXT_WORD();
+			*pOutWord++ = inWord ^ streamWord;
+			inWord = nextInWord;
+		}
+		if (inputLen == 0) {
+			/* Nothing left to do. */
+			cx->i = tmpi;
+			cx->j = tmpj;
+			return SECSuccess;
+		}
+		/* If the amount of remaining input is greater than the amount
+		 * bytes pulled from the current input word, need to do another
+		 * word load.  What's left in inWord will be consumed in step 3.
+		 */
+		if (inputLen > WORDSIZE - inOffset)
+			inWord |= *pInWord RSH bufShift; /* UMR?  See above. */
+	} else {
+		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
+			inWord = *pInWord++;
+			ARCFOUR_NEXT_WORD();
+			*pOutWord++ = inWord ^ streamWord;
+		}
+		if (inputLen == 0) {
+			/* Nothing left to do. */
+			cx->i = tmpi;
+			cx->j = tmpj;
+			return SECSuccess;
+		} else {
+			/* A partial input word remains at the tail.  Load it. 
+			 * The relevant bytes will be consumed in step 3.
+			 */
+			inWord = *pInWord; /* UMR?  See comments above */
+		}
+	}
+	/*****************************************************************/
+	/* Step 3:                                                       */
+	/* A partial word of input remains, and it is already loaded     */
+	/* into nextInWord.  Shift appropriately and consume the bytes   */
+	/* used in the partial word.                                     */
+	/*****************************************************************/
+	mask = streamWord = 0;
+#ifdef IS_LITTLE_ENDIAN
+	for (i = 0; i < inputLen; ++i) {
+#else
+	for (i = WORDSIZE - 1; i >= WORDSIZE - inputLen; --i) {
+#endif
+		ARCFOUR_NEXT_BYTE();
+		streamWord |= (WORD)(cx->S[t]) << 8*i;
+		mask |= MASK1BYTE << 8*i;
+	} /* } */
+	/* UMR?  See comments above. */
+	*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
+	cx->i = tmpi;
+	cx->j = tmpj;
+	return SECSuccess;
+}
+#endif
+#endif /* NSS_BEVAND_ARCFOUR */
+
+SECStatus 
+RC4_Encrypt(RC4Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+#if defined(NSS_BEVAND_ARCFOUR)
+	ARCFOUR(cx, inputLen, input, output);
+        *outputLen = inputLen;
+	return SECSuccess;
+#elif defined( CONVERT_TO_WORDS )
+	/* Convert the byte-stream to a word-stream */
+	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+#else
+	/* Operate on bytes, but unroll the main loop */
+	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+#endif
+}
+
+SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
+                      unsigned int *outputLen, unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen)
+{
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	/* decrypt and encrypt are same operation. */
+#if defined(NSS_BEVAND_ARCFOUR)
+	ARCFOUR(cx, inputLen, input, output);
+        *outputLen = inputLen;
+	return SECSuccess;
+#elif defined( CONVERT_TO_WORDS )
+	/* Convert the byte-stream to a word-stream */
+	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+#else
+	/* Operate on bytes, but unroll the main loop */
+	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+#endif
+}
+
+#undef CONVERT_TO_WORDS
+#undef USE_LONG
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
new file mode 100644
index 000000000..50771adc4
--- /dev/null
+++ b/security/nss/lib/freebl/blapi.h
@@ -0,0 +1,1174 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _BLAPI_H_
+#define _BLAPI_H_
+
+#include "blapit.h"
+#include "hasht.h"
+#include "alghmac.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** RSA encryption/decryption. When encrypting/decrypting the output
+** buffer must be at least the size of the public key modulus.
+*/
+
+/*
+** Generate and return a new RSA public and private key.
+**	Both keys are encoded in a single RSAPrivateKey structure.
+**	"cx" is the random number generator context
+**	"keySizeInBits" is the size of the key to be generated, in bits.
+**	   512, 1024, etc.
+**	"publicExponent" when not NULL is a pointer to some data that
+**	   represents the public exponent to use. The data is a byte
+**	   encoded integer, in "big endian" order.
+*/
+extern RSAPrivateKey *RSA_NewKey(int         keySizeInBits,
+				 SECItem *   publicExponent);
+
+/*
+** Perform a raw public-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PublicKeyOp(RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input);
+
+/*
+** Perform a raw private-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input);
+
+/*
+** Perform a raw private-key operation, and check the parameters used in
+** the operation for validity by performing a test operation first.
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *  key,
+				               unsigned char *  output,
+				               const unsigned char *  input);
+
+/*
+** Perform a check of private key parameters for consistency.
+*/
+extern SECStatus RSA_PrivateKeyCheck(RSAPrivateKey *key);
+
+
+/********************************************************************
+** DSA signing algorithm
+*/
+
+/*
+** Generate and return a new DSA public and private key pair,
+**	both of which are encoded into a single DSAPrivateKey struct.
+**	"params" is a pointer to the PQG parameters for the domain
+**	Uses a random seed.
+*/
+extern SECStatus DSA_NewKey(const PQGParams *     params, 
+		            DSAPrivateKey **      privKey);
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+** On output, signature->len == size of signature in buffer.
+** Uses a random seed.
+*/
+extern SECStatus DSA_SignDigest(DSAPrivateKey *   key,
+				SECItem *         signature,
+				const SECItem *   digest);
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+*/
+extern SECStatus DSA_VerifyDigest(DSAPublicKey *  key,
+				  const SECItem * signature,
+				  const SECItem * digest);
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
+extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 
+                                    const unsigned char * seed,
+                                    DSAPrivateKey **privKey);
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
+extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey * key,
+                                        SECItem *       signature,
+                                        const SECItem * digest,
+                                        const unsigned char * seed);
+
+/******************************************************
+** Diffie Helman key exchange algorithm 
+*/
+
+/* Generates parameters for Diffie-Helman key generation.
+**	primeLen is the length in bytes of prime P to be generated.
+*/
+extern SECStatus DH_GenParam(int primeLen, DHParams ** params);
+
+/* Generates a public and private key, both of which are encoded in a single
+**	DHPrivateKey struct. Params is input, privKey are output.  
+**	This is Phase 1 of Diffie Hellman.
+*/
+extern SECStatus DH_NewKey(DHParams *           params, 
+                           DHPrivateKey **	privKey);
+
+/* 
+** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 
+** other party's publicValue, and the prime and our privateValue.
+** maxOutBytes is the requested length of the generated secret in bytes.  
+** A zero value means produce a value of any length up to the size of 
+** the prime.   If successful, derivedSecret->data is set 
+** to the address of the newly allocated buffer containing the derived 
+** secret, and derivedSecret->len is the size of the secret produced.
+** The size of the secret produced will never be larger than the length
+** of the prime, and it may be smaller than maxOutBytes.
+** It is the caller's responsibility to free the allocated buffer 
+** containing the derived secret.
+*/
+extern SECStatus DH_Derive(SECItem *    publicValue, 
+		           SECItem *    prime, 
+			   SECItem *    privateValue, 
+			   SECItem *    derivedSecret,
+			   unsigned int maxOutBytes);
+
+/* 
+** KEA_CalcKey returns octet string with the private key for a dual
+** Diffie-Helman  key generation as specified for government key exchange.
+*/
+extern SECStatus KEA_Derive(SECItem *prime, 
+                            SECItem *public1, 
+                            SECItem *public2, 
+			    SECItem *private1, 
+			    SECItem *private2,
+			    SECItem *derivedSecret);
+
+/*
+ * verify that a KEA or DSA public key is a valid key for this prime and
+ * subprime domain.
+ */
+extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
+
+/******************************************************
+** Elliptic Curve algorithms
+*/
+
+/* Generates a public and private key, both of which are encoded 
+** in a single ECPrivateKey struct. Params is input, privKey are
+** output.
+*/
+extern SECStatus EC_NewKey(ECParams *          params, 
+                           ECPrivateKey **     privKey);
+
+extern SECStatus EC_NewKeyFromSeed(ECParams *  params, 
+                           ECPrivateKey **     privKey,
+                           const unsigned char* seed,
+                           int                 seedlen);
+
+/* Validates an EC public key as described in Section 5.2.2 of
+ * X9.62. Such validation prevents against small subgroup attacks
+ * when the ECDH primitive is used with the cofactor.
+ */
+extern SECStatus EC_ValidatePublicKey(ECParams * params, 
+                           SECItem *           publicValue);
+
+/* 
+** ECDH_Derive performs a scalar point multiplication of a point
+** representing a (peer's) public key and a large integer representing
+** a private key (its own). Both keys must use the same elliptic curve
+** parameters. If the withCofactor parameter is true, the
+** multiplication also uses the cofactor associated with the curve
+** parameters.  The output of this scheme is the x-coordinate of the
+** resulting point. If successful, derivedSecret->data is set to the
+** address of the newly allocated buffer containing the derived
+** secret, and derivedSecret->len is the size of the secret
+** produced. It is the caller's responsibility to free the allocated
+** buffer containing the derived secret.
+*/
+extern SECStatus ECDH_Derive(SECItem *       publicValue,
+                             ECParams *      params,
+                             SECItem *       privateValue,
+                             PRBool          withCofactor,
+                             SECItem *       derivedSecret);
+
+/* On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+** On output, signature->len == size of signature in buffer.
+** Uses a random seed.
+*/
+extern SECStatus ECDSA_SignDigest(ECPrivateKey  *key, 
+                                  SECItem       *signature, 
+                                  const SECItem *digest);
+
+/* On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+*/
+extern SECStatus ECDSA_VerifyDigest(ECPublicKey   *key, 
+                                    const SECItem *signature, 
+                                    const SECItem *digest);
+
+/* Uses the provided seed. */
+extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey        *key,
+                                          SECItem             *signature,
+                                          const SECItem       *digest,
+                                          const unsigned char *seed, 
+                                          const int           seedlen);
+
+/******************************************/
+/*
+** RC4 symmetric stream cypher
+*/
+
+/*
+** Create a new RC4 context suitable for RC4 encryption/decryption.
+**	"key" raw key data
+**	"len" the number of bytes of key data
+*/
+extern RC4Context *RC4_CreateContext(const unsigned char *key, int len);
+
+extern RC4Context *RC4_AllocateContext(void);
+extern SECStatus   RC4_InitContext(RC4Context *cx, 
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *, 
+				   int, 
+				   unsigned int ,
+				   unsigned int );
+
+/*
+** Destroy an RC4 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit);
+
+/*
+** Perform RC4 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC4 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** RC2 symmetric block cypher
+*/
+
+/*
+** Create a new RC2 context suitable for RC2 encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
+**	"effectiveKeyLen" is the effective key length (as specified in 
+**	    RFC 2268) in bytes (not bits).
+**
+** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
+** chaining" mode.
+*/
+extern RC2Context *RC2_CreateContext(const unsigned char *key, unsigned int len,
+				     const unsigned char *iv, int mode, 
+				     unsigned effectiveKeyLen);
+extern RC2Context *RC2_AllocateContext(void);
+extern SECStatus   RC2_InitContext(RC2Context *cx,
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *iv, 
+				   int mode, 
+				   unsigned int effectiveKeyLen,
+				   unsigned int );
+
+/*
+** Destroy an RC2 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit);
+
+/*
+** Perform RC2 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC2 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** RC5 symmetric block cypher -- 64-bit block size
+*/
+
+/*
+** Create a new RC5 context suitable for RC5 encryption/decryption.
+**      "key" raw key data
+**      "len" the number of bytes of key data
+**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
+**      "mode" one of NSS_RC5 or NSS_RC5_CBC
+**
+** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
+** chaining" mode.
+*/
+extern RC5Context *RC5_CreateContext(const SECItem *key, unsigned int rounds,
+                     unsigned int wordSize, const unsigned char *iv, int mode);
+extern RC5Context *RC5_AllocateContext(void);
+extern SECStatus   RC5_InitContext(RC5Context *cx, 
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *iv, 
+				   int mode,
+				   unsigned int rounds, 
+				   unsigned int wordSize);
+
+/*
+** Destroy an RC5 encryption/decryption context.
+**      "cx" the context
+**      "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit);
+
+/*
+** Perform RC5 encryption.
+**      "cx" the context
+**      "output" the output buffer to store the encrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC5 decryption.
+**      "cx" the context
+**      "output" the output buffer to store the decrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+
+extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+
+
+/******************************************/
+/*
+** DES symmetric block cypher
+*/
+
+/*
+** Create a new DES context suitable for DES encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_DES_CBC or
+** 	   mode is DES_EDE3_CBC)
+** 	"mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC
+**	"encrypt" is PR_TRUE if the context will be used for encryption
+**
+** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES
+** cipher is run in "cipher block chaining" mode.
+*/
+extern DESContext *DES_CreateContext(const unsigned char *key, 
+                                     const unsigned char *iv,
+				     int mode, PRBool encrypt);
+extern DESContext *DES_AllocateContext(void);
+extern SECStatus   DES_InitContext(DESContext *cx,
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *iv, 
+				   int mode,
+				   unsigned int encrypt,
+				   unsigned int );
+
+/*
+** Destroy an DES encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void DES_DestroyContext(DESContext *cx, PRBool freeit);
+
+/*
+** Perform DES encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+**
+** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
+*/
+extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform DES decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+**
+** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
+*/
+extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** AES symmetric block cypher (Rijndael)
+*/
+
+/*
+** Create a new AES context suitable for AES encryption/decryption.
+** 	"key" raw key data
+** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**      "blocklen" is the blocksize to use (16, 24, or 32)
+**                        XXX currently only blocksize==16 has been tested!
+*/
+extern AESContext *
+AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                  int mode, int encrypt,
+                  unsigned int keylen, unsigned int blocklen);
+extern AESContext *AES_AllocateContext(void);
+extern SECStatus   AES_InitContext(AESContext *cx,
+				   const unsigned char *key, 
+				   unsigned int keylen, 
+				   const unsigned char *iv, 
+				   int mode, 
+				   unsigned int encrypt,
+				   unsigned int blocklen);
+
+/*
+** Destroy a AES encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void 
+AES_DestroyContext(AESContext *cx, PRBool freeit);
+
+/*
+** Perform AES encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform AES decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** AES key wrap algorithm, RFC 3394
+*/
+
+/*
+** Create a new AES context suitable for AES encryption/decryption.
+** 	"key" raw key data
+**      "iv"  The 8 byte "initial value"
+**      "encrypt", a boolean, true for key wrapping, false for unwrapping.
+** 	"keylen" the number of bytes of key data (16, 24, or 32)
+*/
+extern AESKeyWrapContext *
+AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                         int encrypt, unsigned int keylen);
+extern AESKeyWrapContext * AESKeyWrap_AllocateContext(void);
+extern SECStatus  
+     AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *iv, 
+				   int ,
+				   unsigned int encrypt,
+				   unsigned int );
+
+/*
+** Destroy a AES KeyWrap context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void 
+AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit);
+
+/*
+** Perform AES key wrap.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform AES key unwrap.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+ /******************************************/
+/*
+** Camellia symmetric block cypher
+*/
+
+/*
+** Create a new Camellia context suitable for Camellia encryption/decryption.
+** 	"key" raw key data
+** 	"keylen" the number of bytes of key data (16, 24, or 32)
+*/
+extern CamelliaContext *
+Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 
+		       int mode, int encrypt, unsigned int keylen);
+
+extern CamelliaContext *Camellia_AllocateContext(void);
+extern SECStatus   Camellia_InitContext(CamelliaContext *cx,
+					const unsigned char *key, 
+					unsigned int keylen, 
+					const unsigned char *iv, 
+					int mode, 
+					unsigned int encrypt,
+					unsigned int unused);
+/*
+** Destroy a Camellia encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void 
+Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit);
+
+/*
+** Perform Camellia encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
+		 unsigned int *outputLen, unsigned int maxOutputLen,
+		 const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform Camellia decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
+		 unsigned int *outputLen, unsigned int maxOutputLen,
+		 const unsigned char *input, unsigned int inputLen);
+
+
+/******************************************/
+/*
+** MD5 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using MD5
+*/
+extern SECStatus MD5_Hash(unsigned char *dest, const char *src);
+
+/*
+** Hash a non-null terminated string "src" into "dest" using MD5
+*/
+extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src,
+			     uint32 src_length);
+
+/*
+** Create a new MD5 context
+*/
+extern MD5Context *MD5_NewContext(void);
+
+
+/*
+** Destroy an MD5 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit);
+
+/*
+** Reset an MD5 context, preparing it for a fresh round of hashing
+*/
+extern void MD5_Begin(MD5Context *cx);
+
+/*
+** Update the MD5 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void MD5_Update(MD5Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+/*
+** Finish the MD5 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (16) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void MD5_End(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+/*
+ * Return the the size of a buffer needed to flatten the MD5 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int MD5_FlattenSize(MD5Context *cx);
+
+/*
+ * Flatten the MD5 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus MD5_Flatten(MD5Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a MD5 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern MD5Context * MD5_Resurrect(unsigned char *space, void *arg);
+extern void MD5_Clone(MD5Context *dest, MD5Context *src);
+
+/*
+** trace the intermediate state info of the MD5 hash.
+*/
+extern void MD5_TraceState(MD5Context *cx);
+
+
+/******************************************/
+/*
+** MD2 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using MD2
+*/
+extern SECStatus MD2_Hash(unsigned char *dest, const char *src);
+
+/*
+** Create a new MD2 context
+*/
+extern MD2Context *MD2_NewContext(void);
+
+
+/*
+** Destroy an MD2 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit);
+
+/*
+** Reset an MD2 context, preparing it for a fresh round of hashing
+*/
+extern void MD2_Begin(MD2Context *cx);
+
+/*
+** Update the MD2 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void MD2_Update(MD2Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+/*
+** Finish the MD2 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (16) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void MD2_End(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+/*
+ * Return the the size of a buffer needed to flatten the MD2 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int MD2_FlattenSize(MD2Context *cx);
+
+/*
+ * Flatten the MD2 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus MD2_Flatten(MD2Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a MD2 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern MD2Context * MD2_Resurrect(unsigned char *space, void *arg);
+extern void MD2_Clone(MD2Context *dest, MD2Context *src);
+
+/******************************************/
+/*
+** SHA-1 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using SHA-1
+*/
+extern SECStatus SHA1_Hash(unsigned char *dest, const char *src);
+
+/*
+** Hash a non-null terminated string "src" into "dest" using SHA-1
+*/
+extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+
+/*
+** Create a new SHA-1 context
+*/
+extern SHA1Context *SHA1_NewContext(void);
+
+
+/*
+** Destroy a SHA-1 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit);
+
+/*
+** Reset a SHA-1 context, preparing it for a fresh round of hashing
+*/
+extern void SHA1_Begin(SHA1Context *cx);
+
+/*
+** Update the SHA-1 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void SHA1_Update(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+
+/*
+** Finish the SHA-1 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (20) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void SHA1_End(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+
+/*
+** trace the intermediate state info of the SHA1 hash.
+*/
+extern void SHA1_TraceState(SHA1Context *cx);
+
+/*
+ * Return the the size of a buffer needed to flatten the SHA-1 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int SHA1_FlattenSize(SHA1Context *cx);
+
+/*
+ * Flatten the SHA-1 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus SHA1_Flatten(SHA1Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a SHA-1 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern SHA1Context * SHA1_Resurrect(unsigned char *space, void *arg);
+extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
+
+/******************************************/
+
+extern SHA256Context *SHA256_NewContext(void);
+extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit);
+extern void SHA256_Begin(SHA256Context *cx);
+extern void SHA256_Update(SHA256Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+extern void SHA256_End(SHA256Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+extern SECStatus SHA256_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+extern SECStatus SHA256_Hash(unsigned char *dest, const char *src);
+extern void SHA256_TraceState(SHA256Context *cx);
+extern unsigned int SHA256_FlattenSize(SHA256Context *cx);
+extern SECStatus SHA256_Flatten(SHA256Context *cx,unsigned char *space);
+extern SHA256Context * SHA256_Resurrect(unsigned char *space, void *arg);
+extern void SHA256_Clone(SHA256Context *dest, SHA256Context *src);
+
+/******************************************/
+
+extern SHA512Context *SHA512_NewContext(void);
+extern void SHA512_DestroyContext(SHA512Context *cx, PRBool freeit);
+extern void SHA512_Begin(SHA512Context *cx);
+extern void SHA512_Update(SHA512Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+extern void SHA512_End(SHA512Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+extern SECStatus SHA512_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+extern SECStatus SHA512_Hash(unsigned char *dest, const char *src);
+extern void SHA512_TraceState(SHA512Context *cx);
+extern unsigned int SHA512_FlattenSize(SHA512Context *cx);
+extern SECStatus SHA512_Flatten(SHA512Context *cx,unsigned char *space);
+extern SHA512Context * SHA512_Resurrect(unsigned char *space, void *arg);
+extern void SHA512_Clone(SHA512Context *dest, SHA512Context *src);
+
+/******************************************/
+
+extern SHA384Context *SHA384_NewContext(void);
+extern void SHA384_DestroyContext(SHA384Context *cx, PRBool freeit);
+extern void SHA384_Begin(SHA384Context *cx);
+extern void SHA384_Update(SHA384Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+extern void SHA384_End(SHA384Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+extern SECStatus SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+extern SECStatus SHA384_Hash(unsigned char *dest, const char *src);
+extern void SHA384_TraceState(SHA384Context *cx);
+extern unsigned int SHA384_FlattenSize(SHA384Context *cx);
+extern SECStatus SHA384_Flatten(SHA384Context *cx,unsigned char *space);
+extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg);
+extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
+
+/****************************************
+ * implement TLS Pseudo Random Function (PRF)
+ */
+
+extern SECStatus
+TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
+         SECItem *result, PRBool isFIPS);
+
+/******************************************/
+/*
+** Pseudo Random Number Generation.  FIPS compliance desirable.
+*/
+
+/*
+** Initialize the global RNG context and give it some seed input taken
+** from the system.  This function is thread-safe and will only allow
+** the global context to be initialized once.  The seed input is likely
+** small, so it is imperative that RNG_RandomUpdate() be called with
+** additional seed data before the generator is used.  A good way to
+** provide the generator with additional entropy is to call
+** RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
+*/
+extern SECStatus RNG_RNGInit(void);
+
+/*
+** Update the global random number generator with more seeding
+** material
+*/
+extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes);
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.
+*/
+extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len);
+
+/* Destroy the global RNG context.  After a call to RNG_RNGShutdown()
+** a call to RNG_RNGInit() is required in order to use the generator again,
+** along with seed data (see the comment above RNG_RNGInit()).
+*/
+extern void  RNG_RNGShutdown(void);
+
+extern void RNG_SystemInfoForRNG(void);
+
+/*
+ * FIPS 186-2 Change Notice 1 RNG Algorithm 1, used both to
+ * generate the DSA X parameter and as a generic purpose RNG.
+ *
+ * The following two FIPS186Change functions are needed for
+ * NIST RNG Validation System.
+ */
+
+/*
+ * Given the seed-key and the seed, generate the random output.
+ *
+ * Parameters:
+ *   XKEY [input/output]: the state of the RNG (seed-key)
+ *   XSEEDj [input]: optional user input (seed)
+ *   x_j [output]: output of the RNG
+ *
+ * Return value:
+ * This function usually returns SECSuccess.  The only reason
+ * this function returns SECFailure is that XSEEDj equals
+ * XKEY, including the intermediate XKEY value between the two
+ * iterations.  (This test is actually a FIPS 140-2 requirement
+ * and not required for FIPS algorithm testing, but it is too
+ * hard to separate from this function.)  If this function fails,
+ * XKEY is not updated, but some data may have been written to
+ * x_j, which should be ignored.
+ */
+extern SECStatus
+FIPS186Change_GenerateX(unsigned char *XKEY,
+                        const unsigned char *XSEEDj,
+                        unsigned char *x_j);
+
+/*
+ * When generating the DSA X parameter, we generate 2*GSIZE bytes
+ * of random output and reduce it mod q.
+ *
+ * Input: w, 2*GSIZE bytes
+ *        q, DSA_SUBPRIME_LEN bytes
+ * Output: xj, DSA_SUBPRIME_LEN bytes
+ */
+extern SECStatus
+FIPS186Change_ReduceModQForDSA(const unsigned char *w,
+                               const unsigned char *q,
+                               unsigned char *xj);
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus
+PQG_ParamGen(unsigned int j, 	   /* input : determines length of P. */
+             PQGParams **pParams,  /* output: P Q and G returned here */
+	     PQGVerify **pVfy);    /* output: counter and seed. */
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus
+PQG_ParamGenSeedLen(
+             unsigned int j, 	     /* input : determines length of P. */
+	     unsigned int seedBytes, /* input : length of seed in bytes.*/
+             PQGParams **pParams,    /* output: P Q and G returned here */
+	     PQGVerify **pVfy);      /* output: counter and seed. */
+
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ *
+ * Verify the following 12 facts about PQG counter SEED g and h
+ * 1.  Q is 160 bits long.
+ * 2.  P is one of the 9 valid lengths.
+ * 3.  G < P
+ * 4.  P % Q == 1
+ * 5.  Q is prime
+ * 6.  P is prime
+ * Steps 7-12 are done only if the optional PQGVerify is supplied.
+ * 7.  counter < 4096
+ * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
+ * 9.  Q generated from SEED matches Q in PQGParams.
+ * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
+ * 11. 1 < h < P-1
+ * 12. G generated from h matches G in PQGParams.
+ */
+
+extern SECStatus   PQG_VerifyParams(const PQGParams *params, 
+                                    const PQGVerify *vfy, SECStatus *result);
+
+extern void PQG_DestroyParams(PQGParams *params);
+
+extern void PQG_DestroyVerify(PQGVerify *vfy);
+
+
+/*
+ * clean-up any global tables freebl may have allocated after it starts up.
+ * This function is not thread safe and should be called only after the
+ * library has been quiessed.
+ */
+extern void BL_Cleanup(void);
+
+/* unload freebl shared library from memory */
+extern void BL_Unload(void);
+
+/**************************************************************************
+ *  Verify a given Shared library signature                               *
+ **************************************************************************/
+PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr);
+
+/**************************************************************************
+ *  Verify Are Own Shared library signature                               *
+ **************************************************************************/
+PRBool BLAPI_VerifySelf(const char *name);
+
+/*********************************************************************/
+extern const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType);
+
+SEC_END_PROTOS
+
+#endif /* _BLAPI_H_ */
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
new file mode 100644
index 000000000..ba7f7a470
--- /dev/null
+++ b/security/nss/lib/freebl/blapit.h
@@ -0,0 +1,380 @@
+/*
+ * blapit.h - public data structures for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _BLAPIT_H_
+#define _BLAPIT_H_
+
+#include "seccomon.h"
+#include "prlink.h"
+#include "plarena.h"
+#include "ecl-exp.h"
+
+
+/* RC2 operation modes */
+#define NSS_RC2			0
+#define NSS_RC2_CBC		1
+
+/* RC5 operation modes */
+#define NSS_RC5                 0
+#define NSS_RC5_CBC             1
+
+/* DES operation modes */
+#define NSS_DES			0
+#define NSS_DES_CBC		1
+#define NSS_DES_EDE3		2
+#define NSS_DES_EDE3_CBC	3
+
+#define DES_KEY_LENGTH		8	/* Bytes */
+
+/* AES operation modes */
+#define NSS_AES                 0
+#define NSS_AES_CBC             1
+
+/* Camellia operation modes */
+#define NSS_CAMELLIA                 0
+#define NSS_CAMELLIA_CBC             1
+
+#define DSA_SIGNATURE_LEN 	40	/* Bytes */
+#define DSA_SUBPRIME_LEN	20	/* Bytes */
+
+/* XXX We shouldn't have to hard code this limit. For
+ * now, this is the quickest way to support ECDSA signature
+ * processing (ECDSA signature lengths depend on curve
+ * size). This limit is sufficient for curves upto
+ * 576 bits.
+ */
+#define MAX_ECKEY_LEN 	        72	/* Bytes */
+
+/*
+ * Number of bytes each hash algorithm produces
+ */
+#define MD2_LENGTH		16	/* Bytes */
+#define MD5_LENGTH		16	/* Bytes */
+#define SHA1_LENGTH		20	/* Bytes */
+#define SHA256_LENGTH 		32 	/* bytes */
+#define SHA384_LENGTH 		48 	/* bytes */
+#define SHA512_LENGTH 		64 	/* bytes */
+#define HASH_LENGTH_MAX         SHA512_LENGTH
+
+/*
+ * Input block size for each hash algorithm.
+ */
+
+#define MD2_BLOCK_LENGTH 	 64 	/* bytes */
+#define MD5_BLOCK_LENGTH 	 64 	/* bytes */
+#define SHA1_BLOCK_LENGTH 	 64 	/* bytes */
+#define SHA256_BLOCK_LENGTH 	 64 	/* bytes */
+#define SHA384_BLOCK_LENGTH 	128 	/* bytes */
+#define SHA512_BLOCK_LENGTH 	128 	/* bytes */
+#define HASH_BLOCK_LENGTH_MAX 	SHA512_BLOCK_LENGTH
+
+#define AES_KEY_WRAP_IV_BYTES    8
+#define AES_KEY_WRAP_BLOCK_SIZE  8  /* bytes */
+#define AES_BLOCK_SIZE          16  /* bytes */
+
+#define CAMELLIA_BLOCK_SIZE          16  /* bytes */
+
+#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
+
+/*
+ * These values come from the initial key size limits from the PKCS #11
+ * module. They may be arbitrarily adjusted to any value freebl supports.
+ */
+#define RSA_MIN_MODULUS_BITS   128
+#define RSA_MAX_MODULUS_BITS  8192
+#define RSA_MAX_EXPONENT_BITS   64
+#define DH_MIN_P_BITS	       128
+#define DH_MAX_P_BITS         2236
+
+/*
+ * The FIPS 186 algorithm for generating primes P and Q allows only 9
+ * distinct values for the length of P, and only one value for the
+ * length of Q.
+ * The algorithm uses a variable j to indicate which of the 9 lengths
+ * of P is to be used.
+ * The following table relates j to the lengths of P and Q in bits.
+ *
+ *	j	bits in P	bits in Q
+ *	_	_________	_________
+ *	0	 512		160
+ *	1	 576		160
+ *	2	 640		160
+ *	3	 704		160
+ *	4	 768		160
+ *	5	 832		160
+ *	6	 896		160
+ *	7	 960		160
+ *	8	1024		160
+ *
+ * The FIPS-186 compliant PQG generator takes j as an input parameter.
+ */
+
+#define DSA_Q_BITS       160
+#define DSA_MAX_P_BITS	1024
+#define DSA_MIN_P_BITS	 512
+
+/*
+ * function takes desired number of bits in P,
+ * returns index (0..8) or -1 if number of bits is invalid.
+ */
+#define PQG_PBITS_TO_INDEX(bits) \
+    (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? \
+    -1 : (int)((bits)-512)/64)
+
+/*
+ * function takes index (0-8)
+ * returns number of bits in P for that index, or -1 if index is invalid.
+ */
+#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
+
+
+/***************************************************************************
+** Opaque objects 
+*/
+
+struct DESContextStr        ;
+struct RC2ContextStr        ;
+struct RC4ContextStr        ;
+struct RC5ContextStr        ;
+struct AESContextStr        ;
+struct CamelliaContextStr   ;
+struct MD2ContextStr        ;
+struct MD5ContextStr        ;
+struct SHA1ContextStr       ;
+struct SHA256ContextStr     ;
+struct SHA512ContextStr     ;
+struct AESKeyWrapContextStr ;
+
+typedef struct DESContextStr        DESContext;
+typedef struct RC2ContextStr        RC2Context;
+typedef struct RC4ContextStr        RC4Context;
+typedef struct RC5ContextStr        RC5Context;
+typedef struct AESContextStr        AESContext;
+typedef struct CamelliaContextStr   CamelliaContext;
+typedef struct MD2ContextStr        MD2Context;
+typedef struct MD5ContextStr        MD5Context;
+typedef struct SHA1ContextStr       SHA1Context;
+typedef struct SHA256ContextStr     SHA256Context;
+typedef struct SHA512ContextStr     SHA512Context;
+/* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
+typedef struct SHA512ContextStr     SHA384Context;
+typedef struct AESKeyWrapContextStr AESKeyWrapContext;
+
+/***************************************************************************
+** RSA Public and Private Key structures
+*/
+
+/* member names from PKCS#1, section 7.1 */
+struct RSAPublicKeyStr {
+    PLArenaPool * arena;
+    SECItem modulus;
+    SECItem publicExponent;
+};
+typedef struct RSAPublicKeyStr RSAPublicKey;
+
+/* member names from PKCS#1, section 7.2 */
+struct RSAPrivateKeyStr {
+    PLArenaPool * arena;
+    SECItem version;
+    SECItem modulus;
+    SECItem publicExponent;
+    SECItem privateExponent;
+    SECItem prime1;
+    SECItem prime2;
+    SECItem exponent1;
+    SECItem exponent2;
+    SECItem coefficient;
+};
+typedef struct RSAPrivateKeyStr RSAPrivateKey;
+
+
+/***************************************************************************
+** DSA Public and Private Key and related structures
+*/
+
+struct PQGParamsStr {
+    PLArenaPool *arena;
+    SECItem prime;    /* p */
+    SECItem subPrime; /* q */
+    SECItem base;     /* g */
+    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
+};
+typedef struct PQGParamsStr PQGParams;
+
+struct PQGVerifyStr {
+    PLArenaPool * arena;	/* includes this struct, seed, & h. */
+    unsigned int  counter;
+    SECItem       seed;
+    SECItem       h;
+};
+typedef struct PQGVerifyStr PQGVerify;
+
+struct DSAPublicKeyStr {
+    PQGParams params;
+    SECItem publicValue;
+};
+typedef struct DSAPublicKeyStr DSAPublicKey;
+
+struct DSAPrivateKeyStr {
+    PQGParams params;
+    SECItem publicValue;
+    SECItem privateValue;
+};
+typedef struct DSAPrivateKeyStr DSAPrivateKey;
+
+/***************************************************************************
+** Diffie-Hellman Public and Private Key and related structures
+** Structure member names suggested by PKCS#3.
+*/
+
+struct DHParamsStr {
+    PLArenaPool * arena;
+    SECItem prime; /* p */
+    SECItem base; /* g */
+};
+typedef struct DHParamsStr DHParams;
+
+struct DHPublicKeyStr {
+    PLArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+};
+typedef struct DHPublicKeyStr DHPublicKey;
+
+struct DHPrivateKeyStr {
+    PLArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+    SECItem privateValue;
+};
+typedef struct DHPrivateKeyStr DHPrivateKey;
+
+/***************************************************************************
+** Data structures used for elliptic curve parameters and
+** public and private keys.
+*/
+
+/*
+** The ECParams data structures can encode elliptic curve 
+** parameters for both GFp and GF2m curves.
+*/
+
+typedef enum { ec_params_explicit,
+	       ec_params_named
+} ECParamsType;
+
+typedef enum { ec_field_GFp = 1,
+               ec_field_GF2m
+} ECFieldType;
+
+struct ECFieldIDStr {
+    int         size;   /* field size in bits */
+    ECFieldType type;
+    union {
+        SECItem  prime; /* prime p for (GFp) */
+        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
+    } u;
+    int         k1;     /* first coefficient of pentanomial or
+                         * the only coefficient of trinomial 
+                         */
+    int         k2;     /* two remaining coefficients of pentanomial */
+    int         k3;
+};
+typedef struct ECFieldIDStr ECFieldID;
+
+struct ECCurveStr {
+    SECItem a;          /* contains octet stream encoding of
+                         * field element (X9.62 section 4.3.3) 
+			 */
+    SECItem b;
+    SECItem seed;
+};
+typedef struct ECCurveStr ECCurve;
+
+struct ECParamsStr {
+    PLArenaPool * arena;
+    ECParamsType  type;
+    ECFieldID     fieldID;
+    ECCurve       curve; 
+    SECItem       base;
+    SECItem       order; 
+    int           cofactor;
+    SECItem       DEREncoding;
+    ECCurveName   name;
+    SECItem       curveOID;
+};
+typedef struct ECParamsStr ECParams;
+
+struct ECPublicKeyStr {
+    ECParams ecParams;   
+    SECItem publicValue;   /* elliptic curve point encoded as 
+			    * octet stream.
+			    */
+};
+typedef struct ECPublicKeyStr ECPublicKey;
+
+struct ECPrivateKeyStr {
+    ECParams ecParams;   
+    SECItem publicValue;   /* encoded ec point */
+    SECItem privateValue;  /* private big integer */
+    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
+};
+typedef struct ECPrivateKeyStr ECPrivateKey;
+
+typedef void * (*BLapiAllocateFunc)(void);
+typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);
+typedef SECStatus (*BLapiInitContextFunc)(void *cx, 
+				   const unsigned char *key, 
+				   unsigned int keylen,
+				   const unsigned char *, 
+				   int, 
+				   unsigned int ,
+				   unsigned int );
+typedef SECStatus (*BLapiEncrypt)(void *cx, unsigned char *output,
+				unsigned int *outputLen, 
+				unsigned int maxOutputLen,
+				const unsigned char *input, 
+				unsigned int inputLen);
+
+#endif /* _BLAPIT_H_ */
diff --git a/security/nss/lib/freebl/camellia.c b/security/nss/lib/freebl/camellia.c
new file mode 100644
index 000000000..f02e515cd
--- /dev/null
+++ b/security/nss/lib/freebl/camellia.c
@@ -0,0 +1,1791 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Camellia code.
+ *
+ * The Initial Developer of the Original Code is
+ * NTT(Nippon Telegraph and Telephone Corporation).
+ *
+ * Portions created by the Initial Developer are Copyright (C) 2006
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * $Id$
+ */
+
+#include "prinit.h"
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+#include "camellia.h"
+
+
+/* key constants */
+
+#define CAMELLIA_SIGMA1L (0xA09E667FL)
+#define CAMELLIA_SIGMA1R (0x3BCC908BL)
+#define CAMELLIA_SIGMA2L (0xB67AE858L)
+#define CAMELLIA_SIGMA2R (0x4CAA73B2L)
+#define CAMELLIA_SIGMA3L (0xC6EF372FL)
+#define CAMELLIA_SIGMA3R (0xE94F82BEL)
+#define CAMELLIA_SIGMA4L (0x54FF53A5L)
+#define CAMELLIA_SIGMA4R (0xF1D36F1CL)
+#define CAMELLIA_SIGMA5L (0x10E527FAL)
+#define CAMELLIA_SIGMA5R (0xDE682D1DL)
+#define CAMELLIA_SIGMA6L (0xB05688C2L)
+#define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
+
+/*
+ *  macros
+ */
+
+
+#if defined(_MSC_VER)
+
+# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+# define GETU32(p) SWAP(*((PRUint32 *)(p)))
+# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SWAP((st));}
+
+#else /* not MS-VC */
+
+# define GETU32(pt)					\
+    (((PRUint32)(pt)[0] << 24)				\
+     ^ ((PRUint32)(pt)[1] << 16)			\
+     ^ ((PRUint32)(pt)[2] <<  8)			\
+     ^ ((PRUint32)(pt)[3]))
+
+# define PUTU32(ct, st)  {				\
+	(ct)[0] = (PRUint8)((st) >> 24);		\
+	(ct)[1] = (PRUint8)((st) >> 16);		\
+	(ct)[2] = (PRUint8)((st) >>  8);		\
+	(ct)[3] = (PRUint8)(st); }
+
+#endif
+
+#define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
+#define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
+
+/* rotation right shift 1byte */
+#define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
+/* rotation left shift 1bit */
+#define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
+/* rotation left shift 1byte */
+#define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
+
+#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)	\
+    do {						\
+	w0 = ll;					\
+	ll = (ll << bits) + (lr >> (32 - bits));	\
+	lr = (lr << bits) + (rl >> (32 - bits));	\
+	rl = (rl << bits) + (rr >> (32 - bits));	\
+	rr = (rr << bits) + (w0 >> (32 - bits));	\
+    } while(0)
+
+#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits)	\
+    do {						\
+	w0 = ll;					\
+	w1 = lr;					\
+	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
+	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
+	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
+	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
+    } while(0)
+
+#define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
+#define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
+#define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
+#define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
+
+#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
+    do {							\
+	il = xl ^ kl;						\
+	ir = xr ^ kr;						\
+	t0 = il >> 16;						\
+	t1 = ir >> 16;						\
+	yl = CAMELLIA_SP1110(ir & 0xff)				\
+	    ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
+	    ^ CAMELLIA_SP3033(t1 & 0xff)			\
+	    ^ CAMELLIA_SP4404((ir >> 8) & 0xff);		\
+	yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)			\
+	    ^ CAMELLIA_SP0222(t0 & 0xff)			\
+	    ^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
+	    ^ CAMELLIA_SP4404(il & 0xff);			\
+	yl ^= yr;						\
+	yr = CAMELLIA_RR8(yr);					\
+	yr ^= yl;						\
+    } while(0)
+
+
+/*
+ * for speed up
+ *
+ */
+#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
+    do {								\
+	t0 = kll;							\
+	t0 &= ll;							\
+	lr ^= CAMELLIA_RL1(t0);						\
+	t1 = klr;							\
+	t1 |= lr;							\
+	ll ^= t1;							\
+									\
+	t2 = krr;							\
+	t2 |= rr;							\
+	rl ^= t2;							\
+	t3 = krl;							\
+	t3 &= rl;							\
+	rr ^= CAMELLIA_RL1(t3);						\
+    } while(0)
+
+#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
+    do {								\
+	ir = CAMELLIA_SP1110(xr & 0xff)					\
+	    ^ CAMELLIA_SP0222((xr >> 24) & 0xff)			\
+	    ^ CAMELLIA_SP3033((xr >> 16) & 0xff)			\
+	    ^ CAMELLIA_SP4404((xr >> 8) & 0xff);			\
+	il = CAMELLIA_SP1110((xl >> 24) & 0xff)				\
+	    ^ CAMELLIA_SP0222((xl >> 16) & 0xff)			\
+	    ^ CAMELLIA_SP3033((xl >> 8) & 0xff)				\
+	    ^ CAMELLIA_SP4404(xl & 0xff);				\
+	il ^= kl;							\
+	ir ^= kr;							\
+	ir ^= il;							\
+	il = CAMELLIA_RR8(il);						\
+	il ^= ir;							\
+	yl ^= ir;							\
+	yr ^= il;							\
+    } while(0)
+
+
+static const PRUint32 camellia_sp1110[256] = {
+    0x70707000,0x82828200,0x2c2c2c00,0xececec00,
+    0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
+    0xe4e4e400,0x85858500,0x57575700,0x35353500,
+    0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
+    0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
+    0x45454500,0x19191900,0xa5a5a500,0x21212100,
+    0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
+    0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
+    0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
+    0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
+    0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
+    0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
+    0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
+    0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
+    0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
+    0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
+    0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
+    0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
+    0x74747400,0x12121200,0x2b2b2b00,0x20202000,
+    0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
+    0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
+    0x34343400,0x7e7e7e00,0x76767600,0x05050500,
+    0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
+    0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
+    0x14141400,0x58585800,0x3a3a3a00,0x61616100,
+    0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
+    0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
+    0x53535300,0x18181800,0xf2f2f200,0x22222200,
+    0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
+    0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
+    0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
+    0x60606000,0xfcfcfc00,0x69696900,0x50505000,
+    0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
+    0xa1a1a100,0x89898900,0x62626200,0x97979700,
+    0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
+    0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
+    0x10101000,0xc4c4c400,0x00000000,0x48484800,
+    0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
+    0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
+    0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
+    0x87878700,0x5c5c5c00,0x83838300,0x02020200,
+    0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
+    0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
+    0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
+    0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
+    0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
+    0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
+    0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
+    0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
+    0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
+    0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
+    0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
+    0x78787800,0x98989800,0x06060600,0x6a6a6a00,
+    0xe7e7e700,0x46464600,0x71717100,0xbababa00,
+    0xd4d4d400,0x25252500,0xababab00,0x42424200,
+    0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
+    0x72727200,0x07070700,0xb9b9b900,0x55555500,
+    0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
+    0x36363600,0x49494900,0x2a2a2a00,0x68686800,
+    0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
+    0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
+    0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
+    0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
+    0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
+};
+
+static const PRUint32 camellia_sp0222[256] = {
+    0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
+    0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
+    0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
+    0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
+    0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
+    0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
+    0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
+    0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
+    0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
+    0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
+    0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
+    0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
+    0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
+    0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
+    0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
+    0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
+    0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
+    0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
+    0x00e8e8e8,0x00242424,0x00565656,0x00404040,
+    0x00e1e1e1,0x00636363,0x00090909,0x00333333,
+    0x00bfbfbf,0x00989898,0x00979797,0x00858585,
+    0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
+    0x00dadada,0x006f6f6f,0x00535353,0x00626262,
+    0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
+    0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
+    0x00bdbdbd,0x00363636,0x00222222,0x00383838,
+    0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
+    0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
+    0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
+    0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
+    0x00484848,0x00101010,0x00d1d1d1,0x00515151,
+    0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
+    0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
+    0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
+    0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
+    0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
+    0x00202020,0x00898989,0x00000000,0x00909090,
+    0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
+    0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
+    0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
+    0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
+    0x009b9b9b,0x00949494,0x00212121,0x00666666,
+    0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
+    0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
+    0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
+    0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
+    0x00030303,0x002d2d2d,0x00dedede,0x00969696,
+    0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
+    0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
+    0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
+    0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
+    0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
+    0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
+    0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
+    0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
+    0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
+    0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
+    0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
+    0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
+    0x00787878,0x00707070,0x00e3e3e3,0x00494949,
+    0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
+    0x00777777,0x00939393,0x00868686,0x00838383,
+    0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
+    0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
+};
+
+static const PRUint32 camellia_sp3033[256] = {
+    0x38003838,0x41004141,0x16001616,0x76007676,
+    0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
+    0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
+    0x75007575,0x06000606,0x57005757,0xa000a0a0,
+    0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
+    0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
+    0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
+    0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
+    0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
+    0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
+    0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
+    0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
+    0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
+    0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
+    0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
+    0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
+    0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
+    0xfd00fdfd,0x66006666,0x58005858,0x96009696,
+    0x3a003a3a,0x09000909,0x95009595,0x10001010,
+    0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
+    0xef00efef,0x26002626,0xe500e5e5,0x61006161,
+    0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
+    0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
+    0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
+    0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
+    0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
+    0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
+    0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
+    0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
+    0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
+    0x12001212,0x04000404,0x74007474,0x54005454,
+    0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
+    0x55005555,0x68006868,0x50005050,0xbe00bebe,
+    0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
+    0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
+    0x70007070,0xff00ffff,0x32003232,0x69006969,
+    0x08000808,0x62006262,0x00000000,0x24002424,
+    0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
+    0x45004545,0x81008181,0x73007373,0x6d006d6d,
+    0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
+    0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
+    0xe600e6e6,0x25002525,0x48004848,0x99009999,
+    0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
+    0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
+    0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
+    0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
+    0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
+    0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
+    0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
+    0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
+    0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
+    0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
+    0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
+    0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
+    0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
+    0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
+    0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
+    0x7c007c7c,0x77007777,0x56005656,0x05000505,
+    0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
+    0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
+    0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
+    0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
+    0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
+    0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
+};
+
+static const PRUint32 camellia_sp4404[256] = {
+    0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0,
+    0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae,
+    0x23230023,0x6b6b006b,0x45450045,0xa5a500a5,
+    0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092,
+    0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f,
+    0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b,
+    0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d,
+    0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c,
+    0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0,
+    0x74740074,0x2b2b002b,0xf0f000f0,0x84840084,
+    0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076,
+    0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004,
+    0x14140014,0x3a3a003a,0xdede00de,0x11110011,
+    0x32320032,0x9c9c009c,0x53530053,0xf2f200f2,
+    0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a,
+    0x24240024,0xe8e800e8,0x60600060,0x69690069,
+    0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062,
+    0x54540054,0x1e1e001e,0xe0e000e0,0x64640064,
+    0x10100010,0x00000000,0xa3a300a3,0x75750075,
+    0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd,
+    0x87870087,0x83830083,0xcdcd00cd,0x90900090,
+    0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf,
+    0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6,
+    0x81810081,0x6f6f006f,0x13130013,0x63630063,
+    0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc,
+    0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4,
+    0x78780078,0x06060006,0xe7e700e7,0x71710071,
+    0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d,
+    0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac,
+    0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1,
+    0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043,
+    0x15150015,0xadad00ad,0x77770077,0x80800080,
+    0x82820082,0xecec00ec,0x27270027,0xe5e500e5,
+    0x85850085,0x35350035,0x0c0c000c,0x41410041,
+    0xefef00ef,0x93930093,0x19190019,0x21210021,
+    0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd,
+    0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce,
+    0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a,
+    0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d,
+    0x01010001,0xd6d600d6,0x56560056,0x4d4d004d,
+    0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d,
+    0x12120012,0x20200020,0xb1b100b1,0x99990099,
+    0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005,
+    0xb7b700b7,0x31310031,0x17170017,0xd7d700d7,
+    0x58580058,0x61610061,0x1b1b001b,0x1c1c001c,
+    0x0f0f000f,0x16160016,0x18180018,0x22220022,
+    0x44440044,0xb2b200b2,0xb5b500b5,0x91910091,
+    0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050,
+    0xd0d000d0,0x7d7d007d,0x89890089,0x97970097,
+    0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2,
+    0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db,
+    0x03030003,0xdada00da,0x3f3f003f,0x94940094,
+    0x5c5c005c,0x02020002,0x4a4a004a,0x33330033,
+    0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2,
+    0x9b9b009b,0x26260026,0x37370037,0x3b3b003b,
+    0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e,
+    0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e,
+    0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059,
+    0x98980098,0x6a6a006a,0x46460046,0xbaba00ba,
+    0x25250025,0x42420042,0xa2a200a2,0xfafa00fa,
+    0x07070007,0x55550055,0xeeee00ee,0x0a0a000a,
+    0x49490049,0x68680068,0x38380038,0xa4a400a4,
+    0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1,
+    0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e,
+};
+
+
+/**
+ * Stuff related to the Camellia key schedule
+ */
+#define subl(x) subL[(x)]
+#define subr(x) subR[(x)]
+
+void camellia_setup128(const unsigned char *key, PRUint32 *subkey)
+{
+    PRUint32 kll, klr, krl, krr;
+    PRUint32 il, ir, t0, t1, w0, w1;
+    PRUint32 kw4l, kw4r, dw, tl, tr;
+    PRUint32 subL[26];
+    PRUint32 subR[26];
+
+    /**
+     *  k == kll || klr || krl || krr (|| is concatination)
+     */
+    kll = GETU32(key     );
+    klr = GETU32(key +  4);
+    krl = GETU32(key +  8);
+    krr = GETU32(key + 12);
+    /**
+     * generate KL dependent subkeys
+     */
+    subl(0) = kll; subr(0) = klr;
+    subl(1) = krl; subr(1) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(4) = kll; subr(4) = klr;
+    subl(5) = krl; subr(5) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
+    subl(10) = kll; subr(10) = klr;
+    subl(11) = krl; subr(11) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(13) = krl; subr(13) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
+    subl(16) = kll; subr(16) = klr;
+    subl(17) = krl; subr(17) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
+    subl(18) = kll; subr(18) = klr;
+    subl(19) = krl; subr(19) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
+    subl(22) = kll; subr(22) = klr;
+    subl(23) = krl; subr(23) = krr;
+
+    /* generate KA */
+    kll = subl(0); klr = subr(0);
+    krl = subl(1); krr = subr(1);
+    CAMELLIA_F(kll, klr,
+	       CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
+	       w0, w1, il, ir, t0, t1);
+    krl ^= w0; krr ^= w1;
+    CAMELLIA_F(krl, krr,
+	       CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
+	       kll, klr, il, ir, t0, t1);
+    CAMELLIA_F(kll, klr,
+	       CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
+	       krl, krr, il, ir, t0, t1);
+    krl ^= w0; krr ^= w1;
+    CAMELLIA_F(krl, krr,
+	       CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
+	       w0, w1, il, ir, t0, t1);
+    kll ^= w0; klr ^= w1;
+
+    /* generate KA dependent subkeys */
+    subl(2) = kll; subr(2) = klr;
+    subl(3) = krl; subr(3) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(6) = kll; subr(6) = klr;
+    subl(7) = krl; subr(7) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(8) = kll; subr(8) = klr;
+    subl(9) = krl; subr(9) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(12) = kll; subr(12) = klr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(14) = kll; subr(14) = klr;
+    subl(15) = krl; subr(15) = krr;
+    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
+    subl(20) = kll; subr(20) = klr;
+    subl(21) = krl; subr(21) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
+    subl(24) = kll; subr(24) = klr;
+    subl(25) = krl; subr(25) = krr;
+
+
+    /* absorb kw2 to other subkeys */
+    subl(3) ^= subl(1); subr(3) ^= subr(1);
+    subl(5) ^= subl(1); subr(5) ^= subr(1);
+    subl(7) ^= subl(1); subr(7) ^= subr(1);
+    subl(1) ^= subr(1) & ~subr(9);
+    dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
+    subl(11) ^= subl(1); subr(11) ^= subr(1);
+    subl(13) ^= subl(1); subr(13) ^= subr(1);
+    subl(15) ^= subl(1); subr(15) ^= subr(1);
+    subl(1) ^= subr(1) & ~subr(17);
+    dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
+    subl(19) ^= subl(1); subr(19) ^= subr(1);
+    subl(21) ^= subl(1); subr(21) ^= subr(1);
+    subl(23) ^= subl(1); subr(23) ^= subr(1);
+    subl(24) ^= subl(1); subr(24) ^= subr(1);
+
+    /* absorb kw4 to other subkeys */
+    kw4l = subl(25); kw4r = subr(25);
+    subl(22) ^= kw4l; subr(22) ^= kw4r;
+    subl(20) ^= kw4l; subr(20) ^= kw4r;
+    subl(18) ^= kw4l; subr(18) ^= kw4r;
+    kw4l ^= kw4r & ~subr(16);
+    dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
+    subl(14) ^= kw4l; subr(14) ^= kw4r;
+    subl(12) ^= kw4l; subr(12) ^= kw4r;
+    subl(10) ^= kw4l; subr(10) ^= kw4r;
+    kw4l ^= kw4r & ~subr(8);
+    dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
+    subl(6) ^= kw4l; subr(6) ^= kw4r;
+    subl(4) ^= kw4l; subr(4) ^= kw4r;
+    subl(2) ^= kw4l; subr(2) ^= kw4r;
+    subl(0) ^= kw4l; subr(0) ^= kw4r;
+
+    /* key XOR is end of F-function */
+    CamelliaSubkeyL(0) = subl(0) ^ subl(2);
+    CamelliaSubkeyR(0) = subr(0) ^ subr(2);
+    CamelliaSubkeyL(2) = subl(3);
+    CamelliaSubkeyR(2) = subr(3);
+    CamelliaSubkeyL(3) = subl(2) ^ subl(4);
+    CamelliaSubkeyR(3) = subr(2) ^ subr(4);
+    CamelliaSubkeyL(4) = subl(3) ^ subl(5);
+    CamelliaSubkeyR(4) = subr(3) ^ subr(5);
+    CamelliaSubkeyL(5) = subl(4) ^ subl(6);
+    CamelliaSubkeyR(5) = subr(4) ^ subr(6);
+    CamelliaSubkeyL(6) = subl(5) ^ subl(7);
+    CamelliaSubkeyR(6) = subr(5) ^ subr(7);
+    tl = subl(10) ^ (subr(10) & ~subr(8));
+    dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(7) = subl(6) ^ tl;
+    CamelliaSubkeyR(7) = subr(6) ^ tr;
+    CamelliaSubkeyL(8) = subl(8);
+    CamelliaSubkeyR(8) = subr(8);
+    CamelliaSubkeyL(9) = subl(9);
+    CamelliaSubkeyR(9) = subr(9);
+    tl = subl(7) ^ (subr(7) & ~subr(9));
+    dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(10) = tl ^ subl(11);
+    CamelliaSubkeyR(10) = tr ^ subr(11);
+    CamelliaSubkeyL(11) = subl(10) ^ subl(12);
+    CamelliaSubkeyR(11) = subr(10) ^ subr(12);
+    CamelliaSubkeyL(12) = subl(11) ^ subl(13);
+    CamelliaSubkeyR(12) = subr(11) ^ subr(13);
+    CamelliaSubkeyL(13) = subl(12) ^ subl(14);
+    CamelliaSubkeyR(13) = subr(12) ^ subr(14);
+    CamelliaSubkeyL(14) = subl(13) ^ subl(15);
+    CamelliaSubkeyR(14) = subr(13) ^ subr(15);
+    tl = subl(18) ^ (subr(18) & ~subr(16));
+    dw = tl & subl(16),	tr = subr(18) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(15) = subl(14) ^ tl;
+    CamelliaSubkeyR(15) = subr(14) ^ tr;
+    CamelliaSubkeyL(16) = subl(16);
+    CamelliaSubkeyR(16) = subr(16);
+    CamelliaSubkeyL(17) = subl(17);
+    CamelliaSubkeyR(17) = subr(17);
+    tl = subl(15) ^ (subr(15) & ~subr(17));
+    dw = tl & subl(17),	tr = subr(15) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(18) = tl ^ subl(19);
+    CamelliaSubkeyR(18) = tr ^ subr(19);
+    CamelliaSubkeyL(19) = subl(18) ^ subl(20);
+    CamelliaSubkeyR(19) = subr(18) ^ subr(20);
+    CamelliaSubkeyL(20) = subl(19) ^ subl(21);
+    CamelliaSubkeyR(20) = subr(19) ^ subr(21);
+    CamelliaSubkeyL(21) = subl(20) ^ subl(22);
+    CamelliaSubkeyR(21) = subr(20) ^ subr(22);
+    CamelliaSubkeyL(22) = subl(21) ^ subl(23);
+    CamelliaSubkeyR(22) = subr(21) ^ subr(23);
+    CamelliaSubkeyL(23) = subl(22);
+    CamelliaSubkeyR(23) = subr(22);
+    CamelliaSubkeyL(24) = subl(24) ^ subl(23);
+    CamelliaSubkeyR(24) = subr(24) ^ subr(23);
+
+    /* apply the inverse of the last half of P-function */
+    dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
+    dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
+    dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
+    dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
+    dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
+    dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
+    dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
+    dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
+    dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
+    dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
+    dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
+    dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
+    dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
+    dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
+    dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
+    dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
+    dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
+    dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
+
+    return;
+}
+
+void camellia_setup256(const unsigned char *key, PRUint32 *subkey)
+{
+    PRUint32 kll,klr,krl,krr;           /* left half of key */
+    PRUint32 krll,krlr,krrl,krrr;       /* right half of key */
+    PRUint32 il, ir, t0, t1, w0, w1;    /* temporary variables */
+    PRUint32 kw4l, kw4r, dw, tl, tr;
+    PRUint32 subL[34];
+    PRUint32 subR[34];
+
+    /**
+     *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
+     *  (|| is concatination)
+     */
+
+    kll  = GETU32(key     );
+    klr  = GETU32(key +  4);
+    krl  = GETU32(key +  8);
+    krr  = GETU32(key + 12);
+    krll = GETU32(key + 16);
+    krlr = GETU32(key + 20);
+    krrl = GETU32(key + 24);
+    krrr = GETU32(key + 28);
+
+    /* generate KL dependent subkeys */
+    subl(0) = kll; subr(0) = klr;
+    subl(1) = krl; subr(1) = krr;
+    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 45);
+    subl(12) = kll; subr(12) = klr;
+    subl(13) = krl; subr(13) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(16) = kll; subr(16) = klr;
+    subl(17) = krl; subr(17) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 17);
+    subl(22) = kll; subr(22) = klr;
+    subl(23) = krl; subr(23) = krr;
+    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 34);
+    subl(30) = kll; subr(30) = klr;
+    subl(31) = krl; subr(31) = krr;
+
+    /* generate KR dependent subkeys */
+    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
+    subl(4) = krll; subr(4) = krlr;
+    subl(5) = krrl; subr(5) = krrr;
+    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 15);
+    subl(8) = krll; subr(8) = krlr;
+    subl(9) = krrl; subr(9) = krrr;
+    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
+    subl(18) = krll; subr(18) = krlr;
+    subl(19) = krrl; subr(19) = krrr;
+    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
+    subl(26) = krll; subr(26) = krlr;
+    subl(27) = krrl; subr(27) = krrr;
+    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 34);
+
+    /* generate KA */
+    kll = subl(0) ^ krll; klr = subr(0) ^ krlr;
+    krl = subl(1) ^ krrl; krr = subr(1) ^ krrr;
+    CAMELLIA_F(kll, klr,
+	       CAMELLIA_SIGMA1L, CAMELLIA_SIGMA1R,
+	       w0, w1, il, ir, t0, t1);
+    krl ^= w0; krr ^= w1;
+    CAMELLIA_F(krl, krr,
+	       CAMELLIA_SIGMA2L, CAMELLIA_SIGMA2R,
+	       kll, klr, il, ir, t0, t1);
+    kll ^= krll; klr ^= krlr;
+    CAMELLIA_F(kll, klr,
+	       CAMELLIA_SIGMA3L, CAMELLIA_SIGMA3R,
+	       krl, krr, il, ir, t0, t1);
+    krl ^= w0 ^ krrl; krr ^= w1 ^ krrr;
+    CAMELLIA_F(krl, krr,
+	       CAMELLIA_SIGMA4L, CAMELLIA_SIGMA4R,
+	       w0, w1, il, ir, t0, t1);
+    kll ^= w0; klr ^= w1;
+
+    /* generate KB */
+    krll ^= kll; krlr ^= klr;
+    krrl ^= krl; krrr ^= krr;
+    CAMELLIA_F(krll, krlr,
+	       CAMELLIA_SIGMA5L, CAMELLIA_SIGMA5R,
+	       w0, w1, il, ir, t0, t1);
+    krrl ^= w0; krrr ^= w1;
+    CAMELLIA_F(krrl, krrr,
+	       CAMELLIA_SIGMA6L, CAMELLIA_SIGMA6R,
+	       w0, w1, il, ir, t0, t1);
+    krll ^= w0; krlr ^= w1;
+
+    /* generate KA dependent subkeys */
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 15);
+    subl(6) = kll; subr(6) = klr;
+    subl(7) = krl; subr(7) = krr;
+    CAMELLIA_ROLDQ(kll, klr, krl, krr, w0, w1, 30);
+    subl(14) = kll; subr(14) = klr;
+    subl(15) = krl; subr(15) = krr;
+    subl(24) = klr; subr(24) = krl;
+    subl(25) = krr; subr(25) = kll;
+    CAMELLIA_ROLDQo32(kll, klr, krl, krr, w0, w1, 49);
+    subl(28) = kll; subr(28) = klr;
+    subl(29) = krl; subr(29) = krr;
+
+    /* generate KB dependent subkeys */
+    subl(2) = krll; subr(2) = krlr;
+    subl(3) = krrl; subr(3) = krrr;
+    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
+    subl(10) = krll; subr(10) = krlr;
+    subl(11) = krrl; subr(11) = krrr;
+    CAMELLIA_ROLDQ(krll, krlr, krrl, krrr, w0, w1, 30);
+    subl(20) = krll; subr(20) = krlr;
+    subl(21) = krrl; subr(21) = krrr;
+    CAMELLIA_ROLDQo32(krll, krlr, krrl, krrr, w0, w1, 51);
+    subl(32) = krll; subr(32) = krlr;
+    subl(33) = krrl; subr(33) = krrr;
+
+    /* absorb kw2 to other subkeys */
+    subl(3) ^= subl(1); subr(3) ^= subr(1);
+    subl(5) ^= subl(1); subr(5) ^= subr(1);
+    subl(7) ^= subl(1); subr(7) ^= subr(1);
+    subl(1) ^= subr(1) & ~subr(9);
+    dw = subl(1) & subl(9), subr(1) ^= CAMELLIA_RL1(dw);
+    subl(11) ^= subl(1); subr(11) ^= subr(1);
+    subl(13) ^= subl(1); subr(13) ^= subr(1);
+    subl(15) ^= subl(1); subr(15) ^= subr(1);
+    subl(1) ^= subr(1) & ~subr(17);
+    dw = subl(1) & subl(17), subr(1) ^= CAMELLIA_RL1(dw);
+    subl(19) ^= subl(1); subr(19) ^= subr(1);
+    subl(21) ^= subl(1); subr(21) ^= subr(1);
+    subl(23) ^= subl(1); subr(23) ^= subr(1);
+    subl(1) ^= subr(1) & ~subr(25);
+    dw = subl(1) & subl(25), subr(1) ^= CAMELLIA_RL1(dw);
+    subl(27) ^= subl(1); subr(27) ^= subr(1);
+    subl(29) ^= subl(1); subr(29) ^= subr(1);
+    subl(31) ^= subl(1); subr(31) ^= subr(1);
+    subl(32) ^= subl(1); subr(32) ^= subr(1);
+
+    /* absorb kw4 to other subkeys */
+    kw4l = subl(33); kw4r = subr(33);
+    subl(30) ^= kw4l; subr(30) ^= kw4r;
+    subl(28) ^= kw4l; subr(28) ^= kw4r;
+    subl(26) ^= kw4l; subr(26) ^= kw4r;
+    kw4l ^= kw4r & ~subr(24);
+    dw = kw4l & subl(24), kw4r ^= CAMELLIA_RL1(dw);
+    subl(22) ^= kw4l; subr(22) ^= kw4r;
+    subl(20) ^= kw4l; subr(20) ^= kw4r;
+    subl(18) ^= kw4l; subr(18) ^= kw4r;
+    kw4l ^= kw4r & ~subr(16);
+    dw = kw4l & subl(16), kw4r ^= CAMELLIA_RL1(dw);
+    subl(14) ^= kw4l; subr(14) ^= kw4r;
+    subl(12) ^= kw4l; subr(12) ^= kw4r;
+    subl(10) ^= kw4l; subr(10) ^= kw4r;
+    kw4l ^= kw4r & ~subr(8);
+    dw = kw4l & subl(8), kw4r ^= CAMELLIA_RL1(dw);
+    subl(6) ^= kw4l; subr(6) ^= kw4r;
+    subl(4) ^= kw4l; subr(4) ^= kw4r;
+    subl(2) ^= kw4l; subr(2) ^= kw4r;
+    subl(0) ^= kw4l; subr(0) ^= kw4r;
+
+    /* key XOR is end of F-function */
+    CamelliaSubkeyL(0) = subl(0) ^ subl(2);
+    CamelliaSubkeyR(0) = subr(0) ^ subr(2);
+    CamelliaSubkeyL(2) = subl(3);
+    CamelliaSubkeyR(2) = subr(3);
+    CamelliaSubkeyL(3) = subl(2) ^ subl(4);
+    CamelliaSubkeyR(3) = subr(2) ^ subr(4);
+    CamelliaSubkeyL(4) = subl(3) ^ subl(5);
+    CamelliaSubkeyR(4) = subr(3) ^ subr(5);
+    CamelliaSubkeyL(5) = subl(4) ^ subl(6);
+    CamelliaSubkeyR(5) = subr(4) ^ subr(6);
+    CamelliaSubkeyL(6) = subl(5) ^ subl(7);
+    CamelliaSubkeyR(6) = subr(5) ^ subr(7);
+    tl = subl(10) ^ (subr(10) & ~subr(8));
+    dw = tl & subl(8), tr = subr(10) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(7) = subl(6) ^ tl;
+    CamelliaSubkeyR(7) = subr(6) ^ tr;
+    CamelliaSubkeyL(8) = subl(8);
+    CamelliaSubkeyR(8) = subr(8);
+    CamelliaSubkeyL(9) = subl(9);
+    CamelliaSubkeyR(9) = subr(9);
+    tl = subl(7) ^ (subr(7) & ~subr(9));
+    dw = tl & subl(9), tr = subr(7) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(10) = tl ^ subl(11);
+    CamelliaSubkeyR(10) = tr ^ subr(11);
+    CamelliaSubkeyL(11) = subl(10) ^ subl(12);
+    CamelliaSubkeyR(11) = subr(10) ^ subr(12);
+    CamelliaSubkeyL(12) = subl(11) ^ subl(13);
+    CamelliaSubkeyR(12) = subr(11) ^ subr(13);
+    CamelliaSubkeyL(13) = subl(12) ^ subl(14);
+    CamelliaSubkeyR(13) = subr(12) ^ subr(14);
+    CamelliaSubkeyL(14) = subl(13) ^ subl(15);
+    CamelliaSubkeyR(14) = subr(13) ^ subr(15);
+    tl = subl(18) ^ (subr(18) & ~subr(16));
+    dw = tl & subl(16), tr = subr(18) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(15) = subl(14) ^ tl;
+    CamelliaSubkeyR(15) = subr(14) ^ tr;
+    CamelliaSubkeyL(16) = subl(16);
+    CamelliaSubkeyR(16) = subr(16);
+    CamelliaSubkeyL(17) = subl(17);
+    CamelliaSubkeyR(17) = subr(17);
+    tl = subl(15) ^ (subr(15) & ~subr(17));
+    dw = tl & subl(17), tr = subr(15) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(18) = tl ^ subl(19);
+    CamelliaSubkeyR(18) = tr ^ subr(19);
+    CamelliaSubkeyL(19) = subl(18) ^ subl(20);
+    CamelliaSubkeyR(19) = subr(18) ^ subr(20);
+    CamelliaSubkeyL(20) = subl(19) ^ subl(21);
+    CamelliaSubkeyR(20) = subr(19) ^ subr(21);
+    CamelliaSubkeyL(21) = subl(20) ^ subl(22);
+    CamelliaSubkeyR(21) = subr(20) ^ subr(22);
+    CamelliaSubkeyL(22) = subl(21) ^ subl(23);
+    CamelliaSubkeyR(22) = subr(21) ^ subr(23);
+    tl = subl(26) ^ (subr(26) & ~subr(24));
+    dw = tl & subl(24), tr = subr(26) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(23) = subl(22) ^ tl;
+    CamelliaSubkeyR(23) = subr(22) ^ tr;
+    CamelliaSubkeyL(24) = subl(24);
+    CamelliaSubkeyR(24) = subr(24);
+    CamelliaSubkeyL(25) = subl(25);
+    CamelliaSubkeyR(25) = subr(25);
+    tl = subl(23) ^ (subr(23) &  ~subr(25));
+    dw = tl & subl(25), tr = subr(23) ^ CAMELLIA_RL1(dw);
+    CamelliaSubkeyL(26) = tl ^ subl(27);
+    CamelliaSubkeyR(26) = tr ^ subr(27);
+    CamelliaSubkeyL(27) = subl(26) ^ subl(28);
+    CamelliaSubkeyR(27) = subr(26) ^ subr(28);
+    CamelliaSubkeyL(28) = subl(27) ^ subl(29);
+    CamelliaSubkeyR(28) = subr(27) ^ subr(29);
+    CamelliaSubkeyL(29) = subl(28) ^ subl(30);
+    CamelliaSubkeyR(29) = subr(28) ^ subr(30);
+    CamelliaSubkeyL(30) = subl(29) ^ subl(31);
+    CamelliaSubkeyR(30) = subr(29) ^ subr(31);
+    CamelliaSubkeyL(31) = subl(30);
+    CamelliaSubkeyR(31) = subr(30);
+    CamelliaSubkeyL(32) = subl(32) ^ subl(31);
+    CamelliaSubkeyR(32) = subr(32) ^ subr(31);
+
+    /* apply the inverse of the last half of P-function */
+    dw = CamelliaSubkeyL(2) ^ CamelliaSubkeyR(2), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(2) = CamelliaSubkeyL(2) ^ dw, CamelliaSubkeyL(2) = dw;
+    dw = CamelliaSubkeyL(3) ^ CamelliaSubkeyR(3), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(3) = CamelliaSubkeyL(3) ^ dw, CamelliaSubkeyL(3) = dw;
+    dw = CamelliaSubkeyL(4) ^ CamelliaSubkeyR(4), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(4) = CamelliaSubkeyL(4) ^ dw, CamelliaSubkeyL(4) = dw;
+    dw = CamelliaSubkeyL(5) ^ CamelliaSubkeyR(5), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(5) = CamelliaSubkeyL(5) ^ dw, CamelliaSubkeyL(5) = dw;
+    dw = CamelliaSubkeyL(6) ^ CamelliaSubkeyR(6), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(6) = CamelliaSubkeyL(6) ^ dw, CamelliaSubkeyL(6) = dw;
+    dw = CamelliaSubkeyL(7) ^ CamelliaSubkeyR(7), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(7) = CamelliaSubkeyL(7) ^ dw, CamelliaSubkeyL(7) = dw;
+    dw = CamelliaSubkeyL(10) ^ CamelliaSubkeyR(10), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(10) = CamelliaSubkeyL(10) ^ dw, CamelliaSubkeyL(10) = dw;
+    dw = CamelliaSubkeyL(11) ^ CamelliaSubkeyR(11), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(11) = CamelliaSubkeyL(11) ^ dw, CamelliaSubkeyL(11) = dw;
+    dw = CamelliaSubkeyL(12) ^ CamelliaSubkeyR(12), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(12) = CamelliaSubkeyL(12) ^ dw, CamelliaSubkeyL(12) = dw;
+    dw = CamelliaSubkeyL(13) ^ CamelliaSubkeyR(13), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(13) = CamelliaSubkeyL(13) ^ dw, CamelliaSubkeyL(13) = dw;
+    dw = CamelliaSubkeyL(14) ^ CamelliaSubkeyR(14), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(14) = CamelliaSubkeyL(14) ^ dw, CamelliaSubkeyL(14) = dw;
+    dw = CamelliaSubkeyL(15) ^ CamelliaSubkeyR(15), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(15) = CamelliaSubkeyL(15) ^ dw, CamelliaSubkeyL(15) = dw;
+    dw = CamelliaSubkeyL(18) ^ CamelliaSubkeyR(18), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(18) = CamelliaSubkeyL(18) ^ dw, CamelliaSubkeyL(18) = dw;
+    dw = CamelliaSubkeyL(19) ^ CamelliaSubkeyR(19), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(19) = CamelliaSubkeyL(19) ^ dw, CamelliaSubkeyL(19) = dw;
+    dw = CamelliaSubkeyL(20) ^ CamelliaSubkeyR(20), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(20) = CamelliaSubkeyL(20) ^ dw, CamelliaSubkeyL(20) = dw;
+    dw = CamelliaSubkeyL(21) ^ CamelliaSubkeyR(21), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(21) = CamelliaSubkeyL(21) ^ dw, CamelliaSubkeyL(21) = dw;
+    dw = CamelliaSubkeyL(22) ^ CamelliaSubkeyR(22), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(22) = CamelliaSubkeyL(22) ^ dw, CamelliaSubkeyL(22) = dw;
+    dw = CamelliaSubkeyL(23) ^ CamelliaSubkeyR(23), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(23) = CamelliaSubkeyL(23) ^ dw, CamelliaSubkeyL(23) = dw;
+    dw = CamelliaSubkeyL(26) ^ CamelliaSubkeyR(26), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(26) = CamelliaSubkeyL(26) ^ dw, CamelliaSubkeyL(26) = dw;
+    dw = CamelliaSubkeyL(27) ^ CamelliaSubkeyR(27), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(27) = CamelliaSubkeyL(27) ^ dw, CamelliaSubkeyL(27) = dw;
+    dw = CamelliaSubkeyL(28) ^ CamelliaSubkeyR(28), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(28) = CamelliaSubkeyL(28) ^ dw, CamelliaSubkeyL(28) = dw;
+    dw = CamelliaSubkeyL(29) ^ CamelliaSubkeyR(29), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(29) = CamelliaSubkeyL(29) ^ dw, CamelliaSubkeyL(29) = dw;
+    dw = CamelliaSubkeyL(30) ^ CamelliaSubkeyR(30), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
+    dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
+    CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
+    
+    return;
+}
+
+void camellia_setup192(const unsigned char *key, PRUint32 *subkey)
+{
+    unsigned char kk[32];
+    PRUint32 krll, krlr, krrl,krrr;
+
+    memcpy(kk, key, 24);
+    memcpy((unsigned char *)&krll, key+16,4);
+    memcpy((unsigned char *)&krlr, key+20,4);
+    krrl = ~krll;
+    krrr = ~krlr;
+    memcpy(kk+24, (unsigned char *)&krrl, 4);
+    memcpy(kk+28, (unsigned char *)&krrr, 4);
+    camellia_setup256(kk, subkey);
+    return;
+}
+
+
+/**
+ * Stuff related to camellia encryption/decryption
+ *
+ */
+SECStatus
+camellia_encrypt128(const PRUint32 *subkey,
+		    unsigned char *output,
+		    const unsigned char *input)
+{
+    PRUint32 il, ir, t0, t1;
+    PRUint32 io[4];
+
+    io[0] = GETU32(input);
+    io[1] = GETU32(input+4);
+    io[2] = GETU32(input+8);
+    io[3] = GETU32(input+12);
+
+    /* pre whitening but absorb kw2*/
+    io[0] ^= CamelliaSubkeyL(0);
+    io[1] ^= CamelliaSubkeyR(0);
+    /* main iteration */
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
+		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
+		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
+		     io[0],io[1],il,ir,t0,t1);
+
+    /* post whitening but kw4 */
+    io[2] ^= CamelliaSubkeyL(24);
+    io[3] ^= CamelliaSubkeyR(24);
+
+    t0 = io[0];
+    t1 = io[1];
+    io[0] = io[2];
+    io[1] = io[3];
+    io[2] = t0;
+    io[3] = t1;
+
+    PUTU32(output, io[0]);
+    PUTU32(output+4, io[1]);
+    PUTU32(output+8, io[2]);
+    PUTU32(output+12, io[3]);
+
+    return SECSuccess;
+}
+
+SECStatus
+camellia_decrypt128(const PRUint32 *subkey,
+		    unsigned char *output,
+		    const unsigned char *input)
+{
+    PRUint32 il,ir,t0,t1;               /* temporary valiables */
+    PRUint32 io[4];
+
+    io[0] = GETU32(input);
+    io[1] = GETU32(input+4);
+    io[2] = GETU32(input+8);
+    io[3] = GETU32(input+12);
+
+    /* pre whitening but absorb kw2*/
+    io[0] ^= CamelliaSubkeyL(24);
+    io[1] ^= CamelliaSubkeyR(24);
+
+    /* main iteration */
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
+		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
+		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
+		     io[0],io[1],il,ir,t0,t1);
+
+    /* post whitening but kw4 */
+    io[2] ^= CamelliaSubkeyL(0);
+    io[3] ^= CamelliaSubkeyR(0);
+
+    t0 = io[0];
+    t1 = io[1];
+    io[0] = io[2];
+    io[1] = io[3];
+    io[2] = t0;
+    io[3] = t1;
+
+    PUTU32(output, io[0]);
+    PUTU32(output+4, io[1]);
+    PUTU32(output+8, io[2]);
+    PUTU32(output+12, io[3]);
+
+    return SECSuccess;
+}
+
+/**
+ * stuff for 192 and 256bit encryption/decryption
+ */
+SECStatus
+camellia_encrypt256(const PRUint32 *subkey,
+		    unsigned char *output,
+		    const unsigned char *input)
+{
+    PRUint32 il,ir,t0,t1;           /* temporary valiables */
+    PRUint32 io[4];
+
+    io[0] = GETU32(input);
+    io[1] = GETU32(input+4);
+    io[2] = GETU32(input+8);
+    io[3] = GETU32(input+12);
+
+    /* pre whitening but absorb kw2*/
+    io[0] ^= CamelliaSubkeyL(0);
+    io[1] ^= CamelliaSubkeyR(0);
+
+    /* main iteration */
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
+		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
+		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
+		 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
+		     io[0],io[1],il,ir,t0,t1);
+
+    /* post whitening but kw4 */
+    io[2] ^= CamelliaSubkeyL(32);
+    io[3] ^= CamelliaSubkeyR(32);
+
+    t0 = io[0];
+    t1 = io[1];
+    io[0] = io[2];
+    io[1] = io[3];
+    io[2] = t0;
+    io[3] = t1;
+
+    PUTU32(output, io[0]);
+    PUTU32(output+4, io[1]);
+    PUTU32(output+8, io[2]);
+    PUTU32(output+12, io[3]);
+
+    return SECSuccess;
+}
+
+SECStatus
+camellia_decrypt256(const PRUint32 *subkey,
+		    unsigned char *output,
+		    const unsigned char *input)
+{
+    PRUint32 il,ir,t0,t1;           /* temporary valiables */
+    PRUint32 io[4];
+
+    io[0] = GETU32(input);
+    io[1] = GETU32(input+4);
+    io[2] = GETU32(input+8);
+    io[3] = GETU32(input+12);
+
+    /* pre whitening but absorb kw2*/
+    io[0] ^= CamelliaSubkeyL(32);
+    io[1] ^= CamelliaSubkeyR(32);
+	
+    /* main iteration */
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(30),CamelliaSubkeyR(30),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(29),CamelliaSubkeyR(29),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(28),CamelliaSubkeyR(28),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(27),CamelliaSubkeyR(27),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(26),CamelliaSubkeyR(26),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(25),CamelliaSubkeyR(25),
+		 CamelliaSubkeyL(24),CamelliaSubkeyR(24),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(23),CamelliaSubkeyR(23),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(22),CamelliaSubkeyR(22),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(21),CamelliaSubkeyR(21),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(20),CamelliaSubkeyR(20),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(19),CamelliaSubkeyR(19),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(18),CamelliaSubkeyR(18),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(17),CamelliaSubkeyR(17),
+		 CamelliaSubkeyL(16),CamelliaSubkeyR(16),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(15),CamelliaSubkeyR(15),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(14),CamelliaSubkeyR(14),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(13),CamelliaSubkeyR(13),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(12),CamelliaSubkeyR(12),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(11),CamelliaSubkeyR(11),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(10),CamelliaSubkeyR(10),
+		     io[0],io[1],il,ir,t0,t1);
+
+    CAMELLIA_FLS(io[0],io[1],io[2],io[3],
+		 CamelliaSubkeyL(9),CamelliaSubkeyR(9),
+		 CamelliaSubkeyL(8),CamelliaSubkeyR(8),
+		 t0,t1,il,ir);
+
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(7),CamelliaSubkeyR(7),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(6),CamelliaSubkeyR(6),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(5),CamelliaSubkeyR(5),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(4),CamelliaSubkeyR(4),
+		     io[0],io[1],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[0],io[1],
+		     CamelliaSubkeyL(3),CamelliaSubkeyR(3),
+		     io[2],io[3],il,ir,t0,t1);
+    CAMELLIA_ROUNDSM(io[2],io[3],
+		     CamelliaSubkeyL(2),CamelliaSubkeyR(2),
+		     io[0],io[1],il,ir,t0,t1);
+
+    /* post whitening but kw4 */
+    io[2] ^= CamelliaSubkeyL(0);
+    io[3] ^= CamelliaSubkeyR(0);
+
+    t0 = io[0];
+    t1 = io[1];
+    io[0] = io[2];
+    io[1] = io[3];
+    io[2] = t0;
+    io[3] = t1;
+
+    PUTU32(output, io[0]);
+    PUTU32(output+4, io[1]);
+    PUTU32(output+8, io[2]);
+    PUTU32(output+12, io[3]);
+
+    return SECSuccess;
+}
+
+
+/**************************************************************************
+ *
+ * Stuff related to the Camellia key schedule
+ *
+ *************************************************************************/
+
+SECStatus 
+camellia_key_expansion(CamelliaContext *cx, 
+                       const unsigned char *key, 
+                       const unsigned int keysize)
+{
+    cx->keysize = keysize;
+
+    switch(keysize) {
+    case 16:
+	camellia_setup128(key, cx->expandedKey);
+	break;
+    case 24:
+	camellia_setup192(key, cx->expandedKey);
+	break;
+    case 32:
+	camellia_setup256(key, cx->expandedKey);
+	break;
+    default:
+	break;
+    }
+    return SECSuccess;
+}
+
+
+/**************************************************************************
+ *
+ *  Camellia modes of operation (ECB and CBC)
+ *
+ *************************************************************************/
+
+SECStatus 
+camellia_encryptECB(CamelliaContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen)
+{
+    CamelliaBlockFunc *encryptor;
+
+    encryptor = (cx->keysize == 16)
+	? &camellia_encrypt128
+	: &camellia_encrypt256;
+
+    while (inputLen > 0) {
+	(*encryptor)(cx->expandedKey, output, input);
+    
+	output += CAMELLIA_BLOCK_SIZE;
+	input += CAMELLIA_BLOCK_SIZE;
+	inputLen -= CAMELLIA_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+camellia_encryptCBC(CamelliaContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen)
+{
+    unsigned int j;
+    unsigned char *lastblock;
+    unsigned char inblock[CAMELLIA_BLOCK_SIZE];
+    CamelliaBlockFunc *encryptor;
+
+    if (!inputLen)
+	return SECSuccess;
+    lastblock = cx->iv;
+
+    encryptor = (cx->keysize == 16)
+	? &camellia_encrypt128
+	: &camellia_encrypt256;
+
+    while (inputLen > 0) {
+	/* XOR with the last block (IV if first block) */
+	for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
+	    inblock[j] = input[j] ^ lastblock[j];
+	/* encrypt */
+	(*encryptor)(cx->expandedKey, output, inblock);
+
+	/* move to the next block */
+	lastblock = output;
+	output += CAMELLIA_BLOCK_SIZE;
+	input += CAMELLIA_BLOCK_SIZE;
+	inputLen -= CAMELLIA_BLOCK_SIZE;
+    }
+    memcpy(cx->iv, lastblock, CAMELLIA_BLOCK_SIZE);
+    return SECSuccess;
+}
+
+SECStatus 
+camellia_decryptECB(CamelliaContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen)
+{
+    CamelliaBlockFunc *decryptor;
+
+    decryptor = (cx->keysize == 16)
+	? &camellia_decrypt128
+	: &camellia_decrypt256;
+
+
+    while (inputLen > 0) {
+
+	(*decryptor)(cx->expandedKey, output, input);
+
+	output += CAMELLIA_BLOCK_SIZE;
+	input += CAMELLIA_BLOCK_SIZE;
+	inputLen -= CAMELLIA_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+camellia_decryptCBC(CamelliaContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *in;
+    unsigned char *out;
+    unsigned int j;
+    unsigned char newIV[CAMELLIA_BLOCK_SIZE];
+    CamelliaBlockFunc *decryptor;
+
+
+
+    if (!inputLen) 
+	return SECSuccess;
+
+    PORT_Assert(output - input >= 0 || input - output >= (int)inputLen );
+
+    in  = input  + (inputLen - CAMELLIA_BLOCK_SIZE);
+    memcpy(newIV, in, CAMELLIA_BLOCK_SIZE);
+    out = output + (inputLen - CAMELLIA_BLOCK_SIZE);
+
+    decryptor = (cx->keysize == 16)
+	? &camellia_decrypt128
+	: &camellia_decrypt256;
+
+    while (inputLen > CAMELLIA_BLOCK_SIZE) {
+	(*decryptor)(cx->expandedKey, out, in);
+
+	for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
+	    out[j] ^= in[(int)(j - CAMELLIA_BLOCK_SIZE)];
+
+	out -= CAMELLIA_BLOCK_SIZE;
+	in -= CAMELLIA_BLOCK_SIZE;
+	inputLen -= CAMELLIA_BLOCK_SIZE;
+    }
+    if (in == input) {
+	(*decryptor)(cx->expandedKey, out, in);
+
+	for (j=0; j<CAMELLIA_BLOCK_SIZE; ++j)
+	    out[j] ^= cx->iv[j];
+    }
+    memcpy(cx->iv, newIV, CAMELLIA_BLOCK_SIZE);
+    return SECSuccess;
+}
+
+/**************************************************************************
+ *
+ * BLAPI Interface functions
+ *
+ *************************************************************************/
+
+CamelliaContext *
+Camellia_AllocateContext(void)
+{
+    return PORT_ZNew(CamelliaContext);
+}
+
+SECStatus   
+Camellia_InitContext(CamelliaContext *cx, const unsigned char *key,
+		     unsigned int keysize, 
+		     const unsigned char *iv, int mode, unsigned int encrypt,
+		     unsigned int unused)
+{
+    if (key == NULL ||
+	(keysize != 16 && keysize != 24 && keysize != 32)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    if (mode == NSS_CAMELLIA_CBC) {
+	memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
+	cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
+    } else {
+	cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
+    }
+
+    /* Generate expanded key */
+    if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
+	goto cleanup;
+
+    return SECSuccess;
+cleanup:
+    return SECFailure;
+}
+
+/*
+ * Camellia_CreateContext
+ * create a new context for Camellia operations
+ */
+
+
+CamelliaContext *
+Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                       int mode, int encrypt,
+                       unsigned int keysize)
+{
+    CamelliaContext *cx;
+
+    if (key == NULL ||
+	(keysize != 16 && keysize != 24 && keysize != 32)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    if (mode != NSS_CAMELLIA && mode != NSS_CAMELLIA_CBC) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    if (mode == NSS_CAMELLIA_CBC && iv == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    cx = PORT_ZNew(CamelliaContext);
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* copy in the iv, if neccessary */
+    if (mode == NSS_CAMELLIA_CBC) {
+	memcpy(cx->iv, iv, CAMELLIA_BLOCK_SIZE);
+	cx->worker = (encrypt) ? &camellia_encryptCBC : &camellia_decryptCBC;
+    } else {
+	cx->worker = (encrypt) ? &camellia_encryptECB : &camellia_decryptECB;
+    }
+    /* copy keysize */
+    cx->keysize = keysize;
+
+    /* Generate expanded key */
+    if (camellia_key_expansion(cx, key, keysize) != SECSuccess)
+	goto cleanup;
+
+    return cx;
+  cleanup:
+    PORT_ZFree(cx, sizeof *cx);
+    return NULL;
+}
+
+/*
+ * Camellia_DestroyContext
+ * 
+ * Zero an Camellia cipher context.  If freeit is true, also free the pointer
+ * to the context.
+ */
+void 
+Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit)
+{
+    if (cx)
+	memset(cx, 0, sizeof *cx);
+    if (freeit)
+	PORT_Free(cx);
+}
+
+/*
+ * Camellia_Encrypt
+ *
+ * Encrypt an arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
+                 unsigned int *outputLen, unsigned int maxOutputLen,
+                 const unsigned char *input, unsigned int inputLen)
+{
+
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL ||
+	outputLen == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+			 input, inputLen);
+}
+
+/*
+ * Camellia_Decrypt
+ *
+ * Decrypt and arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
+                 unsigned int *outputLen, unsigned int maxOutputLen,
+                 const unsigned char *input, unsigned int inputLen)
+{
+
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL
+	|| outputLen == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (inputLen % CAMELLIA_BLOCK_SIZE != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+			 input, inputLen);
+}
diff --git a/security/nss/lib/freebl/camellia.h b/security/nss/lib/freebl/camellia.h
new file mode 100644
index 000000000..dc5e195ae
--- /dev/null
+++ b/security/nss/lib/freebl/camellia.h
@@ -0,0 +1,79 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Camellia code.
+ *
+ * The Initial Developer of the Original Code is
+ * NTT(Nippon Telegraph and Telephone Corporation).
+ *
+ * Portions created by the Initial Developer are Copyright (C) 2006
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * $Id$
+ */
+
+#ifndef _CAMELLIA_H_
+#define _CAMELLIA_H_ 1
+
+#define CAMELLIA_BLOCK_SIZE 16  /* bytes */
+#define CAMELLIA_MIN_KEYSIZE 16 /* bytes */
+#define CAMELLIA_MAX_KEYSIZE 32 /* bytes */
+
+#define CAMELLIA_MAX_EXPANDEDKEY (34*2) /* 32bit unit */
+
+typedef PRUint32 KEY_TABLE_TYPE[CAMELLIA_MAX_EXPANDEDKEY];
+
+typedef SECStatus CamelliaFunc(CamelliaContext *cx, unsigned char *output,
+			       unsigned int *outputLen,
+			       unsigned int maxOutputLen,
+			       const unsigned char *input,
+			       unsigned int inputLen);
+
+typedef SECStatus CamelliaBlockFunc(const PRUint32 *subkey, 
+				    unsigned char *output,
+				    const unsigned char *input);
+
+/* CamelliaContextStr
+ *
+ * Values which maintain the state for Camellia encryption/decryption.
+ *
+ * keysize     - the number of key bits
+ * worker      - the encryption/decryption function to use with this context
+ * iv          - initialization vector for CBC mode
+ * expandedKey - the round keys in 4-byte words
+ */
+struct CamelliaContextStr
+{
+    PRUint32  keysize; /* bytes */
+    CamelliaFunc  *worker;
+    PRUint32      expandedKey[CAMELLIA_MAX_EXPANDEDKEY];
+    PRUint8 iv[CAMELLIA_BLOCK_SIZE];
+};
+
+#endif /* _CAMELLIA_H_ */
diff --git a/security/nss/lib/freebl/config.mk b/security/nss/lib/freebl/config.mk
new file mode 100644
index 000000000..dc2797ea0
--- /dev/null
+++ b/security/nss/lib/freebl/config.mk
@@ -0,0 +1,117 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# only do this in the outermost freebl build.
+ifndef FREEBL_CHILD_BUILD
+
+# We're going to change this build so that it builds libfreebl.a with
+# just loader.c.  Then we have to build this directory twice again to 
+# build the two DSOs.
+# To build libfreebl.a with just loader.c, we must now override many
+# of the make variables setup by the prior inclusion of CORECONF's config.mk
+
+CSRCS		= loader.c 
+SIMPLE_OBJS 	= $(CSRCS:.c=$(OBJ_SUFFIX))
+OBJS 		= $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(SIMPLE_OBJS))
+ALL_TRASH :=    $(TARGETS) $(OBJS) $(OBJDIR) LOGS TAGS $(GARBAGE) \
+                $(NOSUCHFILE) so_locations 
+
+# this is not a recursive child make.  We make a static lib. (archive)
+
+# Override the values defined in coreconf's ruleset.mk.
+#
+# - (1) LIBRARY: a static (archival) library
+# - (2) SHARED_LIBRARY: a shared (dynamic link) library
+# - (3) IMPORT_LIBRARY: an import library, used only on Windows
+# - (4) PROGRAM: an executable binary
+#
+# override these variables to prevent building a DSO/DLL.
+  TARGETS        = $(LIBRARY)
+  SHARED_LIBRARY =
+  IMPORT_LIBRARY =
+  PROGRAM        =
+
+else
+# This is a recursive child make. We build the shared lib.
+
+TARGETS      = $(SHARED_LIBRARY)
+LIBRARY      =
+IMPORT_LIBRARY =
+PROGRAM      =
+
+ifeq ($(OS_TARGET), SunOS)
+OS_LIBS += -lkstat
+endif
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+
+RES     = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = freebl.rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nssutil3.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
+endif
+
+endif
diff --git a/security/nss/lib/freebl/des.c b/security/nss/lib/freebl/des.c
new file mode 100644
index 000000000..92c84692b
--- /dev/null
+++ b/security/nss/lib/freebl/des.c
@@ -0,0 +1,689 @@
+/*
+ *  des.c
+ *
+ *  core source file for DES-150 library
+ *  Make key schedule from DES key.
+ *  Encrypt/Decrypt one 8-byte block.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson B. Bolyard, nelsonb@iname.com.
+ * Portions created by the Initial Developer are Copyright (C) 1990
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "des.h"
+#include <stddef.h>	/* for ptrdiff_t */
+/* #define USE_INDEXING 1 */
+
+/*
+ * The tables below are the 8 sbox functions, with the 6-bit input permutation 
+ * and the 32-bit output permutation pre-computed.
+ * They are shifted circularly to the left 3 bits, which removes 2 shifts
+ * and an or from each round by reducing the number of sboxes whose
+ * indices cross word broundaries from 2 to 1.  
+ */
+
+static const HALF SP[8][64] = {
+/* Box S1 */ { 
+	0x04041000, 0x00000000, 0x00040000, 0x04041010, 
+	0x04040010, 0x00041010, 0x00000010, 0x00040000, 
+	0x00001000, 0x04041000, 0x04041010, 0x00001000, 
+	0x04001010, 0x04040010, 0x04000000, 0x00000010, 
+	0x00001010, 0x04001000, 0x04001000, 0x00041000, 
+	0x00041000, 0x04040000, 0x04040000, 0x04001010, 
+	0x00040010, 0x04000010, 0x04000010, 0x00040010, 
+	0x00000000, 0x00001010, 0x00041010, 0x04000000, 
+	0x00040000, 0x04041010, 0x00000010, 0x04040000, 
+	0x04041000, 0x04000000, 0x04000000, 0x00001000, 
+	0x04040010, 0x00040000, 0x00041000, 0x04000010, 
+	0x00001000, 0x00000010, 0x04001010, 0x00041010, 
+	0x04041010, 0x00040010, 0x04040000, 0x04001010, 
+	0x04000010, 0x00001010, 0x00041010, 0x04041000, 
+	0x00001010, 0x04001000, 0x04001000, 0x00000000, 
+	0x00040010, 0x00041000, 0x00000000, 0x04040010
+    },
+/* Box S2 */ { 
+	0x00420082, 0x00020002, 0x00020000, 0x00420080, 
+	0x00400000, 0x00000080, 0x00400082, 0x00020082, 
+	0x00000082, 0x00420082, 0x00420002, 0x00000002, 
+	0x00020002, 0x00400000, 0x00000080, 0x00400082, 
+	0x00420000, 0x00400080, 0x00020082, 0x00000000, 
+	0x00000002, 0x00020000, 0x00420080, 0x00400002, 
+	0x00400080, 0x00000082, 0x00000000, 0x00420000, 
+	0x00020080, 0x00420002, 0x00400002, 0x00020080, 
+	0x00000000, 0x00420080, 0x00400082, 0x00400000, 
+	0x00020082, 0x00400002, 0x00420002, 0x00020000, 
+	0x00400002, 0x00020002, 0x00000080, 0x00420082, 
+	0x00420080, 0x00000080, 0x00020000, 0x00000002, 
+	0x00020080, 0x00420002, 0x00400000, 0x00000082, 
+	0x00400080, 0x00020082, 0x00000082, 0x00400080, 
+	0x00420000, 0x00000000, 0x00020002, 0x00020080, 
+	0x00000002, 0x00400082, 0x00420082, 0x00420000 
+    },
+/* Box S3 */ { 
+	0x00000820, 0x20080800, 0x00000000, 0x20080020, 
+	0x20000800, 0x00000000, 0x00080820, 0x20000800, 
+	0x00080020, 0x20000020, 0x20000020, 0x00080000, 
+	0x20080820, 0x00080020, 0x20080000, 0x00000820, 
+	0x20000000, 0x00000020, 0x20080800, 0x00000800, 
+	0x00080800, 0x20080000, 0x20080020, 0x00080820, 
+	0x20000820, 0x00080800, 0x00080000, 0x20000820, 
+	0x00000020, 0x20080820, 0x00000800, 0x20000000, 
+	0x20080800, 0x20000000, 0x00080020, 0x00000820, 
+	0x00080000, 0x20080800, 0x20000800, 0x00000000, 
+	0x00000800, 0x00080020, 0x20080820, 0x20000800, 
+	0x20000020, 0x00000800, 0x00000000, 0x20080020, 
+	0x20000820, 0x00080000, 0x20000000, 0x20080820, 
+	0x00000020, 0x00080820, 0x00080800, 0x20000020, 
+	0x20080000, 0x20000820, 0x00000820, 0x20080000, 
+	0x00080820, 0x00000020, 0x20080020, 0x00080800 
+    },
+/* Box S4 */ { 
+	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
+	0x02008200, 0x02000204, 0x02000004, 0x00008004, 
+	0x00000000, 0x02008000, 0x02008000, 0x02008204, 
+	0x00000204, 0x00000000, 0x02000200, 0x02000004, 
+	0x00000004, 0x00008000, 0x02000000, 0x02008004, 
+	0x00000200, 0x02000000, 0x00008004, 0x00008200, 
+	0x02000204, 0x00000004, 0x00008200, 0x02000200, 
+	0x00008000, 0x02008200, 0x02008204, 0x00000204, 
+	0x02000200, 0x02000004, 0x02008000, 0x02008204, 
+	0x00000204, 0x00000000, 0x00000000, 0x02008000, 
+	0x00008200, 0x02000200, 0x02000204, 0x00000004, 
+	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
+	0x02008204, 0x00000204, 0x00000004, 0x00008000, 
+	0x02000004, 0x00008004, 0x02008200, 0x02000204, 
+	0x00008004, 0x00008200, 0x02000000, 0x02008004, 
+	0x00000200, 0x02000000, 0x00008000, 0x02008200 
+    },
+/* Box S5 */ { 
+	0x00000400, 0x08200400, 0x08200000, 0x08000401, 
+	0x00200000, 0x00000400, 0x00000001, 0x08200000, 
+	0x00200401, 0x00200000, 0x08000400, 0x00200401, 
+	0x08000401, 0x08200001, 0x00200400, 0x00000001, 
+	0x08000000, 0x00200001, 0x00200001, 0x00000000, 
+	0x00000401, 0x08200401, 0x08200401, 0x08000400, 
+	0x08200001, 0x00000401, 0x00000000, 0x08000001, 
+	0x08200400, 0x08000000, 0x08000001, 0x00200400, 
+	0x00200000, 0x08000401, 0x00000400, 0x08000000, 
+	0x00000001, 0x08200000, 0x08000401, 0x00200401, 
+	0x08000400, 0x00000001, 0x08200001, 0x08200400, 
+	0x00200401, 0x00000400, 0x08000000, 0x08200001, 
+	0x08200401, 0x00200400, 0x08000001, 0x08200401, 
+	0x08200000, 0x00000000, 0x00200001, 0x08000001, 
+	0x00200400, 0x08000400, 0x00000401, 0x00200000, 
+	0x00000000, 0x00200001, 0x08200400, 0x00000401
+    },
+/* Box S6 */ { 
+	0x80000040, 0x81000000, 0x00010000, 0x81010040, 
+	0x81000000, 0x00000040, 0x81010040, 0x01000000, 
+	0x80010000, 0x01010040, 0x01000000, 0x80000040, 
+	0x01000040, 0x80010000, 0x80000000, 0x00010040, 
+	0x00000000, 0x01000040, 0x80010040, 0x00010000, 
+	0x01010000, 0x80010040, 0x00000040, 0x81000040, 
+	0x81000040, 0x00000000, 0x01010040, 0x81010000, 
+	0x00010040, 0x01010000, 0x81010000, 0x80000000, 
+	0x80010000, 0x00000040, 0x81000040, 0x01010000, 
+	0x81010040, 0x01000000, 0x00010040, 0x80000040, 
+	0x01000000, 0x80010000, 0x80000000, 0x00010040, 
+	0x80000040, 0x81010040, 0x01010000, 0x81000000, 
+	0x01010040, 0x81010000, 0x00000000, 0x81000040, 
+	0x00000040, 0x00010000, 0x81000000, 0x01010040, 
+	0x00010000, 0x01000040, 0x80010040, 0x00000000, 
+	0x81010000, 0x80000000, 0x01000040, 0x80010040 
+    },
+/* Box S7 */ { 
+	0x00800000, 0x10800008, 0x10002008, 0x00000000, 
+	0x00002000, 0x10002008, 0x00802008, 0x10802000, 
+	0x10802008, 0x00800000, 0x00000000, 0x10000008, 
+	0x00000008, 0x10000000, 0x10800008, 0x00002008, 
+	0x10002000, 0x00802008, 0x00800008, 0x10002000, 
+	0x10000008, 0x10800000, 0x10802000, 0x00800008, 
+	0x10800000, 0x00002000, 0x00002008, 0x10802008, 
+	0x00802000, 0x00000008, 0x10000000, 0x00802000, 
+	0x10000000, 0x00802000, 0x00800000, 0x10002008, 
+	0x10002008, 0x10800008, 0x10800008, 0x00000008, 
+	0x00800008, 0x10000000, 0x10002000, 0x00800000, 
+	0x10802000, 0x00002008, 0x00802008, 0x10802000, 
+	0x00002008, 0x10000008, 0x10802008, 0x10800000, 
+	0x00802000, 0x00000000, 0x00000008, 0x10802008, 
+	0x00000000, 0x00802008, 0x10800000, 0x00002000, 
+	0x10000008, 0x10002000, 0x00002000, 0x00800008 
+    },
+/* Box S8 */ { 
+	0x40004100, 0x00004000, 0x00100000, 0x40104100, 
+	0x40000000, 0x40004100, 0x00000100, 0x40000000, 
+	0x00100100, 0x40100000, 0x40104100, 0x00104000, 
+	0x40104000, 0x00104100, 0x00004000, 0x00000100, 
+	0x40100000, 0x40000100, 0x40004000, 0x00004100, 
+	0x00104000, 0x00100100, 0x40100100, 0x40104000, 
+	0x00004100, 0x00000000, 0x00000000, 0x40100100, 
+	0x40000100, 0x40004000, 0x00104100, 0x00100000, 
+	0x00104100, 0x00100000, 0x40104000, 0x00004000, 
+	0x00000100, 0x40100100, 0x00004000, 0x00104100, 
+	0x40004000, 0x00000100, 0x40000100, 0x40100000, 
+	0x40100100, 0x40000000, 0x00100000, 0x40004100, 
+	0x00000000, 0x40104100, 0x00100100, 0x40000100, 
+	0x40100000, 0x40004000, 0x40004100, 0x00000000, 
+	0x40104100, 0x00104000, 0x00104000, 0x00004100, 
+	0x00004100, 0x00100100, 0x40000000, 0x40104000 
+    }
+};
+
+static const HALF PC2[8][64] = {
+/* table 0 */ {
+    0x00000000, 0x00001000, 0x04000000, 0x04001000, 
+    0x00100000, 0x00101000, 0x04100000, 0x04101000, 
+    0x00008000, 0x00009000, 0x04008000, 0x04009000, 
+    0x00108000, 0x00109000, 0x04108000, 0x04109000, 
+    0x00000004, 0x00001004, 0x04000004, 0x04001004, 
+    0x00100004, 0x00101004, 0x04100004, 0x04101004, 
+    0x00008004, 0x00009004, 0x04008004, 0x04009004, 
+    0x00108004, 0x00109004, 0x04108004, 0x04109004, 
+    0x08000000, 0x08001000, 0x0c000000, 0x0c001000, 
+    0x08100000, 0x08101000, 0x0c100000, 0x0c101000, 
+    0x08008000, 0x08009000, 0x0c008000, 0x0c009000, 
+    0x08108000, 0x08109000, 0x0c108000, 0x0c109000, 
+    0x08000004, 0x08001004, 0x0c000004, 0x0c001004, 
+    0x08100004, 0x08101004, 0x0c100004, 0x0c101004, 
+    0x08008004, 0x08009004, 0x0c008004, 0x0c009004, 
+    0x08108004, 0x08109004, 0x0c108004, 0x0c109004
+  },
+/* table 1 */ {
+    0x00000000, 0x00002000, 0x80000000, 0x80002000, 
+    0x00000008, 0x00002008, 0x80000008, 0x80002008, 
+    0x00200000, 0x00202000, 0x80200000, 0x80202000, 
+    0x00200008, 0x00202008, 0x80200008, 0x80202008, 
+    0x20000000, 0x20002000, 0xa0000000, 0xa0002000, 
+    0x20000008, 0x20002008, 0xa0000008, 0xa0002008, 
+    0x20200000, 0x20202000, 0xa0200000, 0xa0202000, 
+    0x20200008, 0x20202008, 0xa0200008, 0xa0202008, 
+    0x00000400, 0x00002400, 0x80000400, 0x80002400, 
+    0x00000408, 0x00002408, 0x80000408, 0x80002408, 
+    0x00200400, 0x00202400, 0x80200400, 0x80202400, 
+    0x00200408, 0x00202408, 0x80200408, 0x80202408, 
+    0x20000400, 0x20002400, 0xa0000400, 0xa0002400, 
+    0x20000408, 0x20002408, 0xa0000408, 0xa0002408, 
+    0x20200400, 0x20202400, 0xa0200400, 0xa0202400, 
+    0x20200408, 0x20202408, 0xa0200408, 0xa0202408
+  },
+/* table 2 */ {
+    0x00000000, 0x00004000, 0x00000020, 0x00004020, 
+    0x00080000, 0x00084000, 0x00080020, 0x00084020, 
+    0x00000800, 0x00004800, 0x00000820, 0x00004820, 
+    0x00080800, 0x00084800, 0x00080820, 0x00084820, 
+    0x00000010, 0x00004010, 0x00000030, 0x00004030, 
+    0x00080010, 0x00084010, 0x00080030, 0x00084030, 
+    0x00000810, 0x00004810, 0x00000830, 0x00004830, 
+    0x00080810, 0x00084810, 0x00080830, 0x00084830, 
+    0x00400000, 0x00404000, 0x00400020, 0x00404020, 
+    0x00480000, 0x00484000, 0x00480020, 0x00484020, 
+    0x00400800, 0x00404800, 0x00400820, 0x00404820, 
+    0x00480800, 0x00484800, 0x00480820, 0x00484820, 
+    0x00400010, 0x00404010, 0x00400030, 0x00404030, 
+    0x00480010, 0x00484010, 0x00480030, 0x00484030, 
+    0x00400810, 0x00404810, 0x00400830, 0x00404830, 
+    0x00480810, 0x00484810, 0x00480830, 0x00484830 
+  },
+/* table 3 */ {
+    0x00000000, 0x40000000, 0x00000080, 0x40000080, 
+    0x00040000, 0x40040000, 0x00040080, 0x40040080, 
+    0x00000040, 0x40000040, 0x000000c0, 0x400000c0, 
+    0x00040040, 0x40040040, 0x000400c0, 0x400400c0, 
+    0x10000000, 0x50000000, 0x10000080, 0x50000080, 
+    0x10040000, 0x50040000, 0x10040080, 0x50040080, 
+    0x10000040, 0x50000040, 0x100000c0, 0x500000c0, 
+    0x10040040, 0x50040040, 0x100400c0, 0x500400c0, 
+    0x00800000, 0x40800000, 0x00800080, 0x40800080, 
+    0x00840000, 0x40840000, 0x00840080, 0x40840080, 
+    0x00800040, 0x40800040, 0x008000c0, 0x408000c0, 
+    0x00840040, 0x40840040, 0x008400c0, 0x408400c0, 
+    0x10800000, 0x50800000, 0x10800080, 0x50800080, 
+    0x10840000, 0x50840000, 0x10840080, 0x50840080, 
+    0x10800040, 0x50800040, 0x108000c0, 0x508000c0, 
+    0x10840040, 0x50840040, 0x108400c0, 0x508400c0 
+  },
+/* table 4 */ {
+    0x00000000, 0x00000008, 0x08000000, 0x08000008, 
+    0x00040000, 0x00040008, 0x08040000, 0x08040008, 
+    0x00002000, 0x00002008, 0x08002000, 0x08002008, 
+    0x00042000, 0x00042008, 0x08042000, 0x08042008, 
+    0x80000000, 0x80000008, 0x88000000, 0x88000008, 
+    0x80040000, 0x80040008, 0x88040000, 0x88040008, 
+    0x80002000, 0x80002008, 0x88002000, 0x88002008, 
+    0x80042000, 0x80042008, 0x88042000, 0x88042008, 
+    0x00080000, 0x00080008, 0x08080000, 0x08080008, 
+    0x000c0000, 0x000c0008, 0x080c0000, 0x080c0008, 
+    0x00082000, 0x00082008, 0x08082000, 0x08082008, 
+    0x000c2000, 0x000c2008, 0x080c2000, 0x080c2008, 
+    0x80080000, 0x80080008, 0x88080000, 0x88080008, 
+    0x800c0000, 0x800c0008, 0x880c0000, 0x880c0008, 
+    0x80082000, 0x80082008, 0x88082000, 0x88082008, 
+    0x800c2000, 0x800c2008, 0x880c2000, 0x880c2008 
+  },
+/* table 5 */ {
+    0x00000000, 0x00400000, 0x00008000, 0x00408000, 
+    0x40000000, 0x40400000, 0x40008000, 0x40408000, 
+    0x00000020, 0x00400020, 0x00008020, 0x00408020, 
+    0x40000020, 0x40400020, 0x40008020, 0x40408020, 
+    0x00001000, 0x00401000, 0x00009000, 0x00409000, 
+    0x40001000, 0x40401000, 0x40009000, 0x40409000, 
+    0x00001020, 0x00401020, 0x00009020, 0x00409020, 
+    0x40001020, 0x40401020, 0x40009020, 0x40409020, 
+    0x00100000, 0x00500000, 0x00108000, 0x00508000, 
+    0x40100000, 0x40500000, 0x40108000, 0x40508000, 
+    0x00100020, 0x00500020, 0x00108020, 0x00508020, 
+    0x40100020, 0x40500020, 0x40108020, 0x40508020, 
+    0x00101000, 0x00501000, 0x00109000, 0x00509000, 
+    0x40101000, 0x40501000, 0x40109000, 0x40509000, 
+    0x00101020, 0x00501020, 0x00109020, 0x00509020, 
+    0x40101020, 0x40501020, 0x40109020, 0x40509020 
+  },
+/* table 6 */ {
+    0x00000000, 0x00000040, 0x04000000, 0x04000040, 
+    0x00000800, 0x00000840, 0x04000800, 0x04000840, 
+    0x00800000, 0x00800040, 0x04800000, 0x04800040, 
+    0x00800800, 0x00800840, 0x04800800, 0x04800840, 
+    0x10000000, 0x10000040, 0x14000000, 0x14000040, 
+    0x10000800, 0x10000840, 0x14000800, 0x14000840, 
+    0x10800000, 0x10800040, 0x14800000, 0x14800040, 
+    0x10800800, 0x10800840, 0x14800800, 0x14800840, 
+    0x00000080, 0x000000c0, 0x04000080, 0x040000c0, 
+    0x00000880, 0x000008c0, 0x04000880, 0x040008c0, 
+    0x00800080, 0x008000c0, 0x04800080, 0x048000c0, 
+    0x00800880, 0x008008c0, 0x04800880, 0x048008c0, 
+    0x10000080, 0x100000c0, 0x14000080, 0x140000c0, 
+    0x10000880, 0x100008c0, 0x14000880, 0x140008c0, 
+    0x10800080, 0x108000c0, 0x14800080, 0x148000c0, 
+    0x10800880, 0x108008c0, 0x14800880, 0x148008c0 
+  },
+/* table 7 */ {
+    0x00000000, 0x00000010, 0x00000400, 0x00000410, 
+    0x00000004, 0x00000014, 0x00000404, 0x00000414, 
+    0x00004000, 0x00004010, 0x00004400, 0x00004410, 
+    0x00004004, 0x00004014, 0x00004404, 0x00004414, 
+    0x20000000, 0x20000010, 0x20000400, 0x20000410, 
+    0x20000004, 0x20000014, 0x20000404, 0x20000414, 
+    0x20004000, 0x20004010, 0x20004400, 0x20004410, 
+    0x20004004, 0x20004014, 0x20004404, 0x20004414, 
+    0x00200000, 0x00200010, 0x00200400, 0x00200410, 
+    0x00200004, 0x00200014, 0x00200404, 0x00200414, 
+    0x00204000, 0x00204010, 0x00204400, 0x00204410, 
+    0x00204004, 0x00204014, 0x00204404, 0x00204414, 
+    0x20200000, 0x20200010, 0x20200400, 0x20200410, 
+    0x20200004, 0x20200014, 0x20200404, 0x20200414, 
+    0x20204000, 0x20204010, 0x20204400, 0x20204410, 
+    0x20204004, 0x20204014, 0x20204404, 0x20204414 
+  }
+};
+
+/*
+ * The PC-1 Permutation
+ * If we number the bits of the 8 bytes of key input like this (in octal):
+ *     00 01 02 03 04 05 06 07 
+ *     10 11 12 13 14 15 16 17 
+ *     20 21 22 23 24 25 26 27 
+ *     30 31 32 33 34 35 36 37 
+ *     40 41 42 43 44 45 46 47 
+ *     50 51 52 53 54 55 56 57 
+ *     60 61 62 63 64 65 66 67 
+ *     70 71 72 73 74 75 76 77 
+ * then after the PC-1 permutation, 
+ * C0 is
+ *     70 60 50 40 30 20 10 00 
+ *     71 61 51 41 31 21 11 01 
+ *     72 62 52 42 32 22 12 02 
+ *     73 63 53 43 
+ * D0 is
+ *     76 66 56 46 36 26 16 06 
+ *     75 65 55 45 35 25 15 05 
+ *     74 64 54 44 34 24 14 04 
+ *                 33 23 13 03 
+ * and these parity bits have been discarded:
+ *     77 67 57 47 37 27 17 07 
+ * 
+ * We achieve this by flipping the input matrix about the diagonal from 70-07,
+ * getting left = 
+ *     77 67 57 47 37 27 17 07 	(these are the parity bits)
+ *     76 66 56 46 36 26 16 06 
+ *     75 65 55 45 35 25 15 05 
+ *     74 64 54 44 34 24 14 04 
+ * right = 
+ *     73 63 53 43 33 23 13 03 
+ *     72 62 52 42 32 22 12 02 
+ *     71 61 51 41 31 21 11 01 
+ *     70 60 50 40 30 20 10 00 
+ * then byte swap right, ala htonl() on a little endian machine.
+ * right = 
+ *     70 60 50 40 30 20 10 00 
+ *     71 67 57 47 37 27 11 07 
+ *     72 62 52 42 32 22 12 02 
+ *     73 63 53 43 33 23 13 03 
+ * then
+ *     c0 = right >> 4;
+ *     d0 = ((left & 0x00ffffff) << 4) | (right & 0xf);
+*/
+
+#define FLIP_RIGHT_DIAGONAL(word, temp) \
+    temp  = (word ^ (word >> 18)) & 0x00003333; \
+    word ^=  temp | (temp << 18); \
+    temp  = (word ^ (word >> 9)) & 0x00550055; \
+    word ^=  temp | (temp << 9);
+
+#define BYTESWAP(word, temp) \
+    word = (word >> 16) | (word << 16); \
+    temp = 0x00ff00ff; \
+    word = ((word & temp) << 8) | ((word >> 8) & temp); 
+
+#define PC1(left, right, c0, d0, temp) \
+    right ^= temp = ((left >> 4) ^ right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; \
+    FLIP_RIGHT_DIAGONAL(left, temp); \
+    FLIP_RIGHT_DIAGONAL(right, temp); \
+    BYTESWAP(right, temp); \
+    c0 = right >> 4; \
+    d0 = ((left & 0x00ffffff) << 4) | (right & 0xf); 
+
+#define LEFT_SHIFT_1( reg ) (((reg << 1) | (reg >> 27)) & 0x0FFFFFFF)
+#define LEFT_SHIFT_2( reg ) (((reg << 2) | (reg >> 26)) & 0x0FFFFFFF)
+
+/*
+ *   setup key schedules from key
+ */
+
+void 
+DES_MakeSchedule( HALF * ks, const BYTE * key,   DESDirection direction)
+{
+    register HALF left, right;
+    register HALF c0, d0;
+    register HALF temp;
+    int           delta;
+    unsigned int  ls;
+
+#if defined(_X86_)
+    left  = HALFPTR(key)[0]; 
+    right = HALFPTR(key)[1]; 
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+#else
+    if (((ptrdiff_t)key & 0x03) == 0) {
+	left  = HALFPTR(key)[0]; 
+	right = HALFPTR(key)[1]; 
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+    } else {
+	left    = ((HALF)key[0] << 24) | ((HALF)key[1] << 16) | 
+		  ((HALF)key[2] << 8)  | key[3];
+	right   = ((HALF)key[4] << 24) | ((HALF)key[5] << 16) | 
+		  ((HALF)key[6] << 8)  | key[7];
+    }
+#endif
+
+    PC1(left, right, c0, d0, temp);
+
+    if (direction == DES_ENCRYPT) {
+	delta = 2 * (int)sizeof(HALF);
+    } else {
+	ks += 30;
+	delta = (-2) * (int)sizeof(HALF);
+    }
+
+    for (ls = 0x8103; ls; ls >>= 1) {
+	if ( ls & 1 ) {
+	    c0 = LEFT_SHIFT_1( c0 );
+	    d0 = LEFT_SHIFT_1( d0 );
+	} else {
+	    c0 = LEFT_SHIFT_2( c0 );
+	    d0 = LEFT_SHIFT_2( d0 );
+	}
+
+#ifdef USE_INDEXING
+#define PC2LOOKUP(b,c) PC2[b][c]
+
+	left   = PC2LOOKUP(0, ((c0 >> 22) & 0x3F) );
+	left  |= PC2LOOKUP(1, ((c0 >> 13) & 0x3F) );
+	left  |= PC2LOOKUP(2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
+	left  |= PC2LOOKUP(3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
+
+	right  = PC2LOOKUP(4, ((d0 >> 22) & 0x3F) );
+	right |= PC2LOOKUP(5, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
+	right |= PC2LOOKUP(6, ((d0 >>  7) & 0x3F) );
+	right |= PC2LOOKUP(7, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
+#else
+#define PC2LOOKUP(b,c) *(HALF *)((BYTE *)&PC2[b][0]+(c))
+
+	left   = PC2LOOKUP(0, ((c0 >> 20) & 0xFC) );
+	left  |= PC2LOOKUP(1, ((c0 >> 11) & 0xFC) );
+	left  |= PC2LOOKUP(2, ((c0 >>  2) & 0xE0) | ((c0 <<  2) & 0x1C) );
+	left  |= PC2LOOKUP(3, ((c0>>16)&0x30)|((c0>>9)&0xC)|((c0<<2)&0xC0));
+
+	right  = PC2LOOKUP(4, ((d0 >> 20) & 0xFC) );
+	right |= PC2LOOKUP(5, ((d0 >> 13) & 0xC0) | ((d0 >> 12) & 0x3C) );
+	right |= PC2LOOKUP(6, ((d0 >>  5) & 0xFC) );
+	right |= PC2LOOKUP(7, ((d0 <<  1) & 0xF0) | ((d0 << 2) & 0x0C));
+#endif
+	/* left  contains key bits for S1 S3 S2 S4 */
+	/* right contains key bits for S6 S8 S5 S7 */
+	temp = (left  << 16)        /* S2 S4 XX XX */
+	     | (right >> 16);       /* XX XX S6 S8 */
+	ks[0] = temp;
+
+	temp = (left  & 0xffff0000) /* S1 S3 XX XX */
+	     | (right & 0x0000ffff);/* XX XX S5 S7 */
+	ks[1] = temp;
+
+	ks = (HALF*)((BYTE *)ks + delta);
+    }
+}
+
+/*
+ * The DES Initial Permutation
+ * if we number the bits of the 8 bytes of input like this (in octal):
+ *     00 01 02 03 04 05 06 07 
+ *     10 11 12 13 14 15 16 17 
+ *     20 21 22 23 24 25 26 27 
+ *     30 31 32 33 34 35 36 37 
+ *     40 41 42 43 44 45 46 47 
+ *     50 51 52 53 54 55 56 57 
+ *     60 61 62 63 64 65 66 67 
+ *     70 71 72 73 74 75 76 77 
+ * then after the initial permutation, they will be in this order. 
+ *     71 61 51 41 31 21 11 01 
+ *     73 63 53 43 33 23 13 03 
+ *     75 65 55 45 35 25 15 05 
+ *     77 67 57 47 37 27 17 07 
+ *     70 60 50 40 30 20 10 00 
+ *     72 62 52 42 32 22 12 02 
+ *     74 64 54 44 34 24 14 04 
+ *     76 66 56 46 36 26 16 06 
+ *
+ * One way to do this is in two steps:
+ * 1. Flip this matrix about the diagonal from 70-07 as done for PC1.
+ * 2. Rearrange the bytes (rows in the matrix above) with the following code.
+ *
+ * #define swapHiLo(word, temp) \
+ *   temp  = (word ^ (word >> 24)) & 0x000000ff; \
+ *   word ^=  temp | (temp << 24); 
+ *
+ *   right ^= temp = ((left << 8) ^ right) & 0xff00ff00; 
+ *   left  ^= temp >> 8; 
+ *   swapHiLo(left, temp);
+ *   swapHiLo(right,temp);
+ *
+ * However, the two steps can be combined, so that the rows are rearranged
+ * while the matrix is being flipped, reducing the number of bit exchange
+ * operations from 8 ot 5.  
+ *
+ * Initial Permutation */
+#define IP(left, right, temp) \
+    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; \
+    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
+    left  ^= temp << 16; \
+    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
+    left  ^= temp >> 2; \
+    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
+    left  ^= temp >> 8; \
+    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
+    left  ^= temp << 1; 
+
+/* The Final (Inverse Initial) permutation is done by reversing the 
+** steps of the Initital Permutation 
+*/
+
+#define FP(left, right, temp) \
+    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
+    left  ^= temp << 1; \
+    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
+    left  ^= temp >> 8; \
+    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
+    left  ^= temp >> 2; \
+    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
+    left  ^= temp << 16; \
+    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; 
+
+void 
+DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
+{
+    register HALF left, right;
+    register HALF temp;
+
+#if defined(_X86_)
+    left  = HALFPTR(inbuf)[0]; 
+    right = HALFPTR(inbuf)[1]; 
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+#else
+    if (((ptrdiff_t)inbuf & 0x03) == 0) {
+	left  = HALFPTR(inbuf)[0]; 
+	right = HALFPTR(inbuf)[1]; 
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+    } else {
+	left    = ((HALF)inbuf[0] << 24) | ((HALF)inbuf[1] << 16) | 
+		  ((HALF)inbuf[2] << 8)  | inbuf[3];
+	right   = ((HALF)inbuf[4] << 24) | ((HALF)inbuf[5] << 16) | 
+		  ((HALF)inbuf[6] << 8)  | inbuf[7];
+    }
+#endif
+
+    IP(left, right, temp);
+
+    /* shift the values left circularly 3 bits. */
+    left  = (left  << 3) | (left  >> 29);
+    right = (right << 3) | (right >> 29);
+
+#ifdef USE_INDEXING
+#define KSLOOKUP(s,b) SP[s][((temp >> (b+2)) & 0x3f)]
+#else
+#define KSLOOKUP(s,b) *(HALF*)((BYTE*)&SP[s][0]+((temp >> b) & 0xFC))
+#endif
+#define ROUND(out, in, r) \
+    temp  = in ^ ks[2*r]; \
+    out ^= KSLOOKUP( 1,  24 ); \
+    out ^= KSLOOKUP( 3,  16 ); \
+    out ^= KSLOOKUP( 5,   8 ); \
+    out ^= KSLOOKUP( 7,   0 ); \
+    temp  = ((in >> 4) | (in << 28)) ^ ks[2*r+1]; \
+    out ^= KSLOOKUP( 0,  24 ); \
+    out ^= KSLOOKUP( 2,  16 ); \
+    out ^= KSLOOKUP( 4,   8 ); \
+    out ^= KSLOOKUP( 6,   0 ); 
+
+    /* Do the 16 Feistel rounds */
+    ROUND(left, right, 0)
+    ROUND(right, left, 1)
+    ROUND(left, right, 2)
+    ROUND(right, left, 3)
+    ROUND(left, right, 4)
+    ROUND(right, left, 5)
+    ROUND(left, right, 6)
+    ROUND(right, left, 7)
+    ROUND(left, right, 8)
+    ROUND(right, left, 9)
+    ROUND(left, right, 10)
+    ROUND(right, left, 11)
+    ROUND(left, right, 12)
+    ROUND(right, left, 13)
+    ROUND(left, right, 14)
+    ROUND(right, left, 15)
+
+    /* now shift circularly right 3 bits to undo the shifting done 
+    ** above.  switch left and right here. 
+    */
+    temp  = (left >> 3) | (left << 29); 
+    left  = (right >> 3) | (right << 29); 
+    right = temp;
+
+    FP(left, right, temp);
+
+#if defined(_X86_)
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+    HALFPTR(outbuf)[0]  = left; 
+    HALFPTR(outbuf)[1]  = right; 
+#else
+    if (((ptrdiff_t)outbuf & 0x03) == 0) {
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+	HALFPTR(outbuf)[0]  = left; 
+	HALFPTR(outbuf)[1]  = right; 
+    } else {
+	outbuf[0] = (BYTE)(left >> 24);
+	outbuf[1] = (BYTE)(left >> 16);
+	outbuf[2] = (BYTE)(left >>  8);
+	outbuf[3] = (BYTE)(left      );
+
+	outbuf[4] = (BYTE)(right >> 24);
+	outbuf[5] = (BYTE)(right >> 16);
+	outbuf[6] = (BYTE)(right >>  8);
+	outbuf[7] = (BYTE)(right      );
+    }
+#endif
+
+}
+
+/* Ackowledgements:
+** Two ideas used in this implementation were shown to me by Dennis Ferguson 
+** in 1990.  He credits them to Richard Outerbridge and Dan Hoey.  They were:
+** 1. The method of computing the Initial and Final permutations.
+** 2. Circularly rotating the SP tables and the initial values of left and 
+**	right to reduce the number of shifts required during the 16 rounds.
+*/
diff --git a/security/nss/lib/freebl/des.h b/security/nss/lib/freebl/des.h
new file mode 100644
index 000000000..1191f026e
--- /dev/null
+++ b/security/nss/lib/freebl/des.h
@@ -0,0 +1,75 @@
+/*
+ *  des.h
+ *
+ *  header file for DES-150 library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson B. Bolyard, nelsonb@iname.com.
+ * Portions created by the Initial Developer are Copyright (C) 1990
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _DES_H_
+#define _DES_H_ 1
+
+#include "blapi.h"
+
+typedef unsigned char BYTE;
+typedef unsigned int  HALF;
+
+#define HALFPTR(x) ((HALF *)(x))
+#define SHORTPTR(x) ((unsigned short *)(x))
+#define BYTEPTR(x) ((BYTE *)(x))
+
+typedef enum {
+    DES_ENCRYPT = 0x5555,
+    DES_DECRYPT = 0xAAAA
+} DESDirection;
+
+typedef void DESFunc(struct DESContextStr *cx, BYTE *out, const BYTE *in, 
+                     unsigned int len);
+
+struct DESContextStr {
+    /* key schedule, 16 internal keys, each with 8 6-bit parts */
+    HALF ks0 [32];
+    HALF ks1 [32];
+    HALF ks2 [32];
+    HALF iv  [2];
+    DESDirection direction;
+    DESFunc  *worker;
+};
+
+void DES_MakeSchedule( HALF * ks, const BYTE * key,   DESDirection direction);
+void DES_Do1Block(     HALF * ks, const BYTE * inbuf, BYTE * outbuf);
+
+#endif
diff --git a/security/nss/lib/freebl/desblapi.c b/security/nss/lib/freebl/desblapi.c
new file mode 100644
index 000000000..b9b3288ac
--- /dev/null
+++ b/security/nss/lib/freebl/desblapi.c
@@ -0,0 +1,301 @@
+/*
+ *  desblapi.c
+ *
+ *  core source file for DES-150 library
+ *  Implement DES Modes of Operation and Triple-DES.
+ *  Adapt DES-150 to blapi API.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson B. Bolyard, nelsonb@iname.com.
+ * Portions created by the Initial Developer are Copyright (C) 1990
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "des.h"
+#include <stddef.h>
+#include "secerr.h"
+
+#if defined(_X86_)
+/* Intel X86 CPUs do unaligned loads and stores without complaint. */
+#define COPY8B(to, from, ptr) \
+    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
+    	HALFPTR(to)[1] = HALFPTR(from)[1]; 
+#elif defined(USE_MEMCPY)
+#define COPY8B(to, from, ptr) memcpy(to, from, 8)
+#else
+#define COPY8B(to, from, ptr) \
+    if (((ptrdiff_t)(ptr) & 0x3) == 0) { \
+    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
+    	HALFPTR(to)[1] = HALFPTR(from)[1]; \
+    } else if (((ptrdiff_t)(ptr) & 0x1) == 0) { \
+    	SHORTPTR(to)[0] = SHORTPTR(from)[0]; \
+    	SHORTPTR(to)[1] = SHORTPTR(from)[1]; \
+    	SHORTPTR(to)[2] = SHORTPTR(from)[2]; \
+    	SHORTPTR(to)[3] = SHORTPTR(from)[3]; \
+    } else { \
+    	BYTEPTR(to)[0] = BYTEPTR(from)[0]; \
+    	BYTEPTR(to)[1] = BYTEPTR(from)[1]; \
+    	BYTEPTR(to)[2] = BYTEPTR(from)[2]; \
+    	BYTEPTR(to)[3] = BYTEPTR(from)[3]; \
+    	BYTEPTR(to)[4] = BYTEPTR(from)[4]; \
+    	BYTEPTR(to)[5] = BYTEPTR(from)[5]; \
+    	BYTEPTR(to)[6] = BYTEPTR(from)[6]; \
+    	BYTEPTR(to)[7] = BYTEPTR(from)[7]; \
+    } 
+#endif
+#define COPY8BTOHALF(to, from) COPY8B(to, from, from)
+#define COPY8BFROMHALF(to, from) COPY8B(to, from, to)
+
+static void 
+DES_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    while (len) {
+	DES_Do1Block(cx->ks0, in, out);
+	len -= 8;
+	in  += 8;
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    while (len) {
+	DES_Do1Block(cx->ks0,  in, out);
+	len -= 8;
+	in  += 8;
+	DES_Do1Block(cx->ks1, out, out);
+	DES_Do1Block(cx->ks2, out, out);
+	out += 8;
+    }
+}
+
+static void 
+DES_CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend = in + len;
+    HALF  vec[2];
+
+    while (in != bufend) {
+	COPY8BTOHALF(vec, in);
+	in += 8;
+	vec[0] ^= cx->iv[0];
+	vec[1] ^= cx->iv[1];
+	DES_Do1Block( cx->ks0, (BYTE *)vec, (BYTE *)cx->iv);
+	COPY8BFROMHALF(out, cx->iv);
+	out += 8;
+    }
+}
+
+static void 
+DES_CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend;
+    HALF oldciphertext[2];
+    HALF plaintext    [2];
+
+    for (bufend = in + len; in != bufend; ) {
+	oldciphertext[0] = cx->iv[0];
+	oldciphertext[1] = cx->iv[1];
+	COPY8BTOHALF(cx->iv, in);
+	in += 8;
+	DES_Do1Block(cx->ks0, (BYTE *)cx->iv, (BYTE *)plaintext);
+	plaintext[0] ^= oldciphertext[0];
+	plaintext[1] ^= oldciphertext[1];
+	COPY8BFROMHALF(out, plaintext);
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend = in + len;
+    HALF  vec[2];
+
+    while (in != bufend) {
+	COPY8BTOHALF(vec, in);
+	in += 8;
+	vec[0] ^= cx->iv[0];
+	vec[1] ^= cx->iv[1];
+	DES_Do1Block( cx->ks0, (BYTE *)vec,    (BYTE *)cx->iv);
+	DES_Do1Block( cx->ks1, (BYTE *)cx->iv, (BYTE *)cx->iv);
+	DES_Do1Block( cx->ks2, (BYTE *)cx->iv, (BYTE *)cx->iv);
+	COPY8BFROMHALF(out, cx->iv);
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend;
+    HALF oldciphertext[2];
+    HALF plaintext    [2];
+
+    for (bufend = in + len; in != bufend; ) {
+	oldciphertext[0] = cx->iv[0];
+	oldciphertext[1] = cx->iv[1];
+	COPY8BTOHALF(cx->iv, in);
+	in += 8;
+	DES_Do1Block(cx->ks0, (BYTE *)cx->iv,    (BYTE *)plaintext);
+	DES_Do1Block(cx->ks1, (BYTE *)plaintext, (BYTE *)plaintext);
+	DES_Do1Block(cx->ks2, (BYTE *)plaintext, (BYTE *)plaintext);
+	plaintext[0] ^= oldciphertext[0];
+	plaintext[1] ^= oldciphertext[1];
+	COPY8BFROMHALF(out, plaintext);
+	out += 8;
+    }
+}
+
+DESContext *
+DES_AllocateContext(void)
+{
+    return PORT_ZNew(DESContext);
+}
+
+SECStatus   
+DES_InitContext(DESContext *cx, const unsigned char *key, unsigned int keylen,
+	        const unsigned char *iv, int mode, unsigned int encrypt,
+	        unsigned int unused)
+{
+    DESDirection opposite;
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT;
+    opposite      = encrypt ? DES_DECRYPT : DES_ENCRYPT;
+    switch (mode) {
+    case NSS_DES:	/* DES ECB */
+	DES_MakeSchedule( cx->ks0, key, cx->direction);
+	cx->worker = &DES_ECB;
+	break;
+
+    case NSS_DES_EDE3:	/* DES EDE ECB */
+	cx->worker = &DES_EDE3_ECB;
+	if (encrypt) {
+	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
+	} else {
+	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
+	}
+	break;
+
+    case NSS_DES_CBC:	/* DES CBC */
+	COPY8BTOHALF(cx->iv, iv);
+	cx->worker = encrypt ? &DES_CBCEn : &DES_CBCDe;
+	DES_MakeSchedule(cx->ks0, key, cx->direction);
+	break;
+
+    case NSS_DES_EDE3_CBC:	/* DES EDE CBC */
+	COPY8BTOHALF(cx->iv, iv);
+	if (encrypt) {
+	    cx->worker = &DES_EDE3CBCEn;
+	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
+	} else {
+	    cx->worker = &DES_EDE3CBCDe;
+	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
+	}
+	break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+DESContext *
+DES_CreateContext(const BYTE * key, const BYTE *iv, int mode, PRBool encrypt)
+{
+    DESContext *cx = PORT_ZNew(DESContext);
+    SECStatus rv   = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0);
+
+    if (rv != SECSuccess) {
+    	PORT_ZFree(cx, sizeof *cx);
+	cx = NULL;
+    }
+    return cx;
+}
+
+void
+DES_DestroyContext(DESContext *cx, PRBool freeit)
+{
+    if (cx) {
+    	memset(cx, 0, sizeof *cx);
+	if (freeit)
+	    PORT_Free(cx);
+    }
+}
+
+SECStatus
+DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
+            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
+{
+
+    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+        cx->direction != DES_ENCRYPT) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    cx->worker(cx, out, in, inLen);
+    if (outLen)
+	*outLen = inLen;
+    return SECSuccess;
+}
+
+SECStatus
+DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
+            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
+{
+
+    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+        cx->direction != DES_DECRYPT) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    cx->worker(cx, out, in, inLen);
+    if (outLen)
+	*outLen = inLen;
+    return SECSuccess;
+}
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
new file mode 100644
index 000000000..4f9a3a746
--- /dev/null
+++ b/security/nss/lib/freebl/dh.c
@@ -0,0 +1,388 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Diffie-Hellman parameter generation, key generation, and secret derivation.
+ * KEA secret generation and verification.
+ *
+ * $Id$
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "blapi.h"
+#include "secitem.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "secmpi.h"
+
+#define DH_SECRET_KEY_LEN      20
+#define KEA_DERIVED_SECRET_LEN 128
+
+SECStatus 
+DH_GenParam(int primeLen, DHParams **params)
+{
+    PRArenaPool *arena;
+    DHParams *dhparams;
+    unsigned char *pb = NULL;
+    unsigned char *ab = NULL;
+    unsigned long counter = 0;
+    mp_int p, q, a, h, psub1, test;
+    mp_err err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!params || primeLen < 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    dhparams = (DHParams *)PORT_ArenaZAlloc(arena, sizeof(DHParams));
+    if (!dhparams) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    dhparams->arena = arena;
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&a) = 0;
+    MP_DIGITS(&h) = 0;
+    MP_DIGITS(&psub1) = 0;
+    MP_DIGITS(&test) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&a) );
+    CHECK_MPI_OK( mp_init(&h) );
+    CHECK_MPI_OK( mp_init(&psub1) );
+    CHECK_MPI_OK( mp_init(&test) );
+    /* generate prime with MPI, uses Miller-Rabin to generate strong prime. */
+    pb = PORT_Alloc(primeLen);
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
+    pb[0]          |= 0x80; /* set high-order bit */
+    pb[primeLen-1] |= 0x01; /* set low-order bit  */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&p, pb, primeLen) );
+    CHECK_MPI_OK( mpp_make_prime(&p, primeLen * 8, PR_TRUE, &counter) );
+    /* construct Sophie-Germain prime q = (p-1)/2. */
+    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
+    CHECK_MPI_OK( mp_div_2(&psub1, &q)    );
+    /* construct a generator from the prime. */
+    ab = PORT_Alloc(primeLen);
+    /* generate a candidate number a in p's field */
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(ab, primeLen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&a, ab, primeLen) );
+    /* force a < p (note that quot(a/p) <= 1) */
+    if ( mp_cmp(&a, &p) > 0 )
+	CHECK_MPI_OK( mp_sub(&a, &p, &a) );
+    do {
+	/* check that a is in the range [2..p-1] */
+	if ( mp_cmp_d(&a, 2) < 0 || mp_cmp(&a, &psub1) >= 0) {
+	    /* a is outside of the allowed range.  Set a=3 and keep going. */
+            mp_set(&a, 3);
+	}
+	/* if a**q mod p != 1 then a is a generator */
+	CHECK_MPI_OK( mp_exptmod(&a, &q, &p, &test) );
+	if ( mp_cmp_d(&test, 1) != 0 )
+	    break;
+	/* increment the candidate and try again. */
+	CHECK_MPI_OK( mp_add_d(&a, 1, &a) );
+    } while (PR_TRUE);
+    MPINT_TO_SECITEM(&p, &dhparams->prime, arena);
+    MPINT_TO_SECITEM(&a, &dhparams->base, arena);
+    *params = dhparams;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&a);
+    mp_clear(&h);
+    mp_clear(&psub1);
+    mp_clear(&test);
+    if (pb) PORT_ZFree(pb, primeLen);
+    if (ab) PORT_ZFree(ab, primeLen);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv)
+	PORT_FreeArena(arena, PR_TRUE);
+    return rv;
+}
+
+SECStatus 
+DH_NewKey(DHParams *params, DHPrivateKey **privKey)
+{
+    PRArenaPool *arena;
+    DHPrivateKey *key;
+    mp_int g, xa, p, Ya;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!params || !privKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    key->arena = arena;
+    MP_DIGITS(&g)  = 0;
+    MP_DIGITS(&xa) = 0;
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&Ya) = 0;
+    CHECK_MPI_OK( mp_init(&g)  );
+    CHECK_MPI_OK( mp_init(&xa) );
+    CHECK_MPI_OK( mp_init(&p)  );
+    CHECK_MPI_OK( mp_init(&Ya) );
+    /* Set private key's p */
+    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->prime, &params->prime) );
+    SECITEM_TO_MPINT(key->prime, &p);
+    /* Set private key's g */
+    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, &params->base) );
+    SECITEM_TO_MPINT(key->base, &g);
+    /* Generate private key xa */
+    SECITEM_AllocItem(arena, &key->privateValue, DH_SECRET_KEY_LEN);
+    RNG_GenerateGlobalRandomBytes(key->privateValue.data, 
+                                  key->privateValue.len);
+    SECITEM_TO_MPINT( key->privateValue, &xa );
+    /* xa < p */
+    CHECK_MPI_OK( mp_mod(&xa, &p, &xa) );
+    /* Compute public key Ya = g ** xa mod p */
+    CHECK_MPI_OK( mp_exptmod(&g, &xa, &p, &Ya) );
+    MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena);
+    *privKey = key;
+cleanup:
+    mp_clear(&g);
+    mp_clear(&xa);
+    mp_clear(&p);
+    mp_clear(&Ya);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv)
+	PORT_FreeArena(arena, PR_TRUE);
+    return rv;
+}
+
+SECStatus 
+DH_Derive(SECItem *publicValue, 
+          SECItem *prime, 
+          SECItem *privateValue, 
+          SECItem *derivedSecret, 
+          unsigned int maxOutBytes)
+{
+    mp_int p, Xa, Yb, ZZ;
+    mp_err err = MP_OKAY;
+    unsigned int len = 0, nb;
+    unsigned char *secret = NULL;
+    if (!publicValue || !prime || !privateValue || !derivedSecret) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&Xa) = 0;
+    MP_DIGITS(&Yb) = 0;
+    MP_DIGITS(&ZZ) = 0;
+    CHECK_MPI_OK( mp_init(&p)  );
+    CHECK_MPI_OK( mp_init(&Xa) );
+    CHECK_MPI_OK( mp_init(&Yb) );
+    CHECK_MPI_OK( mp_init(&ZZ) );
+    SECITEM_TO_MPINT(*publicValue,  &Yb);
+    SECITEM_TO_MPINT(*privateValue, &Xa);
+    SECITEM_TO_MPINT(*prime,        &p);
+    /* ZZ = (Yb)**Xa mod p */
+    CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
+    /* number of bytes in the derived secret */
+    len = mp_unsigned_octet_size(&ZZ);
+    /* allocate a buffer which can hold the entire derived secret. */
+    secret = PORT_Alloc(len);
+    /* grab the derived secret */
+    err = mp_to_unsigned_octets(&ZZ, secret, len);
+    if (err >= 0) err = MP_OKAY;
+    /* Take minimum of bytes requested and bytes in derived secret,
+    ** if maxOutBytes is 0 take all of the bytes from the derived secret.
+    */
+    if (maxOutBytes > 0)
+	nb = PR_MIN(len, maxOutBytes);
+    else
+	nb = len;
+    SECITEM_AllocItem(NULL, derivedSecret, nb);
+    memcpy(derivedSecret->data, secret, nb);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&Xa);
+    mp_clear(&Yb);
+    mp_clear(&ZZ);
+    if (secret) {
+	/* free the buffer allocated for the full secret. */
+	PORT_ZFree(secret, len);
+    }
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	if (derivedSecret->data) 
+	    PORT_ZFree(derivedSecret->data, derivedSecret->len);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+KEA_Derive(SECItem *prime, 
+           SECItem *public1, 
+           SECItem *public2, 
+           SECItem *private1, 
+           SECItem *private2,
+           SECItem *derivedSecret)
+{
+    mp_int p, Y, R, r, x, t, u, w;
+    mp_err err;
+    unsigned char *secret = NULL;
+    unsigned int len = 0, offset;
+    if (!prime || !public1 || !public2 || !private1 || !private2 ||
+        !derivedSecret) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&Y) = 0;
+    MP_DIGITS(&R) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&t) = 0;
+    MP_DIGITS(&u) = 0;
+    MP_DIGITS(&w) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&Y) );
+    CHECK_MPI_OK( mp_init(&R) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&x) );
+    CHECK_MPI_OK( mp_init(&t) );
+    CHECK_MPI_OK( mp_init(&u) );
+    CHECK_MPI_OK( mp_init(&w) );
+    SECITEM_TO_MPINT(*prime,    &p);
+    SECITEM_TO_MPINT(*public1,  &Y);
+    SECITEM_TO_MPINT(*public2,  &R);
+    SECITEM_TO_MPINT(*private1, &r);
+    SECITEM_TO_MPINT(*private2, &x);
+    /* t = DH(Y, r, p) = Y ** r mod p */
+    CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
+    /* u = DH(R, x, p) = R ** x mod p */
+    CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
+    /* w = (t + u) mod p */
+    CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
+    /* allocate a buffer for the full derived secret */
+    len = mp_unsigned_octet_size(&w);
+    secret = PORT_Alloc(len);
+    /* grab the secret */
+    err = mp_to_unsigned_octets(&w, secret, len);
+    if (err > 0) err = MP_OKAY;
+    /* allocate output buffer */
+    SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN);
+    memset(derivedSecret->data, 0, derivedSecret->len);
+    /* copy in the 128 lsb of the secret */
+    if (len >= KEA_DERIVED_SECRET_LEN) {
+	memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
+	       KEA_DERIVED_SECRET_LEN);
+    } else {
+	offset = KEA_DERIVED_SECRET_LEN - len;
+	memcpy(derivedSecret->data + offset, secret, len);
+    }
+cleanup:
+    mp_clear(&p);
+    mp_clear(&Y);
+    mp_clear(&R);
+    mp_clear(&r);
+    mp_clear(&x);
+    mp_clear(&t);
+    mp_clear(&u);
+    mp_clear(&w);
+    if (secret)
+	PORT_ZFree(secret, len);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+PRBool 
+KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+{
+    mp_int p, q, y, r;
+    mp_err err;
+    int cmp = 1;  /* default is false */
+    if (!Y || !prime || !subPrime) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&y) = 0;
+    MP_DIGITS(&r) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&y) );
+    CHECK_MPI_OK( mp_init(&r) );
+    SECITEM_TO_MPINT(*prime,    &p);
+    SECITEM_TO_MPINT(*subPrime, &q);
+    SECITEM_TO_MPINT(*Y,        &y);
+    /* compute r = y**q mod p */
+    CHECK_MPI_OK( mp_exptmod(&y, &q, &p, &r) );
+    /* compare to 1 */
+    cmp = mp_cmp_d(&r, 1);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&y);
+    mp_clear(&r);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return PR_FALSE;
+    }
+    return (cmp == 0) ? PR_TRUE : PR_FALSE;
+}
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
new file mode 100644
index 000000000..7f4c42863
--- /dev/null
+++ b/security/nss/lib/freebl/dsa.c
@@ -0,0 +1,450 @@
+/*
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "nssilock.h"
+#include "secitem.h"
+#include "blapi.h"
+#include "mpi.h"
+#include "secmpi.h"
+
+ /* XXX to be replaced by define in blapit.h */
+#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
+
+/* DSA-specific random number function defined in prng_fips1861.c. */
+extern SECStatus 
+DSA_GenerateGlobalRandomBytes(void *dest, size_t len, const unsigned char *q);
+
+static void translate_mpi_error(mp_err err)
+{
+    MP_TO_SEC_ERROR(err);
+}
+
+SECStatus 
+dsa_NewKey(const PQGParams *params, DSAPrivateKey **privKey, 
+           const unsigned char *xb)
+{
+    mp_int p, g;
+    mp_int x, y;
+    mp_err err;
+    PRArenaPool *arena;
+    DSAPrivateKey *key;
+    /* Check args. */
+    if (!params || !privKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize an arena for the DSA key. */
+    arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    key->params.arena = arena;
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&y) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&g) );
+    CHECK_MPI_OK( mp_init(&x) );
+    CHECK_MPI_OK( mp_init(&y) );
+    /* Copy over the PQG params */
+    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.prime,
+                                          &params->prime) );
+    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.subPrime,
+                                          &params->subPrime) );
+    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.base, &params->base) );
+    /* Convert stored p, g, and received x into MPI integers. */
+    SECITEM_TO_MPINT(params->prime, &p);
+    SECITEM_TO_MPINT(params->base,  &g);
+    OCTETS_TO_MPINT(xb, &x, DSA_SUBPRIME_LEN);
+    /* Store x in private key */
+    SECITEM_AllocItem(arena, &key->privateValue, DSA_SUBPRIME_LEN);
+    memcpy(key->privateValue.data, xb, DSA_SUBPRIME_LEN);
+    /* Compute public key y = g**x mod p */
+    CHECK_MPI_OK( mp_exptmod(&g, &x, &p, &y) );
+    /* Store y in public key */
+    MPINT_TO_SECITEM(&y, &key->publicValue, arena);
+    *privKey = key;
+    key = NULL;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&g);
+    mp_clear(&x);
+    mp_clear(&y);
+    if (key)
+	PORT_FreeArena(key->params.arena, PR_TRUE);
+    if (err) {
+	translate_mpi_error(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+** Generate and return a new DSA public and private key pair,
+**	both of which are encoded into a single DSAPrivateKey struct.
+**	"params" is a pointer to the PQG parameters for the domain
+**	Uses a random seed.
+*/
+SECStatus 
+DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
+{
+    SECStatus rv;
+    unsigned char seed[DSA_SUBPRIME_LEN];
+    int retries = 10;
+    int i;
+    PRBool good;
+
+    do {
+	/* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
+	if (DSA_GenerateGlobalRandomBytes(seed, DSA_SUBPRIME_LEN,
+					  params->subPrime.data))
+	    return SECFailure;
+	/* Disallow values of 0 and 1 for x. */
+	good = PR_FALSE;
+	for (i = 0; i < DSA_SUBPRIME_LEN-1; i++) {
+	    if (seed[i] != 0) {
+		good = PR_TRUE;
+		break;
+	    }
+	}
+	if (!good && seed[i] > 1) {
+	    good = PR_TRUE;
+	}
+    } while (!good && --retries > 0);
+
+    if (!good) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	return SECFailure;
+    }
+
+    /* Generate a new DSA key using random seed. */
+    rv = dsa_NewKey(params, privKey, seed);
+    return rv;
+}
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
+SECStatus 
+DSA_NewKeyFromSeed(const PQGParams *params, 
+                   const unsigned char *seed,
+                   DSAPrivateKey **privKey)
+{
+    SECStatus rv;
+    rv = dsa_NewKey(params, privKey, seed);
+    return rv;
+}
+
+static SECStatus 
+dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+               const unsigned char *kb)
+{
+    mp_int p, q, g;  /* PQG parameters */
+    mp_int x, k;     /* private key & pseudo-random integer */
+    mp_int r, s;     /* tuple (r, s) is signature) */
+    mp_err err   = MP_OKAY;
+    SECStatus rv = SECSuccess;
+
+    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    /* Check args. */
+    if (!key || !signature || !digest ||
+        (signature->len < DSA_SIGNATURE_LEN) ||
+	(digest->len != SHA1_LENGTH)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&k) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&s) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&g) );
+    CHECK_MPI_OK( mp_init(&x) );
+    CHECK_MPI_OK( mp_init(&k) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&s) );
+    /*
+    ** Convert stored PQG and private key into MPI integers.
+    */
+    SECITEM_TO_MPINT(key->params.prime,    &p);
+    SECITEM_TO_MPINT(key->params.subPrime, &q);
+    SECITEM_TO_MPINT(key->params.base,     &g);
+    SECITEM_TO_MPINT(key->privateValue,    &x);
+    OCTETS_TO_MPINT(kb, &k, DSA_SUBPRIME_LEN);
+    /*
+    ** FIPS 186-1, Section 5, Step 1
+    **
+    ** r = (g**k mod p) mod q
+    */
+    CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
+    CHECK_MPI_OK(     mp_mod(&r, &q, &r) );     /* r = r mod q    */
+    /*                                  
+    ** FIPS 186-1, Section 5, Step 2
+    **
+    ** s = (k**-1 * (SHA1(M) + x*r)) mod q
+    */
+    SECITEM_TO_MPINT(*digest, &s);         /* s = SHA1(M)     */
+    CHECK_MPI_OK( mp_invmod(&k, &q, &k) );      /* k = k**-1 mod q */
+    CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) );  /* x = x * r mod q */
+    CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) );  /* s = s + x mod q */
+    CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) );  /* s = s * k mod q */
+    /*
+    ** verify r != 0 and s != 0
+    ** mentioned as optional in FIPS 186-1.
+    */
+    if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /*
+    ** Step 4
+    **
+    ** Signature is tuple (r, s)
+    */
+    err = mp_to_fixlen_octets(&r, signature->data, DSA_SUBPRIME_LEN);
+    if (err < 0) goto cleanup; 
+    err = mp_to_fixlen_octets(&s, signature->data + DSA_SUBPRIME_LEN, 
+                                  DSA_SUBPRIME_LEN);
+    if (err < 0) goto cleanup; 
+    err = MP_OKAY;
+    signature->len = DSA_SIGNATURE_LEN;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&x);
+    mp_clear(&k);
+    mp_clear(&r);
+    mp_clear(&s);
+    if (err) {
+	translate_mpi_error(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* signature is caller-supplied buffer of at least 40 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+** On output, signature->len == size of signature in buffer.
+** Uses a random seed.
+*/
+SECStatus 
+DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
+{
+    SECStatus rv;
+    int       retries = 10;
+    unsigned char kSeed[DSA_SUBPRIME_LEN];
+    int       i;
+    PRBool    good;
+
+    PORT_SetError(0);
+    do {
+	rv = DSA_GenerateGlobalRandomBytes(kSeed, DSA_SUBPRIME_LEN, 
+					   key->params.subPrime.data);
+	if (rv != SECSuccess) 
+	    break;
+	/* Disallow a value of 0 for k. */
+	good = PR_FALSE;
+	for (i = 0; i < DSA_SUBPRIME_LEN; i++) {
+	    if (kSeed[i] != 0) {
+		good = PR_TRUE;
+		break;
+	    }
+	}
+	if (!good) {
+	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	    rv = SECFailure;
+	    continue;
+	}
+	rv = dsa_SignDigest(key, signature, digest, kSeed);
+    } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
+	     --retries > 0);
+    return rv;
+}
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
+SECStatus 
+DSA_SignDigestWithSeed(DSAPrivateKey * key,
+                       SECItem *       signature,
+                       const SECItem * digest,
+                       const unsigned char * seed)
+{
+    SECStatus rv;
+    rv = dsa_SignDigest(key, signature, digest, seed);
+    return rv;
+}
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+*/
+SECStatus 
+DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, 
+                 const SECItem *digest)
+{
+    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    mp_int p, q, g;      /* PQG parameters */
+    mp_int r_, s_;       /* tuple (r', s') is received signature) */
+    mp_int u1, u2, v, w; /* intermediate values used in verification */
+    mp_int y;            /* public key */
+    mp_err err;
+    SECStatus verified = SECFailure;
+
+    /* Check args. */
+    if (!key || !signature || !digest ||
+        (signature->len != DSA_SIGNATURE_LEN) ||
+	(digest->len != SHA1_LENGTH)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&q)  = 0;
+    MP_DIGITS(&g)  = 0;
+    MP_DIGITS(&y)  = 0;
+    MP_DIGITS(&r_) = 0;
+    MP_DIGITS(&s_) = 0;
+    MP_DIGITS(&u1) = 0;
+    MP_DIGITS(&u2) = 0;
+    MP_DIGITS(&v)  = 0;
+    MP_DIGITS(&w)  = 0;
+    CHECK_MPI_OK( mp_init(&p)  );
+    CHECK_MPI_OK( mp_init(&q)  );
+    CHECK_MPI_OK( mp_init(&g)  );
+    CHECK_MPI_OK( mp_init(&y)  );
+    CHECK_MPI_OK( mp_init(&r_) );
+    CHECK_MPI_OK( mp_init(&s_) );
+    CHECK_MPI_OK( mp_init(&u1) );
+    CHECK_MPI_OK( mp_init(&u2) );
+    CHECK_MPI_OK( mp_init(&v)  );
+    CHECK_MPI_OK( mp_init(&w)  );
+    /*
+    ** Convert stored PQG and public key into MPI integers.
+    */
+    SECITEM_TO_MPINT(key->params.prime,    &p);
+    SECITEM_TO_MPINT(key->params.subPrime, &q);
+    SECITEM_TO_MPINT(key->params.base,     &g);
+    SECITEM_TO_MPINT(key->publicValue,     &y);
+    /*
+    ** Convert received signature (r', s') into MPI integers.
+    */
+    OCTETS_TO_MPINT(signature->data, &r_, DSA_SUBPRIME_LEN);
+    OCTETS_TO_MPINT(signature->data + DSA_SUBPRIME_LEN, &s_, DSA_SUBPRIME_LEN);
+    /*
+    ** Verify that 0 < r' < q and 0 < s' < q
+    */
+    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
+        mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {
+	/* err is zero here. */
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	goto cleanup; /* will return verified == SECFailure */
+    }
+    /*
+    ** FIPS 186-1, Section 6, Step 1
+    **
+    ** w = (s')**-1 mod q
+    */
+    CHECK_MPI_OK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */
+    /*
+    ** FIPS 186-1, Section 6, Step 2
+    **
+    ** u1 = ((SHA1(M')) * w) mod q
+    */
+    SECITEM_TO_MPINT(*digest, &u1);              /* u1 = SHA1(M')     */
+    CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
+    /*
+    ** FIPS 186-1, Section 6, Step 3
+    **
+    ** u2 = ((r') * w) mod q
+    */
+    CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) );
+    /*
+    ** FIPS 186-1, Section 6, Step 4
+    **
+    ** v = ((g**u1 * y**u2) mod p) mod q
+    */
+    CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */
+    CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */
+    CHECK_MPI_OK(  mp_mulmod(&g, &y, &p, &v)  ); /* v = g * y mod p */
+    CHECK_MPI_OK(     mp_mod(&v, &q, &v)      ); /* v = v mod q     */
+    /*
+    ** Verification:  v == r'
+    */
+    if (mp_cmp(&v, &r_)) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	verified = SECFailure; /* Signature failed to verify. */
+    } else {
+	verified = SECSuccess; /* Signature verified. */
+    }
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&y);
+    mp_clear(&r_);
+    mp_clear(&s_);
+    mp_clear(&u1);
+    mp_clear(&u2);
+    mp_clear(&v);
+    mp_clear(&w);
+    if (err) {
+	translate_mpi_error(err);
+    }
+    return verified;
+}
diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
new file mode 100644
index 000000000..29409bf4c
--- /dev/null
+++ b/security/nss/lib/freebl/ec.c
@@ -0,0 +1,1076 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "blapi.h"
+#include "prerr.h"
+#include "secerr.h"
+#include "secmpi.h"
+#include "secitem.h"
+#include "mplogic.h"
+#include "ec.h"
+#include "ecl.h"
+
+#ifdef NSS_ENABLE_ECC
+
+/* 
+ * Returns true if pointP is the point at infinity, false otherwise
+ */
+PRBool
+ec_point_at_infinity(SECItem *pointP)
+{
+    unsigned int i;
+
+    for (i = 1; i < pointP->len; i++) {
+	if (pointP->data[i] != 0x00) return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/* 
+ * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for
+ * the curve whose parameters are encoded in params with base point G.
+ */
+SECStatus 
+ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
+             const SECItem *pointP, SECItem *pointQ)
+{
+    mp_int Px, Py, Qx, Qy;
+    mp_int Gx, Gy, order, irreducible, a, b;
+#if 0 /* currently don't support non-named curves */
+    unsigned int irr_arr[5];
+#endif
+    ECGroup *group = NULL;
+    SECStatus rv = SECFailure;
+    mp_err err = MP_OKAY;
+    int len;
+
+#if EC_DEBUG
+    int i;
+    char mpstr[256];
+
+    printf("ec_points_mul: params [len=%d]:", params->DEREncoding.len);
+    for (i = 0; i < params->DEREncoding.len; i++) 
+	    printf("%02x:", params->DEREncoding.data[i]);
+    printf("\n");
+
+	if (k1 != NULL) {
+		mp_tohex(k1, mpstr);
+		printf("ec_points_mul: scalar k1: %s\n", mpstr);
+		mp_todecimal(k1, mpstr);
+		printf("ec_points_mul: scalar k1: %s (dec)\n", mpstr);
+	}
+
+	if (k2 != NULL) {
+		mp_tohex(k2, mpstr);
+		printf("ec_points_mul: scalar k2: %s\n", mpstr);
+		mp_todecimal(k2, mpstr);
+		printf("ec_points_mul: scalar k2: %s (dec)\n", mpstr);
+	}
+
+	if (pointP != NULL) {
+		printf("ec_points_mul: pointP [len=%d]:", pointP->len);
+		for (i = 0; i < pointP->len; i++) 
+			printf("%02x:", pointP->data[i]);
+		printf("\n");
+	}
+#endif
+
+	/* NOTE: We only support uncompressed points for now */
+	len = (params->fieldID.size + 7) >> 3;
+	if (pointP != NULL) {
+		if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||
+			(pointP->len != (2 * len + 1))) {
+			return SECFailure;
+		};
+	}
+
+	MP_DIGITS(&Px) = 0;
+	MP_DIGITS(&Py) = 0;
+	MP_DIGITS(&Qx) = 0;
+	MP_DIGITS(&Qy) = 0;
+	MP_DIGITS(&Gx) = 0;
+	MP_DIGITS(&Gy) = 0;
+	MP_DIGITS(&order) = 0;
+	MP_DIGITS(&irreducible) = 0;
+	MP_DIGITS(&a) = 0;
+	MP_DIGITS(&b) = 0;
+	CHECK_MPI_OK( mp_init(&Px) );
+	CHECK_MPI_OK( mp_init(&Py) );
+	CHECK_MPI_OK( mp_init(&Qx) );
+	CHECK_MPI_OK( mp_init(&Qy) );
+	CHECK_MPI_OK( mp_init(&Gx) );
+	CHECK_MPI_OK( mp_init(&Gy) );
+	CHECK_MPI_OK( mp_init(&order) );
+	CHECK_MPI_OK( mp_init(&irreducible) );
+	CHECK_MPI_OK( mp_init(&a) );
+	CHECK_MPI_OK( mp_init(&b) );
+
+	if ((k2 != NULL) && (pointP != NULL)) {
+		/* Initialize Px and Py */
+		CHECK_MPI_OK( mp_read_unsigned_octets(&Px, pointP->data + 1, (mp_size) len) );
+		CHECK_MPI_OK( mp_read_unsigned_octets(&Py, pointP->data + 1 + len, (mp_size) len) );
+	}
+
+	/* construct from named params, if possible */
+	if (params->name != ECCurve_noName) {
+		group = ECGroup_fromName(params->name);
+	}
+
+#if 0 /* currently don't support non-named curves */
+	if (group == NULL) {
+		/* Set up mp_ints containing the curve coefficients */
+		CHECK_MPI_OK( mp_read_unsigned_octets(&Gx, params->base.data + 1, 
+										  (mp_size) len) );
+		CHECK_MPI_OK( mp_read_unsigned_octets(&Gy, params->base.data + 1 + len, 
+										  (mp_size) len) );
+		SECITEM_TO_MPINT( params->order, &order );
+		SECITEM_TO_MPINT( params->curve.a, &a );
+		SECITEM_TO_MPINT( params->curve.b, &b );
+		if (params->fieldID.type == ec_field_GFp) {
+			SECITEM_TO_MPINT( params->fieldID.u.prime, &irreducible );
+			group = ECGroup_consGFp(&irreducible, &a, &b, &Gx, &Gy, &order, params->cofactor);
+		} else {
+			SECITEM_TO_MPINT( params->fieldID.u.poly, &irreducible );
+			irr_arr[0] = params->fieldID.size;
+			irr_arr[1] = params->fieldID.k1;
+			irr_arr[2] = params->fieldID.k2;
+			irr_arr[3] = params->fieldID.k3;
+			irr_arr[4] = 0;
+			group = ECGroup_consGF2m(&irreducible, irr_arr, &a, &b, &Gx, &Gy, &order, params->cofactor);
+		}
+	}
+#endif
+	if (group == NULL)
+		goto cleanup;
+
+	if ((k2 != NULL) && (pointP != NULL)) {
+		CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
+	} else {
+		CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
+    }
+
+    /* Construct the SECItem representation of point Q */
+    pointQ->data[0] = EC_POINT_FORM_UNCOMPRESSED;
+    CHECK_MPI_OK( mp_to_fixlen_octets(&Qx, pointQ->data + 1,
+	                              (mp_size) len) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&Qy, pointQ->data + 1 + len,
+	                              (mp_size) len) );
+
+    rv = SECSuccess;
+
+#if EC_DEBUG
+    printf("ec_points_mul: pointQ [len=%d]:", pointQ->len);
+    for (i = 0; i < pointQ->len; i++) 
+	    printf("%02x:", pointQ->data[i]);
+    printf("\n");
+#endif
+
+cleanup:
+    ECGroup_free(group);
+    mp_clear(&Px);
+    mp_clear(&Py);
+    mp_clear(&Qx);
+    mp_clear(&Qy);
+    mp_clear(&Gx);
+    mp_clear(&Gy);
+    mp_clear(&order);
+    mp_clear(&irreducible);
+    mp_clear(&a);
+    mp_clear(&b);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+#endif /* NSS_ENABLE_ECC */
+
+/* Generates a new EC key pair. The private key is a supplied
+ * value and the public key is the result of performing a scalar 
+ * point multiplication of that value with the curve's base point.
+ */
+SECStatus 
+ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, 
+    const unsigned char *privKeyBytes, int privKeyLen)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    PRArenaPool *arena;
+    ECPrivateKey *key;
+    mp_int k;
+    mp_err err = MP_OKAY;
+    int len;
+
+#if EC_DEBUG
+    printf("ec_NewKey called\n");
+#endif
+
+    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* Initialize an arena for the EC key. */
+    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
+	return SECFailure;
+
+    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
+    if (!key) {
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+
+    /* Set the version number (SEC 1 section C.4 says it should be 1) */
+    SECITEM_AllocItem(arena, &key->version, 1);
+    key->version.data[0] = 1;
+
+    /* Copy all of the fields from the ECParams argument to the
+     * ECParams structure within the private key.
+     */
+    key->ecParams.arena = arena;
+    key->ecParams.type = ecParams->type;
+    key->ecParams.fieldID.size = ecParams->fieldID.size;
+    key->ecParams.fieldID.type = ecParams->fieldID.type;
+    if (ecParams->fieldID.type == ec_field_GFp) {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime,
+	    &ecParams->fieldID.u.prime));
+    } else {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.poly,
+	    &ecParams->fieldID.u.poly));
+    }
+    key->ecParams.fieldID.k1 = ecParams->fieldID.k1;
+    key->ecParams.fieldID.k2 = ecParams->fieldID.k2;
+    key->ecParams.fieldID.k3 = ecParams->fieldID.k3;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.a,
+	&ecParams->curve.a));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.b,
+	&ecParams->curve.b));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.seed,
+	&ecParams->curve.seed));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.base,
+	&ecParams->base));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.order,
+	&ecParams->order));
+    key->ecParams.cofactor = ecParams->cofactor;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.DEREncoding,
+	&ecParams->DEREncoding));
+    key->ecParams.name = ecParams->name;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curveOID,
+	&ecParams->curveOID));
+
+    len = (ecParams->fieldID.size + 7) >> 3;
+    SECITEM_AllocItem(arena, &key->publicValue, 2*len + 1);
+    len = ecParams->order.len;
+    SECITEM_AllocItem(arena, &key->privateValue, len);
+
+    /* Copy private key */
+    if (privKeyLen >= len) {
+	memcpy(key->privateValue.data, privKeyBytes, len);
+    } else {
+	memset(key->privateValue.data, 0, (len - privKeyLen));
+	memcpy(key->privateValue.data + (len - privKeyLen), privKeyBytes, privKeyLen);
+    }
+
+    /* Compute corresponding public key */
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&k) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, 
+	(mp_size) len) );
+
+    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue));
+    if (rv != SECSuccess) goto cleanup;
+    *privKey = key;
+
+cleanup:
+    mp_clear(&k);
+    if (rv)
+	PORT_FreeArena(arena, PR_TRUE);
+
+#if EC_DEBUG
+    printf("ec_NewKey returning %s\n", 
+	(rv == SECSuccess) ? "success" : "failure");
+#endif
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+
+    return rv;
+
+}
+
+/* Generates a new EC key pair. The private key is a supplied
+ * random value (in seed) and the public key is the result of 
+ * performing a scalar point multiplication of that value with 
+ * the curve's base point.
+ */
+SECStatus 
+EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey, 
+    const unsigned char *seed, int seedlen)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    rv = ec_NewKey(ecParams, privKey, seed, seedlen);
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+    return rv;
+}
+
+#ifdef NSS_ENABLE_ECC
+/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
+ * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
+ * random number generator.
+ *
+ * Parameters
+ * - order: a buffer that holds the curve's group order
+ * - len: the length in octets of the order buffer
+ *
+ * Return Value
+ * Returns a buffer of len octets that holds the private key. The caller
+ * is responsible for freeing the buffer with PORT_ZFree.
+ */
+static unsigned char *
+ec_GenerateRandomPrivateKey(const unsigned char *order, int len)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    unsigned char *privKeyBytes = NULL;
+    mp_int privKeyVal, order_1, one;
+
+    MP_DIGITS(&privKeyVal) = 0;
+    MP_DIGITS(&order_1) = 0;
+    MP_DIGITS(&one) = 0;
+    CHECK_MPI_OK( mp_init(&privKeyVal) );
+    CHECK_MPI_OK( mp_init(&order_1) );
+    CHECK_MPI_OK( mp_init(&one) );
+
+    /* Generates 2*len random bytes using the global random bit generator
+     * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
+     * reduces modulo the group order.
+     */
+    if ((privKeyBytes = PORT_Alloc(2*len)) == NULL) goto cleanup;
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );
+    CHECK_MPI_OK( mp_set_int(&one, 1) );
+    CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );
+    CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );
+    CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );
+    memset(privKeyBytes+len, 0, len);
+cleanup:
+    mp_clear(&privKeyVal);
+    mp_clear(&order_1);
+    mp_clear(&one);
+    if (err < MP_OKAY) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv != SECSuccess && privKeyBytes) {
+	PORT_Free(privKeyBytes);
+	privKeyBytes = NULL;
+    }
+    return privKeyBytes;
+}
+#endif /* NSS_ENABLE_ECC */
+
+/* Generates a new EC key pair. The private key is a random value and
+ * the public key is the result of performing a scalar point multiplication
+ * of that value with the curve's base point.
+ */
+SECStatus 
+EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    int len;
+    unsigned char *privKeyBytes = NULL;
+
+    if (!ecParams) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    len = ecParams->order.len;
+    privKeyBytes = ec_GenerateRandomPrivateKey(ecParams->order.data, len);
+    if (privKeyBytes == NULL) goto cleanup;
+    /* generate public key */
+    CHECK_SEC_OK( ec_NewKey(ecParams, privKey, privKeyBytes, len) );
+
+cleanup:
+    if (privKeyBytes) {
+	PORT_ZFree(privKeyBytes, len);
+    }
+#if EC_DEBUG
+    printf("EC_NewKey returning %s\n", 
+	(rv == SECSuccess) ? "success" : "failure");
+#endif
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+    
+    return rv;
+}
+
+/* Validates an EC public key as described in Section 5.2.2 of
+ * X9.62. The ECDH primitive when used without the cofactor does
+ * not address small subgroup attacks, which may occur when the
+ * public key is not valid. These attacks can be prevented by 
+ * validating the public key before using ECDH.
+ */
+SECStatus 
+EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
+{
+#ifdef NSS_ENABLE_ECC
+    mp_int Px, Py;
+    ECGroup *group = NULL;
+    SECStatus rv = SECFailure;
+    mp_err err = MP_OKAY;
+    int len;
+
+    if (!ecParams || !publicValue) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+	
+    /* NOTE: We only support uncompressed points for now */
+    len = (ecParams->fieldID.size + 7) >> 3;
+    if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
+	return SECFailure;
+    } else if (publicValue->len != (2 * len + 1)) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	return SECFailure;
+    }
+
+    MP_DIGITS(&Px) = 0;
+    MP_DIGITS(&Py) = 0;
+    CHECK_MPI_OK( mp_init(&Px) );
+    CHECK_MPI_OK( mp_init(&Py) );
+
+    /* Initialize Px and Py */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&Px, publicValue->data + 1, (mp_size) len) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&Py, publicValue->data + 1 + len, (mp_size) len) );
+
+    /* construct from named params */
+    group = ECGroup_fromName(ecParams->name);
+    if (group == NULL) {
+	/*
+	 * ECGroup_fromName fails if ecParams->name is not a valid
+	 * ECCurveName value, or if we run out of memory, or perhaps
+	 * for other reasons.  Unfortunately if ecParams->name is a
+	 * valid ECCurveName value, we don't know what the right error
+	 * code should be because ECGroup_fromName doesn't return an
+	 * error code to the caller.  Set err to MP_UNDEF because
+	 * that's what ECGroup_fromName uses internally.
+	 */
+	if ((ecParams->name <= ECCurve_noName) ||
+	    (ecParams->name >= ECCurve_pastLastCurve)) {
+	    err = MP_BADARG;
+	} else {
+	    err = MP_UNDEF;
+	}
+	goto cleanup;
+    }
+
+    /* validate public point */
+    if ((err = ECPoint_validate(group, &Px, &Py)) < MP_YES) {
+	if (err == MP_NO) {
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	    rv = SECFailure;
+	    err = MP_OKAY;  /* don't change the error code */
+	}
+	goto cleanup;
+    }
+
+    rv = SECSuccess;
+
+cleanup:
+    ECGroup_free(group);
+    mp_clear(&Px);
+    mp_clear(&Py);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+    return SECFailure;
+#endif /* NSS_ENABLE_ECC */
+}
+
+/* 
+** Performs an ECDH key derivation by computing the scalar point
+** multiplication of privateValue and publicValue (with or without the
+** cofactor) and returns the x-coordinate of the resulting elliptic
+** curve point in derived secret.  If successful, derivedSecret->data
+** is set to the address of the newly allocated buffer containing the
+** derived secret, and derivedSecret->len is the size of the secret
+** produced. It is the caller's responsibility to free the allocated
+** buffer containing the derived secret.
+*/
+SECStatus 
+ECDH_Derive(SECItem  *publicValue, 
+            ECParams *ecParams,
+            SECItem  *privateValue,
+            PRBool    withCofactor,
+            SECItem  *derivedSecret)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    unsigned int len = 0;
+    SECItem pointQ = {siBuffer, NULL, 0};
+    mp_int k; /* to hold the private value */
+    mp_int cofactor;
+    mp_err err = MP_OKAY;
+#if EC_DEBUG
+    int i;
+#endif
+
+    if (!publicValue || !ecParams || !privateValue || 
+	!derivedSecret) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    len = (ecParams->fieldID.size + 7) >> 3;  
+    pointQ.len = 2*len + 1;
+    if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup;
+
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&k) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data, 
+	                                  (mp_size) privateValue->len) );
+
+    if (withCofactor && (ecParams->cofactor != 1)) {
+	    /* multiply k with the cofactor */
+	    MP_DIGITS(&cofactor) = 0;
+	    CHECK_MPI_OK( mp_init(&cofactor) );
+	    mp_set(&cofactor, ecParams->cofactor);
+	    CHECK_MPI_OK( mp_mul(&k, &cofactor, &k) );
+    }
+
+    /* Multiply our private key and peer's public point */
+    if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess) ||
+	ec_point_at_infinity(&pointQ))
+	goto cleanup;
+
+    /* Allocate memory for the derived secret and copy
+     * the x co-ordinate of pointQ into it.
+     */
+    SECITEM_AllocItem(NULL, derivedSecret, len);
+    memcpy(derivedSecret->data, pointQ.data + 1, len);
+
+    rv = SECSuccess;
+
+#if EC_DEBUG
+    printf("derived_secret:\n");
+    for (i = 0; i < derivedSecret->len; i++) 
+	printf("%02x:", derivedSecret->data[i]);
+    printf("\n");
+#endif
+
+cleanup:
+    mp_clear(&k);
+
+    if (pointQ.data) {
+	PORT_ZFree(pointQ.data, 2*len + 1);
+    }
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+
+    return rv;
+}
+
+/* Computes the ECDSA signature (a concatenation of two values r and s)
+ * on the digest using the given key and the random value kb (used in
+ * computing s).
+ */
+SECStatus 
+ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, 
+    const SECItem *digest, const unsigned char *kb, const int kblen)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    mp_int x1;
+    mp_int d, k;     /* private key, random integer */
+    mp_int r, s;     /* tuple (r, s) is the signature */
+    mp_int n;
+    mp_err err = MP_OKAY;
+    ECParams *ecParams = NULL;
+    SECItem kGpoint = { siBuffer, NULL, 0};
+    int flen = 0;    /* length in bytes of the field size */
+    unsigned olen;   /* length in bytes of the base point order */
+
+#if EC_DEBUG
+    char mpstr[256];
+#endif
+
+    /* Initialize MPI integers. */
+    /* must happen before the first potential call to cleanup */
+    MP_DIGITS(&x1) = 0;
+    MP_DIGITS(&d) = 0;
+    MP_DIGITS(&k) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&s) = 0;
+    MP_DIGITS(&n) = 0;
+
+    /* Check args */
+    if (!key || !signature || !digest || !kb || (kblen < 0)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto cleanup;
+    }
+
+    ecParams = &(key->ecParams);
+    flen = (ecParams->fieldID.size + 7) >> 3;
+    olen = ecParams->order.len;  
+    if (signature->data == NULL) {
+	/* a call to get the signature length only */
+	goto finish;
+    }
+    if (signature->len < 2*olen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	goto cleanup;
+    }
+
+
+    CHECK_MPI_OK( mp_init(&x1) );
+    CHECK_MPI_OK( mp_init(&d) );
+    CHECK_MPI_OK( mp_init(&k) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&s) );
+    CHECK_MPI_OK( mp_init(&n) );
+
+    SECITEM_TO_MPINT( ecParams->order, &n );
+    SECITEM_TO_MPINT( key->privateValue, &d );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );
+    /* Make sure k is in the interval [1, n-1] */
+    if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {
+#if EC_DEBUG
+        printf("k is outside [1, n-1]\n");
+        mp_tohex(&k, mpstr);
+	printf("k : %s \n", mpstr);
+        mp_tohex(&n, mpstr);
+	printf("n : %s \n", mpstr);
+#endif
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	goto cleanup;
+    }
+
+    /* 
+    ** ANSI X9.62, Section 5.3.2, Step 2
+    **
+    ** Compute kG
+    */
+    kGpoint.len = 2*flen + 1;
+    kGpoint.data = PORT_Alloc(2*flen + 1);
+    if ((kGpoint.data == NULL) ||
+	(ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint)
+	    != SECSuccess))
+	goto cleanup;
+
+    /* 
+    ** ANSI X9.62, Section 5.3.3, Step 1
+    **
+    ** Extract the x co-ordinate of kG into x1
+    */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1, 
+	                                  (mp_size) flen) );
+
+    /* 
+    ** ANSI X9.62, Section 5.3.3, Step 2
+    **
+    ** r = x1 mod n  NOTE: n is the order of the curve
+    */
+    CHECK_MPI_OK( mp_mod(&x1, &n, &r) );
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 3
+    **
+    ** verify r != 0 
+    */
+    if (mp_cmp_z(&r) == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	goto cleanup;
+    }
+
+    /*                                  
+    ** ANSI X9.62, Section 5.3.3, Step 4
+    **
+    ** s = (k**-1 * (HASH(M) + d*r)) mod n 
+    */
+    SECITEM_TO_MPINT(*digest, &s);        /* s = HASH(M)     */
+
+    /* In the definition of EC signing, digests are truncated
+     * to the length of n in bits. 
+     * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
+    if (digest->len*8 > ecParams->fieldID.size) {
+	mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size);
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&n, mpstr);
+    printf("n : %s (dec)\n", mpstr);
+    mp_todecimal(&d, mpstr);
+    printf("d : %s (dec)\n", mpstr);
+    mp_tohex(&x1, mpstr);
+    printf("x1: %s\n", mpstr);
+    mp_todecimal(&s, mpstr);
+    printf("digest: %s (decimal)\n", mpstr);
+    mp_todecimal(&r, mpstr);
+    printf("r : %s (dec)\n", mpstr);
+    mp_tohex(&r, mpstr);
+    printf("r : %s\n", mpstr);
+#endif
+
+    CHECK_MPI_OK( mp_invmod(&k, &n, &k) );      /* k = k**-1 mod n */
+    CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) );  /* d = d * r mod n */
+    CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) );  /* s = s + d mod n */
+    CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) );  /* s = s * k mod n */
+
+#if EC_DEBUG
+    mp_todecimal(&s, mpstr);
+    printf("s : %s (dec)\n", mpstr);
+    mp_tohex(&s, mpstr);
+    printf("s : %s\n", mpstr);
+#endif
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 5
+    **
+    ** verify s != 0
+    */
+    if (mp_cmp_z(&s) == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	goto cleanup;
+    }
+
+   /*
+    **
+    ** Signature is tuple (r, s)
+    */
+    CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, olen) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + olen, olen) );
+finish:
+    signature->len = 2*olen;
+
+    rv = SECSuccess;
+    err = MP_OKAY;
+cleanup:
+    mp_clear(&x1);
+    mp_clear(&d);
+    mp_clear(&k);
+    mp_clear(&r);
+    mp_clear(&s);
+    mp_clear(&n);
+
+    if (kGpoint.data) {
+	PORT_ZFree(kGpoint.data, 2*flen + 1);
+    }
+
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+
+#if EC_DEBUG
+    printf("ECDSA signing with seed %s\n",
+	(rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+
+   return rv;
+}
+
+/*
+** Computes the ECDSA signature on the digest using the given key 
+** and a random seed.
+*/
+SECStatus 
+ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    int len;
+    unsigned char *kBytes= NULL;
+
+    if (!key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* Generate random value k */
+    len = key->ecParams.order.len;
+    kBytes = ec_GenerateRandomPrivateKey(key->ecParams.order.data, len);
+    if (kBytes == NULL) goto cleanup;
+
+    /* Generate ECDSA signature with the specified k value */
+    rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len);
+
+cleanup:    
+    if (kBytes) {
+	PORT_ZFree(kBytes, len);
+    }
+
+#if EC_DEBUG
+    printf("ECDSA signing %s\n",
+	(rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+
+    return rv;
+}
+
+/*
+** Checks the signature on the given digest using the key provided.
+*/
+SECStatus 
+ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, 
+                 const SECItem *digest)
+{
+    SECStatus rv = SECFailure;
+#ifdef NSS_ENABLE_ECC
+    mp_int r_, s_;           /* tuple (r', s') is received signature) */
+    mp_int c, u1, u2, v;     /* intermediate values used in verification */
+    mp_int x1;
+    mp_int n;
+    mp_err err = MP_OKAY;
+    ECParams *ecParams = NULL;
+    SECItem pointC = { siBuffer, NULL, 0 };
+    int slen;       /* length in bytes of a half signature (r or s) */
+    int flen;       /* length in bytes of the field size */
+    unsigned olen;  /* length in bytes of the base point order */
+
+#if EC_DEBUG
+    char mpstr[256];
+    printf("ECDSA verification called\n");
+#endif
+
+    /* Initialize MPI integers. */
+    /* must happen before the first potential call to cleanup */
+    MP_DIGITS(&r_) = 0;
+    MP_DIGITS(&s_) = 0;
+    MP_DIGITS(&c) = 0;
+    MP_DIGITS(&u1) = 0;
+    MP_DIGITS(&u2) = 0;
+    MP_DIGITS(&x1) = 0;
+    MP_DIGITS(&v)  = 0;
+    MP_DIGITS(&n)  = 0;
+
+    /* Check args */
+    if (!key || !signature || !digest) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto cleanup;
+    }
+
+    ecParams = &(key->ecParams);
+    flen = (ecParams->fieldID.size + 7) >> 3;  
+    olen = ecParams->order.len;  
+    if (signature->len == 0 || signature->len%2 != 0 ||
+	signature->len > 2*olen) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	goto cleanup;
+    }
+    slen = signature->len/2;
+
+    SECITEM_AllocItem(NULL, &pointC, 2*flen + 1);
+    if (pointC.data == NULL)
+	goto cleanup;
+
+    CHECK_MPI_OK( mp_init(&r_) );
+    CHECK_MPI_OK( mp_init(&s_) );
+    CHECK_MPI_OK( mp_init(&c)  );
+    CHECK_MPI_OK( mp_init(&u1) );
+    CHECK_MPI_OK( mp_init(&u2) );
+    CHECK_MPI_OK( mp_init(&x1)  );
+    CHECK_MPI_OK( mp_init(&v)  );
+    CHECK_MPI_OK( mp_init(&n)  );
+
+    /*
+    ** Convert received signature (r', s') into MPI integers.
+    */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, slen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + slen, slen) );
+                                          
+    /* 
+    ** ANSI X9.62, Section 5.4.2, Steps 1 and 2
+    **
+    ** Verify that 0 < r' < n and 0 < s' < n
+    */
+    SECITEM_TO_MPINT(ecParams->order, &n);
+    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
+        mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	goto cleanup; /* will return rv == SECFailure */
+    }
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 3
+    **
+    ** c = (s')**-1 mod n
+    */
+    CHECK_MPI_OK( mp_invmod(&s_, &n, &c) );      /* c = (s')**-1 mod n */
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 4
+    **
+    ** u1 = ((HASH(M')) * c) mod n
+    */
+    SECITEM_TO_MPINT(*digest, &u1);                  /* u1 = HASH(M)     */
+
+    /* In the definition of EC signing, digests are truncated
+     * to the length of n in bits. 
+     * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
+    if (digest->len*8 > ecParams->fieldID.size) {  /* u1 = HASH(M')     */
+	mpl_rsh(&u1,&u1,digest->len*8- ecParams->fieldID.size);
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&r_, mpstr);
+    printf("r_: %s (dec)\n", mpstr);
+    mp_todecimal(&s_, mpstr);
+    printf("s_: %s (dec)\n", mpstr);
+    mp_todecimal(&c, mpstr);
+    printf("c : %s (dec)\n", mpstr);
+    mp_todecimal(&u1, mpstr);
+    printf("digest: %s (dec)\n", mpstr);
+#endif
+
+    CHECK_MPI_OK( mp_mulmod(&u1, &c, &n, &u1) );  /* u1 = u1 * c mod n */
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 4
+    **
+    ** u2 = ((r') * c) mod n
+    */
+    CHECK_MPI_OK( mp_mulmod(&r_, &c, &n, &u2) );
+
+    /*
+    ** ANSI X9.62, Section 5.4.3, Step 1
+    **
+    ** Compute u1*G + u2*Q
+    ** Here, A = u1.G     B = u2.Q    and   C = A + B
+    ** If the result, C, is the point at infinity, reject the signature
+    */
+    if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC)
+	!= SECSuccess) {
+	rv = SECFailure;
+	goto cleanup;
+    }
+    if (ec_point_at_infinity(&pointC)) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	rv = SECFailure;
+	goto cleanup;
+    }
+
+    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, pointC.data + 1, flen) );
+
+    /*
+    ** ANSI X9.62, Section 5.4.4, Step 2
+    **
+    ** v = x1 mod n
+    */
+    CHECK_MPI_OK( mp_mod(&x1, &n, &v) );
+
+#if EC_DEBUG
+    mp_todecimal(&r_, mpstr);
+    printf("r_: %s (dec)\n", mpstr);
+    mp_todecimal(&v, mpstr);
+    printf("v : %s (dec)\n", mpstr);
+#endif
+
+    /*
+    ** ANSI X9.62, Section 5.4.4, Step 3
+    **
+    ** Verification:  v == r'
+    */
+    if (mp_cmp(&v, &r_)) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	rv = SECFailure; /* Signature failed to verify. */
+    } else {
+	rv = SECSuccess; /* Signature verified. */
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&u1, mpstr);
+    printf("u1: %s (dec)\n", mpstr);
+    mp_todecimal(&u2, mpstr);
+    printf("u2: %s (dec)\n", mpstr);
+    mp_tohex(&x1, mpstr);
+    printf("x1: %s\n", mpstr);
+    mp_todecimal(&v, mpstr);
+    printf("v : %s (dec)\n", mpstr);
+#endif
+
+cleanup:
+    mp_clear(&r_);
+    mp_clear(&s_);
+    mp_clear(&c);
+    mp_clear(&u1);
+    mp_clear(&u2);
+    mp_clear(&x1);
+    mp_clear(&v);
+    mp_clear(&n);
+
+    if (pointC.data) SECITEM_FreeItem(&pointC, PR_FALSE);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+
+#if EC_DEBUG
+    printf("ECDSA verification %s\n",
+	(rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+#else
+    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+#endif /* NSS_ENABLE_ECC */
+
+    return rv;
+}
+
diff --git a/security/nss/lib/freebl/ec.h b/security/nss/lib/freebl/ec.h
new file mode 100644
index 000000000..3de424145
--- /dev/null
+++ b/security/nss/lib/freebl/ec.h
@@ -0,0 +1,52 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ec_h_
+#define __ec_h_
+
+#define EC_DEBUG                          0
+#define EC_POINT_FORM_COMPRESSED_Y0    0x02
+#define EC_POINT_FORM_COMPRESSED_Y1    0x03
+#define EC_POINT_FORM_UNCOMPRESSED     0x04
+#define EC_POINT_FORM_HYBRID_Y0        0x06
+#define EC_POINT_FORM_HYBRID_Y1        0x07
+
+#define ANSI_X962_CURVE_OID_TOTAL_LEN    10
+#define SECG_CURVE_OID_TOTAL_LEN          7
+
+#endif /* __ec_h_ */
diff --git a/security/nss/lib/freebl/ecl/Makefile b/security/nss/lib/freebl/ecl/Makefile
new file mode 100644
index 000000000..9ada3eba1
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/Makefile
@@ -0,0 +1,230 @@
+#
+# Makefile for elliptic curve library
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the elliptic curve math library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are Copyright (C) 2003
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Douglas Stebila <douglas@stebila.ca>
+#   Michael J. Fromberger <sting@linguist.dartmouth.edu>
+#   Netscape Communications Corporation
+#   Richard C. Swift        (swift@netscape.com)
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+#PERL=perl
+
+include ../mpi/target.mk
+
+##
+## Define platform-dependent variables for use of floating-point code.
+##
+ifeq ($(TARGET),v9SOLARIS)
+ECL_USE_FP=1
+else
+ifeq ($(TARGET),v8plusSOLARIS)
+ECL_USE_FP=1
+else
+ifeq ($(TARGET),v8SOLARIS)
+ECL_USE_FP=1
+else
+ifeq ($(TARGET),x86LINUX)
+ECL_USE_FP=1
+endif
+endif
+endif
+endif
+
+##
+## Add to definition of CFLAGS depending on use of floating-point code.
+##
+ifeq ($(ECL_USE_FP),1)
+CFLAGS+= -DECL_USE_FP
+endif
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=-L../mpi -lmpi -lm#-lmalloc#-lefence
+
+##
+## Define INCLUDES to include any include directories you need to 
+## compile with.  
+##
+INCLUDES=-I../mpi
+CFLAGS+= $(INCLUDES) $(XCFLAGS)
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+## 
+## Define LIBOBJS to be the object files that will be created during
+## the build process.
+##
+LIBOBJS = ecl.o ecl_curve.o ecl_mult.o ecl_gf.o \
+	ec2_aff.o ec2_mont.o ec2_proj.o \
+	ec2_163.o ec2_193.o ec2_233.o \
+	ecp_aff.o ecp_jac.o ecp_mont.o \
+	ec_naf.o ecp_jm.o \
+	ecp_192.o ecp_224.o ecp_256.o ecp_384.o ecp_521.o
+ifeq ($(ECL_USE_FP),1)
+LIBOBJS+= ecp_fp160.o ecp_fp192.o ecp_fp224.o ecp_fp.o
+endif
+
+## The headers contained in this library.
+LIBHDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h ecl-curve.h
+APPHDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h ecl-curve.h
+ifeq ($(ECL_GFP_ASSEMBLY_FP),1)
+LIBHDRS += ecp_fp.h
+APPHDRS += ecp_fp.h
+endif
+
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "libecl.a     - elliptic curve library"
+	@ echo "tests        - build command line tests"
+	@ echo "test         - run command line tests"
+	@ echo "clean        - clean up objects and such"
+	@ echo ""
+
+.SUFFIXES: .c .o .i
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+ecl.o: ecl.c $(LIBHDRS)
+ecl_curve.o: ecl_curve.c $(LIBHDRS)
+ecl_mult.o: ecl_mult.c $(LIBHDRS)
+ecl_gf.o: ecl_gf.c $(LIBHDRS)
+ec2_aff.o: ec2_aff.c $(LIBHDRS)
+ec2_mont.o: ec2_mont.c $(LIBHDRS)
+ec2_proj.o: ec2_proj.c $(LIBHDRS)
+ec2_163.o: ec2_163.c $(LIBHDRS)
+ec2_193.o: ec2_193.c $(LIBHDRS)
+ec2_233.o: ec2_233.c $(LIBHDRS)
+ecp_aff.o: ecp_aff.c $(LIBHDRS)
+ecp_jac.o: ecp_jac.c $(LIBHDRS)
+ecp_jm.o: ecp_jm.c $(LIBHDRS)
+ecp_mont.o: ecp_mont.c $(LIBHDRS)
+ecp_192.o: ecp_192.c $(LIBHDRS)
+ecp_224.o: ecp_224.c $(LIBHDRS)
+ecp_256.o: ecp_256.c $(LIBHDRS)
+ecp_384.o: ecp_384.c $(LIBHDRS)
+ecp_521.o: ecp_521.c $(LIBHDRS)
+ecp_fp.o: ecp_fp.c $(LIBHDRS)
+ifeq ($(ECL_USE_FP),1)
+ecp_fp160.o: ecp_fp160.c ecp_fpinc.c $(LIBHDRS)
+ecp_fp192.o: ecp_fp192.c ecp_fpinc.c $(LIBHDRS)
+ecp_fp224.o: ecp_fp224.c ecp_fpinc.c $(LIBHDRS)
+endif
+
+libecl.a: $(LIBOBJS)
+	ar -cvr libecl.a $(LIBOBJS)
+	$(RANLIB) libecl.a
+
+lib libs: libecl.a
+
+ecl.i: ecl.h
+
+#---------------------------------------
+
+ECLTESTOBJS = ec2_test.o ecp_test.o ec_naft.o
+ifeq ($(ECL_USE_FP),1)
+ECLTESTOBJS+= ecp_fpt.o
+endif
+ECLTESTS = $(ECLTESTOBJS:.o=)
+
+$(ECLTESTOBJS): %.o: tests/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<  $(INCLUDES)
+
+$(ECLTESTS): %: %.o libecl.a
+	$(CC) $(CFLAGS) -o $@ $^  $(LIBS)
+
+ifeq ($(ECL_USE_FP),1)
+tests: ec2_test ecp_test ec_naft ecp_fpt 
+else
+tests: ec2_test ecp_test ec_naft
+endif
+
+#---------------------------------------
+
+ifeq ($(ECL_USE_FP),1)
+test: tests
+	./ecp_test
+	./ec2_test
+	./ec_naft
+	./ecp_fpt
+else
+test: tests
+	./ecp_test
+	./ec_naft
+	./ec2_test
+endif
+
+#---------------------------------------
+
+alltests: tests
+
+clean:
+	rm -f *.o *.a *.i
+	rm -f core
+	rm -f *~ .*~
+	rm -f $(ECLTESTS)
+
+clobber: clean
+
+# END
diff --git a/security/nss/lib/freebl/ecl/README b/security/nss/lib/freebl/ecl/README
new file mode 100644
index 000000000..b4c92400d
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/README
@@ -0,0 +1,330 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the elliptic curve math library.
+
+The Initial Developer of the Original Code is Sun Microsystems, Inc.
+Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
+Sun Microsystems, Inc. All Rights Reserved.
+
+Contributor(s):
+    Stephen Fung <fungstep@hotmail.com> and
+    Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+ 
+The ECL exposes routines for constructing and converting curve
+parameters for internal use.
+
+
+HEADER FILES
+============
+
+ecl-exp.h - Exports data structures and curve names. For use by code
+that does not have access to mp_ints.
+
+ecl-curve.h - Provides hex encodings (in the form of ECCurveParams
+structs) of standardizes elliptic curve domain parameters and mappings
+from ECCurveName to ECCurveParams. For use by code that does not have
+access to mp_ints.
+
+ecl.h - Interface to constructors for curve parameters and group object,
+and point multiplication operations. Used by higher level algorithms
+(like ECDH and ECDSA) to actually perform elliptic curve cryptography.
+
+ecl-priv.h - Data structures and functions for internal use within the
+library.
+
+ec2.h - Internal header file that contains all functions for point
+arithmetic over binary polynomial fields.
+
+ecp.h - Internal header file that contains all functions for point
+arithmetic over prime fields.
+
+DATA STRUCTURES AND TYPES
+=========================
+
+ECCurveName (from ecl-exp.h) - Opaque name for standardized elliptic
+curve domain parameters.
+
+ECCurveParams (from ecl-exp.h) - Provides hexadecimal encoding
+of elliptic curve domain parameters. Can be generated by a user
+and passed to ECGroup_fromHex or can be generated from a name by
+EC_GetNamedCurveParams. ecl-curve.h contains ECCurveParams structs for
+the standardized curves defined by ECCurveName.
+
+ECGroup (from ecl.h and ecl-priv.h) - Opaque data structure that
+represents a group of elliptic curve points for a particular set of
+elliptic curve domain parameters. Contains all domain parameters (curve
+a and b, field, base point) as well as pointers to the functions that
+should be used for point arithmetic and the underlying field GFMethod.
+Generated by either ECGroup_fromHex or ECGroup_fromName.
+
+GFMethod (from ecl-priv.h) - Represents a field underlying a set of
+elliptic curve domain parameters. Contains the irreducible that defines
+the field (either the prime or the binary polynomial) as well as
+pointers to the functions that should be used for field arithmetic.
+
+ARITHMETIC FUNCTIONS
+====================
+
+Higher-level algorithms (like ECDH and ECDSA) should call ECPoint_mul
+or ECPoints_mul (from ecl.h) to do point arithmetic. These functions
+will choose which underlying algorithms to use, based on the ECGroup
+structure.
+
+Point Multiplication
+--------------------
+
+ecl_mult.c provides the ECPoints_mul and ECPoint_mul wrappers.
+It also provides two implementations for the pts_mul operation -
+ec_pts_mul_basic (which computes kP, lQ, and then adds kP + lQ) and
+ec_pts_mul_simul_w2 (which does a simultaneous point multiplication
+using a table with window size 2*2).
+
+ec_naf.c provides an implementation of an algorithm to calculate a
+non-adjacent form of a scalar, minimizing the number of point
+additions that need to be done in a point multiplication.
+
+Point Arithmetic over Prime Fields
+----------------------------------
+
+ecp_aff.c provides point arithmetic using affine coordinates.
+
+ecp_jac.c provides point arithmetic using Jacobian projective
+coordinates and mixed Jacobian-affine coordinates. (Jacobian projective
+coordinates represent a point (x, y) as (X, Y, Z), where x=X/Z^2,
+y=Y/Z^3).
+
+ecp_jm.c provides point arithmetic using Modified Jacobian
+coordinates and mixed Modified_Jacobian-affine coordinates.
+(Modified Jacobian coordinates represent a point (x, y)
+as (X, Y, Z, a*Z^4), where x=X/Z^2, y=Y/Z^3, and a is
+the linear coefficient in the curve defining equation).
+
+ecp_192.c and ecp_224.c provide optimized field arithmetic.
+
+Point Arithmetic over Binary Polynomial Fields
+----------------------------------------------
+
+ec2_aff.c provides point arithmetic using affine coordinates.
+
+ec2_proj.c provides point arithmetic using projective coordinates.
+(Projective coordinates represent a point (x, y) as (X, Y, Z), where
+x=X/Z, y=Y/Z^2).
+
+ec2_mont.c provides point multiplication using Montgomery projective
+coordinates.
+
+ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field arithmetic.
+
+Field Arithmetic
+----------------
+
+ecl_gf.c provides constructors for field objects (GFMethod) with the
+functions GFMethod_cons*. It also provides wrappers around the basic
+field operations.
+
+Prime Field Arithmetic
+----------------------
+
+The mpi library provides the basic prime field arithmetic.
+
+ecp_mont.c provides wrappers around the Montgomery multiplication
+functions from the mpi library and adds encoding and decoding functions.
+It also provides the function to construct a GFMethod object using
+Montgomery multiplication.
+
+ecp_192.c and ecp_224.c provide optimized modular reduction for the
+fields defined by nistp192 and nistp224 primes.
+
+ecl_gf.c provides wrappers around the basic field operations.
+
+Binary Polynomial Field Arithmetic
+----------------------------------
+
+../mpi/mp_gf2m.c provides basic binary polynomial field arithmetic,
+including addition, multiplication, squaring, mod, and division, as well
+as conversion ob polynomial representations between bitstring and int[].
+
+ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field mod, mul,
+and sqr operations.
+
+ecl_gf.c provides wrappers around the basic field operations.
+
+Field Encoding
+--------------
+
+By default, field elements are encoded in their basic form. It is
+possible to use an alternative encoding, however. For example, it is
+possible to Montgomery representation of prime field elements and
+take advantage of the fast modular multiplication that Montgomery
+representation provides. The process of converting from basic form to
+Montgomery representation is called field encoding, and the opposite
+process would be field decoding. All internal point operations assume
+that the operands are field encoded as appropriate. By rewiring the
+underlying field arithmetic to perform operations on these encoded
+values, the same overlying point arithmetic operations can be used
+regardless of field representation.
+
+ALGORITHM WIRING
+================
+
+The EC library allows point and field arithmetic algorithms to be
+substituted ("wired-in") on a fine-grained basis. This allows for
+generic algorithms and algorithms that are optimized for a particular
+curve, field, or architecture, to coexist and to be automatically
+selected at runtime.
+
+Wiring Mechanism
+----------------
+
+The ECGroup and GFMethod structure contain pointers to the point and
+field arithmetic functions, respectively, that are to be used in
+operations.
+
+The selection of algorithms to use is handled in the function
+ecgroup_fromNameAndHex in ecl.c.
+
+Default Wiring
+--------------
+
+Curves over prime fields by default use montgomery field arithmetic,
+point multiplication using 5-bit window non-adjacent-form with 
+Modified Jacobian coordinates, and 2*2-bit simultaneous point 
+multiplication using Jacobian coordinates.
+(Wiring in function ECGroup_consGFp_mont in ecl.c.)
+
+Curves over prime fields that have optimized modular reduction (i.e.,
+secp160r1, nistp192, and nistp224) do not use Montgomery field
+arithmetic. Instead, they use basic field arithmetic with their
+optimized reduction (as in ecp_192.c and ecp_224.c). They
+use the same point multiplication and simultaneous point multiplication
+algorithms as other curves over prime fields.
+
+Curves over binary polynomial fields by default use generic field
+arithmetic with montgomery point multiplication and basic kP + lQ
+computation (multiply, multiply, and add). (Wiring in function
+ECGroup_cons_GF2m in ecl.c.)
+
+Curves over binary polynomial fields that have optimized field
+arithmetic (i.e., any 163-, 193, or 233-bit field) use their optimized
+field arithmetic. They use the same point multiplication and
+simultaneous point multiplication algorithms as other curves over binary
+fields.
+
+Example
+-------
+
+We provide an example for plugging in an optimized implementation for
+the Koblitz curve nistk163.
+
+Suppose the file ec2_k163.c contains the optimized implementation. In
+particular it contains a point multiplication function:
+
+	mp_err ec_GF2m_nistk163_pt_mul(const mp_int *n, const mp_int *px, 
+		const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group);
+
+Since only a pt_mul function is provided, the generic pt_add function
+will be used.
+
+There are two options for handling the optimized field arithmetic used
+by the ..._pt_mul function. Say the optimized field arithmetic includes
+the following functions:
+
+	mp_err ec_GF2m_nistk163_add(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_mul(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_sqr(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+	mp_err ec_GF2m_nistk163_div(const mp_int *a, const mp_int *b,
+		mp_int *r, const GFMethod *meth);
+
+First, the optimized field arithmetic could simply be called directly
+by the ..._pt_mul function. This would be accomplished by changing
+the ecgroup_fromNameAndHex function in ecl.c to include the following
+statements:
+
+	if (name == ECCurve_NIST_K163) {
+		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx,
+			&geny, &order, params->cofactor);
+		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+		MP_CHECKOK( ec_group_set_nistk163(group) );
+	}
+
+and including in ec2_k163.c the following function:
+
+	mp_err ec_group_set_nistk163(ECGroup *group) {
+		group->point_mul = &ec_GF2m_nistk163_pt_mul;
+		return MP_OKAY;
+	}
+
+As a result, ec_GF2m_pt_add and similar functions would use the
+basic binary polynomial field arithmetic ec_GF2m_add, ec_GF2m_mul,
+ec_GF2m_sqr, and ec_GF2m_div.
+
+Alternatively, the optimized field arithmetic could be wired into the
+group's GFMethod. This would be accomplished by putting the following
+function in ec2_k163.c:
+
+	mp_err ec_group_set_nistk163(ECGroup *group) {
+		group->meth->field_add = &ec_GF2m_nistk163_add;
+		group->meth->field_mul = &ec_GF2m_nistk163_mul;
+		group->meth->field_sqr = &ec_GF2m_nistk163_sqr;
+		group->meth->field_div = &ec_GF2m_nistk163_div;
+		group->point_mul = &ec_GF2m_nistk163_pt_mul;
+		return MP_OKAY;
+	}
+
+For an example of functions that use special field encodings, take a
+look at ecp_mont.c.
+
+TESTING
+=======
+
+The ecl/tests directory contains a collection of standalone tests that
+verify the correctness of the elliptic curve library.
+
+Both ecp_test and ec2_test take the following arguments:
+
+	--print     Print out results of each point arithmetic test.
+	--time      Benchmark point operations and print results.
+
+The set of curves over which ecp_test and ec2_test run is coded into the
+program, but can be changed by editing the source files.
+
+BUILDING
+========
+
+The ecl can be built as a standalone library, separate from NSS,
+dependent only on the mpi library. To build the library:
+
+	> cd ../mpi
+	> make libs
+	> cd ../ecl
+	> make libs
+	> make tests # to build test files
+	> make test  # to run automated tests
diff --git a/security/nss/lib/freebl/ecl/README.FP b/security/nss/lib/freebl/ecl/README.FP
new file mode 100644
index 000000000..858ac67b8
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/README.FP
@@ -0,0 +1,317 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the elliptic curve math library.
+
+The Initial Developer of the Original Code is Sun Microsystems, Inc.
+Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
+Sun Microsystems, Inc. All Rights Reserved.
+
+Contributor(s):
+     Stephen Fung <fungstep@hotmail.com> and
+     Nils Gura <nils.gura@sun.com>, Sun Microsystems Laboratories
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+The ECL exposes routines for constructing and converting curve
+parameters for internal use.
+
+The floating point code of the ECL provides algorithms for performing
+elliptic-curve point multiplications in floating point.
+
+The point multiplication algorithms perform calculations almost
+exclusively in floating point for efficiency, but have the same
+(integer) interface as the ECL for compatibility and to be easily
+wired-in to the ECL.  Please see README file (not this README.FP file)
+for information on wiring-in.
+
+This has been implemented for 3 curves as specified in [1]:
+	secp160r1
+	secp192r1
+	secp224r1
+
+RATIONALE
+=========
+Calculations are done in the  floating-point unit (FPU) since it
+gives better performance on the UltraSPARC III chips.  This is
+because the FPU allows for faster multiplication than the integer unit.
+The integer unit has a longer multiplication instruction latency, and
+does not allow full pipelining, as described in [2].
+Since performance is an important selling feature of Elliptic Curve
+Cryptography (ECC), this implementation was created.
+
+DATA REPRESENTATION
+===================
+Data is primarily represented in an array of double-precision floating
+point numbers.  Generally, each array element has 24 bits of precision
+(i.e. be x * 2^y, where x is an integer of at most 24 bits, y some positive
+integer), although the actual implementation details are more complicated.
+
+e.g. a way to store an 80 bit number might be:
+double p[4] = { 632613 * 2^0, 329841 * 2^24, 9961 * 2^48, 51 * 2^64 };
+See section ARITHMETIC OPERATIONS for more details.
+
+This implementation assumes that the floating-point unit rounding mode 
+is round-to-even as specified in IEEE 754
+(as opposed to chopping, rounding up, or rounding down).
+When subtracting integers represented as arrays of floating point 
+numbers, some coefficients (array elements) may become negative.
+This effectively gives an extra bit of precision that is important
+for correctness in some cases.
+
+The described number presentation limits the size of integers to 1023 bits.
+This is due to an upper bound of 1024 for the exponent of a double precision
+floating point number as specified in IEEE-754.
+However, this is acceptable for ECC key sizes of the foreseeable future.
+
+DATA STRUCTURES
+===============
+For more information on coordinate representations, see [3].
+
+ecfp_aff_pt
+-----------
+Affine EC Point Representation.  This is the basic 
+representation (x, y) of an elliptic curve point.
+
+ecfp_jac_pt
+-----------
+Jacobian EC Point.  This stores a point as (X, Y, Z), where
+the affine point corresponds to (X/Z^2, Y/Z^3).  This allows
+for fewer inversions in calculations.
+
+ecfp_chud_pt
+------------
+Chudnovsky Jacobian Point.  This representation stores a point
+as (X, Y, Z, Z^2, Z^3), the same as a Jacobian representation
+but also storing Z^2 and Z^3 for faster point additions.
+
+ecfp_jm_pt
+----------
+Modified Jacobian Point.  This representation stores a point
+as (X, Y, Z, a*Z^4), the same as Jacobian representation but
+also storing a*Z^4 for faster point doublings.  Here "a" represents
+the linear coefficient of x defining the curve.
+
+EC_group_fp
+-----------
+Stores information on the elliptic curve group for floating
+point calculations.  Contains curve specific information, as
+well as function pointers to routines, allowing different
+optimizations to be easily wired in.
+This should be made accessible from an ECGroup for the floating
+point implementations of point multiplication.
+
+POINT MULTIPLICATION ALGORITHMS
+===============================
+Elliptic Curve Point multiplication can be done at a higher level orthogonal
+to the implementation of point additions and point doublings.  There
+are a variety of algorithms that can be used.
+
+The following algorithms have been implemented:
+
+4-bit Window (Jacobian Coordinates)
+Double & Add (Jacobian & Affine Coordinates)
+5-bit Non-Adjacent Form (Modified Jacobian & Chudnovsky Jacobian)
+
+Currently, the fastest algorithm for multiplying a generic point
+is the 5-bit Non-Adjacent Form.
+
+See comments in ecp_fp.c for more details and references.
+
+SOURCE / HEADER FILES
+=====================
+
+ecp_fp.c
+--------
+Main source file for floating point calculations.  Contains routines
+to convert from floating-point to integer (mp_int format), point
+multiplication algorithms, and several other routines.
+
+ecp_fp.h
+--------
+Main header file.  Contains most constants used and function prototypes.
+
+ecp_fp[160, 192, 224].c
+-----------------------
+Source files for specific curves.  Contains curve specific code such
+as specialized reduction based on the field defining prime.  Contains
+code wiring-in different algorithms and optimizations.
+
+ecp_fpinc.c
+-----------
+Source file that is included by ecp_fp[160, 192, 224].c.  This generates
+functions with different preprocessor-defined names and loop iterations,
+allowing for static linking and strong compiler optimizations without
+code duplication.
+
+TESTING
+=======
+The test suite can be found in ecl/tests/ecp_fpt.  This tests and gets
+timings of the different algorithms for the curves implemented.
+
+ARITHMETIC OPERATIONS
+---------------------
+The primary operations in ECC over the prime fields are modular arithmetic:
+i.e. n * m (mod p) and n + m (mod p).  In this implementation, multiplication,
+addition, and reduction are implemented as separate functions.  This
+enables computation of formulae with fewer reductions, e.g.
+(a * b) + (c * d) (mod p) rather than:
+((a * b) (mod p)) + ((c * d) (mod p)) (mod p)
+This takes advantage of the fact that the double precision mantissa in
+floating point can hold numbers up to 2^53, i.e. it has some leeway to
+store larger intermediate numbers.  See further detail in the section on 
+FLOATING POINT PRECISION.
+
+Multiplication
+--------------
+Multiplication is implemented in a standard polynomial multiplication
+fashion.  The terms in opposite factors are pairwise multiplied and
+added together appropriately.  Note that the result requires twice 
+as many doubles for storage, as the bit size of the product is twice
+that of the multiplicands.
+e.g. suppose we have double n[3], m[3], r[6], and want to calculate r = n * m
+r[0] = n[0] * m[0]
+r[1] = n[0] * m[1] + n[1] * m[0]
+r[2] = n[0] * m[2] + n[1] * m[1] + n[2] * m[0]
+r[3] = n[1] * m[2] + n[2] * m[1]
+r[4] = n[2] * m[2]
+r[5] = 0 (This is used later to hold spillover from r[4], see tidying in
+the reduction section.)
+
+Addition
+--------
+Addition is done term by term.  The only caveat is to be careful with
+the number of terms that need to be added.  When adding results of
+multiplication (before reduction), twice as many terms need to be added
+together.  This is done in the addLong function.
+e.g. for double n[4], m[4], r[4]:  r = n + m
+r[0] = n[0] + m[0]
+r[1] = n[1] + m[1]
+r[2] = n[2] + m[2]
+r[3] = n[3] + m[3]
+
+Modular Reduction
+-----------------
+For the curves implemented, reduction is possible by fast reduction
+for Generalized Mersenne Primes, as described in [4].  For the 
+floating point implementation, a significant step of the reduction 
+process is tidying:  that is, the propagation of carry bits from 
+low-order to high-order coefficients to reduce the precision of each 
+coefficient to 24 bits.
+This is done by adding and then subtracting
+ecfp_alpha, a large floating point number that induces precision roundoff.
+See [5] for more details on tidying using floating point arithmetic.
+e.g. suppose we have r = 961838 * 2^24 + 519308
+then if we set alpha = 3 * 2^51 * 2^24,
+FP(FP(r + alpha) - alpha) = 961838 * 2^24, because the precision for
+the intermediate results is limited.  Our values of alpha are chosen
+to truncate to a desired number of bits.
+
+The reduction is then performed as in [4], adding multiples of prime p.
+e.g. suppose we are working over a polynomial of 10^2.  Take the number
+2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95, stored in 5 elements
+for coefficients of 10^0, 10^2, ..., 10^8.
+We wish to reduce modulo p = 10^6 - 2 * 10^4 + 1
+We can subtract off from the higher terms
+(2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95) - (2 * 10^2) * (10^6 - 2 * 10^4 + 1)
+= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95
+= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95 - (15) * (10^6 - 2 * 10^4 + 1)
+= 83 * 10^4 + 21 * 10^2 + 80
+
+Integrated Example
+------------------
+This example shows how multiplication, addition, tidying, and reduction
+work together in our modular arithmetic.  This is simplified from the
+actual implementation, but should convey the main concepts.  
+Working over polynomials of 10^2 and with p as in the prior example,
+Let a = 16 * 10^4 + 53 * 10^2 + 33
+let b = 81 * 10^4 + 31 * 10^2 + 49
+let c = 22 * 10^4 +  0 * 10^2 + 95
+And suppose we want to compute a * b + c mod p.  
+We first do a multiplication:  then a * b =
+0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5100 * 10^4 + 3620 * 10^2 + 1617
+Then we add in c before doing reduction, allowing us to get a * b + c =
+0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
+We then perform a tidying on the upper half of the terms:
+0 * 10^10 + 1296 * 10^8 + 4789 * 10^6
+0 * 10^10 + (1296 + 47) * 10^8 + 89 * 10^6
+0 * 10^10 + 1343 * 10^8 + 89 * 10^6
+13 * 10^10 + 43 * 10^8 + 89 * 10^6
+which then gives us
+13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
+we then reduce modulo p similar to the reduction example above:
+13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712 
+	- (13 * 10^4 * p)
+69 * 10^8 + 89 * 10^6 + 5109 * 10^4 + 3620 * 10^2 + 1712
+	- (69 * 10^2 * p)
+227 * 10^6 + 5109 * 10^4 + 3551 * 10^2 + 1712
+	- (227 * p)
+5563 * 10^4 + 3551 * 10^2 + 1485
+finally, we do tidying to get the precision of each term down to 2 digits
+5563 * 10^4 + 3565 * 10^2 + 85
+5598 * 10^4 + 65 * 10^2 + 85
+55 * 10^6 + 98 * 10^4 + 65 * 10^2 + 85
+and perform another reduction step
+	- (55 * p)
+208 * 10^4 + 65 * 10^2 + 30
+There may be a small number of further reductions that could be done at
+this point, but this is typically done only at the end when converting
+from floating point  to an integer unit representation.
+
+FLOATING POINT PRECISION
+========================
+This section discusses the precision of floating point numbers, which
+one writing new formulae or a larger bit size should be aware of.  The
+danger is that an intermediate result may be required to store a
+mantissa larger than 53 bits, which would cause error by rounding off.
+
+Note that the tidying with IEEE rounding mode set to round-to-even
+allows negative numbers, which actually reduces the size of the double
+mantissa to 23 bits - since it rounds the mantissa to the nearest number 
+modulo 2^24, i.e. roughly between -2^23 and 2^23.
+A multiplication increases the bit size to 2^46 * n, where n is the number
+of doubles to store a number.  For the 224 bit curve, n = 10.  This gives 
+doubles of size 5 * 2^47.  Adding two of these doubles gives a result
+of size 5 * 2^48, which is less than 2^53, so this is safe.  
+Similar analysis can be done for other formulae to ensure numbers remain
+below 2^53.
+
+Extended-Precision Floating Point
+---------------------------------
+Some platforms, notably x86 Linux, may use an extended-precision floating
+point representation that has a 64-bit mantissa.  [6]  Although this
+implementation is optimized for the IEEE standard 53-bit mantissa,
+it should work with the 64-bit mantissa.  A check is done at run-time
+in the function ec_set_fp_precision that detects if the precision is
+greater than 53 bits, and runs code for the 64-bit mantissa accordingly.
+
+REFERENCES
+==========
+[1] Certicom Corp., "SEC 2: Recommended Elliptic Curve Domain Parameters", Sept. 20, 2000.  www.secg.org
+[2] Sun Microsystems Inc.  UltraSPARC III Cu User's Manual, Version 1.0, May 2002, Table 4.4
+[3] H. Cohen, A. Miyaji, and T. Ono, "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates".
+[4] Henk C.A. van Tilborg, Generalized Mersenne Prime.  http://www.win.tue.nl/~henkvt/GenMersenne.pdf
+[5] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2.
+[6] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2 Notes.
diff --git a/security/nss/lib/freebl/ecl/ec2.h b/security/nss/lib/freebl/ecl/ec2.h
new file mode 100644
index 000000000..2ca8418b3
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2.h
@@ -0,0 +1,126 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ec2_h_
+#define __ec2_h_
+
+#include "ecl-priv.h"
+
+/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py);
+
+/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py);
+
+/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
+ * qy). Uses affine coordinates. */
+mp_err ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py,
+						  const mp_int *qx, const mp_int *qy, mp_int *rx,
+						  mp_int *ry, const ECGroup *group);
+
+/* Computes R = P - Q.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py,
+						  const mp_int *qx, const mp_int *qy, mp_int *rx,
+						  mp_int *ry, const ECGroup *group);
+
+/* Computes R = 2P.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
+						  mp_int *ry, const ECGroup *group);
+
+/* Validates a point on a GF2m curve. */
+mp_err ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
+
+/* by default, this routine is unused and thus doesn't need to be compiled */
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the irreducible that 
+ * determines the field GF2m.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px,
+						  const mp_int *py, mp_int *rx, mp_int *ry,
+						  const ECGroup *group);
+#endif
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the irreducible that 
+ * determines the field GF2m.  Uses Montgomery projective coordinates. */
+mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
+						   const mp_int *py, mp_int *rx, mp_int *ry,
+						   const ECGroup *group);
+
+#ifdef ECL_ENABLE_GF2M_PROJ
+/* Converts a point P(px, py) from affine coordinates to projective
+ * coordinates R(rx, ry, rz). */
+mp_err ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
+						   mp_int *ry, mp_int *rz, const ECGroup *group);
+
+/* Converts a point P(px, py, pz) from projective coordinates to affine
+ * coordinates R(rx, ry). */
+mp_err ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py,
+						   const mp_int *pz, mp_int *rx, mp_int *ry,
+						   const ECGroup *group);
+
+/* Checks if point P(px, py, pz) is at infinity.  Uses projective
+ * coordinates. */
+mp_err ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
+							  const mp_int *pz);
+
+/* Sets P(px, py, pz) to be the point at infinity.  Uses projective
+ * coordinates. */
+mp_err ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz);
+
+/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
+ * (qx, qy, qz).  Uses projective coordinates. */
+mp_err ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py,
+						   const mp_int *pz, const mp_int *qx,
+						   const mp_int *qy, mp_int *rx, mp_int *ry,
+						   mp_int *rz, const ECGroup *group);
+
+/* Computes R = 2P.  Uses projective coordinates. */
+mp_err ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py,
+						   const mp_int *pz, mp_int *rx, mp_int *ry,
+						   mp_int *rz, const ECGroup *group);
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GF2m.  Uses projective coordinates. */
+mp_err ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px,
+						   const mp_int *py, mp_int *rx, mp_int *ry,
+						   const ECGroup *group);
+#endif
+
+#endif							/* __ec2_h_ */
diff --git a/security/nss/lib/freebl/ecl/ec2_163.c b/security/nss/lib/freebl/ecl/ec2_163.c
new file mode 100644
index 000000000..641632146
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_163.c
@@ -0,0 +1,259 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mp_gf2m.h"
+#include "mp_gf2m-priv.h"
+#include "mpi.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Fast reduction for polynomials over a 163-bit curve. Assumes reduction
+ * polynomial with terms {163, 7, 6, 3, 0}. */
+mp_err
+ec_GF2m_163_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, z;
+
+	if (a != r) {
+		MP_CHECKOK(mp_copy(a, r));
+	}
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(r) < 6) {
+		MP_CHECKOK(s_mp_pad(r, 6));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 6;
+
+	/* u[5] only has 6 significant bits */
+	z = u[5];
+	u[2] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
+	z = u[4];
+	u[2] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
+	u[1] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
+	z = u[3];
+	u[1] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
+	u[0] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
+	z = u[2] >> 35;				/* z only has 29 significant bits */
+	u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
+	/* clear bits above 163 */
+	u[5] = u[4] = u[3] = 0;
+	u[2] ^= z << 35;
+#else
+	if (MP_USED(r) < 11) {
+		MP_CHECKOK(s_mp_pad(r, 11));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 11;
+
+	/* u[11] only has 6 significant bits */
+	z = u[10];
+	u[5] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
+	u[4] ^= (z << 29);
+	z = u[9];
+	u[5] ^= (z >> 28) ^ (z >> 29);
+	u[4] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
+	u[3] ^= (z << 29);
+	z = u[8];
+	u[4] ^= (z >> 28) ^ (z >> 29);
+	u[3] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
+	u[2] ^= (z << 29);
+	z = u[7];
+	u[3] ^= (z >> 28) ^ (z >> 29);
+	u[2] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
+	u[1] ^= (z << 29);
+	z = u[6];
+	u[2] ^= (z >> 28) ^ (z >> 29);
+	u[1] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
+	u[0] ^= (z << 29);
+	z = u[5] >> 3;				/* z only has 29 significant bits */
+	u[1] ^= (z >> 25) ^ (z >> 26);
+	u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
+	/* clear bits above 163 */
+	u[11] = u[10] = u[9] = u[8] = u[7] = u[6] = 0;
+	u[5] ^= z << 3;
+#endif
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast squaring for polynomials over a 163-bit curve. Assumes reduction
+ * polynomial with terms {163, 7, 6, 3, 0}. */
+mp_err
+ec_GF2m_163_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, *v;
+
+	v = MP_DIGITS(a);
+
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(a) < 3) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 6) {
+		MP_CHECKOK(s_mp_pad(r, 6));
+	}
+	MP_USED(r) = 6;
+#else
+	if (MP_USED(a) < 6) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 12) {
+		MP_CHECKOK(s_mp_pad(r, 12));
+	}
+	MP_USED(r) = 12;
+#endif
+	u = MP_DIGITS(r);
+
+#ifdef ECL_THIRTY_TWO_BIT
+	u[11] = gf2m_SQR1(v[5]);
+	u[10] = gf2m_SQR0(v[5]);
+	u[9] = gf2m_SQR1(v[4]);
+	u[8] = gf2m_SQR0(v[4]);
+	u[7] = gf2m_SQR1(v[3]);
+	u[6] = gf2m_SQR0(v[3]);
+#endif
+	u[5] = gf2m_SQR1(v[2]);
+	u[4] = gf2m_SQR0(v[2]);
+	u[3] = gf2m_SQR1(v[1]);
+	u[2] = gf2m_SQR0(v[1]);
+	u[1] = gf2m_SQR1(v[0]);
+	u[0] = gf2m_SQR0(v[0]);
+	return ec_GF2m_163_mod(r, r, meth);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast multiplication for polynomials over a 163-bit curve. Assumes
+ * reduction polynomial with terms {163, 7, 6, 3, 0}. */
+mp_err
+ec_GF2m_163_mul(const mp_int *a, const mp_int *b, mp_int *r,
+				const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a2 = 0, a1 = 0, a0, b2 = 0, b1 = 0, b0;
+
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit a5 = 0, a4 = 0, a3 = 0, b5 = 0, b4 = 0, b3 = 0;
+	mp_digit rm[6];
+#endif
+
+	if (a == b) {
+		return ec_GF2m_163_sqr(a, r, meth);
+	} else {
+		switch (MP_USED(a)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 6:
+			a5 = MP_DIGIT(a, 5);
+		case 5:
+			a4 = MP_DIGIT(a, 4);
+		case 4:
+			a3 = MP_DIGIT(a, 3);
+#endif
+		case 3:
+			a2 = MP_DIGIT(a, 2);
+		case 2:
+			a1 = MP_DIGIT(a, 1);
+		default:
+			a0 = MP_DIGIT(a, 0);
+		}
+		switch (MP_USED(b)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 6:
+			b5 = MP_DIGIT(b, 5);
+		case 5:
+			b4 = MP_DIGIT(b, 4);
+		case 4:
+			b3 = MP_DIGIT(b, 3);
+#endif
+		case 3:
+			b2 = MP_DIGIT(b, 2);
+		case 2:
+			b1 = MP_DIGIT(b, 1);
+		default:
+			b0 = MP_DIGIT(b, 0);
+		}
+#ifdef ECL_SIXTY_FOUR_BIT
+		MP_CHECKOK(s_mp_pad(r, 6));
+		s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
+		MP_USED(r) = 6;
+		s_mp_clamp(r);
+#else
+		MP_CHECKOK(s_mp_pad(r, 12));
+		s_bmul_3x3(MP_DIGITS(r) + 6, a5, a4, a3, b5, b4, b3);
+		s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
+		s_bmul_3x3(rm, a5 ^ a2, a4 ^ a1, a3 ^ a0, b5 ^ b2, b4 ^ b1,
+				   b3 ^ b0);
+		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 11);
+		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 10);
+		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 9);
+		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 8);
+		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 7);
+		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 6);
+		MP_DIGIT(r, 8) ^= rm[5];
+		MP_DIGIT(r, 7) ^= rm[4];
+		MP_DIGIT(r, 6) ^= rm[3];
+		MP_DIGIT(r, 5) ^= rm[2];
+		MP_DIGIT(r, 4) ^= rm[1];
+		MP_DIGIT(r, 3) ^= rm[0];
+		MP_USED(r) = 12;
+		s_mp_clamp(r);
+#endif
+		return ec_GF2m_163_mod(r, r, meth);
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Wire in fast field arithmetic for 163-bit curves. */
+mp_err
+ec_group_set_gf2m163(ECGroup *group, ECCurveName name)
+{
+	group->meth->field_mod = &ec_GF2m_163_mod;
+	group->meth->field_mul = &ec_GF2m_163_mul;
+	group->meth->field_sqr = &ec_GF2m_163_sqr;
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ec2_193.c b/security/nss/lib/freebl/ecl/ec2_193.c
new file mode 100644
index 000000000..1a1e8189e
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_193.c
@@ -0,0 +1,276 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mp_gf2m.h"
+#include "mp_gf2m-priv.h"
+#include "mpi.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Fast reduction for polynomials over a 193-bit curve. Assumes reduction
+ * polynomial with terms {193, 15, 0}. */
+mp_err
+ec_GF2m_193_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, z;
+
+	if (a != r) {
+		MP_CHECKOK(mp_copy(a, r));
+	}
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(r) < 7) {
+		MP_CHECKOK(s_mp_pad(r, 7));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 7;
+
+	/* u[6] only has 2 significant bits */
+	z = u[6];
+	u[3] ^= (z << 14) ^ (z >> 1);
+	u[2] ^= (z << 63);
+	z = u[5];
+	u[3] ^= (z >> 50);
+	u[2] ^= (z << 14) ^ (z >> 1);
+	u[1] ^= (z << 63);
+	z = u[4];
+	u[2] ^= (z >> 50);
+	u[1] ^= (z << 14) ^ (z >> 1);
+	u[0] ^= (z << 63);
+	z = u[3] >> 1;				/* z only has 63 significant bits */
+	u[1] ^= (z >> 49);
+	u[0] ^= (z << 15) ^ z;
+	/* clear bits above 193 */
+	u[6] = u[5] = u[4] = 0;
+	u[3] ^= z << 1;
+#else
+	if (MP_USED(r) < 13) {
+		MP_CHECKOK(s_mp_pad(r, 13));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 13;
+
+	/* u[12] only has 2 significant bits */
+	z = u[12];
+	u[6] ^= (z << 14) ^ (z >> 1);
+	u[5] ^= (z << 31);
+	z = u[11];
+	u[6] ^= (z >> 18);
+	u[5] ^= (z << 14) ^ (z >> 1);
+	u[4] ^= (z << 31);
+	z = u[10];
+	u[5] ^= (z >> 18);
+	u[4] ^= (z << 14) ^ (z >> 1);
+	u[3] ^= (z << 31);
+	z = u[9];
+	u[4] ^= (z >> 18);
+	u[3] ^= (z << 14) ^ (z >> 1);
+	u[2] ^= (z << 31);
+	z = u[8];
+	u[3] ^= (z >> 18);
+	u[2] ^= (z << 14) ^ (z >> 1);
+	u[1] ^= (z << 31);
+	z = u[7];
+	u[2] ^= (z >> 18);
+	u[1] ^= (z << 14) ^ (z >> 1);
+	u[0] ^= (z << 31);
+	z = u[6] >> 1;				/* z only has 31 significant bits */
+	u[1] ^= (z >> 17);
+	u[0] ^= (z << 15) ^ z;
+	/* clear bits above 193 */
+	u[12] = u[11] = u[10] = u[9] = u[8] = u[7] = 0;
+	u[6] ^= z << 1;
+#endif
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast squaring for polynomials over a 193-bit curve. Assumes reduction
+ * polynomial with terms {193, 15, 0}. */
+mp_err
+ec_GF2m_193_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, *v;
+
+	v = MP_DIGITS(a);
+
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(a) < 4) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 7) {
+		MP_CHECKOK(s_mp_pad(r, 7));
+	}
+	MP_USED(r) = 7;
+#else
+	if (MP_USED(a) < 7) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 13) {
+		MP_CHECKOK(s_mp_pad(r, 13));
+	}
+	MP_USED(r) = 13;
+#endif
+	u = MP_DIGITS(r);
+
+#ifdef ECL_THIRTY_TWO_BIT
+	u[12] = gf2m_SQR0(v[6]);
+	u[11] = gf2m_SQR1(v[5]);
+	u[10] = gf2m_SQR0(v[5]);
+	u[9] = gf2m_SQR1(v[4]);
+	u[8] = gf2m_SQR0(v[4]);
+	u[7] = gf2m_SQR1(v[3]);
+#endif
+	u[6] = gf2m_SQR0(v[3]);
+	u[5] = gf2m_SQR1(v[2]);
+	u[4] = gf2m_SQR0(v[2]);
+	u[3] = gf2m_SQR1(v[1]);
+	u[2] = gf2m_SQR0(v[1]);
+	u[1] = gf2m_SQR1(v[0]);
+	u[0] = gf2m_SQR0(v[0]);
+	return ec_GF2m_193_mod(r, r, meth);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast multiplication for polynomials over a 193-bit curve. Assumes
+ * reduction polynomial with terms {193, 15, 0}. */
+mp_err
+ec_GF2m_193_mul(const mp_int *a, const mp_int *b, mp_int *r,
+				const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
+
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit a6 = 0, a5 = 0, a4 = 0, b6 = 0, b5 = 0, b4 = 0;
+	mp_digit rm[8];
+#endif
+
+	if (a == b) {
+		return ec_GF2m_193_sqr(a, r, meth);
+	} else {
+		switch (MP_USED(a)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 7:
+			a6 = MP_DIGIT(a, 6);
+		case 6:
+			a5 = MP_DIGIT(a, 5);
+		case 5:
+			a4 = MP_DIGIT(a, 4);
+#endif
+		case 4:
+			a3 = MP_DIGIT(a, 3);
+		case 3:
+			a2 = MP_DIGIT(a, 2);
+		case 2:
+			a1 = MP_DIGIT(a, 1);
+		default:
+			a0 = MP_DIGIT(a, 0);
+		}
+		switch (MP_USED(b)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 7:
+			b6 = MP_DIGIT(b, 6);
+		case 6:
+			b5 = MP_DIGIT(b, 5);
+		case 5:
+			b4 = MP_DIGIT(b, 4);
+#endif
+		case 4:
+			b3 = MP_DIGIT(b, 3);
+		case 3:
+			b2 = MP_DIGIT(b, 2);
+		case 2:
+			b1 = MP_DIGIT(b, 1);
+		default:
+			b0 = MP_DIGIT(b, 0);
+		}
+#ifdef ECL_SIXTY_FOUR_BIT
+		MP_CHECKOK(s_mp_pad(r, 8));
+		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
+		MP_USED(r) = 8;
+		s_mp_clamp(r);
+#else
+		MP_CHECKOK(s_mp_pad(r, 14));
+		s_bmul_3x3(MP_DIGITS(r) + 8, a6, a5, a4, b6, b5, b4);
+		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
+		s_bmul_4x4(rm, a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b3, b6 ^ b2, b5 ^ b1,
+				   b4 ^ b0);
+		rm[7] ^= MP_DIGIT(r, 7);
+		rm[6] ^= MP_DIGIT(r, 6);
+		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
+		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
+		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
+		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
+		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
+		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
+		MP_DIGIT(r, 11) ^= rm[7];
+		MP_DIGIT(r, 10) ^= rm[6];
+		MP_DIGIT(r, 9) ^= rm[5];
+		MP_DIGIT(r, 8) ^= rm[4];
+		MP_DIGIT(r, 7) ^= rm[3];
+		MP_DIGIT(r, 6) ^= rm[2];
+		MP_DIGIT(r, 5) ^= rm[1];
+		MP_DIGIT(r, 4) ^= rm[0];
+		MP_USED(r) = 14;
+		s_mp_clamp(r);
+#endif
+		return ec_GF2m_193_mod(r, r, meth);
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Wire in fast field arithmetic for 193-bit curves. */
+mp_err
+ec_group_set_gf2m193(ECGroup *group, ECCurveName name)
+{
+	group->meth->field_mod = &ec_GF2m_193_mod;
+	group->meth->field_mul = &ec_GF2m_193_mul;
+	group->meth->field_sqr = &ec_GF2m_193_sqr;
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ec2_233.c b/security/nss/lib/freebl/ecl/ec2_233.c
new file mode 100644
index 000000000..3ecea93ff
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_233.c
@@ -0,0 +1,299 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mp_gf2m.h"
+#include "mp_gf2m-priv.h"
+#include "mpi.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Fast reduction for polynomials over a 233-bit curve. Assumes reduction
+ * polynomial with terms {233, 74, 0}. */
+mp_err
+ec_GF2m_233_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, z;
+
+	if (a != r) {
+		MP_CHECKOK(mp_copy(a, r));
+	}
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(r) < 8) {
+		MP_CHECKOK(s_mp_pad(r, 8));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 8;
+
+	/* u[7] only has 18 significant bits */
+	z = u[7];
+	u[4] ^= (z << 33) ^ (z >> 41);
+	u[3] ^= (z << 23);
+	z = u[6];
+	u[4] ^= (z >> 31);
+	u[3] ^= (z << 33) ^ (z >> 41);
+	u[2] ^= (z << 23);
+	z = u[5];
+	u[3] ^= (z >> 31);
+	u[2] ^= (z << 33) ^ (z >> 41);
+	u[1] ^= (z << 23);
+	z = u[4];
+	u[2] ^= (z >> 31);
+	u[1] ^= (z << 33) ^ (z >> 41);
+	u[0] ^= (z << 23);
+	z = u[3] >> 41;				/* z only has 23 significant bits */
+	u[1] ^= (z << 10);
+	u[0] ^= z;
+	/* clear bits above 233 */
+	u[7] = u[6] = u[5] = u[4] = 0;
+	u[3] ^= z << 41;
+#else
+	if (MP_USED(r) < 15) {
+		MP_CHECKOK(s_mp_pad(r, 15));
+	}
+	u = MP_DIGITS(r);
+	MP_USED(r) = 15;
+
+	/* u[14] only has 18 significant bits */
+	z = u[14];
+	u[9] ^= (z << 1);
+	u[7] ^= (z >> 9);
+	u[6] ^= (z << 23);
+	z = u[13];
+	u[9] ^= (z >> 31);
+	u[8] ^= (z << 1);
+	u[6] ^= (z >> 9);
+	u[5] ^= (z << 23);
+	z = u[12];
+	u[8] ^= (z >> 31);
+	u[7] ^= (z << 1);
+	u[5] ^= (z >> 9);
+	u[4] ^= (z << 23);
+	z = u[11];
+	u[7] ^= (z >> 31);
+	u[6] ^= (z << 1);
+	u[4] ^= (z >> 9);
+	u[3] ^= (z << 23);
+	z = u[10];
+	u[6] ^= (z >> 31);
+	u[5] ^= (z << 1);
+	u[3] ^= (z >> 9);
+	u[2] ^= (z << 23);
+	z = u[9];
+	u[5] ^= (z >> 31);
+	u[4] ^= (z << 1);
+	u[2] ^= (z >> 9);
+	u[1] ^= (z << 23);
+	z = u[8];
+	u[4] ^= (z >> 31);
+	u[3] ^= (z << 1);
+	u[1] ^= (z >> 9);
+	u[0] ^= (z << 23);
+	z = u[7] >> 9;				/* z only has 23 significant bits */
+	u[3] ^= (z >> 22);
+	u[2] ^= (z << 10);
+	u[0] ^= z;
+	/* clear bits above 233 */
+	u[14] = u[13] = u[12] = u[11] = u[10] = u[9] = u[8] = 0;
+	u[7] ^= z << 9;
+#endif
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast squaring for polynomials over a 233-bit curve. Assumes reduction
+ * polynomial with terms {233, 74, 0}. */
+mp_err
+ec_GF2m_233_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit *u, *v;
+
+	v = MP_DIGITS(a);
+
+#ifdef ECL_SIXTY_FOUR_BIT
+	if (MP_USED(a) < 4) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 8) {
+		MP_CHECKOK(s_mp_pad(r, 8));
+	}
+	MP_USED(r) = 8;
+#else
+	if (MP_USED(a) < 8) {
+		return mp_bsqrmod(a, meth->irr_arr, r);
+	}
+	if (MP_USED(r) < 15) {
+		MP_CHECKOK(s_mp_pad(r, 15));
+	}
+	MP_USED(r) = 15;
+#endif
+	u = MP_DIGITS(r);
+
+#ifdef ECL_THIRTY_TWO_BIT
+	u[14] = gf2m_SQR0(v[7]);
+	u[13] = gf2m_SQR1(v[6]);
+	u[12] = gf2m_SQR0(v[6]);
+	u[11] = gf2m_SQR1(v[5]);
+	u[10] = gf2m_SQR0(v[5]);
+	u[9] = gf2m_SQR1(v[4]);
+	u[8] = gf2m_SQR0(v[4]);
+#endif
+	u[7] = gf2m_SQR1(v[3]);
+	u[6] = gf2m_SQR0(v[3]);
+	u[5] = gf2m_SQR1(v[2]);
+	u[4] = gf2m_SQR0(v[2]);
+	u[3] = gf2m_SQR1(v[1]);
+	u[2] = gf2m_SQR0(v[1]);
+	u[1] = gf2m_SQR1(v[0]);
+	u[0] = gf2m_SQR0(v[0]);
+	return ec_GF2m_233_mod(r, r, meth);
+
+  CLEANUP:
+	return res;
+}
+
+/* Fast multiplication for polynomials over a 233-bit curve. Assumes
+ * reduction polynomial with terms {233, 74, 0}. */
+mp_err
+ec_GF2m_233_mul(const mp_int *a, const mp_int *b, mp_int *r,
+				const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
+
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit a7 = 0, a6 = 0, a5 = 0, a4 = 0, b7 = 0, b6 = 0, b5 = 0, b4 =
+		0;
+	mp_digit rm[8];
+#endif
+
+	if (a == b) {
+		return ec_GF2m_233_sqr(a, r, meth);
+	} else {
+		switch (MP_USED(a)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 8:
+			a7 = MP_DIGIT(a, 7);
+		case 7:
+			a6 = MP_DIGIT(a, 6);
+		case 6:
+			a5 = MP_DIGIT(a, 5);
+		case 5:
+			a4 = MP_DIGIT(a, 4);
+#endif
+		case 4:
+			a3 = MP_DIGIT(a, 3);
+		case 3:
+			a2 = MP_DIGIT(a, 2);
+		case 2:
+			a1 = MP_DIGIT(a, 1);
+		default:
+			a0 = MP_DIGIT(a, 0);
+		}
+		switch (MP_USED(b)) {
+#ifdef ECL_THIRTY_TWO_BIT
+		case 8:
+			b7 = MP_DIGIT(b, 7);
+		case 7:
+			b6 = MP_DIGIT(b, 6);
+		case 6:
+			b5 = MP_DIGIT(b, 5);
+		case 5:
+			b4 = MP_DIGIT(b, 4);
+#endif
+		case 4:
+			b3 = MP_DIGIT(b, 3);
+		case 3:
+			b2 = MP_DIGIT(b, 2);
+		case 2:
+			b1 = MP_DIGIT(b, 1);
+		default:
+			b0 = MP_DIGIT(b, 0);
+		}
+#ifdef ECL_SIXTY_FOUR_BIT
+		MP_CHECKOK(s_mp_pad(r, 8));
+		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
+		MP_USED(r) = 8;
+		s_mp_clamp(r);
+#else
+		MP_CHECKOK(s_mp_pad(r, 16));
+		s_bmul_4x4(MP_DIGITS(r) + 8, a7, a6, a5, a4, b7, b6, b5, b4);
+		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
+		s_bmul_4x4(rm, a7 ^ a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b7 ^ b3,
+				   b6 ^ b2, b5 ^ b1, b4 ^ b0);
+		rm[7] ^= MP_DIGIT(r, 7) ^ MP_DIGIT(r, 15);
+		rm[6] ^= MP_DIGIT(r, 6) ^ MP_DIGIT(r, 14);
+		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
+		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
+		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
+		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
+		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
+		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
+		MP_DIGIT(r, 11) ^= rm[7];
+		MP_DIGIT(r, 10) ^= rm[6];
+		MP_DIGIT(r, 9) ^= rm[5];
+		MP_DIGIT(r, 8) ^= rm[4];
+		MP_DIGIT(r, 7) ^= rm[3];
+		MP_DIGIT(r, 6) ^= rm[2];
+		MP_DIGIT(r, 5) ^= rm[1];
+		MP_DIGIT(r, 4) ^= rm[0];
+		MP_USED(r) = 16;
+		s_mp_clamp(r);
+#endif
+		return ec_GF2m_233_mod(r, r, meth);
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Wire in fast field arithmetic for 233-bit curves. */
+mp_err
+ec_group_set_gf2m233(ECGroup *group, ECCurveName name)
+{
+	group->meth->field_mod = &ec_GF2m_233_mod;
+	group->meth->field_mul = &ec_GF2m_233_mul;
+	group->meth->field_sqr = &ec_GF2m_233_sqr;
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ec2_aff.c b/security/nss/lib/freebl/ecl/ec2_aff.c
new file mode 100644
index 000000000..64bb6fecc
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_aff.c
@@ -0,0 +1,346 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mplogic.h"
+#include "mp_gf2m.h"
+#include <stdlib.h>
+
+/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
+mp_err
+ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py)
+{
+
+	if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
+		return MP_YES;
+	} else {
+		return MP_NO;
+	}
+
+}
+
+/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
+mp_err
+ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py)
+{
+	mp_zero(px);
+	mp_zero(py);
+	return MP_OKAY;
+}
+
+/* Computes R = P + Q based on IEEE P1363 A.10.2. Elliptic curve points P, 
+ * Q, and R can all be identical. Uses affine coordinates. */
+mp_err
+ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
+				   const mp_int *qy, mp_int *rx, mp_int *ry,
+				   const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int lambda, tempx, tempy;
+
+	MP_DIGITS(&lambda) = 0;
+	MP_DIGITS(&tempx) = 0;
+	MP_DIGITS(&tempy) = 0;
+	MP_CHECKOK(mp_init(&lambda));
+	MP_CHECKOK(mp_init(&tempx));
+	MP_CHECKOK(mp_init(&tempy));
+	/* if P = inf, then R = Q */
+	if (ec_GF2m_pt_is_inf_aff(px, py) == 0) {
+		MP_CHECKOK(mp_copy(qx, rx));
+		MP_CHECKOK(mp_copy(qy, ry));
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* if Q = inf, then R = P */
+	if (ec_GF2m_pt_is_inf_aff(qx, qy) == 0) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* if px != qx, then lambda = (py+qy) / (px+qx), tempx = a + lambda^2
+	 * + lambda + px + qx */
+	if (mp_cmp(px, qx) != 0) {
+		MP_CHECKOK(group->meth->field_add(py, qy, &tempy, group->meth));
+		MP_CHECKOK(group->meth->field_add(px, qx, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_div(&tempy, &tempx, &lambda, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, &lambda, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, &group->curvea, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, px, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, qx, &tempx, group->meth));
+	} else {
+		/* if py != qy or qx = 0, then R = inf */
+		if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qx) == 0)) {
+			mp_zero(rx);
+			mp_zero(ry);
+			res = MP_OKAY;
+			goto CLEANUP;
+		}
+		/* lambda = qx + qy / qx */
+		MP_CHECKOK(group->meth->field_div(qy, qx, &lambda, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&lambda, qx, &lambda, group->meth));
+		/* tempx = a + lambda^2 + lambda */
+		MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, &lambda, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, &group->curvea, &tempx, group->meth));
+	}
+	/* ry = (qx + tempx) * lambda + tempx + qy */
+	MP_CHECKOK(group->meth->field_add(qx, &tempx, &tempy, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_mul(&tempy, &lambda, &tempy, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_add(&tempy, &tempx, &tempy, group->meth));
+	MP_CHECKOK(group->meth->field_add(&tempy, qy, ry, group->meth));
+	/* rx = tempx */
+	MP_CHECKOK(mp_copy(&tempx, rx));
+
+  CLEANUP:
+	mp_clear(&lambda);
+	mp_clear(&tempx);
+	mp_clear(&tempy);
+	return res;
+}
+
+/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
+ * identical. Uses affine coordinates. */
+mp_err
+ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
+				   const mp_int *qy, mp_int *rx, mp_int *ry,
+				   const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int nqy;
+
+	MP_DIGITS(&nqy) = 0;
+	MP_CHECKOK(mp_init(&nqy));
+	/* nqy = qx+qy */
+	MP_CHECKOK(group->meth->field_add(qx, qy, &nqy, group->meth));
+	MP_CHECKOK(group->point_add(px, py, qx, &nqy, rx, ry, group));
+  CLEANUP:
+	mp_clear(&nqy);
+	return res;
+}
+
+/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
+ * affine coordinates. */
+mp_err
+ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
+				   mp_int *ry, const ECGroup *group)
+{
+	return group->point_add(px, py, px, py, rx, ry, group);
+}
+
+/* by default, this routine is unused and thus doesn't need to be compiled */
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and 
+ * R can be identical. Uses affine coordinates. */
+mp_err
+ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
+				   mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int k, k3, qx, qy, sx, sy;
+	int b1, b3, i, l;
+
+	MP_DIGITS(&k) = 0;
+	MP_DIGITS(&k3) = 0;
+	MP_DIGITS(&qx) = 0;
+	MP_DIGITS(&qy) = 0;
+	MP_DIGITS(&sx) = 0;
+	MP_DIGITS(&sy) = 0;
+	MP_CHECKOK(mp_init(&k));
+	MP_CHECKOK(mp_init(&k3));
+	MP_CHECKOK(mp_init(&qx));
+	MP_CHECKOK(mp_init(&qy));
+	MP_CHECKOK(mp_init(&sx));
+	MP_CHECKOK(mp_init(&sy));
+
+	/* if n = 0 then r = inf */
+	if (mp_cmp_z(n) == 0) {
+		mp_zero(rx);
+		mp_zero(ry);
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* Q = P, k = n */
+	MP_CHECKOK(mp_copy(px, &qx));
+	MP_CHECKOK(mp_copy(py, &qy));
+	MP_CHECKOK(mp_copy(n, &k));
+	/* if n < 0 then Q = -Q, k = -k */
+	if (mp_cmp_z(n) < 0) {
+		MP_CHECKOK(group->meth->field_add(&qx, &qy, &qy, group->meth));
+		MP_CHECKOK(mp_neg(&k, &k));
+	}
+#ifdef ECL_DEBUG				/* basic double and add method */
+	l = mpl_significant_bits(&k) - 1;
+	MP_CHECKOK(mp_copy(&qx, &sx));
+	MP_CHECKOK(mp_copy(&qy, &sy));
+	for (i = l - 1; i >= 0; i--) {
+		/* S = 2S */
+		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
+		/* if k_i = 1, then S = S + Q */
+		if (mpl_get_bit(&k, i) != 0) {
+			MP_CHECKOK(group->
+					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
+		}
+	}
+#else							/* double and add/subtract method from
+								 * standard */
+	/* k3 = 3 * k */
+	MP_CHECKOK(mp_set_int(&k3, 3));
+	MP_CHECKOK(mp_mul(&k, &k3, &k3));
+	/* S = Q */
+	MP_CHECKOK(mp_copy(&qx, &sx));
+	MP_CHECKOK(mp_copy(&qy, &sy));
+	/* l = index of high order bit in binary representation of 3*k */
+	l = mpl_significant_bits(&k3) - 1;
+	/* for i = l-1 downto 1 */
+	for (i = l - 1; i >= 1; i--) {
+		/* S = 2S */
+		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
+		b3 = MP_GET_BIT(&k3, i);
+		b1 = MP_GET_BIT(&k, i);
+		/* if k3_i = 1 and k_i = 0, then S = S + Q */
+		if ((b3 == 1) && (b1 == 0)) {
+			MP_CHECKOK(group->
+					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
+			/* if k3_i = 0 and k_i = 1, then S = S - Q */
+		} else if ((b3 == 0) && (b1 == 1)) {
+			MP_CHECKOK(group->
+					   point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
+		}
+	}
+#endif
+	/* output S */
+	MP_CHECKOK(mp_copy(&sx, rx));
+	MP_CHECKOK(mp_copy(&sy, ry));
+
+  CLEANUP:
+	mp_clear(&k);
+	mp_clear(&k3);
+	mp_clear(&qx);
+	mp_clear(&qy);
+	mp_clear(&sx);
+	mp_clear(&sy);
+	return res;
+}
+#endif
+
+/* Validates a point on a GF2m curve. */
+mp_err 
+ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
+{
+	mp_err res = MP_NO;
+	mp_int accl, accr, tmp, pxt, pyt;
+
+	MP_DIGITS(&accl) = 0;
+	MP_DIGITS(&accr) = 0;
+	MP_DIGITS(&tmp) = 0;
+	MP_DIGITS(&pxt) = 0;
+	MP_DIGITS(&pyt) = 0;
+	MP_CHECKOK(mp_init(&accl));
+	MP_CHECKOK(mp_init(&accr));
+	MP_CHECKOK(mp_init(&tmp));
+	MP_CHECKOK(mp_init(&pxt));
+	MP_CHECKOK(mp_init(&pyt));
+
+    /* 1: Verify that publicValue is not the point at infinity */
+	if (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 2: Verify that the coordinates of publicValue are elements 
+     *    of the field.
+     */
+	if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || 
+		(MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 3: Verify that publicValue is on the curve. */
+	if (group->meth->field_enc) {
+		group->meth->field_enc(px, &pxt, group->meth);
+		group->meth->field_enc(py, &pyt, group->meth);
+	} else {
+		mp_copy(px, &pxt);
+		mp_copy(py, &pyt);
+	}
+	/* left-hand side: y^2 + x*y  */
+	MP_CHECKOK( group->meth->field_sqr(&pyt, &accl, group->meth) );
+	MP_CHECKOK( group->meth->field_mul(&pxt, &pyt, &tmp, group->meth) );
+	MP_CHECKOK( group->meth->field_add(&accl, &tmp, &accl, group->meth) );
+	/* right-hand side: x^3 + a*x^2 + b */
+	MP_CHECKOK( group->meth->field_sqr(&pxt, &tmp, group->meth) );
+	MP_CHECKOK( group->meth->field_mul(&pxt, &tmp, &accr, group->meth) );
+	MP_CHECKOK( group->meth->field_mul(&group->curvea, &tmp, &tmp, group->meth) );
+	MP_CHECKOK( group->meth->field_add(&tmp, &accr, &accr, group->meth) );
+	MP_CHECKOK( group->meth->field_add(&accr, &group->curveb, &accr, group->meth) );
+	/* check LHS - RHS == 0 */
+	MP_CHECKOK( group->meth->field_add(&accl, &accr, &accr, group->meth) );
+	if (mp_cmp_z(&accr) != 0) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 4: Verify that the order of the curve times the publicValue
+     *    is the point at infinity.
+     */
+	MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+	if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	res = MP_YES;
+
+CLEANUP:
+	mp_clear(&accl);
+	mp_clear(&accr);
+	mp_clear(&tmp);
+	mp_clear(&pxt);
+	mp_clear(&pyt);
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ec2_mont.c b/security/nss/lib/freebl/ecl/ec2_mont.c
new file mode 100644
index 000000000..7167a9879
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_mont.c
@@ -0,0 +1,274 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mplogic.h"
+#include "mp_gf2m.h"
+#include <stdlib.h>
+
+/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery
+ * projective coordinates. Uses algorithm Mdouble in appendix of Lopez, J. 
+ * and Dahab, R.  "Fast multiplication on elliptic curves over GF(2^m)
+ * without precomputation". modified to not require precomputation of
+ * c=b^{2^{m-1}}. */
+static mp_err
+gf2m_Mdouble(mp_int *x, mp_int *z, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int t1;
+
+	MP_DIGITS(&t1) = 0;
+	MP_CHECKOK(mp_init(&t1));
+
+	MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(z, &t1, group->meth));
+	MP_CHECKOK(group->meth->field_mul(x, &t1, z, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_mul(&group->curveb, &t1, &t1, group->meth));
+	MP_CHECKOK(group->meth->field_add(x, &t1, x, group->meth));
+
+  CLEANUP:
+	mp_clear(&t1);
+	return res;
+}
+
+/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in
+ * Montgomery projective coordinates. Uses algorithm Madd in appendix of
+ * Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over
+ * GF(2^m) without precomputation". */
+static mp_err
+gf2m_Madd(const mp_int *x, mp_int *x1, mp_int *z1, mp_int *x2, mp_int *z2,
+		  const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int t1, t2;
+
+	MP_DIGITS(&t1) = 0;
+	MP_DIGITS(&t2) = 0;
+	MP_CHECKOK(mp_init(&t1));
+	MP_CHECKOK(mp_init(&t2));
+
+	MP_CHECKOK(mp_copy(x, &t1));
+	MP_CHECKOK(group->meth->field_mul(x1, z2, x1, group->meth));
+	MP_CHECKOK(group->meth->field_mul(z1, x2, z1, group->meth));
+	MP_CHECKOK(group->meth->field_mul(x1, z1, &t2, group->meth));
+	MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(z1, z1, group->meth));
+	MP_CHECKOK(group->meth->field_mul(z1, &t1, x1, group->meth));
+	MP_CHECKOK(group->meth->field_add(x1, &t2, x1, group->meth));
+
+  CLEANUP:
+	mp_clear(&t1);
+	mp_clear(&t2);
+	return res;
+}
+
+/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
+ * using Montgomery point multiplication algorithm Mxy() in appendix of
+ * Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over
+ * GF(2^m) without precomputation". Returns: 0 on error 1 if return value
+ * should be the point at infinity 2 otherwise */
+static int
+gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1,
+		 mp_int *x2, mp_int *z2, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	int ret = 0;
+	mp_int t3, t4, t5;
+
+	MP_DIGITS(&t3) = 0;
+	MP_DIGITS(&t4) = 0;
+	MP_DIGITS(&t5) = 0;
+	MP_CHECKOK(mp_init(&t3));
+	MP_CHECKOK(mp_init(&t4));
+	MP_CHECKOK(mp_init(&t5));
+
+	if (mp_cmp_z(z1) == 0) {
+		mp_zero(x2);
+		mp_zero(z2);
+		ret = 1;
+		goto CLEANUP;
+	}
+
+	if (mp_cmp_z(z2) == 0) {
+		MP_CHECKOK(mp_copy(x, x2));
+		MP_CHECKOK(group->meth->field_add(x, y, z2, group->meth));
+		ret = 2;
+		goto CLEANUP;
+	}
+
+	MP_CHECKOK(mp_set_int(&t5, 1));
+	if (group->meth->field_enc) {
+		MP_CHECKOK(group->meth->field_enc(&t5, &t5, group->meth));
+	}
+
+	MP_CHECKOK(group->meth->field_mul(z1, z2, &t3, group->meth));
+
+	MP_CHECKOK(group->meth->field_mul(z1, x, z1, group->meth));
+	MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
+	MP_CHECKOK(group->meth->field_mul(z2, x, z2, group->meth));
+	MP_CHECKOK(group->meth->field_mul(z2, x1, x1, group->meth));
+	MP_CHECKOK(group->meth->field_add(z2, x2, z2, group->meth));
+
+	MP_CHECKOK(group->meth->field_mul(z2, z1, z2, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(x, &t4, group->meth));
+	MP_CHECKOK(group->meth->field_add(&t4, y, &t4, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&t4, &t3, &t4, group->meth));
+	MP_CHECKOK(group->meth->field_add(&t4, z2, &t4, group->meth));
+
+	MP_CHECKOK(group->meth->field_mul(&t3, x, &t3, group->meth));
+	MP_CHECKOK(group->meth->field_div(&t5, &t3, &t3, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&t3, &t4, &t4, group->meth));
+	MP_CHECKOK(group->meth->field_mul(x1, &t3, x2, group->meth));
+	MP_CHECKOK(group->meth->field_add(x2, x, z2, group->meth));
+
+	MP_CHECKOK(group->meth->field_mul(z2, &t4, z2, group->meth));
+	MP_CHECKOK(group->meth->field_add(z2, y, z2, group->meth));
+
+	ret = 2;
+
+  CLEANUP:
+	mp_clear(&t3);
+	mp_clear(&t4);
+	mp_clear(&t5);
+	if (res == MP_OKAY) {
+		return ret;
+	} else {
+		return 0;
+	}
+}
+
+/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R.  "Fast 
+ * multiplication on elliptic curves over GF(2^m) without
+ * precomputation". Elliptic curve points P and R can be identical. Uses
+ * Montgomery projective coordinates. */
+mp_err
+ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
+					mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int x1, x2, z1, z2;
+	int i, j;
+	mp_digit top_bit, mask;
+
+	MP_DIGITS(&x1) = 0;
+	MP_DIGITS(&x2) = 0;
+	MP_DIGITS(&z1) = 0;
+	MP_DIGITS(&z2) = 0;
+	MP_CHECKOK(mp_init(&x1));
+	MP_CHECKOK(mp_init(&x2));
+	MP_CHECKOK(mp_init(&z1));
+	MP_CHECKOK(mp_init(&z2));
+
+	/* if result should be point at infinity */
+	if ((mp_cmp_z(n) == 0) || (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES)) {
+		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
+		goto CLEANUP;
+	}
+
+	MP_CHECKOK(mp_copy(px, &x1));	/* x1 = px */
+	MP_CHECKOK(mp_set_int(&z1, 1));	/* z1 = 1 */
+	MP_CHECKOK(group->meth->field_sqr(&x1, &z2, group->meth));	/* z2 =
+																 * x1^2 =
+																 * px^2 */
+	MP_CHECKOK(group->meth->field_sqr(&z2, &x2, group->meth));
+	MP_CHECKOK(group->meth->field_add(&x2, &group->curveb, &x2, group->meth));	/* x2 
+																				 * = 
+																				 * px^4 
+																				 * + 
+																				 * b 
+																				 */
+
+	/* find top-most bit and go one past it */
+	i = MP_USED(n) - 1;
+	j = MP_DIGIT_BIT - 1;
+	top_bit = 1;
+	top_bit <<= MP_DIGIT_BIT - 1;
+	mask = top_bit;
+	while (!(MP_DIGITS(n)[i] & mask)) {
+		mask >>= 1;
+		j--;
+	}
+	mask >>= 1;
+	j--;
+
+	/* if top most bit was at word break, go to next word */
+	if (!mask) {
+		i--;
+		j = MP_DIGIT_BIT - 1;
+		mask = top_bit;
+	}
+
+	for (; i >= 0; i--) {
+		for (; j >= 0; j--) {
+			if (MP_DIGITS(n)[i] & mask) {
+				MP_CHECKOK(gf2m_Madd(px, &x1, &z1, &x2, &z2, group));
+				MP_CHECKOK(gf2m_Mdouble(&x2, &z2, group));
+			} else {
+				MP_CHECKOK(gf2m_Madd(px, &x2, &z2, &x1, &z1, group));
+				MP_CHECKOK(gf2m_Mdouble(&x1, &z1, group));
+			}
+			mask >>= 1;
+		}
+		j = MP_DIGIT_BIT - 1;
+		mask = top_bit;
+	}
+
+	/* convert out of "projective" coordinates */
+	i = gf2m_Mxy(px, py, &x1, &z1, &x2, &z2, group);
+	if (i == 0) {
+		res = MP_BADARG;
+		goto CLEANUP;
+	} else if (i == 1) {
+		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
+	} else {
+		MP_CHECKOK(mp_copy(&x2, rx));
+		MP_CHECKOK(mp_copy(&z2, ry));
+	}
+
+  CLEANUP:
+	mp_clear(&x1);
+	mp_clear(&x2);
+	mp_clear(&z1);
+	mp_clear(&z2);
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ec2_proj.c b/security/nss/lib/freebl/ecl/ec2_proj.c
new file mode 100644
index 000000000..340e47d08
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec2_proj.c
@@ -0,0 +1,369 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ec2.h"
+#include "mplogic.h"
+#include "mp_gf2m.h"
+#include <stdlib.h>
+#ifdef ECL_DEBUG
+#include <assert.h>
+#endif
+
+/* by default, these routines are unused and thus don't need to be compiled */
+#ifdef ECL_ENABLE_GF2M_PROJ
+/* Converts a point P(px, py) from affine coordinates to projective
+ * coordinates R(rx, ry, rz). Assumes input is already field-encoded using 
+ * field_enc, and returns output that is still field-encoded. */
+mp_err
+ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
+					mp_int *ry, mp_int *rz, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_copy(px, rx));
+	MP_CHECKOK(mp_copy(py, ry));
+	MP_CHECKOK(mp_set_int(rz, 1));
+	if (group->meth->field_enc) {
+		MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth));
+	}
+  CLEANUP:
+	return res;
+}
+
+/* Converts a point P(px, py, pz) from projective coordinates to affine
+ * coordinates R(rx, ry).  P and R can share x and y coordinates. Assumes
+ * input is already field-encoded using field_enc, and returns output that
+ * is still field-encoded. */
+mp_err
+ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
+					mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int z1, z2;
+
+	MP_DIGITS(&z1) = 0;
+	MP_DIGITS(&z2) = 0;
+	MP_CHECKOK(mp_init(&z1));
+	MP_CHECKOK(mp_init(&z2));
+
+	/* if point at infinity, then set point at infinity and exit */
+	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
+		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
+		goto CLEANUP;
+	}
+
+	/* transform (px, py, pz) into (px / pz, py / pz^2) */
+	if (mp_cmp_d(pz, 1) == 0) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+	} else {
+		MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth));
+		MP_CHECKOK(group->meth->field_mul(px, &z1, rx, group->meth));
+		MP_CHECKOK(group->meth->field_mul(py, &z2, ry, group->meth));
+	}
+
+  CLEANUP:
+	mp_clear(&z1);
+	mp_clear(&z2);
+	return res;
+}
+
+/* Checks if point P(px, py, pz) is at infinity. Uses projective
+ * coordinates. */
+mp_err
+ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
+					   const mp_int *pz)
+{
+	return mp_cmp_z(pz);
+}
+
+/* Sets P(px, py, pz) to be the point at infinity.  Uses projective
+ * coordinates. */
+mp_err
+ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz)
+{
+	mp_zero(pz);
+	return MP_OKAY;
+}
+
+/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
+ * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
+ * Uses mixed projective-affine coordinates. Assumes input is already
+ * field-encoded using field_enc, and returns output that is still
+ * field-encoded. Uses equation (3) from Hankerson, Hernandez, Menezes.
+ * Software Implementation of Elliptic Curve Cryptography Over Binary
+ * Fields. */
+mp_err
+ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
+					const mp_int *qx, const mp_int *qy, mp_int *rx,
+					mp_int *ry, mp_int *rz, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int A, B, C, D, E, F, G;
+
+	/* If either P or Q is the point at infinity, then return the other
+	 * point */
+	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
+		return ec_GF2m_pt_aff2proj(qx, qy, rx, ry, rz, group);
+	}
+	if (ec_GF2m_pt_is_inf_aff(qx, qy) == MP_YES) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		return mp_copy(pz, rz);
+	}
+
+	MP_DIGITS(&A) = 0;
+	MP_DIGITS(&B) = 0;
+	MP_DIGITS(&C) = 0;
+	MP_DIGITS(&D) = 0;
+	MP_DIGITS(&E) = 0;
+	MP_DIGITS(&F) = 0;
+	MP_DIGITS(&G) = 0;
+	MP_CHECKOK(mp_init(&A));
+	MP_CHECKOK(mp_init(&B));
+	MP_CHECKOK(mp_init(&C));
+	MP_CHECKOK(mp_init(&D));
+	MP_CHECKOK(mp_init(&E));
+	MP_CHECKOK(mp_init(&F));
+	MP_CHECKOK(mp_init(&G));
+
+	/* D = pz^2 */
+	MP_CHECKOK(group->meth->field_sqr(pz, &D, group->meth));
+
+	/* A = qy * pz^2 + py */
+	MP_CHECKOK(group->meth->field_mul(qy, &D, &A, group->meth));
+	MP_CHECKOK(group->meth->field_add(&A, py, &A, group->meth));
+
+	/* B = qx * pz + px */
+	MP_CHECKOK(group->meth->field_mul(qx, pz, &B, group->meth));
+	MP_CHECKOK(group->meth->field_add(&B, px, &B, group->meth));
+
+	/* C = pz * B */
+	MP_CHECKOK(group->meth->field_mul(pz, &B, &C, group->meth));
+
+	/* D = B^2 * (C + a * pz^2) (using E as a temporary variable) */
+	MP_CHECKOK(group->meth->
+			   field_mul(&group->curvea, &D, &D, group->meth));
+	MP_CHECKOK(group->meth->field_add(&C, &D, &D, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(&B, &E, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&E, &D, &D, group->meth));
+
+	/* rz = C^2 */
+	MP_CHECKOK(group->meth->field_sqr(&C, rz, group->meth));
+
+	/* E = A * C */
+	MP_CHECKOK(group->meth->field_mul(&A, &C, &E, group->meth));
+
+	/* rx = A^2 + D + E */
+	MP_CHECKOK(group->meth->field_sqr(&A, rx, group->meth));
+	MP_CHECKOK(group->meth->field_add(rx, &D, rx, group->meth));
+	MP_CHECKOK(group->meth->field_add(rx, &E, rx, group->meth));
+
+	/* F = rx + qx * rz */
+	MP_CHECKOK(group->meth->field_mul(qx, rz, &F, group->meth));
+	MP_CHECKOK(group->meth->field_add(rx, &F, &F, group->meth));
+
+	/* G = rx + qy * rz */
+	MP_CHECKOK(group->meth->field_mul(qy, rz, &G, group->meth));
+	MP_CHECKOK(group->meth->field_add(rx, &G, &G, group->meth));
+
+	/* ry = E * F + rz * G (using G as a temporary variable) */
+	MP_CHECKOK(group->meth->field_mul(rz, &G, &G, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&E, &F, ry, group->meth));
+	MP_CHECKOK(group->meth->field_add(ry, &G, ry, group->meth));
+
+  CLEANUP:
+	mp_clear(&A);
+	mp_clear(&B);
+	mp_clear(&C);
+	mp_clear(&D);
+	mp_clear(&E);
+	mp_clear(&F);
+	mp_clear(&G);
+	return res;
+}
+
+/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
+ * projective coordinates.
+ *
+ * Assumes input is already field-encoded using field_enc, and returns 
+ * output that is still field-encoded.
+ *
+ * Uses equation (3) from Hankerson, Hernandez, Menezes. Software 
+ * Implementation of Elliptic Curve Cryptography Over Binary Fields.
+ */
+mp_err
+ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
+					mp_int *rx, mp_int *ry, mp_int *rz,
+					const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int t0, t1;
+
+	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
+		return ec_GF2m_pt_set_inf_proj(rx, ry, rz);
+	}
+
+	MP_DIGITS(&t0) = 0;
+	MP_DIGITS(&t1) = 0;
+	MP_CHECKOK(mp_init(&t0));
+	MP_CHECKOK(mp_init(&t1));
+
+	/* t0 = px^2 */
+	/* t1 = pz^2 */
+	MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(pz, &t1, group->meth));
+
+	/* rz = px^2 * pz^2 */
+	MP_CHECKOK(group->meth->field_mul(&t0, &t1, rz, group->meth));
+
+	/* t0 = px^4 */
+	/* t1 = b * pz^4 */
+	MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_mul(&group->curveb, &t1, &t1, group->meth));
+
+	/* rx = px^4 + b * pz^4 */
+	MP_CHECKOK(group->meth->field_add(&t0, &t1, rx, group->meth));
+
+	/* ry = b * pz^4 * rz + rx * (a * rz + py^2 + b * pz^4) */
+	MP_CHECKOK(group->meth->field_sqr(py, ry, group->meth));
+	MP_CHECKOK(group->meth->field_add(ry, &t1, ry, group->meth));
+	/* t0 = a * rz */
+	MP_CHECKOK(group->meth->
+			   field_mul(&group->curvea, rz, &t0, group->meth));
+	MP_CHECKOK(group->meth->field_add(&t0, ry, ry, group->meth));
+	MP_CHECKOK(group->meth->field_mul(rx, ry, ry, group->meth));
+	/* t1 = b * pz^4 * rz */
+	MP_CHECKOK(group->meth->field_mul(&t1, rz, &t1, group->meth));
+	MP_CHECKOK(group->meth->field_add(&t1, ry, ry, group->meth));
+
+  CLEANUP:
+	mp_clear(&t0);
+	mp_clear(&t1);
+	return res;
+}
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GF2m.  Elliptic curve points P and R can be
+ * identical.  Uses mixed projective-affine coordinates. Assumes input is
+ * already field-encoded using field_enc, and returns output that is still
+ * field-encoded. Uses 4-bit window method. */
+mp_err
+ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px, const mp_int *py,
+					mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int precomp[16][2], rz;
+	mp_digit precomp_arr[ECL_MAX_FIELD_SIZE_DIGITS * 16 * 2], *t;
+	int i, ni, d;
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
+
+	/* initialize precomputation table */
+	t = precomp_arr;
+	for (i = 0; i < 16; i++) {
+		/* x co-ord */
+		MP_SIGN(&precomp[i][0]) = MP_ZPOS;
+		MP_ALLOC(&precomp[i][0]) = ECL_MAX_FIELD_SIZE_DIGITS;
+		MP_USED(&precomp[i][0]) = 1;
+		*t = 0;
+		MP_DIGITS(&precomp[i][0]) = t;
+		t += ECL_MAX_FIELD_SIZE_DIGITS;
+		/* y co-ord */
+		MP_SIGN(&precomp[i][1]) = MP_ZPOS;
+		MP_ALLOC(&precomp[i][1]) = ECL_MAX_FIELD_SIZE_DIGITS;
+		MP_USED(&precomp[i][1]) = 1;
+		*t = 0;
+		MP_DIGITS(&precomp[i][1]) = t;
+		t += ECL_MAX_FIELD_SIZE_DIGITS;
+	}
+
+	/* fill precomputation table */
+	mp_zero(&precomp[0][0]);
+	mp_zero(&precomp[0][1]);
+	MP_CHECKOK(mp_copy(px, &precomp[1][0]));
+	MP_CHECKOK(mp_copy(py, &precomp[1][1]));
+	for (i = 2; i < 16; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[1][0], &precomp[1][1],
+							 &precomp[i - 1][0], &precomp[i - 1][1],
+							 &precomp[i][0], &precomp[i][1], group));
+	}
+
+	d = (mpl_significant_bits(n) + 3) / 4;
+
+	/* R = inf */
+	MP_DIGITS(&rz) = 0;
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(ec_GF2m_pt_set_inf_proj(rx, ry, &rz));
+
+	for (i = d - 1; i >= 0; i--) {
+		/* compute window ni */
+		ni = MP_GET_BIT(n, 4 * i + 3);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 2);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 1);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i);
+		/* R = 2^4 * R */
+		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
+		/* R = R + (ni * P) */
+		MP_CHECKOK(ec_GF2m_pt_add_proj
+				   (rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry,
+					&rz, group));
+	}
+
+	/* convert result S to affine coordinates */
+	MP_CHECKOK(ec_GF2m_pt_proj2aff(rx, ry, &rz, rx, ry, group));
+
+  CLEANUP:
+	mp_clear(&rz);
+	return res;
+}
+#endif
diff --git a/security/nss/lib/freebl/ecl/ec_naf.c b/security/nss/lib/freebl/ecl/ec_naf.c
new file mode 100644
index 000000000..9ef3a55f2
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ec_naf.c
@@ -0,0 +1,103 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecl-priv.h"
+
+/* Returns 2^e as an integer. This is meant to be used for small powers of 
+ * two. */
+int
+ec_twoTo(int e)
+{
+	int a = 1;
+	int i;
+
+	for (i = 0; i < e; i++) {
+		a *= 2;
+	}
+	return a;
+}
+
+/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
+ * be an array of signed char's to output to, bitsize should be the number 
+ * of bits of out, in is the original scalar, and w is the window size.
+ * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A.
+ * Menezes, "Software implementation of elliptic curve cryptography over
+ * binary fields", Proc. CHES 2000. */
+mp_err
+ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in, int w)
+{
+	mp_int k;
+	mp_err res = MP_OKAY;
+	int i, twowm1, mask;
+
+	twowm1 = ec_twoTo(w - 1);
+	mask = 2 * twowm1 - 1;
+
+	MP_DIGITS(&k) = 0;
+	MP_CHECKOK(mp_init_copy(&k, in));
+
+	i = 0;
+	/* Compute wNAF form */
+	while (mp_cmp_z(&k) > 0) {
+		if (mp_isodd(&k)) {
+			out[i] = MP_DIGIT(&k, 0) & mask;
+			if (out[i] >= twowm1)
+				out[i] -= 2 * twowm1;
+
+			/* Subtract off out[i].  Note mp_sub_d only works with
+			 * unsigned digits */
+			if (out[i] >= 0) {
+				mp_sub_d(&k, out[i], &k);
+			} else {
+				mp_add_d(&k, -(out[i]), &k);
+			}
+		} else {
+			out[i] = 0;
+		}
+		mp_div_2(&k, &k);
+		i++;
+	}
+	/* Zero out the remaining elements of the out array. */
+	for (; i < bitsize + 1; i++) {
+		out[i] = 0;
+	}
+  CLEANUP:
+	mp_clear(&k);
+	return res;
+
+}
diff --git a/security/nss/lib/freebl/ecl/ecl-curve.h b/security/nss/lib/freebl/ecl/ecl-curve.h
new file mode 100644
index 000000000..3a01dc835
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl-curve.h
@@ -0,0 +1,144 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecl-exp.h"
+#include <stdlib.h>
+
+#ifndef __ecl_curve_h_
+#define __ecl_curve_h_
+
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+#error This source file is for Basic ECC only .
+#endif
+
+static const ECCurveParams ecCurve_NIST_P256 = {
+	"NIST-P256", ECField_GFp, 256,
+	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
+	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
+	"5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
+	"6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
+	"4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
+	"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 1
+};
+
+static const ECCurveParams ecCurve_NIST_P384 = {
+	"NIST-P384", ECField_GFp, 384,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
+	"B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
+	"AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
+	"3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
+	1
+};
+
+static const ECCurveParams ecCurve_NIST_P521 = {
+	"NIST-P521", ECField_GFp, 521,
+	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
+	"0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
+	"00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
+	"011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
+	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
+	1
+};
+
+/* mapping between ECCurveName enum and pointers to ECCurveParams */
+static const ECCurveParams *ecCurve_map[] = {
+	NULL,			/* ECCurve_noName */
+	NULL,			/* ECCurve_NIST_P192 */
+	NULL,			/* ECCurve_NIST_P224 */
+	&ecCurve_NIST_P256,	/* ECCurve_NIST_P256 */
+	&ecCurve_NIST_P384,	/* ECCurve_NIST_P384 */
+	&ecCurve_NIST_P521,	/* ECCurve_NIST_P521 */
+	NULL,			/* ECCurve_NIST_K163 */
+	NULL,			/* ECCurve_NIST_B163 */
+	NULL,			/* ECCurve_NIST_K233 */
+	NULL,			/* ECCurve_NIST_B233 */
+	NULL,			/* ECCurve_NIST_K283 */
+	NULL,			/* ECCurve_NIST_B283 */
+	NULL,			/* ECCurve_NIST_K409 */
+	NULL,			/* ECCurve_NIST_B409 */
+	NULL,			/* ECCurve_NIST_K571 */
+	NULL,			/* ECCurve_NIST_B571 */
+	NULL,			/* ECCurve_X9_62_PRIME_192V2 */
+	NULL,			/* ECCurve_X9_62_PRIME_192V3 */
+	NULL,			/* ECCurve_X9_62_PRIME_239V1 */
+	NULL,			/* ECCurve_X9_62_PRIME_239V2 */
+	NULL,			/* ECCurve_X9_62_PRIME_239V3 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB163V1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB163V2 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB163V3 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB176V1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB191V1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB191V2 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB191V3 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB208W1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB239V1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB239V2 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB239V3 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB272W1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB304W1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB359V1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_PNB368W1 */
+	NULL,			/* ECCurve_X9_62_CHAR2_TNB431R1 */
+	NULL,			/* ECCurve_SECG_PRIME_112R1 */
+	NULL,			/* ECCurve_SECG_PRIME_112R2 */
+	NULL,			/* ECCurve_SECG_PRIME_128R1 */
+	NULL,			/* ECCurve_SECG_PRIME_128R2 */
+	NULL,			/* ECCurve_SECG_PRIME_160K1 */
+	NULL,			/* ECCurve_SECG_PRIME_160R1 */
+	NULL,			/* ECCurve_SECG_PRIME_160R2 */
+	NULL,			/* ECCurve_SECG_PRIME_192K1 */
+	NULL,			/* ECCurve_SECG_PRIME_224K1 */
+	NULL,			/* ECCurve_SECG_PRIME_256K1 */
+	NULL,			/* ECCurve_SECG_CHAR2_113R1 */
+	NULL,			/* ECCurve_SECG_CHAR2_113R2 */
+	NULL,			/* ECCurve_SECG_CHAR2_131R1 */
+	NULL,			/* ECCurve_SECG_CHAR2_131R2 */
+	NULL,			/* ECCurve_SECG_CHAR2_163R1 */
+	NULL,			/* ECCurve_SECG_CHAR2_193R1 */
+	NULL,			/* ECCurve_SECG_CHAR2_193R2 */
+	NULL,			/* ECCurve_SECG_CHAR2_239K1 */
+	NULL,			/* ECCurve_WTLS_1 */
+	NULL,			/* ECCurve_WTLS_8 */
+	NULL,			/* ECCurve_WTLS_9 */
+	NULL			/* ECCurve_pastLastCurve */
+};
+
+#endif
diff --git a/security/nss/lib/freebl/ecl/ecl-exp.h b/security/nss/lib/freebl/ecl/ecl-exp.h
new file mode 100644
index 000000000..77f3ebb12
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl-exp.h
@@ -0,0 +1,196 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ecl_exp_h_
+#define __ecl_exp_h_
+
+/* Curve field type */
+typedef enum {
+	ECField_GFp,
+	ECField_GF2m
+} ECField;
+
+/* Hexadecimal encoding of curve parameters */
+struct ECCurveParamsStr {
+	char *text;
+	ECField field;
+	unsigned int size;
+	char *irr;
+	char *curvea;
+	char *curveb;
+	char *genx;
+	char *geny;
+	char *order;
+	int cofactor;
+};
+typedef struct ECCurveParamsStr ECCurveParams;
+
+/* Named curve parameters */
+typedef enum {
+
+	ECCurve_noName = 0,
+
+	/* NIST prime curves */
+	ECCurve_NIST_P192,
+	ECCurve_NIST_P224,
+	ECCurve_NIST_P256,
+	ECCurve_NIST_P384,
+	ECCurve_NIST_P521,
+
+	/* NIST binary curves */
+	ECCurve_NIST_K163,
+	ECCurve_NIST_B163,
+	ECCurve_NIST_K233,
+	ECCurve_NIST_B233,
+	ECCurve_NIST_K283,
+	ECCurve_NIST_B283,
+	ECCurve_NIST_K409,
+	ECCurve_NIST_B409,
+	ECCurve_NIST_K571,
+	ECCurve_NIST_B571,
+
+	/* ANSI X9.62 prime curves */
+	/* ECCurve_X9_62_PRIME_192V1 == ECCurve_NIST_P192 */
+	ECCurve_X9_62_PRIME_192V2,
+	ECCurve_X9_62_PRIME_192V3,
+	ECCurve_X9_62_PRIME_239V1,
+	ECCurve_X9_62_PRIME_239V2,
+	ECCurve_X9_62_PRIME_239V3,
+	/* ECCurve_X9_62_PRIME_256V1 == ECCurve_NIST_P256 */
+
+	/* ANSI X9.62 binary curves */
+	ECCurve_X9_62_CHAR2_PNB163V1,
+	ECCurve_X9_62_CHAR2_PNB163V2,
+	ECCurve_X9_62_CHAR2_PNB163V3,
+	ECCurve_X9_62_CHAR2_PNB176V1,
+	ECCurve_X9_62_CHAR2_TNB191V1,
+	ECCurve_X9_62_CHAR2_TNB191V2,
+	ECCurve_X9_62_CHAR2_TNB191V3,
+	ECCurve_X9_62_CHAR2_PNB208W1,
+	ECCurve_X9_62_CHAR2_TNB239V1,
+	ECCurve_X9_62_CHAR2_TNB239V2,
+	ECCurve_X9_62_CHAR2_TNB239V3,
+	ECCurve_X9_62_CHAR2_PNB272W1,
+	ECCurve_X9_62_CHAR2_PNB304W1,
+	ECCurve_X9_62_CHAR2_TNB359V1,
+	ECCurve_X9_62_CHAR2_PNB368W1,
+	ECCurve_X9_62_CHAR2_TNB431R1,
+
+	/* SEC2 prime curves */
+	ECCurve_SECG_PRIME_112R1,
+	ECCurve_SECG_PRIME_112R2,
+	ECCurve_SECG_PRIME_128R1,
+	ECCurve_SECG_PRIME_128R2,
+	ECCurve_SECG_PRIME_160K1,
+	ECCurve_SECG_PRIME_160R1,
+	ECCurve_SECG_PRIME_160R2,
+	ECCurve_SECG_PRIME_192K1,
+	/* ECCurve_SECG_PRIME_192R1 == ECCurve_NIST_P192 */
+	ECCurve_SECG_PRIME_224K1,
+	/* ECCurve_SECG_PRIME_224R1 == ECCurve_NIST_P224 */
+	ECCurve_SECG_PRIME_256K1,
+	/* ECCurve_SECG_PRIME_256R1 == ECCurve_NIST_P256 */
+	/* ECCurve_SECG_PRIME_384R1 == ECCurve_NIST_P384 */
+	/* ECCurve_SECG_PRIME_521R1 == ECCurve_NIST_P521 */
+
+	/* SEC2 binary curves */
+	ECCurve_SECG_CHAR2_113R1,
+	ECCurve_SECG_CHAR2_113R2,
+	ECCurve_SECG_CHAR2_131R1,
+	ECCurve_SECG_CHAR2_131R2,
+	/* ECCurve_SECG_CHAR2_163K1 == ECCurve_NIST_K163 */
+	ECCurve_SECG_CHAR2_163R1,
+	/* ECCurve_SECG_CHAR2_163R2 == ECCurve_NIST_B163 */
+	ECCurve_SECG_CHAR2_193R1,
+	ECCurve_SECG_CHAR2_193R2,
+	/* ECCurve_SECG_CHAR2_233K1 == ECCurve_NIST_K233 */
+	/* ECCurve_SECG_CHAR2_233R1 == ECCurve_NIST_B233 */
+	ECCurve_SECG_CHAR2_239K1,
+	/* ECCurve_SECG_CHAR2_283K1 == ECCurve_NIST_K283 */
+	/* ECCurve_SECG_CHAR2_283R1 == ECCurve_NIST_B283 */
+	/* ECCurve_SECG_CHAR2_409K1 == ECCurve_NIST_K409 */
+	/* ECCurve_SECG_CHAR2_409R1 == ECCurve_NIST_B409 */
+	/* ECCurve_SECG_CHAR2_571K1 == ECCurve_NIST_K571 */
+	/* ECCurve_SECG_CHAR2_571R1 == ECCurve_NIST_B571 */
+
+	/* WTLS curves */
+	ECCurve_WTLS_1,
+	/* there is no WTLS 2 curve */
+	/* ECCurve_WTLS_3 == ECCurve_NIST_K163 */
+	/* ECCurve_WTLS_4 == ECCurve_SECG_CHAR2_113R1 */
+	/* ECCurve_WTLS_5 == ECCurve_X9_62_CHAR2_PNB163V1 */
+	/* ECCurve_WTLS_6 == ECCurve_SECG_PRIME_112R1 */
+	/* ECCurve_WTLS_7 == ECCurve_SECG_PRIME_160R1 */
+	ECCurve_WTLS_8,
+	ECCurve_WTLS_9,
+	/* ECCurve_WTLS_10 == ECCurve_NIST_K233 */
+	/* ECCurve_WTLS_11 == ECCurve_NIST_B233 */
+	/* ECCurve_WTLS_12 == ECCurve_NIST_P224 */
+
+	ECCurve_pastLastCurve
+} ECCurveName;
+
+/* Aliased named curves */
+
+#define ECCurve_X9_62_PRIME_192V1 ECCurve_NIST_P192
+#define ECCurve_X9_62_PRIME_256V1 ECCurve_NIST_P256
+#define ECCurve_SECG_PRIME_192R1 ECCurve_NIST_P192
+#define ECCurve_SECG_PRIME_224R1 ECCurve_NIST_P224
+#define ECCurve_SECG_PRIME_256R1 ECCurve_NIST_P256
+#define ECCurve_SECG_PRIME_384R1 ECCurve_NIST_P384
+#define ECCurve_SECG_PRIME_521R1 ECCurve_NIST_P521
+#define ECCurve_SECG_CHAR2_163K1 ECCurve_NIST_K163
+#define ECCurve_SECG_CHAR2_163R2 ECCurve_NIST_B163
+#define ECCurve_SECG_CHAR2_233K1 ECCurve_NIST_K233
+#define ECCurve_SECG_CHAR2_233R1 ECCurve_NIST_B233
+#define ECCurve_SECG_CHAR2_283K1 ECCurve_NIST_K283
+#define ECCurve_SECG_CHAR2_283R1 ECCurve_NIST_B283
+#define ECCurve_SECG_CHAR2_409K1 ECCurve_NIST_K409
+#define ECCurve_SECG_CHAR2_409R1 ECCurve_NIST_B409
+#define ECCurve_SECG_CHAR2_571K1 ECCurve_NIST_K571
+#define ECCurve_SECG_CHAR2_571R1 ECCurve_NIST_B571
+#define ECCurve_WTLS_3 ECCurve_NIST_K163
+#define ECCurve_WTLS_4 ECCurve_SECG_CHAR2_113R1
+#define ECCurve_WTLS_5 ECCurve_X9_62_CHAR2_PNB163V1
+#define ECCurve_WTLS_6 ECCurve_SECG_PRIME_112R1
+#define ECCurve_WTLS_7 ECCurve_SECG_PRIME_160R1
+#define ECCurve_WTLS_10 ECCurve_NIST_K233
+#define ECCurve_WTLS_11 ECCurve_NIST_B233
+#define ECCurve_WTLS_12 ECCurve_NIST_P224
+
+#endif							/* __ecl_exp_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl-priv.h b/security/nss/lib/freebl/ecl/ecl-priv.h
new file mode 100644
index 000000000..05abb4dff
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl-priv.h
@@ -0,0 +1,281 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ecl_priv_h_
+#define __ecl_priv_h_
+
+#include "ecl.h"
+#include "mpi.h"
+#include "mplogic.h"
+
+/* MAX_FIELD_SIZE_DIGITS is the maximum size of field element supported */
+/* the following needs to go away... */
+#if defined(MP_USE_LONG_LONG_DIGIT) || defined(MP_USE_LONG_DIGIT)
+#define ECL_SIXTY_FOUR_BIT
+#else
+#define ECL_THIRTY_TWO_BIT
+#endif
+
+#define ECL_CURVE_DIGITS(curve_size_in_bits) \
+	(((curve_size_in_bits)+(sizeof(mp_digit)*8-1))/(sizeof(mp_digit)*8))
+#define ECL_BITS (sizeof(mp_digit)*8)
+#define ECL_MAX_FIELD_SIZE_DIGITS (80/sizeof(mp_digit))
+
+/* Gets the i'th bit in the binary representation of a. If i >= length(a), 
+ * then return 0. (The above behaviour differs from mpl_get_bit, which
+ * causes an error if i >= length(a).) */
+#define MP_GET_BIT(a, i) \
+	((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
+
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+#define MP_ADD_CARRY(a1, a2, s, cin, cout)   \
+    { mp_word w; \
+    w = ((mp_word)(cin)) + (a1) + (a2); \
+    s = ACCUM(w); \
+    cout = CARRYOUT(w); }
+
+#define MP_SUB_BORROW(a1, a2, s, bin, bout)   \
+    { mp_word w; \
+    w = ((mp_word)(a1)) - (a2) - (bin); \
+    s = ACCUM(w); \
+    bout = (w >> MP_DIGIT_BIT) & 1; }
+
+#else
+/* NOTE, 
+ * cin and cout could be the same variable.
+ * bin and bout could be the same variable.
+ * a1 or a2 and s could be the same variable.
+ * don't trash those outputs until their respective inputs have
+ * been read. */
+#define MP_ADD_CARRY(a1, a2, s, cin, cout)   \
+    { mp_digit tmp,sum; \
+    tmp = (a1); \
+    sum = tmp + (a2); \
+    tmp = (sum < tmp);                     /* detect overflow */ \
+    s = sum += (cin); \
+    cout = tmp + (sum < (cin)); }
+
+#define MP_SUB_BORROW(a1, a2, s, bin, bout)   \
+    { mp_digit tmp; \
+    tmp = (a1); \
+    s = tmp - (a2); \
+    tmp = (s > tmp);                    /* detect borrow */ \
+    if ((bin) && !s--) tmp++;	\
+    bout = tmp; }
+#endif
+
+
+struct GFMethodStr;
+typedef struct GFMethodStr GFMethod;
+struct GFMethodStr {
+	/* Indicates whether the structure was constructed from dynamic memory 
+	 * or statically created. */
+	int constructed;
+	/* Irreducible that defines the field. For prime fields, this is the
+	 * prime p. For binary polynomial fields, this is the bitstring
+	 * representation of the irreducible polynomial. */
+	mp_int irr;
+	/* For prime fields, the value irr_arr[0] is the number of bits in the 
+	 * field. For binary polynomial fields, the irreducible polynomial
+	 * f(t) is represented as an array of unsigned int[], where f(t) is
+	 * of the form: f(t) = t^p[0] + t^p[1] + ... + t^p[4] where m = p[0]
+	 * > p[1] > ... > p[4] = 0. */
+	unsigned int irr_arr[5];
+	/* Field arithmetic methods. All methods (except field_enc and
+	 * field_dec) are assumed to take field-encoded parameters and return
+	 * field-encoded values. All methods (except field_enc and field_dec)
+	 * are required to be implemented. */
+	mp_err (*field_add) (const mp_int *a, const mp_int *b, mp_int *r,
+						 const GFMethod *meth);
+	mp_err (*field_neg) (const mp_int *a, mp_int *r, const GFMethod *meth);
+	mp_err (*field_sub) (const mp_int *a, const mp_int *b, mp_int *r,
+						 const GFMethod *meth);
+	mp_err (*field_mod) (const mp_int *a, mp_int *r, const GFMethod *meth);
+	mp_err (*field_mul) (const mp_int *a, const mp_int *b, mp_int *r,
+						 const GFMethod *meth);
+	mp_err (*field_sqr) (const mp_int *a, mp_int *r, const GFMethod *meth);
+	mp_err (*field_div) (const mp_int *a, const mp_int *b, mp_int *r,
+						 const GFMethod *meth);
+	mp_err (*field_enc) (const mp_int *a, mp_int *r, const GFMethod *meth);
+	mp_err (*field_dec) (const mp_int *a, mp_int *r, const GFMethod *meth);
+	/* Extra storage for implementation-specific data.  Any memory
+	 * allocated to these extra fields will be cleared by extra_free. */
+	void *extra1;
+	void *extra2;
+	void (*extra_free) (GFMethod *meth);
+};
+
+/* Construct generic GFMethods. */
+GFMethod *GFMethod_consGFp(const mp_int *irr);
+GFMethod *GFMethod_consGFp_mont(const mp_int *irr);
+GFMethod *GFMethod_consGF2m(const mp_int *irr,
+							const unsigned int irr_arr[5]);
+/* Free the memory allocated (if any) to a GFMethod object. */
+void GFMethod_free(GFMethod *meth);
+
+struct ECGroupStr {
+	/* Indicates whether the structure was constructed from dynamic memory 
+	 * or statically created. */
+	int constructed;
+	/* Field definition and arithmetic. */
+	GFMethod *meth;
+	/* Textual representation of curve name, if any. */
+	char *text;
+	/* Curve parameters, field-encoded. */
+	mp_int curvea, curveb;
+	/* x and y coordinates of the base point, field-encoded. */
+	mp_int genx, geny;
+	/* Order and cofactor of the base point. */
+	mp_int order;
+	int cofactor;
+	/* Point arithmetic methods. All methods are assumed to take
+	 * field-encoded parameters and return field-encoded values. All
+	 * methods (except base_point_mul and points_mul) are required to be
+	 * implemented. */
+	mp_err (*point_add) (const mp_int *px, const mp_int *py,
+						 const mp_int *qx, const mp_int *qy, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+	mp_err (*point_sub) (const mp_int *px, const mp_int *py,
+						 const mp_int *qx, const mp_int *qy, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+	mp_err (*point_dbl) (const mp_int *px, const mp_int *py, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+	mp_err (*point_mul) (const mp_int *n, const mp_int *px,
+						 const mp_int *py, mp_int *rx, mp_int *ry,
+						 const ECGroup *group);
+	mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
+							  const ECGroup *group);
+	mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
+						  const mp_int *px, const mp_int *py, mp_int *rx,
+						  mp_int *ry, const ECGroup *group);
+	mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
+	/* Extra storage for implementation-specific data.  Any memory
+	 * allocated to these extra fields will be cleared by extra_free. */
+	void *extra1;
+	void *extra2;
+	void (*extra_free) (ECGroup *group);
+};
+
+/* Wrapper functions for generic prime field arithmetic. */
+mp_err ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+
+/* fixed length in-line adds. Count is in words */
+mp_err ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+
+mp_err ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+mp_err ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r,
+				  const GFMethod *meth);
+/* Wrapper functions for generic binary polynomial field arithmetic. */
+mp_err ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r,
+				   const GFMethod *meth);
+mp_err ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r,
+				   const GFMethod *meth);
+mp_err ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r,
+				   const GFMethod *meth);
+
+/* Montgomery prime field arithmetic. */
+mp_err ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
+					   const GFMethod *meth);
+mp_err ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
+					   const GFMethod *meth);
+mp_err ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
+mp_err ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
+void ec_GFp_extra_free_mont(GFMethod *meth);
+
+/* point multiplication */
+mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
+						const mp_int *px, const mp_int *py, mp_int *rx,
+						mp_int *ry, const ECGroup *group);
+mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
+						   const mp_int *px, const mp_int *py, mp_int *rx,
+						   mp_int *ry, const ECGroup *group);
+
+/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
+ * be an array of signed char's to output to, bitsize should be the number 
+ * of bits of out, in is the original scalar, and w is the window size.
+ * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A.
+ * Menezes, "Software implementation of elliptic curve cryptography over
+ * binary fields", Proc. CHES 2000. */
+mp_err ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in,
+					   int w);
+
+/* Optimized field arithmetic */
+mp_err ec_group_set_gfp192(ECGroup *group, ECCurveName);
+mp_err ec_group_set_gfp224(ECGroup *group, ECCurveName);
+mp_err ec_group_set_gfp256(ECGroup *group, ECCurveName);
+mp_err ec_group_set_gfp384(ECGroup *group, ECCurveName);
+mp_err ec_group_set_gfp521(ECGroup *group, ECCurveName);
+mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name);
+mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name);
+mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name);
+
+/* Optimized floating-point arithmetic */
+#ifdef ECL_USE_FP
+mp_err ec_group_set_secp160r1_fp(ECGroup *group);
+mp_err ec_group_set_nistp192_fp(ECGroup *group);
+mp_err ec_group_set_nistp224_fp(ECGroup *group);
+#endif
+
+#endif							/* __ecl_priv_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl.c b/security/nss/lib/freebl/ecl/ecl.c
new file mode 100644
index 000000000..84080df3c
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl.c
@@ -0,0 +1,429 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "ecl.h"
+#include "ecl-priv.h"
+#include "ec2.h"
+#include "ecp.h"
+#include <stdlib.h>
+#include <string.h>
+
+/* Allocate memory for a new ECGroup object. */
+ECGroup *
+ECGroup_new()
+{
+	mp_err res = MP_OKAY;
+	ECGroup *group;
+	group = (ECGroup *) malloc(sizeof(ECGroup));
+	if (group == NULL)
+		return NULL;
+	group->constructed = MP_YES;
+        group->meth = NULL;
+	group->text = NULL;
+	MP_DIGITS(&group->curvea) = 0;
+	MP_DIGITS(&group->curveb) = 0;
+	MP_DIGITS(&group->genx) = 0;
+	MP_DIGITS(&group->geny) = 0;
+	MP_DIGITS(&group->order) = 0;
+	group->base_point_mul = NULL;
+	group->points_mul = NULL;
+	group->validate_point = NULL;
+	group->extra1 = NULL;
+	group->extra2 = NULL;
+	group->extra_free = NULL;
+	MP_CHECKOK(mp_init(&group->curvea));
+	MP_CHECKOK(mp_init(&group->curveb));
+	MP_CHECKOK(mp_init(&group->genx));
+	MP_CHECKOK(mp_init(&group->geny));
+	MP_CHECKOK(mp_init(&group->order));
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+
+/* Construct a generic ECGroup for elliptic curves over prime fields. */
+ECGroup *
+ECGroup_consGFp(const mp_int *irr, const mp_int *curvea,
+				const mp_int *curveb, const mp_int *genx,
+				const mp_int *geny, const mp_int *order, int cofactor)
+{
+	mp_err res = MP_OKAY;
+	ECGroup *group = NULL;
+
+	group = ECGroup_new();
+	if (group == NULL)
+		return NULL;
+
+	group->meth = GFMethod_consGFp(irr);
+	if (group->meth == NULL) {
+		res = MP_MEM;
+		goto CLEANUP;
+	}
+	MP_CHECKOK(mp_copy(curvea, &group->curvea));
+	MP_CHECKOK(mp_copy(curveb, &group->curveb));
+	MP_CHECKOK(mp_copy(genx, &group->genx));
+	MP_CHECKOK(mp_copy(geny, &group->geny));
+	MP_CHECKOK(mp_copy(order, &group->order));
+	group->cofactor = cofactor;
+	group->point_add = &ec_GFp_pt_add_aff;
+	group->point_sub = &ec_GFp_pt_sub_aff;
+	group->point_dbl = &ec_GFp_pt_dbl_aff;
+	group->point_mul = &ec_GFp_pt_mul_jm_wNAF;
+	group->base_point_mul = NULL;
+	group->points_mul = &ec_GFp_pts_mul_jac;
+	group->validate_point = &ec_GFp_validate_point;
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+
+/* Construct a generic ECGroup for elliptic curves over prime fields with
+ * field arithmetic implemented in Montgomery coordinates. */
+ECGroup *
+ECGroup_consGFp_mont(const mp_int *irr, const mp_int *curvea,
+					 const mp_int *curveb, const mp_int *genx,
+					 const mp_int *geny, const mp_int *order, int cofactor)
+{
+	mp_err res = MP_OKAY;
+	ECGroup *group = NULL;
+
+	group = ECGroup_new();
+	if (group == NULL)
+		return NULL;
+
+	group->meth = GFMethod_consGFp_mont(irr);
+	if (group->meth == NULL) {
+		res = MP_MEM;
+		goto CLEANUP;
+	}
+	MP_CHECKOK(group->meth->
+			   field_enc(curvea, &group->curvea, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_enc(curveb, &group->curveb, group->meth));
+	MP_CHECKOK(group->meth->field_enc(genx, &group->genx, group->meth));
+	MP_CHECKOK(group->meth->field_enc(geny, &group->geny, group->meth));
+	MP_CHECKOK(mp_copy(order, &group->order));
+	group->cofactor = cofactor;
+	group->point_add = &ec_GFp_pt_add_aff;
+	group->point_sub = &ec_GFp_pt_sub_aff;
+	group->point_dbl = &ec_GFp_pt_dbl_aff;
+	group->point_mul = &ec_GFp_pt_mul_jm_wNAF;
+	group->base_point_mul = NULL;
+	group->points_mul = &ec_GFp_pts_mul_jac;
+	group->validate_point = &ec_GFp_validate_point;
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+/* Construct a generic ECGroup for elliptic curves over binary polynomial
+ * fields. */
+ECGroup *
+ECGroup_consGF2m(const mp_int *irr, const unsigned int irr_arr[5],
+				 const mp_int *curvea, const mp_int *curveb,
+				 const mp_int *genx, const mp_int *geny,
+				 const mp_int *order, int cofactor)
+{
+	mp_err res = MP_OKAY;
+	ECGroup *group = NULL;
+
+	group = ECGroup_new();
+	if (group == NULL)
+		return NULL;
+
+	group->meth = GFMethod_consGF2m(irr, irr_arr);
+	if (group->meth == NULL) {
+		res = MP_MEM;
+		goto CLEANUP;
+	}
+	MP_CHECKOK(mp_copy(curvea, &group->curvea));
+	MP_CHECKOK(mp_copy(curveb, &group->curveb));
+	MP_CHECKOK(mp_copy(genx, &group->genx));
+	MP_CHECKOK(mp_copy(geny, &group->geny));
+	MP_CHECKOK(mp_copy(order, &group->order));
+	group->cofactor = cofactor;
+	group->point_add = &ec_GF2m_pt_add_aff;
+	group->point_sub = &ec_GF2m_pt_sub_aff;
+	group->point_dbl = &ec_GF2m_pt_dbl_aff;
+	group->point_mul = &ec_GF2m_pt_mul_mont;
+	group->base_point_mul = NULL;
+	group->points_mul = &ec_pts_mul_basic;
+	group->validate_point = &ec_GF2m_validate_point;
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+#endif
+
+/* Construct ECGroup from hex parameters and name, if any. Called by
+ * ECGroup_fromHex and ECGroup_fromName. */
+ECGroup *
+ecgroup_fromNameAndHex(const ECCurveName name,
+					   const ECCurveParams * params)
+{
+	mp_int irr, curvea, curveb, genx, geny, order;
+	int bits;
+	ECGroup *group = NULL;
+	mp_err res = MP_OKAY;
+
+	/* initialize values */
+	MP_DIGITS(&irr) = 0;
+	MP_DIGITS(&curvea) = 0;
+	MP_DIGITS(&curveb) = 0;
+	MP_DIGITS(&genx) = 0;
+	MP_DIGITS(&geny) = 0;
+	MP_DIGITS(&order) = 0;
+	MP_CHECKOK(mp_init(&irr));
+	MP_CHECKOK(mp_init(&curvea));
+	MP_CHECKOK(mp_init(&curveb));
+	MP_CHECKOK(mp_init(&genx));
+	MP_CHECKOK(mp_init(&geny));
+	MP_CHECKOK(mp_init(&order));
+	MP_CHECKOK(mp_read_radix(&irr, params->irr, 16));
+	MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16));
+	MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16));
+	MP_CHECKOK(mp_read_radix(&genx, params->genx, 16));
+	MP_CHECKOK(mp_read_radix(&geny, params->geny, 16));
+	MP_CHECKOK(mp_read_radix(&order, params->order, 16));
+
+	/* determine number of bits */
+	bits = mpl_significant_bits(&irr) - 1;
+	if (bits < MP_OKAY) {
+		res = bits;
+		goto CLEANUP;
+	}
+
+	/* determine which optimizations (if any) to use */
+	if (params->field == ECField_GFp) {
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+	    switch (name) {
+#ifdef ECL_USE_FP
+		case ECCurve_SECG_PRIME_160R1:
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_secp160r1_fp(group));
+			break;
+#endif
+		case ECCurve_SECG_PRIME_192R1:
+#ifdef ECL_USE_FP
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_nistp192_fp(group));
+#else
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_gfp192(group, name));
+#endif
+			break;
+		case ECCurve_SECG_PRIME_224R1:
+#ifdef ECL_USE_FP
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_nistp224_fp(group));
+#else
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_gfp224(group, name));
+#endif
+			break;
+		case ECCurve_SECG_PRIME_256R1:
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_gfp256(group, name));
+			break;
+		case ECCurve_SECG_PRIME_521R1:
+			group =
+				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
+								&order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+			MP_CHECKOK(ec_group_set_gfp521(group, name));
+			break;
+		default:
+			/* use generic arithmetic */
+#endif
+			group =
+				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
+									 &order, params->cofactor);
+			if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+		}
+	} else if (params->field == ECField_GF2m) {
+		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor);
+		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
+		if ((name == ECCurve_NIST_K163) ||
+		    (name == ECCurve_NIST_B163) ||
+		    (name == ECCurve_SECG_CHAR2_163R1)) {
+			MP_CHECKOK(ec_group_set_gf2m163(group, name));
+		} else if ((name == ECCurve_SECG_CHAR2_193R1) ||
+		           (name == ECCurve_SECG_CHAR2_193R2)) {
+			MP_CHECKOK(ec_group_set_gf2m193(group, name));
+		} else if ((name == ECCurve_NIST_K233) ||
+		           (name == ECCurve_NIST_B233)) {
+			MP_CHECKOK(ec_group_set_gf2m233(group, name));
+		}
+#endif
+	} else {
+		res = MP_UNDEF;
+		goto CLEANUP;
+	}
+
+	/* set name, if any */
+	if ((group != NULL) && (params->text != NULL)) {
+		group->text = strdup(params->text);
+		if (group->text == NULL) {
+			res = MP_MEM;
+		}
+	}
+
+  CLEANUP:
+	mp_clear(&irr);
+	mp_clear(&curvea);
+	mp_clear(&curveb);
+	mp_clear(&genx);
+	mp_clear(&geny);
+	mp_clear(&order);
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+
+/* Construct ECGroup from hexadecimal representations of parameters. */
+ECGroup *
+ECGroup_fromHex(const ECCurveParams * params)
+{
+	return ecgroup_fromNameAndHex(ECCurve_noName, params);
+}
+
+/* Construct ECGroup from named parameters. */
+ECGroup *
+ECGroup_fromName(const ECCurveName name)
+{
+	ECGroup *group = NULL;
+	ECCurveParams *params = NULL;
+	mp_err res = MP_OKAY;
+
+	params = EC_GetNamedCurveParams(name);
+	if (params == NULL) {
+		res = MP_UNDEF;
+		goto CLEANUP;
+	}
+
+	/* construct actual group */
+	group = ecgroup_fromNameAndHex(name, params);
+	if (group == NULL) {
+		res = MP_UNDEF;
+		goto CLEANUP;
+	}
+
+  CLEANUP:
+	EC_FreeCurveParams(params);
+	if (res != MP_OKAY) {
+		ECGroup_free(group);
+		return NULL;
+	}
+	return group;
+}
+
+/* Validates an EC public key as described in Section 5.2.2 of X9.62. */
+mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const 
+					mp_int *py)
+{
+    /* 1: Verify that publicValue is not the point at infinity */
+    /* 2: Verify that the coordinates of publicValue are elements 
+     *    of the field.
+     */
+    /* 3: Verify that publicValue is on the curve. */
+    /* 4: Verify that the order of the curve times the publicValue
+     *    is the point at infinity.
+     */
+	return group->validate_point(px, py, group);
+}
+
+/* Free the memory allocated (if any) to an ECGroup object. */
+void
+ECGroup_free(ECGroup *group)
+{
+	if (group == NULL)
+		return;
+	GFMethod_free(group->meth);
+	if (group->constructed == MP_NO)
+		return;
+	mp_clear(&group->curvea);
+	mp_clear(&group->curveb);
+	mp_clear(&group->genx);
+	mp_clear(&group->geny);
+	mp_clear(&group->order);
+	if (group->text != NULL)
+		free(group->text);
+	if (group->extra_free != NULL)
+		group->extra_free(group);
+	free(group);
+}
diff --git a/security/nss/lib/freebl/ecl/ecl.h b/security/nss/lib/freebl/ecl/ecl.h
new file mode 100644
index 000000000..dbd86c253
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl.h
@@ -0,0 +1,91 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Although this is not an exported header file, code which uses elliptic
+ * curve point operations will need to include it. */
+
+#ifndef __ecl_h_
+#define __ecl_h_
+
+#include "ecl-exp.h"
+#include "mpi.h"
+
+struct ECGroupStr;
+typedef struct ECGroupStr ECGroup;
+
+/* Construct ECGroup from hexadecimal representations of parameters. */
+ECGroup *ECGroup_fromHex(const ECCurveParams * params);
+
+/* Construct ECGroup from named parameters. */
+ECGroup *ECGroup_fromName(const ECCurveName name);
+
+/* Free an allocated ECGroup. */
+void ECGroup_free(ECGroup *group);
+
+/* Construct ECCurveParams from an ECCurveName */
+ECCurveParams *EC_GetNamedCurveParams(const ECCurveName name);
+
+/* Duplicates an ECCurveParams */
+ECCurveParams *ECCurveParams_dup(const ECCurveParams * params);
+
+/* Free an allocated ECCurveParams */
+void EC_FreeCurveParams(ECCurveParams * params);
+
+/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k * P(x, 
+ * y).  If x, y = NULL, then P is assumed to be the generator (base point) 
+ * of the group of points on the elliptic curve. Input and output values
+ * are assumed to be NOT field-encoded. */
+mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
+				   const mp_int *py, mp_int *qx, mp_int *qy);
+
+/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G + 
+ * k2 * P(x, y), where G is the generator (base point) of the group of
+ * points on the elliptic curve. Input and output values are assumed to
+ * be NOT field-encoded. */
+mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1,
+					const mp_int *k2, const mp_int *px, const mp_int *py,
+					mp_int *qx, mp_int *qy);
+
+/* Validates an EC public key as described in Section 5.2.2 of X9.62.
+ * Returns MP_YES if the public key is valid, MP_NO if the public key
+ * is invalid, or an error code if the validation could not be
+ * performed. */
+mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const 
+					mp_int *py);
+
+#endif							/* __ecl_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl_curve.c b/security/nss/lib/freebl/ecl/ecl_curve.c
new file mode 100644
index 000000000..a0a7bd316
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl_curve.c
@@ -0,0 +1,123 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecl.h"
+#include "ecl-curve.h"
+#include "ecl-priv.h"
+#include <stdlib.h>
+#include <string.h>
+
+#define CHECK(func) if ((func) == NULL) { res = 0; goto CLEANUP; }
+
+/* Duplicates an ECCurveParams */
+ECCurveParams *
+ECCurveParams_dup(const ECCurveParams * params)
+{
+	int res = 1;
+	ECCurveParams *ret = NULL;
+
+	CHECK(ret = (ECCurveParams *) calloc(1, sizeof(ECCurveParams)));
+	if (params->text != NULL) {
+		CHECK(ret->text = strdup(params->text));
+	}
+	ret->field = params->field;
+	ret->size = params->size;
+	if (params->irr != NULL) {
+		CHECK(ret->irr = strdup(params->irr));
+	}
+	if (params->curvea != NULL) {
+		CHECK(ret->curvea = strdup(params->curvea));
+	}
+	if (params->curveb != NULL) {
+		CHECK(ret->curveb = strdup(params->curveb));
+	}
+	if (params->genx != NULL) {
+		CHECK(ret->genx = strdup(params->genx));
+	}
+	if (params->geny != NULL) {
+		CHECK(ret->geny = strdup(params->geny));
+	}
+	if (params->order != NULL) {
+		CHECK(ret->order = strdup(params->order));
+	}
+	ret->cofactor = params->cofactor;
+
+  CLEANUP:
+	if (res != 1) {
+		EC_FreeCurveParams(ret);
+		return NULL;
+	}
+	return ret;
+}
+
+#undef CHECK
+
+/* Construct ECCurveParams from an ECCurveName */
+ECCurveParams *
+EC_GetNamedCurveParams(const ECCurveName name)
+{
+	if ((name <= ECCurve_noName) || (ECCurve_pastLastCurve <= name) ||
+					(ecCurve_map[name] == NULL)) {
+		return NULL;
+	} else {
+		return ECCurveParams_dup(ecCurve_map[name]);
+	}
+}
+
+/* Free the memory allocated (if any) to an ECCurveParams object. */
+void
+EC_FreeCurveParams(ECCurveParams * params)
+{
+	if (params == NULL)
+		return;
+	if (params->text != NULL)
+		free(params->text);
+	if (params->irr != NULL)
+		free(params->irr);
+	if (params->curvea != NULL)
+		free(params->curvea);
+	if (params->curveb != NULL)
+		free(params->curveb);
+	if (params->genx != NULL)
+		free(params->genx);
+	if (params->geny != NULL)
+		free(params->geny);
+	if (params->order != NULL)
+		free(params->order);
+	free(params);
+}
diff --git a/security/nss/lib/freebl/ecl/ecl_gf.c b/security/nss/lib/freebl/ecl/ecl_gf.c
new file mode 100644
index 000000000..08fa0c3e0
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl_gf.c
@@ -0,0 +1,1032 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mp_gf2m.h"
+#include "ecl-priv.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Allocate memory for a new GFMethod object. */
+GFMethod *
+GFMethod_new()
+{
+	mp_err res = MP_OKAY;
+	GFMethod *meth;
+	meth = (GFMethod *) malloc(sizeof(GFMethod));
+	if (meth == NULL)
+		return NULL;
+	meth->constructed = MP_YES;
+	MP_DIGITS(&meth->irr) = 0;
+	meth->extra_free = NULL;
+	MP_CHECKOK(mp_init(&meth->irr));
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		GFMethod_free(meth);
+		return NULL;
+	}
+	return meth;
+}
+
+/* Construct a generic GFMethod for arithmetic over prime fields with
+ * irreducible irr. */
+GFMethod *
+GFMethod_consGFp(const mp_int *irr)
+{
+	mp_err res = MP_OKAY;
+	GFMethod *meth = NULL;
+
+	meth = GFMethod_new();
+	if (meth == NULL)
+		return NULL;
+
+	MP_CHECKOK(mp_copy(irr, &meth->irr));
+	meth->irr_arr[0] = mpl_significant_bits(irr);
+	meth->irr_arr[1] = meth->irr_arr[2] = meth->irr_arr[3] =
+		meth->irr_arr[4] = 0;
+	switch(MP_USED(&meth->irr)) {
+	/* maybe we need 1 and 2 words here as well?*/
+	case 3:
+		meth->field_add = &ec_GFp_add_3;
+		meth->field_sub = &ec_GFp_sub_3;
+		break;
+	case 4:
+		meth->field_add = &ec_GFp_add_4;
+		meth->field_sub = &ec_GFp_sub_4;
+		break;
+	case 5:
+		meth->field_add = &ec_GFp_add_5;
+		meth->field_sub = &ec_GFp_sub_5;
+		break;
+	case 6:
+		meth->field_add = &ec_GFp_add_6;
+		meth->field_sub = &ec_GFp_sub_6;
+		break;
+	default:
+		meth->field_add = &ec_GFp_add;
+		meth->field_sub = &ec_GFp_sub;
+	}
+	meth->field_neg = &ec_GFp_neg;
+	meth->field_mod = &ec_GFp_mod;
+	meth->field_mul = &ec_GFp_mul;
+	meth->field_sqr = &ec_GFp_sqr;
+	meth->field_div = &ec_GFp_div;
+	meth->field_enc = NULL;
+	meth->field_dec = NULL;
+	meth->extra1 = NULL;
+	meth->extra2 = NULL;
+	meth->extra_free = NULL;
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		GFMethod_free(meth);
+		return NULL;
+	}
+	return meth;
+}
+
+/* Construct a generic GFMethod for arithmetic over binary polynomial
+ * fields with irreducible irr that has array representation irr_arr (see
+ * ecl-priv.h for description of the representation).  If irr_arr is NULL, 
+ * then it is constructed from the bitstring representation. */
+GFMethod *
+GFMethod_consGF2m(const mp_int *irr, const unsigned int irr_arr[5])
+{
+	mp_err res = MP_OKAY;
+	int ret;
+	GFMethod *meth = NULL;
+
+	meth = GFMethod_new();
+	if (meth == NULL)
+		return NULL;
+
+	MP_CHECKOK(mp_copy(irr, &meth->irr));
+	if (irr_arr != NULL) {
+		/* Irreducible polynomials are either trinomials or pentanomials. */
+		meth->irr_arr[0] = irr_arr[0];
+		meth->irr_arr[1] = irr_arr[1];
+		meth->irr_arr[2] = irr_arr[2];
+		if (irr_arr[2] > 0) {
+			meth->irr_arr[3] = irr_arr[3];
+			meth->irr_arr[4] = irr_arr[4];
+		} else {
+			meth->irr_arr[3] = meth->irr_arr[4] = 0;
+		}
+	} else {
+		ret = mp_bpoly2arr(irr, meth->irr_arr, 5);
+		/* Irreducible polynomials are either trinomials or pentanomials. */
+		if ((ret != 5) && (ret != 3)) {
+			res = MP_UNDEF;
+			goto CLEANUP;
+		}
+	}
+	meth->field_add = &ec_GF2m_add;
+	meth->field_neg = &ec_GF2m_neg;
+	meth->field_sub = &ec_GF2m_add;
+	meth->field_mod = &ec_GF2m_mod;
+	meth->field_mul = &ec_GF2m_mul;
+	meth->field_sqr = &ec_GF2m_sqr;
+	meth->field_div = &ec_GF2m_div;
+	meth->field_enc = NULL;
+	meth->field_dec = NULL;
+	meth->extra1 = NULL;
+	meth->extra2 = NULL;
+	meth->extra_free = NULL;
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		GFMethod_free(meth);
+		return NULL;
+	}
+	return meth;
+}
+
+/* Free the memory allocated (if any) to a GFMethod object. */
+void
+GFMethod_free(GFMethod *meth)
+{
+	if (meth == NULL)
+		return;
+	if (meth->constructed == MP_NO)
+		return;
+	mp_clear(&meth->irr);
+	if (meth->extra_free != NULL)
+		meth->extra_free(meth);
+	free(meth);
+}
+
+/* Wrapper functions for generic prime field arithmetic. */
+
+/* Add two field elements.  Assumes that 0 <= a, b < meth->irr */
+mp_err
+ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	/* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a + b (mod p) */
+	mp_err res;
+
+	if ((res = mp_add(a, b, r)) != MP_OKAY) {
+		return res;
+	}
+	if (mp_cmp(r, &meth->irr) >= 0) {
+		return mp_sub(r, &meth->irr, r);
+	}
+	return res;
+}
+
+/* Negates a field element.  Assumes that 0 <= a < meth->irr */
+mp_err
+ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	/* PRE: 0 <= a < p = meth->irr POST: 0 <= r < p, r = -a (mod p) */
+
+	if (mp_cmp_z(a) == 0) {
+		mp_zero(r);
+		return MP_OKAY;
+	}
+	return mp_sub(&meth->irr, a, r);
+}
+
+/* Subtracts two field elements.  Assumes that 0 <= a, b < meth->irr */
+mp_err
+ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	/* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a - b (mod p) */
+	res = mp_sub(a, b, r);
+	if (res == MP_RANGE) {
+		MP_CHECKOK(mp_sub(b, a, r));
+		if (mp_cmp_z(r) < 0) {
+			MP_CHECKOK(mp_add(r, &meth->irr, r));
+		}
+		MP_CHECKOK(ec_GFp_neg(r, r, meth));
+	}
+	if (mp_cmp_z(r) < 0) {
+		MP_CHECKOK(mp_add(r, &meth->irr, r));
+	}
+  CLEANUP:
+	return res;
+}
+/* 
+ * Inline adds for small curve lengths.
+ */
+/* 3 words */
+mp_err
+ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a0 = 0, a1 = 0, a2 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0;
+	mp_digit carry;
+
+	switch(MP_USED(a)) {
+	case 3:
+		a2 = MP_DIGIT(a,2);
+	case 2:
+		a1 = MP_DIGIT(a,1);
+	case 1:
+		a0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 3:
+		r2 = MP_DIGIT(b,2);
+	case 2:
+		r1 = MP_DIGIT(b,1);
+	case 1:
+		r0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
+	MP_ADD_CARRY(a1, r1, r1, carry, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+#else
+	__asm__ (
+                "xorq   %3,%3           \n\t"
+                "addq   %4,%0           \n\t"
+                "adcq   %5,%1           \n\t"
+                "adcq   %6,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(carry)
+                : "r" (a0), "r" (a1), "r" (a2),
+		  "0" (r0), "1" (r1), "2" (r2)
+                : "%cc" );
+#endif
+
+	MP_CHECKOK(s_mp_pad(r, 3));
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 3;
+
+	/* Do quick 'subract' if we've gone over 
+	 * (add the 2's complement of the curve field) */
+	 a2 = MP_DIGIT(&meth->irr,2);
+	if (carry ||  r2 >  a2 ||
+		((r2 == a2) && mp_cmp(r,&meth->irr) != MP_LT)) {
+		a1 = MP_DIGIT(&meth->irr,1);
+		a0 = MP_DIGIT(&meth->irr,0);
+#ifndef MPI_AMD64_ADD
+		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a1, r1, carry, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry, carry);
+#else
+		__asm__ (
+			"subq   %3,%0           \n\t"
+			"sbbq   %4,%1           \n\t"
+			"sbbq   %5,%2           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2)
+			: "r" (a0), "r" (a1), "r" (a2),
+			  "0" (r0), "1" (r1), "2" (r2)
+			: "%cc" );
+#endif
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+	}
+	
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 4 words */
+mp_err
+ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0;
+	mp_digit carry;
+
+	switch(MP_USED(a)) {
+	case 4:
+		a3 = MP_DIGIT(a,3);
+	case 3:
+		a2 = MP_DIGIT(a,2);
+	case 2:
+		a1 = MP_DIGIT(a,1);
+	case 1:
+		a0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 4:
+		r3 = MP_DIGIT(b,3);
+	case 3:
+		r2 = MP_DIGIT(b,2);
+	case 2:
+		r1 = MP_DIGIT(b,1);
+	case 1:
+		r0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
+	MP_ADD_CARRY(a1, r1, r1, carry, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry, carry);
+#else
+	__asm__ (
+                "xorq   %4,%4           \n\t"
+                "addq   %5,%0           \n\t"
+                "adcq   %6,%1           \n\t"
+                "adcq   %7,%2           \n\t"
+                "adcq   %8,%3           \n\t"
+                "adcq   $0,%4           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r"(carry)
+                : "r" (a0), "r" (a1), "r" (a2), "r" (a3),
+		  "0" (r0), "1" (r1), "2" (r2), "3" (r3)
+                : "%cc" );
+#endif
+
+	MP_CHECKOK(s_mp_pad(r, 4));
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 4;
+
+	/* Do quick 'subract' if we've gone over 
+	 * (add the 2's complement of the curve field) */
+	 a3 = MP_DIGIT(&meth->irr,3);
+	if (carry ||  r3 >  a3 ||
+		((r3 == a3) && mp_cmp(r,&meth->irr) != MP_LT)) {
+		a2 = MP_DIGIT(&meth->irr,2);
+		a1 = MP_DIGIT(&meth->irr,1);
+		a0 = MP_DIGIT(&meth->irr,0);
+#ifndef MPI_AMD64_ADD
+		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a1, r1, carry, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry, carry);
+#else
+		__asm__ (
+			"subq   %4,%0           \n\t"
+			"sbbq   %5,%1           \n\t"
+			"sbbq   %6,%2           \n\t"
+			"sbbq   %7,%3           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3)
+			: "r" (a0), "r" (a1), "r" (a2), "r" (a3),
+			  "0" (r0), "1" (r1), "2" (r2), "3" (r3)
+			: "%cc" );
+#endif
+		MP_DIGIT(r, 3) = r3;
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+	}
+	
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 5 words */
+mp_err
+ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0, a4 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0;
+	mp_digit carry;
+
+	switch(MP_USED(a)) {
+	case 5:
+		a4 = MP_DIGIT(a,4);
+	case 4:
+		a3 = MP_DIGIT(a,3);
+	case 3:
+		a2 = MP_DIGIT(a,2);
+	case 2:
+		a1 = MP_DIGIT(a,1);
+	case 1:
+		a0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 5:
+		r4 = MP_DIGIT(b,4);
+	case 4:
+		r3 = MP_DIGIT(b,3);
+	case 3:
+		r2 = MP_DIGIT(b,2);
+	case 2:
+		r1 = MP_DIGIT(b,1);
+	case 1:
+		r0 = MP_DIGIT(b,0);
+	}
+
+	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
+	MP_ADD_CARRY(a1, r1, r1, carry, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry, carry);
+	MP_ADD_CARRY(a4, r4, r4, carry, carry);
+
+	MP_CHECKOK(s_mp_pad(r, 5));
+	MP_DIGIT(r, 4) = r4;
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 5;
+
+	/* Do quick 'subract' if we've gone over 
+	 * (add the 2's complement of the curve field) */
+	 a4 = MP_DIGIT(&meth->irr,4);
+	if (carry ||  r4 >  a4 ||
+		((r4 == a4) && mp_cmp(r,&meth->irr) != MP_LT)) {
+		a3 = MP_DIGIT(&meth->irr,3);
+		a2 = MP_DIGIT(&meth->irr,2);
+		a1 = MP_DIGIT(&meth->irr,1);
+		a0 = MP_DIGIT(&meth->irr,0);
+		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a1, r1, carry, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry, carry);
+		MP_SUB_BORROW(r4, a4, r4, carry, carry);
+		MP_DIGIT(r, 4) = r4;
+		MP_DIGIT(r, 3) = r3;
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+	}
+	
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 6 words */
+mp_err
+ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a0 = 0, a1 = 0, a2 = 0, a3 = 0, a4 = 0, a5 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0, r5 = 0;
+	mp_digit carry;
+
+	switch(MP_USED(a)) {
+	case 6:
+		a5 = MP_DIGIT(a,5);
+	case 5:
+		a4 = MP_DIGIT(a,4);
+	case 4:
+		a3 = MP_DIGIT(a,3);
+	case 3:
+		a2 = MP_DIGIT(a,2);
+	case 2:
+		a1 = MP_DIGIT(a,1);
+	case 1:
+		a0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 6:
+		r5 = MP_DIGIT(b,5);
+	case 5:
+		r4 = MP_DIGIT(b,4);
+	case 4:
+		r3 = MP_DIGIT(b,3);
+	case 3:
+		r2 = MP_DIGIT(b,2);
+	case 2:
+		r1 = MP_DIGIT(b,1);
+	case 1:
+		r0 = MP_DIGIT(b,0);
+	}
+
+	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
+	MP_ADD_CARRY(a1, r1, r1, carry, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry, carry);
+	MP_ADD_CARRY(a4, r4, r4, carry, carry);
+	MP_ADD_CARRY(a5, r5, r5, carry, carry);
+
+	MP_CHECKOK(s_mp_pad(r, 6));
+	MP_DIGIT(r, 5) = r5;
+	MP_DIGIT(r, 4) = r4;
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 6;
+
+	/* Do quick 'subract' if we've gone over 
+	 * (add the 2's complement of the curve field) */
+	a5 = MP_DIGIT(&meth->irr,5);
+	if (carry ||  r5 >  a5 ||
+		((r5 == a5) && mp_cmp(r,&meth->irr) != MP_LT)) {
+		a4 = MP_DIGIT(&meth->irr,4);
+		a3 = MP_DIGIT(&meth->irr,3);
+		a2 = MP_DIGIT(&meth->irr,2);
+		a1 = MP_DIGIT(&meth->irr,1);
+		a0 = MP_DIGIT(&meth->irr,0);
+		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a1, r1, carry, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry, carry);
+		MP_SUB_BORROW(r4, a4, r4, carry, carry);
+		MP_SUB_BORROW(r5, a5, r5, carry, carry);
+		MP_DIGIT(r, 5) = r5;
+		MP_DIGIT(r, 4) = r4;
+		MP_DIGIT(r, 3) = r3;
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+	}
+	
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/*
+ * The following subraction functions do in-line subractions based
+ * on our curve size.
+ *
+ * ... 3 words
+ */
+mp_err
+ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit b0 = 0, b1 = 0, b2 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0;
+	mp_digit borrow;
+
+	switch(MP_USED(a)) {
+	case 3:
+		r2 = MP_DIGIT(a,2);
+	case 2:
+		r1 = MP_DIGIT(a,1);
+	case 1:
+		r0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 3:
+		b2 = MP_DIGIT(b,2);
+	case 2:
+		b1 = MP_DIGIT(b,1);
+	case 1:
+		b0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+#else
+	__asm__ (
+                "xorq   %3,%3           \n\t"
+                "subq   %4,%0           \n\t"
+                "sbbq   %5,%1           \n\t"
+                "sbbq   %6,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r" (borrow)
+                : "r" (b0), "r" (b1), "r" (b2), 
+		  "0" (r0), "1" (r1), "2" (r2)
+                : "%cc" );
+#endif
+
+	/* Do quick 'add' if we've gone under 0
+	 * (subtract the 2's complement of the curve field) */
+	if (borrow) {
+	 	b2 = MP_DIGIT(&meth->irr,2);
+		b1 = MP_DIGIT(&meth->irr,1);
+		b0 = MP_DIGIT(&meth->irr,0);
+#ifndef MPI_AMD64_ADD
+		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
+#else
+		__asm__ (
+			"addq   %3,%0           \n\t"
+			"adcq   %4,%1           \n\t"
+			"adcq   %5,%2           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2)
+			: "r" (b0), "r" (b1), "r" (b2),
+  			  "0" (r0), "1" (r1), "2" (r2)
+			: "%cc" );
+#endif
+	}
+
+#ifdef MPI_AMD64_ADD
+	/* compiler fakeout? */
+	if ((r2 == b0) && (r1 == b0) && (r0 == b0)) { 
+		MP_CHECKOK(s_mp_pad(r, 4));
+	} 
+#endif
+	MP_CHECKOK(s_mp_pad(r, 3));
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 3;
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 4 words */
+mp_err
+ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0;
+	mp_digit borrow;
+
+	switch(MP_USED(a)) {
+	case 4:
+		r3 = MP_DIGIT(a,3);
+	case 3:
+		r2 = MP_DIGIT(a,2);
+	case 2:
+		r1 = MP_DIGIT(a,1);
+	case 1:
+		r0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 4:
+		b3 = MP_DIGIT(b,3);
+	case 3:
+		b2 = MP_DIGIT(b,2);
+	case 2:
+		b1 = MP_DIGIT(b,1);
+	case 1:
+		b0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
+#else
+	__asm__ (
+                "xorq   %4,%4           \n\t"
+                "subq   %5,%0           \n\t"
+                "sbbq   %6,%1           \n\t"
+                "sbbq   %7,%2           \n\t"
+                "sbbq   %8,%3           \n\t"
+                "adcq   $0,%4           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r" (borrow)
+                : "r" (b0), "r" (b1), "r" (b2), "r" (b3),
+		  "0" (r0), "1" (r1), "2" (r2), "3" (r3)
+                : "%cc" );
+#endif
+
+	/* Do quick 'add' if we've gone under 0
+	 * (subtract the 2's complement of the curve field) */
+	if (borrow) {
+	 	b3 = MP_DIGIT(&meth->irr,3);
+	 	b2 = MP_DIGIT(&meth->irr,2);
+		b1 = MP_DIGIT(&meth->irr,1);
+		b0 = MP_DIGIT(&meth->irr,0);
+#ifndef MPI_AMD64_ADD
+		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
+#else
+		__asm__ (
+			"addq   %4,%0           \n\t"
+			"adcq   %5,%1           \n\t"
+			"adcq   %6,%2           \n\t"
+			"adcq   %7,%3           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3)
+			: "r" (b0), "r" (b1), "r" (b2), "r" (b3),
+  			  "0" (r0), "1" (r1), "2" (r2), "3" (r3)
+			: "%cc" );
+#endif
+	}
+#ifdef MPI_AMD64_ADD
+	/* compiler fakeout? */
+	if ((r3 == b0) && (r1 == b0) && (r0 == b0)) { 
+		MP_CHECKOK(s_mp_pad(r, 4));
+	} 
+#endif
+	MP_CHECKOK(s_mp_pad(r, 4));
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 4;
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 5 words */
+mp_err
+ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0, b4 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0;
+	mp_digit borrow;
+
+	switch(MP_USED(a)) {
+	case 5:
+		r4 = MP_DIGIT(a,4);
+	case 4:
+		r3 = MP_DIGIT(a,3);
+	case 3:
+		r2 = MP_DIGIT(a,2);
+	case 2:
+		r1 = MP_DIGIT(a,1);
+	case 1:
+		r0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 5:
+		b4 = MP_DIGIT(b,4);
+	case 4:
+		b3 = MP_DIGIT(b,3);
+	case 3:
+		b2 = MP_DIGIT(b,2);
+	case 2:
+		b1 = MP_DIGIT(b,1);
+	case 1:
+		b0 = MP_DIGIT(b,0);
+	}
+
+	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
+	MP_SUB_BORROW(r4, b4, r4, borrow, borrow);
+
+	/* Do quick 'add' if we've gone under 0
+	 * (subtract the 2's complement of the curve field) */
+	if (borrow) {
+	 	b4 = MP_DIGIT(&meth->irr,4);
+	 	b3 = MP_DIGIT(&meth->irr,3);
+	 	b2 = MP_DIGIT(&meth->irr,2);
+		b1 = MP_DIGIT(&meth->irr,1);
+		b0 = MP_DIGIT(&meth->irr,0);
+		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
+	}
+	MP_CHECKOK(s_mp_pad(r, 5));
+	MP_DIGIT(r, 4) = r4;
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 5;
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+/* 6 words */
+mp_err
+ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit b0 = 0, b1 = 0, b2 = 0, b3 = 0, b4 = 0, b5 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0, r3 = 0, r4 = 0, r5 = 0;
+	mp_digit borrow;
+
+	switch(MP_USED(a)) {
+	case 6:
+		r5 = MP_DIGIT(a,5);
+	case 5:
+		r4 = MP_DIGIT(a,4);
+	case 4:
+		r3 = MP_DIGIT(a,3);
+	case 3:
+		r2 = MP_DIGIT(a,2);
+	case 2:
+		r1 = MP_DIGIT(a,1);
+	case 1:
+		r0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 6:
+		b5 = MP_DIGIT(b,5);
+	case 5:
+		b4 = MP_DIGIT(b,4);
+	case 4:
+		b3 = MP_DIGIT(b,3);
+	case 3:
+		b2 = MP_DIGIT(b,2);
+	case 2:
+		b1 = MP_DIGIT(b,1);
+	case 1:
+		b0 = MP_DIGIT(b,0);
+	}
+
+	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
+	MP_SUB_BORROW(r4, b4, r4, borrow, borrow);
+	MP_SUB_BORROW(r5, b5, r5, borrow, borrow);
+
+	/* Do quick 'add' if we've gone under 0
+	 * (subtract the 2's complement of the curve field) */
+	if (borrow) {
+	 	b5 = MP_DIGIT(&meth->irr,5);
+	 	b4 = MP_DIGIT(&meth->irr,4);
+	 	b3 = MP_DIGIT(&meth->irr,3);
+	 	b2 = MP_DIGIT(&meth->irr,2);
+		b1 = MP_DIGIT(&meth->irr,1);
+		b0 = MP_DIGIT(&meth->irr,0);
+		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
+		MP_ADD_CARRY(b4, r4, r4, borrow, borrow);
+	}
+
+	MP_CHECKOK(s_mp_pad(r, 6));
+	MP_DIGIT(r, 5) = r5;
+	MP_DIGIT(r, 4) = r4;
+	MP_DIGIT(r, 3) = r3;
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 6;
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+
+/* Reduces an integer to a field element. */
+mp_err
+ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	return mp_mod(a, &meth->irr, r);
+}
+
+/* Multiplies two field elements. */
+mp_err
+ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	return mp_mulmod(a, b, &meth->irr, r);
+}
+
+/* Squares a field element. */
+mp_err
+ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	return mp_sqrmod(a, &meth->irr, r);
+}
+
+/* Divides two field elements. If a is NULL, then returns the inverse of
+ * b. */
+mp_err
+ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_int t;
+
+	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
+	if (a == NULL) {
+		return mp_invmod(b, &meth->irr, r);
+	} else {
+		/* MPI doesn't support divmod, so we implement it using invmod and 
+		 * mulmod. */
+		MP_CHECKOK(mp_init(&t));
+		MP_CHECKOK(mp_invmod(b, &meth->irr, &t));
+		MP_CHECKOK(mp_mulmod(a, &t, &meth->irr, r));
+	  CLEANUP:
+		mp_clear(&t);
+		return res;
+	}
+}
+
+/* Wrapper functions for generic binary polynomial field arithmetic. */
+
+/* Adds two field elements. */
+mp_err
+ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r,
+			const GFMethod *meth)
+{
+	return mp_badd(a, b, r);
+}
+
+/* Negates a field element. Note that for binary polynomial fields, the
+ * negation of a field element is the field element itself. */
+mp_err
+ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	if (a == r) {
+		return MP_OKAY;
+	} else {
+		return mp_copy(a, r);
+	}
+}
+
+/* Reduces a binary polynomial to a field element. */
+mp_err
+ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	return mp_bmod(a, meth->irr_arr, r);
+}
+
+/* Multiplies two field elements. */
+mp_err
+ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r,
+			const GFMethod *meth)
+{
+	return mp_bmulmod(a, b, meth->irr_arr, r);
+}
+
+/* Squares a field element. */
+mp_err
+ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	return mp_bsqrmod(a, meth->irr_arr, r);
+}
+
+/* Divides two field elements. If a is NULL, then returns the inverse of
+ * b. */
+mp_err
+ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r,
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_int t;
+
+	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
+	if (a == NULL) {
+		/* The GF(2^m) portion of MPI doesn't support invmod, so we
+		 * compute 1/b. */
+		MP_CHECKOK(mp_init(&t));
+		MP_CHECKOK(mp_set_int(&t, 1));
+		MP_CHECKOK(mp_bdivmod(&t, b, &meth->irr, meth->irr_arr, r));
+	  CLEANUP:
+		mp_clear(&t);
+		return res;
+	} else {
+		return mp_bdivmod(a, b, &meth->irr, meth->irr_arr, r);
+	}
+}
diff --git a/security/nss/lib/freebl/ecl/ecl_mult.c b/security/nss/lib/freebl/ecl/ecl_mult.c
new file mode 100644
index 000000000..050d0a747
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecl_mult.c
@@ -0,0 +1,356 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "ecl.h"
+#include "ecl-priv.h"
+#include <stdlib.h>
+
+/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k * P(x, 
+ * y).  If x, y = NULL, then P is assumed to be the generator (base point) 
+ * of the group of points on the elliptic curve. Input and output values
+ * are assumed to be NOT field-encoded. */
+mp_err
+ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
+			const mp_int *py, mp_int *rx, mp_int *ry)
+{
+	mp_err res = MP_OKAY;
+	mp_int kt;
+
+	ARGCHK((k != NULL) && (group != NULL), MP_BADARG);
+	MP_DIGITS(&kt) = 0;
+
+	/* want scalar to be less than or equal to group order */
+	if (mp_cmp(k, &group->order) > 0) {
+		MP_CHECKOK(mp_init(&kt));
+		MP_CHECKOK(mp_mod(k, &group->order, &kt));
+	} else {
+		MP_SIGN(&kt) = MP_ZPOS;
+		MP_USED(&kt) = MP_USED(k);
+		MP_ALLOC(&kt) = MP_ALLOC(k);
+		MP_DIGITS(&kt) = MP_DIGITS(k);
+	}
+
+	if ((px == NULL) || (py == NULL)) {
+		if (group->base_point_mul) {
+			MP_CHECKOK(group->base_point_mul(&kt, rx, ry, group));
+		} else {
+			MP_CHECKOK(group->
+					   point_mul(&kt, &group->genx, &group->geny, rx, ry,
+								 group));
+		}
+	} else {
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->field_enc(px, rx, group->meth));
+			MP_CHECKOK(group->meth->field_enc(py, ry, group->meth));
+			MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group));
+		} else {
+			MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group));
+		}
+	}
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
+	}
+
+  CLEANUP:
+	if (MP_DIGITS(&kt) != MP_DIGITS(k)) {
+		mp_clear(&kt);
+	}
+	return res;
+}
+
+/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
+ * k2 * P(x, y), where G is the generator (base point) of the group of
+ * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
+ * Input and output values are assumed to be NOT field-encoded. */
+mp_err
+ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
+				 const mp_int *py, mp_int *rx, mp_int *ry,
+				 const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int sx, sy;
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK(!((k1 == NULL)
+			 && ((k2 == NULL) || (px == NULL)
+				 || (py == NULL))), MP_BADARG);
+
+	/* if some arguments are not defined used ECPoint_mul */
+	if (k1 == NULL) {
+		return ECPoint_mul(group, k2, px, py, rx, ry);
+	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
+		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+	}
+
+	MP_DIGITS(&sx) = 0;
+	MP_DIGITS(&sy) = 0;
+	MP_CHECKOK(mp_init(&sx));
+	MP_CHECKOK(mp_init(&sy));
+
+	MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy));
+	MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry));
+
+	if (group->meth->field_enc) {
+		MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth));
+		MP_CHECKOK(group->meth->field_enc(&sy, &sy, group->meth));
+		MP_CHECKOK(group->meth->field_enc(rx, rx, group->meth));
+		MP_CHECKOK(group->meth->field_enc(ry, ry, group->meth));
+	}
+
+	MP_CHECKOK(group->point_add(&sx, &sy, rx, ry, rx, ry, group));
+
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
+	}
+
+  CLEANUP:
+	mp_clear(&sx);
+	mp_clear(&sy);
+	return res;
+}
+
+/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
+ * k2 * P(x, y), where G is the generator (base point) of the group of
+ * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
+ * Input and output values are assumed to be NOT field-encoded. Uses
+ * algorithm 15 (simultaneous multiple point multiplication) from Brown,
+ * Hankerson, Lopez, Menezes. Software Implementation of the NIST
+ * Elliptic Curves over Prime Fields. */
+mp_err
+ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
+					const mp_int *py, mp_int *rx, mp_int *ry,
+					const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int precomp[4][4][2];
+	const mp_int *a, *b;
+	int i, j;
+	int ai, bi, d;
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK(!((k1 == NULL)
+			 && ((k2 == NULL) || (px == NULL)
+				 || (py == NULL))), MP_BADARG);
+
+	/* if some arguments are not defined used ECPoint_mul */
+	if (k1 == NULL) {
+		return ECPoint_mul(group, k2, px, py, rx, ry);
+	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
+		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+	}
+
+	/* initialize precomputation table */
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			MP_DIGITS(&precomp[i][j][0]) = 0;
+			MP_DIGITS(&precomp[i][j][1]) = 0;
+		}
+	}
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			 MP_CHECKOK( mp_init_size(&precomp[i][j][0],
+						 ECL_MAX_FIELD_SIZE_DIGITS) );
+			 MP_CHECKOK( mp_init_size(&precomp[i][j][1],
+						 ECL_MAX_FIELD_SIZE_DIGITS) );
+		}
+	}
+
+	/* fill precomputation table */
+	/* assign {k1, k2} = {a, b} such that len(a) >= len(b) */
+	if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) {
+		a = k2;
+		b = k1;
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->
+					   field_enc(px, &precomp[1][0][0], group->meth));
+			MP_CHECKOK(group->meth->
+					   field_enc(py, &precomp[1][0][1], group->meth));
+		} else {
+			MP_CHECKOK(mp_copy(px, &precomp[1][0][0]));
+			MP_CHECKOK(mp_copy(py, &precomp[1][0][1]));
+		}
+		MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0]));
+		MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1]));
+	} else {
+		a = k1;
+		b = k2;
+		MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0]));
+		MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1]));
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->
+					   field_enc(px, &precomp[0][1][0], group->meth));
+			MP_CHECKOK(group->meth->
+					   field_enc(py, &precomp[0][1][1], group->meth));
+		} else {
+			MP_CHECKOK(mp_copy(px, &precomp[0][1][0]));
+			MP_CHECKOK(mp_copy(py, &precomp[0][1][1]));
+		}
+	}
+	/* precompute [*][0][*] */
+	mp_zero(&precomp[0][0][0]);
+	mp_zero(&precomp[0][0][1]);
+	MP_CHECKOK(group->
+			   point_dbl(&precomp[1][0][0], &precomp[1][0][1],
+						 &precomp[2][0][0], &precomp[2][0][1], group));
+	MP_CHECKOK(group->
+			   point_add(&precomp[1][0][0], &precomp[1][0][1],
+						 &precomp[2][0][0], &precomp[2][0][1],
+						 &precomp[3][0][0], &precomp[3][0][1], group));
+	/* precompute [*][1][*] */
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][1][0], &precomp[0][1][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][1][0], &precomp[i][1][1], group));
+	}
+	/* precompute [*][2][*] */
+	MP_CHECKOK(group->
+			   point_dbl(&precomp[0][1][0], &precomp[0][1][1],
+						 &precomp[0][2][0], &precomp[0][2][1], group));
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][2][0], &precomp[0][2][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][2][0], &precomp[i][2][1], group));
+	}
+	/* precompute [*][3][*] */
+	MP_CHECKOK(group->
+			   point_add(&precomp[0][1][0], &precomp[0][1][1],
+						 &precomp[0][2][0], &precomp[0][2][1],
+						 &precomp[0][3][0], &precomp[0][3][1], group));
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][3][0], &precomp[0][3][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][3][0], &precomp[i][3][1], group));
+	}
+
+	d = (mpl_significant_bits(a) + 1) / 2;
+
+	/* R = inf */
+	mp_zero(rx);
+	mp_zero(ry);
+
+	for (i = d - 1; i >= 0; i--) {
+		ai = MP_GET_BIT(a, 2 * i + 1);
+		ai <<= 1;
+		ai |= MP_GET_BIT(a, 2 * i);
+		bi = MP_GET_BIT(b, 2 * i + 1);
+		bi <<= 1;
+		bi |= MP_GET_BIT(b, 2 * i);
+		/* R = 2^2 * R */
+		MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group));
+		MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group));
+		/* R = R + (ai * A + bi * B) */
+		MP_CHECKOK(group->
+				   point_add(rx, ry, &precomp[ai][bi][0],
+							 &precomp[ai][bi][1], rx, ry, group));
+	}
+
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
+	}
+
+  CLEANUP:
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			mp_clear(&precomp[i][j][0]);
+			mp_clear(&precomp[i][j][1]);
+		}
+	}
+	return res;
+}
+
+/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
+ * k2 * P(x, y), where G is the generator (base point) of the group of
+ * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
+ * Input and output values are assumed to be NOT field-encoded. */
+mp_err
+ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
+			 const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry)
+{
+	mp_err res = MP_OKAY;
+	mp_int k1t, k2t;
+	const mp_int *k1p, *k2p;
+
+	MP_DIGITS(&k1t) = 0;
+	MP_DIGITS(&k2t) = 0;
+
+	ARGCHK(group != NULL, MP_BADARG);
+
+	/* want scalar to be less than or equal to group order */
+	if (k1 != NULL) {
+		if (mp_cmp(k1, &group->order) >= 0) {
+			MP_CHECKOK(mp_init(&k1t));
+			MP_CHECKOK(mp_mod(k1, &group->order, &k1t));
+			k1p = &k1t;
+		} else {
+			k1p = k1;
+		}
+	} else {
+		k1p = k1;
+	}
+	if (k2 != NULL) {
+		if (mp_cmp(k2, &group->order) >= 0) {
+			MP_CHECKOK(mp_init(&k2t));
+			MP_CHECKOK(mp_mod(k2, &group->order, &k2t));
+			k2p = &k2t;
+		} else {
+			k2p = k2;
+		}
+	} else {
+		k2p = k2;
+	}
+
+	/* if points_mul is defined, then use it */
+	if (group->points_mul) {
+		res = group->points_mul(k1p, k2p, px, py, rx, ry, group);
+	} else {
+		res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group);
+	}
+
+  CLEANUP:
+	mp_clear(&k1t);
+	mp_clear(&k2t);
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp.h b/security/nss/lib/freebl/ecl/ecp.h
new file mode 100644
index 000000000..1d247b154
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp.h
@@ -0,0 +1,140 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ecp_h_
+#define __ecp_h_
+
+#include "ecl-priv.h"
+
+/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
+mp_err ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py);
+
+/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
+mp_err ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py);
+
+/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
+ * qy). Uses affine coordinates. */
+mp_err ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py,
+						 const mp_int *qx, const mp_int *qy, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+
+/* Computes R = P - Q.  Uses affine coordinates. */
+mp_err ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py,
+						 const mp_int *qx, const mp_int *qy, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+
+/* Computes R = 2P.  Uses affine coordinates. */
+mp_err ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
+						 mp_int *ry, const ECGroup *group);
+
+/* Validates a point on a GFp curve. */
+mp_err ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Uses affine coordinates. */
+mp_err ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px,
+						 const mp_int *py, mp_int *rx, mp_int *ry,
+						 const ECGroup *group);
+#endif
+
+/* Converts a point P(px, py) from affine coordinates to Jacobian
+ * projective coordinates R(rx, ry, rz). */
+mp_err ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx,
+						 mp_int *ry, mp_int *rz, const ECGroup *group);
+
+/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
+ * affine coordinates R(rx, ry). */
+mp_err ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py,
+						 const mp_int *pz, mp_int *rx, mp_int *ry,
+						 const ECGroup *group);
+
+/* Checks if point P(px, py, pz) is at infinity.  Uses Jacobian
+ * coordinates. */
+mp_err ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py,
+							const mp_int *pz);
+
+/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian
+ * coordinates. */
+mp_err ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz);
+
+/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
+ * (qx, qy, qz).  Uses Jacobian coordinates. */
+mp_err ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py,
+							 const mp_int *pz, const mp_int *qx,
+							 const mp_int *qy, mp_int *rx, mp_int *ry,
+							 mp_int *rz, const ECGroup *group);
+
+/* Computes R = 2P.  Uses Jacobian coordinates. */
+mp_err ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py,
+						 const mp_int *pz, mp_int *rx, mp_int *ry,
+						 mp_int *rz, const ECGroup *group);
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Uses Jacobian coordinates. */
+mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px,
+						 const mp_int *py, mp_int *rx, mp_int *ry,
+						 const ECGroup *group);
+#endif
+
+/* Computes R(x, y) = k1 * G + k2 * P(x, y), where G is the generator
+ * (base point) of the group of points on the elliptic curve. Allows k1 =
+ * NULL or { k2, P } = NULL.  Implemented using mixed Jacobian-affine
+ * coordinates. Input and output values are assumed to be NOT
+ * field-encoded and are in affine form. */
+mp_err
+ ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
+					const mp_int *py, mp_int *rx, mp_int *ry,
+					const ECGroup *group);
+
+/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
+ * curve points P and R can be identical. Uses mixed Modified-Jacobian
+ * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
+ * additions. Assumes input is already field-encoded using field_enc, and
+ * returns output that is still field-encoded. Uses 5-bit window NAF
+ * method (algorithm 11) for scalar-point multiplication from Brown,
+ * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic 
+ * Curves Over Prime Fields. */
+mp_err
+ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
+					   mp_int *rx, mp_int *ry, const ECGroup *group);
+
+#endif							/* __ecp_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecp_192.c b/security/nss/lib/freebl/ecl/ecp_192.c
new file mode 100644
index 000000000..f4cd42bc3
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_192.c
@@ -0,0 +1,516 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+#define ECP192_DIGITS ECL_CURVE_DIGITS(192)
+
+/* Fast modular reduction for p192 = 2^192 - 2^64 - 1.  a can be r. Uses
+ * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
+ * Implementation of the NIST Elliptic Curves over Prime Fields. */
+mp_err
+ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_size a_used = MP_USED(a);
+	mp_digit r3;
+#ifndef MPI_AMD64_ADD 
+	mp_digit carry;
+#endif
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit a5a = 0, a5b = 0, a4a = 0, a4b = 0, a3a = 0, a3b = 0;
+        mp_digit r0a, r0b, r1a, r1b, r2a, r2b;
+#else
+	mp_digit a5 = 0, a4 = 0, a3 = 0;
+        mp_digit r0, r1, r2;
+#endif
+
+	/* reduction not needed if a is not larger than field size */
+	if (a_used < ECP192_DIGITS) {
+		if (a == r) {
+			return MP_OKAY;
+		}
+		return mp_copy(a, r);
+	}
+
+	/* for polynomials larger than twice the field size, use regular
+	 * reduction */
+	if (a_used > ECP192_DIGITS*2) {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+		/* copy out upper words of a */
+
+#ifdef ECL_THIRTY_TWO_BIT
+
+		/* in all the math below,
+		 * nXb is most signifiant, nXa is least significant */
+		switch (a_used) {
+		case 12:
+			a5b = MP_DIGIT(a, 11);
+		case 11:
+			a5a = MP_DIGIT(a, 10);
+		case 10:
+			a4b = MP_DIGIT(a, 9);
+		case 9:
+			a4a = MP_DIGIT(a, 8);
+		case 8:
+			a3b = MP_DIGIT(a, 7);
+		case 7:
+			a3a = MP_DIGIT(a, 6);
+		}
+
+
+                r2b= MP_DIGIT(a, 5);
+                r2a= MP_DIGIT(a, 4);
+                r1b = MP_DIGIT(a, 3);
+                r1a = MP_DIGIT(a, 2);
+                r0b = MP_DIGIT(a, 1);
+                r0a = MP_DIGIT(a, 0);
+
+		/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
+		MP_ADD_CARRY(r0a, a3a, r0a, 0,    carry);
+		MP_ADD_CARRY(r0b, a3b, r0b, carry, carry);
+		MP_ADD_CARRY(r1a, a3a, r1a, carry, carry);
+		MP_ADD_CARRY(r1b, a3b, r1b, carry, carry);
+		MP_ADD_CARRY(r2a, a4a, r2a, carry, carry);
+		MP_ADD_CARRY(r2b, a4b, r2b, carry, carry);
+		r3 = carry; carry = 0;
+		MP_ADD_CARRY(r0a, a5a, r0a, 0,     carry);
+		MP_ADD_CARRY(r0b, a5b, r0b, carry, carry);
+		MP_ADD_CARRY(r1a, a5a, r1a, carry, carry);
+		MP_ADD_CARRY(r1b, a5b, r1b, carry, carry);
+		MP_ADD_CARRY(r2a, a5a, r2a, carry, carry);
+		MP_ADD_CARRY(r2b, a5b, r2b, carry, carry);
+		r3 += carry; 
+		MP_ADD_CARRY(r1a, a4a, r1a, 0,     carry);
+		MP_ADD_CARRY(r1b, a4b, r1b, carry, carry);
+		MP_ADD_CARRY(r2a,   0, r2a, carry, carry);
+		MP_ADD_CARRY(r2b,   0, r2b, carry, carry);
+		r3 += carry;
+
+		/* reduce out the carry */
+		while (r3) {
+			MP_ADD_CARRY(r0a, r3, r0a, 0,     carry);
+			MP_ADD_CARRY(r0b,  0, r0b, carry, carry);
+			MP_ADD_CARRY(r1a, r3, r1a, carry, carry);
+			MP_ADD_CARRY(r1b,  0, r1b, carry, carry);
+			MP_ADD_CARRY(r2a,  0, r2a, carry, carry);
+			MP_ADD_CARRY(r2b,  0, r2b, carry, carry);
+			r3 = carry;
+		}
+
+		/* check for final reduction */
+		/*
+		 * our field is 0xffffffffffffffff, 0xfffffffffffffffe,
+		 * 0xffffffffffffffff. That means we can only be over and need
+		 * one more reduction 
+		 *  if r2 == 0xffffffffffffffffff (same as r2+1 == 0) 
+		 *     and
+		 *     r1 == 0xffffffffffffffffff   or
+		 *     r1 == 0xfffffffffffffffffe and r0 = 0xfffffffffffffffff
+		 * In all cases, we subtract the field (or add the 2's 
+		 * complement value (1,1,0)).  (r0, r1, r2)
+		 */
+		if (((r2b == 0xffffffff) && (r2a == 0xffffffff) 
+			&& (r1b == 0xffffffff) ) &&
+			   ((r1a == 0xffffffff) || 
+			    (r1a == 0xfffffffe) && (r0a == 0xffffffff) &&
+					(r0b == 0xffffffff)) ) {
+			/* do a quick subtract */
+			MP_ADD_CARRY(r0a, 1, r0a, 0, carry);
+			r0b += carry;
+			r1a = r1b = r2a = r2b = 0;
+		}
+
+		/* set the lower words of r */
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r, 6));
+		}
+		MP_DIGIT(r, 5) = r2b;
+		MP_DIGIT(r, 4) = r2a;
+		MP_DIGIT(r, 3) = r1b;
+		MP_DIGIT(r, 2) = r1a;
+		MP_DIGIT(r, 1) = r0b;
+		MP_DIGIT(r, 0) = r0a;
+		MP_USED(r) = 6;
+#else
+		switch (a_used) {
+		case 6:
+			a5 = MP_DIGIT(a, 5);
+		case 5:
+			a4 = MP_DIGIT(a, 4);
+		case 4:
+			a3 = MP_DIGIT(a, 3);
+		}
+
+                r2 = MP_DIGIT(a, 2);
+                r1 = MP_DIGIT(a, 1);
+                r0 = MP_DIGIT(a, 0);
+
+		/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
+#ifndef MPI_AMD64_ADD 
+		MP_ADD_CARRY(r0, a3, r0, 0,     carry);
+		MP_ADD_CARRY(r1, a3, r1, carry, carry);
+		MP_ADD_CARRY(r2, a4, r2, carry, carry);
+		r3 = carry; 
+		MP_ADD_CARRY(r0, a5, r0, 0,     carry);
+		MP_ADD_CARRY(r1, a5, r1, carry, carry);
+		MP_ADD_CARRY(r2, a5, r2, carry, carry);
+		r3 += carry; 
+		MP_ADD_CARRY(r1, a4, r1, 0,     carry);
+		MP_ADD_CARRY(r2,  0, r2, carry, carry);
+		r3 += carry;
+
+#else 
+                r2 = MP_DIGIT(a, 2);
+                r1 = MP_DIGIT(a, 1);
+                r0 = MP_DIGIT(a, 0);
+
+                /* set the lower words of r */
+                __asm__ (
+                "xorq   %3,%3           \n\t"
+                "addq   %4,%0           \n\t"
+                "adcq   %4,%1           \n\t"
+                "adcq   %5,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                "addq   %6,%0           \n\t"
+                "adcq   %6,%1           \n\t"
+                "adcq   %6,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                "addq   %5,%1           \n\t"
+                "adcq   $0,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r"(a3), 
+		  "=r"(a4), "=r"(a5)
+                : "0" (r0), "1" (r1), "2" (r2), "3" (r3), 
+		  "4" (a3), "5" (a4), "6"(a5)
+                : "%cc" );
+#endif 
+
+		/* reduce out the carry */
+		while (r3) {
+#ifndef MPI_AMD64_ADD
+			MP_ADD_CARRY(r0, r3, r0, 0,     carry);
+			MP_ADD_CARRY(r1, r3, r1, carry, carry);
+			MP_ADD_CARRY(r2,  0, r2, carry, carry);
+			r3 = carry;
+#else
+			a3=r3;
+              		__asm__ (
+                	"xorq   %3,%3           \n\t"
+                	"addq   %4,%0           \n\t"
+                	"adcq   %4,%1           \n\t"
+                	"adcq   $0,%2           \n\t"
+                	"adcq   $0,%3           \n\t"
+                	: "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3), "=r"(a3)
+                	: "0" (r0), "1" (r1), "2" (r2), "3" (r3), "4"(a3)
+                	: "%cc" );
+#endif
+		}
+
+		/* check for final reduction */
+		/*
+		 * our field is 0xffffffffffffffff, 0xfffffffffffffffe,
+		 * 0xffffffffffffffff. That means we can only be over and need
+		 * one more reduction 
+		 *  if r2 == 0xffffffffffffffffff (same as r2+1 == 0) 
+		 *     and
+		 *     r1 == 0xffffffffffffffffff   or
+		 *     r1 == 0xfffffffffffffffffe and r0 = 0xfffffffffffffffff
+		 * In all cases, we subtract the field (or add the 2's 
+		 * complement value (1,1,0)).  (r0, r1, r2)
+		 */
+		if (r3 || ((r2 == MP_DIGIT_MAX) &&
+		      ((r1 == MP_DIGIT_MAX) || 
+			((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
+			/* do a quick subtract */
+			r0++;
+			r1 = r2 = 0;
+		}
+		/* set the lower words of r */
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r, 3));
+		}
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+		MP_USED(r) = 3;
+#endif
+	}
+
+  CLEANUP:
+	return res;
+}
+
+#ifndef ECL_THIRTY_TWO_BIT
+/* Compute the sum of 192 bit curves. Do the work in-line since the
+ * number of words are so small, we don't want to overhead of mp function
+ * calls.  Uses optimized modular reduction for p192. 
+ */
+mp_err
+ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit a0 = 0, a1 = 0, a2 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0;
+	mp_digit carry;
+
+	switch(MP_USED(a)) {
+	case 3:
+		a2 = MP_DIGIT(a,2);
+	case 2:
+		a1 = MP_DIGIT(a,1);
+	case 1:
+		a0 = MP_DIGIT(a,0);
+	}
+	switch(MP_USED(b)) {
+	case 3:
+		r2 = MP_DIGIT(b,2);
+	case 2:
+		r1 = MP_DIGIT(b,1);
+	case 1:
+		r0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
+	MP_ADD_CARRY(a1, r1, r1, carry, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+#else
+	__asm__ (
+                "xorq   %3,%3           \n\t"
+                "addq   %4,%0           \n\t"
+                "adcq   %5,%1           \n\t"
+                "adcq   %6,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(carry)
+                : "r" (a0), "r" (a1), "r" (a2), "0" (r0), 
+		  "1" (r1), "2" (r2)
+                : "%cc" );
+#endif
+
+	/* Do quick 'subract' if we've gone over 
+	 * (add the 2's complement of the curve field) */
+	if (carry || ((r2 == MP_DIGIT_MAX) &&
+		      ((r1 == MP_DIGIT_MAX) || 
+			((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
+#ifndef MPI_AMD64_ADD
+		MP_ADD_CARRY(r0, 1, r0, 0,     carry);
+		MP_ADD_CARRY(r1, 1, r1, carry, carry);
+		MP_ADD_CARRY(r2, 0, r2, carry, carry);
+#else
+		__asm__ (
+			"addq   $1,%0           \n\t"
+			"adcq   $1,%1           \n\t"
+			"adcq   $0,%2           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2)
+			: "0" (r0), "1" (r1), "2" (r2)
+			: "%cc" );
+#endif
+	}
+
+	
+	MP_CHECKOK(s_mp_pad(r, 3));
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 3;
+	s_mp_clamp(r);
+
+
+  CLEANUP:
+	return res;
+}
+
+/* Compute the diff of 192 bit curves. Do the work in-line since the
+ * number of words are so small, we don't want to overhead of mp function
+ * calls.  Uses optimized modular reduction for p192. 
+ */
+mp_err
+ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r, 
+			const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_digit b0 = 0, b1 = 0, b2 = 0;
+	mp_digit r0 = 0, r1 = 0, r2 = 0;
+	mp_digit borrow;
+
+	switch(MP_USED(a)) {
+	case 3:
+		r2 = MP_DIGIT(a,2);
+	case 2:
+		r1 = MP_DIGIT(a,1);
+	case 1:
+		r0 = MP_DIGIT(a,0);
+	}
+
+	switch(MP_USED(b)) {
+	case 3:
+		b2 = MP_DIGIT(b,2);
+	case 2:
+		b1 = MP_DIGIT(b,1);
+	case 1:
+		b0 = MP_DIGIT(b,0);
+	}
+
+#ifndef MPI_AMD64_ADD
+	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+#else
+	__asm__ (
+                "xorq   %3,%3           \n\t"
+                "subq   %4,%0           \n\t"
+                "sbbq   %5,%1           \n\t"
+                "sbbq   %6,%2           \n\t"
+                "adcq   $0,%3           \n\t"
+                : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(borrow)
+                : "r" (b0), "r" (b1), "r" (b2), "0" (r0), 
+		  "1" (r1), "2" (r2)
+                : "%cc" );
+#endif
+
+	/* Do quick 'add' if we've gone under 0
+	 * (subtract the 2's complement of the curve field) */
+	if (borrow) {
+#ifndef MPI_AMD64_ADD
+		MP_SUB_BORROW(r0, 1, r0, 0,     borrow);
+		MP_SUB_BORROW(r1, 1, r1, borrow, borrow);
+		MP_SUB_BORROW(r2,  0, r2, borrow, borrow);
+#else
+		__asm__ (
+			"subq   $1,%0           \n\t"
+			"sbbq   $1,%1           \n\t"
+			"sbbq   $0,%2           \n\t"
+			: "=r"(r0), "=r"(r1), "=r"(r2)
+			: "0" (r0), "1" (r1), "2" (r2)
+			: "%cc" );
+#endif
+	}
+
+	MP_CHECKOK(s_mp_pad(r, 3));
+	MP_DIGIT(r, 2) = r2;
+	MP_DIGIT(r, 1) = r1;
+	MP_DIGIT(r, 0) = r0;
+	MP_SIGN(r) = MP_ZPOS;
+	MP_USED(r) = 3;
+	s_mp_clamp(r);
+
+  CLEANUP:
+	return res;
+}
+
+#endif
+
+/* Compute the square of polynomial a, reduce modulo p192. Store the
+ * result in r.  r could be a.  Uses optimized modular reduction for p192. 
+ */
+mp_err
+ec_GFp_nistp192_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_sqr(a, r));
+	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p192.
+ * Store the result in r.  r could be a or b; a could be b.  Uses
+ * optimized modular reduction for p192. */
+mp_err
+ec_GFp_nistp192_mul(const mp_int *a, const mp_int *b, mp_int *r,
+					const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Divides two field elements. If a is NULL, then returns the inverse of
+ * b. */
+mp_err
+ec_GFp_nistp192_div(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_int t;
+
+	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
+	if (a == NULL) {
+		return  mp_invmod(b, &meth->irr, r);
+	} else {
+		/* MPI doesn't support divmod, so we implement it using invmod and 
+		 * mulmod. */
+		MP_CHECKOK(mp_init(&t));
+		MP_CHECKOK(mp_invmod(b, &meth->irr, &t));
+		MP_CHECKOK(mp_mul(a, &t, r));
+		MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
+	  CLEANUP:
+		mp_clear(&t);
+		return res;
+	}
+}
+
+/* Wire in fast field arithmetic and precomputation of base point for
+ * named curves. */
+mp_err
+ec_group_set_gfp192(ECGroup *group, ECCurveName name)
+{
+	if (name == ECCurve_NIST_P192) {
+		group->meth->field_mod = &ec_GFp_nistp192_mod;
+		group->meth->field_mul = &ec_GFp_nistp192_mul;
+		group->meth->field_sqr = &ec_GFp_nistp192_sqr;
+		group->meth->field_div = &ec_GFp_nistp192_div;
+#ifndef ECL_THIRTY_TWO_BIT
+		group->meth->field_add = &ec_GFp_nistp192_add;
+		group->meth->field_sub = &ec_GFp_nistp192_sub;
+#endif
+	}
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_224.c b/security/nss/lib/freebl/ecl/ecp_224.c
new file mode 100644
index 000000000..56683e9ef
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_224.c
@@ -0,0 +1,372 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+#define ECP224_DIGITS ECL_CURVE_DIGITS(224)
+
+/* Fast modular reduction for p224 = 2^224 - 2^96 + 1.  a can be r. Uses
+ * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
+ * Implementation of the NIST Elliptic Curves over Prime Fields. */
+mp_err
+ec_GFp_nistp224_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_size a_used = MP_USED(a);
+
+	int    r3b;
+	mp_digit carry;
+#ifdef ECL_THIRTY_TWO_BIT
+        mp_digit a6a = 0, a6b = 0,
+                a5a = 0, a5b = 0, a4a = 0, a4b = 0, a3a = 0, a3b = 0;
+        mp_digit r0a, r0b, r1a, r1b, r2a, r2b, r3a;
+#else
+	mp_digit a6 = 0, a5 = 0, a4 = 0, a3b = 0, a5a = 0;
+        mp_digit a6b = 0, a6a_a5b = 0, a5b = 0, a5a_a4b = 0, a4a_a3b = 0;
+        mp_digit r0, r1, r2, r3;
+#endif
+
+	/* reduction not needed if a is not larger than field size */
+	if (a_used < ECP224_DIGITS) {
+		if (a == r) return MP_OKAY;
+		return mp_copy(a, r);
+	}
+	/* for polynomials larger than twice the field size, use regular
+	 * reduction */
+	if (a_used > ECL_CURVE_DIGITS(224*2)) {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+#ifdef ECL_THIRTY_TWO_BIT
+		/* copy out upper words of a */
+		switch (a_used) {
+		case 14:
+			a6b = MP_DIGIT(a, 13);
+		case 13:
+			a6a = MP_DIGIT(a, 12);
+		case 12:
+			a5b = MP_DIGIT(a, 11);
+		case 11:
+			a5a = MP_DIGIT(a, 10);
+		case 10:
+			a4b = MP_DIGIT(a, 9);
+		case 9:
+			a4a = MP_DIGIT(a, 8);
+		case 8:
+			a3b = MP_DIGIT(a, 7);
+		}
+		r3a = MP_DIGIT(a, 6);
+		r2b= MP_DIGIT(a, 5);
+		r2a= MP_DIGIT(a, 4);
+		r1b = MP_DIGIT(a, 3);
+		r1a = MP_DIGIT(a, 2);
+		r0b = MP_DIGIT(a, 1);
+		r0a = MP_DIGIT(a, 0);
+
+
+		/* implement r = (a3a,a2,a1,a0)
+			+(a5a, a4,a3b,  0)
+			+(  0, a6,a5b,  0)
+			-(  0	 0,    0|a6b, a6a|a5b )
+			-(  a6b, a6a|a5b, a5a|a4b, a4a|a3b ) */
+		MP_ADD_CARRY (r1b, a3b, r1b, 0,     carry);
+		MP_ADD_CARRY (r2a, a4a, r2a, carry, carry);
+		MP_ADD_CARRY (r2b, a4b, r2b, carry, carry);
+		MP_ADD_CARRY (r3a, a5a, r3a, carry, carry);
+		r3b = carry;
+		MP_ADD_CARRY (r1b, a5b, r1b, 0,     carry);
+		MP_ADD_CARRY (r2a, a6a, r2a, carry, carry);
+		MP_ADD_CARRY (r2b, a6b, r2b, carry, carry);
+		MP_ADD_CARRY (r3a,   0, r3a, carry, carry);
+		r3b += carry;
+		MP_SUB_BORROW(r0a, a3b, r0a, 0,     carry);
+		MP_SUB_BORROW(r0b, a4a, r0b, carry, carry);
+		MP_SUB_BORROW(r1a, a4b, r1a, carry, carry);
+		MP_SUB_BORROW(r1b, a5a, r1b, carry, carry);
+		MP_SUB_BORROW(r2a, a5b, r2a, carry, carry);
+		MP_SUB_BORROW(r2b, a6a, r2b, carry, carry);
+		MP_SUB_BORROW(r3a, a6b, r3a, carry, carry);
+		r3b -= carry;
+		MP_SUB_BORROW(r0a, a5b, r0a, 0,     carry);
+		MP_SUB_BORROW(r0b, a6a, r0b, carry, carry);
+		MP_SUB_BORROW(r1a, a6b, r1a, carry, carry);
+		if (carry) {
+			MP_SUB_BORROW(r1b, 0, r1b, carry, carry);
+			MP_SUB_BORROW(r2a, 0, r2a, carry, carry);
+			MP_SUB_BORROW(r2b, 0, r2b, carry, carry);
+			MP_SUB_BORROW(r3a, 0, r3a, carry, carry);
+			r3b -= carry;
+		}
+
+		while (r3b > 0) {
+			int tmp;
+			MP_ADD_CARRY(r1b, r3b, r1b, 0,     carry);
+			if (carry) {
+				MP_ADD_CARRY(r2a,  0, r2a, carry, carry);
+				MP_ADD_CARRY(r2b,  0, r2b, carry, carry);
+				MP_ADD_CARRY(r3a,  0, r3a, carry, carry);
+			}
+			tmp = carry;
+			MP_SUB_BORROW(r0a, r3b, r0a, 0,     carry);
+			if (carry) {
+				MP_SUB_BORROW(r0b, 0, r0b, carry, carry);
+				MP_SUB_BORROW(r1a, 0, r1a, carry, carry);
+				MP_SUB_BORROW(r1b, 0, r1b, carry, carry);
+				MP_SUB_BORROW(r2a, 0, r2a, carry, carry);
+				MP_SUB_BORROW(r2b, 0, r2b, carry, carry);
+				MP_SUB_BORROW(r3a, 0, r3a, carry, carry);
+				tmp -= carry;
+			}
+			r3b = tmp;
+		}
+
+		while (r3b < 0) {
+			mp_digit maxInt = MP_DIGIT_MAX;
+                	MP_ADD_CARRY (r0a, 1, r0a, 0,     carry);
+                	MP_ADD_CARRY (r0b, 0, r0b, carry, carry);
+                	MP_ADD_CARRY (r1a, 0, r1a, carry, carry);
+                	MP_ADD_CARRY (r1b, maxInt, r1b, carry, carry);
+                	MP_ADD_CARRY (r2a, maxInt, r2a, carry, carry);
+                	MP_ADD_CARRY (r2b, maxInt, r2b, carry, carry);
+                	MP_ADD_CARRY (r3a, maxInt, r3a, carry, carry);
+			r3b += carry;
+		}
+		/* check for final reduction */
+		/* now the only way we are over is if the top 4 words are all ones */
+		if ((r3a == MP_DIGIT_MAX) && (r2b == MP_DIGIT_MAX)
+			&& (r2a == MP_DIGIT_MAX) && (r1b == MP_DIGIT_MAX) &&
+			 ((r1a != 0) || (r0b != 0) || (r0a != 0)) ) {
+			/* one last subraction */
+			MP_SUB_BORROW(r0a, 1, r0a, 0,     carry);
+			MP_SUB_BORROW(r0b, 0, r0b, carry, carry);
+			MP_SUB_BORROW(r1a, 0, r1a, carry, carry);
+			r1b = r2a = r2b = r3a = 0;
+		}
+
+
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r, 7));
+		}
+		/* set the lower words of r */
+		MP_SIGN(r) = MP_ZPOS;
+		MP_USED(r) = 7;
+		MP_DIGIT(r, 6) = r3a;
+		MP_DIGIT(r, 5) = r2b;
+		MP_DIGIT(r, 4) = r2a;
+		MP_DIGIT(r, 3) = r1b;
+		MP_DIGIT(r, 2) = r1a;
+		MP_DIGIT(r, 1) = r0b;
+		MP_DIGIT(r, 0) = r0a;
+#else
+		/* copy out upper words of a */
+		switch (a_used) {
+		case 7:
+			a6 = MP_DIGIT(a, 6);
+			a6b = a6 >> 32;
+			a6a_a5b = a6 << 32;
+		case 6:
+			a5 = MP_DIGIT(a, 5);
+			a5b = a5 >> 32;
+			a6a_a5b |= a5b;
+			a5b = a5b << 32;
+			a5a_a4b = a5 << 32;
+			a5a = a5 & 0xffffffff;
+		case 5:
+			a4 = MP_DIGIT(a, 4);
+			a5a_a4b |= a4 >> 32;
+			a4a_a3b = a4 << 32;
+		case 4:
+			a3b = MP_DIGIT(a, 3) >> 32;
+			a4a_a3b |= a3b;
+			a3b = a3b << 32;
+		}
+
+		r3 = MP_DIGIT(a, 3) & 0xffffffff;
+		r2 = MP_DIGIT(a, 2);
+		r1 = MP_DIGIT(a, 1);
+		r0 = MP_DIGIT(a, 0);
+
+		/* implement r = (a3a,a2,a1,a0)
+			+(a5a, a4,a3b,  0)
+			+(  0, a6,a5b,  0)
+			-(  0	 0,    0|a6b, a6a|a5b )
+			-(  a6b, a6a|a5b, a5a|a4b, a4a|a3b ) */
+		MP_ADD_CARRY (r1, a3b, r1, 0,     carry);
+		MP_ADD_CARRY (r2, a4 , r2, carry, carry);
+		MP_ADD_CARRY (r3, a5a, r3, carry, carry);
+		MP_ADD_CARRY (r1, a5b, r1, 0,     carry);
+		MP_ADD_CARRY (r2, a6 , r2, carry, carry);
+		MP_ADD_CARRY (r3,   0, r3, carry, carry);
+
+		MP_SUB_BORROW(r0, a4a_a3b, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a5a_a4b, r1, carry, carry);
+		MP_SUB_BORROW(r2, a6a_a5b, r2, carry, carry);
+		MP_SUB_BORROW(r3, a6b    , r3, carry, carry);
+		MP_SUB_BORROW(r0, a6a_a5b, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a6b    , r1, carry, carry);
+		if (carry) {
+			MP_SUB_BORROW(r2, 0, r2, carry, carry);
+			MP_SUB_BORROW(r3, 0, r3, carry, carry);
+		}
+
+
+		/* if the value is negative, r3 has a 2's complement 
+		 * high value */
+		r3b = (int)(r3 >>32);
+		while (r3b > 0) {
+			r3 &= 0xffffffff;
+			MP_ADD_CARRY(r1,((mp_digit)r3b) << 32, r1, 0, carry);
+			if (carry) {
+				MP_ADD_CARRY(r2,  0, r2, carry, carry);
+				MP_ADD_CARRY(r3,  0, r3, carry, carry);
+			}
+			MP_SUB_BORROW(r0, r3b, r0, 0, carry);
+			if (carry) {
+				MP_SUB_BORROW(r1, 0, r1, carry, carry);
+				MP_SUB_BORROW(r2, 0, r2, carry, carry);
+				MP_SUB_BORROW(r3, 0, r3, carry, carry);
+			}
+			r3b = (int)(r3 >>32);
+		}
+
+		while (r3b < 0) {
+                	MP_ADD_CARRY (r0, 1, r0, 0,     carry);
+                	MP_ADD_CARRY (r1, MP_DIGIT_MAX <<32, r1, carry, carry);
+                	MP_ADD_CARRY (r2, MP_DIGIT_MAX, r2, carry, carry);
+                	MP_ADD_CARRY (r3, MP_DIGIT_MAX >> 32, r3, carry, carry);
+			r3b = (int)(r3 >>32);
+		}
+		/* check for final reduction */
+		/* now the only way we are over is if the top 4 words are all ones */
+		if ((r3 == (MP_DIGIT_MAX >> 32)) && (r2 == MP_DIGIT_MAX)
+			&& ((r1 & MP_DIGIT_MAX << 32)== MP_DIGIT_MAX << 32) &&
+			 ((r1 != MP_DIGIT_MAX << 32 ) || (r0 != 0)) ) {
+			/* one last subraction */
+			MP_SUB_BORROW(r0, 1, r0, 0,     carry);
+			MP_SUB_BORROW(r1, 0, r1, carry, carry);
+			r2 = r3 = 0;
+		}
+
+
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r, 4));
+		}
+		/* set the lower words of r */
+		MP_SIGN(r) = MP_ZPOS;
+		MP_USED(r) = 4;
+		MP_DIGIT(r, 3) = r3;
+		MP_DIGIT(r, 2) = r2;
+		MP_DIGIT(r, 1) = r1;
+		MP_DIGIT(r, 0) = r0;
+#endif
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Compute the square of polynomial a, reduce modulo p224. Store the
+ * result in r.  r could be a.  Uses optimized modular reduction for p224. 
+ */
+mp_err
+ec_GFp_nistp224_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_sqr(a, r));
+	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p224.
+ * Store the result in r.  r could be a or b; a could be b.  Uses
+ * optimized modular reduction for p224. */
+mp_err
+ec_GFp_nistp224_mul(const mp_int *a, const mp_int *b, mp_int *r,
+					const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Divides two field elements. If a is NULL, then returns the inverse of
+ * b. */
+mp_err
+ec_GFp_nistp224_div(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_int t;
+
+	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
+	if (a == NULL) {
+		return  mp_invmod(b, &meth->irr, r);
+	} else {
+		/* MPI doesn't support divmod, so we implement it using invmod and 
+		 * mulmod. */
+		MP_CHECKOK(mp_init(&t));
+		MP_CHECKOK(mp_invmod(b, &meth->irr, &t));
+		MP_CHECKOK(mp_mul(a, &t, r));
+		MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
+	  CLEANUP:
+		mp_clear(&t);
+		return res;
+	}
+}
+
+/* Wire in fast field arithmetic and precomputation of base point for
+ * named curves. */
+mp_err
+ec_group_set_gfp224(ECGroup *group, ECCurveName name)
+{
+	if (name == ECCurve_NIST_P224) {
+		group->meth->field_mod = &ec_GFp_nistp224_mod;
+		group->meth->field_mul = &ec_GFp_nistp224_mul;
+		group->meth->field_sqr = &ec_GFp_nistp224_sqr;
+		group->meth->field_div = &ec_GFp_nistp224_div;
+	}
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_256.c b/security/nss/lib/freebl/ecl/ecp_256.c
new file mode 100644
index 000000000..15d29ab6e
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_256.c
@@ -0,0 +1,429 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Fast modular reduction for p256 = 2^256 - 2^224 + 2^192+ 2^96 - 1.  a can be r. 
+ * Uses algorithm 2.29 from Hankerson, Menezes, Vanstone. Guide to 
+ * Elliptic Curve Cryptography. */
+mp_err
+ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_size a_used = MP_USED(a);
+	int a_bits = mpl_significant_bits(a);
+	mp_digit carry;
+
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit a8=0, a9=0, a10=0, a11=0, a12=0, a13=0, a14=0, a15=0;
+	mp_digit r0, r1, r2, r3, r4, r5, r6, r7;
+	int r8; /* must be a signed value ! */
+#else
+	mp_digit a4=0, a5=0, a6=0, a7=0;
+	mp_digit a4h, a4l, a5h, a5l, a6h, a6l, a7h, a7l;
+	mp_digit r0, r1, r2, r3;
+	int r4; /* must be a signed value ! */
+#endif
+	/* for polynomials larger than twice the field size 
+	 * use regular reduction */
+	if (a_bits < 256) {
+		if (a == r) return MP_OKAY;
+		return mp_copy(a,r);
+	}
+	if (a_bits > 512)  {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+
+#ifdef ECL_THIRTY_TWO_BIT
+		switch (a_used) {
+		case 16:
+			a15 = MP_DIGIT(a,15);
+		case 15:
+			a14 = MP_DIGIT(a,14);
+		case 14:
+			a13 = MP_DIGIT(a,13);
+		case 13:
+			a12 = MP_DIGIT(a,12);
+		case 12:
+			a11 = MP_DIGIT(a,11);
+		case 11:
+			a10 = MP_DIGIT(a,10);
+		case 10:
+			a9 = MP_DIGIT(a,9);
+		case 9:
+			a8 = MP_DIGIT(a,8);
+		}
+
+		r0 = MP_DIGIT(a,0);
+		r1 = MP_DIGIT(a,1);
+		r2 = MP_DIGIT(a,2);
+		r3 = MP_DIGIT(a,3);
+		r4 = MP_DIGIT(a,4);
+		r5 = MP_DIGIT(a,5);
+		r6 = MP_DIGIT(a,6);
+		r7 = MP_DIGIT(a,7);
+
+		/* sum 1 */
+		MP_ADD_CARRY(r3, a11, r3, 0,     carry);
+		MP_ADD_CARRY(r4, a12, r4, carry, carry);
+		MP_ADD_CARRY(r5, a13, r5, carry, carry);
+		MP_ADD_CARRY(r6, a14, r6, carry, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry, carry);
+		r8 = carry;
+		MP_ADD_CARRY(r3, a11, r3, 0,     carry);
+		MP_ADD_CARRY(r4, a12, r4, carry, carry);
+		MP_ADD_CARRY(r5, a13, r5, carry, carry);
+		MP_ADD_CARRY(r6, a14, r6, carry, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry, carry);
+		r8 += carry;
+		/* sum 2 */
+		MP_ADD_CARRY(r3, a12, r3, 0,     carry);
+		MP_ADD_CARRY(r4, a13, r4, carry, carry);
+		MP_ADD_CARRY(r5, a14, r5, carry, carry);
+		MP_ADD_CARRY(r6, a15, r6, carry, carry);
+		MP_ADD_CARRY(r7,   0, r7, carry, carry);
+		r8 += carry;
+		/* combine last bottom of sum 3 with second sum 2 */
+		MP_ADD_CARRY(r0, a8,  r0, 0,     carry);
+		MP_ADD_CARRY(r1, a9,  r1, carry, carry);
+		MP_ADD_CARRY(r2, a10, r2, carry, carry);
+		MP_ADD_CARRY(r3, a12, r3, carry, carry);
+		MP_ADD_CARRY(r4, a13, r4, carry, carry);
+		MP_ADD_CARRY(r5, a14, r5, carry, carry);
+		MP_ADD_CARRY(r6, a15, r6, carry, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry, carry); /* from sum 3 */
+		r8 += carry;
+		/* sum 3 (rest of it)*/
+		MP_ADD_CARRY(r6, a14, r6, 0,     carry);
+		MP_ADD_CARRY(r7,   0, r7, carry, carry);
+		r8 += carry;
+		/* sum 4 (rest of it)*/
+		MP_ADD_CARRY(r0, a9,  r0, 0,     carry);
+		MP_ADD_CARRY(r1, a10, r1, carry, carry);
+		MP_ADD_CARRY(r2, a11, r2, carry, carry);
+		MP_ADD_CARRY(r3, a13, r3, carry, carry);
+		MP_ADD_CARRY(r4, a14, r4, carry, carry);
+		MP_ADD_CARRY(r5, a15, r5, carry, carry);
+		MP_ADD_CARRY(r6, a13, r6, carry, carry);
+		MP_ADD_CARRY(r7, a8,  r7, carry, carry);
+		r8 += carry;
+		/* diff 5 */
+		MP_SUB_BORROW(r0, a11, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a12, r1, carry, carry);
+		MP_SUB_BORROW(r2, a13, r2, carry, carry);
+		MP_SUB_BORROW(r3,   0, r3, carry, carry);
+		MP_SUB_BORROW(r4,   0, r4, carry, carry);
+		MP_SUB_BORROW(r5,   0, r5, carry, carry);
+		MP_SUB_BORROW(r6, a8,  r6, carry, carry);
+		MP_SUB_BORROW(r7, a10, r7, carry, carry);
+		r8 -= carry;
+		/* diff 6 */
+		MP_SUB_BORROW(r0, a12, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a13, r1, carry, carry);
+		MP_SUB_BORROW(r2, a14, r2, carry, carry);
+		MP_SUB_BORROW(r3, a15, r3, carry, carry);
+		MP_SUB_BORROW(r4,   0, r4, carry, carry);
+		MP_SUB_BORROW(r5,   0, r5, carry, carry);
+		MP_SUB_BORROW(r6, a9,  r6, carry, carry);
+		MP_SUB_BORROW(r7, a11, r7, carry, carry);
+		r8 -= carry;
+		/* diff 7 */
+		MP_SUB_BORROW(r0, a13, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a14, r1, carry, carry);
+		MP_SUB_BORROW(r2, a15, r2, carry, carry);
+		MP_SUB_BORROW(r3, a8,  r3, carry, carry);
+		MP_SUB_BORROW(r4, a9,  r4, carry, carry);
+		MP_SUB_BORROW(r5, a10, r5, carry, carry);
+		MP_SUB_BORROW(r6, 0,   r6, carry, carry);
+		MP_SUB_BORROW(r7, a12, r7, carry, carry);
+		r8 -= carry;
+		/* diff 8 */
+		MP_SUB_BORROW(r0, a14, r0, 0,     carry);
+		MP_SUB_BORROW(r1, a15, r1, carry, carry);
+		MP_SUB_BORROW(r2, 0,   r2, carry, carry);
+		MP_SUB_BORROW(r3, a9,  r3, carry, carry);
+		MP_SUB_BORROW(r4, a10, r4, carry, carry);
+		MP_SUB_BORROW(r5, a11, r5, carry, carry);
+		MP_SUB_BORROW(r6, 0,   r6, carry, carry);
+		MP_SUB_BORROW(r7, a13, r7, carry, carry);
+		r8 -= carry;
+
+		/* reduce the overflows */
+		while (r8 > 0) {
+			mp_digit r8_d = r8;
+			MP_ADD_CARRY(r0, r8_d,         r0, 0,     carry);
+			MP_ADD_CARRY(r1, 0,            r1, carry, carry);
+			MP_ADD_CARRY(r2, 0,            r2, carry, carry);
+			MP_ADD_CARRY(r3, -r8_d,        r3, carry, carry);
+			MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry, carry);
+			MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry, carry);
+			MP_ADD_CARRY(r6, -(r8_d+1),    r6, carry, carry);
+			MP_ADD_CARRY(r7, (r8_d-1),     r7, carry, carry);
+			r8 = carry;
+		}
+
+		/* reduce the underflows */
+		while (r8 < 0) {
+			mp_digit r8_d = -r8;
+			MP_SUB_BORROW(r0, r8_d,         r0, 0,     carry);
+			MP_SUB_BORROW(r1, 0,            r1, carry, carry);
+			MP_SUB_BORROW(r2, 0,            r2, carry, carry);
+			MP_SUB_BORROW(r3, -r8_d,        r3, carry, carry);
+			MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry, carry);
+			MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry, carry);
+			MP_SUB_BORROW(r6, -(r8_d+1),    r6, carry, carry);
+			MP_SUB_BORROW(r7, (r8_d-1),     r7, carry, carry);
+			r8 = -carry;
+		}
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r,8));
+		}
+		MP_SIGN(r) = MP_ZPOS;
+		MP_USED(r) = 8;
+
+		MP_DIGIT(r,7) = r7;
+		MP_DIGIT(r,6) = r6;
+		MP_DIGIT(r,5) = r5;
+		MP_DIGIT(r,4) = r4;
+		MP_DIGIT(r,3) = r3;
+		MP_DIGIT(r,2) = r2;
+		MP_DIGIT(r,1) = r1;
+		MP_DIGIT(r,0) = r0;
+
+		/* final reduction if necessary */
+		if ((r7 == MP_DIGIT_MAX) &&
+			((r6 > 1) || ((r6 == 1) &&
+			(r5 || r4 || r3 || 
+				((r2 == MP_DIGIT_MAX) && (r1 == MP_DIGIT_MAX)
+				  && (r0 == MP_DIGIT_MAX)))))) {
+			MP_CHECKOK(mp_sub(r, &meth->irr, r));
+		}
+#ifdef notdef
+			
+
+		/* smooth the negatives */
+		while (MP_SIGN(r) != MP_ZPOS) {
+			MP_CHECKOK(mp_add(r, &meth->irr, r));
+		}
+		while (MP_USED(r) > 8) {
+			MP_CHECKOK(mp_sub(r, &meth->irr, r));
+		}
+
+		/* final reduction if necessary */
+		if (MP_DIGIT(r,7) >= MP_DIGIT(&meth->irr,7)) {
+		    if (mp_cmp(r,&meth->irr) != MP_LT) {
+			MP_CHECKOK(mp_sub(r, &meth->irr, r));
+		    }
+		}
+#endif
+		s_mp_clamp(r);
+#else
+		switch (a_used) {
+		case 8:
+			a7 = MP_DIGIT(a,7);
+		case 7:
+			a6 = MP_DIGIT(a,6);
+		case 6:
+			a5 = MP_DIGIT(a,5);
+		case 5:
+			a4 = MP_DIGIT(a,4);
+		}
+		a7l = a7 << 32;
+		a7h = a7 >> 32;
+		a6l = a6 << 32;
+		a6h = a6 >> 32;
+		a5l = a5 << 32;
+		a5h = a5 >> 32;
+		a4l = a4 << 32;
+		a4h = a4 >> 32;
+		r3 = MP_DIGIT(a,3);
+		r2 = MP_DIGIT(a,2);
+		r1 = MP_DIGIT(a,1);
+		r0 = MP_DIGIT(a,0);
+
+		/* sum 1 */
+		MP_ADD_CARRY(r1, a5h << 32, r1, 0,     carry);
+		MP_ADD_CARRY(r2, a6,        r2, carry, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
+		r4 = carry;
+		MP_ADD_CARRY(r1, a5h << 32, r1, 0,     carry);
+		MP_ADD_CARRY(r2, a6,        r2, carry, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
+		r4 += carry;
+		/* sum 2 */
+		MP_ADD_CARRY(r1, a6l,       r1, 0,     carry);
+		MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry);
+		MP_ADD_CARRY(r3, a7h,       r3, carry, carry);
+		r4 += carry;
+		MP_ADD_CARRY(r1, a6l,       r1, 0,     carry);
+		MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry);
+		MP_ADD_CARRY(r3, a7h,       r3, carry, carry);
+		r4 += carry;
+
+		/* sum 3 */
+		MP_ADD_CARRY(r0, a4,        r0, 0,     carry);
+		MP_ADD_CARRY(r1, a5l >> 32, r1, carry, carry);
+		MP_ADD_CARRY(r2, 0,         r2, carry, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
+		r4 += carry;
+		/* sum 4 */
+		MP_ADD_CARRY(r0, a4h | a5l,     r0, 0,     carry);
+		MP_ADD_CARRY(r1, a5h|(a6h<<32), r1, carry, carry);
+		MP_ADD_CARRY(r2, a7,            r2, carry, carry);
+		MP_ADD_CARRY(r3, a6h | a4l,     r3, carry, carry);
+		r4 += carry;
+		/* diff 5 */
+		MP_SUB_BORROW(r0, a5h | a6l,    r0, 0,     carry);
+		MP_SUB_BORROW(r1, a6h,          r1, carry, carry);
+		MP_SUB_BORROW(r2, 0,            r2, carry, carry);
+		MP_SUB_BORROW(r3, (a4l>>32)|a5l,r3, carry, carry);
+		r4 -= carry;
+		/* diff 6 */
+		MP_SUB_BORROW(r0, a6,  		r0, 0,     carry);
+		MP_SUB_BORROW(r1, a7,           r1, carry, carry);
+		MP_SUB_BORROW(r2, 0,            r2, carry, carry);
+		MP_SUB_BORROW(r3, a4h|(a5h<<32),r3, carry, carry);
+		r4 -= carry;
+		/* diff 7 */
+		MP_SUB_BORROW(r0, a6h|a7l,	r0, 0,     carry);
+		MP_SUB_BORROW(r1, a7h|a4l,      r1, carry, carry);
+		MP_SUB_BORROW(r2, a4h|a5l,      r2, carry, carry);
+		MP_SUB_BORROW(r3, a6l,          r3, carry, carry);
+		r4 -= carry;
+		/* diff 8 */
+		MP_SUB_BORROW(r0, a7,	        r0, 0,     carry);
+		MP_SUB_BORROW(r1, a4h<<32,      r1, carry, carry);
+		MP_SUB_BORROW(r2, a5,           r2, carry, carry);
+		MP_SUB_BORROW(r3, a6h<<32,      r3, carry, carry);
+		r4 -= carry;
+
+		/* reduce the overflows */
+		while (r4 > 0) {
+			mp_digit r4_long = r4;
+			mp_digit r4l = (r4_long << 32);
+			MP_ADD_CARRY(r0, r4_long,      r0, 0,     carry);
+			MP_ADD_CARRY(r1, -r4l,         r1, carry, carry);
+			MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry, carry);
+			MP_ADD_CARRY(r3, r4l-r4_long-1,r3, carry, carry);
+			r4 = carry;
+		}
+
+		/* reduce the underflows */
+		while (r4 < 0) {
+			mp_digit r4_long = -r4;
+			mp_digit r4l = (r4_long << 32);
+			MP_SUB_BORROW(r0, r4_long,      r0, 0,     carry);
+			MP_SUB_BORROW(r1, -r4l,         r1, carry, carry);
+			MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry, carry);
+			MP_SUB_BORROW(r3, r4l-r4_long-1,r3, carry, carry);
+			r4 = -carry;
+		}
+
+		if (a != r) {
+			MP_CHECKOK(s_mp_pad(r,4));
+		}
+		MP_SIGN(r) = MP_ZPOS;
+		MP_USED(r) = 4;
+
+		MP_DIGIT(r,3) = r3;
+		MP_DIGIT(r,2) = r2;
+		MP_DIGIT(r,1) = r1;
+		MP_DIGIT(r,0) = r0;
+
+		/* final reduction if necessary */
+		if ((r3 > 0xFFFFFFFF00000001ULL) ||
+			((r3 == 0xFFFFFFFF00000001ULL) && 
+			(r2 || (r1 >> 32)|| 
+			       (r1 == 0xFFFFFFFFULL && r0 == MP_DIGIT_MAX)))) {
+			/* very rare, just use mp_sub */
+			MP_CHECKOK(mp_sub(r, &meth->irr, r));
+		}
+			
+		s_mp_clamp(r);
+#endif
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Compute the square of polynomial a, reduce modulo p256. Store the
+ * result in r.  r could be a.  Uses optimized modular reduction for p256. 
+ */
+mp_err
+ec_GFp_nistp256_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_sqr(a, r));
+	MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p256.
+ * Store the result in r.  r could be a or b; a could be b.  Uses
+ * optimized modular reduction for p256. */
+mp_err
+ec_GFp_nistp256_mul(const mp_int *a, const mp_int *b, mp_int *r,
+					const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(ec_GFp_nistp256_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Wire in fast field arithmetic and precomputation of base point for
+ * named curves. */
+mp_err
+ec_group_set_gfp256(ECGroup *group, ECCurveName name)
+{
+	if (name == ECCurve_NIST_P256) {
+		group->meth->field_mod = &ec_GFp_nistp256_mod;
+		group->meth->field_mul = &ec_GFp_nistp256_mul;
+		group->meth->field_sqr = &ec_GFp_nistp256_sqr;
+	}
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_384.c b/security/nss/lib/freebl/ecl/ecp_384.c
new file mode 100644
index 000000000..4ad4137d2
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_384.c
@@ -0,0 +1,293 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+/* Fast modular reduction for p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1.  a can be r. 
+ * Uses algorithm 2.30 from Hankerson, Menezes, Vanstone. Guide to 
+ * Elliptic Curve Cryptography. */
+mp_err
+ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	int a_bits = mpl_significant_bits(a);
+	int i;
+
+	/* m1, m2 are statically-allocated mp_int of exactly the size we need */
+	mp_int m[10];
+
+#ifdef ECL_THIRTY_TWO_BIT
+	mp_digit s[10][12];
+	for (i = 0; i < 10; i++) {
+		MP_SIGN(&m[i]) = MP_ZPOS;
+		MP_ALLOC(&m[i]) = 12;
+		MP_USED(&m[i]) = 12;
+		MP_DIGITS(&m[i]) = s[i];
+	}
+#else
+	mp_digit s[10][6];
+	for (i = 0; i < 10; i++) {
+		MP_SIGN(&m[i]) = MP_ZPOS;
+		MP_ALLOC(&m[i]) = 6;
+		MP_USED(&m[i]) = 6;
+		MP_DIGITS(&m[i]) = s[i];
+	}
+#endif
+
+#ifdef ECL_THIRTY_TWO_BIT
+	/* for polynomials larger than twice the field size or polynomials 
+	 * not using all words, use regular reduction */
+	if ((a_bits > 768) || (a_bits <= 736)) {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+		for (i = 0; i < 12; i++) {
+			s[0][i] = MP_DIGIT(a, i);
+		}
+		s[1][0] = 0;
+		s[1][1] = 0;
+		s[1][2] = 0;
+		s[1][3] = 0;
+		s[1][4] = MP_DIGIT(a, 21);
+		s[1][5] = MP_DIGIT(a, 22);
+		s[1][6] = MP_DIGIT(a, 23);
+		s[1][7] = 0;
+		s[1][8] = 0;
+		s[1][9] = 0;
+		s[1][10] = 0;
+		s[1][11] = 0;
+		for (i = 0; i < 12; i++) {
+			s[2][i] = MP_DIGIT(a, i+12);
+		}
+		s[3][0] = MP_DIGIT(a, 21);
+		s[3][1] = MP_DIGIT(a, 22);
+		s[3][2] = MP_DIGIT(a, 23);
+		for (i = 3; i < 12; i++) {
+			s[3][i] = MP_DIGIT(a, i+9);
+		}
+		s[4][0] = 0;
+		s[4][1] = MP_DIGIT(a, 23);
+		s[4][2] = 0;
+		s[4][3] = MP_DIGIT(a, 20);
+		for (i = 4; i < 12; i++) {
+			s[4][i] = MP_DIGIT(a, i+8);
+		}
+		s[5][0] = 0;
+		s[5][1] = 0;
+		s[5][2] = 0;
+		s[5][3] = 0;
+		s[5][4] = MP_DIGIT(a, 20);
+		s[5][5] = MP_DIGIT(a, 21);
+		s[5][6] = MP_DIGIT(a, 22);
+		s[5][7] = MP_DIGIT(a, 23);
+		s[5][8] = 0;
+		s[5][9] = 0;
+		s[5][10] = 0;
+		s[5][11] = 0;
+		s[6][0] = MP_DIGIT(a, 20);
+		s[6][1] = 0;
+		s[6][2] = 0;
+		s[6][3] = MP_DIGIT(a, 21);
+		s[6][4] = MP_DIGIT(a, 22);
+		s[6][5] = MP_DIGIT(a, 23);
+		s[6][6] = 0;
+		s[6][7] = 0;
+		s[6][8] = 0;
+		s[6][9] = 0;
+		s[6][10] = 0;
+		s[6][11] = 0;
+		s[7][0] = MP_DIGIT(a, 23);
+		for (i = 1; i < 12; i++) {
+			s[7][i] = MP_DIGIT(a, i+11);
+		}
+		s[8][0] = 0;
+		s[8][1] = MP_DIGIT(a, 20);
+		s[8][2] = MP_DIGIT(a, 21);
+		s[8][3] = MP_DIGIT(a, 22);
+		s[8][4] = MP_DIGIT(a, 23);
+		s[8][5] = 0;
+		s[8][6] = 0;
+		s[8][7] = 0;
+		s[8][8] = 0;
+		s[8][9] = 0;
+		s[8][10] = 0;
+		s[8][11] = 0;
+		s[9][0] = 0;
+		s[9][1] = 0;
+		s[9][2] = 0;
+		s[9][3] = MP_DIGIT(a, 23);
+		s[9][4] = MP_DIGIT(a, 23);
+		s[9][5] = 0;
+		s[9][6] = 0;
+		s[9][7] = 0;
+		s[9][8] = 0;
+		s[9][9] = 0;
+		s[9][10] = 0;
+		s[9][11] = 0;
+
+		MP_CHECKOK(mp_add(&m[0], &m[1], r));
+		MP_CHECKOK(mp_add(r, &m[1], r));
+		MP_CHECKOK(mp_add(r, &m[2], r));
+		MP_CHECKOK(mp_add(r, &m[3], r));
+		MP_CHECKOK(mp_add(r, &m[4], r));
+		MP_CHECKOK(mp_add(r, &m[5], r));
+		MP_CHECKOK(mp_add(r, &m[6], r));
+		MP_CHECKOK(mp_sub(r, &m[7], r));
+		MP_CHECKOK(mp_sub(r, &m[8], r));
+		MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r));
+		s_mp_clamp(r);
+	}
+#else
+	/* for polynomials larger than twice the field size or polynomials 
+	 * not using all words, use regular reduction */
+	if ((a_bits > 768) || (a_bits <= 736)) {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+		for (i = 0; i < 6; i++) {
+			s[0][i] = MP_DIGIT(a, i);
+		}
+		s[1][0] = 0;
+		s[1][1] = 0;
+		s[1][2] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32);
+		s[1][3] = MP_DIGIT(a, 11) >> 32;
+		s[1][4] = 0;
+		s[1][5] = 0;
+		for (i = 0; i < 6; i++) {
+			s[2][i] = MP_DIGIT(a, i+6);
+		}
+		s[3][0] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32);
+		s[3][1] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32);
+		for (i = 2; i < 6; i++) {
+			s[3][i] = (MP_DIGIT(a, i+4) >> 32) | (MP_DIGIT(a, i+5) << 32);
+		}
+		s[4][0] = (MP_DIGIT(a, 11) >> 32) << 32;
+		s[4][1] = MP_DIGIT(a, 10) << 32;
+		for (i = 2; i < 6; i++) {
+			s[4][i] = MP_DIGIT(a, i+4);
+		}
+		s[5][0] = 0;
+		s[5][1] = 0;
+		s[5][2] = MP_DIGIT(a, 10);
+		s[5][3] = MP_DIGIT(a, 11);
+		s[5][4] = 0;
+		s[5][5] = 0;
+		s[6][0] = (MP_DIGIT(a, 10) << 32) >> 32;
+		s[6][1] = (MP_DIGIT(a, 10) >> 32) << 32;
+		s[6][2] = MP_DIGIT(a, 11);
+		s[6][3] = 0;
+		s[6][4] = 0;
+		s[6][5] = 0;
+		s[7][0] = (MP_DIGIT(a, 11) >> 32) | (MP_DIGIT(a, 6) << 32);
+		for (i = 1; i < 6; i++) {
+			s[7][i] = (MP_DIGIT(a, i+5) >> 32) | (MP_DIGIT(a, i+6) << 32);
+		}
+		s[8][0] = MP_DIGIT(a, 10) << 32;
+		s[8][1] = (MP_DIGIT(a, 10) >> 32) | (MP_DIGIT(a, 11) << 32);
+		s[8][2] = MP_DIGIT(a, 11) >> 32;
+		s[8][3] = 0;
+		s[8][4] = 0;
+		s[8][5] = 0;
+		s[9][0] = 0;
+		s[9][1] = (MP_DIGIT(a, 11) >> 32) << 32;
+		s[9][2] = MP_DIGIT(a, 11) >> 32;
+		s[9][3] = 0;
+		s[9][4] = 0;
+		s[9][5] = 0;
+
+		MP_CHECKOK(mp_add(&m[0], &m[1], r));
+		MP_CHECKOK(mp_add(r, &m[1], r));
+		MP_CHECKOK(mp_add(r, &m[2], r));
+		MP_CHECKOK(mp_add(r, &m[3], r));
+		MP_CHECKOK(mp_add(r, &m[4], r));
+		MP_CHECKOK(mp_add(r, &m[5], r));
+		MP_CHECKOK(mp_add(r, &m[6], r));
+		MP_CHECKOK(mp_sub(r, &m[7], r));
+		MP_CHECKOK(mp_sub(r, &m[8], r));
+		MP_CHECKOK(mp_submod(r, &m[9], &meth->irr, r));
+		s_mp_clamp(r);
+	}
+#endif
+
+  CLEANUP:
+	return res;
+}
+
+/* Compute the square of polynomial a, reduce modulo p384. Store the
+ * result in r.  r could be a.  Uses optimized modular reduction for p384. 
+ */
+mp_err
+ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_sqr(a, r));
+	MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p384.
+ * Store the result in r.  r could be a or b; a could be b.  Uses
+ * optimized modular reduction for p384. */
+mp_err
+ec_GFp_nistp384_mul(const mp_int *a, const mp_int *b, mp_int *r,
+					const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(ec_GFp_nistp384_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Wire in fast field arithmetic and precomputation of base point for
+ * named curves. */
+mp_err
+ec_group_set_gfp384(ECGroup *group, ECCurveName name)
+{
+	if (name == ECCurve_NIST_P384) {
+		group->meth->field_mod = &ec_GFp_nistp384_mod;
+		group->meth->field_mul = &ec_GFp_nistp384_mul;
+		group->meth->field_sqr = &ec_GFp_nistp384_sqr;
+	}
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_521.c b/security/nss/lib/freebl/ecl/ecp_521.c
new file mode 100644
index 000000000..685d19b9f
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_521.c
@@ -0,0 +1,170 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include <stdlib.h>
+
+#define ECP521_DIGITS ECL_CURVE_DIGITS(521)
+
+/* Fast modular reduction for p521 = 2^521 - 1.  a can be r. Uses
+ * algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to 
+ * Elliptic Curve Cryptography. */
+mp_err
+ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	int a_bits = mpl_significant_bits(a);
+	int i;
+
+	/* m1, m2 are statically-allocated mp_int of exactly the size we need */
+	mp_int m1;
+
+	mp_digit s1[ECP521_DIGITS] = { 0 };
+
+	MP_SIGN(&m1) = MP_ZPOS;
+	MP_ALLOC(&m1) = ECP521_DIGITS;
+	MP_USED(&m1) = ECP521_DIGITS;
+	MP_DIGITS(&m1) = s1;
+
+	if (a_bits < 521) {
+		if (a==r) return MP_OKAY;
+		return mp_copy(a, r);
+	}
+	/* for polynomials larger than twice the field size or polynomials 
+	 * not using all words, use regular reduction */
+	if (a_bits > (521*2)) {
+		MP_CHECKOK(mp_mod(a, &meth->irr, r));
+	} else {
+#define FIRST_DIGIT (ECP521_DIGITS-1)
+		for (i = FIRST_DIGIT; i < MP_USED(a)-1; i++) {
+			s1[i-FIRST_DIGIT] = (MP_DIGIT(a, i) >> 9) 
+				| (MP_DIGIT(a, 1+i) << (MP_DIGIT_BIT-9));
+		}
+		s1[i-FIRST_DIGIT] = MP_DIGIT(a, i) >> 9;
+
+		if ( a != r ) {
+			MP_CHECKOK(s_mp_pad(r,ECP521_DIGITS));
+			for (i = 0; i < ECP521_DIGITS; i++) {
+				MP_DIGIT(r,i) = MP_DIGIT(a, i);
+			}
+		}
+		MP_USED(r) = ECP521_DIGITS;
+		MP_DIGIT(r,FIRST_DIGIT) &=  0x1FF;
+
+		MP_CHECKOK(s_mp_add(r, &m1));
+		if (MP_DIGIT(r, FIRST_DIGIT) & 0x200) {
+			MP_CHECKOK(s_mp_add_d(r,1));
+			MP_DIGIT(r,FIRST_DIGIT) &=  0x1FF;
+		}
+		s_mp_clamp(r);
+	}
+
+  CLEANUP:
+	return res;
+}
+
+/* Compute the square of polynomial a, reduce modulo p521. Store the
+ * result in r.  r could be a.  Uses optimized modular reduction for p521. 
+ */
+mp_err
+ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_sqr(a, r));
+	MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p521.
+ * Store the result in r.  r could be a or b; a could be b.  Uses
+ * optimized modular reduction for p521. */
+mp_err
+ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r,
+					const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth));
+  CLEANUP:
+	return res;
+}
+
+/* Divides two field elements. If a is NULL, then returns the inverse of
+ * b. */
+mp_err
+ec_GFp_nistp521_div(const mp_int *a, const mp_int *b, mp_int *r,
+		   const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+	mp_int t;
+
+	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
+	if (a == NULL) {
+		return mp_invmod(b, &meth->irr, r);
+	} else {
+		/* MPI doesn't support divmod, so we implement it using invmod and 
+		 * mulmod. */
+		MP_CHECKOK(mp_init(&t));
+		MP_CHECKOK(mp_invmod(b, &meth->irr, &t));
+		MP_CHECKOK(mp_mul(a, &t, r));
+		MP_CHECKOK(ec_GFp_nistp521_mod(r, r, meth));
+	  CLEANUP:
+		mp_clear(&t);
+		return res;
+	}
+}
+
+/* Wire in fast field arithmetic and precomputation of base point for
+ * named curves. */
+mp_err
+ec_group_set_gfp521(ECGroup *group, ECCurveName name)
+{
+	if (name == ECCurve_NIST_P521) {
+		group->meth->field_mod = &ec_GFp_nistp521_mod;
+		group->meth->field_mul = &ec_GFp_nistp521_mul;
+		group->meth->field_sqr = &ec_GFp_nistp521_sqr;
+		group->meth->field_div = &ec_GFp_nistp521_div;
+	}
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_aff.c b/security/nss/lib/freebl/ecl/ecp_aff.c
new file mode 100644
index 000000000..cda04ed22
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_aff.c
@@ -0,0 +1,357 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *   Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
+ *   Nils Larsch <nla@trustcenter.de>, and
+ *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mplogic.h"
+#include <stdlib.h>
+
+/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
+mp_err
+ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py)
+{
+
+	if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
+		return MP_YES;
+	} else {
+		return MP_NO;
+	}
+
+}
+
+/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
+mp_err
+ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py)
+{
+	mp_zero(px);
+	mp_zero(py);
+	return MP_OKAY;
+}
+
+/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P, 
+ * Q, and R can all be identical. Uses affine coordinates. Assumes input
+ * is already field-encoded using field_enc, and returns output that is
+ * still field-encoded. */
+mp_err
+ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
+				  const mp_int *qy, mp_int *rx, mp_int *ry,
+				  const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int lambda, temp, tempx, tempy;
+
+	MP_DIGITS(&lambda) = 0;
+	MP_DIGITS(&temp) = 0;
+	MP_DIGITS(&tempx) = 0;
+	MP_DIGITS(&tempy) = 0;
+	MP_CHECKOK(mp_init(&lambda));
+	MP_CHECKOK(mp_init(&temp));
+	MP_CHECKOK(mp_init(&tempx));
+	MP_CHECKOK(mp_init(&tempy));
+	/* if P = inf, then R = Q */
+	if (ec_GFp_pt_is_inf_aff(px, py) == 0) {
+		MP_CHECKOK(mp_copy(qx, rx));
+		MP_CHECKOK(mp_copy(qy, ry));
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* if Q = inf, then R = P */
+	if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* if px != qx, then lambda = (py-qy) / (px-qx) */
+	if (mp_cmp(px, qx) != 0) {
+		MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth));
+		MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_div(&tempy, &tempx, &lambda, group->meth));
+	} else {
+		/* if py != qy or qy = 0, then R = inf */
+		if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) {
+			mp_zero(rx);
+			mp_zero(ry);
+			res = MP_OKAY;
+			goto CLEANUP;
+		}
+		/* lambda = (3qx^2+a) / (2qy) */
+		MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth));
+		MP_CHECKOK(mp_set_int(&temp, 3));
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
+		}
+		MP_CHECKOK(group->meth->
+				   field_mul(&tempx, &temp, &tempx, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&tempx, &group->curvea, &tempx, group->meth));
+		MP_CHECKOK(mp_set_int(&temp, 2));
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
+		}
+		MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_div(&tempx, &tempy, &lambda, group->meth));
+	}
+	/* rx = lambda^2 - px - qx */
+	MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth));
+	/* ry = (x1-x2) * lambda - y1 */
+	MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_mul(&tempy, &lambda, &tempy, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth));
+	MP_CHECKOK(mp_copy(&tempx, rx));
+	MP_CHECKOK(mp_copy(&tempy, ry));
+
+  CLEANUP:
+	mp_clear(&lambda);
+	mp_clear(&temp);
+	mp_clear(&tempx);
+	mp_clear(&tempy);
+	return res;
+}
+
+/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
+ * identical. Uses affine coordinates. Assumes input is already
+ * field-encoded using field_enc, and returns output that is still
+ * field-encoded. */
+mp_err
+ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
+				  const mp_int *qy, mp_int *rx, mp_int *ry,
+				  const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int nqy;
+
+	MP_DIGITS(&nqy) = 0;
+	MP_CHECKOK(mp_init(&nqy));
+	/* nqy = -qy */
+	MP_CHECKOK(group->meth->field_neg(qy, &nqy, group->meth));
+	res = group->point_add(px, py, qx, &nqy, rx, ry, group);
+  CLEANUP:
+	mp_clear(&nqy);
+	return res;
+}
+
+/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
+ * affine coordinates. Assumes input is already field-encoded using
+ * field_enc, and returns output that is still field-encoded. */
+mp_err
+ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
+				  mp_int *ry, const ECGroup *group)
+{
+	return ec_GFp_pt_add_aff(px, py, px, py, rx, ry, group);
+}
+
+/* by default, this routine is unused and thus doesn't need to be compiled */
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and 
+ * R can be identical. Uses affine coordinates. Assumes input is already
+ * field-encoded using field_enc, and returns output that is still
+ * field-encoded. */
+mp_err
+ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
+				  mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int k, k3, qx, qy, sx, sy;
+	int b1, b3, i, l;
+
+	MP_DIGITS(&k) = 0;
+	MP_DIGITS(&k3) = 0;
+	MP_DIGITS(&qx) = 0;
+	MP_DIGITS(&qy) = 0;
+	MP_DIGITS(&sx) = 0;
+	MP_DIGITS(&sy) = 0;
+	MP_CHECKOK(mp_init(&k));
+	MP_CHECKOK(mp_init(&k3));
+	MP_CHECKOK(mp_init(&qx));
+	MP_CHECKOK(mp_init(&qy));
+	MP_CHECKOK(mp_init(&sx));
+	MP_CHECKOK(mp_init(&sy));
+
+	/* if n = 0 then r = inf */
+	if (mp_cmp_z(n) == 0) {
+		mp_zero(rx);
+		mp_zero(ry);
+		res = MP_OKAY;
+		goto CLEANUP;
+	}
+	/* Q = P, k = n */
+	MP_CHECKOK(mp_copy(px, &qx));
+	MP_CHECKOK(mp_copy(py, &qy));
+	MP_CHECKOK(mp_copy(n, &k));
+	/* if n < 0 then Q = -Q, k = -k */
+	if (mp_cmp_z(n) < 0) {
+		MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth));
+		MP_CHECKOK(mp_neg(&k, &k));
+	}
+#ifdef ECL_DEBUG				/* basic double and add method */
+	l = mpl_significant_bits(&k) - 1;
+	MP_CHECKOK(mp_copy(&qx, &sx));
+	MP_CHECKOK(mp_copy(&qy, &sy));
+	for (i = l - 1; i >= 0; i--) {
+		/* S = 2S */
+		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
+		/* if k_i = 1, then S = S + Q */
+		if (mpl_get_bit(&k, i) != 0) {
+			MP_CHECKOK(group->
+					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
+		}
+	}
+#else							/* double and add/subtract method from
+								 * standard */
+	/* k3 = 3 * k */
+	MP_CHECKOK(mp_set_int(&k3, 3));
+	MP_CHECKOK(mp_mul(&k, &k3, &k3));
+	/* S = Q */
+	MP_CHECKOK(mp_copy(&qx, &sx));
+	MP_CHECKOK(mp_copy(&qy, &sy));
+	/* l = index of high order bit in binary representation of 3*k */
+	l = mpl_significant_bits(&k3) - 1;
+	/* for i = l-1 downto 1 */
+	for (i = l - 1; i >= 1; i--) {
+		/* S = 2S */
+		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
+		b3 = MP_GET_BIT(&k3, i);
+		b1 = MP_GET_BIT(&k, i);
+		/* if k3_i = 1 and k_i = 0, then S = S + Q */
+		if ((b3 == 1) && (b1 == 0)) {
+			MP_CHECKOK(group->
+					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
+			/* if k3_i = 0 and k_i = 1, then S = S - Q */
+		} else if ((b3 == 0) && (b1 == 1)) {
+			MP_CHECKOK(group->
+					   point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
+		}
+	}
+#endif
+	/* output S */
+	MP_CHECKOK(mp_copy(&sx, rx));
+	MP_CHECKOK(mp_copy(&sy, ry));
+
+  CLEANUP:
+	mp_clear(&k);
+	mp_clear(&k3);
+	mp_clear(&qx);
+	mp_clear(&qy);
+	mp_clear(&sx);
+	mp_clear(&sy);
+	return res;
+}
+#endif
+
+/* Validates a point on a GFp curve. */
+mp_err 
+ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
+{
+	mp_err res = MP_NO;
+	mp_int accl, accr, tmp, pxt, pyt;
+
+	MP_DIGITS(&accl) = 0;
+	MP_DIGITS(&accr) = 0;
+	MP_DIGITS(&tmp) = 0;
+	MP_DIGITS(&pxt) = 0;
+	MP_DIGITS(&pyt) = 0;
+	MP_CHECKOK(mp_init(&accl));
+	MP_CHECKOK(mp_init(&accr));
+	MP_CHECKOK(mp_init(&tmp));
+	MP_CHECKOK(mp_init(&pxt));
+	MP_CHECKOK(mp_init(&pyt));
+
+    /* 1: Verify that publicValue is not the point at infinity */
+	if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 2: Verify that the coordinates of publicValue are elements 
+     *    of the field.
+     */
+	if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || 
+		(MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 3: Verify that publicValue is on the curve. */
+	if (group->meth->field_enc) {
+		group->meth->field_enc(px, &pxt, group->meth);
+		group->meth->field_enc(py, &pyt, group->meth);
+	} else {
+		mp_copy(px, &pxt);
+		mp_copy(py, &pyt);
+	}
+	/* left-hand side: y^2  */
+	MP_CHECKOK( group->meth->field_sqr(&pyt, &accl, group->meth) );
+	/* right-hand side: x^3 + a*x + b */
+	MP_CHECKOK( group->meth->field_sqr(&pxt, &tmp, group->meth) );
+	MP_CHECKOK( group->meth->field_mul(&pxt, &tmp, &accr, group->meth) );
+	MP_CHECKOK( group->meth->field_mul(&group->curvea, &pxt, &tmp, group->meth) );
+	MP_CHECKOK( group->meth->field_add(&tmp, &accr, &accr, group->meth) );
+	MP_CHECKOK( group->meth->field_add(&accr, &group->curveb, &accr, group->meth) );
+	/* check LHS - RHS == 0 */
+	MP_CHECKOK( group->meth->field_sub(&accl, &accr, &accr, group->meth) );
+	if (mp_cmp_z(&accr) != 0) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+    /* 4: Verify that the order of the curve times the publicValue
+     *    is the point at infinity.
+     */
+	MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+	if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	res = MP_YES;
+
+CLEANUP:
+	mp_clear(&accl);
+	mp_clear(&accr);
+	mp_clear(&tmp);
+	mp_clear(&pxt);
+	mp_clear(&pyt);
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp.c b/security/nss/lib/freebl/ecl/ecp_fp.c
new file mode 100644
index 000000000..9dcb7b073
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fp.c
@@ -0,0 +1,568 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves
+ * using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp_fp.h"
+#include "ecl-priv.h"
+#include <stdlib.h>
+
+/* Performs tidying on a short multi-precision floating point integer (the 
+ * lower group->numDoubles floats). */
+void
+ecfp_tidyShort(double *t, const EC_group_fp * group)
+{
+	group->ecfp_tidy(t, group->alpha, group);
+}
+
+/* Performs tidying on only the upper float digits of a multi-precision
+ * floating point integer, i.e. the digits beyond the regular length which 
+ * are removed in the reduction step. */
+void
+ecfp_tidyUpper(double *t, const EC_group_fp * group)
+{
+	group->ecfp_tidy(t + group->numDoubles,
+					 group->alpha + group->numDoubles, group);
+}
+
+/* Performs a "tidy" operation, which performs carrying, moving excess
+ * bits from one double to the next double, so that the precision of the
+ * doubles is reduced to the regular precision group->doubleBitSize. This
+ * might result in some float digits being negative. Alternative C version 
+ * for portability. */
+void
+ecfp_tidy(double *t, const double *alpha, const EC_group_fp * group)
+{
+	double q;
+	int i;
+
+	/* Do carrying */
+	for (i = 0; i < group->numDoubles - 1; i++) {
+		q = t[i] + alpha[i + 1];
+		q -= alpha[i + 1];
+		t[i] -= q;
+		t[i + 1] += q;
+
+		/* If we don't assume that truncation rounding is used, then q
+		 * might be 2^n bigger than expected (if it rounds up), then t[0]
+		 * could be negative and t[1] 2^n larger than expected. */
+	}
+}
+
+/* Performs a more mathematically precise "tidying" so that each term is
+ * positive.  This is slower than the regular tidying, and is used for
+ * conversion from floating point to integer. */
+void
+ecfp_positiveTidy(double *t, const EC_group_fp * group)
+{
+	double q;
+	int i;
+
+	/* Do carrying */
+	for (i = 0; i < group->numDoubles - 1; i++) {
+		/* Subtract beta to force rounding down */
+		q = t[i] - ecfp_beta[i + 1];
+		q += group->alpha[i + 1];
+		q -= group->alpha[i + 1];
+		t[i] -= q;
+		t[i + 1] += q;
+
+		/* Due to subtracting ecfp_beta, we should have each term a
+		 * non-negative int */
+		ECFP_ASSERT(t[i] / ecfp_exp[i] ==
+					(unsigned long long) (t[i] / ecfp_exp[i]));
+		ECFP_ASSERT(t[i] >= 0);
+	}
+}
+
+/* Converts from a floating point representation into an mp_int. Expects
+ * that d is already reduced. */
+void
+ecfp_fp2i(mp_int *mpout, double *d, const ECGroup *ecgroup)
+{
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+	unsigned short i16[(group->primeBitSize + 15) / 16];
+	double q = 1;
+
+#ifdef ECL_THIRTY_TWO_BIT
+	/* TEST uint32_t z = 0; */
+	unsigned int z = 0;
+#else
+	uint64_t z = 0;
+#endif
+	int zBits = 0;
+	int copiedBits = 0;
+	int i = 0;
+	int j = 0;
+
+	mp_digit *out;
+
+	/* Result should always be >= 0, so set sign accordingly */
+	MP_SIGN(mpout) = MP_ZPOS;
+
+	/* Tidy up so we're just dealing with positive numbers */
+	ecfp_positiveTidy(d, group);
+
+	/* We might need to do this reduction step more than once if the
+	 * reduction adds smaller terms which carry-over to cause another
+	 * reduction. However, this should happen very rarely, if ever,
+	 * depending on the elliptic curve. */
+	do {
+		/* Init loop data */
+		z = 0;
+		zBits = 0;
+		q = 1;
+		i = 0;
+		j = 0;
+		copiedBits = 0;
+
+		/* Might have to do a bit more reduction */
+		group->ecfp_singleReduce(d, group);
+
+		/* Grow the size of the mpint if it's too small */
+		s_mp_grow(mpout, group->numInts);
+		MP_USED(mpout) = group->numInts;
+		out = MP_DIGITS(mpout);
+
+		/* Convert double to 16 bit integers */
+		while (copiedBits < group->primeBitSize) {
+			if (zBits < 16) {
+				z += d[i] * q;
+				i++;
+				ECFP_ASSERT(i < (group->primeBitSize + 15) / 16);
+				zBits += group->doubleBitSize;
+			}
+			i16[j] = z;
+			j++;
+			z >>= 16;
+			zBits -= 16;
+			q *= ecfp_twom16;
+			copiedBits += 16;
+		}
+	} while (z != 0);
+
+	/* Convert 16 bit integers to mp_digit */
+#ifdef ECL_THIRTY_TWO_BIT
+	for (i = 0; i < (group->primeBitSize + 15) / 16; i += 2) {
+		*out = 0;
+		if (i + 1 < (group->primeBitSize + 15) / 16) {
+			*out = i16[i + 1];
+			*out <<= 16;
+		}
+		*out++ += i16[i];
+	}
+#else							/* 64 bit */
+	for (i = 0; i < (group->primeBitSize + 15) / 16; i += 4) {
+		*out = 0;
+		if (i + 3 < (group->primeBitSize + 15) / 16) {
+			*out = i16[i + 3];
+			*out <<= 16;
+		}
+		if (i + 2 < (group->primeBitSize + 15) / 16) {
+			*out += i16[i + 2];
+			*out <<= 16;
+		}
+		if (i + 1 < (group->primeBitSize + 15) / 16) {
+			*out += i16[i + 1];
+			*out <<= 16;
+		}
+		*out++ += i16[i];
+	}
+#endif
+
+	/* Perform final reduction.  mpout should already be the same number
+	 * of bits as p, but might not be less than p.  Make it so. Since
+	 * mpout has the same number of bits as p, and 2p has a larger bit
+	 * size, then mpout < 2p, so a single subtraction of p will suffice. */
+	if (mp_cmp(mpout, &ecgroup->meth->irr) >= 0) {
+		mp_sub(mpout, &ecgroup->meth->irr, mpout);
+	}
+
+	/* Shrink the size of the mp_int to the actual used size (required for 
+	 * mp_cmp_z == 0) */
+	out = MP_DIGITS(mpout);
+	for (i = group->numInts - 1; i > 0; i--) {
+		if (out[i] != 0)
+			break;
+	}
+	MP_USED(mpout) = i + 1;
+
+	/* Should be between 0 and p-1 */
+	ECFP_ASSERT(mp_cmp(mpout, &ecgroup->meth->irr) < 0);
+	ECFP_ASSERT(mp_cmp_z(mpout) >= 0);
+}
+
+/* Converts from an mpint into a floating point representation. */
+void
+ecfp_i2fp(double *out, const mp_int *x, const ECGroup *ecgroup)
+{
+	int i;
+	int j = 0;
+	int size;
+	double shift = 1;
+	mp_digit *in;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+#ifdef ECL_DEBUG
+	/* if debug mode, convert result back using ecfp_fp2i into cmp, then
+	 * compare to x. */
+	mp_int cmp;
+
+	MP_DIGITS(&cmp) = NULL;
+	mp_init(&cmp);
+#endif
+
+	ECFP_ASSERT(group != NULL);
+
+	/* init output to 0 (since we skip over some terms) */
+	for (i = 0; i < group->numDoubles; i++)
+		out[i] = 0;
+	i = 0;
+
+	size = MP_USED(x);
+	in = MP_DIGITS(x);
+
+	/* Copy from int into doubles */
+#ifdef ECL_THIRTY_TWO_BIT
+	while (j < size) {
+		while (group->doubleBitSize * (i + 1) <= 32 * j) {
+			i++;
+		}
+		ECFP_ASSERT(group->doubleBitSize * i <= 32 * j);
+		out[i] = in[j];
+		out[i] *= shift;
+		shift *= ecfp_two32;
+		j++;
+	}
+#else
+	while (j < size) {
+		while (group->doubleBitSize * (i + 1) <= 64 * j) {
+			i++;
+		}
+		ECFP_ASSERT(group->doubleBitSize * i <= 64 * j);
+		out[i] = (in[j] & 0x00000000FFFFFFFF) * shift;
+
+		while (group->doubleBitSize * (i + 1) <= 64 * j + 32) {
+			i++;
+		}
+		ECFP_ASSERT(24 * i <= 64 * j + 32);
+		out[i] = (in[j] & 0xFFFFFFFF00000000) * shift;
+
+		shift *= ecfp_two64;
+		j++;
+	}
+#endif
+	/* Realign bits to match double boundaries */
+	ecfp_tidyShort(out, group);
+
+#ifdef ECL_DEBUG
+	/* Convert result back to mp_int, compare to original */
+	ecfp_fp2i(&cmp, out, ecgroup);
+	ECFP_ASSERT(mp_cmp(&cmp, x) == 0);
+	mp_clear(&cmp);
+#endif
+}
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Elliptic curve points P and R can be
+ * identical.  Uses Jacobian coordinates. Uses 4-bit window method. */
+mp_err
+ec_GFp_point_mul_jac_4w_fp(const mp_int *n, const mp_int *px,
+						   const mp_int *py, mp_int *rx, mp_int *ry,
+						   const ECGroup *ecgroup)
+{
+	mp_err res = MP_OKAY;
+	ecfp_jac_pt precomp[16], r;
+	ecfp_aff_pt p;
+	EC_group_fp *group;
+
+	mp_int rz;
+	int i, ni, d;
+
+	ARGCHK(ecgroup != NULL, MP_BADARG);
+	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
+
+	group = (EC_group_fp *) ecgroup->extra1;
+	MP_DIGITS(&rz) = 0;
+	MP_CHECKOK(mp_init(&rz));
+
+	/* init p, da */
+	ecfp_i2fp(p.x, px, ecgroup);
+	ecfp_i2fp(p.y, py, ecgroup);
+	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
+
+	/* Do precomputation */
+	group->precompute_jac(precomp, &p, group);
+
+	/* Do main body of calculations */
+	d = (mpl_significant_bits(n) + 3) / 4;
+
+	/* R = inf */
+	for (i = 0; i < group->numDoubles; i++) {
+		r.z[i] = 0;
+	}
+
+	for (i = d - 1; i >= 0; i--) {
+		/* compute window ni */
+		ni = MP_GET_BIT(n, 4 * i + 3);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 2);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 1);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i);
+
+		/* R = 2^4 * R */
+		group->pt_dbl_jac(&r, &r, group);
+		group->pt_dbl_jac(&r, &r, group);
+		group->pt_dbl_jac(&r, &r, group);
+		group->pt_dbl_jac(&r, &r, group);
+
+		/* R = R + (ni * P) */
+		group->pt_add_jac(&r, &precomp[ni], &r, group);
+	}
+
+	/* Convert back to integer */
+	ecfp_fp2i(rx, r.x, ecgroup);
+	ecfp_fp2i(ry, r.y, ecgroup);
+	ecfp_fp2i(&rz, r.z, ecgroup);
+
+	/* convert result S to affine coordinates */
+	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, ecgroup));
+
+  CLEANUP:
+	mp_clear(&rz);
+	return res;
+}
+
+/* Uses mixed Jacobian-affine coordinates to perform a point
+ * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine
+ * coordinates (Jacobian coordinates for doubles and affine coordinates
+ * for additions; based on recommendation from Brown et al.). Not very
+ * time efficient but quite space efficient, no precomputation needed.
+ * group contains the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Elliptic curve points P and R can be
+ * identical. Performs calculations in floating point number format, since 
+ * this is faster than the integer operations on the ULTRASPARC III.
+ * Uses left-to-right binary method (double & add) (algorithm 9) for
+ * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes.
+ * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */
+mp_err
+ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py,
+					 mp_int *rx, mp_int *ry, const ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int sx, sy, sz;
+
+	ecfp_aff_pt p;
+	ecfp_jac_pt r;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	int i, l;
+
+	MP_DIGITS(&sx) = 0;
+	MP_DIGITS(&sy) = 0;
+	MP_DIGITS(&sz) = 0;
+	MP_CHECKOK(mp_init(&sx));
+	MP_CHECKOK(mp_init(&sy));
+	MP_CHECKOK(mp_init(&sz));
+
+	/* if n = 0 then r = inf */
+	if (mp_cmp_z(n) == 0) {
+		mp_zero(rx);
+		mp_zero(ry);
+		res = MP_OKAY;
+		goto CLEANUP;
+		/* if n < 0 then out of range error */
+	} else if (mp_cmp_z(n) < 0) {
+		res = MP_RANGE;
+		goto CLEANUP;
+	}
+
+	/* Convert from integer to floating point */
+	ecfp_i2fp(p.x, px, ecgroup);
+	ecfp_i2fp(p.y, py, ecgroup);
+	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
+
+	/* Init r to point at infinity */
+	for (i = 0; i < group->numDoubles; i++) {
+		r.z[i] = 0;
+	}
+
+	/* double and add method */
+	l = mpl_significant_bits(n) - 1;
+
+	for (i = l; i >= 0; i--) {
+		/* R = 2R */
+		group->pt_dbl_jac(&r, &r, group);
+
+		/* if n_i = 1, then R = R + Q */
+		if (MP_GET_BIT(n, i) != 0) {
+			group->pt_add_jac_aff(&r, &p, &r, group);
+		}
+	}
+
+	/* Convert from floating point to integer */
+	ecfp_fp2i(&sx, r.x, ecgroup);
+	ecfp_fp2i(&sy, r.y, ecgroup);
+	ecfp_fp2i(&sz, r.z, ecgroup);
+
+	/* convert result R to affine coordinates */
+	MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup));
+
+  CLEANUP:
+	mp_clear(&sx);
+	mp_clear(&sy);
+	mp_clear(&sz);
+	return res;
+}
+
+/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
+ * curve points P and R can be identical. Uses mixed Modified-Jacobian
+ * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
+ * additions. Uses 5-bit window NAF method (algorithm 11) for scalar-point 
+ * multiplication from Brown, Hankerson, Lopez, Menezes. Software
+ * Implementation of the NIST Elliptic Curves Over Prime Fields. */
+mp_err
+ec_GFp_point_mul_wNAF_fp(const mp_int *n, const mp_int *px,
+						 const mp_int *py, mp_int *rx, mp_int *ry,
+						 const ECGroup *ecgroup)
+{
+	mp_err res = MP_OKAY;
+	mp_int sx, sy, sz;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+	ecfp_chud_pt precomp[16];
+
+	ecfp_aff_pt p;
+	ecfp_jm_pt r;
+
+	signed char naf[group->orderBitSize + 1];
+	int i;
+
+	MP_DIGITS(&sx) = 0;
+	MP_DIGITS(&sy) = 0;
+	MP_DIGITS(&sz) = 0;
+	MP_CHECKOK(mp_init(&sx));
+	MP_CHECKOK(mp_init(&sy));
+	MP_CHECKOK(mp_init(&sz));
+
+	/* if n = 0 then r = inf */
+	if (mp_cmp_z(n) == 0) {
+		mp_zero(rx);
+		mp_zero(ry);
+		res = MP_OKAY;
+		goto CLEANUP;
+		/* if n < 0 then out of range error */
+	} else if (mp_cmp_z(n) < 0) {
+		res = MP_RANGE;
+		goto CLEANUP;
+	}
+
+	/* Convert from integer to floating point */
+	ecfp_i2fp(p.x, px, ecgroup);
+	ecfp_i2fp(p.y, py, ecgroup);
+	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
+
+	/* Perform precomputation */
+	group->precompute_chud(precomp, &p, group);
+
+	/* Compute 5NAF */
+	ec_compute_wNAF(naf, group->orderBitSize, n, 5);
+
+	/* Init R = pt at infinity */
+	for (i = 0; i < group->numDoubles; i++) {
+		r.z[i] = 0;
+	}
+
+	/* wNAF method */
+	for (i = group->orderBitSize; i >= 0; i--) {
+		/* R = 2R */
+		group->pt_dbl_jm(&r, &r, group);
+
+		if (naf[i] != 0) {
+			group->pt_add_jm_chud(&r, &precomp[(naf[i] + 15) / 2], &r,
+								  group);
+		}
+	}
+
+	/* Convert from floating point to integer */
+	ecfp_fp2i(&sx, r.x, ecgroup);
+	ecfp_fp2i(&sy, r.y, ecgroup);
+	ecfp_fp2i(&sz, r.z, ecgroup);
+
+	/* convert result R to affine coordinates */
+	MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup));
+
+  CLEANUP:
+	mp_clear(&sx);
+	mp_clear(&sy);
+	mp_clear(&sz);
+	return res;
+}
+
+/* Cleans up extra memory allocated in ECGroup for this implementation. */
+void
+ec_GFp_extra_free_fp(ECGroup *group)
+{
+	if (group->extra1 != NULL) {
+		free(group->extra1);
+		group->extra1 = NULL;
+	}
+}
+
+/* Tests what precision floating point arithmetic is set to. This should
+ * be either a 53-bit mantissa (IEEE standard) or a 64-bit mantissa
+ * (extended precision on x86) and sets it into the EC_group_fp. Returns
+ * either 53 or 64 accordingly. */
+int
+ec_set_fp_precision(EC_group_fp * group)
+{
+	double a = 9007199254740992.0;	/* 2^53 */
+	double b = a + 1;
+
+	if (a == b) {
+		group->fpPrecision = 53;
+		group->alpha = ecfp_alpha_53;
+		return 53;
+	}
+	group->fpPrecision = 64;
+	group->alpha = ecfp_alpha_64;
+	return 64;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp.h b/security/nss/lib/freebl/ecl/ecp_fp.h
new file mode 100644
index 000000000..8eedeb4be
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fp.h
@@ -0,0 +1,406 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __ecp_fp_h_
+#define __ecp_fp_h_
+
+#include "mpi.h"
+#include "ecl.h"
+#include "ecp.h"
+
+#include <sys/types.h>
+#include "mpi-priv.h"
+
+#ifdef ECL_DEBUG
+#include <assert.h>
+#endif
+
+/* Largest number of doubles to store one reduced number in floating
+ * point. Used for memory allocation on the stack. */
+#define ECFP_MAXDOUBLES 10
+
+/* For debugging purposes */
+#ifndef ECL_DEBUG
+#define ECFP_ASSERT(x)
+#else
+#define ECFP_ASSERT(x) assert(x)
+#endif
+
+/* ECFP_Ti = 2^(i*24) Define as preprocessor constants so we can use in
+ * multiple static constants */
+#define ECFP_T0 1.0
+#define ECFP_T1 16777216.0
+#define ECFP_T2 281474976710656.0
+#define ECFP_T3 4722366482869645213696.0
+#define ECFP_T4 79228162514264337593543950336.0
+#define ECFP_T5 1329227995784915872903807060280344576.0
+#define ECFP_T6 22300745198530623141535718272648361505980416.0
+#define ECFP_T7 374144419156711147060143317175368453031918731001856.0
+#define ECFP_T8 6277101735386680763835789423207666416102355444464034512896.0
+#define ECFP_T9 105312291668557186697918027683670432318895095400549111254310977536.0
+#define ECFP_T10  1766847064778384329583297500742918515827483896875618958121606201292619776.0
+#define ECFP_T11 29642774844752946028434172162224104410437116074403984394101141506025761187823616.0
+#define ECFP_T12 497323236409786642155382248146820840100456150797347717440463976893159497012533375533056.0
+#define ECFP_T13  8343699359066055009355553539724812947666814540455674882605631280555545803830627148527195652096.0
+#define ECFP_T14 139984046386112763159840142535527767382602843577165595931249318810236991948760059086304843329475444736.0
+#define ECFP_T15 2348542582773833227889480596789337027375682548908319870707290971532209025114608443463698998384768703031934976.0
+#define ECFP_T16 39402006196394479212279040100143613805079739270465446667948293404245\
+721771497210611414266254884915640806627990306816.0
+#define ECFP_T17 66105596879024859895191530803277103982840468296428121928464879527440\
+5791236311345825189210439715284847591212025023358304256.0
+#define ECFP_T18 11090678776483259438313656736572334813745748301503266300681918322458\
+485231222502492159897624416558312389564843845614287315896631296.0
+#define ECFP_T19 18607071341967536398062689481932916079453218833595342343206149099024\
+36577570298683715049089827234727835552055312041415509848580169253519\
+36.0
+
+#define ECFP_TWO160 1461501637330902918203684832716283019655932542976.0
+#define ECFP_TWO192 6277101735386680763835789423207666416102355444464034512896.0
+#define ECFP_TWO224 26959946667150639794667015087019630673637144422540572481103610249216.0
+
+/* Multiplicative constants */
+static const double ecfp_two32 = 4294967296.0;
+static const double ecfp_two64 = 18446744073709551616.0;
+static const double ecfp_twom16 = .0000152587890625;
+static const double ecfp_twom128 =
+	.00000000000000000000000000000000000000293873587705571876992184134305561419454666389193021880377187926569604314863681793212890625;
+static const double ecfp_twom129 =
+	.000000000000000000000000000000000000001469367938527859384960920671527807097273331945965109401885939632848021574318408966064453125;
+static const double ecfp_twom160 =
+	.0000000000000000000000000000000000000000000000006842277657836020854119773355907793609766904013068924666782559979930620520927053718196475529111921787261962890625;
+static const double ecfp_twom192 =
+	.000000000000000000000000000000000000000000000000000000000159309191113245227702888039776771180559110455519261878607388585338616290151305816094308987472018268594098344692611135542392730712890625;
+static const double ecfp_twom224 =
+	.00000000000000000000000000000000000000000000000000000000000000000003709206150687421385731735261547639513367564778757791002453039058917581340095629358997312082723208437536338919136001159027049567384892725385725498199462890625;
+
+/* ecfp_exp[i] = 2^(i*ECFP_DSIZE) */
+static const double ecfp_exp[2 * ECFP_MAXDOUBLES] = {
+	ECFP_T0, ECFP_T1, ECFP_T2, ECFP_T3, ECFP_T4, ECFP_T5,
+	ECFP_T6, ECFP_T7, ECFP_T8, ECFP_T9, ECFP_T10, ECFP_T11,
+	ECFP_T12, ECFP_T13, ECFP_T14, ECFP_T15, ECFP_T16, ECFP_T17, ECFP_T18,
+	ECFP_T19
+};
+
+/* 1.1 * 2^52 Uses 2^52 to truncate, the .1 is an extra 2^51 to protect
+ * the 2^52 bit, so that adding alphas to a negative number won't borrow
+ * and empty the important 2^52 bit */
+#define ECFP_ALPHABASE_53 6755399441055744.0
+/* Special case: On some platforms, notably x86 Linux, there is an
+ * extended-precision floating point representation with 64-bits of
+ * precision in the mantissa.  These extra bits of precision require a
+ * larger value of alpha to truncate, i.e. 1.1 * 2^63. */
+#define ECFP_ALPHABASE_64 13835058055282163712.0
+
+/* 
+ * ecfp_alpha[i] = 1.5 * 2^(52 + i*ECFP_DSIZE) we add and subtract alpha
+ * to truncate floating point numbers to a certain number of bits for
+ * tidying */
+static const double ecfp_alpha_53[2 * ECFP_MAXDOUBLES] = {
+	ECFP_ALPHABASE_53 * ECFP_T0,
+	ECFP_ALPHABASE_53 * ECFP_T1,
+	ECFP_ALPHABASE_53 * ECFP_T2,
+	ECFP_ALPHABASE_53 * ECFP_T3,
+	ECFP_ALPHABASE_53 * ECFP_T4,
+	ECFP_ALPHABASE_53 * ECFP_T5,
+	ECFP_ALPHABASE_53 * ECFP_T6,
+	ECFP_ALPHABASE_53 * ECFP_T7,
+	ECFP_ALPHABASE_53 * ECFP_T8,
+	ECFP_ALPHABASE_53 * ECFP_T9,
+	ECFP_ALPHABASE_53 * ECFP_T10,
+	ECFP_ALPHABASE_53 * ECFP_T11,
+	ECFP_ALPHABASE_53 * ECFP_T12,
+	ECFP_ALPHABASE_53 * ECFP_T13,
+	ECFP_ALPHABASE_53 * ECFP_T14,
+	ECFP_ALPHABASE_53 * ECFP_T15,
+	ECFP_ALPHABASE_53 * ECFP_T16,
+	ECFP_ALPHABASE_53 * ECFP_T17,
+	ECFP_ALPHABASE_53 * ECFP_T18,
+	ECFP_ALPHABASE_53 * ECFP_T19
+};
+
+/* 
+ * ecfp_alpha[i] = 1.5 * 2^(63 + i*ECFP_DSIZE) we add and subtract alpha
+ * to truncate floating point numbers to a certain number of bits for
+ * tidying */
+static const double ecfp_alpha_64[2 * ECFP_MAXDOUBLES] = {
+	ECFP_ALPHABASE_64 * ECFP_T0,
+	ECFP_ALPHABASE_64 * ECFP_T1,
+	ECFP_ALPHABASE_64 * ECFP_T2,
+	ECFP_ALPHABASE_64 * ECFP_T3,
+	ECFP_ALPHABASE_64 * ECFP_T4,
+	ECFP_ALPHABASE_64 * ECFP_T5,
+	ECFP_ALPHABASE_64 * ECFP_T6,
+	ECFP_ALPHABASE_64 * ECFP_T7,
+	ECFP_ALPHABASE_64 * ECFP_T8,
+	ECFP_ALPHABASE_64 * ECFP_T9,
+	ECFP_ALPHABASE_64 * ECFP_T10,
+	ECFP_ALPHABASE_64 * ECFP_T11,
+	ECFP_ALPHABASE_64 * ECFP_T12,
+	ECFP_ALPHABASE_64 * ECFP_T13,
+	ECFP_ALPHABASE_64 * ECFP_T14,
+	ECFP_ALPHABASE_64 * ECFP_T15,
+	ECFP_ALPHABASE_64 * ECFP_T16,
+	ECFP_ALPHABASE_64 * ECFP_T17,
+	ECFP_ALPHABASE_64 * ECFP_T18,
+	ECFP_ALPHABASE_64 * ECFP_T19
+};
+
+/* 0.011111111111111111111111 (binary) = 0.5 - 2^25 (24 ones) */
+#define ECFP_BETABASE 0.4999999701976776123046875
+
+/* 
+ * We subtract beta prior to using alpha to simulate rounding down. We
+ * make this close to 0.5 to round almost everything down, but exactly 0.5 
+ * would cause some incorrect rounding. */
+static const double ecfp_beta[2 * ECFP_MAXDOUBLES] = {
+	ECFP_BETABASE * ECFP_T0,
+	ECFP_BETABASE * ECFP_T1,
+	ECFP_BETABASE * ECFP_T2,
+	ECFP_BETABASE * ECFP_T3,
+	ECFP_BETABASE * ECFP_T4,
+	ECFP_BETABASE * ECFP_T5,
+	ECFP_BETABASE * ECFP_T6,
+	ECFP_BETABASE * ECFP_T7,
+	ECFP_BETABASE * ECFP_T8,
+	ECFP_BETABASE * ECFP_T9,
+	ECFP_BETABASE * ECFP_T10,
+	ECFP_BETABASE * ECFP_T11,
+	ECFP_BETABASE * ECFP_T12,
+	ECFP_BETABASE * ECFP_T13,
+	ECFP_BETABASE * ECFP_T14,
+	ECFP_BETABASE * ECFP_T15,
+	ECFP_BETABASE * ECFP_T16,
+	ECFP_BETABASE * ECFP_T17,
+	ECFP_BETABASE * ECFP_T18,
+	ECFP_BETABASE * ECFP_T19
+};
+
+static const double ecfp_beta_160 = ECFP_BETABASE * ECFP_TWO160;
+static const double ecfp_beta_192 = ECFP_BETABASE * ECFP_TWO192;
+static const double ecfp_beta_224 = ECFP_BETABASE * ECFP_TWO224;
+
+/* Affine EC Point. This is the basic representation (x, y) of an elliptic 
+ * curve point. */
+typedef struct {
+	double x[ECFP_MAXDOUBLES];
+	double y[ECFP_MAXDOUBLES];
+} ecfp_aff_pt;
+
+/* Jacobian EC Point. This coordinate system uses X = x/z^2, Y = y/z^3,
+ * which enables calculations with fewer inversions than affine
+ * coordinates. */
+typedef struct {
+	double x[ECFP_MAXDOUBLES];
+	double y[ECFP_MAXDOUBLES];
+	double z[ECFP_MAXDOUBLES];
+} ecfp_jac_pt;
+
+/* Chudnovsky Jacobian EC Point. This coordinate system is the same as
+ * Jacobian, except it keeps z^2, z^3 for faster additions. */
+typedef struct {
+	double x[ECFP_MAXDOUBLES];
+	double y[ECFP_MAXDOUBLES];
+	double z[ECFP_MAXDOUBLES];
+	double z2[ECFP_MAXDOUBLES];
+	double z3[ECFP_MAXDOUBLES];
+} ecfp_chud_pt;
+
+/* Modified Jacobian EC Point. This coordinate system is the same as
+ * Jacobian, except it keeps a*z^4 for faster doublings. */
+typedef struct {
+	double x[ECFP_MAXDOUBLES];
+	double y[ECFP_MAXDOUBLES];
+	double z[ECFP_MAXDOUBLES];
+	double az4[ECFP_MAXDOUBLES];
+} ecfp_jm_pt;
+
+struct EC_group_fp_str;
+
+typedef struct EC_group_fp_str EC_group_fp;
+struct EC_group_fp_str {
+	int fpPrecision;			/* Set to number of bits in mantissa, 53
+								 * or 64 */
+	int numDoubles;
+	int primeBitSize;
+	int orderBitSize;
+	int doubleBitSize;
+	int numInts;
+	int aIsM3;					/* True if curvea == -3 (mod p), then we
+								 * can optimize doubling */
+	double curvea[ECFP_MAXDOUBLES];
+	/* Used to truncate a double to the number of bits in the curve */
+	double bitSize_alpha;
+	/* Pointer to either ecfp_alpha_53 or ecfp_alpha_64 */
+	const double *alpha;
+
+	void (*ecfp_singleReduce) (double *r, const EC_group_fp * group);
+	void (*ecfp_reduce) (double *r, double *x, const EC_group_fp * group);
+	/* Performs a "tidy" operation, which performs carrying, moving excess 
+	 * bits from one double to the next double, so that the precision of
+	 * the doubles is reduced to the regular precision ECFP_DSIZE. This
+	 * might result in some float digits being negative. */
+	void (*ecfp_tidy) (double *t, const double *alpha,
+					   const EC_group_fp * group);
+	/* Perform a point addition using coordinate system Jacobian + Affine
+	 * -> Jacobian. Input and output should be multi-precision floating
+	 * point integers. */
+	void (*pt_add_jac_aff) (const ecfp_jac_pt * p, const ecfp_aff_pt * q,
+							ecfp_jac_pt * r, const EC_group_fp * group);
+	/* Perform a point doubling in Jacobian coordinates. Input and output
+	 * should be multi-precision floating point integers. */
+	void (*pt_dbl_jac) (const ecfp_jac_pt * dp, ecfp_jac_pt * dr,
+						const EC_group_fp * group);
+	/* Perform a point addition using Jacobian coordinate system. Input
+	 * and output should be multi-precision floating point integers. */
+	void (*pt_add_jac) (const ecfp_jac_pt * p, const ecfp_jac_pt * q,
+						ecfp_jac_pt * r, const EC_group_fp * group);
+	/* Perform a point doubling in Modified Jacobian coordinates. Input
+	 * and output should be multi-precision floating point integers. */
+	void (*pt_dbl_jm) (const ecfp_jm_pt * p, ecfp_jm_pt * r,
+					   const EC_group_fp * group);
+	/* Perform a point doubling using coordinates Affine -> Chudnovsky
+	 * Jacobian. Input and output should be multi-precision floating point 
+	 * integers. */
+	void (*pt_dbl_aff2chud) (const ecfp_aff_pt * p, ecfp_chud_pt * r,
+							 const EC_group_fp * group);
+	/* Perform a point addition using coordinates: Modified Jacobian +
+	 * Chudnovsky Jacobian -> Modified Jacobian. Input and output should
+	 * be multi-precision floating point integers. */
+	void (*pt_add_jm_chud) (ecfp_jm_pt * p, ecfp_chud_pt * q,
+							ecfp_jm_pt * r, const EC_group_fp * group);
+	/* Perform a point addition using Chudnovsky Jacobian coordinates.
+	 * Input and output should be multi-precision floating point integers. 
+	 */
+	void (*pt_add_chud) (const ecfp_chud_pt * p, const ecfp_chud_pt * q,
+						 ecfp_chud_pt * r, const EC_group_fp * group);
+	/* Expects out to be an array of size 16 of Chudnovsky Jacobian
+	 * points. Fills in Chudnovsky Jacobian form (x, y, z, z^2, z^3), for
+	 * -15P, -13P, -11P, -9P, -7P, -5P, -3P, -P, P, 3P, 5P, 7P, 9P, 11P,
+	 * 13P, 15P */
+	void (*precompute_chud) (ecfp_chud_pt * out, const ecfp_aff_pt * p,
+							 const EC_group_fp * group);
+	/* Expects out to be an array of size 16 of Jacobian points. Fills in
+	 * Chudnovsky Jacobian form (x, y, z), for O, P, 2P, ... 15P */
+	void (*precompute_jac) (ecfp_jac_pt * out, const ecfp_aff_pt * p,
+							const EC_group_fp * group);
+
+};
+
+/* Computes r = x*y.
+ * r must be different (point to different memory) than x and y.
+ * Does not tidy or reduce. */
+void ecfp_multiply(double *r, const double *x, const double *y);
+
+/* Performs a "tidy" operation, which performs carrying, moving excess
+ * bits from one double to the next double, so that the precision of the
+ * doubles is reduced to the regular precision group->doubleBitSize. This
+ * might result in some float digits being negative. */
+void ecfp_tidy(double *t, const double *alpha, const EC_group_fp * group);
+
+/* Performs tidying on only the upper float digits of a multi-precision
+ * floating point integer, i.e. the digits beyond the regular length which 
+ * are removed in the reduction step. */
+void ecfp_tidyUpper(double *t, const EC_group_fp * group);
+
+/* Performs tidying on a short multi-precision floating point integer (the 
+ * lower group->numDoubles floats). */
+void ecfp_tidyShort(double *t, const EC_group_fp * group);
+
+/* Performs a more mathematically precise "tidying" so that each term is
+ * positive.  This is slower than the regular tidying, and is used for
+ * conversion from floating point to integer. */
+void ecfp_positiveTidy(double *t, const EC_group_fp * group);
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Elliptic curve points P and R can be
+ * identical.  Uses mixed Jacobian-affine coordinates. Uses 4-bit window
+ * method. */
+mp_err
+ ec_GFp_point_mul_jac_4w_fp(const mp_int *n, const mp_int *px,
+							const mp_int *py, mp_int *rx, mp_int *ry,
+							const ECGroup *ecgroup);
+
+/* Computes R = nP where R is (rx, ry) and P is the base point. The
+ * parameters a, b and p are the elliptic curve coefficients and the prime 
+ * that determines the field GFp.  Elliptic curve points P and R can be
+ * identical.  Uses mixed Jacobian-affine coordinates (Jacobian
+ * coordinates for doubles and affine coordinates for additions; based on
+ * recommendation from Brown et al.). Uses window NAF method (algorithm
+ * 11) for scalar-point multiplication from Brown, Hankerson, Lopez,
+ * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime
+ * Fields. */
+mp_err ec_GFp_point_mul_wNAF_fp(const mp_int *n, const mp_int *px,
+								const mp_int *py, mp_int *rx, mp_int *ry,
+								const ECGroup *ecgroup);
+
+/* Uses mixed Jacobian-affine coordinates to perform a point
+ * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine
+ * coordinates (Jacobian coordinates for doubles and affine coordinates
+ * for additions; based on recommendation from Brown et al.). Not very
+ * time efficient but quite space efficient, no precomputation needed.
+ * group contains the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Elliptic curve points P and R can be
+ * identical. Performs calculations in floating point number format, since 
+ * this is faster than the integer operations on the ULTRASPARC III.
+ * Uses left-to-right binary method (double & add) (algorithm 9) for
+ * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes.
+ * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */
+mp_err
+ ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py,
+					  mp_int *rx, mp_int *ry, const ECGroup *ecgroup);
+
+/* Cleans up extra memory allocated in ECGroup for this implementation. */
+void ec_GFp_extra_free_fp(ECGroup *group);
+
+/* Converts from a floating point representation into an mp_int. Expects
+ * that d is already reduced. */
+void
+ ecfp_fp2i(mp_int *mpout, double *d, const ECGroup *ecgroup);
+
+/* Converts from an mpint into a floating point representation. */
+void
+ ecfp_i2fp(double *out, const mp_int *x, const ECGroup *ecgroup);
+
+/* Tests what precision floating point arithmetic is set to. This should
+ * be either a 53-bit mantissa (IEEE standard) or a 64-bit mantissa
+ * (extended precision on x86) and sets it into the EC_group_fp. Returns
+ * either 53 or 64 accordingly. */
+int ec_set_fp_precision(EC_group_fp * group);
+
+#endif
diff --git a/security/nss/lib/freebl/ecl/ecp_fp160.c b/security/nss/lib/freebl/ecl/ecp_fp160.c
new file mode 100644
index 000000000..8721579f2
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fp160.c
@@ -0,0 +1,179 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp_fp.h"
+#include <stdlib.h>
+
+#define ECFP_BSIZE 160
+#define ECFP_NUMDOUBLES 7
+
+#include "ecp_fpinc.c"
+
+/* Performs a single step of reduction, just on the uppermost float
+ * (assumes already tidied), and then retidies. Note, this does not
+ * guarantee that the result will be less than p, but truncates the number 
+ * of bits. */
+void
+ecfp160_singleReduce(double *d, const EC_group_fp * group)
+{
+	double q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 160);
+	ECFP_ASSERT(ECFP_NUMDOUBLES == 7);
+
+	q = d[ECFP_NUMDOUBLES - 1] - ecfp_beta_160;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	d[ECFP_NUMDOUBLES - 1] -= q;
+	d[0] += q * ecfp_twom160;
+	d[1] += q * ecfp_twom129;
+	ecfp_positiveTidy(d, group);
+
+	/* Assertions for the highest order term */
+	ECFP_ASSERT(d[ECFP_NUMDOUBLES - 1] / ecfp_exp[ECFP_NUMDOUBLES - 1] ==
+				(unsigned long long) (d[ECFP_NUMDOUBLES - 1] /
+									  ecfp_exp[ECFP_NUMDOUBLES - 1]));
+	ECFP_ASSERT(d[ECFP_NUMDOUBLES - 1] >= 0);
+}
+
+/* Performs imperfect reduction.  This might leave some negative terms,
+ * and one more reduction might be required for the result to be between 0 
+ * and p-1. x should not already be reduced, i.e. should have
+ * 2*ECFP_NUMDOUBLES significant terms. x and r can be the same, but then
+ * the upper parts of r are not zeroed */
+void
+ecfp160_reduce(double *r, double *x, const EC_group_fp * group)
+{
+
+	double x7, x8, q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 160);
+	ECFP_ASSERT(ECFP_NUMDOUBLES == 7);
+
+	/* Tidy just the upper bits, the lower bits can wait. */
+	ecfp_tidyUpper(x, group);
+
+	/* Assume that this is already tidied so that we have enough extra
+	 * bits */
+	x7 = x[7] + x[13] * ecfp_twom129;	/* adds bits 15-39 */
+
+	/* Tidy x7, or we won't have enough bits later to add it in */
+	q = x7 + group->alpha[8];
+	q -= group->alpha[8];
+	x7 -= q;					/* holds bits 0-24 */
+	x8 = x[8] + q;				/* holds bits 0-25 */
+
+	r[6] = x[6] + x[13] * ecfp_twom160 + x[12] * ecfp_twom129;	/* adds
+																 * bits
+																 * 8-39 */
+	r[5] = x[5] + x[12] * ecfp_twom160 + x[11] * ecfp_twom129;
+	r[4] = x[4] + x[11] * ecfp_twom160 + x[10] * ecfp_twom129;
+	r[3] = x[3] + x[10] * ecfp_twom160 + x[9] * ecfp_twom129;
+	r[2] = x[2] + x[9] * ecfp_twom160 + x8 * ecfp_twom129;	/* adds bits
+															 * 8-40 */
+	r[1] = x[1] + x8 * ecfp_twom160 + x7 * ecfp_twom129;	/* adds bits
+															 * 8-39 */
+	r[0] = x[0] + x7 * ecfp_twom160;
+
+	/* Tidy up just r[ECFP_NUMDOUBLES-2] so that the number of reductions
+	 * is accurate plus or minus one.  (Rather than tidy all to make it
+	 * totally accurate, which is more costly.) */
+	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
+	q -= group->alpha[ECFP_NUMDOUBLES - 1];
+	r[ECFP_NUMDOUBLES - 2] -= q;
+	r[ECFP_NUMDOUBLES - 1] += q;
+
+	/* Tidy up the excess bits on r[ECFP_NUMDOUBLES-1] using reduction */
+	/* Use ecfp_beta so we get a positive result */
+	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_160;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	r[ECFP_NUMDOUBLES - 1] -= q;
+	r[0] += q * ecfp_twom160;
+	r[1] += q * ecfp_twom129;
+
+	/* Tidy the result */
+	ecfp_tidyShort(r, group);
+}
+
+/* Sets group to use optimized calculations in this file */
+mp_err
+ec_group_set_secp160r1_fp(ECGroup *group)
+{
+
+	EC_group_fp *fpg = NULL;
+
+	/* Allocate memory for floating point group data */
+	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
+	if (fpg == NULL) {
+		return MP_MEM;
+	}
+
+	fpg->numDoubles = ECFP_NUMDOUBLES;
+	fpg->primeBitSize = ECFP_BSIZE;
+	fpg->orderBitSize = 161;
+	fpg->doubleBitSize = 24;
+	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
+	fpg->aIsM3 = 1;
+	fpg->ecfp_singleReduce = &ecfp160_singleReduce;
+	fpg->ecfp_reduce = &ecfp160_reduce;
+	fpg->ecfp_tidy = &ecfp_tidy;
+
+	fpg->pt_add_jac_aff = &ecfp160_pt_add_jac_aff;
+	fpg->pt_add_jac = &ecfp160_pt_add_jac;
+	fpg->pt_add_jm_chud = &ecfp160_pt_add_jm_chud;
+	fpg->pt_add_chud = &ecfp160_pt_add_chud;
+	fpg->pt_dbl_jac = &ecfp160_pt_dbl_jac;
+	fpg->pt_dbl_jm = &ecfp160_pt_dbl_jm;
+	fpg->pt_dbl_aff2chud = &ecfp160_pt_dbl_aff2chud;
+	fpg->precompute_chud = &ecfp160_precompute_chud;
+	fpg->precompute_jac = &ecfp160_precompute_jac;
+
+	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
+	group->points_mul = &ec_pts_mul_basic;
+	group->extra1 = fpg;
+	group->extra_free = &ec_GFp_extra_free_fp;
+
+	ec_set_fp_precision(fpg);
+	fpg->bitSize_alpha = ECFP_TWO160 * fpg->alpha[0];
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp192.c b/security/nss/lib/freebl/ecl/ecp_fp192.c
new file mode 100644
index 000000000..b5ee533e0
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fp192.c
@@ -0,0 +1,177 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp_fp.h"
+#include <stdlib.h>
+
+#define ECFP_BSIZE 192
+#define ECFP_NUMDOUBLES 8
+
+#include "ecp_fpinc.c"
+
+/* Performs a single step of reduction, just on the uppermost float
+ * (assumes already tidied), and then retidies. Note, this does not
+ * guarantee that the result will be less than p. */
+void
+ecfp192_singleReduce(double *d, const EC_group_fp * group)
+{
+	double q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 192);
+	ECFP_ASSERT(group->numDoubles == 8);
+
+	q = d[ECFP_NUMDOUBLES - 1] - ecfp_beta_192;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	d[ECFP_NUMDOUBLES - 1] -= q;
+	d[0] += q * ecfp_twom192;
+	d[2] += q * ecfp_twom128;
+	ecfp_positiveTidy(d, group);
+}
+
+/* 
+ * Performs imperfect reduction.  This might leave some negative terms,
+ * and one more reduction might be required for the result to be between 0 
+ * and p-1. x should be be an array of at least 16, and r at least 8 x and 
+ * r can be the same, but then the upper parts of r are not zeroed */
+void
+ecfp_reduce_192(double *r, double *x, const EC_group_fp * group)
+{
+	double x8, x9, x10, q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 192);
+	ECFP_ASSERT(group->numDoubles == 8);
+
+	/* Tidy just the upper portion, the lower part can wait */
+	ecfp_tidyUpper(x, group);
+
+	x8 = x[8] + x[14] * ecfp_twom128;	/* adds bits 16-40 */
+	x9 = x[9] + x[15] * ecfp_twom128;	/* adds bits 16-40 */
+
+	/* Tidy up, or we won't have enough bits later to add it in */
+
+	q = x8 + group->alpha[9];
+	q -= group->alpha[9];
+	x8 -= q;
+	x9 += q;
+
+	q = x9 + group->alpha[10];
+	q -= group->alpha[10];
+	x9 -= q;
+	x10 = x[10] + q;
+
+	r[7] = x[7] + x[15] * ecfp_twom192 + x[13] * ecfp_twom128;	/* adds
+																 * bits
+																 * 0-40 */
+	r[6] = x[6] + x[14] * ecfp_twom192 + x[12] * ecfp_twom128;
+	r[5] = x[5] + x[13] * ecfp_twom192 + x[11] * ecfp_twom128;
+	r[4] = x[4] + x[12] * ecfp_twom192 + x10 * ecfp_twom128;
+	r[3] = x[3] + x[11] * ecfp_twom192 + x9 * ecfp_twom128;	/* adds bits
+															 * 0-40 */
+	r[2] = x[2] + x10 * ecfp_twom192 + x8 * ecfp_twom128;
+	r[1] = x[1] + x9 * ecfp_twom192;	/* adds bits 16-40 */
+	r[0] = x[0] + x8 * ecfp_twom192;
+
+	/* 
+	 * Tidy up just r[group->numDoubles-2] so that the number of
+	 * reductions is accurate plus or minus one.  (Rather than tidy all to 
+	 * make it totally accurate) */
+	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
+	q -= group->alpha[ECFP_NUMDOUBLES - 1];
+	r[ECFP_NUMDOUBLES - 2] -= q;
+	r[ECFP_NUMDOUBLES - 1] += q;
+
+	/* Tidy up the excess bits on r[group->numDoubles-1] using reduction */
+	/* Use ecfp_beta so we get a positive res */
+	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_192;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	r[ECFP_NUMDOUBLES - 1] -= q;
+	r[0] += q * ecfp_twom192;
+	r[2] += q * ecfp_twom128;
+
+	/* Tidy the result */
+	ecfp_tidyShort(r, group);
+}
+
+/* Sets group to use optimized calculations in this file */
+mp_err
+ec_group_set_nistp192_fp(ECGroup *group)
+{
+	EC_group_fp *fpg;
+
+	/* Allocate memory for floating point group data */
+	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
+	if (fpg == NULL) {
+		return MP_MEM;
+	}
+
+	fpg->numDoubles = ECFP_NUMDOUBLES;
+	fpg->primeBitSize = ECFP_BSIZE;
+	fpg->orderBitSize = 192;
+	fpg->doubleBitSize = 24;
+	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
+	fpg->aIsM3 = 1;
+	fpg->ecfp_singleReduce = &ecfp192_singleReduce;
+	fpg->ecfp_reduce = &ecfp_reduce_192;
+	fpg->ecfp_tidy = &ecfp_tidy;
+
+	fpg->pt_add_jac_aff = &ecfp192_pt_add_jac_aff;
+	fpg->pt_add_jac = &ecfp192_pt_add_jac;
+	fpg->pt_add_jm_chud = &ecfp192_pt_add_jm_chud;
+	fpg->pt_add_chud = &ecfp192_pt_add_chud;
+	fpg->pt_dbl_jac = &ecfp192_pt_dbl_jac;
+	fpg->pt_dbl_jm = &ecfp192_pt_dbl_jm;
+	fpg->pt_dbl_aff2chud = &ecfp192_pt_dbl_aff2chud;
+	fpg->precompute_chud = &ecfp192_precompute_chud;
+	fpg->precompute_jac = &ecfp192_precompute_jac;
+
+	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
+	group->points_mul = &ec_pts_mul_basic;
+	group->extra1 = fpg;
+	group->extra_free = &ec_GFp_extra_free_fp;
+
+	ec_set_fp_precision(fpg);
+	fpg->bitSize_alpha = ECFP_TWO192 * fpg->alpha[0];
+
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp224.c b/security/nss/lib/freebl/ecl/ecp_fp224.c
new file mode 100644
index 000000000..e1ee536cc
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fp224.c
@@ -0,0 +1,190 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp_fp.h"
+#include <stdlib.h>
+
+#define ECFP_BSIZE 224
+#define ECFP_NUMDOUBLES 10
+
+#include "ecp_fpinc.c"
+
+/* Performs a single step of reduction, just on the uppermost float
+ * (assumes already tidied), and then retidies. Note, this does not
+ * guarantee that the result will be less than p. */
+void
+ecfp224_singleReduce(double *r, const EC_group_fp * group)
+{
+	double q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 224);
+	ECFP_ASSERT(group->numDoubles == 10);
+
+	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_224;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	r[ECFP_NUMDOUBLES - 1] -= q;
+	r[0] -= q * ecfp_twom224;
+	r[4] += q * ecfp_twom128;
+
+	ecfp_positiveTidy(r, group);
+}
+
+/* 
+ * Performs imperfect reduction.  This might leave some negative terms,
+ * and one more reduction might be required for the result to be between 0 
+ * and p-1. x should be be an array of at least 20, and r at least 10 x
+ * and r can be the same, but then the upper parts of r are not zeroed */
+void
+ecfp224_reduce(double *r, double *x, const EC_group_fp * group)
+{
+
+	double x10, x11, x12, x13, x14, q;
+
+	ECFP_ASSERT(group->doubleBitSize == 24);
+	ECFP_ASSERT(group->primeBitSize == 224);
+	ECFP_ASSERT(group->numDoubles == 10);
+
+	/* Tidy just the upper bits of x.  Don't need to tidy the lower ones
+	 * yet. */
+	ecfp_tidyUpper(x, group);
+
+	x10 = x[10] + x[16] * ecfp_twom128;
+	x11 = x[11] + x[17] * ecfp_twom128;
+	x12 = x[12] + x[18] * ecfp_twom128;
+	x13 = x[13] + x[19] * ecfp_twom128;
+
+	/* Tidy up, or we won't have enough bits later to add it in */
+	q = x10 + group->alpha[11];
+	q -= group->alpha[11];
+	x10 -= q;
+	x11 = x11 + q;
+
+	q = x11 + group->alpha[12];
+	q -= group->alpha[12];
+	x11 -= q;
+	x12 = x12 + q;
+
+	q = x12 + group->alpha[13];
+	q -= group->alpha[13];
+	x12 -= q;
+	x13 = x13 + q;
+
+	q = x13 + group->alpha[14];
+	q -= group->alpha[14];
+	x13 -= q;
+	x14 = x[14] + q;
+
+	r[9] = x[9] + x[15] * ecfp_twom128 - x[19] * ecfp_twom224;
+	r[8] = x[8] + x14 * ecfp_twom128 - x[18] * ecfp_twom224;
+	r[7] = x[7] + x13 * ecfp_twom128 - x[17] * ecfp_twom224;
+	r[6] = x[6] + x12 * ecfp_twom128 - x[16] * ecfp_twom224;
+	r[5] = x[5] + x11 * ecfp_twom128 - x[15] * ecfp_twom224;
+	r[4] = x[4] + x10 * ecfp_twom128 - x14 * ecfp_twom224;
+	r[3] = x[3] - x13 * ecfp_twom224;
+	r[2] = x[2] - x12 * ecfp_twom224;
+	r[1] = x[1] - x11 * ecfp_twom224;
+	r[0] = x[0] - x10 * ecfp_twom224;
+
+	/* 
+	 * Tidy up just r[ECFP_NUMDOUBLES-2] so that the number of reductions
+	 * is accurate plus or minus one.  (Rather than tidy all to make it
+	 * totally accurate) */
+	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
+	q -= group->alpha[ECFP_NUMDOUBLES - 1];
+	r[ECFP_NUMDOUBLES - 2] -= q;
+	r[ECFP_NUMDOUBLES - 1] += q;
+
+	/* Tidy up the excess bits on r[ECFP_NUMDOUBLES-1] using reduction */
+	/* Use ecfp_beta so we get a positive res */
+	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_224;
+	q += group->bitSize_alpha;
+	q -= group->bitSize_alpha;
+
+	r[ECFP_NUMDOUBLES - 1] -= q;
+	r[0] -= q * ecfp_twom224;
+	r[4] += q * ecfp_twom128;
+
+	ecfp_tidyShort(r, group);
+}
+
+/* Sets group to use optimized calculations in this file */
+mp_err
+ec_group_set_nistp224_fp(ECGroup *group)
+{
+
+	EC_group_fp *fpg;
+
+	/* Allocate memory for floating point group data */
+	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
+	if (fpg == NULL) {
+		return MP_MEM;
+	}
+
+	fpg->numDoubles = ECFP_NUMDOUBLES;
+	fpg->primeBitSize = ECFP_BSIZE;
+	fpg->orderBitSize = 224;
+	fpg->doubleBitSize = 24;
+	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
+	fpg->aIsM3 = 1;
+	fpg->ecfp_singleReduce = &ecfp224_singleReduce;
+	fpg->ecfp_reduce = &ecfp224_reduce;
+	fpg->ecfp_tidy = &ecfp_tidy;
+
+	fpg->pt_add_jac_aff = &ecfp224_pt_add_jac_aff;
+	fpg->pt_add_jac = &ecfp224_pt_add_jac;
+	fpg->pt_add_jm_chud = &ecfp224_pt_add_jm_chud;
+	fpg->pt_add_chud = &ecfp224_pt_add_chud;
+	fpg->pt_dbl_jac = &ecfp224_pt_dbl_jac;
+	fpg->pt_dbl_jm = &ecfp224_pt_dbl_jm;
+	fpg->pt_dbl_aff2chud = &ecfp224_pt_dbl_aff2chud;
+	fpg->precompute_chud = &ecfp224_precompute_chud;
+	fpg->precompute_jac = &ecfp224_precompute_jac;
+
+	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
+	group->points_mul = &ec_pts_mul_basic;
+	group->extra1 = fpg;
+	group->extra_free = &ec_GFp_extra_free_fp;
+
+	ec_set_fp_precision(fpg);
+	fpg->bitSize_alpha = ECFP_TWO224 * fpg->alpha[0];
+
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_fpinc.c b/security/nss/lib/freebl/ecl/ecp_fpinc.c
new file mode 100644
index 000000000..61b16ff28
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_fpinc.c
@@ -0,0 +1,855 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* This source file is meant to be included by other source files
+ * (ecp_fp###.c, where ### is one of 160, 192, 224) and should not
+ * constitute an independent compilation unit. It requires the following
+ * preprocessor definitions be made: ECFP_BSIZE - the number of bits in
+ * the field's prime 
+ * ECFP_NUMDOUBLES - the number of doubles to store one
+ * multi-precision integer in floating point 
+
+/* Adds a prefix to a given token to give a unique token name. Prefixes
+ * with "ecfp" + ECFP_BSIZE + "_". e.g. if ECFP_BSIZE = 160, then
+ * PREFIX(hello) = ecfp160_hello This optimization allows static function
+ * linking and compiler loop unrolling without code duplication. */
+#ifndef PREFIX
+#define PREFIX(b) PREFIX1(ECFP_BSIZE, b)
+#define PREFIX1(bsize, b) PREFIX2(bsize, b)
+#define PREFIX2(bsize, b) ecfp ## bsize ## _ ## b
+#endif
+
+/* Returns true iff every double in d is 0. (If d == 0 and it is tidied,
+ * this will be true.) */
+mp_err PREFIX(isZero) (const double *d) {
+	int i;
+
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		if (d[i] != 0)
+			return MP_NO;
+	}
+	return MP_YES;
+}
+
+/* Sets the multi-precision floating point number at t = 0 */
+void PREFIX(zero) (double *t) {
+	int i;
+
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		t[i] = 0;
+	}
+}
+
+/* Sets the multi-precision floating point number at t = 1 */
+void PREFIX(one) (double *t) {
+	int i;
+
+	t[0] = 1;
+	for (i = 1; i < ECFP_NUMDOUBLES; i++) {
+		t[i] = 0;
+	}
+}
+
+/* Checks if point P(x, y, z) is at infinity. Uses Jacobian coordinates. */
+mp_err PREFIX(pt_is_inf_jac) (const ecfp_jac_pt * p) {
+	return PREFIX(isZero) (p->z);
+}
+
+/* Sets the Jacobian point P to be at infinity. */
+void PREFIX(set_pt_inf_jac) (ecfp_jac_pt * p) {
+	PREFIX(zero) (p->z);
+}
+
+/* Checks if point P(x, y) is at infinity. Uses Affine coordinates. */
+mp_err PREFIX(pt_is_inf_aff) (const ecfp_aff_pt * p) {
+	if (PREFIX(isZero) (p->x) == MP_YES && PREFIX(isZero) (p->y) == MP_YES)
+		return MP_YES;
+	return MP_NO;
+}
+
+/* Sets the affine point P to be at infinity. */
+void PREFIX(set_pt_inf_aff) (ecfp_aff_pt * p) {
+	PREFIX(zero) (p->x);
+	PREFIX(zero) (p->y);
+}
+
+/* Checks if point P(x, y, z, a*z^4) is at infinity. Uses Modified
+ * Jacobian coordinates. */
+mp_err PREFIX(pt_is_inf_jm) (const ecfp_jm_pt * p) {
+	return PREFIX(isZero) (p->z);
+}
+
+/* Sets the Modified Jacobian point P to be at infinity. */
+void PREFIX(set_pt_inf_jm) (ecfp_jm_pt * p) {
+	PREFIX(zero) (p->z);
+}
+
+/* Checks if point P(x, y, z, z^2, z^3) is at infinity. Uses Chudnovsky
+ * Jacobian coordinates */
+mp_err PREFIX(pt_is_inf_chud) (const ecfp_chud_pt * p) {
+	return PREFIX(isZero) (p->z);
+}
+
+/* Sets the Chudnovsky Jacobian point P to be at infinity. */
+void PREFIX(set_pt_inf_chud) (ecfp_chud_pt * p) {
+	PREFIX(zero) (p->z);
+}
+
+/* Copies a multi-precision floating point number, Setting dest = src */
+void PREFIX(copy) (double *dest, const double *src) {
+	int i;
+
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		dest[i] = src[i];
+	}
+}
+
+/* Sets dest = -src */
+void PREFIX(negLong) (double *dest, const double *src) {
+	int i;
+
+	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
+		dest[i] = -src[i];
+	}
+}
+
+/* Sets r = -p p = (x, y, z, z2, z3) r = (x, -y, z, z2, z3) Uses
+ * Chudnovsky Jacobian coordinates. */
+/* TODO reverse order */
+void PREFIX(pt_neg_chud) (const ecfp_chud_pt * p, ecfp_chud_pt * r) {
+	int i;
+
+	PREFIX(copy) (r->x, p->x);
+	PREFIX(copy) (r->z, p->z);
+	PREFIX(copy) (r->z2, p->z2);
+	PREFIX(copy) (r->z3, p->z3);
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		r->y[i] = -p->y[i];
+	}
+}
+
+/* Computes r = x + y. Does not tidy or reduce. Any combinations of r, x,
+ * y can point to the same data. Componentwise adds first ECFP_NUMDOUBLES
+ * doubles of x and y and stores the result in r. */
+void PREFIX(addShort) (double *r, const double *x, const double *y) {
+	int i;
+
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		*r++ = *x++ + *y++;
+	}
+}
+
+/* Computes r = x + y. Does not tidy or reduce. Any combinations of r, x,
+ * y can point to the same data. Componentwise adds first
+ * 2*ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
+void PREFIX(addLong) (double *r, const double *x, const double *y) {
+	int i;
+
+	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
+		*r++ = *x++ + *y++;
+	}
+}
+
+/* Computes r = x - y. Does not tidy or reduce. Any combinations of r, x,
+ * y can point to the same data. Componentwise subtracts first
+ * ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
+void PREFIX(subtractShort) (double *r, const double *x, const double *y) {
+	int i;
+
+	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
+		*r++ = *x++ - *y++;
+	}
+}
+
+/* Computes r = x - y. Does not tidy or reduce. Any combinations of r, x,
+ * y can point to the same data. Componentwise subtracts first
+ * 2*ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
+void PREFIX(subtractLong) (double *r, const double *x, const double *y) {
+	int i;
+
+	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
+		*r++ = *x++ - *y++;
+	}
+}
+
+/* Computes r = x*y.  Both x and y should be tidied and reduced,
+ * r must be different (point to different memory) than x and y.
+ * Does not tidy or reduce. */
+void PREFIX(multiply)(double *r, const double *x, const double *y) {
+	int i, j;
+
+	for(j=0;j<ECFP_NUMDOUBLES-1;j++) {
+		r[j] = x[0] * y[j];
+		r[j+(ECFP_NUMDOUBLES-1)] = x[ECFP_NUMDOUBLES-1] * y[j];
+	}
+	r[ECFP_NUMDOUBLES-1] = x[0] * y[ECFP_NUMDOUBLES-1];
+	r[ECFP_NUMDOUBLES-1] += x[ECFP_NUMDOUBLES-1] * y[0];
+	r[2*ECFP_NUMDOUBLES-2] = x[ECFP_NUMDOUBLES-1] * y[ECFP_NUMDOUBLES-1];
+	r[2*ECFP_NUMDOUBLES-1] = 0;
+	
+	for(i=1;i<ECFP_NUMDOUBLES-1;i++) {
+		for(j=0;j<ECFP_NUMDOUBLES;j++) {
+			r[i+j] += (x[i] * y[j]);
+		}
+	}
+}
+
+/* Computes the square of x and stores the result in r.  x should be
+ * tidied & reduced, r will be neither tidied nor reduced. 
+ * r should point to different memory than x */
+void PREFIX(square) (double *r, const double *x) {
+	PREFIX(multiply) (r, x, x);
+}
+
+/* Perform a point doubling in Jacobian coordinates. Input and output
+ * should be multi-precision floating point integers. */
+void PREFIX(pt_dbl_jac) (const ecfp_jac_pt * dp, ecfp_jac_pt * dr,
+						 const EC_group_fp * group) {
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		M[2 * ECFP_NUMDOUBLES], S[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity */
+	if (PREFIX(pt_is_inf_jac) (dp) == MP_YES) {
+		/* Set r = pt at infinity */
+		PREFIX(set_pt_inf_jac) (dr);
+		goto CLEANUP;
+	}
+
+	/* Perform typical point doubling operations */
+
+	/* TODO? is it worthwhile to do optimizations for when pz = 1? */
+
+	if (group->aIsM3) {
+		/* When a = -3, M = 3(px - pz^2)(px + pz^2) */
+		PREFIX(square) (t1, dp->z);
+		group->ecfp_reduce(t1, t1, group);	/* 2^23 since the negative
+											 * rounding buys another bit */
+		PREFIX(addShort) (t0, dp->x, t1);	/* 2*2^23 */
+		PREFIX(subtractShort) (t1, dp->x, t1);	/* 2 * 2^23 */
+		PREFIX(multiply) (M, t0, t1);	/* 40 * 2^46 */
+		PREFIX(addLong) (t0, M, M);	/* 80 * 2^46 */
+		PREFIX(addLong) (M, t0, M);	/* 120 * 2^46 < 2^53 */
+		group->ecfp_reduce(M, M, group);
+	} else {
+		/* Generic case */
+		/* M = 3 (px^2) + a*(pz^4) */
+		PREFIX(square) (t0, dp->x);
+		PREFIX(addLong) (M, t0, t0);
+		PREFIX(addLong) (t0, t0, M);	/* t0 = 3(px^2) */
+		PREFIX(square) (M, dp->z);
+		group->ecfp_reduce(M, M, group);
+		PREFIX(square) (t1, M);
+		group->ecfp_reduce(t1, t1, group);
+		PREFIX(multiply) (M, t1, group->curvea);	/* M = a(pz^4) */
+		PREFIX(addLong) (M, M, t0);
+		group->ecfp_reduce(M, M, group);
+	}
+
+	/* rz = 2 * py * pz */
+	PREFIX(multiply) (t1, dp->y, dp->z);
+	PREFIX(addLong) (t1, t1, t1);
+	group->ecfp_reduce(dr->z, t1, group);
+
+	/* t0 = 2y^2 */
+	PREFIX(square) (t0, dp->y);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(addShort) (t0, t0, t0);
+
+	/* S = 4 * px * py^2 = 2 * px * t0 */
+	PREFIX(multiply) (S, dp->x, t0);
+	PREFIX(addLong) (S, S, S);
+	group->ecfp_reduce(S, S, group);
+
+	/* rx = M^2 - 2 * S */
+	PREFIX(square) (t1, M);
+	PREFIX(subtractShort) (t1, t1, S);
+	PREFIX(subtractShort) (t1, t1, S);
+	group->ecfp_reduce(dr->x, t1, group);
+
+	/* ry = M * (S - rx) - 8 * py^4 */
+	PREFIX(square) (t1, t0);	/* t1 = 4y^4 */
+	PREFIX(subtractShort) (S, S, dr->x);
+	PREFIX(multiply) (t0, M, S);
+	PREFIX(subtractLong) (t0, t0, t1);
+	PREFIX(subtractLong) (t0, t0, t1);
+	group->ecfp_reduce(dr->y, t0, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Perform a point addition using coordinate system Jacobian + Affine ->
+ * Jacobian. Input and output should be multi-precision floating point
+ * integers. */
+void PREFIX(pt_add_jac_aff) (const ecfp_jac_pt * p, const ecfp_aff_pt * q,
+							 ecfp_jac_pt * r, const EC_group_fp * group) {
+	/* Temporary storage */
+	double A[2 * ECFP_NUMDOUBLES], B[2 * ECFP_NUMDOUBLES],
+		C[2 * ECFP_NUMDOUBLES], C2[2 * ECFP_NUMDOUBLES],
+		D[2 * ECFP_NUMDOUBLES], C3[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity for p or q */
+	if (PREFIX(pt_is_inf_aff) (q) == MP_YES) {
+		PREFIX(copy) (r->x, p->x);
+		PREFIX(copy) (r->y, p->y);
+		PREFIX(copy) (r->z, p->z);
+		goto CLEANUP;
+	} else if (PREFIX(pt_is_inf_jac) (p) == MP_YES) {
+		PREFIX(copy) (r->x, q->x);
+		PREFIX(copy) (r->y, q->y);
+		/* Since the affine point is not infinity, we can set r->z = 1 */
+		PREFIX(one) (r->z);
+		goto CLEANUP;
+	}
+
+	/* Calculates c = qx * pz^2 - px d = (qy * b - py) rx = d^2 - c^3 + 2
+	 * (px * c^2) ry = d * (c-rx) - py*c^3 rz = c * pz */
+
+	/* A = pz^2, B = pz^3 */
+	PREFIX(square) (A, p->z);
+	group->ecfp_reduce(A, A, group);
+	PREFIX(multiply) (B, A, p->z);
+	group->ecfp_reduce(B, B, group);
+
+	/* C = qx * A - px */
+	PREFIX(multiply) (C, q->x, A);
+	PREFIX(subtractShort) (C, C, p->x);
+	group->ecfp_reduce(C, C, group);
+
+	/* D = qy * B - py */
+	PREFIX(multiply) (D, q->y, B);
+	PREFIX(subtractShort) (D, D, p->y);
+	group->ecfp_reduce(D, D, group);
+
+	/* C2 = C^2, C3 = C^3 */
+	PREFIX(square) (C2, C);
+	group->ecfp_reduce(C2, C2, group);
+	PREFIX(multiply) (C3, C2, C);
+	group->ecfp_reduce(C3, C3, group);
+
+	/* rz = A = pz * C */
+	PREFIX(multiply) (A, p->z, C);
+	group->ecfp_reduce(r->z, A, group);
+
+	/* C = px * C^2, untidied, unreduced */
+	PREFIX(multiply) (C, p->x, C2);
+
+	/* A = D^2, untidied, unreduced */
+	PREFIX(square) (A, D);
+
+	/* rx = B = A - C3 - C - C = D^2 - (C^3 + 2 * (px * C^2) */
+	PREFIX(subtractShort) (A, A, C3);
+	PREFIX(subtractLong) (A, A, C);
+	PREFIX(subtractLong) (A, A, C);
+	group->ecfp_reduce(r->x, A, group);
+
+	/* B = py * C3, untidied, unreduced */
+	PREFIX(multiply) (B, p->y, C3);
+
+	/* C = px * C^2 - rx */
+	PREFIX(subtractShort) (C, C, r->x);
+	group->ecfp_reduce(C, C, group);
+
+	/* ry = A = D * C - py * C^3 */
+	PREFIX(multiply) (A, D, C);
+	PREFIX(subtractLong) (A, A, B);
+	group->ecfp_reduce(r->y, A, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Perform a point addition using Jacobian coordinate system. Input and
+ * output should be multi-precision floating point integers. */
+void PREFIX(pt_add_jac) (const ecfp_jac_pt * p, const ecfp_jac_pt * q,
+						 ecfp_jac_pt * r, const EC_group_fp * group) {
+
+	/* Temporary Storage */
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
+		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
+		H3[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity for p, if so set r = q */
+	if (PREFIX(pt_is_inf_jac) (p) == MP_YES) {
+		PREFIX(copy) (r->x, q->x);
+		PREFIX(copy) (r->y, q->y);
+		PREFIX(copy) (r->z, q->z);
+		goto CLEANUP;
+	}
+
+	/* Check for point at infinity for p, if so set r = q */
+	if (PREFIX(pt_is_inf_jac) (q) == MP_YES) {
+		PREFIX(copy) (r->x, p->x);
+		PREFIX(copy) (r->y, p->y);
+		PREFIX(copy) (r->z, p->z);
+		goto CLEANUP;
+	}
+
+	/* U = px * qz^2 , S = py * qz^3 */
+	PREFIX(square) (t0, q->z);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (U, p->x, t0);
+	group->ecfp_reduce(U, U, group);
+	PREFIX(multiply) (t1, t0, q->z);
+	group->ecfp_reduce(t1, t1, group);
+	PREFIX(multiply) (t0, p->y, t1);
+	group->ecfp_reduce(S, t0, group);
+
+	/* H = qx*(pz)^2 - U , R = (qy * pz^3 - S) */
+	PREFIX(square) (t0, p->z);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (H, q->x, t0);
+	PREFIX(subtractShort) (H, H, U);
+	group->ecfp_reduce(H, H, group);
+	PREFIX(multiply) (t1, t0, p->z);	/* t1 = pz^3 */
+	group->ecfp_reduce(t1, t1, group);
+	PREFIX(multiply) (t0, t1, q->y);	/* t0 = qy * pz^3 */
+	PREFIX(subtractShort) (t0, t0, S);
+	group->ecfp_reduce(R, t0, group);
+
+	/* U = U*H^2, H3 = H^3 */
+	PREFIX(square) (t0, H);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (t1, U, t0);
+	group->ecfp_reduce(U, t1, group);
+	PREFIX(multiply) (H3, t0, H);
+	group->ecfp_reduce(H3, H3, group);
+
+	/* rz = pz * qz * H */
+	PREFIX(multiply) (t0, q->z, H);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (t1, t0, p->z);
+	group->ecfp_reduce(r->z, t1, group);
+
+	/* rx = R^2 - H^3 - 2 * U */
+	PREFIX(square) (t0, R);
+	PREFIX(subtractShort) (t0, t0, H3);
+	PREFIX(subtractShort) (t0, t0, U);
+	PREFIX(subtractShort) (t0, t0, U);
+	group->ecfp_reduce(r->x, t0, group);
+
+	/* ry = R(U - rx) - S*H3 */
+	PREFIX(subtractShort) (t1, U, r->x);
+	PREFIX(multiply) (t0, t1, R);
+	PREFIX(multiply) (t1, S, H3);
+	PREFIX(subtractLong) (t1, t0, t1);
+	group->ecfp_reduce(r->y, t1, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Perform a point doubling in Modified Jacobian coordinates. Input and
+ * output should be multi-precision floating point integers. */
+void PREFIX(pt_dbl_jm) (const ecfp_jm_pt * p, ecfp_jm_pt * r,
+						const EC_group_fp * group) {
+
+	/* Temporary storage */
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		M[2 * ECFP_NUMDOUBLES], S[2 * ECFP_NUMDOUBLES],
+		U[2 * ECFP_NUMDOUBLES], T[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity */
+	if (PREFIX(pt_is_inf_jm) (p) == MP_YES) {
+		/* Set r = pt at infinity by setting rz = 0 */
+		PREFIX(set_pt_inf_jm) (r);
+		goto CLEANUP;
+	}
+
+	/* M = 3 (px^2) + a*(pz^4) */
+	PREFIX(square) (t0, p->x);
+	PREFIX(addLong) (M, t0, t0);
+	PREFIX(addLong) (t0, t0, M);	/* t0 = 3(px^2) */
+	PREFIX(addShort) (t0, t0, p->az4);
+	group->ecfp_reduce(M, t0, group);
+
+	/* rz = 2 * py * pz */
+	PREFIX(multiply) (t1, p->y, p->z);
+	PREFIX(addLong) (t1, t1, t1);
+	group->ecfp_reduce(r->z, t1, group);
+
+	/* t0 = 2y^2, U = 8y^4 */
+	PREFIX(square) (t0, p->y);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(addShort) (t0, t0, t0);
+	PREFIX(square) (U, t0);
+	group->ecfp_reduce(U, U, group);
+	PREFIX(addShort) (U, U, U);
+
+	/* S = 4 * px * py^2 = 2 * px * t0 */
+	PREFIX(multiply) (S, p->x, t0);
+	group->ecfp_reduce(S, S, group);
+	PREFIX(addShort) (S, S, S);
+
+	/* rx = M^2 - 2S */
+	PREFIX(square) (T, M);
+	PREFIX(subtractShort) (T, T, S);
+	PREFIX(subtractShort) (T, T, S);
+	group->ecfp_reduce(r->x, T, group);
+
+	/* ry = M * (S - rx) - U */
+	PREFIX(subtractShort) (S, S, r->x);
+	PREFIX(multiply) (t0, M, S);
+	PREFIX(subtractShort) (t0, t0, U);
+	group->ecfp_reduce(r->y, t0, group);
+
+	/* ra*z^4 = 2*U*(apz4) */
+	PREFIX(multiply) (t1, U, p->az4);
+	PREFIX(addLong) (t1, t1, t1);
+	group->ecfp_reduce(r->az4, t1, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Perform a point doubling using coordinates Affine -> Chudnovsky
+ * Jacobian. Input and output should be multi-precision floating point
+ * integers. */
+void PREFIX(pt_dbl_aff2chud) (const ecfp_aff_pt * p, ecfp_chud_pt * r,
+							  const EC_group_fp * group) {
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		M[2 * ECFP_NUMDOUBLES], twoY2[2 * ECFP_NUMDOUBLES],
+		S[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity for p, if so set r = O */
+	if (PREFIX(pt_is_inf_aff) (p) == MP_YES) {
+		PREFIX(set_pt_inf_chud) (r);
+		goto CLEANUP;
+	}
+
+	/* M = 3(px)^2 + a */
+	PREFIX(square) (t0, p->x);
+	PREFIX(addLong) (t1, t0, t0);
+	PREFIX(addLong) (t1, t1, t0);
+	PREFIX(addShort) (t1, t1, group->curvea);
+	group->ecfp_reduce(M, t1, group);
+
+	/* twoY2 = 2*(py)^2, S = 4(px)(py)^2 */
+	PREFIX(square) (twoY2, p->y);
+	PREFIX(addLong) (twoY2, twoY2, twoY2);
+	group->ecfp_reduce(twoY2, twoY2, group);
+	PREFIX(multiply) (S, p->x, twoY2);
+	PREFIX(addLong) (S, S, S);
+	group->ecfp_reduce(S, S, group);
+
+	/* rx = M^2 - 2S */
+	PREFIX(square) (t0, M);
+	PREFIX(subtractShort) (t0, t0, S);
+	PREFIX(subtractShort) (t0, t0, S);
+	group->ecfp_reduce(r->x, t0, group);
+
+	/* ry = M(S-rx) - 8y^4 */
+	PREFIX(subtractShort) (t0, S, r->x);
+	PREFIX(multiply) (t1, t0, M);
+	PREFIX(square) (t0, twoY2);
+	PREFIX(subtractLong) (t1, t1, t0);
+	PREFIX(subtractLong) (t1, t1, t0);
+	group->ecfp_reduce(r->y, t1, group);
+
+	/* rz = 2py */
+	PREFIX(addShort) (r->z, p->y, p->y);
+
+	/* rz2 = rz^2 */
+	PREFIX(square) (t0, r->z);
+	group->ecfp_reduce(r->z2, t0, group);
+
+	/* rz3 = rz^3 */
+	PREFIX(multiply) (t0, r->z, r->z2);
+	group->ecfp_reduce(r->z3, t0, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Perform a point addition using coordinates: Modified Jacobian +
+ * Chudnovsky Jacobian -> Modified Jacobian. Input and output should be
+ * multi-precision floating point integers. */
+void PREFIX(pt_add_jm_chud) (ecfp_jm_pt * p, ecfp_chud_pt * q,
+							 ecfp_jm_pt * r, const EC_group_fp * group) {
+
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
+		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
+		H3[2 * ECFP_NUMDOUBLES], pz2[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity for p, if so set r = q need to convert
+	 * from Chudnovsky form to Modified Jacobian form */
+	if (PREFIX(pt_is_inf_jm) (p) == MP_YES) {
+		PREFIX(copy) (r->x, q->x);
+		PREFIX(copy) (r->y, q->y);
+		PREFIX(copy) (r->z, q->z);
+		PREFIX(square) (t0, q->z2);
+		group->ecfp_reduce(t0, t0, group);
+		PREFIX(multiply) (t1, t0, group->curvea);
+		group->ecfp_reduce(r->az4, t1, group);
+		goto CLEANUP;
+	}
+	/* Check for point at infinity for q, if so set r = p */
+	if (PREFIX(pt_is_inf_chud) (q) == MP_YES) {
+		PREFIX(copy) (r->x, p->x);
+		PREFIX(copy) (r->y, p->y);
+		PREFIX(copy) (r->z, p->z);
+		PREFIX(copy) (r->az4, p->az4);
+		goto CLEANUP;
+	}
+
+	/* U = px * qz^2 */
+	PREFIX(multiply) (U, p->x, q->z2);
+	group->ecfp_reduce(U, U, group);
+
+	/* H = qx*(pz)^2 - U */
+	PREFIX(square) (t0, p->z);
+	group->ecfp_reduce(pz2, t0, group);
+	PREFIX(multiply) (H, pz2, q->x);
+	group->ecfp_reduce(H, H, group);
+	PREFIX(subtractShort) (H, H, U);
+
+	/* U = U*H^2, H3 = H^3 */
+	PREFIX(square) (t0, H);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (t1, U, t0);
+	group->ecfp_reduce(U, t1, group);
+	PREFIX(multiply) (H3, t0, H);
+	group->ecfp_reduce(H3, H3, group);
+
+	/* S = py * qz^3 */
+	PREFIX(multiply) (S, p->y, q->z3);
+	group->ecfp_reduce(S, S, group);
+
+	/* R = (qy * z1^3 - s) */
+	PREFIX(multiply) (t0, pz2, p->z);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (R, t0, q->y);
+	PREFIX(subtractShort) (R, R, S);
+	group->ecfp_reduce(R, R, group);
+
+	/* rz = pz * qz * H */
+	PREFIX(multiply) (t1, q->z, H);
+	group->ecfp_reduce(t1, t1, group);
+	PREFIX(multiply) (t0, p->z, t1);
+	group->ecfp_reduce(r->z, t0, group);
+
+	/* rx = R^2 - H^3 - 2 * U */
+	PREFIX(square) (t0, R);
+	PREFIX(subtractShort) (t0, t0, H3);
+	PREFIX(subtractShort) (t0, t0, U);
+	PREFIX(subtractShort) (t0, t0, U);
+	group->ecfp_reduce(r->x, t0, group);
+
+	/* ry = R(U - rx) - S*H3 */
+	PREFIX(subtractShort) (t1, U, r->x);
+	PREFIX(multiply) (t0, t1, R);
+	PREFIX(multiply) (t1, S, H3);
+	PREFIX(subtractLong) (t1, t0, t1);
+	group->ecfp_reduce(r->y, t1, group);
+
+	if (group->aIsM3) {			/* a == -3 */
+		/* a(rz^4) = -3 * ((rz^2)^2) */
+		PREFIX(square) (t0, r->z);
+		group->ecfp_reduce(t0, t0, group);
+		PREFIX(square) (t1, t0);
+		PREFIX(addLong) (t0, t1, t1);
+		PREFIX(addLong) (t0, t0, t1);
+		PREFIX(negLong) (t0, t0);
+		group->ecfp_reduce(r->az4, t0, group);
+	} else {					/* Generic case */
+		/* a(rz^4) = a * ((rz^2)^2) */
+		PREFIX(square) (t0, r->z);
+		group->ecfp_reduce(t0, t0, group);
+		PREFIX(square) (t1, t0);
+		group->ecfp_reduce(t1, t1, group);
+		PREFIX(multiply) (t0, group->curvea, t1);
+		group->ecfp_reduce(r->az4, t0, group);
+	}
+  CLEANUP:
+	return;
+}
+
+/* Perform a point addition using Chudnovsky Jacobian coordinates. Input
+ * and output should be multi-precision floating point integers. */
+void PREFIX(pt_add_chud) (const ecfp_chud_pt * p, const ecfp_chud_pt * q,
+						  ecfp_chud_pt * r, const EC_group_fp * group) {
+
+	/* Temporary Storage */
+	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
+		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
+		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
+		H3[2 * ECFP_NUMDOUBLES];
+
+	/* Check for point at infinity for p, if so set r = q */
+	if (PREFIX(pt_is_inf_chud) (p) == MP_YES) {
+		PREFIX(copy) (r->x, q->x);
+		PREFIX(copy) (r->y, q->y);
+		PREFIX(copy) (r->z, q->z);
+		PREFIX(copy) (r->z2, q->z2);
+		PREFIX(copy) (r->z3, q->z3);
+		goto CLEANUP;
+	}
+
+	/* Check for point at infinity for p, if so set r = q */
+	if (PREFIX(pt_is_inf_chud) (q) == MP_YES) {
+		PREFIX(copy) (r->x, p->x);
+		PREFIX(copy) (r->y, p->y);
+		PREFIX(copy) (r->z, p->z);
+		PREFIX(copy) (r->z2, p->z2);
+		PREFIX(copy) (r->z3, p->z3);
+		goto CLEANUP;
+	}
+
+	/* U = px * qz^2 */
+	PREFIX(multiply) (U, p->x, q->z2);
+	group->ecfp_reduce(U, U, group);
+
+	/* H = qx*(pz)^2 - U */
+	PREFIX(multiply) (H, q->x, p->z2);
+	PREFIX(subtractShort) (H, H, U);
+	group->ecfp_reduce(H, H, group);
+
+	/* U = U*H^2, H3 = H^3 */
+	PREFIX(square) (t0, H);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (t1, U, t0);
+	group->ecfp_reduce(U, t1, group);
+	PREFIX(multiply) (H3, t0, H);
+	group->ecfp_reduce(H3, H3, group);
+
+	/* S = py * qz^3 */
+	PREFIX(multiply) (S, p->y, q->z3);
+	group->ecfp_reduce(S, S, group);
+
+	/* rz = pz * qz * H */
+	PREFIX(multiply) (t0, q->z, H);
+	group->ecfp_reduce(t0, t0, group);
+	PREFIX(multiply) (t1, t0, p->z);
+	group->ecfp_reduce(r->z, t1, group);
+
+	/* R = (qy * z1^3 - s) */
+	PREFIX(multiply) (t0, q->y, p->z3);
+	PREFIX(subtractShort) (t0, t0, S);
+	group->ecfp_reduce(R, t0, group);
+
+	/* rx = R^2 - H^3 - 2 * U */
+	PREFIX(square) (t0, R);
+	PREFIX(subtractShort) (t0, t0, H3);
+	PREFIX(subtractShort) (t0, t0, U);
+	PREFIX(subtractShort) (t0, t0, U);
+	group->ecfp_reduce(r->x, t0, group);
+
+	/* ry = R(U - rx) - S*H3 */
+	PREFIX(subtractShort) (t1, U, r->x);
+	PREFIX(multiply) (t0, t1, R);
+	PREFIX(multiply) (t1, S, H3);
+	PREFIX(subtractLong) (t1, t0, t1);
+	group->ecfp_reduce(r->y, t1, group);
+
+	/* rz2 = rz^2 */
+	PREFIX(square) (t0, r->z);
+	group->ecfp_reduce(r->z2, t0, group);
+
+	/* rz3 = rz^3 */
+	PREFIX(multiply) (t0, r->z, r->z2);
+	group->ecfp_reduce(r->z3, t0, group);
+
+  CLEANUP:
+	return;
+}
+
+/* Expects out to be an array of size 16 of Chudnovsky Jacobian points.
+ * Fills in Chudnovsky Jacobian form (x, y, z, z^2, z^3), for -15P, -13P,
+ * -11P, -9P, -7P, -5P, -3P, -P, P, 3P, 5P, 7P, 9P, 11P, 13P, 15P */
+void PREFIX(precompute_chud) (ecfp_chud_pt * out, const ecfp_aff_pt * p,
+							  const EC_group_fp * group) {
+
+	ecfp_chud_pt p2;
+
+	/* Set out[8] = P */
+	PREFIX(copy) (out[8].x, p->x);
+	PREFIX(copy) (out[8].y, p->y);
+	PREFIX(one) (out[8].z);
+	PREFIX(one) (out[8].z2);
+	PREFIX(one) (out[8].z3);
+
+	/* Set p2 = 2P */
+	PREFIX(pt_dbl_aff2chud) (p, &p2, group);
+
+	/* Set 3P, 5P, ..., 15P */
+	PREFIX(pt_add_chud) (&out[8], &p2, &out[9], group);
+	PREFIX(pt_add_chud) (&out[9], &p2, &out[10], group);
+	PREFIX(pt_add_chud) (&out[10], &p2, &out[11], group);
+	PREFIX(pt_add_chud) (&out[11], &p2, &out[12], group);
+	PREFIX(pt_add_chud) (&out[12], &p2, &out[13], group);
+	PREFIX(pt_add_chud) (&out[13], &p2, &out[14], group);
+	PREFIX(pt_add_chud) (&out[14], &p2, &out[15], group);
+
+	/* Set -15P, -13P, ..., -P */
+	PREFIX(pt_neg_chud) (&out[8], &out[7]);
+	PREFIX(pt_neg_chud) (&out[9], &out[6]);
+	PREFIX(pt_neg_chud) (&out[10], &out[5]);
+	PREFIX(pt_neg_chud) (&out[11], &out[4]);
+	PREFIX(pt_neg_chud) (&out[12], &out[3]);
+	PREFIX(pt_neg_chud) (&out[13], &out[2]);
+	PREFIX(pt_neg_chud) (&out[14], &out[1]);
+	PREFIX(pt_neg_chud) (&out[15], &out[0]);
+}
+
+/* Expects out to be an array of size 16 of Jacobian points. Fills in
+ * Jacobian form (x, y, z), for O, P, 2P, ... 15P */
+void PREFIX(precompute_jac) (ecfp_jac_pt * precomp, const ecfp_aff_pt * p,
+							 const EC_group_fp * group) {
+	int i;
+
+	/* fill precomputation table */
+	/* set precomp[0] */
+	PREFIX(set_pt_inf_jac) (&precomp[0]);
+	/* set precomp[1] */
+	PREFIX(copy) (precomp[1].x, p->x);
+	PREFIX(copy) (precomp[1].y, p->y);
+	if (PREFIX(pt_is_inf_aff) (p) == MP_YES) {
+		PREFIX(zero) (precomp[1].z);
+	} else {
+		PREFIX(one) (precomp[1].z);
+	}
+	/* set precomp[2] */
+	group->pt_dbl_jac(&precomp[1], &precomp[2], group);
+
+	/* set rest of precomp */
+	for (i = 3; i < 16; i++) {
+		group->pt_add_jac_aff(&precomp[i - 1], p, &precomp[i], group);
+	}
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_jac.c b/security/nss/lib/freebl/ecl/ecp_jac.c
new file mode 100644
index 000000000..2659dbb82
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_jac.c
@@ -0,0 +1,553 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <fungstep@hotmail.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *   Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
+ *   Nils Larsch <nla@trustcenter.de>, and
+ *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "mplogic.h"
+#include <stdlib.h>
+#ifdef ECL_DEBUG
+#include <assert.h>
+#endif
+
+/* Converts a point P(px, py) from affine coordinates to Jacobian
+ * projective coordinates R(rx, ry, rz). Assumes input is already
+ * field-encoded using field_enc, and returns output that is still
+ * field-encoded. */
+mp_err
+ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx,
+				  mp_int *ry, mp_int *rz, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+
+	if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
+		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
+	} else {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		MP_CHECKOK(mp_set_int(rz, 1));
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth));
+		}
+	}
+  CLEANUP:
+	return res;
+}
+
+/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
+ * affine coordinates R(rx, ry).  P and R can share x and y coordinates.
+ * Assumes input is already field-encoded using field_enc, and returns
+ * output that is still field-encoded. */
+mp_err
+ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
+				  mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int z1, z2, z3;
+
+	MP_DIGITS(&z1) = 0;
+	MP_DIGITS(&z2) = 0;
+	MP_DIGITS(&z3) = 0;
+	MP_CHECKOK(mp_init(&z1));
+	MP_CHECKOK(mp_init(&z2));
+	MP_CHECKOK(mp_init(&z3));
+
+	/* if point at infinity, then set point at infinity and exit */
+	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+		MP_CHECKOK(ec_GFp_pt_set_inf_aff(rx, ry));
+		goto CLEANUP;
+	}
+
+	/* transform (px, py, pz) into (px / pz^2, py / pz^3) */
+	if (mp_cmp_d(pz, 1) == 0) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+	} else {
+		MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth));
+		MP_CHECKOK(group->meth->field_mul(&z1, &z2, &z3, group->meth));
+		MP_CHECKOK(group->meth->field_mul(px, &z2, rx, group->meth));
+		MP_CHECKOK(group->meth->field_mul(py, &z3, ry, group->meth));
+	}
+
+  CLEANUP:
+	mp_clear(&z1);
+	mp_clear(&z2);
+	mp_clear(&z3);
+	return res;
+}
+
+/* Checks if point P(px, py, pz) is at infinity. Uses Jacobian
+ * coordinates. */
+mp_err
+ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py, const mp_int *pz)
+{
+	return mp_cmp_z(pz);
+}
+
+/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian
+ * coordinates. */
+mp_err
+ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz)
+{
+	mp_zero(pz);
+	return MP_OKAY;
+}
+
+/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
+ * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
+ * Uses mixed Jacobian-affine coordinates. Assumes input is already
+ * field-encoded using field_enc, and returns output that is still
+ * field-encoded. Uses equation (2) from Brown, Hankerson, Lopez, and
+ * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime
+ * Fields. */
+mp_err
+ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
+					  const mp_int *qx, const mp_int *qy, mp_int *rx,
+					  mp_int *ry, mp_int *rz, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int A, B, C, D, C2, C3;
+
+	MP_DIGITS(&A) = 0;
+	MP_DIGITS(&B) = 0;
+	MP_DIGITS(&C) = 0;
+	MP_DIGITS(&D) = 0;
+	MP_DIGITS(&C2) = 0;
+	MP_DIGITS(&C3) = 0;
+	MP_CHECKOK(mp_init(&A));
+	MP_CHECKOK(mp_init(&B));
+	MP_CHECKOK(mp_init(&C));
+	MP_CHECKOK(mp_init(&D));
+	MP_CHECKOK(mp_init(&C2));
+	MP_CHECKOK(mp_init(&C3));
+
+	/* If either P or Q is the point at infinity, then return the other
+	 * point */
+	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+		MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group));
+		goto CLEANUP;
+	}
+	if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		MP_CHECKOK(mp_copy(pz, rz));
+		goto CLEANUP;
+	}
+
+	/* A = qx * pz^2, B = qy * pz^3 */
+	MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
+
+	/* C = A - px, D = B - py */
+	MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
+
+	/* C2 = C^2, C3 = C^3 */
+	MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth));
+
+	/* rz = pz * C */
+	MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth));
+
+	/* C = px * C^2 */
+	MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth));
+	/* A = D^2 */
+	MP_CHECKOK(group->meth->field_sqr(&D, &A, group->meth));
+
+	/* rx = D^2 - (C^3 + 2 * (px * C^2)) */
+	MP_CHECKOK(group->meth->field_add(&C, &C, rx, group->meth));
+	MP_CHECKOK(group->meth->field_add(&C3, rx, rx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&A, rx, rx, group->meth));
+
+	/* C3 = py * C^3 */
+	MP_CHECKOK(group->meth->field_mul(py, &C3, &C3, group->meth));
+
+	/* ry = D * (px * C^2 - rx) - py * C^3 */
+	MP_CHECKOK(group->meth->field_sub(&C, rx, ry, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&D, ry, ry, group->meth));
+	MP_CHECKOK(group->meth->field_sub(ry, &C3, ry, group->meth));
+
+  CLEANUP:
+	mp_clear(&A);
+	mp_clear(&B);
+	mp_clear(&C);
+	mp_clear(&D);
+	mp_clear(&C2);
+	mp_clear(&C3);
+	return res;
+}
+
+/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
+ * Jacobian coordinates.
+ *
+ * Assumes input is already field-encoded using field_enc, and returns 
+ * output that is still field-encoded.
+ *
+ * This routine implements Point Doubling in the Jacobian Projective 
+ * space as described in the paper "Efficient elliptic curve exponentiation 
+ * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono.
+ */
+mp_err
+ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py, const mp_int *pz,
+				  mp_int *rx, mp_int *ry, mp_int *rz, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int t0, t1, M, S;
+
+	MP_DIGITS(&t0) = 0;
+	MP_DIGITS(&t1) = 0;
+	MP_DIGITS(&M) = 0;
+	MP_DIGITS(&S) = 0;
+	MP_CHECKOK(mp_init(&t0));
+	MP_CHECKOK(mp_init(&t1));
+	MP_CHECKOK(mp_init(&M));
+	MP_CHECKOK(mp_init(&S));
+
+	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
+		goto CLEANUP;
+	}
+
+	if (mp_cmp_d(pz, 1) == 0) {
+		/* M = 3 * px^2 + a */
+		MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
+		MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_add(&t0, &group->curvea, &M, group->meth));
+	} else if (mp_cmp_int(&group->curvea, -3) == 0) {
+		/* M = 3 * (px + pz^2) * (px - pz^2) */
+		MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth));
+		MP_CHECKOK(group->meth->field_add(px, &M, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_sub(px, &M, &t1, group->meth));
+		MP_CHECKOK(group->meth->field_mul(&t0, &t1, &M, group->meth));
+		MP_CHECKOK(group->meth->field_add(&M, &M, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_add(&t0, &M, &M, group->meth));
+	} else {
+		/* M = 3 * (px^2) + a * (pz^4) */
+		MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
+		MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(&M, &M, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_mul(&M, &group->curvea, &M, group->meth));
+		MP_CHECKOK(group->meth->field_add(&M, &t0, &M, group->meth));
+	}
+
+	/* rz = 2 * py * pz */
+	/* t0 = 4 * py^2 */
+	if (mp_cmp_d(pz, 1) == 0) {
+		MP_CHECKOK(group->meth->field_add(py, py, rz, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(rz, &t0, group->meth));
+	} else {
+		MP_CHECKOK(group->meth->field_add(py, py, &t0, group->meth));
+		MP_CHECKOK(group->meth->field_mul(&t0, pz, rz, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth));
+	}
+
+	/* S = 4 * px * py^2 = px * (2 * py)^2 */
+	MP_CHECKOK(group->meth->field_mul(px, &t0, &S, group->meth));
+
+	/* rx = M^2 - 2 * S */
+	MP_CHECKOK(group->meth->field_add(&S, &S, &t1, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(&M, rx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(rx, &t1, rx, group->meth));
+
+	/* ry = M * (S - rx) - 8 * py^4 */
+	MP_CHECKOK(group->meth->field_sqr(&t0, &t1, group->meth));
+	if (mp_isodd(&t1)) {
+		MP_CHECKOK(mp_add(&t1, &group->meth->irr, &t1));
+	}
+	MP_CHECKOK(mp_div_2(&t1, &t1));
+	MP_CHECKOK(group->meth->field_sub(&S, rx, &S, group->meth));
+	MP_CHECKOK(group->meth->field_mul(&M, &S, &M, group->meth));
+	MP_CHECKOK(group->meth->field_sub(&M, &t1, ry, group->meth));
+
+  CLEANUP:
+	mp_clear(&t0);
+	mp_clear(&t1);
+	mp_clear(&M);
+	mp_clear(&S);
+	return res;
+}
+
+/* by default, this routine is unused and thus doesn't need to be compiled */
+#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the prime that
+ * determines the field GFp.  Elliptic curve points P and R can be
+ * identical.  Uses mixed Jacobian-affine coordinates. Assumes input is
+ * already field-encoded using field_enc, and returns output that is still 
+ * field-encoded. Uses 4-bit window method. */
+mp_err
+ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py,
+				  mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int precomp[16][2], rz;
+	int i, ni, d;
+
+	MP_DIGITS(&rz) = 0;
+	for (i = 0; i < 16; i++) {
+		MP_DIGITS(&precomp[i][0]) = 0;
+		MP_DIGITS(&precomp[i][1]) = 0;
+	}
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
+
+	/* initialize precomputation table */
+	for (i = 0; i < 16; i++) {
+		MP_CHECKOK(mp_init(&precomp[i][0]));
+		MP_CHECKOK(mp_init(&precomp[i][1]));
+	}
+
+	/* fill precomputation table */
+	mp_zero(&precomp[0][0]);
+	mp_zero(&precomp[0][1]);
+	MP_CHECKOK(mp_copy(px, &precomp[1][0]));
+	MP_CHECKOK(mp_copy(py, &precomp[1][1]));
+	for (i = 2; i < 16; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[1][0], &precomp[1][1],
+							 &precomp[i - 1][0], &precomp[i - 1][1],
+							 &precomp[i][0], &precomp[i][1], group));
+	}
+
+	d = (mpl_significant_bits(n) + 3) / 4;
+
+	/* R = inf */
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
+
+	for (i = d - 1; i >= 0; i--) {
+		/* compute window ni */
+		ni = MP_GET_BIT(n, 4 * i + 3);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 2);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i + 1);
+		ni <<= 1;
+		ni |= MP_GET_BIT(n, 4 * i);
+		/* R = 2^4 * R */
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		/* R = R + (ni * P) */
+		MP_CHECKOK(ec_GFp_pt_add_jac_aff
+				   (rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry,
+					&rz, group));
+	}
+
+	/* convert result S to affine coordinates */
+	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
+
+  CLEANUP:
+	mp_clear(&rz);
+	for (i = 0; i < 16; i++) {
+		mp_clear(&precomp[i][0]);
+		mp_clear(&precomp[i][1]);
+	}
+	return res;
+}
+#endif
+
+/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
+ * k2 * P(x, y), where G is the generator (base point) of the group of
+ * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
+ * Uses mixed Jacobian-affine coordinates. Input and output values are
+ * assumed to be NOT field-encoded. Uses algorithm 15 (simultaneous
+ * multiple point multiplication) from Brown, Hankerson, Lopez, Menezes.
+ * Software Implementation of the NIST Elliptic Curves over Prime Fields. */
+mp_err
+ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
+				   const mp_int *py, mp_int *rx, mp_int *ry,
+				   const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int precomp[4][4][2];
+	mp_int rz;
+	const mp_int *a, *b;
+	int i, j;
+	int ai, bi, d;
+
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			MP_DIGITS(&precomp[i][j][0]) = 0;
+			MP_DIGITS(&precomp[i][j][1]) = 0;
+		}
+	}
+	MP_DIGITS(&rz) = 0;
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK(!((k1 == NULL)
+			 && ((k2 == NULL) || (px == NULL)
+				 || (py == NULL))), MP_BADARG);
+
+	/* if some arguments are not defined used ECPoint_mul */
+	if (k1 == NULL) {
+		return ECPoint_mul(group, k2, px, py, rx, ry);
+	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
+		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+	}
+
+	/* initialize precomputation table */
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			MP_CHECKOK(mp_init(&precomp[i][j][0]));
+			MP_CHECKOK(mp_init(&precomp[i][j][1]));
+		}
+	}
+
+	/* fill precomputation table */
+	/* assign {k1, k2} = {a, b} such that len(a) >= len(b) */
+	if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) {
+		a = k2;
+		b = k1;
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->
+					   field_enc(px, &precomp[1][0][0], group->meth));
+			MP_CHECKOK(group->meth->
+					   field_enc(py, &precomp[1][0][1], group->meth));
+		} else {
+			MP_CHECKOK(mp_copy(px, &precomp[1][0][0]));
+			MP_CHECKOK(mp_copy(py, &precomp[1][0][1]));
+		}
+		MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0]));
+		MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1]));
+	} else {
+		a = k1;
+		b = k2;
+		MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0]));
+		MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1]));
+		if (group->meth->field_enc) {
+			MP_CHECKOK(group->meth->
+					   field_enc(px, &precomp[0][1][0], group->meth));
+			MP_CHECKOK(group->meth->
+					   field_enc(py, &precomp[0][1][1], group->meth));
+		} else {
+			MP_CHECKOK(mp_copy(px, &precomp[0][1][0]));
+			MP_CHECKOK(mp_copy(py, &precomp[0][1][1]));
+		}
+	}
+	/* precompute [*][0][*] */
+	mp_zero(&precomp[0][0][0]);
+	mp_zero(&precomp[0][0][1]);
+	MP_CHECKOK(group->
+			   point_dbl(&precomp[1][0][0], &precomp[1][0][1],
+						 &precomp[2][0][0], &precomp[2][0][1], group));
+	MP_CHECKOK(group->
+			   point_add(&precomp[1][0][0], &precomp[1][0][1],
+						 &precomp[2][0][0], &precomp[2][0][1],
+						 &precomp[3][0][0], &precomp[3][0][1], group));
+	/* precompute [*][1][*] */
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][1][0], &precomp[0][1][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][1][0], &precomp[i][1][1], group));
+	}
+	/* precompute [*][2][*] */
+	MP_CHECKOK(group->
+			   point_dbl(&precomp[0][1][0], &precomp[0][1][1],
+						 &precomp[0][2][0], &precomp[0][2][1], group));
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][2][0], &precomp[0][2][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][2][0], &precomp[i][2][1], group));
+	}
+	/* precompute [*][3][*] */
+	MP_CHECKOK(group->
+			   point_add(&precomp[0][1][0], &precomp[0][1][1],
+						 &precomp[0][2][0], &precomp[0][2][1],
+						 &precomp[0][3][0], &precomp[0][3][1], group));
+	for (i = 1; i < 4; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[0][3][0], &precomp[0][3][1],
+							 &precomp[i][0][0], &precomp[i][0][1],
+							 &precomp[i][3][0], &precomp[i][3][1], group));
+	}
+
+	d = (mpl_significant_bits(a) + 1) / 2;
+
+	/* R = inf */
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
+
+	for (i = d - 1; i >= 0; i--) {
+		ai = MP_GET_BIT(a, 2 * i + 1);
+		ai <<= 1;
+		ai |= MP_GET_BIT(a, 2 * i);
+		bi = MP_GET_BIT(b, 2 * i + 1);
+		bi <<= 1;
+		bi |= MP_GET_BIT(b, 2 * i);
+		/* R = 2^2 * R */
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
+		/* R = R + (ai * A + bi * B) */
+		MP_CHECKOK(ec_GFp_pt_add_jac_aff
+				   (rx, ry, &rz, &precomp[ai][bi][0], &precomp[ai][bi][1],
+					rx, ry, &rz, group));
+	}
+
+	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
+
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
+	}
+
+  CLEANUP:
+	mp_clear(&rz);
+	for (i = 0; i < 4; i++) {
+		for (j = 0; j < 4; j++) {
+			mp_clear(&precomp[i][j][0]);
+			mp_clear(&precomp[i][j][1]);
+		}
+	}
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_jm.c b/security/nss/lib/freebl/ecl/ecp_jm.c
new file mode 100644
index 000000000..f015a6158
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_jm.c
@@ -0,0 +1,323 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp.h"
+#include "ecl-priv.h"
+#include "mplogic.h"
+#include <stdlib.h>
+
+#define MAX_SCRATCH 6
+
+/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
+ * Modified Jacobian coordinates.
+ *
+ * Assumes input is already field-encoded using field_enc, and returns 
+ * output that is still field-encoded.
+ *
+ */
+mp_err
+ec_GFp_pt_dbl_jm(const mp_int *px, const mp_int *py, const mp_int *pz,
+				 const mp_int *paz4, mp_int *rx, mp_int *ry, mp_int *rz,
+				 mp_int *raz4, mp_int scratch[], const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int *t0, *t1, *M, *S;
+
+	t0 = &scratch[0];
+	t1 = &scratch[1];
+	M = &scratch[2];
+	S = &scratch[3];
+
+#if MAX_SCRATCH < 4
+#error "Scratch array defined too small "
+#endif
+
+	/* Check for point at infinity */
+	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+		/* Set r = pt at infinity by setting rz = 0 */
+
+		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
+		goto CLEANUP;
+	}
+
+	/* M = 3 (px^2) + a*(pz^4) */
+	MP_CHECKOK(group->meth->field_sqr(px, t0, group->meth));
+	MP_CHECKOK(group->meth->field_add(t0, t0, M, group->meth));
+	MP_CHECKOK(group->meth->field_add(t0, M, t0, group->meth));
+	MP_CHECKOK(group->meth->field_add(t0, paz4, M, group->meth));
+
+	/* rz = 2 * py * pz */
+	MP_CHECKOK(group->meth->field_mul(py, pz, S, group->meth));
+	MP_CHECKOK(group->meth->field_add(S, S, rz, group->meth));
+
+	/* t0 = 2y^2 , t1 = 8y^4 */
+	MP_CHECKOK(group->meth->field_sqr(py, t0, group->meth));
+	MP_CHECKOK(group->meth->field_add(t0, t0, t0, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(t0, t1, group->meth));
+	MP_CHECKOK(group->meth->field_add(t1, t1, t1, group->meth));
+
+	/* S = 4 * px * py^2 = 2 * px * t0 */
+	MP_CHECKOK(group->meth->field_mul(px, t0, S, group->meth));
+	MP_CHECKOK(group->meth->field_add(S, S, S, group->meth));
+
+
+	/* rx = M^2 - 2S */
+	MP_CHECKOK(group->meth->field_sqr(M, rx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(rx, S, rx, group->meth));
+
+	/* ry = M * (S - rx) - t1 */
+	MP_CHECKOK(group->meth->field_sub(S, rx, S, group->meth));
+	MP_CHECKOK(group->meth->field_mul(S, M, ry, group->meth));
+	MP_CHECKOK(group->meth->field_sub(ry, t1, ry, group->meth));
+
+	/* ra*z^4 = 2*t1*(apz4) */
+	MP_CHECKOK(group->meth->field_mul(paz4, t1, raz4, group->meth));
+	MP_CHECKOK(group->meth->field_add(raz4, raz4, raz4, group->meth));
+
+
+  CLEANUP:
+	return res;
+}
+
+/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
+ * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
+ * Uses mixed Modified_Jacobian-affine coordinates. Assumes input is
+ * already field-encoded using field_enc, and returns output that is still
+ * field-encoded. */
+mp_err
+ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
+					 const mp_int *paz4, const mp_int *qx,
+					 const mp_int *qy, mp_int *rx, mp_int *ry, mp_int *rz,
+					 mp_int *raz4, mp_int scratch[], const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int *A, *B, *C, *D, *C2, *C3;
+
+	A = &scratch[0];
+	B = &scratch[1];
+	C = &scratch[2];
+	D = &scratch[3];
+	C2 = &scratch[4];
+	C3 = &scratch[5];
+
+#if MAX_SCRATCH < 6
+#error "Scratch array defined too small "
+#endif
+
+	/* If either P or Q is the point at infinity, then return the other
+	 * point */
+	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
+		MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group));
+		MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
+		MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
+		MP_CHECKOK(group->meth->
+				   field_mul(raz4, &group->curvea, raz4, group->meth));
+		goto CLEANUP;
+	}
+	if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) {
+		MP_CHECKOK(mp_copy(px, rx));
+		MP_CHECKOK(mp_copy(py, ry));
+		MP_CHECKOK(mp_copy(pz, rz));
+		MP_CHECKOK(mp_copy(paz4, raz4));
+		goto CLEANUP;
+	}
+
+	/* A = qx * pz^2, B = qy * pz^3 */
+	MP_CHECKOK(group->meth->field_sqr(pz, A, group->meth));
+	MP_CHECKOK(group->meth->field_mul(A, pz, B, group->meth));
+	MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth));
+	MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth));
+
+	/* C = A - px, D = B - py */
+	MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth));
+	MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth));
+
+	/* C2 = C^2, C3 = C^3 */
+	MP_CHECKOK(group->meth->field_sqr(C, C2, group->meth));
+	MP_CHECKOK(group->meth->field_mul(C, C2, C3, group->meth));
+
+	/* rz = pz * C */
+	MP_CHECKOK(group->meth->field_mul(pz, C, rz, group->meth));
+
+	/* C = px * C^2 */
+	MP_CHECKOK(group->meth->field_mul(px, C2, C, group->meth));
+	/* A = D^2 */
+	MP_CHECKOK(group->meth->field_sqr(D, A, group->meth));
+
+	/* rx = D^2 - (C^3 + 2 * (px * C^2)) */
+	MP_CHECKOK(group->meth->field_add(C, C, rx, group->meth));
+	MP_CHECKOK(group->meth->field_add(C3, rx, rx, group->meth));
+	MP_CHECKOK(group->meth->field_sub(A, rx, rx, group->meth));
+
+	/* C3 = py * C^3 */
+	MP_CHECKOK(group->meth->field_mul(py, C3, C3, group->meth));
+
+	/* ry = D * (px * C^2 - rx) - py * C^3 */
+	MP_CHECKOK(group->meth->field_sub(C, rx, ry, group->meth));
+	MP_CHECKOK(group->meth->field_mul(D, ry, ry, group->meth));
+	MP_CHECKOK(group->meth->field_sub(ry, C3, ry, group->meth));
+
+	/* raz4 = a * rz^4 */
+	MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
+	MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
+	MP_CHECKOK(group->meth->
+			   field_mul(raz4, &group->curvea, raz4, group->meth));
+CLEANUP:
+	return res;
+}
+
+/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
+ * curve points P and R can be identical. Uses mixed Modified-Jacobian
+ * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
+ * additions. Assumes input is already field-encoded using field_enc, and
+ * returns output that is still field-encoded. Uses 5-bit window NAF
+ * method (algorithm 11) for scalar-point multiplication from Brown,
+ * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic 
+ * Curves Over Prime Fields. */
+mp_err
+ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
+					  mp_int *rx, mp_int *ry, const ECGroup *group)
+{
+	mp_err res = MP_OKAY;
+	mp_int precomp[16][2], rz, tpx, tpy;
+	mp_int raz4;
+	mp_int scratch[MAX_SCRATCH];
+	signed char *naf = NULL;
+	int i, orderBitSize;
+
+	MP_DIGITS(&rz) = 0;
+	MP_DIGITS(&raz4) = 0;
+	MP_DIGITS(&tpx) = 0;
+	MP_DIGITS(&tpy) = 0;
+	for (i = 0; i < 16; i++) {
+		MP_DIGITS(&precomp[i][0]) = 0;
+		MP_DIGITS(&precomp[i][1]) = 0;
+	}
+	for (i = 0; i < MAX_SCRATCH; i++) {
+		MP_DIGITS(&scratch[i]) = 0;
+	}
+
+	ARGCHK(group != NULL, MP_BADARG);
+	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
+
+	/* initialize precomputation table */
+	MP_CHECKOK(mp_init(&tpx));
+	MP_CHECKOK(mp_init(&tpy));;
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(mp_init(&raz4));
+
+	for (i = 0; i < 16; i++) {
+		MP_CHECKOK(mp_init(&precomp[i][0]));
+		MP_CHECKOK(mp_init(&precomp[i][1]));
+	}
+	for (i = 0; i < MAX_SCRATCH; i++) {
+		MP_CHECKOK(mp_init(&scratch[i]));
+	}
+
+	/* Set out[8] = P */
+	MP_CHECKOK(mp_copy(px, &precomp[8][0]));
+	MP_CHECKOK(mp_copy(py, &precomp[8][1]));
+
+	/* Set (tpx, tpy) = 2P */
+	MP_CHECKOK(group->
+			   point_dbl(&precomp[8][0], &precomp[8][1], &tpx, &tpy,
+						 group));
+
+	/* Set 3P, 5P, ..., 15P */
+	for (i = 8; i < 15; i++) {
+		MP_CHECKOK(group->
+				   point_add(&precomp[i][0], &precomp[i][1], &tpx, &tpy,
+							 &precomp[i + 1][0], &precomp[i + 1][1],
+							 group));
+	}
+
+	/* Set -15P, -13P, ..., -P */
+	for (i = 0; i < 8; i++) {
+		MP_CHECKOK(mp_copy(&precomp[15 - i][0], &precomp[i][0]));
+		MP_CHECKOK(group->meth->
+				   field_neg(&precomp[15 - i][1], &precomp[i][1],
+							 group->meth));
+	}
+
+	/* R = inf */
+	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
+
+	orderBitSize = mpl_significant_bits(&group->order);
+
+	/* Allocate memory for NAF */
+	naf = (signed char *) malloc(sizeof(signed char) * (orderBitSize + 1));
+	if (naf == NULL) {
+		res = MP_MEM;
+		goto CLEANUP;
+	}
+
+	/* Compute 5NAF */
+	ec_compute_wNAF(naf, orderBitSize, n, 5);
+
+	/* wNAF method */
+	for (i = orderBitSize; i >= 0; i--) {
+		/* R = 2R */
+		ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz, 
+					     &raz4, scratch, group);
+		if (naf[i] != 0) {
+			ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
+								 &precomp[(naf[i] + 15) / 2][0],
+								 &precomp[(naf[i] + 15) / 2][1], rx, ry,
+								 &rz, &raz4, scratch, group);
+		}
+	}
+
+	/* convert result S to affine coordinates */
+	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
+
+  CLEANUP:
+	for (i = 0; i < MAX_SCRATCH; i++) {
+		mp_clear(&scratch[i]);
+	}
+	for (i = 0; i < 16; i++) {
+		mp_clear(&precomp[i][0]);
+		mp_clear(&precomp[i][1]);
+	}
+	mp_clear(&tpx);
+	mp_clear(&tpy);
+	mp_clear(&rz);
+	mp_clear(&raz4);
+	free(naf);
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/ecp_mont.c b/security/nss/lib/freebl/ecl/ecp_mont.c
new file mode 100644
index 000000000..c8829b6d1
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/ecp_mont.c
@@ -0,0 +1,192 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Uses Montgomery reduction for field arithmetic.  See mpi/mpmontg.c for
+ * code implementation. */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+#include "ecl-priv.h"
+#include "ecp.h"
+#include <stdlib.h>
+#include <stdio.h>
+
+/* Construct a generic GFMethod for arithmetic over prime fields with
+ * irreducible irr. */
+GFMethod *
+GFMethod_consGFp_mont(const mp_int *irr)
+{
+	mp_err res = MP_OKAY;
+	int i;
+	GFMethod *meth = NULL;
+	mp_mont_modulus *mmm;
+
+	meth = GFMethod_consGFp(irr);
+	if (meth == NULL)
+		return NULL;
+
+	mmm = (mp_mont_modulus *) malloc(sizeof(mp_mont_modulus));
+	if (mmm == NULL) {
+		res = MP_MEM;
+		goto CLEANUP;
+	}
+
+	meth->field_mul = &ec_GFp_mul_mont;
+	meth->field_sqr = &ec_GFp_sqr_mont;
+	meth->field_div = &ec_GFp_div_mont;
+	meth->field_enc = &ec_GFp_enc_mont;
+	meth->field_dec = &ec_GFp_dec_mont;
+	meth->extra1 = mmm;
+	meth->extra2 = NULL;
+	meth->extra_free = &ec_GFp_extra_free_mont;
+
+	mmm->N = meth->irr;
+	i = mpl_significant_bits(&meth->irr);
+	i += MP_DIGIT_BIT - 1;
+	mmm->b = i - i % MP_DIGIT_BIT;
+	mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0));
+
+  CLEANUP:
+	if (res != MP_OKAY) {
+		GFMethod_free(meth);
+		return NULL;
+	}
+	return meth;
+}
+
+/* Wrapper functions for generic prime field arithmetic. */
+
+/* Field multiplication using Montgomery reduction. */
+mp_err
+ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
+				const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+#ifdef MP_MONT_USE_MP_MUL
+	/* if MP_MONT_USE_MP_MUL is defined, then the function s_mp_mul_mont
+	 * is not implemented and we have to use mp_mul and s_mp_redc directly 
+	 */
+	MP_CHECKOK(mp_mul(a, b, r));
+	MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
+#else
+	mp_int s;
+
+	MP_DIGITS(&s) = 0;
+	/* s_mp_mul_mont doesn't allow source and destination to be the same */
+	if ((a == r) || (b == r)) {
+		MP_CHECKOK(mp_init(&s));
+		MP_CHECKOK(s_mp_mul_mont
+				   (a, b, &s, (mp_mont_modulus *) meth->extra1));
+		MP_CHECKOK(mp_copy(&s, r));
+		mp_clear(&s);
+	} else {
+		return s_mp_mul_mont(a, b, r, (mp_mont_modulus *) meth->extra1);
+	}
+#endif
+  CLEANUP:
+	return res;
+}
+
+/* Field squaring using Montgomery reduction. */
+mp_err
+ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	return ec_GFp_mul_mont(a, a, r, meth);
+}
+
+/* Field division using Montgomery reduction. */
+mp_err
+ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
+				const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	/* if A=aZ represents a encoded in montgomery coordinates with Z and # 
+	 * and \ respectively represent multiplication and division in
+	 * montgomery coordinates, then A\B = (a/b)Z = (A/B)Z and Binv =
+	 * (1/b)Z = (1/B)(Z^2) where B # Binv = Z */
+	MP_CHECKOK(ec_GFp_div(a, b, r, meth));
+	MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
+	if (a == NULL) {
+		MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
+	}
+  CLEANUP:
+	return res;
+}
+
+/* Encode a field element in Montgomery form. See s_mp_to_mont in
+ * mpi/mpmontg.c */
+mp_err
+ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_mont_modulus *mmm;
+	mp_err res = MP_OKAY;
+
+	mmm = (mp_mont_modulus *) meth->extra1;
+	MP_CHECKOK(mpl_lsh(a, r, mmm->b));
+	MP_CHECKOK(mp_mod(r, &mmm->N, r));
+  CLEANUP:
+	return res;
+}
+
+/* Decode a field element from Montgomery form. */
+mp_err
+ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
+{
+	mp_err res = MP_OKAY;
+
+	if (a != r) {
+		MP_CHECKOK(mp_copy(a, r));
+	}
+	MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
+  CLEANUP:
+	return res;
+}
+
+/* Free the memory allocated to the extra fields of Montgomery GFMethod
+ * object. */
+void
+ec_GFp_extra_free_mont(GFMethod *meth)
+{
+	if (meth->extra1 != NULL) {
+		free(meth->extra1);
+		meth->extra1 = NULL;
+	}
+}
diff --git a/security/nss/lib/freebl/ecl/tests/ec2_test.c b/security/nss/lib/freebl/ecl/tests/ec2_test.c
new file mode 100644
index 000000000..cf6540221
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ec2_test.c
@@ -0,0 +1,516 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpprime.h"
+#include "mp_gf2m.h"
+#include "ecl.h"
+#include "ecl-curve.h"
+#include "ec2.h"
+#include <stdio.h>
+#include <strings.h>
+#include <assert.h>
+
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k) { \
+	double dStart, dNow, dUserTime; \
+	struct rusage ru; \
+	int i; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	for (i = 0; i < k; i++) { \
+		{ op; } \
+	}; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	dUserTime = dNow-dStart; \
+	if (dUserTime) printf("    %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
+}
+
+/* Test curve using generic field arithmetic. */
+#define ECTEST_GENERIC_GF2M(name_c, name) \
+	printf("Testing %s using generic implementation...\n", name_c); \
+	params = EC_GetNamedCurveParams(name); \
+	if (params == NULL) { \
+			printf("  Error: could not construct params.\n"); \
+			res = MP_NO; \
+			goto CLEANUP; \
+	} \
+	ECGroup_free(group); \
+	group = ECGroup_fromHex(params); \
+	if (group == NULL) { \
+		printf("  Error: could not construct group.\n"); \
+		res = MP_NO; \
+		goto CLEANUP; \
+	} \
+	MP_CHECKOK( ectest_curve_GF2m(group, ectestPrint, ectestTime, 1) ); \
+	printf("... okay.\n");
+
+/* Test curve using specific field arithmetic. */
+#define ECTEST_NAMED_GF2M(name_c, name) \
+	printf("Testing %s using specific implementation...\n", name_c); \
+	ECGroup_free(group); \
+	group = ECGroup_fromName(name); \
+	if (group == NULL) { \
+		printf("  Warning: could not construct group.\n"); \
+		printf("... failed; continuing with remaining tests.\n"); \
+	} else { \
+		MP_CHECKOK( ectest_curve_GF2m(group, ectestPrint, ectestTime, 0) ); \
+		printf("... okay.\n"); \
+	}
+
+/* Performs basic tests of elliptic curve cryptography over binary
+ * polynomial fields. If tests fail, then it prints an error message,
+ * aborts, and returns an error code. Otherwise, returns 0. */
+int
+ectest_curve_GF2m(ECGroup *group, int ectestPrint, int ectestTime,
+				  int generic)
+{
+
+	mp_int one, order_1, gx, gy, rx, ry, n;
+	int size;
+	mp_err res;
+	char s[1000];
+
+	/* initialize values */
+	MP_CHECKOK(mp_init(&one));
+	MP_CHECKOK(mp_init(&order_1));
+	MP_CHECKOK(mp_init(&gx));
+	MP_CHECKOK(mp_init(&gy));
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&n));
+
+	MP_CHECKOK(mp_set_int(&one, 1));
+	MP_CHECKOK(mp_sub(&group->order, &one, &order_1));
+
+	/* encode base point */
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth));
+	} else {
+		MP_CHECKOK(mp_copy(&group->genx, &gx));
+		MP_CHECKOK(mp_copy(&group->geny, &gy));
+	}
+
+	if (ectestPrint) {
+		/* output base point */
+		printf("  base point P:\n");
+		MP_CHECKOK(mp_toradix(&gx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&gy, s, 16));
+		printf("    %s\n", s);
+		if (group->meth->field_enc) {
+			printf("  base point P (encoded):\n");
+			MP_CHECKOK(mp_toradix(&group->genx, s, 16));
+			printf("    %s\n", s);
+			MP_CHECKOK(mp_toradix(&group->geny, s, 16));
+			printf("    %s\n", s);
+		}
+	}
+
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ec_GF2m_pt_mul_aff
+			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
+	if (ectestPrint) {
+		printf("  (order-1)*P (affine):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &group->genx) != 0)
+		|| (mp_cmp(&ry, &group->geny) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ec_GF2m_pt_mul_mont
+			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
+	if (ectestPrint) {
+		printf("  (order-1)*P (montgomery):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &group->genx) != 0)
+		|| (mp_cmp(&ry, &group->geny) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+#ifdef ECL_ENABLE_GF2M_PROJ
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ec_GF2m_pt_mul_proj
+			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
+	if (ectestPrint) {
+		printf("  (order-1)*P (projective):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &group->genx) != 0)
+		|| (mp_cmp(&ry, &group->geny) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order-1)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order-1)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ec_GF2m_pt_mul_aff
+			   (&group->order, &group->genx, &group->geny, &rx, &ry,
+				group));
+	if (ectestPrint) {
+		printf("  (order)*P (affine):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ec_GF2m_pt_mul_mont
+			   (&group->order, &group->genx, &group->geny, &rx, &ry,
+				group));
+	if (ectestPrint) {
+		printf("  (order)*P (montgomery):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+#ifdef ECL_ENABLE_GF2M_PROJ
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ec_GF2m_pt_mul_proj
+			   (&group->order, &group->genx, &group->geny, &rx, &ry,
+				group));
+	if (ectestPrint) {
+		printf("  (order)*P (projective):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* check that (order-1)P + (order-1)P + P == (order-1)P */
+	MP_CHECKOK(ECPoints_mul
+			   (group, &order_1, &order_1, &gx, &gy, &rx, &ry));
+	MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry));
+	if (ectestPrint) {
+		printf
+			("  (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* test validate_point function */
+	if (ECPoint_validate(group, &gx, &gy) != MP_YES) {
+		printf("  Error: validate point on base point failed.\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+	MP_CHECKOK(mp_add_d(&gy, 1, &ry));
+	if (ECPoint_validate(group, &gx, &ry) != MP_NO) {
+		printf("  Error: validate point on invalid point passed.\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	if (ectestTime) {
+		/* compute random scalar */
+		size = mpl_significant_bits(&group->meth->irr);
+		if (size < MP_OKAY) {
+			goto CLEANUP;
+		}
+		MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
+		MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth));
+		/* timed test */
+		if (generic) {
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+			M_TimeOperation(MP_CHECKOK
+							(ec_GF2m_pt_mul_aff
+							 (&n, &group->genx, &group->geny, &rx, &ry,
+							  group)), 100);
+#endif
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoints_mul
+							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+		} else {
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoints_mul
+							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+		}
+	}
+
+  CLEANUP:
+	mp_clear(&one);
+	mp_clear(&order_1);
+	mp_clear(&gx);
+	mp_clear(&gy);
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&n);
+	if (res != MP_OKAY) {
+		printf("  Error: exiting with error value %i\n", res);
+	}
+	return res;
+}
+
+/* Prints help information. */
+void
+printUsage()
+{
+	printf("Usage: ecp_test [--print] [--time]\n");
+	printf
+		("	--print     Print out results of each point arithmetic test.\n");
+	printf
+		("	--time      Benchmark point operations and print results.\n");
+}
+
+/* Performs tests of elliptic curve cryptography over binary polynomial
+ * fields. If tests fail, then it prints an error message, aborts, and
+ * returns an error code. Otherwise, returns 0. */
+int
+main(int argv, char **argc)
+{
+
+	int ectestTime = 0;
+	int ectestPrint = 0;
+	int i;
+	ECGroup *group = NULL;
+	ECCurveParams *params = NULL;
+	mp_err res;
+
+	/* read command-line arguments */
+	for (i = 1; i < argv; i++) {
+		if ((strcasecmp(argc[i], "time") == 0)
+			|| (strcasecmp(argc[i], "-time") == 0)
+			|| (strcasecmp(argc[i], "--time") == 0)) {
+			ectestTime = 1;
+		} else if ((strcasecmp(argc[i], "print") == 0)
+				   || (strcasecmp(argc[i], "-print") == 0)
+				   || (strcasecmp(argc[i], "--print") == 0)) {
+			ectestPrint = 1;
+		} else {
+			printUsage();
+			return 0;
+		}
+	}
+
+	/* generic arithmetic tests */
+	ECTEST_GENERIC_GF2M("SECT-131R1", ECCurve_SECG_CHAR2_131R1);
+
+	/* specific arithmetic tests */
+	ECTEST_NAMED_GF2M("NIST-K163", ECCurve_NIST_K163);
+	ECTEST_NAMED_GF2M("NIST-B163", ECCurve_NIST_B163);
+	ECTEST_NAMED_GF2M("NIST-K233", ECCurve_NIST_K233);
+	ECTEST_NAMED_GF2M("NIST-B233", ECCurve_NIST_B233);
+	ECTEST_NAMED_GF2M("NIST-K283", ECCurve_NIST_K283);
+	ECTEST_NAMED_GF2M("NIST-B283", ECCurve_NIST_B283);
+	ECTEST_NAMED_GF2M("NIST-K409", ECCurve_NIST_K409);
+	ECTEST_NAMED_GF2M("NIST-B409", ECCurve_NIST_B409);
+	ECTEST_NAMED_GF2M("NIST-K571", ECCurve_NIST_K571);
+	ECTEST_NAMED_GF2M("NIST-B571", ECCurve_NIST_B571);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB163V1", ECCurve_X9_62_CHAR2_PNB163V1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB163V2", ECCurve_X9_62_CHAR2_PNB163V2);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB163V3", ECCurve_X9_62_CHAR2_PNB163V3);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB176V1", ECCurve_X9_62_CHAR2_PNB176V1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB191V1", ECCurve_X9_62_CHAR2_TNB191V1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB191V2", ECCurve_X9_62_CHAR2_TNB191V2);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB191V3", ECCurve_X9_62_CHAR2_TNB191V3);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB208W1", ECCurve_X9_62_CHAR2_PNB208W1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB239V1", ECCurve_X9_62_CHAR2_TNB239V1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB239V2", ECCurve_X9_62_CHAR2_TNB239V2);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB239V3", ECCurve_X9_62_CHAR2_TNB239V3);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB272W1", ECCurve_X9_62_CHAR2_PNB272W1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB304W1", ECCurve_X9_62_CHAR2_PNB304W1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB359V1", ECCurve_X9_62_CHAR2_TNB359V1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2PNB368W1", ECCurve_X9_62_CHAR2_PNB368W1);
+	ECTEST_NAMED_GF2M("ANSI X9.62 C2TNB431R1", ECCurve_X9_62_CHAR2_TNB431R1);
+	ECTEST_NAMED_GF2M("SECT-113R1", ECCurve_SECG_CHAR2_113R1);
+	ECTEST_NAMED_GF2M("SECT-113R2", ECCurve_SECG_CHAR2_113R2);
+	ECTEST_NAMED_GF2M("SECT-131R1", ECCurve_SECG_CHAR2_131R1);
+	ECTEST_NAMED_GF2M("SECT-131R2", ECCurve_SECG_CHAR2_131R2);
+	ECTEST_NAMED_GF2M("SECT-163K1", ECCurve_SECG_CHAR2_163K1);
+	ECTEST_NAMED_GF2M("SECT-163R1", ECCurve_SECG_CHAR2_163R1);
+	ECTEST_NAMED_GF2M("SECT-163R2", ECCurve_SECG_CHAR2_163R2);
+	ECTEST_NAMED_GF2M("SECT-193R1", ECCurve_SECG_CHAR2_193R1);
+	ECTEST_NAMED_GF2M("SECT-193R2", ECCurve_SECG_CHAR2_193R2);
+	ECTEST_NAMED_GF2M("SECT-233K1", ECCurve_SECG_CHAR2_233K1);
+	ECTEST_NAMED_GF2M("SECT-233R1", ECCurve_SECG_CHAR2_233R1);
+	ECTEST_NAMED_GF2M("SECT-239K1", ECCurve_SECG_CHAR2_239K1);
+	ECTEST_NAMED_GF2M("SECT-283K1", ECCurve_SECG_CHAR2_283K1);
+	ECTEST_NAMED_GF2M("SECT-283R1", ECCurve_SECG_CHAR2_283R1);
+	ECTEST_NAMED_GF2M("SECT-409K1", ECCurve_SECG_CHAR2_409K1);
+	ECTEST_NAMED_GF2M("SECT-409R1", ECCurve_SECG_CHAR2_409R1);
+	ECTEST_NAMED_GF2M("SECT-571K1", ECCurve_SECG_CHAR2_571K1);
+	ECTEST_NAMED_GF2M("SECT-571R1", ECCurve_SECG_CHAR2_571R1);
+	ECTEST_NAMED_GF2M("WTLS-1 (113)", ECCurve_WTLS_1);
+	ECTEST_NAMED_GF2M("WTLS-3 (163)", ECCurve_WTLS_3);
+	ECTEST_NAMED_GF2M("WTLS-4 (113)", ECCurve_WTLS_4);
+	ECTEST_NAMED_GF2M("WTLS-5 (163)", ECCurve_WTLS_5);
+	ECTEST_NAMED_GF2M("WTLS-10 (233)", ECCurve_WTLS_10);
+	ECTEST_NAMED_GF2M("WTLS-11 (233)", ECCurve_WTLS_11);
+
+  CLEANUP:
+	EC_FreeCurveParams(params);
+	ECGroup_free(group);
+	if (res != MP_OKAY) {
+		printf("Error: exiting with error value %i\n", res);
+	}
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/tests/ec_naft.c b/security/nss/lib/freebl/ecl/tests/ec_naft.c
new file mode 100644
index 000000000..490794db7
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ec_naft.c
@@ -0,0 +1,151 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "ecl.h"
+#include "ecp.h"
+#include "ecl-priv.h"
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Returns 2^e as an integer. This is meant to be used for small powers of 
+ * two. */
+int ec_twoTo(int e);
+
+/* Number of bits of scalar to test */
+#define BITSIZE 160
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k) { \
+	double dStart, dNow, dUserTime; \
+	struct rusage ru; \
+	int i; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	for (i = 0; i < k; i++) { \
+		{ op; } \
+	}; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	dUserTime = dNow-dStart; \
+	if (dUserTime) printf("    %-45s\n      k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
+}
+
+/* Tests wNAF computation. Non-adjacent-form is discussed in the paper: D. 
+ * Hankerson, J. Hernandez and A. Menezes, "Software implementation of
+ * elliptic curve cryptography over binary fields", Proc. CHES 2000. */
+
+mp_err
+main(void)
+{
+	signed char naf[BITSIZE + 1];
+	ECGroup *group = NULL;
+	mp_int k;
+	mp_int *scalar;
+	int i, count;
+	int res;
+	int w = 5;
+	char s[1000];
+
+	/* Get a 160 bit scalar to compute wNAF from */
+	group = ECGroup_fromName(ECCurve_SECG_PRIME_160R1);
+	scalar = &group->genx;
+
+	/* Compute wNAF representation of scalar */
+	ec_compute_wNAF(naf, BITSIZE, scalar, w);
+
+	/* Verify correctness of representation */
+	mp_init(&k);				/* init k to 0 */
+
+	for (i = BITSIZE; i >= 0; i--) {
+		mp_add(&k, &k, &k);
+		/* digits in mp_???_d are unsigned */
+		if (naf[i] >= 0) {
+			mp_add_d(&k, naf[i], &k);
+		} else {
+			mp_sub_d(&k, -naf[i], &k);
+		}
+	}
+
+	if (mp_cmp(&k, scalar) != 0) {
+		printf("Error:  incorrect NAF value.\n");
+		MP_CHECKOK(mp_toradix(&k, s, 16));
+		printf("NAF value   %s\n", s);
+		MP_CHECKOK(mp_toradix(scalar, s, 16));
+		printf("original value   %s\n", s);
+		goto CLEANUP;
+	}
+
+	/* Verify digits of representation are valid */
+	for (i = 0; i <= BITSIZE; i++) {
+		if (naf[i] % 2 == 0 && naf[i] != 0) {
+			printf("Error:  Even non-zero digit found.\n");
+			goto CLEANUP;
+		}
+		if (naf[i] < -(ec_twoTo(w - 1)) || naf[i] >= ec_twoTo(w - 1)) {
+			printf("Error:  Magnitude of naf digit too large.\n");
+			goto CLEANUP;
+		}
+	}
+
+	/* Verify sparsity of representation */
+	count = w - 1;
+	for (i = 0; i <= BITSIZE; i++) {
+		if (naf[i] != 0) {
+			if (count < w - 1) {
+				printf("Error:  Sparsity failed.\n");
+				goto CLEANUP;
+			}
+			count = 0;
+		} else
+			count++;
+	}
+
+	/* Check timing */
+	M_TimeOperation(ec_compute_wNAF(naf, BITSIZE, scalar, w), 10000);
+
+	printf("Test passed.\n");
+  CLEANUP:
+	ECGroup_free(group);
+	return MP_OKAY;
+}
diff --git a/security/nss/lib/freebl/ecl/tests/ecp_fpt.c b/security/nss/lib/freebl/ecl/tests/ecp_fpt.c
new file mode 100644
index 000000000..538f4d018
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ecp_fpt.c
@@ -0,0 +1,1123 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Stephen Fung <fungstep@hotmail.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ecp_fp.h"
+#include "mpprime.h"
+
+#include <stdio.h>
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k) { \
+  double dStart, dNow, dUserTime; \
+  struct rusage ru; \
+  int i; \
+  getrusage(RUSAGE_SELF, &ru); \
+  dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+  for (i = 0; i < k; i++) { \
+    { op; } \
+  }; \
+  getrusage(RUSAGE_SELF, &ru); \
+  dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+  dUserTime = dNow-dStart; \
+  if (dUserTime) printf("    %-45s\n      k: %6i, t: %6.2f sec, k/t: %6.2f ops/sec\n", #op, k, dUserTime, k/dUserTime); \
+}
+
+/* Test curve using specific floating point field arithmetic. */
+#define M_TestCurve(name_c, name) { \
+  printf("Testing %s using specific floating point implementation...\n", name_c); \
+  ECGroup_free(ecgroup); \
+  ecgroup = ECGroup_fromName(name); \
+  if (ecgroup == NULL) { \
+    printf("  Warning: could not construct group.\n"); \
+    printf("%s failed.\n", name_c); \
+    res = MP_NO; \
+    goto CLEANUP; \
+  } else { \
+    MP_CHECKOK( testCurve(ecgroup)); \
+    printf("%s passed.\n", name_c); \
+  } \
+}
+
+/* Outputs a floating point double (currently not used) */
+void
+d_output(const double *u, int len, char *name, const EC_group_fp * group)
+{
+	int i;
+
+	printf("%s:  ", name);
+	for (i = 0; i < len; i++) {
+		printf("+ %.2f * 2^%i ", u[i] / ecfp_exp[i],
+			   group->doubleBitSize * i);
+	}
+	printf("\n");
+}
+
+/* Tests a point p in Jacobian coordinates, comparing against the
+ * expected affine result (x, y). */
+mp_err
+testJacPoint(ecfp_jac_pt * p, mp_int *x, mp_int *y, ECGroup *ecgroup)
+{
+	char s[1000];
+	mp_int rx, ry, rz;
+	mp_err res = MP_OKAY;
+
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&rz) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&rz));
+
+	ecfp_fp2i(&rx, p->x, ecgroup);
+	ecfp_fp2i(&ry, p->y, ecgroup);
+	ecfp_fp2i(&rz, p->z, ecgroup);
+
+	/* convert result R to affine coordinates */
+	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
+
+	/* Compare to expected result */
+	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
+		printf("  Error: Jacobian Floating Point Incorrect.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("floating point result\nrx    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry    %s\n", s);
+		MP_CHECKOK(mp_toradix(x, s, 16));
+		printf("integer result\nx   %s\n", s);
+		MP_CHECKOK(mp_toradix(y, s, 16));
+		printf("y   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+  CLEANUP:
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&rz);
+
+	return res;
+}
+
+/* Tests a point p in Chudnovsky Jacobian coordinates, comparing against
+ * the expected affine result (x, y). */
+mp_err
+testChudPoint(ecfp_chud_pt * p, mp_int *x, mp_int *y, ECGroup *ecgroup)
+{
+
+	char s[1000];
+	mp_int rx, ry, rz, rz2, rz3, test;
+	mp_err res = MP_OKAY;
+
+	/* Initialization */
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&rz) = 0;
+	MP_DIGITS(&rz2) = 0;
+	MP_DIGITS(&rz3) = 0;
+	MP_DIGITS(&test) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(mp_init(&rz2));
+	MP_CHECKOK(mp_init(&rz3));
+	MP_CHECKOK(mp_init(&test));
+
+	/* Convert to integers */
+	ecfp_fp2i(&rx, p->x, ecgroup);
+	ecfp_fp2i(&ry, p->y, ecgroup);
+	ecfp_fp2i(&rz, p->z, ecgroup);
+	ecfp_fp2i(&rz2, p->z2, ecgroup);
+	ecfp_fp2i(&rz3, p->z3, ecgroup);
+
+	/* Verify z2, z3 are valid */
+	mp_sqrmod(&rz, &ecgroup->meth->irr, &test);
+	if (mp_cmp(&test, &rz2) != 0) {
+		printf("  Error: rzp2 not valid\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+	mp_mulmod(&test, &rz, &ecgroup->meth->irr, &test);
+	if (mp_cmp(&test, &rz3) != 0) {
+		printf("  Error: rzp2 not valid\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* convert result R to affine coordinates */
+	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
+
+	/* Compare against expected result */
+	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
+		printf("  Error: Chudnovsky Floating Point Incorrect.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("floating point result\nrx    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry    %s\n", s);
+		MP_CHECKOK(mp_toradix(x, s, 16));
+		printf("integer result\nx   %s\n", s);
+		MP_CHECKOK(mp_toradix(y, s, 16));
+		printf("y   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+  CLEANUP:
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&rz);
+	mp_clear(&rz2);
+	mp_clear(&rz3);
+	mp_clear(&test);
+
+	return res;
+}
+
+/* Tests a point p in Modified Jacobian coordinates, comparing against the 
+ * expected affine result (x, y). */
+mp_err
+testJmPoint(ecfp_jm_pt * r, mp_int *x, mp_int *y, ECGroup *ecgroup)
+{
+
+	char s[1000];
+	mp_int rx, ry, rz, raz4, test;
+	mp_err res = MP_OKAY;
+
+	/* Initialization */
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&rz) = 0;
+	MP_DIGITS(&raz4) = 0;
+	MP_DIGITS(&test) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(mp_init(&raz4));
+	MP_CHECKOK(mp_init(&test));
+
+	/* Convert to integer */
+	ecfp_fp2i(&rx, r->x, ecgroup);
+	ecfp_fp2i(&ry, r->y, ecgroup);
+	ecfp_fp2i(&rz, r->z, ecgroup);
+	ecfp_fp2i(&raz4, r->az4, ecgroup);
+
+	/* Verify raz4 = rz^4 * a */
+	mp_sqrmod(&rz, &ecgroup->meth->irr, &test);
+	mp_sqrmod(&test, &ecgroup->meth->irr, &test);
+	mp_mulmod(&test, &ecgroup->curvea, &ecgroup->meth->irr, &test);
+	if (mp_cmp(&test, &raz4) != 0) {
+		printf("  Error: a*z^4 not valid\n");
+		MP_CHECKOK(mp_toradix(&ecgroup->curvea, s, 16));
+		printf("a    %s\n", s);
+		MP_CHECKOK(mp_toradix(&rz, s, 16));
+		printf("rz   %s\n", s);
+		MP_CHECKOK(mp_toradix(&raz4, s, 16));
+		printf("raz4    %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* convert result R to affine coordinates */
+	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
+
+	/* Compare against expected result */
+	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
+		printf("  Error: Modified Jacobian Floating Point Incorrect.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("floating point result\nrx    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry    %s\n", s);
+		MP_CHECKOK(mp_toradix(x, s, 16));
+		printf("integer result\nx   %s\n", s);
+		MP_CHECKOK(mp_toradix(y, s, 16));
+		printf("y   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+  CLEANUP:
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&rz);
+	mp_clear(&raz4);
+	mp_clear(&test);
+
+	return res;
+}
+
+/* Tests point addition of Jacobian + Affine -> Jacobian */
+mp_err
+testPointAddJacAff(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int pz, rx2, ry2, rz2;
+	ecfp_jac_pt p, r;
+	ecfp_aff_pt q;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	/* Init */
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&rz2) = 0;
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&rz2));
+
+	MP_CHECKOK(mp_set_int(&pz, 5));
+
+	/* Set p */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	/* Set q */
+	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
+
+	/* Do calculations */
+	group->pt_add_jac_aff(&p, &q, &r, group);
+
+	/* Do calculation in integer to compare against */
+	MP_CHECKOK(ec_GFp_pt_add_jac_aff
+			   (&ecgroup->genx, &ecgroup->geny, &pz, &ecgroup->geny,
+				&ecgroup->genx, &rx2, &ry2, &rz2, ecgroup));
+	/* convert result R to affine coordinates */
+	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
+
+	MP_CHECKOK(testJacPoint(&r, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Addition - Jacobian & Affine\n");
+	else
+		printf("TEST FAILED - Point Addition - Jacobian & Affine\n");
+
+	mp_clear(&pz);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&rz2);
+
+	return res;
+}
+
+/* Tests point addition in Jacobian coordinates */
+mp_err
+testPointAddJac(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int pz, qz, qx, qy, rx2, ry2, rz2;
+	ecfp_jac_pt p, q, r;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	/* Init */
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&qx) = 0;
+	MP_DIGITS(&qy) = 0;
+	MP_DIGITS(&qz) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&rz2) = 0;
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&qx));
+	MP_CHECKOK(mp_init(&qy));
+	MP_CHECKOK(mp_init(&qz));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&rz2));
+
+	MP_CHECKOK(mp_set_int(&pz, 5));
+	MP_CHECKOK(mp_set_int(&qz, 105));
+
+	/* Set p */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	/* Set q */
+	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(q.z, &qz, ecgroup);
+
+	/* Do calculations */
+	group->pt_add_jac(&p, &q, &r, group);
+
+	/* Do calculation in integer to compare against */
+	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
+					  ecgroup);
+	MP_CHECKOK(ec_GFp_pt_add_jac_aff
+			   (&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy, &rx2, &ry2,
+				&rz2, ecgroup));
+	/* convert result R to affine coordinates */
+	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
+
+	MP_CHECKOK(testJacPoint(&r, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Addition - Jacobian\n");
+	else
+		printf("TEST FAILED - Point Addition - Jacobian\n");
+
+	mp_clear(&pz);
+	mp_clear(&qx);
+	mp_clear(&qy);
+	mp_clear(&qz);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&rz2);
+
+	return res;
+}
+
+/* Tests point addition in Chudnovsky Jacobian Coordinates */
+mp_err
+testPointAddChud(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int rx2, ry2, ix, iy, iz, test, pz, qx, qy, qz;
+	ecfp_chud_pt p, q, r;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&qx) = 0;
+	MP_DIGITS(&qy) = 0;
+	MP_DIGITS(&qz) = 0;
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&ix) = 0;
+	MP_DIGITS(&iy) = 0;
+	MP_DIGITS(&iz) = 0;
+	MP_DIGITS(&test) = 0;
+
+	MP_CHECKOK(mp_init(&qx));
+	MP_CHECKOK(mp_init(&qy));
+	MP_CHECKOK(mp_init(&qz));
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&ix));
+	MP_CHECKOK(mp_init(&iy));
+	MP_CHECKOK(mp_init(&iz));
+	MP_CHECKOK(mp_init(&test));
+
+	/* Test Chudnovsky form addition */
+	/* Set p */
+	MP_CHECKOK(mp_set_int(&pz, 5));
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	mp_sqrmod(&pz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(p.z2, &test, ecgroup);
+	mp_mulmod(&test, &pz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(p.z3, &test, ecgroup);
+
+	/* Set q */
+	MP_CHECKOK(mp_set_int(&qz, 105));
+	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(q.z, &qz, ecgroup);
+	mp_sqrmod(&qz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(q.z2, &test, ecgroup);
+	mp_mulmod(&test, &qz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(q.z3, &test, ecgroup);
+
+	group->pt_add_chud(&p, &q, &r, group);
+
+	/* Calculate addition to compare against */
+	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
+					  ecgroup);
+	ec_GFp_pt_add_jac_aff(&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy,
+						  &ix, &iy, &iz, ecgroup);
+	ec_GFp_pt_jac2aff(&ix, &iy, &iz, &rx2, &ry2, ecgroup);
+
+	MP_CHECKOK(testChudPoint(&r, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Addition - Chudnovsky Jacobian\n");
+	else
+		printf("TEST FAILED - Point Addition - Chudnovsky Jacobian\n");
+
+	mp_clear(&qx);
+	mp_clear(&qy);
+	mp_clear(&qz);
+	mp_clear(&pz);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&ix);
+	mp_clear(&iy);
+	mp_clear(&iz);
+	mp_clear(&test);
+
+	return res;
+}
+
+/* Tests point addition in Modified Jacobian + Chudnovsky Jacobian ->
+ * Modified Jacobian coordinates. */
+mp_err
+testPointAddJmChud(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int rx2, ry2, ix, iy, iz, test, pz, paz4, qx, qy, qz;
+	ecfp_chud_pt q;
+	ecfp_jm_pt p, r;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&qx) = 0;
+	MP_DIGITS(&qy) = 0;
+	MP_DIGITS(&qz) = 0;
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&paz4) = 0;
+	MP_DIGITS(&iz) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&ix) = 0;
+	MP_DIGITS(&iy) = 0;
+	MP_DIGITS(&iz) = 0;
+	MP_DIGITS(&test) = 0;
+
+	MP_CHECKOK(mp_init(&qx));
+	MP_CHECKOK(mp_init(&qy));
+	MP_CHECKOK(mp_init(&qz));
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&paz4));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&ix));
+	MP_CHECKOK(mp_init(&iy));
+	MP_CHECKOK(mp_init(&iz));
+	MP_CHECKOK(mp_init(&test));
+
+	/* Test Modified Jacobian form addition */
+	/* Set p */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
+	/* paz4 = az^4 */
+	MP_CHECKOK(mp_set_int(&pz, 5));
+	mp_sqrmod(&pz, &ecgroup->meth->irr, &paz4);
+	mp_sqrmod(&paz4, &ecgroup->meth->irr, &paz4);
+	mp_mulmod(&paz4, &ecgroup->curvea, &ecgroup->meth->irr, &paz4);
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	ecfp_i2fp(p.az4, &paz4, ecgroup);
+
+	/* Set q */
+	MP_CHECKOK(mp_set_int(&qz, 105));
+	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(q.z, &qz, ecgroup);
+	mp_sqrmod(&qz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(q.z2, &test, ecgroup);
+	mp_mulmod(&test, &qz, &ecgroup->meth->irr, &test);
+	ecfp_i2fp(q.z3, &test, ecgroup);
+
+	/* Do calculation */
+	group->pt_add_jm_chud(&p, &q, &r, group);
+
+	/* Calculate addition to compare against */
+	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
+					  ecgroup);
+	ec_GFp_pt_add_jac_aff(&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy,
+						  &ix, &iy, &iz, ecgroup);
+	ec_GFp_pt_jac2aff(&ix, &iy, &iz, &rx2, &ry2, ecgroup);
+
+	MP_CHECKOK(testJmPoint(&r, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf
+			("  Test Passed - Point Addition - Modified & Chudnovsky Jacobian\n");
+	else
+		printf
+			("TEST FAILED - Point Addition - Modified & Chudnovsky Jacobian\n");
+
+	mp_clear(&qx);
+	mp_clear(&qy);
+	mp_clear(&qz);
+	mp_clear(&pz);
+	mp_clear(&paz4);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&ix);
+	mp_clear(&iy);
+	mp_clear(&iz);
+	mp_clear(&test);
+
+	return res;
+}
+
+/* Tests point doubling in Modified Jacobian coordinates */
+mp_err
+testPointDoubleJm(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int pz, paz4, rx2, ry2, rz2, raz4;
+	ecfp_jm_pt p, r;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&paz4) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&rz2) = 0;
+	MP_DIGITS(&raz4) = 0;
+
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&paz4));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&rz2));
+	MP_CHECKOK(mp_init(&raz4));
+
+	/* Set p */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
+
+	/* paz4 = az^4 */
+	MP_CHECKOK(mp_set_int(&pz, 5));
+	mp_sqrmod(&pz, &ecgroup->meth->irr, &paz4);
+	mp_sqrmod(&paz4, &ecgroup->meth->irr, &paz4);
+	mp_mulmod(&paz4, &ecgroup->curvea, &ecgroup->meth->irr, &paz4);
+
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	ecfp_i2fp(p.az4, &paz4, ecgroup);
+
+	group->pt_dbl_jm(&p, &r, group);
+
+	M_TimeOperation(group->pt_dbl_jm(&p, &r, group), 100000);
+
+	/* Calculate doubling to compare against */
+	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
+					  &rz2, ecgroup);
+	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
+
+	/* Do comparison and check az^4 */
+	MP_CHECKOK(testJmPoint(&r, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Doubling - Modified Jacobian\n");
+	else
+		printf("TEST FAILED - Point Doubling - Modified Jacobian\n");
+	mp_clear(&pz);
+	mp_clear(&paz4);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&rz2);
+	mp_clear(&raz4);
+
+	return res;
+
+}
+
+/* Tests point doubling in Chudnovsky Jacobian coordinates */
+mp_err
+testPointDoubleChud(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int px, py, pz, rx2, ry2, rz2;
+	ecfp_aff_pt p;
+	ecfp_chud_pt p2;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&rz2) = 0;
+	MP_DIGITS(&px) = 0;
+	MP_DIGITS(&py) = 0;
+	MP_DIGITS(&pz) = 0;
+
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&rz2));
+	MP_CHECKOK(mp_init(&px));
+	MP_CHECKOK(mp_init(&py));
+	MP_CHECKOK(mp_init(&pz));
+
+	/* Set p2 = 2P */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
+
+	group->pt_dbl_aff2chud(&p, &p2, group);
+
+	/* Calculate doubling to compare against */
+	MP_CHECKOK(mp_set_int(&pz, 1));
+	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
+					  &rz2, ecgroup);
+	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
+
+	/* Do comparison and check az^4 */
+	MP_CHECKOK(testChudPoint(&p2, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Doubling - Chudnovsky Jacobian\n");
+	else
+		printf("TEST FAILED - Point Doubling - Chudnovsky Jacobian\n");
+
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&rz2);
+	mp_clear(&px);
+	mp_clear(&py);
+	mp_clear(&pz);
+
+	return res;
+}
+
+/* Test point doubling in Jacobian coordinates */
+mp_err
+testPointDoubleJac(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int pz, rx, ry, rz, rx2, ry2, rz2;
+	ecfp_jac_pt p, p2;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&pz) = 0;
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&rz) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&rz2) = 0;
+
+	MP_CHECKOK(mp_init(&pz));
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&rz));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&rz2));
+
+	MP_CHECKOK(mp_set_int(&pz, 5));
+
+	/* Set p2 = 2P */
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(p.z, &pz, ecgroup);
+	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
+
+	group->pt_dbl_jac(&p, &p2, group);
+	M_TimeOperation(group->pt_dbl_jac(&p, &p2, group), 100000);
+
+	/* Calculate doubling to compare against */
+	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
+					  &rz2, ecgroup);
+	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
+
+	/* Do comparison */
+	MP_CHECKOK(testJacPoint(&p2, &rx2, &ry2, ecgroup));
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Doubling - Jacobian\n");
+	else
+		printf("TEST FAILED - Point Doubling - Jacobian\n");
+
+	mp_clear(&pz);
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&rz);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&rz2);
+
+	return res;
+}
+
+/* Tests a point multiplication (various algorithms) */
+mp_err
+testPointMul(ECGroup *ecgroup)
+{
+	mp_err res;
+	char s[1000];
+	mp_int rx, ry, order_1;
+
+	/* Init */
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&order_1) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&order_1));
+
+	MP_CHECKOK(mp_set_int(&order_1, 1));
+	MP_CHECKOK(mp_sub(&ecgroup->order, &order_1, &order_1));
+
+	/* Test Algorithm 1: Jacobian-Affine Double & Add */
+	ec_GFp_pt_mul_jac_fp(&order_1, &ecgroup->genx, &ecgroup->geny, &rx,
+						 &ry, ecgroup);
+	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
+	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
+		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
+		printf
+			("  Error: ec_GFp_pt_mul_jac_fp invalid result (expected (- base point)).\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	ec_GFp_pt_mul_jac_fp(&ecgroup->order, &ecgroup->genx, &ecgroup->geny,
+						 &rx, &ry, ecgroup);
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf
+			("  Error: ec_GFp_pt_mul_jac_fp invalid result (expected point at infinity.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* Test Algorithm 2: 4-bit Window in Jacobian */
+	ec_GFp_point_mul_jac_4w_fp(&order_1, &ecgroup->genx, &ecgroup->geny,
+							   &rx, &ry, ecgroup);
+	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
+	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
+		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
+		printf
+			("  Error: ec_GFp_point_mul_jac_4w_fp invalid result (expected (- base point)).\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	ec_GFp_point_mul_jac_4w_fp(&ecgroup->order, &ecgroup->genx,
+							   &ecgroup->geny, &rx, &ry, ecgroup);
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf
+			("  Error: ec_GFp_point_mul_jac_4w_fp invalid result (expected point at infinity.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* Test Algorithm 3: wNAF with modified Jacobian coordinates */
+	ec_GFp_point_mul_wNAF_fp(&order_1, &ecgroup->genx, &ecgroup->geny, &rx,
+							 &ry, ecgroup);
+	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
+	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
+		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
+		printf
+			("  Error: ec_GFp_pt_mul_wNAF_fp invalid result (expected (- base point)).\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	ec_GFp_point_mul_wNAF_fp(&ecgroup->order, &ecgroup->genx,
+							 &ecgroup->geny, &rx, &ry, ecgroup);
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf
+			("  Error: ec_GFp_pt_mul_wNAF_fp invalid result (expected point at infinity.\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("rx   %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("ry   %s\n", s);
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Multiplication\n");
+	else
+		printf("TEST FAILED - Point Multiplication\n");
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&order_1);
+
+	return res;
+}
+
+/* Tests point multiplication with a random scalar repeatedly, comparing
+ * for consistency within different algorithms. */
+mp_err
+testPointMulRandom(ECGroup *ecgroup)
+{
+	mp_err res;
+	mp_int rx, ry, rx2, ry2, n;
+	int i, size;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&rx2) = 0;
+	MP_DIGITS(&ry2) = 0;
+	MP_DIGITS(&n) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&rx2));
+	MP_CHECKOK(mp_init(&ry2));
+	MP_CHECKOK(mp_init(&n));
+
+	for (i = 0; i < 100; i++) {
+		/* compute random scalar */
+		size = mpl_significant_bits(&ecgroup->meth->irr);
+		if (size < MP_OKAY) {
+			res = MP_NO;
+			goto CLEANUP;
+		}
+		MP_CHECKOK(mpp_random_size(&n, group->orderBitSize));
+		MP_CHECKOK(mp_mod(&n, &ecgroup->order, &n));
+
+		ec_GFp_pt_mul_jac(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
+						  ecgroup);
+		ec_GFp_pt_mul_jac_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx2,
+							 &ry2, ecgroup);
+
+		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
+			printf
+				("  Error: different results for Point Multiplication - Double & Add.\n");
+			res = MP_NO;
+			goto CLEANUP;
+		}
+
+		ec_GFp_point_mul_wNAF_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx,
+								 &ry, ecgroup);
+		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
+			printf
+				("  Error: different results for Point Multiplication - wNAF.\n");
+			res = MP_NO;
+			goto CLEANUP;
+		}
+
+		ec_GFp_point_mul_jac_4w_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx,
+								   &ry, ecgroup);
+		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
+			printf
+				("  Error: different results for Point Multiplication - 4 bit window.\n");
+			res = MP_NO;
+			goto CLEANUP;
+		}
+
+	}
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Random Multiplication\n");
+	else
+		printf("TEST FAILED - Point Random Multiplication\n");
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&rx2);
+	mp_clear(&ry2);
+	mp_clear(&n);
+
+	return res;
+}
+
+/* Tests the time required for a point multiplication */
+mp_err
+testPointMulTime(ECGroup *ecgroup)
+{
+	mp_err res = MP_OKAY;
+	mp_int rx, ry, n;
+	int size;
+
+	MP_DIGITS(&rx) = 0;
+	MP_DIGITS(&ry) = 0;
+	MP_DIGITS(&n) = 0;
+
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&n));
+
+	/* compute random scalar */
+	size = mpl_significant_bits(&ecgroup->meth->irr);
+	if (size < MP_OKAY) {
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
+	MP_CHECKOK(ecgroup->meth->field_mod(&n, &n, ecgroup->meth));
+
+	M_TimeOperation(ec_GFp_pt_mul_jac_fp
+					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
+					 ecgroup), 1000);
+
+	M_TimeOperation(ec_GFp_point_mul_jac_4w_fp
+					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
+					 ecgroup), 1000);
+
+	M_TimeOperation(ec_GFp_point_mul_wNAF_fp
+					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
+					 ecgroup), 1000);
+
+	M_TimeOperation(ec_GFp_pt_mul_jac
+					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
+					 ecgroup), 100);
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Point Multiplication Timing\n");
+	else
+		printf("TEST FAILED - Point Multiplication Timing\n");
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&n);
+
+	return res;
+}
+
+/* Tests pre computation of Chudnovsky Jacobian points used in wNAF form */
+mp_err
+testPreCompute(ECGroup *ecgroup)
+{
+	ecfp_chud_pt precomp[16];
+	ecfp_aff_pt p;
+	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
+	int i;
+	mp_err res;
+
+	mp_int x, y, ny, x2, y2;
+
+	MP_DIGITS(&x) = 0;
+	MP_DIGITS(&y) = 0;
+	MP_DIGITS(&ny) = 0;
+	MP_DIGITS(&x2) = 0;
+	MP_DIGITS(&y2) = 0;
+
+	MP_CHECKOK(mp_init(&x));
+	MP_CHECKOK(mp_init(&y));
+	MP_CHECKOK(mp_init(&ny));
+	MP_CHECKOK(mp_init(&x2));
+	MP_CHECKOK(mp_init(&y2));
+
+	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
+	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
+	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
+
+	/* Perform precomputation */
+	group->precompute_chud(precomp, &p, group);
+
+	M_TimeOperation(group->precompute_chud(precomp, &p, group), 10000);
+
+	/* Calculate addition to compare against */
+	MP_CHECKOK(mp_copy(&ecgroup->genx, &x));
+	MP_CHECKOK(mp_copy(&ecgroup->geny, &y));
+	MP_CHECKOK(ecgroup->meth->field_neg(&y, &ny, ecgroup->meth));
+
+	ec_GFp_pt_dbl_aff(&x, &y, &x2, &y2, ecgroup);
+
+	for (i = 0; i < 8; i++) {
+		MP_CHECKOK(testChudPoint(&precomp[8 + i], &x, &y, ecgroup));
+		MP_CHECKOK(testChudPoint(&precomp[7 - i], &x, &ny, ecgroup));
+		ec_GFp_pt_add_aff(&x, &y, &x2, &y2, &x, &y, ecgroup);
+		MP_CHECKOK(ecgroup->meth->field_neg(&y, &ny, ecgroup->meth));
+	}
+
+  CLEANUP:
+	if (res == MP_OKAY)
+		printf("  Test Passed - Precomputation\n");
+	else
+		printf("TEST FAILED - Precomputation\n");
+
+	mp_clear(&x);
+	mp_clear(&y);
+	mp_clear(&ny);
+	mp_clear(&x2);
+	mp_clear(&y2);
+	return res;
+}
+
+/* Given a curve using floating point arithmetic, test it. This method
+ * specifies which of the above tests to run. */
+mp_err
+testCurve(ECGroup *ecgroup)
+{
+	int res = MP_OKAY;
+
+	MP_CHECKOK(testPointAddJacAff(ecgroup));
+	MP_CHECKOK(testPointAddJac(ecgroup));
+	MP_CHECKOK(testPointAddChud(ecgroup));
+	MP_CHECKOK(testPointAddJmChud(ecgroup));
+	MP_CHECKOK(testPointDoubleJac(ecgroup));
+	MP_CHECKOK(testPointDoubleChud(ecgroup));
+	MP_CHECKOK(testPointDoubleJm(ecgroup));
+	MP_CHECKOK(testPreCompute(ecgroup));
+	MP_CHECKOK(testPointMul(ecgroup));
+	MP_CHECKOK(testPointMulRandom(ecgroup));
+	MP_CHECKOK(testPointMulTime(ecgroup));
+  CLEANUP:
+	return res;
+}
+
+/* Tests a number of curves optimized using floating point arithmetic */
+int
+main(void)
+{
+	mp_err res = MP_OKAY;
+	ECGroup *ecgroup = NULL;
+
+	/* specific arithmetic tests */
+	M_TestCurve("SECG-160R1", ECCurve_SECG_PRIME_160R1);
+	M_TestCurve("SECG-192R1", ECCurve_SECG_PRIME_192R1);
+	M_TestCurve("SEGC-224R1", ECCurve_SECG_PRIME_224R1);
+
+  CLEANUP:
+	ECGroup_free(ecgroup);
+	if (res != MP_OKAY) {
+		printf("Error: exiting with error value %i\n", res);
+	}
+	return res;
+}
diff --git a/security/nss/lib/freebl/ecl/tests/ecp_test.c b/security/nss/lib/freebl/ecl/tests/ecp_test.c
new file mode 100644
index 000000000..eb2844fe5
--- /dev/null
+++ b/security/nss/lib/freebl/ecl/tests/ecp_test.c
@@ -0,0 +1,460 @@
+/* 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for prime field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpprime.h"
+#include "ecl.h"
+#include "ecl-curve.h"
+#include "ecp.h"
+#include <stdio.h>
+#include <strings.h>
+#include <assert.h>
+
+#include <time.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+/* Time k repetitions of operation op. */
+#define M_TimeOperation(op, k) { \
+	double dStart, dNow, dUserTime; \
+	struct rusage ru; \
+	int i; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	for (i = 0; i < k; i++) { \
+		{ op; } \
+	}; \
+	getrusage(RUSAGE_SELF, &ru); \
+	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
+	dUserTime = dNow-dStart; \
+	if (dUserTime) printf("    %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
+}
+
+/* Test curve using generic field arithmetic. */
+#define ECTEST_GENERIC_GFP(name_c, name) \
+	printf("Testing %s using generic implementation...\n", name_c); \
+	params = EC_GetNamedCurveParams(name); \
+	if (params == NULL) { \
+			printf("  Error: could not construct params.\n"); \
+			res = MP_NO; \
+			goto CLEANUP; \
+	} \
+	ECGroup_free(group); \
+	group = ECGroup_fromHex(params); \
+	if (group == NULL) { \
+		printf("  Error: could not construct group.\n"); \
+		res = MP_NO; \
+		goto CLEANUP; \
+	} \
+	MP_CHECKOK( ectest_curve_GFp(group, ectestPrint, ectestTime, 1) ); \
+	printf("... okay.\n");
+
+/* Test curve using specific field arithmetic. */
+#define ECTEST_NAMED_GFP(name_c, name) \
+	printf("Testing %s using specific implementation...\n", name_c); \
+	ECGroup_free(group); \
+	group = ECGroup_fromName(name); \
+	if (group == NULL) { \
+		printf("  Warning: could not construct group.\n"); \
+		printf("... failed; continuing with remaining tests.\n"); \
+	} else { \
+		MP_CHECKOK( ectest_curve_GFp(group, ectestPrint, ectestTime, 0) ); \
+		printf("... okay.\n"); \
+	}
+
+/* Performs basic tests of elliptic curve cryptography over prime fields.
+ * If tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+int
+ectest_curve_GFp(ECGroup *group, int ectestPrint, int ectestTime,
+				 int generic)
+{
+
+	mp_int one, order_1, gx, gy, rx, ry, n;
+	int size;
+	mp_err res;
+	char s[1000];
+
+	/* initialize values */
+	MP_CHECKOK(mp_init(&one));
+	MP_CHECKOK(mp_init(&order_1));
+	MP_CHECKOK(mp_init(&gx));
+	MP_CHECKOK(mp_init(&gy));
+	MP_CHECKOK(mp_init(&rx));
+	MP_CHECKOK(mp_init(&ry));
+	MP_CHECKOK(mp_init(&n));
+
+	MP_CHECKOK(mp_set_int(&one, 1));
+	MP_CHECKOK(mp_sub(&group->order, &one, &order_1));
+
+	/* encode base point */
+	if (group->meth->field_dec) {
+		MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth));
+		MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth));
+	} else {
+		MP_CHECKOK(mp_copy(&group->genx, &gx));
+		MP_CHECKOK(mp_copy(&group->geny, &gy));
+	}
+	if (ectestPrint) {
+		/* output base point */
+		printf("  base point P:\n");
+		MP_CHECKOK(mp_toradix(&gx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&gy, s, 16));
+		printf("    %s\n", s);
+		if (group->meth->field_enc) {
+			printf("  base point P (encoded):\n");
+			MP_CHECKOK(mp_toradix(&group->genx, s, 16));
+			printf("    %s\n", s);
+			MP_CHECKOK(mp_toradix(&group->geny, s, 16));
+			printf("    %s\n", s);
+		}
+	}
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ec_GFp_pt_mul_aff
+			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
+	if (ectestPrint) {
+		printf("  (order-1)*P (affine):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
+	if ((mp_cmp(&rx, &group->genx) != 0)
+		|| (mp_cmp(&ry, &group->geny) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ec_GFp_pt_mul_jac
+			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
+	if (ectestPrint) {
+		printf("  (order-1)*P (jacobian):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
+	if ((mp_cmp(&rx, &group->genx) != 0)
+		|| (mp_cmp(&ry, &group->geny) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order-1)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* multiply base point by order - 1 and check for negative of base
+	 * point */
+	MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order-1)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ec_GFp_pt_mul_aff
+			   (&group->order, &group->genx, &group->geny, &rx, &ry,
+				group));
+	if (ectestPrint) {
+		printf("  (order)*P (affine):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ec_GFp_pt_mul_jac
+			   (&group->order, &group->genx, &group->geny, &rx, &ry,
+				group));
+	if (ectestPrint) {
+		printf("  (order)*P (jacobian):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+#endif
+
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* multiply base point by order and check for point at infinity */
+	MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry));
+	if (ectestPrint) {
+		printf("  (order)*P (ECPoint_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
+		printf("  Error: invalid result (expected point at infinity).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* check that (order-1)P + (order-1)P + P == (order-1)P */
+	MP_CHECKOK(ECPoints_mul
+			   (group, &order_1, &order_1, &gx, &gy, &rx, &ry));
+	MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry));
+	if (ectestPrint) {
+		printf
+			("  (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n");
+		MP_CHECKOK(mp_toradix(&rx, s, 16));
+		printf("    %s\n", s);
+		MP_CHECKOK(mp_toradix(&ry, s, 16));
+		printf("    %s\n", s);
+	}
+	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
+	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
+		printf("  Error: invalid result (expected (- base point)).\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	/* test validate_point function */
+	if (ECPoint_validate(group, &gx, &gy) != MP_YES) {
+		printf("  Error: validate point on base point failed.\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+	MP_CHECKOK(mp_add_d(&gy, 1, &ry));
+	if (ECPoint_validate(group, &gx, &ry) != MP_NO) {
+		printf("  Error: validate point on invalid point passed.\n");
+		res = MP_NO;
+		goto CLEANUP;
+	}
+
+	if (ectestTime) {
+		/* compute random scalar */
+		size = mpl_significant_bits(&group->meth->irr);
+		if (size < MP_OKAY) {
+			goto CLEANUP;
+		}
+		MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
+		MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth));
+		/* timed test */
+		if (generic) {
+#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
+			M_TimeOperation(MP_CHECKOK
+							(ec_GFp_pt_mul_aff
+							 (&n, &group->genx, &group->geny, &rx, &ry,
+							  group)), 100);
+#endif
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoints_mul
+							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+		} else {
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)),
+							100);
+			M_TimeOperation(MP_CHECKOK
+							(ECPoints_mul
+							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
+		}
+	}
+
+  CLEANUP:
+	mp_clear(&one);
+	mp_clear(&order_1);
+	mp_clear(&gx);
+	mp_clear(&gy);
+	mp_clear(&rx);
+	mp_clear(&ry);
+	mp_clear(&n);
+	if (res != MP_OKAY) {
+		printf("  Error: exiting with error value %i\n", res);
+	}
+	return res;
+}
+
+/* Prints help information. */
+void
+printUsage()
+{
+	printf("Usage: ecp_test [--print] [--time]\n");
+	printf
+		("	--print     Print out results of each point arithmetic test.\n");
+	printf
+		("	--time      Benchmark point operations and print results.\n");
+}
+
+/* Performs tests of elliptic curve cryptography over prime fields If
+ * tests fail, then it prints an error message, aborts, and returns an
+ * error code. Otherwise, returns 0. */
+int
+main(int argv, char **argc)
+{
+
+	int ectestTime = 0;
+	int ectestPrint = 0;
+	int i;
+	ECGroup *group = NULL;
+	ECCurveParams *params = NULL;
+	mp_err res;
+
+	/* read command-line arguments */
+	for (i = 1; i < argv; i++) {
+		if ((strcasecmp(argc[i], "time") == 0)
+			|| (strcasecmp(argc[i], "-time") == 0)
+			|| (strcasecmp(argc[i], "--time") == 0)) {
+			ectestTime = 1;
+		} else if ((strcasecmp(argc[i], "print") == 0)
+				   || (strcasecmp(argc[i], "-print") == 0)
+				   || (strcasecmp(argc[i], "--print") == 0)) {
+			ectestPrint = 1;
+		} else {
+			printUsage();
+			return 0;
+		}
+	}
+
+	/* generic arithmetic tests */
+	ECTEST_GENERIC_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
+
+	/* specific arithmetic tests */
+	ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192);
+	ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224);
+	ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256);
+	ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384);
+	ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3);
+	ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1);
+	ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1);
+	ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2);
+	ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1);
+	ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2);
+	ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
+	ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
+	ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
+	ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
+	ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
+	ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
+	ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
+	ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1);
+	ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1);
+	ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1);
+	ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1);
+	ECTEST_NAMED_GFP("WTLS-6 (112)", ECCurve_WTLS_6);
+	ECTEST_NAMED_GFP("WTLS-7 (160)", ECCurve_WTLS_7);
+	ECTEST_NAMED_GFP("WTLS-8 (112)", ECCurve_WTLS_8);
+	ECTEST_NAMED_GFP("WTLS-9 (160)", ECCurve_WTLS_9);
+	ECTEST_NAMED_GFP("WTLS-12 (224)", ECCurve_WTLS_12);
+
+  CLEANUP:
+	EC_FreeCurveParams(params);
+	ECGroup_free(group);
+	if (res != MP_OKAY) {
+		printf("Error: exiting with error value %i\n", res);
+	}
+	return res;
+}
diff --git a/security/nss/lib/freebl/freebl.def b/security/nss/lib/freebl/freebl.def
new file mode 100644
index 000000000..61b3337c2
--- /dev/null
+++ b/security/nss/lib/freebl/freebl.def
@@ -0,0 +1,58 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSSprivate_3.11 {               # NSS 3.11 release
+;+    global:
+LIBRARY freebl3 ;-
+EXPORTS	;-
+FREEBL_GetVector;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/freebl/freebl.rc b/security/nss/lib/freebl/freebl.rc
new file mode 100644
index 000000000..c8dc397c8
--- /dev/null
+++ b/security/nss/lib/freebl/freebl.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "freebl"
+#define MY_FILEDESCRIPTION "NSS freebl Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/freebl/freeblver.c b/security/nss/lib/freebl/freeblver.c
new file mode 100644
index 000000000..2c5954534
--- /dev/null
+++ b/security/nss/lib/freebl/freeblver.c
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "softkver.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_freebl_rcsid[] = "$Header: NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_freebl_sccsid[] = "@(#)NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/freebl/genload.c b/security/nss/lib/freebl/genload.c
new file mode 100644
index 000000000..fac6e22b0
--- /dev/null
+++ b/security/nss/lib/freebl/genload.c
@@ -0,0 +1,191 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *   Kai Engert <kengert@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file is meant to be included by other .c files.
+ * This file takes a "parameter", the scope which includes this
+ * code shall declare this variable:
+ *   const char *NameOfThisSharedLib;
+ *
+ * NameOfThisSharedLib:
+ *   The file name of the shared library that shall be used as the 
+ *   "reference library". The loader will attempt to load the requested
+ *   library from the same directory as the reference library.
+ */
+
+#ifdef XP_UNIX
+#include <unistd.h>
+#define BL_MAXSYMLINKS 20
+
+/*
+ * If 'link' is a symbolic link, this function follows the symbolic links
+ * and returns the pathname of the ultimate source of the symbolic links.
+ * If 'link' is not a symbolic link, this function returns NULL.
+ * The caller should call PR_Free to free the string returned by this
+ * function.
+ */
+static char* loader_GetOriginalPathname(const char* link)
+{
+    char* resolved = NULL;
+    char* input = NULL;
+    PRUint32 iterations = 0;
+    PRInt32 len = 0, retlen = 0;
+    if (!link) {
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return NULL;
+    }
+    len = PR_MAX(1024, strlen(link) + 1);
+    resolved = PR_Malloc(len);
+    input = PR_Malloc(len);
+    if (!resolved || !input) {
+        if (resolved) {
+            PR_Free(resolved);
+        }
+        if (input) {
+            PR_Free(input);
+        }
+        return NULL;
+    }
+    strcpy(input, link);
+    while ( (iterations++ < BL_MAXSYMLINKS) &&
+            ( (retlen = readlink(input, resolved, len - 1)) > 0) ) {
+        char* tmp = input;
+        resolved[retlen] = '\0'; /* NULL termination */
+        input = resolved;
+        resolved = tmp;
+    }
+    PR_Free(resolved);
+    if (iterations == 1 && retlen < 0) {
+        PR_Free(input);
+        input = NULL;
+    }
+    return input;
+}
+#endif /* XP_UNIX */
+
+/*
+ * Load the library with the file name 'name' residing in the same
+ * directory as the reference library, whose pathname is 'referencePath'.
+ */
+static PRLibrary *
+loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
+{
+    PRLibrary *dlh = NULL;
+    char *fullName = NULL;
+    char* c;
+    PRLibSpec libSpec;
+
+    /* Remove the trailing filename from referencePath and add the new one */
+    c = strrchr(referencePath, PR_GetDirectorySeparator());
+    if (c) {
+        size_t referencePathSize = 1 + c - referencePath;
+        fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 1);
+        if (fullName) {
+            memcpy(fullName, referencePath, referencePathSize);
+            strcpy(fullName + referencePathSize, name); 
+#ifdef DEBUG_LOADER
+            PR_fprintf(PR_STDOUT, "\nAttempting to load fully-qualified %s\n", 
+                       fullName);
+#endif
+            libSpec.type = PR_LibSpec_Pathname;
+            libSpec.value.pathname = fullName;
+            dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+            PORT_Free(fullName);
+        }
+    }
+    return dlh;
+}
+
+/*
+ * We use PR_GetLibraryFilePathname to get the pathname of the loaded 
+ * shared lib that contains this function, and then do a PR_LoadLibrary
+ * with an absolute pathname for the softoken shared library.
+ */
+
+static PRLibrary *
+loader_LoadLibrary(const char *nameToLoad)
+{
+    PRLibrary *lib = NULL;
+    char* fullPath = NULL;
+    PRLibSpec libSpec;
+
+    /* Get the pathname for nameOfAlreadyLoadedLib, i.e. /usr/lib/libnss3.so
+     * PR_GetLibraryFilePathname works with either the base library name or a
+     * function pointer, depending on the platform. We can't query an exported
+     * symbol such as NSC_GetFunctionList, because on some platforms we can't
+     * find symbols in loaded implicit dependencies.
+     * But we can just get the address of this function !
+     */
+    fullPath = PR_GetLibraryFilePathname(NameOfThisSharedLib,
+                                         (PRFuncPtr)&loader_LoadLibrary);
+
+    if (fullPath) {
+        lib = loader_LoadLibInReferenceDir(fullPath, nameToLoad);
+#ifdef XP_UNIX
+        if (!lib) {
+            /*
+             * If fullPath is a symbolic link, resolve the symbolic
+             * link and try again.
+             */
+            char* originalfullPath = loader_GetOriginalPathname(fullPath);
+            if (originalfullPath) {
+                PR_Free(fullPath);
+                fullPath = originalfullPath;
+                lib = loader_LoadLibInReferenceDir(fullPath, nameToLoad);
+            }
+        }
+#endif
+        PR_Free(fullPath);
+    }
+    if (!lib) {
+#ifdef DEBUG_LOADER
+        PR_fprintf(PR_STDOUT, "\nAttempting to load %s\n", nameToLoad);
+#endif
+        libSpec.type = PR_LibSpec_Pathname;
+        libSpec.value.pathname = nameToLoad;
+        lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+    }
+    if (NULL == lib) {
+#ifdef DEBUG_LOADER
+        PR_fprintf(PR_STDOUT, "\nLoading failed : %s.\n", nameToLoad);
+#endif
+    }
+    return lib;
+}
+
diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c
new file mode 100644
index 000000000..9fa51e6eb
--- /dev/null
+++ b/security/nss/lib/freebl/ldvector.c
@@ -0,0 +1,255 @@
+/*
+ * ldvector.c - platform dependent DSO containing freebl implementation.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "loader.h"
+#include "alghmac.h"
+
+static const struct FREEBLVectorStr vector = 
+{
+
+    sizeof vector,
+    FREEBL_VERSION,
+
+    RSA_NewKey,
+    RSA_PublicKeyOp,
+    RSA_PrivateKeyOp,
+    DSA_NewKey,
+    DSA_SignDigest,
+    DSA_VerifyDigest,
+    DSA_NewKeyFromSeed,
+    DSA_SignDigestWithSeed,
+    DH_GenParam,
+    DH_NewKey,
+    DH_Derive,
+    KEA_Derive,
+    KEA_Verify,
+    RC4_CreateContext,
+    RC4_DestroyContext,
+    RC4_Encrypt,
+    RC4_Decrypt,
+    RC2_CreateContext,
+    RC2_DestroyContext,
+    RC2_Encrypt,
+    RC2_Decrypt,
+    RC5_CreateContext,
+    RC5_DestroyContext,
+    RC5_Encrypt,
+    RC5_Decrypt,
+    DES_CreateContext,
+    DES_DestroyContext,
+    DES_Encrypt,
+    DES_Decrypt,
+    AES_CreateContext,
+    AES_DestroyContext,
+    AES_Encrypt,
+    AES_Decrypt,
+    MD5_Hash,
+    MD5_HashBuf,
+    MD5_NewContext,
+    MD5_DestroyContext,
+    MD5_Begin,
+    MD5_Update,
+    MD5_End,
+    MD5_FlattenSize,
+    MD5_Flatten,
+    MD5_Resurrect,
+    MD5_TraceState,
+    MD2_Hash,
+    MD2_NewContext,
+    MD2_DestroyContext,
+    MD2_Begin,
+    MD2_Update,
+    MD2_End,
+    MD2_FlattenSize,
+    MD2_Flatten,
+    MD2_Resurrect,
+    SHA1_Hash,
+    SHA1_HashBuf,
+    SHA1_NewContext,
+    SHA1_DestroyContext,
+    SHA1_Begin,
+    SHA1_Update,
+    SHA1_End,
+    SHA1_TraceState,
+    SHA1_FlattenSize,
+    SHA1_Flatten,
+    SHA1_Resurrect,
+    RNG_RNGInit,
+    RNG_RandomUpdate,
+    RNG_GenerateGlobalRandomBytes,
+    RNG_RNGShutdown,
+    PQG_ParamGen,
+    PQG_ParamGenSeedLen,
+    PQG_VerifyParams,
+
+    /* End of Version 3.001. */
+
+    RSA_PrivateKeyOpDoubleChecked,
+    RSA_PrivateKeyCheck,
+    BL_Cleanup,
+
+    /* End of Version 3.002. */
+
+    SHA256_NewContext,
+    SHA256_DestroyContext,
+    SHA256_Begin,
+    SHA256_Update,
+    SHA256_End,
+    SHA256_HashBuf,
+    SHA256_Hash,
+    SHA256_TraceState,
+    SHA256_FlattenSize,
+    SHA256_Flatten,
+    SHA256_Resurrect,
+
+    SHA512_NewContext,
+    SHA512_DestroyContext,
+    SHA512_Begin,
+    SHA512_Update,
+    SHA512_End,
+    SHA512_HashBuf,
+    SHA512_Hash,
+    SHA512_TraceState,
+    SHA512_FlattenSize,
+    SHA512_Flatten,
+    SHA512_Resurrect,
+
+    SHA384_NewContext,
+    SHA384_DestroyContext,
+    SHA384_Begin,
+    SHA384_Update,
+    SHA384_End,
+    SHA384_HashBuf,
+    SHA384_Hash,
+    SHA384_TraceState,
+    SHA384_FlattenSize,
+    SHA384_Flatten,
+    SHA384_Resurrect,
+
+    /* End of Version 3.003. */
+
+    AESKeyWrap_CreateContext,
+    AESKeyWrap_DestroyContext,
+    AESKeyWrap_Encrypt,
+    AESKeyWrap_Decrypt,
+
+    /* End of Version 3.004. */
+
+    BLAPI_SHVerify,
+    BLAPI_VerifySelf,
+
+    /* End of Version 3.005. */
+
+    EC_NewKey,
+    EC_NewKeyFromSeed,
+    EC_ValidatePublicKey,
+    ECDH_Derive,
+    ECDSA_SignDigest,
+    ECDSA_VerifyDigest,
+    ECDSA_SignDigestWithSeed,
+
+    /* End of Version 3.006. */
+    /* End of Version 3.007. */
+
+    AES_InitContext,
+    AESKeyWrap_InitContext,
+    DES_InitContext,
+    RC2_InitContext,
+    RC4_InitContext,
+
+    AES_AllocateContext,
+    AESKeyWrap_AllocateContext,
+    DES_AllocateContext,
+    RC2_AllocateContext,
+    RC4_AllocateContext,
+
+    MD2_Clone,
+    MD5_Clone,
+    SHA1_Clone,
+    SHA256_Clone,
+    SHA384_Clone,
+    SHA512_Clone,
+
+    TLS_PRF,
+    HASH_GetRawHashObject,
+
+    HMAC_Create,
+    HMAC_Init,
+    HMAC_Begin,
+    HMAC_Update,
+    HMAC_Clone,
+    HMAC_Finish,
+    HMAC_Destroy,
+
+    RNG_SystemInfoForRNG,
+
+    /* End of Version 3.008. */
+
+    FIPS186Change_GenerateX,
+    FIPS186Change_ReduceModQForDSA,
+
+    /* End of Version 3.009. */
+    Camellia_InitContext,
+    Camellia_AllocateContext,
+    Camellia_CreateContext,
+    Camellia_DestroyContext,
+    Camellia_Encrypt,
+    Camellia_Decrypt,
+
+    /* End of Version 3.010. */
+    PQG_DestroyParams,
+    PQG_DestroyVerify,
+
+};
+
+const FREEBLVector * 
+FREEBL_GetVector(void)
+{
+    extern const char __nss_freebl_rcsid[];
+    extern const char __nss_freebl_sccsid[];
+
+    /* force a reference that won't get optimized away */
+    volatile char c;
+
+    c = __nss_freebl_rcsid[0] + __nss_freebl_sccsid[0]; 
+    return &vector;
+}
+
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
new file mode 100644
index 000000000..01a1d6059
--- /dev/null
+++ b/security/nss/lib/freebl/loader.c
@@ -0,0 +1,1595 @@
+/*
+ * loader.c - load platform dependent DSO containing freebl implementation.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "loader.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "prinit.h"
+#include "prenv.h"
+
+static const char* default_name =
+    SHLIB_PREFIX"freebl"SHLIB_VERSION"."SHLIB_SUFFIX;
+
+/* getLibName() returns the name of the library to load. */
+
+#if defined(SOLARIS) && defined(__sparc)
+#include <stddef.h>
+#include <strings.h>
+#include <sys/systeminfo.h>
+
+
+#if defined(NSS_USE_64)
+
+const static char fpu_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
+const static char int_hybrid_shared_lib[] = "libfreebl_64int_3.so";
+const static char non_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
+
+const static char int_hybrid_isa[] = "sparcv9";
+const static char fpu_hybrid_isa[] = "sparcv9+vis";
+
+#else
+
+const static char fpu_hybrid_shared_lib[] = "libfreebl_32fpu_3.so";
+const static char int_hybrid_shared_lib[] = "libfreebl_32int64_3.so";
+const static char non_hybrid_shared_lib[] = "libfreebl_32int_3.so";
+
+const static char int_hybrid_isa[] = "sparcv8plus";
+const static char fpu_hybrid_isa[] = "sparcv8plus+vis";
+
+#endif
+
+static const char *
+getLibName(void)
+{
+    char * found_int_hybrid;
+    char * found_fpu_hybrid;
+    long buflen;
+    char buf[256];
+
+    buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
+    if (buflen <= 0) 
+	return NULL;
+    /* sysinfo output is always supposed to be NUL terminated, but ... */
+    if (buflen < sizeof buf) 
+    	buf[buflen] = '\0';
+    else
+    	buf[(sizeof buf) - 1] = '\0';
+    /* The ISA list is a space separated string of names of ISAs and
+     * ISA extensions, in order of decreasing performance.
+     * There are two different ISAs with which NSS's crypto code can be
+     * accelerated. If both are in the list, we take the first one.
+     * If one is in the list, we use it, and if neither then we use
+     * the base unaccelerated code.
+     */
+    found_int_hybrid = strstr(buf, int_hybrid_isa);
+    found_fpu_hybrid = strstr(buf, fpu_hybrid_isa);
+    if (found_fpu_hybrid && 
+	(!found_int_hybrid ||
+	 (found_int_hybrid - found_fpu_hybrid) >= 0)) {
+	return fpu_hybrid_shared_lib;
+    }
+    if (found_int_hybrid) {
+	return int_hybrid_shared_lib;
+    }
+    return non_hybrid_shared_lib;
+}
+
+#elif defined(HPUX) && !defined(NSS_USE_64) && !defined(__ia64)
+/* This code tests to see if we're running on a PA2.x CPU.
+** It returns true (1) if so, and false (0) otherwise.
+*/
+static const char *
+getLibName(void)
+{
+    long cpu = sysconf(_SC_CPU_VERSION);
+    return (cpu == CPU_PA_RISC2_0) 
+		? "libfreebl_32fpu_3.sl"
+	        : "libfreebl_32int32_3.sl" ;
+}
+#else
+/* default case, for platforms/ABIs that have only one freebl shared lib. */
+static const char * getLibName(void) { return default_name; }
+#endif
+
+#include "prio.h"
+#include "prprf.h"
+#include <stdio.h>
+#include "prsystem.h"
+
+static const char *NameOfThisSharedLib = 
+  SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX;
+
+static PRLibrary* blLib;
+
+#define LSB(x) ((x)&0xff)
+#define MSB(x) ((x)>>8)
+
+static const FREEBLVector *vector;
+static const char *libraryName = NULL;
+
+#include "genload.c"
+
+/* This function must be run only once. */
+/*  determine if hybrid platform, then actually load the DSO. */
+static PRStatus
+freebl_LoadDSO( void ) 
+{
+  PRLibrary *  handle;
+  const char * name = getLibName();
+
+  if (!name) {
+    PR_SetError(PR_LOAD_LIBRARY_ERROR, 0);
+    return PR_FAILURE;
+  }
+
+  handle = loader_LoadLibrary(name);
+  if (handle) {
+    PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
+    PRStatus status;
+    if (address) {
+      FREEBLGetVectorFn  * getVector = (FREEBLGetVectorFn *)address;
+      const FREEBLVector * dsoVector = getVector();
+      if (dsoVector) {
+	unsigned short dsoVersion = dsoVector->version;
+	unsigned short  myVersion = FREEBL_VERSION;
+	if (MSB(dsoVersion) == MSB(myVersion) && 
+	    LSB(dsoVersion) >= LSB(myVersion) &&
+	    dsoVector->length >= sizeof(FREEBLVector)) {
+          vector = dsoVector;
+	  libraryName = name;
+	  blLib = handle;
+	  return PR_SUCCESS;
+	}
+      }
+    }
+    status = PR_UnloadLibrary(handle);
+    PORT_Assert(PR_SUCCESS == status);
+  }
+  return PR_FAILURE;
+}
+
+static const PRCallOnceType pristineCallOnce;
+static PRCallOnceType loadFreeBLOnce;
+
+static PRStatus
+freebl_RunLoaderOnce( void )
+{
+  PRStatus status;
+
+  status = PR_CallOnce(&loadFreeBLOnce, &freebl_LoadDSO);
+  return status;
+}
+
+
+RSAPrivateKey * 
+RSA_NewKey(int keySizeInBits, SECItem * publicExponent)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RSA_NewKey)(keySizeInBits, publicExponent);
+}
+
+SECStatus 
+RSA_PublicKeyOp(RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PublicKeyOp)(key, output, input);
+}
+
+SECStatus 
+RSA_PrivateKeyOp(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyOp)(key, output, input);
+}
+
+SECStatus
+RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
+                              unsigned char *output,
+                              const unsigned char *input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyOpDoubleChecked)(key, output, input);
+}
+
+SECStatus
+RSA_PrivateKeyCheck(RSAPrivateKey *key)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyCheck)(key);
+}
+
+SECStatus 
+DSA_NewKey(const PQGParams * params, DSAPrivateKey ** privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_NewKey)(params, privKey);
+}
+
+SECStatus 
+DSA_SignDigest(DSAPrivateKey * key, SECItem * signature, const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_SignDigest)( key,  signature,  digest);
+}
+
+SECStatus 
+DSA_VerifyDigest(DSAPublicKey * key, const SECItem * signature, 
+                 const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_VerifyDigest)( key,  signature,  digest);
+}
+
+SECStatus 
+DSA_NewKeyFromSeed(const PQGParams *params, const unsigned char * seed,
+                   DSAPrivateKey **privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_NewKeyFromSeed)(params,  seed, privKey);
+}
+
+SECStatus 
+DSA_SignDigestWithSeed(DSAPrivateKey * key, SECItem * signature,
+		       const SECItem * digest, const unsigned char * seed)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_SignDigestWithSeed)( key, signature, digest, seed);
+}
+
+SECStatus 
+DH_GenParam(int primeLen, DHParams ** params)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_GenParam)(primeLen, params);
+}
+
+SECStatus 
+DH_NewKey(DHParams * params, DHPrivateKey ** privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_NewKey)( params, privKey);
+}
+
+SECStatus 
+DH_Derive(SECItem * publicValue, SECItem * prime, SECItem * privateValue, 
+			 SECItem * derivedSecret, unsigned int maxOutBytes)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_Derive)( publicValue, prime, privateValue, 
+				derivedSecret, maxOutBytes);
+}
+
+SECStatus 
+KEA_Derive(SECItem *prime, SECItem *public1, SECItem *public2, 
+	   SECItem *private1, SECItem *private2, SECItem *derivedSecret)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_KEA_Derive)(prime, public1, public2, 
+	                        private1, private2, derivedSecret);
+}
+
+PRBool 
+KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return PR_FALSE;
+  return (vector->p_KEA_Verify)(Y, prime, subPrime);
+}
+
+RC4Context *
+RC4_CreateContext(const unsigned char *key, int len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC4_CreateContext)(key, len);
+}
+
+void 
+RC4_DestroyContext(RC4Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC4_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC4_Encrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC4_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+RC4_Decrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC4_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+RC2Context *
+RC2_CreateContext(const unsigned char *key, unsigned int len,
+		  const unsigned char *iv, int mode, unsigned effectiveKeyLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC2_CreateContext)(key, len, iv, mode, effectiveKeyLen);
+}
+
+void 
+RC2_DestroyContext(RC2Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC2_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC2_Encrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC2_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+RC2_Decrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC2_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+RC5Context *
+RC5_CreateContext(const SECItem *key, unsigned int rounds,
+		  unsigned int wordSize, const unsigned char *iv, int mode)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC5_CreateContext)(key, rounds, wordSize, iv, mode);
+}
+
+void 
+RC5_DestroyContext(RC5Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC5_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC5_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+				 inputLen);
+}
+
+SECStatus 
+RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC5_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+DESContext *
+DES_CreateContext(const unsigned char *key, const unsigned char *iv,
+		  int mode, PRBool encrypt)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_DES_CreateContext)(key, iv, mode, encrypt);
+}
+
+void 
+DES_DestroyContext(DESContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_DES_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+DES_Encrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DES_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+DES_Decrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DES_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+AESContext *
+AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                  int mode, int encrypt,
+                  unsigned int keylen, unsigned int blocklen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_AES_CreateContext)(key, iv, mode, encrypt, keylen, 
+				       blocklen);
+}
+
+void 
+AES_DestroyContext(AESContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_AES_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AES_Encrypt)(cx, output, outputLen, maxOutputLen, 
+				 input, inputLen);
+}
+
+SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AES_Decrypt)(cx, output, outputLen, maxOutputLen, 
+				 input, inputLen);
+}
+
+SECStatus 
+MD5_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_Hash)(dest, src);
+}
+
+SECStatus 
+MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_HashBuf)(dest, src, src_length);
+}
+
+MD5Context *
+MD5_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD5_NewContext)();
+}
+
+void 
+MD5_DestroyContext(MD5Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_DestroyContext)(cx, freeit);
+}
+
+void 
+MD5_Begin(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_Begin)(cx);
+}
+
+void 
+MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_Update)(cx, input, inputLen);
+}
+
+void 
+MD5_End(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+unsigned int 
+MD5_FlattenSize(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_MD5_FlattenSize)(cx);
+}
+
+SECStatus 
+MD5_Flatten(MD5Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_Flatten)(cx, space);
+}
+
+MD5Context * 
+MD5_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD5_Resurrect)(space, arg);
+}
+
+void 
+MD5_TraceState(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD5_TraceState)(cx);
+}
+
+SECStatus 
+MD2_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD2_Hash)(dest, src);
+}
+
+MD2Context *
+MD2_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD2_NewContext)();
+}
+
+void 
+MD2_DestroyContext(MD2Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_DestroyContext)(cx, freeit);
+}
+
+void 
+MD2_Begin(MD2Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_Begin)(cx);
+}
+
+void 
+MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_Update)(cx, input, inputLen);
+}
+
+void 
+MD2_End(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+unsigned int 
+MD2_FlattenSize(MD2Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_MD2_FlattenSize)(cx);
+}
+
+SECStatus 
+MD2_Flatten(MD2Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD2_Flatten)(cx, space);
+}
+
+MD2Context * 
+MD2_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD2_Resurrect)(space, arg);
+}
+
+
+SECStatus 
+SHA1_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_Hash)(dest, src);
+}
+
+SECStatus 
+SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_HashBuf)(dest, src, src_length);
+}
+
+SHA1Context *
+SHA1_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA1_NewContext)();
+}
+
+void 
+SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_DestroyContext)(cx, freeit);
+}
+
+void 
+SHA1_Begin(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_Begin)(cx);
+}
+
+void 
+SHA1_Update(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_Update)(cx, input, inputLen);
+}
+
+void 
+SHA1_End(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void 
+SHA1_TraceState(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_TraceState)(cx);
+}
+
+unsigned int 
+SHA1_FlattenSize(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA1_FlattenSize)(cx);
+}
+
+SECStatus 
+SHA1_Flatten(SHA1Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_Flatten)(cx, space);
+}
+
+SHA1Context * 
+SHA1_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA1_Resurrect)(space, arg);
+}
+
+SECStatus 
+RNG_RNGInit(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_RNGInit)();
+}
+
+SECStatus 
+RNG_RandomUpdate(const void *data, size_t bytes)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_RandomUpdate)(data, bytes);
+}
+
+SECStatus 
+RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_GenerateGlobalRandomBytes)(dest, len);
+}
+
+void  
+RNG_RNGShutdown(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_RNG_RNGShutdown)();
+}
+
+SECStatus
+PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_ParamGen)(j, pParams, pVfy); 
+}
+
+SECStatus
+PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, 
+                     PQGParams **pParams, PQGVerify **pVfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_ParamGenSeedLen)(j, seedBytes, pParams, pVfy);
+}
+
+SECStatus   
+PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
+		 SECStatus *result)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_VerifyParams)(params, vfy, result);
+}
+
+void   
+PQG_DestroyParams(PQGParams *params)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_PQG_DestroyParams)(params);
+}
+
+void   
+PQG_DestroyVerify(PQGVerify *vfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_PQG_DestroyVerify)(vfy);
+}
+
+void 
+BL_Cleanup(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_BL_Cleanup)();
+}
+
+void
+BL_Unload(void)
+{
+  /* This function is not thread-safe, but doesn't need to be, because it is
+   * only called from functions that are also defined as not thread-safe,
+   * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
+   * from NSS_Shutdown. */
+  char *disableUnload = NULL;
+  vector = NULL;
+  /* If an SSL socket is configured with SSL_BYPASS_PKCS11, but the application
+   * never does a handshake on it, BL_Unload will be called even though freebl
+   * was never loaded. So, don't assert blLib. */
+  if (blLib) {
+      disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+      if (!disableUnload) {
+          PRStatus status = PR_UnloadLibrary(blLib);
+          PORT_Assert(PR_SUCCESS == status);
+      }
+      blLib = NULL;
+  }
+  loadFreeBLOnce = pristineCallOnce;
+}
+
+/* ============== New for 3.003 =============================== */
+
+SECStatus 
+SHA256_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA256_Hash)(dest, src);
+}
+
+SECStatus 
+SHA256_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA256_HashBuf)(dest, src, src_length);
+}
+
+SHA256Context *
+SHA256_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA256_NewContext)();
+}
+
+void 
+SHA256_DestroyContext(SHA256Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA256_DestroyContext)(cx, freeit);
+}
+
+void 
+SHA256_Begin(SHA256Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA256_Begin)(cx);
+}
+
+void 
+SHA256_Update(SHA256Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA256_Update)(cx, input, inputLen);
+}
+
+void 
+SHA256_End(SHA256Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA256_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void 
+SHA256_TraceState(SHA256Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA256_TraceState)(cx);
+}
+
+unsigned int 
+SHA256_FlattenSize(SHA256Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA256_FlattenSize)(cx);
+}
+
+SECStatus 
+SHA256_Flatten(SHA256Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA256_Flatten)(cx, space);
+}
+
+SHA256Context * 
+SHA256_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA256_Resurrect)(space, arg);
+}
+
+SECStatus 
+SHA512_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA512_Hash)(dest, src);
+}
+
+SECStatus 
+SHA512_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA512_HashBuf)(dest, src, src_length);
+}
+
+SHA512Context *
+SHA512_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA512_NewContext)();
+}
+
+void 
+SHA512_DestroyContext(SHA512Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA512_DestroyContext)(cx, freeit);
+}
+
+void 
+SHA512_Begin(SHA512Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA512_Begin)(cx);
+}
+
+void 
+SHA512_Update(SHA512Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA512_Update)(cx, input, inputLen);
+}
+
+void 
+SHA512_End(SHA512Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA512_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void 
+SHA512_TraceState(SHA512Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA512_TraceState)(cx);
+}
+
+unsigned int 
+SHA512_FlattenSize(SHA512Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA512_FlattenSize)(cx);
+}
+
+SECStatus 
+SHA512_Flatten(SHA512Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA512_Flatten)(cx, space);
+}
+
+SHA512Context * 
+SHA512_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA512_Resurrect)(space, arg);
+}
+
+
+SECStatus 
+SHA384_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA384_Hash)(dest, src);
+}
+
+SECStatus 
+SHA384_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA384_HashBuf)(dest, src, src_length);
+}
+
+SHA384Context *
+SHA384_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA384_NewContext)();
+}
+
+void 
+SHA384_DestroyContext(SHA384Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA384_DestroyContext)(cx, freeit);
+}
+
+void 
+SHA384_Begin(SHA384Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA384_Begin)(cx);
+}
+
+void 
+SHA384_Update(SHA384Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA384_Update)(cx, input, inputLen);
+}
+
+void 
+SHA384_End(SHA384Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA384_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void 
+SHA384_TraceState(SHA384Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA384_TraceState)(cx);
+}
+
+unsigned int 
+SHA384_FlattenSize(SHA384Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA384_FlattenSize)(cx);
+}
+
+SECStatus 
+SHA384_Flatten(SHA384Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA384_Flatten)(cx, space);
+}
+
+SHA384Context * 
+SHA384_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA384_Resurrect)(space, arg);
+}
+
+
+AESKeyWrapContext *
+AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                         int encrypt, unsigned int keylen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return vector->p_AESKeyWrap_CreateContext(key, iv, encrypt, keylen);
+}
+
+void 
+AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  vector->p_AESKeyWrap_DestroyContext(cx, freeit);
+}
+
+SECStatus 
+AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
+		   unsigned int *outputLen, unsigned int maxOutputLen,
+		   const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return vector->p_AESKeyWrap_Encrypt(cx, output, outputLen, maxOutputLen,
+                                      input, inputLen);
+}
+SECStatus 
+AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
+		   unsigned int *outputLen, unsigned int maxOutputLen,
+		   const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return vector->p_AESKeyWrap_Decrypt(cx, output, outputLen, maxOutputLen,
+		                      input, inputLen);
+}
+
+PRBool
+BLAPI_SHVerify(const char *name, PRFuncPtr addr)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return PR_FALSE;
+  return vector->p_BLAPI_SHVerify(name, addr);
+}
+
+/*
+ * The Caller is expected to pass NULL as the name, which will
+ * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. If we really loaded
+ * from a shared library, BLAPI_VerifySelf will get pick up the real name
+ * from the static set in freebl_LoadDSO( void ) 
+ */
+PRBool
+BLAPI_VerifySelf(const char *name)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return PR_FALSE;
+  return vector->p_BLAPI_VerifySelf(libraryName);
+}
+
+/* ============== New for 3.006 =============================== */
+
+SECStatus 
+EC_NewKey(ECParams * params, ECPrivateKey ** privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_EC_NewKey)( params, privKey );
+}
+
+SECStatus 
+EC_NewKeyFromSeed(ECParams * params, ECPrivateKey ** privKey,
+    const unsigned char *seed, int seedlen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_EC_NewKeyFromSeed)( params, privKey, seed, seedlen );
+}
+
+SECStatus 
+EC_ValidatePublicKey(ECParams * params, SECItem * publicValue)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_EC_ValidatePublicKey)( params, publicValue );
+}
+
+SECStatus 
+ECDH_Derive(SECItem * publicValue, ECParams * params, SECItem * privateValue,
+            PRBool withCofactor, SECItem * derivedSecret)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ECDH_Derive)( publicValue, params, privateValue,
+                                  withCofactor, derivedSecret );
+}
+
+SECStatus
+ECDSA_SignDigest(ECPrivateKey * key, SECItem * signature,
+    const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ECDSA_SignDigest)( key, signature, digest );
+}
+
+SECStatus
+ECDSA_VerifyDigest(ECPublicKey * key, const SECItem * signature,
+    const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ECDSA_VerifyDigest)( key, signature, digest );
+}
+
+SECStatus
+ECDSA_SignDigestWithSeed(ECPrivateKey * key, SECItem * signature,
+    const SECItem * digest, const unsigned char *seed, const int seedlen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_ECDSA_SignDigestWithSeed)( key, signature, digest, 
+      seed, seedlen );
+}
+
+/* ============== New for 3.008 =============================== */
+
+AESContext *
+AES_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_AES_AllocateContext)();
+}
+
+AESKeyWrapContext *
+AESKeyWrap_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_AESKeyWrap_AllocateContext)();
+}
+
+DESContext *
+DES_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_DES_AllocateContext)();
+}
+
+RC2Context *
+RC2_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC2_AllocateContext)();
+}
+
+RC4Context *
+RC4_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC4_AllocateContext)();
+}
+
+SECStatus 
+AES_InitContext(AESContext *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *iv, int mode,
+		unsigned int encrypt, unsigned int blocklen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AES_InitContext)(cx, key, keylen, iv, mode, encrypt, 
+				     blocklen);
+}
+
+SECStatus 
+AESKeyWrap_InitContext(AESKeyWrapContext *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *iv, int mode,
+		unsigned int encrypt, unsigned int blocklen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AESKeyWrap_InitContext)(cx, key, keylen, iv, mode, 
+					    encrypt, blocklen);
+}
+
+SECStatus 
+DES_InitContext(DESContext *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *iv, int mode,
+		unsigned int encrypt, unsigned int xtra)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DES_InitContext)(cx, key, keylen, iv, mode, encrypt, xtra);
+}
+
+SECStatus 
+RC2_InitContext(RC2Context *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *iv, int mode,
+		unsigned int effectiveKeyLen, unsigned int xtra)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC2_InitContext)(cx, key, keylen, iv, mode, 
+				     effectiveKeyLen, xtra);
+}
+
+SECStatus 
+RC4_InitContext(RC4Context *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *x1, int x2,
+		unsigned int x3, unsigned int x4)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC4_InitContext)(cx, key, keylen, x1, x2, x3, x4);
+}
+
+void 
+MD2_Clone(MD2Context *dest, MD2Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD2_Clone)(dest, src);
+}
+
+void 
+MD5_Clone(MD5Context *dest, MD5Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_Clone)(dest, src);
+}
+
+void 
+SHA1_Clone(SHA1Context *dest, SHA1Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA1_Clone)(dest, src);
+}
+
+void 
+SHA256_Clone(SHA256Context *dest, SHA256Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA256_Clone)(dest, src);
+}
+
+void 
+SHA384_Clone(SHA384Context *dest, SHA384Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA384_Clone)(dest, src);
+}
+
+void 
+SHA512_Clone(SHA512Context *dest, SHA512Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA512_Clone)(dest, src);
+}
+
+SECStatus 
+TLS_PRF(const SECItem *secret, const char *label, 
+		     SECItem *seed, SECItem *result, PRBool isFIPS)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_TLS_PRF)(secret, label, seed, result, isFIPS);
+}
+
+const SECHashObject *
+HASH_GetRawHashObject(HASH_HashType hashType)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_HASH_GetRawHashObject)(hashType);
+}
+
+
+void
+HMAC_Destroy(HMACContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_HMAC_Destroy)(cx, freeit);
+}
+
+HMACContext *
+HMAC_Create(const SECHashObject *hashObj, const unsigned char *secret, 
+	    unsigned int secret_len, PRBool isFIPS)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_HMAC_Create)(hashObj, secret, secret_len, isFIPS);
+}
+
+SECStatus
+HMAC_Init(HMACContext *cx, const SECHashObject *hashObj, 
+	  const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_HMAC_Init)(cx, hashObj, secret, secret_len, isFIPS);
+}
+
+void
+HMAC_Begin(HMACContext *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_HMAC_Begin)(cx);
+}
+
+void 
+HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_HMAC_Update)(cx, data, data_len);
+}
+
+SECStatus
+HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
+	    unsigned int max_result_len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_HMAC_Finish)(cx, result, result_len, max_result_len);
+}
+
+HMACContext *
+HMAC_Clone(HMACContext *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_HMAC_Clone)(cx);
+}
+
+void
+RNG_SystemInfoForRNG(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_RNG_SystemInfoForRNG)();
+
+}
+
+SECStatus
+FIPS186Change_GenerateX(unsigned char *XKEY, const unsigned char *XSEEDj,
+                        unsigned char *x_j)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_FIPS186Change_GenerateX)(XKEY, XSEEDj, x_j);
+}
+
+SECStatus
+FIPS186Change_ReduceModQForDSA(const unsigned char *w,
+                               const unsigned char *q,
+                               unsigned char *xj)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_FIPS186Change_ReduceModQForDSA)(w, q, xj);
+}
+
+/* === new for Camellia === */
+SECStatus 
+Camellia_InitContext(CamelliaContext *cx, const unsigned char *key, 
+		unsigned int keylen, const unsigned char *iv, int mode,
+		unsigned int encrypt, unsigned int unused)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_Camellia_InitContext)(cx, key, keylen, iv, mode, encrypt,
+					  unused);
+}
+
+CamelliaContext *
+Camellia_AllocateContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_Camellia_AllocateContext)();
+}
+
+
+CamelliaContext *
+Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 
+		       int mode, int encrypt,
+		       unsigned int keylen)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return NULL;
+    return (vector->p_Camellia_CreateContext)(key, iv, mode, encrypt, keylen);
+}
+
+void 
+Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return ;
+    (vector->p_Camellia_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
+		 unsigned int *outputLen, unsigned int maxOutputLen,
+		 const unsigned char *input, unsigned int inputLen)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return SECFailure;
+    return (vector->p_Camellia_Encrypt)(cx, output, outputLen, maxOutputLen, 
+					input, inputLen);
+}
+
+SECStatus 
+Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
+		 unsigned int *outputLen, unsigned int maxOutputLen,
+		 const unsigned char *input, unsigned int inputLen)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return SECFailure;
+    return (vector->p_Camellia_Decrypt)(cx, output, outputLen, maxOutputLen, 
+					input, inputLen);
+}
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
new file mode 100644
index 000000000..fc912d419
--- /dev/null
+++ b/security/nss/lib/freebl/loader.h
@@ -0,0 +1,506 @@
+/*
+ * loader.h - load platform dependent DSO containing freebl implementation.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _LOADER_H_
+#define _LOADER_H_ 1
+
+#include "blapi.h"
+
+#define FREEBL_VERSION 0x030A
+
+struct FREEBLVectorStr {
+
+  unsigned short length;  /* of this struct in bytes */
+  unsigned short version; /* of this struct. */
+
+  RSAPrivateKey * (* p_RSA_NewKey)(int         keySizeInBits,
+				 SECItem *   publicExponent);
+
+  SECStatus (* p_RSA_PublicKeyOp) (RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input);
+
+  SECStatus (* p_RSA_PrivateKeyOp)(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input);
+
+  SECStatus (* p_DSA_NewKey)(const PQGParams *    params, 
+		            DSAPrivateKey **      privKey);
+
+  SECStatus (* p_DSA_SignDigest)(DSAPrivateKey *   key,
+				SECItem *         signature,
+				const SECItem *   digest);
+
+  SECStatus (* p_DSA_VerifyDigest)(DSAPublicKey *  key,
+				  const SECItem *  signature,
+				  const SECItem *  digest);
+
+  SECStatus (* p_DSA_NewKeyFromSeed)(const PQGParams *params, 
+				     const unsigned char * seed,
+                                     DSAPrivateKey **privKey);
+
+  SECStatus (* p_DSA_SignDigestWithSeed)(DSAPrivateKey * key,
+				        SECItem *             signature,
+				        const SECItem *       digest,
+				        const unsigned char * seed);
+
+ SECStatus (* p_DH_GenParam)(int primeLen, DHParams ** params);
+
+ SECStatus (* p_DH_NewKey)(DHParams *           params, 
+                           DHPrivateKey **	privKey);
+
+ SECStatus (* p_DH_Derive)(SECItem *    publicValue, 
+		           SECItem *    prime, 
+			   SECItem *    privateValue, 
+			   SECItem *    derivedSecret,
+			   unsigned int maxOutBytes);
+
+ SECStatus (* p_KEA_Derive)(SECItem *prime, 
+                            SECItem *public1, 
+                            SECItem *public2, 
+			    SECItem *private1, 
+			    SECItem *private2,
+			    SECItem *derivedSecret);
+
+ PRBool (* p_KEA_Verify)(SECItem *Y, SECItem *prime, SECItem *subPrime);
+
+ RC4Context * (* p_RC4_CreateContext)(const unsigned char *key, int len);
+
+ void (* p_RC4_DestroyContext)(RC4Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC4_Encrypt)(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC4_Decrypt)(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ RC2Context * (* p_RC2_CreateContext)(const unsigned char *key, 
+                     unsigned int len, const unsigned char *iv, 
+		     int mode, unsigned effectiveKeyLen);
+
+ void (* p_RC2_DestroyContext)(RC2Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC2_Encrypt)(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC2_Decrypt)(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ RC5Context *(* p_RC5_CreateContext)(const SECItem *key, unsigned int rounds,
+                     unsigned int wordSize, const unsigned char *iv, int mode);
+
+ void (* p_RC5_DestroyContext)(RC5Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC5_Encrypt)(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC5_Decrypt)(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+ DESContext *(* p_DES_CreateContext)(const unsigned char *key, 
+                                     const unsigned char *iv,
+				     int mode, PRBool encrypt);
+
+ void (* p_DES_DestroyContext)(DESContext *cx, PRBool freeit);
+
+ SECStatus (* p_DES_Encrypt)(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_DES_Decrypt)(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ AESContext * (* p_AES_CreateContext)(const unsigned char *key, 
+                            const unsigned char *iv, 
+			    int mode, int encrypt, unsigned int keylen, 
+			    unsigned int blocklen);
+
+ void (* p_AES_DestroyContext)(AESContext *cx, PRBool freeit);
+
+ SECStatus (* p_AES_Encrypt)(AESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_AES_Decrypt)(AESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_MD5_Hash)(unsigned char *dest, const char *src);
+
+ SECStatus (* p_MD5_HashBuf)(unsigned char *dest, const unsigned char *src,
+			     uint32 src_length);
+
+ MD5Context *(* p_MD5_NewContext)(void);
+
+ void (* p_MD5_DestroyContext)(MD5Context *cx, PRBool freeit);
+
+ void (* p_MD5_Begin)(MD5Context *cx);
+
+ void (* p_MD5_Update)(MD5Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+ void (* p_MD5_End)(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+ unsigned int (* p_MD5_FlattenSize)(MD5Context *cx);
+
+ SECStatus (* p_MD5_Flatten)(MD5Context *cx,unsigned char *space);
+
+ MD5Context * (* p_MD5_Resurrect)(unsigned char *space, void *arg);
+
+ void (* p_MD5_TraceState)(MD5Context *cx);
+
+ SECStatus (* p_MD2_Hash)(unsigned char *dest, const char *src);
+
+ MD2Context *(* p_MD2_NewContext)(void);
+
+ void (* p_MD2_DestroyContext)(MD2Context *cx, PRBool freeit);
+
+ void (* p_MD2_Begin)(MD2Context *cx);
+
+ void (* p_MD2_Update)(MD2Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+ void (* p_MD2_End)(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+ unsigned int (* p_MD2_FlattenSize)(MD2Context *cx);
+
+ SECStatus (* p_MD2_Flatten)(MD2Context *cx,unsigned char *space);
+
+ MD2Context * (* p_MD2_Resurrect)(unsigned char *space, void *arg);
+
+ SECStatus (* p_SHA1_Hash)(unsigned char *dest, const char *src);
+
+ SECStatus (* p_SHA1_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+
+ SHA1Context *(* p_SHA1_NewContext)(void);
+
+ void (* p_SHA1_DestroyContext)(SHA1Context *cx, PRBool freeit);
+
+ void (* p_SHA1_Begin)(SHA1Context *cx);
+
+ void (* p_SHA1_Update)(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+
+ void (* p_SHA1_End)(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+
+ void (* p_SHA1_TraceState)(SHA1Context *cx);
+
+ unsigned int (* p_SHA1_FlattenSize)(SHA1Context *cx);
+
+ SECStatus (* p_SHA1_Flatten)(SHA1Context *cx,unsigned char *space);
+
+ SHA1Context * (* p_SHA1_Resurrect)(unsigned char *space, void *arg);
+
+ SECStatus (* p_RNG_RNGInit)(void);
+
+ SECStatus (* p_RNG_RandomUpdate)(const void *data, size_t bytes);
+
+ SECStatus (* p_RNG_GenerateGlobalRandomBytes)(void *dest, size_t len);
+
+ void  (* p_RNG_RNGShutdown)(void);
+
+ SECStatus (* p_PQG_ParamGen)(unsigned int j, PQGParams **pParams,  
+	                      PQGVerify **pVfy);    
+
+ SECStatus (* p_PQG_ParamGenSeedLen)( unsigned int j, unsigned int seedBytes, 
+                                     PQGParams **pParams, PQGVerify **pVfy); 
+
+ SECStatus (* p_PQG_VerifyParams)(const PQGParams *params, 
+                                  const PQGVerify *vfy, SECStatus *result);
+
+  /* Version 3.001 came to here */
+
+  SECStatus (* p_RSA_PrivateKeyOpDoubleChecked)(RSAPrivateKey *key,
+                              unsigned char *output,
+                              const unsigned char *input);
+
+  SECStatus (* p_RSA_PrivateKeyCheck)(RSAPrivateKey *key);
+
+  void (* p_BL_Cleanup)(void);
+
+  /* Version 3.002 came to here */
+
+ SHA256Context *(* p_SHA256_NewContext)(void);
+ void (* p_SHA256_DestroyContext)(SHA256Context *cx, PRBool freeit);
+ void (* p_SHA256_Begin)(SHA256Context *cx);
+ void (* p_SHA256_Update)(SHA256Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+ void (* p_SHA256_End)(SHA256Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+ SECStatus (* p_SHA256_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+ SECStatus (* p_SHA256_Hash)(unsigned char *dest, const char *src);
+ void (* p_SHA256_TraceState)(SHA256Context *cx);
+ unsigned int (* p_SHA256_FlattenSize)(SHA256Context *cx);
+ SECStatus (* p_SHA256_Flatten)(SHA256Context *cx,unsigned char *space);
+ SHA256Context * (* p_SHA256_Resurrect)(unsigned char *space, void *arg);
+
+ SHA512Context *(* p_SHA512_NewContext)(void);
+ void (* p_SHA512_DestroyContext)(SHA512Context *cx, PRBool freeit);
+ void (* p_SHA512_Begin)(SHA512Context *cx);
+ void (* p_SHA512_Update)(SHA512Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+ void (* p_SHA512_End)(SHA512Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+ SECStatus (* p_SHA512_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+ SECStatus (* p_SHA512_Hash)(unsigned char *dest, const char *src);
+ void (* p_SHA512_TraceState)(SHA512Context *cx);
+ unsigned int (* p_SHA512_FlattenSize)(SHA512Context *cx);
+ SECStatus (* p_SHA512_Flatten)(SHA512Context *cx,unsigned char *space);
+ SHA512Context * (* p_SHA512_Resurrect)(unsigned char *space, void *arg);
+
+ SHA384Context *(* p_SHA384_NewContext)(void);
+ void (* p_SHA384_DestroyContext)(SHA384Context *cx, PRBool freeit);
+ void (* p_SHA384_Begin)(SHA384Context *cx);
+ void (* p_SHA384_Update)(SHA384Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+ void (* p_SHA384_End)(SHA384Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+ SECStatus (* p_SHA384_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+ SECStatus (* p_SHA384_Hash)(unsigned char *dest, const char *src);
+ void (* p_SHA384_TraceState)(SHA384Context *cx);
+ unsigned int (* p_SHA384_FlattenSize)(SHA384Context *cx);
+ SECStatus (* p_SHA384_Flatten)(SHA384Context *cx,unsigned char *space);
+ SHA384Context * (* p_SHA384_Resurrect)(unsigned char *space, void *arg);
+
+  /* Version 3.003 came to here */
+
+ AESKeyWrapContext * (* p_AESKeyWrap_CreateContext)(const unsigned char *key, 
+                   const unsigned char *iv, int encrypt, unsigned int keylen);
+
+ void (* p_AESKeyWrap_DestroyContext)(AESKeyWrapContext *cx, PRBool freeit);
+
+ SECStatus (* p_AESKeyWrap_Encrypt)(AESKeyWrapContext *cx, 
+            unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_AESKeyWrap_Decrypt)(AESKeyWrapContext *cx, 
+            unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+  /* Version 3.004 came to here */
+
+ PRBool (*p_BLAPI_SHVerify)(const char *name, PRFuncPtr addr);
+ PRBool (*p_BLAPI_VerifySelf)(const char *name);
+
+  /* Version 3.005 came to here */
+
+ SECStatus (* p_EC_NewKey)(ECParams *           params, 
+                           ECPrivateKey **	privKey);
+
+ SECStatus (* p_EC_NewKeyFromSeed)(ECParams *   params, 
+                             ECPrivateKey **	privKey,
+                             const unsigned char * seed,
+                             int                seedlen);
+
+ SECStatus (* p_EC_ValidatePublicKey)(ECParams *   params, 
+			     SECItem *	        publicValue);
+
+ SECStatus (* p_ECDH_Derive)(SECItem *          publicValue, 
+                             ECParams *         params,
+                             SECItem *          privateValue,
+                             PRBool             withCofactor,
+                             SECItem *          derivedSecret);
+
+ SECStatus (* p_ECDSA_SignDigest)(ECPrivateKey * key,
+                             SECItem *          signature,
+                             const SECItem *    digest);
+
+ SECStatus (* p_ECDSA_VerifyDigest)(ECPublicKey * key,
+                             const SECItem *    signature,
+                             const SECItem *    digest);
+
+ SECStatus (* p_ECDSA_SignDigestWithSeed)(ECPrivateKey * key,
+                             SECItem *          signature,
+                             const SECItem *    digest,
+                             const unsigned char * seed,
+                             const int          seedlen);
+
+  /* Version 3.006 came to here */
+
+  /* no modification to FREEBLVectorStr itself 
+   * but ECParamStr was modified 
+   */
+
+  /* Version 3.007 came to here */
+
+ SECStatus (* p_AES_InitContext)(AESContext *cx,
+				 const unsigned char *key, 
+				 unsigned int keylen, 
+				 const unsigned char *iv, 
+				 int mode, 
+				 unsigned int encrypt,
+				 unsigned int blocklen);
+ SECStatus (* p_AESKeyWrap_InitContext)(AESKeyWrapContext *cx,
+				 const unsigned char *key, 
+				 unsigned int keylen, 
+				 const unsigned char *iv, 
+				 int mode, 
+				 unsigned int encrypt,
+				 unsigned int blocklen);
+ SECStatus (* p_DES_InitContext)(DESContext *cx,
+				 const unsigned char *key, 
+				 unsigned int keylen,
+				 const unsigned char *iv, 
+				 int mode,
+				 unsigned int encrypt,
+				 unsigned int );
+ SECStatus (* p_RC2_InitContext)(RC2Context *cx,
+				 const unsigned char *key, 
+				 unsigned int keylen,
+				 const unsigned char *iv, 
+				 int mode, 
+				 unsigned int effectiveKeyLen,
+				 unsigned int );
+ SECStatus (* p_RC4_InitContext)(RC4Context *cx, 
+				 const unsigned char *key, 
+				 unsigned int keylen,
+				 const unsigned char *, 
+				 int, 
+				 unsigned int ,
+				 unsigned int );
+
+ AESContext *(*p_AES_AllocateContext)(void);
+ AESKeyWrapContext *(*p_AESKeyWrap_AllocateContext)(void);
+ DESContext *(*p_DES_AllocateContext)(void);
+ RC2Context *(*p_RC2_AllocateContext)(void);
+ RC4Context *(*p_RC4_AllocateContext)(void);
+
+ void (* p_MD2_Clone)(MD2Context *dest, MD2Context *src);
+ void (* p_MD5_Clone)(MD5Context *dest, MD5Context *src);
+ void (* p_SHA1_Clone)(SHA1Context *dest, SHA1Context *src);
+ void (* p_SHA256_Clone)(SHA256Context *dest, SHA256Context *src);
+ void (* p_SHA384_Clone)(SHA384Context *dest, SHA384Context *src);
+ void (* p_SHA512_Clone)(SHA512Context *dest, SHA512Context *src);
+
+ SECStatus (* p_TLS_PRF)(const SECItem *secret, const char *label, 
+		         SECItem *seed, SECItem *result, PRBool isFIPS);
+
+ const SECHashObject *(* p_HASH_GetRawHashObject)(HASH_HashType hashType);
+
+ HMACContext * (* p_HMAC_Create)(const SECHashObject *hashObj, 
+				 const unsigned char *secret, 
+				 unsigned int secret_len, PRBool isFIPS);
+ SECStatus (* p_HMAC_Init)(HMACContext *cx, const SECHashObject *hash_obj, 
+			   const unsigned char *secret, 
+			   unsigned int secret_len, PRBool isFIPS);
+ void (* p_HMAC_Begin)(HMACContext *cx);
+ void  (* p_HMAC_Update)(HMACContext *cx, const unsigned char *data, 
+			 unsigned int data_len);
+ HMACContext * (* p_HMAC_Clone)(HMACContext *cx);
+ SECStatus (* p_HMAC_Finish)(HMACContext *cx, unsigned char *result, 
+			     unsigned int *result_len, 
+			     unsigned int max_result_len);
+ void (* p_HMAC_Destroy)(HMACContext *cx, PRBool freeit);
+
+ void (* p_RNG_SystemInfoForRNG)(void);
+
+  /* Version 3.008 came to here */
+
+ SECStatus (* p_FIPS186Change_GenerateX)(unsigned char *XKEY,
+                                         const unsigned char *XSEEDj,
+                                         unsigned char *x_j);
+ SECStatus (* p_FIPS186Change_ReduceModQForDSA)(const unsigned char *w,
+                                                const unsigned char *q,
+                                                unsigned char *xj);
+
+  /* Version 3.009 came to here */
+
+ SECStatus (* p_Camellia_InitContext)(CamelliaContext *cx,
+				 const unsigned char *key, 
+				 unsigned int keylen, 
+				 const unsigned char *iv, 
+				 int mode, 
+				 unsigned int encrypt,
+				 unsigned int unused);
+
+ CamelliaContext *(*p_Camellia_AllocateContext)(void);
+ CamelliaContext * (* p_Camellia_CreateContext)(const unsigned char *key, 
+						const unsigned char *iv, 
+						int mode, int encrypt,
+						unsigned int keylen);
+ void (* p_Camellia_DestroyContext)(CamelliaContext *cx, PRBool freeit);
+
+ SECStatus (* p_Camellia_Encrypt)(CamelliaContext *cx, unsigned char *output,
+				  unsigned int *outputLen,
+				  unsigned int maxOutputLen,
+				  const unsigned char *input,
+				  unsigned int inputLen);
+
+ SECStatus (* p_Camellia_Decrypt)(CamelliaContext *cx, unsigned char *output,
+				  unsigned int *outputLen,
+				  unsigned int maxOutputLen,
+				  const unsigned char *input,
+				  unsigned int inputLen);
+
+ void (* p_PQG_DestroyParams)(PQGParams *params);
+
+ void (* p_PQG_DestroyVerify)(PQGVerify *vfy);
+
+  /* Version 3.010 came to here */
+};
+
+typedef struct FREEBLVectorStr FREEBLVector;
+
+SEC_BEGIN_PROTOS
+
+typedef const FREEBLVector * FREEBLGetVectorFn(void);
+
+extern FREEBLGetVectorFn FREEBL_GetVector;
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn
new file mode 100644
index 000000000..417f6bc27
--- /dev/null
+++ b/security/nss/lib/freebl/manifest.mn
@@ -0,0 +1,186 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com> and
+#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# NOTE: any ifdefs in this file must be defined on the gmake command line
+# (if anywhere).  They cannot come from Makefile or config.mk 
+
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+LIBRARY_NAME = freebl
+LIBRARY_VERSION = 3
+
+ifdef FREEBL_CHILD_BUILD
+  ifdef USE_ABI32_INT32
+    LIBRARY_NAME = freebl_32int
+  endif
+  ifdef USE_ABI32_INT64
+    LIBRARY_NAME = freebl_32int64
+  endif
+  ifdef USE_ABI32_FPU
+    LIBRARY_NAME = freebl_32fpu
+  endif
+  ifdef USE_ABI64_INT
+    LIBRARY_NAME = freebl_64int
+  endif
+  ifdef USE_ABI64_FPU
+    LIBRARY_NAME = freebl_64fpu
+  endif
+endif
+
+# if the library name contains _, we prefix the version with _
+ifneq (,$(findstring _,$(LIBRARY_NAME)))
+  LIBRARY_VERSION := _$(LIBRARY_VERSION)
+endif
+
+MAPFILE_SOURCE = freebl.def
+MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
+
+SOFTOKEN_LIBRARY_VERSION = 3
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" \
+	-DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" \
+	-DSOFTOKEN_SHLIB_VERSION=\"$(SOFTOKEN_LIBRARY_VERSION)\"
+
+REQUIRES = 
+
+EXPORTS = \
+	blapit.h \
+	shsign.h \
+	ecl-exp.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	alghmac.h \
+	blapi.h \
+	secmpi.h \
+	secrng.h \
+	ec.h \
+	ecl.h \
+	ecl-curve.h \
+	$(NULL)
+
+MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
+MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
+
+
+ECL_HDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h
+ifdef NSS_ENABLE_ECC
+ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \
+	ecp_aff.c ecp_jac.c ecp_mont.c \
+	ec_naf.c ecp_jm.c
+ifdef NSS_ECC_MORE_THAN_SUITE_B
+ECL_SRCS += ec2_aff.c ec2_mont.c ec2_proj.c \
+	ec2_163.c ec2_193.c ec2_233.c \
+	ecp_192.c ecp_224.c ecp_256.c ecp_384.c ecp_521.c 
+endif
+else
+ECL_SRCS = $(NULL)
+endif
+SHA_SRCS = sha_fast.c
+MPCPU_SRCS = mpcpucache.c
+
+CSRCS = \
+	freeblver.c \
+	ldvector.c \
+	prng_fips1861.c \
+	sysrand.c \
+	$(SHA_SRCS) \
+	md2.c \
+	md5.c \
+	sha512.c \
+	alghmac.c \
+	rawhash.c \
+	alg2268.c \
+	arcfour.c \
+	arcfive.c \
+	desblapi.c \
+	des.c \
+	rijndael.c \
+	aeskeywrap.c \
+	camellia.c \
+	dh.c \
+	ec.c \
+	pqg.c \
+	dsa.c \
+	rsa.c \
+	shvfy.c \
+	tlsprfalg.c \
+	$(MPI_SRCS) \
+	$(MPCPU_SRCS) \
+	$(ECL_SRCS) \
+	$(NULL)
+
+ALL_CSRCS := $(CSRCS)
+
+ALL_HDRS =  \
+	alghmac.h \
+	blapi.h \
+	blapit.h \
+	des.h \
+	ec.h \
+	loader.h \
+	rijndael.h \
+	camellia.h \
+	secmpi.h \
+	sha_fast.h \
+	sha256.h \
+	shsign.h \
+	vis_proto.h \
+	$(NULL)
+
+
+ifdef AES_GEN_TBL
+DEFINES += -DRIJNDAEL_GENERATE_TABLES
+else 
+ifdef AES_GEN_TBL_M
+DEFINES += -DRIJNDAEL_GENERATE_TABLES_MACRO
+else
+ifdef AES_GEN_VAL
+DEFINES += -DRIJNDAEL_GENERATE_VALUES
+else
+ifdef AES_GEN_VAL_M
+DEFINES += -DRIJNDAEL_GENERATE_VALUES_MACRO
+else
+DEFINES += -DRIJNDAEL_INCLUDE_TABLES
+endif
+endif
+endif
+endif
diff --git a/security/nss/lib/freebl/mapfile.Solaris b/security/nss/lib/freebl/mapfile.Solaris
new file mode 100644
index 000000000..2db951327
--- /dev/null
+++ b/security/nss/lib/freebl/mapfile.Solaris
@@ -0,0 +1,43 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+libfreebl_3.so {
+	global:
+		FREEBL_GetVector;
+	local:
+		*;
+};
diff --git a/security/nss/lib/freebl/md2.c b/security/nss/lib/freebl/md2.c
new file mode 100644
index 000000000..8582f903e
--- /dev/null
+++ b/security/nss/lib/freebl/md2.c
@@ -0,0 +1,296 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+
+#include "blapi.h"
+
+#define MD2_DIGEST_LEN    16
+#define MD2_BUFSIZE       16
+#define MD2_X_SIZE        48  /* The X array, [CV | INPUT | TMP VARS] */
+#define MD2_CV             0  /* index into X for chaining variables */
+#define MD2_INPUT         16  /* index into X for input */
+#define MD2_TMPVARS       32  /* index into X for temporary variables */
+#define MD2_CHECKSUM_SIZE 16
+
+struct MD2ContextStr {
+	unsigned char checksum[MD2_BUFSIZE];
+	unsigned char X[MD2_X_SIZE];
+	PRUint8 unusedBuffer;
+};
+
+static const PRUint8 MD2S[256] = {
+ 0051, 0056, 0103, 0311, 0242, 0330, 0174, 0001,
+ 0075, 0066, 0124, 0241, 0354, 0360, 0006, 0023,
+ 0142, 0247, 0005, 0363, 0300, 0307, 0163, 0214,
+ 0230, 0223, 0053, 0331, 0274, 0114, 0202, 0312,
+ 0036, 0233, 0127, 0074, 0375, 0324, 0340, 0026,
+ 0147, 0102, 0157, 0030, 0212, 0027, 0345, 0022,
+ 0276, 0116, 0304, 0326, 0332, 0236, 0336, 0111,
+ 0240, 0373, 0365, 0216, 0273, 0057, 0356, 0172,
+ 0251, 0150, 0171, 0221, 0025, 0262, 0007, 0077,
+ 0224, 0302, 0020, 0211, 0013, 0042, 0137, 0041,
+ 0200, 0177, 0135, 0232, 0132, 0220, 0062, 0047,
+ 0065, 0076, 0314, 0347, 0277, 0367, 0227, 0003,
+ 0377, 0031, 0060, 0263, 0110, 0245, 0265, 0321,
+ 0327, 0136, 0222, 0052, 0254, 0126, 0252, 0306,
+ 0117, 0270, 0070, 0322, 0226, 0244, 0175, 0266,
+ 0166, 0374, 0153, 0342, 0234, 0164, 0004, 0361,
+ 0105, 0235, 0160, 0131, 0144, 0161, 0207, 0040,
+ 0206, 0133, 0317, 0145, 0346, 0055, 0250, 0002,
+ 0033, 0140, 0045, 0255, 0256, 0260, 0271, 0366,
+ 0034, 0106, 0141, 0151, 0064, 0100, 0176, 0017,
+ 0125, 0107, 0243, 0043, 0335, 0121, 0257, 0072,
+ 0303, 0134, 0371, 0316, 0272, 0305, 0352, 0046,
+ 0054, 0123, 0015, 0156, 0205, 0050, 0204, 0011,
+ 0323, 0337, 0315, 0364, 0101, 0201, 0115, 0122,
+ 0152, 0334, 0067, 0310, 0154, 0301, 0253, 0372,
+ 0044, 0341, 0173, 0010, 0014, 0275, 0261, 0112,
+ 0170, 0210, 0225, 0213, 0343, 0143, 0350, 0155,
+ 0351, 0313, 0325, 0376, 0073, 0000, 0035, 0071,
+ 0362, 0357, 0267, 0016, 0146, 0130, 0320, 0344,
+ 0246, 0167, 0162, 0370, 0353, 0165, 0113, 0012,
+ 0061, 0104, 0120, 0264, 0217, 0355, 0037, 0032,
+ 0333, 0231, 0215, 0063, 0237, 0021, 0203, 0024
+};
+
+SECStatus 
+MD2_Hash(unsigned char *dest, const char *src)
+{
+	unsigned int len;
+	MD2Context *cx = MD2_NewContext();
+	if (!cx) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return SECFailure;
+	}
+	MD2_Begin(cx);
+	MD2_Update(cx, (const unsigned char *)src, PORT_Strlen(src));
+	MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
+	MD2_DestroyContext(cx, PR_TRUE);
+	return SECSuccess;
+}
+
+MD2Context *
+MD2_NewContext(void)
+{
+	MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	return cx;
+}
+
+void 
+MD2_DestroyContext(MD2Context *cx, PRBool freeit)
+{
+	if (freeit)
+		PORT_ZFree(cx, sizeof(*cx));
+}
+
+void 
+MD2_Begin(MD2Context *cx)
+{
+	memset(cx, 0, sizeof(*cx));
+	cx->unusedBuffer = MD2_BUFSIZE;
+}
+
+static void
+md2_compress(MD2Context *cx)
+{
+	int j;
+	unsigned char P;
+	P = cx->checksum[MD2_CHECKSUM_SIZE-1];
+	/* Compute the running checksum, and set the tmp variables to be 
+	 * CV[i] XOR input[i] 
+	 */
+#define CKSUMFN(n) \
+	P = cx->checksum[n] ^ MD2S[cx->X[MD2_INPUT+n] ^ P]; \
+	cx->checksum[n] = P; \
+	cx->X[MD2_TMPVARS+n] = cx->X[n] ^ cx->X[MD2_INPUT+n];
+	CKSUMFN(0);
+	CKSUMFN(1);
+	CKSUMFN(2);
+	CKSUMFN(3);
+	CKSUMFN(4);
+	CKSUMFN(5);
+	CKSUMFN(6);
+	CKSUMFN(7);
+	CKSUMFN(8);
+	CKSUMFN(9);
+	CKSUMFN(10);
+	CKSUMFN(11);
+	CKSUMFN(12);
+	CKSUMFN(13);
+	CKSUMFN(14);
+	CKSUMFN(15);
+	/* The compression function. */
+#define COMPRESS(n) \
+	P = cx->X[n] ^ MD2S[P]; \
+	cx->X[n] = P;
+	P = 0x00;
+	for (j=0; j<18; j++) {
+		COMPRESS(0);
+		COMPRESS(1);
+		COMPRESS(2);
+		COMPRESS(3);
+		COMPRESS(4);
+		COMPRESS(5);
+		COMPRESS(6);
+		COMPRESS(7);
+		COMPRESS(8);
+		COMPRESS(9);
+		COMPRESS(10);
+		COMPRESS(11);
+		COMPRESS(12);
+		COMPRESS(13);
+		COMPRESS(14);
+		COMPRESS(15);
+		COMPRESS(16);
+		COMPRESS(17);
+		COMPRESS(18);
+		COMPRESS(19);
+		COMPRESS(20);
+		COMPRESS(21);
+		COMPRESS(22);
+		COMPRESS(23);
+		COMPRESS(24);
+		COMPRESS(25);
+		COMPRESS(26);
+		COMPRESS(27);
+		COMPRESS(28);
+		COMPRESS(29);
+		COMPRESS(30);
+		COMPRESS(31);
+		COMPRESS(32);
+		COMPRESS(33);
+		COMPRESS(34);
+		COMPRESS(35);
+		COMPRESS(36);
+		COMPRESS(37);
+		COMPRESS(38);
+		COMPRESS(39);
+		COMPRESS(40);
+		COMPRESS(41);
+		COMPRESS(42);
+		COMPRESS(43);
+		COMPRESS(44);
+		COMPRESS(45);
+		COMPRESS(46);
+		COMPRESS(47);
+		P = (P + j) % 256;
+	}
+	cx->unusedBuffer = MD2_BUFSIZE;
+}
+
+void 
+MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+	PRUint32 bytesToConsume;
+	
+	/* Fill the remaining input buffer. */
+	if (cx->unusedBuffer != MD2_BUFSIZE) {
+		bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer);
+		memcpy(&cx->X[MD2_INPUT + (MD2_BUFSIZE - cx->unusedBuffer)],
+		            input, bytesToConsume);
+		if (cx->unusedBuffer + bytesToConsume >= MD2_BUFSIZE)
+			md2_compress(cx);
+		inputLen -= bytesToConsume;
+		input += bytesToConsume;
+	}
+
+	/* Iterate over 16-byte chunks of the input. */
+	while (inputLen >= MD2_BUFSIZE) {
+		memcpy(&cx->X[MD2_INPUT], input, MD2_BUFSIZE);
+		md2_compress(cx);
+		inputLen -= MD2_BUFSIZE;
+		input += MD2_BUFSIZE;
+	}
+
+	/* Copy any input that remains into the buffer. */
+	if (inputLen)
+		memcpy(&cx->X[MD2_INPUT], input, inputLen);
+	cx->unusedBuffer = MD2_BUFSIZE - inputLen;
+}
+
+void 
+MD2_End(MD2Context *cx, unsigned char *digest,
+        unsigned int *digestLen, unsigned int maxDigestLen)
+{
+	PRUint8 padStart;
+	if (maxDigestLen < MD2_BUFSIZE) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return;
+	}
+	padStart = MD2_BUFSIZE - cx->unusedBuffer;
+	memset(&cx->X[MD2_INPUT + padStart], cx->unusedBuffer, 
+	            cx->unusedBuffer);
+	md2_compress(cx);
+	memcpy(&cx->X[MD2_INPUT], cx->checksum, MD2_BUFSIZE);
+	md2_compress(cx);
+	*digestLen = MD2_DIGEST_LEN;
+	memcpy(digest, &cx->X[MD2_CV], MD2_DIGEST_LEN);
+}
+
+unsigned int 
+MD2_FlattenSize(MD2Context *cx)
+{
+	return sizeof(*cx);
+}
+
+SECStatus 
+MD2_Flatten(MD2Context *cx, unsigned char *space)
+{
+	memcpy(space, cx, sizeof(*cx));
+	return SECSuccess;
+}
+
+MD2Context * 
+MD2_Resurrect(unsigned char *space, void *arg)
+{
+	MD2Context *cx = MD2_NewContext();
+	if (cx)
+		memcpy(cx, space, sizeof(*cx));
+	return cx;
+}
+
+void MD2_Clone(MD2Context *dest, MD2Context *src) 
+{
+	memcpy(dest, src, sizeof *dest);
+}
diff --git a/security/nss/lib/freebl/md5.c b/security/nss/lib/freebl/md5.c
new file mode 100644
index 000000000..97c400d9c
--- /dev/null
+++ b/security/nss/lib/freebl/md5.c
@@ -0,0 +1,595 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prlong.h"
+
+#include "blapi.h"
+
+#define MD5_HASH_LEN 16
+#define MD5_BUFFER_SIZE 64
+#define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8)
+
+#define CV0_1 0x67452301
+#define CV0_2 0xefcdab89
+#define CV0_3 0x98badcfe
+#define CV0_4 0x10325476
+
+#define T1_0  0xd76aa478
+#define T1_1  0xe8c7b756
+#define T1_2  0x242070db
+#define T1_3  0xc1bdceee
+#define T1_4  0xf57c0faf
+#define T1_5  0x4787c62a
+#define T1_6  0xa8304613
+#define T1_7  0xfd469501
+#define T1_8  0x698098d8
+#define T1_9  0x8b44f7af
+#define T1_10 0xffff5bb1
+#define T1_11 0x895cd7be
+#define T1_12 0x6b901122
+#define T1_13 0xfd987193
+#define T1_14 0xa679438e
+#define T1_15 0x49b40821
+
+#define T2_0  0xf61e2562
+#define T2_1  0xc040b340
+#define T2_2  0x265e5a51
+#define T2_3  0xe9b6c7aa
+#define T2_4  0xd62f105d
+#define T2_5  0x02441453
+#define T2_6  0xd8a1e681
+#define T2_7  0xe7d3fbc8
+#define T2_8  0x21e1cde6
+#define T2_9  0xc33707d6
+#define T2_10 0xf4d50d87
+#define T2_11 0x455a14ed
+#define T2_12 0xa9e3e905
+#define T2_13 0xfcefa3f8
+#define T2_14 0x676f02d9
+#define T2_15 0x8d2a4c8a
+
+#define T3_0  0xfffa3942
+#define T3_1  0x8771f681
+#define T3_2  0x6d9d6122
+#define T3_3  0xfde5380c
+#define T3_4  0xa4beea44
+#define T3_5  0x4bdecfa9
+#define T3_6  0xf6bb4b60
+#define T3_7  0xbebfbc70
+#define T3_8  0x289b7ec6
+#define T3_9  0xeaa127fa
+#define T3_10 0xd4ef3085
+#define T3_11 0x04881d05
+#define T3_12 0xd9d4d039
+#define T3_13 0xe6db99e5
+#define T3_14 0x1fa27cf8
+#define T3_15 0xc4ac5665
+
+#define T4_0  0xf4292244
+#define T4_1  0x432aff97
+#define T4_2  0xab9423a7
+#define T4_3  0xfc93a039
+#define T4_4  0x655b59c3
+#define T4_5  0x8f0ccc92
+#define T4_6  0xffeff47d
+#define T4_7  0x85845dd1
+#define T4_8  0x6fa87e4f
+#define T4_9  0xfe2ce6e0
+#define T4_10 0xa3014314
+#define T4_11 0x4e0811a1
+#define T4_12 0xf7537e82
+#define T4_13 0xbd3af235
+#define T4_14 0x2ad7d2bb
+#define T4_15 0xeb86d391
+
+#define R1B0  0
+#define R1B1  1
+#define R1B2  2
+#define R1B3  3
+#define R1B4  4
+#define R1B5  5
+#define R1B6  6
+#define R1B7  7
+#define R1B8  8
+#define R1B9  9
+#define R1B10 10
+#define R1B11 11
+#define R1B12 12
+#define R1B13 13
+#define R1B14 14
+#define R1B15 15
+
+#define R2B0  1
+#define R2B1  6
+#define R2B2  11
+#define R2B3  0
+#define R2B4  5
+#define R2B5  10
+#define R2B6  15
+#define R2B7  4
+#define R2B8  9
+#define R2B9  14
+#define R2B10 3 
+#define R2B11 8 
+#define R2B12 13
+#define R2B13 2 
+#define R2B14 7 
+#define R2B15 12
+
+#define R3B0  5
+#define R3B1  8
+#define R3B2  11
+#define R3B3  14
+#define R3B4  1
+#define R3B5  4
+#define R3B6  7
+#define R3B7  10
+#define R3B8  13
+#define R3B9  0
+#define R3B10 3 
+#define R3B11 6 
+#define R3B12 9 
+#define R3B13 12
+#define R3B14 15
+#define R3B15 2 
+
+#define R4B0  0
+#define R4B1  7
+#define R4B2  14
+#define R4B3  5
+#define R4B4  12
+#define R4B5  3
+#define R4B6  10
+#define R4B7  1
+#define R4B8  8
+#define R4B9  15
+#define R4B10 6 
+#define R4B11 13
+#define R4B12 4 
+#define R4B13 11
+#define R4B14 2 
+#define R4B15 9 
+
+#define S1_0 7
+#define S1_1 12
+#define S1_2 17
+#define S1_3 22
+
+#define S2_0 5
+#define S2_1 9
+#define S2_2 14
+#define S2_3 20
+
+#define S3_0 4
+#define S3_1 11
+#define S3_2 16
+#define S3_3 23
+
+#define S4_0 6
+#define S4_1 10
+#define S4_2 15
+#define S4_3 21
+
+struct MD5ContextStr {
+	PRUint32      lsbInput;
+	PRUint32      msbInput;
+	PRUint32      cv[4];
+	union {
+		PRUint8 b[64];
+		PRUint32 w[16];
+	} u;
+};
+
+#define inBuf u.b
+
+SECStatus 
+MD5_Hash(unsigned char *dest, const char *src)
+{
+	return MD5_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
+}
+
+SECStatus 
+MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+	unsigned int len;
+	MD5Context cx;
+
+	MD5_Begin(&cx);
+	MD5_Update(&cx, src, src_length);
+	MD5_End(&cx, dest, &len, MD5_HASH_LEN);
+/*	memset(&cx, 0, sizeof cx); */
+	return SECSuccess;
+}
+
+MD5Context *
+MD5_NewContext(void)
+{
+	/* no need to ZAlloc, MD5_Begin will init the context */
+	MD5Context *cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	return cx;
+}
+
+void 
+MD5_DestroyContext(MD5Context *cx, PRBool freeit)
+{
+/*	memset(cx, 0, sizeof *cx); */
+	if (freeit) {
+	    PORT_Free(cx);
+	}
+}
+
+void 
+MD5_Begin(MD5Context *cx)
+{
+	cx->lsbInput = 0;
+	cx->msbInput = 0;
+/*	memset(cx->inBuf, 0, sizeof(cx->inBuf)); */
+	cx->cv[0] = CV0_1;
+	cx->cv[1] = CV0_2;
+	cx->cv[2] = CV0_3;
+	cx->cv[3] = CV0_4;
+}
+
+#define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s))
+
+#if defined(SOLARIS) || defined(HPUX)
+#define addto64(sumhigh, sumlow, addend) \
+	sumlow += addend; sumhigh += (sumlow < addend);
+#else
+#define addto64(sumhigh, sumlow, addend) \
+	sumlow += addend; if (sumlow < addend) ++sumhigh;
+#endif
+
+#define MASK 0x00ff00ff
+#ifdef IS_LITTLE_ENDIAN
+#define lendian(i32) \
+	(i32)
+#else
+#define lendian(i32) \
+	(tmp = i32 >> 16 | i32 << 16, (tmp & MASK) << 8 | tmp >> 8 & MASK)
+#endif
+
+#ifndef IS_LITTLE_ENDIAN
+
+#define lebytes(b4) \
+	((b4)[3] << 24 | (b4)[2] << 16 | (b4)[1] << 8 | (b4)[0])
+
+static void
+md5_prep_state_le(MD5Context *cx)
+{
+	PRUint32 tmp;
+	cx->u.w[0] = lendian(cx->u.w[0]);
+	cx->u.w[1] = lendian(cx->u.w[1]);
+	cx->u.w[2] = lendian(cx->u.w[2]);
+	cx->u.w[3] = lendian(cx->u.w[3]);
+	cx->u.w[4] = lendian(cx->u.w[4]);
+	cx->u.w[5] = lendian(cx->u.w[5]);
+	cx->u.w[6] = lendian(cx->u.w[6]);
+	cx->u.w[7] = lendian(cx->u.w[7]);
+	cx->u.w[8] = lendian(cx->u.w[8]);
+	cx->u.w[9] = lendian(cx->u.w[9]);
+	cx->u.w[10] = lendian(cx->u.w[10]);
+	cx->u.w[11] = lendian(cx->u.w[11]);
+	cx->u.w[12] = lendian(cx->u.w[12]);
+	cx->u.w[13] = lendian(cx->u.w[13]);
+	cx->u.w[14] = lendian(cx->u.w[14]);
+	cx->u.w[15] = lendian(cx->u.w[15]);
+}
+
+static void
+md5_prep_buffer_le(MD5Context *cx, const PRUint8 *beBuf)
+{
+	cx->u.w[0] = lebytes(&beBuf[0]);
+	cx->u.w[1] = lebytes(&beBuf[4]);
+	cx->u.w[2] = lebytes(&beBuf[8]);
+	cx->u.w[3] = lebytes(&beBuf[12]);
+	cx->u.w[4] = lebytes(&beBuf[16]);
+	cx->u.w[5] = lebytes(&beBuf[20]);
+	cx->u.w[6] = lebytes(&beBuf[24]);
+	cx->u.w[7] = lebytes(&beBuf[28]);
+	cx->u.w[8] = lebytes(&beBuf[32]);
+	cx->u.w[9] = lebytes(&beBuf[36]);
+	cx->u.w[10] = lebytes(&beBuf[40]);
+	cx->u.w[11] = lebytes(&beBuf[44]);
+	cx->u.w[12] = lebytes(&beBuf[48]);
+	cx->u.w[13] = lebytes(&beBuf[52]);
+	cx->u.w[14] = lebytes(&beBuf[56]);
+	cx->u.w[15] = lebytes(&beBuf[60]);
+}
+#endif
+
+
+#define F(X, Y, Z) \
+	((X & Y) | ((~X) & Z))
+
+#define G(X, Y, Z) \
+	((X & Z) | (Y & (~Z)))
+
+#define H(X, Y, Z) \
+	(X ^ Y ^ Z)
+
+#define I(X, Y, Z) \
+	(Y ^ (X | (~Z)))
+
+#define FF(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + F(b, c, d) + bufint + ti, s)
+
+#define GG(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + G(b, c, d) + bufint + ti, s)
+
+#define HH(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + H(b, c, d) + bufint + ti, s)
+
+#define II(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + I(b, c, d) + bufint + ti, s)
+
+static void
+md5_compress(MD5Context *cx, const PRUint32 *wBuf)
+{
+	PRUint32 a, b, c, d;
+	PRUint32 tmp;
+	a = cx->cv[0];
+	b = cx->cv[1];
+	c = cx->cv[2];
+	d = cx->cv[3];
+	FF(a, b, c, d, wBuf[R1B0 ], S1_0, T1_0);
+	FF(d, a, b, c, wBuf[R1B1 ], S1_1, T1_1);
+	FF(c, d, a, b, wBuf[R1B2 ], S1_2, T1_2);
+	FF(b, c, d, a, wBuf[R1B3 ], S1_3, T1_3);
+	FF(a, b, c, d, wBuf[R1B4 ], S1_0, T1_4);
+	FF(d, a, b, c, wBuf[R1B5 ], S1_1, T1_5);
+	FF(c, d, a, b, wBuf[R1B6 ], S1_2, T1_6);
+	FF(b, c, d, a, wBuf[R1B7 ], S1_3, T1_7);
+	FF(a, b, c, d, wBuf[R1B8 ], S1_0, T1_8);
+	FF(d, a, b, c, wBuf[R1B9 ], S1_1, T1_9);
+	FF(c, d, a, b, wBuf[R1B10], S1_2, T1_10);
+	FF(b, c, d, a, wBuf[R1B11], S1_3, T1_11);
+	FF(a, b, c, d, wBuf[R1B12], S1_0, T1_12);
+	FF(d, a, b, c, wBuf[R1B13], S1_1, T1_13);
+	FF(c, d, a, b, wBuf[R1B14], S1_2, T1_14);
+	FF(b, c, d, a, wBuf[R1B15], S1_3, T1_15);
+	GG(a, b, c, d, wBuf[R2B0 ], S2_0, T2_0);
+	GG(d, a, b, c, wBuf[R2B1 ], S2_1, T2_1);
+	GG(c, d, a, b, wBuf[R2B2 ], S2_2, T2_2);
+	GG(b, c, d, a, wBuf[R2B3 ], S2_3, T2_3);
+	GG(a, b, c, d, wBuf[R2B4 ], S2_0, T2_4);
+	GG(d, a, b, c, wBuf[R2B5 ], S2_1, T2_5);
+	GG(c, d, a, b, wBuf[R2B6 ], S2_2, T2_6);
+	GG(b, c, d, a, wBuf[R2B7 ], S2_3, T2_7);
+	GG(a, b, c, d, wBuf[R2B8 ], S2_0, T2_8);
+	GG(d, a, b, c, wBuf[R2B9 ], S2_1, T2_9);
+	GG(c, d, a, b, wBuf[R2B10], S2_2, T2_10);
+	GG(b, c, d, a, wBuf[R2B11], S2_3, T2_11);
+	GG(a, b, c, d, wBuf[R2B12], S2_0, T2_12);
+	GG(d, a, b, c, wBuf[R2B13], S2_1, T2_13);
+	GG(c, d, a, b, wBuf[R2B14], S2_2, T2_14);
+	GG(b, c, d, a, wBuf[R2B15], S2_3, T2_15);
+	HH(a, b, c, d, wBuf[R3B0 ], S3_0, T3_0);
+	HH(d, a, b, c, wBuf[R3B1 ], S3_1, T3_1);
+	HH(c, d, a, b, wBuf[R3B2 ], S3_2, T3_2);
+	HH(b, c, d, a, wBuf[R3B3 ], S3_3, T3_3);
+	HH(a, b, c, d, wBuf[R3B4 ], S3_0, T3_4);
+	HH(d, a, b, c, wBuf[R3B5 ], S3_1, T3_5);
+	HH(c, d, a, b, wBuf[R3B6 ], S3_2, T3_6);
+	HH(b, c, d, a, wBuf[R3B7 ], S3_3, T3_7);
+	HH(a, b, c, d, wBuf[R3B8 ], S3_0, T3_8);
+	HH(d, a, b, c, wBuf[R3B9 ], S3_1, T3_9);
+	HH(c, d, a, b, wBuf[R3B10], S3_2, T3_10);
+	HH(b, c, d, a, wBuf[R3B11], S3_3, T3_11);
+	HH(a, b, c, d, wBuf[R3B12], S3_0, T3_12);
+	HH(d, a, b, c, wBuf[R3B13], S3_1, T3_13);
+	HH(c, d, a, b, wBuf[R3B14], S3_2, T3_14);
+	HH(b, c, d, a, wBuf[R3B15], S3_3, T3_15);
+	II(a, b, c, d, wBuf[R4B0 ], S4_0, T4_0);
+	II(d, a, b, c, wBuf[R4B1 ], S4_1, T4_1);
+	II(c, d, a, b, wBuf[R4B2 ], S4_2, T4_2);
+	II(b, c, d, a, wBuf[R4B3 ], S4_3, T4_3);
+	II(a, b, c, d, wBuf[R4B4 ], S4_0, T4_4);
+	II(d, a, b, c, wBuf[R4B5 ], S4_1, T4_5);
+	II(c, d, a, b, wBuf[R4B6 ], S4_2, T4_6);
+	II(b, c, d, a, wBuf[R4B7 ], S4_3, T4_7);
+	II(a, b, c, d, wBuf[R4B8 ], S4_0, T4_8);
+	II(d, a, b, c, wBuf[R4B9 ], S4_1, T4_9);
+	II(c, d, a, b, wBuf[R4B10], S4_2, T4_10);
+	II(b, c, d, a, wBuf[R4B11], S4_3, T4_11);
+	II(a, b, c, d, wBuf[R4B12], S4_0, T4_12);
+	II(d, a, b, c, wBuf[R4B13], S4_1, T4_13);
+	II(c, d, a, b, wBuf[R4B14], S4_2, T4_14);
+	II(b, c, d, a, wBuf[R4B15], S4_3, T4_15);
+	cx->cv[0] += a;
+	cx->cv[1] += b;
+	cx->cv[2] += c;
+	cx->cv[3] += d;
+}
+
+void 
+MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+	PRUint32 bytesToConsume;
+	PRUint32 inBufIndex = cx->lsbInput & 63;
+	const PRUint32 *wBuf;
+
+	/* Add the number of input bytes to the 64-bit input counter. */
+	addto64(cx->msbInput, cx->lsbInput, inputLen);
+	if (inBufIndex) {
+		/* There is already data in the buffer.  Fill with input. */
+		bytesToConsume = PR_MIN(inputLen, MD5_BUFFER_SIZE - inBufIndex);
+		memcpy(&cx->inBuf[inBufIndex], input, bytesToConsume);
+		if (inBufIndex + bytesToConsume >= MD5_BUFFER_SIZE) {
+			/* The buffer is filled.  Run the compression function. */
+#ifndef IS_LITTLE_ENDIAN
+			md5_prep_state_le(cx);
+#endif
+			md5_compress(cx, cx->u.w);
+		}
+		/* Remaining input. */
+		inputLen -= bytesToConsume;
+		input += bytesToConsume;
+	}
+
+	/* Iterate over 64-byte chunks of the message. */
+	while (inputLen >= MD5_BUFFER_SIZE) {
+#ifdef IS_LITTLE_ENDIAN
+#ifdef _X86_
+		/* x86 can handle arithmetic on non-word-aligned buffers */
+		wBuf = (PRUint32 *)input;
+#else
+		if ((ptrdiff_t)input & 0x3) {
+			/* buffer not aligned, copy it to force alignment */
+			memcpy(cx->inBuf, input, MD5_BUFFER_SIZE);
+			wBuf = cx->u.w;
+		} else {
+			/* buffer is aligned */
+			wBuf = (PRUint32 *)input;
+		}
+#endif
+#else
+		md5_prep_buffer_le(cx, input);
+		wBuf = cx->u.w;
+#endif
+		md5_compress(cx, wBuf);
+		inputLen -= MD5_BUFFER_SIZE;
+		input += MD5_BUFFER_SIZE;
+	}
+
+	/* Tail of message (message bytes mod 64). */
+	if (inputLen)
+		memcpy(cx->inBuf, input, inputLen);
+}
+
+static const unsigned char padbytes[] = {
+	0x80, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00
+};
+
+void 
+MD5_End(MD5Context *cx, unsigned char *digest,
+        unsigned int *digestLen, unsigned int maxDigestLen)
+{
+#ifndef IS_LITTLE_ENDIAN
+	PRUint32 tmp;
+#endif
+	PRUint32 lowInput, highInput;
+	PRUint32 inBufIndex = cx->lsbInput & 63;
+
+	if (maxDigestLen < MD5_HASH_LEN) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return;
+	}
+
+	/* Copy out the length of bits input before padding. */
+	lowInput = cx->lsbInput; 
+	highInput = (cx->msbInput << 3) | (lowInput >> 29);
+	lowInput <<= 3;
+
+	if (inBufIndex < MD5_END_BUFFER) {
+		MD5_Update(cx, padbytes, MD5_END_BUFFER - inBufIndex);
+	} else {
+		MD5_Update(cx, padbytes, 
+		           MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex);
+	}
+
+	/* Store the number of bytes input (before padding) in final 64 bits. */
+	cx->u.w[14] = lendian(lowInput);
+	cx->u.w[15] = lendian(highInput);
+
+	/* Final call to compress. */
+#ifndef IS_LITTLE_ENDIAN
+	md5_prep_state_le(cx);
+#endif
+	md5_compress(cx, cx->u.w);
+
+	/* Copy the resulting values out of the chain variables into return buf. */
+	*digestLen = MD5_HASH_LEN;
+#ifndef IS_LITTLE_ENDIAN
+	cx->cv[0] = lendian(cx->cv[0]);
+	cx->cv[1] = lendian(cx->cv[1]);
+	cx->cv[2] = lendian(cx->cv[2]);
+	cx->cv[3] = lendian(cx->cv[3]);
+#endif
+	memcpy(digest, cx->cv, MD5_HASH_LEN);
+}
+
+unsigned int 
+MD5_FlattenSize(MD5Context *cx)
+{
+	return sizeof(*cx);
+}
+
+SECStatus 
+MD5_Flatten(MD5Context *cx, unsigned char *space)
+{
+	memcpy(space, cx, sizeof(*cx));
+	return SECSuccess;
+}
+
+MD5Context * 
+MD5_Resurrect(unsigned char *space, void *arg)
+{
+	MD5Context *cx = MD5_NewContext();
+	if (cx)
+		memcpy(cx, space, sizeof(*cx));
+	return cx;
+}
+
+void MD5_Clone(MD5Context *dest, MD5Context *src) 
+{
+	memcpy(dest, src, sizeof *dest);
+}
+
+void 
+MD5_TraceState(MD5Context *cx)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+}
diff --git a/security/nss/lib/freebl/mknewpc2.c b/security/nss/lib/freebl/mknewpc2.c
new file mode 100644
index 000000000..e2872598f
--- /dev/null
+++ b/security/nss/lib/freebl/mknewpc2.c
@@ -0,0 +1,242 @@
+/*
+ *  mknewpc2.c
+ *
+ *  Generate PC-2 tables for DES-150 library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson B. Bolyard, nelsonb@iname.com.
+ * Portions created by the Initial Developer are Copyright (C) 1990
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+typedef unsigned char BYTE;
+typedef unsigned int  HALF;
+
+#define DES_ENCRYPT 0
+#define DES_DECRYPT 1
+
+/* two 28-bit registers defined in key schedule production process */
+static HALF C0, D0;
+
+static HALF L0, R0;
+
+/* key schedule, 16 internal keys, each with 8 6-bit parts */
+static BYTE KS [8] [16];
+
+
+/*
+ * This table takes the 56 bits in C0 and D0 and shows show they are 
+ * permuted into the 8 6-bit parts of the key in the key schedule.
+ * The bits of C0 are numbered left to right, 1-28.
+ * The bits of D0 are numbered left to right, 29-56.
+ * Zeros in this table represent bits that are always zero.
+ * Note that all the bits in the first  4 rows come from C0, 
+ *       and all the bits in the second 4 rows come from D0.
+ */
+static const BYTE PC2[64] = {
+    14, 17, 11, 24,  1,  5,  0,  0,	/* S1 */
+     3, 28, 15,  6, 21, 10,  0,  0,	/* S2 */
+    23, 19, 12,  4, 26,  8,  0,  0,	/* S3 */
+    16,  7, 27, 20, 13,  2,  0,  0,	/* S4 */
+
+    41, 52, 31, 37, 47, 55,  0,  0,	/* S5 */
+    30, 40, 51, 45, 33, 48,  0,  0,	/* S6 */
+    44, 49, 39, 56, 34, 53,  0,  0,	/* S7 */
+    46, 42, 50, 36, 29, 32,  0,  0	/* S8 */
+};
+
+/* This table represents the same info as PC2, except that 
+ * The bits of C0 and D0 are each numbered right to left, 0-27.
+ * -1 values indicate bits that are always zero.
+ * As before all the bits in the first  4 rows come from C0, 
+ *       and all the bits in the second 4 rows come from D0.
+ */
+static       signed char PC2a[64] = {
+/* bits of C0 */
+    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
+    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
+     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
+    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
+/* bits of D0 */
+    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
+    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
+    12,  7, 17,  0, 22,  3, -1, -1,	/* S7 */
+    10, 14,  6, 20, 27, 24, -1, -1 	/* S8 */
+};
+
+/* This table represents the same info as PC2a, except that 
+ * The order of of the rows has been changed to increase the efficiency
+ * with which the key sechedule is created.
+ * Fewer shifts and ANDs are required to make the KS from these.
+ */
+static const signed char PC2b[64] = {
+/* bits of C0 */
+    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
+     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
+    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
+    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
+/* bits of D0 */
+    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
+    10, 14,  6, 20, 27, 24, -1, -1,	/* S8 */
+    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
+    12,  7, 17,  0, 22,  3, -1, -1 	/* S7 */
+};
+
+/* Only 24 of the 28 bits in C0 and D0 are used in PC2.
+ * The used bits of C0 and D0 are grouped into 4 groups of 6,
+ * so that the PC2 permutation can be accomplished with 4 lookups
+ * in tables of 64 entries.
+ * The following table shows how the bits of C0 and D0 are grouped
+ * into indexes for the respective table lookups.  
+ * Bits are numbered right-to-left, 0-27, as in PC2b.
+ */
+static BYTE NDX[48] = {
+/* Bits of C0 */
+    27, 26, 25, 24, 23, 22,	/* C0 table 0 */
+    18, 17, 16, 15, 14, 13,	/* C0 table 1 */
+     9,  8,  7,  2,  1,  0,	/* C0 table 2 */
+     5,  4, 21, 20, 12, 11,	/* C0 table 3 */
+/* bits of D0 */
+    27, 26, 25, 24, 23, 22,	/* D0 table 0 */
+    20, 19, 17, 16, 15, 14,	/* D0 table 1 */
+    12, 11, 10,  9,  8,  7,	/* D0 table 2 */
+     6,  5,  4,  3,  1,  0	/* D0 table 3 */
+};
+
+/* Here's the code that does that grouping. 
+	left   = PC2LOOKUP(0, 0, ((c0 >> 22) & 0x3F) );
+	left  |= PC2LOOKUP(0, 1, ((c0 >> 13) & 0x3F) );
+	left  |= PC2LOOKUP(0, 2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
+	left  |= PC2LOOKUP(0, 3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
+
+	right  = PC2LOOKUP(1, 0, ((d0 >> 22) & 0x3F) );
+	right |= PC2LOOKUP(1, 1, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
+	right |= PC2LOOKUP(1, 2, ((d0 >>  7) & 0x3F) );
+	right |= PC2LOOKUP(1, 3, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
+*/
+
+void
+make_pc2a( void )
+{
+
+    int i, j;
+
+    for ( i = 0; i < 64; ++i ) {
+	j = PC2[i];
+	if (j == 0)
+	    j = -1;
+	else if ( j < 29 )
+	    j = 28 - j ;
+	else
+	    j = 56 - j;
+	PC2a[i] = j;
+    }
+    for ( i = 0; i < 64; i += 8 ) {
+	printf("%3d,%3d,%3d,%3d,%3d,%3d,%3d,%3d,\n",
+		PC2a[i+0],PC2a[i+1],PC2a[i+2],PC2a[i+3],
+		PC2a[i+4],PC2a[i+5],PC2a[i+6],PC2a[i+7] );
+    }
+}
+
+HALF PC2cd0[64];
+
+HALF PC_2H[8][64];
+
+void
+mktable( )
+{
+    int i;
+    int table;
+    const BYTE * ndx   = NDX;
+    HALF         mask;
+
+    mask  = 0x80000000;
+    for (i = 0; i < 32; ++i, mask >>= 1) {
+	int bit = PC2b[i];
+	if (bit < 0)
+	    continue;
+	PC2cd0[bit + 32] = mask;
+    }
+
+    mask  = 0x80000000;
+    for (i = 32; i < 64; ++i, mask >>= 1) {
+	int bit = PC2b[i];
+	if (bit < 0)
+	    continue;
+	PC2cd0[bit] = mask;
+    }
+
+#if DEBUG
+    for (i = 0; i < 64; ++i) {
+    	printf("0x%08x,\n", PC2cd0[i]);
+    }
+#endif
+    for (i = 0; i < 24; ++i) {
+    	NDX[i] += 32;	/* because c0 is the upper half */
+    }
+
+    for (table = 0; table < 8; ++table) {
+	HALF bitvals[6];
+    	for (i = 0; i < 6; ++i) {
+	    bitvals[5-i] = PC2cd0[*ndx++];
+	}
+	for (i = 0; i < 64; ++i) {
+	    int  j;
+	    int  k     = 0;
+	    HALF value = 0;
+
+	    for (j = i; j; j >>= 1, ++k) {
+	    	if (j & 1) {
+		    value |= bitvals[k];
+		}
+	    }
+	    PC_2H[table][i] = value;
+	}
+	printf("/* table %d */ {\n", table );
+	for (i = 0; i < 64; i += 4) {
+	    printf("    0x%08x, 0x%08x, 0x%08x, 0x%08x, \n",
+		    PC_2H[table][i],   PC_2H[table][i+1],
+		    PC_2H[table][i+2], PC_2H[table][i+3]);
+	}
+	printf("  },\n");
+    }
+}
+
+
+int
+main(void)
+{
+/*   make_pc2a(); */
+   mktable();
+   return 0;
+}
diff --git a/security/nss/lib/freebl/mksp.c b/security/nss/lib/freebl/mksp.c
new file mode 100644
index 000000000..994dcff0c
--- /dev/null
+++ b/security/nss/lib/freebl/mksp.c
@@ -0,0 +1,159 @@
+/*
+ *  mksp.c
+ *
+ *  Generate SP tables for DES-150 library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson B. Bolyard, nelsonb@iname.com.
+ * Portions created by the Initial Developer are Copyright (C) 1990
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+
+/*
+ * sboxes - the tables for the s-box functions
+ *        from FIPS 46, pages 15-16.
+ */
+unsigned char S[8][64] = {
+/* Func S1 = */ {
+	14,  0,  4, 15, 13,  7,  1,  4,  2, 14, 15,  2, 11, 13,  8,  1,
+	 3, 10, 10,  6,  6, 12, 12, 11,  5,  9,  9,  5,  0,  3,  7,  8,
+	 4, 15,  1, 12, 14,  8,  8,  2, 13,  4,  6,  9,  2,  1, 11,  7,
+	15,  5, 12, 11,  9,  3,  7, 14,  3, 10, 10,  0,  5,  6,  0, 13
+    },
+/* Func S2 = */ {
+	15,  3,  1, 13,  8,  4, 14,  7,  6, 15, 11,  2,  3,  8,  4, 14,
+	 9, 12,  7,  0,  2,  1, 13, 10, 12,  6,  0,  9,  5, 11, 10,  5,
+	 0, 13, 14,  8,  7, 10, 11,  1, 10,  3,  4, 15, 13,  4,  1,  2,
+	 5, 11,  8,  6, 12,  7,  6, 12,  9,  0,  3,  5,  2, 14, 15,  9
+    },
+/* Func S3 = */ {
+	10, 13,  0,  7,  9,  0, 14,  9,  6,  3,  3,  4, 15,  6,  5, 10,
+	 1,  2, 13,  8, 12,  5,  7, 14, 11, 12,  4, 11,  2, 15,  8,  1,
+	13,  1,  6, 10,  4, 13,  9,  0,  8,  6, 15,  9,  3,  8,  0,  7,
+	11,  4,  1, 15,  2, 14, 12,  3,  5, 11, 10,  5, 14,  2,  7, 12
+    },
+/* Func S4 = */ {
+	 7, 13, 13,  8, 14, 11,  3,  5,  0,  6,  6, 15,  9,  0, 10,  3,
+	 1,  4,  2,  7,  8,  2,  5, 12, 11,  1, 12, 10,  4, 14, 15,  9,
+	10,  3,  6, 15,  9,  0,  0,  6, 12, 10, 11,  1,  7, 13, 13,  8,
+	15,  9,  1,  4,  3,  5, 14, 11,  5, 12,  2,  7,  8,  2,  4, 14
+    },
+/* Func S5 = */ {
+	 2, 14, 12, 11,  4,  2,  1, 12,  7,  4, 10,  7, 11, 13,  6,  1,
+	 8,  5,  5,  0,  3, 15, 15, 10, 13,  3,  0,  9, 14,  8,  9,  6,
+	 4, 11,  2,  8,  1, 12, 11,  7, 10,  1, 13, 14,  7,  2,  8, 13,
+	15,  6,  9, 15, 12,  0,  5,  9,  6, 10,  3,  4,  0,  5, 14,  3
+    },
+/* Func S6 = */ {
+	12, 10,  1, 15, 10,  4, 15,  2,  9,  7,  2, 12,  6,  9,  8,  5,
+	 0,  6, 13,  1,  3, 13,  4, 14, 14,  0,  7, 11,  5,  3, 11,  8,
+	 9,  4, 14,  3, 15,  2,  5, 12,  2,  9,  8,  5, 12, 15,  3, 10,
+	 7, 11,  0, 14,  4,  1, 10,  7,  1,  6, 13,  0, 11,  8,  6, 13
+    },
+/* Func S7 = */ {
+	 4, 13, 11,  0,  2, 11, 14,  7, 15,  4,  0,  9,  8,  1, 13, 10,
+	 3, 14, 12,  3,  9,  5,  7, 12,  5,  2, 10, 15,  6,  8,  1,  6,
+	 1,  6,  4, 11, 11, 13, 13,  8, 12,  1,  3,  4,  7, 10, 14,  7,
+	10,  9, 15,  5,  6,  0,  8, 15,  0, 14,  5,  2,  9,  3,  2, 12
+    },
+/* Func S8 = */ {
+	13,  1,  2, 15,  8, 13,  4,  8,  6, 10, 15,  3, 11,  7,  1,  4,
+	10, 12,  9,  5,  3,  6, 14, 11,  5,  0,  0, 14, 12,  9,  7,  2,
+	 7,  2, 11,  1,  4, 14,  1,  7,  9,  4, 12, 10, 14,  8,  2, 13,
+	 0, 15,  6, 12, 10,  9, 13,  0, 15,  3,  3,  5,  5,  6,  8, 11
+    }
+};
+
+/*
+ * Permutation function for results from s-boxes
+ *   from FIPS 46 pages 12 and 16.
+ * P = 
+ */
+unsigned char P[32] = {
+	16,   7,  20,  21,  29,  12,  28,  17,
+	 1,  15,  23,  26,   5,  18,  31,  10,
+	 2,   8,  24,  14,  32,  27,   3,   9,
+	19,  13,  30,   6,  22,  11,   4,  25
+};
+
+unsigned int Pinv[32];
+unsigned int SP[8][64];
+
+void
+makePinv(void)
+{
+    int i;
+    unsigned int Pi = 0x80000000;
+    for (i = 0; i < 32; ++i) {
+    	int j = 32 - P[i];
+	Pinv[j] = Pi;
+	Pi >>= 1;
+    }
+}
+
+void
+makeSP(void)
+{
+    int box;
+    for (box = 0; box < 8; ++box) {
+	int item;
+	printf("/* box S%d */ {\n", box + 1);
+    	for (item = 0; item < 64; ++item ) {
+	    unsigned int s = S[box][item];
+	    unsigned int val = 0;
+	    unsigned int bitnum = (7-box) * 4;
+	    for (; s; s >>= 1, ++bitnum) {
+		if (s & 1) {
+		    val |= Pinv[bitnum];
+		}
+	    }
+	    val = (val << 3) | (val >> 29);
+	    SP[box][item] = val;
+	}
+	for (item = 0; item < 64; item += 4) {
+	    printf("\t0x%08x, 0x%08x, 0x%08x, 0x%08x,\n",
+	    SP[box][item], SP[box][item+1], SP[box][item+2], SP[box][item+3]);
+	}
+	printf("    },\n");
+    }
+}
+
+int
+main()
+{
+    makePinv();
+    makeSP();
+    return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile
new file mode 100644
index 000000000..c0e78531c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile
@@ -0,0 +1,281 @@
+#
+# Makefile for MPI library
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#   Richard C. Swift        (swift@netscape.com)
+#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+# $Id$
+#
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+#PERL=perl
+
+include target.mk
+
+CFLAGS+= $(XCFLAGS)
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mp_gf2m.c mpmontg.c mpi-test.c primes.c \
+	mpcpucache.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h mp_gf2m.h \
+     mp_gf2m-priv.h utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd invmod isprime lap dec2hex hex2dec primegen prng \
+	basecvt fact exptmod pi makeprime identest
+
+LIBOBJS = mpprime.o mpmontg.o mplogic.o mp_gf2m.o mpi.o mpcpucache.o $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mp_gf2m.h mpprime.h
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "libmpi.a     - arithmetic and prime testing library"
+	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .o .i
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+#.c.o: $*.h $*.c
+#	$(CC) $(CFLAGS) -c $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.o: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.o: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mp_gf2m.o: mp_gf2m.c mpi-priv.h mp_gf2m.h mp_gf2m-priv.h $(LIBHDRS)
+
+mpmontg.o: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.o: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpcpucache.o: mpcpucache.c $(LIBHDRS)
+
+mpi_mips.o: mpi_mips.s
+	$(CC) -o $@ $(ASFLAGS) -c mpi_mips.s
+
+mpi_sparc.o : montmulf.h
+
+mpv_sparcv9.s: vis_64.il mpv_sparc.c
+	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_64.il mpv_sparc.c
+
+mpv_sparcv8.s: vis_64.il mpv_sparc.c
+	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_32.il mpv_sparc.c
+
+montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s 
+	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $<
+
+# This rule is used to build the .s sources, which are then hand optimized.
+#montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h 
+#	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c
+
+
+libmpi.a: $(LIBOBJS)
+	ar -cvr libmpi.a $(LIBOBJS)
+	$(RANLIB) libmpi.a
+
+lib libs: libmpi.a
+
+mpi.i: mpi.h
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.o mptest2.o mptest3.o mptest3a.o mptest4.o mptest4a.o \
+	mptest4b.o mptest6.o mptest7.o mptest8.o mptest9.o mptestb.o
+MPTESTS = $(MPTESTOBJS:.o=)
+
+$(MPTESTOBJS): mptest%.o: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+$(MPTESTS): mptest%: mptest%.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^  $(LIBS)
+
+tests: mptest1 mptest2 mptest3 mptest3a mptest4 mptest4a mptest4b mptest6 \
+	mptestb bbsrand
+
+utests: mptest7 mptest8 mptest9
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.o bbs_rand.o prng.o
+UTILOBJS = primegen.o metime.o identest.o basecvt.o fact.o exptmod.o pi.o \
+	makeprime.o gcd.o invmod.o lap.o isprime.o \
+	dec2hex.o hex2dec.o
+UTILS = $(UTILOBJS:.o=) 
+
+$(UTILS): % : %.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+$(UTILOBJS) $(EXTRAOBJS): %.o : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+prng: prng.o bbs_rand.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+bbsrand: bbsrand.o bbs_rand.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+utils: $(UTILS) prng bbsrand
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.o: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+mpi-test: mpi-test.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+mdxptest.o: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest: mdxptest.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+mulsqr.o: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -o $@ -c mulsqr.c 
+
+mulsqr: mulsqr.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+#---------------------------------------
+
+alltests: tests utests mpi-test
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.o *.a *.i
+	rm -f core
+	rm -f *~ .*~
+	rm -f utils/*.o
+	rm -f utils/core
+	rm -f utils/*~ utils/.*~
+
+clobber: clean
+	rm -f $(TOOLS) $(UTILS)
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f libmpi.a
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.os2 b/security/nss/lib/freebl/mpi/Makefile.os2
new file mode 100644
index 000000000..c67f9a793
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile.os2
@@ -0,0 +1,280 @@
+#
+# Makefile.win - gmake Makefile for building MPI with VACPP on OS/2
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+# $Id$
+#
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+CC=icc.exe
+AS=alp.exe
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+#PERL=perl
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+
+#OS/2
+AS_SRCS = mpi_x86.asm
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
+ -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+CFLAGS = /Ti+ -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ $(MPICMN)
+ASFLAGS =
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
+     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
+ primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
+
+AS_OBJS = $(AS_SRCS:.asm=.obj)
+LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
+
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "mpi.lib      - arithmetic and prime testing library"
+	@ echo "mpi-test.exe - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .obj .i .lib .exe .asm
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+.c.obj: 
+	$(CC) $(CFLAGS) -c $<
+
+.asm.obj:
+	$(AS) $(ASFLAGS) $<
+
+.obj.exe:
+	$(CC) $(CFLAGS) -Fo$@ $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.obj: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpi_mips.obj: mpi_mips.s
+	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
+
+mpi.lib: $(LIBOBJS)
+	ilib /out:mpi.lib $(LIBOBJS)
+	$(RANLIB) mpi.lib
+
+lib libs: mpi.lib
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
+ mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
+MPTESTS = $(MPTESTOBJS:.obj=.exe)
+
+$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
+ mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
+
+utests: mptest7.exe mptest8.exe mptest9.exe
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
+UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
+ exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
+ isprime.obj dec2hex.obj hex2dec.obj
+UTILS = $(UTILOBJS:.obj=.exe) 
+
+$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+utils: $(UTILS) prng.exe bbsrand.exe
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
+
+mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+#---------------------------------------
+
+alltests: tests utests mpi-test.exe
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.obj *.lib *.pdb *.ilk
+	cd utils; rm -f *.obj *.lib *.pdb *.ilk
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f mpi.lib
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+
+print: 
+	@echo LIBOBJS = $(LIBOBJS)
+# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.win b/security/nss/lib/freebl/mpi/Makefile.win
new file mode 100644
index 000000000..71ed4893b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile.win
@@ -0,0 +1,280 @@
+#
+# Makefile.win - gmake Makefile for building MPI with MSVC on NT
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+# $Id$
+#
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+CC=cl.exe
+AS=ml.exe
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+#PERL=perl
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
+
+#NT
+AS_SRCS = mpi_x86.asm
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
+ -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+CFLAGS = -O2 -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+ASFLAGS = -Cp -Sn -Zi -coff -I. 
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
+     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
+ primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
+
+AS_OBJS = $(AS_SRCS:.asm=.obj)
+LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
+
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "mpi.lib     - arithmetic and prime testing library"
+	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .obj .i .lib .exe .asm
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+.c.obj: 
+	$(CC) $(CFLAGS) -c $<
+
+.asm.obj:
+	$(AS) $(ASFLAGS) -c $<
+
+.obj.exe:
+	$(CC) $(CFLAGS) -Fo$@ $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.obj: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpi_mips.obj: mpi_mips.s
+	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
+
+mpi.lib: $(LIBOBJS)
+	ar -cvr mpi.lib $(LIBOBJS)
+	$(RANLIB) mpi.lib
+
+lib libs: mpi.lib
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
+ mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
+MPTESTS = $(MPTESTOBJS:.obj=.exe)
+
+$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
+ mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
+
+utests: mptest7.exe mptest8.exe mptest9.exe
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
+UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
+ exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
+ isprime.obj dec2hex.obj hex2dec.obj
+UTILS = $(UTILOBJS:.obj=.exe) 
+
+$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+utils: $(UTILS) prng.exe bbsrand.exe
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
+
+mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+#---------------------------------------
+
+alltests: tests utests mpi-test.exe
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.obj *.lib *.pdb *.ilk
+	cd utils; rm -f *.obj *.lib *.pdb *.ilk
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f mpi.lib
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+
+print: 
+	@echo LIBOBJS = $(LIBOBJS)
+# END
diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README
new file mode 100644
index 000000000..50ec394e4
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/README
@@ -0,0 +1,799 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1997-2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+About the MPI Library
+---------------------
+
+The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
+signed integer arithmetic package.  The implementation is not the most
+efficient possible, but the code is small and should be fairly easily
+portable to just about any machine that supports an ANSI C compiler,
+as long as it is capable of at least 16-bit arithmetic (but also see
+below for more on this).
+
+This library was written with an eye to cryptographic applications;
+thus, some care is taken to make sure that temporary values are not
+left lying around in memory when they are no longer in use.  This adds
+some overhead for zeroing buffers before they are released back into
+the free pool; however, it gives you the assurance that there is only
+one copy of your important values residing in your process's address
+space at a time.  Obviously, it is difficult to guarantee anything, in
+a pre-emptive multitasking environment, but this at least helps you
+keep a lid on the more obvious ways your data can get spread around in
+memory.
+
+
+Using the Library
+-----------------
+
+To use the MPI library in your program, you must include the header:
+
+#include "mpi.h"
+
+This header provides all the type and function declarations you'll
+need to use the library.  Almost all the names defined by the library
+begin with the prefix 'mp_', so it should be easy to keep them from
+clashing with your program's namespace (he says, glibly, knowing full
+well there are always pathological cases).
+
+There are a few things you may want to configure about the library.
+By default, the MPI library uses an unsigned short for its digit type,
+and an unsigned int for its word type.  The word type must be big
+enough to contain at least two digits, for the primitive arithmetic to
+work out.  On my machine, a short is 2 bytes and an int is 4 bytes --
+but if you have 64-bit ints, you might want to use a 4-byte digit and
+an 8-byte word.  I have tested the library using 1-byte digits and
+2-byte words, as well.  Whatever you choose to do, the things you need
+to change are:
+
+(1) The type definitions for mp_digit and mp_word.
+
+(2) The macro DIGIT_FMT which tells mp_print() how to display a
+    single digit.  This is just a printf() format string, so you
+    can adjust it appropriately.
+
+(3) The macros DIGIT_MAX and MP_WORD_MAX, which specify the 
+    largest value expressible in an mp_digit and an mp_word,
+    respectively.
+
+Both the mp_digit and mp_word should be UNSIGNED integer types.  The
+code relies on having the full positive precision of the type used for
+digits and words.
+
+The remaining type definitions should be left alone, for the most
+part.  The code in the library does not make any significant
+assumptions about the sizes of things, but there is little if any
+reason to change the other parameters, so I would recommend you leave
+them as you found them.
+
+The library comes with a Perl script, 'types.pl', which will scan your
+current Makefile settings, and attempt to find good definitions for
+these types.  It relies on a Unix sort of build environment, so it
+probably won't work under MacOS or Windows, but it can be convenient
+if you're porting to a new flavour of Unix.  Just run 'types.pl' at
+the command line, and it will spit out its results to the standard
+output.
+
+
+Conventions
+-----------
+
+Most functions in the library return a value of type mp_err.  This
+permits the library to communicate success or various kinds of failure
+to the calling program.  The return values currently defined are:
+
+        MP_OKAY         - okay, operation succeeded, all's well
+        MP_YES          - okay, the answer is yes (same as MP_OKAY)
+        MP_NO           - okay, but answer is no (not MP_OKAY)
+        MP_MEM          - operation ran out of memory
+        MP_RANGE        - input parameter was out of range
+        MP_BADARG       - an invalid input parameter was provided
+        MP_UNDEF        - no output value is defined for this input
+
+The only function which currently uses MP_UNDEF is mp_invmod().
+Division by zero is undefined, but the division functions will return
+MP_RANGE for a zero divisor.  MP_BADARG usually means you passed a
+bogus mp_int structure to the function.  MP_YES and MP_NO are not used
+by the library itself; they're defined so you can use them in your own
+extensions.
+
+If you need a readable interpretation of these error codes in your
+program, you may also use the mp_strerror() function.  This function
+takes an mp_err as input, and returns a pointer to a human-readable
+string describing the meaning of the error.  These strings are stored
+as constants within the library, so the caller should not attempt to
+modify or free the memory associated with these strings.
+
+The library represents values in signed-magnitude format.  Values
+strictly less than zero are negative, all others are considered
+positive (zero is positive by fiat).  You can access the 'sign' member
+of the mp_int structure directly, but better is to use the mp_cmp_z()
+function, to find out which side of zero the value lies on.
+
+Most arithmetic functions have a single-digit variant, as well as the
+full arbitrary-precision.  An mp_digit is an unsigned value between 0
+and DIGIT_MAX inclusive.  The radix is available as RADIX.  The number
+of bits in a given digit is given as DIGIT_BIT.
+
+Generally, input parameters are given before output parameters.
+Unless otherwise specified, any input parameter can be re-used as an
+output parameter, without confusing anything.
+
+The basic numeric type defined by the library is an mp_int.  Virtually
+all the functions in the library take a pointer to an mp_int as one of
+their parameters.  An explanation of how to create and use these
+<HR>
+<A NAME="p23">
+<H3>Problem 23:</H3>
+
+structures follows.  And so, without further ado...
+
+
+Initialization and Cleanup
+--------------------------
+
+The basic numeric type defined by the library is an 'mp_int'.
+However, it is not sufficient to simply declare a variable of type
+mp_int in your program.  These variables also need to be initialized
+before they can be used, to allocate the internal storage they require
+for computation.
+
+This is done using one of the following functions:
+
+        mp_init(mp_int *mp);
+        mp_init_copy(mp_int *mp, mp_int *from);
+        mp_init_size(mp_int *mp, mp_size p);
+
+Each of these requires a pointer to a structure of type mp_int.  The
+basic mp_init() simply initializes the mp_int to a default size, and
+sets its value to zero.  If you would like to initialize a copy of an
+existing mp_int, use mp_init_copy(), where the 'from' parameter is the
+mp_int you'd like to make a copy of.  The third function,
+mp_init_size(), permits you to specify how many digits of precision
+should be preallocated for your mp_int.  This can help the library
+avoid unnecessary re-allocations later on.
+
+The default precision used by mp_init() can be retrieved using:
+
+        precision = mp_get_prec();
+
+This returns the number of digits that will be allocated.  You can
+change this value by using:
+
+        mp_set_prec(unsigned int prec);
+
+Any positive value is acceptable -- if you pass zero, the default
+precision will be re-set to the compiled-in library default (this is
+specified in the header file 'mpi-config.h', and typically defaults to
+8 or 16).
+
+Just as you must allocate an mp_int before you can use it, you must
+clean up the structure when you are done with it.  This is performed
+using the mp_clear() function.  Remember that any mp_int that you
+create as a local variable in a function must be mp_clear()'d before
+that function exits, or else the memory allocated to that mp_int will
+be orphaned and unrecoverable.
+
+To set an mp_int to a given value, the following functions are given:
+
+        mp_set(mp_int *mp, mp_digit d);
+        mp_set_int(mp_int *mp, long z);
+
+The mp_set() function sets the mp_int to a single digit value, while
+mp_set_int() sets the mp_int to a signed long integer value.
+
+To set an mp_int to zero, use:
+
+        mp_zero(mp_int *mp);
+
+
+Copying and Moving
+------------------
+
+If you have two initialized mp_int's, and you want to copy the value
+of one into the other, use:
+
+        mp_copy(from, to)
+
+This takes care of clearing the old value of 'to', and copies the new
+value into it.  If 'to' is not yet initialized, use mp_init_copy()
+instead (see above).
+
+Note:   The library tries, whenever possible, to avoid allocating
+----    new memory.  Thus, mp_copy() tries first to satisfy the needs
+        of the copy by re-using the memory already allocated to 'to'.
+        Only if this proves insufficient will mp_copy() actually
+        allocate new memory.
+
+        For this reason, if you know a priori that 'to' has enough
+        available space to hold 'from', you don't need to check the
+        return value of mp_copy() for memory failure.  The USED()
+        macro tells you how many digits are used by an mp_int, and
+        the ALLOC() macro tells you how many are allocated.
+
+If you have two initialized mp_int's, and you want to exchange their
+values, use:
+
+        mp_exch(a, b)
+
+This is better than using mp_copy() with a temporary, since it will
+not (ever) touch the memory allocator -- it just swaps the exact
+contents of the two structures.  The mp_exch() function cannot fail;
+if you pass it an invalid structure, it just ignores it, and does
+nothing.
+
+
+Basic Arithmetic
+----------------
+
+Once you have initialized your integers, you can operate on them.  The
+basic arithmetic functions on full mp_int values are:
+
+mp_add(a, b, c)         - computes c = a + b
+mp_sub(a, b, c)         - computes c = a - b
+mp_mul(a, b, c)         - computes c = a * b
+mp_sqr(a, b)            - computes b = a * a
+mp_div(a, b, q, r)      - computes q, r such that a = bq + r
+mp_div_2d(a, d, q, r)   - computes q = a / 2^d, r = a % 2^d
+mp_expt(a, b, c)        - computes c = a ** b
+mp_2expt(a, k)          - computes a = 2^k
+mp_sqrt(a, c)           - computes c = floor(sqrt(a))
+
+The mp_div_2d() function efficiently computes division by powers of
+two.  Either the q or r parameter may be NULL, in which case that
+portion of the computation will be discarded.
+
+The algorithms used for some of the computations here are described in
+the following files which are included with this distribution:
+
+mul.txt         Describes the multiplication algorithm
+div.txt         Describes the division algorithm
+expt.txt        Describes the exponentiation algorithm
+sqrt.txt        Describes the square-root algorithm
+square.txt      Describes the squaring algorithm
+
+There are single-digit versions of most of these routines, as well.
+In the following prototypes, 'd' is a single mp_digit:
+
+mp_add_d(a, d, c)       - computes c = a + d
+mp_sub_d(a, d, c)       - computes c = a - d
+mp_mul_d(a, d, c)       - computes c = a * d
+mp_mul_2(a, c)          - computes c = a * 2
+mp_div_d(a, d, q, r)    - computes q, r such that a = bq + r
+mp_div_2(a, c)          - computes c = a / 2
+mp_expt_d(a, d, c)      - computes c = a ** d
+
+The mp_mul_2() and mp_div_2() functions take advantage of the internal
+representation of an mp_int to do multiplication by two more quickly
+than mp_mul_d() would.  Other basic functions of an arithmetic variety
+include:
+
+mp_zero(a)              - assign 0 to a
+mp_neg(a, c)            - negate a: c = -a
+mp_abs(a, c)            - absolute value: c = |a|
+
+
+Comparisons
+-----------
+
+Several comparison functions are provided.  Each of these, unless
+otherwise specified, returns zero if the comparands are equal, < 0 if
+the first is less than the second, and > 0 if the first is greater
+than the second:
+
+mp_cmp_z(a)             - compare a <=> 0
+mp_cmp_d(a, d)          - compare a <=> d, d is a single digit
+mp_cmp(a, b)            - compare a <=> b
+mp_cmp_mag(a, b)        - compare |a| <=> |b|
+mp_cmp_int(a, z)        - compare a <=> z, z is a signed long integer
+mp_isodd(a)             - return nonzero if odd, zero otherwise
+mp_iseven(a)            - return nonzero if even, zero otherwise
+
+
+Modular Arithmetic
+------------------
+
+Modular variations of the basic arithmetic functions are also
+supported.  These are available if the MP_MODARITH parameter in
+mpi-config.h is turned on (it is by default).  The modular arithmetic
+functions are:
+
+mp_mod(a, m, c)         - compute c = a (mod m), 0 <= c < m
+mp_mod_d(a, d, c)       - compute c = a (mod d), 0 <= c < d (see below)
+mp_addmod(a, b, m, c)   - compute c = (a + b) mod m
+mp_submod(a, b, m, c)   - compute c = (a - b) mod m
+mp_mulmod(a, b, m, c)   - compute c = (a * b) mod m
+mp_sqrmod(a, m, c)      - compute c = (a * a) mod m
+mp_exptmod(a, b, m, c)  - compute c = (a ** b) mod m
+mp_exptmod_d(a, d, m, c)- compute c = (a ** d) mod m
+
+The mp_sqr() function squares its input argument.  A call to mp_sqr(a,
+c) is identical in meaning to mp_mul(a, a, c); however, if the
+MP_SQUARE variable is set true in mpi-config.h (see below), then it
+will be implemented with a different algorithm, that is supposed to
+take advantage of the redundant computation that takes place during
+squaring.  Unfortunately, some compilers result in worse performance
+on this code, so you can change the behaviour at will.  There is a
+utility program "mulsqr.c" that lets you test which does better on
+your system.
+
+The mp_sqrmod() function is analogous to the mp_sqr() function; it
+uses the mp_sqr() function rather than mp_mul(), and then performs the
+modular reduction.  This probably won't help much unless you are doing
+a lot of them.
+
+See the file 'square.txt' for a synopsis of the algorithm used.
+
+Note:   The mp_mod_d() function computes a modular reduction around
+----    a single digit d.  The result is a single digit c.
+
+Because an inverse is defined for a (mod m) if and only if (a, m) = 1
+(that is, if a and m are relatively prime), mp_invmod() may not be
+able to compute an inverse for the arguments.  In this case, it
+returns the value MP_UNDEF, and does not modify c.  If an inverse is
+defined, however, it returns MP_OKAY, and sets c to the value of the
+inverse (mod m).
+
+See the file 'redux.txt' for a description of the modular reduction
+algorithm used by mp_exptmod().
+
+
+Greatest Common Divisor
+-----------------------
+
+If The greates common divisor of two values can be found using one of the
+following functions:
+
+mp_gcd(a, b, c)         - compute c = (a, b) using binary algorithm
+mp_lcm(a, b, c)         - compute c = [a, b] = ab / (a, b)
+mp_xgcd(a, b, g, x, y)  - compute g, x, y so that ax + by = g = (a, b)
+
+Also provided is a function to compute modular inverses, if they
+exist:
+
+mp_invmod(a, m, c)      - compute c = a^-1 (mod m), if it exists
+
+The function mp_xgcd() computes the greatest common divisor, and also
+returns values of x and y satisfying Bezout's identity.  This is used
+by mp_invmod() to find modular inverses.  However, if you do not need
+these values, you will find that mp_gcd() is MUCH more efficient,
+since it doesn't need all the intermediate values that mp_xgcd()
+requires in order to compute x and y. 
+
+The mp_gcd() (and mp_xgcd()) functions use the binary (extended) GCD
+algorithm due to Josef Stein.
+
+
+Input & Output Functions
+------------------------
+
+The following basic I/O routines are provided.  These are present at
+all times:
+
+mp_read_radix(mp, str, r)  - convert a string in radix r to an mp_int
+mp_read_raw(mp, s, len)    - convert a string of bytes to an mp_int
+mp_radix_size(mp, r)       - return length of buffer needed by mp_toradix()
+mp_raw_size(mp)            - return length of buffer needed by mp_toraw()
+mp_toradix(mp, str, r)     - convert an mp_int to a string of radix r 
+                             digits
+mp_toraw(mp, str)          - convert an mp_int to a string of bytes
+mp_tovalue(ch, r)          - convert ch to its value when taken as
+                             a radix r digit, or -1 if invalid
+mp_strerror(err)           - get a string describing mp_err value 'err'
+
+If you compile the MPI library with MP_IOFUNC defined, you will also
+have access to the following additional I/O function:
+
+mp_print(mp, ofp)       - print an mp_int as text to output stream ofp
+
+Note that mp_radix_size() returns a size in bytes guaranteed to be AT
+LEAST big enough for the digits output by mp_toradix().  Because it
+uses an approximation technique to figure out how many digits will be
+needed, it may return a figure which is larger than necessary.  Thus,
+the caller should not rely on the value to determine how many bytes
+will actually be written by mp_toradix().  The string mp_toradix()
+creates will be NUL terminated, so the standard C library function
+strlen() should be able to ascertain this for you, if you need it.
+
+The mp_read_radix() and mp_toradix() functions support bases from 2 to
+64 inclusive.  If you require more general radix conversion facilities
+than this, you will need to write them yourself (that's why mp_div_d()
+is provided, after all).
+
+Note:   mp_read_radix() will accept as digits either capital or 
+----    lower-case letters.  However, the current implementation of
+        mp_toradix() only outputs upper-case letters, when writing
+        bases betwee 10 and 36.  The underlying code supports using
+        lower-case letters, but the interface stub does not have a
+        selector for it.  You can add one yourself if you think it
+        is worthwhile -- I do not.  Bases from 36 to 64 use lower-
+        case letters as distinct from upper-case.  Bases 63 and
+        64 use the characters '+' and '/' as digits.
+
+        Note also that compiling with MP_IOFUNC defined will cause
+        inclusion of <stdio.h>, so if you are trying to write code
+        which does not depend on the standard C library, you will
+        probably want to avoid this option.  This is needed because
+        the mp_print() function takes a standard library FILE * as
+        one of its parameters, and uses the fprintf() function.
+
+The mp_toraw() function converts the integer to a sequence of bytes,
+in big-endian ordering (most-significant byte first).  Assuming your
+bytes are 8 bits wide, this corresponds to base 256.  The sign is
+encoded as a single leading byte, whose value is 0 for zero or
+positive values, or 1 for negative values.  The mp_read_raw() function
+reverses this process -- it takes a buffer of bytes, interprets the
+first as a sign indicator (0 = zero/positive, nonzero = negative), and
+the rest as a sequence of 1-byte digits in big-endian ordering.
+
+The mp_raw_size() function returns the exact number of bytes required
+to store the given integer in "raw" format (as described in the
+previous paragraph).  Zero is returned in case of error; a valid
+integer will require at least three bytes of storage.
+
+In previous versions of the MPI library, an "external representation
+format" was supported.  This was removed, however, because I found I
+was never using it, it was not as portable as I would have liked, and
+I decided it was a waste of space.
+
+
+Other Functions
+---------------
+
+The files 'mpprime.h' and 'mpprime.c' define some routines which are
+useful for divisibility testing and probabilistic primality testing.
+The routines defined are:
+
+mpp_divis(a, b)          - is a divisible by b?
+mpp_divis_d(a, d)        - is a divisible by digit d?
+mpp_random(a)            - set a to random value at current precision
+mpp_random_size(a, prec) - set a to random value at given precision
+
+Note:  The mpp_random() and mpp_random_size() functions use the C
+----   library's rand() function to generate random values.  It is
+       up to the caller to seed this generator before it is called.
+       These functions are not suitable for generating quantities
+       requiring cryptographic-quality randomness; they are intended
+       primarily for use in primality testing.
+
+       Note too that the MPI library does not call srand(), so your
+       application should do this, if you ever want the sequence
+       to change.
+
+mpp_divis_vector(a, v, s, w)  - is a divisible by any of the s digits
+                                in v?  If so, let w be the index of 
+                                that digit
+
+mpp_divis_primes(a, np)       - is a divisible by any of the first np
+                                primes?  If so, set np to the prime 
+                                which divided a.
+
+mpp_fermat(a, d)              - test if w^a = w (mod a).  If so, 
+                                returns MP_YES, otherwise MP_NO.
+
+mpp_pprime(a, nt)             - perform nt iterations of the Rabin-
+                                Miller probabilistic primality test
+                                on a.  Returns MP_YES if all tests
+                                passed, or MP_NO if any test fails.
+
+The mpp_fermat() function works based on Fermat's little theorem, a
+consequence of which is that if p is a prime, and (w, p) = 1, then:
+
+        w^p = w (mod p)
+
+Put another way, if w^p != w (mod p), then p is not prime.  The test
+is expensive to compute, but it helps to quickly eliminate an enormous
+class of composite numbers prior to Rabin-Miller testing.
+
+Building the Library
+--------------------
+
+The MPI library is designed to be as self-contained as possible.  You
+should be able to compile it with your favourite ANSI C compiler, and
+link it into your program directly.  If you are on a Unix system using
+the GNU C compiler (gcc), the following should work:
+
+% gcc -ansi -pedantic -Wall -O2 -c mpi.c
+
+The file 'mpi-config.h' defines several configurable parameters for
+the library, which you can adjust to suit your application.  At the
+time of this writing, the available options are:
+
+MP_IOFUNC       - Define true to include the mp_print() function, 
+                  which is moderately useful for debugging.  This
+                  implicitly includes <stdio.h>.
+
+MP_MODARITH     - Define true to include the modular arithmetic
+                  functions.  If you don't need modular arithmetic
+                  in your application, you can set this to zero to
+                  leave out all the modular routines.
+
+MP_NUMTH        - Define true to include number theoretic functions
+                  such as mp_gcd(), mp_lcm(), and mp_invmod().
+
+MP_LOGTAB       - If true, the file "logtab.h" is included, which
+                  is basically a static table of base 2 logarithms.
+                  These are used to compute how big the buffers for
+                  radix conversion need to be.  If you set this false,
+                  the library includes <math.h> and uses log().  This
+                  typically forces you to link against math libraries.
+
+MP_MEMSET       - If true, use memset() to zero buffers.  If you run
+                  into weird alignment related bugs, set this to zero
+                  and an explicit loop will be used.
+
+MP_MEMCPY       - If true, use memcpy() to copy buffers.  If you run
+                  into weird alignment bugs, set this to zero and an
+                  explicit loop will be used.
+
+MP_CRYPTO       - If true, whenever arrays of digits are free'd, they
+                  are zeroed first.  This is useful if you're using
+                  the library in a cryptographic environment; however,
+                  it does add overhead to each free operation.  For
+                  performance, if you don't care about zeroing your
+                  buffers, set this to false.
+
+MP_ARGCHK       - Set to 0, 1, or 2.  This defines how the argument
+                  checking macro, ARGCHK(), gets expanded.  If this 
+                  is set to zero, ARGCHK() expands to nothing; no 
+                  argument checks are performed.  If this is 1, the
+                  ARGCHK() macro expands to code that returns MP_BADARG
+                  or similar at runtime.  If it is 2, ARGCHK() expands 
+                  to an assert() call that aborts the program on a 
+                  bad input.
+
+MP_DEBUG        - Turns on debugging output.  This is probably not at
+                  all useful unless you are debugging the library.  It
+                  tends to spit out a LOT of output.
+
+MP_DEFPREC      - The default precision of a newly-created mp_int, in
+                  digits.  The precision can be changed at runtime by
+                  the mp_set_prec() function, but this is its initial
+                  value.
+
+MP_SQUARE       - If this is set to a nonzero value, the mp_sqr() 
+                  function will use an alternate algorithm that takes
+                  advantage of the redundant inner product computation
+                  when both multiplicands are identical.  Unfortunately,
+                  with some compilers this is actually SLOWER than just
+                  calling mp_mul() with the same argument twice.  So
+                  if you set MP_SQUARE to zero, mp_sqr() will be expan-
+                  ded into a call to mp_mul().  This applies to all 
+                  the uses of mp_sqr(), including mp_sqrmod() and the
+                  internal calls to s_mp_sqr() inside mpi.c
+
+                  The program 'mulsqr' (mulsqr.c) can be used to test
+                  which works best for your configuration.  Set up the
+                  CC and CFLAGS variables in the Makefile, then type:
+
+                        make mulsqr
+
+                  Invoke it with arguments similar to the following:
+
+                        mulsqr 25000 1024
+
+                  That is, 25000 products computed on 1024-bit values.
+                  The output will compare the two timings, and recommend
+                  a setting for MP_SQUARE.  It is off by default.
+
+If you would like to use the mp_print() function (see above), be sure
+to define MP_IOFUNC in mpi-config.h.  Many of the test drivers in the
+'tests' subdirectory expect this to be defined (although the test
+driver 'mpi-test' doesn't need it)
+
+The Makefile which comes with the library should take care of building
+the library for you, if you have set the CC and CFLAGS variables at
+the top of the file appropriately.  By default, they are set up to
+use the GNU C compiler:
+
+CC=gcc
+CFLAGS=-ansi -pedantic -Wall -O2
+
+If all goes well, the library should compile without warnings using
+this combination.  You should, of course, make whatever adjustments
+you find necessary.  
+
+The MPI library distribution comes with several additional programs
+which are intended to demonstrate the use of the library, and provide
+a framework for testing it.  There are a handful of test driver
+programs, in the files named 'mptest-X.c', where X is a digit.  Also,
+there are some simple command-line utilities (in the 'utils'
+directory) for manipulating large numbers.  These include:
+
+basecvt.c       A radix-conversion program, supporting bases from
+                2 to 64 inclusive.
+
+bbsrand.c       A BBS (quadratic residue) pseudo-random number 
+                generator.  The file 'bbsrand.c' is just the driver
+                for the program; the real code lives in the files
+                'bbs_rand.h' and 'bbs_rand.c'
+
+dec2hex.c       Converts decimal to hexadecimal
+
+gcd.c           Computes the greatest common divisor of two values.
+                If invoked as 'xgcd', also computes constants x and
+                y such that (a, b) = ax + by, in accordance with
+                Bezout's identity.
+
+hex2dec.c       Converts hexadecimal to decimal
+
+invmod.c        Computes modular inverses
+
+isprime.c       Performs the Rabin-Miller probabilistic primality
+                test on a number.  Values which fail this test are
+                definitely composite, and those which pass are very
+                likely to be prime (although there are no guarantees)
+
+lap.c           Computes the order (least annihilating power) of
+                a value v modulo m.  Very dumb algorithm.
+
+primegen.c      Generates large (probable) primes.
+
+prng.c          A pseudo-random number generator based on the
+                BBS generator code in 'bbs_rand.c'
+
+sieve.c         Implements the Sieve of Eratosthenes, using a big
+                bitmap, to generate a list of prime numbers.
+
+fact.c          Computes the factorial of an arbitrary precision
+                integer (iterative).
+
+exptmod.c       Computes arbitrary precision modular exponentiation
+                from the command line (exptmod a b m -> a^b (mod m))
+
+Most of these can be built from the Makefile that comes with the
+library.  Try 'make tools', if your environment supports it.  (If you
+are compiling on a Macintosh, I'm afraid you'll have to build them by
+hand -- fortunately, this is not difficult -- the library itself
+should compile just fine under Metrowerks CodeWarrior).
+
+
+Testing the Library
+-------------------
+
+Automatic test vectors are included, in the form of a program called
+'mpi-test'.  To build this program and run all the tests, simply
+invoke the shell script 'all-tests'.  If all the tests pass, you
+should see a message:
+
+        All tests passed
+
+If something went wrong, you'll get:
+
+        One or more tests failed.
+
+If this happens, scan back through the preceding lines, to see which
+test failed.  Any failure indicates a bug in the library, which needs
+to be fixed before it will give accurate results.  If you get any such
+thing, please let me know, and I'll try to fix it.  Please let me know
+what platform and compiler you were using, as well as which test
+failed.  If a reason for failure was given, please send me that text
+as well.
+
+If you're on a system such as the Macintosh, where the standard Unix
+build tools don't work, you can build the 'mpi-test' program manually,
+and run it by hand.  This is tedious and obnoxious, sorry.
+
+Further manual testing can be performed by building the manual testing
+programs, whose source is found in the 'tests' subdirectory.  Each
+test is in a source file called 'mptest-X.c'.  The Makefile contains a
+target to build all of them at once:
+
+        make tests
+
+Read the comments at the top of each source file to see what the
+driver is supposed to test.  You probably don't need to do this; these
+programs were only written to help me as I was developing the library.
+
+The relevant files are:
+
+mpi-test.c              The source for the test driver
+
+make-test-arrays        A Perl script to generate some of the internal
+                        data structures used by mpi-test.c
+
+test-arrays.txt         The source file for make-test-arrays
+
+all-tests               A Bourne shell script which runs all the
+                        tests in the mpi-test suite
+
+Running 'make mpi-test' should build the mpi-test program.  If you
+cannot use make, here is what needs to be done:
+
+(1) Use 'make-test-arrays' to generate the file 'test-info.c' from
+    the 'test-arrays.txt' file.  Since Perl can be found everywhere,
+    even on the Macintosh, this should be no trouble.  Under Unix, 
+    this looks like:
+
+        make-test-arrays test-arrays.txt > test-info.c
+
+(2) Build the MPI library:
+
+        gcc -ansi -pedantic -Wall -c mpi.c
+
+(3) Build the mpi-test program:
+
+        gcc -ansi -pedantic -Wall -o mpi-test mpi.o mpi-test.c
+
+When you've got mpi-test, you can use 'all-tests' to run all the tests
+made available by mpi-test.  If any of them fail, there should be a
+diagnostic indicating what went wrong.  These are fairly high-level
+diagnostics, and won't really help you debug the problem; they're
+simply intended to help you isolate which function caused the problem.
+If you encounter a problem of this sort, feel free to e-mail me, and I
+will certainly attempt to help you debug it.
+
+Note:   Several of the tests hard-wired into 'mpi-test' operate under
+----    the assumption that you are using at least a 16-bit mp_digit 
+        type.  If that is not true, several tests might fail, because 
+        of range problems with the maximum digit value.
+
+        If you are using an 8-bit digit, you will also need to 
+        modify the code for mp_read_raw(), which assumes that
+        multiplication by 256 can be done with mp_mul_d(), a
+        fact that fails when DIGIT_MAX is 255.  You can replace
+        the call with s_mp_lshd(), which will give you the same
+        effect, and without doing as much work. :)
+
+Acknowledgements:
+----------------
+
+The algorithms used in this library were drawn primarily from Volume
+2 of Donald Knuth's magnum opus, _The Art of Computer Programming_, 
+"Semi-Numerical Methods".  Barrett's algorithm for modular reduction
+came from Menezes, Oorschot, and Vanstone's _Handbook of Applied
+Cryptography_, Chapter 14.
+
+Thanks are due to Tom St. Denis, for finding an obnoxious sign-related
+bug in mp_read_raw() that made things break on platforms which use
+signed chars.
+
+About the Author
+----------------
+
+This software was written by Michael J. Fromberger.  You can contact
+the author as follows:
+
+E-mail:   <sting@linguist.dartmouth.edu>
+
+Postal:   8000 Cummings Hall, Thayer School of Engineering
+          Dartmouth College, Hanover, New Hampshire, USA
+
+PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
+          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
+
+Last updated:  16-Jan-2000
diff --git a/security/nss/lib/freebl/mpi/all-tests b/security/nss/lib/freebl/mpi/all-tests
new file mode 100755
index 000000000..5177e0a80
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/all-tests
@@ -0,0 +1,115 @@
+#!/bin/sh
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1997
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+ECHO=/bin/echo
+MAKE=gmake
+
+$ECHO "\n** Running unit tests for MPI library\n"
+
+# Build the mpi-test program, which comprises all the unit tests for
+# the MPI library...
+
+$ECHO "Bringing mpi-test up to date ... "
+if $MAKE mpi-test ; then
+  :
+else
+  $ECHO " "
+  $ECHO "Make failed to build mpi-test."
+  $ECHO " "
+  exit 1
+fi
+
+if [ ! -x mpi-test ] ; then
+  $ECHO " "
+  $ECHO "Cannot find 'mpi-test' program, testing cannot continue."
+  $ECHO " "
+  exit 1
+fi
+
+# Get the list of available test suites...
+tests=`mpi-test list | awk '{print $1}'`
+errs=0
+
+# Run each test suite and check the result code of mpi-test
+for test in $tests ; do
+  $ECHO "$test ... \c"
+  if mpi-test $test ; then
+    $ECHO "passed"
+  else
+    $ECHO "FAILED"
+    errs=1
+  fi
+done
+
+# If any tests failed, we'll stop at this point
+if [ "$errs" = "0" ] ; then
+  $ECHO "All unit tests passed"
+else
+  $ECHO "One or more tests failed"
+  exit 1
+fi
+
+# Now try to build the 'pi' program, and see if it can compute the
+# first thousand digits of pi correctly
+$ECHO "\n** Running other tests\n"
+
+$ECHO "Bringing 'pi' up to date ... "
+if $MAKE pi ; then
+    :
+else
+    $ECHO "\nMake failed to build pi.\n"
+    exit 1
+fi
+
+if [ ! -x pi ] ; then
+    $ECHO "\nCannot find 'pi' program; testing cannot continue.\n"
+    exit 1
+fi
+
+./pi 2000 > /tmp/pi.tmp.$$
+if cmp tests/pi2k.txt /tmp/pi.tmp.$$ ; then
+    $ECHO "Okay!  The pi test passes."
+else
+    $ECHO "Oops!  The pi test failed. :("
+    exit 1
+fi
+
+rm -f /tmp/pi.tmp.$$
+
+exit 0
+
+# Here there be dragons
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE b/security/nss/lib/freebl/mpi/doc/LICENSE
new file mode 100644
index 000000000..35cca68ce
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE
@@ -0,0 +1,11 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+basecvt.pod
+gcd.pod
+invmod.pod
+isprime.pod
+lap.pod
+mpi-test.pod
+prime.txt
+prng.pod
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
new file mode 100644
index 000000000..d1f78f522
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
@@ -0,0 +1,35 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
diff --git a/security/nss/lib/freebl/mpi/doc/basecvt.pod b/security/nss/lib/freebl/mpi/doc/basecvt.pod
new file mode 100644
index 000000000..5c072ccd6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/basecvt.pod
@@ -0,0 +1,63 @@
+=head1 NAME
+
+ basecvt - radix conversion for arbitrary precision integers
+
+=head1 SYNOPSIS
+
+ basecvt <ibase> <obase> [values]
+
+=head1 DESCRIPTION
+
+The B<basecvt> program is a command-line tool for converting integers
+of arbitrary precision from one radix to another.  The current version
+supports radix values from 2 (binary) to 64, inclusive.  The first two
+command line arguments specify the input and output radix, in base 10.
+Any further arguments are taken to be integers notated in the input
+radix, and these are converted to the output radix.  The output is
+written, one integer per line, to standard output.
+
+When reading integers, only digits considered "valid" for the input
+radix are considered.  Processing of an integer terminates when an
+invalid input digit is encountered.  So, for example, if you set the
+input radix to 10 and enter '10ACF', B<basecvt> would assume that you
+had entered '10' and ignore the rest of the string.
+
+If no values are provided, no output is written, but the program
+simply terminates with a zero exit status.  Error diagnostics are
+written to standard error in the event of out-of-range radix
+specifications.  Regardless of the actual values of the input and
+output radix, the radix arguments are taken to be in base 10 (decimal)
+notation.
+
+=head1 DIGITS
+
+For radices from 2-10, standard ASCII decimal digits 0-9 are used for
+both input and output.  For radices from 11-36, the ASCII letters A-Z
+are also included, following the convention used in hexadecimal.  In
+this range, input is accepted in either upper or lower case, although
+on output only lower-case letters are used.
+
+For radices from 37-62, the output includes both upper- and lower-case
+ASCII letters, and case matters.  In this range, case is distinguished
+both for input and for output values.
+
+For radices 63 and 64, the characters '+' (plus) and '/' (forward
+solidus) are also used.  These are derived from the MIME base64
+encoding scheme.  The overall encoding is not the same as base64,
+because the ASCII digits are used for the bottom of the range, and the
+letters are shifted upward; however, the output will consist of the
+same character set.
+
+This input and output behaviour is inherited from the MPI library used
+by B<basecvt>, and so is not configurable at runtime.
+
+=head1 SEE ALSO
+
+ dec2hex(1), hex2dec(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+
+ $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/build b/security/nss/lib/freebl/mpi/doc/build
new file mode 100755
index 000000000..64a2e6ac9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/build
@@ -0,0 +1,66 @@
+#!/bin/sh
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+VERS="1.7p6"
+SECT="1"
+NAME="MPI Tools"
+
+echo "Building manual pages ..."
+case $# in
+  0)
+    files=`ls *.pod`
+    ;;
+  *)
+    files=$*
+    ;;
+esac
+
+for name in $files
+do
+   echo -n "$name ... "
+#  sname=`noext $name`
+   sname=`basename $name .pod`
+   pod2man --section="$SECT" --center="$NAME" --release="$VERS" $name > $sname.$SECT
+   echo "(done)"
+done
+
+echo "Finished building."
+
diff --git a/security/nss/lib/freebl/mpi/doc/div.txt b/security/nss/lib/freebl/mpi/doc/div.txt
new file mode 100644
index 000000000..aaf4e14b8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/div.txt
@@ -0,0 +1,101 @@
+Division
+
+This describes the division algorithm used by the MPI library.
+
+Input:    a, b; a > b
+Compute:  Q, R; a = Qb + R
+
+The input numbers are normalized so that the high-order digit of b is
+at least half the radix.  This guarantees that we have a reasonable
+way to guess at the digits of the quotient (this method was taken from
+Knuth, vol. 2, with adaptations).
+
+To normalize, test the high-order digit of b.  If it is less than half
+the radix, multiply both a and b by d, where:
+
+             radix - 1
+	d = -----------
+              bmax + 1
+
+...where bmax is the high-order digit of b.  Otherwise, set d = 1.
+
+Given normalize values for a and b, let the notation a[n] denote the
+nth digit of a.  Let #a be the number of significant figures of a (not
+including any leading zeroes).
+
+	Let R = 0
+	Let p = #a - 1
+
+	while(p >= 0)
+	  do
+	    R = (R * radix) + a[p]
+	    p = p - 1
+	  while(R < b and p >= 0)
+
+	  if(R < b)
+	    break
+
+	  q = (R[#R - 1] * radix) + R[#R - 2]
+	  q = q / b[#b - 1]
+
+	  T = b * q
+
+	  while(T > L)
+	    q = q - 1
+	    T = T - b
+	  endwhile
+
+	  L = L - T
+
+	  Q = (Q * radix) + q
+
+	endwhile
+
+At this point, Q is the quotient, and R is the normalized remainder.
+To denormalize R, compute:
+
+	R = (R / d)
+
+At this point, you are finished.
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/expt.txt b/security/nss/lib/freebl/mpi/doc/expt.txt
new file mode 100644
index 000000000..cea9dcc58
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/expt.txt
@@ -0,0 +1,132 @@
+Exponentiation
+
+For exponentiation, the MPI library uses a simple and fairly standard
+square-and-multiply method.  The algorithm is this:
+
+Input:	a, b
+Output: a ** b
+
+	s = 1
+
+	while(b != 0)
+	  if(b is odd)
+	    s = s * a
+	  endif
+
+	  b = b / 2
+
+	  x = x * x
+	endwhile
+
+	return s
+
+The modular exponentiation is done the same way, except replacing:
+
+	s = s * a
+
+with
+	s = (s * a) mod m
+
+and replacing
+
+	x = x * x
+
+with
+
+	x = (x * x) mod m
+
+Here is a sample exponentiation using the MPI library, as compared to
+the same problem solved by the Unix 'bc' program on my system:
+
+Computation of 2,381,283 ** 235
+
+'bc' says:
+
+4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
+4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
+6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
+4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
+6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
+FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
+CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
+5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
+CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
+49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
+5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
+A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
+D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
+92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
+A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
+AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
+E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
+1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
+CFFF2E1AC93F3CA264A1B
+
+MPI says:
+
+4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
+4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
+6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
+4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
+6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
+FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
+CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
+5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
+CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
+49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
+5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
+A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
+D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
+92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
+A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
+AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
+E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
+1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
+CFFF2E1AC93F3CA264A1B
+
+Diff says:
+% diff bc.txt mp.txt
+%
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/gcd.pod b/security/nss/lib/freebl/mpi/doc/gcd.pod
new file mode 100644
index 000000000..53b955f7e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/gcd.pod
@@ -0,0 +1,27 @@
+=head1 NAME
+
+ gcd - compute greatest common divisor of two integers
+
+=head1 SYNOPSIS
+
+ gcd <a> <b>
+
+=head1 DESCRIPTION
+
+The B<gcd> program computes the greatest common divisor of two
+arbitrary-precision integers I<a> and I<b>.  The result is written in
+standard decimal notation to the standard output.
+
+If I<b> is zero, B<gcd> will print an error message and exit.
+
+=head1 SEE ALSO
+
+invmod(1), isprime(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/invmod.pod b/security/nss/lib/freebl/mpi/doc/invmod.pod
new file mode 100644
index 000000000..faa8f9d0c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/invmod.pod
@@ -0,0 +1,33 @@
+=head1 NAME
+
+ invmod - compute modular inverse of an integer
+
+=head1 SYNOPSIS
+
+ invmod <a> <m>
+
+=head1 DESCRIPTION
+
+The B<invmod> program computes the inverse of I<a>, modulo I<m>, if
+that inverse exists.  Both I<a> and I<m> are arbitrary-precision
+integers in decimal notation.  The result is written in standard
+decimal notation to the standard output.
+
+If there is no inverse, the message:
+
+ No inverse
+
+...will be printed to the standard output (an inverse exists if and
+only if the greatest common divisor of I<a> and I<m> is 1).
+
+=head1 SEE ALSO
+
+gcd(1), isprime(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/isprime.pod b/security/nss/lib/freebl/mpi/doc/isprime.pod
new file mode 100644
index 000000000..a17c1c1bd
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/isprime.pod
@@ -0,0 +1,62 @@
+=head1 NAME
+
+ isprime - probabilistic primality testing
+
+=head1 SYNOPSIS
+
+ isprime <a>
+
+=head1 DESCRIPTION
+
+The B<isprime> program attempts to determine whether the arbitrary
+precision integer I<a> is prime.  It first tests I<a> for divisibility
+by the first 170 or so small primes, and assuming I<a> is not
+divisible by any of these, applies 15 iterations of the Rabin-Miller
+probabilistic primality test.
+
+If the program discovers that the number is composite, it will print:
+
+ Not prime (reason)
+
+Where I<reason> is either:
+
+	divisible by small prime x
+
+Or:
+
+	failed nth pseudoprime test
+
+In the first case, I<x> indicates the first small prime factor that
+was found.  In the second case, I<n> indicates which of the
+pseudoprime tests failed (numbered from 1)
+
+If this happens, the number is definitely not prime.  However, if the
+number succeeds, this message results:
+
+ Probably prime, 1 in 4^15 chance of false positive
+
+If this happens, the number is prime with very high probability, but
+its primality has not been absolutely proven, only demonstrated to a
+very convincing degree.
+
+The value I<a> can be input in standard decimal notation, or, if it is
+prefixed with I<Ox>, it will be read as hexadecimal.
+
+=head1 ENVIRONMENT
+
+You can control how many iterations of Rabin-Miller are performed on
+the candidate number by setting the I<RM_TESTS> environment variable
+to an integer value before starting up B<isprime>.  This will change
+the output slightly if the number passes all the tests.
+
+=head1 SEE ALSO
+
+gcd(1), invmod(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/lap.pod b/security/nss/lib/freebl/mpi/doc/lap.pod
new file mode 100644
index 000000000..ac100639b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/lap.pod
@@ -0,0 +1,35 @@
+=head1 NAME
+
+ lap - compute least annihilating power of a number
+
+=head1 SYNOPSIS
+
+ lap <a> <m>
+
+=head1 DESCRIPTION
+
+The B<lap> program computes the order of I<a> modulo I<m>, for
+arbitrary precision integers I<a> and I<m>.  The B<order> of I<a>
+modulo I<m> is defined as the smallest positive value I<n> for which
+I<a> raised to the I<n>th power, modulo I<m>, is equal to 1.  The
+order may not exist, if I<m> is composite.
+
+=head1 RESTRICTIONS
+
+This program is very slow, especially for large moduli.  It is
+intended as a way to help find primitive elements in a modular field,
+but it does not do so in a particularly inefficient manner.  It was
+written simply to help verify that a particular candidate does not
+have an obviously short cycle mod I<m>.
+
+=head1 SEE ALSO
+
+gcd(1), invmod(1), isprime(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/mpi-test.pod b/security/nss/lib/freebl/mpi/doc/mpi-test.pod
new file mode 100644
index 000000000..16050f09f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/mpi-test.pod
@@ -0,0 +1,49 @@
+=head1 NAME
+
+ mpi-test - automated test program for MPI library
+
+=head1 SYNOPSIS
+
+ mpi-test <suite-name> [quiet]
+ mpi-test list
+ mpi-test help
+
+=head1 DESCRIPTION
+
+The B<mpi-test> program is a general unit test driver for the MPI
+library.  It is used to verify that the library works as it is
+supposed to on your architecture.  As with most such things, passing
+all the tests in B<mpi-test> does not guarantee the code is correct,
+but if any of them fail, there are certainly problems.
+
+Each major function of the library can be tested individually.  For a
+list of the test suites understood by B<mpi-test>, run it with the
+I<list> command line option:
+
+ mpi-test list
+
+This will display a list of the available test suites and a brief
+synopsis of what each one does.  For a brief overview of this
+document, run B<mpi-test> I<help>.
+
+B<mpi-test> exits with a zero status if the selected test succeeds, or
+a nonzero status if it fails.  If a I<suite-name> which is not
+understood by B<mpi-test> is given, a diagnostic is printed to the
+standard error, and the program exits with a result code of 2.  If a
+test fails, the result code will be 1, and a diagnostic is ordinarily
+printed to the standard error.  However, if the I<quiet> option is
+provided, these diagnostics will be suppressed.
+
+=head1 RESTRICTIONS
+
+Only a few canned test cases are provided.  The solutions have been
+verified using the GNU bc(1) program, so bugs there may cause problems
+here; however, this is very unlikely, so if a test fails, it is almost
+certainly my fault, not bc(1)'s.
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/mul.txt b/security/nss/lib/freebl/mpi/doc/mul.txt
new file mode 100644
index 000000000..01464f251
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/mul.txt
@@ -0,0 +1,114 @@
+Multiplication
+
+This describes the multiplication algorithm used by the MPI library.
+
+This is basically a standard "schoolbook" algorithm.  It is slow --
+O(mn) for m = #a, n = #b -- but easy to implement and verify.
+Basically, we run two nested loops, as illustrated here (R is the
+radix):
+
+k = 0
+for j <- 0 to (#b - 1)
+  for i <- 0 to (#a - 1)
+    w = (a[j] * b[i]) + k + c[i+j]
+    c[i+j] = w mod R
+    k = w div R
+  endfor
+  c[i+j] = k;
+  k = 0;
+endfor
+
+It is necessary that 'w' have room for at least two radix R digits.
+The product of any two digits in radix R is at most:
+
+	(R - 1)(R - 1) = R^2 - 2R + 1
+
+Since a two-digit radix-R number can hold R^2 - 1 distinct values,
+this insures that the product will fit into the two-digit register.
+
+To insure that two digits is enough for w, we must also show that
+there is room for the carry-in from the previous multiplication, and
+the current value of the product digit that is being recomputed.
+Assuming each of these may be as big as R - 1 (and no larger,
+certainly), two digits will be enough if and only if:
+
+	(R^2 - 2R + 1) + 2(R - 1) <= R^2 - 1
+
+Solving this equation shows that, indeed, this is the case:
+
+	R^2 - 2R + 1 + 2R - 2 <= R^2 - 1
+
+	R^2 - 1 <= R^2 - 1
+
+This suggests that a good radix would be one more than the largest
+value that can be held in half a machine word -- so, for example, as
+in this implementation, where we used a radix of 65536 on a machine
+with 4-byte words.  Another advantage of a radix of this sort is that
+binary-level operations are easy on numbers in this representation.
+
+Here's an example multiplication worked out longhand in radix-10,
+using the above algorithm:
+
+   a =     999
+   b =   x 999
+  -------------
+   p =   98001
+
+w = (a[jx] * b[ix]) + kin + c[ix + jx]
+c[ix+jx] = w % RADIX
+k = w / RADIX
+                                                               product
+ix	jx	a[jx]	b[ix]	kin	w	c[i+j]	kout	000000
+0	0	9	9	0	81+0+0	1	8	000001
+0	1	9	9	8	81+8+0	9	8	000091
+0	2	9	9	8	81+8+0	9	8	000991
+				8			0	008991
+1	0	9	9	0	81+0+9	0	9	008901
+1	1	9	9	9	81+9+9	9	9	008901
+1	2	9	9	9	81+9+8	8	9	008901
+				9			0	098901
+2	0	9	9	0	81+0+9	0	9	098001
+2	1	9	9	9	81+9+8	8	9	098001
+2	2	9	9	9	81+9+9	9	9	098001
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/pi.txt b/security/nss/lib/freebl/mpi/doc/pi.txt
new file mode 100644
index 000000000..01c82abe9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/pi.txt
@@ -0,0 +1,90 @@
+This file describes how pi is computed by the program in 'pi.c' (see
+the utils subdirectory).
+
+Basically, we use Machin's formula, which is what everyone in the
+world uses as a simple method for computing approximations to pi.
+This works for up to a few thousand digits without too much effort.
+Beyond that, though, it gets too slow.
+
+Machin's formula states:
+
+	 pi := 16 * arctan(1/5) - 4 * arctan(1/239)
+
+We compute this in integer arithmetic by first multiplying everything
+through by 10^d, where 'd' is the number of digits of pi we wanted to
+compute.  It turns out, the last few digits will be wrong, but the
+number that are wrong is usually very small (ordinarly only 2-3).
+Having done this, we compute the arctan() function using the formula:
+
+                       1      1       1       1       1     
+       arctan(1/x) := --- - ----- + ----- - ----- + ----- - ...
+                       x    3 x^3   5 x^5   7 x^7   9 x^9
+
+This is done iteratively by computing the first term manually, and
+then iteratively dividing x^2 and k, where k = 3, 5, 7, ... out of the
+current figure.  This is then added to (or subtracted from) a running
+sum, as appropriate.  The iteration continues until we overflow our
+available precision and the current figure goes to zero under integer
+division.  At that point, we're finished.
+
+Actually, we get a couple extra bits of precision out of the fact that
+we know we're computing y * arctan(1/x), by setting up the multiplier
+as:
+
+      y * 10^d
+
+... instead of just 10^d.  There is also a bit of cleverness in how
+the loop is constructed, to avoid special-casing the first term.
+Check out the code for arctan() in 'pi.c', if you are interested in
+seeing how it is set up.
+
+Thanks to Jason P. for this algorithm, which I assembled from notes
+and programs found on his cool "Pile of Pi Programs" page, at:
+
+      http://www.isr.umd.edu/~jasonp/pipage.html
+
+Thanks also to Henrik Johansson <Henrik.Johansson@Nexus.Comm.SE>, from
+whose pi program I borrowed the clever idea of pre-multiplying by x in
+order to avoid a special case on the loop iteration.
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/prime.txt b/security/nss/lib/freebl/mpi/doc/prime.txt
new file mode 100644
index 000000000..694797d5f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/prime.txt
@@ -0,0 +1,6542 @@
+2
+3
+5
+7
+11
+13
+17
+19
+23
+29
+31
+37
+41
+43
+47
+53
+59
+61
+67
+71
+73
+79
+83
+89
+97
+101
+103
+107
+109
+113
+127
+131
+137
+139
+149
+151
+157
+163
+167
+173
+179
+181
+191
+193
+197
+199
+211
+223
+227
+229
+233
+239
+241
+251
+257
+263
+269
+271
+277
+281
+283
+293
+307
+311
+313
+317
+331
+337
+347
+349
+353
+359
+367
+373
+379
+383
+389
+397
+401
+409
+419
+421
+431
+433
+439
+443
+449
+457
+461
+463
+467
+479
+487
+491
+499
+503
+509
+521
+523
+541
+547
+557
+563
+569
+571
+577
+587
+593
+599
+601
+607
+613
+617
+619
+631
+641
+643
+647
+653
+659
+661
+673
+677
+683
+691
+701
+709
+719
+727
+733
+739
+743
+751
+757
+761
+769
+773
+787
+797
+809
+811
+821
+823
+827
+829
+839
+853
+857
+859
+863
+877
+881
+883
+887
+907
+911
+919
+929
+937
+941
+947
+953
+967
+971
+977
+983
+991
+997
+1009
+1013
+1019
+1021
+1031
+1033
+1039
+1049
+1051
+1061
+1063
+1069
+1087
+1091
+1093
+1097
+1103
+1109
+1117
+1123
+1129
+1151
+1153
+1163
+1171
+1181
+1187
+1193
+1201
+1213
+1217
+1223
+1229
+1231
+1237
+1249
+1259
+1277
+1279
+1283
+1289
+1291
+1297
+1301
+1303
+1307
+1319
+1321
+1327
+1361
+1367
+1373
+1381
+1399
+1409
+1423
+1427
+1429
+1433
+1439
+1447
+1451
+1453
+1459
+1471
+1481
+1483
+1487
+1489
+1493
+1499
+1511
+1523
+1531
+1543
+1549
+1553
+1559
+1567
+1571
+1579
+1583
+1597
+1601
+1607
+1609
+1613
+1619
+1621
+1627
+1637
+1657
+1663
+1667
+1669
+1693
+1697
+1699
+1709
+1721
+1723
+1733
+1741
+1747
+1753
+1759
+1777
+1783
+1787
+1789
+1801
+1811
+1823
+1831
+1847
+1861
+1867
+1871
+1873
+1877
+1879
+1889
+1901
+1907
+1913
+1931
+1933
+1949
+1951
+1973
+1979
+1987
+1993
+1997
+1999
+2003
+2011
+2017
+2027
+2029
+2039
+2053
+2063
+2069
+2081
+2083
+2087
+2089
+2099
+2111
+2113
+2129
+2131
+2137
+2141
+2143
+2153
+2161
+2179
+2203
+2207
+2213
+2221
+2237
+2239
+2243
+2251
+2267
+2269
+2273
+2281
+2287
+2293
+2297
+2309
+2311
+2333
+2339
+2341
+2347
+2351
+2357
+2371
+2377
+2381
+2383
+2389
+2393
+2399
+2411
+2417
+2423
+2437
+2441
+2447
+2459
+2467
+2473
+2477
+2503
+2521
+2531
+2539
+2543
+2549
+2551
+2557
+2579
+2591
+2593
+2609
+2617
+2621
+2633
+2647
+2657
+2659
+2663
+2671
+2677
+2683
+2687
+2689
+2693
+2699
+2707
+2711
+2713
+2719
+2729
+2731
+2741
+2749
+2753
+2767
+2777
+2789
+2791
+2797
+2801
+2803
+2819
+2833
+2837
+2843
+2851
+2857
+2861
+2879
+2887
+2897
+2903
+2909
+2917
+2927
+2939
+2953
+2957
+2963
+2969
+2971
+2999
+3001
+3011
+3019
+3023
+3037
+3041
+3049
+3061
+3067
+3079
+3083
+3089
+3109
+3119
+3121
+3137
+3163
+3167
+3169
+3181
+3187
+3191
+3203
+3209
+3217
+3221
+3229
+3251
+3253
+3257
+3259
+3271
+3299
+3301
+3307
+3313
+3319
+3323
+3329
+3331
+3343
+3347
+3359
+3361
+3371
+3373
+3389
+3391
+3407
+3413
+3433
+3449
+3457
+3461
+3463
+3467
+3469
+3491
+3499
+3511
+3517
+3527
+3529
+3533
+3539
+3541
+3547
+3557
+3559
+3571
+3581
+3583
+3593
+3607
+3613
+3617
+3623
+3631
+3637
+3643
+3659
+3671
+3673
+3677
+3691
+3697
+3701
+3709
+3719
+3727
+3733
+3739
+3761
+3767
+3769
+3779
+3793
+3797
+3803
+3821
+3823
+3833
+3847
+3851
+3853
+3863
+3877
+3881
+3889
+3907
+3911
+3917
+3919
+3923
+3929
+3931
+3943
+3947
+3967
+3989
+4001
+4003
+4007
+4013
+4019
+4021
+4027
+4049
+4051
+4057
+4073
+4079
+4091
+4093
+4099
+4111
+4127
+4129
+4133
+4139
+4153
+4157
+4159
+4177
+4201
+4211
+4217
+4219
+4229
+4231
+4241
+4243
+4253
+4259
+4261
+4271
+4273
+4283
+4289
+4297
+4327
+4337
+4339
+4349
+4357
+4363
+4373
+4391
+4397
+4409
+4421
+4423
+4441
+4447
+4451
+4457
+4463
+4481
+4483
+4493
+4507
+4513
+4517
+4519
+4523
+4547
+4549
+4561
+4567
+4583
+4591
+4597
+4603
+4621
+4637
+4639
+4643
+4649
+4651
+4657
+4663
+4673
+4679
+4691
+4703
+4721
+4723
+4729
+4733
+4751
+4759
+4783
+4787
+4789
+4793
+4799
+4801
+4813
+4817
+4831
+4861
+4871
+4877
+4889
+4903
+4909
+4919
+4931
+4933
+4937
+4943
+4951
+4957
+4967
+4969
+4973
+4987
+4993
+4999
+5003
+5009
+5011
+5021
+5023
+5039
+5051
+5059
+5077
+5081
+5087
+5099
+5101
+5107
+5113
+5119
+5147
+5153
+5167
+5171
+5179
+5189
+5197
+5209
+5227
+5231
+5233
+5237
+5261
+5273
+5279
+5281
+5297
+5303
+5309
+5323
+5333
+5347
+5351
+5381
+5387
+5393
+5399
+5407
+5413
+5417
+5419
+5431
+5437
+5441
+5443
+5449
+5471
+5477
+5479
+5483
+5501
+5503
+5507
+5519
+5521
+5527
+5531
+5557
+5563
+5569
+5573
+5581
+5591
+5623
+5639
+5641
+5647
+5651
+5653
+5657
+5659
+5669
+5683
+5689
+5693
+5701
+5711
+5717
+5737
+5741
+5743
+5749
+5779
+5783
+5791
+5801
+5807
+5813
+5821
+5827
+5839
+5843
+5849
+5851
+5857
+5861
+5867
+5869
+5879
+5881
+5897
+5903
+5923
+5927
+5939
+5953
+5981
+5987
+6007
+6011
+6029
+6037
+6043
+6047
+6053
+6067
+6073
+6079
+6089
+6091
+6101
+6113
+6121
+6131
+6133
+6143
+6151
+6163
+6173
+6197
+6199
+6203
+6211
+6217
+6221
+6229
+6247
+6257
+6263
+6269
+6271
+6277
+6287
+6299
+6301
+6311
+6317
+6323
+6329
+6337
+6343
+6353
+6359
+6361
+6367
+6373
+6379
+6389
+6397
+6421
+6427
+6449
+6451
+6469
+6473
+6481
+6491
+6521
+6529
+6547
+6551
+6553
+6563
+6569
+6571
+6577
+6581
+6599
+6607
+6619
+6637
+6653
+6659
+6661
+6673
+6679
+6689
+6691
+6701
+6703
+6709
+6719
+6733
+6737
+6761
+6763
+6779
+6781
+6791
+6793
+6803
+6823
+6827
+6829
+6833
+6841
+6857
+6863
+6869
+6871
+6883
+6899
+6907
+6911
+6917
+6947
+6949
+6959
+6961
+6967
+6971
+6977
+6983
+6991
+6997
+7001
+7013
+7019
+7027
+7039
+7043
+7057
+7069
+7079
+7103
+7109
+7121
+7127
+7129
+7151
+7159
+7177
+7187
+7193
+7207
+7211
+7213
+7219
+7229
+7237
+7243
+7247
+7253
+7283
+7297
+7307
+7309
+7321
+7331
+7333
+7349
+7351
+7369
+7393
+7411
+7417
+7433
+7451
+7457
+7459
+7477
+7481
+7487
+7489
+7499
+7507
+7517
+7523
+7529
+7537
+7541
+7547
+7549
+7559
+7561
+7573
+7577
+7583
+7589
+7591
+7603
+7607
+7621
+7639
+7643
+7649
+7669
+7673
+7681
+7687
+7691
+7699
+7703
+7717
+7723
+7727
+7741
+7753
+7757
+7759
+7789
+7793
+7817
+7823
+7829
+7841
+7853
+7867
+7873
+7877
+7879
+7883
+7901
+7907
+7919
+7927
+7933
+7937
+7949
+7951
+7963
+7993
+8009
+8011
+8017
+8039
+8053
+8059
+8069
+8081
+8087
+8089
+8093
+8101
+8111
+8117
+8123
+8147
+8161
+8167
+8171
+8179
+8191
+8209
+8219
+8221
+8231
+8233
+8237
+8243
+8263
+8269
+8273
+8287
+8291
+8293
+8297
+8311
+8317
+8329
+8353
+8363
+8369
+8377
+8387
+8389
+8419
+8423
+8429
+8431
+8443
+8447
+8461
+8467
+8501
+8513
+8521
+8527
+8537
+8539
+8543
+8563
+8573
+8581
+8597
+8599
+8609
+8623
+8627
+8629
+8641
+8647
+8663
+8669
+8677
+8681
+8689
+8693
+8699
+8707
+8713
+8719
+8731
+8737
+8741
+8747
+8753
+8761
+8779
+8783
+8803
+8807
+8819
+8821
+8831
+8837
+8839
+8849
+8861
+8863
+8867
+8887
+8893
+8923
+8929
+8933
+8941
+8951
+8963
+8969
+8971
+8999
+9001
+9007
+9011
+9013
+9029
+9041
+9043
+9049
+9059
+9067
+9091
+9103
+9109
+9127
+9133
+9137
+9151
+9157
+9161
+9173
+9181
+9187
+9199
+9203
+9209
+9221
+9227
+9239
+9241
+9257
+9277
+9281
+9283
+9293
+9311
+9319
+9323
+9337
+9341
+9343
+9349
+9371
+9377
+9391
+9397
+9403
+9413
+9419
+9421
+9431
+9433
+9437
+9439
+9461
+9463
+9467
+9473
+9479
+9491
+9497
+9511
+9521
+9533
+9539
+9547
+9551
+9587
+9601
+9613
+9619
+9623
+9629
+9631
+9643
+9649
+9661
+9677
+9679
+9689
+9697
+9719
+9721
+9733
+9739
+9743
+9749
+9767
+9769
+9781
+9787
+9791
+9803
+9811
+9817
+9829
+9833
+9839
+9851
+9857
+9859
+9871
+9883
+9887
+9901
+9907
+9923
+9929
+9931
+9941
+9949
+9967
+9973
+10007
+10009
+10037
+10039
+10061
+10067
+10069
+10079
+10091
+10093
+10099
+10103
+10111
+10133
+10139
+10141
+10151
+10159
+10163
+10169
+10177
+10181
+10193
+10211
+10223
+10243
+10247
+10253
+10259
+10267
+10271
+10273
+10289
+10301
+10303
+10313
+10321
+10331
+10333
+10337
+10343
+10357
+10369
+10391
+10399
+10427
+10429
+10433
+10453
+10457
+10459
+10463
+10477
+10487
+10499
+10501
+10513
+10529
+10531
+10559
+10567
+10589
+10597
+10601
+10607
+10613
+10627
+10631
+10639
+10651
+10657
+10663
+10667
+10687
+10691
+10709
+10711
+10723
+10729
+10733
+10739
+10753
+10771
+10781
+10789
+10799
+10831
+10837
+10847
+10853
+10859
+10861
+10867
+10883
+10889
+10891
+10903
+10909
+10937
+10939
+10949
+10957
+10973
+10979
+10987
+10993
+11003
+11027
+11047
+11057
+11059
+11069
+11071
+11083
+11087
+11093
+11113
+11117
+11119
+11131
+11149
+11159
+11161
+11171
+11173
+11177
+11197
+11213
+11239
+11243
+11251
+11257
+11261
+11273
+11279
+11287
+11299
+11311
+11317
+11321
+11329
+11351
+11353
+11369
+11383
+11393
+11399
+11411
+11423
+11437
+11443
+11447
+11467
+11471
+11483
+11489
+11491
+11497
+11503
+11519
+11527
+11549
+11551
+11579
+11587
+11593
+11597
+11617
+11621
+11633
+11657
+11677
+11681
+11689
+11699
+11701
+11717
+11719
+11731
+11743
+11777
+11779
+11783
+11789
+11801
+11807
+11813
+11821
+11827
+11831
+11833
+11839
+11863
+11867
+11887
+11897
+11903
+11909
+11923
+11927
+11933
+11939
+11941
+11953
+11959
+11969
+11971
+11981
+11987
+12007
+12011
+12037
+12041
+12043
+12049
+12071
+12073
+12097
+12101
+12107
+12109
+12113
+12119
+12143
+12149
+12157
+12161
+12163
+12197
+12203
+12211
+12227
+12239
+12241
+12251
+12253
+12263
+12269
+12277
+12281
+12289
+12301
+12323
+12329
+12343
+12347
+12373
+12377
+12379
+12391
+12401
+12409
+12413
+12421
+12433
+12437
+12451
+12457
+12473
+12479
+12487
+12491
+12497
+12503
+12511
+12517
+12527
+12539
+12541
+12547
+12553
+12569
+12577
+12583
+12589
+12601
+12611
+12613
+12619
+12637
+12641
+12647
+12653
+12659
+12671
+12689
+12697
+12703
+12713
+12721
+12739
+12743
+12757
+12763
+12781
+12791
+12799
+12809
+12821
+12823
+12829
+12841
+12853
+12889
+12893
+12899
+12907
+12911
+12917
+12919
+12923
+12941
+12953
+12959
+12967
+12973
+12979
+12983
+13001
+13003
+13007
+13009
+13033
+13037
+13043
+13049
+13063
+13093
+13099
+13103
+13109
+13121
+13127
+13147
+13151
+13159
+13163
+13171
+13177
+13183
+13187
+13217
+13219
+13229
+13241
+13249
+13259
+13267
+13291
+13297
+13309
+13313
+13327
+13331
+13337
+13339
+13367
+13381
+13397
+13399
+13411
+13417
+13421
+13441
+13451
+13457
+13463
+13469
+13477
+13487
+13499
+13513
+13523
+13537
+13553
+13567
+13577
+13591
+13597
+13613
+13619
+13627
+13633
+13649
+13669
+13679
+13681
+13687
+13691
+13693
+13697
+13709
+13711
+13721
+13723
+13729
+13751
+13757
+13759
+13763
+13781
+13789
+13799
+13807
+13829
+13831
+13841
+13859
+13873
+13877
+13879
+13883
+13901
+13903
+13907
+13913
+13921
+13931
+13933
+13963
+13967
+13997
+13999
+14009
+14011
+14029
+14033
+14051
+14057
+14071
+14081
+14083
+14087
+14107
+14143
+14149
+14153
+14159
+14173
+14177
+14197
+14207
+14221
+14243
+14249
+14251
+14281
+14293
+14303
+14321
+14323
+14327
+14341
+14347
+14369
+14387
+14389
+14401
+14407
+14411
+14419
+14423
+14431
+14437
+14447
+14449
+14461
+14479
+14489
+14503
+14519
+14533
+14537
+14543
+14549
+14551
+14557
+14561
+14563
+14591
+14593
+14621
+14627
+14629
+14633
+14639
+14653
+14657
+14669
+14683
+14699
+14713
+14717
+14723
+14731
+14737
+14741
+14747
+14753
+14759
+14767
+14771
+14779
+14783
+14797
+14813
+14821
+14827
+14831
+14843
+14851
+14867
+14869
+14879
+14887
+14891
+14897
+14923
+14929
+14939
+14947
+14951
+14957
+14969
+14983
+15013
+15017
+15031
+15053
+15061
+15073
+15077
+15083
+15091
+15101
+15107
+15121
+15131
+15137
+15139
+15149
+15161
+15173
+15187
+15193
+15199
+15217
+15227
+15233
+15241
+15259
+15263
+15269
+15271
+15277
+15287
+15289
+15299
+15307
+15313
+15319
+15329
+15331
+15349
+15359
+15361
+15373
+15377
+15383
+15391
+15401
+15413
+15427
+15439
+15443
+15451
+15461
+15467
+15473
+15493
+15497
+15511
+15527
+15541
+15551
+15559
+15569
+15581
+15583
+15601
+15607
+15619
+15629
+15641
+15643
+15647
+15649
+15661
+15667
+15671
+15679
+15683
+15727
+15731
+15733
+15737
+15739
+15749
+15761
+15767
+15773
+15787
+15791
+15797
+15803
+15809
+15817
+15823
+15859
+15877
+15881
+15887
+15889
+15901
+15907
+15913
+15919
+15923
+15937
+15959
+15971
+15973
+15991
+16001
+16007
+16033
+16057
+16061
+16063
+16067
+16069
+16073
+16087
+16091
+16097
+16103
+16111
+16127
+16139
+16141
+16183
+16187
+16189
+16193
+16217
+16223
+16229
+16231
+16249
+16253
+16267
+16273
+16301
+16319
+16333
+16339
+16349
+16361
+16363
+16369
+16381
+16411
+16417
+16421
+16427
+16433
+16447
+16451
+16453
+16477
+16481
+16487
+16493
+16519
+16529
+16547
+16553
+16561
+16567
+16573
+16603
+16607
+16619
+16631
+16633
+16649
+16651
+16657
+16661
+16673
+16691
+16693
+16699
+16703
+16729
+16741
+16747
+16759
+16763
+16787
+16811
+16823
+16829
+16831
+16843
+16871
+16879
+16883
+16889
+16901
+16903
+16921
+16927
+16931
+16937
+16943
+16963
+16979
+16981
+16987
+16993
+17011
+17021
+17027
+17029
+17033
+17041
+17047
+17053
+17077
+17093
+17099
+17107
+17117
+17123
+17137
+17159
+17167
+17183
+17189
+17191
+17203
+17207
+17209
+17231
+17239
+17257
+17291
+17293
+17299
+17317
+17321
+17327
+17333
+17341
+17351
+17359
+17377
+17383
+17387
+17389
+17393
+17401
+17417
+17419
+17431
+17443
+17449
+17467
+17471
+17477
+17483
+17489
+17491
+17497
+17509
+17519
+17539
+17551
+17569
+17573
+17579
+17581
+17597
+17599
+17609
+17623
+17627
+17657
+17659
+17669
+17681
+17683
+17707
+17713
+17729
+17737
+17747
+17749
+17761
+17783
+17789
+17791
+17807
+17827
+17837
+17839
+17851
+17863
+17881
+17891
+17903
+17909
+17911
+17921
+17923
+17929
+17939
+17957
+17959
+17971
+17977
+17981
+17987
+17989
+18013
+18041
+18043
+18047
+18049
+18059
+18061
+18077
+18089
+18097
+18119
+18121
+18127
+18131
+18133
+18143
+18149
+18169
+18181
+18191
+18199
+18211
+18217
+18223
+18229
+18233
+18251
+18253
+18257
+18269
+18287
+18289
+18301
+18307
+18311
+18313
+18329
+18341
+18353
+18367
+18371
+18379
+18397
+18401
+18413
+18427
+18433
+18439
+18443
+18451
+18457
+18461
+18481
+18493
+18503
+18517
+18521
+18523
+18539
+18541
+18553
+18583
+18587
+18593
+18617
+18637
+18661
+18671
+18679
+18691
+18701
+18713
+18719
+18731
+18743
+18749
+18757
+18773
+18787
+18793
+18797
+18803
+18839
+18859
+18869
+18899
+18911
+18913
+18917
+18919
+18947
+18959
+18973
+18979
+19001
+19009
+19013
+19031
+19037
+19051
+19069
+19073
+19079
+19081
+19087
+19121
+19139
+19141
+19157
+19163
+19181
+19183
+19207
+19211
+19213
+19219
+19231
+19237
+19249
+19259
+19267
+19273
+19289
+19301
+19309
+19319
+19333
+19373
+19379
+19381
+19387
+19391
+19403
+19417
+19421
+19423
+19427
+19429
+19433
+19441
+19447
+19457
+19463
+19469
+19471
+19477
+19483
+19489
+19501
+19507
+19531
+19541
+19543
+19553
+19559
+19571
+19577
+19583
+19597
+19603
+19609
+19661
+19681
+19687
+19697
+19699
+19709
+19717
+19727
+19739
+19751
+19753
+19759
+19763
+19777
+19793
+19801
+19813
+19819
+19841
+19843
+19853
+19861
+19867
+19889
+19891
+19913
+19919
+19927
+19937
+19949
+19961
+19963
+19973
+19979
+19991
+19993
+19997
+20011
+20021
+20023
+20029
+20047
+20051
+20063
+20071
+20089
+20101
+20107
+20113
+20117
+20123
+20129
+20143
+20147
+20149
+20161
+20173
+20177
+20183
+20201
+20219
+20231
+20233
+20249
+20261
+20269
+20287
+20297
+20323
+20327
+20333
+20341
+20347
+20353
+20357
+20359
+20369
+20389
+20393
+20399
+20407
+20411
+20431
+20441
+20443
+20477
+20479
+20483
+20507
+20509
+20521
+20533
+20543
+20549
+20551
+20563
+20593
+20599
+20611
+20627
+20639
+20641
+20663
+20681
+20693
+20707
+20717
+20719
+20731
+20743
+20747
+20749
+20753
+20759
+20771
+20773
+20789
+20807
+20809
+20849
+20857
+20873
+20879
+20887
+20897
+20899
+20903
+20921
+20929
+20939
+20947
+20959
+20963
+20981
+20983
+21001
+21011
+21013
+21017
+21019
+21023
+21031
+21059
+21061
+21067
+21089
+21101
+21107
+21121
+21139
+21143
+21149
+21157
+21163
+21169
+21179
+21187
+21191
+21193
+21211
+21221
+21227
+21247
+21269
+21277
+21283
+21313
+21317
+21319
+21323
+21341
+21347
+21377
+21379
+21383
+21391
+21397
+21401
+21407
+21419
+21433
+21467
+21481
+21487
+21491
+21493
+21499
+21503
+21517
+21521
+21523
+21529
+21557
+21559
+21563
+21569
+21577
+21587
+21589
+21599
+21601
+21611
+21613
+21617
+21647
+21649
+21661
+21673
+21683
+21701
+21713
+21727
+21737
+21739
+21751
+21757
+21767
+21773
+21787
+21799
+21803
+21817
+21821
+21839
+21841
+21851
+21859
+21863
+21871
+21881
+21893
+21911
+21929
+21937
+21943
+21961
+21977
+21991
+21997
+22003
+22013
+22027
+22031
+22037
+22039
+22051
+22063
+22067
+22073
+22079
+22091
+22093
+22109
+22111
+22123
+22129
+22133
+22147
+22153
+22157
+22159
+22171
+22189
+22193
+22229
+22247
+22259
+22271
+22273
+22277
+22279
+22283
+22291
+22303
+22307
+22343
+22349
+22367
+22369
+22381
+22391
+22397
+22409
+22433
+22441
+22447
+22453
+22469
+22481
+22483
+22501
+22511
+22531
+22541
+22543
+22549
+22567
+22571
+22573
+22613
+22619
+22621
+22637
+22639
+22643
+22651
+22669
+22679
+22691
+22697
+22699
+22709
+22717
+22721
+22727
+22739
+22741
+22751
+22769
+22777
+22783
+22787
+22807
+22811
+22817
+22853
+22859
+22861
+22871
+22877
+22901
+22907
+22921
+22937
+22943
+22961
+22963
+22973
+22993
+23003
+23011
+23017
+23021
+23027
+23029
+23039
+23041
+23053
+23057
+23059
+23063
+23071
+23081
+23087
+23099
+23117
+23131
+23143
+23159
+23167
+23173
+23189
+23197
+23201
+23203
+23209
+23227
+23251
+23269
+23279
+23291
+23293
+23297
+23311
+23321
+23327
+23333
+23339
+23357
+23369
+23371
+23399
+23417
+23431
+23447
+23459
+23473
+23497
+23509
+23531
+23537
+23539
+23549
+23557
+23561
+23563
+23567
+23581
+23593
+23599
+23603
+23609
+23623
+23627
+23629
+23633
+23663
+23669
+23671
+23677
+23687
+23689
+23719
+23741
+23743
+23747
+23753
+23761
+23767
+23773
+23789
+23801
+23813
+23819
+23827
+23831
+23833
+23857
+23869
+23873
+23879
+23887
+23893
+23899
+23909
+23911
+23917
+23929
+23957
+23971
+23977
+23981
+23993
+24001
+24007
+24019
+24023
+24029
+24043
+24049
+24061
+24071
+24077
+24083
+24091
+24097
+24103
+24107
+24109
+24113
+24121
+24133
+24137
+24151
+24169
+24179
+24181
+24197
+24203
+24223
+24229
+24239
+24247
+24251
+24281
+24317
+24329
+24337
+24359
+24371
+24373
+24379
+24391
+24407
+24413
+24419
+24421
+24439
+24443
+24469
+24473
+24481
+24499
+24509
+24517
+24527
+24533
+24547
+24551
+24571
+24593
+24611
+24623
+24631
+24659
+24671
+24677
+24683
+24691
+24697
+24709
+24733
+24749
+24763
+24767
+24781
+24793
+24799
+24809
+24821
+24841
+24847
+24851
+24859
+24877
+24889
+24907
+24917
+24919
+24923
+24943
+24953
+24967
+24971
+24977
+24979
+24989
+25013
+25031
+25033
+25037
+25057
+25073
+25087
+25097
+25111
+25117
+25121
+25127
+25147
+25153
+25163
+25169
+25171
+25183
+25189
+25219
+25229
+25237
+25243
+25247
+25253
+25261
+25301
+25303
+25307
+25309
+25321
+25339
+25343
+25349
+25357
+25367
+25373
+25391
+25409
+25411
+25423
+25439
+25447
+25453
+25457
+25463
+25469
+25471
+25523
+25537
+25541
+25561
+25577
+25579
+25583
+25589
+25601
+25603
+25609
+25621
+25633
+25639
+25643
+25657
+25667
+25673
+25679
+25693
+25703
+25717
+25733
+25741
+25747
+25759
+25763
+25771
+25793
+25799
+25801
+25819
+25841
+25847
+25849
+25867
+25873
+25889
+25903
+25913
+25919
+25931
+25933
+25939
+25943
+25951
+25969
+25981
+25997
+25999
+26003
+26017
+26021
+26029
+26041
+26053
+26083
+26099
+26107
+26111
+26113
+26119
+26141
+26153
+26161
+26171
+26177
+26183
+26189
+26203
+26209
+26227
+26237
+26249
+26251
+26261
+26263
+26267
+26293
+26297
+26309
+26317
+26321
+26339
+26347
+26357
+26371
+26387
+26393
+26399
+26407
+26417
+26423
+26431
+26437
+26449
+26459
+26479
+26489
+26497
+26501
+26513
+26539
+26557
+26561
+26573
+26591
+26597
+26627
+26633
+26641
+26647
+26669
+26681
+26683
+26687
+26693
+26699
+26701
+26711
+26713
+26717
+26723
+26729
+26731
+26737
+26759
+26777
+26783
+26801
+26813
+26821
+26833
+26839
+26849
+26861
+26863
+26879
+26881
+26891
+26893
+26903
+26921
+26927
+26947
+26951
+26953
+26959
+26981
+26987
+26993
+27011
+27017
+27031
+27043
+27059
+27061
+27067
+27073
+27077
+27091
+27103
+27107
+27109
+27127
+27143
+27179
+27191
+27197
+27211
+27239
+27241
+27253
+27259
+27271
+27277
+27281
+27283
+27299
+27329
+27337
+27361
+27367
+27397
+27407
+27409
+27427
+27431
+27437
+27449
+27457
+27479
+27481
+27487
+27509
+27527
+27529
+27539
+27541
+27551
+27581
+27583
+27611
+27617
+27631
+27647
+27653
+27673
+27689
+27691
+27697
+27701
+27733
+27737
+27739
+27743
+27749
+27751
+27763
+27767
+27773
+27779
+27791
+27793
+27799
+27803
+27809
+27817
+27823
+27827
+27847
+27851
+27883
+27893
+27901
+27917
+27919
+27941
+27943
+27947
+27953
+27961
+27967
+27983
+27997
+28001
+28019
+28027
+28031
+28051
+28057
+28069
+28081
+28087
+28097
+28099
+28109
+28111
+28123
+28151
+28163
+28181
+28183
+28201
+28211
+28219
+28229
+28277
+28279
+28283
+28289
+28297
+28307
+28309
+28319
+28349
+28351
+28387
+28393
+28403
+28409
+28411
+28429
+28433
+28439
+28447
+28463
+28477
+28493
+28499
+28513
+28517
+28537
+28541
+28547
+28549
+28559
+28571
+28573
+28579
+28591
+28597
+28603
+28607
+28619
+28621
+28627
+28631
+28643
+28649
+28657
+28661
+28663
+28669
+28687
+28697
+28703
+28711
+28723
+28729
+28751
+28753
+28759
+28771
+28789
+28793
+28807
+28813
+28817
+28837
+28843
+28859
+28867
+28871
+28879
+28901
+28909
+28921
+28927
+28933
+28949
+28961
+28979
+29009
+29017
+29021
+29023
+29027
+29033
+29059
+29063
+29077
+29101
+29123
+29129
+29131
+29137
+29147
+29153
+29167
+29173
+29179
+29191
+29201
+29207
+29209
+29221
+29231
+29243
+29251
+29269
+29287
+29297
+29303
+29311
+29327
+29333
+29339
+29347
+29363
+29383
+29387
+29389
+29399
+29401
+29411
+29423
+29429
+29437
+29443
+29453
+29473
+29483
+29501
+29527
+29531
+29537
+29567
+29569
+29573
+29581
+29587
+29599
+29611
+29629
+29633
+29641
+29663
+29669
+29671
+29683
+29717
+29723
+29741
+29753
+29759
+29761
+29789
+29803
+29819
+29833
+29837
+29851
+29863
+29867
+29873
+29879
+29881
+29917
+29921
+29927
+29947
+29959
+29983
+29989
+30011
+30013
+30029
+30047
+30059
+30071
+30089
+30091
+30097
+30103
+30109
+30113
+30119
+30133
+30137
+30139
+30161
+30169
+30181
+30187
+30197
+30203
+30211
+30223
+30241
+30253
+30259
+30269
+30271
+30293
+30307
+30313
+30319
+30323
+30341
+30347
+30367
+30389
+30391
+30403
+30427
+30431
+30449
+30467
+30469
+30491
+30493
+30497
+30509
+30517
+30529
+30539
+30553
+30557
+30559
+30577
+30593
+30631
+30637
+30643
+30649
+30661
+30671
+30677
+30689
+30697
+30703
+30707
+30713
+30727
+30757
+30763
+30773
+30781
+30803
+30809
+30817
+30829
+30839
+30841
+30851
+30853
+30859
+30869
+30871
+30881
+30893
+30911
+30931
+30937
+30941
+30949
+30971
+30977
+30983
+31013
+31019
+31033
+31039
+31051
+31063
+31069
+31079
+31081
+31091
+31121
+31123
+31139
+31147
+31151
+31153
+31159
+31177
+31181
+31183
+31189
+31193
+31219
+31223
+31231
+31237
+31247
+31249
+31253
+31259
+31267
+31271
+31277
+31307
+31319
+31321
+31327
+31333
+31337
+31357
+31379
+31387
+31391
+31393
+31397
+31469
+31477
+31481
+31489
+31511
+31513
+31517
+31531
+31541
+31543
+31547
+31567
+31573
+31583
+31601
+31607
+31627
+31643
+31649
+31657
+31663
+31667
+31687
+31699
+31721
+31723
+31727
+31729
+31741
+31751
+31769
+31771
+31793
+31799
+31817
+31847
+31849
+31859
+31873
+31883
+31891
+31907
+31957
+31963
+31973
+31981
+31991
+32003
+32009
+32027
+32029
+32051
+32057
+32059
+32063
+32069
+32077
+32083
+32089
+32099
+32117
+32119
+32141
+32143
+32159
+32173
+32183
+32189
+32191
+32203
+32213
+32233
+32237
+32251
+32257
+32261
+32297
+32299
+32303
+32309
+32321
+32323
+32327
+32341
+32353
+32359
+32363
+32369
+32371
+32377
+32381
+32401
+32411
+32413
+32423
+32429
+32441
+32443
+32467
+32479
+32491
+32497
+32503
+32507
+32531
+32533
+32537
+32561
+32563
+32569
+32573
+32579
+32587
+32603
+32609
+32611
+32621
+32633
+32647
+32653
+32687
+32693
+32707
+32713
+32717
+32719
+32749
+32771
+32779
+32783
+32789
+32797
+32801
+32803
+32831
+32833
+32839
+32843
+32869
+32887
+32909
+32911
+32917
+32933
+32939
+32941
+32957
+32969
+32971
+32983
+32987
+32993
+32999
+33013
+33023
+33029
+33037
+33049
+33053
+33071
+33073
+33083
+33091
+33107
+33113
+33119
+33149
+33151
+33161
+33179
+33181
+33191
+33199
+33203
+33211
+33223
+33247
+33287
+33289
+33301
+33311
+33317
+33329
+33331
+33343
+33347
+33349
+33353
+33359
+33377
+33391
+33403
+33409
+33413
+33427
+33457
+33461
+33469
+33479
+33487
+33493
+33503
+33521
+33529
+33533
+33547
+33563
+33569
+33577
+33581
+33587
+33589
+33599
+33601
+33613
+33617
+33619
+33623
+33629
+33637
+33641
+33647
+33679
+33703
+33713
+33721
+33739
+33749
+33751
+33757
+33767
+33769
+33773
+33791
+33797
+33809
+33811
+33827
+33829
+33851
+33857
+33863
+33871
+33889
+33893
+33911
+33923
+33931
+33937
+33941
+33961
+33967
+33997
+34019
+34031
+34033
+34039
+34057
+34061
+34123
+34127
+34129
+34141
+34147
+34157
+34159
+34171
+34183
+34211
+34213
+34217
+34231
+34253
+34259
+34261
+34267
+34273
+34283
+34297
+34301
+34303
+34313
+34319
+34327
+34337
+34351
+34361
+34367
+34369
+34381
+34403
+34421
+34429
+34439
+34457
+34469
+34471
+34483
+34487
+34499
+34501
+34511
+34513
+34519
+34537
+34543
+34549
+34583
+34589
+34591
+34603
+34607
+34613
+34631
+34649
+34651
+34667
+34673
+34679
+34687
+34693
+34703
+34721
+34729
+34739
+34747
+34757
+34759
+34763
+34781
+34807
+34819
+34841
+34843
+34847
+34849
+34871
+34877
+34883
+34897
+34913
+34919
+34939
+34949
+34961
+34963
+34981
+35023
+35027
+35051
+35053
+35059
+35069
+35081
+35083
+35089
+35099
+35107
+35111
+35117
+35129
+35141
+35149
+35153
+35159
+35171
+35201
+35221
+35227
+35251
+35257
+35267
+35279
+35281
+35291
+35311
+35317
+35323
+35327
+35339
+35353
+35363
+35381
+35393
+35401
+35407
+35419
+35423
+35437
+35447
+35449
+35461
+35491
+35507
+35509
+35521
+35527
+35531
+35533
+35537
+35543
+35569
+35573
+35591
+35593
+35597
+35603
+35617
+35671
+35677
+35729
+35731
+35747
+35753
+35759
+35771
+35797
+35801
+35803
+35809
+35831
+35837
+35839
+35851
+35863
+35869
+35879
+35897
+35899
+35911
+35923
+35933
+35951
+35963
+35969
+35977
+35983
+35993
+35999
+36007
+36011
+36013
+36017
+36037
+36061
+36067
+36073
+36083
+36097
+36107
+36109
+36131
+36137
+36151
+36161
+36187
+36191
+36209
+36217
+36229
+36241
+36251
+36263
+36269
+36277
+36293
+36299
+36307
+36313
+36319
+36341
+36343
+36353
+36373
+36383
+36389
+36433
+36451
+36457
+36467
+36469
+36473
+36479
+36493
+36497
+36523
+36527
+36529
+36541
+36551
+36559
+36563
+36571
+36583
+36587
+36599
+36607
+36629
+36637
+36643
+36653
+36671
+36677
+36683
+36691
+36697
+36709
+36713
+36721
+36739
+36749
+36761
+36767
+36779
+36781
+36787
+36791
+36793
+36809
+36821
+36833
+36847
+36857
+36871
+36877
+36887
+36899
+36901
+36913
+36919
+36923
+36929
+36931
+36943
+36947
+36973
+36979
+36997
+37003
+37013
+37019
+37021
+37039
+37049
+37057
+37061
+37087
+37097
+37117
+37123
+37139
+37159
+37171
+37181
+37189
+37199
+37201
+37217
+37223
+37243
+37253
+37273
+37277
+37307
+37309
+37313
+37321
+37337
+37339
+37357
+37361
+37363
+37369
+37379
+37397
+37409
+37423
+37441
+37447
+37463
+37483
+37489
+37493
+37501
+37507
+37511
+37517
+37529
+37537
+37547
+37549
+37561
+37567
+37571
+37573
+37579
+37589
+37591
+37607
+37619
+37633
+37643
+37649
+37657
+37663
+37691
+37693
+37699
+37717
+37747
+37781
+37783
+37799
+37811
+37813
+37831
+37847
+37853
+37861
+37871
+37879
+37889
+37897
+37907
+37951
+37957
+37963
+37967
+37987
+37991
+37993
+37997
+38011
+38039
+38047
+38053
+38069
+38083
+38113
+38119
+38149
+38153
+38167
+38177
+38183
+38189
+38197
+38201
+38219
+38231
+38237
+38239
+38261
+38273
+38281
+38287
+38299
+38303
+38317
+38321
+38327
+38329
+38333
+38351
+38371
+38377
+38393
+38431
+38447
+38449
+38453
+38459
+38461
+38501
+38543
+38557
+38561
+38567
+38569
+38593
+38603
+38609
+38611
+38629
+38639
+38651
+38653
+38669
+38671
+38677
+38693
+38699
+38707
+38711
+38713
+38723
+38729
+38737
+38747
+38749
+38767
+38783
+38791
+38803
+38821
+38833
+38839
+38851
+38861
+38867
+38873
+38891
+38903
+38917
+38921
+38923
+38933
+38953
+38959
+38971
+38977
+38993
+39019
+39023
+39041
+39043
+39047
+39079
+39089
+39097
+39103
+39107
+39113
+39119
+39133
+39139
+39157
+39161
+39163
+39181
+39191
+39199
+39209
+39217
+39227
+39229
+39233
+39239
+39241
+39251
+39293
+39301
+39313
+39317
+39323
+39341
+39343
+39359
+39367
+39371
+39373
+39383
+39397
+39409
+39419
+39439
+39443
+39451
+39461
+39499
+39503
+39509
+39511
+39521
+39541
+39551
+39563
+39569
+39581
+39607
+39619
+39623
+39631
+39659
+39667
+39671
+39679
+39703
+39709
+39719
+39727
+39733
+39749
+39761
+39769
+39779
+39791
+39799
+39821
+39827
+39829
+39839
+39841
+39847
+39857
+39863
+39869
+39877
+39883
+39887
+39901
+39929
+39937
+39953
+39971
+39979
+39983
+39989
+40009
+40013
+40031
+40037
+40039
+40063
+40087
+40093
+40099
+40111
+40123
+40127
+40129
+40151
+40153
+40163
+40169
+40177
+40189
+40193
+40213
+40231
+40237
+40241
+40253
+40277
+40283
+40289
+40343
+40351
+40357
+40361
+40387
+40423
+40427
+40429
+40433
+40459
+40471
+40483
+40487
+40493
+40499
+40507
+40519
+40529
+40531
+40543
+40559
+40577
+40583
+40591
+40597
+40609
+40627
+40637
+40639
+40693
+40697
+40699
+40709
+40739
+40751
+40759
+40763
+40771
+40787
+40801
+40813
+40819
+40823
+40829
+40841
+40847
+40849
+40853
+40867
+40879
+40883
+40897
+40903
+40927
+40933
+40939
+40949
+40961
+40973
+40993
+41011
+41017
+41023
+41039
+41047
+41051
+41057
+41077
+41081
+41113
+41117
+41131
+41141
+41143
+41149
+41161
+41177
+41179
+41183
+41189
+41201
+41203
+41213
+41221
+41227
+41231
+41233
+41243
+41257
+41263
+41269
+41281
+41299
+41333
+41341
+41351
+41357
+41381
+41387
+41389
+41399
+41411
+41413
+41443
+41453
+41467
+41479
+41491
+41507
+41513
+41519
+41521
+41539
+41543
+41549
+41579
+41593
+41597
+41603
+41609
+41611
+41617
+41621
+41627
+41641
+41647
+41651
+41659
+41669
+41681
+41687
+41719
+41729
+41737
+41759
+41761
+41771
+41777
+41801
+41809
+41813
+41843
+41849
+41851
+41863
+41879
+41887
+41893
+41897
+41903
+41911
+41927
+41941
+41947
+41953
+41957
+41959
+41969
+41981
+41983
+41999
+42013
+42017
+42019
+42023
+42043
+42061
+42071
+42073
+42083
+42089
+42101
+42131
+42139
+42157
+42169
+42179
+42181
+42187
+42193
+42197
+42209
+42221
+42223
+42227
+42239
+42257
+42281
+42283
+42293
+42299
+42307
+42323
+42331
+42337
+42349
+42359
+42373
+42379
+42391
+42397
+42403
+42407
+42409
+42433
+42437
+42443
+42451
+42457
+42461
+42463
+42467
+42473
+42487
+42491
+42499
+42509
+42533
+42557
+42569
+42571
+42577
+42589
+42611
+42641
+42643
+42649
+42667
+42677
+42683
+42689
+42697
+42701
+42703
+42709
+42719
+42727
+42737
+42743
+42751
+42767
+42773
+42787
+42793
+42797
+42821
+42829
+42839
+42841
+42853
+42859
+42863
+42899
+42901
+42923
+42929
+42937
+42943
+42953
+42961
+42967
+42979
+42989
+43003
+43013
+43019
+43037
+43049
+43051
+43063
+43067
+43093
+43103
+43117
+43133
+43151
+43159
+43177
+43189
+43201
+43207
+43223
+43237
+43261
+43271
+43283
+43291
+43313
+43319
+43321
+43331
+43391
+43397
+43399
+43403
+43411
+43427
+43441
+43451
+43457
+43481
+43487
+43499
+43517
+43541
+43543
+43573
+43577
+43579
+43591
+43597
+43607
+43609
+43613
+43627
+43633
+43649
+43651
+43661
+43669
+43691
+43711
+43717
+43721
+43753
+43759
+43777
+43781
+43783
+43787
+43789
+43793
+43801
+43853
+43867
+43889
+43891
+43913
+43933
+43943
+43951
+43961
+43963
+43969
+43973
+43987
+43991
+43997
+44017
+44021
+44027
+44029
+44041
+44053
+44059
+44071
+44087
+44089
+44101
+44111
+44119
+44123
+44129
+44131
+44159
+44171
+44179
+44189
+44201
+44203
+44207
+44221
+44249
+44257
+44263
+44267
+44269
+44273
+44279
+44281
+44293
+44351
+44357
+44371
+44381
+44383
+44389
+44417
+44449
+44453
+44483
+44491
+44497
+44501
+44507
+44519
+44531
+44533
+44537
+44543
+44549
+44563
+44579
+44587
+44617
+44621
+44623
+44633
+44641
+44647
+44651
+44657
+44683
+44687
+44699
+44701
+44711
+44729
+44741
+44753
+44771
+44773
+44777
+44789
+44797
+44809
+44819
+44839
+44843
+44851
+44867
+44879
+44887
+44893
+44909
+44917
+44927
+44939
+44953
+44959
+44963
+44971
+44983
+44987
+45007
+45013
+45053
+45061
+45077
+45083
+45119
+45121
+45127
+45131
+45137
+45139
+45161
+45179
+45181
+45191
+45197
+45233
+45247
+45259
+45263
+45281
+45289
+45293
+45307
+45317
+45319
+45329
+45337
+45341
+45343
+45361
+45377
+45389
+45403
+45413
+45427
+45433
+45439
+45481
+45491
+45497
+45503
+45523
+45533
+45541
+45553
+45557
+45569
+45587
+45589
+45599
+45613
+45631
+45641
+45659
+45667
+45673
+45677
+45691
+45697
+45707
+45737
+45751
+45757
+45763
+45767
+45779
+45817
+45821
+45823
+45827
+45833
+45841
+45853
+45863
+45869
+45887
+45893
+45943
+45949
+45953
+45959
+45971
+45979
+45989
+46021
+46027
+46049
+46051
+46061
+46073
+46091
+46093
+46099
+46103
+46133
+46141
+46147
+46153
+46171
+46181
+46183
+46187
+46199
+46219
+46229
+46237
+46261
+46271
+46273
+46279
+46301
+46307
+46309
+46327
+46337
+46349
+46351
+46381
+46399
+46411
+46439
+46441
+46447
+46451
+46457
+46471
+46477
+46489
+46499
+46507
+46511
+46523
+46549
+46559
+46567
+46573
+46589
+46591
+46601
+46619
+46633
+46639
+46643
+46649
+46663
+46679
+46681
+46687
+46691
+46703
+46723
+46727
+46747
+46751
+46757
+46769
+46771
+46807
+46811
+46817
+46819
+46829
+46831
+46853
+46861
+46867
+46877
+46889
+46901
+46919
+46933
+46957
+46993
+46997
+47017
+47041
+47051
+47057
+47059
+47087
+47093
+47111
+47119
+47123
+47129
+47137
+47143
+47147
+47149
+47161
+47189
+47207
+47221
+47237
+47251
+47269
+47279
+47287
+47293
+47297
+47303
+47309
+47317
+47339
+47351
+47353
+47363
+47381
+47387
+47389
+47407
+47417
+47419
+47431
+47441
+47459
+47491
+47497
+47501
+47507
+47513
+47521
+47527
+47533
+47543
+47563
+47569
+47581
+47591
+47599
+47609
+47623
+47629
+47639
+47653
+47657
+47659
+47681
+47699
+47701
+47711
+47713
+47717
+47737
+47741
+47743
+47777
+47779
+47791
+47797
+47807
+47809
+47819
+47837
+47843
+47857
+47869
+47881
+47903
+47911
+47917
+47933
+47939
+47947
+47951
+47963
+47969
+47977
+47981
+48017
+48023
+48029
+48049
+48073
+48079
+48091
+48109
+48119
+48121
+48131
+48157
+48163
+48179
+48187
+48193
+48197
+48221
+48239
+48247
+48259
+48271
+48281
+48299
+48311
+48313
+48337
+48341
+48353
+48371
+48383
+48397
+48407
+48409
+48413
+48437
+48449
+48463
+48473
+48479
+48481
+48487
+48491
+48497
+48523
+48527
+48533
+48539
+48541
+48563
+48571
+48589
+48593
+48611
+48619
+48623
+48647
+48649
+48661
+48673
+48677
+48679
+48731
+48733
+48751
+48757
+48761
+48767
+48779
+48781
+48787
+48799
+48809
+48817
+48821
+48823
+48847
+48857
+48859
+48869
+48871
+48883
+48889
+48907
+48947
+48953
+48973
+48989
+48991
+49003
+49009
+49019
+49031
+49033
+49037
+49043
+49057
+49069
+49081
+49103
+49109
+49117
+49121
+49123
+49139
+49157
+49169
+49171
+49177
+49193
+49199
+49201
+49207
+49211
+49223
+49253
+49261
+49277
+49279
+49297
+49307
+49331
+49333
+49339
+49363
+49367
+49369
+49391
+49393
+49409
+49411
+49417
+49429
+49433
+49451
+49459
+49463
+49477
+49481
+49499
+49523
+49529
+49531
+49537
+49547
+49549
+49559
+49597
+49603
+49613
+49627
+49633
+49639
+49663
+49667
+49669
+49681
+49697
+49711
+49727
+49739
+49741
+49747
+49757
+49783
+49787
+49789
+49801
+49807
+49811
+49823
+49831
+49843
+49853
+49871
+49877
+49891
+49919
+49921
+49927
+49937
+49939
+49943
+49957
+49991
+49993
+49999
+50021
+50023
+50033
+50047
+50051
+50053
+50069
+50077
+50087
+50093
+50101
+50111
+50119
+50123
+50129
+50131
+50147
+50153
+50159
+50177
+50207
+50221
+50227
+50231
+50261
+50263
+50273
+50287
+50291
+50311
+50321
+50329
+50333
+50341
+50359
+50363
+50377
+50383
+50387
+50411
+50417
+50423
+50441
+50459
+50461
+50497
+50503
+50513
+50527
+50539
+50543
+50549
+50551
+50581
+50587
+50591
+50593
+50599
+50627
+50647
+50651
+50671
+50683
+50707
+50723
+50741
+50753
+50767
+50773
+50777
+50789
+50821
+50833
+50839
+50849
+50857
+50867
+50873
+50891
+50893
+50909
+50923
+50929
+50951
+50957
+50969
+50971
+50989
+50993
+51001
+51031
+51043
+51047
+51059
+51061
+51071
+51109
+51131
+51133
+51137
+51151
+51157
+51169
+51193
+51197
+51199
+51203
+51217
+51229
+51239
+51241
+51257
+51263
+51283
+51287
+51307
+51329
+51341
+51343
+51347
+51349
+51361
+51383
+51407
+51413
+51419
+51421
+51427
+51431
+51437
+51439
+51449
+51461
+51473
+51479
+51481
+51487
+51503
+51511
+51517
+51521
+51539
+51551
+51563
+51577
+51581
+51593
+51599
+51607
+51613
+51631
+51637
+51647
+51659
+51673
+51679
+51683
+51691
+51713
+51719
+51721
+51749
+51767
+51769
+51787
+51797
+51803
+51817
+51827
+51829
+51839
+51853
+51859
+51869
+51871
+51893
+51899
+51907
+51913
+51929
+51941
+51949
+51971
+51973
+51977
+51991
+52009
+52021
+52027
+52051
+52057
+52067
+52069
+52081
+52103
+52121
+52127
+52147
+52153
+52163
+52177
+52181
+52183
+52189
+52201
+52223
+52237
+52249
+52253
+52259
+52267
+52289
+52291
+52301
+52313
+52321
+52361
+52363
+52369
+52379
+52387
+52391
+52433
+52453
+52457
+52489
+52501
+52511
+52517
+52529
+52541
+52543
+52553
+52561
+52567
+52571
+52579
+52583
+52609
+52627
+52631
+52639
+52667
+52673
+52691
+52697
+52709
+52711
+52721
+52727
+52733
+52747
+52757
+52769
+52783
+52807
+52813
+52817
+52837
+52859
+52861
+52879
+52883
+52889
+52901
+52903
+52919
+52937
+52951
+52957
+52963
+52967
+52973
+52981
+52999
+53003
+53017
+53047
+53051
+53069
+53077
+53087
+53089
+53093
+53101
+53113
+53117
+53129
+53147
+53149
+53161
+53171
+53173
+53189
+53197
+53201
+53231
+53233
+53239
+53267
+53269
+53279
+53281
+53299
+53309
+53323
+53327
+53353
+53359
+53377
+53381
+53401
+53407
+53411
+53419
+53437
+53441
+53453
+53479
+53503
+53507
+53527
+53549
+53551
+53569
+53591
+53593
+53597
+53609
+53611
+53617
+53623
+53629
+53633
+53639
+53653
+53657
+53681
+53693
+53699
+53717
+53719
+53731
+53759
+53773
+53777
+53783
+53791
+53813
+53819
+53831
+53849
+53857
+53861
+53881
+53887
+53891
+53897
+53899
+53917
+53923
+53927
+53939
+53951
+53959
+53987
+53993
+54001
+54011
+54013
+54037
+54049
+54059
+54083
+54091
+54101
+54121
+54133
+54139
+54151
+54163
+54167
+54181
+54193
+54217
+54251
+54269
+54277
+54287
+54293
+54311
+54319
+54323
+54331
+54347
+54361
+54367
+54371
+54377
+54401
+54403
+54409
+54413
+54419
+54421
+54437
+54443
+54449
+54469
+54493
+54497
+54499
+54503
+54517
+54521
+54539
+54541
+54547
+54559
+54563
+54577
+54581
+54583
+54601
+54617
+54623
+54629
+54631
+54647
+54667
+54673
+54679
+54709
+54713
+54721
+54727
+54751
+54767
+54773
+54779
+54787
+54799
+54829
+54833
+54851
+54869
+54877
+54881
+54907
+54917
+54919
+54941
+54949
+54959
+54973
+54979
+54983
+55001
+55009
+55021
+55049
+55051
+55057
+55061
+55073
+55079
+55103
+55109
+55117
+55127
+55147
+55163
+55171
+55201
+55207
+55213
+55217
+55219
+55229
+55243
+55249
+55259
+55291
+55313
+55331
+55333
+55337
+55339
+55343
+55351
+55373
+55381
+55399
+55411
+55439
+55441
+55457
+55469
+55487
+55501
+55511
+55529
+55541
+55547
+55579
+55589
+55603
+55609
+55619
+55621
+55631
+55633
+55639
+55661
+55663
+55667
+55673
+55681
+55691
+55697
+55711
+55717
+55721
+55733
+55763
+55787
+55793
+55799
+55807
+55813
+55817
+55819
+55823
+55829
+55837
+55843
+55849
+55871
+55889
+55897
+55901
+55903
+55921
+55927
+55931
+55933
+55949
+55967
+55987
+55997
+56003
+56009
+56039
+56041
+56053
+56081
+56087
+56093
+56099
+56101
+56113
+56123
+56131
+56149
+56167
+56171
+56179
+56197
+56207
+56209
+56237
+56239
+56249
+56263
+56267
+56269
+56299
+56311
+56333
+56359
+56369
+56377
+56383
+56393
+56401
+56417
+56431
+56437
+56443
+56453
+56467
+56473
+56477
+56479
+56489
+56501
+56503
+56509
+56519
+56527
+56531
+56533
+56543
+56569
+56591
+56597
+56599
+56611
+56629
+56633
+56659
+56663
+56671
+56681
+56687
+56701
+56711
+56713
+56731
+56737
+56747
+56767
+56773
+56779
+56783
+56807
+56809
+56813
+56821
+56827
+56843
+56857
+56873
+56891
+56893
+56897
+56909
+56911
+56921
+56923
+56929
+56941
+56951
+56957
+56963
+56983
+56989
+56993
+56999
+57037
+57041
+57047
+57059
+57073
+57077
+57089
+57097
+57107
+57119
+57131
+57139
+57143
+57149
+57163
+57173
+57179
+57191
+57193
+57203
+57221
+57223
+57241
+57251
+57259
+57269
+57271
+57283
+57287
+57301
+57329
+57331
+57347
+57349
+57367
+57373
+57383
+57389
+57397
+57413
+57427
+57457
+57467
+57487
+57493
+57503
+57527
+57529
+57557
+57559
+57571
+57587
+57593
+57601
+57637
+57641
+57649
+57653
+57667
+57679
+57689
+57697
+57709
+57713
+57719
+57727
+57731
+57737
+57751
+57773
+57781
+57787
+57791
+57793
+57803
+57809
+57829
+57839
+57847
+57853
+57859
+57881
+57899
+57901
+57917
+57923
+57943
+57947
+57973
+57977
+57991
+58013
+58027
+58031
+58043
+58049
+58057
+58061
+58067
+58073
+58099
+58109
+58111
+58129
+58147
+58151
+58153
+58169
+58171
+58189
+58193
+58199
+58207
+58211
+58217
+58229
+58231
+58237
+58243
+58271
+58309
+58313
+58321
+58337
+58363
+58367
+58369
+58379
+58391
+58393
+58403
+58411
+58417
+58427
+58439
+58441
+58451
+58453
+58477
+58481
+58511
+58537
+58543
+58549
+58567
+58573
+58579
+58601
+58603
+58613
+58631
+58657
+58661
+58679
+58687
+58693
+58699
+58711
+58727
+58733
+58741
+58757
+58763
+58771
+58787
+58789
+58831
+58889
+58897
+58901
+58907
+58909
+58913
+58921
+58937
+58943
+58963
+58967
+58979
+58991
+58997
+59009
+59011
+59021
+59023
+59029
+59051
+59053
+59063
+59069
+59077
+59083
+59093
+59107
+59113
+59119
+59123
+59141
+59149
+59159
+59167
+59183
+59197
+59207
+59209
+59219
+59221
+59233
+59239
+59243
+59263
+59273
+59281
+59333
+59341
+59351
+59357
+59359
+59369
+59377
+59387
+59393
+59399
+59407
+59417
+59419
+59441
+59443
+59447
+59453
+59467
+59471
+59473
+59497
+59509
+59513
+59539
+59557
+59561
+59567
+59581
+59611
+59617
+59621
+59627
+59629
+59651
+59659
+59663
+59669
+59671
+59693
+59699
+59707
+59723
+59729
+59743
+59747
+59753
+59771
+59779
+59791
+59797
+59809
+59833
+59863
+59879
+59887
+59921
+59929
+59951
+59957
+59971
+59981
+59999
+60013
+60017
+60029
+60037
+60041
+60077
+60083
+60089
+60091
+60101
+60103
+60107
+60127
+60133
+60139
+60149
+60161
+60167
+60169
+60209
+60217
+60223
+60251
+60257
+60259
+60271
+60289
+60293
+60317
+60331
+60337
+60343
+60353
+60373
+60383
+60397
+60413
+60427
+60443
+60449
+60457
+60493
+60497
+60509
+60521
+60527
+60539
+60589
+60601
+60607
+60611
+60617
+60623
+60631
+60637
+60647
+60649
+60659
+60661
+60679
+60689
+60703
+60719
+60727
+60733
+60737
+60757
+60761
+60763
+60773
+60779
+60793
+60811
+60821
+60859
+60869
+60887
+60889
+60899
+60901
+60913
+60917
+60919
+60923
+60937
+60943
+60953
+60961
+61001
+61007
+61027
+61031
+61043
+61051
+61057
+61091
+61099
+61121
+61129
+61141
+61151
+61153
+61169
+61211
+61223
+61231
+61253
+61261
+61283
+61291
+61297
+61331
+61333
+61339
+61343
+61357
+61363
+61379
+61381
+61403
+61409
+61417
+61441
+61463
+61469
+61471
+61483
+61487
+61493
+61507
+61511
+61519
+61543
+61547
+61553
+61559
+61561
+61583
+61603
+61609
+61613
+61627
+61631
+61637
+61643
+61651
+61657
+61667
+61673
+61681
+61687
+61703
+61717
+61723
+61729
+61751
+61757
+61781
+61813
+61819
+61837
+61843
+61861
+61871
+61879
+61909
+61927
+61933
+61949
+61961
+61967
+61979
+61981
+61987
+61991
+62003
+62011
+62017
+62039
+62047
+62053
+62057
+62071
+62081
+62099
+62119
+62129
+62131
+62137
+62141
+62143
+62171
+62189
+62191
+62201
+62207
+62213
+62219
+62233
+62273
+62297
+62299
+62303
+62311
+62323
+62327
+62347
+62351
+62383
+62401
+62417
+62423
+62459
+62467
+62473
+62477
+62483
+62497
+62501
+62507
+62533
+62539
+62549
+62563
+62581
+62591
+62597
+62603
+62617
+62627
+62633
+62639
+62653
+62659
+62683
+62687
+62701
+62723
+62731
+62743
+62753
+62761
+62773
+62791
+62801
+62819
+62827
+62851
+62861
+62869
+62873
+62897
+62903
+62921
+62927
+62929
+62939
+62969
+62971
+62981
+62983
+62987
+62989
+63029
+63031
+63059
+63067
+63073
+63079
+63097
+63103
+63113
+63127
+63131
+63149
+63179
+63197
+63199
+63211
+63241
+63247
+63277
+63281
+63299
+63311
+63313
+63317
+63331
+63337
+63347
+63353
+63361
+63367
+63377
+63389
+63391
+63397
+63409
+63419
+63421
+63439
+63443
+63463
+63467
+63473
+63487
+63493
+63499
+63521
+63527
+63533
+63541
+63559
+63577
+63587
+63589
+63599
+63601
+63607
+63611
+63617
+63629
+63647
+63649
+63659
+63667
+63671
+63689
+63691
+63697
+63703
+63709
+63719
+63727
+63737
+63743
+63761
+63773
+63781
+63793
+63799
+63803
+63809
+63823
+63839
+63841
+63853
+63857
+63863
+63901
+63907
+63913
+63929
+63949
+63977
+63997
+64007
+64013
+64019
+64033
+64037
+64063
+64067
+64081
+64091
+64109
+64123
+64151
+64153
+64157
+64171
+64187
+64189
+64217
+64223
+64231
+64237
+64271
+64279
+64283
+64301
+64303
+64319
+64327
+64333
+64373
+64381
+64399
+64403
+64433
+64439
+64451
+64453
+64483
+64489
+64499
+64513
+64553
+64567
+64577
+64579
+64591
+64601
+64609
+64613
+64621
+64627
+64633
+64661
+64663
+64667
+64679
+64693
+64709
+64717
+64747
+64763
+64781
+64783
+64793
+64811
+64817
+64849
+64853
+64871
+64877
+64879
+64891
+64901
+64919
+64921
+64927
+64937
+64951
+64969
+64997
+65003
+65011
+65027
+65029
+65033
+65053
+65063
+65071
+65089
+65099
+65101
+65111
+65119
+65123
+65129
+65141
+65147
+65167
+65171
+65173
+65179
+65183
+65203
+65213
+65239
+65257
+65267
+65269
+65287
+65293
+65309
+65323
+65327
+65353
+65357
+65371
+65381
+65393
+65407
+65413
+65419
+65423
+65437
+65447
+65449
+65479
+65497
+65519
+65521
diff --git a/security/nss/lib/freebl/mpi/doc/prng.pod b/security/nss/lib/freebl/mpi/doc/prng.pod
new file mode 100644
index 000000000..1ae75da82
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/prng.pod
@@ -0,0 +1,41 @@
+=head1 NAME
+
+ prng - pseudo-random number generator
+
+=head1 SYNOPSIS
+
+ prng [count]
+
+=head1 DESCRIPTION
+
+B<Prng> generates 32-bit pseudo-random integers using the
+Blum-Blum-Shub (BBS) quadratic residue generator.  It is seeded using
+the standard C library's rand() function, which itself seeded from the
+system clock and the process ID number.  Thus, the values generated
+are not particularly useful for cryptographic applications, but they
+are in general much better than the typical output of the usual
+multiplicative congruency generator used by most runtime libraries.
+
+You may optionally specify how many random values should be generated
+by giving a I<count> argument on the command line.  If you do not
+specify a count, only one random value will be generated.  The results
+are output to the standard output in decimal notation, one value per
+line.
+
+=head1 RESTRICTIONS
+
+As stated above, B<prng> uses the C library's rand() function to seed
+the generator, so it is not terribly suitable for cryptographic
+applications.  Also note that each time you run the program, a new
+seed is generated, so it is better to run it once with a I<count>
+parameter than it is to run it multiple times to generate several
+values.
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Copyright (C) 1998 Michael J. Fromberger, All Rights Reserved
+ Thayer School of Engineering, Dartmouth College, Hanover, NH  USA
+
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/redux.txt b/security/nss/lib/freebl/mpi/doc/redux.txt
new file mode 100644
index 000000000..d6eb7844f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/redux.txt
@@ -0,0 +1,121 @@
+Modular Reduction
+
+Usually, modular reduction is accomplished by long division, using the
+mp_div() or mp_mod() functions.  However, when performing modular
+exponentiation, you spend a lot of time reducing by the same modulus
+again and again.  For this purpose, doing a full division for each
+multiplication is quite inefficient.
+
+For this reason, the mp_exptmod() function does not perform modular
+reductions in the usual way, but instead takes advantage of an
+algorithm due to Barrett, as described by Menezes, Oorschot and
+VanStone in their book _Handbook of Applied Cryptography_, published
+by the CRC Press (see Chapter 14 for details).  This method reduces
+most of the computation of reduction to efficient shifting and masking
+operations, and avoids the multiple-precision division entirely.
+
+Here is a brief synopsis of Barrett reduction, as it is implemented in
+this library.
+
+Let b denote the radix of the computation (one more than the maximum
+value that can be denoted by an mp_digit).  Let m be the modulus, and
+let k be the number of significant digits of m.  Let x be the value to
+be reduced modulo m.  By the Division Theorem, there exist unique
+integers Q and R such that:
+
+	 x = Qm + R, 0 <= R < m
+
+Barrett reduction takes advantage of the fact that you can easily
+approximate Q to within two, given a value M such that:
+
+	                  2k
+	                 b
+	    M = floor( ----- )
+	                 m
+
+Computation of M requires a full-precision division step, so if you
+are only doing a single reduction by m, you gain no advantage.
+However, when multiple reductions by the same m are required, this
+division need only be done once, beforehand.  Using this, we can use
+the following equation to compute Q', an approximation of Q:
+
+                     x
+            floor( ------ ) M
+                      k-1
+                     b
+Q' = floor( ----------------- )
+                    k+1
+                   b
+
+The divisions by b^(k-1) and b^(k+1) and the floor() functions can be
+efficiently implemented with shifts and masks, leaving only a single
+multiplication to be performed to get this approximation.  It can be
+shown that Q - 2 <= Q' <= Q, so in the worst case, we can get out with
+two additional subtractions to bring the value into line with the
+actual value of Q.
+
+Once we've got Q', we basically multiply that by m and subtract from
+x, yielding:
+
+   x - Q'm = Qm + R - Q'm
+
+Since we know the constraint on Q', this is one of:
+
+      R
+      m + R
+      2m + R
+
+Since R < m by the Division Theorem, we can simply subtract off m
+until we get a value in the correct range, which will happen with no
+more than 2 subtractions:
+
+     v = x - Q'm
+
+     while(v >= m)
+       v = v - m
+     endwhile
+
+
+In random performance trials, modular exponentiation using this method
+of reduction gave around a 40% speedup over using the division for
+reduction.
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
diff --git a/security/nss/lib/freebl/mpi/doc/sqrt.txt b/security/nss/lib/freebl/mpi/doc/sqrt.txt
new file mode 100644
index 000000000..c709217a5
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/sqrt.txt
@@ -0,0 +1,87 @@
+Square Root
+
+A simple iterative algorithm is used to compute the greatest integer
+less than or equal to the square root.  Essentially, this is Newton's
+linear approximation, computed by finding successive values of the
+equation:
+
+		    x[k]^2 - V
+x[k+1]	 =  x[k] - ------------
+	             2 x[k]
+
+...where V is the value for which the square root is being sought.  In
+essence, what is happening here is that we guess a value for the
+square root, then figure out how far off we were by squaring our guess
+and subtracting the target.  Using this value, we compute a linear
+approximation for the error, and adjust the "guess".  We keep doing
+this until the precision gets low enough that the above equation
+yields a quotient of zero.  At this point, our last guess is one
+greater than the square root we're seeking.
+
+The initial guess is computed by dividing V by 4, which is a heuristic
+I have found to be fairly good on average.  This also has the
+advantage of being very easy to compute efficiently, even for large
+values.
+
+So, the resulting algorithm works as follows:
+
+    x = V / 4   /* compute initial guess */
+    
+    loop
+	t = (x * x) - V   /* Compute absolute error  */
+	u = 2 * x         /* Adjust by tangent slope */
+	t = t / u
+
+	/* Loop is done if error is zero */
+	if(t == 0)
+	    break
+
+	/* Adjust guess by error term    */
+	x = x - t
+    end
+
+    x = x - 1
+
+The result of the computation is the value of x.
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/square.txt b/security/nss/lib/freebl/mpi/doc/square.txt
new file mode 100644
index 000000000..319ea9657
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/square.txt
@@ -0,0 +1,109 @@
+Squaring Algorithm
+
+When you are squaring a value, you can take advantage of the fact that
+half the multiplications performed by the more general multiplication
+algorithm (see 'mul.txt' for a description) are redundant when the
+multiplicand equals the multiplier.
+
+In particular, the modified algorithm is:
+
+k = 0
+for j <- 0 to (#a - 1)
+  w = c[2*j] + (a[j] ^ 2);
+  k = w div R
+
+  for i <- j+1 to (#a - 1)
+    w = (2 * a[j] * a[i]) + k + c[i+j]
+    c[i+j] = w mod R
+    k = w div R
+  endfor
+  c[i+j] = k;
+  k = 0;
+endfor
+
+On the surface, this looks identical to the multiplication algorithm;
+however, note the following differences:
+
+  - precomputation of the leading term in the outer loop
+
+  - i runs from j+1 instead of from zero
+
+  - doubling of a[i] * a[j] in the inner product
+
+Unfortunately, the construction of the inner product is such that we
+need more than two digits to represent the inner product, in some
+cases.  In a C implementation, this means that some gymnastics must be
+performed in order to handle overflow, for which C has no direct
+abstraction.  We do this by observing the following:
+
+If we have multiplied a[i] and a[j], and the product is more than half
+the maximum value expressible in two digits, then doubling this result
+will overflow into a third digit.  If this occurs, we take note of the
+overflow, and double it anyway -- C integer arithmetic ignores
+overflow, so the two digits we get back should still be valid, modulo
+the overflow.
+
+Having doubled this value, we now have to add in the remainders and
+the digits already computed by earlier steps.  If we did not overflow
+in the previous step, we might still cause an overflow here.  That
+will happen whenever the maximum value expressible in two digits, less
+the amount we have to add, is greater than the result of the previous
+step.  Thus, the overflow computation is:
+
+
+  u = 0
+  w = a[i] * a[j]
+
+  if(w > (R - 1)/ 2)
+    u = 1;
+
+  w = w * 2
+  v = c[i + j] + k
+
+  if(u == 0 && (R - 1 - v) < w)
+    u = 1
+
+If there is an overflow, u will be 1, otherwise u will be 0.  The rest
+of the parameters are the same as they are in the above description.
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/timing.txt b/security/nss/lib/freebl/mpi/doc/timing.txt
new file mode 100644
index 000000000..4c77da79f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/timing.txt
@@ -0,0 +1,250 @@
+MPI Library Timing Tests
+
+Hardware/OS
+(A) SGI O2 1 x MIPS R10000 250MHz IRIX 6.5.3
+(B) IBM RS/6000 43P-240 1 x PowerPC 603e 223MHz AIX 4.3
+(C) Dell GX1/L+ 1 x Pentium III 550MHz Linux 2.2.12-20
+(D) PowerBook G3 1 x PowerPC 750 266MHz LinuxPPC 2.2.6-15apmac
+(E) PowerBook G3 1 x PowerPC 750 266MHz MacOS 8.5.1
+(F) PowerBook G3 1 x PowerPC 750 400MHz MacOS 9.0.2
+
+Compiler
+(1) MIPSpro C 7.2.1 -O3 optimizations
+(2) GCC 2.95.1 -O3 optimizations
+(3) IBM AIX xlc -O3 optimizations (version unknown)
+(4) EGCS 2.91.66 -O3 optimizations
+(5) Metrowerks CodeWarrior 5.0 C, all optimizations
+(6) MIPSpro C 7.30 -O3 optimizations
+(7) same as (6), with optimized libmalloc.so
+
+Timings are given in seconds, computed using the C library's clock()
+function.  The first column gives the hardware and compiler
+configuration used for the test. The second column indicates the
+number of tests that were aggregated to get the statistics for that
+size.  These were compiled using 16 bit digits.
+
+Source data were generated randomly using a fixed seed, so they should
+be internally consistent, but may vary on different systems depending
+on the C library.  Also, since the resolution of the timer accessed by
+clock() varies, there may be some variance in the precision of these
+measurements.
+
+Prime Generation (primegen)
+
+128 bits:
+A1      200     min=0.03, avg=0.19, max=0.72, sum=38.46
+A2      200     min=0.02, avg=0.16, max=0.62, sum=32.55
+B3      200     min=0.01, avg=0.07, max=0.22, sum=13.29
+C4      200     min=0.00, avg=0.03, max=0.20, sum=6.14
+D4      200     min=0.00, avg=0.05, max=0.33, sum=9.70
+A6      200     min=0.01, avg=0.09, max=0.36, sum=17.48
+A7      200     min=0.00, avg=0.05, max=0.24, sum=10.07
+
+192 bits:
+A1      200     min=0.05, avg=0.45, max=3.13, sum=89.96
+A2      200     min=0.04, avg=0.39, max=2.61, sum=77.55
+B3      200     min=0.02, avg=0.18, max=1.25, sum=36.97
+C4      200     min=0.01, avg=0.09, max=0.33, sum=18.24
+D4      200     min=0.02, avg=0.15, max=0.54, sum=29.63
+A6      200     min=0.02, avg=0.24, max=1.70, sum=47.84
+A7      200     min=0.01, avg=0.15, max=1.05, sum=30.88
+
+256 bits:
+A1      200     min=0.08, avg=0.92, max=6.13, sum=184.79
+A2      200     min=0.06, avg=0.76, max=5.03, sum=151.11
+B3      200     min=0.04, avg=0.41, max=2.68, sum=82.35
+C4      200     min=0.02, avg=0.19, max=0.69, sum=37.91
+D4      200     min=0.03, avg=0.31, max=1.15, sum=63.00
+A6      200     min=0.04, avg=0.48, max=3.13, sum=95.46
+A7      200     min=0.03, avg=0.37, max=2.36, sum=73.60
+
+320 bits:
+A1      200     min=0.11, avg=1.59, max=6.14, sum=318.81
+A2      200     min=0.09, avg=1.27, max=4.93, sum=254.03
+B3      200     min=0.07, avg=0.82, max=3.13, sum=163.80
+C4      200     min=0.04, avg=0.44, max=1.91, sum=87.59
+D4      200     min=0.06, avg=0.73, max=3.22, sum=146.73
+A6      200     min=0.07, avg=0.93, max=3.50, sum=185.01
+A7      200     min=0.05, avg=0.76, max=2.94, sum=151.78
+
+384 bits:
+A1      200     min=0.16, avg=2.69, max=11.41, sum=537.89
+A2      200     min=0.13, avg=2.15, max=9.03, sum=429.14
+B3      200     min=0.11, avg=1.54, max=6.49, sum=307.78
+C4      200     min=0.06, avg=0.81, max=4.84, sum=161.13
+D4      200     min=0.10, avg=1.38, max=8.31, sum=276.81
+A6      200     min=0.11, avg=1.73, max=7.36, sum=345.55
+A7      200     min=0.09, avg=1.46, max=6.12, sum=292.02
+
+448 bits:
+A1      200     min=0.23, avg=3.36, max=15.92, sum=672.63
+A2      200     min=0.17, avg=2.61, max=12.25, sum=522.86
+B3      200     min=0.16, avg=2.10, max=9.83, sum=420.86
+C4      200     min=0.09, avg=1.44, max=7.64, sum=288.36
+D4      200     min=0.16, avg=2.50, max=13.29, sum=500.17
+A6      200     min=0.15, avg=2.31, max=10.81, sum=461.58
+A7      200     min=0.14, avg=2.03, max=9.53, sum=405.16
+
+512 bits:
+A1      200     min=0.30, avg=6.12, max=22.18, sum=1223.35
+A2      200     min=0.25, avg=4.67, max=16.90, sum=933.18
+B3      200     min=0.23, avg=4.13, max=14.94, sum=825.45
+C4      200     min=0.13, avg=2.08, max=9.75, sum=415.22
+D4      200     min=0.24, avg=4.04, max=20.18, sum=808.11
+A6      200     min=0.22, avg=4.47, max=16.19, sum=893.83
+A7      200     min=0.20, avg=4.03, max=14.65, sum=806.02
+
+Modular Exponentation (metime)
+
+The following results are aggregated from 200 pseudo-randomly
+generated tests, based on a fixed seed. 
+
+                      base, exponent, and modulus size (bits)
+P/C       128   192   256   320   384   448   512   640   768   896  1024
+------- -----------------------------------------------------------------
+A1      0.015 0.027 0.047 0.069 0.098 0.133 0.176 0.294 0.458 0.680 1.040
+A2      0.013 0.024 0.037 0.053 0.077 0.102 0.133 0.214 0.326 0.476 0.668
+B3      0.005 0.011 0.021 0.036 0.056 0.084 0.121 0.222 0.370 0.573 0.840
+C4      0.002 0.006 0.011 0.020 0.032 0.048 0.069 0.129 0.223 0.344 0.507
+D4      0.004 0.010 0.019 0.034 0.056 0.085 0.123 0.232 0.390 0.609 0.899
+E5      0.007 0.015 0.031 0.055 0.088 0.133 0.183 0.342 0.574 0.893 1.317
+A6      0.008 0.016 0.038 0.042 0.064 0.093 0.133 0.239 0.393 0.604 0.880
+A7      0.005 0.011 0.020 0.036 0.056 0.083 0.121 0.223 0.374 0.583 0.855
+
+Multiplication and Squaring tests, (mulsqr)
+
+The following results are aggregated from 500000 pseudo-randomly
+generated tests, based on a per-run wall-clock seed.  Times are given
+in seconds, except where indicated in microseconds (us).
+
+(A1)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      9.33        9.15    >   1.9     18.7us      18.3us
+128     10.88       10.44   >   4.0     21.8us      20.9us
+192     13.30       11.89   >   10.6    26.7us      23.8us
+256     14.88       12.64   >   15.1    29.8us      25.3us
+320     18.64       15.01   >   19.5    37.3us      30.0us
+384     23.11       17.70   >   23.4    46.2us      35.4us
+448     28.28       20.88   >   26.2    56.6us      41.8us
+512     34.09       24.51   >   28.1    68.2us      49.0us
+640     47.86       33.25   >   30.5    95.7us      66.5us
+768     64.91       43.54   >   32.9    129.8us     87.1us
+896     84.49       55.48   >   34.3    169.0us     111.0us
+1024    107.25      69.21   >   35.5    214.5us     138.4us
+1536    227.97      141.91  >   37.8    456.0us     283.8us
+2048    394.05      242.15  >   38.5    788.1us     484.3us
+
+(A2)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      7.87        7.95    <   1.0     15.7us      15.9us
+128     9.40        9.19    >   2.2     18.8us      18.4us
+192     11.15       10.59   >   5.0     22.3us      21.2us
+256     12.02       11.16   >   7.2     24.0us      22.3us
+320     14.62       13.43   >   8.1     29.2us      26.9us
+384     17.72       15.80   >   10.8    35.4us      31.6us
+448     21.24       18.51   >   12.9    42.5us      37.0us
+512     25.36       21.78   >   14.1    50.7us      43.6us
+640     34.57       29.00   >   16.1    69.1us      58.0us
+768     46.10       37.60   >   18.4    92.2us      75.2us
+896     58.94       47.72   >   19.0    117.9us     95.4us
+1024    73.76       59.12   >   19.8    147.5us     118.2us
+1536    152.00      118.80  >   21.8    304.0us     237.6us
+2048    259.41      199.57  >   23.1    518.8us     399.1us
+
+(B3)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      2.60        2.47    >   5.0     5.20us      4.94us
+128     4.43        4.06    >   8.4     8.86us      8.12us
+192     7.03        6.10    >   13.2    14.1us      12.2us
+256     10.44       8.59    >   17.7    20.9us      17.2us
+320     14.44       11.64   >   19.4    28.9us      23.3us
+384     19.12       15.08   >   21.1    38.2us      30.2us
+448     24.55       19.09   >   22.2    49.1us      38.2us
+512     31.03       23.53   >   24.2    62.1us      47.1us
+640     45.05       33.80   >   25.0    90.1us      67.6us
+768     63.02       46.05   >   26.9    126.0us     92.1us
+896     83.74       60.29   >   28.0    167.5us     120.6us
+1024    106.73      76.65   >   28.2    213.5us     153.3us
+1536    228.94      160.98  >   29.7    457.9us     322.0us
+2048    398.08      275.93  >   30.7    796.2us     551.9us
+
+(C4)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      1.34        1.28    >   4.5     2.68us      2.56us
+128     2.76        2.59    >   6.2     5.52us      5.18us
+192     4.52        4.16    >   8.0     9.04us      8.32us
+256     6.64        5.99    >   9.8     13.3us      12.0us
+320     9.20        8.13    >   11.6    18.4us      16.3us
+384     12.01       10.58   >   11.9    24.0us      21.2us
+448     15.24       13.33   >   12.5    30.5us      26.7us
+512     19.02       16.46   >   13.5    38.0us      32.9us
+640     27.56       23.54   >   14.6    55.1us      47.1us
+768     37.89       31.78   >   16.1    75.8us      63.6us
+896     49.24       41.42   >   15.9    98.5us      82.8us
+1024    62.59       52.18   >   16.6    125.2us     104.3us
+1536    131.66      107.72  >   18.2    263.3us     215.4us
+2048    226.45      182.95  >   19.2    453.0us     365.9us
+
+(A7)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      1.74        1.71    >   1.7     3.48us      3.42us
+128     3.48        2.96    >   14.9    6.96us      5.92us
+192     5.74        4.60    >   19.9    11.5us      9.20us
+256     8.75        6.61    >   24.5    17.5us      13.2us
+320     12.5        8.99    >   28.1    25.0us      18.0us
+384     16.9        11.9    >   29.6    33.8us      23.8us
+448     22.2        15.2    >   31.7    44.4us      30.4us
+512     28.3        19.0    >   32.7    56.6us      38.0us
+640     42.4        28.0    >   34.0    84.8us      56.0us
+768     59.4        38.5    >   35.2    118.8us     77.0us
+896     79.5        51.2    >   35.6    159.0us     102.4us
+1024    102.6	    65.5    >	36.2	205.2us	    131.0us
+1536    224.3	    140.6   >	37.3	448.6us	    281.2us
+2048    393.4	    244.3   >	37.9	786.8us	    488.6us
+
+------------------------------------------------------------------
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/hpma512.s b/security/nss/lib/freebl/mpi/hpma512.s
new file mode 100644
index 000000000..0d88608c1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hpma512.s
@@ -0,0 +1,646 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is multacc512 multiple-precision integer arithmetic.
+ *
+ * The Initial Developer of the Original Code is
+ * Hewlett-Packard Company.
+ * Portions created by the Initial Developer are Copyright (C) 1999
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   coded by:   Bill Worley, Hewlett-Packard labs
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ *
+ *  This PA-RISC 2.0 function computes the product of two unsigned integers,
+ *  and adds the result to a previously computed integer.  The multiplicand
+ *  is a 512-bit (64-byte, eight doubleword) unsigned integer, stored in
+ *  memory in little-double-wordian order.  The multiplier is an unsigned
+ *  64-bit integer.  The previously computed integer to which the product is
+ *  added is located in the result ("res") area, and is assumed to be a
+ *  576-bit (72-byte, nine doubleword) unsigned integer, stored in memory
+ *  in little-double-wordian order.  This value normally will be the result
+ *  of a previously computed nine doubleword result.  It is not necessary
+ *  to pad the multiplicand with an additional 64-bit zero doubleword.
+ *
+ *  Multiplicand, multiplier, and addend ideally should be aligned at
+ *  16-byte boundaries for best performance.  The code will function
+ *  correctly for alignment at eight-byte boundaries which are not 16-byte
+ *  boundaries, but the execution may be slightly slower due to even/odd
+ *  bank conflicts on PA-RISC 8000 processors.
+ *
+ *  This function is designed to accept the same calling sequence as Bill
+ *  Ackerman's "maxpy_little" function.  The carry from the ninth doubleword
+ *  of the result is written to the tenth word of the result, as is done by
+ *  Bill Ackerman's function.  The final carry also is returned as an
+ *  integer, which may be ignored.  The function prototype may be either
+ *  of the following:
+ *
+ *      void multacc512( int l, chunk* m, const chunk* a, chunk* res );
+ *          or
+ *      int multacc512( int l, chunk* m, const chunk* a, chunk* res );
+ *
+ *  where:  "l" originally denoted vector lengths.  This parameter is
+ *      ignored.  This function always assumes a multiplicand length of
+ *      512 bits (eight doublewords), and addend and result lengths of
+ *      576 bits (nine doublewords).
+ *
+ *      "m" is a pointer to the doubleword multiplier, ideally aligned
+ *      on a 16-byte boundary.
+ *
+ *      "a" is a pointer to the eight-doubleword multiplicand, stored
+ *      in little-double-wordian order, and ideally aligned on a 16-byte
+ *      boundary.
+ *
+ *      "res" is a pointer to the nine doubleword addend, and to the
+ *      nine-doubleword product computed by this function.  The result
+ *      also is stored in little-double-wordian order, and ideally is
+ *      aligned on a 16-byte boundary. It is expected that the alignment
+ *      of the "res" area may alternate between even/odd doubleword
+ *      boundaries for successive calls for 512-bit x 512-bit
+ *      multiplications.
+ *
+ *  The code for this function has been scheduled to use the parallelism
+ *  of the PA-RISC 8000 series microprocessors as well as the author was
+ *  able.  Comments and/or suggestions for improvement are welcomed.
+ *
+ *  The code is "64-bit safe".  This means it may be called in either
+ *  the 32ILP context or the 64LP context.  All 64-bits of registers are
+ *  saved and restored.
+ *
+ *  This code is self-contained.  It requires no other header files in order
+ *  to compile and to be linkable on a PA-RISC 2.0 machine.  Symbolic
+ *  definitions for registers and stack offsets are included within this
+ *  one source file.
+ *
+ *  This is a leaf routine.  As such, minimal use is made of the stack area.
+ *  Of the 192 bytes allocated, 64 bytes are used for saving/restoring eight
+ *  general registers, and 128 bytes are used to move intermediate products
+ *  from the floating-point registers to the general registers.  Stack
+ *  protocols assure proper alignment of these areas.
+ *
+ */
+
+
+/*  ====================================================================*/
+/*      symbolic definitions for PA-RISC registers      */
+/*      in the MIPS style, avoids lots of case shifts       */
+/*      assigments (except t4) preserve register number parity  */
+/*  ====================================================================*/
+
+#define zero    %r0         /* permanent zero */
+#define t5      %r1         /* temp register, altered by addil */
+
+#define rp      %r2         /* return pointer */
+
+#define s1      %r3         /* callee saves register*/
+#define s0      %r4         /* callee saves register*/
+#define s3      %r5         /* callee saves register*/
+#define s2      %r6         /* callee saves register*/
+#define s5      %r7         /* callee saves register*/
+#define s4      %r8         /* callee saves register*/
+#define s7      %r9         /* callee saves register*/
+#define s6      %r10        /* callee saves register*/
+
+#define t1      %r19        /* caller saves register*/
+#define t0      %r20        /* caller saves register*/
+#define t3      %r21        /* caller saves register*/
+#define t2      %r22        /* caller saves register*/
+
+#define a3      %r23        /* fourth argument register, high word */
+#define a2      %r24        /* third argument register, low word*/
+#define a1      %r25        /* second argument register, high word*/
+#define a0      %r26        /* first argument register, low word*/
+
+#define v0      %r28        /* high order return value*/
+#define v1      %r29        /* low order return value*/
+
+#define sp      %r30        /* stack pointer*/
+#define t4      %r31        /* temporary register   */
+
+#define fa0     %fr4        /* first argument register*/
+#define fa1     %fr5        /* second argument register*/
+#define fa2     %fr6        /* third argument register*/
+#define fa3     %fr7        /* fourth argument register*/
+
+#define fa0r    %fr4R       /* first argument register*/
+#define fa1r    %fr5R       /* second argument register*/
+#define fa2r    %fr6R       /* third argument register*/
+#define fa3r    %fr7R       /* fourth argument register*/
+
+#define ft0     %fr8        /* caller saves register*/
+#define ft1     %fr9        /* caller saves register*/
+#define ft2     %fr10       /* caller saves register*/
+#define ft3     %fr11       /* caller saves register*/
+
+#define ft0r    %fr8R       /* caller saves register*/
+#define ft1r    %fr9R       /* caller saves register*/
+#define ft2r    %fr10R      /* caller saves register*/
+#define ft3r    %fr11R      /* caller saves register*/
+
+#define ft4     %fr22       /* caller saves register*/
+#define ft5     %fr23       /* caller saves register*/
+#define ft6     %fr24       /* caller saves register*/
+#define ft7     %fr25       /* caller saves register*/
+#define ft8     %fr26       /* caller saves register*/
+#define ft9     %fr27       /* caller saves register*/
+#define ft10    %fr28       /* caller saves register*/
+#define ft11    %fr29       /* caller saves register*/
+#define ft12    %fr30       /* caller saves register*/
+#define ft13    %fr31       /* caller saves register*/
+
+#define ft4r    %fr22R      /* caller saves register*/
+#define ft5r    %fr23R      /* caller saves register*/
+#define ft6r    %fr24R      /* caller saves register*/
+#define ft7r    %fr25R      /* caller saves register*/
+#define ft8r    %fr26R      /* caller saves register*/
+#define ft9r    %fr27R      /* caller saves register*/
+#define ft10r   %fr28R      /* caller saves register*/
+#define ft11r   %fr29R      /* caller saves register*/
+#define ft12r   %fr30R      /* caller saves register*/
+#define ft13r   %fr31R      /* caller saves register*/
+
+
+
+/*  ================================================================== */
+/*      functional definitions for PA-RISC registers           */
+/*  ================================================================== */
+
+/*              general registers           */
+
+#define T1      a0          /* temp, (length parameter ignored)             */
+
+#define pM      a1          /* -> 64-bit multiplier                         */
+#define T2      a1          /* temp, (after fetching multiplier)            */
+
+#define pA      a2          /* -> multiplicand vector (8 64-bit words)      */
+#define T3      a2          /* temp, (after fetching multiplicand)          */
+
+#define pR      a3          /* -> addend vector (8 64-bit doublewords,
+                                  result vector (9 64-bit words)            */
+
+#define S0      s0          /* callee saves summand registers               */
+#define S1      s1
+#define S2      s2
+#define S3      s3
+#define S4      s4
+#define S5      s5
+#define S6      s6
+#define S7      s7
+
+#define S8      v0          /* caller saves summand registers               */
+#define S9      v1
+#define S10     t0
+#define S11     t1
+#define S12     t2
+#define S13     t3
+#define S14     t4
+#define S15     t5
+
+
+
+/*              floating-point registers                                    */
+
+#define M       fa0         /* multiplier double word                       */
+#define MR      fa0r        /* low order half of multiplier double word     */
+#define ML      fa0         /* high order half of multiplier double word    */
+
+#define A0      fa2         /* multiplicand double word 0                   */
+#define A0R     fa2r        /* low order half of multiplicand double word   */
+#define A0L     fa2         /* high order half of multiplicand double word  */
+
+#define A1      fa3         /* multiplicand double word 1                   */
+#define A1R     fa3r        /* low order half of multiplicand double word   */
+#define A1L     fa3         /* high order half of multiplicand double word  */
+
+#define A2      ft0         /* multiplicand double word 2                   */
+#define A2R     ft0r        /* low order half of multiplicand double word   */
+#define A2L     ft0         /* high order half of multiplicand double word  */
+
+#define A3      ft1         /* multiplicand double word 3                   */
+#define A3R     ft1r        /* low order half of multiplicand double word   */
+#define A3L     ft1         /* high order half of multiplicand double word  */
+
+#define A4      ft2         /* multiplicand double word 4                   */
+#define A4R     ft2r        /* low order half of multiplicand double word   */
+#define A4L     ft2         /* high order half of multiplicand double word  */
+
+#define A5      ft3         /* multiplicand double word 5                   */
+#define A5R     ft3r        /* low order half of multiplicand double word   */
+#define A5L     ft3         /* high order half of multiplicand double word  */
+
+#define A6      ft4         /* multiplicand double word 6                   */
+#define A6R     ft4r        /* low order half of multiplicand double word   */
+#define A6L     ft4         /* high order half of multiplicand double word  */
+
+#define A7      ft5         /* multiplicand double word 7                   */
+#define A7R     ft5r        /* low order half of multiplicand double word   */
+#define A7L     ft5         /* high order half of multiplicand double word  */
+
+#define P0      ft6         /* product word 0                               */
+#define P1      ft7         /* product word 0                               */
+#define P2      ft8         /* product word 0                               */
+#define P3      ft9         /* product word 0                               */
+#define P4      ft10        /* product word 0                               */
+#define P5      ft11        /* product word 0                               */
+#define P6      ft12        /* product word 0                               */
+#define P7      ft13        /* product word 0                               */
+
+
+
+
+/*  ======================================================================  */
+/*      symbolic definitions for HP-UX stack offsets                        */
+/*      symbolic definitions for memory NOPs                                */
+/*  ======================================================================  */
+
+#define ST_SZ       192         /* stack area total size                    */
+
+#define SV0         -192(sp)    /* general register save area               */
+#define SV1         -184(sp)
+#define SV2         -176(sp)
+#define SV3         -168(sp)
+#define SV4         -160(sp)
+#define SV5         -152(sp)
+#define SV6         -144(sp)
+#define SV7         -136(sp)
+
+#define XF0         -128(sp)    /* data transfer area                       */
+#define XF1         -120(sp)    /* for floating-pt to integer regs          */
+#define XF2         -112(sp)
+#define XF3         -104(sp)
+#define XF4         -96(sp)
+#define XF5         -88(sp)
+#define XF6         -80(sp)
+#define XF7         -72(sp)
+#define XF8         -64(sp)
+#define XF9         -56(sp)
+#define XF10        -48(sp)
+#define XF11        -40(sp)
+#define XF12        -32(sp)
+#define XF13        -24(sp)
+#define XF14        -16(sp)
+#define XF15        -8(sp)
+
+#define mnop    proberi (sp),3,zero     /* memory NOP                       */
+
+
+
+
+/*  ======================================================================  */
+/*      assembler formalities                                               */
+/*  ======================================================================  */
+
+#ifdef __LP64__
+                .level  2.0W
+#else
+                .level  2.0
+#endif
+                .space    $TEXT$
+                .subspa   $CODE$
+                .align    16
+
+/*  ======================================================================  */
+/*      here to compute 64-bit x 512-bit product + 512-bit addend           */
+/*  ======================================================================  */
+
+multacc512
+        .PROC
+        .CALLINFO
+        .ENTER
+    fldd    0(pM),M                 ; multiplier double word
+    ldo     ST_SZ(sp),sp            ; push stack
+
+    fldd    0(pA),A0                ; multiplicand double word 0
+    std     S1,SV1                  ; save s1
+
+    fldd    16(pA),A2               ; multiplicand double word 2
+    std     S3,SV3                  ; save s3
+
+    fldd    32(pA),A4               ; multiplicand double word 4
+    std     S5,SV5                  ; save s5
+
+    fldd    48(pA),A6               ; multiplicand double word 6
+    std     S7,SV7                  ; save s7
+
+
+    std     S0,SV0                  ; save s0
+    fldd    8(pA),A1                ; multiplicand double word 1
+    xmpyu   MR,A0L,P0               ; A0 cross 32-bit word products
+    xmpyu   ML,A0R,P2
+
+    std     S2,SV2                  ; save s2
+    fldd    24(pA),A3               ; multiplicand double word 3
+    xmpyu   MR,A2L,P4               ; A2 cross 32-bit word products
+    xmpyu   ML,A2R,P6
+
+    std     S4,SV4                  ; save s4
+    fldd    40(pA),A5               ; multiplicand double word 5
+
+    std     S6,SV6                  ; save s6
+    fldd    56(pA),A7               ; multiplicand double word 7
+
+
+    fstd    P0,XF0                  ; MR * A0L
+    xmpyu   MR,A0R,P0               ; A0 right 32-bit word product
+    xmpyu   MR,A1L,P1               ; A1 cross 32-bit word product
+
+    fstd    P2,XF2                  ; ML * A0R
+    xmpyu   ML,A0L,P2               ; A0 left 32-bit word product
+    xmpyu   ML,A1R,P3               ; A1 cross 32-bit word product
+
+    fstd    P4,XF4                  ; MR * A2L
+    xmpyu   MR,A2R,P4               ; A2 right 32-bit word product
+    xmpyu   MR,A3L,P5               ; A3 cross 32-bit word product
+
+    fstd    P6,XF6                  ; ML * A2R
+    xmpyu   ML,A2L,P6               ; A2 parallel 32-bit word product
+    xmpyu   ML,A3R,P7               ; A3 cross 32-bit word product
+
+
+    ldd     XF0,S0                  ; MR * A0L
+    fstd    P1,XF1                  ; MR * A1L
+
+    ldd     XF2,S2                  ; ML * A0R
+    fstd    P3,XF3                  ; ML * A1R
+
+    ldd     XF4,S4                  ; MR * A2L
+    fstd    P5,XF5                  ; MR * A3L
+    xmpyu   MR,A1R,P1               ; A1 parallel 32-bit word products
+    xmpyu   ML,A1L,P3
+
+    ldd     XF6,S6                  ; ML * A2R
+    fstd    P7,XF7                  ; ML * A3R
+    xmpyu   MR,A3R,P5               ; A3 parallel 32-bit word products
+    xmpyu   ML,A3L,P7
+
+
+    fstd    P0,XF0                  ; MR * A0R
+    ldd     XF1,S1                  ; MR * A1L
+    nop
+    add     S0,S2,T1                ; A0 cross product sum
+
+    fstd    P2,XF2                  ; ML * A0L
+    ldd     XF3,S3                  ; ML * A1R
+    add,dc  zero,zero,S0            ; A0 cross product sum carry
+    depd,z  T1,31,32,S2             ; A0 cross product sum << 32
+
+    fstd    P4,XF4                  ; MR * A2R
+    ldd     XF5,S5                  ; MR * A3L
+    shrpd   S0,T1,32,S0             ; A0 carry | cross product sum >> 32
+    add     S4,S6,T3                ; A2 cross product sum
+
+    fstd    P6,XF6                  ; ML * A2L
+    ldd     XF7,S7                  ; ML * A3R
+    add,dc  zero,zero,S4            ; A2 cross product sum carry
+    depd,z  T3,31,32,S6             ; A2 cross product sum << 32
+
+
+    ldd     XF0,S8                  ; MR * A0R
+    fstd    P1,XF1                  ; MR * A1R
+    xmpyu   MR,A4L,P0               ; A4 cross 32-bit word product
+    xmpyu   MR,A5L,P1               ; A5 cross 32-bit word product
+
+    ldd     XF2,S10                 ; ML * A0L
+    fstd    P3,XF3                  ; ML * A1L
+    xmpyu   ML,A4R,P2               ; A4 cross 32-bit word product
+    xmpyu   ML,A5R,P3               ; A5 cross 32-bit word product
+
+    ldd     XF4,S12                 ; MR * A2R
+    fstd    P5,XF5                  ; MR * A3L
+    xmpyu   MR,A6L,P4               ; A6 cross 32-bit word product
+    xmpyu   MR,A7L,P5               ; A7 cross 32-bit word product
+
+    ldd     XF6,S14                 ; ML * A2L
+    fstd    P7,XF7                  ; ML * A3L
+    xmpyu   ML,A6R,P6               ; A6 cross 32-bit word product
+    xmpyu   ML,A7R,P7               ; A7 cross 32-bit word product
+
+
+    fstd    P0,XF0                  ; MR * A4L
+    ldd     XF1,S9                  ; MR * A1R
+    shrpd   S4,T3,32,S4             ; A2 carry | cross product sum >> 32
+    add     S1,S3,T1                ; A1 cross product sum
+
+    fstd    P2,XF2                  ; ML * A4R
+    ldd     XF3,S11                 ; ML * A1L
+    add,dc  zero,zero,S1            ; A1 cross product sum carry
+    depd,z  T1,31,32,S3             ; A1 cross product sum << 32
+
+    fstd    P4,XF4                  ; MR * A6L
+    ldd     XF5,S13                 ; MR * A3R
+    shrpd   S1,T1,32,S1             ; A1 carry | cross product sum >> 32
+    add     S5,S7,T3                ; A3 cross product sum
+
+    fstd    P6,XF6                  ; ML * A6R
+    ldd     XF7,S15                 ; ML * A3L
+    add,dc  zero,zero,S5            ; A3 cross product sum carry
+    depd,z  T3,31,32,S7             ; A3 cross product sum << 32
+
+
+    shrpd   S5,T3,32,S5             ; A3 carry | cross product sum >> 32
+    add     S2,S8,S8                ; M * A0 right doubleword, P0 doubleword
+
+    add,dc  S0,S10,S10              ; M * A0 left doubleword
+    add     S3,S9,S9                ; M * A1 right doubleword
+
+    add,dc  S1,S11,S11              ; M * A1 left doubleword
+    add     S6,S12,S12              ; M * A2 right doubleword
+
+
+    ldd     24(pR),S3               ; Addend word 3
+    fstd    P1,XF1                  ; MR * A5L
+    add,dc  S4,S14,S14              ; M * A2 left doubleword
+    xmpyu   MR,A5R,P1               ; A5 right 32-bit word product
+
+    ldd     8(pR),S1                ; Addend word 1
+    fstd    P3,XF3                  ; ML * A5R
+    add     S7,S13,S13              ; M * A3 right doubleword
+    xmpyu   ML,A5L,P3               ; A5 left 32-bit word product
+
+    ldd     0(pR),S7                ; Addend word 0
+    fstd    P5,XF5                  ; MR * A7L
+    add,dc  S5,S15,S15              ; M * A3 left doubleword
+    xmpyu   MR,A7R,P5               ; A7 right 32-bit word product
+
+    ldd     16(pR),S5               ; Addend word 2
+    fstd    P7,XF7                  ; ML * A7R
+    add     S10,S9,S9               ; P1 doubleword
+    xmpyu   ML,A7L,P7               ; A7 left 32-bit word products
+
+
+    ldd     XF0,S0                  ; MR * A4L
+    fstd    P1,XF9                  ; MR * A5R
+    add,dc  S11,S12,S12             ; P2 doubleword
+    xmpyu   MR,A4R,P0               ; A4 right 32-bit word product
+
+    ldd     XF2,S2                  ; ML * A4R
+    fstd    P3,XF11                 ; ML * A5L
+    add,dc  S14,S13,S13             ; P3 doubleword
+    xmpyu   ML,A4L,P2               ; A4 left 32-bit word product
+
+    ldd     XF6,S6                  ; ML * A6R
+    fstd    P5,XF13                 ; MR * A7R
+    add,dc  zero,S15,T2             ; P4 partial doubleword
+    xmpyu   MR,A6R,P4               ; A6 right 32-bit word product
+
+    ldd     XF4,S4                  ; MR * A6L
+    fstd    P7,XF15                 ; ML * A7L
+    add     S7,S8,S8                ; R0 + P0, new R0 doubleword
+    xmpyu   ML,A6L,P6               ; A6 left 32-bit word product
+
+
+    fstd    P0,XF0                  ; MR * A4R
+    ldd     XF7,S7                  ; ML * A7R
+    add,dc  S1,S9,S9                ; c + R1 + P1, new R1 doubleword
+
+    fstd    P2,XF2                  ; ML * A4L
+    ldd     XF1,S1                  ; MR * A5L
+    add,dc  S5,S12,S12              ; c + R2 + P2, new R2 doubleword
+
+    fstd    P4,XF4                  ; MR * A6R
+    ldd     XF5,S5                  ; MR * A7L
+    add,dc  S3,S13,S13              ; c + R3 + P3, new R3 doubleword
+
+    fstd    P6,XF6                  ; ML * A6L
+    ldd     XF3,S3                  ; ML * A5R
+    add,dc  zero,T2,T2              ; c + partial P4
+    add     S0,S2,T1                ; A4 cross product sum
+
+
+    std     S8,0(pR)                ; save R0
+    add,dc  zero,zero,S0            ; A4 cross product sum carry
+    depd,z  T1,31,32,S2             ; A4 cross product sum << 32
+
+    std     S9,8(pR)                ; save R1
+    shrpd   S0,T1,32,S0             ; A4 carry | cross product sum >> 32
+    add     S4,S6,T3                ; A6 cross product sum
+
+    std     S12,16(pR)              ; save R2
+    add,dc  zero,zero,S4            ; A6 cross product sum carry
+    depd,z  T3,31,32,S6             ; A6 cross product sum << 32
+
+
+    std     S13,24(pR)              ; save R3
+    shrpd   S4,T3,32,S4             ; A6 carry | cross product sum >> 32
+    add     S1,S3,T1                ; A5 cross product sum
+
+    ldd     XF0,S8                  ; MR * A4R
+    add,dc  zero,zero,S1            ; A5 cross product sum carry
+    depd,z  T1,31,32,S3             ; A5 cross product sum << 32
+
+    ldd     XF2,S10                 ; ML * A4L
+    ldd     XF9,S9                  ; MR * A5R
+    shrpd   S1,T1,32,S1             ; A5 carry | cross product sum >> 32
+    add     S5,S7,T3                ; A7 cross product sum
+
+    ldd     XF4,S12                 ; MR * A6R
+    ldd     XF11,S11                ; ML * A5L
+    add,dc  zero,zero,S5            ; A7 cross product sum carry
+    depd,z  T3,31,32,S7             ; A7 cross product sum << 32
+
+    ldd     XF6,S14                 ; ML * A6L
+    ldd     XF13,S13                ; MR * A7R
+    shrpd   S5,T3,32,S5             ; A7 carry | cross product sum >> 32
+    add     S2,S8,S8                ; M * A4 right doubleword
+
+
+    ldd     XF15,S15                ; ML * A7L
+    add,dc  S0,S10,S10              ; M * A4 left doubleword
+    add     S3,S9,S9                ; M * A5 right doubleword
+
+    add,dc  S1,S11,S11              ; M * A5 left doubleword
+    add     S6,S12,S12              ; M * A6 right doubleword
+
+    ldd     32(pR),S0               ; Addend word 4
+    ldd     40(pR),S1               ; Addend word 5
+    add,dc  S4,S14,S14              ; M * A6 left doubleword
+    add     S7,S13,S13              ; M * A7 right doubleword
+
+    ldd     48(pR),S2               ; Addend word 6
+    ldd     56(pR),S3               ; Addend word 7
+    add,dc  S5,S15,S15              ; M * A7 left doubleword
+    add     S8,T2,S8                ; P4 doubleword
+
+    ldd     64(pR),S4               ; Addend word 8
+    ldd     SV5,s5                  ; restore s5
+    add,dc  S10,S9,S9               ; P5 doubleword
+    add,dc  S11,S12,S12             ; P6 doubleword
+
+
+    ldd     SV6,s6                  ; restore s6
+    ldd     SV7,s7                  ; restore s7
+    add,dc  S14,S13,S13             ; P7 doubleword
+    add,dc  zero,S15,S15            ; P8 doubleword
+
+    add     S0,S8,S8                ; new R4 doubleword
+
+    ldd     SV0,s0                  ; restore s0
+    std     S8,32(pR)               ; save R4
+    add,dc  S1,S9,S9                ; new R5 doubleword
+
+    ldd     SV1,s1                  ; restore s1
+    std     S9,40(pR)               ; save R5
+    add,dc  S2,S12,S12              ; new R6 doubleword
+
+    ldd     SV2,s2                  ; restore s2
+    std     S12,48(pR)              ; save R6
+    add,dc  S3,S13,S13              ; new R7 doubleword
+
+    ldd     SV3,s3                  ; restore s3
+    std     S13,56(pR)              ; save R7
+    add,dc  S4,S15,S15              ; new R8 doubleword
+
+    ldd     SV4,s4                  ; restore s4
+    std     S15,64(pR)              ; save result[8]
+    add,dc  zero,zero,v0            ; return carry from R8
+
+    CMPIB,*= 0,v0,$L0               ; if no overflow, exit
+    LDO     8(pR),pR
+
+$FINAL1                             ; Final carry propagation
+    LDD     64(pR),v0
+    LDO     8(pR),pR
+    ADDI    1,v0,v0
+    CMPIB,*= 0,v0,$FINAL1           ; Keep looping if there is a carry.
+    STD     v0,56(pR)
+$L0
+    bv      zero(rp)                ; -> caller
+    ldo     -ST_SZ(sp),sp           ; pop stack
+
+/*  ======================================================================  */
+/*      end of module                                                       */
+/*  ======================================================================  */
+
+                .LEAVE
+
+                .PROCEND
+                .SPACE         $TEXT$
+                .SUBSPA        $CODE$
+                .EXPORT        multacc512,ENTRY
+
+        .end
diff --git a/security/nss/lib/freebl/mpi/hppa20.s b/security/nss/lib/freebl/mpi/hppa20.s
new file mode 100644
index 000000000..4cabd249b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hppa20.s
@@ -0,0 +1,935 @@
+; ***** BEGIN LICENSE BLOCK *****
+; Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;
+; The contents of this file are subject to the Mozilla Public License Version
+; 1.1 (the "License"); you may not use this file except in compliance with
+; the License. You may obtain a copy of the License at
+; http://www.mozilla.org/MPL/
+;
+; Software distributed under the License is distributed on an "AS IS" basis,
+; WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+; for the specific language governing rights and limitations under the
+; License.
+;
+; The Original Code is MAXPY multiple-precision integer arithmetic.
+;
+; The Initial Developer of the Original Code is
+; the Hewlett-Packard Company.
+; Portions created by the Initial Developer are Copyright (C) 1997
+; the Initial Developer. All Rights Reserved.
+;
+; Contributor(s):
+;   coded by:   William B. Ackerman
+;
+; Alternatively, the contents of this file may be used under the terms of
+; either the GNU General Public License Version 2 or later (the "GPL"), or
+; the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+; in which case the provisions of the GPL or the LGPL are applicable instead
+; of those above. If you wish to allow use of your version of this file only
+; under the terms of either the GPL or the LGPL, and not to allow others to
+; use your version of this file under the terms of the MPL, indicate your
+; decision by deleting the provisions above and replace them with the notice
+; and other provisions required by the GPL or the LGPL. If you do not delete
+; the provisions above, a recipient may use your version of this file under
+; the terms of any one of the MPL, the GPL or the LGPL.
+;
+; ***** END LICENSE BLOCK *****
+
+#ifdef __LP64__
+        .LEVEL   2.0W
+#else
+;       .LEVEL   1.1
+;       .ALLOW   2.0N
+        .LEVEL   2.0N
+#endif
+        .SPACE   $TEXT$,SORT=8
+        .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
+
+; ***************************************************************
+;
+;                 maxpy_[little/big]
+;
+; ***************************************************************
+
+; There is no default -- you must specify one or the other.
+#define LITTLE_WORDIAN 1
+
+#ifdef LITTLE_WORDIAN
+#define EIGHT 8
+#define SIXTEEN 16
+#define THIRTY_TWO 32
+#define UN_EIGHT -8
+#define UN_SIXTEEN -16
+#define UN_TWENTY_FOUR -24
+#endif
+
+#ifdef BIG_WORDIAN
+#define EIGHT -8
+#define SIXTEEN -16
+#define THIRTY_TWO -32
+#define UN_EIGHT 8
+#define UN_SIXTEEN 16
+#define UN_TWENTY_FOUR 24
+#endif
+
+; This performs a multiple-precision integer version of "daxpy",
+; Using the selected addressing direction.  "Little-wordian" means that
+; the least significant word of a number is stored at the lowest address.
+; "Big-wordian" means that the most significant word is at the lowest
+; address.  Either way, the incoming address of the vector is that
+; of the least significant word.  That means that, for little-wordian
+; addressing, we move the address upward as we propagate carries
+; from the least significant word to the most significant.  For
+; big-wordian we move the address downward.
+
+; We use the following registers:
+;
+;     r2   return PC, of course
+;     r26 = arg1 =  length
+;     r25 = arg2 =  address of scalar
+;     r24 = arg3 =  multiplicand vector
+;     r23 = arg4 =  result vector
+;
+;     fr9 = scalar loaded once only from r25
+
+; The cycle counts shown in the bodies below are simply the result of a
+; scheduling by hand.  The actual PCX-U hardware does it differently.
+; The intention is that the overall speed is the same.
+
+; The pipeline startup and shutdown code is constructed in the usual way,
+; by taking the loop bodies and removing unnecessary instructions.
+; We have left the comments describing cycle numbers in the code.
+; These are intended for reference when comparing with the main loop,
+; and have no particular relationship to actual cycle numbers.
+
+#ifdef LITTLE_WORDIAN
+maxpy_little
+#else
+maxpy_big
+#endif
+        .PROC
+        .CALLINFO FRAME=120,ENTRY_GR=%r4
+        .ENTER
+
+; Of course, real men don't use the sissy "enter" and "leave" commands.
+; They write their own stack manipulation stuff.  Unfortunately,
+; that doesn't generate complete unwind info, whereas "enter" and
+; "leave" (if the documentation is to be believed) do so.  Therefore,
+; we use the sissy commands.  We have verified (by real-man methods)
+; that the above command generates what we want:
+;       STW,MA  %r3,128(%sp)
+;       STW     %r4,-124(%sp)
+
+        ADDIB,< -1,%r26,$L0         ; If N = 0, exit immediately.
+        FLDD    0(%r25),%fr9        ; fr9 = scalar
+
+; First startup
+
+        FLDD    0(%r24),%fr24       ; Cycle 1
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        CMPIB,> 3,%r26,$N_IS_SMALL  ; Pick out cases N = 1, 2, or 3
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        FSTD    %fr24,-96(%sp)
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        FSTD    %fr25,-80(%sp)
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+
+; Second startup
+
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        FSTD    %fr30,-56(%sp)
+        FLDD    0(%r24),%fr24
+
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        LDD     -56(%sp),%r20
+        ADD     %r21,%r3,%r3
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        LDD     -104(%sp),%r31
+        ADD,DC  %r0,%r0,%r20
+        SHRPD   %r19,%r3,32,%r3
+
+        LDD     -72(%sp),%r29       ; Cycle 9
+        SHRPD   %r20,%r19,32,%r20
+        ADD     %r21,%r1,%r1
+
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        ADD,DC  %r3,%r4,%r4
+        FSTD    %fr24,-96(%sp)
+
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        ADD,DC  %r0,%r20,%r20
+        LDD     0(%r23),%r3
+        FSTD    %fr25,-80(%sp)
+
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        ADD     %r0,%r0,%r0         ; clear the carry bit
+        ADDIB,<= -4,%r26,$ENDLOOP   ; actually happens in cycle 12
+        FSTD    %fr27,-48(%sp)
+;        MFCTL   %cr16,%r21         ; for timing
+;        STD     %r21,-112(%sp)
+
+; Here is the loop.
+
+$LOOP   XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        ADD,DC  %r29,%r4,%r4
+        FSTD    %fr30,-56(%sp)
+        FLDD    0(%r24),%fr24
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        ADD     %r3,%r1,%r1
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        ADD,DC  %r21,%r4,%r28
+        FSTD    %fr29,-72(%sp)    
+        LDD     -96(%sp),%r3
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        ADD,DC  %r20,%r31,%r22
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        ADD     %r21,%r3,%r3
+        LDD     -56(%sp),%r20
+        STD     %r1,UN_SIXTEEN(%r23)
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -88(%sp),%r4
+        LDD     -48(%sp),%r1
+
+        ADD,DC  %r0,%r0,%r20        ; Cycle 8
+        SHRPD   %r19,%r3,32,%r3
+        FLDD    EIGHT(%r24),%fr28
+        LDD     -104(%sp),%r31
+
+        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
+        ADD     %r21,%r1,%r1
+        STD     %r28,UN_EIGHT(%r23)
+        LDD     -72(%sp),%r29
+
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        ADD,DC  %r3,%r4,%r4
+        FSTD    %fr24,-96(%sp)
+
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr25,-80(%sp)
+        LDD     0(%r23),%r3
+
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        ADD     %r22,%r1,%r1
+        ADDIB,> -2,%r26,$LOOP       ; actually happens in cycle 12
+        FSTD    %fr27,-48(%sp)
+
+$ENDLOOP
+
+; Shutdown code, first stage.
+
+;        MFCTL   %cr16,%r21         ; for timing
+;        STD     %r21,UN_SIXTEEN(%r23)
+;        LDD     -112(%sp),%r21
+;        STD     %r21,UN_EIGHT(%r23)
+
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        ADD,DC  %r29,%r4,%r4
+        CMPIB,= 0,%r26,$ONEMORE
+        FSTD    %fr30,-56(%sp)
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        ADD     %r3,%r1,%r1         ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+        FSTD    %fr29,-72(%sp)    
+        STD     %r28,UN_EIGHT(%r23) ; moved up from cycle 9
+        LDD     -96(%sp),%r3
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+        STD     %r1,UN_SIXTEEN(%r23)
+$JOIN4
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        ADD     %r21,%r3,%r3        ; Cycle 6
+        LDD     -56(%sp),%r20
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -88(%sp),%r4
+        LDD     -48(%sp),%r1
+
+        ADD,DC  %r0,%r0,%r20        ; Cycle 8
+        SHRPD   %r19,%r3,32,%r3
+        LDD     -104(%sp),%r31
+
+        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
+        ADD     %r21,%r1,%r1
+        LDD     -72(%sp),%r29
+
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+
+        ADD,DC  %r0,%r20,%r20       ; Cycle 11
+        LDD     0(%r23),%r3
+
+        ADD     %r22,%r1,%r1        ; Cycle 13
+
+; Shutdown code, second stage.
+
+        ADD,DC  %r29,%r4,%r4        ; Cycle 1
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+
+        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
+
+        STD     %r28,UN_EIGHT(%r23) ; Cycle 9
+
+        LDD     0(%r23),%r3         ; Cycle 11
+
+; Shutdown code, third stage.
+
+        LDO     SIXTEEN(%r23),%r23
+        ADD     %r3,%r22,%r1
+$JOIN1  ADD,DC  %r0,%r0,%r21
+        CMPIB,*= 0,%r21,$L0         ; if no overflow, exit
+        STD     %r1,UN_SIXTEEN(%r23)
+
+; Final carry propagation
+
+$FINAL1 LDO     EIGHT(%r23),%r23
+        LDD     UN_SIXTEEN(%r23),%r21
+        ADDI    1,%r21,%r21
+        CMPIB,*= 0,%r21,$FINAL1     ; Keep looping if there is a carry.
+        STD     %r21,UN_SIXTEEN(%r23)
+        B       $L0
+        NOP
+
+; Here is the code that handles the difficult cases N=1, N=2, and N=3.
+; We do the usual trick -- branch out of the startup code at appropriate
+; points, and branch into the shutdown code.
+
+$N_IS_SMALL
+        CMPIB,= 0,%r26,$N_IS_ONE
+        FSTD    %fr24,-96(%sp)      ; Cycle 10
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        FSTD    %fr25,-80(%sp)
+        FSTD    %fr31,-64(%sp)      ; Cycle 12
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        CMPIB,= 2,%r26,$N_IS_THREE
+        FSTD    %fr30,-56(%sp)
+
+; N = 2
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        FSTD    %fr28,-104(%sp)     ; Cycle 3
+        LDD     -96(%sp),%r3        ; Cycle 4
+        FSTD    %fr29,-72(%sp)
+        B       $JOIN4
+        ADD     %r0,%r0,%r22
+
+$N_IS_THREE
+        FLDD    SIXTEEN(%r24),%fr24
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+        B       $JOIN3
+        ADD     %r0,%r0,%r22
+
+$N_IS_ONE
+        FSTD    %fr25,-80(%sp)
+        FSTD    %fr27,-48(%sp)
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        B       $JOIN5
+        ADD     %r0,%r0,%r22
+
+; We came out of the unrolled loop with wrong parity.  Do one more
+; single cycle.  This is quite tricky, because of the way the
+; carry chains and SHRPD chains have been chopped up.
+
+$ONEMORE
+
+        FLDD    0(%r24),%fr24
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+        ADD     %r3,%r1,%r1
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        ADD,DC  %r21,%r4,%r28
+        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)    
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        ADD,DC  %r20,%r31,%r22
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
+$JOIN3
+        XMPYU   %fr9L,%fr24R,%fr24
+        LDD     -56(%sp),%r20
+        ADD     %r21,%r3,%r3
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+
+        LDD     -104(%sp),%r31      ; Cycle 8
+        ADD,DC  %r0,%r0,%r20
+        SHRPD   %r19,%r3,32,%r3
+
+        LDD     -72(%sp),%r29       ; Cycle 9
+        SHRPD   %r20,%r19,32,%r20
+        ADD     %r21,%r1,%r1
+
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+        FSTD    %fr24,-96(%sp)
+
+        ADD,DC  %r0,%r20,%r20       ; Cycle 11
+        LDD     0(%r23),%r3
+        FSTD    %fr25,-80(%sp)
+
+        ADD     %r22,%r1,%r1        ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+
+; Shutdown code, stage 1-1/2.
+
+        ADD,DC  %r29,%r4,%r4        ; Cycle 1
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20     
+        FSTD    %fr26,-88(%sp)
+
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+        STD     %r1,UN_SIXTEEN(%r23)
+$JOIN5
+        LDD     -96(%sp),%r3        ; moved from cycle 4
+        LDD     -80(%sp),%r21
+        ADD     %r21,%r3,%r3        ; Cycle 6
+        ADD,DC  %r0,%r0,%r19        ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+        SHRPD   %r19,%r3,32,%r3     ; Cycle 8
+        ADD     %r21,%r1,%r1        ; Cycle 9
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+        LDD     0(%r23),%r3         ; Cycle 11
+        ADD     %r22,%r1,%r1        ; Cycle 13
+
+; Shutdown code, stage 2-1/2.
+
+        ADD,DC  %r0,%r4,%r4         ; Cycle 1
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+        STD     %r1,UN_SIXTEEN(%r23)
+        ADD,DC  %r21,%r4,%r1
+        B       $JOIN1
+        LDO     EIGHT(%r23),%r23
+
+; exit
+
+$L0
+        .LEAVE
+
+; We have verified that the above command generates what we want:
+;       LDW     -124(%sp),%r4
+;       BVE     (%r2)
+;       LDW,MB  -128(%sp),%r3
+
+        .PROCEND
+
+; ***************************************************************
+;
+;                 add_diag_[little/big]
+;
+; ***************************************************************
+
+; The arguments are as follows:
+;     r2   return PC, of course
+;     r26 = arg1 =  length
+;     r25 = arg2 =  vector to square
+;     r24 = arg3 =  result vector
+
+#ifdef LITTLE_WORDIAN
+add_diag_little
+#else
+add_diag_big
+#endif
+        .PROC
+        .CALLINFO FRAME=120,ENTRY_GR=%r4
+        .ENTER
+
+        ADDIB,< -1,%r26,$Z0         ; If N=0, exit immediately.
+        NOP
+
+; Startup code
+
+        FLDD    0(%r25),%fr7        ; Cycle 2 (alternate body)
+        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
+        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
+        FSTD    %fr29,-88(%sp)
+        FSTD    %fr27,-72(%sp)      ; Cycle 7
+        CMPIB,= 0,%r26,$DIAG_N_IS_ONE ; Cycle 1 (main body)
+        FSTD    %fr30,-96(%sp)
+        FLDD    UN_EIGHT(%r25),%fr7 ; Cycle 2
+        LDD     -88(%sp),%r22       ; Cycle 3
+        LDD     -72(%sp),%r31       ; Cycle 4
+        XMPYU   %fr7R,%fr7R,%fr28
+        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr31
+        LDD     -96(%sp),%r20       ; Cycle 6
+        FSTD    %fr28,-80(%sp)
+        ADD     %r0,%r0,%r0         ; clear the carry bit
+        ADDIB,<= -2,%r26,$ENDDIAGLOOP ; Cycle 7
+        FSTD    %fr24,-64(%sp)
+
+; Here is the loop.  It is unrolled twice, modelled after the "alternate body" and then the "main body".
+
+$DIAGLOOP
+        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
+        LDO     SIXTEEN(%r25),%r25
+        LDD     0(%r24),%r1
+        FSTD    %fr31,-104(%sp)
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD,DC  %r22,%r3,%r3
+        FLDD    UN_SIXTEEN(%r25),%fr7   
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        ADD     %r1,%r3,%r3
+        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
+        LDD     -80(%sp),%r21
+        STD     %r3,0(%r24)
+        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDD     -64(%sp),%r29       
+        LDD     EIGHT(%r24),%r1  
+        ADD,DC  %r4,%r20,%r20       ; Cycle 6
+        LDD     -104(%sp),%r19
+        FSTD    %fr29,-88(%sp)
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        FSTD    %fr27,-72(%sp)
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        LDD     UN_SIXTEEN(%r24),%r28
+        FSTD    %fr30,-96(%sp)
+        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
+        ADD,DC  %r21,%r4,%r4
+        FLDD    UN_EIGHT(%r25),%fr7
+        STD     %r1,UN_TWENTY_FOUR(%r24)
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        ADD     %r28,%r4,%r4
+        XMPYU   %fr7R,%fr7R,%fr28   ; Cycle 4
+        LDD     -88(%sp),%r22
+        STD     %r4,UN_SIXTEEN(%r24)
+        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr31
+        LDD     -72(%sp),%r31
+        LDD     UN_EIGHT(%r24),%r28
+        ADD,DC  %r3,%r19,%r19       ; Cycle 6
+        LDD     -96(%sp),%r20
+        FSTD    %fr28,-80(%sp)
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        FSTD    %fr24,-64(%sp)
+        ADDIB,> -2,%r26,$DIAGLOOP   ; Cycle 8
+        STD     %r28,UN_EIGHT(%r24)
+
+$ENDDIAGLOOP
+
+        ADD,DC  %r0,%r22,%r22    
+        CMPIB,= 0,%r26,$ONEMOREDIAG
+        SHRPD   %r31,%r0,31,%r3
+
+; Shutdown code, first stage.
+
+        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        LDD     -80(%sp),%r21
+        ADD     %r3,%r28,%r3
+        LDD     -64(%sp),%r29       ; Cycle 4
+        STD     %r3,0(%r24)
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
+        LDD     -104(%sp),%r19
+        ADD,DC  %r4,%r20,%r20
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        ADD,DC  %r0,%r21,%r21       ; Cycle 8
+        STD     %r1,EIGHT(%r24)
+
+; Shutdown code, second stage.
+
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        LDD     UN_SIXTEEN(%r24),%r1
+        SHRPD   %r0,%r29,31,%r3      ; Cycle 2
+        ADD     %r4,%r21,%r4
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        ADD     %r4,%r1,%r4
+        STD     %r4,UN_SIXTEEN(%r24); Cycle 4
+        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
+        ADD,DC  %r3,%r19,%r19       ; Cycle 6       
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        ADD,DC  %r0,%r0,%r22        ; Cycle 8
+        CMPIB,*= 0,%r22,$Z0         ; if no overflow, exit
+        STD     %r28,UN_EIGHT(%r24)
+
+; Final carry propagation
+
+$FDIAG2
+        LDO     EIGHT(%r24),%r24
+        LDD     UN_EIGHT(%r24),%r26
+        ADDI    1,%r26,%r26
+        CMPIB,*= 0,%r26,$FDIAG2     ; Keep looping if there is a carry.
+        STD     %r26,UN_EIGHT(%r24)
+
+        B   $Z0
+        NOP
+
+; Here is the code that handles the difficult case N=1.
+; We do the usual trick -- branch out of the startup code at appropriate
+; points, and branch into the shutdown code.
+
+$DIAG_N_IS_ONE
+
+        LDD     -88(%sp),%r22
+        LDD     -72(%sp),%r31
+        B       $JOINDIAG
+        LDD     -96(%sp),%r20
+
+; We came out of the unrolled loop with wrong parity.  Do one more
+; single cycle.  This is the "alternate body".  It will, of course,
+; give us opposite registers from the other case, so we need
+; completely different shutdown code.
+
+$ONEMOREDIAG
+        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28
+        FLDD    0(%r25),%fr7        ; Cycle 2
+        SHRPD   %r0,%r31,31,%r4
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        LDD     -80(%sp),%r21
+        ADD     %r3,%r28,%r3
+        LDD     -64(%sp),%r29       ; Cycle 4
+        STD     %r3,0(%r24)
+        XMPYU   %fr7R,%fr7R,%fr29
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        XMPYU   %fr7L,%fr7R,%fr27
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDD     -104(%sp),%r19      ; Cycle 6
+        FSTD    %fr29,-88(%sp)
+        ADD,DC  %r4,%r20,%r20
+        FSTD    %fr27,-72(%sp)      ; Cycle 7
+        ADD     %r20,%r1,%r1
+        ADD,DC  %r0,%r21,%r21       ; Cycle 8
+        STD     %r1,EIGHT(%r24)
+
+; Shutdown code, first stage.
+
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        FSTD    %fr30,-96(%sp)
+        LDD     UN_SIXTEEN(%r24),%r1
+        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
+        ADD     %r4,%r21,%r4
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        LDD     -88(%sp),%r22
+        ADD     %r4,%r1,%r4
+        LDD     -72(%sp),%r31       ; Cycle 4
+        STD     %r4,UN_SIXTEEN(%r24)
+        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
+        LDD     -96(%sp),%r20       ; Cycle 6
+        ADD,DC  %r3,%r19,%r19
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        ADD,DC  %r0,%r22,%r22       ; Cycle 8
+        STD     %r28,UN_EIGHT(%r24)
+
+; Shutdown code, second stage.
+
+$JOINDIAG
+        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28        
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        ADD     %r3,%r28,%r3
+        STD     %r3,0(%r24)         ; Cycle 4
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        ADD,DC  %r4,%r20,%r20
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        ADD,DC  %r0,%r0,%r21        ; Cycle 8
+        CMPIB,*= 0,%r21,$Z0         ; if no overflow, exit
+        STD     %r1,EIGHT(%r24)
+
+; Final carry propagation
+
+$FDIAG1
+        LDO     EIGHT(%r24),%r24
+        LDD     EIGHT(%r24),%r26
+        ADDI    1,%r26,%r26
+        CMPIB,*= 0,%r26,$FDIAG1    ; Keep looping if there is a carry.
+        STD     %r26,EIGHT(%r24)
+
+$Z0
+        .LEAVE
+        .PROCEND
+;	.ALLOW
+
+        .SPACE         $TEXT$
+        .SUBSPA        $CODE$
+#ifdef LITTLE_WORDIAN
+        .EXPORT        maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
+        .EXPORT        add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
+#else
+        .EXPORT        maxpy_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
+        .EXPORT        add_diag_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
+#endif
+        .END
+
+
+; How to use "maxpy_PA20_little" and "maxpy_PA20_big"
+; 
+; The routine "maxpy_PA20_little" or "maxpy_PA20_big"
+; performs a 64-bit x any-size multiply, and adds the
+; result to an area of memory.  That is, it performs
+; something like
+; 
+;      A B C D
+;    *       Z
+;   __________
+;    P Q R S T
+; 
+; and then adds the "PQRST" vector into an area of memory,
+; handling all carries.
+; 
+; Digression on nomenclature and endian-ness:
+; 
+; Each of the capital letters in the above represents a 64-bit
+; quantity.  That is, you could think of the discussion as
+; being in terms of radix-16-quintillion arithmetic.  The data
+; type being manipulated is "unsigned long long int".  This
+; requires the 64-bit extension of the HP-UX C compiler,
+; available at release 10.  You need these compiler flags to
+; enable these extensions:
+; 
+;       -Aa +e +DA2.0 +DS2.0
+; 
+; (The first specifies ANSI C, the second enables the
+; extensions, which are beyond ANSI C, and the third and
+; fourth tell the compiler to use whatever features of the
+; PA2.0 architecture it wishes, in order to made the code more
+; efficient.  Since the presence of the assembly code will
+; make the program unable to run on anything less than PA2.0,
+; you might as well gain the performance enhancements in the C
+; code as well.)
+; 
+; Questions of "endian-ness" often come up, usually in the
+; context of byte ordering in a word.  These routines have a
+; similar issue, that could be called "wordian-ness".
+; Independent of byte ordering (PA is always big-endian), one
+; can make two choices when representing extremely large
+; numbers as arrays of 64-bit doublewords in memory.
+; 
+; "Little-wordian" layout means that the least significant
+; word of a number is stored at the lowest address.
+; 
+;   MSW     LSW
+;    |       |
+;    V       V
+; 
+;    A B C D E
+; 
+;    ^     ^ ^
+;    |     | |____ address 0
+;    |     |
+;    |     |_______address 8
+;    |
+;    address 32
+; 
+; "Big-wordian" means that the most significant word is at the
+; lowest address.
+; 
+;   MSW     LSW
+;    |       |
+;    V       V
+; 
+;    A B C D E
+; 
+;    ^     ^ ^
+;    |     | |____ address 32
+;    |     |
+;    |     |_______address 24
+;    |
+;    address 0
+; 
+; When you compile the file, you must specify one or the other, with
+; a switch "-DLITTLE_WORDIAN" or "-DBIG_WORDIAN".
+; 
+;     Incidentally, you assemble this file as part of your
+;     project with the same C compiler as the rest of the program.
+;     My "makefile" for a superprecision arithmetic package has
+;     the following stuff:
+; 
+;     # definitions:
+;     CC = cc -Aa +e -z +DA2.0 +DS2.0 +w1
+;     CFLAGS = +O3
+;     LDFLAGS = -L /usr/lib -Wl,-aarchive
+; 
+;     # general build rule for ".s" files:
+;     .s.o:
+;             $(CC) $(CFLAGS) -c $< -DBIG_WORDIAN
+; 
+;     # Now any bind step that calls for pa20.o will assemble pa20.s
+; 
+; End of digression, back to arithmetic:
+; 
+; The way we multiply two huge numbers is, of course, to multiply
+; the "ABCD" vector by each of the "WXYZ" doublewords, adding
+; the result vectors with increasing offsets, the way we learned
+; in school, back before we all used calculators:
+; 
+;            A B C D
+;          * W X Y Z
+;         __________
+;          P Q R S T
+;        E F G H I
+;      M N O P Q
+;  + R S T U V
+;    _______________
+;    F I N A L S U M
+; 
+; So we call maxpy_PA20_big (in my case; my package is
+; big-wordian) repeatedly, giving the W, X, Y, and Z arguments
+; in turn as the "scalar", and giving the "ABCD" vector each
+; time.  We direct it to add its result into an area of memory
+; that we have cleared at the start.  We skew the exact
+; location into that area with each call.
+; 
+; The prototype for the function is
+; 
+; extern void maxpy_PA20_big(
+;    int length,        /* Number of doublewords in the multiplicand vector. */
+;    const long long int *scalaraddr,    /* Address to fetch the scalar. */
+;    const long long int *multiplicand,  /* The multiplicand vector. */
+;    long long int *result);             /* Where to accumulate the result. */
+; 
+; (You should place a copy of this prototype in an include file
+; or in your C file.)
+; 
+; Now, IN ALL CASES, the given address for the multiplicand or
+; the result is that of the LEAST SIGNIFICANT DOUBLEWORD.
+; That word is, of course, the word at which the routine
+; starts processing.  "maxpy_PA20_little" then increases the
+; addresses as it computes.  "maxpy_PA20_big" decreases them.
+; 
+; In our example above, "length" would be 4 in each case.
+; "multiplicand" would be the "ABCD" vector.  Specifically,
+; the address of the element "D".  "scalaraddr" would be the
+; address of "W", "X", "Y", or "Z" on the four calls that we
+; would make.  (The order doesn't matter, of course.)
+; "result" would be the appropriate address in the result
+; area.  When multiplying by "Z", that would be the least
+; significant word.  When multiplying by "Y", it would be the
+; next higher word (8 bytes higher if little-wordian; 8 bytes
+; lower if big-wordian), and so on.  The size of the result
+; area must be the the sum of the sizes of the multiplicand
+; and multiplier vectors, and must be initialized to zero
+; before we start.
+; 
+; Whenever the routine adds its partial product into the result
+; vector, it follows carry chains as far as they need to go.
+; 
+; Here is the super-precision multiply routine that I use for
+; my package.  The package is big-wordian.  I have taken out
+; handling of exponents (it's a floating point package):
+; 
+; static void mul_PA20(
+;   int size,
+;   const long long int *arg1,
+;   const long long int *arg2,
+;   long long int *result)
+; {
+;    int i;
+; 
+;    for (i=0 ; i<2*size ; i++) result[i] = 0ULL;
+; 
+;    for (i=0 ; i<size ; i++) {
+;       maxpy_PA20_big(size, &arg2[i], &arg1[size-1], &result[size+i]);
+;    }
+; }
diff --git a/security/nss/lib/freebl/mpi/hppatch.adb b/security/nss/lib/freebl/mpi/hppatch.adb
new file mode 100644
index 000000000..f07cc29f5
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hppatch.adb
@@ -0,0 +1,54 @@
+#/bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is script to change the system id in an object file from PA-RISC 2.0 to 1.1.
+#
+# The Initial Developer of the Original Code is
+# Hewlett-Packard Company.
+# Portions created by the Initial Developer are Copyright (C) 1999
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   wrapped by Dennis Handly on Tue Mar 23 15:23:43 1999
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# script to change the system id in an object file from PA-RISC 2.0 to 1.1
+
+adb -w $1 << EOF
+?m 0 -1 0
+0x0?X
+0x0?W (@0x0&~0x40000)|(~@0x0&0x40000)
+
+0?"change checksum"
+0x7c?X
+0x7c?W (@0x7c&~0x40000)|(~@0x7c&0x40000)
+$q
+EOF
+
+exit 0
+
diff --git a/security/nss/lib/freebl/mpi/logtab.h b/security/nss/lib/freebl/mpi/logtab.h
new file mode 100644
index 000000000..636fd7245
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/logtab.h
@@ -0,0 +1,62 @@
+/*
+ *  logtab.h
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+const float s_logv_2[] = {
+   0.000000000f, 0.000000000f, 1.000000000f, 0.630929754f,  /*  0  1  2  3 */
+   0.500000000f, 0.430676558f, 0.386852807f, 0.356207187f,  /*  4  5  6  7 */
+   0.333333333f, 0.315464877f, 0.301029996f, 0.289064826f,  /*  8  9 10 11 */
+   0.278942946f, 0.270238154f, 0.262649535f, 0.255958025f,  /* 12 13 14 15 */
+   0.250000000f, 0.244650542f, 0.239812467f, 0.235408913f,  /* 16 17 18 19 */
+   0.231378213f, 0.227670249f, 0.224243824f, 0.221064729f,  /* 20 21 22 23 */
+   0.218104292f, 0.215338279f, 0.212746054f, 0.210309918f,  /* 24 25 26 27 */
+   0.208014598f, 0.205846832f, 0.203795047f, 0.201849087f,  /* 28 29 30 31 */
+   0.200000000f, 0.198239863f, 0.196561632f, 0.194959022f,  /* 32 33 34 35 */
+   0.193426404f, 0.191958720f, 0.190551412f, 0.189200360f,  /* 36 37 38 39 */
+   0.187901825f, 0.186652411f, 0.185449023f, 0.184288833f,  /* 40 41 42 43 */
+   0.183169251f, 0.182087900f, 0.181042597f, 0.180031327f,  /* 44 45 46 47 */
+   0.179052232f, 0.178103594f, 0.177183820f, 0.176291434f,  /* 48 49 50 51 */
+   0.175425064f, 0.174583430f, 0.173765343f, 0.172969690f,  /* 52 53 54 55 */
+   0.172195434f, 0.171441601f, 0.170707280f, 0.169991616f,  /* 56 57 58 59 */
+   0.169293808f, 0.168613099f, 0.167948779f, 0.167300179f,  /* 60 61 62 63 */
+   0.166666667f
+};
+
diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab
new file mode 100755
index 000000000..dc1ec575b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/make-logtab
@@ -0,0 +1,64 @@
+#!/usr/linguist/bin/perl
+
+#
+# make-logtab
+#
+# Generate a table of logarithms of 2 in various bases, for use in
+# estimating the output sizes of various bases.
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+# library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>
+# Portions created by the Initial Developer are Copyright (C) 1998, 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+
+$ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2";
+$ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float";
+
+printf("const %s %s[] = {\n   %0.9ff, %0.9ff, ", 
+       $ARRAYTYPE, $ARRAYNAME, 0, 0);
+$brk = 2;
+for($ix = 2; $ix < 64; $ix++) {
+    printf("%0.9ff, ", (log(2)/log($ix)));
+    $brk = ($brk + 1) & 3;
+    if(!$brk) {
+	printf(" /* %2d %2d %2d %2d */\n   ",
+	       $ix - 3, $ix - 2, $ix - 1, $ix);
+    }
+}
+printf("%0.9ff\n};\n\n", (log(2)/log($ix)));
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays
new file mode 100755
index 000000000..8dd19fc4f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/make-test-arrays
@@ -0,0 +1,133 @@
+#!/usr/linguist/bin/perl
+
+#
+# make-test-arrays
+#
+# Given a test-arrays file, which specifies the test suite names, the
+# names of the functions which perform those test suites, and
+# descriptive comments, this script generates C structures for the
+# mpi-test program.  The input consists of lines of the form:
+#
+# suite-name:function-name:comment
+#
+# The output is written to the standard output.  Blank lines are
+# ignored, and comments beginning with '#' are stripped.
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+# Read parameters from the environment, if available
+$NAMEVAR = $ENV{'NAMEVAR'} || "g_names";
+$COUNTVAR = $ENV{'COUNTVAR'} || "g_count";
+$FUNCVAR = $ENV{'FUNCVAR'} || "g_tests";
+$DESCVAR = $ENV{'DESCVAR'} || "g_descs";
+$FUNCLEN = 13;
+$NAMELEN = 18;
+$DESCLEN = 45;
+
+#------------------------------------------------------------------------
+# Suck in input from the files on the command line, or standard input
+while(<>) {
+    chomp;
+    s/\#.*$//;
+    next if /^\s*$/;
+
+    ($suite, $func, $desc) = split(/:/, $_);
+
+    $tmp = { "suite" => $suite,
+	     "func"  => $func,
+	     "desc"  => $desc };
+
+    push(@item, $tmp);
+}
+$count = scalar(@item);
+$last = pop(@item);
+
+#------------------------------------------------------------------------
+# Output the table of names
+print "/* Table mapping test suite names to index numbers */\n";
+printf("const int   %s = %d;\n", $COUNTVAR, $count);
+printf("const char *%s[] = {\n", $NAMEVAR);
+
+foreach $elt (@item) {
+    printf("   \"%s\",%s/* %s%s */\n", $elt->{"suite"},
+	   " " x ($NAMELEN - length($elt->{"suite"})),
+	   $elt->{"desc"},
+	   " " x ($DESCLEN - length($elt->{"desc"})));
+}
+printf("   \"%s\" %s/* %s%s */\n", $last->{"suite"},
+       " " x ($NAMELEN - length($last->{"suite"})),
+       $last->{"desc"},
+       " " x ($DESCLEN - length($last->{"desc"})));
+print "};\n\n";
+
+#------------------------------------------------------------------------
+# Output the driver function prototypes
+print "/* Test function prototypes */\n";
+foreach $elt (@item, $last) {
+    printf("int  %s(void);\n", $elt->{"func"});
+}
+print "\n";
+
+#------------------------------------------------------------------------
+# Output the table of functions
+print "/* Table mapping index numbers to functions */\n";
+printf("int (*%s[])(void)  = {\n   ", $FUNCVAR);
+$brk = 0;
+
+foreach $elt (@item) {
+    print($elt->{"func"}, ", ", 
+	  " " x ($FUNCLEN - length($elt->{"func"})));
+    $brk = ($brk + 1) & 3;
+    print "\n   " unless($brk);
+}
+print $last->{"func"}, "\n};\n\n";
+
+#------------------------------------------------------------------------
+# Output the table of descriptions
+print "/* Table mapping index numbers to descriptions */\n";
+printf("const char *%s[] = {\n", $DESCVAR);
+
+foreach $elt (@item) {
+    printf("   \"%s\",\n", $elt->{"desc"});
+}
+printf("   \"%s\"\n};\n\n", $last->{"desc"});
+
+exit 0;
+
diff --git a/security/nss/lib/freebl/mpi/mdxptest.c b/security/nss/lib/freebl/mpi/mdxptest.c
new file mode 100644
index 000000000..0377c5949
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mdxptest.c
@@ -0,0 +1,342 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <malloc.h>
+#include <time.h>
+#include "mpi.h"
+#include "mpi-priv.h"
+
+/* #define OLD_WAY 1  */
+
+/* This key is the 1024-bit test key used for speed testing of RSA private 
+** key ops.
+*/
+
+#define CONST const
+
+static CONST unsigned char default_n[128] = {
+0xc2,0xae,0x96,0x89,0xaf,0xce,0xd0,0x7b,0x3b,0x35,0xfd,0x0f,0xb1,0xf4,0x7a,0xd1,
+0x3c,0x7d,0xb5,0x86,0xf2,0x68,0x36,0xc9,0x97,0xe6,0x82,0x94,0x86,0xaa,0x05,0x39,
+0xec,0x11,0x51,0xcc,0x5c,0xa1,0x59,0xba,0x29,0x18,0xf3,0x28,0xf1,0x9d,0xe3,0xae,
+0x96,0x5d,0x6d,0x87,0x73,0xf6,0xf6,0x1f,0xd0,0x2d,0xfb,0x2f,0x7a,0x13,0x7f,0xc8,
+0x0c,0x7a,0xe9,0x85,0xfb,0xce,0x74,0x86,0xf8,0xef,0x2f,0x85,0x37,0x73,0x0f,0x62,
+0x4e,0x93,0x17,0xb7,0x7e,0x84,0x9a,0x94,0x11,0x05,0xca,0x0d,0x31,0x4b,0x2a,0xc8,
+0xdf,0xfe,0xe9,0x0c,0x13,0xc7,0xf2,0xad,0x19,0x64,0x28,0x3c,0xb5,0x6a,0xc8,0x4b,
+0x79,0xea,0x7c,0xce,0x75,0x92,0x45,0x3e,0xa3,0x9d,0x64,0x6f,0x04,0x69,0x19,0x17
+};
+
+static CONST unsigned char default_d[128] = {
+0x13,0xcb,0xbc,0xf2,0xf3,0x35,0x8c,0x6d,0x7b,0x6f,0xd9,0xf3,0xa6,0x9c,0xbd,0x80,
+0x59,0x2e,0x4f,0x2f,0x11,0xa7,0x17,0x2b,0x18,0x8f,0x0f,0xe8,0x1a,0x69,0x5f,0x6e,
+0xac,0x5a,0x76,0x7e,0xd9,0x4c,0x6e,0xdb,0x47,0x22,0x8a,0x57,0x37,0x7a,0x5e,0x94,
+0x7a,0x25,0xb5,0xe5,0x78,0x1d,0x3c,0x99,0xaf,0x89,0x7d,0x69,0x2e,0x78,0x9d,0x1d,
+0x84,0xc8,0xc1,0xd7,0x1a,0xb2,0x6d,0x2d,0x8a,0xd9,0xab,0x6b,0xce,0xae,0xb0,0xa0,
+0x58,0x55,0xad,0x5c,0x40,0x8a,0xd6,0x96,0x08,0x8a,0xe8,0x63,0xe6,0x3d,0x6c,0x20,
+0x49,0xc7,0xaf,0x0f,0x25,0x73,0xd3,0x69,0x43,0x3b,0xf2,0x32,0xf8,0x3d,0x5e,0xee,
+0x7a,0xca,0xd6,0x94,0x55,0xe5,0xbd,0x25,0x34,0x8d,0x63,0x40,0xb5,0x8a,0xc3,0x01
+};
+
+
+#define DEFAULT_ITERS 50
+
+typedef clock_t timetype;
+#define gettime(x) *(x) = clock()
+#define subtime(a, b) a -= b
+#define msec(x) ((clock_t)((double)x * 1000.0 / CLOCKS_PER_SEC))
+#define sec(x) (x / CLOCKS_PER_SEC)
+
+struct TimingContextStr {
+    timetype start;
+    timetype end;
+    timetype interval;
+
+    int   minutes;  
+    int   seconds;  
+    int   millisecs;
+};
+
+typedef struct TimingContextStr TimingContext;
+
+TimingContext *CreateTimingContext(void) 
+{
+    return (TimingContext *)malloc(sizeof(TimingContext));
+}
+
+void DestroyTimingContext(TimingContext *ctx) 
+{
+    free(ctx);
+}
+
+void TimingBegin(TimingContext *ctx) 
+{
+    gettime(&ctx->start);
+}
+
+static void timingUpdate(TimingContext *ctx) 
+{
+
+    ctx->millisecs = msec(ctx->interval) % 1000;
+    ctx->seconds   = sec(ctx->interval);
+    ctx->minutes   = ctx->seconds / 60;
+    ctx->seconds  %= 60;
+
+}
+
+void TimingEnd(TimingContext *ctx) 
+{
+    gettime(&ctx->end);
+    ctx->interval = ctx->end;
+    subtime(ctx->interval, ctx->start);
+    timingUpdate(ctx);
+}
+
+char *TimingGenerateString(TimingContext *ctx) 
+{
+    static char sBuf[4096];
+
+    sprintf(sBuf, "%d minutes, %d.%03d seconds", ctx->minutes,
+				ctx->seconds, ctx->millisecs);
+    return sBuf;
+}
+
+static void
+dumpBytes( unsigned char * b, int l)
+{
+    int i;
+    if (l <= 0)
+        return;
+    for (i = 0; i < l; ++i) {
+        if (i % 16 == 0)
+            printf("\t");
+        printf(" %02x", b[i]);
+        if (i % 16 == 15)
+            printf("\n");
+    }
+    if ((i % 16) != 0)
+        printf("\n");
+    printf("\n");
+}
+
+static mp_err
+testNewFuncs(const unsigned char * modulusBytes, int modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    unsigned char buf[512];
+
+    mperr = mp_init(&modulus);
+    mperr = mp_read_unsigned_octets(&modulus,  modulusBytes,  modulus_len );
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len);
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+1);
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+4);
+    mperr = mp_to_unsigned_octets(&modulus, buf, modulus_len);
+    mperr = mp_to_signed_octets(&modulus, buf, modulus_len + 1);
+    mp_clear(&modulus);
+    return mperr;
+}
+
+int
+testModExp( const unsigned char *      modulusBytes, 
+	    const unsigned int         expo,
+	    const unsigned char *      input, 
+	          unsigned char *      output,
+	          int                  modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    mp_int base;
+    mp_int exponent;
+    mp_int result;
+
+    mperr  = mp_init(&modulus);
+    mperr += mp_init(&base);
+    mperr += mp_init(&exponent);
+    mperr += mp_init(&result);
+    /* we initialize all mp_ints unconditionally, even if some fail.
+    ** This guarantees that the DIGITS pointer is valid (even if null).
+    ** So, mp_clear will do the right thing below. 
+    */
+    if (mperr == MP_OKAY) {
+      mperr  = mp_read_unsigned_octets(&modulus,  
+		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
+      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
+      mp_set(&exponent, expo);
+      if (mperr == MP_OKAY) {
+#if OLD_WAY
+	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
+#else
+	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
+#endif
+	if (mperr == MP_OKAY) {
+	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
+	}
+      }
+    }
+    mp_clear(&base);
+    mp_clear(&result);
+
+    mp_clear(&modulus);
+    mp_clear(&exponent);
+
+    return (int)mperr;
+}
+
+int
+doModExp(   const unsigned char *      modulusBytes, 
+	    const unsigned char *      exponentBytes, 
+	    const unsigned char *      input, 
+	          unsigned char *      output,
+	          int                  modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    mp_int base;
+    mp_int exponent;
+    mp_int result;
+
+    mperr  = mp_init(&modulus);
+    mperr += mp_init(&base);
+    mperr += mp_init(&exponent);
+    mperr += mp_init(&result);
+    /* we initialize all mp_ints unconditionally, even if some fail.
+    ** This guarantees that the DIGITS pointer is valid (even if null).
+    ** So, mp_clear will do the right thing below. 
+    */
+    if (mperr == MP_OKAY) {
+      mperr  = mp_read_unsigned_octets(&modulus,  
+		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
+      mperr += mp_read_unsigned_octets(&exponent, exponentBytes, modulus_len );
+      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
+      if (mperr == MP_OKAY) {
+#if OLD_WAY
+	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
+#else
+	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
+#endif
+	if (mperr == MP_OKAY) {
+	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
+	}
+      }
+    }
+    mp_clear(&base);
+    mp_clear(&result);
+
+    mp_clear(&modulus);
+    mp_clear(&exponent);
+
+    return (int)mperr;
+}
+
+int
+main(int argc, char **argv)
+{
+    TimingContext *	  timeCtx;
+    char *		  progName;
+    long 		  iters 	= DEFAULT_ITERS;
+    unsigned int 	  modulus_len;
+    int		 	  i;
+    int 		  rv;
+    unsigned char 	  buf [1024];
+    unsigned char 	  buf2[1024];
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    if (argc >= 2) {
+	iters = atol(argv[1]);
+    }
+
+    if (argc >= 3) {
+	modulus_len = atol(argv[2]);
+    } else 
+	modulus_len = sizeof default_n;
+
+    /* no library init function !? */
+
+    memset(buf, 0x41, sizeof buf);
+
+  if (iters < 2) {
+    testNewFuncs( default_n, modulus_len);
+    testNewFuncs( default_n+1, modulus_len - 1);
+    testNewFuncs( default_n+2, modulus_len - 2);
+    testNewFuncs( default_n+3, modulus_len - 3);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 0, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 1, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 2, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 3, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+  }
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
+    if (rv != 0) {
+	fprintf(stderr, "Error in modexp operation:\n");
+	exit(1);
+    }
+    dumpBytes((unsigned char *)buf2, modulus_len);
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+
+    timeCtx = CreateTimingContext();
+    TimingBegin(timeCtx);
+    i = iters;
+    while (i--) {
+	rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
+	if (rv != 0) {
+	    fprintf(stderr, "Error in modexp operation\n");
+	    exit(1);
+	}
+    }
+    TimingEnd(timeCtx);
+    printf("%ld iterations in %s\n", iters, TimingGenerateString(timeCtx));
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+
+    return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/montmulf.c b/security/nss/lib/freebl/mpi/montmulf.c
new file mode 100644
index 000000000..a1fe939a8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.c
@@ -0,0 +1,329 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is SPARC optimized Montgomery multiply functions.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1999-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifdef SOLARIS
+#define RF_INLINE_MACROS 1
+#endif
+
+static const double TwoTo16=65536.0;
+static const double TwoToMinus16=1.0/65536.0;
+static const double Zero=0.0;
+static const double TwoTo32=65536.0*65536.0;
+static const double TwoToMinus32=1.0/(65536.0*65536.0);
+
+#ifdef RF_INLINE_MACROS
+
+double upper32(double);
+double lower32(double, double);
+double mod(double, double, double);
+
+void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+			  const double * /* 2^16*/,
+			  const double * /* 0 */,
+			  double *       /*result16*/, 
+			  double *       /* result32 */,
+			  float *  /*source - should be unsigned int*
+		          	       converted to float* */);
+
+#else
+#ifdef MP_USE_FLOOR
+#include <math.h>
+#else
+#define floor(d) ((double)((unsigned long long)(d)))
+#endif
+
+static double upper32(double x)
+{
+  return floor(x*TwoToMinus32);
+}
+
+static double lower32(double x, double y)
+{
+  return x-TwoTo32*floor(x*TwoToMinus32);
+}
+
+static double mod(double x, double oneoverm, double m)
+{
+  return x-m*floor(x*oneoverm);
+}
+
+#endif
+
+
+static void cleanup(double *dt, int from, int tlen)
+{
+ int i;
+ double tmp,tmp1,x,x1;
+
+ tmp=tmp1=Zero;
+ /* original code **
+ for(i=2*from;i<2*tlen-2;i++)
+   {
+     x=dt[i];
+     dt[i]=lower32(x,Zero)+tmp1;
+     tmp1=tmp;
+     tmp=upper32(x);
+   }
+ dt[tlen-2]+=tmp1;
+ dt[tlen-1]+=tmp;
+ **end original code ***/
+ /* new code ***/
+ for(i=2*from;i<2*tlen;i+=2)
+   {
+     x=dt[i];
+     x1=dt[i+1];
+     dt[i]=lower32(x,Zero)+tmp;
+     dt[i+1]=lower32(x1,Zero)+tmp1;
+     tmp=upper32(x);
+     tmp1=upper32(x1);
+   }
+  /** end new code **/
+}
+
+
+void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+{
+int i;
+long long t, t1, a, b, c, d;
+
+ t1=0;
+ a=(long long)d16[0];
+ b=(long long)d16[1];
+ for(i=0; i<ilen-1; i++)
+   {
+     c=(long long)d16[2*i+2];
+     t1+=(unsigned int)a;
+     t=(a>>32);
+     d=(long long)d16[2*i+3];
+     t1+=(b&0xffff)<<16;
+     t+=(b>>16)+(t1>>32);
+     i32[i]=(unsigned int)t1;
+     t1=t;
+     a=c;
+     b=d;
+   }
+ t1+=(unsigned int)a;
+ t=(a>>32);
+ t1+=(b&0xffff)<<16;
+ i32[i]=(unsigned int)t1;
+}
+
+void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+{
+int i;
+
+#pragma pipeloop(0)
+ for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+}
+
+
+void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+{
+int i;
+unsigned int a;
+
+#pragma pipeloop(0)
+ for(i=0;i<len;i++)
+   {
+     a=i32[i];
+     d16[2*i]=(double)(a&0xffff);
+     d16[2*i+1]=(double)(a>>16);
+   }
+}
+
+
+void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+			     unsigned int *i32, int len)
+{
+int i = 0;
+unsigned int a;
+
+#pragma pipeloop(0)
+#ifdef RF_INLINE_MACROS
+ for(;i<len-3;i+=4)
+   {
+     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+   }
+#endif
+ for(;i<len;i++)
+   {
+     a=i32[i];
+     d32[i]=(double)(i32[i]);
+     d16[2*i]=(double)(a&0xffff);
+     d16[2*i+1]=(double)(a>>16);
+   }
+}
+
+
+void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+{
+long long acc;
+int i;
+
+ if(i32[len]>0) i=-1;
+ else
+   {
+     for(i=len-1; i>=0; i--)
+       {
+	 if(i32[i]!=nint[i]) break;
+       }
+   }
+ if((i<0)||(i32[i]>nint[i]))
+   {
+     acc=0;
+     for(i=0;i<len;i++)
+       {
+	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+	 i32[i]=(unsigned int)acc;
+	 acc=acc>>32;
+       }
+   }
+}
+
+
+
+
+/*
+** the lengths of the input arrays should be at least the following:
+** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+** all of them should be different from one another
+**
+*/
+void mont_mulf_noconv(unsigned int *result,
+		     double *dm1, double *dm2, double *dt,
+		     double *dn, unsigned int *nint,
+		     int nlen, double dn0)
+{
+ int i, j, jj;
+ int tmp;
+ double digit, m2j, nextm2j, a, b;
+ double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+
+ pdm1=&(dm1[0]);
+ pdm2=&(dm2[0]);
+ pdn=&(dn[0]);
+ pdm2[2*nlen]=Zero;
+
+ if (nlen!=16)
+   {
+     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+
+     a=dt[0]=pdm1[0]*pdm2[0];
+     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+     pdtj=&(dt[0]);
+     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+       {
+	 m2j=pdm2[j];
+	 a=pdtj[0]+pdn[0]*digit;
+	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+	 pdtj[1]=b;
+
+#pragma pipeloop(0)
+	 for(i=1;i<nlen;i++)
+	   {
+	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+	   }
+ 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+	 
+	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+       }
+   }
+ else
+   {
+     a=dt[0]=pdm1[0]*pdm2[0];
+
+     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+
+     pdn_0=pdn[0];
+     pdm1_0=pdm1[0];
+
+     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+     pdtj=&(dt[0]);
+
+     for(j=0;j<32;j++,pdtj++)
+       {
+
+	 m2j=pdm2[j];
+	 a=pdtj[0]+pdn_0*digit;
+	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+	 pdtj[1]=b;
+
+	 /**** this loop will be fully unrolled:
+	 for(i=1;i<16;i++)
+	   {
+	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+	   }
+	 *************************************/
+	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+	 /* no need for cleenup, cannot overflow */
+	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+       }
+   }
+
+ conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+ adjust_montf_result(result,nint,nlen); 
+ 
+}
+
diff --git a/security/nss/lib/freebl/mpi/montmulf.h b/security/nss/lib/freebl/mpi/montmulf.h
new file mode 100644
index 000000000..9bd0f72f8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.h
@@ -0,0 +1,103 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is interface file for SPARC Montgomery multiply functions.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1999-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/*  The functions that are to be called from outside of the .s file have the
+ *  following interfaces and array size requirements:
+ */
+
+
+void conv_i32_to_d32(double *d32, unsigned int *i32, int len);
+
+/*  Converts an array of int's to an array of doubles, so that each double
+ *  corresponds to an int.  len is the number of items converted.
+ *  Does not allocate the output array.
+ *  The pointers d32 and i32 should point to arrays of size at least  len
+ *  (doubles and unsigned ints, respectively)
+ */
+
+
+void conv_i32_to_d16(double *d16, unsigned int *i32, int len);
+
+/*  Converts an array of int's to an array of doubles so that each element
+ *  of the int array is converted to a pair of doubles, the first one
+ *  corresponding to the lower (least significant) 16 bits of the int and
+ *  the second one corresponding to the upper (most significant) 16 bits of
+ *  the 32-bit int. len is the number of ints converted.
+ *  Does not allocate the output array.
+ *  The pointer d16 should point to an array of doubles of size at least
+ *  2*len and i32 should point an array of ints of size at least  len
+ */
+
+
+void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+			     unsigned int *i32, int len);
+
+/*  Does the above two conversions together, it is much faster than doing
+ *  both of those in succession
+ */
+
+
+void mont_mulf_noconv(unsigned int *result,
+		     double *dm1, double *dm2, double *dt,
+		     double *dn, unsigned int *nint,
+		     int nlen, double dn0);
+
+/*  Does the Montgomery multiplication of the numbers stored in the arrays
+ *  pointed to by dm1 and dm2, writing the result to the array pointed to by
+ *  result. It uses the array pointed to by dt as a temporary work area.
+ *  nint should point to the modulus in the array-of-integers representation, 
+ *  dn should point to its array-of-doubles as obtained as a result of the
+ *  function call   conv_i32_to_d32(dn, nint, nlen);
+ *  nlen is the length of the array containing the modulus.
+ *  The representation used for dm1 is the one that is a result of the function
+ *  call   conv_i32_to_d32(dm1, m1, nlen), the representation for dm2 is the
+ *  result of the function call   conv_i32_to_d16(dm2, m2, nlen).
+ *  Note that m1 and m2 should both be of length nlen, so they should be
+ *  padded with 0's if necessary before the conversion. The result comes in 
+ *  this form (int representation, padded with 0's).
+ *  dn0 is the value of the 16 least significant bits of n0'.
+ *  The function does not allocate memory for any of the arrays, so the 
+ *  pointers should point to arrays with the following minimal sizes:
+ *  result - nlen+1
+ *  dm1    - nlen
+ *  dm2    - 2*nlen+1  ( the +1 is necessary for technical reasons )
+ *  dt     - 4*nlen+2
+ *  dn     - nlen
+ *  nint   - nlen
+ *  No two arrays should point to overlapping areas of memory.
+ */  
diff --git a/security/nss/lib/freebl/mpi/montmulf.il b/security/nss/lib/freebl/mpi/montmulf.il
new file mode 100644
index 000000000..27ce26a77
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.il
@@ -0,0 +1,141 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is inline macros for SPARC Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+
+	fdtox	%f10,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f12
+
+	fdtox	%f10,%f10
+	fmovs	%f12,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f2
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f4
+        std     %o4,[%sp+0x48]
+        ldd     [%sp+0x48],%f6
+
+	fmuld	%f2,%f4,%f4
+	fdtox	%f4,%f4
+	fxtod	%f4,%f4
+	fmuld	%f4,%f6,%f4
+	fsubd	%f2,%f4,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulf.s b/security/nss/lib/freebl/mpi/montmulf.s
new file mode 100644
index 000000000..372d961c6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.s
@@ -0,0 +1,1970 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".data",#alloc,#write
+	.align	8
+TwoTo16:		/* frequency 1.0 confidence 0.0 */
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+TwoToMinus16:		/* frequency 1.0 confidence 0.0 */
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+Zero:		/* frequency 1.0 confidence 0.0 */
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+TwoTo32:		/* frequency 1.0 confidence 0.0 */
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+TwoToMinus32:		/* frequency 1.0 confidence 0.0 */
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE cleanup
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global cleanup
+                                   cleanup:		/* frequency 1.0 confidence 0.0 */
+! FILE montmulf.c
+
+!    1		                    !#define RF_INLINE_MACROS
+!    3		                    !static double TwoTo16=65536.0;
+!    4		                    !static double TwoToMinus16=1.0/65536.0;
+!    5		                    !static double Zero=0.0;
+!    6		                    !static double TwoTo32=65536.0*65536.0;
+!    7		                    !static double TwoToMinus32=1.0/(65536.0*65536.0);
+!    9		                    !#ifdef RF_INLINE_MACROS
+!   11		                    !double upper32(double);
+!   12		                    !double lower32(double, double);
+!   13		                    !double mod(double, double, double);
+!   15		                    !#else
+!   17		                    !static double upper32(double x)
+!   18		                    !{
+!   19		                    !  return floor(x*TwoToMinus32);
+!   20		                    !}
+!   22		                    !static double lower32(double x, double y)
+!   23		                    !{
+!   24		                    !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   25		                    !}
+!   27		                    !static double mod(double x, double oneoverm, double m)
+!   28		                    !{
+!   29		                    !  return x-m*floor(x*oneoverm);
+!   30		                    !}
+!   32		                    !#endif
+!   35		                    !void cleanup(double *dt, int from, int tlen)
+!   36		                    !{
+!   37		                    ! int i;
+!   38		                    ! double tmp,tmp1,x,x1;
+!   40		                    ! tmp=tmp1=Zero;
+
+/* 000000	  40 ( 0  1) */		sethi	%hi(Zero),%g2
+
+!   41		                    ! /* original code **
+!   42		                    ! for(i=2*from;i<2*tlen-2;i++)
+!   43		                    !   {
+!   44		                    !     x=dt[i];
+!   45		                    !     dt[i]=lower32(x,Zero)+tmp1;
+!   46		                    !     tmp1=tmp;
+!   47		                    !     tmp=upper32(x);
+!   48		                    !   }
+!   49		                    ! dt[tlen-2]+=tmp1;
+!   50		                    ! dt[tlen-1]+=tmp;
+!   51		                    ! **end original code ***/
+!   52		                    ! /* new code ***/
+!   53		                    ! for(i=2*from;i<2*tlen;i+=2)
+
+/* 0x0004	  53 ( 1  2) */		sll	%o2,1,%g3
+/* 0x0008	  40 ( 1  4) */		ldd	[%g2+%lo(Zero)],%f0
+/* 0x000c	     ( 1  2) */		add	%g2,%lo(Zero),%g2
+/* 0x0010	  53 ( 2  3) */		sll	%o1,1,%g4
+/* 0x0014	  36 ( 3  4) */		sll	%o1,4,%g1
+/* 0x0018	  40 ( 3  4) */		fmovd	%f0,%f4
+/* 0x001c	  53 ( 3  4) */		cmp	%g4,%g3
+/* 0x0020	     ( 3  4) */		bge,pt	%icc,.L77000116	! tprob=0.56
+/* 0x0024	     ( 4  5) */		fmovd	%f0,%f2
+/* 0x0028	  36 ( 4  5) */		add	%o0,%g1,%g1
+/* 0x002c	     ( 4  5) */		sub	%g3,1,%g3
+
+!   54		                    !   {
+!   55		                    !     x=dt[i];
+
+/* 0x0030	  55 ( 5  8) */		ldd	[%g1],%f8
+                                   .L900000114:		/* frequency 6.4 confidence 0.0 */
+/* 0x0034	     ( 0  3) */		fdtox	%f8,%f6
+
+!   56		                    !     x1=dt[i+1];
+
+/* 0x0038	  56 ( 0  3) */		ldd	[%g1+8],%f10
+
+!   57		                    !     dt[i]=lower32(x,Zero)+tmp;
+!   58		                    !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!   59		                    !     tmp=upper32(x);
+!   60		                    !     tmp1=upper32(x1);
+
+/* 0x003c	  60 ( 0  1) */		add	%g4,2,%g4
+/* 0x0040	     ( 1  4) */		fdtox	%f8,%f8
+/* 0x0044	     ( 1  2) */		cmp	%g4,%g3
+/* 0x0048	     ( 5  6) */		fmovs	%f0,%f6
+/* 0x004c	     ( 7 10) */		fxtod	%f6,%f6
+/* 0x0050	     ( 8 11) */		fdtox	%f10,%f0
+/* 0x0054	  57 (10 13) */		faddd	%f6,%f2,%f2
+/* 0x0058	     (10 11) */		std	%f2,[%g1]
+/* 0x005c	     (12 15) */		ldd	[%g2],%f2
+/* 0x0060	     (14 15) */		fmovs	%f2,%f0
+/* 0x0064	     (16 19) */		fxtod	%f0,%f6
+/* 0x0068	     (17 20) */		fdtox	%f10,%f0
+/* 0x006c	     (18 21) */		fitod	%f8,%f2
+/* 0x0070	  58 (19 22) */		faddd	%f6,%f4,%f4
+/* 0x0074	     (19 20) */		std	%f4,[%g1+8]
+/* 0x0078	  60 (19 20) */		add	%g1,16,%g1
+/* 0x007c	     (20 23) */		fitod	%f0,%f4
+/* 0x0080	     (20 23) */		ldd	[%g2],%f0
+/* 0x0084	     (20 21) */		ble,a,pt	%icc,.L900000114	! tprob=0.86
+/* 0x0088	     (21 24) */		ldd	[%g1],%f8
+                                   .L77000116:		/* frequency 1.0 confidence 0.0 */
+/* 0x008c	     ( 0  2) */		retl	! Result = 
+/* 0x0090	     ( 1  2) */		nop
+/* 0x0094	   0 ( 0  0) */		.type	cleanup,2
+/* 0x0094	     ( 0  0) */		.size	cleanup,(.-cleanup)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_d16_to_i32
+                                   conv_d16_to_i32:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-136,%sp
+
+!   61		                    !   }
+!   62		                    !  /** end new code **/
+!   63		                    !}
+!   66		                    !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!   67		                    !{
+!   68		                    !int i;
+!   69		                    !long long t, t1, a, b, c, d;
+!   71		                    ! t1=0;
+!   72		                    ! a=(long long)d16[0];
+
+/* 0x0004	  72 ( 1  4) */		ldd	[%i1],%f0
+
+!   73		                    ! b=(long long)d16[1];
+!   74		                    ! for(i=0; i<ilen-1; i++)
+
+/* 0x0008	  74 ( 1  2) */		sub	%i3,1,%g2
+/* 0x000c	  67 ( 1  2) */		or	%g0,%i0,%g5
+/* 0x0010	  74 ( 2  3) */		cmp	%g2,0
+/* 0x0014	  71 ( 2  3) */		or	%g0,0,%o4
+/* 0x0018	  72 ( 3  6) */		fdtox	%f0,%f0
+/* 0x001c	     ( 3  4) */		std	%f0,[%sp+120]
+/* 0x0020	  74 ( 3  4) */		or	%g0,0,%o7
+/* 0x0024	  67 ( 4  5) */		or	%g0,%i3,%o0
+/* 0x0028	     ( 4  5) */		sub	%i3,2,%o2
+/* 0x002c	  73 ( 5  8) */		ldd	[%i1+8],%f0
+/* 0x0030	  67 ( 5  6) */		sethi	%hi(0xfc00),%o0
+/* 0x0034	     ( 5  6) */		add	%o2,1,%g3
+/* 0x0038	     ( 6  7) */		add	%o0,1023,%o1
+/* 0x003c	     ( 6  7) */		or	%g0,%g5,%o5
+/* 0x0040	  73 ( 7 10) */		fdtox	%f0,%f0
+/* 0x0044	     ( 7  8) */		std	%f0,[%sp+112]
+/* 0x0048	  72 (11 13) */		ldx	[%sp+120],%g4
+/* 0x004c	  73 (12 14) */		ldx	[%sp+112],%g1
+/* 0x0050	  74 (12 13) */		ble,pt	%icc,.L900000214	! tprob=0.56
+/* 0x0054	     (12 13) */		sethi	%hi(0xfc00),%g2
+/* 0x0058	  67 (13 14) */		or	%g0,-1,%g2
+/* 0x005c	  74 (13 14) */		cmp	%g3,3
+/* 0x0060	  67 (14 15) */		srl	%g2,0,%o3
+/* 0x0064	     (14 15) */		or	%g0,%i1,%g2
+/* 0x0068	  74 (14 15) */		bl,pn	%icc,.L77000134	! tprob=0.44
+/* 0x006c	     (15 18) */		ldd	[%g2+16],%f0
+
+!   75		                    !   {
+!   76		                    !     c=(long long)d16[2*i+2];
+!   77		                    !     t1+=a&0xffffffff;
+!   78		                    !     t=(a>>32);
+!   79		                    !     d=(long long)d16[2*i+3];
+!   80		                    !     t1+=(b&0xffff)<<16;
+
+/* 0x0070	  80 (15 16) */		and	%g1,%o1,%o0
+
+!   81		                    !     t+=(b>>16)+(t1>>32);
+!   82		                    !     i32[i]=t1&0xffffffff;
+!   83		                    !     t1=t;
+!   84		                    !     a=c;
+!   85		                    !     b=d;
+
+/* 0x0074	  85 (15 16) */		add	%g2,16,%g2
+/* 0x0078	  80 (16 17) */		sllx	%o0,16,%g3
+/* 0x007c	  77 (16 17) */		and	%g4,%o3,%o0
+/* 0x0080	  76 (17 20) */		fdtox	%f0,%f0
+/* 0x0084	     (17 18) */		std	%f0,[%sp+104]
+/* 0x0088	  74 (17 18) */		add	%o0,%g3,%o4
+/* 0x008c	  79 (18 21) */		ldd	[%g2+8],%f2
+/* 0x0090	  81 (18 19) */		srax	%g1,16,%o0
+/* 0x0094	  82 (18 19) */		and	%o4,%o3,%o7
+/* 0x0098	  81 (19 20) */		stx	%o0,[%sp+112]
+/* 0x009c	     (19 20) */		srax	%o4,32,%o0
+/* 0x00a0	  85 (19 20) */		add	%g5,4,%o5
+/* 0x00a4	  81 (20 21) */		stx	%o0,[%sp+120]
+/* 0x00a8	  78 (20 21) */		srax	%g4,32,%o4
+/* 0x00ac	  79 (20 23) */		fdtox	%f2,%f0
+/* 0x00b0	     (21 22) */		std	%f0,[%sp+96]
+/* 0x00b4	  81 (22 24) */		ldx	[%sp+112],%o0
+/* 0x00b8	     (23 25) */		ldx	[%sp+120],%g4
+/* 0x00bc	  76 (25 27) */		ldx	[%sp+104],%g3
+/* 0x00c0	  81 (25 26) */		add	%o0,%g4,%g4
+/* 0x00c4	  79 (26 28) */		ldx	[%sp+96],%g1
+/* 0x00c8	  81 (26 27) */		add	%o4,%g4,%o4
+/* 0x00cc	  82 (27 28) */		st	%o7,[%g5]
+/* 0x00d0	     (27 28) */		or	%g0,1,%o7
+/* 0x00d4	  84 (27 28) */		or	%g0,%g3,%g4
+                                   .L900000209:		/* frequency 64.0 confidence 0.0 */
+/* 0x00d8	  76 (17 19) */		ldd	[%g2+16],%f0
+/* 0x00dc	  85 (17 18) */		add	%o7,1,%o7
+/* 0x00e0	     (17 18) */		add	%o5,4,%o5
+/* 0x00e4	     (18 18) */		cmp	%o7,%o2
+/* 0x00e8	     (18 19) */		add	%g2,16,%g2
+/* 0x00ec	  76 (19 22) */		fdtox	%f0,%f0
+/* 0x00f0	     (20 21) */		std	%f0,[%sp+104]
+/* 0x00f4	  79 (21 23) */		ldd	[%g2+8],%f0
+/* 0x00f8	     (23 26) */		fdtox	%f0,%f0
+/* 0x00fc	     (24 25) */		std	%f0,[%sp+96]
+/* 0x0100	  80 (25 26) */		and	%g1,%o1,%g3
+/* 0x0104	     (26 27) */		sllx	%g3,16,%g3
+/* 0x0108	     ( 0  0) */		stx	%g3,[%sp+120]
+/* 0x010c	  77 (26 27) */		and	%g4,%o3,%g3
+/* 0x0110	  74 ( 0  0) */		stx	%o7,[%sp+128]
+/* 0x0114	     ( 0  0) */		ldx	[%sp+120],%o7
+/* 0x0118	     (27 27) */		add	%g3,%o7,%g3
+/* 0x011c	     ( 0  0) */		ldx	[%sp+128],%o7
+/* 0x0120	  81 (28 29) */		srax	%g1,16,%g1
+/* 0x0124	  74 (28 28) */		add	%g3,%o4,%g3
+/* 0x0128	  81 (29 30) */		srax	%g3,32,%o4
+/* 0x012c	     ( 0  0) */		stx	%o4,[%sp+112]
+/* 0x0130	  78 (30 31) */		srax	%g4,32,%o4
+/* 0x0134	  81 ( 0  0) */		ldx	[%sp+112],%g4
+/* 0x0138	     (30 31) */		add	%g1,%g4,%g4
+/* 0x013c	  79 (31 33) */		ldx	[%sp+96],%g1
+/* 0x0140	  81 (31 32) */		add	%o4,%g4,%o4
+/* 0x0144	  82 (32 33) */		and	%g3,%o3,%g3
+/* 0x0148	  84 ( 0  0) */		ldx	[%sp+104],%g4
+/* 0x014c	  85 (33 34) */		ble,pt	%icc,.L900000209	! tprob=0.50
+/* 0x0150	     (33 34) */		st	%g3,[%o5-4]
+                                   .L900000212:		/* frequency 8.0 confidence 0.0 */
+/* 0x0154	  85 ( 0  1) */		ba	.L900000214	! tprob=1.00
+/* 0x0158	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L77000134:		/* frequency 0.7 confidence 0.0 */
+                                   .L900000213:		/* frequency 6.4 confidence 0.0 */
+/* 0x015c	  77 ( 0  1) */		and	%g4,%o3,%o0
+/* 0x0160	  80 ( 0  1) */		and	%g1,%o1,%g3
+/* 0x0164	  76 ( 0  3) */		fdtox	%f0,%f0
+/* 0x0168	  77 ( 1  2) */		add	%o4,%o0,%o0
+/* 0x016c	  76 ( 1  2) */		std	%f0,[%sp+104]
+/* 0x0170	  85 ( 1  2) */		add	%o7,1,%o7
+/* 0x0174	  80 ( 2  3) */		sllx	%g3,16,%o4
+/* 0x0178	  79 ( 2  5) */		ldd	[%g2+24],%f2
+/* 0x017c	  85 ( 2  3) */		add	%g2,16,%g2
+/* 0x0180	  80 ( 3  4) */		add	%o0,%o4,%o4
+/* 0x0184	  81 ( 3  4) */		stx	%o7,[%sp+128]
+/* 0x0188	     ( 4  5) */		srax	%g1,16,%o0
+/* 0x018c	     ( 4  5) */		stx	%o0,[%sp+112]
+/* 0x0190	  82 ( 4  5) */		and	%o4,%o3,%g3
+/* 0x0194	  81 ( 5  6) */		srax	%o4,32,%o0
+/* 0x0198	     ( 5  6) */		stx	%o0,[%sp+120]
+/* 0x019c	  79 ( 5  8) */		fdtox	%f2,%f0
+/* 0x01a0	     ( 6  7) */		std	%f0,[%sp+96]
+/* 0x01a4	  78 ( 6  7) */		srax	%g4,32,%o4
+/* 0x01a8	  81 ( 7  9) */		ldx	[%sp+120],%o7
+/* 0x01ac	     ( 8 10) */		ldx	[%sp+112],%g4
+/* 0x01b0	  76 (10 12) */		ldx	[%sp+104],%g1
+/* 0x01b4	  81 (10 11) */		add	%g4,%o7,%g4
+/* 0x01b8	     (11 13) */		ldx	[%sp+128],%o7
+/* 0x01bc	     (11 12) */		add	%o4,%g4,%o4
+/* 0x01c0	  79 (12 14) */		ldx	[%sp+96],%o0
+/* 0x01c4	  84 (12 13) */		or	%g0,%g1,%g4
+/* 0x01c8	  82 (13 14) */		st	%g3,[%o5]
+/* 0x01cc	  85 (13 14) */		add	%o5,4,%o5
+/* 0x01d0	     (13 14) */		cmp	%o7,%o2
+/* 0x01d4	     (14 15) */		or	%g0,%o0,%g1
+/* 0x01d8	     (14 15) */		ble,a,pt	%icc,.L900000213	! tprob=0.86
+/* 0x01dc	     (14 17) */		ldd	[%g2+16],%f0
+                                   .L77000127:		/* frequency 1.0 confidence 0.0 */
+
+!   86		                    !   }
+!   87		                    !     t1+=a&0xffffffff;
+!   88		                    !     t=(a>>32);
+!   89		                    !     t1+=(b&0xffff)<<16;
+!   90		                    !     i32[i]=t1&0xffffffff;
+
+/* 0x01e0	  90 ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L900000214:		/* frequency 1.0 confidence 0.0 */
+/* 0x01e4	  90 ( 0  1) */		or	%g0,-1,%g3
+/* 0x01e8	     ( 0  1) */		add	%g2,1023,%g2
+/* 0x01ec	     ( 1  2) */		srl	%g3,0,%g3
+/* 0x01f0	     ( 1  2) */		and	%g1,%g2,%g2
+/* 0x01f4	     ( 2  3) */		and	%g4,%g3,%g4
+/* 0x01f8	     ( 3  4) */		sllx	%g2,16,%g2
+/* 0x01fc	     ( 3  4) */		add	%o4,%g4,%g4
+/* 0x0200	     ( 4  5) */		add	%g4,%g2,%g2
+/* 0x0204	     ( 5  6) */		sll	%o7,2,%g4
+/* 0x0208	     ( 5  6) */		and	%g2,%g3,%g2
+/* 0x020c	     ( 6  7) */		st	%g2,[%g5+%g4]
+/* 0x0210	     ( 7  9) */		ret	! Result = 
+/* 0x0214	     ( 9 10) */		restore	%g0,%g0,%g0
+/* 0x0218	   0 ( 0  0) */		.type	conv_d16_to_i32,2
+/* 0x0218	     ( 0  0) */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000301:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d32
+                                   conv_i32_to_d32:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		orcc	%g0,%o2,%g1
+
+!   92		                    !}
+!   94		                    !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!   95		                    !{
+!   96		                    !int i;
+!   98		                    !#pragma pipeloop(0)
+!   99		                    ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	  99 ( 0  1) */		ble,pt	%icc,.L77000140	! tprob=0.56
+/* 0x0008	     ( 0  1) */		nop
+/* 0x000c	     ( 1  2) */		sethi	%hi(.L_const_seg_900000301),%g2
+/* 0x0010	  95 ( 1  2) */		or	%g0,%o1,%g4
+/* 0x0014	  99 ( 2  3) */		add	%g2,%lo(.L_const_seg_900000301),%g2
+/* 0x0018	     ( 2  3) */		or	%g0,0,%o5
+/* 0x001c	  95 ( 3  4) */		or	%g0,%o0,%g5
+/* 0x0020	  99 ( 3  4) */		sub	%o2,1,%g3
+/* 0x0024	     ( 4  5) */		cmp	%o2,9
+/* 0x0028	     ( 4  5) */		bl,pn	%icc,.L77000144	! tprob=0.44
+/* 0x002c	     ( 4  7) */		ldd	[%g2],%f8
+/* 0x0030	     ( 5  8) */		ld	[%o1],%f7
+/* 0x0034	     ( 5  6) */		add	%o1,16,%g4
+/* 0x0038	     ( 5  6) */		sub	%o2,5,%g1
+/* 0x003c	     ( 6  9) */		ld	[%o1+4],%f5
+/* 0x0040	     ( 6  7) */		or	%g0,4,%o5
+/* 0x0044	     ( 7 10) */		ld	[%o1+8],%f3
+/* 0x0048	     ( 7  8) */		fmovs	%f8,%f6
+/* 0x004c	     ( 8 11) */		ld	[%o1+12],%f1
+                                   .L900000305:		/* frequency 64.0 confidence 0.0 */
+/* 0x0050	     ( 8 16) */		ld	[%g4],%f11
+/* 0x0054	     ( 8  9) */		add	%o5,5,%o5
+/* 0x0058	     ( 8  9) */		add	%g4,20,%g4
+/* 0x005c	     ( 8 11) */		fsubd	%f6,%f8,%f6
+/* 0x0060	     ( 9 10) */		std	%f6,[%g5]
+/* 0x0064	     ( 9  9) */		cmp	%o5,%g1
+/* 0x0068	     ( 9 10) */		add	%g5,40,%g5
+/* 0x006c	     ( 0  0) */		fmovs	%f8,%f4
+/* 0x0070	     (10 18) */		ld	[%g4-16],%f7
+/* 0x0074	     (10 13) */		fsubd	%f4,%f8,%f12
+/* 0x0078	     ( 0  0) */		fmovs	%f8,%f2
+/* 0x007c	     (11 12) */		std	%f12,[%g5-32]
+/* 0x0080	     (12 20) */		ld	[%g4-12],%f5
+/* 0x0084	     (12 15) */		fsubd	%f2,%f8,%f12
+/* 0x0088	     ( 0  0) */		fmovs	%f8,%f0
+/* 0x008c	     (13 14) */		std	%f12,[%g5-24]
+/* 0x0090	     (14 22) */		ld	[%g4-8],%f3
+/* 0x0094	     (14 17) */		fsubd	%f0,%f8,%f12
+/* 0x0098	     ( 0  0) */		fmovs	%f8,%f10
+/* 0x009c	     (15 16) */		std	%f12,[%g5-16]
+/* 0x00a0	     (16 24) */		ld	[%g4-4],%f1
+/* 0x00a4	     (16 19) */		fsubd	%f10,%f8,%f10
+/* 0x00a8	     ( 0  0) */		fmovs	%f8,%f6
+/* 0x00ac	     (17 18) */		ble,pt	%icc,.L900000305	! tprob=0.50
+/* 0x00b0	     (17 18) */		std	%f10,[%g5-8]
+                                   .L900000308:		/* frequency 8.0 confidence 0.0 */
+/* 0x00b4	     ( 0  1) */		fmovs	%f8,%f4
+/* 0x00b8	     ( 0  1) */		add	%g5,32,%g5
+/* 0x00bc	     ( 0  1) */		cmp	%o5,%g3
+/* 0x00c0	     ( 1  2) */		fmovs	%f8,%f2
+/* 0x00c4	     ( 2  3) */		fmovs	%f8,%f0
+/* 0x00c8	     ( 4  7) */		fsubd	%f6,%f8,%f6
+/* 0x00cc	     ( 4  5) */		std	%f6,[%g5-32]
+/* 0x00d0	     ( 5  8) */		fsubd	%f4,%f8,%f4
+/* 0x00d4	     ( 5  6) */		std	%f4,[%g5-24]
+/* 0x00d8	     ( 6  9) */		fsubd	%f2,%f8,%f2
+/* 0x00dc	     ( 6  7) */		std	%f2,[%g5-16]
+/* 0x00e0	     ( 7 10) */		fsubd	%f0,%f8,%f0
+/* 0x00e4	     ( 7  8) */		bg,pn	%icc,.L77000140	! tprob=0.14
+/* 0x00e8	     ( 7  8) */		std	%f0,[%g5-8]
+                                   .L77000144:		/* frequency 0.7 confidence 0.0 */
+/* 0x00ec	     ( 0  3) */		ld	[%g4],%f1
+                                   .L900000309:		/* frequency 6.4 confidence 0.0 */
+/* 0x00f0	     ( 0  3) */		ldd	[%g2],%f8
+/* 0x00f4	     ( 0  1) */		add	%o5,1,%o5
+/* 0x00f8	     ( 0  1) */		add	%g4,4,%g4
+/* 0x00fc	     ( 1  2) */		cmp	%o5,%g3
+/* 0x0100	     ( 2  3) */		fmovs	%f8,%f0
+/* 0x0104	     ( 4  7) */		fsubd	%f0,%f8,%f0
+/* 0x0108	     ( 4  5) */		std	%f0,[%g5]
+/* 0x010c	     ( 4  5) */		add	%g5,8,%g5
+/* 0x0110	     ( 4  5) */		ble,a,pt	%icc,.L900000309	! tprob=0.86
+/* 0x0114	     ( 6  9) */		ld	[%g4],%f1
+                                   .L77000140:		/* frequency 1.0 confidence 0.0 */
+/* 0x0118	     ( 0  2) */		retl	! Result = 
+/* 0x011c	     ( 1  2) */		nop
+/* 0x0120	   0 ( 0  0) */		.type	conv_i32_to_d32,2
+/* 0x0120	     ( 0  0) */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000401:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d16
+                                   conv_i32_to_d16:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-104,%sp
+/* 0x0004	     ( 1  2) */		orcc	%g0,%i2,%o0
+
+!  100		                    !}
+!  103		                    !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  104		                    !{
+!  105		                    !int i;
+!  106		                    !unsigned int a;
+!  108		                    !#pragma pipeloop(0)
+!  109		                    ! for(i=0;i<len;i++)
+
+/* 0x0008	 109 ( 1  2) */		ble,pt	%icc,.L77000150	! tprob=0.56
+/* 0x000c	     ( 1  2) */		nop
+/* 0x0010	     ( 2  3) */		sub	%o0,1,%o5
+/* 0x0014	     ( 2  3) */		sethi	%hi(0xfc00),%g2
+
+!  110		                    !   {
+!  111		                    !     a=i32[i];
+!  112		                    !     d16[2*i]=(double)(a&0xffff);
+!  113		                    !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0018	 113 ( 3  4) */		sethi	%hi(.L_const_seg_900000401),%o0
+/* 0x001c	     ( 3  4) */		add	%o5,1,%g3
+/* 0x0020	     ( 4  5) */		add	%g2,1023,%o4
+/* 0x0024	 109 ( 4  5) */		or	%g0,0,%g1
+/* 0x0028	     ( 5  6) */		cmp	%g3,3
+/* 0x002c	     ( 5  6) */		or	%g0,%i1,%o7
+/* 0x0030	     ( 6  7) */		add	%o0,%lo(.L_const_seg_900000401),%o3
+/* 0x0034	     ( 6  7) */		or	%g0,%i0,%g2
+/* 0x0038	     ( 6  7) */		bl,pn	%icc,.L77000154	! tprob=0.44
+/* 0x003c	     ( 7  8) */		add	%o7,4,%o0
+/* 0x0040	 112 ( 7 10) */		ldd	[%o3],%f0
+/* 0x0044	 113 ( 7  8) */		or	%g0,1,%g1
+/* 0x0048	 111 ( 8 11) */		ld	[%o0-4],%o1
+/* 0x004c	   0 ( 8  9) */		or	%g0,%o0,%o7
+/* 0x0050	 112 (10 11) */		and	%o1,%o4,%o0
+                                   .L900000406:		/* frequency 64.0 confidence 0.0 */
+/* 0x0054	 112 (22 23) */		st	%o0,[%sp+96]
+/* 0x0058	 113 (22 23) */		add	%g1,1,%g1
+/* 0x005c	     (22 23) */		add	%g2,16,%g2
+/* 0x0060	     (23 23) */		cmp	%g1,%o5
+/* 0x0064	     (23 24) */		add	%o7,4,%o7
+/* 0x0068	 112 (29 31) */		ld	[%sp+96],%f3
+/* 0x006c	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0070	     (31 34) */		fsubd	%f2,%f0,%f2
+/* 0x0074	 113 (32 33) */		srl	%o1,16,%o0
+/* 0x0078	 112 (32 33) */		std	%f2,[%g2-16]
+/* 0x007c	 113 (33 34) */		st	%o0,[%sp+92]
+/* 0x0080	     (40 42) */		ld	[%sp+92],%f3
+/* 0x0084	 111 (41 43) */		ld	[%o7-4],%o1
+/* 0x0088	 113 ( 0  0) */		fmovs	%f0,%f2
+/* 0x008c	     (42 45) */		fsubd	%f2,%f0,%f2
+/* 0x0090	 112 (43 44) */		and	%o1,%o4,%o0
+/* 0x0094	 113 (43 44) */		ble,pt	%icc,.L900000406	! tprob=0.50
+/* 0x0098	     (43 44) */		std	%f2,[%g2-8]
+                                   .L900000409:		/* frequency 8.0 confidence 0.0 */
+/* 0x009c	 112 ( 0  1) */		st	%o0,[%sp+96]
+/* 0x00a0	     ( 0  1) */		fmovs	%f0,%f2
+/* 0x00a4	 113 ( 0  1) */		add	%g2,16,%g2
+/* 0x00a8	     ( 1  2) */		srl	%o1,16,%o0
+/* 0x00ac	 112 ( 4  7) */		ld	[%sp+96],%f3
+/* 0x00b0	     ( 6  9) */		fsubd	%f2,%f0,%f2
+/* 0x00b4	     ( 6  7) */		std	%f2,[%g2-16]
+/* 0x00b8	 113 ( 7  8) */		st	%o0,[%sp+92]
+/* 0x00bc	     (10 11) */		fmovs	%f0,%f2
+/* 0x00c0	     (11 14) */		ld	[%sp+92],%f3
+/* 0x00c4	     (13 16) */		fsubd	%f2,%f0,%f0
+/* 0x00c8	     (13 14) */		std	%f0,[%g2-8]
+/* 0x00cc	     (14 16) */		ret	! Result = 
+/* 0x00d0	     (16 17) */		restore	%g0,%g0,%g0
+                                   .L77000154:		/* frequency 0.7 confidence 0.0 */
+/* 0x00d4	 111 ( 0  3) */		ld	[%o7],%o0
+                                   .L900000410:		/* frequency 6.4 confidence 0.0 */
+/* 0x00d8	 112 ( 0  1) */		and	%o0,%o4,%o1
+/* 0x00dc	     ( 0  1) */		st	%o1,[%sp+96]
+/* 0x00e0	 113 ( 0  1) */		add	%g1,1,%g1
+/* 0x00e4	 112 ( 1  4) */		ldd	[%o3],%f0
+/* 0x00e8	 113 ( 1  2) */		srl	%o0,16,%o0
+/* 0x00ec	     ( 1  2) */		add	%o7,4,%o7
+/* 0x00f0	     ( 2  3) */		cmp	%g1,%o5
+/* 0x00f4	 112 ( 3  4) */		fmovs	%f0,%f2
+/* 0x00f8	     ( 4  7) */		ld	[%sp+96],%f3
+/* 0x00fc	     ( 6  9) */		fsubd	%f2,%f0,%f2
+/* 0x0100	     ( 6  7) */		std	%f2,[%g2]
+/* 0x0104	 113 ( 7  8) */		st	%o0,[%sp+92]
+/* 0x0108	     (10 11) */		fmovs	%f0,%f2
+/* 0x010c	     (11 14) */		ld	[%sp+92],%f3
+/* 0x0110	     (13 16) */		fsubd	%f2,%f0,%f0
+/* 0x0114	     (13 14) */		std	%f0,[%g2+8]
+/* 0x0118	     (13 14) */		add	%g2,16,%g2
+/* 0x011c	     (13 14) */		ble,a,pt	%icc,.L900000410	! tprob=0.86
+/* 0x0120	     (14 17) */		ld	[%o7],%o0
+                                   .L77000150:		/* frequency 1.0 confidence 0.0 */
+/* 0x0124	     ( 0  2) */		ret	! Result = 
+/* 0x0128	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x012c	   0 ( 0  0) */		.type	conv_i32_to_d16,2
+/* 0x012c	     ( 0  0) */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000501:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d32_and_d16
+                                   conv_i32_to_d32_and_d16:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-104,%sp
+/* 0x0004	     ( 1  2) */		or	%g0,%i3,%i4
+/* 0x0008	     ( 1  2) */		or	%g0,%i2,%g1
+
+!  114		                    !   }
+!  115		                    !}
+!  118		                    !void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!  119		                    !			  double * /* 0 */,
+!  120		                    !			  double * /*result16*/, double * /* result32 */,
+!  121		                    !			  float *  /*source - should be unsigned int*
+!  122		                    !		          	       converted to float* */);
+!  126		                    !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  127		                    !			     unsigned int *i32, int len)
+!  128		                    !{
+!  129		                    !int i;
+!  130		                    !unsigned int a;
+!  132		                    !#pragma pipeloop(0)
+!  133		                    ! for(i=0;i<len-3;i+=4)
+
+/* 0x000c	 133 ( 2  3) */		sub	%i4,3,%g2
+/* 0x0010	     ( 2  3) */		or	%g0,0,%o7
+/* 0x0014	     ( 3  4) */		cmp	%g2,0
+/* 0x0018	 128 ( 3  4) */		or	%g0,%i0,%i3
+/* 0x001c	 133 ( 3  4) */		ble,pt	%icc,.L900000515	! tprob=0.56
+/* 0x0020	     ( 4  5) */		cmp	%o7,%i4
+
+!  134		                    !   {
+!  135		                    !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  136		                    !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x0024	 136 ( 4  5) */		sethi	%hi(Zero),%g2
+/* 0x0028	 133 ( 5  6) */		or	%g0,%g1,%o3
+/* 0x002c	     ( 5  6) */		sub	%i4,4,%o2
+/* 0x0030	 136 ( 6  7) */		add	%g2,%lo(Zero),%o1
+/* 0x0034	 133 ( 6  7) */		or	%g0,0,%o5
+/* 0x0038	     ( 7  8) */		or	%g0,0,%o4
+/* 0x003c	 136 ( 7  8) */		or	%g0,%o3,%g4
+                                   .L900000514:		/* frequency 6.4 confidence 0.0 */
+/* 0x0040	     ( 0  3) */		ldd	[%o1],%f2
+/* 0x0044	 136 ( 0  1) */		add	%i3,%o5,%g2
+/* 0x0048	     ( 0  1) */		add	%i1,%o4,%g3
+/* 0x004c	     ( 1  4) */		ldd	[%o1-8],%f0
+/* 0x0050	     ( 1  2) */		add	%o7,4,%o7
+/* 0x0054	     ( 1  2) */		add	%o3,16,%o3
+/* 0x0058	     ( 2  3) */		fmovd	%f2,%f14
+/* 0x005c	     ( 2  5) */		ld	[%g4],%f15
+/* 0x0060	     ( 2  3) */		cmp	%o7,%o2
+/* 0x0064	     ( 3  4) */		fmovd	%f2,%f10
+/* 0x0068	     ( 3  6) */		ld	[%g4+4],%f11
+/* 0x006c	     ( 4  5) */		fmovd	%f2,%f6
+/* 0x0070	     ( 4  7) */		ld	[%g4+8],%f7
+/* 0x0074	     ( 5  8) */		ld	[%g4+12],%f3
+/* 0x0078	     ( 5  8) */		fxtod	%f14,%f14
+/* 0x007c	     ( 6  9) */		fxtod	%f10,%f10
+/* 0x0080	     ( 6  9) */		ldd	[%o1-16],%f16
+/* 0x0084	     ( 7 10) */		fxtod	%f6,%f6
+/* 0x0088	     ( 7  8) */		std	%f14,[%i3+%o5]
+/* 0x008c	     ( 7  8) */		add	%o5,32,%o5
+/* 0x0090	     ( 8 11) */		fxtod	%f2,%f2
+/* 0x0094	     ( 8 11) */		fmuld	%f0,%f14,%f12
+/* 0x0098	     ( 8  9) */		std	%f10,[%g2+8]
+/* 0x009c	     ( 9 12) */		fmuld	%f0,%f10,%f8
+/* 0x00a0	     ( 9 10) */		std	%f6,[%g2+16]
+/* 0x00a4	     (10 13) */		fmuld	%f0,%f6,%f4
+/* 0x00a8	     (10 11) */		std	%f2,[%g2+24]
+/* 0x00ac	     (11 14) */		fmuld	%f0,%f2,%f0
+/* 0x00b0	     (11 14) */		fdtox	%f12,%f12
+/* 0x00b4	     (12 15) */		fdtox	%f8,%f8
+/* 0x00b8	     (13 16) */		fdtox	%f4,%f4
+/* 0x00bc	     (14 17) */		fdtox	%f0,%f0
+/* 0x00c0	     (15 18) */		fxtod	%f12,%f12
+/* 0x00c4	     (15 16) */		std	%f12,[%g3+8]
+/* 0x00c8	     (16 19) */		fxtod	%f8,%f8
+/* 0x00cc	     (16 17) */		std	%f8,[%g3+24]
+/* 0x00d0	     (17 20) */		fxtod	%f4,%f4
+/* 0x00d4	     (17 18) */		std	%f4,[%g3+40]
+/* 0x00d8	     (18 21) */		fxtod	%f0,%f0
+/* 0x00dc	     (18 21) */		fmuld	%f12,%f16,%f12
+/* 0x00e0	     (18 19) */		std	%f0,[%g3+56]
+/* 0x00e4	     (19 22) */		fmuld	%f8,%f16,%f8
+/* 0x00e8	     (20 23) */		fmuld	%f4,%f16,%f4
+/* 0x00ec	     (21 24) */		fmuld	%f0,%f16,%f0
+/* 0x00f0	     (21 24) */		fsubd	%f14,%f12,%f12
+/* 0x00f4	     (21 22) */		std	%f12,[%i1+%o4]
+/* 0x00f8	     (22 25) */		fsubd	%f10,%f8,%f8
+/* 0x00fc	     (22 23) */		std	%f8,[%g3+16]
+/* 0x0100	     (22 23) */		add	%o4,64,%o4
+/* 0x0104	     (23 26) */		fsubd	%f6,%f4,%f4
+/* 0x0108	     (23 24) */		std	%f4,[%g3+32]
+/* 0x010c	     (24 27) */		fsubd	%f2,%f0,%f0
+/* 0x0110	     (24 25) */		std	%f0,[%g3+48]
+/* 0x0114	     (24 25) */		ble,pt	%icc,.L900000514	! tprob=0.86
+/* 0x0118	     (25 26) */		or	%g0,%o3,%g4
+                                   .L77000159:		/* frequency 1.0 confidence 0.0 */
+
+!  137		                    !   }
+!  138		                    ! for(;i<len;i++)
+
+/* 0x011c	 138 ( 0  1) */		cmp	%o7,%i4
+                                   .L900000515:		/* frequency 1.0 confidence 0.0 */
+/* 0x0120	 138 ( 0  1) */		bge,pt	%icc,.L77000164	! tprob=0.56
+/* 0x0124	     ( 0  1) */		nop
+
+!  139		                    !   {
+!  140		                    !     a=i32[i];
+!  141		                    !     d32[i]=(double)(i32[i]);
+!  142		                    !     d16[2*i]=(double)(a&0xffff);
+!  143		                    !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0128	 143 ( 0  1) */		sethi	%hi(.L_const_seg_900000501),%o1
+/* 0x012c	 138 ( 1  2) */		sethi	%hi(0xfc00),%o0
+/* 0x0130	 141 ( 1  4) */		ldd	[%o1+%lo(.L_const_seg_900000501)],%f0
+/* 0x0134	 138 ( 1  2) */		sub	%i4,%o7,%g3
+/* 0x0138	     ( 2  3) */		sll	%o7,2,%g2
+/* 0x013c	     ( 2  3) */		add	%o0,1023,%o3
+/* 0x0140	     ( 3  4) */		sll	%o7,3,%g4
+/* 0x0144	     ( 3  4) */		cmp	%g3,3
+/* 0x0148	     ( 4  5) */		add	%g1,%g2,%o0
+/* 0x014c	     ( 4  5) */		add	%o1,%lo(.L_const_seg_900000501),%o2
+/* 0x0150	     ( 5  6) */		add	%i3,%g4,%o4
+/* 0x0154	     ( 5  6) */		sub	%i4,1,%o1
+/* 0x0158	     ( 6  7) */		sll	%o7,4,%g5
+/* 0x015c	     ( 6  7) */		bl,pn	%icc,.L77000161	! tprob=0.44
+/* 0x0160	     ( 7  8) */		add	%i1,%g5,%o5
+/* 0x0164	 141 ( 7 10) */		ld	[%g1+%g2],%f3
+/* 0x0168	 143 ( 7  8) */		add	%o4,8,%o4
+/* 0x016c	 140 ( 8 11) */		ld	[%g1+%g2],%g1
+/* 0x0170	 143 ( 8  9) */		add	%o5,16,%o5
+/* 0x0174	     ( 8  9) */		add	%o7,1,%o7
+/* 0x0178	 141 ( 9 10) */		fmovs	%f0,%f2
+/* 0x017c	 143 ( 9 10) */		add	%o0,4,%o0
+/* 0x0180	 142 (10 11) */		and	%g1,%o3,%g2
+/* 0x0184	 141 (11 14) */		fsubd	%f2,%f0,%f2
+/* 0x0188	     (11 12) */		std	%f2,[%o4-8]
+/* 0x018c	 143 (11 12) */		srl	%g1,16,%g1
+/* 0x0190	 142 (12 13) */		st	%g2,[%sp+96]
+/* 0x0194	     (15 16) */		fmovs	%f0,%f2
+/* 0x0198	     (16 19) */		ld	[%sp+96],%f3
+/* 0x019c	     (18 21) */		fsubd	%f2,%f0,%f2
+/* 0x01a0	     (18 19) */		std	%f2,[%o5-16]
+/* 0x01a4	 143 (19 20) */		st	%g1,[%sp+92]
+/* 0x01a8	     (22 23) */		fmovs	%f0,%f2
+/* 0x01ac	     (23 26) */		ld	[%sp+92],%f3
+/* 0x01b0	     (25 28) */		fsubd	%f2,%f0,%f2
+/* 0x01b4	     (25 26) */		std	%f2,[%o5-8]
+                                   .L900000509:		/* frequency 64.0 confidence 0.0 */
+/* 0x01b8	 141 (26 28) */		ld	[%o0],%f3
+/* 0x01bc	 143 (26 27) */		add	%o7,2,%o7
+/* 0x01c0	     (26 27) */		add	%o5,32,%o5
+/* 0x01c4	 140 (27 29) */		ld	[%o0],%g1
+/* 0x01c8	 143 (27 27) */		cmp	%o7,%o1
+/* 0x01cc	     (27 28) */		add	%o4,16,%o4
+/* 0x01d0	 141 ( 0  0) */		fmovs	%f0,%f2
+/* 0x01d4	     (28 31) */		fsubd	%f2,%f0,%f2
+/* 0x01d8	     (29 30) */		std	%f2,[%o4-16]
+/* 0x01dc	 142 (29 30) */		and	%g1,%o3,%g2
+/* 0x01e0	     (30 31) */		st	%g2,[%sp+96]
+/* 0x01e4	     (37 39) */		ld	[%sp+96],%f3
+/* 0x01e8	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x01ec	     (39 42) */		fsubd	%f2,%f0,%f2
+/* 0x01f0	 143 (40 41) */		srl	%g1,16,%g1
+/* 0x01f4	 142 (40 41) */		std	%f2,[%o5-32]
+/* 0x01f8	 143 (41 42) */		st	%g1,[%sp+92]
+/* 0x01fc	     (48 50) */		ld	[%sp+92],%f3
+/* 0x0200	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0204	     (50 53) */		fsubd	%f2,%f0,%f2
+/* 0x0208	     (51 52) */		std	%f2,[%o5-24]
+/* 0x020c	     (51 52) */		add	%o0,4,%o0
+/* 0x0210	 141 (52 54) */		ld	[%o0],%f3
+/* 0x0214	 140 (53 55) */		ld	[%o0],%g1
+/* 0x0218	 141 ( 0  0) */		fmovs	%f0,%f2
+/* 0x021c	     (54 57) */		fsubd	%f2,%f0,%f2
+/* 0x0220	     (55 56) */		std	%f2,[%o4-8]
+/* 0x0224	 142 (55 56) */		and	%g1,%o3,%g2
+/* 0x0228	     (56 57) */		st	%g2,[%sp+96]
+/* 0x022c	     (63 65) */		ld	[%sp+96],%f3
+/* 0x0230	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0234	     (65 68) */		fsubd	%f2,%f0,%f2
+/* 0x0238	 143 (66 67) */		srl	%g1,16,%g1
+/* 0x023c	 142 (66 67) */		std	%f2,[%o5-16]
+/* 0x0240	 143 (67 68) */		st	%g1,[%sp+92]
+/* 0x0244	     (74 76) */		ld	[%sp+92],%f3
+/* 0x0248	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x024c	     (76 79) */		fsubd	%f2,%f0,%f2
+/* 0x0250	     (77 78) */		std	%f2,[%o5-8]
+/* 0x0254	     (77 78) */		bl,pt	%icc,.L900000509	! tprob=0.50
+/* 0x0258	     (77 78) */		add	%o0,4,%o0
+                                   .L900000512:		/* frequency 8.0 confidence 0.0 */
+/* 0x025c	 143 ( 0  1) */		cmp	%o7,%i4
+/* 0x0260	     ( 0  1) */		bge,pn	%icc,.L77000164	! tprob=0.14
+/* 0x0264	     ( 0  1) */		nop
+                                   .L77000161:		/* frequency 0.7 confidence 0.0 */
+/* 0x0268	 141 ( 0  3) */		ld	[%o0],%f3
+                                   .L900000513:		/* frequency 6.4 confidence 0.0 */
+/* 0x026c	 141 ( 0  3) */		ldd	[%o2],%f0
+/* 0x0270	 143 ( 0  1) */		add	%o7,1,%o7
+/* 0x0274	 140 ( 1  4) */		ld	[%o0],%o1
+/* 0x0278	 143 ( 1  2) */		add	%o0,4,%o0
+/* 0x027c	     ( 1  2) */		cmp	%o7,%i4
+/* 0x0280	 141 ( 2  3) */		fmovs	%f0,%f2
+/* 0x0284	 142 ( 3  4) */		and	%o1,%o3,%g1
+/* 0x0288	 141 ( 4  7) */		fsubd	%f2,%f0,%f2
+/* 0x028c	     ( 4  5) */		std	%f2,[%o4]
+/* 0x0290	 143 ( 4  5) */		srl	%o1,16,%o1
+/* 0x0294	 142 ( 5  6) */		st	%g1,[%sp+96]
+/* 0x0298	 143 ( 5  6) */		add	%o4,8,%o4
+/* 0x029c	 142 ( 8  9) */		fmovs	%f0,%f2
+/* 0x02a0	     ( 9 12) */		ld	[%sp+96],%f3
+/* 0x02a4	     (11 14) */		fsubd	%f2,%f0,%f2
+/* 0x02a8	     (11 12) */		std	%f2,[%o5]
+/* 0x02ac	 143 (12 13) */		st	%o1,[%sp+92]
+/* 0x02b0	     (15 16) */		fmovs	%f0,%f2
+/* 0x02b4	     (16 19) */		ld	[%sp+92],%f3
+/* 0x02b8	     (18 21) */		fsubd	%f2,%f0,%f0
+/* 0x02bc	     (18 19) */		std	%f0,[%o5+8]
+/* 0x02c0	     (18 19) */		add	%o5,16,%o5
+/* 0x02c4	     (18 19) */		bl,a,pt	%icc,.L900000513	! tprob=0.86
+/* 0x02c8	     (19 22) */		ld	[%o0],%f3
+                                   .L77000164:		/* frequency 1.0 confidence 0.0 */
+/* 0x02cc	     ( 0  2) */		ret	! Result = 
+/* 0x02d0	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x02d4	   0 ( 0  0) */		.type	conv_i32_to_d32_and_d16,2
+/* 0x02d4	     ( 0  0) */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global adjust_montf_result
+                                   adjust_montf_result:		/* frequency 1.0 confidence 0.0 */
+
+!  144		                    !   }
+!  145		                    !}
+!  148		                    !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  149		                    !{
+!  150		                    !long long acc;
+!  151		                    !int i;
+!  153		                    ! if(i32[len]>0) i=-1;
+
+/* 000000	 153 ( 0  1) */		sll	%o2,2,%g1
+/* 0x0004	     ( 0  1) */		or	%g0,-1,%g3
+/* 0x0008	     ( 1  4) */		ld	[%o0+%g1],%g1
+/* 0x000c	     ( 3  4) */		cmp	%g1,0
+/* 0x0010	     ( 3  4) */		bleu,pn	%icc,.L77000175	! tprob=0.50
+/* 0x0014	     ( 3  4) */		or	%g0,%o1,%o3
+/* 0x0018	     ( 4  5) */		ba	.L900000611	! tprob=1.00
+/* 0x001c	     ( 4  5) */		cmp	%g3,0
+                                   .L77000175:		/* frequency 0.8 confidence 0.0 */
+
+!  154		                    ! else
+!  155		                    !   {
+!  156		                    !     for(i=len-1; i>=0; i++)
+
+/* 0x0020	 156 ( 0  1) */		subcc	%o2,1,%g3
+/* 0x0024	     ( 0  1) */		bneg,pt	%icc,.L900000611	! tprob=0.60
+/* 0x0028	     ( 1  2) */		cmp	%g3,0
+/* 0x002c	     ( 1  2) */		sll	%g3,2,%g1
+/* 0x0030	     ( 2  3) */		add	%o0,%g1,%g2
+/* 0x0034	     ( 2  3) */		add	%o1,%g1,%g1
+
+!  157		                    !       {
+!  158		                    !	 if(i32[i]!=nint[i]) break;
+
+/* 0x0038	 158 ( 3  6) */		ld	[%g1],%g5
+                                   .L900000610:		/* frequency 5.3 confidence 0.0 */
+/* 0x003c	 158 ( 0  3) */		ld	[%g2],%o5
+/* 0x0040	     ( 0  1) */		add	%g1,4,%g1
+/* 0x0044	     ( 0  1) */		add	%g2,4,%g2
+/* 0x0048	     ( 2  3) */		cmp	%o5,%g5
+/* 0x004c	     ( 2  3) */		bne,pn	%icc,.L77000182	! tprob=0.16
+/* 0x0050	     ( 2  3) */		nop
+/* 0x0054	     ( 3  4) */		addcc	%g3,1,%g3
+/* 0x0058	     ( 3  4) */		bpos,a,pt	%icc,.L900000610	! tprob=0.84
+/* 0x005c	     ( 3  6) */		ld	[%g1],%g5
+                                   .L77000182:		/* frequency 1.0 confidence 0.0 */
+
+!  159		                    !       }
+!  160		                    !   }
+!  161		                    ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x0060	 161 ( 0  1) */		cmp	%g3,0
+                                   .L900000611:		/* frequency 1.0 confidence 0.0 */
+/* 0x0064	 161 ( 0  1) */		bl,pn	%icc,.L77000198	! tprob=0.50
+/* 0x0068	     ( 0  1) */		sll	%g3,2,%g2
+/* 0x006c	     ( 1  4) */		ld	[%o1+%g2],%g1
+/* 0x0070	     ( 2  5) */		ld	[%o0+%g2],%g2
+/* 0x0074	     ( 4  5) */		cmp	%g2,%g1
+/* 0x0078	     ( 4  5) */		bleu,pt	%icc,.L77000191	! tprob=0.56
+/* 0x007c	     ( 4  5) */		nop
+                                   .L77000198:		/* frequency 0.8 confidence 0.0 */
+
+!  162		                    !   {
+!  163		                    !     acc=0;
+!  164		                    !     for(i=0;i<len;i++)
+
+/* 0x0080	 164 ( 0  1) */		cmp	%o2,0
+/* 0x0084	     ( 0  1) */		ble,pt	%icc,.L77000191	! tprob=0.60
+/* 0x0088	     ( 0  1) */		nop
+/* 0x008c	 161 ( 1  2) */		or	%g0,-1,%g2
+/* 0x0090	     ( 1  2) */		sub	%o2,1,%g4
+/* 0x0094	     ( 2  3) */		srl	%g2,0,%g3
+/* 0x0098	 163 ( 2  3) */		or	%g0,0,%g5
+/* 0x009c	 164 ( 3  4) */		or	%g0,0,%o5
+/* 0x00a0	 161 ( 3  4) */		or	%g0,%o0,%o4
+/* 0x00a4	     ( 4  5) */		cmp	%o2,3
+/* 0x00a8	     ( 4  5) */		add	%o1,4,%g2
+/* 0x00ac	 164 ( 4  5) */		bl,pn	%icc,.L77000199	! tprob=0.40
+/* 0x00b0	     ( 5  6) */		add	%o0,8,%g1
+
+!  165		                    !       {
+!  166		                    !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00b4	 166 ( 5  8) */		ld	[%o0],%o2
+/* 0x00b8	   0 ( 5  6) */		or	%g0,%g2,%o3
+/* 0x00bc	 166 ( 6  9) */		ld	[%o1],%o1
+/* 0x00c0	   0 ( 6  7) */		or	%g0,%g1,%o4
+
+!  167		                    !	 i32[i]=acc&0xffffffff;
+!  168		                    !	 acc=acc>>32;
+
+/* 0x00c4	 168 ( 6  7) */		or	%g0,2,%o5
+/* 0x00c8	 166 ( 7 10) */		ld	[%o0+4],%g1
+/* 0x00cc	 164 ( 8  9) */		sub	%o2,%o1,%o2
+/* 0x00d0	     ( 9 10) */		or	%g0,%o2,%g5
+/* 0x00d4	 167 ( 9 10) */		and	%o2,%g3,%o2
+/* 0x00d8	     ( 9 10) */		st	%o2,[%o0]
+/* 0x00dc	 168 (10 11) */		srax	%g5,32,%g5
+                                   .L900000605:		/* frequency 64.0 confidence 0.0 */
+/* 0x00e0	 166 (12 20) */		ld	[%o3],%o2
+/* 0x00e4	 168 (12 13) */		add	%o5,1,%o5
+/* 0x00e8	     (12 13) */		add	%o3,4,%o3
+/* 0x00ec	     (13 13) */		cmp	%o5,%g4
+/* 0x00f0	     (13 14) */		add	%o4,4,%o4
+/* 0x00f4	 164 (14 14) */		sub	%g1,%o2,%g1
+/* 0x00f8	     (15 15) */		add	%g1,%g5,%g5
+/* 0x00fc	 167 (16 17) */		and	%g5,%g3,%o2
+/* 0x0100	 166 (16 24) */		ld	[%o4-4],%g1
+/* 0x0104	 167 (17 18) */		st	%o2,[%o4-8]
+/* 0x0108	 168 (17 18) */		ble,pt	%icc,.L900000605	! tprob=0.50
+/* 0x010c	     (17 18) */		srax	%g5,32,%g5
+                                   .L900000608:		/* frequency 8.0 confidence 0.0 */
+/* 0x0110	 166 ( 0  3) */		ld	[%o3],%g2
+/* 0x0114	 164 ( 2  3) */		sub	%g1,%g2,%g1
+/* 0x0118	     ( 3  4) */		add	%g1,%g5,%g1
+/* 0x011c	 167 ( 4  5) */		and	%g1,%g3,%g2
+/* 0x0120	     ( 5  7) */		retl	! Result = 
+/* 0x0124	     ( 6  7) */		st	%g2,[%o4-4]
+                                   .L77000199:		/* frequency 0.6 confidence 0.0 */
+/* 0x0128	 166 ( 0  3) */		ld	[%o4],%g1
+                                   .L900000609:		/* frequency 5.3 confidence 0.0 */
+/* 0x012c	 166 ( 0  3) */		ld	[%o3],%g2
+/* 0x0130	     ( 0  1) */		add	%g5,%g1,%g1
+/* 0x0134	 168 ( 0  1) */		add	%o5,1,%o5
+/* 0x0138	     ( 1  2) */		add	%o3,4,%o3
+/* 0x013c	     ( 1  2) */		cmp	%o5,%g4
+/* 0x0140	 166 ( 2  3) */		sub	%g1,%g2,%g1
+/* 0x0144	 167 ( 3  4) */		and	%g1,%g3,%g2
+/* 0x0148	     ( 3  4) */		st	%g2,[%o4]
+/* 0x014c	 168 ( 3  4) */		add	%o4,4,%o4
+/* 0x0150	     ( 4  5) */		srax	%g1,32,%g5
+/* 0x0154	     ( 4  5) */		ble,a,pt	%icc,.L900000609	! tprob=0.84
+/* 0x0158	     ( 4  7) */		ld	[%o4],%g1
+                                   .L77000191:		/* frequency 1.0 confidence 0.0 */
+/* 0x015c	     ( 0  2) */		retl	! Result = 
+/* 0x0160	     ( 1  2) */		nop
+/* 0x0164	   0 ( 0  0) */		.type	adjust_montf_result,2
+/* 0x0164	     ( 0  0) */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	32
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global mont_mulf_noconv
+                                   mont_mulf_noconv:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-144,%sp
+/* 0x0004	     ( 1  2) */		st	%i0,[%fp+68]
+
+!  169		                    !       }
+!  170		                    !   }
+!  171		                    !}
+!  175		                    !void cleanup(double *dt, int from, int tlen);
+!  177		                    !/*
+!  178		                    !** the lengths of the input arrays should be at least the following:
+!  179		                    !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  180		                    !** all of them should be different from one another
+!  181		                    !**
+!  182		                    !*/
+!  183		                    !void mont_mulf_noconv(unsigned int *result,
+!  184		                    !		     double *dm1, double *dm2, double *dt,
+!  185		                    !		     double *dn, unsigned int *nint,
+!  186		                    !		     int nlen, double dn0)
+!  187		                    !{
+!  188		                    ! int i, j, jj;
+!  189		                    ! int tmp;
+!  190		                    ! double digit, m2j, nextm2j, a, b;
+!  191		                    ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  193		                    ! pdm1=&(dm1[0]);
+!  194		                    ! pdm2=&(dm2[0]);
+!  195		                    ! pdn=&(dn[0]);
+!  196		                    ! pdm2[2*nlen]=Zero;
+
+/* 0x0008	 196 ( 1  2) */		sethi	%hi(Zero),%g2
+/* 0x000c	 187 ( 1  2) */		or	%g0,%i2,%o1
+/* 0x0010	     ( 2  3) */		st	%i5,[%fp+88]
+/* 0x0014	     ( 2  3) */		or	%g0,%i3,%o2
+/* 0x0018	 196 ( 2  3) */		add	%g2,%lo(Zero),%g4
+/* 0x001c	     ( 3  6) */		ldd	[%g2+%lo(Zero)],%f2
+/* 0x0020	 187 ( 3  4) */		or	%g0,%o2,%g5
+/* 0x0024	 196 ( 3  4) */		or	%g0,%o1,%i0
+/* 0x0028	 187 ( 4  5) */		or	%g0,%i4,%i2
+
+!  198		                    ! if (nlen!=16)
+!  199		                    !   {
+!  200		                    !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  202		                    !     a=dt[0]=pdm1[0]*pdm2[0];
+!  203		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  205		                    !     pdtj=&(dt[0]);
+!  206		                    !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  207		                    !       {
+!  208		                    !	 m2j=pdm2[j];
+!  209		                    !	 a=pdtj[0]+pdn[0]*digit;
+!  210		                    !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  211		                    !	 pdtj[1]=b;
+!  213		                    !#pragma pipeloop(0)
+!  214		                    !	 for(i=1;i<nlen;i++)
+!  215		                    !	   {
+!  216		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  217		                    !	   }
+!  218		                    ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  219		                    !	 
+!  220		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  221		                    !       }
+!  222		                    !   }
+!  223		                    ! else
+!  224		                    !   {
+!  225		                    !     a=dt[0]=pdm1[0]*pdm2[0];
+!  227		                    !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  228		                    !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  229		                    !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  230		                    !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  231		                    !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  232		                    !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  233		                    !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  234		                    !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  235		                    !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  236		                    !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  237		                    !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  239		                    !     pdn_0=pdn[0];
+!  240		                    !     pdm1_0=pdm1[0];
+!  242		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  243		                    !     pdtj=&(dt[0]);
+!  245		                    !     for(j=0;j<32;j++,pdtj++)
+!  246		                    !       {
+!  248		                    !	 m2j=pdm2[j];
+!  249		                    !	 a=pdtj[0]+pdn_0*digit;
+!  250		                    !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+!  251		                    !	 pdtj[1]=b;
+!  253		                    !	 /**** this loop will be fully unrolled:
+!  254		                    !	 for(i=1;i<16;i++)
+!  255		                    !	   {
+!  256		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  257		                    !	   }
+!  258		                    !	 *************************************/
+!  259		                    !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  260		                    !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  261		                    !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  262		                    !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  263		                    !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  264		                    !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  265		                    !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  266		                    !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  267		                    !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  268		                    !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  269		                    !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  270		                    !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  271		                    !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  272		                    !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  273		                    !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  274		                    !	 /* no need for cleenup, cannot overflow */
+!  275		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  276		                    !       }
+!  277		                    !   }
+!  279		                    ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+!  281		                    ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x002c	 281 ( 4  5) */		or	%g0,1,%o4
+/* 0x0030	 187 ( 6  9) */		ldd	[%fp+96],%f0
+/* 0x0034	 196 ( 7 10) */		ld	[%fp+92],%o0
+/* 0x0038	 187 ( 8  9) */		fmovd	%f0,%f16
+/* 0x003c	 196 ( 9 10) */		sll	%o0,4,%g2
+/* 0x0040	     ( 9 10) */		or	%g0,%o0,%g1
+/* 0x0044	 198 (10 11) */		cmp	%o0,16
+/* 0x0048	     (10 11) */		be,pn	%icc,.L77000289	! tprob=0.50
+/* 0x004c	     (10 11) */		std	%f2,[%o1+%g2]
+/* 0x0050	 200 (11 12) */		sll	%o0,2,%g2
+/* 0x0054	     (11 14) */		ldd	[%g4],%f2
+/* 0x0058	     (12 13) */		add	%g2,2,%o1
+/* 0x005c	     (12 13) */		add	%g2,1,%o3
+/* 0x0060	 196 (13 14) */		sll	%o0,1,%o7
+/* 0x0064	 200 (13 14) */		cmp	%o1,0
+/* 0x0068	     (13 14) */		ble,a,pt	%icc,.L900000755	! tprob=0.55
+/* 0x006c	     (14 17) */		ldd	[%i1],%f0
+/* 0x0070	     (14 15) */		cmp	%o1,3
+/* 0x0074	 281 (14 15) */		or	%g0,1,%o1
+/* 0x0078	     (14 15) */		bl,pn	%icc,.L77000279	! tprob=0.40
+/* 0x007c	     (15 16) */		add	%o2,8,%o0
+/* 0x0080	     (15 16) */		std	%f2,[%g5]
+/* 0x0084	   0 (16 17) */		or	%g0,%o0,%o2
+                                   .L900000726:		/* frequency 64.0 confidence 0.0 */
+/* 0x0088	     ( 3  5) */		ldd	[%g4],%f0
+/* 0x008c	     ( 3  4) */		add	%o4,1,%o4
+/* 0x0090	     ( 3  4) */		add	%o2,8,%o2
+/* 0x0094	     ( 4  4) */		cmp	%o4,%o3
+/* 0x0098	     ( 5  6) */		ble,pt	%icc,.L900000726	! tprob=0.50
+/* 0x009c	     ( 5  6) */		std	%f0,[%o2-8]
+                                   .L900000729:		/* frequency 8.0 confidence 0.0 */
+/* 0x00a0	     ( 0  1) */		ba	.L900000755	! tprob=1.00
+/* 0x00a4	     ( 0  3) */		ldd	[%i1],%f0
+                                   .L77000279:		/* frequency 0.6 confidence 0.0 */
+/* 0x00a8	     ( 0  1) */		std	%f2,[%o2]
+                                   .L900000754:		/* frequency 5.3 confidence 0.0 */
+/* 0x00ac	     ( 0  3) */		ldd	[%g4],%f2
+/* 0x00b0	     ( 0  1) */		cmp	%o1,%o3
+/* 0x00b4	     ( 0  1) */		add	%o2,8,%o2
+/* 0x00b8	     ( 1  2) */		add	%o1,1,%o1
+/* 0x00bc	     ( 1  2) */		ble,a,pt	%icc,.L900000754	! tprob=0.87
+/* 0x00c0	     ( 3  4) */		std	%f2,[%o2]
+                                   .L77000284:		/* frequency 0.8 confidence 0.0 */
+/* 0x00c4	 202 ( 0  3) */		ldd	[%i1],%f0
+                                   .L900000755:		/* frequency 0.8 confidence 0.0 */
+/* 0x00c8	 202 ( 0  3) */		ldd	[%i0],%f2
+/* 0x00cc	     ( 0  1) */		add	%o7,1,%o2
+/* 0x00d0	 206 ( 0  1) */		cmp	%o7,0
+/* 0x00d4	     ( 1  2) */		sll	%o2,1,%o0
+/* 0x00d8	     ( 1  2) */		sub	%o7,1,%o1
+/* 0x00dc	 202 ( 2  5) */		fmuld	%f0,%f2,%f0
+/* 0x00e0	     ( 2  3) */		std	%f0,[%g5]
+/* 0x00e4	     ( 2  3) */		sub	%g1,1,%o7
+/* 0x00e8	     ( 3  6) */		ldd	[%g4],%f6
+/* 0x00ec	   0 ( 3  4) */		or	%g0,%o7,%g3
+/* 0x00f0	     ( 3  4) */		or	%g0,0,%l0
+/* 0x00f4	     ( 4  7) */		ldd	[%g4-8],%f2
+/* 0x00f8	     ( 4  5) */		or	%g0,0,%i5
+/* 0x00fc	     ( 4  5) */		or	%g0,%o1,%o5
+/* 0x0100	     ( 5  8) */		fdtox	%f0,%f0
+/* 0x0104	     ( 5  8) */		ldd	[%g4-16],%f4
+/* 0x0108	     ( 5  6) */		or	%g0,%o0,%o3
+/* 0x010c	 210 ( 6  7) */		add	%i0,8,%o4
+/* 0x0110	     ( 6  7) */		or	%g0,0,%i4
+/* 0x0114	     ( 9 10) */		fmovs	%f6,%f0
+/* 0x0118	     (11 14) */		fxtod	%f0,%f0
+/* 0x011c	 203 (14 17) */		fmuld	%f0,%f16,%f0
+/* 0x0120	     (17 20) */		fmuld	%f0,%f2,%f2
+/* 0x0124	     (20 23) */		fdtox	%f2,%f2
+/* 0x0128	     (23 26) */		fxtod	%f2,%f2
+/* 0x012c	     (26 29) */		fmuld	%f2,%f4,%f2
+/* 0x0130	     (29 32) */		fsubd	%f0,%f2,%f22
+/* 0x0134	 206 (29 30) */		ble,pt	%icc,.L900000748	! tprob=0.60
+/* 0x0138	     (29 30) */		sll	%g1,4,%g2
+/* 0x013c	 210 (30 33) */		ldd	[%i2],%f0
+                                   .L900000749:		/* frequency 5.3 confidence 0.0 */
+/* 0x0140	 210 ( 0  3) */		fmuld	%f0,%f22,%f8
+/* 0x0144	     ( 0  3) */		ldd	[%i1],%f0
+/* 0x0148	 214 ( 0  1) */		cmp	%g1,1
+/* 0x014c	 210 ( 1  4) */		ldd	[%o4+%i4],%f6
+/* 0x0150	     ( 1  2) */		add	%i1,8,%o0
+/* 0x0154	 214 ( 1  2) */		or	%g0,1,%o1
+/* 0x0158	 210 ( 2  5) */		ldd	[%i3],%f2
+/* 0x015c	     ( 2  3) */		add	%i3,16,%l1
+/* 0x0160	     ( 3  6) */		fmuld	%f0,%f6,%f6
+/* 0x0164	     ( 3  6) */		ldd	[%g4-8],%f4
+/* 0x0168	     ( 4  7) */		faddd	%f2,%f8,%f2
+/* 0x016c	     ( 4  7) */		ldd	[%i3+8],%f0
+/* 0x0170	 208 ( 5  8) */		ldd	[%i0+%i4],%f20
+/* 0x0174	 210 ( 6  9) */		faddd	%f0,%f6,%f0
+/* 0x0178	     ( 7 10) */		fmuld	%f2,%f4,%f2
+/* 0x017c	     (10 13) */		faddd	%f0,%f2,%f18
+/* 0x0180	 211 (10 11) */		std	%f18,[%i3+8]
+/* 0x0184	 214 (10 11) */		ble,pt	%icc,.L900000753	! tprob=0.54
+/* 0x0188	     (11 12) */		srl	%i5,31,%g2
+/* 0x018c	     (11 12) */		cmp	%g3,7
+/* 0x0190	 210 (12 13) */		add	%i2,8,%g2
+/* 0x0194	 214 (12 13) */		bl,pn	%icc,.L77000281	! tprob=0.36
+/* 0x0198	     (13 14) */		add	%g2,24,%o2
+/* 0x019c	 216 (13 16) */		ldd	[%o0+16],%f14
+/* 0x01a0	     (13 14) */		add	%i3,48,%l1
+/* 0x01a4	     (14 17) */		ldd	[%o0+24],%f12
+/* 0x01a8	   0 (14 15) */		or	%g0,%o2,%g2
+/* 0x01ac	 214 (14 15) */		sub	%g1,3,%o2
+/* 0x01b0	 216 (15 18) */		ldd	[%o0],%f2
+/* 0x01b4	     (15 16) */		or	%g0,5,%o1
+/* 0x01b8	     (16 19) */		ldd	[%g2-24],%f0
+/* 0x01bc	     (17 20) */		ldd	[%o0+8],%f6
+/* 0x01c0	     (17 20) */		fmuld	%f2,%f20,%f2
+/* 0x01c4	     (17 18) */		add	%o0,32,%o0
+/* 0x01c8	     (18 21) */		ldd	[%g2-16],%f8
+/* 0x01cc	     (18 21) */		fmuld	%f0,%f22,%f4
+/* 0x01d0	     (19 22) */		ldd	[%i3+16],%f0
+/* 0x01d4	     (19 22) */		fmuld	%f6,%f20,%f10
+/* 0x01d8	     (20 23) */		ldd	[%g2-8],%f6
+/* 0x01dc	     (21 24) */		faddd	%f2,%f4,%f4
+/* 0x01e0	     (21 24) */		ldd	[%i3+32],%f2
+                                   .L900000738:		/* frequency 512.0 confidence 0.0 */
+/* 0x01e4	 216 (16 24) */		ldd	[%g2],%f24
+/* 0x01e8	     (16 17) */		add	%o1,3,%o1
+/* 0x01ec	     (16 17) */		add	%g2,24,%g2
+/* 0x01f0	     (16 19) */		fmuld	%f8,%f22,%f8
+/* 0x01f4	     (17 25) */		ldd	[%l1],%f28
+/* 0x01f8	     (17 17) */		cmp	%o1,%o2
+/* 0x01fc	     (17 18) */		add	%o0,24,%o0
+/* 0x0200	     (18 26) */		ldd	[%o0-24],%f26
+/* 0x0204	     (18 21) */		faddd	%f0,%f4,%f0
+/* 0x0208	     (18 19) */		add	%l1,48,%l1
+/* 0x020c	     (19 22) */		faddd	%f10,%f8,%f10
+/* 0x0210	     (19 22) */		fmuld	%f14,%f20,%f4
+/* 0x0214	     (19 20) */		std	%f0,[%l1-80]
+/* 0x0218	     (20 28) */		ldd	[%g2-16],%f8
+/* 0x021c	     (20 23) */		fmuld	%f6,%f22,%f6
+/* 0x0220	     (21 29) */		ldd	[%l1-32],%f0
+/* 0x0224	     (22 30) */		ldd	[%o0-16],%f14
+/* 0x0228	     (22 25) */		faddd	%f2,%f10,%f2
+/* 0x022c	     (23 26) */		faddd	%f4,%f6,%f10
+/* 0x0230	     (23 26) */		fmuld	%f12,%f20,%f4
+/* 0x0234	     (23 24) */		std	%f2,[%l1-64]
+/* 0x0238	     (24 32) */		ldd	[%g2-8],%f6
+/* 0x023c	     (24 27) */		fmuld	%f24,%f22,%f24
+/* 0x0240	     (25 33) */		ldd	[%l1-16],%f2
+/* 0x0244	     (26 34) */		ldd	[%o0-8],%f12
+/* 0x0248	     (26 29) */		faddd	%f28,%f10,%f10
+/* 0x024c	     (27 28) */		std	%f10,[%l1-48]
+/* 0x0250	     (27 30) */		fmuld	%f26,%f20,%f10
+/* 0x0254	     (27 28) */		ble,pt	%icc,.L900000738	! tprob=0.50
+/* 0x0258	     (27 30) */		faddd	%f4,%f24,%f4
+                                   .L900000741:		/* frequency 64.0 confidence 0.0 */
+/* 0x025c	 216 ( 0  3) */		fmuld	%f8,%f22,%f28
+/* 0x0260	     ( 0  3) */		ldd	[%g2],%f24
+/* 0x0264	     ( 0  3) */		faddd	%f0,%f4,%f26
+/* 0x0268	     ( 1  4) */		fmuld	%f12,%f20,%f8
+/* 0x026c	     ( 1  2) */		add	%l1,32,%l1
+/* 0x0270	     ( 1  2) */		cmp	%o1,%g3
+/* 0x0274	     ( 2  5) */		fmuld	%f14,%f20,%f14
+/* 0x0278	     ( 2  5) */		ldd	[%l1-32],%f4
+/* 0x027c	     ( 2  3) */		add	%g2,8,%g2
+/* 0x0280	     ( 3  6) */		faddd	%f10,%f28,%f12
+/* 0x0284	     ( 3  6) */		fmuld	%f6,%f22,%f6
+/* 0x0288	     ( 3  6) */		ldd	[%l1-16],%f0
+/* 0x028c	     ( 4  7) */		fmuld	%f24,%f22,%f10
+/* 0x0290	     ( 4  5) */		std	%f26,[%l1-64]
+/* 0x0294	     ( 6  9) */		faddd	%f2,%f12,%f2
+/* 0x0298	     ( 6  7) */		std	%f2,[%l1-48]
+/* 0x029c	     ( 7 10) */		faddd	%f14,%f6,%f6
+/* 0x02a0	     ( 8 11) */		faddd	%f8,%f10,%f2
+/* 0x02a4	     (10 13) */		faddd	%f4,%f6,%f4
+/* 0x02a8	     (10 11) */		std	%f4,[%l1-32]
+/* 0x02ac	     (11 14) */		faddd	%f0,%f2,%f0
+/* 0x02b0	     (11 12) */		bg,pn	%icc,.L77000213	! tprob=0.13
+/* 0x02b4	     (11 12) */		std	%f0,[%l1-16]
+                                   .L77000281:		/* frequency 4.0 confidence 0.0 */
+/* 0x02b8	 216 ( 0  3) */		ldd	[%o0],%f0
+                                   .L900000752:		/* frequency 36.6 confidence 0.0 */
+/* 0x02bc	 216 ( 0  3) */		ldd	[%g2],%f4
+/* 0x02c0	     ( 0  3) */		fmuld	%f0,%f20,%f2
+/* 0x02c4	     ( 0  1) */		add	%o1,1,%o1
+/* 0x02c8	     ( 1  4) */		ldd	[%l1],%f0
+/* 0x02cc	     ( 1  2) */		add	%o0,8,%o0
+/* 0x02d0	     ( 1  2) */		add	%g2,8,%g2
+/* 0x02d4	     ( 2  5) */		fmuld	%f4,%f22,%f4
+/* 0x02d8	     ( 2  3) */		cmp	%o1,%g3
+/* 0x02dc	     ( 5  8) */		faddd	%f2,%f4,%f2
+/* 0x02e0	     ( 8 11) */		faddd	%f0,%f2,%f0
+/* 0x02e4	     ( 8  9) */		std	%f0,[%l1]
+/* 0x02e8	     ( 8  9) */		add	%l1,16,%l1
+/* 0x02ec	     ( 8  9) */		ble,a,pt	%icc,.L900000752	! tprob=0.87
+/* 0x02f0	     (10 13) */		ldd	[%o0],%f0
+                                   .L77000213:		/* frequency 5.3 confidence 0.0 */
+/* 0x02f4	     ( 0  1) */		srl	%i5,31,%g2
+                                   .L900000753:		/* frequency 5.3 confidence 0.0 */
+/* 0x02f8	 218 ( 0  1) */		cmp	%l0,30
+/* 0x02fc	     ( 0  1) */		bne,a,pt	%icc,.L900000751	! tprob=0.54
+/* 0x0300	     ( 0  3) */		fdtox	%f18,%f0
+/* 0x0304	     ( 1  2) */		add	%i5,%g2,%g2
+/* 0x0308	     ( 1  2) */		sub	%o3,1,%o2
+/* 0x030c	     ( 2  3) */		sra	%g2,1,%o0
+/* 0x0310	 216 ( 2  5) */		ldd	[%g4],%f0
+/* 0x0314	     ( 3  4) */		add	%o0,1,%g2
+/* 0x0318	     ( 4  5) */		sll	%g2,1,%o0
+/* 0x031c	     ( 4  5) */		fmovd	%f0,%f2
+/* 0x0320	     ( 5  6) */		sll	%g2,4,%o1
+/* 0x0324	     ( 5  6) */		cmp	%o0,%o3
+/* 0x0328	     ( 5  6) */		bge,pt	%icc,.L77000215	! tprob=0.53
+/* 0x032c	     ( 6  7) */		or	%g0,0,%l0
+/* 0x0330	 218 ( 6  7) */		add	%g5,%o1,%o1
+/* 0x0334	 216 ( 7 10) */		ldd	[%o1],%f8
+                                   .L900000750:		/* frequency 32.0 confidence 0.0 */
+/* 0x0338	     ( 0  3) */		fdtox	%f8,%f6
+/* 0x033c	     ( 0  3) */		ldd	[%g4],%f10
+/* 0x0340	     ( 0  1) */		add	%o0,2,%o0
+/* 0x0344	     ( 1  4) */		ldd	[%o1+8],%f4
+/* 0x0348	     ( 1  4) */		fdtox	%f8,%f8
+/* 0x034c	     ( 1  2) */		cmp	%o0,%o2
+/* 0x0350	     ( 5  6) */		fmovs	%f10,%f6
+/* 0x0354	     ( 7 10) */		fxtod	%f6,%f10
+/* 0x0358	     ( 8 11) */		fdtox	%f4,%f6
+/* 0x035c	     ( 9 12) */		fdtox	%f4,%f4
+/* 0x0360	     (10 13) */		faddd	%f10,%f2,%f2
+/* 0x0364	     (10 11) */		std	%f2,[%o1]
+/* 0x0368	     (12 15) */		ldd	[%g4],%f2
+/* 0x036c	     (14 15) */		fmovs	%f2,%f6
+/* 0x0370	     (16 19) */		fxtod	%f6,%f6
+/* 0x0374	     (17 20) */		fitod	%f8,%f2
+/* 0x0378	     (19 22) */		faddd	%f6,%f0,%f0
+/* 0x037c	     (19 20) */		std	%f0,[%o1+8]
+/* 0x0380	     (19 20) */		add	%o1,16,%o1
+/* 0x0384	     (20 23) */		fitod	%f4,%f0
+/* 0x0388	     (20 21) */		ble,a,pt	%icc,.L900000750	! tprob=0.87
+/* 0x038c	     (20 23) */		ldd	[%o1],%f8
+                                   .L77000233:		/* frequency 4.6 confidence 0.0 */
+/* 0x0390	     ( 0  0) */		or	%g0,0,%l0
+                                   .L77000215:		/* frequency 5.3 confidence 0.0 */
+/* 0x0394	     ( 0  3) */		fdtox	%f18,%f0
+                                   .L900000751:		/* frequency 5.3 confidence 0.0 */
+/* 0x0398	     ( 0  3) */		ldd	[%g4],%f6
+/* 0x039c	 220 ( 0  1) */		add	%i5,1,%i5
+/* 0x03a0	     ( 0  1) */		add	%i4,8,%i4
+/* 0x03a4	     ( 1  4) */		ldd	[%g4-8],%f2
+/* 0x03a8	     ( 1  2) */		add	%l0,1,%l0
+/* 0x03ac	     ( 1  2) */		add	%i3,8,%i3
+/* 0x03b0	     ( 2  3) */		fmovs	%f6,%f0
+/* 0x03b4	     ( 2  5) */		ldd	[%g4-16],%f4
+/* 0x03b8	     ( 2  3) */		cmp	%i5,%o5
+/* 0x03bc	     ( 4  7) */		fxtod	%f0,%f0
+/* 0x03c0	     ( 7 10) */		fmuld	%f0,%f16,%f0
+/* 0x03c4	     (10 13) */		fmuld	%f0,%f2,%f2
+/* 0x03c8	     (13 16) */		fdtox	%f2,%f2
+/* 0x03cc	     (16 19) */		fxtod	%f2,%f2
+/* 0x03d0	     (19 22) */		fmuld	%f2,%f4,%f2
+/* 0x03d4	     (22 25) */		fsubd	%f0,%f2,%f22
+/* 0x03d8	     (22 23) */		ble,a,pt	%icc,.L900000749	! tprob=0.89
+/* 0x03dc	     (22 25) */		ldd	[%i2],%f0
+                                   .L900000725:		/* frequency 0.7 confidence 0.0 */
+/* 0x03e0	 220 ( 0  1) */		ba	.L900000748	! tprob=1.00
+/* 0x03e4	     ( 0  1) */		sll	%g1,4,%g2
+
+	
+                                   .L77000289:		/* frequency 0.8 confidence 0.0 */
+/* 0x03e8	 225 ( 0  3) */		ldd	[%o1],%f6
+/* 0x03ec	 242 ( 0  1) */		add	%g4,-8,%g2
+/* 0x03f0	     ( 0  1) */		add	%g4,-16,%g3
+/* 0x03f4	 225 ( 1  4) */		ldd	[%i1],%f2
+/* 0x03f8	 245 ( 1  2) */		or	%g0,0,%o3
+/* 0x03fc	     ( 1  2) */		or	%g0,0,%o0
+/* 0x0400	 225 ( 3  6) */		fmuld	%f2,%f6,%f2
+/* 0x0404	     ( 3  4) */		std	%f2,[%o2]
+/* 0x0408	     ( 4  7) */		ldd	[%g4],%f6
+/* 0x040c	 237 ( 7  8) */		std	%f6,[%o2+8]
+/* 0x0410	     ( 8  9) */		std	%f6,[%o2+16]
+/* 0x0414	     ( 9 10) */		std	%f6,[%o2+24]
+/* 0x0418	     (10 11) */		std	%f6,[%o2+32]
+/* 0x041c	     (11 12) */		std	%f6,[%o2+40]
+/* 0x0420	     (12 13) */		std	%f6,[%o2+48]
+/* 0x0424	     (13 14) */		std	%f6,[%o2+56]
+/* 0x0428	     (14 15) */		std	%f6,[%o2+64]
+/* 0x042c	     (15 16) */		std	%f6,[%o2+72]
+!	prefetch	[%i4],0
+!	prefetch	[%i4+32],0
+!	prefetch	[%i4+64],0
+!	prefetch	[%i4+96],0
+!	prefetch	[%i4+120],0
+!	prefetch	[%i1],0
+!	prefetch	[%i1+32],0
+!	prefetch	[%i1+64],0
+!	prefetch	[%i1+96],0
+!	prefetch	[%i1+120],0
+/* 0x0430	     (16 17) */		std	%f6,[%o2+80]
+/* 0x0434	     (17 18) */		std	%f6,[%o2+88]
+/* 0x0438	     (18 19) */		std	%f6,[%o2+96]
+/* 0x043c	     (19 20) */		std	%f6,[%o2+104]
+/* 0x0440	     (20 21) */		std	%f6,[%o2+112]
+/* 0x0444	     (21 22) */		std	%f6,[%o2+120]
+/* 0x0448	     (22 23) */		std	%f6,[%o2+128]
+/* 0x044c	     (23 24) */		std	%f6,[%o2+136]
+/* 0x0450	     (24 25) */		std	%f6,[%o2+144]
+/* 0x0454	     (25 26) */		std	%f6,[%o2+152]
+/* 0x0458	     (26 27) */		std	%f6,[%o2+160]
+/* 0x045c	     (27 28) */		std	%f6,[%o2+168]
+/* 0x0460	     (27 30) */		fdtox	%f2,%f2
+/* 0x0464	     (28 29) */		std	%f6,[%o2+176]
+/* 0x0468	     (29 30) */		std	%f6,[%o2+184]
+/* 0x046c	     (30 31) */		std	%f6,[%o2+192]
+/* 0x0470	     (31 32) */		std	%f6,[%o2+200]
+/* 0x0474	     (32 33) */		std	%f6,[%o2+208]
+/* 0x0478	     (33 34) */		std	%f6,[%o2+216]
+/* 0x047c	     (34 35) */		std	%f6,[%o2+224]
+/* 0x0480	     (35 36) */		std	%f6,[%o2+232]
+/* 0x0484	     (36 37) */		std	%f6,[%o2+240]
+/* 0x0488	     (37 38) */		std	%f6,[%o2+248]
+/* 0x048c	     (38 39) */		std	%f6,[%o2+256]
+/* 0x0490	     (39 40) */		std	%f6,[%o2+264]
+/* 0x0494	     (40 41) */		std	%f6,[%o2+272]
+/* 0x0498	     (41 42) */		std	%f6,[%o2+280]
+/* 0x049c	     (42 43) */		std	%f6,[%o2+288]
+/* 0x04a0	     (43 44) */		std	%f6,[%o2+296]
+/* 0x04a4	     (44 45) */		std	%f6,[%o2+304]
+/* 0x04a8	     (45 46) */		std	%f6,[%o2+312]
+/* 0x04ac	     (46 47) */		std	%f6,[%o2+320]
+/* 0x04b0	     (47 48) */		std	%f6,[%o2+328]
+/* 0x04b4	     (48 49) */		std	%f6,[%o2+336]
+/* 0x04b8	     (49 50) */		std	%f6,[%o2+344]
+/* 0x04bc	     (50 51) */		std	%f6,[%o2+352]
+/* 0x04c0	     (51 52) */		std	%f6,[%o2+360]
+/* 0x04c4	     (52 53) */		std	%f6,[%o2+368]
+/* 0x04c8	     (53 54) */		std	%f6,[%o2+376]
+/* 0x04cc	     (54 55) */		std	%f6,[%o2+384]
+/* 0x04d0	     (55 56) */		std	%f6,[%o2+392]
+/* 0x04d4	     (56 57) */		std	%f6,[%o2+400]
+/* 0x04d8	     (57 58) */		std	%f6,[%o2+408]
+/* 0x04dc	     (58 59) */		std	%f6,[%o2+416]
+/* 0x04e0	     (59 60) */		std	%f6,[%o2+424]
+/* 0x04e4	     (60 61) */		std	%f6,[%o2+432]
+/* 0x04e8	     (61 62) */		std	%f6,[%o2+440]
+/* 0x04ec	     (62 63) */		std	%f6,[%o2+448]
+/* 0x04f0	     (63 64) */		std	%f6,[%o2+456]
+/* 0x04f4	     (64 65) */		std	%f6,[%o2+464]
+/* 0x04f8	     (65 66) */		std	%f6,[%o2+472]
+/* 0x04fc	     (66 67) */		std	%f6,[%o2+480]
+/* 0x0500	     (67 68) */		std	%f6,[%o2+488]
+/* 0x0504	     (68 69) */		std	%f6,[%o2+496]
+/* 0x0508	     (69 70) */		std	%f6,[%o2+504]
+/* 0x050c	     (70 71) */		std	%f6,[%o2+512]
+/* 0x0510	     (71 72) */		std	%f6,[%o2+520]
+/* 0x0514	 242 (72 75) */		ld	[%g4],%f2 ! dalign
+/* 0x0518	     (73 76) */		ld	[%g2],%f6 ! dalign
+/* 0x051c	     (74 77) */		fxtod	%f2,%f10
+/* 0x0520	     (74 77) */		ld	[%g2+4],%f7
+/* 0x0524	     (75 78) */		ld	[%g3],%f8 ! dalign
+/* 0x0528	     (76 79) */		ld	[%g3+4],%f9
+/* 0x052c	     (77 80) */		fmuld	%f10,%f0,%f0
+/* 0x0530	 239 (77 80) */		ldd	[%i4],%f4
+/* 0x0534	 240 (78 81) */		ldd	[%i1],%f2
+/* 0x0538	     (80 83) */		fmuld	%f0,%f6,%f6
+/* 0x053c	     (83 86) */		fdtox	%f6,%f6
+/* 0x0540	     (86 89) */		fxtod	%f6,%f6
+/* 0x0544	     (89 92) */		fmuld	%f6,%f8,%f6
+/* 0x0548	     (92 95) */		fsubd	%f0,%f6,%f0
+/* 0x054c	 250 (95 98) */		fmuld	%f4,%f0,%f10
+                                   .L900000747:		/* frequency 6.4 confidence 0.0 */
+
+
+	fmovd %f0,%f0
+	fmovd %f16,%f18
+	ldd [%i4],%f2
+	ldd [%o2],%f8
+	ldd [%i1],%f10
+	ldd [%g4-8],%f14
+	ldd [%g4-16],%f16
+	ldd [%o1],%f24
+
+	ldd [%i1+8],%f26
+	ldd [%i1+16],%f40
+	ldd [%i1+48],%f46
+	ldd [%i1+56],%f30
+	ldd [%i1+64],%f54
+	ldd [%i1+104],%f34
+	ldd [%i1+112],%f58
+
+	ldd [%i4+112],%f60
+	ldd [%i4+8],%f28	
+	ldd [%i4+104],%f38
+
+	nop
+	nop
+!
+	.L99999999:
+!1
+!!!
+	ldd	[%i1+24],%f32
+	fmuld	%f0,%f2,%f4
+!2
+!!!
+	ldd	[%i4+24],%f36
+	fmuld	%f26,%f24,%f20
+!3
+!!!
+	ldd	[%i1+40],%f42
+	fmuld	%f28,%f0,%f22
+!4
+!!!
+	ldd	[%i4+40],%f44
+	fmuld	%f32,%f24,%f32
+!5
+!!!
+	ldd	[%o1+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36
+!6
+!!!
+	add	%o1,8,%o1
+	ldd	[%i4+56],%f50
+	fmuld	%f42,%f24,%f42
+!7
+!!!
+	ldd	[%i1+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44
+!8
+!!!
+	ldd	[%o2+16],%f22
+	fmuld	%f10,%f6,%f12
+!9
+!!!
+	ldd	[%i4+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4
+!10
+!!!
+	ldd	[%o2+48],%f36
+	fmuld	%f30,%f24,%f48
+!11
+!!!
+	ldd	[%o2+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	
+!12
+!!!
+	std	%f20,[%o2+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52
+!13
+!!!
+	ldd	[%o2+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56
+!14
+!!!
+	ldd	[%i1+88],%f20
+	faddd	%f32,%f36,%f32
+!15
+!!!
+	ldd	[%i4+88],%f22
+	faddd	%f48,%f50,%f48
+!16
+!!!
+	ldd	[%o2+112],%f50
+	faddd	%f52,%f56,%f52
+!17
+!!!
+	ldd	[%o2+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20
+!18
+!!!
+	std	%f32,[%o2+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22
+!19
+!!!
+	std	%f42,[%o2+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32
+!20
+!!!
+	std	%f48,[%o2+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36
+!21
+!!!
+	ldd	[%i1+120],%f42
+	fdtox	%f8,%f4
+!22
+!!!
+	std	%f52,[%o2+144]
+	faddd	%f20,%f22,%f20
+!23
+!!!
+	ldd	[%i4+120],%f44
+!24
+!!!
+	ldd	[%o2+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42
+!25
+!!!
+	ldd	[%i4+16],%f50
+	fmovs	%f17,%f4
+!26
+!!!
+	ldd	[%i1+32],%f52
+	fmuld	%f44,%f0,%f44
+!27
+!!!
+	ldd	[%i4+32],%f56
+	fmuld	%f40,%f24,%f48
+!28
+!!!
+	ldd	[%o2+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50
+!29
+!!!
+	std	%f20,[%o2+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52
+!30
+!!!
+	ldd	[%i4+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56
+!31
+!!!
+	ldd	[%o2+240],%f44
+	faddd	%f32,%f36,%f32
+!32
+!!!
+	std	%f32,[%o2+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20
+!33
+!!!
+	ldd	[%o2+32],%f50
+	fmuld	%f4,%f18,%f12
+!34
+!!!
+	ldd	[%i4+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22
+!35
+!!!
+	ldd	[%o2+64],%f56
+	faddd	%f42,%f44,%f42
+!36
+!!!
+	std	%f42,[%o2+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32
+!37
+!!!
+	std	%f48,[%o2+32]
+	fmuld	%f12,%f14,%f4
+!38
+!!!
+	ldd	[%i1+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36
+!39
+!!!
+	ldd	[%i4+80],%f44
+	faddd	%f20,%f22,%f20
+!40
+!!!
+	ldd	[%i1+96],%f48
+	fmuld	%f58,%f24,%f52
+!41
+!!!
+	ldd	[%i4+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42
+!42
+!!!
+	std	%f56,[%o2+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44
+!43
+!!!
+	ldd	[%o2+96],%f22
+	fmuld	%f48,%f24,%f48
+!44
+!!!
+	ldd	[%o2+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50
+!45
+!!!
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56
+!46
+!!!
+	add	%o2,8,%o2
+	faddd	%f42,%f44,%f42
+!47
+!!!
+	ldd	[%o2+160-8],%f44
+	faddd	%f20,%f22,%f20
+!48
+!!!
+	std	%f20,[%o2+96-8]
+	faddd	%f48,%f50,%f48
+!49
+!!!
+	ldd	[%o2+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4
+!50
+!!!
+	ldd	[%o2+224-8],%f56
+	faddd	%f32,%f36,%f32
+!51
+!!!
+	std	%f32,[%o2+128-8]
+	faddd	%f42,%f44,%f42
+!52
+	add	%o3,1,%o3
+	std	%f42,[%o2+160-8]
+	faddd	%f48,%f50,%f48
+!53
+!!!
+	cmp	%o3,31
+	std	%f48,[%o2+192-8]
+	faddd	%f52,%f56,%f52
+!54
+	std	%f52,[%o2+224-8]
+	ble,pt	%icc,.L99999999
+	fsubd	%f12,%f4,%f0
+
+
+
+!55
+	std %f8,[%o2]
+
+	
+	
+	
+	
+	
+	                                   .L77000285:		/* frequency 1.0 confidence 0.0 */
+/* 0x07a8	 279 ( 0  1) */		sll	%g1,4,%g2
+                                   .L900000748:		/* frequency 1.0 confidence 0.0 */
+/* 0x07ac	 279 ( 0  3) */		ldd	[%g5+%g2],%f0
+/* 0x07b0	     ( 0  1) */		add	%g5,%g2,%i1
+/* 0x07b4	     ( 0  1) */		or	%g0,0,%o4
+/* 0x07b8	 206 ( 1  4) */		ld	[%fp+68],%o0
+/* 0x07bc	 279 ( 1  2) */		or	%g0,0,%i0
+/* 0x07c0	     ( 1  2) */		cmp	%g1,0
+/* 0x07c4	     ( 2  5) */		fdtox	%f0,%f0
+/* 0x07c8	     ( 2  3) */		std	%f0,[%sp+120]
+/* 0x07cc	 275 ( 2  3) */		sethi	%hi(0xfc00),%o1
+/* 0x07d0	 206 ( 3  4) */		or	%g0,%o0,%o3
+/* 0x07d4	 275 ( 3  4) */		sub	%g1,1,%g4
+/* 0x07d8	 279 ( 4  7) */		ldd	[%i1+8],%f0
+/* 0x07dc	     ( 4  5) */		or	%g0,%o0,%g5
+/* 0x07e0	     ( 4  5) */		add	%o1,1023,%o1
+/* 0x07e4	     ( 6  9) */		fdtox	%f0,%f0
+/* 0x07e8	     ( 6  7) */		std	%f0,[%sp+112]
+/* 0x07ec	     (10 12) */		ldx	[%sp+112],%o5
+/* 0x07f0	     (11 13) */		ldx	[%sp+120],%o7
+/* 0x07f4	     (11 12) */		ble,pt	%icc,.L900000746	! tprob=0.56
+/* 0x07f8	     (11 12) */		sethi	%hi(0xfc00),%g2
+/* 0x07fc	 275 (12 13) */		or	%g0,-1,%g2
+/* 0x0800	 279 (12 13) */		cmp	%g1,3
+/* 0x0804	 275 (13 14) */		srl	%g2,0,%o2
+/* 0x0808	 279 (13 14) */		bl,pn	%icc,.L77000286	! tprob=0.44
+/* 0x080c	     (13 14) */		or	%g0,%i1,%g2
+/* 0x0810	     (14 17) */		ldd	[%i1+16],%f0
+/* 0x0814	     (14 15) */		and	%o5,%o1,%o0
+/* 0x0818	     (14 15) */		add	%i1,16,%g2
+/* 0x081c	     (15 16) */		sllx	%o0,16,%g3
+/* 0x0820	     (15 16) */		and	%o7,%o2,%o0
+/* 0x0824	     (16 19) */		fdtox	%f0,%f0
+/* 0x0828	     (16 17) */		std	%f0,[%sp+104]
+/* 0x082c	     (16 17) */		add	%o0,%g3,%o4
+/* 0x0830	     (17 20) */		ldd	[%i1+24],%f2
+/* 0x0834	     (17 18) */		srax	%o5,16,%o0
+/* 0x0838	     (17 18) */		add	%o3,4,%g5
+/* 0x083c	     (18 19) */		stx	%o0,[%sp+128]
+/* 0x0840	     (18 19) */		and	%o4,%o2,%o0
+/* 0x0844	     (18 19) */		or	%g0,1,%i0
+/* 0x0848	     (19 20) */		stx	%o0,[%sp+112]
+/* 0x084c	     (19 20) */		srax	%o4,32,%o0
+/* 0x0850	     (19 22) */		fdtox	%f2,%f0
+/* 0x0854	     (20 21) */		stx	%o0,[%sp+136]
+/* 0x0858	     (20 21) */		srax	%o7,32,%o4
+/* 0x085c	     (21 22) */		std	%f0,[%sp+96]
+/* 0x0860	     (22 24) */		ldx	[%sp+136],%o7
+/* 0x0864	     (23 25) */		ldx	[%sp+128],%o0
+/* 0x0868	     (25 27) */		ldx	[%sp+104],%g3
+/* 0x086c	     (25 26) */		add	%o0,%o7,%o0
+/* 0x0870	     (26 28) */		ldx	[%sp+112],%o7
+/* 0x0874	     (26 27) */		add	%o4,%o0,%o4
+/* 0x0878	     (27 29) */		ldx	[%sp+96],%o5
+/* 0x087c	     (28 29) */		st	%o7,[%o3]
+/* 0x0880	     (28 29) */		or	%g0,%g3,%o7
+                                   .L900000730:		/* frequency 64.0 confidence 0.0 */
+/* 0x0884	     (17 19) */		ldd	[%g2+16],%f0
+/* 0x0888	     (17 18) */		add	%i0,1,%i0
+/* 0x088c	     (17 18) */		add	%g5,4,%g5
+/* 0x0890	     (18 18) */		cmp	%i0,%g4
+/* 0x0894	     (18 19) */		add	%g2,16,%g2
+/* 0x0898	     (19 22) */		fdtox	%f0,%f0
+/* 0x089c	     (20 21) */		std	%f0,[%sp+104]
+/* 0x08a0	     (21 23) */		ldd	[%g2+8],%f0
+/* 0x08a4	     (23 26) */		fdtox	%f0,%f0
+/* 0x08a8	     (24 25) */		std	%f0,[%sp+96]
+/* 0x08ac	     (25 26) */		and	%o5,%o1,%g3
+/* 0x08b0	     (26 27) */		sllx	%g3,16,%g3
+/* 0x08b4	     ( 0  0) */		stx	%g3,[%sp+120]
+/* 0x08b8	     (26 27) */		and	%o7,%o2,%g3
+/* 0x08bc	     ( 0  0) */		stx	%o7,[%sp+128]
+/* 0x08c0	     ( 0  0) */		ldx	[%sp+120],%o7
+/* 0x08c4	     (27 27) */		add	%g3,%o7,%g3
+/* 0x08c8	     ( 0  0) */		ldx	[%sp+128],%o7
+/* 0x08cc	     (28 29) */		srax	%o5,16,%o5
+/* 0x08d0	     (28 28) */		add	%g3,%o4,%g3
+/* 0x08d4	     (29 30) */		srax	%g3,32,%o4
+/* 0x08d8	     ( 0  0) */		stx	%o4,[%sp+112]
+/* 0x08dc	     (30 31) */		srax	%o7,32,%o4
+/* 0x08e0	     ( 0  0) */		ldx	[%sp+112],%o7
+/* 0x08e4	     (30 31) */		add	%o5,%o7,%o7
+/* 0x08e8	     (31 33) */		ldx	[%sp+96],%o5
+/* 0x08ec	     (31 32) */		add	%o4,%o7,%o4
+/* 0x08f0	     (32 33) */		and	%g3,%o2,%g3
+/* 0x08f4	     ( 0  0) */		ldx	[%sp+104],%o7
+/* 0x08f8	     (33 34) */		ble,pt	%icc,.L900000730	! tprob=0.50
+/* 0x08fc	     (33 34) */		st	%g3,[%g5-4]
+                                   .L900000733:		/* frequency 8.0 confidence 0.0 */
+/* 0x0900	     ( 0  1) */		ba	.L900000746	! tprob=1.00
+/* 0x0904	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L77000286:		/* frequency 0.7 confidence 0.0 */
+/* 0x0908	     ( 0  3) */		ldd	[%g2+16],%f0
+                                   .L900000745:		/* frequency 6.4 confidence 0.0 */
+/* 0x090c	     ( 0  1) */		and	%o7,%o2,%o0
+/* 0x0910	     ( 0  1) */		and	%o5,%o1,%g3
+/* 0x0914	     ( 0  3) */		fdtox	%f0,%f0
+/* 0x0918	     ( 1  2) */		add	%o4,%o0,%o0
+/* 0x091c	     ( 1  2) */		std	%f0,[%sp+104]
+/* 0x0920	     ( 1  2) */		add	%i0,1,%i0
+/* 0x0924	     ( 2  3) */		sllx	%g3,16,%o4
+/* 0x0928	     ( 2  5) */		ldd	[%g2+24],%f2
+/* 0x092c	     ( 2  3) */		add	%g2,16,%g2
+/* 0x0930	     ( 3  4) */		add	%o0,%o4,%o4
+/* 0x0934	     ( 3  4) */		cmp	%i0,%g4
+/* 0x0938	     ( 4  5) */		srax	%o5,16,%o0
+/* 0x093c	     ( 4  5) */		stx	%o0,[%sp+112]
+/* 0x0940	     ( 4  5) */		and	%o4,%o2,%g3
+/* 0x0944	     ( 5  6) */		srax	%o4,32,%o5
+/* 0x0948	     ( 5  8) */		fdtox	%f2,%f0
+/* 0x094c	     ( 5  6) */		std	%f0,[%sp+96]
+/* 0x0950	     ( 6  7) */		srax	%o7,32,%o4
+/* 0x0954	     ( 6  8) */		ldx	[%sp+112],%o7
+/* 0x0958	     ( 8  9) */		add	%o7,%o5,%o7
+/* 0x095c	     ( 9 11) */		ldx	[%sp+104],%o5
+/* 0x0960	     ( 9 10) */		add	%o4,%o7,%o4
+/* 0x0964	     (10 12) */		ldx	[%sp+96],%o0
+/* 0x0968	     (11 12) */		st	%g3,[%g5]
+/* 0x096c	     (11 12) */		or	%g0,%o5,%o7
+/* 0x0970	     (11 12) */		add	%g5,4,%g5
+/* 0x0974	     (12 13) */		or	%g0,%o0,%o5
+/* 0x0978	     (12 13) */		ble,a,pt	%icc,.L900000745	! tprob=0.86
+/* 0x097c	     (12 15) */		ldd	[%g2+16],%f0
+                                   .L77000236:		/* frequency 1.0 confidence 0.0 */
+/* 0x0980	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L900000746:		/* frequency 1.0 confidence 0.0 */
+/* 0x0984	     ( 0  1) */		or	%g0,-1,%o0
+/* 0x0988	     ( 0  1) */		add	%g2,1023,%g2
+/* 0x098c	     ( 0  3) */		ld	[%fp+88],%o1
+/* 0x0990	     ( 1  2) */		srl	%o0,0,%g3
+/* 0x0994	     ( 1  2) */		and	%o5,%g2,%g2
+/* 0x0998	     ( 2  3) */		and	%o7,%g3,%g4
+/* 0x099c	 281 ( 2  3) */		or	%g0,-1,%o5
+/* 0x09a0	 275 ( 3  4) */		sllx	%g2,16,%g2
+/* 0x09a4	     ( 3  4) */		add	%o4,%g4,%g4
+/* 0x09a8	     ( 4  5) */		add	%g4,%g2,%g2
+/* 0x09ac	     ( 5  6) */		sll	%i0,2,%g4
+/* 0x09b0	     ( 5  6) */		and	%g2,%g3,%g2
+/* 0x09b4	     ( 6  7) */		st	%g2,[%o3+%g4]
+/* 0x09b8	 281 ( 6  7) */		sll	%g1,2,%g2
+/* 0x09bc	     ( 7 10) */		ld	[%o3+%g2],%g2
+/* 0x09c0	     ( 9 10) */		cmp	%g2,0
+/* 0x09c4	     ( 9 10) */		bleu,pn	%icc,.L77000241	! tprob=0.50
+/* 0x09c8	     ( 9 10) */		or	%g0,%o1,%o2
+/* 0x09cc	     (10 11) */		ba	.L900000744	! tprob=1.00
+/* 0x09d0	     (10 11) */		cmp	%o5,0
+                                   .L77000241:		/* frequency 0.8 confidence 0.0 */
+/* 0x09d4	     ( 0  1) */		subcc	%g1,1,%o5
+/* 0x09d8	     ( 0  1) */		bneg,pt	%icc,.L900000744	! tprob=0.60
+/* 0x09dc	     ( 1  2) */		cmp	%o5,0
+/* 0x09e0	     ( 1  2) */		sll	%o5,2,%g2
+/* 0x09e4	     ( 2  3) */		add	%o1,%g2,%o0
+/* 0x09e8	     ( 2  3) */		add	%o3,%g2,%o4
+/* 0x09ec	     ( 3  6) */		ld	[%o0],%g2
+                                   .L900000743:		/* frequency 5.3 confidence 0.0 */
+/* 0x09f0	     ( 0  3) */		ld	[%o4],%g3
+/* 0x09f4	     ( 0  1) */		add	%o0,4,%o0
+/* 0x09f8	     ( 0  1) */		add	%o4,4,%o4
+/* 0x09fc	     ( 2  3) */		cmp	%g3,%g2
+/* 0x0a00	     ( 2  3) */		bne,pn	%icc,.L77000244	! tprob=0.16
+/* 0x0a04	     ( 2  3) */		nop
+/* 0x0a08	     ( 3  4) */		addcc	%o5,1,%o5
+/* 0x0a0c	     ( 3  4) */		bpos,a,pt	%icc,.L900000743	! tprob=0.84
+/* 0x0a10	     ( 3  6) */		ld	[%o0],%g2
+                                   .L77000244:		/* frequency 1.0 confidence 0.0 */
+/* 0x0a14	     ( 0  1) */		cmp	%o5,0
+                                   .L900000744:		/* frequency 1.0 confidence 0.0 */
+/* 0x0a18	     ( 0  1) */		bl,pn	%icc,.L77000287	! tprob=0.50
+/* 0x0a1c	     ( 0  1) */		sll	%o5,2,%g2
+/* 0x0a20	     ( 1  4) */		ld	[%o2+%g2],%g3
+/* 0x0a24	     ( 2  5) */		ld	[%o3+%g2],%g2
+/* 0x0a28	     ( 4  5) */		cmp	%g2,%g3
+/* 0x0a2c	     ( 4  5) */		bleu,pt	%icc,.L77000224	! tprob=0.56
+/* 0x0a30	     ( 4  5) */		nop
+                                   .L77000287:		/* frequency 0.8 confidence 0.0 */
+/* 0x0a34	     ( 0  1) */		cmp	%g1,0
+/* 0x0a38	     ( 0  1) */		ble,pt	%icc,.L77000224	! tprob=0.60
+/* 0x0a3c	     ( 0  1) */		nop
+/* 0x0a40	 281 ( 1  2) */		sub	%g1,1,%o7
+/* 0x0a44	     ( 1  2) */		or	%g0,-1,%g2
+/* 0x0a48	     ( 2  3) */		srl	%g2,0,%o4
+/* 0x0a4c	     ( 2  3) */		add	%o7,1,%o0
+/* 0x0a50	 279 ( 3  4) */		or	%g0,0,%o5
+/* 0x0a54	     ( 3  4) */		or	%g0,0,%g1
+/* 0x0a58	     ( 4  5) */		cmp	%o0,3
+/* 0x0a5c	     ( 4  5) */		bl,pn	%icc,.L77000288	! tprob=0.40
+/* 0x0a60	     ( 4  5) */		add	%o3,8,%o1
+/* 0x0a64	     ( 5  6) */		add	%o2,4,%o0
+/* 0x0a68	     ( 5  8) */		ld	[%o1-8],%g2
+/* 0x0a6c	   0 ( 5  6) */		or	%g0,%o1,%o3
+/* 0x0a70	 279 ( 6  9) */		ld	[%o0-4],%g3
+/* 0x0a74	   0 ( 6  7) */		or	%g0,%o0,%o2
+/* 0x0a78	 279 ( 6  7) */		or	%g0,2,%g1
+/* 0x0a7c	     ( 7 10) */		ld	[%o3-4],%o0
+/* 0x0a80	     ( 8  9) */		sub	%g2,%g3,%g2
+/* 0x0a84	     ( 9 10) */		or	%g0,%g2,%o5
+/* 0x0a88	     ( 9 10) */		and	%g2,%o4,%g2
+/* 0x0a8c	     ( 9 10) */		st	%g2,[%o3-8]
+/* 0x0a90	     (10 11) */		srax	%o5,32,%o5
+                                   .L900000734:		/* frequency 64.0 confidence 0.0 */
+/* 0x0a94	     (12 20) */		ld	[%o2],%g2
+/* 0x0a98	     (12 13) */		add	%g1,1,%g1
+/* 0x0a9c	     (12 13) */		add	%o2,4,%o2
+/* 0x0aa0	     (13 13) */		cmp	%g1,%o7
+/* 0x0aa4	     (13 14) */		add	%o3,4,%o3
+/* 0x0aa8	     (14 14) */		sub	%o0,%g2,%o0
+/* 0x0aac	     (15 15) */		add	%o0,%o5,%o5
+/* 0x0ab0	     (16 17) */		and	%o5,%o4,%g2
+/* 0x0ab4	     (16 24) */		ld	[%o3-4],%o0
+/* 0x0ab8	     (17 18) */		st	%g2,[%o3-8]
+/* 0x0abc	     (17 18) */		ble,pt	%icc,.L900000734	! tprob=0.50
+/* 0x0ac0	     (17 18) */		srax	%o5,32,%o5
+                                   .L900000737:		/* frequency 8.0 confidence 0.0 */
+/* 0x0ac4	     ( 0  3) */		ld	[%o2],%o1
+/* 0x0ac8	     ( 2  3) */		sub	%o0,%o1,%o0
+/* 0x0acc	     ( 3  4) */		add	%o0,%o5,%o0
+/* 0x0ad0	     ( 4  5) */		and	%o0,%o4,%o1
+/* 0x0ad4	     ( 4  5) */		st	%o1,[%o3-4]
+/* 0x0ad8	     ( 5  7) */		ret	! Result = 
+/* 0x0adc	     ( 7  8) */		restore	%g0,%g0,%g0
+                                   .L77000288:		/* frequency 0.6 confidence 0.0 */
+/* 0x0ae0	     ( 0  3) */		ld	[%o3],%o0
+                                   .L900000742:		/* frequency 5.3 confidence 0.0 */
+/* 0x0ae4	     ( 0  3) */		ld	[%o2],%o1
+/* 0x0ae8	     ( 0  1) */		add	%o5,%o0,%o0
+/* 0x0aec	     ( 0  1) */		add	%g1,1,%g1
+/* 0x0af0	     ( 1  2) */		add	%o2,4,%o2
+/* 0x0af4	     ( 1  2) */		cmp	%g1,%o7
+/* 0x0af8	     ( 2  3) */		sub	%o0,%o1,%o0
+/* 0x0afc	     ( 3  4) */		and	%o0,%o4,%o1
+/* 0x0b00	     ( 3  4) */		st	%o1,[%o3]
+/* 0x0b04	     ( 3  4) */		add	%o3,4,%o3
+/* 0x0b08	     ( 4  5) */		srax	%o0,32,%o5
+/* 0x0b0c	     ( 4  5) */		ble,a,pt	%icc,.L900000742	! tprob=0.84
+/* 0x0b10	     ( 4  7) */		ld	[%o3],%o0
+                                   .L77000224:		/* frequency 1.0 confidence 0.0 */
+/* 0x0b14	     ( 0  2) */		ret	! Result = 
+/* 0x0b18	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x0b1c	   0 ( 0  0) */		.type	mont_mulf_noconv,2
+/* 0x0b1c	     ( 0  0) */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.il b/security/nss/lib/freebl/mpi/montmulfv8.il
new file mode 100644
index 000000000..27ce26a77
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv8.il
@@ -0,0 +1,141 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is inline macros for SPARC Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+
+	fdtox	%f10,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f12
+
+	fdtox	%f10,%f10
+	fmovs	%f12,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f2
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f4
+        std     %o4,[%sp+0x48]
+        ldd     [%sp+0x48],%f6
+
+	fmuld	%f2,%f4,%f4
+	fdtox	%f4,%f4
+	fxtod	%f4,%f4
+	fmuld	%f4,%f6,%f4
+	fsubd	%f2,%f4,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.s b/security/nss/lib/freebl/mpi/montmulfv8.s
new file mode 100644
index 000000000..25dcad322
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv8.s
@@ -0,0 +1,1850 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".rodata",#alloc
+	.global	TwoTo16
+	.align	8
+!
+! CONSTANT POOL
+!
+	.global TwoTo16
+TwoTo16:
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+	.global	TwoToMinus16
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus16
+TwoToMinus16:
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+	.global	Zero
+!
+! CONSTANT POOL
+!
+	.global Zero
+Zero:
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+	.global	TwoTo32
+!
+! CONSTANT POOL
+!
+	.global TwoTo32
+TwoTo32:
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+	.global	TwoToMinus32
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus32
+TwoToMinus32:
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_d16_to_i32
+                       conv_d16_to_i32:
+/* 000000	     */		save	%sp,-128,%sp
+! FILE montmulf.c
+
+!   36		      !#define RF_INLINE_MACROS
+!   38		      !static const double TwoTo16=65536.0;
+!   39		      !static const double TwoToMinus16=1.0/65536.0;
+!   40		      !static const double Zero=0.0;
+!   41		      !static const double TwoTo32=65536.0*65536.0;
+!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
+!   44		      !#ifdef RF_INLINE_MACROS
+!   46		      !double upper32(double);
+!   47		      !double lower32(double, double);
+!   48		      !double mod(double, double, double);
+!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+!   51		      !			  const double * /* 2^16*/,
+!   52		      !			  const double * /* 0 */,
+!   53		      !			  double *       /*result16*/, 
+!   54		      !			  double *       /* result32 */,
+!   55		      !			  float *  /*source - should be unsigned int*
+!   56		      !		          	       converted to float* */);
+!   58		      !#else
+!   60		      !static double upper32(double x)
+!   61		      !{
+!   62		      !  return floor(x*TwoToMinus32);
+!   63		      !}
+!   65		      !static double lower32(double x, double y)
+!   66		      !{
+!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   68		      !}
+!   70		      !static double mod(double x, double oneoverm, double m)
+!   71		      !{
+!   72		      !  return x-m*floor(x*oneoverm);
+!   73		      !}
+!   75		      !#endif
+!   78		      !static void cleanup(double *dt, int from, int tlen)
+!   79		      !{
+!   80		      ! int i;
+!   81		      ! double tmp,tmp1,x,x1;
+!   83		      ! tmp=tmp1=Zero;
+!   84		      ! /* original code **
+!   85		      ! for(i=2*from;i<2*tlen-2;i++)
+!   86		      !   {
+!   87		      !     x=dt[i];
+!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
+!   89		      !     tmp1=tmp;
+!   90		      !     tmp=upper32(x);
+!   91		      !   }
+!   92		      ! dt[tlen-2]+=tmp1;
+!   93		      ! dt[tlen-1]+=tmp;
+!   94		      ! **end original code ***/
+!   95		      ! /* new code ***/
+!   96		      ! for(i=2*from;i<2*tlen;i+=2)
+!   97		      !   {
+!   98		      !     x=dt[i];
+!   99		      !     x1=dt[i+1];
+!  100		      !     dt[i]=lower32(x,Zero)+tmp;
+!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!  102		      !     tmp=upper32(x);
+!  103		      !     tmp1=upper32(x1);
+!  104		      !   }
+!  105		      !  /** end new code **/
+!  106		      !}
+!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!  110		      !{
+!  111		      !int i;
+!  112		      !long long t, t1, a, b, c, d;
+!  114		      ! t1=0;
+!  115		      ! a=(long long)d16[0];
+
+/* 0x0004	 115 */		ldd	[%i1],%f0
+/* 0x0008	 110 */		or	%g0,%i1,%o0
+
+!  116		      ! b=(long long)d16[1];
+!  117		      ! for(i=0; i<ilen-1; i++)
+
+/* 0x000c	 117 */		sub	%i3,1,%g2
+/* 0x0010	     */		cmp	%g2,0
+/* 0x0014	 114 */		or	%g0,0,%o4
+/* 0x0018	 115 */		fdtox	%f0,%f0
+/* 0x001c	     */		std	%f0,[%sp+120]
+/* 0x0020	 117 */		or	%g0,0,%o7
+/* 0x0024	 110 */		or	%g0,%i3,%o1
+/* 0x0028	     */		sub	%i3,2,%o2
+/* 0x002c	 116 */		ldd	[%o0+8],%f0
+/* 0x0030	 110 */		sethi	%hi(0xfc00),%o1
+/* 0x0034	     */		add	%o2,1,%g3
+/* 0x0038	     */		add	%o1,1023,%o1
+/* 0x003c	     */		or	%g0,%i0,%o5
+/* 0x0040	 116 */		fdtox	%f0,%f0
+/* 0x0044	     */		std	%f0,[%sp+112]
+/* 0x0048	     */		ldx	[%sp+112],%g1
+/* 0x004c	 115 */		ldx	[%sp+120],%g4
+/* 0x0050	 117 */		ble,pt	%icc,.L900000117
+/* 0x0054	     */		sethi	%hi(0xfc00),%g2
+/* 0x0058	 110 */		or	%g0,-1,%g2
+/* 0x005c	 117 */		cmp	%g3,3
+/* 0x0060	 110 */		srl	%g2,0,%o3
+/* 0x0064	 117 */		bl,pn	%icc,.L77000134
+/* 0x0068	     */		or	%g0,%o0,%g2
+
+!  118		      !   {
+!  119		      !     c=(long long)d16[2*i+2];
+
+/* 0x006c	 119 */		ldd	[%o0+16],%f0
+
+!  120		      !     t1+=a&0xffffffff;
+!  121		      !     t=(a>>32);
+!  122		      !     d=(long long)d16[2*i+3];
+!  123		      !     t1+=(b&0xffff)<<16;
+!  124		      !     t+=(b>>16)+(t1>>32);
+!  125		      !     i32[i]=t1&0xffffffff;
+!  126		      !     t1=t;
+!  127		      !     a=c;
+!  128		      !     b=d;
+
+/* 0x0070	 128 */		add	%o0,16,%g2
+/* 0x0074	 123 */		and	%g1,%o1,%o0
+/* 0x0078	     */		sllx	%o0,16,%g3
+/* 0x007c	 120 */		and	%g4,%o3,%o0
+/* 0x0080	 117 */		add	%o0,%g3,%o4
+/* 0x0084	 119 */		fdtox	%f0,%f0
+/* 0x0088	     */		std	%f0,[%sp+104]
+/* 0x008c	 125 */		and	%o4,%o3,%g5
+/* 0x0090	 122 */		ldd	[%g2+8],%f2
+/* 0x0094	 128 */		add	%o5,4,%o5
+/* 0x0098	 124 */		srax	%o4,32,%o4
+/* 0x009c	     */		stx	%o4,[%sp+112]
+/* 0x00a0	 122 */		fdtox	%f2,%f0
+/* 0x00a4	     */		std	%f0,[%sp+96]
+/* 0x00a8	 124 */		srax	%g1,16,%o0
+/* 0x00ac	     */		ldx	[%sp+112],%o7
+/* 0x00b0	 121 */		srax	%g4,32,%o4
+/* 0x00b4	 124 */		add	%o0,%o7,%g4
+/* 0x00b8	 128 */		or	%g0,1,%o7
+/* 0x00bc	 119 */		ldx	[%sp+104],%g3
+/* 0x00c0	 124 */		add	%o4,%g4,%o4
+/* 0x00c4	 122 */		ldx	[%sp+96],%g1
+/* 0x00c8	 125 */		st	%g5,[%o5-4]
+/* 0x00cc	 127 */		or	%g0,%g3,%g4
+                       .L900000112:
+/* 0x00d0	 119 */		ldd	[%g2+16],%f0
+/* 0x00d4	 128 */		add	%o7,1,%o7
+/* 0x00d8	     */		add	%o5,4,%o5
+/* 0x00dc	     */		cmp	%o7,%o2
+/* 0x00e0	     */		add	%g2,16,%g2
+/* 0x00e4	 119 */		fdtox	%f0,%f0
+/* 0x00e8	     */		std	%f0,[%sp+104]
+/* 0x00ec	 122 */		ldd	[%g2+8],%f0
+/* 0x00f0	     */		fdtox	%f0,%f0
+/* 0x00f4	     */		std	%f0,[%sp+96]
+/* 0x00f8	 123 */		and	%g1,%o1,%g3
+/* 0x00fc	     */		sllx	%g3,16,%g5
+/* 0x0100	 120 */		and	%g4,%o3,%g3
+/* 0x0104	 117 */		add	%g3,%g5,%g3
+/* 0x0108	 124 */		srax	%g1,16,%g1
+/* 0x010c	 117 */		add	%g3,%o4,%g3
+/* 0x0110	 124 */		srax	%g3,32,%o4
+/* 0x0114	     */		stx	%o4,[%sp+112]
+/* 0x0118	 119 */		ldx	[%sp+104],%g5
+/* 0x011c	 121 */		srax	%g4,32,%o4
+/* 0x0120	 124 */		ldx	[%sp+112],%g4
+/* 0x0124	     */		add	%g1,%g4,%g4
+/* 0x0128	 122 */		ldx	[%sp+96],%g1
+/* 0x012c	 124 */		add	%o4,%g4,%o4
+/* 0x0130	 125 */		and	%g3,%o3,%g3
+/* 0x0134	 127 */		or	%g0,%g5,%g4
+/* 0x0138	 128 */		ble,pt	%icc,.L900000112
+/* 0x013c	     */		st	%g3,[%o5-4]
+                       .L900000115:
+/* 0x0140	 128 */		ba	.L900000117
+/* 0x0144	     */		sethi	%hi(0xfc00),%g2
+                       .L77000134:
+/* 0x0148	 119 */		ldd	[%g2+16],%f0
+                       .L900000116:
+/* 0x014c	 120 */		and	%g4,%o3,%o0
+/* 0x0150	 123 */		and	%g1,%o1,%g3
+/* 0x0154	 119 */		fdtox	%f0,%f0
+/* 0x0158	 120 */		add	%o4,%o0,%o0
+/* 0x015c	 119 */		std	%f0,[%sp+104]
+/* 0x0160	 128 */		add	%o7,1,%o7
+/* 0x0164	 123 */		sllx	%g3,16,%o4
+/* 0x0168	 122 */		ldd	[%g2+24],%f2
+/* 0x016c	 128 */		add	%g2,16,%g2
+/* 0x0170	 123 */		add	%o0,%o4,%o0
+/* 0x0174	 128 */		cmp	%o7,%o2
+/* 0x0178	 125 */		and	%o0,%o3,%g3
+/* 0x017c	 122 */		fdtox	%f2,%f0
+/* 0x0180	     */		std	%f0,[%sp+96]
+/* 0x0184	 124 */		srax	%o0,32,%o0
+/* 0x0188	     */		stx	%o0,[%sp+112]
+/* 0x018c	 121 */		srax	%g4,32,%o4
+/* 0x0190	 122 */		ldx	[%sp+96],%o0
+/* 0x0194	 124 */		srax	%g1,16,%g5
+/* 0x0198	     */		ldx	[%sp+112],%g4
+/* 0x019c	 119 */		ldx	[%sp+104],%g1
+/* 0x01a0	 125 */		st	%g3,[%o5]
+/* 0x01a4	 124 */		add	%g5,%g4,%g4
+/* 0x01a8	 128 */		add	%o5,4,%o5
+/* 0x01ac	 124 */		add	%o4,%g4,%o4
+/* 0x01b0	 127 */		or	%g0,%g1,%g4
+/* 0x01b4	 128 */		or	%g0,%o0,%g1
+/* 0x01b8	     */		ble,a,pt	%icc,.L900000116
+/* 0x01bc	     */		ldd	[%g2+16],%f0
+                       .L77000127:
+
+!  129		      !   }
+!  130		      !     t1+=a&0xffffffff;
+!  131		      !     t=(a>>32);
+!  132		      !     t1+=(b&0xffff)<<16;
+!  133		      !     i32[i]=t1&0xffffffff;
+
+/* 0x01c0	 133 */		sethi	%hi(0xfc00),%g2
+                       .L900000117:
+/* 0x01c4	 133 */		or	%g0,-1,%g3
+/* 0x01c8	     */		add	%g2,1023,%g2
+/* 0x01cc	     */		srl	%g3,0,%g3
+/* 0x01d0	     */		and	%g1,%g2,%g2
+/* 0x01d4	     */		and	%g4,%g3,%g4
+/* 0x01d8	     */		sllx	%g2,16,%g2
+/* 0x01dc	     */		add	%o4,%g4,%g4
+/* 0x01e0	     */		add	%g4,%g2,%g2
+/* 0x01e4	     */		sll	%o7,2,%g4
+/* 0x01e8	     */		and	%g2,%g3,%g2
+/* 0x01ec	     */		st	%g2,[%i0+%g4]
+/* 0x01f0	     */		ret	! Result = 
+/* 0x01f4	     */		restore	%g0,%g0,%g0
+/* 0x01f8	   0 */		.type	conv_d16_to_i32,2
+/* 0x01f8	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000201:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+/* 0x0008	     */		.skip	16
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32
+                       conv_i32_to_d32:
+/* 000000	     */		or	%g0,%o7,%g2
+
+!  135		      !}
+!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!  138		      !{
+!  139		      !int i;
+!  141		      !#pragma pipeloop(0)
+!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	 142 */		cmp	%o2,0
+                       .L900000210:
+/* 0x0008	     */		call	.+8
+/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0010	 142 */		or	%g0,0,%o5
+/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0018	     */		or	%g0,%o0,%g5
+/* 0x001c	     */		add	%g4,%o7,%g1
+/* 0x0020	 142 */		ble,pt	%icc,.L77000140
+/* 0x0024	     */		or	%g0,%g2,%o7
+/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g2
+/* 0x002c	 138 */		or	%g0,%o1,%g4
+/* 0x0030	 142 */		add	%g2,%lo(.L_const_seg_900000201),%g2
+/* 0x0034	     */		sub	%o2,1,%g3
+/* 0x0038	     */		ld	[%g1+%g2],%g2
+/* 0x003c	     */		cmp	%o2,9
+/* 0x0040	     */		bl,pn	%icc,.L77000144
+/* 0x0044	     */		ldd	[%g2],%f8
+/* 0x0048	     */		add	%o1,16,%g4
+/* 0x004c	     */		sub	%o2,5,%g1
+/* 0x0050	     */		ld	[%o1],%f7
+/* 0x0054	     */		or	%g0,4,%o5
+/* 0x0058	     */		ld	[%o1+4],%f5
+/* 0x005c	     */		ld	[%o1+8],%f3
+/* 0x0060	     */		fmovs	%f8,%f6
+/* 0x0064	     */		ld	[%o1+12],%f1
+                       .L900000205:
+/* 0x0068	     */		ld	[%g4],%f11
+/* 0x006c	     */		add	%o5,5,%o5
+/* 0x0070	     */		add	%g4,20,%g4
+/* 0x0074	     */		fsubd	%f6,%f8,%f6
+/* 0x0078	     */		std	%f6,[%g5]
+/* 0x007c	     */		cmp	%o5,%g1
+/* 0x0080	     */		add	%g5,40,%g5
+/* 0x0084	     */		fmovs	%f8,%f4
+/* 0x0088	     */		ld	[%g4-16],%f7
+/* 0x008c	     */		fsubd	%f4,%f8,%f12
+/* 0x0090	     */		fmovs	%f8,%f2
+/* 0x0094	     */		std	%f12,[%g5-32]
+/* 0x0098	     */		ld	[%g4-12],%f5
+/* 0x009c	     */		fsubd	%f2,%f8,%f12
+/* 0x00a0	     */		fmovs	%f8,%f0
+/* 0x00a4	     */		std	%f12,[%g5-24]
+/* 0x00a8	     */		ld	[%g4-8],%f3
+/* 0x00ac	     */		fsubd	%f0,%f8,%f12
+/* 0x00b0	     */		fmovs	%f8,%f10
+/* 0x00b4	     */		std	%f12,[%g5-16]
+/* 0x00b8	     */		ld	[%g4-4],%f1
+/* 0x00bc	     */		fsubd	%f10,%f8,%f10
+/* 0x00c0	     */		fmovs	%f8,%f6
+/* 0x00c4	     */		ble,pt	%icc,.L900000205
+/* 0x00c8	     */		std	%f10,[%g5-8]
+                       .L900000208:
+/* 0x00cc	     */		fmovs	%f8,%f4
+/* 0x00d0	     */		add	%g5,32,%g5
+/* 0x00d4	     */		cmp	%o5,%g3
+/* 0x00d8	     */		fmovs	%f8,%f2
+/* 0x00dc	     */		fmovs	%f8,%f0
+/* 0x00e0	     */		fsubd	%f6,%f8,%f6
+/* 0x00e4	     */		std	%f6,[%g5-32]
+/* 0x00e8	     */		fsubd	%f4,%f8,%f4
+/* 0x00ec	     */		std	%f4,[%g5-24]
+/* 0x00f0	     */		fsubd	%f2,%f8,%f2
+/* 0x00f4	     */		std	%f2,[%g5-16]
+/* 0x00f8	     */		fsubd	%f0,%f8,%f0
+/* 0x00fc	     */		bg,pn	%icc,.L77000140
+/* 0x0100	     */		std	%f0,[%g5-8]
+                       .L77000144:
+/* 0x0104	     */		ld	[%g4],%f1
+                       .L900000211:
+/* 0x0108	     */		ldd	[%g2],%f8
+/* 0x010c	     */		add	%o5,1,%o5
+/* 0x0110	     */		add	%g4,4,%g4
+/* 0x0114	     */		cmp	%o5,%g3
+/* 0x0118	     */		fmovs	%f8,%f0
+/* 0x011c	     */		fsubd	%f0,%f8,%f0
+/* 0x0120	     */		std	%f0,[%g5]
+/* 0x0124	     */		add	%g5,8,%g5
+/* 0x0128	     */		ble,a,pt	%icc,.L900000211
+/* 0x012c	     */		ld	[%g4],%f1
+                       .L77000140:
+/* 0x0130	     */		retl	! Result = 
+/* 0x0134	     */		nop
+/* 0x0138	   0 */		.type	conv_i32_to_d32,2
+/* 0x0138	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000301:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d16
+                       conv_i32_to_d16:
+/* 000000	     */		save	%sp,-104,%sp
+/* 0x0004	     */		or	%g0,%i2,%o0
+
+!  143		      !}
+!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  147		      !{
+!  148		      !int i;
+!  149		      !unsigned int a;
+!  151		      !#pragma pipeloop(0)
+!  152		      ! for(i=0;i<len;i++)
+!  153		      !   {
+!  154		      !     a=i32[i];
+!  155		      !     d16[2*i]=(double)(a&0xffff);
+!  156		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0008	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
+                       .L900000310:
+/* 0x000c	     */		call	.+8
+/* 0x0010	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x0014	 152 */		cmp	%o0,0
+/* 0x0018	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x001c	 152 */		ble,pt	%icc,.L77000150
+/* 0x0020	     */		add	%g3,%o7,%o2
+/* 0x0024	     */		sub	%i2,1,%o5
+/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%o1
+/* 0x002c	 152 */		sethi	%hi(0xfc00),%o0
+/* 0x0030	     */		ld	[%o2+%o1],%o3
+/* 0x0034	     */		add	%o5,1,%g2
+/* 0x0038	     */		or	%g0,0,%g1
+/* 0x003c	     */		cmp	%g2,3
+/* 0x0040	     */		or	%g0,%i1,%o7
+/* 0x0044	     */		add	%o0,1023,%o4
+/* 0x0048	     */		or	%g0,%i0,%g3
+/* 0x004c	     */		bl,pn	%icc,.L77000154
+/* 0x0050	     */		add	%o7,4,%o0
+/* 0x0054	 155 */		ldd	[%o3],%f0
+/* 0x0058	 156 */		or	%g0,1,%g1
+/* 0x005c	 154 */		ld	[%o0-4],%o1
+/* 0x0060	   0 */		or	%g0,%o0,%o7
+/* 0x0064	 155 */		and	%o1,%o4,%o0
+                       .L900000306:
+/* 0x0068	 155 */		st	%o0,[%sp+96]
+/* 0x006c	 156 */		add	%g1,1,%g1
+/* 0x0070	     */		add	%g3,16,%g3
+/* 0x0074	     */		cmp	%g1,%o5
+/* 0x0078	     */		add	%o7,4,%o7
+/* 0x007c	 155 */		ld	[%sp+96],%f3
+/* 0x0080	     */		fmovs	%f0,%f2
+/* 0x0084	     */		fsubd	%f2,%f0,%f2
+/* 0x0088	 156 */		srl	%o1,16,%o0
+/* 0x008c	 155 */		std	%f2,[%g3-16]
+/* 0x0090	 156 */		st	%o0,[%sp+92]
+/* 0x0094	     */		ld	[%sp+92],%f3
+/* 0x0098	 154 */		ld	[%o7-4],%o1
+/* 0x009c	 156 */		fmovs	%f0,%f2
+/* 0x00a0	     */		fsubd	%f2,%f0,%f2
+/* 0x00a4	 155 */		and	%o1,%o4,%o0
+/* 0x00a8	 156 */		ble,pt	%icc,.L900000306
+/* 0x00ac	     */		std	%f2,[%g3-8]
+                       .L900000309:
+/* 0x00b0	 155 */		st	%o0,[%sp+96]
+/* 0x00b4	     */		fmovs	%f0,%f2
+/* 0x00b8	 156 */		add	%g3,16,%g3
+/* 0x00bc	     */		srl	%o1,16,%o0
+/* 0x00c0	 155 */		ld	[%sp+96],%f3
+/* 0x00c4	     */		fsubd	%f2,%f0,%f2
+/* 0x00c8	     */		std	%f2,[%g3-16]
+/* 0x00cc	 156 */		st	%o0,[%sp+92]
+/* 0x00d0	     */		fmovs	%f0,%f2
+/* 0x00d4	     */		ld	[%sp+92],%f3
+/* 0x00d8	     */		fsubd	%f2,%f0,%f0
+/* 0x00dc	     */		std	%f0,[%g3-8]
+/* 0x00e0	     */		ret	! Result = 
+/* 0x00e4	     */		restore	%g0,%g0,%g0
+                       .L77000154:
+/* 0x00e8	 154 */		ld	[%o7],%o0
+                       .L900000311:
+/* 0x00ec	 155 */		and	%o0,%o4,%o1
+/* 0x00f0	     */		st	%o1,[%sp+96]
+/* 0x00f4	 156 */		add	%g1,1,%g1
+/* 0x00f8	 155 */		ldd	[%o3],%f0
+/* 0x00fc	 156 */		srl	%o0,16,%o0
+/* 0x0100	     */		add	%o7,4,%o7
+/* 0x0104	     */		cmp	%g1,%o5
+/* 0x0108	 155 */		fmovs	%f0,%f2
+/* 0x010c	     */		ld	[%sp+96],%f3
+/* 0x0110	     */		fsubd	%f2,%f0,%f2
+/* 0x0114	     */		std	%f2,[%g3]
+/* 0x0118	 156 */		st	%o0,[%sp+92]
+/* 0x011c	     */		fmovs	%f0,%f2
+/* 0x0120	     */		ld	[%sp+92],%f3
+/* 0x0124	     */		fsubd	%f2,%f0,%f0
+/* 0x0128	     */		std	%f0,[%g3+8]
+/* 0x012c	     */		add	%g3,16,%g3
+/* 0x0130	     */		ble,a,pt	%icc,.L900000311
+/* 0x0134	     */		ld	[%o7],%o0
+                       .L77000150:
+/* 0x0138	     */		ret	! Result = 
+/* 0x013c	     */		restore	%g0,%g0,%g0
+/* 0x0140	   0 */		.type	conv_i32_to_d16,2
+/* 0x0140	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000401:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+/* 0x0008	     */		.skip	16
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32_and_d16
+                       conv_i32_to_d32_and_d16:
+/* 000000	     */		save	%sp,-120,%sp
+                       .L900000415:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
+
+!  157		      !   }
+!  158		      !}
+!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  162		      !			     unsigned int *i32, int len)
+!  163		      !{
+!  164		      !int i = 0;
+!  165		      !unsigned int a;
+!  167		      !#pragma pipeloop(0)
+!  168		      !#ifdef RF_INLINE_MACROS
+!  169		      ! for(;i<len-3;i+=4)
+
+/* 0x000c	 169 */		sub	%i3,3,%g2
+/* 0x0010	     */		cmp	%g2,0
+/* 0x0014	 163 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
+
+!  170		      !   {
+!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x0018	 172 */		sethi	%hi(Zero),%g2
+/* 0x001c	 163 */		add	%g4,%o7,%o4
+/* 0x0020	 172 */		add	%g2,%lo(Zero),%g2
+/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0028	     */		ld	[%o4+%g2],%o1
+/* 0x002c	     */		sethi	%hi(TwoTo16),%g4
+/* 0x0030	     */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x0034	     */		ld	[%o4+%g2],%o3
+/* 0x0038	 164 */		or	%g0,0,%g5
+/* 0x003c	 172 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0040	     */		ld	[%o4+%g3],%o2
+/* 0x0044	 163 */		or	%g0,%i0,%i4
+/* 0x0048	 169 */		or	%g0,%i2,%o7
+/* 0x004c	     */		ble,pt	%icc,.L900000418
+/* 0x0050	     */		cmp	%g5,%i3
+/* 0x0054	 172 */		stx	%o7,[%sp+104]
+/* 0x0058	 169 */		sub	%i3,4,%o5
+/* 0x005c	     */		or	%g0,0,%g4
+/* 0x0060	     */		or	%g0,0,%g1
+                       .L900000417:
+/* 0x0064	     */		ldd	[%o1],%f2
+/* 0x0068	 172 */		add	%i4,%g4,%g2
+/* 0x006c	     */		add	%i1,%g1,%g3
+/* 0x0070	     */		ldd	[%o3],%f0
+/* 0x0074	     */		add	%g5,4,%g5
+/* 0x0078	     */		fmovd	%f2,%f14
+/* 0x007c	     */		ld	[%o7],%f15
+/* 0x0080	     */		cmp	%g5,%o5
+/* 0x0084	     */		fmovd	%f2,%f10
+/* 0x0088	     */		ld	[%o7+4],%f11
+/* 0x008c	     */		add	%o7,16,%o7
+/* 0x0090	     */		ldx	[%sp+104],%o0
+/* 0x0094	     */		fmovd	%f2,%f6
+/* 0x0098	     */		stx	%o7,[%sp+112]
+/* 0x009c	     */		fxtod	%f14,%f14
+/* 0x00a0	     */		ld	[%o0+8],%f7
+/* 0x00a4	     */		fxtod	%f10,%f10
+/* 0x00a8	     */		ld	[%o0+12],%f3
+/* 0x00ac	     */		fxtod	%f6,%f6
+/* 0x00b0	     */		ldd	[%o2],%f16
+/* 0x00b4	     */		fmuld	%f0,%f14,%f12
+/* 0x00b8	     */		fxtod	%f2,%f2
+/* 0x00bc	     */		fmuld	%f0,%f10,%f8
+/* 0x00c0	     */		std	%f14,[%i4+%g4]
+/* 0x00c4	     */		ldx	[%sp+112],%o7
+/* 0x00c8	     */		add	%g4,32,%g4
+/* 0x00cc	     */		fmuld	%f0,%f6,%f4
+/* 0x00d0	     */		fdtox	%f12,%f12
+/* 0x00d4	     */		std	%f10,[%g2+8]
+/* 0x00d8	     */		fmuld	%f0,%f2,%f0
+/* 0x00dc	     */		fdtox	%f8,%f8
+/* 0x00e0	     */		std	%f6,[%g2+16]
+/* 0x00e4	     */		std	%f2,[%g2+24]
+/* 0x00e8	     */		fdtox	%f4,%f4
+/* 0x00ec	     */		fdtox	%f0,%f0
+/* 0x00f0	     */		fxtod	%f12,%f12
+/* 0x00f4	     */		std	%f12,[%g3+8]
+/* 0x00f8	     */		fxtod	%f8,%f8
+/* 0x00fc	     */		std	%f8,[%g3+24]
+/* 0x0100	     */		fxtod	%f4,%f4
+/* 0x0104	     */		std	%f4,[%g3+40]
+/* 0x0108	     */		fxtod	%f0,%f0
+/* 0x010c	     */		std	%f0,[%g3+56]
+/* 0x0110	     */		fmuld	%f12,%f16,%f12
+/* 0x0114	     */		fmuld	%f8,%f16,%f8
+/* 0x0118	     */		fmuld	%f4,%f16,%f4
+/* 0x011c	     */		fsubd	%f14,%f12,%f12
+/* 0x0120	     */		std	%f12,[%i1+%g1]
+/* 0x0124	     */		fmuld	%f0,%f16,%f0
+/* 0x0128	     */		fsubd	%f10,%f8,%f8
+/* 0x012c	     */		std	%f8,[%g3+16]
+/* 0x0130	     */		add	%g1,64,%g1
+/* 0x0134	     */		fsubd	%f6,%f4,%f4
+/* 0x0138	     */		std	%f4,[%g3+32]
+/* 0x013c	     */		fsubd	%f2,%f0,%f0
+/* 0x0140	     */		std	%f0,[%g3+48]
+/* 0x0144	     */		ble,a,pt	%icc,.L900000417
+/* 0x0148	     */		stx	%o7,[%sp+104]
+                       .L77000159:
+
+!  173		      !   }
+!  174		      !#endif
+!  175		      ! for(;i<len;i++)
+
+/* 0x014c	 175 */		cmp	%g5,%i3
+                       .L900000418:
+/* 0x0150	 175 */		bge,pt	%icc,.L77000164
+/* 0x0154	     */		nop
+
+!  176		      !   {
+!  177		      !     a=i32[i];
+!  178		      !     d32[i]=(double)(i32[i]);
+!  179		      !     d16[2*i]=(double)(a&0xffff);
+!  180		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
+/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%o1
+/* 0x0160	 175 */		sethi	%hi(0xfc00),%o0
+/* 0x0164	     */		ld	[%o4+%o1],%o2
+/* 0x0168	     */		sll	%g5,2,%o3
+/* 0x016c	     */		sub	%i3,%g5,%g3
+/* 0x0170	     */		sll	%g5,3,%g2
+/* 0x0174	     */		add	%o0,1023,%o4
+/* 0x0178	 178 */		ldd	[%o2],%f0
+/* 0x017c	     */		add	%i2,%o3,%o0
+/* 0x0180	 175 */		cmp	%g3,3
+/* 0x0184	     */		add	%i4,%g2,%o3
+/* 0x0188	     */		sub	%i3,1,%o1
+/* 0x018c	     */		sll	%g5,4,%g4
+/* 0x0190	     */		bl,pn	%icc,.L77000161
+/* 0x0194	     */		add	%i1,%g4,%o5
+/* 0x0198	 178 */		ld	[%o0],%f3
+/* 0x019c	 180 */		add	%o3,8,%o3
+/* 0x01a0	 177 */		ld	[%o0],%o7
+/* 0x01a4	 180 */		add	%o5,16,%o5
+/* 0x01a8	     */		add	%g5,1,%g5
+/* 0x01ac	 178 */		fmovs	%f0,%f2
+/* 0x01b0	 180 */		add	%o0,4,%o0
+/* 0x01b4	 179 */		and	%o7,%o4,%g1
+/* 0x01b8	 178 */		fsubd	%f2,%f0,%f2
+/* 0x01bc	     */		std	%f2,[%o3-8]
+/* 0x01c0	 180 */		srl	%o7,16,%o7
+/* 0x01c4	 179 */		st	%g1,[%sp+96]
+/* 0x01c8	     */		fmovs	%f0,%f2
+/* 0x01cc	     */		ld	[%sp+96],%f3
+/* 0x01d0	     */		fsubd	%f2,%f0,%f2
+/* 0x01d4	     */		std	%f2,[%o5-16]
+/* 0x01d8	 180 */		st	%o7,[%sp+92]
+/* 0x01dc	     */		fmovs	%f0,%f2
+/* 0x01e0	     */		ld	[%sp+92],%f3
+/* 0x01e4	     */		fsubd	%f2,%f0,%f2
+/* 0x01e8	     */		std	%f2,[%o5-8]
+                       .L900000411:
+/* 0x01ec	 178 */		ld	[%o0],%f3
+/* 0x01f0	 180 */		add	%g5,2,%g5
+/* 0x01f4	     */		add	%o5,32,%o5
+/* 0x01f8	 177 */		ld	[%o0],%o7
+/* 0x01fc	 180 */		cmp	%g5,%o1
+/* 0x0200	     */		add	%o3,16,%o3
+/* 0x0204	 178 */		fmovs	%f0,%f2
+/* 0x0208	     */		fsubd	%f2,%f0,%f2
+/* 0x020c	     */		std	%f2,[%o3-16]
+/* 0x0210	 179 */		and	%o7,%o4,%g1
+/* 0x0214	     */		st	%g1,[%sp+96]
+/* 0x0218	     */		ld	[%sp+96],%f3
+/* 0x021c	     */		fmovs	%f0,%f2
+/* 0x0220	     */		fsubd	%f2,%f0,%f2
+/* 0x0224	 180 */		srl	%o7,16,%o7
+/* 0x0228	 179 */		std	%f2,[%o5-32]
+/* 0x022c	 180 */		st	%o7,[%sp+92]
+/* 0x0230	     */		ld	[%sp+92],%f3
+/* 0x0234	     */		fmovs	%f0,%f2
+/* 0x0238	     */		fsubd	%f2,%f0,%f2
+/* 0x023c	     */		std	%f2,[%o5-24]
+/* 0x0240	     */		add	%o0,4,%o0
+/* 0x0244	 178 */		ld	[%o0],%f3
+/* 0x0248	 177 */		ld	[%o0],%o7
+/* 0x024c	 178 */		fmovs	%f0,%f2
+/* 0x0250	     */		fsubd	%f2,%f0,%f2
+/* 0x0254	     */		std	%f2,[%o3-8]
+/* 0x0258	 179 */		and	%o7,%o4,%g1
+/* 0x025c	     */		st	%g1,[%sp+96]
+/* 0x0260	     */		ld	[%sp+96],%f3
+/* 0x0264	     */		fmovs	%f0,%f2
+/* 0x0268	     */		fsubd	%f2,%f0,%f2
+/* 0x026c	 180 */		srl	%o7,16,%o7
+/* 0x0270	 179 */		std	%f2,[%o5-16]
+/* 0x0274	 180 */		st	%o7,[%sp+92]
+/* 0x0278	     */		ld	[%sp+92],%f3
+/* 0x027c	     */		fmovs	%f0,%f2
+/* 0x0280	     */		fsubd	%f2,%f0,%f2
+/* 0x0284	     */		std	%f2,[%o5-8]
+/* 0x0288	     */		bl,pt	%icc,.L900000411
+/* 0x028c	     */		add	%o0,4,%o0
+                       .L900000414:
+/* 0x0290	 180 */		cmp	%g5,%i3
+/* 0x0294	     */		bge,pn	%icc,.L77000164
+/* 0x0298	     */		nop
+                       .L77000161:
+/* 0x029c	 178 */		ld	[%o0],%f3
+                       .L900000416:
+/* 0x02a0	 178 */		ldd	[%o2],%f0
+/* 0x02a4	 180 */		add	%g5,1,%g5
+/* 0x02a8	 177 */		ld	[%o0],%o1
+/* 0x02ac	 180 */		add	%o0,4,%o0
+/* 0x02b0	     */		cmp	%g5,%i3
+/* 0x02b4	 178 */		fmovs	%f0,%f2
+/* 0x02b8	 179 */		and	%o1,%o4,%o7
+/* 0x02bc	 178 */		fsubd	%f2,%f0,%f2
+/* 0x02c0	     */		std	%f2,[%o3]
+/* 0x02c4	 180 */		srl	%o1,16,%o1
+/* 0x02c8	 179 */		st	%o7,[%sp+96]
+/* 0x02cc	 180 */		add	%o3,8,%o3
+/* 0x02d0	 179 */		fmovs	%f0,%f2
+/* 0x02d4	     */		ld	[%sp+96],%f3
+/* 0x02d8	     */		fsubd	%f2,%f0,%f2
+/* 0x02dc	     */		std	%f2,[%o5]
+/* 0x02e0	 180 */		st	%o1,[%sp+92]
+/* 0x02e4	     */		fmovs	%f0,%f2
+/* 0x02e8	     */		ld	[%sp+92],%f3
+/* 0x02ec	     */		fsubd	%f2,%f0,%f0
+/* 0x02f0	     */		std	%f0,[%o5+8]
+/* 0x02f4	     */		add	%o5,16,%o5
+/* 0x02f8	     */		bl,a,pt	%icc,.L900000416
+/* 0x02fc	     */		ld	[%o0],%f3
+                       .L77000164:
+/* 0x0300	     */		ret	! Result = 
+/* 0x0304	     */		restore	%g0,%g0,%g0
+/* 0x0308	   0 */		.type	conv_i32_to_d32_and_d16,2
+/* 0x0308	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global adjust_montf_result
+                       adjust_montf_result:
+/* 000000	     */		or	%g0,%o2,%g5
+
+!  181		      !   }
+!  182		      !}
+!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  186		      !{
+!  187		      !long long acc;
+!  188		      !int i;
+!  190		      ! if(i32[len]>0) i=-1;
+
+/* 0x0004	 190 */		or	%g0,-1,%g4
+/* 0x0008	     */		sll	%o2,2,%g1
+/* 0x000c	     */		ld	[%o0+%g1],%g1
+/* 0x0010	     */		cmp	%g1,0
+/* 0x0014	     */		bleu,pn	%icc,.L77000175
+/* 0x0018	     */		or	%g0,%o1,%o3
+/* 0x001c	     */		ba	.L900000511
+/* 0x0020	     */		cmp	%g4,0
+                       .L77000175:
+
+!  191		      ! else
+!  192		      !   {
+!  193		      !     for(i=len-1; i>=0; i--)
+
+/* 0x0024	 193 */		sub	%o2,1,%g4
+/* 0x0028	     */		sll	%g4,2,%g1
+/* 0x002c	     */		cmp	%g4,0
+/* 0x0030	     */		bl,pt	%icc,.L900000511
+/* 0x0034	     */		cmp	%g4,0
+/* 0x0038	     */		add	%o1,%g1,%g2
+
+!  194		      !       {
+!  195		      !	 if(i32[i]!=nint[i]) break;
+
+/* 0x003c	 195 */		ld	[%g2],%o5
+/* 0x0040	 193 */		add	%o0,%g1,%g3
+                       .L900000510:
+/* 0x0044	 195 */		ld	[%g3],%o2
+/* 0x0048	     */		sub	%g4,1,%g1
+/* 0x004c	     */		sub	%g2,4,%g2
+/* 0x0050	     */		sub	%g3,4,%g3
+/* 0x0054	     */		cmp	%o2,%o5
+/* 0x0058	     */		bne,pn	%icc,.L77000182
+/* 0x005c	     */		nop
+/* 0x0060	   0 */		or	%g0,%g1,%g4
+/* 0x0064	 195 */		cmp	%g1,0
+/* 0x0068	     */		bge,a,pt	%icc,.L900000510
+/* 0x006c	     */		ld	[%g2],%o5
+                       .L77000182:
+
+!  196		      !       }
+!  197		      !   }
+!  198		      ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x0070	 198 */		cmp	%g4,0
+                       .L900000511:
+/* 0x0074	 198 */		bl,pn	%icc,.L77000198
+/* 0x0078	     */		sll	%g4,2,%g2
+/* 0x007c	     */		ld	[%o1+%g2],%g1
+/* 0x0080	     */		ld	[%o0+%g2],%g2
+/* 0x0084	     */		cmp	%g2,%g1
+/* 0x0088	     */		bleu,pt	%icc,.L77000191
+/* 0x008c	     */		nop
+                       .L77000198:
+
+!  199		      !   {
+!  200		      !     acc=0;
+!  201		      !     for(i=0;i<len;i++)
+
+/* 0x0090	 201 */		cmp	%g5,0
+/* 0x0094	     */		ble,pt	%icc,.L77000191
+/* 0x0098	     */		nop
+/* 0x009c	     */		or	%g0,%g5,%g1
+/* 0x00a0	 198 */		or	%g0,-1,%g2
+/* 0x00a4	     */		srl	%g2,0,%g3
+/* 0x00a8	     */		sub	%g5,1,%g4
+/* 0x00ac	 200 */		or	%g0,0,%g5
+/* 0x00b0	 201 */		or	%g0,0,%o5
+/* 0x00b4	 198 */		or	%g0,%o0,%o4
+/* 0x00b8	     */		cmp	%g1,3
+/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
+/* 0x00c0	     */		add	%o0,8,%g1
+/* 0x00c4	     */		add	%o1,4,%g2
+
+!  202		      !       {
+!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00c8	 203 */		ld	[%o0],%o2
+/* 0x00cc	     */		ld	[%o1],%o1
+/* 0x00d0	   0 */		or	%g0,%g1,%o4
+/* 0x00d4	     */		or	%g0,%g2,%o3
+/* 0x00d8	 203 */		ld	[%o0+4],%g1
+
+!  204		      !	 i32[i]=acc&0xffffffff;
+!  205		      !	 acc=acc>>32;
+
+/* 0x00dc	 205 */		or	%g0,2,%o5
+/* 0x00e0	 201 */		sub	%o2,%o1,%o2
+/* 0x00e4	     */		or	%g0,%o2,%g5
+/* 0x00e8	 204 */		and	%o2,%g3,%o2
+/* 0x00ec	     */		st	%o2,[%o0]
+/* 0x00f0	 205 */		srax	%g5,32,%g5
+                       .L900000505:
+/* 0x00f4	 203 */		ld	[%o3],%o2
+/* 0x00f8	 205 */		add	%o5,1,%o5
+/* 0x00fc	     */		add	%o3,4,%o3
+/* 0x0100	     */		cmp	%o5,%g4
+/* 0x0104	     */		add	%o4,4,%o4
+/* 0x0108	 201 */		sub	%g1,%o2,%g1
+/* 0x010c	     */		add	%g1,%g5,%g5
+/* 0x0110	 204 */		and	%g5,%g3,%o2
+/* 0x0114	 203 */		ld	[%o4-4],%g1
+/* 0x0118	 204 */		st	%o2,[%o4-8]
+/* 0x011c	 205 */		ble,pt	%icc,.L900000505
+/* 0x0120	     */		srax	%g5,32,%g5
+                       .L900000508:
+/* 0x0124	 203 */		ld	[%o3],%g2
+/* 0x0128	 201 */		sub	%g1,%g2,%g1
+/* 0x012c	     */		add	%g1,%g5,%g1
+/* 0x0130	 204 */		and	%g1,%g3,%g2
+/* 0x0134	     */		retl	! Result = 
+/* 0x0138	     */		st	%g2,[%o4-4]
+                       .L77000199:
+/* 0x013c	 203 */		ld	[%o4],%g1
+                       .L900000509:
+/* 0x0140	 203 */		ld	[%o3],%g2
+/* 0x0144	     */		add	%g5,%g1,%g1
+/* 0x0148	 205 */		add	%o5,1,%o5
+/* 0x014c	     */		add	%o3,4,%o3
+/* 0x0150	     */		cmp	%o5,%g4
+/* 0x0154	 203 */		sub	%g1,%g2,%g1
+/* 0x0158	 204 */		and	%g1,%g3,%g2
+/* 0x015c	     */		st	%g2,[%o4]
+/* 0x0160	 205 */		add	%o4,4,%o4
+/* 0x0164	     */		srax	%g1,32,%g5
+/* 0x0168	     */		ble,a,pt	%icc,.L900000509
+/* 0x016c	     */		ld	[%o4],%g1
+                       .L77000191:
+/* 0x0170	     */		retl	! Result = 
+/* 0x0174	     */		nop
+/* 0x0178	   0 */		.type	adjust_montf_result,2
+/* 0x0178	     */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+/* 000000	     */		.skip	16
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global mont_mulf_noconv
+                       mont_mulf_noconv:
+/* 000000	     */		save	%sp,-144,%sp
+                       .L900000646:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
+
+!  206		      !       }
+!  207		      !   }
+!  208		      !}
+!  213		      !/*
+!  214		      !** the lengths of the input arrays should be at least the following:
+!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  216		      !** all of them should be different from one another
+!  217		      !**
+!  218		      !*/
+!  219		      !void mont_mulf_noconv(unsigned int *result,
+!  220		      !		     double *dm1, double *dm2, double *dt,
+!  221		      !		     double *dn, unsigned int *nint,
+!  222		      !		     int nlen, double dn0)
+!  223		      !{
+!  224		      ! int i, j, jj;
+!  225		      ! int tmp;
+!  226		      ! double digit, m2j, nextm2j, a, b;
+!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  229		      ! pdm1=&(dm1[0]);
+!  230		      ! pdm2=&(dm2[0]);
+!  231		      ! pdn=&(dn[0]);
+!  232		      ! pdm2[2*nlen]=Zero;
+
+/* 0x000c	 232 */		ld	[%fp+92],%o1
+/* 0x0010	     */		sethi	%hi(Zero),%g2
+/* 0x0014	 223 */		ldd	[%fp+96],%f2
+/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
+/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	 223 */		st	%i0,[%fp+68]
+/* 0x0024	     */		add	%g5,%o7,%o3
+
+!  234		      ! if (nlen!=16)
+!  235		      !   {
+!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+/* 0x0028	 239 */		sethi	%hi(TwoToMinus16),%g3
+/* 0x002c	 232 */		ld	[%o3+%g2],%l0
+/* 0x0030	 239 */		sethi	%hi(TwoTo16),%g4
+/* 0x0034	 223 */		or	%g0,%i2,%o2
+/* 0x0038	     */		fmovd	%f2,%f16
+/* 0x003c	     */		st	%i5,[%fp+88]
+/* 0x0040	 239 */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x0044	 223 */		or	%g0,%i1,%i2
+/* 0x0048	 232 */		ldd	[%l0],%f0
+/* 0x004c	 239 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0050	 223 */		or	%g0,%i3,%o0
+/* 0x0054	 232 */		sll	%o1,4,%g4
+/* 0x0058	 239 */		ld	[%o3+%g2],%g5
+/* 0x005c	 223 */		or	%g0,%i3,%i1
+/* 0x0060	 239 */		ld	[%o3+%g3],%g1
+/* 0x0064	 232 */		or	%g0,%o1,%i0
+/* 0x0068	     */		or	%g0,%o2,%i3
+/* 0x006c	 234 */		cmp	%o1,16
+/* 0x0070	     */		be,pn	%icc,.L77000279
+/* 0x0074	     */		std	%f0,[%o2+%g4]
+/* 0x0078	 236 */		sll	%o1,2,%g2
+/* 0x007c	     */		or	%g0,%o0,%o3
+/* 0x0080	 232 */		sll	%o1,1,%o1
+/* 0x0084	 236 */		add	%g2,2,%o2
+/* 0x0088	     */		cmp	%o2,0
+/* 0x008c	     */		ble,a,pt	%icc,.L900000660
+/* 0x0090	     */		ldd	[%i2],%f0
+
+!  241		      !     pdtj=&(dt[0]);
+!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  243		      !       {
+!  244		      !	 m2j=pdm2[j];
+!  245		      !	 a=pdtj[0]+pdn[0]*digit;
+!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  247		      !	 pdtj[1]=b;
+!  249		      !#pragma pipeloop(0)
+!  250		      !	 for(i=1;i<nlen;i++)
+!  251		      !	   {
+!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  253		      !	   }
+!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  255		      !	 
+!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  257		      !       }
+!  258		      !   }
+!  259		      ! else
+!  260		      !   {
+!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  275		      !     pdn_0=pdn[0];
+!  276		      !     pdm1_0=pdm1[0];
+!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  279		      !     pdtj=&(dt[0]);
+!  281		      !     for(j=0;j<32;j++,pdtj++)
+
+/* 0x0094	 281 */		add	%g2,2,%o0
+/* 0x0098	 236 */		add	%g2,1,%o2
+/* 0x009c	 281 */		cmp	%o0,3
+/* 0x00a0	     */		bl,pn	%icc,.L77000280
+/* 0x00a4	     */		or	%g0,1,%o0
+/* 0x00a8	     */		add	%o3,8,%o3
+/* 0x00ac	     */		or	%g0,1,%o4
+/* 0x00b0	     */		std	%f0,[%o3-8]
+                       .L900000630:
+/* 0x00b4	     */		std	%f0,[%o3]
+/* 0x00b8	     */		add	%o4,2,%o4
+/* 0x00bc	     */		add	%o3,16,%o3
+/* 0x00c0	     */		cmp	%o4,%g2
+/* 0x00c4	     */		ble,pt	%icc,.L900000630
+/* 0x00c8	     */		std	%f0,[%o3-8]
+                       .L900000633:
+/* 0x00cc	     */		cmp	%o4,%o2
+/* 0x00d0	     */		bg,pn	%icc,.L77000285
+/* 0x00d4	     */		add	%o4,1,%o0
+                       .L77000280:
+/* 0x00d8	     */		std	%f0,[%o3]
+                       .L900000659:
+/* 0x00dc	     */		ldd	[%l0],%f0
+/* 0x00e0	     */		cmp	%o0,%o2
+/* 0x00e4	     */		add	%o3,8,%o3
+/* 0x00e8	     */		add	%o0,1,%o0
+/* 0x00ec	     */		ble,a,pt	%icc,.L900000659
+/* 0x00f0	     */		std	%f0,[%o3]
+                       .L77000285:
+/* 0x00f4	 238 */		ldd	[%i2],%f0
+                       .L900000660:
+/* 0x00f8	 238 */		ldd	[%i3],%f2
+/* 0x00fc	     */		add	%o1,1,%o2
+/* 0x0100	 242 */		cmp	%o1,0
+/* 0x0104	     */		sll	%o2,1,%o0
+/* 0x0108	     */		sub	%o1,1,%o1
+/* 0x010c	 238 */		fmuld	%f0,%f2,%f0
+/* 0x0110	     */		std	%f0,[%i1]
+/* 0x0114	   0 */		or	%g0,0,%l1
+/* 0x0118	     */		ldd	[%l0],%f6
+/* 0x011c	     */		or	%g0,0,%g4
+/* 0x0120	     */		or	%g0,%o2,%i5
+/* 0x0124	     */		ldd	[%g5],%f2
+/* 0x0128	     */		or	%g0,%o1,%g3
+/* 0x012c	     */		or	%g0,%o0,%o3
+/* 0x0130	     */		fdtox	%f0,%f0
+/* 0x0134	     */		ldd	[%g1],%f4
+/* 0x0138	 246 */		add	%i3,8,%o4
+/* 0x013c	     */		or	%g0,0,%l2
+/* 0x0140	     */		or	%g0,%i1,%o5
+/* 0x0144	     */		sub	%i0,1,%o7
+/* 0x0148	     */		fmovs	%f6,%f0
+/* 0x014c	     */		fxtod	%f0,%f0
+/* 0x0150	 239 */		fmuld	%f0,%f16,%f0
+/* 0x0154	     */		fmuld	%f0,%f2,%f2
+/* 0x0158	     */		fdtox	%f2,%f2
+/* 0x015c	     */		fxtod	%f2,%f2
+/* 0x0160	     */		fmuld	%f2,%f4,%f2
+/* 0x0164	     */		fsubd	%f0,%f2,%f22
+/* 0x0168	 242 */		ble,pt	%icc,.L900000653
+/* 0x016c	     */		sll	%i0,4,%g2
+/* 0x0170	 246 */		ldd	[%i4],%f0
+                       .L900000654:
+/* 0x0174	 246 */		fmuld	%f0,%f22,%f8
+/* 0x0178	     */		ldd	[%i2],%f0
+/* 0x017c	 250 */		cmp	%i0,1
+/* 0x0180	 246 */		ldd	[%o4+%l2],%f6
+/* 0x0184	     */		add	%i2,8,%o0
+/* 0x0188	 250 */		or	%g0,1,%o1
+/* 0x018c	 246 */		ldd	[%o5],%f2
+/* 0x0190	     */		add	%o5,16,%l3
+/* 0x0194	     */		fmuld	%f0,%f6,%f6
+/* 0x0198	     */		ldd	[%g5],%f4
+/* 0x019c	     */		faddd	%f2,%f8,%f2
+/* 0x01a0	     */		ldd	[%o5+8],%f0
+/* 0x01a4	 244 */		ldd	[%i3+%l2],%f20
+/* 0x01a8	 246 */		faddd	%f0,%f6,%f0
+/* 0x01ac	     */		fmuld	%f2,%f4,%f2
+/* 0x01b0	     */		faddd	%f0,%f2,%f18
+/* 0x01b4	 247 */		std	%f18,[%o5+8]
+/* 0x01b8	 250 */		ble,pt	%icc,.L900000658
+/* 0x01bc	     */		srl	%g4,31,%g2
+/* 0x01c0	     */		cmp	%o7,7
+/* 0x01c4	 246 */		add	%i4,8,%g2
+/* 0x01c8	 250 */		bl,pn	%icc,.L77000284
+/* 0x01cc	     */		add	%g2,24,%o2
+/* 0x01d0	 252 */		ldd	[%o0+24],%f12
+/* 0x01d4	     */		add	%o5,48,%l3
+/* 0x01d8	     */		ldd	[%o0],%f2
+/* 0x01dc	   0 */		or	%g0,%o2,%g2
+/* 0x01e0	 250 */		sub	%o7,2,%o2
+/* 0x01e4	 252 */		ldd	[%g2-24],%f0
+/* 0x01e8	     */		or	%g0,5,%o1
+/* 0x01ec	     */		ldd	[%o0+8],%f6
+/* 0x01f0	     */		fmuld	%f2,%f20,%f2
+/* 0x01f4	     */		ldd	[%o0+16],%f14
+/* 0x01f8	     */		fmuld	%f0,%f22,%f4
+/* 0x01fc	     */		add	%o0,32,%o0
+/* 0x0200	     */		ldd	[%g2-16],%f8
+/* 0x0204	     */		fmuld	%f6,%f20,%f10
+/* 0x0208	     */		ldd	[%o5+16],%f0
+/* 0x020c	     */		ldd	[%g2-8],%f6
+/* 0x0210	     */		faddd	%f2,%f4,%f4
+/* 0x0214	     */		ldd	[%o5+32],%f2
+                       .L900000642:
+/* 0x0218	 252 */		ldd	[%g2],%f24
+/* 0x021c	     */		add	%o1,3,%o1
+/* 0x0220	     */		add	%g2,24,%g2
+/* 0x0224	     */		fmuld	%f8,%f22,%f8
+/* 0x0228	     */		ldd	[%l3],%f28
+/* 0x022c	     */		cmp	%o1,%o2
+/* 0x0230	     */		add	%o0,24,%o0
+/* 0x0234	     */		ldd	[%o0-24],%f26
+/* 0x0238	     */		faddd	%f0,%f4,%f0
+/* 0x023c	     */		add	%l3,48,%l3
+/* 0x0240	     */		faddd	%f10,%f8,%f10
+/* 0x0244	     */		fmuld	%f14,%f20,%f4
+/* 0x0248	     */		std	%f0,[%l3-80]
+/* 0x024c	     */		ldd	[%g2-16],%f8
+/* 0x0250	     */		fmuld	%f6,%f22,%f6
+/* 0x0254	     */		ldd	[%l3-32],%f0
+/* 0x0258	     */		ldd	[%o0-16],%f14
+/* 0x025c	     */		faddd	%f2,%f10,%f2
+/* 0x0260	     */		faddd	%f4,%f6,%f10
+/* 0x0264	     */		fmuld	%f12,%f20,%f4
+/* 0x0268	     */		std	%f2,[%l3-64]
+/* 0x026c	     */		ldd	[%g2-8],%f6
+/* 0x0270	     */		fmuld	%f24,%f22,%f24
+/* 0x0274	     */		ldd	[%l3-16],%f2
+/* 0x0278	     */		ldd	[%o0-8],%f12
+/* 0x027c	     */		faddd	%f28,%f10,%f10
+/* 0x0280	     */		std	%f10,[%l3-48]
+/* 0x0284	     */		fmuld	%f26,%f20,%f10
+/* 0x0288	     */		ble,pt	%icc,.L900000642
+/* 0x028c	     */		faddd	%f4,%f24,%f4
+                       .L900000645:
+/* 0x0290	 252 */		fmuld	%f8,%f22,%f28
+/* 0x0294	     */		ldd	[%g2],%f24
+/* 0x0298	     */		faddd	%f0,%f4,%f26
+/* 0x029c	     */		fmuld	%f12,%f20,%f8
+/* 0x02a0	     */		add	%l3,32,%l3
+/* 0x02a4	     */		cmp	%o1,%o7
+/* 0x02a8	     */		fmuld	%f14,%f20,%f14
+/* 0x02ac	     */		ldd	[%l3-32],%f4
+/* 0x02b0	     */		add	%g2,8,%g2
+/* 0x02b4	     */		faddd	%f10,%f28,%f12
+/* 0x02b8	     */		fmuld	%f6,%f22,%f6
+/* 0x02bc	     */		ldd	[%l3-16],%f0
+/* 0x02c0	     */		fmuld	%f24,%f22,%f10
+/* 0x02c4	     */		std	%f26,[%l3-64]
+/* 0x02c8	     */		faddd	%f2,%f12,%f2
+/* 0x02cc	     */		std	%f2,[%l3-48]
+/* 0x02d0	     */		faddd	%f14,%f6,%f6
+/* 0x02d4	     */		faddd	%f8,%f10,%f2
+/* 0x02d8	     */		faddd	%f4,%f6,%f4
+/* 0x02dc	     */		std	%f4,[%l3-32]
+/* 0x02e0	     */		faddd	%f0,%f2,%f0
+/* 0x02e4	     */		bg,pn	%icc,.L77000213
+/* 0x02e8	     */		std	%f0,[%l3-16]
+                       .L77000284:
+/* 0x02ec	 252 */		ldd	[%o0],%f0
+                       .L900000657:
+/* 0x02f0	 252 */		ldd	[%g2],%f4
+/* 0x02f4	     */		fmuld	%f0,%f20,%f2
+/* 0x02f8	     */		add	%o1,1,%o1
+/* 0x02fc	     */		ldd	[%l3],%f0
+/* 0x0300	     */		add	%o0,8,%o0
+/* 0x0304	     */		add	%g2,8,%g2
+/* 0x0308	     */		fmuld	%f4,%f22,%f4
+/* 0x030c	     */		cmp	%o1,%o7
+/* 0x0310	     */		faddd	%f2,%f4,%f2
+/* 0x0314	     */		faddd	%f0,%f2,%f0
+/* 0x0318	     */		std	%f0,[%l3]
+/* 0x031c	     */		add	%l3,16,%l3
+/* 0x0320	     */		ble,a,pt	%icc,.L900000657
+/* 0x0324	     */		ldd	[%o0],%f0
+                       .L77000213:
+/* 0x0328	     */		srl	%g4,31,%g2
+                       .L900000658:
+/* 0x032c	 254 */		cmp	%l1,30
+/* 0x0330	     */		bne,a,pt	%icc,.L900000656
+/* 0x0334	     */		fdtox	%f18,%f0
+/* 0x0338	     */		add	%g4,%g2,%g2
+/* 0x033c	     */		sra	%g2,1,%o0
+/* 0x0340	 281 */		ldd	[%l0],%f0
+/* 0x0344	     */		sll	%i5,1,%o2
+/* 0x0348	     */		add	%o0,1,%g2
+/* 0x034c	     */		sll	%g2,1,%o0
+/* 0x0350	 254 */		sub	%o2,1,%o2
+/* 0x0354	 281 */		fmovd	%f0,%f2
+/* 0x0358	     */		sll	%g2,4,%o1
+/* 0x035c	     */		cmp	%o0,%o3
+/* 0x0360	     */		bge,pt	%icc,.L77000215
+/* 0x0364	     */		or	%g0,0,%l1
+/* 0x0368	 254 */		add	%i1,%o1,%o1
+/* 0x036c	 281 */		ldd	[%o1],%f6
+                       .L900000655:
+/* 0x0370	     */		fdtox	%f6,%f10
+/* 0x0374	     */		ldd	[%o1+8],%f4
+/* 0x0378	     */		add	%o0,2,%o0
+/* 0x037c	     */		ldd	[%l0],%f12
+/* 0x0380	     */		fdtox	%f6,%f6
+/* 0x0384	     */		cmp	%o0,%o2
+/* 0x0388	     */		fdtox	%f4,%f8
+/* 0x038c	     */		fdtox	%f4,%f4
+/* 0x0390	     */		fmovs	%f12,%f10
+/* 0x0394	     */		fmovs	%f12,%f8
+/* 0x0398	     */		fxtod	%f10,%f10
+/* 0x039c	     */		fxtod	%f8,%f8
+/* 0x03a0	     */		faddd	%f10,%f2,%f2
+/* 0x03a4	     */		std	%f2,[%o1]
+/* 0x03a8	     */		faddd	%f8,%f0,%f0
+/* 0x03ac	     */		std	%f0,[%o1+8]
+/* 0x03b0	     */		add	%o1,16,%o1
+/* 0x03b4	     */		fitod	%f6,%f2
+/* 0x03b8	     */		fitod	%f4,%f0
+/* 0x03bc	     */		ble,a,pt	%icc,.L900000655
+/* 0x03c0	     */		ldd	[%o1],%f6
+                       .L77000233:
+/* 0x03c4	     */		or	%g0,0,%l1
+                       .L77000215:
+/* 0x03c8	     */		fdtox	%f18,%f0
+                       .L900000656:
+/* 0x03cc	     */		ldd	[%l0],%f6
+/* 0x03d0	 256 */		add	%g4,1,%g4
+/* 0x03d4	     */		add	%l2,8,%l2
+/* 0x03d8	     */		ldd	[%g5],%f2
+/* 0x03dc	     */		add	%l1,1,%l1
+/* 0x03e0	     */		add	%o5,8,%o5
+/* 0x03e4	     */		fmovs	%f6,%f0
+/* 0x03e8	     */		ldd	[%g1],%f4
+/* 0x03ec	     */		cmp	%g4,%g3
+/* 0x03f0	     */		fxtod	%f0,%f0
+/* 0x03f4	     */		fmuld	%f0,%f16,%f0
+/* 0x03f8	     */		fmuld	%f0,%f2,%f2
+/* 0x03fc	     */		fdtox	%f2,%f2
+/* 0x0400	     */		fxtod	%f2,%f2
+/* 0x0404	     */		fmuld	%f2,%f4,%f2
+/* 0x0408	     */		fsubd	%f0,%f2,%f22
+/* 0x040c	     */		ble,a,pt	%icc,.L900000654
+/* 0x0410	     */		ldd	[%i4],%f0
+                       .L900000629:
+/* 0x0414	 256 */		ba	.L900000653
+/* 0x0418	     */		sll	%i0,4,%g2
+                       .L77000279:
+/* 0x041c	 261 */		ldd	[%o2],%f6
+/* 0x0420	 279 */		or	%g0,%o0,%o4
+/* 0x0424	 281 */		or	%g0,0,%o3
+/* 0x0428	 261 */		ldd	[%i2],%f4
+/* 0x042c	 273 */		std	%f0,[%o0+8]
+/* 0x0430	     */		std	%f0,[%o0+16]
+/* 0x0434	 261 */		fmuld	%f4,%f6,%f4
+/* 0x0438	     */		std	%f4,[%o0]
+/* 0x043c	 273 */		std	%f0,[%o0+24]
+/* 0x0440	     */		std	%f0,[%o0+32]
+/* 0x0444	     */		fdtox	%f4,%f4
+/* 0x0448	     */		std	%f0,[%o0+40]
+/* 0x044c	     */		std	%f0,[%o0+48]
+/* 0x0450	     */		std	%f0,[%o0+56]
+/* 0x0454	     */		std	%f0,[%o0+64]
+/* 0x0458	     */		std	%f0,[%o0+72]
+/* 0x045c	     */		std	%f0,[%o0+80]
+/* 0x0460	     */		std	%f0,[%o0+88]
+/* 0x0464	     */		std	%f0,[%o0+96]
+/* 0x0468	     */		std	%f0,[%o0+104]
+/* 0x046c	     */		std	%f0,[%o0+112]
+/* 0x0470	     */		std	%f0,[%o0+120]
+/* 0x0474	     */		std	%f0,[%o0+128]
+/* 0x0478	     */		std	%f0,[%o0+136]
+/* 0x047c	     */		std	%f0,[%o0+144]
+/* 0x0480	     */		std	%f0,[%o0+152]
+/* 0x0484	     */		std	%f0,[%o0+160]
+/* 0x0488	     */		std	%f0,[%o0+168]
+/* 0x048c	     */		fmovs	%f0,%f4
+/* 0x0490	     */		std	%f0,[%o0+176]
+/* 0x0494	 281 */		or	%g0,0,%o1
+/* 0x0498	 273 */		std	%f0,[%o0+184]
+/* 0x049c	     */		fxtod	%f4,%f4
+/* 0x04a0	     */		std	%f0,[%o0+192]
+/* 0x04a4	     */		std	%f0,[%o0+200]
+/* 0x04a8	     */		std	%f0,[%o0+208]
+/* 0x04ac	 278 */		fmuld	%f4,%f2,%f2
+/* 0x04b0	 273 */		std	%f0,[%o0+216]
+/* 0x04b4	     */		std	%f0,[%o0+224]
+/* 0x04b8	     */		std	%f0,[%o0+232]
+/* 0x04bc	     */		std	%f0,[%o0+240]
+/* 0x04c0	     */		std	%f0,[%o0+248]
+/* 0x04c4	     */		std	%f0,[%o0+256]
+/* 0x04c8	     */		std	%f0,[%o0+264]
+/* 0x04cc	     */		std	%f0,[%o0+272]
+/* 0x04d0	     */		std	%f0,[%o0+280]
+/* 0x04d4	     */		std	%f0,[%o0+288]
+/* 0x04d8	     */		std	%f0,[%o0+296]
+/* 0x04dc	     */		std	%f0,[%o0+304]
+/* 0x04e0	     */		std	%f0,[%o0+312]
+/* 0x04e4	     */		std	%f0,[%o0+320]
+/* 0x04e8	     */		std	%f0,[%o0+328]
+/* 0x04ec	     */		std	%f0,[%o0+336]
+/* 0x04f0	     */		std	%f0,[%o0+344]
+/* 0x04f4	     */		std	%f0,[%o0+352]
+/* 0x04f8	     */		std	%f0,[%o0+360]
+/* 0x04fc	     */		std	%f0,[%o0+368]
+/* 0x0500	     */		std	%f0,[%o0+376]
+/* 0x0504	     */		std	%f0,[%o0+384]
+/* 0x0508	     */		std	%f0,[%o0+392]
+/* 0x050c	     */		std	%f0,[%o0+400]
+/* 0x0510	     */		std	%f0,[%o0+408]
+/* 0x0514	     */		std	%f0,[%o0+416]
+/* 0x0518	     */		std	%f0,[%o0+424]
+/* 0x051c	     */		std	%f0,[%o0+432]
+/* 0x0520	     */		std	%f0,[%o0+440]
+/* 0x0524	     */		std	%f0,[%o0+448]
+/* 0x0528	     */		std	%f0,[%o0+456]
+/* 0x052c	     */		std	%f0,[%o0+464]
+/* 0x0530	     */		std	%f0,[%o0+472]
+/* 0x0534	     */		std	%f0,[%o0+480]
+/* 0x0538	     */		std	%f0,[%o0+488]
+/* 0x053c	     */		std	%f0,[%o0+496]
+/* 0x0540	     */		std	%f0,[%o0+504]
+/* 0x0544	     */		std	%f0,[%o0+512]
+/* 0x0548	     */		std	%f0,[%o0+520]
+/* 0x054c	     */		ldd	[%g5],%f0
+/* 0x0550	     */		ldd	[%g1],%f8
+/* 0x0554	     */		fmuld	%f2,%f0,%f6
+/* 0x0558	 275 */		ldd	[%i4],%f4
+/* 0x055c	 276 */		ldd	[%i2],%f0
+/* 0x0560	     */		fdtox	%f6,%f6
+/* 0x0564	     */		fxtod	%f6,%f6
+/* 0x0568	     */		fmuld	%f6,%f8,%f6
+/* 0x056c	     */		fsubd	%f2,%f6,%f2
+/* 0x0570	 286 */		fmuld	%f4,%f2,%f12
+
+!  282		      !       {
+!  284		      !	 m2j=pdm2[j];
+!  285		      !	 a=pdtj[0]+pdn_0*digit;
+!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+
+!  287		      !	 pdtj[1]=b;
+!  289		      !	 /**** this loop will be fully unrolled:
+!  290		      !	 for(i=1;i<16;i++)
+!  291		      !	   {
+!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  293		      !	   }
+!  294		      !	 *************************************/
+!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  310		      !	 /* no need for cleenup, cannot overflow */
+!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+	fmovd %f2,%f0		! hand modified
+	fmovd %f16,%f18			! hand modified
+	ldd [%i4],%f2
+	ldd [%o4],%f8
+	ldd [%i2],%f10
+	ldd [%g5],%f14		! hand modified
+	ldd [%g1],%f16		! hand modified
+	ldd [%i3],%f24
+
+	ldd [%i2+8],%f26
+	ldd [%i2+16],%f40
+	ldd [%i2+48],%f46
+	ldd [%i2+56],%f30
+	ldd [%i2+64],%f54
+	ldd [%i2+104],%f34
+	ldd [%i2+112],%f58
+
+	ldd [%i4+8],%f28	
+	ldd [%i4+104],%f38
+	ldd [%i4+112],%f60
+
+	.L99999999: 			!1
+	ldd	[%i2+24],%f32
+	fmuld	%f0,%f2,%f4 	!2
+	ldd	[%i4+24],%f36
+	fmuld	%f26,%f24,%f20 	!3
+	ldd	[%i2+40],%f42
+	fmuld	%f28,%f0,%f22 	!4
+	ldd	[%i4+40],%f44
+	fmuld	%f32,%f24,%f32 	!5
+	ldd	[%i3+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36 	!6
+	add	%i3,8,%i3
+	ldd	[%i4+56],%f50
+	fmuld	%f42,%f24,%f42 	!7
+	ldd	[%i2+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44 	!8
+	ldd	[%o4+16],%f22
+	fmuld	%f10,%f6,%f12 	!9
+	ldd	[%i4+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4 !10
+	ldd	[%o4+48],%f36
+	fmuld	%f30,%f24,%f48 	!11
+	ldd	[%o4+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	!12
+	std	%f20,[%o4+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52 	!13
+	ldd	[%o4+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56 	!14
+	ldd	[%i2+88],%f20
+	faddd	%f32,%f36,%f32 	!15
+	ldd	[%i4+88],%f22
+	faddd	%f48,%f50,%f48 	!16
+	ldd	[%o4+112],%f50
+	faddd	%f52,%f56,%f52 	!17
+	ldd	[%o4+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20 	!18
+	std	%f32,[%o4+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22 	!19
+	std	%f42,[%o4+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32 	!20
+	std	%f48,[%o4+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36 	!21
+	ldd	[%i2+120],%f42
+	fdtox	%f8,%f4 		!22
+	std	%f52,[%o4+144]
+	faddd	%f20,%f22,%f20 	!23
+	ldd	[%i4+120],%f44 	!24
+	ldd	[%o4+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42 	!25
+	ldd	[%i4+16],%f50
+	fmovs	%f17,%f4 	!26
+	ldd	[%i2+32],%f52
+	fmuld	%f44,%f0,%f44 	!27
+	ldd	[%i4+32],%f56
+	fmuld	%f40,%f24,%f48 	!28
+	ldd	[%o4+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50 	!29
+	std	%f20,[%o4+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52 	!30
+	ldd	[%i4+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56 	!31
+	ldd	[%o4+240],%f44
+	faddd	%f32,%f36,%f32 	!32
+	std	%f32,[%o4+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20 	!33
+	ldd	[%o4+32],%f50
+	fmuld	%f4,%f18,%f12 	!34
+	ldd	[%i4+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22 	!35
+	ldd	[%o4+64],%f56
+	faddd	%f42,%f44,%f42 	!36
+	std	%f42,[%o4+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32 	!37
+	std	%f48,[%o4+32]
+	fmuld	%f12,%f14,%f4 !38
+	ldd	[%i2+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36 	!39
+	ldd	[%i4+80],%f44
+	faddd	%f20,%f22,%f20 	!40
+	ldd	[%i2+96],%f48
+	fmuld	%f58,%f24,%f52 	!41
+	ldd	[%i4+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42 	!42
+	std	%f56,[%o4+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44 	!43
+	ldd	[%o4+96],%f22
+	fmuld	%f48,%f24,%f48 	!44
+	ldd	[%o4+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50 	!45
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56 	!46
+	add	%o4,8,%o4
+	faddd	%f42,%f44,%f42 	!47
+	ldd	[%o4+160-8],%f44
+	faddd	%f20,%f22,%f20 	!48
+	std	%f20,[%o4+96-8]
+	faddd	%f48,%f50,%f48 	!49
+	ldd	[%o4+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4 	!50
+	ldd	[%o4+224-8],%f56
+	faddd	%f32,%f36,%f32 	!51
+	std	%f32,[%o4+128-8]
+	faddd	%f42,%f44,%f42 	!52
+	add	%o3,1,%o3
+	std	%f42,[%o4+160-8]
+	faddd	%f48,%f50,%f48 	!53
+	cmp	%o3,31
+	std	%f48,[%o4+192-8]
+	fsubd	%f12,%f4,%f0 	!54
+	faddd	%f52,%f56,%f52
+	ble,pt	%icc,.L99999999
+	std	%f52,[%o4+224-8] 	!55
+	std %f8,[%o4]
+
+!  312		      !       }
+!  313		      !   }
+!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+/* 0x07c8	 315 */		sll	%i0,4,%g2
+                       .L900000653:
+/* 0x07cc	 315 */		add	%i1,%g2,%i1
+/* 0x07d0	 242 */		ld	[%fp+68],%o0
+/* 0x07d4	 315 */		or	%g0,0,%o4
+/* 0x07d8	     */		ldd	[%i1],%f0
+/* 0x07dc	     */		or	%g0,0,%g5
+/* 0x07e0	     */		cmp	%i0,0
+/* 0x07e4	 242 */		or	%g0,%o0,%o3
+/* 0x07e8	 311 */		sub	%i0,1,%g1
+/* 0x07ec	 315 */		fdtox	%f0,%f0
+/* 0x07f0	     */		std	%f0,[%sp+120]
+/* 0x07f4	 311 */		sethi	%hi(0xfc00),%o1
+/* 0x07f8	     */		add	%g1,1,%g3
+/* 0x07fc	     */		or	%g0,%o0,%g4
+/* 0x0800	 315 */		ldd	[%i1+8],%f0
+/* 0x0804	     */		add	%o1,1023,%o1
+/* 0x0808	     */		fdtox	%f0,%f0
+/* 0x080c	     */		std	%f0,[%sp+112]
+/* 0x0810	     */		ldx	[%sp+112],%o5
+/* 0x0814	     */		ldx	[%sp+120],%o7
+/* 0x0818	     */		ble,pt	%icc,.L900000651
+/* 0x081c	     */		sethi	%hi(0xfc00),%g2
+/* 0x0820	 311 */		or	%g0,-1,%g2
+/* 0x0824	 315 */		cmp	%g3,3
+/* 0x0828	 311 */		srl	%g2,0,%o2
+/* 0x082c	 315 */		bl,pn	%icc,.L77000287
+/* 0x0830	     */		or	%g0,%i1,%g2
+/* 0x0834	     */		ldd	[%i1+16],%f0
+/* 0x0838	     */		and	%o5,%o1,%o0
+/* 0x083c	     */		add	%i1,16,%g2
+/* 0x0840	     */		sllx	%o0,16,%g3
+/* 0x0844	     */		and	%o7,%o2,%o0
+/* 0x0848	     */		fdtox	%f0,%f0
+/* 0x084c	     */		std	%f0,[%sp+104]
+/* 0x0850	     */		add	%o0,%g3,%o4
+/* 0x0854	     */		ldd	[%i1+24],%f2
+/* 0x0858	     */		srax	%o5,16,%o0
+/* 0x085c	     */		add	%o3,4,%g4
+/* 0x0860	     */		stx	%o0,[%sp+128]
+/* 0x0864	     */		and	%o4,%o2,%o0
+/* 0x0868	     */		stx	%o0,[%sp+112]
+/* 0x086c	     */		srax	%o4,32,%o0
+/* 0x0870	     */		fdtox	%f2,%f0
+/* 0x0874	     */		stx	%o0,[%sp+136]
+/* 0x0878	     */		srax	%o7,32,%o4
+/* 0x087c	     */		std	%f0,[%sp+96]
+/* 0x0880	     */		ldx	[%sp+128],%g5
+/* 0x0884	     */		ldx	[%sp+136],%o7
+/* 0x0888	     */		ldx	[%sp+104],%g3
+/* 0x088c	     */		add	%g5,%o7,%o0
+/* 0x0890	     */		or	%g0,1,%g5
+/* 0x0894	     */		ldx	[%sp+112],%o7
+/* 0x0898	     */		add	%o4,%o0,%o4
+/* 0x089c	     */		ldx	[%sp+96],%o5
+/* 0x08a0	     */		st	%o7,[%o3]
+/* 0x08a4	     */		or	%g0,%g3,%o7
+                       .L900000634:
+/* 0x08a8	     */		ldd	[%g2+16],%f0
+/* 0x08ac	     */		add	%g5,1,%g5
+/* 0x08b0	     */		add	%g4,4,%g4
+/* 0x08b4	     */		cmp	%g5,%g1
+/* 0x08b8	     */		add	%g2,16,%g2
+/* 0x08bc	     */		fdtox	%f0,%f0
+/* 0x08c0	     */		std	%f0,[%sp+104]
+/* 0x08c4	     */		ldd	[%g2+8],%f0
+/* 0x08c8	     */		fdtox	%f0,%f0
+/* 0x08cc	     */		std	%f0,[%sp+96]
+/* 0x08d0	     */		and	%o5,%o1,%g3
+/* 0x08d4	     */		sllx	%g3,16,%g3
+/* 0x08d8	     */		stx	%g3,[%sp+120]
+/* 0x08dc	     */		and	%o7,%o2,%g3
+/* 0x08e0	     */		stx	%o7,[%sp+128]
+/* 0x08e4	     */		ldx	[%sp+120],%o7
+/* 0x08e8	     */		add	%g3,%o7,%g3
+/* 0x08ec	     */		ldx	[%sp+128],%o7
+/* 0x08f0	     */		srax	%o5,16,%o5
+/* 0x08f4	     */		add	%g3,%o4,%g3
+/* 0x08f8	     */		srax	%g3,32,%o4
+/* 0x08fc	     */		stx	%o4,[%sp+112]
+/* 0x0900	     */		srax	%o7,32,%o4
+/* 0x0904	     */		ldx	[%sp+112],%o7
+/* 0x0908	     */		add	%o5,%o7,%o7
+/* 0x090c	     */		ldx	[%sp+96],%o5
+/* 0x0910	     */		add	%o4,%o7,%o4
+/* 0x0914	     */		and	%g3,%o2,%g3
+/* 0x0918	     */		ldx	[%sp+104],%o7
+/* 0x091c	     */		ble,pt	%icc,.L900000634
+/* 0x0920	     */		st	%g3,[%g4-4]
+                       .L900000637:
+/* 0x0924	     */		ba	.L900000651
+/* 0x0928	     */		sethi	%hi(0xfc00),%g2
+                       .L77000287:
+/* 0x092c	     */		ldd	[%g2+16],%f0
+                       .L900000650:
+/* 0x0930	     */		and	%o7,%o2,%o0
+/* 0x0934	     */		and	%o5,%o1,%g3
+/* 0x0938	     */		fdtox	%f0,%f0
+/* 0x093c	     */		add	%o4,%o0,%o0
+/* 0x0940	     */		std	%f0,[%sp+104]
+/* 0x0944	     */		add	%g5,1,%g5
+/* 0x0948	     */		sllx	%g3,16,%o4
+/* 0x094c	     */		ldd	[%g2+24],%f2
+/* 0x0950	     */		add	%g2,16,%g2
+/* 0x0954	     */		add	%o0,%o4,%o4
+/* 0x0958	     */		cmp	%g5,%g1
+/* 0x095c	     */		srax	%o5,16,%o0
+/* 0x0960	     */		stx	%o0,[%sp+112]
+/* 0x0964	     */		and	%o4,%o2,%g3
+/* 0x0968	     */		srax	%o4,32,%o5
+/* 0x096c	     */		fdtox	%f2,%f0
+/* 0x0970	     */		std	%f0,[%sp+96]
+/* 0x0974	     */		srax	%o7,32,%o4
+/* 0x0978	     */		ldx	[%sp+112],%o7
+/* 0x097c	     */		add	%o7,%o5,%o7
+/* 0x0980	     */		ldx	[%sp+104],%o5
+/* 0x0984	     */		add	%o4,%o7,%o4
+/* 0x0988	     */		ldx	[%sp+96],%o0
+/* 0x098c	     */		st	%g3,[%g4]
+/* 0x0990	     */		or	%g0,%o5,%o7
+/* 0x0994	     */		add	%g4,4,%g4
+/* 0x0998	     */		or	%g0,%o0,%o5
+/* 0x099c	     */		ble,a,pt	%icc,.L900000650
+/* 0x09a0	     */		ldd	[%g2+16],%f0
+                       .L77000236:
+/* 0x09a4	     */		sethi	%hi(0xfc00),%g2
+                       .L900000651:
+/* 0x09a8	     */		or	%g0,-1,%o0
+/* 0x09ac	     */		add	%g2,1023,%g2
+/* 0x09b0	     */		ld	[%fp+88],%o1
+/* 0x09b4	     */		srl	%o0,0,%g3
+/* 0x09b8	     */		and	%o5,%g2,%g2
+/* 0x09bc	     */		and	%o7,%g3,%g4
+
+!  317		      ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x09c0	 317 */		or	%g0,-1,%o5
+/* 0x09c4	 311 */		sllx	%g2,16,%g2
+/* 0x09c8	     */		add	%o4,%g4,%g4
+/* 0x09cc	     */		add	%g4,%g2,%g2
+/* 0x09d0	     */		sll	%g5,2,%g4
+/* 0x09d4	     */		and	%g2,%g3,%g2
+/* 0x09d8	     */		st	%g2,[%o3+%g4]
+/* 0x09dc	 317 */		sll	%i0,2,%g2
+/* 0x09e0	     */		ld	[%o3+%g2],%g2
+/* 0x09e4	     */		cmp	%g2,0
+/* 0x09e8	     */		bleu,pn	%icc,.L77000241
+/* 0x09ec	     */		or	%g0,%o1,%o2
+/* 0x09f0	     */		ba	.L900000649
+/* 0x09f4	     */		cmp	%o5,0
+                       .L77000241:
+/* 0x09f8	     */		sub	%i0,1,%o5
+/* 0x09fc	     */		sll	%o5,2,%g2
+/* 0x0a00	     */		cmp	%o5,0
+/* 0x0a04	     */		bl,pt	%icc,.L900000649
+/* 0x0a08	     */		cmp	%o5,0
+/* 0x0a0c	     */		add	%o1,%g2,%o1
+/* 0x0a10	     */		add	%o3,%g2,%o4
+/* 0x0a14	     */		ld	[%o1],%g2
+                       .L900000648:
+/* 0x0a18	     */		ld	[%o4],%g3
+/* 0x0a1c	     */		sub	%o5,1,%o0
+/* 0x0a20	     */		sub	%o1,4,%o1
+/* 0x0a24	     */		sub	%o4,4,%o4
+/* 0x0a28	     */		cmp	%g3,%g2
+/* 0x0a2c	     */		bne,pn	%icc,.L77000244
+/* 0x0a30	     */		nop
+/* 0x0a34	   0 */		or	%g0,%o0,%o5
+/* 0x0a38	 317 */		cmp	%o0,0
+/* 0x0a3c	     */		bge,a,pt	%icc,.L900000648
+/* 0x0a40	     */		ld	[%o1],%g2
+                       .L77000244:
+/* 0x0a44	     */		cmp	%o5,0
+                       .L900000649:
+/* 0x0a48	     */		bl,pn	%icc,.L77000288
+/* 0x0a4c	     */		sll	%o5,2,%g2
+/* 0x0a50	     */		ld	[%o2+%g2],%g3
+/* 0x0a54	     */		ld	[%o3+%g2],%g2
+/* 0x0a58	     */		cmp	%g2,%g3
+/* 0x0a5c	     */		bleu,pt	%icc,.L77000224
+/* 0x0a60	     */		nop
+                       .L77000288:
+/* 0x0a64	     */		cmp	%i0,0
+/* 0x0a68	     */		ble,pt	%icc,.L77000224
+/* 0x0a6c	     */		nop
+/* 0x0a70	 317 */		sub	%i0,1,%o7
+/* 0x0a74	     */		or	%g0,-1,%g2
+/* 0x0a78	     */		srl	%g2,0,%o4
+/* 0x0a7c	     */		add	%o7,1,%o0
+/* 0x0a80	 315 */		or	%g0,0,%o5
+/* 0x0a84	     */		or	%g0,0,%g1
+/* 0x0a88	     */		cmp	%o0,3
+/* 0x0a8c	     */		bl,pn	%icc,.L77000289
+/* 0x0a90	     */		add	%o3,8,%o1
+/* 0x0a94	     */		add	%o2,4,%o0
+/* 0x0a98	     */		ld	[%o1-8],%g2
+/* 0x0a9c	   0 */		or	%g0,%o1,%o3
+/* 0x0aa0	 315 */		ld	[%o0-4],%g3
+/* 0x0aa4	   0 */		or	%g0,%o0,%o2
+/* 0x0aa8	 315 */		or	%g0,2,%g1
+/* 0x0aac	     */		ld	[%o3-4],%o0
+/* 0x0ab0	     */		sub	%g2,%g3,%g2
+/* 0x0ab4	     */		or	%g0,%g2,%o5
+/* 0x0ab8	     */		and	%g2,%o4,%g2
+/* 0x0abc	     */		st	%g2,[%o3-8]
+/* 0x0ac0	     */		srax	%o5,32,%o5
+                       .L900000638:
+/* 0x0ac4	     */		ld	[%o2],%g2
+/* 0x0ac8	     */		add	%g1,1,%g1
+/* 0x0acc	     */		add	%o2,4,%o2
+/* 0x0ad0	     */		cmp	%g1,%o7
+/* 0x0ad4	     */		add	%o3,4,%o3
+/* 0x0ad8	     */		sub	%o0,%g2,%o0
+/* 0x0adc	     */		add	%o0,%o5,%o5
+/* 0x0ae0	     */		and	%o5,%o4,%g2
+/* 0x0ae4	     */		ld	[%o3-4],%o0
+/* 0x0ae8	     */		st	%g2,[%o3-8]
+/* 0x0aec	     */		ble,pt	%icc,.L900000638
+/* 0x0af0	     */		srax	%o5,32,%o5
+                       .L900000641:
+/* 0x0af4	     */		ld	[%o2],%o1
+/* 0x0af8	     */		sub	%o0,%o1,%o0
+/* 0x0afc	     */		add	%o0,%o5,%o0
+/* 0x0b00	     */		and	%o0,%o4,%o1
+/* 0x0b04	     */		st	%o1,[%o3-4]
+/* 0x0b08	     */		ret	! Result = 
+/* 0x0b0c	     */		restore	%g0,%g0,%g0
+                       .L77000289:
+/* 0x0b10	     */		ld	[%o3],%o0
+                       .L900000647:
+/* 0x0b14	     */		ld	[%o2],%o1
+/* 0x0b18	     */		add	%o5,%o0,%o0
+/* 0x0b1c	     */		add	%g1,1,%g1
+/* 0x0b20	     */		add	%o2,4,%o2
+/* 0x0b24	     */		cmp	%g1,%o7
+/* 0x0b28	     */		sub	%o0,%o1,%o0
+/* 0x0b2c	     */		and	%o0,%o4,%o1
+/* 0x0b30	     */		st	%o1,[%o3]
+/* 0x0b34	     */		add	%o3,4,%o3
+/* 0x0b38	     */		srax	%o0,32,%o5
+/* 0x0b3c	     */		ble,a,pt	%icc,.L900000647
+/* 0x0b40	     */		ld	[%o3],%o0
+                       .L77000224:
+/* 0x0b44	     */		ret	! Result = 
+/* 0x0b48	     */		restore	%g0,%g0,%g0
+/* 0x0b4c	   0 */		.type	mont_mulf_noconv,2
+/* 0x0b4c	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.il b/security/nss/lib/freebl/mpi/montmulfv9.il
new file mode 100644
index 000000000..a37fdc768
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv9.il
@@ -0,0 +1,126 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is inline macros for SPARC Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+	fdtox	%f0,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+	fdtox	%f0,%f10
+	fmovs	%f2,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+	fmuld	%f0,%f2,%f2
+	fdtox	%f2,%f2
+	fxtod	%f2,%f2
+	fmuld	%f2,%f4,%f2
+	fsubd	%f0,%f2,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.s b/security/nss/lib/freebl/mpi/montmulfv9.s
new file mode 100644
index 000000000..143601004
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv9.s
@@ -0,0 +1,2380 @@
+!  
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".rodata",#alloc
+	.global	TwoTo16
+	.align	8
+!
+! CONSTANT POOL
+!
+	.global TwoTo16
+TwoTo16:
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+	.global	TwoToMinus16
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus16
+TwoToMinus16:
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+	.global	Zero
+!
+! CONSTANT POOL
+!
+	.global Zero
+Zero:
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+	.global	TwoTo32
+!
+! CONSTANT POOL
+!
+	.global TwoTo32
+TwoTo32:
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+	.global	TwoToMinus32
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus32
+TwoToMinus32:
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.register	%g3,#scratch
+/* 000000	     */		.register	%g2,#scratch
+/* 000000	   0 */		.align	8
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_d16_to_i32
+                       conv_d16_to_i32:
+/* 000000	     */		save	%sp,-208,%sp
+! FILE montmulf.c
+
+!    1		      !/*
+!    2		      ! * The contents of this file are subject to the Mozilla Public
+!    3		      ! * License Version 1.1 (the "License"); you may not use this file
+!    4		      ! * except in compliance with the License. You may obtain a copy of
+!    5		      ! * the License at http://www.mozilla.org/MPL/
+!    6		      ! * 
+!    7		      ! * Software distributed under the License is distributed on an "AS
+!    8		      ! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!    9		      ! * implied. See the License for the specific language governing
+!   10		      ! * rights and limitations under the License.
+!   11		      ! * 
+!   12		      ! * The Original Code is SPARC optimized Montgomery multiply functions.
+!   13		      ! *
+!   14		      ! * The Initial Developer of the Original Code is Sun Microsystems Inc.
+!   15		      ! * Portions created by Sun Microsystems Inc. are 
+!   16		      ! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!   17		      ! * 
+!   18		      ! * Contributor(s):
+!   19		      ! *	Netscape Communications Corporation
+!   20		      ! * 
+!   21		      ! * Alternatively, the contents of this file may be used under the
+!   22		      ! * terms of the GNU General Public License Version 2 or later (the
+!   23		      ! * "GPL"), in which case the provisions of the GPL are applicable 
+!   24		      ! * instead of those above.	If you wish to allow use of your 
+!   25		      ! * version of this file only under the terms of the GPL and not to
+!   26		      ! * allow others to use your version of this file under the MPL,
+!   27		      ! * indicate your decision by deleting the provisions above and
+!   28		      ! * replace them with the notice and other provisions required by
+!   29		      ! * the GPL.  If you do not delete the provisions above, a recipient
+!   30		      ! * may use your version of this file under either the MPL or the
+!   31		      ! * GPL.
+!   32		      ! *
+!   33		      ! *  $Id$
+!   34		      ! */
+!   36		      !#define RF_INLINE_MACROS
+!   38		      !static const double TwoTo16=65536.0;
+!   39		      !static const double TwoToMinus16=1.0/65536.0;
+!   40		      !static const double Zero=0.0;
+!   41		      !static const double TwoTo32=65536.0*65536.0;
+!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
+!   44		      !#ifdef RF_INLINE_MACROS
+!   46		      !double upper32(double);
+!   47		      !double lower32(double, double);
+!   48		      !double mod(double, double, double);
+!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+!   51		      !			  const double * /* 2^16*/,
+!   52		      !			  const double * /* 0 */,
+!   53		      !			  double *       /*result16*/, 
+!   54		      !			  double *       /* result32 */,
+!   55		      !			  float *  /*source - should be unsigned int*
+!   56		      !		          	       converted to float* */);
+!   58		      !#else
+!   60		      !static double upper32(double x)
+!   61		      !{
+!   62		      !  return floor(x*TwoToMinus32);
+!   63		      !}
+!   65		      !static double lower32(double x, double y)
+!   66		      !{
+!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   68		      !}
+!   70		      !static double mod(double x, double oneoverm, double m)
+!   71		      !{
+!   72		      !  return x-m*floor(x*oneoverm);
+!   73		      !}
+!   75		      !#endif
+!   78		      !static void cleanup(double *dt, int from, int tlen)
+!   79		      !{
+!   80		      ! int i;
+!   81		      ! double tmp,tmp1,x,x1;
+!   83		      ! tmp=tmp1=Zero;
+!   84		      ! /* original code **
+!   85		      ! for(i=2*from;i<2*tlen-2;i++)
+!   86		      !   {
+!   87		      !     x=dt[i];
+!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
+!   89		      !     tmp1=tmp;
+!   90		      !     tmp=upper32(x);
+!   91		      !   }
+!   92		      ! dt[tlen-2]+=tmp1;
+!   93		      ! dt[tlen-1]+=tmp;
+!   94		      ! **end original code ***/
+!   95		      ! /* new code ***/
+!   96		      ! for(i=2*from;i<2*tlen;i+=2)
+!   97		      !   {
+!   98		      !     x=dt[i];
+!   99		      !     x1=dt[i+1];
+!  100		      !     dt[i]=lower32(x,Zero)+tmp;
+!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!  102		      !     tmp=upper32(x);
+!  103		      !     tmp1=upper32(x1);
+!  104		      !   }
+!  105		      !  /** end new code **/
+!  106		      !}
+!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!  110		      !{
+!  111		      !int i;
+!  112		      !long long t, t1, a, b, c, d;
+!  114		      ! t1=0;
+!  115		      ! a=(long long)d16[0];
+
+/* 0x0004	 115 */		ldd	[%i1],%f2
+
+!  116		      ! b=(long long)d16[1];
+!  117		      ! for(i=0; i<ilen-1; i++)
+
+/* 0x0008	 117 */		sub	%i3,1,%o1
+/* 0x000c	 110 */		or	%g0,%i0,%g1
+/* 0x0010	 116 */		ldd	[%i1+8],%f4
+/* 0x0014	 117 */		cmp	%o1,0
+/* 0x0018	 114 */		or	%g0,0,%g5
+/* 0x001c	 115 */		fdtox	%f2,%f2
+/* 0x0020	     */		std	%f2,[%sp+2247]
+/* 0x0024	 117 */		or	%g0,0,%o0
+/* 0x0028	 116 */		fdtox	%f4,%f2
+/* 0x002c	     */		std	%f2,[%sp+2239]
+/* 0x0030	 110 */		sub	%o1,1,%o7
+/* 0x0034	     */		or	%g0,%i1,%o4
+/* 0x0038	     */		sethi	%hi(0xfc00),%o3
+/* 0x003c	     */		or	%g0,-1,%o1
+/* 0x0040	     */		or	%g0,2,%i1
+/* 0x0044	     */		srl	%o1,0,%g3
+/* 0x0048	     */		or	%g0,%o4,%g4
+/* 0x004c	 116 */		ldx	[%sp+2239],%i2
+/* 0x0050	     */		add	%o3,1023,%o5
+/* 0x0054	 117 */		sub	%o7,1,%o2
+/* 0x0058	 115 */		ldx	[%sp+2247],%i3
+/* 0x005c	 117 */		ble,pt	%icc,.L900000113
+/* 0x0060	     */		sethi	%hi(0xfc00),%g2
+/* 0x0064	     */		add	%o7,1,%g2
+
+!  118		      !   {
+!  119		      !     c=(long long)d16[2*i+2];
+!  120		      !     t1+=a&0xffffffff;
+!  121		      !     t=(a>>32);
+!  122		      !     d=(long long)d16[2*i+3];
+!  123		      !     t1+=(b&0xffff)<<16;
+
+/* 0x0068	 123 */		and	%i2,%o5,%i4
+/* 0x006c	     */		sllx	%i4,16,%o1
+/* 0x0070	 117 */		cmp	%g2,6
+/* 0x0074	     */		bl,pn	%icc,.L77000134
+/* 0x0078	     */		or	%g0,3,%i0
+/* 0x007c	 119 */		ldd	[%o4+16],%f0
+/* 0x0080	 120 */		and	%i3,%g3,%o3
+
+!  124		      !     t+=(b>>16)+(t1>>32);
+
+/* 0x0084	 124 */		srax	%i2,16,%i5
+/* 0x0088	 117 */		add	%o3,%o1,%i4
+/* 0x008c	 121 */		srax	%i3,32,%i3
+/* 0x0090	 119 */		fdtox	%f0,%f0
+/* 0x0094	     */		std	%f0,[%sp+2231]
+
+!  125		      !     i32[i]=t1&0xffffffff;
+
+/* 0x0098	 125 */		and	%i4,%g3,%l0
+/* 0x009c	 117 */		or	%g0,72,%o3
+/* 0x00a0	 122 */		ldd	[%g4+24],%f0
+/* 0x00a4	 117 */		or	%g0,64,%o4
+/* 0x00a8	     */		or	%g0,4,%o1
+
+!  126		      !     t1=t;
+!  127		      !     a=c;
+!  128		      !     b=d;
+
+/* 0x00ac	 128 */		or	%g0,5,%i0
+/* 0x00b0	     */		or	%g0,4,%i1
+/* 0x00b4	 119 */		ldx	[%sp+2231],%g2
+/* 0x00b8	 122 */		fdtox	%f0,%f0
+/* 0x00bc	 128 */		or	%g0,4,%o0
+/* 0x00c0	 122 */		std	%f0,[%sp+2223]
+/* 0x00c4	     */		ldd	[%g4+40],%f2
+/* 0x00c8	 120 */		and	%g2,%g3,%i2
+/* 0x00cc	 119 */		ldd	[%g4+32],%f0
+/* 0x00d0	 121 */		srax	%g2,32,%g2
+/* 0x00d4	 122 */		ldd	[%g4+56],%f4
+/* 0x00d8	     */		fdtox	%f2,%f2
+/* 0x00dc	     */		ldx	[%sp+2223],%g5
+/* 0x00e0	 119 */		fdtox	%f0,%f0
+/* 0x00e4	 125 */		st	%l0,[%g1]
+/* 0x00e8	 124 */		srax	%i4,32,%l0
+/* 0x00ec	 122 */		fdtox	%f4,%f4
+/* 0x00f0	     */		std	%f2,[%sp+2223]
+/* 0x00f4	 123 */		and	%g5,%o5,%i4
+/* 0x00f8	 124 */		add	%i5,%l0,%i5
+/* 0x00fc	 119 */		std	%f0,[%sp+2231]
+/* 0x0100	 123 */		sllx	%i4,16,%i4
+/* 0x0104	 124 */		add	%i3,%i5,%i3
+/* 0x0108	 119 */		ldd	[%g4+48],%f2
+/* 0x010c	 124 */		srax	%g5,16,%g5
+/* 0x0110	 117 */		add	%i2,%i4,%i2
+/* 0x0114	 122 */		ldd	[%g4+72],%f0
+/* 0x0118	 117 */		add	%i2,%i3,%i4
+/* 0x011c	 124 */		srax	%i4,32,%i5
+/* 0x0120	 119 */		fdtox	%f2,%f2
+/* 0x0124	 125 */		and	%i4,%g3,%i4
+/* 0x0128	 122 */		ldx	[%sp+2223],%i2
+/* 0x012c	 124 */		add	%g5,%i5,%g5
+/* 0x0130	 119 */		ldx	[%sp+2231],%i3
+/* 0x0134	 124 */		add	%g2,%g5,%g5
+/* 0x0138	 119 */		std	%f2,[%sp+2231]
+/* 0x013c	 122 */		std	%f4,[%sp+2223]
+/* 0x0140	 119 */		ldd	[%g4+64],%f2
+/* 0x0144	 125 */		st	%i4,[%g1+4]
+                       .L900000108:
+/* 0x0148	 122 */		ldx	[%sp+2223],%i4
+/* 0x014c	 128 */		add	%o0,2,%o0
+/* 0x0150	     */		add	%i0,4,%i0
+/* 0x0154	 119 */		ldx	[%sp+2231],%l0
+/* 0x0158	 117 */		add	%o3,16,%o3
+/* 0x015c	 123 */		and	%i2,%o5,%g2
+/* 0x0160	     */		sllx	%g2,16,%i5
+/* 0x0164	 120 */		and	%i3,%g3,%g2
+/* 0x0168	 122 */		ldd	[%g4+%o3],%f4
+/* 0x016c	     */		fdtox	%f0,%f0
+/* 0x0170	     */		std	%f0,[%sp+2223]
+/* 0x0174	 124 */		srax	%i2,16,%i2
+/* 0x0178	 117 */		add	%g2,%i5,%g2
+/* 0x017c	 119 */		fdtox	%f2,%f0
+/* 0x0180	 117 */		add	%o4,16,%o4
+/* 0x0184	 119 */		std	%f0,[%sp+2231]
+/* 0x0188	 117 */		add	%g2,%g5,%g2
+/* 0x018c	 119 */		ldd	[%g4+%o4],%f2
+/* 0x0190	 124 */		srax	%g2,32,%i5
+/* 0x0194	 128 */		cmp	%o0,%o2
+/* 0x0198	 121 */		srax	%i3,32,%g5
+/* 0x019c	 124 */		add	%i2,%i5,%i2
+/* 0x01a0	     */		add	%g5,%i2,%i5
+/* 0x01a4	 117 */		add	%o1,4,%o1
+/* 0x01a8	 125 */		and	%g2,%g3,%g2
+/* 0x01ac	 127 */		or	%g0,%l0,%g5
+/* 0x01b0	 125 */		st	%g2,[%g1+%o1]
+/* 0x01b4	 128 */		add	%i1,4,%i1
+/* 0x01b8	 122 */		ldx	[%sp+2223],%i2
+/* 0x01bc	 119 */		ldx	[%sp+2231],%i3
+/* 0x01c0	 117 */		add	%o3,16,%o3
+/* 0x01c4	 123 */		and	%i4,%o5,%g2
+/* 0x01c8	     */		sllx	%g2,16,%l0
+/* 0x01cc	 120 */		and	%g5,%g3,%g2
+/* 0x01d0	 122 */		ldd	[%g4+%o3],%f0
+/* 0x01d4	     */		fdtox	%f4,%f4
+/* 0x01d8	     */		std	%f4,[%sp+2223]
+/* 0x01dc	 124 */		srax	%i4,16,%i4
+/* 0x01e0	 117 */		add	%g2,%l0,%g2
+/* 0x01e4	 119 */		fdtox	%f2,%f2
+/* 0x01e8	 117 */		add	%o4,16,%o4
+/* 0x01ec	 119 */		std	%f2,[%sp+2231]
+/* 0x01f0	 117 */		add	%g2,%i5,%g2
+/* 0x01f4	 119 */		ldd	[%g4+%o4],%f2
+/* 0x01f8	 124 */		srax	%g2,32,%i5
+/* 0x01fc	 121 */		srax	%g5,32,%g5
+/* 0x0200	 124 */		add	%i4,%i5,%i4
+/* 0x0204	     */		add	%g5,%i4,%g5
+/* 0x0208	 117 */		add	%o1,4,%o1
+/* 0x020c	 125 */		and	%g2,%g3,%g2
+/* 0x0210	 128 */		ble,pt	%icc,.L900000108
+/* 0x0214	     */		st	%g2,[%g1+%o1]
+                       .L900000111:
+/* 0x0218	 122 */		ldx	[%sp+2223],%o2
+/* 0x021c	 123 */		and	%i2,%o5,%i4
+/* 0x0220	 120 */		and	%i3,%g3,%g2
+/* 0x0224	 123 */		sllx	%i4,16,%i4
+/* 0x0228	 119 */		ldx	[%sp+2231],%i5
+/* 0x022c	 128 */		cmp	%o0,%o7
+/* 0x0230	 124 */		srax	%i2,16,%i2
+/* 0x0234	 117 */		add	%g2,%i4,%g2
+/* 0x0238	 122 */		fdtox	%f0,%f4
+/* 0x023c	     */		std	%f4,[%sp+2223]
+/* 0x0240	 117 */		add	%g2,%g5,%g5
+/* 0x0244	 123 */		and	%o2,%o5,%l0
+/* 0x0248	 124 */		srax	%g5,32,%l1
+/* 0x024c	 120 */		and	%i5,%g3,%i4
+/* 0x0250	 119 */		fdtox	%f2,%f0
+/* 0x0254	 121 */		srax	%i3,32,%g2
+/* 0x0258	 119 */		std	%f0,[%sp+2231]
+/* 0x025c	 124 */		add	%i2,%l1,%i2
+/* 0x0260	 123 */		sllx	%l0,16,%i3
+/* 0x0264	 124 */		add	%g2,%i2,%i2
+/* 0x0268	     */		srax	%o2,16,%o2
+/* 0x026c	 117 */		add	%o1,4,%g2
+/* 0x0270	     */		add	%i4,%i3,%o1
+/* 0x0274	 125 */		and	%g5,%g3,%g5
+/* 0x0278	     */		st	%g5,[%g1+%g2]
+/* 0x027c	 119 */		ldx	[%sp+2231],%i3
+/* 0x0280	 117 */		add	%o1,%i2,%o1
+/* 0x0284	     */		add	%g2,4,%g2
+/* 0x0288	 124 */		srax	%o1,32,%i4
+/* 0x028c	 122 */		ldx	[%sp+2223],%i2
+/* 0x0290	 125 */		and	%o1,%g3,%g5
+/* 0x0294	 121 */		srax	%i5,32,%o1
+/* 0x0298	 124 */		add	%o2,%i4,%o2
+/* 0x029c	 125 */		st	%g5,[%g1+%g2]
+/* 0x02a0	 128 */		bg,pn	%icc,.L77000127
+/* 0x02a4	     */		add	%o1,%o2,%g5
+/* 0x02a8	     */		add	%i0,6,%i0
+/* 0x02ac	     */		add	%i1,6,%i1
+                       .L77000134:
+/* 0x02b0	 119 */		sra	%i1,0,%o2
+                       .L900000112:
+/* 0x02b4	 119 */		sllx	%o2,3,%o3
+/* 0x02b8	 120 */		and	%i3,%g3,%o1
+/* 0x02bc	 119 */		ldd	[%g4+%o3],%f0
+/* 0x02c0	 122 */		sra	%i0,0,%o3
+/* 0x02c4	 123 */		and	%i2,%o5,%o2
+/* 0x02c8	 122 */		sllx	%o3,3,%o3
+/* 0x02cc	 120 */		add	%g5,%o1,%o1
+/* 0x02d0	 119 */		fdtox	%f0,%f0
+/* 0x02d4	     */		std	%f0,[%sp+2231]
+/* 0x02d8	 123 */		sllx	%o2,16,%o2
+/* 0x02dc	     */		add	%o1,%o2,%o2
+/* 0x02e0	 128 */		add	%i1,2,%i1
+/* 0x02e4	 122 */		ldd	[%g4+%o3],%f0
+/* 0x02e8	 124 */		srax	%o2,32,%g2
+/* 0x02ec	 125 */		and	%o2,%g3,%o3
+/* 0x02f0	 124 */		srax	%i2,16,%o1
+/* 0x02f4	 128 */		add	%i0,2,%i0
+/* 0x02f8	 122 */		fdtox	%f0,%f0
+/* 0x02fc	     */		std	%f0,[%sp+2223]
+/* 0x0300	 125 */		sra	%o0,0,%o2
+/* 0x0304	     */		sllx	%o2,2,%o2
+/* 0x0308	 124 */		add	%o1,%g2,%g5
+/* 0x030c	 121 */		srax	%i3,32,%g2
+/* 0x0310	 128 */		add	%o0,1,%o0
+/* 0x0314	 124 */		add	%g2,%g5,%g5
+/* 0x0318	 128 */		cmp	%o0,%o7
+/* 0x031c	 119 */		ldx	[%sp+2231],%o4
+/* 0x0320	 122 */		ldx	[%sp+2223],%i2
+/* 0x0324	 125 */		st	%o3,[%g1+%o2]
+/* 0x0328	 127 */		or	%g0,%o4,%i3
+/* 0x032c	 128 */		ble,pt	%icc,.L900000112
+/* 0x0330	     */		sra	%i1,0,%o2
+                       .L77000127:
+
+!  129		      !   }
+!  130		      !     t1+=a&0xffffffff;
+!  131		      !     t=(a>>32);
+!  132		      !     t1+=(b&0xffff)<<16;
+!  133		      !     i32[i]=t1&0xffffffff;
+
+/* 0x0334	 133 */		sethi	%hi(0xfc00),%g2
+                       .L900000113:
+/* 0x0338	 133 */		or	%g0,-1,%g3
+/* 0x033c	     */		add	%g2,1023,%g2
+/* 0x0340	     */		srl	%g3,0,%g3
+/* 0x0344	     */		and	%i2,%g2,%g2
+/* 0x0348	     */		and	%i3,%g3,%g4
+/* 0x034c	     */		sllx	%g2,16,%g2
+/* 0x0350	     */		add	%g5,%g4,%g4
+/* 0x0354	     */		sra	%o0,0,%g5
+/* 0x0358	     */		add	%g4,%g2,%g4
+/* 0x035c	     */		sllx	%g5,2,%g2
+/* 0x0360	     */		and	%g4,%g3,%g3
+/* 0x0364	     */		st	%g3,[%g1+%g2]
+/* 0x0368	     */		ret	! Result = 
+/* 0x036c	     */		restore	%g0,%g0,%g0
+/* 0x0370	   0 */		.type	conv_d16_to_i32,2
+/* 0x0370	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000201:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32
+                       conv_i32_to_d32:
+/* 000000	     */		or	%g0,%o7,%g3
+
+!  135		      !}
+!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!  138		      !{
+!  139		      !int i;
+!  141		      !#pragma pipeloop(0)
+!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	 142 */		cmp	%o2,0
+                       .L900000210:
+/* 0x0008	     */		call	.+8
+/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0010	 142 */		or	%g0,0,%o3
+/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0018	 142 */		sub	%o2,1,%o4
+/* 0x001c	 138 */		add	%g4,%o7,%g1
+/* 0x0020	 142 */		ble,pt	%icc,.L77000140
+/* 0x0024	     */		or	%g0,%g3,%o7
+/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g3
+/* 0x002c	     */		cmp	%o2,12
+/* 0x0030	     */		add	%g3,%lo(.L_const_seg_900000201),%g2
+/* 0x0034	     */		or	%g0,%o1,%g5
+/* 0x0038	     */		ldx	[%g1+%g2],%g4
+/* 0x003c	     */		or	%g0,0,%g1
+/* 0x0040	     */		or	%g0,24,%g2
+/* 0x0044	     */		bl,pn	%icc,.L77000144
+/* 0x0048	     */		or	%g0,0,%g3
+/* 0x004c	     */		ld	[%o1],%f13
+/* 0x0050	     */		or	%g0,7,%o3
+/* 0x0054	     */		ldd	[%g4],%f8
+/* 0x0058	     */		sub	%o2,5,%g3
+/* 0x005c	     */		or	%g0,8,%g1
+/* 0x0060	     */		ld	[%o1+4],%f11
+/* 0x0064	     */		ld	[%o1+8],%f7
+/* 0x0068	     */		fmovs	%f8,%f12
+/* 0x006c	     */		ld	[%o1+12],%f5
+/* 0x0070	     */		fmovs	%f8,%f10
+/* 0x0074	     */		ld	[%o1+16],%f3
+/* 0x0078	     */		fmovs	%f8,%f6
+/* 0x007c	     */		ld	[%o1+20],%f1
+/* 0x0080	     */		fsubd	%f12,%f8,%f12
+/* 0x0084	     */		std	%f12,[%o0]
+/* 0x0088	     */		fsubd	%f10,%f8,%f10
+/* 0x008c	     */		std	%f10,[%o0+8]
+                       .L900000205:
+/* 0x0090	     */		ld	[%o1+%g2],%f11
+/* 0x0094	     */		add	%g1,8,%g1
+/* 0x0098	     */		add	%o3,5,%o3
+/* 0x009c	     */		fsubd	%f6,%f8,%f6
+/* 0x00a0	     */		add	%g2,4,%g2
+/* 0x00a4	     */		std	%f6,[%o0+%g1]
+/* 0x00a8	     */		cmp	%o3,%g3
+/* 0x00ac	     */		fmovs	%f8,%f4
+/* 0x00b0	     */		ld	[%o1+%g2],%f7
+/* 0x00b4	     */		fsubd	%f4,%f8,%f12
+/* 0x00b8	     */		add	%g1,8,%g1
+/* 0x00bc	     */		add	%g2,4,%g2
+/* 0x00c0	     */		fmovs	%f8,%f2
+/* 0x00c4	     */		std	%f12,[%o0+%g1]
+/* 0x00c8	     */		ld	[%o1+%g2],%f5
+/* 0x00cc	     */		fsubd	%f2,%f8,%f12
+/* 0x00d0	     */		add	%g1,8,%g1
+/* 0x00d4	     */		add	%g2,4,%g2
+/* 0x00d8	     */		fmovs	%f8,%f0
+/* 0x00dc	     */		std	%f12,[%o0+%g1]
+/* 0x00e0	     */		ld	[%o1+%g2],%f3
+/* 0x00e4	     */		fsubd	%f0,%f8,%f12
+/* 0x00e8	     */		add	%g1,8,%g1
+/* 0x00ec	     */		add	%g2,4,%g2
+/* 0x00f0	     */		fmovs	%f8,%f10
+/* 0x00f4	     */		std	%f12,[%o0+%g1]
+/* 0x00f8	     */		ld	[%o1+%g2],%f1
+/* 0x00fc	     */		fsubd	%f10,%f8,%f10
+/* 0x0100	     */		add	%g1,8,%g1
+/* 0x0104	     */		add	%g2,4,%g2
+/* 0x0108	     */		std	%f10,[%o0+%g1]
+/* 0x010c	     */		ble,pt	%icc,.L900000205
+/* 0x0110	     */		fmovs	%f8,%f6
+                       .L900000208:
+/* 0x0114	     */		fmovs	%f8,%f4
+/* 0x0118	     */		ld	[%o1+%g2],%f11
+/* 0x011c	     */		add	%g1,8,%g3
+/* 0x0120	     */		fmovs	%f8,%f2
+/* 0x0124	     */		add	%g1,16,%g1
+/* 0x0128	     */		cmp	%o3,%o4
+/* 0x012c	     */		fmovs	%f8,%f0
+/* 0x0130	     */		add	%g1,8,%o1
+/* 0x0134	     */		add	%g1,16,%o2
+/* 0x0138	     */		fmovs	%f8,%f10
+/* 0x013c	     */		add	%g1,24,%g2
+/* 0x0140	     */		fsubd	%f6,%f8,%f6
+/* 0x0144	     */		std	%f6,[%o0+%g3]
+/* 0x0148	     */		fsubd	%f4,%f8,%f4
+/* 0x014c	     */		std	%f4,[%o0+%g1]
+/* 0x0150	     */		sra	%o3,0,%g1
+/* 0x0154	     */		fsubd	%f2,%f8,%f2
+/* 0x0158	     */		std	%f2,[%o0+%o1]
+/* 0x015c	     */		sllx	%g1,2,%g3
+/* 0x0160	     */		fsubd	%f0,%f8,%f0
+/* 0x0164	     */		std	%f0,[%o0+%o2]
+/* 0x0168	     */		fsubd	%f10,%f8,%f0
+/* 0x016c	     */		bg,pn	%icc,.L77000140
+/* 0x0170	     */		std	%f0,[%o0+%g2]
+                       .L77000144:
+/* 0x0174	     */		ldd	[%g4],%f8
+                       .L900000211:
+/* 0x0178	     */		ld	[%g5+%g3],%f13
+/* 0x017c	     */		sllx	%g1,3,%g2
+/* 0x0180	     */		add	%o3,1,%o3
+/* 0x0184	     */		sra	%o3,0,%g1
+/* 0x0188	     */		cmp	%o3,%o4
+/* 0x018c	     */		fmovs	%f8,%f12
+/* 0x0190	     */		sllx	%g1,2,%g3
+/* 0x0194	     */		fsubd	%f12,%f8,%f0
+/* 0x0198	     */		std	%f0,[%o0+%g2]
+/* 0x019c	     */		ble,a,pt	%icc,.L900000211
+/* 0x01a0	     */		ldd	[%g4],%f8
+                       .L77000140:
+/* 0x01a4	     */		retl	! Result = 
+/* 0x01a8	     */		nop
+/* 0x01ac	   0 */		.type	conv_i32_to_d32,2
+/* 0x01ac	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000301:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d16
+                       conv_i32_to_d16:
+/* 000000	     */		save	%sp,-192,%sp
+                       .L900000310:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+
+!  143		      !}
+!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  147		      !{
+!  148		      !int i;
+!  149		      !unsigned int a;
+!  151		      !#pragma pipeloop(0)
+!  152		      ! for(i=0;i<len;i++)
+
+/* 0x000c	 152 */		cmp	%i2,0
+/* 0x0010	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x0014	 152 */		ble,pt	%icc,.L77000150
+/* 0x0018	     */		add	%g3,%o7,%o0
+
+!  153		      !   {
+!  154		      !     a=i32[i];
+!  155		      !     d16[2*i]=(double)(a&0xffff);
+!  156		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x001c	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
+/* 0x0020	 147 */		or	%g0,%i2,%o1
+/* 0x0024	 152 */		sethi	%hi(0xfc00),%g3
+/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%g2
+/* 0x002c	 152 */		or	%g0,%o1,%g4
+/* 0x0030	 156 */		ldx	[%o0+%g2],%o5
+/* 0x0034	 152 */		add	%g3,1023,%g1
+/* 0x0038	 147 */		or	%g0,%i1,%o7
+/* 0x003c	 152 */		or	%g0,0,%i2
+/* 0x0040	     */		sub	%o1,1,%g5
+/* 0x0044	     */		or	%g0,0,%g3
+/* 0x0048	     */		or	%g0,1,%g2
+/* 0x004c	 154 */		or	%g0,0,%o2
+/* 0x0050	     */		cmp	%g4,6
+/* 0x0054	 152 */		bl,pn	%icc,.L77000154
+/* 0x0058	     */		ldd	[%o5],%f0
+/* 0x005c	     */		sub	%o1,2,%o3
+/* 0x0060	     */		or	%g0,16,%o2
+/* 0x0064	 154 */		ld	[%i1],%o4
+/* 0x0068	 156 */		or	%g0,3,%g2
+/* 0x006c	     */		or	%g0,2,%g3
+/* 0x0070	 155 */		fmovs	%f0,%f2
+/* 0x0074	 156 */		or	%g0,4,%i2
+/* 0x0078	 155 */		and	%o4,%g1,%o0
+/* 0x007c	     */		st	%o0,[%sp+2227]
+/* 0x0080	     */		fmovs	%f0,%f4
+/* 0x0084	 156 */		srl	%o4,16,%i4
+/* 0x0088	 152 */		or	%g0,12,%o4
+/* 0x008c	     */		or	%g0,24,%o0
+/* 0x0090	 155 */		ld	[%sp+2227],%f3
+/* 0x0094	     */		fsubd	%f2,%f0,%f2
+/* 0x0098	     */		std	%f2,[%i0]
+/* 0x009c	 156 */		st	%i4,[%sp+2223]
+/* 0x00a0	 154 */		ld	[%o7+4],%o1
+/* 0x00a4	 156 */		fmovs	%f0,%f2
+/* 0x00a8	 155 */		and	%o1,%g1,%i1
+/* 0x00ac	 156 */		ld	[%sp+2223],%f3
+/* 0x00b0	     */		srl	%o1,16,%o1
+/* 0x00b4	     */		fsubd	%f2,%f0,%f2
+/* 0x00b8	     */		std	%f2,[%i0+8]
+/* 0x00bc	     */		st	%o1,[%sp+2223]
+/* 0x00c0	 155 */		st	%i1,[%sp+2227]
+/* 0x00c4	 154 */		ld	[%o7+8],%o1
+/* 0x00c8	 156 */		fmovs	%f0,%f2
+/* 0x00cc	 155 */		and	%o1,%g1,%g4
+/* 0x00d0	     */		ld	[%sp+2227],%f5
+/* 0x00d4	 156 */		srl	%o1,16,%o1
+/* 0x00d8	     */		ld	[%sp+2223],%f3
+/* 0x00dc	     */		st	%o1,[%sp+2223]
+/* 0x00e0	 155 */		fsubd	%f4,%f0,%f4
+/* 0x00e4	     */		st	%g4,[%sp+2227]
+/* 0x00e8	 156 */		fsubd	%f2,%f0,%f2
+/* 0x00ec	 154 */		ld	[%o7+12],%o1
+/* 0x00f0	 155 */		std	%f4,[%i0+16]
+/* 0x00f4	 156 */		std	%f2,[%i0+24]
+                       .L900000306:
+/* 0x00f8	 155 */		ld	[%sp+2227],%f5
+/* 0x00fc	 156 */		add	%i2,2,%i2
+/* 0x0100	     */		add	%g2,4,%g2
+/* 0x0104	     */		ld	[%sp+2223],%f3
+/* 0x0108	     */		cmp	%i2,%o3
+/* 0x010c	     */		add	%g3,4,%g3
+/* 0x0110	 155 */		and	%o1,%g1,%g4
+/* 0x0114	 156 */		srl	%o1,16,%o1
+/* 0x0118	 155 */		st	%g4,[%sp+2227]
+/* 0x011c	 156 */		st	%o1,[%sp+2223]
+/* 0x0120	 152 */		add	%o4,4,%o1
+/* 0x0124	 154 */		ld	[%o7+%o1],%o4
+/* 0x0128	 156 */		fmovs	%f0,%f2
+/* 0x012c	 155 */		fmovs	%f0,%f4
+/* 0x0130	     */		fsubd	%f4,%f0,%f4
+/* 0x0134	 152 */		add	%o2,16,%o2
+/* 0x0138	 156 */		fsubd	%f2,%f0,%f2
+/* 0x013c	 155 */		std	%f4,[%i0+%o2]
+/* 0x0140	 152 */		add	%o0,16,%o0
+/* 0x0144	 156 */		std	%f2,[%i0+%o0]
+/* 0x0148	 155 */		ld	[%sp+2227],%f5
+/* 0x014c	 156 */		ld	[%sp+2223],%f3
+/* 0x0150	 155 */		and	%o4,%g1,%g4
+/* 0x0154	 156 */		srl	%o4,16,%o4
+/* 0x0158	 155 */		st	%g4,[%sp+2227]
+/* 0x015c	 156 */		st	%o4,[%sp+2223]
+/* 0x0160	 152 */		add	%o1,4,%o4
+/* 0x0164	 154 */		ld	[%o7+%o4],%o1
+/* 0x0168	 156 */		fmovs	%f0,%f2
+/* 0x016c	 155 */		fmovs	%f0,%f4
+/* 0x0170	     */		fsubd	%f4,%f0,%f4
+/* 0x0174	 152 */		add	%o2,16,%o2
+/* 0x0178	 156 */		fsubd	%f2,%f0,%f2
+/* 0x017c	 155 */		std	%f4,[%i0+%o2]
+/* 0x0180	 152 */		add	%o0,16,%o0
+/* 0x0184	 156 */		ble,pt	%icc,.L900000306
+/* 0x0188	     */		std	%f2,[%i0+%o0]
+                       .L900000309:
+/* 0x018c	 155 */		ld	[%sp+2227],%f5
+/* 0x0190	 156 */		fmovs	%f0,%f2
+/* 0x0194	     */		srl	%o1,16,%o3
+/* 0x0198	     */		ld	[%sp+2223],%f3
+/* 0x019c	 155 */		and	%o1,%g1,%i1
+/* 0x01a0	 152 */		add	%o2,16,%g4
+/* 0x01a4	 155 */		fmovs	%f0,%f4
+/* 0x01a8	     */		st	%i1,[%sp+2227]
+/* 0x01ac	 152 */		add	%o0,16,%o2
+/* 0x01b0	 156 */		st	%o3,[%sp+2223]
+/* 0x01b4	 154 */		sra	%i2,0,%o3
+/* 0x01b8	 152 */		add	%g4,16,%o1
+/* 0x01bc	 155 */		fsubd	%f4,%f0,%f4
+/* 0x01c0	     */		std	%f4,[%i0+%g4]
+/* 0x01c4	 152 */		add	%o0,32,%o0
+/* 0x01c8	 156 */		fsubd	%f2,%f0,%f2
+/* 0x01cc	     */		std	%f2,[%i0+%o2]
+/* 0x01d0	     */		sllx	%o3,2,%o2
+/* 0x01d4	 155 */		ld	[%sp+2227],%f5
+/* 0x01d8	 156 */		cmp	%i2,%g5
+/* 0x01dc	     */		add	%g2,6,%g2
+/* 0x01e0	     */		ld	[%sp+2223],%f3
+/* 0x01e4	     */		add	%g3,6,%g3
+/* 0x01e8	 155 */		fmovs	%f0,%f4
+/* 0x01ec	 156 */		fmovs	%f0,%f2
+/* 0x01f0	 155 */		fsubd	%f4,%f0,%f4
+/* 0x01f4	     */		std	%f4,[%i0+%o1]
+/* 0x01f8	 156 */		fsubd	%f2,%f0,%f0
+/* 0x01fc	     */		bg,pn	%icc,.L77000150
+/* 0x0200	     */		std	%f0,[%i0+%o0]
+                       .L77000154:
+/* 0x0204	 155 */		ldd	[%o5],%f0
+                       .L900000311:
+/* 0x0208	 154 */		ld	[%o7+%o2],%o0
+/* 0x020c	 155 */		sra	%g3,0,%o1
+/* 0x0210	     */		fmovs	%f0,%f2
+/* 0x0214	     */		sllx	%o1,3,%o2
+/* 0x0218	 156 */		add	%i2,1,%i2
+/* 0x021c	 155 */		and	%o0,%g1,%o1
+/* 0x0220	     */		st	%o1,[%sp+2227]
+/* 0x0224	 156 */		add	%g3,2,%g3
+/* 0x0228	     */		srl	%o0,16,%o1
+/* 0x022c	     */		cmp	%i2,%g5
+/* 0x0230	     */		sra	%g2,0,%o0
+/* 0x0234	     */		add	%g2,2,%g2
+/* 0x0238	     */		sllx	%o0,3,%o0
+/* 0x023c	 155 */		ld	[%sp+2227],%f3
+/* 0x0240	 154 */		sra	%i2,0,%o3
+/* 0x0244	 155 */		fsubd	%f2,%f0,%f2
+/* 0x0248	     */		std	%f2,[%i0+%o2]
+/* 0x024c	     */		sllx	%o3,2,%o2
+/* 0x0250	 156 */		st	%o1,[%sp+2223]
+/* 0x0254	     */		fmovs	%f0,%f2
+/* 0x0258	     */		ld	[%sp+2223],%f3
+/* 0x025c	     */		fsubd	%f2,%f0,%f0
+/* 0x0260	     */		std	%f0,[%i0+%o0]
+/* 0x0264	     */		ble,a,pt	%icc,.L900000311
+/* 0x0268	     */		ldd	[%o5],%f0
+                       .L77000150:
+/* 0x026c	     */		ret	! Result = 
+/* 0x0270	     */		restore	%g0,%g0,%g0
+/* 0x0274	   0 */		.type	conv_i32_to_d16,2
+/* 0x0274	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000401:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32_and_d16
+                       conv_i32_to_d32_and_d16:
+/* 000000	     */		save	%sp,-192,%sp
+                       .L900000415:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
+
+!  157		      !   }
+!  158		      !}
+!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  162		      !			     unsigned int *i32, int len)
+!  163		      !{
+!  164		      !int i = 0;
+!  165		      !unsigned int a;
+!  167		      !#pragma pipeloop(0)
+!  168		      !#ifdef RF_INLINE_MACROS
+!  169		      ! for(;i<len-3;i+=4)
+!  170		      !   {
+!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x000c	 172 */		sethi	%hi(Zero),%g2
+/* 0x0010	 163 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
+/* 0x0014	     */		or	%g0,%i3,%g5
+/* 0x0018	     */		add	%g3,%o7,%o3
+/* 0x001c	 172 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	     */		ldx	[%o3+%g2],%o0
+/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0028	 163 */		or	%g0,%i0,%i3
+/* 0x002c	 169 */		sub	%g5,3,%o1
+/* 0x0030	 172 */		sethi	%hi(TwoTo16),%g4
+/* 0x0034	 163 */		or	%g0,%i2,%i0
+/* 0x0038	 172 */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x003c	     */		ldx	[%o3+%g2],%o2
+/* 0x0040	 169 */		cmp	%o1,0
+/* 0x0044	 164 */		or	%g0,0,%i2
+/* 0x0048	 169 */		ble,pt	%icc,.L900000418
+/* 0x004c	     */		cmp	%i2,%g5
+/* 0x0050	     */		ldd	[%o0],%f2
+/* 0x0054	 172 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0058	     */		ldx	[%o3+%g3],%o1
+/* 0x005c	 169 */		sub	%g5,4,%o4
+/* 0x0060	     */		or	%g0,0,%o5
+                       .L900000417:
+/* 0x0064	 172 */		sra	%i2,0,%g2
+/* 0x0068	     */		fmovd	%f2,%f14
+/* 0x006c	     */		ldd	[%o2],%f0
+/* 0x0070	     */		sllx	%g2,2,%g3
+/* 0x0074	     */		fmovd	%f2,%f10
+/* 0x0078	     */		ldd	[%o1],%f16
+/* 0x007c	     */		ld	[%g3+%i0],%f15
+/* 0x0080	     */		add	%i0,%g3,%g3
+/* 0x0084	     */		fmovd	%f2,%f6
+/* 0x0088	     */		ld	[%g3+4],%f11
+/* 0x008c	     */		sra	%o5,0,%g4
+/* 0x0090	     */		add	%i2,4,%i2
+/* 0x0094	     */		ld	[%g3+8],%f7
+/* 0x0098	     */		fxtod	%f14,%f14
+/* 0x009c	     */		sllx	%g2,3,%g2
+/* 0x00a0	     */		ld	[%g3+12],%f3
+/* 0x00a4	     */		fxtod	%f10,%f10
+/* 0x00a8	     */		sllx	%g4,3,%g3
+/* 0x00ac	     */		fxtod	%f6,%f6
+/* 0x00b0	     */		std	%f14,[%g2+%i3]
+/* 0x00b4	     */		add	%i3,%g2,%g4
+/* 0x00b8	     */		fxtod	%f2,%f2
+/* 0x00bc	     */		fmuld	%f0,%f14,%f12
+/* 0x00c0	     */		std	%f2,[%g4+24]
+/* 0x00c4	     */		fmuld	%f0,%f10,%f8
+/* 0x00c8	     */		std	%f10,[%g4+8]
+/* 0x00cc	     */		add	%i1,%g3,%g2
+/* 0x00d0	     */		fmuld	%f0,%f6,%f4
+/* 0x00d4	     */		std	%f6,[%g4+16]
+/* 0x00d8	     */		cmp	%i2,%o4
+/* 0x00dc	     */		fmuld	%f0,%f2,%f0
+/* 0x00e0	     */		fdtox	%f12,%f12
+/* 0x00e4	     */		add	%o5,8,%o5
+/* 0x00e8	     */		fdtox	%f8,%f8
+/* 0x00ec	     */		fdtox	%f4,%f4
+/* 0x00f0	     */		fdtox	%f0,%f0
+/* 0x00f4	     */		fxtod	%f12,%f12
+/* 0x00f8	     */		std	%f12,[%g2+8]
+/* 0x00fc	     */		fxtod	%f8,%f8
+/* 0x0100	     */		std	%f8,[%g2+24]
+/* 0x0104	     */		fxtod	%f4,%f4
+/* 0x0108	     */		std	%f4,[%g2+40]
+/* 0x010c	     */		fxtod	%f0,%f0
+/* 0x0110	     */		std	%f0,[%g2+56]
+/* 0x0114	     */		fmuld	%f12,%f16,%f12
+/* 0x0118	     */		fmuld	%f8,%f16,%f8
+/* 0x011c	     */		fmuld	%f4,%f16,%f4
+/* 0x0120	     */		fsubd	%f14,%f12,%f12
+/* 0x0124	     */		std	%f12,[%g3+%i1]
+/* 0x0128	     */		fmuld	%f0,%f16,%f0
+/* 0x012c	     */		fsubd	%f10,%f8,%f8
+/* 0x0130	     */		std	%f8,[%g2+16]
+/* 0x0134	     */		fsubd	%f6,%f4,%f4
+/* 0x0138	     */		std	%f4,[%g2+32]
+/* 0x013c	     */		fsubd	%f2,%f0,%f0
+/* 0x0140	     */		std	%f0,[%g2+48]
+/* 0x0144	     */		ble,a,pt	%icc,.L900000417
+/* 0x0148	     */		ldd	[%o0],%f2
+                       .L77000159:
+
+!  173		      !   }
+!  174		      !#endif
+!  175		      ! for(;i<len;i++)
+
+/* 0x014c	 175 */		cmp	%i2,%g5
+                       .L900000418:
+/* 0x0150	 175 */		bge,pt	%icc,.L77000164
+/* 0x0154	     */		nop
+
+!  176		      !   {
+!  177		      !     a=i32[i];
+!  178		      !     d32[i]=(double)(i32[i]);
+!  179		      !     d16[2*i]=(double)(a&0xffff);
+!  180		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
+/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%g2
+/* 0x0160	 175 */		sethi	%hi(0xfc00),%g3
+/* 0x0164	 180 */		ldx	[%o3+%g2],%g1
+/* 0x0168	 175 */		sll	%i2,1,%i4
+/* 0x016c	     */		sub	%g5,%i2,%g4
+/* 0x0170	 177 */		sra	%i2,0,%o3
+/* 0x0174	 175 */		add	%g3,1023,%g3
+/* 0x0178	 178 */		ldd	[%g1],%f2
+/* 0x017c	     */		sllx	%o3,2,%o2
+/* 0x0180	 175 */		add	%i4,1,%g2
+/* 0x0184	 177 */		or	%g0,%o3,%o1
+/* 0x0188	     */		cmp	%g4,6
+/* 0x018c	 175 */		bl,pn	%icc,.L77000161
+/* 0x0190	     */		sra	%i2,0,%o3
+/* 0x0194	 177 */		or	%g0,%o2,%o0
+/* 0x0198	 178 */		ld	[%i0+%o2],%f5
+/* 0x019c	 179 */		fmovs	%f2,%f8
+/* 0x01a0	 175 */		add	%o0,4,%o3
+/* 0x01a4	 177 */		ld	[%i0+%o0],%o7
+/* 0x01a8	 180 */		fmovs	%f2,%f6
+/* 0x01ac	 178 */		fmovs	%f2,%f4
+/* 0x01b0	     */		sllx	%o1,3,%o2
+/* 0x01b4	 175 */		add	%o3,4,%o5
+/* 0x01b8	 179 */		sra	%i4,0,%o0
+/* 0x01bc	 175 */		add	%o3,8,%o4
+/* 0x01c0	 178 */		fsubd	%f4,%f2,%f4
+/* 0x01c4	     */		std	%f4,[%i3+%o2]
+/* 0x01c8	 179 */		sllx	%o0,3,%i5
+/* 0x01cc	     */		and	%o7,%g3,%o0
+/* 0x01d0	     */		st	%o0,[%sp+2227]
+/* 0x01d4	 175 */		add	%i5,16,%o1
+/* 0x01d8	 180 */		srl	%o7,16,%g4
+/* 0x01dc	     */		add	%i2,1,%i2
+/* 0x01e0	     */		sra	%g2,0,%o0
+/* 0x01e4	 175 */		add	%o2,8,%o2
+/* 0x01e8	 179 */		fmovs	%f2,%f4
+/* 0x01ec	 180 */		sllx	%o0,3,%l0
+/* 0x01f0	     */		add	%i4,3,%g2
+/* 0x01f4	 179 */		ld	[%sp+2227],%f5
+/* 0x01f8	 175 */		add	%l0,16,%o0
+/* 0x01fc	 180 */		add	%i4,2,%i4
+/* 0x0200	 175 */		sub	%g5,1,%o7
+/* 0x0204	 180 */		add	%i2,3,%i2
+/* 0x0208	 179 */		fsubd	%f4,%f2,%f4
+/* 0x020c	     */		std	%f4,[%i1+%i5]
+/* 0x0210	 180 */		st	%g4,[%sp+2223]
+/* 0x0214	 177 */		ld	[%i0+%o3],%i5
+/* 0x0218	 180 */		fmovs	%f2,%f4
+/* 0x021c	     */		srl	%i5,16,%g4
+/* 0x0220	 179 */		and	%i5,%g3,%i5
+/* 0x0224	 180 */		ld	[%sp+2223],%f5
+/* 0x0228	     */		fsubd	%f4,%f2,%f4
+/* 0x022c	     */		std	%f4,[%i1+%l0]
+/* 0x0230	     */		st	%g4,[%sp+2223]
+/* 0x0234	 177 */		ld	[%i0+%o5],%g4
+/* 0x0238	 179 */		st	%i5,[%sp+2227]
+/* 0x023c	 178 */		fmovs	%f2,%f4
+/* 0x0240	 180 */		srl	%g4,16,%i5
+/* 0x0244	 179 */		and	%g4,%g3,%g4
+/* 0x0248	 180 */		ld	[%sp+2223],%f7
+/* 0x024c	     */		st	%i5,[%sp+2223]
+/* 0x0250	 178 */		ld	[%i0+%o3],%f5
+/* 0x0254	 180 */		fsubd	%f6,%f2,%f6
+/* 0x0258	 177 */		ld	[%i0+%o4],%o3
+/* 0x025c	 178 */		fsubd	%f4,%f2,%f4
+/* 0x0260	 179 */		ld	[%sp+2227],%f9
+/* 0x0264	 180 */		ld	[%sp+2223],%f1
+/* 0x0268	 179 */		st	%g4,[%sp+2227]
+/* 0x026c	     */		fsubd	%f8,%f2,%f8
+/* 0x0270	     */		std	%f8,[%i1+%o1]
+/* 0x0274	 180 */		std	%f6,[%i1+%o0]
+/* 0x0278	 178 */		std	%f4,[%i3+%o2]
+                       .L900000411:
+/* 0x027c	 179 */		ld	[%sp+2227],%f13
+/* 0x0280	 180 */		srl	%o3,16,%g4
+/* 0x0284	     */		add	%i2,2,%i2
+/* 0x0288	     */		st	%g4,[%sp+2223]
+/* 0x028c	     */		cmp	%i2,%o7
+/* 0x0290	     */		add	%g2,4,%g2
+/* 0x0294	 178 */		ld	[%i0+%o5],%f11
+/* 0x0298	 180 */		add	%i4,4,%i4
+/* 0x029c	 175 */		add	%o4,4,%o5
+/* 0x02a0	 177 */		ld	[%i0+%o5],%g4
+/* 0x02a4	 179 */		and	%o3,%g3,%o3
+/* 0x02a8	     */		st	%o3,[%sp+2227]
+/* 0x02ac	 180 */		fmovs	%f2,%f0
+/* 0x02b0	 179 */		fmovs	%f2,%f12
+/* 0x02b4	 180 */		fsubd	%f0,%f2,%f8
+/* 0x02b8	 179 */		fsubd	%f12,%f2,%f4
+/* 0x02bc	 175 */		add	%o1,16,%o1
+/* 0x02c0	 180 */		ld	[%sp+2223],%f7
+/* 0x02c4	 178 */		fmovs	%f2,%f10
+/* 0x02c8	 179 */		std	%f4,[%i1+%o1]
+/* 0x02cc	 175 */		add	%o0,16,%o0
+/* 0x02d0	 178 */		fsubd	%f10,%f2,%f4
+/* 0x02d4	 175 */		add	%o2,8,%o2
+/* 0x02d8	 180 */		std	%f8,[%i1+%o0]
+/* 0x02dc	 178 */		std	%f4,[%i3+%o2]
+/* 0x02e0	 179 */		ld	[%sp+2227],%f9
+/* 0x02e4	 180 */		srl	%g4,16,%o3
+/* 0x02e8	     */		st	%o3,[%sp+2223]
+/* 0x02ec	 178 */		ld	[%i0+%o4],%f5
+/* 0x02f0	 175 */		add	%o4,8,%o4
+/* 0x02f4	 177 */		ld	[%i0+%o4],%o3
+/* 0x02f8	 179 */		and	%g4,%g3,%g4
+/* 0x02fc	     */		st	%g4,[%sp+2227]
+/* 0x0300	 180 */		fmovs	%f2,%f6
+/* 0x0304	 179 */		fmovs	%f2,%f8
+/* 0x0308	 180 */		fsubd	%f6,%f2,%f6
+/* 0x030c	 179 */		fsubd	%f8,%f2,%f8
+/* 0x0310	 175 */		add	%o1,16,%o1
+/* 0x0314	 180 */		ld	[%sp+2223],%f1
+/* 0x0318	 178 */		fmovs	%f2,%f4
+/* 0x031c	 179 */		std	%f8,[%i1+%o1]
+/* 0x0320	 175 */		add	%o0,16,%o0
+/* 0x0324	 178 */		fsubd	%f4,%f2,%f4
+/* 0x0328	 175 */		add	%o2,8,%o2
+/* 0x032c	 180 */		std	%f6,[%i1+%o0]
+/* 0x0330	     */		bl,pt	%icc,.L900000411
+/* 0x0334	     */		std	%f4,[%i3+%o2]
+                       .L900000414:
+/* 0x0338	 180 */		srl	%o3,16,%o7
+/* 0x033c	     */		st	%o7,[%sp+2223]
+/* 0x0340	 179 */		fmovs	%f2,%f12
+/* 0x0344	 178 */		ld	[%i0+%o5],%f11
+/* 0x0348	 180 */		fmovs	%f2,%f0
+/* 0x034c	 179 */		and	%o3,%g3,%g4
+/* 0x0350	 180 */		fmovs	%f2,%f6
+/* 0x0354	 175 */		add	%o1,16,%o3
+/* 0x0358	     */		add	%o0,16,%o7
+/* 0x035c	 178 */		fmovs	%f2,%f10
+/* 0x0360	 175 */		add	%o2,8,%o2
+/* 0x0364	     */		add	%o1,32,%o5
+/* 0x0368	 179 */		ld	[%sp+2227],%f13
+/* 0x036c	 178 */		fmovs	%f2,%f4
+/* 0x0370	 175 */		add	%o0,32,%o1
+/* 0x0374	 180 */		ld	[%sp+2223],%f7
+/* 0x0378	 175 */		add	%o2,8,%o0
+/* 0x037c	 180 */		cmp	%i2,%g5
+/* 0x0380	 179 */		st	%g4,[%sp+2227]
+/* 0x0384	     */		fsubd	%f12,%f2,%f8
+/* 0x0388	 180 */		add	%g2,6,%g2
+/* 0x038c	 179 */		std	%f8,[%i1+%o3]
+/* 0x0390	 180 */		fsubd	%f0,%f2,%f0
+/* 0x0394	 177 */		sra	%i2,0,%o3
+/* 0x0398	 180 */		std	%f0,[%i1+%o7]
+/* 0x039c	 178 */		fsubd	%f10,%f2,%f0
+/* 0x03a0	 180 */		add	%i4,6,%i4
+/* 0x03a4	 178 */		std	%f0,[%i3+%o2]
+/* 0x03a8	     */		sllx	%o3,2,%o2
+/* 0x03ac	 179 */		ld	[%sp+2227],%f9
+/* 0x03b0	 178 */		ld	[%i0+%o4],%f5
+/* 0x03b4	 179 */		fmovs	%f2,%f8
+/* 0x03b8	     */		fsubd	%f8,%f2,%f0
+/* 0x03bc	     */		std	%f0,[%i1+%o5]
+/* 0x03c0	 180 */		fsubd	%f6,%f2,%f0
+/* 0x03c4	     */		std	%f0,[%i1+%o1]
+/* 0x03c8	 178 */		fsubd	%f4,%f2,%f0
+/* 0x03cc	 180 */		bge,pn	%icc,.L77000164
+/* 0x03d0	     */		std	%f0,[%i3+%o0]
+                       .L77000161:
+/* 0x03d4	 178 */		ldd	[%g1],%f2
+                       .L900000416:
+/* 0x03d8	 178 */		ld	[%i0+%o2],%f5
+/* 0x03dc	 179 */		sra	%i4,0,%o0
+/* 0x03e0	 180 */		add	%i2,1,%i2
+/* 0x03e4	 177 */		ld	[%i0+%o2],%o1
+/* 0x03e8	 178 */		sllx	%o3,3,%o3
+/* 0x03ec	 180 */		add	%i4,2,%i4
+/* 0x03f0	 178 */		fmovs	%f2,%f4
+/* 0x03f4	 179 */		sllx	%o0,3,%o4
+/* 0x03f8	 180 */		cmp	%i2,%g5
+/* 0x03fc	 179 */		and	%o1,%g3,%o0
+/* 0x0400	 178 */		fsubd	%f4,%f2,%f0
+/* 0x0404	     */		std	%f0,[%i3+%o3]
+/* 0x0408	 180 */		srl	%o1,16,%o1
+/* 0x040c	 179 */		st	%o0,[%sp+2227]
+/* 0x0410	 180 */		sra	%g2,0,%o0
+/* 0x0414	     */		add	%g2,2,%g2
+/* 0x0418	 177 */		sra	%i2,0,%o3
+/* 0x041c	 180 */		sllx	%o0,3,%o0
+/* 0x0420	 179 */		fmovs	%f2,%f4
+/* 0x0424	     */		sllx	%o3,2,%o2
+/* 0x0428	     */		ld	[%sp+2227],%f5
+/* 0x042c	     */		fsubd	%f4,%f2,%f0
+/* 0x0430	     */		std	%f0,[%i1+%o4]
+/* 0x0434	 180 */		st	%o1,[%sp+2223]
+/* 0x0438	     */		fmovs	%f2,%f4
+/* 0x043c	     */		ld	[%sp+2223],%f5
+/* 0x0440	     */		fsubd	%f4,%f2,%f0
+/* 0x0444	     */		std	%f0,[%i1+%o0]
+/* 0x0448	     */		bl,a,pt	%icc,.L900000416
+/* 0x044c	     */		ldd	[%g1],%f2
+                       .L77000164:
+/* 0x0450	     */		ret	! Result = 
+/* 0x0454	     */		restore	%g0,%g0,%g0
+/* 0x0458	   0 */		.type	conv_i32_to_d32_and_d16,2
+/* 0x0458	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global adjust_montf_result
+                       adjust_montf_result:
+/* 000000	     */		save	%sp,-176,%sp
+/* 0x0004	     */		or	%g0,%i2,%o1
+/* 0x0008	     */		or	%g0,%i0,%i2
+
+!  181		      !   }
+!  182		      !}
+!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  186		      !{
+!  187		      !long long acc;
+!  188		      !int i;
+!  190		      ! if(i32[len]>0) i=-1;
+
+/* 0x000c	 190 */		sra	%o1,0,%g2
+/* 0x0010	     */		or	%g0,-1,%o2
+/* 0x0014	     */		sllx	%g2,2,%g2
+/* 0x0018	     */		ld	[%i2+%g2],%g2
+/* 0x001c	     */		cmp	%g2,0
+/* 0x0020	     */		bleu,pn	%icc,.L77000175
+/* 0x0024	     */		or	%g0,%i1,%i0
+/* 0x0028	     */		ba	.L900000511
+/* 0x002c	     */		cmp	%o2,0
+                       .L77000175:
+
+!  191		      ! else
+!  192		      !   {
+!  193		      !     for(i=len-1; i>=0; i--)
+
+/* 0x0030	 193 */		sub	%o1,1,%o2
+/* 0x0034	     */		cmp	%o2,0
+/* 0x0038	     */		bl,pn	%icc,.L77000182
+/* 0x003c	     */		sra	%o2,0,%g2
+                       .L900000510:
+
+!  194		      !       {
+!  195		      !	 if(i32[i]!=nint[i]) break;
+
+/* 0x0040	 195 */		sllx	%g2,2,%g2
+/* 0x0044	     */		sub	%o2,1,%o0
+/* 0x0048	     */		ld	[%i1+%g2],%g3
+/* 0x004c	     */		ld	[%i2+%g2],%g2
+/* 0x0050	     */		cmp	%g2,%g3
+/* 0x0054	     */		bne,pn	%icc,.L77000182
+/* 0x0058	     */		nop
+/* 0x005c	   0 */		or	%g0,%o0,%o2
+/* 0x0060	 195 */		cmp	%o0,0
+/* 0x0064	     */		bge,pt	%icc,.L900000510
+/* 0x0068	     */		sra	%o2,0,%g2
+                       .L77000182:
+
+!  196		      !       }
+!  197		      !   }
+!  198		      ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x006c	 198 */		cmp	%o2,0
+                       .L900000511:
+/* 0x0070	 198 */		bl,pn	%icc,.L77000198
+/* 0x0074	     */		sra	%o2,0,%g2
+/* 0x0078	     */		sllx	%g2,2,%g2
+/* 0x007c	     */		ld	[%i1+%g2],%g3
+/* 0x0080	     */		ld	[%i2+%g2],%g2
+/* 0x0084	     */		cmp	%g2,%g3
+/* 0x0088	     */		bleu,pt	%icc,.L77000191
+/* 0x008c	     */		nop
+                       .L77000198:
+
+!  199		      !   {
+!  200		      !     acc=0;
+!  201		      !     for(i=0;i<len;i++)
+
+/* 0x0090	 201 */		cmp	%o1,0
+/* 0x0094	     */		ble,pt	%icc,.L77000191
+/* 0x0098	     */		nop
+/* 0x009c	 198 */		or	%g0,-1,%g2
+/* 0x00a0	 201 */		or	%g0,%o1,%g3
+/* 0x00a4	 198 */		srl	%g2,0,%g2
+/* 0x00a8	     */		sub	%o1,1,%g4
+/* 0x00ac	     */		cmp	%o1,9
+/* 0x00b0	 201 */		or	%g0,0,%i1
+/* 0x00b4	 200 */		or	%g0,0,%g5
+
+!  202		      !       {
+!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00b8	 203 */		or	%g0,0,%o1
+/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
+/* 0x00c0	     */		sub	%g3,4,%o7
+/* 0x00c4	 203 */		ld	[%i2],%o1
+
+!  204		      !	 i32[i]=acc&0xffffffff;
+!  205		      !	 acc=acc>>32;
+
+/* 0x00c8	 205 */		or	%g0,5,%i1
+/* 0x00cc	 203 */		ld	[%i0],%o2
+/* 0x00d0	 201 */		or	%g0,8,%o5
+/* 0x00d4	     */		or	%g0,12,%o4
+/* 0x00d8	 203 */		ld	[%i0+4],%o3
+/* 0x00dc	 201 */		or	%g0,16,%g1
+/* 0x00e0	 203 */		ld	[%i2+4],%o0
+/* 0x00e4	 201 */		sub	%o1,%o2,%o1
+/* 0x00e8	 203 */		ld	[%i0+8],%i3
+/* 0x00ec	 204 */		and	%o1,%g2,%g5
+/* 0x00f0	     */		st	%g5,[%i2]
+/* 0x00f4	 205 */		srax	%o1,32,%g5
+/* 0x00f8	 201 */		sub	%o0,%o3,%o0
+/* 0x00fc	 203 */		ld	[%i0+12],%o2
+/* 0x0100	 201 */		add	%o0,%g5,%o0
+/* 0x0104	 204 */		and	%o0,%g2,%g5
+/* 0x0108	     */		st	%g5,[%i2+4]
+/* 0x010c	 205 */		srax	%o0,32,%o0
+/* 0x0110	 203 */		ld	[%i2+8],%o1
+/* 0x0114	     */		ld	[%i2+12],%o3
+/* 0x0118	 201 */		sub	%o1,%i3,%o1
+                       .L900000505:
+/* 0x011c	     */		add	%g1,4,%g3
+/* 0x0120	 203 */		ld	[%g1+%i2],%g5
+/* 0x0124	 201 */		add	%o1,%o0,%o0
+/* 0x0128	 203 */		ld	[%i0+%g1],%i3
+/* 0x012c	 201 */		sub	%o3,%o2,%o1
+/* 0x0130	 204 */		and	%o0,%g2,%o2
+/* 0x0134	     */		st	%o2,[%o5+%i2]
+/* 0x0138	 205 */		srax	%o0,32,%o2
+/* 0x013c	     */		add	%i1,4,%i1
+/* 0x0140	 201 */		add	%g1,8,%o5
+/* 0x0144	 203 */		ld	[%g3+%i2],%o0
+/* 0x0148	 201 */		add	%o1,%o2,%o1
+/* 0x014c	 203 */		ld	[%i0+%g3],%o3
+/* 0x0150	 201 */		sub	%g5,%i3,%o2
+/* 0x0154	 204 */		and	%o1,%g2,%g5
+/* 0x0158	     */		st	%g5,[%o4+%i2]
+/* 0x015c	 205 */		srax	%o1,32,%g5
+/* 0x0160	     */		cmp	%i1,%o7
+/* 0x0164	 201 */		add	%g1,12,%o4
+/* 0x0168	 203 */		ld	[%o5+%i2],%o1
+/* 0x016c	 201 */		add	%o2,%g5,%o2
+/* 0x0170	 203 */		ld	[%i0+%o5],%i3
+/* 0x0174	 201 */		sub	%o0,%o3,%o0
+/* 0x0178	 204 */		and	%o2,%g2,%o3
+/* 0x017c	     */		st	%o3,[%g1+%i2]
+/* 0x0180	 205 */		srax	%o2,32,%g5
+/* 0x0184	 203 */		ld	[%o4+%i2],%o3
+/* 0x0188	 201 */		add	%g1,16,%g1
+/* 0x018c	     */		add	%o0,%g5,%o0
+/* 0x0190	 203 */		ld	[%i0+%o4],%o2
+/* 0x0194	 201 */		sub	%o1,%i3,%o1
+/* 0x0198	 204 */		and	%o0,%g2,%g5
+/* 0x019c	     */		st	%g5,[%g3+%i2]
+/* 0x01a0	 205 */		ble,pt	%icc,.L900000505
+/* 0x01a4	     */		srax	%o0,32,%o0
+                       .L900000508:
+/* 0x01a8	     */		add	%o1,%o0,%g3
+/* 0x01ac	     */		sub	%o3,%o2,%o1
+/* 0x01b0	 203 */		ld	[%g1+%i2],%o0
+/* 0x01b4	     */		ld	[%i0+%g1],%o2
+/* 0x01b8	 205 */		srax	%g3,32,%o7
+/* 0x01bc	 204 */		and	%g3,%g2,%o3
+/* 0x01c0	 201 */		add	%o1,%o7,%o1
+/* 0x01c4	 204 */		st	%o3,[%o5+%i2]
+/* 0x01c8	 205 */		cmp	%i1,%g4
+/* 0x01cc	 201 */		sub	%o0,%o2,%o0
+/* 0x01d0	 204 */		and	%o1,%g2,%o2
+/* 0x01d4	     */		st	%o2,[%o4+%i2]
+/* 0x01d8	 205 */		srax	%o1,32,%o1
+/* 0x01dc	 203 */		sra	%i1,0,%o2
+/* 0x01e0	 201 */		add	%o0,%o1,%o0
+/* 0x01e4	 205 */		srax	%o0,32,%g5
+/* 0x01e8	 204 */		and	%o0,%g2,%o1
+/* 0x01ec	     */		st	%o1,[%g1+%i2]
+/* 0x01f0	 205 */		bg,pn	%icc,.L77000191
+/* 0x01f4	     */		sllx	%o2,2,%o1
+                       .L77000199:
+/* 0x01f8	   0 */		or	%g0,%o1,%g1
+                       .L900000509:
+/* 0x01fc	 203 */		ld	[%o1+%i2],%o0
+/* 0x0200	 205 */		add	%i1,1,%i1
+/* 0x0204	 203 */		ld	[%i0+%o1],%o1
+/* 0x0208	     */		sra	%i1,0,%o2
+/* 0x020c	 205 */		cmp	%i1,%g4
+/* 0x0210	 203 */		add	%g5,%o0,%o0
+/* 0x0214	     */		sub	%o0,%o1,%o0
+/* 0x0218	 205 */		srax	%o0,32,%g5
+/* 0x021c	 204 */		and	%o0,%g2,%o1
+/* 0x0220	     */		st	%o1,[%g1+%i2]
+/* 0x0224	     */		sllx	%o2,2,%o1
+/* 0x0228	 205 */		ble,pt	%icc,.L900000509
+/* 0x022c	     */		or	%g0,%o1,%g1
+                       .L77000191:
+/* 0x0230	     */		ret	! Result = 
+/* 0x0234	     */		restore	%g0,%g0,%g0
+/* 0x0238	   0 */		.type	adjust_montf_result,2
+/* 0x0238	     */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+/* 000000	     */		.skip	24
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global mont_mulf_noconv
+                       mont_mulf_noconv:
+/* 000000	     */		save	%sp,-224,%sp
+                       .L900000643:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
+/* 0x000c	     */		ldx	[%fp+2223],%l0
+
+!  206		      !       }
+!  207		      !   }
+!  208		      !}
+!  213		      !/*
+!  214		      !** the lengths of the input arrays should be at least the following:
+!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  216		      !** all of them should be different from one another
+!  217		      !**
+!  218		      !*/
+!  219		      !void mont_mulf_noconv(unsigned int *result,
+!  220		      !		     double *dm1, double *dm2, double *dt,
+!  221		      !		     double *dn, unsigned int *nint,
+!  222		      !		     int nlen, double dn0)
+!  223		      !{
+!  224		      ! int i, j, jj;
+!  225		      ! int tmp;
+!  226		      ! double digit, m2j, nextm2j, a, b;
+!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  229		      ! pdm1=&(dm1[0]);
+!  230		      ! pdm2=&(dm2[0]);
+!  231		      ! pdn=&(dn[0]);
+!  232		      ! pdm2[2*nlen]=Zero;
+
+/* 0x0010	 232 */		sethi	%hi(Zero),%g2
+/* 0x0014	 223 */		fmovd	%f14,%f30
+/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
+/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	     */		sll	%l0,1,%o3
+/* 0x0024	 223 */		add	%g5,%o7,%o4
+/* 0x0028	 232 */		sra	%o3,0,%g5
+/* 0x002c	     */		ldx	[%o4+%g2],%o7
+
+!  234		      ! if (nlen!=16)
+!  235		      !   {
+!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+/* 0x0030	 239 */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0034	     */		sethi	%hi(TwoTo16),%g4
+/* 0x0038	     */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x003c	 232 */		ldd	[%o7],%f0
+/* 0x0040	 239 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0044	 223 */		or	%g0,%i4,%o0
+/* 0x0048	 232 */		sllx	%g5,3,%g4
+/* 0x004c	 239 */		ldx	[%o4+%g2],%o5
+/* 0x0050	 223 */		or	%g0,%i5,%l3
+/* 0x0054	     */		or	%g0,%i0,%l2
+/* 0x0058	 239 */		ldx	[%o4+%g3],%o4
+/* 0x005c	 234 */		cmp	%l0,16
+/* 0x0060	 232 */		std	%f0,[%i2+%g4]
+/* 0x0064	 234 */		be,pn	%icc,.L77000279
+/* 0x0068	     */		or	%g0,%i3,%l4
+/* 0x006c	 236 */		sll	%l0,2,%g2
+/* 0x0070	 223 */		or	%g0,%o0,%i5
+/* 0x0074	 236 */		add	%g2,2,%o0
+/* 0x0078	 223 */		or	%g0,%i1,%i4
+/* 0x007c	 236 */		cmp	%o0,0
+/* 0x0080	 223 */		or	%g0,%i2,%l1
+/* 0x0084	 236 */		ble,a,pt	%icc,.L900000657
+/* 0x0088	     */		ldd	[%i1],%f6
+
+!  241		      !     pdtj=&(dt[0]);
+!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  243		      !       {
+!  244		      !	 m2j=pdm2[j];
+!  245		      !	 a=pdtj[0]+pdn[0]*digit;
+!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  247		      !	 pdtj[1]=b;
+!  249		      !#pragma pipeloop(0)
+!  250		      !	 for(i=1;i<nlen;i++)
+!  251		      !	   {
+!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  253		      !	   }
+!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  255		      !	 
+!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  257		      !       }
+!  258		      !   }
+!  259		      ! else
+!  260		      !   {
+!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  275		      !     pdn_0=pdn[0];
+!  276		      !     pdm1_0=pdm1[0];
+!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  279		      !     pdtj=&(dt[0]);
+!  281		      !     for(j=0;j<32;j++,pdtj++)
+
+/* 0x008c	 281 */		or	%g0,%o0,%o1
+/* 0x0090	 236 */		sub	%o0,1,%g1
+/* 0x0094	     */		or	%g0,0,%g2
+/* 0x0098	 281 */		cmp	%o1,5
+/* 0x009c	     */		bl,pn	%icc,.L77000280
+/* 0x00a0	     */		or	%g0,8,%o0
+/* 0x00a4	     */		std	%f0,[%i3]
+/* 0x00a8	     */		or	%g0,2,%g2
+/* 0x00ac	     */		sub	%g1,2,%o1
+                       .L900000627:
+/* 0x00b0	     */		add	%o0,8,%g3
+/* 0x00b4	     */		std	%f0,[%i3+%o0]
+/* 0x00b8	     */		add	%g2,3,%g2
+/* 0x00bc	     */		add	%o0,16,%o2
+/* 0x00c0	     */		std	%f0,[%i3+%g3]
+/* 0x00c4	     */		cmp	%g2,%o1
+/* 0x00c8	     */		add	%o0,24,%o0
+/* 0x00cc	     */		ble,pt	%icc,.L900000627
+/* 0x00d0	     */		std	%f0,[%i3+%o2]
+                       .L900000630:
+/* 0x00d4	     */		cmp	%g2,%g1
+/* 0x00d8	     */		bg,pn	%icc,.L77000285
+/* 0x00dc	     */		std	%f0,[%i3+%o0]
+                       .L77000280:
+/* 0x00e0	     */		ldd	[%o7],%f0
+                       .L900000656:
+/* 0x00e4	     */		sra	%g2,0,%o0
+/* 0x00e8	     */		add	%g2,1,%g2
+/* 0x00ec	     */		sllx	%o0,3,%o0
+/* 0x00f0	     */		cmp	%g2,%g1
+/* 0x00f4	     */		std	%f0,[%i3+%o0]
+/* 0x00f8	     */		ble,a,pt	%icc,.L900000656
+/* 0x00fc	     */		ldd	[%o7],%f0
+                       .L77000285:
+/* 0x0100	 238 */		ldd	[%i1],%f6
+                       .L900000657:
+/* 0x0104	 238 */		ldd	[%i2],%f8
+/* 0x0108	 242 */		cmp	%o3,0
+/* 0x010c	     */		sub	%o3,1,%o1
+/* 0x0110	 239 */		ldd	[%o7],%f10
+/* 0x0114	     */		add	%o3,1,%o2
+/* 0x0118	   0 */		or	%g0,0,%i2
+/* 0x011c	 238 */		fmuld	%f6,%f8,%f6
+/* 0x0120	     */		std	%f6,[%i3]
+/* 0x0124	   0 */		or	%g0,0,%g3
+/* 0x0128	 239 */		ldd	[%o5],%f8
+/* 0x012c	   0 */		or	%g0,%o2,%g1
+/* 0x0130	 236 */		sub	%l0,1,%i1
+/* 0x0134	 239 */		ldd	[%o4],%f12
+/* 0x0138	 236 */		or	%g0,1,%g4
+/* 0x013c	     */		fdtox	%f6,%f0
+/* 0x0140	     */		fmovs	%f10,%f0
+/* 0x0144	     */		fxtod	%f0,%f6
+/* 0x0148	 239 */		fmuld	%f6,%f14,%f6
+/* 0x014c	     */		fmuld	%f6,%f8,%f8
+/* 0x0150	     */		fdtox	%f8,%f8
+/* 0x0154	     */		fxtod	%f8,%f8
+/* 0x0158	     */		fmuld	%f8,%f12,%f8
+/* 0x015c	     */		fsubd	%f6,%f8,%f20
+/* 0x0160	 242 */		ble,pt	%icc,.L900000650
+/* 0x0164	     */		sllx	%g5,3,%g2
+/* 0x0168	   0 */		st	%o1,[%sp+2223]
+/* 0x016c	 246 */		ldd	[%i5],%f6
+                       .L900000651:
+/* 0x0170	 246 */		sra	%g4,0,%g2
+/* 0x0174	     */		fmuld	%f6,%f20,%f6
+/* 0x0178	     */		ldd	[%i3],%f12
+/* 0x017c	     */		sllx	%g2,3,%g2
+/* 0x0180	     */		ldd	[%i4],%f8
+/* 0x0184	 250 */		cmp	%l0,1
+/* 0x0188	 246 */		ldd	[%l1+%g2],%f10
+/* 0x018c	 244 */		sra	%i2,0,%g2
+/* 0x0190	     */		add	%i2,1,%i0
+/* 0x0194	 246 */		faddd	%f12,%f6,%f6
+/* 0x0198	     */		ldd	[%o5],%f12
+/* 0x019c	 244 */		sllx	%g2,3,%g2
+/* 0x01a0	 246 */		fmuld	%f8,%f10,%f8
+/* 0x01a4	     */		ldd	[%i3+8],%f10
+/* 0x01a8	     */		srl	%i2,31,%o3
+/* 0x01ac	 244 */		ldd	[%l1+%g2],%f18
+/* 0x01b0	   0 */		or	%g0,1,%l5
+/* 0x01b4	 236 */		or	%g0,2,%g2
+/* 0x01b8	 246 */		fmuld	%f6,%f12,%f6
+/* 0x01bc	 250 */		or	%g0,32,%o1
+/* 0x01c0	     */		or	%g0,48,%o2
+/* 0x01c4	 246 */		faddd	%f10,%f8,%f8
+/* 0x01c8	     */		faddd	%f8,%f6,%f16
+/* 0x01cc	 250 */		ble,pn	%icc,.L77000213
+/* 0x01d0	     */		std	%f16,[%i3+8]
+/* 0x01d4	     */		cmp	%i1,8
+/* 0x01d8	     */		sub	%l0,3,%o3
+/* 0x01dc	     */		bl,pn	%icc,.L77000284
+/* 0x01e0	     */		or	%g0,8,%o0
+/* 0x01e4	 252 */		ldd	[%i5+8],%f0
+/* 0x01e8	     */		or	%g0,6,%l5
+/* 0x01ec	     */		ldd	[%i4+8],%f2
+/* 0x01f0	     */		or	%g0,4,%g2
+/* 0x01f4	 250 */		or	%g0,40,%o0
+/* 0x01f8	 252 */		ldd	[%i5+16],%f8
+/* 0x01fc	     */		fmuld	%f0,%f20,%f10
+/* 0x0200	     */		ldd	[%i4+16],%f4
+/* 0x0204	     */		fmuld	%f2,%f18,%f2
+/* 0x0208	     */		ldd	[%i3+16],%f0
+/* 0x020c	     */		fmuld	%f8,%f20,%f12
+/* 0x0210	     */		ldd	[%i4+24],%f6
+/* 0x0214	     */		fmuld	%f4,%f18,%f4
+/* 0x0218	     */		ldd	[%i5+24],%f8
+/* 0x021c	     */		faddd	%f2,%f10,%f2
+/* 0x0220	     */		ldd	[%i4+32],%f14
+/* 0x0224	     */		fmuld	%f6,%f18,%f10
+/* 0x0228	     */		ldd	[%i5+32],%f6
+/* 0x022c	     */		faddd	%f4,%f12,%f4
+/* 0x0230	     */		ldd	[%i4+40],%f12
+/* 0x0234	     */		faddd	%f0,%f2,%f0
+/* 0x0238	     */		std	%f0,[%i3+16]
+/* 0x023c	     */		ldd	[%i3+32],%f0
+/* 0x0240	     */		ldd	[%i3+48],%f2
+                       .L900000639:
+/* 0x0244	     */		add	%o2,16,%l6
+/* 0x0248	 252 */		ldd	[%i5+%o0],%f22
+/* 0x024c	     */		add	%l5,3,%l5
+/* 0x0250	     */		fmuld	%f8,%f20,%f8
+/* 0x0254	 250 */		add	%o0,8,%o0
+/* 0x0258	 252 */		ldd	[%l6+%i3],%f26
+/* 0x025c	     */		cmp	%l5,%o3
+/* 0x0260	     */		ldd	[%i4+%o0],%f24
+/* 0x0264	     */		faddd	%f0,%f4,%f0
+/* 0x0268	     */		add	%g2,6,%g2
+/* 0x026c	     */		faddd	%f10,%f8,%f10
+/* 0x0270	     */		fmuld	%f14,%f18,%f4
+/* 0x0274	     */		std	%f0,[%o1+%i3]
+/* 0x0278	 250 */		add	%o2,32,%o1
+/* 0x027c	 252 */		ldd	[%i5+%o0],%f8
+/* 0x0280	     */		fmuld	%f6,%f20,%f6
+/* 0x0284	 250 */		add	%o0,8,%o0
+/* 0x0288	 252 */		ldd	[%o1+%i3],%f0
+/* 0x028c	     */		ldd	[%i4+%o0],%f14
+/* 0x0290	     */		faddd	%f2,%f10,%f2
+/* 0x0294	     */		faddd	%f4,%f6,%f10
+/* 0x0298	     */		fmuld	%f12,%f18,%f4
+/* 0x029c	     */		std	%f2,[%o2+%i3]
+/* 0x02a0	 250 */		add	%o2,48,%o2
+/* 0x02a4	 252 */		ldd	[%i5+%o0],%f6
+/* 0x02a8	     */		fmuld	%f22,%f20,%f22
+/* 0x02ac	 250 */		add	%o0,8,%o0
+/* 0x02b0	 252 */		ldd	[%o2+%i3],%f2
+/* 0x02b4	     */		ldd	[%i4+%o0],%f12
+/* 0x02b8	     */		faddd	%f26,%f10,%f10
+/* 0x02bc	     */		std	%f10,[%l6+%i3]
+/* 0x02c0	     */		fmuld	%f24,%f18,%f10
+/* 0x02c4	     */		ble,pt	%icc,.L900000639
+/* 0x02c8	     */		faddd	%f4,%f22,%f4
+                       .L900000642:
+/* 0x02cc	 252 */		fmuld	%f8,%f20,%f24
+/* 0x02d0	     */		faddd	%f0,%f4,%f8
+/* 0x02d4	 250 */		add	%o2,16,%o3
+/* 0x02d8	 252 */		ldd	[%o3+%i3],%f4
+/* 0x02dc	     */		fmuld	%f14,%f18,%f0
+/* 0x02e0	     */		cmp	%l5,%i1
+/* 0x02e4	     */		std	%f8,[%o1+%i3]
+/* 0x02e8	     */		fmuld	%f12,%f18,%f8
+/* 0x02ec	 250 */		add	%o2,32,%o1
+/* 0x02f0	 252 */		faddd	%f10,%f24,%f12
+/* 0x02f4	     */		ldd	[%i5+%o0],%f22
+/* 0x02f8	     */		fmuld	%f6,%f20,%f6
+/* 0x02fc	     */		add	%g2,8,%g2
+/* 0x0300	     */		fmuld	%f22,%f20,%f10
+/* 0x0304	     */		faddd	%f2,%f12,%f2
+/* 0x0308	     */		faddd	%f0,%f6,%f6
+/* 0x030c	     */		ldd	[%o1+%i3],%f0
+/* 0x0310	     */		std	%f2,[%o2+%i3]
+/* 0x0314	     */		faddd	%f8,%f10,%f2
+/* 0x0318	     */		sra	%l5,0,%o2
+/* 0x031c	     */		sllx	%o2,3,%o0
+/* 0x0320	     */		faddd	%f4,%f6,%f4
+/* 0x0324	     */		std	%f4,[%o3+%i3]
+/* 0x0328	     */		faddd	%f0,%f2,%f0
+/* 0x032c	     */		std	%f0,[%o1+%i3]
+/* 0x0330	     */		bg,a,pn	%icc,.L77000213
+/* 0x0334	     */		srl	%i2,31,%o3
+                       .L77000284:
+/* 0x0338	 252 */		ldd	[%i4+%o0],%f2
+                       .L900000655:
+/* 0x033c	 252 */		ldd	[%i5+%o0],%f0
+/* 0x0340	     */		fmuld	%f2,%f18,%f2
+/* 0x0344	     */		sra	%g2,0,%o0
+/* 0x0348	     */		sllx	%o0,3,%o1
+/* 0x034c	     */		add	%l5,1,%l5
+/* 0x0350	     */		fmuld	%f0,%f20,%f4
+/* 0x0354	     */		ldd	[%o1+%i3],%f0
+/* 0x0358	     */		sra	%l5,0,%o2
+/* 0x035c	     */		sllx	%o2,3,%o0
+/* 0x0360	     */		add	%g2,2,%g2
+/* 0x0364	     */		cmp	%l5,%i1
+/* 0x0368	     */		faddd	%f2,%f4,%f2
+/* 0x036c	     */		faddd	%f0,%f2,%f0
+/* 0x0370	     */		std	%f0,[%o1+%i3]
+/* 0x0374	     */		ble,a,pt	%icc,.L900000655
+/* 0x0378	     */		ldd	[%i4+%o0],%f2
+                       .L900000626:
+/* 0x037c	     */		srl	%i2,31,%o3
+/* 0x0380	 252 */		ba	.L900000654
+/* 0x0384	     */		cmp	%g3,30
+                       .L77000213:
+/* 0x0388	 254 */		cmp	%g3,30
+                       .L900000654:
+/* 0x038c	     */		add	%i2,%o3,%o0
+/* 0x0390	 254 */		bne,a,pt	%icc,.L900000653
+/* 0x0394	     */		fdtox	%f16,%f0
+/* 0x0398	 281 */		sra	%o0,1,%g2
+/* 0x039c	     */		add	%g2,1,%g2
+/* 0x03a0	     */		ldd	[%o7],%f0
+/* 0x03a4	     */		sll	%g2,1,%o1
+/* 0x03a8	     */		sll	%g1,1,%g2
+/* 0x03ac	     */		or	%g0,%o1,%o2
+/* 0x03b0	     */		fmovd	%f0,%f2
+/* 0x03b4	     */		or	%g0,%g2,%o0
+/* 0x03b8	     */		cmp	%o1,%o0
+/* 0x03bc	     */		sub	%g2,1,%o0
+/* 0x03c0	     */		bge,pt	%icc,.L77000215
+/* 0x03c4	     */		or	%g0,0,%g3
+/* 0x03c8	 254 */		add	%o1,1,%o1
+/* 0x03cc	 281 */		sra	%o2,0,%g2
+                       .L900000652:
+/* 0x03d0	     */		sllx	%g2,3,%g2
+/* 0x03d4	     */		ldd	[%o7],%f6
+/* 0x03d8	     */		add	%o2,2,%o2
+/* 0x03dc	     */		sra	%o1,0,%g3
+/* 0x03e0	     */		ldd	[%g2+%l4],%f8
+/* 0x03e4	     */		cmp	%o2,%o0
+/* 0x03e8	     */		sllx	%g3,3,%g3
+/* 0x03ec	     */		add	%o1,2,%o1
+/* 0x03f0	     */		ldd	[%l4+%g3],%f10
+/* 0x03f4	     */		fdtox	%f8,%f12
+/* 0x03f8	     */		fdtox	%f10,%f4
+/* 0x03fc	     */		fmovd	%f12,%f8
+/* 0x0400	     */		fmovs	%f6,%f12
+/* 0x0404	     */		fmovs	%f6,%f4
+/* 0x0408	     */		fxtod	%f12,%f6
+/* 0x040c	     */		fxtod	%f4,%f12
+/* 0x0410	     */		fdtox	%f10,%f4
+/* 0x0414	     */		faddd	%f6,%f2,%f6
+/* 0x0418	     */		std	%f6,[%g2+%l4]
+/* 0x041c	     */		faddd	%f12,%f0,%f6
+/* 0x0420	     */		std	%f6,[%l4+%g3]
+/* 0x0424	     */		fitod	%f8,%f2
+/* 0x0428	     */		fitod	%f4,%f0
+/* 0x042c	     */		ble,pt	%icc,.L900000652
+/* 0x0430	     */		sra	%o2,0,%g2
+                       .L77000233:
+/* 0x0434	     */		or	%g0,0,%g3
+                       .L77000215:
+/* 0x0438	     */		fdtox	%f16,%f0
+                       .L900000653:
+/* 0x043c	 256 */		ldd	[%o7],%f6
+/* 0x0440	     */		add	%g4,1,%g4
+/* 0x0444	     */		or	%g0,%i0,%i2
+/* 0x0448	     */		ldd	[%o5],%f8
+/* 0x044c	     */		add	%g3,1,%g3
+/* 0x0450	     */		add	%i3,8,%i3
+/* 0x0454	     */		fmovs	%f6,%f0
+/* 0x0458	     */		ldd	[%o4],%f10
+/* 0x045c	     */		ld	[%sp+2223],%o0
+/* 0x0460	     */		fxtod	%f0,%f6
+/* 0x0464	     */		cmp	%i0,%o0
+/* 0x0468	     */		fmuld	%f6,%f30,%f6
+/* 0x046c	     */		fmuld	%f6,%f8,%f8
+/* 0x0470	     */		fdtox	%f8,%f8
+/* 0x0474	     */		fxtod	%f8,%f8
+/* 0x0478	     */		fmuld	%f8,%f10,%f8
+/* 0x047c	     */		fsubd	%f6,%f8,%f20
+/* 0x0480	     */		ble,a,pt	%icc,.L900000651
+/* 0x0484	     */		ldd	[%i5],%f6
+                       .L900000625:
+/* 0x0488	 256 */		ba	.L900000650
+/* 0x048c	     */		sllx	%g5,3,%g2
+                       .L77000279:
+/* 0x0490	 261 */		ldd	[%i1],%f4
+/* 0x0494	     */		ldd	[%i2],%f6
+/* 0x0498	 273 */		std	%f0,[%i3+8]
+/* 0x049c	     */		std	%f0,[%i3+16]
+/* 0x04a0	 261 */		fmuld	%f4,%f6,%f6
+/* 0x04a4	     */		std	%f6,[%i3]
+/* 0x04a8	 273 */		std	%f0,[%i3+24]
+/* 0x04ac	     */		std	%f0,[%i3+32]
+/* 0x04b0	     */		fdtox	%f6,%f2
+/* 0x04b4	     */		std	%f0,[%i3+40]
+/* 0x04b8	     */		std	%f0,[%i3+48]
+/* 0x04bc	     */		std	%f0,[%i3+56]
+/* 0x04c0	     */		std	%f0,[%i3+64]
+/* 0x04c4	     */		fmovs	%f0,%f2
+/* 0x04c8	     */		std	%f0,[%i3+72]
+/* 0x04cc	     */		std	%f0,[%i3+80]
+/* 0x04d0	     */		std	%f0,[%i3+88]
+/* 0x04d4	     */		std	%f0,[%i3+96]
+/* 0x04d8	     */		std	%f0,[%i3+104]
+/* 0x04dc	     */		std	%f0,[%i3+112]
+/* 0x04e0	     */		std	%f0,[%i3+120]
+/* 0x04e4	     */		std	%f0,[%i3+128]
+/* 0x04e8	     */		std	%f0,[%i3+136]
+/* 0x04ec	     */		std	%f0,[%i3+144]
+/* 0x04f0	     */		std	%f0,[%i3+152]
+/* 0x04f4	     */		std	%f0,[%i3+160]
+/* 0x04f8	     */		std	%f0,[%i3+168]
+/* 0x04fc	     */		fxtod	%f2,%f6
+/* 0x0500	     */		std	%f0,[%i3+176]
+/* 0x0504	 281 */		or	%g0,1,%o2
+/* 0x0508	 273 */		std	%f0,[%i3+184]
+
+!  282		      !       {
+!  284		      !	 m2j=pdm2[j];
+!  285		      !	 a=pdtj[0]+pdn_0*digit;
+!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+
+/* 0x050c	 286 */		sra	%o2,0,%g2
+/* 0x0510	 279 */		or	%g0,%i3,%o3
+/* 0x0514	 273 */		std	%f0,[%i3+192]
+/* 0x0518	 278 */		fmuld	%f6,%f14,%f6
+/* 0x051c	 281 */		or	%g0,0,%g1
+/* 0x0520	 273 */		std	%f0,[%i3+200]
+/* 0x0524	     */		std	%f0,[%i3+208]
+/* 0x0528	     */		std	%f0,[%i3+216]
+/* 0x052c	     */		std	%f0,[%i3+224]
+/* 0x0530	     */		std	%f0,[%i3+232]
+/* 0x0534	     */		std	%f0,[%i3+240]
+/* 0x0538	     */		std	%f0,[%i3+248]
+/* 0x053c	     */		std	%f0,[%i3+256]
+/* 0x0540	     */		std	%f0,[%i3+264]
+/* 0x0544	     */		std	%f0,[%i3+272]
+/* 0x0548	     */		std	%f0,[%i3+280]
+/* 0x054c	     */		std	%f0,[%i3+288]
+/* 0x0550	     */		std	%f0,[%i3+296]
+/* 0x0554	     */		std	%f0,[%i3+304]
+/* 0x0558	     */		std	%f0,[%i3+312]
+/* 0x055c	     */		std	%f0,[%i3+320]
+/* 0x0560	     */		std	%f0,[%i3+328]
+/* 0x0564	     */		std	%f0,[%i3+336]
+/* 0x0568	     */		std	%f0,[%i3+344]
+/* 0x056c	     */		std	%f0,[%i3+352]
+/* 0x0570	     */		std	%f0,[%i3+360]
+/* 0x0574	     */		std	%f0,[%i3+368]
+/* 0x0578	     */		std	%f0,[%i3+376]
+/* 0x057c	     */		std	%f0,[%i3+384]
+/* 0x0580	     */		std	%f0,[%i3+392]
+/* 0x0584	     */		std	%f0,[%i3+400]
+/* 0x0588	     */		std	%f0,[%i3+408]
+/* 0x058c	     */		std	%f0,[%i3+416]
+/* 0x0590	     */		std	%f0,[%i3+424]
+/* 0x0594	     */		std	%f0,[%i3+432]
+/* 0x0598	     */		std	%f0,[%i3+440]
+/* 0x059c	     */		std	%f0,[%i3+448]
+/* 0x05a0	     */		std	%f0,[%i3+456]
+/* 0x05a4	     */		std	%f0,[%i3+464]
+/* 0x05a8	     */		std	%f0,[%i3+472]
+/* 0x05ac	     */		std	%f0,[%i3+480]
+/* 0x05b0	     */		std	%f0,[%i3+488]
+/* 0x05b4	     */		std	%f0,[%i3+496]
+/* 0x05b8	 278 */		ldd	[%o5],%f8
+/* 0x05bc	     */		ldd	[%o4],%f10
+/* 0x05c0	     */		fmuld	%f6,%f8,%f8
+/* 0x05c4	 273 */		std	%f0,[%i3+504]
+/* 0x05c8	     */		std	%f0,[%i3+512]
+/* 0x05cc	     */		std	%f0,[%i3+520]
+/* 0x05d0	     */		fdtox	%f8,%f8
+/* 0x05d4	 275 */		ldd	[%o0],%f0
+/* 0x05d8	     */		fxtod	%f8,%f8
+/* 0x05dc	     */		fmuld	%f8,%f10,%f8
+/* 0x05e0	     */		fsubd	%f6,%f8,%f2
+
+!  287		      !	 pdtj[1]=b;
+!  289		      !	 /**** this loop will be fully unrolled:
+!  290		      !	 for(i=1;i<16;i++)
+!  291		      !	   {
+!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  293		      !	   }
+!  294		      !	 *************************************/
+!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  310		      !	 /* no need for cleenup, cannot overflow */
+!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+
+	fmovd %f2,%f0		! hand modified
+	fmovd %f30,%f18		! hand modified
+	ldd [%o0],%f2
+	ldd [%o3],%f8
+	ldd [%i1],%f10
+	ldd [%o5],%f14		! hand modified
+	ldd [%o4],%f16		! hand modified
+	ldd [%i2],%f24
+
+	ldd [%i1+8],%f26
+	ldd [%i1+16],%f40
+	ldd [%i1+48],%f46
+	ldd [%i1+56],%f30
+	ldd [%i1+64],%f54
+	ldd [%i1+104],%f34
+	ldd [%i1+112],%f58
+
+	ldd [%o0+8],%f28	
+	ldd [%o0+104],%f38
+	ldd [%o0+112],%f60
+
+	.L99999999: 			!1
+	ldd	[%i1+24],%f32
+	fmuld	%f0,%f2,%f4 	!2
+	ldd	[%o0+24],%f36
+	fmuld	%f26,%f24,%f20 	!3
+	ldd	[%i1+40],%f42
+	fmuld	%f28,%f0,%f22 	!4
+	ldd	[%o0+40],%f44
+	fmuld	%f32,%f24,%f32 	!5
+	ldd	[%i2+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36 	!6
+	add	%i2,8,%i2
+	ldd	[%o0+56],%f50
+	fmuld	%f42,%f24,%f42 	!7
+	ldd	[%i1+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44 	!8
+	ldd	[%o3+16],%f22
+	fmuld	%f10,%f6,%f12 	!9
+	ldd	[%o0+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4 !10
+	ldd	[%o3+48],%f36
+	fmuld	%f30,%f24,%f48 	!11
+	ldd	[%o3+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	!12
+	std	%f20,[%o3+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52 	!13
+	ldd	[%o3+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56 	!14
+	ldd	[%i1+88],%f20
+	faddd	%f32,%f36,%f32 	!15
+	ldd	[%o0+88],%f22
+	faddd	%f48,%f50,%f48 	!16
+	ldd	[%o3+112],%f50
+	faddd	%f52,%f56,%f52 	!17
+	ldd	[%o3+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20 	!18
+	std	%f32,[%o3+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22 	!19
+	std	%f42,[%o3+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32 	!20
+	std	%f48,[%o3+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36 	!21
+	ldd	[%i1+120],%f42
+	fdtox	%f8,%f4 		!22
+	std	%f52,[%o3+144]
+	faddd	%f20,%f22,%f20 	!23
+	ldd	[%o0+120],%f44 	!24
+	ldd	[%o3+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42 	!25
+	ldd	[%o0+16],%f50
+	fmovs	%f17,%f4 	!26
+	ldd	[%i1+32],%f52
+	fmuld	%f44,%f0,%f44 	!27
+	ldd	[%o0+32],%f56
+	fmuld	%f40,%f24,%f48 	!28
+	ldd	[%o3+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50 	!29
+	std	%f20,[%o3+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52 	!30
+	ldd	[%o0+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56 	!31
+	ldd	[%o3+240],%f44
+	faddd	%f32,%f36,%f32 	!32
+	std	%f32,[%o3+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20 	!33
+	ldd	[%o3+32],%f50
+	fmuld	%f4,%f18,%f12 	!34
+	ldd	[%o0+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22 	!35
+	ldd	[%o3+64],%f56
+	faddd	%f42,%f44,%f42 	!36
+	std	%f42,[%o3+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32 	!37
+	std	%f48,[%o3+32]
+	fmuld	%f12,%f14,%f4 !38
+	ldd	[%i1+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36 	!39
+	ldd	[%o0+80],%f44
+	faddd	%f20,%f22,%f20 	!40
+	ldd	[%i1+96],%f48
+	fmuld	%f58,%f24,%f52 	!41
+	ldd	[%o0+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42 	!42
+	std	%f56,[%o3+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44 	!43
+	ldd	[%o3+96],%f22
+	fmuld	%f48,%f24,%f48 	!44
+	ldd	[%o3+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50 	!45
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56 	!46
+	add	%o3,8,%o3
+	faddd	%f42,%f44,%f42 	!47
+	ldd	[%o3+160-8],%f44
+	faddd	%f20,%f22,%f20 	!48
+	std	%f20,[%o3+96-8]
+	faddd	%f48,%f50,%f48 	!49
+	ldd	[%o3+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4 	!50
+	ldd	[%o3+224-8],%f56
+	faddd	%f32,%f36,%f32 	!51
+	std	%f32,[%o3+128-8]
+	faddd	%f42,%f44,%f42 	!52
+	add	%g1,1,%g1
+	std	%f42,[%o3+160-8]
+	faddd	%f48,%f50,%f48 	!53
+	cmp	%g1,31
+	std	%f48,[%o3+192-8]
+	fsubd	%f12,%f4,%f0 	!54
+	faddd	%f52,%f56,%f52
+	ble,pt	%icc,.L99999999
+	std	%f52,[%o3+224-8] 	!55
+	std %f8,[%o3]
+!  312		      !       }
+!  313		      !   }
+!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+/* 0x0844	 315 */		sllx	%g5,3,%g2
+                       .L900000650:
+/* 0x0848	 315 */		ldd	[%g2+%l4],%f2
+/* 0x084c	     */		add	%l4,%g2,%o0
+/* 0x0850	     */		or	%g0,0,%g1
+/* 0x0854	     */		ldd	[%o0+8],%f4
+/* 0x0858	     */		or	%g0,0,%i2
+/* 0x085c	     */		cmp	%l0,0
+/* 0x0860	     */		fdtox	%f2,%f2
+/* 0x0864	     */		std	%f2,[%sp+2255]
+/* 0x0868	 311 */		sethi	%hi(0xfc00),%o3
+/* 0x086c	 315 */		fdtox	%f4,%f2
+/* 0x0870	     */		std	%f2,[%sp+2247]
+/* 0x0874	 311 */		or	%g0,-1,%o2
+/* 0x0878	     */		srl	%o2,0,%o5
+/* 0x087c	     */		or	%g0,2,%g5
+/* 0x0880	     */		sub	%l0,1,%g3
+/* 0x0884	     */		or	%g0,%o0,%o7
+/* 0x0888	     */		add	%o3,1023,%o4
+/* 0x088c	 315 */		or	%g0,64,%o3
+/* 0x0890	     */		ldx	[%sp+2255],%i0
+/* 0x0894	     */		sub	%l0,2,%o1
+/* 0x0898	     */		ldx	[%sp+2247],%i1
+/* 0x089c	     */		ble,pt	%icc,.L900000648
+/* 0x08a0	     */		sethi	%hi(0xfc00),%g2
+/* 0x08a4	     */		cmp	%l0,6
+/* 0x08a8	     */		and	%i0,%o5,%o2
+/* 0x08ac	     */		bl,pn	%icc,.L77000287
+/* 0x08b0	     */		or	%g0,3,%g4
+/* 0x08b4	     */		ldd	[%o7+16],%f0
+/* 0x08b8	     */		and	%i1,%o4,%i3
+/* 0x08bc	     */		sllx	%i3,16,%o0
+/* 0x08c0	     */		or	%g0,5,%g4
+/* 0x08c4	     */		srax	%i1,16,%i4
+/* 0x08c8	     */		fdtox	%f0,%f0
+/* 0x08cc	     */		std	%f0,[%sp+2239]
+/* 0x08d0	     */		srax	%i0,32,%i1
+/* 0x08d4	     */		add	%o2,%o0,%i5
+/* 0x08d8	     */		ldd	[%o7+24],%f0
+/* 0x08dc	     */		and	%i5,%o5,%l1
+/* 0x08e0	     */		or	%g0,72,%o2
+/* 0x08e4	     */		or	%g0,4,%o0
+/* 0x08e8	     */		or	%g0,4,%g5
+/* 0x08ec	     */		ldx	[%sp+2239],%g1
+/* 0x08f0	     */		fdtox	%f0,%f0
+/* 0x08f4	     */		or	%g0,4,%i2
+/* 0x08f8	     */		std	%f0,[%sp+2231]
+/* 0x08fc	     */		ldd	[%o7+40],%f2
+/* 0x0900	     */		and	%g1,%o5,%i3
+/* 0x0904	     */		ldd	[%o7+32],%f0
+/* 0x0908	     */		srax	%g1,32,%g1
+/* 0x090c	     */		ldd	[%o7+56],%f4
+/* 0x0910	     */		fdtox	%f2,%f2
+/* 0x0914	     */		ldx	[%sp+2231],%g2
+/* 0x0918	     */		fdtox	%f0,%f0
+/* 0x091c	     */		st	%l1,[%l2]
+/* 0x0920	     */		srax	%i5,32,%l1
+/* 0x0924	     */		fdtox	%f4,%f4
+/* 0x0928	     */		std	%f2,[%sp+2231]
+/* 0x092c	     */		and	%g2,%o4,%i5
+/* 0x0930	     */		add	%i4,%l1,%i4
+/* 0x0934	     */		std	%f0,[%sp+2239]
+/* 0x0938	     */		sllx	%i5,16,%i0
+/* 0x093c	     */		add	%i1,%i4,%i1
+/* 0x0940	     */		ldd	[%o7+48],%f2
+/* 0x0944	     */		srax	%g2,16,%g2
+/* 0x0948	     */		add	%i3,%i0,%i0
+/* 0x094c	     */		ldd	[%o7+72],%f0
+/* 0x0950	     */		add	%i0,%i1,%i3
+/* 0x0954	     */		srax	%i3,32,%i4
+/* 0x0958	     */		fdtox	%f2,%f2
+/* 0x095c	     */		and	%i3,%o5,%i3
+/* 0x0960	     */		ldx	[%sp+2231],%i1
+/* 0x0964	     */		add	%g2,%i4,%g2
+/* 0x0968	     */		ldx	[%sp+2239],%i0
+/* 0x096c	     */		add	%g1,%g2,%g1
+/* 0x0970	     */		std	%f2,[%sp+2239]
+/* 0x0974	     */		std	%f4,[%sp+2231]
+/* 0x0978	     */		ldd	[%o7+64],%f2
+/* 0x097c	     */		st	%i3,[%l2+4]
+                       .L900000631:
+/* 0x0980	     */		ldx	[%sp+2231],%i3
+/* 0x0984	     */		add	%i2,2,%i2
+/* 0x0988	     */		add	%g4,4,%g4
+/* 0x098c	     */		ldx	[%sp+2239],%i5
+/* 0x0990	     */		add	%o2,16,%o2
+/* 0x0994	     */		and	%i1,%o4,%g2
+/* 0x0998	     */		sllx	%g2,16,%i4
+/* 0x099c	     */		and	%i0,%o5,%g2
+/* 0x09a0	     */		ldd	[%o7+%o2],%f4
+/* 0x09a4	     */		fdtox	%f0,%f0
+/* 0x09a8	     */		std	%f0,[%sp+2231]
+/* 0x09ac	     */		srax	%i1,16,%i1
+/* 0x09b0	     */		add	%g2,%i4,%g2
+/* 0x09b4	     */		fdtox	%f2,%f0
+/* 0x09b8	     */		add	%o3,16,%o3
+/* 0x09bc	     */		std	%f0,[%sp+2239]
+/* 0x09c0	     */		add	%g2,%g1,%g1
+/* 0x09c4	     */		ldd	[%o7+%o3],%f2
+/* 0x09c8	     */		srax	%g1,32,%i4
+/* 0x09cc	     */		cmp	%i2,%o1
+/* 0x09d0	     */		srax	%i0,32,%g2
+/* 0x09d4	     */		add	%i1,%i4,%i0
+/* 0x09d8	     */		add	%g2,%i0,%i4
+/* 0x09dc	     */		add	%o0,4,%o0
+/* 0x09e0	     */		and	%g1,%o5,%g2
+/* 0x09e4	     */		or	%g0,%i5,%g1
+/* 0x09e8	     */		st	%g2,[%l2+%o0]
+/* 0x09ec	     */		add	%g5,4,%g5
+/* 0x09f0	     */		ldx	[%sp+2231],%i1
+/* 0x09f4	     */		ldx	[%sp+2239],%i0
+/* 0x09f8	     */		add	%o2,16,%o2
+/* 0x09fc	     */		and	%i3,%o4,%g2
+/* 0x0a00	     */		sllx	%g2,16,%i5
+/* 0x0a04	     */		and	%g1,%o5,%g2
+/* 0x0a08	     */		ldd	[%o7+%o2],%f0
+/* 0x0a0c	     */		fdtox	%f4,%f4
+/* 0x0a10	     */		std	%f4,[%sp+2231]
+/* 0x0a14	     */		srax	%i3,16,%i3
+/* 0x0a18	     */		add	%g2,%i5,%g2
+/* 0x0a1c	     */		fdtox	%f2,%f2
+/* 0x0a20	     */		add	%o3,16,%o3
+/* 0x0a24	     */		std	%f2,[%sp+2239]
+/* 0x0a28	     */		add	%g2,%i4,%g2
+/* 0x0a2c	     */		ldd	[%o7+%o3],%f2
+/* 0x0a30	     */		srax	%g2,32,%i4
+/* 0x0a34	     */		srax	%g1,32,%g1
+/* 0x0a38	     */		add	%i3,%i4,%i3
+/* 0x0a3c	     */		add	%g1,%i3,%g1
+/* 0x0a40	     */		add	%o0,4,%o0
+/* 0x0a44	     */		and	%g2,%o5,%g2
+/* 0x0a48	     */		ble,pt	%icc,.L900000631
+/* 0x0a4c	     */		st	%g2,[%l2+%o0]
+                       .L900000634:
+/* 0x0a50	     */		srax	%i1,16,%i5
+/* 0x0a54	     */		ldx	[%sp+2231],%o1
+/* 0x0a58	     */		and	%i1,%o4,%i3
+/* 0x0a5c	     */		sllx	%i3,16,%i3
+/* 0x0a60	     */		ldx	[%sp+2239],%i4
+/* 0x0a64	     */		and	%i0,%o5,%g2
+/* 0x0a68	     */		add	%g2,%i3,%g2
+/* 0x0a6c	     */		and	%o1,%o4,%i3
+/* 0x0a70	     */		fdtox	%f0,%f4
+/* 0x0a74	     */		sllx	%i3,16,%i3
+/* 0x0a78	     */		std	%f4,[%sp+2231]
+/* 0x0a7c	     */		add	%g2,%g1,%g2
+/* 0x0a80	     */		srax	%g2,32,%l1
+/* 0x0a84	     */		and	%i4,%o5,%i1
+/* 0x0a88	     */		fdtox	%f2,%f0
+/* 0x0a8c	     */		srax	%i0,32,%g1
+/* 0x0a90	     */		std	%f0,[%sp+2239]
+/* 0x0a94	     */		add	%i5,%l1,%i0
+/* 0x0a98	     */		srax	%o1,16,%o1
+/* 0x0a9c	     */		add	%g1,%i0,%i0
+/* 0x0aa0	     */		add	%o0,4,%g1
+/* 0x0aa4	     */		add	%i1,%i3,%o0
+/* 0x0aa8	     */		and	%g2,%o5,%g2
+/* 0x0aac	     */		st	%g2,[%l2+%g1]
+/* 0x0ab0	     */		add	%o0,%i0,%o0
+/* 0x0ab4	     */		srax	%o0,32,%i3
+/* 0x0ab8	     */		ldx	[%sp+2231],%i1
+/* 0x0abc	     */		add	%g1,4,%g1
+/* 0x0ac0	     */		ldx	[%sp+2239],%i0
+/* 0x0ac4	     */		and	%o0,%o5,%g2
+/* 0x0ac8	     */		add	%o1,%i3,%o1
+/* 0x0acc	     */		srax	%i4,32,%o0
+/* 0x0ad0	     */		cmp	%i2,%g3
+/* 0x0ad4	     */		st	%g2,[%l2+%g1]
+/* 0x0ad8	     */		bg,pn	%icc,.L77000236
+/* 0x0adc	     */		add	%o0,%o1,%g1
+/* 0x0ae0	     */		add	%g4,6,%g4
+/* 0x0ae4	     */		add	%g5,6,%g5
+                       .L77000287:
+/* 0x0ae8	     */		sra	%g5,0,%o1
+                       .L900000647:
+/* 0x0aec	     */		sllx	%o1,3,%o2
+/* 0x0af0	     */		and	%i0,%o5,%o0
+/* 0x0af4	     */		ldd	[%o7+%o2],%f0
+/* 0x0af8	     */		sra	%g4,0,%o2
+/* 0x0afc	     */		and	%i1,%o4,%o1
+/* 0x0b00	     */		sllx	%o2,3,%o2
+/* 0x0b04	     */		add	%g1,%o0,%o0
+/* 0x0b08	     */		fdtox	%f0,%f0
+/* 0x0b0c	     */		std	%f0,[%sp+2239]
+/* 0x0b10	     */		sllx	%o1,16,%o1
+/* 0x0b14	     */		add	%o0,%o1,%o1
+/* 0x0b18	     */		add	%g5,2,%g5
+/* 0x0b1c	     */		ldd	[%o7+%o2],%f0
+/* 0x0b20	     */		srax	%o1,32,%g1
+/* 0x0b24	     */		and	%o1,%o5,%o2
+/* 0x0b28	     */		srax	%i1,16,%o0
+/* 0x0b2c	     */		add	%g4,2,%g4
+/* 0x0b30	     */		fdtox	%f0,%f0
+/* 0x0b34	     */		std	%f0,[%sp+2231]
+/* 0x0b38	     */		sra	%i2,0,%o1
+/* 0x0b3c	     */		sllx	%o1,2,%o1
+/* 0x0b40	     */		add	%o0,%g1,%g2
+/* 0x0b44	     */		srax	%i0,32,%g1
+/* 0x0b48	     */		add	%i2,1,%i2
+/* 0x0b4c	     */		add	%g1,%g2,%g1
+/* 0x0b50	     */		cmp	%i2,%g3
+/* 0x0b54	     */		ldx	[%sp+2239],%o3
+/* 0x0b58	     */		ldx	[%sp+2231],%i1
+/* 0x0b5c	     */		st	%o2,[%l2+%o1]
+/* 0x0b60	     */		or	%g0,%o3,%i0
+/* 0x0b64	     */		ble,pt	%icc,.L900000647
+/* 0x0b68	     */		sra	%g5,0,%o1
+                       .L77000236:
+/* 0x0b6c	     */		sethi	%hi(0xfc00),%g2
+                       .L900000648:
+/* 0x0b70	     */		or	%g0,-1,%o0
+/* 0x0b74	     */		add	%g2,1023,%g2
+/* 0x0b78	     */		srl	%o0,0,%g3
+/* 0x0b7c	     */		and	%i1,%g2,%g2
+/* 0x0b80	     */		and	%i0,%g3,%g4
+/* 0x0b84	     */		sllx	%g2,16,%g2
+/* 0x0b88	     */		add	%g1,%g4,%g4
+/* 0x0b8c	     */		sra	%i2,0,%g5
+/* 0x0b90	     */		add	%g4,%g2,%g4
+/* 0x0b94	     */		sllx	%g5,2,%g2
+/* 0x0b98	     */		and	%g4,%g3,%g3
+/* 0x0b9c	     */		st	%g3,[%l2+%g2]
+
+!  317		      ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x0ba0	 317 */		sra	%l0,0,%g4
+/* 0x0ba4	     */		sllx	%g4,2,%g2
+/* 0x0ba8	     */		ld	[%l2+%g2],%g2
+/* 0x0bac	     */		cmp	%g2,0
+/* 0x0bb0	     */		bleu,pn	%icc,.L77000241
+/* 0x0bb4	     */		or	%g0,-1,%o1
+/* 0x0bb8	     */		ba	.L900000646
+/* 0x0bbc	     */		cmp	%o1,0
+                       .L77000241:
+/* 0x0bc0	     */		sub	%l0,1,%o1
+/* 0x0bc4	     */		cmp	%o1,0
+/* 0x0bc8	     */		bl,pn	%icc,.L77000244
+/* 0x0bcc	     */		sra	%o1,0,%g2
+                       .L900000645:
+/* 0x0bd0	     */		sllx	%g2,2,%g2
+/* 0x0bd4	     */		sub	%o1,1,%o0
+/* 0x0bd8	     */		ld	[%l3+%g2],%g3
+/* 0x0bdc	     */		ld	[%l2+%g2],%g2
+/* 0x0be0	     */		cmp	%g2,%g3
+/* 0x0be4	     */		bne,pn	%icc,.L77000244
+/* 0x0be8	     */		nop
+/* 0x0bec	   0 */		or	%g0,%o0,%o1
+/* 0x0bf0	 317 */		cmp	%o0,0
+/* 0x0bf4	     */		bge,pt	%icc,.L900000645
+/* 0x0bf8	     */		sra	%o1,0,%g2
+                       .L77000244:
+/* 0x0bfc	     */		cmp	%o1,0
+                       .L900000646:
+/* 0x0c00	     */		bl,pn	%icc,.L77000288
+/* 0x0c04	     */		sra	%o1,0,%g2
+/* 0x0c08	     */		sllx	%g2,2,%g2
+/* 0x0c0c	     */		ld	[%l3+%g2],%g3
+/* 0x0c10	     */		ld	[%l2+%g2],%g2
+/* 0x0c14	     */		cmp	%g2,%g3
+/* 0x0c18	     */		bleu,pt	%icc,.L77000224
+/* 0x0c1c	     */		nop
+                       .L77000288:
+/* 0x0c20	     */		cmp	%l0,0
+/* 0x0c24	     */		ble,pt	%icc,.L77000224
+/* 0x0c28	     */		nop
+/* 0x0c2c	 317 */		or	%g0,-1,%g2
+/* 0x0c30	 315 */		or	%g0,0,%i0
+/* 0x0c34	 317 */		srl	%g2,0,%g2
+/* 0x0c38	 315 */		or	%g0,0,%g4
+/* 0x0c3c	     */		or	%g0,0,%o1
+/* 0x0c40	 317 */		sub	%l0,1,%g5
+/* 0x0c44	     */		cmp	%l0,9
+/* 0x0c48	 315 */		or	%g0,8,%o5
+/* 0x0c4c	     */		bl,pn	%icc,.L77000289
+/* 0x0c50	     */		sub	%l0,4,%o7
+/* 0x0c54	     */		ld	[%l2],%o1
+/* 0x0c58	     */		or	%g0,5,%i0
+/* 0x0c5c	     */		ld	[%l3],%o2
+/* 0x0c60	     */		or	%g0,12,%o4
+/* 0x0c64	     */		or	%g0,16,%g1
+/* 0x0c68	     */		ld	[%l3+4],%o3
+/* 0x0c6c	     */		ld	[%l2+4],%o0
+/* 0x0c70	     */		sub	%o1,%o2,%o1
+/* 0x0c74	     */		ld	[%l3+8],%i1
+/* 0x0c78	     */		and	%o1,%g2,%g4
+/* 0x0c7c	     */		st	%g4,[%l2]
+/* 0x0c80	     */		srax	%o1,32,%g4
+/* 0x0c84	     */		sub	%o0,%o3,%o0
+/* 0x0c88	     */		ld	[%l3+12],%o2
+/* 0x0c8c	     */		add	%o0,%g4,%o0
+/* 0x0c90	     */		and	%o0,%g2,%g4
+/* 0x0c94	     */		st	%g4,[%l2+4]
+/* 0x0c98	     */		srax	%o0,32,%o0
+/* 0x0c9c	     */		ld	[%l2+8],%o1
+/* 0x0ca0	     */		ld	[%l2+12],%o3
+/* 0x0ca4	     */		sub	%o1,%i1,%o1
+                       .L900000635:
+/* 0x0ca8	     */		add	%g1,4,%g3
+/* 0x0cac	     */		ld	[%g1+%l2],%g4
+/* 0x0cb0	     */		add	%o1,%o0,%o0
+/* 0x0cb4	     */		ld	[%l3+%g1],%i1
+/* 0x0cb8	     */		sub	%o3,%o2,%o1
+/* 0x0cbc	     */		and	%o0,%g2,%o2
+/* 0x0cc0	     */		st	%o2,[%o5+%l2]
+/* 0x0cc4	     */		srax	%o0,32,%o2
+/* 0x0cc8	     */		add	%i0,4,%i0
+/* 0x0ccc	     */		add	%g1,8,%o5
+/* 0x0cd0	     */		ld	[%g3+%l2],%o0
+/* 0x0cd4	     */		add	%o1,%o2,%o1
+/* 0x0cd8	     */		ld	[%l3+%g3],%o3
+/* 0x0cdc	     */		sub	%g4,%i1,%o2
+/* 0x0ce0	     */		and	%o1,%g2,%g4
+/* 0x0ce4	     */		st	%g4,[%o4+%l2]
+/* 0x0ce8	     */		srax	%o1,32,%g4
+/* 0x0cec	     */		cmp	%i0,%o7
+/* 0x0cf0	     */		add	%g1,12,%o4
+/* 0x0cf4	     */		ld	[%o5+%l2],%o1
+/* 0x0cf8	     */		add	%o2,%g4,%o2
+/* 0x0cfc	     */		ld	[%l3+%o5],%i1
+/* 0x0d00	     */		sub	%o0,%o3,%o0
+/* 0x0d04	     */		and	%o2,%g2,%o3
+/* 0x0d08	     */		st	%o3,[%g1+%l2]
+/* 0x0d0c	     */		srax	%o2,32,%g4
+/* 0x0d10	     */		ld	[%o4+%l2],%o3
+/* 0x0d14	     */		add	%g1,16,%g1
+/* 0x0d18	     */		add	%o0,%g4,%o0
+/* 0x0d1c	     */		ld	[%l3+%o4],%o2
+/* 0x0d20	     */		sub	%o1,%i1,%o1
+/* 0x0d24	     */		and	%o0,%g2,%g4
+/* 0x0d28	     */		st	%g4,[%g3+%l2]
+/* 0x0d2c	     */		ble,pt	%icc,.L900000635
+/* 0x0d30	     */		srax	%o0,32,%o0
+                       .L900000638:
+/* 0x0d34	     */		add	%o1,%o0,%g3
+/* 0x0d38	     */		sub	%o3,%o2,%o1
+/* 0x0d3c	     */		ld	[%g1+%l2],%o0
+/* 0x0d40	     */		ld	[%l3+%g1],%o2
+/* 0x0d44	     */		srax	%g3,32,%o7
+/* 0x0d48	     */		and	%g3,%g2,%o3
+/* 0x0d4c	     */		add	%o1,%o7,%o1
+/* 0x0d50	     */		st	%o3,[%o5+%l2]
+/* 0x0d54	     */		cmp	%i0,%g5
+/* 0x0d58	     */		sub	%o0,%o2,%o0
+/* 0x0d5c	     */		and	%o1,%g2,%o2
+/* 0x0d60	     */		st	%o2,[%o4+%l2]
+/* 0x0d64	     */		srax	%o1,32,%o1
+/* 0x0d68	     */		sra	%i0,0,%o2
+/* 0x0d6c	     */		add	%o0,%o1,%o0
+/* 0x0d70	     */		srax	%o0,32,%g4
+/* 0x0d74	     */		and	%o0,%g2,%o1
+/* 0x0d78	     */		st	%o1,[%g1+%l2]
+/* 0x0d7c	     */		bg,pn	%icc,.L77000224
+/* 0x0d80	     */		sllx	%o2,2,%o1
+                       .L77000289:
+/* 0x0d84	   0 */		or	%g0,%o1,%g1
+                       .L900000644:
+/* 0x0d88	     */		ld	[%o1+%l2],%o0
+/* 0x0d8c	     */		add	%i0,1,%i0
+/* 0x0d90	     */		ld	[%l3+%o1],%o1
+/* 0x0d94	     */		sra	%i0,0,%o2
+/* 0x0d98	     */		cmp	%i0,%g5
+/* 0x0d9c	     */		add	%g4,%o0,%o0
+/* 0x0da0	     */		sub	%o0,%o1,%o0
+/* 0x0da4	     */		srax	%o0,32,%g4
+/* 0x0da8	     */		and	%o0,%g2,%o1
+/* 0x0dac	     */		st	%o1,[%g1+%l2]
+/* 0x0db0	     */		sllx	%o2,2,%o1
+/* 0x0db4	     */		ble,pt	%icc,.L900000644
+/* 0x0db8	     */		or	%g0,%o1,%g1
+                       .L77000224:
+/* 0x0dbc	     */		ret	! Result = 
+/* 0x0dc0	     */		restore	%g0,%g0,%g0
+/* 0x0dc4	   0 */		.type	mont_mulf_noconv,2
+/* 0x0dc4	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/mp_comba.c b/security/nss/lib/freebl/mpi/mp_comba.c
new file mode 100644
index 000000000..af87c6045
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mp_comba.c
@@ -0,0 +1,1298 @@
+/*
+ * The below file is derived from TFM v0.03.
+ * It contains code from fp_mul_comba.c and
+ * fp_sqr_comba.c, which contained the following license.
+ *
+ * Right now, the assembly in this file limits
+ * this code to AMD 64.
+ *
+ * This file is public domain.
+ */
+
+/* TomsFastMath, a fast ISO C bignum library.
+ * 
+ * This project is meant to fill in where LibTomMath
+ * falls short.  That is speed ;-)
+ *
+ * This project is public domain and free for all purposes.
+ * 
+ * Tom St Denis, tomstdenis@iahu.ca
+ */
+
+
+#include "mpi-priv.h"
+
+
+
+/* clamp digits */
+#define mp_clamp(a)   { while ((a)->used && (a)->dp[(a)->used-1] == 0) --((a)->used); (a)->sign = (a)->used ? (a)->sign : ZPOS; }
+
+/* anything you need at the start */
+#define COMBA_START
+
+/* clear the chaining variables */
+#define COMBA_CLEAR \
+   c0 = c1 = c2 = 0;
+
+/* forward the carry to the next digit */
+#define COMBA_FORWARD \
+   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
+
+/* anything you need at the end */
+#define COMBA_FINI
+
+/* this should multiply i and j  */
+#define MULADD(i, j)                                      \
+__asm__  (                                                    \
+     "movq  %6,%%rax     \n\t"                            \
+     "mulq  %7           \n\t"                            \
+     "addq  %%rax,%0     \n\t"                            \
+     "adcq  %%rdx,%1     \n\t"                            \
+     "adcq  $0,%2        \n\t"                            \
+     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i), "g"(j)  :"%rax","%rdx","%cc");
+
+
+
+
+/* sqr macros only */
+#define CLEAR_CARRY \
+   c0 = c1 = c2 = 0;
+
+#define COMBA_STORE(x) \
+   x = c0;
+
+#define COMBA_STORE2(x) \
+   x = c1;
+
+#define CARRY_FORWARD \
+   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
+
+#define COMBA_FINI
+
+#define SQRADD(i, j)                                      \
+__asm__ (                                                     \
+     "movq  %6,%%rax     \n\t"                            \
+     "mulq  %%rax        \n\t"                            \
+     "addq  %%rax,%0     \n\t"                            \
+     "adcq  %%rdx,%1     \n\t"                            \
+     "adcq  $0,%2        \n\t"                            \
+     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i) :"%rax","%rdx","%cc");
+
+#define SQRADD2(i, j)                                     \
+__asm__ (                                                     \
+     "movq  %6,%%rax     \n\t"                            \
+     "mulq  %7           \n\t"                            \
+     "addq  %%rax,%0     \n\t"                            \
+     "adcq  %%rdx,%1     \n\t"                            \
+     "adcq  $0,%2        \n\t"                            \
+     "addq  %%rax,%0     \n\t"                            \
+     "adcq  %%rdx,%1     \n\t"                            \
+     "adcq  $0,%2        \n\t"                            \
+     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i), "g"(j)  :"%rax","%rdx","%cc");
+
+#define SQRADDSC(i, j)                                    \
+__asm__ (                                                     \
+     "movq  %3,%%rax     \n\t"                            \
+     "mulq  %4           \n\t"                            \
+     "movq  %%rax,%0     \n\t"                            \
+     "movq  %%rdx,%1     \n\t"                            \
+     "xorq  %2,%2        \n\t"                            \
+     :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%rax","%rdx","%cc");
+
+#define SQRADDAC(i, j)                                                         \
+__asm__ (                                                     \
+     "movq  %6,%%rax     \n\t"                            \
+     "mulq  %7           \n\t"                            \
+     "addq  %%rax,%0     \n\t"                            \
+     "adcq  %%rdx,%1     \n\t"                            \
+     "adcq  $0,%2        \n\t"                            \
+     :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%rax","%rdx","%cc");
+
+#define SQRADDDB                                                               \
+__asm__ (                                                     \
+     "addq %6,%0         \n\t"                            \
+     "adcq %7,%1         \n\t"                            \
+     "adcq %8,%2         \n\t"                            \
+     "addq %6,%0         \n\t"                            \
+     "adcq %7,%1         \n\t"                            \
+     "adcq %8,%2         \n\t"                            \
+     :"=&r"(c0), "=&r"(c1), "=&r"(c2) : "0"(c0), "1"(c1), "2"(c2), "r"(sc0), "r"(sc1), "r"(sc2) : "%cc");
+
+
+
+
+
+void s_mp_mul_comba_4(const mp_int *A, const mp_int *B, mp_int *C)
+{
+   mp_digit c0, c1, c2, at[8];
+
+   memcpy(at, A->dp, 4 * sizeof(mp_digit));
+   memcpy(at+4, B->dp, 4 * sizeof(mp_digit));
+   COMBA_START;
+   
+   COMBA_CLEAR;
+   /* 0 */
+   MULADD(at[0], at[4]); 
+   COMBA_STORE(C->dp[0]);
+   /* 1 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[5]);       MULADD(at[1], at[4]); 
+   COMBA_STORE(C->dp[1]);
+   /* 2 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[6]);       MULADD(at[1], at[5]);       MULADD(at[2], at[4]); 
+   COMBA_STORE(C->dp[2]);
+   /* 3 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[7]);       MULADD(at[1], at[6]);       MULADD(at[2], at[5]);       MULADD(at[3], at[4]); 
+   COMBA_STORE(C->dp[3]);
+   /* 4 */
+   COMBA_FORWARD;
+   MULADD(at[1], at[7]);       MULADD(at[2], at[6]);       MULADD(at[3], at[5]); 
+   COMBA_STORE(C->dp[4]);
+   /* 5 */
+   COMBA_FORWARD;
+   MULADD(at[2], at[7]);       MULADD(at[3], at[6]); 
+   COMBA_STORE(C->dp[5]);
+   /* 6 */
+   COMBA_FORWARD;
+   MULADD(at[3], at[7]); 
+   COMBA_STORE(C->dp[6]);
+   COMBA_STORE2(C->dp[7]);
+   C->used = 8;
+   C->sign = A->sign ^ B->sign;
+   mp_clamp(C);
+   COMBA_FINI;
+}
+
+void s_mp_mul_comba_8(const mp_int *A, const mp_int *B, mp_int *C)
+{
+   mp_digit c0, c1, c2, at[16];
+
+   memcpy(at, A->dp, 8 * sizeof(mp_digit));
+   memcpy(at+8, B->dp, 8 * sizeof(mp_digit));
+   COMBA_START;
+
+   COMBA_CLEAR;
+   /* 0 */
+   MULADD(at[0], at[8]); 
+   COMBA_STORE(C->dp[0]);
+   /* 1 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[9]);       MULADD(at[1], at[8]); 
+   COMBA_STORE(C->dp[1]);
+   /* 2 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[10]);       MULADD(at[1], at[9]);       MULADD(at[2], at[8]); 
+   COMBA_STORE(C->dp[2]);
+   /* 3 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[11]);       MULADD(at[1], at[10]);       MULADD(at[2], at[9]);       MULADD(at[3], at[8]); 
+   COMBA_STORE(C->dp[3]);
+   /* 4 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[12]);       MULADD(at[1], at[11]);       MULADD(at[2], at[10]);       MULADD(at[3], at[9]);       MULADD(at[4], at[8]); 
+   COMBA_STORE(C->dp[4]);
+   /* 5 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[13]);       MULADD(at[1], at[12]);       MULADD(at[2], at[11]);       MULADD(at[3], at[10]);       MULADD(at[4], at[9]);       MULADD(at[5], at[8]); 
+   COMBA_STORE(C->dp[5]);
+   /* 6 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[14]);       MULADD(at[1], at[13]);       MULADD(at[2], at[12]);       MULADD(at[3], at[11]);       MULADD(at[4], at[10]);       MULADD(at[5], at[9]);       MULADD(at[6], at[8]); 
+   COMBA_STORE(C->dp[6]);
+   /* 7 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[15]);       MULADD(at[1], at[14]);       MULADD(at[2], at[13]);       MULADD(at[3], at[12]);       MULADD(at[4], at[11]);       MULADD(at[5], at[10]);       MULADD(at[6], at[9]);       MULADD(at[7], at[8]); 
+   COMBA_STORE(C->dp[7]);
+   /* 8 */
+   COMBA_FORWARD;
+   MULADD(at[1], at[15]);       MULADD(at[2], at[14]);       MULADD(at[3], at[13]);       MULADD(at[4], at[12]);       MULADD(at[5], at[11]);       MULADD(at[6], at[10]);       MULADD(at[7], at[9]); 
+   COMBA_STORE(C->dp[8]);
+   /* 9 */
+   COMBA_FORWARD;
+   MULADD(at[2], at[15]);       MULADD(at[3], at[14]);       MULADD(at[4], at[13]);       MULADD(at[5], at[12]);       MULADD(at[6], at[11]);       MULADD(at[7], at[10]); 
+   COMBA_STORE(C->dp[9]);
+   /* 10 */
+   COMBA_FORWARD;
+   MULADD(at[3], at[15]);       MULADD(at[4], at[14]);       MULADD(at[5], at[13]);       MULADD(at[6], at[12]);       MULADD(at[7], at[11]); 
+   COMBA_STORE(C->dp[10]);
+   /* 11 */
+   COMBA_FORWARD;
+   MULADD(at[4], at[15]);       MULADD(at[5], at[14]);       MULADD(at[6], at[13]);       MULADD(at[7], at[12]); 
+   COMBA_STORE(C->dp[11]);
+   /* 12 */
+   COMBA_FORWARD;
+   MULADD(at[5], at[15]);       MULADD(at[6], at[14]);       MULADD(at[7], at[13]); 
+   COMBA_STORE(C->dp[12]);
+   /* 13 */
+   COMBA_FORWARD;
+   MULADD(at[6], at[15]);       MULADD(at[7], at[14]); 
+   COMBA_STORE(C->dp[13]);
+   /* 14 */
+   COMBA_FORWARD;
+   MULADD(at[7], at[15]); 
+   COMBA_STORE(C->dp[14]);
+   COMBA_STORE2(C->dp[15]);
+   C->used = 16;
+   C->sign = A->sign ^ B->sign;
+   mp_clamp(C);
+   COMBA_FINI;
+}
+
+void s_mp_mul_comba_16(const mp_int *A, const mp_int *B, mp_int *C)
+{
+   mp_digit c0, c1, c2, at[32];
+
+   memcpy(at, A->dp, 16 * sizeof(mp_digit));
+   memcpy(at+16, B->dp, 16 * sizeof(mp_digit));
+   COMBA_START;
+
+   COMBA_CLEAR;
+   /* 0 */
+   MULADD(at[0], at[16]); 
+   COMBA_STORE(C->dp[0]);
+   /* 1 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[17]);       MULADD(at[1], at[16]); 
+   COMBA_STORE(C->dp[1]);
+   /* 2 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[18]);       MULADD(at[1], at[17]);       MULADD(at[2], at[16]); 
+   COMBA_STORE(C->dp[2]);
+   /* 3 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[19]);       MULADD(at[1], at[18]);       MULADD(at[2], at[17]);       MULADD(at[3], at[16]); 
+   COMBA_STORE(C->dp[3]);
+   /* 4 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[20]);       MULADD(at[1], at[19]);       MULADD(at[2], at[18]);       MULADD(at[3], at[17]);       MULADD(at[4], at[16]); 
+   COMBA_STORE(C->dp[4]);
+   /* 5 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[21]);       MULADD(at[1], at[20]);       MULADD(at[2], at[19]);       MULADD(at[3], at[18]);       MULADD(at[4], at[17]);       MULADD(at[5], at[16]); 
+   COMBA_STORE(C->dp[5]);
+   /* 6 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[22]);       MULADD(at[1], at[21]);       MULADD(at[2], at[20]);       MULADD(at[3], at[19]);       MULADD(at[4], at[18]);       MULADD(at[5], at[17]);       MULADD(at[6], at[16]); 
+   COMBA_STORE(C->dp[6]);
+   /* 7 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[23]);       MULADD(at[1], at[22]);       MULADD(at[2], at[21]);       MULADD(at[3], at[20]);       MULADD(at[4], at[19]);       MULADD(at[5], at[18]);       MULADD(at[6], at[17]);       MULADD(at[7], at[16]); 
+   COMBA_STORE(C->dp[7]);
+   /* 8 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[24]);       MULADD(at[1], at[23]);       MULADD(at[2], at[22]);       MULADD(at[3], at[21]);       MULADD(at[4], at[20]);       MULADD(at[5], at[19]);       MULADD(at[6], at[18]);       MULADD(at[7], at[17]);       MULADD(at[8], at[16]); 
+   COMBA_STORE(C->dp[8]);
+   /* 9 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[25]);       MULADD(at[1], at[24]);       MULADD(at[2], at[23]);       MULADD(at[3], at[22]);       MULADD(at[4], at[21]);       MULADD(at[5], at[20]);       MULADD(at[6], at[19]);       MULADD(at[7], at[18]);       MULADD(at[8], at[17]);       MULADD(at[9], at[16]); 
+   COMBA_STORE(C->dp[9]);
+   /* 10 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[26]);       MULADD(at[1], at[25]);       MULADD(at[2], at[24]);       MULADD(at[3], at[23]);       MULADD(at[4], at[22]);       MULADD(at[5], at[21]);       MULADD(at[6], at[20]);       MULADD(at[7], at[19]);       MULADD(at[8], at[18]);       MULADD(at[9], at[17]);       MULADD(at[10], at[16]); 
+   COMBA_STORE(C->dp[10]);
+   /* 11 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[27]);       MULADD(at[1], at[26]);       MULADD(at[2], at[25]);       MULADD(at[3], at[24]);       MULADD(at[4], at[23]);       MULADD(at[5], at[22]);       MULADD(at[6], at[21]);       MULADD(at[7], at[20]);       MULADD(at[8], at[19]);       MULADD(at[9], at[18]);       MULADD(at[10], at[17]);       MULADD(at[11], at[16]); 
+   COMBA_STORE(C->dp[11]);
+   /* 12 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[28]);       MULADD(at[1], at[27]);       MULADD(at[2], at[26]);       MULADD(at[3], at[25]);       MULADD(at[4], at[24]);       MULADD(at[5], at[23]);       MULADD(at[6], at[22]);       MULADD(at[7], at[21]);       MULADD(at[8], at[20]);       MULADD(at[9], at[19]);       MULADD(at[10], at[18]);       MULADD(at[11], at[17]);       MULADD(at[12], at[16]); 
+   COMBA_STORE(C->dp[12]);
+   /* 13 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[29]);       MULADD(at[1], at[28]);       MULADD(at[2], at[27]);       MULADD(at[3], at[26]);       MULADD(at[4], at[25]);       MULADD(at[5], at[24]);       MULADD(at[6], at[23]);       MULADD(at[7], at[22]);       MULADD(at[8], at[21]);       MULADD(at[9], at[20]);       MULADD(at[10], at[19]);       MULADD(at[11], at[18]);       MULADD(at[12], at[17]);       MULADD(at[13], at[16]); 
+   COMBA_STORE(C->dp[13]);
+   /* 14 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[30]);       MULADD(at[1], at[29]);       MULADD(at[2], at[28]);       MULADD(at[3], at[27]);       MULADD(at[4], at[26]);       MULADD(at[5], at[25]);       MULADD(at[6], at[24]);       MULADD(at[7], at[23]);       MULADD(at[8], at[22]);       MULADD(at[9], at[21]);       MULADD(at[10], at[20]);       MULADD(at[11], at[19]);       MULADD(at[12], at[18]);       MULADD(at[13], at[17]);       MULADD(at[14], at[16]); 
+   COMBA_STORE(C->dp[14]);
+   /* 15 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[31]);       MULADD(at[1], at[30]);       MULADD(at[2], at[29]);       MULADD(at[3], at[28]);       MULADD(at[4], at[27]);       MULADD(at[5], at[26]);       MULADD(at[6], at[25]);       MULADD(at[7], at[24]);       MULADD(at[8], at[23]);       MULADD(at[9], at[22]);       MULADD(at[10], at[21]);       MULADD(at[11], at[20]);       MULADD(at[12], at[19]);       MULADD(at[13], at[18]);       MULADD(at[14], at[17]);       MULADD(at[15], at[16]); 
+   COMBA_STORE(C->dp[15]);
+   /* 16 */
+   COMBA_FORWARD;
+   MULADD(at[1], at[31]);       MULADD(at[2], at[30]);       MULADD(at[3], at[29]);       MULADD(at[4], at[28]);       MULADD(at[5], at[27]);       MULADD(at[6], at[26]);       MULADD(at[7], at[25]);       MULADD(at[8], at[24]);       MULADD(at[9], at[23]);       MULADD(at[10], at[22]);       MULADD(at[11], at[21]);       MULADD(at[12], at[20]);       MULADD(at[13], at[19]);       MULADD(at[14], at[18]);       MULADD(at[15], at[17]); 
+   COMBA_STORE(C->dp[16]);
+   /* 17 */
+   COMBA_FORWARD;
+   MULADD(at[2], at[31]);       MULADD(at[3], at[30]);       MULADD(at[4], at[29]);       MULADD(at[5], at[28]);       MULADD(at[6], at[27]);       MULADD(at[7], at[26]);       MULADD(at[8], at[25]);       MULADD(at[9], at[24]);       MULADD(at[10], at[23]);       MULADD(at[11], at[22]);       MULADD(at[12], at[21]);       MULADD(at[13], at[20]);       MULADD(at[14], at[19]);       MULADD(at[15], at[18]); 
+   COMBA_STORE(C->dp[17]);
+   /* 18 */
+   COMBA_FORWARD;
+   MULADD(at[3], at[31]);       MULADD(at[4], at[30]);       MULADD(at[5], at[29]);       MULADD(at[6], at[28]);       MULADD(at[7], at[27]);       MULADD(at[8], at[26]);       MULADD(at[9], at[25]);       MULADD(at[10], at[24]);       MULADD(at[11], at[23]);       MULADD(at[12], at[22]);       MULADD(at[13], at[21]);       MULADD(at[14], at[20]);       MULADD(at[15], at[19]); 
+   COMBA_STORE(C->dp[18]);
+   /* 19 */
+   COMBA_FORWARD;
+   MULADD(at[4], at[31]);       MULADD(at[5], at[30]);       MULADD(at[6], at[29]);       MULADD(at[7], at[28]);       MULADD(at[8], at[27]);       MULADD(at[9], at[26]);       MULADD(at[10], at[25]);       MULADD(at[11], at[24]);       MULADD(at[12], at[23]);       MULADD(at[13], at[22]);       MULADD(at[14], at[21]);       MULADD(at[15], at[20]); 
+   COMBA_STORE(C->dp[19]);
+   /* 20 */
+   COMBA_FORWARD;
+   MULADD(at[5], at[31]);       MULADD(at[6], at[30]);       MULADD(at[7], at[29]);       MULADD(at[8], at[28]);       MULADD(at[9], at[27]);       MULADD(at[10], at[26]);       MULADD(at[11], at[25]);       MULADD(at[12], at[24]);       MULADD(at[13], at[23]);       MULADD(at[14], at[22]);       MULADD(at[15], at[21]); 
+   COMBA_STORE(C->dp[20]);
+   /* 21 */
+   COMBA_FORWARD;
+   MULADD(at[6], at[31]);       MULADD(at[7], at[30]);       MULADD(at[8], at[29]);       MULADD(at[9], at[28]);       MULADD(at[10], at[27]);       MULADD(at[11], at[26]);       MULADD(at[12], at[25]);       MULADD(at[13], at[24]);       MULADD(at[14], at[23]);       MULADD(at[15], at[22]); 
+   COMBA_STORE(C->dp[21]);
+   /* 22 */
+   COMBA_FORWARD;
+   MULADD(at[7], at[31]);       MULADD(at[8], at[30]);       MULADD(at[9], at[29]);       MULADD(at[10], at[28]);       MULADD(at[11], at[27]);       MULADD(at[12], at[26]);       MULADD(at[13], at[25]);       MULADD(at[14], at[24]);       MULADD(at[15], at[23]); 
+   COMBA_STORE(C->dp[22]);
+   /* 23 */
+   COMBA_FORWARD;
+   MULADD(at[8], at[31]);       MULADD(at[9], at[30]);       MULADD(at[10], at[29]);       MULADD(at[11], at[28]);       MULADD(at[12], at[27]);       MULADD(at[13], at[26]);       MULADD(at[14], at[25]);       MULADD(at[15], at[24]); 
+   COMBA_STORE(C->dp[23]);
+   /* 24 */
+   COMBA_FORWARD;
+   MULADD(at[9], at[31]);       MULADD(at[10], at[30]);       MULADD(at[11], at[29]);       MULADD(at[12], at[28]);       MULADD(at[13], at[27]);       MULADD(at[14], at[26]);       MULADD(at[15], at[25]); 
+   COMBA_STORE(C->dp[24]);
+   /* 25 */
+   COMBA_FORWARD;
+   MULADD(at[10], at[31]);       MULADD(at[11], at[30]);       MULADD(at[12], at[29]);       MULADD(at[13], at[28]);       MULADD(at[14], at[27]);       MULADD(at[15], at[26]); 
+   COMBA_STORE(C->dp[25]);
+   /* 26 */
+   COMBA_FORWARD;
+   MULADD(at[11], at[31]);       MULADD(at[12], at[30]);       MULADD(at[13], at[29]);       MULADD(at[14], at[28]);       MULADD(at[15], at[27]); 
+   COMBA_STORE(C->dp[26]);
+   /* 27 */
+   COMBA_FORWARD;
+   MULADD(at[12], at[31]);       MULADD(at[13], at[30]);       MULADD(at[14], at[29]);       MULADD(at[15], at[28]); 
+   COMBA_STORE(C->dp[27]);
+   /* 28 */
+   COMBA_FORWARD;
+   MULADD(at[13], at[31]);       MULADD(at[14], at[30]);       MULADD(at[15], at[29]); 
+   COMBA_STORE(C->dp[28]);
+   /* 29 */
+   COMBA_FORWARD;
+   MULADD(at[14], at[31]);       MULADD(at[15], at[30]); 
+   COMBA_STORE(C->dp[29]);
+   /* 30 */
+   COMBA_FORWARD;
+   MULADD(at[15], at[31]); 
+   COMBA_STORE(C->dp[30]);
+   COMBA_STORE2(C->dp[31]);
+   C->used = 32;
+   C->sign = A->sign ^ B->sign;
+   mp_clamp(C);
+   COMBA_FINI;
+}
+
+void s_mp_mul_comba_32(const mp_int *A, const mp_int *B, mp_int *C)
+{
+   mp_digit c0, c1, c2, at[64];
+
+   memcpy(at, A->dp, 32 * sizeof(mp_digit));
+   memcpy(at+32, B->dp, 32 * sizeof(mp_digit));
+   COMBA_START;
+
+   COMBA_CLEAR;
+   /* 0 */
+   MULADD(at[0], at[32]); 
+   COMBA_STORE(C->dp[0]);
+   /* 1 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[33]);    MULADD(at[1], at[32]); 
+   COMBA_STORE(C->dp[1]);
+   /* 2 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[34]);    MULADD(at[1], at[33]);    MULADD(at[2], at[32]); 
+   COMBA_STORE(C->dp[2]);
+   /* 3 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[35]);    MULADD(at[1], at[34]);    MULADD(at[2], at[33]);    MULADD(at[3], at[32]); 
+   COMBA_STORE(C->dp[3]);
+   /* 4 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[36]);    MULADD(at[1], at[35]);    MULADD(at[2], at[34]);    MULADD(at[3], at[33]);    MULADD(at[4], at[32]); 
+   COMBA_STORE(C->dp[4]);
+   /* 5 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[37]);    MULADD(at[1], at[36]);    MULADD(at[2], at[35]);    MULADD(at[3], at[34]);    MULADD(at[4], at[33]);    MULADD(at[5], at[32]); 
+   COMBA_STORE(C->dp[5]);
+   /* 6 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[38]);    MULADD(at[1], at[37]);    MULADD(at[2], at[36]);    MULADD(at[3], at[35]);    MULADD(at[4], at[34]);    MULADD(at[5], at[33]);    MULADD(at[6], at[32]); 
+   COMBA_STORE(C->dp[6]);
+   /* 7 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[39]);    MULADD(at[1], at[38]);    MULADD(at[2], at[37]);    MULADD(at[3], at[36]);    MULADD(at[4], at[35]);    MULADD(at[5], at[34]);    MULADD(at[6], at[33]);    MULADD(at[7], at[32]); 
+   COMBA_STORE(C->dp[7]);
+   /* 8 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[40]);    MULADD(at[1], at[39]);    MULADD(at[2], at[38]);    MULADD(at[3], at[37]);    MULADD(at[4], at[36]);    MULADD(at[5], at[35]);    MULADD(at[6], at[34]);    MULADD(at[7], at[33]);    MULADD(at[8], at[32]); 
+   COMBA_STORE(C->dp[8]);
+   /* 9 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[41]);    MULADD(at[1], at[40]);    MULADD(at[2], at[39]);    MULADD(at[3], at[38]);    MULADD(at[4], at[37]);    MULADD(at[5], at[36]);    MULADD(at[6], at[35]);    MULADD(at[7], at[34]);    MULADD(at[8], at[33]);    MULADD(at[9], at[32]); 
+   COMBA_STORE(C->dp[9]);
+   /* 10 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[42]);    MULADD(at[1], at[41]);    MULADD(at[2], at[40]);    MULADD(at[3], at[39]);    MULADD(at[4], at[38]);    MULADD(at[5], at[37]);    MULADD(at[6], at[36]);    MULADD(at[7], at[35]);    MULADD(at[8], at[34]);    MULADD(at[9], at[33]);    MULADD(at[10], at[32]); 
+   COMBA_STORE(C->dp[10]);
+   /* 11 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[43]);    MULADD(at[1], at[42]);    MULADD(at[2], at[41]);    MULADD(at[3], at[40]);    MULADD(at[4], at[39]);    MULADD(at[5], at[38]);    MULADD(at[6], at[37]);    MULADD(at[7], at[36]);    MULADD(at[8], at[35]);    MULADD(at[9], at[34]);    MULADD(at[10], at[33]);    MULADD(at[11], at[32]); 
+   COMBA_STORE(C->dp[11]);
+   /* 12 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[44]);    MULADD(at[1], at[43]);    MULADD(at[2], at[42]);    MULADD(at[3], at[41]);    MULADD(at[4], at[40]);    MULADD(at[5], at[39]);    MULADD(at[6], at[38]);    MULADD(at[7], at[37]);    MULADD(at[8], at[36]);    MULADD(at[9], at[35]);    MULADD(at[10], at[34]);    MULADD(at[11], at[33]);    MULADD(at[12], at[32]); 
+   COMBA_STORE(C->dp[12]);
+   /* 13 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[45]);    MULADD(at[1], at[44]);    MULADD(at[2], at[43]);    MULADD(at[3], at[42]);    MULADD(at[4], at[41]);    MULADD(at[5], at[40]);    MULADD(at[6], at[39]);    MULADD(at[7], at[38]);    MULADD(at[8], at[37]);    MULADD(at[9], at[36]);    MULADD(at[10], at[35]);    MULADD(at[11], at[34]);    MULADD(at[12], at[33]);    MULADD(at[13], at[32]); 
+   COMBA_STORE(C->dp[13]);
+   /* 14 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[46]);    MULADD(at[1], at[45]);    MULADD(at[2], at[44]);    MULADD(at[3], at[43]);    MULADD(at[4], at[42]);    MULADD(at[5], at[41]);    MULADD(at[6], at[40]);    MULADD(at[7], at[39]);    MULADD(at[8], at[38]);    MULADD(at[9], at[37]);    MULADD(at[10], at[36]);    MULADD(at[11], at[35]);    MULADD(at[12], at[34]);    MULADD(at[13], at[33]);    MULADD(at[14], at[32]); 
+   COMBA_STORE(C->dp[14]);
+   /* 15 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[47]);    MULADD(at[1], at[46]);    MULADD(at[2], at[45]);    MULADD(at[3], at[44]);    MULADD(at[4], at[43]);    MULADD(at[5], at[42]);    MULADD(at[6], at[41]);    MULADD(at[7], at[40]);    MULADD(at[8], at[39]);    MULADD(at[9], at[38]);    MULADD(at[10], at[37]);    MULADD(at[11], at[36]);    MULADD(at[12], at[35]);    MULADD(at[13], at[34]);    MULADD(at[14], at[33]);    MULADD(at[15], at[32]); 
+   COMBA_STORE(C->dp[15]);
+   /* 16 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[48]);    MULADD(at[1], at[47]);    MULADD(at[2], at[46]);    MULADD(at[3], at[45]);    MULADD(at[4], at[44]);    MULADD(at[5], at[43]);    MULADD(at[6], at[42]);    MULADD(at[7], at[41]);    MULADD(at[8], at[40]);    MULADD(at[9], at[39]);    MULADD(at[10], at[38]);    MULADD(at[11], at[37]);    MULADD(at[12], at[36]);    MULADD(at[13], at[35]);    MULADD(at[14], at[34]);    MULADD(at[15], at[33]);    MULADD(at[16], at[32]); 
+   COMBA_STORE(C->dp[16]);
+   /* 17 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[49]);    MULADD(at[1], at[48]);    MULADD(at[2], at[47]);    MULADD(at[3], at[46]);    MULADD(at[4], at[45]);    MULADD(at[5], at[44]);    MULADD(at[6], at[43]);    MULADD(at[7], at[42]);    MULADD(at[8], at[41]);    MULADD(at[9], at[40]);    MULADD(at[10], at[39]);    MULADD(at[11], at[38]);    MULADD(at[12], at[37]);    MULADD(at[13], at[36]);    MULADD(at[14], at[35]);    MULADD(at[15], at[34]);    MULADD(at[16], at[33]);    MULADD(at[17], at[32]); 
+   COMBA_STORE(C->dp[17]);
+   /* 18 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[50]);    MULADD(at[1], at[49]);    MULADD(at[2], at[48]);    MULADD(at[3], at[47]);    MULADD(at[4], at[46]);    MULADD(at[5], at[45]);    MULADD(at[6], at[44]);    MULADD(at[7], at[43]);    MULADD(at[8], at[42]);    MULADD(at[9], at[41]);    MULADD(at[10], at[40]);    MULADD(at[11], at[39]);    MULADD(at[12], at[38]);    MULADD(at[13], at[37]);    MULADD(at[14], at[36]);    MULADD(at[15], at[35]);    MULADD(at[16], at[34]);    MULADD(at[17], at[33]);    MULADD(at[18], at[32]); 
+   COMBA_STORE(C->dp[18]);
+   /* 19 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[51]);    MULADD(at[1], at[50]);    MULADD(at[2], at[49]);    MULADD(at[3], at[48]);    MULADD(at[4], at[47]);    MULADD(at[5], at[46]);    MULADD(at[6], at[45]);    MULADD(at[7], at[44]);    MULADD(at[8], at[43]);    MULADD(at[9], at[42]);    MULADD(at[10], at[41]);    MULADD(at[11], at[40]);    MULADD(at[12], at[39]);    MULADD(at[13], at[38]);    MULADD(at[14], at[37]);    MULADD(at[15], at[36]);    MULADD(at[16], at[35]);    MULADD(at[17], at[34]);    MULADD(at[18], at[33]);    MULADD(at[19], at[32]); 
+   COMBA_STORE(C->dp[19]);
+   /* 20 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[52]);    MULADD(at[1], at[51]);    MULADD(at[2], at[50]);    MULADD(at[3], at[49]);    MULADD(at[4], at[48]);    MULADD(at[5], at[47]);    MULADD(at[6], at[46]);    MULADD(at[7], at[45]);    MULADD(at[8], at[44]);    MULADD(at[9], at[43]);    MULADD(at[10], at[42]);    MULADD(at[11], at[41]);    MULADD(at[12], at[40]);    MULADD(at[13], at[39]);    MULADD(at[14], at[38]);    MULADD(at[15], at[37]);    MULADD(at[16], at[36]);    MULADD(at[17], at[35]);    MULADD(at[18], at[34]);    MULADD(at[19], at[33]);    MULADD(at[20], at[32]); 
+   COMBA_STORE(C->dp[20]);
+   /* 21 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[53]);    MULADD(at[1], at[52]);    MULADD(at[2], at[51]);    MULADD(at[3], at[50]);    MULADD(at[4], at[49]);    MULADD(at[5], at[48]);    MULADD(at[6], at[47]);    MULADD(at[7], at[46]);    MULADD(at[8], at[45]);    MULADD(at[9], at[44]);    MULADD(at[10], at[43]);    MULADD(at[11], at[42]);    MULADD(at[12], at[41]);    MULADD(at[13], at[40]);    MULADD(at[14], at[39]);    MULADD(at[15], at[38]);    MULADD(at[16], at[37]);    MULADD(at[17], at[36]);    MULADD(at[18], at[35]);    MULADD(at[19], at[34]);    MULADD(at[20], at[33]);    MULADD(at[21], at[32]); 
+   COMBA_STORE(C->dp[21]);
+   /* 22 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[54]);    MULADD(at[1], at[53]);    MULADD(at[2], at[52]);    MULADD(at[3], at[51]);    MULADD(at[4], at[50]);    MULADD(at[5], at[49]);    MULADD(at[6], at[48]);    MULADD(at[7], at[47]);    MULADD(at[8], at[46]);    MULADD(at[9], at[45]);    MULADD(at[10], at[44]);    MULADD(at[11], at[43]);    MULADD(at[12], at[42]);    MULADD(at[13], at[41]);    MULADD(at[14], at[40]);    MULADD(at[15], at[39]);    MULADD(at[16], at[38]);    MULADD(at[17], at[37]);    MULADD(at[18], at[36]);    MULADD(at[19], at[35]);    MULADD(at[20], at[34]);    MULADD(at[21], at[33]);    MULADD(at[22], at[32]); 
+   COMBA_STORE(C->dp[22]);
+   /* 23 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[55]);    MULADD(at[1], at[54]);    MULADD(at[2], at[53]);    MULADD(at[3], at[52]);    MULADD(at[4], at[51]);    MULADD(at[5], at[50]);    MULADD(at[6], at[49]);    MULADD(at[7], at[48]);    MULADD(at[8], at[47]);    MULADD(at[9], at[46]);    MULADD(at[10], at[45]);    MULADD(at[11], at[44]);    MULADD(at[12], at[43]);    MULADD(at[13], at[42]);    MULADD(at[14], at[41]);    MULADD(at[15], at[40]);    MULADD(at[16], at[39]);    MULADD(at[17], at[38]);    MULADD(at[18], at[37]);    MULADD(at[19], at[36]);    MULADD(at[20], at[35]);    MULADD(at[21], at[34]);    MULADD(at[22], at[33]);    MULADD(at[23], at[32]); 
+   COMBA_STORE(C->dp[23]);
+   /* 24 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[56]);    MULADD(at[1], at[55]);    MULADD(at[2], at[54]);    MULADD(at[3], at[53]);    MULADD(at[4], at[52]);    MULADD(at[5], at[51]);    MULADD(at[6], at[50]);    MULADD(at[7], at[49]);    MULADD(at[8], at[48]);    MULADD(at[9], at[47]);    MULADD(at[10], at[46]);    MULADD(at[11], at[45]);    MULADD(at[12], at[44]);    MULADD(at[13], at[43]);    MULADD(at[14], at[42]);    MULADD(at[15], at[41]);    MULADD(at[16], at[40]);    MULADD(at[17], at[39]);    MULADD(at[18], at[38]);    MULADD(at[19], at[37]);    MULADD(at[20], at[36]);    MULADD(at[21], at[35]);    MULADD(at[22], at[34]);    MULADD(at[23], at[33]);    MULADD(at[24], at[32]); 
+   COMBA_STORE(C->dp[24]);
+   /* 25 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[57]);    MULADD(at[1], at[56]);    MULADD(at[2], at[55]);    MULADD(at[3], at[54]);    MULADD(at[4], at[53]);    MULADD(at[5], at[52]);    MULADD(at[6], at[51]);    MULADD(at[7], at[50]);    MULADD(at[8], at[49]);    MULADD(at[9], at[48]);    MULADD(at[10], at[47]);    MULADD(at[11], at[46]);    MULADD(at[12], at[45]);    MULADD(at[13], at[44]);    MULADD(at[14], at[43]);    MULADD(at[15], at[42]);    MULADD(at[16], at[41]);    MULADD(at[17], at[40]);    MULADD(at[18], at[39]);    MULADD(at[19], at[38]);    MULADD(at[20], at[37]);    MULADD(at[21], at[36]);    MULADD(at[22], at[35]);    MULADD(at[23], at[34]);    MULADD(at[24], at[33]);    MULADD(at[25], at[32]); 
+   COMBA_STORE(C->dp[25]);
+   /* 26 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[58]);    MULADD(at[1], at[57]);    MULADD(at[2], at[56]);    MULADD(at[3], at[55]);    MULADD(at[4], at[54]);    MULADD(at[5], at[53]);    MULADD(at[6], at[52]);    MULADD(at[7], at[51]);    MULADD(at[8], at[50]);    MULADD(at[9], at[49]);    MULADD(at[10], at[48]);    MULADD(at[11], at[47]);    MULADD(at[12], at[46]);    MULADD(at[13], at[45]);    MULADD(at[14], at[44]);    MULADD(at[15], at[43]);    MULADD(at[16], at[42]);    MULADD(at[17], at[41]);    MULADD(at[18], at[40]);    MULADD(at[19], at[39]);    MULADD(at[20], at[38]);    MULADD(at[21], at[37]);    MULADD(at[22], at[36]);    MULADD(at[23], at[35]);    MULADD(at[24], at[34]);    MULADD(at[25], at[33]);    MULADD(at[26], at[32]); 
+   COMBA_STORE(C->dp[26]);
+   /* 27 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[59]);    MULADD(at[1], at[58]);    MULADD(at[2], at[57]);    MULADD(at[3], at[56]);    MULADD(at[4], at[55]);    MULADD(at[5], at[54]);    MULADD(at[6], at[53]);    MULADD(at[7], at[52]);    MULADD(at[8], at[51]);    MULADD(at[9], at[50]);    MULADD(at[10], at[49]);    MULADD(at[11], at[48]);    MULADD(at[12], at[47]);    MULADD(at[13], at[46]);    MULADD(at[14], at[45]);    MULADD(at[15], at[44]);    MULADD(at[16], at[43]);    MULADD(at[17], at[42]);    MULADD(at[18], at[41]);    MULADD(at[19], at[40]);    MULADD(at[20], at[39]);    MULADD(at[21], at[38]);    MULADD(at[22], at[37]);    MULADD(at[23], at[36]);    MULADD(at[24], at[35]);    MULADD(at[25], at[34]);    MULADD(at[26], at[33]);    MULADD(at[27], at[32]); 
+   COMBA_STORE(C->dp[27]);
+   /* 28 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[60]);    MULADD(at[1], at[59]);    MULADD(at[2], at[58]);    MULADD(at[3], at[57]);    MULADD(at[4], at[56]);    MULADD(at[5], at[55]);    MULADD(at[6], at[54]);    MULADD(at[7], at[53]);    MULADD(at[8], at[52]);    MULADD(at[9], at[51]);    MULADD(at[10], at[50]);    MULADD(at[11], at[49]);    MULADD(at[12], at[48]);    MULADD(at[13], at[47]);    MULADD(at[14], at[46]);    MULADD(at[15], at[45]);    MULADD(at[16], at[44]);    MULADD(at[17], at[43]);    MULADD(at[18], at[42]);    MULADD(at[19], at[41]);    MULADD(at[20], at[40]);    MULADD(at[21], at[39]);    MULADD(at[22], at[38]);    MULADD(at[23], at[37]);    MULADD(at[24], at[36]);    MULADD(at[25], at[35]);    MULADD(at[26], at[34]);    MULADD(at[27], at[33]);    MULADD(at[28], at[32]); 
+   COMBA_STORE(C->dp[28]);
+   /* 29 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[61]);    MULADD(at[1], at[60]);    MULADD(at[2], at[59]);    MULADD(at[3], at[58]);    MULADD(at[4], at[57]);    MULADD(at[5], at[56]);    MULADD(at[6], at[55]);    MULADD(at[7], at[54]);    MULADD(at[8], at[53]);    MULADD(at[9], at[52]);    MULADD(at[10], at[51]);    MULADD(at[11], at[50]);    MULADD(at[12], at[49]);    MULADD(at[13], at[48]);    MULADD(at[14], at[47]);    MULADD(at[15], at[46]);    MULADD(at[16], at[45]);    MULADD(at[17], at[44]);    MULADD(at[18], at[43]);    MULADD(at[19], at[42]);    MULADD(at[20], at[41]);    MULADD(at[21], at[40]);    MULADD(at[22], at[39]);    MULADD(at[23], at[38]);    MULADD(at[24], at[37]);    MULADD(at[25], at[36]);    MULADD(at[26], at[35]);    MULADD(at[27], at[34]);    MULADD(at[28], at[33]);    MULADD(at[29], at[32]); 
+   COMBA_STORE(C->dp[29]);
+   /* 30 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[62]);    MULADD(at[1], at[61]);    MULADD(at[2], at[60]);    MULADD(at[3], at[59]);    MULADD(at[4], at[58]);    MULADD(at[5], at[57]);    MULADD(at[6], at[56]);    MULADD(at[7], at[55]);    MULADD(at[8], at[54]);    MULADD(at[9], at[53]);    MULADD(at[10], at[52]);    MULADD(at[11], at[51]);    MULADD(at[12], at[50]);    MULADD(at[13], at[49]);    MULADD(at[14], at[48]);    MULADD(at[15], at[47]);    MULADD(at[16], at[46]);    MULADD(at[17], at[45]);    MULADD(at[18], at[44]);    MULADD(at[19], at[43]);    MULADD(at[20], at[42]);    MULADD(at[21], at[41]);    MULADD(at[22], at[40]);    MULADD(at[23], at[39]);    MULADD(at[24], at[38]);    MULADD(at[25], at[37]);    MULADD(at[26], at[36]);    MULADD(at[27], at[35]);    MULADD(at[28], at[34]);    MULADD(at[29], at[33]);    MULADD(at[30], at[32]); 
+   COMBA_STORE(C->dp[30]);
+   /* 31 */
+   COMBA_FORWARD;
+   MULADD(at[0], at[63]);    MULADD(at[1], at[62]);    MULADD(at[2], at[61]);    MULADD(at[3], at[60]);    MULADD(at[4], at[59]);    MULADD(at[5], at[58]);    MULADD(at[6], at[57]);    MULADD(at[7], at[56]);    MULADD(at[8], at[55]);    MULADD(at[9], at[54]);    MULADD(at[10], at[53]);    MULADD(at[11], at[52]);    MULADD(at[12], at[51]);    MULADD(at[13], at[50]);    MULADD(at[14], at[49]);    MULADD(at[15], at[48]);    MULADD(at[16], at[47]);    MULADD(at[17], at[46]);    MULADD(at[18], at[45]);    MULADD(at[19], at[44]);    MULADD(at[20], at[43]);    MULADD(at[21], at[42]);    MULADD(at[22], at[41]);    MULADD(at[23], at[40]);    MULADD(at[24], at[39]);    MULADD(at[25], at[38]);    MULADD(at[26], at[37]);    MULADD(at[27], at[36]);    MULADD(at[28], at[35]);    MULADD(at[29], at[34]);    MULADD(at[30], at[33]);    MULADD(at[31], at[32]); 
+   COMBA_STORE(C->dp[31]);
+   /* 32 */
+   COMBA_FORWARD;
+   MULADD(at[1], at[63]);    MULADD(at[2], at[62]);    MULADD(at[3], at[61]);    MULADD(at[4], at[60]);    MULADD(at[5], at[59]);    MULADD(at[6], at[58]);    MULADD(at[7], at[57]);    MULADD(at[8], at[56]);    MULADD(at[9], at[55]);    MULADD(at[10], at[54]);    MULADD(at[11], at[53]);    MULADD(at[12], at[52]);    MULADD(at[13], at[51]);    MULADD(at[14], at[50]);    MULADD(at[15], at[49]);    MULADD(at[16], at[48]);    MULADD(at[17], at[47]);    MULADD(at[18], at[46]);    MULADD(at[19], at[45]);    MULADD(at[20], at[44]);    MULADD(at[21], at[43]);    MULADD(at[22], at[42]);    MULADD(at[23], at[41]);    MULADD(at[24], at[40]);    MULADD(at[25], at[39]);    MULADD(at[26], at[38]);    MULADD(at[27], at[37]);    MULADD(at[28], at[36]);    MULADD(at[29], at[35]);    MULADD(at[30], at[34]);    MULADD(at[31], at[33]); 
+   COMBA_STORE(C->dp[32]);
+   /* 33 */
+   COMBA_FORWARD;
+   MULADD(at[2], at[63]);    MULADD(at[3], at[62]);    MULADD(at[4], at[61]);    MULADD(at[5], at[60]);    MULADD(at[6], at[59]);    MULADD(at[7], at[58]);    MULADD(at[8], at[57]);    MULADD(at[9], at[56]);    MULADD(at[10], at[55]);    MULADD(at[11], at[54]);    MULADD(at[12], at[53]);    MULADD(at[13], at[52]);    MULADD(at[14], at[51]);    MULADD(at[15], at[50]);    MULADD(at[16], at[49]);    MULADD(at[17], at[48]);    MULADD(at[18], at[47]);    MULADD(at[19], at[46]);    MULADD(at[20], at[45]);    MULADD(at[21], at[44]);    MULADD(at[22], at[43]);    MULADD(at[23], at[42]);    MULADD(at[24], at[41]);    MULADD(at[25], at[40]);    MULADD(at[26], at[39]);    MULADD(at[27], at[38]);    MULADD(at[28], at[37]);    MULADD(at[29], at[36]);    MULADD(at[30], at[35]);    MULADD(at[31], at[34]); 
+   COMBA_STORE(C->dp[33]);
+   /* 34 */
+   COMBA_FORWARD;
+   MULADD(at[3], at[63]);    MULADD(at[4], at[62]);    MULADD(at[5], at[61]);    MULADD(at[6], at[60]);    MULADD(at[7], at[59]);    MULADD(at[8], at[58]);    MULADD(at[9], at[57]);    MULADD(at[10], at[56]);    MULADD(at[11], at[55]);    MULADD(at[12], at[54]);    MULADD(at[13], at[53]);    MULADD(at[14], at[52]);    MULADD(at[15], at[51]);    MULADD(at[16], at[50]);    MULADD(at[17], at[49]);    MULADD(at[18], at[48]);    MULADD(at[19], at[47]);    MULADD(at[20], at[46]);    MULADD(at[21], at[45]);    MULADD(at[22], at[44]);    MULADD(at[23], at[43]);    MULADD(at[24], at[42]);    MULADD(at[25], at[41]);    MULADD(at[26], at[40]);    MULADD(at[27], at[39]);    MULADD(at[28], at[38]);    MULADD(at[29], at[37]);    MULADD(at[30], at[36]);    MULADD(at[31], at[35]); 
+   COMBA_STORE(C->dp[34]);
+   /* 35 */
+   COMBA_FORWARD;
+   MULADD(at[4], at[63]);    MULADD(at[5], at[62]);    MULADD(at[6], at[61]);    MULADD(at[7], at[60]);    MULADD(at[8], at[59]);    MULADD(at[9], at[58]);    MULADD(at[10], at[57]);    MULADD(at[11], at[56]);    MULADD(at[12], at[55]);    MULADD(at[13], at[54]);    MULADD(at[14], at[53]);    MULADD(at[15], at[52]);    MULADD(at[16], at[51]);    MULADD(at[17], at[50]);    MULADD(at[18], at[49]);    MULADD(at[19], at[48]);    MULADD(at[20], at[47]);    MULADD(at[21], at[46]);    MULADD(at[22], at[45]);    MULADD(at[23], at[44]);    MULADD(at[24], at[43]);    MULADD(at[25], at[42]);    MULADD(at[26], at[41]);    MULADD(at[27], at[40]);    MULADD(at[28], at[39]);    MULADD(at[29], at[38]);    MULADD(at[30], at[37]);    MULADD(at[31], at[36]); 
+   COMBA_STORE(C->dp[35]);
+   /* 36 */
+   COMBA_FORWARD;
+   MULADD(at[5], at[63]);    MULADD(at[6], at[62]);    MULADD(at[7], at[61]);    MULADD(at[8], at[60]);    MULADD(at[9], at[59]);    MULADD(at[10], at[58]);    MULADD(at[11], at[57]);    MULADD(at[12], at[56]);    MULADD(at[13], at[55]);    MULADD(at[14], at[54]);    MULADD(at[15], at[53]);    MULADD(at[16], at[52]);    MULADD(at[17], at[51]);    MULADD(at[18], at[50]);    MULADD(at[19], at[49]);    MULADD(at[20], at[48]);    MULADD(at[21], at[47]);    MULADD(at[22], at[46]);    MULADD(at[23], at[45]);    MULADD(at[24], at[44]);    MULADD(at[25], at[43]);    MULADD(at[26], at[42]);    MULADD(at[27], at[41]);    MULADD(at[28], at[40]);    MULADD(at[29], at[39]);    MULADD(at[30], at[38]);    MULADD(at[31], at[37]); 
+   COMBA_STORE(C->dp[36]);
+   /* 37 */
+   COMBA_FORWARD;
+   MULADD(at[6], at[63]);    MULADD(at[7], at[62]);    MULADD(at[8], at[61]);    MULADD(at[9], at[60]);    MULADD(at[10], at[59]);    MULADD(at[11], at[58]);    MULADD(at[12], at[57]);    MULADD(at[13], at[56]);    MULADD(at[14], at[55]);    MULADD(at[15], at[54]);    MULADD(at[16], at[53]);    MULADD(at[17], at[52]);    MULADD(at[18], at[51]);    MULADD(at[19], at[50]);    MULADD(at[20], at[49]);    MULADD(at[21], at[48]);    MULADD(at[22], at[47]);    MULADD(at[23], at[46]);    MULADD(at[24], at[45]);    MULADD(at[25], at[44]);    MULADD(at[26], at[43]);    MULADD(at[27], at[42]);    MULADD(at[28], at[41]);    MULADD(at[29], at[40]);    MULADD(at[30], at[39]);    MULADD(at[31], at[38]); 
+   COMBA_STORE(C->dp[37]);
+   /* 38 */
+   COMBA_FORWARD;
+   MULADD(at[7], at[63]);    MULADD(at[8], at[62]);    MULADD(at[9], at[61]);    MULADD(at[10], at[60]);    MULADD(at[11], at[59]);    MULADD(at[12], at[58]);    MULADD(at[13], at[57]);    MULADD(at[14], at[56]);    MULADD(at[15], at[55]);    MULADD(at[16], at[54]);    MULADD(at[17], at[53]);    MULADD(at[18], at[52]);    MULADD(at[19], at[51]);    MULADD(at[20], at[50]);    MULADD(at[21], at[49]);    MULADD(at[22], at[48]);    MULADD(at[23], at[47]);    MULADD(at[24], at[46]);    MULADD(at[25], at[45]);    MULADD(at[26], at[44]);    MULADD(at[27], at[43]);    MULADD(at[28], at[42]);    MULADD(at[29], at[41]);    MULADD(at[30], at[40]);    MULADD(at[31], at[39]); 
+   COMBA_STORE(C->dp[38]);
+   /* 39 */
+   COMBA_FORWARD;
+   MULADD(at[8], at[63]);    MULADD(at[9], at[62]);    MULADD(at[10], at[61]);    MULADD(at[11], at[60]);    MULADD(at[12], at[59]);    MULADD(at[13], at[58]);    MULADD(at[14], at[57]);    MULADD(at[15], at[56]);    MULADD(at[16], at[55]);    MULADD(at[17], at[54]);    MULADD(at[18], at[53]);    MULADD(at[19], at[52]);    MULADD(at[20], at[51]);    MULADD(at[21], at[50]);    MULADD(at[22], at[49]);    MULADD(at[23], at[48]);    MULADD(at[24], at[47]);    MULADD(at[25], at[46]);    MULADD(at[26], at[45]);    MULADD(at[27], at[44]);    MULADD(at[28], at[43]);    MULADD(at[29], at[42]);    MULADD(at[30], at[41]);    MULADD(at[31], at[40]); 
+   COMBA_STORE(C->dp[39]);
+   /* 40 */
+   COMBA_FORWARD;
+   MULADD(at[9], at[63]);    MULADD(at[10], at[62]);    MULADD(at[11], at[61]);    MULADD(at[12], at[60]);    MULADD(at[13], at[59]);    MULADD(at[14], at[58]);    MULADD(at[15], at[57]);    MULADD(at[16], at[56]);    MULADD(at[17], at[55]);    MULADD(at[18], at[54]);    MULADD(at[19], at[53]);    MULADD(at[20], at[52]);    MULADD(at[21], at[51]);    MULADD(at[22], at[50]);    MULADD(at[23], at[49]);    MULADD(at[24], at[48]);    MULADD(at[25], at[47]);    MULADD(at[26], at[46]);    MULADD(at[27], at[45]);    MULADD(at[28], at[44]);    MULADD(at[29], at[43]);    MULADD(at[30], at[42]);    MULADD(at[31], at[41]); 
+   COMBA_STORE(C->dp[40]);
+   /* 41 */
+   COMBA_FORWARD;
+   MULADD(at[10], at[63]);    MULADD(at[11], at[62]);    MULADD(at[12], at[61]);    MULADD(at[13], at[60]);    MULADD(at[14], at[59]);    MULADD(at[15], at[58]);    MULADD(at[16], at[57]);    MULADD(at[17], at[56]);    MULADD(at[18], at[55]);    MULADD(at[19], at[54]);    MULADD(at[20], at[53]);    MULADD(at[21], at[52]);    MULADD(at[22], at[51]);    MULADD(at[23], at[50]);    MULADD(at[24], at[49]);    MULADD(at[25], at[48]);    MULADD(at[26], at[47]);    MULADD(at[27], at[46]);    MULADD(at[28], at[45]);    MULADD(at[29], at[44]);    MULADD(at[30], at[43]);    MULADD(at[31], at[42]); 
+   COMBA_STORE(C->dp[41]);
+   /* 42 */
+   COMBA_FORWARD;
+   MULADD(at[11], at[63]);    MULADD(at[12], at[62]);    MULADD(at[13], at[61]);    MULADD(at[14], at[60]);    MULADD(at[15], at[59]);    MULADD(at[16], at[58]);    MULADD(at[17], at[57]);    MULADD(at[18], at[56]);    MULADD(at[19], at[55]);    MULADD(at[20], at[54]);    MULADD(at[21], at[53]);    MULADD(at[22], at[52]);    MULADD(at[23], at[51]);    MULADD(at[24], at[50]);    MULADD(at[25], at[49]);    MULADD(at[26], at[48]);    MULADD(at[27], at[47]);    MULADD(at[28], at[46]);    MULADD(at[29], at[45]);    MULADD(at[30], at[44]);    MULADD(at[31], at[43]); 
+   COMBA_STORE(C->dp[42]);
+   /* 43 */
+   COMBA_FORWARD;
+   MULADD(at[12], at[63]);    MULADD(at[13], at[62]);    MULADD(at[14], at[61]);    MULADD(at[15], at[60]);    MULADD(at[16], at[59]);    MULADD(at[17], at[58]);    MULADD(at[18], at[57]);    MULADD(at[19], at[56]);    MULADD(at[20], at[55]);    MULADD(at[21], at[54]);    MULADD(at[22], at[53]);    MULADD(at[23], at[52]);    MULADD(at[24], at[51]);    MULADD(at[25], at[50]);    MULADD(at[26], at[49]);    MULADD(at[27], at[48]);    MULADD(at[28], at[47]);    MULADD(at[29], at[46]);    MULADD(at[30], at[45]);    MULADD(at[31], at[44]); 
+   COMBA_STORE(C->dp[43]);
+   /* 44 */
+   COMBA_FORWARD;
+   MULADD(at[13], at[63]);    MULADD(at[14], at[62]);    MULADD(at[15], at[61]);    MULADD(at[16], at[60]);    MULADD(at[17], at[59]);    MULADD(at[18], at[58]);    MULADD(at[19], at[57]);    MULADD(at[20], at[56]);    MULADD(at[21], at[55]);    MULADD(at[22], at[54]);    MULADD(at[23], at[53]);    MULADD(at[24], at[52]);    MULADD(at[25], at[51]);    MULADD(at[26], at[50]);    MULADD(at[27], at[49]);    MULADD(at[28], at[48]);    MULADD(at[29], at[47]);    MULADD(at[30], at[46]);    MULADD(at[31], at[45]); 
+   COMBA_STORE(C->dp[44]);
+   /* 45 */
+   COMBA_FORWARD;
+   MULADD(at[14], at[63]);    MULADD(at[15], at[62]);    MULADD(at[16], at[61]);    MULADD(at[17], at[60]);    MULADD(at[18], at[59]);    MULADD(at[19], at[58]);    MULADD(at[20], at[57]);    MULADD(at[21], at[56]);    MULADD(at[22], at[55]);    MULADD(at[23], at[54]);    MULADD(at[24], at[53]);    MULADD(at[25], at[52]);    MULADD(at[26], at[51]);    MULADD(at[27], at[50]);    MULADD(at[28], at[49]);    MULADD(at[29], at[48]);    MULADD(at[30], at[47]);    MULADD(at[31], at[46]); 
+   COMBA_STORE(C->dp[45]);
+   /* 46 */
+   COMBA_FORWARD;
+   MULADD(at[15], at[63]);    MULADD(at[16], at[62]);    MULADD(at[17], at[61]);    MULADD(at[18], at[60]);    MULADD(at[19], at[59]);    MULADD(at[20], at[58]);    MULADD(at[21], at[57]);    MULADD(at[22], at[56]);    MULADD(at[23], at[55]);    MULADD(at[24], at[54]);    MULADD(at[25], at[53]);    MULADD(at[26], at[52]);    MULADD(at[27], at[51]);    MULADD(at[28], at[50]);    MULADD(at[29], at[49]);    MULADD(at[30], at[48]);    MULADD(at[31], at[47]); 
+   COMBA_STORE(C->dp[46]);
+   /* 47 */
+   COMBA_FORWARD;
+   MULADD(at[16], at[63]);    MULADD(at[17], at[62]);    MULADD(at[18], at[61]);    MULADD(at[19], at[60]);    MULADD(at[20], at[59]);    MULADD(at[21], at[58]);    MULADD(at[22], at[57]);    MULADD(at[23], at[56]);    MULADD(at[24], at[55]);    MULADD(at[25], at[54]);    MULADD(at[26], at[53]);    MULADD(at[27], at[52]);    MULADD(at[28], at[51]);    MULADD(at[29], at[50]);    MULADD(at[30], at[49]);    MULADD(at[31], at[48]); 
+   COMBA_STORE(C->dp[47]);
+   /* 48 */
+   COMBA_FORWARD;
+   MULADD(at[17], at[63]);    MULADD(at[18], at[62]);    MULADD(at[19], at[61]);    MULADD(at[20], at[60]);    MULADD(at[21], at[59]);    MULADD(at[22], at[58]);    MULADD(at[23], at[57]);    MULADD(at[24], at[56]);    MULADD(at[25], at[55]);    MULADD(at[26], at[54]);    MULADD(at[27], at[53]);    MULADD(at[28], at[52]);    MULADD(at[29], at[51]);    MULADD(at[30], at[50]);    MULADD(at[31], at[49]); 
+   COMBA_STORE(C->dp[48]);
+   /* 49 */
+   COMBA_FORWARD;
+   MULADD(at[18], at[63]);    MULADD(at[19], at[62]);    MULADD(at[20], at[61]);    MULADD(at[21], at[60]);    MULADD(at[22], at[59]);    MULADD(at[23], at[58]);    MULADD(at[24], at[57]);    MULADD(at[25], at[56]);    MULADD(at[26], at[55]);    MULADD(at[27], at[54]);    MULADD(at[28], at[53]);    MULADD(at[29], at[52]);    MULADD(at[30], at[51]);    MULADD(at[31], at[50]); 
+   COMBA_STORE(C->dp[49]);
+   /* 50 */
+   COMBA_FORWARD;
+   MULADD(at[19], at[63]);    MULADD(at[20], at[62]);    MULADD(at[21], at[61]);    MULADD(at[22], at[60]);    MULADD(at[23], at[59]);    MULADD(at[24], at[58]);    MULADD(at[25], at[57]);    MULADD(at[26], at[56]);    MULADD(at[27], at[55]);    MULADD(at[28], at[54]);    MULADD(at[29], at[53]);    MULADD(at[30], at[52]);    MULADD(at[31], at[51]); 
+   COMBA_STORE(C->dp[50]);
+   /* 51 */
+   COMBA_FORWARD;
+   MULADD(at[20], at[63]);    MULADD(at[21], at[62]);    MULADD(at[22], at[61]);    MULADD(at[23], at[60]);    MULADD(at[24], at[59]);    MULADD(at[25], at[58]);    MULADD(at[26], at[57]);    MULADD(at[27], at[56]);    MULADD(at[28], at[55]);    MULADD(at[29], at[54]);    MULADD(at[30], at[53]);    MULADD(at[31], at[52]); 
+   COMBA_STORE(C->dp[51]);
+   /* 52 */
+   COMBA_FORWARD;
+   MULADD(at[21], at[63]);    MULADD(at[22], at[62]);    MULADD(at[23], at[61]);    MULADD(at[24], at[60]);    MULADD(at[25], at[59]);    MULADD(at[26], at[58]);    MULADD(at[27], at[57]);    MULADD(at[28], at[56]);    MULADD(at[29], at[55]);    MULADD(at[30], at[54]);    MULADD(at[31], at[53]); 
+   COMBA_STORE(C->dp[52]);
+   /* 53 */
+   COMBA_FORWARD;
+   MULADD(at[22], at[63]);    MULADD(at[23], at[62]);    MULADD(at[24], at[61]);    MULADD(at[25], at[60]);    MULADD(at[26], at[59]);    MULADD(at[27], at[58]);    MULADD(at[28], at[57]);    MULADD(at[29], at[56]);    MULADD(at[30], at[55]);    MULADD(at[31], at[54]); 
+   COMBA_STORE(C->dp[53]);
+   /* 54 */
+   COMBA_FORWARD;
+   MULADD(at[23], at[63]);    MULADD(at[24], at[62]);    MULADD(at[25], at[61]);    MULADD(at[26], at[60]);    MULADD(at[27], at[59]);    MULADD(at[28], at[58]);    MULADD(at[29], at[57]);    MULADD(at[30], at[56]);    MULADD(at[31], at[55]); 
+   COMBA_STORE(C->dp[54]);
+   /* 55 */
+   COMBA_FORWARD;
+   MULADD(at[24], at[63]);    MULADD(at[25], at[62]);    MULADD(at[26], at[61]);    MULADD(at[27], at[60]);    MULADD(at[28], at[59]);    MULADD(at[29], at[58]);    MULADD(at[30], at[57]);    MULADD(at[31], at[56]); 
+   COMBA_STORE(C->dp[55]);
+   /* 56 */
+   COMBA_FORWARD;
+   MULADD(at[25], at[63]);    MULADD(at[26], at[62]);    MULADD(at[27], at[61]);    MULADD(at[28], at[60]);    MULADD(at[29], at[59]);    MULADD(at[30], at[58]);    MULADD(at[31], at[57]); 
+   COMBA_STORE(C->dp[56]);
+   /* 57 */
+   COMBA_FORWARD;
+   MULADD(at[26], at[63]);    MULADD(at[27], at[62]);    MULADD(at[28], at[61]);    MULADD(at[29], at[60]);    MULADD(at[30], at[59]);    MULADD(at[31], at[58]); 
+   COMBA_STORE(C->dp[57]);
+   /* 58 */
+   COMBA_FORWARD;
+   MULADD(at[27], at[63]);    MULADD(at[28], at[62]);    MULADD(at[29], at[61]);    MULADD(at[30], at[60]);    MULADD(at[31], at[59]); 
+   COMBA_STORE(C->dp[58]);
+   /* 59 */
+   COMBA_FORWARD;
+   MULADD(at[28], at[63]);    MULADD(at[29], at[62]);    MULADD(at[30], at[61]);    MULADD(at[31], at[60]); 
+   COMBA_STORE(C->dp[59]);
+   /* 60 */
+   COMBA_FORWARD;
+   MULADD(at[29], at[63]);    MULADD(at[30], at[62]);    MULADD(at[31], at[61]); 
+   COMBA_STORE(C->dp[60]);
+   /* 61 */
+   COMBA_FORWARD;
+   MULADD(at[30], at[63]);    MULADD(at[31], at[62]); 
+   COMBA_STORE(C->dp[61]);
+   /* 62 */
+   COMBA_FORWARD;
+   MULADD(at[31], at[63]); 
+   COMBA_STORE(C->dp[62]);
+   COMBA_STORE2(C->dp[63]);
+   C->used = 64;
+   C->sign = A->sign ^ B->sign;
+   mp_clamp(C);
+   COMBA_FINI;
+}
+
+
+
+void s_mp_sqr_comba_4(const mp_int *A, mp_int *B)
+{
+   mp_digit *a, b[8], c0, c1, c2;
+
+   a = A->dp;
+   COMBA_START; 
+
+   /* clear carries */
+   CLEAR_CARRY;
+
+   /* output 0 */
+   SQRADD(a[0],a[0]);
+   COMBA_STORE(b[0]);
+
+   /* output 1 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[1]); 
+   COMBA_STORE(b[1]);
+
+   /* output 2 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
+   COMBA_STORE(b[2]);
+
+   /* output 3 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
+   COMBA_STORE(b[3]);
+
+   /* output 4 */
+   CARRY_FORWARD;
+   SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
+   COMBA_STORE(b[4]);
+
+   /* output 5 */
+   CARRY_FORWARD;
+   SQRADD2(a[2], a[3]); 
+   COMBA_STORE(b[5]);
+
+   /* output 6 */
+   CARRY_FORWARD;
+   SQRADD(a[3], a[3]); 
+   COMBA_STORE(b[6]);
+   COMBA_STORE2(b[7]);
+   COMBA_FINI;
+
+   B->used = 8;
+   B->sign = ZPOS;
+   memcpy(B->dp, b, 8 * sizeof(mp_digit));
+   mp_clamp(B);
+}
+
+void s_mp_sqr_comba_8(const mp_int *A, mp_int *B)
+{
+   mp_digit *a, b[16], c0, c1, c2, sc0, sc1, sc2;
+
+   a = A->dp;
+   COMBA_START; 
+
+   /* clear carries */
+   CLEAR_CARRY;
+
+   /* output 0 */
+   SQRADD(a[0],a[0]);
+   COMBA_STORE(b[0]);
+
+   /* output 1 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[1]); 
+   COMBA_STORE(b[1]);
+
+   /* output 2 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
+   COMBA_STORE(b[2]);
+
+   /* output 3 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
+   COMBA_STORE(b[3]);
+
+   /* output 4 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[4]);    SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
+   COMBA_STORE(b[4]);
+
+   /* output 5 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
+   COMBA_STORE(b[5]);
+
+   /* output 6 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
+   COMBA_STORE(b[6]);
+
+   /* output 7 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
+   COMBA_STORE(b[7]);
+
+   /* output 8 */
+   CARRY_FORWARD;
+   SQRADDSC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
+   COMBA_STORE(b[8]);
+
+   /* output 9 */
+   CARRY_FORWARD;
+   SQRADDSC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
+   COMBA_STORE(b[9]);
+
+   /* output 10 */
+   CARRY_FORWARD;
+   SQRADD2(a[3], a[7]);    SQRADD2(a[4], a[6]);    SQRADD(a[5], a[5]); 
+   COMBA_STORE(b[10]);
+
+   /* output 11 */
+   CARRY_FORWARD;
+   SQRADD2(a[4], a[7]);    SQRADD2(a[5], a[6]); 
+   COMBA_STORE(b[11]);
+
+   /* output 12 */
+   CARRY_FORWARD;
+   SQRADD2(a[5], a[7]);    SQRADD(a[6], a[6]); 
+   COMBA_STORE(b[12]);
+
+   /* output 13 */
+   CARRY_FORWARD;
+   SQRADD2(a[6], a[7]); 
+   COMBA_STORE(b[13]);
+
+   /* output 14 */
+   CARRY_FORWARD;
+   SQRADD(a[7], a[7]); 
+   COMBA_STORE(b[14]);
+   COMBA_STORE2(b[15]);
+   COMBA_FINI;
+
+   B->used = 16;
+   B->sign = ZPOS;
+   memcpy(B->dp, b, 16 * sizeof(mp_digit));
+   mp_clamp(B);
+}
+
+void s_mp_sqr_comba_16(const mp_int *A, mp_int *B)
+{
+   mp_digit *a, b[32], c0, c1, c2, sc0, sc1, sc2;
+
+   a = A->dp;
+   COMBA_START; 
+
+   /* clear carries */
+   CLEAR_CARRY;
+
+   /* output 0 */
+   SQRADD(a[0],a[0]);
+   COMBA_STORE(b[0]);
+
+   /* output 1 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[1]); 
+   COMBA_STORE(b[1]);
+
+   /* output 2 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
+   COMBA_STORE(b[2]);
+
+   /* output 3 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
+   COMBA_STORE(b[3]);
+
+   /* output 4 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[4]);    SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
+   COMBA_STORE(b[4]);
+
+   /* output 5 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
+   COMBA_STORE(b[5]);
+
+   /* output 6 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
+   COMBA_STORE(b[6]);
+
+   /* output 7 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
+   COMBA_STORE(b[7]);
+
+   /* output 8 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[8]); SQRADDAC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
+   COMBA_STORE(b[8]);
+
+   /* output 9 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[9]); SQRADDAC(a[1], a[8]); SQRADDAC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
+   COMBA_STORE(b[9]);
+
+   /* output 10 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[10]); SQRADDAC(a[1], a[9]); SQRADDAC(a[2], a[8]); SQRADDAC(a[3], a[7]); SQRADDAC(a[4], a[6]); SQRADDDB; SQRADD(a[5], a[5]); 
+   COMBA_STORE(b[10]);
+
+   /* output 11 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[11]); SQRADDAC(a[1], a[10]); SQRADDAC(a[2], a[9]); SQRADDAC(a[3], a[8]); SQRADDAC(a[4], a[7]); SQRADDAC(a[5], a[6]); SQRADDDB; 
+   COMBA_STORE(b[11]);
+
+   /* output 12 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[12]); SQRADDAC(a[1], a[11]); SQRADDAC(a[2], a[10]); SQRADDAC(a[3], a[9]); SQRADDAC(a[4], a[8]); SQRADDAC(a[5], a[7]); SQRADDDB; SQRADD(a[6], a[6]); 
+   COMBA_STORE(b[12]);
+
+   /* output 13 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[13]); SQRADDAC(a[1], a[12]); SQRADDAC(a[2], a[11]); SQRADDAC(a[3], a[10]); SQRADDAC(a[4], a[9]); SQRADDAC(a[5], a[8]); SQRADDAC(a[6], a[7]); SQRADDDB; 
+   COMBA_STORE(b[13]);
+
+   /* output 14 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[14]); SQRADDAC(a[1], a[13]); SQRADDAC(a[2], a[12]); SQRADDAC(a[3], a[11]); SQRADDAC(a[4], a[10]); SQRADDAC(a[5], a[9]); SQRADDAC(a[6], a[8]); SQRADDDB; SQRADD(a[7], a[7]); 
+   COMBA_STORE(b[14]);
+
+   /* output 15 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[15]); SQRADDAC(a[1], a[14]); SQRADDAC(a[2], a[13]); SQRADDAC(a[3], a[12]); SQRADDAC(a[4], a[11]); SQRADDAC(a[5], a[10]); SQRADDAC(a[6], a[9]); SQRADDAC(a[7], a[8]); SQRADDDB; 
+   COMBA_STORE(b[15]);
+
+   /* output 16 */
+   CARRY_FORWARD;
+   SQRADDSC(a[1], a[15]); SQRADDAC(a[2], a[14]); SQRADDAC(a[3], a[13]); SQRADDAC(a[4], a[12]); SQRADDAC(a[5], a[11]); SQRADDAC(a[6], a[10]); SQRADDAC(a[7], a[9]); SQRADDDB; SQRADD(a[8], a[8]); 
+   COMBA_STORE(b[16]);
+
+   /* output 17 */
+   CARRY_FORWARD;
+   SQRADDSC(a[2], a[15]); SQRADDAC(a[3], a[14]); SQRADDAC(a[4], a[13]); SQRADDAC(a[5], a[12]); SQRADDAC(a[6], a[11]); SQRADDAC(a[7], a[10]); SQRADDAC(a[8], a[9]); SQRADDDB; 
+   COMBA_STORE(b[17]);
+
+   /* output 18 */
+   CARRY_FORWARD;
+   SQRADDSC(a[3], a[15]); SQRADDAC(a[4], a[14]); SQRADDAC(a[5], a[13]); SQRADDAC(a[6], a[12]); SQRADDAC(a[7], a[11]); SQRADDAC(a[8], a[10]); SQRADDDB; SQRADD(a[9], a[9]); 
+   COMBA_STORE(b[18]);
+
+   /* output 19 */
+   CARRY_FORWARD;
+   SQRADDSC(a[4], a[15]); SQRADDAC(a[5], a[14]); SQRADDAC(a[6], a[13]); SQRADDAC(a[7], a[12]); SQRADDAC(a[8], a[11]); SQRADDAC(a[9], a[10]); SQRADDDB; 
+   COMBA_STORE(b[19]);
+
+   /* output 20 */
+   CARRY_FORWARD;
+   SQRADDSC(a[5], a[15]); SQRADDAC(a[6], a[14]); SQRADDAC(a[7], a[13]); SQRADDAC(a[8], a[12]); SQRADDAC(a[9], a[11]); SQRADDDB; SQRADD(a[10], a[10]); 
+   COMBA_STORE(b[20]);
+
+   /* output 21 */
+   CARRY_FORWARD;
+   SQRADDSC(a[6], a[15]); SQRADDAC(a[7], a[14]); SQRADDAC(a[8], a[13]); SQRADDAC(a[9], a[12]); SQRADDAC(a[10], a[11]); SQRADDDB; 
+   COMBA_STORE(b[21]);
+
+   /* output 22 */
+   CARRY_FORWARD;
+   SQRADDSC(a[7], a[15]); SQRADDAC(a[8], a[14]); SQRADDAC(a[9], a[13]); SQRADDAC(a[10], a[12]); SQRADDDB; SQRADD(a[11], a[11]); 
+   COMBA_STORE(b[22]);
+
+   /* output 23 */
+   CARRY_FORWARD;
+   SQRADDSC(a[8], a[15]); SQRADDAC(a[9], a[14]); SQRADDAC(a[10], a[13]); SQRADDAC(a[11], a[12]); SQRADDDB; 
+   COMBA_STORE(b[23]);
+
+   /* output 24 */
+   CARRY_FORWARD;
+   SQRADDSC(a[9], a[15]); SQRADDAC(a[10], a[14]); SQRADDAC(a[11], a[13]); SQRADDDB; SQRADD(a[12], a[12]); 
+   COMBA_STORE(b[24]);
+
+   /* output 25 */
+   CARRY_FORWARD;
+   SQRADDSC(a[10], a[15]); SQRADDAC(a[11], a[14]); SQRADDAC(a[12], a[13]); SQRADDDB; 
+   COMBA_STORE(b[25]);
+
+   /* output 26 */
+   CARRY_FORWARD;
+   SQRADD2(a[11], a[15]);    SQRADD2(a[12], a[14]);    SQRADD(a[13], a[13]); 
+   COMBA_STORE(b[26]);
+
+   /* output 27 */
+   CARRY_FORWARD;
+   SQRADD2(a[12], a[15]);    SQRADD2(a[13], a[14]); 
+   COMBA_STORE(b[27]);
+
+   /* output 28 */
+   CARRY_FORWARD;
+   SQRADD2(a[13], a[15]);    SQRADD(a[14], a[14]); 
+   COMBA_STORE(b[28]);
+
+   /* output 29 */
+   CARRY_FORWARD;
+   SQRADD2(a[14], a[15]); 
+   COMBA_STORE(b[29]);
+
+   /* output 30 */
+   CARRY_FORWARD;
+   SQRADD(a[15], a[15]); 
+   COMBA_STORE(b[30]);
+   COMBA_STORE2(b[31]);
+   COMBA_FINI;
+
+   B->used = 32;
+   B->sign = ZPOS;
+   memcpy(B->dp, b, 32 * sizeof(mp_digit));
+   mp_clamp(B);
+}
+
+
+void s_mp_sqr_comba_32(const mp_int *A, mp_int *B)
+{
+   mp_digit *a, b[64], c0, c1, c2, sc0, sc1, sc2;
+
+   a = A->dp;
+   COMBA_START; 
+
+   /* clear carries */
+   CLEAR_CARRY;
+
+   /* output 0 */
+   SQRADD(a[0],a[0]);
+   COMBA_STORE(b[0]);
+
+   /* output 1 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[1]); 
+   COMBA_STORE(b[1]);
+
+   /* output 2 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[2]); SQRADD(a[1], a[1]); 
+   COMBA_STORE(b[2]);
+
+   /* output 3 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[3]); SQRADD2(a[1], a[2]); 
+   COMBA_STORE(b[3]);
+
+   /* output 4 */
+   CARRY_FORWARD;
+   SQRADD2(a[0], a[4]); SQRADD2(a[1], a[3]); SQRADD(a[2], a[2]); 
+   COMBA_STORE(b[4]);
+
+   /* output 5 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
+   COMBA_STORE(b[5]);
+
+   /* output 6 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
+   COMBA_STORE(b[6]);
+
+   /* output 7 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
+   COMBA_STORE(b[7]);
+
+   /* output 8 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[8]); SQRADDAC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
+   COMBA_STORE(b[8]);
+
+   /* output 9 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[9]); SQRADDAC(a[1], a[8]); SQRADDAC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
+   COMBA_STORE(b[9]);
+
+   /* output 10 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[10]); SQRADDAC(a[1], a[9]); SQRADDAC(a[2], a[8]); SQRADDAC(a[3], a[7]); SQRADDAC(a[4], a[6]); SQRADDDB; SQRADD(a[5], a[5]); 
+   COMBA_STORE(b[10]);
+
+   /* output 11 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[11]); SQRADDAC(a[1], a[10]); SQRADDAC(a[2], a[9]); SQRADDAC(a[3], a[8]); SQRADDAC(a[4], a[7]); SQRADDAC(a[5], a[6]); SQRADDDB; 
+   COMBA_STORE(b[11]);
+
+   /* output 12 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[12]); SQRADDAC(a[1], a[11]); SQRADDAC(a[2], a[10]); SQRADDAC(a[3], a[9]); SQRADDAC(a[4], a[8]); SQRADDAC(a[5], a[7]); SQRADDDB; SQRADD(a[6], a[6]); 
+   COMBA_STORE(b[12]);
+
+   /* output 13 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[13]); SQRADDAC(a[1], a[12]); SQRADDAC(a[2], a[11]); SQRADDAC(a[3], a[10]); SQRADDAC(a[4], a[9]); SQRADDAC(a[5], a[8]); SQRADDAC(a[6], a[7]); SQRADDDB; 
+   COMBA_STORE(b[13]);
+
+   /* output 14 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[14]); SQRADDAC(a[1], a[13]); SQRADDAC(a[2], a[12]); SQRADDAC(a[3], a[11]); SQRADDAC(a[4], a[10]); SQRADDAC(a[5], a[9]); SQRADDAC(a[6], a[8]); SQRADDDB; SQRADD(a[7], a[7]); 
+   COMBA_STORE(b[14]);
+
+   /* output 15 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[15]); SQRADDAC(a[1], a[14]); SQRADDAC(a[2], a[13]); SQRADDAC(a[3], a[12]); SQRADDAC(a[4], a[11]); SQRADDAC(a[5], a[10]); SQRADDAC(a[6], a[9]); SQRADDAC(a[7], a[8]); SQRADDDB; 
+   COMBA_STORE(b[15]);
+
+   /* output 16 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[16]); SQRADDAC(a[1], a[15]); SQRADDAC(a[2], a[14]); SQRADDAC(a[3], a[13]); SQRADDAC(a[4], a[12]); SQRADDAC(a[5], a[11]); SQRADDAC(a[6], a[10]); SQRADDAC(a[7], a[9]); SQRADDDB; SQRADD(a[8], a[8]); 
+   COMBA_STORE(b[16]);
+
+   /* output 17 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[17]); SQRADDAC(a[1], a[16]); SQRADDAC(a[2], a[15]); SQRADDAC(a[3], a[14]); SQRADDAC(a[4], a[13]); SQRADDAC(a[5], a[12]); SQRADDAC(a[6], a[11]); SQRADDAC(a[7], a[10]); SQRADDAC(a[8], a[9]); SQRADDDB; 
+   COMBA_STORE(b[17]);
+
+   /* output 18 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[18]); SQRADDAC(a[1], a[17]); SQRADDAC(a[2], a[16]); SQRADDAC(a[3], a[15]); SQRADDAC(a[4], a[14]); SQRADDAC(a[5], a[13]); SQRADDAC(a[6], a[12]); SQRADDAC(a[7], a[11]); SQRADDAC(a[8], a[10]); SQRADDDB; SQRADD(a[9], a[9]); 
+   COMBA_STORE(b[18]);
+
+   /* output 19 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[19]); SQRADDAC(a[1], a[18]); SQRADDAC(a[2], a[17]); SQRADDAC(a[3], a[16]); SQRADDAC(a[4], a[15]); SQRADDAC(a[5], a[14]); SQRADDAC(a[6], a[13]); SQRADDAC(a[7], a[12]); SQRADDAC(a[8], a[11]); SQRADDAC(a[9], a[10]); SQRADDDB; 
+   COMBA_STORE(b[19]);
+
+   /* output 20 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[20]); SQRADDAC(a[1], a[19]); SQRADDAC(a[2], a[18]); SQRADDAC(a[3], a[17]); SQRADDAC(a[4], a[16]); SQRADDAC(a[5], a[15]); SQRADDAC(a[6], a[14]); SQRADDAC(a[7], a[13]); SQRADDAC(a[8], a[12]); SQRADDAC(a[9], a[11]); SQRADDDB; SQRADD(a[10], a[10]); 
+   COMBA_STORE(b[20]);
+
+   /* output 21 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[21]); SQRADDAC(a[1], a[20]); SQRADDAC(a[2], a[19]); SQRADDAC(a[3], a[18]); SQRADDAC(a[4], a[17]); SQRADDAC(a[5], a[16]); SQRADDAC(a[6], a[15]); SQRADDAC(a[7], a[14]); SQRADDAC(a[8], a[13]); SQRADDAC(a[9], a[12]); SQRADDAC(a[10], a[11]); SQRADDDB; 
+   COMBA_STORE(b[21]);
+
+   /* output 22 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[22]); SQRADDAC(a[1], a[21]); SQRADDAC(a[2], a[20]); SQRADDAC(a[3], a[19]); SQRADDAC(a[4], a[18]); SQRADDAC(a[5], a[17]); SQRADDAC(a[6], a[16]); SQRADDAC(a[7], a[15]); SQRADDAC(a[8], a[14]); SQRADDAC(a[9], a[13]); SQRADDAC(a[10], a[12]); SQRADDDB; SQRADD(a[11], a[11]); 
+   COMBA_STORE(b[22]);
+
+   /* output 23 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[23]); SQRADDAC(a[1], a[22]); SQRADDAC(a[2], a[21]); SQRADDAC(a[3], a[20]); SQRADDAC(a[4], a[19]); SQRADDAC(a[5], a[18]); SQRADDAC(a[6], a[17]); SQRADDAC(a[7], a[16]); SQRADDAC(a[8], a[15]); SQRADDAC(a[9], a[14]); SQRADDAC(a[10], a[13]); SQRADDAC(a[11], a[12]); SQRADDDB; 
+   COMBA_STORE(b[23]);
+
+   /* output 24 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[24]); SQRADDAC(a[1], a[23]); SQRADDAC(a[2], a[22]); SQRADDAC(a[3], a[21]); SQRADDAC(a[4], a[20]); SQRADDAC(a[5], a[19]); SQRADDAC(a[6], a[18]); SQRADDAC(a[7], a[17]); SQRADDAC(a[8], a[16]); SQRADDAC(a[9], a[15]); SQRADDAC(a[10], a[14]); SQRADDAC(a[11], a[13]); SQRADDDB; SQRADD(a[12], a[12]); 
+   COMBA_STORE(b[24]);
+
+   /* output 25 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[25]); SQRADDAC(a[1], a[24]); SQRADDAC(a[2], a[23]); SQRADDAC(a[3], a[22]); SQRADDAC(a[4], a[21]); SQRADDAC(a[5], a[20]); SQRADDAC(a[6], a[19]); SQRADDAC(a[7], a[18]); SQRADDAC(a[8], a[17]); SQRADDAC(a[9], a[16]); SQRADDAC(a[10], a[15]); SQRADDAC(a[11], a[14]); SQRADDAC(a[12], a[13]); SQRADDDB; 
+   COMBA_STORE(b[25]);
+
+   /* output 26 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[26]); SQRADDAC(a[1], a[25]); SQRADDAC(a[2], a[24]); SQRADDAC(a[3], a[23]); SQRADDAC(a[4], a[22]); SQRADDAC(a[5], a[21]); SQRADDAC(a[6], a[20]); SQRADDAC(a[7], a[19]); SQRADDAC(a[8], a[18]); SQRADDAC(a[9], a[17]); SQRADDAC(a[10], a[16]); SQRADDAC(a[11], a[15]); SQRADDAC(a[12], a[14]); SQRADDDB; SQRADD(a[13], a[13]); 
+   COMBA_STORE(b[26]);
+
+   /* output 27 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[27]); SQRADDAC(a[1], a[26]); SQRADDAC(a[2], a[25]); SQRADDAC(a[3], a[24]); SQRADDAC(a[4], a[23]); SQRADDAC(a[5], a[22]); SQRADDAC(a[6], a[21]); SQRADDAC(a[7], a[20]); SQRADDAC(a[8], a[19]); SQRADDAC(a[9], a[18]); SQRADDAC(a[10], a[17]); SQRADDAC(a[11], a[16]); SQRADDAC(a[12], a[15]); SQRADDAC(a[13], a[14]); SQRADDDB; 
+   COMBA_STORE(b[27]);
+
+   /* output 28 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[28]); SQRADDAC(a[1], a[27]); SQRADDAC(a[2], a[26]); SQRADDAC(a[3], a[25]); SQRADDAC(a[4], a[24]); SQRADDAC(a[5], a[23]); SQRADDAC(a[6], a[22]); SQRADDAC(a[7], a[21]); SQRADDAC(a[8], a[20]); SQRADDAC(a[9], a[19]); SQRADDAC(a[10], a[18]); SQRADDAC(a[11], a[17]); SQRADDAC(a[12], a[16]); SQRADDAC(a[13], a[15]); SQRADDDB; SQRADD(a[14], a[14]); 
+   COMBA_STORE(b[28]);
+
+   /* output 29 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[29]); SQRADDAC(a[1], a[28]); SQRADDAC(a[2], a[27]); SQRADDAC(a[3], a[26]); SQRADDAC(a[4], a[25]); SQRADDAC(a[5], a[24]); SQRADDAC(a[6], a[23]); SQRADDAC(a[7], a[22]); SQRADDAC(a[8], a[21]); SQRADDAC(a[9], a[20]); SQRADDAC(a[10], a[19]); SQRADDAC(a[11], a[18]); SQRADDAC(a[12], a[17]); SQRADDAC(a[13], a[16]); SQRADDAC(a[14], a[15]); SQRADDDB; 
+   COMBA_STORE(b[29]);
+
+   /* output 30 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[30]); SQRADDAC(a[1], a[29]); SQRADDAC(a[2], a[28]); SQRADDAC(a[3], a[27]); SQRADDAC(a[4], a[26]); SQRADDAC(a[5], a[25]); SQRADDAC(a[6], a[24]); SQRADDAC(a[7], a[23]); SQRADDAC(a[8], a[22]); SQRADDAC(a[9], a[21]); SQRADDAC(a[10], a[20]); SQRADDAC(a[11], a[19]); SQRADDAC(a[12], a[18]); SQRADDAC(a[13], a[17]); SQRADDAC(a[14], a[16]); SQRADDDB; SQRADD(a[15], a[15]); 
+   COMBA_STORE(b[30]);
+
+   /* output 31 */
+   CARRY_FORWARD;
+   SQRADDSC(a[0], a[31]); SQRADDAC(a[1], a[30]); SQRADDAC(a[2], a[29]); SQRADDAC(a[3], a[28]); SQRADDAC(a[4], a[27]); SQRADDAC(a[5], a[26]); SQRADDAC(a[6], a[25]); SQRADDAC(a[7], a[24]); SQRADDAC(a[8], a[23]); SQRADDAC(a[9], a[22]); SQRADDAC(a[10], a[21]); SQRADDAC(a[11], a[20]); SQRADDAC(a[12], a[19]); SQRADDAC(a[13], a[18]); SQRADDAC(a[14], a[17]); SQRADDAC(a[15], a[16]); SQRADDDB; 
+   COMBA_STORE(b[31]);
+
+   /* output 32 */
+   CARRY_FORWARD;
+   SQRADDSC(a[1], a[31]); SQRADDAC(a[2], a[30]); SQRADDAC(a[3], a[29]); SQRADDAC(a[4], a[28]); SQRADDAC(a[5], a[27]); SQRADDAC(a[6], a[26]); SQRADDAC(a[7], a[25]); SQRADDAC(a[8], a[24]); SQRADDAC(a[9], a[23]); SQRADDAC(a[10], a[22]); SQRADDAC(a[11], a[21]); SQRADDAC(a[12], a[20]); SQRADDAC(a[13], a[19]); SQRADDAC(a[14], a[18]); SQRADDAC(a[15], a[17]); SQRADDDB; SQRADD(a[16], a[16]); 
+   COMBA_STORE(b[32]);
+
+   /* output 33 */
+   CARRY_FORWARD;
+   SQRADDSC(a[2], a[31]); SQRADDAC(a[3], a[30]); SQRADDAC(a[4], a[29]); SQRADDAC(a[5], a[28]); SQRADDAC(a[6], a[27]); SQRADDAC(a[7], a[26]); SQRADDAC(a[8], a[25]); SQRADDAC(a[9], a[24]); SQRADDAC(a[10], a[23]); SQRADDAC(a[11], a[22]); SQRADDAC(a[12], a[21]); SQRADDAC(a[13], a[20]); SQRADDAC(a[14], a[19]); SQRADDAC(a[15], a[18]); SQRADDAC(a[16], a[17]); SQRADDDB; 
+   COMBA_STORE(b[33]);
+
+   /* output 34 */
+   CARRY_FORWARD;
+   SQRADDSC(a[3], a[31]); SQRADDAC(a[4], a[30]); SQRADDAC(a[5], a[29]); SQRADDAC(a[6], a[28]); SQRADDAC(a[7], a[27]); SQRADDAC(a[8], a[26]); SQRADDAC(a[9], a[25]); SQRADDAC(a[10], a[24]); SQRADDAC(a[11], a[23]); SQRADDAC(a[12], a[22]); SQRADDAC(a[13], a[21]); SQRADDAC(a[14], a[20]); SQRADDAC(a[15], a[19]); SQRADDAC(a[16], a[18]); SQRADDDB; SQRADD(a[17], a[17]); 
+   COMBA_STORE(b[34]);
+
+   /* output 35 */
+   CARRY_FORWARD;
+   SQRADDSC(a[4], a[31]); SQRADDAC(a[5], a[30]); SQRADDAC(a[6], a[29]); SQRADDAC(a[7], a[28]); SQRADDAC(a[8], a[27]); SQRADDAC(a[9], a[26]); SQRADDAC(a[10], a[25]); SQRADDAC(a[11], a[24]); SQRADDAC(a[12], a[23]); SQRADDAC(a[13], a[22]); SQRADDAC(a[14], a[21]); SQRADDAC(a[15], a[20]); SQRADDAC(a[16], a[19]); SQRADDAC(a[17], a[18]); SQRADDDB; 
+   COMBA_STORE(b[35]);
+
+   /* output 36 */
+   CARRY_FORWARD;
+   SQRADDSC(a[5], a[31]); SQRADDAC(a[6], a[30]); SQRADDAC(a[7], a[29]); SQRADDAC(a[8], a[28]); SQRADDAC(a[9], a[27]); SQRADDAC(a[10], a[26]); SQRADDAC(a[11], a[25]); SQRADDAC(a[12], a[24]); SQRADDAC(a[13], a[23]); SQRADDAC(a[14], a[22]); SQRADDAC(a[15], a[21]); SQRADDAC(a[16], a[20]); SQRADDAC(a[17], a[19]); SQRADDDB; SQRADD(a[18], a[18]); 
+   COMBA_STORE(b[36]);
+
+   /* output 37 */
+   CARRY_FORWARD;
+   SQRADDSC(a[6], a[31]); SQRADDAC(a[7], a[30]); SQRADDAC(a[8], a[29]); SQRADDAC(a[9], a[28]); SQRADDAC(a[10], a[27]); SQRADDAC(a[11], a[26]); SQRADDAC(a[12], a[25]); SQRADDAC(a[13], a[24]); SQRADDAC(a[14], a[23]); SQRADDAC(a[15], a[22]); SQRADDAC(a[16], a[21]); SQRADDAC(a[17], a[20]); SQRADDAC(a[18], a[19]); SQRADDDB; 
+   COMBA_STORE(b[37]);
+
+   /* output 38 */
+   CARRY_FORWARD;
+   SQRADDSC(a[7], a[31]); SQRADDAC(a[8], a[30]); SQRADDAC(a[9], a[29]); SQRADDAC(a[10], a[28]); SQRADDAC(a[11], a[27]); SQRADDAC(a[12], a[26]); SQRADDAC(a[13], a[25]); SQRADDAC(a[14], a[24]); SQRADDAC(a[15], a[23]); SQRADDAC(a[16], a[22]); SQRADDAC(a[17], a[21]); SQRADDAC(a[18], a[20]); SQRADDDB; SQRADD(a[19], a[19]); 
+   COMBA_STORE(b[38]);
+
+   /* output 39 */
+   CARRY_FORWARD;
+   SQRADDSC(a[8], a[31]); SQRADDAC(a[9], a[30]); SQRADDAC(a[10], a[29]); SQRADDAC(a[11], a[28]); SQRADDAC(a[12], a[27]); SQRADDAC(a[13], a[26]); SQRADDAC(a[14], a[25]); SQRADDAC(a[15], a[24]); SQRADDAC(a[16], a[23]); SQRADDAC(a[17], a[22]); SQRADDAC(a[18], a[21]); SQRADDAC(a[19], a[20]); SQRADDDB; 
+   COMBA_STORE(b[39]);
+
+   /* output 40 */
+   CARRY_FORWARD;
+   SQRADDSC(a[9], a[31]); SQRADDAC(a[10], a[30]); SQRADDAC(a[11], a[29]); SQRADDAC(a[12], a[28]); SQRADDAC(a[13], a[27]); SQRADDAC(a[14], a[26]); SQRADDAC(a[15], a[25]); SQRADDAC(a[16], a[24]); SQRADDAC(a[17], a[23]); SQRADDAC(a[18], a[22]); SQRADDAC(a[19], a[21]); SQRADDDB; SQRADD(a[20], a[20]); 
+   COMBA_STORE(b[40]);
+
+   /* output 41 */
+   CARRY_FORWARD;
+   SQRADDSC(a[10], a[31]); SQRADDAC(a[11], a[30]); SQRADDAC(a[12], a[29]); SQRADDAC(a[13], a[28]); SQRADDAC(a[14], a[27]); SQRADDAC(a[15], a[26]); SQRADDAC(a[16], a[25]); SQRADDAC(a[17], a[24]); SQRADDAC(a[18], a[23]); SQRADDAC(a[19], a[22]); SQRADDAC(a[20], a[21]); SQRADDDB; 
+   COMBA_STORE(b[41]);
+
+   /* output 42 */
+   CARRY_FORWARD;
+   SQRADDSC(a[11], a[31]); SQRADDAC(a[12], a[30]); SQRADDAC(a[13], a[29]); SQRADDAC(a[14], a[28]); SQRADDAC(a[15], a[27]); SQRADDAC(a[16], a[26]); SQRADDAC(a[17], a[25]); SQRADDAC(a[18], a[24]); SQRADDAC(a[19], a[23]); SQRADDAC(a[20], a[22]); SQRADDDB; SQRADD(a[21], a[21]); 
+   COMBA_STORE(b[42]);
+
+   /* output 43 */
+   CARRY_FORWARD;
+   SQRADDSC(a[12], a[31]); SQRADDAC(a[13], a[30]); SQRADDAC(a[14], a[29]); SQRADDAC(a[15], a[28]); SQRADDAC(a[16], a[27]); SQRADDAC(a[17], a[26]); SQRADDAC(a[18], a[25]); SQRADDAC(a[19], a[24]); SQRADDAC(a[20], a[23]); SQRADDAC(a[21], a[22]); SQRADDDB; 
+   COMBA_STORE(b[43]);
+
+   /* output 44 */
+   CARRY_FORWARD;
+   SQRADDSC(a[13], a[31]); SQRADDAC(a[14], a[30]); SQRADDAC(a[15], a[29]); SQRADDAC(a[16], a[28]); SQRADDAC(a[17], a[27]); SQRADDAC(a[18], a[26]); SQRADDAC(a[19], a[25]); SQRADDAC(a[20], a[24]); SQRADDAC(a[21], a[23]); SQRADDDB; SQRADD(a[22], a[22]); 
+   COMBA_STORE(b[44]);
+
+   /* output 45 */
+   CARRY_FORWARD;
+   SQRADDSC(a[14], a[31]); SQRADDAC(a[15], a[30]); SQRADDAC(a[16], a[29]); SQRADDAC(a[17], a[28]); SQRADDAC(a[18], a[27]); SQRADDAC(a[19], a[26]); SQRADDAC(a[20], a[25]); SQRADDAC(a[21], a[24]); SQRADDAC(a[22], a[23]); SQRADDDB; 
+   COMBA_STORE(b[45]);
+
+   /* output 46 */
+   CARRY_FORWARD;
+   SQRADDSC(a[15], a[31]); SQRADDAC(a[16], a[30]); SQRADDAC(a[17], a[29]); SQRADDAC(a[18], a[28]); SQRADDAC(a[19], a[27]); SQRADDAC(a[20], a[26]); SQRADDAC(a[21], a[25]); SQRADDAC(a[22], a[24]); SQRADDDB; SQRADD(a[23], a[23]); 
+   COMBA_STORE(b[46]);
+
+   /* output 47 */
+   CARRY_FORWARD;
+   SQRADDSC(a[16], a[31]); SQRADDAC(a[17], a[30]); SQRADDAC(a[18], a[29]); SQRADDAC(a[19], a[28]); SQRADDAC(a[20], a[27]); SQRADDAC(a[21], a[26]); SQRADDAC(a[22], a[25]); SQRADDAC(a[23], a[24]); SQRADDDB; 
+   COMBA_STORE(b[47]);
+
+   /* output 48 */
+   CARRY_FORWARD;
+   SQRADDSC(a[17], a[31]); SQRADDAC(a[18], a[30]); SQRADDAC(a[19], a[29]); SQRADDAC(a[20], a[28]); SQRADDAC(a[21], a[27]); SQRADDAC(a[22], a[26]); SQRADDAC(a[23], a[25]); SQRADDDB; SQRADD(a[24], a[24]); 
+   COMBA_STORE(b[48]);
+
+   /* output 49 */
+   CARRY_FORWARD;
+   SQRADDSC(a[18], a[31]); SQRADDAC(a[19], a[30]); SQRADDAC(a[20], a[29]); SQRADDAC(a[21], a[28]); SQRADDAC(a[22], a[27]); SQRADDAC(a[23], a[26]); SQRADDAC(a[24], a[25]); SQRADDDB; 
+   COMBA_STORE(b[49]);
+
+   /* output 50 */
+   CARRY_FORWARD;
+   SQRADDSC(a[19], a[31]); SQRADDAC(a[20], a[30]); SQRADDAC(a[21], a[29]); SQRADDAC(a[22], a[28]); SQRADDAC(a[23], a[27]); SQRADDAC(a[24], a[26]); SQRADDDB; SQRADD(a[25], a[25]); 
+   COMBA_STORE(b[50]);
+
+   /* output 51 */
+   CARRY_FORWARD;
+   SQRADDSC(a[20], a[31]); SQRADDAC(a[21], a[30]); SQRADDAC(a[22], a[29]); SQRADDAC(a[23], a[28]); SQRADDAC(a[24], a[27]); SQRADDAC(a[25], a[26]); SQRADDDB; 
+   COMBA_STORE(b[51]);
+
+   /* output 52 */
+   CARRY_FORWARD;
+   SQRADDSC(a[21], a[31]); SQRADDAC(a[22], a[30]); SQRADDAC(a[23], a[29]); SQRADDAC(a[24], a[28]); SQRADDAC(a[25], a[27]); SQRADDDB; SQRADD(a[26], a[26]); 
+   COMBA_STORE(b[52]);
+
+   /* output 53 */
+   CARRY_FORWARD;
+   SQRADDSC(a[22], a[31]); SQRADDAC(a[23], a[30]); SQRADDAC(a[24], a[29]); SQRADDAC(a[25], a[28]); SQRADDAC(a[26], a[27]); SQRADDDB; 
+   COMBA_STORE(b[53]);
+
+   /* output 54 */
+   CARRY_FORWARD;
+   SQRADDSC(a[23], a[31]); SQRADDAC(a[24], a[30]); SQRADDAC(a[25], a[29]); SQRADDAC(a[26], a[28]); SQRADDDB; SQRADD(a[27], a[27]); 
+   COMBA_STORE(b[54]);
+
+   /* output 55 */
+   CARRY_FORWARD;
+   SQRADDSC(a[24], a[31]); SQRADDAC(a[25], a[30]); SQRADDAC(a[26], a[29]); SQRADDAC(a[27], a[28]); SQRADDDB; 
+   COMBA_STORE(b[55]);
+
+   /* output 56 */
+   CARRY_FORWARD;
+   SQRADDSC(a[25], a[31]); SQRADDAC(a[26], a[30]); SQRADDAC(a[27], a[29]); SQRADDDB; SQRADD(a[28], a[28]); 
+   COMBA_STORE(b[56]);
+
+   /* output 57 */
+   CARRY_FORWARD;
+   SQRADDSC(a[26], a[31]); SQRADDAC(a[27], a[30]); SQRADDAC(a[28], a[29]); SQRADDDB; 
+   COMBA_STORE(b[57]);
+
+   /* output 58 */
+   CARRY_FORWARD;
+   SQRADD2(a[27], a[31]); SQRADD2(a[28], a[30]); SQRADD(a[29], a[29]); 
+   COMBA_STORE(b[58]);
+
+   /* output 59 */
+   CARRY_FORWARD;
+   SQRADD2(a[28], a[31]); SQRADD2(a[29], a[30]); 
+   COMBA_STORE(b[59]);
+
+   /* output 60 */
+   CARRY_FORWARD;
+   SQRADD2(a[29], a[31]); SQRADD(a[30], a[30]); 
+   COMBA_STORE(b[60]);
+
+   /* output 61 */
+   CARRY_FORWARD;
+   SQRADD2(a[30], a[31]); 
+   COMBA_STORE(b[61]);
+
+   /* output 62 */
+   CARRY_FORWARD;
+   SQRADD(a[31], a[31]); 
+   COMBA_STORE(b[62]);
+   COMBA_STORE2(b[63]);
+   COMBA_FINI;
+
+   B->used = 64;
+   B->sign = ZPOS;
+   memcpy(B->dp, b, 64 * sizeof(mp_digit));
+   mp_clamp(B);
+}
diff --git a/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s b/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s
new file mode 100644
index 000000000..a5181df33
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s
@@ -0,0 +1,16097 @@
+//* TomsFastMath, a fast ISO C bignum library.
+/ * 
+/ * This project is meant to fill in where LibTomMath
+/ * falls short.  That is speed ;-)
+/ *
+/ * This project is public domain and free for all purposes.
+/ * 
+/ * Tom St Denis, tomstdenis@iahu.ca
+/ */
+
+//*
+/ * The source file from which this assembly was derived
+/ * comes from TFM v0.03, which has the above license.
+/ * This source was compiled with an unnamed compiler at
+/ * the highest optimization level.  Afterwards, the
+/ * trailing .section was removed because it causes errors
+/ * in the Studio 10 compiler on AMD 64.
+/ */
+
+       	.file	"mp_comba.c"
+	.text
+	.align 16
+.globl s_mp_mul_comba_4
+	.type	s_mp_mul_comba_4, @function
+s_mp_mul_comba_4:
+.LFB2:
+	pushq	%r12
+.LCFI0:
+	pushq	%rbp
+.LCFI1:
+	pushq	%rbx
+.LCFI2:
+	movq	16(%rdi), %r9
+	movq	%rdx, %rbx
+	movq	16(%rsi), %rdx
+	movq	(%r9), %rax
+	movq	%rax, -64(%rsp)
+	movq	8(%r9), %r8
+	movq	%r8, -56(%rsp)
+	movq	16(%r9), %rbp
+	movq	%rbp, -48(%rsp)
+	movq	24(%r9), %r12
+	movq	%r12, -40(%rsp)
+	movq	(%rdx), %rcx
+	movq	%rcx, -32(%rsp)
+	movq	8(%rdx), %r10
+	movq	%r10, -24(%rsp)
+	movq	16(%rdx), %r11
+	xorl	%r10d, %r10d
+	movq	%r10, %r8
+	movq	%r10, %r9
+	movq	%r10, %rbp
+	movq	%r11, -16(%rsp)
+	movq	16(%rbx), %r11
+	movq	24(%rdx), %rax
+	movq	%rax, -8(%rsp)
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%r8, (%r11)
+	movq	%rbp, %r8
+	movq	%r10, %rbp
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rbp, %r12
+/APP
+	movq  -56(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r9, 8(%r11)
+	movq	%r12, %r9
+	movq	%r10, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r12, %rcx
+/APP
+	movq  -56(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -48(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 16(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 24(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -56(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 32(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -48(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r8, %r12
+	movq	%r9, %rbp
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 40(%r11)
+	movq	%rbp, %r8
+	movq	%r12, %rcx
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rcx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r8, 48(%r11)
+	movl	(%rsi), %esi
+	xorl	(%rdi), %esi
+	testq	%rcx, %rcx
+	movq	%rcx, 56(%r11)
+	movl	$8, 8(%rbx)
+	jne	.L9
+	.align 16
+.L18:
+	movl	8(%rbx), %edx
+	leal	-1(%rdx), %edi
+	testl	%edi, %edi
+	movl	%edi, 8(%rbx)
+	je	.L9
+	leal	-2(%rdx), %r10d
+	cmpq	$0, (%r11,%r10,8)
+	je	.L18
+.L9:
+	movl	8(%rbx), %edx
+	xorl	%r11d, %r11d
+	testl	%edx, %edx
+	cmovne	%esi, %r11d
+	movl	%r11d, (%rbx)
+	popq	%rbx
+	popq	%rbp
+	popq	%r12
+	ret
+.LFE2:
+	.size	s_mp_mul_comba_4, .-s_mp_mul_comba_4
+	.align 16
+.globl s_mp_mul_comba_8
+	.type	s_mp_mul_comba_8, @function
+s_mp_mul_comba_8:
+.LFB3:
+	pushq	%r12
+.LCFI3:
+	pushq	%rbp
+.LCFI4:
+	pushq	%rbx
+.LCFI5:
+	movq	%rdx, %rbx
+	subq	$8, %rsp
+.LCFI6:
+	movq	16(%rdi), %rdx
+	movq	(%rdx), %r8
+	movq	%r8, -120(%rsp)
+	movq	8(%rdx), %rbp
+	movq	%rbp, -112(%rsp)
+	movq	16(%rdx), %r9
+	movq	%r9, -104(%rsp)
+	movq	24(%rdx), %r12
+	movq	%r12, -96(%rsp)
+	movq	32(%rdx), %rcx
+	movq	%rcx, -88(%rsp)
+	movq	40(%rdx), %r10
+	movq	%r10, -80(%rsp)
+	movq	48(%rdx), %r11
+	movq	%r11, -72(%rsp)
+	movq	56(%rdx), %rax
+	movq	16(%rsi), %rdx
+	movq	%rax, -64(%rsp)
+	movq	(%rdx), %r8
+	movq	%r8, -56(%rsp)
+	movq	8(%rdx), %rbp
+	movq	%rbp, -48(%rsp)
+	movq	16(%rdx), %r9
+	movq	%r9, -40(%rsp)
+	movq	24(%rdx), %r12
+	movq	%r12, -32(%rsp)
+	movq	32(%rdx), %rcx
+	movq	%rcx, -24(%rsp)
+	movq	40(%rdx), %r10
+	movq	%r10, -16(%rsp)
+	movq	48(%rdx), %r11
+	xorl	%r10d, %r10d
+	movq	%r10, %r8
+	movq	%r10, %r9
+	movq	%r10, %rbp
+	movq	%r11, -8(%rsp)
+	movq	16(%rbx), %r11
+	movq	56(%rdx), %rax
+	movq	%rax, (%rsp)
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%r8, (%r11)
+	movq	%rbp, %r8
+	movq	%r10, %rbp
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rbp, %r12
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r9, 8(%r11)
+	movq	%r12, %r9
+	movq	%r10, %r12
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r12, %rcx
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -104(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 16(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -96(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 24(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -88(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 32(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -80(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 40(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -72(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 48(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 56(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 64(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -104(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 72(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -96(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 80(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -88(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 88(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -80(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 96(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -72(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r8, %r12
+	movq	%r9, %rbp
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  -8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 104(%r11)
+	movq	%rbp, %r8
+	movq	%r12, %rcx
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  (%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rcx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r8, 112(%r11)
+	movl	(%rsi), %esi
+	xorl	(%rdi), %esi
+	testq	%rcx, %rcx
+	movq	%rcx, 120(%r11)
+	movl	$16, 8(%rbx)
+	jne	.L35
+	.align 16
+.L43:
+	movl	8(%rbx), %edx
+	leal	-1(%rdx), %edi
+	testl	%edi, %edi
+	movl	%edi, 8(%rbx)
+	je	.L35
+	leal	-2(%rdx), %eax
+	cmpq	$0, (%r11,%rax,8)
+	je	.L43
+.L35:
+	movl	8(%rbx), %r11d
+	xorl	%edx, %edx
+	testl	%r11d, %r11d
+	cmovne	%esi, %edx
+	movl	%edx, (%rbx)
+	addq	$8, %rsp
+	popq	%rbx
+	popq	%rbp
+	popq	%r12
+	ret
+.LFE3:
+	.size	s_mp_mul_comba_8, .-s_mp_mul_comba_8
+	.align 16
+.globl s_mp_mul_comba_16
+	.type	s_mp_mul_comba_16, @function
+s_mp_mul_comba_16:
+.LFB4:
+	pushq	%r12
+.LCFI7:
+	pushq	%rbp
+.LCFI8:
+	pushq	%rbx
+.LCFI9:
+	movq	%rdx, %rbx
+	subq	$136, %rsp
+.LCFI10:
+	movq	16(%rdi), %rax
+	movq	(%rax), %r8
+	movq	%r8, -120(%rsp)
+	movq	8(%rax), %rbp
+	movq	%rbp, -112(%rsp)
+	movq	16(%rax), %r9
+	movq	%r9, -104(%rsp)
+	movq	24(%rax), %r12
+	movq	%r12, -96(%rsp)
+	movq	32(%rax), %rcx
+	movq	%rcx, -88(%rsp)
+	movq	40(%rax), %r10
+	movq	%r10, -80(%rsp)
+	movq	48(%rax), %rdx
+	movq	%rdx, -72(%rsp)
+	movq	56(%rax), %r11
+	movq	%r11, -64(%rsp)
+	movq	64(%rax), %r8
+	movq	%r8, -56(%rsp)
+	movq	72(%rax), %rbp
+	movq	%rbp, -48(%rsp)
+	movq	80(%rax), %r9
+	movq	%r9, -40(%rsp)
+	movq	88(%rax), %r12
+	movq	%r12, -32(%rsp)
+	movq	96(%rax), %rcx
+	movq	%rcx, -24(%rsp)
+	movq	104(%rax), %r10
+	movq	%r10, -16(%rsp)
+	movq	112(%rax), %rdx
+	movq	%rdx, -8(%rsp)
+	movq	120(%rax), %r11
+	movq	%r11, (%rsp)
+	movq	16(%rsi), %r11
+	movq	(%r11), %r8
+	movq	%r8, 8(%rsp)
+	movq	8(%r11), %rbp
+	movq	%rbp, 16(%rsp)
+	movq	16(%r11), %r9
+	movq	%r9, 24(%rsp)
+	movq	24(%r11), %r12
+	movq	%r12, 32(%rsp)
+	movq	32(%r11), %rcx
+	movq	%rcx, 40(%rsp)
+	movq	40(%r11), %r10
+	movq	%r10, 48(%rsp)
+	movq	48(%r11), %rdx
+	movq	%rdx, 56(%rsp)
+	movq	56(%r11), %rax
+	movq	%rax, 64(%rsp)
+	movq	64(%r11), %r8
+	movq	%r8, 72(%rsp)
+	movq	72(%r11), %rbp
+	movq	%rbp, 80(%rsp)
+	movq	80(%r11), %r9
+	movq	%r9, 88(%rsp)
+	movq	88(%r11), %r12
+	movq	%r12, 96(%rsp)
+	movq	96(%r11), %rcx
+	movq	%rcx, 104(%rsp)
+	movq	104(%r11), %r10
+	movq	%r10, 112(%rsp)
+	movq	112(%r11), %rdx
+	xorl	%r10d, %r10d
+	movq	%r10, %r8
+	movq	%r10, %r9
+	movq	%r10, %rbp
+	movq	%rdx, 120(%rsp)
+	movq	120(%r11), %rax
+	movq	%rax, 128(%rsp)
+	movq	16(%rbx), %r11
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%r8, (%r11)
+	movq	%rbp, %r8
+	movq	%r10, %rbp
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rbp, %r12
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r9, 8(%r11)
+	movq	%r12, %r9
+	movq	%r10, %r12
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r12, %rcx
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -104(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 16(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -96(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 24(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -88(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 32(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -80(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 40(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -72(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 48(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 56(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -56(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 64(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -48(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 72(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 80(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -32(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 88(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -24(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 96(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  -16(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 104(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -112(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  -8(%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 112(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -120(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -112(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -104(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  8(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 120(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -112(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -104(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -96(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  16(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 128(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -104(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -96(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -88(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  24(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 136(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -96(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -88(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -80(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  32(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 144(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -88(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -80(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -72(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  40(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 152(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -80(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -72(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -64(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  48(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 160(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -72(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -64(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -56(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  56(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 168(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -64(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -56(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -48(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  64(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 176(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -56(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -48(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -40(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  72(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 184(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -48(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -40(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -32(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  80(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 192(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -40(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -32(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -24(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  88(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 200(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -32(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -24(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -16(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  96(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 208(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -24(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -16(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+	movq  -8(%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%r8, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  104(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 216(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %r8
+	movq	%r10, %rcx
+/APP
+	movq  -16(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+	movq  -8(%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%r9, %rbp
+	movq	%rcx, %r12
+/APP
+	movq  (%rsp),%rax     
+	mulq  112(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, 224(%r11)
+	movq	%r12, %r9
+	movq	%rbp, %rcx
+	movq	%r10, %r8
+/APP
+	movq  -8(%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r8, %r12
+	movq	%r9, %rbp
+/APP
+	movq  (%rsp),%rax     
+	mulq  120(%rsp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rcx, 232(%r11)
+	movq	%rbp, %r8
+	movq	%r12, %rcx
+/APP
+	movq  (%rsp),%rax     
+	mulq  128(%rsp)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rcx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r8, 240(%r11)
+	movl	(%rsi), %esi
+	xorl	(%rdi), %esi
+	testq	%rcx, %rcx
+	movq	%rcx, 248(%r11)
+	movl	$32, 8(%rbx)
+	jne	.L76
+	.align 16
+.L84:
+	movl	8(%rbx), %edx
+	leal	-1(%rdx), %edi
+	testl	%edi, %edi
+	movl	%edi, 8(%rbx)
+	je	.L76
+	leal	-2(%rdx), %eax
+	cmpq	$0, (%r11,%rax,8)
+	je	.L84
+.L76:
+	movl	8(%rbx), %edx
+	xorl	%r11d, %r11d
+	testl	%edx, %edx
+	cmovne	%esi, %r11d
+	movl	%r11d, (%rbx)
+	addq	$136, %rsp
+	popq	%rbx
+	popq	%rbp
+	popq	%r12
+	ret
+.LFE4:
+	.size	s_mp_mul_comba_16, .-s_mp_mul_comba_16
+	.align 16
+.globl s_mp_mul_comba_32
+	.type	s_mp_mul_comba_32, @function
+s_mp_mul_comba_32:
+.LFB5:
+	pushq	%rbp
+.LCFI11:
+	movq	%rsp, %rbp
+.LCFI12:
+	pushq	%r13
+.LCFI13:
+	movq	%rdx, %r13
+	movl	$256, %edx
+	pushq	%r12
+.LCFI14:
+	movq	%rsi, %r12
+	pushq	%rbx
+.LCFI15:
+	movq	%rdi, %rbx
+	subq	$520, %rsp
+.LCFI16:
+	movq	16(%rdi), %rsi
+	leaq	-544(%rbp), %rdi
+	call	memcpy@PLT
+	movq	16(%r12), %rsi
+	leaq	-288(%rbp), %rdi
+	movl	$256, %edx
+	call	memcpy@PLT
+	movq	16(%r13), %r9
+	xorl	%r8d, %r8d
+	movq	%r8, %rsi
+	movq	%r8, %rdi
+	movq	%r8, %r10
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rsi, (%r9)
+	movq	%r10, %rsi
+	movq	%r8, %r10
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r10, %r11
+/APP
+	movq  -536(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rdi, 8(%r9)
+	movq	%r11, %rdi
+	movq	%r8, %r11
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r11, %rcx
+/APP
+	movq  -536(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -528(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 16(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -520(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 24(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -512(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 32(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -504(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 40(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -496(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 48(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -488(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 56(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -480(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 64(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -472(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 72(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -464(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 80(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -456(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 88(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -448(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 96(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -440(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 104(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -432(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 112(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -424(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 120(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -416(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 128(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -408(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 136(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -400(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 144(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -392(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 152(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -384(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 160(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -376(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 168(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -368(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 176(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -360(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 184(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -352(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 192(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -344(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 200(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -336(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 208(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -328(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 216(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -320(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 224(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -312(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 232(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -304(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 240(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -544(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -536(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -288(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 248(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -536(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -528(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -280(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 256(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -528(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -520(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -272(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 264(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -520(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -512(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -264(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 272(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -512(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -504(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -256(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 280(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -504(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -496(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -248(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 288(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -496(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -488(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -240(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 296(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -488(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -480(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -232(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 304(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -480(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -472(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -224(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 312(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -472(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -464(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -216(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 320(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -464(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -456(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -208(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 328(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %r11
+	movq	%r8, %r10
+/APP
+	movq  -456(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -448(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -440(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+	movq  -296(%rbp),%rax     
+	mulq  -200(%rbp)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r11, 336(%r9)
+	movq	%r10, %rsi
+	movq	%r8, %r10
+/APP
+	movq  -448(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r10, %rcx
+/APP
+	movq  -440(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -432(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rsi, %r11
+	movq	%rcx, %r10
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -192(%rbp)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r11     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rdi, 344(%r9)
+	movq	%r11, %rcx
+	movq	%r10, %rdi
+	movq	%r8, %r11
+/APP
+	movq  -440(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r11, %rsi
+/APP
+	movq  -432(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -184(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 352(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -432(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -424(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -176(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 360(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -424(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -416(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -168(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 368(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -416(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -408(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -160(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 376(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -408(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -400(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -152(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 384(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -400(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -392(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -144(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 392(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -392(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -384(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -136(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 400(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -384(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -376(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -128(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 408(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -376(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -368(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -120(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 416(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -368(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -360(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -112(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 424(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -360(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -352(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -104(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 432(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -352(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -344(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -96(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 440(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -344(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -336(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -88(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 448(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -336(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -328(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -80(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 456(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -328(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -320(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -72(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 464(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -320(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -312(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rcx, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -64(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 472(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rcx
+	movq	%r8, %rsi
+/APP
+	movq  -312(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  -304(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r10
+	movq	%rsi, %r11
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -56(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rcx, 480(%r9)
+	movq	%r11, %rdi
+	movq	%r10, %rsi
+	movq	%r8, %rcx
+/APP
+	movq  -304(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rcx        
+	
+/NO_APP
+	movq	%rcx, %r11
+	movq	%rdi, %r10
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -48(%rbp)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r10     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rsi, 488(%r9)
+	movq	%r10, %rcx
+	movq	%r11, %rsi
+/APP
+	movq  -296(%rbp),%rax     
+	mulq  -40(%rbp)           
+	addq  %rax,%rcx     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%rcx, 496(%r9)
+	movl	(%r12), %ecx
+	xorl	(%rbx), %ecx
+	testq	%rsi, %rsi
+	movq	%rsi, 504(%r9)
+	movl	$64, 8(%r13)
+	jne	.L149
+	.align 16
+.L157:
+	movl	8(%r13), %edx
+	leal	-1(%rdx), %ebx
+	testl	%ebx, %ebx
+	movl	%ebx, 8(%r13)
+	je	.L149
+	leal	-2(%rdx), %r12d
+	cmpq	$0, (%r9,%r12,8)
+	je	.L157
+.L149:
+	movl	8(%r13), %r9d
+	xorl	%edx, %edx
+	testl	%r9d, %r9d
+	cmovne	%ecx, %edx
+	movl	%edx, (%r13)
+	addq	$520, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	leave
+	ret
+.LFE5:
+	.size	s_mp_mul_comba_32, .-s_mp_mul_comba_32
+	.align 16
+.globl s_mp_sqr_comba_4
+	.type	s_mp_sqr_comba_4, @function
+s_mp_sqr_comba_4:
+.LFB6:
+	pushq	%rbp
+.LCFI17:
+	movq	%rsi, %r11
+	xorl	%esi, %esi
+	movq	%rsi, %r10
+	movq	%rsi, %rbp
+	movq	%rsi, %r8
+	pushq	%rbx
+.LCFI18:
+	movq	%rsi, %rbx
+	movq	16(%rdi), %rcx
+	movq	%rsi, %rdi
+/APP
+	movq  (%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r10, -72(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  8(%rcx)           
+	addq  %rax,%rbx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rbp        
+	addq  %rax,%rbx     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rbx, -64(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r8        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rbp     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%rbp, %rbx
+	movq	%r8, %rbp
+/APP
+	movq  8(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rdi, -56(%rsp)
+	movq	%rbp, %r9
+	movq	%rbx, %r8
+	movq	%rsi, %rdi
+/APP
+	movq  (%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rdi        
+	addq  %rax,%r8     
+	adcq  %rdx,%r9     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r9, %rbx
+	movq	%rdi, %rbp
+/APP
+	movq  8(%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rbp        
+	addq  %rax,%r8     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%r8, -48(%rsp)
+	movq	%rbp, %r9
+	movq	%rbx, %rdi
+	movq	%rsi, %r8
+	movl	$8, 8(%r11)
+	movl	$0, (%r11)
+/APP
+	movq  8(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r9     
+	adcq  $0,%r8        
+	
+/NO_APP
+	movq	%r9, %rbx
+	movq	%r8, %rbp
+/APP
+	movq  16(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rbp        
+	
+/NO_APP
+	movq	%rbp, %rax
+	movq	%rdi, -40(%rsp)
+	movq	%rbx, %rbp
+	movq	%rax, %rdi
+	movq	%rsi, %rbx
+/APP
+	movq  16(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%rbp     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rbx        
+	addq  %rax,%rbp     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%rbp, -32(%rsp)
+	movq	%rbx, %r9
+/APP
+	movq  24(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r9     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	16(%r11), %rdx
+	movq	%rdi, -24(%rsp)
+	movq	%r9, -16(%rsp)
+	movq	%r10, (%rdx)
+	movq	-64(%rsp), %r8
+	movq	%r8, 8(%rdx)
+	movq	-56(%rsp), %rbp
+	movq	%rbp, 16(%rdx)
+	movq	-48(%rsp), %rdi
+	movq	%rdi, 24(%rdx)
+	movq	-40(%rsp), %rsi
+	movq	%rsi, 32(%rdx)
+	movq	-32(%rsp), %rbx
+	movq	%rbx, 40(%rdx)
+	movq	-24(%rsp), %rcx
+	movq	%rcx, 48(%rdx)
+	movq	-16(%rsp), %rax
+	movq	%rax, 56(%rdx)
+	movl	8(%r11), %edx
+	testl	%edx, %edx
+	je	.L168
+	leal	-1(%rdx), %ecx
+	movq	16(%r11), %rsi
+	mov	%ecx, %r10d
+	cmpq	$0, (%rsi,%r10,8)
+	jne	.L166
+	movl	%ecx, %edx
+	.align 16
+.L167:
+	testl	%edx, %edx
+	movl	%edx, %ecx
+	je	.L171
+	decl	%edx
+	mov	%edx, %eax
+	cmpq	$0, (%rsi,%rax,8)
+	je	.L167
+	movl	%ecx, 8(%r11)
+	movl	%ecx, %edx
+.L166:
+	testl	%edx, %edx
+	je	.L168
+	popq	%rbx
+	popq	%rbp
+	movl	(%r11), %eax
+	movl	%eax, (%r11)
+	ret
+.L171:
+	movl	%edx, 8(%r11)
+	.align 16
+.L168:
+	popq	%rbx
+	popq	%rbp
+	xorl	%eax, %eax
+	movl	%eax, (%r11)
+	ret
+.LFE6:
+	.size	s_mp_sqr_comba_4, .-s_mp_sqr_comba_4
+	.align 16
+.globl s_mp_sqr_comba_8
+	.type	s_mp_sqr_comba_8, @function
+s_mp_sqr_comba_8:
+.LFB7:
+	pushq	%r14
+.LCFI19:
+	xorl	%r9d, %r9d
+	movq	%r9, %r14
+	movq	%r9, %r10
+	pushq	%r13
+.LCFI20:
+	movq	%r9, %r13
+	pushq	%r12
+.LCFI21:
+	movq	%r9, %r12
+	pushq	%rbp
+.LCFI22:
+	movq	%rsi, %rbp
+	movq	%r9, %rsi
+	pushq	%rbx
+.LCFI23:
+	movq	%r9, %rbx
+	subq	$8, %rsp
+.LCFI24:
+	movq	16(%rdi), %rcx
+/APP
+	movq  (%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r14     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r14, -120(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  8(%rcx)           
+	addq  %rax,%rbx     
+	adcq  %rdx,%r12     
+	adcq  $0,%r10        
+	addq  %rax,%rbx     
+	adcq  %rdx,%r12     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rbx, -112(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%r10     
+	adcq  $0,%r13        
+	addq  %rax,%r12     
+	adcq  %rdx,%r10     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r10, %rbx
+	movq	%r13, %r10
+	movq	%r9, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r12     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r12, -104(%rsp)
+	movq	%r10, %rdi
+	movq	%rbx, %r11
+/APP
+	movq  (%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	addq  %rax,%r11     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %rbx
+	movq	%rsi, %r10
+	movq	%r9, %rdi
+/APP
+	movq  8(%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	addq  %rax,%r11     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r9, %rsi
+	movq	%r11, -96(%rsp)
+	movq	%r10, %r8
+	movq	%rbx, %r12
+	movq	%r9, %r11
+/APP
+	movq  (%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%r8     
+	adcq  $0,%r13        
+	addq  %rax,%r12     
+	adcq  %rdx,%r8     
+	adcq  $0,%r13        
+	
+	movq  8(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%r8     
+	adcq  $0,%r13        
+	addq  %rax,%r12     
+	adcq  %rdx,%r8     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%r13, %r10
+	movq	%r9, %r8
+/APP
+	movq  16(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r12     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r12, -88(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  40(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	
+/NO_APP
+	movq	%rbx, -80(%rsp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  48(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  24(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -72(%rsp)
+	movq	%r11, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  56(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+/APP
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rax         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rax         
+	
+/NO_APP
+	movq	%rbx, -64(%rsp)
+	movq	%rax, %r11
+	movq	%r9, %rbx
+/APP
+	movq  8(%rcx),%rax     
+	mulq  56(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+/NO_APP
+	movq	%rbx, %rsi
+	movq	%r13, %rdi
+	movq	%r11, %rbx
+	movq	%r12, %r13
+	movq	%rsi, %r11
+/APP
+	movq  32(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -56(%rsp)
+	movq	%r9, %r10
+/APP
+	movq  16(%rcx),%rax     
+	mulq  56(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %r13,%r13        
+	
+	movq  24(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r13        
+	
+	movq  32(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rdi, %r12
+	movq	%r13, %rax
+/APP
+	addq %r8,%rbx         
+	adcq %r12,%r11         
+	adcq %rax,%r10         
+	addq %r8,%rbx         
+	adcq %r12,%r11         
+	adcq %rax,%r10         
+	
+/NO_APP
+	movq	%rbx, -48(%rsp)
+	movq	%r11, %r12
+	movq	%r10, %rsi
+	movq	%r9, %rbx
+	movq	%r9, %r11
+/APP
+	movq  24(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rbx        
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%rbx, %r13
+/APP
+	movq  32(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r13        
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rsi, %r10
+	movq	%r13, %rbx
+	movq	%r9, %r13
+/APP
+	movq  40(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r12     
+	adcq  %rdx,%r10     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r12, -40(%rsp)
+	movq	%rbx, %r8
+	movq	%r10, %rdi
+/APP
+	movq  32(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r11        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r8, %r10
+	movq	%r11, %rbx
+/APP
+	movq  40(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r10     
+	adcq  $0,%rbx        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r10     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%rdi, -32(%rsp)
+	movq	%rbx, %rsi
+	movq	%r10, %r12
+/APP
+	movq  40(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r13        
+	addq  %rax,%r12     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rsi, %r10
+	movq	%r13, %rbx
+/APP
+	movq  48(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r12     
+	adcq  %rdx,%r10     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r12, -24(%rsp)
+	movq	%r10, %rdi
+	movq	%rbx, %rsi
+	movq	%r9, %r10
+	movl	$16, 8(%rbp)
+	movl	$0, (%rbp)
+/APP
+	movq  48(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r10        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rdi, -16(%rsp)
+	movq	%r10, %r8
+/APP
+	movq  56(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	16(%rbp), %rax
+	movq	%rsi, -8(%rsp)
+	movq	%r8, (%rsp)
+	movq	%r14, (%rax)
+	movq	-112(%rsp), %rbx
+	movq	%rbx, 8(%rax)
+	movq	-104(%rsp), %rcx
+	movq	%rcx, 16(%rax)
+	movq	-96(%rsp), %rdx
+	movq	%rdx, 24(%rax)
+	movq	-88(%rsp), %r14
+	movq	%r14, 32(%rax)
+	movq	-80(%rsp), %r13
+	movq	%r13, 40(%rax)
+	movq	-72(%rsp), %r12
+	movq	%r12, 48(%rax)
+	movq	-64(%rsp), %r11
+	movq	%r11, 56(%rax)
+	movq	-56(%rsp), %r10
+	movq	%r10, 64(%rax)
+	movq	-48(%rsp), %r9
+	movq	%r9, 72(%rax)
+	movq	-40(%rsp), %r8
+	movq	%r8, 80(%rax)
+	movq	-32(%rsp), %rdi
+	movq	%rdi, 88(%rax)
+	movq	-24(%rsp), %rsi
+	movq	%rsi, 96(%rax)
+	movq	-16(%rsp), %rbx
+	movq	%rbx, 104(%rax)
+	movq	-8(%rsp), %rcx
+	movq	%rcx, 112(%rax)
+	movq	(%rsp), %rdx
+	movq	%rdx, 120(%rax)
+	movl	8(%rbp), %edx
+	testl	%edx, %edx
+	je	.L192
+	leal	-1(%rdx), %ecx
+	movq	16(%rbp), %rsi
+	mov	%ecx, %r14d
+	cmpq	$0, (%rsi,%r14,8)
+	jne	.L190
+	movl	%ecx, %edx
+	.align 16
+.L191:
+	testl	%edx, %edx
+	movl	%edx, %ecx
+	je	.L195
+	decl	%edx
+	mov	%edx, %r9d
+	cmpq	$0, (%rsi,%r9,8)
+	je	.L191
+	movl	%ecx, 8(%rbp)
+	movl	%ecx, %edx
+.L190:
+	testl	%edx, %edx
+	je	.L192
+	movl	(%rbp), %eax
+	movl	%eax, (%rbp)
+	addq	$8, %rsp
+	popq	%rbx
+	popq	%rbp
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	ret
+.L195:
+	movl	%edx, 8(%rbp)
+	.align 16
+.L192:
+	xorl	%eax, %eax
+	movl	%eax, (%rbp)
+	addq	$8, %rsp
+	popq	%rbx
+	popq	%rbp
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	ret
+.LFE7:
+	.size	s_mp_sqr_comba_8, .-s_mp_sqr_comba_8
+	.align 16
+.globl s_mp_sqr_comba_16
+	.type	s_mp_sqr_comba_16, @function
+s_mp_sqr_comba_16:
+.LFB8:
+	pushq	%rbp
+.LCFI25:
+	xorl	%r9d, %r9d
+	movq	%r9, %r8
+	movq	%r9, %r11
+	movq	%rsp, %rbp
+.LCFI26:
+	pushq	%r14
+.LCFI27:
+	movq	%rsi, %r14
+	movq	%r9, %rsi
+	pushq	%r13
+.LCFI28:
+	movq	%r9, %r13
+	pushq	%r12
+.LCFI29:
+	movq	%r9, %r12
+	pushq	%rbx
+.LCFI30:
+	movq	%r9, %rbx
+	subq	$256, %rsp
+.LCFI31:
+	movq	16(%rdi), %rcx
+/APP
+	movq  (%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r8     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, -288(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  8(%rcx)           
+	addq  %rax,%rbx     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r12        
+	addq  %rax,%rbx     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rbx, -280(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r12, %rbx
+	movq	%r13, %r10
+/APP
+	movq  8(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rsi, -272(%rbp)
+	movq	%r10, %rdi
+	movq	%r9, %rsi
+	movq	%rbx, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r10     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	addq  %rax,%r10     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rdi, %r12
+	movq	%r11, %rbx
+	movq	%r9, %rdi
+/APP
+	movq  8(%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%rbx        
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r9, %r11
+	movq	%r10, -264(%rbp)
+	movq	%rbx, %r8
+	movq	%r12, %r13
+	movq	%r9, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+	movq  8(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%r12, %r10
+	movq	%r9, %r8
+/APP
+	movq  16(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r13     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r13, -256(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  40(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	
+/NO_APP
+	movq	%rbx, -248(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  48(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  24(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -240(%rbp)
+	movq	%r11, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  56(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rdx
+/APP
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rbx, -232(%rbp)
+	movq	%r9, %rbx
+/APP
+	movq  (%rcx),%rax     
+	mulq  64(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+	movq  32(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%r11     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r13, %rdi
+	movq	%r10, -224(%rbp)
+	movq	%r12, %rsi
+	movq	%rbx, %r10
+	movq	%r9, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  72(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r11         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	addq %r8,%r11         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%r11, -216(%rbp)
+	movq	%r12, %rbx
+/APP
+	movq  (%rcx),%rax     
+	mulq  80(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%rbx         
+	adcq %r12,%rax         
+	addq %r8,%r10         
+	adcq %r13,%rbx         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%rbx, %r11
+	movq	%r13, %rdi
+	movq	%rdx, %rbx
+	movq	%r12, %rsi
+/APP
+	movq  40(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%r11     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r10, -208(%rbp)
+	movq	%rbx, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  88(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rdx
+/APP
+	addq %r8,%r11         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	addq %r8,%r11         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rdx, %r13
+	movq	%r11, -200(%rbp)
+	movq	%r13, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  96(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %rdx
+	movq	%rsi, %r11
+/APP
+	addq %r8,%r10         
+	adcq %rdx,%r12         
+	adcq %r11,%rax         
+	addq %r8,%r10         
+	adcq %rdx,%r12         
+	adcq %r11,%rax         
+	
+/NO_APP
+	movq	%rdx, %rbx
+	movq	%rax, %r13
+	movq	%r11, %rsi
+/APP
+	movq  48(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rbx, %rdi
+	movq	%r10, -192(%rbp)
+	movq	%r13, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  104(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r9, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r13         
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r13         
+	
+/NO_APP
+	movq	%r12, -184(%rbp)
+	movq	%r13, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  112(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %rbx
+	movq	%rsi, %rdx
+/APP
+	addq %r8,%r10         
+	adcq %rbx,%r12         
+	adcq %rdx,%rax         
+	addq %r8,%r10         
+	adcq %rbx,%r12         
+	adcq %rdx,%rax         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r13
+	movq	%rbx, %rdi
+/APP
+	movq  56(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r10, -176(%rbp)
+	movq	%r13, %r10
+/APP
+	movq  (%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r9, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r13         
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r13         
+	
+/NO_APP
+	movq	%r12, -168(%rbp)
+	movq	%r13, %r12
+/APP
+	movq  8(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %rbx
+	movq	%rsi, %rdx
+/APP
+	addq %r8,%r10         
+	adcq %rbx,%r12         
+	adcq %rdx,%rax         
+	addq %r8,%r10         
+	adcq %rbx,%r12         
+	adcq %rdx,%rax         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r13
+	movq	%rbx, %rdi
+/APP
+	movq  64(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r10, -160(%rbp)
+	movq	%r9, %r11
+/APP
+	movq  16(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r13, %r10
+	movq	%r9, %rbx
+/APP
+	movq  24(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	addq %r8,%r12         
+	adcq %rdi,%r10         
+	adcq %rsi,%r11         
+	
+/NO_APP
+	movq	%r12, -152(%rbp)
+/APP
+	movq  24(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+/NO_APP
+	movq	%rbx, %rdx
+	movq	%r13, %rdi
+	movq	%r11, %rbx
+	movq	%r12, %rsi
+	movq	%rdx, %r11
+	movq	%r9, %r12
+/APP
+	movq  72(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -144(%rbp)
+	movq	%r11, %r10
+/APP
+	movq  32(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%rbx, -136(%rbp)
+	movq	%r12, %r11
+/APP
+	movq  40(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  80(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -128(%rbp)
+	movq	%r11, %r10
+/APP
+	movq  48(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rdx
+/APP
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rbx, -120(%rbp)
+	movq	%rdx, %r11
+	movq	%r9, %rbx
+/APP
+	movq  56(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+/NO_APP
+	movq	%rbx, %rdx
+	movq	%r13, %rdi
+	movq	%r11, %rbx
+	movq	%r12, %rsi
+	movq	%rdx, %r11
+	movq	%r9, %r12
+/APP
+	movq  88(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -112(%rbp)
+	movq	%r11, %r10
+/APP
+	movq  64(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  88(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	addq %r8,%rbx         
+	adcq %rdi,%r10         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%rbx, -104(%rbp)
+	movq	%r12, %r11
+/APP
+	movq  72(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  88(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r9, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r10         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  96(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r10     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r10, -96(%rbp)
+	movq	%r9, %r10
+/APP
+	movq  80(%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  88(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  96(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r12
+	movq	%rsi, %rax
+	movq	%r9, %rsi
+/APP
+	addq %r8,%rbx         
+	adcq %r12,%r11         
+	adcq %rax,%r10         
+	addq %r8,%rbx         
+	adcq %r12,%r11         
+	adcq %rax,%r10         
+	
+/NO_APP
+	movq	%r9, %r12
+	movq	%rbx, -88(%rbp)
+	movq	%r11, %r13
+	movq	%r10, %r11
+/APP
+	movq  88(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r11     
+	adcq  $0,%r12        
+	addq  %rax,%r13     
+	adcq  %rdx,%r11     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r12, %rdi
+/APP
+	movq  96(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r11     
+	adcq  $0,%rdi        
+	addq  %rax,%r13     
+	adcq  %rdx,%r11     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r11, %rbx
+	movq	%rdi, %r10
+	movq	%r9, %r11
+/APP
+	movq  104(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r13     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%r13, -80(%rbp)
+	movq	%r10, %r8
+	movq	%rbx, %r10
+/APP
+	movq  96(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r10     
+	adcq  %rdx,%r8     
+	adcq  $0,%rsi        
+	addq  %rax,%r10     
+	adcq  %rdx,%r8     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %r12
+	movq	%rsi, %rbx
+/APP
+	movq  104(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%rbx        
+	addq  %rax,%r10     
+	adcq  %rdx,%r12     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r10, -72(%rbp)
+	movq	%rbx, %r13
+	movq	%r12, %rbx
+/APP
+	movq  104(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rbx     
+	adcq  %rdx,%r13     
+	adcq  $0,%r11        
+	addq  %rax,%rbx     
+	adcq  %rdx,%r13     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r11, %r12
+	movq	%r13, %r10
+/APP
+	movq  112(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rbx     
+	adcq  %rdx,%r10     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rbx, -64(%rbp)
+	movq	%r10, %rdi
+	movq	%r9, %rbx
+	movq	%r12, %rsi
+/APP
+	movq  112(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rbx        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%rdi, -56(%rbp)
+	movq	%rbx, %r8
+/APP
+	movq  120(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	%rsi, -48(%rbp)
+	movq	16(%r14), %rdi
+	leaq	-288(%rbp), %rsi
+	movl	$256, %edx
+	movq	%r8, -40(%rbp)
+	movl	$32, 8(%r14)
+	movl	$0, (%r14)
+	call	memcpy@PLT
+	movl	8(%r14), %edx
+	testl	%edx, %edx
+	je	.L232
+	leal	-1(%rdx), %ecx
+	movq	16(%r14), %rsi
+	mov	%ecx, %r9d
+	cmpq	$0, (%rsi,%r9,8)
+	jne	.L230
+	movl	%ecx, %edx
+	.align 16
+.L231:
+	testl	%edx, %edx
+	movl	%edx, %ecx
+	je	.L235
+	decl	%edx
+	mov	%edx, %eax
+	cmpq	$0, (%rsi,%rax,8)
+	je	.L231
+	movl	%ecx, 8(%r14)
+	movl	%ecx, %edx
+.L230:
+	testl	%edx, %edx
+	je	.L232
+	movl	(%r14), %eax
+	movl	%eax, (%r14)
+	addq	$256, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	leave
+	ret
+.L235:
+	movl	%edx, 8(%r14)
+	.align 16
+.L232:
+	xorl	%eax, %eax
+	movl	%eax, (%r14)
+	addq	$256, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	leave
+	ret
+.LFE8:
+	.size	s_mp_sqr_comba_16, .-s_mp_sqr_comba_16
+	.align 16
+.globl s_mp_sqr_comba_32
+	.type	s_mp_sqr_comba_32, @function
+s_mp_sqr_comba_32:
+.LFB9:
+	pushq	%rbp
+.LCFI32:
+	xorl	%r10d, %r10d
+	movq	%r10, %r8
+	movq	%r10, %r11
+	movq	%rsp, %rbp
+.LCFI33:
+	pushq	%r14
+.LCFI34:
+	movq	%rsi, %r14
+	movq	%r10, %rsi
+	pushq	%r13
+.LCFI35:
+	movq	%r10, %r13
+	pushq	%r12
+.LCFI36:
+	movq	%r10, %r12
+	pushq	%rbx
+.LCFI37:
+	movq	%r10, %rbx
+	subq	$512, %rsp
+.LCFI38:
+	movq	16(%rdi), %rcx
+/APP
+	movq  (%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r8     
+	adcq  %rdx,%rbx     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, -544(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  8(%rcx)           
+	addq  %rax,%rbx     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r12        
+	addq  %rax,%rbx     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rbx, -536(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r12, %rbx
+	movq	%r13, %r9
+/APP
+	movq  8(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	%rsi, -528(%rbp)
+	movq	%r9, %rdi
+	movq	%r10, %rsi
+	movq	%rbx, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r9     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	addq  %rax,%r9     
+	adcq  %rdx,%rdi     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%rdi, %r12
+	movq	%r11, %r13
+	movq	%r10, %rdi
+/APP
+	movq  8(%rcx),%rax     
+	mulq  16(%rcx)           
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r10, %r11
+	movq	%r9, -520(%rbp)
+	movq	%r13, %r8
+	movq	%r12, %r13
+	movq	%r10, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+	movq  8(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	addq  %rax,%r13     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%r12, %r9
+	movq	%r10, %r8
+/APP
+	movq  16(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r13     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	%r13, -512(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  40(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  24(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r11         
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r11         
+	
+/NO_APP
+	movq	%rbx, -504(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  48(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  24(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r9, -496(%rbp)
+	movq	%r11, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  56(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  32(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rdx
+/APP
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rbx, -488(%rbp)
+	movq	%r10, %rbx
+/APP
+	movq  (%rcx),%rax     
+	mulq  64(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+	movq  32(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r11     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r13, %rdi
+	movq	%r9, -480(%rbp)
+	movq	%r12, %rsi
+	movq	%rbx, %r9
+	movq	%r10, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  72(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  40(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r11         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	addq %r8,%r11         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%r11, -472(%rbp)
+	movq	%r12, %rbx
+/APP
+	movq  (%rcx),%rax     
+	mulq  80(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%rbx         
+	adcq %r12,%rax         
+	addq %r8,%r9         
+	adcq %r13,%rbx         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%rbx, %r11
+	movq	%r13, %rdi
+	movq	%rdx, %rbx
+	movq	%r12, %rsi
+/APP
+	movq  40(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r11     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r9, -464(%rbp)
+	movq	%rbx, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  88(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  48(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rdx
+/APP
+	addq %r8,%r11         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	addq %r8,%r11         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rdx, %r13
+	movq	%r11, -456(%rbp)
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  96(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %rax
+	movq	%rsi, %r11
+/APP
+	addq %r8,%r9         
+	adcq %rax,%r12         
+	adcq %r11,%r13         
+	addq %r8,%r9         
+	adcq %rax,%r12         
+	adcq %r11,%r13         
+	
+/NO_APP
+	movq	%rax, %rbx
+	movq	%r11, %rsi
+/APP
+	movq  48(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rbx, %rdi
+	movq	%r9, -448(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  104(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  56(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%r13         
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%r13         
+	
+/NO_APP
+	movq	%r12, -440(%rbp)
+	movq	%r10, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  112(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r13, %rdx
+	movq	%rdi, %rbx
+	movq	%rsi, %r13
+/APP
+	addq %r8,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	addq %r8,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	
+/NO_APP
+	movq	%r12, %rax
+	movq	%r13, %r11
+	movq	%rdx, %r12
+	movq	%rax, %r13
+	movq	%rbx, %rdi
+	movq	%r11, %rsi
+/APP
+	movq  56(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, -432(%rbp)
+	movq	%r13, %r9
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  120(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  8(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  64(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rax
+	movq	%rdi, %rdx
+	movq	%rsi, %rbx
+/APP
+	addq %rax,%r12         
+	adcq %rdx,%r9         
+	adcq %rbx,%r13         
+	addq %rax,%r12         
+	adcq %rdx,%r9         
+	adcq %rbx,%r13         
+	
+/NO_APP
+	movq	%r12, -424(%rbp)
+	movq	%rdx, %r8
+	movq	%rax, %rsi
+	movq	%rbx, %rdi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  128(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  64(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -416(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  136(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  72(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -408(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  144(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  72(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -400(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  152(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  80(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -392(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  160(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  80(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -384(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  168(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  88(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -376(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  176(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  88(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -368(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  184(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  16(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  24(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  32(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  40(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  48(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  56(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  64(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  88(%rcx),%rax     
+	mulq  96(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %rdi
+	movq	%r12, -360(%rbp)
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  192(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+/APP
+	addq %rsi,%r9         
+	adcq %rbx,%r12         
+	adcq %rax,%r13         
+	addq %rsi,%r9         
+	adcq %rbx,%r12         
+	adcq %rax,%r13         
+	
+/NO_APP
+	movq	%rax, %r11
+	movq	%rbx, %r8
+/APP
+	movq  96(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rdi
+	movq	%r9, -352(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  200(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  104(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	
+/NO_APP
+	movq	%r12, -344(%rbp)
+	movq	%r10, %r12
+/APP
+	movq  (%rcx),%rax     
+	mulq  208(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r13, %rdx
+	movq	%r8, %rbx
+	movq	%rdi, %r13
+/APP
+	addq %rsi,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	addq %rsi,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	
+/NO_APP
+	movq	%r12, %rax
+	movq	%r13, %r11
+	movq	%rdx, %r12
+	movq	%rax, %r13
+	movq	%rbx, %r8
+	movq	%r11, %rdi
+/APP
+	movq  104(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, -336(%rbp)
+	movq	%r13, %r9
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  216(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  112(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	
+/NO_APP
+	movq	%r12, -328(%rbp)
+/APP
+	movq  (%rcx),%rax     
+	mulq  224(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r13, %rax
+	movq	%r10, %rdx
+	movq	%r8, %rbx
+	movq	%rdi, %r12
+/APP
+	addq %rsi,%r9         
+	adcq %rbx,%rax         
+	adcq %r12,%rdx         
+	addq %rsi,%r9         
+	adcq %rbx,%rax         
+	adcq %r12,%rdx         
+	
+/NO_APP
+	movq	%rdx, %rdi
+	movq	%r12, %r11
+	movq	%rbx, %r8
+	movq	%rax, %r12
+	movq	%rdi, %r13
+	movq	%r11, %rdi
+/APP
+	movq  112(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, -320(%rbp)
+	movq	%r13, %rbx
+	movq	%r10, %r9
+/APP
+	movq  (%rcx),%rax     
+	mulq  232(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  120(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%rbx         
+	adcq %rdi,%r9         
+	addq %rsi,%r12         
+	adcq %r8,%rbx         
+	adcq %rdi,%r9         
+	
+/NO_APP
+	movq	%r12, -312(%rbp)
+	movq	%r9, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  240(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%r8, %r11
+	movq	%rdi, %rdx
+/APP
+	addq %rsi,%rbx         
+	adcq %r11,%r13         
+	adcq %rdx,%rax         
+	addq %rsi,%rbx         
+	adcq %r11,%r13         
+	adcq %rdx,%rax         
+	
+/NO_APP
+	movq	%rdx, %r9
+	movq	%rax, %rdx
+	movq	%r13, %r12
+	movq	%r11, %r8
+	movq	%rdx, %r13
+	movq	%r9, %rdi
+/APP
+	movq  120(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rbx     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%rbx, -304(%rbp)
+	movq	%r13, %rbx
+	movq	%r10, %r13
+/APP
+	movq  (%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  8(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  128(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%rbx         
+	adcq %rdi,%r13         
+	addq %rsi,%r12         
+	adcq %r8,%rbx         
+	adcq %rdi,%r13         
+	
+/NO_APP
+	movq	%r12, -296(%rbp)
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  8(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  16(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  24(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r8, %r11
+	movq	%rdi, %rax
+/APP
+	addq %rsi,%rbx         
+	adcq %r11,%r12         
+	adcq %rax,%r13         
+	addq %rsi,%rbx         
+	adcq %r11,%r12         
+	adcq %rax,%r13         
+	
+/NO_APP
+	movq	%rax, %r9
+	movq	%r11, %r8
+/APP
+	movq  128(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rbx     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, %rdi
+	movq	%rbx, -288(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  16(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  24(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  136(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	
+/NO_APP
+	movq	%r12, -280(%rbp)
+	movq	%r10, %r12
+/APP
+	movq  24(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  32(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r13, %rdx
+	movq	%r8, %rbx
+	movq	%rdi, %r13
+/APP
+	addq %rsi,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	addq %rsi,%r9         
+	adcq %rbx,%rdx         
+	adcq %r13,%r12         
+	
+/NO_APP
+	movq	%r12, %rax
+	movq	%r13, %r11
+	movq	%rdx, %r12
+	movq	%rax, %r13
+	movq	%rbx, %r8
+	movq	%r11, %rdi
+/APP
+	movq  136(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, -272(%rbp)
+	movq	%r13, %r9
+	movq	%r10, %r13
+/APP
+	movq  32(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  40(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  144(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r13         
+	
+/NO_APP
+	movq	%r12, -264(%rbp)
+/APP
+	movq  40(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  48(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r13, %rax
+	movq	%r10, %rdx
+	movq	%r8, %rbx
+	movq	%rdi, %r12
+/APP
+	addq %rsi,%r9         
+	adcq %rbx,%rax         
+	adcq %r12,%rdx         
+	addq %rsi,%r9         
+	adcq %rbx,%rax         
+	adcq %r12,%rdx         
+	
+/NO_APP
+	movq	%rdx, %rdi
+	movq	%r12, %r11
+	movq	%rbx, %r8
+	movq	%rax, %r12
+	movq	%rdi, %r13
+	movq	%r11, %rdi
+/APP
+	movq  144(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r10, %r11
+	movq	%r9, -256(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  48(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  56(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  152(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r11         
+	addq %rsi,%r12         
+	adcq %r8,%r9         
+	adcq %rdi,%r11         
+	
+/NO_APP
+	movq	%r12, -248(%rbp)
+	movq	%r11, %r13
+/APP
+	movq  56(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  64(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  72(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%rsi, %rdx
+	movq	%r8, %rbx
+	movq	%rdi, %r12
+/APP
+	addq %rdx,%r9         
+	adcq %rbx,%r13         
+	adcq %r12,%rax         
+	addq %rdx,%r9         
+	adcq %rbx,%r13         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%r12, %r11
+	movq	%rdx, %r8
+	movq	%rax, %rdx
+	movq	%r13, %r12
+	movq	%rbx, %rdi
+	movq	%rdx, %r13
+	movq	%r11, %rsi
+/APP
+	movq  152(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r9, -240(%rbp)
+	movq	%r13, %r9
+	movq	%r10, %r13
+/APP
+	movq  64(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  72(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  80(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  88(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  96(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  104(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  112(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  120(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  128(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  136(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  160(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rax
+	movq	%rdi, %rdx
+	movq	%rsi, %rbx
+/APP
+	addq %rax,%r12         
+	adcq %rdx,%r9         
+	adcq %rbx,%r13         
+	addq %rax,%r12         
+	adcq %rdx,%r9         
+	adcq %rbx,%r13         
+	
+/NO_APP
+	movq	%r12, -232(%rbp)
+	movq	%rdx, %r8
+	movq	%rax, %rsi
+	movq	%rbx, %rdi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  72(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  80(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  88(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  152(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  160(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -224(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  80(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  88(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  96(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  104(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  112(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  120(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  128(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  136(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  168(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -216(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  88(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  96(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  104(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  152(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  160(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  168(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -208(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  96(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  104(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  112(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  120(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  128(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  136(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  176(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -200(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  104(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  112(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  120(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  152(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  160(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  168(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  176(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -192(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  112(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  120(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  128(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  136(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  184(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r8, %rbx
+	movq	%rdi, %rax
+	movq	%rsi, %rdx
+/APP
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	addq %rbx,%r12         
+	adcq %rax,%r9         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%r12, -184(%rbp)
+	movq	%rdx, %rdi
+	movq	%rax, %r8
+	movq	%rbx, %rsi
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  120(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%rsi     
+	movq  %rdx,%r8     
+	xorq  %rdi,%rdi        
+	
+	movq  128(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  136(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  144(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  152(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  160(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  168(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+	movq  176(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%rdi        
+	
+/NO_APP
+	movq	%rsi, %rax
+	movq	%r8, %rbx
+	movq	%rdi, %rdx
+/APP
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	addq %rax,%r9         
+	adcq %rbx,%r12         
+	adcq %rdx,%r13         
+	
+/NO_APP
+	movq	%rdx, %r11
+	movq	%rax, %r8
+	movq	%rbx, %rdi
+/APP
+	movq  184(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -176(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  128(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+/NO_APP
+	movq	%r10, %r13
+/APP
+	movq  136(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  192(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%r13         
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%r13         
+	
+/NO_APP
+	movq	%r12, -168(%rbp)
+	movq	%r13, %r12
+	movq	%r10, %r13
+/APP
+	movq  136(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  144(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %rbx
+	movq	%rsi, %rax
+/APP
+	addq %r8,%r9         
+	adcq %rbx,%r12         
+	adcq %rax,%r13         
+	addq %r8,%r9         
+	adcq %rbx,%r12         
+	adcq %rax,%r13         
+	
+/NO_APP
+	movq	%rax, %r11
+	movq	%rbx, %rdi
+	movq	%r10, %rbx
+/APP
+	movq  192(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r11, %rsi
+	movq	%r9, -160(%rbp)
+	movq	%r13, %r9
+/APP
+	movq  144(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  152(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  200(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%rbx         
+	addq %r8,%r12         
+	adcq %rdi,%r9         
+	adcq %rsi,%rbx         
+	
+/NO_APP
+	movq	%r12, -152(%rbp)
+/APP
+	movq  152(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  160(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rdx
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%rbx         
+	adcq %r12,%rdx         
+	addq %r8,%r9         
+	adcq %r13,%rbx         
+	adcq %r12,%rdx         
+	
+/NO_APP
+	movq	%rdx, %rax
+	movq	%r13, %rdi
+	movq	%r12, %rsi
+	movq	%rax, %r11
+	movq	%r10, %r12
+/APP
+	movq  200(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r9, -144(%rbp)
+	movq	%r11, %r9
+/APP
+	movq  160(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  168(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  200(%rcx),%rax     
+	mulq  208(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%rbx, -136(%rbp)
+	movq	%r12, %r11
+/APP
+	movq  168(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  176(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  200(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+/APP
+	movq  208(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r9, -128(%rbp)
+	movq	%r11, %r9
+/APP
+	movq  176(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  184(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  200(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  208(%rcx),%rax     
+	mulq  216(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rdx
+/APP
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%rdx         
+	
+/NO_APP
+	movq	%rbx, -120(%rbp)
+	movq	%rdx, %r11
+	movq	%r10, %rbx
+/APP
+	movq  184(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  192(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  200(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  208(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rbx         
+	
+/NO_APP
+	movq	%rbx, %rdx
+	movq	%r13, %rdi
+	movq	%r11, %rbx
+	movq	%r12, %rsi
+	movq	%rdx, %r11
+	movq	%r10, %r12
+/APP
+	movq  216(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r9, -112(%rbp)
+	movq	%r11, %r9
+/APP
+	movq  192(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  200(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  208(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  216(%rcx),%rax     
+	mulq  224(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	addq %r8,%rbx         
+	adcq %rdi,%r9         
+	adcq %rsi,%r12         
+	
+/NO_APP
+	movq	%rbx, -104(%rbp)
+	movq	%r12, %r11
+/APP
+	movq  200(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  208(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  216(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%r10, %rax
+	movq	%rdi, %r13
+	movq	%rsi, %r12
+/APP
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	addq %r8,%r9         
+	adcq %r13,%r11         
+	adcq %r12,%rax         
+	
+/NO_APP
+	movq	%rax, %rdx
+	movq	%r11, %rbx
+	movq	%r13, %rdi
+	movq	%rdx, %r11
+	movq	%r12, %rsi
+	movq	%r10, %r12
+/APP
+	movq  224(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r9     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r9, -96(%rbp)
+	movq	%r10, %r9
+/APP
+	movq  208(%rcx),%rax     
+	mulq  248(%rcx)           
+	movq  %rax,%r8     
+	movq  %rdx,%rdi     
+	xorq  %rsi,%rsi        
+	
+	movq  216(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+	movq  224(%rcx),%rax     
+	mulq  232(%rcx)           
+	addq  %rax,%r8     
+	adcq  %rdx,%rdi     
+	adcq  $0,%rsi        
+	
+/NO_APP
+	movq	%rdi, %r13
+	movq	%rsi, %rax
+/APP
+	addq %r8,%rbx         
+	adcq %r13,%r11         
+	adcq %rax,%r9         
+	addq %r8,%rbx         
+	adcq %r13,%r11         
+	adcq %rax,%r9         
+	
+/NO_APP
+	movq	%rbx, -88(%rbp)
+	movq	%r11, %rsi
+	movq	%r9, %r8
+/APP
+	movq  216(%rcx),%rax     
+	mulq  248(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%r12, %r11
+/APP
+	movq  224(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r11        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r11        
+	
+/NO_APP
+	movq	%r8, %r13
+	movq	%r11, %rbx
+/APP
+	movq  232(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r13     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%rsi, -80(%rbp)
+	movq	%rbx, %r12
+	movq	%r13, %rdi
+	movq	%r10, %r13
+/APP
+	movq  224(%rcx),%rax     
+	mulq  248(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r12     
+	adcq  $0,%r13        
+	
+/NO_APP
+	movq	%r12, %r9
+	movq	%r13, %r12
+/APP
+	movq  232(%rcx),%rax     
+	mulq  240(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%r9     
+	adcq  $0,%r12        
+	addq  %rax,%rdi     
+	adcq  %rdx,%r9     
+	adcq  $0,%r12        
+	
+/NO_APP
+	movq	%rdi, -72(%rbp)
+	movq	%r9, %r11
+	movq	%r12, %rbx
+	movq	%r10, %r9
+/APP
+	movq  232(%rcx),%rax     
+	mulq  248(%rcx)           
+	addq  %rax,%r11     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r9        
+	addq  %rax,%r11     
+	adcq  %rdx,%rbx     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	%rbx, %r13
+	movq	%r9, %rbx
+	movq	%r10, %r9
+/APP
+	movq  240(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%r11     
+	adcq  %rdx,%r13     
+	adcq  $0,%rbx        
+	
+/NO_APP
+	movq	%r11, -64(%rbp)
+	movq	%r13, %rdi
+	movq	%rbx, %rsi
+/APP
+	movq  240(%rcx),%rax     
+	mulq  248(%rcx)           
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r9        
+	addq  %rax,%rdi     
+	adcq  %rdx,%rsi     
+	adcq  $0,%r9        
+	
+/NO_APP
+	movq	%rdi, -56(%rbp)
+	movq	%r9, %r8
+/APP
+	movq  248(%rcx),%rax     
+	mulq  %rax        
+	addq  %rax,%rsi     
+	adcq  %rdx,%r8     
+	adcq  $0,%r10        
+	
+/NO_APP
+	movq	%rsi, -48(%rbp)
+	movq	16(%r14), %rdi
+	leaq	-544(%rbp), %rsi
+	movl	$512, %edx
+	movq	%r8, -40(%rbp)
+	movl	$64, 8(%r14)
+	movl	$0, (%r14)
+	call	memcpy@PLT
+	movl	8(%r14), %edx
+	testl	%edx, %edx
+	je	.L304
+	leal	-1(%rdx), %ecx
+	movq	16(%r14), %rsi
+	mov	%ecx, %r10d
+	cmpq	$0, (%rsi,%r10,8)
+	jne	.L302
+	movl	%ecx, %edx
+	.align 16
+.L303:
+	testl	%edx, %edx
+	movl	%edx, %ecx
+	je	.L307
+	decl	%edx
+	mov	%edx, %eax
+	cmpq	$0, (%rsi,%rax,8)
+	je	.L303
+	movl	%ecx, 8(%r14)
+	movl	%ecx, %edx
+.L302:
+	testl	%edx, %edx
+	je	.L304
+	movl	(%r14), %eax
+	movl	%eax, (%r14)
+	addq	$512, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	leave
+	ret
+.L307:
+	movl	%edx, 8(%r14)
+	.align 16
+.L304:
+	xorl	%eax, %eax
+	movl	%eax, (%r14)
+	addq	$512, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	leave
+	ret
+.LFE9:
+	.size	s_mp_sqr_comba_32, .-s_mp_sqr_comba_32
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m-priv.h b/security/nss/lib/freebl/mpi/mp_gf2m-priv.h
new file mode 100644
index 000000000..f93597d59
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mp_gf2m-priv.h
@@ -0,0 +1,102 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _MP_GF2M_PRIV_H_
+#define _MP_GF2M_PRIV_H_
+
+#include "mpi-priv.h"
+
+extern const mp_digit mp_gf2m_sqr_tb[16];
+
+#if defined(MP_USE_UINT_DIGIT)
+#define MP_DIGIT_BITS 32
+#else
+#define MP_DIGIT_BITS 64
+#endif
+
+/* Platform-specific macros for fast binary polynomial squaring. */
+#if MP_DIGIT_BITS == 32
+#define gf2m_SQR1(w) \
+    mp_gf2m_sqr_tb[(w) >> 28 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >> 24 & 0xF] << 16 | \
+    mp_gf2m_sqr_tb[(w) >> 20 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w) >> 16 & 0xF]
+#define gf2m_SQR0(w) \
+    mp_gf2m_sqr_tb[(w) >> 12 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >>  8 & 0xF] << 16 | \
+    mp_gf2m_sqr_tb[(w) >>  4 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w)       & 0xF]
+#else
+#define gf2m_SQR1(w) \
+    mp_gf2m_sqr_tb[(w) >> 60 & 0xF] << 56 | mp_gf2m_sqr_tb[(w) >> 56 & 0xF] << 48 | \
+    mp_gf2m_sqr_tb[(w) >> 52 & 0xF] << 40 | mp_gf2m_sqr_tb[(w) >> 48 & 0xF] << 32 | \
+    mp_gf2m_sqr_tb[(w) >> 44 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >> 40 & 0xF] << 16 | \
+    mp_gf2m_sqr_tb[(w) >> 36 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w) >> 32 & 0xF]
+#define gf2m_SQR0(w) \
+    mp_gf2m_sqr_tb[(w) >> 28 & 0xF] << 56 | mp_gf2m_sqr_tb[(w) >> 24 & 0xF] << 48 | \
+    mp_gf2m_sqr_tb[(w) >> 20 & 0xF] << 40 | mp_gf2m_sqr_tb[(w) >> 16 & 0xF] << 32 | \
+    mp_gf2m_sqr_tb[(w) >> 12 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >>  8 & 0xF] << 16 | \
+    mp_gf2m_sqr_tb[(w) >>  4 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w)       & 0xF]
+#endif
+
+/* Multiply two binary polynomials mp_digits a, b.
+ * Result is a polynomial with degree < 2 * MP_DIGIT_BITS - 1.
+ * Output in two mp_digits rh, rl.
+ */
+void s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b);
+
+/* Compute xor-multiply of two binary polynomials  (a1, a0) x (b1, b0)  
+ * result is a binary polynomial in 4 mp_digits r[4].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void s_bmul_2x2(mp_digit *r, const mp_digit a1, const mp_digit a0, const mp_digit b1,
+	const mp_digit b0);
+
+/* Compute xor-multiply of two binary polynomials  (a2, a1, a0) x (b2, b1, b0)  
+ * result is a binary polynomial in 6 mp_digits r[6].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void s_bmul_3x3(mp_digit *r, const mp_digit a2, const mp_digit a1, const mp_digit a0, 
+	const mp_digit b2, const mp_digit b1, const mp_digit b0);
+
+/* Compute xor-multiply of two binary polynomials  (a3, a2, a1, a0) x (b3, b2, b1, b0)  
+ * result is a binary polynomial in 8 mp_digits r[8].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void s_bmul_4x4(mp_digit *r, const mp_digit a3, const mp_digit a2, const mp_digit a1, 
+	const mp_digit a0, const mp_digit b3, const mp_digit b2, const mp_digit b1, 
+	const mp_digit b0);
+
+#endif /* _MP_GF2M_PRIV_H_ */
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m.c b/security/nss/lib/freebl/mpi/mp_gf2m.c
new file mode 100644
index 000000000..a68e88028
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mp_gf2m.c
@@ -0,0 +1,603 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mp_gf2m.h"
+#include "mp_gf2m-priv.h"
+#include "mplogic.h"
+#include "mpi-priv.h"
+
+const mp_digit mp_gf2m_sqr_tb[16] =
+{
+      0,     1,     4,     5,    16,    17,    20,    21,
+     64,    65,    68,    69,    80,    81,    84,    85
+};
+
+/* Multiply two binary polynomials mp_digits a, b.
+ * Result is a polynomial with degree < 2 * MP_DIGIT_BITS - 1.
+ * Output in two mp_digits rh, rl.
+ */
+#if MP_DIGIT_BITS == 32
+void 
+s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b)
+{
+    register mp_digit h, l, s;
+    mp_digit tab[8], top2b = a >> 30; 
+    register mp_digit a1, a2, a4;
+
+    a1 = a & (0x3FFFFFFF); a2 = a1 << 1; a4 = a2 << 1;
+
+    tab[0] =  0; tab[1] = a1;    tab[2] = a2;    tab[3] = a1^a2;
+    tab[4] = a4; tab[5] = a1^a4; tab[6] = a2^a4; tab[7] = a1^a2^a4;
+
+    s = tab[b       & 0x7]; l  = s;
+    s = tab[b >>  3 & 0x7]; l ^= s <<  3; h  = s >> 29;
+    s = tab[b >>  6 & 0x7]; l ^= s <<  6; h ^= s >> 26;
+    s = tab[b >>  9 & 0x7]; l ^= s <<  9; h ^= s >> 23;
+    s = tab[b >> 12 & 0x7]; l ^= s << 12; h ^= s >> 20;
+    s = tab[b >> 15 & 0x7]; l ^= s << 15; h ^= s >> 17;
+    s = tab[b >> 18 & 0x7]; l ^= s << 18; h ^= s >> 14;
+    s = tab[b >> 21 & 0x7]; l ^= s << 21; h ^= s >> 11;
+    s = tab[b >> 24 & 0x7]; l ^= s << 24; h ^= s >>  8;
+    s = tab[b >> 27 & 0x7]; l ^= s << 27; h ^= s >>  5;
+    s = tab[b >> 30      ]; l ^= s << 30; h ^= s >>  2;
+
+    /* compensate for the top two bits of a */
+
+    if (top2b & 01) { l ^= b << 30; h ^= b >> 2; } 
+    if (top2b & 02) { l ^= b << 31; h ^= b >> 1; } 
+
+    *rh = h; *rl = l;
+} 
+#else
+void 
+s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b)
+{
+    register mp_digit h, l, s;
+    mp_digit tab[16], top3b = a >> 61;
+    register mp_digit a1, a2, a4, a8;
+
+    a1 = a & (0x1FFFFFFFFFFFFFFFULL); a2 = a1 << 1; 
+    a4 = a2 << 1; a8 = a4 << 1;
+    tab[ 0] = 0;     tab[ 1] = a1;       tab[ 2] = a2;       tab[ 3] = a1^a2;
+    tab[ 4] = a4;    tab[ 5] = a1^a4;    tab[ 6] = a2^a4;    tab[ 7] = a1^a2^a4;
+    tab[ 8] = a8;    tab[ 9] = a1^a8;    tab[10] = a2^a8;    tab[11] = a1^a2^a8;
+    tab[12] = a4^a8; tab[13] = a1^a4^a8; tab[14] = a2^a4^a8; tab[15] = a1^a2^a4^a8;
+
+    s = tab[b       & 0xF]; l  = s;
+    s = tab[b >>  4 & 0xF]; l ^= s <<  4; h  = s >> 60;
+    s = tab[b >>  8 & 0xF]; l ^= s <<  8; h ^= s >> 56;
+    s = tab[b >> 12 & 0xF]; l ^= s << 12; h ^= s >> 52;
+    s = tab[b >> 16 & 0xF]; l ^= s << 16; h ^= s >> 48;
+    s = tab[b >> 20 & 0xF]; l ^= s << 20; h ^= s >> 44;
+    s = tab[b >> 24 & 0xF]; l ^= s << 24; h ^= s >> 40;
+    s = tab[b >> 28 & 0xF]; l ^= s << 28; h ^= s >> 36;
+    s = tab[b >> 32 & 0xF]; l ^= s << 32; h ^= s >> 32;
+    s = tab[b >> 36 & 0xF]; l ^= s << 36; h ^= s >> 28;
+    s = tab[b >> 40 & 0xF]; l ^= s << 40; h ^= s >> 24;
+    s = tab[b >> 44 & 0xF]; l ^= s << 44; h ^= s >> 20;
+    s = tab[b >> 48 & 0xF]; l ^= s << 48; h ^= s >> 16;
+    s = tab[b >> 52 & 0xF]; l ^= s << 52; h ^= s >> 12;
+    s = tab[b >> 56 & 0xF]; l ^= s << 56; h ^= s >>  8;
+    s = tab[b >> 60      ]; l ^= s << 60; h ^= s >>  4;
+
+    /* compensate for the top three bits of a */
+
+    if (top3b & 01) { l ^= b << 61; h ^= b >> 3; } 
+    if (top3b & 02) { l ^= b << 62; h ^= b >> 2; } 
+    if (top3b & 04) { l ^= b << 63; h ^= b >> 1; } 
+
+    *rh = h; *rl = l;
+} 
+#endif
+
+/* Compute xor-multiply of two binary polynomials  (a1, a0) x (b1, b0)  
+ * result is a binary polynomial in 4 mp_digits r[4].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void 
+s_bmul_2x2(mp_digit *r, const mp_digit a1, const mp_digit a0, const mp_digit b1,
+           const mp_digit b0)
+{
+    mp_digit m1, m0;
+    /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
+    s_bmul_1x1(r+3, r+2, a1, b1);
+    s_bmul_1x1(r+1, r, a0, b0);
+    s_bmul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
+    /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
+    r[2] ^= m1 ^ r[1] ^ r[3];  /* h0 ^= m1 ^ l1 ^ h1; */
+    r[1]  = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0;  /* l1 ^= l0 ^ h0 ^ m0; */
+}
+
+/* Compute xor-multiply of two binary polynomials  (a2, a1, a0) x (b2, b1, b0)  
+ * result is a binary polynomial in 6 mp_digits r[6].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void 
+s_bmul_3x3(mp_digit *r, const mp_digit a2, const mp_digit a1, const mp_digit a0, 
+	const mp_digit b2, const mp_digit b1, const mp_digit b0)
+{
+	mp_digit zm[4];
+
+	s_bmul_1x1(r+5, r+4, a2, b2);         /* fill top 2 words */
+	s_bmul_2x2(zm, a1, a2^a0, b1, b2^b0); /* fill middle 4 words */
+	s_bmul_2x2(r, a1, a0, b1, b0);        /* fill bottom 4 words */
+
+	zm[3] ^= r[3];
+	zm[2] ^= r[2]; 
+	zm[1] ^= r[1] ^ r[5];
+	zm[0] ^= r[0] ^ r[4];
+
+	r[5]  ^= zm[3];
+	r[4]  ^= zm[2];
+	r[3]  ^= zm[1];
+	r[2]  ^= zm[0];
+}
+
+/* Compute xor-multiply of two binary polynomials  (a3, a2, a1, a0) x (b3, b2, b1, b0)  
+ * result is a binary polynomial in 8 mp_digits r[8].
+ * The caller MUST ensure that r has the right amount of space allocated.
+ */
+void s_bmul_4x4(mp_digit *r, const mp_digit a3, const mp_digit a2, const mp_digit a1, 
+	const mp_digit a0, const mp_digit b3, const mp_digit b2, const mp_digit b1, 
+	const mp_digit b0)
+{
+	mp_digit zm[4];
+
+	s_bmul_2x2(r+4, a3, a2, b3, b2);            /* fill top 4 words */
+	s_bmul_2x2(zm, a3^a1, a2^a0, b3^b1, b2^b0); /* fill middle 4 words */
+	s_bmul_2x2(r, a1, a0, b1, b0);              /* fill bottom 4 words */
+
+	zm[3] ^= r[3] ^ r[7]; 
+	zm[2] ^= r[2] ^ r[6]; 
+	zm[1] ^= r[1] ^ r[5]; 
+	zm[0] ^= r[0] ^ r[4]; 
+
+	r[5]  ^= zm[3];    
+	r[4]  ^= zm[2];
+	r[3]  ^= zm[1];    
+	r[2]  ^= zm[0];
+}
+
+/* Compute addition of two binary polynomials a and b,
+ * store result in c; c could be a or b, a and b could be equal; 
+ * c is the bitwise XOR of a and b.
+ */
+mp_err
+mp_badd(const mp_int *a, const mp_int *b, mp_int *c)
+{
+    mp_digit *pa, *pb, *pc;
+    mp_size ix;
+    mp_size used_pa, used_pb;
+    mp_err res = MP_OKAY;
+
+    /* Add all digits up to the precision of b.  If b had more
+     * precision than a initially, swap a, b first
+     */
+    if (MP_USED(a) >= MP_USED(b)) {
+        pa = MP_DIGITS(a);
+        pb = MP_DIGITS(b);
+        used_pa = MP_USED(a);
+        used_pb = MP_USED(b);
+    } else {
+        pa = MP_DIGITS(b);
+        pb = MP_DIGITS(a);
+        used_pa = MP_USED(b);
+        used_pb = MP_USED(a);
+    }
+
+    /* Make sure c has enough precision for the output value */
+    MP_CHECKOK( s_mp_pad(c, used_pa) );
+
+    /* Do word-by-word xor */
+    pc = MP_DIGITS(c);
+    for (ix = 0; ix < used_pb; ix++) {
+        (*pc++) = (*pa++) ^ (*pb++);
+    }
+
+    /* Finish the rest of digits until we're actually done */
+    for (; ix < used_pa; ++ix) {
+        *pc++ = *pa++;
+    }
+
+    MP_USED(c) = used_pa;
+    MP_SIGN(c) = ZPOS;
+    s_mp_clamp(c);
+
+CLEANUP:
+    return res;
+} 
+
+#define s_mp_div2(a) MP_CHECKOK( mpl_rsh((a), (a), 1) );
+
+/* Compute binary polynomial multiply d = a * b */
+static void 
+s_bmul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *d)
+{
+    mp_digit a_i, a0b0, a1b1, carry = 0;
+    while (a_len--) {
+        a_i = *a++;
+        s_bmul_1x1(&a1b1, &a0b0, a_i, b);
+        *d++ = a0b0 ^ carry;
+        carry = a1b1;
+    }
+    *d = carry;
+}
+
+/* Compute binary polynomial xor multiply accumulate d ^= a * b */
+static void 
+s_bmul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *d)
+{
+    mp_digit a_i, a0b0, a1b1, carry = 0;
+    while (a_len--) {
+        a_i = *a++;
+        s_bmul_1x1(&a1b1, &a0b0, a_i, b);
+        *d++ ^= a0b0 ^ carry;
+        carry = a1b1;
+    }
+    *d ^= carry;
+}
+
+/* Compute binary polynomial xor multiply c = a * b.  
+ * All parameters may be identical.
+ */
+mp_err 
+mp_bmul(const mp_int *a, const mp_int *b, mp_int *c)
+{
+    mp_digit *pb, b_i;
+    mp_int tmp;
+    mp_size ib, a_used, b_used;
+    mp_err res = MP_OKAY;
+
+    MP_DIGITS(&tmp) = 0;
+
+    ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+    if (a == c) {
+        MP_CHECKOK( mp_init_copy(&tmp, a) );
+        if (a == b)
+            b = &tmp;
+        a = &tmp;
+    } else if (b == c) {
+        MP_CHECKOK( mp_init_copy(&tmp, b) );
+        b = &tmp;
+    }
+
+    if (MP_USED(a) < MP_USED(b)) {
+        const mp_int *xch = b;      /* switch a and b if b longer */
+        b = a;
+        a = xch;
+    }
+
+    MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
+    MP_CHECKOK( s_mp_pad(c, USED(a) + USED(b)) );
+
+    pb = MP_DIGITS(b);
+    s_bmul_d(MP_DIGITS(a), MP_USED(a), *pb++, MP_DIGITS(c));
+
+    /* Outer loop:  Digits of b */
+    a_used = MP_USED(a);
+    b_used = MP_USED(b);
+	MP_USED(c) = a_used + b_used;
+    for (ib = 1; ib < b_used; ib++) {
+        b_i = *pb++;
+
+        /* Inner product:  Digits of a */
+        if (b_i)
+            s_bmul_d_add(MP_DIGITS(a), a_used, b_i, MP_DIGITS(c) + ib);
+        else
+            MP_DIGIT(c, ib + a_used) = b_i;
+    }
+
+    s_mp_clamp(c);
+
+    SIGN(c) = ZPOS;
+
+CLEANUP:
+    mp_clear(&tmp);
+    return res;
+}
+
+
+/* Compute modular reduction of a and store result in r.  
+ * r could be a. 
+ * For modular arithmetic, the irreducible polynomial f(t) is represented 
+ * as an array of int[], where f(t) is of the form: 
+ *     f(t) = t^p[0] + t^p[1] + ... + t^p[k]
+ * where m = p[0] > p[1] > ... > p[k] = 0.
+ */
+mp_err
+mp_bmod(const mp_int *a, const unsigned int p[], mp_int *r)
+{
+    int j, k;
+    int n, dN, d0, d1;
+    mp_digit zz, *z, tmp;
+    mp_size used;
+    mp_err res = MP_OKAY;
+
+    /* The algorithm does the reduction in place in r, 
+     * if a != r, copy a into r first so reduction can be done in r
+     */
+    if (a != r) {
+        MP_CHECKOK( mp_copy(a, r) );
+    }
+    z = MP_DIGITS(r);
+
+    /* start reduction */
+    dN = p[0] / MP_DIGIT_BITS;
+    used = MP_USED(r);
+
+    for (j = used - 1; j > dN;) {
+
+        zz = z[j];
+        if (zz == 0) {
+            j--; continue;
+        }
+        z[j] = 0;
+
+        for (k = 1; p[k] > 0; k++) {
+            /* reducing component t^p[k] */
+            n = p[0] - p[k];
+            d0 = n % MP_DIGIT_BITS;  
+            d1 = MP_DIGIT_BITS - d0;
+            n /= MP_DIGIT_BITS;
+            z[j-n] ^= (zz>>d0);
+            if (d0) 
+                z[j-n-1] ^= (zz<<d1);
+        }
+
+        /* reducing component t^0 */
+        n = dN;  
+        d0 = p[0] % MP_DIGIT_BITS;
+        d1 = MP_DIGIT_BITS - d0;
+        z[j-n] ^= (zz >> d0);
+        if (d0) 
+            z[j-n-1] ^= (zz << d1);
+
+    }
+
+    /* final round of reduction */
+    while (j == dN) {
+
+        d0 = p[0] % MP_DIGIT_BITS;
+        zz = z[dN] >> d0;  
+        if (zz == 0) break;
+        d1 = MP_DIGIT_BITS - d0;
+
+        /* clear up the top d1 bits */
+        if (d0) z[dN] = (z[dN] << d1) >> d1; 
+        *z ^= zz; /* reduction t^0 component */
+
+        for (k = 1; p[k] > 0; k++) {
+            /* reducing component t^p[k]*/
+            n = p[k] / MP_DIGIT_BITS;
+            d0 = p[k] % MP_DIGIT_BITS;
+            d1 = MP_DIGIT_BITS - d0;
+            z[n] ^= (zz << d0);
+            tmp = zz >> d1;
+            if (d0 && tmp)
+                z[n+1] ^= tmp;
+        }
+    }
+
+    s_mp_clamp(r);
+CLEANUP:
+    return res;
+}
+
+/* Compute the product of two polynomials a and b, reduce modulo p, 
+ * Store the result in r.  r could be a or b; a could be b.
+ */
+mp_err 
+mp_bmulmod(const mp_int *a, const mp_int *b, const unsigned int p[], mp_int *r)
+{
+    mp_err res;
+    
+    if (a == b) return mp_bsqrmod(a, p, r);
+    if ((res = mp_bmul(a, b, r) ) != MP_OKAY)
+	return res;
+    return mp_bmod(r, p, r);
+}
+
+/* Compute binary polynomial squaring c = a*a mod p .  
+ * Parameter r and a can be identical.
+ */
+
+mp_err 
+mp_bsqrmod(const mp_int *a, const unsigned int p[], mp_int *r)
+{
+    mp_digit *pa, *pr, a_i;
+    mp_int tmp;
+    mp_size ia, a_used;
+    mp_err res;
+
+    ARGCHK(a != NULL && r != NULL, MP_BADARG);
+    MP_DIGITS(&tmp) = 0;
+
+    if (a == r) {
+        MP_CHECKOK( mp_init_copy(&tmp, a) );
+        a = &tmp;
+    }
+
+    MP_USED(r) = 1; MP_DIGIT(r, 0) = 0;
+    MP_CHECKOK( s_mp_pad(r, 2*USED(a)) );
+
+    pa = MP_DIGITS(a);
+    pr = MP_DIGITS(r);
+    a_used = MP_USED(a);
+	MP_USED(r) = 2 * a_used;
+
+    for (ia = 0; ia < a_used; ia++) {
+        a_i = *pa++;
+        *pr++ = gf2m_SQR0(a_i);
+        *pr++ = gf2m_SQR1(a_i);
+    }
+
+    MP_CHECKOK( mp_bmod(r, p, r) );
+    s_mp_clamp(r);
+    SIGN(r) = ZPOS;
+
+CLEANUP:
+    mp_clear(&tmp);
+    return res;
+}
+
+/* Compute binary polynomial y/x mod p, y divided by x, reduce modulo p.
+ * Store the result in r. r could be x or y, and x could equal y.
+ * Uses algorithm Modular_Division_GF(2^m) from 
+ *     Chang-Shantz, S.  "From Euclid's GCD to Montgomery Multiplication to 
+ *     the Great Divide".
+ */
+int 
+mp_bdivmod(const mp_int *y, const mp_int *x, const mp_int *pp, 
+    const unsigned int p[], mp_int *r)
+{
+    mp_int aa, bb, uu;
+    mp_int *a, *b, *u, *v;
+    mp_err res = MP_OKAY;
+
+    MP_DIGITS(&aa) = 0;
+    MP_DIGITS(&bb) = 0;
+    MP_DIGITS(&uu) = 0;
+
+    MP_CHECKOK( mp_init_copy(&aa, x) );
+    MP_CHECKOK( mp_init_copy(&uu, y) );
+    MP_CHECKOK( mp_init_copy(&bb, pp) );
+    MP_CHECKOK( s_mp_pad(r, USED(pp)) );
+    MP_USED(r) = 1; MP_DIGIT(r, 0) = 0;
+
+    a = &aa; b= &bb; u=&uu; v=r;
+    /* reduce x and y mod p */
+    MP_CHECKOK( mp_bmod(a, p, a) );
+    MP_CHECKOK( mp_bmod(u, p, u) );
+
+    while (!mp_isodd(a)) {
+        s_mp_div2(a);
+        if (mp_isodd(u)) {
+            MP_CHECKOK( mp_badd(u, pp, u) );
+        }
+        s_mp_div2(u);
+    }
+
+    do {
+        if (mp_cmp_mag(b, a) > 0) {
+            MP_CHECKOK( mp_badd(b, a, b) );
+            MP_CHECKOK( mp_badd(v, u, v) );
+            do {
+                s_mp_div2(b);
+                if (mp_isodd(v)) {
+                    MP_CHECKOK( mp_badd(v, pp, v) );
+                }
+                s_mp_div2(v);
+            } while (!mp_isodd(b));
+        }
+        else if ((MP_DIGIT(a,0) == 1) && (MP_USED(a) == 1))
+            break;
+        else {
+            MP_CHECKOK( mp_badd(a, b, a) );
+            MP_CHECKOK( mp_badd(u, v, u) );
+            do {
+                s_mp_div2(a);
+                if (mp_isodd(u)) {
+                    MP_CHECKOK( mp_badd(u, pp, u) );
+                }
+                s_mp_div2(u);
+            } while (!mp_isodd(a));
+        }
+    } while (1);
+
+    MP_CHECKOK( mp_copy(u, r) );
+
+CLEANUP:
+    mp_clear(&aa);
+    mp_clear(&bb);
+    mp_clear(&uu);
+    return res;
+
+}
+
+/* Convert the bit-string representation of a polynomial a into an array
+ * of integers corresponding to the bits with non-zero coefficient.
+ * Up to max elements of the array will be filled.  Return value is total
+ * number of coefficients that would be extracted if array was large enough.
+ */
+int
+mp_bpoly2arr(const mp_int *a, unsigned int p[], int max)
+{
+    int i, j, k;
+    mp_digit top_bit, mask;
+
+    top_bit = 1;
+    top_bit <<= MP_DIGIT_BIT - 1;
+
+    for (k = 0; k < max; k++) p[k] = 0;
+    k = 0;
+
+    for (i = MP_USED(a) - 1; i >= 0; i--) {
+        mask = top_bit;
+        for (j = MP_DIGIT_BIT - 1; j >= 0; j--) {
+            if (MP_DIGITS(a)[i] & mask) {
+                if (k < max) p[k] = MP_DIGIT_BIT * i + j;
+                k++;
+            }
+            mask >>= 1;
+        }
+    }
+
+    return k;
+}
+
+/* Convert the coefficient array representation of a polynomial to a 
+ * bit-string.  The array must be terminated by 0.
+ */
+mp_err
+mp_barr2poly(const unsigned int p[], mp_int *a)
+{
+
+    mp_err res = MP_OKAY;
+    int i;
+
+    mp_zero(a);
+    for (i = 0; p[i] > 0; i++) {
+	MP_CHECKOK( mpl_set_bit(a, p[i], 1) );
+    }
+    MP_CHECKOK( mpl_set_bit(a, 0, 1) );
+	
+CLEANUP:
+    return res;
+}
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m.h b/security/nss/lib/freebl/mpi/mp_gf2m.h
new file mode 100644
index 000000000..1a305f336
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mp_gf2m.h
@@ -0,0 +1,63 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _MP_GF2M_H_
+#define _MP_GF2M_H_
+
+#include "mpi.h"
+
+mp_err mp_badd(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_bmul(const mp_int *a, const mp_int *b, mp_int *c);
+
+/* For modular arithmetic, the irreducible polynomial f(t) is represented 
+ * as an array of int[], where f(t) is of the form: 
+ *     f(t) = t^p[0] + t^p[1] + ... + t^p[k]
+ * where m = p[0] > p[1] > ... > p[k] = 0.
+ */
+mp_err mp_bmod(const mp_int *a, const unsigned int p[], mp_int *r);
+mp_err mp_bmulmod(const mp_int *a, const mp_int *b, const unsigned int p[], 
+    mp_int *r);
+mp_err mp_bsqrmod(const mp_int *a, const unsigned int p[], mp_int *r);
+mp_err mp_bdivmod(const mp_int *y, const mp_int *x, const mp_int *pp, 
+    const unsigned int p[], mp_int *r);
+
+int mp_bpoly2arr(const mp_int *a, unsigned int p[], int max);
+mp_err mp_barr2poly(const unsigned int p[], mp_int *a);
+
+#endif /* _MP_GF2M_H_ */
diff --git a/security/nss/lib/freebl/mpi/mpcpucache.c b/security/nss/lib/freebl/mpi/mpcpucache.c
new file mode 100644
index 000000000..65927d05e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpcpucache.c
@@ -0,0 +1,843 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert Relyea <rrelyea@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+
+/*
+ * This file implements a single function: s_mpi_getProcessorLineSize();
+ * s_mpi_getProcessorLineSize() returns the size in bytes of the cache line
+ * if a cache exists, or zero if there is no cache. If more than one
+ * cache line exists, it should return the smallest line size (which is 
+ * usually the L1 cache).
+ *
+ * mp_modexp uses this information to make sure that private key information
+ * isn't being leaked through the cache.
+ *
+ * Currently the file returns good data for most modern x86 processors, and
+ * reasonable data on 64-bit ppc processors. All other processors are assumed
+ * to have a cache line size of 32 bytes unless modified by target.mk.
+ * 
+ */
+
+#if defined(i386) || defined(__i386) || defined(__X86__) || defined (_M_IX86) || defined(__x86_64__) || defined(__x86_64) || defined(_M_AMD64)
+/* X86 processors have special instructions that tell us about the cache */
+#include "string.h"
+
+#if defined(__x86_64__) || defined(__x86_64) || defined(_M_AMD64)
+#define AMD_64 1
+#endif
+
+/* Generic CPUID function */
+#if defined(AMD_64)
+
+#if defined(__GNUC__)
+
+static void cpuid(unsigned long op, unsigned long *eax, 
+	                 unsigned long *ebx, unsigned long *ecx, 
+                         unsigned long *edx)
+{
+	__asm__("cpuid\n\t"
+		: "=a" (*eax),
+		  "=b" (*ebx),
+		  "=c" (*ecx),
+		  "=d" (*edx)
+		: "0" (op));
+}
+
+#elif defined(_MSC_VER)
+
+#include <intrin.h>
+
+static void cpuid(unsigned long op, unsigned long *eax, 
+           unsigned long *ebx, unsigned long *ecx, 
+           unsigned long *edx)
+{
+    int intrinsic_out[4];
+
+    __cpuid(intrinsic_out, op);
+    *eax = intrinsic_out[0];
+    *ebx = intrinsic_out[1];
+    *ecx = intrinsic_out[2];
+    *edx = intrinsic_out[3];
+}
+
+#endif
+
+#else /* !defined(AMD_64) */
+
+/* x86 */
+
+#if defined(__GNUC__)
+static void cpuid(unsigned long op, unsigned long *eax, 
+	                 unsigned long *ebx, unsigned long *ecx, 
+                         unsigned long *edx)
+{
+/* sigh GCC isn't smart enough to save the ebx PIC register on it's own
+ * in this case, so do it by hand. */
+	__asm__("pushl %%ebx\n\t"
+		  "cpuid\n\t"
+		  "mov %%ebx,%1\n\t"
+		  "popl %%ebx\n\t"
+		: "=a" (*eax),
+		  "=r" (*ebx),
+		  "=c" (*ecx),
+		  "=d" (*edx)
+		: "0" (op));
+}
+
+/*
+ * try flipping a processor flag to determine CPU type
+ */
+static unsigned long changeFlag(unsigned long flag)
+{
+	unsigned long changedFlags, originalFlags;
+	__asm__("pushfl\n\t"            /* get the flags */
+	        "popl %0\n\t"
+	        "movl %0,%1\n\t"	/* save the original flags */
+	        "xorl %2,%0\n\t" 	/* flip the bit */
+		"pushl %0\n\t"  	/* set the flags */
+	        "popfl\n\t"
+		"pushfl\n\t"		/* get the flags again (for return) */
+		"popl %0\n\t"
+		"pushl %1\n\t"		/* restore the original flags */
+		 "popfl\n\t"
+		: "=r" (changedFlags),
+		  "=r" (originalFlags),
+		  "=r" (flag)
+		: "2" (flag));
+	return changedFlags ^ originalFlags;
+}
+
+#elif defined(_MSC_VER)
+
+/*
+ * windows versions of the above assembler
+ */
+#define wcpuid __asm __emit 0fh __asm __emit 0a2h
+static void cpuid(unsigned long op,    unsigned long *Reax, 
+    unsigned long *Rebx, unsigned long *Recx, unsigned long *Redx)
+{
+        unsigned long  Leax, Lebx, Lecx, Ledx;
+        __asm {
+        pushad
+        mov     eax,op
+        wcpuid
+        mov     Leax,eax
+        mov     Lebx,ebx
+        mov     Lecx,ecx
+        mov     Ledx,edx
+        popad
+        }
+        *Reax = Leax;
+        *Rebx = Lebx;
+        *Recx = Lecx;
+        *Redx = Ledx;
+}
+
+static unsigned long changeFlag(unsigned long flag)
+{
+	unsigned long changedFlags, originalFlags;
+	__asm {
+		push eax
+		push ebx
+		pushfd 	                /* get the flags */
+	        pop  eax
+		push eax		/* save the flags on the stack */
+	        mov  originalFlags,eax  /* save the original flags */
+		mov  ebx,flag
+	        xor  eax,ebx            /* flip the bit */
+		push eax                /* set the flags */
+	        popfd
+		pushfd                  /* get the flags again (for return) */
+		pop  eax	
+		popfd                   /* restore the original flags */
+		mov changedFlags,eax
+		pop ebx
+		pop eax
+	}
+	return changedFlags ^ originalFlags;
+}
+#endif
+
+#endif
+
+#if !defined(AMD_64)
+#define AC_FLAG 0x40000
+#define ID_FLAG 0x200000
+
+/* 386 processors can't flip the AC_FLAG, intel AP Note AP-485 */
+static int is386()
+{
+    return changeFlag(AC_FLAG) == 0;
+}
+
+/* 486 processors can't flip the ID_FLAG, intel AP Note AP-485 */
+static int is486()
+{
+    return changeFlag(ID_FLAG) == 0;
+}
+#endif
+
+
+/*
+ * table for Intel Cache.
+ * See Intel Application Note AP-485 for more information 
+ */
+
+typedef unsigned char CacheTypeEntry;
+
+typedef enum {
+    Cache_NONE    = 0,
+    Cache_UNKNOWN = 1,
+    Cache_TLB     = 2,
+    Cache_TLBi    = 3,
+    Cache_TLBd    = 4,
+    Cache_Trace   = 5,
+    Cache_L1      = 6,
+    Cache_L1i     = 7,
+    Cache_L1d     = 8,
+    Cache_L2      = 9 ,
+    Cache_L2i     = 10 ,
+    Cache_L2d     = 11 ,
+    Cache_L3      = 12 ,
+    Cache_L3i     = 13,
+    Cache_L3d     = 14
+} CacheType;
+
+struct _cache {
+    CacheTypeEntry type;
+    unsigned char lineSize;
+};
+static const struct _cache CacheMap[256] = {
+/* 00 */ {Cache_NONE,    0   },
+/* 01 */ {Cache_TLBi,    0   },
+/* 02 */ {Cache_TLBi,    0   },
+/* 03 */ {Cache_TLBd,    0   },
+/* 04 */ {Cache_TLBd,        },
+/* 05 */ {Cache_UNKNOWN, 0   },
+/* 06 */ {Cache_L1i,     32  },
+/* 07 */ {Cache_UNKNOWN, 0   },
+/* 08 */ {Cache_L1i,     32  },
+/* 09 */ {Cache_UNKNOWN, 0   },
+/* 0a */ {Cache_L1d,     32  },
+/* 0b */ {Cache_UNKNOWN, 0   },
+/* 0c */ {Cache_L1d,     32  },
+/* 0d */ {Cache_UNKNOWN, 0   },
+/* 0e */ {Cache_UNKNOWN, 0   },
+/* 0f */ {Cache_UNKNOWN, 0   },
+/* 10 */ {Cache_UNKNOWN, 0   },
+/* 11 */ {Cache_UNKNOWN, 0   },
+/* 12 */ {Cache_UNKNOWN, 0   },
+/* 13 */ {Cache_UNKNOWN, 0   },
+/* 14 */ {Cache_UNKNOWN, 0   },
+/* 15 */ {Cache_UNKNOWN, 0   },
+/* 16 */ {Cache_UNKNOWN, 0   },
+/* 17 */ {Cache_UNKNOWN, 0   },
+/* 18 */ {Cache_UNKNOWN, 0   },
+/* 19 */ {Cache_UNKNOWN, 0   },
+/* 1a */ {Cache_UNKNOWN, 0   },
+/* 1b */ {Cache_UNKNOWN, 0   },
+/* 1c */ {Cache_UNKNOWN, 0   },
+/* 1d */ {Cache_UNKNOWN, 0   },
+/* 1e */ {Cache_UNKNOWN, 0   },
+/* 1f */ {Cache_UNKNOWN, 0   },
+/* 20 */ {Cache_UNKNOWN, 0   },
+/* 21 */ {Cache_UNKNOWN, 0   },
+/* 22 */ {Cache_L3,      64  },
+/* 23 */ {Cache_L3,      64  },
+/* 24 */ {Cache_UNKNOWN, 0   },
+/* 25 */ {Cache_L3,      64  },
+/* 26 */ {Cache_UNKNOWN, 0   },
+/* 27 */ {Cache_UNKNOWN, 0   },
+/* 28 */ {Cache_UNKNOWN, 0   },
+/* 29 */ {Cache_L3,      64  },
+/* 2a */ {Cache_UNKNOWN, 0   },
+/* 2b */ {Cache_UNKNOWN, 0   },
+/* 2c */ {Cache_L1d,     64  },
+/* 2d */ {Cache_UNKNOWN, 0   },
+/* 2e */ {Cache_UNKNOWN, 0   },
+/* 2f */ {Cache_UNKNOWN, 0   },
+/* 30 */ {Cache_L1i,     64  },
+/* 31 */ {Cache_UNKNOWN, 0   },
+/* 32 */ {Cache_UNKNOWN, 0   },
+/* 33 */ {Cache_UNKNOWN, 0   },
+/* 34 */ {Cache_UNKNOWN, 0   },
+/* 35 */ {Cache_UNKNOWN, 0   },
+/* 36 */ {Cache_UNKNOWN, 0   },
+/* 37 */ {Cache_UNKNOWN, 0   },
+/* 38 */ {Cache_UNKNOWN, 0   },
+/* 39 */ {Cache_L2,      64  },
+/* 3a */ {Cache_UNKNOWN, 0   },
+/* 3b */ {Cache_L2,      64  },
+/* 3c */ {Cache_L2,      64  },
+/* 3d */ {Cache_UNKNOWN, 0   },
+/* 3e */ {Cache_UNKNOWN, 0   },
+/* 3f */ {Cache_UNKNOWN, 0   },
+/* 40 */ {Cache_L2,      0   },
+/* 41 */ {Cache_L2,      32  },
+/* 42 */ {Cache_L2,      32  },
+/* 43 */ {Cache_L2,      32  },
+/* 44 */ {Cache_L2,      32  },
+/* 45 */ {Cache_L2,      32  },
+/* 46 */ {Cache_UNKNOWN, 0   },
+/* 47 */ {Cache_UNKNOWN, 0   },
+/* 48 */ {Cache_UNKNOWN, 0   },
+/* 49 */ {Cache_UNKNOWN, 0   },
+/* 4a */ {Cache_UNKNOWN, 0   },
+/* 4b */ {Cache_UNKNOWN, 0   },
+/* 4c */ {Cache_UNKNOWN, 0   },
+/* 4d */ {Cache_UNKNOWN, 0   },
+/* 4e */ {Cache_UNKNOWN, 0   },
+/* 4f */ {Cache_UNKNOWN, 0   },
+/* 50 */ {Cache_TLBi,    0   },
+/* 51 */ {Cache_TLBi,    0   },
+/* 52 */ {Cache_TLBi,    0   },
+/* 53 */ {Cache_UNKNOWN, 0   },
+/* 54 */ {Cache_UNKNOWN, 0   },
+/* 55 */ {Cache_UNKNOWN, 0   },
+/* 56 */ {Cache_UNKNOWN, 0   },
+/* 57 */ {Cache_UNKNOWN, 0   },
+/* 58 */ {Cache_UNKNOWN, 0   },
+/* 59 */ {Cache_UNKNOWN, 0   },
+/* 5a */ {Cache_UNKNOWN, 0   },
+/* 5b */ {Cache_TLBd,    0   },
+/* 5c */ {Cache_TLBd,    0   },
+/* 5d */ {Cache_TLBd,    0   },
+/* 5e */ {Cache_UNKNOWN, 0   },
+/* 5f */ {Cache_UNKNOWN, 0   },
+/* 60 */ {Cache_UNKNOWN, 0   },
+/* 61 */ {Cache_UNKNOWN, 0   },
+/* 62 */ {Cache_UNKNOWN, 0   },
+/* 63 */ {Cache_UNKNOWN, 0   },
+/* 64 */ {Cache_UNKNOWN, 0   },
+/* 65 */ {Cache_UNKNOWN, 0   },
+/* 66 */ {Cache_L1d,     64  },
+/* 67 */ {Cache_L1d,     64  },
+/* 68 */ {Cache_L1d,     64  },
+/* 69 */ {Cache_UNKNOWN, 0   },
+/* 6a */ {Cache_UNKNOWN, 0   },
+/* 6b */ {Cache_UNKNOWN, 0   },
+/* 6c */ {Cache_UNKNOWN, 0   },
+/* 6d */ {Cache_UNKNOWN, 0   },
+/* 6e */ {Cache_UNKNOWN, 0   },
+/* 6f */ {Cache_UNKNOWN, 0   },
+/* 70 */ {Cache_Trace,   1   },
+/* 71 */ {Cache_Trace,   1   },
+/* 72 */ {Cache_Trace,   1   },
+/* 73 */ {Cache_UNKNOWN, 0   },
+/* 74 */ {Cache_UNKNOWN, 0   },
+/* 75 */ {Cache_UNKNOWN, 0   },
+/* 76 */ {Cache_UNKNOWN, 0   },
+/* 77 */ {Cache_UNKNOWN, 0   },
+/* 78 */ {Cache_UNKNOWN, 0   },
+/* 79 */ {Cache_L2,      64  },
+/* 7a */ {Cache_L2,      64  },
+/* 7b */ {Cache_L2,      64  },
+/* 7c */ {Cache_L2,      64  },
+/* 7d */ {Cache_UNKNOWN, 0   },
+/* 7e */ {Cache_UNKNOWN, 0   },
+/* 7f */ {Cache_UNKNOWN, 0   },
+/* 80 */ {Cache_UNKNOWN, 0   },
+/* 81 */ {Cache_UNKNOWN, 0   },
+/* 82 */ {Cache_L2,      32  },
+/* 83 */ {Cache_L2,      32  },
+/* 84 */ {Cache_L2,      32  },
+/* 85 */ {Cache_L2,      32  },
+/* 86 */ {Cache_L2,      64  },
+/* 87 */ {Cache_L2,      64  },
+/* 88 */ {Cache_UNKNOWN, 0   },
+/* 89 */ {Cache_UNKNOWN, 0   },
+/* 8a */ {Cache_UNKNOWN, 0   },
+/* 8b */ {Cache_UNKNOWN, 0   },
+/* 8c */ {Cache_UNKNOWN, 0   },
+/* 8d */ {Cache_UNKNOWN, 0   },
+/* 8e */ {Cache_UNKNOWN, 0   },
+/* 8f */ {Cache_UNKNOWN, 0   },
+/* 90 */ {Cache_UNKNOWN, 0   },
+/* 91 */ {Cache_UNKNOWN, 0   },
+/* 92 */ {Cache_UNKNOWN, 0   },
+/* 93 */ {Cache_UNKNOWN, 0   },
+/* 94 */ {Cache_UNKNOWN, 0   },
+/* 95 */ {Cache_UNKNOWN, 0   },
+/* 96 */ {Cache_UNKNOWN, 0   },
+/* 97 */ {Cache_UNKNOWN, 0   },
+/* 98 */ {Cache_UNKNOWN, 0   },
+/* 99 */ {Cache_UNKNOWN, 0   },
+/* 9a */ {Cache_UNKNOWN, 0   },
+/* 9b */ {Cache_UNKNOWN, 0   },
+/* 9c */ {Cache_UNKNOWN, 0   },
+/* 9d */ {Cache_UNKNOWN, 0   },
+/* 9e */ {Cache_UNKNOWN, 0   },
+/* 9f */ {Cache_UNKNOWN, 0   },
+/* a0 */ {Cache_UNKNOWN, 0   },
+/* a1 */ {Cache_UNKNOWN, 0   },
+/* a2 */ {Cache_UNKNOWN, 0   },
+/* a3 */ {Cache_UNKNOWN, 0   },
+/* a4 */ {Cache_UNKNOWN, 0   },
+/* a5 */ {Cache_UNKNOWN, 0   },
+/* a6 */ {Cache_UNKNOWN, 0   },
+/* a7 */ {Cache_UNKNOWN, 0   },
+/* a8 */ {Cache_UNKNOWN, 0   },
+/* a9 */ {Cache_UNKNOWN, 0   },
+/* aa */ {Cache_UNKNOWN, 0   },
+/* ab */ {Cache_UNKNOWN, 0   },
+/* ac */ {Cache_UNKNOWN, 0   },
+/* ad */ {Cache_UNKNOWN, 0   },
+/* ae */ {Cache_UNKNOWN, 0   },
+/* af */ {Cache_UNKNOWN, 0   },
+/* b0 */ {Cache_TLBi,    0   },
+/* b1 */ {Cache_UNKNOWN, 0   },
+/* b2 */ {Cache_UNKNOWN, 0   },
+/* b3 */ {Cache_TLBd,    0   },
+/* b4 */ {Cache_UNKNOWN, 0   },
+/* b5 */ {Cache_UNKNOWN, 0   },
+/* b6 */ {Cache_UNKNOWN, 0   },
+/* b7 */ {Cache_UNKNOWN, 0   },
+/* b8 */ {Cache_UNKNOWN, 0   },
+/* b9 */ {Cache_UNKNOWN, 0   },
+/* ba */ {Cache_UNKNOWN, 0   },
+/* bb */ {Cache_UNKNOWN, 0   },
+/* bc */ {Cache_UNKNOWN, 0   },
+/* bd */ {Cache_UNKNOWN, 0   },
+/* be */ {Cache_UNKNOWN, 0   },
+/* bf */ {Cache_UNKNOWN, 0   },
+/* c0 */ {Cache_UNKNOWN, 0   },
+/* c1 */ {Cache_UNKNOWN, 0   },
+/* c2 */ {Cache_UNKNOWN, 0   },
+/* c3 */ {Cache_UNKNOWN, 0   },
+/* c4 */ {Cache_UNKNOWN, 0   },
+/* c5 */ {Cache_UNKNOWN, 0   },
+/* c6 */ {Cache_UNKNOWN, 0   },
+/* c7 */ {Cache_UNKNOWN, 0   },
+/* c8 */ {Cache_UNKNOWN, 0   },
+/* c9 */ {Cache_UNKNOWN, 0   },
+/* ca */ {Cache_UNKNOWN, 0   },
+/* cb */ {Cache_UNKNOWN, 0   },
+/* cc */ {Cache_UNKNOWN, 0   },
+/* cd */ {Cache_UNKNOWN, 0   },
+/* ce */ {Cache_UNKNOWN, 0   },
+/* cf */ {Cache_UNKNOWN, 0   },
+/* d0 */ {Cache_UNKNOWN, 0   },
+/* d1 */ {Cache_UNKNOWN, 0   },
+/* d2 */ {Cache_UNKNOWN, 0   },
+/* d3 */ {Cache_UNKNOWN, 0   },
+/* d4 */ {Cache_UNKNOWN, 0   },
+/* d5 */ {Cache_UNKNOWN, 0   },
+/* d6 */ {Cache_UNKNOWN, 0   },
+/* d7 */ {Cache_UNKNOWN, 0   },
+/* d8 */ {Cache_UNKNOWN, 0   },
+/* d9 */ {Cache_UNKNOWN, 0   },
+/* da */ {Cache_UNKNOWN, 0   },
+/* db */ {Cache_UNKNOWN, 0   },
+/* dc */ {Cache_UNKNOWN, 0   },
+/* dd */ {Cache_UNKNOWN, 0   },
+/* de */ {Cache_UNKNOWN, 0   },
+/* df */ {Cache_UNKNOWN, 0   },
+/* e0 */ {Cache_UNKNOWN, 0   },
+/* e1 */ {Cache_UNKNOWN, 0   },
+/* e2 */ {Cache_UNKNOWN, 0   },
+/* e3 */ {Cache_UNKNOWN, 0   },
+/* e4 */ {Cache_UNKNOWN, 0   },
+/* e5 */ {Cache_UNKNOWN, 0   },
+/* e6 */ {Cache_UNKNOWN, 0   },
+/* e7 */ {Cache_UNKNOWN, 0   },
+/* e8 */ {Cache_UNKNOWN, 0   },
+/* e9 */ {Cache_UNKNOWN, 0   },
+/* ea */ {Cache_UNKNOWN, 0   },
+/* eb */ {Cache_UNKNOWN, 0   },
+/* ec */ {Cache_UNKNOWN, 0   },
+/* ed */ {Cache_UNKNOWN, 0   },
+/* ee */ {Cache_UNKNOWN, 0   },
+/* ef */ {Cache_UNKNOWN, 0   },
+/* f0 */ {Cache_UNKNOWN, 0   },
+/* f1 */ {Cache_UNKNOWN, 0   },
+/* f2 */ {Cache_UNKNOWN, 0   },
+/* f3 */ {Cache_UNKNOWN, 0   },
+/* f4 */ {Cache_UNKNOWN, 0   },
+/* f5 */ {Cache_UNKNOWN, 0   },
+/* f6 */ {Cache_UNKNOWN, 0   },
+/* f7 */ {Cache_UNKNOWN, 0   },
+/* f8 */ {Cache_UNKNOWN, 0   },
+/* f9 */ {Cache_UNKNOWN, 0   },
+/* fa */ {Cache_UNKNOWN, 0   },
+/* fb */ {Cache_UNKNOWN, 0   },
+/* fc */ {Cache_UNKNOWN, 0   },
+/* fd */ {Cache_UNKNOWN, 0   },
+/* fe */ {Cache_UNKNOWN, 0   },
+/* ff */ {Cache_UNKNOWN, 0   }
+};
+
+
+/*
+ * use the above table to determine the CacheEntryLineSize.
+ */
+static void
+getIntelCacheEntryLineSize(unsigned long val, int *level, 
+						unsigned long *lineSize)
+{
+    CacheType type;
+
+    type = CacheMap[val].type;
+    /* only interested in data caches */
+    /* NOTE val = 0x40 is a special value that means no L2 or L3 cache.
+     * this data check has the side effect of rejecting that entry. If
+     * that wasn't the case, we could have to reject it explicitly */
+    if (CacheMap[val].lineSize == 0) {
+	return;
+    }
+    /* look at the caches, skip types we aren't interested in.
+     * if we already have a value for a lower level cache, skip the
+     * current entry */
+    if ((type == Cache_L1)|| (type == Cache_L1d)) {
+	*level = 1;
+	*lineSize = CacheMap[val].lineSize;
+    } else if ((*level >= 2) && ((type == Cache_L2) || (type == Cache_L2d))) {
+	*level = 2;
+	*lineSize = CacheMap[val].lineSize;
+    } else if ((*level >= 3) && ((type == Cache_L3) || (type == Cache_L3d))) {
+	*level = 3;
+	*lineSize = CacheMap[val].lineSize;
+    }
+    return;
+}
+
+
+static void
+getIntelRegisterCacheLineSize(unsigned long val, 
+			int *level, unsigned long *lineSize)
+{
+    getIntelCacheEntryLineSize(val >> 24 & 0xff, level, lineSize);
+    getIntelCacheEntryLineSize(val >> 16 & 0xff, level, lineSize);
+    getIntelCacheEntryLineSize(val >> 8 & 0xff, level, lineSize);
+    getIntelCacheEntryLineSize(val & 0xff, level, lineSize);
+}
+
+/*
+ * returns '0' if no recognized cache is found, or if the cache
+ * information is supported by this processor 
+ */
+static unsigned long
+getIntelCacheLineSize(int cpuidLevel)
+{
+    int level = 4;
+    unsigned long lineSize = 0;
+    unsigned long eax, ebx, ecx, edx;
+    int repeat, count;
+
+    if (cpuidLevel < 2) {
+	return 0;
+    }
+
+    /* command '2' of the cpuid is intel's cache info call. Each byte of the
+     * 4 registers contain a potential descriptor for the cache. The CacheMap	
+     * table maps the cache entry with the processor cache. Register 'al'
+     * contains a count value that cpuid '2' needs to be called in order to 
+     * find all the cache descriptors. Only registers with the high bit set
+     * to 'zero' have valid descriptors. This code loops through all the
+     * required calls to cpuid '2' and passes any valid descriptors it finds
+     * to the getIntelRegisterCacheLineSize code, which breaks the registers
+     * down into their component descriptors. In the end the lineSize of the
+     * lowest level cache data cache is returned. */
+    cpuid(2, &eax, &ebx, &ecx, &edx);
+    repeat = eax & 0xf;
+    for (count = 0; count < repeat; count++) {
+	if ((eax & 0x80000000) == 0) {
+	    getIntelRegisterCacheLineSize(eax & 0xffffff00, &level, &lineSize);
+	}
+	if ((ebx & 0x80000000) == 0) {
+	    getIntelRegisterCacheLineSize(ebx, &level, &lineSize);
+	}
+	if ((ecx & 0x80000000) == 0) {
+	    getIntelRegisterCacheLineSize(ecx, &level, &lineSize);
+	}
+	if ((edx & 0x80000000) == 0) {
+	    getIntelRegisterCacheLineSize(edx, &level, &lineSize);
+	}
+	if (count+1 != repeat) {
+	    cpuid(2, &eax, &ebx, &ecx, &edx);
+	}
+    }
+    return lineSize;
+}
+
+/*
+ * returns '0' if the cache info is not supported by this processor.
+ * This is based on the AMD extended cache commands for cpuid. 
+ * (see "AMD Processor Recognition Application Note" Publication 20734).
+ * Some other processors use the identical scheme.
+ * (see "Processor Recognition, Transmeta Corporation").
+ */
+static unsigned long
+getOtherCacheLineSize(unsigned long cpuidLevel)
+{
+    unsigned long lineSize = 0;
+    unsigned long eax, ebx, ecx, edx;
+
+    /* get the Extended CPUID level */
+    cpuid(0x80000000, &eax, &ebx, &ecx, &edx);
+    cpuidLevel = eax;
+
+    if (cpuidLevel >= 0x80000005) {
+	cpuid(0x80000005, &eax, &ebx, &ecx, &edx);
+	lineSize = ecx & 0xff; /* line Size, L1 Data Cache */
+    }
+    return lineSize;
+}
+
+static const char * const manMap[] = {
+#define INTEL     0
+    "GenuineIntel",
+#define AMD       1
+    "AuthenticAMD",
+#define CYRIX     2
+    "CyrixInstead",
+#define CENTAUR   2
+    "CentaurHauls",
+#define NEXGEN    3
+    "NexGenDriven",
+#define TRANSMETA 4
+    "GenuineTMx86",
+#define RISE      5
+    "RiseRiseRise",
+#define UMC       6
+    "UMC UMC UMC ",
+#define SIS       7
+    "Sis Sis Sis ",
+#define NATIONAL  8
+    "Geode by NSC",
+};
+
+static const int n_manufacturers = sizeof(manMap)/sizeof(manMap[0]);
+
+
+#define MAN_UNKNOWN 9
+
+#if !defined(AMD_64)
+#define SSE2_FLAG (1<<26)
+unsigned long
+s_mpi_is_sse2()
+{
+    unsigned long eax, ebx, ecx, edx;
+    int manufacturer = MAN_UNKNOWN;
+    int i;
+    char string[13];
+
+    if (is386() || is486()) {
+	return 0;
+    }
+    cpuid(0, &eax, &ebx, &ecx, &edx);
+    *(int *)string = ebx;
+    *(int *)&string[4] = edx;
+    *(int *)&string[8] = ecx;
+    string[12] = 0;
+
+    /* has no SSE2 extensions */
+    if (eax == 0) {
+	return 0;
+    }
+
+    for (i=0; i < n_manufacturers; i++) {
+	if ( strcmp(manMap[i],string) == 0) {
+	    manufacturer = i;
+	    break;
+	}
+    }
+
+    /* only use sse2 on intel */
+    if (manufacturer != INTEL) {
+	return 0;
+    }
+
+    cpuid(1,&eax,&ebx,&ecx,&edx);
+    return (edx & SSE2_FLAG) == SSE2_FLAG;
+}
+#endif
+
+unsigned long
+s_mpi_getProcessorLineSize()
+{
+    unsigned long eax, ebx, ecx, edx;
+    unsigned long cpuidLevel;
+    unsigned long cacheLineSize = 0;
+    int manufacturer = MAN_UNKNOWN;
+    int i;
+    char string[65];
+
+#if !defined(AMD_64)
+    if (is386()) {
+	return 0; /* 386 had no cache */
+    } if (is486()) {
+	return 32; /* really? need more info */
+    }
+#endif
+
+    /* Pentium, cpuid command is available */
+    cpuid(0, &eax, &ebx, &ecx, &edx);
+    cpuidLevel = eax;
+    *(int *)string = ebx;
+    *(int *)&string[4] = edx;
+    *(int *)&string[8] = ecx;
+    string[12] = 0;
+
+    manufacturer = MAN_UNKNOWN;
+    for (i=0; i < n_manufacturers; i++) {
+	if ( strcmp(manMap[i],string) == 0) {
+	    manufacturer = i;
+	}
+    }
+
+    if (manufacturer == INTEL) {
+	cacheLineSize = getIntelCacheLineSize(cpuidLevel);
+    } else {
+	cacheLineSize = getOtherCacheLineSize(cpuidLevel);
+    }
+    /* doesn't support cache info based on cpuid. This means
+     * an old pentium class processor, which have cache lines of
+     * 32. If we learn differently, we can use a switch based on
+     * the Manufacturer id  */
+    if (cacheLineSize == 0) {
+	cacheLineSize = 32;
+    }
+    return cacheLineSize;
+}
+#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
+#endif
+
+#if defined(__ppc64__) 
+/*
+ *  Sigh, The PPC has some really nice features to help us determine cache
+ *  size, since it had lots of direct control functions to do so. The POWER
+ *  processor even has an instruction to do this, but it was dropped in
+ *  PowerPC. Unfortunately most of them are not available in user mode.
+ *
+ *  The dcbz function would be a great way to determine cache line size except
+ *  1) it only works on write-back memory (it throws an exception otherwise), 
+ *  and 2) because so many mac programs 'knew' the processor cache size was
+ *  32 bytes, they used this instruction as a fast 'zero 32 bytes'. Now the new
+ *  G5 processor has 128 byte cache, but dcbz only clears 32 bytes to keep
+ *  these programs happy. dcbzl work if 64 bit instructions are supported.
+ *  If you know 64 bit instructions are supported, and that stack is 
+ *  write-back, you can use this code.
+ */
+#include "memory.h"
+
+/* clear the cache line that contains 'array' */
+static inline void dcbzl(char *array)
+{
+	register char *a asm("r2") = array;
+	__asm__ __volatile__( "dcbzl %0,r0" : "=r" (a): "0"(a) );
+}
+
+
+#define PPC_DO_ALIGN(x,y) ((char *)\
+			((((long long) (x))+((y)-1))&~((y)-1)))
+
+#define PPC_MAX_LINE_SIZE 256
+unsigned long
+s_mpi_getProcessorLineSize()
+{
+    char testArray[2*PPC_MAX_LINE_SIZE+1];
+    char *test;
+    int i;
+
+    /* align the array on a maximum line size boundary, so we
+     * know we are starting to clear from the first address */
+    test = PPC_DO_ALIGN(testArray, PPC_MAX_LINE_SIZE); 
+    /* set all the values to 1's */
+    memset(test, 0xff, PPC_MAX_LINE_SIZE);
+    /* clear one cache block starting at 'test' */
+    dcbzl(test);
+
+    /* find the size of the cleared area, that's our block size */
+    for (i=PPC_MAX_LINE_SIZE; i != 0; i = i/2) {
+	if (test[i-1] == 0) {
+	    return i;
+	}
+    }
+    return 0;
+}
+
+#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
+#endif
+
+
+/*
+ * put other processor and platform specific cache code here
+ * return the smallest cache line size in bytes on the processor 
+ * (usually the L1 cache). If the OS has a call, this would be
+ * a greate place to put it.
+ *
+ * If there is no cache, return 0;
+ * 
+ * define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED so the generic functions
+ * below aren't compiled.
+ *
+ */
+
+
+/* target.mk can define MPI_CACHE_LINE_SIZE if it's common for the family or 
+ * OS */
+#if defined(MPI_CACHE_LINE_SIZE) && !defined(MPI_GET_PROCESSOR_LINE_SIZE_DEFINED)
+
+unsigned long
+s_mpi_getProcessorLineSize()
+{
+   return MPI_CACHE_LINE_SIZE;
+}
+#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
+#endif
+
+
+/* If no way to get the processor cache line size has been defined, assume
+ * it's 32 bytes (most common value, does not significantly impact performance)
+ */ 
+#ifndef MPI_GET_PROCESSOR_LINE_SIZE_DEFINED
+unsigned long
+s_mpi_getProcessorLineSize()
+{
+   return 32;
+}
+#endif
+
+#ifdef TEST_IT
+#include <stdio.h>
+
+main()
+{
+    printf("line size = %d\n", s_mpi_getProcessorLineSize());
+} 
+#endif
diff --git a/security/nss/lib/freebl/mpi/mpcpucache_amd64.s b/security/nss/lib/freebl/mpi/mpcpucache_amd64.s
new file mode 100644
index 000000000..8f7562461
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpcpucache_amd64.s
@@ -0,0 +1,893 @@
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/
+/ The Original Code is Red Hat code.
+/
+/ The Initial Developer of the Original Code is
+/ Red Hat, Inc.
+/ Portions created by the Initial Developer are Copyright (C) 2005
+/ the Initial Developer. All Rights Reserved.
+/
+/ Contributor(s):
+/	Robert Relyea <rrelyea@redhat.com>
+/
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/
+/ ***** END LICENSE BLOCK *****
+
+	.file	"mpcpucache.c"
+/	.section	.rodata.str1.1,"aMS",@progbits,1
+	.section	.rodata
+.LC0:
+	.string	"GenuineIntel"
+.LC1:
+	.string	"AuthenticAMD"
+.LC2:
+	.string	"CyrixInstead"
+.LC3:
+	.string	"CentaurHauls"
+.LC4:
+	.string	"NexGenDriven"
+.LC5:
+	.string	"GenuineTMx86"
+.LC6:
+	.string	"RiseRiseRise"
+.LC7:
+	.string	"UMC UMC UMC "
+.LC8:
+	.string	"Sis Sis Sis "
+.LC9:
+	.string	"Geode by NSC"
+	.section	.data.rel.ro.local,"aw",@progbits
+	.align 32
+	.type	manMap, @object
+	.size	manMap, 80
+manMap:
+	.quad	.LC0
+	.quad	.LC1
+	.quad	.LC2
+	.quad	.LC3
+	.quad	.LC4
+	.quad	.LC5
+	.quad	.LC6
+	.quad	.LC7
+	.quad	.LC8
+	.quad	.LC9
+	.section	.rodata
+	.align 32
+	.type	CacheMap, @object
+	.size	CacheMap, 512
+CacheMap:
+	.byte	0
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.zero	1
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	0
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	64
+	.byte	8
+	.byte	64
+	.byte	8
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	5
+	.byte	1
+	.byte	5
+	.byte	1
+	.byte	5
+	.byte	1
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.text
+	.align	16
+	.type	cpuid, @function
+cpuid:
+.LFB2:
+	movq	%rdx, %r10
+	pushq	%rbx
+.LCFI0:
+	movq	%rcx, %r11
+	movq	%rdi, %rax
+/APP
+	cpuid
+	
+/NO_APP
+	movq	%rax, (%rsi)
+	movq	%rbx, (%r10)
+	popq	%rbx
+	movq	%rcx, (%r11)
+	movq	%rdx, (%r8)
+	ret
+.LFE2:
+	.size	cpuid, .-cpuid
+	.align	16
+	.type	getIntelCacheEntryLineSize, @function
+getIntelCacheEntryLineSize:
+.LFB3:
+	leaq	CacheMap(%rip), %r9
+	movq	%rdx, %r10
+	movzbl	1(%r9,%rdi,2), %ecx
+	movzbl	(%r9,%rdi,2), %r8d
+	testb	%cl, %cl
+	je	.L2
+	cmpl	$6, %r8d
+	sete	%dl
+	cmpl	$8, %r8d
+	sete	%al
+	orl	%edx, %eax
+	testb	$1, %al
+	je	.L4
+	movl	$1, (%rsi)
+.L9:
+	movzbl	%cl, %eax 
+	movq	%rax, (%r10)
+	ret
+	.align	16
+.L4:
+	movl	(%rsi), %r11d
+	cmpl	$1, %r11d
+	jg	.L11
+.L6:
+	cmpl	$2, %r11d
+	jle	.L2
+	cmpl	$12, %r8d
+	sete	%dl
+	cmpl	$14, %r8d
+	sete	%al
+	orl	%edx, %eax
+	testb	$1, %al
+	je	.L2
+	movzbq	1(%r9,%rdi,2), %rax
+	movl	$3, (%rsi)
+	movq	%rax, (%r10)
+	.align	16
+.L2:
+	rep ; ret
+	.align	16
+.L11:
+	cmpl	$9, %r8d
+	sete	%dl
+	cmpl	$11, %r8d
+	sete	%al
+	orl	%edx, %eax
+	testb	$1, %al
+	je	.L6
+	movl	$2, (%rsi)
+	jmp	.L9
+.LFE3:
+	.size	getIntelCacheEntryLineSize, .-getIntelCacheEntryLineSize
+	.align	16
+	.type	getIntelRegisterCacheLineSize, @function
+getIntelRegisterCacheLineSize:
+.LFB4:
+	pushq	%rbp
+.LCFI1:
+	movq	%rsp, %rbp
+.LCFI2:
+	movq	%rbx, -24(%rbp)
+.LCFI3:
+	movq	%rdi, %rbx
+	shrq	$24, %rdi
+	movq	%r12, -16(%rbp)
+.LCFI4:
+	movq	%r13, -8(%rbp)
+.LCFI5:
+	andl	$255, %edi
+	subq	$24, %rsp
+.LCFI6:
+	movq	%rsi, %r13
+	movq	%rdx, %r12
+	call	getIntelCacheEntryLineSize
+	movq	%rbx, %rdi
+	movq	%r12, %rdx
+	movq	%r13, %rsi
+	shrq	$16, %rdi
+	andl	$255, %edi
+	call	getIntelCacheEntryLineSize
+	movq	%rbx, %rdi
+	movq	%r12, %rdx
+	movq	%r13, %rsi
+	shrq	$8, %rdi
+	andl	$255, %ebx
+	andl	$255, %edi
+	call	getIntelCacheEntryLineSize
+	movq	%r12, %rdx
+	movq	%r13, %rsi
+	movq	%rbx, %rdi
+	movq	8(%rsp), %r12
+	movq	(%rsp), %rbx
+	movq	16(%rsp), %r13
+	leave
+	jmp	getIntelCacheEntryLineSize
+.LFE4:
+	.size	getIntelRegisterCacheLineSize, .-getIntelRegisterCacheLineSize
+	.align	16
+.globl s_mpi_getProcessorLineSize
+	.type	s_mpi_getProcessorLineSize, @function
+s_mpi_getProcessorLineSize:
+.LFB7:
+	pushq	%rbp
+.LCFI7:
+	xorl	%edi, %edi
+	movq	%rsp, %rbp
+.LCFI8:
+	pushq	%r15
+.LCFI9:
+	leaq	-136(%rbp), %r8
+	leaq	-144(%rbp), %rcx
+	leaq	-152(%rbp), %rdx
+	pushq	%r14
+.LCFI10:
+	leaq	-160(%rbp), %rsi
+	leaq	-128(%rbp), %r14
+	pushq	%r13
+.LCFI11:
+	leaq	manMap(%rip), %r13
+	pushq	%r12
+.LCFI12:
+	movl	$9, %r12d
+	pushq	%rbx
+.LCFI13:
+	xorl	%ebx, %ebx
+	subq	$200, %rsp
+.LCFI14:
+	call	cpuid
+	movq	-152(%rbp), %rax
+	movq	-160(%rbp), %r15
+	movb	$0, -116(%rbp)
+	movl	%eax, -128(%rbp)
+	movq	-136(%rbp), %rax
+	movl	%eax, -124(%rbp)
+	movq	-144(%rbp), %rax
+	movl	%eax, -120(%rbp)
+	.align	16
+.L18:
+	movslq	%ebx,%rax
+	movq	%r14, %rsi
+	movq	(%r13,%rax,8), %rdi
+	call	strcmp@PLT
+	testl	%eax, %eax
+	cmove	%ebx, %r12d
+	incl	%ebx
+	cmpl	$9, %ebx
+	jle	.L18
+	testl	%r12d, %r12d
+	jne	.L19
+	xorl	%eax, %eax
+	decl	%r15d
+	movl	$4, -204(%rbp)
+	movq	$0, -200(%rbp)
+	jle	.L21
+	leaq	-168(%rbp), %r8
+	leaq	-176(%rbp), %rcx
+	leaq	-184(%rbp), %rdx
+	leaq	-192(%rbp), %rsi
+	movl	$2, %edi
+	xorl	%ebx, %ebx
+	call	cpuid
+	movq	-192(%rbp), %rdi
+	movl	%edi, %r12d
+	andl	$15, %r12d
+	cmpl	%r12d, %ebx
+	jl	.L30
+	jmp	.L38
+	.align	16
+.L25:
+	movq	-184(%rbp), %rdi
+	testl	$2147483648, %edi 
+	je	.L40
+.L26:
+	movq	-176(%rbp), %rdi
+	testl	$2147483648, %edi 
+	je	.L41
+.L27:
+	movq	-168(%rbp), %rdi
+	testl	$2147483648, %edi 
+	je	.L42
+.L28:
+	incl	%ebx
+	cmpl	%r12d, %ebx
+	je	.L24
+	leaq	-168(%rbp), %r8
+	leaq	-176(%rbp), %rcx
+	leaq	-184(%rbp), %rdx
+	leaq	-192(%rbp), %rsi
+	movl	$2, %edi
+	call	cpuid
+.L24:
+	cmpl	%r12d, %ebx
+	jge	.L38
+	movq	-192(%rbp), %rdi
+.L30:
+	testl	$2147483648, %edi 
+	jne	.L25
+	leaq	-200(%rbp), %rdx
+	leaq	-204(%rbp), %rsi
+	andl	$4294967040, %edi
+	call	getIntelRegisterCacheLineSize
+	movq	-184(%rbp), %rdi
+	testl	$2147483648, %edi 
+	jne	.L26
+.L40:
+	leaq	-200(%rbp), %rdx
+	leaq	-204(%rbp), %rsi
+	call	getIntelRegisterCacheLineSize
+	movq	-176(%rbp), %rdi
+	testl	$2147483648, %edi 
+	jne	.L27
+.L41:
+	leaq	-200(%rbp), %rdx
+	leaq	-204(%rbp), %rsi
+	call	getIntelRegisterCacheLineSize
+	movq	-168(%rbp), %rdi
+	testl	$2147483648, %edi 
+	jne	.L28
+.L42:
+	leaq	-200(%rbp), %rdx
+	leaq	-204(%rbp), %rsi
+	call	getIntelRegisterCacheLineSize
+	jmp	.L28
+.L38:
+	movq	-200(%rbp), %rax
+.L21:
+	movq	%rax, %rdx
+	movl	$32, %eax
+	testq	%rdx, %rdx
+	cmoveq	%rax, %rdx
+	addq	$200, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	popq	%r15
+	leave
+	movq	%rdx, %rax
+	ret
+.L19:
+	leaq	-216(%rbp), %r8
+	leaq	-224(%rbp), %rcx
+	leaq	-232(%rbp), %rdx
+	leaq	-240(%rbp), %rsi
+	movl	$2147483648, %edi
+	xorl	%ebx, %ebx
+	call	cpuid
+	movl	$2147483652, %eax
+	cmpq	%rax, -240(%rbp)
+	ja	.L43
+.L32:
+	movq	%rbx, %rdx
+	movl	$32, %eax
+	testq	%rdx, %rdx
+	cmoveq	%rax, %rdx
+	addq	$200, %rsp
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	popq	%r15
+	leave
+	movq	%rdx, %rax
+	ret
+.L43:
+	leaq	-216(%rbp), %r8
+	leaq	-224(%rbp), %rcx
+	leaq	-232(%rbp), %rdx
+	leaq	-240(%rbp), %rsi
+	movl	$2147483653, %edi
+	call	cpuid
+	movzbq	-224(%rbp), %rbx
+	jmp	.L32
+.LFE7:
+	.size	s_mpi_getProcessorLineSize, .-s_mpi_getProcessorLineSize
diff --git a/security/nss/lib/freebl/mpi/mpcpucache_x86.s b/security/nss/lib/freebl/mpi/mpcpucache_x86.s
new file mode 100644
index 000000000..5b6b8d864
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpcpucache_x86.s
@@ -0,0 +1,933 @@
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/
+/ The Original Code is Red Hat code.
+/
+/ The Initial Developer of the Original Code is
+/ Red Hat, Inc.
+/ Portions created by the Initial Developer are Copyright (C) 2005
+/ the Initial Developer. All Rights Reserved.
+/
+/ Contributor(s):
+/	Robert Relyea <rrelyea@redhat.com>
+/
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/
+/ ***** END LICENSE BLOCK *****
+
+	.file	"mpcpucache.c"
+/	.section	.rodata.str1.1,"aMS",@progbits,1
+	.section	.rodata
+.LC0:
+	.string	"GenuineIntel"
+.LC1:
+	.string	"AuthenticAMD"
+.LC2:
+	.string	"CyrixInstead"
+.LC3:
+	.string	"CentaurHauls"
+.LC4:
+	.string	"NexGenDriven"
+.LC5:
+	.string	"GenuineTMx86"
+.LC6:
+	.string	"RiseRiseRise"
+.LC7:
+	.string	"UMC UMC UMC "
+.LC8:
+	.string	"Sis Sis Sis "
+.LC9:
+	.string	"Geode by NSC"
+	.section	.data.rel.ro.local,"aw",@progbits
+	.align 32
+	.type	manMap, @object
+	.size	manMap, 40
+manMap:
+	.long	.LC0
+	.long	.LC1
+	.long	.LC2
+	.long	.LC3
+	.long	.LC4
+	.long	.LC5
+	.long	.LC6
+	.long	.LC7
+	.long	.LC8
+	.long	.LC9
+	.section	.rodata
+	.align 32
+	.type	CacheMap, @object
+	.size	CacheMap, 512
+CacheMap:
+	.byte	0
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.zero	1
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	12
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	7
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	0
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	8
+	.byte	64
+	.byte	8
+	.byte	64
+	.byte	8
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	5
+	.byte	1
+	.byte	5
+	.byte	1
+	.byte	5
+	.byte	1
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	32
+	.byte	9
+	.byte	64
+	.byte	9
+	.byte	64
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	3
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	4
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.byte	1
+	.byte	0
+	.text
+	.align	4
+	.type	cpuid, @function
+cpuid:
+	pushl	%ebp
+	pushl	%edi
+	pushl	%esi
+	subl	$8, %esp
+	movl	%edx, %ebp
+/APP
+	pushl %ebx
+	cpuid
+	mov %ebx,%esi
+	popl %ebx
+	
+/NO_APP
+	movl	%eax, (%ebp)
+	movl	24(%esp), %eax
+	movl	%esi, (%eax)
+	movl	28(%esp), %eax
+	movl	%ecx, (%eax)
+	movl	32(%esp), %eax
+	movl	%edx, (%eax)
+	addl	$8, %esp
+	popl	%esi
+	popl	%edi
+	popl	%ebp
+	ret
+	.size	cpuid, .-cpuid
+	.align	4
+	.type	changeFlag, @function
+changeFlag:
+/APP
+	pushfl
+	popl %edx
+	movl %edx,%ecx
+	xorl %eax,%edx
+	pushl %edx
+	popfl
+	pushfl
+	popl %edx
+	pushl %ecx
+	popfl
+	
+/NO_APP
+	xorl	%ecx, %edx
+	movl	%edx, %eax
+	ret
+	.size	changeFlag, .-changeFlag
+	.align	4
+	.type	getIntelCacheEntryLineSize, @function
+getIntelCacheEntryLineSize:
+	pushl	%edi
+	pushl	%esi
+	pushl	%ebx
+	call	.L17
+.L17:
+	popl	%ebx
+	addl	$_GLOBAL_OFFSET_TABLE_+[.-.L17], %ebx
+	movzbl	CacheMap@GOTOFF(%ebx,%eax,2), %ecx
+	movb	1+CacheMap@GOTOFF(%ebx,%eax,2), %al
+	testb	%al, %al
+	movl	16(%esp), %edi
+	je	.L3
+	cmpl	$6, %ecx
+	je	.L6
+	cmpl	$8, %ecx
+	je	.L6
+	movl	(%edx), %esi
+	cmpl	$1, %esi
+	jg	.L15
+.L8:
+	cmpl	$2, %esi
+	jle	.L3
+	cmpl	$12, %ecx
+	je	.L12
+	cmpl	$14, %ecx
+	je	.L12
+	.align	4
+.L3:
+	popl	%ebx
+	popl	%esi
+	popl	%edi
+	ret
+	.align	4
+.L6:
+	movzbl	%al, %eax
+	movl	$1, (%edx)
+	movl	%eax, (%edi)
+.L16:
+	popl	%ebx
+	popl	%esi
+	popl	%edi
+	ret
+	.align	4
+.L15:
+	cmpl	$9, %ecx
+	je	.L9
+	cmpl	$11, %ecx
+	jne	.L8
+.L9:
+	movzbl	%al, %eax
+	movl	$2, (%edx)
+	movl	%eax, (%edi)
+	jmp	.L16
+.L12:
+	movzbl	%al, %eax
+	movl	$3, (%edx)
+	movl	%eax, (%edi)
+	jmp	.L16
+	.size	getIntelCacheEntryLineSize, .-getIntelCacheEntryLineSize
+	.align	4
+	.type	getIntelRegisterCacheLineSize, @function
+getIntelRegisterCacheLineSize:
+	pushl	%ebp
+	movl	%esp, %ebp
+	pushl	%edi
+	pushl	%esi
+	pushl	%ecx
+	movl	8(%ebp), %edi
+	movl	%eax, %esi
+	movl	%edx, -12(%ebp)
+	shrl	$24, %eax
+	pushl	%edi
+	call	getIntelCacheEntryLineSize
+	movl	%esi, %eax
+	pushl	%edi
+	shrl	$16, %eax
+	movl	-12(%ebp), %edx
+	andl	$255, %eax
+	call	getIntelCacheEntryLineSize
+	pushl	%edi
+	movl	%esi, %edx
+	movzbl	%dh, %eax
+	movl	-12(%ebp), %edx
+	call	getIntelCacheEntryLineSize
+	andl	$255, %esi
+	movl	%edi, 8(%ebp)
+	movl	-12(%ebp), %edx
+	addl	$12, %esp
+	leal	-8(%ebp), %esp
+	movl	%esi, %eax
+	popl	%esi
+	popl	%edi
+	leave
+	jmp	getIntelCacheEntryLineSize
+	.size	getIntelRegisterCacheLineSize, .-getIntelRegisterCacheLineSize
+	.align	4
+.globl s_mpi_getProcessorLineSize
+	.type	s_mpi_getProcessorLineSize, @function
+s_mpi_getProcessorLineSize:
+	pushl	%ebp
+	movl	%esp, %ebp
+	pushl	%edi
+	pushl	%esi
+	pushl	%ebx
+	subl	$188, %esp
+	call	.L52
+.L52:
+	popl	%ebx
+	addl	$_GLOBAL_OFFSET_TABLE_+[.-.L52], %ebx
+	movl	$9, -168(%ebp)
+	movl	$262144, %eax
+	call	changeFlag
+	xorl	%edx, %edx
+	testl	%eax, %eax
+	jne	.L50
+.L19:
+	leal	-12(%ebp), %esp
+	popl	%ebx
+	popl	%esi
+	movl	%edx, %eax
+	popl	%edi
+	leave
+	ret
+	.align	4
+.L50:
+	movl	$2097152, %eax
+	call	changeFlag
+	testl	%eax, %eax
+	movl	$32, %edx
+	je	.L19
+	leal	-108(%ebp), %eax
+	pushl	%eax
+	leal	-112(%ebp), %eax
+	pushl	%eax
+	leal	-116(%ebp), %eax
+	pushl	%eax
+	leal	-120(%ebp), %edx
+	xorl	%eax, %eax
+	call	cpuid
+	movl	-120(%ebp), %eax
+	movl	%eax, -164(%ebp)
+	movl	-116(%ebp), %eax
+	movl	%eax, -104(%ebp)
+	movl	-108(%ebp), %eax
+	movl	%eax, -100(%ebp)
+	movl	-112(%ebp), %eax
+	movl	%eax, -96(%ebp)
+	movb	$0, -92(%ebp)
+	xorl	%esi, %esi
+	addl	$12, %esp
+	leal	-104(%ebp), %edi
+	.align	4
+.L28:
+	subl	$8, %esp
+	pushl	%edi
+	pushl	manMap@GOTOFF(%ebx,%esi,4)
+	call	strcmp@PLT
+	addl	$16, %esp
+	testl	%eax, %eax
+	jne	.L26
+	movl	%esi, -168(%ebp)
+.L26:
+	incl	%esi
+	cmpl	$9, %esi
+	jle	.L28
+	movl	-168(%ebp), %eax
+	testl	%eax, %eax
+	jne	.L29
+	xorl	%eax, %eax
+	cmpl	$1, -164(%ebp)
+	movl	$4, -144(%ebp)
+	movl	$0, -140(%ebp)
+	jle	.L41
+	leal	-124(%ebp), %edx
+	movl	%edx, -188(%ebp)
+	leal	-128(%ebp), %eax
+	pushl	%edx
+	movl	%eax, -184(%ebp)
+	leal	-132(%ebp), %edx
+	pushl	%eax
+	movl	%edx, -180(%ebp)
+	movl	$2, %eax
+	pushl	%edx
+	leal	-136(%ebp), %edx
+	call	cpuid
+	movl	-136(%ebp), %eax
+	movl	%eax, %edi
+	andl	$15, %edi
+	xorl	%esi, %esi
+	addl	$12, %esp
+	leal	-140(%ebp), %edx
+	cmpl	%edi, %esi
+	movl	%edx, -176(%ebp)
+	jl	.L40
+	jmp	.L48
+	.align	4
+.L49:
+	movl	-136(%ebp), %eax
+.L40:
+	testl	%eax, %eax
+	js	.L35
+	xorb	%al, %al
+	pushl	-176(%ebp)
+	leal	-144(%ebp), %edx
+	call	getIntelRegisterCacheLineSize
+	popl	%eax
+.L35:
+	movl	-132(%ebp), %eax
+	testl	%eax, %eax
+	js	.L36
+	pushl	-176(%ebp)
+	leal	-144(%ebp), %edx
+	call	getIntelRegisterCacheLineSize
+	popl	%eax
+.L36:
+	movl	-128(%ebp), %eax
+	testl	%eax, %eax
+	js	.L37
+	pushl	-176(%ebp)
+	leal	-144(%ebp), %edx
+	call	getIntelRegisterCacheLineSize
+	popl	%eax
+.L37:
+	movl	-124(%ebp), %eax
+	testl	%eax, %eax
+	js	.L38
+	pushl	-176(%ebp)
+	leal	-144(%ebp), %edx
+	call	getIntelRegisterCacheLineSize
+	popl	%eax
+.L38:
+	incl	%esi
+	cmpl	%edi, %esi
+	je	.L34
+	pushl	-188(%ebp)
+	pushl	-184(%ebp)
+	pushl	-180(%ebp)
+	leal	-136(%ebp), %edx
+	movl	$2, %eax
+	call	cpuid
+	addl	$12, %esp
+.L34:
+	cmpl	%edi, %esi
+	jl	.L49
+.L48:
+	movl	-140(%ebp), %eax
+.L41:
+	testl	%eax, %eax
+	jne	.L44
+	movb	$32, %al
+.L44:
+	leal	-12(%ebp), %esp
+	popl	%ebx
+	popl	%esi
+	movl	%eax, %edx
+	movl	%edx, %eax
+	popl	%edi
+	leave
+	ret
+.L29:
+	leal	-148(%ebp), %eax
+	movl	%eax, -192(%ebp)
+	movl	$0, -172(%ebp)
+	leal	-152(%ebp), %edi
+	pushl	%eax
+	pushl	%edi
+	leal	-156(%ebp), %esi
+	pushl	%esi
+	leal	-160(%ebp), %edx
+	movl	$-2147483648, %eax
+	call	cpuid
+	addl	$12, %esp
+	cmpl	$-2147483644, -160(%ebp)
+	ja	.L51
+.L42:
+	movl	-172(%ebp), %eax
+	jmp	.L41
+.L51:
+	pushl	-192(%ebp)
+	pushl	%edi
+	pushl	%esi
+	leal	-160(%ebp), %edx
+	movl	$-2147483643, %eax
+	call	cpuid
+	movzbl	-152(%ebp), %edx
+	addl	$12, %esp
+	movl	%edx, -172(%ebp)
+	jmp	.L42
+	.size	s_mpi_getProcessorLineSize, .-s_mpi_getProcessorLineSize
diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h
new file mode 100644
index 000000000..45d8fc233
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-config.h
@@ -0,0 +1,112 @@
+/* Default configuration for MPI library 
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef MPI_CONFIG_H_
+#define MPI_CONFIG_H_
+
+/*
+  For boolean options, 
+  0 = no
+  1 = yes
+
+  Other options are documented individually.
+
+ */
+
+#ifndef MP_IOFUNC
+#define MP_IOFUNC     0  /* include mp_print() ?                */
+#endif
+
+#ifndef MP_MODARITH
+#define MP_MODARITH   1  /* include modular arithmetic ?        */
+#endif
+
+#ifndef MP_NUMTH
+#define MP_NUMTH      1  /* include number theoretic functions? */
+#endif
+
+#ifndef MP_LOGTAB
+#define MP_LOGTAB     1  /* use table of logs instead of log()? */
+#endif
+
+#ifndef MP_MEMSET
+#define MP_MEMSET     1  /* use memset() to zero buffers?       */
+#endif
+
+#ifndef MP_MEMCPY
+#define MP_MEMCPY     1  /* use memcpy() to copy buffers?       */
+#endif
+
+#ifndef MP_CRYPTO
+#define MP_CRYPTO     1  /* erase memory on free?               */
+#endif
+
+#ifndef MP_ARGCHK
+/*
+  0 = no parameter checks
+  1 = runtime checks, continue execution and return an error to caller
+  2 = assertions; dump core on parameter errors
+ */
+#ifdef DEBUG
+#define MP_ARGCHK     2  /* how to check input arguments        */
+#else
+#define MP_ARGCHK     1  /* how to check input arguments        */
+#endif
+#endif
+
+#ifndef MP_DEBUG
+#define MP_DEBUG      0  /* print diagnostic output?            */
+#endif
+
+#ifndef MP_DEFPREC
+#define MP_DEFPREC    64 /* default precision, in digits        */
+#endif
+
+#ifndef MP_MACRO
+#define MP_MACRO      0  /* use macros for frequent calls?      */
+#endif
+
+#ifndef MP_SQUARE
+#define MP_SQUARE     1  /* use separate squaring code?         */
+#endif
+
+#endif /* ifndef MPI_CONFIG_H_ */
+
+
diff --git a/security/nss/lib/freebl/mpi/mpi-priv.h b/security/nss/lib/freebl/mpi/mpi-priv.h
new file mode 100644
index 000000000..e033a5e24
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-priv.h
@@ -0,0 +1,318 @@
+/*
+ *  mpi-priv.h	- Private header file for MPI 
+ *  Arbitrary precision integer arithmetic library
+ *
+ *  NOTE WELL: the content of this header file is NOT part of the "public"
+ *  API for the MPI library, and may change at any time.  
+ *  Application programs that use libmpi should NOT include this header file.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#ifndef _MPI_PRIV_H_
+#define _MPI_PRIV_H_ 1
+
+#include "mpi.h"
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#if MP_DEBUG
+#include <stdio.h>
+
+#define DIAG(T,V) {fprintf(stderr,T);mp_print(V,stderr);fputc('\n',stderr);}
+#else
+#define DIAG(T,V)
+#endif
+
+/* If we aren't using a wired-in logarithm table, we need to include
+   the math library to get the log() function
+ */
+
+/* {{{ s_logv_2[] - log table for 2 in various bases */
+
+#if MP_LOGTAB
+/*
+  A table of the logs of 2 for various bases (the 0 and 1 entries of
+  this table are meaningless and should not be referenced).  
+
+  This table is used to compute output lengths for the mp_toradix()
+  function.  Since a number n in radix r takes up about log_r(n)
+  digits, we estimate the output size by taking the least integer
+  greater than log_r(n), where:
+
+  log_r(n) = log_2(n) * log_r(2)
+
+  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
+  which are the output bases supported.  
+ */
+
+extern const float s_logv_2[];
+#define LOG_V_2(R)  s_logv_2[(R)]
+
+#else
+
+/* 
+   If MP_LOGTAB is not defined, use the math library to compute the
+   logarithms on the fly.  Otherwise, use the table.
+   Pick which works best for your system.
+ */
+
+#include <math.h>
+#define LOG_V_2(R)  (log(2.0)/log(R))
+
+#endif /* if MP_LOGTAB */
+
+/* }}} */
+
+/* {{{ Digit arithmetic macros */
+
+/*
+  When adding and multiplying digits, the results can be larger than
+  can be contained in an mp_digit.  Thus, an mp_word is used.  These
+  macros mask off the upper and lower digits of the mp_word (the
+  mp_word may be more than 2 mp_digits wide, but we only concern
+  ourselves with the low-order 2 mp_digits)
+ */
+
+#define  CARRYOUT(W)  (mp_digit)((W)>>DIGIT_BIT)
+#define  ACCUM(W)     (mp_digit)(W)
+
+#define MP_MIN(a,b)   (((a) < (b)) ? (a) : (b))
+#define MP_MAX(a,b)   (((a) > (b)) ? (a) : (b))
+#define MP_HOWMANY(a,b) (((a) + (b) - 1)/(b))
+#define MP_ROUNDUP(a,b) (MP_HOWMANY(a,b) * (b))
+
+/* }}} */
+
+/* {{{ Comparison constants */
+
+#define  MP_LT       -1
+#define  MP_EQ        0
+#define  MP_GT        1
+
+/* }}} */
+
+/* {{{ private function declarations */
+
+/* 
+   If MP_MACRO is false, these will be defined as actual functions;
+   otherwise, suitable macro definitions will be used.  This works
+   around the fact that ANSI C89 doesn't support an 'inline' keyword
+   (although I hear C9x will ... about bloody time).  At present, the
+   macro definitions are identical to the function bodies, but they'll
+   expand in place, instead of generating a function call.
+
+   I chose these particular functions to be made into macros because
+   some profiling showed they are called a lot on a typical workload,
+   and yet they are primarily housekeeping.
+ */
+#if MP_MACRO == 0
+ void     s_mp_setz(mp_digit *dp, mp_size count); /* zero digits           */
+ void     s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count); /* copy */
+ void    *s_mp_alloc(size_t nb, size_t ni);       /* general allocator     */
+ void     s_mp_free(void *ptr);                   /* general free function */
+extern unsigned long mp_allocs;
+extern unsigned long mp_frees;
+extern unsigned long mp_copies;
+#else
+
+ /* Even if these are defined as macros, we need to respect the settings
+    of the MP_MEMSET and MP_MEMCPY configuration options...
+  */
+ #if MP_MEMSET == 0
+  #define  s_mp_setz(dp, count) \
+       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=0;}
+ #else
+  #define  s_mp_setz(dp, count) memset(dp, 0, (count) * sizeof(mp_digit))
+ #endif /* MP_MEMSET */
+
+ #if MP_MEMCPY == 0
+  #define  s_mp_copy(sp, dp, count) \
+       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=(sp)[ix];}
+ #else
+  #define  s_mp_copy(sp, dp, count) memcpy(dp, sp, (count) * sizeof(mp_digit))
+ #endif /* MP_MEMCPY */
+
+ #define  s_mp_alloc(nb, ni)  calloc(nb, ni)
+ #define  s_mp_free(ptr) {if(ptr) free(ptr);}
+#endif /* MP_MACRO */
+
+mp_err   s_mp_grow(mp_int *mp, mp_size min);   /* increase allocated size */
+mp_err   s_mp_pad(mp_int *mp, mp_size min);    /* left pad with zeroes    */
+
+#if MP_MACRO == 0
+ void     s_mp_clamp(mp_int *mp);               /* clip leading zeroes     */
+#else
+ #define  s_mp_clamp(mp)\
+  { mp_size used = MP_USED(mp); \
+    while (used > 1 && DIGIT(mp, used - 1) == 0) --used; \
+    MP_USED(mp) = used; \
+  } 
+#endif /* MP_MACRO */
+
+void     s_mp_exch(mp_int *a, mp_int *b);      /* swap a and b in place   */
+
+mp_err   s_mp_lshd(mp_int *mp, mp_size p);     /* left-shift by p digits  */
+void     s_mp_rshd(mp_int *mp, mp_size p);     /* right-shift by p digits */
+mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d);  /* multiply by 2^d in place */
+void     s_mp_div_2d(mp_int *mp, mp_digit d);  /* divide by 2^d in place  */
+void     s_mp_mod_2d(mp_int *mp, mp_digit d);  /* modulo 2^d in place     */
+void     s_mp_div_2(mp_int *mp);               /* divide by 2 in place    */
+mp_err   s_mp_mul_2(mp_int *mp);               /* multiply by 2 in place  */
+mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd); 
+                                               /* normalize for division  */
+mp_err   s_mp_add_d(mp_int *mp, mp_digit d);   /* unsigned digit addition */
+mp_err   s_mp_sub_d(mp_int *mp, mp_digit d);   /* unsigned digit subtract */
+mp_err   s_mp_mul_d(mp_int *mp, mp_digit d);   /* unsigned digit multiply */
+mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r);
+		                               /* unsigned digit divide   */
+mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu);
+                                               /* Barrett reduction       */
+mp_err   s_mp_add(mp_int *a, const mp_int *b); /* magnitude addition      */
+mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err   s_mp_sub(mp_int *a, const mp_int *b); /* magnitude subtract      */
+mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset);
+                                               /* a += b * RADIX^offset   */
+mp_err   s_mp_mul(mp_int *a, const mp_int *b); /* magnitude multiply      */
+#if MP_SQUARE
+mp_err   s_mp_sqr(mp_int *a);                  /* magnitude square        */
+#else
+#define  s_mp_sqr(a) s_mp_mul(a, a)
+#endif
+mp_err   s_mp_div(mp_int *rem, mp_int *div, mp_int *quot); /* magnitude div */
+mp_err   s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err   s_mp_2expt(mp_int *a, mp_digit k);    /* a = 2^k                 */
+int      s_mp_cmp(const mp_int *a, const mp_int *b); /* magnitude comparison */
+int      s_mp_cmp_d(const mp_int *a, mp_digit d); /* magnitude digit compare */
+int      s_mp_ispow2(const mp_int *v);         /* is v a power of 2?      */
+int      s_mp_ispow2d(mp_digit d);             /* is d a power of 2?      */
+
+int      s_mp_tovalue(char ch, int r);          /* convert ch to value    */
+char     s_mp_todigit(mp_digit val, int r, int low); /* convert val to digit */
+int      s_mp_outlen(int bits, int r);          /* output length in bytes */
+mp_digit s_mp_invmod_radix(mp_digit P);   /* returns (P ** -1) mod RADIX */
+mp_err   s_mp_invmod_odd_m( const mp_int *a, const mp_int *m, mp_int *c);
+mp_err   s_mp_invmod_2d(    const mp_int *a, mp_size k,       mp_int *c);
+mp_err   s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c);
+
+#ifdef NSS_USE_COMBA
+
+#define IS_POWER_OF_2(a) ((a) && !((a) & ((a)-1)))
+
+void s_mp_mul_comba_4(const mp_int *A, const mp_int *B, mp_int *C);
+void s_mp_mul_comba_8(const mp_int *A, const mp_int *B, mp_int *C);
+void s_mp_mul_comba_16(const mp_int *A, const mp_int *B, mp_int *C);
+void s_mp_mul_comba_32(const mp_int *A, const mp_int *B, mp_int *C);
+
+void s_mp_sqr_comba_4(const mp_int *A, mp_int *B);
+void s_mp_sqr_comba_8(const mp_int *A, mp_int *B);
+void s_mp_sqr_comba_16(const mp_int *A, mp_int *B);
+void s_mp_sqr_comba_32(const mp_int *A, mp_int *B);
+
+#endif /* end NSS_USE_COMBA */
+
+/* ------ mpv functions, operate on arrays of digits, not on mp_int's ------ */
+#if defined (__OS2__) && defined (__IBMC__)
+#define MPI_ASM_DECL __cdecl
+#else
+#define MPI_ASM_DECL
+#endif
+
+#ifdef MPI_AMD64
+
+mp_digit MPI_ASM_DECL s_mpv_mul_set_vec64(mp_digit*, mp_digit *, mp_size, mp_digit);
+mp_digit MPI_ASM_DECL s_mpv_mul_add_vec64(mp_digit*, const mp_digit*, mp_size, mp_digit);
+
+/* c = a * b */
+#define s_mpv_mul_d(a, a_len, b, c) \
+	((unsigned long*)c)[a_len] = s_mpv_mul_set_vec64(c, a, a_len, b)
+
+/* c += a * b */
+#define s_mpv_mul_d_add(a, a_len, b, c) \
+	((unsigned long*)c)[a_len] = s_mpv_mul_add_vec64(c, a, a_len, b)
+
+#else
+
+void     MPI_ASM_DECL s_mpv_mul_d(const mp_digit *a, mp_size a_len,
+                                        mp_digit b, mp_digit *c);
+void     MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
+                                            mp_digit b, mp_digit *c);
+
+#endif
+
+void     MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
+                                                mp_size a_len, mp_digit b, 
+			                        mp_digit *c);
+void     MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
+                                                mp_size a_len,
+                                                mp_digit *sqrs);
+
+mp_err   MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
+                            mp_digit divisor, mp_digit *quot, mp_digit *rem);
+
+/* c += a * b * (MP_RADIX ** offset);  */
+#define s_mp_mul_d_add_offset(a, b, c, off) \
+(s_mpv_mul_d_add_prop(MP_DIGITS(a), MP_USED(a), b, MP_DIGITS(c) + off), MP_OKAY)
+
+typedef struct {
+  mp_int       N;	/* modulus N */
+  mp_digit     n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
+  mp_size      b;	/* R == 2 ** b,  also b = # significant bits in N */
+} mp_mont_modulus;
+
+mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
+	               mp_mont_modulus *mmm);
+mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm);
+
+/*
+ * s_mpi_getProcessorLineSize() returns the size in bytes of the cache line
+ * if a cache exists, or zero if there is no cache. If more than one
+ * cache line exists, it should return the smallest line size (which is
+ * usually the L1 cache).
+ *
+ * mp_modexp uses this information to make sure that private key information
+ * isn't being leaked through the cache.
+ *
+ * see mpcpucache.c for the implementation.
+ */
+unsigned long s_mpi_getProcessorLineSize();
+
+/* }}} */
+#endif
+
diff --git a/security/nss/lib/freebl/mpi/mpi-test.c b/security/nss/lib/freebl/mpi/mpi-test.c
new file mode 100644
index 000000000..735a8c3f6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-test.c
@@ -0,0 +1,1986 @@
+/*
+ * mpi-test.c
+ *
+ * This is a general test suite for the MPI library, which tests
+ * all the functions in the library with known values.  The program
+ * exits with a zero (successful) status if the tests pass, or a 
+ * nonzero status if the tests fail.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1999
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+#include "test-info.c"
+
+/* ZS means Zero Suppressed (no leading zeros) */
+#if MP_USE_LONG_DIGIT 
+#define ZS_DIGIT_FMT         "%lX"
+#elif MP_USE_LONG_LONG_DIGIT
+#define ZS_DIGIT_FMT         "%llX"
+#elif MP_USE_UINT_DIGIT 
+#define ZS_DIGIT_FMT         "%X"
+#else
+#error "unknown type of digit"
+#endif
+
+/*
+  Test vectors
+
+  If you intend to change any of these values, you must also recompute
+  the corresponding solutions below.  Basically, these are just hex
+  strings (for the big integers) or integer values (for the digits).
+
+  The comparison tests think they know what relationships hold between
+  these values.  If you change that, you may have to adjust the code
+  for the comparison tests accordingly.  Most of the other tests
+  should be fine as long as you re-compute the solutions, though.
+ */
+const char   *mp1  = "639A868CDA0C569861B";
+const char   *mp2  = "AAFC0A3FE45E5E09DBE2C29";
+const char   *mp3  = "B55AA8DF8A7E83241F38AC7A9E479CAEF2E4D7C5";
+const char   *mp4  = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
+const char   *mp5  = "F595CB42";
+const char   *mp5a = "-4B597E";
+const char   *mp6  = "0";
+const char   *mp7  = "EBFA7121CD838CE6439CC59DDB4CBEF3";
+const char   *mp8  = "5";
+const char   *mp9  = "F74A2876A1432698923B0767DA19DCF3D71795EE";
+const char   *mp10 = "9184E72A000";
+const char   *mp11 = "54D79A3557E8";
+const char   *mp12 = "10000000000000000";
+const char   *mp13 = 
+"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342BDAB6163963C"
+"D5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45F2B050D226E6DA88";
+const char   *mp14 =
+"AC3FA0EABAAC45724814D798942A1E28E14C81E0DE8055CED630E7689DA648683645DB6E"
+"458D9F5338CC3D4E33A5D1C9BF42780133599E60DEE0049AFA8F9489501AE5C9AA2B8C13"
+"FD21285A538B2CA87A626BB56E0A654C8707535E637FF4E39174157402BDE3AA30C9F134"
+"0C1307BAA864B075A9CC828B6A5E2B2BF1AE406D920CC5E7657D7C0E697DEE5375773AF9"
+"E200A1B8FAD7CD141F9EE47ABB55511FEB9A4D99EBA22F3A3FF6792FA7EE9E5DC0EE94F7"
+"7A631EDF3D7DD7C2DAAAFDF234D60302AB63D5234CEAE941B9AF0ADDD9E6E3A940A94EE5"
+"5DB45A7C66E61EDD0477419BBEFA44C325129601C4F45671C6A0E64665DF341D17FBC71F"
+"77418BD9F4375DDB3B9D56126526D8E5E0F35A121FD4F347013DA880020A752324F31DDD"
+"9BCDB13A3B86E207A2DE086825E6EEB87B3A64232CFD8205B799BC018634AAE193F19531"
+"D6EBC19A75F27CFFAA03EB5974898F53FD569AA5CE60F431B53B0CDE715A5F382405C9C4"
+"761A8E24888328F09F7BCE4E8D80C957DF177629C8421ACCD0C268C63C0DD47C3C0D954F"
+"D79F7D7297C6788DF4B3E51381759864D880ACA246DF09533739B8BB6085EAF7AE8DC2D9"
+"F224E6874926C8D24D34B457FD2C9A586C6B99582DC24F787A39E3942786CF1D494B6EB4"
+"A513498CDA0B217C4E80BCE7DA1C704C35E071AC21E0DA9F57C27C3533F46A8D20B04137"
+"C1B1384BE4B2EB46";
+const char   *mp15 = 
+"39849CF7FD65AF2E3C4D87FE5526221103D90BA26A6642FFE3C3ECC0887BBBC57E011BF1"
+"05D822A841653509C68F79EBE51C0099B8CBB04DEF31F36F5954208A3209AC122F0E11D8"
+"4AE67A494D78336A2066D394D42E27EF6B03DDAF6D69F5112C93E714D27C94F82FC7EF77"
+"445768C68EAE1C4A1407BE1B303243391D325090449764AE469CC53EC8012C4C02A72F37"
+"07ED7275D2CC8D0A14B5BCC6BF264941520EBA97E3E6BAE4EE8BC87EE0DDA1F5611A6ECB"
+"65F8AEF4F184E10CADBDFA5A2FEF828901D18C20785E5CC63473D638762DA80625003711"
+"9E984AC43E707915B133543AF9D5522C3E7180DC58E1E5381C1FB7DC6A5F4198F3E88FA6"
+"CBB6DFA8B2D1C763226B253E18BCCB79A29EE82D2DE735078C8AE3C3C86D476AAA08434C"
+"09C274BDD40A1D8FDE38D6536C22F44E807EB73DE4FB36C9F51E0BC835DDBE3A8EFCF2FE"
+"672B525769DC39230EE624D5EEDBD837C82A52E153F37378C3AD68A81A7ADBDF3345DBCE"
+"8FA18CA1DE618EF94DF72EAD928D4F45B9E51632ACF158CF8332C51891D1D12C2A7E6684"
+"360C4BF177C952579A9F442CFFEC8DAE4821A8E7A31C4861D8464CA9116C60866C5E72F7"
+"434ADBED36D54ACDFDFF70A4EFB46E285131FE725F1C637D1C62115EDAD01C4189716327"
+"BFAA79618B1656CBFA22C2C965687D0381CC2FE0245913C4D8D96108213680BD8E93E821"
+"822AD9DDBFE4BD04";
+const char   *mp16 = "4A724340668DB150339A70";
+const char   *mp17 = "8ADB90F58";
+const char   *mp18 = "C64C230AB20E5";
+const char *mp19 = 
+"F1C9DACDA287F2E3C88DCE2393B8F53DAAAC1196DC36510962B6B59454CFE64B";
+const char *mp20 = 
+"D445662C8B6FE394107B867797750C326E0F4A967E135FC430F6CD7207913AC7";
+const char* mp21 = "2";
+
+const mp_digit md1 = 0;
+const mp_digit md2 = 0x1;
+const mp_digit md3 = 0x80;
+const mp_digit md4 = 0x9C97;
+const mp_digit md5 = 0xF5BF;
+const mp_digit md6 = 0x14A0;
+const mp_digit md7 = 0x03E8;
+const mp_digit md8 = 0x0101;
+const mp_digit md9 = 0xA;
+
+/* 
+   Solutions of the form x_mpABC, where:
+
+   x = (p)roduct, (s)um, (d)ifference, (q)uotient, (r)emainder, (g)cd,
+       (i)nverse, (e)xponent, square roo(t), (g)cd, (l)cm.  A
+       leading 'm' indicates a modular operation, e.g. ms_mp12 is the
+       modular sum of operands 1 and 2
+
+   ABC are the operand numbers involved in the computation.  If a 'd'
+   precedes the number, it is a digit operand; if a 'c' precedes it,
+   it is a constant; otherwise, it is a full integer.  
+ */
+
+const char *p_mp12   = "4286AD72E095C9FE009938750743174ADDD7FD1E53";
+const char *p_mp34   = "-46BDBD66CA108C94A8CF46C325F7B6E2F2BA82D35"
+                       "A1BFD6934C441EE369B60CA29BADC26845E918B";
+const char *p_mp57   = "E260C265A0A27C17AD5F4E59D6E0360217A2EBA6";
+const char *p_mp22   = "7233B5C1097FFC77CCF55928FDC3A5D31B712FDE7A1E91";
+const char *p_mp1d4  = "3CECEA2331F4220BEF68DED";
+const char *p_mp8d6  = "6720";
+const char *p_mp1113 =
+"11590FC3831C8C3C51813142C88E566408DB04F9E27642F6471A1822E0100B12F7F1"
+"5699A127C0FA9D26DCBFF458522661F30C6ADA4A07C8C90F9116893F6DBFBF24C3A2"
+"4340";
+const char *p_mp1415 = 
+"26B36540DE8B3586699CCEAE218A2842C7D5A01590E70C4A26E789107FBCDB06AA2C"
+"6DDC39E6FA18B16FCB2E934C9A5F844DAD60EE3B1EA82199EC5E9608F67F860FB965"
+"736055DF0E8F2540EB28D07F47E309B5F5D7C94FF190AB9C83A6970160CA700B1081"
+"F60518132AF28C6CEE6B7C473E461ABAC52C39CED50A08DD4E7EA8BA18DAD545126D"
+"A388F6983C29B6BE3F9DCBC15766E8E6D626A92C5296A9C4653CAE5788350C0E2107"
+"F57E5E8B6994C4847D727FF1A63A66A6CEF42B9C9E6BD04C92550B85D5527DE8A132"
+"E6BE89341A9285C7CE7FB929D871BBCBD0ED2863B6B078B0DBB30FCA66D6C64284D6"
+"57F394A0271E15B6EC7A9D530EBAC6CA262EF6F97E1A29FCE7749240E4AECA591ECF"
+"272122BC587370F9371B67BB696B3CDC1BC8C5B64B6280994EBA00CDEB8EB0F5D06E"
+"18F401D65FDCECF23DD7B9BB5B4C5458AEF2CCC09BA7F70EACB844750ACFD027521E"
+"2E047DE8388B35F8512D3DA46FF1A12D4260213602BF7BFFDB6059439B1BD0676449"
+"8D98C74F48FB3F548948D5BA0C8ECFCD054465132DC43466D6BBD59FBAF8D6D4E157"
+"2D612B40A956C7D3E140F3B8562EF18568B24D335707D5BAC7495014DF2444172426"
+"FD099DED560D30D1F945386604AFC85C64BD1E5F531F5C7840475FC0CF0F79810012"
+"4572BAF5A9910CDBD02B27FFCC3C7E5E88EF59F3AE152476E33EDA696A4F751E0AE4"
+"A3D2792DEA78E25B9110E12A19EFD09EA47FF9D6594DA445478BEB6901EAF8A35B2D"
+"FD59BEE9BF7AA8535B7D326EFA5AA2121B5EBE04DD85827A3D43BD04F4AA6D7B62A2"
+"B6D7A3077286A511A431E1EF75FCEBA3FAE9D5843A8ED17AA02BBB1B571F904699C5"
+"A6073F87DDD012E2322AB3F41F2A61F428636FE86914148E19B8EF8314ED83332F2F"
+"8C2ADE95071E792C0A68B903E060DD322A75FD0C2B992059FCCBB58AFA06B50D1634"
+"BBD93F187FCE0566609FCC2BABB269C66CEB097598AA17957BB4FDA3E64A1B30402E"
+"851CF9208E33D52E459A92C63FBB66435BB018E155E2C7F055E0B7AB82CD58FC4889"
+"372ED9EEAC2A07E8E654AB445B9298D2830D6D4DFD117B9C8ABE3968927DC24B3633"
+"BAD6E6466DB45DDAE87A0AB00336AC2CCCE176704F7214FCAB55743AB76C2B6CA231"
+"7984610B27B5786DE55C184DDF556EDFEA79A3652831940DAD941E243F482DC17E50"
+"284BC2FB1AD712A92542C573E55678878F02DFD9E3A863C7DF863227AEDE14B47AD3"
+"957190124820ADC19F5353878EDB6BF7D0C77352A6E3BDB53EEB88F5AEF6226D6E68"
+"756776A8FB49B77564147A641664C2A54F7E5B680CCC6A4D22D894E464DF20537094"
+"548F1732452F9E7F810C0B4B430C073C0FBCE03F0D03F82630654BCE166AA772E1EE"
+"DD0C08D3E3EBDF0AF54203B43AFDFC40D8FC79C97A4B0A4E1BEB14D8FCEFDDED8758"
+"6ED65B18";
+const char *p_mp2121 = "4";
+const char *mp_mp345 = "B9B6D3A3";
+const char *mp_mp335 = "16609C2D";
+
+const char *s_mp13   = "B55AA8DF8A7E83241F38B2B446B06A4FB84E5DE0";
+const char *s_mp34   = "517EE6B92EF65C965736EB6BF7C325F73504CEB6";
+const char *s_mp46   = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
+const char *s_mp5d4  = "F59667D9";
+const char *s_mp2d5  = "AAFC0A3FE45E5E09DBF21E8";
+const char *s_mp1415 = 
+"E5C43DE2B811F4A084625F96E9504039E5258D8348E698CEB9F4D4292622042DB446"
+"F75F4B65C1FB7A317257FA354BB5A45E789AEC254EAECE11F80A53E3B513822491DB"
+"D9399DEC4807A2A3A10360129AC93F4A42388D3BF20B310DD0E9E9F4BE07FC88D53A"
+"78A26091E0AB506A70813712CCBFBDD440A69A906E650EE090FDD6A42A95AC1A414D"
+"317F1A9F781E6A30E9EE142ECDA45A1E3454A1417A7B9A613DA90831CF88EA1F2E82"
+"41AE88CC4053220903C2E05BCDD42F02B8CF8868F84C64C5858BAD356143C5494607"
+"EE22E11650148BAF65A985F6FC4CA540A55697F2B5AA95D6B8CF96EF638416DE1DD6"
+"3BA9E2C09E22D03E75B60BE456C642F86B82A709253E5E087B507DE3A45F8392423F"
+"4DBC284E8DC88C43CA77BC8DCEFB6129A59025F80F90FF978116DEBB9209E306FBB9"
+"1B6111F8B8CFACB7C7C9BC12691C22EE88303E1713F1DFCEB622B8EA102F6365678B"
+"C580ED87225467AA78E875868BD53B17574BA59305BC1AC666E4B7E9ED72FCFC200E"
+"189D98FC8C5C7533739C53F52DDECDDFA5A8668BFBD40DABC9640F8FCAE58F532940"
+"8162261320A25589E9FB51B50F80056471F24B7E1AEC35D1356FC2747FFC13A04B34"
+"24FCECE10880BD9D97CA8CDEB2F5969BF4F30256EB5ED2BCD1DC64BDC2EE65217848"
+"48A37FB13F84ED4FB7ACA18C4639EE64309BDD3D552AEB4AAF44295943DC1229A497"
+"A84A";
+
+const char *ms_mp345 = "1E71E292";
+
+const char *d_mp12   = "-AAFBA6A55DD183FD854A60E";
+const char *d_mp34   = "119366B05E606A9B1E73A6D8944CC1366B0C4E0D4";
+const char *d_mp5d4  = "F5952EAB";
+const char *d_mp6d2  = "-1";
+const char *md_mp345 = "26596B86";
+
+const char *q_mp42   = "-95825A1FFA1A155D5";
+const char *r_mp42   = "-6312E99D7700A3DCB32ADF2";
+const char *q_mp45a  = "15344CDA3D841F661D2B61B6EDF7828CE36";
+const char *r_mp45a  = "-47C47B";
+const char *q_mp7c2  = "75FD3890E6C1C67321CE62CEEDA65F79";
+const char *q_mp3d6  = "8CAFD53C272BD6FE8B0847BDC3B539EFAB5C3";
+const char *r_mp3d6  = "1E5";
+const char *r_mp5d5  = "1257";
+const char *r_mp47   = "B3A9018D970281A90FB729A181D95CB8";
+const char *q_mp1404 = 
+"-1B994D869142D3EF6123A3CBBC3C0114FA071CFCEEF4B7D231D65591D32501AD80F"
+"FF49AE4EC80514CC071EF6B42521C2508F4CB2FEAD69A2D2EF3934087DCAF88CC4C4"
+"659F1CA8A7F4D36817D802F778F1392337FE36302D6865BF0D4645625DF8BB044E19"
+"930635BE2609FAC8D99357D3A9F81F2578DE15A300964188292107DAC980E0A08CD7"
+"E938A2135FAD45D50CB1D8C2D4C4E60C27AB98B9FBD7E4DBF752C57D2674520E4BB2"
+"7E42324C0EFE84FB3E38CF6950E699E86FD45FE40D428400F2F94EDF7E94FAE10B45"
+"89329E1BF61E5A378C7B31C9C6A234F8254D4C24823B84D0BF8D671D8BC9154DFAC9"
+"49BD8ACABD6BD32DD4DC587F22C86153CB3954BDF7C2A890D623642492C482CF3E2C"
+"776FC019C3BBC61688B485E6FD35D6376089C1E33F880E84C4E51E8ABEACE1B3FB70"
+"3EAD0E28D2D44E7F1C0A859C840775E94F8C1369D985A3C5E8114B21D68B3CBB75D2"
+"791C586153C85B90CAA483E57A40E2D97950AAB84920A4396C950C87C7FFFE748358"
+"42A0BF65445B26D40F05BE164B822CA96321F41D85A289C5F5CD5F438A78704C9683"
+"422299D21899A22F853B0C93081CC9925E350132A0717A611DD932A68A0ACC6E4C7F"
+"7F685EF8C1F4910AEA5DC00BB5A36FCA07FFEAA490C547F6E14A08FE87041AB803E1"
+"BD9E23E4D367A2C35762F209073DFF48F3";
+const char *r_mp1404 = "12FF98621ABF63144BFFC3207AC8FC10D8D1A09";
+
+const char *q_mp13c  = 
+		"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342"
+		"BDAB6163963CD5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45";
+const char *r_mp13c  = "F2B050D226E6DA88";
+const char *q_mp9c16 = "F74A2876A1432698923B0767DA19DCF3D71795E";
+const char *r_mp9c16 = "E";
+
+const char *e_mp5d9 = "A8FD7145E727A20E52E73D22990D35D158090307A"
+		      "13A5215AAC4E9AB1E96BD34E531209E03310400";
+const char *e_mp78  = "AA5F72C737DFFD8CCD108008BFE7C79ADC01A819B"
+		      "32B75FB82EC0FB8CA83311DA36D4063F1E57857A2"
+		      "1AB226563D84A15BB63CE975FF1453BD6750C58D9"
+		      "D113175764F5D0B3C89B262D4702F4D9640A3";
+const char *me_mp817 = "E504493ACB02F7F802B327AB13BF25";
+const char *me_mp5d47 = "1D45ED0D78F2778157992C951DD2734C";
+const char *me_mp1512 = "FB5B2A28D902B9D9";
+const char *me_mp161718 = "423C6AC6DBD74";
+const char *me_mp5114 =
+"64F0F72807993578BBA3C7C36FFB184028F9EB9A810C92079E1498D8A80FC848E1F0"
+"25F1DE43B7F6AC063F5CC29D8A7C2D7A66269D72BF5CDC327AF88AF8EF9E601DCB0A"
+"3F35BFF3525FB1B61CE3A25182F17C0A0633B4089EA15BDC47664A43FEF639748AAC"
+"19CF58E83D8FA32CD10661D2D4210CC84792937E6F36CB601851356622E63ADD4BD5"
+"542412C2E0C4958E51FD2524AABDC7D60CFB5DB332EEC9DC84210F10FAE0BA2018F2"
+"14C9D6867C9D6E49CF28C18D06CE009FD4D04BFC8837C3FAAA773F5CCF6DED1C22DE"
+"181786AFE188540586F2D74BF312E595244E6936AE52E45742109BAA76C36F2692F5"
+"CEF97AD462B138BE92721194B163254CBAAEE9B9864B21CCDD5375BCAD0D24132724"
+"113D3374B4BCF9AA49BA5ACBC12288C0BCF46DCE6CB4A241A91BD559B130B6E9CD3D"
+"D7A2C8B280C2A278BA9BF5D93244D563015C9484B86D9FEB602501DC16EEBC3EFF19"
+"53D7999682BF1A1E3B2E7B21F4BDCA3C355039FEF55B9C0885F98DC355CA7A6D8ECF"
+"5F7F1A6E11A764F2343C823B879B44616B56BF6AE3FA2ACF5483660E618882018E3F"
+"C8459313BACFE1F93CECC37B2576A5C0B2714BD3EEDEEC22F0E7E3E77B11396B9B99"
+"D683F2447A4004BBD4A57F6A616CDDFEC595C4FC19884CC2FC21CF5BF5B0B81E0F83"
+"B9DDA0CF4DFF35BB8D31245912BF4497FD0BD95F0C604E26EA5A8EA4F5EAE870A5BD"
+"FE8C";
+
+const char *e_mpc2d3 = "100000000000000000000000000000000";
+
+const char *t_mp9    = "FB9B6E32FF0452A34746";
+const char *i_mp27   = "B6AD8DCCDAF92B6FE57D062FFEE3A99";
+const char *i_mp2019 = 
+"BDF3D88DC373A63EED92903115B03FC8501910AF68297B4C41870AED3EA9F839";
+/* "15E3FE09E8AE5523AABA197BD2D16318D3CA148EDF4AE1C1C52FC96AFAF5680B"; */
+
+
+const char *t_mp15 =
+"795853094E59B0008093BCA8DECF68587C64BDCA2F3F7F8963DABC12F1CFFFA9B8C4"
+"365232FD4751870A0EF6CA619287C5D8B7F1747D95076AB19645EF309773E9EACEA0"
+"975FA4AE16251A8DA5865349C3A903E3B8A2C0DEA3C0720B6020C7FED69AFF62BB72"
+"10FAC443F9FFA2950776F949E819260C2AF8D94E8A1431A40F8C23C1973DE5D49AA2"
+"0B3FF5DA5C1D5324E712A78FF33A9B1748F83FA529905924A31DF38643B3F693EF9B"
+"58D846BB1AEAE4523ECC843FF551C1B300A130B65C1677402778F98C51C10813250E"
+"2496882877B069E877B59740DC1226F18A5C0F66F64A5F59A9FAFC5E9FC45AEC0E7A"
+"BEE244F7DD3AC268CF512A0E52E4F5BE5B94";
+
+const char *g_mp71   = "1";
+const char *g_mp25   = "7";
+const char *l_mp1011 = "C589E3D7D64A6942A000";
+
+/* mp9 in radices from 5 to 64 inclusive */
+#define LOW_RADIX   5
+#define HIGH_RADIX  64
+const char *v_mp9[] = {
+  "404041130042310320100141302000203430214122130002340212132414134210033",
+  "44515230120451152500101352430105520150025145320010504454125502",
+  "644641136612541136016610100564613624243140151310023515322",
+  "173512120732412062323044435407317550316717172705712756",
+  "265785018434285762514442046172754680368422060744852",
+  "1411774500397290569709059837552310354075408897518",
+  "184064268501499311A17746095910428222A241708032A",
+  "47706011B225950B02BB45602AA039893118A85950892",
+  "1A188C826B982353CB58422563AC602B783101671A86",
+  "105957B358B89B018958908A9114BC3DDC410B77982",
+  "CB7B3387E23452178846C55DD9D70C7CA9AEA78E8",
+  "F74A2876A1432698923B0767DA19DCF3D71795EE",
+  "17BF7C3673B76D7G7A5GA836277296F806E7453A",
+  "2EBG8HH3HFA6185D6H0596AH96G24C966DD3HG2",
+  "6G3HGBFEG8I3F25EAF61B904EIA40CFDH2124F",
+  "10AHC3D29EBHDF3HD97905CG0JA8061855C3FI",
+  "3BA5A55J5K699B2D09C38A4B237CH51IHA132",
+  "EDEA90DJ0B5CB3FGG1C8587FEB99D3C143CA",
+  "31M26JI1BBD56K3I028MML4EEDMAJK60LGLE",
+  "GGG5M3142FKKG82EJ28111D70EMHC241E4E",
+  "4446F4D5H10982023N297BF0DKBBHLLJB0I",
+  "12E9DEEOBMKAKEP0IM284MIP7FO1O521M46",
+  "85NN0HD48NN2FDDB1F5BMMKIB8CK20MDPK",
+  "2D882A7A0O0JPCJ4APDRIB77IABAKDGJP2",
+  "MFMCI0R7S27AAA3O3L2S8K44HKA7O02CN",
+  "7IGQS73FFSHC50NNH44B6PTTNLC3M6H78",
+  "2KLUB3U9850CSN6ANIDNIF1LB29MJ43LH",
+  "UT52GTL18CJ9H4HR0TJTK6ESUFBHF5FE",
+  "BTVL87QQBMUGF8PFWU4W3VU7U922QTMW",
+  "4OG10HW0MSWJBIDEE2PDH24GA7RIHIAA",
+  "1W8W9AX2DRUX48GXOLMK0PE42H0FEUWN",
+  "SVWI84VBH069WR15W1U2VTK06USY8Z2",
+  "CPTPNPDa5TYCPPNLALENT9IMX2GL0W2",
+  "5QU21UJMRaUYYYYYN6GHSMPOYOXEEUY",
+  "2O2Q7C6RPPB1SXJ9bR4035SPaQQ3H2W",
+  "18d994IbT4PHbD7cGIPCRP00bbQO0bc",
+  "NcDUEEWRO7XT76260WGeBHPVa72RdA",
+  "BbX2WCF9VfSB5LPdJAdeXKV1fd6LC2",
+  "60QDKW67P4JSQaTdQg7JE9ISafLaVU",
+  "33ba9XbDbRdNF4BeDB2XYMhAVDaBdA",
+  "1RIPZJA8gT5L5H7fTcaRhQ39geMMTc",
+  "d65j70fBATjcDiidPYXUGcaBVVLME",
+  "LKA9jhPabDG612TXWkhfT2gMXNIP2",
+  "BgNaYhjfT0G8PBcYRP8khJCR3C9QE",
+  "6Wk8RhJTAgDh10fYAiUVB1aM0HacG",
+  "3dOCjaf78kd5EQNViUZWj3AfFL90I",
+  "290VWkL3aiJoW4MBbHk0Z0bDo22Ni",
+  "1DbDZ1hpPZNUDBUp6UigcJllEdC26",
+  "dFSOLBUM7UZX8Vnc6qokGIOiFo1h",
+  "NcoUYJOg0HVmKI9fR2ag0S8R2hrK",
+  "EOpiJ5Te7oDe2pn8ZhAUKkhFHlZh",
+  "8nXK8rp8neV8LWta1WDgd1QnlWsU",
+  "5T3d6bcSBtHgrH9bCbu84tblaa7r",
+  "3PlUDIYUvMqOVCir7AtquK5dWanq",
+  "2A70gDPX2AtiicvIGGk9poiMtgvu",
+  "1MjiRxjk10J6SVAxFguv9kZiUnIc",
+  "rpre2vIDeb4h3sp50r1YBbtEx9L",
+  "ZHcoip0AglDAfibrsUcJ9M1C8fm",
+  "NHP18+eoe6uU54W49Kc6ZK7+bT2",
+  "FTAA7QXGoQOaZi7PzePtFFN5vNk"
+};
+
+const unsigned char b_mp4[] = {
+  0x01, 
+#if MP_DIGIT_MAX > MP_32BIT_MAX
+  0x00, 0x00, 0x00, 0x00,
+#endif
+  0x63, 0xDB, 0xC2, 0x26, 
+  0x5B, 0x88, 0x26, 0x8D, 
+  0xC8, 0x01, 0xC1, 0x0E, 
+  0xA6, 0x84, 0x76, 0xB7, 
+  0xBD, 0xE0, 0x09, 0x0F
+};
+
+/* Search for a test suite name in the names table  */
+int  find_name(char *name);
+void reason(char *fmt, ...);
+
+/*------------------------------------------------------------------------*/
+/*------------------------------------------------------------------------*/
+
+char g_intbuf[4096];  /* buffer for integer comparison   */
+char a_intbuf[4096];  /* buffer for integer comparison   */
+int  g_verbose = 1;   /* print out reasons for failure?  */
+int  res;
+
+#define IFOK(x) { if (MP_OKAY > (res = (x))) { \
+  reason("test %s failed: error %d\n", #x, res); return 1; }}
+
+int main(int argc, char *argv[])
+{
+  int which, res;
+
+  srand((unsigned int)time(NULL));
+
+  if (argc < 2) {
+    fprintf(stderr, "Usage: %s <test-suite> | list\n"
+	    "Type '%s help' for assistance\n", argv[0], argv[0]);
+    return 2;
+  } else if(argc > 2) {
+    if(strcmp(argv[2], "quiet") == 0)
+      g_verbose = 0;
+  }
+
+  if(strcmp(argv[1], "help") == 0) {
+    fprintf(stderr, "Help for mpi-test\n\n"
+	    "This program is a test driver for the MPI library, which\n"
+	    "tests all the various functions in the library to make sure\n"
+	    "they are working correctly.  The syntax is:\n"
+	    "    %s <suite-name>\n"
+	    "...where <suite-name> is the name of the test you wish to\n"
+	    "run.  To get a list of the tests, use '%s list'.\n\n"
+	    "The program exits with a status of zero if the test passes,\n"
+	    "or non-zero if it fails.  Ordinarily, failure is accompanied\n"
+	    "by a diagnostic message to standard error.  To suppress this\n"
+	    "add the keyword 'quiet' after the suite-name on the command\n"
+	    "line.\n\n", argv[0], argv[0]);
+    return 0;
+  }
+
+  if ((which = find_name(argv[1])) < 0) {
+    fprintf(stderr, "%s: test suite '%s' is not known\n", argv[0], argv[1]);
+    return 2;
+  }
+
+  if((res = (g_tests[which])()) < 0) {
+    fprintf(stderr, "%s: test suite not implemented yet\n", argv[0]);
+    return 2;
+  } else {
+    return res; 
+  }
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int find_name(char *name)
+{
+  int ix = 0;
+  
+  while(ix < g_count) {
+    if (strcmp(name, g_names[ix]) == 0)
+      return ix;
+    
+    ++ix;
+  }
+  
+  return -1;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_list(void)
+{
+  int ix;
+  
+  fprintf(stderr, "There are currently %d test suites available\n",
+	  g_count);
+  
+  for(ix = 1; ix < g_count; ix++)
+    fprintf(stdout, "%-20s %s\n", g_names[ix], g_descs[ix]);
+  
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_copy(void)
+{
+  mp_int  a, b;
+  int     ix;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp3, 16);
+  mp_copy(&a, &b);
+
+  if(SIGN(&a) != SIGN(&b) || USED(&a) != USED(&b)) {
+    if(SIGN(&a) != SIGN(&b)) {
+      reason("error: sign of original is %d, sign of copy is %d\n", 
+	     SIGN(&a), SIGN(&b));
+    } else {
+      reason("error: original precision is %d, copy precision is %d\n",
+	     USED(&a), USED(&b));
+    }
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  for(ix = 0; ix < USED(&b); ix++) {
+    if(DIGIT(&a, ix) != DIGIT(&b, ix)) {
+      reason("error: digit %d " DIGIT_FMT " != " DIGIT_FMT "\n",
+	     ix, DIGIT(&a, ix), DIGIT(&b, ix));
+      mp_clear(&a); mp_clear(&b);
+      return 1;
+    }
+  }
+     
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exch(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
+
+  mp_exch(&a, &b);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, mp1) != 0) {
+    mp_clear(&b);
+    reason("error: exchange failed\n");
+    return 1;
+  }
+
+  mp_toradix(&b, g_intbuf, 16);
+
+  mp_clear(&b);
+  if(strcmp(g_intbuf, mp7) != 0) {
+    reason("error: exchange failed\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_zero(void)
+{
+  mp_int   a;
+
+  mp_init(&a); mp_read_radix(&a, mp7, 16);
+  mp_zero(&a);
+
+  if(USED(&a) != 1 || DIGIT(&a, 1) != 0) {
+    mp_toradix(&a, g_intbuf, 16);
+    reason("error: result is %s\n", g_intbuf);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_set(void)
+{
+  mp_int   a;
+
+  /* Test single digit set */
+  mp_init(&a); mp_set(&a, 5);
+  if(DIGIT(&a, 0) != 5) {
+    mp_toradix(&a, g_intbuf, 16);
+    reason("error: result is %s, expected 5\n", g_intbuf);
+    mp_clear(&a);
+    return 1;
+  }
+
+  /* Test integer set */
+  mp_set_int(&a, -4938110);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a);
+  if(strcmp(g_intbuf, mp5a) != 0) {
+    reason("error: result is %s, expected %s\n", g_intbuf, mp5a);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_abs(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+  mp_abs(&a, &a);
+  
+  if(SIGN(&a) != ZPOS) {
+    reason("error: sign of result is negative\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_neg(void)
+{
+  mp_int  a;
+  mp_sign s;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+
+  s = SIGN(&a);
+  mp_neg(&a, &a);
+  if(SIGN(&a) == s) {
+    reason("error: sign of result is same as sign of nonzero input\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_add_d(void)
+{
+  mp_int  a;
+
+  mp_init(&a);
+  
+  mp_read_radix(&a, mp5, 16);
+  mp_add_d(&a, md4, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp5d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp5d4);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp2, 16);
+  mp_add_d(&a, md5, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp2d5) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp2d5);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_add(void)
+{
+  mp_int  a, b;
+  int     res = 0;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp3, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp13) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp13);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp4, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp34) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp34);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp6, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp46) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp46);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp1415) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp1415);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sub_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_read_radix(&a, mp5, 16);
+
+  mp_sub_d(&a, md4, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp5d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp5d4);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+  
+  mp_sub_d(&a, md2, &a);
+  mp_toradix(&a, g_intbuf, 16);
+  
+  mp_clear(&a);
+  if(strcmp(g_intbuf, d_mp6d2) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp6d2);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sub(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
+  mp_sub(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp12) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp12);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_sub(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp34) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp34);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mul_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_read_radix(&a, mp1, 16);
+
+  IFOK( mp_mul_d(&a, md4, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  
+  if(strcmp(g_intbuf, p_mp1d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1d4);    
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp8, 16);
+  IFOK( mp_mul_d(&a, md6, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, p_mp8d6) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp8d6); 
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mul(void)
+{
+  mp_int   a, b;
+  int      res = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
+
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp12) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp12);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp34) !=0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp34);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp7, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp57) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp57);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp11, 16); mp_read_radix(&b, mp13, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp1113) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1113);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp1415) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1415);
+    res = 1;
+  }
+  mp_read_radix(&a, mp21, 10); mp_read_radix(&b, mp21, 10);
+
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 10);
+
+  if(strcmp(g_intbuf, p_mp2121) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp2121);
+    res = 1; goto CLEANUP;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b);
+  return res;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqr(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp2, 16);
+
+  mp_sqr(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, p_mp22) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp22);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_d(void)
+{
+  mp_int    a, q;
+  mp_digit  r;
+  int       err = 0;
+
+  mp_init(&a); mp_init(&q);
+  mp_read_radix(&a, mp3, 16);
+
+  IFOK( mp_div_d(&a, md6, &q, &r) );
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp3d6) != 0) {
+    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp3d6);
+    ++err;
+  }
+
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+
+  if(strcmp(g_intbuf, r_mp3d6) != 0) {
+    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp3d6);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp9, 16);
+  IFOK( mp_div_d(&a, 16, &q, &r) );
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp9c16) != 0) {
+    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp9c16);
+    ++err;
+  }
+
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+
+  if(strcmp(g_intbuf, r_mp9c16) != 0) {
+    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp9c16);
+    ++err;
+  }
+
+  mp_clear(&a); mp_clear(&q);
+  return err;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_2(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp7, 16);
+  IFOK( mp_div_2(&a, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, q_mp7c2) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, q_mp7c2);
+    return 1;
+  }
+    
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_2d(void)
+{
+  mp_int  a, q, r;
+
+  mp_init(&q); mp_init(&r);
+  mp_init(&a); mp_read_radix(&a, mp13, 16);
+
+  IFOK( mp_div_2d(&a, 64, &q, &r) );
+  mp_clear(&a);
+
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp13c) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, q_mp13c);
+    mp_clear(&q); mp_clear(&r);
+    return 1;
+  }
+
+  mp_clear(&q);
+
+  mp_toradix(&r, g_intbuf, 16);
+  if(strcmp(g_intbuf, r_mp13c) != 0) {
+    reason("error, computed %s, expected %s\n", g_intbuf, r_mp13c);
+    mp_clear(&r);
+    return 1;
+  }
+
+  mp_clear(&r);
+  
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div(void)
+{
+  mp_int  a, b, r;
+  int     err = 0;
+
+  mp_init(&a); mp_init(&b); mp_init(&r);
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp2, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp42) != 0) {
+    reason("error: test 1 computed quot %s, expected %s\n", g_intbuf, q_mp42);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, r_mp42) != 0) {
+    reason("error: test 1 computed rem %s, expected %s\n", g_intbuf, r_mp42);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp5a, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp45a) != 0) {
+    reason("error: test 2 computed quot %s, expected %s\n", g_intbuf, q_mp45a);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, r_mp45a) != 0) {
+    reason("error: test 2 computed rem %s, expected %s\n", g_intbuf, r_mp45a);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp4, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp1404) != 0) {
+    reason("error: test 3 computed quot %s, expected %s\n", g_intbuf, q_mp1404);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+  
+  if(strcmp(g_intbuf, r_mp1404) != 0) {
+    reason("error: test 3 computed rem %s, expected %s\n", g_intbuf, r_mp1404);
+    ++err;
+  }
+
+  mp_clear(&a); mp_clear(&b); mp_clear(&r);
+
+  return err;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_expt_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a); mp_read_radix(&a, mp5, 16);
+  mp_expt_d(&a, md9, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, e_mp5d9) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mp5d9);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_expt(void)
+{
+  mp_int   a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp8, 16);
+
+  mp_expt(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b);
+
+  if(strcmp(g_intbuf, e_mp78) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mp78);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_2expt(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_2expt(&a, md3);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a);
+
+  if(strcmp(g_intbuf, e_mpc2d3) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mpc2d3);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqrt(void)
+{
+  mp_int  a;
+  int     res = 0;
+
+  mp_init(&a); mp_read_radix(&a, mp9, 16);
+  mp_sqrt(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, t_mp9) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, t_mp9);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp15, 16);
+  mp_sqrt(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, t_mp15) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, t_mp15);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mod_d(void)
+{
+  mp_int     a;
+  mp_digit   r;
+
+  mp_init(&a); mp_read_radix(&a, mp5, 16);
+  IFOK( mp_mod_d(&a, md5, &r) );
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+  mp_clear(&a);
+
+  if(strcmp(g_intbuf, r_mp5d5) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, r_mp5d5);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mod(void)
+{
+  mp_int  a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&m, mp7, 16);
+  IFOK( mp_mod(&a, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, r_mp47) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, r_mp47);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_addmod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_addmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, ms_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, ms_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_submod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_submod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, md_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, md_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mulmod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_mulmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, mp_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqrmod(void)
+{
+  mp_int a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_sqrmod(&a, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, mp_mp335) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp335);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exptmod(void)
+{
+  mp_int  a, b, m;
+  int     res = 0;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp8, 16); mp_read_radix(&b, mp1, 16);
+  mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp817) != 0) {
+    reason("case 1: error: computed %s, expected %s\n", g_intbuf, me_mp817);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp5, 16);
+  mp_read_radix(&m, mp12, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp1512) != 0) {
+    reason("case 2: error: computed %s, expected %s\n", g_intbuf, me_mp1512);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp1, 16);
+  mp_read_radix(&m, mp14, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp5114) != 0) {
+    reason("case 3: error: computed %s, expected %s\n", g_intbuf, me_mp5114);
+    res = 1;
+  }
+
+  mp_read_radix(&a, mp16, 16); mp_read_radix(&b, mp17, 16);
+  mp_read_radix(&m, mp18, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp161718) != 0) {
+    reason("case 4: error: computed %s, expected %s\n", g_intbuf, me_mp161718);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exptmod_d(void)
+{
+  mp_int  a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_exptmod_d(&a, md4, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, me_mp5d47) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, me_mp5d47);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_invmod(void)
+{
+  mp_int  a, m, c;
+  mp_int  p1, p2, p3, p4, p5;
+  mp_int  t1, t2, t3, t4;
+  mp_err  res;
+
+  /* 5 128-bit primes. */
+  static const char ivp1[] = { "AAD8A5A2A2BEF644BAEE7DB0CA643719" };
+  static const char ivp2[] = { "CB371AD2B79A90BCC88D0430663E40B9" };
+  static const char ivp3[] = { "C6C818D4DF2618406CA09280C0400099" };
+  static const char ivp4[] = { "CE949C04512E68918006B1F0D7E93F27" };
+  static const char ivp5[] = { "F8EE999B6416645040687440E0B89F51" };
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp2, 16); mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_invmod(&a, &m, &a) );
+
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, i_mp27) != 0) {
+    reason("error: invmod test 1 computed %s, expected %s\n", g_intbuf, i_mp27);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp20, 16); mp_read_radix(&m, mp19, 16);
+
+  IFOK( mp_invmod(&a, &m, &a) );
+
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, i_mp2019) != 0) {
+    reason("error: invmod test 2 computed %s, expected %s\n", g_intbuf, i_mp2019);
+    return 1;
+  }
+
+/* Need the following test cases:
+  Odd modulus
+    - a is odd,      relatively prime to m
+    - a is odd,  not relatively prime to m
+    - a is even,     relatively prime to m
+    - a is even, not relatively prime to m
+  Even modulus
+    - a is even  (should fail)
+    - a is odd,  not relatively prime to m
+    - a is odd,      relatively prime to m,
+      m is not a power of 2
+	- m has factor 2**k, k < 32
+	- m has factor 2**k, k > 32
+      m is a power of 2, 2**k
+	- k < 32
+	- k > 32
+*/
+
+  mp_init(&a);  mp_init(&m);  mp_init(&c);  
+  mp_init(&p1); mp_init(&p2); mp_init(&p3); mp_init(&p4); mp_init(&p5); 
+  mp_init(&t1); mp_init(&t2); mp_init(&t3); mp_init(&t4); 
+
+  mp_read_radix(&p1, ivp1, 16);
+  mp_read_radix(&p2, ivp2, 16);
+  mp_read_radix(&p3, ivp3, 16);
+  mp_read_radix(&p4, ivp4, 16);
+  mp_read_radix(&p5, ivp5, 16);
+
+  IFOK( mp_2expt(&t2, 68) );	/* t2 = 2**68 */
+  IFOK( mp_2expt(&t3, 128) );	/* t3 = 2**128 */
+  IFOK( mp_2expt(&t4, 31) );	/* t4 = 2**31 */
+
+/* test 3: Odd modulus - a is odd, relatively prime to m */
+
+  IFOK( mp_mul(&p1, &p2, &a) );
+  IFOK( mp_mul(&p3, &p4, &m) );
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 3 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 4: Odd modulus - a is odd, NOT relatively prime to m */
+
+  IFOK( mp_mul(&p1, &p3, &a) );
+  /* reuse same m as before */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP4;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP4:
+    reason("error: invmod test 4 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 5: Odd modulus - a is even, relatively prime to m */
+
+  IFOK( mp_mul(&p1, &t2, &a) );
+  /* reuse m */
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 5 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 6: Odd modulus - a is odd, NOT relatively prime to m */
+
+  /* reuse t2 */
+  IFOK( mp_mul(&t2, &p3, &a) );
+  /* reuse same m as before */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP6;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP6:
+    reason("error: invmod test 6 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
+
+/* test 7: Even modulus, even a, should fail */
+
+  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
+  /* reuse t2 */
+  IFOK( mp_mul(&p1, &t2, &a) ); /* even a */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP7;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP7:
+    reason("error: invmod test 7 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&c);   mp_init(&t1); 
+
+/* test 8: Even modulus    - a is odd,  not relatively prime to m */
+
+  /* reuse m */
+  IFOK( mp_mul(&p3, &p1, &a) ); /* even a */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP8;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP8:
+    reason("error: invmod test 8 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
+
+/* test 9: Even modulus    - m has factor 2**k, k < 32
+ *	                   - a is odd, relatively prime to m,
+ */
+  IFOK( mp_mul(&p3, &t4, &m) ); /* even m */
+  IFOK( mp_mul(&p1, &p2, &a) );
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 9 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&m);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&m);   mp_init(&t1);  mp_init(&c);   
+
+/* test 10: Even modulus    - m has factor 2**k, k > 32
+ *	                    - a is odd, relatively prime to m,
+ */
+  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
+  /* reuse a */
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 10 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&t1);  mp_init(&c);   
+
+/* test 11: Even modulus    - m is a power of 2, 2**k | k < 32
+ *                          - a is odd, relatively prime to m,
+ */
+  IFOK( mp_invmod(&a, &t4, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &t4, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 11 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&t1);  mp_init(&c);   
+
+/* test 12: Even modulus    - m is a power of 2, 2**k | k > 32
+ *                          - a is odd, relatively prime to m,
+ */
+  IFOK( mp_invmod(&a, &t3, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &t3, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 12 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+
+  mp_clear(&a);  mp_clear(&m);  mp_clear(&c);  
+  mp_clear(&t1); mp_clear(&t2); mp_clear(&t3); mp_clear(&t4); 
+  mp_clear(&p1); mp_clear(&p2); mp_clear(&p3); mp_clear(&p4); mp_clear(&p5); 
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_d(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp8, 16);
+
+  if(mp_cmp_d(&a, md8) >= 0) {
+    reason("error: %s >= " DIGIT_FMT "\n", mp8, md8);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5, 16);
+
+  if(mp_cmp_d(&a, md8) <= 0) {
+    reason("error: %s <= " DIGIT_FMT "\n", mp5, md8);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+
+  if(mp_cmp_d(&a, md1) != 0) {
+    reason("error: %s != " DIGIT_FMT "\n", mp6, md1);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_z(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp6, 16);
+
+  if(mp_cmp_z(&a) != 0) {
+    reason("error: someone thinks a zero value is non-zero\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp1, 16);
+  
+  if(mp_cmp_z(&a) <= 0) {
+    reason("error: someone thinks a positive value is non-positive\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp4, 16);
+
+  if(mp_cmp_z(&a) >= 0) {
+    reason("error: someone thinks a negative value is non-negative\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+
+  if(mp_cmp(&a, &b) <= 0) {
+    reason("error: %s <= %s\n", mp3, mp4);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&b, mp3, 16);
+  if(mp_cmp(&a, &b) != 0) {
+    reason("error: %s != %s\n", mp3, mp3);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5, 16);
+  if(mp_cmp(&a, &b) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp3);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5a, 16);
+  if(mp_cmp_int(&a, 1000000) >= 0 ||
+     (mp_cmp_int(&a, -5000000) <= 0) ||
+     (mp_cmp_int(&a, -4938110) != 0)) {
+    reason("error: long integer comparison failed (%s)", mp5a);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_mag(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp4, 16);
+
+  if(mp_cmp_mag(&a, &b) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp4);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&b, mp5, 16);
+  if(mp_cmp_mag(&a, &b) != 0) {
+    reason("error: %s != %s\n", mp5, mp5);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp1, 16);
+  if(mp_cmp_mag(&b, &a) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp1);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_parity(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp1, 16);
+
+  if(!mp_isodd(&a)) {
+    reason("error: expected operand to be odd, but it isn't\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+  
+  if(!mp_iseven(&a)) {
+    reason("error: expected operand to be even, but it isn't\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_gcd(void)
+{
+  mp_int  a, b;
+  int     out = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
+
+  mp_gcd(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, g_mp71) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, g_mp71);
+    out = 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_lcm(void)
+{
+  mp_int  a, b;
+  int     out = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp10, 16); mp_read_radix(&b, mp11, 16);
+
+  mp_lcm(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, l_mp1011) != 0) {
+    reason("error: computed %s, expected%s\n", g_intbuf, l_mp1011);
+    out = 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_convert(void)
+{
+  int    ix;
+  mp_int a;
+
+  mp_init(&a); mp_read_radix(&a, mp9, 16);
+
+  for(ix = LOW_RADIX; ix <= HIGH_RADIX; ix++) {
+    mp_toradix(&a, g_intbuf, ix);
+
+    if(strcmp(g_intbuf, v_mp9[ix - LOW_RADIX]) != 0) {
+      reason("error: radix %d, computed %s, expected %s\n",
+	     ix, g_intbuf, v_mp9[ix - LOW_RADIX]);
+      mp_clear(&a);
+      return 1;
+    }
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_raw(void)
+{
+  int    len, out = 0;
+  mp_int a;
+  char   *buf;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+
+  len = mp_raw_size(&a);
+  if(len != sizeof(b_mp4)) {
+    reason("error: test_raw: expected length %d, computed %d\n", sizeof(b_mp4),
+	   len);
+    mp_clear(&a);
+    return 1;
+  }
+
+  buf = calloc(len, sizeof(char));
+  mp_toraw(&a, buf);
+
+  if(memcmp(buf, b_mp4, sizeof(b_mp4)) != 0) {
+    reason("error: test_raw: binary output does not match test vector\n");
+    out = 1;
+  }
+
+  free(buf);
+  mp_clear(&a);
+
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_pprime(void)
+{
+  mp_int   p;
+  int      err = 0;
+  mp_err   res;
+
+  mp_init(&p);
+  mp_read_radix(&p, mp7, 16);
+
+  if(mpp_pprime(&p, 5) != MP_YES) {
+    reason("error: %s failed Rabin-Miller test, but is prime\n", mp7);
+    err = 1;
+  }
+
+  IFOK( mp_set_int(&p, 9) );
+  res = mpp_pprime(&p, 50);
+  if (res == MP_YES) {
+    reason("error: 9 is composite but passed Rabin-Miller test\n");
+    err = 1;
+  } else if (res != MP_NO) {
+    reason("test mpp_pprime(9, 50) failed: error %d\n", res); 
+    err = 1;
+  }
+
+  IFOK( mp_set_int(&p, 15) );
+  res = mpp_pprime(&p, 50);
+  if (res == MP_YES) {
+    reason("error: 15 is composite but passed Rabin-Miller test\n");
+    err = 1;
+  } else if (res != MP_NO) {
+    reason("test mpp_pprime(15, 50) failed: error %d\n", res); 
+    err = 1;
+  }
+
+  mp_clear(&p);
+
+  return err;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_fermat(void)
+{
+  mp_int p;
+  mp_err res;
+  int    err = 0;
+
+  mp_init(&p);
+  mp_read_radix(&p, mp7, 16);
+  
+  if((res = mpp_fermat(&p, 2)) != MP_YES) {
+    reason("error: %s failed Fermat test on 2: %s\n", mp7, 
+	   mp_strerror(res));
+    ++err;
+  }
+
+  if((res = mpp_fermat(&p, 3)) != MP_YES) {
+    reason("error: %s failed Fermat test on 3: %s\n", mp7, 
+	   mp_strerror(res));
+    ++err;
+  }
+
+  mp_clear(&p);
+
+  return err;
+
+}
+
+/*------------------------------------------------------------------------*/
+/* Like fprintf(), but only if we are behaving in a verbose manner        */
+
+void reason(char *fmt, ...)
+{
+  va_list    ap;
+
+  if(!g_verbose)
+    return;
+
+  va_start(ap, fmt);
+  vfprintf(stderr, fmt, ap);
+  va_end(ap);
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
new file mode 100644
index 000000000..be062f66d
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -0,0 +1,4850 @@
+/*
+ *  mpi.c
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "mpi-priv.h"
+#if defined(OSF1)
+#include <c_asm.h>
+#endif
+
+#if MP_LOGTAB
+/*
+  A table of the logs of 2 for various bases (the 0 and 1 entries of
+  this table are meaningless and should not be referenced).  
+
+  This table is used to compute output lengths for the mp_toradix()
+  function.  Since a number n in radix r takes up about log_r(n)
+  digits, we estimate the output size by taking the least integer
+  greater than log_r(n), where:
+
+  log_r(n) = log_2(n) * log_r(2)
+
+  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
+  which are the output bases supported.  
+ */
+#include "logtab.h"
+#endif
+
+/* {{{ Constant strings */
+
+/* Constant strings returned by mp_strerror() */
+static const char *mp_err_string[] = {
+  "unknown result code",     /* say what?            */
+  "boolean true",            /* MP_OKAY, MP_YES      */
+  "boolean false",           /* MP_NO                */
+  "out of memory",           /* MP_MEM               */
+  "argument out of range",   /* MP_RANGE             */
+  "invalid input parameter", /* MP_BADARG            */
+  "result is undefined"      /* MP_UNDEF             */
+};
+
+/* Value to digit maps for radix conversion   */
+
+/* s_dmap_1 - standard digits and letters */
+static const char *s_dmap_1 = 
+  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
+
+/* }}} */
+
+unsigned long mp_allocs;
+unsigned long mp_frees;
+unsigned long mp_copies;
+
+/* {{{ Default precision manipulation */
+
+/* Default precision for newly created mp_int's      */
+static mp_size s_mp_defprec = MP_DEFPREC;
+
+mp_size mp_get_prec(void)
+{
+  return s_mp_defprec;
+
+} /* end mp_get_prec() */
+
+void         mp_set_prec(mp_size prec)
+{
+  if(prec == 0)
+    s_mp_defprec = MP_DEFPREC;
+  else
+    s_mp_defprec = prec;
+
+} /* end mp_set_prec() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ mp_init(mp) */
+
+/*
+  mp_init(mp)
+
+  Initialize a new zero-valued mp_int.  Returns MP_OKAY if successful,
+  MP_MEM if memory could not be allocated for the structure.
+ */
+
+mp_err mp_init(mp_int *mp)
+{
+  return mp_init_size(mp, s_mp_defprec);
+
+} /* end mp_init() */
+
+/* }}} */
+
+/* {{{ mp_init_size(mp, prec) */
+
+/*
+  mp_init_size(mp, prec)
+
+  Initialize a new zero-valued mp_int with at least the given
+  precision; returns MP_OKAY if successful, or MP_MEM if memory could
+  not be allocated for the structure.
+ */
+
+mp_err mp_init_size(mp_int *mp, mp_size prec)
+{
+  ARGCHK(mp != NULL && prec > 0, MP_BADARG);
+
+  prec = MP_ROUNDUP(prec, s_mp_defprec);
+  if((DIGITS(mp) = s_mp_alloc(prec, sizeof(mp_digit))) == NULL)
+    return MP_MEM;
+
+  SIGN(mp) = ZPOS;
+  USED(mp) = 1;
+  ALLOC(mp) = prec;
+
+  return MP_OKAY;
+
+} /* end mp_init_size() */
+
+/* }}} */
+
+/* {{{ mp_init_copy(mp, from) */
+
+/*
+  mp_init_copy(mp, from)
+
+  Initialize mp as an exact copy of from.  Returns MP_OKAY if
+  successful, MP_MEM if memory could not be allocated for the new
+  structure.
+ */
+
+mp_err mp_init_copy(mp_int *mp, const mp_int *from)
+{
+  ARGCHK(mp != NULL && from != NULL, MP_BADARG);
+
+  if(mp == from)
+    return MP_OKAY;
+
+  if((DIGITS(mp) = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
+    return MP_MEM;
+
+  s_mp_copy(DIGITS(from), DIGITS(mp), USED(from));
+  USED(mp) = USED(from);
+  ALLOC(mp) = ALLOC(from);
+  SIGN(mp) = SIGN(from);
+
+  return MP_OKAY;
+
+} /* end mp_init_copy() */
+
+/* }}} */
+
+/* {{{ mp_copy(from, to) */
+
+/*
+  mp_copy(from, to)
+
+  Copies the mp_int 'from' to the mp_int 'to'.  It is presumed that
+  'to' has already been initialized (if not, use mp_init_copy()
+  instead). If 'from' and 'to' are identical, nothing happens.
+ */
+
+mp_err mp_copy(const mp_int *from, mp_int *to)
+{
+  ARGCHK(from != NULL && to != NULL, MP_BADARG);
+
+  if(from == to)
+    return MP_OKAY;
+
+  ++mp_copies;
+  { /* copy */
+    mp_digit   *tmp;
+
+    /*
+      If the allocated buffer in 'to' already has enough space to hold
+      all the used digits of 'from', we'll re-use it to avoid hitting
+      the memory allocater more than necessary; otherwise, we'd have
+      to grow anyway, so we just allocate a hunk and make the copy as
+      usual
+     */
+    if(ALLOC(to) >= USED(from)) {
+      s_mp_setz(DIGITS(to) + USED(from), ALLOC(to) - USED(from));
+      s_mp_copy(DIGITS(from), DIGITS(to), USED(from));
+      
+    } else {
+      if((tmp = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
+	return MP_MEM;
+
+      s_mp_copy(DIGITS(from), tmp, USED(from));
+
+      if(DIGITS(to) != NULL) {
+#if MP_CRYPTO
+	s_mp_setz(DIGITS(to), ALLOC(to));
+#endif
+	s_mp_free(DIGITS(to));
+      }
+
+      DIGITS(to) = tmp;
+      ALLOC(to) = ALLOC(from);
+    }
+
+    /* Copy the precision and sign from the original */
+    USED(to) = USED(from);
+    SIGN(to) = SIGN(from);
+  } /* end copy */
+
+  return MP_OKAY;
+
+} /* end mp_copy() */
+
+/* }}} */
+
+/* {{{ mp_exch(mp1, mp2) */
+
+/*
+  mp_exch(mp1, mp2)
+
+  Exchange mp1 and mp2 without allocating any intermediate memory
+  (well, unless you count the stack space needed for this call and the
+  locals it creates...).  This cannot fail.
+ */
+
+void mp_exch(mp_int *mp1, mp_int *mp2)
+{
+#if MP_ARGCHK == 2
+  assert(mp1 != NULL && mp2 != NULL);
+#else
+  if(mp1 == NULL || mp2 == NULL)
+    return;
+#endif
+
+  s_mp_exch(mp1, mp2);
+
+} /* end mp_exch() */
+
+/* }}} */
+
+/* {{{ mp_clear(mp) */
+
+/*
+  mp_clear(mp)
+
+  Release the storage used by an mp_int, and void its fields so that
+  if someone calls mp_clear() again for the same int later, we won't
+  get tollchocked.
+ */
+
+void   mp_clear(mp_int *mp)
+{
+  if(mp == NULL)
+    return;
+
+  if(DIGITS(mp) != NULL) {
+#if MP_CRYPTO
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+#endif
+    s_mp_free(DIGITS(mp));
+    DIGITS(mp) = NULL;
+  }
+
+  USED(mp) = 0;
+  ALLOC(mp) = 0;
+
+} /* end mp_clear() */
+
+/* }}} */
+
+/* {{{ mp_zero(mp) */
+
+/*
+  mp_zero(mp) 
+
+  Set mp to zero.  Does not change the allocated size of the structure,
+  and therefore cannot fail (except on a bad argument, which we ignore)
+ */
+void   mp_zero(mp_int *mp)
+{
+  if(mp == NULL)
+    return;
+
+  s_mp_setz(DIGITS(mp), ALLOC(mp));
+  USED(mp) = 1;
+  SIGN(mp) = ZPOS;
+
+} /* end mp_zero() */
+
+/* }}} */
+
+/* {{{ mp_set(mp, d) */
+
+void   mp_set(mp_int *mp, mp_digit d)
+{
+  if(mp == NULL)
+    return;
+
+  mp_zero(mp);
+  DIGIT(mp, 0) = d;
+
+} /* end mp_set() */
+
+/* }}} */
+
+/* {{{ mp_set_int(mp, z) */
+
+mp_err mp_set_int(mp_int *mp, long z)
+{
+  int            ix;
+  unsigned long  v = labs(z);
+  mp_err         res;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+
+  mp_zero(mp);
+  if(z == 0)
+    return MP_OKAY;  /* shortcut for zero */
+
+  if (sizeof v <= sizeof(mp_digit)) {
+    DIGIT(mp,0) = v;
+  } else {
+    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
+      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
+	return res;
+
+      res = s_mp_add_d(mp, (mp_digit)((v >> (ix * CHAR_BIT)) & UCHAR_MAX));
+      if (res != MP_OKAY)
+	return res;
+    }
+  }
+  if(z < 0)
+    SIGN(mp) = NEG;
+
+  return MP_OKAY;
+
+} /* end mp_set_int() */
+
+/* }}} */
+
+/* {{{ mp_set_ulong(mp, z) */
+
+mp_err mp_set_ulong(mp_int *mp, unsigned long z)
+{
+  int            ix;
+  mp_err         res;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+
+  mp_zero(mp);
+  if(z == 0)
+    return MP_OKAY;  /* shortcut for zero */
+
+  if (sizeof z <= sizeof(mp_digit)) {
+    DIGIT(mp,0) = z;
+  } else {
+    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
+      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
+	return res;
+
+      res = s_mp_add_d(mp, (mp_digit)((z >> (ix * CHAR_BIT)) & UCHAR_MAX));
+      if (res != MP_OKAY)
+	return res;
+    }
+  }
+  return MP_OKAY;
+} /* end mp_set_ulong() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Digit arithmetic */
+
+/* {{{ mp_add_d(a, d, b) */
+
+/*
+  mp_add_d(a, d, b)
+
+  Compute the sum b = a + d, for a single digit d.  Respects the sign of
+  its primary addend (single digits are unsigned anyway).
+ */
+
+mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_int   tmp;
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+    return res;
+
+  if(SIGN(&tmp) == ZPOS) {
+    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
+    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else {
+    mp_neg(&tmp, &tmp);
+
+    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
+  }
+
+  if(s_mp_cmp_d(&tmp, 0) == 0)
+    SIGN(&tmp) = ZPOS;
+
+  s_mp_exch(&tmp, b);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_add_d() */
+
+/* }}} */
+
+/* {{{ mp_sub_d(a, d, b) */
+
+/*
+  mp_sub_d(a, d, b)
+
+  Compute the difference b = a - d, for a single digit d.  Respects the
+  sign of its subtrahend (single digits are unsigned anyway).
+ */
+
+mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_int   tmp;
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+    return res;
+
+  if(SIGN(&tmp) == NEG) {
+    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
+    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else {
+    mp_neg(&tmp, &tmp);
+
+    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
+    SIGN(&tmp) = NEG;
+  }
+
+  if(s_mp_cmp_d(&tmp, 0) == 0)
+    SIGN(&tmp) = ZPOS;
+
+  s_mp_exch(&tmp, b);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_sub_d() */
+
+/* }}} */
+
+/* {{{ mp_mul_d(a, d, b) */
+
+/*
+  mp_mul_d(a, d, b)
+
+  Compute the product b = a * d, for a single digit d.  Respects the sign
+  of its multiplicand (single digits are unsigned anyway)
+ */
+
+mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if(d == 0) {
+    mp_zero(b);
+    return MP_OKAY;
+  }
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  res = s_mp_mul_d(b, d);
+
+  return res;
+
+} /* end mp_mul_d() */
+
+/* }}} */
+
+/* {{{ mp_mul_2(a, c) */
+
+mp_err mp_mul_2(const mp_int *a, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, c)) != MP_OKAY)
+    return res;
+
+  return s_mp_mul_2(c);
+
+} /* end mp_mul_2() */
+
+/* }}} */
+
+/* {{{ mp_div_d(a, d, q, r) */
+
+/*
+  mp_div_d(a, d, q, r)
+
+  Compute the quotient q = a / d and remainder r = a mod d, for a
+  single digit d.  Respects the sign of its divisor (single digits are
+  unsigned anyway).
+ */
+
+mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r)
+{
+  mp_err   res;
+  mp_int   qp;
+  mp_digit rem;
+  int      pow;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(d == 0)
+    return MP_RANGE;
+
+  /* Shortcut for powers of two ... */
+  if((pow = s_mp_ispow2d(d)) >= 0) {
+    mp_digit  mask;
+
+    mask = ((mp_digit)1 << pow) - 1;
+    rem = DIGIT(a, 0) & mask;
+
+    if(q) {
+      mp_copy(a, q);
+      s_mp_div_2d(q, pow);
+    }
+
+    if(r)
+      *r = rem;
+
+    return MP_OKAY;
+  }
+
+  if((res = mp_init_copy(&qp, a)) != MP_OKAY)
+    return res;
+
+  res = s_mp_div_d(&qp, d, &rem);
+
+  if(s_mp_cmp_d(&qp, 0) == 0)
+    SIGN(q) = ZPOS;
+
+  if(r)
+    *r = rem;
+
+  if(q)
+    s_mp_exch(&qp, q);
+
+  mp_clear(&qp);
+  return res;
+
+} /* end mp_div_d() */
+
+/* }}} */
+
+/* {{{ mp_div_2(a, c) */
+
+/*
+  mp_div_2(a, c)
+
+  Compute c = a / 2, disregarding the remainder.
+ */
+
+mp_err mp_div_2(const mp_int *a, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, c)) != MP_OKAY)
+    return res;
+
+  s_mp_div_2(c);
+
+  return MP_OKAY;
+
+} /* end mp_div_2() */
+
+/* }}} */
+
+/* {{{ mp_expt_d(a, d, b) */
+
+mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  DIGIT(&s, 0) = 1;
+
+  while(d != 0) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d /= 2;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_expt_d() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Full arithmetic */
+
+/* {{{ mp_abs(a, b) */
+
+/*
+  mp_abs(a, b)
+
+  Compute b = |a|.  'a' and 'b' may be identical.
+ */
+
+mp_err mp_abs(const mp_int *a, mp_int *b)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  SIGN(b) = ZPOS;
+
+  return MP_OKAY;
+
+} /* end mp_abs() */
+
+/* }}} */
+
+/* {{{ mp_neg(a, b) */
+
+/*
+  mp_neg(a, b)
+
+  Compute b = -a.  'a' and 'b' may be identical.
+ */
+
+mp_err mp_neg(const mp_int *a, mp_int *b)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  if(s_mp_cmp_d(b, 0) == MP_EQ) 
+    SIGN(b) = ZPOS;
+  else 
+    SIGN(b) = (SIGN(b) == NEG) ? ZPOS : NEG;
+
+  return MP_OKAY;
+
+} /* end mp_neg() */
+
+/* }}} */
+
+/* {{{ mp_add(a, b, c) */
+
+/*
+  mp_add(a, b, c)
+
+  Compute c = a + b.  All parameters may be identical.
+ */
+
+mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(SIGN(a) == SIGN(b)) { /* same sign:  add values, keep sign */
+    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
+  } else if(s_mp_cmp(a, b) >= 0) {  /* different sign: |a| >= |b|   */
+    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
+  } else {                          /* different sign: |a|  < |b|   */
+    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
+  }
+
+  if (s_mp_cmp_d(c, 0) == MP_EQ)
+    SIGN(c) = ZPOS;
+
+CLEANUP:
+  return res;
+
+} /* end mp_add() */
+
+/* }}} */
+
+/* {{{ mp_sub(a, b, c) */
+
+/*
+  mp_sub(a, b, c)
+
+  Compute c = a - b.  All parameters may be identical.
+ */
+
+mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c)
+{
+  mp_err  res;
+  int     magDiff;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (a == b) {
+    mp_zero(c);
+    return MP_OKAY;
+  }
+
+  if (MP_SIGN(a) != MP_SIGN(b)) {
+    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
+  } else if (!(magDiff = s_mp_cmp(a, b))) {
+    mp_zero(c);
+    res = MP_OKAY;
+  } else if (magDiff > 0) {
+    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
+  } else {
+    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
+    MP_SIGN(c) = !MP_SIGN(a);
+  }
+
+  if (s_mp_cmp_d(c, 0) == MP_EQ)
+    MP_SIGN(c) = MP_ZPOS;
+
+CLEANUP:
+  return res;
+
+} /* end mp_sub() */
+
+/* }}} */
+
+/* {{{ mp_mul(a, b, c) */
+
+/*
+  mp_mul(a, b, c)
+
+  Compute c = a * b.  All parameters may be identical.
+ */
+mp_err   mp_mul(const mp_int *a, const mp_int *b, mp_int * c)
+{
+  mp_digit *pb;
+  mp_int   tmp;
+  mp_err   res;
+  mp_size  ib;
+  mp_size  useda, usedb;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (a == c) {
+    if ((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+      return res;
+    if (a == b) 
+      b = &tmp;
+    a = &tmp;
+  } else if (b == c) {
+    if ((res = mp_init_copy(&tmp, b)) != MP_OKAY)
+      return res;
+    b = &tmp;
+  } else {
+    MP_DIGITS(&tmp) = 0;
+  }
+
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
+    b = a;
+    a = xch;
+  }
+
+  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
+  if((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
+    goto CLEANUP;
+
+#ifdef NSS_USE_COMBA
+  if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
+      if (MP_USED(a) == 4) {
+          s_mp_mul_comba_4(a, b, c);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 8) {
+          s_mp_mul_comba_8(a, b, c);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 16) {
+          s_mp_mul_comba_16(a, b, c);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 32) {
+          s_mp_mul_comba_32(a, b, c);
+          goto CLEANUP;
+      } 
+  }
+#endif
+
+  pb = MP_DIGITS(b);
+  s_mpv_mul_d(MP_DIGITS(a), MP_USED(a), *pb++, MP_DIGITS(c));
+
+  /* Outer loop:  Digits of b */
+  useda = MP_USED(a);
+  usedb = MP_USED(b);
+  for (ib = 1; ib < usedb; ib++) {
+    mp_digit b_i    = *pb++;
+
+    /* Inner product:  Digits of a */
+    if (b_i)
+      s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
+    else
+      MP_DIGIT(c, ib + useda) = b_i;
+  }
+
+  s_mp_clamp(c);
+
+  if(SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
+    SIGN(c) = ZPOS;
+  else
+    SIGN(c) = NEG;
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+} /* end mp_mul() */
+
+/* }}} */
+
+/* {{{ mp_sqr(a, sqr) */
+
+#if MP_SQUARE
+/*
+  Computes the square of a.  This can be done more
+  efficiently than a general multiplication, because many of the
+  computation steps are redundant when squaring.  The inner product
+  step is a bit more complicated, but we save a fair number of
+  iterations of the multiplication loop.
+ */
+
+/* sqr = a^2;   Caller provides both a and tmp; */
+mp_err   mp_sqr(const mp_int *a, mp_int *sqr)
+{
+  mp_digit *pa;
+  mp_digit d;
+  mp_err   res;
+  mp_size  ix;
+  mp_int   tmp;
+  int      count;
+
+  ARGCHK(a != NULL && sqr != NULL, MP_BADARG);
+
+  if (a == sqr) {
+    if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+      return res;
+    a = &tmp;
+  } else {
+    DIGITS(&tmp) = 0;
+    res = MP_OKAY;
+  }
+
+  ix = 2 * MP_USED(a);
+  if (ix > MP_ALLOC(sqr)) {
+    MP_USED(sqr) = 1; 
+    MP_CHECKOK( s_mp_grow(sqr, ix) );
+  } 
+  MP_USED(sqr) = ix;
+  MP_DIGIT(sqr, 0) = 0;
+
+#ifdef NSS_USE_COMBA
+  if (IS_POWER_OF_2(MP_USED(a))) {
+      if (MP_USED(a) == 4) {
+          s_mp_sqr_comba_4(a, sqr);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 8) {
+          s_mp_sqr_comba_8(a, sqr);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 16) {
+          s_mp_sqr_comba_16(a, sqr);
+          goto CLEANUP;
+      }
+      if (MP_USED(a) == 32) {
+          s_mp_sqr_comba_32(a, sqr);
+          goto CLEANUP;
+      } 
+  }
+#endif
+
+  pa = MP_DIGITS(a);
+  count = MP_USED(a) - 1;
+  if (count > 0) {
+    d = *pa++;
+    s_mpv_mul_d(pa, count, d, MP_DIGITS(sqr) + 1);
+    for (ix = 3; --count > 0; ix += 2) {
+      d = *pa++;
+      s_mpv_mul_d_add(pa, count, d, MP_DIGITS(sqr) + ix);
+    } /* for(ix ...) */
+    MP_DIGIT(sqr, MP_USED(sqr)-1) = 0; /* above loop stopped short of this. */
+
+    /* now sqr *= 2 */
+    s_mp_mul_2(sqr);
+  } else {
+    MP_DIGIT(sqr, 1) = 0;
+  }
+
+  /* now add the squares of the digits of a to sqr. */
+  s_mpv_sqr_add_prop(MP_DIGITS(a), MP_USED(a), MP_DIGITS(sqr));
+
+  SIGN(sqr) = ZPOS;
+  s_mp_clamp(sqr);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_sqr() */
+#endif
+
+/* }}} */
+
+/* {{{ mp_div(a, b, q, r) */
+
+/*
+  mp_div(a, b, q, r)
+
+  Compute q = a / b and r = a mod b.  Input parameters may be re-used
+  as output parameters.  If q or r is NULL, that portion of the
+  computation will be discarded (although it will still be computed)
+ */
+mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r)
+{
+  mp_err   res;
+  mp_int   *pQ, *pR;
+  mp_int   qtmp, rtmp, btmp;
+  int      cmp;
+  mp_sign  signA;
+  mp_sign  signB;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+  
+  signA = MP_SIGN(a);
+  signB = MP_SIGN(b);
+
+  if(mp_cmp_z(b) == MP_EQ)
+    return MP_RANGE;
+
+  DIGITS(&qtmp) = 0;
+  DIGITS(&rtmp) = 0;
+  DIGITS(&btmp) = 0;
+
+  /* Set up some temporaries... */
+  if (!r || r == a || r == b) {
+    MP_CHECKOK( mp_init_copy(&rtmp, a) );
+    pR = &rtmp;
+  } else {
+    MP_CHECKOK( mp_copy(a, r) );
+    pR = r;
+  }
+
+  if (!q || q == a || q == b) {
+    MP_CHECKOK( mp_init_size(&qtmp, MP_USED(a)) );
+    pQ = &qtmp;
+  } else {
+    MP_CHECKOK( s_mp_pad(q, MP_USED(a)) );
+    pQ = q;
+    mp_zero(pQ);
+  }
+
+  /*
+    If |a| <= |b|, we can compute the solution without division;
+    otherwise, we actually do the work required.
+   */
+  if ((cmp = s_mp_cmp(a, b)) <= 0) {
+    if (cmp) {
+      /* r was set to a above. */
+      mp_zero(pQ);
+    } else {
+      mp_set(pQ, 1);
+      mp_zero(pR);
+    }
+  } else {
+    MP_CHECKOK( mp_init_copy(&btmp, b) );
+    MP_CHECKOK( s_mp_div(pR, &btmp, pQ) );
+  }
+
+  /* Compute the signs for the output  */
+  MP_SIGN(pR) = signA;   /* Sr = Sa              */
+  /* Sq = ZPOS if Sa == Sb */ /* Sq = NEG if Sa != Sb */
+  MP_SIGN(pQ) = (signA == signB) ? ZPOS : NEG;
+
+  if(s_mp_cmp_d(pQ, 0) == MP_EQ)
+    SIGN(pQ) = ZPOS;
+  if(s_mp_cmp_d(pR, 0) == MP_EQ)
+    SIGN(pR) = ZPOS;
+
+  /* Copy output, if it is needed      */
+  if(q && q != pQ) 
+    s_mp_exch(pQ, q);
+
+  if(r && r != pR) 
+    s_mp_exch(pR, r);
+
+CLEANUP:
+  mp_clear(&btmp);
+  mp_clear(&rtmp);
+  mp_clear(&qtmp);
+
+  return res;
+
+} /* end mp_div() */
+
+/* }}} */
+
+/* {{{ mp_div_2d(a, d, q, r) */
+
+mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(q) {
+    if((res = mp_copy(a, q)) != MP_OKAY)
+      return res;
+  }
+  if(r) {
+    if((res = mp_copy(a, r)) != MP_OKAY)
+      return res;
+  }
+  if(q) {
+    s_mp_div_2d(q, d);
+  }
+  if(r) {
+    s_mp_mod_2d(r, d);
+  }
+
+  return MP_OKAY;
+
+} /* end mp_div_2d() */
+
+/* }}} */
+
+/* {{{ mp_expt(a, b, c) */
+
+/*
+  mp_expt(a, b, c)
+
+  Compute c = a ** b, that is, raise a to the b power.  Uses a
+  standard iterative square-and-multiply technique.
+ */
+
+mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+  mp_digit d;
+  int      dig, bit;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(b) < 0)
+    return MP_RANGE;
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+
+  mp_set(&s, 1);
+
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  /* Loop over low-order digits in ascending order */
+  for(dig = 0; dig < (USED(b) - 1); dig++) {
+    d = DIGIT(b, dig);
+
+    /* Loop over bits of each non-maximal digit */
+    for(bit = 0; bit < DIGIT_BIT; bit++) {
+      if(d & 1) {
+	if((res = s_mp_mul(&s, &x)) != MP_OKAY) 
+	  goto CLEANUP;
+      }
+
+      d >>= 1;
+      
+      if((res = s_mp_sqr(&x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+  }
+
+  /* Consider now the last digit... */
+  d = DIGIT(b, dig);
+
+  while(d) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d >>= 1;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+  
+  if(mp_iseven(b))
+    SIGN(&s) = SIGN(a);
+
+  res = mp_copy(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_expt() */
+
+/* }}} */
+
+/* {{{ mp_2expt(a, k) */
+
+/* Compute a = 2^k */
+
+mp_err mp_2expt(mp_int *a, mp_digit k)
+{
+  ARGCHK(a != NULL, MP_BADARG);
+
+  return s_mp_2expt(a, k);
+
+} /* end mp_2expt() */
+
+/* }}} */
+
+/* {{{ mp_mod(a, m, c) */
+
+/*
+  mp_mod(a, m, c)
+
+  Compute c = a (mod m).  Result will always be 0 <= c < m.
+ */
+
+mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+  int     mag;
+
+  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if(SIGN(m) == NEG)
+    return MP_RANGE;
+
+  /*
+     If |a| > m, we need to divide to get the remainder and take the
+     absolute value.  
+
+     If |a| < m, we don't need to do any division, just copy and adjust
+     the sign (if a is negative).
+
+     If |a| == m, we can simply set the result to zero.
+
+     This order is intended to minimize the average path length of the
+     comparison chain on common workloads -- the most frequent cases are
+     that |a| != m, so we do those first.
+   */
+  if((mag = s_mp_cmp(a, m)) > 0) {
+    if((res = mp_div(a, m, NULL, c)) != MP_OKAY)
+      return res;
+    
+    if(SIGN(c) == NEG) {
+      if((res = mp_add(c, m, c)) != MP_OKAY)
+	return res;
+    }
+
+  } else if(mag < 0) {
+    if((res = mp_copy(a, c)) != MP_OKAY)
+      return res;
+
+    if(mp_cmp_z(a) < 0) {
+      if((res = mp_add(c, m, c)) != MP_OKAY)
+	return res;
+
+    }
+    
+  } else {
+    mp_zero(c);
+
+  }
+
+  return MP_OKAY;
+
+} /* end mp_mod() */
+
+/* }}} */
+
+/* {{{ mp_mod_d(a, d, c) */
+
+/*
+  mp_mod_d(a, d, c)
+
+  Compute c = a (mod d).  Result will always be 0 <= c < d
+ */
+mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c)
+{
+  mp_err   res;
+  mp_digit rem;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if(s_mp_cmp_d(a, d) > 0) {
+    if((res = mp_div_d(a, d, NULL, &rem)) != MP_OKAY)
+      return res;
+
+  } else {
+    if(SIGN(a) == NEG)
+      rem = d - DIGIT(a, 0);
+    else
+      rem = DIGIT(a, 0);
+  }
+
+  if(c)
+    *c = rem;
+
+  return MP_OKAY;
+
+} /* end mp_mod_d() */
+
+/* }}} */
+
+/* {{{ mp_sqrt(a, b) */
+
+/*
+  mp_sqrt(a, b)
+
+  Compute the integer square root of a, and store the result in b.
+  Uses an integer-arithmetic version of Newton's iterative linear
+  approximation technique to determine this value; the result has the
+  following two properties:
+
+     b^2 <= a
+     (b+1)^2 >= a
+
+  It is a range error to pass a negative value.
+ */
+mp_err mp_sqrt(const mp_int *a, mp_int *b)
+{
+  mp_int   x, t;
+  mp_err   res;
+  mp_size  used;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  /* Cannot take square root of a negative value */
+  if(SIGN(a) == NEG)
+    return MP_RANGE;
+
+  /* Special cases for zero and one, trivial     */
+  if(mp_cmp_d(a, 1) <= 0)
+    return mp_copy(a, b);
+    
+  /* Initialize the temporaries we'll use below  */
+  if((res = mp_init_size(&t, USED(a))) != MP_OKAY)
+    return res;
+
+  /* Compute an initial guess for the iteration as a itself */
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  used = MP_USED(&x);
+  if (used > 1) {
+    s_mp_rshd(&x, used / 2);
+  }
+
+  for(;;) {
+    /* t = (x * x) - a */
+    mp_copy(&x, &t);      /* can't fail, t is big enough for original x */
+    if((res = mp_sqr(&t, &t)) != MP_OKAY ||
+       (res = mp_sub(&t, a, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+    /* t = t / 2x       */
+    s_mp_mul_2(&x);
+    if((res = mp_div(&t, &x, &t, NULL)) != MP_OKAY)
+      goto CLEANUP;
+    s_mp_div_2(&x);
+
+    /* Terminate the loop, if the quotient is zero */
+    if(mp_cmp_z(&t) == MP_EQ)
+      break;
+
+    /* x = x - t       */
+    if((res = mp_sub(&x, &t, &x)) != MP_OKAY)
+      goto CLEANUP;
+
+  }
+
+  /* Copy result to output parameter */
+  mp_sub_d(&x, 1, &x);
+  s_mp_exch(&x, b);
+
+ CLEANUP:
+  mp_clear(&x);
+ X:
+  mp_clear(&t); 
+
+  return res;
+
+} /* end mp_sqrt() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Modular arithmetic */
+
+#if MP_MODARITH
+/* {{{ mp_addmod(a, b, m, c) */
+
+/*
+  mp_addmod(a, b, m, c)
+
+  Compute c = (a + b) mod m
+ */
+
+mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_add(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_submod(a, b, m, c) */
+
+/*
+  mp_submod(a, b, m, c)
+
+  Compute c = (a - b) mod m
+ */
+
+mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_sub(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_mulmod(a, b, m, c) */
+
+/*
+  mp_mulmod(a, b, m, c)
+
+  Compute c = (a * b) mod m
+ */
+
+mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_mul(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_sqrmod(a, m, c) */
+
+#if MP_SQUARE
+mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_sqr(a, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+} /* end mp_sqrmod() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_exptmod(a, b, m, c) */
+
+/*
+  s_mp_exptmod(a, b, m, c)
+
+  Compute c = (a ** b) mod m.  Uses a standard square-and-multiply
+  method with modular reductions at each step. (This is basically the
+  same code as mp_expt(), except for the addition of the reductions)
+  
+  The modular reductions are done using Barrett's algorithm (see
+  s_mp_reduce() below for details)
+ */
+
+mp_err s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_int   s, x, mu;
+  mp_err   res;
+  mp_digit d;
+  int      dig, bit;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(b) < 0 || mp_cmp_z(m) <= 0)
+    return MP_RANGE;
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY ||
+     (res = mp_mod(&x, m, &x)) != MP_OKAY)
+    goto X;
+  if((res = mp_init(&mu)) != MP_OKAY)
+    goto MU;
+
+  mp_set(&s, 1);
+
+  /* mu = b^2k / m */
+  s_mp_add_d(&mu, 1); 
+  s_mp_lshd(&mu, 2 * USED(m));
+  if((res = mp_div(&mu, m, &mu, NULL)) != MP_OKAY)
+    goto CLEANUP;
+
+  /* Loop over digits of b in ascending order, except highest order */
+  for(dig = 0; dig < (USED(b) - 1); dig++) {
+    d = DIGIT(b, dig);
+
+    /* Loop over the bits of the lower-order digits */
+    for(bit = 0; bit < DIGIT_BIT; bit++) {
+      if(d & 1) {
+	if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	  goto CLEANUP;
+	if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
+	  goto CLEANUP;
+      }
+
+      d >>= 1;
+
+      if((res = s_mp_sqr(&x)) != MP_OKAY)
+	goto CLEANUP;
+      if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
+	goto CLEANUP;
+    }
+  }
+
+  /* Now do the last digit... */
+  d = DIGIT(b, dig);
+
+  while(d) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+      if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d >>= 1;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+    if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+ CLEANUP:
+  mp_clear(&mu);
+ MU:
+  mp_clear(&x);
+ X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end s_mp_exptmod() */
+
+/* }}} */
+
+/* {{{ mp_exptmod_d(a, d, m, c) */
+
+mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  mp_set(&s, 1);
+
+  while(d != 0) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY ||
+	 (res = mp_mod(&s, m, &s)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d /= 2;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY ||
+       (res = mp_mod(&x, m, &x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_exptmod_d() */
+
+/* }}} */
+#endif /* if MP_MODARITH */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Comparison functions */
+
+/* {{{ mp_cmp_z(a) */
+
+/*
+  mp_cmp_z(a)
+
+  Compare a <=> 0.  Returns <0 if a<0, 0 if a=0, >0 if a>0.
+ */
+
+int    mp_cmp_z(const mp_int *a)
+{
+  if(SIGN(a) == NEG)
+    return MP_LT;
+  else if(USED(a) == 1 && DIGIT(a, 0) == 0)
+    return MP_EQ;
+  else
+    return MP_GT;
+
+} /* end mp_cmp_z() */
+
+/* }}} */
+
+/* {{{ mp_cmp_d(a, d) */
+
+/*
+  mp_cmp_d(a, d)
+
+  Compare a <=> d.  Returns <0 if a<d, 0 if a=d, >0 if a>d
+ */
+
+int    mp_cmp_d(const mp_int *a, mp_digit d)
+{
+  ARGCHK(a != NULL, MP_EQ);
+
+  if(SIGN(a) == NEG)
+    return MP_LT;
+
+  return s_mp_cmp_d(a, d);
+
+} /* end mp_cmp_d() */
+
+/* }}} */
+
+/* {{{ mp_cmp(a, b) */
+
+int    mp_cmp(const mp_int *a, const mp_int *b)
+{
+  ARGCHK(a != NULL && b != NULL, MP_EQ);
+
+  if(SIGN(a) == SIGN(b)) {
+    int  mag;
+
+    if((mag = s_mp_cmp(a, b)) == MP_EQ)
+      return MP_EQ;
+
+    if(SIGN(a) == ZPOS)
+      return mag;
+    else
+      return -mag;
+
+  } else if(SIGN(a) == ZPOS) {
+    return MP_GT;
+  } else {
+    return MP_LT;
+  }
+
+} /* end mp_cmp() */
+
+/* }}} */
+
+/* {{{ mp_cmp_mag(a, b) */
+
+/*
+  mp_cmp_mag(a, b)
+
+  Compares |a| <=> |b|, and returns an appropriate comparison result
+ */
+
+int    mp_cmp_mag(mp_int *a, mp_int *b)
+{
+  ARGCHK(a != NULL && b != NULL, MP_EQ);
+
+  return s_mp_cmp(a, b);
+
+} /* end mp_cmp_mag() */
+
+/* }}} */
+
+/* {{{ mp_cmp_int(a, z) */
+
+/*
+  This just converts z to an mp_int, and uses the existing comparison
+  routines.  This is sort of inefficient, but it's not clear to me how
+  frequently this wil get used anyway.  For small positive constants,
+  you can always use mp_cmp_d(), and for zero, there is mp_cmp_z().
+ */
+int    mp_cmp_int(const mp_int *a, long z)
+{
+  mp_int  tmp;
+  int     out;
+
+  ARGCHK(a != NULL, MP_EQ);
+  
+  mp_init(&tmp); mp_set_int(&tmp, z);
+  out = mp_cmp(a, &tmp);
+  mp_clear(&tmp);
+
+  return out;
+
+} /* end mp_cmp_int() */
+
+/* }}} */
+
+/* {{{ mp_isodd(a) */
+
+/*
+  mp_isodd(a)
+
+  Returns a true (non-zero) value if a is odd, false (zero) otherwise.
+ */
+int    mp_isodd(const mp_int *a)
+{
+  ARGCHK(a != NULL, 0);
+
+  return (int)(DIGIT(a, 0) & 1);
+
+} /* end mp_isodd() */
+
+/* }}} */
+
+/* {{{ mp_iseven(a) */
+
+int    mp_iseven(const mp_int *a)
+{
+  return !mp_isodd(a);
+
+} /* end mp_iseven() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Number theoretic functions */
+
+#if MP_NUMTH
+/* {{{ mp_gcd(a, b, c) */
+
+/*
+  Like the old mp_gcd() function, except computes the GCD using the
+  binary algorithm due to Josef Stein in 1961 (via Knuth).
+ */
+mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_err   res;
+  mp_int   u, v, t;
+  mp_size  k = 0;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(a) == MP_EQ && mp_cmp_z(b) == MP_EQ)
+      return MP_RANGE;
+  if(mp_cmp_z(a) == MP_EQ) {
+    return mp_copy(b, c);
+  } else if(mp_cmp_z(b) == MP_EQ) {
+    return mp_copy(a, c);
+  }
+
+  if((res = mp_init(&t)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&u, a)) != MP_OKAY)
+    goto U;
+  if((res = mp_init_copy(&v, b)) != MP_OKAY)
+    goto V;
+
+  SIGN(&u) = ZPOS;
+  SIGN(&v) = ZPOS;
+
+  /* Divide out common factors of 2 until at least 1 of a, b is even */
+  while(mp_iseven(&u) && mp_iseven(&v)) {
+    s_mp_div_2(&u);
+    s_mp_div_2(&v);
+    ++k;
+  }
+
+  /* Initialize t */
+  if(mp_isodd(&u)) {
+    if((res = mp_copy(&v, &t)) != MP_OKAY)
+      goto CLEANUP;
+    
+    /* t = -v */
+    if(SIGN(&v) == ZPOS)
+      SIGN(&t) = NEG;
+    else
+      SIGN(&t) = ZPOS;
+    
+  } else {
+    if((res = mp_copy(&u, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+  }
+
+  for(;;) {
+    while(mp_iseven(&t)) {
+      s_mp_div_2(&t);
+    }
+
+    if(mp_cmp_z(&t) == MP_GT) {
+      if((res = mp_copy(&t, &u)) != MP_OKAY)
+	goto CLEANUP;
+
+    } else {
+      if((res = mp_copy(&t, &v)) != MP_OKAY)
+	goto CLEANUP;
+
+      /* v = -t */
+      if(SIGN(&t) == ZPOS)
+	SIGN(&v) = NEG;
+      else
+	SIGN(&v) = ZPOS;
+    }
+
+    if((res = mp_sub(&u, &v, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(s_mp_cmp_d(&t, 0) == MP_EQ)
+      break;
+  }
+
+  s_mp_2expt(&v, k);       /* v = 2^k   */
+  res = mp_mul(&u, &v, c); /* c = u * v */
+
+ CLEANUP:
+  mp_clear(&v);
+ V:
+  mp_clear(&u);
+ U:
+  mp_clear(&t);
+
+  return res;
+
+} /* end mp_gcd() */
+
+/* }}} */
+
+/* {{{ mp_lcm(a, b, c) */
+
+/* We compute the least common multiple using the rule:
+
+   ab = [a, b](a, b)
+
+   ... by computing the product, and dividing out the gcd.
+ */
+
+mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  gcd, prod;
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  /* Set up temporaries */
+  if((res = mp_init(&gcd)) != MP_OKAY)
+    return res;
+  if((res = mp_init(&prod)) != MP_OKAY)
+    goto GCD;
+
+  if((res = mp_mul(a, b, &prod)) != MP_OKAY)
+    goto CLEANUP;
+  if((res = mp_gcd(a, b, &gcd)) != MP_OKAY)
+    goto CLEANUP;
+
+  res = mp_div(&prod, &gcd, c, NULL);
+
+ CLEANUP:
+  mp_clear(&prod);
+ GCD:
+  mp_clear(&gcd);
+
+  return res;
+
+} /* end mp_lcm() */
+
+/* }}} */
+
+/* {{{ mp_xgcd(a, b, g, x, y) */
+
+/*
+  mp_xgcd(a, b, g, x, y)
+
+  Compute g = (a, b) and values x and y satisfying Bezout's identity
+  (that is, ax + by = g).  This uses the binary extended GCD algorithm
+  based on the Stein algorithm used for mp_gcd()
+  See algorithm 14.61 in Handbook of Applied Cryptogrpahy.
+ */
+
+mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y)
+{
+  mp_int   gx, xc, yc, u, v, A, B, C, D;
+  mp_int  *clean[9];
+  mp_err   res;
+  int      last = -1;
+
+  if(mp_cmp_z(b) == 0)
+    return MP_RANGE;
+
+  /* Initialize all these variables we need */
+  MP_CHECKOK( mp_init(&u) );
+  clean[++last] = &u;
+  MP_CHECKOK( mp_init(&v) );
+  clean[++last] = &v;
+  MP_CHECKOK( mp_init(&gx) );
+  clean[++last] = &gx;
+  MP_CHECKOK( mp_init(&A) );
+  clean[++last] = &A;
+  MP_CHECKOK( mp_init(&B) );
+  clean[++last] = &B;
+  MP_CHECKOK( mp_init(&C) );
+  clean[++last] = &C;
+  MP_CHECKOK( mp_init(&D) );
+  clean[++last] = &D;
+  MP_CHECKOK( mp_init_copy(&xc, a) );
+  clean[++last] = &xc;
+  mp_abs(&xc, &xc);
+  MP_CHECKOK( mp_init_copy(&yc, b) );
+  clean[++last] = &yc;
+  mp_abs(&yc, &yc);
+
+  mp_set(&gx, 1);
+
+  /* Divide by two until at least one of them is odd */
+  while(mp_iseven(&xc) && mp_iseven(&yc)) {
+    mp_size nx = mp_trailing_zeros(&xc);
+    mp_size ny = mp_trailing_zeros(&yc);
+    mp_size n  = MP_MIN(nx, ny);
+    s_mp_div_2d(&xc,n);
+    s_mp_div_2d(&yc,n);
+    MP_CHECKOK( s_mp_mul_2d(&gx,n) );
+  }
+
+  mp_copy(&xc, &u);
+  mp_copy(&yc, &v);
+  mp_set(&A, 1); mp_set(&D, 1);
+
+  /* Loop through binary GCD algorithm */
+  do {
+    while(mp_iseven(&u)) {
+      s_mp_div_2(&u);
+
+      if(mp_iseven(&A) && mp_iseven(&B)) {
+	s_mp_div_2(&A); s_mp_div_2(&B);
+      } else {
+	MP_CHECKOK( mp_add(&A, &yc, &A) );
+	s_mp_div_2(&A);
+	MP_CHECKOK( mp_sub(&B, &xc, &B) );
+	s_mp_div_2(&B);
+      }
+    }
+
+    while(mp_iseven(&v)) {
+      s_mp_div_2(&v);
+
+      if(mp_iseven(&C) && mp_iseven(&D)) {
+	s_mp_div_2(&C); s_mp_div_2(&D);
+      } else {
+	MP_CHECKOK( mp_add(&C, &yc, &C) );
+	s_mp_div_2(&C);
+	MP_CHECKOK( mp_sub(&D, &xc, &D) );
+	s_mp_div_2(&D);
+      }
+    }
+
+    if(mp_cmp(&u, &v) >= 0) {
+      MP_CHECKOK( mp_sub(&u, &v, &u) );
+      MP_CHECKOK( mp_sub(&A, &C, &A) );
+      MP_CHECKOK( mp_sub(&B, &D, &B) );
+    } else {
+      MP_CHECKOK( mp_sub(&v, &u, &v) );
+      MP_CHECKOK( mp_sub(&C, &A, &C) );
+      MP_CHECKOK( mp_sub(&D, &B, &D) );
+    }
+  } while (mp_cmp_z(&u) != 0);
+
+  /* copy results to output */
+  if(x)
+    MP_CHECKOK( mp_copy(&C, x) );
+
+  if(y)
+    MP_CHECKOK( mp_copy(&D, y) );
+      
+  if(g)
+    MP_CHECKOK( mp_mul(&gx, &v, g) );
+
+ CLEANUP:
+  while(last >= 0)
+    mp_clear(clean[last--]);
+
+  return res;
+
+} /* end mp_xgcd() */
+
+/* }}} */
+
+mp_size mp_trailing_zeros(const mp_int *mp)
+{
+  mp_digit d;
+  mp_size  n = 0;
+  int      ix;
+
+  if (!mp || !MP_DIGITS(mp) || !mp_cmp_z(mp))
+    return n;
+
+  for (ix = 0; !(d = MP_DIGIT(mp,ix)) && (ix < MP_USED(mp)); ++ix)
+    n += MP_DIGIT_BIT;
+  if (!d)
+    return 0;	/* shouldn't happen, but ... */
+#if !defined(MP_USE_UINT_DIGIT)
+  if (!(d & 0xffffffffU)) {
+    d >>= 32;
+    n  += 32;
+  }
+#endif
+  if (!(d & 0xffffU)) {
+    d >>= 16;
+    n  += 16;
+  }
+  if (!(d & 0xffU)) {
+    d >>= 8;
+    n  += 8;
+  }
+  if (!(d & 0xfU)) {
+    d >>= 4;
+    n  += 4;
+  }
+  if (!(d & 0x3U)) {
+    d >>= 2;
+    n  += 2;
+  }
+  if (!(d & 0x1U)) {
+    d >>= 1;
+    n  += 1;
+  }
+#if MP_ARGCHK == 2
+  assert(0 != (d & 1));
+#endif
+  return n;
+}
+
+/* Given a and prime p, computes c and k such that a*c == 2**k (mod p).
+** Returns k (positive) or error (negative).
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_err s_mp_almost_inverse(const mp_int *a, const mp_int *p, mp_int *c)
+{
+  mp_err res;
+  mp_err k    = 0;
+  mp_int d, f, g;
+
+  ARGCHK(a && p && c, MP_BADARG);
+
+  MP_DIGITS(&d) = 0;
+  MP_DIGITS(&f) = 0;
+  MP_DIGITS(&g) = 0;
+  MP_CHECKOK( mp_init(&d) );
+  MP_CHECKOK( mp_init_copy(&f, a) );	/* f = a */
+  MP_CHECKOK( mp_init_copy(&g, p) );	/* g = p */
+
+  mp_set(c, 1);
+  mp_zero(&d);
+
+  if (mp_cmp_z(&f) == 0) {
+    res = MP_UNDEF;
+  } else 
+  for (;;) {
+    int diff_sign;
+    while (mp_iseven(&f)) {
+      mp_size n = mp_trailing_zeros(&f);
+      if (!n) {
+	res = MP_UNDEF;
+	goto CLEANUP;
+      }
+      s_mp_div_2d(&f, n);
+      MP_CHECKOK( s_mp_mul_2d(&d, n) );
+      k += n;
+    }
+    if (mp_cmp_d(&f, 1) == MP_EQ) {	/* f == 1 */
+      res = k;
+      break;
+    }
+    diff_sign = mp_cmp(&f, &g);
+    if (diff_sign < 0) {		/* f < g */
+      s_mp_exch(&f, &g);
+      s_mp_exch(c, &d);
+    } else if (diff_sign == 0) {		/* f == g */
+      res = MP_UNDEF;		/* a and p are not relatively prime */
+      break;
+    }
+    if ((MP_DIGIT(&f,0) % 4) == (MP_DIGIT(&g,0) % 4)) {
+      MP_CHECKOK( mp_sub(&f, &g, &f) );	/* f = f - g */
+      MP_CHECKOK( mp_sub(c,  &d,  c) );	/* c = c - d */
+    } else {
+      MP_CHECKOK( mp_add(&f, &g, &f) );	/* f = f + g */
+      MP_CHECKOK( mp_add(c,  &d,  c) );	/* c = c + d */
+    }
+  }
+  if (res >= 0) {
+    while (MP_SIGN(c) != MP_ZPOS) {
+      MP_CHECKOK( mp_add(c, p, c) );
+    }
+    res = k;
+  }
+
+CLEANUP:
+  mp_clear(&d);
+  mp_clear(&f);
+  mp_clear(&g);
+  return res;
+}
+
+/* Compute T = (P ** -1) mod MP_RADIX.  Also works for 16-bit mp_digits.
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_digit  s_mp_invmod_radix(mp_digit P)
+{
+  mp_digit T = P;
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+#if !defined(MP_USE_UINT_DIGIT)
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+#endif
+  return T;
+}
+
+/* Given c, k, and prime p, where a*c == 2**k (mod p), 
+** Compute x = (a ** -1) mod p.  This is similar to Montgomery reduction.
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_err  s_mp_fixup_reciprocal(const mp_int *c, const mp_int *p, int k, mp_int *x)
+{
+  int      k_orig = k;
+  mp_digit r;
+  mp_size  ix;
+  mp_err   res;
+
+  if (mp_cmp_z(c) < 0) {		/* c < 0 */
+    MP_CHECKOK( mp_add(c, p, x) );	/* x = c + p */
+  } else {
+    MP_CHECKOK( mp_copy(c, x) );	/* x = c */
+  }
+
+  /* make sure x is large enough */
+  ix = MP_HOWMANY(k, MP_DIGIT_BIT) + MP_USED(p) + 1;
+  ix = MP_MAX(ix, MP_USED(x));
+  MP_CHECKOK( s_mp_pad(x, ix) );
+
+  r = 0 - s_mp_invmod_radix(MP_DIGIT(p,0));
+
+  for (ix = 0; k > 0; ix++) {
+    int      j = MP_MIN(k, MP_DIGIT_BIT);
+    mp_digit v = r * MP_DIGIT(x, ix);
+    if (j < MP_DIGIT_BIT) {
+      v &= ((mp_digit)1 << j) - 1;	/* v = v mod (2 ** j) */
+    }
+    s_mp_mul_d_add_offset(p, v, x, ix); /* x += p * v * (RADIX ** ix) */
+    k -= j;
+  }
+  s_mp_clamp(x);
+  s_mp_div_2d(x, k_orig);
+  res = MP_OKAY;
+
+CLEANUP:
+  return res;
+}
+
+/* compute mod inverse using Schroeppel's method, only if m is odd */
+mp_err s_mp_invmod_odd_m(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  int k;
+  mp_err  res;
+  mp_int  x;
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+  if (mp_iseven(m))
+    return MP_UNDEF;
+
+  MP_DIGITS(&x) = 0;
+
+  if (a == c) {
+    if ((res = mp_init_copy(&x, a)) != MP_OKAY)
+      return res;
+    if (a == m) 
+      m = &x;
+    a = &x;
+  } else if (m == c) {
+    if ((res = mp_init_copy(&x, m)) != MP_OKAY)
+      return res;
+    m = &x;
+  } else {
+    MP_DIGITS(&x) = 0;
+  }
+
+  MP_CHECKOK( s_mp_almost_inverse(a, m, c) );
+  k = res;
+  MP_CHECKOK( s_mp_fixup_reciprocal(c, m, k, c) );
+CLEANUP:
+  mp_clear(&x);
+  return res;
+}
+
+/* Known good algorithm for computing modular inverse.  But slow. */
+mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_int  g, x;
+  mp_err  res;
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+
+  MP_DIGITS(&g) = 0;
+  MP_DIGITS(&x) = 0;
+  MP_CHECKOK( mp_init(&x) );
+  MP_CHECKOK( mp_init(&g) );
+
+  MP_CHECKOK( mp_xgcd(a, m, &g, &x, NULL) );
+
+  if (mp_cmp_d(&g, 1) != MP_EQ) {
+    res = MP_UNDEF;
+    goto CLEANUP;
+  }
+
+  res = mp_mod(&x, m, c);
+  SIGN(c) = SIGN(a);
+
+CLEANUP:
+  mp_clear(&x);
+  mp_clear(&g);
+
+  return res;
+}
+
+/* modular inverse where modulus is 2**k. */
+/* c = a**-1 mod 2**k */
+mp_err s_mp_invmod_2d(const mp_int *a, mp_size k, mp_int *c)
+{
+  mp_err res;
+  mp_size ix = k + 4;
+  mp_int t0, t1, val, tmp, two2k;
+
+  static const mp_digit d2 = 2;
+  static const mp_int two = { MP_ZPOS, 1, 1, (mp_digit *)&d2 };
+
+  if (mp_iseven(a))
+    return MP_UNDEF;
+  if (k <= MP_DIGIT_BIT) {
+    mp_digit i = s_mp_invmod_radix(MP_DIGIT(a,0));
+    if (k < MP_DIGIT_BIT)
+      i &= ((mp_digit)1 << k) - (mp_digit)1;
+    mp_set(c, i);
+    return MP_OKAY;
+  }
+  MP_DIGITS(&t0) = 0;
+  MP_DIGITS(&t1) = 0;
+  MP_DIGITS(&val) = 0;
+  MP_DIGITS(&tmp) = 0;
+  MP_DIGITS(&two2k) = 0;
+  MP_CHECKOK( mp_init_copy(&val, a) );
+  s_mp_mod_2d(&val, k);
+  MP_CHECKOK( mp_init_copy(&t0, &val) );
+  MP_CHECKOK( mp_init_copy(&t1, &t0)  );
+  MP_CHECKOK( mp_init(&tmp) );
+  MP_CHECKOK( mp_init(&two2k) );
+  MP_CHECKOK( s_mp_2expt(&two2k, k) );
+  do {
+    MP_CHECKOK( mp_mul(&val, &t1, &tmp)  );
+    MP_CHECKOK( mp_sub(&two, &tmp, &tmp) );
+    MP_CHECKOK( mp_mul(&t1, &tmp, &t1)   );
+    s_mp_mod_2d(&t1, k);
+    while (MP_SIGN(&t1) != MP_ZPOS) {
+      MP_CHECKOK( mp_add(&t1, &two2k, &t1) );
+    }
+    if (mp_cmp(&t1, &t0) == MP_EQ) 
+      break;
+    MP_CHECKOK( mp_copy(&t1, &t0) );
+  } while (--ix > 0);
+  if (!ix) {
+    res = MP_UNDEF;
+  } else {
+    mp_exch(c, &t1);
+  }
+
+CLEANUP:
+  mp_clear(&t0);
+  mp_clear(&t1);
+  mp_clear(&val);
+  mp_clear(&tmp);
+  mp_clear(&two2k);
+  return res;
+}
+
+mp_err s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err res;
+  mp_size k;
+  mp_int oddFactor, evenFactor;	/* factors of the modulus */
+  mp_int oddPart, evenPart;	/* parts to combine via CRT. */
+  mp_int C2, tmp1, tmp2;
+
+  /*static const mp_digit d1 = 1; */
+  /*static const mp_int one = { MP_ZPOS, 1, 1, (mp_digit *)&d1 }; */
+
+  if ((res = s_mp_ispow2(m)) >= 0) {
+    k = res;
+    return s_mp_invmod_2d(a, k, c);
+  }
+  MP_DIGITS(&oddFactor) = 0;
+  MP_DIGITS(&evenFactor) = 0;
+  MP_DIGITS(&oddPart) = 0;
+  MP_DIGITS(&evenPart) = 0;
+  MP_DIGITS(&C2)     = 0;
+  MP_DIGITS(&tmp1)   = 0;
+  MP_DIGITS(&tmp2)   = 0;
+
+  MP_CHECKOK( mp_init_copy(&oddFactor, m) );    /* oddFactor = m */
+  MP_CHECKOK( mp_init(&evenFactor) );
+  MP_CHECKOK( mp_init(&oddPart) );
+  MP_CHECKOK( mp_init(&evenPart) );
+  MP_CHECKOK( mp_init(&C2)     );
+  MP_CHECKOK( mp_init(&tmp1)   );
+  MP_CHECKOK( mp_init(&tmp2)   );
+
+  k = mp_trailing_zeros(m);
+  s_mp_div_2d(&oddFactor, k);
+  MP_CHECKOK( s_mp_2expt(&evenFactor, k) );
+
+  /* compute a**-1 mod oddFactor. */
+  MP_CHECKOK( s_mp_invmod_odd_m(a, &oddFactor, &oddPart) );
+  /* compute a**-1 mod evenFactor, where evenFactor == 2**k. */
+  MP_CHECKOK( s_mp_invmod_2d(   a,       k,    &evenPart) );
+
+  /* Use Chinese Remainer theorem to compute a**-1 mod m. */
+  /* let m1 = oddFactor,  v1 = oddPart, 
+   * let m2 = evenFactor, v2 = evenPart.
+   */
+
+  /* Compute C2 = m1**-1 mod m2. */
+  MP_CHECKOK( s_mp_invmod_2d(&oddFactor, k,    &C2) );
+
+  /* compute u = (v2 - v1)*C2 mod m2 */
+  MP_CHECKOK( mp_sub(&evenPart, &oddPart,   &tmp1) );
+  MP_CHECKOK( mp_mul(&tmp1,     &C2,        &tmp2) );
+  s_mp_mod_2d(&tmp2, k);
+  while (MP_SIGN(&tmp2) != MP_ZPOS) {
+    MP_CHECKOK( mp_add(&tmp2, &evenFactor, &tmp2) );
+  }
+
+  /* compute answer = v1 + u*m1 */
+  MP_CHECKOK( mp_mul(&tmp2,     &oddFactor, c) );
+  MP_CHECKOK( mp_add(&oddPart,  c,          c) );
+  /* not sure this is necessary, but it's low cost if not. */
+  MP_CHECKOK( mp_mod(c,         m,          c) );
+
+CLEANUP:
+  mp_clear(&oddFactor);
+  mp_clear(&evenFactor);
+  mp_clear(&oddPart);
+  mp_clear(&evenPart);
+  mp_clear(&C2);
+  mp_clear(&tmp1);
+  mp_clear(&tmp2);
+  return res;
+}
+
+
+/* {{{ mp_invmod(a, m, c) */
+
+/*
+  mp_invmod(a, m, c)
+
+  Compute c = a^-1 (mod m), if there is an inverse for a (mod m).
+  This is equivalent to the question of whether (a, m) = 1.  If not,
+  MP_UNDEF is returned, and there is no inverse.
+ */
+
+mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+
+  if (mp_isodd(m)) {
+    return s_mp_invmod_odd_m(a, m, c);
+  }
+  if (mp_iseven(a))
+    return MP_UNDEF;	/* not invertable */
+
+  return s_mp_invmod_even_m(a, m, c);
+
+} /* end mp_invmod() */
+
+/* }}} */
+#endif /* if MP_NUMTH */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ mp_print(mp, ofp) */
+
+#if MP_IOFUNC
+/*
+  mp_print(mp, ofp)
+
+  Print a textual representation of the given mp_int on the output
+  stream 'ofp'.  Output is generated using the internal radix.
+ */
+
+void   mp_print(mp_int *mp, FILE *ofp)
+{
+  int   ix;
+
+  if(mp == NULL || ofp == NULL)
+    return;
+
+  fputc((SIGN(mp) == NEG) ? '-' : '+', ofp);
+
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    fprintf(ofp, DIGIT_FMT, DIGIT(mp, ix));
+  }
+
+} /* end mp_print() */
+
+#endif /* if MP_IOFUNC */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ More I/O Functions */
+
+/* {{{ mp_read_raw(mp, str, len) */
+
+/* 
+   mp_read_raw(mp, str, len)
+
+   Read in a raw value (base 256) into the given mp_int
+ */
+
+mp_err  mp_read_raw(mp_int *mp, char *str, int len)
+{
+  int            ix;
+  mp_err         res;
+  unsigned char *ustr = (unsigned char *)str;
+
+  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
+
+  mp_zero(mp);
+
+  /* Get sign from first byte */
+  if(ustr[0])
+    SIGN(mp) = NEG;
+  else
+    SIGN(mp) = ZPOS;
+
+  /* Read the rest of the digits */
+  for(ix = 1; ix < len; ix++) {
+    if((res = mp_mul_d(mp, 256, mp)) != MP_OKAY)
+      return res;
+    if((res = mp_add_d(mp, ustr[ix], mp)) != MP_OKAY)
+      return res;
+  }
+
+  return MP_OKAY;
+
+} /* end mp_read_raw() */
+
+/* }}} */
+
+/* {{{ mp_raw_size(mp) */
+
+int    mp_raw_size(mp_int *mp)
+{
+  ARGCHK(mp != NULL, 0);
+
+  return (USED(mp) * sizeof(mp_digit)) + 1;
+
+} /* end mp_raw_size() */
+
+/* }}} */
+
+/* {{{ mp_toraw(mp, str) */
+
+mp_err mp_toraw(mp_int *mp, char *str)
+{
+  int  ix, jx, pos = 1;
+
+  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
+
+  str[0] = (char)SIGN(mp);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      str[pos++] = (char)(d >> (jx * CHAR_BIT));
+    }
+  }
+
+  return MP_OKAY;
+
+} /* end mp_toraw() */
+
+/* }}} */
+
+/* {{{ mp_read_radix(mp, str, radix) */
+
+/*
+  mp_read_radix(mp, str, radix)
+
+  Read an integer from the given string, and set mp to the resulting
+  value.  The input is presumed to be in base 10.  Leading non-digit
+  characters are ignored, and the function reads until a non-digit
+  character or the end of the string.
+ */
+
+mp_err  mp_read_radix(mp_int *mp, const char *str, int radix)
+{
+  int     ix = 0, val = 0;
+  mp_err  res;
+  mp_sign sig = ZPOS;
+
+  ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX, 
+	 MP_BADARG);
+
+  mp_zero(mp);
+
+  /* Skip leading non-digit characters until a digit or '-' or '+' */
+  while(str[ix] && 
+	(s_mp_tovalue(str[ix], radix) < 0) && 
+	str[ix] != '-' &&
+	str[ix] != '+') {
+    ++ix;
+  }
+
+  if(str[ix] == '-') {
+    sig = NEG;
+    ++ix;
+  } else if(str[ix] == '+') {
+    sig = ZPOS; /* this is the default anyway... */
+    ++ix;
+  }
+
+  while((val = s_mp_tovalue(str[ix], radix)) >= 0) {
+    if((res = s_mp_mul_d(mp, radix)) != MP_OKAY)
+      return res;
+    if((res = s_mp_add_d(mp, val)) != MP_OKAY)
+      return res;
+    ++ix;
+  }
+
+  if(s_mp_cmp_d(mp, 0) == MP_EQ)
+    SIGN(mp) = ZPOS;
+  else
+    SIGN(mp) = sig;
+
+  return MP_OKAY;
+
+} /* end mp_read_radix() */
+
+mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix)
+{
+  int     radix = default_radix;
+  int     cx;
+  mp_sign sig   = ZPOS;
+  mp_err  res;
+
+  /* Skip leading non-digit characters until a digit or '-' or '+' */
+  while ((cx = *str) != 0 && 
+	(s_mp_tovalue(cx, radix) < 0) && 
+	cx != '-' &&
+	cx != '+') {
+    ++str;
+  }
+
+  if (cx == '-') {
+    sig = NEG;
+    ++str;
+  } else if (cx == '+') {
+    sig = ZPOS; /* this is the default anyway... */
+    ++str;
+  }
+
+  if (str[0] == '0') {
+    if ((str[1] | 0x20) == 'x') {
+      radix = 16;
+      str += 2;
+    } else {
+      radix = 8;
+      str++;
+    }
+  }
+  res = mp_read_radix(a, str, radix);
+  if (res == MP_OKAY) {
+    MP_SIGN(a) = (s_mp_cmp_d(a, 0) == MP_EQ) ? ZPOS : sig;
+  }
+  return res;
+}
+
+/* }}} */
+
+/* {{{ mp_radix_size(mp, radix) */
+
+int    mp_radix_size(mp_int *mp, int radix)
+{
+  int  bits;
+
+  if(!mp || radix < 2 || radix > MAX_RADIX)
+    return 0;
+
+  bits = USED(mp) * DIGIT_BIT - 1;
+ 
+  return s_mp_outlen(bits, radix);
+
+} /* end mp_radix_size() */
+
+/* }}} */
+
+/* {{{ mp_toradix(mp, str, radix) */
+
+mp_err mp_toradix(mp_int *mp, char *str, int radix)
+{
+  int  ix, pos = 0;
+
+  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
+  ARGCHK(radix > 1 && radix <= MAX_RADIX, MP_RANGE);
+
+  if(mp_cmp_z(mp) == MP_EQ) {
+    str[0] = '0';
+    str[1] = '\0';
+  } else {
+    mp_err   res;
+    mp_int   tmp;
+    mp_sign  sgn;
+    mp_digit rem, rdx = (mp_digit)radix;
+    char     ch;
+
+    if((res = mp_init_copy(&tmp, mp)) != MP_OKAY)
+      return res;
+
+    /* Save sign for later, and take absolute value */
+    sgn = SIGN(&tmp); SIGN(&tmp) = ZPOS;
+
+    /* Generate output digits in reverse order      */
+    while(mp_cmp_z(&tmp) != 0) {
+      if((res = mp_div_d(&tmp, rdx, &tmp, &rem)) != MP_OKAY) {
+	mp_clear(&tmp);
+	return res;
+      }
+
+      /* Generate digits, use capital letters */
+      ch = s_mp_todigit(rem, radix, 0);
+
+      str[pos++] = ch;
+    }
+
+    /* Add - sign if original value was negative */
+    if(sgn == NEG)
+      str[pos++] = '-';
+
+    /* Add trailing NUL to end the string        */
+    str[pos--] = '\0';
+
+    /* Reverse the digits and sign indicator     */
+    ix = 0;
+    while(ix < pos) {
+      char tmp = str[ix];
+
+      str[ix] = str[pos];
+      str[pos] = tmp;
+      ++ix;
+      --pos;
+    }
+    
+    mp_clear(&tmp);
+  }
+
+  return MP_OKAY;
+
+} /* end mp_toradix() */
+
+/* }}} */
+
+/* {{{ mp_tovalue(ch, r) */
+
+int    mp_tovalue(char ch, int r)
+{
+  return s_mp_tovalue(ch, r);
+
+} /* end mp_tovalue() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ mp_strerror(ec) */
+
+/*
+  mp_strerror(ec)
+
+  Return a string describing the meaning of error code 'ec'.  The
+  string returned is allocated in static memory, so the caller should
+  not attempt to modify or free the memory associated with this
+  string.
+ */
+const char  *mp_strerror(mp_err ec)
+{
+  int   aec = (ec < 0) ? -ec : ec;
+
+  /* Code values are negative, so the senses of these comparisons
+     are accurate */
+  if(ec < MP_LAST_CODE || ec > MP_OKAY) {
+    return mp_err_string[0];  /* unknown error code */
+  } else {
+    return mp_err_string[aec + 1];
+  }
+
+} /* end mp_strerror() */
+
+/* }}} */
+
+/*========================================================================*/
+/*------------------------------------------------------------------------*/
+/* Static function definitions (internal use only)                        */
+
+/* {{{ Memory management */
+
+/* {{{ s_mp_grow(mp, min) */
+
+/* Make sure there are at least 'min' digits allocated to mp              */
+mp_err   s_mp_grow(mp_int *mp, mp_size min)
+{
+  if(min > ALLOC(mp)) {
+    mp_digit   *tmp;
+
+    /* Set min to next nearest default precision block size */
+    min = MP_ROUNDUP(min, s_mp_defprec);
+
+    if((tmp = s_mp_alloc(min, sizeof(mp_digit))) == NULL)
+      return MP_MEM;
+
+    s_mp_copy(DIGITS(mp), tmp, USED(mp));
+
+#if MP_CRYPTO
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+#endif
+    s_mp_free(DIGITS(mp));
+    DIGITS(mp) = tmp;
+    ALLOC(mp) = min;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_grow() */
+
+/* }}} */
+
+/* {{{ s_mp_pad(mp, min) */
+
+/* Make sure the used size of mp is at least 'min', growing if needed     */
+mp_err   s_mp_pad(mp_int *mp, mp_size min)
+{
+  if(min > USED(mp)) {
+    mp_err  res;
+
+    /* Make sure there is room to increase precision  */
+    if (min > ALLOC(mp)) {
+      if ((res = s_mp_grow(mp, min)) != MP_OKAY)
+	return res;
+    } else {
+      s_mp_setz(DIGITS(mp) + USED(mp), min - USED(mp));
+    }
+
+    /* Increase precision; should already be 0-filled */
+    USED(mp) = min;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_pad() */
+
+/* }}} */
+
+/* {{{ s_mp_setz(dp, count) */
+
+#if MP_MACRO == 0
+/* Set 'count' digits pointed to by dp to be zeroes                       */
+void s_mp_setz(mp_digit *dp, mp_size count)
+{
+#if MP_MEMSET == 0
+  int  ix;
+
+  for(ix = 0; ix < count; ix++)
+    dp[ix] = 0;
+#else
+  memset(dp, 0, count * sizeof(mp_digit));
+#endif
+
+} /* end s_mp_setz() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_copy(sp, dp, count) */
+
+#if MP_MACRO == 0
+/* Copy 'count' digits from sp to dp                                      */
+void s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count)
+{
+#if MP_MEMCPY == 0
+  int  ix;
+
+  for(ix = 0; ix < count; ix++)
+    dp[ix] = sp[ix];
+#else
+  memcpy(dp, sp, count * sizeof(mp_digit));
+#endif
+
+} /* end s_mp_copy() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_alloc(nb, ni) */
+
+#if MP_MACRO == 0
+/* Allocate ni records of nb bytes each, and return a pointer to that     */
+void    *s_mp_alloc(size_t nb, size_t ni)
+{
+  ++mp_allocs;
+  return calloc(nb, ni);
+
+} /* end s_mp_alloc() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_free(ptr) */
+
+#if MP_MACRO == 0
+/* Free the memory pointed to by ptr                                      */
+void     s_mp_free(void *ptr)
+{
+  if(ptr) {
+    ++mp_frees;
+    free(ptr);
+  }
+} /* end s_mp_free() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_clamp(mp) */
+
+#if MP_MACRO == 0
+/* Remove leading zeroes from the given value                             */
+void     s_mp_clamp(mp_int *mp)
+{
+  mp_size used = MP_USED(mp);
+  while (used > 1 && DIGIT(mp, used - 1) == 0)
+    --used;
+  MP_USED(mp) = used;
+} /* end s_mp_clamp() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_exch(a, b) */
+
+/* Exchange the data for a and b; (b, a) = (a, b)                         */
+void     s_mp_exch(mp_int *a, mp_int *b)
+{
+  mp_int   tmp;
+
+  tmp = *a;
+  *a = *b;
+  *b = tmp;
+
+} /* end s_mp_exch() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Arithmetic helpers */
+
+/* {{{ s_mp_lshd(mp, p) */
+
+/* 
+   Shift mp leftward by p digits, growing if needed, and zero-filling
+   the in-shifted digits at the right end.  This is a convenient
+   alternative to multiplication by powers of the radix
+   The value of USED(mp) must already have been set to the value for
+   the shifted result.
+ */   
+
+mp_err   s_mp_lshd(mp_int *mp, mp_size p)
+{
+  mp_err  res;
+  mp_size pos;
+  int     ix;
+
+  if(p == 0)
+    return MP_OKAY;
+
+  if (MP_USED(mp) == 1 && MP_DIGIT(mp, 0) == 0)
+    return MP_OKAY;
+
+  if((res = s_mp_pad(mp, USED(mp) + p)) != MP_OKAY)
+    return res;
+
+  pos = USED(mp) - 1;
+
+  /* Shift all the significant figures over as needed */
+  for(ix = pos - p; ix >= 0; ix--) 
+    DIGIT(mp, ix + p) = DIGIT(mp, ix);
+
+  /* Fill the bottom digits with zeroes */
+  for(ix = 0; ix < p; ix++)
+    DIGIT(mp, ix) = 0;
+
+  return MP_OKAY;
+
+} /* end s_mp_lshd() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_2d(mp, d) */
+
+/*
+  Multiply the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise shift of the value.
+ */
+mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d)
+{
+  mp_err   res;
+  mp_digit dshift, bshift;
+  mp_digit mask;
+
+  ARGCHK(mp != NULL,  MP_BADARG);
+
+  dshift = d / MP_DIGIT_BIT;
+  bshift = d % MP_DIGIT_BIT;
+  /* bits to be shifted out of the top word */
+  mask   = ((mp_digit)~0 << (MP_DIGIT_BIT - bshift)); 
+  mask  &= MP_DIGIT(mp, MP_USED(mp) - 1);
+
+  if (MP_OKAY != (res = s_mp_pad(mp, MP_USED(mp) + dshift + (mask != 0) )))
+    return res;
+
+  if (dshift && MP_OKAY != (res = s_mp_lshd(mp, dshift)))
+    return res;
+
+  if (bshift) { 
+    mp_digit *pa = MP_DIGITS(mp);
+    mp_digit *alim = pa + MP_USED(mp);
+    mp_digit  prev = 0;
+
+    for (pa += dshift; pa < alim; ) {
+      mp_digit x = *pa;
+      *pa++ = (x << bshift) | prev;
+      prev = x >> (DIGIT_BIT - bshift);
+    }
+  }
+
+  s_mp_clamp(mp);
+  return MP_OKAY;
+} /* end s_mp_mul_2d() */
+
+/* {{{ s_mp_rshd(mp, p) */
+
+/* 
+   Shift mp rightward by p digits.  Maintains the invariant that
+   digits above the precision are all zero.  Digits shifted off the
+   end are lost.  Cannot fail.
+ */
+
+void     s_mp_rshd(mp_int *mp, mp_size p)
+{
+  mp_size  ix;
+  mp_digit *src, *dst;
+
+  if(p == 0)
+    return;
+
+  /* Shortcut when all digits are to be shifted off */
+  if(p >= USED(mp)) {
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+    USED(mp) = 1;
+    SIGN(mp) = ZPOS;
+    return;
+  }
+
+  /* Shift all the significant figures over as needed */
+  dst = MP_DIGITS(mp);
+  src = dst + p;
+  for (ix = USED(mp) - p; ix > 0; ix--)
+    *dst++ = *src++;
+
+  MP_USED(mp) -= p;
+  /* Fill the top digits with zeroes */
+  while (p-- > 0)
+    *dst++ = 0;
+
+#if 0
+  /* Strip off any leading zeroes    */
+  s_mp_clamp(mp);
+#endif
+
+} /* end s_mp_rshd() */
+
+/* }}} */
+
+/* {{{ s_mp_div_2(mp) */
+
+/* Divide by two -- take advantage of radix properties to do it fast      */
+void     s_mp_div_2(mp_int *mp)
+{
+  s_mp_div_2d(mp, 1);
+
+} /* end s_mp_div_2() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_2(mp) */
+
+mp_err s_mp_mul_2(mp_int *mp)
+{
+  mp_digit *pd;
+  int      ix, used;
+  mp_digit kin = 0;
+
+  /* Shift digits leftward by 1 bit */
+  used = MP_USED(mp);
+  pd = MP_DIGITS(mp);
+  for (ix = 0; ix < used; ix++) {
+    mp_digit d = *pd;
+    *pd++ = (d << 1) | kin;
+    kin = (d >> (DIGIT_BIT - 1));
+  }
+
+  /* Deal with rollover from last digit */
+  if (kin) {
+    if (ix >= ALLOC(mp)) {
+      mp_err res;
+      if((res = s_mp_grow(mp, ALLOC(mp) + 1)) != MP_OKAY)
+	return res;
+    }
+
+    DIGIT(mp, ix) = kin;
+    USED(mp) += 1;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_mul_2() */
+
+/* }}} */
+
+/* {{{ s_mp_mod_2d(mp, d) */
+
+/*
+  Remainder the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise AND of the value, and does not require the full
+  division code
+ */
+void     s_mp_mod_2d(mp_int *mp, mp_digit d)
+{
+  mp_size  ndig = (d / DIGIT_BIT), nbit = (d % DIGIT_BIT);
+  mp_size  ix;
+  mp_digit dmask;
+
+  if(ndig >= USED(mp))
+    return;
+
+  /* Flush all the bits above 2^d in its digit */
+  dmask = ((mp_digit)1 << nbit) - 1;
+  DIGIT(mp, ndig) &= dmask;
+
+  /* Flush all digits above the one with 2^d in it */
+  for(ix = ndig + 1; ix < USED(mp); ix++)
+    DIGIT(mp, ix) = 0;
+
+  s_mp_clamp(mp);
+
+} /* end s_mp_mod_2d() */
+
+/* }}} */
+
+/* {{{ s_mp_div_2d(mp, d) */
+
+/*
+  Divide the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise shift of the value, and does not require the
+  full division code (used in Barrett reduction, see below)
+ */
+void     s_mp_div_2d(mp_int *mp, mp_digit d)
+{
+  int       ix;
+  mp_digit  save, next, mask;
+
+  s_mp_rshd(mp, d / DIGIT_BIT);
+  d %= DIGIT_BIT;
+  if (d) {
+    mask = ((mp_digit)1 << d) - 1;
+    save = 0;
+    for(ix = USED(mp) - 1; ix >= 0; ix--) {
+      next = DIGIT(mp, ix) & mask;
+      DIGIT(mp, ix) = (DIGIT(mp, ix) >> d) | (save << (DIGIT_BIT - d));
+      save = next;
+    }
+  }
+  s_mp_clamp(mp);
+
+} /* end s_mp_div_2d() */
+
+/* }}} */
+
+/* {{{ s_mp_norm(a, b, *d) */
+
+/*
+  s_mp_norm(a, b, *d)
+
+  Normalize a and b for division, where b is the divisor.  In order
+  that we might make good guesses for quotient digits, we want the
+  leading digit of b to be at least half the radix, which we
+  accomplish by multiplying a and b by a power of 2.  The exponent 
+  (shift count) is placed in *pd, so that the remainder can be shifted 
+  back at the end of the division process.
+ */
+
+mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd)
+{
+  mp_digit  d;
+  mp_digit  mask;
+  mp_digit  b_msd;
+  mp_err    res    = MP_OKAY;
+
+  d = 0;
+  mask  = DIGIT_MAX & ~(DIGIT_MAX >> 1);	/* mask is msb of digit */
+  b_msd = DIGIT(b, USED(b) - 1);
+  while (!(b_msd & mask)) {
+    b_msd <<= 1;
+    ++d;
+  }
+
+  if (d) {
+    MP_CHECKOK( s_mp_mul_2d(a, d) );
+    MP_CHECKOK( s_mp_mul_2d(b, d) );
+  }
+
+  *pd = d;
+CLEANUP:
+  return res;
+
+} /* end s_mp_norm() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive digit arithmetic */
+
+/* {{{ s_mp_add_d(mp, d) */
+
+/* Add d to |mp| in place                                                 */
+mp_err   s_mp_add_d(mp_int *mp, mp_digit d)    /* unsigned digit addition */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w, k = 0;
+  mp_size   ix = 1;
+
+  w = (mp_word)DIGIT(mp, 0) + d;
+  DIGIT(mp, 0) = ACCUM(w);
+  k = CARRYOUT(w);
+
+  while(ix < USED(mp) && k) {
+    w = (mp_word)DIGIT(mp, ix) + k;
+    DIGIT(mp, ix) = ACCUM(w);
+    k = CARRYOUT(w);
+    ++ix;
+  }
+
+  if(k != 0) {
+    mp_err  res;
+
+    if((res = s_mp_pad(mp, USED(mp) + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(mp, ix) = (mp_digit)k;
+  }
+
+  return MP_OKAY;
+#else
+  mp_digit * pmp = MP_DIGITS(mp);
+  mp_digit sum, mp_i, carry = 0;
+  mp_err   res = MP_OKAY;
+  int used = (int)MP_USED(mp);
+
+  mp_i = *pmp;
+  *pmp++ = sum = d + mp_i;
+  carry = (sum < d);
+  while (carry && --used > 0) {
+    mp_i = *pmp;
+    *pmp++ = sum = carry + mp_i;
+    carry = !sum;
+  }
+  if (carry && !used) {
+    /* mp is growing */
+    used = MP_USED(mp);
+    MP_CHECKOK( s_mp_pad(mp, used + 1) );
+    MP_DIGIT(mp, used) = carry;
+  }
+CLEANUP:
+  return res;
+#endif
+} /* end s_mp_add_d() */
+
+/* }}} */
+
+/* {{{ s_mp_sub_d(mp, d) */
+
+/* Subtract d from |mp| in place, assumes |mp| > d                        */
+mp_err   s_mp_sub_d(mp_int *mp, mp_digit d)    /* unsigned digit subtract */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_word   w, b = 0;
+  mp_size   ix = 1;
+
+  /* Compute initial subtraction    */
+  w = (RADIX + (mp_word)DIGIT(mp, 0)) - d;
+  b = CARRYOUT(w) ? 0 : 1;
+  DIGIT(mp, 0) = ACCUM(w);
+
+  /* Propagate borrows leftward     */
+  while(b && ix < USED(mp)) {
+    w = (RADIX + (mp_word)DIGIT(mp, ix)) - b;
+    b = CARRYOUT(w) ? 0 : 1;
+    DIGIT(mp, ix) = ACCUM(w);
+    ++ix;
+  }
+
+  /* Remove leading zeroes          */
+  s_mp_clamp(mp);
+
+  /* If we have a borrow out, it's a violation of the input invariant */
+  if(b)
+    return MP_RANGE;
+  else
+    return MP_OKAY;
+#else
+  mp_digit *pmp = MP_DIGITS(mp);
+  mp_digit mp_i, diff, borrow;
+  mp_size  used = MP_USED(mp);
+
+  mp_i = *pmp;
+  *pmp++ = diff = mp_i - d;
+  borrow = (diff > mp_i);
+  while (borrow && --used) {
+    mp_i = *pmp;
+    *pmp++ = diff = mp_i - borrow;
+    borrow = (diff > mp_i);
+  }
+  s_mp_clamp(mp);
+  return (borrow && !used) ? MP_RANGE : MP_OKAY;
+#endif
+} /* end s_mp_sub_d() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_d(a, d) */
+
+/* Compute a = a * d, single digit multiplication                         */
+mp_err   s_mp_mul_d(mp_int *a, mp_digit d)
+{
+  mp_err  res;
+  mp_size used;
+  int     pow;
+
+  if (!d) {
+    mp_zero(a);
+    return MP_OKAY;
+  }
+  if (d == 1)
+    return MP_OKAY;
+  if (0 <= (pow = s_mp_ispow2d(d))) {
+    return s_mp_mul_2d(a, (mp_digit)pow);
+  }
+
+  used = MP_USED(a);
+  MP_CHECKOK( s_mp_pad(a, used + 1) );
+
+  s_mpv_mul_d(MP_DIGITS(a), used, d, MP_DIGITS(a));
+
+  s_mp_clamp(a);
+
+CLEANUP:
+  return res;
+  
+} /* end s_mp_mul_d() */
+
+/* }}} */
+
+/* {{{ s_mp_div_d(mp, d, r) */
+
+/*
+  s_mp_div_d(mp, d, r)
+
+  Compute the quotient mp = mp / d and remainder r = mp mod d, for a
+  single digit d.  If r is null, the remainder will be discarded.
+ */
+
+mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  mp_word   w = 0, q;
+#else
+  mp_digit  w, q;
+#endif
+  int       ix;
+  mp_err    res;
+  mp_int    quot;
+  mp_int    rem;
+
+  if(d == 0)
+    return MP_RANGE;
+  if (d == 1) {
+    if (r)
+      *r = 0;
+    return MP_OKAY;
+  }
+  /* could check for power of 2 here, but mp_div_d does that. */
+  if (MP_USED(mp) == 1) {
+    mp_digit n   = MP_DIGIT(mp,0);
+    mp_digit rem;
+
+    q   = n / d;
+    rem = n % d;
+    MP_DIGIT(mp,0) = q;
+    if (r)
+      *r = rem;
+    return MP_OKAY;
+  }
+
+  MP_DIGITS(&rem)  = 0;
+  MP_DIGITS(&quot) = 0;
+  /* Make room for the quotient */
+  MP_CHECKOK( mp_init_size(&quot, USED(mp)) );
+
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    w = (w << DIGIT_BIT) | DIGIT(mp, ix);
+
+    if(w >= d) {
+      q = w / d;
+      w = w % d;
+    } else {
+      q = 0;
+    }
+
+    s_mp_lshd(&quot, 1);
+    DIGIT(&quot, 0) = (mp_digit)q;
+  }
+#else
+  {
+    mp_digit p;
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    mp_digit norm;
+#endif
+
+    MP_CHECKOK( mp_init_copy(&rem, mp) );
+
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    MP_DIGIT(&quot, 0) = d;
+    MP_CHECKOK( s_mp_norm(&rem, &quot, &norm) );
+    if (norm)
+      d <<= norm;
+    MP_DIGIT(&quot, 0) = 0;
+#endif
+
+    p = 0;
+    for (ix = USED(&rem) - 1; ix >= 0; ix--) {
+      w = DIGIT(&rem, ix);
+
+      if (p) {
+        MP_CHECKOK( s_mpv_div_2dx1d(p, w, d, &q, &w) );
+      } else if (w >= d) {
+	q = w / d;
+	w = w % d;
+      } else {
+	q = 0;
+      }
+
+      MP_CHECKOK( s_mp_lshd(&quot, 1) );
+      DIGIT(&quot, 0) = q;
+      p = w;
+    }
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    if (norm)
+      w >>= norm;
+#endif
+  }
+#endif
+
+  /* Deliver the remainder, if desired */
+  if(r)
+    *r = (mp_digit)w;
+
+  s_mp_clamp(&quot);
+  mp_exch(&quot, mp);
+CLEANUP:
+  mp_clear(&quot);
+  mp_clear(&rem);
+
+  return res;
+} /* end s_mp_div_d() */
+
+/* }}} */
+
+
+/* }}} */
+
+/* {{{ Primitive full arithmetic */
+
+/* {{{ s_mp_add(a, b) */
+
+/* Compute a = |a| + |b|                                                  */
+mp_err   s_mp_add(mp_int *a, const mp_int *b)  /* magnitude addition      */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w = 0;
+#else
+  mp_digit  d, sum, carry = 0;
+#endif
+  mp_digit *pa, *pb;
+  mp_size   ix;
+  mp_size   used;
+  mp_err    res;
+
+  /* Make sure a has enough precision for the output value */
+  if((USED(b) > USED(a)) && (res = s_mp_pad(a, USED(b))) != MP_OKAY)
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    padding step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  used = MP_USED(b);
+  for(ix = 0; ix < used; ix++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa + *pb++;
+    *pa++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    d = *pa;
+    sum = d + *pb++;
+    d = (sum < d);			/* detect overflow */
+    *pa++ = sum += carry;
+    carry = d + (sum < carry);		/* detect overflow */
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+  used = MP_USED(a);
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  while (w && ix < used) {
+    w = w + *pa;
+    *pa++ = ACCUM(w);
+    w = CARRYOUT(w);
+    ++ix;
+  }
+#else
+  while (carry && ix < used) {
+    sum = carry + *pa;
+    *pa++ = sum;
+    carry = !sum;
+    ++ix;
+  }
+#endif
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if (w) {
+    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, ix) = (mp_digit)w;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, used) = carry;
+  }
+#endif
+
+  return MP_OKAY;
+} /* end s_mp_add() */
+
+/* }}} */
+
+/* Compute c = |a| + |b|         */ /* magnitude addition      */
+mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
+{
+  mp_digit *pa, *pb, *pc;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w = 0;
+#else
+  mp_digit  sum, carry = 0, d;
+#endif
+  mp_size   ix;
+  mp_size   used;
+  mp_err    res;
+
+  MP_SIGN(c) = MP_SIGN(a);
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = a;
+    a = b;
+    b = xch;
+  }
+
+  /* Make sure a has enough precision for the output value */
+  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    exchange step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  pc = MP_DIGITS(c);
+  used = MP_USED(b);
+  for (ix = 0; ix < used; ix++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa++ + *pb++;
+    *pc++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    d = *pa++;
+    sum = d + *pb++;
+    d = (sum < d);			/* detect overflow */
+    *pc++ = sum += carry;
+    carry = d + (sum < carry);		/* detect overflow */
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+  for (used = MP_USED(a); ix < used; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa++;
+    *pc++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    *pc++ = sum = carry + *pa++;
+    carry = (sum < carry);
+#endif
+  }
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if (w) {
+    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(c, used) = (mp_digit)w;
+    ++used;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(c, used) = carry;
+    ++used;
+  }
+#endif
+  MP_USED(c) = used;
+  return MP_OKAY;
+}
+/* {{{ s_mp_add_offset(a, b, offset) */
+
+/* Compute a = |a| + ( |b| * (RADIX ** offset) )             */
+mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset)   
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w, k = 0;
+#else
+  mp_digit  d, sum, carry = 0;
+#endif
+  mp_size   ib;
+  mp_size   ia;
+  mp_size   lim;
+  mp_err    res;
+
+  /* Make sure a has enough precision for the output value */
+  lim = MP_USED(b) + offset;
+  if((lim > USED(a)) && (res = s_mp_pad(a, lim)) != MP_OKAY)
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    padding step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  lim = USED(b);
+  for(ib = 0, ia = offset; ib < lim; ib++, ia++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = (mp_word)DIGIT(a, ia) + DIGIT(b, ib) + k;
+    DIGIT(a, ia) = ACCUM(w);
+    k = CARRYOUT(w);
+#else
+    d = MP_DIGIT(a, ia);
+    sum = d + MP_DIGIT(b, ib);
+    d = (sum < d);
+    MP_DIGIT(a,ia) = sum += carry;
+    carry = d + (sum < carry);
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  for (lim = MP_USED(a); k && (ia < lim); ++ia) {
+    w = (mp_word)DIGIT(a, ia) + k;
+    DIGIT(a, ia) = ACCUM(w);
+    k = CARRYOUT(w);
+  }
+#else
+  for (lim = MP_USED(a); carry && (ia < lim); ++ia) {
+    d = MP_DIGIT(a, ia);
+    MP_DIGIT(a,ia) = sum = d + carry;
+    carry = (sum < d);
+  }
+#endif
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if(k) {
+    if((res = s_mp_pad(a, USED(a) + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, ia) = (mp_digit)k;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(a, lim + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, lim) = carry;
+  }
+#endif
+  s_mp_clamp(a);
+
+  return MP_OKAY;
+
+} /* end s_mp_add_offset() */
+
+/* }}} */
+
+/* {{{ s_mp_sub(a, b) */
+
+/* Compute a = |a| - |b|, assumes |a| >= |b|                              */
+mp_err   s_mp_sub(mp_int *a, const mp_int *b)  /* magnitude subtract      */
+{
+  mp_digit *pa, *pb, *limit;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_sword  w = 0;
+#else
+  mp_digit  d, diff, borrow = 0;
+#endif
+
+  /*
+    Subtract and propagate borrow.  Up to the precision of b, this
+    accounts for the digits of b; after that, we just make sure the
+    carries get to the right place.  This saves having to pad b out to
+    the precision of a just to make the loops work right...
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  limit = pb + MP_USED(b);
+  while (pb < limit) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa - *pb++;
+    *pa++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa;
+    diff = d - *pb++;
+    d = (diff > d);				/* detect borrow */
+    if (borrow && --diff == MP_DIGIT_MAX)
+      ++d;
+    *pa++ = diff;
+    borrow = d;	
+#endif
+  }
+  limit = MP_DIGITS(a) + MP_USED(a);
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  while (w && pa < limit) {
+    w = w + *pa;
+    *pa++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+  }
+#else
+  while (borrow && pa < limit) {
+    d = *pa;
+    *pa++ = diff = d - borrow;
+    borrow = (diff > d);
+  }
+#endif
+
+  /* Clobber any leading zeroes we created    */
+  s_mp_clamp(a);
+
+  /* 
+     If there was a borrow out, then |b| > |a| in violation
+     of our input invariant.  We've already done the work,
+     but we'll at least complain about it...
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  return w ? MP_RANGE : MP_OKAY;
+#else
+  return borrow ? MP_RANGE : MP_OKAY;
+#endif
+} /* end s_mp_sub() */
+
+/* }}} */
+
+/* Compute c = |a| - |b|, assumes |a| >= |b| */ /* magnitude subtract      */
+mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
+{
+  mp_digit *pa, *pb, *pc;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_sword  w = 0;
+#else
+  mp_digit  d, diff, borrow = 0;
+#endif
+  int       ix, limit;
+  mp_err    res;
+
+  MP_SIGN(c) = MP_SIGN(a);
+
+  /* Make sure a has enough precision for the output value */
+  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
+    return res;
+
+  /*
+    Subtract and propagate borrow.  Up to the precision of b, this
+    accounts for the digits of b; after that, we just make sure the
+    carries get to the right place.  This saves having to pad b out to
+    the precision of a just to make the loops work right...
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  pc = MP_DIGITS(c);
+  limit = MP_USED(b);
+  for (ix = 0; ix < limit; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa++ - *pb++;
+    *pc++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa++;
+    diff = d - *pb++;
+    d = (diff > d);
+    if (borrow && --diff == MP_DIGIT_MAX)
+      ++d;
+    *pc++ = diff;
+    borrow = d;
+#endif
+  }
+  for (limit = MP_USED(a); ix < limit; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa++;
+    *pc++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa++;
+    *pc++ = diff = d - borrow;
+    borrow = (diff > d);
+#endif
+  }
+
+  /* Clobber any leading zeroes we created    */
+  MP_USED(c) = ix;
+  s_mp_clamp(c);
+
+  /* 
+     If there was a borrow out, then |b| > |a| in violation
+     of our input invariant.  We've already done the work,
+     but we'll at least complain about it...
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  return w ? MP_RANGE : MP_OKAY;
+#else
+  return borrow ? MP_RANGE : MP_OKAY;
+#endif
+}
+/* {{{ s_mp_mul(a, b) */
+
+/* Compute a = |a| * |b|                                                  */
+mp_err   s_mp_mul(mp_int *a, const mp_int *b)
+{
+  return mp_mul(a, b, a);
+} /* end s_mp_mul() */
+
+/* }}} */
+
+#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { unsigned long long product = (unsigned long long)a * b; \
+    Plo = (mp_digit)product; \
+    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
+#elif defined(OSF1)
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { Plo = asm ("mulq %a0, %a1, %v0", a, b);\
+    Phi = asm ("umulh %a0, %a1, %v0", a, b); }
+#else
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { mp_digit a0b1, a1b0; \
+    Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
+    Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
+    a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
+    a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
+    a1b0 += a0b1; \
+    Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
+    if (a1b0 < a0b1)  \
+      Phi += MP_HALF_RADIX; \
+    a1b0 <<= MP_HALF_DIGIT_BIT; \
+    Plo += a1b0; \
+    if (Plo < a1b0) \
+      ++Phi; \
+  }
+#endif
+
+#if !defined(MP_ASSEMBLY_MULTIPLY)
+/* c = a * b */
+void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* c += a * b */
+void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
+			      mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+
+  while (d) {
+    mp_word w = (mp_word)*c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+#endif
+}
+#endif
+
+#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_SQR_D(a, Phi, Plo) \
+  { unsigned long long square = (unsigned long long)a * a; \
+    Plo = (mp_digit)square; \
+    Phi = (mp_digit)(square >> MP_DIGIT_BIT); }
+#elif defined(OSF1)
+#define MP_SQR_D(a, Phi, Plo) \
+  { Plo = asm ("mulq  %a0, %a0, %v0", a);\
+    Phi = asm ("umulh %a0, %a0, %v0", a); }
+#else
+#define MP_SQR_D(a, Phi, Plo) \
+  { mp_digit Pmid; \
+    Plo  = (a  & MP_HALF_DIGIT_MAX) * (a  & MP_HALF_DIGIT_MAX); \
+    Phi  = (a >> MP_HALF_DIGIT_BIT) * (a >> MP_HALF_DIGIT_BIT); \
+    Pmid = (a  & MP_HALF_DIGIT_MAX) * (a >> MP_HALF_DIGIT_BIT); \
+    Phi += Pmid >> (MP_HALF_DIGIT_BIT - 1);  \
+    Pmid <<= (MP_HALF_DIGIT_BIT + 1);  \
+    Plo += Pmid;  \
+    if (Plo < Pmid)  \
+      ++Phi;  \
+  }
+#endif
+
+#if !defined(MP_ASSEMBLY_SQUARE)
+/* Add the squares of the digits of a to the digits of b. */
+void s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_word  w;
+  mp_digit d;
+  mp_size  ix;
+
+  w  = 0;
+#define ADD_SQUARE(n) \
+    d = pa[n]; \
+    w += (d * (mp_word)d) + ps[2*n]; \
+    ps[2*n] = ACCUM(w); \
+    w = (w >> DIGIT_BIT) + ps[2*n+1]; \
+    ps[2*n+1] = ACCUM(w); \
+    w = (w >> DIGIT_BIT)
+
+  for (ix = a_len; ix >= 4; ix -= 4) {
+    ADD_SQUARE(0);
+    ADD_SQUARE(1);
+    ADD_SQUARE(2);
+    ADD_SQUARE(3);
+    pa += 4;
+    ps += 8;
+  }
+  if (ix) {
+    ps += 2*ix;
+    pa += ix;
+    switch (ix) {
+    case 3: ADD_SQUARE(-3); /* FALLTHRU */
+    case 2: ADD_SQUARE(-2); /* FALLTHRU */
+    case 1: ADD_SQUARE(-1); /* FALLTHRU */
+    case 0: break;
+    }
+  }
+  while (w) {
+    w += *ps;
+    *ps++ = ACCUM(w);
+    w = (w >> DIGIT_BIT);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *pa++;
+    mp_digit a0a0, a1a1;
+
+    MP_SQR_D(a_i, a1a1, a0a0);
+
+    /* here a1a1 and a0a0 constitute a_i ** 2 */
+    a0a0 += carry;
+    if (a0a0 < carry)
+      ++a1a1;
+
+    /* now add to ps */
+    a0a0 += a_i = *ps;
+    if (a0a0 < a_i)
+      ++a1a1;
+    *ps++ = a0a0;
+    a1a1 += a_i = *ps;
+    carry = (a1a1 < a_i);
+    *ps++ = a1a1;
+  }
+  while (carry) {
+    mp_digit s_i = *ps;
+    carry += s_i;
+    *ps++ = carry;
+    carry = carry < s_i;
+  }
+#endif
+}
+#endif
+
+#if (defined(MP_NO_MP_WORD) || defined(MP_NO_DIV_WORD)) \
+&& !defined(MP_ASSEMBLY_DIV_2DX1D)
+/*
+** Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized 
+** so its high bit is 1.   This code is from NSPR.
+*/
+mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor, 
+		       mp_digit *qp, mp_digit *rp)
+{
+    mp_digit d1, d0, q1, q0;
+    mp_digit r1, r0, m;
+
+    d1 = divisor >> MP_HALF_DIGIT_BIT;
+    d0 = divisor & MP_HALF_DIGIT_MAX;
+    r1 = Nhi % d1;
+    q1 = Nhi / d1;
+    m = q1 * d0;
+    r1 = (r1 << MP_HALF_DIGIT_BIT) | (Nlo >> MP_HALF_DIGIT_BIT);
+    if (r1 < m) {
+        q1--, r1 += divisor;
+        if (r1 >= divisor && r1 < m) {
+	    q1--, r1 += divisor;
+	}
+    }
+    r1 -= m;
+    r0 = r1 % d1;
+    q0 = r1 / d1;
+    m = q0 * d0;
+    r0 = (r0 << MP_HALF_DIGIT_BIT) | (Nlo & MP_HALF_DIGIT_MAX);
+    if (r0 < m) {
+        q0--, r0 += divisor;
+        if (r0 >= divisor && r0 < m) {
+	    q0--, r0 += divisor;
+	}
+    }
+    if (qp)
+	*qp = (q1 << MP_HALF_DIGIT_BIT) | q0;
+    if (rp)
+	*rp = r0 - m;
+    return MP_OKAY;
+}
+#endif
+
+#if MP_SQUARE
+/* {{{ s_mp_sqr(a) */
+
+mp_err   s_mp_sqr(mp_int *a)
+{
+  mp_err   res;
+  mp_int   tmp;
+
+  if((res = mp_init_size(&tmp, 2 * USED(a))) != MP_OKAY)
+    return res;
+  res = mp_sqr(a, &tmp);
+  if (res == MP_OKAY) {
+    s_mp_exch(&tmp, a);
+  }
+  mp_clear(&tmp);
+  return res;
+}
+
+/* }}} */
+#endif
+
+/* {{{ s_mp_div(a, b) */
+
+/*
+  s_mp_div(a, b)
+
+  Compute a = a / b and b = a mod b.  Assumes b > a.
+ */
+
+mp_err   s_mp_div(mp_int *rem, 	/* i: dividend, o: remainder */
+                  mp_int *div, 	/* i: divisor                */
+		  mp_int *quot)	/* i: 0;        o: quotient  */
+{
+  mp_int   part, t;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  mp_word  q_msd;
+#else
+  mp_digit q_msd;
+#endif
+  mp_err   res;
+  mp_digit d;
+  mp_digit div_msd;
+  int      ix;
+
+  if(mp_cmp_z(div) == 0)
+    return MP_RANGE;
+
+  /* Shortcut if divisor is power of two */
+  if((ix = s_mp_ispow2(div)) >= 0) {
+    MP_CHECKOK( mp_copy(rem, quot) );
+    s_mp_div_2d(quot, (mp_digit)ix);
+    s_mp_mod_2d(rem,  (mp_digit)ix);
+
+    return MP_OKAY;
+  }
+
+  DIGITS(&t) = 0;
+  MP_SIGN(rem) = ZPOS;
+  MP_SIGN(div) = ZPOS;
+
+  /* A working temporary for division     */
+  MP_CHECKOK( mp_init_size(&t, MP_ALLOC(rem)));
+
+  /* Normalize to optimize guessing       */
+  MP_CHECKOK( s_mp_norm(rem, div, &d) );
+
+  part = *rem;
+
+  /* Perform the division itself...woo!   */
+  MP_USED(quot) = MP_ALLOC(quot);
+
+  /* Find a partial substring of rem which is at least div */
+  /* If we didn't find one, we're finished dividing    */
+  while (MP_USED(rem) > MP_USED(div) || s_mp_cmp(rem, div) >= 0) {
+    int i;
+    int unusedRem;
+
+    unusedRem = MP_USED(rem) - MP_USED(div);
+    MP_DIGITS(&part) = MP_DIGITS(rem) + unusedRem;
+    MP_ALLOC(&part)  = MP_ALLOC(rem)  - unusedRem;
+    MP_USED(&part)   = MP_USED(div);
+    if (s_mp_cmp(&part, div) < 0) {
+      -- unusedRem;
+#if MP_ARGCHK == 2
+      assert(unusedRem >= 0);
+#endif
+      -- MP_DIGITS(&part);
+      ++ MP_USED(&part);
+      ++ MP_ALLOC(&part);
+    }
+
+    /* Compute a guess for the next quotient digit       */
+    q_msd = MP_DIGIT(&part, MP_USED(&part) - 1);
+    div_msd = MP_DIGIT(div, MP_USED(div) - 1);
+    if (q_msd >= div_msd) {
+      q_msd = 1;
+    } else if (MP_USED(&part) > 1) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+      q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
+      q_msd /= div_msd;
+      if (q_msd == RADIX)
+        --q_msd;
+#else
+      mp_digit r;
+      MP_CHECKOK( s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2), 
+				  div_msd, &q_msd, &r) );
+#endif
+    } else {
+      q_msd = 0;
+    }
+#if MP_ARGCHK == 2
+    assert(q_msd > 0); /* This case should never occur any more. */
+#endif
+    if (q_msd <= 0)
+      break;
+
+    /* See what that multiplies out to                   */
+    mp_copy(div, &t);
+    MP_CHECKOK( s_mp_mul_d(&t, (mp_digit)q_msd) );
+
+    /* 
+       If it's too big, back it off.  We should not have to do this
+       more than once, or, in rare cases, twice.  Knuth describes a
+       method by which this could be reduced to a maximum of once, but
+       I didn't implement that here.
+     * When using s_mpv_div_2dx1d, we may have to do this 3 times.
+     */
+    for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
+      --q_msd;
+      s_mp_sub(&t, div);	/* t -= div */
+    }
+    if (i < 0) {
+      res = MP_RANGE;
+      goto CLEANUP;
+    }
+
+    /* At this point, q_msd should be the right next digit   */
+    MP_CHECKOK( s_mp_sub(&part, &t) );	/* part -= t */
+    s_mp_clamp(rem);
+
+    /*
+      Include the digit in the quotient.  We allocated enough memory
+      for any quotient we could ever possibly get, so we should not
+      have to check for failures here
+     */
+    MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
+  }
+
+  /* Denormalize remainder                */
+  if (d) {
+    s_mp_div_2d(rem, d);
+  }
+
+  s_mp_clamp(quot);
+
+CLEANUP:
+  mp_clear(&t);
+
+  return res;
+
+} /* end s_mp_div() */
+
+
+/* }}} */
+
+/* {{{ s_mp_2expt(a, k) */
+
+mp_err   s_mp_2expt(mp_int *a, mp_digit k)
+{
+  mp_err    res;
+  mp_size   dig, bit;
+
+  dig = k / DIGIT_BIT;
+  bit = k % DIGIT_BIT;
+
+  mp_zero(a);
+  if((res = s_mp_pad(a, dig + 1)) != MP_OKAY)
+    return res;
+  
+  DIGIT(a, dig) |= ((mp_digit)1 << bit);
+
+  return MP_OKAY;
+
+} /* end s_mp_2expt() */
+
+/* }}} */
+
+/* {{{ s_mp_reduce(x, m, mu) */
+
+/*
+  Compute Barrett reduction, x (mod m), given a precomputed value for
+  mu = b^2k / m, where b = RADIX and k = #digits(m).  This should be
+  faster than straight division, when many reductions by the same
+  value of m are required (such as in modular exponentiation).  This
+  can nearly halve the time required to do modular exponentiation,
+  as compared to using the full integer divide to reduce.
+
+  This algorithm was derived from the _Handbook of Applied
+  Cryptography_ by Menezes, Oorschot and VanStone, Ch. 14,
+  pp. 603-604.  
+ */
+
+mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu)
+{
+  mp_int   q;
+  mp_err   res;
+
+  if((res = mp_init_copy(&q, x)) != MP_OKAY)
+    return res;
+
+  s_mp_rshd(&q, USED(m) - 1);  /* q1 = x / b^(k-1)  */
+  s_mp_mul(&q, mu);            /* q2 = q1 * mu      */
+  s_mp_rshd(&q, USED(m) + 1);  /* q3 = q2 / b^(k+1) */
+
+  /* x = x mod b^(k+1), quick (no division) */
+  s_mp_mod_2d(x, DIGIT_BIT * (USED(m) + 1));
+
+  /* q = q * m mod b^(k+1), quick (no division) */
+  s_mp_mul(&q, m);
+  s_mp_mod_2d(&q, DIGIT_BIT * (USED(m) + 1));
+
+  /* x = x - q */
+  if((res = mp_sub(x, &q, x)) != MP_OKAY)
+    goto CLEANUP;
+
+  /* If x < 0, add b^(k+1) to it */
+  if(mp_cmp_z(x) < 0) {
+    mp_set(&q, 1);
+    if((res = s_mp_lshd(&q, USED(m) + 1)) != MP_OKAY)
+      goto CLEANUP;
+    if((res = mp_add(x, &q, x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  /* Back off if it's too big */
+  while(mp_cmp(x, m) >= 0) {
+    if((res = s_mp_sub(x, m)) != MP_OKAY)
+      break;
+  }
+
+ CLEANUP:
+  mp_clear(&q);
+
+  return res;
+
+} /* end s_mp_reduce() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive comparisons */
+
+/* {{{ s_mp_cmp(a, b) */
+
+/* Compare |a| <=> |b|, return 0 if equal, <0 if a<b, >0 if a>b           */
+int      s_mp_cmp(const mp_int *a, const mp_int *b)
+{
+  mp_size used_a = MP_USED(a);
+  {
+    mp_size used_b = MP_USED(b);
+
+    if (used_a > used_b)
+      goto IS_GT;
+    if (used_a < used_b)
+      goto IS_LT;
+  }
+  {
+    mp_digit *pa, *pb;
+    mp_digit da = 0, db = 0;
+
+#define CMP_AB(n) if ((da = pa[n]) != (db = pb[n])) goto done
+
+    pa = MP_DIGITS(a) + used_a;
+    pb = MP_DIGITS(b) + used_a;
+    while (used_a >= 4) {
+      pa     -= 4;
+      pb     -= 4;
+      used_a -= 4;
+      CMP_AB(3);
+      CMP_AB(2);
+      CMP_AB(1);
+      CMP_AB(0);
+    }
+    while (used_a-- > 0 && ((da = *--pa) == (db = *--pb))) 
+      /* do nothing */;
+done:
+    if (da > db)
+      goto IS_GT;
+    if (da < db) 
+      goto IS_LT;
+  }
+  return MP_EQ;
+IS_LT:
+  return MP_LT;
+IS_GT:
+  return MP_GT;
+} /* end s_mp_cmp() */
+
+/* }}} */
+
+/* {{{ s_mp_cmp_d(a, d) */
+
+/* Compare |a| <=> d, return 0 if equal, <0 if a<d, >0 if a>d             */
+int      s_mp_cmp_d(const mp_int *a, mp_digit d)
+{
+  if(USED(a) > 1)
+    return MP_GT;
+
+  if(DIGIT(a, 0) < d)
+    return MP_LT;
+  else if(DIGIT(a, 0) > d)
+    return MP_GT;
+  else
+    return MP_EQ;
+
+} /* end s_mp_cmp_d() */
+
+/* }}} */
+
+/* {{{ s_mp_ispow2(v) */
+
+/*
+  Returns -1 if the value is not a power of two; otherwise, it returns
+  k such that v = 2^k, i.e. lg(v).
+ */
+int      s_mp_ispow2(const mp_int *v)
+{
+  mp_digit d;
+  int      extra = 0, ix;
+
+  ix = MP_USED(v) - 1;
+  d = MP_DIGIT(v, ix); /* most significant digit of v */
+
+  extra = s_mp_ispow2d(d);
+  if (extra < 0 || ix == 0)
+    return extra;
+
+  while (--ix >= 0) {
+    if (DIGIT(v, ix) != 0)
+      return -1; /* not a power of two */
+    extra += MP_DIGIT_BIT;
+  }
+
+  return extra;
+
+} /* end s_mp_ispow2() */
+
+/* }}} */
+
+/* {{{ s_mp_ispow2d(d) */
+
+int      s_mp_ispow2d(mp_digit d)
+{
+  if ((d != 0) && ((d & (d-1)) == 0)) { /* d is a power of 2 */
+    int pow = 0;
+#if defined (MP_USE_UINT_DIGIT)
+    if (d & 0xffff0000U)
+      pow += 16;
+    if (d & 0xff00ff00U)
+      pow += 8;
+    if (d & 0xf0f0f0f0U)
+      pow += 4;
+    if (d & 0xccccccccU)
+      pow += 2;
+    if (d & 0xaaaaaaaaU)
+      pow += 1;
+#elif defined(MP_USE_LONG_LONG_DIGIT)
+    if (d & 0xffffffff00000000ULL)
+      pow += 32;
+    if (d & 0xffff0000ffff0000ULL)
+      pow += 16;
+    if (d & 0xff00ff00ff00ff00ULL)
+      pow += 8;
+    if (d & 0xf0f0f0f0f0f0f0f0ULL)
+      pow += 4;
+    if (d & 0xccccccccccccccccULL)
+      pow += 2;
+    if (d & 0xaaaaaaaaaaaaaaaaULL)
+      pow += 1;
+#elif defined(MP_USE_LONG_DIGIT)
+    if (d & 0xffffffff00000000UL)
+      pow += 32;
+    if (d & 0xffff0000ffff0000UL)
+      pow += 16;
+    if (d & 0xff00ff00ff00ff00UL)
+      pow += 8;
+    if (d & 0xf0f0f0f0f0f0f0f0UL)
+      pow += 4;
+    if (d & 0xccccccccccccccccUL)
+      pow += 2;
+    if (d & 0xaaaaaaaaaaaaaaaaUL)
+      pow += 1;
+#else
+#error "unknown type for mp_digit"
+#endif
+    return pow;
+  }
+  return -1;
+
+} /* end s_mp_ispow2d() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive I/O helpers */
+
+/* {{{ s_mp_tovalue(ch, r) */
+
+/*
+  Convert the given character to its digit value, in the given radix.
+  If the given character is not understood in the given radix, -1 is
+  returned.  Otherwise the digit's numeric value is returned.
+
+  The results will be odd if you use a radix < 2 or > 62, you are
+  expected to know what you're up to.
+ */
+int      s_mp_tovalue(char ch, int r)
+{
+  int    val, xch;
+  
+  if(r > 36)
+    xch = ch;
+  else
+    xch = toupper(ch);
+
+  if(isdigit(xch))
+    val = xch - '0';
+  else if(isupper(xch))
+    val = xch - 'A' + 10;
+  else if(islower(xch))
+    val = xch - 'a' + 36;
+  else if(xch == '+')
+    val = 62;
+  else if(xch == '/')
+    val = 63;
+  else 
+    return -1;
+
+  if(val < 0 || val >= r)
+    return -1;
+
+  return val;
+
+} /* end s_mp_tovalue() */
+
+/* }}} */
+
+/* {{{ s_mp_todigit(val, r, low) */
+
+/*
+  Convert val to a radix-r digit, if possible.  If val is out of range
+  for r, returns zero.  Otherwise, returns an ASCII character denoting
+  the value in the given radix.
+
+  The results may be odd if you use a radix < 2 or > 64, you are
+  expected to know what you're doing.
+ */
+  
+char     s_mp_todigit(mp_digit val, int r, int low)
+{
+  char   ch;
+
+  if(val >= r)
+    return 0;
+
+  ch = s_dmap_1[val];
+
+  if(r <= 36 && low)
+    ch = tolower(ch);
+
+  return ch;
+
+} /* end s_mp_todigit() */
+
+/* }}} */
+
+/* {{{ s_mp_outlen(bits, radix) */
+
+/* 
+   Return an estimate for how long a string is needed to hold a radix
+   r representation of a number with 'bits' significant bits, plus an
+   extra for a zero terminator (assuming C style strings here)
+ */
+int      s_mp_outlen(int bits, int r)
+{
+  return (int)((double)bits * LOG_V_2(r) + 1.5) + 1;
+
+} /* end s_mp_outlen() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ mp_read_unsigned_octets(mp, str, len) */
+/* mp_read_unsigned_octets(mp, str, len)
+   Read in a raw value (base 256) into the given mp_int
+   No sign bit, number is positive.  Leading zeros ignored.
+ */
+
+mp_err  
+mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len)
+{
+  int            count;
+  mp_err         res;
+  mp_digit       d;
+
+  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
+
+  mp_zero(mp);
+
+  count = len % sizeof(mp_digit);
+  if (count) {
+    for (d = 0; count-- > 0; --len) {
+      d = (d << 8) | *str++;
+    }
+    MP_DIGIT(mp, 0) = d;
+  }
+
+  /* Read the rest of the digits */
+  for(; len > 0; len -= sizeof(mp_digit)) {
+    for (d = 0, count = sizeof(mp_digit); count > 0; --count) {
+      d = (d << 8) | *str++;
+    }
+    if (MP_EQ == mp_cmp_z(mp)) {
+      if (!d)
+	continue;
+    } else {
+      if((res = s_mp_lshd(mp, 1)) != MP_OKAY)
+	return res;
+    }
+    MP_DIGIT(mp, 0) = d;
+  }
+  return MP_OKAY;
+} /* end mp_read_unsigned_octets() */
+/* }}} */
+
+/* {{{ mp_unsigned_octet_size(mp) */
+int    
+mp_unsigned_octet_size(const mp_int *mp)
+{
+  int  bytes;
+  int  ix;
+  mp_digit  d = 0;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+  ARGCHK(MP_ZPOS == SIGN(mp), MP_BADARG);
+
+  bytes = (USED(mp) * sizeof(mp_digit));
+
+  /* subtract leading zeros. */
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    d = DIGIT(mp, ix);
+    if (d) 
+	break;
+    bytes -= sizeof(d);
+  }
+  if (!bytes)
+    return 1;
+
+  /* Have MSD, check digit bytes, high order first */
+  for(ix = sizeof(mp_digit) - 1; ix >= 0; ix--) {
+    unsigned char x = (unsigned char)(d >> (ix * CHAR_BIT));
+    if (x) 
+	break;
+    --bytes;
+  }
+  return bytes;
+} /* end mp_unsigned_octet_size() */
+/* }}} */
+
+/* {{{ mp_to_unsigned_octets(mp, str) */
+/* output a buffer of big endian octets no longer than specified. */
+mp_err 
+mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos && !x)	/* suppress leading zeros */
+	continue;
+      str[pos++] = x;
+    }
+  }
+  if (!pos)
+    str[pos++] = 0;
+  return pos;
+} /* end mp_to_unsigned_octets() */
+/* }}} */
+
+/* {{{ mp_to_signed_octets(mp, str) */
+/* output a buffer of big endian octets no longer than specified. */
+mp_err 
+mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos) {
+	if (!x)		/* suppress leading zeros */
+	  continue;
+	if (x & 0x80) { /* add one leading zero to make output positive.  */
+	  ARGCHK(bytes + 1 <= maxlen, MP_BADARG);
+	  if (bytes + 1 > maxlen)
+	    return MP_BADARG;
+	  str[pos++] = 0;
+	}
+      }
+      str[pos++] = x;
+    }
+  }
+  if (!pos)
+    str[pos++] = 0;
+  return pos;
+} /* end mp_to_signed_octets() */
+/* }}} */
+
+/* {{{ mp_to_fixlen_octets(mp, str) */
+/* output a buffer of big endian octets exactly as long as requested. */
+mp_err 
+mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= length, MP_BADARG);
+
+  /* place any needed leading zeros */
+  for (;length > bytes; --length) {
+	*str++ = 0;
+  }
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos && !x)	/* suppress leading zeros */
+	continue;
+      str[pos++] = x;
+    }
+  }
+  if (!pos)
+    str[pos++] = 0;
+  return MP_OKAY;
+} /* end mp_to_fixlen_octets() */
+/* }}} */
+
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
new file mode 100644
index 000000000..788d65205
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -0,0 +1,336 @@
+/*
+ *  mpi.h
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _H_MPI_
+#define _H_MPI_
+
+#include "mpi-config.h"
+
+#if MP_DEBUG
+#undef MP_IOFUNC
+#define MP_IOFUNC 1
+#endif
+
+#if MP_IOFUNC
+#include <stdio.h>
+#include <ctype.h>
+#endif
+
+#include <limits.h>
+
+#if defined(BSDI)
+#undef ULLONG_MAX
+#endif
+
+#if defined( macintosh )
+#include <Types.h>
+#elif defined( _WIN32_WCE)
+/* #include <sys/types.h> What do we need here ?? */
+#else
+#include <sys/types.h>
+#endif
+
+#define  MP_NEG    1
+#define  MP_ZPOS   0
+
+#define  MP_OKAY          0 /* no error, all is well */
+#define  MP_YES           0 /* yes (boolean result)  */
+#define  MP_NO           -1 /* no (boolean result)   */
+#define  MP_MEM          -2 /* out of memory         */
+#define  MP_RANGE        -3 /* argument out of range */
+#define  MP_BADARG       -4 /* invalid parameter     */
+#define  MP_UNDEF        -5 /* answer is undefined   */
+#define  MP_LAST_CODE    MP_UNDEF
+
+typedef unsigned int      mp_sign;
+typedef unsigned int      mp_size;
+typedef int               mp_err;
+
+#define MP_32BIT_MAX 4294967295U
+
+#if !defined(ULONG_MAX) 
+#error "ULONG_MAX not defined"
+#elif !defined(UINT_MAX)
+#error "UINT_MAX not defined"
+#elif !defined(USHRT_MAX)
+#error "USHRT_MAX not defined"
+#endif
+
+#if defined(ULONG_LONG_MAX)			/* GCC, HPUX */
+#define MP_ULONG_LONG_MAX ULONG_LONG_MAX
+#elif defined(ULLONG_MAX)			/* Solaris */
+#define MP_ULONG_LONG_MAX ULLONG_MAX
+/* MP_ULONG_LONG_MAX was defined to be ULLONG_MAX */
+#elif defined(ULONGLONG_MAX)			/* IRIX, AIX */
+#define MP_ULONG_LONG_MAX ULONGLONG_MAX
+#endif
+
+/* We only use unsigned long for mp_digit iff long is more than 32 bits. */
+#if !defined(MP_USE_UINT_DIGIT) && ULONG_MAX > MP_32BIT_MAX
+typedef unsigned long     mp_digit;
+#define MP_DIGIT_MAX      ULONG_MAX
+#define MP_DIGIT_FMT      "%016lX"   /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX UINT_MAX
+#undef  MP_NO_MP_WORD
+#define MP_NO_MP_WORD 1
+#undef  MP_USE_LONG_DIGIT
+#define MP_USE_LONG_DIGIT 1
+#undef  MP_USE_LONG_LONG_DIGIT
+
+#elif !defined(MP_USE_UINT_DIGIT) && defined(MP_ULONG_LONG_MAX) 
+typedef unsigned long long mp_digit;
+#define MP_DIGIT_MAX       MP_ULONG_LONG_MAX
+#define MP_DIGIT_FMT      "%016llX"  /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX  UINT_MAX
+#undef  MP_NO_MP_WORD
+#define MP_NO_MP_WORD 1
+#undef  MP_USE_LONG_LONG_DIGIT
+#define MP_USE_LONG_LONG_DIGIT 1
+#undef  MP_USE_LONG_DIGIT
+
+#else
+typedef unsigned int      mp_digit;
+#define MP_DIGIT_MAX      UINT_MAX
+#define MP_DIGIT_FMT      "%08X"     /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX USHRT_MAX
+#undef  MP_USE_UINT_DIGIT
+#define MP_USE_UINT_DIGIT 1
+#undef  MP_USE_LONG_LONG_DIGIT
+#undef  MP_USE_LONG_DIGIT
+#endif
+
+#if !defined(MP_NO_MP_WORD) 
+#if  defined(MP_USE_UINT_DIGIT) && \
+    (defined(MP_ULONG_LONG_MAX) || (ULONG_MAX > UINT_MAX))
+
+#if (ULONG_MAX > UINT_MAX)
+typedef unsigned long     mp_word;
+typedef          long     mp_sword;
+#define MP_WORD_MAX       ULONG_MAX
+
+#else
+typedef unsigned long long mp_word;
+typedef          long long mp_sword;
+#define MP_WORD_MAX       MP_ULONG_LONG_MAX
+#endif
+
+#else 
+#define MP_NO_MP_WORD 1
+#endif
+#endif /* !defined(MP_NO_MP_WORD) */
+
+#if !defined(MP_WORD_MAX) && defined(MP_DEFINE_SMALL_WORD)
+typedef unsigned int      mp_word;
+typedef          int      mp_sword;
+#define MP_WORD_MAX       UINT_MAX
+#endif
+
+#define MP_DIGIT_BIT      (CHAR_BIT*sizeof(mp_digit))
+#define MP_WORD_BIT       (CHAR_BIT*sizeof(mp_word))
+#define MP_RADIX          (1+(mp_word)MP_DIGIT_MAX)
+
+#define MP_HALF_DIGIT_BIT (MP_DIGIT_BIT/2)
+#define MP_HALF_RADIX     (1+(mp_digit)MP_HALF_DIGIT_MAX)
+/* MP_HALF_RADIX really ought to be called MP_SQRT_RADIX, but it's named 
+** MP_HALF_RADIX because it's the radix for MP_HALF_DIGITs, and it's 
+** consistent with the other _HALF_ names.
+*/
+
+
+/* Macros for accessing the mp_int internals           */
+#define  MP_SIGN(MP)     ((MP)->sign)
+#define  MP_USED(MP)     ((MP)->used)
+#define  MP_ALLOC(MP)    ((MP)->alloc)
+#define  MP_DIGITS(MP)   ((MP)->dp)
+#define  MP_DIGIT(MP,N)  (MP)->dp[(N)]
+
+/* This defines the maximum I/O base (minimum is 2)   */
+#define MP_MAX_RADIX         64
+
+typedef struct {
+  mp_sign       sign;    /* sign of this quantity      */
+  mp_size       alloc;   /* how many digits allocated  */
+  mp_size       used;    /* how many digits used       */
+  mp_digit     *dp;      /* the digits themselves      */
+} mp_int;
+
+/* Default precision       */
+mp_size mp_get_prec(void);
+void    mp_set_prec(mp_size prec);
+
+/* Memory management       */
+mp_err mp_init(mp_int *mp);
+mp_err mp_init_size(mp_int *mp, mp_size prec);
+mp_err mp_init_copy(mp_int *mp, const mp_int *from);
+mp_err mp_copy(const mp_int *from, mp_int *to);
+void   mp_exch(mp_int *mp1, mp_int *mp2);
+void   mp_clear(mp_int *mp);
+void   mp_zero(mp_int *mp);
+void   mp_set(mp_int *mp, mp_digit d);
+mp_err mp_set_int(mp_int *mp, long z);
+#define mp_set_long(mp,z) mp_set_int(mp,z)
+mp_err mp_set_ulong(mp_int *mp, unsigned long z);
+
+/* Single digit arithmetic */
+mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_mul_2(const mp_int *a, mp_int *c);
+mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r);
+mp_err mp_div_2(const mp_int *a, mp_int *c);
+mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c);
+
+/* Sign manipulations      */
+mp_err mp_abs(const mp_int *a, mp_int *b);
+mp_err mp_neg(const mp_int *a, mp_int *b);
+
+/* Full arithmetic         */
+mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
+#if MP_SQUARE
+mp_err mp_sqr(const mp_int *a, mp_int *b);
+#else
+#define mp_sqr(a, b) mp_mul(a, a, b)
+#endif
+mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
+mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
+mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_2expt(mp_int *a, mp_digit k);
+mp_err mp_sqrt(const mp_int *a, mp_int *b);
+
+/* Modular arithmetic      */
+#if MP_MODARITH
+mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c);
+mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c);
+mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+#if MP_SQUARE
+mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
+#else
+#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
+#endif
+mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
+#endif /* MP_MODARITH */
+
+/* Comparisons             */
+int    mp_cmp_z(const mp_int *a);
+int    mp_cmp_d(const mp_int *a, mp_digit d);
+int    mp_cmp(const mp_int *a, const mp_int *b);
+int    mp_cmp_mag(mp_int *a, mp_int *b);
+int    mp_cmp_int(const mp_int *a, long z);
+int    mp_isodd(const mp_int *a);
+int    mp_iseven(const mp_int *a);
+
+/* Number theoretic        */
+#if MP_NUMTH
+mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
+mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
+mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
+#endif /* end MP_NUMTH */
+
+/* Input and output        */
+#if MP_IOFUNC
+void   mp_print(mp_int *mp, FILE *ofp);
+#endif /* end MP_IOFUNC */
+
+/* Base conversion         */
+mp_err mp_read_raw(mp_int *mp, char *str, int len);
+int    mp_raw_size(mp_int *mp);
+mp_err mp_toraw(mp_int *mp, char *str);
+mp_err mp_read_radix(mp_int *mp, const char *str, int radix);
+mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix);
+int    mp_radix_size(mp_int *mp, int radix);
+mp_err mp_toradix(mp_int *mp, char *str, int radix);
+int    mp_tovalue(char ch, int r);
+
+#define mp_tobinary(M, S)  mp_toradix((M), (S), 2)
+#define mp_tooctal(M, S)   mp_toradix((M), (S), 8)
+#define mp_todecimal(M, S) mp_toradix((M), (S), 10)
+#define mp_tohex(M, S)     mp_toradix((M), (S), 16)
+
+/* Error strings           */
+const  char  *mp_strerror(mp_err ec);
+
+/* Octet string conversion functions */
+mp_err mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len);
+int    mp_unsigned_octet_size(const mp_int *mp);
+mp_err mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
+mp_err mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
+mp_err mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size len);
+
+/* Miscellaneous */
+mp_size mp_trailing_zeros(const mp_int *mp);
+
+#define MP_CHECKOK(x)  if (MP_OKAY > (res = (x))) goto CLEANUP
+#define MP_CHECKERR(x) if (MP_OKAY > (res = (x))) goto CLEANUP
+
+#if defined(MP_API_COMPATIBLE)
+#define NEG             MP_NEG
+#define ZPOS            MP_ZPOS
+#define DIGIT_MAX       MP_DIGIT_MAX
+#define DIGIT_BIT       MP_DIGIT_BIT
+#define DIGIT_FMT       MP_DIGIT_FMT
+#define RADIX           MP_RADIX
+#define MAX_RADIX       MP_MAX_RADIX
+#define SIGN(MP)        MP_SIGN(MP)
+#define USED(MP)        MP_USED(MP)
+#define ALLOC(MP)       MP_ALLOC(MP)
+#define DIGITS(MP)      MP_DIGITS(MP)
+#define DIGIT(MP,N)     MP_DIGIT(MP,N)
+
+#if MP_ARGCHK == 1
+#define  ARGCHK(X,Y)  {if(!(X)){return (Y);}}
+#elif MP_ARGCHK == 2
+#include <assert.h>
+#define  ARGCHK(X,Y)  assert(X)
+#else
+#define  ARGCHK(X,Y)  /*  */
+#endif
+#endif /* defined MP_API_COMPATIBLE */
+
+#endif /* end _H_MPI_ */
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64.c b/security/nss/lib/freebl/mpi/mpi_amd64.c
new file mode 100644
index 000000000..5befb8753
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_amd64.c
@@ -0,0 +1,65 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Solaris software cryptographic token.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef MPI_AMD64
+#error This file only works on AMD64 platforms.
+#endif
+
+#include <mpi-priv.h>
+
+/*
+ * MPI glue
+ *
+ */
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len,
+                                       mp_digit b, mp_digit *c)
+{
+  mp_digit w;
+  mp_digit d;
+
+  d = s_mpv_mul_add_vec64(c, a, a_len, b);
+  c += a_len;
+  while (d) {
+    w = c[0] + d;
+    d = (w < c[0] || w < d);
+    *c++ = w;
+  }
+}
+
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64_gas.s b/security/nss/lib/freebl/mpi/mpi_amd64_gas.s
new file mode 100644
index 000000000..86e16e362
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_amd64_gas.s
@@ -0,0 +1,422 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+# 
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+# 
+# The Original Code is the Solaris software cryptographic token.
+# 
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are Copyright (C) 2005
+# the Initial Developer. All Rights Reserved.
+# 
+# Contributor(s):
+#   Sun Microsystems, Inc.
+# 
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+# 
+# ***** END LICENSE BLOCK ***** */
+
+
+# ------------------------------------------------------------------------
+#
+#  Implementation of s_mpv_mul_set_vec which exploits
+#  the 64X64->128 bit  unsigned multiply instruction.
+#
+# ------------------------------------------------------------------------
+
+# r = a * digit, r and a are vectors of length len
+# returns the carry digit
+# r and a are 64 bit aligned.
+#
+# uint64_t
+# s_mpv_mul_set_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
+#
+
+.text; .align 16; .globl s_mpv_mul_set_vec64; .type s_mpv_mul_set_vec64, @function; s_mpv_mul_set_vec64:
+
+	xorq	%rax, %rax		# if (len == 0) return (0)
+	testq	%rdx, %rdx
+	jz	.L17
+
+	movq	%rdx, %r8		# Use r8 for len; %rdx is used by mul
+	xorq	%r9, %r9		# cy = 0
+
+.L15:
+	cmpq	$8, %r8			# 8 - len
+	jb	.L16
+	movq	0(%rsi), %rax		# rax = a[0]
+	movq	8(%rsi), %r11		# prefetch a[1]
+	mulq	%rcx			# p = a[0] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 0(%rdi)		# r[0] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	16(%rsi), %r11		# prefetch a[2]
+	mulq	%rcx			# p = a[1] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 8(%rdi)		# r[1] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	24(%rsi), %r11		# prefetch a[3]
+	mulq	%rcx			# p = a[2] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 16(%rdi)		# r[2] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	32(%rsi), %r11		# prefetch a[4]
+	mulq	%rcx			# p = a[3] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 24(%rdi)		# r[3] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	40(%rsi), %r11		# prefetch a[5]
+	mulq	%rcx			# p = a[4] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 32(%rdi)		# r[4] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	48(%rsi), %r11		# prefetch a[6]
+	mulq	%rcx			# p = a[5] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 40(%rdi)		# r[5] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	56(%rsi), %r11		# prefetch a[7]
+	mulq	%rcx			# p = a[6] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 48(%rdi)		# r[6] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	mulq	%rcx			# p = a[7] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 56(%rdi)		# r[7] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	addq	$64, %rsi
+	addq	$64, %rdi
+	subq	$8, %r8
+
+	jz	.L17
+	jmp	.L15
+
+.L16:
+	movq	0(%rsi), %rax
+	mulq	%rcx			# p = a[0] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 0(%rdi)		# r[0] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	8(%rsi), %rax
+	mulq	%rcx			# p = a[1] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 8(%rdi)		# r[1] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	16(%rsi), %rax
+	mulq	%rcx			# p = a[2] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 16(%rdi)		# r[2] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	24(%rsi), %rax
+	mulq	%rcx			# p = a[3] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 24(%rdi)		# r[3] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	32(%rsi), %rax
+	mulq	%rcx			# p = a[4] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 32(%rdi)		# r[4] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	40(%rsi), %rax
+	mulq	%rcx			# p = a[5] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 40(%rdi)		# r[5] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	48(%rsi), %rax
+	mulq	%rcx			# p = a[6] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 48(%rdi)		# r[6] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+
+.L17:
+	movq	%r9, %rax
+	ret
+
+.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
+
+# ------------------------------------------------------------------------
+#
+#  Implementation of s_mpv_mul_add_vec which exploits
+#  the 64X64->128 bit  unsigned multiply instruction.
+#
+# ------------------------------------------------------------------------
+
+# r += a * digit, r and a are vectors of length len
+# returns the carry digit
+# r and a are 64 bit aligned.
+#
+# uint64_t
+# s_mpv_mul_add_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
+#
+
+.text; .align 16; .globl s_mpv_mul_add_vec64; .type s_mpv_mul_add_vec64, @function; s_mpv_mul_add_vec64:
+
+	xorq	%rax, %rax		# if (len == 0) return (0)
+	testq	%rdx, %rdx
+	jz	.L27
+
+	movq	%rdx, %r8		# Use r8 for len; %rdx is used by mul
+	xorq	%r9, %r9		# cy = 0
+
+.L25:
+	cmpq	$8, %r8			# 8 - len
+	jb	.L26
+	movq	0(%rsi), %rax		# rax = a[0]
+	movq	0(%rdi), %r10		# r10 = r[0]
+	movq	8(%rsi), %r11		# prefetch a[1]
+	mulq	%rcx			# p = a[0] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[0]
+	movq	8(%rdi), %r10		# prefetch r[1]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 0(%rdi)		# r[0] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	16(%rsi), %r11		# prefetch a[2]
+	mulq	%rcx			# p = a[1] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[1]
+	movq	16(%rdi), %r10		# prefetch r[2]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 8(%rdi)		# r[1] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	24(%rsi), %r11		# prefetch a[3]
+	mulq	%rcx			# p = a[2] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[2]
+	movq	24(%rdi), %r10		# prefetch r[3]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 16(%rdi)		# r[2] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	32(%rsi), %r11		# prefetch a[4]
+	mulq	%rcx			# p = a[3] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[3]
+	movq	32(%rdi), %r10		# prefetch r[4]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 24(%rdi)		# r[3] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	40(%rsi), %r11		# prefetch a[5]
+	mulq	%rcx			# p = a[4] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[4]
+	movq	40(%rdi), %r10		# prefetch r[5]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 32(%rdi)		# r[4] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	48(%rsi), %r11		# prefetch a[6]
+	mulq	%rcx			# p = a[5] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[5]
+	movq	48(%rdi), %r10		# prefetch r[6]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 40(%rdi)		# r[5] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	movq	56(%rsi), %r11		# prefetch a[7]
+	mulq	%rcx			# p = a[6] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[6]
+	movq	56(%rdi), %r10		# prefetch r[7]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 48(%rdi)		# r[6] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	movq	%r11, %rax
+	mulq	%rcx			# p = a[7] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[7]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 56(%rdi)		# r[7] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+
+	addq	$64, %rsi
+	addq	$64, %rdi
+	subq	$8, %r8
+
+	jz	.L27
+	jmp	.L25
+
+.L26:
+	movq	0(%rsi), %rax
+	movq	0(%rdi), %r10
+	mulq	%rcx			# p = a[0] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[0]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 0(%rdi)		# r[0] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	8(%rsi), %rax
+	movq	8(%rdi), %r10
+	mulq	%rcx			# p = a[1] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[1]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 8(%rdi)		# r[1] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	16(%rsi), %rax
+	movq	16(%rdi), %r10
+	mulq	%rcx			# p = a[2] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[2]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 16(%rdi)		# r[2] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	24(%rsi), %rax
+	movq	24(%rdi), %r10
+	mulq	%rcx			# p = a[3] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[3]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 24(%rdi)		# r[3] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	32(%rsi), %rax
+	movq	32(%rdi), %r10
+	mulq	%rcx			# p = a[4] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[4]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 32(%rdi)		# r[4] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	40(%rsi), %rax
+	movq	40(%rdi), %r10
+	mulq	%rcx			# p = a[5] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[5]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 40(%rdi)		# r[5] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	48(%rsi), %rax
+	movq	48(%rdi), %r10
+	mulq	%rcx			# p = a[6] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		# p += r[6]
+	addq	%r9, %rax
+	adcq	$0, %rdx		# p += cy
+	movq	%rax, 48(%rdi)		# r[6] = lo(p)
+	movq	%rdx, %r9		# cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+
+.L27:
+	movq	%r9, %rax
+	ret
+        
+.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
+
+# Magic indicating no need for an executable stack
+.section .note.GNU-stack, "", @progbits
+.previous
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64_sun.s b/security/nss/lib/freebl/mpi/mpi_amd64_sun.s
new file mode 100644
index 000000000..ac7107415
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_amd64_sun.s
@@ -0,0 +1,418 @@
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/ 
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/ 
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/ 
+/ The Original Code is the Solaris software cryptographic token.
+/ 
+/ The Initial Developer of the Original Code is
+/ Sun Microsystems, Inc.
+/ Portions created by the Initial Developer are Copyright (C) 2005
+/ the Initial Developer. All Rights Reserved.
+/ 
+/ Contributor(s):
+/   Sun Microsystems, Inc.
+/ 
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/ 
+/ ***** END LICENSE BLOCK ***** */
+
+
+/ ------------------------------------------------------------------------
+/
+/  Implementation of s_mpv_mul_set_vec which exploits
+/  the 64X64->128 bit  unsigned multiply instruction.
+/
+/ ------------------------------------------------------------------------
+
+/ r = a * digit, r and a are vectors of length len
+/ returns the carry digit
+/ r and a are 64 bit aligned.
+/
+/ uint64_t
+/ s_mpv_mul_set_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
+/
+
+.text; .align 16; .globl s_mpv_mul_set_vec64; .type s_mpv_mul_set_vec64, @function; s_mpv_mul_set_vec64:
+
+	xorq	%rax, %rax		/ if (len == 0) return (0)
+	testq	%rdx, %rdx
+	jz	.L17
+
+	movq	%rdx, %r8		/ Use r8 for len; %rdx is used by mul
+	xorq	%r9, %r9		/ cy = 0
+
+.L15:
+	cmpq	$8, %r8			/ 8 - len
+	jb	.L16
+	movq	0(%rsi), %rax		/ rax = a[0]
+	movq	8(%rsi), %r11		/ prefetch a[1]
+	mulq	%rcx			/ p = a[0] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	16(%rsi), %r11		/ prefetch a[2]
+	mulq	%rcx			/ p = a[1] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	24(%rsi), %r11		/ prefetch a[3]
+	mulq	%rcx			/ p = a[2] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	32(%rsi), %r11		/ prefetch a[4]
+	mulq	%rcx			/ p = a[3] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	40(%rsi), %r11		/ prefetch a[5]
+	mulq	%rcx			/ p = a[4] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	48(%rsi), %r11		/ prefetch a[6]
+	mulq	%rcx			/ p = a[5] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	56(%rsi), %r11		/ prefetch a[7]
+	mulq	%rcx			/ p = a[6] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	mulq	%rcx			/ p = a[7] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 56(%rdi)		/ r[7] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	addq	$64, %rsi
+	addq	$64, %rdi
+	subq	$8, %r8
+
+	jz	.L17
+	jmp	.L15
+
+.L16:
+	movq	0(%rsi), %rax
+	mulq	%rcx			/ p = a[0] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	8(%rsi), %rax
+	mulq	%rcx			/ p = a[1] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	16(%rsi), %rax
+	mulq	%rcx			/ p = a[2] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	24(%rsi), %rax
+	mulq	%rcx			/ p = a[3] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	32(%rsi), %rax
+	mulq	%rcx			/ p = a[4] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	40(%rsi), %rax
+	mulq	%rcx			/ p = a[5] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+	movq	48(%rsi), %rax
+	mulq	%rcx			/ p = a[6] * digit
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L17
+
+
+.L17:
+	movq	%r9, %rax
+	ret
+
+.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
+
+/ ------------------------------------------------------------------------
+/
+/  Implementation of s_mpv_mul_add_vec which exploits
+/  the 64X64->128 bit  unsigned multiply instruction.
+/
+/ ------------------------------------------------------------------------
+
+/ r += a * digit, r and a are vectors of length len
+/ returns the carry digit
+/ r and a are 64 bit aligned.
+/
+/ uint64_t
+/ s_mpv_mul_add_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
+/
+
+.text; .align 16; .globl s_mpv_mul_add_vec64; .type s_mpv_mul_add_vec64, @function; s_mpv_mul_add_vec64:
+
+	xorq	%rax, %rax		/ if (len == 0) return (0)
+	testq	%rdx, %rdx
+	jz	.L27
+
+	movq	%rdx, %r8		/ Use r8 for len; %rdx is used by mul
+	xorq	%r9, %r9		/ cy = 0
+
+.L25:
+	cmpq	$8, %r8			/ 8 - len
+	jb	.L26
+	movq	0(%rsi), %rax		/ rax = a[0]
+	movq	0(%rdi), %r10		/ r10 = r[0]
+	movq	8(%rsi), %r11		/ prefetch a[1]
+	mulq	%rcx			/ p = a[0] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[0]
+	movq	8(%rdi), %r10		/ prefetch r[1]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	16(%rsi), %r11		/ prefetch a[2]
+	mulq	%rcx			/ p = a[1] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[1]
+	movq	16(%rdi), %r10		/ prefetch r[2]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	24(%rsi), %r11		/ prefetch a[3]
+	mulq	%rcx			/ p = a[2] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[2]
+	movq	24(%rdi), %r10		/ prefetch r[3]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	32(%rsi), %r11		/ prefetch a[4]
+	mulq	%rcx			/ p = a[3] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[3]
+	movq	32(%rdi), %r10		/ prefetch r[4]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	40(%rsi), %r11		/ prefetch a[5]
+	mulq	%rcx			/ p = a[4] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[4]
+	movq	40(%rdi), %r10		/ prefetch r[5]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	48(%rsi), %r11		/ prefetch a[6]
+	mulq	%rcx			/ p = a[5] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[5]
+	movq	48(%rdi), %r10		/ prefetch r[6]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	movq	56(%rsi), %r11		/ prefetch a[7]
+	mulq	%rcx			/ p = a[6] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[6]
+	movq	56(%rdi), %r10		/ prefetch r[7]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	movq	%r11, %rax
+	mulq	%rcx			/ p = a[7] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[7]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 56(%rdi)		/ r[7] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+
+	addq	$64, %rsi
+	addq	$64, %rdi
+	subq	$8, %r8
+
+	jz	.L27
+	jmp	.L25
+
+.L26:
+	movq	0(%rsi), %rax
+	movq	0(%rdi), %r10
+	mulq	%rcx			/ p = a[0] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[0]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	8(%rsi), %rax
+	movq	8(%rdi), %r10
+	mulq	%rcx			/ p = a[1] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[1]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	16(%rsi), %rax
+	movq	16(%rdi), %r10
+	mulq	%rcx			/ p = a[2] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[2]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	24(%rsi), %rax
+	movq	24(%rdi), %r10
+	mulq	%rcx			/ p = a[3] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[3]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	32(%rsi), %rax
+	movq	32(%rdi), %r10
+	mulq	%rcx			/ p = a[4] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[4]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	40(%rsi), %rax
+	movq	40(%rdi), %r10
+	mulq	%rcx			/ p = a[5] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[5]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+	movq	48(%rsi), %rax
+	movq	48(%rdi), %r10
+	mulq	%rcx			/ p = a[6] * digit
+	addq	%r10, %rax
+	adcq	$0, %rdx		/ p += r[6]
+	addq	%r9, %rax
+	adcq	$0, %rdx		/ p += cy
+	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
+	movq	%rdx, %r9		/ cy = hi(p)
+	decq	%r8
+	jz	.L27
+
+
+.L27:
+	movq	%r9, %rax
+	ret
+        
+.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
diff --git a/security/nss/lib/freebl/mpi/mpi_hp.c b/security/nss/lib/freebl/mpi/mpi_hp.c
new file mode 100644
index 000000000..c27e9cfa7
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_hp.c
@@ -0,0 +1,115 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* This file contains routines that perform vector multiplication.  */
+
+#include "mpi-priv.h"
+#include <unistd.h>
+
+#include <stddef.h>
+/* #include <sys/systeminfo.h> */
+#include <strings.h>
+
+extern void multacc512( 
+   int             length,        /* doublewords in multiplicand vector. */
+   const mp_digit *scalaraddr,    /* Address of scalar. */
+   const mp_digit *multiplicand,  /* The multiplicand vector. */
+   mp_digit *      result);       /* Where to accumulate the result. */
+
+extern void maxpy_little(
+   int             length,        /* doublewords in multiplicand vector. */
+   const mp_digit *scalaraddr,    /* Address of scalar. */
+   const mp_digit *multiplicand,  /* The multiplicand vector. */
+   mp_digit *      result);       /* Where to accumulate the result. */
+
+extern void add_diag_little(
+   int            length,       /* doublewords in input vector. */
+   const mp_digit *root,         /* The vector to square. */
+   mp_digit *      result);      /* Where to accumulate the result. */
+
+void 
+s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
+{
+    add_diag_little(a_len, pa, ps);
+}
+
+#define MAX_STACK_DIGITS 258
+#define MULTACC512_LEN   (512 / MP_DIGIT_BIT)
+#define HP_MPY_ADD_FN    (a_len == MULTACC512_LEN ? multacc512 : maxpy_little)
+
+/* c = a * b */
+void 
+s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit x[MAX_STACK_DIGITS];
+    mp_digit *px = x;
+    size_t   xSize = 0;
+
+    if (a == c) {
+	if (a_len > MAX_STACK_DIGITS) {
+	    xSize = sizeof(mp_digit) * (a_len + 2);
+	    px = malloc(xSize);
+	    if (!px)
+		return;
+	}
+	memcpy(px, a, a_len * sizeof(*a));
+	a = px;
+    }
+    s_mp_setz(c, a_len + 1);
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+    if (px != x && px) {
+	memset(px, 0, xSize);
+	free(px);
+    }
+}
+
+/* c += a * b, where a is a_len words long. */
+void     
+s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    c[a_len] = 0;	/* so carry propagation stops here. */
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+}
+
+/* c += a * b, where a is y words long. */
+void     
+s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
+			 mp_digit *c)
+{
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+}
+
diff --git a/security/nss/lib/freebl/mpi/mpi_i86pc.s b/security/nss/lib/freebl/mpi/mpi_i86pc.s
new file mode 100644
index 000000000..ae679af48
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_i86pc.s
@@ -0,0 +1,348 @@
+/
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/
+/ The Original Code is the Netscape security libraries.
+/
+/ The Initial Developer of the Original Code is
+/ Netscape Communications Corporation.
+/ Portions created by the Initial Developer are Copyright (C) 2001
+/ the Initial Developer. All Rights Reserved.
+/
+/ Contributor(s):
+/
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/
+/ ***** END LICENSE BLOCK *****
+
+/  $Id$
+/
+
+.text
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d
+.type	s_mpv_mul_d,@function
+s_mpv_mul_d:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L2			/ jmp if a_len == 0
+    mov    8(%ebp),%esi		/ esi = a
+    cld
+L1:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L1			/ jmp if a_len != 0
+L2:
+    mov    %ebx,0(%edi)		/ *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d_add
+.type	s_mpv_mul_d_add,@function
+s_mpv_mul_d_add:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L4			/ jmp if a_len == 0
+    mov    8(%ebp),%esi		/ esi = a
+    cld
+L3:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		/ add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L3			/ jmp if a_len != 0
+L4:
+    mov    %ebx,0(%edi)		/ *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d_add_prop
+.type	s_mpv_mul_d_add_prop,@function
+s_mpv_mul_d_add_prop:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L6			/ jmp if a_len == 0
+    cld
+    mov    8(%ebp),%esi		/ esi = a
+L5:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		/ add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L5			/ jmp if a_len != 0
+L6:
+    cmp    $0,%ebx		/ is carry zero?
+    jz     L8
+    mov    0(%edi),%eax		/ add in current word from *c
+    add	   %ebx,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jnc    L8
+L7:
+    mov    0(%edi),%eax		/ add in current word from *c
+    adc	   $0,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jc     L7
+L8:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 20:	caller's esi
+ /  ebp - 16:	caller's edi
+ /  ebp - 12:	
+ /  ebp - 8:	carry
+ /  ebp - 4:	a_len	local
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	pa	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	ps	argument
+ /  ebp + 20:	
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+
+.globl	s_mpv_sqr_add_prop
+.type	s_mpv_sqr_add_prop,@function
+s_mpv_sqr_add_prop:
+     push   %ebp
+     mov    %esp,%ebp
+     sub    $12,%esp
+     push   %edi
+     push   %esi
+     push   %ebx
+     movl   $0,%ebx		/ carry = 0
+     mov    12(%ebp),%ecx	/ a_len
+     mov    16(%ebp),%edi	/ edi = ps
+     cmp    $0,%ecx
+     je     L11			/ jump if a_len == 0
+     cld
+     mov    8(%ebp),%esi	/ esi = pa
+L10:
+     lodsl			/ %eax = [ds:si]; si += 4;
+     mull   %eax
+
+     add    %ebx,%eax		/ add "carry"
+     adc    $0,%edx
+     mov    0(%edi),%ebx
+     add    %ebx,%eax		/ add low word from result
+     mov    4(%edi),%ebx
+     stosl			/ [es:di] = %eax; di += 4;
+     adc    %ebx,%edx		/ add high word from result
+     movl   $0,%ebx
+     mov    %edx,%eax
+     adc    $0,%ebx
+     stosl			/ [es:di] = %eax; di += 4;
+     dec    %ecx		/ --a_len
+     jnz    L10			/ jmp if a_len != 0
+L11:
+    cmp    $0,%ebx		/ is carry zero?
+    jz     L14
+    mov    0(%edi),%eax		/ add in current word from *c
+    add	   %ebx,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jnc    L14
+L12:
+    mov    0(%edi),%eax		/ add in current word from *c
+    adc	   $0,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jc     L12
+L14:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /
+ / Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ / so its high bit is 1.   This code is from NSPR.
+ /
+ / mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+ / 		          mp_digit *qp, mp_digit *rp)
+
+ /  esp +  0:   Caller's ebx
+ /  esp +  4:	return address
+ /  esp +  8:	Nhi	argument
+ /  esp + 12:	Nlo	argument
+ /  esp + 16:	divisor	argument
+ /  esp + 20:	qp	argument
+ /  esp + 24:   rp	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+ / 
+
+.globl	s_mpv_div_2dx1d
+.type	s_mpv_div_2dx1d,@function
+s_mpv_div_2dx1d:
+       push   %ebx
+       mov    8(%esp),%edx
+       mov    12(%esp),%eax
+       mov    16(%esp),%ebx
+       div    %ebx
+       mov    20(%esp),%ebx
+       mov    %eax,0(%ebx)
+       mov    24(%esp),%ebx
+       mov    %edx,0(%ebx)
+       xor    %eax,%eax		/ return zero
+       pop    %ebx
+       ret    
+       nop
+  
diff --git a/security/nss/lib/freebl/mpi/mpi_mips.s b/security/nss/lib/freebl/mpi/mpi_mips.s
new file mode 100644
index 000000000..059222224
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_mips.s
@@ -0,0 +1,504 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include <regdef.h>
+        .set    noreorder
+        .set    noat
+
+        .section        .text, 1, 0x00000006, 4, 4
+.text:
+        .section        .text
+
+        .ent    s_mpv_mul_d_add
+        .globl  s_mpv_mul_d_add
+
+s_mpv_mul_d_add: 
+ #/* c += a * b */
+ #void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   c0, c1;  regs a6, a7
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.L.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.L.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.L.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.L.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  c0     = c[0];
+	lwu	a6,0(a3)
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4			#
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.L.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.L.3:
+ #      c0       = c[0];
+	lwu	a6,0(a3)
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.L.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5
+ #	  w0    += c0;
+	daddu	t0,t0,a6		#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.L.6
+	addiu	a3,a3,4
+ #      } else {
+.L.5:
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	b	.L.6
+	dsrl32	t2,t0,0
+ #      }
+ #    } else {
+.L.2:
+ #      c0     = c[0];
+	lwu	a6,0(a3)
+ #      w0    += c0;
+	mflo	t0
+	daddu	t0,t0,a6
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #    }
+.L.6:
+ #    c[1] = cy;
+	jr	ra
+	sw	t2,4(a3)
+ #  }
+.L.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d_add
+
+        .ent    s_mpv_mul_d_add_prop
+        .globl  s_mpv_mul_d_add_prop
+
+s_mpv_mul_d_add_prop: 
+ #/* c += a * b */
+ #void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   c0, c1;  regs a6, a7
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.M.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.M.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.M.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.M.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  c0     = c[0];
+	lwu	a6,0(a3)
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4			#
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.M.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.M.3:
+ #      c0       = c[0];
+	lwu	a6,0(a3)
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.M.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5
+ #	  w0    += c0;
+	daddu	t0,t0,a6		#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.M.6
+	addiu	a3,a3,8
+ #      } else {
+.M.5:
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+	b	.M.6
+	addiu	a3,a3,4
+ #      }
+ #    } else {
+.M.2:
+ #      c0     = c[0];
+	lwu	a6,0(a3)
+ #      w0    += c0;
+	mflo	t0
+	daddu	t0,t0,a6
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+	addiu	a3,a3,4
+ #    }
+.M.6:
+
+ #    while (cy) {
+	beq	t2,zero,.M.1
+	nop
+.M.7:
+ #      mp_word w = (mp_word)*c + cy;
+	lwu	a6,0(a3)
+	daddu	t2,t2,a6
+ #      *c++ = ACCUM(w);
+	sw	t2,0(a3)
+ #      cy = CARRYOUT(w);
+	dsrl32	t2,t2,0
+	bne	t2,zero,.M.7
+	addiu	a3,a3,4
+
+ #  }
+.M.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d_add_prop
+
+        .ent    s_mpv_mul_d
+        .globl  s_mpv_mul_d
+
+s_mpv_mul_d: 
+ #/* c = a * b */
+ #void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.N.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.N.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.N.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.N.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5	
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4	
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.N.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.N.3:
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.N.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.N.6
+	addiu	a3,a3,4
+ #      } else {
+.N.5:
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	b	.N.6
+	dsrl32	t2,t0,0
+ #      }
+ #    } else {
+.N.2:
+	mflo	t0
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #    }
+.N.6:
+ #    c[1] = cy;
+	jr	ra
+	sw	t2,4(a3)
+ #  }
+.N.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d
+
+
+        .ent    s_mpv_sqr_add_prop
+        .globl  s_mpv_sqr_add_prop
+ #void   s_mpv_sqr_add_prop(const mp_digit *a, mp_size a_len, mp_digit *sqrs);
+ #	registers
+ #	a0		*a
+ #	a1		a_len
+ #	a2		*sqr
+ #	a3		digit from *a, a_i
+ #	a4		square of digit from a
+ #	a5,a6		next 2 digits in sqr
+ #	a7,t0		carry 
+s_mpv_sqr_add_prop:
+	move	a7,zero
+	move	t0,zero
+	lwu	a3,0(a0)
+	addiu	a1,a1,-1	# --a_len
+	dmultu	a3,a3
+	beq	a1,zero,.P.3	# jump if we've already done the only sqr
+	addiu	a0,a0,4		# ++a
+.P.2:
+        lwu	a5,0(a2)
+        lwu	a6,4(a2)
+	addiu	a2,a2,8		# sqrs += 2;
+	dsll32	a6,a6,0
+	daddu	a5,a5,a6
+	lwu	a3,0(a0)
+	addiu	a0,a0,4		# ++a
+	mflo	a4
+	daddu	a6,a5,a4
+	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
+	dmultu	a3,a3
+	daddu	a4,a6,t0
+	sltu	t0,a4,a6
+	add	t0,t0,a7
+	sw	a4,-8(a2)
+	addiu	a1,a1,-1	# --a_len
+	dsrl32	a4,a4,0
+	bne	a1,zero,.P.2	# loop if a_len > 0
+	sw	a4,-4(a2)
+.P.3:
+        lwu	a5,0(a2)
+        lwu	a6,4(a2)
+	addiu	a2,a2,8		# sqrs += 2;
+	dsll32	a6,a6,0
+	daddu	a5,a5,a6
+	mflo	a4
+	daddu	a6,a5,a4
+	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
+	daddu	a4,a6,t0
+	sltu	t0,a4,a6
+	add	t0,t0,a7
+	sw	a4,-8(a2)
+	beq	t0,zero,.P.9	# jump if no carry
+	dsrl32	a4,a4,0
+.P.8:
+	sw	a4,-4(a2)
+	/* propagate final carry */
+	lwu	a5,0(a2)
+	daddu	a6,a5,t0
+	sltu	t0,a6,a5
+	bne	t0,zero,.P.8	# loop if carry persists
+	addiu	a2,a2,4		# sqrs++
+.P.9:
+	jr	ra
+	sw	a4,-4(a2)
+
+        .end    s_mpv_sqr_add_prop
diff --git a/security/nss/lib/freebl/mpi/mpi_sparc.c b/security/nss/lib/freebl/mpi/mpi_sparc.c
new file mode 100644
index 000000000..f7eb19c19
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_sparc.c
@@ -0,0 +1,257 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* Multiplication performance enhancements for sparc v8+vis CPUs. */
+
+#include "mpi-priv.h"
+#include <stddef.h>
+#include <sys/systeminfo.h>
+#include <strings.h>
+
+/* In the functions below, */
+/* vector y must be 8-byte aligned, and n must be even */
+/* returns carry out of high order word of result */
+/* maximum n is 256 */
+
+/* vector x += vector y * scaler a; where y is of length n words. */
+extern mp_digit mul_add_inp(mp_digit *x, const mp_digit *y, int n, mp_digit a);
+
+/* vector z = vector x + vector y * scaler a; where y is of length n words. */
+extern mp_digit mul_add(mp_digit *z, const mp_digit *x, const mp_digit *y, 
+			int n, mp_digit a);
+
+/* v8 versions of these functions run on any Sparc v8 CPU. */
+
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { unsigned long long product = (unsigned long long)a * b; \
+    Plo = (mp_digit)product; \
+    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
+
+/* c = a * b */
+static void 
+v8_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* c += a * b */
+static void 
+v8_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+static void 
+v8_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+
+  while (d) {
+    mp_word w = (mp_word)*c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+#endif
+}
+
+/* These functions run only on v8plus+vis or v9+vis CPUs. */
+
+/* c = a * b */
+void 
+s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (a == c || ((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	s_mp_setz(c, a_len + 1);
+	d = mul_add_inp(c, a, a_len, b);
+	c[a_len] = d;
+    } else {
+	v8_mpv_mul_d(a, a_len, b, c);
+    }
+}
+
+/* c += a * b, where a is a_len words long. */
+void     
+s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	d = mul_add_inp(c, a, a_len, b);
+	c[a_len] = d;
+    } else {
+	v8_mpv_mul_d_add(a, a_len, b, c);
+    }
+}
+
+/* c += a * b, where a is y words long. */
+void     
+s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	d = mul_add_inp(c, a, a_len, b);
+	if (d) {
+	    c += a_len;
+	    do {
+		mp_digit sum = d + *c;
+		*c++ = sum;
+		d = sum < d;
+	    } while (d);
+	}
+    } else {
+	v8_mpv_mul_d_add_prop(a, a_len, b, c);
+    }
+}
diff --git a/security/nss/lib/freebl/mpi/mpi_x86.s b/security/nss/lib/freebl/mpi/mpi_x86.s
new file mode 100644
index 000000000..8bf0e08d1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_x86.s
@@ -0,0 +1,576 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#  $Id$
+#
+
+.data
+.align 4
+ #
+ # -1 means to call s_mpi_is_sse to determine if we support sse 
+ #    instructions.
+ #  0 means to use x86 instructions
+ #  1 means to use sse2 instructions
+.type	is_sse,@object
+.size	is_sse,4
+is_sse: .long	-1 
+
+#
+# sigh, handle the difference between -fPIC and not PIC
+# default to pic, since this file seems to be exclusively
+# linux right now (solaris uses mpi_i86pc.s and windows uses
+# mpi_x86_asm.c)
+#
+.ifndef NO_PIC
+.macro GET   var,reg
+    movl   \var@GOTOFF(%ebx),\reg
+.endm
+.macro PUT   reg,var
+    movl   \reg,\var@GOTOFF(%ebx)
+.endm
+.else
+.macro GET   var,reg
+    movl   \var,\reg
+.endm
+.macro PUT   reg,var
+    movl   \reg,\var
+.endm
+.endif
+
+.text
+
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d
+.type	s_mpv_mul_d,@function
+s_mpv_mul_d:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     s_mpv_mul_d_x86
+    jg     s_mpv_mul_d_sse2
+    call   s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     s_mpv_mul_d_sse2
+s_mpv_mul_d_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     2f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+1:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    1b			# jmp if a_len != 0
+2:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+s_mpv_mul_d_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     6f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+5:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    5b			# jmp if a_len != 0
+6:
+    movd   %mm2,0(%edi)		# *c = carry
+    emms
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d_add
+.type	s_mpv_mul_d_add,@function
+s_mpv_mul_d_add:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     s_mpv_mul_d_add_x86
+    jg     s_mpv_mul_d_add_sse2
+    call   s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     s_mpv_mul_d_add_sse2
+s_mpv_mul_d_add_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     11f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+10:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    10b			# jmp if a_len != 0
+11:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+s_mpv_mul_d_add_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     16f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+15:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    movd   0(%edi),%mm0
+    paddq  %mm0,%mm2            # add the carry
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    15b			# jmp if a_len != 0
+16:
+    movd   %mm2,0(%edi)		# *c = carry
+    emms
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 8:	caller's esi
+ #  ebp - 4:	caller's edi
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d_add_prop
+.type	s_mpv_mul_d_add_prop,@function
+s_mpv_mul_d_add_prop:
+    GET    is_sse,%eax
+    cmp    $0,%eax
+    je     s_mpv_mul_d_add_prop_x86
+    jg     s_mpv_mul_d_add_prop_sse2
+    call   s_mpi_is_sse2
+    PUT    %eax,is_sse
+    cmp    $0,%eax
+    jg     s_mpv_mul_d_add_prop_sse2
+s_mpv_mul_d_add_prop_x86:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     21f			# jmp if a_len == 0
+    cld
+    mov    8(%ebp),%esi		# esi = a
+20:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    20b			# jmp if a_len != 0
+21:
+    cmp    $0,%ebx		# is carry zero?
+    jz     23f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    23f
+22:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     22b
+23:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+s_mpv_mul_d_add_prop_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    push   %ebx
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    movd   16(%ebp),%mm1	# mm1 = b
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     26f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+25:
+    movd   0(%esi),%mm0         # mm0 = *a++
+    movd   0(%edi),%mm3		# fetch the sum
+    add    $4,%esi
+    pmuludq %mm1,%mm0           # mm0 = b * *a++
+    paddq  %mm0,%mm2            # add the carry
+    paddq  %mm3,%mm2            # add *c++
+    movd   %mm2,0(%edi)         # store the 32bit result
+    add    $4,%edi
+    psrlq  $32, %mm2		# save the carry
+    dec    %ecx			# --a_len
+    jnz    25b			# jmp if a_len != 0
+26:
+    movd   %mm2,%ebx
+    cmp    $0,%ebx		# is carry zero?
+    jz     28f
+    mov    0(%edi),%eax
+    add    %ebx, %eax
+    stosl
+    jnc    28f
+27:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     27b
+28:
+    emms
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+
+ #  ebp - 20:	caller's esi
+ #  ebp - 16:	caller's edi
+ #  ebp - 12:	
+ #  ebp - 8:	carry
+ #  ebp - 4:	a_len	local
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	pa	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	ps	argument
+ #  ebp + 20:	
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+
+.globl	s_mpv_sqr_add_prop
+.type	s_mpv_sqr_add_prop,@function
+s_mpv_sqr_add_prop:
+     GET   is_sse,%eax
+     cmp    $0,%eax
+     je     s_mpv_sqr_add_prop_x86
+     jg     s_mpv_sqr_add_prop_sse2
+     call   s_mpi_is_sse2
+     PUT    %eax,is_sse
+     cmp    $0,%eax
+     jg     s_mpv_sqr_add_prop_sse2
+s_mpv_sqr_add_prop_x86:
+     push   %ebp
+     mov    %esp,%ebp
+     sub    $12,%esp
+     push   %edi
+     push   %esi
+     push   %ebx
+     movl   $0,%ebx		# carry = 0
+     mov    12(%ebp),%ecx	# a_len
+     mov    16(%ebp),%edi	# edi = ps
+     cmp    $0,%ecx
+     je     31f			# jump if a_len == 0
+     cld
+     mov    8(%ebp),%esi	# esi = pa
+30:
+     lodsl			# %eax = [ds:si]; si += 4;
+     mull   %eax
+
+     add    %ebx,%eax		# add "carry"
+     adc    $0,%edx
+     mov    0(%edi),%ebx
+     add    %ebx,%eax		# add low word from result
+     mov    4(%edi),%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     adc    %ebx,%edx		# add high word from result
+     movl   $0,%ebx
+     mov    %edx,%eax
+     adc    $0,%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     dec    %ecx		# --a_len
+     jnz    30b			# jmp if a_len != 0
+31:
+    cmp    $0,%ebx		# is carry zero?
+    jz     34f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    34f
+32:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     32b
+34:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+s_mpv_sqr_add_prop_sse2:
+    push   %ebp
+    mov    %esp,%ebp
+    push   %edi
+    push   %esi
+    push   %ebx
+    psubq  %mm2,%mm2		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    16(%ebp),%edi
+    cmp    $0,%ecx
+    je     36f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+35:
+    movd   0(%esi),%mm0        # mm0 = *a
+    movd   0(%edi),%mm3	       # fetch the sum
+    add	   $4,%esi
+    pmuludq %mm0,%mm0          # mm0 = sqr(a)
+    paddq  %mm0,%mm2           # add the carry
+    paddq  %mm3,%mm2           # add the low word
+    movd   4(%edi),%mm3
+    movd   %mm2,0(%edi)        # store the 32bit result
+    psrlq  $32, %mm2	
+    paddq  %mm3,%mm2           # add the high word
+    movd   %mm2,4(%edi)        # store the 32bit result
+    psrlq  $32, %mm2	       # save the carry.
+    add    $8,%edi
+    dec    %ecx			# --a_len
+    jnz    35b			# jmp if a_len != 0
+36:
+    movd   %mm2,%ebx
+    cmp    $0,%ebx		# is carry zero?
+    jz     38f
+    mov    0(%edi),%eax
+    add    %ebx, %eax
+    stosl
+    jnc    38f
+37:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     37b
+38:
+    emms
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #
+ # Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ # so its high bit is 1.   This code is from NSPR.
+ #
+ # mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+ # 		          mp_digit *qp, mp_digit *rp)
+
+ #  esp +  0:   Caller's ebx
+ #  esp +  4:	return address
+ #  esp +  8:	Nhi	argument
+ #  esp + 12:	Nlo	argument
+ #  esp + 16:	divisor	argument
+ #  esp + 20:	qp	argument
+ #  esp + 24:   rp	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+ # 
+
+.globl	s_mpv_div_2dx1d
+.type	s_mpv_div_2dx1d,@function
+s_mpv_div_2dx1d:
+       push   %ebx
+       mov    8(%esp),%edx
+       mov    12(%esp),%eax
+       mov    16(%esp),%ebx
+       div    %ebx
+       mov    20(%esp),%ebx
+       mov    %eax,0(%ebx)
+       mov    24(%esp),%ebx
+       mov    %edx,0(%ebx)
+       xor    %eax,%eax		# return zero
+       pop    %ebx
+       ret    
+       nop
+  
+ # Magic indicating no need for an executable stack
+.section .note.GNU-stack, "", @progbits
+.previous
diff --git a/security/nss/lib/freebl/mpi/mpi_x86_asm.c b/security/nss/lib/freebl/mpi/mpi_x86_asm.c
new file mode 100644
index 000000000..b8a224f14
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_x86_asm.c
@@ -0,0 +1,368 @@
+/*
+ *  mpi_x86.c - MSVC inline assembly implementation of s_mpv_ functions.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Benjamin Smedberg <benjamin@smedbergs.us>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi-priv.h"
+
+/*
+ *   ebp - 36:	caller's esi
+ *   ebp - 32:	caller's edi
+ *   ebp - 28:	
+ *   ebp - 24:	
+ *   ebp - 20:	
+ *   ebp - 16:	
+ *   ebp - 12:	
+ *   ebp - 8:	
+ *   ebp - 4:	
+ *   ebp + 0:	caller's ebp
+ *   ebp + 4:	return address
+ *   ebp + 8:	a	argument
+ *   ebp + 12:	a_len	argument
+ *   ebp + 16:	b	argument
+ *   ebp + 20:	c	argument
+ *   registers:
+ *  	eax:
+ * 	ebx:	carry
+ * 	ecx:	a_len
+ * 	edx:
+ * 	esi:	a ptr
+ * 	edi:	c ptr
+ */
+__declspec(naked) void
+s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  __asm {
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_2			; jmp if a_len == 0
+    mov    esi,[ebp+8]		; esi = a
+    cld
+L_1:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_1			; jmp if a_len != 0
+L_2:
+    mov    [edi],ebx		; *c = carry
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+  }
+}
+
+/*
+ *   ebp - 36:	caller's esi
+ *   ebp - 32:	caller's edi
+ *   ebp - 28:	
+ *   ebp - 24:	
+ *   ebp - 20:	
+ *   ebp - 16:	
+ *   ebp - 12:	
+ *   ebp - 8:	
+ *   ebp - 4:	
+ *   ebp + 0:	caller's ebp
+ *   ebp + 4:	return address
+ *   ebp + 8:	a	argument
+ *   ebp + 12:	a_len	argument
+ *   ebp + 16:	b	argument
+ *   ebp + 20:	c	argument
+ *   registers:
+ *  	eax:
+ * 	ebx:	carry
+ * 	ecx:	a_len
+ * 	edx:
+ * 	esi:	a ptr
+ * 	edi:	c ptr
+ */
+__declspec(naked) void
+s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  __asm {
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_4			; jmp if a_len == 0
+    mov    esi,[ebp+8]		; esi = a
+    cld
+L_3:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,[edi]		; add in current word from *c
+    add    eax,ebx		
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_3			; jmp if a_len != 0
+L_4:
+    mov    [edi],ebx		; *c = carry
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+  }
+}
+
+/*
+ *   ebp - 36:	caller's esi
+ *   ebp - 32:	caller's edi
+ *   ebp - 28:	
+ *   ebp - 24:	
+ *   ebp - 20:	
+ *   ebp - 16:	
+ *   ebp - 12:	
+ *   ebp - 8:	
+ *   ebp - 4:	
+ *   ebp + 0:	caller's ebp
+ *   ebp + 4:	return address
+ *   ebp + 8:	a	argument
+ *   ebp + 12:	a_len	argument
+ *   ebp + 16:	b	argument
+ *   ebp + 20:	c	argument
+ *   registers:
+ *  	eax:
+ * 	ebx:	carry
+ * 	ecx:	a_len
+ * 	edx:
+ * 	esi:	a ptr
+ * 	edi:	c ptr
+ */
+__declspec(naked) void
+s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  __asm {
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_6			; jmp if a_len == 0
+    cld
+    mov    esi,[ebp+8]		; esi = a
+L_5:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,[edi]		; add in current word from *c
+    add    eax,ebx		
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_5			; jmp if a_len != 0
+L_6:
+    cmp    ebx,0		; is carry zero?
+    jz     L_8
+    mov    eax,[edi]		; add in current word from *c
+    add    eax,ebx
+    stosd			; [es:edi] = ax; edi += 4;
+    jnc    L_8
+L_7:
+    mov    eax,[edi]		; add in current word from *c
+    adc    eax,0
+    stosd			; [es:edi] = ax; edi += 4;
+    jc     L_7
+L_8:
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+  }
+}
+
+/*
+ *   ebp - 20:	caller's esi
+ *   ebp - 16:	caller's edi
+ *   ebp - 12:	
+ *   ebp - 8:	carry
+ *   ebp - 4:	a_len	local
+ *   ebp + 0:	caller's ebp
+ *   ebp + 4:	return address
+ *   ebp + 8:	pa	argument
+ *   ebp + 12:	a_len	argument
+ *   ebp + 16:	ps	argument
+ *   ebp + 20:	
+ *   registers:
+ *  	eax:
+ * 	ebx:	carry
+ * 	ecx:	a_len
+ * 	edx:
+ * 	esi:	a ptr
+ * 	edi:	c ptr
+ */
+__declspec(naked) void
+s_mpv_sqr_add_prop(const mp_digit *a, mp_size a_len, mp_digit *sqrs)
+{
+  __asm {
+     push   ebp
+     mov    ebp,esp
+     sub    esp,12
+     push   edi
+     push   esi
+     push   ebx
+     mov    ebx,0		; carry = 0
+     mov    ecx,[ebp+12]	; a_len
+     mov    edi,[ebp+16]	; edi = ps
+     cmp    ecx,0
+     je     L_11		; jump if a_len == 0
+     cld
+     mov    esi,[ebp+8]		; esi = pa
+L_10:
+     lodsd			; eax = [ds:si]; si += 4;
+     mul    eax
+
+     add    eax,ebx		; add "carry"
+     adc    edx,0
+     mov    ebx,[edi]
+     add    eax,ebx		; add low word from result
+     mov    ebx,[edi+4]
+     stosd			; [es:di] = eax; di += 4;
+     adc    edx,ebx		; add high word from result
+     mov    ebx,0
+     mov    eax,edx
+     adc    ebx,0
+     stosd			; [es:di] = eax; di += 4;
+     dec    ecx			; --a_len
+     jnz    L_10		; jmp if a_len != 0
+L_11:
+    cmp    ebx,0		; is carry zero?
+    jz     L_14
+    mov    eax,[edi]		; add in current word from *c
+    add    eax,ebx
+    stosd			; [es:edi] = ax; edi += 4;
+    jnc    L_14
+L_12:
+    mov    eax,[edi]		; add in current word from *c
+    adc    eax,0
+    stosd			; [es:edi] = ax; edi += 4;
+    jc     L_12
+L_14:
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+  }
+}
+
+/* 
+ *  Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ *  so its high bit is 1.   This code is from NSPR.
+ *
+ *  Dump of assembler code for function s_mpv_div_2dx1d:
+ *  
+ *   esp +  0:   Caller's ebx
+ *   esp +  4:	return address
+ *   esp +  8:	Nhi	argument
+ *   esp + 12:	Nlo	argument
+ *   esp + 16:	divisor	argument
+ *   esp + 20:	qp	argument
+ *   esp + 24:   rp	argument
+ *   registers:
+ *  	eax:
+ * 	ebx:	carry
+ * 	ecx:	a_len
+ * 	edx:
+ * 	esi:	a ptr
+ * 	edi:	c ptr
+ */  
+__declspec(naked) mp_err
+s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+		mp_digit *qp, mp_digit *rp)
+{
+  __asm {
+       push   ebx
+       mov    edx,[esp+8]
+       mov    eax,[esp+12]
+       mov    ebx,[esp+16]
+       div    ebx
+       mov    ebx,[esp+20]
+       mov    [ebx],eax
+       mov    ebx,[esp+24]
+       mov    [ebx],edx
+       xor    eax,eax		; return zero
+       pop    ebx
+       ret    
+       nop
+  }
+}
diff --git a/security/nss/lib/freebl/mpi/mplogic.c b/security/nss/lib/freebl/mpi/mplogic.c
new file mode 100644
index 000000000..3d9973714
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mplogic.c
@@ -0,0 +1,465 @@
+/*
+ *  mplogic.c
+ *
+ *  Bitwise logical operations on MPI values
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "mpi-priv.h"
+#include "mplogic.h"
+
+/* {{{ Lookup table for population count */
+
+static unsigned char bitc[] = {
+   0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8
+};
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_not(a, b)    - compute b = ~a
+  mpl_and(a, b, c) - compute c = a & b
+  mpl_or(a, b, c)  - compute c = a | b
+  mpl_xor(a, b, c) - compute c = a ^ b
+ */
+
+/* {{{ mpl_not(a, b) */
+
+mp_err mpl_not(mp_int *a, mp_int *b)
+{
+  mp_err   res;
+  unsigned int      ix;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  /* This relies on the fact that the digit type is unsigned */
+  for(ix = 0; ix < USED(b); ix++) 
+    DIGIT(b, ix) = ~DIGIT(b, ix);
+
+  s_mp_clamp(b);
+
+  return MP_OKAY;
+
+} /* end mpl_not() */
+
+/* }}} */
+
+/* {{{ mpl_and(a, b, c) */
+
+mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  unsigned int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) <= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) &= DIGIT(other, ix);
+
+  s_mp_clamp(c);
+
+  return MP_OKAY;
+
+} /* end mpl_and() */
+
+/* }}} */
+
+/* {{{ mpl_or(a, b, c) */
+
+mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  unsigned int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) >= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) |= DIGIT(other, ix);
+
+  return MP_OKAY;
+
+} /* end mpl_or() */
+
+/* }}} */
+
+/* {{{ mpl_xor(a, b, c) */
+
+mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  unsigned int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) >= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) ^= DIGIT(other, ix);
+
+  s_mp_clamp(c);
+
+  return MP_OKAY;
+
+} /* end mpl_xor() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_rsh(a, b, d)     - b = a >> d
+  mpl_lsh(a, b, d)     - b = a << d
+ */
+
+/* {{{ mpl_rsh(a, b, d) */
+
+mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  s_mp_div_2d(b, d);
+
+  return MP_OKAY;
+
+} /* end mpl_rsh() */
+
+/* }}} */
+
+/* {{{ mpl_lsh(a, b, d) */
+
+mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  return s_mp_mul_2d(b, d);
+
+} /* end mpl_lsh() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_num_set(a, num)
+
+  Count the number of set bits in the binary representation of a.
+  Returns MP_OKAY and sets 'num' to be the number of such bits, if
+  possible.  If num is NULL, the result is thrown away, but it is
+  not considered an error.
+
+  mpl_num_clear() does basically the same thing for clear bits.
+ */
+
+/* {{{ mpl_num_set(a, num) */
+
+mp_err mpl_num_set(mp_int *a, int *num)
+{
+  unsigned int   ix;
+  int            db, nset = 0;
+  mp_digit       cur;
+  unsigned char  reg;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    cur = DIGIT(a, ix);
+    
+    for(db = 0; db < sizeof(mp_digit); db++) {
+      reg = (unsigned char)(cur >> (CHAR_BIT * db));
+
+      nset += bitc[reg];
+    }
+  }
+
+  if(num)
+    *num = nset;
+
+  return MP_OKAY;
+
+} /* end mpl_num_set() */
+
+/* }}} */
+
+/* {{{ mpl_num_clear(a, num) */
+
+mp_err mpl_num_clear(mp_int *a, int *num)
+{
+  unsigned int   ix;
+  int            db, nset = 0;
+  mp_digit       cur;
+  unsigned char  reg;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    cur = DIGIT(a, ix);
+    
+    for(db = 0; db < sizeof(mp_digit); db++) {
+      reg = (unsigned char)(cur >> (CHAR_BIT * db));
+
+      nset += bitc[UCHAR_MAX - reg];
+    }
+  }
+
+  if(num)
+    *num = nset;
+
+  return MP_OKAY;
+
+
+} /* end mpl_num_clear() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_parity(a)
+
+  Determines the bitwise parity of the value given.  Returns MP_EVEN
+  if an even number of digits are set, MP_ODD if an odd number are
+  set.
+ */
+
+/* {{{ mpl_parity(a) */
+
+mp_err mpl_parity(mp_int *a)
+{
+  unsigned int ix;
+  int      par = 0;
+  mp_digit cur;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    int   shft = (sizeof(mp_digit) * CHAR_BIT) / 2;
+
+    cur = DIGIT(a, ix);
+
+    /* Compute parity for current digit */
+    while(shft != 0) {
+      cur ^= (cur >> shft);
+      shft >>= 1;
+    }
+    cur &= 1;
+
+    /* XOR with running parity so far   */
+    par ^= cur;
+  }
+
+  if(par)
+    return MP_ODD;
+  else
+    return MP_EVEN;
+
+} /* end mpl_parity() */
+
+/* }}} */
+
+/*
+  mpl_set_bit
+
+  Returns MP_OKAY or some error code.
+  Grows a if needed to set a bit to 1.
+ */
+mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value)
+{
+  mp_size      ix;
+  mp_err       rv;
+  mp_digit     mask;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = bitNum / MP_DIGIT_BIT;
+  if (ix + 1 > MP_USED(a)) {
+    rv = s_mp_pad(a, ix + 1);
+    if (rv != MP_OKAY)
+      return rv;
+  }
+
+  bitNum = bitNum % MP_DIGIT_BIT;
+  mask = (mp_digit)1 << bitNum;
+  if (value)
+    MP_DIGIT(a,ix) |= mask;
+  else
+    MP_DIGIT(a,ix) &= ~mask;
+  s_mp_clamp(a);
+  return MP_OKAY;
+}
+
+/*
+  mpl_get_bit
+
+  returns 0 or 1 or some (negative) error code.
+ */
+mp_err mpl_get_bit(const mp_int *a, mp_size bitNum)
+{
+  mp_size      bit, ix;
+  mp_err       rv;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = bitNum / MP_DIGIT_BIT;
+  ARGCHK(ix <= MP_USED(a) - 1, MP_RANGE);
+
+  bit   = bitNum % MP_DIGIT_BIT;
+  rv = (mp_err)(MP_DIGIT(a, ix) >> bit) & 1;
+  return rv;
+}
+
+/*
+  mpl_get_bits
+  - Extracts numBits bits from a, where the least significant extracted bit
+  is bit lsbNum.  Returns a negative value if error occurs.
+  - Because sign bit is used to indicate error, maximum number of bits to 
+  be returned is the lesser of (a) the number of bits in an mp_digit, or
+  (b) one less than the number of bits in an mp_err.
+  - lsbNum + numbits can be greater than the number of significant bits in
+  integer a, as long as bit lsbNum is in the high order digit of a.
+ */
+mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits) 
+{
+  mp_size    rshift = (lsbNum % MP_DIGIT_BIT);
+  mp_size    lsWndx = (lsbNum / MP_DIGIT_BIT);
+  mp_digit * digit  = MP_DIGITS(a) + lsWndx;
+  mp_digit   mask   = ((1 << numBits) - 1);
+
+  ARGCHK(numBits < CHAR_BIT * sizeof mask, MP_BADARG);
+  ARGCHK(MP_HOWMANY(lsbNum, MP_DIGIT_BIT) <= MP_USED(a), MP_RANGE);
+
+  if ((numBits + lsbNum % MP_DIGIT_BIT <= MP_DIGIT_BIT) ||
+      (lsWndx + 1 >= MP_USED(a))) {
+    mask &= (digit[0] >> rshift);
+  } else {
+    mask &= ((digit[0] >> rshift) | (digit[1] << (MP_DIGIT_BIT - rshift)));
+  }
+  return (mp_err)mask;
+}
+
+/*
+  mpl_significant_bits
+  returns number of significnant bits in abs(a).
+  returns 1 if value is zero.
+ */
+mp_err mpl_significant_bits(const mp_int *a)
+{
+  mp_err bits 	= 0;
+  int    ix;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = MP_USED(a);
+  for (ix = MP_USED(a); ix > 0; ) {
+    mp_digit d;
+    d = MP_DIGIT(a, --ix);
+    if (d) {
+      while (d) {
+	++bits;
+	d >>= 1;
+      }
+      break;
+    }
+  }
+  bits += ix * MP_DIGIT_BIT;
+  if (!bits)
+    bits = 1;
+  return bits;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mplogic.h b/security/nss/lib/freebl/mpi/mplogic.h
new file mode 100644
index 000000000..e3bc924a2
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mplogic.h
@@ -0,0 +1,85 @@
+/*
+ *  mplogic.h
+ *
+ *  Bitwise logical operations on MPI values
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _H_MPLOGIC_
+#define _H_MPLOGIC_
+
+#include "mpi.h"
+
+/*
+  The logical operations treat an mp_int as if it were a bit vector,
+  without regard to its sign (an mp_int is represented in a signed
+  magnitude format).  Values are treated as if they had an infinite
+  string of zeros left of the most-significant bit.
+ */
+
+/* Parity results                    */
+
+#define MP_EVEN       MP_YES
+#define MP_ODD        MP_NO
+
+/* Bitwise functions                 */
+
+mp_err mpl_not(mp_int *a, mp_int *b);            /* one's complement  */
+mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c); /* bitwise AND       */
+mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c);  /* bitwise OR        */
+mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c); /* bitwise XOR       */
+
+/* Shift functions                   */
+
+mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d);   /* right shift    */
+mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d);   /* left shift     */
+
+/* Bit count and parity              */
+
+mp_err mpl_num_set(mp_int *a, int *num);         /* count set bits    */
+mp_err mpl_num_clear(mp_int *a, int *num);       /* count clear bits  */
+mp_err mpl_parity(mp_int *a);                    /* determine parity  */
+
+/* Get & Set the value of a bit */
+
+mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value);
+mp_err mpl_get_bit(const mp_int *a, mp_size bitNum);
+mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits);
+mp_err mpl_significant_bits(const mp_int *a);
+
+#endif /* end _H_MPLOGIC_ */
diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c
new file mode 100644
index 000000000..bea8009c2
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpmontg.c
@@ -0,0 +1,1209 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang Shantz <sheueling.chang@sun.com>,
+ *   Stephen Fung <stephen.fung@sun.com>, and
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* This file implements moduluar exponentiation using Montgomery's
+ * method for modular reduction.  This file implements the method
+ * described as "Improvement 1" in the paper "A Cryptogrpahic Library for
+ * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
+ * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
+ * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
+ * published by Springer Verlag.
+ */
+
+#define MP_USING_CACHE_SAFE_MOD_EXP 1 
+#include <string.h>
+#include "mpi-priv.h"
+#include "mplogic.h"
+#include "mpprime.h"
+#ifdef MP_USING_MONT_MULF
+#include "montmulf.h"
+#endif
+#include <stddef.h> /* ptrdiff_t */
+
+/* if MP_CHAR_STORE_SLOW is defined, we  */
+/* need to know endianness of this platform. */
+#ifdef MP_CHAR_STORE_SLOW
+#if !defined(MP_IS_BIG_ENDIAN) && !defined(MP_IS_LITTLE_ENDIAN)
+#error "You must define MP_IS_BIG_ENDIAN or MP_IS_LITTLE_ENDIAN\n" \
+       "  if you define MP_CHAR_STORE_SLOW."
+#endif
+#endif
+
+#define STATIC
+
+#define MAX_ODD_INTS    32   /* 2 ** (WINDOW_BITS - 1) */
+
+#if defined(_WIN32_WCE)
+#define ABORT  res = MP_UNDEF; goto CLEANUP
+#else
+#define ABORT abort()
+#endif
+
+/* computes T = REDC(T), 2^b == R */
+mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
+{
+  mp_err res;
+  mp_size i;
+
+  i = MP_USED(T) + MP_USED(&mmm->N) + 2;
+  MP_CHECKOK( s_mp_pad(T, i) );
+  for (i = 0; i < MP_USED(&mmm->N); ++i ) {
+    mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
+    /* T += N * m_i * (MP_RADIX ** i); */
+    MP_CHECKOK( s_mp_mul_d_add_offset(&mmm->N, m_i, T, i) );
+  }
+  s_mp_clamp(T);
+
+  /* T /= R */
+  s_mp_div_2d(T, mmm->b); 
+
+  if ((res = s_mp_cmp(T, &mmm->N)) >= 0) {
+    /* T = T - N */
+    MP_CHECKOK( s_mp_sub(T, &mmm->N) );
+#ifdef DEBUG
+    if ((res = mp_cmp(T, &mmm->N)) >= 0) {
+      res = MP_UNDEF;
+      goto CLEANUP;
+    }
+#endif
+  }
+  res = MP_OKAY;
+CLEANUP:
+  return res;
+}
+
+#if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL)
+mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
+	           mp_mont_modulus *mmm)
+{
+  mp_digit *pb;
+  mp_digit m_i;
+  mp_err   res;
+  mp_size  ib;
+  mp_size  useda, usedb;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
+    b = a;
+    a = xch;
+  }
+
+  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
+  ib = MP_USED(a) + MP_MAX(MP_USED(b), MP_USED(&mmm->N)) + 2;
+  if((res = s_mp_pad(c, ib)) != MP_OKAY)
+    goto CLEANUP;
+
+  useda = MP_USED(a);
+  pb = MP_DIGITS(b);
+  s_mpv_mul_d(MP_DIGITS(a), useda, *pb++, MP_DIGITS(c));
+  s_mp_setz(MP_DIGITS(c) + useda + 1, ib - (useda + 1));
+  m_i = MP_DIGIT(c, 0) * mmm->n0prime;
+  s_mp_mul_d_add_offset(&mmm->N, m_i, c, 0);
+
+  /* Outer loop:  Digits of b */
+  usedb = MP_USED(b);
+  for (ib = 1; ib < usedb; ib++) {
+    mp_digit b_i    = *pb++;
+
+    /* Inner product:  Digits of a */
+    if (b_i)
+      s_mpv_mul_d_add_prop(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
+    m_i = MP_DIGIT(c, ib) * mmm->n0prime;
+    s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
+  }
+  if (usedb < MP_USED(&mmm->N)) {
+    for (usedb = MP_USED(&mmm->N); ib < usedb; ++ib ) {
+      m_i = MP_DIGIT(c, ib) * mmm->n0prime;
+      s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
+    }
+  }
+  s_mp_clamp(c);
+  s_mp_div_2d(c, mmm->b); 
+  if (s_mp_cmp(c, &mmm->N) >= 0) {
+    MP_CHECKOK( s_mp_sub(c, &mmm->N) );
+  }
+  res = MP_OKAY;
+
+CLEANUP:
+  return res;
+}
+#endif
+
+STATIC
+mp_err s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
+{
+  mp_err res;
+
+  /* xMont = x * R mod N   where  N is modulus */
+  MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) );  		/* xMont = x << b */
+  MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) );	/*         mod N */
+CLEANUP:
+  return res;
+}
+
+#ifdef MP_USING_MONT_MULF
+
+/* the floating point multiply is already cache safe,
+ * don't turn on cache safe unless we specifically
+ * force it */
+#ifndef MP_FORCE_CACHE_SAFE
+#undef MP_USING_CACHE_SAFE_MOD_EXP
+#endif
+
+unsigned int mp_using_mont_mulf = 1;
+
+/* computes montgomery square of the integer in mResult */
+#define SQR \
+  conv_i32_to_d32_and_d16(dm1, d16Tmp, mResult, nLen); \
+  mont_mulf_noconv(mResult, dm1, d16Tmp, \
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
+
+/* computes montgomery product of x and the integer in mResult */
+#define MUL(x) \
+  conv_i32_to_d32(dm1, mResult, nLen); \
+  mont_mulf_noconv(mResult, dm1, oddPowers[x], \
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
+
+/* Do modular exponentiation using floating point multiply code. */
+mp_err mp_exptmod_f(const mp_int *   montBase, 
+                    const mp_int *   exponent, 
+		    const mp_int *   modulus, 
+		    mp_int *         result, 
+		    mp_mont_modulus *mmm, 
+		    int              nLen, 
+		    mp_size          bits_in_exponent, 
+		    mp_size          window_bits,
+		    mp_size          odd_ints)
+{
+  mp_digit *mResult;
+  double   *dBuf = 0, *dm1, *dn, *dSqr, *d16Tmp, *dTmp;
+  double    dn0;
+  mp_size   i;
+  mp_err    res;
+  int       expOff;
+  int       dSize = 0, oddPowSize, dTmpSize;
+  mp_int    accum1;
+  double   *oddPowers[MAX_ODD_INTS];
+
+  /* function for computing n0prime only works if n0 is odd */
+
+  MP_DIGITS(&accum1) = 0;
+
+  for (i = 0; i < MAX_ODD_INTS; ++i)
+    oddPowers[i] = 0;
+
+  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
+
+  mp_set(&accum1, 1);
+  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
+  MP_CHECKOK( s_mp_pad(&accum1, nLen) );
+
+  oddPowSize = 2 * nLen + 1;
+  dTmpSize   = 2 * oddPowSize;
+  dSize = sizeof(double) * (nLen * 4 + 1 + 
+			    ((odd_ints + 1) * oddPowSize) + dTmpSize);
+  dBuf   = (double *)malloc(dSize);
+  dm1    = dBuf;		/* array of d32 */
+  dn     = dBuf   + nLen;	/* array of d32 */
+  dSqr   = dn     + nLen;    	/* array of d32 */
+  d16Tmp = dSqr   + nLen;	/* array of d16 */
+  dTmp   = d16Tmp + oddPowSize;
+
+  for (i = 0; i < odd_ints; ++i) {
+      oddPowers[i] = dTmp;
+      dTmp += oddPowSize;
+  }
+  mResult = (mp_digit *)(dTmp + dTmpSize);	/* size is nLen + 1 */
+
+  /* Make dn and dn0 */
+  conv_i32_to_d32(dn, MP_DIGITS(modulus), nLen);
+  dn0 = (double)(mmm->n0prime & 0xffff);
+
+  /* Make dSqr */
+  conv_i32_to_d32_and_d16(dm1, oddPowers[0], MP_DIGITS(montBase), nLen);
+  mont_mulf_noconv(mResult, dm1, oddPowers[0], 
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
+  conv_i32_to_d32(dSqr, mResult, nLen);
+
+  for (i = 1; i < odd_ints; ++i) {
+    mont_mulf_noconv(mResult, dSqr, oddPowers[i - 1], 
+		     dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
+    conv_i32_to_d16(oddPowers[i], mResult, nLen);
+  }
+
+  s_mp_copy(MP_DIGITS(&accum1), mResult, nLen); /* from, to, len */
+
+  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
+    mp_size smallExp;
+    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
+    smallExp = (mp_size)res;
+
+    if (window_bits == 1) {
+      if (!smallExp) {
+	SQR;
+      } else if (smallExp & 1) {
+	SQR; MUL(0); 
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 4) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR;
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/2); 
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; MUL(smallExp/4); SQR; 
+      } else if (smallExp & 4) {
+	SQR; SQR; MUL(smallExp/8); SQR; SQR; 
+      } else if (smallExp & 8) {
+	SQR; MUL(smallExp/16); SQR; SQR; SQR; 
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 5) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR; SQR; 
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2);
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR;
+      } else if (smallExp & 4) {
+	SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR;
+      } else if (smallExp & 8) {
+	SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR;
+      } else if (smallExp & 0x10) {
+	SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR;
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 6) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR; SQR; SQR;
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2); 
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR; 
+      } else if (smallExp & 4) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR; 
+      } else if (smallExp & 8) {
+	SQR; SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR; 
+      } else if (smallExp & 0x10) {
+	SQR; SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR; 
+      } else if (smallExp & 0x20) {
+	SQR; MUL(smallExp/64); SQR; SQR; SQR; SQR; SQR; 
+      } else {
+	ABORT;
+      }
+    } else {
+      ABORT;
+    }
+  }
+
+  s_mp_copy(mResult, MP_DIGITS(&accum1), nLen); /* from, to, len */
+
+  res = s_mp_redc(&accum1, mmm);
+  mp_exch(&accum1, result);
+
+CLEANUP:
+  mp_clear(&accum1);
+  if (dBuf) {
+    if (dSize)
+      memset(dBuf, 0, dSize);
+    free(dBuf);
+  }
+
+  return res;
+}
+#undef SQR
+#undef MUL
+#endif
+
+#define SQR(a,b) \
+  MP_CHECKOK( mp_sqr(a, b) );\
+  MP_CHECKOK( s_mp_redc(b, mmm) )
+
+#if defined(MP_MONT_USE_MP_MUL)
+#define MUL(x,a,b) \
+  MP_CHECKOK( mp_mul(a, oddPowers + (x), b) ); \
+  MP_CHECKOK( s_mp_redc(b, mmm) ) 
+#else
+#define MUL(x,a,b) \
+  MP_CHECKOK( s_mp_mul_mont(a, oddPowers + (x), b, mmm) )
+#endif
+
+#define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
+
+/* Do modular exponentiation using integer multiply code. */
+mp_err mp_exptmod_i(const mp_int *   montBase, 
+                    const mp_int *   exponent, 
+		    const mp_int *   modulus, 
+		    mp_int *         result, 
+		    mp_mont_modulus *mmm, 
+		    int              nLen, 
+		    mp_size          bits_in_exponent, 
+		    mp_size          window_bits,
+		    mp_size          odd_ints)
+{
+  mp_int *pa1, *pa2, *ptmp;
+  mp_size i;
+  mp_err  res;
+  int     expOff;
+  mp_int  accum1, accum2, power2, oddPowers[MAX_ODD_INTS];
+
+  /* power2 = base ** 2; oddPowers[i] = base ** (2*i + 1); */
+  /* oddPowers[i] = base ** (2*i + 1); */
+
+  MP_DIGITS(&accum1) = 0;
+  MP_DIGITS(&accum2) = 0;
+  MP_DIGITS(&power2) = 0;
+  for (i = 0; i < MAX_ODD_INTS; ++i) {
+    MP_DIGITS(oddPowers + i) = 0;
+  }
+
+  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
+  MP_CHECKOK( mp_init_size(&accum2, 3 * nLen + 2) );
+
+  MP_CHECKOK( mp_init_copy(&oddPowers[0], montBase) );
+
+  mp_init_size(&power2, nLen + 2 * MP_USED(montBase) + 2);
+  MP_CHECKOK( mp_sqr(montBase, &power2) );	/* power2 = montBase ** 2 */
+  MP_CHECKOK( s_mp_redc(&power2, mmm) );
+
+  for (i = 1; i < odd_ints; ++i) {
+    mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2);
+    MP_CHECKOK( mp_mul(oddPowers + (i - 1), &power2, oddPowers + i) );
+    MP_CHECKOK( s_mp_redc(oddPowers + i, mmm) );
+  }
+
+  /* set accumulator to montgomery residue of 1 */
+  mp_set(&accum1, 1);
+  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
+  pa1 = &accum1;
+  pa2 = &accum2;
+
+  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
+    mp_size smallExp;
+    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
+    smallExp = (mp_size)res;
+
+    if (window_bits == 1) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); MUL(0,pa2,pa1);
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 4) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/2, pa1,pa2); SWAPPA;
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/8,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 5) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); MUL(smallExp/2,pa2,pa1);
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/4,pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/8,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/16,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 0x10) {
+	SQR(pa1,pa2); MUL(smallExp/32,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else {
+	ABORT;
+      }
+    } else if (window_bits == 6) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/2,pa1,pa2); SWAPPA;
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/8,pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 0x10) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/32,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 0x20) {
+	SQR(pa1,pa2); MUL(smallExp/64,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else {
+	ABORT;
+      }
+    } else {
+      ABORT;
+    }
+  }
+
+  res = s_mp_redc(pa1, mmm);
+  mp_exch(pa1, result);
+
+CLEANUP:
+  mp_clear(&accum1);
+  mp_clear(&accum2);
+  mp_clear(&power2);
+  for (i = 0; i < odd_ints; ++i) {
+    mp_clear(oddPowers + i);
+  }
+  return res;
+}
+#undef SQR
+#undef MUL
+
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+unsigned int mp_using_cache_safe_exp = 1;
+#endif
+
+mp_err mp_set_safe_modexp(int value) 
+{
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+ mp_using_cache_safe_exp = value;
+ return MP_OKAY;
+#else
+ if (value == 0) {
+   return MP_OKAY;
+ }
+ return MP_BADARG;
+#endif
+}
+
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+#define WEAVE_WORD_SIZE 4
+
+#ifndef MP_CHAR_STORE_SLOW
+/*
+ * mpi_to_weave takes an array of bignums, a matrix in which each bignum 
+ * occupies all the columns of a row, and transposes it into a matrix in 
+ * which each bignum occupies a column of every row.  The first row of the
+ * input matrix becomes the first column of the output matrix.  The n'th
+ * row of input becomes the n'th column of output.  The input data is said
+ * to be "interleaved" or "woven" into the output matrix.
+ *
+ * The array of bignums is left in this woven form.  Each time a single
+ * bignum value is needed, it is recreated by fetching the n'th column, 
+ * forming a single row which is the new bignum.
+ *
+ * The purpose of this interleaving is make it impossible to determine which
+ * of the bignums is being used in any one operation by examining the pattern
+ * of cache misses.
+ *
+ * The weaving function does not transpose the entire input matrix in one call.
+ * It transposes 4 rows of mp_ints into their respective columns of output.
+ *
+ * There are two different implementations of the weaving and unweaving code
+ * in this file.  One uses byte loads and stores.  The second uses loads and
+ * stores of mp_weave_word size values.  The weaved forms of these two 
+ * implementations differ.  Consequently, each one has its own explanation.
+ *
+ * Here is the explanation for the byte-at-a-time implementation.
+ *
+ * This implementation treats each mp_int bignum as an array of bytes, 
+ * rather than as an array of mp_digits.  It stores those bytes as a 
+ * column of bytes in the output matrix.  It doesn't care if the machine
+ * uses big-endian or little-endian byte ordering within mp_digits.
+ * The first byte of the mp_digit array becomes the first byte in the output
+ * column, regardless of whether that byte is the MSB or LSB of the mp_digit.
+ *
+ * "bignums" is an array of mp_ints.
+ * It points to four rows, four mp_ints, a subset of a larger array of mp_ints.
+ *
+ * "weaved" is the weaved output matrix. 
+ * The first byte of bignums[0] is stored in weaved[0].
+ * 
+ * "nBignums" is the total number of bignums in the array of which "bignums" 
+ * is a part.  
+ *
+ * "nDigits" is the size in mp_digits of each mp_int in the "bignums" array. 
+ * mp_ints that use less than nDigits digits are logically padded with zeros 
+ * while being stored in the weaved array.
+ */
+mp_err mpi_to_weave(const mp_int  *bignums, 
+                    unsigned char *weaved, 
+		    mp_size nDigits,  /* in each mp_int of input */
+		    mp_size nBignums) /* in the entire source array */
+{
+  mp_size i;
+  unsigned char * endDest = weaved + (nDigits * nBignums * sizeof(mp_digit));
+
+  for (i=0; i < WEAVE_WORD_SIZE; i++) {
+    mp_size used = MP_USED(&bignums[i]);
+    unsigned char *pSrc   = (unsigned char *)MP_DIGITS(&bignums[i]);
+    unsigned char *endSrc = pSrc + (used * sizeof(mp_digit));
+    unsigned char *pDest  = weaved + i;
+
+    ARGCHK(MP_SIGN(&bignums[i]) == MP_ZPOS, MP_BADARG);
+    ARGCHK(used <= nDigits, MP_BADARG);
+
+    for (; pSrc < endSrc; pSrc++) {
+      *pDest = *pSrc;
+      pDest += nBignums;
+    }
+    while (pDest < endDest) {
+      *pDest = 0;
+      pDest += nBignums;
+    }
+  }
+
+  return MP_OKAY;
+}
+
+/* Reverse the operation above for one mp_int.
+ * Reconstruct one mp_int from its column in the weaved array.
+ * "pSrc" points to the offset into the weave array of the bignum we 
+ * are going to reconstruct.
+ */
+mp_err weave_to_mpi(mp_int *a,                /* output, result */
+                    const unsigned char *pSrc, /* input, byte matrix */
+		    mp_size nDigits,          /* per mp_int output */
+		    mp_size nBignums)         /* bignums in weaved matrix */
+{
+  unsigned char *pDest   = (unsigned char *)MP_DIGITS(a);
+  unsigned char *endDest = pDest + (nDigits * sizeof(mp_digit));
+
+  MP_SIGN(a) = MP_ZPOS;
+  MP_USED(a) = nDigits;
+
+  for (; pDest < endDest; pSrc += nBignums, pDest++) {
+    *pDest = *pSrc;
+  }
+  s_mp_clamp(a);
+  return MP_OKAY;
+}
+
+#else
+
+/* Need a primitive that we know is 32 bits long... */
+/* this is true on all modern processors we know of today*/
+typedef unsigned int mp_weave_word;
+
+/*
+ * on some platforms character stores into memory is very expensive since they
+ * generate a read/modify/write operation on the bus. On those platforms
+ * we need to do integer writes to the bus. Because of some unrolled code,
+ * in this current code the size of mp_weave_word must be four. The code that
+ * makes this assumption explicity is called out. (on some platforms a write
+ * of 4 bytes still requires a single read-modify-write operation.
+ *
+ * This function is takes the identical parameters as the function above, 
+ * however it lays out the final array differently. Where the previous function
+ * treats the mpi_int as an byte array, this function treats it as an array of
+ * mp_digits where each digit is stored in big endian order.
+ * 
+ * since we need to interleave on a byte by byte basis, we need to collect 
+ * several mpi structures together into a single uint32 before we write. We
+ * also need to make sure the uint32 is arranged so that the first value of 
+ * the first array winds up in b[0]. This means construction of that uint32
+ * is endian specific (even though the layout of the mp_digits in the array 
+ * is always big endian).
+ *
+ * The final data is stored as follows :
+ *
+ * Our same logical array p array, m is sizeof(mp_digit),
+ * N is still count and n is now b_size. If we define p[i].digit[j]0 as the 
+ * most significant byte of the word p[i].digit[j], p[i].digit[j]1 as 
+ * the next most significant byte of p[i].digit[j], ...  and p[i].digit[j]m-1
+ * is the least significant byte. 
+ * Our array would look like:
+ * p[0].digit[0]0     p[1].digit[0]0    ...  p[N-2].digit[0]0    p[N-1].digit[0]0
+ * p[0].digit[0]1     p[1].digit[0]1    ...  p[N-2].digit[0]1    p[N-1].digit[0]1
+ *                .                                         .
+ * p[0].digit[0]m-1   p[1].digit[0]m-1  ...  p[N-2].digit[0]m-1  p[N-1].digit[0]m-1
+ * p[0].digit[1]0     p[1].digit[1]0    ...  p[N-2].digit[1]0    p[N-1].digit[1]0
+ *                .                                         .
+ *                .                                         .
+ * p[0].digit[n-1]m-2 p[1].digit[n-1]m-2 ... p[N-2].digit[n-1]m-2 p[N-1].digit[n-1]m-2
+ * p[0].digit[n-1]m-1 p[1].digit[n-1]m-1 ... p[N-2].digit[n-1]m-1 p[N-1].digit[n-1]m-1 
+ *
+ */
+mp_err mpi_to_weave(const mp_int *a, unsigned char *b, 
+					mp_size b_size, mp_size count)
+{
+  mp_size i;
+  mp_digit *digitsa0;
+  mp_digit *digitsa1;
+  mp_digit *digitsa2;
+  mp_digit *digitsa3;
+  mp_size   useda0;
+  mp_size   useda1;
+  mp_size   useda2;
+  mp_size   useda3;
+  mp_weave_word *weaved = (mp_weave_word *)b;
+
+  count = count/sizeof(mp_weave_word);
+
+  /* this code pretty much depends on this ! */
+#if MP_ARGCHK == 2
+  assert(WEAVE_WORD_SIZE == 4); 
+  assert(sizeof(mp_weave_word) == 4);
+#endif
+
+  digitsa0 = MP_DIGITS(&a[0]);
+  digitsa1 = MP_DIGITS(&a[1]);
+  digitsa2 = MP_DIGITS(&a[2]);
+  digitsa3 = MP_DIGITS(&a[3]);
+  useda0 = MP_USED(&a[0]);
+  useda1 = MP_USED(&a[1]);
+  useda2 = MP_USED(&a[2]);
+  useda3 = MP_USED(&a[3]);
+
+  ARGCHK(MP_SIGN(&a[0]) == MP_ZPOS, MP_BADARG);
+  ARGCHK(MP_SIGN(&a[1]) == MP_ZPOS, MP_BADARG);
+  ARGCHK(MP_SIGN(&a[2]) == MP_ZPOS, MP_BADARG);
+  ARGCHK(MP_SIGN(&a[3]) == MP_ZPOS, MP_BADARG);
+  ARGCHK(useda0 <= b_size, MP_BADARG);
+  ARGCHK(useda1 <= b_size, MP_BADARG);
+  ARGCHK(useda2 <= b_size, MP_BADARG);
+  ARGCHK(useda3 <= b_size, MP_BADARG);
+
+#define SAFE_FETCH(digit, used, word) ((word) < (used) ? (digit[word]) : 0)
+
+  for (i=0; i < b_size; i++) {
+    mp_digit d0 = SAFE_FETCH(digitsa0,useda0,i);
+    mp_digit d1 = SAFE_FETCH(digitsa1,useda1,i);
+    mp_digit d2 = SAFE_FETCH(digitsa2,useda2,i);
+    mp_digit d3 = SAFE_FETCH(digitsa3,useda3,i);
+    register mp_weave_word acc;
+
+/*
+ * ONE_STEP takes the MSB of each of our current digits and places that
+ * byte in the appropriate position for writing to the weaved array.
+ *  On little endian:
+ *   b3 b2 b1 b0
+ *  On big endian:
+ *   b0 b1 b2 b3
+ *  When the data is written it would always wind up:
+ *   b[0] = b0
+ *   b[1] = b1
+ *   b[2] = b2
+ *   b[3] = b3
+ *
+ * Once we've written the MSB, we shift the whole digit up left one
+ * byte, putting the Next Most Significant Byte in the MSB position,
+ * so we we repeat the next one step that byte will be written.
+ * NOTE: This code assumes sizeof(mp_weave_word) and MP_WEAVE_WORD_SIZE
+ * is 4.
+ */
+#ifdef MP_IS_LITTLE_ENDIAN 
+#define MPI_WEAVE_ONE_STEP \
+    acc  = (d0 >> (MP_DIGIT_BIT-8))  & 0x000000ff; d0 <<= 8; /*b0*/ \
+    acc |= (d1 >> (MP_DIGIT_BIT-16)) & 0x0000ff00; d1 <<= 8; /*b1*/ \
+    acc |= (d2 >> (MP_DIGIT_BIT-24)) & 0x00ff0000; d2 <<= 8; /*b2*/ \
+    acc |= (d3 >> (MP_DIGIT_BIT-32)) & 0xff000000; d3 <<= 8; /*b3*/ \
+    *weaved = acc; weaved += count;
+#else 
+#define MPI_WEAVE_ONE_STEP \
+    acc  = (d0 >> (MP_DIGIT_BIT-32)) & 0xff000000; d0 <<= 8; /*b0*/ \
+    acc |= (d1 >> (MP_DIGIT_BIT-24)) & 0x00ff0000; d1 <<= 8; /*b1*/ \
+    acc |= (d2 >> (MP_DIGIT_BIT-16)) & 0x0000ff00; d2 <<= 8; /*b2*/ \
+    acc |= (d3 >> (MP_DIGIT_BIT-8))  & 0x000000ff; d3 <<= 8; /*b3*/ \
+    *weaved = acc; weaved += count;
+#endif 
+   switch (sizeof(mp_digit)) {
+   case 32:
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+   case 16:
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+   case 8:
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+   case 4:
+    MPI_WEAVE_ONE_STEP
+    MPI_WEAVE_ONE_STEP
+   case 2:
+    MPI_WEAVE_ONE_STEP
+   case 1:
+    MPI_WEAVE_ONE_STEP
+    break;
+   }
+  }
+
+  return MP_OKAY;
+}
+
+/* reverse the operation above for one entry.
+ * b points to the offset into the weave array of the power we are
+ * calculating */
+mp_err weave_to_mpi(mp_int *a, const unsigned char *b, 
+					mp_size b_size, mp_size count)
+{
+  mp_digit *pb = MP_DIGITS(a);
+  mp_digit *end = &pb[b_size];
+
+  MP_SIGN(a) = MP_ZPOS;
+  MP_USED(a) = b_size;
+
+  for (; pb < end; pb++) {
+    register mp_digit digit;
+
+    digit = *b << 8; b += count;
+#define MPI_UNWEAVE_ONE_STEP  digit |= *b; b += count; digit = digit << 8;
+    switch (sizeof(mp_digit)) {
+    case 32:
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+    case 16:
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+    case 8:
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+    case 4:
+	MPI_UNWEAVE_ONE_STEP 
+	MPI_UNWEAVE_ONE_STEP 
+    case 2:
+	break;
+    }
+    digit |= *b; b += count; 
+
+    *pb = digit;
+  }
+  s_mp_clamp(a);
+  return MP_OKAY;
+}
+#endif
+
+
+#define SQR(a,b) \
+  MP_CHECKOK( mp_sqr(a, b) );\
+  MP_CHECKOK( s_mp_redc(b, mmm) )
+
+#if defined(MP_MONT_USE_MP_MUL)
+#define MUL_NOWEAVE(x,a,b) \
+  MP_CHECKOK( mp_mul(a, x, b) ); \
+  MP_CHECKOK( s_mp_redc(b, mmm) ) 
+#else
+#define MUL_NOWEAVE(x,a,b) \
+  MP_CHECKOK( s_mp_mul_mont(a, x, b, mmm) )
+#endif
+
+#define MUL(x,a,b) \
+  MP_CHECKOK( weave_to_mpi(&tmp, powers + (x), nLen, num_powers) ); \
+  MUL_NOWEAVE(&tmp,a,b)
+
+#define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
+#define MP_ALIGN(x,y) ((((ptrdiff_t)(x))+((y)-1))&(((ptrdiff_t)0)-(y)))
+
+/* Do modular exponentiation using integer multiply code. */
+mp_err mp_exptmod_safe_i(const mp_int *   montBase, 
+                    const mp_int *   exponent, 
+		    const mp_int *   modulus, 
+		    mp_int *         result, 
+		    mp_mont_modulus *mmm, 
+		    int              nLen, 
+		    mp_size          bits_in_exponent, 
+		    mp_size          window_bits,
+		    mp_size          num_powers)
+{
+  mp_int *pa1, *pa2, *ptmp;
+  mp_size i;
+  mp_size first_window;
+  mp_err  res;
+  int     expOff;
+  mp_int  accum1, accum2, accum[WEAVE_WORD_SIZE];
+  mp_int  tmp;
+  unsigned char *powersArray;
+  unsigned char *powers;
+
+  MP_DIGITS(&accum1) = 0;
+  MP_DIGITS(&accum2) = 0;
+  MP_DIGITS(&accum[0]) = 0;
+  MP_DIGITS(&accum[1]) = 0;
+  MP_DIGITS(&accum[2]) = 0;
+  MP_DIGITS(&accum[3]) = 0;
+  MP_DIGITS(&tmp) = 0;
+
+  powersArray = (unsigned char *)malloc(num_powers*(nLen*sizeof(mp_digit)+1));
+  if (powersArray == NULL) {
+    res = MP_MEM;
+    goto CLEANUP;
+  }
+
+  /* powers[i] = base ** (i); */
+  powers = (unsigned char *)MP_ALIGN(powersArray,num_powers);
+
+  /* grab the first window value. This allows us to preload accumulator1
+   * and save a conversion, some squares and a multiple*/
+  MP_CHECKOK( mpl_get_bits(exponent, 
+				bits_in_exponent-window_bits, window_bits) );
+  first_window = (mp_size)res;
+
+  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
+  MP_CHECKOK( mp_init_size(&accum2, 3 * nLen + 2) );
+  MP_CHECKOK( mp_init_size(&tmp, 3 * nLen + 2) );
+
+  /* build the first WEAVE_WORD powers inline */
+  /* if WEAVE_WORD_SIZE is not 4, this code will have to change */
+  if (num_powers > 2) {
+    MP_CHECKOK( mp_init_size(&accum[0], 3 * nLen + 2) );
+    MP_CHECKOK( mp_init_size(&accum[1], 3 * nLen + 2) );
+    MP_CHECKOK( mp_init_size(&accum[2], 3 * nLen + 2) );
+    MP_CHECKOK( mp_init_size(&accum[3], 3 * nLen + 2) );
+    mp_set(&accum[0], 1);
+    MP_CHECKOK( s_mp_to_mont(&accum[0], mmm, &accum[0]) );
+    MP_CHECKOK( mp_copy(montBase, &accum[1]) );
+    SQR(montBase, &accum[2]);
+    MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
+    MP_CHECKOK( mpi_to_weave(accum, powers, nLen, num_powers) );
+    if (first_window < 4) {
+      MP_CHECKOK( mp_copy(&accum[first_window], &accum1) );
+      first_window = num_powers;
+    }
+  } else {
+      if (first_window == 0) {
+        mp_set(&accum1, 1);
+        MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
+      } else {
+        /* assert first_window == 1? */
+        MP_CHECKOK( mp_copy(montBase, &accum1) );
+      }
+  }
+
+  /*
+   * calculate all the powers in the powers array.
+   * this adds 2**(k-1)-2 square operations over just calculating the
+   * odd powers where k is the window size in the two other mp_modexpt
+   * implementations in this file. We will get some of that
+   * back by not needing the first 'k' squares and one multiply for the 
+   * first window */ 
+  for (i = WEAVE_WORD_SIZE; i < num_powers; i++) {
+    int acc_index = i & (WEAVE_WORD_SIZE-1); /* i % WEAVE_WORD_SIZE */
+    if ( i & 1 ) {
+      MUL_NOWEAVE(montBase, &accum[acc_index-1] , &accum[acc_index]);
+      /* we've filled the array do our 'per array' processing */
+      if (acc_index == (WEAVE_WORD_SIZE-1)) {
+        MP_CHECKOK( mpi_to_weave(accum, powers + i - (WEAVE_WORD_SIZE-1),
+							 nLen, num_powers) );
+
+        if (first_window <= i) {
+          MP_CHECKOK( mp_copy(&accum[first_window & (WEAVE_WORD_SIZE-1)], 
+								&accum1) );
+          first_window = num_powers;
+        }
+      }
+    } else {
+      /* up to 8 we can find 2^i-1 in the accum array, but at 8 we our source
+       * and target are the same so we need to copy.. After that, the
+       * value is overwritten, so we need to fetch it from the stored
+       * weave array */
+      if (i > 2* WEAVE_WORD_SIZE) {
+        MP_CHECKOK(weave_to_mpi(&accum2, powers+i/2, nLen, num_powers));
+        SQR(&accum2, &accum[acc_index]);
+      } else {
+	int half_power_index = (i/2) & (WEAVE_WORD_SIZE-1);
+	if (half_power_index == acc_index) {
+	   /* copy is cheaper than weave_to_mpi */
+	   MP_CHECKOK(mp_copy(&accum[half_power_index], &accum2));
+	   SQR(&accum2,&accum[acc_index]);
+	} else {
+	   SQR(&accum[half_power_index],&accum[acc_index]);
+	}
+      }
+    }
+  }
+  /* if the accum1 isn't set, Then there is something wrong with our logic 
+   * above and is an internal programming error. 
+   */
+#if MP_ARGCHK == 2
+  assert(MP_USED(&accum1) != 0);
+#endif
+
+  /* set accumulator to montgomery residue of 1 */
+  pa1 = &accum1;
+  pa2 = &accum2;
+
+  for (expOff = bits_in_exponent - window_bits*2; expOff >= 0; expOff -= window_bits) {
+    mp_size smallExp;
+    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
+    smallExp = (mp_size)res;
+
+    /* handle unroll the loops */
+    switch (window_bits) {
+    case 1:
+	if (!smallExp) {
+	    SQR(pa1,pa2); SWAPPA;
+	} else if (smallExp & 1) {
+	    SQR(pa1,pa2); MUL_NOWEAVE(montBase,pa2,pa1);
+	} else {
+	    ABORT;
+	}
+	break;
+    case 6:
+	SQR(pa1,pa2); SQR(pa2,pa1); 
+	/* fall through */
+    case 4:
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+	MUL(smallExp, pa1,pa2); SWAPPA;
+	break;
+    case 5:
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); MUL(smallExp,pa2,pa1);
+	break;
+    default:
+	ABORT; /* could do a loop? */
+    }
+  }
+
+  res = s_mp_redc(pa1, mmm);
+  mp_exch(pa1, result);
+
+CLEANUP:
+  mp_clear(&accum1);
+  mp_clear(&accum2);
+  mp_clear(&accum[0]);
+  mp_clear(&accum[1]);
+  mp_clear(&accum[2]);
+  mp_clear(&accum[3]);
+  mp_clear(&tmp);
+  /* PORT_Memset(powers,0,num_powers*nLen*sizeof(mp_digit)); */
+  free(powersArray);
+  return res;
+}
+#undef SQR
+#undef MUL
+#endif
+
+mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent, 
+		  const mp_int *modulus, mp_int *result)
+{
+  const mp_int *base;
+  mp_size bits_in_exponent, i, window_bits, odd_ints;
+  mp_err  res;
+  int     nLen;
+  mp_int  montBase, goodBase;
+  mp_mont_modulus mmm;
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+  static unsigned int max_window_bits;
+#endif
+
+  /* function for computing n0prime only works if n0 is odd */
+  if (!mp_isodd(modulus))
+    return s_mp_exptmod(inBase, exponent, modulus, result);
+
+  MP_DIGITS(&montBase) = 0;
+  MP_DIGITS(&goodBase) = 0;
+
+  if (mp_cmp(inBase, modulus) < 0) {
+    base = inBase;
+  } else {
+    MP_CHECKOK( mp_init(&goodBase) );
+    base = &goodBase;
+    MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) );
+  }
+
+  nLen  = MP_USED(modulus);
+  MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) );
+
+  mmm.N = *modulus;			/* a copy of the mp_int struct */
+  i = mpl_significant_bits(modulus);
+  i += MP_DIGIT_BIT - 1;
+  mmm.b = i - i % MP_DIGIT_BIT;
+
+  /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
+  **		where n0 = least significant mp_digit of N, the modulus.
+  */
+  mmm.n0prime = 0 - s_mp_invmod_radix( MP_DIGIT(modulus, 0) );
+
+  MP_CHECKOK( s_mp_to_mont(base, &mmm, &montBase) );
+
+  bits_in_exponent = mpl_significant_bits(exponent);
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+  if (mp_using_cache_safe_exp) {
+    if (bits_in_exponent > 780)
+	window_bits = 6;
+    else if (bits_in_exponent > 256)
+	window_bits = 5;
+    else if (bits_in_exponent > 20)
+	window_bits = 4;
+       /* RSA public key exponents are typically under 20 bits (common values 
+        * are: 3, 17, 65537) and a 4-bit window is inefficient
+        */
+    else 
+	window_bits = 1;
+  } else
+#endif
+  if (bits_in_exponent > 480)
+    window_bits = 6;
+  else if (bits_in_exponent > 160)
+    window_bits = 5;
+  else if (bits_in_exponent > 20)
+    window_bits = 4;
+  /* RSA public key exponents are typically under 20 bits (common values 
+   * are: 3, 17, 65537) and a 4-bit window is inefficient
+   */
+  else 
+    window_bits = 1;
+
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+  /*
+   * clamp the window size based on
+   * the cache line size.
+   */
+  if (!max_window_bits) {
+    unsigned long cache_size = s_mpi_getProcessorLineSize();
+    /* processor has no cache, use 'fast' code always */
+    if (cache_size == 0) {
+      mp_using_cache_safe_exp = 0;
+    } 
+    if ((cache_size == 0) || (cache_size >= 64)) {
+      max_window_bits = 6;
+    } else if (cache_size >= 32) {
+      max_window_bits = 5;
+    } else if (cache_size >= 16) {
+      max_window_bits = 4;
+    } else max_window_bits = 1; /* should this be an assert? */
+  }
+
+  /* clamp the window size down before we caclulate bits_in_exponent */
+  if (mp_using_cache_safe_exp) {
+    if (window_bits > max_window_bits) {
+      window_bits = max_window_bits;
+    }
+  }
+#endif
+
+  odd_ints = 1 << (window_bits - 1);
+  i = bits_in_exponent % window_bits;
+  if (i != 0) {
+    bits_in_exponent += window_bits - i;
+  } 
+
+#ifdef MP_USING_MONT_MULF
+  if (mp_using_mont_mulf) {
+    MP_CHECKOK( s_mp_pad(&montBase, nLen) );
+    res = mp_exptmod_f(&montBase, exponent, modulus, result, &mmm, nLen, 
+		     bits_in_exponent, window_bits, odd_ints);
+  } else
+#endif
+#ifdef MP_USING_CACHE_SAFE_MOD_EXP
+  if (mp_using_cache_safe_exp) {
+    res = mp_exptmod_safe_i(&montBase, exponent, modulus, result, &mmm, nLen, 
+		     bits_in_exponent, window_bits, 1 << window_bits);
+  } else
+#endif
+  res = mp_exptmod_i(&montBase, exponent, modulus, result, &mmm, nLen, 
+		     bits_in_exponent, window_bits, odd_ints);
+
+CLEANUP:
+  mp_clear(&montBase);
+  mp_clear(&goodBase);
+  /* Don't mp_clear mmm.N because it is merely a copy of modulus.
+  ** Just zap it.
+  */
+  memset(&mmm, 0, sizeof mmm);
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/mpprime.c b/security/nss/lib/freebl/mpi/mpprime.c
new file mode 100644
index 000000000..4d6428118
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpprime.c
@@ -0,0 +1,613 @@
+/*
+ *  mpprime.c
+ *
+ *  Utilities for finding and working with prime and pseudo-prime
+ *  integers
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi-priv.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include <stdlib.h>
+#include <string.h>
+
+#define SMALL_TABLE 0 /* determines size of hard-wired prime table */
+
+#define RANDOM() rand()
+
+#include "primes.c"  /* pull in the prime digit table */
+
+/* 
+   Test if any of a given vector of digits divides a.  If not, MP_NO
+   is returned; otherwise, MP_YES is returned and 'which' is set to
+   the index of the integer in the vector which divided a.
+ */
+mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which);
+
+/* {{{ mpp_divis(a, b) */
+
+/*
+  mpp_divis(a, b)
+
+  Returns MP_YES if a is divisible by b, or MP_NO if it is not.
+ */
+
+mp_err  mpp_divis(mp_int *a, mp_int *b)
+{
+  mp_err  res;
+  mp_int  rem;
+
+  if((res = mp_init(&rem)) != MP_OKAY)
+    return res;
+
+  if((res = mp_mod(a, b, &rem)) != MP_OKAY)
+    goto CLEANUP;
+
+  if(mp_cmp_z(&rem) == 0)
+    res = MP_YES;
+  else
+    res = MP_NO;
+
+CLEANUP:
+  mp_clear(&rem);
+  return res;
+
+} /* end mpp_divis() */
+
+/* }}} */
+
+/* {{{ mpp_divis_d(a, d) */
+
+/*
+  mpp_divis_d(a, d)
+
+  Return MP_YES if a is divisible by d, or MP_NO if it is not.
+ */
+
+mp_err  mpp_divis_d(mp_int *a, mp_digit d)
+{
+  mp_err     res;
+  mp_digit   rem;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(d == 0)
+    return MP_NO;
+
+  if((res = mp_mod_d(a, d, &rem)) != MP_OKAY)
+    return res;
+
+  if(rem == 0)
+    return MP_YES;
+  else
+    return MP_NO;
+
+} /* end mpp_divis_d() */
+
+/* }}} */
+
+/* {{{ mpp_random(a) */
+
+/*
+  mpp_random(a)
+
+  Assigns a random value to a.  This value is generated using the
+  standard C library's rand() function, so it should not be used for
+  cryptographic purposes, but it should be fine for primality testing,
+  since all we really care about there is good statistical properties.
+
+  As many digits as a currently has are filled with random digits.
+ */
+
+mp_err  mpp_random(mp_int *a)
+
+{
+  mp_digit  next = 0;
+  unsigned int       ix, jx;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    for(jx = 0; jx < sizeof(mp_digit); jx++) {
+      next = (next << CHAR_BIT) | (RANDOM() & UCHAR_MAX);
+    }
+    DIGIT(a, ix) = next;
+  }
+
+  return MP_OKAY;
+
+} /* end mpp_random() */
+
+/* }}} */
+
+/* {{{ mpp_random_size(a, prec) */
+
+mp_err  mpp_random_size(mp_int *a, mp_size prec)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && prec > 0, MP_BADARG);
+  
+  if((res = s_mp_pad(a, prec)) != MP_OKAY)
+    return res;
+
+  return mpp_random(a);
+
+} /* end mpp_random_size() */
+
+/* }}} */
+
+/* {{{ mpp_divis_vector(a, vec, size, which) */
+
+/*
+  mpp_divis_vector(a, vec, size, which)
+
+  Determines if a is divisible by any of the 'size' digits in vec.
+  Returns MP_YES and sets 'which' to the index of the offending digit,
+  if it is; returns MP_NO if it is not.
+ */
+
+mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which)
+{
+  ARGCHK(a != NULL && vec != NULL && size > 0, MP_BADARG);
+  
+  return s_mpp_divp(a, vec, size, which);
+
+} /* end mpp_divis_vector() */
+
+/* }}} */
+
+/* {{{ mpp_divis_primes(a, np) */
+
+/*
+  mpp_divis_primes(a, np)
+
+  Test whether a is divisible by any of the first 'np' primes.  If it
+  is, returns MP_YES and sets *np to the value of the digit that did
+  it.  If not, returns MP_NO.
+ */
+mp_err  mpp_divis_primes(mp_int *a, mp_digit *np)
+{
+  int     size, which;
+  mp_err  res;
+
+  ARGCHK(a != NULL && np != NULL, MP_BADARG);
+
+  size = (int)*np;
+  if(size > prime_tab_size)
+    size = prime_tab_size;
+
+  res = mpp_divis_vector(a, prime_tab, size, &which);
+  if(res == MP_YES) 
+    *np = prime_tab[which];
+
+  return res;
+
+} /* end mpp_divis_primes() */
+
+/* }}} */
+
+/* {{{ mpp_fermat(a, w) */
+
+/*
+  Using w as a witness, try pseudo-primality testing based on Fermat's
+  little theorem.  If a is prime, and (w, a) = 1, then w^a == w (mod
+  a).  So, we compute z = w^a (mod a) and compare z to w; if they are
+  equal, the test passes and we return MP_YES.  Otherwise, we return
+  MP_NO.
+ */
+mp_err  mpp_fermat(mp_int *a, mp_digit w)
+{
+  mp_int  base, test;
+  mp_err  res;
+  
+  if((res = mp_init(&base)) != MP_OKAY)
+    return res;
+
+  mp_set(&base, w);
+
+  if((res = mp_init(&test)) != MP_OKAY)
+    goto TEST;
+
+  /* Compute test = base^a (mod a) */
+  if((res = mp_exptmod(&base, a, a, &test)) != MP_OKAY)
+    goto CLEANUP;
+
+  
+  if(mp_cmp(&base, &test) == 0)
+    res = MP_YES;
+  else
+    res = MP_NO;
+
+ CLEANUP:
+  mp_clear(&test);
+ TEST:
+  mp_clear(&base);
+
+  return res;
+
+} /* end mpp_fermat() */
+
+/* }}} */
+
+/*
+  Perform the fermat test on each of the primes in a list until
+  a) one of them shows a is not prime, or 
+  b) the list is exhausted.
+  Returns:  MP_YES if it passes tests.
+	    MP_NO  if fermat test reveals it is composite
+	    Some MP error code if some other error occurs.
+ */
+mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes)
+{
+  mp_err rv = MP_YES;
+
+  while (nPrimes-- > 0 && rv == MP_YES) {
+    rv = mpp_fermat(a, *primes++);
+  }
+  return rv;
+}
+
+/* {{{ mpp_pprime(a, nt) */
+
+/*
+  mpp_pprime(a, nt)
+
+  Performs nt iteration of the Miller-Rabin probabilistic primality
+  test on a.  Returns MP_YES if the tests pass, MP_NO if one fails.
+  If MP_NO is returned, the number is definitely composite.  If MP_YES
+  is returned, it is probably prime (but that is not guaranteed).
+ */
+
+mp_err  mpp_pprime(mp_int *a, int nt)
+{
+  mp_err   res;
+  mp_int   x, amo, m, z;	/* "amo" = "a minus one" */
+  int      iter;
+  unsigned int jx;
+  mp_size  b;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  MP_DIGITS(&x) = 0;
+  MP_DIGITS(&amo) = 0;
+  MP_DIGITS(&m) = 0;
+  MP_DIGITS(&z) = 0;
+
+  /* Initialize temporaries... */
+  MP_CHECKOK( mp_init(&amo));
+  /* Compute amo = a - 1 for what follows...    */
+  MP_CHECKOK( mp_sub_d(a, 1, &amo) );
+
+  b = mp_trailing_zeros(&amo);
+  if (!b) { /* a was even ? */
+    res = MP_NO;
+    goto CLEANUP;
+  }
+
+  MP_CHECKOK( mp_init_size(&x, MP_USED(a)) );
+  MP_CHECKOK( mp_init(&z) );
+  MP_CHECKOK( mp_init(&m) );
+  MP_CHECKOK( mp_div_2d(&amo, b, &m, 0) );
+
+  /* Do the test nt times... */
+  for(iter = 0; iter < nt; iter++) {
+
+    /* Choose a random value for x < a          */
+    s_mp_pad(&x, USED(a));
+    mpp_random(&x);
+    MP_CHECKOK( mp_mod(&x, a, &x) );
+
+    /* Compute z = (x ** m) mod a               */
+    MP_CHECKOK( mp_exptmod(&x, &m, a, &z) );
+    
+    if(mp_cmp_d(&z, 1) == 0 || mp_cmp(&z, &amo) == 0) {
+      res = MP_YES;
+      continue;
+    }
+    
+    res = MP_NO;  /* just in case the following for loop never executes. */
+    for (jx = 1; jx < b; jx++) {
+      /* z = z^2 (mod a) */
+      MP_CHECKOK( mp_sqrmod(&z, a, &z) );
+      res = MP_NO;	/* previous line set res to MP_YES */
+
+      if(mp_cmp_d(&z, 1) == 0) {
+	break;
+      }
+      if(mp_cmp(&z, &amo) == 0) {
+	res = MP_YES;
+	break;
+      } 
+    } /* end testing loop */
+
+    /* If the test passes, we will continue iterating, but a failed
+       test means the candidate is definitely NOT prime, so we will
+       immediately break out of this loop
+     */
+    if(res == MP_NO)
+      break;
+
+  } /* end iterations loop */
+  
+CLEANUP:
+  mp_clear(&m);
+  mp_clear(&z);
+  mp_clear(&x);
+  mp_clear(&amo);
+  return res;
+
+} /* end mpp_pprime() */
+
+/* }}} */
+
+/* Produce table of composites from list of primes and trial value.  
+** trial must be odd. List of primes must not include 2.
+** sieve should have dimension >= MAXPRIME/2, where MAXPRIME is largest 
+** prime in list of primes.  After this function is finished,
+** if sieve[i] is non-zero, then (trial + 2*i) is composite.
+** Each prime used in the sieve costs one division of trial, and eliminates
+** one or more values from the search space. (3 eliminates 1/3 of the values
+** alone!)  Each value left in the search space costs 1 or more modular 
+** exponentations.  So, these divisions are a bargain!
+*/
+mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
+		 unsigned char *sieve, mp_size nSieve)
+{
+  mp_err       res;
+  mp_digit     rem;
+  mp_size      ix;
+  unsigned long offset;
+
+  memset(sieve, 0, nSieve);
+
+  for(ix = 0; ix < nPrimes; ix++) {
+    mp_digit prime = primes[ix];
+    mp_size  i;
+    if((res = mp_mod_d(trial, prime, &rem)) != MP_OKAY) 
+      return res;
+
+    if (rem == 0) {
+      offset = 0;
+    } else {
+      offset = prime - (rem / 2);
+    }
+    for (i = offset; i < nSieve ; i += prime) {
+      sieve[i] = 1;
+    }
+  }
+
+  return MP_OKAY;
+}
+
+#define SIEVE_SIZE 32*1024
+
+mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
+		      unsigned long * nTries)
+{
+  mp_digit      np;
+  mp_err        res;
+  int           i	= 0;
+  mp_int        trial;
+  mp_int        q;
+  mp_size       num_tests;
+  unsigned char *sieve;
+  
+  ARGCHK(start != 0, MP_BADARG);
+  ARGCHK(nBits > 16, MP_RANGE);
+
+  sieve = malloc(SIEVE_SIZE);
+  ARGCHK(sieve != NULL, MP_MEM);
+
+  MP_DIGITS(&trial) = 0;
+  MP_DIGITS(&q) = 0;
+  MP_CHECKOK( mp_init(&trial) );
+  MP_CHECKOK( mp_init(&q)     );
+  /* values taken from table 4.4, HandBook of Applied Cryptography */
+  if (nBits >= 1300) {
+    num_tests = 2;
+  } else if (nBits >= 850) {
+    num_tests = 3;
+  } else if (nBits >= 650) {
+    num_tests = 4;
+  } else if (nBits >= 550) {
+    num_tests = 5;
+  } else if (nBits >= 450) {
+    num_tests = 6;
+  } else if (nBits >= 400) {
+    num_tests = 7;
+  } else if (nBits >= 350) {
+    num_tests = 8;
+  } else if (nBits >= 300) {
+    num_tests = 9;
+  } else if (nBits >= 250) {
+    num_tests = 12;
+  } else if (nBits >= 200) {
+    num_tests = 15;
+  } else if (nBits >= 150) {
+    num_tests = 18;
+  } else if (nBits >= 100) {
+    num_tests = 27;
+  } else
+    num_tests = 50;
+
+  if (strong) 
+    --nBits;
+  MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) );
+  MP_CHECKOK( mpl_set_bit(start,         0, 1) );
+  for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) {
+    MP_CHECKOK( mpl_set_bit(start, i, 0) );
+  }
+  /* start sieveing with prime value of 3. */
+  MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1, 
+		       sieve, SIEVE_SIZE) );
+
+#ifdef DEBUG_SIEVE
+  res = 0;
+  for (i = 0; i < SIEVE_SIZE; ++i) {
+    if (!sieve[i])
+      ++res;
+  }
+  fprintf(stderr,"sieve found %d potential primes.\n", res);
+#define FPUTC(x,y) fputc(x,y)
+#else
+#define FPUTC(x,y) 
+#endif
+
+  res = MP_NO;
+  for(i = 0; i < SIEVE_SIZE; ++i) {
+    if (sieve[i])	/* this number is composite */
+      continue;
+    MP_CHECKOK( mp_add_d(start, 2 * i, &trial) );
+    FPUTC('.', stderr);
+    /* run a Fermat test */
+    res = mpp_fermat(&trial, 2);
+    if (res != MP_OKAY) {
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+      
+    FPUTC('+', stderr);
+    /* If that passed, run some Miller-Rabin tests	*/
+    res = mpp_pprime(&trial, num_tests);
+    if (res != MP_OKAY) {
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+    FPUTC('!', stderr);
+
+    if (!strong) 
+      break;	/* success !! */
+
+    /* At this point, we have strong evidence that our candidate
+       is itself prime.  If we want a strong prime, we need now
+       to test q = 2p + 1 for primality...
+     */
+    MP_CHECKOK( mp_mul_2(&trial, &q) );
+    MP_CHECKOK( mp_add_d(&q, 1, &q)  );
+
+    /* Test q for small prime divisors ... */
+    np = prime_tab_size;
+    res = mpp_divis_primes(&q, &np);
+    if (res == MP_YES) { /* is composite */
+      mp_clear(&q);
+      continue;
+    }
+    if (res != MP_NO) 
+      goto CLEANUP;
+
+    /* And test with Fermat, as with its parent ... */
+    res = mpp_fermat(&q, 2);
+    if (res != MP_YES) {
+      mp_clear(&q);
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+
+    /* And test with Miller-Rabin, as with its parent ... */
+    res = mpp_pprime(&q, num_tests);
+    if (res != MP_YES) {
+      mp_clear(&q);
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+
+    /* If it passed, we've got a winner */
+    mp_exch(&q, &trial);
+    mp_clear(&q);
+    break;
+
+  } /* end of loop through sieved values */
+  if (res == MP_YES) 
+    mp_exch(&trial, start);
+CLEANUP:
+  mp_clear(&trial);
+  mp_clear(&q);
+  if (nTries)
+    *nTries += i;
+  if (sieve != NULL) {
+  	memset(sieve, 0, SIEVE_SIZE);
+  	free (sieve);
+  }
+  return res;
+}
+
+/*========================================================================*/
+/*------------------------------------------------------------------------*/
+/* Static functions visible only to the library internally                */
+
+/* {{{ s_mpp_divp(a, vec, size, which) */
+
+/* 
+   Test for divisibility by members of a vector of digits.  Returns
+   MP_NO if a is not divisible by any of them; returns MP_YES and sets
+   'which' to the index of the offender, if it is.  Will stop on the
+   first digit against which a is divisible.
+ */
+
+mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which)
+{
+  mp_err    res;
+  mp_digit  rem;
+
+  int     ix;
+
+  for(ix = 0; ix < size; ix++) {
+    if((res = mp_mod_d(a, vec[ix], &rem)) != MP_OKAY) 
+      return res;
+
+    if(rem == 0) {
+      if(which)
+	*which = ix;
+      return MP_YES;
+    }
+  }
+
+  return MP_NO;
+
+} /* end s_mpp_divp() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpprime.h b/security/nss/lib/freebl/mpi/mpprime.h
new file mode 100644
index 000000000..486d4a1ad
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpprime.h
@@ -0,0 +1,70 @@
+/*
+ *  mpprime.h
+ *
+ *  Utilities for finding and working with prime and pseudo-prime
+ *  integers
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _H_MP_PRIME_
+#define _H_MP_PRIME_
+
+#include "mpi.h"
+
+extern const int prime_tab_size;   /* number of primes available */
+extern const mp_digit prime_tab[];
+
+/* Tests for divisibility    */
+mp_err  mpp_divis(mp_int *a, mp_int *b);
+mp_err  mpp_divis_d(mp_int *a, mp_digit d);
+
+/* Random selection          */
+mp_err  mpp_random(mp_int *a);
+mp_err  mpp_random_size(mp_int *a, mp_size prec);
+
+/* Pseudo-primality testing  */
+mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which);
+mp_err  mpp_divis_primes(mp_int *a, mp_digit *np);
+mp_err  mpp_fermat(mp_int *a, mp_digit w);
+mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes);
+mp_err  mpp_pprime(mp_int *a, int nt);
+mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
+		 unsigned char *sieve, mp_size nSieve);
+mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
+		      unsigned long * nTries);
+
+#endif /* end _H_MP_PRIME_ */
diff --git a/security/nss/lib/freebl/mpi/mpv_sparc.c b/security/nss/lib/freebl/mpi/mpv_sparc.c
new file mode 100644
index 000000000..96ddde7fb
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparc.c
@@ -0,0 +1,253 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is a SPARC/VIS optimized multiply and add function.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1999-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "vis_proto.h"
+
+/***************************************************************/
+
+typedef  int                t_s32;
+typedef  unsigned int       t_u32;
+#if defined(__sparcv9)
+typedef  long               t_s64;
+typedef  unsigned long      t_u64;
+#else
+typedef  long long          t_s64;
+typedef  unsigned long long t_u64;
+#endif
+typedef  double             t_d64;
+
+/***************************************************************/
+
+typedef union {
+  t_d64 d64;
+  struct {
+    t_s32 i0;
+    t_s32 i1;
+  } i32s;
+} d64_2_i32;
+
+/***************************************************************/
+
+#define BUFF_SIZE  256
+
+#define A_BITS  19
+#define A_MASK  ((1 << A_BITS) - 1)
+
+/***************************************************************/
+
+static t_u64 mask_cnst[] = {
+  0x8000000080000000ull
+};
+
+/***************************************************************/
+
+#define DEF_VARS(N)                     \
+  t_d64 *py = (t_d64*)y;                \
+  t_d64 mask = *((t_d64*)mask_cnst);    \
+  t_d64 ca = (1u << 31) - 1;            \
+  t_d64 da = (t_d64)a;                  \
+  t_s64 buff[N], s;                     \
+  d64_2_i32 dy
+
+/***************************************************************/
+
+#define MUL_U32_S64_2(i)                                \
+  dy.d64 = vis_fxnor(mask, py[i]);                      \
+  buff[2*(i)  ] = (ca - (t_d64)dy.i32s.i0) * da;        \
+  buff[2*(i)+1] = (ca - (t_d64)dy.i32s.i1) * da
+
+#define MUL_U32_S64_2_D(i)              \
+  dy.d64 = vis_fxnor(mask, py[i]);      \
+  d0 = ca - (t_d64)dy.i32s.i0;          \
+  d1 = ca - (t_d64)dy.i32s.i1;          \
+  buff[4*(i)  ] = (t_s64)(d0 * da);     \
+  buff[4*(i)+1] = (t_s64)(d0 * db);     \
+  buff[4*(i)+2] = (t_s64)(d1 * da);     \
+  buff[4*(i)+3] = (t_s64)(d1 * db)
+
+/***************************************************************/
+
+#define ADD_S64_U32(i)          \
+  s = buff[i] + x[i] + c;       \
+  z[i] = s;                     \
+  c = (s >> 32)
+
+#define ADD_S64_U32_D(i)                        \
+  s = buff[2*(i)] +(((t_s64)(buff[2*(i)+1]))<<A_BITS) + x[i] + uc;   \
+  z[i] = s;                                     \
+  uc = ((t_u64)s >> 32)
+
+/***************************************************************/
+
+#define MUL_U32_S64_8(i)        \
+  MUL_U32_S64_2(i);             \
+  MUL_U32_S64_2(i+1);           \
+  MUL_U32_S64_2(i+2);           \
+  MUL_U32_S64_2(i+3)
+
+#define MUL_U32_S64_D_8(i)      \
+  MUL_U32_S64_2_D(i);           \
+  MUL_U32_S64_2_D(i+1);         \
+  MUL_U32_S64_2_D(i+2);         \
+  MUL_U32_S64_2_D(i+3)
+
+/***************************************************************/
+
+#define ADD_S64_U32_8(i)        \
+  ADD_S64_U32(i);               \
+  ADD_S64_U32(i+1);             \
+  ADD_S64_U32(i+2);             \
+  ADD_S64_U32(i+3);             \
+  ADD_S64_U32(i+4);             \
+  ADD_S64_U32(i+5);             \
+  ADD_S64_U32(i+6);             \
+  ADD_S64_U32(i+7)
+
+#define ADD_S64_U32_D_8(i)      \
+  ADD_S64_U32_D(i);             \
+  ADD_S64_U32_D(i+1);           \
+  ADD_S64_U32_D(i+2);           \
+  ADD_S64_U32_D(i+3);           \
+  ADD_S64_U32_D(i+4);           \
+  ADD_S64_U32_D(i+5);           \
+  ADD_S64_U32_D(i+6);           \
+  ADD_S64_U32_D(i+7)
+
+/***************************************************************/
+
+t_u32 mul_add(t_u32 *z, t_u32 *x, t_u32 *y, int n, t_u32 a)
+{
+  if (a < (1 << A_BITS)) {
+
+    if (n == 8) {
+      DEF_VARS(8);
+      t_s32 c = 0;
+
+      MUL_U32_S64_8(0);
+      ADD_S64_U32_8(0);
+
+      return c;
+
+    } else if (n == 16) {
+      DEF_VARS(16);
+      t_s32 c = 0;
+
+      MUL_U32_S64_8(0);
+      MUL_U32_S64_8(4);
+      ADD_S64_U32_8(0);
+      ADD_S64_U32_8(8);
+
+      return c;
+
+    } else {
+      DEF_VARS(BUFF_SIZE);
+      t_s32 i, c = 0;
+
+#pragma pipeloop(0)
+      for (i = 0; i < (n+1)/2; i ++) {
+        MUL_U32_S64_2(i);
+      }
+
+#pragma pipeloop(0)
+      for (i = 0; i < n; i ++) {
+        ADD_S64_U32(i);
+      }
+
+      return c;
+
+    }
+  } else {
+
+    if (n == 8) {
+      DEF_VARS(2*8);
+      t_d64 d0, d1, db;
+      t_u32 uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+      MUL_U32_S64_D_8(0);
+      ADD_S64_U32_D_8(0);
+
+      return uc;
+
+    } else if (n == 16) {
+      DEF_VARS(2*16);
+      t_d64 d0, d1, db;
+      t_u32 uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+      MUL_U32_S64_D_8(0);
+      MUL_U32_S64_D_8(4);
+      ADD_S64_U32_D_8(0);
+      ADD_S64_U32_D_8(8);
+
+      return uc;
+
+    } else {
+      DEF_VARS(2*BUFF_SIZE);
+      t_d64 d0, d1, db;
+      t_u32 i, uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+#pragma pipeloop(0)
+      for (i = 0; i < (n+1)/2; i ++) {
+        MUL_U32_S64_2_D(i);
+      }
+
+#pragma pipeloop(0)
+      for (i = 0; i < n; i ++) {
+        ADD_S64_U32_D(i);
+      }
+
+      return uc;
+    }
+  }
+}
+
+/***************************************************************/
+
+t_u32 mul_add_inp(t_u32 *x, t_u32 *y, int n, t_u32 a)
+{
+  return mul_add(x, x, y, n, a);
+}
+
+/***************************************************************/
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv8.s b/security/nss/lib/freebl/mpi/mpv_sparcv8.s
new file mode 100644
index 000000000..8cfa4d0c4
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparcv8.s
@@ -0,0 +1,1639 @@
+! Inner multiply loop functions for hybrid 32/64-bit Sparc v8plus CPUs.
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+! 
+! The contents of this file are subject to the Mozilla Public License Version 
+! 1.1 (the "License"); you may not use this file except in compliance with 
+! the License. You may obtain a copy of the License at 
+! http://www.mozilla.org/MPL/
+! 
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is a SPARC v8plus+VIS optimized multiply and add function
+! 
+! The Initial Developer of the Original Code is Sun Microsystems Inc.
+! Portions created by Sun Microsystems Inc. are 
+! Copyright (C) 2000-2005 Sun Microsystems Inc.  All Rights Reserved.
+! 
+! Contributor(s):
+! 
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+! 
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
+/* 000000	  14 ( 0  0) */		.align	8
+!
+! SUBROUTINE .L_const_seg_900000106
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+        .L_const_seg_900000106:		/* frequency 1.0 confidence 0.0 */
+/* 000000	  19 ( 0  0) */		.word	1127219200,0
+/* 0x0008	  20 ( 0  0) */		.word	1105199103,-4194304
+/* 0x0010	  21 ( 0  0) */		.align	16
+/* 0x0010	  27 ( 0  0) */		.global	mul_add
+
+!
+! ENTRY mul_add
+!
+
+        .global mul_add
+        mul_add:		/* frequency 1.0 confidence 0.0 */
+/* 0x0010	  29 ( 0  1) */		sethi	%hi(0x1800),%g1
+/* 0x0014	  30 ( 0  1) */		sethi	%hi(mask_cnst),%g2
+/* 0x0018	  31 ( 1  2) */		xor	%g1,-984,%g1
+/* 0x001c	  32 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
+/* 0x0020	  33 ( 2  4) */		save	%sp,%g1,%sp
+
+!
+! ENTRY .L900000154
+!
+
+        .L900000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x0024	  35 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
+/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
+/* 0x002c	 177 ( 2  3) */		sethi	%hi(.L_const_seg_900000106),%g3
+/* 0x0030	 178 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
+/* 0x0034	 179 ( 3  4) */		or	%g0,%i4,%o1
+/* 0x0038	 180 ( 3  4) */		st	%o1,[%fp+84]
+/* 0x003c	 181 ( 3  4) */		add	%g5,%o7,%o3
+/* 0x0040	 182 ( 4  5) */		add	%g3,%lo(.L_const_seg_900000106),%g3
+/* 0x0044	 183 ( 4  6) */		ld	[%o3+%g2],%g2
+/* 0x0048	 184 ( 4  5) */		or	%g0,%i3,%o2
+/* 0x004c	 185 ( 5  6) */		sethi	%hi(0x80000),%g4
+/* 0x0050	 186 ( 5  7) */		ld	[%o3+%g3],%o0
+/* 0x0054	 187 ( 5  6) */		or	%g0,%i2,%g5
+/* 0x0058	 188 ( 6  7) */		or	%g0,%o2,%o3
+/* 0x005c	 189 ( 6 10) */		ldd	[%g2],%f0
+/* 0x0060	 190 ( 6  7) */		subcc	%o1,%g4,%g0
+/* 0x0064	 191 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
+/* 0x0068	     ( 7  8) */		subcc	%o2,8,%g0
+/* 0x006c	 193 ( 7  8) */		bne,pn	%icc,.L77000037	! tprob=0.50
+/* 0x0070	     ( 8 12) */		ldd	[%o0],%f8
+/* 0x0074	 195 ( 9 13) */		ldd	[%g5],%f4
+/* 0x0078	 196 (10 14) */		ldd	[%g5+8],%f6
+/* 0x007c	 197 (11 15) */		ldd	[%g5+16],%f10
+/* 0x0080	 198 (11 14) */		fmovs	%f8,%f12
+/* 0x0084	 199 (12 16) */		fxnor	%f0,%f4,%f4
+/* 0x0088	 200 (12 14) */		ld	[%fp+84],%f13
+/* 0x008c	 201 (13 17) */		ldd	[%o0+8],%f14
+/* 0x0090	 202 (13 17) */		fxnor	%f0,%f6,%f6
+/* 0x0094	 203 (14 18) */		ldd	[%g5+24],%f16
+/* 0x0098	 204 (14 18) */		fxnor	%f0,%f10,%f10
+/* 0x009c	 208 (15 17) */		ld	[%i1],%g2
+/* 0x00a0	 209 (15 20) */		fsubd	%f12,%f8,%f8
+/* 0x00a4	 210 (16 21) */		fitod	%f4,%f18
+/* 0x00a8	 211 (16 18) */		ld	[%i1+4],%g3
+/* 0x00ac	 212 (17 22) */		fitod	%f5,%f4
+/* 0x00b0	 213 (17 19) */		ld	[%i1+8],%g4
+/* 0x00b4	 214 (18 23) */		fitod	%f6,%f20
+/* 0x00b8	 215 (18 20) */		ld	[%i1+12],%g5
+/* 0x00bc	 216 (19 21) */		ld	[%i1+16],%o0
+/* 0x00c0	 217 (19 24) */		fitod	%f7,%f6
+/* 0x00c4	 218 (20 22) */		ld	[%i1+20],%o1
+/* 0x00c8	 219 (20 24) */		fxnor	%f0,%f16,%f16
+/* 0x00cc	 220 (21 26) */		fsubd	%f14,%f18,%f12
+/* 0x00d0	 221 (21 23) */		ld	[%i1+24],%o2
+/* 0x00d4	 222 (22 27) */		fsubd	%f14,%f4,%f4
+/* 0x00d8	 223 (22 24) */		ld	[%i1+28],%o3
+/* 0x00dc	 224 (23 28) */		fitod	%f10,%f18
+/* 0x00e0	 225 (24 29) */		fsubd	%f14,%f20,%f20
+/* 0x00e4	 226 (25 30) */		fitod	%f11,%f10
+/* 0x00e8	 227 (26 31) */		fsubd	%f14,%f6,%f6
+/* 0x00ec	 228 (26 31) */		fmuld	%f12,%f8,%f12
+/* 0x00f0	 229 (27 32) */		fitod	%f16,%f22
+/* 0x00f4	 230 (27 32) */		fmuld	%f4,%f8,%f4
+/* 0x00f8	 231 (28 33) */		fsubd	%f14,%f18,%f18
+/* 0x00fc	 232 (29 34) */		fitod	%f17,%f16
+/* 0x0100	 233 (29 34) */		fmuld	%f20,%f8,%f20
+/* 0x0104	 234 (30 35) */		fsubd	%f14,%f10,%f10
+/* 0x0108	 235 (31 36) */		fdtox	%f12,%f12
+/* 0x010c	 236 (31 32) */		std	%f12,[%sp+152]
+/* 0x0110	 237 (31 36) */		fmuld	%f6,%f8,%f6
+/* 0x0114	 238 (32 37) */		fdtox	%f4,%f4
+/* 0x0118	 239 (32 33) */		std	%f4,[%sp+144]
+/* 0x011c	 240 (33 38) */		fsubd	%f14,%f22,%f4
+/* 0x0120	 241 (33 38) */		fmuld	%f18,%f8,%f12
+/* 0x0124	 242 (34 39) */		fdtox	%f20,%f18
+/* 0x0128	 243 (34 35) */		std	%f18,[%sp+136]
+/* 0x012c	 244 (35 37) */		ldx	[%sp+152],%o4
+/* 0x0130	 245 (35 40) */		fsubd	%f14,%f16,%f14
+/* 0x0134	 246 (35 40) */		fmuld	%f10,%f8,%f10
+/* 0x0138	 247 (36 41) */		fdtox	%f6,%f6
+/* 0x013c	 248 (36 37) */		std	%f6,[%sp+128]
+/* 0x0140	 249 (37 39) */		ldx	[%sp+144],%o5
+/* 0x0144	 250 (37 38) */		add	%o4,%g2,%o4
+/* 0x0148	 251 (38 39) */		st	%o4,[%i0]
+/* 0x014c	 252 (38 39) */		srax	%o4,32,%g2
+/* 0x0150	 253 (38 43) */		fdtox	%f12,%f6
+/* 0x0154	 254 (38 43) */		fmuld	%f4,%f8,%f4
+/* 0x0158	 255 (39 40) */		std	%f6,[%sp+120]
+/* 0x015c	 256 (39 40) */		add	%o5,%g3,%g3
+/* 0x0160	 257 (40 42) */		ldx	[%sp+136],%o7
+/* 0x0164	 258 (40 41) */		add	%g3,%g2,%g2
+/* 0x0168	 259 (40 45) */		fmuld	%f14,%f8,%f6
+/* 0x016c	 260 (40 45) */		fdtox	%f10,%f8
+/* 0x0170	 261 (41 42) */		std	%f8,[%sp+112]
+/* 0x0174	 262 (41 42) */		srax	%g2,32,%o5
+/* 0x0178	 263 (42 44) */		ldx	[%sp+128],%g3
+/* 0x017c	 264 (42 43) */		add	%o7,%g4,%g4
+/* 0x0180	 265 (43 44) */		st	%g2,[%i0+4]
+/* 0x0184	 266 (43 44) */		add	%g4,%o5,%g4
+/* 0x0188	 267 (43 48) */		fdtox	%f4,%f4
+/* 0x018c	 268 (44 46) */		ldx	[%sp+120],%o5
+/* 0x0190	 269 (44 45) */		add	%g3,%g5,%g3
+/* 0x0194	 270 (44 45) */		srax	%g4,32,%g5
+/* 0x0198	 271 (45 46) */		std	%f4,[%sp+104]
+/* 0x019c	 272 (45 46) */		add	%g3,%g5,%g3
+/* 0x01a0	 273 (45 50) */		fdtox	%f6,%f4
+/* 0x01a4	 274 (46 47) */		std	%f4,[%sp+96]
+/* 0x01a8	 275 (46 47) */		add	%o5,%o0,%o0
+/* 0x01ac	 276 (46 47) */		srax	%g3,32,%o5
+/* 0x01b0	 277 (47 49) */		ldx	[%sp+112],%g5
+/* 0x01b4	 278 (47 48) */		add	%o0,%o5,%o0
+/* 0x01b8	 279 (48 49) */		st	%g4,[%i0+8]
+/* 0x01bc	 280 (49 51) */		ldx	[%sp+104],%o5
+/* 0x01c0	 281 (49 50) */		add	%g5,%o1,%o1
+/* 0x01c4	 282 (49 50) */		srax	%o0,32,%g5
+/* 0x01c8	 283 (50 51) */		st	%o0,[%i0+16]
+/* 0x01cc	 284 (50 51) */		add	%o1,%g5,%o1
+/* 0x01d0	 285 (51 53) */		ldx	[%sp+96],%g5
+/* 0x01d4	 286 (51 52) */		add	%o5,%o2,%o2
+/* 0x01d8	 287 (51 52) */		srax	%o1,32,%o5
+/* 0x01dc	 288 (52 53) */		st	%o1,[%i0+20]
+/* 0x01e0	 289 (52 53) */		add	%o2,%o5,%o2
+/* 0x01e4	 290 (53 54) */		st	%o2,[%i0+24]
+/* 0x01e8	 291 (53 54) */		srax	%o2,32,%g4
+/* 0x01ec	 292 (53 54) */		add	%g5,%o3,%g2
+/* 0x01f0	 293 (54 55) */		st	%g3,[%i0+12]
+/* 0x01f4	 294 (54 55) */		add	%g2,%g4,%g2
+/* 0x01f8	 295 (55 56) */		st	%g2,[%i0+28]
+/* 0x01fc	 299 (55 56) */		srax	%g2,32,%o7
+/* 0x0200	 300 (56 57) */		or	%g0,%o7,%i0
+/* 0x0204	     (57 64) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0208	     (59 61) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000037
+!
+
+        .L77000037:		/* frequency 1.0 confidence 0.0 */
+/* 0x020c	 307 ( 0  1) */		subcc	%o2,16,%g0
+/* 0x0210	 308 ( 0  1) */		bne,pn	%icc,.L77000076	! tprob=0.50
+/* 0x0214	     ( 1  5) */		ldd	[%o0],%f8
+/* 0x0218	 310 ( 2  6) */		ldd	[%g5],%f4
+/* 0x021c	 311 ( 3  7) */		ldd	[%g5+8],%f6
+/* 0x0220	 317 ( 4  8) */		ldd	[%o0+8],%f14
+/* 0x0224	 318 ( 4  7) */		fmovs	%f8,%f12
+/* 0x0228	 319 ( 5  7) */		ld	[%fp+84],%f13
+/* 0x022c	 320 ( 5  9) */		fxnor	%f0,%f4,%f4
+/* 0x0230	 321 ( 6 10) */		ldd	[%g5+16],%f10
+/* 0x0234	 322 ( 6 10) */		fxnor	%f0,%f6,%f6
+/* 0x0238	 323 ( 7 11) */		ldd	[%g5+24],%f16
+/* 0x023c	 324 ( 8 12) */		ldd	[%g5+32],%f20
+/* 0x0240	 325 ( 8 13) */		fsubd	%f12,%f8,%f8
+/* 0x0244	 331 ( 9 11) */		ld	[%i1+40],%o7
+/* 0x0248	 332 ( 9 14) */		fitod	%f4,%f18
+/* 0x024c	 333 (10 14) */		ldd	[%g5+40],%f22
+/* 0x0250	 334 (10 15) */		fitod	%f5,%f4
+/* 0x0254	 335 (11 12) */		stx	%o7,[%sp+96]
+/* 0x0258	 336 (11 16) */		fitod	%f6,%f24
+/* 0x025c	 337 (12 14) */		ld	[%i1+44],%o7
+/* 0x0260	 338 (12 16) */		fxnor	%f0,%f10,%f10
+/* 0x0264	 339 (13 17) */		ldd	[%g5+48],%f26
+/* 0x0268	 340 (13 18) */		fitod	%f7,%f6
+/* 0x026c	 341 (14 15) */		stx	%o7,[%sp+104]
+/* 0x0270	 342 (14 19) */		fsubd	%f14,%f18,%f18
+/* 0x0274	 343 (15 17) */		ld	[%i1+48],%o7
+/* 0x0278	 344 (15 20) */		fsubd	%f14,%f4,%f4
+/* 0x027c	 345 (16 18) */		ld	[%i1+36],%o5
+/* 0x0280	 346 (16 21) */		fitod	%f10,%f28
+/* 0x0284	 347 (17 18) */		stx	%o7,[%sp+112]
+/* 0x0288	 348 (17 21) */		fxnor	%f0,%f16,%f16
+/* 0x028c	 349 (18 20) */		ld	[%i1],%g2
+/* 0x0290	 350 (18 23) */		fsubd	%f14,%f24,%f24
+/* 0x0294	 351 (19 20) */		stx	%o5,[%sp+120]
+/* 0x0298	 352 (19 24) */		fitod	%f11,%f10
+/* 0x029c	 353 (19 24) */		fmuld	%f18,%f8,%f18
+/* 0x02a0	 354 (20 22) */		ld	[%i1+52],%o5
+/* 0x02a4	 355 (20 25) */		fsubd	%f14,%f6,%f6
+/* 0x02a8	 356 (20 25) */		fmuld	%f4,%f8,%f4
+/* 0x02ac	 357 (21 26) */		fitod	%f16,%f30
+/* 0x02b0	 358 (22 26) */		fxnor	%f0,%f20,%f20
+/* 0x02b4	 359 (22 24) */		ld	[%i1+4],%g3
+/* 0x02b8	 360 (23 27) */		ldd	[%g5+56],%f2
+/* 0x02bc	 361 (23 28) */		fsubd	%f14,%f28,%f28
+/* 0x02c0	 362 (23 28) */		fmuld	%f24,%f8,%f24
+/* 0x02c4	 363 (24 25) */		stx	%o5,[%sp+128]
+/* 0x02c8	 364 (24 29) */		fdtox	%f18,%f18
+/* 0x02cc	 365 (25 26) */		std	%f18,[%sp+272]
+/* 0x02d0	 366 (25 30) */		fitod	%f17,%f16
+/* 0x02d4	 367 (25 30) */		fmuld	%f6,%f8,%f6
+/* 0x02d8	 368 (26 31) */		fsubd	%f14,%f10,%f10
+/* 0x02dc	 369 (27 32) */		fitod	%f20,%f18
+/* 0x02e0	 370 (28 33) */		fdtox	%f4,%f4
+/* 0x02e4	 371 (28 29) */		std	%f4,[%sp+264]
+/* 0x02e8	 372 (28 33) */		fmuld	%f28,%f8,%f28
+/* 0x02ec	 373 (29 31) */		ld	[%i1+8],%g4
+/* 0x02f0	 374 (29 34) */		fsubd	%f14,%f30,%f4
+/* 0x02f4	 375 (30 34) */		fxnor	%f0,%f22,%f22
+/* 0x02f8	 376 (30 32) */		ld	[%i1+12],%g5
+/* 0x02fc	 377 (31 33) */		ld	[%i1+16],%o0
+/* 0x0300	 378 (31 36) */		fitod	%f21,%f20
+/* 0x0304	 379 (31 36) */		fmuld	%f10,%f8,%f10
+/* 0x0308	 380 (32 34) */		ld	[%i1+20],%o1
+/* 0x030c	 381 (32 37) */		fdtox	%f24,%f24
+/* 0x0310	 382 (33 34) */		std	%f24,[%sp+256]
+/* 0x0314	 383 (33 38) */		fsubd	%f14,%f16,%f16
+/* 0x0318	 384 (34 36) */		ldx	[%sp+272],%o7
+/* 0x031c	 385 (34 39) */		fdtox	%f6,%f6
+/* 0x0320	 386 (34 39) */		fmuld	%f4,%f8,%f4
+/* 0x0324	 387 (35 36) */		std	%f6,[%sp+248]
+/* 0x0328	 388 (35 40) */		fitod	%f22,%f24
+/* 0x032c	 389 (36 38) */		ld	[%i1+32],%o4
+/* 0x0330	 390 (36 41) */		fsubd	%f14,%f18,%f6
+/* 0x0334	 391 (36 37) */		add	%o7,%g2,%g2
+/* 0x0338	 392 (37 39) */		ldx	[%sp+264],%o7
+/* 0x033c	 393 (37 41) */		fxnor	%f0,%f26,%f26
+/* 0x0340	 394 (37 38) */		srax	%g2,32,%o5
+/* 0x0344	 395 (38 39) */		st	%g2,[%i0]
+/* 0x0348	 396 (38 43) */		fitod	%f23,%f18
+/* 0x034c	 397 (38 43) */		fmuld	%f16,%f8,%f16
+/* 0x0350	 398 (39 41) */		ldx	[%sp+248],%g2
+/* 0x0354	 399 (39 44) */		fdtox	%f28,%f22
+/* 0x0358	 400 (39 40) */		add	%o7,%g3,%g3
+/* 0x035c	 401 (40 42) */		ldx	[%sp+256],%o7
+/* 0x0360	 402 (40 45) */		fsubd	%f14,%f20,%f20
+/* 0x0364	 403 (40 41) */		add	%g3,%o5,%g3
+/* 0x0368	 404 (41 42) */		std	%f22,[%sp+240]
+/* 0x036c	 405 (41 46) */		fitod	%f26,%f22
+/* 0x0370	 406 (41 42) */		srax	%g3,32,%o5
+/* 0x0374	 407 (41 42) */		add	%g2,%g5,%g2
+/* 0x0378	 408 (42 43) */		st	%g3,[%i0+4]
+/* 0x037c	 409 (42 47) */		fdtox	%f10,%f10
+/* 0x0380	 410 (42 43) */		add	%o7,%g4,%g4
+/* 0x0384	 411 (42 47) */		fmuld	%f6,%f8,%f6
+/* 0x0388	 412 (43 44) */		std	%f10,[%sp+232]
+/* 0x038c	 413 (43 47) */		fxnor	%f0,%f2,%f12
+/* 0x0390	 414 (43 44) */		add	%g4,%o5,%g4
+/* 0x0394	 415 (44 45) */		st	%g4,[%i0+8]
+/* 0x0398	 416 (44 45) */		srax	%g4,32,%o5
+/* 0x039c	 417 (44 49) */		fsubd	%f14,%f24,%f10
+/* 0x03a0	 418 (45 47) */		ldx	[%sp+240],%o7
+/* 0x03a4	 419 (45 50) */		fdtox	%f4,%f4
+/* 0x03a8	 420 (45 46) */		add	%g2,%o5,%g2
+/* 0x03ac	 421 (45 50) */		fmuld	%f20,%f8,%f20
+/* 0x03b0	 422 (46 47) */		std	%f4,[%sp+224]
+/* 0x03b4	 423 (46 47) */		srax	%g2,32,%g5
+/* 0x03b8	 424 (46 51) */		fsubd	%f14,%f18,%f4
+/* 0x03bc	 425 (47 48) */		st	%g2,[%i0+12]
+/* 0x03c0	 426 (47 52) */		fitod	%f27,%f24
+/* 0x03c4	 427 (47 48) */		add	%o7,%o0,%g3
+/* 0x03c8	 428 (48 50) */		ldx	[%sp+232],%o5
+/* 0x03cc	 429 (48 53) */		fdtox	%f16,%f16
+/* 0x03d0	 430 (48 49) */		add	%g3,%g5,%g2
+/* 0x03d4	 431 (49 50) */		std	%f16,[%sp+216]
+/* 0x03d8	 432 (49 50) */		srax	%g2,32,%g4
+/* 0x03dc	 433 (49 54) */		fitod	%f12,%f18
+/* 0x03e0	 434 (49 54) */		fmuld	%f10,%f8,%f10
+/* 0x03e4	 435 (50 51) */		st	%g2,[%i0+16]
+/* 0x03e8	 436 (50 55) */		fsubd	%f14,%f22,%f16
+/* 0x03ec	 437 (50 51) */		add	%o5,%o1,%g2
+/* 0x03f0	 438 (51 53) */		ld	[%i1+24],%o2
+/* 0x03f4	 439 (51 56) */		fitod	%f13,%f12
+/* 0x03f8	 440 (51 52) */		add	%g2,%g4,%g2
+/* 0x03fc	 441 (51 56) */		fmuld	%f4,%f8,%f22
+/* 0x0400	 442 (52 54) */		ldx	[%sp+224],%g3
+/* 0x0404	 443 (52 53) */		srax	%g2,32,%g4
+/* 0x0408	 444 (52 57) */		fdtox	%f6,%f6
+/* 0x040c	 445 (53 54) */		std	%f6,[%sp+208]
+/* 0x0410	 446 (53 58) */		fdtox	%f20,%f6
+/* 0x0414	 447 (54 55) */		stx	%o4,[%sp+136]
+/* 0x0418	 448 (54 59) */		fsubd	%f14,%f24,%f4
+/* 0x041c	 449 (55 56) */		std	%f6,[%sp+200]
+/* 0x0420	 450 (55 60) */		fsubd	%f14,%f18,%f6
+/* 0x0424	 451 (55 60) */		fmuld	%f16,%f8,%f16
+/* 0x0428	 452 (56 57) */		st	%g2,[%i0+20]
+/* 0x042c	 453 (56 57) */		add	%g3,%o2,%g2
+/* 0x0430	 454 (56 61) */		fdtox	%f10,%f10
+/* 0x0434	 455 (57 59) */		ld	[%i1+28],%o3
+/* 0x0438	 456 (57 58) */		add	%g2,%g4,%g2
+/* 0x043c	 457 (58 60) */		ldx	[%sp+216],%g5
+/* 0x0440	 458 (58 59) */		srax	%g2,32,%g4
+/* 0x0444	 459 (59 60) */		std	%f10,[%sp+192]
+/* 0x0448	 460 (59 64) */		fsubd	%f14,%f12,%f10
+/* 0x044c	 461 (59 64) */		fmuld	%f4,%f8,%f4
+/* 0x0450	 462 (60 61) */		st	%g2,[%i0+24]
+/* 0x0454	 463 (60 61) */		add	%g5,%o3,%g2
+/* 0x0458	 464 (60 65) */		fdtox	%f22,%f12
+/* 0x045c	 465 (60 65) */		fmuld	%f6,%f8,%f6
+/* 0x0460	 466 (61 63) */		ldx	[%sp+136],%o0
+/* 0x0464	 467 (61 62) */		add	%g2,%g4,%g2
+/* 0x0468	 468 (62 64) */		ldx	[%sp+208],%g3
+/* 0x046c	 469 (62 63) */		srax	%g2,32,%g4
+/* 0x0470	 470 (63 65) */		ldx	[%sp+120],%o1
+/* 0x0474	 471 (64 66) */		ldx	[%sp+200],%g5
+/* 0x0478	 472 (64 65) */		add	%g3,%o0,%g3
+/* 0x047c	 473 (64 69) */		fdtox	%f4,%f4
+/* 0x0480	 474 (64 69) */		fmuld	%f10,%f8,%f8
+/* 0x0484	 475 (65 66) */		std	%f12,[%sp+184]
+/* 0x0488	 476 (65 66) */		add	%g3,%g4,%g3
+/* 0x048c	 477 (65 70) */		fdtox	%f16,%f12
+/* 0x0490	 478 (66 67) */		std	%f12,[%sp+176]
+/* 0x0494	 479 (66 67) */		srax	%g3,32,%o0
+/* 0x0498	 480 (66 67) */		add	%g5,%o1,%g5
+/* 0x049c	 481 (67 69) */		ldx	[%sp+192],%o2
+/* 0x04a0	 482 (67 68) */		add	%g5,%o0,%g5
+/* 0x04a4	 483 (68 70) */		ldx	[%sp+96],%g4
+/* 0x04a8	 484 (68 69) */		srax	%g5,32,%o1
+/* 0x04ac	 485 (69 71) */		ld	[%i1+56],%o4
+/* 0x04b0	 486 (70 72) */		ldx	[%sp+104],%o0
+/* 0x04b4	 487 (70 71) */		add	%o2,%g4,%g4
+/* 0x04b8	 488 (71 72) */		std	%f4,[%sp+168]
+/* 0x04bc	 489 (71 72) */		add	%g4,%o1,%g4
+/* 0x04c0	 490 (71 76) */		fdtox	%f6,%f4
+/* 0x04c4	 491 (72 74) */		ldx	[%sp+184],%o3
+/* 0x04c8	 492 (72 73) */		srax	%g4,32,%o2
+/* 0x04cc	 493 (73 75) */		ldx	[%sp+112],%o1
+/* 0x04d0	 494 (74 75) */		std	%f4,[%sp+160]
+/* 0x04d4	 495 (74 75) */		add	%o3,%o0,%o0
+/* 0x04d8	 496 (74 79) */		fdtox	%f8,%f4
+/* 0x04dc	 497 (75 77) */		ldx	[%sp+176],%o5
+/* 0x04e0	 498 (75 76) */		add	%o0,%o2,%o0
+/* 0x04e4	 499 (76 77) */		stx	%o4,[%sp+144]
+/* 0x04e8	 500 (77 78) */		st	%g2,[%i0+28]
+/* 0x04ec	 501 (77 78) */		add	%o5,%o1,%g2
+/* 0x04f0	 502 (77 78) */		srax	%o0,32,%o1
+/* 0x04f4	 503 (78 79) */		std	%f4,[%sp+152]
+/* 0x04f8	 504 (78 79) */		add	%g2,%o1,%o1
+/* 0x04fc	 505 (79 81) */		ldx	[%sp+168],%o7
+/* 0x0500	 506 (79 80) */		srax	%o1,32,%o3
+/* 0x0504	 507 (80 82) */		ldx	[%sp+128],%o2
+/* 0x0508	 508 (81 83) */		ld	[%i1+60],%o4
+/* 0x050c	 509 (82 83) */		add	%o7,%o2,%o2
+/* 0x0510	 510 (83 84) */		add	%o2,%o3,%o2
+/* 0x0514	 511 (83 85) */		ldx	[%sp+144],%o5
+/* 0x0518	 512 (84 86) */		ldx	[%sp+160],%g2
+/* 0x051c	 513 (85 87) */		ldx	[%sp+152],%o3
+/* 0x0520	 514 (86 87) */		st	%g3,[%i0+32]
+/* 0x0524	 515 (86 87) */		add	%g2,%o5,%g2
+/* 0x0528	 516 (86 87) */		srax	%o2,32,%o5
+/* 0x052c	 517 (87 88) */		st	%g5,[%i0+36]
+/* 0x0530	 518 (87 88) */		add	%g2,%o5,%g2
+/* 0x0534	 519 (87 88) */		add	%o3,%o4,%g3
+/* 0x0538	 520 (88 89) */		st	%o0,[%i0+44]
+/* 0x053c	 521 (88 89) */		srax	%g2,32,%g5
+/* 0x0540	 522 (89 90) */		st	%o1,[%i0+48]
+/* 0x0544	 523 (89 90) */		add	%g3,%g5,%g3
+/* 0x0548	 524 (90 91) */		st	%o2,[%i0+52]
+/* 0x054c	 528 (90 91) */		srax	%g3,32,%o7
+/* 0x0550	 529 (91 92) */		st	%g4,[%i0+40]
+/* 0x0554	 530 (92 93) */		st	%g2,[%i0+56]
+/* 0x0558	 531 (93 94) */		st	%g3,[%i0+60]
+/* 0x055c	 532 (93 94) */		or	%g0,%o7,%i0
+/* 0x0560	     (94 101) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0564	     (96 98) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000076
+!
+
+        .L77000076:		/* frequency 1.0 confidence 0.0 */
+/* 0x0568	 540 ( 0  4) */		ldd	[%o0],%f6
+/* 0x056c	 546 ( 0  1) */		add	%o2,1,%g2
+/* 0x0570	 547 ( 0  3) */		fmovd	%f0,%f14
+/* 0x0574	 548 ( 0  1) */		or	%g0,0,%o7
+/* 0x0578	 549 ( 1  3) */		ld	[%fp+84],%f9
+/* 0x057c	 550 ( 1  2) */		srl	%g2,31,%g3
+/* 0x0580	 551 ( 1  2) */		add	%fp,-2264,%o5
+/* 0x0584	 552 ( 2  3) */		add	%g2,%g3,%g2
+/* 0x0588	 553 ( 2  6) */		ldd	[%o0+8],%f18
+/* 0x058c	 554 ( 2  3) */		add	%fp,-2256,%o4
+/* 0x0590	 555 ( 3  6) */		fmovs	%f6,%f8
+/* 0x0594	 556 ( 3  4) */		sra	%g2,1,%o1
+/* 0x0598	 557 ( 3  4) */		or	%g0,0,%g2
+/* 0x059c	 558 ( 4  5) */		subcc	%o1,0,%g0
+/* 0x05a0	 559 ( 4  5) */		sub	%o1,1,%o2
+/* 0x05a4	 563 ( 5  6) */		add	%g5,32,%o0
+/* 0x05a8	 564 ( 6 11) */		fsubd	%f8,%f6,%f16
+/* 0x05ac	 565 ( 6  7) */		ble,pt	%icc,.L900000161	! tprob=0.50
+/* 0x05b0	     ( 6  7) */		subcc	%o3,0,%g0
+/* 0x05b4	 567 ( 7  8) */		subcc	%o1,7,%g0
+/* 0x05b8	 568 ( 7  8) */		bl,pn	%icc,.L77000077	! tprob=0.50
+/* 0x05bc	     ( 7  8) */		sub	%o1,2,%o1
+/* 0x05c0	 570 ( 8 12) */		ldd	[%g5],%f2
+/* 0x05c4	 571 ( 9 13) */		ldd	[%g5+8],%f4
+/* 0x05c8	 572 ( 9 10) */		or	%g0,5,%g2
+/* 0x05cc	 573 (10 14) */		ldd	[%g5+16],%f0
+/* 0x05d0	 574 (11 15) */		fxnor	%f14,%f2,%f2
+/* 0x05d4	 575 (11 15) */		ldd	[%g5+24],%f12
+/* 0x05d8	 576 (12 16) */		fxnor	%f14,%f4,%f6
+/* 0x05dc	 577 (12 16) */		ldd	[%g5+32],%f10
+/* 0x05e0	 578 (13 17) */		fxnor	%f14,%f0,%f8
+/* 0x05e4	 579 (15 20) */		fitod	%f3,%f0
+/* 0x05e8	 580 (16 21) */		fitod	%f2,%f4
+/* 0x05ec	 581 (17 22) */		fitod	%f7,%f2
+/* 0x05f0	 582 (18 23) */		fitod	%f6,%f6
+/* 0x05f4	 583 (20 25) */		fsubd	%f18,%f0,%f0
+/* 0x05f8	 584 (21 26) */		fsubd	%f18,%f4,%f4
+
+!
+! ENTRY .L900000149
+!
+
+        .L900000149:		/* frequency 1.0 confidence 0.0 */
+/* 0x05fc	 586 ( 0  4) */		fxnor	%f14,%f12,%f22
+/* 0x0600	 587 ( 0  5) */		fmuld	%f4,%f16,%f4
+/* 0x0604	 588 ( 0  1) */		add	%g2,2,%g2
+/* 0x0608	 589 ( 0  1) */		add	%o4,32,%o4
+/* 0x060c	 590 ( 1  6) */		fitod	%f9,%f24
+/* 0x0610	 591 ( 1  6) */		fmuld	%f0,%f16,%f20
+/* 0x0614	 592 ( 1  2) */		add	%o0,8,%o0
+/* 0x0618	 593 ( 1  2) */		subcc	%g2,%o1,%g0
+/* 0x061c	 594 ( 2  6) */		ldd	[%o0],%f12
+/* 0x0620	 595 ( 2  7) */		fsubd	%f18,%f2,%f0
+/* 0x0624	 596 ( 2  3) */		add	%o5,32,%o5
+/* 0x0628	 597 ( 3  8) */		fsubd	%f18,%f6,%f2
+/* 0x062c	 598 ( 5 10) */		fdtox	%f4,%f4
+/* 0x0630	 599 ( 6 11) */		fdtox	%f20,%f6
+/* 0x0634	 600 ( 6  7) */		std	%f4,[%o5-32]
+/* 0x0638	 601 ( 7 12) */		fitod	%f8,%f4
+/* 0x063c	 602 ( 7  8) */		std	%f6,[%o4-32]
+/* 0x0640	 603 ( 8 12) */		fxnor	%f14,%f10,%f8
+/* 0x0644	 604 ( 8 13) */		fmuld	%f2,%f16,%f6
+/* 0x0648	 605 ( 9 14) */		fitod	%f23,%f2
+/* 0x064c	 606 ( 9 14) */		fmuld	%f0,%f16,%f20
+/* 0x0650	 607 ( 9 10) */		add	%o0,8,%o0
+/* 0x0654	 608 (10 14) */		ldd	[%o0],%f10
+/* 0x0658	 609 (10 15) */		fsubd	%f18,%f24,%f0
+/* 0x065c	 610 (12 17) */		fsubd	%f18,%f4,%f4
+/* 0x0660	 611 (13 18) */		fdtox	%f6,%f6
+/* 0x0664	 612 (14 19) */		fdtox	%f20,%f20
+/* 0x0668	 613 (14 15) */		std	%f6,[%o5-16]
+/* 0x066c	 614 (15 20) */		fitod	%f22,%f6
+/* 0x0670	 615 (15 16) */		ble,pt	%icc,.L900000149	! tprob=0.50
+/* 0x0674	     (15 16) */		std	%f20,[%o4-16]
+
+!
+! ENTRY .L900000152
+!
+
+        .L900000152:		/* frequency 1.0 confidence 0.0 */
+/* 0x0678	 618 ( 0  4) */		fxnor	%f14,%f12,%f12
+/* 0x067c	 619 ( 0  5) */		fmuld	%f0,%f16,%f22
+/* 0x0680	 620 ( 0  1) */		add	%o5,80,%o5
+/* 0x0684	 621 ( 0  1) */		add	%o4,80,%o4
+/* 0x0688	 622 ( 1  5) */		fxnor	%f14,%f10,%f0
+/* 0x068c	 623 ( 1  6) */		fmuld	%f4,%f16,%f24
+/* 0x0690	 624 ( 1  2) */		subcc	%g2,%o2,%g0
+/* 0x0694	 625 ( 1  2) */		add	%o0,8,%g5
+/* 0x0698	 626 ( 2  7) */		fitod	%f8,%f20
+/* 0x069c	 627 ( 3  8) */		fitod	%f9,%f8
+/* 0x06a0	 628 ( 4  9) */		fsubd	%f18,%f6,%f6
+/* 0x06a4	 629 ( 5 10) */		fitod	%f12,%f26
+/* 0x06a8	 630 ( 6 11) */		fitod	%f13,%f4
+/* 0x06ac	 631 ( 7 12) */		fsubd	%f18,%f2,%f12
+/* 0x06b0	 632 ( 8 13) */		fitod	%f0,%f2
+/* 0x06b4	 633 ( 9 14) */		fitod	%f1,%f0
+/* 0x06b8	 634 (10 15) */		fsubd	%f18,%f20,%f10
+/* 0x06bc	 635 (10 15) */		fmuld	%f6,%f16,%f20
+/* 0x06c0	 636 (11 16) */		fsubd	%f18,%f8,%f8
+/* 0x06c4	 637 (12 17) */		fsubd	%f18,%f26,%f6
+/* 0x06c8	 638 (12 17) */		fmuld	%f12,%f16,%f12
+/* 0x06cc	 639 (13 18) */		fsubd	%f18,%f4,%f4
+/* 0x06d0	 640 (14 19) */		fsubd	%f18,%f2,%f2
+/* 0x06d4	 641 (15 20) */		fsubd	%f18,%f0,%f0
+/* 0x06d8	 642 (15 20) */		fmuld	%f10,%f16,%f10
+/* 0x06dc	 643 (16 21) */		fdtox	%f24,%f24
+/* 0x06e0	 644 (16 17) */		std	%f24,[%o5-80]
+/* 0x06e4	 645 (16 21) */		fmuld	%f8,%f16,%f8
+/* 0x06e8	 646 (17 22) */		fdtox	%f22,%f22
+/* 0x06ec	 647 (17 18) */		std	%f22,[%o4-80]
+/* 0x06f0	 648 (17 22) */		fmuld	%f6,%f16,%f6
+/* 0x06f4	 649 (18 23) */		fdtox	%f20,%f20
+/* 0x06f8	 650 (18 19) */		std	%f20,[%o5-64]
+/* 0x06fc	 651 (18 23) */		fmuld	%f4,%f16,%f4
+/* 0x0700	 652 (19 24) */		fdtox	%f12,%f12
+/* 0x0704	 653 (19 20) */		std	%f12,[%o4-64]
+/* 0x0708	 654 (19 24) */		fmuld	%f2,%f16,%f2
+/* 0x070c	 655 (20 25) */		fdtox	%f10,%f10
+/* 0x0710	 656 (20 21) */		std	%f10,[%o5-48]
+/* 0x0714	 657 (20 25) */		fmuld	%f0,%f16,%f0
+/* 0x0718	 658 (21 26) */		fdtox	%f8,%f8
+/* 0x071c	 659 (21 22) */		std	%f8,[%o4-48]
+/* 0x0720	 660 (22 27) */		fdtox	%f6,%f6
+/* 0x0724	 661 (22 23) */		std	%f6,[%o5-32]
+/* 0x0728	 662 (23 28) */		fdtox	%f4,%f4
+/* 0x072c	 663 (23 24) */		std	%f4,[%o4-32]
+/* 0x0730	 664 (24 29) */		fdtox	%f2,%f2
+/* 0x0734	 665 (24 25) */		std	%f2,[%o5-16]
+/* 0x0738	 666 (25 30) */		fdtox	%f0,%f0
+/* 0x073c	 667 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
+/* 0x0740	     (25 26) */		std	%f0,[%o4-16]
+
+!
+! ENTRY .L77000077
+!
+
+        .L77000077:		/* frequency 1.0 confidence 0.0 */
+/* 0x0744	 670 ( 0  4) */		ldd	[%g5],%f0
+
+!
+! ENTRY .L900000160
+!
+
+        .L900000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x0748	 672 ( 0  4) */		fxnor	%f14,%f0,%f0
+/* 0x074c	 673 ( 0  1) */		add	%g2,1,%g2
+/* 0x0750	 674 ( 0  1) */		add	%g5,8,%g5
+/* 0x0754	 675 ( 1  2) */		subcc	%g2,%o2,%g0
+/* 0x0758	 676 ( 4  9) */		fitod	%f0,%f2
+/* 0x075c	 677 ( 5 10) */		fitod	%f1,%f0
+/* 0x0760	 678 ( 9 14) */		fsubd	%f18,%f2,%f2
+/* 0x0764	 679 (10 15) */		fsubd	%f18,%f0,%f0
+/* 0x0768	 680 (14 19) */		fmuld	%f2,%f16,%f2
+/* 0x076c	 681 (15 20) */		fmuld	%f0,%f16,%f0
+/* 0x0770	 682 (19 24) */		fdtox	%f2,%f2
+/* 0x0774	 683 (19 20) */		std	%f2,[%o5]
+/* 0x0778	 684 (19 20) */		add	%o5,16,%o5
+/* 0x077c	 685 (20 25) */		fdtox	%f0,%f0
+/* 0x0780	 686 (20 21) */		std	%f0,[%o4]
+/* 0x0784	 687 (20 21) */		add	%o4,16,%o4
+/* 0x0788	 688 (20 21) */		ble,a,pt	%icc,.L900000160	! tprob=0.50
+/* 0x078c	     (23 27) */		ldd	[%g5],%f0
+
+!
+! ENTRY .L77000043
+!
+
+        .L77000043:		/* frequency 1.0 confidence 0.0 */
+/* 0x0790	 696 ( 0  1) */		subcc	%o3,0,%g0
+
+!
+! ENTRY .L900000161
+!
+
+        .L900000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x0794	 698 ( 0  1) */		ble,a,pt	%icc,.L900000159	! tprob=0.50
+/* 0x0798	     ( 0  1) */		or	%g0,%o7,%i0
+/* 0x079c	 703 ( 0  2) */		ldx	[%fp-2256],%o2
+/* 0x07a0	 704 ( 0  1) */		or	%g0,%i1,%g3
+/* 0x07a4	 705 ( 1  2) */		sub	%o3,1,%o5
+/* 0x07a8	 706 ( 1  2) */		or	%g0,0,%g4
+/* 0x07ac	 707 ( 2  3) */		add	%fp,-2264,%g5
+/* 0x07b0	 708 ( 2  3) */		or	%g0,%i0,%g2
+/* 0x07b4	 709 ( 3  4) */		subcc	%o3,6,%g0
+/* 0x07b8	 710 ( 3  4) */		sub	%o5,2,%o4
+/* 0x07bc	 711 ( 3  4) */		bl,pn	%icc,.L77000078	! tprob=0.50
+/* 0x07c0	     ( 3  5) */		ldx	[%fp-2264],%o0
+/* 0x07c4	 713 ( 4  6) */		ld	[%g3],%o1
+/* 0x07c8	 714 ( 4  5) */		add	%g2,4,%g2
+/* 0x07cc	 715 ( 4  5) */		or	%g0,3,%g4
+/* 0x07d0	 716 ( 5  7) */		ld	[%g3+4],%o3
+/* 0x07d4	 717 ( 5  6) */		add	%g3,8,%g3
+/* 0x07d8	 718 ( 5  6) */		add	%fp,-2240,%g5
+/* 0x07dc	 719 ( 6  7) */		add	%o0,%o1,%o0
+/* 0x07e0	 720 ( 6  8) */		ldx	[%fp-2248],%o1
+/* 0x07e4	 721 ( 7  8) */		st	%o0,[%g2-4]
+/* 0x07e8	 722 ( 7  8) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000145
+!
+
+        .L900000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x07ec	 724 ( 0  2) */		ld	[%g3],%o7
+/* 0x07f0	 725 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x07f4	 726 ( 0  1) */		sra	%o0,0,%o3
+/* 0x07f8	 727 ( 1  3) */		ldx	[%g5],%o0
+/* 0x07fc	 728 ( 1  2) */		add	%o2,%o3,%o2
+/* 0x0800	 729 ( 1  2) */		add	%g4,3,%g4
+/* 0x0804	 730 ( 2  3) */		st	%o2,[%g2]
+/* 0x0808	 731 ( 2  3) */		srax	%o2,32,%o3
+/* 0x080c	 732 ( 2  3) */		subcc	%g4,%o4,%g0
+/* 0x0810	 733 ( 3  5) */		ld	[%g3+4],%o2
+/* 0x0814	 734 ( 4  5) */		stx	%o2,[%sp+96]
+/* 0x0818	 735 ( 4  5) */		add	%o1,%o7,%o1
+/* 0x081c	 736 ( 5  7) */		ldx	[%g5+8],%o2
+/* 0x0820	 737 ( 5  6) */		add	%o1,%o3,%o1
+/* 0x0824	 738 ( 5  6) */		add	%g2,12,%g2
+/* 0x0828	 739 ( 6  7) */		st	%o1,[%g2-8]
+/* 0x082c	 740 ( 6  7) */		srax	%o1,32,%o7
+/* 0x0830	 741 ( 6  7) */		add	%g3,12,%g3
+/* 0x0834	 742 ( 7  9) */		ld	[%g3-4],%o3
+/* 0x0838	 743 ( 8 10) */		ldx	[%sp+96],%o1
+/* 0x083c	 744 (10 11) */		add	%o0,%o1,%o0
+/* 0x0840	 745 (10 12) */		ldx	[%g5+16],%o1
+/* 0x0844	 746 (11 12) */		add	%o0,%o7,%o0
+/* 0x0848	 747 (11 12) */		add	%g5,24,%g5
+/* 0x084c	 748 (11 12) */		st	%o0,[%g2-4]
+/* 0x0850	 749 (11 12) */		ble,pt	%icc,.L900000145	! tprob=0.50
+/* 0x0854	     (12 13) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000148
+!
+
+        .L900000148:		/* frequency 1.0 confidence 0.0 */
+/* 0x0858	 752 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x085c	 753 ( 0  1) */		sra	%o0,0,%o3
+/* 0x0860	 754 ( 0  2) */		ld	[%g3],%o0
+/* 0x0864	 755 ( 1  2) */		add	%o2,%o3,%o3
+/* 0x0868	 756 ( 1  2) */		add	%g2,8,%g2
+/* 0x086c	 757 ( 2  3) */		srax	%o3,32,%o2
+/* 0x0870	 758 ( 2  3) */		st	%o3,[%g2-8]
+/* 0x0874	 759 ( 2  3) */		add	%o1,%o0,%o0
+/* 0x0878	 760 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x087c	 761 ( 3  4) */		st	%o0,[%g2-4]
+/* 0x0880	 762 ( 3  4) */		subcc	%g4,%o5,%g0
+/* 0x0884	 763 ( 3  4) */		bg,pn	%icc,.L77000061	! tprob=0.50
+/* 0x0888	     ( 4  5) */		srax	%o0,32,%o7
+/* 0x088c	 765 ( 4  5) */		add	%g3,4,%g3
+
+!
+! ENTRY .L77000078
+!
+
+        .L77000078:		/* frequency 1.0 confidence 0.0 */
+/* 0x0890	 767 ( 0  2) */		ld	[%g3],%o2
+
+!
+! ENTRY .L900000158
+!
+
+        .L900000158:		/* frequency 1.0 confidence 0.0 */
+/* 0x0894	 769 ( 0  2) */		ldx	[%g5],%o0
+/* 0x0898	 770 ( 0  1) */		sra	%o7,0,%o1
+/* 0x089c	 771 ( 0  1) */		add	%g4,1,%g4
+/* 0x08a0	 772 ( 1  2) */		add	%g3,4,%g3
+/* 0x08a4	 773 ( 1  2) */		add	%g5,8,%g5
+/* 0x08a8	 774 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x08ac	 775 ( 2  3) */		subcc	%g4,%o5,%g0
+/* 0x08b0	 776 ( 3  4) */		add	%o0,%o1,%o0
+/* 0x08b4	 777 ( 3  4) */		st	%o0,[%g2]
+/* 0x08b8	 778 ( 3  4) */		add	%g2,4,%g2
+/* 0x08bc	 779 ( 4  5) */		srax	%o0,32,%o7
+/* 0x08c0	 780 ( 4  5) */		ble,a,pt	%icc,.L900000158	! tprob=0.50
+/* 0x08c4	     ( 4  6) */		ld	[%g3],%o2
+
+!
+! ENTRY .L77000047
+!
+
+        .L77000047:		/* frequency 1.0 confidence 0.0 */
+/* 0x08c8	 783 ( 0  1) */		or	%g0,%o7,%i0
+/* 0x08cc	     ( 1  8) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x08d0	     ( 3  5) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000048
+!
+
+        .L77000048:		/* frequency 1.0 confidence 0.0 */
+/* 0x08d4	 794 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
+/* 0x08d8	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x08dc	 796 ( 0  4) */		ldd	[%g5],%f4
+/* 0x08e0	 804 ( 0  1) */		srl	%o1,19,%g3
+/* 0x08e4	 805 ( 1  2) */		st	%g3,[%sp+240]
+/* 0x08e8	 806 ( 1  2) */		andn	%o1,%g2,%g2
+/* 0x08ec	 807 ( 2  6) */		ldd	[%o0],%f8
+/* 0x08f0	 808 ( 3  4) */		st	%g2,[%sp+244]
+/* 0x08f4	 809 ( 3  7) */		fxnor	%f0,%f4,%f4
+/* 0x08f8	 810 ( 4  8) */		ldd	[%g5+8],%f6
+/* 0x08fc	 814 ( 5  9) */		ldd	[%o0+8],%f18
+/* 0x0900	 815 ( 5  8) */		fmovs	%f8,%f12
+/* 0x0904	 816 ( 6 10) */		ldd	[%g5+16],%f10
+/* 0x0908	 817 ( 6  9) */		fmovs	%f8,%f16
+/* 0x090c	 818 ( 7 11) */		ldd	[%g5+24],%f20
+/* 0x0910	 819 ( 7 12) */		fitod	%f4,%f14
+/* 0x0914	 823 ( 8 10) */		ld	[%i1],%g2
+/* 0x0918	 824 ( 8 13) */		fitod	%f5,%f4
+/* 0x091c	 825 ( 9 11) */		ld	[%sp+240],%f13
+/* 0x0920	 826 ( 9 13) */		fxnor	%f0,%f6,%f6
+/* 0x0924	 827 (10 12) */		ld	[%sp+244],%f17
+/* 0x0928	 828 (10 14) */		fxnor	%f0,%f10,%f10
+/* 0x092c	 829 (11 13) */		ld	[%i1+28],%o3
+/* 0x0930	 830 (11 15) */		fxnor	%f0,%f20,%f20
+/* 0x0934	 831 (12 14) */		ld	[%i1+4],%g3
+/* 0x0938	 832 (12 17) */		fsubd	%f12,%f8,%f12
+/* 0x093c	 833 (13 14) */		stx	%o3,[%sp+96]
+/* 0x0940	 834 (13 18) */		fsubd	%f18,%f14,%f14
+/* 0x0944	 835 (14 16) */		ld	[%i1+8],%g4
+/* 0x0948	 836 (14 19) */		fsubd	%f16,%f8,%f8
+/* 0x094c	 837 (15 17) */		ld	[%i1+12],%g5
+/* 0x0950	 838 (15 20) */		fsubd	%f18,%f4,%f4
+/* 0x0954	 839 (16 18) */		ld	[%i1+16],%o0
+/* 0x0958	 840 (16 21) */		fitod	%f6,%f22
+/* 0x095c	 841 (17 19) */		ld	[%i1+20],%o1
+/* 0x0960	 842 (17 22) */		fitod	%f7,%f6
+/* 0x0964	 843 (18 20) */		ld	[%i1+24],%o2
+/* 0x0968	 844 (18 23) */		fitod	%f10,%f16
+/* 0x096c	 845 (18 23) */		fmuld	%f14,%f12,%f24
+/* 0x0970	 846 (19 24) */		fitod	%f20,%f28
+/* 0x0974	 847 (19 24) */		fmuld	%f14,%f8,%f14
+/* 0x0978	 848 (20 25) */		fitod	%f11,%f10
+/* 0x097c	 849 (20 25) */		fmuld	%f4,%f12,%f26
+/* 0x0980	 850 (21 26) */		fsubd	%f18,%f22,%f22
+/* 0x0984	 851 (21 26) */		fmuld	%f4,%f8,%f4
+/* 0x0988	 852 (22 27) */		fsubd	%f18,%f6,%f6
+/* 0x098c	 853 (23 28) */		fdtox	%f24,%f24
+/* 0x0990	 854 (23 24) */		std	%f24,[%sp+224]
+/* 0x0994	 855 (24 29) */		fdtox	%f14,%f14
+/* 0x0998	 856 (24 25) */		std	%f14,[%sp+232]
+/* 0x099c	 857 (25 30) */		fdtox	%f26,%f14
+/* 0x09a0	 858 (25 26) */		std	%f14,[%sp+208]
+/* 0x09a4	 859 (26 28) */		ldx	[%sp+224],%o4
+/* 0x09a8	 860 (26 31) */		fitod	%f21,%f20
+/* 0x09ac	 861 (26 31) */		fmuld	%f22,%f12,%f30
+/* 0x09b0	 862 (27 29) */		ldx	[%sp+232],%o5
+/* 0x09b4	 863 (27 32) */		fsubd	%f18,%f16,%f16
+/* 0x09b8	 864 (27 32) */		fmuld	%f22,%f8,%f22
+/* 0x09bc	 865 (28 29) */		sllx	%o4,19,%o4
+/* 0x09c0	 866 (28 33) */		fdtox	%f4,%f4
+/* 0x09c4	 867 (28 29) */		std	%f4,[%sp+216]
+/* 0x09c8	 868 (28 33) */		fmuld	%f6,%f12,%f24
+/* 0x09cc	 869 (29 34) */		fsubd	%f18,%f28,%f26
+/* 0x09d0	 870 (29 30) */		add	%o5,%o4,%o4
+/* 0x09d4	 871 (29 34) */		fmuld	%f6,%f8,%f6
+/* 0x09d8	 872 (30 35) */		fsubd	%f18,%f10,%f10
+/* 0x09dc	 873 (30 31) */		add	%o4,%g2,%g2
+/* 0x09e0	 874 (30 31) */		st	%g2,[%i0]
+/* 0x09e4	 875 (31 33) */		ldx	[%sp+208],%o7
+/* 0x09e8	 876 (31 32) */		srlx	%g2,32,%o5
+/* 0x09ec	 877 (31 36) */		fsubd	%f18,%f20,%f18
+/* 0x09f0	 878 (32 37) */		fdtox	%f30,%f28
+/* 0x09f4	 879 (32 33) */		std	%f28,[%sp+192]
+/* 0x09f8	 880 (32 37) */		fmuld	%f16,%f12,%f14
+/* 0x09fc	 881 (33 34) */		sllx	%o7,19,%o4
+/* 0x0a00	 882 (33 35) */		ldx	[%sp+216],%o7
+/* 0x0a04	 883 (33 38) */		fdtox	%f22,%f20
+/* 0x0a08	 884 (33 38) */		fmuld	%f16,%f8,%f16
+/* 0x0a0c	 885 (34 35) */		std	%f20,[%sp+200]
+/* 0x0a10	 886 (34 39) */		fdtox	%f24,%f20
+/* 0x0a14	 887 (34 39) */		fmuld	%f26,%f12,%f22
+/* 0x0a18	 888 (35 36) */		std	%f20,[%sp+176]
+/* 0x0a1c	 889 (35 36) */		add	%o7,%o4,%o4
+/* 0x0a20	 890 (35 40) */		fdtox	%f6,%f6
+/* 0x0a24	 891 (35 40) */		fmuld	%f10,%f12,%f4
+/* 0x0a28	 892 (36 38) */		ldx	[%sp+192],%o3
+/* 0x0a2c	 893 (36 37) */		add	%o4,%g3,%g3
+/* 0x0a30	 894 (36 41) */		fmuld	%f10,%f8,%f10
+/* 0x0a34	 895 (37 38) */		std	%f6,[%sp+184]
+/* 0x0a38	 896 (37 38) */		add	%g3,%o5,%g3
+/* 0x0a3c	 897 (37 42) */		fdtox	%f14,%f6
+/* 0x0a40	 898 (37 42) */		fmuld	%f26,%f8,%f20
+/* 0x0a44	 899 (38 40) */		ldx	[%sp+200],%o4
+/* 0x0a48	 900 (38 39) */		sllx	%o3,19,%o3
+/* 0x0a4c	 901 (38 39) */		srlx	%g3,32,%o5
+/* 0x0a50	 902 (38 43) */		fdtox	%f16,%f14
+/* 0x0a54	 903 (39 40) */		std	%f6,[%sp+160]
+/* 0x0a58	 904 (39 44) */		fmuld	%f18,%f12,%f12
+/* 0x0a5c	 905 (40 42) */		ldx	[%sp+176],%o7
+/* 0x0a60	 906 (40 41) */		add	%o4,%o3,%o3
+/* 0x0a64	 907 (40 45) */		fdtox	%f4,%f16
+/* 0x0a68	 908 (40 45) */		fmuld	%f18,%f8,%f18
+/* 0x0a6c	 909 (41 42) */		std	%f14,[%sp+168]
+/* 0x0a70	 910 (41 42) */		add	%o3,%g4,%g4
+/* 0x0a74	 911 (41 46) */		fdtox	%f10,%f4
+/* 0x0a78	 912 (42 44) */		ldx	[%sp+184],%o3
+/* 0x0a7c	 913 (42 43) */		sllx	%o7,19,%o4
+/* 0x0a80	 914 (42 43) */		add	%g4,%o5,%g4
+/* 0x0a84	 915 (42 47) */		fdtox	%f22,%f14
+/* 0x0a88	 916 (43 44) */		std	%f16,[%sp+144]
+/* 0x0a8c	 917 (43 44) */		srlx	%g4,32,%o5
+/* 0x0a90	 918 (43 48) */		fdtox	%f20,%f6
+/* 0x0a94	 919 (44 46) */		ldx	[%sp+160],%o7
+/* 0x0a98	 920 (44 45) */		add	%o3,%o4,%o3
+/* 0x0a9c	 921 (44 49) */		fdtox	%f12,%f16
+/* 0x0aa0	 922 (45 46) */		std	%f4,[%sp+152]
+/* 0x0aa4	 923 (45 46) */		add	%o3,%g5,%g5
+/* 0x0aa8	 924 (45 50) */		fdtox	%f18,%f8
+/* 0x0aac	 925 (46 48) */		ldx	[%sp+168],%o3
+/* 0x0ab0	 926 (46 47) */		sllx	%o7,19,%o4
+/* 0x0ab4	 927 (46 47) */		add	%g5,%o5,%g5
+/* 0x0ab8	 928 (47 48) */		std	%f14,[%sp+128]
+/* 0x0abc	 929 (47 48) */		srlx	%g5,32,%o5
+/* 0x0ac0	 930 (48 49) */		std	%f6,[%sp+136]
+/* 0x0ac4	 931 (48 49) */		add	%o3,%o4,%o3
+/* 0x0ac8	 932 (49 50) */		std	%f16,[%sp+112]
+/* 0x0acc	 933 (49 50) */		add	%o3,%o0,%o0
+/* 0x0ad0	 934 (50 52) */		ldx	[%sp+144],%o7
+/* 0x0ad4	 935 (50 51) */		add	%o0,%o5,%o0
+/* 0x0ad8	 936 (51 53) */		ldx	[%sp+152],%o3
+/* 0x0adc	 937 (52 53) */		std	%f8,[%sp+120]
+/* 0x0ae0	 938 (52 53) */		sllx	%o7,19,%o4
+/* 0x0ae4	 939 (52 53) */		srlx	%o0,32,%o7
+/* 0x0ae8	 940 (53 54) */		stx	%o0,[%sp+104]
+/* 0x0aec	 941 (53 54) */		add	%o3,%o4,%o3
+/* 0x0af0	 942 (54 56) */		ldx	[%sp+128],%o5
+/* 0x0af4	 943 (54 55) */		add	%o3,%o1,%o1
+/* 0x0af8	 944 (55 57) */		ldx	[%sp+136],%o0
+/* 0x0afc	 945 (55 56) */		add	%o1,%o7,%o1
+/* 0x0b00	 946 (56 57) */		st	%g3,[%i0+4]
+/* 0x0b04	 947 (56 57) */		sllx	%o5,19,%o3
+/* 0x0b08	 948 (57 59) */		ldx	[%sp+112],%o4
+/* 0x0b0c	 949 (57 58) */		add	%o0,%o3,%o3
+/* 0x0b10	 950 (58 60) */		ldx	[%sp+120],%o0
+/* 0x0b14	 951 (58 59) */		add	%o3,%o2,%o2
+/* 0x0b18	 952 (58 59) */		srlx	%o1,32,%o3
+/* 0x0b1c	 953 (59 60) */		st	%o1,[%i0+20]
+/* 0x0b20	 954 (59 60) */		sllx	%o4,19,%g2
+/* 0x0b24	 955 (59 60) */		add	%o2,%o3,%o2
+/* 0x0b28	 956 (60 62) */		ldx	[%sp+96],%o4
+/* 0x0b2c	 957 (60 61) */		srlx	%o2,32,%g3
+/* 0x0b30	 958 (60 61) */		add	%o0,%g2,%g2
+/* 0x0b34	 959 (61 63) */		ldx	[%sp+104],%o0
+/* 0x0b38	 960 (62 63) */		st	%o2,[%i0+24]
+/* 0x0b3c	 961 (62 63) */		add	%g2,%o4,%g2
+/* 0x0b40	 962 (63 64) */		st	%o0,[%i0+16]
+/* 0x0b44	 963 (63 64) */		add	%g2,%g3,%g2
+/* 0x0b48	 964 (64 65) */		st	%g4,[%i0+8]
+/* 0x0b4c	 968 (64 65) */		srlx	%g2,32,%o7
+/* 0x0b50	 969 (65 66) */		st	%g5,[%i0+12]
+/* 0x0b54	 970 (66 67) */		st	%g2,[%i0+28]
+/* 0x0b58	 971 (66 67) */		or	%g0,%o7,%i0
+/* 0x0b5c	     (67 74) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0b60	     (69 71) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000050
+!
+
+        .L77000050:		/* frequency 1.0 confidence 0.0 */
+/* 0x0b64	 978 ( 0  1) */		subcc	%o2,16,%g0
+/* 0x0b68	 979 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
+/* 0x0b6c	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0b70	 981 ( 1  5) */		ldd	[%g5],%f4
+/* 0x0b74	 982 ( 2  6) */		ldd	[%g5+8],%f6
+/* 0x0b78	 989 ( 2  3) */		andn	%o1,%g2,%g2
+/* 0x0b7c	 993 ( 2  3) */		srl	%o1,19,%g3
+/* 0x0b80	 994 ( 3  7) */		ldd	[%g5+16],%f8
+/* 0x0b84	 995 ( 4  8) */		fxnor	%f0,%f4,%f4
+/* 0x0b88	 996 ( 4  5) */		st	%g2,[%sp+356]
+/* 0x0b8c	 997 ( 5  9) */		ldd	[%o0],%f20
+/* 0x0b90	 998 ( 5  9) */		fxnor	%f0,%f6,%f6
+/* 0x0b94	 999 ( 6  7) */		st	%g3,[%sp+352]
+/* 0x0b98	1000 ( 6 10) */		fxnor	%f0,%f8,%f8
+/* 0x0b9c	1005 ( 7 11) */		ldd	[%o0+8],%f30
+/* 0x0ba0	1006 ( 8 13) */		fitod	%f4,%f22
+/* 0x0ba4	1007 ( 8 12) */		ldd	[%g5+24],%f10
+/* 0x0ba8	1008 ( 9 12) */		fmovs	%f20,%f24
+/* 0x0bac	1009 ( 9 13) */		ldd	[%g5+32],%f12
+/* 0x0bb0	1010 (10 15) */		fitod	%f5,%f4
+/* 0x0bb4	1011 (10 14) */		ldd	[%g5+40],%f14
+/* 0x0bb8	1012 (11 14) */		fmovs	%f20,%f26
+/* 0x0bbc	1013 (11 15) */		ldd	[%g5+48],%f16
+/* 0x0bc0	1014 (12 14) */		ld	[%sp+356],%f25
+/* 0x0bc4	1015 (12 17) */		fitod	%f6,%f28
+/* 0x0bc8	1016 (13 15) */		ld	[%sp+352],%f27
+/* 0x0bcc	1017 (13 18) */		fitod	%f8,%f32
+/* 0x0bd0	1018 (14 19) */		fsubd	%f30,%f22,%f22
+/* 0x0bd4	1019 (14 18) */		ldd	[%g5+56],%f18
+/* 0x0bd8	1020 (15 20) */		fsubd	%f24,%f20,%f24
+/* 0x0bdc	1021 (16 21) */		fsubd	%f26,%f20,%f20
+/* 0x0be0	1022 (17 22) */		fsubd	%f30,%f4,%f4
+/* 0x0be4	1023 (18 23) */		fsubd	%f30,%f28,%f26
+/* 0x0be8	1024 (19 24) */		fitod	%f7,%f6
+/* 0x0bec	1025 (20 25) */		fsubd	%f30,%f32,%f28
+/* 0x0bf0	1026 (20 25) */		fmuld	%f22,%f24,%f32
+/* 0x0bf4	1027 (21 26) */		fmuld	%f22,%f20,%f22
+/* 0x0bf8	1028 (21 25) */		fxnor	%f0,%f10,%f10
+/* 0x0bfc	1029 (22 27) */		fmuld	%f4,%f24,%f44
+/* 0x0c00	1030 (22 27) */		fitod	%f9,%f8
+/* 0x0c04	1031 (23 28) */		fmuld	%f4,%f20,%f4
+/* 0x0c08	1032 (23 27) */		fxnor	%f0,%f12,%f12
+/* 0x0c0c	1033 (24 29) */		fsubd	%f30,%f6,%f6
+/* 0x0c10	1034 (24 29) */		fmuld	%f26,%f24,%f46
+/* 0x0c14	1035 (25 30) */		fitod	%f10,%f34
+/* 0x0c18	1036 (26 31) */		fdtox	%f22,%f22
+/* 0x0c1c	1037 (26 27) */		std	%f22,[%sp+336]
+/* 0x0c20	1038 (27 32) */		fmuld	%f26,%f20,%f22
+/* 0x0c24	1039 (27 32) */		fdtox	%f44,%f26
+/* 0x0c28	1040 (27 28) */		std	%f26,[%sp+328]
+/* 0x0c2c	1041 (28 33) */		fdtox	%f4,%f4
+/* 0x0c30	1042 (28 29) */		std	%f4,[%sp+320]
+/* 0x0c34	1043 (29 34) */		fmuld	%f6,%f24,%f26
+/* 0x0c38	1044 (29 34) */		fsubd	%f30,%f8,%f8
+/* 0x0c3c	1045 (30 35) */		fdtox	%f46,%f4
+/* 0x0c40	1046 (30 31) */		std	%f4,[%sp+312]
+/* 0x0c44	1047 (31 36) */		fmuld	%f28,%f24,%f4
+/* 0x0c48	1048 (31 36) */		fdtox	%f32,%f32
+/* 0x0c4c	1049 (31 32) */		std	%f32,[%sp+344]
+/* 0x0c50	1050 (32 37) */		fitod	%f11,%f10
+/* 0x0c54	1051 (32 37) */		fmuld	%f6,%f20,%f32
+/* 0x0c58	1052 (33 38) */		fsubd	%f30,%f34,%f34
+/* 0x0c5c	1053 (34 39) */		fdtox	%f22,%f6
+/* 0x0c60	1054 (34 35) */		std	%f6,[%sp+304]
+/* 0x0c64	1058 (35 40) */		fitod	%f12,%f36
+/* 0x0c68	1059 (35 40) */		fmuld	%f28,%f20,%f6
+/* 0x0c6c	1060 (36 41) */		fdtox	%f26,%f22
+/* 0x0c70	1061 (36 37) */		std	%f22,[%sp+296]
+/* 0x0c74	1062 (37 42) */		fmuld	%f8,%f24,%f22
+/* 0x0c78	1063 (37 42) */		fdtox	%f4,%f4
+/* 0x0c7c	1064 (37 38) */		std	%f4,[%sp+280]
+/* 0x0c80	1065 (38 43) */		fmuld	%f8,%f20,%f8
+/* 0x0c84	1066 (38 43) */		fsubd	%f30,%f10,%f10
+/* 0x0c88	1067 (39 44) */		fmuld	%f34,%f24,%f4
+/* 0x0c8c	1068 (39 44) */		fitod	%f13,%f12
+/* 0x0c90	1069 (40 45) */		fsubd	%f30,%f36,%f36
+/* 0x0c94	1070 (41 46) */		fdtox	%f6,%f6
+/* 0x0c98	1071 (41 42) */		std	%f6,[%sp+272]
+/* 0x0c9c	1072 (42 46) */		fxnor	%f0,%f14,%f14
+/* 0x0ca0	1073 (42 47) */		fmuld	%f34,%f20,%f6
+/* 0x0ca4	1074 (43 48) */		fdtox	%f22,%f22
+/* 0x0ca8	1075 (43 44) */		std	%f22,[%sp+264]
+/* 0x0cac	1076 (44 49) */		fdtox	%f8,%f8
+/* 0x0cb0	1077 (44 45) */		std	%f8,[%sp+256]
+/* 0x0cb4	1078 (44 49) */		fmuld	%f10,%f24,%f22
+/* 0x0cb8	1079 (45 50) */		fdtox	%f4,%f4
+/* 0x0cbc	1080 (45 46) */		std	%f4,[%sp+248]
+/* 0x0cc0	1081 (45 50) */		fmuld	%f10,%f20,%f8
+/* 0x0cc4	1082 (46 51) */		fsubd	%f30,%f12,%f4
+/* 0x0cc8	1083 (46 51) */		fmuld	%f36,%f24,%f10
+/* 0x0ccc	1084 (47 52) */		fitod	%f14,%f38
+/* 0x0cd0	1085 (48 53) */		fdtox	%f6,%f6
+/* 0x0cd4	1086 (48 49) */		std	%f6,[%sp+240]
+/* 0x0cd8	1087 (49 54) */		fdtox	%f22,%f12
+/* 0x0cdc	1088 (49 50) */		std	%f12,[%sp+232]
+/* 0x0ce0	1089 (49 54) */		fmuld	%f36,%f20,%f6
+/* 0x0ce4	1090 (50 55) */		fdtox	%f8,%f8
+/* 0x0ce8	1091 (50 51) */		std	%f8,[%sp+224]
+/* 0x0cec	1092 (51 56) */		fdtox	%f10,%f22
+/* 0x0cf0	1093 (51 52) */		std	%f22,[%sp+216]
+/* 0x0cf4	1094 (51 56) */		fmuld	%f4,%f24,%f8
+/* 0x0cf8	1095 (52 57) */		fitod	%f15,%f14
+/* 0x0cfc	1096 (52 57) */		fmuld	%f4,%f20,%f4
+/* 0x0d00	1097 (53 58) */		fsubd	%f30,%f38,%f22
+/* 0x0d04	1098 (54 58) */		fxnor	%f0,%f16,%f16
+/* 0x0d08	1099 (55 60) */		fdtox	%f6,%f6
+/* 0x0d0c	1100 (55 56) */		std	%f6,[%sp+208]
+/* 0x0d10	1101 (56 61) */		fdtox	%f8,%f6
+/* 0x0d14	1102 (56 57) */		std	%f6,[%sp+200]
+/* 0x0d18	1103 (57 62) */		fsubd	%f30,%f14,%f10
+/* 0x0d1c	1104 (58 63) */		fitod	%f16,%f40
+/* 0x0d20	1105 (58 63) */		fmuld	%f22,%f24,%f6
+/* 0x0d24	1106 (59 64) */		fdtox	%f4,%f4
+/* 0x0d28	1107 (59 60) */		std	%f4,[%sp+192]
+/* 0x0d2c	1108 (60 65) */		fitod	%f17,%f16
+/* 0x0d30	1109 (60 65) */		fmuld	%f22,%f20,%f4
+/* 0x0d34	1110 (61 65) */		fxnor	%f0,%f18,%f18
+/* 0x0d38	1111 (62 67) */		fdtox	%f32,%f32
+/* 0x0d3c	1112 (62 63) */		std	%f32,[%sp+288]
+/* 0x0d40	1113 (62 67) */		fmuld	%f10,%f24,%f8
+/* 0x0d44	1114 (63 68) */		fdtox	%f6,%f6
+/* 0x0d48	1115 (63 64) */		std	%f6,[%sp+184]
+/* 0x0d4c	1116 (63 68) */		fmuld	%f10,%f20,%f22
+/* 0x0d50	1117 (64 69) */		fsubd	%f30,%f40,%f6
+/* 0x0d54	1118 (65 70) */		fdtox	%f4,%f4
+/* 0x0d58	1119 (65 66) */		std	%f4,[%sp+176]
+/* 0x0d5c	1120 (66 71) */		fsubd	%f30,%f16,%f10
+/* 0x0d60	1121 (67 72) */		fdtox	%f8,%f4
+/* 0x0d64	1122 (67 68) */		std	%f4,[%sp+168]
+/* 0x0d68	1123 (68 73) */		fdtox	%f22,%f4
+/* 0x0d6c	1124 (68 69) */		std	%f4,[%sp+160]
+/* 0x0d70	1125 (69 74) */		fitod	%f18,%f42
+/* 0x0d74	1126 (69 74) */		fmuld	%f6,%f24,%f4
+/* 0x0d78	1127 (70 75) */		fmuld	%f6,%f20,%f22
+/* 0x0d7c	1128 (71 76) */		fmuld	%f10,%f24,%f6
+/* 0x0d80	1129 (72 77) */		fmuld	%f10,%f20,%f8
+/* 0x0d84	1130 (74 79) */		fdtox	%f4,%f4
+/* 0x0d88	1131 (74 75) */		std	%f4,[%sp+152]
+/* 0x0d8c	1132 (75 80) */		fsubd	%f30,%f42,%f4
+/* 0x0d90	1133 (76 81) */		fdtox	%f6,%f6
+/* 0x0d94	1134 (76 77) */		std	%f6,[%sp+136]
+/* 0x0d98	1135 (77 82) */		fdtox	%f22,%f22
+/* 0x0d9c	1136 (77 78) */		std	%f22,[%sp+144]
+/* 0x0da0	1137 (78 83) */		fdtox	%f8,%f22
+/* 0x0da4	1138 (78 79) */		std	%f22,[%sp+128]
+/* 0x0da8	1139 (79 84) */		fitod	%f19,%f22
+/* 0x0dac	1140 (80 85) */		fmuld	%f4,%f24,%f6
+/* 0x0db0	1141 (81 86) */		fmuld	%f4,%f20,%f4
+/* 0x0db4	1142 (84 89) */		fsubd	%f30,%f22,%f22
+/* 0x0db8	1143 (85 90) */		fdtox	%f6,%f6
+/* 0x0dbc	1144 (85 86) */		std	%f6,[%sp+120]
+/* 0x0dc0	1145 (86 91) */		fdtox	%f4,%f4
+/* 0x0dc4	1146 (86 87) */		std	%f4,[%sp+112]
+/* 0x0dc8	1150 (87 89) */		ldx	[%sp+336],%g2
+/* 0x0dcc	1151 (88 90) */		ldx	[%sp+344],%g3
+/* 0x0dd0	1152 (89 91) */		ld	[%i1],%g4
+/* 0x0dd4	1153 (89 90) */		sllx	%g2,19,%g2
+/* 0x0dd8	1154 (89 94) */		fmuld	%f22,%f20,%f4
+/* 0x0ddc	1155 (90 92) */		ldx	[%sp+328],%g5
+/* 0x0de0	1156 (90 91) */		add	%g3,%g2,%g2
+/* 0x0de4	1157 (90 95) */		fmuld	%f22,%f24,%f6
+/* 0x0de8	1158 (91 93) */		ldx	[%sp+320],%g3
+/* 0x0dec	1159 (91 92) */		add	%g2,%g4,%g4
+/* 0x0df0	1160 (92 94) */		ldx	[%sp+304],%o0
+/* 0x0df4	1161 (93 94) */		st	%g4,[%i0]
+/* 0x0df8	1162 (93 94) */		sllx	%g3,19,%g2
+/* 0x0dfc	1163 (93 94) */		srlx	%g4,32,%g4
+/* 0x0e00	1164 (94 96) */		ld	[%i1+4],%g3
+/* 0x0e04	1165 (94 95) */		add	%g5,%g2,%g2
+/* 0x0e08	1166 (94 99) */		fdtox	%f4,%f4
+/* 0x0e0c	1167 (95 97) */		ldx	[%sp+312],%g5
+/* 0x0e10	1168 (95 100) */		fdtox	%f6,%f6
+/* 0x0e14	1169 (96 98) */		ldx	[%sp+288],%o1
+/* 0x0e18	1170 (96 97) */		add	%g2,%g3,%g2
+/* 0x0e1c	1171 (96 97) */		sllx	%o0,19,%g3
+/* 0x0e20	1172 (97 99) */		ldx	[%sp+272],%o2
+/* 0x0e24	1173 (97 98) */		add	%g2,%g4,%g2
+/* 0x0e28	1174 (97 98) */		add	%g5,%g3,%g3
+/* 0x0e2c	1175 (98 100) */		ld	[%i1+8],%g4
+/* 0x0e30	1176 (98 99) */		srlx	%g2,32,%o0
+/* 0x0e34	1177 (99 101) */		ldx	[%sp+296],%g5
+/* 0x0e38	1178 (100 101) */		st	%g2,[%i0+4]
+/* 0x0e3c	1179 (100 101) */		sllx	%o2,19,%g2
+/* 0x0e40	1180 (100 101) */		add	%g3,%g4,%g3
+/* 0x0e44	1181 (101 103) */		ldx	[%sp+256],%o2
+/* 0x0e48	1182 (101 102) */		sllx	%o1,19,%g4
+/* 0x0e4c	1183 (101 102) */		add	%g3,%o0,%g3
+/* 0x0e50	1184 (102 104) */		ld	[%i1+12],%o0
+/* 0x0e54	1185 (102 103) */		srlx	%g3,32,%o1
+/* 0x0e58	1186 (102 103) */		add	%g5,%g4,%g4
+/* 0x0e5c	1187 (103 105) */		ldx	[%sp+280],%g5
+/* 0x0e60	1188 (104 105) */		st	%g3,[%i0+8]
+/* 0x0e64	1189 (104 105) */		sllx	%o2,19,%g3
+/* 0x0e68	1190 (104 105) */		add	%g4,%o0,%g4
+/* 0x0e6c	1191 (105 107) */		ld	[%i1+16],%o0
+/* 0x0e70	1192 (105 106) */		add	%g5,%g2,%g2
+/* 0x0e74	1193 (105 106) */		add	%g4,%o1,%g4
+/* 0x0e78	1194 (106 108) */		ldx	[%sp+264],%g5
+/* 0x0e7c	1195 (106 107) */		srlx	%g4,32,%o1
+/* 0x0e80	1196 (107 109) */		ldx	[%sp+240],%o2
+/* 0x0e84	1197 (107 108) */		add	%g2,%o0,%g2
+/* 0x0e88	1198 (108 110) */		ld	[%i1+20],%o0
+/* 0x0e8c	1199 (108 109) */		add	%g5,%g3,%g3
+/* 0x0e90	1200 (108 109) */		add	%g2,%o1,%g2
+/* 0x0e94	1201 (109 111) */		ldx	[%sp+248],%g5
+/* 0x0e98	1202 (109 110) */		srlx	%g2,32,%o1
+/* 0x0e9c	1203 (110 111) */		st	%g4,[%i0+12]
+/* 0x0ea0	1204 (110 111) */		sllx	%o2,19,%g4
+/* 0x0ea4	1205 (110 111) */		add	%g3,%o0,%g3
+/* 0x0ea8	1206 (111 113) */		ld	[%i1+24],%o0
+/* 0x0eac	1207 (111 112) */		add	%g5,%g4,%g4
+/* 0x0eb0	1208 (111 112) */		add	%g3,%o1,%g3
+/* 0x0eb4	1209 (112 114) */		ldx	[%sp+224],%o2
+/* 0x0eb8	1210 (112 113) */		srlx	%g3,32,%o1
+/* 0x0ebc	1211 (113 115) */		ldx	[%sp+232],%g5
+/* 0x0ec0	1212 (113 114) */		add	%g4,%o0,%g4
+/* 0x0ec4	1213 (114 115) */		st	%g2,[%i0+16]
+/* 0x0ec8	1214 (114 115) */		sllx	%o2,19,%g2
+/* 0x0ecc	1215 (114 115) */		add	%g4,%o1,%g4
+/* 0x0ed0	1216 (115 117) */		ld	[%i1+28],%o0
+/* 0x0ed4	1217 (115 116) */		srlx	%g4,32,%o1
+/* 0x0ed8	1218 (115 116) */		add	%g5,%g2,%g2
+/* 0x0edc	1222 (116 118) */		ldx	[%sp+208],%o2
+/* 0x0ee0	1223 (117 119) */		ldx	[%sp+216],%g5
+/* 0x0ee4	1224 (117 118) */		add	%g2,%o0,%g2
+/* 0x0ee8	1225 (118 119) */		st	%g3,[%i0+20]
+/* 0x0eec	1226 (118 119) */		sllx	%o2,19,%g3
+/* 0x0ef0	1227 (118 119) */		add	%g2,%o1,%g2
+/* 0x0ef4	1228 (119 121) */		ld	[%i1+32],%o0
+/* 0x0ef8	1229 (119 120) */		srlx	%g2,32,%o1
+/* 0x0efc	1230 (119 120) */		add	%g5,%g3,%g3
+/* 0x0f00	1231 (120 122) */		ldx	[%sp+192],%o2
+/* 0x0f04	1232 (121 123) */		ldx	[%sp+200],%g5
+/* 0x0f08	1233 (121 122) */		add	%g3,%o0,%g3
+/* 0x0f0c	1234 (122 123) */		st	%g4,[%i0+24]
+/* 0x0f10	1235 (122 123) */		sllx	%o2,19,%g4
+/* 0x0f14	1236 (122 123) */		add	%g3,%o1,%g3
+/* 0x0f18	1237 (123 125) */		ld	[%i1+36],%o0
+/* 0x0f1c	1238 (123 124) */		srlx	%g3,32,%o1
+/* 0x0f20	1239 (123 124) */		add	%g5,%g4,%g4
+/* 0x0f24	1240 (124 126) */		ldx	[%sp+176],%o2
+/* 0x0f28	1241 (125 127) */		ldx	[%sp+184],%g5
+/* 0x0f2c	1242 (125 126) */		add	%g4,%o0,%g4
+/* 0x0f30	1243 (126 127) */		st	%g2,[%i0+28]
+/* 0x0f34	1244 (126 127) */		sllx	%o2,19,%g2
+/* 0x0f38	1245 (126 127) */		add	%g4,%o1,%g4
+/* 0x0f3c	1246 (127 129) */		ld	[%i1+40],%o0
+/* 0x0f40	1247 (127 128) */		srlx	%g4,32,%o1
+/* 0x0f44	1248 (127 128) */		add	%g5,%g2,%g2
+/* 0x0f48	1249 (128 130) */		ldx	[%sp+160],%o2
+/* 0x0f4c	1250 (129 131) */		ldx	[%sp+168],%g5
+/* 0x0f50	1251 (129 130) */		add	%g2,%o0,%g2
+/* 0x0f54	1252 (130 131) */		st	%g3,[%i0+32]
+/* 0x0f58	1253 (130 131) */		sllx	%o2,19,%g3
+/* 0x0f5c	1254 (130 131) */		add	%g2,%o1,%g2
+/* 0x0f60	1255 (131 133) */		ld	[%i1+44],%o0
+/* 0x0f64	1256 (131 132) */		srlx	%g2,32,%o1
+/* 0x0f68	1257 (131 132) */		add	%g5,%g3,%g3
+/* 0x0f6c	1258 (132 134) */		ldx	[%sp+144],%o2
+/* 0x0f70	1259 (133 135) */		ldx	[%sp+152],%g5
+/* 0x0f74	1260 (133 134) */		add	%g3,%o0,%g3
+/* 0x0f78	1261 (134 135) */		st	%g4,[%i0+36]
+/* 0x0f7c	1262 (134 135) */		sllx	%o2,19,%g4
+/* 0x0f80	1263 (134 135) */		add	%g3,%o1,%g3
+/* 0x0f84	1264 (135 137) */		ld	[%i1+48],%o0
+/* 0x0f88	1265 (135 136) */		srlx	%g3,32,%o1
+/* 0x0f8c	1266 (135 136) */		add	%g5,%g4,%g4
+/* 0x0f90	1267 (136 138) */		ldx	[%sp+128],%o2
+/* 0x0f94	1268 (137 139) */		ldx	[%sp+136],%g5
+/* 0x0f98	1269 (137 138) */		add	%g4,%o0,%g4
+/* 0x0f9c	1270 (138 139) */		std	%f4,[%sp+96]
+/* 0x0fa0	1271 (138 139) */		add	%g4,%o1,%g4
+/* 0x0fa4	1272 (139 140) */		st	%g2,[%i0+40]
+/* 0x0fa8	1273 (139 140) */		sllx	%o2,19,%g2
+/* 0x0fac	1274 (139 140) */		srlx	%g4,32,%o1
+/* 0x0fb0	1275 (140 142) */		ld	[%i1+52],%o0
+/* 0x0fb4	1276 (140 141) */		add	%g5,%g2,%g2
+/* 0x0fb8	1277 (141 142) */		std	%f6,[%sp+104]
+/* 0x0fbc	1278 (142 144) */		ldx	[%sp+120],%g5
+/* 0x0fc0	1279 (142 143) */		add	%g2,%o0,%g2
+/* 0x0fc4	1280 (143 144) */		st	%g3,[%i0+44]
+/* 0x0fc8	1281 (143 144) */		add	%g2,%o1,%g2
+/* 0x0fcc	1282 (144 146) */		ldx	[%sp+112],%o2
+/* 0x0fd0	1283 (144 145) */		srlx	%g2,32,%o1
+/* 0x0fd4	1284 (145 147) */		ld	[%i1+56],%o0
+/* 0x0fd8	1285 (146 147) */		st	%g4,[%i0+48]
+/* 0x0fdc	1286 (146 147) */		sllx	%o2,19,%g3
+/* 0x0fe0	1287 (147 149) */		ldx	[%sp+96],%o2
+/* 0x0fe4	1288 (147 148) */		add	%g5,%g3,%g3
+/* 0x0fe8	1289 (148 150) */		ldx	[%sp+104],%g5
+/* 0x0fec	1290 (148 149) */		add	%g3,%o0,%g3
+/* 0x0ff0	1291 (149 151) */		ld	[%i1+60],%o0
+/* 0x0ff4	1292 (149 150) */		sllx	%o2,19,%g4
+/* 0x0ff8	1293 (149 150) */		add	%g3,%o1,%g3
+/* 0x0ffc	1294 (150 151) */		st	%g2,[%i0+52]
+/* 0x1000	1295 (150 151) */		srlx	%g3,32,%o1
+/* 0x1004	1296 (150 151) */		add	%g5,%g4,%g4
+/* 0x1008	1297 (151 152) */		st	%g3,[%i0+56]
+/* 0x100c	1298 (151 152) */		add	%g4,%o0,%g2
+/* 0x1010	1299 (152 153) */		add	%g2,%o1,%g2
+/* 0x1014	1300 (152 153) */		st	%g2,[%i0+60]
+/* 0x1018	1304 (153 154) */		srlx	%g2,32,%o7
+
+!
+! ENTRY .L77000061
+!
+
+        .L77000061:		/* frequency 1.0 confidence 0.0 */
+/* 0x119c	1437 ( 0  1) */		or	%g0,%o7,%i0
+
+!
+! ENTRY .L900000159
+!
+
+        .L900000159:		/* frequency 1.0 confidence 0.0 */
+/* 0x11a0	     ( 0  7) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x11a4	     ( 2  4) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000073
+!
+
+        .L77000073:		/* frequency 1.0 confidence 0.0 */
+	or	%g0, %i4, %o2
+	or	%g0, %o0, %o1
+	or	%g0, %i3, %o0
+
+!
+! ENTRY .L77000052
+!
+
+        .L77000052:		/* frequency 1.0 confidence 0.0 */
+/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
+/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+96]
+/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
+/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
+/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
+/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+92]
+/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
+/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
+/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
+/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1800),%g1
+/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
+/* 0x1054	1337 ( 3  4) */		xor	%g1,-304,%g1
+/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
+/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
+/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
+/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
+/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
+/* 0x106c	1343 ( 5  7) */		ld	[%sp+96],%f9
+/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
+/* 0x1074	1345 ( 6  8) */		ld	[%sp+92],%f11
+/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1800),%g1
+/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
+/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
+/* 0x1084	1349 ( 7  8) */		xor	%g1,-296,%g1
+/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
+/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
+/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
+/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
+/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
+/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1800),%g1
+/* 0x10a0	1356 (10 11) */		xor	%g1,-288,%g1
+/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
+/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
+/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1800),%g1
+/* 0x10b0	1360 (12 13) */		xor	%g1,-280,%g1
+/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
+/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
+/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
+/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
+/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
+/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
+/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
+/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
+/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
+/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
+/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
+/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
+/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
+/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
+/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
+/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
+/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
+/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
+/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
+/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
+/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000154
+!
+
+        .L990000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
+/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
+/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
+/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
+/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
+/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
+/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
+/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
+/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
+/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
+/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
+/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
+/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
+/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
+/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
+/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
+/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
+/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
+/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
+/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
+/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
+/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
+/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
+/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
+/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
+/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
+/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
+/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
+/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
+/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
+/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
+/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
+/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
+/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
+/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
+/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
+/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
+/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
+/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
+/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
+/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
+/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
+/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
+/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
+/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
+/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
+/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
+/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
+/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
+/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
+/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
+/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
+/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
+/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
+/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
+/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
+/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
+/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
+/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
+/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
+/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
+/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
+/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000157
+!
+
+        .L990000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
+/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
+/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
+/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
+/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
+/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
+/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
+/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
+/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
+/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
+/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
+/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
+/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
+/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
+/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
+/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
+/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
+/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
+/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
+/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
+/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
+/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
+/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
+/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
+/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
+/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
+/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
+/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
+/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
+/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
+/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
+/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
+/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
+/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
+/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
+/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
+/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
+/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
+/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
+/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
+/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
+/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
+/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
+/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
+/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
+/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
+/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
+/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
+/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
+/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
+/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
+/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
+/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
+/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
+/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
+/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
+/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
+/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
+/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
+/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
+/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
+/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
+/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
+
+!
+! ENTRY .L77000054
+!
+
+        .L77000054:		/* frequency 1.0 confidence 0.0 */
+/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L990000161
+!
+
+        .L990000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
+/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
+/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
+/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
+/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
+/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
+/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
+/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
+/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
+/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
+/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
+/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
+/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
+/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
+/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
+/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
+/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
+/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
+/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
+/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
+/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
+/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
+/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
+/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
+/* 0x1374	     (16 19) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L77000056
+!
+
+         .L77000056:		/* frequency 1.0 confidence 0.0 */
+/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
+
+!
+! ENTRY .L990000162
+!
+
+         .L990000162:		/* frequency 1.0 confidence 0.0 */
+/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
+/* 0x1380	     ( 0  1) */		nop
+/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1800),%g1
+/* 0x1388	1556 ( 1  2) */		xor	%g1,-304,%g1
+/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
+/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
+/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1800),%g1
+/* 0x1398	1560 ( 3  4) */		xor	%g1,-296,%g1
+/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
+/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
+/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
+/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
+/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
+/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
+/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1800),%g1
+/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
+/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
+/* 0x13c0	1570 ( 7  8) */		xor	%g1,-264,%g1
+/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
+/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
+/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1800),%g1
+/* 0x13d0	1574 ( 9 10) */		xor	%g1,-272,%g1
+/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
+/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
+/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1800),%g1
+/* 0x13e0	1578 (11 12) */		xor	%g1,-296,%g1
+/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
+/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
+/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
+/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
+/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
+/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
+/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
+/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
+/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
+/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
+/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
+/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
+/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000142
+!
+
+        .L990000142:		/* frequency 1.0 confidence 0.0 */
+/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
+/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
+/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
+/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
+/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
+/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
+/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
+/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
+/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
+/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
+/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
+/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
+/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
+/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
+/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
+/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
+/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
+/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
+/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
+/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
+/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
+/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
+/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
+/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
+/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
+/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
+/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
+/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
+/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
+/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
+/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
+/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
+/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
+/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
+/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
+/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
+/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
+/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
+/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
+/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
+/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
+/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000145
+!
+
+        .L990000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
+/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
+/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
+/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
+/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
+/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
+/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
+/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
+
+!
+! ENTRY .L77000058
+!
+
+        .L77000058:		/* frequency 1.0 confidence 0.0 */
+/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L990000160
+!
+
+        .L990000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
+/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
+/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
+/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
+/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
+/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
+/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
+/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
+/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
+/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
+/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
+/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
+/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
+/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
+/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
+/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L77770061
+!
+
+        .L77770061:		/* frequency 1.0 confidence 0.0 */
+/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
+
+/* 0x11a8	1441 ( 0  0) */		.type	mul_add,2
+/* 0x11a8	1442 ( 0  0) */		.size	mul_add,(.-mul_add)
+/* 0x11a8	1445 ( 0  0) */		.align	16
+/* 0x11b0	1451 ( 0  0) */		.global	mul_add_inp
+
+!
+! ENTRY mul_add_inp
+!
+
+        .global mul_add_inp
+        mul_add_inp:		/* frequency 1.0 confidence 0.0 */
+/* 0x11b0	1453 ( 0  1) */		or	%g0,%o2,%g1
+/* 0x11b4	1454 ( 0  1) */		or	%g0,%o3,%o4
+/* 0x11b8	1455 ( 1  2) */		or	%g0,%o0,%g3
+/* 0x11bc	1456 ( 1  2) */		or	%g0,%o1,%g2
+/* 0x11c0	1466 ( 2  3) */		or	%g0,%g1,%o3
+/* 0x11c4	1467 ( 2  3) */		or	%g0,%g3,%o1
+/* 0x11c8	1468 ( 3  4) */		or	%g0,%g2,%o2
+/* 0x11cc	1469 ( 3  4) */		or	%g0,%o7,%g1
+/* 0x11d0	1470 ( 4  6) */		call	mul_add	! params = 	! Result = 
+/* 0x11d4	     ( 5  6) */		or	%g0,%g1,%o7
+/* 0x11d8	1472 ( 0  0) */		.type	mul_add_inp,2
+/* 0x11d8	1473 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
+
+	.section	".data",#alloc,#write
+/* 0x11d8	   6 ( 0  0) */		.align	8
+
+!
+! ENTRY mask_cnst
+!
+
+        mask_cnst:		/* frequency 1.0 confidence 0.0 */
+/* 0x11d8	   8 ( 0  0) */		.word	-2147483648
+/* 0x11dc	   9 ( 0  0) */		.word	-2147483648
+/* 0x11e0	  10 ( 0  0) */		.type	mask_cnst,#object
+/* 0x11e0	  11 ( 0  0) */		.size	mask_cnst,8
+
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv8x.s b/security/nss/lib/freebl/mpi/mpv_sparcv8x.s
new file mode 100644
index 000000000..154d69965
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparcv8x.s
@@ -0,0 +1,175 @@
+! Inner multiply loop functions for pure 32-bit Sparc v8 CPUs.
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+! 
+! The contents of this file are subject to the Mozilla Public License Version 
+! 1.1 (the "License"); you may not use this file except in compliance with 
+! the License. You may obtain a copy of the License at 
+! http://www.mozilla.org/MPL/
+! 
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is a SPARC v8 optimized multiply and add function
+! 
+! The Initial Developer of the Original Code is Sun Microsystems Inc.
+! Portions created by Sun Microsystems Inc. are 
+! Copyright (C) 2000-2005 Sun Microsystems Inc.  All Rights Reserved.
+! 
+! Contributor(s):
+! 
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+! 
+! ***** END LICENSE BLOCK *****
+
+! $Id$
+
+	.file	"mpv_sparcv8x.s"
+	.align	8
+
+	.section     ".text",#alloc,#execinstr
+	.global      s_mpv_mul_d
+ s_mpv_mul_d:
+	save         %sp, -0x60, %sp
+	mov          %i0, %o0
+	clr          %g4
+	cmp          %i1, 0x0
+	be           .L103
+	sub          %i1, 0x1, %o5
+	ld           [%o0], %g1
+.L101:
+	umul         %g1, %i2, %g2
+	rd           %y, %g1
+	add          %g2, %g4, %g3
+	mov          %g1, %o4
+	add          %o0, 0x4, %o0
+	cmp          %g3, %g4
+	blu,a        .L102
+	add          %g1, 0x1, %o4
+.L102:
+	st           %g3, [%i3]
+	mov          %o5, %g1
+	add          %i3, 0x4, %i3
+	cmp          %g1, 0x0
+	mov          %o4, %g4
+	sub          %o5, 0x1, %o5
+	bne,a        .L101
+	ld           [%o0], %g1
+.L103:
+	st           %g4, [%i3]
+	ret
+	restore
+
+	.type	s_mpv_mul_d,2
+	.size	s_mpv_mul_d,(.-s_mpv_mul_d)
+
+	.align	16
+	.global      s_mpv_mul_d_add
+ s_mpv_mul_d_add:
+
+	save         %sp, -0x60, %sp
+	mov          %i0, %o0
+	clr          %g4
+	cmp          %i1, 0x0
+	be           .L204
+	sub          %i1, 0x1, %o5
+	ld           [%o0], %g1
+.L201:
+	umul         %g1, %i2, %g2
+	rd           %y, %g1
+	add          %g2, %g4, %g3
+	mov          %g1, %o4
+	add          %o0, 0x4, %o0
+	cmp          %g3, %g4
+	blu,a        .L202
+	add          %g1, 0x1, %o4
+.L202:
+	ld           [%i3], %g2
+	add          %g3, %g2, %g1
+	cmp          %g1, %g2
+	blu,a        .L203
+	add          %o4, 0x1, %o4
+.L203:
+	st           %g1, [%i3]
+	mov          %o5, %g1
+	add          %i3, 0x4, %i3
+	cmp          %g1, 0x0
+	mov          %o4, %g4
+	sub          %o5, 0x1, %o5
+	bne,a        .L201
+	ld           [%o0], %g1
+.L204:
+	st           %g4, [%i3]
+	ret
+	restore
+
+	.type	s_mpv_mul_d_add,2
+	.size	s_mpv_mul_d_add,(.-s_mpv_mul_d_add)
+
+	.align	16
+	.global      s_mpv_mul_d_add_prop
+ s_mpv_mul_d_add_prop:
+
+	save         %sp, -0x60, %sp
+	mov          %i0, %o0
+	clr          %o5
+	cmp          %i1, 0x0
+	be           .L30x70
+	sub          %i1, 0x1, %g4
+	ld           [%o0], %g1
+.L30x1c:
+	umul         %g1, %i2, %g2
+	rd           %y, %g1
+	add          %g2, %o5, %g3
+	mov          %g1, %o4
+	add          %o0, 0x4, %o0
+	cmp          %g3, %o5
+	blu,a        .L30x3c
+	add          %g1, 0x1, %o4
+.L30x3c:
+	ld           [%i3], %g2
+	add          %g3, %g2, %g1
+	cmp          %g1, %g2
+	blu,a        .L30x50
+	add          %o4, 0x1, %o4
+.L30x50:
+	st           %g1, [%i3]
+	mov          %g4, %g1
+	add          %i3, 0x4, %i3
+	cmp          %g1, 0x0
+	mov          %o4, %o5
+	sub          %g4, 0x1, %g4
+	bne,a        .L30x1c
+	ld           [%o0], %g1
+.L30x70:
+	cmp          %o5, 0x0
+	be           .L30xa0
+	nop
+	ld           [%i3], %g1
+.L30x80:
+	add          %o5, %g1, %g2
+	st           %g2, [%i3]
+	add          %i3, 0x4, %i3
+	cmp          %g2, %g1
+	addx         %g0, 0x0, %o5
+	cmp          %o5, 0x0
+	bne,a        .L30x80
+	ld           [%i3], %g1
+.L30xa0:
+	ret
+	restore
+
+	.type	s_mpv_mul_d_add_prop,2
+	.size	s_mpv_mul_d_add_prop,(.-s_mpv_mul_d_add_prop)
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv9.s b/security/nss/lib/freebl/mpi/mpv_sparcv9.s
new file mode 100644
index 000000000..cb6472a16
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparcv9.s
@@ -0,0 +1,1680 @@
+!
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is a SPARC/VIS optimized multiply and add function.
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1999-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+
+!  $Id$
+!
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.register	%g2,#scratch
+/* 000000	     ( 0  0) */		.register	%g3,#scratch
+/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
+/* 000000	  15 ( 0  0) */		.align	8
+!
+! SUBROUTINE .L_const_seg_900000101
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   .L_const_seg_900000101:		/* frequency 1.0 confidence 0.0 */
+/* 000000	  20 ( 0  0) */		.word	1127219200,0
+/* 0x0008	  21 ( 0  0) */		.word	1105199103,-4194304
+/* 0x0010	  22 ( 0  0) */		.align	8
+/* 0x0010	  28 ( 0  0) */		.global	mul_add
+
+!
+! ENTRY mul_add
+!
+
+                                   	.global mul_add
+                                   mul_add:		/* frequency 1.0 confidence 0.0 */
+/* 0x0010	  30 ( 0  1) */		sethi	%hi(0x1c00),%g1
+/* 0x0014	  31 ( 0  1) */		sethi	%hi(mask_cnst),%g2
+/* 0x0018	  32 ( 1  2) */		xor	%g1,-48,%g1
+/* 0x001c	  33 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
+/* 0x0020	  34 ( 2  3) */		save	%sp,%g1,%sp
+
+!
+! ENTRY .L900000149
+!
+
+                                   .L900000149:		/* frequency 1.0 confidence 0.0 */
+/* 0x0024	  36 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
+/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
+/* 0x002c	 178 ( 2  3) */		sethi	%hi(.L_const_seg_900000101),%g3
+/* 0x0030	 179 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
+/* 0x0034	 180 ( 3  4) */		add	%g3,%lo(.L_const_seg_900000101),%g3
+/* 0x0038	 181 ( 3  4) */		add	%g5,%o7,%o1
+/* 0x003c	 182 ( 4  5) */		sethi	%hi(0x80000),%g4
+/* 0x0040	 183 ( 4  6) */		ldx	[%o1+%g2],%g2
+/* 0x0044	 184 ( 4  5) */		or	%g0,%i2,%o2
+/* 0x0048	 185 ( 5  6) */		subcc	%i4,%g4,%g0
+/* 0x004c	 186 ( 5  7) */		ldx	[%o1+%g3],%o0
+/* 0x0050	 187 ( 6  7) */		or	%g0,%i0,%o7
+/* 0x0054	 188 ( 6  7) */		or	%g0,%i1,%o5
+/* 0x0058	 189 ( 6  9) */		ldd	[%g2],%f0
+/* 0x005c	 190 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
+/* 0x0060	     ( 7  8) */		subcc	%i3,8,%g0
+/* 0x0064	 192 ( 7  8) */		bne,pn	%icc,.L900000158	! tprob=0.50
+/* 0x0068	     ( 8  9) */		subcc	%i3,16,%g0
+/* 0x006c	 194 ( 9 12) */		ldd	[%o2],%f4
+/* 0x0070	 195 (10 11) */		st	%i4,[%sp+2287]
+/* 0x0074	 196 (11 14) */		ldd	[%o0],%f8
+/* 0x0078	 197 (11 13) */		fxnor	%f0,%f4,%f4
+/* 0x007c	 198 (12 15) */		ldd	[%o2+8],%f10
+/* 0x0080	 199 (13 16) */		fitod	%f4,%f12
+/* 0x0084	 200 (13 16) */		ldd	[%o0+8],%f14
+/* 0x0088	 201 (14 17) */		ld	[%sp+2287],%f7
+/* 0x008c	 202 (14 17) */		fitod	%f5,%f4
+/* 0x0090	 203 (15 17) */		fxnor	%f0,%f10,%f10
+/* 0x0094	 204 (15 18) */		ldd	[%o2+16],%f16
+/* 0x0098	 205 (16 19) */		ldd	[%o2+24],%f18
+/* 0x009c	 206 (17 20) */		fsubd	%f14,%f4,%f4
+/* 0x00a0	 210 (17 20) */		ld	[%i1],%g2
+/* 0x00a4	 211 (18 20) */		fxnor	%f0,%f16,%f16
+/* 0x00a8	 212 (18 21) */		ld	[%i1+4],%g3
+/* 0x00ac	 213 (19 22) */		ld	[%i1+8],%g4
+/* 0x00b0	 214 (20 23) */		fitod	%f16,%f20
+/* 0x00b4	 215 (20 23) */		ld	[%i1+16],%o0
+/* 0x00b8	 216 (21 24) */		ld	[%i1+12],%g5
+/* 0x00bc	 217 (22 25) */		ld	[%i1+20],%o1
+/* 0x00c0	 218 (23 26) */		ld	[%i1+24],%o2
+/* 0x00c4	 219 (24 25) */		fmovs	%f8,%f6
+/* 0x00c8	 220 (24 27) */		ld	[%i1+28],%o3
+/* 0x00cc	 221 (26 29) */		fsubd	%f6,%f8,%f6
+/* 0x00d0	 222 (27 30) */		fsubd	%f14,%f12,%f8
+/* 0x00d4	 223 (28 31) */		fitod	%f10,%f12
+/* 0x00d8	 224 (29 32) */		fmuld	%f4,%f6,%f4
+/* 0x00dc	 225 (29 32) */		fitod	%f11,%f10
+/* 0x00e0	 226 (30 33) */		fmuld	%f8,%f6,%f8
+/* 0x00e4	 227 (31 34) */		fsubd	%f14,%f12,%f12
+/* 0x00e8	 228 (32 35) */		fdtox	%f4,%f4
+/* 0x00ec	 229 (32 33) */		std	%f4,[%sp+2271]
+/* 0x00f0	 230 (33 36) */		fdtox	%f8,%f8
+/* 0x00f4	 231 (33 34) */		std	%f8,[%sp+2279]
+/* 0x00f8	 232 (34 37) */		fmuld	%f12,%f6,%f12
+/* 0x00fc	 233 (34 37) */		fsubd	%f14,%f10,%f10
+/* 0x0100	 234 (35 38) */		fsubd	%f14,%f20,%f4
+/* 0x0104	 235 (36 39) */		fitod	%f17,%f8
+/* 0x0108	 236 (37 39) */		fxnor	%f0,%f18,%f16
+/* 0x010c	 237 (37 39) */		ldx	[%sp+2279],%o4
+/* 0x0110	 238 (37 40) */		fmuld	%f10,%f6,%f10
+/* 0x0114	 239 (38 41) */		fdtox	%f12,%f12
+/* 0x0118	 240 (38 39) */		std	%f12,[%sp+2263]
+/* 0x011c	 241 (38 41) */		fmuld	%f4,%f6,%f4
+/* 0x0120	 242 (39 42) */		fitod	%f16,%f18
+/* 0x0124	 243 (39 40) */		add	%o4,%g2,%g2
+/* 0x0128	 244 (39 40) */		st	%g2,[%i0]
+/* 0x012c	 245 (40 42) */		ldx	[%sp+2271],%o4
+/* 0x0130	 246 (40 43) */		fsubd	%f14,%f8,%f8
+/* 0x0134	 247 (40 41) */		srax	%g2,32,%o5
+/* 0x0138	 248 (41 44) */		fdtox	%f10,%f10
+/* 0x013c	 249 (41 42) */		std	%f10,[%sp+2255]
+/* 0x0140	 250 (42 45) */		fdtox	%f4,%f4
+/* 0x0144	 251 (42 43) */		std	%f4,[%sp+2247]
+/* 0x0148	 252 (42 43) */		add	%o4,%g3,%o4
+/* 0x014c	 253 (43 46) */		fitod	%f17,%f12
+/* 0x0150	 254 (43 45) */		ldx	[%sp+2263],%g2
+/* 0x0154	 255 (43 44) */		add	%o4,%o5,%g3
+/* 0x0158	 256 (43 46) */		fmuld	%f8,%f6,%f8
+/* 0x015c	 257 (44 47) */		fsubd	%f14,%f18,%f10
+/* 0x0160	 258 (44 45) */		st	%g3,[%i0+4]
+/* 0x0164	 259 (44 45) */		srax	%g3,32,%g3
+/* 0x0168	 260 (45 46) */		add	%g2,%g4,%g4
+/* 0x016c	 261 (45 47) */		ldx	[%sp+2255],%g2
+/* 0x0170	 262 (46 49) */		fsubd	%f14,%f12,%f4
+/* 0x0174	 263 (46 47) */		add	%g4,%g3,%g3
+/* 0x0178	 264 (46 48) */		ldx	[%sp+2247],%g4
+/* 0x017c	 265 (47 50) */		fmuld	%f10,%f6,%f10
+/* 0x0180	 266 (47 50) */		fdtox	%f8,%f8
+/* 0x0184	 267 (47 48) */		std	%f8,[%sp+2239]
+/* 0x0188	 268 (48 49) */		add	%g4,%o0,%g4
+/* 0x018c	 269 (48 49) */		add	%g2,%g5,%g2
+/* 0x0190	 270 (48 49) */		st	%g3,[%i0+8]
+/* 0x0194	 271 (49 52) */		fmuld	%f4,%f6,%f4
+/* 0x0198	 272 (49 50) */		srax	%g3,32,%o0
+/* 0x019c	 273 (49 51) */		ldx	[%sp+2239],%g5
+/* 0x01a0	 274 (50 53) */		fdtox	%f10,%f6
+/* 0x01a4	 275 (50 51) */		std	%f6,[%sp+2231]
+/* 0x01a8	 276 (50 51) */		add	%g2,%o0,%g2
+/* 0x01ac	 277 (51 52) */		srax	%g2,32,%g3
+/* 0x01b0	 278 (51 52) */		add	%g5,%o1,%o1
+/* 0x01b4	 279 (51 52) */		st	%g2,[%i0+12]
+/* 0x01b8	 280 (52 55) */		fdtox	%f4,%f4
+/* 0x01bc	 281 (52 53) */		std	%f4,[%sp+2223]
+/* 0x01c0	 282 (52 53) */		add	%g4,%g3,%g3
+/* 0x01c4	 283 (53 54) */		srax	%g3,32,%g4
+/* 0x01c8	 284 (53 54) */		st	%g3,[%i0+16]
+/* 0x01cc	 285 (54 56) */		ldx	[%sp+2231],%o0
+/* 0x01d0	 286 (54 55) */		add	%o1,%g4,%g4
+/* 0x01d4	 287 (55 56) */		srax	%g4,32,%g2
+/* 0x01d8	 288 (55 57) */		ldx	[%sp+2223],%g5
+/* 0x01dc	 289 (56 57) */		add	%o0,%o2,%o2
+/* 0x01e0	 290 (56 57) */		st	%g4,[%i0+20]
+/* 0x01e4	 291 (57 58) */		add	%o2,%g2,%g2
+/* 0x01e8	 292 (57 58) */		add	%g5,%o3,%g5
+/* 0x01ec	 293 (57 58) */		st	%g2,[%i0+24]
+/* 0x01f0	 294 (58 59) */		srax	%g2,32,%g3
+/* 0x01f4	 295 (59 60) */		add	%g5,%g3,%g2
+/* 0x01f8	 296 (59 60) */		st	%g2,[%i0+28]
+/* 0x01fc	 300 (60 61) */		srax	%g2,32,%o3
+/* 0x0200	 301 (61 62) */		srl	%o3,0,%i0
+/* 0x0204	     (62 64) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0208	     (64 65) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L900000158
+!
+
+                                   .L900000158:		/* frequency 1.0 confidence 0.0 */
+/* 0x020c	 308 ( 0  1) */		bne,a,pn	%icc,.L900000157	! tprob=0.50
+/* 0x0210	     ( 0  1) */		st	%i4,[%sp+2223]
+/* 0x0214	 315 ( 1  4) */		ldd	[%o2],%f4
+/* 0x0218	 316 ( 2  3) */		st	%i4,[%sp+2351]
+/* 0x021c	 317 ( 3  6) */		ldd	[%o0],%f8
+/* 0x0220	 318 ( 3  5) */		fxnor	%f0,%f4,%f4
+/* 0x0224	 319 ( 4  7) */		ldd	[%o2+8],%f10
+/* 0x0228	 320 ( 5  8) */		ldd	[%o0+8],%f14
+/* 0x022c	 321 ( 5  8) */		fitod	%f4,%f12
+/* 0x0230	 322 ( 6  9) */		ld	[%sp+2351],%f7
+/* 0x0234	 323 ( 6  8) */		fxnor	%f0,%f10,%f10
+/* 0x0238	 324 ( 7 10) */		ldd	[%o2+16],%f16
+/* 0x023c	 325 ( 7 10) */		fitod	%f5,%f4
+/* 0x0240	 326 ( 8 11) */		ldd	[%o2+24],%f18
+/* 0x0244	 330 ( 9 12) */		ldd	[%o2+32],%f20
+/* 0x0248	 331 ( 9 11) */		fxnor	%f0,%f16,%f16
+/* 0x024c	 335 (10 13) */		ld	[%i1],%g2
+/* 0x0250	 336 (10 13) */		fsubd	%f14,%f4,%f4
+/* 0x0254	 337 (11 14) */		ldd	[%o2+40],%f22
+/* 0x0258	 338 (11 14) */		fitod	%f16,%f28
+/* 0x025c	 339 (12 15) */		ld	[%i1+4],%g3
+/* 0x0260	 340 (13 16) */		ld	[%i1+8],%g4
+/* 0x0264	 341 (13 15) */		fxnor	%f0,%f22,%f22
+/* 0x0268	 342 (14 17) */		ld	[%i1+12],%g5
+/* 0x026c	 343 (15 18) */		ld	[%i1+16],%o0
+/* 0x0270	 344 (16 19) */		ldd	[%o2+48],%f24
+/* 0x0274	 345 (17 20) */		ld	[%i1+20],%o1
+/* 0x0278	 346 (17 18) */		fmovs	%f8,%f6
+/* 0x027c	 347 (18 21) */		ldd	[%o2+56],%f26
+/* 0x0280	 348 (19 22) */		ld	[%i1+24],%o2
+/* 0x0284	 349 (19 22) */		fsubd	%f6,%f8,%f6
+/* 0x0288	 350 (20 23) */		ld	[%i1+28],%o3
+/* 0x028c	 351 (20 23) */		fsubd	%f14,%f12,%f8
+/* 0x0290	 355 (21 24) */		ld	[%i1+32],%o4
+/* 0x0294	 356 (21 24) */		fitod	%f10,%f12
+/* 0x0298	 357 (22 25) */		ld	[%i1+36],%o7
+/* 0x029c	 358 (22 25) */		fitod	%f11,%f10
+/* 0x02a0	 359 (22 25) */		fmuld	%f4,%f6,%f4
+/* 0x02a4	 360 (23 26) */		ld	[%i1+40],%l1
+/* 0x02a8	 361 (23 26) */		fmuld	%f8,%f6,%f8
+/* 0x02ac	 362 (24 27) */		ld	[%i1+56],%l5
+/* 0x02b0	 363 (24 27) */		fsubd	%f14,%f12,%f12
+/* 0x02b4	 364 (25 28) */		fsubd	%f14,%f10,%f10
+/* 0x02b8	 365 (26 29) */		fdtox	%f8,%f8
+/* 0x02bc	 366 (26 27) */		std	%f8,[%sp+2343]
+/* 0x02c0	 367 (27 30) */		fitod	%f17,%f8
+/* 0x02c4	 368 (27 30) */		fmuld	%f12,%f6,%f12
+/* 0x02c8	 369 (28 31) */		fdtox	%f4,%f4
+/* 0x02cc	 370 (28 29) */		std	%f4,[%sp+2335]
+/* 0x02d0	 371 (28 31) */		fmuld	%f10,%f6,%f10
+/* 0x02d4	 372 (29 31) */		fxnor	%f0,%f18,%f16
+/* 0x02d8	 373 (30 33) */		fdtox	%f12,%f12
+/* 0x02dc	 374 (30 31) */		std	%f12,[%sp+2327]
+/* 0x02e0	 375 (31 33) */		ldx	[%sp+2343],%o5
+/* 0x02e4	 376 (31 34) */		fsubd	%f14,%f8,%f8
+/* 0x02e8	 377 (32 35) */		fsubd	%f14,%f28,%f4
+/* 0x02ec	 378 (33 36) */		fitod	%f17,%f12
+/* 0x02f0	 379 (33 34) */		add	%o5,%g2,%g2
+/* 0x02f4	 380 (33 34) */		st	%g2,[%i0]
+/* 0x02f8	 381 (34 36) */		ldx	[%sp+2335],%o5
+/* 0x02fc	 382 (34 37) */		fitod	%f16,%f18
+/* 0x0300	 383 (34 35) */		srax	%g2,32,%l0
+/* 0x0304	 384 (35 37) */		fxnor	%f0,%f20,%f16
+/* 0x0308	 385 (35 38) */		fmuld	%f8,%f6,%f20
+/* 0x030c	 386 (36 39) */		fdtox	%f10,%f10
+/* 0x0310	 387 (36 37) */		std	%f10,[%sp+2319]
+/* 0x0314	 388 (36 37) */		add	%o5,%g3,%g3
+/* 0x0318	 389 (36 39) */		fmuld	%f4,%f6,%f4
+/* 0x031c	 390 (37 40) */		fitod	%f16,%f8
+/* 0x0320	 391 (37 38) */		add	%g3,%l0,%g3
+/* 0x0324	 392 (37 38) */		st	%g3,[%i0+4]
+/* 0x0328	 393 (38 40) */		ldx	[%sp+2327],%o5
+/* 0x032c	 394 (38 41) */		fsubd	%f14,%f18,%f18
+/* 0x0330	 395 (38 39) */		srax	%g3,32,%l3
+/* 0x0334	 396 (39 41) */		ldx	[%sp+2319],%l2
+/* 0x0338	 397 (39 42) */		fdtox	%f4,%f4
+/* 0x033c	 398 (40 41) */		std	%f4,[%sp+2311]
+/* 0x0340	 399 (40 43) */		fdtox	%f20,%f20
+/* 0x0344	 400 (40 41) */		add	%o5,%g4,%g4
+/* 0x0348	 401 (41 42) */		std	%f20,[%sp+2303]
+/* 0x034c	 402 (41 44) */		fsubd	%f14,%f12,%f4
+/* 0x0350	 403 (41 42) */		add	%g4,%l3,%g4
+/* 0x0354	 404 (41 44) */		fmuld	%f18,%f6,%f18
+/* 0x0358	 405 (42 43) */		st	%g4,[%i0+8]
+/* 0x035c	 406 (42 45) */		fitod	%f17,%f16
+/* 0x0360	 407 (42 43) */		srax	%g4,32,%l4
+/* 0x0364	 408 (43 46) */		ld	[%i1+44],%l0
+/* 0x0368	 409 (43 46) */		fsubd	%f14,%f8,%f20
+/* 0x036c	 410 (43 44) */		add	%l2,%g5,%l2
+/* 0x0370	 411 (44 46) */		ldx	[%sp+2311],%g5
+/* 0x0374	 412 (44 47) */		fitod	%f22,%f8
+/* 0x0378	 413 (44 45) */		add	%l2,%l4,%l2
+/* 0x037c	 414 (44 47) */		fmuld	%f4,%f6,%f4
+/* 0x0380	 415 (45 46) */		st	%l2,[%i0+12]
+/* 0x0384	 416 (45 48) */		fsubd	%f14,%f16,%f10
+/* 0x0388	 417 (46 49) */		ld	[%i1+52],%l3
+/* 0x038c	 418 (46 49) */		fdtox	%f18,%f18
+/* 0x0390	 419 (46 47) */		add	%g5,%o0,%l4
+/* 0x0394	 420 (46 49) */		fmuld	%f20,%f6,%f12
+/* 0x0398	 421 (47 48) */		std	%f18,[%sp+2295]
+/* 0x039c	 422 (47 48) */		srax	%l2,32,%o0
+/* 0x03a0	 423 (47 50) */		fitod	%f23,%f16
+/* 0x03a4	 424 (48 51) */		ld	[%i1+48],%o5
+/* 0x03a8	 425 (48 51) */		fsubd	%f14,%f8,%f8
+/* 0x03ac	 426 (48 49) */		add	%l4,%o0,%l4
+/* 0x03b0	 427 (49 50) */		st	%l4,[%i0+16]
+/* 0x03b4	 428 (49 50) */		srax	%l4,32,%o0
+/* 0x03b8	 429 (49 51) */		fxnor	%f0,%f24,%f18
+/* 0x03bc	 430 (50 52) */		ldx	[%sp+2303],%g5
+/* 0x03c0	 431 (50 53) */		fdtox	%f4,%f4
+/* 0x03c4	 432 (51 52) */		std	%f4,[%sp+2287]
+/* 0x03c8	 433 (51 54) */		fdtox	%f12,%f12
+/* 0x03cc	 434 (51 54) */		fmuld	%f10,%f6,%f4
+/* 0x03d0	 435 (52 53) */		std	%f12,[%sp+2279]
+/* 0x03d4	 436 (52 55) */		fsubd	%f14,%f16,%f12
+/* 0x03d8	 437 (52 53) */		add	%g5,%o1,%g2
+/* 0x03dc	 438 (52 55) */		fmuld	%f8,%f6,%f8
+/* 0x03e0	 439 (53 55) */		ldx	[%sp+2295],%g5
+/* 0x03e4	 440 (53 56) */		fitod	%f18,%f10
+/* 0x03e8	 441 (53 54) */		add	%g2,%o0,%g2
+/* 0x03ec	 442 (54 55) */		st	%g2,[%i0+20]
+/* 0x03f0	 443 (54 57) */		fitod	%f19,%f16
+/* 0x03f4	 444 (54 55) */		srax	%g2,32,%o0
+/* 0x03f8	 445 (55 58) */		fdtox	%f8,%f8
+/* 0x03fc	 446 (55 56) */		std	%f8,[%sp+2263]
+/* 0x0400	 447 (55 56) */		add	%g5,%o2,%g3
+/* 0x0404	 448 (56 58) */		ldx	[%sp+2287],%g5
+/* 0x0408	 449 (56 59) */		fsubd	%f14,%f10,%f10
+/* 0x040c	 450 (56 57) */		add	%g3,%o0,%g3
+/* 0x0410	 451 (57 58) */		st	%g3,[%i0+24]
+/* 0x0414	 452 (57 60) */		fsubd	%f14,%f16,%f8
+/* 0x0418	 453 (57 58) */		srax	%g3,32,%o0
+/* 0x041c	 454 (58 61) */		fdtox	%f4,%f4
+/* 0x0420	 455 (58 59) */		std	%f4,[%sp+2271]
+/* 0x0424	 456 (58 59) */		add	%g5,%o3,%g4
+/* 0x0428	 457 (59 61) */		fxnor	%f0,%f26,%f18
+/* 0x042c	 458 (59 62) */		fmuld	%f12,%f6,%f4
+/* 0x0430	 459 (59 60) */		add	%g4,%o0,%g4
+/* 0x0434	 460 (60 61) */		st	%g4,[%i0+28]
+/* 0x0438	 461 (60 63) */		fmuld	%f10,%f6,%f10
+/* 0x043c	 462 (60 61) */		srax	%g4,32,%o0
+/* 0x0440	 463 (61 63) */		ldx	[%sp+2279],%g5
+/* 0x0444	 464 (61 64) */		fitod	%f18,%f12
+/* 0x0448	 465 (61 64) */		fmuld	%f8,%f6,%f8
+/* 0x044c	 466 (62 65) */		fdtox	%f4,%f4
+/* 0x0450	 467 (62 63) */		std	%f4,[%sp+2255]
+/* 0x0454	 468 (63 64) */		add	%g5,%o4,%l2
+/* 0x0458	 469 (63 65) */		ldx	[%sp+2271],%g5
+/* 0x045c	 470 (63 66) */		fdtox	%f10,%f16
+/* 0x0460	 471 (64 67) */		fsubd	%f14,%f12,%f4
+/* 0x0464	 472 (64 65) */		std	%f16,[%sp+2247]
+/* 0x0468	 473 (64 65) */		add	%l2,%o0,%l2
+/* 0x046c	 474 (65 68) */		fdtox	%f8,%f8
+/* 0x0470	 475 (65 66) */		std	%f8,[%sp+2239]
+/* 0x0474	 476 (65 66) */		add	%g5,%o7,%l4
+/* 0x0478	 477 (66 69) */		fitod	%f19,%f10
+/* 0x047c	 478 (66 68) */		ldx	[%sp+2263],%g5
+/* 0x0480	 479 (66 67) */		srax	%l2,32,%o0
+/* 0x0484	 480 (67 68) */		add	%l4,%o0,%l4
+/* 0x0488	 481 (67 70) */		fmuld	%f4,%f6,%f4
+/* 0x048c	 482 (67 69) */		ldx	[%sp+2255],%o0
+/* 0x0490	 483 (68 69) */		srax	%l4,32,%o1
+/* 0x0494	 484 (68 69) */		add	%g5,%l1,%l1
+/* 0x0498	 485 (68 69) */		st	%l2,[%i0+32]
+/* 0x049c	 486 (69 72) */		fsubd	%f14,%f10,%f8
+/* 0x04a0	 487 (69 71) */		ldx	[%sp+2239],%o3
+/* 0x04a4	 488 (69 70) */		add	%l1,%o1,%o1
+/* 0x04a8	 489 (70 72) */		ldx	[%sp+2247],%g5
+/* 0x04ac	 490 (70 71) */		srax	%o1,32,%o2
+/* 0x04b0	 491 (70 71) */		add	%o0,%l0,%o0
+/* 0x04b4	 492 (71 74) */		fdtox	%f4,%f4
+/* 0x04b8	 493 (71 72) */		std	%f4,[%sp+2231]
+/* 0x04bc	 494 (71 72) */		add	%o0,%o2,%o2
+/* 0x04c0	 495 (72 73) */		add	%o3,%l3,%l3
+/* 0x04c4	 496 (72 75) */		fmuld	%f8,%f6,%f4
+/* 0x04c8	 497 (72 73) */		add	%g5,%o5,%g5
+/* 0x04cc	 498 (73 74) */		srax	%o2,32,%o3
+/* 0x04d0	 499 (73 74) */		st	%l4,[%i0+36]
+/* 0x04d4	 500 (74 75) */		add	%g5,%o3,%g2
+/* 0x04d8	 501 (74 76) */		ldx	[%sp+2231],%o0
+/* 0x04dc	 502 (75 76) */		srax	%g2,32,%g3
+/* 0x04e0	 503 (75 78) */		fdtox	%f4,%f4
+/* 0x04e4	 504 (75 76) */		std	%f4,[%sp+2223]
+/* 0x04e8	 505 (76 77) */		st	%o1,[%i0+40]
+/* 0x04ec	 506 (76 77) */		add	%l3,%g3,%g3
+/* 0x04f0	 507 (76 77) */		add	%o0,%l5,%g5
+/* 0x04f4	 508 (77 78) */		st	%o2,[%i0+44]
+/* 0x04f8	 509 (77 78) */		srax	%g3,32,%g4
+/* 0x04fc	 510 (78 79) */		st	%g2,[%i0+48]
+/* 0x0500	 511 (78 79) */		add	%g5,%g4,%g4
+/* 0x0504	 512 (79 80) */		st	%g3,[%i0+52]
+/* 0x0508	 513 (79 80) */		srax	%g4,32,%g5
+/* 0x050c	 514 (80 83) */		ld	[%i1+60],%g3
+/* 0x0510	 515 (81 83) */		ldx	[%sp+2223],%g2
+/* 0x0514	 516 (82 83) */		st	%g4,[%i0+56]
+/* 0x0518	 517 (83 84) */		add	%g2,%g3,%g2
+/* 0x051c	 518 (84 85) */		add	%g2,%g5,%g2
+/* 0x0520	 519 (84 85) */		st	%g2,[%i0+60]
+/* 0x0524	 523 (85 86) */		srax	%g2,32,%o3
+/* 0x0528	 524 (86 87) */		srl	%o3,0,%i0
+/* 0x052c	     (87 89) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0530	     (89 90) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L900000157
+!
+
+                                   .L900000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x0534	 532 ( 0  1) */		fmovd	%f0,%f14
+/* 0x0538	 533 ( 0  3) */		ldd	[%o0],%f8
+/* 0x053c	 539 ( 0  1) */		add	%i3,1,%g2
+/* 0x0540	 540 ( 1  4) */		ld	[%sp+2223],%f7
+/* 0x0544	 541 ( 1  2) */		srl	%g2,31,%g3
+/* 0x0548	 545 ( 1  2) */		add	%fp,-217,%g4
+/* 0x054c	 546 ( 2  3) */		add	%g2,%g3,%g2
+/* 0x0550	 547 ( 2  3) */		or	%g0,0,%g5
+/* 0x0554	 548 ( 2  5) */		ldd	[%o0+8],%f18
+/* 0x0558	 549 ( 3  4) */		fmovs	%f8,%f6
+/* 0x055c	 550 ( 3  4) */		sra	%g2,1,%o1
+/* 0x0560	 551 ( 3  4) */		or	%g0,0,%o0
+/* 0x0564	 552 ( 4  5) */		subcc	%o1,0,%g0
+/* 0x0568	 553 ( 5  6) */		or	%g0,%o1,%o3
+/* 0x056c	 554 ( 5  8) */		fsubd	%f6,%f8,%f16
+/* 0x0570	 555 ( 5  6) */		ble,pt	%icc,.L900000156	! tprob=0.50
+/* 0x0574	     ( 6  7) */		subcc	%i3,0,%g0
+/* 0x0578	 557 ( 6  7) */		sub	%o1,1,%g2
+/* 0x057c	 558 ( 7  8) */		or	%g0,0,%i0
+/* 0x0580	 559 ( 7  8) */		or	%g0,1,%g3
+/* 0x0584	 560 ( 8  9) */		subcc	%o3,10,%g0
+/* 0x0588	 561 ( 8  9) */		bl,pn	%icc,.L77000077	! tprob=0.50
+/* 0x058c	     ( 9 10) */		or	%g0,0,%o1
+/* 0x0590	 563 ( 9 12) */		ldd	[%i2+8],%f0
+/* 0x0594	 564 ( 9 10) */		sub	%o3,3,%o3
+/* 0x0598	 565 (10 13) */		ldd	[%i2],%f2
+/* 0x059c	 566 (10 11) */		or	%g0,7,%o0
+/* 0x05a0	 567 (10 11) */		or	%g0,2,%i0
+/* 0x05a4	 568 (11 13) */		fxnor	%f14,%f0,%f8
+/* 0x05a8	 569 (11 14) */		ldd	[%i2+16],%f4
+/* 0x05ac	 570 (11 12) */		or	%g0,16,%o2
+/* 0x05b0	 571 (12 14) */		fxnor	%f14,%f2,%f2
+/* 0x05b4	 572 (12 15) */		ldd	[%i2+24],%f6
+/* 0x05b8	 573 (12 13) */		or	%g0,48,%o4
+/* 0x05bc	 574 (13 16) */		fitod	%f8,%f12
+/* 0x05c0	 575 (13 14) */		or	%g0,24,%o1
+/* 0x05c4	 576 (13 14) */		or	%g0,3,%g3
+/* 0x05c8	 577 (14 17) */		fitod	%f2,%f0
+/* 0x05cc	 578 (15 18) */		fitod	%f3,%f20
+/* 0x05d0	 579 (15 18) */		ldd	[%i2+32],%f2
+/* 0x05d4	 580 (16 19) */		fitod	%f9,%f10
+/* 0x05d8	 581 (16 19) */		ldd	[%i2+40],%f8
+/* 0x05dc	 582 (17 20) */		fsubd	%f18,%f0,%f0
+/* 0x05e0	 583 (18 21) */		fsubd	%f18,%f20,%f22
+/* 0x05e4	 584 (19 22) */		fsubd	%f18,%f12,%f20
+/* 0x05e8	 585 (19 22) */		ldd	[%i2+48],%f12
+/* 0x05ec	 586 (20 23) */		fsubd	%f18,%f10,%f10
+/* 0x05f0	 587 (20 23) */		fmuld	%f0,%f16,%f0
+/* 0x05f4	 588 (21 23) */		fxnor	%f14,%f4,%f4
+/* 0x05f8	 589 (21 24) */		fmuld	%f22,%f16,%f22
+/* 0x05fc	 590 (22 24) */		fxnor	%f14,%f6,%f6
+/* 0x0600	 591 (22 25) */		fmuld	%f20,%f16,%f20
+/* 0x0604	 592 (23 26) */		fdtox	%f0,%f0
+/* 0x0608	 593 (23 24) */		std	%f0,[%fp-217]
+/* 0x060c	 594 (23 26) */		fmuld	%f10,%f16,%f10
+/* 0x0610	 595 (24 27) */		fdtox	%f22,%f22
+/* 0x0614	 596 (24 25) */		std	%f22,[%fp-209]
+/* 0x0618	 597 (25 28) */		fitod	%f5,%f0
+/* 0x061c	 598 (26 29) */		fdtox	%f10,%f10
+/* 0x0620	 599 (27 30) */		fdtox	%f20,%f20
+/* 0x0624	 600 (27 28) */		std	%f20,[%fp-201]
+/* 0x0628	 601 (28 31) */		fitod	%f4,%f4
+/* 0x062c	 602 (28 29) */		std	%f10,[%fp-193]
+/* 0x0630	 603 (29 31) */		fxnor	%f14,%f2,%f10
+/* 0x0634	 604 (30 33) */		fitod	%f7,%f2
+/* 0x0638	 605 (31 34) */		fsubd	%f18,%f0,%f0
+/* 0x063c	 606 (32 35) */		fsubd	%f18,%f4,%f4
+/* 0x0640	 607 (33 35) */		fxnor	%f14,%f8,%f8
+
+!
+! ENTRY .L900000144
+!
+
+                                   .L900000144:		/* frequency 1.0 confidence 0.0 */
+/* 0x0644	 609 ( 0  3) */		fitod	%f11,%f22
+/* 0x0648	 610 ( 0  1) */		add	%o0,3,%o0
+/* 0x064c	 611 ( 0  1) */		add	%g3,6,%g3
+/* 0x0650	 612 ( 0  3) */		fmuld	%f0,%f16,%f0
+/* 0x0654	 613 ( 1  4) */		fmuld	%f4,%f16,%f24
+/* 0x0658	 614 ( 1  2) */		subcc	%o0,%o3,%g0
+/* 0x065c	 615 ( 1  2) */		add	%i0,6,%i0
+/* 0x0660	 616 ( 1  4) */		fsubd	%f18,%f2,%f2
+/* 0x0664	 617 ( 2  5) */		fitod	%f6,%f4
+/* 0x0668	 618 ( 3  6) */		fdtox	%f0,%f0
+/* 0x066c	 619 ( 3  4) */		add	%o4,8,%i1
+/* 0x0670	 620 ( 4  7) */		ldd	[%i2+%i1],%f20
+/* 0x0674	 621 ( 4  7) */		fdtox	%f24,%f6
+/* 0x0678	 622 ( 4  5) */		add	%o2,16,%o4
+/* 0x067c	 623 ( 5  8) */		fsubd	%f18,%f4,%f4
+/* 0x0680	 624 ( 5  6) */		std	%f6,[%o4+%g4]
+/* 0x0684	 625 ( 5  6) */		add	%o1,16,%o2
+/* 0x0688	 626 ( 6  8) */		fxnor	%f14,%f12,%f6
+/* 0x068c	 627 ( 6  7) */		std	%f0,[%o2+%g4]
+/* 0x0690	 628 ( 7 10) */		fitod	%f9,%f0
+/* 0x0694	 629 ( 7 10) */		fmuld	%f2,%f16,%f2
+/* 0x0698	 630 ( 8 11) */		fmuld	%f4,%f16,%f24
+/* 0x069c	 631 ( 8 11) */		fsubd	%f18,%f22,%f12
+/* 0x06a0	 632 ( 9 12) */		fitod	%f10,%f4
+/* 0x06a4	 633 (10 13) */		fdtox	%f2,%f2
+/* 0x06a8	 634 (10 11) */		add	%i1,8,%o1
+/* 0x06ac	 635 (11 14) */		ldd	[%i2+%o1],%f22
+/* 0x06b0	 636 (11 14) */		fdtox	%f24,%f10
+/* 0x06b4	 637 (11 12) */		add	%o4,16,%i4
+/* 0x06b8	 638 (12 15) */		fsubd	%f18,%f4,%f4
+/* 0x06bc	 639 (12 13) */		std	%f10,[%i4+%g4]
+/* 0x06c0	 640 (12 13) */		add	%o2,16,%i1
+/* 0x06c4	 641 (13 15) */		fxnor	%f14,%f20,%f10
+/* 0x06c8	 642 (13 14) */		std	%f2,[%i1+%g4]
+/* 0x06cc	 643 (14 17) */		fitod	%f7,%f2
+/* 0x06d0	 644 (14 17) */		fmuld	%f12,%f16,%f12
+/* 0x06d4	 645 (15 18) */		fmuld	%f4,%f16,%f24
+/* 0x06d8	 646 (15 18) */		fsubd	%f18,%f0,%f0
+/* 0x06dc	 647 (16 19) */		fitod	%f8,%f4
+/* 0x06e0	 648 (17 20) */		fdtox	%f12,%f20
+/* 0x06e4	 649 (17 18) */		add	%o1,8,%o4
+/* 0x06e8	 650 (18 21) */		ldd	[%i2+%o4],%f12
+/* 0x06ec	 651 (18 21) */		fdtox	%f24,%f8
+/* 0x06f0	 652 (18 19) */		add	%i4,16,%o2
+/* 0x06f4	 653 (19 22) */		fsubd	%f18,%f4,%f4
+/* 0x06f8	 654 (19 20) */		std	%f8,[%o2+%g4]
+/* 0x06fc	 655 (19 20) */		add	%i1,16,%o1
+/* 0x0700	 656 (20 22) */		fxnor	%f14,%f22,%f8
+/* 0x0704	 657 (20 21) */		ble,pt	%icc,.L900000144	! tprob=0.50
+/* 0x0708	     (20 21) */		std	%f20,[%o1+%g4]
+
+!
+! ENTRY .L900000147
+!
+
+                                   .L900000147:		/* frequency 1.0 confidence 0.0 */
+/* 0x070c	 660 ( 0  3) */		fitod	%f6,%f6
+/* 0x0710	 661 ( 0  3) */		fmuld	%f4,%f16,%f24
+/* 0x0714	 662 ( 0  1) */		add	%i4,32,%l4
+/* 0x0718	 663 ( 1  4) */		fsubd	%f18,%f2,%f2
+/* 0x071c	 664 ( 1  4) */		fmuld	%f0,%f16,%f22
+/* 0x0720	 665 ( 1  2) */		add	%i1,32,%l3
+/* 0x0724	 666 ( 2  5) */		fitod	%f10,%f28
+/* 0x0728	 667 ( 2  3) */		sra	%o0,0,%o2
+/* 0x072c	 668 ( 2  3) */		add	%i4,48,%l2
+/* 0x0730	 669 ( 3  6) */		fsubd	%f18,%f6,%f4
+/* 0x0734	 670 ( 3  4) */		add	%i1,48,%l1
+/* 0x0738	 671 ( 3  4) */		add	%i4,64,%l0
+/* 0x073c	 672 ( 4  7) */		fitod	%f11,%f26
+/* 0x0740	 673 ( 4  5) */		sllx	%o2,3,%o1
+/* 0x0744	 674 ( 4  5) */		add	%i1,64,%i5
+/* 0x0748	 675 ( 5  8) */		fitod	%f8,%f6
+/* 0x074c	 676 ( 5  6) */		add	%i4,80,%i4
+/* 0x0750	 677 ( 5  6) */		add	%i1,80,%i1
+/* 0x0754	 678 ( 6  8) */		fxnor	%f14,%f12,%f0
+/* 0x0758	 679 ( 6  9) */		fmuld	%f4,%f16,%f20
+/* 0x075c	 680 ( 6  7) */		add	%i4,16,%o4
+/* 0x0760	 681 ( 7 10) */		fitod	%f9,%f4
+/* 0x0764	 682 ( 7 10) */		fmuld	%f2,%f16,%f12
+/* 0x0768	 683 ( 7  8) */		add	%i1,16,%o3
+/* 0x076c	 684 ( 8 11) */		fsubd	%f18,%f28,%f10
+/* 0x0770	 685 ( 8  9) */		subcc	%o0,%g2,%g0
+/* 0x0774	 686 ( 8  9) */		add	%g3,12,%g3
+/* 0x0778	 687 ( 9 12) */		fitod	%f0,%f2
+/* 0x077c	 688 (10 13) */		fsubd	%f18,%f26,%f8
+/* 0x0780	 689 (11 14) */		fitod	%f1,%f0
+/* 0x0784	 690 (11 14) */		fmuld	%f10,%f16,%f10
+/* 0x0788	 691 (12 15) */		fdtox	%f24,%f24
+/* 0x078c	 692 (12 13) */		std	%f24,[%l4+%g4]
+/* 0x0790	 693 (12 13) */		add	%i0,12,%i0
+/* 0x0794	 694 (13 16) */		fsubd	%f18,%f6,%f6
+/* 0x0798	 695 (13 16) */		fmuld	%f8,%f16,%f8
+/* 0x079c	 696 (14 17) */		fdtox	%f22,%f22
+/* 0x07a0	 697 (14 15) */		std	%f22,[%l3+%g4]
+/* 0x07a4	 698 (15 18) */		fsubd	%f18,%f4,%f4
+/* 0x07a8	 699 (16 19) */		fdtox	%f20,%f20
+/* 0x07ac	 700 (16 17) */		std	%f20,[%l2+%g4]
+/* 0x07b0	 701 (16 19) */		fmuld	%f6,%f16,%f6
+/* 0x07b4	 702 (17 20) */		fsubd	%f18,%f2,%f2
+/* 0x07b8	 703 (18 21) */		fsubd	%f18,%f0,%f0
+/* 0x07bc	 704 (18 21) */		fmuld	%f4,%f16,%f4
+/* 0x07c0	 705 (19 22) */		fdtox	%f12,%f12
+/* 0x07c4	 706 (19 20) */		std	%f12,[%l1+%g4]
+/* 0x07c8	 707 (20 23) */		fdtox	%f10,%f10
+/* 0x07cc	 708 (20 21) */		std	%f10,[%l0+%g4]
+/* 0x07d0	 709 (20 23) */		fmuld	%f2,%f16,%f2
+/* 0x07d4	 710 (21 24) */		fdtox	%f8,%f8
+/* 0x07d8	 711 (21 22) */		std	%f8,[%i5+%g4]
+/* 0x07dc	 712 (21 24) */		fmuld	%f0,%f16,%f0
+/* 0x07e0	 713 (22 25) */		fdtox	%f6,%f6
+/* 0x07e4	 714 (22 23) */		std	%f6,[%i4+%g4]
+/* 0x07e8	 715 (23 26) */		fdtox	%f4,%f4
+/* 0x07ec	 716 (23 24) */		std	%f4,[%i1+%g4]
+/* 0x07f0	 717 (24 27) */		fdtox	%f2,%f2
+/* 0x07f4	 718 (24 25) */		std	%f2,[%o4+%g4]
+/* 0x07f8	 719 (25 28) */		fdtox	%f0,%f0
+/* 0x07fc	 720 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
+/* 0x0800	     (25 26) */		std	%f0,[%o3+%g4]
+
+!
+! ENTRY .L77000077
+!
+
+                                   .L77000077:		/* frequency 1.0 confidence 0.0 */
+/* 0x0804	 723 ( 0  3) */		ldd	[%i2+%o1],%f0
+
+!
+! ENTRY .L900000155
+!
+
+                                   .L900000155:		/* frequency 1.0 confidence 0.0 */
+/* 0x0808	 725 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x080c	 726 ( 0  1) */		sra	%i0,0,%o1
+/* 0x0810	 727 ( 0  1) */		add	%o0,1,%o0
+/* 0x0814	 728 ( 1  2) */		sllx	%o1,3,%i4
+/* 0x0818	 729 ( 1  2) */		add	%i0,2,%i0
+/* 0x081c	 730 ( 2  5) */		fitod	%f0,%f2
+/* 0x0820	 731 ( 2  3) */		sra	%g3,0,%o1
+/* 0x0824	 732 ( 2  3) */		add	%g3,2,%g3
+/* 0x0828	 733 ( 3  6) */		fitod	%f1,%f0
+/* 0x082c	 734 ( 3  4) */		sllx	%o1,3,%i1
+/* 0x0830	 735 ( 3  4) */		subcc	%o0,%g2,%g0
+/* 0x0834	 736 ( 4  5) */		sra	%o0,0,%o2
+/* 0x0838	 737 ( 5  8) */		fsubd	%f18,%f2,%f2
+/* 0x083c	 738 ( 5  6) */		sllx	%o2,3,%o1
+/* 0x0840	 739 ( 6  9) */		fsubd	%f18,%f0,%f0
+/* 0x0844	 740 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x0848	 741 ( 9 12) */		fmuld	%f0,%f16,%f0
+/* 0x084c	 742 (11 14) */		fdtox	%f2,%f2
+/* 0x0850	 743 (11 12) */		std	%f2,[%i4+%g4]
+/* 0x0854	 744 (12 15) */		fdtox	%f0,%f0
+/* 0x0858	 745 (12 13) */		std	%f0,[%i1+%g4]
+/* 0x085c	 746 (12 13) */		ble,a,pt	%icc,.L900000155	! tprob=0.50
+/* 0x0860	     (14 17) */		ldd	[%i2+%o1],%f0
+
+!
+! ENTRY .L77000043
+!
+
+                                   .L77000043:		/* frequency 1.0 confidence 0.0 */
+/* 0x0864	 754 ( 0  1) */		subcc	%i3,0,%g0
+
+!
+! ENTRY .L900000156
+!
+
+                                   .L900000156:		/* frequency 1.0 confidence 0.0 */
+/* 0x0868	 756 ( 0  1) */		ble,a,pt	%icc,.L77000061	! tprob=0.50
+/* 0x086c	     ( 0  1) */		or	%g0,%g5,%o3
+/* 0x0870	 761 ( 0  2) */		ldx	[%fp-209],%i1
+/* 0x0874	 762 ( 1  2) */		sub	%i3,1,%g3
+/* 0x0878	 763 ( 1  2) */		or	%g0,0,%i0
+/* 0x087c	 764 ( 2  3) */		subcc	%i3,5,%g0
+/* 0x0880	 765 ( 2  3) */		bl,pn	%icc,.L77000078	! tprob=0.50
+/* 0x0884	     ( 2  4) */		ldx	[%fp-217],%i2
+/* 0x0888	 767 ( 3  6) */		ld	[%o5],%i3
+/* 0x088c	 768 ( 3  4) */		or	%g0,8,%g2
+/* 0x0890	 769 ( 3  4) */		or	%g0,16,%o4
+/* 0x0894	 770 ( 4  5) */		sub	%g3,1,%o3
+/* 0x0898	 771 ( 4  5) */		or	%g0,3,%i0
+/* 0x089c	 772 ( 5  6) */		add	%i2,%i3,%o1
+/* 0x08a0	 773 ( 5  8) */		ld	[%o5+4],%i2
+/* 0x08a4	 774 ( 6  7) */		st	%o1,[%o7]
+/* 0x08a8	 775 ( 6  7) */		srax	%o1,32,%o1
+/* 0x08ac	 776 ( 7  9) */		ldx	[%fp-201],%o2
+/* 0x08b0	 777 ( 7  8) */		add	%i1,%i2,%o0
+/* 0x08b4	 778 ( 7  8) */		or	%g0,%o1,%i1
+/* 0x08b8	 779 ( 8 11) */		ld	[%o5+8],%o1
+/* 0x08bc	 780 ( 8  9) */		add	%o0,%i1,%o0
+/* 0x08c0	 781 ( 9 10) */		st	%o0,[%o7+4]
+/* 0x08c4	 782 ( 9 10) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000140
+!
+
+                                   .L900000140:		/* frequency 1.0 confidence 0.0 */
+/* 0x08c8	 784 ( 0  1) */		add	%g2,4,%i1
+/* 0x08cc	 785 ( 0  1) */		add	%o4,8,%o4
+/* 0x08d0	 786 ( 1  3) */		ldx	[%o4+%g4],%i2
+/* 0x08d4	 787 ( 1  2) */		sra	%o0,0,%g5
+/* 0x08d8	 788 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x08dc	 789 ( 2  5) */		ld	[%o5+%i1],%o0
+/* 0x08e0	 790 ( 2  3) */		add	%o1,%g5,%o1
+/* 0x08e4	 791 ( 2  3) */		add	%i0,2,%i0
+/* 0x08e8	 792 ( 3  4) */		st	%o1,[%o7+%g2]
+/* 0x08ec	 793 ( 3  4) */		srax	%o1,32,%g5
+/* 0x08f0	 794 ( 3  4) */		subcc	%i0,%o3,%g0
+/* 0x08f4	 795 ( 4  5) */		add	%g2,8,%g2
+/* 0x08f8	 796 ( 4  5) */		add	%o4,8,%o4
+/* 0x08fc	 797 ( 5  7) */		ldx	[%o4+%g4],%o2
+/* 0x0900	 798 ( 5  6) */		add	%i2,%o0,%o0
+/* 0x0904	 799 ( 6  9) */		ld	[%o5+%g2],%o1
+/* 0x0908	 800 ( 6  7) */		add	%o0,%g5,%o0
+/* 0x090c	 801 ( 7  8) */		st	%o0,[%o7+%i1]
+/* 0x0910	 802 ( 7  8) */		ble,pt	%icc,.L900000140	! tprob=0.50
+/* 0x0914	     ( 7  8) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000143
+!
+
+                                   .L900000143:		/* frequency 1.0 confidence 0.0 */
+/* 0x0918	 805 ( 0  1) */		sra	%o0,0,%o3
+/* 0x091c	 806 ( 0  1) */		add	%o2,%o1,%o0
+/* 0x0920	 807 ( 1  2) */		add	%o0,%o3,%o0
+/* 0x0924	 808 ( 1  2) */		st	%o0,[%o7+%g2]
+/* 0x0928	 809 ( 1  2) */		subcc	%i0,%g3,%g0
+/* 0x092c	 810 ( 2  3) */		srax	%o0,32,%g5
+/* 0x0930	 811 ( 2  3) */		bg,a,pn	%icc,.L77000061	! tprob=0.50
+/* 0x0934	     ( 3  4) */		or	%g0,%g5,%o3
+
+!
+! ENTRY .L77000078
+!
+
+                                   .L77000078:		/* frequency 1.0 confidence 0.0 */
+/* 0x0938	 814 ( 0  1) */		sra	%i0,0,%o0
+
+!
+! ENTRY .L900000154
+!
+
+                                   .L900000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x093c	 816 ( 0  1) */		sllx	%o0,2,%g2
+/* 0x0940	 817 ( 0  1) */		add	%i0,1,%i0
+/* 0x0944	 818 ( 1  2) */		sllx	%o0,3,%o4
+/* 0x0948	 819 ( 1  4) */		ld	[%o5+%g2],%o2
+/* 0x094c	 820 ( 1  2) */		subcc	%i0,%g3,%g0
+/* 0x0950	 821 ( 2  4) */		ldx	[%o4+%g4],%o0
+/* 0x0954	 822 ( 2  3) */		sra	%g5,0,%o1
+/* 0x0958	 823 ( 4  5) */		add	%o0,%o2,%o0
+/* 0x095c	 824 ( 5  6) */		add	%o0,%o1,%o0
+/* 0x0960	 825 ( 5  6) */		st	%o0,[%o7+%g2]
+/* 0x0964	 826 ( 6  7) */		srax	%o0,32,%g5
+/* 0x0968	 827 ( 6  7) */		ble,pt	%icc,.L900000154	! tprob=0.50
+/* 0x096c	     ( 7  8) */		sra	%i0,0,%o0
+
+!
+! ENTRY .L77000047
+!
+
+                                   .L77000047:		/* frequency 1.0 confidence 0.0 */
+/* 0x0970	 834 ( 0  1) */		or	%g0,%g5,%o3
+
+!
+! ENTRY .L77000061
+!
+
+                                  .L77000061:		/* frequency 1.0 confidence 0.0 */
+
+/* 0x0974	 835 ( 1  2) */		srl	%o3,0,%i0
+/* 0x0978	     ( 2  4) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x097c	     ( 4  5) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000048
+!
+
+                                   .L77000048:		/* frequency 1.0 confidence 0.0 */
+/* 0x0980	 844 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
+/* 0x0984	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0988	 854 ( 0  3) */		ldd	[%o2],%f4
+/* 0x098c	 855 ( 1  4) */		ldd	[%o0],%f6
+/* 0x0990	 856 ( 1  2) */		srl	%i4,19,%g3
+/* 0x0994	 857 ( 1  2) */		andn	%i4,%g2,%g2
+/* 0x0998	 858 ( 2  3) */		st	%g3,[%sp+2351]
+/* 0x099c	 859 ( 2  4) */		fxnor	%f0,%f4,%f4
+/* 0x09a0	 860 ( 3  4) */		st	%g2,[%sp+2355]
+/* 0x09a4	 861 ( 4  7) */		ldd	[%o2+8],%f12
+/* 0x09a8	 862 ( 4  7) */		fitod	%f4,%f10
+/* 0x09ac	 863 ( 5  8) */		ldd	[%o0+8],%f16
+/* 0x09b0	 864 ( 5  8) */		fitod	%f5,%f4
+/* 0x09b4	 865 ( 6  9) */		ldd	[%o2+16],%f18
+/* 0x09b8	 866 ( 6  8) */		fxnor	%f0,%f12,%f12
+/* 0x09bc	 867 ( 7 10) */		ld	[%sp+2351],%f9
+/* 0x09c0	 868 ( 7 10) */		fsubd	%f16,%f10,%f10
+/* 0x09c4	 869 ( 8 11) */		ld	[%sp+2355],%f15
+/* 0x09c8	 870 ( 8 11) */		fitod	%f12,%f22
+/* 0x09cc	 871 ( 9 12) */		ldd	[%o2+24],%f20
+/* 0x09d0	 872 ( 9 12) */		fitod	%f13,%f12
+/* 0x09d4	 876 (10 13) */		ld	[%i1],%g2
+/* 0x09d8	 877 (10 13) */		fsubd	%f16,%f4,%f4
+/* 0x09dc	 878 (11 14) */		ld	[%i1+4],%g3
+/* 0x09e0	 879 (11 14) */		fsubd	%f16,%f22,%f22
+/* 0x09e4	 880 (12 15) */		ld	[%i1+8],%g4
+/* 0x09e8	 881 (12 14) */		fxnor	%f0,%f18,%f18
+/* 0x09ec	 882 (13 16) */		ld	[%i1+12],%g5
+/* 0x09f0	 883 (13 16) */		fsubd	%f16,%f12,%f12
+/* 0x09f4	 884 (14 17) */		ld	[%i1+16],%o0
+/* 0x09f8	 885 (14 17) */		fitod	%f18,%f26
+/* 0x09fc	 886 (15 18) */		ld	[%i1+20],%o1
+/* 0x0a00	 887 (15 17) */		fxnor	%f0,%f20,%f20
+/* 0x0a04	 888 (16 19) */		ld	[%i1+24],%o2
+/* 0x0a08	 889 (17 20) */		ld	[%i1+28],%o3
+/* 0x0a0c	 890 (19 20) */		fmovs	%f6,%f8
+/* 0x0a10	 891 (20 21) */		fmovs	%f6,%f14
+/* 0x0a14	 892 (22 25) */		fsubd	%f8,%f6,%f8
+/* 0x0a18	 893 (23 26) */		fsubd	%f14,%f6,%f6
+/* 0x0a1c	 894 (25 28) */		fmuld	%f10,%f8,%f14
+/* 0x0a20	 895 (26 29) */		fmuld	%f10,%f6,%f10
+/* 0x0a24	 896 (27 30) */		fmuld	%f4,%f8,%f24
+/* 0x0a28	 897 (28 31) */		fdtox	%f14,%f14
+/* 0x0a2c	 898 (28 29) */		std	%f14,[%sp+2335]
+/* 0x0a30	 899 (28 31) */		fmuld	%f22,%f8,%f28
+/* 0x0a34	 900 (29 32) */		fitod	%f19,%f14
+/* 0x0a38	 901 (29 32) */		fmuld	%f22,%f6,%f18
+/* 0x0a3c	 902 (30 33) */		fdtox	%f10,%f10
+/* 0x0a40	 903 (30 31) */		std	%f10,[%sp+2343]
+/* 0x0a44	 904 (30 33) */		fmuld	%f4,%f6,%f4
+/* 0x0a48	 905 (31 34) */		fmuld	%f12,%f8,%f22
+/* 0x0a4c	 906 (32 35) */		fdtox	%f18,%f18
+/* 0x0a50	 907 (32 33) */		std	%f18,[%sp+2311]
+/* 0x0a54	 908 (32 35) */		fmuld	%f12,%f6,%f10
+/* 0x0a58	 909 (33 35) */		ldx	[%sp+2335],%o4
+/* 0x0a5c	 910 (33 36) */		fdtox	%f24,%f12
+/* 0x0a60	 911 (34 35) */		std	%f12,[%sp+2319]
+/* 0x0a64	 912 (34 37) */		fsubd	%f16,%f26,%f12
+/* 0x0a68	 913 (35 37) */		ldx	[%sp+2343],%o5
+/* 0x0a6c	 914 (35 36) */		sllx	%o4,19,%o4
+/* 0x0a70	 915 (35 38) */		fdtox	%f4,%f4
+/* 0x0a74	 916 (36 37) */		std	%f4,[%sp+2327]
+/* 0x0a78	 917 (36 39) */		fdtox	%f28,%f24
+/* 0x0a7c	 918 (37 38) */		std	%f24,[%sp+2303]
+/* 0x0a80	 919 (37 40) */		fitod	%f20,%f4
+/* 0x0a84	 920 (37 38) */		add	%o5,%o4,%o4
+/* 0x0a88	 921 (37 40) */		fmuld	%f12,%f8,%f24
+/* 0x0a8c	 922 (38 40) */		ldx	[%sp+2319],%o7
+/* 0x0a90	 923 (38 41) */		fsubd	%f16,%f14,%f14
+/* 0x0a94	 924 (38 39) */		add	%o4,%g2,%o4
+/* 0x0a98	 925 (38 41) */		fmuld	%f12,%f6,%f12
+/* 0x0a9c	 926 (39 41) */		ldx	[%sp+2327],%o5
+/* 0x0aa0	 927 (39 42) */		fitod	%f21,%f18
+/* 0x0aa4	 928 (40 41) */		st	%o4,[%i0]
+/* 0x0aa8	 929 (40 41) */		sllx	%o7,19,%o7
+/* 0x0aac	 930 (40 43) */		fdtox	%f22,%f20
+/* 0x0ab0	 931 (41 42) */		std	%f20,[%sp+2287]
+/* 0x0ab4	 932 (41 44) */		fdtox	%f10,%f10
+/* 0x0ab8	 933 (41 42) */		add	%o5,%o7,%o5
+/* 0x0abc	 934 (41 44) */		fmuld	%f14,%f8,%f20
+/* 0x0ac0	 935 (42 43) */		std	%f10,[%sp+2295]
+/* 0x0ac4	 936 (42 43) */		srlx	%o4,32,%o7
+/* 0x0ac8	 937 (42 45) */		fsubd	%f16,%f4,%f4
+/* 0x0acc	 938 (42 45) */		fmuld	%f14,%f6,%f14
+/* 0x0ad0	 939 (43 45) */		ldx	[%sp+2311],%g2
+/* 0x0ad4	 940 (43 46) */		fdtox	%f24,%f10
+/* 0x0ad8	 941 (43 44) */		add	%o5,%g3,%g3
+/* 0x0adc	 942 (44 45) */		std	%f10,[%sp+2271]
+/* 0x0ae0	 943 (44 45) */		add	%g3,%o7,%g3
+/* 0x0ae4	 944 (44 47) */		fdtox	%f12,%f12
+/* 0x0ae8	 945 (45 47) */		ldx	[%sp+2303],%l0
+/* 0x0aec	 946 (45 48) */		fsubd	%f16,%f18,%f10
+/* 0x0af0	 947 (45 48) */		fmuld	%f4,%f8,%f16
+/* 0x0af4	 948 (46 47) */		std	%f12,[%sp+2279]
+/* 0x0af8	 949 (46 49) */		fdtox	%f20,%f12
+/* 0x0afc	 950 (46 49) */		fmuld	%f4,%f6,%f4
+/* 0x0b00	 951 (47 48) */		std	%f12,[%sp+2255]
+/* 0x0b04	 952 (47 48) */		sllx	%l0,19,%l0
+/* 0x0b08	 953 (47 50) */		fdtox	%f14,%f12
+/* 0x0b0c	 954 (48 50) */		ldx	[%sp+2287],%o5
+/* 0x0b10	 955 (48 49) */		add	%g2,%l0,%g2
+/* 0x0b14	 956 (48 51) */		fmuld	%f10,%f8,%f8
+/* 0x0b18	 957 (49 51) */		ldx	[%sp+2295],%l1
+/* 0x0b1c	 958 (49 50) */		srlx	%g3,32,%l0
+/* 0x0b20	 959 (49 50) */		add	%g2,%g4,%g4
+/* 0x0b24	 960 (49 52) */		fmuld	%f10,%f6,%f6
+/* 0x0b28	 961 (50 51) */		std	%f12,[%sp+2263]
+/* 0x0b2c	 962 (50 51) */		sllx	%o5,19,%g2
+/* 0x0b30	 963 (50 51) */		add	%g4,%l0,%g4
+/* 0x0b34	 964 (51 53) */		ldx	[%sp+2279],%l0
+/* 0x0b38	 965 (51 52) */		srlx	%g4,32,%o5
+/* 0x0b3c	 966 (51 52) */		add	%l1,%g2,%g2
+/* 0x0b40	 967 (52 53) */		st	%g3,[%i0+4]
+/* 0x0b44	 968 (52 53) */		add	%g2,%g5,%g2
+/* 0x0b48	 969 (52 55) */		fdtox	%f16,%f10
+/* 0x0b4c	 970 (53 55) */		ldx	[%sp+2271],%o7
+/* 0x0b50	 971 (53 54) */		add	%g2,%o5,%g2
+/* 0x0b54	 972 (53 56) */		fdtox	%f4,%f4
+/* 0x0b58	 973 (54 55) */		std	%f10,[%sp+2239]
+/* 0x0b5c	 974 (55 56) */		sllx	%o7,19,%o7
+/* 0x0b60	 975 (55 56) */		std	%f4,[%sp+2247]
+/* 0x0b64	 976 (55 58) */		fdtox	%f8,%f4
+/* 0x0b68	 977 (56 57) */		add	%l0,%o7,%o7
+/* 0x0b6c	 978 (56 58) */		ldx	[%sp+2263],%o5
+/* 0x0b70	 979 (57 58) */		add	%o7,%o0,%o0
+/* 0x0b74	 980 (57 58) */		std	%f4,[%sp+2223]
+/* 0x0b78	 981 (57 60) */		fdtox	%f6,%f4
+/* 0x0b7c	 982 (58 60) */		ldx	[%sp+2255],%g5
+/* 0x0b80	 983 (58 59) */		srlx	%g2,32,%o7
+/* 0x0b84	 984 (59 60) */		std	%f4,[%sp+2231]
+/* 0x0b88	 985 (59 60) */		add	%o0,%o7,%o0
+/* 0x0b8c	 986 (60 61) */		sllx	%g5,19,%g5
+/* 0x0b90	 987 (60 62) */		ldx	[%sp+2247],%l1
+/* 0x0b94	 988 (61 62) */		add	%o5,%g5,%g5
+/* 0x0b98	 989 (61 62) */		st	%g2,[%i0+12]
+/* 0x0b9c	 990 (62 64) */		ldx	[%sp+2239],%l0
+/* 0x0ba0	 991 (62 63) */		srlx	%o0,32,%o4
+/* 0x0ba4	 992 (62 63) */		add	%g5,%o1,%o1
+/* 0x0ba8	 993 (63 64) */		add	%o1,%o4,%o1
+/* 0x0bac	 994 (63 65) */		ldx	[%sp+2223],%o7
+/* 0x0bb0	 995 (64 65) */		sllx	%l0,19,%g3
+/* 0x0bb4	 996 (64 66) */		ldx	[%sp+2231],%o5
+/* 0x0bb8	 997 (65 66) */		add	%l1,%g3,%o4
+/* 0x0bbc	 998 (65 66) */		st	%o0,[%i0+16]
+/* 0x0bc0	 999 (66 67) */		add	%o4,%o2,%o2
+/* 0x0bc4	1000 (66 67) */		st	%o1,[%i0+20]
+/* 0x0bc8	1001 (67 68) */		srlx	%o1,32,%o4
+/* 0x0bcc	1002 (67 68) */		st	%g4,[%i0+8]
+/* 0x0bd0	1003 (68 69) */		sllx	%o7,19,%g2
+/* 0x0bd4	1004 (68 69) */		add	%o2,%o4,%o4
+/* 0x0bd8	1005 (68 69) */		st	%o4,[%i0+24]
+/* 0x0bdc	1006 (69 70) */		add	%o5,%g2,%g2
+/* 0x0be0	1007 (70 71) */		srlx	%o4,32,%g3
+/* 0x0be4	1008 (70 71) */		add	%g2,%o3,%g2
+/* 0x0be8	1009 (71 72) */		add	%g2,%g3,%g2
+/* 0x0bec	1010 (71 72) */		st	%g2,[%i0+28]
+/* 0x0bf0	1014 (72 73) */		srlx	%g2,32,%o3
+/* 0x0bf4	1015 (73 74) */		srl	%o3,0,%i0
+/* 0x0bf8	     (74 76) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0bfc	     (76 77) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000050
+!
+
+                                   .L77000050:		/* frequency 1.0 confidence 0.0 */
+/* 0x0c00	1022 ( 0  1) */		subcc	%i3,16,%g0
+/* 0x0c04	1023 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
+/* 0x0c08	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0c0c	1034 ( 1  4) */		ldd	[%o2],%f4
+/* 0x0c10	1035 ( 1  2) */		andn	%i4,%g2,%g2
+/* 0x0c14	1036 ( 2  3) */		st	%g2,[%sp+2483]
+/* 0x0c18	1037 ( 2  3) */		srl	%i4,19,%g2
+/* 0x0c1c	1038 ( 3  4) */		st	%g2,[%sp+2479]
+/* 0x0c20	1039 ( 3  5) */		fxnor	%f0,%f4,%f4
+/* 0x0c24	1040 ( 4  7) */		ldd	[%o0],%f8
+/* 0x0c28	1041 ( 5  8) */		fitod	%f4,%f10
+/* 0x0c2c	1042 ( 5  8) */		ldd	[%o0+8],%f16
+/* 0x0c30	1043 ( 6  9) */		ldd	[%o2+8],%f14
+/* 0x0c34	1044 ( 6  9) */		fitod	%f5,%f4
+/* 0x0c38	1045 ( 7 10) */		ld	[%sp+2483],%f13
+/* 0x0c3c	1046 ( 8 11) */		ld	[%sp+2479],%f7
+/* 0x0c40	1047 ( 8 11) */		fsubd	%f16,%f10,%f10
+/* 0x0c44	1048 ( 9 11) */		fxnor	%f0,%f14,%f14
+/* 0x0c48	1049 (10 13) */		fsubd	%f16,%f4,%f4
+/* 0x0c4c	1050 (14 15) */		fmovs	%f8,%f12
+/* 0x0c50	1051 (15 16) */		fmovs	%f8,%f6
+/* 0x0c54	1052 (17 20) */		fsubd	%f12,%f8,%f12
+/* 0x0c58	1053 (18 21) */		fsubd	%f6,%f8,%f6
+/* 0x0c5c	1054 (19 22) */		fitod	%f14,%f8
+/* 0x0c60	1055 (20 23) */		fmuld	%f10,%f12,%f18
+/* 0x0c64	1056 (20 23) */		fitod	%f15,%f14
+/* 0x0c68	1057 (21 24) */		fmuld	%f10,%f6,%f10
+/* 0x0c6c	1058 (22 25) */		fsubd	%f16,%f8,%f8
+/* 0x0c70	1059 (22 25) */		fmuld	%f4,%f12,%f20
+/* 0x0c74	1060 (23 26) */		fmuld	%f4,%f6,%f4
+/* 0x0c78	1061 (23 26) */		fsubd	%f16,%f14,%f14
+/* 0x0c7c	1062 (24 27) */		fdtox	%f10,%f10
+/* 0x0c80	1063 (24 25) */		std	%f10,[%sp+2463]
+/* 0x0c84	1064 (25 28) */		fmuld	%f8,%f12,%f10
+/* 0x0c88	1065 (25 28) */		fdtox	%f18,%f18
+/* 0x0c8c	1066 (25 26) */		std	%f18,[%sp+2471]
+/* 0x0c90	1067 (26 29) */		fmuld	%f8,%f6,%f8
+/* 0x0c94	1068 (26 29) */		fdtox	%f4,%f4
+/* 0x0c98	1069 (26 27) */		std	%f4,[%sp+2447]
+/* 0x0c9c	1070 (27 30) */		fmuld	%f14,%f12,%f4
+/* 0x0ca0	1071 (27 30) */		fdtox	%f20,%f18
+/* 0x0ca4	1072 (27 28) */		std	%f18,[%sp+2455]
+/* 0x0ca8	1073 (28 31) */		fdtox	%f10,%f10
+/* 0x0cac	1074 (28 29) */		std	%f10,[%sp+2439]
+/* 0x0cb0	1075 (28 31) */		fmuld	%f14,%f6,%f14
+/* 0x0cb4	1076 (29 32) */		fdtox	%f8,%f8
+/* 0x0cb8	1077 (29 30) */		std	%f8,[%sp+2431]
+/* 0x0cbc	1078 (30 33) */		ldd	[%o2+16],%f10
+/* 0x0cc0	1079 (30 33) */		fdtox	%f4,%f4
+/* 0x0cc4	1080 (31 34) */		ldd	[%o2+24],%f8
+/* 0x0cc8	1081 (31 34) */		fdtox	%f14,%f14
+/* 0x0ccc	1082 (32 33) */		std	%f4,[%sp+2423]
+/* 0x0cd0	1083 (32 34) */		fxnor	%f0,%f10,%f10
+/* 0x0cd4	1084 (33 35) */		fxnor	%f0,%f8,%f4
+/* 0x0cd8	1085 (33 34) */		std	%f14,[%sp+2415]
+/* 0x0cdc	1086 (34 37) */		fitod	%f10,%f8
+/* 0x0ce0	1087 (35 38) */		fitod	%f11,%f10
+/* 0x0ce4	1088 (36 39) */		fitod	%f4,%f14
+/* 0x0ce8	1089 (37 40) */		fsubd	%f16,%f8,%f8
+/* 0x0cec	1090 (38 41) */		fsubd	%f16,%f10,%f10
+/* 0x0cf0	1091 (39 42) */		fsubd	%f16,%f14,%f14
+/* 0x0cf4	1092 (40 43) */		fmuld	%f8,%f12,%f18
+/* 0x0cf8	1093 (40 43) */		fitod	%f5,%f4
+/* 0x0cfc	1094 (41 44) */		fmuld	%f8,%f6,%f8
+/* 0x0d00	1095 (42 45) */		fmuld	%f10,%f12,%f20
+/* 0x0d04	1096 (43 46) */		fmuld	%f10,%f6,%f10
+/* 0x0d08	1097 (43 46) */		fsubd	%f16,%f4,%f4
+/* 0x0d0c	1098 (44 47) */		fdtox	%f8,%f8
+/* 0x0d10	1099 (44 45) */		std	%f8,[%sp+2399]
+/* 0x0d14	1100 (45 48) */		fmuld	%f14,%f12,%f8
+/* 0x0d18	1101 (45 48) */		fdtox	%f18,%f18
+/* 0x0d1c	1102 (45 46) */		std	%f18,[%sp+2407]
+/* 0x0d20	1103 (46 49) */		fdtox	%f10,%f10
+/* 0x0d24	1104 (46 47) */		std	%f10,[%sp+2383]
+/* 0x0d28	1105 (46 49) */		fmuld	%f14,%f6,%f14
+/* 0x0d2c	1106 (47 50) */		fmuld	%f4,%f12,%f10
+/* 0x0d30	1107 (47 50) */		fdtox	%f20,%f18
+/* 0x0d34	1108 (47 48) */		std	%f18,[%sp+2391]
+/* 0x0d38	1109 (48 51) */		fdtox	%f8,%f8
+/* 0x0d3c	1110 (48 49) */		std	%f8,[%sp+2375]
+/* 0x0d40	1111 (48 51) */		fmuld	%f4,%f6,%f4
+/* 0x0d44	1112 (49 52) */		fdtox	%f14,%f14
+/* 0x0d48	1113 (49 50) */		std	%f14,[%sp+2367]
+/* 0x0d4c	1117 (50 53) */		ldd	[%o2+32],%f8
+/* 0x0d50	1118 (50 53) */		fdtox	%f10,%f10
+/* 0x0d54	1119 (51 54) */		fdtox	%f4,%f4
+/* 0x0d58	1120 (51 52) */		std	%f4,[%sp+2351]
+/* 0x0d5c	1121 (52 54) */		fxnor	%f0,%f8,%f8
+/* 0x0d60	1122 (52 55) */		ldd	[%o2+40],%f14
+/* 0x0d64	1123 (53 54) */		std	%f10,[%sp+2359]
+/* 0x0d68	1124 (54 57) */		fitod	%f8,%f4
+/* 0x0d6c	1125 (55 57) */		fxnor	%f0,%f14,%f10
+/* 0x0d70	1126 (56 59) */		fitod	%f9,%f8
+/* 0x0d74	1127 (57 60) */		fsubd	%f16,%f4,%f4
+/* 0x0d78	1128 (58 61) */		fitod	%f10,%f14
+/* 0x0d7c	1129 (59 62) */		fsubd	%f16,%f8,%f8
+/* 0x0d80	1130 (60 63) */		fmuld	%f4,%f12,%f18
+/* 0x0d84	1131 (60 63) */		fitod	%f11,%f10
+/* 0x0d88	1132 (61 64) */		fmuld	%f4,%f6,%f4
+/* 0x0d8c	1133 (61 64) */		fsubd	%f16,%f14,%f14
+/* 0x0d90	1134 (62 65) */		fmuld	%f8,%f12,%f20
+/* 0x0d94	1135 (63 66) */		fmuld	%f8,%f6,%f8
+/* 0x0d98	1136 (63 66) */		fsubd	%f16,%f10,%f10
+/* 0x0d9c	1137 (64 67) */		fdtox	%f4,%f4
+/* 0x0da0	1138 (64 65) */		std	%f4,[%sp+2335]
+/* 0x0da4	1139 (65 68) */		fmuld	%f14,%f12,%f4
+/* 0x0da8	1140 (65 68) */		fdtox	%f18,%f18
+/* 0x0dac	1141 (65 66) */		std	%f18,[%sp+2343]
+/* 0x0db0	1142 (66 69) */		fdtox	%f8,%f8
+/* 0x0db4	1143 (66 67) */		std	%f8,[%sp+2319]
+/* 0x0db8	1144 (66 69) */		fmuld	%f14,%f6,%f14
+/* 0x0dbc	1145 (67 70) */		fmuld	%f10,%f12,%f8
+/* 0x0dc0	1146 (67 70) */		fdtox	%f20,%f18
+/* 0x0dc4	1147 (67 68) */		std	%f18,[%sp+2327]
+/* 0x0dc8	1148 (68 71) */		fdtox	%f4,%f4
+/* 0x0dcc	1149 (68 69) */		std	%f4,[%sp+2311]
+/* 0x0dd0	1150 (68 71) */		fmuld	%f10,%f6,%f10
+/* 0x0dd4	1151 (69 72) */		fdtox	%f14,%f14
+/* 0x0dd8	1152 (69 70) */		std	%f14,[%sp+2303]
+/* 0x0ddc	1153 (70 73) */		ldd	[%o2+48],%f4
+/* 0x0de0	1154 (70 73) */		fdtox	%f8,%f8
+/* 0x0de4	1155 (71 74) */		fdtox	%f10,%f10
+/* 0x0de8	1156 (71 72) */		std	%f10,[%sp+2287]
+/* 0x0dec	1157 (72 74) */		fxnor	%f0,%f4,%f4
+/* 0x0df0	1158 (72 75) */		ldd	[%o2+56],%f14
+/* 0x0df4	1159 (73 74) */		std	%f8,[%sp+2295]
+/* 0x0df8	1160 (74 77) */		fitod	%f4,%f10
+/* 0x0dfc	1161 (75 78) */		fitod	%f5,%f4
+/* 0x0e00	1162 (76 78) */		fxnor	%f0,%f14,%f8
+/* 0x0e04	1163 (77 80) */		fsubd	%f16,%f10,%f10
+/* 0x0e08	1164 (78 81) */		fsubd	%f16,%f4,%f4
+/* 0x0e0c	1165 (79 82) */		fitod	%f8,%f14
+/* 0x0e10	1166 (80 83) */		fmuld	%f10,%f12,%f18
+/* 0x0e14	1167 (80 83) */		fitod	%f9,%f8
+/* 0x0e18	1168 (81 84) */		fmuld	%f10,%f6,%f10
+/* 0x0e1c	1169 (82 85) */		fmuld	%f4,%f12,%f20
+/* 0x0e20	1170 (82 85) */		fsubd	%f16,%f14,%f14
+/* 0x0e24	1171 (83 86) */		fdtox	%f18,%f18
+/* 0x0e28	1172 (83 84) */		std	%f18,[%sp+2279]
+/* 0x0e2c	1173 (83 86) */		fmuld	%f4,%f6,%f4
+/* 0x0e30	1174 (84 87) */		fdtox	%f10,%f10
+/* 0x0e34	1175 (84 85) */		std	%f10,[%sp+2271]
+/* 0x0e38	1176 (85 88) */		fdtox	%f20,%f10
+/* 0x0e3c	1177 (85 86) */		std	%f10,[%sp+2263]
+/* 0x0e40	1178 (86 89) */		fdtox	%f4,%f4
+/* 0x0e44	1179 (86 87) */		std	%f4,[%sp+2255]
+/* 0x0e48	1180 (86 89) */		fmuld	%f14,%f12,%f10
+/* 0x0e4c	1181 (87 90) */		fmuld	%f14,%f6,%f4
+/* 0x0e50	1182 (89 92) */		fdtox	%f10,%f10
+/* 0x0e54	1183 (89 90) */		std	%f10,[%sp+2247]
+/* 0x0e58	1184 (90 93) */		fdtox	%f4,%f4
+/* 0x0e5c	1185 (90 91) */		std	%f4,[%sp+2239]
+/* 0x0e60	1189 (91 93) */		ldx	[%sp+2463],%g2
+/* 0x0e64	1190 (91 94) */		fsubd	%f16,%f8,%f4
+/* 0x0e68	1191 (92 94) */		ldx	[%sp+2471],%g3
+/* 0x0e6c	1192 (93 96) */		ld	[%i1],%g4
+/* 0x0e70	1193 (93 94) */		sllx	%g2,19,%g2
+/* 0x0e74	1194 (94 96) */		ldx	[%sp+2455],%g5
+/* 0x0e78	1195 (94 95) */		add	%g3,%g2,%g2
+/* 0x0e7c	1196 (94 97) */		fmuld	%f4,%f6,%f6
+/* 0x0e80	1197 (95 97) */		ldx	[%sp+2447],%g3
+/* 0x0e84	1198 (95 96) */		add	%g2,%g4,%g4
+/* 0x0e88	1199 (95 98) */		fmuld	%f4,%f12,%f4
+/* 0x0e8c	1200 (96 97) */		st	%g4,[%i0]
+/* 0x0e90	1201 (96 97) */		srlx	%g4,32,%g4
+/* 0x0e94	1202 (97 100) */		ld	[%i1+8],%o0
+/* 0x0e98	1203 (97 98) */		sllx	%g3,19,%g2
+/* 0x0e9c	1204 (97 100) */		fdtox	%f6,%f6
+/* 0x0ea0	1205 (98 101) */		ld	[%i1+4],%g3
+/* 0x0ea4	1206 (98 99) */		add	%g5,%g2,%g2
+/* 0x0ea8	1207 (98 101) */		fdtox	%f4,%f4
+/* 0x0eac	1208 (99 101) */		ldx	[%sp+2439],%g5
+/* 0x0eb0	1209 (100 103) */		ld	[%i1+12],%o1
+/* 0x0eb4	1210 (100 101) */		add	%g2,%g3,%g2
+/* 0x0eb8	1211 (101 103) */		ldx	[%sp+2431],%g3
+/* 0x0ebc	1212 (101 102) */		add	%g2,%g4,%g4
+/* 0x0ec0	1213 (102 103) */		st	%g4,[%i0+4]
+/* 0x0ec4	1214 (103 104) */		std	%f6,[%sp+2223]
+/* 0x0ec8	1215 (103 104) */		sllx	%g3,19,%g2
+/* 0x0ecc	1216 (104 106) */		ldx	[%sp+2423],%g3
+/* 0x0ed0	1217 (104 105) */		add	%g5,%g2,%g2
+/* 0x0ed4	1218 (105 107) */		ldx	[%sp+2415],%g5
+/* 0x0ed8	1219 (105 106) */		add	%g2,%o0,%g2
+/* 0x0edc	1220 (106 107) */		std	%f4,[%sp+2231]
+/* 0x0ee0	1221 (106 107) */		srlx	%g4,32,%o0
+/* 0x0ee4	1222 (107 109) */		ldx	[%sp+2407],%g4
+/* 0x0ee8	1223 (107 108) */		sllx	%g5,19,%g5
+/* 0x0eec	1224 (107 108) */		add	%g2,%o0,%g2
+/* 0x0ef0	1225 (108 109) */		st	%g2,[%i0+8]
+/* 0x0ef4	1226 (108 109) */		srlx	%g2,32,%o0
+/* 0x0ef8	1227 (108 109) */		add	%g3,%g5,%g3
+/* 0x0efc	1228 (109 111) */		ldx	[%sp+2399],%g5
+/* 0x0f00	1229 (109 110) */		add	%g3,%o1,%g3
+/* 0x0f04	1230 (110 113) */		ld	[%i1+16],%o1
+/* 0x0f08	1231 (110 111) */		add	%g3,%o0,%g3
+/* 0x0f0c	1232 (111 112) */		st	%g3,[%i0+12]
+/* 0x0f10	1233 (111 112) */		sllx	%g5,19,%g5
+/* 0x0f14	1234 (112 113) */		srlx	%g3,32,%o0
+/* 0x0f18	1235 (112 113) */		add	%g4,%g5,%g2
+/* 0x0f1c	1236 (112 114) */		ldx	[%sp+2383],%g5
+/* 0x0f20	1237 (113 115) */		ldx	[%sp+2391],%g4
+/* 0x0f24	1238 (113 114) */		add	%g2,%o1,%g2
+/* 0x0f28	1239 (114 117) */		ld	[%i1+20],%o1
+/* 0x0f2c	1240 (114 115) */		sllx	%g5,19,%g5
+/* 0x0f30	1241 (114 115) */		add	%g2,%o0,%g2
+/* 0x0f34	1242 (115 116) */		st	%g2,[%i0+16]
+/* 0x0f38	1243 (115 116) */		srlx	%g2,32,%o0
+/* 0x0f3c	1244 (115 116) */		add	%g4,%g5,%g3
+/* 0x0f40	1245 (116 118) */		ldx	[%sp+2367],%g5
+/* 0x0f44	1246 (116 117) */		add	%g3,%o1,%g3
+/* 0x0f48	1247 (117 119) */		ldx	[%sp+2375],%g4
+/* 0x0f4c	1248 (117 118) */		add	%g3,%o0,%g3
+/* 0x0f50	1249 (118 121) */		ld	[%i1+24],%o1
+/* 0x0f54	1250 (118 119) */		sllx	%g5,19,%g5
+/* 0x0f58	1251 (119 120) */		st	%g3,[%i0+20]
+/* 0x0f5c	1252 (119 120) */		add	%g4,%g5,%g2
+/* 0x0f60	1253 (120 122) */		ldx	[%sp+2351],%g5
+/* 0x0f64	1254 (120 121) */		srlx	%g3,32,%o0
+/* 0x0f68	1255 (120 121) */		add	%g2,%o1,%g2
+/* 0x0f6c	1256 (121 123) */		ldx	[%sp+2359],%g4
+/* 0x0f70	1257 (121 122) */		add	%g2,%o0,%g2
+/* 0x0f74	1258 (122 125) */		ld	[%i1+28],%o1
+/* 0x0f78	1259 (122 123) */		sllx	%g5,19,%g5
+/* 0x0f7c	1260 (123 124) */		st	%g2,[%i0+24]
+/* 0x0f80	1261 (123 124) */		add	%g4,%g5,%g3
+/* 0x0f84	1265 (124 126) */		ldx	[%sp+2335],%g5
+/* 0x0f88	1266 (124 125) */		srlx	%g2,32,%o0
+/* 0x0f8c	1267 (124 125) */		add	%g3,%o1,%g3
+/* 0x0f90	1268 (125 127) */		ldx	[%sp+2343],%g4
+/* 0x0f94	1269 (125 126) */		add	%g3,%o0,%g3
+/* 0x0f98	1270 (126 127) */		sllx	%g5,19,%g5
+/* 0x0f9c	1271 (126 129) */		ld	[%i1+32],%o1
+/* 0x0fa0	1272 (127 128) */		add	%g4,%g5,%g2
+/* 0x0fa4	1273 (127 129) */		ldx	[%sp+2319],%g5
+/* 0x0fa8	1274 (128 130) */		ldx	[%sp+2327],%g4
+/* 0x0fac	1275 (128 129) */		srlx	%g3,32,%o0
+/* 0x0fb0	1276 (128 129) */		add	%g2,%o1,%g2
+/* 0x0fb4	1277 (129 130) */		st	%g3,[%i0+28]
+/* 0x0fb8	1278 (129 130) */		sllx	%g5,19,%g5
+/* 0x0fbc	1279 (129 130) */		add	%g2,%o0,%g2
+/* 0x0fc0	1280 (130 133) */		ld	[%i1+36],%o1
+/* 0x0fc4	1281 (130 131) */		add	%g4,%g5,%g3
+/* 0x0fc8	1282 (131 133) */		ldx	[%sp+2303],%g5
+/* 0x0fcc	1283 (131 132) */		srlx	%g2,32,%o0
+/* 0x0fd0	1284 (132 134) */		ldx	[%sp+2311],%g4
+/* 0x0fd4	1285 (132 133) */		add	%g3,%o1,%g3
+/* 0x0fd8	1286 (133 134) */		sllx	%g5,19,%g5
+/* 0x0fdc	1287 (133 134) */		st	%g2,[%i0+32]
+/* 0x0fe0	1288 (133 134) */		add	%g3,%o0,%g3
+/* 0x0fe4	1289 (134 135) */		add	%g4,%g5,%g2
+/* 0x0fe8	1290 (134 136) */		ldx	[%sp+2287],%g5
+/* 0x0fec	1291 (135 137) */		ldx	[%sp+2295],%g4
+/* 0x0ff0	1292 (135 136) */		srlx	%g3,32,%o0
+/* 0x0ff4	1293 (136 139) */		ld	[%i1+40],%o1
+/* 0x0ff8	1294 (136 137) */		sllx	%g5,19,%g5
+/* 0x0ffc	1295 (137 138) */		st	%g3,[%i0+36]
+/* 0x1000	1296 (137 138) */		add	%g4,%g5,%g3
+/* 0x1004	1297 (138 140) */		ldx	[%sp+2271],%g5
+/* 0x1008	1298 (138 139) */		add	%g2,%o1,%g2
+/* 0x100c	1299 (139 141) */		ldx	[%sp+2279],%g4
+/* 0x1010	1300 (139 140) */		add	%g2,%o0,%g2
+/* 0x1014	1301 (140 143) */		ld	[%i1+44],%o1
+/* 0x1018	1302 (140 141) */		sllx	%g5,19,%g5
+/* 0x101c	1303 (141 142) */		st	%g2,[%i0+40]
+/* 0x1020	1304 (141 142) */		srlx	%g2,32,%o0
+/* 0x1024	1305 (141 142) */		add	%g4,%g5,%g2
+/* 0x1028	1306 (142 144) */		ldx	[%sp+2255],%g5
+/* 0x102c	1307 (142 143) */		add	%g3,%o1,%g3
+/* 0x1030	1308 (143 145) */		ldx	[%sp+2263],%g4
+/* 0x1034	1309 (143 144) */		add	%g3,%o0,%g3
+/* 0x1038	1310 (144 147) */		ld	[%i1+48],%o1
+/* 0x103c	1311 (144 145) */		sllx	%g5,19,%g5
+/* 0x1040	1312 (145 146) */		srlx	%g3,32,%o0
+/* 0x1044	1313 (145 146) */		st	%g3,[%i0+44]
+/* 0x1048	1314 (145 146) */		add	%g4,%g5,%g3
+/* 0x104c	1315 (146 148) */		ldx	[%sp+2239],%g5
+/* 0x1050	1316 (146 147) */		add	%g2,%o1,%g2
+/* 0x1054	1317 (147 150) */		ld	[%i1+52],%o1
+/* 0x1058	1318 (147 148) */		add	%g2,%o0,%g2
+/* 0x105c	1319 (148 150) */		ldx	[%sp+2247],%g4
+/* 0x1060	1320 (148 149) */		sllx	%g5,19,%g5
+/* 0x1064	1321 (149 150) */		srlx	%g2,32,%o0
+/* 0x1068	1322 (149 150) */		st	%g2,[%i0+48]
+/* 0x106c	1323 (149 150) */		add	%g3,%o1,%g3
+/* 0x1070	1324 (150 153) */		ld	[%i1+56],%o1
+/* 0x1074	1325 (150 151) */		add	%g4,%g5,%g2
+/* 0x1078	1326 (150 151) */		add	%g3,%o0,%g3
+/* 0x107c	1327 (151 153) */		ldx	[%sp+2223],%g5
+/* 0x1080	1328 (151 152) */		srlx	%g3,32,%o0
+/* 0x1084	1329 (152 154) */		ldx	[%sp+2231],%g4
+/* 0x1088	1330 (152 153) */		add	%g2,%o1,%g2
+/* 0x108c	1331 (153 154) */		sllx	%g5,19,%g5
+/* 0x1090	1332 (153 156) */		ld	[%i1+60],%o1
+/* 0x1094	1333 (153 154) */		add	%g2,%o0,%g2
+/* 0x1098	1334 (154 155) */		st	%g3,[%i0+52]
+/* 0x109c	1335 (154 155) */		add	%g4,%g5,%g3
+/* 0x10a0	1336 (155 156) */		st	%g2,[%i0+56]
+/* 0x10a4	1337 (155 156) */		srlx	%g2,32,%g2
+/* 0x10a8	1338 (155 156) */		add	%g3,%o1,%g3
+/* 0x10ac	1339 (156 157) */		add	%g3,%g2,%g2
+/* 0x10b0	1340 (156 157) */		st	%g2,[%i0+60]
+/* 0x10b4	1344 (157 158) */		srlx	%g2,32,%o3
+/* 0x10b8	1345 (158 159) */		srl	%o3,0,%i0
+/* 0x10bc	     (159 161) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x10c0	     (161 162) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000073
+!
+
+                                   .L77000073:		/* frequency 1.0 confidence 0.0 */
+
+
+	or	%g0, %i4, %o2
+	or	%g0, %o0, %o1
+	or	%g0, %i3, %o0
+
+!
+! ENTRY .L77000052
+!
+
+                                   .L77000052:		/* frequency 1.0 confidence 0.0 */
+/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
+/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+2227]
+/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
+/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
+/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
+/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+2223]
+/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
+/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
+/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
+/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1000),%g1
+/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
+/* 0x1054	1337 ( 3  4) */		xor	%g1,-625,%g1
+/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
+/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
+/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
+/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
+/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
+/* 0x106c	1343 ( 5  7) */		ld	[%sp+2227],%f9
+/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
+/* 0x1074	1345 ( 6  8) */		ld	[%sp+2223],%f11
+/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1000),%g1
+/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
+/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
+/* 0x1084	1349 ( 7  8) */		xor	%g1,-617,%g1
+/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
+/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
+/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
+/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
+/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
+/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1000),%g1
+/* 0x10a0	1356 (10 11) */		xor	%g1,-609,%g1
+/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
+/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
+/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1000),%g1
+/* 0x10b0	1360 (12 13) */		xor	%g1,-601,%g1
+/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
+/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
+/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
+/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
+/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
+/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
+/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
+/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
+/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
+/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
+/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
+/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
+/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
+/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
+/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
+/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
+/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
+/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
+/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
+/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
+/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000154
+!
+
+                                   .L990000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
+/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
+/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
+/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
+/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
+/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
+/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
+/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
+/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
+/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
+/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
+/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
+/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
+/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
+/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
+/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
+/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
+/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
+/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
+/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
+/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
+/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
+/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
+/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
+/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
+/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
+/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
+/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
+/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
+/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
+/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
+/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
+/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
+/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
+/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
+/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
+/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
+/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
+/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
+/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
+/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
+/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
+/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
+/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
+/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
+/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
+/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
+/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
+/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
+/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
+/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
+/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
+/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
+/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
+/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
+/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
+/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
+/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
+/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
+/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
+/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
+/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
+/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000157
+!
+
+                                   .L990000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
+/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
+/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
+/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
+/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
+/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
+/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
+/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
+/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
+/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
+/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
+/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
+/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
+/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
+/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
+/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
+/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
+/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
+/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
+/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
+/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
+/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
+/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
+/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
+/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
+/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
+/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
+/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
+/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
+/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
+/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
+/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
+/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
+/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
+/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
+/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
+/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
+/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
+/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
+/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
+/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
+/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
+/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
+/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
+/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
+/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
+/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
+/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
+/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
+/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
+/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
+/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
+/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
+/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
+/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
+/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
+/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
+/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
+/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
+/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
+/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
+/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
+/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
+
+!
+! ENTRY .L77000054
+!
+
+                                   .L77000054:		/* frequency 1.0 confidence 0.0 */
+/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L990000161
+!
+
+                                   .L990000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
+/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
+/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
+/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
+/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
+/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
+/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
+/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
+/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
+/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
+/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
+/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
+/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
+/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
+/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
+/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
+/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
+/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
+/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
+/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
+/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
+/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
+/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
+/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
+/* 0x1374	     (16 19) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L77000056
+!
+
+                                   .L77000056:		/* frequency 1.0 confidence 0.0 */
+/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
+
+!
+! ENTRY .L990000162
+!
+
+                                   .L990000162:		/* frequency 1.0 confidence 0.0 */
+/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
+/* 0x1380	     ( 0  1) */		nop
+/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1000),%g1
+/* 0x1388	1556 ( 1  2) */		xor	%g1,-625,%g1
+/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
+/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
+/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1000),%g1
+/* 0x1398	1560 ( 3  4) */		xor	%g1,-617,%g1
+/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
+/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
+/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
+/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
+/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
+/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
+/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1000),%g1
+/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
+/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
+/* 0x13c0	1570 ( 7  8) */		xor	%g1,-585,%g1
+/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
+/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
+/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1000),%g1
+/* 0x13d0	1574 ( 9 10) */		xor	%g1,-593,%g1
+/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
+/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
+/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1000),%g1
+/* 0x13e0	1578 (11 12) */		xor	%g1,-617,%g1
+/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
+/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
+/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
+/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
+/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
+/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
+/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
+/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
+/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
+/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
+/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
+/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
+/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000142
+!
+
+                                   .L990000142:		/* frequency 1.0 confidence 0.0 */
+/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
+/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
+/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
+/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
+/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
+/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
+/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
+/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
+/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
+/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
+/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
+/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
+/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
+/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
+/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
+/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
+/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
+/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
+/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
+/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
+/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
+/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
+/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
+/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
+/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
+/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
+/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
+/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
+/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
+/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
+/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
+/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
+/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
+/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
+/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
+/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
+/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
+/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
+/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
+/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
+/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
+/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000145
+!
+
+                                   .L990000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
+/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
+/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
+/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
+/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
+/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
+/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
+/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
+
+!
+! ENTRY .L77000058
+!
+
+                                   .L77000058:		/* frequency 1.0 confidence 0.0 */
+/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L990000160
+!
+
+                                   .L990000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
+/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
+/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
+/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
+/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
+/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
+/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
+/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
+/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
+/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
+/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
+/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
+/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
+/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
+/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
+/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L77770061
+!
+
+                                   .L77770061:		/* frequency 1.0 confidence 0.0 */
+/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
+
+
+/* 0x124c	1476 ( 0  0) */		.type	mul_add,2
+/* 0x124c	1477 ( 0  0) */		.size	mul_add,(.-mul_add)
+/* 0x124c	1480 ( 0  0) */		.align	8
+/* 0x1250	1486 ( 0  0) */		.global	mul_add_inp
+
+!
+! ENTRY mul_add_inp
+!
+
+                                   	.global mul_add_inp
+                                   mul_add_inp:		/* frequency 1.0 confidence 0.0 */
+/* 0x1250	1488 ( 0  1) */		save	%sp,-176,%sp
+/* 0x1254	1500 ( 1  2) */		sra	%i2,0,%o3
+/* 0x1258	1501 ( 1  2) */		or	%g0,%i1,%o2
+/* 0x125c	1502 ( 2  3) */		or	%g0,%i0,%o0
+/* 0x1260	1503 ( 2  3) */		or	%g0,%i0,%o1
+/* 0x1264	1504 ( 3  5) */		call	mul_add	! params = 	! Result = 
+/* 0x1268	     ( 4  5) */		srl	%i3,0,%o4
+/* 0x126c	1506 ( 5  6) */		srl	%o0,0,%i0
+/* 0x1270	     ( 6  8) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1274	     ( 8  9) */		restore	%g0,%g0,%g0
+/* 0x1278	1509 ( 0  0) */		.type	mul_add_inp,2
+/* 0x1278	1510 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
+
+	.section	".data",#alloc,#write
+/* 0x1278	   6 ( 0  0) */		.align	8
+
+!
+! ENTRY mask_cnst
+!
+
+                                   mask_cnst:		/* frequency 1.0 confidence 0.0 */
+/* 0x1278	   8 ( 0  0) */		.xword	-9223372034707292160
+/* 0x1280	   9 ( 0  0) */		.type	mask_cnst,#object
+/* 0x1280	  10 ( 0  0) */		.size	mask_cnst,8
+
diff --git a/security/nss/lib/freebl/mpi/mpvalpha.c b/security/nss/lib/freebl/mpi/mpvalpha.c
new file mode 100644
index 000000000..5118e73c3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpvalpha.c
@@ -0,0 +1,214 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Multiple Precision Integer optimization code for 
+ * the Compaq Alpha processor.
+ *
+ * The Initial Developer of the Original Code is
+ * Richard C. Swift.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):	Richard C. Swift	(swift@netscape.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi-priv.h"
+#include <c_asm.h>
+
+
+#define MP_MUL_DxD(a, b, Phi, Plo)		\
+ { Plo = asm ("mulq %a0, %a1, %v0", a, b);	\
+   Phi = asm ("umulh %a0, %a1, %v0", a, b); }	\
+
+/* This is empty for the loop in s_mpv_mul_d	*/
+#define CARRY_ADD
+
+#define ONE_MUL				\
+    a_i = *a++;				\
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);	\
+    a0b0 += carry;			\
+    if (a0b0 < carry)			\
+      ++a1b1;				\
+    CARRY_ADD				\
+    *c++ = a0b0;			\
+    carry = a1b1;			\
+
+#define FOUR_MUL			\
+	ONE_MUL				\
+	ONE_MUL				\
+	ONE_MUL				\
+	ONE_MUL				\
+
+#define SIXTEEN_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+
+#define THIRTYTWO_MUL			\
+	SIXTEEN_MUL			\
+	SIXTEEN_MUL			\
+
+#define ONETWENTYEIGHT_MUL		\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+
+
+#define EXPAND_256(CALL)		\
+ mp_digit carry = 0;			\
+ mp_digit a_i;				\
+ mp_digit a0b0, a1b1;			\
+ if (a_len &255) {			\
+	if (a_len &1) {			\
+	  ONE_MUL			\
+	}				\
+	if (a_len &2) {			\
+	  ONE_MUL			\
+	  ONE_MUL			\
+	}				\
+	if (a_len &4) {			\
+	  FOUR_MUL			\
+	}				\
+	if (a_len &8) {			\
+	  FOUR_MUL			\
+	  FOUR_MUL			\
+	}				\
+	if (a_len & 16 ) {		\
+	  SIXTEEN_MUL			\
+	}				\
+	if (a_len & 32 ) {		\
+	  THIRTYTWO_MUL			\
+	}				\
+	if (a_len & 64 ) {		\
+	  THIRTYTWO_MUL			\
+	  THIRTYTWO_MUL			\
+	}				\
+	if (a_len & 128) {		\
+	  ONETWENTYEIGHT_MUL		\
+	}				\
+	a_len = a_len & (-256);		\
+  }					\
+  if (a_len>=256 ) {			\
+	carry = CALL(a, a_len, b, c, carry);	\
+	c += a_len;			\
+  }					\
+
+#define FUNC_NAME(NAME)			\
+mp_digit NAME(const mp_digit *a, 	\
+	mp_size a_len,			\
+	mp_digit b, mp_digit *c, 	\
+	mp_digit carry)			\
+
+#define DECLARE_MUL_256(FNAME)		\
+FUNC_NAME(FNAME)			\
+{					\
+  mp_digit a_i;				\
+  mp_digit a0b0, a1b1;			\
+  while (a_len) {			\
+	ONETWENTYEIGHT_MUL		\
+	ONETWENTYEIGHT_MUL		\
+	a_len-= 256;			\
+  }					\
+  return carry;				\
+}					\
+
+/* Expanding the loop in s_mpv_mul_d appeared to slow down the
+   (admittedly) small number of tests (i.e., timetest) used to
+   measure performance, so this define disables that optimization. */
+#define DO_NOT_EXPAND 1
+
+/* Need forward declaration so it can be instantiated after
+	the routine that uses it; this helps locality somewhat	*/
+#if !defined(DO_NOT_EXPAND)
+FUNC_NAME(s_mpv_mul_d_MUL256);
+#endif
+
+/* c = a * b */
+void s_mpv_mul_d(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+#if defined(DO_NOT_EXPAND)
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+#else
+  EXPAND_256(s_mpv_mul_d_MUL256)
+#endif
+  *c = carry;
+}
+
+#if !defined(DO_NOT_EXPAND)
+DECLARE_MUL_256(s_mpv_mul_d_MUL256)
+#endif
+
+#undef CARRY_ADD
+/* This is redefined for the loop in s_mpv_mul_d_add */
+#define CARRY_ADD			\
+    a0b0 += a_i = *c;			\
+    if (a0b0 < a_i)			\
+      ++a1b1;				\
+
+/* Need forward declaration so it can be instantiated between the
+	two routines that use it; this helps locality somewhat	*/
+FUNC_NAME(s_mpv_mul_d_add_MUL256);
+
+/* c += a * b */
+void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+  EXPAND_256(s_mpv_mul_d_add_MUL256)
+  *c = carry;
+}
+
+/* Instantiate multiply 256 routine here */
+DECLARE_MUL_256(s_mpv_mul_d_add_MUL256)
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+  EXPAND_256(s_mpv_mul_d_add_MUL256)
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+}
+
diff --git a/security/nss/lib/freebl/mpi/mulsqr.c b/security/nss/lib/freebl/mpi/mulsqr.c
new file mode 100644
index 000000000..d73ad8d69
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mulsqr.c
@@ -0,0 +1,115 @@
+/*
+ * Test whether to include squaring code given the current settings
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_SQUARE 1  /* make sure squaring code is included */
+
+#include "mpi.h"
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int           ntests, prec, ix;
+  unsigned int  seed;
+  clock_t       start, stop;
+  double        multime, sqrtime;
+  mp_int        a, c;
+
+  seed = (unsigned int)time(NULL);
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <ntests> <nbits>\n", argv[0]);
+    return 1;
+  }
+
+  if((ntests = abs(atoi(argv[1]))) == 0) {
+    fprintf(stderr, "%s: must request at least 1 test.\n", argv[0]);
+    return 1;
+  }
+  if((prec = abs(atoi(argv[2]))) < CHAR_BIT) {
+    fprintf(stderr, "%s: must request at least %d bits.\n", argv[0],
+	    CHAR_BIT);
+    return 1;
+  }
+
+  prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+
+  mp_init_size(&a, prec);
+  mp_init_size(&c, 2 * prec);
+
+  /* Test multiplication by self */
+  srand(seed);
+  start = clock();
+  for(ix = 0; ix < ntests; ix++) {
+    mpp_random_size(&a, prec);
+    mp_mul(&a, &a, &c);
+  }
+  stop = clock();
+
+  multime = (double)(stop - start) / CLOCKS_PER_SEC;
+
+  /* Test squaring */
+  srand(seed);
+  start = clock();
+  for(ix = 0; ix < ntests; ix++) {
+    mpp_random_size(&a, prec);
+    mp_sqr(&a, &c);
+  }
+  stop = clock();
+
+  sqrtime = (double)(stop - start) / CLOCKS_PER_SEC;
+
+  printf("Multiply: %.4f\n", multime);
+  printf("Square:   %.4f\n", sqrtime);
+  if(multime < sqrtime) {
+    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - multime / sqrtime));
+    printf("Prefer:   multiply\n");
+  } else {
+    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - sqrtime / multime));
+    printf("Prefer:   square\n");
+  }
+
+  mp_clear(&a); mp_clear(&c);
+  return 0;
+
+}
diff --git a/security/nss/lib/freebl/mpi/multest b/security/nss/lib/freebl/mpi/multest
new file mode 100755
index 000000000..e8004ffd9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/multest
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# multest
+#
+# Run multiply and square timing tests, to compute a chart for the
+# current processor and compiler combination.
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+ECHO=/bin/echo
+MAKE=gmake
+
+$ECHO "\n** Running multiply and square timing tests\n"
+
+$ECHO "Bringing 'mulsqr' up to date ... "
+if $MAKE mulsqr ; then
+    :
+else
+    $ECHO "\nMake failed to build mulsqr.\n"
+    exit 1
+fi
+
+if [ ! -x ./mulsqr ] ; then
+    $ECHO "\nCannot find 'mulsqr' program, testing cannot continue.\n"
+    exit 1
+fi
+
+sizes='64 128 192 256 320 384 448 512 640 768 896 1024 1536 2048'
+ntests=500000
+
+$ECHO "Running timing tests, please wait ... "
+
+trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
+
+touch tt$$.tmp
+$ECHO $ntests tests >> tt$$.tmp
+for size in $sizes ; do
+    $ECHO "$size bits ... \c"
+    set -A res `./mulsqr $ntests $size|head -3|tr -d '%'|awk '{print $2}'`
+    $ECHO $size"\t"${res[0]}"\t"${res[1]}"\t"${res[2]} >> tt$$.tmp
+    $ECHO "(done)"
+done
+mv tt$$.tmp mulsqr-results.txt
+rm -f tt$$.tmp
+
+$ECHO "\n** Running Karatsuba-Ofman multiplication tests\n"
+
+$ECHO "Brining 'karatsuba' up to date ... "
+if $MAKE karatsuba ; then
+    :
+else
+    $ECHO "\nMake failed to build karatsuba.\n"
+    exit 1
+fi
+
+if [ ! -x ./karatsuba ] ; then
+    $ECHO "\nCannot find 'karatsuba' program, testing cannot continue.\n"
+    exit 1
+fi
+
+ntests=100000
+
+trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
+
+touch tt$$.tmp
+for size in $sizes ; do
+    $ECHO "$size bits ... "
+    ./karatsuba $ntests $size >> tt$$.tmp
+    tail -2 tt$$.tmp
+done
+mv tt$$.tmp karatsuba-results.txt
+rm -f tt$$.tmp
+
+exit 0
diff --git a/security/nss/lib/freebl/mpi/primes.c b/security/nss/lib/freebl/mpi/primes.c
new file mode 100644
index 000000000..2391c5e4b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/primes.c
@@ -0,0 +1,874 @@
+/*
+ * These tables of primes wwere generated using the 'sieve' program
+ * (sieve.c) and converted to this format with 'ptab.pl'.  
+ *
+ * The 'small' table is just the first 128 primes.  The 'large' table
+ * is a table of all the prime values that will fit into a single
+ * mp_digit (given the current size of an mp_digit, which is two bytes).
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#if SMALL_TABLE
+#define MP_PRIME_TAB_SIZE 128
+#else
+#define MP_PRIME_TAB_SIZE 6542
+#endif
+
+const int prime_tab_size = MP_PRIME_TAB_SIZE;
+const mp_digit  prime_tab[] = {
+	0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013, 
+	0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035, 
+	0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059, 
+	0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083, 
+	0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD, 
+	0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF, 
+	0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107, 
+	0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137, 
+	0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167, 
+	0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199, 
+	0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9, 
+	0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7, 
+	0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239, 
+	0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265, 
+	0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293, 
+	0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF, 
+#if ! SMALL_TABLE
+	0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301, 
+	0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B, 
+	0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371, 
+	0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD, 
+	0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5, 
+	0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419, 
+	0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449, 
+	0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B, 
+	0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7, 
+	0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503, 
+	0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529, 
+	0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F, 
+	0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3, 
+	0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7, 
+	0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623, 
+	0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653, 
+	0x0655, 0x065B, 0x0665, 0x0679, 0x067F, 0x0683, 0x0685, 0x069D, 
+	0x06A1, 0x06A3, 0x06AD, 0x06B9, 0x06BB, 0x06C5, 0x06CD, 0x06D3, 
+	0x06D9, 0x06DF, 0x06F1, 0x06F7, 0x06FB, 0x06FD, 0x0709, 0x0713, 
+	0x071F, 0x0727, 0x0737, 0x0745, 0x074B, 0x074F, 0x0751, 0x0755, 
+	0x0757, 0x0761, 0x076D, 0x0773, 0x0779, 0x078B, 0x078D, 0x079D, 
+	0x079F, 0x07B5, 0x07BB, 0x07C3, 0x07C9, 0x07CD, 0x07CF, 0x07D3, 
+	0x07DB, 0x07E1, 0x07EB, 0x07ED, 0x07F7, 0x0805, 0x080F, 0x0815, 
+	0x0821, 0x0823, 0x0827, 0x0829, 0x0833, 0x083F, 0x0841, 0x0851, 
+	0x0853, 0x0859, 0x085D, 0x085F, 0x0869, 0x0871, 0x0883, 0x089B, 
+	0x089F, 0x08A5, 0x08AD, 0x08BD, 0x08BF, 0x08C3, 0x08CB, 0x08DB, 
+	0x08DD, 0x08E1, 0x08E9, 0x08EF, 0x08F5, 0x08F9, 0x0905, 0x0907, 
+	0x091D, 0x0923, 0x0925, 0x092B, 0x092F, 0x0935, 0x0943, 0x0949, 
+	0x094D, 0x094F, 0x0955, 0x0959, 0x095F, 0x096B, 0x0971, 0x0977, 
+	0x0985, 0x0989, 0x098F, 0x099B, 0x09A3, 0x09A9, 0x09AD, 0x09C7, 
+	0x09D9, 0x09E3, 0x09EB, 0x09EF, 0x09F5, 0x09F7, 0x09FD, 0x0A13, 
+	0x0A1F, 0x0A21, 0x0A31, 0x0A39, 0x0A3D, 0x0A49, 0x0A57, 0x0A61, 
+	0x0A63, 0x0A67, 0x0A6F, 0x0A75, 0x0A7B, 0x0A7F, 0x0A81, 0x0A85, 
+	0x0A8B, 0x0A93, 0x0A97, 0x0A99, 0x0A9F, 0x0AA9, 0x0AAB, 0x0AB5, 
+	0x0ABD, 0x0AC1, 0x0ACF, 0x0AD9, 0x0AE5, 0x0AE7, 0x0AED, 0x0AF1, 
+	0x0AF3, 0x0B03, 0x0B11, 0x0B15, 0x0B1B, 0x0B23, 0x0B29, 0x0B2D, 
+	0x0B3F, 0x0B47, 0x0B51, 0x0B57, 0x0B5D, 0x0B65, 0x0B6F, 0x0B7B, 
+	0x0B89, 0x0B8D, 0x0B93, 0x0B99, 0x0B9B, 0x0BB7, 0x0BB9, 0x0BC3, 
+	0x0BCB, 0x0BCF, 0x0BDD, 0x0BE1, 0x0BE9, 0x0BF5, 0x0BFB, 0x0C07, 
+	0x0C0B, 0x0C11, 0x0C25, 0x0C2F, 0x0C31, 0x0C41, 0x0C5B, 0x0C5F, 
+	0x0C61, 0x0C6D, 0x0C73, 0x0C77, 0x0C83, 0x0C89, 0x0C91, 0x0C95, 
+	0x0C9D, 0x0CB3, 0x0CB5, 0x0CB9, 0x0CBB, 0x0CC7, 0x0CE3, 0x0CE5, 
+	0x0CEB, 0x0CF1, 0x0CF7, 0x0CFB, 0x0D01, 0x0D03, 0x0D0F, 0x0D13, 
+	0x0D1F, 0x0D21, 0x0D2B, 0x0D2D, 0x0D3D, 0x0D3F, 0x0D4F, 0x0D55, 
+	0x0D69, 0x0D79, 0x0D81, 0x0D85, 0x0D87, 0x0D8B, 0x0D8D, 0x0DA3, 
+	0x0DAB, 0x0DB7, 0x0DBD, 0x0DC7, 0x0DC9, 0x0DCD, 0x0DD3, 0x0DD5, 
+	0x0DDB, 0x0DE5, 0x0DE7, 0x0DF3, 0x0DFD, 0x0DFF, 0x0E09, 0x0E17, 
+	0x0E1D, 0x0E21, 0x0E27, 0x0E2F, 0x0E35, 0x0E3B, 0x0E4B, 0x0E57, 
+	0x0E59, 0x0E5D, 0x0E6B, 0x0E71, 0x0E75, 0x0E7D, 0x0E87, 0x0E8F, 
+	0x0E95, 0x0E9B, 0x0EB1, 0x0EB7, 0x0EB9, 0x0EC3, 0x0ED1, 0x0ED5, 
+	0x0EDB, 0x0EED, 0x0EEF, 0x0EF9, 0x0F07, 0x0F0B, 0x0F0D, 0x0F17, 
+	0x0F25, 0x0F29, 0x0F31, 0x0F43, 0x0F47, 0x0F4D, 0x0F4F, 0x0F53, 
+	0x0F59, 0x0F5B, 0x0F67, 0x0F6B, 0x0F7F, 0x0F95, 0x0FA1, 0x0FA3, 
+	0x0FA7, 0x0FAD, 0x0FB3, 0x0FB5, 0x0FBB, 0x0FD1, 0x0FD3, 0x0FD9, 
+	0x0FE9, 0x0FEF, 0x0FFB, 0x0FFD, 0x1003, 0x100F, 0x101F, 0x1021, 
+	0x1025, 0x102B, 0x1039, 0x103D, 0x103F, 0x1051, 0x1069, 0x1073, 
+	0x1079, 0x107B, 0x1085, 0x1087, 0x1091, 0x1093, 0x109D, 0x10A3, 
+	0x10A5, 0x10AF, 0x10B1, 0x10BB, 0x10C1, 0x10C9, 0x10E7, 0x10F1, 
+	0x10F3, 0x10FD, 0x1105, 0x110B, 0x1115, 0x1127, 0x112D, 0x1139, 
+	0x1145, 0x1147, 0x1159, 0x115F, 0x1163, 0x1169, 0x116F, 0x1181, 
+	0x1183, 0x118D, 0x119B, 0x11A1, 0x11A5, 0x11A7, 0x11AB, 0x11C3, 
+	0x11C5, 0x11D1, 0x11D7, 0x11E7, 0x11EF, 0x11F5, 0x11FB, 0x120D, 
+	0x121D, 0x121F, 0x1223, 0x1229, 0x122B, 0x1231, 0x1237, 0x1241, 
+	0x1247, 0x1253, 0x125F, 0x1271, 0x1273, 0x1279, 0x127D, 0x128F, 
+	0x1297, 0x12AF, 0x12B3, 0x12B5, 0x12B9, 0x12BF, 0x12C1, 0x12CD, 
+	0x12D1, 0x12DF, 0x12FD, 0x1307, 0x130D, 0x1319, 0x1327, 0x132D, 
+	0x1337, 0x1343, 0x1345, 0x1349, 0x134F, 0x1357, 0x135D, 0x1367, 
+	0x1369, 0x136D, 0x137B, 0x1381, 0x1387, 0x138B, 0x1391, 0x1393, 
+	0x139D, 0x139F, 0x13AF, 0x13BB, 0x13C3, 0x13D5, 0x13D9, 0x13DF, 
+	0x13EB, 0x13ED, 0x13F3, 0x13F9, 0x13FF, 0x141B, 0x1421, 0x142F, 
+	0x1433, 0x143B, 0x1445, 0x144D, 0x1459, 0x146B, 0x146F, 0x1471, 
+	0x1475, 0x148D, 0x1499, 0x149F, 0x14A1, 0x14B1, 0x14B7, 0x14BD, 
+	0x14CB, 0x14D5, 0x14E3, 0x14E7, 0x1505, 0x150B, 0x1511, 0x1517, 
+	0x151F, 0x1525, 0x1529, 0x152B, 0x1537, 0x153D, 0x1541, 0x1543, 
+	0x1549, 0x155F, 0x1565, 0x1567, 0x156B, 0x157D, 0x157F, 0x1583, 
+	0x158F, 0x1591, 0x1597, 0x159B, 0x15B5, 0x15BB, 0x15C1, 0x15C5, 
+	0x15CD, 0x15D7, 0x15F7, 0x1607, 0x1609, 0x160F, 0x1613, 0x1615, 
+	0x1619, 0x161B, 0x1625, 0x1633, 0x1639, 0x163D, 0x1645, 0x164F, 
+	0x1655, 0x1669, 0x166D, 0x166F, 0x1675, 0x1693, 0x1697, 0x169F, 
+	0x16A9, 0x16AF, 0x16B5, 0x16BD, 0x16C3, 0x16CF, 0x16D3, 0x16D9, 
+	0x16DB, 0x16E1, 0x16E5, 0x16EB, 0x16ED, 0x16F7, 0x16F9, 0x1709, 
+	0x170F, 0x1723, 0x1727, 0x1733, 0x1741, 0x175D, 0x1763, 0x1777, 
+	0x177B, 0x178D, 0x1795, 0x179B, 0x179F, 0x17A5, 0x17B3, 0x17B9, 
+	0x17BF, 0x17C9, 0x17CB, 0x17D5, 0x17E1, 0x17E9, 0x17F3, 0x17F5, 
+	0x17FF, 0x1807, 0x1813, 0x181D, 0x1835, 0x1837, 0x183B, 0x1843, 
+	0x1849, 0x184D, 0x1855, 0x1867, 0x1871, 0x1877, 0x187D, 0x187F, 
+	0x1885, 0x188F, 0x189B, 0x189D, 0x18A7, 0x18AD, 0x18B3, 0x18B9, 
+	0x18C1, 0x18C7, 0x18D1, 0x18D7, 0x18D9, 0x18DF, 0x18E5, 0x18EB, 
+	0x18F5, 0x18FD, 0x1915, 0x191B, 0x1931, 0x1933, 0x1945, 0x1949, 
+	0x1951, 0x195B, 0x1979, 0x1981, 0x1993, 0x1997, 0x1999, 0x19A3, 
+	0x19A9, 0x19AB, 0x19B1, 0x19B5, 0x19C7, 0x19CF, 0x19DB, 0x19ED, 
+	0x19FD, 0x1A03, 0x1A05, 0x1A11, 0x1A17, 0x1A21, 0x1A23, 0x1A2D, 
+	0x1A2F, 0x1A35, 0x1A3F, 0x1A4D, 0x1A51, 0x1A69, 0x1A6B, 0x1A7B, 
+	0x1A7D, 0x1A87, 0x1A89, 0x1A93, 0x1AA7, 0x1AAB, 0x1AAD, 0x1AB1, 
+	0x1AB9, 0x1AC9, 0x1ACF, 0x1AD5, 0x1AD7, 0x1AE3, 0x1AF3, 0x1AFB, 
+	0x1AFF, 0x1B05, 0x1B23, 0x1B25, 0x1B2F, 0x1B31, 0x1B37, 0x1B3B, 
+	0x1B41, 0x1B47, 0x1B4F, 0x1B55, 0x1B59, 0x1B65, 0x1B6B, 0x1B73, 
+	0x1B7F, 0x1B83, 0x1B91, 0x1B9D, 0x1BA7, 0x1BBF, 0x1BC5, 0x1BD1, 
+	0x1BD7, 0x1BD9, 0x1BEF, 0x1BF7, 0x1C09, 0x1C13, 0x1C19, 0x1C27, 
+	0x1C2B, 0x1C2D, 0x1C33, 0x1C3D, 0x1C45, 0x1C4B, 0x1C4F, 0x1C55, 
+	0x1C73, 0x1C81, 0x1C8B, 0x1C8D, 0x1C99, 0x1CA3, 0x1CA5, 0x1CB5, 
+	0x1CB7, 0x1CC9, 0x1CE1, 0x1CF3, 0x1CF9, 0x1D09, 0x1D1B, 0x1D21, 
+	0x1D23, 0x1D35, 0x1D39, 0x1D3F, 0x1D41, 0x1D4B, 0x1D53, 0x1D5D, 
+	0x1D63, 0x1D69, 0x1D71, 0x1D75, 0x1D7B, 0x1D7D, 0x1D87, 0x1D89, 
+	0x1D95, 0x1D99, 0x1D9F, 0x1DA5, 0x1DA7, 0x1DB3, 0x1DB7, 0x1DC5, 
+	0x1DD7, 0x1DDB, 0x1DE1, 0x1DF5, 0x1DF9, 0x1E01, 0x1E07, 0x1E0B, 
+	0x1E13, 0x1E17, 0x1E25, 0x1E2B, 0x1E2F, 0x1E3D, 0x1E49, 0x1E4D, 
+	0x1E4F, 0x1E6D, 0x1E71, 0x1E89, 0x1E8F, 0x1E95, 0x1EA1, 0x1EAD, 
+	0x1EBB, 0x1EC1, 0x1EC5, 0x1EC7, 0x1ECB, 0x1EDD, 0x1EE3, 0x1EEF, 
+	0x1EF7, 0x1EFD, 0x1F01, 0x1F0D, 0x1F0F, 0x1F1B, 0x1F39, 0x1F49, 
+	0x1F4B, 0x1F51, 0x1F67, 0x1F75, 0x1F7B, 0x1F85, 0x1F91, 0x1F97, 
+	0x1F99, 0x1F9D, 0x1FA5, 0x1FAF, 0x1FB5, 0x1FBB, 0x1FD3, 0x1FE1, 
+	0x1FE7, 0x1FEB, 0x1FF3, 0x1FFF, 0x2011, 0x201B, 0x201D, 0x2027, 
+	0x2029, 0x202D, 0x2033, 0x2047, 0x204D, 0x2051, 0x205F, 0x2063, 
+	0x2065, 0x2069, 0x2077, 0x207D, 0x2089, 0x20A1, 0x20AB, 0x20B1, 
+	0x20B9, 0x20C3, 0x20C5, 0x20E3, 0x20E7, 0x20ED, 0x20EF, 0x20FB, 
+	0x20FF, 0x210D, 0x2113, 0x2135, 0x2141, 0x2149, 0x214F, 0x2159, 
+	0x215B, 0x215F, 0x2173, 0x217D, 0x2185, 0x2195, 0x2197, 0x21A1, 
+	0x21AF, 0x21B3, 0x21B5, 0x21C1, 0x21C7, 0x21D7, 0x21DD, 0x21E5, 
+	0x21E9, 0x21F1, 0x21F5, 0x21FB, 0x2203, 0x2209, 0x220F, 0x221B, 
+	0x2221, 0x2225, 0x222B, 0x2231, 0x2239, 0x224B, 0x224F, 0x2263, 
+	0x2267, 0x2273, 0x2275, 0x227F, 0x2285, 0x2287, 0x2291, 0x229D, 
+	0x229F, 0x22A3, 0x22B7, 0x22BD, 0x22DB, 0x22E1, 0x22E5, 0x22ED, 
+	0x22F7, 0x2303, 0x2309, 0x230B, 0x2327, 0x2329, 0x232F, 0x2333, 
+	0x2335, 0x2345, 0x2351, 0x2353, 0x2359, 0x2363, 0x236B, 0x2383, 
+	0x238F, 0x2395, 0x23A7, 0x23AD, 0x23B1, 0x23BF, 0x23C5, 0x23C9, 
+	0x23D5, 0x23DD, 0x23E3, 0x23EF, 0x23F3, 0x23F9, 0x2405, 0x240B, 
+	0x2417, 0x2419, 0x2429, 0x243D, 0x2441, 0x2443, 0x244D, 0x245F, 
+	0x2467, 0x246B, 0x2479, 0x247D, 0x247F, 0x2485, 0x249B, 0x24A1, 
+	0x24AF, 0x24B5, 0x24BB, 0x24C5, 0x24CB, 0x24CD, 0x24D7, 0x24D9, 
+	0x24DD, 0x24DF, 0x24F5, 0x24F7, 0x24FB, 0x2501, 0x2507, 0x2513, 
+	0x2519, 0x2527, 0x2531, 0x253D, 0x2543, 0x254B, 0x254F, 0x2573, 
+	0x2581, 0x258D, 0x2593, 0x2597, 0x259D, 0x259F, 0x25AB, 0x25B1, 
+	0x25BD, 0x25CD, 0x25CF, 0x25D9, 0x25E1, 0x25F7, 0x25F9, 0x2605, 
+	0x260B, 0x260F, 0x2615, 0x2627, 0x2629, 0x2635, 0x263B, 0x263F, 
+	0x264B, 0x2653, 0x2659, 0x2665, 0x2669, 0x266F, 0x267B, 0x2681, 
+	0x2683, 0x268F, 0x269B, 0x269F, 0x26AD, 0x26B3, 0x26C3, 0x26C9, 
+	0x26CB, 0x26D5, 0x26DD, 0x26EF, 0x26F5, 0x2717, 0x2719, 0x2735, 
+	0x2737, 0x274D, 0x2753, 0x2755, 0x275F, 0x276B, 0x276D, 0x2773, 
+	0x2777, 0x277F, 0x2795, 0x279B, 0x279D, 0x27A7, 0x27AF, 0x27B3, 
+	0x27B9, 0x27C1, 0x27C5, 0x27D1, 0x27E3, 0x27EF, 0x2803, 0x2807, 
+	0x280D, 0x2813, 0x281B, 0x281F, 0x2821, 0x2831, 0x283D, 0x283F, 
+	0x2849, 0x2851, 0x285B, 0x285D, 0x2861, 0x2867, 0x2875, 0x2881, 
+	0x2897, 0x289F, 0x28BB, 0x28BD, 0x28C1, 0x28D5, 0x28D9, 0x28DB, 
+	0x28DF, 0x28ED, 0x28F7, 0x2903, 0x2905, 0x2911, 0x2921, 0x2923, 
+	0x293F, 0x2947, 0x295D, 0x2965, 0x2969, 0x296F, 0x2975, 0x2983, 
+	0x2987, 0x298F, 0x299B, 0x29A1, 0x29A7, 0x29AB, 0x29BF, 0x29C3, 
+	0x29D5, 0x29D7, 0x29E3, 0x29E9, 0x29ED, 0x29F3, 0x2A01, 0x2A13, 
+	0x2A1D, 0x2A25, 0x2A2F, 0x2A4F, 0x2A55, 0x2A5F, 0x2A65, 0x2A6B, 
+	0x2A6D, 0x2A73, 0x2A83, 0x2A89, 0x2A8B, 0x2A97, 0x2A9D, 0x2AB9, 
+	0x2ABB, 0x2AC5, 0x2ACD, 0x2ADD, 0x2AE3, 0x2AEB, 0x2AF1, 0x2AFB, 
+	0x2B13, 0x2B27, 0x2B31, 0x2B33, 0x2B3D, 0x2B3F, 0x2B4B, 0x2B4F, 
+	0x2B55, 0x2B69, 0x2B6D, 0x2B6F, 0x2B7B, 0x2B8D, 0x2B97, 0x2B99, 
+	0x2BA3, 0x2BA5, 0x2BA9, 0x2BBD, 0x2BCD, 0x2BE7, 0x2BEB, 0x2BF3, 
+	0x2BF9, 0x2BFD, 0x2C09, 0x2C0F, 0x2C17, 0x2C23, 0x2C2F, 0x2C35, 
+	0x2C39, 0x2C41, 0x2C57, 0x2C59, 0x2C69, 0x2C77, 0x2C81, 0x2C87, 
+	0x2C93, 0x2C9F, 0x2CAD, 0x2CB3, 0x2CB7, 0x2CCB, 0x2CCF, 0x2CDB, 
+	0x2CE1, 0x2CE3, 0x2CE9, 0x2CEF, 0x2CFF, 0x2D07, 0x2D1D, 0x2D1F, 
+	0x2D3B, 0x2D43, 0x2D49, 0x2D4D, 0x2D61, 0x2D65, 0x2D71, 0x2D89, 
+	0x2D9D, 0x2DA1, 0x2DA9, 0x2DB3, 0x2DB5, 0x2DC5, 0x2DC7, 0x2DD3, 
+	0x2DDF, 0x2E01, 0x2E03, 0x2E07, 0x2E0D, 0x2E19, 0x2E1F, 0x2E25, 
+	0x2E2D, 0x2E33, 0x2E37, 0x2E39, 0x2E3F, 0x2E57, 0x2E5B, 0x2E6F, 
+	0x2E79, 0x2E7F, 0x2E85, 0x2E93, 0x2E97, 0x2E9D, 0x2EA3, 0x2EA5, 
+	0x2EB1, 0x2EB7, 0x2EC1, 0x2EC3, 0x2ECD, 0x2ED3, 0x2EE7, 0x2EEB, 
+	0x2F05, 0x2F09, 0x2F0B, 0x2F11, 0x2F27, 0x2F29, 0x2F41, 0x2F45, 
+	0x2F4B, 0x2F4D, 0x2F51, 0x2F57, 0x2F6F, 0x2F75, 0x2F7D, 0x2F81, 
+	0x2F83, 0x2FA5, 0x2FAB, 0x2FB3, 0x2FC3, 0x2FCF, 0x2FD1, 0x2FDB, 
+	0x2FDD, 0x2FE7, 0x2FED, 0x2FF5, 0x2FF9, 0x3001, 0x300D, 0x3023, 
+	0x3029, 0x3037, 0x303B, 0x3055, 0x3059, 0x305B, 0x3067, 0x3071, 
+	0x3079, 0x307D, 0x3085, 0x3091, 0x3095, 0x30A3, 0x30A9, 0x30B9, 
+	0x30BF, 0x30C7, 0x30CB, 0x30D1, 0x30D7, 0x30DF, 0x30E5, 0x30EF, 
+	0x30FB, 0x30FD, 0x3103, 0x3109, 0x3119, 0x3121, 0x3127, 0x312D, 
+	0x3139, 0x3143, 0x3145, 0x314B, 0x315D, 0x3161, 0x3167, 0x316D, 
+	0x3173, 0x317F, 0x3191, 0x3199, 0x319F, 0x31A9, 0x31B1, 0x31C3, 
+	0x31C7, 0x31D5, 0x31DB, 0x31ED, 0x31F7, 0x31FF, 0x3209, 0x3215, 
+	0x3217, 0x321D, 0x3229, 0x3235, 0x3259, 0x325D, 0x3263, 0x326B, 
+	0x326F, 0x3275, 0x3277, 0x327B, 0x328D, 0x3299, 0x329F, 0x32A7, 
+	0x32AD, 0x32B3, 0x32B7, 0x32C9, 0x32CB, 0x32CF, 0x32D1, 0x32E9, 
+	0x32ED, 0x32F3, 0x32F9, 0x3307, 0x3325, 0x332B, 0x332F, 0x3335, 
+	0x3341, 0x3347, 0x335B, 0x335F, 0x3367, 0x336B, 0x3373, 0x3379, 
+	0x337F, 0x3383, 0x33A1, 0x33A3, 0x33AD, 0x33B9, 0x33C1, 0x33CB, 
+	0x33D3, 0x33EB, 0x33F1, 0x33FD, 0x3401, 0x340F, 0x3413, 0x3419, 
+	0x341B, 0x3437, 0x3445, 0x3455, 0x3457, 0x3463, 0x3469, 0x346D, 
+	0x3481, 0x348B, 0x3491, 0x3497, 0x349D, 0x34A5, 0x34AF, 0x34BB, 
+	0x34C9, 0x34D3, 0x34E1, 0x34F1, 0x34FF, 0x3509, 0x3517, 0x351D, 
+	0x352D, 0x3533, 0x353B, 0x3541, 0x3551, 0x3565, 0x356F, 0x3571, 
+	0x3577, 0x357B, 0x357D, 0x3581, 0x358D, 0x358F, 0x3599, 0x359B, 
+	0x35A1, 0x35B7, 0x35BD, 0x35BF, 0x35C3, 0x35D5, 0x35DD, 0x35E7, 
+	0x35EF, 0x3605, 0x3607, 0x3611, 0x3623, 0x3631, 0x3635, 0x3637, 
+	0x363B, 0x364D, 0x364F, 0x3653, 0x3659, 0x3661, 0x366B, 0x366D, 
+	0x368B, 0x368F, 0x36AD, 0x36AF, 0x36B9, 0x36BB, 0x36CD, 0x36D1, 
+	0x36E3, 0x36E9, 0x36F7, 0x3701, 0x3703, 0x3707, 0x371B, 0x373F, 
+	0x3745, 0x3749, 0x374F, 0x375D, 0x3761, 0x3775, 0x377F, 0x378D, 
+	0x37A3, 0x37A9, 0x37AB, 0x37C9, 0x37D5, 0x37DF, 0x37F1, 0x37F3, 
+	0x37F7, 0x3805, 0x380B, 0x3821, 0x3833, 0x3835, 0x3841, 0x3847, 
+	0x384B, 0x3853, 0x3857, 0x385F, 0x3865, 0x386F, 0x3871, 0x387D, 
+	0x388F, 0x3899, 0x38A7, 0x38B7, 0x38C5, 0x38C9, 0x38CF, 0x38D5, 
+	0x38D7, 0x38DD, 0x38E1, 0x38E3, 0x38FF, 0x3901, 0x391D, 0x3923, 
+	0x3925, 0x3929, 0x392F, 0x393D, 0x3941, 0x394D, 0x395B, 0x396B, 
+	0x3979, 0x397D, 0x3983, 0x398B, 0x3991, 0x3995, 0x399B, 0x39A1, 
+	0x39A7, 0x39AF, 0x39B3, 0x39BB, 0x39BF, 0x39CD, 0x39DD, 0x39E5, 
+	0x39EB, 0x39EF, 0x39FB, 0x3A03, 0x3A13, 0x3A15, 0x3A1F, 0x3A27, 
+	0x3A2B, 0x3A31, 0x3A4B, 0x3A51, 0x3A5B, 0x3A63, 0x3A67, 0x3A6D, 
+	0x3A79, 0x3A87, 0x3AA5, 0x3AA9, 0x3AB7, 0x3ACD, 0x3AD5, 0x3AE1, 
+	0x3AE5, 0x3AEB, 0x3AF3, 0x3AFD, 0x3B03, 0x3B11, 0x3B1B, 0x3B21, 
+	0x3B23, 0x3B2D, 0x3B39, 0x3B45, 0x3B53, 0x3B59, 0x3B5F, 0x3B71, 
+	0x3B7B, 0x3B81, 0x3B89, 0x3B9B, 0x3B9F, 0x3BA5, 0x3BA7, 0x3BAD, 
+	0x3BB7, 0x3BB9, 0x3BC3, 0x3BCB, 0x3BD1, 0x3BD7, 0x3BE1, 0x3BE3, 
+	0x3BF5, 0x3BFF, 0x3C01, 0x3C0D, 0x3C11, 0x3C17, 0x3C1F, 0x3C29, 
+	0x3C35, 0x3C43, 0x3C4F, 0x3C53, 0x3C5B, 0x3C65, 0x3C6B, 0x3C71, 
+	0x3C85, 0x3C89, 0x3C97, 0x3CA7, 0x3CB5, 0x3CBF, 0x3CC7, 0x3CD1, 
+	0x3CDD, 0x3CDF, 0x3CF1, 0x3CF7, 0x3D03, 0x3D0D, 0x3D19, 0x3D1B, 
+	0x3D1F, 0x3D21, 0x3D2D, 0x3D33, 0x3D37, 0x3D3F, 0x3D43, 0x3D6F, 
+	0x3D73, 0x3D75, 0x3D79, 0x3D7B, 0x3D85, 0x3D91, 0x3D97, 0x3D9D, 
+	0x3DAB, 0x3DAF, 0x3DB5, 0x3DBB, 0x3DC1, 0x3DC9, 0x3DCF, 0x3DF3, 
+	0x3E05, 0x3E09, 0x3E0F, 0x3E11, 0x3E1D, 0x3E23, 0x3E29, 0x3E2F, 
+	0x3E33, 0x3E41, 0x3E57, 0x3E63, 0x3E65, 0x3E77, 0x3E81, 0x3E87, 
+	0x3EA1, 0x3EB9, 0x3EBD, 0x3EBF, 0x3EC3, 0x3EC5, 0x3EC9, 0x3ED7, 
+	0x3EDB, 0x3EE1, 0x3EE7, 0x3EEF, 0x3EFF, 0x3F0B, 0x3F0D, 0x3F37, 
+	0x3F3B, 0x3F3D, 0x3F41, 0x3F59, 0x3F5F, 0x3F65, 0x3F67, 0x3F79, 
+	0x3F7D, 0x3F8B, 0x3F91, 0x3FAD, 0x3FBF, 0x3FCD, 0x3FD3, 0x3FDD, 
+	0x3FE9, 0x3FEB, 0x3FF1, 0x3FFD, 0x401B, 0x4021, 0x4025, 0x402B, 
+	0x4031, 0x403F, 0x4043, 0x4045, 0x405D, 0x4061, 0x4067, 0x406D, 
+	0x4087, 0x4091, 0x40A3, 0x40A9, 0x40B1, 0x40B7, 0x40BD, 0x40DB, 
+	0x40DF, 0x40EB, 0x40F7, 0x40F9, 0x4109, 0x410B, 0x4111, 0x4115, 
+	0x4121, 0x4133, 0x4135, 0x413B, 0x413F, 0x4159, 0x4165, 0x416B, 
+	0x4177, 0x417B, 0x4193, 0x41AB, 0x41B7, 0x41BD, 0x41BF, 0x41CB, 
+	0x41E7, 0x41EF, 0x41F3, 0x41F9, 0x4205, 0x4207, 0x4219, 0x421F, 
+	0x4223, 0x4229, 0x422F, 0x4243, 0x4253, 0x4255, 0x425B, 0x4261, 
+	0x4273, 0x427D, 0x4283, 0x4285, 0x4289, 0x4291, 0x4297, 0x429D, 
+	0x42B5, 0x42C5, 0x42CB, 0x42D3, 0x42DD, 0x42E3, 0x42F1, 0x4307, 
+	0x430F, 0x431F, 0x4325, 0x4327, 0x4333, 0x4337, 0x4339, 0x434F, 
+	0x4357, 0x4369, 0x438B, 0x438D, 0x4393, 0x43A5, 0x43A9, 0x43AF, 
+	0x43B5, 0x43BD, 0x43C7, 0x43CF, 0x43E1, 0x43E7, 0x43EB, 0x43ED, 
+	0x43F1, 0x43F9, 0x4409, 0x440B, 0x4417, 0x4423, 0x4429, 0x443B, 
+	0x443F, 0x4445, 0x444B, 0x4451, 0x4453, 0x4459, 0x4465, 0x446F, 
+	0x4483, 0x448F, 0x44A1, 0x44A5, 0x44AB, 0x44AD, 0x44BD, 0x44BF, 
+	0x44C9, 0x44D7, 0x44DB, 0x44F9, 0x44FB, 0x4505, 0x4511, 0x4513, 
+	0x452B, 0x4531, 0x4541, 0x4549, 0x4553, 0x4555, 0x4561, 0x4577, 
+	0x457D, 0x457F, 0x458F, 0x45A3, 0x45AD, 0x45AF, 0x45BB, 0x45C7, 
+	0x45D9, 0x45E3, 0x45EF, 0x45F5, 0x45F7, 0x4601, 0x4603, 0x4609, 
+	0x4613, 0x4625, 0x4627, 0x4633, 0x4639, 0x463D, 0x4643, 0x4645, 
+	0x465D, 0x4679, 0x467B, 0x467F, 0x4681, 0x468B, 0x468D, 0x469D, 
+	0x46A9, 0x46B1, 0x46C7, 0x46C9, 0x46CF, 0x46D3, 0x46D5, 0x46DF, 
+	0x46E5, 0x46F9, 0x4705, 0x470F, 0x4717, 0x4723, 0x4729, 0x472F, 
+	0x4735, 0x4739, 0x474B, 0x474D, 0x4751, 0x475D, 0x476F, 0x4771, 
+	0x477D, 0x4783, 0x4787, 0x4789, 0x4799, 0x47A5, 0x47B1, 0x47BF, 
+	0x47C3, 0x47CB, 0x47DD, 0x47E1, 0x47ED, 0x47FB, 0x4801, 0x4807, 
+	0x480B, 0x4813, 0x4819, 0x481D, 0x4831, 0x483D, 0x4847, 0x4855, 
+	0x4859, 0x485B, 0x486B, 0x486D, 0x4879, 0x4897, 0x489B, 0x48A1, 
+	0x48B9, 0x48CD, 0x48E5, 0x48EF, 0x48F7, 0x4903, 0x490D, 0x4919, 
+	0x491F, 0x492B, 0x4937, 0x493D, 0x4945, 0x4955, 0x4963, 0x4969, 
+	0x496D, 0x4973, 0x4997, 0x49AB, 0x49B5, 0x49D3, 0x49DF, 0x49E1, 
+	0x49E5, 0x49E7, 0x4A03, 0x4A0F, 0x4A1D, 0x4A23, 0x4A39, 0x4A41, 
+	0x4A45, 0x4A57, 0x4A5D, 0x4A6B, 0x4A7D, 0x4A81, 0x4A87, 0x4A89, 
+	0x4A8F, 0x4AB1, 0x4AC3, 0x4AC5, 0x4AD5, 0x4ADB, 0x4AED, 0x4AEF, 
+	0x4B07, 0x4B0B, 0x4B0D, 0x4B13, 0x4B1F, 0x4B25, 0x4B31, 0x4B3B, 
+	0x4B43, 0x4B49, 0x4B59, 0x4B65, 0x4B6D, 0x4B77, 0x4B85, 0x4BAD, 
+	0x4BB3, 0x4BB5, 0x4BBB, 0x4BBF, 0x4BCB, 0x4BD9, 0x4BDD, 0x4BDF, 
+	0x4BE3, 0x4BE5, 0x4BE9, 0x4BF1, 0x4BF7, 0x4C01, 0x4C07, 0x4C0D, 
+	0x4C0F, 0x4C15, 0x4C1B, 0x4C21, 0x4C2D, 0x4C33, 0x4C4B, 0x4C55, 
+	0x4C57, 0x4C61, 0x4C67, 0x4C73, 0x4C79, 0x4C7F, 0x4C8D, 0x4C93, 
+	0x4C99, 0x4CCD, 0x4CE1, 0x4CE7, 0x4CF1, 0x4CF3, 0x4CFD, 0x4D05, 
+	0x4D0F, 0x4D1B, 0x4D27, 0x4D29, 0x4D2F, 0x4D33, 0x4D41, 0x4D51, 
+	0x4D59, 0x4D65, 0x4D6B, 0x4D81, 0x4D83, 0x4D8D, 0x4D95, 0x4D9B, 
+	0x4DB1, 0x4DB3, 0x4DC9, 0x4DCF, 0x4DD7, 0x4DE1, 0x4DED, 0x4DF9, 
+	0x4DFB, 0x4E05, 0x4E0B, 0x4E17, 0x4E19, 0x4E1D, 0x4E2B, 0x4E35, 
+	0x4E37, 0x4E3D, 0x4E4F, 0x4E53, 0x4E5F, 0x4E67, 0x4E79, 0x4E85, 
+	0x4E8B, 0x4E91, 0x4E95, 0x4E9B, 0x4EA1, 0x4EAF, 0x4EB3, 0x4EB5, 
+	0x4EC1, 0x4ECD, 0x4ED1, 0x4ED7, 0x4EE9, 0x4EFB, 0x4F07, 0x4F09, 
+	0x4F19, 0x4F25, 0x4F2D, 0x4F3F, 0x4F49, 0x4F63, 0x4F67, 0x4F6D, 
+	0x4F75, 0x4F7B, 0x4F81, 0x4F85, 0x4F87, 0x4F91, 0x4FA5, 0x4FA9, 
+	0x4FAF, 0x4FB7, 0x4FBB, 0x4FCF, 0x4FD9, 0x4FDB, 0x4FFD, 0x4FFF, 
+	0x5003, 0x501B, 0x501D, 0x5029, 0x5035, 0x503F, 0x5045, 0x5047, 
+	0x5053, 0x5071, 0x5077, 0x5083, 0x5093, 0x509F, 0x50A1, 0x50B7, 
+	0x50C9, 0x50D5, 0x50E3, 0x50ED, 0x50EF, 0x50FB, 0x5107, 0x510B, 
+	0x510D, 0x5111, 0x5117, 0x5123, 0x5125, 0x5135, 0x5147, 0x5149, 
+	0x5171, 0x5179, 0x5189, 0x518F, 0x5197, 0x51A1, 0x51A3, 0x51A7, 
+	0x51B9, 0x51C1, 0x51CB, 0x51D3, 0x51DF, 0x51E3, 0x51F5, 0x51F7, 
+	0x5209, 0x5213, 0x5215, 0x5219, 0x521B, 0x521F, 0x5227, 0x5243, 
+	0x5245, 0x524B, 0x5261, 0x526D, 0x5273, 0x5281, 0x5293, 0x5297, 
+	0x529D, 0x52A5, 0x52AB, 0x52B1, 0x52BB, 0x52C3, 0x52C7, 0x52C9, 
+	0x52DB, 0x52E5, 0x52EB, 0x52FF, 0x5315, 0x531D, 0x5323, 0x5341, 
+	0x5345, 0x5347, 0x534B, 0x535D, 0x5363, 0x5381, 0x5383, 0x5387, 
+	0x538F, 0x5395, 0x5399, 0x539F, 0x53AB, 0x53B9, 0x53DB, 0x53E9, 
+	0x53EF, 0x53F3, 0x53F5, 0x53FB, 0x53FF, 0x540D, 0x5411, 0x5413, 
+	0x5419, 0x5435, 0x5437, 0x543B, 0x5441, 0x5449, 0x5453, 0x5455, 
+	0x545F, 0x5461, 0x546B, 0x546D, 0x5471, 0x548F, 0x5491, 0x549D, 
+	0x54A9, 0x54B3, 0x54C5, 0x54D1, 0x54DF, 0x54E9, 0x54EB, 0x54F7, 
+	0x54FD, 0x5507, 0x550D, 0x551B, 0x5527, 0x552B, 0x5539, 0x553D, 
+	0x554F, 0x5551, 0x555B, 0x5563, 0x5567, 0x556F, 0x5579, 0x5585, 
+	0x5597, 0x55A9, 0x55B1, 0x55B7, 0x55C9, 0x55D9, 0x55E7, 0x55ED, 
+	0x55F3, 0x55FD, 0x560B, 0x560F, 0x5615, 0x5617, 0x5623, 0x562F, 
+	0x5633, 0x5639, 0x563F, 0x564B, 0x564D, 0x565D, 0x565F, 0x566B, 
+	0x5671, 0x5675, 0x5683, 0x5689, 0x568D, 0x568F, 0x569B, 0x56AD, 
+	0x56B1, 0x56D5, 0x56E7, 0x56F3, 0x56FF, 0x5701, 0x5705, 0x5707, 
+	0x570B, 0x5713, 0x571F, 0x5723, 0x5747, 0x574D, 0x575F, 0x5761, 
+	0x576D, 0x5777, 0x577D, 0x5789, 0x57A1, 0x57A9, 0x57AF, 0x57B5, 
+	0x57C5, 0x57D1, 0x57D3, 0x57E5, 0x57EF, 0x5803, 0x580D, 0x580F, 
+	0x5815, 0x5827, 0x582B, 0x582D, 0x5855, 0x585B, 0x585D, 0x586D, 
+	0x586F, 0x5873, 0x587B, 0x588D, 0x5897, 0x58A3, 0x58A9, 0x58AB, 
+	0x58B5, 0x58BD, 0x58C1, 0x58C7, 0x58D3, 0x58D5, 0x58DF, 0x58F1, 
+	0x58F9, 0x58FF, 0x5903, 0x5917, 0x591B, 0x5921, 0x5945, 0x594B, 
+	0x594D, 0x5957, 0x595D, 0x5975, 0x597B, 0x5989, 0x5999, 0x599F, 
+	0x59B1, 0x59B3, 0x59BD, 0x59D1, 0x59DB, 0x59E3, 0x59E9, 0x59ED, 
+	0x59F3, 0x59F5, 0x59FF, 0x5A01, 0x5A0D, 0x5A11, 0x5A13, 0x5A17, 
+	0x5A1F, 0x5A29, 0x5A2F, 0x5A3B, 0x5A4D, 0x5A5B, 0x5A67, 0x5A77, 
+	0x5A7F, 0x5A85, 0x5A95, 0x5A9D, 0x5AA1, 0x5AA3, 0x5AA9, 0x5ABB, 
+	0x5AD3, 0x5AE5, 0x5AEF, 0x5AFB, 0x5AFD, 0x5B01, 0x5B0F, 0x5B19, 
+	0x5B1F, 0x5B25, 0x5B2B, 0x5B3D, 0x5B49, 0x5B4B, 0x5B67, 0x5B79, 
+	0x5B87, 0x5B97, 0x5BA3, 0x5BB1, 0x5BC9, 0x5BD5, 0x5BEB, 0x5BF1, 
+	0x5BF3, 0x5BFD, 0x5C05, 0x5C09, 0x5C0B, 0x5C0F, 0x5C1D, 0x5C29, 
+	0x5C2F, 0x5C33, 0x5C39, 0x5C47, 0x5C4B, 0x5C4D, 0x5C51, 0x5C6F, 
+	0x5C75, 0x5C77, 0x5C7D, 0x5C87, 0x5C89, 0x5CA7, 0x5CBD, 0x5CBF, 
+	0x5CC3, 0x5CC9, 0x5CD1, 0x5CD7, 0x5CDD, 0x5CED, 0x5CF9, 0x5D05, 
+	0x5D0B, 0x5D13, 0x5D17, 0x5D19, 0x5D31, 0x5D3D, 0x5D41, 0x5D47, 
+	0x5D4F, 0x5D55, 0x5D5B, 0x5D65, 0x5D67, 0x5D6D, 0x5D79, 0x5D95, 
+	0x5DA3, 0x5DA9, 0x5DAD, 0x5DB9, 0x5DC1, 0x5DC7, 0x5DD3, 0x5DD7, 
+	0x5DDD, 0x5DEB, 0x5DF1, 0x5DFD, 0x5E07, 0x5E0D, 0x5E13, 0x5E1B, 
+	0x5E21, 0x5E27, 0x5E2B, 0x5E2D, 0x5E31, 0x5E39, 0x5E45, 0x5E49, 
+	0x5E57, 0x5E69, 0x5E73, 0x5E75, 0x5E85, 0x5E8B, 0x5E9F, 0x5EA5, 
+	0x5EAF, 0x5EB7, 0x5EBB, 0x5ED9, 0x5EFD, 0x5F09, 0x5F11, 0x5F27, 
+	0x5F33, 0x5F35, 0x5F3B, 0x5F47, 0x5F57, 0x5F5D, 0x5F63, 0x5F65, 
+	0x5F77, 0x5F7B, 0x5F95, 0x5F99, 0x5FA1, 0x5FB3, 0x5FBD, 0x5FC5, 
+	0x5FCF, 0x5FD5, 0x5FE3, 0x5FE7, 0x5FFB, 0x6011, 0x6023, 0x602F, 
+	0x6037, 0x6053, 0x605F, 0x6065, 0x606B, 0x6073, 0x6079, 0x6085, 
+	0x609D, 0x60AD, 0x60BB, 0x60BF, 0x60CD, 0x60D9, 0x60DF, 0x60E9, 
+	0x60F5, 0x6109, 0x610F, 0x6113, 0x611B, 0x612D, 0x6139, 0x614B, 
+	0x6155, 0x6157, 0x615B, 0x616F, 0x6179, 0x6187, 0x618B, 0x6191, 
+	0x6193, 0x619D, 0x61B5, 0x61C7, 0x61C9, 0x61CD, 0x61E1, 0x61F1, 
+	0x61FF, 0x6209, 0x6217, 0x621D, 0x6221, 0x6227, 0x623B, 0x6241, 
+	0x624B, 0x6251, 0x6253, 0x625F, 0x6265, 0x6283, 0x628D, 0x6295, 
+	0x629B, 0x629F, 0x62A5, 0x62AD, 0x62D5, 0x62D7, 0x62DB, 0x62DD, 
+	0x62E9, 0x62FB, 0x62FF, 0x6305, 0x630D, 0x6317, 0x631D, 0x632F, 
+	0x6341, 0x6343, 0x634F, 0x635F, 0x6367, 0x636D, 0x6371, 0x6377, 
+	0x637D, 0x637F, 0x63B3, 0x63C1, 0x63C5, 0x63D9, 0x63E9, 0x63EB, 
+	0x63EF, 0x63F5, 0x6401, 0x6403, 0x6409, 0x6415, 0x6421, 0x6427, 
+	0x642B, 0x6439, 0x6443, 0x6449, 0x644F, 0x645D, 0x6467, 0x6475, 
+	0x6485, 0x648D, 0x6493, 0x649F, 0x64A3, 0x64AB, 0x64C1, 0x64C7, 
+	0x64C9, 0x64DB, 0x64F1, 0x64F7, 0x64F9, 0x650B, 0x6511, 0x6521, 
+	0x652F, 0x6539, 0x653F, 0x654B, 0x654D, 0x6553, 0x6557, 0x655F, 
+	0x6571, 0x657D, 0x658D, 0x658F, 0x6593, 0x65A1, 0x65A5, 0x65AD, 
+	0x65B9, 0x65C5, 0x65E3, 0x65F3, 0x65FB, 0x65FF, 0x6601, 0x6607, 
+	0x661D, 0x6629, 0x6631, 0x663B, 0x6641, 0x6647, 0x664D, 0x665B, 
+	0x6661, 0x6673, 0x667D, 0x6689, 0x668B, 0x6695, 0x6697, 0x669B, 
+	0x66B5, 0x66B9, 0x66C5, 0x66CD, 0x66D1, 0x66E3, 0x66EB, 0x66F5, 
+	0x6703, 0x6713, 0x6719, 0x671F, 0x6727, 0x6731, 0x6737, 0x673F, 
+	0x6745, 0x6751, 0x675B, 0x676F, 0x6779, 0x6781, 0x6785, 0x6791, 
+	0x67AB, 0x67BD, 0x67C1, 0x67CD, 0x67DF, 0x67E5, 0x6803, 0x6809, 
+	0x6811, 0x6817, 0x682D, 0x6839, 0x683B, 0x683F, 0x6845, 0x684B, 
+	0x684D, 0x6857, 0x6859, 0x685D, 0x6863, 0x6869, 0x686B, 0x6871, 
+	0x6887, 0x6899, 0x689F, 0x68B1, 0x68BD, 0x68C5, 0x68D1, 0x68D7, 
+	0x68E1, 0x68ED, 0x68EF, 0x68FF, 0x6901, 0x690B, 0x690D, 0x6917, 
+	0x6929, 0x692F, 0x6943, 0x6947, 0x6949, 0x694F, 0x6965, 0x696B, 
+	0x6971, 0x6983, 0x6989, 0x6997, 0x69A3, 0x69B3, 0x69B5, 0x69BB, 
+	0x69C1, 0x69C5, 0x69D3, 0x69DF, 0x69E3, 0x69E5, 0x69F7, 0x6A07, 
+	0x6A2B, 0x6A37, 0x6A3D, 0x6A4B, 0x6A67, 0x6A69, 0x6A75, 0x6A7B, 
+	0x6A87, 0x6A8D, 0x6A91, 0x6A93, 0x6AA3, 0x6AC1, 0x6AC9, 0x6AE1, 
+	0x6AE7, 0x6B05, 0x6B0F, 0x6B11, 0x6B23, 0x6B27, 0x6B2D, 0x6B39, 
+	0x6B41, 0x6B57, 0x6B59, 0x6B5F, 0x6B75, 0x6B87, 0x6B89, 0x6B93, 
+	0x6B95, 0x6B9F, 0x6BBD, 0x6BBF, 0x6BDB, 0x6BE1, 0x6BEF, 0x6BFF, 
+	0x6C05, 0x6C19, 0x6C29, 0x6C2B, 0x6C31, 0x6C35, 0x6C55, 0x6C59, 
+	0x6C5B, 0x6C5F, 0x6C65, 0x6C67, 0x6C73, 0x6C77, 0x6C7D, 0x6C83, 
+	0x6C8F, 0x6C91, 0x6C97, 0x6C9B, 0x6CA1, 0x6CA9, 0x6CAF, 0x6CB3, 
+	0x6CC7, 0x6CCB, 0x6CEB, 0x6CF5, 0x6CFD, 0x6D0D, 0x6D0F, 0x6D25, 
+	0x6D27, 0x6D2B, 0x6D31, 0x6D39, 0x6D3F, 0x6D4F, 0x6D5D, 0x6D61, 
+	0x6D73, 0x6D7B, 0x6D7F, 0x6D93, 0x6D99, 0x6DA5, 0x6DB1, 0x6DB7, 
+	0x6DC1, 0x6DC3, 0x6DCD, 0x6DCF, 0x6DDB, 0x6DF7, 0x6E03, 0x6E15, 
+	0x6E17, 0x6E29, 0x6E33, 0x6E3B, 0x6E45, 0x6E75, 0x6E77, 0x6E7B, 
+	0x6E81, 0x6E89, 0x6E93, 0x6E95, 0x6E9F, 0x6EBD, 0x6EBF, 0x6EE3, 
+	0x6EE9, 0x6EF3, 0x6EF9, 0x6EFB, 0x6F0D, 0x6F11, 0x6F17, 0x6F1F, 
+	0x6F2F, 0x6F3D, 0x6F4D, 0x6F53, 0x6F61, 0x6F65, 0x6F79, 0x6F7D, 
+	0x6F83, 0x6F85, 0x6F8F, 0x6F9B, 0x6F9D, 0x6FA3, 0x6FAF, 0x6FB5, 
+	0x6FBB, 0x6FBF, 0x6FCB, 0x6FCD, 0x6FD3, 0x6FD7, 0x6FE3, 0x6FE9, 
+	0x6FF1, 0x6FF5, 0x6FF7, 0x6FFD, 0x700F, 0x7019, 0x701F, 0x7027, 
+	0x7033, 0x7039, 0x704F, 0x7051, 0x7057, 0x7063, 0x7075, 0x7079, 
+	0x7087, 0x708D, 0x7091, 0x70A5, 0x70AB, 0x70BB, 0x70C3, 0x70C7, 
+	0x70CF, 0x70E5, 0x70ED, 0x70F9, 0x70FF, 0x7105, 0x7115, 0x7121, 
+	0x7133, 0x7151, 0x7159, 0x715D, 0x715F, 0x7163, 0x7169, 0x7183, 
+	0x7187, 0x7195, 0x71AD, 0x71C3, 0x71C9, 0x71CB, 0x71D1, 0x71DB, 
+	0x71E1, 0x71EF, 0x71F5, 0x71FB, 0x7207, 0x7211, 0x7217, 0x7219, 
+	0x7225, 0x722F, 0x723B, 0x7243, 0x7255, 0x7267, 0x7271, 0x7277, 
+	0x727F, 0x728F, 0x7295, 0x729B, 0x72A3, 0x72B3, 0x72C7, 0x72CB, 
+	0x72CD, 0x72D7, 0x72D9, 0x72E3, 0x72EF, 0x72F5, 0x72FD, 0x7303, 
+	0x730D, 0x7321, 0x732B, 0x733D, 0x7357, 0x735B, 0x7361, 0x737F, 
+	0x7381, 0x7385, 0x738D, 0x7393, 0x739F, 0x73AB, 0x73BD, 0x73C1, 
+	0x73C9, 0x73DF, 0x73E5, 0x73E7, 0x73F3, 0x7415, 0x741B, 0x742D, 
+	0x7439, 0x743F, 0x7441, 0x745D, 0x746B, 0x747B, 0x7489, 0x748D, 
+	0x749B, 0x74A7, 0x74AB, 0x74B1, 0x74B7, 0x74B9, 0x74DD, 0x74E1, 
+	0x74E7, 0x74FB, 0x7507, 0x751F, 0x7525, 0x753B, 0x753D, 0x754D, 
+	0x755F, 0x756B, 0x7577, 0x7589, 0x758B, 0x7591, 0x7597, 0x759D, 
+	0x75A1, 0x75A7, 0x75B5, 0x75B9, 0x75BB, 0x75D1, 0x75D9, 0x75E5, 
+	0x75EB, 0x75F5, 0x75FB, 0x7603, 0x760F, 0x7621, 0x762D, 0x7633, 
+	0x763D, 0x763F, 0x7655, 0x7663, 0x7669, 0x766F, 0x7673, 0x7685, 
+	0x768B, 0x769F, 0x76B5, 0x76B7, 0x76C3, 0x76DB, 0x76DF, 0x76F1, 
+	0x7703, 0x7705, 0x771B, 0x771D, 0x7721, 0x772D, 0x7735, 0x7741, 
+	0x774B, 0x7759, 0x775D, 0x775F, 0x7771, 0x7781, 0x77A7, 0x77AD, 
+	0x77B3, 0x77B9, 0x77C5, 0x77CF, 0x77D5, 0x77E1, 0x77E9, 0x77EF, 
+	0x77F3, 0x77F9, 0x7807, 0x7825, 0x782B, 0x7835, 0x783D, 0x7853, 
+	0x7859, 0x7861, 0x786D, 0x7877, 0x7879, 0x7883, 0x7885, 0x788B, 
+	0x7895, 0x7897, 0x78A1, 0x78AD, 0x78BF, 0x78D3, 0x78D9, 0x78DD, 
+	0x78E5, 0x78FB, 0x7901, 0x7907, 0x7925, 0x792B, 0x7939, 0x793F, 
+	0x794B, 0x7957, 0x795D, 0x7967, 0x7969, 0x7973, 0x7991, 0x7993, 
+	0x79A3, 0x79AB, 0x79AF, 0x79B1, 0x79B7, 0x79C9, 0x79CD, 0x79CF, 
+	0x79D5, 0x79D9, 0x79F3, 0x79F7, 0x79FF, 0x7A05, 0x7A0F, 0x7A11, 
+	0x7A15, 0x7A1B, 0x7A23, 0x7A27, 0x7A2D, 0x7A4B, 0x7A57, 0x7A59, 
+	0x7A5F, 0x7A65, 0x7A69, 0x7A7D, 0x7A93, 0x7A9B, 0x7A9F, 0x7AA1, 
+	0x7AA5, 0x7AED, 0x7AF5, 0x7AF9, 0x7B01, 0x7B17, 0x7B19, 0x7B1D, 
+	0x7B2B, 0x7B35, 0x7B37, 0x7B3B, 0x7B4F, 0x7B55, 0x7B5F, 0x7B71, 
+	0x7B77, 0x7B8B, 0x7B9B, 0x7BA1, 0x7BA9, 0x7BAF, 0x7BB3, 0x7BC7, 
+	0x7BD3, 0x7BE9, 0x7BEB, 0x7BEF, 0x7BF1, 0x7BFD, 0x7C07, 0x7C19, 
+	0x7C1B, 0x7C31, 0x7C37, 0x7C49, 0x7C67, 0x7C69, 0x7C73, 0x7C81, 
+	0x7C8B, 0x7C93, 0x7CA3, 0x7CD5, 0x7CDB, 0x7CE5, 0x7CED, 0x7CF7, 
+	0x7D03, 0x7D09, 0x7D1B, 0x7D1D, 0x7D33, 0x7D39, 0x7D3B, 0x7D3F, 
+	0x7D45, 0x7D4D, 0x7D53, 0x7D59, 0x7D63, 0x7D75, 0x7D77, 0x7D8D, 
+	0x7D8F, 0x7D9F, 0x7DAD, 0x7DB7, 0x7DBD, 0x7DBF, 0x7DCB, 0x7DD5, 
+	0x7DE9, 0x7DED, 0x7DFB, 0x7E01, 0x7E05, 0x7E29, 0x7E2B, 0x7E2F, 
+	0x7E35, 0x7E41, 0x7E43, 0x7E47, 0x7E55, 0x7E61, 0x7E67, 0x7E6B, 
+	0x7E71, 0x7E73, 0x7E79, 0x7E7D, 0x7E91, 0x7E9B, 0x7E9D, 0x7EA7, 
+	0x7EAD, 0x7EB9, 0x7EBB, 0x7ED3, 0x7EDF, 0x7EEB, 0x7EF1, 0x7EF7, 
+	0x7EFB, 0x7F13, 0x7F15, 0x7F19, 0x7F31, 0x7F33, 0x7F39, 0x7F3D, 
+	0x7F43, 0x7F4B, 0x7F5B, 0x7F61, 0x7F63, 0x7F6D, 0x7F79, 0x7F87, 
+	0x7F8D, 0x7FAF, 0x7FB5, 0x7FC3, 0x7FC9, 0x7FCD, 0x7FCF, 0x7FED, 
+	0x8003, 0x800B, 0x800F, 0x8015, 0x801D, 0x8021, 0x8023, 0x803F, 
+	0x8041, 0x8047, 0x804B, 0x8065, 0x8077, 0x808D, 0x808F, 0x8095, 
+	0x80A5, 0x80AB, 0x80AD, 0x80BD, 0x80C9, 0x80CB, 0x80D7, 0x80DB, 
+	0x80E1, 0x80E7, 0x80F5, 0x80FF, 0x8105, 0x810D, 0x8119, 0x811D, 
+	0x812F, 0x8131, 0x813B, 0x8143, 0x8153, 0x8159, 0x815F, 0x817D, 
+	0x817F, 0x8189, 0x819B, 0x819D, 0x81A7, 0x81AF, 0x81B3, 0x81BB, 
+	0x81C7, 0x81DF, 0x8207, 0x8209, 0x8215, 0x821F, 0x8225, 0x8231, 
+	0x8233, 0x823F, 0x8243, 0x8245, 0x8249, 0x824F, 0x8261, 0x826F, 
+	0x827B, 0x8281, 0x8285, 0x8293, 0x82B1, 0x82B5, 0x82BD, 0x82C7, 
+	0x82CF, 0x82D5, 0x82DF, 0x82F1, 0x82F9, 0x82FD, 0x830B, 0x831B, 
+	0x8321, 0x8329, 0x832D, 0x8333, 0x8335, 0x833F, 0x8341, 0x834D, 
+	0x8351, 0x8353, 0x8357, 0x835D, 0x8365, 0x8369, 0x836F, 0x838F, 
+	0x83A7, 0x83B1, 0x83B9, 0x83CB, 0x83D5, 0x83D7, 0x83DD, 0x83E7, 
+	0x83E9, 0x83ED, 0x83FF, 0x8405, 0x8411, 0x8413, 0x8423, 0x8425, 
+	0x843B, 0x8441, 0x8447, 0x844F, 0x8461, 0x8465, 0x8477, 0x8483, 
+	0x848B, 0x8491, 0x8495, 0x84A9, 0x84AF, 0x84CD, 0x84E3, 0x84EF, 
+	0x84F1, 0x84F7, 0x8509, 0x850D, 0x854B, 0x854F, 0x8551, 0x855D, 
+	0x8563, 0x856D, 0x856F, 0x857B, 0x8587, 0x85A3, 0x85A5, 0x85A9, 
+	0x85B7, 0x85CD, 0x85D3, 0x85D5, 0x85DB, 0x85E1, 0x85EB, 0x85F9, 
+	0x85FD, 0x85FF, 0x8609, 0x860F, 0x8617, 0x8621, 0x862F, 0x8639, 
+	0x863F, 0x8641, 0x864D, 0x8663, 0x8675, 0x867D, 0x8687, 0x8699, 
+	0x86A5, 0x86A7, 0x86B3, 0x86B7, 0x86C3, 0x86C5, 0x86CF, 0x86D1, 
+	0x86D7, 0x86E9, 0x86EF, 0x86F5, 0x8717, 0x871D, 0x871F, 0x872B, 
+	0x872F, 0x8735, 0x8747, 0x8759, 0x875B, 0x876B, 0x8771, 0x8777, 
+	0x877F, 0x8785, 0x878F, 0x87A1, 0x87A9, 0x87B3, 0x87BB, 0x87C5, 
+	0x87C7, 0x87CB, 0x87DD, 0x87F7, 0x8803, 0x8819, 0x881B, 0x881F, 
+	0x8821, 0x8837, 0x883D, 0x8843, 0x8851, 0x8861, 0x8867, 0x887B, 
+	0x8885, 0x8891, 0x8893, 0x88A5, 0x88CF, 0x88D3, 0x88EB, 0x88ED, 
+	0x88F3, 0x88FD, 0x8909, 0x890B, 0x8911, 0x891B, 0x8923, 0x8927, 
+	0x892D, 0x8939, 0x8945, 0x894D, 0x8951, 0x8957, 0x8963, 0x8981, 
+	0x8995, 0x899B, 0x89B3, 0x89B9, 0x89C3, 0x89CF, 0x89D1, 0x89DB, 
+	0x89EF, 0x89F5, 0x89FB, 0x89FF, 0x8A0B, 0x8A19, 0x8A23, 0x8A35, 
+	0x8A41, 0x8A49, 0x8A4F, 0x8A5B, 0x8A5F, 0x8A6D, 0x8A77, 0x8A79, 
+	0x8A85, 0x8AA3, 0x8AB3, 0x8AB5, 0x8AC1, 0x8AC7, 0x8ACB, 0x8ACD, 
+	0x8AD1, 0x8AD7, 0x8AF1, 0x8AF5, 0x8B07, 0x8B09, 0x8B0D, 0x8B13, 
+	0x8B21, 0x8B57, 0x8B5D, 0x8B91, 0x8B93, 0x8BA3, 0x8BA9, 0x8BAF, 
+	0x8BBB, 0x8BD5, 0x8BD9, 0x8BDB, 0x8BE1, 0x8BF7, 0x8BFD, 0x8BFF, 
+	0x8C0B, 0x8C17, 0x8C1D, 0x8C27, 0x8C39, 0x8C3B, 0x8C47, 0x8C53, 
+	0x8C5D, 0x8C6F, 0x8C7B, 0x8C81, 0x8C89, 0x8C8F, 0x8C99, 0x8C9F, 
+	0x8CA7, 0x8CAB, 0x8CAD, 0x8CB1, 0x8CC5, 0x8CDD, 0x8CE3, 0x8CE9, 
+	0x8CF3, 0x8D01, 0x8D0B, 0x8D0D, 0x8D23, 0x8D29, 0x8D37, 0x8D41, 
+	0x8D5B, 0x8D5F, 0x8D71, 0x8D79, 0x8D85, 0x8D91, 0x8D9B, 0x8DA7, 
+	0x8DAD, 0x8DB5, 0x8DC5, 0x8DCB, 0x8DD3, 0x8DD9, 0x8DDF, 0x8DF5, 
+	0x8DF7, 0x8E01, 0x8E15, 0x8E1F, 0x8E25, 0x8E51, 0x8E63, 0x8E69, 
+	0x8E73, 0x8E75, 0x8E79, 0x8E7F, 0x8E8D, 0x8E91, 0x8EAB, 0x8EAF, 
+	0x8EB1, 0x8EBD, 0x8EC7, 0x8ECF, 0x8ED3, 0x8EDB, 0x8EE7, 0x8EEB, 
+	0x8EF7, 0x8EFF, 0x8F15, 0x8F1D, 0x8F23, 0x8F2D, 0x8F3F, 0x8F45, 
+	0x8F4B, 0x8F53, 0x8F59, 0x8F65, 0x8F69, 0x8F71, 0x8F83, 0x8F8D, 
+	0x8F99, 0x8F9F, 0x8FAB, 0x8FAD, 0x8FB3, 0x8FB7, 0x8FB9, 0x8FC9, 
+	0x8FD5, 0x8FE1, 0x8FEF, 0x8FF9, 0x9007, 0x900D, 0x9017, 0x9023, 
+	0x9025, 0x9031, 0x9037, 0x903B, 0x9041, 0x9043, 0x904F, 0x9053, 
+	0x906D, 0x9073, 0x9085, 0x908B, 0x9095, 0x909B, 0x909D, 0x90AF, 
+	0x90B9, 0x90C1, 0x90C5, 0x90DF, 0x90E9, 0x90FD, 0x9103, 0x9113, 
+	0x9127, 0x9133, 0x913D, 0x9145, 0x914F, 0x9151, 0x9161, 0x9167, 
+	0x917B, 0x9185, 0x9199, 0x919D, 0x91BB, 0x91BD, 0x91C1, 0x91C9, 
+	0x91D9, 0x91DB, 0x91ED, 0x91F1, 0x91F3, 0x91F9, 0x9203, 0x9215, 
+	0x9221, 0x922F, 0x9241, 0x9247, 0x9257, 0x926B, 0x9271, 0x9275, 
+	0x927D, 0x9283, 0x9287, 0x928D, 0x9299, 0x92A1, 0x92AB, 0x92AD, 
+	0x92B9, 0x92BF, 0x92C3, 0x92C5, 0x92CB, 0x92D5, 0x92D7, 0x92E7, 
+	0x92F3, 0x9301, 0x930B, 0x9311, 0x9319, 0x931F, 0x933B, 0x933D, 
+	0x9343, 0x9355, 0x9373, 0x9395, 0x9397, 0x93A7, 0x93B3, 0x93B5, 
+	0x93C7, 0x93D7, 0x93DD, 0x93E5, 0x93EF, 0x93F7, 0x9401, 0x9409, 
+	0x9413, 0x943F, 0x9445, 0x944B, 0x944F, 0x9463, 0x9467, 0x9469, 
+	0x946D, 0x947B, 0x9497, 0x949F, 0x94A5, 0x94B5, 0x94C3, 0x94E1, 
+	0x94E7, 0x9505, 0x9509, 0x9517, 0x9521, 0x9527, 0x952D, 0x9535, 
+	0x9539, 0x954B, 0x9557, 0x955D, 0x955F, 0x9575, 0x9581, 0x9589, 
+	0x958F, 0x959B, 0x959F, 0x95AD, 0x95B1, 0x95B7, 0x95B9, 0x95BD, 
+	0x95CF, 0x95E3, 0x95E9, 0x95F9, 0x961F, 0x962F, 0x9631, 0x9635, 
+	0x963B, 0x963D, 0x9665, 0x968F, 0x969D, 0x96A1, 0x96A7, 0x96A9, 
+	0x96C1, 0x96CB, 0x96D1, 0x96D3, 0x96E5, 0x96EF, 0x96FB, 0x96FD, 
+	0x970D, 0x970F, 0x9715, 0x9725, 0x972B, 0x9733, 0x9737, 0x9739, 
+	0x9743, 0x9749, 0x9751, 0x975B, 0x975D, 0x976F, 0x977F, 0x9787, 
+	0x9793, 0x97A5, 0x97B1, 0x97B7, 0x97C3, 0x97CD, 0x97D3, 0x97D9, 
+	0x97EB, 0x97F7, 0x9805, 0x9809, 0x980B, 0x9815, 0x9829, 0x982F, 
+	0x983B, 0x9841, 0x9851, 0x986B, 0x986F, 0x9881, 0x9883, 0x9887, 
+	0x98A7, 0x98B1, 0x98B9, 0x98BF, 0x98C3, 0x98C9, 0x98CF, 0x98DD, 
+	0x98E3, 0x98F5, 0x98F9, 0x98FB, 0x990D, 0x9917, 0x991F, 0x9929, 
+	0x9931, 0x993B, 0x993D, 0x9941, 0x9947, 0x9949, 0x9953, 0x997D, 
+	0x9985, 0x9991, 0x9995, 0x999B, 0x99AD, 0x99AF, 0x99BF, 0x99C7, 
+	0x99CB, 0x99CD, 0x99D7, 0x99E5, 0x99F1, 0x99FB, 0x9A0F, 0x9A13, 
+	0x9A1B, 0x9A25, 0x9A4B, 0x9A4F, 0x9A55, 0x9A57, 0x9A61, 0x9A75, 
+	0x9A7F, 0x9A8B, 0x9A91, 0x9A9D, 0x9AB7, 0x9AC3, 0x9AC7, 0x9ACF, 
+	0x9AEB, 0x9AF3, 0x9AF7, 0x9AFF, 0x9B17, 0x9B1D, 0x9B27, 0x9B2F, 
+	0x9B35, 0x9B45, 0x9B51, 0x9B59, 0x9B63, 0x9B6F, 0x9B77, 0x9B8D, 
+	0x9B93, 0x9B95, 0x9B9F, 0x9BA1, 0x9BA7, 0x9BB1, 0x9BB7, 0x9BBD, 
+	0x9BC5, 0x9BCB, 0x9BCF, 0x9BDD, 0x9BF9, 0x9C01, 0x9C11, 0x9C23, 
+	0x9C2B, 0x9C2F, 0x9C35, 0x9C49, 0x9C4D, 0x9C5F, 0x9C65, 0x9C67, 
+	0x9C7F, 0x9C97, 0x9C9D, 0x9CA3, 0x9CAF, 0x9CBB, 0x9CBF, 0x9CC1, 
+	0x9CD7, 0x9CD9, 0x9CE3, 0x9CE9, 0x9CF1, 0x9CFD, 0x9D01, 0x9D15, 
+	0x9D27, 0x9D2D, 0x9D31, 0x9D3D, 0x9D55, 0x9D5B, 0x9D61, 0x9D97, 
+	0x9D9F, 0x9DA5, 0x9DA9, 0x9DC3, 0x9DE7, 0x9DEB, 0x9DED, 0x9DF1, 
+	0x9E0B, 0x9E17, 0x9E23, 0x9E27, 0x9E2D, 0x9E33, 0x9E3B, 0x9E47, 
+	0x9E51, 0x9E53, 0x9E5F, 0x9E6F, 0x9E81, 0x9E87, 0x9E8F, 0x9E95, 
+	0x9EA1, 0x9EB3, 0x9EBD, 0x9EBF, 0x9EF5, 0x9EF9, 0x9EFB, 0x9F05, 
+	0x9F23, 0x9F2F, 0x9F37, 0x9F3B, 0x9F43, 0x9F53, 0x9F61, 0x9F6D, 
+	0x9F73, 0x9F77, 0x9F7D, 0x9F89, 0x9F8F, 0x9F91, 0x9F95, 0x9FA3, 
+	0x9FAF, 0x9FB3, 0x9FC1, 0x9FC7, 0x9FDF, 0x9FE5, 0x9FEB, 0x9FF5, 
+	0xA001, 0xA00D, 0xA021, 0xA033, 0xA039, 0xA03F, 0xA04F, 0xA057, 
+	0xA05B, 0xA061, 0xA075, 0xA079, 0xA099, 0xA09D, 0xA0AB, 0xA0B5, 
+	0xA0B7, 0xA0BD, 0xA0C9, 0xA0D9, 0xA0DB, 0xA0DF, 0xA0E5, 0xA0F1, 
+	0xA0F3, 0xA0FD, 0xA105, 0xA10B, 0xA10F, 0xA111, 0xA11B, 0xA129, 
+	0xA12F, 0xA135, 0xA141, 0xA153, 0xA175, 0xA17D, 0xA187, 0xA18D, 
+	0xA1A5, 0xA1AB, 0xA1AD, 0xA1B7, 0xA1C3, 0xA1C5, 0xA1E3, 0xA1ED, 
+	0xA1FB, 0xA207, 0xA213, 0xA223, 0xA229, 0xA22F, 0xA231, 0xA243, 
+	0xA247, 0xA24D, 0xA26B, 0xA279, 0xA27D, 0xA283, 0xA289, 0xA28B, 
+	0xA291, 0xA295, 0xA29B, 0xA2A9, 0xA2AF, 0xA2B3, 0xA2BB, 0xA2C5, 
+	0xA2D1, 0xA2D7, 0xA2F7, 0xA301, 0xA309, 0xA31F, 0xA321, 0xA32B, 
+	0xA331, 0xA349, 0xA351, 0xA355, 0xA373, 0xA379, 0xA37B, 0xA387, 
+	0xA397, 0xA39F, 0xA3A5, 0xA3A9, 0xA3AF, 0xA3B7, 0xA3C7, 0xA3D5, 
+	0xA3DB, 0xA3E1, 0xA3E5, 0xA3E7, 0xA3F1, 0xA3FD, 0xA3FF, 0xA40F, 
+	0xA41D, 0xA421, 0xA423, 0xA427, 0xA43B, 0xA44D, 0xA457, 0xA459, 
+	0xA463, 0xA469, 0xA475, 0xA493, 0xA49B, 0xA4AD, 0xA4B9, 0xA4C3, 
+	0xA4C5, 0xA4CB, 0xA4D1, 0xA4D5, 0xA4E1, 0xA4ED, 0xA4EF, 0xA4F3, 
+	0xA4FF, 0xA511, 0xA529, 0xA52B, 0xA535, 0xA53B, 0xA543, 0xA553, 
+	0xA55B, 0xA561, 0xA56D, 0xA577, 0xA585, 0xA58B, 0xA597, 0xA59D, 
+	0xA5A3, 0xA5A7, 0xA5A9, 0xA5C1, 0xA5C5, 0xA5CB, 0xA5D3, 0xA5D9, 
+	0xA5DD, 0xA5DF, 0xA5E3, 0xA5E9, 0xA5F7, 0xA5FB, 0xA603, 0xA60D, 
+	0xA625, 0xA63D, 0xA649, 0xA64B, 0xA651, 0xA65D, 0xA673, 0xA691, 
+	0xA693, 0xA699, 0xA6AB, 0xA6B5, 0xA6BB, 0xA6C1, 0xA6C9, 0xA6CD, 
+	0xA6CF, 0xA6D5, 0xA6DF, 0xA6E7, 0xA6F1, 0xA6F7, 0xA6FF, 0xA70F, 
+	0xA715, 0xA723, 0xA729, 0xA72D, 0xA745, 0xA74D, 0xA757, 0xA759, 
+	0xA765, 0xA76B, 0xA76F, 0xA793, 0xA795, 0xA7AB, 0xA7B1, 0xA7B9, 
+	0xA7BF, 0xA7C9, 0xA7D1, 0xA7D7, 0xA7E3, 0xA7ED, 0xA7FB, 0xA805, 
+	0xA80B, 0xA81D, 0xA829, 0xA82B, 0xA837, 0xA83B, 0xA855, 0xA85F, 
+	0xA86D, 0xA87D, 0xA88F, 0xA897, 0xA8A9, 0xA8B5, 0xA8C1, 0xA8C7, 
+	0xA8D7, 0xA8E5, 0xA8FD, 0xA907, 0xA913, 0xA91B, 0xA931, 0xA937, 
+	0xA939, 0xA943, 0xA97F, 0xA985, 0xA987, 0xA98B, 0xA993, 0xA9A3, 
+	0xA9B1, 0xA9BB, 0xA9C1, 0xA9D9, 0xA9DF, 0xA9EB, 0xA9FD, 0xAA15, 
+	0xAA17, 0xAA35, 0xAA39, 0xAA3B, 0xAA47, 0xAA4D, 0xAA57, 0xAA59, 
+	0xAA5D, 0xAA6B, 0xAA71, 0xAA81, 0xAA83, 0xAA8D, 0xAA95, 0xAAAB, 
+	0xAABF, 0xAAC5, 0xAAC9, 0xAAE9, 0xAAEF, 0xAB01, 0xAB05, 0xAB07, 
+	0xAB0B, 0xAB0D, 0xAB11, 0xAB19, 0xAB4D, 0xAB5B, 0xAB71, 0xAB73, 
+	0xAB89, 0xAB9D, 0xABA7, 0xABAF, 0xABB9, 0xABBB, 0xABC1, 0xABC5, 
+	0xABD3, 0xABD7, 0xABDD, 0xABF1, 0xABF5, 0xABFB, 0xABFD, 0xAC09, 
+	0xAC15, 0xAC1B, 0xAC27, 0xAC37, 0xAC39, 0xAC45, 0xAC4F, 0xAC57, 
+	0xAC5B, 0xAC61, 0xAC63, 0xAC7F, 0xAC8B, 0xAC93, 0xAC9D, 0xACA9, 
+	0xACAB, 0xACAF, 0xACBD, 0xACD9, 0xACE1, 0xACE7, 0xACEB, 0xACED, 
+	0xACF1, 0xACF7, 0xACF9, 0xAD05, 0xAD3F, 0xAD45, 0xAD53, 0xAD5D, 
+	0xAD5F, 0xAD65, 0xAD81, 0xADA1, 0xADA5, 0xADC3, 0xADCB, 0xADD1, 
+	0xADD5, 0xADDB, 0xADE7, 0xADF3, 0xADF5, 0xADF9, 0xADFF, 0xAE05, 
+	0xAE13, 0xAE23, 0xAE2B, 0xAE49, 0xAE4D, 0xAE4F, 0xAE59, 0xAE61, 
+	0xAE67, 0xAE6B, 0xAE71, 0xAE8B, 0xAE8F, 0xAE9B, 0xAE9D, 0xAEA7, 
+	0xAEB9, 0xAEC5, 0xAED1, 0xAEE3, 0xAEE5, 0xAEE9, 0xAEF5, 0xAEFD, 
+	0xAF09, 0xAF13, 0xAF27, 0xAF2B, 0xAF33, 0xAF43, 0xAF4F, 0xAF57, 
+	0xAF5D, 0xAF6D, 0xAF75, 0xAF7F, 0xAF8B, 0xAF99, 0xAF9F, 0xAFA3, 
+	0xAFAB, 0xAFB7, 0xAFBB, 0xAFCF, 0xAFD5, 0xAFFD, 0xB005, 0xB015, 
+	0xB01B, 0xB03F, 0xB041, 0xB047, 0xB04B, 0xB051, 0xB053, 0xB069, 
+	0xB07B, 0xB07D, 0xB087, 0xB08D, 0xB0B1, 0xB0BF, 0xB0CB, 0xB0CF, 
+	0xB0E1, 0xB0E9, 0xB0ED, 0xB0FB, 0xB105, 0xB107, 0xB111, 0xB119, 
+	0xB11D, 0xB11F, 0xB131, 0xB141, 0xB14D, 0xB15B, 0xB165, 0xB173, 
+	0xB179, 0xB17F, 0xB1A9, 0xB1B3, 0xB1B9, 0xB1BF, 0xB1D3, 0xB1DD, 
+	0xB1E5, 0xB1F1, 0xB1F5, 0xB201, 0xB213, 0xB215, 0xB21F, 0xB22D, 
+	0xB23F, 0xB249, 0xB25B, 0xB263, 0xB269, 0xB26D, 0xB27B, 0xB281, 
+	0xB28B, 0xB2A9, 0xB2B7, 0xB2BD, 0xB2C3, 0xB2C7, 0xB2D3, 0xB2F9, 
+	0xB2FD, 0xB2FF, 0xB303, 0xB309, 0xB311, 0xB31D, 0xB327, 0xB32D, 
+	0xB33F, 0xB345, 0xB377, 0xB37D, 0xB381, 0xB387, 0xB393, 0xB39B, 
+	0xB3A5, 0xB3C5, 0xB3CB, 0xB3E1, 0xB3E3, 0xB3ED, 0xB3F9, 0xB40B, 
+	0xB40D, 0xB413, 0xB417, 0xB435, 0xB43D, 0xB443, 0xB449, 0xB45B, 
+	0xB465, 0xB467, 0xB46B, 0xB477, 0xB48B, 0xB495, 0xB49D, 0xB4B5, 
+	0xB4BF, 0xB4C1, 0xB4C7, 0xB4DD, 0xB4E3, 0xB4E5, 0xB4F7, 0xB501, 
+	0xB50D, 0xB50F, 0xB52D, 0xB53F, 0xB54B, 0xB567, 0xB569, 0xB56F, 
+	0xB573, 0xB579, 0xB587, 0xB58D, 0xB599, 0xB5A3, 0xB5AB, 0xB5AF, 
+	0xB5BB, 0xB5D5, 0xB5DF, 0xB5E7, 0xB5ED, 0xB5FD, 0xB5FF, 0xB609, 
+	0xB61B, 0xB629, 0xB62F, 0xB633, 0xB639, 0xB647, 0xB657, 0xB659, 
+	0xB65F, 0xB663, 0xB66F, 0xB683, 0xB687, 0xB69B, 0xB69F, 0xB6A5, 
+	0xB6B1, 0xB6B3, 0xB6D7, 0xB6DB, 0xB6E1, 0xB6E3, 0xB6ED, 0xB6EF, 
+	0xB705, 0xB70D, 0xB713, 0xB71D, 0xB729, 0xB735, 0xB747, 0xB755, 
+	0xB76D, 0xB791, 0xB795, 0xB7A9, 0xB7C1, 0xB7CB, 0xB7D1, 0xB7D3, 
+	0xB7EF, 0xB7F5, 0xB807, 0xB80F, 0xB813, 0xB819, 0xB821, 0xB827, 
+	0xB82B, 0xB82D, 0xB839, 0xB855, 0xB867, 0xB875, 0xB885, 0xB893, 
+	0xB8A5, 0xB8AF, 0xB8B7, 0xB8BD, 0xB8C1, 0xB8C7, 0xB8CD, 0xB8D5, 
+	0xB8EB, 0xB8F7, 0xB8F9, 0xB903, 0xB915, 0xB91B, 0xB91D, 0xB92F, 
+	0xB939, 0xB93B, 0xB947, 0xB951, 0xB963, 0xB983, 0xB989, 0xB98D, 
+	0xB993, 0xB999, 0xB9A1, 0xB9A7, 0xB9AD, 0xB9B7, 0xB9CB, 0xB9D1, 
+	0xB9DD, 0xB9E7, 0xB9EF, 0xB9F9, 0xBA07, 0xBA0D, 0xBA17, 0xBA25, 
+	0xBA29, 0xBA2B, 0xBA41, 0xBA53, 0xBA55, 0xBA5F, 0xBA61, 0xBA65, 
+	0xBA79, 0xBA7D, 0xBA7F, 0xBAA1, 0xBAA3, 0xBAAF, 0xBAB5, 0xBABF, 
+	0xBAC1, 0xBACB, 0xBADD, 0xBAE3, 0xBAF1, 0xBAFD, 0xBB09, 0xBB1F, 
+	0xBB27, 0xBB2D, 0xBB3D, 0xBB43, 0xBB4B, 0xBB4F, 0xBB5B, 0xBB61, 
+	0xBB69, 0xBB6D, 0xBB91, 0xBB97, 0xBB9D, 0xBBB1, 0xBBC9, 0xBBCF, 
+	0xBBDB, 0xBBED, 0xBBF7, 0xBBF9, 0xBC03, 0xBC1D, 0xBC23, 0xBC33, 
+	0xBC3B, 0xBC41, 0xBC45, 0xBC5D, 0xBC6F, 0xBC77, 0xBC83, 0xBC8F, 
+	0xBC99, 0xBCAB, 0xBCB7, 0xBCB9, 0xBCD1, 0xBCD5, 0xBCE1, 0xBCF3, 
+	0xBCFF, 0xBD0D, 0xBD17, 0xBD19, 0xBD1D, 0xBD35, 0xBD41, 0xBD4F, 
+	0xBD59, 0xBD5F, 0xBD61, 0xBD67, 0xBD6B, 0xBD71, 0xBD8B, 0xBD8F, 
+	0xBD95, 0xBD9B, 0xBD9D, 0xBDB3, 0xBDBB, 0xBDCD, 0xBDD1, 0xBDE3, 
+	0xBDEB, 0xBDEF, 0xBE07, 0xBE09, 0xBE15, 0xBE21, 0xBE25, 0xBE27, 
+	0xBE5B, 0xBE5D, 0xBE6F, 0xBE75, 0xBE79, 0xBE7F, 0xBE8B, 0xBE8D, 
+	0xBE93, 0xBE9F, 0xBEA9, 0xBEB1, 0xBEB5, 0xBEB7, 0xBECF, 0xBED9, 
+	0xBEDB, 0xBEE5, 0xBEE7, 0xBEF3, 0xBEF9, 0xBF0B, 0xBF33, 0xBF39, 
+	0xBF4D, 0xBF5D, 0xBF5F, 0xBF6B, 0xBF71, 0xBF7B, 0xBF87, 0xBF89, 
+	0xBF8D, 0xBF93, 0xBFA1, 0xBFAD, 0xBFB9, 0xBFCF, 0xBFD5, 0xBFDD, 
+	0xBFE1, 0xBFE3, 0xBFF3, 0xC005, 0xC011, 0xC013, 0xC019, 0xC029, 
+	0xC02F, 0xC031, 0xC037, 0xC03B, 0xC047, 0xC065, 0xC06D, 0xC07D, 
+	0xC07F, 0xC091, 0xC09B, 0xC0B3, 0xC0B5, 0xC0BB, 0xC0D3, 0xC0D7, 
+	0xC0D9, 0xC0EF, 0xC0F1, 0xC101, 0xC103, 0xC109, 0xC115, 0xC119, 
+	0xC12B, 0xC133, 0xC137, 0xC145, 0xC149, 0xC15B, 0xC173, 0xC179, 
+	0xC17B, 0xC181, 0xC18B, 0xC18D, 0xC197, 0xC1BD, 0xC1C3, 0xC1CD, 
+	0xC1DB, 0xC1E1, 0xC1E7, 0xC1FF, 0xC203, 0xC205, 0xC211, 0xC221, 
+	0xC22F, 0xC23F, 0xC24B, 0xC24D, 0xC253, 0xC25D, 0xC277, 0xC27B, 
+	0xC27D, 0xC289, 0xC28F, 0xC293, 0xC29F, 0xC2A7, 0xC2B3, 0xC2BD, 
+	0xC2CF, 0xC2D5, 0xC2E3, 0xC2FF, 0xC301, 0xC307, 0xC311, 0xC313, 
+	0xC317, 0xC325, 0xC347, 0xC349, 0xC34F, 0xC365, 0xC367, 0xC371, 
+	0xC37F, 0xC383, 0xC385, 0xC395, 0xC39D, 0xC3A7, 0xC3AD, 0xC3B5, 
+	0xC3BF, 0xC3C7, 0xC3CB, 0xC3D1, 0xC3D3, 0xC3E3, 0xC3E9, 0xC3EF, 
+	0xC401, 0xC41F, 0xC42D, 0xC433, 0xC437, 0xC455, 0xC457, 0xC461, 
+	0xC46F, 0xC473, 0xC487, 0xC491, 0xC499, 0xC49D, 0xC4A5, 0xC4B7, 
+	0xC4BB, 0xC4C9, 0xC4CF, 0xC4D3, 0xC4EB, 0xC4F1, 0xC4F7, 0xC509, 
+	0xC51B, 0xC51D, 0xC541, 0xC547, 0xC551, 0xC55F, 0xC56B, 0xC56F, 
+	0xC575, 0xC577, 0xC595, 0xC59B, 0xC59F, 0xC5A1, 0xC5A7, 0xC5C3, 
+	0xC5D7, 0xC5DB, 0xC5EF, 0xC5FB, 0xC613, 0xC623, 0xC635, 0xC641, 
+	0xC64F, 0xC655, 0xC659, 0xC665, 0xC685, 0xC691, 0xC697, 0xC6A1, 
+	0xC6A9, 0xC6B3, 0xC6B9, 0xC6CB, 0xC6CD, 0xC6DD, 0xC6EB, 0xC6F1, 
+	0xC707, 0xC70D, 0xC719, 0xC71B, 0xC72D, 0xC731, 0xC739, 0xC757, 
+	0xC763, 0xC767, 0xC773, 0xC775, 0xC77F, 0xC7A5, 0xC7BB, 0xC7BD, 
+	0xC7C1, 0xC7CF, 0xC7D5, 0xC7E1, 0xC7F9, 0xC7FD, 0xC7FF, 0xC803, 
+	0xC811, 0xC81D, 0xC827, 0xC829, 0xC839, 0xC83F, 0xC853, 0xC857, 
+	0xC86B, 0xC881, 0xC88D, 0xC88F, 0xC893, 0xC895, 0xC8A1, 0xC8B7, 
+	0xC8CF, 0xC8D5, 0xC8DB, 0xC8DD, 0xC8E3, 0xC8E7, 0xC8ED, 0xC8EF, 
+	0xC8F9, 0xC905, 0xC911, 0xC917, 0xC919, 0xC91F, 0xC92F, 0xC937, 
+	0xC93D, 0xC941, 0xC953, 0xC95F, 0xC96B, 0xC979, 0xC97D, 0xC989, 
+	0xC98F, 0xC997, 0xC99D, 0xC9AF, 0xC9B5, 0xC9BF, 0xC9CB, 0xC9D9, 
+	0xC9DF, 0xC9E3, 0xC9EB, 0xCA01, 0xCA07, 0xCA09, 0xCA25, 0xCA37, 
+	0xCA39, 0xCA4B, 0xCA55, 0xCA5B, 0xCA69, 0xCA73, 0xCA75, 0xCA7F, 
+	0xCA8D, 0xCA93, 0xCA9D, 0xCA9F, 0xCAB5, 0xCABB, 0xCAC3, 0xCAC9, 
+	0xCAD9, 0xCAE5, 0xCAED, 0xCB03, 0xCB05, 0xCB09, 0xCB17, 0xCB29, 
+	0xCB35, 0xCB3B, 0xCB53, 0xCB59, 0xCB63, 0xCB65, 0xCB71, 0xCB87, 
+	0xCB99, 0xCB9F, 0xCBB3, 0xCBB9, 0xCBC3, 0xCBD1, 0xCBD5, 0xCBD7, 
+	0xCBDD, 0xCBE9, 0xCBFF, 0xCC0D, 0xCC19, 0xCC1D, 0xCC23, 0xCC2B, 
+	0xCC41, 0xCC43, 0xCC4D, 0xCC59, 0xCC61, 0xCC89, 0xCC8B, 0xCC91, 
+	0xCC9B, 0xCCA3, 0xCCA7, 0xCCD1, 0xCCE5, 0xCCE9, 0xCD09, 0xCD15, 
+	0xCD1F, 0xCD25, 0xCD31, 0xCD3D, 0xCD3F, 0xCD49, 0xCD51, 0xCD57, 
+	0xCD5B, 0xCD63, 0xCD67, 0xCD81, 0xCD93, 0xCD97, 0xCD9F, 0xCDBB, 
+	0xCDC1, 0xCDD3, 0xCDD9, 0xCDE5, 0xCDE7, 0xCDF1, 0xCDF7, 0xCDFD, 
+	0xCE0B, 0xCE15, 0xCE21, 0xCE2F, 0xCE47, 0xCE4D, 0xCE51, 0xCE65, 
+	0xCE7B, 0xCE7D, 0xCE8F, 0xCE93, 0xCE99, 0xCEA5, 0xCEA7, 0xCEB7, 
+	0xCEC9, 0xCED7, 0xCEDD, 0xCEE3, 0xCEE7, 0xCEED, 0xCEF5, 0xCF07, 
+	0xCF0B, 0xCF19, 0xCF37, 0xCF3B, 0xCF4D, 0xCF55, 0xCF5F, 0xCF61, 
+	0xCF65, 0xCF6D, 0xCF79, 0xCF7D, 0xCF89, 0xCF9B, 0xCF9D, 0xCFA9, 
+	0xCFB3, 0xCFB5, 0xCFC5, 0xCFCD, 0xCFD1, 0xCFEF, 0xCFF1, 0xCFF7, 
+	0xD013, 0xD015, 0xD01F, 0xD021, 0xD033, 0xD03D, 0xD04B, 0xD04F, 
+	0xD069, 0xD06F, 0xD081, 0xD085, 0xD099, 0xD09F, 0xD0A3, 0xD0AB, 
+	0xD0BD, 0xD0C1, 0xD0CD, 0xD0E7, 0xD0FF, 0xD103, 0xD117, 0xD12D, 
+	0xD12F, 0xD141, 0xD157, 0xD159, 0xD15D, 0xD169, 0xD16B, 0xD171, 
+	0xD177, 0xD17D, 0xD181, 0xD187, 0xD195, 0xD199, 0xD1B1, 0xD1BD, 
+	0xD1C3, 0xD1D5, 0xD1D7, 0xD1E3, 0xD1FF, 0xD20D, 0xD211, 0xD217, 
+	0xD21F, 0xD235, 0xD23B, 0xD247, 0xD259, 0xD261, 0xD265, 0xD279, 
+	0xD27F, 0xD283, 0xD289, 0xD28B, 0xD29D, 0xD2A3, 0xD2A7, 0xD2B3, 
+	0xD2BF, 0xD2C7, 0xD2E3, 0xD2E9, 0xD2F1, 0xD2FB, 0xD2FD, 0xD315, 
+	0xD321, 0xD32B, 0xD343, 0xD34B, 0xD355, 0xD369, 0xD375, 0xD37B, 
+	0xD387, 0xD393, 0xD397, 0xD3A5, 0xD3B1, 0xD3C9, 0xD3EB, 0xD3FD, 
+	0xD405, 0xD40F, 0xD415, 0xD427, 0xD42F, 0xD433, 0xD43B, 0xD44B, 
+	0xD459, 0xD45F, 0xD463, 0xD469, 0xD481, 0xD483, 0xD489, 0xD48D, 
+	0xD493, 0xD495, 0xD4A5, 0xD4AB, 0xD4B1, 0xD4C5, 0xD4DD, 0xD4E1, 
+	0xD4E3, 0xD4E7, 0xD4F5, 0xD4F9, 0xD50B, 0xD50D, 0xD513, 0xD51F, 
+	0xD523, 0xD531, 0xD535, 0xD537, 0xD549, 0xD559, 0xD55F, 0xD565, 
+	0xD567, 0xD577, 0xD58B, 0xD591, 0xD597, 0xD5B5, 0xD5B9, 0xD5C1, 
+	0xD5C7, 0xD5DF, 0xD5EF, 0xD5F5, 0xD5FB, 0xD603, 0xD60F, 0xD62D, 
+	0xD631, 0xD643, 0xD655, 0xD65D, 0xD661, 0xD67B, 0xD685, 0xD687, 
+	0xD69D, 0xD6A5, 0xD6AF, 0xD6BD, 0xD6C3, 0xD6C7, 0xD6D9, 0xD6E1, 
+	0xD6ED, 0xD709, 0xD70B, 0xD711, 0xD715, 0xD721, 0xD727, 0xD73F, 
+	0xD745, 0xD74D, 0xD757, 0xD76B, 0xD77B, 0xD783, 0xD7A1, 0xD7A7, 
+	0xD7AD, 0xD7B1, 0xD7B3, 0xD7BD, 0xD7CB, 0xD7D1, 0xD7DB, 0xD7FB, 
+	0xD811, 0xD823, 0xD825, 0xD829, 0xD82B, 0xD82F, 0xD837, 0xD84D, 
+	0xD855, 0xD867, 0xD873, 0xD88F, 0xD891, 0xD8A1, 0xD8AD, 0xD8BF, 
+	0xD8CD, 0xD8D7, 0xD8E9, 0xD8F5, 0xD8FB, 0xD91B, 0xD925, 0xD933, 
+	0xD939, 0xD943, 0xD945, 0xD94F, 0xD951, 0xD957, 0xD96D, 0xD96F, 
+	0xD973, 0xD979, 0xD981, 0xD98B, 0xD991, 0xD99F, 0xD9A5, 0xD9A9, 
+	0xD9B5, 0xD9D3, 0xD9EB, 0xD9F1, 0xD9F7, 0xD9FF, 0xDA05, 0xDA09, 
+	0xDA0B, 0xDA0F, 0xDA15, 0xDA1D, 0xDA23, 0xDA29, 0xDA3F, 0xDA51, 
+	0xDA59, 0xDA5D, 0xDA5F, 0xDA71, 0xDA77, 0xDA7B, 0xDA7D, 0xDA8D, 
+	0xDA9F, 0xDAB3, 0xDABD, 0xDAC3, 0xDAC9, 0xDAE7, 0xDAE9, 0xDAF5, 
+	0xDB11, 0xDB17, 0xDB1D, 0xDB23, 0xDB25, 0xDB31, 0xDB3B, 0xDB43, 
+	0xDB55, 0xDB67, 0xDB6B, 0xDB73, 0xDB85, 0xDB8F, 0xDB91, 0xDBAD, 
+	0xDBAF, 0xDBB9, 0xDBC7, 0xDBCB, 0xDBCD, 0xDBEB, 0xDBF7, 0xDC0D, 
+	0xDC27, 0xDC31, 0xDC39, 0xDC3F, 0xDC49, 0xDC51, 0xDC61, 0xDC6F, 
+	0xDC75, 0xDC7B, 0xDC85, 0xDC93, 0xDC99, 0xDC9D, 0xDC9F, 0xDCA9, 
+	0xDCB5, 0xDCB7, 0xDCBD, 0xDCC7, 0xDCCF, 0xDCD3, 0xDCD5, 0xDCDF, 
+	0xDCF9, 0xDD0F, 0xDD15, 0xDD17, 0xDD23, 0xDD35, 0xDD39, 0xDD53, 
+	0xDD57, 0xDD5F, 0xDD69, 0xDD6F, 0xDD7D, 0xDD87, 0xDD89, 0xDD9B, 
+	0xDDA1, 0xDDAB, 0xDDBF, 0xDDC5, 0xDDCB, 0xDDCF, 0xDDE7, 0xDDE9, 
+	0xDDED, 0xDDF5, 0xDDFB, 0xDE0B, 0xDE19, 0xDE29, 0xDE3B, 0xDE3D, 
+	0xDE41, 0xDE4D, 0xDE4F, 0xDE59, 0xDE5B, 0xDE61, 0xDE6D, 0xDE77, 
+	0xDE7D, 0xDE83, 0xDE97, 0xDE9D, 0xDEA1, 0xDEA7, 0xDECD, 0xDED1, 
+	0xDED7, 0xDEE3, 0xDEF1, 0xDEF5, 0xDF01, 0xDF09, 0xDF13, 0xDF1F, 
+	0xDF2B, 0xDF33, 0xDF37, 0xDF3D, 0xDF4B, 0xDF55, 0xDF5B, 0xDF67, 
+	0xDF69, 0xDF73, 0xDF85, 0xDF87, 0xDF99, 0xDFA3, 0xDFAB, 0xDFB5, 
+	0xDFB7, 0xDFC3, 0xDFC7, 0xDFD5, 0xDFF1, 0xDFF3, 0xE003, 0xE005, 
+	0xE017, 0xE01D, 0xE027, 0xE02D, 0xE035, 0xE045, 0xE053, 0xE071, 
+	0xE07B, 0xE08F, 0xE095, 0xE09F, 0xE0B7, 0xE0B9, 0xE0D5, 0xE0D7, 
+	0xE0E3, 0xE0F3, 0xE0F9, 0xE101, 0xE125, 0xE129, 0xE131, 0xE135, 
+	0xE143, 0xE14F, 0xE159, 0xE161, 0xE16D, 0xE171, 0xE177, 0xE17F, 
+	0xE183, 0xE189, 0xE197, 0xE1AD, 0xE1B5, 0xE1BB, 0xE1BF, 0xE1C1, 
+	0xE1CB, 0xE1D1, 0xE1E5, 0xE1EF, 0xE1F7, 0xE1FD, 0xE203, 0xE219, 
+	0xE22B, 0xE22D, 0xE23D, 0xE243, 0xE257, 0xE25B, 0xE275, 0xE279, 
+	0xE287, 0xE29D, 0xE2AB, 0xE2AF, 0xE2BB, 0xE2C1, 0xE2C9, 0xE2CD, 
+	0xE2D3, 0xE2D9, 0xE2F3, 0xE2FD, 0xE2FF, 0xE311, 0xE323, 0xE327, 
+	0xE329, 0xE339, 0xE33B, 0xE34D, 0xE351, 0xE357, 0xE35F, 0xE363, 
+	0xE369, 0xE375, 0xE377, 0xE37D, 0xE383, 0xE39F, 0xE3C5, 0xE3C9, 
+	0xE3D1, 0xE3E1, 0xE3FB, 0xE3FF, 0xE401, 0xE40B, 0xE417, 0xE419, 
+	0xE423, 0xE42B, 0xE431, 0xE43B, 0xE447, 0xE449, 0xE453, 0xE455, 
+	0xE46D, 0xE471, 0xE48F, 0xE4A9, 0xE4AF, 0xE4B5, 0xE4C7, 0xE4CD, 
+	0xE4D3, 0xE4E9, 0xE4EB, 0xE4F5, 0xE507, 0xE521, 0xE525, 0xE537, 
+	0xE53F, 0xE545, 0xE54B, 0xE557, 0xE567, 0xE56D, 0xE575, 0xE585, 
+	0xE58B, 0xE593, 0xE5A3, 0xE5A5, 0xE5CF, 0xE609, 0xE611, 0xE615, 
+	0xE61B, 0xE61D, 0xE621, 0xE629, 0xE639, 0xE63F, 0xE653, 0xE657, 
+	0xE663, 0xE66F, 0xE675, 0xE681, 0xE683, 0xE68D, 0xE68F, 0xE695, 
+	0xE6AB, 0xE6AD, 0xE6B7, 0xE6BD, 0xE6C5, 0xE6CB, 0xE6D5, 0xE6E3, 
+	0xE6E9, 0xE6EF, 0xE6F3, 0xE705, 0xE70D, 0xE717, 0xE71F, 0xE72F, 
+	0xE73D, 0xE747, 0xE749, 0xE753, 0xE755, 0xE761, 0xE767, 0xE76B, 
+	0xE77F, 0xE789, 0xE791, 0xE7C5, 0xE7CD, 0xE7D7, 0xE7DD, 0xE7DF, 
+	0xE7E9, 0xE7F1, 0xE7FB, 0xE801, 0xE807, 0xE80F, 0xE819, 0xE81B, 
+	0xE831, 0xE833, 0xE837, 0xE83D, 0xE84B, 0xE84F, 0xE851, 0xE869, 
+	0xE875, 0xE879, 0xE893, 0xE8A5, 0xE8A9, 0xE8AF, 0xE8BD, 0xE8DB, 
+	0xE8E1, 0xE8E5, 0xE8EB, 0xE8ED, 0xE903, 0xE90B, 0xE90F, 0xE915, 
+	0xE917, 0xE92D, 0xE933, 0xE93B, 0xE94B, 0xE951, 0xE95F, 0xE963, 
+	0xE969, 0xE97B, 0xE983, 0xE98F, 0xE995, 0xE9A1, 0xE9B9, 0xE9D7, 
+	0xE9E7, 0xE9EF, 0xEA11, 0xEA19, 0xEA2F, 0xEA35, 0xEA43, 0xEA4D, 
+	0xEA5F, 0xEA6D, 0xEA71, 0xEA7D, 0xEA85, 0xEA89, 0xEAAD, 0xEAB3, 
+	0xEAB9, 0xEABB, 0xEAC5, 0xEAC7, 0xEACB, 0xEADF, 0xEAE5, 0xEAEB, 
+	0xEAF5, 0xEB01, 0xEB07, 0xEB09, 0xEB31, 0xEB39, 0xEB3F, 0xEB5B, 
+	0xEB61, 0xEB63, 0xEB6F, 0xEB81, 0xEB85, 0xEB9D, 0xEBAB, 0xEBB1, 
+	0xEBB7, 0xEBC1, 0xEBD5, 0xEBDF, 0xEBED, 0xEBFD, 0xEC0B, 0xEC1B, 
+	0xEC21, 0xEC29, 0xEC4D, 0xEC51, 0xEC5D, 0xEC69, 0xEC6F, 0xEC7B, 
+	0xECAD, 0xECB9, 0xECBF, 0xECC3, 0xECC9, 0xECCF, 0xECD7, 0xECDD, 
+	0xECE7, 0xECE9, 0xECF3, 0xECF5, 0xED07, 0xED11, 0xED1F, 0xED2F, 
+	0xED37, 0xED3D, 0xED41, 0xED55, 0xED59, 0xED5B, 0xED65, 0xED6B, 
+	0xED79, 0xED8B, 0xED95, 0xEDBB, 0xEDC5, 0xEDD7, 0xEDD9, 0xEDE3, 
+	0xEDE5, 0xEDF1, 0xEDF5, 0xEDF7, 0xEDFB, 0xEE09, 0xEE0F, 0xEE19, 
+	0xEE21, 0xEE49, 0xEE4F, 0xEE63, 0xEE67, 0xEE73, 0xEE7B, 0xEE81, 
+	0xEEA3, 0xEEAB, 0xEEC1, 0xEEC9, 0xEED5, 0xEEDF, 0xEEE1, 0xEEF1, 
+	0xEF1B, 0xEF27, 0xEF2F, 0xEF45, 0xEF4D, 0xEF63, 0xEF6B, 0xEF71, 
+	0xEF93, 0xEF95, 0xEF9B, 0xEF9F, 0xEFAD, 0xEFB3, 0xEFC3, 0xEFC5, 
+	0xEFDB, 0xEFE1, 0xEFE9, 0xF001, 0xF017, 0xF01D, 0xF01F, 0xF02B, 
+	0xF02F, 0xF035, 0xF043, 0xF047, 0xF04F, 0xF067, 0xF06B, 0xF071, 
+	0xF077, 0xF079, 0xF08F, 0xF0A3, 0xF0A9, 0xF0AD, 0xF0BB, 0xF0BF, 
+	0xF0C5, 0xF0CB, 0xF0D3, 0xF0D9, 0xF0E3, 0xF0E9, 0xF0F1, 0xF0F7, 
+	0xF107, 0xF115, 0xF11B, 0xF121, 0xF137, 0xF13D, 0xF155, 0xF175, 
+	0xF17B, 0xF18D, 0xF193, 0xF1A5, 0xF1AF, 0xF1B7, 0xF1D5, 0xF1E7, 
+	0xF1ED, 0xF1FD, 0xF209, 0xF20F, 0xF21B, 0xF21D, 0xF223, 0xF227, 
+	0xF233, 0xF23B, 0xF241, 0xF257, 0xF25F, 0xF265, 0xF269, 0xF277, 
+	0xF281, 0xF293, 0xF2A7, 0xF2B1, 0xF2B3, 0xF2B9, 0xF2BD, 0xF2BF, 
+	0xF2DB, 0xF2ED, 0xF2EF, 0xF2F9, 0xF2FF, 0xF305, 0xF30B, 0xF319, 
+	0xF341, 0xF359, 0xF35B, 0xF35F, 0xF367, 0xF373, 0xF377, 0xF38B, 
+	0xF38F, 0xF3AF, 0xF3C1, 0xF3D1, 0xF3D7, 0xF3FB, 0xF403, 0xF409, 
+	0xF40D, 0xF413, 0xF421, 0xF425, 0xF42B, 0xF445, 0xF44B, 0xF455, 
+	0xF463, 0xF475, 0xF47F, 0xF485, 0xF48B, 0xF499, 0xF4A3, 0xF4A9, 
+	0xF4AF, 0xF4BD, 0xF4C3, 0xF4DB, 0xF4DF, 0xF4ED, 0xF503, 0xF50B, 
+	0xF517, 0xF521, 0xF529, 0xF535, 0xF547, 0xF551, 0xF563, 0xF56B, 
+	0xF583, 0xF58D, 0xF595, 0xF599, 0xF5B1, 0xF5B7, 0xF5C9, 0xF5CF, 
+	0xF5D1, 0xF5DB, 0xF5F9, 0xF5FB, 0xF605, 0xF607, 0xF60B, 0xF60D, 
+	0xF635, 0xF637, 0xF653, 0xF65B, 0xF661, 0xF667, 0xF679, 0xF67F, 
+	0xF689, 0xF697, 0xF69B, 0xF6AD, 0xF6CB, 0xF6DD, 0xF6DF, 0xF6EB, 
+	0xF709, 0xF70F, 0xF72D, 0xF731, 0xF743, 0xF74F, 0xF751, 0xF755, 
+	0xF763, 0xF769, 0xF773, 0xF779, 0xF781, 0xF787, 0xF791, 0xF79D, 
+	0xF79F, 0xF7A5, 0xF7B1, 0xF7BB, 0xF7BD, 0xF7CF, 0xF7D3, 0xF7E7, 
+	0xF7EB, 0xF7F1, 0xF7FF, 0xF805, 0xF80B, 0xF821, 0xF827, 0xF82D, 
+	0xF835, 0xF847, 0xF859, 0xF863, 0xF865, 0xF86F, 0xF871, 0xF877, 
+	0xF87B, 0xF881, 0xF88D, 0xF89F, 0xF8A1, 0xF8AB, 0xF8B3, 0xF8B7, 
+	0xF8C9, 0xF8CB, 0xF8D1, 0xF8D7, 0xF8DD, 0xF8E7, 0xF8EF, 0xF8F9, 
+	0xF8FF, 0xF911, 0xF91D, 0xF925, 0xF931, 0xF937, 0xF93B, 0xF941, 
+	0xF94F, 0xF95F, 0xF961, 0xF96D, 0xF971, 0xF977, 0xF99D, 0xF9A3, 
+	0xF9A9, 0xF9B9, 0xF9CD, 0xF9E9, 0xF9FD, 0xFA07, 0xFA0D, 0xFA13, 
+	0xFA21, 0xFA25, 0xFA3F, 0xFA43, 0xFA51, 0xFA5B, 0xFA6D, 0xFA7B, 
+	0xFA97, 0xFA99, 0xFA9D, 0xFAAB, 0xFABB, 0xFABD, 0xFAD9, 0xFADF, 
+	0xFAE7, 0xFAED, 0xFB0F, 0xFB17, 0xFB1B, 0xFB2D, 0xFB2F, 0xFB3F, 
+	0xFB47, 0xFB4D, 0xFB75, 0xFB7D, 0xFB8F, 0xFB93, 0xFBB1, 0xFBB7, 
+	0xFBC3, 0xFBC5, 0xFBE3, 0xFBE9, 0xFBF3, 0xFC01, 0xFC29, 0xFC37, 
+	0xFC41, 0xFC43, 0xFC4F, 0xFC59, 0xFC61, 0xFC65, 0xFC6D, 0xFC73, 
+	0xFC79, 0xFC95, 0xFC97, 0xFC9B, 0xFCA7, 0xFCB5, 0xFCC5, 0xFCCD, 
+	0xFCEB, 0xFCFB, 0xFD0D, 0xFD0F, 0xFD19, 0xFD2B, 0xFD31, 0xFD51, 
+	0xFD55, 0xFD67, 0xFD6D, 0xFD6F, 0xFD7B, 0xFD85, 0xFD97, 0xFD99, 
+	0xFD9F, 0xFDA9, 0xFDB7, 0xFDC9, 0xFDE5, 0xFDEB, 0xFDF3, 0xFE03, 
+	0xFE05, 0xFE09, 0xFE1D, 0xFE27, 0xFE2F, 0xFE41, 0xFE4B, 0xFE4D, 
+	0xFE57, 0xFE5F, 0xFE63, 0xFE69, 0xFE75, 0xFE7B, 0xFE8F, 0xFE93, 
+	0xFE95, 0xFE9B, 0xFE9F, 0xFEB3, 0xFEBD, 0xFED7, 0xFEE9, 0xFEF3, 
+	0xFEF5, 0xFF07, 0xFF0D, 0xFF1D, 0xFF2B, 0xFF2F, 0xFF49, 0xFF4D, 
+	0xFF5B, 0xFF65, 0xFF71, 0xFF7F, 0xFF85, 0xFF8B, 0xFF8F, 0xFF9D, 
+	0xFFA7, 0xFFA9, 0xFFC7, 0xFFD9, 0xFFEF, 0xFFF1, 
+#endif
+};
+
diff --git a/security/nss/lib/freebl/mpi/stats b/security/nss/lib/freebl/mpi/stats
new file mode 100755
index 000000000..4e8c44357
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/stats
@@ -0,0 +1,74 @@
+#!/usr/bin/perl
+
+#
+# Treat each line as a sequence of comma and/or space delimited
+# floating point numbers, and compute basic statistics on them.
+# These are written to standard output
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998, 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+$min = 1.7976931348623157E+308;
+$max = 2.2250738585072014E-308;
+$sum = $num = 0;
+
+while(<>) {
+    chomp;
+
+    @nums = split(/[\s,]+/, $_);
+    next if($#nums < 0);
+
+    $num += scalar @nums;
+    foreach (@nums) {
+	$min = $_ if($_ < $min);
+	$max = $_ if($_ > $max);
+	$sum += $_;
+    }
+}
+
+if($num) {
+    $avg = $sum / $num;
+} else {
+    $min = $max = 0;
+}
+
+printf "%d\tmin=%.2f, avg=%.2f, max=%.2f, sum=%.2f\n",
+    $num, $min, $avg, $max, $sum;
+
+# end
diff --git a/security/nss/lib/freebl/mpi/target.mk b/security/nss/lib/freebl/mpi/target.mk
new file mode 100644
index 000000000..6f71e8053
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/target.mk
@@ -0,0 +1,249 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#   Richard C. Swift  (swift@netscape.com)
+#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
+CFLAGS= -O $(MPICMN)
+#CFLAGS=-ansi -fullwarn -woff 1521 -O3 $(MPICMN)
+#CFLAGS=-ansi -pedantic -Wall -O3 $(MPICMN)
+#CFLAGS=-ansi -pedantic -Wall -g -O2 -DMP_DEBUG=1 $(MPICMN)
+
+ifeq ($(TARGET),mipsIRIX)
+#IRIX
+#MPICMN += -DMP_MONT_USE_MP_MUL 
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+MPICMN += -DMP_USE_UINT_DIGIT
+#MPICMN += -DMP_NO_MP_WORD
+AS_OBJS = mpi_mips.o
+#ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 -exceptions
+ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
+#CFLAGS=-ansi -n32 -O3 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+CFLAGS=-ansi -n32 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+#CFLAGS=-ansi -n32 -g -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+#CFLAGS=-ansi -64 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE -DMP_NO_MP_WORD \
+ $(MPICMN)
+endif
+
+ifeq ($(TARGET),alphaOSF1)
+#Alpha/OSF1
+MPICMN += -DMP_ASSEMBLY_MULTIPLY
+AS_OBJS+= mpvalpha.o
+#CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT $(MPICMN)
+CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT \
+ -DMP_NO_MP_WORD $(MPICMN)
+endif
+
+ifeq ($(TARGET),v9SOLARIS)
+#Solaris 64
+SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xchip=ultra -xarch=v9a -KPIC -mt
+#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v9a -KPIC -mt
+SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v9a -KPIC -mt 
+AS_OBJS += montmulfv9.o 
+AS_OBJS += mpi_sparc.o mpv_sparcv9.o
+MPICMN += -DMP_USE_UINT_DIGIT 
+#MPICMN += -DMP_NO_MP_WORD 
+MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USING_MONT_MULF
+CFLAGS= -O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN)
+#CFLAGS= -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),v8plusSOLARIS)
+#Solaris 32
+SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8plusa -KPIC -mt
+SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
+AS_OBJS += montmulfv8.o 
+AS_OBJS += mpi_sparc.o mpv_sparcv8.o
+#AS_OBJS = montmulf.o
+MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USING_MONT_MULF 
+MPICMN += -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_MP_WORD
+CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_6 -xarch=v8plus -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),v8SOLARIS)
+#Solaris 32
+#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8 -KPIC -mt
+#SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
+#AS_OBJS = montmulfv8.o mpi_sparc.o mpv_sparcv8.o
+#AS_OBJS = montmulf.o
+#MPICMN += -DMP_USING_MONT_MULF
+#MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_MP_WORD
+CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_6 -xarch=v8 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),ia64HPUX)
+#HPUX 32 on ia64  -- 64 bit digits SCREAM.
+# This one is for DD32 which is the 32-bit ABI with 64-bit registers.
+CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
+#CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
+#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
+endif
+
+ifeq ($(TARGET),ia64HPUX64)
+#HPUX 32 on ia64
+# This one is for DD64 which is the 64-bit ABI 
+CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
+#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
+endif
+
+ifeq ($(TARGET),PA2.0WHPUX)
+#HPUX64 (HP PA 2.0 Wide) using MAXPY and 64-bit digits
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
+CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +O3 +DChpux -DHPUX11  -DXP_UNIX \
+ $(MPICMN)
+#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
+ $(MPICMN)
+AS = $(CC) $(CFLAGS) -c
+endif
+
+ifeq ($(TARGET),PA2.0NHPUX)
+#HPUX32 (HP PA 2.0 Narrow) hybrid model, using 32-bit digits
+# This one is for DA2.0 (N) which is the 32-bit ABI with 64-bit registers.
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
+CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
+ -Wl,+k $(MPICMN)
+#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
+ -Wl,+k $(MPICMN)
+AS = $(CC) $(CFLAGS) -c
+endif
+
+ifeq ($(TARGET),PA1.1HPUX)
+#HPUX32 (HP PA 1.1) Pure 32 bit
+MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
+CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
+##CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+# -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),32AIX)
+#
+CC = xlC_r
+MPICMN += -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_DIV_WORD
+#MPICMN += -DMP_NO_MUL_WORD
+MPICMN += -DMP_NO_ADD_WORD
+MPICMN += -DMP_NO_SUB_WORD
+#MPICMN += -DMP_NO_MP_WORD
+#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
+CFLAGS = -O -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
+#CFLAGS = -g -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
+#CFLAGS += -pg
+endif
+
+ifeq ($(TARGET),64AIX)
+#
+CC = xlC_r
+MPICMN += -DMP_USE_UINT_DIGIT
+CFLAGS = -O -O2 -DAIX -DSYSV -qarch=com -DAIX_64BIT -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN)
+OBJECT_MODE=64
+export OBJECT_MODE
+endif
+
+ifeq ($(TARGET),x86LINUX)
+#Linux
+AS_OBJS = mpi_x86.o
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+MPICMN += -DMP_MONT_USE_MP_MUL -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
+#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -DDEBUG -UNDEBUG -D_REENTRANT $(MPICMN)
+#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
+endif
+
+ifeq ($(TARGET),AMD64SOLARIS)
+ASFLAGS += -xarch=generic64
+AS_OBJS = mpi_amd64.o mpi_amd64_sun.o
+MP_CONFIG = -DMP_ASSEMBLY_MULTIPLY -DMPI_AMD64
+MP_CONFIG += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+CFLAGS = -xarch=generic64 -xO4 -I. -DMP_API_COMPATIBLE -DMP_IOFUNC $(MP_CONFIG)
+MPICMN += $(MP_CONFIG)
+
+mpi_amd64_asm.o: mpi_amd64_sun.s
+	$(AS) -xarch=generic64 -P -D_ASM mpi_amd64_sun.s
+endif
+
+ifeq ($(TARGET),WIN32)
+AS_OBJS = mpi_x86.obj
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD -DMP_API_COMPATIBLE 
+MPICMN += -DMP_MONT_USE_MP_MUL 
+MPICMN += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+CFLAGS  = -Od -Z7 -MDd -W3 -nologo -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USER)
+CFLAGS += -DWIN32 -D_WINDOWS -D_X86_ -DWIN95 -DXP_PC -DNSS_ENABLE_ECC 
+CFLAGS += $(MPICMN)
+
+$(AS_OBJS): %.obj : %.asm
+	ml -Cp -Sn -Zi -coff -nologo -c $<
+
+$(LIBOBJS): %.obj : %.c 
+	cl $(CFLAGS) -Fo$@ -c $<
+
+endif
diff --git a/security/nss/lib/freebl/mpi/test-arrays.txt b/security/nss/lib/freebl/mpi/test-arrays.txt
new file mode 100644
index 000000000..62c4c3d61
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/test-arrays.txt
@@ -0,0 +1,90 @@
+#
+# Test suite table for MPI library
+#
+# Format of entries:
+# suite-name:function-name:description
+#
+# suite-name	The name used to identify this test in mpi-test
+# function-name	The function called to perform this test in mpi-test.c
+# description   A brief description of what the suite tests
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+list:test_list:print out a list of the available test suites
+copy:test_copy:test assignment of mp-int structures
+exchange:test_exch:test exchange of mp-int structures
+zero:test_zero:test zeroing of an mp-int
+set:test_set:test setting an mp-int to a small constant
+absolute-value:test_abs:test the absolute value function
+negate:test_neg:test the arithmetic negation function
+add-digit:test_add_d:test digit addition
+add:test_add:test full addition
+subtract-digit:test_sub_d:test digit subtraction
+subtract:test_sub:test full subtraction
+multiply-digit:test_mul_d:test digit multiplication
+multiply:test_mul:test full multiplication
+square:test_sqr:test full squaring function
+divide-digit:test_div_d:test digit division
+divide-2:test_div_2:test division by two
+divide-2d:test_div_2d:test division & remainder by 2^d
+divide:test_div:test full division
+expt-digit:test_expt_d:test digit exponentiation
+expt:test_expt:test full exponentiation
+expt-2:test_2expt:test power-of-two exponentiation
+square-root:test_sqrt:test integer square root function
+modulo-digit:test_mod_d:test digit modular reduction
+modulo:test_mod:test full modular reduction
+mod-add:test_addmod:test modular addition
+mod-subtract:test_submod:test modular subtraction
+mod-multiply:test_mulmod:test modular multiplication
+mod-square:test_sqrmod:test modular squaring function
+mod-expt:test_exptmod:test full modular exponentiation
+mod-expt-digit:test_exptmod_d:test digit modular exponentiation
+mod-inverse:test_invmod:test modular inverse function
+compare-digit:test_cmp_d:test digit comparison function
+compare-zero:test_cmp_z:test zero comparison function
+compare:test_cmp:test general signed comparison
+compare-magnitude:test_cmp_mag:test general magnitude comparison
+parity:test_parity:test parity comparison functions
+gcd:test_gcd:test greatest common divisor functions
+lcm:test_lcm:test least common multiple function
+conversion:test_convert:test general radix conversion facilities
+binary:test_raw:test raw output format
+pprime:test_pprime:test probabilistic primality tester
+fermat:test_fermat:test Fermat pseudoprimality tester
diff --git a/security/nss/lib/freebl/mpi/test-info.c b/security/nss/lib/freebl/mpi/test-info.c
new file mode 100644
index 000000000..86682ecd5
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/test-info.c
@@ -0,0 +1,194 @@
+/*
+ *  test-info.c
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* Table mapping test suite names to index numbers */
+const int   g_count = 42;
+const char *g_names[] = {
+   "list",              /* print out a list of the available test suites */
+   "copy",              /* test assignment of mp-int structures          */
+   "exchange",          /* test exchange of mp-int structures            */
+   "zero",              /* test zeroing of an mp-int                     */
+   "set",               /* test setting an mp-int to a small constant    */
+   "absolute-value",    /* test the absolute value function              */
+   "negate",            /* test the arithmetic negation function         */
+   "add-digit",         /* test digit addition                           */
+   "add",               /* test full addition                            */
+   "subtract-digit",    /* test digit subtraction                        */
+   "subtract",          /* test full subtraction                         */
+   "multiply-digit",    /* test digit multiplication                     */
+   "multiply",          /* test full multiplication                      */
+   "square",            /* test full squaring function                   */
+   "divide-digit",      /* test digit division                           */
+   "divide-2",          /* test division by two                          */
+   "divide-2d",         /* test division & remainder by 2^d              */
+   "divide",            /* test full division                            */
+   "expt-digit",        /* test digit exponentiation                     */
+   "expt",              /* test full exponentiation                      */
+   "expt-2",            /* test power-of-two exponentiation              */
+   "square-root",       /* test integer square root function             */
+   "modulo-digit",      /* test digit modular reduction                  */
+   "modulo",            /* test full modular reduction                   */
+   "mod-add",           /* test modular addition                         */
+   "mod-subtract",      /* test modular subtraction                      */
+   "mod-multiply",      /* test modular multiplication                   */
+   "mod-square",        /* test modular squaring function                */
+   "mod-expt",          /* test full modular exponentiation              */
+   "mod-expt-digit",    /* test digit modular exponentiation             */
+   "mod-inverse",       /* test modular inverse function                 */
+   "compare-digit",     /* test digit comparison function                */
+   "compare-zero",      /* test zero comparison function                 */
+   "compare",           /* test general signed comparison                */
+   "compare-magnitude", /* test general magnitude comparison             */
+   "parity",            /* test parity comparison functions              */
+   "gcd",               /* test greatest common divisor functions        */
+   "lcm",               /* test least common multiple function           */
+   "conversion",        /* test general radix conversion facilities      */
+   "binary",            /* test raw output format                        */
+   "pprime",            /* test probabilistic primality tester           */
+   "fermat"             /* test Fermat pseudoprimality tester            */
+};
+
+/* Test function prototypes */
+int  test_list(void);
+int  test_copy(void);
+int  test_exch(void);
+int  test_zero(void);
+int  test_set(void);
+int  test_abs(void);
+int  test_neg(void);
+int  test_add_d(void);
+int  test_add(void);
+int  test_sub_d(void);
+int  test_sub(void);
+int  test_mul_d(void);
+int  test_mul(void);
+int  test_sqr(void);
+int  test_div_d(void);
+int  test_div_2(void);
+int  test_div_2d(void);
+int  test_div(void);
+int  test_expt_d(void);
+int  test_expt(void);
+int  test_2expt(void);
+int  test_sqrt(void);
+int  test_mod_d(void);
+int  test_mod(void);
+int  test_addmod(void);
+int  test_submod(void);
+int  test_mulmod(void);
+int  test_sqrmod(void);
+int  test_exptmod(void);
+int  test_exptmod_d(void);
+int  test_invmod(void);
+int  test_cmp_d(void);
+int  test_cmp_z(void);
+int  test_cmp(void);
+int  test_cmp_mag(void);
+int  test_parity(void);
+int  test_gcd(void);
+int  test_lcm(void);
+int  test_convert(void);
+int  test_raw(void);
+int  test_pprime(void);
+int  test_fermat(void);
+
+/* Table mapping index numbers to functions */
+int (*g_tests[])(void)  = {
+   test_list,     test_copy,     test_exch,     test_zero,     
+   test_set,      test_abs,      test_neg,      test_add_d,    
+   test_add,      test_sub_d,    test_sub,      test_mul_d,    
+   test_mul,      test_sqr,      test_div_d,    test_div_2,    
+   test_div_2d,   test_div,      test_expt_d,   test_expt,     
+   test_2expt,    test_sqrt,     test_mod_d,    test_mod,      
+   test_addmod,   test_submod,   test_mulmod,   test_sqrmod,   
+   test_exptmod,  test_exptmod_d, test_invmod,   test_cmp_d,    
+   test_cmp_z,    test_cmp,      test_cmp_mag,  test_parity,   
+   test_gcd,      test_lcm,      test_convert,  test_raw,      
+   test_pprime,   test_fermat
+};
+
+/* Table mapping index numbers to descriptions */
+const char *g_descs[] = {
+   "print out a list of the available test suites",
+   "test assignment of mp-int structures",
+   "test exchange of mp-int structures",
+   "test zeroing of an mp-int",
+   "test setting an mp-int to a small constant",
+   "test the absolute value function",
+   "test the arithmetic negation function",
+   "test digit addition",
+   "test full addition",
+   "test digit subtraction",
+   "test full subtraction",
+   "test digit multiplication",
+   "test full multiplication",
+   "test full squaring function",
+   "test digit division",
+   "test division by two",
+   "test division & remainder by 2^d",
+   "test full division",
+   "test digit exponentiation",
+   "test full exponentiation",
+   "test power-of-two exponentiation",
+   "test integer square root function",
+   "test digit modular reduction",
+   "test full modular reduction",
+   "test modular addition",
+   "test modular subtraction",
+   "test modular multiplication",
+   "test modular squaring function",
+   "test full modular exponentiation",
+   "test digit modular exponentiation",
+   "test modular inverse function",
+   "test digit comparison function",
+   "test zero comparison function",
+   "test general signed comparison",
+   "test general magnitude comparison",
+   "test parity comparison functions",
+   "test greatest common divisor functions",
+   "test least common multiple function",
+   "test general radix conversion facilities",
+   "test raw output format",
+   "test probabilistic primality tester",
+   "test Fermat pseudoprimality tester"
+};
+
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE b/security/nss/lib/freebl/mpi/tests/LICENSE
new file mode 100644
index 000000000..c2c5d0190
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE
@@ -0,0 +1,6 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+pi1k.txt
+pi2k.txt
+pi5k.txt
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
new file mode 100644
index 000000000..d1f78f522
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
@@ -0,0 +1,35 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-1.c b/security/nss/lib/freebl/mpi/tests/mptest-1.c
new file mode 100644
index 000000000..98a36cb06
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-1.c
@@ -0,0 +1,75 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 1: Simple input test (drives single-digit multiply and add,
+ *         as well as I/O routines)
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#ifdef MAC_CW_SIOUX
+#include <console.h>
+#endif
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  int    ix;
+  mp_int mp;
+
+#ifdef MAC_CW_SIOUX
+  argc = ccommand(&argv);
+#endif
+
+  mp_init(&mp);
+  
+  for(ix = 1; ix < argc; ix++) {
+    mp_read_radix(&mp, argv[ix], 10);
+    mp_print(&mp, stdout);
+    fputc('\n', stdout);
+  }
+
+  mp_clear(&mp);
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-2.c b/security/nss/lib/freebl/mpi/tests/mptest-2.c
new file mode 100644
index 000000000..7c09e7d2d
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-2.c
@@ -0,0 +1,86 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 2: Basic addition and subtraction test
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int a, b, c;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 2: Basic addition and subtraction\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("c = a + b\n");
+
+  mp_add(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  
+  printf("c = a - b\n");
+  
+  mp_sub(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3.c b/security/nss/lib/freebl/mpi/tests/mptest-3.c
new file mode 100644
index 000000000..43a287996
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-3.c
@@ -0,0 +1,131 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 3: Multiplication, division, and exponentiation test
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include <time.h>
+
+#include "mpi.h"
+
+#define  SQRT 1  /* define nonzero to get square-root test  */
+#define  EXPT 0  /* define nonzero to get exponentiate test */
+
+int main(int argc, char *argv[])
+{
+  int      ix;
+  mp_int   a, b, c, d;
+  mp_digit r;
+  mp_err   res;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 3: Multiplication and division\n\n");
+  srand(time(NULL));
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_variable_radix(&a, argv[1], 10);
+  mp_read_variable_radix(&b, argv[2], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = a * b\n");
+
+  mp_mul(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b * 32523\n");
+
+  mp_mul_d(&b, 32523, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  
+  mp_init(&d);
+  printf("\nc = a / b, d = a mod b\n");
+  
+  mp_div(&a, &b, &c, &d);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+  printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);  
+
+  ix = rand() % 256;
+  printf("\nc = a / %d, r = a mod %d\n", ix, ix);
+  mp_div_d(&a, (mp_digit)ix, &c, &r);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+  printf("r = %04X\n", r);
+
+#if EXPT
+  printf("\nc = a ** b\n");
+  mp_expt(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+#endif
+
+  ix = rand() % 256;
+  printf("\nc = 2^%d\n", ix);
+  mp_2expt(&c, ix);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+#if SQRT
+  printf("\nc = sqrt(a)\n");
+  if((res = mp_sqrt(&a, &c)) != MP_OKAY) {
+    printf("mp_sqrt: %s\n", mp_strerror(res));
+  } else {
+    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+    mp_sqr(&c, &c);
+    printf("c^2 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  }
+#endif
+
+  mp_clear(&d);
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3a.c b/security/nss/lib/freebl/mpi/tests/mptest-3a.c
new file mode 100644
index 000000000..a4d246212
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-3a.c
@@ -0,0 +1,144 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 3a: Multiplication vs. squaring timing test
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int        ix, num, prec = 8;
+  double     d1, d2;
+  clock_t    start, finish;
+  time_t     seed;
+  mp_int     a, c, d;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+    else
+      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+  }
+  
+  printf("Test 3a: Multiplication vs squaring timing test\n"
+	 "Precision:  %d digits (%u bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+
+  mp_init(&c); mp_init(&d);
+
+  printf("Verifying accuracy ... \n");
+  srand((unsigned int)seed);
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mp_mul(&a, &a, &c);
+    mp_sqr(&a, &d);
+
+    if(mp_cmp(&c, &d) != 0) {
+      printf("Error!  Results not accurate:\n");
+      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+      mp_sub(&c, &d, &d);
+      printf("dif "); mp_print(&d, stdout); fputc('\n', stdout);
+      mp_clear(&c); mp_clear(&d);
+      mp_clear(&a);
+      return 1;
+    }
+  }
+  printf("Accuracy is confirmed for the %d test samples\n", num);
+  mp_clear(&d);
+
+  printf("Testing squaring ... \n");
+  srand((unsigned int)seed);
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mp_sqr(&a, &c);
+  }
+  finish = clock();
+
+  d2 = (double)(finish - start) / CLOCKS_PER_SEC;
+
+  printf("Testing multiplication ... \n");
+  srand((unsigned int)seed);
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&a);
+    mp_mul(&a, &a, &c);
+  }
+  finish = clock();
+
+  d1 = (double)(finish - start) / CLOCKS_PER_SEC;
+
+  printf("Multiplication time: %.3f sec (%.3f each)\n", d1, d1 / num);
+  printf("Squaring time:       %.3f sec (%.3f each)\n", d2, d2 / num);
+  printf("Improvement:         %.2f%%\n", (1.0 - (d2 / d1)) * 100.0);
+
+  mp_clear(&c);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4.c b/security/nss/lib/freebl/mpi/tests/mptest-4.c
new file mode 100644
index 000000000..181cd4116
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4.c
@@ -0,0 +1,126 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 4: Modular arithmetic tests
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  int      ix;
+  mp_int   a, b, c, m;
+  mp_digit r;
+
+  if(argc < 4) {
+    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 4: Modular arithmetic\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+  mp_init(&m);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  mp_read_radix(&m, argv[3], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  printf("m = "); mp_print(&m, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = a (mod m)\n");
+
+  mp_mod(&a, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b (mod m)\n");
+
+  mp_mod(&b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b (mod 1853)\n");
+
+  mp_mod_d(&b, 1853, &r);
+  printf("c = %04X\n", r);
+
+  printf("\nc = (a + b) mod m\n");
+
+  mp_addmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a - b) mod m\n");
+
+  mp_submod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a * b) mod m\n");
+
+  mp_mulmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a ** b) mod m\n");
+
+  mp_exptmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nIn-place modular squaring test:\n");
+  for(ix = 0; ix < 5; ix++) {
+    printf("a = (a * a) mod m   a = ");
+    mp_sqrmod(&a, &m, &a);
+    mp_print(&a, stdout);
+    fputc('\n', stdout);
+  }
+  
+
+  mp_clear(&c);
+  mp_clear(&m);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4a.c b/security/nss/lib/freebl/mpi/tests/mptest-4a.c
new file mode 100644
index 000000000..87cb37547
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4a.c
@@ -0,0 +1,138 @@
+/* 
+ *  mptest4a - modular exponentiation speed test 
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+extern mp_err s_mp_pad();
+
+int main(int argc, char *argv[])
+{
+  int        ix, num, prec = 8;
+  unsigned   int d;
+  instant_t  start, finish;
+  time_t     seed;
+  mp_int     a, m, c;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+  }
+  
+  printf("Test 3a: Modular exponentiation timing test\n"
+	 "Precision:  %d digits (%d bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&m, prec);
+  mp_init_size(&c, prec);
+  s_mp_pad(&a, prec);
+  s_mp_pad(&m, prec);
+  s_mp_pad(&c, prec);
+
+  printf("Testing modular exponentiation ... \n");
+  srand((unsigned int)seed);
+
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&a);
+    mpp_random(&c);
+    mpp_random(&m);
+    mp_exptmod(&a, &c, &m, &c);
+  }
+  finish = now();
+
+  d = (finish.sec - start.sec) * 1000000;
+  d -= start.usec; d += finish.usec;
+
+  printf("Total time elapsed:        %u usec\n", d);
+  printf("Time per exponentiation:   %u usec (%.3f sec)\n", 
+	 (d / num), (double)(d / num) / 1000000);
+
+  mp_clear(&c);
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4b.c b/security/nss/lib/freebl/mpi/tests/mptest-4b.c
new file mode 100644
index 000000000..3b5f3b924
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4b.c
@@ -0,0 +1,135 @@
+/*
+ * mptest-4b.c
+ *
+ * Test speed of a large modular exponentiation of a primitive element
+ * modulo a prime.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+char *g_prime = 
+  "34BD53C07350E817CCD49721020F1754527959C421C1533244769D4CF060A8B1C3DA"
+  "25094BE723FB1E2369B55FEEBBE0FAC16425161BF82684062B5EC5D7D47D1B23C117"
+  "0FA19745E44A55E148314E582EB813AC9EE5126295E2E380CACC2F6D206B293E5ED9"
+  "23B54EE961A8C69CD625CE4EC38B70C649D7F014432AEF3A1C93";
+char *g_gen = "5";
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+extern mp_err s_mp_pad();
+
+int main(int argc, char *argv[])
+{
+  instant_t    start, finish;
+  mp_int       prime, gen, expt, res;
+  unsigned int ix, diff;
+  int          num;
+
+  srand(time(NULL));
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(num == 0)
+    ++num;
+
+  mp_init(&prime); mp_init(&gen); mp_init(&res);
+  mp_read_radix(&prime, g_prime, 16);
+  mp_read_radix(&gen, g_gen, 16);
+
+  mp_init_size(&expt, USED(&prime) - 1);
+  s_mp_pad(&expt, USED(&prime) - 1);
+
+  printf("Testing %d modular exponentations ... \n", num);
+
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&expt);
+    mp_exptmod(&gen, &expt, &prime, &res);
+  }
+  finish = now();
+
+  diff = (finish.sec - start.sec) * 1000000;
+  diff += finish.usec; diff -= start.usec;
+
+  printf("%d operations took %u usec (%.3f sec)\n",
+	 num, diff, (double)diff / 1000000.0);
+  printf("That is %.3f sec per operation.\n",
+	 ((double)diff / 1000000.0) / num);
+
+  mp_clear(&expt);
+  mp_clear(&res);
+  mp_clear(&gen);
+  mp_clear(&prime);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5.c b/security/nss/lib/freebl/mpi/tests/mptest-5.c
new file mode 100644
index 000000000..e77c5b0f2
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-5.c
@@ -0,0 +1,103 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 5: Other number theoretic functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int   a, b, c, x, y;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 5: Number theoretic functions\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = (a, b)\n");
+
+  mp_gcd(&a, &b, &c);
+  printf("Euclid: c = "); mp_print(&c, stdout); fputc('\n', stdout);
+/*
+  mp_bgcd(&a, &b, &c);
+  printf("Binary: c = "); mp_print(&c, stdout); fputc('\n', stdout);
+*/
+  mp_init(&x);
+  mp_init(&y);
+  printf("\nc = (a, b) = ax + by\n");
+
+  mp_xgcd(&a, &b, &c, &x, &y);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  printf("x = "); mp_print(&x, stdout); fputc('\n', stdout);
+  printf("y = "); mp_print(&y, stdout); fputc('\n', stdout);
+
+  printf("\nc = a^-1 (mod b)\n");
+  if(mp_invmod(&a, &b, &c) == MP_UNDEF) {
+    printf("a has no inverse mod b\n");
+  } else {
+    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  }
+
+  mp_clear(&y);
+  mp_clear(&x);
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5a.c b/security/nss/lib/freebl/mpi/tests/mptest-5a.c
new file mode 100644
index 000000000..0cc2f0349
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-5a.c
@@ -0,0 +1,165 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 5a: Greatest common divisor speed test, binary vs. Euclid
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+#define PRECISION 16
+
+int main(int argc, char *argv[])
+{
+  int          ix, num, prec = PRECISION;
+  mp_int       a, b, c, d;
+  instant_t    start, finish;
+  time_t       seed;
+  unsigned int d1, d2;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  printf("Test 5a: Euclid vs. Binary, a GCD speed test\n\n"
+	 "Number of tests: %d\n"
+	 "Precision:       %d digits\n\n", num, prec);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&b, prec);
+  mp_init(&c);
+  mp_init(&d);
+
+  printf("Verifying accuracy ... \n");
+  srand((unsigned int)seed);
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+
+    mp_gcd(&a, &b, &c);
+    mp_bgcd(&a, &b, &d);
+
+    if(mp_cmp(&c, &d) != 0) {
+      printf("Error!  Results not accurate:\n");
+      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+      printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+
+      mp_clear(&a); mp_clear(&b); mp_clear(&c); mp_clear(&d);
+      return 1;
+    }
+  }
+  mp_clear(&d);
+  printf("Accuracy confirmed for the %d test samples\n", num);
+
+  printf("Testing Euclid ... \n");
+  srand((unsigned int)seed);
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+    mp_gcd(&a, &b, &c);
+
+  }
+  finish = now();
+
+  d1 = (finish.sec - start.sec) * 1000000;
+  d1 -= start.usec; d1 += finish.usec;
+
+  printf("Testing binary ... \n");
+  srand((unsigned int)seed);
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+    mp_bgcd(&a, &b, &c);
+  }
+  finish = now();
+
+  d2 = (finish.sec - start.sec) * 1000000;
+  d2 -= start.usec; d2 += finish.usec;
+
+  printf("Euclidean algorithm time: %u usec\n", d1);
+  printf("Binary algorithm time:    %u usec\n", d2);
+  printf("Improvement:              %.2f%%\n",
+         (1.0 - ((double)d2 / (double)d1)) * 100.0);
+
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-6.c b/security/nss/lib/freebl/mpi/tests/mptest-6.c
new file mode 100644
index 000000000..a587778c9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-6.c
@@ -0,0 +1,111 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 6: Output functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+void print_buf(FILE *ofp, char *buf, int len)
+{
+  int ix, brk = 0;
+
+  for(ix = 0; ix < len; ix++) {
+    fprintf(ofp, "%02X ", buf[ix]);
+
+    brk = (brk + 1) & 0xF;
+    if(!brk) 
+      fputc('\n', ofp);
+  }
+
+  if(brk)
+    fputc('\n', ofp);
+
+}
+
+int main(int argc, char *argv[])
+{
+  int       ix, size;
+  mp_int    a;
+  char     *buf;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 6: Output functions\n\n");
+
+  mp_init(&a);
+
+  mp_read_radix(&a, argv[1], 10);
+
+  printf("\nConverting to a string:\n");
+
+  printf("Rx Size Representation\n");
+  for(ix = 2; ix <= MAX_RADIX; ix++) {
+    size = mp_radix_size(&a, ix);
+
+    buf = calloc(size, sizeof(char));
+    mp_toradix(&a, buf, ix);
+    printf("%2d: %3d: %s\n", ix, size, buf);
+    free(buf);
+
+  }
+
+  printf("\nRaw output:\n");
+  size = mp_raw_size(&a);
+  buf = calloc(size, sizeof(char));
+
+  printf("Size:  %d bytes\n", size);
+
+  mp_toraw(&a, buf);
+  print_buf(stdout, buf, size);
+  free(buf);
+  
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-7.c b/security/nss/lib/freebl/mpi/tests/mptest-7.c
new file mode 100644
index 000000000..3153133cb
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-7.c
@@ -0,0 +1,107 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 7: Random and divisibility tests
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_IOFUNC 1
+#include "mpi.h"
+
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  mp_digit  num;
+  mp_int    a, b;
+
+  srand(time(NULL));
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 7: Random & divisibility tests\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  if(mpp_divis(&a, &b) == MP_YES)
+    printf("a is divisible by b\n");
+  else
+    printf("a is not divisible by b\n");
+
+  if(mpp_divis(&b, &a) == MP_YES)
+    printf("b is divisible by a\n");
+  else
+    printf("b is not divisible by a\n");
+
+  printf("\nb = mpp_random()\n");
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  printf("\nTesting a for divisibility by first 170 primes\n");
+  num = 170;
+  if(mpp_divis_primes(&a, &num) == MP_YES)
+    printf("It is divisible by at least one of them\n");
+  else
+    printf("It is not divisible by any of them\n");
+
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-8.c b/security/nss/lib/freebl/mpi/tests/mptest-8.c
new file mode 100644
index 000000000..8bff49b20
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-8.c
@@ -0,0 +1,98 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 8: Probabilistic primality tester
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_IOFUNC 1
+#include "mpi.h"
+
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int       ix;
+  mp_digit  num;
+  mp_int    a;
+
+  srand(time(NULL));
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 8: Probabilistic primality testing\n\n");
+
+  mp_init(&a);
+
+  mp_read_radix(&a, argv[1], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+
+  printf("\nChecking for divisibility by small primes ... \n");
+  num = 170;
+  if(mpp_divis_primes(&a, &num) == MP_YES) {
+    printf("it is not prime\n");
+    goto CLEANUP;
+  }
+  printf("Passed that test (not divisible by any small primes).\n");
+
+  for(ix = 0; ix < 10; ix++) {
+    printf("\nPerforming Rabin-Miller test, iteration %d\n", ix + 1);
+
+    if(mpp_pprime(&a, 5) == MP_NO) {
+      printf("it is not prime\n");
+      goto CLEANUP;
+    }
+  }
+  printf("All tests passed; a is probably prime\n");
+
+CLEANUP:
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-9.c b/security/nss/lib/freebl/mpi/tests/mptest-9.c
new file mode 100644
index 000000000..03444cba1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-9.c
@@ -0,0 +1,116 @@
+/*
+ *    mptest-9.c
+ *
+ *   Test logical functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mplogic.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int    a, b, c;
+  int       pco;
+  mp_err    res;
+
+  printf("Test 9: Logical functions\n\n");
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&b); mp_init(&c);
+  mp_read_radix(&a, argv[1], 16);
+  mp_read_radix(&b, argv[2], 16);
+
+  printf("a       = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b       = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  mpl_not(&a, &c);
+  printf("~a      = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_and(&a, &b, &c);
+  printf("a & b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_or(&a, &b, &c);
+  printf("a | b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_xor(&a, &b, &c);
+  printf("a ^ b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_rsh(&a, &c, 1);
+  printf("a >>  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_rsh(&a, &c, 5);
+  printf("a >>  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_rsh(&a, &c, 16);
+  printf("a >> 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_lsh(&a, &c, 1);
+  printf("a <<  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_lsh(&a, &c, 5);
+  printf("a <<  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_lsh(&a, &c, 16);
+  printf("a << 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_num_set(&a, &pco);
+  printf("population(a) = %d\n", pco);
+  mpl_num_set(&b, &pco);
+  printf("population(b) = %d\n", pco);
+
+  res = mpl_parity(&a);
+  if(res == MP_EVEN)
+    printf("a has even parity\n");
+  else
+    printf("a has odd parity\n");
+  
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
+
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-b.c b/security/nss/lib/freebl/mpi/tests/mptest-b.c
new file mode 100644
index 000000000..6da6b136a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-b.c
@@ -0,0 +1,220 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test GF2m: Binary Polynomial Arithmetic
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mp_gf2m.h"
+
+int main(int argc, char *argv[])
+{
+    int      ix;
+    mp_int   pp, a, b, x, y, order;
+    mp_int   c, d, e;
+    mp_digit r;
+    mp_err   res;
+    unsigned int p[] = {163,7,6,3,0};
+    unsigned int ptemp[10];
+
+    printf("Test b: Binary Polynomial Arithmetic\n\n");
+
+    mp_init(&pp);
+    mp_init(&a);
+    mp_init(&b);
+    mp_init(&x);
+    mp_init(&y);
+    mp_init(&order);
+
+    mp_read_radix(&pp, "0800000000000000000000000000000000000000C9", 16);
+    mp_read_radix(&a, "1", 16);
+    mp_read_radix(&b, "020A601907B8C953CA1481EB10512F78744A3205FD", 16);
+    mp_read_radix(&x, "03F0EBA16286A2D57EA0991168D4994637E8343E36", 16);
+    mp_read_radix(&y, "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 16);
+    mp_read_radix(&order, "040000000000000000000292FE77E70C12A4234C33", 16);
+    printf("pp = "); mp_print(&pp, stdout); fputc('\n', stdout);
+    printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+    printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+    printf("x = "); mp_print(&x, stdout); fputc('\n', stdout);
+    printf("y = "); mp_print(&y, stdout); fputc('\n', stdout);
+    printf("order = "); mp_print(&order, stdout); fputc('\n', stdout);
+
+    mp_init(&c);
+    mp_init(&d);
+    mp_init(&e);
+
+    /* Test polynomial conversion */
+    ix = mp_bpoly2arr(&pp, ptemp, 10);
+    if (
+	(ix != 5) ||
+	(ptemp[0] != p[0]) ||
+	(ptemp[1] != p[1]) ||
+	(ptemp[2] != p[2]) ||
+	(ptemp[3] != p[3]) ||
+	(ptemp[4] != p[4])
+    ) {
+	printf("Polynomial to array conversion not correct\n"); 
+	return -1;
+    }
+
+    printf("Polynomial conversion test #1 successful.\n");
+    MP_CHECKOK( mp_barr2poly(p, &c) );
+    if (mp_cmp(&pp, &c) != 0) {
+        printf("Array to polynomial conversion not correct\n"); 
+        return -1;
+    }
+    printf("Polynomial conversion test #2 successful.\n");
+
+    /* Test addition */
+    MP_CHECKOK( mp_badd(&a, &a, &c) );
+    if (mp_cmp_z(&c) != 0) {
+        printf("a+a should equal zero\n"); 
+        return -1;
+    }
+    printf("Addition test #1 successful.\n");
+    MP_CHECKOK( mp_badd(&a, &b, &c) );
+    MP_CHECKOK( mp_badd(&b, &c, &c) );
+    if (mp_cmp(&c, &a) != 0) {
+        printf("c = (a + b) + b should equal a\n"); 
+        printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Addition test #2 successful.\n");
+    
+    /* Test multiplication */
+    mp_set(&c, 2);
+    MP_CHECKOK( mp_bmul(&b, &c, &c) );
+    MP_CHECKOK( mp_badd(&b, &c, &c) );
+    mp_set(&d, 3);
+    MP_CHECKOK( mp_bmul(&b, &d, &d) );
+    if (mp_cmp(&c, &d) != 0) {
+        printf("c = (2 * b) + b should equal c = 3 * b\n"); 
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Multiplication test #1 successful.\n");
+
+    /* Test modular reduction */
+    MP_CHECKOK( mp_bmod(&b, p, &c) );
+    if (mp_cmp(&b, &c) != 0) {
+        printf("c = b mod p should equal b\n"); 
+        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular reduction test #1 successful.\n");
+    MP_CHECKOK( mp_badd(&b, &pp, &c) );
+    MP_CHECKOK( mp_bmod(&c, p, &c) );
+    if (mp_cmp(&b, &c) != 0) {
+        printf("c = (b + p) mod p should equal b\n"); 
+        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular reduction test #2 successful.\n");
+    MP_CHECKOK( mp_bmul(&b, &pp, &c) );
+    MP_CHECKOK( mp_bmod(&c, p, &c) );
+    if (mp_cmp_z(&c) != 0) {
+        printf("c = (b * p) mod p should equal 0\n"); 
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular reduction test #3 successful.\n");
+
+    /* Test modular multiplication */
+    MP_CHECKOK( mp_bmulmod(&b, &pp, p, &c) );
+    if (mp_cmp_z(&c) != 0) {
+        printf("c = (b * p) mod p should equal 0\n"); 
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular multiplication test #1 successful.\n");
+    mp_set(&c, 1);
+    MP_CHECKOK( mp_badd(&pp, &c, &c) );
+    MP_CHECKOK( mp_bmulmod(&b, &c, p, &c) );
+    if (mp_cmp(&b, &c) != 0) {
+        printf("c = (b * (p + 1)) mod p should equal b\n"); 
+        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular multiplication test #2 successful.\n");
+
+    /* Test modular squaring */
+    MP_CHECKOK( mp_copy(&b, &c) );
+    MP_CHECKOK( mp_bmulmod(&b, &c, p, &c) );
+    MP_CHECKOK( mp_bsqrmod(&b, p, &d) );
+    if (mp_cmp(&c, &d) != 0) {
+        printf("c = (b * b) mod p should equal d = b^2 mod p\n"); 
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular squaring test #1 successful.\n");
+    
+    /* Test modular division */
+    MP_CHECKOK( mp_bdivmod(&b, &x, &pp, p, &c) );
+    MP_CHECKOK( mp_bmulmod(&c, &x, p, &c) );
+    if (mp_cmp(&b, &c) != 0) {
+        printf("c = (b / x) * x mod p should equal b\n"); 
+        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+        return -1;
+    }
+    printf("Modular division test #1 successful.\n");
+
+CLEANUP:
+
+    mp_clear(&order);
+    mp_clear(&y);
+    mp_clear(&x);
+    mp_clear(&b);
+    mp_clear(&a);
+    mp_clear(&pp);
+
+    return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/pi1k.txt b/security/nss/lib/freebl/mpi/tests/pi1k.txt
new file mode 100644
index 000000000..5ff6209ff
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi1k.txt
@@ -0,0 +1 @@
+31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989
diff --git a/security/nss/lib/freebl/mpi/tests/pi2k.txt b/security/nss/lib/freebl/mpi/tests/pi2k.txt
new file mode 100644
index 000000000..9ce82acd1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi2k.txt
@@ -0,0 +1 @@
+314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759010
diff --git a/security/nss/lib/freebl/mpi/tests/pi5k.txt b/security/nss/lib/freebl/mpi/tests/pi5k.txt
new file mode 100644
index 000000000..901fac2ea
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi5k.txt
@@ -0,0 +1 @@
+314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759009946576407895126946839835259570982582262052248940772671947826848260147699090264013639443745530506820349625245174939965143142980919065925093722169646151570985838741059788595977297549893016175392846813826868386894277415599185592524595395943104997252468084598727364469584865383673622262609912460805124388439045124413654976278079771569143599770012961608944169486855584840635342207222582848864815845602850601684273945226746767889525213852254995466672782398645659611635488623057745649803559363456817432411251507606947945109659609402522887971089314566913686722874894056010150330861792868092087476091782493858900971490967598526136554978189312978482168299894872265880485756401427047755513237964145152374623436454285844479526586782105114135473573952311342716610213596953623144295248493718711014576540359027993440374200731057853906219838744780847848968332144571386875194350643021845319104848100537061468067491927819119793995206141966342875444064374512371819217999839101591956181467514269123974894090718649423196156794520809514655022523160388193014209376213785595663893778708303906979207734672218256259966150142150306803844773454920260541466592520149744285073251866600213243408819071048633173464965145390579626856100550810665879699816357473638405257145910289706414011097120628043903975951567715770042033786993600723055876317635942187312514712053292819182618612586732157919841484882916447060957527069572209175671167229109816909152801735067127485832228718352093539657251210835791513698820914442100675103346711031412671113699086585163983150197016515116851714376576183515565088490998985998238734552833163550764791853589322618548963213293308985706420467525907091548141654985946163718027098199430992448895757128289059232332609729971208443357326548938239119325974636673058360414281388303203824903758985243744170291327656180937734440307074692112019130203303801976211011004492932151608424448596376698389522868478312355265821314495768572624334418930396864262434107732269780280731891544110104468232527162010526522721116603966655730925471105578537634668206531098965269186205647693125705863566201855810072936065987648611791045334885034611365768675324944166803962657978771855608455296541266540853061434443185867697514566140680070023787765913440171274947042056223053899456131407112700040785473326993908145466464588079727082668306343285878569830523580893306575740679545716377525420211495576158140025012622859413021647155097925923099079654737612551765675135751782966645477917450112996148903046399471329621073404375189573596145890193897131117904297828564750320319869151402870808599048010941214722131794764777262241425485454033215718530614228813758504306332175182979866223717215916077166925474873898665494945011465406284336639379003976926567214638530673609657120918076383271664162748888007869256029022847210403172118608204190004229661711963779213375751149595015660496318629472654736425230817703675159067350235072835405670403867435136222247715891504953098444893330963408780769325993978054193414473774418426312986080998886874132604721
diff --git a/security/nss/lib/freebl/mpi/timetest b/security/nss/lib/freebl/mpi/timetest
new file mode 100755
index 000000000..ee896d54a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/timetest
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+# Simple timing test for the MPI library.  Basically, we use prime
+# generation as a timing test, since it exercises most of the pathways
+# of the library fairly heavily.  The 'primegen' tool outputs a line
+# summarizing timing results.  We gather these and process them for
+# statistical information, which is collected into a file.
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Netscape Communications Corporation
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# 
+# $Id$
+#
+
+# Avoid using built-in shell echoes
+ECHO=/bin/echo
+MAKE=gmake
+PERL=perl
+
+# Use a fixed seed so timings will be more consistent
+# This one is the 11th-18th decimal digits of 'e'
+#export SEED=45904523
+SEED=45904523; export SEED
+
+#------------------------------------------------------------------------
+
+$ECHO "\n** Running timing tests for MPI library\n"
+
+$ECHO "Bringing 'metime' up to date ... "
+if $MAKE metime ; then
+    :
+else 
+    $ECHO "\nMake failed to build metime.\n"
+    exit 1
+fi
+
+if [ ! -x ./metime ] ; then 
+    $ECHO "\nCannot find 'metime' program, testing cannot continue.\n"
+    exit 1
+fi
+
+#------------------------------------------------------------------------
+
+$ECHO "Bringing 'primegen' up to date ... "
+if $MAKE primegen ; then
+    :
+else
+    $ECHO "\nMake failed to build primegen.\n"
+    exit 1
+fi
+
+if [ ! -x ./primegen ] ; then
+    $ECHO "\nCannot find 'primegen' program, testing cannot continue.\n"
+    exit 1
+fi
+
+#------------------------------------------------------------------------
+
+rm -f timing-results.txt
+touch timing-results.txt
+
+sizes="256 512 1024 2048"
+ntests=10
+
+trap 'echo "oop!";rm -f tt*.tmp timing-results.txt;exit 0' INT HUP
+
+$ECHO "\n-- Modular exponentiation\n"
+$ECHO "Modular exponentiation:" >> timing-results.txt
+
+$ECHO "Running $ntests modular exponentiations per test:"
+for size in $sizes ; do
+    $ECHO "- Gathering statistics for $size bits ... "
+    secs=`./metime $ntests $size | tail -1 | awk '{print $2}'`
+    $ECHO "$size: " $secs " seconds per op" >> timing-results.txt
+    tail -1 timing-results.txt
+done
+
+$ECHO "<done>";
+
+sizes="256 512 1024"
+ntests=1
+
+$ECHO "\n-- Prime generation\n"
+$ECHO "Prime generation:" >> timing-results.txt
+
+$ECHO "Generating $ntests prime values per test:"
+for size in $sizes ; do
+    $ECHO "- Gathering statistics for $size bits ... "
+    ./primegen $size $ntests | grep ticks | awk '{print $7}' | tr -d '(' > tt$$.tmp
+    $ECHO "$size:" >> timing-results.txt
+    $PERL stats tt$$.tmp >> timing-results.txt
+    tail -1 timing-results.txt
+    rm -f tt$$.tmp
+done
+
+$ECHO "<done>"
+
+trap 'rm -f tt*.tmp timing-results.txt' INT HUP
+
+exit 0
+
diff --git a/security/nss/lib/freebl/mpi/types.pl b/security/nss/lib/freebl/mpi/types.pl
new file mode 100755
index 000000000..6933d0dfe
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/types.pl
@@ -0,0 +1,162 @@
+#!/usr/bin/perl
+
+#
+# types.pl - find recommended type definitions for digits and words
+#
+# This script scans the Makefile for the C compiler and compilation
+# flags currently in use, and using this combination, attempts to
+# compile a simple test program that outputs the sizes of the various
+# unsigned integer types, in bytes.  Armed with these, it finds all
+# the "viable" type combinations for mp_digit and mp_word, where
+# viability is defined by the requirement that mp_word be at least two
+# times the precision of mp_digit.
+#
+# Of these, the one with the largest digit size is chosen, and
+# appropriate typedef statements are written to standard output.
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+@_=split(/\//,$0);chomp($prog=pop(@_));
+
+# The array of integer types to be considered...
+@TYPES = ( 
+	   "unsigned char", 
+	   "unsigned short", 
+	   "unsigned int", 
+	   "unsigned long"
+);
+
+# Macro names for the maximum unsigned value of each type
+%TMAX = ( 
+	  "unsigned char"   => "UCHAR_MAX",
+	  "unsigned short"  => "USHRT_MAX",
+	  "unsigned int"    => "UINT_MAX",
+	  "unsigned long"   => "ULONG_MAX"
+);
+
+# Read the Makefile to find out which C compiler to use
+open(MFP, "<Makefile") or die "$prog: Makefile: $!\n";
+while(<MFP>) {
+    chomp;
+    if(/^CC=(.*)$/) {
+	$cc = $1;
+	last if $cflags;
+    } elsif(/^CFLAGS=(.*)$/) {
+	$cflags = $1;
+	last if $cc;
+    }
+}
+close(MFP);
+
+# If we couldn't find that, use 'cc' by default
+$cc = "cc" unless $cc;
+
+printf STDERR "Using '%s' as the C compiler.\n", $cc;
+
+print STDERR "Determining type sizes ... \n";
+open(OFP, ">tc$$.c") or die "$prog: tc$$.c: $!\n";
+print OFP "#include <stdio.h>\n\nint main(void)\n{\n";
+foreach $type (@TYPES) {
+    printf OFP "\tprintf(\"%%d\\n\", (int)sizeof(%s));\n", $type;
+}
+print OFP "\n\treturn 0;\n}\n";
+close(OFP);
+
+system("$cc $cflags -o tc$$ tc$$.c");
+
+die "$prog: unable to build test program\n" unless(-x "tc$$");
+
+open(IFP, "./tc$$|") or die "$prog: can't execute test program\n";
+$ix = 0;
+while(<IFP>) {
+    chomp;
+    $size{$TYPES[$ix++]} = $_;
+}
+close(IFP);
+
+unlink("tc$$");
+unlink("tc$$.c");
+
+print STDERR "Selecting viable combinations ... \n";
+while(($type, $size) = each(%size)) {
+    push(@ts, [ $size, $type ]);
+}
+
+# Sort them ascending by size 
+@ts = sort { $a->[0] <=> $b->[0] } @ts;
+
+# Try all possible combinations, finding pairs in which the word size
+# is twice the digit size.  The number of possible pairs is too small
+# to bother doing this more efficiently than by brute force
+for($ix = 0; $ix <= $#ts; $ix++) {
+    $w = $ts[$ix];
+
+    for($jx = 0; $jx <= $#ts; $jx++) {
+	$d = $ts[$jx];
+
+	if($w->[0] == 2 * $d->[0]) {
+	    push(@valid, [ $d, $w ]);
+	}
+    }
+}
+
+# Sort descending by digit size
+@valid = sort { $b->[0]->[0] <=> $a->[0]->[0] } @valid;
+
+# Select the maximum as the recommended combination
+$rec = shift(@valid);
+
+printf("typedef %-18s mp_sign;\n", "char");
+printf("typedef %-18s mp_digit;  /* %d byte type */\n", 
+       $rec->[0]->[1], $rec->[0]->[0]);
+printf("typedef %-18s mp_word;   /* %d byte type */\n", 
+       $rec->[1]->[1], $rec->[1]->[0]);
+printf("typedef %-18s mp_size;\n", "unsigned int");
+printf("typedef %-18s mp_err;\n\n", "int");
+
+printf("#define %-18s (CHAR_BIT*sizeof(mp_digit))\n", "DIGIT_BIT");
+printf("#define %-18s %s\n", "DIGIT_MAX", $TMAX{$rec->[0]->[1]});
+printf("#define %-18s (CHAR_BIT*sizeof(mp_word))\n", "MP_WORD_BIT");
+printf("#define %-18s %s\n\n", "MP_WORD_MAX", $TMAX{$rec->[1]->[1]});
+printf("#define %-18s (DIGIT_MAX+1)\n\n", "RADIX");
+
+printf("#define %-18s \"%%0%dX\"\n", "DIGIT_FMT", (2 * $rec->[0]->[0]));
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE b/security/nss/lib/freebl/mpi/utils/LICENSE
new file mode 100644
index 000000000..5f96df7ab
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE
@@ -0,0 +1,4 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+PRIMES
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
new file mode 100644
index 000000000..d1f78f522
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
@@ -0,0 +1,35 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
diff --git a/security/nss/lib/freebl/mpi/utils/PRIMES b/security/nss/lib/freebl/mpi/utils/PRIMES
new file mode 100644
index 000000000..ed65703ff
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/PRIMES
@@ -0,0 +1,41 @@
+Probable primes (sorted by number of significant bits)
+
+ 128: 81386202757205669562183851789305348631
+
+ 128: 180241813863264101444573802809858694397
+
+ 128: 245274683055224433281596312431122059021
+
+ 128: 187522309397665259809392608791686659539
+
+ 256: 83252422946206411852330647237287722547866360773229941071371588246436\
+      513990159
+
+ 256: 79132571131322331023736933767063051273085304521895229780914612117520\
+      058517909
+
+ 256: 72081815425552909748220041100909735706208853818662000557743644603407\
+      965465527
+
+ 256: 87504602391905701494845474079163412737334477797316409702279059573654\
+      274811271
+
+ 512: 12233064210800062190450937494718705259777386009095453001870729392786\
+      63450255179083524798507997690270500580265258111668148238355016411719\
+      9168737693316468563
+
+ 512: 12003639081420725322369909586347545220275253633035565716386136197501\
+      88208318984400479275215620499883521216480724155582768193682335576385\
+      2069481074929084063
+
+1024: 16467877625718912296741904171202513097057724053648819680815842057593\
+      20371835940722471475475803725455063836431454757000451907612224427007\
+      63984592414360595161051906727075047683803534852982766542661204179549\
+      77327573530800542562611753617736693359790119074768292178493884576587\
+      0230450429880021317876149636714743053
+
+1024: 16602953991090311275234291158294516471009930684624948451178742895360\
+      86073703307475884280944414508444679430090561246728195735962931545473\
+      40743240318558456247740186704660778277799687988031119436541068736925\
+      20563780233711166724859277827382391527748470939542560819625727876091\
+      5372193745283891895989104479029844957
diff --git a/security/nss/lib/freebl/mpi/utils/README b/security/nss/lib/freebl/mpi/utils/README
new file mode 100644
index 000000000..90da5fee5
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/README
@@ -0,0 +1,241 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+Portions created by the Initial Developer are Copyright (C) 1998, 2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+Additional MPI utilities
+------------------------
+
+The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
+the MPI library for dealing with prime numbers (in particular, testing
+for divisbility, and the Rabin-Miller probabilistic primality test).
+
+The files 'mplogic.h' and 'mplogic.c' define extensions to the MPI
+library for doing bitwise logical operations and shifting.
+
+This document assumes you have read the help file for the MPI library
+and understand its conventions.
+
+Divisibility (mpprime.h)
+------------
+
+To test a number for divisibility by another number:
+
+mpp_divis(a, b)		- test if b|a
+mpp_divis_d(a, d)	- test if d|a
+
+Each of these functions returns MP_YES if its initial argument is
+divisible by its second, or MP_NO if it is not.  Other errors may be
+returned as appropriate (such as MP_RANGE if you try to test for
+divisibility by zero).
+
+Randomness (mpprime.h)
+----------
+
+To generate random data:
+
+mpp_random(a)		- fill a with random data
+mpp_random_size(a, p)   - fill a with p digits of random data
+
+The mpp_random_size() function increases the precision of a to at
+least p, then fills all those digits randomly.  The mp_random()
+function fills a to its current precision (as determined by the number
+of significant digits, USED(a))
+
+Note that these functions simply use the C library's rand() function
+to fill a with random digits up to its precision.  This should be
+adequate for primality testing, but should not be used for
+cryptographic applications where truly random values are required for
+security.  
+
+You should call srand() in your driver program in order to seed the
+random generator; this function doesn't call it.
+
+Primality Testing (mpprime.h)
+-----------------
+
+mpp_divis_vector(a, v, s, w)   - is a divisible by any of the s values
+                                 in v, and if so, w = which.
+mpp_divis_primes(a, np)   - is a divisible by any of the first np primes?
+mpp_fermat(a, w)          - is a pseudoprime with respect to witness w?
+mpp_pprime(a, nt)	  - run nt iterations of Rabin-Miller on a.
+
+The mpp_divis_vector() function tests a for divisibility by each
+member of an array of digits.  The array is v, the size of that array
+is s.  Returns MP_YES if a is divisible, and stores the index of the
+offending digit in w.  Returns MP_NO if a is not divisible by any of
+the digits in the array.
+
+A small table of primes is compiled into the library (typically the
+first 128 primes, although you can change this by editing the file
+'primes.c' before you build).  The global variable prime_tab_size
+contains the number of primes in the table, and the values themselves
+are in the array prime_tab[], which is an array of mp_digit.
+
+The mpp_divis_primes() function is basically just a wrapper around
+mpp_divis_vector() that uses prime_tab[] as the test vector.  The np
+parameter is a pointer to an mp_digit -- on input, it should specify
+the number of primes to be tested against.  If a is divisible by any
+of the primes, MP_YES is returned and np is given the prime value that
+divided a (you can use this if you're factoring, for example).
+Otherwise, MP_NO is returned and np is untouched.
+
+The function mpp_fermat() performs Fermat's test, using w as a
+witness.  This test basically relies on the fact that if a is prime,
+and w is relatively prime to a, then:
+
+	w^a = w (mod a)
+
+That is,
+
+	w^(a - 1) = 1 (mod a)
+
+The function returns MP_YES if the test passes, MP_NO if it fails.  If
+w is relatively prime to a, and the test fails, a is definitely
+composite.  If w is relatively prime to a and the test passes, then a
+is either prime, or w is a false witness (the probability of this
+happening depends on the choice of w and of a ... consult a number
+theory textbook for more information about this).  
+
+Note:  If (w, a) != 1, the output of this test is meaningless.
+----
+
+The function mpp_pprime() performs the Rabin-Miller probabilistic
+primality test for nt rounds.  If all the tests pass, MP_YES is
+returned, and a is probably prime.  The probability that an answer of
+MP_YES is incorrect is no greater than 1 in 4^nt, and in fact is
+usually much less than that (this is a pessimistic estimate).  If any
+test fails, MP_NO is returned, and a is definitely composite.
+
+Bruce Schneier recommends at least 5 iterations of this test for most
+cryptographic applications; Knuth suggests that 25 are reasonable.
+Run it as many times as you feel are necessary.
+
+See the programs 'makeprime.c' and 'isprime.c' for reasonable examples
+of how to use these functions for primality testing.
+
+
+Bitwise Logic (mplogic.c)
+-------------
+
+The four commonest logical operations are implemented as:
+
+mpl_not(a, b)		- Compute bitwise (one's) complement, b = ~a
+
+mpl_and(a, b, c)	- Compute bitwise AND, c = a & b
+
+mpl_or(a, b, c)		- Compute bitwise OR, c = a | b
+
+mpl_xor(a, b, c)	- Compute bitwise XOR, c = a ^ b
+
+Left and right shifts are available as well.  These take a number to
+shift, a destination, and a shift amount.  The shift amount must be a
+digit value between 0 and DIGIT_BIT inclusive; if it is not, MP_RANGE
+will be returned and the shift will not happen.
+
+mpl_rsh(a, b, d)	- Compute logical right shift, b = a >> d
+
+mpl_lsh(a, b, d)	- Compute logical left shift, b = a << d
+
+Since these are logical shifts, they fill with zeroes (the library
+uses a signed magnitude representation, so there are no sign bits to
+extend anyway).
+
+
+Command-line Utilities
+----------------------
+
+A handful of interesting command-line utilities are provided.  These
+are:
+
+lap.c		- Find the order of a mod m.  Usage is 'lap <a> <m>'.
+                  This uses a dumb algorithm, so don't use it for 
+                  a really big modulus.
+
+invmod.c	- Find the inverse of a mod m, if it exists.  Usage
+		  is 'invmod <a> <m>'
+
+sieve.c		- A simple bitmap-based implementation of the Sieve
+		  of Eratosthenes.  Used to generate the table of 
+		  primes in primes.c.  Usage is 'sieve <nbits>'
+
+prng.c          - Uses the routines in bbs_rand.{h,c} to generate
+                  one or more 32-bit pseudo-random integers.  This
+                  is mainly an example, not intended for use in a
+                  cryptographic application (the system time is 
+                  the only source of entropy used)
+
+dec2hex.c       - Convert decimal to hexadecimal
+
+hex2dec.c       - Convert hexadecimal to decimal
+
+basecvt.c       - General radix conversion tool (supports 2-64)
+
+isprime.c       - Probabilistically test an integer for primality
+                  using the Rabin-Miller pseudoprime test combined
+                  with division by small primes.
+
+primegen.c      - Generate primes at random.
+
+exptmod.c       - Perform modular exponentiation
+
+ptab.pl		- A Perl script to munge the output of the sieve
+		  program into a compilable C structure.
+
+
+Other Files
+-----------
+
+PRIMES		- Some randomly generated numbers which are prime with
+		  extremely high probability.
+
+README		- You're reading me already.
+
+
+About the Author
+----------------
+
+This software was written by Michael J. Fromberger.  You can contact
+the author as follows:
+
+E-mail:	  <sting@linguist.dartmouth.edu>
+
+Postal:	  8000 Cummings Hall, Thayer School of Engineering
+	  Dartmouth College, Hanover, New Hampshire, USA
+
+PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
+          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
+
+Last updated:  $Id$
diff --git a/security/nss/lib/freebl/mpi/utils/basecvt.c b/security/nss/lib/freebl/mpi/utils/basecvt.c
new file mode 100644
index 000000000..cf6d61196
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/basecvt.c
@@ -0,0 +1,100 @@
+/*
+ *  basecvt.c
+ *
+ *  Convert integer values specified on the command line from one input
+ *  base to another.  Accepts input and output bases between 2 and 36
+ *  inclusive.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+#define IBASE     10
+#define OBASE     16
+#define USAGE     "Usage: %s ibase obase [value]\n"
+#define MAXBASE   64
+#define MINBASE   2
+
+int main(int argc, char *argv[])
+{
+  int    ix, ibase = IBASE, obase = OBASE;
+  mp_int val;
+
+  ix = 1;
+  if(ix < argc) {
+    ibase = atoi(argv[ix++]);
+    
+    if(ibase < MINBASE || ibase > MAXBASE) {
+      fprintf(stderr, "%s: input radix must be between %d and %d inclusive\n",
+	      argv[0], MINBASE, MAXBASE);
+      return 1;
+    }
+  }
+  if(ix < argc) {
+    obase = atoi(argv[ix++]);
+
+    if(obase < MINBASE || obase > MAXBASE) {
+      fprintf(stderr, "%s: output radix must be between %d and %d inclusive\n",
+	      argv[0], MINBASE, MAXBASE);
+      return 1;
+    }
+  }
+
+  mp_init(&val);
+  while(ix < argc) {
+    char  *out;
+    int    outlen;
+
+    mp_read_radix(&val, argv[ix++], ibase);
+
+    outlen = mp_radix_size(&val, obase);
+    out = calloc(outlen, sizeof(char));
+    mp_toradix(&val, out, obase);
+
+    printf("%s\n", out);
+    free(out);
+  }
+
+  mp_clear(&val);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.c b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
new file mode 100644
index 000000000..8ec867d14
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
@@ -0,0 +1,96 @@
+/*
+ *  Blum, Blum & Shub PRNG using the MPI library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "bbs_rand.h"
+
+#define SEED     1
+#define MODULUS  2
+
+/* This modulus is the product of two randomly generated 512-bit
+   prime integers, each of which is congruent to 3 (mod 4).          */
+static char *bbs_modulus = 
+"75A2A6E1D27393B86562B9CE7279A8403CB4258A637DAB5233465373E37837383EDC"
+"332282B8575927BC4172CE8C147B4894050EE9D2BDEED355C121037270CA2570D127"
+"7D2390CD1002263326635CC6B259148DE3A1A03201980A925E395E646A5E9164B0EC"
+"28559EBA58C87447245ADD0651EDA507056A1129E3A3E16E903D64B437";
+
+static int    bbs_init = 0;  /* flag set when library is initialized */
+static mp_int bbs_state;     /* the current state of the generator   */
+
+/* Suggested size of random seed data */
+int           bbs_seed_size = (sizeof(bbs_modulus) / 2);
+
+void         bbs_srand(unsigned char *data, int len)
+{
+  if((bbs_init & SEED) == 0) {
+    mp_init(&bbs_state);
+    bbs_init |= SEED;
+  }
+
+  mp_read_raw(&bbs_state, (char *)data, len);
+
+} /* end bbs_srand() */
+
+unsigned int bbs_rand(void)
+{
+  static mp_int   modulus;
+  unsigned int    result = 0, ix;
+
+  if((bbs_init & MODULUS) == 0) {
+    mp_init(&modulus);
+    mp_read_radix(&modulus, bbs_modulus, 16);
+    bbs_init |= MODULUS;
+  }
+
+  for(ix = 0; ix < sizeof(unsigned int); ix++) {
+    mp_digit   d;
+
+    mp_sqrmod(&bbs_state, &modulus, &bbs_state);
+    d = DIGIT(&bbs_state, 0);
+
+    result = (result << CHAR_BIT) | (d & UCHAR_MAX);
+  }
+
+  return result;
+
+} /* end bbs_rand() */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.h b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
new file mode 100644
index 000000000..3bfe2d7fe
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
@@ -0,0 +1,57 @@
+/*
+ *  bbs_rand.h
+ *
+ *  Blum, Blum & Shub PRNG using the MPI library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _H_BBSRAND_
+#define _H_BBSRAND_
+
+#include <limits.h>
+#include "mpi.h"
+
+#define  BBS_RAND_MAX    UINT_MAX
+
+/* Suggested length of seed data */
+extern int bbs_seed_size;
+
+void         bbs_srand(unsigned char *data, int len);
+unsigned int bbs_rand(void);
+
+#endif /* end _H_BBSRAND_ */
diff --git a/security/nss/lib/freebl/mpi/utils/bbsrand.c b/security/nss/lib/freebl/mpi/utils/bbsrand.c
new file mode 100644
index 000000000..317058d69
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbsrand.c
@@ -0,0 +1,67 @@
+/*
+ *  bbsrand.c
+ *
+ *  Test driver for routines in bbs_rand.h
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <limits.h>
+
+#include "bbs_rand.h"
+
+#define NUM_TESTS   100
+
+int main(void)
+{
+  unsigned int   seed, result, ix;
+
+  seed = time(NULL);
+  bbs_srand((unsigned char *)&seed, sizeof(seed));
+
+  for(ix = 0; ix < NUM_TESTS; ix++) {
+    result = bbs_rand();
+    
+    printf("Test %3u: %08X\n", ix + 1, result);
+  }
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/dec2hex.c b/security/nss/lib/freebl/mpi/utils/dec2hex.c
new file mode 100644
index 000000000..a1658b54b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/dec2hex.c
@@ -0,0 +1,71 @@
+/*
+ *  dec2hex.c
+ *
+ *  Convert decimal integers into hexadecimal
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  char   *buf;
+  int     len;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 10);
+  len = mp_radix_size(&a, 16);
+  buf = malloc(len);
+  mp_toradix(&a, buf, 16);
+
+  printf("%s\n", buf);
+
+  free(buf);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/exptmod.c b/security/nss/lib/freebl/mpi/utils/exptmod.c
new file mode 100644
index 000000000..e1a87fa50
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/exptmod.c
@@ -0,0 +1,83 @@
+/*
+ *  exptmod.c
+ *
+ * Command line tool to perform modular exponentiation on arbitrary
+ * precision integers.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a, b, m;
+  mp_err  res;
+  char   *str;
+  int     len, rval = 0;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  mp_read_radix(&m, argv[3], 10);
+
+  if((res = mp_exptmod(&a, &b, &m, &a)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    rval = 1;
+  } else {
+    len = mp_radix_size(&a, 10);
+    str = calloc(len, sizeof(char));
+    mp_toradix(&a, str, 10);
+
+    printf("%s\n", str);
+
+    free(str);
+  }
+
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  return rval;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/fact.c b/security/nss/lib/freebl/mpi/utils/fact.c
new file mode 100644
index 000000000..d549cfa74
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/fact.c
@@ -0,0 +1,115 @@
+/*
+ * fact.c
+ *
+ * Compute factorial of input integer
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+mp_err mp_fact(mp_int *a, mp_int *b);
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  mp_err  res;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <number>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a);
+  mp_read_radix(&a, argv[1], 10);
+
+  if((res = mp_fact(&a, &a)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0],
+	    mp_strerror(res));
+    mp_clear(&a);
+    return 1;
+  }
+
+  {
+    char  *buf;
+    int    len;
+
+    len = mp_radix_size(&a, 10);
+    buf = malloc(len);
+    mp_todecimal(&a, buf);
+
+    puts(buf);
+
+    free(buf);
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+mp_err mp_fact(mp_int *a, mp_int *b)
+{
+  mp_int    ix, s;
+  mp_err    res = MP_OKAY;
+
+  if(mp_cmp_z(a) < 0)
+    return MP_UNDEF;
+
+  mp_init(&s);
+  mp_add_d(&s, 1, &s);   /* s = 1  */
+  mp_init(&ix);
+  mp_add_d(&ix, 1, &ix); /* ix = 1 */
+
+  for(/*  */; mp_cmp(&ix, a) <= 0; mp_add_d(&ix, 1, &ix)) {
+    if((res = mp_mul(&s, &ix, &s)) != MP_OKAY)
+      break;
+  }
+
+  mp_clear(&ix);
+
+  /* Copy out results if we got them */
+  if(res == MP_OKAY)
+    mp_copy(&s, b);
+
+  mp_clear(&s);
+
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/gcd.c b/security/nss/lib/freebl/mpi/utils/gcd.c
new file mode 100644
index 000000000..11980b86e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/gcd.c
@@ -0,0 +1,119 @@
+/*
+ *  gcd.c
+ *
+ *  Greatest common divisor
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+char     *g_prog = NULL;
+
+void print_mp_int(mp_int *mp, FILE *ofp);
+
+int main(int argc, char *argv[]) 
+{
+  mp_int   a, b, x, y;
+  mp_err   res;
+  int      ext = 0;
+
+  g_prog = argv[0];
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", g_prog);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 10);
+  mp_init(&b); mp_read_radix(&b, argv[2], 10);
+
+  /* If we were called 'xgcd', compute x, y so that g = ax + by */
+  if(strcmp(g_prog, "xgcd") == 0) {
+    ext = 1;
+    mp_init(&x); mp_init(&y);
+  }
+
+  if(ext) {
+    if((res = mp_xgcd(&a, &b, &a, &x, &y)) != MP_OKAY) {
+      fprintf(stderr, "%s: error: %s\n", g_prog, mp_strerror(res));
+      mp_clear(&a); mp_clear(&b);
+      mp_clear(&x); mp_clear(&y);
+      return 1;
+    }
+  } else {
+    if((res = mp_gcd(&a, &b, &a)) != MP_OKAY) {
+      fprintf(stderr, "%s: error: %s\n", g_prog,
+	      mp_strerror(res));
+      mp_clear(&a); mp_clear(&b);
+      return 1;
+    }
+  }
+
+  print_mp_int(&a, stdout); 
+  if(ext) {
+    fputs("x = ", stdout); print_mp_int(&x, stdout); 
+    fputs("y = ", stdout); print_mp_int(&y, stdout); 
+  }
+
+  mp_clear(&a); mp_clear(&b);
+
+  if(ext) {
+    mp_clear(&x);
+    mp_clear(&y);
+  }
+
+  return 0;
+
+}
+
+void print_mp_int(mp_int *mp, FILE *ofp)
+{
+  char  *buf;
+  int    len;
+
+  len = mp_radix_size(mp, 10);
+  buf = calloc(len, sizeof(char));
+  mp_todecimal(mp, buf);
+  fprintf(ofp, "%s\n", buf);
+  free(buf);
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/hex2dec.c b/security/nss/lib/freebl/mpi/utils/hex2dec.c
new file mode 100644
index 000000000..6d7d54d7f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/hex2dec.c
@@ -0,0 +1,71 @@
+/*
+ *  hex2dec.c
+ *
+ *  Convert decimal integers into hexadecimal
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  char   *buf;
+  int     len;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 16);
+  len = mp_radix_size(&a, 10);
+  buf = malloc(len);
+  mp_toradix(&a, buf, 10);
+
+  printf("%s\n", buf);
+
+  free(buf);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/identest.c b/security/nss/lib/freebl/mpi/utils/identest.c
new file mode 100644
index 000000000..a75d2b352
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/identest.c
@@ -0,0 +1,79 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "mpi.h"
+#include "mpprime.h"
+#include <sys/types.h>
+#include <time.h>
+
+#define MAX_PREC (4096 / MP_DIGIT_BIT)
+
+mp_err identity_test(void)
+{
+  mp_size       preca, precb;
+  mp_err        res;
+  mp_int        a, b;
+  mp_int        t1, t2, t3, t4, t5;
+
+  preca = (rand() % MAX_PREC) + 1;
+  precb = (rand() % MAX_PREC) + 1;
+
+  MP_DIGITS(&a) = 0;
+  MP_DIGITS(&b) = 0;
+  MP_DIGITS(&t1) = 0;
+  MP_DIGITS(&t2) = 0;
+  MP_DIGITS(&t3) = 0;
+  MP_DIGITS(&t4) = 0;
+  MP_DIGITS(&t5) = 0;
+
+  MP_CHECKOK( mp_init(&a)  );
+  MP_CHECKOK( mp_init(&b)  );
+  MP_CHECKOK( mp_init(&t1) );
+  MP_CHECKOK( mp_init(&t2) );
+  MP_CHECKOK( mp_init(&t3) );
+  MP_CHECKOK( mp_init(&t4) );
+  MP_CHECKOK( mp_init(&t5) );
+
+  MP_CHECKOK( mpp_random_size(&a, preca) );
+  MP_CHECKOK( mpp_random_size(&b, precb) );
+
+  if (mp_cmp(&a, &b) < 0)
+    mp_exch(&a, &b);
+
+  MP_CHECKOK( mp_mod(&a, &b, &t1) );       /* t1 = a%b */
+  MP_CHECKOK( mp_div(&a, &b, &t2, NULL) ); /* t2 = a/b */
+  MP_CHECKOK( mp_mul(&b, &t2, &t3) );      /* t3 = (a/b)*b */
+  MP_CHECKOK( mp_add(&t1, &t3, &t4) );     /* t4 = a%b + (a/b)*b */
+  MP_CHECKOK( mp_sub(&t4, &a, &t5) );      /* t5 = a%b + (a/b)*b - a */
+  if (mp_cmp_z(&t5) != 0) {
+    res = MP_UNDEF;
+    goto CLEANUP;
+  }
+
+CLEANUP:
+  mp_clear(&t5);
+  mp_clear(&t4);
+  mp_clear(&t3);
+  mp_clear(&t2);
+  mp_clear(&t1);
+  mp_clear(&b);
+  mp_clear(&a);
+  return res;
+}
+
+int
+main(void)
+{
+  unsigned int  seed = (unsigned int)time(NULL);
+  unsigned long count = 0;
+  mp_err        res;
+
+  srand(seed);
+
+  while (MP_OKAY == (res = identity_test())) {
+     if ((++count % 100) == 0)
+       fputc('.', stderr);
+  }
+
+  fprintf(stderr, "\ntest failed, err %d\n", res);
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/invmod.c b/security/nss/lib/freebl/mpi/utils/invmod.c
new file mode 100644
index 000000000..c1d488c5a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/invmod.c
@@ -0,0 +1,92 @@
+/*
+ *  invmod.c
+ *
+ *  Compute modular inverses
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1997
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int    a, m;
+  mp_err    res;
+  char     *buf;
+  int       len, out = 0;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&m, argv[2], 10);
+
+  if(mp_cmp(&a, &m) > 0)
+    mp_mod(&a, &m, &a);
+
+  switch((res = mp_invmod(&a, &m, &a))) {
+  case MP_OKAY:
+    len = mp_radix_size(&a, 10);
+    buf = malloc(len);
+
+    mp_toradix(&a, buf, 10);
+    printf("%s\n", buf);
+    free(buf);
+    break;
+
+  case MP_UNDEF:
+    printf("No inverse\n");
+    out = 1;
+    break;
+
+  default:
+    printf("error: %s (%d)\n", mp_strerror(res), res);
+    out = 2;
+    break;
+  }
+
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return out;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/isprime.c b/security/nss/lib/freebl/mpi/utils/isprime.c
new file mode 100644
index 000000000..b413f826f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/isprime.c
@@ -0,0 +1,121 @@
+/*
+ *  isprime.c
+ *
+ *  Probabilistic primality tester command-line tool
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+#define  RM_TESTS       15   /* how many iterations of Rabin-Miller? */
+#define  MINIMUM        1024 /* don't bother us with a < this        */
+
+int      g_tests = RM_TESTS;
+char    *g_prog = NULL;
+
+int main(int argc, char *argv[])
+{
+  mp_int   a;
+  mp_digit np = prime_tab_size; /* from mpprime.h */
+  int      res = 0;
+
+  g_prog = argv[0];
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>, where <a> is a decimal integer\n"
+	    "Use '0x' prefix for a hexadecimal value\n", g_prog);
+    return 1;
+  }
+
+  /* Read number of tests from environment, if present */
+  {
+    char *tmp;
+
+    if((tmp = getenv("RM_TESTS")) != NULL) {
+      if((g_tests = atoi(tmp)) <= 0)
+	g_tests = RM_TESTS;
+    }
+  }
+
+  mp_init(&a);
+  if(argv[1][0] == '0' && argv[1][1] == 'x')
+    mp_read_radix(&a, argv[1] + 2, 16);
+  else
+    mp_read_radix(&a, argv[1], 10);
+
+  if(mp_cmp_d(&a, MINIMUM) <= 0) {
+    fprintf(stderr, "%s: please use a value greater than %d\n", 
+	    g_prog, MINIMUM);
+    mp_clear(&a);
+    return 1;
+  }
+
+  /* Test for divisibility by small primes */
+  if(mpp_divis_primes(&a, &np) != MP_NO) {
+    printf("Not prime (divisible by small prime %d)\n", np);
+    res = 2;
+    goto CLEANUP;
+  }
+
+  /* Test with Fermat's test, using 2 as a witness */
+  if(mpp_fermat(&a, 2) != MP_YES) {
+    printf("Not prime (failed Fermat test)\n");
+    res = 2;
+    goto CLEANUP;
+  }
+ 
+  /* Test with Rabin-Miller probabilistic test */
+  if(mpp_pprime(&a, g_tests) == MP_NO) {
+      printf("Not prime (failed pseudoprime test)\n");
+      res = 2;
+      goto CLEANUP;
+  }
+
+  printf("Probably prime, 1 in 4^%d chance of false positive\n", g_tests);
+
+CLEANUP:
+  mp_clear(&a);
+  
+  return res;
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/lap.c b/security/nss/lib/freebl/mpi/utils/lap.c
new file mode 100644
index 000000000..5697c941d
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/lap.c
@@ -0,0 +1,121 @@
+/*
+ *  lap.c
+ *
+ *  Find least annihilating power of a mod m
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+
+#include "mpi.h"
+
+void sig_catch(int ign);
+
+int g_quit = 0;
+
+int main(int argc, char *argv[])
+{
+  mp_int   a, m, p, k;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a);
+  mp_init(&m);
+  mp_init(&p);
+  mp_add_d(&p, 1, &p);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&m, argv[2], 10);
+
+  mp_init_copy(&k, &a);
+
+  signal(SIGINT, sig_catch);
+#ifndef __OS2__
+  signal(SIGHUP, sig_catch);
+#endif
+  signal(SIGTERM, sig_catch);
+
+  while(mp_cmp(&p, &m) < 0) {
+    if(g_quit) {
+	int  len;
+	char *buf;
+
+	len = mp_radix_size(&p, 10);
+	buf = malloc(len);
+	mp_toradix(&p, buf, 10);
+	
+	fprintf(stderr, "Terminated at: %s\n", buf);
+	free(buf);
+	return 1;
+    }
+    if(mp_cmp_d(&k, 1) == 0) {
+      int    len;
+      char  *buf;
+
+      len = mp_radix_size(&p, 10);
+      buf = malloc(len);
+      mp_toradix(&p, buf, 10);
+
+      printf("%s\n", buf);
+
+      free(buf);
+      break;
+    }
+
+    mp_mulmod(&k, &a, &m, &k);
+    mp_add_d(&p, 1, &p);
+  }
+
+  if(mp_cmp(&p, &m) >= 0) 
+    printf("No annihilating power.\n");
+
+  mp_clear(&p);
+  mp_clear(&m);
+  mp_clear(&a);
+  return 0;
+}
+
+void sig_catch(int ign)
+{
+  g_quit = 1;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/makeprime.c b/security/nss/lib/freebl/mpi/utils/makeprime.c
new file mode 100644
index 000000000..f081c7e56
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/makeprime.c
@@ -0,0 +1,147 @@
+/*
+ * makeprime.c
+ *
+ * A simple prime generator function (and test driver).  Prints out the
+ * first prime it finds greater than or equal to the starting value.
+ *
+ * Usage: makeprime <start>
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+/* These two must be included for make_prime() to work */
+
+#include "mpi.h"
+#include "mpprime.h"
+
+/*
+  make_prime(p, nr)
+
+  Find the smallest prime integer greater than or equal to p, where
+  primality is verified by 'nr' iterations of the Rabin-Miller
+  probabilistic primality test.  The caller is responsible for
+  generating the initial value of p.
+
+  Returns MP_OKAY if a prime has been generated, otherwise the error
+  code indicates some other problem.  The value of p is clobbered; the
+  caller should keep a copy if the value is needed.  
+ */
+mp_err   make_prime(mp_int *p, int nr);
+
+/* The main() is not required -- it's just a test driver */
+int main(int argc, char *argv[])
+{
+  mp_int    start;
+  mp_err    res;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <start-value>\n", argv[0]);
+    return 1;
+  }
+	    
+  mp_init(&start);
+  if(argv[1][0] == '0' && tolower(argv[1][1]) == 'x') {
+    mp_read_radix(&start, argv[1] + 2, 16);
+  } else {
+    mp_read_radix(&start, argv[1], 10);
+  }
+  mp_abs(&start, &start);
+
+  if((res = make_prime(&start, 5)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    mp_clear(&start);
+
+    return 1;
+
+  } else {
+    char  *buf = malloc(mp_radix_size(&start, 10));
+
+    mp_todecimal(&start, buf);
+    printf("%s\n", buf);
+    free(buf);
+    
+    mp_clear(&start);
+
+    return 0;
+  }
+  
+} /* end main() */
+
+/*------------------------------------------------------------------------*/
+
+mp_err   make_prime(mp_int *p, int nr)
+{
+  mp_err  res;
+
+  if(mp_iseven(p)) {
+    mp_add_d(p, 1, p);
+  }
+
+  do {
+    mp_digit   which = prime_tab_size;
+
+    /*  First test for divisibility by a few small primes */
+    if((res = mpp_divis_primes(p, &which)) == MP_YES)
+      continue;
+    else if(res != MP_NO)
+      goto CLEANUP;
+
+    /* If that passes, try one iteration of Fermat's test */
+    if((res = mpp_fermat(p, 2)) == MP_NO)
+      continue;
+    else if(res != MP_YES)
+      goto CLEANUP;
+
+    /* If that passes, run Rabin-Miller as often as requested */
+    if((res = mpp_pprime(p, nr)) == MP_YES)
+      break;
+    else if(res != MP_NO)
+      goto CLEANUP;
+      
+  } while((res = mp_add_d(p, 2, p)) == MP_OKAY);
+
+ CLEANUP:
+  return res;
+
+} /* end make_prime() */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/metime.c b/security/nss/lib/freebl/mpi/utils/metime.c
new file mode 100644
index 000000000..29ee59050
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/metime.c
@@ -0,0 +1,136 @@
+/* 
+ *  metime.c
+ *
+ * Modular exponentiation timing test
+ *
+ * $Id$
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+double clk_to_sec(clock_t start, clock_t stop);
+
+int main(int argc, char *argv[])
+{
+  int          ix, num, prec = 8;
+  unsigned int seed;
+  clock_t      start, stop;
+  double       sec;
+
+  mp_int     a, m, c;
+
+  if(getenv("SEED") != NULL)
+    seed = abs(atoi(getenv("SEED")));
+  else 
+    seed = (unsigned int)time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<nbits>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+    else 
+      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+
+  }
+  
+  printf("Modular exponentiation timing test\n"
+	 "Precision:  %d digits (%d bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&m, prec);
+  mp_init_size(&c, prec);
+
+  srand(seed);
+
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+
+    mpp_random_size(&a, prec);
+    mpp_random_size(&c, prec);
+    mpp_random_size(&m, prec);
+    /* set msb and lsb of m */
+    DIGIT(&m,0) |= 1;
+    DIGIT(&m, USED(&m)-1) |= (mp_digit)1 << (DIGIT_BIT - 1);
+    if (mp_cmp(&a, &m) > 0)
+      mp_sub(&a, &m, &a);
+
+    mp_exptmod(&a, &c, &m, &c);
+  }
+  stop = clock();
+
+  sec = clk_to_sec(start, stop);
+
+  printf("Total:      %.3f seconds\n", sec);
+  printf("Individual: %.3f seconds\n", sec / num);
+
+  mp_clear(&c);
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return 0;
+}
+
+double clk_to_sec(clock_t start, clock_t stop)
+{
+  return (double)(stop - start) / CLOCKS_PER_SEC;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/pi.c b/security/nss/lib/freebl/mpi/utils/pi.c
new file mode 100644
index 000000000..1ca17669e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/pi.c
@@ -0,0 +1,197 @@
+/*
+ * pi.c
+ *
+ * Compute pi to an arbitrary number of digits.  Uses Machin's formula,
+ * like everyone else on the planet:
+ * 
+ *    pi = 16 * arctan(1/5) - 4 * arctan(1/239)
+ *
+ * This is pretty effective for up to a few thousand digits, but it
+ * gets pretty slow after that.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1999
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+
+mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum);
+
+int main(int argc, char *argv[])
+{
+  mp_err       res;
+  mp_digit     ndigits;
+  mp_int       sum1, sum2;
+  clock_t      start, stop;
+  int          out = 0;
+
+  /* Make the user specify precision on the command line */
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-digits>\n", argv[0]);
+    return 1;
+  }
+
+  if((ndigits = abs(atoi(argv[1]))) == 0) {
+    fprintf(stderr, "%s: you must request at least 1 digit\n", argv[0]);
+    return 1;
+  }
+
+  start = clock();
+  mp_init(&sum1); mp_init(&sum2);
+
+  /* sum1 = 16 * arctan(1/5)  */
+  if((res = arctan(16, 5, ndigits, &sum1)) != MP_OKAY) {
+    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+
+  /* sum2 = 4 * arctan(1/239) */
+  if((res = arctan(4, 239, ndigits, &sum2)) != MP_OKAY) {
+    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+
+  /* pi = sum1 - sum2         */
+  if((res = mp_sub(&sum1, &sum2, &sum1)) != MP_OKAY) {
+    fprintf(stderr, "%s: mp_sub: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+  stop = clock();
+
+  /* Write the output in decimal */
+  {
+    char  *buf = malloc(mp_radix_size(&sum1, 10));
+
+    if(buf == NULL) {
+      fprintf(stderr, "%s: out of memory\n", argv[0]);
+      out = 1; goto CLEANUP;
+    }
+    mp_todecimal(&sum1, buf);
+    printf("%s\n", buf);
+    free(buf);
+  }
+
+  fprintf(stderr, "Computation took %.2f sec.\n", 
+	  (double)(stop - start) / CLOCKS_PER_SEC);
+
+ CLEANUP:
+  mp_clear(&sum1);
+  mp_clear(&sum2);
+
+  return out;
+
+}
+
+/* Compute sum := mul * arctan(1/x), to 'prec' digits of precision */
+mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum)
+{
+  mp_int   t, v;
+  mp_digit q = 1, rd;
+  mp_err   res;
+  int      sign = 1;
+
+  prec += 3;  /* push inaccuracies off the end */
+
+  mp_init(&t); mp_set(&t, 10);
+  mp_init(&v); 
+  if((res = mp_expt_d(&t, prec, &t)) != MP_OKAY ||  /* get 10^prec    */
+     (res = mp_mul_d(&t, mul, &t)) != MP_OKAY ||    /* ... times mul  */
+     (res = mp_mul_d(&t, x, &t)) != MP_OKAY)        /* ... times x    */
+    goto CLEANUP;
+
+  /*
+    The extra multiplication by x in the above takes care of what
+    would otherwise have to be a special case for 1 / x^1 during the
+    first loop iteration.  A little sneaky, but effective.
+
+    We compute arctan(1/x) by the formula:
+
+         1     1       1       1
+	 - - ----- + ----- - ----- + ...
+	 x   3 x^3   5 x^5   7 x^7
+
+    We multiply through by 'mul' beforehand, which gives us a couple
+    more iterations and more precision
+   */
+
+  x *= x; /* works as long as x < sqrt(RADIX), which it is here */
+
+  mp_zero(sum);
+
+  do {
+    if((res = mp_div_d(&t, x, &t, &rd)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(sign < 0 && rd != 0)
+      mp_add_d(&t, 1, &t);
+
+    if((res = mp_div_d(&t, q, &v, &rd)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(sign < 0 && rd != 0)
+      mp_add_d(&v, 1, &v);
+
+    if(sign > 0)
+      res = mp_add(sum, &v, sum);
+    else
+      res = mp_sub(sum, &v, sum);
+
+    if(res != MP_OKAY)
+      goto CLEANUP;
+
+    sign *= -1;
+    q += 2;
+
+  } while(mp_cmp_z(&t) != 0);
+
+  /* Chop off inaccurate low-order digits */
+  mp_div_d(sum, 1000, sum, NULL);
+
+ CLEANUP:
+  mp_clear(&v);
+  mp_clear(&t);
+
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c
new file mode 100644
index 000000000..1cd5c9f5b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/primegen.c
@@ -0,0 +1,201 @@
+/*
+ *  primegen.c
+ *
+ * Generates random integers which are prime with a high degree of
+ * probability using the Miller-Rabin probabilistic primality testing
+ * algorithm.
+ *
+ * Usage:
+ *    primegen <bits> [<num>]
+ *
+ *    <bits>   - number of significant bits each prime should have
+ *    <num>    - number of primes to generate
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpprime.h"
+
+#undef MACOS		/* define if running on a Macintosh */
+
+#ifdef MACOS
+#include <console.h>
+#endif
+
+#define NUM_TESTS 5  /* Number of Rabin-Miller iterations to test with */
+
+#ifdef DEBUG
+#define FPUTC(x,y) fputc(x,y)
+#else
+#define FPUTC(x,y) 
+#endif
+
+int main(int argc, char *argv[])
+{
+  unsigned char *raw;
+  char          *out;
+  unsigned long nTries;
+  int		rawlen, bits, outlen, ngen, ix, jx;
+  int           g_strong = 0;
+  mp_int	testval;
+  mp_err	res;
+  clock_t	start, end;
+
+#ifdef MACOS
+  argc = ccommand(&argv);
+#endif
+
+  /* We'll just use the C library's rand() for now, although this
+     won't be good enough for cryptographic purposes */
+  if((out = getenv("SEED")) == NULL) {
+    srand((unsigned int)time(NULL));
+  } else {
+    srand((unsigned int)atoi(out));
+  }
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <bits> [<count> [strong]]\n", argv[0]);
+    return 1;
+  }
+	
+  if((bits = abs(atoi(argv[1]))) < CHAR_BIT) {
+    fprintf(stderr, "%s: please request at least %d bits.\n",
+	    argv[0], CHAR_BIT);
+    return 1;
+  }
+
+  /* If optional third argument is given, use that as the number of
+     primes to generate; otherwise generate one prime only.
+   */
+  if(argc < 3) {
+    ngen = 1;
+  } else {
+    ngen = abs(atoi(argv[2]));
+  }
+
+  /* If fourth argument is given, and is the word "strong", we'll 
+     generate strong (Sophie Germain) primes. 
+   */
+  if(argc > 3 && strcmp(argv[3], "strong") == 0)
+    g_strong = 1;
+
+  /* testval - candidate being tested; nTries - number tried so far */
+  if ((res = mp_init(&testval)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    return 1;
+  }
+  
+  if(g_strong) {
+    printf("Requested %d strong prime value(s) of %d bits.\n", 
+	   ngen, bits);
+  } else {
+    printf("Requested %d prime value(s) of %d bits.\n", ngen, bits);
+  }
+
+  rawlen = (bits / CHAR_BIT) + ((bits % CHAR_BIT) ? 1 : 0) + 1;
+
+  if((raw = calloc(rawlen, sizeof(unsigned char))) == NULL) {
+    fprintf(stderr, "%s: out of memory, sorry.\n", argv[0]);
+    return 1;
+  }
+
+  /* This loop is one for each prime we need to generate */
+  for(jx = 0; jx < ngen; jx++) {
+
+    raw[0] = 0;  /* sign is positive */
+
+    /*	Pack the initializer with random bytes	*/
+    for(ix = 1; ix < rawlen; ix++) 
+      raw[ix] = (rand() * rand()) & UCHAR_MAX;
+
+    raw[1] |= 0x80;             /* set high-order bit of test value     */
+    raw[rawlen - 1] |= 1;       /* set low-order bit of test value      */
+
+    /* Make an mp_int out of the initializer */
+    mp_read_raw(&testval, (char *)raw, rawlen);
+
+    /* Initialize candidate counter */
+    nTries = 0;
+
+    start = clock(); /* time generation for this prime */
+    do {
+      res = mpp_make_prime(&testval, bits, g_strong, &nTries);
+      if (res != MP_NO)
+	break;
+      /* This code works whether digits are 16 or 32 bits */
+      res = mp_add_d(&testval, 32 * 1024, &testval);
+      res = mp_add_d(&testval, 32 * 1024, &testval);
+      FPUTC(',', stderr);
+    } while (1);
+    end = clock();
+
+    if (res != MP_YES) {
+      break;
+    }
+    FPUTC('\n', stderr);
+    puts("The following value is probably prime:");
+    outlen = mp_radix_size(&testval, 10);
+    out = calloc(outlen, sizeof(unsigned char));
+    mp_toradix(&testval, (char *)out, 10);
+    printf("10: %s\n", out);
+    mp_toradix(&testval, (char *)out, 16);
+    printf("16: %s\n\n", out);
+    free(out);
+    
+    printf("Number of candidates tried: %lu\n", nTries);
+    printf("This computation took %ld clock ticks (%.2f seconds)\n",
+	   (end - start), ((double)(end - start) / CLOCKS_PER_SEC));
+    
+    FPUTC('\n', stderr);
+  } /* end of loop to generate all requested primes */
+  
+  if(res != MP_OKAY) 
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+
+  free(raw);
+  mp_clear(&testval);	
+  
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/prng.c b/security/nss/lib/freebl/mpi/utils/prng.c
new file mode 100644
index 000000000..320d12828
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/prng.c
@@ -0,0 +1,90 @@
+/*
+ *  prng.c
+ *
+ *  Command-line pseudo-random number generator
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#ifdef __OS2__
+#include <types.h>
+#include <process.h>
+#else
+#include <unistd.h>
+#endif
+
+#include "bbs_rand.h"
+
+int main(int argc, char *argv[])
+{
+  unsigned char *seed;
+  unsigned int   ix, num = 1;
+  pid_t          pid;
+  
+  if(argc > 1) {
+    num = atoi(argv[1]);
+    if(num <= 0) 
+      num = 1;
+  }
+
+  pid = getpid();
+  srand(time(NULL) * (unsigned int)pid);
+
+  /* Not a perfect seed, but not bad */
+  seed = malloc(bbs_seed_size);
+  for(ix = 0; ix < bbs_seed_size; ix++) {
+    seed[ix] = rand() % UCHAR_MAX;
+  }
+
+  bbs_srand(seed, bbs_seed_size);
+  memset(seed, 0, bbs_seed_size);
+  free(seed);
+
+  while(num-- > 0) {
+    ix = bbs_rand();
+
+    printf("%u\n", ix);
+  }
+
+  return 0;
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl
new file mode 100755
index 000000000..a1d9c3046
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/ptab.pl
@@ -0,0 +1,61 @@
+#!/usr/linguist/bin/perl
+
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+#
+# The Initial Developer of the Original Code is
+# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $Id$
+#
+
+while(<>) {
+    chomp;
+    push(@primes, $_);
+}
+
+printf("mp_size   prime_tab_size = %d;\n", ($#primes + 1));
+print "mp_digit  prime_tab[] = {\n";
+
+print "\t";
+$last = pop(@primes);
+foreach $prime (sort {$a<=>$b} @primes) {
+    printf("0x%04X, ", $prime);
+    $brk = ($brk + 1) % 8;
+    print "\n\t" if(!$brk);
+}
+printf("0x%04X", $last);
+print "\n" if($brk);
+print "};\n\n";
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/sieve.c b/security/nss/lib/freebl/mpi/utils/sieve.c
new file mode 100644
index 000000000..b699bec1a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/sieve.c
@@ -0,0 +1,268 @@
+/*
+ * sieve.c
+ *
+ * Finds prime numbers using the Sieve of Eratosthenes
+ *
+ * This implementation uses a bitmap to represent all odd integers in a
+ * given range.  We iterate over this bitmap, crossing off the
+ * multiples of each prime we find.  At the end, all the remaining set
+ * bits correspond to prime integers.
+ *
+ * Here, we make two passes -- once we have generated a sieve-ful of
+ * primes, we copy them out, reset the sieve using the highest
+ * generated prime from the first pass as a base.  Then we cross out
+ * all the multiples of all the primes we found the first time through,
+ * and re-sieve.  In this way, we get double use of the memory we
+ * allocated for the sieve the first time though.  Since we also
+ * implicitly ignore multiples of 2, this amounts to 4 times the
+ * values.
+ *
+ * This could (and probably will) be generalized to re-use the sieve a
+ * few more times.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
+ *
+ * The Initial Developer of the Original Code is
+ * Michael J. Fromberger.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+
+typedef unsigned char  byte;
+
+typedef struct {
+  int   size;
+  byte *bits;
+  long  base;
+  int   next;
+  int   nbits;
+} sieve;
+
+void sieve_init(sieve *sp, long base, int nbits);
+void sieve_grow(sieve *sp, int nbits);
+long sieve_next(sieve *sp);
+void sieve_reset(sieve *sp, long base);
+void sieve_cross(sieve *sp, long val);
+void sieve_clear(sieve *sp);
+
+#define S_ISSET(S, B)  (((S)->bits[(B)/CHAR_BIT]>>((B)%CHAR_BIT))&1)
+#define S_SET(S, B)    ((S)->bits[(B)/CHAR_BIT]|=(1<<((B)%CHAR_BIT)))
+#define S_CLR(S, B)    ((S)->bits[(B)/CHAR_BIT]&=~(1<<((B)%CHAR_BIT)))
+#define S_VAL(S, B)    ((S)->base+(2*(B)))
+#define S_BIT(S, V)    (((V)-((S)->base))/2)
+
+int main(int argc, char *argv[])
+{
+  sieve   s;
+  long    pr, *p;
+  int     c, ix, cur = 0;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <width>\n", argv[0]);
+    return 1;
+  }
+
+  c = atoi(argv[1]);
+  if(c < 0) c = -c;
+
+  fprintf(stderr, "%s: sieving to %d positions\n", argv[0], c);
+
+  sieve_init(&s, 3, c);
+
+  c = 0;
+  while((pr = sieve_next(&s)) > 0) {
+    ++c;
+  }
+
+  p = calloc(c, sizeof(long));
+  if(!p) {
+    fprintf(stderr, "%s: out of memory after first half\n", argv[0]);
+    sieve_clear(&s);
+    exit(1);
+  }
+
+  fprintf(stderr, "%s: half done ... \n", argv[0]);
+
+  for(ix = 0; ix < s.nbits; ix++) {
+    if(S_ISSET(&s, ix)) {
+      p[cur] = S_VAL(&s, ix);
+      printf("%ld\n", p[cur]);
+      ++cur;
+    }
+  }
+
+  sieve_reset(&s, p[cur - 1]);
+  fprintf(stderr, "%s: crossing off %d found primes ... \n", argv[0], cur);
+  for(ix = 0; ix < cur; ix++) {
+    sieve_cross(&s, p[ix]);
+    if(!(ix % 1000))
+      fputc('.', stderr);
+  }
+  fputc('\n', stderr);
+
+  free(p);
+
+  fprintf(stderr, "%s: sieving again from %ld ... \n", argv[0], p[cur - 1]);
+  c = 0;
+  while((pr = sieve_next(&s)) > 0) {
+    ++c;
+  }
+  
+  fprintf(stderr, "%s: done!\n", argv[0]);
+  for(ix = 0; ix < s.nbits; ix++) {
+    if(S_ISSET(&s, ix)) {
+      printf("%ld\n", S_VAL(&s, ix));
+    }
+  }
+
+  sieve_clear(&s);
+
+  return 0;
+}
+
+void sieve_init(sieve *sp, long base, int nbits)
+{
+  sp->size = (nbits / CHAR_BIT);
+
+  if(nbits % CHAR_BIT)
+    ++sp->size;
+
+  sp->bits = calloc(sp->size, sizeof(byte));
+  memset(sp->bits, UCHAR_MAX, sp->size);
+  if(!(base & 1))
+    ++base;
+  sp->base = base;
+  
+  sp->next = 0;
+  sp->nbits = sp->size * CHAR_BIT;
+}
+
+void sieve_grow(sieve *sp, int nbits)
+{
+  int  ns = (nbits / CHAR_BIT);
+
+  if(nbits % CHAR_BIT)
+    ++ns;
+
+  if(ns > sp->size) {
+    byte   *tmp;
+    int     ix;
+
+    tmp = calloc(ns, sizeof(byte));
+    if(tmp == NULL) {
+      fprintf(stderr, "Error: out of memory in sieve_grow\n");
+      return;
+    }
+
+    memcpy(tmp, sp->bits, sp->size);
+    for(ix = sp->size; ix < ns; ix++) {
+      tmp[ix] = UCHAR_MAX;
+    }
+
+    free(sp->bits);
+    sp->bits = tmp;
+    sp->size = ns;
+
+    sp->nbits = sp->size * CHAR_BIT;
+  }
+}
+
+long sieve_next(sieve *sp)
+{
+  long out;
+  int  ix = 0;
+  long val;
+
+  if(sp->next > sp->nbits)
+    return -1;
+
+  out = S_VAL(sp, sp->next);
+#ifdef DEBUG
+  fprintf(stderr, "Sieving %ld\n", out);
+#endif
+
+  /* Sieve out all multiples of the current prime */
+  val = out;
+  while(ix < sp->nbits) {
+    val += out;
+    ix = S_BIT(sp, val);
+    if((val & 1) && ix < sp->nbits) { /* && S_ISSET(sp, ix)) { */
+      S_CLR(sp, ix);
+#ifdef DEBUG
+      fprintf(stderr, "Crossing out %ld (bit %d)\n", val, ix);
+#endif
+    }
+  }
+
+  /* Scan ahead to the next prime */
+  ++sp->next;
+  while(sp->next < sp->nbits && !S_ISSET(sp, sp->next))
+    ++sp->next;
+
+  return out;
+}
+
+void sieve_cross(sieve *sp, long val)
+{
+  int  ix = 0;
+  long cur = val;
+
+  while(cur < sp->base)
+    cur += val;
+
+  ix = S_BIT(sp, cur);
+  while(ix < sp->nbits) {
+    if(cur & 1) 
+      S_CLR(sp, ix);
+    cur += val;
+    ix = S_BIT(sp, cur);
+  }
+}
+
+void sieve_reset(sieve *sp, long base)
+{
+  memset(sp->bits, UCHAR_MAX, sp->size);
+  sp->base = base;
+  sp->next = 0;
+}
+
+void sieve_clear(sieve *sp)
+{
+  if(sp->bits) 
+    free(sp->bits);
+
+  sp->bits = NULL;
+}
diff --git a/security/nss/lib/freebl/mpi/vis_32.il b/security/nss/lib/freebl/mpi/vis_32.il
new file mode 100644
index 000000000..8a57fbde3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_32.il
@@ -0,0 +1,1324 @@
+! 
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is vis inline macros (32 bit).  (vis_32.il 3.3).
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1995-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+! The interface to the VIS instructions as declared below (and in the VIS
+! User's Manual) will not change, but the macro implementation might change
+! in the future.
+
+!--------------------------------------------------------------------
+! Pure edge handling instructions
+!
+! int vis_edge8(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8,8
+	edge8	%o0,%o1,%o0
+	.end
+!
+! int vis_edge8l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8l,8
+	edge8l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16,8
+	edge16	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16l,8
+	edge16l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32,8
+	edge32	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32l,8
+	edge32l	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Edge handling instructions with negative return values if cc set
+!
+! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8cc,8
+	edge8	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8lcc,8
+	edge8l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16cc,8
+	edge16	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16lcc,8
+	edge16l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32cc,8
+	edge32	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32lcc,8
+	edge32l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Alignment instructions
+!
+! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddr,8
+	alignaddr	%o0,%o1,%o0
+	.end
+!
+! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddrl,8
+	alignaddrl	%o0,%o1,%o0
+	.end
+!
+! double vis_faligndata(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_faligndata,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	faligndata	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned comparison instructions
+!
+! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmple16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpne16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmple32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpne32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpgt16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpeq16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpgt32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpeq32	%f4,%f10,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned arithmetic
+!
+! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16,12
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	st	%o1,[%sp+0x48]
+	st	%o2,[%sp+0x4c]
+	ldd	[%sp+0x48],%f10
+	fmul8x16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16_dummy,16
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8x16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16au,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmul8x16au	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16al,8
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmul8x16al	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8sux16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8sux16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8ulx16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8ulx16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8sux16,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmuld8sux16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8ulx16,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmuld8ulx16	%f4,%f10,%f0
+	.end
+!
+! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd16,16
+	std	%o0,[%sp+0x40]
+	ldd	[%sp+0x40],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpadd16	%f4,%f10,%f0
+	.end
+!
+! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd16s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpadd16s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpadd32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd32s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpadd32s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpsub16	%f4,%f10,%f0
+	.end
+!
+! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub16s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpsub16s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpsub32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub32s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpsub32s	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel packing
+!
+! float vis_fpack16(double /*frs2*/);
+!
+	.inline vis_fpack16,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f0
+	.end
+
+!
+! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpack16_pair,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpack16	%f4,%f0
+	fpack16	%f10,%f1
+	.end
+!
+! void vis_st2_fpack16(double, double, double *)
+!
+	.inline vis_st2_fpack16,20
+ 	std	%o0,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f4
+ 	std	%o2,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f10
+ 	fpack16	%f4,%f0
+ 	fpack16	%f10,%f1
+ 	st	%f0,[%o4+0]
+ 	st	%f1,[%o4+4]
+ 	.end
+!
+! void vis_std_fpack16(double, double, double *)
+!
+	.inline vis_std_fpack16,20
+	std     %o0,[%sp+0x48]
+	ldd     [%sp+0x48],%f4
+	std     %o2,[%sp+0x48]
+	ldd     [%sp+0x48],%f10
+	fpack16 %f4,%f0
+	fpack16 %f10,%f1
+	std     %f0,[%o4]
+	.end
+!
+! void vis_st2_fpackfix(double, double, double *)
+!
+	.inline vis_st2_fpackfix,20
+ 	std	%o0,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f4
+ 	std	%o2,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f10
+ 	fpackfix %f4,%f0
+ 	fpackfix %f10,%f1
+ 	st	%f0,[%o4+0]
+ 	st	%f1,[%o4+4]
+ 	.end
+!
+! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_hi,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f0
+	.end
+
+! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_lo,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f3
+	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
+	.end
+
+!
+! double vis_fpack32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpack32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpackfix(double /*frs2*/);
+!
+	.inline vis_fpackfix,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpackfix	%f4,%f0
+	.end
+!
+! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpackfix_pair,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f6
+	fpackfix	%f4,%f0
+	fpackfix	%f6,%f1
+	.end
+
+!--------------------------------------------------------------------
+! Motion estimation
+!
+! double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
+!
+	.inline vis_pdist,24
+	std	%o4,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	pdist	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Channel merging
+!
+! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpmerge,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpmerge	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel expansion
+!
+! double vis_fexpand(float /*frs2*/);
+!
+	.inline vis_fexpand,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fexpand	%f4,%f0
+	.end
+
+! double vis_fexpand_hi(double /*frs2*/);
+!
+	.inline vis_fexpand_hi,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fexpand	%f4,%f0
+	.end
+
+! double vis_fexpand_lo(double /*frs2*/);
+!
+	.inline vis_fexpand_lo,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fmovs	%f5, %f2
+	fexpand	%f2,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Bitwise logical operations
+!
+! double vis_fnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fnor	%f4,%f10,%f0
+	.end
+!
+! float vis_fnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fnors	%f4,%f10,%f0
+	.end
+!
+! double vis_fandnot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fandnot,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fandnot1	%f4,%f10,%f0
+	.end
+!
+! float vis_fandnots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fandnots,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fandnot1s	%f4,%f10,%f0
+	.end
+!
+! double vis_fnot(double /*frs1*/);
+!
+	.inline vis_fnot,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fnot1	%f4,%f0
+	.end
+!
+! float vis_fnots(float /*frs1*/);
+!
+	.inline vis_fnots,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fnot1s	%f4,%f0
+	.end
+!
+! double vis_fxor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fxor	%f4,%f10,%f0
+	.end
+!
+! float vis_fxors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fxors	%f4,%f10,%f0
+	.end
+!
+! double vis_fnand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnand,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fnand	%f4,%f10,%f0
+	.end
+!
+! float vis_fnands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnands,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fnands	%f4,%f10,%f0
+	.end
+!
+! double vis_fand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fand,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fand	%f4,%f10,%f0
+	.end
+!
+! float vis_fands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fands,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fands	%f4,%f10,%f0
+	.end
+!
+! double vis_fxnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxnor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fxnor	%f4,%f10,%f0
+	.end
+!
+! float vis_fxnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxnors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fxnors	%f4,%f10,%f0
+	.end
+!
+! double vis_fsrc(double /*frs1*/);
+!
+	.inline vis_fsrc,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fsrc1	%f4,%f0
+	.end
+!
+! float vis_fsrcs(float /*frs1*/);
+!
+	.inline vis_fsrcs,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fsrc1s	%f4,%f0
+	.end
+!
+! double vis_fornot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fornot,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fornot1	%f4,%f10,%f0
+	.end
+!
+! float vis_fornots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fornots,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fornot1s	%f4,%f10,%f0
+	.end
+!
+! double vis_for(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_for,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	for	%f4,%f10,%f0
+	.end
+!
+! float vis_fors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fors	%f4,%f10,%f0
+	.end
+!
+! double vis_fzero(/* void */)
+!
+	.inline	vis_fzero,0
+	fzero	%f0
+	.end
+!
+! float vis_fzeros(/* void */)
+!
+	.inline	vis_fzeros,0
+	fzeros	%f0
+	.end
+!
+! double vis_fone(/* void */)
+!
+	.inline	vis_fone,0
+	fone	%f0
+	.end
+!
+! float vis_fones(/* void */)
+!
+	.inline	vis_fones,0
+	fones	%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partial store instructions
+!
+! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8PL,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc8	! ASI_PST8_PL
+	.end
+!
+! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
+!
+	.inline vis_stdfa_ASI_PST8P_int_pair,16
+        ld	[%o0],%f4
+        ld	[%o1],%f5
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc1	! ASI_PST8_S
+	.end
+!
+! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc2	! ASI_PST16_P
+	.end
+!
+! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc3	! ASI_PST16_S
+	.end
+!
+! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc4	! ASI_PST32_P
+	.end
+!
+! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc5	! ASI_PST32_S
+	.end
+
+!--------------------------------------------------------------------
+! Short store instructions
+!
+! vis_stdfa_ASI_FL8P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd0	! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL8P_index,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+%o3]0xd0 ! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8S,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd1	! ASI_FL8_S
+	.end
+!
+! vis_stdfa_ASI_FL16P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd2	! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL16P_index,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+%o3]0xd2 ! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16S,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd3	! ASI_FL16_S
+	.end
+!
+! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd8	! ASI_FL8_PL
+	.end
+!
+! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8SL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd9	! ASI_FL8_SL
+	.end
+!
+! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xda	! ASI_FL16_PL
+	.end
+!
+! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16SL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xdb	! ASI_FL16_SL
+	.end
+
+!--------------------------------------------------------------------
+! Short load instructions
+!
+! double vis_lddfa_ASI_FL8P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8P,4
+	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8P_index,8
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_hi,8
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_lo,8
+	sll     %o1,16,%o1
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8S,4
+	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16P,4
+	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16P_index,8
+	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16S,4
+	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8PL,4
+	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8PL_index,8
+	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8SL,4
+	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16PL,4
+	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16PL_index,8
+	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16SL,4
+	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
+	fmovd	%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Graphics status register
+!
+! unsigned int vis_read_gsr(void)
+!
+	.inline vis_read_gsr,0
+	rd	%gsr,%o0
+	.end
+!
+! void vis_write_gsr(unsigned int /* GSR */)
+!
+	.inline vis_write_gsr,4
+	wr	%g0,%o0,%gsr
+	.end
+
+!--------------------------------------------------------------------
+! Voxel texture mapping
+!
+! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
+!
+	.inline	vis_array8,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array8	%o3,%o2,%o0
+	.end
+!
+! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array16,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array16	%o3,%o2,%o0
+	.end
+!
+! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array32,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array32	%o3,%o2,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Register aliasing and type casts
+!
+! float vis_read_hi(double /* frs1 */);
+!
+	.inline vis_read_hi,8
+	std	%o0,[%sp+0x48]	! store double frs1
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1; return %f0;
+	.end
+!
+! float vis_read_lo(double /* frs1 */);
+!
+	.inline vis_read_lo,8
+	std	%o0,[%sp+0x48]	! store double frs1
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
+	.end
+!
+! double vis_write_hi(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_hi,12
+	std	%o0,[%sp+0x48]	! store double frs1;
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	st	%o2,[%sp+0x44]	! store float frs2;
+	ld	[%sp+0x44],%f2	! %f2 = float frs2;
+	fmovs	%f2,%f0		! %f0 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_write_lo(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_lo,12
+	std	%o0,[%sp+0x48]	! store double frs1;
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	st	%o2,[%sp+0x44]	! store float frs2;
+	ld	[%sp+0x44],%f2	! %f2 = float frs2;
+	fmovs	%f2,%f1		! %f1 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
+!
+	.inline vis_freg_pair,8
+	st	%o0,[%sp+0x48]	! store float frs1
+	ld	[%sp+0x48],%f0
+	st	%o1,[%sp+0x48]	! store float frs2
+	ld	[%sp+0x48],%f1
+	.end
+!
+! float vis_to_float(unsigned int /*value*/);
+!
+	.inline vis_to_float,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f0
+	.end
+!
+! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+!
+	.inline vis_to_double,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	.end
+!
+! double vis_to_double_dup(unsigned int /*value*/);
+!
+	.inline vis_to_double_dup,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f1
+	fmovs	%f1,%f0		! duplicate value
+	.end
+!
+! double vis_ll_to_double(unsigned long long /*value*/);
+!
+	.inline vis_ll_to_double,8
+	std     %o0,[%sp+0x48]
+	ldd     [%sp+0x48],%f0
+	.end
+
+!--------------------------------------------------------------------
+! Address space identifier (ASI) register
+!
+! unsigned int vis_read_asi(void)
+!
+	.inline vis_read_asi,0
+	rd	%asi,%o0
+	.end
+!
+! void vis_write_asi(unsigned int /* ASI */)
+!
+	.inline vis_write_asi,4
+	wr	%g0,%o0,%asi
+	.end
+
+!--------------------------------------------------------------------
+! Load/store from/into alternate space
+!
+! float vis_ldfa_ASI_REG(void *rs1)
+!
+	.inline vis_ldfa_ASI_REG,4
+	lda	[%o0+0]%asi,%f4
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_P(void *rs1)
+!
+	.inline vis_ldfa_ASI_P,4
+	lda	[%o0]0x80,%f4	! ASI_P
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_PL(void *rs1)
+!
+	.inline vis_ldfa_ASI_PL,4
+	lda	[%o0]0x88,%f4	! ASI_PL
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_REG(void *rs1)
+!
+	.inline vis_lddfa_ASI_REG,4
+	ldda	[%o0+0]%asi,%f4
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_P(void *rs1)
+!
+	.inline vis_lddfa_ASI_P,4
+	ldda	[%o0]0x80,%f4	! ASI_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_PL,4
+	ldda	[%o0]0x88,%f4	! ASI_PL
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! vis_stfa_ASI_REG(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_REG,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1+0]%asi
+	.end
+!
+! vis_stfa_ASI_P(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_P,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stfa_ASI_PL(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_PL,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1]0x88	! ASI_PL
+	.end
+!
+! vis_stdfa_ASI_REG(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_REG,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+0]%asi
+	.end
+!
+! vis_stdfa_ASI_P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0x80	! ASI_P
+	.end
+!
+! vis_stdfa_ASI_PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0x88	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_REG(void *rs1)
+!
+	.inline vis_lduha_ASI_REG,4
+	lduha	[%o0+0]%asi,%o0
+	.end
+!
+! unsigned short vis_lduha_ASI_P(void *rs1)
+!
+	.inline vis_lduha_ASI_P,4
+	lduha	[%o0]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL(void *rs1)
+!
+	.inline vis_lduha_ASI_PL,4
+	lduha	[%o0]0x88,%o0	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_P_index,8
+	lduha	[%o0+%o1]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_PL_index,8
+	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
+	.end
+
+!--------------------------------------------------------------------
+! Prefetch
+!
+! void vis_prefetch_read(void * /*address*/);
+!
+	.inline vis_prefetch_read,4
+	prefetch	[%o0+0],0
+	.end
+!
+! void vis_prefetch_write(void * /*address*/);
+!
+	.inline vis_prefetch_write,4
+	prefetch	[%o0+0],2
+	.end
diff --git a/security/nss/lib/freebl/mpi/vis_64.il b/security/nss/lib/freebl/mpi/vis_64.il
new file mode 100644
index 000000000..1ad8207fa
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_64.il
@@ -0,0 +1,1030 @@
+! 
+! ***** BEGIN LICENSE BLOCK *****
+! Version: MPL 1.1/GPL 2.0/LGPL 2.1
+!
+! The contents of this file are subject to the Mozilla Public License Version
+! 1.1 (the "License"); you may not use this file except in compliance with
+! the License. You may obtain a copy of the License at
+! http://www.mozilla.org/MPL/
+!
+! Software distributed under the License is distributed on an "AS IS" basis,
+! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+! for the specific language governing rights and limitations under the
+! License.
+!
+! The Original Code is vis inline macros (64 bit).  (vis_64.il 3.4).
+!
+! The Initial Developer of the Original Code is
+! Sun Microsystems Inc.
+! Portions created by the Initial Developer are Copyright (C) 1998-2000
+! the Initial Developer. All Rights Reserved.
+!
+! Contributor(s):
+!
+! Alternatively, the contents of this file may be used under the terms of
+! either the GNU General Public License Version 2 or later (the "GPL"), or
+! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+! in which case the provisions of the GPL or the LGPL are applicable instead
+! of those above. If you wish to allow use of your version of this file only
+! under the terms of either the GPL or the LGPL, and not to allow others to
+! use your version of this file under the terms of the MPL, indicate your
+! decision by deleting the provisions above and replace them with the notice
+! and other provisions required by the GPL or the LGPL. If you do not delete
+! the provisions above, a recipient may use your version of this file under
+! the terms of any one of the MPL, the GPL or the LGPL.
+!
+! ***** END LICENSE BLOCK *****
+! $Id$
+
+! This file is to be used in place of vis.il in 64-bit builds.
+
+!--------------------------------------------------------------------
+! Pure edge handling instructions
+!
+! int vis_edge8(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8,16
+	edge8	%o0,%o1,%o0
+	.end
+!
+! int vis_edge8l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8l,16
+	edge8l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16,16
+	edge16	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16l,16
+	edge16l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32,16
+	edge32	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32l,16
+	edge32l	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Edge handling instructions with negative return values if cc set
+!
+! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8cc,16
+	edge8	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8lcc,16
+	edge8l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16cc,16
+	edge16	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16lcc,16
+	edge16l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32cc,16
+	edge32	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32lcc,16
+	edge32l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Alignment instructions
+!
+! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddr,12
+	alignaddr	%o0,%o1,%o0
+	.end
+!
+! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddrl,12
+	alignaddrl	%o0,%o1,%o0
+	.end
+!
+! double vis_faligndata(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_faligndata,16
+	faligndata	%f0,%f2,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned comparison instructions
+!
+! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple16,16
+	fcmple16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne16,16
+	fcmpne16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple32,16
+	fcmple32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne32,16
+	fcmpne32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt16,16
+	fcmpgt16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq16,16
+	fcmpeq16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt32,16
+	fcmpgt32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq32,16
+	fcmpeq32	%f0,%f2,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned arithmetic
+!
+! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16,12
+	fmul8x16	%f1,%f2,%f0
+	.end
+!
+! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16_dummy,16
+	fmul8x16	%f1,%f4,%f0
+	.end
+!
+! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16au,8
+	fmul8x16au	%f1,%f3,%f0
+	.end
+!
+! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16al,8
+	fmul8x16al	%f1,%f3,%f0
+	.end
+!
+! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8sux16,16
+	fmul8sux16	%f0,%f2,%f0
+	.end
+!
+! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8ulx16,16
+	fmul8ulx16	%f0,%f2,%f0
+	.end
+!
+! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8sux16,8
+	fmuld8sux16	%f1,%f3,%f0
+	.end
+!
+! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8ulx16,8
+	fmuld8ulx16	%f1,%f3,%f0
+	.end
+!
+! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd16,16
+	fpadd16	%f0,%f2,%f0
+	.end
+!
+! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd16s,8
+	fpadd16s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd32,16
+	fpadd32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd32s,8
+	fpadd32s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub16,16
+	fpsub16	%f0,%f2,%f0
+	.end
+!
+! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub16s,8
+	fpsub16s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub32,16
+	fpsub32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub32s,8
+	fpsub32s	%f1,%f3,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel packing
+!
+! float vis_fpack16(double /*frs2*/);
+!
+	.inline vis_fpack16,8
+	fpack16	%f0,%f0
+	.end
+!
+! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpack16_pair,16
+	fpack16	%f0,%f0
+	fpack16	%f2,%f1
+	.end
+!
+! void vis_st2_fpack16(double, double, double *)
+!
+	.inline vis_st2_fpack16,24
+ 	fpack16	%f0,%f0
+ 	fpack16	%f2,%f1
+ 	st	%f0,[%o2+0]
+ 	st	%f1,[%o2+4]
+ 	.end
+!
+! void vis_std_fpack16(double, double, double *)
+!
+	.inline vis_std_fpack16,24
+	fpack16	%f0,%f0
+	fpack16	%f2,%f1
+	std	%f0,[%o2]
+	.end
+!
+! void vis_st2_fpackfix(double, double, double *)
+!
+	.inline vis_st2_fpackfix,24
+ 	fpackfix %f0,%f0
+ 	fpackfix %f2,%f1
+ 	st	%f0,[%o2+0]
+ 	st	%f1,[%o2+4]
+ 	.end
+!
+! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_hi,16
+	fpack16	%f2,%f0
+	.end
+
+! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_lo,16
+	fpack16	%f2,%f3
+	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
+	.end
+
+!
+! double vis_fpack32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack32,16
+	fpack32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpackfix(double /*frs2*/);
+!
+	.inline vis_fpackfix,8
+	fpackfix	%f0,%f0
+	.end
+!
+! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpackfix_pair,16
+	fpackfix	%f0,%f0
+	fpackfix	%f2,%f1
+	.end
+
+!--------------------------------------------------------------------
+! Motion estimation
+!
+! double vis_pxldist64(double accum /*frd*/, double pxls1 /*frs1*/, 
+!		       double pxls2 /*frs2*/);
+!
+	.inline vis_pxldist64,24
+	pdist	%f2,%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Channel merging
+!
+! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpmerge,8
+	fpmerge	%f1,%f3,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel expansion
+!
+! double vis_fexpand(float /*frs2*/);
+!
+	.inline vis_fexpand,4
+	fexpand	%f1,%f0
+	.end
+
+! double vis_fexpand_hi(double /*frs2*/);
+!
+	.inline vis_fexpand_hi,8
+	fexpand	%f0,%f0
+	.end
+
+! double vis_fexpand_lo(double /*frs2*/);
+!
+	.inline vis_fexpand_lo,8
+	fexpand	%f1,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Bitwise logical operations
+!
+! double vis_fnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnor,16
+	fnor	%f0,%f2,%f0
+	.end
+!
+! float vis_fnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnors,8
+	fnors	%f1,%f3,%f0
+	.end
+!
+! double vis_fandnot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fandnot,16
+	fandnot1 %f0,%f2,%f0
+	.end
+!
+! float vis_fandnots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fandnots,8
+	fandnot1s %f1,%f3,%f0
+	.end
+!
+! double vis_fnot(double /*frs1*/);
+!
+	.inline vis_fnot,8
+	fnot1	%f0,%f0
+	.end
+!
+! float vis_fnots(float /*frs1*/);
+!
+	.inline vis_fnots,4
+	fnot1s	%f1,%f0
+	.end
+!
+! double vis_fxor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxor,16
+	fxor	%f0,%f2,%f0
+	.end
+!
+! float vis_fxors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxors,8
+	fxors	%f1,%f3,%f0
+	.end
+!
+! double vis_fnand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnand,16
+	fnand	%f0,%f2,%f0
+	.end
+!
+! float vis_fnands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnands,8
+	fnands	%f1,%f3,%f0
+	.end
+!
+! double vis_fand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fand,16
+	fand	%f0,%f2,%f0
+	.end
+!
+! float vis_fands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fands,8
+	fands	%f1,%f3,%f0
+	.end
+!
+! double vis_fxnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxnor,16
+	fxnor	%f0,%f2,%f0
+	.end
+!
+! float vis_fxnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxnors,8
+	fxnors	%f1,%f3,%f0
+	.end
+!
+! double vis_fsrc(double /*frs1*/);
+!
+	.inline vis_fsrc,8
+	fsrc1	%f0,%f0
+	.end
+!
+! float vis_fsrcs(float /*frs1*/);
+!
+	.inline vis_fsrcs,4
+	fsrc1s	%f1,%f0
+	.end
+!
+! double vis_fornot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fornot,16
+	fornot1	%f0,%f2,%f0
+	.end
+!
+! float vis_fornots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fornots,8
+	fornot1s %f1,%f3,%f0
+	.end
+!
+! double vis_for(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_for,16
+	for	%f0,%f2,%f0
+	.end
+!
+! float vis_fors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fors,8
+	fors	%f1,%f3,%f0
+	.end
+!
+! double vis_fzero(/* void */)
+!
+	.inline	vis_fzero,0
+	fzero	%f0
+	.end
+!
+! float vis_fzeros(/* void */)
+!
+	.inline	vis_fzeros,0
+	fzeros	%f0
+	.end
+!
+! double vis_fone(/* void */)
+!
+	.inline	vis_fone,0
+	fone	%f0
+	.end
+!
+! float vis_fones(/* void */)
+!
+	.inline	vis_fones,0
+	fones	%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partial store instructions
+!
+! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8P,20
+	stda	%f0,[%o1]%o2,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8PL,20
+	stda	%f0,[%o1]%o2,0xc8	! ASI_PST8_PL
+	.end
+!
+! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
+!
+	.inline vis_stdfa_ASI_PST8P_int_pair,28
+        ld	[%o0],%f4
+        ld	[%o1],%f5
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8S,20
+	stda	%f0,[%o1]%o2,0xc1	! ASI_PST8_S
+	.end
+!
+! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16P,20
+	stda	%f0,[%o1]%o2,0xc2	! ASI_PST16_P
+	.end
+!
+! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16S,20
+	stda	%f0,[%o1]%o2,0xc3	! ASI_PST16_S
+	.end
+!
+! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32P,20
+	stda	%f0,[%o1]%o2,0xc4	! ASI_PST32_P
+	.end
+!
+! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32S,20
+	stda	%f0,[%o1]%o2,0xc5	! ASI_PST32_S
+	.end
+
+!--------------------------------------------------------------------
+! Short store instructions
+!
+! vis_stdfa_ASI_FL8P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8P,16
+	stda	%f0,[%o1]0xd0	! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL8P_index,24
+	stda	%f0,[%o1+%o2]0xd0 ! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8S,16
+	stda	%f0,[%o1]0xd1	! ASI_FL8_S
+	.end
+!
+! vis_stdfa_ASI_FL16P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16P,16
+	stda	%f0,[%o1]0xd2	! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL16P_index,24
+	stda	%f0,[%o1+%o2]0xd2 ! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16S,16
+	stda	%f0,[%o1]0xd3	! ASI_FL16_S
+	.end
+!
+! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8PL,16
+	stda	%f0,[%o1]0xd8	! ASI_FL8_PL
+	.end
+!
+! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8SL,16
+	stda	%f0,[%o1]0xd9	! ASI_FL8_SL
+	.end
+!
+! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16PL,16
+	stda	%f0,[%o1]0xda	! ASI_FL16_PL
+	.end
+!
+! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16SL,16
+	stda	%f0,[%o1]0xdb	! ASI_FL16_SL
+	.end
+
+!--------------------------------------------------------------------
+! Short load instructions
+!
+! double vis_lddfa_ASI_FL8P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8P,8
+	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8P_index,16
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_hi,12
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_lo,12
+	sll     %o1,16,%o1
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8S,8
+	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16P,8
+	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16P_index,16
+	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16S,8
+	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8PL,8
+	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8PL_index,16
+	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8SL,8
+	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16PL,8
+	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16PL_index,16
+	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16SL,8
+	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
+	fmovd	%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Graphics status register
+!
+! unsigned int vis_read_gsr(void)
+!
+	.inline vis_read_gsr,0
+	rd	%gsr,%o0
+	.end
+!
+! void vis_write_gsr(unsigned int /* GSR */)
+!
+	.inline vis_write_gsr,4
+	wr	%g0,%o0,%gsr
+	.end
+
+!--------------------------------------------------------------------
+! Voxel texture mapping
+!
+! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
+!
+	.inline	vis_array8,12
+	array8	%o0,%o1,%o0
+	.end
+!
+! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array16,12
+	array16	%o0,%o1,%o0
+	.end
+!
+! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array32,12
+	array32	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Register aliasing and type casts
+!
+! float vis_read_hi(double /* frs1 */);
+!
+	.inline vis_read_hi,8
+	fmovs	%f0,%f0
+	.end
+!
+! float vis_read_lo(double /* frs1 */);
+!
+	.inline vis_read_lo,8
+	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
+	.end
+!
+! double vis_write_hi(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_hi,12
+	fmovs	%f3,%f0		! %f3 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_write_lo(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_lo,12
+	fmovs	%f3,%f1		! %f3 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
+!
+	.inline vis_freg_pair,8
+	fmovs	%f1,%f0		! %f1 = float frs1; put in hi;
+	fmovs	%f3,%f1		! %f3 = float frs2; put in lo; return %f0:f1;
+	.end
+!
+! float vis_to_float(unsigned int /*value*/);
+!
+	.inline vis_to_float,4
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f0
+	.end
+!
+! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+!
+	.inline vis_to_double,8
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f0
+	st	%o1,[%sp+2183]
+	ld	[%sp+2183],%f1
+	.end
+!
+! double vis_to_double_dup(unsigned int /*value*/);
+!
+	.inline vis_to_double_dup,4
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f1
+	fmovs	%f1,%f0		! duplicate value
+	.end
+!
+! double vis_ll_to_double(unsigned long long /*value*/);
+!
+	.inline vis_ll_to_double,8
+	stx     %o0,[%sp+2183]
+	ldd     [%sp+2183],%f0
+        .end
+
+!--------------------------------------------------------------------
+! Address space identifier (ASI) register
+!
+! unsigned int vis_read_asi(void)
+!
+	.inline vis_read_asi,0
+	rd	%asi,%o0
+	.end
+!
+! void vis_write_asi(unsigned int /* ASI */)
+!
+	.inline vis_write_asi,4
+	wr	%g0,%o0,%asi
+	.end
+
+!--------------------------------------------------------------------
+! Load/store from/into alternate space
+!
+! float vis_ldfa_ASI_REG(void *rs1)
+!
+	.inline vis_ldfa_ASI_REG,8
+	lda	[%o0+0]%asi,%f4
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_P(void *rs1)
+!
+	.inline vis_ldfa_ASI_P,8
+	lda	[%o0]0x80,%f4	! ASI_P
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_PL(void *rs1)
+!
+	.inline vis_ldfa_ASI_PL,8
+	lda	[%o0]0x88,%f4	! ASI_PL
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_REG(void *rs1)
+!
+	.inline vis_lddfa_ASI_REG,8
+	ldda	[%o0+0]%asi,%f4
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_P(void *rs1)
+!
+	.inline vis_lddfa_ASI_P,8
+	ldda	[%o0]0x80,%f4	! ASI_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_PL,8
+	ldda	[%o0]0x88,%f4	! ASI_PL
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! vis_stfa_ASI_REG(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_REG,12
+	sta	%f1,[%o1+0]%asi
+	.end
+!
+! vis_stfa_ASI_P(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_P,12
+	sta	%f1,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stfa_ASI_PL(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_PL,12
+	sta	%f1,[%o1]0x88	! ASI_PL
+	.end
+!
+! vis_stdfa_ASI_REG(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_REG,16
+	stda	%f0,[%o1+0]%asi
+	.end
+!
+! vis_stdfa_ASI_P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_P,16
+	stda	%f0,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stdfa_ASI_PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_PL,16
+	stda	%f0,[%o1]0x88	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_REG(void *rs1)
+!
+	.inline vis_lduha_ASI_REG,8
+	lduha	[%o0+0]%asi,%o0
+	.end
+!
+! unsigned short vis_lduha_ASI_P(void *rs1)
+!
+	.inline vis_lduha_ASI_P,8
+	lduha	[%o0]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL(void *rs1)
+!
+	.inline vis_lduha_ASI_PL,8
+	lduha	[%o0]0x88,%o0	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_P_index,16
+	lduha	[%o0+%o1]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_PL_index,16
+	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
+	.end
+
+!--------------------------------------------------------------------
+! Prefetch
+!
+! void vis_prefetch_read(void * /*address*/);
+!
+	.inline vis_prefetch_read,8
+	prefetch	[%o0+0],0
+	.end
+!
+! void vis_prefetch_write(void * /*address*/);
+!
+	.inline vis_prefetch_write,8
+	prefetch	[%o0+0],2
+	.end
diff --git a/security/nss/lib/freebl/mpi/vis_proto.h b/security/nss/lib/freebl/mpi/vis_proto.h
new file mode 100644
index 000000000..2790fedd0
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_proto.h
@@ -0,0 +1,267 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is prototypes for vis.il  (vis_proto.h 1.3).
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1995
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/*
+ * Prototypes for the inline templates in vis.il
+ */
+
+#ifndef VIS_PROTO_H
+#define VIS_PROTO_H
+
+#pragma ident	"@(#)vis_proto.h	1.3	97/03/30 SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* Pure edge handling instructions */
+int vis_edge8(void * /*frs1*/, void * /*frs2*/);
+int vis_edge8l(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16l(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32l(void * /*frs1*/, void * /*frs2*/);
+
+/* Edge handling instructions with negative return values if cc set. */
+int vis_edge8cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge8lcc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16lcc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32lcc(void * /*frs1*/, void * /*frs2*/);
+
+/* Alignment instructions. */
+void *vis_alignaddr(void * /*rs1*/, int /*rs2*/);
+void *vis_alignaddrl(void * /*rs1*/, int /*rs2*/);
+double vis_faligndata(double /*frs1*/, double /*frs2*/);
+
+/* Partitioned comparison instructions. */
+int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+
+/* Partitioned multiplication. */
+#if 0
+double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+#endif
+double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+
+/* Partitioned addition & subtraction. */
+double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+
+/* Pixel packing & clamping. */
+float vis_fpack16(double /*frs2*/);
+double vis_fpack32(double /*frs1*/, double /*frs2*/);
+float vis_fpackfix(double /*frs2*/);
+
+/* Combined pack ops. */
+double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+void vis_st2_fpack16(double, double, double *);
+void vis_std_fpack16(double, double, double *);
+void vis_st2_fpackfix(double, double, double *);
+
+double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+
+/* Motion estimation. */
+double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
+
+/* Channel merging. */
+double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+
+/* Pixel expansion. */
+double vis_fexpand(float /*frs2*/);
+double vis_fexpand_hi(double /*frs2*/);
+double vis_fexpand_lo(double /*frs2*/);
+
+/* Bitwise logical operators. */
+double vis_fnor(double /*frs1*/, double /*frs2*/);
+float vis_fnors(float /*frs1*/, float /*frs2*/);
+double vis_fandnot(double /*frs1*/, double /*frs2*/);
+float vis_fandnots(float /*frs1*/, float /*frs2*/);
+double vis_fnot(double /*frs1*/);
+float vis_fnots(float /*frs1*/);
+double vis_fxor(double /*frs1*/, double /*frs2*/);
+float vis_fxors(float /*frs1*/, float /*frs2*/);
+double vis_fnand(double /*frs1*/, double /*frs2*/);
+float vis_fnands(float /*frs1*/, float /*frs2*/);
+double vis_fand(double /*frs1*/, double /*frs2*/);
+float vis_fands(float /*frs1*/, float /*frs2*/);
+double vis_fxnor(double /*frs1*/, double /*frs2*/);
+float vis_fxnors(float /*frs1*/, float /*frs2*/);
+double vis_fsrc(double /*frs1*/);
+float vis_fsrcs(float /*frs1*/);
+double vis_fornot(double /*frs1*/, double /*frs2*/);
+float vis_fornots(float /*frs1*/, float /*frs2*/);
+double vis_for(double /*frs1*/, double /*frs2*/);
+float vis_fors(float /*frs1*/, float /*frs2*/);
+double vis_fzero(void);
+float vis_fzeros(void);
+double vis_fone(void);
+float vis_fones(void);
+
+/* Partial stores. */
+void vis_stdfa_ASI_PST8P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8PL(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8P_int_pair(void * /*rs1*/, void * /*rs2*/,
+                                  void * /*rs3*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST16P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST16S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST32P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST32S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+
+/* Byte & short stores. */
+void vis_stdfa_ASI_FL8P(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
+void vis_stdfa_ASI_FL8S(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16P(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
+void vis_stdfa_ASI_FL16S(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8PL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8SL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16PL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16SL(double /*frd*/, void * /*rs1*/);
+
+/* Byte & short loads. */
+double vis_lddfa_ASI_FL8P(void * /*rs1*/);
+double vis_lddfa_ASI_FL8P_index(void * /*rs1*/, long /*index*/);
+double vis_lddfa_ASI_FL8P_hi(void * /*rs1*/, unsigned int /*index*/);
+double vis_lddfa_ASI_FL8P_lo(void * /*rs1*/, unsigned int /*index*/);
+double vis_lddfa_ASI_FL8S(void * /*rs1*/);
+double vis_lddfa_ASI_FL16P(void * /*rs1*/);
+double vis_lddfa_ASI_FL16P_index(void * /*rs1*/, long /*index*/);
+double vis_lddfa_ASI_FL16S(void * /*rs1*/);
+double vis_lddfa_ASI_FL8PL(void * /*rs1*/);
+double vis_lddfa_ASI_FL8SL(void * /*rs1*/);
+double vis_lddfa_ASI_FL16PL(void * /*rs1*/);
+double vis_lddfa_ASI_FL16SL(void * /*rs1*/);
+
+/* Direct write to GSR, read from GSR */
+void vis_write_gsr(unsigned int /*GSR*/);
+unsigned int vis_read_gsr(void);
+
+/* Voxel texture mapping. */
+#if !defined(_NO_LONGLONG)
+unsigned long vis_array8(unsigned long long /*rs1*/, int /*rs2*/);
+unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/);
+unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/);
+#endif /* !defined(_NO_LONGLONG) */
+
+/* Register aliasing and type casts. */
+float vis_read_hi(double /*frs1*/);
+float vis_read_lo(double /*frs1*/);
+double vis_write_hi(double /*frs1*/, float /*frs2*/);
+double vis_write_lo(double /*frs1*/, float /*frs2*/);
+double vis_freg_pair(float /*frs1*/, float /*frs2*/);
+float vis_to_float(unsigned int /*value*/);
+double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+double vis_to_double_dup(unsigned int /*value*/);
+#if !defined(_NO_LONGLONG)
+double vis_ll_to_double(unsigned long long /*value*/);
+#endif /* !defined(_NO_LONGLONG) */
+
+/* Miscellany (no inlines) */
+void vis_error(char * /*fmt*/, int /*a0*/);
+void vis_sim_init(void);
+
+/* For better performance */
+#define vis_fmul8x16(farg,darg) vis_fmul8x16_dummy((farg),0,(darg))
+
+/* Nicknames for explicit ASI loads and stores. */
+#define vis_st_u8      vis_stdfa_ASI_FL8P
+#define vis_st_u8_i    vis_stdfa_ASI_FL8P_index
+#define vis_st_u8_le   vis_stdfa_ASI_FL8PL
+#define vis_st_u16     vis_stdfa_ASI_FL16P
+#define vis_st_u16_i   vis_stdfa_ASI_FL16P_index
+#define vis_st_u16_le  vis_stdfa_ASI_FL16PL
+
+#define vis_ld_u8      vis_lddfa_ASI_FL8P
+#define vis_ld_u8_i    vis_lddfa_ASI_FL8P_index
+#define vis_ld_u8_le   vis_lddfa_ASI_FL8PL
+#define vis_ld_u16     vis_lddfa_ASI_FL16P
+#define vis_ld_u16_i   vis_lddfa_ASI_FL16P_index
+#define vis_ld_u16_le  vis_lddfa_ASI_FL16PL
+
+#define vis_pst_8      vis_stdfa_ASI_PST8P
+#define vis_pst_16     vis_stdfa_ASI_PST16P
+#define vis_pst_32     vis_stdfa_ASI_PST32P
+
+#define vis_st_u8s     vis_stdfa_ASI_FL8S
+#define vis_st_u8s_le  vis_stdfa_ASI_FL8SL
+#define vis_st_u16s    vis_stdfa_ASI_FL16S
+#define vis_st_u16s_le vis_stdfa_ASI_FL16SL
+
+#define vis_ld_u8s     vis_lddfa_ASI_FL8S
+#define vis_ld_u8s_le  vis_lddfa_ASI_FL8SL
+#define vis_ld_u16s    vis_lddfa_ASI_FL16S
+#define vis_ld_u16s_le vis_lddfa_ASI_FL16SL
+
+#define vis_pst_8s     vis_stdfa_ASI_PST8S
+#define vis_pst_16s    vis_stdfa_ASI_PST16S
+#define vis_pst_32s    vis_stdfa_ASI_PST32S
+
+/* "<" and ">=" may be implemented in terms of ">" and "<=". */
+#define vis_fcmplt16(a,b) vis_fcmpgt16((b),(a))
+#define vis_fcmplt32(a,b) vis_fcmpgt32((b),(a))
+#define vis_fcmpge16(a,b) vis_fcmple16((b),(a))
+#define vis_fcmpge32(a,b) vis_fcmple32((b),(a))
+
+#ifdef __cplusplus
+} // End of extern "C"
+#endif /* __cplusplus */
+
+#endif /* VIS_PROTO_H */
diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c
new file mode 100644
index 000000000..b7bc413f7
--- /dev/null
+++ b/security/nss/lib/freebl/os2_rand.c
@@ -0,0 +1,340 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#define INCL_DOS
+#define INCL_DOSERRORS
+#include <os2.h>
+#include "secrng.h"
+#include "prerror.h"
+#include <stdlib.h>
+#include <time.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+static BOOL clockTickTime(unsigned long *phigh, unsigned long *plow)
+{
+    APIRET rc = NO_ERROR;
+    QWORD qword = {0,0};
+
+    rc = DosTmrQueryTime(&qword);
+    if (rc != NO_ERROR)
+       return FALSE;
+
+    *phigh = qword.ulHi;
+    *plow  = qword.ulLo;
+
+    return TRUE;
+}
+
+size_t RNG_GetNoise(void *buf, size_t maxbuf)
+{
+    unsigned long high = 0;
+    unsigned long low  = 0;
+    clock_t val = 0;
+    int n = 0;
+    int nBytes = 0;
+    time_t sTime;
+
+    if (maxbuf <= 0)
+       return 0;
+
+    clockTickTime(&high, &low);
+
+    /* get the maximally changing bits first */
+    nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low);
+    memcpy(buf, &low, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high);
+    memcpy(((char *)buf) + n, &high, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    /* get the number of milliseconds that have elapsed since application started */
+    val = clock();
+
+    nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val);
+    memcpy(((char *)buf) + n, &val, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    /* get the time in seconds since midnight Jan 1, 1970 */
+    time(&sTime);
+    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
+    memcpy(((char *)buf) + n, &sTime, nBytes);
+    n += nBytes;
+
+    return n;
+}
+
+static BOOL
+EnumSystemFiles(void (*func)(const char *))
+{
+    APIRET              rc;
+    ULONG               sysInfo = 0;
+    char                bootLetter[2];
+    char                sysDir[_MAX_PATH] = "";
+    char                filename[_MAX_PATH];
+    HDIR                hdir = HDIR_CREATE;
+    ULONG               numFiles = 1;
+    FILEFINDBUF3        fileBuf = {0};
+    ULONG               buflen = sizeof(FILEFINDBUF3);
+
+    if (DosQuerySysInfo(QSV_BOOT_DRIVE, QSV_BOOT_DRIVE, (PVOID)&sysInfo,
+                        sizeof(ULONG)) == NO_ERROR)
+    {
+      bootLetter[0] = sysInfo + 'A' -1;
+      bootLetter[1] = '\0';
+      strcpy(sysDir, bootLetter);
+      strcpy(sysDir+1, ":\\OS2\\");
+
+      strcpy( filename, sysDir );
+      strcat( filename, "*.*" );
+    }
+
+    rc =DosFindFirst( filename, &hdir, FILE_NORMAL, &fileBuf, buflen,
+                      &numFiles, FIL_STANDARD );
+    if( rc == NO_ERROR )
+    {
+      do {
+        // pass the full pathname to the callback
+        sprintf( filename, "%s%s", sysDir, fileBuf.achName );
+        (*func)(filename);
+
+        numFiles = 1;
+        rc = DosFindNext( hdir, &fileBuf, buflen, &numFiles );
+        if( rc != NO_ERROR && rc != ERROR_NO_MORE_FILES )
+          printf( "DosFindNext errod code = %d\n", rc );
+      } while ( rc == NO_ERROR );
+
+      rc = DosFindClose(hdir);
+      if( rc != NO_ERROR )
+        printf( "DosFindClose error code = %d", rc );
+    }
+    else
+      printf( "DosFindFirst error code = %d", rc );
+
+    return TRUE;
+}
+
+static int    dwNumFiles, dwReadEvery;
+
+static void
+CountFiles(const char *file)
+{
+    dwNumFiles++;
+}
+
+static void
+ReadFiles(const char *file)
+{
+    if ((dwNumFiles % dwReadEvery) == 0)
+        RNG_FileForRNG(file);
+
+    dwNumFiles++;
+}
+
+static void
+ReadSystemFiles(void)
+{
+    // first count the number of files
+    dwNumFiles = 0;
+    if (!EnumSystemFiles(CountFiles))
+        return;
+
+    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
+
+    // now read 10 files
+    if (dwNumFiles == 0)
+        return;
+
+    dwReadEvery = dwNumFiles / 10;
+    if (dwReadEvery == 0)
+        dwReadEvery = 1;  // less than 10 files
+
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadFiles);
+}
+
+void RNG_SystemInfoForRNG(void)
+{
+   unsigned long *plong = 0;
+   PTIB ptib;
+   PPIB ppib;
+   APIRET rc = NO_ERROR;
+   DATETIME dt;
+   COUNTRYCODE cc = {0};
+   COUNTRYINFO ci = {0};
+   unsigned long actual = 0;
+   char path[_MAX_PATH]="";
+   char fullpath[_MAX_PATH]="";
+   unsigned long pathlength = sizeof(path);
+   FSALLOCATE fsallocate;
+   FILESTATUS3 fstatus;
+   unsigned long defaultdrive = 0;
+   unsigned long logicaldrives = 0;
+   unsigned long sysInfo[QSV_MAX] = {0};
+   char buffer[20];
+   int nBytes = 0;
+
+   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+   RNG_RandomUpdate(buffer, nBytes);
+   
+   /* allocate memory and use address and memory */
+   plong = (unsigned long *)malloc(sizeof(*plong));
+   RNG_RandomUpdate(&plong, sizeof(plong));
+   RNG_RandomUpdate(plong, sizeof(*plong));
+   free(plong);
+
+   /* process info */
+   rc = DosGetInfoBlocks(&ptib, &ppib);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(ptib, sizeof(*ptib));
+      RNG_RandomUpdate(ppib, sizeof(*ppib));
+   }
+
+   /* time */
+   rc = DosGetDateTime(&dt);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&dt, sizeof(dt));
+   }
+
+   /* country */
+   rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&cc, sizeof(cc));
+      RNG_RandomUpdate(&ci, sizeof(ci));
+      RNG_RandomUpdate(&actual, sizeof(actual));
+   }
+
+   /* current directory */
+   rc = DosQueryCurrentDir(0, path, &pathlength);
+   strcat(fullpath, "\\");
+   strcat(fullpath, path);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(fullpath, strlen(fullpath));
+      // path info
+      rc = DosQueryPathInfo(fullpath, FIL_STANDARD, &fstatus, sizeof(fstatus));
+      if (rc == NO_ERROR)
+      {
+         RNG_RandomUpdate(&fstatus, sizeof(fstatus));
+      }
+   }
+
+   /* file system info */
+   rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate));
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&fsallocate, sizeof(fsallocate));
+   }
+
+   /* drive info */
+   rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive));
+      RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives));
+   }
+
+   /* system info */
+   rc = DosQuerySysInfo(1L, QSV_MAX, (PVOID)&sysInfo, sizeof(ULONG)*QSV_MAX);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&sysInfo, sizeof(sysInfo));
+   }
+
+   // now let's do some files
+   ReadSystemFiles();
+
+   /* more noise */
+   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+   RNG_RandomUpdate(buffer, nBytes);
+}
+
+void RNG_FileForRNG(const char *filename)
+{
+    struct stat stat_buf;
+    unsigned char buffer[1024];
+    FILE *file = 0;
+    int nBytes = 0;
+    static int totalFileBytes = 0;
+    
+    if (stat((char *)filename, &stat_buf) < 0)
+       return;
+
+    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
+    
+    file = fopen((char *)filename, "r");
+    if (file != NULL)
+    {
+       for (;;)
+       {
+           size_t bytes = fread(buffer, 1, sizeof(buffer), file);
+
+           if (bytes == 0)
+              break;
+
+           RNG_RandomUpdate(buffer, bytes);
+           totalFileBytes += bytes;
+           if (totalFileBytes > 250000)
+              break;
+       }
+       fclose(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20); 
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+size_t RNG_SystemRNG(void *dest, size_t maxLen)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return 0;
+}
diff --git a/security/nss/lib/freebl/pqg.c b/security/nss/lib/freebl/pqg.c
new file mode 100644
index 000000000..2f45a43ce
--- /dev/null
+++ b/security/nss/lib/freebl/pqg.c
@@ -0,0 +1,714 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * PQG parameter generation/verification.  Based on FIPS 186-1.
+ *
+ * $Id$
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+#include "secitem.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include "secmpi.h"
+
+#define MAX_ITERATIONS 600  /* Maximum number of iterations of primegen */
+#define PQG_Q_PRIMALITY_TESTS 18 /* from HAC table 4.4 */
+#define PQG_P_PRIMALITY_TESTS 5  /* from HAC table 4.4 */
+
+ /* XXX to be replaced by define in blapit.h */
+#define BITS_IN_Q 160
+
+/* For FIPS-compliance testing.
+** The following array holds the seed defined in FIPS 186-1 appendix 5.
+** This seed is used to generate P and Q according to appendix 2; use of
+** this seed will exactly generate the PQG specified in appendix 2.
+*/
+#ifdef FIPS_186_1_A5_TEST
+static const unsigned char fips_186_1_a5_pqseed[] = {
+    0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8,
+    0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24,
+    0xe0, 0x42, 0x7d, 0xd3
+};
+#endif
+
+/* Get a seed for generating P and Q.  If in testing mode, copy in the
+** seed from FIPS 186-1 appendix 5.  Otherwise, obtain bytes from the
+** global random number generator.
+*/
+static SECStatus
+getPQseed(SECItem *seed, PRArenaPool* arena)
+{
+    SECStatus rv;
+
+    if (!seed->data) {
+        seed->data = (unsigned char*)PORT_ArenaZAlloc(arena, seed->len);
+    }
+    if (!seed->data) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+#ifdef FIPS_186_1_A5_TEST
+    memcpy(seed->data, fips_186_1_a5_pqseed, seed->len);
+    return SECSuccess;
+#else
+    rv = RNG_GenerateGlobalRandomBytes(seed->data, seed->len);
+    /*
+     * NIST CMVP disallows a sequence of 20 bytes with the most
+     * significant byte equal to 0.  Perhaps they interpret
+     * "a sequence of at least 160 bits" as "a number >= 2^159".
+     * So we always set the most significant bit to 1. (bug 334533)
+     */
+    seed->data[0] |= 0x80;
+    return rv;
+#endif
+}
+
+/* Generate a candidate h value.  If in testing mode, use the h value
+** specified in FIPS 186-1 appendix 5, h = 2.  Otherwise, obtain bytes
+** from the global random number generator.
+*/
+static SECStatus
+generate_h_candidate(SECItem *hit, mp_int *H)
+{
+    SECStatus rv = SECSuccess;
+    mp_err   err = MP_OKAY;
+#ifdef FIPS_186_1_A5_TEST
+    memset(hit->data, 0, hit->len);
+    hit->data[hit->len-1] = 0x02;
+#else
+    rv = RNG_GenerateGlobalRandomBytes(hit->data, hit->len);
+#endif
+    if (rv)
+	return SECFailure;
+    err = mp_read_unsigned_octets(H, hit->data, hit->len);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Compute SHA[(SEED + addend) mod 2**g]
+** Result is placed in shaOutBuf.
+** This computation is used in steps 2 and 7 of FIPS 186 Appendix 2.2 .
+*/
+static SECStatus
+addToSeedThenSHA(const SECItem * seed,
+                 unsigned long   addend,
+                 int             g,
+                 unsigned char * shaOutBuf)
+{
+    SECItem str = { 0, 0, 0 };
+    mp_int s, sum, modulus, tmp;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECSuccess;
+    MP_DIGITS(&s)       = 0;
+    MP_DIGITS(&sum)     = 0;
+    MP_DIGITS(&modulus) = 0;
+    MP_DIGITS(&tmp)     = 0;
+    CHECK_MPI_OK( mp_init(&s) );
+    CHECK_MPI_OK( mp_init(&sum) );
+    CHECK_MPI_OK( mp_init(&modulus) );
+    SECITEM_TO_MPINT(*seed, &s); /* s = seed */
+    /* seed += addend */
+    if (addend < MP_DIGIT_MAX) {
+	CHECK_MPI_OK( mp_add_d(&s, (mp_digit)addend, &s) );
+    } else {
+	CHECK_MPI_OK( mp_init(&tmp) );
+	CHECK_MPI_OK( mp_set_ulong(&tmp, addend) );
+	CHECK_MPI_OK( mp_add(&s, &tmp, &s) );
+    }
+    CHECK_MPI_OK( mp_div_2d(&s, (mp_digit)g, NULL, &sum) );/*sum = s mod 2**g */
+    MPINT_TO_SECITEM(&sum, &str, NULL);
+    rv = SHA1_HashBuf(shaOutBuf, str.data, str.len); /* SHA1 hash result */
+cleanup:
+    mp_clear(&s);
+    mp_clear(&sum);
+    mp_clear(&modulus);
+    mp_clear(&tmp);
+    if (str.data)
+	SECITEM_ZfreeItem(&str, PR_FALSE);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  Perform steps 2 and 3 of FIPS 186, appendix 2.2.
+**  Generate Q from seed.
+*/
+static SECStatus
+makeQfromSeed(
+      unsigned int  g,          /* input.  Length of seed in bits. */
+const SECItem   *   seed,       /* input.  */
+      mp_int    *   Q)          /* output. */
+{
+    unsigned char sha1[SHA1_LENGTH];
+    unsigned char sha2[SHA1_LENGTH];
+    unsigned char U[SHA1_LENGTH];
+    SECStatus rv  = SECSuccess;
+    mp_err    err = MP_OKAY;
+    int i;
+    /* ******************************************************************
+    ** Step 2.
+    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
+    **/
+    CHECK_SEC_OK( SHA1_HashBuf(sha1, seed->data, seed->len) );
+    CHECK_SEC_OK( addToSeedThenSHA(seed, 1, g, sha2) );
+    for (i=0; i<SHA1_LENGTH; ++i) 
+	U[i] = sha1[i] ^ sha2[i];
+    /* ******************************************************************
+    ** Step 3.
+    ** "Form Q from U by setting the most signficant bit (the 2**159 bit)
+    **  and the least signficant bit to 1.  In terms of boolean operations,
+    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
+    */
+    U[0]             |= 0x80;  /* U is MSB first */
+    U[SHA1_LENGTH-1] |= 0x01;
+    err = mp_read_unsigned_octets(Q, U, SHA1_LENGTH);
+cleanup:
+     memset(U, 0, SHA1_LENGTH);
+     memset(sha1, 0, SHA1_LENGTH);
+     memset(sha2, 0, SHA1_LENGTH);
+     if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+     }
+     return rv;
+}
+
+/*  Perform steps 7, 8 and 9 of FIPS 186, appendix 2.2.
+**  Generate P from Q, seed, L, and offset.
+*/
+static SECStatus
+makePfromQandSeed(
+      unsigned int  L,          /* Length of P in bits.  Per FIPS 186. */
+      unsigned int  offset,     /* Per FIPS 186, appendix 2.2. */
+      unsigned int  g,          /* input.  Length of seed in bits. */
+const SECItem   *   seed,       /* input.  */
+const mp_int    *   Q,          /* input.  */
+      mp_int    *   P)          /* output. */
+{
+    unsigned int  k;            /* Per FIPS 186, appendix 2.2. */
+    unsigned int  n;            /* Per FIPS 186, appendix 2.2. */
+    mp_digit      b;            /* Per FIPS 186, appendix 2.2. */
+    unsigned char V_k[SHA1_LENGTH];
+    mp_int        W, X, c, twoQ, V_n, tmp;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECSuccess;
+    /* Initialize bignums */
+    MP_DIGITS(&W)     = 0;
+    MP_DIGITS(&X)     = 0;
+    MP_DIGITS(&c)     = 0;
+    MP_DIGITS(&twoQ)  = 0;
+    MP_DIGITS(&V_n)   = 0;
+    MP_DIGITS(&tmp)   = 0;
+    CHECK_MPI_OK( mp_init(&W)    );
+    CHECK_MPI_OK( mp_init(&X)    );
+    CHECK_MPI_OK( mp_init(&c)    );
+    CHECK_MPI_OK( mp_init(&twoQ) );
+    CHECK_MPI_OK( mp_init(&tmp)  );
+    CHECK_MPI_OK( mp_init(&V_n)  );
+    /* L - 1 = n*160 + b */
+    n = (L - 1) / BITS_IN_Q;
+    b = (L - 1) % BITS_IN_Q;
+    /* ******************************************************************
+    ** Step 7.
+    **  "for k = 0 ... n let
+    **           V_k = SHA[(SEED + offset + k) mod 2**g]."
+    **
+    ** Step 8.
+    **  "Let W be the integer 
+    **    W = V_0 + (V_1 * 2**160) + ... + (V_n-1 * 2**((n-1)*160)) 
+    **         + ((V_n mod 2**b) * 2**(n*160))
+    */
+    for (k=0; k<n; ++k) { /* Do the first n terms of V_k */
+	/* Do step 7 for iteration k.
+	** V_k = SHA[(seed + offset + k) mod 2**g]
+	*/
+	CHECK_SEC_OK( addToSeedThenSHA(seed, offset + k, g, V_k) );
+	/* Do step 8 for iteration k.
+	** W += V_k * 2**(k*160)
+	*/
+	OCTETS_TO_MPINT(V_k, &tmp, SHA1_LENGTH);      /* get bignum V_k     */
+	CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, k*160) );   /* tmp = V_k << k*160 */
+	CHECK_MPI_OK( mp_add(&W, &tmp, &W) );         /* W += tmp           */
+    }
+    /* Step 8, continued.
+    **   [W += ((V_n mod 2**b) * 2**(n*160))] 
+    */
+    CHECK_SEC_OK( addToSeedThenSHA(seed, offset + n, g, V_k) );
+    OCTETS_TO_MPINT(V_k, &V_n, SHA1_LENGTH);          /* get bignum V_n     */
+    CHECK_MPI_OK( mp_div_2d(&V_n, b, NULL, &tmp) );   /* tmp = V_n mod 2**b */
+    CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, n*160) );       /* tmp = tmp << n*160 */
+    CHECK_MPI_OK( mp_add(&W, &tmp, &W) );             /* W += tmp           */
+    /* Step 8, continued.
+    ** "and let X = W + 2**(L-1).
+    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
+    */
+    CHECK_MPI_OK( mpl_set_bit(&X, (mp_size)(L-1), 1) );    /* X = 2**(L-1) */
+    CHECK_MPI_OK( mp_add(&X, &W, &X) );                    /* X += W       */
+    /*************************************************************
+    ** Step 9.
+    ** "Let c = X mod 2q  and set p = X - (c - 1).
+    **  Note that p is congruent to 1 mod 2q."
+    */
+    CHECK_MPI_OK( mp_mul_2(Q, &twoQ) );                    /* 2q           */
+    CHECK_MPI_OK( mp_mod(&X, &twoQ, &c) );                 /* c = X mod 2q */
+    CHECK_MPI_OK( mp_sub_d(&c, 1, &c) );                   /* c -= 1       */
+    CHECK_MPI_OK( mp_sub(&X, &c, P) );                     /* P = X - c    */
+cleanup:
+    mp_clear(&W);
+    mp_clear(&X);
+    mp_clear(&c);
+    mp_clear(&twoQ);
+    mp_clear(&V_n);
+    mp_clear(&tmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return rv;
+}
+
+/*
+** Generate G from h, P, and Q.
+*/
+static SECStatus
+makeGfromH(const mp_int *P,     /* input.  */
+           const mp_int *Q,     /* input.  */
+                 mp_int *H,     /* input and output. */
+                 mp_int *G,     /* output. */
+                 PRBool *passed)
+{
+    mp_int exp, pm1;
+    mp_err err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    *passed = PR_FALSE;
+    MP_DIGITS(&exp) = 0;
+    MP_DIGITS(&pm1) = 0;
+    CHECK_MPI_OK( mp_init(&exp) );
+    CHECK_MPI_OK( mp_init(&pm1) );
+    CHECK_MPI_OK( mp_sub_d(P, 1, &pm1) );        /* P - 1            */
+    if ( mp_cmp(H, &pm1) >= 0)                   /* H >= P-1         */
+	CHECK_MPI_OK( mp_sub(H, &pm1, H) );      /* H = H mod (P-1)  */
+    /* Let b = 2**n (smallest power of 2 greater than P).
+    ** Since P-1 >= b/2, and H < b, quotient(H/(P-1)) = 0 or 1
+    ** so the above operation safely computes H mod (P-1)
+    */
+    /* Check for H = to 0 or 1.  Regen H if so.  (Regen means return error). */
+    if (mp_cmp_d(H, 1) <= 0) {
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /* Compute G, according to the equation  G = (H ** ((P-1)/Q)) mod P */
+    CHECK_MPI_OK( mp_div(&pm1, Q, &exp, NULL) );  /* exp = (P-1)/Q      */
+    CHECK_MPI_OK( mp_exptmod(H, &exp, P, G) );    /* G = H ** exp mod P */
+    /* Check for G == 0 or G == 1, return error if so. */
+    if (mp_cmp_d(G, 1) <= 0) {
+	rv = SECFailure;
+	goto cleanup;
+    }
+    *passed = PR_TRUE;
+cleanup:
+    mp_clear(&exp);
+    mp_clear(&pm1);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus
+PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+    unsigned int L;            /* Length of P in bits.  Per FIPS 186. */
+    unsigned int seedBytes;
+
+    if (j > 8 || !pParams || !pVfy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    L = 512 + (j * 64);         /* bits in P */
+    seedBytes = L/8;
+    return PQG_ParamGenSeedLen(j, seedBytes, pParams, pVfy);
+}
+
+/* This code uses labels and gotos, so that it can follow the numbered
+** steps in the algorithms from FIPS 186 appendix 2.2 very closely,
+** and so that the correctness of this code can be easily verified.
+** So, please forgive the ugly c code.
+**/
+SECStatus
+PQG_ParamGenSeedLen(unsigned int j, unsigned int seedBytes,
+                    PQGParams **pParams, PQGVerify **pVfy)
+{
+    unsigned int  L;        /* Length of P in bits.  Per FIPS 186. */
+    unsigned int  n;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  b;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  g;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  counter;  /* Per FIPS 186, appendix 2.2. */
+    unsigned int  offset;   /* Per FIPS 186, appendix 2.2. */
+    SECItem      *seed;     /* Per FIPS 186, appendix 2.2. */
+    PRArenaPool  *arena  = NULL;
+    PQGParams    *params = NULL;
+    PQGVerify    *verify = NULL;
+    PRBool passed;
+    SECItem hit = { 0, 0, 0 };
+    mp_int P, Q, G, H, l;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECFailure;
+    int iterations = 0;
+    if (j > 8 || seedBytes < 20 || !pParams || !pVfy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize an arena for the params. */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    if (!params) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    params->arena = arena;
+    /* Initialize an arena for the verify. */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(params->arena, PR_TRUE);
+	return SECFailure;
+    }
+    verify = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
+    if (!verify) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	PORT_FreeArena(params->arena, PR_TRUE);
+	return SECFailure;
+    }
+    verify->arena = arena;
+    seed = &verify->seed;
+    arena = NULL;
+    /* Initialize bignums */
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&G) = 0;
+    MP_DIGITS(&H) = 0;
+    MP_DIGITS(&l) = 0;
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&G) );
+    CHECK_MPI_OK( mp_init(&H) );
+    CHECK_MPI_OK( mp_init(&l) );
+    /* Compute lengths. */
+    L = 512 + (j * 64);               /* bits in P */
+    n = (L - 1) / BITS_IN_Q;          /* BITS_IN_Q is 160 */  
+    b = (L - 1) % BITS_IN_Q;
+    g = seedBytes * BITS_PER_BYTE;    /* bits in seed, NOT G of PQG. */
+step_1:
+    /* ******************************************************************
+    ** Step 1.
+    ** "Choose an abitrary sequence of at least 160 bits and call it SEED.
+    **  Let g be the length of SEED in bits."
+    */
+    if (++iterations > MAX_ITERATIONS) {        /* give up after a while */
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        goto cleanup;
+    }
+    seed->len = seedBytes;
+    CHECK_SEC_OK( getPQseed(seed, verify->arena) );
+    /* ******************************************************************
+    ** Step 2.
+    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
+    **
+    ** Step 3.
+    ** "Form Q from U by setting the most signficant bit (the 2**159 bit) 
+    **  and the least signficant bit to 1.  In terms of boolean operations,
+    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
+    */
+    CHECK_SEC_OK( makeQfromSeed(g, seed, &Q) );
+    /* ******************************************************************
+    ** Step 4.
+    ** "Use a robust primality testing algorithm to test whether q is prime."
+    **
+    ** Appendix 2.1 states that a Rabin test with at least 50 iterations
+    ** "will give an acceptable probability of error."
+    */
+    /*CHECK_SEC_OK( prm_RabinTest(&Q, &passed) );*/
+    err = mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS);
+    passed = (err == MP_YES) ? SECSuccess : SECFailure;
+    /* ******************************************************************
+    ** Step 5. "If q is not prime, goto step 1."
+    */
+    if (passed != SECSuccess)
+        goto step_1;
+    /* ******************************************************************
+    ** Step 6. "Let counter = 0 and offset = 2."
+    */
+    counter = 0;
+    offset  = 2;
+step_7:
+    /* ******************************************************************
+    ** Step 7.
+    ** "for k = 0 ... n let
+    **          V_k = SHA[(SEED + offset + k) mod 2**g]."
+    **
+    ** Step 8.
+    ** "Let W be the sum of  (V_k * 2**(k*160)) for k = 0 ... n
+    **  and let X = W + 2**(L-1).
+    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
+    **
+    ** Step 9.
+    ** "Let c = X mod 2q  and set p = X - (c - 1).
+    **  Note that p is congruent to 1 mod 2q."
+    */
+    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, seed, &Q, &P) );
+    /*************************************************************
+    ** Step 10.
+    ** "if p < 2**(L-1), then goto step 13."
+    */
+    CHECK_MPI_OK( mpl_set_bit(&l, (mp_size)(L-1), 1) ); /* l = 2**(L-1) */
+    if (mp_cmp(&P, &l) < 0)
+        goto step_13;
+    /************************************************************
+    ** Step 11.
+    ** "Perform a robust primality test on p."
+    */
+    /*CHECK_SEC_OK( prm_RabinTest(&P, &passed) );*/
+    err = mpp_pprime(&P, PQG_P_PRIMALITY_TESTS);
+    passed = (err == MP_YES) ? SECSuccess : SECFailure;
+    /* ******************************************************************
+    ** Step 12. "If p passes the test performed in step 11, go to step 15."
+    */
+    if (passed == SECSuccess)
+        goto step_15;
+step_13:
+    /* ******************************************************************
+    ** Step 13.  "Let counter = counter + 1 and offset = offset + n + 1."
+    */
+    counter++;
+    offset += n + 1;
+    /* ******************************************************************
+    ** Step 14.  "If counter >= 4096 goto step 1, otherwise go to step 7."
+    */
+    if (counter >= 4096)
+        goto step_1;
+    goto step_7;
+step_15:
+    /* ******************************************************************
+    ** Step 15.  
+    ** "Save the value of SEED and the value of counter for use
+    **  in certifying the proper generation of p and q."
+    */
+    /* Generate h. */
+    SECITEM_AllocItem(NULL, &hit, L/8); /* h is no longer than p */
+    if (!hit.data) goto cleanup;
+    do {
+	/* loop generate h until 1<h<p-1 and (h**[(p-1)/q])mod p > 1 */
+	CHECK_SEC_OK( generate_h_candidate(&hit, &H) );
+        CHECK_SEC_OK( makeGfromH(&P, &Q, &H, &G, &passed) );
+    } while (passed != PR_TRUE);
+    /* All generation is done.  Now, save the PQG params.  */
+    MPINT_TO_SECITEM(&P, &params->prime,    params->arena);
+    MPINT_TO_SECITEM(&Q, &params->subPrime, params->arena);
+    MPINT_TO_SECITEM(&G, &params->base,     params->arena);
+    MPINT_TO_SECITEM(&H, &verify->h,        verify->arena);
+    verify->counter = counter;
+    *pParams = params;
+    *pVfy = verify;
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&G);
+    mp_clear(&H);
+    mp_clear(&l);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv) {
+	PORT_FreeArena(params->arena, PR_TRUE);
+	PORT_FreeArena(verify->arena, PR_TRUE);
+    }
+    if (hit.data) {
+        SECITEM_FreeItem(&hit, PR_FALSE);
+    }
+    return rv;
+}
+
+SECStatus   
+PQG_VerifyParams(const PQGParams *params, 
+                 const PQGVerify *vfy, SECStatus *result)
+{
+    SECStatus rv = SECSuccess;
+    int passed;
+    unsigned int g, n, L, offset;
+    mp_int P, Q, G, P_, Q_, G_, r, h;
+    mp_err err = MP_OKAY;
+    int j;
+#define CHECKPARAM(cond)      \
+    if (!(cond)) {            \
+	*result = SECFailure; \
+	goto cleanup;         \
+    }
+    if (!params || !vfy || !result) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&G) = 0;
+    MP_DIGITS(&P_) = 0;
+    MP_DIGITS(&Q_) = 0;
+    MP_DIGITS(&G_) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&h) = 0;
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&G) );
+    CHECK_MPI_OK( mp_init(&P_) );
+    CHECK_MPI_OK( mp_init(&Q_) );
+    CHECK_MPI_OK( mp_init(&G_) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&h) );
+    *result = SECSuccess;
+    SECITEM_TO_MPINT(params->prime,    &P);
+    SECITEM_TO_MPINT(params->subPrime, &Q);
+    SECITEM_TO_MPINT(params->base,     &G);
+    /* 1.  Q is 160 bits long. */
+    CHECKPARAM( mpl_significant_bits(&Q) == 160 );
+    /* 2.  P is one of the 9 valid lengths. */
+    L = mpl_significant_bits(&P);
+    j = PQG_PBITS_TO_INDEX(L);
+    CHECKPARAM( j >= 0 && j <= 8 );
+    /* 3.  G < P */
+    CHECKPARAM( mp_cmp(&G, &P) < 0 );
+    /* 4.  P % Q == 1 */
+    CHECK_MPI_OK( mp_mod(&P, &Q, &r) );
+    CHECKPARAM( mp_cmp_d(&r, 1) == 0 );
+    /* 5.  Q is prime */
+    CHECKPARAM( mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS) == MP_YES );
+    /* 6.  P is prime */
+    CHECKPARAM( mpp_pprime(&P, PQG_P_PRIMALITY_TESTS) == MP_YES );
+    /* Steps 7-12 are done only if the optional PQGVerify is supplied. */
+    /* 7.  counter < 4096 */
+    CHECKPARAM( vfy->counter < 4096 );
+    /* 8.  g >= 160 and g < 2048   (g is length of seed in bits) */
+    g = vfy->seed.len * 8;
+    CHECKPARAM( g >= 160 && g < 2048 );
+    /* 9.  Q generated from SEED matches Q in PQGParams. */
+    CHECK_SEC_OK( makeQfromSeed(g, &vfy->seed, &Q_) );
+    CHECKPARAM( mp_cmp(&Q, &Q_) == 0 );
+    /* 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams. */
+    n = (L - 1) / BITS_IN_Q;
+    offset = vfy->counter * (n + 1) + 2;
+    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, &vfy->seed, &Q, &P_) );
+    CHECKPARAM( mp_cmp(&P, &P_) == 0 );
+    /* Next two are optional: if h == 0 ignore */
+    if (vfy->h.len == 0) goto cleanup;
+    /* 11. 1 < h < P-1 */
+    SECITEM_TO_MPINT(vfy->h, &h);
+    CHECK_MPI_OK( mpl_set_bit(&P, 0, 0) ); /* P is prime, p-1 == zero 1st bit */
+    CHECKPARAM( mp_cmp_d(&h, 1) > 0 && mp_cmp(&h, &P) );
+    CHECK_MPI_OK( mpl_set_bit(&P, 0, 1) ); /* set it back */
+    /* 12. G generated from h matches G in PQGParams. */
+    CHECK_SEC_OK( makeGfromH(&P, &Q, &h, &G_, &passed) );
+    CHECKPARAM( passed && mp_cmp(&G, &G_) == 0 );
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&G);
+    mp_clear(&P_);
+    mp_clear(&Q_);
+    mp_clear(&G_);
+    mp_clear(&r);
+    mp_clear(&h);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+void
+PQG_DestroyParams(PQGParams *params)
+{
+    if (params == NULL) 
+    	return;
+    if (params->arena != NULL) {
+	PORT_FreeArena(params->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&params->prime,    PR_FALSE); /* don't free prime */
+	SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
+	SECITEM_FreeItem(&params->base,     PR_FALSE); /* don't free base */
+	PORT_Free(params);
+    }
+}
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+
+void
+PQG_DestroyVerify(PQGVerify *vfy)
+{
+    if (vfy == NULL) 
+    	return;
+    if (vfy->arena != NULL) {
+	PORT_FreeArena(vfy->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&vfy->seed,   PR_FALSE); /* don't free seed */
+	SECITEM_FreeItem(&vfy->h,      PR_FALSE); /* don't free h */
+	PORT_Free(vfy);
+    }
+}
diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c
new file mode 100644
index 000000000..50c29692e
--- /dev/null
+++ b/security/nss/lib/freebl/prng_fips1861.c
@@ -0,0 +1,642 @@
+/*
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "nssilock.h"
+#include "secitem.h"
+#include "sha_fast.h"
+#include "sha256.h"
+#include "secrng.h"	/* for RNG_GetNoise() */
+#include "secmpi.h"
+
+/*
+ * The minimum amount of seed data required before the generator will
+ * provide data.
+ * Note that this is a measure of the number of bytes sent to
+ * RNG_RandomUpdate, not the actual amount of entropy present in the
+ * generator.  Naturally, it is impossible to know (at this level) just
+ * how much entropy is present in the provided seed data.  A bare minimum
+ * of entropy would be 20 bytes, so by requiring 1K this code is making
+ * the tacit assumption that at least 1 byte of pure entropy is provided
+ * with every 8 bytes supplied to RNG_RandomUpdate.  The reality of this
+ * assumption is left up to the caller.
+ */
+#define MIN_SEED_COUNT 1024
+
+/*
+ * Steps taken from Algorithm 1 of FIPS 186-2 Change Notice 1
+ */
+
+/*
+ * According to FIPS 186-2, 160 <= b <= 512.
+ * For our purposes, we will assume b == 160,
+ * 256, or 512 (the output size of SHA-1,
+ * SHA-256, or SHA-512).
+ */
+#define FIPS_B     256
+#define BSIZE      (FIPS_B / PR_BITS_PER_BYTE)
+#if BSIZE != SHA256_LENGTH
+#error "this file requires that BSIZE and SHA256_LENGTH be equal"
+#endif
+
+/* Output size of the G function */
+#define FIPS_G     160
+#define GSIZE      (FIPS_G / PR_BITS_PER_BYTE)
+
+/*
+ * Add two b-bit numbers represented as arrays of BSIZE bytes.
+ * The numbers are big-endian, MSB first, so addition is done
+ * from the end of the buffer to the beginning.
+ */
+#define ADD_B_BIT_PLUS_CARRY(dest, add1, add2, cy) \
+    carry = cy; \
+    for (k=BSIZE-1; k>=0; --k) { \
+	carry += add1[k] + add2[k]; \
+	dest[k] = (PRUint8)carry; \
+	carry >>= 8; \
+    }
+
+#define ADD_B_BIT_2(dest, add1, add2) \
+	ADD_B_BIT_PLUS_CARRY(dest, add1, add2, 0)
+
+
+/*
+ * FIPS requires result from Step 3.3 to be reduced mod q when generating
+ * random numbers for DSA.
+ *
+ * Input: w, 2*GSIZE bytes
+ *        q, DSA_SUBPRIME_LEN bytes
+ * Output: xj, DSA_SUBPRIME_LEN bytes
+ */
+SECStatus
+FIPS186Change_ReduceModQForDSA(const unsigned char *w,
+                               const unsigned char *q,
+                               unsigned char *xj)
+{
+    mp_int W, Q, Xj;
+    mp_err err;
+    SECStatus rv = SECSuccess;
+
+    /* Initialize MPI integers. */
+    MP_DIGITS(&W) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&Xj) = 0;
+    CHECK_MPI_OK( mp_init(&W) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&Xj) );
+    /*
+     * Convert input arguments into MPI integers.
+     */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*GSIZE) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, DSA_SUBPRIME_LEN) );
+    /*
+     * Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3
+     *
+     * xj = (w0 || w1) mod q
+     */
+    CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, DSA_SUBPRIME_LEN) );
+cleanup:
+    mp_clear(&W);
+    mp_clear(&Q);
+    mp_clear(&Xj);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+ * Specialized SHA1-like function.  This function appends zeroes to a 
+ * single input block and runs a single instance of the compression function, 
+ * as specified in FIPS 186-2 appendix 3.3.
+ */
+static void 
+RNG_UpdateAndEnd_FIPS186_2(SHA1Context *ctx, 
+                           unsigned char *input, unsigned int inputLen,
+                           unsigned char *hashout, unsigned int *pDigestLen, 
+                           unsigned int maxDigestLen);
+
+/*
+ * Global RNG context
+ */ 
+struct RNGContextStr {
+    PRUint8   XKEY[BSIZE]; /* Seed for next SHA iteration */
+    PRUint8   Xj[2*GSIZE]; /* Output from previous operation. */
+    PZLock   *lock;        /* Lock to serialize access to global rng */
+    PRUint8   avail;       /* # bytes of output available, [0...2*GSIZE] */
+    PRUint32  seedCount;   /* number of seed bytes given to generator */
+    PRBool    isValid;     /* false if RNG reaches an invalid state */
+};
+typedef struct RNGContextStr RNGContext;
+static RNGContext *globalrng = NULL;
+static RNGContext theGlobalRng;
+
+/*
+ * Clean up the global RNG context
+ */
+static void
+freeRNGContext()
+{
+    unsigned char inputhash[BSIZE];
+    SECStatus rv;
+
+    /* destroy context lock */
+    PZ_DestroyLock(globalrng->lock);
+
+    /* zero global RNG context except for XKEY to preserve entropy */
+    rv = SHA256_HashBuf(inputhash, globalrng->XKEY, BSIZE);
+    PORT_Assert(SECSuccess == rv);
+    memset(globalrng, 0, sizeof(*globalrng));
+    memcpy(globalrng->XKEY, inputhash, BSIZE);
+
+    globalrng = NULL;
+}
+
+/*
+ * The core of Algorithm 1 of FIPS 186-2 Change Notice 1,
+ * separated from alg_fips186_2_cn_1 as a standalone function
+ * for FIPS algorithm testing.
+ *
+ * Parameters:
+ *   XKEY [input/output]: the state of the RNG (seed-key)
+ *   XSEEDj [input]: optional user input (seed)
+ *   x_j [output]: output of the RNG
+ *
+ * Return value:
+ * This function usually returns SECSuccess.  The only reason
+ * this function returns SECFailure is that XSEEDj equals
+ * XKEY, including the intermediate XKEY value between the two
+ * iterations.  (This test is actually a FIPS 140-2 requirement
+ * and not required for FIPS algorithm testing, but it is too
+ * hard to separate from this function.)  If this function fails,
+ * XKEY is not updated, but some data may have been written to
+ * x_j, which should be ignored.
+ */
+SECStatus
+FIPS186Change_GenerateX(unsigned char *XKEY, const unsigned char *XSEEDj,
+                        unsigned char *x_j)
+{
+    /* SHA1 context for G(t, XVAL) function */
+    SHA1Context sha1cx;
+    /* XKEY for iteration 1 */
+    PRUint8 XKEY_1[BSIZE];
+    const PRUint8 *XKEY_old;
+    PRUint8 *XKEY_new;
+    /* input to hash function */
+    PRUint8 XVAL[BSIZE];
+    /* used by ADD_B_BIT macros */
+    int k, carry;
+    /* store the output of G(t, XVAL) in the rightmost GSIZE bytes */
+    PRUint8 w_i[BSIZE];
+    int i;
+    unsigned int len;
+    SECStatus rv = SECSuccess;
+
+#if GSIZE < BSIZE
+    /* zero the leftmost bytes so we can pass it to ADD_B_BIT_PLUS_CARRY */
+    memset(w_i, 0, BSIZE - GSIZE);
+#endif
+    /* 
+     * <Step 2> Initialize t, taken care of in SHA-1 (same initial values)
+     *
+     * <Step 3.1> XSEEDj is optional user input
+     */ 
+    for (i = 0; i < 2; i++) {
+	/* only update XKEY when both iterations have been completed */
+	if (i == 0) {
+	    /* for iteration 0 */
+	    XKEY_old = XKEY;
+	    XKEY_new = XKEY_1;
+	} else {
+	    /* for iteration 1 */
+	    XKEY_old = XKEY_1;
+	    XKEY_new = XKEY;
+	}
+	/* 
+	 * <Step 3.2a> XVAL = (XKEY + XSEEDj) mod 2^b
+	 *     :always reduced mod 2^b, since storing as b-bit value
+	 */
+	if (XSEEDj) {
+	    /* XSEEDj > 0 */
+	    if (memcmp(XKEY_old, XSEEDj, BSIZE) == 0) {
+		/* Should we add the error code SEC_ERROR_BAD_RNG_SEED? */
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		rv = SECFailure;
+		goto done;
+	    }
+	    ADD_B_BIT_2(XVAL, XKEY_old, XSEEDj);
+	} else {
+	    /* XSEEDj == 0 */
+	    memcpy(XVAL, XKEY_old, BSIZE);
+	}
+	/* 
+	 * <Step 3.2b> Wi = G(t, XVAL)
+	 *     :FIPS 186-2 specifies a different padding than the SHA1 180-1
+	 *     :specification, this function is implemented in
+	 *     :RNG_UpdateAndEnd_FIPS186_2 below.
+	 */ 
+	SHA1_Begin(&sha1cx);
+	RNG_UpdateAndEnd_FIPS186_2(&sha1cx, XVAL, BSIZE,
+				   &w_i[BSIZE - GSIZE], &len, GSIZE);
+	/* 
+	 * <Step 3.2c> XKEY = (1 + XKEY + Wi) mod 2^b
+	 *     :always reduced mod 2^b, since storing as 160-bit value 
+	 */
+	ADD_B_BIT_PLUS_CARRY(XKEY_new, XKEY_old, w_i, 1);
+	/*
+	 * <Step 3.3> Xj = (W0 || W1)
+	 */
+	memcpy(&x_j[i*GSIZE], &w_i[BSIZE - GSIZE], GSIZE);
+    }
+
+done:
+    /* housekeeping */
+    memset(&w_i[BSIZE - GSIZE], 0, GSIZE);
+    memset(XVAL, 0, BSIZE);
+    memset(XKEY_1, 0, BSIZE);
+    return rv;
+}
+
+/*
+ * Implementation of Algorithm 1 of FIPS 186-2 Change Notice 1,
+ * hereinafter called alg_cn_1().  It is assumed a lock for the global
+ * rng context has already been acquired.
+ * Calling this function with XSEEDj == NULL is equivalent to saying there
+ * is no optional user input, which is further equivalent to saying that
+ * the optional user input is 0.
+ */
+static SECStatus
+alg_fips186_2_cn_1(RNGContext *rng, const unsigned char *XSEEDj)
+{
+    /* store a copy of the output to compare with the previous output */
+    PRUint8 x_j[2*GSIZE];
+    SECStatus rv;
+
+    if (!rng->isValid) {
+	/* RNG has alread entered an invalid state. */
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    rv = FIPS186Change_GenerateX(rng->XKEY, XSEEDj, x_j);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    /*     [FIPS 140-2] verify output does not match previous output */
+    if (memcmp(x_j, rng->Xj, 2*GSIZE) == 0) {
+	/* failed FIPS 140-2 continuous RNG test.  RNG now invalid. */
+	rng->isValid = PR_FALSE;
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	rv = SECFailure;
+	goto done;
+    }
+    /* Xj is the output */
+    memcpy(rng->Xj, x_j, 2*GSIZE);
+    /* Always have a full buffer after executing alg_cn_1() */
+    rng->avail = 2*GSIZE;
+
+done:
+    /* housekeeping */
+    memset(x_j, 0, 2*GSIZE);
+    return rv;
+}
+
+/* Use NSPR to prevent RNG_RNGInit from being called from separate
+ * threads, creating a race condition.
+ */
+static const PRCallOnceType pristineCallOnce;
+static PRCallOnceType coRNGInit;
+static PRStatus rng_init(void)
+{
+    unsigned char bytes[SYSTEM_RNG_SEED_COUNT];
+    unsigned int numBytes;
+    if (globalrng == NULL) {
+	/* create a new global RNG context */
+	globalrng = &theGlobalRng;
+        PORT_Assert(NULL == globalrng->lock);
+	/* create a lock for it */
+	globalrng->lock = PZ_NewLock(nssILockOther);
+	if (globalrng->lock == NULL) {
+	    globalrng = NULL;
+	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+	    return PR_FAILURE;
+	}
+	/* the RNG is in a valid state */
+	globalrng->isValid = PR_TRUE;
+	/* Try to get some seed data for the RNG */
+	numBytes = RNG_SystemRNG(bytes, sizeof bytes);
+	PORT_Assert(numBytes == 0 || numBytes == sizeof bytes);
+	if (numBytes != 0) {
+	    RNG_RandomUpdate(bytes, numBytes);
+	    memset(bytes, 0, numBytes);
+	} else if (PORT_GetError() != PR_NOT_IMPLEMENTED_ERROR) {
+	    PZ_DestroyLock(globalrng->lock);
+	    globalrng->lock = NULL;
+	    globalrng->isValid = PR_FALSE;
+	    globalrng = NULL;
+	    return PR_FAILURE;
+	}
+	numBytes = RNG_GetNoise(bytes, sizeof bytes);
+	RNG_RandomUpdate(bytes, numBytes);
+    }
+    return PR_SUCCESS;
+}
+
+/*
+ * Initialize the global RNG context and give it some seed input taken
+ * from the system.  This function is thread-safe and will only allow
+ * the global context to be initialized once.  The seed input is likely
+ * small, so it is imperative that RNG_RandomUpdate() be called with
+ * additional seed data before the generator is used.  A good way to
+ * provide the generator with additional entropy is to call
+ * RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
+ */
+SECStatus 
+RNG_RNGInit(void)
+{
+    /* Allow only one call to initialize the context */
+    PR_CallOnce(&coRNGInit, rng_init);
+    /* Make sure there is a context */
+    return (globalrng != NULL) ? PR_SUCCESS : PR_FAILURE;
+}
+
+/*
+** Update the global random number generator with more seeding
+** material
+*/
+static SECStatus 
+prng_RandomUpdate(RNGContext *rng, const void *data, size_t bytes)
+{
+    SECStatus rv = SECSuccess;
+    /* check for a valid global RNG context */
+    PORT_Assert(rng != NULL);
+    if (rng == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* RNG_SystemInfoForRNG() sometimes does this, not really an error */
+    if (bytes == 0)
+	return SECSuccess;
+    /* --- LOCKED --- */
+    PZ_Lock(rng->lock);
+    /*
+     * Random information is initially supplied by a call to
+     * RNG_SystemInfoForRNG().  That function collects entropy from
+     * the system and calls RNG_RandomUpdate() to seed the generator.
+     * Algorithm 1 of FIPS 186-2 Change Notice 1, step 1 specifies that
+     * a secret value for the seed-key must be chosen before the
+     * generator can begin.  The size of XKEY is b bits, so fill it
+     * with the b-bit hash of the input to the first RNG_RandomUpdate()
+     * call.
+     */
+    if (rng->seedCount == 0) {
+	/* This is the first call to RandomUpdate().  Use a hash
+	 * of the input to set the seed-key, XKEY.
+	 *
+	 * <Step 1> copy hash of seed bytes into context's XKEY
+	 */
+	SHA256_HashBuf(rng->XKEY, data, bytes);
+	/* Now continue with algorithm. */
+	rv = alg_fips186_2_cn_1(rng, NULL);
+	/* As per FIPS 140-2 continuous RNG test requirement, the first
+	 * iteration of output is discarded.  So here there is really
+	 * no output available.  This forces another execution of alg_cn_1()
+	 * before any bytes can be extracted from the generator.
+	 */
+	rng->avail = 0;
+    } else if (bytes == BSIZE && memcmp(rng->XKEY, data, BSIZE) == 0) {
+	/* Should we add the error code SEC_ERROR_BAD_RNG_SEED? */
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    } else {
+	/*
+	 * FIPS 186-2 does not specify how to reseed the RNG.  We retrofit
+	 * our RNG with a reseed function from NIST SP 800-90.
+	 *
+	 * Use a hash of the seed-key and the input to reseed the RNG.
+	 */
+	SHA256Context ctx;
+	SHA256_Begin(&ctx);
+	SHA256_Update(&ctx, rng->XKEY, BSIZE);
+	SHA256_Update(&ctx, data, bytes);
+	SHA256_End(&ctx, rng->XKEY, NULL, BSIZE);
+    }
+    /* If got this far, have added bytes of seed data. */
+    if (rv == SECSuccess)
+	rng->seedCount += bytes;
+    PZ_Unlock(rng->lock);
+    /* --- UNLOCKED --- */
+    return rv;
+}
+
+/*
+** Update the global random number generator with more seeding
+** material.
+*/
+SECStatus 
+RNG_RandomUpdate(const void *data, size_t bytes)
+{
+    return prng_RandomUpdate(globalrng, data, bytes);
+}
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.
+*/
+static SECStatus 
+prng_GenerateGlobalRandomBytes(RNGContext *rng,
+                               void *dest, size_t len)
+{
+    PRUint8 num;
+    SECStatus rv = SECSuccess;
+    unsigned char *output = dest;
+    /* check for a valid global RNG context */
+    PORT_Assert(rng != NULL);
+    if (rng == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* --- LOCKED --- */
+    PZ_Lock(rng->lock);
+    /* Check the amount of seed data in the generator.  If not enough,
+     * don't produce any data.
+     */
+    if (rng->seedCount < MIN_SEED_COUNT) {
+	PZ_Unlock(rng->lock);
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	return SECFailure;
+    }
+    /*
+     * If there are enough bytes of random data, send back Xj, 
+     * else call alg_cn_1() with 0's to generate more random data.
+     */
+    while (len > 0 && rv == SECSuccess) {
+	if (rng->avail == 0) {
+	    /* All available bytes are used, so generate more. */
+	    rv = alg_fips186_2_cn_1(rng, NULL);
+	}
+	/* number of bytes to obtain on this iteration (max of 40) */
+	num = PR_MIN(rng->avail, len);
+	/*
+	 * if avail < 2*GSIZE, the first 2*GSIZE - avail bytes have
+	 * already been used.
+	 */
+	if (num) {
+	    memcpy(output, rng->Xj + (2*GSIZE - rng->avail), num);
+	    rng->avail -= num;
+	    len -= num;
+	    output += num;
+	}
+    }
+    PZ_Unlock(rng->lock);
+    /* --- UNLOCKED --- */
+    return rv;
+}
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.
+*/
+SECStatus 
+RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
+{
+    return prng_GenerateGlobalRandomBytes(globalrng, dest, len);
+}
+
+void
+RNG_RNGShutdown(void)
+{
+    /* check for a valid global RNG context */
+    PORT_Assert(globalrng != NULL);
+    if (globalrng == NULL) {
+	/* Should set a "not initialized" error code. */
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return;
+    }
+    /* clear */
+    freeRNGContext();
+    /* reset the callonce struct to allow a new call to RNG_RNGInit() */
+    coRNGInit = pristineCallOnce;
+}
+
+/*
+ *  SHA: Generate hash value from context
+ *       Specialized function for PRNG
+ *       The PRNG specified in FIPS 186-2 3.3 uses a function, G,
+ *       which has the same initialization and compression functions
+ *       as SHA1 180-1, but uses different padding.  FIPS 186-2 3.3 
+ *       specifies that the message be padded with 0's until the size
+ *       reaches 512 bits.
+ */
+static void 
+RNG_UpdateAndEnd_FIPS186_2(SHA1Context *ctx, 
+                           unsigned char *input, unsigned int inputLen,
+                           unsigned char *hashout, unsigned int *pDigestLen, 
+                           unsigned int maxDigestLen)
+{
+#if defined(SHA_NEED_TMP_VARIABLE)
+    register PRUint32 tmp;
+#endif
+    static const unsigned char bulk_pad0[64] = { 0,0,0,0,0,0,0,0,0,0,
+               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
+
+    PORT_Assert(maxDigestLen >= SHA1_LENGTH);
+    PORT_Assert(inputLen <= SHA1_INPUT_LEN);
+
+    /*
+     *  Add the input
+     */
+    SHA1_Update(ctx, input, inputLen);
+    /*
+     *  Pad with zeroes
+     *  This will fill the input block and cause the compression function
+     *  to be called.
+     */
+    SHA1_Update(ctx, bulk_pad0, SHA1_INPUT_LEN - inputLen);
+
+    /*
+     *  Output hash
+     */
+    SHA_STORE_RESULT;
+    *pDigestLen = SHA1_LENGTH;
+}
+
+/*
+ * Specialized RNG for DSA
+ *
+ * As per Algorithm 1 of FIPS 186-2 Change Notice 1, in step 3.3 the value
+ * Xj should be reduced mod q, a 160-bit prime number.  Since this parameter
+ * is only meaningful in the context of DSA, the above RNG functions
+ * were implemented without it.  They are re-implemented below for use
+ * with DSA.
+ *
+ */
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.  In DSA mode, so there is a q.
+*/
+SECStatus 
+DSA_GenerateGlobalRandomBytes(void *dest, size_t len, const unsigned char *q)
+{
+    SECStatus rv;
+    unsigned char w[2*GSIZE];
+
+    PORT_Assert(q && len == DSA_SUBPRIME_LEN);
+    if (len != DSA_SUBPRIME_LEN) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    if (*q == 0) {
+        ++q;
+    }
+    rv = prng_GenerateGlobalRandomBytes(globalrng, w, 2*GSIZE);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    FIPS186Change_ReduceModQForDSA(w, q, (unsigned char *)dest);
+    return rv;
+}
diff --git a/security/nss/lib/freebl/rawhash.c b/security/nss/lib/freebl/rawhash.c
new file mode 100644
index 000000000..a3efe9b30
--- /dev/null
+++ b/security/nss/lib/freebl/rawhash.c
@@ -0,0 +1,164 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nspr.h"
+#include "sechash.h"
+#include "blapi.h"	/* below the line */
+#include "secerr.h"
+
+static void *
+null_hash_new_context(void)
+{
+    return NULL;
+}
+
+static void *
+null_hash_clone_context(void *v)
+{
+    PORT_Assert(v == NULL);
+    return NULL;
+}
+
+static void
+null_hash_begin(void *v)
+{
+}
+
+static void
+null_hash_update(void *v, const unsigned char *input, unsigned int length)
+{
+}
+
+static void
+null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
+	      unsigned int maxOut)
+{
+    *outLen = 0;
+}
+
+static void
+null_hash_destroy_context(void *v, PRBool b)
+{
+    PORT_Assert(v == NULL);
+}
+
+
+const SECHashObject SECRawHashObjects[] = {
+  { 0,
+    (void * (*)(void)) null_hash_new_context,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) null_hash_destroy_context,
+    (void (*)(void *)) null_hash_begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) null_hash_end,
+    0,
+    HASH_AlgNULL
+  },
+  { MD2_LENGTH,
+    (void * (*)(void)) MD2_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) MD2_DestroyContext,
+    (void (*)(void *)) MD2_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) MD2_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD2_End,
+    MD2_BLOCK_LENGTH,
+    HASH_AlgMD2
+  },
+  { MD5_LENGTH,
+    (void * (*)(void)) MD5_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) MD5_DestroyContext,
+    (void (*)(void *)) MD5_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) MD5_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD5_End,
+    MD5_BLOCK_LENGTH,
+    HASH_AlgMD5
+  },
+  { SHA1_LENGTH,
+    (void * (*)(void)) SHA1_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA1_DestroyContext,
+    (void (*)(void *)) SHA1_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA1_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) SHA1_End,
+    SHA1_BLOCK_LENGTH,
+    HASH_AlgSHA1
+  },
+  { SHA256_LENGTH,
+    (void * (*)(void)) SHA256_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA256_DestroyContext,
+    (void (*)(void *)) SHA256_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA256_Update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) SHA256_End,
+    SHA256_BLOCK_LENGTH,
+    HASH_AlgSHA256
+  },
+  { SHA384_LENGTH,
+    (void * (*)(void)) SHA384_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA384_DestroyContext,
+    (void (*)(void *)) SHA384_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA384_Update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) SHA384_End,
+    SHA384_BLOCK_LENGTH,
+    HASH_AlgSHA384
+  },
+  { SHA512_LENGTH,
+    (void * (*)(void)) SHA512_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA512_DestroyContext,
+    (void (*)(void *)) SHA512_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA512_Update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) SHA512_End,
+    SHA512_BLOCK_LENGTH,
+    HASH_AlgSHA512
+  },
+};
+
+const SECHashObject *
+HASH_GetRawHashObject(HASH_HashType hashType)
+{
+    if (hashType < HASH_AlgNULL || hashType >= HASH_AlgTOTAL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    return &SECRawHashObjects[hashType];
+}
diff --git a/security/nss/lib/freebl/ret_cr16.s b/security/nss/lib/freebl/ret_cr16.s
new file mode 100644
index 000000000..7fb37e725
--- /dev/null
+++ b/security/nss/lib/freebl/ret_cr16.s
@@ -0,0 +1,57 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef __LP64__
+        .LEVEL   2.0W
+#else
+        .LEVEL   1.1
+#endif
+
+	.CODE	; equivalent to the following two lines
+;       .SPACE   $TEXT$,SORT=8
+;       .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
+
+ret_cr16
+	.PROC
+	.CALLINFO 	FRAME=0, NO_CALLS
+	.EXPORT 	ret_cr16,ENTRY
+	.ENTER
+;	BV		%r0(%rp)
+	BV		0(%rp)
+	MFCTL		%cr16,%ret0
+        .LEAVE
+        .PROCEND
+        .END
diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c
new file mode 100644
index 000000000..58f5e5cdf
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael.c
@@ -0,0 +1,1155 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "prinit.h"
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+#include "rijndael.h"
+
+/*
+ * There are currently five ways to build this code, varying in performance
+ * and code size.
+ *
+ * RIJNDAEL_INCLUDE_TABLES         Include all tables from rijndael32.tab
+ * RIJNDAEL_GENERATE_TABLES        Generate tables on first 
+ *                                 encryption/decryption, then store them;
+ *                                 use the function gfm
+ * RIJNDAEL_GENERATE_TABLES_MACRO  Same as above, but use macros to do
+ *                                 the generation
+ * RIJNDAEL_GENERATE_VALUES        Do not store tables, generate the table
+ *                                 values "on-the-fly", using gfm
+ * RIJNDAEL_GENERATE_VALUES_MACRO  Same as above, but use macros
+ *
+ * The default is RIJNDAEL_INCLUDE_TABLES.
+ */
+
+/*
+ * When building RIJNDAEL_INCLUDE_TABLES, includes S**-1, Rcon, T[0..4], 
+ *                                                 T**-1[0..4], IMXC[0..4]
+ * When building anything else, includes S, S**-1, Rcon
+ */
+#include "rijndael32.tab"
+
+#if defined(RIJNDAEL_INCLUDE_TABLES)
+/*
+ * RIJNDAEL_INCLUDE_TABLES
+ */
+#define T0(i)    _T0[i]
+#define T1(i)    _T1[i]
+#define T2(i)    _T2[i]
+#define T3(i)    _T3[i]
+#define TInv0(i) _TInv0[i]
+#define TInv1(i) _TInv1[i]
+#define TInv2(i) _TInv2[i]
+#define TInv3(i) _TInv3[i]
+#define IMXC0(b) _IMXC0[b]
+#define IMXC1(b) _IMXC1[b]
+#define IMXC2(b) _IMXC2[b]
+#define IMXC3(b) _IMXC3[b]
+/* The S-box can be recovered from the T-tables */
+#ifdef IS_LITTLE_ENDIAN
+#define SBOX(b)    ((PRUint8)_T3[b])
+#else
+#define SBOX(b)    ((PRUint8)_T1[b])
+#endif
+#define SINV(b) (_SInv[b])
+
+#else /* not RIJNDAEL_INCLUDE_TABLES */
+
+/*
+ * Code for generating T-table values.
+ */
+
+#ifdef IS_LITTLE_ENDIAN
+#define WORD4(b0, b1, b2, b3) \
+    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | (b0))
+#else
+#define WORD4(b0, b1, b2, b3) \
+    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | (b3))
+#endif
+
+/*
+ * Define the S and S**-1 tables (both have been stored)
+ */
+#define SBOX(b)    (_S[b])
+#define SINV(b) (_SInv[b])
+
+/*
+ * The function xtime, used for Galois field multiplication
+ */
+#define XTIME(a) \
+    ((a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1))
+
+/* Choose GFM method (macros or function) */
+#if defined(RIJNDAEL_GENERATE_TABLES_MACRO) ||  \
+    defined(RIJNDAEL_GENERATE_VALUES_MACRO)
+
+/*
+ * Galois field GF(2**8) multipliers, in macro form
+ */
+#define GFM01(a) \
+    (a)                                 /* a * 01 = a, the identity */
+#define GFM02(a) \
+    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
+#define GFM04(a) \
+    (GFM02(GFM02(a)))                   /* a * 04 = xtime**2(a) */
+#define GFM08(a) \
+    (GFM02(GFM04(a)))                   /* a * 08 = xtime**3(a) */
+#define GFM03(a) \
+    (GFM01(a) ^ GFM02(a))               /* a * 03 = a * (01 + 02) */
+#define GFM09(a) \
+    (GFM01(a) ^ GFM08(a))               /* a * 09 = a * (01 + 08) */
+#define GFM0B(a) \
+    (GFM01(a) ^ GFM02(a) ^ GFM08(a))    /* a * 0B = a * (01 + 02 + 08) */
+#define GFM0D(a) \
+    (GFM01(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0D = a * (01 + 04 + 08) */
+#define GFM0E(a) \
+    (GFM02(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0E = a * (02 + 04 + 08) */
+
+#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_VALUES */
+
+/* GF_MULTIPLY
+ *
+ * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
+ */
+PRUint8 gfm(PRUint8 a, PRUint8 b)
+{
+    PRUint8 res = 0;
+    while (b > 0) {
+	res = (b & 0x01) ? res ^ a : res;
+	a = XTIME(a);
+	b >>= 1;
+    }
+    return res;
+}
+
+#define GFM01(a) \
+    (a)                                 /* a * 01 = a, the identity */
+#define GFM02(a) \
+    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
+#define GFM03(a) \
+    (gfm(a, 0x03))                      /* a * 03 */
+#define GFM09(a) \
+    (gfm(a, 0x09))                      /* a * 09 */
+#define GFM0B(a) \
+    (gfm(a, 0x0B))                      /* a * 0B */
+#define GFM0D(a) \
+    (gfm(a, 0x0D))                      /* a * 0D */
+#define GFM0E(a) \
+    (gfm(a, 0x0E))                      /* a * 0E */
+
+#endif /* choosing GFM function */
+
+/*
+ * The T-tables
+ */
+#define G_T0(i) \
+    ( WORD4( GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)) ) )
+#define G_T1(i) \
+    ( WORD4( GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)) ) )
+#define G_T2(i) \
+    ( WORD4( GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)) ) )
+#define G_T3(i) \
+    ( WORD4( GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)) ) )
+
+/*
+ * The inverse T-tables
+ */
+#define G_TInv0(i) \
+    ( WORD4( GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)) ) )
+#define G_TInv1(i) \
+    ( WORD4( GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)) ) )
+#define G_TInv2(i) \
+    ( WORD4( GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)) ) )
+#define G_TInv3(i) \
+    ( WORD4( GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)) ) )
+
+/*
+ * The inverse mix column tables
+ */
+#define G_IMXC0(i) \
+    ( WORD4( GFM0E(i), GFM09(i), GFM0D(i), GFM0B(i) ) )
+#define G_IMXC1(i) \
+    ( WORD4( GFM0B(i), GFM0E(i), GFM09(i), GFM0D(i) ) )
+#define G_IMXC2(i) \
+    ( WORD4( GFM0D(i), GFM0B(i), GFM0E(i), GFM09(i) ) )
+#define G_IMXC3(i) \
+    ( WORD4( GFM09(i), GFM0D(i), GFM0B(i), GFM0E(i) ) )
+
+/* Now choose the T-table indexing method */
+#if defined(RIJNDAEL_GENERATE_VALUES)
+/* generate values for the tables with a function*/
+static PRUint32 gen_TInvXi(PRUint8 tx, PRUint8 i)
+{
+    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
+    si01 = SINV(i);
+    si02 = XTIME(si01);
+    si04 = XTIME(si02);
+    si08 = XTIME(si04);
+    si03 = si02 ^ si01;
+    si09 = si08 ^ si01;
+    si0B = si08 ^ si03;
+    si0D = si09 ^ si04;
+    si0E = si08 ^ si04 ^ si02;
+    switch (tx) {
+    case 0:
+	return WORD4(si0E, si09, si0D, si0B);
+    case 1:
+	return WORD4(si0B, si0E, si09, si0D);
+    case 2:
+	return WORD4(si0D, si0B, si0E, si09);
+    case 3:
+	return WORD4(si09, si0D, si0B, si0E);
+    }
+    return -1;
+}
+#define T0(i)    G_T0(i)
+#define T1(i)    G_T1(i)
+#define T2(i)    G_T2(i)
+#define T3(i)    G_T3(i)
+#define TInv0(i) gen_TInvXi(0, i)
+#define TInv1(i) gen_TInvXi(1, i)
+#define TInv2(i) gen_TInvXi(2, i)
+#define TInv3(i) gen_TInvXi(3, i)
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#elif defined(RIJNDAEL_GENERATE_VALUES_MACRO)
+/* generate values for the tables with macros */
+#define T0(i)    G_T0(i)
+#define T1(i)    G_T1(i)
+#define T2(i)    G_T2(i)
+#define T3(i)    G_T3(i)
+#define TInv0(i) G_TInv0(i)
+#define TInv1(i) G_TInv1(i)
+#define TInv2(i) G_TInv2(i)
+#define TInv3(i) G_TInv3(i)
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_TABLES_MACRO */
+/* Generate T and T**-1 table values and store, then index */
+/* The inverse mix column tables are still generated */
+#define T0(i)    rijndaelTables->T0[i]
+#define T1(i)    rijndaelTables->T1[i]
+#define T2(i)    rijndaelTables->T2[i]
+#define T3(i)    rijndaelTables->T3[i]
+#define TInv0(i) rijndaelTables->TInv0[i]
+#define TInv1(i) rijndaelTables->TInv1[i]
+#define TInv2(i) rijndaelTables->TInv2[i]
+#define TInv3(i) rijndaelTables->TInv3[i]
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#endif /* choose T-table indexing method */
+
+#endif /* not RIJNDAEL_INCLUDE_TABLES */
+
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+
+/* Code to generate and store the tables */
+
+struct rijndael_tables_str {
+    PRUint32 T0[256];
+    PRUint32 T1[256];
+    PRUint32 T2[256];
+    PRUint32 T3[256];
+    PRUint32 TInv0[256];
+    PRUint32 TInv1[256];
+    PRUint32 TInv2[256];
+    PRUint32 TInv3[256];
+};
+
+static struct rijndael_tables_str *rijndaelTables = NULL;
+static PRCallOnceType coRTInit = { 0, 0, 0 };
+static PRStatus 
+init_rijndael_tables(void)
+{
+    PRUint32 i;
+    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
+    struct rijndael_tables_str *rts;
+    rts = (struct rijndael_tables_str *)
+                   PORT_Alloc(sizeof(struct rijndael_tables_str));
+    if (!rts) return PR_FAILURE;
+    for (i=0; i<256; i++) {
+	/* The forward values */
+	si01 = SBOX(i);
+	si02 = XTIME(si01);
+	si03 = si02 ^ si01;
+	rts->T0[i] = WORD4(si02, si01, si01, si03);
+	rts->T1[i] = WORD4(si03, si02, si01, si01);
+	rts->T2[i] = WORD4(si01, si03, si02, si01);
+	rts->T3[i] = WORD4(si01, si01, si03, si02);
+	/* The inverse values */
+	si01 = SINV(i);
+	si02 = XTIME(si01);
+	si04 = XTIME(si02);
+	si08 = XTIME(si04);
+	si03 = si02 ^ si01;
+	si09 = si08 ^ si01;
+	si0B = si08 ^ si03;
+	si0D = si09 ^ si04;
+	si0E = si08 ^ si04 ^ si02;
+	rts->TInv0[i] = WORD4(si0E, si09, si0D, si0B);
+	rts->TInv1[i] = WORD4(si0B, si0E, si09, si0D);
+	rts->TInv2[i] = WORD4(si0D, si0B, si0E, si09);
+	rts->TInv3[i] = WORD4(si09, si0D, si0B, si0E);
+    }
+    /* wait until all the values are in to set */
+    rijndaelTables = rts;
+    return PR_SUCCESS;
+}
+
+#endif /* code to generate tables */
+
+/**************************************************************************
+ *
+ * Stuff related to the Rijndael key schedule
+ *
+ *************************************************************************/
+
+#define SUBBYTE(w) \
+    ((SBOX((w >> 24) & 0xff) << 24) | \
+     (SBOX((w >> 16) & 0xff) << 16) | \
+     (SBOX((w >>  8) & 0xff) <<  8) | \
+     (SBOX((w      ) & 0xff)         ))
+
+#ifdef IS_LITTLE_ENDIAN
+#define ROTBYTE(b) \
+    ((b >> 8) | (b << 24))
+#else
+#define ROTBYTE(b) \
+    ((b << 8) | (b >> 24))
+#endif
+
+/* rijndael_key_expansion7
+ *
+ * Generate the expanded key from the key input by the user.
+ * XXX
+ * Nk == 7 (224 key bits) is a weird case.  Since Nk > 6, an added SubByte
+ * transformation is done periodically.  The period is every 4 bytes, and
+ * since 7%4 != 0 this happens at different times for each key word (unlike
+ * Nk == 8 where it happens twice in every key word, in the same positions).
+ * For now, I'm implementing this case "dumbly", w/o any unrolling.
+ */
+static SECStatus
+rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int Nk)
+{
+    unsigned int i;
+    PRUint32 *W;
+    PRUint32 *pW;
+    PRUint32 tmp;
+    W = cx->expandedKey;
+    /* 1.  the first Nk words contain the cipher key */
+    memcpy(W, key, Nk * 4);
+    i = Nk;
+    /* 2.  loop until full expanded key is obtained */
+    pW = W + i - 1;
+    for (; i < cx->Nb * (cx->Nr + 1); ++i) {
+	tmp = *pW++;
+	if (i % Nk == 0)
+	    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+	else if (i % Nk == 4)
+	    tmp = SUBBYTE(tmp);
+	*pW = W[i - Nk] ^ tmp;
+    }
+    return SECSuccess;
+}
+
+/* rijndael_key_expansion
+ *
+ * Generate the expanded key from the key input by the user.
+ */
+static SECStatus
+rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
+{
+    unsigned int i;
+    PRUint32 *W;
+    PRUint32 *pW;
+    PRUint32 tmp;
+    unsigned int round_key_words = cx->Nb * (cx->Nr + 1);
+    if (Nk == 7)
+	return rijndael_key_expansion7(cx, key, Nk);
+    W = cx->expandedKey;
+    /* The first Nk words contain the input cipher key */
+    memcpy(W, key, Nk * 4);
+    i = Nk;
+    pW = W + i - 1;
+    /* Loop over all sets of Nk words, except the last */
+    while (i < round_key_words - Nk) {
+	tmp = *pW++;
+	tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+	*pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	if (Nk == 4)
+	    continue;
+	switch (Nk) {
+	case 8: tmp = *pW++; tmp = SUBBYTE(tmp); *pW = W[i++ - Nk] ^ tmp;
+	case 7: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	case 6: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	case 5: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	}
+    }
+    /* Generate the last word */
+    tmp = *pW++;
+    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+    *pW = W[i++ - Nk] ^ tmp;
+    /* There may be overflow here, if Nk % (Nb * (Nr + 1)) > 0.  However,
+     * since the above loop generated all but the last Nk key words, there
+     * is no more need for the SubByte transformation.
+     */
+    if (Nk < 8) {
+	for (; i < round_key_words; ++i) {
+	    tmp = *pW++; 
+	    *pW = W[i - Nk] ^ tmp;
+	}
+    } else {
+	/* except in the case when Nk == 8.  Then one more SubByte may have
+	 * to be performed, at i % Nk == 4.
+	 */
+	for (; i < round_key_words; ++i) {
+	    tmp = *pW++;
+	    if (i % Nk == 4)
+		tmp = SUBBYTE(tmp);
+	    *pW = W[i - Nk] ^ tmp;
+	}
+    }
+    return SECSuccess;
+}
+
+/* rijndael_invkey_expansion
+ *
+ * Generate the expanded key for the inverse cipher from the key input by 
+ * the user.
+ */
+static SECStatus
+rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
+{
+    unsigned int r;
+    PRUint32 *roundkeyw;
+    PRUint8 *b;
+    int Nb = cx->Nb;
+    /* begins like usual key expansion ... */
+    if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
+	return SECFailure;
+    /* ... but has the additional step of InvMixColumn,
+     * excepting the first and last round keys.
+     */
+    roundkeyw = cx->expandedKey + cx->Nb;
+    for (r=1; r<cx->Nr; ++r) {
+	/* each key word, roundkeyw, represents a column in the key
+	 * matrix.  Each column is multiplied by the InvMixColumn matrix.
+	 *   [ 0E 0B 0D 09 ]   [ b0 ]
+	 *   [ 09 0E 0B 0D ] * [ b1 ]
+	 *   [ 0D 09 0E 0B ]   [ b2 ]
+	 *   [ 0B 0D 09 0E ]   [ b3 ]
+	 */
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	if (Nb <= 4)
+	    continue;
+	switch (Nb) {
+	case 8: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 7: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 6: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 5: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	}
+    }
+    return SECSuccess;
+}
+/**************************************************************************
+ *
+ * Stuff related to Rijndael encryption/decryption, optimized for
+ * a 128-bit blocksize.
+ *
+ *************************************************************************/
+
+#ifdef IS_LITTLE_ENDIAN
+#define BYTE0WORD(w) ((w) & 0x000000ff)
+#define BYTE1WORD(w) ((w) & 0x0000ff00)
+#define BYTE2WORD(w) ((w) & 0x00ff0000)
+#define BYTE3WORD(w) ((w) & 0xff000000)
+#else
+#define BYTE0WORD(w) ((w) & 0xff000000)
+#define BYTE1WORD(w) ((w) & 0x00ff0000)
+#define BYTE2WORD(w) ((w) & 0x0000ff00)
+#define BYTE3WORD(w) ((w) & 0x000000ff)
+#endif
+
+typedef union {
+    PRUint32 w[4];
+    PRUint8  b[16];
+} rijndael_state;
+
+#define COLUMN_0(state) state.w[0]
+#define COLUMN_1(state) state.w[1]
+#define COLUMN_2(state) state.w[2]
+#define COLUMN_3(state) state.w[3]
+
+#define STATE_BYTE(i) state.b[i]
+
+static SECStatus 
+rijndael_encryptBlock128(AESContext *cx, 
+                         unsigned char *output,
+                         const unsigned char *input)
+{
+    unsigned int r;
+    PRUint32 *roundkeyw;
+    rijndael_state state;
+    PRUint32 C0, C1, C2, C3;
+#if defined(_X86_)
+#define pIn input
+#define pOut output
+#else
+    unsigned char *pIn, *pOut;
+    PRUint32 inBuf[4], outBuf[4];
+
+    if ((ptrdiff_t)input & 0x3) {
+	memcpy(inBuf, input, sizeof inBuf);
+	pIn = (unsigned char *)inBuf;
+    } else {
+	pIn = (unsigned char *)input;
+    }
+    if ((ptrdiff_t)output & 0x3) {
+	pOut = (unsigned char *)outBuf;
+    } else {
+	pOut = (unsigned char *)output;
+    }
+#endif
+    roundkeyw = cx->expandedKey;
+    /* Step 1: Add Round Key 0 to initial state */
+    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw++;
+    COLUMN_1(state) = *((PRUint32 *)(pIn + 4 )) ^ *roundkeyw++;
+    COLUMN_2(state) = *((PRUint32 *)(pIn + 8 )) ^ *roundkeyw++;
+    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw++;
+    /* Step 2: Loop over rounds [1..NR-1] */
+    for (r=1; r<cx->Nr; ++r) {
+        /* Do ShiftRow, ByteSub, and MixColumn all at once */
+	C0 = T0(STATE_BYTE(0))  ^
+	     T1(STATE_BYTE(5))  ^
+	     T2(STATE_BYTE(10)) ^
+	     T3(STATE_BYTE(15));
+	C1 = T0(STATE_BYTE(4))  ^
+	     T1(STATE_BYTE(9))  ^
+	     T2(STATE_BYTE(14)) ^
+	     T3(STATE_BYTE(3));
+	C2 = T0(STATE_BYTE(8))  ^
+	     T1(STATE_BYTE(13)) ^
+	     T2(STATE_BYTE(2))  ^
+	     T3(STATE_BYTE(7));
+	C3 = T0(STATE_BYTE(12)) ^
+	     T1(STATE_BYTE(1))  ^
+	     T2(STATE_BYTE(6))  ^
+	     T3(STATE_BYTE(11));
+	/* Round key addition */
+	COLUMN_0(state) = C0 ^ *roundkeyw++;
+	COLUMN_1(state) = C1 ^ *roundkeyw++;
+	COLUMN_2(state) = C2 ^ *roundkeyw++;
+	COLUMN_3(state) = C3 ^ *roundkeyw++;
+    }
+    /* Step 3: Do the last round */
+    /* Final round does not employ MixColumn */
+    C0 = ((BYTE0WORD(T2(STATE_BYTE(0))))   |
+          (BYTE1WORD(T3(STATE_BYTE(5))))   |
+          (BYTE2WORD(T0(STATE_BYTE(10))))  |
+          (BYTE3WORD(T1(STATE_BYTE(15)))))  ^
+          *roundkeyw++;
+    C1 = ((BYTE0WORD(T2(STATE_BYTE(4))))   |
+          (BYTE1WORD(T3(STATE_BYTE(9))))   |
+          (BYTE2WORD(T0(STATE_BYTE(14))))  |
+          (BYTE3WORD(T1(STATE_BYTE(3)))))   ^
+          *roundkeyw++;
+    C2 = ((BYTE0WORD(T2(STATE_BYTE(8))))   |
+          (BYTE1WORD(T3(STATE_BYTE(13))))  |
+          (BYTE2WORD(T0(STATE_BYTE(2))))   |
+          (BYTE3WORD(T1(STATE_BYTE(7)))))   ^
+          *roundkeyw++;
+    C3 = ((BYTE0WORD(T2(STATE_BYTE(12))))  |
+          (BYTE1WORD(T3(STATE_BYTE(1))))   |
+          (BYTE2WORD(T0(STATE_BYTE(6))))   |
+          (BYTE3WORD(T1(STATE_BYTE(11)))))  ^
+          *roundkeyw++;
+    *((PRUint32 *) pOut     )  = C0;
+    *((PRUint32 *)(pOut + 4))  = C1;
+    *((PRUint32 *)(pOut + 8))  = C2;
+    *((PRUint32 *)(pOut + 12)) = C3;
+#if defined(_X86_)
+#undef pIn
+#undef pOut
+#else
+    if ((ptrdiff_t)output & 0x3) {
+	memcpy(output, outBuf, sizeof outBuf);
+    }
+#endif
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptBlock128(AESContext *cx, 
+                         unsigned char *output,
+                         const unsigned char *input)
+{
+    int r;
+    PRUint32 *roundkeyw;
+    rijndael_state state;
+    PRUint32 C0, C1, C2, C3;
+#if defined(_X86_)
+#define pIn input
+#define pOut output
+#else
+    unsigned char *pIn, *pOut;
+    PRUint32 inBuf[4], outBuf[4];
+
+    if ((ptrdiff_t)input & 0x3) {
+	memcpy(inBuf, input, sizeof inBuf);
+	pIn = (unsigned char *)inBuf;
+    } else {
+	pIn = (unsigned char *)input;
+    }
+    if ((ptrdiff_t)output & 0x3) {
+	pOut = (unsigned char *)outBuf;
+    } else {
+	pOut = (unsigned char *)output;
+    }
+#endif
+    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
+    /* reverse the final key addition */
+    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--;
+    COLUMN_2(state) = *((PRUint32 *)(pIn +  8)) ^ *roundkeyw--;
+    COLUMN_1(state) = *((PRUint32 *)(pIn +  4)) ^ *roundkeyw--;
+    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw--;
+    /* Loop over rounds in reverse [NR..1] */
+    for (r=cx->Nr; r>1; --r) {
+	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
+	C0 = TInv0(STATE_BYTE(0))  ^
+	     TInv1(STATE_BYTE(13)) ^
+	     TInv2(STATE_BYTE(10)) ^
+	     TInv3(STATE_BYTE(7));
+	C1 = TInv0(STATE_BYTE(4))  ^
+	     TInv1(STATE_BYTE(1))  ^
+	     TInv2(STATE_BYTE(14)) ^
+	     TInv3(STATE_BYTE(11));
+	C2 = TInv0(STATE_BYTE(8))  ^
+	     TInv1(STATE_BYTE(5))  ^
+	     TInv2(STATE_BYTE(2))  ^
+	     TInv3(STATE_BYTE(15));
+	C3 = TInv0(STATE_BYTE(12)) ^
+	     TInv1(STATE_BYTE(9))  ^
+	     TInv2(STATE_BYTE(6))  ^
+	     TInv3(STATE_BYTE(3));
+	/* Invert the key addition step */
+	COLUMN_3(state) = C3 ^ *roundkeyw--;
+	COLUMN_2(state) = C2 ^ *roundkeyw--;
+	COLUMN_1(state) = C1 ^ *roundkeyw--;
+	COLUMN_0(state) = C0 ^ *roundkeyw--;
+    }
+    /* inverse sub */
+    pOut[ 0] = SINV(STATE_BYTE( 0));
+    pOut[ 1] = SINV(STATE_BYTE(13));
+    pOut[ 2] = SINV(STATE_BYTE(10));
+    pOut[ 3] = SINV(STATE_BYTE( 7));
+    pOut[ 4] = SINV(STATE_BYTE( 4));
+    pOut[ 5] = SINV(STATE_BYTE( 1));
+    pOut[ 6] = SINV(STATE_BYTE(14));
+    pOut[ 7] = SINV(STATE_BYTE(11));
+    pOut[ 8] = SINV(STATE_BYTE( 8));
+    pOut[ 9] = SINV(STATE_BYTE( 5));
+    pOut[10] = SINV(STATE_BYTE( 2));
+    pOut[11] = SINV(STATE_BYTE(15));
+    pOut[12] = SINV(STATE_BYTE(12));
+    pOut[13] = SINV(STATE_BYTE( 9));
+    pOut[14] = SINV(STATE_BYTE( 6));
+    pOut[15] = SINV(STATE_BYTE( 3));
+    /* final key addition */
+    *((PRUint32 *)(pOut + 12)) ^= *roundkeyw--;
+    *((PRUint32 *)(pOut +  8)) ^= *roundkeyw--;
+    *((PRUint32 *)(pOut +  4)) ^= *roundkeyw--;
+    *((PRUint32 *) pOut      ) ^= *roundkeyw--;
+#if defined(_X86_)
+#undef pIn
+#undef pOut
+#else
+    if ((ptrdiff_t)output & 0x3) {
+	memcpy(output, outBuf, sizeof outBuf);
+    }
+#endif
+    return SECSuccess;
+}
+
+/**************************************************************************
+ *
+ * Stuff related to general Rijndael encryption/decryption, for blocksizes
+ * greater than 128 bits.
+ *
+ * XXX This code is currently untested!  So far, AES specs have only been
+ *     released for 128 bit blocksizes.  This will be tested, but for now
+ *     only the code above has been tested using known values.
+ *
+ *************************************************************************/
+
+#define COLUMN(array, j) *((PRUint32 *)(array + j))
+
+SECStatus 
+rijndael_encryptBlock(AESContext *cx, 
+                      unsigned char *output,
+                      const unsigned char *input)
+{
+    return SECFailure;
+#ifdef rijndael_large_blocks_fixed
+    unsigned int j, r, Nb;
+    unsigned int c2=0, c3=0;
+    PRUint32 *roundkeyw;
+    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
+    Nb = cx->Nb;
+    roundkeyw = cx->expandedKey;
+    /* Step 1: Add Round Key 0 to initial state */
+    for (j=0; j<4*Nb; j+=4) {
+	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw++;
+    }
+    /* Step 2: Loop over rounds [1..NR-1] */
+    for (r=1; r<cx->Nr; ++r) {
+	for (j=0; j<Nb; ++j) {
+	    COLUMN(output, j) = T0(STATE_BYTE(4*  j          )) ^
+	                        T1(STATE_BYTE(4*((j+ 1)%Nb)+1)) ^
+	                        T2(STATE_BYTE(4*((j+c2)%Nb)+2)) ^
+	                        T3(STATE_BYTE(4*((j+c3)%Nb)+3));
+	}
+	for (j=0; j<4*Nb; j+=4) {
+	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw++;
+	}
+    }
+    /* Step 3: Do the last round */
+    /* Final round does not employ MixColumn */
+    for (j=0; j<Nb; ++j) {
+	COLUMN(output, j) = ((BYTE0WORD(T2(STATE_BYTE(4* j         ))))  |
+                             (BYTE1WORD(T3(STATE_BYTE(4*(j+ 1)%Nb)+1)))  |
+                             (BYTE2WORD(T0(STATE_BYTE(4*(j+c2)%Nb)+2)))  |
+                             (BYTE3WORD(T1(STATE_BYTE(4*(j+c3)%Nb)+3)))) ^
+	                     *roundkeyw++;
+    }
+    return SECSuccess;
+#endif
+}
+
+SECStatus 
+rijndael_decryptBlock(AESContext *cx, 
+                      unsigned char *output,
+                      const unsigned char *input)
+{
+    return SECFailure;
+#ifdef rijndael_large_blocks_fixed
+    int j, r, Nb;
+    int c2=0, c3=0;
+    PRUint32 *roundkeyw;
+    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
+    Nb = cx->Nb;
+    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
+    /* reverse key addition */
+    for (j=4*Nb; j>=0; j-=4) {
+	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw--;
+    }
+    /* Loop over rounds in reverse [NR..1] */
+    for (r=cx->Nr; r>1; --r) {
+	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
+	for (j=0; j<Nb; ++j) {
+	    COLUMN(output, 4*j) = TInv0(STATE_BYTE(4* j            )) ^
+	                          TInv1(STATE_BYTE(4*(j+Nb- 1)%Nb)+1) ^
+	                          TInv2(STATE_BYTE(4*(j+Nb-c2)%Nb)+2) ^
+	                          TInv3(STATE_BYTE(4*(j+Nb-c3)%Nb)+3);
+	}
+	/* Invert the key addition step */
+	for (j=4*Nb; j>=0; j-=4) {
+	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw--;
+	}
+    }
+    /* inverse sub */
+    for (j=0; j<4*Nb; ++j) {
+	output[j] = SINV(clone[j]);
+    }
+    /* final key addition */
+    for (j=4*Nb; j>=0; j-=4) {
+	COLUMN(output, j) ^= *roundkeyw--;
+    }
+    return SECSuccess;
+#endif
+}
+
+/**************************************************************************
+ *
+ *  Rijndael modes of operation (ECB and CBC)
+ *
+ *************************************************************************/
+
+static SECStatus 
+rijndael_encryptECB(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    unsigned int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *encryptor;
+    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_encryptBlock128 
+				  : &rijndael_encryptBlock;
+    while (inputLen > 0) {
+        rv = (*encryptor)(cx, output, input);
+	if (rv != SECSuccess)
+	    return rv;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_encryptCBC(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    unsigned int blocksize)
+{
+    unsigned int j;
+    SECStatus rv;
+    AESBlockFunc *encryptor;
+    unsigned char *lastblock;
+    unsigned char inblock[RIJNDAEL_MAX_STATE_SIZE * 8];
+
+    if (!inputLen)
+	return SECSuccess;
+    lastblock = cx->iv;
+    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_encryptBlock128 
+				  : &rijndael_encryptBlock;
+    while (inputLen > 0) {
+	/* XOR with the last block (IV if first block) */
+	for (j=0; j<blocksize; ++j)
+	    inblock[j] = input[j] ^ lastblock[j];
+	/* encrypt */
+        rv = (*encryptor)(cx, output, inblock);
+	if (rv != SECSuccess)
+	    return rv;
+	/* move to the next block */
+	lastblock = output;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    memcpy(cx->iv, lastblock, blocksize);
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptECB(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    unsigned int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *decryptor;
+    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_decryptBlock128 
+				  : &rijndael_decryptBlock;
+    while (inputLen > 0) {
+        rv = (*decryptor)(cx, output, input);
+	if (rv != SECSuccess)
+	    return rv;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptCBC(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    unsigned int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *decryptor;
+    const unsigned char *in;
+    unsigned char *out;
+    unsigned int j;
+    unsigned char newIV[RIJNDAEL_MAX_BLOCKSIZE];
+
+    if (!inputLen) 
+	return SECSuccess;
+    PORT_Assert(output - input >= 0 || input - output >= (int)inputLen );
+    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+                                  ? &rijndael_decryptBlock128 
+				  : &rijndael_decryptBlock;
+    in  = input  + (inputLen - blocksize);
+    memcpy(newIV, in, blocksize);
+    out = output + (inputLen - blocksize);
+    while (inputLen > blocksize) {
+        rv = (*decryptor)(cx, out, in);
+	if (rv != SECSuccess)
+	    return rv;
+	for (j=0; j<blocksize; ++j)
+	    out[j] ^= in[(int)(j - blocksize)];
+	out -= blocksize;
+	in -= blocksize;
+	inputLen -= blocksize;
+    }
+    if (in == input) {
+        rv = (*decryptor)(cx, out, in);
+	if (rv != SECSuccess)
+	    return rv;
+	for (j=0; j<blocksize; ++j)
+	    out[j] ^= cx->iv[j];
+    }
+    memcpy(cx->iv, newIV, blocksize);
+    return SECSuccess;
+}
+
+/************************************************************************
+ *
+ * BLAPI Interface functions
+ *
+ * The following functions implement the encryption routines defined in
+ * BLAPI for the AES cipher, Rijndael.
+ *
+ ***********************************************************************/
+
+AESContext * AES_AllocateContext(void)
+{
+    return PORT_ZNew(AESContext);
+}
+
+SECStatus   
+AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, 
+	        const unsigned char *iv, int mode, unsigned int encrypt,
+	        unsigned int blocksize)
+{
+    unsigned int Nk;
+    /* According to Rijndael AES Proposal, section 12.1, block and key
+     * lengths between 128 and 256 bits are supported, as long as the
+     * length in bytes is divisible by 4.
+     */
+    if (key == NULL || 
+        keysize < RIJNDAEL_MIN_BLOCKSIZE   || 
+	keysize > RIJNDAEL_MAX_BLOCKSIZE   || 
+	keysize % 4 != 0 ||
+        blocksize < RIJNDAEL_MIN_BLOCKSIZE || 
+	blocksize > RIJNDAEL_MAX_BLOCKSIZE || 
+	blocksize % 4 != 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (mode != NSS_AES && mode != NSS_AES_CBC) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (mode == NSS_AES_CBC && iv == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    /* Nb = (block size in bits) / 32 */
+    cx->Nb = blocksize / 4;
+    /* Nk = (key size in bits) / 32 */
+    Nk = keysize / 4;
+    /* Obtain number of rounds from "table" */
+    cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
+    /* copy in the iv, if neccessary */
+    if (mode == NSS_AES_CBC) {
+	memcpy(cx->iv, iv, blocksize);
+	cx->worker = (encrypt) ? &rijndael_encryptCBC : &rijndael_decryptCBC;
+    } else {
+	cx->worker = (encrypt) ? &rijndael_encryptECB : &rijndael_decryptECB;
+    }
+    PORT_Assert((cx->Nb * (cx->Nr + 1)) <= RIJNDAEL_MAX_EXP_KEY_SIZE);
+    if ((cx->Nb * (cx->Nr + 1)) > RIJNDAEL_MAX_EXP_KEY_SIZE) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	goto cleanup;
+    }
+    /* Generate expanded key */
+    if (encrypt) {
+	if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
+	    goto cleanup;
+    } else {
+	if (rijndael_invkey_expansion(cx, key, Nk) != SECSuccess)
+	    goto cleanup;
+    }
+    return SECSuccess;
+cleanup:
+    return SECFailure;
+}
+
+
+/* AES_CreateContext
+ *
+ * create a new context for Rijndael operations
+ */
+AESContext *
+AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
+                  int mode, int encrypt,
+                  unsigned int keysize, unsigned int blocksize)
+{
+    AESContext *cx = AES_AllocateContext();
+    if (cx) {
+	SECStatus rv = AES_InitContext(cx, key, keysize, iv, mode, encrypt,
+				       blocksize);
+	if (rv != SECSuccess) {
+	    AES_DestroyContext(cx, PR_TRUE);
+	    cx = NULL;
+	}
+    }
+    return cx;
+}
+
+/*
+ * AES_DestroyContext
+ * 
+ * Zero an AES cipher context.  If freeit is true, also free the pointer
+ * to the context.
+ */
+void 
+AES_DestroyContext(AESContext *cx, PRBool freeit)
+{
+/*  memset(cx, 0, sizeof *cx); */
+    if (freeit)
+	PORT_Free(cx);
+}
+
+/*
+ * AES_Encrypt
+ *
+ * Encrypt an arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    int blocksize;
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    blocksize = 4 * cx->Nb;
+    if (inputLen % blocksize != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+    if (rijndaelTables == NULL) {
+	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
+	      != PR_SUCCESS) {
+	    return PR_FAILURE;
+	}
+    }
+#endif
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+                             input, inputLen, blocksize);
+}
+
+/*
+ * AES_Decrypt
+ *
+ * Decrypt and arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    int blocksize;
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    blocksize = 4 * cx->Nb;
+    if (inputLen % blocksize != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+    if (rijndaelTables == NULL) {
+	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
+	      != PR_SUCCESS) {
+	    return PR_FAILURE;
+	}
+    }
+#endif
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+                             input, inputLen, blocksize);
+}
+
diff --git a/security/nss/lib/freebl/rijndael.h b/security/nss/lib/freebl/rijndael.h
new file mode 100644
index 000000000..4ace67528
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael.h
@@ -0,0 +1,95 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _RIJNDAEL_H_
+#define _RIJNDAEL_H_ 1
+
+#define RIJNDAEL_MIN_BLOCKSIZE 16 /* bytes */
+#define RIJNDAEL_MAX_BLOCKSIZE 32 /* bytes */
+
+typedef SECStatus AESFunc(AESContext *cx, unsigned char *output,
+                          unsigned int *outputLen, unsigned int maxOutputLen,
+                          const unsigned char *input, unsigned int inputLen, 
+                          unsigned int blocksize);
+
+typedef SECStatus AESBlockFunc(AESContext *cx, 
+                               unsigned char *output,
+                               const unsigned char *input);
+
+/* RIJNDAEL_NUM_ROUNDS
+ *
+ * Number of rounds per execution
+ * Nk - number of key bytes
+ * Nb - blocksize (in bytes)
+ */
+#define RIJNDAEL_NUM_ROUNDS(Nk, Nb) \
+    (PR_MAX(Nk, Nb) + 6)
+
+/* RIJNDAEL_MAX_STATE_SIZE 
+ *
+ * Maximum number of bytes in the state (spec includes up to 256-bit block
+ * size)
+ */
+#define RIJNDAEL_MAX_STATE_SIZE 32
+
+/*
+ * This magic number is (Nb_max * (Nr_max + 1))
+ * where Nb_max is the maximum block size in 32-bit words,
+ *       Nr_max is the maximum number of rounds, which is Nb_max + 6
+ */
+#define RIJNDAEL_MAX_EXP_KEY_SIZE (8 * 15)
+
+/* AESContextStr
+ *
+ * Values which maintain the state for Rijndael encryption/decryption.
+ *
+ * iv          - initialization vector for CBC mode
+ * Nb          - the number of bytes in a block, specified by user
+ * Nr          - the number of rounds, specified by a table
+ * expandedKey - the round keys in 4-byte words, the length is Nr * Nb
+ * worker      - the encryption/decryption function to use with this context
+ */
+struct AESContextStr
+{
+    unsigned int   Nb;
+    unsigned int   Nr;
+    AESFunc       *worker;
+    unsigned char iv[RIJNDAEL_MAX_BLOCKSIZE];
+    PRUint32      expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE];
+};
+
+#endif /* _RIJNDAEL_H_ */
diff --git a/security/nss/lib/freebl/rijndael32.tab b/security/nss/lib/freebl/rijndael32.tab
new file mode 100644
index 000000000..6b78e2e8b
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael32.tab
@@ -0,0 +1,1215 @@
+#ifndef RIJNDAEL_INCLUDE_TABLES
+static const PRUint8 _S[256] = 
+{
+ 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118,
+202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
+183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21,
+  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117,
+  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132,
+ 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207,
+208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168,
+ 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210,
+205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115,
+ 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219,
+224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121,
+231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8,
+186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138,
+112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158,
+225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22 
+};
+#endif /* not RIJNDAEL_INCLUDE_TABLES */
+
+static const PRUint8 _SInv[256] = 
+{
+ 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251,
+124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203,
+ 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78,
+  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37,
+114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146,
+108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132,
+144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6,
+208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107,
+ 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115,
+150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110,
+ 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27,
+252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244,
+ 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95,
+ 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239,
+160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97,
+ 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125 
+};
+
+#ifdef RIJNDAEL_INCLUDE_TABLES
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T0[256] = 
+{
+0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, 0xbd6b6bd6,
+0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 0x45caca8f, 0x9d82821f,
+0x40c9c989, 0x877d7dfa, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453,
+0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0x5c343468, 0xf4a5a551,
+0x34e5e5d1, 0x08f1f1f9, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637,
+0x0f05050a, 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, 0x9e83831d,
+0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x7b292952, 0x3ee3e3dd,
+0x712f2f5e, 0x97848413, 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d,
+0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0xc5434386, 0xd74d4d9a,
+0x55333366, 0x94858511, 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d,
+0xc0404080, 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, 0x1affffe5,
+0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, 0x57c4c493, 0xf2a7a755,
+0x827e7efc, 0x473d3d7a, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54,
+0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 0x3be0e0db, 0x56323264,
+0x4e3a3a74, 0x1e0a0a14, 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531,
+0x37e4e4d3, 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, 0xfa5656ac,
+0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x241c1c38, 0xf1a6a657,
+0xc7b4b473, 0x51c6c697, 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c,
+0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0x91868617, 0x58c1c199,
+0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c,
+0x92878715, 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, 0x31e6e6d7,
+0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c  
+};
+#else
+static const PRUint32 _T0[256] = 
+{
+0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd,
+0xde6f6fb1, 0x91c5c554, 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
+0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, 0x8fcaca45, 0x1f82829d,
+0x89c9c940, 0xfa7d7d87, 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
+0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, 0x239c9cbf, 0x53a4a4f7,
+0xe4727296, 0x9bc0c05b, 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
+0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, 0x6834345c, 0x51a5a5f4,
+0xd1e5e534, 0xf9f1f108, 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
+0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, 0x30181828, 0x379696a1,
+0x0a05050f, 0x2f9a9ab5, 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
+0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, 0x1209091b, 0x1d83839e,
+0x582c2c74, 0x341a1a2e, 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
+0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, 0x5229297b, 0xdde3e33e,
+0x5e2f2f71, 0x13848497, 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
+0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, 0xd46a6abe, 0x8dcbcb46,
+0x67bebed9, 0x7239394b, 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
+0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, 0x864343c5, 0x9a4d4dd7,
+0x66333355, 0x11858594, 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
+0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, 0xa25151f3, 0x5da3a3fe,
+0x804040c0, 0x058f8f8a, 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
+0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, 0x20101030, 0xe5ffff1a,
+0xfdf3f30e, 0xbfd2d26d, 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
+0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, 0x93c4c457, 0x55a7a7f2,
+0xfc7e7e82, 0x7a3d3d47, 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
+0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, 0x44222266, 0x542a2a7e,
+0x3b9090ab, 0x0b888883, 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
+0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, 0xdbe0e03b, 0x64323256,
+0x743a3a4e, 0x140a0a1e, 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
+0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, 0x399191a8, 0x319595a4,
+0xd3e4e437, 0xf279798b, 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
+0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, 0xd86c6cb4, 0xac5656fa,
+0xf3f4f407, 0xcfeaea25, 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
+0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, 0x381c1c24, 0x57a6a6f1,
+0x73b4b4c7, 0x97c6c651, 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
+0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85, 0xe0707090, 0x7c3e3e42,
+0x71b5b5c4, 0xcc6666aa, 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
+0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, 0x17868691, 0x99c1c158,
+0x3a1d1d27, 0x279e9eb9, 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
+0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7, 0x2d9b9bb6, 0x3c1e1e22,
+0x15878792, 0xc9e9e920, 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
+0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17, 0x65bfbfda, 0xd7e6e631,
+0x844242c6, 0xd06868b8, 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
+0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T1[256] = 
+{
+0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 0xf2f2ff0d, 0x6b6bd6bd,
+0x6f6fdeb1, 0xc5c59154, 0x30306050, 0x01010203, 0x6767cea9, 0x2b2b567d,
+0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a, 0xcaca8f45, 0x82821f9d,
+0xc9c98940, 0x7d7dfa87, 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b,
+0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, 0x9c9c23bf, 0xa4a453f7,
+0x7272e496, 0xc0c09b5b, 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a,
+0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, 0x3434685c, 0xa5a551f4,
+0xe5e5d134, 0xf1f1f908, 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f,
+0x0404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e, 0x18183028, 0x969637a1,
+0x05050a0f, 0x9a9a2fb5, 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d,
+0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, 0x0909121b, 0x83831d9e,
+0x2c2c5874, 0x1a1a342e, 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb,
+0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce, 0x2929527b, 0xe3e3dd3e,
+0x2f2f5e71, 0x84841397, 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c,
+0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, 0x6a6ad4be, 0xcbcb8d46,
+0xbebe67d9, 0x3939724b, 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a,
+0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, 0x434386c5, 0x4d4d9ad7,
+0x33336655, 0x85851194, 0x45458acf, 0xf9f9e910, 0x02020406, 0x7f7ffe81,
+0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3, 0x5151a2f3, 0xa3a35dfe,
+0x404080c0, 0x8f8f058a, 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104,
+0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, 0x10102030, 0xffffe51a,
+0xf3f3fd0e, 0xd2d2bf6d, 0xcdcd814c, 0x0c0c1814, 0x13132635, 0xececc32f,
+0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39, 0xc4c49357, 0xa7a755f2,
+0x7e7efc82, 0x3d3d7a47, 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695,
+0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f, 0x22224466, 0x2a2a547e,
+0x90903bab, 0x88880b83, 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c,
+0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76, 0xe0e0db3b, 0x32326456,
+0x3a3a744e, 0x0a0a141e, 0x494992db, 0x06060c0a, 0x2424486c, 0x5c5cb8e4,
+0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6, 0x919139a8, 0x959531a4,
+0xe4e4d337, 0x7979f28b, 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7,
+0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, 0x6c6cd8b4, 0x5656acfa,
+0xf4f4f307, 0xeaeacf25, 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x08081018,
+0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72, 0x1c1c3824, 0xa6a657f1,
+0xb4b473c7, 0xc6c69751, 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21,
+0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, 0x7070e090, 0x3e3e7c42,
+0xb5b571c4, 0x6666ccaa, 0x484890d8, 0x03030605, 0xf6f6f701, 0x0e0e1c12,
+0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, 0x86861791, 0xc1c19958,
+0x1d1d3a27, 0x9e9e27b9, 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233,
+0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7, 0x9b9b2db6, 0x1e1e3c22,
+0x87871592, 0xe9e9c920, 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a,
+0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17, 0xbfbf65da, 0xe6e6d731,
+0x424284c6, 0x6868d0b8, 0x414182c3, 0x999929b0, 0x2d2d5a77, 0x0f0f1e11,
+0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a  
+};
+#else
+static const PRUint32 _T1[256] = 
+{
+0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, 0x0dfff2f2, 0xbdd66b6b,
+0xb1de6f6f, 0x5491c5c5, 0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b,
+0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676, 0x458fcaca, 0x9d1f8282,
+0x4089c9c9, 0x87fa7d7d, 0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0,
+0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf, 0xbf239c9c, 0xf753a4a4,
+0x96e47272, 0x5b9bc0c0, 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626,
+0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc, 0x5c683434, 0xf451a5a5,
+0x34d1e5e5, 0x08f9f1f1, 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515,
+0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3, 0x28301818, 0xa1379696,
+0x0f0a0505, 0xb52f9a9a, 0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2,
+0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575, 0x1b120909, 0x9e1d8383,
+0x74582c2c, 0x2e341a1a, 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0,
+0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3, 0x7b522929, 0x3edde3e3,
+0x715e2f2f, 0x97138484, 0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded,
+0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b, 0xbed46a6a, 0x468dcbcb,
+0xd967bebe, 0x4b723939, 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf,
+0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb, 0xc5864343, 0xd79a4d4d,
+0x55663333, 0x94118585, 0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f,
+0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8, 0xf3a25151, 0xfe5da3a3,
+0xc0804040, 0x8a058f8f, 0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5,
+0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121, 0x30201010, 0x1ae5ffff,
+0x0efdf3f3, 0x6dbfd2d2, 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec,
+0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717, 0x5793c4c4, 0xf255a7a7,
+0x82fc7e7e, 0x477a3d3d, 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373,
+0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc, 0x66442222, 0x7e542a2a,
+0xab3b9090, 0x830b8888, 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414,
+0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb, 0x3bdbe0e0, 0x56643232,
+0x4e743a3a, 0x1e140a0a, 0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c,
+0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262, 0xa8399191, 0xa4319595,
+0x37d3e4e4, 0x8bf27979, 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d,
+0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9, 0xb4d86c6c, 0xfaac5656,
+0x07f3f4f4, 0x25cfeaea, 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808,
+0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e, 0x24381c1c, 0xf157a6a6,
+0xc773b4b4, 0x5197c6c6, 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f,
+0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a, 0x90e07070, 0x427c3e3e,
+0xc471b5b5, 0xaacc6666, 0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e,
+0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9, 0x91178686, 0x5899c1c1,
+0x273a1d1d, 0xb9279e9e, 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111,
+0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494, 0xb62d9b9b, 0x223c1e1e,
+0x92158787, 0x20c9e9e9, 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf,
+0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d, 0xda65bfbf, 0x31d7e6e6,
+0xc6844242, 0xb8d06868, 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f,
+0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T2[256] = 
+{
+0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 0xf2ff0df2, 0x6bd6bd6b,
+0x6fdeb16f, 0xc59154c5, 0x30605030, 0x01020301, 0x67cea967, 0x2b567d2b,
+0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76, 0xca8f45ca, 0x821f9d82,
+0xc98940c9, 0x7dfa877d, 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0,
+0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, 0x9c23bf9c, 0xa453f7a4,
+0x72e49672, 0xc09b5bc0, 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26,
+0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, 0x34685c34, 0xa551f4a5,
+0xe5d134e5, 0xf1f908f1, 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15,
+0x04080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3, 0x18302818, 0x9637a196,
+0x050a0f05, 0x9a2fb59a, 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2,
+0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, 0x09121b09, 0x831d9e83,
+0x2c58742c, 0x1a342e1a, 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0,
+0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3, 0x29527b29, 0xe3dd3ee3,
+0x2f5e712f, 0x84139784, 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced,
+0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, 0x6ad4be6a, 0xcb8d46cb,
+0xbe67d9be, 0x39724b39, 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf,
+0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, 0x4386c543, 0x4d9ad74d,
+0x33665533, 0x85119485, 0x458acf45, 0xf9e910f9, 0x02040602, 0x7ffe817f,
+0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8, 0x51a2f351, 0xa35dfea3,
+0x4080c040, 0x8f058a8f, 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5,
+0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, 0x10203010, 0xffe51aff,
+0xf3fd0ef3, 0xd2bf6dd2, 0xcd814ccd, 0x0c18140c, 0x13263513, 0xecc32fec,
+0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917, 0xc49357c4, 0xa755f2a7,
+0x7efc827e, 0x3d7a473d, 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573,
+0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc, 0x22446622, 0x2a547e2a,
+0x903bab90, 0x880b8388, 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14,
+0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db, 0xe0db3be0, 0x32645632,
+0x3a744e3a, 0x0a141e0a, 0x4992db49, 0x060c0a06, 0x24486c24, 0x5cb8e45c,
+0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662, 0x9139a891, 0x9531a495,
+0xe4d337e4, 0x79f28b79, 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d,
+0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, 0x6cd8b46c, 0x56acfa56,
+0xf4f307f4, 0xeacf25ea, 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x08101808,
+0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e, 0x1c38241c, 0xa657f1a6,
+0xb473c7b4, 0xc69751c6, 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f,
+0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, 0x70e09070, 0x3e7c423e,
+0xb571c4b5, 0x66ccaa66, 0x4890d848, 0x03060503, 0xf6f701f6, 0x0e1c120e,
+0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, 0x86179186, 0xc19958c1,
+0x1d3a271d, 0x9e27b99e, 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311,
+0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794, 0x9b2db69b, 0x1e3c221e,
+0x87159287, 0xe9c920e9, 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf,
+0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d, 0xbf65dabf, 0xe6d731e6,
+0x4284c642, 0x68d0b868, 0x4182c341, 0x9929b099, 0x2d5a772d, 0x0f1e110f,
+0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16  
+};
+#else
+static const PRUint32 _T2[256] = 
+{
+0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, 0xf20dfff2, 0x6bbdd66b,
+0x6fb1de6f, 0xc55491c5, 0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b,
+0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76, 0xca458fca, 0x829d1f82,
+0xc94089c9, 0x7d87fa7d, 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0,
+0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af, 0x9cbf239c, 0xa4f753a4,
+0x7296e472, 0xc05b9bc0, 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26,
+0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc, 0x345c6834, 0xa5f451a5,
+0xe534d1e5, 0xf108f9f1, 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15,
+0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3, 0x18283018, 0x96a13796,
+0x050f0a05, 0x9ab52f9a, 0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2,
+0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75, 0x091b1209, 0x839e1d83,
+0x2c74582c, 0x1a2e341a, 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0,
+0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3, 0x297b5229, 0xe33edde3,
+0x2f715e2f, 0x84971384, 0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed,
+0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b, 0x6abed46a, 0xcb468dcb,
+0xbed967be, 0x394b7239, 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf,
+0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb, 0x43c58643, 0x4dd79a4d,
+0x33556633, 0x85941185, 0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f,
+0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8, 0x51f3a251, 0xa3fe5da3,
+0x40c08040, 0x8f8a058f, 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5,
+0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221, 0x10302010, 0xff1ae5ff,
+0xf30efdf3, 0xd26dbfd2, 0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec,
+0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17, 0xc45793c4, 0xa7f255a7,
+0x7e82fc7e, 0x3d477a3d, 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673,
+0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc, 0x22664422, 0x2a7e542a,
+0x90ab3b90, 0x88830b88, 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814,
+0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb, 0xe03bdbe0, 0x32566432,
+0x3a4e743a, 0x0a1e140a, 0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c,
+0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462, 0x91a83991, 0x95a43195,
+0xe437d3e4, 0x798bf279, 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d,
+0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9, 0x6cb4d86c, 0x56faac56,
+0xf407f3f4, 0xea25cfea, 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008,
+0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e, 0x1c24381c, 0xa6f157a6,
+0xb4c773b4, 0xc65197c6, 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f,
+0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a, 0x7090e070, 0x3e427c3e,
+0xb5c471b5, 0x66aacc66, 0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e,
+0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9, 0x86911786, 0xc15899c1,
+0x1d273a1d, 0x9eb9279e, 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211,
+0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394, 0x9bb62d9b, 0x1e223c1e,
+0x87921587, 0xe920c9e9, 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df,
+0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d, 0xbfda65bf, 0xe631d7e6,
+0x42c68442, 0x68b8d068, 0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f,
+0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T3[256] = 
+{
+0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 0xff0df2f2, 0xd6bd6b6b,
+0xdeb16f6f, 0x9154c5c5, 0x60503030, 0x02030101, 0xcea96767, 0x567d2b2b,
+0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676, 0x8f45caca, 0x1f9d8282,
+0x8940c9c9, 0xfa877d7d, 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0,
+0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, 0x23bf9c9c, 0x53f7a4a4,
+0xe4967272, 0x9b5bc0c0, 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626,
+0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, 0x685c3434, 0x51f4a5a5,
+0xd134e5e5, 0xf908f1f1, 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515,
+0x080c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3, 0x30281818, 0x37a19696,
+0x0a0f0505, 0x2fb59a9a, 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2,
+0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, 0x121b0909, 0x1d9e8383,
+0x58742c2c, 0x342e1a1a, 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0,
+0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3, 0x527b2929, 0xdd3ee3e3,
+0x5e712f2f, 0x13978484, 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded,
+0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, 0xd4be6a6a, 0x8d46cbcb,
+0x67d9bebe, 0x724b3939, 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf,
+0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, 0x86c54343, 0x9ad74d4d,
+0x66553333, 0x11948585, 0x8acf4545, 0xe910f9f9, 0x04060202, 0xfe817f7f,
+0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8, 0xa2f35151, 0x5dfea3a3,
+0x80c04040, 0x058a8f8f, 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5,
+0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, 0x20301010, 0xe51affff,
+0xfd0ef3f3, 0xbf6dd2d2, 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec,
+0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717, 0x9357c4c4, 0x55f2a7a7,
+0xfc827e7e, 0x7a473d3d, 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373,
+0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc, 0x44662222, 0x547e2a2a,
+0x3bab9090, 0x0b838888, 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414,
+0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, 0xdb3be0e0, 0x64563232,
+0x744e3a3a, 0x141e0a0a, 0x92db4949, 0x0c0a0606, 0x486c2424, 0xb8e45c5c,
+0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262, 0x39a89191, 0x31a49595,
+0xd337e4e4, 0xf28b7979, 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d,
+0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, 0xd8b46c6c, 0xacfa5656,
+0xf307f4f4, 0xcf25eaea, 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808,
+0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e, 0x38241c1c, 0x57f1a6a6,
+0x73c7b4b4, 0x9751c6c6, 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f,
+0x96dd4b4b, 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a, 0xe0907070, 0x7c423e3e,
+0x71c4b5b5, 0xccaa6666, 0x90d84848, 0x06050303, 0xf701f6f6, 0x1c120e0e,
+0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, 0x17918686, 0x9958c1c1,
+0x3a271d1d, 0x27b99e9e, 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111,
+0xd2bb6969, 0xa970d9d9, 0x07898e8e, 0x33a79494, 0x2db69b9b, 0x3c221e1e,
+0x15928787, 0xc920e9e9, 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf,
+0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d, 0x65dabfbf, 0xd731e6e6,
+0x84c64242, 0xd0b86868, 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f,
+0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616  
+};
+#else
+static const PRUint32 _T3[256] = 
+{
+0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, 0xf2f20dff, 0x6b6bbdd6,
+0x6f6fb1de, 0xc5c55491, 0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56,
+0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec, 0xcaca458f, 0x82829d1f,
+0xc9c94089, 0x7d7d87fa, 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb,
+0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45, 0x9c9cbf23, 0xa4a4f753,
+0x727296e4, 0xc0c05b9b, 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c,
+0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83, 0x34345c68, 0xa5a5f451,
+0xe5e534d1, 0xf1f108f9, 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a,
+0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d, 0x18182830, 0x9696a137,
+0x05050f0a, 0x9a9ab52f, 0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf,
+0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea, 0x09091b12, 0x83839e1d,
+0x2c2c7458, 0x1a1a2e34, 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b,
+0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d, 0x29297b52, 0xe3e33edd,
+0x2f2f715e, 0x84849713, 0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1,
+0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6, 0x6a6abed4, 0xcbcb468d,
+0xbebed967, 0x39394b72, 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85,
+0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed, 0x4343c586, 0x4d4dd79a,
+0x33335566, 0x85859411, 0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe,
+0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b, 0x5151f3a2, 0xa3a3fe5d,
+0x4040c080, 0x8f8f8a05, 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1,
+0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342, 0x10103020, 0xffff1ae5,
+0xf3f30efd, 0xd2d26dbf, 0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3,
+0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e, 0xc4c45793, 0xa7a7f255,
+0x7e7e82fc, 0x3d3d477a, 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6,
+0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3, 0x22226644, 0x2a2a7e54,
+0x9090ab3b, 0x8888830b, 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28,
+0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad, 0xe0e03bdb, 0x32325664,
+0x3a3a4e74, 0x0a0a1e14, 0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8,
+0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4, 0x9191a839, 0x9595a431,
+0xe4e437d3, 0x79798bf2, 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da,
+0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049, 0x6c6cb4d8, 0x5656faac,
+0xf4f407f3, 0xeaea25cf, 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810,
+0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c, 0x1c1c2438, 0xa6a6f157,
+0xb4b4c773, 0xc6c65197, 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e,
+0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f, 0x707090e0, 0x3e3e427c,
+0xb5b5c471, 0x6666aacc, 0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c,
+0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069, 0x86869117, 0xc1c15899,
+0x1d1d273a, 0x9e9eb927, 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322,
+0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733, 0x9b9bb62d, 0x1e1e223c,
+0x87879215, 0xe9e920c9, 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5,
+0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a, 0xbfbfda65, 0xe6e631d7,
+0x4242c684, 0x6868b8d0, 0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e,
+0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv0[256] = 
+{
+0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f,
+0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5,
+0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, 0x495ab1de, 0x671bba25,
+0x980eea45, 0xe1c0fe5d, 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
+0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458,
+0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927,
+0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, 0x184adf63, 0x82311ae5,
+0x60335197, 0x457f5362, 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
+0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72,
+0x578f1fe3, 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3,
+0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, 0x92b479a7,
+0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
+0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 0x39ec830b, 0xaaef6040,
+0x069f715e, 0x51106ebd, 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d,
+0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6,
+0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
+0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, 0x83868009, 0x48ed2b32,
+0xac70111e, 0x4e725a6c, 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36,
+0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793,
+0xd296eeb4, 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
+0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, 0xadc78bf2,
+0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3,
+0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, 0x7629438b, 0xdcc623cb,
+0x68fcedb6, 0x63f1e4b8, 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
+0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc,
+0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947,
+0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, 0xc74e4987, 0xc1d138d9,
+0xfea2ca8c, 0x360bd498, 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
+0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890,
+0x5ef7392e, 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf,
+0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, 0xf418596e,
+0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef,
+0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 0xafb2a431, 0x31233f2a,
+0x3094a5c6, 0xc066a235, 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733,
+0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43,
+0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
+0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 0x5a1d67b3, 0x52d2db92,
+0x335610e9, 0x1347d66d, 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb,
+0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255,
+0x79ce1418, 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
+0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, 0x0c25e2bc,
+0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664,
+0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0  
+};
+#else
+static const PRUint32 _TInv0[256] = 
+{
+0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, 0x3bab6bcb, 0x1f9d45f1,
+0xacfa58ab, 0x4be30393, 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
+0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, 0xdeb15a49, 0x25ba1b67,
+0x45ea0e98, 0x5dfec0e1, 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
+0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, 0xd4be832d, 0x587421d3,
+0x49e06929, 0x8ec9c844, 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
+0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, 0x63df4a18, 0xe51a3182,
+0x97513360, 0x62537f45, 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
+0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, 0xab73d323, 0x724b02e2,
+0xe31f8f57, 0x6655ab2a, 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
+0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c, 0x8acf1c2b, 0xa779b492,
+0xf307f2f0, 0x4e69e2a1, 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
+0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75, 0x0b83ec39, 0x4060efaa,
+0x5e719f06, 0xbd6e1051, 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
+0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff, 0x1998fb24, 0xd6bde997,
+0x894043cc, 0x67d99e77, 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
+0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000, 0x09808683, 0x322bed48,
+0x1e1170ac, 0x6c5a724e, 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
+0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, 0x0c0a67b1, 0x9357e70f,
+0xb4ee96d2, 0x1b9b919e, 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
+0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, 0x0e090d0b, 0xf28bc7ad,
+0x2db6a8b9, 0x141ea9c8, 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
+0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, 0x8b432976, 0xcb23c6dc,
+0xb6edfc68, 0xb8e4f163, 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
+0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, 0x1d9e2f4b, 0xdcb230f3,
+0x0d8652ec, 0x77c1e3d0, 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
+0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, 0x87494ec7, 0xd938d1c1,
+0x8ccaa2fe, 0x98d40b36, 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
+0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, 0xf68d13c2, 0x90d8b8e8,
+0x2e39f75e, 0x82c3aff5, 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
+0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, 0xcd267809, 0x6e5918f4,
+0xec9ab701, 0x834f9aa8, 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
+0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, 0x31a4b2af, 0x2a3f2331,
+0xc6a59430, 0x35a266c0, 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
+0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, 0x764dd68d, 0x43efb04d,
+0xccaa4d54, 0xe49604df, 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
+0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e, 0xb3671d5a, 0x92dbd252,
+0xe9105633, 0x6dd64713, 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
+0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, 0x9cd2df59, 0x55f2733f,
+0x1814ce79, 0x73c737bf, 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
+0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, 0x161dc372, 0xbce2250c,
+0x283c498b, 0xff0d9541, 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
+0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv1[256] = 
+{
+0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 0x6bab3bcb, 0x459d1ff1,
+0x58faacab, 0x03e34b93, 0xfa302055, 0x6d76adf6, 0x76cc8891, 0x4c02f525,
+0xd7e54ffc, 0xcb2ac5d7, 0x44352680, 0xa362b58f, 0x5ab1de49, 0x1bba2567,
+0x0eea4598, 0xc0fe5de1, 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6,
+0x5f8f03e7, 0x9c921595, 0x7a6dbfeb, 0x595295da, 0x83bed42d, 0x217458d3,
+0x69e04929, 0xc8c98e44, 0x89c2756a, 0x798ef478, 0x3e58996b, 0x71b927dd,
+0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, 0x4adf6318, 0x311ae582,
+0x33519760, 0x7f536245, 0x7764b1e0, 0xae6bbb84, 0xa081fe1c, 0x2b08f994,
+0x68487058, 0xfd458f19, 0x6cde9487, 0xf87b52b7, 0xd373ab23, 0x024b72e2,
+0x8f1fe357, 0xab55662a, 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x0837d3a5,
+0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, 0x1ccf8a2b, 0xb479a792,
+0xf207f3f0, 0xe2694ea1, 0xf4da65cd, 0xbe0506d5, 0x6234d11f, 0xfea6c48a,
+0x532e349d, 0x55f3a2a0, 0xe18a0532, 0xebf6a475, 0xec830b39, 0xef6040aa,
+0x9f715e06, 0x106ebd51, 0x8a213ef9, 0x06dd963d, 0x053eddae, 0xbde64d46,
+0x8d5491b5, 0x5dc47105, 0xd406046f, 0x155060ff, 0xfb981924, 0xe9bdd697,
+0x434089cc, 0x9ed96777, 0x42e8b0bd, 0x8b890788, 0x5b19e738, 0xeec879db,
+0x0a7ca147, 0x0f427ce9, 0x1e84f8c9, 0x00000000, 0x86800983, 0xed2b3248,
+0x70111eac, 0x725a6c4e, 0xff0efdfb, 0x38850f56, 0xd5ae3d1e, 0x392d3627,
+0xd90f0a64, 0xa65c6821, 0x545b9bd1, 0x2e36243a, 0x670a0cb1, 0xe757930f,
+0x96eeb4d2, 0x919b1b9e, 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16,
+0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, 0x0d090e0b, 0xc78bf2ad,
+0xa8b62db9, 0xa91e14c8, 0x19f15785, 0x0775af4c, 0xdd99eebb, 0x607fa3fd,
+0x2601f79f, 0xf5725cbc, 0x3b6644c5, 0x7efb5b34, 0x29438b76, 0xc623cbdc,
+0xfcedb668, 0xf1e4b863, 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420,
+0x244a857d, 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, 0x2f9e1d4b, 0x30b2dcf3,
+0x52860dec, 0xe3c177d0, 0x16b32b6c, 0xb970a999, 0x489411fa, 0x64e94722,
+0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, 0x4e4987c7, 0xd138d9c1,
+0xa2ca8cfe, 0x0bd49836, 0x81f5a6cf, 0xde7aa528, 0x8eb7da26, 0xbfad3fa4,
+0x9d3a2ce4, 0x9278500d, 0xcc5f6a9b, 0x467e5462, 0x138df6c2, 0xb8d890e8,
+0xf7392e5e, 0xafc382f5, 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3,
+0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, 0x7826cd09, 0x18596ef4,
+0xb79aec01, 0x9a4f83a8, 0x6e95e665, 0xe6ffaa7e, 0xcfbc2108, 0xe815efe6,
+0x9be7bad9, 0x366f4ace, 0x099fead4, 0x7cb029d6, 0xb2a431af, 0x233f2a31,
+0x94a5c630, 0x66a235c0, 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315,
+0x9804f14a, 0xdaec41f7, 0x50cd7f0e, 0xf691172f, 0xd64d768d, 0xb0ef434d,
+0x4daacc54, 0x0496e4df, 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, 0x5165467f,
+0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, 0x1d67b35a, 0xd2db9252,
+0x5610e933, 0x47d66d13, 0x61d79a8c, 0x0ca1377a, 0x14f8598e, 0x3c13eb89,
+0x27a9ceee, 0xc961b735, 0xe51ce1ed, 0xb1477a3c, 0xdfd29c59, 0x73f2553f,
+0xce141879, 0x37c773bf, 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886,
+0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, 0xc31d1672, 0x25e2bc0c,
+0x493c288b, 0x950dff41, 0x01a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490,
+0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042  
+};
+#else
+static const PRUint32 _TInv1[256] = 
+{
+0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, 0xcb3bab6b, 0xf11f9d45,
+0xabacfa58, 0x934be303, 0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c,
+0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3, 0x49deb15a, 0x6725ba1b,
+0x9845ea0e, 0xe15dfec0, 0x02c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9,
+0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259, 0x2dd4be83, 0xd3587421,
+0x2949e069, 0x448ec9c8, 0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971,
+0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a, 0x1863df4a, 0x82e51a31,
+0x60975133, 0x4562537f, 0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b,
+0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8, 0x23ab73d3, 0xe2724b02,
+0x57e31f8f, 0x2a6655ab, 0x07b2eb28, 0x032fb5c2, 0x9a86c57b, 0xa5d33708,
+0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682, 0x2b8acf1c, 0x92a779b4,
+0xf0f307f2, 0xa14e69e2, 0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe,
+0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb, 0x390b83ec, 0xaa4060ef,
+0x065e719f, 0x51bd6e10, 0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd,
+0xb591548d, 0x0571c45d, 0x6f0406d4, 0xff605015, 0x241998fb, 0x97d6bde9,
+0xcc894043, 0x7767d99e, 0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee,
+0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x00000000, 0x83098086, 0x48322bed,
+0xac1e1170, 0x4e6c5a72, 0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39,
+0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e, 0xb10c0a67, 0x0f9357e7,
+0xd2b4ee96, 0x9e1b9b91, 0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a,
+0x0ae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17, 0x0b0e090d, 0xadf28bc7,
+0xb92db6a8, 0xc8141ea9, 0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60,
+0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e, 0x768b4329, 0xdccb23c6,
+0x68b6edfc, 0x63b8e4f1, 0xcad731dc, 0x10426385, 0x40139722, 0x2084c611,
+0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1, 0x4b1d9e2f, 0xf3dcb230,
+0xec0d8652, 0xd077c1e3, 0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964,
+0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390, 0xc787494e, 0xc1d938d1,
+0xfe8ccaa2, 0x3698d40b, 0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf,
+0xe42c3a9d, 0x0d507892, 0x9b6a5fcc, 0x62547e46, 0xc2f68d13, 0xe890d8b8,
+0x5e2e39f7, 0xf582c3af, 0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512,
+0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb, 0x09cd2678, 0xf46e5918,
+0x01ec9ab7, 0xa8834f9a, 0x65e6956e, 0x7eaaffe6, 0x0821bccf, 0xe6ef15e8,
+0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c, 0xaf31a4b2, 0x312a3f23,
+0x30c6a594, 0xc035a266, 0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8,
+0x4af10498, 0xf741ecda, 0x0e7fcd50, 0x2f1791f6, 0x8d764dd6, 0x4d43efb0,
+0x54ccaa4d, 0xdfe49604, 0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551,
+0x049d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41, 0x5ab3671d, 0x5292dbd2,
+0x33e91056, 0x136dd647, 0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c,
+0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1, 0x599cd2df, 0x3f55f273,
+0x791814ce, 0xbf73c737, 0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db,
+0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340, 0x72161dc3, 0x0cbce225,
+0x8b283c49, 0x41ff0d95, 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1,
+0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv2[256] = 
+{
+0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 0xab3bcb6b, 0x9d1ff145,
+0xfaacab58, 0xe34b9303, 0x302055fa, 0x76adf66d, 0xcc889176, 0x02f5254c,
+0xe54ffcd7, 0x2ac5d7cb, 0x35268044, 0x62b58fa3, 0xb1de495a, 0xba25671b,
+0xea45980e, 0xfe5de1c0, 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9,
+0x8f03e75f, 0x9215959c, 0x6dbfeb7a, 0x5295da59, 0xbed42d83, 0x7458d321,
+0xe0492969, 0xc98e44c8, 0xc2756a89, 0x8ef47879, 0x58996b3e, 0xb927dd71,
+0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, 0xdf63184a, 0x1ae58231,
+0x51976033, 0x5362457f, 0x64b1e077, 0x6bbb84ae, 0x81fe1ca0, 0x08f9942b,
+0x48705868, 0x458f19fd, 0xde94876c, 0x7b52b7f8, 0x73ab23d3, 0x4b72e202,
+0x1fe3578f, 0x55662aab, 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508,
+0x2830f287, 0xbf23b2a5, 0x0302ba6a, 0x16ed5c82, 0xcf8a2b1c, 0x79a792b4,
+0x07f3f0f2, 0x694ea1e2, 0xda65cdf4, 0x0506d5be, 0x34d11f62, 0xa6c48afe,
+0x2e349d53, 0xf3a2a055, 0x8a0532e1, 0xf6a475eb, 0x830b39ec, 0x6040aaef,
+0x715e069f, 0x6ebd5110, 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd,
+0x5491b58d, 0xc471055d, 0x06046fd4, 0x5060ff15, 0x981924fb, 0xbdd697e9,
+0x4089cc43, 0xd967779e, 0xe8b0bd42, 0x8907888b, 0x19e7385b, 0xc879dbee,
+0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x00000000, 0x80098386, 0x2b3248ed,
+0x111eac70, 0x5a6c4e72, 0x0efdfbff, 0x850f5638, 0xae3d1ed5, 0x2d362739,
+0x0f0a64d9, 0x5c6821a6, 0x5b9bd154, 0x36243a2e, 0x0a0cb167, 0x57930fe7,
+0xeeb4d296, 0x9b1b9e91, 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a,
+0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, 0x090e0b0d, 0x8bf2adc7,
+0xb62db9a8, 0x1e14c8a9, 0xf1578519, 0x75af4c07, 0x99eebbdd, 0x7fa3fd60,
+0x01f79f26, 0x725cbcf5, 0x6644c53b, 0xfb5b347e, 0x438b7629, 0x23cbdcc6,
+0xedb668fc, 0xe4b863f1, 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011,
+0x4a857d24, 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, 0x9e1d4b2f, 0xb2dcf330,
+0x860dec52, 0xc177d0e3, 0xb32b6c16, 0x70a999b9, 0x9411fa48, 0xe9472264,
+0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, 0x4987c74e, 0x38d9c1d1,
+0xca8cfea2, 0xd498360b, 0xf5a6cf81, 0x7aa528de, 0xb7da268e, 0xad3fa4bf,
+0x3a2ce49d, 0x78500d92, 0x5f6a9bcc, 0x7e546246, 0x8df6c213, 0xd890e8b8,
+0x392e5ef7, 0xc382f5af, 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312,
+0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, 0x26cd0978, 0x596ef418,
+0x9aec01b7, 0x4f83a89a, 0x95e6656e, 0xffaa7ee6, 0xbc2108cf, 0x15efe6e8,
+0xe7bad99b, 0x6f4ace36, 0x9fead409, 0xb029d67c, 0xa431afb2, 0x3f2a3123,
+0xa5c63094, 0xa235c066, 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8,
+0x04f14a98, 0xec41f7da, 0xcd7f0e50, 0x91172ff6, 0x4d768dd6, 0xef434db0,
+0xaacc544d, 0x96e4df04, 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, 0x65467f51,
+0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0x0bfb2e41, 0x67b35a1d, 0xdb9252d2,
+0x10e93356, 0xd66d1347, 0xd79a8c61, 0xa1377a0c, 0xf8598e14, 0x13eb893c,
+0xa9ceee27, 0x61b735c9, 0x1ce1ede5, 0x477a3cb1, 0xd29c59df, 0xf2553f73,
+0x141879ce, 0xc773bf37, 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db,
+0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, 0x1d1672c3, 0xe2bc0c25,
+0x3c288b49, 0x0dff4195, 0xa8397101, 0x0c08deb3, 0xb4d89ce4, 0x566490c1,
+0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257  
+};
+#else
+static const PRUint32 _TInv2[256] = 
+{
+0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, 0x6bcb3bab, 0x45f11f9d,
+0x58abacfa, 0x03934be3, 0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502,
+0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562, 0x5a49deb1, 0x1b6725ba,
+0x0e9845ea, 0xc0e15dfe, 0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3,
+0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552, 0x832dd4be, 0x21d35874,
+0x692949e0, 0xc8448ec9, 0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9,
+0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce, 0x4a1863df, 0x3182e51a,
+0x33609751, 0x7f456253, 0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908,
+0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b, 0xd323ab73, 0x02e2724b,
+0x8f57e31f, 0xab2a6655, 0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x08a5d337,
+0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16, 0x1c2b8acf, 0xb492a779,
+0xf2f0f307, 0xe2a14e69, 0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6,
+0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6, 0xec390b83, 0xefaa4060,
+0x9f065e71, 0x1051bd6e, 0x8af93e21, 0x063d96dd, 0x05aedd3e, 0xbd464de6,
+0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050, 0xfb241998, 0xe997d6bd,
+0x43cc8940, 0x9e7767d9, 0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8,
+0x0a47a17c, 0x0fe97c42, 0x1ec9f884, 0x00000000, 0x86830980, 0xed48322b,
+0x70ac1e11, 0x724e6c5a, 0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d,
+0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436, 0x67b10c0a, 0xe70f9357,
+0x96d2b4ee, 0x919e1b9b, 0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12,
+0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b, 0x0d0b0e09, 0xc7adf28b,
+0xa8b92db6, 0xa9c8141e, 0x198557f1, 0x074caf75, 0xddbbee99, 0x60fda37f,
+0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb, 0x29768b43, 0xc6dccb23,
+0xfc68b6ed, 0xf163b8e4, 0xdccad731, 0x85104263, 0x22401397, 0x112084c6,
+0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729, 0x2f4b1d9e, 0x30f3dcb2,
+0x52ec0d86, 0xe3d077c1, 0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9,
+0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233, 0x4ec78749, 0xd1c1d938,
+0xa2fe8cca, 0x0b3698d4, 0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad,
+0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e, 0x13c2f68d, 0xb8e890d8,
+0xf75e2e39, 0xaff582c3, 0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25,
+0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b, 0x7809cd26, 0x18f46e59,
+0xb701ec9a, 0x9aa8834f, 0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15,
+0x9bd9bae7, 0x36ce4a6f, 0x09d4ea9f, 0x7cd629b0, 0xb2af31a4, 0x23312a3f,
+0x9430c6a5, 0x66c035a2, 0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7,
+0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791, 0xd68d764d, 0xb04d43ef,
+0x4d54ccaa, 0x04dfe496, 0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665,
+0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b, 0x1d5ab367, 0xd25292db,
+0x5633e910, 0x47136dd6, 0x618c9ad7, 0x0c7a37a1, 0x148e59f8, 0x3c89eb13,
+0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47, 0xdf599cd2, 0x733f55f2,
+0xce791814, 0x37bf73c7, 0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844,
+0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3, 0xc372161d, 0x250cbce2,
+0x498b283c, 0x9541ff0d, 0x017139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456,
+0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv3[256] = 
+{
+0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 0x3bcb6bab, 0x1ff1459d,
+0xacab58fa, 0x4b9303e3, 0x2055fa30, 0xadf66d76, 0x889176cc, 0xf5254c02,
+0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, 0xb58fa362, 0xde495ab1, 0x25671bba,
+0x45980eea, 0x5de1c0fe, 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3,
+0x03e75f8f, 0x15959c92, 0xbfeb7a6d, 0x95da5952, 0xd42d83be, 0x58d32174,
+0x492969e0, 0x8e44c8c9, 0x756a89c2, 0xf478798e, 0x996b3e58, 0x27dd71b9,
+0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, 0x63184adf, 0xe582311a,
+0x97603351, 0x62457f53, 0xb1e07764, 0xbb84ae6b, 0xfe1ca081, 0xf9942b08,
+0x70586848, 0x8f19fd45, 0x94876cde, 0x52b7f87b, 0xab23d373, 0x72e2024b,
+0xe3578f1f, 0x662aab55, 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837,
+0x30f28728, 0x23b2a5bf, 0x02ba6a03, 0xed5c8216, 0x8a2b1ccf, 0xa792b479,
+0xf3f0f207, 0x4ea1e269, 0x65cdf4da, 0x06d5be05, 0xd11f6234, 0xc48afea6,
+0x349d532e, 0xa2a055f3, 0x0532e18a, 0xa475ebf6, 0x0b39ec83, 0x40aaef60,
+0x5e069f71, 0xbd51106e, 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6,
+0x91b58d54, 0x71055dc4, 0x046fd406, 0x60ff1550, 0x1924fb98, 0xd697e9bd,
+0x89cc4340, 0x67779ed9, 0xb0bd42e8, 0x07888b89, 0xe7385b19, 0x79dbeec8,
+0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x00000000, 0x09838680, 0x3248ed2b,
+0x1eac7011, 0x6c4e725a, 0xfdfbff0e, 0x0f563885, 0x3d1ed5ae, 0x3627392d,
+0x0a64d90f, 0x6821a65c, 0x9bd1545b, 0x243a2e36, 0x0cb1670a, 0x930fe757,
+0xb4d296ee, 0x1b9e919b, 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12,
+0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, 0x0e0b0d09, 0xf2adc78b,
+0x2db9a8b6, 0x14c8a91e, 0x578519f1, 0xaf4c0775, 0xeebbdd99, 0xa3fd607f,
+0xf79f2601, 0x5cbcf572, 0x44c53b66, 0x5b347efb, 0x8b762943, 0xcbdcc623,
+0xb668fced, 0xb863f1e4, 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6,
+0x857d244a, 0xd2f83dbb, 0xae1132f9, 0xc76da129, 0x1d4b2f9e, 0xdcf330b2,
+0x0dec5286, 0x77d0e3c1, 0x2b6c16b3, 0xa999b970, 0x11fa4894, 0x472264e9,
+0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, 0x87c74e49, 0xd9c1d138,
+0x8cfea2ca, 0x98360bd4, 0xa6cf81f5, 0xa528de7a, 0xda268eb7, 0x3fa4bfad,
+0x2ce49d3a, 0x500d9278, 0x6a9bcc5f, 0x5462467e, 0xf6c2138d, 0x90e8b8d8,
+0x2e5ef739, 0x82f5afc3, 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225,
+0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, 0xcd097826, 0x6ef41859,
+0xec01b79a, 0x83a89a4f, 0xe6656e95, 0xaa7ee6ff, 0x2108cfbc, 0xefe6e815,
+0xbad99be7, 0x4ace366f, 0xead4099f, 0x29d67cb0, 0x31afb2a4, 0x2a31233f,
+0xc63094a5, 0x35c066a2, 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7,
+0xf14a9804, 0x41f7daec, 0x7f0e50cd, 0x172ff691, 0x768dd64d, 0x434db0ef,
+0xcc544daa, 0xe4df0496, 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, 0x467f5165,
+0x9d04ea5e, 0x015d358c, 0xfa737487, 0xfb2e410b, 0xb35a1d67, 0x9252d2db,
+0xe9335610, 0x6d1347d6, 0x9a8c61d7, 0x377a0ca1, 0x598e14f8, 0xeb893c13,
+0xceee27a9, 0xb735c961, 0xe1ede51c, 0x7a3cb147, 0x9c59dfd2, 0x553f73f2,
+0x1879ce14, 0x73bf37c7, 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44,
+0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, 0x1672c31d, 0xbc0c25e2,
+0x288b493c, 0xff41950d, 0x397101a8, 0x08deb30c, 0xd89ce4b4, 0x6490c156,
+0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8  
+};
+#else
+static const PRUint32 _TInv3[256] = 
+{
+0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, 0xab6bcb3b, 0x9d45f11f,
+0xfa58abac, 0xe303934b, 0x30fa5520, 0x766df6ad, 0xcc769188, 0x024c25f5,
+0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5, 0xb15a49de, 0xba1b6725,
+0xea0e9845, 0xfec0e15d, 0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b,
+0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95, 0xbe832dd4, 0x7421d358,
+0xe0692949, 0xc9c8448e, 0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27,
+0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d, 0xdf4a1863, 0x1a3182e5,
+0x51336097, 0x537f4562, 0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x082b94f9,
+0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752, 0x73d323ab, 0x4b02e272,
+0x1f8f57e3, 0x55ab2a66, 0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3,
+0x2887f230, 0xbfa5b223, 0x036aba02, 0x16825ced, 0xcf1c2b8a, 0x79b492a7,
+0x07f2f0f3, 0x69e2a14e, 0xdaf4cd65, 0x05bed506, 0x34621fd1, 0xa6fe8ac4,
+0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4, 0x83ec390b, 0x60efaa40,
+0x719f065e, 0x6e1051bd, 0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d,
+0x548db591, 0xc45d0571, 0x06d46f04, 0x5015ff60, 0x98fb2419, 0xbde997d6,
+0x4043cc89, 0xd99e7767, 0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79,
+0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x00000000, 0x80868309, 0x2bed4832,
+0x1170ac1e, 0x5a724e6c, 0x0efffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736,
+0x0fd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24, 0x0a67b10c, 0x57e70f93,
+0xee96d2b4, 0x9b919e1b, 0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c,
+0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12, 0x090d0b0e, 0x8bc7adf2,
+0xb6a8b92d, 0x1ea9c814, 0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3,
+0x01269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b, 0x4329768b, 0x23c6dccb,
+0xedfc68b6, 0xe4f163b8, 0x31dccad7, 0x63851042, 0x97224013, 0xc6112084,
+0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7, 0x9e2f4b1d, 0xb230f3dc,
+0x8652ec0d, 0xc1e3d077, 0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247,
+0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22, 0x494ec787, 0x38d1c1d9,
+0xcaa2fe8c, 0xd40b3698, 0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f,
+0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254, 0x8d13c2f6, 0xd8b8e890,
+0x39f75e2e, 0xc3aff582, 0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf,
+0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb, 0x267809cd, 0x5918f46e,
+0x9ab701ec, 0x4f9aa883, 0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef,
+0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629, 0xa4b2af31, 0x3f23312a,
+0xa59430c6, 0xa266c035, 0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533,
+0x04984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17, 0x4dd68d76, 0xefb04d43,
+0xaa4d54cc, 0x9604dfe4, 0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46,
+0x5eea049d, 0x8c355d01, 0x877473fa, 0x0b412efb, 0x671d5ab3, 0xdbd25292,
+0x105633e9, 0xd647136d, 0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb,
+0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a, 0xd2df599c, 0xf2733f55,
+0x14ce7918, 0xc737bf73, 0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678,
+0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2, 0x1dc37216, 0xe2250cbc,
+0x3c498b28, 0x0d9541ff, 0xa8017139, 0x0cb3de08, 0xb4e49cd8, 0x56c19064,
+0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC0[256] = 
+{
+0x00000000, 0x0b0d090e, 0x161a121c, 0x1d171b12, 0x2c342438, 0x27392d36,
+0x3a2e3624, 0x31233f2a, 0x58684870, 0x5365417e, 0x4e725a6c, 0x457f5362,
+0x745c6c48, 0x7f516546, 0x62467e54, 0x694b775a, 0xb0d090e0, 0xbbdd99ee,
+0xa6ca82fc, 0xadc78bf2, 0x9ce4b4d8, 0x97e9bdd6, 0x8afea6c4, 0x81f3afca,
+0xe8b8d890, 0xe3b5d19e, 0xfea2ca8c, 0xf5afc382, 0xc48cfca8, 0xcf81f5a6,
+0xd296eeb4, 0xd99be7ba, 0x7bbb3bdb, 0x70b632d5, 0x6da129c7, 0x66ac20c9,
+0x578f1fe3, 0x5c8216ed, 0x41950dff, 0x4a9804f1, 0x23d373ab, 0x28de7aa5,
+0x35c961b7, 0x3ec468b9, 0x0fe75793, 0x04ea5e9d, 0x19fd458f, 0x12f04c81,
+0xcb6bab3b, 0xc066a235, 0xdd71b927, 0xd67cb029, 0xe75f8f03, 0xec52860d,
+0xf1459d1f, 0xfa489411, 0x9303e34b, 0x980eea45, 0x8519f157, 0x8e14f859,
+0xbf37c773, 0xb43ace7d, 0xa92dd56f, 0xa220dc61, 0xf66d76ad, 0xfd607fa3,
+0xe07764b1, 0xeb7a6dbf, 0xda595295, 0xd1545b9b, 0xcc434089, 0xc74e4987,
+0xae053edd, 0xa50837d3, 0xb81f2cc1, 0xb31225cf, 0x82311ae5, 0x893c13eb,
+0x942b08f9, 0x9f2601f7, 0x46bde64d, 0x4db0ef43, 0x50a7f451, 0x5baafd5f,
+0x6a89c275, 0x6184cb7b, 0x7c93d069, 0x779ed967, 0x1ed5ae3d, 0x15d8a733,
+0x08cfbc21, 0x03c2b52f, 0x32e18a05, 0x39ec830b, 0x24fb9819, 0x2ff69117,
+0x8dd64d76, 0x86db4478, 0x9bcc5f6a, 0x90c15664, 0xa1e2694e, 0xaaef6040,
+0xb7f87b52, 0xbcf5725c, 0xd5be0506, 0xdeb30c08, 0xc3a4171a, 0xc8a91e14,
+0xf98a213e, 0xf2872830, 0xef903322, 0xe49d3a2c, 0x3d06dd96, 0x360bd498,
+0x2b1ccf8a, 0x2011c684, 0x1132f9ae, 0x1a3ff0a0, 0x0728ebb2, 0x0c25e2bc,
+0x656e95e6, 0x6e639ce8, 0x737487fa, 0x78798ef4, 0x495ab1de, 0x4257b8d0,
+0x5f40a3c2, 0x544daacc, 0xf7daec41, 0xfcd7e54f, 0xe1c0fe5d, 0xeacdf753,
+0xdbeec879, 0xd0e3c177, 0xcdf4da65, 0xc6f9d36b, 0xafb2a431, 0xa4bfad3f,
+0xb9a8b62d, 0xb2a5bf23, 0x83868009, 0x888b8907, 0x959c9215, 0x9e919b1b,
+0x470a7ca1, 0x4c0775af, 0x51106ebd, 0x5a1d67b3, 0x6b3e5899, 0x60335197,
+0x7d244a85, 0x7629438b, 0x1f6234d1, 0x146f3ddf, 0x097826cd, 0x02752fc3,
+0x335610e9, 0x385b19e7, 0x254c02f5, 0x2e410bfb, 0x8c61d79a, 0x876cde94,
+0x9a7bc586, 0x9176cc88, 0xa055f3a2, 0xab58faac, 0xb64fe1be, 0xbd42e8b0,
+0xd4099fea, 0xdf0496e4, 0xc2138df6, 0xc91e84f8, 0xf83dbbd2, 0xf330b2dc,
+0xee27a9ce, 0xe52aa0c0, 0x3cb1477a, 0x37bc4e74, 0x2aab5566, 0x21a65c68,
+0x10856342, 0x1b886a4c, 0x069f715e, 0x0d927850, 0x64d90f0a, 0x6fd40604,
+0x72c31d16, 0x79ce1418, 0x48ed2b32, 0x43e0223c, 0x5ef7392e, 0x55fa3020,
+0x01b79aec, 0x0aba93e2, 0x17ad88f0, 0x1ca081fe, 0x2d83bed4, 0x268eb7da,
+0x3b99acc8, 0x3094a5c6, 0x59dfd29c, 0x52d2db92, 0x4fc5c080, 0x44c8c98e,
+0x75ebf6a4, 0x7ee6ffaa, 0x63f1e4b8, 0x68fcedb6, 0xb1670a0c, 0xba6a0302,
+0xa77d1810, 0xac70111e, 0x9d532e34, 0x965e273a, 0x8b493c28, 0x80443526,
+0xe90f427c, 0xe2024b72, 0xff155060, 0xf418596e, 0xc53b6644, 0xce366f4a,
+0xd3217458, 0xd82c7d56, 0x7a0ca137, 0x7101a839, 0x6c16b32b, 0x671bba25,
+0x5638850f, 0x5d358c01, 0x40229713, 0x4b2f9e1d, 0x2264e947, 0x2969e049,
+0x347efb5b, 0x3f73f255, 0x0e50cd7f, 0x055dc471, 0x184adf63, 0x1347d66d,
+0xcadc31d7, 0xc1d138d9, 0xdcc623cb, 0xd7cb2ac5, 0xe6e815ef, 0xede51ce1,
+0xf0f207f3, 0xfbff0efd, 0x92b479a7, 0x99b970a9, 0x84ae6bbb, 0x8fa362b5,
+0xbe805d9f, 0xb58d5491, 0xa89a4f83, 0xa397468d  
+};
+#else
+static const PRUint32 _IMXC0[256] = 
+{
+0x00000000, 0x0e090d0b, 0x1c121a16, 0x121b171d, 0x3824342c, 0x362d3927,
+0x24362e3a, 0x2a3f2331, 0x70486858, 0x7e416553, 0x6c5a724e, 0x62537f45,
+0x486c5c74, 0x4665517f, 0x547e4662, 0x5a774b69, 0xe090d0b0, 0xee99ddbb,
+0xfc82caa6, 0xf28bc7ad, 0xd8b4e49c, 0xd6bde997, 0xc4a6fe8a, 0xcaaff381,
+0x90d8b8e8, 0x9ed1b5e3, 0x8ccaa2fe, 0x82c3aff5, 0xa8fc8cc4, 0xa6f581cf,
+0xb4ee96d2, 0xbae79bd9, 0xdb3bbb7b, 0xd532b670, 0xc729a16d, 0xc920ac66,
+0xe31f8f57, 0xed16825c, 0xff0d9541, 0xf104984a, 0xab73d323, 0xa57ade28,
+0xb761c935, 0xb968c43e, 0x9357e70f, 0x9d5eea04, 0x8f45fd19, 0x814cf012,
+0x3bab6bcb, 0x35a266c0, 0x27b971dd, 0x29b07cd6, 0x038f5fe7, 0x0d8652ec,
+0x1f9d45f1, 0x119448fa, 0x4be30393, 0x45ea0e98, 0x57f11985, 0x59f8148e,
+0x73c737bf, 0x7dce3ab4, 0x6fd52da9, 0x61dc20a2, 0xad766df6, 0xa37f60fd,
+0xb16477e0, 0xbf6d7aeb, 0x955259da, 0x9b5b54d1, 0x894043cc, 0x87494ec7,
+0xdd3e05ae, 0xd33708a5, 0xc12c1fb8, 0xcf2512b3, 0xe51a3182, 0xeb133c89,
+0xf9082b94, 0xf701269f, 0x4de6bd46, 0x43efb04d, 0x51f4a750, 0x5ffdaa5b,
+0x75c2896a, 0x7bcb8461, 0x69d0937c, 0x67d99e77, 0x3daed51e, 0x33a7d815,
+0x21bccf08, 0x2fb5c203, 0x058ae132, 0x0b83ec39, 0x1998fb24, 0x1791f62f,
+0x764dd68d, 0x7844db86, 0x6a5fcc9b, 0x6456c190, 0x4e69e2a1, 0x4060efaa,
+0x527bf8b7, 0x5c72f5bc, 0x0605bed5, 0x080cb3de, 0x1a17a4c3, 0x141ea9c8,
+0x3e218af9, 0x302887f2, 0x223390ef, 0x2c3a9de4, 0x96dd063d, 0x98d40b36,
+0x8acf1c2b, 0x84c61120, 0xaef93211, 0xa0f03f1a, 0xb2eb2807, 0xbce2250c,
+0xe6956e65, 0xe89c636e, 0xfa877473, 0xf48e7978, 0xdeb15a49, 0xd0b85742,
+0xc2a3405f, 0xccaa4d54, 0x41ecdaf7, 0x4fe5d7fc, 0x5dfec0e1, 0x53f7cdea,
+0x79c8eedb, 0x77c1e3d0, 0x65daf4cd, 0x6bd3f9c6, 0x31a4b2af, 0x3fadbfa4,
+0x2db6a8b9, 0x23bfa5b2, 0x09808683, 0x07898b88, 0x15929c95, 0x1b9b919e,
+0xa17c0a47, 0xaf75074c, 0xbd6e1051, 0xb3671d5a, 0x99583e6b, 0x97513360,
+0x854a247d, 0x8b432976, 0xd134621f, 0xdf3d6f14, 0xcd267809, 0xc32f7502,
+0xe9105633, 0xe7195b38, 0xf5024c25, 0xfb0b412e, 0x9ad7618c, 0x94de6c87,
+0x86c57b9a, 0x88cc7691, 0xa2f355a0, 0xacfa58ab, 0xbee14fb6, 0xb0e842bd,
+0xea9f09d4, 0xe49604df, 0xf68d13c2, 0xf8841ec9, 0xd2bb3df8, 0xdcb230f3,
+0xcea927ee, 0xc0a02ae5, 0x7a47b13c, 0x744ebc37, 0x6655ab2a, 0x685ca621,
+0x42638510, 0x4c6a881b, 0x5e719f06, 0x5078920d, 0x0a0fd964, 0x0406d46f,
+0x161dc372, 0x1814ce79, 0x322bed48, 0x3c22e043, 0x2e39f75e, 0x2030fa55,
+0xec9ab701, 0xe293ba0a, 0xf088ad17, 0xfe81a01c, 0xd4be832d, 0xdab78e26,
+0xc8ac993b, 0xc6a59430, 0x9cd2df59, 0x92dbd252, 0x80c0c54f, 0x8ec9c844,
+0xa4f6eb75, 0xaaffe67e, 0xb8e4f163, 0xb6edfc68, 0x0c0a67b1, 0x02036aba,
+0x10187da7, 0x1e1170ac, 0x342e539d, 0x3a275e96, 0x283c498b, 0x26354480,
+0x7c420fe9, 0x724b02e2, 0x605015ff, 0x6e5918f4, 0x44663bc5, 0x4a6f36ce,
+0x587421d3, 0x567d2cd8, 0x37a10c7a, 0x39a80171, 0x2bb3166c, 0x25ba1b67,
+0x0f853856, 0x018c355d, 0x13972240, 0x1d9e2f4b, 0x47e96422, 0x49e06929,
+0x5bfb7e34, 0x55f2733f, 0x7fcd500e, 0x71c45d05, 0x63df4a18, 0x6dd64713,
+0xd731dcca, 0xd938d1c1, 0xcb23c6dc, 0xc52acbd7, 0xef15e8e6, 0xe11ce5ed,
+0xf307f2f0, 0xfd0efffb, 0xa779b492, 0xa970b999, 0xbb6bae84, 0xb562a38f,
+0x9f5d80be, 0x91548db5, 0x834f9aa8, 0x8d4697a3  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC1[256] = 
+{
+0x00000000, 0x0d090e0b, 0x1a121c16, 0x171b121d, 0x3424382c, 0x392d3627,
+0x2e36243a, 0x233f2a31, 0x68487058, 0x65417e53, 0x725a6c4e, 0x7f536245,
+0x5c6c4874, 0x5165467f, 0x467e5462, 0x4b775a69, 0xd090e0b0, 0xdd99eebb,
+0xca82fca6, 0xc78bf2ad, 0xe4b4d89c, 0xe9bdd697, 0xfea6c48a, 0xf3afca81,
+0xb8d890e8, 0xb5d19ee3, 0xa2ca8cfe, 0xafc382f5, 0x8cfca8c4, 0x81f5a6cf,
+0x96eeb4d2, 0x9be7bad9, 0xbb3bdb7b, 0xb632d570, 0xa129c76d, 0xac20c966,
+0x8f1fe357, 0x8216ed5c, 0x950dff41, 0x9804f14a, 0xd373ab23, 0xde7aa528,
+0xc961b735, 0xc468b93e, 0xe757930f, 0xea5e9d04, 0xfd458f19, 0xf04c8112,
+0x6bab3bcb, 0x66a235c0, 0x71b927dd, 0x7cb029d6, 0x5f8f03e7, 0x52860dec,
+0x459d1ff1, 0x489411fa, 0x03e34b93, 0x0eea4598, 0x19f15785, 0x14f8598e,
+0x37c773bf, 0x3ace7db4, 0x2dd56fa9, 0x20dc61a2, 0x6d76adf6, 0x607fa3fd,
+0x7764b1e0, 0x7a6dbfeb, 0x595295da, 0x545b9bd1, 0x434089cc, 0x4e4987c7,
+0x053eddae, 0x0837d3a5, 0x1f2cc1b8, 0x1225cfb3, 0x311ae582, 0x3c13eb89,
+0x2b08f994, 0x2601f79f, 0xbde64d46, 0xb0ef434d, 0xa7f45150, 0xaafd5f5b,
+0x89c2756a, 0x84cb7b61, 0x93d0697c, 0x9ed96777, 0xd5ae3d1e, 0xd8a73315,
+0xcfbc2108, 0xc2b52f03, 0xe18a0532, 0xec830b39, 0xfb981924, 0xf691172f,
+0xd64d768d, 0xdb447886, 0xcc5f6a9b, 0xc1566490, 0xe2694ea1, 0xef6040aa,
+0xf87b52b7, 0xf5725cbc, 0xbe0506d5, 0xb30c08de, 0xa4171ac3, 0xa91e14c8,
+0x8a213ef9, 0x872830f2, 0x903322ef, 0x9d3a2ce4, 0x06dd963d, 0x0bd49836,
+0x1ccf8a2b, 0x11c68420, 0x32f9ae11, 0x3ff0a01a, 0x28ebb207, 0x25e2bc0c,
+0x6e95e665, 0x639ce86e, 0x7487fa73, 0x798ef478, 0x5ab1de49, 0x57b8d042,
+0x40a3c25f, 0x4daacc54, 0xdaec41f7, 0xd7e54ffc, 0xc0fe5de1, 0xcdf753ea,
+0xeec879db, 0xe3c177d0, 0xf4da65cd, 0xf9d36bc6, 0xb2a431af, 0xbfad3fa4,
+0xa8b62db9, 0xa5bf23b2, 0x86800983, 0x8b890788, 0x9c921595, 0x919b1b9e,
+0x0a7ca147, 0x0775af4c, 0x106ebd51, 0x1d67b35a, 0x3e58996b, 0x33519760,
+0x244a857d, 0x29438b76, 0x6234d11f, 0x6f3ddf14, 0x7826cd09, 0x752fc302,
+0x5610e933, 0x5b19e738, 0x4c02f525, 0x410bfb2e, 0x61d79a8c, 0x6cde9487,
+0x7bc5869a, 0x76cc8891, 0x55f3a2a0, 0x58faacab, 0x4fe1beb6, 0x42e8b0bd,
+0x099fead4, 0x0496e4df, 0x138df6c2, 0x1e84f8c9, 0x3dbbd2f8, 0x30b2dcf3,
+0x27a9ceee, 0x2aa0c0e5, 0xb1477a3c, 0xbc4e7437, 0xab55662a, 0xa65c6821,
+0x85634210, 0x886a4c1b, 0x9f715e06, 0x9278500d, 0xd90f0a64, 0xd406046f,
+0xc31d1672, 0xce141879, 0xed2b3248, 0xe0223c43, 0xf7392e5e, 0xfa302055,
+0xb79aec01, 0xba93e20a, 0xad88f017, 0xa081fe1c, 0x83bed42d, 0x8eb7da26,
+0x99acc83b, 0x94a5c630, 0xdfd29c59, 0xd2db9252, 0xc5c0804f, 0xc8c98e44,
+0xebf6a475, 0xe6ffaa7e, 0xf1e4b863, 0xfcedb668, 0x670a0cb1, 0x6a0302ba,
+0x7d1810a7, 0x70111eac, 0x532e349d, 0x5e273a96, 0x493c288b, 0x44352680,
+0x0f427ce9, 0x024b72e2, 0x155060ff, 0x18596ef4, 0x3b6644c5, 0x366f4ace,
+0x217458d3, 0x2c7d56d8, 0x0ca1377a, 0x01a83971, 0x16b32b6c, 0x1bba2567,
+0x38850f56, 0x358c015d, 0x22971340, 0x2f9e1d4b, 0x64e94722, 0x69e04929,
+0x7efb5b34, 0x73f2553f, 0x50cd7f0e, 0x5dc47105, 0x4adf6318, 0x47d66d13,
+0xdc31d7ca, 0xd138d9c1, 0xc623cbdc, 0xcb2ac5d7, 0xe815efe6, 0xe51ce1ed,
+0xf207f3f0, 0xff0efdfb, 0xb479a792, 0xb970a999, 0xae6bbb84, 0xa362b58f,
+0x805d9fbe, 0x8d5491b5, 0x9a4f83a8, 0x97468da3  
+};
+#else
+static const PRUint32 _IMXC1[256] = 
+{
+0x00000000, 0x0b0e090d, 0x161c121a, 0x1d121b17, 0x2c382434, 0x27362d39,
+0x3a24362e, 0x312a3f23, 0x58704868, 0x537e4165, 0x4e6c5a72, 0x4562537f,
+0x74486c5c, 0x7f466551, 0x62547e46, 0x695a774b, 0xb0e090d0, 0xbbee99dd,
+0xa6fc82ca, 0xadf28bc7, 0x9cd8b4e4, 0x97d6bde9, 0x8ac4a6fe, 0x81caaff3,
+0xe890d8b8, 0xe39ed1b5, 0xfe8ccaa2, 0xf582c3af, 0xc4a8fc8c, 0xcfa6f581,
+0xd2b4ee96, 0xd9bae79b, 0x7bdb3bbb, 0x70d532b6, 0x6dc729a1, 0x66c920ac,
+0x57e31f8f, 0x5ced1682, 0x41ff0d95, 0x4af10498, 0x23ab73d3, 0x28a57ade,
+0x35b761c9, 0x3eb968c4, 0x0f9357e7, 0x049d5eea, 0x198f45fd, 0x12814cf0,
+0xcb3bab6b, 0xc035a266, 0xdd27b971, 0xd629b07c, 0xe7038f5f, 0xec0d8652,
+0xf11f9d45, 0xfa119448, 0x934be303, 0x9845ea0e, 0x8557f119, 0x8e59f814,
+0xbf73c737, 0xb47dce3a, 0xa96fd52d, 0xa261dc20, 0xf6ad766d, 0xfda37f60,
+0xe0b16477, 0xebbf6d7a, 0xda955259, 0xd19b5b54, 0xcc894043, 0xc787494e,
+0xaedd3e05, 0xa5d33708, 0xb8c12c1f, 0xb3cf2512, 0x82e51a31, 0x89eb133c,
+0x94f9082b, 0x9ff70126, 0x464de6bd, 0x4d43efb0, 0x5051f4a7, 0x5b5ffdaa,
+0x6a75c289, 0x617bcb84, 0x7c69d093, 0x7767d99e, 0x1e3daed5, 0x1533a7d8,
+0x0821bccf, 0x032fb5c2, 0x32058ae1, 0x390b83ec, 0x241998fb, 0x2f1791f6,
+0x8d764dd6, 0x867844db, 0x9b6a5fcc, 0x906456c1, 0xa14e69e2, 0xaa4060ef,
+0xb7527bf8, 0xbc5c72f5, 0xd50605be, 0xde080cb3, 0xc31a17a4, 0xc8141ea9,
+0xf93e218a, 0xf2302887, 0xef223390, 0xe42c3a9d, 0x3d96dd06, 0x3698d40b,
+0x2b8acf1c, 0x2084c611, 0x11aef932, 0x1aa0f03f, 0x07b2eb28, 0x0cbce225,
+0x65e6956e, 0x6ee89c63, 0x73fa8774, 0x78f48e79, 0x49deb15a, 0x42d0b857,
+0x5fc2a340, 0x54ccaa4d, 0xf741ecda, 0xfc4fe5d7, 0xe15dfec0, 0xea53f7cd,
+0xdb79c8ee, 0xd077c1e3, 0xcd65daf4, 0xc66bd3f9, 0xaf31a4b2, 0xa43fadbf,
+0xb92db6a8, 0xb223bfa5, 0x83098086, 0x8807898b, 0x9515929c, 0x9e1b9b91,
+0x47a17c0a, 0x4caf7507, 0x51bd6e10, 0x5ab3671d, 0x6b99583e, 0x60975133,
+0x7d854a24, 0x768b4329, 0x1fd13462, 0x14df3d6f, 0x09cd2678, 0x02c32f75,
+0x33e91056, 0x38e7195b, 0x25f5024c, 0x2efb0b41, 0x8c9ad761, 0x8794de6c,
+0x9a86c57b, 0x9188cc76, 0xa0a2f355, 0xabacfa58, 0xb6bee14f, 0xbdb0e842,
+0xd4ea9f09, 0xdfe49604, 0xc2f68d13, 0xc9f8841e, 0xf8d2bb3d, 0xf3dcb230,
+0xeecea927, 0xe5c0a02a, 0x3c7a47b1, 0x37744ebc, 0x2a6655ab, 0x21685ca6,
+0x10426385, 0x1b4c6a88, 0x065e719f, 0x0d507892, 0x640a0fd9, 0x6f0406d4,
+0x72161dc3, 0x791814ce, 0x48322bed, 0x433c22e0, 0x5e2e39f7, 0x552030fa,
+0x01ec9ab7, 0x0ae293ba, 0x17f088ad, 0x1cfe81a0, 0x2dd4be83, 0x26dab78e,
+0x3bc8ac99, 0x30c6a594, 0x599cd2df, 0x5292dbd2, 0x4f80c0c5, 0x448ec9c8,
+0x75a4f6eb, 0x7eaaffe6, 0x63b8e4f1, 0x68b6edfc, 0xb10c0a67, 0xba02036a,
+0xa710187d, 0xac1e1170, 0x9d342e53, 0x963a275e, 0x8b283c49, 0x80263544,
+0xe97c420f, 0xe2724b02, 0xff605015, 0xf46e5918, 0xc544663b, 0xce4a6f36,
+0xd3587421, 0xd8567d2c, 0x7a37a10c, 0x7139a801, 0x6c2bb316, 0x6725ba1b,
+0x560f8538, 0x5d018c35, 0x40139722, 0x4b1d9e2f, 0x2247e964, 0x2949e069,
+0x345bfb7e, 0x3f55f273, 0x0e7fcd50, 0x0571c45d, 0x1863df4a, 0x136dd647,
+0xcad731dc, 0xc1d938d1, 0xdccb23c6, 0xd7c52acb, 0xe6ef15e8, 0xede11ce5,
+0xf0f307f2, 0xfbfd0eff, 0x92a779b4, 0x99a970b9, 0x84bb6bae, 0x8fb562a3,
+0xbe9f5d80, 0xb591548d, 0xa8834f9a, 0xa38d4697  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC2[256] = 
+{
+0x00000000, 0x090e0b0d, 0x121c161a, 0x1b121d17, 0x24382c34, 0x2d362739,
+0x36243a2e, 0x3f2a3123, 0x48705868, 0x417e5365, 0x5a6c4e72, 0x5362457f,
+0x6c48745c, 0x65467f51, 0x7e546246, 0x775a694b, 0x90e0b0d0, 0x99eebbdd,
+0x82fca6ca, 0x8bf2adc7, 0xb4d89ce4, 0xbdd697e9, 0xa6c48afe, 0xafca81f3,
+0xd890e8b8, 0xd19ee3b5, 0xca8cfea2, 0xc382f5af, 0xfca8c48c, 0xf5a6cf81,
+0xeeb4d296, 0xe7bad99b, 0x3bdb7bbb, 0x32d570b6, 0x29c76da1, 0x20c966ac,
+0x1fe3578f, 0x16ed5c82, 0x0dff4195, 0x04f14a98, 0x73ab23d3, 0x7aa528de,
+0x61b735c9, 0x68b93ec4, 0x57930fe7, 0x5e9d04ea, 0x458f19fd, 0x4c8112f0,
+0xab3bcb6b, 0xa235c066, 0xb927dd71, 0xb029d67c, 0x8f03e75f, 0x860dec52,
+0x9d1ff145, 0x9411fa48, 0xe34b9303, 0xea45980e, 0xf1578519, 0xf8598e14,
+0xc773bf37, 0xce7db43a, 0xd56fa92d, 0xdc61a220, 0x76adf66d, 0x7fa3fd60,
+0x64b1e077, 0x6dbfeb7a, 0x5295da59, 0x5b9bd154, 0x4089cc43, 0x4987c74e,
+0x3eddae05, 0x37d3a508, 0x2cc1b81f, 0x25cfb312, 0x1ae58231, 0x13eb893c,
+0x08f9942b, 0x01f79f26, 0xe64d46bd, 0xef434db0, 0xf45150a7, 0xfd5f5baa,
+0xc2756a89, 0xcb7b6184, 0xd0697c93, 0xd967779e, 0xae3d1ed5, 0xa73315d8,
+0xbc2108cf, 0xb52f03c2, 0x8a0532e1, 0x830b39ec, 0x981924fb, 0x91172ff6,
+0x4d768dd6, 0x447886db, 0x5f6a9bcc, 0x566490c1, 0x694ea1e2, 0x6040aaef,
+0x7b52b7f8, 0x725cbcf5, 0x0506d5be, 0x0c08deb3, 0x171ac3a4, 0x1e14c8a9,
+0x213ef98a, 0x2830f287, 0x3322ef90, 0x3a2ce49d, 0xdd963d06, 0xd498360b,
+0xcf8a2b1c, 0xc6842011, 0xf9ae1132, 0xf0a01a3f, 0xebb20728, 0xe2bc0c25,
+0x95e6656e, 0x9ce86e63, 0x87fa7374, 0x8ef47879, 0xb1de495a, 0xb8d04257,
+0xa3c25f40, 0xaacc544d, 0xec41f7da, 0xe54ffcd7, 0xfe5de1c0, 0xf753eacd,
+0xc879dbee, 0xc177d0e3, 0xda65cdf4, 0xd36bc6f9, 0xa431afb2, 0xad3fa4bf,
+0xb62db9a8, 0xbf23b2a5, 0x80098386, 0x8907888b, 0x9215959c, 0x9b1b9e91,
+0x7ca1470a, 0x75af4c07, 0x6ebd5110, 0x67b35a1d, 0x58996b3e, 0x51976033,
+0x4a857d24, 0x438b7629, 0x34d11f62, 0x3ddf146f, 0x26cd0978, 0x2fc30275,
+0x10e93356, 0x19e7385b, 0x02f5254c, 0x0bfb2e41, 0xd79a8c61, 0xde94876c,
+0xc5869a7b, 0xcc889176, 0xf3a2a055, 0xfaacab58, 0xe1beb64f, 0xe8b0bd42,
+0x9fead409, 0x96e4df04, 0x8df6c213, 0x84f8c91e, 0xbbd2f83d, 0xb2dcf330,
+0xa9ceee27, 0xa0c0e52a, 0x477a3cb1, 0x4e7437bc, 0x55662aab, 0x5c6821a6,
+0x63421085, 0x6a4c1b88, 0x715e069f, 0x78500d92, 0x0f0a64d9, 0x06046fd4,
+0x1d1672c3, 0x141879ce, 0x2b3248ed, 0x223c43e0, 0x392e5ef7, 0x302055fa,
+0x9aec01b7, 0x93e20aba, 0x88f017ad, 0x81fe1ca0, 0xbed42d83, 0xb7da268e,
+0xacc83b99, 0xa5c63094, 0xd29c59df, 0xdb9252d2, 0xc0804fc5, 0xc98e44c8,
+0xf6a475eb, 0xffaa7ee6, 0xe4b863f1, 0xedb668fc, 0x0a0cb167, 0x0302ba6a,
+0x1810a77d, 0x111eac70, 0x2e349d53, 0x273a965e, 0x3c288b49, 0x35268044,
+0x427ce90f, 0x4b72e202, 0x5060ff15, 0x596ef418, 0x6644c53b, 0x6f4ace36,
+0x7458d321, 0x7d56d82c, 0xa1377a0c, 0xa8397101, 0xb32b6c16, 0xba25671b,
+0x850f5638, 0x8c015d35, 0x97134022, 0x9e1d4b2f, 0xe9472264, 0xe0492969,
+0xfb5b347e, 0xf2553f73, 0xcd7f0e50, 0xc471055d, 0xdf63184a, 0xd66d1347,
+0x31d7cadc, 0x38d9c1d1, 0x23cbdcc6, 0x2ac5d7cb, 0x15efe6e8, 0x1ce1ede5,
+0x07f3f0f2, 0x0efdfbff, 0x79a792b4, 0x70a999b9, 0x6bbb84ae, 0x62b58fa3,
+0x5d9fbe80, 0x5491b58d, 0x4f83a89a, 0x468da397  
+};
+#else
+static const PRUint32 _IMXC2[256] = 
+{
+0x00000000, 0x0d0b0e09, 0x1a161c12, 0x171d121b, 0x342c3824, 0x3927362d,
+0x2e3a2436, 0x23312a3f, 0x68587048, 0x65537e41, 0x724e6c5a, 0x7f456253,
+0x5c74486c, 0x517f4665, 0x4662547e, 0x4b695a77, 0xd0b0e090, 0xddbbee99,
+0xcaa6fc82, 0xc7adf28b, 0xe49cd8b4, 0xe997d6bd, 0xfe8ac4a6, 0xf381caaf,
+0xb8e890d8, 0xb5e39ed1, 0xa2fe8cca, 0xaff582c3, 0x8cc4a8fc, 0x81cfa6f5,
+0x96d2b4ee, 0x9bd9bae7, 0xbb7bdb3b, 0xb670d532, 0xa16dc729, 0xac66c920,
+0x8f57e31f, 0x825ced16, 0x9541ff0d, 0x984af104, 0xd323ab73, 0xde28a57a,
+0xc935b761, 0xc43eb968, 0xe70f9357, 0xea049d5e, 0xfd198f45, 0xf012814c,
+0x6bcb3bab, 0x66c035a2, 0x71dd27b9, 0x7cd629b0, 0x5fe7038f, 0x52ec0d86,
+0x45f11f9d, 0x48fa1194, 0x03934be3, 0x0e9845ea, 0x198557f1, 0x148e59f8,
+0x37bf73c7, 0x3ab47dce, 0x2da96fd5, 0x20a261dc, 0x6df6ad76, 0x60fda37f,
+0x77e0b164, 0x7aebbf6d, 0x59da9552, 0x54d19b5b, 0x43cc8940, 0x4ec78749,
+0x05aedd3e, 0x08a5d337, 0x1fb8c12c, 0x12b3cf25, 0x3182e51a, 0x3c89eb13,
+0x2b94f908, 0x269ff701, 0xbd464de6, 0xb04d43ef, 0xa75051f4, 0xaa5b5ffd,
+0x896a75c2, 0x84617bcb, 0x937c69d0, 0x9e7767d9, 0xd51e3dae, 0xd81533a7,
+0xcf0821bc, 0xc2032fb5, 0xe132058a, 0xec390b83, 0xfb241998, 0xf62f1791,
+0xd68d764d, 0xdb867844, 0xcc9b6a5f, 0xc1906456, 0xe2a14e69, 0xefaa4060,
+0xf8b7527b, 0xf5bc5c72, 0xbed50605, 0xb3de080c, 0xa4c31a17, 0xa9c8141e,
+0x8af93e21, 0x87f23028, 0x90ef2233, 0x9de42c3a, 0x063d96dd, 0x0b3698d4,
+0x1c2b8acf, 0x112084c6, 0x3211aef9, 0x3f1aa0f0, 0x2807b2eb, 0x250cbce2,
+0x6e65e695, 0x636ee89c, 0x7473fa87, 0x7978f48e, 0x5a49deb1, 0x5742d0b8,
+0x405fc2a3, 0x4d54ccaa, 0xdaf741ec, 0xd7fc4fe5, 0xc0e15dfe, 0xcdea53f7,
+0xeedb79c8, 0xe3d077c1, 0xf4cd65da, 0xf9c66bd3, 0xb2af31a4, 0xbfa43fad,
+0xa8b92db6, 0xa5b223bf, 0x86830980, 0x8b880789, 0x9c951592, 0x919e1b9b,
+0x0a47a17c, 0x074caf75, 0x1051bd6e, 0x1d5ab367, 0x3e6b9958, 0x33609751,
+0x247d854a, 0x29768b43, 0x621fd134, 0x6f14df3d, 0x7809cd26, 0x7502c32f,
+0x5633e910, 0x5b38e719, 0x4c25f502, 0x412efb0b, 0x618c9ad7, 0x6c8794de,
+0x7b9a86c5, 0x769188cc, 0x55a0a2f3, 0x58abacfa, 0x4fb6bee1, 0x42bdb0e8,
+0x09d4ea9f, 0x04dfe496, 0x13c2f68d, 0x1ec9f884, 0x3df8d2bb, 0x30f3dcb2,
+0x27eecea9, 0x2ae5c0a0, 0xb13c7a47, 0xbc37744e, 0xab2a6655, 0xa621685c,
+0x85104263, 0x881b4c6a, 0x9f065e71, 0x920d5078, 0xd9640a0f, 0xd46f0406,
+0xc372161d, 0xce791814, 0xed48322b, 0xe0433c22, 0xf75e2e39, 0xfa552030,
+0xb701ec9a, 0xba0ae293, 0xad17f088, 0xa01cfe81, 0x832dd4be, 0x8e26dab7,
+0x993bc8ac, 0x9430c6a5, 0xdf599cd2, 0xd25292db, 0xc54f80c0, 0xc8448ec9,
+0xeb75a4f6, 0xe67eaaff, 0xf163b8e4, 0xfc68b6ed, 0x67b10c0a, 0x6aba0203,
+0x7da71018, 0x70ac1e11, 0x539d342e, 0x5e963a27, 0x498b283c, 0x44802635,
+0x0fe97c42, 0x02e2724b, 0x15ff6050, 0x18f46e59, 0x3bc54466, 0x36ce4a6f,
+0x21d35874, 0x2cd8567d, 0x0c7a37a1, 0x017139a8, 0x166c2bb3, 0x1b6725ba,
+0x38560f85, 0x355d018c, 0x22401397, 0x2f4b1d9e, 0x642247e9, 0x692949e0,
+0x7e345bfb, 0x733f55f2, 0x500e7fcd, 0x5d0571c4, 0x4a1863df, 0x47136dd6,
+0xdccad731, 0xd1c1d938, 0xc6dccb23, 0xcbd7c52a, 0xe8e6ef15, 0xe5ede11c,
+0xf2f0f307, 0xfffbfd0e, 0xb492a779, 0xb999a970, 0xae84bb6b, 0xa38fb562,
+0x80be9f5d, 0x8db59154, 0x9aa8834f, 0x97a38d46  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC3[256] = 
+{
+0x00000000, 0x0e0b0d09, 0x1c161a12, 0x121d171b, 0x382c3424, 0x3627392d,
+0x243a2e36, 0x2a31233f, 0x70586848, 0x7e536541, 0x6c4e725a, 0x62457f53,
+0x48745c6c, 0x467f5165, 0x5462467e, 0x5a694b77, 0xe0b0d090, 0xeebbdd99,
+0xfca6ca82, 0xf2adc78b, 0xd89ce4b4, 0xd697e9bd, 0xc48afea6, 0xca81f3af,
+0x90e8b8d8, 0x9ee3b5d1, 0x8cfea2ca, 0x82f5afc3, 0xa8c48cfc, 0xa6cf81f5,
+0xb4d296ee, 0xbad99be7, 0xdb7bbb3b, 0xd570b632, 0xc76da129, 0xc966ac20,
+0xe3578f1f, 0xed5c8216, 0xff41950d, 0xf14a9804, 0xab23d373, 0xa528de7a,
+0xb735c961, 0xb93ec468, 0x930fe757, 0x9d04ea5e, 0x8f19fd45, 0x8112f04c,
+0x3bcb6bab, 0x35c066a2, 0x27dd71b9, 0x29d67cb0, 0x03e75f8f, 0x0dec5286,
+0x1ff1459d, 0x11fa4894, 0x4b9303e3, 0x45980eea, 0x578519f1, 0x598e14f8,
+0x73bf37c7, 0x7db43ace, 0x6fa92dd5, 0x61a220dc, 0xadf66d76, 0xa3fd607f,
+0xb1e07764, 0xbfeb7a6d, 0x95da5952, 0x9bd1545b, 0x89cc4340, 0x87c74e49,
+0xddae053e, 0xd3a50837, 0xc1b81f2c, 0xcfb31225, 0xe582311a, 0xeb893c13,
+0xf9942b08, 0xf79f2601, 0x4d46bde6, 0x434db0ef, 0x5150a7f4, 0x5f5baafd,
+0x756a89c2, 0x7b6184cb, 0x697c93d0, 0x67779ed9, 0x3d1ed5ae, 0x3315d8a7,
+0x2108cfbc, 0x2f03c2b5, 0x0532e18a, 0x0b39ec83, 0x1924fb98, 0x172ff691,
+0x768dd64d, 0x7886db44, 0x6a9bcc5f, 0x6490c156, 0x4ea1e269, 0x40aaef60,
+0x52b7f87b, 0x5cbcf572, 0x06d5be05, 0x08deb30c, 0x1ac3a417, 0x14c8a91e,
+0x3ef98a21, 0x30f28728, 0x22ef9033, 0x2ce49d3a, 0x963d06dd, 0x98360bd4,
+0x8a2b1ccf, 0x842011c6, 0xae1132f9, 0xa01a3ff0, 0xb20728eb, 0xbc0c25e2,
+0xe6656e95, 0xe86e639c, 0xfa737487, 0xf478798e, 0xde495ab1, 0xd04257b8,
+0xc25f40a3, 0xcc544daa, 0x41f7daec, 0x4ffcd7e5, 0x5de1c0fe, 0x53eacdf7,
+0x79dbeec8, 0x77d0e3c1, 0x65cdf4da, 0x6bc6f9d3, 0x31afb2a4, 0x3fa4bfad,
+0x2db9a8b6, 0x23b2a5bf, 0x09838680, 0x07888b89, 0x15959c92, 0x1b9e919b,
+0xa1470a7c, 0xaf4c0775, 0xbd51106e, 0xb35a1d67, 0x996b3e58, 0x97603351,
+0x857d244a, 0x8b762943, 0xd11f6234, 0xdf146f3d, 0xcd097826, 0xc302752f,
+0xe9335610, 0xe7385b19, 0xf5254c02, 0xfb2e410b, 0x9a8c61d7, 0x94876cde,
+0x869a7bc5, 0x889176cc, 0xa2a055f3, 0xacab58fa, 0xbeb64fe1, 0xb0bd42e8,
+0xead4099f, 0xe4df0496, 0xf6c2138d, 0xf8c91e84, 0xd2f83dbb, 0xdcf330b2,
+0xceee27a9, 0xc0e52aa0, 0x7a3cb147, 0x7437bc4e, 0x662aab55, 0x6821a65c,
+0x42108563, 0x4c1b886a, 0x5e069f71, 0x500d9278, 0x0a64d90f, 0x046fd406,
+0x1672c31d, 0x1879ce14, 0x3248ed2b, 0x3c43e022, 0x2e5ef739, 0x2055fa30,
+0xec01b79a, 0xe20aba93, 0xf017ad88, 0xfe1ca081, 0xd42d83be, 0xda268eb7,
+0xc83b99ac, 0xc63094a5, 0x9c59dfd2, 0x9252d2db, 0x804fc5c0, 0x8e44c8c9,
+0xa475ebf6, 0xaa7ee6ff, 0xb863f1e4, 0xb668fced, 0x0cb1670a, 0x02ba6a03,
+0x10a77d18, 0x1eac7011, 0x349d532e, 0x3a965e27, 0x288b493c, 0x26804435,
+0x7ce90f42, 0x72e2024b, 0x60ff1550, 0x6ef41859, 0x44c53b66, 0x4ace366f,
+0x58d32174, 0x56d82c7d, 0x377a0ca1, 0x397101a8, 0x2b6c16b3, 0x25671bba,
+0x0f563885, 0x015d358c, 0x13402297, 0x1d4b2f9e, 0x472264e9, 0x492969e0,
+0x5b347efb, 0x553f73f2, 0x7f0e50cd, 0x71055dc4, 0x63184adf, 0x6d1347d6,
+0xd7cadc31, 0xd9c1d138, 0xcbdcc623, 0xc5d7cb2a, 0xefe6e815, 0xe1ede51c,
+0xf3f0f207, 0xfdfbff0e, 0xa792b479, 0xa999b970, 0xbb84ae6b, 0xb58fa362,
+0x9fbe805d, 0x91b58d54, 0x83a89a4f, 0x8da39746  
+};
+#else
+static const PRUint32 _IMXC3[256] = 
+{
+0x00000000, 0x090d0b0e, 0x121a161c, 0x1b171d12, 0x24342c38, 0x2d392736,
+0x362e3a24, 0x3f23312a, 0x48685870, 0x4165537e, 0x5a724e6c, 0x537f4562,
+0x6c5c7448, 0x65517f46, 0x7e466254, 0x774b695a, 0x90d0b0e0, 0x99ddbbee,
+0x82caa6fc, 0x8bc7adf2, 0xb4e49cd8, 0xbde997d6, 0xa6fe8ac4, 0xaff381ca,
+0xd8b8e890, 0xd1b5e39e, 0xcaa2fe8c, 0xc3aff582, 0xfc8cc4a8, 0xf581cfa6,
+0xee96d2b4, 0xe79bd9ba, 0x3bbb7bdb, 0x32b670d5, 0x29a16dc7, 0x20ac66c9,
+0x1f8f57e3, 0x16825ced, 0x0d9541ff, 0x04984af1, 0x73d323ab, 0x7ade28a5,
+0x61c935b7, 0x68c43eb9, 0x57e70f93, 0x5eea049d, 0x45fd198f, 0x4cf01281,
+0xab6bcb3b, 0xa266c035, 0xb971dd27, 0xb07cd629, 0x8f5fe703, 0x8652ec0d,
+0x9d45f11f, 0x9448fa11, 0xe303934b, 0xea0e9845, 0xf1198557, 0xf8148e59,
+0xc737bf73, 0xce3ab47d, 0xd52da96f, 0xdc20a261, 0x766df6ad, 0x7f60fda3,
+0x6477e0b1, 0x6d7aebbf, 0x5259da95, 0x5b54d19b, 0x4043cc89, 0x494ec787,
+0x3e05aedd, 0x3708a5d3, 0x2c1fb8c1, 0x2512b3cf, 0x1a3182e5, 0x133c89eb,
+0x082b94f9, 0x01269ff7, 0xe6bd464d, 0xefb04d43, 0xf4a75051, 0xfdaa5b5f,
+0xc2896a75, 0xcb84617b, 0xd0937c69, 0xd99e7767, 0xaed51e3d, 0xa7d81533,
+0xbccf0821, 0xb5c2032f, 0x8ae13205, 0x83ec390b, 0x98fb2419, 0x91f62f17,
+0x4dd68d76, 0x44db8678, 0x5fcc9b6a, 0x56c19064, 0x69e2a14e, 0x60efaa40,
+0x7bf8b752, 0x72f5bc5c, 0x05bed506, 0x0cb3de08, 0x17a4c31a, 0x1ea9c814,
+0x218af93e, 0x2887f230, 0x3390ef22, 0x3a9de42c, 0xdd063d96, 0xd40b3698,
+0xcf1c2b8a, 0xc6112084, 0xf93211ae, 0xf03f1aa0, 0xeb2807b2, 0xe2250cbc,
+0x956e65e6, 0x9c636ee8, 0x877473fa, 0x8e7978f4, 0xb15a49de, 0xb85742d0,
+0xa3405fc2, 0xaa4d54cc, 0xecdaf741, 0xe5d7fc4f, 0xfec0e15d, 0xf7cdea53,
+0xc8eedb79, 0xc1e3d077, 0xdaf4cd65, 0xd3f9c66b, 0xa4b2af31, 0xadbfa43f,
+0xb6a8b92d, 0xbfa5b223, 0x80868309, 0x898b8807, 0x929c9515, 0x9b919e1b,
+0x7c0a47a1, 0x75074caf, 0x6e1051bd, 0x671d5ab3, 0x583e6b99, 0x51336097,
+0x4a247d85, 0x4329768b, 0x34621fd1, 0x3d6f14df, 0x267809cd, 0x2f7502c3,
+0x105633e9, 0x195b38e7, 0x024c25f5, 0x0b412efb, 0xd7618c9a, 0xde6c8794,
+0xc57b9a86, 0xcc769188, 0xf355a0a2, 0xfa58abac, 0xe14fb6be, 0xe842bdb0,
+0x9f09d4ea, 0x9604dfe4, 0x8d13c2f6, 0x841ec9f8, 0xbb3df8d2, 0xb230f3dc,
+0xa927eece, 0xa02ae5c0, 0x47b13c7a, 0x4ebc3774, 0x55ab2a66, 0x5ca62168,
+0x63851042, 0x6a881b4c, 0x719f065e, 0x78920d50, 0x0fd9640a, 0x06d46f04,
+0x1dc37216, 0x14ce7918, 0x2bed4832, 0x22e0433c, 0x39f75e2e, 0x30fa5520,
+0x9ab701ec, 0x93ba0ae2, 0x88ad17f0, 0x81a01cfe, 0xbe832dd4, 0xb78e26da,
+0xac993bc8, 0xa59430c6, 0xd2df599c, 0xdbd25292, 0xc0c54f80, 0xc9c8448e,
+0xf6eb75a4, 0xffe67eaa, 0xe4f163b8, 0xedfc68b6, 0x0a67b10c, 0x036aba02,
+0x187da710, 0x1170ac1e, 0x2e539d34, 0x275e963a, 0x3c498b28, 0x35448026,
+0x420fe97c, 0x4b02e272, 0x5015ff60, 0x5918f46e, 0x663bc544, 0x6f36ce4a,
+0x7421d358, 0x7d2cd856, 0xa10c7a37, 0xa8017139, 0xb3166c2b, 0xba1b6725,
+0x8538560f, 0x8c355d01, 0x97224013, 0x9e2f4b1d, 0xe9642247, 0xe0692949,
+0xfb7e345b, 0xf2733f55, 0xcd500e7f, 0xc45d0571, 0xdf4a1863, 0xd647136d,
+0x31dccad7, 0x38d1c1d9, 0x23c6dccb, 0x2acbd7c5, 0x15e8e6ef, 0x1ce5ede1,
+0x07f2f0f3, 0x0efffbfd, 0x79b492a7, 0x70b999a9, 0x6bae84bb, 0x62a38fb5,
+0x5d80be9f, 0x548db591, 0x4f9aa883, 0x4697a38d  
+};
+#endif
+
+#endif /* RIJNDAEL_INCLUDE_TABLES */
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 Rcon[30] = {
+0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020,
+0x00000040, 0x00000080, 0x0000001b, 0x00000036, 0x0000006c, 0x000000d8,
+0x000000ab, 0x0000004d, 0x0000009a, 0x0000002f, 0x0000005e, 0x000000bc,
+0x00000063, 0x000000c6, 0x00000097, 0x00000035, 0x0000006a, 0x000000d4,
+0x000000b3, 0x0000007d, 0x000000fa, 0x000000ef, 0x000000c5, 0x00000091 
+};
+#else
+static const PRUint32 Rcon[30] = {
+0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000,
+0x40000000, 0x80000000, 0x1b000000, 0x36000000, 0x6c000000, 0xd8000000,
+0xab000000, 0x4d000000, 0x9a000000, 0x2f000000, 0x5e000000, 0xbc000000,
+0x63000000, 0xc6000000, 0x97000000, 0x35000000, 0x6a000000, 0xd4000000,
+0xb3000000, 0x7d000000, 0xfa000000, 0xef000000, 0xc5000000, 0x91000000 
+};
+#endif
+
diff --git a/security/nss/lib/freebl/rijndael_tables.c b/security/nss/lib/freebl/rijndael_tables.c
new file mode 100644
index 000000000..e2ebdeec6
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael_tables.c
@@ -0,0 +1,246 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "stdio.h"
+#include "prtypes.h"
+#include "blapi.h"
+
+/*
+ * what follows is code thrown together to generate the myriad of tables
+ * used by Rijndael, the AES cipher.
+ */
+
+
+#define WORD_LE(b0, b1, b2, b3) \
+    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | b0)
+
+#define WORD_BE(b0, b1, b2, b3) \
+    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | b3)
+
+static const PRUint8 __S[256] = 
+{
+ 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118, 
+202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 
+183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21, 
+  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117, 
+  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132, 
+ 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207, 
+208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168, 
+ 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210, 
+205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115, 
+ 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219, 
+224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121, 
+231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8, 
+186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138, 
+112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158, 
+225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223, 
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22, 
+};
+
+static const PRUint8 __SInv[256] = 
+{
+ 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251, 
+124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203, 
+ 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78, 
+  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37, 
+114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146, 
+108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132, 
+144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6, 
+208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107, 
+ 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115, 
+150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110, 
+ 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27, 
+252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244, 
+ 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95, 
+ 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239, 
+160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97, 
+ 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125
+};
+
+/* GF_MULTIPLY
+ *
+ * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
+ */
+PRUint8 gf_multiply(PRUint8 a, PRUint8 b)
+{
+    PRUint8 res = 0;
+    while (b > 0) {
+	res = (b & 0x01) ? res ^ a : res;
+	a = (a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1);
+	b >>= 1;
+    }
+    return res;
+}
+
+void
+make_T_Table(char *table, const PRUint8 Sx[256], FILE *file,
+             unsigned char m0, unsigned char m1, 
+             unsigned char m2, unsigned char m3)
+{
+    PRUint32 Ti;
+    int i;
+    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
+    for (i=0; i<256; i++) {
+	Ti = WORD_LE( gf_multiply(Sx[i], m0),
+	              gf_multiply(Sx[i], m1),
+	              gf_multiply(Sx[i], m2),
+	              gf_multiply(Sx[i], m3) );
+	if (Ti == 0)
+	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
+	                                    (i%6==5)?'\n':' ');
+	else
+	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
+	                                   (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#else\n");
+    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
+    for (i=0; i<256; i++) {
+	Ti = WORD_BE( gf_multiply(Sx[i], m0),
+	              gf_multiply(Sx[i], m1),
+	              gf_multiply(Sx[i], m2),
+	              gf_multiply(Sx[i], m3) );
+	if (Ti == 0)
+	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
+	                                    (i%6==5)?'\n':' ');
+	else
+	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
+	                                   (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#endif\n\n");
+}
+
+void make_InvMixCol_Table(int num, FILE *file, PRUint8 m0, PRUint8 m1, PRUint8 m2, PRUint8 m3)
+{
+    PRUint16 i;
+    PRUint8 b0, b1, b2, b3;
+    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
+    for (i=0; i<256; i++) {
+	b0 = gf_multiply(i, m0);
+	b1 = gf_multiply(i, m1);
+	b2 = gf_multiply(i, m2);
+	b3 = gf_multiply(i, m3);
+	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b3, b2, b1, b0, (i==255)?' ':',', (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#else\n");
+    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
+    for (i=0; i<256; i++) {
+	b0 = gf_multiply(i, m0);
+	b1 = gf_multiply(i, m1);
+	b2 = gf_multiply(i, m2);
+	b3 = gf_multiply(i, m3);
+	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b0, b1, b2, b3, (i==255)?' ':',', (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#endif\n\n");
+}
+
+int main()
+{
+    int i, j;
+    PRUint8 cur, last;
+    PRUint32 tmp;
+    FILE *optfile;
+    optfile = fopen("rijndael32.tab", "w");
+    /* output S, if there are no T tables */
+    fprintf(optfile, "#ifndef RIJNDAEL_INCLUDE_TABLES\n");
+    fprintf(optfile, "static const PRUint8 _S[256] = \n{\n");
+    for (i=0; i<256; i++) {
+	fprintf(optfile, "%3d%c%c", __S[i],(i==255)?' ':',', 
+	                            (i%16==15)?'\n':' ');
+    }
+    fprintf(optfile, "};\n#endif /* not RIJNDAEL_INCLUDE_TABLES */\n\n");
+    /* output S**-1 */
+    fprintf(optfile, "static const PRUint8 _SInv[256] = \n{\n");
+    for (i=0; i<256; i++) {
+	fprintf(optfile, "%3d%c%c", __SInv[i],(i==255)?' ':',', 
+	                            (i%16==15)?'\n':' ');
+    }
+    fprintf(optfile, "};\n\n");
+    fprintf(optfile, "#ifdef RIJNDAEL_INCLUDE_TABLES\n");
+    /* The 32-bit word tables for optimized implementation */
+    /* T0 = [ S[a] * 02, S[a], S[a], S[a] * 03 ] */
+    make_T_Table("0", __S, optfile, 0x02, 0x01, 0x01, 0x03);
+    /* T1 = [ S[a] * 03, S[a] * 02, S[a], S[a] ] */
+    make_T_Table("1", __S, optfile, 0x03, 0x02, 0x01, 0x01);
+    /* T2 = [ S[a], S[a] * 03, S[a] * 02, S[a] ] */
+    make_T_Table("2", __S, optfile, 0x01, 0x03, 0x02, 0x01);
+    /* T3 = [ S[a], S[a], S[a] * 03, S[a] * 02 ] */
+    make_T_Table("3", __S, optfile, 0x01, 0x01, 0x03, 0x02);
+    /* TInv0 = [ Si[a] * 0E, Si[a] * 09, Si[a] * 0D, Si[a] * 0B ] */
+    make_T_Table("Inv0", __SInv, optfile, 0x0e, 0x09, 0x0d, 0x0b);
+    /* TInv1 = [ Si[a] * 0B, Si[a] * 0E, Si[a] * 09, Si[a] * 0D ] */
+    make_T_Table("Inv1", __SInv, optfile, 0x0b, 0x0e, 0x09, 0x0d);
+    /* TInv2 = [ Si[a] * 0D, Si[a] * 0B, Si[a] * 0E, Si[a] * 09 ] */
+    make_T_Table("Inv2", __SInv, optfile, 0x0d, 0x0b, 0x0e, 0x09);
+    /* TInv3 = [ Si[a] * 09, Si[a] * 0D, Si[a] * 0B, Si[a] * 0E ] */
+    make_T_Table("Inv3", __SInv, optfile, 0x09, 0x0d, 0x0b, 0x0e);
+    /* byte multiply tables for inverse key expansion (mimics InvMixColumn) */
+    make_InvMixCol_Table(0, optfile, 0x0e, 0x09, 0x0d, 0x0b);
+    make_InvMixCol_Table(1, optfile, 0x0b, 0x0E, 0x09, 0x0d);
+    make_InvMixCol_Table(2, optfile, 0x0d, 0x0b, 0x0e, 0x09);
+    make_InvMixCol_Table(3, optfile, 0x09, 0x0d, 0x0b, 0x0e);
+    fprintf(optfile, "#endif /* RIJNDAEL_INCLUDE_TABLES */\n\n");
+    /* round constants for key expansion */
+    fprintf(optfile, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
+    cur = 0x01;
+    for (i=0; i<30; i++) {
+	fprintf(optfile, "%#.8x%c%c", WORD_LE(cur, 0, 0, 0), 
+	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
+	last = cur;
+	cur = gf_multiply(last, 0x02);
+    }
+    fprintf(optfile, "};\n");
+    fprintf(optfile, "#else\n");
+    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
+    cur = 0x01;
+    for (i=0; i<30; i++) {
+	fprintf(optfile, "%#.8x%c%c", WORD_BE(cur, 0, 0, 0), 
+	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
+	last = cur;
+	cur = gf_multiply(last, 0x02);
+    }
+    fprintf(optfile, "};\n");
+    fprintf(optfile, "#endif\n\n");
+    fclose(optfile);
+    return 0;
+}
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
new file mode 100644
index 000000000..171d55696
--- /dev/null
+++ b/security/nss/lib/freebl/rsa.c
@@ -0,0 +1,957 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * RSA key generation, public key op, private key op.
+ *
+ * $Id$
+ */
+
+#include "secerr.h"
+
+#include "prclist.h"
+#include "nssilock.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include "secmpi.h"
+#include "secitem.h"
+
+/*
+** Number of times to attempt to generate a prime (p or q) from a random
+** seed (the seed changes for each iteration).
+*/
+#define MAX_PRIME_GEN_ATTEMPTS 10
+/*
+** Number of times to attempt to generate a key.  The primes p and q change
+** for each attempt.
+*/
+#define MAX_KEY_GEN_ATTEMPTS 10
+
+/* exponent should not be greater than modulus */
+#define BAD_RSA_KEY_SIZE(modLen, expLen) \
+    ((expLen) > (modLen) || (modLen) > RSA_MAX_MODULUS_BITS/8 || \
+    (expLen) > RSA_MAX_EXPONENT_BITS/8)
+
+/*
+** RSABlindingParamsStr
+**
+** For discussion of Paul Kocher's timing attack against an RSA private key
+** operation, see http://www.cryptography.com/timingattack/paper.html.  The 
+** countermeasure to this attack, known as blinding, is also discussed in 
+** the Handbook of Applied Cryptography, 11.118-11.119.
+*/
+struct RSABlindingParamsStr
+{
+    /* Blinding-specific parameters */
+    PRCList   link;                  /* link to list of structs            */
+    SECItem   modulus;               /* list element "key"                 */
+    mp_int    f, g;                  /* Blinding parameters                */
+    int       counter;               /* number of remaining uses of (f, g) */
+};
+
+/*
+** RSABlindingParamsListStr
+**
+** List of key-specific blinding params.  The arena holds the volatile pool
+** of memory for each entry and the list itself.  The lock is for list
+** operations, in this case insertions and iterations, as well as control
+** of the counter for each set of blinding parameters.
+*/
+struct RSABlindingParamsListStr
+{
+    PZLock  *lock;   /* Lock for the list   */
+    PRCList  head;   /* Pointer to the list */
+};
+
+/*
+** The master blinding params list.
+*/
+static struct RSABlindingParamsListStr blindingParamsList = { 0 };
+
+/* Number of times to reuse (f, g).  Suggested by Paul Kocher */
+#define RSA_BLINDING_PARAMS_MAX_REUSE 50
+
+/* Global, allows optional use of blinding.  On by default. */
+/* Cannot be changed at the moment, due to thread-safety issues. */
+static PRBool nssRSAUseBlinding = PR_TRUE;
+
+static SECStatus
+rsa_keygen_from_primes(mp_int *p, mp_int *q, mp_int *e, RSAPrivateKey *key,
+                       unsigned int keySizeInBits)
+{
+    mp_int n, d, phi;
+    mp_int psub1, qsub1, tmp;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n)     = 0;
+    MP_DIGITS(&d)     = 0;
+    MP_DIGITS(&phi)   = 0;
+    MP_DIGITS(&psub1) = 0;
+    MP_DIGITS(&qsub1) = 0;
+    MP_DIGITS(&tmp)   = 0;
+    CHECK_MPI_OK( mp_init(&n)     );
+    CHECK_MPI_OK( mp_init(&d)     );
+    CHECK_MPI_OK( mp_init(&phi)   );
+    CHECK_MPI_OK( mp_init(&psub1) );
+    CHECK_MPI_OK( mp_init(&qsub1) );
+    CHECK_MPI_OK( mp_init(&tmp)   );
+    /* 1.  Compute n = p*q */
+    CHECK_MPI_OK( mp_mul(p, q, &n) );
+    /*     verify that the modulus has the desired number of bits */
+    if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /* 2.  Compute phi = (p-1)*(q-1) */
+    CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) );
+    CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) );
+    CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) );
+    /* 3.  Compute d = e**-1 mod(phi) */
+    err = mp_invmod(e, &phi, &d);
+    /*     Verify that phi(n) and e have no common divisors */
+    if (err != MP_OKAY) {
+	if (err == MP_UNDEF) {
+	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	    err = MP_OKAY; /* to keep PORT_SetError from being called again */
+	    rv = SECFailure;
+	}
+	goto cleanup;
+    }
+    MPINT_TO_SECITEM(&n, &key->modulus, key->arena);
+    MPINT_TO_SECITEM(&d, &key->privateExponent, key->arena);
+    /* 4.  Compute exponent1 = d mod (p-1) */
+    CHECK_MPI_OK( mp_mod(&d, &psub1, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
+    /* 5.  Compute exponent2 = d mod (q-1) */
+    CHECK_MPI_OK( mp_mod(&d, &qsub1, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena);
+    /* 6.  Compute coefficient = q**-1 mod p */
+    CHECK_MPI_OK( mp_invmod(q, p, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);
+cleanup:
+    mp_clear(&n);
+    mp_clear(&d);
+    mp_clear(&phi);
+    mp_clear(&psub1);
+    mp_clear(&qsub1);
+    mp_clear(&tmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+static SECStatus
+generate_prime(mp_int *prime, int primeLen)
+{
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    unsigned long counter = 0;
+    int piter;
+    unsigned char *pb = NULL;
+    pb = PORT_Alloc(primeLen);
+    if (!pb) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    for (piter = 0; piter < MAX_PRIME_GEN_ATTEMPTS; piter++) {
+	CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
+	pb[0]          |= 0xC0; /* set two high-order bits */
+	pb[primeLen-1] |= 0x01; /* set low-order bit       */
+	CHECK_MPI_OK( mp_read_unsigned_octets(prime, pb, primeLen) );
+	err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter);
+	if (err != MP_NO)
+	    goto cleanup;
+	/* keep going while err == MP_NO */
+    }
+cleanup:
+    if (pb)
+	PORT_ZFree(pb, primeLen);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+** Generate and return a new RSA public and private key.
+**	Both keys are encoded in a single RSAPrivateKey structure.
+**	"cx" is the random number generator context
+**	"keySizeInBits" is the size of the key to be generated, in bits.
+**	   512, 1024, etc.
+**	"publicExponent" when not NULL is a pointer to some data that
+**	   represents the public exponent to use. The data is a byte
+**	   encoded integer, in "big endian" order.
+*/
+RSAPrivateKey *
+RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
+{
+    unsigned int primeLen;
+    mp_int p, q, e;
+    int kiter;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    int prerr = 0;
+    RSAPrivateKey *key = NULL;
+    PRArenaPool *arena = NULL;
+    /* Require key size to be a multiple of 16 bits. */
+    if (!publicExponent || keySizeInBits % 16 != 0 ||
+	    BAD_RSA_KEY_SIZE(keySizeInBits/8, publicExponent->len)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* 1. Allocate arena & key */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+    }
+    key->arena = arena;
+    /* length of primes p and q (in bytes) */
+    primeLen = keySizeInBits / (2 * BITS_PER_BYTE);
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&e) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&e) );
+    /* 2.  Set the version number (PKCS1 v1.5 says it should be zero) */
+    SECITEM_AllocItem(arena, &key->version, 1);
+    key->version.data[0] = 0;
+    /* 3.  Set the public exponent */
+    SECITEM_CopyItem(arena, &key->publicExponent, publicExponent);
+    SECITEM_TO_MPINT(*publicExponent, &e);
+    kiter = 0;
+    do {
+	prerr = 0;
+	PORT_SetError(0);
+	CHECK_SEC_OK( generate_prime(&p, primeLen) );
+	CHECK_SEC_OK( generate_prime(&q, primeLen) );
+	/* Assure q < p */
+	if (mp_cmp(&p, &q) < 0)
+	    mp_exch(&p, &q);
+	/* Attempt to use these primes to generate a key */
+	rv = rsa_keygen_from_primes(&p, &q, &e, key, keySizeInBits);
+	if (rv == SECSuccess)
+	    break; /* generated two good primes */
+	prerr = PORT_GetError();
+	kiter++;
+	/* loop until have primes */
+    } while (prerr == SEC_ERROR_NEED_RANDOM && kiter < MAX_KEY_GEN_ATTEMPTS);
+    if (prerr)
+	goto cleanup;
+    MPINT_TO_SECITEM(&p, &key->prime1, arena);
+    MPINT_TO_SECITEM(&q, &key->prime2, arena);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&e);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv && arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+	key = NULL;
+    }
+    return key;
+}
+
+static unsigned int
+rsa_modulusLen(SECItem *modulus)
+{
+    unsigned char byteZero = modulus->data[0];
+    unsigned int modLen = modulus->len - !byteZero;
+    return modLen;
+}
+
+/*
+** Perform a raw public-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+SECStatus 
+RSA_PublicKeyOp(RSAPublicKey  *key, 
+                unsigned char *output, 
+                const unsigned char *input)
+{
+    unsigned int modLen, expLen, offset;
+    mp_int n, e, m, c;
+    mp_err err   = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!key || !output || !input) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&m) = 0;
+    MP_DIGITS(&c) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&m) );
+    CHECK_MPI_OK( mp_init(&c) );
+    modLen = rsa_modulusLen(&key->modulus);
+    expLen = rsa_modulusLen(&key->publicExponent);
+    /* 1.  Obtain public key (n, e) */
+    if (BAD_RSA_KEY_SIZE(modLen, expLen)) {
+    	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	rv = SECFailure;
+	goto cleanup;
+    }
+    SECITEM_TO_MPINT(key->modulus, &n);
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    if (e.used > n.used) {
+	/* exponent should not be greater than modulus */
+    	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /* 2. check input out of range (needs to be in range [0..n-1]) */
+    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
+    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        rv = SECFailure;
+        goto cleanup;
+    }
+    /* 2 bis.  Represent message as integer in range [0..n-1] */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&m, input, modLen) );
+    /* 3.  Compute c = m**e mod n */
+#ifdef USE_MPI_EXPT_D
+    /* XXX see which is faster */
+    if (MP_USED(&e) == 1) {
+	CHECK_MPI_OK( mp_exptmod_d(&m, MP_DIGIT(&e, 0), &n, &c) );
+    } else
+#endif
+    CHECK_MPI_OK( mp_exptmod(&m, &e, &n, &c) );
+    /* 4.  result c is ciphertext */
+    err = mp_to_fixlen_octets(&c, output, modLen);
+    if (err >= 0) err = MP_OKAY;
+cleanup:
+    mp_clear(&n);
+    mp_clear(&e);
+    mp_clear(&m);
+    mp_clear(&c);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  RSA Private key operation (no CRT).
+*/
+static SECStatus 
+rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
+                      unsigned int modLen)
+{
+    mp_int d;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&d) = 0;
+    CHECK_MPI_OK( mp_init(&d) );
+    SECITEM_TO_MPINT(key->privateExponent, &d);
+    /* 1. m = c**d mod n */
+    CHECK_MPI_OK( mp_exptmod(c, &d, n, m) );
+cleanup:
+    mp_clear(&d);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  RSA Private key operation using CRT.
+*/
+static SECStatus 
+rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c)
+{
+    mp_int p, q, d_p, d_q, qInv;
+    mp_int m1, m2, h, ctmp;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&p)    = 0;
+    MP_DIGITS(&q)    = 0;
+    MP_DIGITS(&d_p)  = 0;
+    MP_DIGITS(&d_q)  = 0;
+    MP_DIGITS(&qInv) = 0;
+    MP_DIGITS(&m1)   = 0;
+    MP_DIGITS(&m2)   = 0;
+    MP_DIGITS(&h)    = 0;
+    MP_DIGITS(&ctmp) = 0;
+    CHECK_MPI_OK( mp_init(&p)    );
+    CHECK_MPI_OK( mp_init(&q)    );
+    CHECK_MPI_OK( mp_init(&d_p)  );
+    CHECK_MPI_OK( mp_init(&d_q)  );
+    CHECK_MPI_OK( mp_init(&qInv) );
+    CHECK_MPI_OK( mp_init(&m1)   );
+    CHECK_MPI_OK( mp_init(&m2)   );
+    CHECK_MPI_OK( mp_init(&h)    );
+    CHECK_MPI_OK( mp_init(&ctmp) );
+    /* copy private key parameters into mp integers */
+    SECITEM_TO_MPINT(key->prime1,      &p);    /* p */
+    SECITEM_TO_MPINT(key->prime2,      &q);    /* q */
+    SECITEM_TO_MPINT(key->exponent1,   &d_p);  /* d_p  = d mod (p-1) */
+    SECITEM_TO_MPINT(key->exponent2,   &d_q);  /* d_q  = d mod (q-1) */
+    SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
+    /* 1. m1 = c**d_p mod p */
+    CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );
+    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) );
+    /* 2. m2 = c**d_q mod q */
+    CHECK_MPI_OK( mp_mod(c, &q, &ctmp) );
+    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) );
+    /* 3.  h = (m1 - m2) * qInv mod p */
+    CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
+    CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h)  );
+    /* 4.  m = m2 + h * q */
+    CHECK_MPI_OK( mp_mul(&h, &q, m) );
+    CHECK_MPI_OK( mp_add(m, &m2, m) );
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&d_p);
+    mp_clear(&d_q);
+    mp_clear(&qInv);
+    mp_clear(&m1);
+    mp_clear(&m2);
+    mp_clear(&h);
+    mp_clear(&ctmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
+** "On the Importance of Eliminating Errors in Cryptographic Computations",
+** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
+**
+** As a defense against the attack, carry out the private key operation, 
+** followed up with a public key operation to invert the result.  
+** Verify that result against the input.
+*/
+static SECStatus 
+rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
+{
+    mp_int n, e, v;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&v) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&v) );
+    CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
+    SECITEM_TO_MPINT(key->modulus,        &n);
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    /* Perform a public key operation v = m ** e mod n */
+    CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );
+    if (mp_cmp(&v, c) != 0) {
+	rv = SECFailure;
+    }
+cleanup:
+    mp_clear(&n);
+    mp_clear(&e);
+    mp_clear(&v);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static PRCallOnceType coBPInit = { 0, 0, 0 };
+static PRStatus 
+init_blinding_params_list(void)
+{
+    blindingParamsList.lock = PZ_NewLock(nssILockOther);
+    if (!blindingParamsList.lock) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return PR_FAILURE;
+    }
+    PR_INIT_CLIST(&blindingParamsList.head);
+    return PR_SUCCESS;
+}
+
+static SECStatus
+generate_blinding_params(struct RSABlindingParamsStr *rsabp, 
+                         RSAPrivateKey *key, mp_int *n, unsigned int modLen)
+{
+    SECStatus rv = SECSuccess;
+    mp_int e, k;
+    mp_err err = MP_OKAY;
+    unsigned char *kb = NULL;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&k) );
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    /* generate random k < n */
+    kb = PORT_Alloc(modLen);
+    if (!kb) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );
+    /* k < n */
+    CHECK_MPI_OK( mp_mod(&k, n, &k) );
+    /* f = k**e mod n */
+    CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );
+    /* g = k**-1 mod n */
+    CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );
+    /* Initialize the counter for this (f, g) */
+    rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
+cleanup:
+    if (kb)
+	PORT_ZFree(kb, modLen);
+    mp_clear(&k);
+    mp_clear(&e);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+init_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,
+                     mp_int *n, unsigned int modLen)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err = MP_OKAY;
+    MP_DIGITS(&rsabp->f) = 0;
+    MP_DIGITS(&rsabp->g) = 0;
+    /* initialize blinding parameters */
+    CHECK_MPI_OK( mp_init(&rsabp->f) );
+    CHECK_MPI_OK( mp_init(&rsabp->g) );
+    /* List elements are keyed using the modulus */
+    SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
+    CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
+    return SECSuccess;
+cleanup:
+    mp_clear(&rsabp->f);
+    mp_clear(&rsabp->g);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
+                    mp_int *f, mp_int *g)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err = MP_OKAY;
+    int cmp;
+    PRCList *el;
+    struct RSABlindingParamsStr *rsabp = NULL;
+    /* Init the list if neccessary (the init function is only called once!) */
+    if (blindingParamsList.lock == NULL) {
+	if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+    }
+    /* Acquire the list lock */
+    PZ_Lock(blindingParamsList.lock);
+    /* Walk the list looking for the private key */
+    for (el = PR_NEXT_LINK(&blindingParamsList.head);
+         el != &blindingParamsList.head;
+         el = PR_NEXT_LINK(el)) {
+	rsabp = (struct RSABlindingParamsStr *)el;
+	cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);
+	if (cmp == 0) {
+	    /* Check the usage counter for the parameters */
+	    if (--rsabp->counter <= 0) {
+		/* Regenerate the blinding parameters */
+		CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
+	    }
+	    /* Return the parameters */
+	    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
+	    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
+	    /* Now that the params are located, release the list lock. */
+	    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
+	    return SECSuccess;
+	} else if (cmp > 0) {
+	    /* The key is not in the list.  Break to param creation. */
+	    break;
+	}
+    }
+    /* At this point, the key is not in the list.  el should point to the
+    ** list element that this key should be inserted before.  NOTE: the list
+    ** lock is still held, so there cannot be a race condition here.
+    */
+    rsabp = (struct RSABlindingParamsStr *)
+              PORT_ZAlloc(sizeof(struct RSABlindingParamsStr));
+    if (!rsabp) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    /* Initialize the list pointer for the element */
+    PR_INIT_CLIST(&rsabp->link);
+    /* Initialize the blinding parameters 
+    ** This ties up the list lock while doing some heavy, element-specific
+    ** operations, but we don't want to insert the element until it is valid,
+    ** which requires computing the blinding params.  If this proves costly,
+    ** it could be done after the list lock is released, and then if it fails
+    ** the lock would have to be reobtained and the invalid element removed.
+    */
+    rv = init_blinding_params(rsabp, key, n, modLen);
+    if (rv != SECSuccess) {
+	PORT_ZFree(rsabp, sizeof(struct RSABlindingParamsStr));
+	goto cleanup;
+    }
+    /* Insert the new element into the list
+    ** If inserting in the middle of the list, el points to the link
+    ** to insert before.  Otherwise, the link needs to be appended to
+    ** the end of the list, which is the same as inserting before the
+    ** head (since el would have looped back to the head).
+    */
+    PR_INSERT_BEFORE(&rsabp->link, el);
+    /* Return the parameters */
+    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
+    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
+    /* Release the list lock */
+    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
+    return SECSuccess;
+cleanup:
+    /* It is possible to reach this after the lock is already released.
+    ** Ignore the error in that case.
+    */
+    PZ_Unlock(blindingParamsList.lock);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return SECFailure;
+}
+
+/*
+** Perform a raw private-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+static SECStatus 
+rsa_PrivateKeyOp(RSAPrivateKey *key, 
+                 unsigned char *output, 
+                 const unsigned char *input,
+                 PRBool check)
+{
+    unsigned int modLen;
+    unsigned int offset;
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    mp_int n, c, m;
+    mp_int f, g;
+    if (!key || !output || !input) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* check input out of range (needs to be in range [0..n-1]) */
+    modLen = rsa_modulusLen(&key->modulus);
+    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
+    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&c) = 0;
+    MP_DIGITS(&m) = 0;
+    MP_DIGITS(&f) = 0;
+    MP_DIGITS(&g) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&c) );
+    CHECK_MPI_OK( mp_init(&m) );
+    CHECK_MPI_OK( mp_init(&f) );
+    CHECK_MPI_OK( mp_init(&g) );
+    SECITEM_TO_MPINT(key->modulus, &n);
+    OCTETS_TO_MPINT(input, &c, modLen);
+    /* If blinding, compute pre-image of ciphertext by multiplying by
+    ** blinding factor
+    */
+    if (nssRSAUseBlinding) {
+	CHECK_SEC_OK( get_blinding_params(key, &n, modLen, &f, &g) );
+	/* c' = c*f mod n */
+	CHECK_MPI_OK( mp_mulmod(&c, &f, &n, &c) );
+    }
+    /* Do the private key operation m = c**d mod n */
+    if ( key->prime1.len      == 0 ||
+         key->prime2.len      == 0 ||
+         key->exponent1.len   == 0 ||
+         key->exponent2.len   == 0 ||
+         key->coefficient.len == 0) {
+	CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );
+    } else if (check) {
+	CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
+    } else {
+	CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );
+    }
+    /* If blinding, compute post-image of plaintext by multiplying by
+    ** blinding factor
+    */
+    if (nssRSAUseBlinding) {
+	/* m = m'*g mod n */
+	CHECK_MPI_OK( mp_mulmod(&m, &g, &n, &m) );
+    }
+    err = mp_to_fixlen_octets(&m, output, modLen);
+    if (err >= 0) err = MP_OKAY;
+cleanup:
+    mp_clear(&n);
+    mp_clear(&c);
+    mp_clear(&m);
+    mp_clear(&f);
+    mp_clear(&g);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+RSA_PrivateKeyOp(RSAPrivateKey *key, 
+                 unsigned char *output, 
+                 const unsigned char *input)
+{
+    return rsa_PrivateKeyOp(key, output, input, PR_FALSE);
+}
+
+SECStatus 
+RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key, 
+                              unsigned char *output, 
+                              const unsigned char *input)
+{
+    return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
+}
+
+static SECStatus
+swap_in_key_value(PRArenaPool *arena, mp_int *mpval, SECItem *buffer)
+{
+    int len;
+    mp_err err = MP_OKAY;
+    memset(buffer->data, 0, buffer->len);
+    len = mp_unsigned_octet_size(mpval);
+    if (len <= 0) return SECFailure;
+    if ((unsigned int)len <= buffer->len) {
+	/* The new value is no longer than the old buffer, so use it */
+	err = mp_to_unsigned_octets(mpval, buffer->data, len);
+	if (err >= 0) err = MP_OKAY;
+	buffer->len = len;
+    } else if (arena) {
+	/* The new value is longer, but working within an arena */
+	(void)SECITEM_AllocItem(arena, buffer, len);
+	err = mp_to_unsigned_octets(mpval, buffer->data, len);
+	if (err >= 0) err = MP_OKAY;
+    } else {
+	/* The new value is longer, no arena, can't handle this key */
+	return SECFailure;
+    }
+    return (err == MP_OKAY) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+RSA_PrivateKeyCheck(RSAPrivateKey *key)
+{
+    mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n)    = 0;
+    MP_DIGITS(&psub1)= 0;
+    MP_DIGITS(&qsub1)= 0;
+    MP_DIGITS(&e)    = 0;
+    MP_DIGITS(&d)    = 0;
+    MP_DIGITS(&d_p)  = 0;
+    MP_DIGITS(&d_q)  = 0;
+    MP_DIGITS(&qInv) = 0;
+    MP_DIGITS(&res)  = 0;
+    CHECK_MPI_OK( mp_init(&n)    );
+    CHECK_MPI_OK( mp_init(&p)    );
+    CHECK_MPI_OK( mp_init(&q)    );
+    CHECK_MPI_OK( mp_init(&psub1));
+    CHECK_MPI_OK( mp_init(&qsub1));
+    CHECK_MPI_OK( mp_init(&e)    );
+    CHECK_MPI_OK( mp_init(&d)    );
+    CHECK_MPI_OK( mp_init(&d_p)  );
+    CHECK_MPI_OK( mp_init(&d_q)  );
+    CHECK_MPI_OK( mp_init(&qInv) );
+    CHECK_MPI_OK( mp_init(&res)  );
+    SECITEM_TO_MPINT(key->modulus,         &n);
+    SECITEM_TO_MPINT(key->prime1,          &p);
+    SECITEM_TO_MPINT(key->prime2,          &q);
+    SECITEM_TO_MPINT(key->publicExponent,  &e);
+    SECITEM_TO_MPINT(key->privateExponent, &d);
+    SECITEM_TO_MPINT(key->exponent1,       &d_p);
+    SECITEM_TO_MPINT(key->exponent2,       &d_q);
+    SECITEM_TO_MPINT(key->coefficient,     &qInv);
+    /* p > q  */
+    if (mp_cmp(&p, &q) <= 0) {
+	/* mind the p's and q's (and d_p's and d_q's) */
+	SECItem tmp;
+	mp_exch(&p, &q);
+	mp_exch(&d_p,&d_q);
+	tmp = key->prime1;
+	key->prime1 = key->prime2;
+	key->prime2 = tmp;
+	tmp = key->exponent1;
+	key->exponent1 = key->exponent2;
+	key->exponent2 = tmp;
+    }
+#define VERIFY_MPI_EQUAL(m1, m2) \
+    if (mp_cmp(m1, m2) != 0) {   \
+	rv = SECFailure;         \
+	goto cleanup;            \
+    }
+#define VERIFY_MPI_EQUAL_1(m)    \
+    if (mp_cmp_d(m, 1) != 0) {   \
+	rv = SECFailure;         \
+	goto cleanup;            \
+    }
+    /*
+     * The following errors cannot be recovered from.
+     */
+    /* n == p * q */
+    CHECK_MPI_OK( mp_mul(&p, &q, &res) );
+    VERIFY_MPI_EQUAL(&res, &n);
+    /* gcd(e, p-1) == 1 */
+    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
+    CHECK_MPI_OK( mp_gcd(&e, &psub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* gcd(e, q-1) == 1 */
+    CHECK_MPI_OK( mp_sub_d(&q, 1, &qsub1) );
+    CHECK_MPI_OK( mp_gcd(&e, &qsub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* d*e == 1 mod p-1 */
+    CHECK_MPI_OK( mp_mulmod(&d, &e, &psub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* d*e == 1 mod q-1 */
+    CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /*
+     * The following errors can be recovered from.
+     */
+    /* d_p == d mod p-1 */
+    CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
+    if (mp_cmp(&d_p, &res) != 0) {
+	/* swap in the correct value */
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent1) );
+    }
+    /* d_q == d mod q-1 */
+    CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
+    if (mp_cmp(&d_q, &res) != 0) {
+	/* swap in the correct value */
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent2) );
+    }
+    /* q * q**-1 == 1 mod p */
+    CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
+    if (mp_cmp_d(&res, 1) != 0) {
+	/* compute the correct value */
+	CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &qInv, &key->coefficient) );
+    }
+cleanup:
+    mp_clear(&n);
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&psub1);
+    mp_clear(&qsub1);
+    mp_clear(&e);
+    mp_clear(&d);
+    mp_clear(&d_p);
+    mp_clear(&d_q);
+    mp_clear(&qInv);
+    mp_clear(&res);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* cleanup at shutdown */
+void RSA_Cleanup(void)
+{
+    if (!coBPInit.initialized)
+	return;
+
+    while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head))
+    {
+	struct RSABlindingParamsStr * rsabp = (struct RSABlindingParamsStr *)
+	    PR_LIST_HEAD(&blindingParamsList.head);
+	PR_REMOVE_LINK(&rsabp->link);
+	mp_clear(&rsabp->f);
+	mp_clear(&rsabp->g);
+	SECITEM_FreeItem(&rsabp->modulus,PR_FALSE);
+	PORT_Free(rsabp);
+    }
+
+    if (blindingParamsList.lock)
+    {
+	PZ_DestroyLock(blindingParamsList.lock);
+	blindingParamsList.lock = NULL;
+    }
+
+    coBPInit.initialized = 0;
+    coBPInit.inProgress = 0;
+    coBPInit.status = 0;
+}
+
+/*
+ * need a central place for this function to free up all the memory that
+ * free_bl may have allocated along the way. Currently only RSA does this,
+ * so I've put it here for now.
+ */
+void BL_Cleanup(void)
+{
+    RSA_Cleanup();
+}
diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h
new file mode 100644
index 000000000..e343fb894
--- /dev/null
+++ b/security/nss/lib/freebl/secmpi.h
@@ -0,0 +1,61 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi.h"
+
+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+
+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
+
+#define OCTETS_TO_MPINT(oc, mp, len) \
+    CHECK_MPI_OK(mp_read_unsigned_octets((mp), oc, len))
+
+#define SECITEM_TO_MPINT(it, mp) \
+    CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
+
+#define MPINT_TO_SECITEM(mp, it, arena)                         \
+    SECITEM_AllocItem(arena, (it), mp_unsigned_octet_size(mp)); \
+    if ((it)->data == NULL) {err = MP_MEM; goto cleanup;}       \
+    err = mp_to_unsigned_octets(mp, (it)->data, (it)->len);     \
+    if (err < 0) goto cleanup; else err = MP_OKAY;
+
+#define MP_TO_SEC_ERROR(err)                                          \
+    switch (err) {                                                    \
+    case MP_MEM:    PORT_SetError(SEC_ERROR_NO_MEMORY);       break;  \
+    case MP_RANGE:  PORT_SetError(SEC_ERROR_BAD_DATA);        break;  \
+    case MP_BADARG: PORT_SetError(SEC_ERROR_INVALID_ARGS);    break;  \
+    default:        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); break;  \
+    }
diff --git a/security/nss/lib/freebl/secrng.h b/security/nss/lib/freebl/secrng.h
new file mode 100644
index 000000000..036a3f71a
--- /dev/null
+++ b/security/nss/lib/freebl/secrng.h
@@ -0,0 +1,99 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECRNG_H_
+#define _SECRNG_H_
+/*
+ * secrng.h - public data structures and prototypes for the secure random
+ *	      number generator
+ *
+ * $Id$
+ */
+
+/******************************************/
+/*
+** Random number generation. A cryptographically strong random number
+** generator.
+*/
+
+#include "blapi.h"
+
+/* the number of bytes to read from the system random number generator */
+#define SYSTEM_RNG_SEED_COUNT 1024
+
+SEC_BEGIN_PROTOS
+
+/*
+** The following functions are provided by the security library
+** but are differently implemented for the UNIX, Win, and OS/2
+** versions
+*/
+
+/*
+** Get the "noisiest" information available on the system.
+** The amount of data returned depends on the system implementation.
+** It will not exceed maxbytes, but may be (much) less.
+** Returns number of noise bytes copied into buf, or zero if error.
+*/
+extern size_t RNG_GetNoise(void *buf, size_t maxbytes);
+
+/*
+** RNG_SystemInfoForRNG should be called before any use of SSL. It
+** gathers up the system specific information to help seed the
+** state of the global random number generator.
+*/
+extern void RNG_SystemInfoForRNG(void);
+
+/* 
+** Use the contents (and stat) of a file to help seed the
+** global random number generator.
+*/
+extern void RNG_FileForRNG(const char *filename);
+
+/*
+** Get maxbytes bytes of random data from the system random number
+** generator.
+** Returns the number of bytes copied into buf -- maxbytes if success
+** or zero if error.
+** Errors:
+**   PR_NOT_IMPLEMENTED_ERROR   There is no system RNG on the platform.
+**   SEC_ERROR_NEED_RANDOM      The system RNG failed.
+*/
+extern size_t RNG_SystemRNG(void *buf, size_t maxbytes);
+
+SEC_END_PROTOS
+
+#endif /* _SECRNG_H_ */
diff --git a/security/nss/lib/freebl/sha-fast-amd64-sun.s b/security/nss/lib/freebl/sha-fast-amd64-sun.s
new file mode 100644
index 000000000..d818bc9aa
--- /dev/null
+++ b/security/nss/lib/freebl/sha-fast-amd64-sun.s
@@ -0,0 +1,2142 @@
+/ ***** BEGIN LICENSE BLOCK *****
+/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
+/
+/ The contents of this file are subject to the Mozilla Public License Version
+/ 1.1 (the "License"); you may not use this file except in compliance with
+/ the License. You may obtain a copy of the License at
+/ http://www.mozilla.org/MPL/
+/
+/ Software distributed under the License is distributed on an "AS IS" basis,
+/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+/ for the specific language governing rights and limitations under the
+/ License.
+/
+/ The Original Code is SHA 180-1 Reference Implementation (Optimized).
+/
+/ The Initial Developer of the Original Code is
+/ Paul Kocher of Cryptography Research.
+/ Portions created by the Initial Developer are Copyright (C) 1995-9
+/ the Initial Developer. All Rights Reserved.
+/
+/ Contributor(s):
+/
+/ Alternatively, the contents of this file may be used under the terms of
+/ either the GNU General Public License Version 2 or later (the "GPL"), or
+/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+/ in which case the provisions of the GPL or the LGPL are applicable instead
+/ of those above. If you wish to allow use of your version of this file only
+/ under the terms of either the GPL or the LGPL, and not to allow others to
+/ use your version of this file under the terms of the MPL, indicate your
+/ decision by deleting the provisions above and replace them with the notice
+/ and other provisions required by the GPL or the LGPL. If you do not delete
+/ the provisions above, a recipient may use your version of this file under
+/ the terms of any one of the MPL, the GPL or the LGPL.
+/
+/ ***** END LICENSE BLOCK *****
+
+	.file	"sha_fast.c"
+	.text
+	.align 16
+.globl SHA1_Begin
+	.type	SHA1_Begin, @function
+SHA1_Begin:
+.LFB4:
+	movl	$4023233417, %ecx
+	movl	$2562383102, %edx
+	movl	$3285377520, %eax
+	movq	$0, 64(%rdi)
+	movq	$1732584193, 72(%rdi)
+	movq	%rcx, 80(%rdi)
+	movq	%rdx, 88(%rdi)
+	movq	$271733878, 96(%rdi)
+	movq	%rax, 104(%rdi)
+	ret
+.LFE4:
+	.size	SHA1_Begin, .-SHA1_Begin
+	.align 16
+	.type	shaCompress, @function
+shaCompress:
+.LFB7:
+	pushq	%r15
+.LCFI0:
+	pushq	%r14
+.LCFI1:
+	pushq	%r13
+.LCFI2:
+	pushq	%r12
+.LCFI3:
+	movq	-88(%rdi), %r12
+	movq	-80(%rdi), %r10
+	movq	-72(%rdi), %r13
+	movq	-64(%rdi), %r8
+	pushq	%rbx
+.LCFI4:
+	movq	-56(%rdi), %rcx
+	movl	(%rsi), %eax
+	movl	%r12d, %edx
+	movq	%r13, %r9
+	roll	$5, %edx
+	movl	4(%rsi), %ebx
+	xorq	%r8, %r9 
+/APP
+	bswap %eax
+/NO_APP
+	andq	%r10, %r9
+	mov	%eax, %r15d
+	roll	$30, %r10d
+	movq	%r15, -48(%rdi)
+	xorq	%r8, %r9 
+	movq	-48(%rdi), %r14
+	addq	%r9, %rdx
+	movq	%r10, %rax
+	movl	%r12d, %r15d
+	addq	%rcx, %rdx
+	xorq	%r13, %rax 
+	roll	$30, %r15d
+	leaq	1518500249(%rdx,%r14), %rdx
+	andq	%r12, %rax
+	movq	%r15, %r12
+/APP
+	bswap %ebx
+/NO_APP
+	movl	%edx, %ecx
+	mov	%ebx, %r11d
+	xorq	%r13, %rax 
+	movq	%r11, -40(%rdi)
+	roll	$5, %ecx
+	movq	-40(%rdi), %r9
+	addq	%rax, %rcx
+	xorq	%r10, %r12 
+	movl	8(%rsi), %r14d
+	addq	%r8, %rcx
+	andq	%rdx, %r12
+	movl	%edx, %r11d
+	leaq	1518500249(%rcx,%r9), %rcx
+	xorq	%r10, %r12 
+	roll	$30, %r11d
+/APP
+	bswap %r14d
+/NO_APP
+	movl	%ecx, %r8d
+	mov	%r14d, %ebx
+	movl	12(%rsi), %r9d
+	movq	%rbx, -32(%rdi)
+	roll	$5, %r8d
+	movq	-32(%rdi), %rax
+	addq	%r12, %r8
+	movq	%r11, %r12
+	movl	%ecx, %ebx
+	addq	%r13, %r8
+	xorq	%r15, %r12 
+	roll	$30, %ebx
+	leaq	1518500249(%r8,%rax), %r8
+	andq	%rcx, %r12
+	movl	16(%rsi), %eax
+/APP
+	bswap %r9d
+/NO_APP
+	movl	%r8d, %edx
+	mov	%r9d, %r14d
+	xorq	%r15, %r12 
+	movq	%r14, -24(%rdi)
+	roll	$5, %edx
+	movq	-24(%rdi), %r13
+	addq	%r12, %rdx
+	movq	%rbx, %r12
+	movl	%r8d, %r14d
+	addq	%r10, %rdx
+	leaq	1518500249(%rdx,%r13), %rdx
+	movl	20(%rsi), %r13d
+/APP
+	bswap %eax
+/NO_APP
+	movl	%edx, %ecx
+	mov	%eax, %r9d
+	roll	$5, %ecx
+	xorq	%r11, %r12 
+	movq	%r9, -16(%rdi)
+	andq	%r8, %r12
+	movq	-16(%rdi), %r10
+	roll	$30, %r14d
+	xorq	%r11, %r12 
+	movq	%r14, %rax
+	movl	%edx, %r9d
+	addq	%r12, %rcx
+	xorq	%rbx, %rax 
+	roll	$30, %r9d
+	addq	%r15, %rcx
+	andq	%rdx, %rax
+	leaq	1518500249(%rcx,%r10), %rcx
+	xorq	%rbx, %rax 
+	movl	24(%rsi), %r10d
+/APP
+	bswap %r13d
+/NO_APP
+	movl	%ecx, %r8d
+	mov	%r13d, %r15d
+	movq	%r15, -8(%rdi)
+	roll	$5, %r8d
+	movq	-8(%rdi), %r12
+	addq	%rax, %r8
+	movl	%ecx, %r15d
+	addq	%r11, %r8
+	movq	%r9, %r11
+	roll	$30, %r15d
+	leaq	1518500249(%r8,%r12), %r8
+	xorq	%r14, %r11 
+	movl	28(%rsi), %r12d
+/APP
+	bswap %r10d
+/NO_APP
+	andq	%rcx, %r11
+	mov	%r10d, %r13d
+	movl	%r8d, %edx
+	movq	%r13, (%rdi)
+	xorq	%r14, %r11 
+	movq	(%rdi), %rax
+	roll	$5, %edx
+	movq	%r15, %r10
+	movl	%r8d, %r13d
+	addq	%r11, %rdx
+	xorq	%r9, %r10 
+	roll	$30, %r13d
+	addq	%rbx, %rdx
+	andq	%r8, %r10
+	leaq	1518500249(%rdx,%rax), %rdx
+	xorq	%r9, %r10 
+	movl	32(%rsi), %eax
+/APP
+	bswap %r12d
+/NO_APP
+	movl	%edx, %ecx
+	mov	%r12d, %ebx
+	movq	%rbx, 8(%rdi)
+	roll	$5, %ecx
+	movq	8(%rdi), %r11
+	addq	%r10, %rcx
+	movq	%r13, %r10
+	movl	%edx, %ebx
+	addq	%r14, %rcx
+	leaq	1518500249(%rcx,%r11), %rcx
+/APP
+	bswap %eax
+/NO_APP
+	movl	%ecx, %r8d
+	mov	%eax, %r12d
+	roll	$5, %r8d
+	xorq	%r15, %r10 
+	movq	%r12, 16(%rdi)
+	andq	%rdx, %r10
+	movq	16(%rdi), %r14
+	roll	$30, %ebx
+	xorq	%r15, %r10 
+	movq	%rbx, %rax
+	movl	36(%rsi), %r11d
+	addq	%r10, %r8
+	xorq	%r13, %rax 
+	movl	%ecx, %r12d
+	addq	%r9, %r8
+	andq	%rcx, %rax
+	roll	$30, %r12d
+	leaq	1518500249(%r8,%r14), %r8
+	xorq	%r13, %rax 
+	movl	40(%rsi), %r14d
+/APP
+	bswap %r11d
+/NO_APP
+	movl	%r8d, %edx
+	mov	%r11d, %r9d
+	movq	%r12, %r11
+	movq	%r9, 24(%rdi)
+	roll	$5, %edx
+	movq	24(%rdi), %r10
+	addq	%rax, %rdx
+	xorq	%rbx, %r11 
+	movl	%r8d, %r9d
+	addq	%r15, %rdx
+	andq	%r8, %r11
+	roll	$30, %r9d
+	leaq	1518500249(%rdx,%r10), %rdx
+	xorq	%rbx, %r11 
+	movl	44(%rsi), %r10d
+/APP
+	bswap %r14d
+/NO_APP
+	movl	%edx, %ecx
+	mov	%r14d, %r15d
+	movq	%r15, 32(%rdi)
+	roll	$5, %ecx
+	movq	32(%rdi), %rax
+	addq	%r11, %rcx
+	movq	%r9, %r11
+	movl	%edx, %r15d
+	addq	%r13, %rcx
+	xorq	%r12, %r11 
+	roll	$30, %r15d
+	leaq	1518500249(%rcx,%rax), %rcx
+	andq	%rdx, %r11
+	movl	48(%rsi), %eax
+/APP
+	bswap %r10d
+/NO_APP
+	movl	%ecx, %r8d
+	mov	%r10d, %r14d
+	xorq	%r12, %r11 
+	movq	%r14, 40(%rdi)
+	roll	$5, %r8d
+	movq	40(%rdi), %r13
+	addq	%r11, %r8
+	movq	%r15, %r10
+	movl	%ecx, %r14d
+	addq	%rbx, %r8
+	xorq	%r9, %r10 
+	leaq	1518500249(%r8,%r13), %r8
+	movl	52(%rsi), %r13d
+/APP
+	bswap %eax
+/NO_APP
+	movl	%r8d, %edx
+	mov	%eax, %ebx
+	roll	$5, %edx
+	andq	%rcx, %r10
+	movq	%rbx, 48(%rdi)
+	xorq	%r9, %r10 
+	movq	48(%rdi), %r11
+	roll	$30, %r14d
+	addq	%r10, %rdx
+	movq	%r14, %rax
+	movl	%r8d, %ebx
+	addq	%r12, %rdx
+	xorq	%r15, %rax 
+	roll	$30, %ebx
+	leaq	1518500249(%rdx,%r11), %rdx
+	andq	%r8, %rax
+	movl	56(%rsi), %r11d
+/APP
+	bswap %r13d
+/NO_APP
+	movl	%edx, %ecx
+	mov	%r13d, %r12d
+	xorq	%r15, %rax 
+	movq	%r12, 56(%rdi)
+	roll	$5, %ecx
+	movq	56(%rdi), %r10
+	addq	%rax, %rcx
+	movl	%edx, %r12d
+	addq	%r9, %rcx
+	movq	%rbx, %r9
+	roll	$30, %r12d
+	leaq	1518500249(%rcx,%r10), %rcx
+	xorq	%r14, %r9 
+	movl	60(%rsi), %r10d
+/APP
+	bswap %r11d
+/NO_APP
+	andq	%rdx, %r9
+	mov	%r11d, %r13d
+	movl	%ecx, %r8d
+	movq	%r13, 64(%rdi)
+	xorq	%r14, %r9 
+	movq	64(%rdi), %rax
+	roll	$5, %r8d
+	movq	%r12, %r11
+	movl	%ecx, %r13d
+	addq	%r9, %r8
+	xorq	%rbx, %r11 
+	roll	$30, %r13d
+	addq	%r15, %r8
+	andq	%rcx, %r11
+	leaq	1518500249(%r8,%rax), %r8
+	xorq	%rbx, %r11 
+/APP
+	bswap %r10d
+/NO_APP
+	movl	%r8d, %esi
+	mov	%r10d, %r15d
+	movq	%r15, 72(%rdi)
+	roll	$5, %esi
+	movq	72(%rdi), %r9
+	movq	56(%rdi), %r10
+	movq	16(%rdi), %rcx
+	addq	%r11, %rsi
+	movq	-32(%rdi), %rdx
+	addq	%r14, %rsi
+	movq	-48(%rdi), %rax
+	leaq	1518500249(%rsi,%r9), %r14
+	movq	%r13, %r11
+	movl	%r8d, %r15d
+	xorq	%rcx, %r10 
+	xorq	%rdx, %r10 
+	movl	%r14d, %ecx
+	xorl	%eax, %r10d
+	roll	%r10d
+	roll	$5, %ecx
+	xorq	%r12, %r11 
+	andq	%r8, %r11
+	movq	%r10, -48(%rdi)
+	movq	-48(%rdi), %r9
+	xorq	%r12, %r11 
+	roll	$30, %r15d
+	movl	%r14d, %r10d
+	addq	%r11, %rcx
+	movq	64(%rdi), %r11
+	movq	24(%rdi), %rdx
+	addq	%rbx, %rcx
+	movq	-24(%rdi), %rbx
+	movq	-40(%rdi), %rax
+	leaq	1518500249(%rcx,%r9), %rcx
+	movq	%r15, %r8
+	roll	$30, %r10d
+	xorq	%rdx, %r11 
+	xorq	%r13, %r8 
+	xorq	%rbx, %r11 
+	andq	%r14, %r8
+	movl	%ecx, %r9d
+	xorl	%eax, %r11d
+	xorq	%r13, %r8 
+	roll	$5, %r9d
+	roll	%r11d
+	addq	%r8, %r9
+	movq	%r10, %rax
+	movq	%r11, -40(%rdi)
+	movq	-40(%rdi), %rsi
+	addq	%r12, %r9
+	movq	72(%rdi), %rbx
+	movq	32(%rdi), %rdx
+	xorq	%r15, %rax 
+	movq	-16(%rdi), %r14
+	movq	-32(%rdi), %r12
+	andq	%rcx, %rax
+	leaq	1518500249(%r9,%rsi), %r9
+	xorq	%r15, %rax 
+	movl	%ecx, %r11d
+	xorq	%rdx, %rbx 
+	roll	$30, %r11d
+	xorq	%r14, %rbx 
+	movl	%r9d, %esi
+	xorl	%r12d, %ebx
+	roll	$5, %esi
+	roll	%ebx
+	addq	%rax, %rsi
+	movq	%rbx, -32(%rdi)
+	movq	-32(%rdi), %r8
+	addq	%r13, %rsi
+	movq	-48(%rdi), %r12
+	movq	40(%rdi), %rdx
+	movq	%r11, %r13
+	movq	-8(%rdi), %r14
+	movq	-24(%rdi), %rcx
+	movl	%r9d, %ebx
+	leaq	1518500249(%rsi,%r8), %rsi
+	xorq	%rdx, %r12 
+	xorq	%r14, %r12 
+	movl	%esi, %r8d
+	xorl	%ecx, %r12d
+	roll	%r12d
+	roll	$5, %r8d
+	xorq	%r10, %r13 
+	andq	%r9, %r13
+	movq	%r12, -24(%rdi)
+	movq	-24(%rdi), %rax
+	xorq	%r10, %r13 
+	roll	$30, %ebx
+	movl	%esi, %r12d
+	addq	%r13, %r8
+	xorq	%rbx, %rsi 
+	roll	$30, %r12d
+	addq	%r15, %r8
+	movq	-40(%rdi), %r15
+	movq	48(%rdi), %rdx
+	movq	(%rdi), %r14
+	movq	-16(%rdi), %r9
+	leaq	1518500249(%r8,%rax), %r13
+	xorq	%r11, %rsi 
+	xorq	%rdx, %r15 
+	movl	%r13d, %ecx
+	xorq	%r14, %r15 
+	roll	$5, %ecx
+	xorl	%r9d, %r15d
+	addq	%rsi, %rcx
+	roll	%r15d
+	addq	%r10, %rcx
+	movq	%r15, -16(%rdi)
+	movq	-16(%rdi), %rsi
+	movl	%r13d, %r15d
+	movq	-32(%rdi), %r14
+	movq	56(%rdi), %rax
+	xorq	%r12, %r13 
+	movq	8(%rdi), %rdx
+	movq	-8(%rdi), %r10
+	xorq	%rbx, %r13 
+	leaq	1859775393(%rcx,%rsi), %r9
+	roll	$30, %r15d
+	xorq	%rax, %r14 
+	xorq	%rdx, %r14 
+	movl	%r9d, %esi
+	xorl	%r10d, %r14d
+	roll	$5, %esi
+	roll	%r14d
+	addq	%r13, %rsi
+	movq	%r14, -8(%rdi)
+	movq	-8(%rdi), %r8
+	addq	%r11, %rsi
+	movq	-24(%rdi), %r13
+	movq	64(%rdi), %rax
+	movl	%r9d, %r14d
+	movq	16(%rdi), %rdx
+	movq	(%rdi), %r11
+	xorq	%r15, %r9 
+	leaq	1859775393(%rsi,%r8), %r10
+	xorq	%rax, %r13 
+	xorq	%rdx, %r13 
+	movl	%r10d, %r8d
+	xorl	%r11d, %r13d
+	roll	$5, %r8d
+	roll	%r13d
+	xorq	%r12, %r9 
+	roll	$30, %r14d
+	addq	%r9, %r8
+	movq	%r13, (%rdi)
+	movq	(%rdi), %rcx
+	addq	%rbx, %r8
+	movq	-16(%rdi), %rbx
+	movq	72(%rdi), %rax
+	movq	24(%rdi), %rdx
+	movq	8(%rdi), %r9
+	movl	%r10d, %r13d
+	leaq	1859775393(%r8,%rcx), %r11
+	xorq	%r14, %r10 
+	roll	$30, %r13d
+	xorq	%rax, %rbx 
+	xorq	%r15, %r10 
+	xorq	%rdx, %rbx 
+	movl	%r11d, %ecx
+	xorl	%r9d, %ebx
+	roll	$5, %ecx
+	roll	%ebx
+	addq	%r10, %rcx
+	movq	%rbx, 8(%rdi)
+	movq	8(%rdi), %rsi
+	addq	%r12, %rcx
+	movq	-8(%rdi), %r12
+	movq	-48(%rdi), %rax
+	movl	%r11d, %ebx
+	movq	32(%rdi), %rdx
+	movq	16(%rdi), %r9
+	xorq	%r13, %r11 
+	leaq	1859775393(%rcx,%rsi), %r10
+	xorq	%r14, %r11 
+	roll	$30, %ebx
+	xorq	%rax, %r12 
+	xorq	%rdx, %r12 
+	movl	%r10d, %esi
+	xorl	%r9d, %r12d
+	roll	$5, %esi
+	roll	%r12d
+	addq	%r11, %rsi
+	movq	%r12, 16(%rdi)
+	addq	%r15, %rsi
+	movq	16(%rdi), %r8
+	movq	(%rdi), %r15
+	movq	-40(%rdi), %rax
+	movl	%r10d, %r12d
+	movq	40(%rdi), %rdx
+	movq	24(%rdi), %r9
+	xorq	%rbx, %r10 
+	leaq	1859775393(%rsi,%r8), %r11
+	xorq	%r13, %r10 
+	xorq	%rax, %r15 
+	xorq	%rdx, %r15 
+	movl	%r11d, %r8d
+	xorl	%r9d, %r15d
+	roll	$5, %r8d
+	roll	%r15d
+	addq	%r10, %r8
+	movq	%r15, 24(%rdi)
+	movq	24(%rdi), %rcx
+	addq	%r14, %r8
+	movq	8(%rdi), %r14
+	movq	-32(%rdi), %rax
+	roll	$30, %r12d
+	movq	48(%rdi), %rdx
+	movq	32(%rdi), %r10
+	movl	%r11d, %r15d
+	leaq	1859775393(%r8,%rcx), %r9
+	xorq	%r12, %r11 
+	roll	$30, %r15d
+	xorq	%rax, %r14 
+	xorq	%rbx, %r11 
+	xorq	%rdx, %r14 
+	movl	%r9d, %ecx
+	xorl	%r10d, %r14d
+	roll	$5, %ecx
+	roll	%r14d
+	addq	%r11, %rcx
+	movq	%r14, 32(%rdi)
+	addq	%r13, %rcx
+	movq	32(%rdi), %rsi
+	movq	16(%rdi), %r13
+	movq	-24(%rdi), %rax
+	movl	%r9d, %r14d
+	movq	56(%rdi), %rdx
+	movq	40(%rdi), %r11
+	xorq	%r15, %r9 
+	leaq	1859775393(%rcx,%rsi), %r10
+	xorq	%r12, %r9 
+	roll	$30, %r14d
+	xorq	%rax, %r13 
+	xorq	%rdx, %r13 
+	movl	%r10d, %esi
+	xorl	%r11d, %r13d
+	roll	$5, %esi
+	roll	%r13d
+	addq	%r9, %rsi
+	movq	%r13, 40(%rdi)
+	movq	40(%rdi), %r8
+	addq	%rbx, %rsi
+	movq	24(%rdi), %rbx
+	movq	-16(%rdi), %rax
+	movl	%r10d, %r13d
+	movq	64(%rdi), %rdx
+	movq	48(%rdi), %r9
+	xorq	%r14, %r10 
+	leaq	1859775393(%rsi,%r8), %r11
+	xorq	%r15, %r10 
+	roll	$30, %r13d
+	xorq	%rax, %rbx 
+	xorq	%rdx, %rbx 
+	movl	%r11d, %r8d
+	xorl	%r9d, %ebx
+	roll	$5, %r8d
+	roll	%ebx
+	addq	%r10, %r8
+	movq	%rbx, 48(%rdi)
+	addq	%r12, %r8
+	movq	48(%rdi), %rcx
+	movq	32(%rdi), %r12
+	movq	-8(%rdi), %rax
+	movl	%r11d, %ebx
+	movq	72(%rdi), %rdx
+	movq	56(%rdi), %r9
+	leaq	1859775393(%r8,%rcx), %r10
+	xorq	%rax, %r12 
+	xorq	%rdx, %r12 
+	movl	%r10d, %ecx
+	xorl	%r9d, %r12d
+	xorq	%r13, %r11 
+	roll	$5, %ecx
+	xorq	%r14, %r11 
+	roll	%r12d
+	roll	$30, %ebx
+	addq	%r11, %rcx
+	movq	%r12, 56(%rdi)
+	movq	56(%rdi), %rsi
+	addq	%r15, %rcx
+	movq	40(%rdi), %r15
+	movq	(%rdi), %rax
+	movq	-48(%rdi), %rdx
+	movq	64(%rdi), %r9
+	movl	%r10d, %r12d
+	leaq	1859775393(%rcx,%rsi), %r11
+	xorq	%rbx, %r10 
+	roll	$30, %r12d
+	xorq	%rax, %r15 
+	xorq	%r13, %r10 
+	xorq	%rdx, %r15 
+	movl	%r11d, %esi
+	xorl	%r9d, %r15d
+	roll	$5, %esi
+	roll	%r15d
+	addq	%r10, %rsi
+	movq	%r15, 64(%rdi)
+	movq	64(%rdi), %r8
+	addq	%r14, %rsi
+	movq	48(%rdi), %r14
+	movq	8(%rdi), %rax
+	movl	%r11d, %r15d
+	movq	-40(%rdi), %rdx
+	movq	72(%rdi), %r10
+	xorq	%r12, %r11 
+	leaq	1859775393(%rsi,%r8), %r9
+	xorq	%rbx, %r11 
+	roll	$30, %r15d
+	xorq	%rax, %r14 
+	xorq	%rdx, %r14 
+	movl	%r9d, %r8d
+	xorl	%r10d, %r14d
+	roll	$5, %r8d
+	roll	%r14d
+	addq	%r11, %r8
+	movq	%r14, 72(%rdi)
+	addq	%r13, %r8
+	movq	72(%rdi), %rcx
+	movq	56(%rdi), %r13
+	movq	16(%rdi), %rax
+	movl	%r9d, %r14d
+	movq	-32(%rdi), %rdx
+	movq	-48(%rdi), %r11
+	leaq	1859775393(%r8,%rcx), %r10
+	xorq	%rax, %r13 
+	xorq	%rdx, %r13 
+	movl	%r10d, %ecx
+	xorl	%r11d, %r13d
+	roll	$5, %ecx
+	roll	%r13d
+	xorq	%r15, %r9 
+	roll	$30, %r14d
+	xorq	%r12, %r9 
+	movq	%r13, -48(%rdi)
+	movq	-48(%rdi), %rsi
+	addq	%r9, %rcx
+	movl	%r10d, %r13d
+	xorq	%r14, %r10 
+	addq	%rbx, %rcx
+	movq	64(%rdi), %rbx
+	movq	24(%rdi), %rax
+	movq	-24(%rdi), %rdx
+	leaq	1859775393(%rcx,%rsi), %r11
+	movq	-40(%rdi), %r9
+	xorq	%r15, %r10 
+	roll	$30, %r13d
+	xorq	%rax, %rbx 
+	movl	%r11d, %esi
+	xorq	%rdx, %rbx 
+	roll	$5, %esi
+	xorl	%r9d, %ebx
+	addq	%r10, %rsi
+	roll	%ebx
+	addq	%r12, %rsi
+	movq	%rbx, -40(%rdi)
+	movq	-40(%rdi), %r8
+	movl	%r11d, %ebx
+	movq	72(%rdi), %r12
+	movq	32(%rdi), %rax
+	xorq	%r13, %r11 
+	movq	-16(%rdi), %rdx
+	movq	-32(%rdi), %r9
+	xorq	%r14, %r11 
+	leaq	1859775393(%rsi,%r8), %r10
+	roll	$30, %ebx
+	xorq	%rax, %r12 
+	xorq	%rdx, %r12 
+	movl	%r10d, %r8d
+	xorl	%r9d, %r12d
+	roll	$5, %r8d
+	roll	%r12d
+	addq	%r11, %r8
+	movq	%r12, -32(%rdi)
+	movq	-32(%rdi), %rcx
+	addq	%r15, %r8
+	movq	-48(%rdi), %r15
+	movq	40(%rdi), %rax
+	movl	%r10d, %r12d
+	movq	-8(%rdi), %rdx
+	movq	-24(%rdi), %r9
+	xorq	%rbx, %r10 
+	leaq	1859775393(%r8,%rcx), %r11
+	xorq	%r13, %r10 
+	xorq	%rax, %r15 
+	xorq	%rdx, %r15 
+	movl	%r11d, %ecx
+	xorl	%r9d, %r15d
+	roll	$5, %ecx
+	roll	%r15d
+	addq	%r10, %rcx
+	addq	%r14, %rcx
+	movq	%r15, -24(%rdi)
+	movq	-24(%rdi), %rsi
+	movq	-40(%rdi), %r14
+	movq	48(%rdi), %rax
+	roll	$30, %r12d
+	movq	(%rdi), %rdx
+	movq	-16(%rdi), %r10
+	movl	%r11d, %r15d
+	leaq	1859775393(%rcx,%rsi), %r9
+	xorq	%r12, %r11 
+	roll	$30, %r15d
+	xorq	%rax, %r14 
+	xorq	%rbx, %r11 
+	xorq	%rdx, %r14 
+	movl	%r9d, %esi
+	xorl	%r10d, %r14d
+	roll	$5, %esi
+	roll	%r14d
+	addq	%r11, %rsi
+	movq	%r14, -16(%rdi)
+	movq	-16(%rdi), %r8
+	addq	%r13, %rsi
+	movq	-32(%rdi), %r11
+	movq	56(%rdi), %rax
+	movl	%r9d, %r14d
+	movq	8(%rdi), %rdx
+	movq	-8(%rdi), %r10
+	xorq	%r15, %r9 
+	leaq	1859775393(%rsi,%r8), %r13
+	xorq	%r12, %r9 
+	roll	$30, %r14d
+	xorq	%rax, %r11 
+	xorq	%rdx, %r11 
+	movl	%r13d, %r8d
+	xorl	%r10d, %r11d
+	roll	$5, %r8d
+	movl	%r13d, %r10d
+	roll	%r11d
+	addq	%r9, %r8
+	xorq	%r14, %r13 
+	movq	%r11, -8(%rdi)
+	addq	%rbx, %r8
+	movq	-8(%rdi), %rbx
+	movq	-24(%rdi), %r9
+	movq	64(%rdi), %rax
+	xorq	%r15, %r13 
+	movq	16(%rdi), %rdx
+	movq	(%rdi), %rcx
+	leaq	1859775393(%r8,%rbx), %r11
+	xorq	%rax, %r9 
+	xorq	%rdx, %r9 
+	movl	%r11d, %ebx
+	xorl	%ecx, %r9d
+	roll	$5, %ebx
+	roll	%r9d
+	addq	%r13, %rbx
+	movq	%r9, (%rdi)
+	movq	(%rdi), %rsi
+	addq	%r12, %rbx
+	movq	-16(%rdi), %r12
+	movq	72(%rdi), %r13
+	movl	%r11d, %r9d
+	leaq	1859775393(%rbx,%rsi), %rcx
+	movl	%r10d, %ebx
+	movq	24(%rdi), %r10
+	movq	8(%rdi), %rax
+	xorq	%r13, %r12 
+	roll	$30, %ebx
+	movl	%ecx, %esi
+	xorq	%r10, %r12 
+	xorq	%rbx, %r11 
+	roll	$5, %esi
+	xorl	%eax, %r12d
+	xorq	%r14, %r11 
+	roll	$30, %r9d
+	roll	%r12d
+	addq	%r11, %rsi
+	movq	%rcx, %rax
+	movq	%r12, 8(%rdi)
+	movq	8(%rdi), %rdx
+	addq	%r15, %rsi
+	movq	-8(%rdi), %r11
+	movq	-48(%rdi), %r13
+	movl	%ecx, %r12d
+	movq	32(%rdi), %r10
+	movq	16(%rdi), %r8
+	orq	%r9, %rcx
+	leaq	1859775393(%rsi,%rdx), %rsi
+	andq	%rbx, %rcx
+	andq	%r9, %rax
+	xorq	%r13, %r11 
+	orq	%rcx, %rax
+	roll	$30, %r12d
+	xorq	%r10, %r11 
+	movq	%rsi, %r10
+	xorl	%r8d, %r11d
+	movl	%esi, %r8d
+	andq	%r12, %r10
+	roll	%r11d
+	roll	$5, %r8d
+	movq	%r11, 16(%rdi)
+	addq	%rax, %r8
+	movq	16(%rdi), %r15
+	movq	(%rdi), %r13
+	movq	-40(%rdi), %rdx
+	addq	%r14, %r8
+	movq	40(%rdi), %r14
+	movq	24(%rdi), %rcx
+	movl	%esi, %r11d
+	addq	%r15, %r8
+	movl	$2400959708, %r15d
+	orq	%r12, %rsi
+	xorq	%rdx, %r13 
+	addq	%r15, %r8
+	andq	%r9, %rsi
+	xorq	%r14, %r13 
+	orq	%rsi, %r10
+	xorl	%ecx, %r13d
+	movl	%r8d, %ecx
+	roll	%r13d
+	roll	$5, %ecx
+	movq	%r13, 24(%rdi)
+	addq	%r10, %rcx
+	movq	24(%rdi), %rax
+	movq	8(%rdi), %r14
+	movq	-32(%rdi), %rdx
+	addq	%rbx, %rcx
+	movq	48(%rdi), %rbx
+	movq	32(%rdi), %rsi
+	roll	$30, %r11d
+	addq	%rax, %rcx
+	movl	%r8d, %r13d
+	movq	%r8, %r10
+	xorq	%rdx, %r14 
+	addq	%r15, %rcx
+	orq	%r11, %r8
+	xorq	%rbx, %r14 
+	andq	%r12, %r8
+	andq	%r11, %r10
+	xorl	%esi, %r14d
+	movl	%ecx, %esi
+	orq	%r8, %r10
+	roll	$5, %esi
+	roll	%r14d
+	roll	$30, %r13d
+	addq	%r10, %rsi
+	movq	%r14, 32(%rdi)
+	movq	32(%rdi), %rax
+	addq	%r9, %rsi
+	movq	16(%rdi), %r9
+	movq	-24(%rdi), %rdx
+	movq	56(%rdi), %rbx
+	movq	40(%rdi), %r8
+	movl	%ecx, %r14d
+	addq	%rax, %rsi
+	movq	%rcx, %r10
+	orq	%r13, %rcx
+	xorq	%rdx, %r9 
+	addq	%r15, %rsi
+	andq	%r11, %rcx
+	xorq	%rbx, %r9 
+	andq	%r13, %r10
+	roll	$30, %r14d
+	xorl	%r8d, %r9d
+	movl	%esi, %r8d
+	orq	%rcx, %r10
+	roll	%r9d
+	roll	$5, %r8d
+	movq	%r9, 40(%rdi)
+	addq	%r10, %r8
+	movq	40(%rdi), %rax
+	movq	24(%rdi), %r10
+	movq	-16(%rdi), %rdx
+	addq	%r12, %r8
+	movq	64(%rdi), %rbx
+	movq	48(%rdi), %rcx
+	movl	%esi, %r9d
+	addq	%rax, %r8
+	movq	%rsi, %r12
+	xorq	%rdx, %r10 
+	addq	%r15, %r8
+	xorq	%rbx, %r10 
+	orq	%r14, %rsi
+	andq	%r14, %r12
+	andq	%r13, %rsi
+	xorl	%ecx, %r10d
+	movl	%r8d, %ecx
+	orq	%rsi, %r12
+	roll	%r10d
+	roll	$5, %ecx
+	movq	%r10, 48(%rdi)
+	addq	%r12, %rcx
+	movq	48(%rdi), %rax
+	movq	32(%rdi), %r12
+	movq	-8(%rdi), %rdx
+	addq	%r11, %rcx
+	movq	72(%rdi), %rbx
+	movq	56(%rdi), %rsi
+	roll	$30, %r9d
+	addq	%rax, %rcx
+	movl	%r8d, %r10d
+	movq	%r8, %r11
+	xorq	%rdx, %r12 
+	addq	%r15, %rcx
+	orq	%r9, %r8
+	xorq	%rbx, %r12 
+	andq	%r14, %r8
+	andq	%r9, %r11
+	xorl	%esi, %r12d
+	movl	%ecx, %esi
+	orq	%r8, %r11
+	roll	%r12d
+	roll	$5, %esi
+	roll	$30, %r10d
+	movq	%r12, 56(%rdi)
+	addq	%r11, %rsi
+	movq	56(%rdi), %rax
+	movq	40(%rdi), %r11
+	movq	(%rdi), %rdx
+	addq	%r13, %rsi
+	movq	-48(%rdi), %rbx
+	movq	64(%rdi), %r8
+	movq	%rcx, %r13
+	addq	%rax, %rsi
+	andq	%r10, %r13
+	movl	%ecx, %r12d
+	xorq	%rdx, %r11 
+	addq	%r15, %rsi
+	xorq	%rbx, %r11 
+	xorl	%r8d, %r11d
+	movl	%esi, %r8d
+	roll	%r11d
+	roll	$5, %r8d
+	orq	%r10, %rcx
+	andq	%r9, %rcx
+	movq	%r11, 64(%rdi)
+	movq	64(%rdi), %rax
+	orq	%rcx, %r13
+	roll	$30, %r12d
+	movl	%esi, %r11d
+	addq	%r13, %r8
+	movq	48(%rdi), %r13
+	movq	8(%rdi), %rdx
+	movq	-40(%rdi), %rbx
+	addq	%r14, %r8
+	movq	72(%rdi), %rcx
+	addq	%rax, %r8
+	movq	%rsi, %r14
+	orq	%r12, %rsi
+	xorq	%rdx, %r13 
+	addq	%r15, %r8
+	andq	%r10, %rsi
+	xorq	%rbx, %r13 
+	andq	%r12, %r14
+	roll	$30, %r11d
+	xorl	%ecx, %r13d
+	movl	%r8d, %ecx
+	orq	%rsi, %r14
+	roll	%r13d
+	roll	$5, %ecx
+	movq	%r13, 72(%rdi)
+	addq	%r14, %rcx
+	movq	72(%rdi), %rax
+	movq	56(%rdi), %r14
+	movq	16(%rdi), %rdx
+	addq	%r9, %rcx
+	movq	-32(%rdi), %rbx
+	movq	-48(%rdi), %rsi
+	movl	%r8d, %r13d
+	addq	%rax, %rcx
+	movq	%r8, %r9
+	orq	%r11, %r8
+	xorq	%rdx, %r14 
+	addq	%r15, %rcx
+	andq	%r12, %r8
+	xorq	%rbx, %r14 
+	andq	%r11, %r9
+	xorl	%esi, %r14d
+	movl	%ecx, %esi
+	orq	%r8, %r9
+	roll	$5, %esi
+	roll	%r14d
+	addq	%r9, %rsi
+	movq	%r14, -48(%rdi)
+	movq	-48(%rdi), %rax
+	addq	%r10, %rsi
+	movq	64(%rdi), %r10
+	movq	24(%rdi), %rdx
+	movq	-24(%rdi), %rbx
+	movq	-40(%rdi), %r8
+	movl	%ecx, %r14d
+	addq	%rax, %rsi
+	roll	$30, %r13d
+	movq	%rcx, %r9
+	xorq	%rdx, %r10 
+	addq	%r15, %rsi
+	orq	%r13, %rcx
+	xorq	%rbx, %r10 
+	andq	%r11, %rcx
+	andq	%r13, %r9
+	xorl	%r8d, %r10d
+	movl	%esi, %r8d
+	orq	%rcx, %r9
+	roll	$5, %r8d
+	roll	%r10d
+	roll	$30, %r14d
+	addq	%r9, %r8
+	movq	%r10, -40(%rdi)
+	movq	-40(%rdi), %rax
+	addq	%r12, %r8
+	movq	72(%rdi), %r12
+	movq	32(%rdi), %rdx
+	movq	-16(%rdi), %rbx
+	movq	-32(%rdi), %rcx
+	movl	%esi, %r10d
+	addq	%rax, %r8
+	movq	%rsi, %r9
+	orq	%r14, %rsi
+	xorq	%rdx, %r12 
+	addq	%r15, %r8
+	andq	%r13, %rsi
+	xorq	%rbx, %r12 
+	andq	%r14, %r9
+	roll	$30, %r10d
+	xorl	%ecx, %r12d
+	movl	%r8d, %ecx
+	orq	%rsi, %r9
+	roll	$5, %ecx
+	roll	%r12d
+	addq	%r9, %rcx
+	movq	%r12, -32(%rdi)
+	movq	-32(%rdi), %rax
+	addq	%r11, %rcx
+	movq	-48(%rdi), %r11
+	movq	40(%rdi), %rdx
+	movq	-8(%rdi), %rbx
+	movq	-24(%rdi), %rsi
+	movl	%r8d, %r12d
+	addq	%rax, %rcx
+	movq	%r8, %r9
+	xorq	%rdx, %r11 
+	addq	%r15, %rcx
+	xorq	%rbx, %r11 
+	xorl	%esi, %r11d
+	orq	%r10, %r8
+	andq	%r10, %r9
+	andq	%r14, %r8
+	movl	%ecx, %esi
+	roll	%r11d
+	orq	%r8, %r9
+	roll	$5, %esi
+	movq	%r11, -24(%rdi)
+	addq	%r9, %rsi
+	movq	-24(%rdi), %rax
+	roll	$30, %r12d
+	addq	%r13, %rsi
+	movq	-40(%rdi), %r13
+	movq	48(%rdi), %rdx
+	movq	(%rdi), %rbx
+	movq	-16(%rdi), %r8
+	movl	%ecx, %r11d
+	addq	%rax, %rsi
+	movq	%rcx, %r9
+	orq	%r12, %rcx
+	xorq	%rdx, %r13 
+	addq	%r15, %rsi
+	andq	%r10, %rcx
+	xorq	%rbx, %r13 
+	andq	%r12, %r9
+	roll	$30, %r11d
+	xorl	%r8d, %r13d
+	movl	%esi, %r8d
+	orq	%rcx, %r9
+	roll	%r13d
+	roll	$5, %r8d
+	movq	%r13, -16(%rdi)
+	addq	%r9, %r8
+	movq	-16(%rdi), %rax
+	movq	-32(%rdi), %r9
+	movq	56(%rdi), %rdx
+	addq	%r14, %r8
+	movq	8(%rdi), %rcx
+	movq	-8(%rdi), %rbx
+	movl	%esi, %r13d
+	addq	%rax, %r8
+	movq	%rsi, %r14
+	orq	%r11, %rsi
+	xorq	%rdx, %r9 
+	addq	%r15, %r8
+	andq	%r11, %r14
+	xorq	%rcx, %r9 
+	xorl	%ebx, %r9d
+	movl	%r8d, %ebx
+	roll	%r9d
+	roll	$5, %ebx
+	andq	%r12, %rsi
+	orq	%rsi, %r14
+	movq	%r9, -8(%rdi)
+	movq	-8(%rdi), %rax
+	addq	%r14, %rbx
+	movq	-24(%rdi), %r14
+	movq	64(%rdi), %rdx
+	movq	16(%rdi), %rcx
+	addq	%r10, %rbx
+	movq	(%rdi), %rsi
+	roll	$30, %r13d
+	addq	%rax, %rbx
+	movl	%r8d, %r9d
+	xorq	%rdx, %r14 
+	addq	%r15, %rbx
+	movq	%r8, %r10
+	xorq	%rcx, %r14 
+	orq	%r13, %r8
+	andq	%r13, %r10
+	andq	%r11, %r8
+	xorl	%esi, %r14d
+	movl	%ebx, %esi
+	orq	%r8, %r10
+	roll	$5, %esi
+	roll	%r14d
+	addq	%r10, %rsi
+	movq	%r14, (%rdi)
+	movq	(%rdi), %rax
+	addq	%r12, %rsi
+	movq	-16(%rdi), %r12
+	movq	72(%rdi), %rdx
+	movq	24(%rdi), %rcx
+	movq	8(%rdi), %r8
+	roll	$30, %r9d
+	addq	%rax, %rsi
+	movl	%ebx, %r14d
+	movq	%rbx, %r10
+	xorq	%rdx, %r12 
+	addq	%r15, %rsi
+	orq	%r9, %rbx
+	xorq	%rcx, %r12 
+	andq	%r13, %rbx
+	andq	%r9, %r10
+	xorl	%r8d, %r12d
+	movl	%esi, %r8d
+	orq	%rbx, %r10
+	roll	%r12d
+	roll	$5, %r8d
+	movq	%r12, 8(%rdi)
+	movq	8(%rdi), %rax
+	addq	%r10, %r8
+	movq	-8(%rdi), %rbx
+	movq	-48(%rdi), %rdx
+	addq	%r11, %r8
+	movq	32(%rdi), %r11
+	movq	16(%rdi), %rcx
+	movl	%esi, %r12d
+	addq	%rax, %r8
+	movq	%rsi, %r10
+	addq	%r15, %r8
+	xorq	%rdx, %rbx 
+	roll	$30, %r14d
+	xorq	%r11, %rbx 
+	orq	%r14, %rsi
+	andq	%r14, %r10
+	xorl	%ecx, %ebx
+	andq	%r9, %rsi
+	movl	%r8d, %ecx
+	roll	%ebx
+	orq	%rsi, %r10
+	roll	$5, %ecx
+	movq	%rbx, 16(%rdi)
+	movq	16(%rdi), %rsi
+	addq	%r10, %rcx
+	movq	(%rdi), %r11
+	movq	-40(%rdi), %rax
+	addq	%r13, %rcx
+	movq	40(%rdi), %rdx
+	movq	24(%rdi), %r13
+	roll	$30, %r12d
+	addq	%rsi, %rcx
+	movl	%r8d, %ebx
+	movq	%r8, %r10
+	xorq	%rax, %r11 
+	addq	%r15, %rcx
+	orq	%r12, %r8
+	xorq	%rdx, %r11 
+	andq	%r14, %r8
+	andq	%r12, %r10
+	xorl	%r13d, %r11d
+	movl	%ecx, %r13d
+	orq	%r8, %r10
+	roll	%r11d
+	roll	$5, %r13d
+	roll	$30, %ebx
+	movq	%r11, 24(%rdi)
+	addq	%r10, %r13
+	movq	24(%rdi), %rsi
+	movq	8(%rdi), %r10
+	movq	-32(%rdi), %rax
+	addq	%r9, %r13
+	movq	48(%rdi), %rdx
+	movq	32(%rdi), %r8
+	movl	%ecx, %r11d
+	addq	%rsi, %r13
+	movq	%rcx, %r9
+	xorq	%rax, %r10 
+	addq	%r15, %r13
+	xorq	%rdx, %r10 
+	xorl	%r8d, %r10d
+	movl	%r13d, %r8d
+	roll	%r10d
+	orq	%rbx, %rcx
+	andq	%rbx, %r9
+	movq	%r10, 32(%rdi)
+	andq	%r12, %rcx
+	movl	%r13d, %r10d
+	orq	%rcx, %r9
+	roll	$5, %r10d
+	movq	32(%rdi), %rsi
+	addq	%r9, %r10
+	roll	$30, %r11d
+	movq	%r13, %rcx
+	addq	%r14, %r10
+	movq	16(%rdi), %r14
+	movq	-24(%rdi), %rax
+	movq	56(%rdi), %rdx
+	movq	40(%rdi), %r9
+	addq	%rsi, %r10
+	addq	%r15, %r10
+	orq	%r11, %r13
+	andq	%r11, %rcx
+	xorq	%rax, %r14 
+	andq	%rbx, %r13
+	xorq	%rdx, %r14 
+	orq	%r13, %rcx
+	xorl	%r9d, %r14d
+	movl	%r10d, %r9d
+	roll	%r14d
+	roll	$5, %r9d
+	movq	%r14, 40(%rdi)
+	movq	40(%rdi), %rsi
+	addq	%rcx, %r9
+	movq	24(%rdi), %r13
+	addq	%r12, %r9
+	movq	-16(%rdi), %r12
+	movq	64(%rdi), %rax
+	movl	%r10d, %r14d
+	addq	%rsi, %r9
+	movl	%r8d, %esi
+	addq	%r15, %r9
+	movq	48(%rdi), %r15
+	xorq	%r12, %r13 
+	roll	$30, %esi
+	xorq	%rax, %r13 
+	xorq	%rsi, %r10 
+	xorl	%r15d, %r13d
+	movl	%r9d, %r15d
+	xorq	%r11, %r10 
+	roll	$5, %r15d
+	roll	%r13d
+	addq	%r10, %r15
+	movq	%r13, 48(%rdi)
+	movq	48(%rdi), %r10
+	addq	%rbx, %r15
+	movq	32(%rdi), %rbx
+	movq	-8(%rdi), %r8
+	movq	72(%rdi), %rdx
+	movq	56(%rdi), %rcx
+	roll	$30, %r14d
+	addq	%r10, %r15
+	movl	$3395469782, %r10d
+	movl	%r9d, %r13d
+	xorq	%r8, %rbx 
+	addq	%r10, %r15
+	xorq	%r14, %r9 
+	xorq	%rdx, %rbx 
+	xorq	%rsi, %r9 
+	roll	$30, %r13d
+	xorl	%ecx, %ebx
+	movl	%r15d, %ecx
+	roll	%ebx
+	roll	$5, %ecx
+	movq	%rbx, 56(%rdi)
+	addq	%r9, %rcx
+	movq	56(%rdi), %r12
+	movq	40(%rdi), %r9
+	movq	(%rdi), %rax
+	addq	%r11, %rcx
+	movq	-48(%rdi), %r8
+	movq	64(%rdi), %r11
+	movl	%r15d, %ebx
+	addq	%r12, %rcx
+	xorq	%r13, %r15 
+	roll	$30, %ebx
+	xorq	%rax, %r9 
+	addq	%r10, %rcx
+	xorq	%r14, %r15 
+	xorq	%r8, %r9 
+	xorl	%r11d, %r9d
+	movl	%ecx, %r11d
+	roll	%r9d
+	roll	$5, %r11d
+	movq	%r9, 64(%rdi)
+	addq	%r15, %r11
+	movq	64(%rdi), %rdx
+	movq	48(%rdi), %r15
+	movq	8(%rdi), %r12
+	addq	%rsi, %r11
+	movq	-40(%rdi), %rax
+	movq	72(%rdi), %r8
+	movl	%ecx, %r9d
+	addq	%rdx, %r11
+	xorq	%r12, %r15 
+	addq	%r10, %r11
+	xorq	%rax, %r15 
+	xorl	%r8d, %r15d
+	movl	%r11d, %r8d
+	roll	%r15d
+	roll	$5, %r8d
+	xorq	%rbx, %rcx 
+	xorq	%r13, %rcx 
+	movq	%r15, 72(%rdi)
+	movq	72(%rdi), %rsi
+	addq	%rcx, %r8
+	movq	56(%rdi), %r12
+	movq	16(%rdi), %rcx
+	movq	-32(%rdi), %rdx
+	addq	%r14, %r8
+	movq	-48(%rdi), %r14
+	addq	%rsi, %r8
+	roll	$30, %r9d
+	movl	%r11d, %r15d
+	xorq	%rcx, %r12 
+	addq	%r10, %r8
+	xorq	%r9, %r11 
+	xorq	%rdx, %r12 
+	xorq	%rbx, %r11 
+	roll	$30, %r15d
+	xorl	%r14d, %r12d
+	movl	%r8d, %r14d
+	roll	$5, %r14d
+	roll	%r12d
+	addq	%r11, %r14
+	movq	%r12, -48(%rdi)
+	movq	-48(%rdi), %rax
+	addq	%r13, %r14
+	movq	64(%rdi), %r13
+	movq	24(%rdi), %rsi
+	movq	-24(%rdi), %rcx
+	movq	-40(%rdi), %r11
+	movl	%r8d, %r12d
+	addq	%rax, %r14
+	xorq	%r15, %r8 
+	roll	$30, %r12d
+	xorq	%rsi, %r13 
+	addq	%r10, %r14
+	xorq	%r9, %r8 
+	xorq	%rcx, %r13 
+	xorl	%r11d, %r13d
+	movl	%r14d, %r11d
+	roll	$5, %r11d
+	roll	%r13d
+	addq	%r8, %r11
+	movq	%r13, -40(%rdi)
+	movq	-40(%rdi), %rdx
+	addq	%rbx, %r11
+	movq	72(%rdi), %rbx
+	movq	32(%rdi), %rax
+	movq	-16(%rdi), %rsi
+	movq	-32(%rdi), %r8
+	movl	%r14d, %r13d
+	addq	%rdx, %r11
+	xorq	%rax, %rbx 
+	addq	%r10, %r11
+	xorq	%rsi, %rbx 
+	xorl	%r8d, %ebx
+	xorq	%r12, %r14 
+	movl	%r11d, %r8d
+	xorq	%r15, %r14 
+	roll	%ebx
+	roll	$5, %r8d
+	movq	%rbx, -32(%rdi)
+	addq	%r14, %r8
+	movq	-32(%rdi), %rcx
+	movq	-48(%rdi), %r14
+	movq	40(%rdi), %rdx
+	addq	%r9, %r8
+	movq	-8(%rdi), %rax
+	movq	-24(%rdi), %r9
+	roll	$30, %r13d
+	addq	%rcx, %r8
+	movl	%r11d, %ebx
+	xorq	%r13, %r11 
+	xorq	%rdx, %r14 
+	addq	%r10, %r8
+	xorq	%r12, %r11 
+	xorq	%rax, %r14 
+	roll	$30, %ebx
+	xorl	%r9d, %r14d
+	movl	%r8d, %r9d
+	roll	$5, %r9d
+	roll	%r14d
+	addq	%r11, %r9
+	movq	%r14, -24(%rdi)
+	movq	-24(%rdi), %rsi
+	addq	%r15, %r9
+	movq	-40(%rdi), %r15
+	movq	48(%rdi), %rcx
+	movq	(%rdi), %rdx
+	movq	-16(%rdi), %r11
+	movl	%r8d, %r14d
+	addq	%rsi, %r9
+	xorq	%rbx, %r8 
+	xorq	%rcx, %r15 
+	addq	%r10, %r9
+	xorq	%r13, %r8 
+	xorq	%rdx, %r15 
+	xorl	%r11d, %r15d
+	movl	%r9d, %r11d
+	roll	%r15d
+	roll	$5, %r11d
+	movq	%r15, -16(%rdi)
+	addq	%r8, %r11
+	movq	-16(%rdi), %rax
+	addq	%r12, %r11
+	movq	-32(%rdi), %r12
+	movq	56(%rdi), %rsi
+	movq	8(%rdi), %rcx
+	movq	-8(%rdi), %r8
+	movl	%r9d, %r15d
+	addq	%rax, %r11
+	addq	%r10, %r11
+	roll	$30, %r14d
+	xorq	%rsi, %r12 
+	xorq	%rcx, %r12 
+	xorq	%r14, %r9 
+	roll	$30, %r15d
+	xorl	%r8d, %r12d
+	movl	%r11d, %r8d
+	xorq	%rbx, %r9 
+	roll	$5, %r8d
+	roll	%r12d
+	addq	%r9, %r8
+	movq	%r12, -8(%rdi)
+	movq	-8(%rdi), %rdx
+	addq	%r13, %r8
+	movq	-24(%rdi), %r13
+	movq	64(%rdi), %rax
+	movq	16(%rdi), %rsi
+	movq	(%rdi), %rcx
+	movl	%r11d, %r12d
+	addq	%rdx, %r8
+	xorq	%r15, %r11 
+	roll	$30, %r12d
+	xorq	%rax, %r13 
+	addq	%r10, %r8
+	xorq	%r14, %r11 
+	xorq	%rsi, %r13 
+	xorl	%ecx, %r13d
+	movl	%r8d, %ecx
+	roll	$5, %ecx
+	roll	%r13d
+	addq	%r11, %rcx
+	movq	%r13, (%rdi)
+	movq	(%rdi), %r9
+	addq	%rbx, %rcx
+	movq	-16(%rdi), %rbx
+	movq	72(%rdi), %rdx
+	movq	24(%rdi), %rax
+	movq	8(%rdi), %rsi
+	movl	%r8d, %r13d
+	addq	%r9, %rcx
+	xorq	%r12, %r8 
+	xorq	%rdx, %rbx 
+	addq	%r10, %rcx
+	xorq	%r15, %r8 
+	xorq	%rax, %rbx 
+	xorl	%esi, %ebx
+	movl	%ecx, %esi
+	roll	$5, %esi
+	roll	%ebx
+	addq	%r8, %rsi
+	movq	%rbx, 8(%rdi)
+	movq	8(%rdi), %r11
+	addq	%r14, %rsi
+	movq	-8(%rdi), %r14
+	movq	-48(%rdi), %r9
+	movq	32(%rdi), %rdx
+	movq	16(%rdi), %r8
+	roll	$30, %r13d
+	addq	%r11, %rsi
+	movl	%ecx, %ebx
+	xorq	%r13, %rcx 
+	xorq	%r9, %r14 
+	addq	%r10, %rsi
+	xorq	%r12, %rcx 
+	xorq	%rdx, %r14 
+	roll	$30, %ebx
+	xorl	%r8d, %r14d
+	movl	%esi, %r8d
+	roll	$5, %r8d
+	roll	%r14d
+	addq	%rcx, %r8
+	movq	%r14, 16(%rdi)
+	movq	16(%rdi), %rax
+	addq	%r15, %r8
+	movq	(%rdi), %r15
+	movq	-40(%rdi), %r11
+	movq	40(%rdi), %r9
+	movq	24(%rdi), %rcx
+	movl	%esi, %r14d
+	addq	%rax, %r8
+	xorq	%rbx, %rsi 
+	roll	$30, %r14d
+	xorq	%r11, %r15 
+	addq	%r10, %r8
+	xorq	%r13, %rsi 
+	xorq	%r9, %r15 
+	xorl	%ecx, %r15d
+	movl	%r8d, %ecx
+	roll	%r15d
+	roll	$5, %ecx
+	movq	%r15, 24(%rdi)
+	addq	%rsi, %rcx
+	movq	24(%rdi), %rdx
+	movq	8(%rdi), %r11
+	movq	-32(%rdi), %rax
+	addq	%r12, %rcx
+	movq	48(%rdi), %r12
+	movq	32(%rdi), %rsi
+	movl	%r8d, %r15d
+	addq	%rdx, %rcx
+	xorq	%rax, %r11 
+	addq	%r10, %rcx
+	xorq	%r12, %r11 
+	xorl	%esi, %r11d
+	movl	%ecx, %esi
+	roll	%r11d
+	movq	%r11, 32(%rdi)
+	movl	%ecx, %r11d
+	movq	32(%rdi), %r9
+	roll	$5, %r11d
+	xorq	%r14, %r8 
+	movq	16(%rdi), %r12
+	xorq	%rbx, %r8 
+	movq	-24(%rdi), %rdx
+	movq	56(%rdi), %rax
+	addq	%r8, %r11
+	movq	40(%rdi), %r8
+	roll	$30, %r15d
+	addq	%r13, %r11
+	xorq	%r15, %rcx 
+	addq	%r9, %r11
+	xorq	%rdx, %r12 
+	xorq	%r14, %rcx 
+	addq	%r10, %r11
+	xorq	%rax, %r12 
+	xorl	%r8d, %r12d
+	movl	%r11d, %r8d
+	roll	$5, %r8d
+	roll	%r12d
+	addq	%rcx, %r8
+	movq	%r12, 40(%rdi)
+	movq	40(%rdi), %r13
+	addq	%rbx, %r8
+	movq	24(%rdi), %rbx
+	movq	-16(%rdi), %r9
+	movq	64(%rdi), %rdx
+	movq	48(%rdi), %rcx
+	movl	%r11d, %r12d
+	addq	%r13, %r8
+	movl	%esi, %r13d
+	roll	$30, %r12d
+	xorq	%r9, %rbx 
+	addq	%r10, %r8
+	roll	$30, %r13d
+	xorq	%rdx, %rbx 
+	xorq	%r13, %r11 
+	xorl	%ecx, %ebx
+	movl	%r8d, %ecx
+	xorq	%r15, %r11 
+	roll	%ebx
+	roll	$5, %ecx
+	movq	%rbx, 48(%rdi)
+	addq	%r11, %rcx
+	movq	48(%rdi), %rax
+	movq	32(%rdi), %r11
+	movq	-8(%rdi), %rsi
+	addq	%r14, %rcx
+	movq	72(%rdi), %r9
+	movq	56(%rdi), %r14
+	movl	%r8d, %ebx
+	addq	%rax, %rcx
+	xorq	%rsi, %r11 
+	addq	%r10, %rcx
+	xorq	%r9, %r11 
+	xorl	%r14d, %r11d
+	xorq	%r12, %r8 
+	movl	%ecx, %r14d
+	xorq	%r13, %r8 
+	roll	%r11d
+	roll	$5, %r14d
+	movq	%r11, 56(%rdi)
+	addq	%r8, %r14
+	movq	56(%rdi), %rdx
+	movq	40(%rdi), %r8
+	movq	(%rdi), %rax
+	addq	%r15, %r14
+	movq	-48(%rdi), %r15
+	movq	64(%rdi), %rsi
+	roll	$30, %ebx
+	addq	%rdx, %r14
+	movl	%ecx, %r11d
+	xorq	%rbx, %rcx 
+	xorq	%rax, %r8 
+	addq	%r10, %r14
+	xorq	%r12, %rcx 
+	xorq	%r15, %r8 
+	roll	$30, %r11d
+	xorl	%esi, %r8d
+	movl	%r14d, %esi
+	roll	%r8d
+	roll	$5, %esi
+	movq	%r8, 64(%rdi)
+	movq	64(%rdi), %r9
+	addq	%rcx, %rsi
+	movq	48(%rdi), %r15
+	movq	8(%rdi), %rcx
+	addq	%r13, %rsi
+	movq	-40(%rdi), %rdx
+	movq	72(%rdi), %rax
+	movl	%r14d, %r8d
+	addq	%r9, %rsi
+	xorq	%r11, %r14 
+	addq	%r10, %rsi
+	xorq	%rcx, %r15 
+	xorq	%rbx, %r14 
+	xorq	%rdx, %r15 
+	movl	%esi, %r13d
+	xorl	%eax, %r15d
+	roll	$5, %r13d
+	roll	%r15d
+	addq	%r14, %r13
+	movq	%r15, 72(%rdi)
+	addq	%r12, %r13
+	movq	72(%rdi), %r12
+	addq	%r12, %r13
+	addq	%r10, %r13
+	movq	-88(%rdi), %r10
+	roll	$30, %r8d
+	addq	%r13, %r10
+	movq	%r10, -88(%rdi)
+	movq	-80(%rdi), %r9
+	addq	%rsi, %r9
+	movq	%r9, -80(%rdi)
+	movq	-72(%rdi), %rcx
+	addq	%r8, %rcx
+	movq	%rcx, -72(%rdi)
+	movq	-64(%rdi), %rdx
+	addq	%r11, %rdx
+	movq	%rdx, -64(%rdi)
+	movq	-56(%rdi), %rax
+	addq	%rbx, %rax
+	popq	%rbx
+	popq	%r12
+	popq	%r13
+	popq	%r14
+	popq	%r15
+	movq	%rax, -56(%rdi)
+	ret
+.LFE7:
+	.size	shaCompress, .-shaCompress
+	.align 16
+.globl SHA1_Update
+	.type	SHA1_Update, @function
+SHA1_Update:
+.LFB5:
+	pushq	%rbp
+.LCFI5:
+	movq	%rsp, %rbp
+.LCFI6:
+	movq	%r13, -24(%rbp)
+.LCFI7:
+	movq	%r14, -16(%rbp)
+.LCFI8:
+	movl	%edx, %r13d
+	movq	%r15, -8(%rbp)
+.LCFI9:
+	movq	%rbx, -40(%rbp)
+.LCFI10:
+	movq	%rdi, %r15
+	movq	%r12, -32(%rbp)
+.LCFI11:
+	subq	$48, %rsp
+.LCFI12:
+	testl	%edx, %edx
+	movq	%rsi, %r14
+	je	.L243
+	movq	64(%rdi), %rdx
+	mov	%r13d, %ecx
+	leaq	(%rdx,%rcx), %rax
+	movq	%rax, 64(%rdi)
+	movl	%edx, %eax
+	andl	$63, %eax
+	movl	%eax, -44(%rbp)
+	jne	.L256
+.L245:
+	cmpl	$63, %r13d
+	jbe	.L253
+	leaq	160(%r15), %rbx
+	.align 16
+.L250:
+	movq	%r14, %rsi
+	subl	$64, %r13d
+	movq	%rbx, %rdi
+	call	shaCompress
+	addq	$64, %r14
+	cmpl	$63, %r13d
+	ja	.L250
+.L253:
+	testl	%r13d, %r13d
+	je	.L243
+	mov	%r13d, %edx
+	movq	%r14, %rsi
+	movq	%r15, %rdi
+	movq	-40(%rbp), %rbx
+	movq	-32(%rbp), %r12
+	movq	-24(%rbp), %r13
+	movq	-16(%rbp), %r14
+	movq	-8(%rbp), %r15
+	leave
+	jmp	memcpy@PLT
+	.align 16
+.L243:
+	movq	-40(%rbp), %rbx
+	movq	-32(%rbp), %r12
+	movq	-24(%rbp), %r13
+	movq	-16(%rbp), %r14
+	movq	-8(%rbp), %r15
+	leave
+	ret
+.L256:
+	movl	$64, %ebx
+	mov	%eax, %edi
+	subl	%eax, %ebx
+	cmpl	%ebx, %r13d
+	cmovb	%r13d, %ebx
+	addq	%r15, %rdi
+	mov	%ebx, %r12d
+	subl	%ebx, %r13d
+	movq	%r12, %rdx
+	addq	%r12, %r14
+	call	memcpy@PLT
+	addl	-44(%rbp), %ebx
+	andl	$63, %ebx
+	jne	.L245
+	leaq	160(%r15), %rdi
+	movq	%r15, %rsi
+	call	shaCompress
+	jmp	.L245
+.LFE5:
+	.size	SHA1_Update, .-SHA1_Update
+	.section	.rodata
+	.align 32
+	.type	bulk_pad.0, @object
+	.size	bulk_pad.0, 64
+bulk_pad.0:
+	.byte	-128
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.byte	0
+	.text
+	.align 16
+.globl SHA1_End
+	.type	SHA1_End, @function
+SHA1_End:
+.LFB6:
+	pushq	%rbp
+.LCFI13:
+	movq	%rsp, %rbp
+.LCFI14:
+	movq	%r12, -24(%rbp)
+.LCFI15:
+	movq	%r13, -16(%rbp)
+.LCFI16:
+	movq	%rsi, %r13
+	movq	%r14, -8(%rbp)
+.LCFI17:
+	movq	%rbx, -32(%rbp)
+.LCFI18:
+	subq	$32, %rsp
+.LCFI19:
+	movq	64(%rdi), %rbx
+	movq	%rdx, %r14
+	movl	$119, %edx
+	leaq	bulk_pad.0(%rip), %rsi
+	movq	%rdi, %r12
+	movl	%ebx, %r8d
+	salq	$3, %rbx
+	andl	$63, %r8d
+	subl	%r8d, %edx
+	andl	$63, %edx
+	incl	%edx
+	call	SHA1_Update@PLT
+	movq	%rbx, %rdi
+	movq	%r12, %rsi
+	shrq	$32, %rdi
+/APP
+	bswap %edi
+/NO_APP
+	movl	%edi, 56(%r12)
+	leaq	160(%r12), %rdi
+/APP
+	bswap %ebx
+/NO_APP
+	movl	%ebx, 60(%r12)
+	call	shaCompress
+	movl	72(%r12), %esi
+	movl	80(%r12), %ebx
+	movl	88(%r12), %ecx
+	movl	96(%r12), %edx
+	movl	104(%r12), %eax
+	movq	8(%rsp), %r12
+/APP
+	bswap %ebx
+	bswap %esi
+/NO_APP
+	movl	%ebx, 4(%r13)
+	movl	%esi, (%r13)
+/APP
+	bswap %ecx
+	bswap %edx
+/NO_APP
+	movl	%ecx, 8(%r13)
+	movl	%edx, 12(%r13)
+/APP
+	bswap %eax
+/NO_APP
+	movq	(%rsp), %rbx
+	movl	%eax, 16(%r13)
+	movl	$20, (%r14)
+	movq	16(%rsp), %r13
+	movq	24(%rsp), %r14
+	leave
+	ret
+.LFE6:
+	.size	SHA1_End, .-SHA1_End
+	.align 16
+.globl SHA1_NewContext
+	.type	SHA1_NewContext, @function
+SHA1_NewContext:
+.LFB8:
+	movl	$248, %edi
+	jmp	PORT_Alloc_Util@PLT
+.LFE8:
+	.size	SHA1_NewContext, .-SHA1_NewContext
+	.align 16
+.globl SHA1_DestroyContext
+	.type	SHA1_DestroyContext, @function
+SHA1_DestroyContext:
+.LFB9:
+	pushq	%rbp
+.LCFI20:
+	movl	$248, %edx
+	movq	%rsp, %rbp
+.LCFI21:
+	movq	%rbx, -16(%rbp)
+.LCFI22:
+	movq	%r12, -8(%rbp)
+.LCFI23:
+	movl	%esi, %ebx
+	subq	$16, %rsp
+.LCFI24:
+	xorl	%esi, %esi
+	movq	%rdi, %r12
+	call	memset@PLT
+	testl	%ebx, %ebx
+	jne	.L268
+	movq	(%rsp), %rbx
+	movq	8(%rsp), %r12
+	leave
+	ret
+	.align 16
+.L268:
+	movq	%r12, %rdi
+	movq	(%rsp), %rbx
+	movq	8(%rsp), %r12
+	leave
+	jmp	PORT_Free_Util@PLT
+.LFE9:
+	.size	SHA1_DestroyContext, .-SHA1_DestroyContext
+	.align 16
+.globl SHA1_HashBuf
+	.type	SHA1_HashBuf, @function
+SHA1_HashBuf:
+.LFB10:
+	pushq	%rbp
+.LCFI25:
+	movq	%rsp, %rbp
+.LCFI26:
+	movq	%rbx, -32(%rbp)
+.LCFI27:
+	leaq	-288(%rbp), %rbx
+	movq	%r12, -24(%rbp)
+.LCFI28:
+	movq	%r13, -16(%rbp)
+.LCFI29:
+	movq	%r14, -8(%rbp)
+.LCFI30:
+	movq	%rsi, %r13
+	subq	$304, %rsp
+.LCFI31:
+	movq	%rdi, %r14
+	movl	%edx, %r12d
+	movq	%rbx, %rdi
+	call	SHA1_Begin@PLT
+	movl	%r12d, %edx
+	movq	%r13, %rsi
+	movq	%rbx, %rdi
+	call	SHA1_Update@PLT
+	leaq	-292(%rbp), %rdx
+	movq	%r14, %rsi
+	movq	%rbx, %rdi
+	movl	$20, %ecx
+	call	SHA1_End@PLT
+	movq	-32(%rbp), %rbx
+	movq	-24(%rbp), %r12
+	xorl	%eax, %eax
+	movq	-16(%rbp), %r13
+	movq	-8(%rbp), %r14
+	leave
+	ret
+.LFE10:
+	.size	SHA1_HashBuf, .-SHA1_HashBuf
+	.align 16
+.globl SHA1_Hash
+	.type	SHA1_Hash, @function
+SHA1_Hash:
+.LFB11:
+	pushq	%rbp
+.LCFI32:
+	movq	%rsp, %rbp
+.LCFI33:
+	movq	%rbx, -16(%rbp)
+.LCFI34:
+	movq	%r12, -8(%rbp)
+.LCFI35:
+	movq	%rsi, %rbx
+	subq	$16, %rsp
+.LCFI36:
+	movq	%rdi, %r12
+	movq	%rsi, %rdi
+	call	strlen@PLT
+	movq	%rbx, %rsi
+	movq	%r12, %rdi
+	movq	(%rsp), %rbx
+	movq	8(%rsp), %r12
+	leave
+	movl	%eax, %edx
+	jmp	SHA1_HashBuf@PLT
+.LFE11:
+	.size	SHA1_Hash, .-SHA1_Hash
+	.align 16
+.globl SHA1_FlattenSize
+	.type	SHA1_FlattenSize, @function
+SHA1_FlattenSize:
+.LFB12:
+	movl	$248, %eax
+	ret
+.LFE12:
+	.size	SHA1_FlattenSize, .-SHA1_FlattenSize
+	.align 16
+.globl SHA1_Flatten
+	.type	SHA1_Flatten, @function
+SHA1_Flatten:
+.LFB13:
+	pushq	%rbp
+.LCFI37:
+	movq	%rsi, %rax
+	movl	$248, %edx
+	movq	%rdi, %rsi
+	movq	%rax, %rdi
+	movq	%rsp, %rbp
+.LCFI38:
+	call	memcpy@PLT
+	leave
+	xorl	%eax, %eax
+	ret
+.LFE13:
+	.size	SHA1_Flatten, .-SHA1_Flatten
+	.align 16
+.globl SHA1_Resurrect
+	.type	SHA1_Resurrect, @function
+SHA1_Resurrect:
+.LFB14:
+	pushq	%rbp
+.LCFI39:
+	movq	%rsp, %rbp
+.LCFI40:
+	movq	%rbx, -16(%rbp)
+.LCFI41:
+	movq	%r12, -8(%rbp)
+.LCFI42:
+	subq	$16, %rsp
+.LCFI43:
+	movq	%rdi, %r12
+	call	SHA1_NewContext@PLT
+	movq	%rax, %rbx
+	xorl	%eax, %eax
+	testq	%rbx, %rbx
+	je	.L273
+	movl	$248, %edx
+	movq	%r12, %rsi
+	movq	%rbx, %rdi
+	call	memcpy@PLT
+	movq	%rbx, %rax
+.L273:
+	movq	(%rsp), %rbx
+	movq	8(%rsp), %r12
+	leave
+	ret
+.LFE14:
+	.size	SHA1_Resurrect, .-SHA1_Resurrect
+	.align 16
+.globl SHA1_Clone
+	.type	SHA1_Clone, @function
+SHA1_Clone:
+.LFB15:
+	movl	$248, %edx
+	jmp	memcpy@PLT
+.LFE15:
+	.size	SHA1_Clone, .-SHA1_Clone
+	.align 16
+.globl SHA1_TraceState
+	.type	SHA1_TraceState, @function
+SHA1_TraceState:
+.LFB16:
+	movl	$-5992, %edi
+	jmp	PORT_SetError_Util@PLT
+.LFE16:
+	.size	SHA1_TraceState, .-SHA1_TraceState
diff --git a/security/nss/lib/freebl/sha256.h b/security/nss/lib/freebl/sha256.h
new file mode 100644
index 000000000..f59813257
--- /dev/null
+++ b/security/nss/lib/freebl/sha256.h
@@ -0,0 +1,51 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2002
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SHA_256_H_
+#define _SHA_256_H_
+
+#include "prtypes.h"
+
+struct SHA256ContextStr {
+    union {
+	PRUint32 w[64];	    /* message schedule, input buffer, plus 48 words */
+	PRUint8  b[256];
+    } u;
+    PRUint32 h[8];		/* 8 state variables */
+    PRUint32 sizeHi,sizeLo;	/* 64-bit count of hashed bytes. */
+};
+
+#endif /* _SHA_256_H_ */
diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c
new file mode 100644
index 000000000..b01b643ad
--- /dev/null
+++ b/security/nss/lib/freebl/sha512.c
@@ -0,0 +1,1386 @@
+/*
+ * sha512.c - implementation of SHA256, SHA384 and SHA512
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2002
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "prcpucfg.h"
+#if defined(_X86_) || defined(SHA_NO_LONG_LONG)
+#define NOUNROLL512 1
+#undef HAVE_LONG_LONG
+#endif
+#include "prtypes.h"	/* for PRUintXX */
+#include "secport.h"	/* for PORT_XXX */
+#include "blapi.h"
+#include "sha256.h"	/* for struct SHA256ContextStr */
+
+/* ============= Common constants and defines ======================= */
+
+#define W ctx->u.w
+#define B ctx->u.b
+#define H ctx->h
+
+#define SHR(x,n) (x >> n)
+#define SHL(x,n) (x << n)
+#define Ch(x,y,z)  ((x & y) ^ (~x & z))
+#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
+
+/* Padding used with all flavors of SHA */
+static const PRUint8 pad[240] = { 
+0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+   /* compiler will fill the rest in with zeros */
+};
+
+/* ============= SHA256 implemenmtation ================================== */
+
+/* SHA-256 constants, K256. */
+static const PRUint32 K256[64] = {
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+};
+
+/* SHA-256 initial hash values */
+static const PRUint32 H256[8] = {
+    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 
+    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
+};
+
+#if (_MSC_VER >= 1300)
+#include <stdlib.h>
+#pragma intrinsic(_byteswap_ulong)
+#define SHA_HTONL(x) _byteswap_ulong(x)
+#define BYTESWAP4(x)  x = SHA_HTONL(x)
+#elif defined(_MSC_VER) && defined(_X86_)
+#ifndef FORCEINLINE
+#if (_MSC_VER >= 1200)
+#define FORCEINLINE __forceinline
+#else
+#define FORCEINLINE __inline
+#endif
+#endif
+#define FASTCALL __fastcall
+
+static FORCEINLINE PRUint32 FASTCALL 
+swap4b(PRUint32 dwd) 
+{
+    __asm {
+    	mov   eax,dwd
+	bswap eax
+    }
+}
+
+#define SHA_HTONL(x) swap4b(x)
+#define BYTESWAP4(x)  x = SHA_HTONL(x)
+
+#elif defined(LINUX) && defined(_X86_)
+#undef  __OPTIMIZE__
+#define __OPTIMIZE__ 1
+#undef  __pentium__
+#define __pentium__ 1
+#include <byteswap.h>
+#define SHA_HTONL(x) bswap_32(x)
+#define BYTESWAP4(x)  x = SHA_HTONL(x)
+
+#else /* neither windows nor Linux PC */
+#define SWAP4MASK  0x00FF00FF
+#define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \
+                      ((t1 & SWAP4MASK) << 8) | ((t1 >> 8) & SWAP4MASK))
+#define BYTESWAP4(x)  x = SHA_HTONL(x)
+#endif
+
+#if defined(_MSC_VER) && defined(_X86_)
+#pragma intrinsic (_lrotr, _lrotl) 
+#define ROTR32(x,n) _lrotr(x,n)
+#define ROTL32(x,n) _lrotl(x,n)
+#else
+#define ROTR32(x,n) ((x >> n) | (x << ((8 * sizeof x) - n)))
+#define ROTL32(x,n) ((x << n) | (x >> ((8 * sizeof x) - n)))
+#endif
+
+/* Capitol Sigma and lower case sigma functions */
+#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x,22))
+#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x,25))
+#define s0(x) (t1 = x, ROTR32(t1, 7) ^ ROTR32(t1,18) ^ SHR(t1, 3))
+#define s1(x) (t2 = x, ROTR32(t2,17) ^ ROTR32(t2,19) ^ SHR(t2,10))
+
+SHA256Context *
+SHA256_NewContext(void)
+{
+    SHA256Context *ctx = PORT_New(SHA256Context);
+    return ctx;
+}
+
+void 
+SHA256_DestroyContext(SHA256Context *ctx, PRBool freeit)
+{
+    if (freeit) {
+        PORT_ZFree(ctx, sizeof *ctx);
+    }
+}
+
+void 
+SHA256_Begin(SHA256Context *ctx)
+{
+    memset(ctx, 0, sizeof *ctx);
+    memcpy(H, H256, sizeof H256);
+}
+
+static void
+SHA256_Compress(SHA256Context *ctx)
+{
+  {
+    register PRUint32 t1, t2;
+
+#if defined(IS_LITTLE_ENDIAN)
+    BYTESWAP4(W[0]);
+    BYTESWAP4(W[1]);
+    BYTESWAP4(W[2]);
+    BYTESWAP4(W[3]);
+    BYTESWAP4(W[4]);
+    BYTESWAP4(W[5]);
+    BYTESWAP4(W[6]);
+    BYTESWAP4(W[7]);
+    BYTESWAP4(W[8]);
+    BYTESWAP4(W[9]);
+    BYTESWAP4(W[10]);
+    BYTESWAP4(W[11]);
+    BYTESWAP4(W[12]);
+    BYTESWAP4(W[13]);
+    BYTESWAP4(W[14]);
+    BYTESWAP4(W[15]);
+#endif
+
+#define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
+
+    /* prepare the "message schedule"   */
+#ifdef NOUNROLL256
+    {
+	int t;
+	for (t = 16; t < 64; ++t) {
+	    INITW(t);
+	}
+    }
+#else
+    INITW(16);
+    INITW(17);
+    INITW(18);
+    INITW(19);
+
+    INITW(20);
+    INITW(21);
+    INITW(22);
+    INITW(23);
+    INITW(24);
+    INITW(25);
+    INITW(26);
+    INITW(27);
+    INITW(28);
+    INITW(29);
+
+    INITW(30);
+    INITW(31);
+    INITW(32);
+    INITW(33);
+    INITW(34);
+    INITW(35);
+    INITW(36);
+    INITW(37);
+    INITW(38);
+    INITW(39);
+
+    INITW(40);
+    INITW(41);
+    INITW(42);
+    INITW(43);
+    INITW(44);
+    INITW(45);
+    INITW(46);
+    INITW(47);
+    INITW(48);
+    INITW(49);
+
+    INITW(50);
+    INITW(51);
+    INITW(52);
+    INITW(53);
+    INITW(54);
+    INITW(55);
+    INITW(56);
+    INITW(57);
+    INITW(58);
+    INITW(59);
+
+    INITW(60);
+    INITW(61);
+    INITW(62);
+    INITW(63);
+
+#endif
+#undef INITW
+  }
+  {
+    PRUint32 a, b, c, d, e, f, g, h;
+
+    a = H[0];
+    b = H[1];
+    c = H[2];
+    d = H[3];
+    e = H[4];
+    f = H[5];
+    g = H[6];
+    h = H[7];
+
+#define ROUND(n,a,b,c,d,e,f,g,h) \
+    h += S1(e) + Ch(e,f,g) + K256[n] + W[n]; \
+    d += h; \
+    h += S0(a) + Maj(a,b,c); 
+
+#ifdef NOUNROLL256
+    {
+	int t;
+	for (t = 0; t < 64; t+= 8) {
+	    ROUND(t+0,a,b,c,d,e,f,g,h)
+	    ROUND(t+1,h,a,b,c,d,e,f,g)
+	    ROUND(t+2,g,h,a,b,c,d,e,f)
+	    ROUND(t+3,f,g,h,a,b,c,d,e)
+	    ROUND(t+4,e,f,g,h,a,b,c,d)
+	    ROUND(t+5,d,e,f,g,h,a,b,c)
+	    ROUND(t+6,c,d,e,f,g,h,a,b)
+	    ROUND(t+7,b,c,d,e,f,g,h,a)
+	}
+    }
+#else
+    ROUND( 0,a,b,c,d,e,f,g,h)
+    ROUND( 1,h,a,b,c,d,e,f,g)
+    ROUND( 2,g,h,a,b,c,d,e,f)
+    ROUND( 3,f,g,h,a,b,c,d,e)
+    ROUND( 4,e,f,g,h,a,b,c,d)
+    ROUND( 5,d,e,f,g,h,a,b,c)
+    ROUND( 6,c,d,e,f,g,h,a,b)
+    ROUND( 7,b,c,d,e,f,g,h,a)
+
+    ROUND( 8,a,b,c,d,e,f,g,h)
+    ROUND( 9,h,a,b,c,d,e,f,g)
+    ROUND(10,g,h,a,b,c,d,e,f)
+    ROUND(11,f,g,h,a,b,c,d,e)
+    ROUND(12,e,f,g,h,a,b,c,d)
+    ROUND(13,d,e,f,g,h,a,b,c)
+    ROUND(14,c,d,e,f,g,h,a,b)
+    ROUND(15,b,c,d,e,f,g,h,a)
+
+    ROUND(16,a,b,c,d,e,f,g,h)
+    ROUND(17,h,a,b,c,d,e,f,g)
+    ROUND(18,g,h,a,b,c,d,e,f)
+    ROUND(19,f,g,h,a,b,c,d,e)
+    ROUND(20,e,f,g,h,a,b,c,d)
+    ROUND(21,d,e,f,g,h,a,b,c)
+    ROUND(22,c,d,e,f,g,h,a,b)
+    ROUND(23,b,c,d,e,f,g,h,a)
+
+    ROUND(24,a,b,c,d,e,f,g,h)
+    ROUND(25,h,a,b,c,d,e,f,g)
+    ROUND(26,g,h,a,b,c,d,e,f)
+    ROUND(27,f,g,h,a,b,c,d,e)
+    ROUND(28,e,f,g,h,a,b,c,d)
+    ROUND(29,d,e,f,g,h,a,b,c)
+    ROUND(30,c,d,e,f,g,h,a,b)
+    ROUND(31,b,c,d,e,f,g,h,a)
+
+    ROUND(32,a,b,c,d,e,f,g,h)
+    ROUND(33,h,a,b,c,d,e,f,g)
+    ROUND(34,g,h,a,b,c,d,e,f)
+    ROUND(35,f,g,h,a,b,c,d,e)
+    ROUND(36,e,f,g,h,a,b,c,d)
+    ROUND(37,d,e,f,g,h,a,b,c)
+    ROUND(38,c,d,e,f,g,h,a,b)
+    ROUND(39,b,c,d,e,f,g,h,a)
+
+    ROUND(40,a,b,c,d,e,f,g,h)
+    ROUND(41,h,a,b,c,d,e,f,g)
+    ROUND(42,g,h,a,b,c,d,e,f)
+    ROUND(43,f,g,h,a,b,c,d,e)
+    ROUND(44,e,f,g,h,a,b,c,d)
+    ROUND(45,d,e,f,g,h,a,b,c)
+    ROUND(46,c,d,e,f,g,h,a,b)
+    ROUND(47,b,c,d,e,f,g,h,a)
+
+    ROUND(48,a,b,c,d,e,f,g,h)
+    ROUND(49,h,a,b,c,d,e,f,g)
+    ROUND(50,g,h,a,b,c,d,e,f)
+    ROUND(51,f,g,h,a,b,c,d,e)
+    ROUND(52,e,f,g,h,a,b,c,d)
+    ROUND(53,d,e,f,g,h,a,b,c)
+    ROUND(54,c,d,e,f,g,h,a,b)
+    ROUND(55,b,c,d,e,f,g,h,a)
+
+    ROUND(56,a,b,c,d,e,f,g,h)
+    ROUND(57,h,a,b,c,d,e,f,g)
+    ROUND(58,g,h,a,b,c,d,e,f)
+    ROUND(59,f,g,h,a,b,c,d,e)
+    ROUND(60,e,f,g,h,a,b,c,d)
+    ROUND(61,d,e,f,g,h,a,b,c)
+    ROUND(62,c,d,e,f,g,h,a,b)
+    ROUND(63,b,c,d,e,f,g,h,a)
+#endif
+
+    H[0] += a;
+    H[1] += b;
+    H[2] += c;
+    H[3] += d;
+    H[4] += e;
+    H[5] += f;
+    H[6] += g;
+    H[7] += h;
+  }
+#undef ROUND
+}
+
+#undef s0
+#undef s1
+#undef S0
+#undef S1
+
+void 
+SHA256_Update(SHA256Context *ctx, const unsigned char *input,
+		    unsigned int inputLen)
+{
+    unsigned int inBuf = ctx->sizeLo & 0x3f;
+    if (!inputLen)
+    	return;
+
+    /* Add inputLen into the count of bytes processed, before processing */
+    if ((ctx->sizeLo += inputLen) < inputLen)
+    	ctx->sizeHi++;
+
+    /* if data already in buffer, attemp to fill rest of buffer */
+    if (inBuf) {
+    	unsigned int todo = SHA256_BLOCK_LENGTH - inBuf;
+	if (inputLen < todo)
+	    todo = inputLen;
+	memcpy(B + inBuf, input, todo);
+	input    += todo;
+	inputLen -= todo;
+	if (inBuf + todo == SHA256_BLOCK_LENGTH)
+	    SHA256_Compress(ctx);
+    }
+
+    /* if enough data to fill one or more whole buffers, process them. */
+    while (inputLen >= SHA256_BLOCK_LENGTH) {
+    	memcpy(B, input, SHA256_BLOCK_LENGTH);
+	input    += SHA256_BLOCK_LENGTH;
+	inputLen -= SHA256_BLOCK_LENGTH;
+	SHA256_Compress(ctx);
+    }
+    /* if data left over, fill it into buffer */
+    if (inputLen) 
+    	memcpy(B, input, inputLen);
+}
+
+void 
+SHA256_End(SHA256Context *ctx, unsigned char *digest,
+           unsigned int *digestLen, unsigned int maxDigestLen)
+{
+    unsigned int inBuf = ctx->sizeLo & 0x3f;
+    unsigned int padLen = (inBuf < 56) ? (56 - inBuf) : (56 + 64 - inBuf);
+    PRUint32 hi, lo;
+#ifdef SWAP4MASK
+    PRUint32 t1;
+#endif
+
+    hi = (ctx->sizeHi << 3) | (ctx->sizeLo >> 29);
+    lo = (ctx->sizeLo << 3);
+
+    SHA256_Update(ctx, pad, padLen);
+
+#if defined(IS_LITTLE_ENDIAN)
+    W[14] = SHA_HTONL(hi);
+    W[15] = SHA_HTONL(lo);
+#else
+    W[14] = hi;
+    W[15] = lo;
+#endif
+    SHA256_Compress(ctx);
+
+    /* now output the answer */
+#if defined(IS_LITTLE_ENDIAN)
+    BYTESWAP4(H[0]);
+    BYTESWAP4(H[1]);
+    BYTESWAP4(H[2]);
+    BYTESWAP4(H[3]);
+    BYTESWAP4(H[4]);
+    BYTESWAP4(H[5]);
+    BYTESWAP4(H[6]);
+    BYTESWAP4(H[7]);
+#endif
+    padLen = PR_MIN(SHA256_LENGTH, maxDigestLen);
+    memcpy(digest, H, padLen);
+    if (digestLen)
+	*digestLen = padLen;
+}
+
+SECStatus 
+SHA256_HashBuf(unsigned char *dest, const unsigned char *src, 
+               uint32 src_length)
+{
+    SHA256Context ctx;
+    unsigned int outLen;
+
+    SHA256_Begin(&ctx);
+    SHA256_Update(&ctx, src, src_length);
+    SHA256_End(&ctx, dest, &outLen, SHA256_LENGTH);
+
+    return SECSuccess;
+}
+
+
+SECStatus 
+SHA256_Hash(unsigned char *dest, const char *src)
+{
+    return SHA256_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
+}
+
+
+void SHA256_TraceState(SHA256Context *ctx) { }
+
+unsigned int 
+SHA256_FlattenSize(SHA256Context *ctx)
+{
+    return sizeof *ctx;
+}
+
+SECStatus 
+SHA256_Flatten(SHA256Context *ctx,unsigned char *space)
+{
+    PORT_Memcpy(space, ctx, sizeof *ctx);
+    return SECSuccess;
+}
+
+SHA256Context * 
+SHA256_Resurrect(unsigned char *space, void *arg)
+{
+    SHA256Context *ctx = SHA256_NewContext();
+    if (ctx) 
+	PORT_Memcpy(ctx, space, sizeof *ctx);
+    return ctx;
+}
+
+void SHA256_Clone(SHA256Context *dest, SHA256Context *src) 
+{
+    memcpy(dest, src, sizeof *dest);
+}
+
+
+/* ======= SHA512 and SHA384 common constants and defines ================= */
+
+/* common #defines for SHA512 and SHA384 */
+#if defined(HAVE_LONG_LONG)
+#define ROTR64(x,n) ((x >> n) | (x << (64 - n)))
+#define ROTL64(x,n) ((x << n) | (x >> (64 - n)))
+
+#define S0(x) (ROTR64(x,28) ^ ROTR64(x,34) ^ ROTR64(x,39))
+#define S1(x) (ROTR64(x,14) ^ ROTR64(x,18) ^ ROTR64(x,41))
+#define s0(x) (t1 = x, ROTR64(t1, 1) ^ ROTR64(t1, 8) ^ SHR(t1,7))
+#define s1(x) (t2 = x, ROTR64(t2,19) ^ ROTR64(t2,61) ^ SHR(t2,6))
+
+#if PR_BYTES_PER_LONG == 8
+#define ULLC(hi,lo) 0x ## hi ## lo ## UL
+#elif defined(_MSC_VER)
+#define ULLC(hi,lo) 0x ## hi ## lo ## ui64
+#else
+#define ULLC(hi,lo) 0x ## hi ## lo ## ULL
+#endif
+
+#define SHA_MASK16 ULLC(0000FFFF,0000FFFF)
+#define SHA_MASK8  ULLC(00FF00FF,00FF00FF)
+#define SHA_HTONLL(x) (t1 = x, \
+  t1 = ((t1 & SHA_MASK8 ) <<  8) | ((t1 >>  8) & SHA_MASK8 ), \
+  t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16), \
+  (t1 >> 32) | (t1 << 32))
+#define BYTESWAP8(x)  x = SHA_HTONLL(x)
+
+#else /* no long long */
+
+#if defined(IS_LITTLE_ENDIAN)
+#define ULLC(hi,lo) { 0x ## lo ## U, 0x ## hi ## U }
+#else
+#define ULLC(hi,lo) { 0x ## hi ## U, 0x ## lo ## U }
+#endif
+
+#define SHA_HTONLL(x) ( BYTESWAP4(x.lo), BYTESWAP4(x.hi), \
+   x.hi ^= x.lo ^= x.hi ^= x.lo, x)
+#define BYTESWAP8(x)  do { PRUint32 tmp; BYTESWAP4(x.lo); BYTESWAP4(x.hi); \
+   tmp = x.lo; x.lo = x.hi; x.hi = tmp; } while (0)
+#endif
+
+/* SHA-384 and SHA-512 constants, K512. */
+static const PRUint64 K512[80] = {
+#if PR_BYTES_PER_LONG == 8
+     0x428a2f98d728ae22UL ,  0x7137449123ef65cdUL , 
+     0xb5c0fbcfec4d3b2fUL ,  0xe9b5dba58189dbbcUL ,
+     0x3956c25bf348b538UL ,  0x59f111f1b605d019UL , 
+     0x923f82a4af194f9bUL ,  0xab1c5ed5da6d8118UL ,
+     0xd807aa98a3030242UL ,  0x12835b0145706fbeUL , 
+     0x243185be4ee4b28cUL ,  0x550c7dc3d5ffb4e2UL ,
+     0x72be5d74f27b896fUL ,  0x80deb1fe3b1696b1UL , 
+     0x9bdc06a725c71235UL ,  0xc19bf174cf692694UL ,
+     0xe49b69c19ef14ad2UL ,  0xefbe4786384f25e3UL , 
+     0x0fc19dc68b8cd5b5UL ,  0x240ca1cc77ac9c65UL ,
+     0x2de92c6f592b0275UL ,  0x4a7484aa6ea6e483UL , 
+     0x5cb0a9dcbd41fbd4UL ,  0x76f988da831153b5UL ,
+     0x983e5152ee66dfabUL ,  0xa831c66d2db43210UL , 
+     0xb00327c898fb213fUL ,  0xbf597fc7beef0ee4UL ,
+     0xc6e00bf33da88fc2UL ,  0xd5a79147930aa725UL , 
+     0x06ca6351e003826fUL ,  0x142929670a0e6e70UL ,
+     0x27b70a8546d22ffcUL ,  0x2e1b21385c26c926UL , 
+     0x4d2c6dfc5ac42aedUL ,  0x53380d139d95b3dfUL ,
+     0x650a73548baf63deUL ,  0x766a0abb3c77b2a8UL , 
+     0x81c2c92e47edaee6UL ,  0x92722c851482353bUL ,
+     0xa2bfe8a14cf10364UL ,  0xa81a664bbc423001UL , 
+     0xc24b8b70d0f89791UL ,  0xc76c51a30654be30UL ,
+     0xd192e819d6ef5218UL ,  0xd69906245565a910UL , 
+     0xf40e35855771202aUL ,  0x106aa07032bbd1b8UL ,
+     0x19a4c116b8d2d0c8UL ,  0x1e376c085141ab53UL , 
+     0x2748774cdf8eeb99UL ,  0x34b0bcb5e19b48a8UL ,
+     0x391c0cb3c5c95a63UL ,  0x4ed8aa4ae3418acbUL , 
+     0x5b9cca4f7763e373UL ,  0x682e6ff3d6b2b8a3UL ,
+     0x748f82ee5defb2fcUL ,  0x78a5636f43172f60UL , 
+     0x84c87814a1f0ab72UL ,  0x8cc702081a6439ecUL ,
+     0x90befffa23631e28UL ,  0xa4506cebde82bde9UL , 
+     0xbef9a3f7b2c67915UL ,  0xc67178f2e372532bUL ,
+     0xca273eceea26619cUL ,  0xd186b8c721c0c207UL , 
+     0xeada7dd6cde0eb1eUL ,  0xf57d4f7fee6ed178UL ,
+     0x06f067aa72176fbaUL ,  0x0a637dc5a2c898a6UL , 
+     0x113f9804bef90daeUL ,  0x1b710b35131c471bUL ,
+     0x28db77f523047d84UL ,  0x32caab7b40c72493UL , 
+     0x3c9ebe0a15c9bebcUL ,  0x431d67c49c100d4cUL ,
+     0x4cc5d4becb3e42b6UL ,  0x597f299cfc657e2aUL , 
+     0x5fcb6fab3ad6faecUL ,  0x6c44198c4a475817UL 
+#else
+    ULLC(428a2f98,d728ae22), ULLC(71374491,23ef65cd), 
+    ULLC(b5c0fbcf,ec4d3b2f), ULLC(e9b5dba5,8189dbbc),
+    ULLC(3956c25b,f348b538), ULLC(59f111f1,b605d019), 
+    ULLC(923f82a4,af194f9b), ULLC(ab1c5ed5,da6d8118),
+    ULLC(d807aa98,a3030242), ULLC(12835b01,45706fbe), 
+    ULLC(243185be,4ee4b28c), ULLC(550c7dc3,d5ffb4e2),
+    ULLC(72be5d74,f27b896f), ULLC(80deb1fe,3b1696b1), 
+    ULLC(9bdc06a7,25c71235), ULLC(c19bf174,cf692694),
+    ULLC(e49b69c1,9ef14ad2), ULLC(efbe4786,384f25e3), 
+    ULLC(0fc19dc6,8b8cd5b5), ULLC(240ca1cc,77ac9c65),
+    ULLC(2de92c6f,592b0275), ULLC(4a7484aa,6ea6e483), 
+    ULLC(5cb0a9dc,bd41fbd4), ULLC(76f988da,831153b5),
+    ULLC(983e5152,ee66dfab), ULLC(a831c66d,2db43210), 
+    ULLC(b00327c8,98fb213f), ULLC(bf597fc7,beef0ee4),
+    ULLC(c6e00bf3,3da88fc2), ULLC(d5a79147,930aa725), 
+    ULLC(06ca6351,e003826f), ULLC(14292967,0a0e6e70),
+    ULLC(27b70a85,46d22ffc), ULLC(2e1b2138,5c26c926), 
+    ULLC(4d2c6dfc,5ac42aed), ULLC(53380d13,9d95b3df),
+    ULLC(650a7354,8baf63de), ULLC(766a0abb,3c77b2a8), 
+    ULLC(81c2c92e,47edaee6), ULLC(92722c85,1482353b),
+    ULLC(a2bfe8a1,4cf10364), ULLC(a81a664b,bc423001), 
+    ULLC(c24b8b70,d0f89791), ULLC(c76c51a3,0654be30),
+    ULLC(d192e819,d6ef5218), ULLC(d6990624,5565a910), 
+    ULLC(f40e3585,5771202a), ULLC(106aa070,32bbd1b8),
+    ULLC(19a4c116,b8d2d0c8), ULLC(1e376c08,5141ab53), 
+    ULLC(2748774c,df8eeb99), ULLC(34b0bcb5,e19b48a8),
+    ULLC(391c0cb3,c5c95a63), ULLC(4ed8aa4a,e3418acb), 
+    ULLC(5b9cca4f,7763e373), ULLC(682e6ff3,d6b2b8a3),
+    ULLC(748f82ee,5defb2fc), ULLC(78a5636f,43172f60), 
+    ULLC(84c87814,a1f0ab72), ULLC(8cc70208,1a6439ec),
+    ULLC(90befffa,23631e28), ULLC(a4506ceb,de82bde9), 
+    ULLC(bef9a3f7,b2c67915), ULLC(c67178f2,e372532b),
+    ULLC(ca273ece,ea26619c), ULLC(d186b8c7,21c0c207), 
+    ULLC(eada7dd6,cde0eb1e), ULLC(f57d4f7f,ee6ed178),
+    ULLC(06f067aa,72176fba), ULLC(0a637dc5,a2c898a6), 
+    ULLC(113f9804,bef90dae), ULLC(1b710b35,131c471b),
+    ULLC(28db77f5,23047d84), ULLC(32caab7b,40c72493), 
+    ULLC(3c9ebe0a,15c9bebc), ULLC(431d67c4,9c100d4c),
+    ULLC(4cc5d4be,cb3e42b6), ULLC(597f299c,fc657e2a), 
+    ULLC(5fcb6fab,3ad6faec), ULLC(6c44198c,4a475817)
+#endif
+};
+
+struct SHA512ContextStr {
+    union {
+	PRUint64 w[80];	    /* message schedule, input buffer, plus 64 words */
+	PRUint32 l[160];
+	PRUint8  b[640];
+    } u;
+    PRUint64 h[8];	    /* 8 state variables */
+    PRUint64 sizeLo;	    /* 64-bit count of hashed bytes. */
+};
+
+/* =========== SHA512 implementation ===================================== */
+
+/* SHA-512 initial hash values */
+static const PRUint64 H512[8] = {
+#if PR_BYTES_PER_LONG == 8
+     0x6a09e667f3bcc908UL ,  0xbb67ae8584caa73bUL , 
+     0x3c6ef372fe94f82bUL ,  0xa54ff53a5f1d36f1UL , 
+     0x510e527fade682d1UL ,  0x9b05688c2b3e6c1fUL , 
+     0x1f83d9abfb41bd6bUL ,  0x5be0cd19137e2179UL 
+#else
+    ULLC(6a09e667,f3bcc908), ULLC(bb67ae85,84caa73b), 
+    ULLC(3c6ef372,fe94f82b), ULLC(a54ff53a,5f1d36f1), 
+    ULLC(510e527f,ade682d1), ULLC(9b05688c,2b3e6c1f), 
+    ULLC(1f83d9ab,fb41bd6b), ULLC(5be0cd19,137e2179)
+#endif
+};
+
+
+SHA512Context *
+SHA512_NewContext(void)
+{
+    SHA512Context *ctx = PORT_New(SHA512Context);
+    return ctx;
+}
+
+void 
+SHA512_DestroyContext(SHA512Context *ctx, PRBool freeit)
+{
+    if (freeit) {
+        PORT_ZFree(ctx, sizeof *ctx);
+    }
+}
+
+void 
+SHA512_Begin(SHA512Context *ctx)
+{
+    memset(ctx, 0, sizeof *ctx);
+    memcpy(H, H512, sizeof H512);
+}
+
+#if defined(SHA512_TRACE)
+#if defined(HAVE_LONG_LONG)
+#define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %016lx, %s = %016lx\n", \
+			       n, #e, d, #a, h);
+#else
+#define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %08x%08x, %s = %08x%08x\n", \
+			       n, #e, d.hi, d.lo, #a, h.hi, h.lo);
+#endif
+#else
+#define DUMP(n,a,d,e,h)
+#endif
+
+#if defined(HAVE_LONG_LONG)
+
+#define ADDTO(x,y) y += x
+
+#define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
+
+#define ROUND(n,a,b,c,d,e,f,g,h) \
+    h += S1(e) + Ch(e,f,g) + K512[n] + W[n]; \
+    d += h; \
+    h += S0(a) + Maj(a,b,c); \
+    DUMP(n,a,d,e,h)
+
+#else /* use only 32-bit variables, and don't unroll loops */
+
+#undef  NOUNROLL512
+#define NOUNROLL512 1
+
+#define ADDTO(x,y) y.lo += x.lo; y.hi += x.hi + (x.lo > y.lo)
+
+#define ROTR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
+#define ROTR64A(x,n,lo,hi) (x.lo << (64-n) | x.hi >> (n-32))
+#define  SHR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
+
+/* Capitol Sigma and lower case sigma functions */
+#define s0lo(x) (ROTR64a(x,1,lo,hi) ^ ROTR64a(x,8,lo,hi) ^ SHR64a(x,7,lo,hi))
+#define s0hi(x) (ROTR64a(x,1,hi,lo) ^ ROTR64a(x,8,hi,lo) ^ (x.hi >> 7))
+
+#define s1lo(x) (ROTR64a(x,19,lo,hi) ^ ROTR64A(x,61,lo,hi) ^ SHR64a(x,6,lo,hi))
+#define s1hi(x) (ROTR64a(x,19,hi,lo) ^ ROTR64A(x,61,hi,lo) ^ (x.hi >> 6))
+
+#define S0lo(x)(ROTR64a(x,28,lo,hi) ^ ROTR64A(x,34,lo,hi) ^ ROTR64A(x,39,lo,hi))
+#define S0hi(x)(ROTR64a(x,28,hi,lo) ^ ROTR64A(x,34,hi,lo) ^ ROTR64A(x,39,hi,lo))
+
+#define S1lo(x)(ROTR64a(x,14,lo,hi) ^ ROTR64a(x,18,lo,hi) ^ ROTR64A(x,41,lo,hi))
+#define S1hi(x)(ROTR64a(x,14,hi,lo) ^ ROTR64a(x,18,hi,lo) ^ ROTR64A(x,41,hi,lo))
+
+/* 32-bit versions of Ch and Maj */
+#define Chxx(x,y,z,lo) ((x.lo & y.lo) ^ (~x.lo & z.lo))
+#define Majx(x,y,z,lo) ((x.lo & y.lo) ^ (x.lo & z.lo) ^ (y.lo & z.lo))
+
+#define INITW(t) \
+    do { \
+	PRUint32 lo, tm; \
+	PRUint32 cy = 0; \
+	lo = s1lo(W[t-2]); \
+	lo += (tm = W[t-7].lo);     if (lo < tm) cy++; \
+	lo += (tm = s0lo(W[t-15])); if (lo < tm) cy++; \
+	lo += (tm = W[t-16].lo);    if (lo < tm) cy++; \
+	W[t].lo = lo; \
+	W[t].hi = cy + s1hi(W[t-2]) + W[t-7].hi + s0hi(W[t-15]) + W[t-16].hi; \
+    } while (0)
+
+#define ROUND(n,a,b,c,d,e,f,g,h) \
+    { \
+	PRUint32 lo, tm, cy; \
+	lo  = S1lo(e); \
+	lo += (tm = Chxx(e,f,g,lo));    cy = (lo < tm); \
+	lo += (tm = K512[n].lo);	if (lo < tm) cy++; \
+	lo += (tm =    W[n].lo);	if (lo < tm) cy++; \
+	h.lo += lo;			if (h.lo < lo) cy++; \
+	h.hi += cy + S1hi(e) + Chxx(e,f,g,hi) + K512[n].hi + W[n].hi; \
+	d.lo += h.lo; \
+	d.hi += h.hi + (d.lo < h.lo); \
+	lo  = S0lo(a);  \
+	lo += (tm = Majx(a,b,c,lo));	cy = (lo < tm); \
+	h.lo += lo;			if (h.lo < lo) cy++; \
+	h.hi += cy + S0hi(a) + Majx(a,b,c,hi); \
+	DUMP(n,a,d,e,h) \
+    }
+#endif
+
+static void
+SHA512_Compress(SHA512Context *ctx)
+{
+#if defined(IS_LITTLE_ENDIAN)
+  {
+#if defined(HAVE_LONG_LONG)
+    PRUint64 t1;
+#else
+    PRUint32 t1;
+#endif
+    BYTESWAP8(W[0]);
+    BYTESWAP8(W[1]);
+    BYTESWAP8(W[2]);
+    BYTESWAP8(W[3]);
+    BYTESWAP8(W[4]);
+    BYTESWAP8(W[5]);
+    BYTESWAP8(W[6]);
+    BYTESWAP8(W[7]);
+    BYTESWAP8(W[8]);
+    BYTESWAP8(W[9]);
+    BYTESWAP8(W[10]);
+    BYTESWAP8(W[11]);
+    BYTESWAP8(W[12]);
+    BYTESWAP8(W[13]);
+    BYTESWAP8(W[14]);
+    BYTESWAP8(W[15]);
+  }
+#endif
+
+  {
+    PRUint64 t1, t2;
+#ifdef NOUNROLL512
+    {
+	/* prepare the "message schedule"   */
+	int t;
+	for (t = 16; t < 80; ++t) {
+	    INITW(t);
+	}
+    }
+#else
+    INITW(16);
+    INITW(17);
+    INITW(18);
+    INITW(19);
+
+    INITW(20);
+    INITW(21);
+    INITW(22);
+    INITW(23);
+    INITW(24);
+    INITW(25);
+    INITW(26);
+    INITW(27);
+    INITW(28);
+    INITW(29);
+
+    INITW(30);
+    INITW(31);
+    INITW(32);
+    INITW(33);
+    INITW(34);
+    INITW(35);
+    INITW(36);
+    INITW(37);
+    INITW(38);
+    INITW(39);
+
+    INITW(40);
+    INITW(41);
+    INITW(42);
+    INITW(43);
+    INITW(44);
+    INITW(45);
+    INITW(46);
+    INITW(47);
+    INITW(48);
+    INITW(49);
+
+    INITW(50);
+    INITW(51);
+    INITW(52);
+    INITW(53);
+    INITW(54);
+    INITW(55);
+    INITW(56);
+    INITW(57);
+    INITW(58);
+    INITW(59);
+
+    INITW(60);
+    INITW(61);
+    INITW(62);
+    INITW(63);
+    INITW(64);
+    INITW(65);
+    INITW(66);
+    INITW(67);
+    INITW(68);
+    INITW(69);
+
+    INITW(70);
+    INITW(71);
+    INITW(72);
+    INITW(73);
+    INITW(74);
+    INITW(75);
+    INITW(76);
+    INITW(77);
+    INITW(78);
+    INITW(79);
+#endif
+  }
+#ifdef SHA512_TRACE
+  {
+    int i;
+    for (i = 0; i < 80; ++i) {
+#ifdef HAVE_LONG_LONG
+	printf("W[%2d] = %016lx\n", i, W[i]);
+#else
+	printf("W[%2d] = %08x%08x\n", i, W[i].hi, W[i].lo);
+#endif
+    }
+  }
+#endif
+  {
+    PRUint64 a, b, c, d, e, f, g, h;
+
+    a = H[0];
+    b = H[1];
+    c = H[2];
+    d = H[3];
+    e = H[4];
+    f = H[5];
+    g = H[6];
+    h = H[7];
+
+#ifdef NOUNROLL512
+    {
+	int t;
+	for (t = 0; t < 80; t+= 8) {
+	    ROUND(t+0,a,b,c,d,e,f,g,h)
+	    ROUND(t+1,h,a,b,c,d,e,f,g)
+	    ROUND(t+2,g,h,a,b,c,d,e,f)
+	    ROUND(t+3,f,g,h,a,b,c,d,e)
+	    ROUND(t+4,e,f,g,h,a,b,c,d)
+	    ROUND(t+5,d,e,f,g,h,a,b,c)
+	    ROUND(t+6,c,d,e,f,g,h,a,b)
+	    ROUND(t+7,b,c,d,e,f,g,h,a)
+	}
+    }
+#else
+    ROUND( 0,a,b,c,d,e,f,g,h)
+    ROUND( 1,h,a,b,c,d,e,f,g)
+    ROUND( 2,g,h,a,b,c,d,e,f)
+    ROUND( 3,f,g,h,a,b,c,d,e)
+    ROUND( 4,e,f,g,h,a,b,c,d)
+    ROUND( 5,d,e,f,g,h,a,b,c)
+    ROUND( 6,c,d,e,f,g,h,a,b)
+    ROUND( 7,b,c,d,e,f,g,h,a)
+
+    ROUND( 8,a,b,c,d,e,f,g,h)
+    ROUND( 9,h,a,b,c,d,e,f,g)
+    ROUND(10,g,h,a,b,c,d,e,f)
+    ROUND(11,f,g,h,a,b,c,d,e)
+    ROUND(12,e,f,g,h,a,b,c,d)
+    ROUND(13,d,e,f,g,h,a,b,c)
+    ROUND(14,c,d,e,f,g,h,a,b)
+    ROUND(15,b,c,d,e,f,g,h,a)
+
+    ROUND(16,a,b,c,d,e,f,g,h)
+    ROUND(17,h,a,b,c,d,e,f,g)
+    ROUND(18,g,h,a,b,c,d,e,f)
+    ROUND(19,f,g,h,a,b,c,d,e)
+    ROUND(20,e,f,g,h,a,b,c,d)
+    ROUND(21,d,e,f,g,h,a,b,c)
+    ROUND(22,c,d,e,f,g,h,a,b)
+    ROUND(23,b,c,d,e,f,g,h,a)
+
+    ROUND(24,a,b,c,d,e,f,g,h)
+    ROUND(25,h,a,b,c,d,e,f,g)
+    ROUND(26,g,h,a,b,c,d,e,f)
+    ROUND(27,f,g,h,a,b,c,d,e)
+    ROUND(28,e,f,g,h,a,b,c,d)
+    ROUND(29,d,e,f,g,h,a,b,c)
+    ROUND(30,c,d,e,f,g,h,a,b)
+    ROUND(31,b,c,d,e,f,g,h,a)
+
+    ROUND(32,a,b,c,d,e,f,g,h)
+    ROUND(33,h,a,b,c,d,e,f,g)
+    ROUND(34,g,h,a,b,c,d,e,f)
+    ROUND(35,f,g,h,a,b,c,d,e)
+    ROUND(36,e,f,g,h,a,b,c,d)
+    ROUND(37,d,e,f,g,h,a,b,c)
+    ROUND(38,c,d,e,f,g,h,a,b)
+    ROUND(39,b,c,d,e,f,g,h,a)
+
+    ROUND(40,a,b,c,d,e,f,g,h)
+    ROUND(41,h,a,b,c,d,e,f,g)
+    ROUND(42,g,h,a,b,c,d,e,f)
+    ROUND(43,f,g,h,a,b,c,d,e)
+    ROUND(44,e,f,g,h,a,b,c,d)
+    ROUND(45,d,e,f,g,h,a,b,c)
+    ROUND(46,c,d,e,f,g,h,a,b)
+    ROUND(47,b,c,d,e,f,g,h,a)
+
+    ROUND(48,a,b,c,d,e,f,g,h)
+    ROUND(49,h,a,b,c,d,e,f,g)
+    ROUND(50,g,h,a,b,c,d,e,f)
+    ROUND(51,f,g,h,a,b,c,d,e)
+    ROUND(52,e,f,g,h,a,b,c,d)
+    ROUND(53,d,e,f,g,h,a,b,c)
+    ROUND(54,c,d,e,f,g,h,a,b)
+    ROUND(55,b,c,d,e,f,g,h,a)
+
+    ROUND(56,a,b,c,d,e,f,g,h)
+    ROUND(57,h,a,b,c,d,e,f,g)
+    ROUND(58,g,h,a,b,c,d,e,f)
+    ROUND(59,f,g,h,a,b,c,d,e)
+    ROUND(60,e,f,g,h,a,b,c,d)
+    ROUND(61,d,e,f,g,h,a,b,c)
+    ROUND(62,c,d,e,f,g,h,a,b)
+    ROUND(63,b,c,d,e,f,g,h,a)
+
+    ROUND(64,a,b,c,d,e,f,g,h)
+    ROUND(65,h,a,b,c,d,e,f,g)
+    ROUND(66,g,h,a,b,c,d,e,f)
+    ROUND(67,f,g,h,a,b,c,d,e)
+    ROUND(68,e,f,g,h,a,b,c,d)
+    ROUND(69,d,e,f,g,h,a,b,c)
+    ROUND(70,c,d,e,f,g,h,a,b)
+    ROUND(71,b,c,d,e,f,g,h,a)
+
+    ROUND(72,a,b,c,d,e,f,g,h)
+    ROUND(73,h,a,b,c,d,e,f,g)
+    ROUND(74,g,h,a,b,c,d,e,f)
+    ROUND(75,f,g,h,a,b,c,d,e)
+    ROUND(76,e,f,g,h,a,b,c,d)
+    ROUND(77,d,e,f,g,h,a,b,c)
+    ROUND(78,c,d,e,f,g,h,a,b)
+    ROUND(79,b,c,d,e,f,g,h,a)
+#endif
+
+    ADDTO(a,H[0]);
+    ADDTO(b,H[1]);
+    ADDTO(c,H[2]);
+    ADDTO(d,H[3]);
+    ADDTO(e,H[4]);
+    ADDTO(f,H[5]);
+    ADDTO(g,H[6]);
+    ADDTO(h,H[7]);
+  }
+}
+
+void 
+SHA512_Update(SHA512Context *ctx, const unsigned char *input,
+              unsigned int inputLen)
+{
+    unsigned int inBuf;
+    if (!inputLen)
+    	return;
+
+#if defined(HAVE_LONG_LONG)
+    inBuf = (unsigned int)ctx->sizeLo & 0x7f;
+    /* Add inputLen into the count of bytes processed, before processing */
+    ctx->sizeLo += inputLen;
+#else
+    inBuf = (unsigned int)ctx->sizeLo.lo & 0x7f;
+    ctx->sizeLo.lo += inputLen;
+    if (ctx->sizeLo.lo < inputLen) ctx->sizeLo.hi++;
+#endif
+
+    /* if data already in buffer, attemp to fill rest of buffer */
+    if (inBuf) {
+    	unsigned int todo = SHA512_BLOCK_LENGTH - inBuf;
+	if (inputLen < todo)
+	    todo = inputLen;
+	memcpy(B + inBuf, input, todo);
+	input    += todo;
+	inputLen -= todo;
+	if (inBuf + todo == SHA512_BLOCK_LENGTH)
+	    SHA512_Compress(ctx);
+    }
+
+    /* if enough data to fill one or more whole buffers, process them. */
+    while (inputLen >= SHA512_BLOCK_LENGTH) {
+    	memcpy(B, input, SHA512_BLOCK_LENGTH);
+	input    += SHA512_BLOCK_LENGTH;
+	inputLen -= SHA512_BLOCK_LENGTH;
+	SHA512_Compress(ctx);
+    }
+    /* if data left over, fill it into buffer */
+    if (inputLen) 
+    	memcpy(B, input, inputLen);
+}
+
+void 
+SHA512_End(SHA512Context *ctx, unsigned char *digest,
+           unsigned int *digestLen, unsigned int maxDigestLen)
+{
+#if defined(HAVE_LONG_LONG)
+    unsigned int inBuf  = (unsigned int)ctx->sizeLo & 0x7f;
+    unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
+    PRUint64 lo, t1;
+    lo = (ctx->sizeLo << 3);
+#else
+    unsigned int inBuf  = (unsigned int)ctx->sizeLo.lo & 0x7f;
+    unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
+    PRUint64 lo = ctx->sizeLo;
+    PRUint32 t1;
+    lo.lo <<= 3;
+#endif
+
+    SHA512_Update(ctx, pad, padLen);
+
+#if defined(HAVE_LONG_LONG)
+    W[14] = 0;
+#else
+    W[14].lo = 0;
+    W[14].hi = 0;
+#endif
+
+    W[15] = lo;
+#if defined(IS_LITTLE_ENDIAN)
+    BYTESWAP8(W[15]);
+#endif
+    SHA512_Compress(ctx);
+
+    /* now output the answer */
+#if defined(IS_LITTLE_ENDIAN)
+    BYTESWAP8(H[0]);
+    BYTESWAP8(H[1]);
+    BYTESWAP8(H[2]);
+    BYTESWAP8(H[3]);
+    BYTESWAP8(H[4]);
+    BYTESWAP8(H[5]);
+    BYTESWAP8(H[6]);
+    BYTESWAP8(H[7]);
+#endif
+    padLen = PR_MIN(SHA512_LENGTH, maxDigestLen);
+    memcpy(digest, H, padLen);
+    if (digestLen)
+	*digestLen = padLen;
+}
+
+SECStatus 
+SHA512_HashBuf(unsigned char *dest, const unsigned char *src, 
+               uint32 src_length)
+{
+    SHA512Context ctx;
+    unsigned int outLen;
+
+    SHA512_Begin(&ctx);
+    SHA512_Update(&ctx, src, src_length);
+    SHA512_End(&ctx, dest, &outLen, SHA512_LENGTH);
+
+    return SECSuccess;
+}
+
+
+SECStatus 
+SHA512_Hash(unsigned char *dest, const char *src)
+{
+    return SHA512_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
+}
+
+
+void SHA512_TraceState(SHA512Context *ctx) { }
+
+unsigned int 
+SHA512_FlattenSize(SHA512Context *ctx)
+{
+    return sizeof *ctx;
+}
+
+SECStatus 
+SHA512_Flatten(SHA512Context *ctx,unsigned char *space)
+{
+    PORT_Memcpy(space, ctx, sizeof *ctx);
+    return SECSuccess;
+}
+
+SHA512Context * 
+SHA512_Resurrect(unsigned char *space, void *arg)
+{
+    SHA512Context *ctx = SHA512_NewContext();
+    if (ctx) 
+	PORT_Memcpy(ctx, space, sizeof *ctx);
+    return ctx;
+}
+
+void SHA512_Clone(SHA512Context *dest, SHA512Context *src) 
+{
+    memcpy(dest, src, sizeof *dest);
+}
+
+/* ======================================================================= */
+/* SHA384 uses a SHA512Context as the real context. 
+** The only differences between SHA384 an SHA512 are:
+** a) the intialization values for the context, and
+** b) the number of bytes of data produced as output.
+*/
+
+/* SHA-384 initial hash values */
+static const PRUint64 H384[8] = {
+#if PR_BYTES_PER_LONG == 8
+     0xcbbb9d5dc1059ed8UL ,  0x629a292a367cd507UL , 
+     0x9159015a3070dd17UL ,  0x152fecd8f70e5939UL , 
+     0x67332667ffc00b31UL ,  0x8eb44a8768581511UL , 
+     0xdb0c2e0d64f98fa7UL ,  0x47b5481dbefa4fa4UL 
+#else
+    ULLC(cbbb9d5d,c1059ed8), ULLC(629a292a,367cd507), 
+    ULLC(9159015a,3070dd17), ULLC(152fecd8,f70e5939), 
+    ULLC(67332667,ffc00b31), ULLC(8eb44a87,68581511), 
+    ULLC(db0c2e0d,64f98fa7), ULLC(47b5481d,befa4fa4)
+#endif
+};
+
+SHA384Context *
+SHA384_NewContext(void)
+{
+    return SHA512_NewContext();
+}
+
+void 
+SHA384_DestroyContext(SHA384Context *ctx, PRBool freeit)
+{
+    SHA512_DestroyContext(ctx, freeit);
+}
+
+void 
+SHA384_Begin(SHA384Context *ctx)
+{
+    memset(ctx, 0, sizeof *ctx);
+    memcpy(H, H384, sizeof H384);
+}
+
+void 
+SHA384_Update(SHA384Context *ctx, const unsigned char *input,
+		    unsigned int inputLen)
+{
+    SHA512_Update(ctx, input, inputLen);
+}
+
+void 
+SHA384_End(SHA384Context *ctx, unsigned char *digest,
+		 unsigned int *digestLen, unsigned int maxDigestLen)
+{
+#define SHA_MIN(a,b) (a < b ? a : b)
+    unsigned int maxLen = SHA_MIN(maxDigestLen, SHA384_LENGTH);
+    SHA512_End(ctx, digest, digestLen, maxLen);
+}
+
+SECStatus 
+SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
+			  uint32 src_length)
+{
+    SHA512Context ctx;
+    unsigned int outLen;
+
+    SHA384_Begin(&ctx);
+    SHA512_Update(&ctx, src, src_length);
+    SHA512_End(&ctx, dest, &outLen, SHA384_LENGTH);
+
+    return SECSuccess;
+}
+
+SECStatus 
+SHA384_Hash(unsigned char *dest, const char *src)
+{
+    return SHA384_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
+}
+
+void SHA384_TraceState(SHA384Context *ctx) { }
+
+unsigned int 
+SHA384_FlattenSize(SHA384Context *ctx)
+{
+    return sizeof(SHA384Context);
+}
+
+SECStatus 
+SHA384_Flatten(SHA384Context *ctx,unsigned char *space)
+{
+    return SHA512_Flatten(ctx, space);
+}
+
+SHA384Context * 
+SHA384_Resurrect(unsigned char *space, void *arg)
+{
+    return SHA512_Resurrect(space, arg);
+}
+
+void SHA384_Clone(SHA384Context *dest, SHA384Context *src) 
+{
+    memcpy(dest, src, sizeof *dest);
+}
+
+/* ======================================================================= */
+#ifdef SELFTEST
+#include <stdio.h>
+
+static const char abc[] = { "abc" };
+static const char abcdbc[] = { 
+    "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+};
+static const char abcdef[] = { 
+    "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+    "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 
+};
+
+void
+dumpHash32(const unsigned char *buf, unsigned int bufLen)
+{
+    unsigned int i;
+    for (i = 0; i < bufLen; i += 4) {
+	printf(" %02x%02x%02x%02x", buf[i], buf[i+1], buf[i+2], buf[i+3]);
+    }
+    printf("\n");
+}
+
+void test256(void)
+{
+    unsigned char outBuf[SHA256_LENGTH];
+
+    printf("SHA256, input = %s\n", abc);
+    SHA256_Hash(outBuf, abc);
+    dumpHash32(outBuf, sizeof outBuf);
+
+    printf("SHA256, input = %s\n", abcdbc);
+    SHA256_Hash(outBuf, abcdbc);
+    dumpHash32(outBuf, sizeof outBuf);
+}
+
+void
+dumpHash64(const unsigned char *buf, unsigned int bufLen)
+{
+    unsigned int i;
+    for (i = 0; i < bufLen; i += 8) {
+    	if (i % 32 == 0)
+	    printf("\n");
+	printf(" %02x%02x%02x%02x%02x%02x%02x%02x", 
+	       buf[i  ], buf[i+1], buf[i+2], buf[i+3],
+	       buf[i+4], buf[i+5], buf[i+6], buf[i+7]);
+    }
+    printf("\n");
+}
+
+void test512(void)
+{
+    unsigned char outBuf[SHA512_LENGTH];
+
+    printf("SHA512, input = %s\n", abc);
+    SHA512_Hash(outBuf, abc);
+    dumpHash64(outBuf, sizeof outBuf);
+
+    printf("SHA512, input = %s\n", abcdef);
+    SHA512_Hash(outBuf, abcdef);
+    dumpHash64(outBuf, sizeof outBuf);
+}
+
+void time512(void)
+{
+    unsigned char outBuf[SHA512_LENGTH];
+
+    SHA512_Hash(outBuf, abc);
+    SHA512_Hash(outBuf, abcdef);
+}
+
+void test384(void)
+{
+    unsigned char outBuf[SHA384_LENGTH];
+
+    printf("SHA384, input = %s\n", abc);
+    SHA384_Hash(outBuf, abc);
+    dumpHash64(outBuf, sizeof outBuf);
+
+    printf("SHA384, input = %s\n", abcdef);
+    SHA384_Hash(outBuf, abcdef);
+    dumpHash64(outBuf, sizeof outBuf);
+}
+
+int main (int argc, char *argv[], char *envp[])
+{
+    int i = 1;
+    if (argc > 1) {
+    	i = atoi(argv[1]);
+    }
+    if (i < 2) {
+	test256();
+	test512();
+	test384();
+    } else {
+    	while (i-- > 0) {
+	    time512();
+	}
+	printf("done\n");
+    }
+    return 0;
+}
+
+void *PORT_Alloc(size_t len) 		{ return malloc(len); }
+void PORT_Free(void *ptr)		{ free(ptr); }
+void PORT_ZFree(void *ptr, size_t len)  { memset(ptr, 0, len); free(ptr); }
+#endif
diff --git a/security/nss/lib/freebl/sha_fast.c b/security/nss/lib/freebl/sha_fast.c
new file mode 100644
index 000000000..b59e3ce39
--- /dev/null
+++ b/security/nss/lib/freebl/sha_fast.c
@@ -0,0 +1,472 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is SHA 180-1 Reference Implementation (Optimized).
+ *
+ * The Initial Developer of the Original Code is
+ * Paul Kocher of Cryptography Research.
+ * Portions created by the Initial Developer are Copyright (C) 1995-9
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include <memory.h>
+#include "blapi.h"
+#include "sha_fast.h"
+#include "prerror.h"
+
+#ifdef TRACING_SSL
+#include "ssl.h"
+#include "ssltrace.h"
+#endif
+
+static void shaCompress(volatile SHA_HW_t *X, const PRUint32 * datain);
+
+#define W u.w
+#define B u.b
+
+
+#define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
+#define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
+#define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
+#define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
+
+#define SHA_MIX(n,a,b,c)    XW(n) = SHA_ROTL(XW(a)^XW(b)^XW(c)^XW(n), 1)
+
+/*
+ *  SHA: initialize context
+ */
+void 
+SHA1_Begin(SHA1Context *ctx)
+{
+  ctx->size = 0;
+  /*
+   *  Initialize H with constants from FIPS180-1.
+   */
+  ctx->H[0] = 0x67452301L;
+  ctx->H[1] = 0xefcdab89L;
+  ctx->H[2] = 0x98badcfeL;
+  ctx->H[3] = 0x10325476L;
+  ctx->H[4] = 0xc3d2e1f0L;
+}
+
+/* Explanation of H array and index values:
+ * The context's H array is actually the concatenation of two arrays 
+ * defined by SHA1, the H array of state variables (5 elements),
+ * and the W array of intermediate values, of which there are 16 elements.
+ * The W array starts at H[5], that is W[0] is H[5].
+ * Although these values are defined as 32-bit values, we use 64-bit
+ * variables to hold them because the AMD64 stores 64 bit values in
+ * memory MUCH faster than it stores any smaller values.
+ *
+ * Rather than passing the context structure to shaCompress, we pass
+ * this combined array of H and W values.  We do not pass the address
+ * of the first element of this array, but rather pass the address of an
+ * element in the middle of the array, element X.  Presently X[0] is H[11].
+ * So we pass the address of H[11] as the address of array X to shaCompress.
+ * Then shaCompress accesses the members of the array using positive AND 
+ * negative indexes.  
+ *
+ * Pictorially: (each element is 8 bytes)
+ * H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
+ * X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
+ * 
+ * The byte offset from X[0] to any member of H and W is always 
+ * representable in a signed 8-bit value, which will be encoded 
+ * as a single byte offset in the X86-64 instruction set.  
+ * If we didn't pass the address of H[11], and instead passed the 
+ * address of H[0], the offsets to elements H[16] and above would be
+ * greater than 127, not representable in a signed 8-bit value, and the 
+ * x86-64 instruction set would encode every such offset as a 32-bit 
+ * signed number in each instruction that accessed element H[16] or 
+ * higher.  This results in much bigger and slower code. 
+ */
+#if !defined(SHA_PUT_W_IN_STACK)
+#define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
+#define W2X  6 /* X[0] is W[6],  and W[0] is X[-6]  */
+#else
+#define H2X 0
+#endif
+
+/*
+ *  SHA: Add data to context.
+ */
+void 
+SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len) 
+{
+  register unsigned int lenB;
+  register unsigned int togo;
+
+  if (!len)
+    return;
+
+  /* accumulate the byte count. */
+  lenB = (unsigned int)(ctx->size) & 63U;
+
+  ctx->size += len;
+
+  /*
+   *  Read the data into W and process blocks as they get full
+   */
+  if (lenB > 0) {
+    togo = 64U - lenB;
+    if (len < togo)
+      togo = len;
+    memcpy(ctx->B + lenB, dataIn, togo);
+    len    -= togo;
+    dataIn += togo;
+    lenB    = (lenB + togo) & 63U;
+    if (!lenB) {
+      shaCompress(&ctx->H[H2X], ctx->W);
+    }
+  }
+#if !defined(SHA_ALLOW_UNALIGNED_ACCESS)
+  if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
+    while (len >= 64U) {
+      memcpy(ctx->B, dataIn, 64);
+      len    -= 64U;
+      shaCompress(&ctx->H[H2X], ctx->W);
+      dataIn += 64U;
+    }
+  } else 
+#endif
+  {
+    while (len >= 64U) {
+      len    -= 64U;
+      shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
+      dataIn += 64U;
+    }
+  }
+  if (len) {
+    memcpy(ctx->B, dataIn, len);
+  }
+}
+
+
+/*
+ *  SHA: Generate hash value from context
+ */
+void 
+SHA1_End(SHA1Context *ctx, unsigned char *hashout,
+         unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+  register PRUint64 size;
+  register PRUint32 lenB;
+
+  static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
+          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
+#define tmp lenB
+
+  PORT_Assert (maxDigestLen >= SHA1_LENGTH);
+
+  /*
+   *  Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
+   */
+  size = ctx->size;
+
+  lenB = (PRUint32)size & 63;
+  SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
+  PORT_Assert(((PRUint32)ctx->size & 63) == 56);
+  /* Convert size from bytes to bits. */
+  size <<= 3;
+  ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
+  ctx->W[15] = SHA_HTONL((PRUint32)size);
+  shaCompress(&ctx->H[H2X], ctx->W);
+
+  /*
+   *  Output hash
+   */
+  SHA_STORE_RESULT;
+  *pDigestLen = SHA1_LENGTH;
+
+}
+
+#undef B
+#undef tmp
+/*
+ *  SHA: Compression function, unrolled.
+ *
+ * Some operations in shaCompress are done as 5 groups of 16 operations.
+ * Others are done as 4 groups of 20 operations.
+ * The code below shows that structure.
+ *
+ * The functions that compute the new values of the 5 state variables
+ * A-E are done in 4 groups of 20 operations (or you may also think
+ * of them as being done in 16 groups of 5 operations).  They are
+ * done by the SHA_RNDx macros below, in the right column.
+ *
+ * The functions that set the 16 values of the W array are done in 
+ * 5 groups of 16 operations.  The first group is done by the 
+ * LOAD macros below, the latter 4 groups are done by SHA_MIX below,
+ * in the left column.
+ *
+ * gcc's optimizer observes that each member of the W array is assigned
+ * a value 5 times in this code.  It reduces the number of store 
+ * operations done to the W array in the context (that is, in the X array)
+ * by creating a W array on the stack, and storing the W values there for 
+ * the first 4 groups of operations on W, and storing the values in the 
+ * context's W array only in the fifth group.  This is undesirable.
+ * It is MUCH bigger code than simply using the context's W array, because 
+ * all the offsets to the W array in the stack are 32-bit signed offsets, 
+ * and it is no faster than storing the values in the context's W array. 
+ *
+ * The original code for sha_fast.c prevented this creation of a separate 
+ * W array in the stack by creating a W array of 80 members, each of
+ * whose elements is assigned only once. It also separated the computations
+ * of the W array values and the computations of the values for the 5
+ * state variables into two separate passes, W's, then A-E's so that the 
+ * second pass could be done all in registers (except for accessing the W
+ * array) on machines with fewer registers.  The method is suboptimal
+ * for machines with enough registers to do it all in one pass, and it
+ * necessitates using many instructions with 32-bit offsets.
+ *
+ * This code eliminates the separate W array on the stack by a completely
+ * different means: by declaring the X array volatile.  This prevents
+ * the optimizer from trying to reduce the use of the X array by the
+ * creation of a MORE expensive W array on the stack. The result is
+ * that all instructions use signed 8-bit offsets and not 32-bit offsets.
+ *
+ * The combination of this code and the -O3 optimizer flag on GCC 3.4.3
+ * results in code that is 3 times faster than the previous NSS sha_fast
+ * code on AMD64.
+ */
+static void 
+shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf) 
+{
+  register SHA_HW_t A, B, C, D, E;
+
+#if defined(SHA_NEED_TMP_VARIABLE)
+  register PRUint32 tmp;
+#endif
+
+#if !defined(SHA_PUT_W_IN_STACK)
+#define XH(n) X[n-H2X]
+#define XW(n) X[n-W2X]
+#else
+  SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
+           w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
+#define XW(n) w_ ## n
+#define XH(n) X[n]
+#endif
+
+#define K0 0x5a827999L
+#define K1 0x6ed9eba1L
+#define K2 0x8f1bbcdcL
+#define K3 0xca62c1d6L
+
+#define SHA_RND1(a,b,c,d,e,n) \
+  a = SHA_ROTL(b,5)+SHA_F1(c,d,e)+a+XW(n)+K0; c=SHA_ROTL(c,30) 
+#define SHA_RND2(a,b,c,d,e,n) \
+  a = SHA_ROTL(b,5)+SHA_F2(c,d,e)+a+XW(n)+K1; c=SHA_ROTL(c,30) 
+#define SHA_RND3(a,b,c,d,e,n) \
+  a = SHA_ROTL(b,5)+SHA_F3(c,d,e)+a+XW(n)+K2; c=SHA_ROTL(c,30) 
+#define SHA_RND4(a,b,c,d,e,n) \
+  a = SHA_ROTL(b,5)+SHA_F4(c,d,e)+a+XW(n)+K3; c=SHA_ROTL(c,30) 
+
+#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
+
+  A = XH(0);
+  B = XH(1);
+  C = XH(2);
+  D = XH(3);
+  E = XH(4);
+
+  LOAD(0);		   SHA_RND1(E,A,B,C,D, 0);
+  LOAD(1);		   SHA_RND1(D,E,A,B,C, 1);
+  LOAD(2);		   SHA_RND1(C,D,E,A,B, 2);
+  LOAD(3);		   SHA_RND1(B,C,D,E,A, 3);
+  LOAD(4);		   SHA_RND1(A,B,C,D,E, 4);
+  LOAD(5);		   SHA_RND1(E,A,B,C,D, 5);
+  LOAD(6);		   SHA_RND1(D,E,A,B,C, 6);
+  LOAD(7);		   SHA_RND1(C,D,E,A,B, 7);
+  LOAD(8);		   SHA_RND1(B,C,D,E,A, 8);
+  LOAD(9);		   SHA_RND1(A,B,C,D,E, 9);
+  LOAD(10);		   SHA_RND1(E,A,B,C,D,10);
+  LOAD(11);		   SHA_RND1(D,E,A,B,C,11);
+  LOAD(12);		   SHA_RND1(C,D,E,A,B,12);
+  LOAD(13);		   SHA_RND1(B,C,D,E,A,13);
+  LOAD(14);		   SHA_RND1(A,B,C,D,E,14);
+  LOAD(15);		   SHA_RND1(E,A,B,C,D,15);
+
+  SHA_MIX( 0, 13,  8,  2); SHA_RND1(D,E,A,B,C, 0);
+  SHA_MIX( 1, 14,  9,  3); SHA_RND1(C,D,E,A,B, 1);
+  SHA_MIX( 2, 15, 10,  4); SHA_RND1(B,C,D,E,A, 2);
+  SHA_MIX( 3,  0, 11,  5); SHA_RND1(A,B,C,D,E, 3);
+
+  SHA_MIX( 4,  1, 12,  6); SHA_RND2(E,A,B,C,D, 4);
+  SHA_MIX( 5,  2, 13,  7); SHA_RND2(D,E,A,B,C, 5);
+  SHA_MIX( 6,  3, 14,  8); SHA_RND2(C,D,E,A,B, 6);
+  SHA_MIX( 7,  4, 15,  9); SHA_RND2(B,C,D,E,A, 7);
+  SHA_MIX( 8,  5,  0, 10); SHA_RND2(A,B,C,D,E, 8);
+  SHA_MIX( 9,  6,  1, 11); SHA_RND2(E,A,B,C,D, 9);
+  SHA_MIX(10,  7,  2, 12); SHA_RND2(D,E,A,B,C,10);
+  SHA_MIX(11,  8,  3, 13); SHA_RND2(C,D,E,A,B,11);
+  SHA_MIX(12,  9,  4, 14); SHA_RND2(B,C,D,E,A,12);
+  SHA_MIX(13, 10,  5, 15); SHA_RND2(A,B,C,D,E,13);
+  SHA_MIX(14, 11,  6,  0); SHA_RND2(E,A,B,C,D,14);
+  SHA_MIX(15, 12,  7,  1); SHA_RND2(D,E,A,B,C,15);
+
+  SHA_MIX( 0, 13,  8,  2); SHA_RND2(C,D,E,A,B, 0);
+  SHA_MIX( 1, 14,  9,  3); SHA_RND2(B,C,D,E,A, 1);
+  SHA_MIX( 2, 15, 10,  4); SHA_RND2(A,B,C,D,E, 2);
+  SHA_MIX( 3,  0, 11,  5); SHA_RND2(E,A,B,C,D, 3);
+  SHA_MIX( 4,  1, 12,  6); SHA_RND2(D,E,A,B,C, 4);
+  SHA_MIX( 5,  2, 13,  7); SHA_RND2(C,D,E,A,B, 5);
+  SHA_MIX( 6,  3, 14,  8); SHA_RND2(B,C,D,E,A, 6);
+  SHA_MIX( 7,  4, 15,  9); SHA_RND2(A,B,C,D,E, 7);
+
+  SHA_MIX( 8,  5,  0, 10); SHA_RND3(E,A,B,C,D, 8);
+  SHA_MIX( 9,  6,  1, 11); SHA_RND3(D,E,A,B,C, 9);
+  SHA_MIX(10,  7,  2, 12); SHA_RND3(C,D,E,A,B,10);
+  SHA_MIX(11,  8,  3, 13); SHA_RND3(B,C,D,E,A,11);
+  SHA_MIX(12,  9,  4, 14); SHA_RND3(A,B,C,D,E,12);
+  SHA_MIX(13, 10,  5, 15); SHA_RND3(E,A,B,C,D,13);
+  SHA_MIX(14, 11,  6,  0); SHA_RND3(D,E,A,B,C,14);
+  SHA_MIX(15, 12,  7,  1); SHA_RND3(C,D,E,A,B,15);
+
+  SHA_MIX( 0, 13,  8,  2); SHA_RND3(B,C,D,E,A, 0);
+  SHA_MIX( 1, 14,  9,  3); SHA_RND3(A,B,C,D,E, 1);
+  SHA_MIX( 2, 15, 10,  4); SHA_RND3(E,A,B,C,D, 2);
+  SHA_MIX( 3,  0, 11,  5); SHA_RND3(D,E,A,B,C, 3);
+  SHA_MIX( 4,  1, 12,  6); SHA_RND3(C,D,E,A,B, 4);
+  SHA_MIX( 5,  2, 13,  7); SHA_RND3(B,C,D,E,A, 5);
+  SHA_MIX( 6,  3, 14,  8); SHA_RND3(A,B,C,D,E, 6);
+  SHA_MIX( 7,  4, 15,  9); SHA_RND3(E,A,B,C,D, 7);
+  SHA_MIX( 8,  5,  0, 10); SHA_RND3(D,E,A,B,C, 8);
+  SHA_MIX( 9,  6,  1, 11); SHA_RND3(C,D,E,A,B, 9);
+  SHA_MIX(10,  7,  2, 12); SHA_RND3(B,C,D,E,A,10);
+  SHA_MIX(11,  8,  3, 13); SHA_RND3(A,B,C,D,E,11);
+
+  SHA_MIX(12,  9,  4, 14); SHA_RND4(E,A,B,C,D,12);
+  SHA_MIX(13, 10,  5, 15); SHA_RND4(D,E,A,B,C,13);
+  SHA_MIX(14, 11,  6,  0); SHA_RND4(C,D,E,A,B,14);
+  SHA_MIX(15, 12,  7,  1); SHA_RND4(B,C,D,E,A,15);
+
+  SHA_MIX( 0, 13,  8,  2); SHA_RND4(A,B,C,D,E, 0);
+  SHA_MIX( 1, 14,  9,  3); SHA_RND4(E,A,B,C,D, 1);
+  SHA_MIX( 2, 15, 10,  4); SHA_RND4(D,E,A,B,C, 2);
+  SHA_MIX( 3,  0, 11,  5); SHA_RND4(C,D,E,A,B, 3);
+  SHA_MIX( 4,  1, 12,  6); SHA_RND4(B,C,D,E,A, 4);
+  SHA_MIX( 5,  2, 13,  7); SHA_RND4(A,B,C,D,E, 5);
+  SHA_MIX( 6,  3, 14,  8); SHA_RND4(E,A,B,C,D, 6);
+  SHA_MIX( 7,  4, 15,  9); SHA_RND4(D,E,A,B,C, 7);
+  SHA_MIX( 8,  5,  0, 10); SHA_RND4(C,D,E,A,B, 8);
+  SHA_MIX( 9,  6,  1, 11); SHA_RND4(B,C,D,E,A, 9);
+  SHA_MIX(10,  7,  2, 12); SHA_RND4(A,B,C,D,E,10);
+  SHA_MIX(11,  8,  3, 13); SHA_RND4(E,A,B,C,D,11);
+  SHA_MIX(12,  9,  4, 14); SHA_RND4(D,E,A,B,C,12);
+  SHA_MIX(13, 10,  5, 15); SHA_RND4(C,D,E,A,B,13);
+  SHA_MIX(14, 11,  6,  0); SHA_RND4(B,C,D,E,A,14);
+  SHA_MIX(15, 12,  7,  1); SHA_RND4(A,B,C,D,E,15);
+
+  XH(0) += A;
+  XH(1) += B;
+  XH(2) += C;
+  XH(3) += D;
+  XH(4) += E;
+}
+
+/*************************************************************************
+** Code below this line added to make SHA code support BLAPI interface
+*/
+
+SHA1Context *
+SHA1_NewContext(void)
+{
+    SHA1Context *cx;
+
+    /* no need to ZNew, SHA1_Begin will init the context */
+    cx = PORT_New(SHA1Context);
+    return cx;
+}
+
+/* Zero and free the context */
+void
+SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
+{
+    memset(cx, 0, sizeof *cx);
+    if (freeit) {
+        PORT_Free(cx);
+    }
+}
+
+SECStatus
+SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SHA1Context ctx;
+    unsigned int outLen;
+
+    SHA1_Begin(&ctx);
+    SHA1_Update(&ctx, src, src_length);
+    SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
+    return SECSuccess;
+}
+
+/* Hash a null-terminated character string. */
+SECStatus
+SHA1_Hash(unsigned char *dest, const char *src)
+{
+    return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
+}
+
+/*
+ * need to support save/restore state in pkcs11. Stores all the info necessary
+ * for a structure into just a stream of bytes.
+ */
+unsigned int
+SHA1_FlattenSize(SHA1Context *cx)
+{
+    return sizeof(SHA1Context);
+}
+
+SECStatus
+SHA1_Flatten(SHA1Context *cx,unsigned char *space)
+{
+    PORT_Memcpy(space,cx, sizeof(SHA1Context));
+    return SECSuccess;
+}
+
+SHA1Context *
+SHA1_Resurrect(unsigned char *space,void *arg)
+{
+    SHA1Context *cx = SHA1_NewContext();
+    if (cx == NULL) return NULL;
+
+    PORT_Memcpy(cx,space, sizeof(SHA1Context));
+    return cx;
+}
+
+void SHA1_Clone(SHA1Context *dest, SHA1Context *src) 
+{
+    memcpy(dest, src, sizeof *dest);
+}
+
+void
+SHA1_TraceState(SHA1Context *ctx)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+}
diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h
new file mode 100644
index 000000000..d579ebad4
--- /dev/null
+++ b/security/nss/lib/freebl/sha_fast.h
@@ -0,0 +1,184 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is SHA 180-1 Reference Implementation (Optimized).
+ *
+ * The Initial Developer of the Original Code is
+ * Paul Kocher of Cryptography Research.
+ * Portions created by the Initial Developer are Copyright (C) 1995-9
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SHA_FAST_H_
+#define _SHA_FAST_H_
+
+#include "prlong.h"
+
+#define SHA1_INPUT_LEN 64
+
+#if defined(IS_64) && !defined(__sparc) 
+typedef PRUint64 SHA_HW_t;
+#define SHA1_USING_64_BIT 1
+#else
+typedef PRUint32 SHA_HW_t;
+#endif
+
+struct SHA1ContextStr {
+  union {
+    PRUint32 w[16];		/* input buffer */
+    PRUint8  b[64];
+  } u;
+  PRUint64 size;          	/* count of hashed bytes. */
+  SHA_HW_t H[22];		/* 5 state variables, 16 tmp values, 1 extra */
+};
+
+#if defined(_MSC_VER)
+#include <stdlib.h>
+#if defined(IS_LITTLE_ENDIAN) 
+#if (_MSC_VER >= 1300)
+#pragma intrinsic(_byteswap_ulong)
+#define SHA_HTONL(x) _byteswap_ulong(x)
+#elif defined(_X86_)
+#ifndef FORCEINLINE
+#if (_MSC_VER >= 1200)
+#define FORCEINLINE __forceinline
+#else
+#define FORCEINLINE __inline
+#endif /* _MSC_VER */
+#endif /* !defined FORCEINLINE */
+#define FASTCALL __fastcall
+
+static FORCEINLINE PRUint32 FASTCALL 
+swap4b(PRUint32 dwd) 
+{
+    __asm {
+    	mov   eax,dwd
+	bswap eax
+    }
+}
+
+#define SHA_HTONL(x) swap4b(x)
+#endif /* _X86_ */
+#endif /* IS_LITTLE_ENDIAN */
+
+#pragma intrinsic (_lrotr, _lrotl) 
+#define SHA_ROTL(x,n) _lrotl(x,n)
+#define SHA_ROTL_IS_DEFINED 1
+#endif /* _MSC_VER */
+
+#if defined(__GNUC__) 
+/* __x86_64__  and __x86_64 are defined by GCC on x86_64 CPUs */
+
+#if defined( SHA1_USING_64_BIT )
+static __inline__ PRUint64 SHA_ROTL(PRUint64 x, PRUint32 n)
+{
+    PRUint32 t = (PRUint32)x;
+    return ((t << n) | (t >> (32 - n)));
+}
+#else 
+static __inline__ PRUint32 SHA_ROTL(PRUint32 t, PRUint32 n)
+{
+    return ((t << n) | (t >> (32 - n)));
+}
+#endif
+#define SHA_ROTL_IS_DEFINED 1
+
+#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
+static __inline__ PRUint32 swap4b(PRUint32 value)
+{
+    __asm__("bswap %0" : "+r" (value));
+    return (value);
+}
+#define SHA_HTONL(x) swap4b(x)
+#endif /* x86 family */
+
+#endif /* __GNUC__ */
+
+#if !defined(SHA_ROTL_IS_DEFINED)
+#define SHA_NEED_TMP_VARIABLE 1
+#define SHA_ROTL(X,n) (tmp = (X), ((tmp) << (n)) | ((tmp) >> (32-(n))))
+#endif
+
+#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
+#define SHA_ALLOW_UNALIGNED_ACCESS 1
+#endif
+
+#if !defined(SHA_HTONL)
+#define SHA_MASK      0x00FF00FF
+#if defined(IS_LITTLE_ENDIAN)
+#undef  SHA_NEED_TMP_VARIABLE 
+#define SHA_NEED_TMP_VARIABLE 1
+#define SHA_HTONL(x)  (tmp = (x), tmp = (tmp << 16) | (tmp >> 16), \
+                       ((tmp & SHA_MASK) << 8) | ((tmp >> 8) & SHA_MASK))
+#else
+#define SHA_HTONL(x)  (x)
+#endif
+#endif
+
+#define SHA_BYTESWAP(x) x = SHA_HTONL(x)
+
+#define SHA_STORE(n) ((PRUint32*)hashout)[n] = SHA_HTONL(ctx->H[n])
+#if defined(SHA_ALLOW_UNALIGNED_ACCESS)
+#define SHA_STORE_RESULT \
+  SHA_STORE(0); \
+  SHA_STORE(1); \
+  SHA_STORE(2); \
+  SHA_STORE(3); \
+  SHA_STORE(4);
+
+#elif defined(IS_LITTLE_ENDIAN) || defined( SHA1_USING_64_BIT )
+#define SHA_STORE_RESULT \
+  if (!((ptrdiff_t)hashout % sizeof(PRUint32))) { \
+    SHA_STORE(0); \
+    SHA_STORE(1); \
+    SHA_STORE(2); \
+    SHA_STORE(3); \
+    SHA_STORE(4); \
+  } else { \
+    ctx->u.w[0] = SHA_HTONL(ctx->H[0]); \
+    ctx->u.w[1] = SHA_HTONL(ctx->H[1]); \
+    ctx->u.w[2] = SHA_HTONL(ctx->H[2]); \
+    ctx->u.w[3] = SHA_HTONL(ctx->H[3]); \
+    ctx->u.w[4] = SHA_HTONL(ctx->H[4]); \
+    memcpy(hashout, ctx->u.w, SHA1_LENGTH); \
+  }
+
+#else
+#define SHA_STORE_RESULT \
+  if (!((ptrdiff_t)hashout % sizeof(PRUint32))) { \
+    SHA_STORE(0); \
+    SHA_STORE(1); \
+    SHA_STORE(2); \
+    SHA_STORE(3); \
+    SHA_STORE(4); \
+  } else { \
+    memcpy(hashout, ctx->H, SHA1_LENGTH); \
+  }
+#endif 
+
+#endif /* _SHA_FAST_H_ */
diff --git a/security/nss/lib/freebl/shsign.h b/security/nss/lib/freebl/shsign.h
new file mode 100644
index 000000000..0557bf8b3
--- /dev/null
+++ b/security/nss/lib/freebl/shsign.h
@@ -0,0 +1,47 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _SHSIGN_H_
+#define _SHSIGN_H_
+
+#define SGN_SUFFIX ".chk"
+#define  NSS_SIGN_CHK_MAGIC1 0xf1
+#define  NSS_SIGN_CHK_MAGIC2 0xc5
+#define  NSS_SIGN_CHK_MAJOR_VERSION 0x01
+#define  NSS_SIGN_CHK_MINOR_VERSION 0x02
+
+#endif /* _SHSIGN_H_ */
diff --git a/security/nss/lib/freebl/shvfy.c b/security/nss/lib/freebl/shvfy.c
new file mode 100644
index 000000000..5c5aad8b1
--- /dev/null
+++ b/security/nss/lib/freebl/shvfy.c
@@ -0,0 +1,295 @@
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "shsign.h"
+#include "prlink.h"
+#include "prio.h"
+#include "blapi.h"
+#include "seccomon.h"
+#include "stdio.h"
+#include "prmem.h"
+
+/* #define DEBUG_SHVERIFY 1 */
+
+static char *
+mkCheckFileName(const char *libName)
+{
+    int ln_len = PORT_Strlen(libName);
+    char *output = PORT_Alloc(ln_len+sizeof(SGN_SUFFIX));
+    int index = ln_len + 1 - sizeof("."SHLIB_SUFFIX);
+
+    if ((index > 0) &&
+        (PORT_Strncmp(&libName[index],
+                        "."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) {
+        ln_len = index;
+    }
+    PORT_Memcpy(output,libName,ln_len);
+    PORT_Memcpy(&output[ln_len],SGN_SUFFIX,sizeof(SGN_SUFFIX));
+    return output;
+}
+
+static int
+decodeInt(unsigned char *buf)
+{
+    return (buf[3]) | (buf[2] << 8) | (buf[1] << 16) | (buf[0] << 24);
+}
+
+static SECStatus
+readItem(PRFileDesc *fd, SECItem *item)
+{
+    unsigned char buf[4];
+    int bytesRead;
+
+
+    bytesRead = PR_Read(fd, buf, 4);
+    if (bytesRead != 4) {
+	return SECFailure;
+    }
+    item->len = decodeInt(buf);
+
+    item->data = PORT_Alloc(item->len);
+    if (item->data == NULL) {
+	item->len = 0;
+	return SECFailure;
+    }
+    bytesRead = PR_Read(fd, item->data, item->len);
+    if (bytesRead != item->len) {
+	PORT_Free(item->data);
+	item->data = NULL;
+	item->len = 0;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+PRBool
+BLAPI_SHVerify(const char *name, PRFuncPtr addr)
+{
+    /* find our shared library name */
+    char *shName = PR_GetLibraryFilePathname(name, addr);
+    char *checkName = NULL;
+    PRFileDesc *checkFD = NULL;
+    PRFileDesc *shFD = NULL;
+    SHA1Context *hashcx = NULL;
+    SECItem signature = { 0, NULL, 0 };
+    SECItem hash;
+    int bytesRead, offset;
+    SECStatus rv;
+    DSAPublicKey key;
+    int count;
+
+    PRBool result = PR_FALSE; /* if anything goes wrong,
+			       * the signature does not verify */
+    unsigned char buf[512];
+    unsigned char hashBuf[SHA1_LENGTH];
+
+    PORT_Memset(&key,0,sizeof(key));
+    hash.data = hashBuf;
+    hash.len = sizeof(hashBuf);
+
+    if (!shName) {
+	goto loser;
+    }
+
+    /* figure out the name of our check file */
+    checkName = mkCheckFileName(shName);
+    if (!checkName) {
+	goto loser;
+    }
+
+    /* open the check File */
+    checkFD = PR_Open(checkName, PR_RDONLY, 0);
+    if (checkFD == NULL) {
+#ifdef DEBUG_SHVERIFY
+        fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
+                checkName, (int)PR_GetError(), (int)PR_GetOSError());
+#endif /* DEBUG_SHVERIFY */
+	goto loser;
+    }
+
+    /* read and Verify the headerthe header */
+    bytesRead = PR_Read(checkFD, buf, 12);
+    if (bytesRead != 12) {
+	goto loser;
+    }
+    if ((buf[0] != NSS_SIGN_CHK_MAGIC1) || (buf[1] != NSS_SIGN_CHK_MAGIC2)) {
+	goto loser;
+    }
+    if ((buf[2] != NSS_SIGN_CHK_MAJOR_VERSION) || 
+				(buf[3] < NSS_SIGN_CHK_MINOR_VERSION)) {
+	goto loser;
+    }
+#ifdef notdef
+    if (decodeInt(&buf[8]) != CKK_DSA) {
+	goto loser;
+    }
+#endif
+
+    /* seek past any future header extensions */
+    offset = decodeInt(&buf[4]);
+    PR_Seek(checkFD, offset, PR_SEEK_SET);
+
+    /* read the key */
+    rv = readItem(checkFD,&key.params.prime);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = readItem(checkFD,&key.params.subPrime);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = readItem(checkFD,&key.params.base);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = readItem(checkFD,&key.publicValue);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    /* read the siganture */
+    rv = readItem(checkFD,&signature);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* done with the check file */
+    PR_Close(checkFD);
+    checkFD = NULL;
+
+    /* open our library file */
+    shFD = PR_Open(shName, PR_RDONLY, 0);
+    if (shFD == NULL) {
+#ifdef DEBUG_SHVERIFY
+        fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
+                shName, (int)PR_GetError(), (int)PR_GetOSError());
+#endif /* DEBUG_SHVERIFY */
+	goto loser;
+    }
+
+    /* hash our library file with SHA1 */
+    hashcx = SHA1_NewContext();
+    if (hashcx == NULL) {
+	goto loser;
+    }
+    SHA1_Begin(hashcx);
+
+    count = 0;
+    while ((bytesRead = PR_Read(shFD, buf, sizeof(buf))) > 0) {
+	SHA1_Update(hashcx, buf, bytesRead);
+	count += bytesRead;
+    }
+    PR_Close(shFD);
+    shFD = NULL;
+
+    SHA1_End(hashcx, hash.data, &hash.len, hash.len);
+
+
+    /* verify the hash against the check file */
+    if (DSA_VerifyDigest(&key, &signature, &hash) == SECSuccess) {
+	result = PR_TRUE;
+    }
+#ifdef DEBUG_SHVERIFY
+  {
+        int i,j;
+        fprintf(stderr,"File %s: %d bytes\n",shName, count);
+        fprintf(stderr,"  hash: %d bytes\n", hash.len);
+#define STEP 10
+        for (i=0; i < hash.len; i += STEP) {
+           fprintf(stderr,"   ");
+           for (j=0; j < STEP && (i+j) < hash.len; j++) {
+                fprintf(stderr," %02x", hash.data[i+j]);
+           }
+           fprintf(stderr,"\n");
+        }
+        fprintf(stderr,"  signature: %d bytes\n", signature.len);
+        for (i=0; i < signature.len; i += STEP) {
+           fprintf(stderr,"   ");
+           for (j=0; j < STEP && (i+j) < signature.len; j++) {
+                fprintf(stderr," %02x", signature.data[i+j]);
+           }
+           fprintf(stderr,"\n");
+        }
+	fprintf(stderr,"Verified : %s\n",result?"TRUE": "FALSE");
+    }
+#endif /* DEBUG_SHVERIFY */
+
+
+loser:
+    if (shName != NULL) {
+	PR_Free(shName);
+    }
+    if (checkName != NULL) {
+	PORT_Free(checkName);
+    }
+    if (checkFD != NULL) {
+	PR_Close(checkFD);
+    }
+    if (shFD != NULL) {
+	PR_Close(shFD);
+    }
+    if (hashcx != NULL) {
+	SHA1_DestroyContext(hashcx,PR_TRUE);
+    }
+    if (signature.data != NULL) {
+	PORT_Free(signature.data);
+    }
+    if (key.params.prime.data != NULL) {
+	PORT_Free(key.params.prime.data);
+    }
+    if (key.params.subPrime.data != NULL) {
+	PORT_Free(key.params.subPrime.data);
+    }
+    if (key.params.base.data != NULL) {
+	PORT_Free(key.params.base.data);
+    }
+    if (key.publicValue.data != NULL) {
+	PORT_Free(key.publicValue.data);
+    }
+
+    return result;
+}
+
+PRBool
+BLAPI_VerifySelf(const char *name)
+{
+    /* to separate shlib to verify if name is NULL */
+    if (name == NULL) {
+	return PR_TRUE;
+    }
+    return BLAPI_SHVerify(name, (PRFuncPtr) decodeInt);
+}
diff --git a/security/nss/lib/freebl/sysrand.c b/security/nss/lib/freebl/sysrand.c
new file mode 100644
index 000000000..7991e8f30
--- /dev/null
+++ b/security/nss/lib/freebl/sysrand.c
@@ -0,0 +1,46 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "seccomon.h"
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "unix_rand.c"
+#endif
+#ifdef XP_WIN
+#include "win_rand.c"
+#endif
+#ifdef XP_OS2
+#include "os2_rand.c"
+#endif
diff --git a/security/nss/lib/freebl/tlsprfalg.c b/security/nss/lib/freebl/tlsprfalg.c
new file mode 100644
index 000000000..05f3f0d76
--- /dev/null
+++ b/security/nss/lib/freebl/tlsprfalg.c
@@ -0,0 +1,164 @@
+/* tlsprfalg.c - TLS Pseudo Random Function (PRF) implementation
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "sechash.h"
+#include "alghmac.h"
+#include "blapi.h"
+
+#define PHASH_STATE_MAX_LEN SHA1_LENGTH
+
+/* TLS P_hash function */
+static SECStatus
+sftk_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, 
+	SECItem *seed, SECItem *result, PRBool isFIPS)
+{
+    unsigned char state[PHASH_STATE_MAX_LEN];
+    unsigned char outbuf[PHASH_STATE_MAX_LEN];
+    unsigned int state_len = 0, label_len = 0, outbuf_len = 0, chunk_size;
+    unsigned int remaining;
+    unsigned char *res;
+    SECStatus status;
+    HMACContext *cx;
+    SECStatus rv = SECFailure;
+    const SECHashObject *hashObj = HASH_GetRawHashObject(hashType);
+
+    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
+    PORT_Assert((seed != NULL) && (seed->data != NULL));
+    PORT_Assert((result != NULL) && (result->data != NULL));
+
+    remaining = result->len;
+    res = result->data;
+
+    if (label != NULL)
+	label_len = PORT_Strlen(label);
+
+    cx = HMAC_Create(hashObj, secret->data, secret->len, isFIPS);
+    if (cx == NULL)
+	goto loser;
+
+    /* initialize the state = A(1) = HMAC_hash(secret, seed) */
+    HMAC_Begin(cx);
+    HMAC_Update(cx, (unsigned char *)label, label_len);
+    HMAC_Update(cx, seed->data, seed->len);
+    status = HMAC_Finish(cx, state, &state_len, sizeof(state));
+    if (status != SECSuccess)
+	goto loser;
+
+    /* generate a block at a time until we're done */
+    while (remaining > 0) {
+
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	if (label_len)
+	    HMAC_Update(cx, (unsigned char *)label, label_len);
+	HMAC_Update(cx, seed->data, seed->len);
+	status = HMAC_Finish(cx, outbuf, &outbuf_len, sizeof(outbuf));
+	if (status != SECSuccess)
+	    goto loser;
+
+        /* Update the state = A(i) = HMAC_hash(secret, A(i-1)) */
+	HMAC_Begin(cx); 
+	HMAC_Update(cx, state, state_len); 
+	status = HMAC_Finish(cx, state, &state_len, sizeof(state));
+	if (status != SECSuccess)
+	    goto loser;
+
+	chunk_size = PR_MIN(outbuf_len, remaining);
+	PORT_Memcpy(res, &outbuf, chunk_size);
+	res += chunk_size;
+	remaining -= chunk_size;
+    }
+
+    rv = SECSuccess;
+
+loser:
+    /* clear out state so it's not left on the stack */
+    if (cx) 
+    	HMAC_Destroy(cx, PR_TRUE);
+    PORT_Memset(state, 0, sizeof(state));
+    PORT_Memset(outbuf, 0, sizeof(outbuf));
+    return rv;
+}
+
+SECStatus
+TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
+         SECItem *result, PRBool isFIPS)
+{
+    SECStatus rv = SECFailure, status;
+    unsigned int i;
+    SECItem tmp = { siBuffer, NULL, 0};
+    SECItem S1;
+    SECItem S2;
+
+    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
+    PORT_Assert((seed != NULL) && (seed->data != NULL));
+    PORT_Assert((result != NULL) && (result->data != NULL));
+
+    S1.type = siBuffer;
+    S1.len  = (secret->len / 2) + (secret->len & 1);
+    S1.data = secret->data;
+
+    S2.type = siBuffer;
+    S2.len  = S1.len;
+    S2.data = secret->data + (secret->len - S2.len);
+
+    tmp.data = (unsigned char*)PORT_Alloc(result->len);
+    if (tmp.data == NULL)
+	goto loser;
+    tmp.len = result->len;
+
+    status = sftk_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = sftk_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS);
+    if (status != SECSuccess)
+	goto loser;
+
+    for (i = 0; i < result->len; i++)
+	result->data[i] ^= tmp.data[i];
+
+    rv = SECSuccess;
+
+loser:
+    if (tmp.data != NULL)
+	PORT_ZFree(tmp.data, tmp.len);
+    return rv;
+}
+
diff --git a/security/nss/lib/freebl/unix_rand.c b/security/nss/lib/freebl/unix_rand.c
new file mode 100644
index 000000000..aec738c09
--- /dev/null
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -0,0 +1,1155 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include "secrng.h"
+#include "secerr.h"
+#include "prerror.h"
+#include "prthread.h"
+
+size_t RNG_FileUpdate(const char *fileName, size_t limit);
+
+/*
+ * When copying data to the buffer we want the least signicant bytes
+ * from the input since those bits are changing the fastest. The address
+ * of least significant byte depends upon whether we are running on
+ * a big-endian or little-endian machine.
+ *
+ * Does this mean the least signicant bytes are the most significant
+ * to us? :-)
+ */
+    
+static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
+{
+    union endianness {
+	int32 i;
+	char c[4];
+    } u;
+
+    if (srclen <= dstlen) {
+	memcpy(dst, src, srclen);
+	return srclen;
+    }
+    u.i = 0x01020304;
+    if (u.c[0] == 0x01) {
+	/* big-endian case */
+	memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
+    } else {
+	/* little-endian case */
+	memcpy(dst, src, dstlen);
+    }
+    return dstlen;
+}
+
+#ifdef SOLARIS
+
+#include <kstat.h>
+
+static const PRUint32 entropy_buf_len = 4096; /* buffer up to 4 KB */
+
+/* Buffer entropy data, and feed it to the RNG, entropy_buf_len bytes at a time.
+ * Returns error if RNG_RandomUpdate fails. Also increments *total_fed
+ * by the number of bytes successfully buffered.
+ */
+static SECStatus BufferEntropy(char* inbuf, PRUint32 inlen,
+                                char* entropy_buf, PRUint32* entropy_buffered,
+                                PRUint32* total_fed)
+{
+    PRUint32 tocopy = 0;
+    PRUint32 avail = 0;
+    SECStatus rv = SECSuccess;
+
+    while (inlen) {
+        avail = entropy_buf_len - *entropy_buffered;
+        if (!avail) {
+            /* Buffer is full, time to feed it to the RNG. */
+            rv = RNG_RandomUpdate(entropy_buf, entropy_buf_len);
+            if (SECSuccess != rv) {
+                break;
+            }
+            *entropy_buffered = 0;
+            avail = entropy_buf_len;
+        }
+        tocopy = PR_MIN(avail, inlen);
+        memcpy(entropy_buf + *entropy_buffered, inbuf, tocopy);
+        *entropy_buffered += tocopy;
+        inlen -= tocopy;
+        inbuf += tocopy;
+        *total_fed += tocopy;
+    }
+    return rv;
+}
+
+/* Feed kernel statistics structures and ks_data field to the RNG.
+ * Returns status as well as the number of bytes successfully fed to the RNG.
+ */
+static SECStatus RNG_kstat(PRUint32* fed)
+{
+    kstat_ctl_t*    kc = NULL;
+    kstat_t*        ksp = NULL;
+    PRUint32        entropy_buffered = 0;
+    char*           entropy_buf = NULL;
+    SECStatus       rv = SECSuccess;
+
+    PORT_Assert(fed);
+    if (!fed) {
+        return SECFailure;
+    }
+    *fed = 0;
+
+    kc = kstat_open();
+    PORT_Assert(kc);
+    if (!kc) {
+        return SECFailure;
+    }
+    entropy_buf = (char*) PORT_Alloc(entropy_buf_len);
+    PORT_Assert(entropy_buf);
+    if (entropy_buf) {
+        for (ksp = kc->kc_chain; ksp != NULL; ksp = ksp->ks_next) {
+            if (-1 == kstat_read(kc, ksp, NULL)) {
+                /* missing data from a single kstat shouldn't be fatal */
+                continue;
+            }
+            rv = BufferEntropy((char*)ksp, sizeof(kstat_t),
+                                    entropy_buf, &entropy_buffered,
+                                    fed);
+            if (SECSuccess != rv) {
+                break;
+            }
+
+            if (ksp->ks_data && ksp->ks_data_size>0 && ksp->ks_ndata>0) {
+                rv = BufferEntropy((char*)ksp->ks_data, ksp->ks_data_size,
+                                        entropy_buf, &entropy_buffered,
+                                        fed);
+                if (SECSuccess != rv) {
+                    break;
+                }
+            }
+        }
+        if (SECSuccess == rv && entropy_buffered) {
+            /* Buffer is not empty, time to feed it to the RNG */
+            rv = RNG_RandomUpdate(entropy_buf, entropy_buffered);
+        }
+        PORT_Free(entropy_buf);
+    } else {
+        rv = SECFailure;
+    }
+    if (kstat_close(kc)) {
+        PORT_Assert(0);
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+#endif
+
+#if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) \
+    || defined(NETBSD) || defined(DARWIN) || defined(OPENBSD) \
+    || defined(NTO) || defined(__riscos__)
+#include <sys/times.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    int ticks;
+    struct tms buffer;
+
+    ticks=times(&buffer);
+    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* 
+     * Is this really necessary?  Why not use rand48 or something?
+     */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+
+    si = sysconf(_SC_STREAM_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+
+    si = sysconf(_SC_OPEN_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif
+
+#if defined(__sun)
+#if defined(__svr4) || defined(SVR4)
+#include <sys/systeminfo.h>
+#include <sys/times.h>
+#include <wait.h>
+
+int gettimeofday(struct timeval *);
+int gethostname(char *, int);
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    hrtime_t t;
+    t = gethrtime();
+    if (t) {
+	return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+    }
+    return 0;
+}
+#else /* SunOS (Sun, but not SVR4) */
+
+extern long sysconf(int name);
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* This is not very good */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif
+#endif /* Sun */
+
+#if defined(__hpux)
+#include <sys/unistd.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+#if defined(__ia64)
+#include <ia64/sys/inline.h>
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    PRUint64 t;
+
+    t = _Asm_mov_from_ar(_AREG44);
+    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+}
+#else
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    extern int ret_cr16();
+    int cr16val;
+
+    cr16val = ret_cr16();
+    return CopyLowBits(buf, maxbytes, &cr16val, sizeof(cr16val));
+}
+#endif
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* This is not very good */
+    si = sysconf(_AES_OS_VERSION);
+    RNG_RandomUpdate(&si, sizeof(si));
+    si = sysconf(_SC_CPU_VERSION);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif /* HPUX */
+
+#if defined(OSF1)
+#include <sys/types.h>
+#include <sys/sysinfo.h>
+#include <sys/systeminfo.h>
+#include <c_asm.h>
+
+static void
+GiveSystemInfo(void)
+{
+    char buf[BUFSIZ];
+    int rv;
+    int off = 0;
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+/*
+ * Use the "get the cycle counter" instruction on the alpha.
+ * The low 32 bits completely turn over in less than a minute.
+ * The high 32 bits are some non-counter gunk that changes sometimes.
+ */
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    unsigned long t;
+
+    t = asm("rpcc %v0");
+    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+}
+
+#endif /* Alpha */
+
+#if defined(_IBMR2)
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    /* XXX haven't found any yet! */
+}
+#endif /* IBM R2 */
+
+#if defined(LINUX)
+#include <sys/sysinfo.h>
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    struct sysinfo si;
+    if (sysinfo(&si) == 0) {
+	RNG_RandomUpdate(&si, sizeof(si));
+    }
+}
+#endif /* LINUX */
+
+#if defined(NCR)
+
+#include <sys/utsname.h>
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+#endif /* NCR */
+
+
+#if defined(sgi)
+#include <fcntl.h>
+#undef PRIVATE
+#include <sys/mman.h>
+#include <sys/syssgi.h>
+#include <sys/immu.h>
+#include <sys/systeminfo.h>
+#include <sys/utsname.h>
+#include <wait.h>
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[4096];
+
+    rv = syssgi(SGI_SYSID, &buf[0]);
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, MAXSYSIDSIZE);
+    }
+#ifdef SGI_RDUBLK
+    rv = syssgi(SGI_RDUBLK, getpid(), &buf[0], sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, sizeof(buf));
+    }
+#endif /* SGI_RDUBLK */
+    rv = syssgi(SGI_INVENT, SGI_INV_READ, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, sizeof(buf));
+    }
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+static size_t GetHighResClock(void *buf, size_t maxbuf)
+{
+    unsigned phys_addr, raddr, cycleval;
+    static volatile unsigned *iotimer_addr = NULL;
+    static int tries = 0;
+    static int cntr_size;
+    int mfd;
+    long s0[2];
+    struct timeval tv;
+
+#ifndef SGI_CYCLECNTR_SIZE
+#define SGI_CYCLECNTR_SIZE      165     /* Size user needs to use to read CC */
+#endif
+
+    if (iotimer_addr == NULL) {
+	if (tries++ > 1) {
+	    /* Don't keep trying if it didn't work */
+	    return 0;
+	}
+
+	/*
+	** For SGI machines we can use the cycle counter, if it has one,
+	** to generate some truly random numbers
+	*/
+	phys_addr = syssgi(SGI_QUERY_CYCLECNTR, &cycleval);
+	if (phys_addr) {
+	    int pgsz = getpagesize();
+	    int pgoffmask = pgsz - 1;
+
+	    raddr = phys_addr & ~pgoffmask;
+	    mfd = open("/dev/mmem", O_RDONLY);
+	    if (mfd < 0) {
+		return 0;
+	    }
+	    iotimer_addr = (unsigned *)
+		mmap(0, pgoffmask, PROT_READ, MAP_PRIVATE, mfd, (int)raddr);
+	    if (iotimer_addr == (void*)-1) {
+		close(mfd);
+		iotimer_addr = NULL;
+		return 0;
+	    }
+	    iotimer_addr = (unsigned*)
+		((__psint_t)iotimer_addr | (phys_addr & pgoffmask));
+	    /*
+	     * The file 'mfd' is purposefully not closed.
+	     */
+	    cntr_size = syssgi(SGI_CYCLECNTR_SIZE);
+	    if (cntr_size < 0) {
+		struct utsname utsinfo;
+
+		/* 
+		 * We must be executing on a 6.0 or earlier system, since the
+		 * SGI_CYCLECNTR_SIZE call is not supported.
+		 * 
+		 * The only pre-6.1 platforms with 64-bit counters are
+		 * IP19 and IP21 (Challenge, PowerChallenge, Onyx).
+		 */
+		uname(&utsinfo);
+		if (!strncmp(utsinfo.machine, "IP19", 4) ||
+		    !strncmp(utsinfo.machine, "IP21", 4))
+			cntr_size = 64;
+		else
+			cntr_size = 32;
+	    }
+	    cntr_size /= 8;	/* Convert from bits to bytes */
+	}
+    }
+
+    s0[0] = *iotimer_addr;
+    if (cntr_size > 4)
+	s0[1] = *(iotimer_addr + 1);
+    memcpy(buf, (char *)&s0[0], cntr_size);
+    return CopyLowBits(buf, maxbuf, &s0, cntr_size);
+}
+#endif
+
+#if defined(sony)
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* sony */
+
+#if defined(sinix)
+#include <sys/systeminfo.h>
+#include <sys/times.h>
+
+int gettimeofday(struct timeval *, struct timezone *);
+int gethostname(char *, int);
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    int ticks;
+    struct tms buffer;
+
+    ticks=times(&buffer);
+    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* sinix */
+
+#if defined(VMS)
+#include <c_asm.h>
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+ 
+    /* 
+     * This is copied from the SCO/UNIXWARE etc section. And like the comment
+     * there says, what's the point? This isn't random, it generates the same
+     * stuff every time its run!
+     */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+ 
+    si = sysconf(_SC_STREAM_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+ 
+    si = sysconf(_SC_OPEN_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+ 
+/*
+ * Use the "get the cycle counter" instruction on the alpha.
+ * The low 32 bits completely turn over in less than a minute.
+ * The high 32 bits are some non-counter gunk that changes sometimes.
+ */
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    unsigned long t;
+ 
+    t = asm("rpcc %v0");
+    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+}
+ 
+#endif /* VMS */
+
+#ifdef BEOS
+#include <be/kernel/OS.h>
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    bigtime_t bigtime; /* Actually an int64 */
+
+    bigtime = real_time_clock_usecs();
+    return CopyLowBits(buf, maxbytes, &bigtime, sizeof(bigtime));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    system_info *info = NULL;
+    int32 val;                     
+    get_system_info(info);
+    if (info) {
+        val = info->boot_time;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_pages;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_ports;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_threads;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_teams;
+        RNG_RandomUpdate(&val, sizeof(val));
+    }
+}
+#endif /* BEOS */
+
+#if defined(nec_ews)
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* nec_ews */
+
+size_t RNG_GetNoise(void *buf, size_t maxbytes)
+{
+    struct timeval tv;
+    int n = 0;
+    int c;
+
+    n = GetHighResClock(buf, maxbytes);
+    maxbytes -= n;
+
+#if defined(__sun) && (defined(_svr4) || defined(SVR4)) || defined(sony)
+    (void)gettimeofday(&tv);
+#else
+    (void)gettimeofday(&tv, 0);
+#endif
+    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_usec, sizeof(tv.tv_usec));
+    n += c;
+    maxbytes -= c;
+    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_sec, sizeof(tv.tv_sec));
+    n += c;
+    return n;
+}
+
+#define SAFE_POPEN_MAXARGS	10	/* must be at least 2 */
+
+/*
+ * safe_popen is static to this module and we know what arguments it is
+ * called with. Note that this version only supports a single open child
+ * process at any time.
+ */
+static pid_t safe_popen_pid;
+static struct sigaction oldact;
+
+static FILE *
+safe_popen(char *cmd)
+{
+    int p[2], fd, argc;
+    pid_t pid;
+    char *argv[SAFE_POPEN_MAXARGS + 1];
+    FILE *fp;
+    static char blank[] = " \t";
+    static struct sigaction newact;
+
+    if (pipe(p) < 0)
+	return 0;
+
+    fp = fdopen(p[0], "r");
+    if (fp == 0) {
+	close(p[0]);
+	close(p[1]);
+	return 0;
+    }
+
+    /* Setup signals so that SIGCHLD is ignored as we want to do waitpid */
+    newact.sa_handler = SIG_DFL;
+    newact.sa_flags = 0;
+    sigfillset(&newact.sa_mask);
+    sigaction (SIGCHLD, &newact, &oldact);
+
+    pid = fork();
+    switch (pid) {
+      int ndesc;
+
+      case -1:
+	fclose(fp); /* this closes p[0], the fd associated with fp */
+	close(p[1]);
+	sigaction (SIGCHLD, &oldact, NULL);
+	return 0;
+
+      case 0:
+	/* dup write-side of pipe to stderr and stdout */
+	if (p[1] != 1) dup2(p[1], 1);
+	if (p[1] != 2) dup2(p[1], 2);
+
+	/* 
+	 * close the other file descriptors, except stdin which we
+	 * try reassociating with /dev/null, first (bug 174993)
+	 */
+	if (!freopen("/dev/null", "r", stdin))
+	    close(0);
+	ndesc = getdtablesize();
+	for (fd = PR_MIN(65536, ndesc); --fd > 2; close(fd));
+
+	/* clean up environment in the child process */
+	putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc");
+	putenv("SHELL=/bin/sh");
+	putenv("IFS= \t");
+
+	/*
+	 * The caller may have passed us a string that is in text
+	 * space. It may be illegal to modify the string
+	 */
+	cmd = strdup(cmd);
+	/* format argv */
+	argv[0] = strtok(cmd, blank);
+	argc = 1;
+	while ((argv[argc] = strtok(0, blank)) != 0) {
+	    if (++argc == SAFE_POPEN_MAXARGS) {
+		argv[argc] = 0;
+		break;
+	    }
+	}
+
+	/* and away we go */
+	execvp(argv[0], argv);
+	exit(127);
+	break;
+
+      default:
+	close(p[1]);
+	break;
+    }
+
+    /* non-zero means there's a cmd running */
+    safe_popen_pid = pid;
+    return fp;
+}
+
+static int
+safe_pclose(FILE *fp)
+{
+    pid_t pid;
+    int status = -1, rv;
+
+    if ((pid = safe_popen_pid) == 0)
+	return -1;
+    safe_popen_pid = 0;
+
+    fclose(fp);
+
+    /* yield the processor so the child gets some time to exit normally */
+    PR_Sleep(PR_INTERVAL_NO_WAIT);
+
+    /* if the child hasn't exited, kill it -- we're done with its output */
+    while ((rv = waitpid(pid, &status, WNOHANG)) == -1 && errno == EINTR)
+	;
+    if (rv == 0) {
+	kill(pid, SIGKILL);
+	while ((rv = waitpid(pid, &status, 0)) == -1 && errno == EINTR)
+	    ;
+    }
+
+    /* Reset SIGCHLD signal hander before returning */
+    sigaction(SIGCHLD, &oldact, NULL);
+
+    return status;
+}
+
+
+#if !defined(VMS)
+
+#ifdef DARWIN
+#include <crt_externs.h>
+#endif
+
+/* Fork netstat to collect its output by default. Do not unset this unless
+ * another source of entropy is available
+ */
+#define DO_NETSTAT 1
+
+void RNG_SystemInfoForRNG(void)
+{
+    FILE *fp;
+    char buf[BUFSIZ];
+    size_t bytes;
+    const char * const *cp;
+    char *randfile;
+#ifdef DARWIN
+    char **environ = *_NSGetEnviron();
+#else
+    extern char **environ;
+#endif
+#ifdef BEOS
+    static const char * const files[] = {
+	"/boot/var/swap",
+	"/boot/var/log/syslog",
+	"/boot/var/tmp",
+	"/boot/home/config/settings",
+	"/boot/home",
+	0
+    };
+#else
+    static const char * const files[] = {
+	"/etc/passwd",
+	"/etc/utmp",
+	"/tmp",
+	"/var/tmp",
+	"/usr/tmp",
+	0
+    };
+#endif
+
+#if defined(BSDI)
+    static char netstat_ni_cmd[] = "netstat -nis";
+#else
+    static char netstat_ni_cmd[] = "netstat -ni";
+#endif
+
+    GiveSystemInfo();
+
+    bytes = RNG_GetNoise(buf, sizeof(buf));
+    RNG_RandomUpdate(buf, bytes);
+
+    /*
+     * Pass the C environment and the addresses of the pointers to the
+     * hash function. This makes the random number function depend on the
+     * execution environment of the user and on the platform the program
+     * is running on.
+     */
+    if (environ != NULL) {
+        cp = (const char * const *) environ;
+        while (*cp) {
+	    RNG_RandomUpdate(*cp, strlen(*cp));
+	    cp++;
+        }
+        RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
+    }
+
+    /* Give in system information */
+    if (gethostname(buf, sizeof(buf)) == 0) {
+	RNG_RandomUpdate(buf, strlen(buf));
+    }
+    GiveSystemInfo();
+
+    /* grab some data from system's PRNG before any other files. */
+    bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
+
+    /* If the user points us to a random file, pass it through the rng */
+    randfile = getenv("NSRANDFILE");
+    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
+	RNG_FileForRNG(randfile);
+    }
+
+    /* pass other files through */
+    for (cp = files; *cp; cp++)
+	RNG_FileForRNG(*cp);
+
+/*
+ * Bug 100447: On BSD/OS 4.2 and 4.3, we have problem calling safe_popen
+ * in a pthreads environment.  Therefore, we call safe_popen last and on
+ * BSD/OS we do not call safe_popen when we succeeded in getting data
+ * from /dev/urandom.
+ *
+ * Bug 174993: LINUX provides /dev/urandom, don't fork netstat
+ * if data has been gathered successfully
+ */
+
+#if defined(BSDI) || defined(LINUX)
+    if (bytes)
+        return;
+#endif
+
+#ifdef SOLARIS
+
+/*
+ * On Solaris, NSS may be initialized automatically from libldap in
+ * applications that are unaware of the use of NSS. safe_popen forks, and
+ * sometimes creates issues with some applications' pthread_atfork handlers.
+ * We always have /dev/urandom on Solaris 9 and above as an entropy source,
+ * and for Solaris 8 we have the libkstat interface, so we don't need to
+ * fork netstat.
+ */
+
+#undef DO_NETSTAT
+    if (!bytes) {
+        /* On Solaris 8, /dev/urandom isn't available, so we use libkstat. */
+        PRUint32 kstat_bytes = 0;
+        if (SECSuccess != RNG_kstat(&kstat_bytes)) {
+            PORT_Assert(0);
+        }
+        bytes += kstat_bytes;
+        PORT_Assert(bytes);
+    }
+#endif
+
+#ifdef DO_NETSTAT
+    fp = safe_popen(netstat_ni_cmd);
+    if (fp != NULL) {
+	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
+	    RNG_RandomUpdate(buf, bytes);
+	safe_pclose(fp);
+    }
+#endif
+
+}
+#else
+void RNG_SystemInfoForRNG(void)
+{
+    FILE *fp;
+    char buf[BUFSIZ];
+    size_t bytes;
+    int extra;
+    char **cp;
+    extern char **environ;
+    char *randfile;
+ 
+    GiveSystemInfo();
+ 
+    bytes = RNG_GetNoise(buf, sizeof(buf));
+    RNG_RandomUpdate(buf, bytes);
+ 
+    /*
+     * Pass the C environment and the addresses of the pointers to the
+     * hash function. This makes the random number function depend on the
+     * execution environment of the user and on the platform the program
+     * is running on.
+     */
+    cp = environ;
+    while (*cp) {
+	RNG_RandomUpdate(*cp, strlen(*cp));
+	cp++;
+    }
+    RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
+ 
+    /* Give in system information */
+    if (gethostname(buf, sizeof(buf)) > 0) {
+	RNG_RandomUpdate(buf, strlen(buf));
+    }
+    GiveSystemInfo();
+ 
+    /* If the user points us to a random file, pass it through the rng */
+    randfile = getenv("NSRANDFILE");
+    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
+	RNG_FileForRNG(randfile);
+    }
+
+    /*
+    ** We need to generate at least 1024 bytes of seed data. Since we don't
+    ** do the file stuff for VMS, and because the environ list is so short
+    ** on VMS, we need to make sure we generate enough. So do another 1000
+    ** bytes to be sure.
+    */
+    extra = 1000;
+    while (extra > 0) {
+        cp = environ;
+        while (*cp) {
+	    int n = strlen(*cp);
+	    RNG_RandomUpdate(*cp, n);
+	    extra -= n;
+	    cp++;
+        }
+    }
+}
+#endif
+
+#define TOTAL_FILE_LIMIT 1000000	/* one million */
+
+size_t RNG_FileUpdate(const char *fileName, size_t limit)
+{
+    FILE *        file;
+    size_t        bytes;
+    size_t        fileBytes = 0;
+    struct stat   stat_buf;
+    unsigned char buffer[BUFSIZ];
+    static size_t totalFileBytes = 0;
+    
+    /* suppress valgrind warnings due to holes in struct stat */
+    memset(&stat_buf, 0, sizeof(stat_buf));
+
+    if (stat((char *)fileName, &stat_buf) < 0)
+	return fileBytes;
+    RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
+    
+    file = fopen((char *)fileName, "r");
+    if (file != NULL) {
+	while (limit > fileBytes) {
+	    bytes = PR_MIN(sizeof buffer, limit - fileBytes);
+	    bytes = fread(buffer, 1, bytes, file);
+	    if (bytes == 0) 
+		break;
+	    RNG_RandomUpdate(buffer, bytes);
+	    fileBytes      += bytes;
+	    totalFileBytes += bytes;
+	    /* after TOTAL_FILE_LIMIT has been reached, only read in first
+	    ** buffer of data from each subsequent file.
+	    */
+	    if (totalFileBytes > TOTAL_FILE_LIMIT) 
+		break;
+	}
+	fclose(file);
+    }
+    /*
+     * Pass yet another snapshot of our highest resolution clock into
+     * the hash function.
+     */
+    bytes = RNG_GetNoise(buffer, sizeof(buffer));
+    RNG_RandomUpdate(buffer, bytes);
+    return fileBytes;
+}
+
+void RNG_FileForRNG(const char *fileName)
+{
+    RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT);
+}
+
+size_t RNG_SystemRNG(void *dest, size_t maxLen)
+{
+    FILE *file;
+    size_t bytes;
+    size_t fileBytes = 0;
+    unsigned char *buffer = dest;
+
+    file = fopen("/dev/urandom", "r");
+    if (file == NULL) {
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return fileBytes;
+    }
+    while (maxLen > fileBytes) {
+	bytes = maxLen - fileBytes;
+	bytes = fread(buffer, 1, bytes, file);
+	if (bytes == 0) 
+	    break;
+	fileBytes += bytes;
+	buffer += bytes;
+    }
+    fclose(file);
+    if (fileBytes != maxLen) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
+	fileBytes = 0;
+    }
+    return fileBytes;
+}
diff --git a/security/nss/lib/freebl/win_rand.c b/security/nss/lib/freebl/win_rand.c
new file mode 100644
index 000000000..4a3f61b59
--- /dev/null
+++ b/security/nss/lib/freebl/win_rand.c
@@ -0,0 +1,648 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secrng.h"
+#include "secerr.h"
+#ifdef XP_WIN
+#include <windows.h>
+
+#if defined(_WIN32_WCE)
+#include <stdlib.h>	/* Win CE puts lots of stuff here. */
+#include "prprf.h"	/* for PR_snprintf */
+#else
+#include <time.h>
+#include <io.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#endif
+#include <stdio.h>
+
+#ifndef _WIN32
+#define VTD_Device_ID   5
+#define OP_OVERRIDE     _asm _emit 0x66
+#include <dos.h>
+#endif
+
+#include "prio.h"
+#include "prerror.h"
+
+static PRInt32  filesToRead;
+static DWORD    totalFileBytes;
+static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
+static DWORD    dwNumFiles, dwReadEvery;
+
+static BOOL
+CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
+{
+#ifdef _WIN32
+    LARGE_INTEGER   liCount;
+
+    if (!QueryPerformanceCounter(&liCount))
+        return FALSE;
+
+    *lpdwHigh = liCount.u.HighPart;
+    *lpdwLow = liCount.u.LowPart;
+    return TRUE;
+
+#else   /* is WIN16 */
+    BOOL    bRetVal;
+    FARPROC lpAPI;
+    WORD    w1, w2, w3, w4;
+
+    // Get direct access to the VTD and query the current clock tick time
+    _asm {
+        xor   di, di
+        mov   es, di
+        mov   ax, 1684h
+        mov   bx, VTD_Device_ID
+        int   2fh
+        mov   ax, es
+        or    ax, di
+        jz    EnumerateFailed
+
+        ; VTD API is available. First store the API address (the address actually
+        ; contains an instruction that causes a fault, the fault handler then
+        ; makes the ring transition and calls the API in the VxD)
+        mov   word ptr lpAPI, di
+        mov   word ptr lpAPI+2, es
+        mov   ax, 100h      ; API function to VTD_Get_Real_Time
+;       call  dword ptr [lpAPI]
+        call  [lpAPI]
+
+        ; Result is in EDX:EAX which we will get 16-bits at a time
+        mov   w2, dx
+        OP_OVERRIDE
+        shr   dx,10h        ; really "shr edx, 16"
+        mov   w1, dx
+
+        mov   w4, ax
+        OP_OVERRIDE
+        shr   ax,10h        ; really "shr eax, 16"
+        mov   w3, ax
+
+        mov   bRetVal, 1    ; return TRUE
+        jmp   EnumerateExit
+
+      EnumerateFailed:
+        mov   bRetVal, 0    ; return FALSE
+
+      EnumerateExit:
+    }
+
+    *lpdwHigh = MAKELONG(w2, w1);
+    *lpdwLow = MAKELONG(w4, w3);
+
+    return bRetVal;
+#endif  /* is WIN16 */
+}
+
+size_t RNG_GetNoise(void *buf, size_t maxbuf)
+{
+    DWORD   dwHigh, dwLow, dwVal;
+    int     n = 0;
+    int     nBytes;
+
+    if (maxbuf <= 0)
+        return 0;
+
+    CurrentClockTickTime(&dwHigh, &dwLow);
+
+    // get the maximally changing bits first
+    nBytes = sizeof(dwLow) > maxbuf ? maxbuf : sizeof(dwLow);
+    memcpy((char *)buf, &dwLow, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    nBytes = sizeof(dwHigh) > maxbuf ? maxbuf : sizeof(dwHigh);
+    memcpy(((char *)buf) + n, &dwHigh, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    // get the number of milliseconds that have elapsed since Windows started
+    dwVal = GetTickCount();
+
+    nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
+    memcpy(((char *)buf) + n, &dwVal, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+#if defined(_WIN32_WCE)
+    {
+    // get the number of milliseconds elapsed since Windows CE was started. 
+    DWORD  tickCount = GetTickCount();
+    nBytes = (sizeof tickCount) > maxbuf ? maxbuf : (sizeof tickCount);
+    memcpy(((char *)buf) + n, &tickCount, nBytes);
+    n += nBytes;
+    }
+#else
+    {
+    time_t  sTime;
+    // get the time in seconds since midnight Jan 1, 1970
+    time(&sTime);
+    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
+    memcpy(((char *)buf) + n, &sTime, nBytes);
+    n += nBytes;
+    }
+#endif
+
+    return n;
+}
+
+#if defined(_WIN32_WCE)
+static BOOL
+EnumSystemFilesWithNSPR(const char * dirName, 
+			BOOL recursive,
+                        PRInt32 (*func)(const char *))
+{
+    PRDir *      pDir;
+    PRDirEntry * pEntry;
+    BOOL         rv 		= FALSE;
+
+    pDir = PR_OpenDir(dirName);
+    if (!pDir)
+    	return rv;
+    while ((pEntry = PR_ReadDir(pDir, PR_SKIP_BOTH|PR_SKIP_HIDDEN)) != NULL) {
+	PRStatus    status;
+	PRInt32     count;
+	PRInt32     stop;
+	PRFileInfo  fileInfo;
+	char        szFileName[_MAX_PATH];
+
+        count = (PRInt32)PR_snprintf(szFileName, sizeof szFileName, "%s\\%s", 
+	                             dirName, PR_DirName(pEntry));
+	if (count < 1)
+	    continue;
+	status = PR_GetFileInfo(szFileName, &fileInfo);
+	if (status != PR_SUCCESS)
+	    continue;
+	if (fileInfo.type == PR_FILE_FILE) {
+	    stop = (*func)(szFileName);
+	    rv = TRUE;
+	    if (stop)
+	        break;
+	    continue;
+    	}
+	if (recursive && fileInfo.type == PR_FILE_DIRECTORY) {
+	    rv |= EnumSystemFilesWithNSPR(szFileName, recursive, func);
+	}
+    }
+    PR_CloseDir(pDir);
+    return rv;
+}
+#endif
+
+static BOOL
+EnumSystemFiles(PRInt32 (*func)(const char *))
+{
+#if defined(_WIN32_WCE)
+    BOOL rv = FALSE;
+    rv |= EnumSystemFilesWithNSPR("\\Windows\\Temporary Internet Files", TRUE, func);
+    rv |= EnumSystemFilesWithNSPR("\\Temp",    FALSE, func);
+    rv |= EnumSystemFilesWithNSPR("\\Windows", FALSE, func);
+    return rv;
+#else
+    int                 iStatus;
+    char                szSysDir[_MAX_PATH];
+    char                szFileName[_MAX_PATH];
+#ifdef _WIN32
+    WIN32_FIND_DATA     fdData;
+    HANDLE              lFindHandle;
+#else
+    struct _find_t  fdData;
+#endif
+
+    if (!GetSystemDirectory(szSysDir, sizeof(szSysDir)))
+        return FALSE;
+
+    // tack *.* on the end so we actually look for files. this will
+    // not overflow
+    strcpy(szFileName, szSysDir);
+    strcat(szFileName, "\\*.*");
+
+#ifdef _WIN32
+    lFindHandle = FindFirstFile(szFileName, &fdData);
+    if (lFindHandle == INVALID_HANDLE_VALUE)
+        return FALSE;
+    do {
+        // pass the full pathname to the callback
+        sprintf(szFileName, "%s\\%s", szSysDir, fdData.cFileName);
+        (*func)(szFileName);
+        iStatus = FindNextFile(lFindHandle, &fdData);
+    } while (iStatus != 0);
+    FindClose(lFindHandle);
+#else
+    if (_dos_findfirst(szFileName, 
+             _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0)
+        return FALSE;
+    do {
+        // pass the full pathname to the callback
+        sprintf(szFileName, "%s\\%s", szSysDir, fdData.name);
+        (*func)(szFileName);
+        iStatus = _dos_findnext(&fdData);
+    } while (iStatus == 0);
+    _dos_findclose(&fdData);
+#endif
+
+    return TRUE;
+#endif
+}
+
+static PRInt32
+CountFiles(const char *file)
+{
+    dwNumFiles++;
+    return 0;
+}
+
+static PRInt32
+ReadFiles(const char *file)
+{
+    if ((dwNumFiles % dwReadEvery) == 0) {
+	++filesToRead;
+    }
+    if (filesToRead) {
+	DWORD    prevFileBytes = totalFileBytes;
+        RNG_FileForRNG(file);
+	if (prevFileBytes < totalFileBytes) {
+	    --filesToRead;
+	}
+    }
+    dwNumFiles++;
+    return (totalFileBytes >= maxFileBytes);
+}
+
+static void
+ReadSystemFiles()
+{
+    // first count the number of files
+    dwNumFiles = 0;
+    if (!EnumSystemFiles(CountFiles))
+        return;
+
+    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
+
+    // now read the first 10 readable files, then 10 or 11 files
+    // spread throughout the system directory
+    filesToRead = 10;
+    if (dwNumFiles == 0)
+        return;
+
+    dwReadEvery = dwNumFiles / 10;
+    if (dwReadEvery == 0)
+        dwReadEvery = 1;  // less than 10 files
+
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadFiles);
+}
+
+void RNG_SystemInfoForRNG(void)
+{
+    DWORD           dwVal;
+    char            buffer[256];
+    int             nBytes;
+#ifdef _WIN32
+    MEMORYSTATUS    sMem;
+    HANDLE          hVal;
+#if !defined(_WIN32_WCE)
+    DWORD           dwSerialNum;
+    DWORD           dwComponentLen;
+    DWORD           dwSysFlags;
+    char            volName[128];
+    DWORD           dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
+#endif
+#else
+    int             iVal;
+    HTASK           hTask;
+    WORD            wDS, wCS;
+    LPSTR           lpszEnv;
+#endif
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+
+#ifdef _WIN32
+    sMem.dwLength = sizeof(sMem);
+    GlobalMemoryStatus(&sMem);                // assorted memory stats
+    RNG_RandomUpdate(&sMem, sizeof(sMem));
+#if !defined(_WIN32_WCE)
+    dwVal = GetLogicalDrives();
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));  // bitfields in bits 0-25
+#endif
+#else
+    dwVal = GetFreeSpace(0);
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    _asm    mov wDS, ds;
+    _asm    mov wCS, cs;
+    RNG_RandomUpdate(&wDS, sizeof(wDS));
+    RNG_RandomUpdate(&wCS, sizeof(wCS));
+#endif
+
+#ifdef _WIN32
+#if !defined(_WIN32_WCE)
+    dwVal = sizeof(buffer);
+    if (GetComputerName(buffer, &dwVal))
+        RNG_RandomUpdate(buffer, dwVal);
+#endif
+/* XXX This is code that got yanked because of NSPR20.  We should put it
+ * back someday.
+ */
+#ifdef notdef
+    {
+    POINT ptVal;
+    GetCursorPos(&ptVal);
+    RNG_RandomUpdate(&ptVal, sizeof(ptVal));
+    }
+
+    dwVal = GetQueueStatus(QS_ALLINPUT);      // high and low significant
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    {
+    HWND hWnd;
+    hWnd = GetClipboardOwner();               // 2 or 4 bytes
+    RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd));
+    }
+
+    {
+    UUID sUuid;
+    UuidCreate(&sUuid);                       // this will fail on machines with no ethernet
+    RNG_RandomUpdate(&sUuid, sizeof(sUuid));  // boards. shove the bits in regardless
+    }
+#endif
+
+    hVal = GetCurrentProcess();               // 4 or 8 byte pseudo handle (a
+                                              // constant!) of current process
+    RNG_RandomUpdate(&hVal, sizeof(hVal));
+
+    dwVal = GetCurrentProcessId();            // process ID (4 bytes)
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    dwVal = GetCurrentThreadId();             // thread ID (4 bytes)
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+#if !defined(_WIN32_WCE)
+    volName[0] = '\0';
+    buffer[0] = '\0';
+    GetVolumeInformation(NULL,
+                         volName,
+                         sizeof(volName),
+                         &dwSerialNum,
+                         &dwComponentLen,
+                         &dwSysFlags,
+                         buffer,
+                         sizeof(buffer));
+
+    RNG_RandomUpdate(volName,         strlen(volName));
+    RNG_RandomUpdate(&dwSerialNum,    sizeof(dwSerialNum));
+    RNG_RandomUpdate(&dwComponentLen, sizeof(dwComponentLen));
+    RNG_RandomUpdate(&dwSysFlags,     sizeof(dwSysFlags));
+    RNG_RandomUpdate(buffer,          strlen(buffer));
+
+    if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) {
+        RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
+        RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
+        RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
+        RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
+    }
+#endif
+#else   /* is WIN16 */
+    hTask = GetCurrentTask();
+    RNG_RandomUpdate((void *)&hTask, sizeof(hTask));
+
+    iVal = GetNumTasks();
+    RNG_RandomUpdate(&iVal, sizeof(iVal));      // number of running tasks
+
+    lpszEnv = GetDOSEnvironment();
+    while (*lpszEnv != '\0') {
+        RNG_RandomUpdate(lpszEnv, strlen(lpszEnv));
+
+        lpszEnv += strlen(lpszEnv) + 1;
+    }
+#endif  /* is WIN16 */
+
+    // now let's do some files
+    ReadSystemFiles();
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+#if defined(_WIN32_WCE)
+void RNG_FileForRNG(const char *filename)
+{
+    PRFileDesc *    file;
+    int             nBytes;
+    PRFileInfo      infoBuf;
+    unsigned char   buffer[1024];
+
+    /* windows doesn't initialize all the bytes in the stat buf,
+     * so initialize them all here to avoid UMRs.
+     */
+    memset(&infoBuf, 0, sizeof infoBuf);
+
+    if (PR_GetFileInfo(filename, &infoBuf) < 0)
+        return;
+
+    RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf));
+
+    file = PR_Open(filename, PR_RDONLY, 0);
+    if (file != NULL) {
+        for (;;) {
+            PRInt32 bytes = PR_Read(file, buffer, sizeof buffer);
+
+            if (bytes <= 0)
+                break;
+
+            RNG_RandomUpdate(buffer, bytes);
+            totalFileBytes += bytes;
+            if (totalFileBytes > maxFileBytes)
+                break;
+        }
+
+        PR_Close(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+#else /* not WinCE */
+
+void RNG_FileForRNG(const char *filename)
+{
+    FILE*           file;
+    int             nBytes;
+    struct stat     stat_buf;
+    unsigned char   buffer[1024];
+
+   /* static DWORD    totalFileBytes = 0; */
+
+    /* windows doesn't initialize all the bytes in the stat buf,
+     * so initialize them all here to avoid UMRs.
+     */
+    memset(&stat_buf, 0, sizeof stat_buf);
+
+    if (stat((char *)filename, &stat_buf) < 0)
+        return;
+
+    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
+
+    file = fopen((char *)filename, "r");
+    if (file != NULL) {
+        for (;;) {
+            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
+
+            if (bytes == 0)
+                break;
+
+            RNG_RandomUpdate(buffer, bytes);
+            totalFileBytes += bytes;
+            if (totalFileBytes > maxFileBytes)
+                break;
+        }
+
+        fclose(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+#endif  /* not WinCE */
+
+/*
+ * CryptoAPI requires Windows NT 4.0 or Windows 95 OSR2 and later.
+ * Until we drop support for Windows 95, we need to emulate some
+ * definitions and declarations in <wincrypt.h> and look up the
+ * functions in advapi32.dll at run time.
+ */
+
+#ifndef WIN64
+typedef unsigned long HCRYPTPROV;
+#endif
+
+#define CRYPT_VERIFYCONTEXT 0xF0000000
+
+#define PROV_RSA_FULL 1
+
+typedef BOOL
+(WINAPI *CryptAcquireContextAFn)(
+    HCRYPTPROV *phProv,
+    LPCSTR pszContainer,
+    LPCSTR pszProvider,
+    DWORD dwProvType,
+    DWORD dwFlags);
+
+typedef BOOL
+(WINAPI *CryptReleaseContextFn)(
+    HCRYPTPROV hProv,
+    DWORD dwFlags);
+
+typedef BOOL
+(WINAPI *CryptGenRandomFn)(
+    HCRYPTPROV hProv,
+    DWORD dwLen,
+    BYTE *pbBuffer);
+
+/*
+ * Windows XP and Windows Server 2003 and later have RtlGenRandom,
+ * which must be looked up by the name SystemFunction036.
+ */
+typedef BOOLEAN
+(APIENTRY *RtlGenRandomFn)(
+    PVOID RandomBuffer,
+    ULONG RandomBufferLength);
+
+size_t RNG_SystemRNG(void *dest, size_t maxLen)
+{
+    HMODULE hModule;
+    RtlGenRandomFn pRtlGenRandom;
+    CryptAcquireContextAFn pCryptAcquireContextA;
+    CryptReleaseContextFn pCryptReleaseContext;
+    CryptGenRandomFn pCryptGenRandom;
+    HCRYPTPROV hCryptProv;
+    size_t bytes = 0;
+
+    hModule = LoadLibrary("advapi32.dll");
+    if (hModule == NULL) {
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return 0;
+    }
+    pRtlGenRandom = (RtlGenRandomFn)
+	GetProcAddress(hModule, "SystemFunction036");
+    if (pRtlGenRandom) {
+	if (pRtlGenRandom(dest, maxLen)) {
+	    bytes = maxLen;
+	} else {
+	    PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
+	}
+	goto done;
+    }
+    pCryptAcquireContextA = (CryptAcquireContextAFn)
+	GetProcAddress(hModule, "CryptAcquireContextA");
+    pCryptReleaseContext = (CryptReleaseContextFn)
+	GetProcAddress(hModule, "CryptReleaseContext");
+    pCryptGenRandom = (CryptGenRandomFn)
+	GetProcAddress(hModule, "CryptGenRandom");
+    if (!pCryptAcquireContextA || !pCryptReleaseContext || !pCryptGenRandom) {
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	goto done;
+    }
+    if (pCryptAcquireContextA(&hCryptProv, NULL, NULL,
+	PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+	if (pCryptGenRandom(hCryptProv, maxLen, dest)) {
+	    bytes = maxLen;
+	}
+	pCryptReleaseContext(hCryptProv, 0);
+    }
+    if (bytes == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
+    }
+done:
+    FreeLibrary(hModule);
+    return bytes;
+}
+
+#endif  /* is XP_WIN */
diff --git a/security/nss/lib/jar/Makefile b/security/nss/lib/jar/Makefile
new file mode 100644
index 000000000..e28a7d29f
--- /dev/null
+++ b/security/nss/lib/jar/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/lib/jar/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/jar/jar-ds.c b/security/nss/lib/jar/jar-ds.c
new file mode 100644
index 000000000..e913902a1
--- /dev/null
+++ b/security/nss/lib/jar/jar-ds.c
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "jar.h"
+
+/* These are old DS_* routines renamed to ZZ_* */
+
+ZZList *ZZ_NewList()
+  {
+  ZZList *list;
+
+  list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
+
+  if (list)
+    ZZ_InitList (list);
+
+  return list;
+  }
+
+ZZLink *ZZ_NewLink (JAR_Item *thing)
+  {
+  ZZLink *link;
+
+  link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
+
+  if (link)
+    link->thing = thing;
+ 
+  return link;
+  }
+
+void ZZ_DestroyLink (ZZLink *link)
+  {
+  PORT_Free (link);
+  }
+
+void ZZ_DestroyList (ZZList *list)
+  {
+  PORT_Free (list);
+  }
diff --git a/security/nss/lib/jar/jar-ds.h b/security/nss/lib/jar/jar-ds.h
new file mode 100644
index 000000000..cfd73f69f
--- /dev/null
+++ b/security/nss/lib/jar/jar-ds.h
@@ -0,0 +1,109 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __JAR_DS_h_
+#define __JAR_DS_h_
+
+/* Typedefs */
+typedef struct ZZLinkStr ZZLink;
+typedef struct ZZListStr ZZList;
+
+/*
+** Circular linked list. Each link contains a pointer to the object that
+** is actually in the list.
+*/ 
+struct ZZLinkStr 
+{
+    ZZLink *next;
+    ZZLink *prev;
+    JAR_Item *thing;
+};
+
+struct ZZListStr 
+{
+    ZZLink link;
+};
+
+#define ZZ_InitList(lst)	     \
+{				     \
+    (lst)->link.next = &(lst)->link; \
+    (lst)->link.prev = &(lst)->link; \
+    (lst)->link.thing = 0;	     \
+}
+
+#define ZZ_ListEmpty(lst) \
+    ((lst)->link.next == &(lst)->link)
+
+#define ZZ_ListHead(lst) \
+    ((lst)->link.next)
+
+#define ZZ_ListTail(lst) \
+    ((lst)->link.prev)
+
+#define ZZ_ListIterDone(lst,lnk) \
+    ((lnk) == &(lst)->link)
+
+#define ZZ_AppendLink(lst,lnk)	    \
+{				    \
+    (lnk)->next = &(lst)->link;	    \
+    (lnk)->prev = (lst)->link.prev; \
+    (lst)->link.prev->next = (lnk); \
+    (lst)->link.prev = (lnk);	    \
+}
+
+#define ZZ_InsertLink(lst,lnk)	    \
+{				    \
+    (lnk)->next = (lst)->link.next; \
+    (lnk)->prev = &(lst)->link;	    \
+    (lst)->link.next->prev = (lnk); \
+    (lst)->link.next = (lnk);	    \
+}
+
+#define ZZ_RemoveLink(lnk)	     \
+{				     \
+    (lnk)->next->prev = (lnk)->prev; \
+    (lnk)->prev->next = (lnk)->next; \
+    (lnk)->next = 0;		     \
+    (lnk)->prev = 0;		     \
+}
+
+extern ZZLink *ZZ_NewLink (JAR_Item *thing);
+extern void ZZ_DestroyLink (ZZLink *link);
+extern ZZList *ZZ_NewList (void);
+extern void ZZ_DestroyList (ZZList *list);
+
+
+#endif /* __JAR_DS_h_ */
diff --git a/security/nss/lib/jar/jar.c b/security/nss/lib/jar/jar.c
new file mode 100644
index 000000000..6d575a036
--- /dev/null
+++ b/security/nss/lib/jar/jar.c
@@ -0,0 +1,834 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JAR.C
+ *
+ *  Jarnature.
+ *  Routines common to signing and validating.
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+static void jar_destroy_list (ZZList *list);
+
+static int jar_find_first_cert 
+    (JAR_Signer *signer, int type, JAR_Item **it);
+
+/*
+ *  J A R _ n e w 
+ *
+ *  Create a new instantiation of a manifest representation.
+ *  Use this as a token to any calls to this API.
+ *
+ */
+
+JAR *JAR_new (void)
+  {
+  JAR *jar;
+
+  if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
+    goto loser;
+
+  if ((jar->manifest = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->hashes = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->phy = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->metainfo = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->signers = ZZ_NewList()) == NULL)
+    goto loser;
+
+  return jar;
+
+loser:
+
+  if (jar)
+    {
+    if (jar->manifest)
+      ZZ_DestroyList (jar->manifest);
+
+    if (jar->hashes)
+      ZZ_DestroyList (jar->hashes);
+
+    if (jar->phy)
+      ZZ_DestroyList (jar->phy);
+
+    if (jar->metainfo)
+      ZZ_DestroyList (jar->metainfo);
+
+    if (jar->signers)
+      ZZ_DestroyList (jar->signers);
+
+    PORT_Free (jar);
+    }
+
+  return NULL;
+  }
+
+/* 
+ *  J A R _ d e s t r o y
+ *
+ *  Godzilla.
+ *
+ */
+
+void PR_CALLBACK JAR_destroy (JAR *jar)
+  {
+  PORT_Assert( jar != NULL );
+
+  if (jar == NULL)
+    return;
+
+  if (jar->fp) JAR_FCLOSE ((PRFileDesc*)jar->fp);
+
+  if (jar->url)      PORT_Free (jar->url);
+  if (jar->filename) PORT_Free (jar->filename);
+
+  /* Free the linked list elements */
+
+  jar_destroy_list (jar->manifest);
+  ZZ_DestroyList (jar->manifest);
+
+  jar_destroy_list (jar->hashes);
+  ZZ_DestroyList (jar->hashes);
+
+  jar_destroy_list (jar->phy);
+  ZZ_DestroyList (jar->phy);
+
+  jar_destroy_list (jar->metainfo);
+  ZZ_DestroyList (jar->metainfo);
+
+  jar_destroy_list (jar->signers);
+  ZZ_DestroyList (jar->signers);
+
+  PORT_Free (jar);
+  }
+
+static void jar_destroy_list (ZZList *list)
+  {
+  ZZLink *link, *oldlink;
+
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+  JAR_Digest *dig;
+  JAR_Cert *fing;
+  JAR_Metainfo *met;
+  JAR_Signer *signer;
+
+  if (list && !ZZ_ListEmpty (list))
+    {
+    link = ZZ_ListHead (list);
+
+    while (!ZZ_ListIterDone (list, link))
+      {
+      it = link->thing;
+      if (!it) goto next;
+
+      if (it->pathname) PORT_Free (it->pathname);
+ 
+      switch (it->type)
+        {
+        case jarTypeMeta:
+
+          met = (JAR_Metainfo *) it->data;
+          if (met)
+            {
+            if (met->header) PORT_Free (met->header);
+            if (met->info) PORT_Free (met->info);
+            PORT_Free (met);
+            }
+          break;
+
+	case jarTypePhy:
+
+          phy = (JAR_Physical *) it->data;
+          if (phy)
+            PORT_Free (phy);
+          break;
+
+        case jarTypeSign:
+
+          fing = (JAR_Cert *) it->data;
+          if (fing)
+            {
+            if (fing->cert)
+              CERT_DestroyCertificate (fing->cert);
+            if (fing->key)
+              PORT_Free (fing->key);
+            PORT_Free (fing);
+            }
+	  break;
+
+        case jarTypeSect:
+        case jarTypeMF:
+        case jarTypeSF:
+
+          dig = (JAR_Digest *) it->data;
+          if (dig)
+            {
+            PORT_Free (dig);
+            }
+          break;
+
+        case jarTypeOwner:
+
+          signer = (JAR_Signer *) it->data;
+
+          if (signer)
+            JAR_destroy_signer (signer);
+
+          break;
+
+        default:
+
+          /* PORT_Assert( 1 != 2 ); */
+          break;
+        }
+
+      PORT_Free (it);
+
+    next:
+
+      oldlink = link;
+      link = link->next;
+
+      ZZ_DestroyLink (oldlink);
+      }
+    }
+  }
+
+/*
+ *  J A R _ g e t _ m e t a i n f o
+ *
+ *  Retrieve meta information from the manifest file.
+ *  It doesn't matter whether it's from .MF or .SF, does it?
+ *
+ */
+
+int JAR_get_metainfo
+    (JAR *jar, char *name, char *header, void **info, unsigned long *length)
+  {
+  JAR_Item *it;
+
+  ZZLink *link;
+  ZZList *list;
+
+  JAR_Metainfo *met;
+
+  PORT_Assert( jar != NULL && header != NULL );
+
+  if (jar == NULL || header == NULL)
+    return JAR_ERR_PNF;
+
+  list = jar->metainfo;
+
+  if (ZZ_ListEmpty (list))
+    return JAR_ERR_PNF;
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeMeta)
+      {
+      if ((name && !it->pathname) || (!name && it->pathname))
+        continue;
+
+      if (name && it->pathname && strcmp (it->pathname, name))
+        continue;
+
+      met = (JAR_Metainfo *) it->data;
+
+      if (!PORT_Strcasecmp (met->header, header))
+        {
+        *info = PORT_Strdup (met->info);
+        *length = PORT_Strlen (met->info);
+        return 0;
+        }
+      }
+    }
+
+  return JAR_ERR_PNF;
+  }
+
+/*
+ *  J A R _ f i n d
+ *
+ *  Establish the search pattern for use
+ *  by JAR_find_next, to traverse the filenames
+ *  or certificates in the JAR structure.
+ *
+ *  See jar.h for a description on how to use.
+ *
+ */
+
+JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type)
+  {
+  JAR_Context *ctx;
+
+  PORT_Assert( jar != NULL );
+
+  if (!jar)
+    return NULL;
+
+  ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
+
+  if (ctx == NULL)
+    return NULL;
+
+  ctx->jar = jar;
+
+  if (pattern)
+    {
+    if ((ctx->pattern = PORT_Strdup (pattern)) == NULL)
+      {
+      PORT_Free (ctx);
+      return NULL;
+      }
+    }
+
+  ctx->finding = type;
+
+  switch (type)
+    {
+    case jarTypeMF:     ctx->next = ZZ_ListHead (jar->hashes);
+                        break;
+
+    case jarTypeSF:
+    case jarTypeSign:   ctx->next = NULL;
+                        ctx->nextsign = ZZ_ListHead (jar->signers);
+                        break;
+
+    case jarTypeSect:   ctx->next = ZZ_ListHead (jar->manifest);
+                        break;
+
+    case jarTypePhy:    ctx->next = ZZ_ListHead (jar->phy);
+                        break;
+
+    case jarTypeOwner:  if (jar->signers)
+                          ctx->next = ZZ_ListHead (jar->signers);
+                        else
+                          ctx->next = NULL;
+                        break;
+
+    case jarTypeMeta:   ctx->next = ZZ_ListHead (jar->metainfo);
+                        break;
+
+    default:            PORT_Assert( 1 != 2);
+                        break;
+    }
+
+  return ctx;
+  }
+
+/*
+ *  J A R _ f i n d _ e n d
+ *
+ *  Destroy the find iterator context.
+ *
+ */
+
+void JAR_find_end (JAR_Context *ctx)
+  {
+  PORT_Assert( ctx != NULL );
+
+  if (ctx)
+    {
+    if (ctx->pattern) 
+      PORT_Free (ctx->pattern);
+    PORT_Free (ctx);
+    }
+  }
+
+/*
+ *  J A R _ f i n d _ n e x t
+ *
+ *  Return the next item of the given type
+ *  from one of the JAR linked lists.
+ *
+ */
+
+int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
+  {
+  JAR *jar;
+  ZZList *list = NULL;
+
+  int finding;
+
+  JAR_Signer *signer = NULL;
+
+  PORT_Assert( ctx != NULL );
+  PORT_Assert( ctx->jar != NULL );
+
+  jar = ctx->jar;
+
+  /* Internally, convert jarTypeSign to jarTypeSF, and return
+     the actual attached certificate later */
+
+  finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
+
+  if (ctx->nextsign)
+    {
+      if (ZZ_ListIterDone (jar->signers, ctx->nextsign))
+       {
+       *it = NULL;
+       return -1;
+       }
+    PORT_Assert (ctx->nextsign->thing != NULL);
+    signer = (JAR_Signer*)ctx->nextsign->thing->data;
+    }
+
+
+  /* Find out which linked list to traverse. Then if
+     necessary, advance to the next linked list. */
+
+  while (1)
+    {
+    switch (finding)
+      {
+      case jarTypeSign:    /* not any more */
+                           PORT_Assert( finding != jarTypeSign );
+                           list = signer->certs;
+                           break;
+
+      case jarTypeSect:    list = jar->manifest;
+                           break;
+
+      case jarTypePhy:     list = jar->phy;
+                           break;
+
+      case jarTypeSF:      /* signer, not jar */
+                           PORT_Assert( signer != NULL );
+                           list = signer->sf;
+                           break;
+
+      case jarTypeMF:      list = jar->hashes;
+                           break;
+
+      case jarTypeOwner:   list = jar->signers;
+                           break;
+
+      case jarTypeMeta:    list = jar->metainfo;
+                           break;
+
+      default:             PORT_Assert( 1 != 2 );
+                           break;
+      }
+
+    if (list == NULL)
+      {
+      *it = NULL;
+      return -1;
+      }
+
+    /* When looping over lists of lists, advance
+       to the next signer. This is done when multiple
+       signers are possible. */
+
+    if (ZZ_ListIterDone (list, ctx->next))
+      {
+      if (ctx->nextsign && jar->signers) 
+        {
+        ctx->nextsign = ctx->nextsign->next;
+        if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) 
+          {
+          PORT_Assert (ctx->nextsign->thing != NULL);
+
+          signer = (JAR_Signer*)ctx->nextsign->thing->data;
+          PORT_Assert( signer != NULL );
+
+          ctx->next = NULL;
+          continue;
+          }
+        }
+      *it = NULL;
+      return -1;
+      }
+
+    /* if the signer changed, still need to fill
+       in the "next" link */
+
+    if (ctx->nextsign && ctx->next == NULL)
+      {
+      switch (finding)
+        {
+        case jarTypeSF:
+
+          ctx->next = ZZ_ListHead (signer->sf);
+          break;
+
+        case jarTypeSign:
+
+          ctx->next = ZZ_ListHead (signer->certs);
+          break;
+        }
+      }
+
+    PORT_Assert( ctx->next != NULL );
+
+
+    while (!ZZ_ListIterDone (list, ctx->next))
+      {
+      *it = ctx->next->thing;
+      ctx->next = ctx->next->next;
+
+      if (!*it || (*it)->type != finding)
+        continue;
+
+      if (ctx->pattern && *ctx->pattern)
+        {
+        if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
+          continue;
+        }
+
+      /* We have a valid match. If this is a jarTypeSign
+         return the certificate instead.. */
+
+      if (ctx->finding == jarTypeSign)
+        {
+        JAR_Item *itt;
+
+        /* just the first one for now */
+        if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) 
+           {
+           *it = itt;
+           return 0;
+           }
+
+        continue;      
+        }
+
+      return 0;
+      }
+
+    } /* end while */
+  }
+
+static int jar_find_first_cert 
+    (JAR_Signer *signer, int type, JAR_Item **it)
+  {
+  ZZLink *link;
+  ZZList *list;
+
+  int status = JAR_ERR_PNF;
+
+  list = signer->certs;
+
+  *it = NULL;
+
+  if (ZZ_ListEmpty (list))
+    {
+    /* empty list */
+    return JAR_ERR_PNF;
+    }
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    if (link->thing->type == type)
+      {
+      *it = link->thing;
+      status = 0;
+      break;
+      }
+    }
+
+  return status;
+  }
+
+JAR_Signer *JAR_new_signer (void)
+  {
+  JAR_Signer *signer;
+
+  signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
+
+  if (signer == NULL)
+    goto loser;
+
+
+  /* certs */
+  signer->certs = ZZ_NewList();
+
+  if (signer->certs == NULL)
+    goto loser;
+
+
+  /* sf */
+  signer->sf = ZZ_NewList();
+
+  if (signer->sf == NULL)
+    goto loser;
+
+
+  return signer;
+
+
+loser:
+
+  if (signer)
+    {
+    if (signer->certs) 
+      ZZ_DestroyList (signer->certs);
+
+    if (signer->sf) 
+      ZZ_DestroyList (signer->sf);
+
+    PORT_Free (signer);
+    }
+
+  return NULL;
+  }
+
+void JAR_destroy_signer (JAR_Signer *signer)
+  {
+  if (signer)
+    {
+    if (signer->owner) PORT_Free (signer->owner);
+    if (signer->digest) PORT_Free (signer->digest);
+
+    jar_destroy_list (signer->sf);
+    ZZ_DestroyList (signer->sf);
+
+    jar_destroy_list (signer->certs);
+    ZZ_DestroyList (signer->certs);
+
+    PORT_Free (signer);
+    }
+  }
+
+JAR_Signer *jar_get_signer (JAR *jar, char *basename)
+  {
+  JAR_Item *it;
+  JAR_Context *ctx;
+
+  JAR_Signer *candidate;
+  JAR_Signer *signer = NULL;
+
+  ctx = JAR_find (jar, NULL, jarTypeOwner);
+
+  if (ctx == NULL)
+    return NULL;
+
+  while (JAR_find_next (ctx, &it) >= 0)
+    {
+    candidate = (JAR_Signer *) it->data;
+    if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename))
+      {
+      signer = candidate;
+      break;
+      }
+    }
+
+  JAR_find_end (ctx);
+
+  return signer;
+  }
+
+/*
+ *  J A R _ g e t _ f i l e n a m e
+ *
+ *  Returns the filename associated with
+ *  a JAR structure.
+ *
+ */
+
+char *JAR_get_filename (JAR *jar)
+  {
+  return jar->filename;
+  }
+
+/*
+ *  J A R _ g e t _ u r l
+ *
+ *  Returns the URL associated with
+ *  a JAR structure. Nobody really uses this now.
+ *
+ */
+
+char *JAR_get_url (JAR *jar)
+  {
+  return jar->url;
+  }
+
+/*
+ *  J A R _ s e t _ c a l l b a c k
+ *
+ *  Register some manner of callback function for this jar. 
+ *
+ */
+
+int JAR_set_callback (int type, JAR *jar, 
+      int (*fn) (int status, JAR *jar, 
+         const char *metafile, char *pathname, char *errortext))
+  {
+  if (type == JAR_CB_SIGNAL)
+    {
+    jar->signal = fn;
+    return 0;
+    }
+  else
+    return -1;
+  }
+
+/*
+ *  Callbacks
+ *
+ */
+
+/* To return an error string */
+char *(*jar_fn_GetString) (int) = NULL;
+
+/* To return an MWContext for Java */
+void *(*jar_fn_FindSomeContext) (void) = NULL;
+
+/* To fabricate an MWContext for FE_GetPassword */
+void *(*jar_fn_GetInitContext) (void) = NULL;
+
+void
+JAR_init_callbacks
+     ( 
+     char *(*string_cb)(int), 
+     void *(*find_cx)(void), 
+     void *(*init_cx)(void) 
+     )
+  {
+  jar_fn_GetString = string_cb;
+  jar_fn_FindSomeContext = find_cx;
+  jar_fn_GetInitContext = init_cx;
+  }
+
+/*
+ *  J A R _ g e t _ e r r o r
+ *
+ *  This is provided to map internal JAR errors to strings for
+ *  the Java console. Also, a DLL may call this function if it does
+ *  not have access to the XP_GetString function.
+ *
+ *  These strings aren't UI, since they are Java console only.
+ *
+ */
+
+char *JAR_get_error (int status)
+  { 
+  char *errstring = NULL;
+
+  switch (status)
+    {
+    case JAR_ERR_GENERAL:
+      errstring = "General JAR file error";
+      break;
+
+    case JAR_ERR_FNF:
+      errstring = "JAR file not found";
+      break;
+
+    case JAR_ERR_CORRUPT:
+      errstring = "Corrupt JAR file";
+      break;
+
+    case JAR_ERR_MEMORY:
+      errstring = "Out of memory";
+      break;
+
+    case JAR_ERR_DISK:
+      errstring = "Disk error (perhaps out of space)";
+      break;
+
+    case JAR_ERR_ORDER:
+      errstring = "Inconsistent files in META-INF directory";
+      break;
+
+    case JAR_ERR_SIG:
+      errstring = "Invalid digital signature file";
+      break;
+
+    case JAR_ERR_METADATA:
+      errstring = "JAR metadata failed verification";
+      break;
+
+    case JAR_ERR_ENTRY:
+      errstring = "No Manifest entry for this JAR entry";
+      break;
+
+    case JAR_ERR_HASH:
+      errstring = "Invalid Hash of this JAR entry";
+      break;
+
+    case JAR_ERR_PK7:
+      errstring = "Strange PKCS7 or RSA failure";
+      break;
+
+    case JAR_ERR_PNF:
+      errstring = "Path not found inside JAR file";
+      break;
+
+    default:
+      if (jar_fn_GetString)
+        {
+        errstring = jar_fn_GetString (status);
+        }
+      else
+        {
+        /* this is not a normal situation, and would only be
+           called in cases of improper initialization */
+
+        char *err;
+
+        err = (char*)PORT_Alloc (40);
+        if (err)
+          PR_snprintf (err, 39,  "Error %d\n", status);
+        else
+          err = "Error! Bad! Out of memory!";
+
+        return err;
+        }
+      break;
+    }
+
+  return errstring;
+  }
diff --git a/security/nss/lib/jar/jar.h b/security/nss/lib/jar/jar.h
new file mode 100644
index 000000000..23b76b9cf
--- /dev/null
+++ b/security/nss/lib/jar/jar.h
@@ -0,0 +1,481 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __JAR_h_
+#define __JAR_h_
+
+/*
+ *  In general, any functions that return pointers
+ *  have memory owned by the caller.
+ *
+ */
+
+/* security includes */
+#include "cert.h"
+#include "hasht.h"
+
+/* nspr 2.0 includes */
+#include "prio.h"
+
+#ifndef ZHUGEP
+#ifdef XP_WIN16
+#define ZHUGEP __huge
+#else
+#define ZHUGEP
+#endif
+#endif
+
+#include <stdio.h>
+
+/* various types */
+
+typedef enum
+  {
+  jarTypeMF = 2,
+  jarTypeSF = 3,
+  jarTypeMeta = 6,
+  jarTypePhy = 7,
+  jarTypeSign = 10,
+  jarTypeSect = 11,
+  jarTypeOwner = 13
+  }
+jarType;
+
+/* void data in ZZList's contain JAR_Item type */
+
+typedef struct JAR_Item_
+  {
+  char *pathname;        /* relative. inside zip file */
+  jarType type;          /* various types */
+  size_t size;           /* size of data below */
+  void *data;            /* totally opaque */
+  }
+JAR_Item;
+
+
+/* hashes */
+
+typedef enum
+  {
+  jarHashNone = 0,
+  jarHashBad = 1,
+  jarHashPresent = 2
+  }
+jarHash;
+
+typedef struct JAR_Digest_
+  {
+  jarHash md5_status;
+  unsigned char md5 [MD5_LENGTH];
+  jarHash sha1_status;
+  unsigned char sha1 [SHA1_LENGTH];
+  }
+JAR_Digest;
+
+
+/* physical archive formats */
+
+typedef enum
+  {
+  jarArchGuess = 0,
+  jarArchNone = 1,
+  jarArchZip = 2,
+  jarArchTar = 3
+  }
+jarArch;
+
+
+#include "jar-ds.h"
+
+/* jar object */
+
+typedef struct JAR_
+  {
+  jarArch format;       /* physical archive format */ 
+  char *url;            /* Where it came from */
+  char *filename;       /* Disk location */
+  FILE *fp;             /* For multiple extractions */    /* JAR_FILE */
+
+  /* various linked lists */
+
+  ZZList *manifest;     /* Digests of MF sections */
+  ZZList *hashes;       /* Digests of actual signed files */
+  ZZList *phy;          /* Physical layout of JAR file */
+  ZZList *metainfo;     /* Global metainfo */
+
+  JAR_Digest *globalmeta;  /* digest of .MF global portion */
+
+  /* Below will change to a linked list to support multiple sigs */
+
+  int pkcs7;            /* Enforced opaqueness */
+  int valid;            /* PKCS7 signature validated */
+
+  ZZList *signers;      /* the above, per signer */
+
+  /* Window context, very necessary for PKCS11 now */
+
+  void *mw;             /* MWContext window context */
+
+  /* Signal callback function */
+
+  int (*signal) (int status, struct JAR_ *jar, 
+     const char *metafile, char *pathname, char *errorstring);
+  }
+JAR;
+
+
+/*
+ *  Iterator
+ *
+ *  Context for iterative operations. Certain operations
+ *  require iterating multiple linked lists because of
+ *  multiple signers. "nextsign" is used for this purpose.
+ *
+ */
+
+typedef struct JAR_Context_
+  {
+  JAR *jar;             /* Jar we are searching */
+  char *pattern;        /* Regular expression */
+  jarType finding;      /* Type of item to find */
+  ZZLink *next;         /* Next item in find */
+  ZZLink *nextsign;     /* Next signer, sometimes */
+  }
+JAR_Context;
+
+typedef struct JAR_Signer_
+  {
+  int pkcs7;            /* Enforced opaqueness */
+  int valid;            /* PKCS7 signature validated */
+  char *owner;          /* name of .RSA file */
+  JAR_Digest *digest;   /* of .SF file */
+  ZZList *sf;           /* Linked list of .SF file contents */
+  ZZList *certs;        /* Signing information */
+  }
+JAR_Signer;
+
+
+/* Meta informaton, or "policy", from the manifest file.
+   Right now just one tuple per JAR_Item. */
+
+typedef struct JAR_Metainfo_
+  {
+  char *header;
+  char *info;
+  }
+JAR_Metainfo;
+
+/* This should not be global */
+
+typedef struct JAR_Physical_
+  {
+  unsigned char compression;
+  unsigned long offset;
+  unsigned long length;
+  unsigned long uncompressed_length;
+#if defined(XP_UNIX) || defined(XP_BEOS)
+  uint16 mode;
+#endif
+  }
+JAR_Physical;
+
+typedef struct JAR_Cert_
+  {
+  size_t length;
+  void *key;
+  CERTCertificate *cert;
+  }
+JAR_Cert;
+
+
+/* certificate stuff */
+
+typedef enum
+  {
+  jarCertCompany = 1,
+  jarCertCA = 2,
+  jarCertSerial = 3,
+  jarCertExpires = 4,
+  jarCertNickname = 5,
+  jarCertFinger = 6,
+  jarCertJavaHack = 100
+  }
+jarCert;
+
+/* callback types */
+
+#define JAR_CB_SIGNAL	1
+
+
+/* 
+ *  This is the base for the JAR error codes. It will
+ *  change when these are incorporated into allxpstr.c,
+ *  but right now they won't let me put them there.
+ *
+ */
+
+#ifndef SEC_ERR_BASE
+#define SEC_ERR_BASE		(-0x2000)
+#endif
+ 
+#define JAR_BASE		SEC_ERR_BASE + 300
+
+/* Jar specific error definitions */
+
+#define JAR_ERR_GENERAL         (JAR_BASE + 1)
+#define JAR_ERR_FNF		(JAR_BASE + 2)
+#define JAR_ERR_CORRUPT		(JAR_BASE + 3)
+#define JAR_ERR_MEMORY		(JAR_BASE + 4)
+#define JAR_ERR_DISK		(JAR_BASE + 5)
+#define JAR_ERR_ORDER           (JAR_BASE + 6)
+#define JAR_ERR_SIG		(JAR_BASE + 7)
+#define JAR_ERR_METADATA        (JAR_BASE + 8)
+#define JAR_ERR_ENTRY		(JAR_BASE + 9)
+#define JAR_ERR_HASH		(JAR_BASE + 10)
+#define JAR_ERR_PK7		(JAR_BASE + 11)
+#define JAR_ERR_PNF		(JAR_BASE + 12)
+
+
+/*
+ *  Birth and death 
+ *
+ */
+
+extern JAR *JAR_new (void);
+
+extern void PR_CALLBACK JAR_destroy (JAR *jar);
+
+extern char *JAR_get_error (int status);
+
+extern int JAR_set_callback (int type, JAR *jar, 
+  int (*fn) (int status, JAR *jar, 
+  const char *metafile, char *pathname, char *errortext));
+
+extern void JAR_init_callbacks
+  ( char *(*string_cb)(int), void *(*find_cx)(void), void *(*init_cx)(void) );
+
+/*
+ *  JAR_set_context
+ *
+ *  PKCS11 may require a password to be entered by the user
+ *  before any crypto routines may be called. This will require
+ *  a window context if used from inside Mozilla.
+ *
+ *  Call this routine with your context before calling 
+ *  verifying or signing. If you have no context, call with NULL
+ *  and one will be chosen for you.
+ *
+ */
+
+int JAR_set_context (JAR *jar, void /*MWContext*/ *mw);
+
+/*
+ *  Iterative operations
+ *
+ *  JAR_find sets up for repeated calls with JAR_find_next.
+ *  I never liked findfirst and findnext, this is nicer.
+ *
+ *  Pattern contains a relative pathname to match inside the
+ *  archive. It is currently assumed to be "*".
+ *
+ *  To use:
+ *
+ *     JAR_Item *item;
+ *     JAR_find (jar, "*.class", jarTypeMF);
+ *     while (JAR_find_next (jar, &item) >= 0) 
+ *       { do stuff }
+ *
+ */
+
+
+/* Replacement functions with an external context */
+
+extern JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type);
+
+extern int JAR_find_next (JAR_Context *ctx, JAR_Item **it);
+
+extern void JAR_find_end (JAR_Context *ctx);
+
+
+/*
+ *  Function to parse manifest file:
+ *
+ *  Many signatures may be attached to a single filename located
+ *  inside the zip file. We only support one.
+ *
+ *  Several manifests may be included in the zip file. 
+ *
+ *  You must pass the MANIFEST.MF file before any .SF files.
+ *
+ *  Right now this returns a big ole list, privately in the jar structure.
+ *  If you need to traverse it, use JAR_find if possible.
+ *
+ *  The path is needed to determine what type of binary signature is
+ *  being passed, though it is technically not needed for manifest files.
+ *
+ *  When parsing an ASCII file, null terminate the ASCII raw_manifest
+ *  prior to sending it, and indicate a length of 0. For binary digital
+ *  signatures only, indicate the true length of the signature.
+ *  (This is legacy behavior.)
+ *
+ *  You may free the manifest after parsing it.
+ *
+ */
+
+extern int JAR_parse_manifest 
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+       long length, const char *path, const char *url);
+
+/*
+ *  Verify data (nonstreaming). The signature is actually
+ *  checked by JAR_parse_manifest or JAR_pass_archive.
+ *
+ */
+
+extern JAR_Digest * PR_CALLBACK JAR_calculate_digest 
+    (void ZHUGEP *data, long length);
+
+extern int PR_CALLBACK JAR_verify_digest
+    (JAR *jar, const char *name, JAR_Digest *dig);
+
+extern int JAR_digest_file (char *filename, JAR_Digest *dig);
+
+/*
+ *  Get attribute from certificate:
+ *
+ *  Returns any special signed attribute associated with this cert
+ *  or signature (passed in "data"). Attributes jarCert*. Most of the time
+ *  this will return a zero terminated string.
+ *
+ */
+
+extern int PR_CALLBACK JAR_cert_attribute
+    (JAR *jar, jarCert attrib, long keylen, void *key, 
+       void **result, unsigned long *length);
+
+/*
+ *  Meta information
+ *
+ *  Currently, since this call does not support passing of an owner
+ *  (certificate, or physical name of the .sf file), it is restricted to
+ *  returning information located in the manifest.mf file. 
+ *
+ *  Meta information is a name/value pair inside the archive file. Here,
+ *  the name is passed in *header and value returned in **info.
+ *
+ *  Pass a NULL as the name to retrieve metainfo from the global section.
+ *
+ *  Data is returned in **info, of size *length. The return value
+ *  will indicate if no data was found.
+ *
+ */
+
+extern int JAR_get_metainfo
+    (JAR *jar, char *name, char *header, void **info, unsigned long *length);
+
+extern char *JAR_get_filename (JAR *jar);
+
+extern char *JAR_get_url (JAR *jar);
+
+/*
+ *  Return an HTML mockup of a certificate or signature.
+ *
+ *  Returns a zero terminated ascii string
+ *  in raw HTML format.
+ *
+ */
+
+extern char *JAR_cert_html
+    (JAR *jar, int style, long keylen, void *key, int *result);
+
+/* save the certificate with this fingerprint in persistent
+   storage, somewhere, for retrieval in a future session when there 
+   is no corresponding JAR structure. */
+
+extern int PR_CALLBACK JAR_stash_cert
+        (JAR *jar, long keylen, void *key);
+
+/* retrieve a certificate presumably stashed with the above
+   function, but may be any certificate. Type is &CERTCertificate */
+
+void *JAR_fetch_cert (long length, void *key);
+
+/*
+ *  New functions to handle archives alone
+ *    (call JAR_new beforehand)
+ *
+ *  JAR_pass_archive acts much like parse_manifest. Certificates
+ *  are returned in the JAR structure but as opaque data. When calling 
+ *  JAR_verified_extract you still need to decide which of these 
+ *  certificates to honor. 
+ *
+ *  Code to examine a JAR structure is in jarbert.c. You can obtain both 
+ *  a list of filenames and certificates from traversing the linked list.
+ *
+ */
+
+extern int JAR_pass_archive
+    (JAR *jar, jarArch format, char *filename, const char *url);
+
+/*
+ * Same thing, but don't check signatures
+ */
+extern int JAR_pass_archive_unverified
+    (JAR *jar, jarArch format, char *filename, const char *url);
+
+/*
+ *  Extracts a relative pathname from the archive and places it
+ *  in the filename specified. 
+ * 
+ *  Call JAR_set_nailed if you want to keep the file descriptors
+ *  open between multiple calls to JAR_verify_extract.
+ *
+ */
+
+extern int JAR_verified_extract
+    (JAR *jar, char *path, char *outpath);
+
+/*
+ *  JAR_extract does no crypto checking. This can be used if you
+ *  need to extract a manifest file or signature, etc.
+ *
+ */
+
+extern int JAR_extract
+    (JAR *jar, char *path, char *outpath);
+
+
+#endif /* __JAR_h_ */ 
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
new file mode 100644
index 000000000..2ff6fd88e
--- /dev/null
+++ b/security/nss/lib/jar/jarfile.c
@@ -0,0 +1,1177 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARFILE
+ *
+ *  Parsing of a Jar file
+ */
+
+#define JAR_SIZE 256
+
+#include "jar.h"
+
+#include "jarint.h"
+#include "jarfile.h"
+
+/* commercial compression */
+#include "jzlib.h"
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "sys/stat.h"
+#endif
+
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+/* extracting */
+
+static int jar_guess_jar (char *filename, JAR_FILE fp);
+
+static int jar_inflate_memory 
+   (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data);
+
+static int jar_physical_extraction 
+   (JAR_FILE fp, char *outpath, long offset, long length);
+
+static int jar_physical_inflate
+   (JAR_FILE fp, char *outpath, long offset, 
+         long length, unsigned int method);
+
+static int jar_verify_extract 
+   (JAR *jar, char *path, char *physical_path);
+
+static JAR_Physical *jar_get_physical (JAR *jar, char *pathname);
+
+static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp);
+
+static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext);
+
+
+/* indexing */
+
+static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp);
+
+static int jar_listtar (JAR *jar, JAR_FILE fp);
+
+static int jar_listzip (JAR *jar, JAR_FILE fp);
+
+
+/* conversions */
+
+static int dosdate (char *date, char *s);
+
+static int dostime (char *time, char *s);
+
+static unsigned int xtoint (unsigned char *ii);
+
+static unsigned long xtolong (unsigned char *ll);
+
+static long atoo (char *s);
+
+/*
+ *  J A R _ p a s s _ a r c h i v e
+ *
+ *  For use by naive clients. Slam an entire archive file
+ *  into this function. We extract manifests, parse, index
+ *  the archive file, and do whatever nastiness.
+ *
+ */
+
+int JAR_pass_archive
+    (JAR *jar, jarArch format, char *filename, const char *url)
+  {
+  JAR_FILE fp;
+  int status = 0;
+
+  if (filename == NULL)
+    return JAR_ERR_GENERAL;
+
+  if ((fp = JAR_FOPEN (filename, "rb")) != NULL)
+    {
+    if (format == jarArchGuess)
+      format = (jarArch)jar_guess_jar (filename, fp);
+
+    jar->format = format;
+    jar->url = url ? PORT_Strdup (url) : NULL;
+    jar->filename = PORT_Strdup (filename);
+
+    status = jar_gen_index (jar, format, fp);
+
+    if (status == 0)
+      status = jar_extract_manifests (jar, format, fp);
+
+    JAR_FCLOSE (fp);
+
+    if (status < 0)
+      return status;
+
+    /* people were expecting it this way */
+    return jar->valid;
+    }
+  else
+    {
+    /* file not found */
+    return JAR_ERR_FNF;
+    }
+  }
+
+/*
+ *  J A R _ p a s s _ a r c h i v e _ u n v e r i f i e d
+ *
+ * Same as JAR_pass_archive, but doesn't parse signatures.
+ *
+ */
+int JAR_pass_archive_unverified
+        (JAR *jar, jarArch format, char *filename, const char *url)
+{
+        JAR_FILE fp;
+        int status = 0;
+
+        if (filename == NULL) {
+                return JAR_ERR_GENERAL;
+        }
+
+        if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
+                if (format == jarArchGuess) {
+                        format = (jarArch)jar_guess_jar (filename, fp);
+                }
+
+                jar->format = format;
+                jar->url = url ? PORT_Strdup (url) : NULL;
+                jar->filename = PORT_Strdup (filename);
+
+                status = jar_gen_index (jar, format, fp);
+
+                if (status == 0) {
+                        status = jar_extract_mf(jar, format, fp, "mf");
+                }
+
+                JAR_FCLOSE (fp);
+
+                if (status < 0) {
+                        return status;
+                }
+
+                /* people were expecting it this way */
+                return jar->valid;
+        } else {
+                /* file not found */
+                return JAR_ERR_FNF;
+        }
+}
+
+/*
+ *  J A R _ v e r i f i e d _ e x t r a c t
+ *
+ *  Optimization: keep a file descriptor open
+ *  inside the JAR structure, so we don't have to
+ *  open the file 25 times to run java. 
+ *
+ */
+
+int JAR_verified_extract
+    (JAR *jar, char *path, char *outpath)
+  {
+  int status;
+
+  status = JAR_extract (jar, path, outpath);
+
+  if (status >= 0)
+    return jar_verify_extract (jar, path, outpath);
+  else
+    return status;
+  }
+
+int JAR_extract
+    (JAR *jar, char *path, char *outpath)
+  {
+  int result;
+
+  JAR_Physical *phy;
+
+  if (jar->fp == NULL && jar->filename)
+    {
+    jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
+    }
+
+  if (jar->fp == NULL)
+    {
+    /* file not found */
+    return JAR_ERR_FNF;
+    }
+
+  phy = jar_get_physical (jar, path);
+
+  if (phy)
+    {
+    if (phy->compression != 0 && phy->compression != 8)
+      {
+      /* unsupported compression method */
+      result = JAR_ERR_CORRUPT;
+      }
+
+    if (phy->compression == 0)
+      {
+      result = jar_physical_extraction 
+         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
+      }
+    else
+      {
+      result = jar_physical_inflate 
+         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length, 
+            (unsigned int) phy->compression);
+      }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    if (phy->mode)
+      chmod (outpath, 0400 | (mode_t) phy->mode);
+#endif
+    }
+  else
+    {
+    /* pathname not found in archive */
+    result = JAR_ERR_PNF;
+    }
+
+  return result;
+  }
+
+/* 
+ *  p h y s i c a l _ e x t r a c t i o n
+ *
+ *  This needs to be done in chunks of say 32k, instead of
+ *  in one bulk calloc. (Necessary under Win16 platform.)
+ *  This is done for uncompressed entries only.
+ *
+ */
+
+#define CHUNK 32768
+
+static int jar_physical_extraction 
+     (JAR_FILE fp, char *outpath, long offset, long length)
+  {
+  JAR_FILE out;
+
+  char *buffer;
+  long at, chunk;
+
+  int status = 0;
+
+  buffer = (char *) PORT_ZAlloc (CHUNK);
+
+  if (buffer == NULL)
+    return JAR_ERR_MEMORY;
+
+  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
+    {
+    at = 0;
+
+    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+
+    while (at < length)
+      {
+      chunk = (at + CHUNK <= length) ? CHUNK : length - at;
+
+      if (JAR_FREAD (fp, buffer, chunk) != chunk)
+        {
+        status = JAR_ERR_DISK;
+        break;
+        }
+
+      at += chunk;
+
+      if (JAR_FWRITE (out, buffer, chunk) < chunk)
+        {
+        /* most likely a disk full error */
+        status = JAR_ERR_DISK;
+        break;
+        }
+      }
+    JAR_FCLOSE (out);
+    }
+  else
+    {
+    /* error opening output file */
+    status = JAR_ERR_DISK;
+    }
+
+  PORT_Free (buffer);
+  return status;
+  }
+
+/*
+ *  j a r _ p h y s i c a l _ i n f l a t e
+ *
+ *  Inflate a range of bytes in a file, writing the inflated
+ *  result to "outpath". Chunk based.
+ *
+ */
+
+/* input and output chunks differ, assume 4x compression */
+
+#define ICHUNK 8192
+#define OCHUNK 32768
+
+static int jar_physical_inflate
+     (JAR_FILE fp, char *outpath, long offset, 
+          long length, unsigned int method)
+  {
+  z_stream zs;
+
+  JAR_FILE out;
+
+  long at, chunk;
+  char *inbuf, *outbuf;
+
+  int status = 0;
+
+  unsigned long prev_total, ochunk, tin;
+
+  /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK + 1)) == NULL)
+    return JAR_ERR_MEMORY;
+
+  if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
+    {
+    PORT_Free (inbuf);
+    return JAR_ERR_MEMORY;
+    }
+
+  PORT_Memset (&zs, 0, sizeof (zs));
+  status = inflateInit2 (&zs, -MAX_WBITS);
+
+  if (status != Z_OK)
+    {
+    PORT_Free (inbuf);
+    PORT_Free (outbuf);
+    return JAR_ERR_GENERAL;
+    }
+
+  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
+    {
+    at = 0;
+
+    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+
+    while (at < length)
+      {
+      chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
+
+      if (JAR_FREAD (fp, inbuf, chunk) != chunk)
+        {
+        /* incomplete read */
+        JAR_FCLOSE (out);
+        PORT_Free (inbuf);
+        PORT_Free (outbuf);
+        return JAR_ERR_CORRUPT;
+        }
+
+      at += chunk;
+
+      if (at == length)
+        {
+        /* add an extra dummy byte at the end */
+        inbuf[chunk++] = 0xDD;
+        }
+
+      zs.next_in = (Bytef *) inbuf;
+      zs.avail_in = chunk;
+      zs.avail_out = OCHUNK;
+
+      tin = zs.total_in;
+
+      while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
+        {
+        prev_total = zs.total_out;
+
+        zs.next_out = (Bytef *) outbuf;
+        zs.avail_out = OCHUNK;
+
+        status = inflate (&zs, Z_NO_FLUSH);
+
+        if (status != Z_OK && status != Z_STREAM_END)
+          {
+          /* error during decompression */
+          JAR_FCLOSE (out);
+          PORT_Free (inbuf);
+          PORT_Free (outbuf);
+          return JAR_ERR_CORRUPT;
+          }
+
+	ochunk = zs.total_out - prev_total;
+
+        if (JAR_FWRITE (out, outbuf, ochunk) < ochunk)
+          {
+          /* most likely a disk full error */
+          status = JAR_ERR_DISK;
+          break;
+          }
+
+        if (status == Z_STREAM_END)
+          break;
+        }
+      }
+
+    JAR_FCLOSE (out);
+    status = inflateEnd (&zs);
+    }
+  else
+    {
+    /* error opening output file */
+    status = JAR_ERR_DISK;
+    }
+
+  PORT_Free (inbuf);
+  PORT_Free (outbuf);
+
+  return status;
+  }
+
+/*
+ *  j a r _ i n f l a t e _ m e m o r y
+ *
+ *  Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd, 
+ *  and thus appears to operate inplace to the caller.
+ *
+ */
+
+static int jar_inflate_memory 
+     (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data)
+  {
+  int status;
+  z_stream zs;
+
+  long insz, outsz;
+
+  char *inbuf, *outbuf;
+
+  inbuf =  *data;
+  insz = *length;
+
+  outsz = expected_out_len;
+  outbuf = (char*)PORT_ZAlloc (outsz);
+
+  if (outbuf == NULL)
+    return JAR_ERR_MEMORY;
+
+  PORT_Memset (&zs, 0, sizeof (zs));
+
+  status = inflateInit2 (&zs, -MAX_WBITS);
+
+  if (status < 0)
+    {
+    /* error initializing zlib stream */
+    PORT_Free (outbuf);
+    return JAR_ERR_GENERAL;
+    }
+
+  zs.next_in = (Bytef *) inbuf;
+  zs.next_out = (Bytef *) outbuf;
+
+  zs.avail_in = insz;
+  zs.avail_out = outsz;
+
+  status = inflate (&zs, Z_FINISH);
+
+  if (status != Z_OK && status != Z_STREAM_END)
+    {
+    /* error during deflation */
+    PORT_Free (outbuf);
+    return JAR_ERR_GENERAL; 
+    }
+
+  status = inflateEnd (&zs);
+
+  if (status != Z_OK)
+    {
+    /* error during deflation */
+    PORT_Free (outbuf);
+    return JAR_ERR_GENERAL;
+    }
+
+  PORT_Free (*data);
+
+  *data = outbuf;
+  *length = zs.total_out;
+
+  return 0;
+  }
+
+/*
+ *  v e r i f y _ e x t r a c t
+ *
+ *  Validate signature on the freshly extracted file.
+ *
+ */
+
+static int jar_verify_extract (JAR *jar, char *path, char *physical_path)
+  {
+  int status;
+  JAR_Digest dig;
+
+  PORT_Memset (&dig, 0, sizeof (JAR_Digest));
+  status = JAR_digest_file (physical_path, &dig);
+
+  if (!status)
+    status = JAR_verify_digest (jar, path, &dig);
+
+  return status;
+  }
+
+/*
+ *  g e t _ p h y s i c a l
+ *
+ *  Let's get physical.
+ *  Obtains the offset and length of this file in the jar file.
+ *
+ */
+
+static JAR_Physical *jar_get_physical (JAR *jar, char *pathname)
+  {
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+
+  ZZLink *link;
+  ZZList *list;
+
+  list = jar->phy;
+
+  if (ZZ_ListEmpty (list))
+    return NULL;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypePhy 
+          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
+      {
+      phy = (JAR_Physical *) it->data;
+      return phy;
+      }
+    }
+
+  return NULL;
+  }
+
+/*
+ *  j a r _ e x t r a c t _ m a n i f e s t s
+ *
+ *  Extract the manifest files and parse them,
+ *  from an open archive file whose contents are known.
+ *
+ */
+
+static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp)
+  {
+  int status;
+
+  if (format != jarArchZip && format != jarArchTar)
+    return JAR_ERR_CORRUPT;
+
+  if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
+    return status;
+
+  return 0;
+  }
+
+/*
+ *  j a r _ e x t r a c t _ m f
+ *
+ *  Extracts manifest files based on an extension, which 
+ *  should be .MF, .SF, .RSA, etc. Order of the files is now no 
+ *  longer important when zipping jar files.
+ *
+ */
+
+static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext)
+  {
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+
+  ZZLink *link;
+  ZZList *list;
+
+  char *fn, *e;
+  char ZHUGEP *manifest;
+
+  long length;
+  int status, ret = 0, num;
+
+  list = jar->phy;
+
+  if (ZZ_ListEmpty (list))
+    return JAR_ERR_PNF;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypePhy 
+          && !PORT_Strncmp (it->pathname, "META-INF", 8))
+      {
+      phy = (JAR_Physical *) it->data;
+
+      if (PORT_Strlen (it->pathname) < 8)
+        continue;
+
+      fn = it->pathname + 8;
+      if (*fn == '/' || *fn == '\\') fn++;
+
+      if (*fn == 0)
+        {
+        /* just a directory entry */
+        continue;
+        }
+
+      /* skip to extension */
+      for (e = fn; *e && *e != '.'; e++)
+        /* yip */ ;
+
+      /* and skip dot */
+      if (*e == '.') e++;
+
+      if (PORT_Strcasecmp (ext, e))
+        {
+        /* not the right extension */
+        continue;
+        }
+
+      if (phy->length == 0 || phy->length > 0xFFFF)
+        {
+        /* manifest files cannot be zero length or too big! */
+        /* the 0xFFFF limit is per J2SE SDK */
+        return JAR_ERR_CORRUPT;
+        }
+
+      /* Read in the manifest and parse it */
+      /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+      manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
+      if (manifest)
+        {
+        JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
+        num = JAR_FREAD (fp, manifest, phy->length);
+
+        if (num != phy->length)
+          {
+          /* corrupt archive file */
+          PORT_Free (manifest);
+          return JAR_ERR_CORRUPT;
+          }
+
+        if (phy->compression == 8)
+          {
+          length = phy->length;
+          /* add an extra dummy byte at the end */
+          manifest[length++] = 0xDD;
+
+          status = jar_inflate_memory ((unsigned int) phy->compression, &length,  phy->uncompressed_length, &manifest);
+
+          if (status < 0)
+            {
+            PORT_Free (manifest);
+            return status;
+            }
+          }
+        else if (phy->compression)
+          {
+          /* unsupported compression method */
+          PORT_Free (manifest);
+          return JAR_ERR_CORRUPT;
+          }
+        else
+          length = phy->length;
+
+        status = JAR_parse_manifest 
+           (jar, manifest, length, it->pathname, "url");
+
+        PORT_Free (manifest);
+
+        if (status < 0 && ret == 0) ret = status;
+        }
+      else
+        return JAR_ERR_MEMORY;
+      }
+    else if (it->type == jarTypePhy)
+      {
+      /* ordinary file */
+      }
+    }
+
+  return ret;
+  }
+
+/*
+ *  j a r _ g e n _ i n d e x
+ *
+ *  Generate an index for the various types of
+ *  known archive files. Right now .ZIP and .TAR
+ *
+ */
+
+static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp)
+  {
+  int result = JAR_ERR_CORRUPT;
+  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+
+  switch (format)
+    {
+    case jarArchZip:
+      result = jar_listzip (jar, fp);
+      break;
+
+    case jarArchTar:
+      result = jar_listtar (jar, fp);
+      break;
+
+    case jarArchGuess:
+    case jarArchNone:
+      return JAR_ERR_GENERAL;
+    }
+
+  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+  return result;
+  }
+
+
+/*
+ *  j a r _ l i s t z i p
+ *
+ *  List the physical contents of a Phil Katz 
+ *  style .ZIP file into the JAR linked list.
+ *
+ */
+
+static int jar_listzip (JAR *jar, JAR_FILE fp)
+  {
+  int err = 0;
+
+  long pos = 0L;
+  char filename [JAR_SIZE];
+
+  char date [9], time [9];
+  char sig [4];
+
+  unsigned int compression;
+  unsigned int filename_len, extra_len;
+
+  struct ZipLocal *Local;
+  struct ZipCentral *Central;
+  struct ZipEnd *End;
+
+  /* phy things */
+
+  ZZLink  *ent;
+  JAR_Item *it;
+  JAR_Physical *phy;
+
+  Local = (struct ZipLocal *) PORT_ZAlloc (30);
+  Central = (struct ZipCentral *) PORT_ZAlloc (46);
+  End = (struct ZipEnd *) PORT_ZAlloc (22);
+
+  if (!Local || !Central || !End)
+    {
+    /* out of memory */
+    err = JAR_ERR_MEMORY;
+    goto loser;
+    }
+
+  while (1)
+    {
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (JAR_FREAD (fp, (char *) sig, 4) != 4)
+      {
+      /* zip file ends prematurely */
+      err = JAR_ERR_CORRUPT;
+      goto loser;
+      }
+
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (xtolong ((unsigned char *)sig) == LSIG)
+      {
+      JAR_FREAD (fp, (char *) Local, 30);
+
+      filename_len = xtoint ((unsigned char *) Local->filename_len);
+      extra_len = xtoint ((unsigned char *) Local->extrafield_len);
+
+      if (filename_len >= JAR_SIZE)
+        {
+        /* corrupt zip file */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+      if (JAR_FREAD (fp, filename, filename_len) != filename_len)
+        {
+        /* truncated archive file */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+      filename [filename_len] = 0;
+
+      /* Add this to our jar chain */
+
+      phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
+
+      if (phy == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      /* We will index any file that comes our way, but when it comes
+         to actually extraction, compression must be 0 or 8 */
+
+      compression = xtoint ((unsigned char *) Local->method);
+      phy->compression = compression >= 0 && 
+              compression <= 255 ? compression : 222;
+
+      phy->offset = pos + 30 + filename_len + extra_len;
+      phy->length = xtolong ((unsigned char *) Local->size);
+      phy->uncompressed_length = xtolong((unsigned char *) Local->orglen);
+
+      dosdate (date, Local->date);
+      dostime (time, Local->time);
+
+      it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+      if (it == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      it->pathname = PORT_Strdup (filename);
+
+      it->type = jarTypePhy;
+
+      it->data = (unsigned char *) phy;
+      it->size = sizeof (JAR_Physical);
+
+      ent = ZZ_NewLink (it);
+
+      if (ent == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      ZZ_AppendLink (jar->phy, ent);
+ 
+      pos = phy->offset + phy->length;
+      }
+    else if (xtolong ( (unsigned char *)sig) == CSIG)
+      {
+      if (JAR_FREAD (fp, (char *) Central, 46) != 46)
+        {
+        /* apparently truncated archive */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+      /* with unix we need to locate any bits from 
+         the protection mask in the external attributes. */
+        {
+        unsigned int attr;
+
+        /* determined empirically */
+        attr = Central->external_attributes [2];
+
+        if (attr)
+          {
+          /* we have to read the filename, again */
+
+          filename_len = xtoint ((unsigned char *) Central->filename_len);
+
+          if (filename_len >= JAR_SIZE)
+            {
+            /* corrupt in central directory */
+            err = JAR_ERR_CORRUPT;
+            goto loser;
+            }
+
+          if (JAR_FREAD (fp, filename, filename_len) != filename_len)
+            {
+            /* truncated in central directory */
+            err = JAR_ERR_CORRUPT;
+            goto loser;
+            }
+
+          filename [filename_len] = 0;
+
+          /* look up this name again */
+          phy = jar_get_physical (jar, filename);
+
+          if (phy)
+            {
+            /* always allow access by self */
+            phy->mode = 0400 | attr;
+            }
+          }
+        }
+#endif
+
+      pos += 46 + xtoint ( (unsigned char *)Central->filename_len)
+                + xtoint ( (unsigned char *)Central->commentfield_len)
+                + xtoint ( (unsigned char *)Central->extrafield_len);
+      }
+    else if (xtolong ( (unsigned char *)sig) == ESIG)
+      {
+      if (JAR_FREAD (fp, (char *) End, 22) != 22)
+        {
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+      else
+        break;
+      }
+    else
+      {
+      /* garbage in archive */
+      err = JAR_ERR_CORRUPT;
+      goto loser;
+      }
+    }
+
+loser:
+
+  if (Local) PORT_Free (Local);
+  if (Central) PORT_Free (Central);
+  if (End) PORT_Free (End);
+
+  return err;
+  }
+
+/*
+ *  j a r _ l i s t t a r
+ *
+ *  List the physical contents of a Unix 
+ *  .tar file into the JAR linked list.
+ *
+ */
+
+static int jar_listtar (JAR *jar, JAR_FILE fp)
+  {
+  long pos = 0L;
+
+  long sz, mode;
+  time_t when;
+  union TarEntry tarball;
+
+  char *s;
+
+  /* phy things */
+
+  JAR_Physical *phy;
+
+  while (1)
+    {
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (JAR_FREAD (fp, (char *) &tarball, 512) < 512)
+      break;
+
+    if (!*tarball.val.filename)
+      break;
+
+    when = atoo (tarball.val.time);
+    sz = atoo (tarball.val.size);
+    mode = atoo (tarball.val.mode);
+
+
+    /* Tag the end of filename */
+
+    s = tarball.val.filename;
+    while (*s && *s != ' ') s++;
+    *s = 0;
+
+
+    /* Add to our linked list */
+
+    phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
+
+    if (phy == NULL)
+      return JAR_ERR_MEMORY;
+
+    phy->compression = 0;
+    phy->offset = pos + 512;
+    phy->length = sz;
+
+    ADDITEM (jar->phy, jarTypePhy, 
+       tarball.val.filename, phy, sizeof (JAR_Physical));
+
+
+    /* Advance to next file entry */
+
+    sz += 511;
+    sz = (sz / 512) * 512;
+
+    pos += sz + 512;
+    }
+
+  return 0;
+  }
+
+/*
+ *  d o s d a t e
+ *
+ *  Not used right now, but keep it in here because
+ *  it will be needed. 
+ *
+ */
+
+static int dosdate (char *date, char *s)
+  {
+  int num = xtoint ( (unsigned char *)s);
+
+  PR_snprintf (date, 9, "%02d-%02d-%02d",
+     ((num >> 5) & 0x0F), (num & 0x1F), ((num >> 9) + 80));
+
+  return 0;
+  }
+
+/*
+ *  d o s t i m e
+ *
+ *  Not used right now, but keep it in here because
+ *  it will be needed. 
+ *
+ */
+
+static int dostime (char *time, char *s)
+  {
+  int num = xtoint ( (unsigned char *)s);
+
+  PR_snprintf (time, 6, "%02d:%02d",
+     ((num >> 11) & 0x1F), ((num >> 5) & 0x3F));
+
+  return 0;
+  }
+
+/*
+ *  x t o i n t
+ *
+ *  Converts a two byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static unsigned int xtoint (unsigned char *ii)
+  {
+  return (int) (ii [0]) | ((int) ii [1] << 8);
+  }
+
+/*
+ *  x t o l o n g
+ *
+ *  Converts a four byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static unsigned long xtolong (unsigned char *ll)
+  {
+  unsigned long ret;
+
+  ret =  (
+         (((unsigned long) ll [0]) <<  0) |
+         (((unsigned long) ll [1]) <<  8) |
+         (((unsigned long) ll [2]) << 16) |
+         (((unsigned long) ll [3]) << 24)
+         );
+
+  return ret;
+  }
+
+/*
+ *  a t o o
+ *
+ *  Ascii octal to decimal.
+ *  Used for integer encoding inside tar files.
+ *
+ */
+
+static long atoo (char *s)
+  {
+  long num = 0L;
+
+  while (*s == ' ') s++;
+
+  while (*s >= '0' && *s <= '7')
+    {
+    num <<= 3;
+    num += *s++ - '0';
+    }
+
+  return num;
+  }
+
+/*
+ *  g u e s s _ j a r
+ *
+ *  Try to guess what kind of JAR file this is.
+ *  Maybe tar, maybe zip. Look in the file for magic
+ *  or at its filename.
+ *
+ */
+
+static int jar_guess_jar (char *filename, JAR_FILE fp)
+  {
+  char *ext;
+
+  ext = filename + PORT_Strlen (filename) - 4;
+
+  if (!PORT_Strcmp (ext, ".tar"))
+    return jarArchTar;
+
+  return jarArchZip;
+  }
diff --git a/security/nss/lib/jar/jarfile.h b/security/nss/lib/jar/jarfile.h
new file mode 100644
index 000000000..ce3ed3d37
--- /dev/null
+++ b/security/nss/lib/jar/jarfile.h
@@ -0,0 +1,117 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARFILE.H
+ * 
+ *  Certain constants and structures for the archive format.
+ *
+ */
+
+/* ZIP */
+
+struct ZipLocal
+  {
+  char signature [4];
+  char word [2];
+  char bitflag [2];
+  char method [2];
+  char time [2];
+  char date [2];
+  char crc32 [4];
+  char size [4];
+  char orglen [4];
+  char filename_len [2];
+  char extrafield_len [2];
+  };
+
+struct ZipCentral
+  {
+  char signature [4];
+  char version_made_by [2];
+  char version [2];
+  char bitflag [2];
+  char method [2];
+  char time [2];
+  char date [2];
+  char crc32 [4];
+  char size [4];
+  char orglen [4];
+  char filename_len [2];
+  char extrafield_len [2];
+  char commentfield_len [2];
+  char diskstart_number [2];
+  char internal_attributes [2];
+  char external_attributes [4];
+  char localhdr_offset [4];
+  };
+
+struct ZipEnd
+  {
+  char signature [4];
+  char disk_nr [2];
+  char start_central_dir [2];
+  char total_entries_disk [2];
+  char total_entries_archive [2];
+  char central_dir_size [4];
+  char offset_central_dir [4];
+  char commentfield_len [2];
+  };
+
+#define LSIG 0x04034B50l
+#define CSIG 0x02014B50l
+#define ESIG 0x06054B50l
+
+/* TAR */
+
+union TarEntry
+  {
+  struct header
+    {
+    char filename [100];
+    char mode [8];
+    char uid [8];
+    char gid [8];
+    char size [12];
+    char time [12];
+    char checksum [8];
+    char linkflag;
+    char linkname [100];
+    }
+  val;
+
+  char buffer [512];
+  };
diff --git a/security/nss/lib/jar/jarint.c b/security/nss/lib/jar/jarint.c
new file mode 100644
index 000000000..a6245fe99
--- /dev/null
+++ b/security/nss/lib/jar/jarint.c
@@ -0,0 +1,84 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Internal libjar routines.
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+/*-----------------------------------------------------------------------
+ * JAR_FOPEN_to_PR_Open
+ * Translate JAR_FOPEN arguments to PR_Open arguments
+ */
+PRFileDesc*
+JAR_FOPEN_to_PR_Open(const char* name, const char *mode)
+{
+
+	PRIntn	prflags=0, prmode=0;
+
+	/* Get read/write flags */
+	if(strchr(mode, 'r') && !strchr(mode, '+')) {
+		prflags |= PR_RDONLY;
+	} else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
+			!strchr(mode,'+') ) {
+		prflags |= PR_WRONLY;
+	} else {
+		prflags |= PR_RDWR;
+	}
+
+	/* Create a new file? */
+	if(strchr(mode, 'w') || strchr(mode, 'a')) {
+		prflags |= PR_CREATE_FILE;
+	}
+
+	/* Append? */
+	if(strchr(mode, 'a')) {
+		prflags |= PR_APPEND;
+	}
+
+	/* Truncate? */
+	if(strchr(mode, 'w')) {
+		prflags |= PR_TRUNCATE;
+	}
+
+	/* We can't do umask because it isn't XP.  Choose some default
+	   mode for created files */
+	prmode = 0755;
+
+	return PR_Open(name, prflags, prmode);
+}
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
new file mode 100644
index 000000000..c1abc4f94
--- /dev/null
+++ b/security/nss/lib/jar/jarint.h
@@ -0,0 +1,89 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* JAR internal routines */
+
+#include "nspr.h"
+
+/* definitely required */
+/*#include "certdb.h" */
+#include "key.h"
+#include "base64.h"
+
+extern CERTCertDBHandle *JAR_open_database (void);
+
+extern int JAR_close_database (CERTCertDBHandle *certdb);
+
+extern int jar_close_key_database (void *keydb);
+
+extern void *jar_open_key_database (void);
+
+extern JAR_Signer *JAR_new_signer (void);
+
+extern void JAR_destroy_signer (JAR_Signer *signer);
+
+extern JAR_Signer *jar_get_signer (JAR *jar, char *basename);
+
+extern int jar_append (ZZList *list, int type,
+   char *pathname, void *data, size_t size);
+
+/* Translate fopen mode arg to PR_Open flags and mode */
+PRFileDesc*
+JAR_FOPEN_to_PR_Open(const char *name, const char *mode);
+
+
+#define ADDITEM(list,type,pathname,data,size) \
+  { int err; err = jar_append (list, type, pathname, data, size); \
+    if (err < 0) return err; }
+
+/* Here is some ugliness in the event it is necessary to link
+   with NSPR 1.0 libraries, which do not include an FSEEK. It is 
+   difficult to fudge an FSEEK into 1.0 so we use stdio. */
+
+/* nspr 2.0 suite */
+#define JAR_FILE PRFileDesc *
+/* #define JAR_FOPEN(fn,mode) PR_Open(fn,0,0) */
+#define JAR_FOPEN(fn,mode) JAR_FOPEN_to_PR_Open(fn,mode)
+#define JAR_FCLOSE PR_Close
+#define JAR_FSEEK PR_Seek
+#define JAR_FREAD PR_Read
+#define JAR_FWRITE PR_Write
+
+int jar_create_pk7
+   (CERTCertDBHandle *certdb, void *keydb,
+       CERTCertificate *cert, char *password, JAR_FILE infp, 
+       JAR_FILE outfp);
+
diff --git a/security/nss/lib/jar/jarjart.c b/security/nss/lib/jar/jarjart.c
new file mode 100644
index 000000000..8946fc228
--- /dev/null
+++ b/security/nss/lib/jar/jarjart.c
@@ -0,0 +1,361 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARJART
+ *
+ *  JAR functions used by Jartool
+ */
+
+/* This allows manifest files above 64k to be
+   processed on non-win16 platforms */
+
+#include "jar.h"
+#include "jarint.h"
+#include "jarjart.h"
+#include "blapi.h"	/* JAR is supposed to be above the line!! */
+#include "pk11func.h"	/* PK11 wrapper funcs are all above the line. */
+#include "certdb.h"
+
+/* from certdb.h */
+#define CERTDB_USER (1<<6)
+
+/*
+ *  S O B _ l i s t _ c e r t s
+ *
+ *  Return a list of newline separated certificate nicknames
+ *  (this function used by the Jartool)
+ * 
+ */
+
+static SECStatus jar_list_cert_callback 
+     (CERTCertificate *cert, SECItem *k, void *data)
+  {
+  char *name;
+  char **ugly_list;
+
+  int trusted;
+
+  ugly_list = (char **) data;
+
+  if (cert)
+    {
+    name = cert->nickname;
+
+    trusted = cert->trust->objectSigningFlags & CERTDB_USER;
+
+    /* Add this name or email to list */
+
+    if (name && trusted)
+      {
+      *ugly_list = (char*)PORT_Realloc
+           (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
+
+      if (*ugly_list)
+        {
+        if (**ugly_list)
+          PORT_Strcat (*ugly_list, "\n");
+
+        PORT_Strcat (*ugly_list, name);
+        }
+      }
+    }
+
+  return (SECSuccess);
+  }
+
+/*
+ *  S O B _ J A R _ l i s t _ c e r t s
+ *
+ *  Return a linfeed separated ascii list of certificate
+ *  nicknames for the Jartool.
+ *
+ */
+
+char *JAR_JAR_list_certs (void)
+  {
+  SECStatus status = SECFailure;
+  CERTCertDBHandle *certdb;
+  CERTCertList *certs;
+  CERTCertListNode *node;
+
+  char *ugly_list;
+
+  certdb = JAR_open_database();
+
+  /* a little something */
+  ugly_list = (char*)PORT_ZAlloc (16);
+
+  if (ugly_list)
+    {
+    *ugly_list = 0;
+
+    certs = PK11_ListCerts(PK11CertListUnique, NULL/* pwarg*/);
+    if (certs)
+      {
+	for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
+				node = CERT_LIST_NEXT(node))
+           {
+	    jar_list_cert_callback(node->cert, NULL, (void *)&ugly_list);
+	   }
+	CERT_DestroyCertList(certs);
+	status = SECSuccess;
+       }
+    }
+
+  JAR_close_database (certdb);
+
+  return (status != SECSuccess) ? NULL : ugly_list;
+  }
+
+int JAR_JAR_validate_archive (char *filename)
+  {
+  JAR *jar;
+  int status = -1;
+
+  jar = JAR_new();
+
+  if (jar)
+    {
+    status = JAR_pass_archive (jar, jarArchGuess, filename, "");
+
+    if (status == 0)
+      status = jar->valid;
+
+    JAR_destroy (jar);
+    }
+
+  return status;
+  }
+
+char *JAR_JAR_get_error (int status)
+  {
+  return JAR_get_error (status);
+  }
+
+/*
+ *  S O B _ J A R _  h a s h
+ *
+ *  Hash algorithm interface for use by the Jartool. Since we really
+ *  don't know the private sizes of the context, and Java does need to
+ *  know this number, allocate 512 bytes for it.
+ *
+ *  In april 1997 hashes in this file were changed to call PKCS11,
+ *  as FIPS requires that when a smartcard has failed validation, 
+ *  hashes are not to be performed. But because of the difficulty of
+ *  preserving pointer context between calls to the JAR_JAR hashing
+ *  functions, the hash routines are called directly, though after
+ *  checking to see if hashing is allowed.
+ *
+ */
+
+void *JAR_JAR_new_hash (int alg)
+  {
+  void *context;
+
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
+    return NULL;
+
+  context = PORT_ZAlloc (512);
+
+  if (context)
+    {
+    switch (alg)
+      {
+      case 1:  /* MD5 */
+               md5 = (MD5Context *) context;
+               MD5_Begin (md5);
+               break;
+
+      case 2:  /* SHA1 */
+               sha1 = (SHA1Context *) context;
+               SHA1_Begin (sha1);
+               break;
+      }
+    }
+
+  return context;
+  }
+
+void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
+  {
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
+    return NULL;
+
+  if (length > 0)
+    {
+    switch (alg)
+      {
+      case 1:  /* MD5 */
+               md5 = (MD5Context *) cookie;
+               MD5_Update (md5, (unsigned char*)data, length);
+               break;
+
+      case 2:  /* SHA1 */
+               sha1 = (SHA1Context *) cookie;
+               SHA1_Update (sha1, (unsigned char*)data, length);
+               break;
+      }
+    }
+
+  return cookie;
+  }
+
+void *JAR_JAR_end_hash (int alg, void *cookie)
+  {
+  int length;
+  unsigned char *data;
+  char *ascii; 
+
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  unsigned int md5_length;
+  unsigned char md5_digest [MD5_LENGTH];
+
+  unsigned int sha1_length;
+  unsigned char sha1_digest [SHA1_LENGTH];
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1)) 
+    return NULL;
+
+  switch (alg)
+    {
+    case 1:  /* MD5 */
+
+             md5 = (MD5Context *) cookie;
+
+             MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
+             /* MD5_DestroyContext (md5, PR_TRUE); */
+
+             data = md5_digest;
+             length = md5_length;
+
+             break;
+
+    case 2:  /* SHA1 */
+
+             sha1 = (SHA1Context *) cookie;
+
+             SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
+             /* SHA1_DestroyContext (sha1, PR_TRUE); */
+
+             data = sha1_digest;
+             length = sha1_length;
+
+             break;
+
+    default: return NULL;
+    }
+
+  /* Instead of destroy context, since we created it */
+  /* PORT_Free (cookie); */
+
+  ascii = BTOA_DataToAscii(data, length);
+
+  return ascii ? PORT_Strdup (ascii) : NULL;
+  }
+
+/*
+ *  S O B _ J A R _ s i g n _ a r c h i v e
+ *
+ *  A simple API to sign a JAR archive.
+ *
+ */
+
+int JAR_JAR_sign_archive 
+      (char *nickname, char *password, char *sf, char *outsig)
+  {
+  int status = JAR_ERR_GENERAL;
+  JAR_FILE sf_fp; 
+  JAR_FILE out_fp;
+
+  CERTCertDBHandle *certdb;
+  void *keydb;
+
+  CERTCertificate *cert;
+
+  if (PORT_Strlen (sf) < 5)
+    {
+    return JAR_ERR_GENERAL;
+    }
+
+  /* open cert and key databases */
+
+  certdb = JAR_open_database();
+  if (certdb == NULL)
+    return JAR_ERR_GENERAL;
+
+  keydb = jar_open_key_database();
+  if (keydb == NULL)
+    {
+    JAR_close_database(certdb);
+    return JAR_ERR_GENERAL;
+    }
+
+  sf_fp = JAR_FOPEN (sf, "rb");
+  out_fp = JAR_FOPEN (outsig, "wb");
+
+  cert = CERT_FindCertByNickname (certdb, nickname);
+
+  if (cert && sf_fp && out_fp)
+    {
+    status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
+    }
+
+  /* remove password from prying eyes */
+  PORT_Memset (password, 0, PORT_Strlen (password));
+
+  JAR_FCLOSE (sf_fp);
+  JAR_FCLOSE (out_fp);
+
+  JAR_close_database (certdb);
+  jar_close_key_database (keydb);
+
+  return status;
+  }
diff --git a/security/nss/lib/jar/jarjart.h b/security/nss/lib/jar/jarjart.h
new file mode 100644
index 000000000..4bc700ad0
--- /dev/null
+++ b/security/nss/lib/jar/jarjart.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  jarjart.h
+ *
+ *  Functions for the Jartool, which is written in Java and
+ *  requires wrappers located elsewhere in the client.
+ *
+ *  Do not call these unless you are the Jartool, no matter
+ *  how convenient they may appear.
+ *
+ */
+
+#ifndef _JARJART_H_
+#define _JARJART_H_
+
+/* return a list of certificate nicknames, separated by \n's */
+extern char *JAR_JAR_list_certs (void);
+
+/* validate archive, simple api */
+extern int JAR_JAR_validate_archive (char *filename);
+
+/* begin hash */
+extern void *JAR_JAR_new_hash (int alg);
+
+/* hash a streaming pile */
+extern void *JAR_JAR_hash (int alg, void *cookie, int length, void *data);
+
+/* end hash */
+extern void *JAR_JAR_end_hash (int alg, void *cookie);
+
+/* sign the archive (given an .SF file) with the given cert.
+   The password argument is a relic, PKCS11 now handles that. */
+
+extern int JAR_JAR_sign_archive 
+   (char *nickname, char *password, char *sf, char *outsig);
+
+/* convert status to text */
+extern char *JAR_JAR_get_error (int status);
+
+#endif
diff --git a/security/nss/lib/jar/jarnav.c b/security/nss/lib/jar/jarnav.c
new file mode 100644
index 000000000..58c67df67
--- /dev/null
+++ b/security/nss/lib/jar/jarnav.c
@@ -0,0 +1,110 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARNAV.C
+ *
+ *  JAR stuff needed for client only.
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+/* from proto.h */
+#ifdef MOZILLA_CLIENT_OLD
+extern MWContext *XP_FindSomeContext(void);
+#endif
+
+/* sigh */
+extern MWContext *FE_GetInitContext(void);
+
+/* To return an MWContext for Java */
+static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
+
+/* To fabricate an MWContext for FE_GetPassword */
+static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
+
+/*
+ *  J A R _ i n i t
+ *
+ *  Initialize the JAR functions.
+ * 
+ */
+
+void JAR_init (void)
+  {
+#ifdef MOZILLA_CLIENT_OLD
+  JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
+#else
+  JAR_init_callbacks (XP_GetString, NULL, NULL);
+#endif
+  }
+
+/*
+ *  J A R _ s e t _ c o n t e x t
+ *
+ *  Set the jar window context for use by PKCS11, since
+ *  it may be needed to prompt the user for a password.
+ *
+ */
+
+int JAR_set_context (JAR *jar, MWContext *mw)
+  {
+  if (mw)
+    {
+    jar->mw = mw;
+    }
+  else
+    {
+    /* jar->mw = XP_FindSomeContext(); */
+    jar->mw = NULL;
+
+    /*
+     * We can't find a context because we're in startup state and none
+     * exist yet. go get an FE_InitContext that only works at initialization
+     * time.
+     */
+
+    /* Turn on the mac when we get the FE_ function */
+    if (jar->mw == NULL)
+      {
+      jar->mw = jar_fn_GetInitContext();
+      }
+   }
+
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
new file mode 100644
index 000000000..fb4ad1555
--- /dev/null
+++ b/security/nss/lib/jar/jarsign.c
@@ -0,0 +1,353 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARSIGN
+ *
+ *  Routines used in signing archives.
+ */
+
+
+#include "jar.h"
+#include "jarint.h"
+#include "secpkcs7.h"
+#include "pk11func.h"
+#include "sechash.h"
+
+/* from libevent.h */
+typedef void (*ETVoidPtrFunc) (void * data);
+
+#ifdef MOZILLA_CLIENT_OLD
+
+extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
+
+/* from proto.h */
+/* extern MWContext *XP_FindSomeContext(void); */
+extern void *XP_FindSomeContext(void);
+
+#endif
+
+/* key database wrapper */
+
+/* static SECKEYKeyDBHandle *jar_open_key_database (void); */
+
+/* CHUNQ is our bite size */
+
+#define CHUNQ 64000
+#define FILECHUNQ 32768
+
+/*
+ *  J A R _ c a l c u l a t e _ d i g e s t 
+ *
+ *  Quick calculation of a digest for
+ *  the specified block of memory. Will calculate
+ *  for all supported algorithms, now MD5.
+ *
+ *  This version supports huge pointers for WIN16.
+ * 
+ */
+
+JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
+  {
+  long chunq;
+  JAR_Digest *dig;
+
+  unsigned int md5_length, sha1_length;
+
+  PK11Context *md5  = 0;
+  PK11Context *sha1 = 0;
+
+  dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
+
+  if (dig == NULL) 
+    {
+    /* out of memory allocating digest */
+    return NULL;
+    }
+
+#if defined(XP_WIN16)
+  PORT_Assert ( !IsBadHugeReadPtr(data, length) );
+#endif
+
+  md5  = PK11_CreateDigestContext (SEC_OID_MD5);
+  sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+  if (length >= 0) 
+    {
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    do {
+       chunq = length;
+
+#ifdef XP_WIN16
+       if (length > CHUNQ) chunq = CHUNQ;
+
+       /*
+        *  If the block of data crosses one or more segment 
+        *  boundaries then only pass the chunk of data in the 
+        *  first segment.
+        * 
+        *  This allows the data to be treated as FAR by the
+        *  PK11_DigestOp(...) routine.
+        *
+        */
+
+       if (OFFSETOF(data) + chunq >= 0x10000) 
+         chunq = 0x10000 - OFFSETOF(data);
+#endif
+
+       PK11_DigestOp (md5,  (unsigned char*)data, chunq);
+       PK11_DigestOp (sha1, (unsigned char*)data, chunq);
+
+       length -= chunq;
+       data = ((char ZHUGEP *) data + chunq);
+       } 
+    while (length > 0);
+
+    PK11_DigestFinal (md5,  dig->md5,  &md5_length,  MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5,  PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+    }
+
+  return dig;
+  }
+
+/*
+ *  J A R _ d i g e s t _ f i l e
+ *
+ *  Calculates the MD5 and SHA1 digests for a file 
+ *  present on disk, and returns these in JAR_Digest struct.
+ *
+ */
+
+int JAR_digest_file (char *filename, JAR_Digest *dig)
+    {
+    JAR_FILE fp;
+
+    int num;
+    unsigned char *buf;
+
+    PK11Context *md5 = 0;
+    PK11Context *sha1 = 0;
+
+    unsigned int md5_length, sha1_length;
+
+    buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
+    if (buf == NULL)
+      {
+      /* out of memory */
+      return JAR_ERR_MEMORY;
+      }
+ 
+    if ((fp = JAR_FOPEN (filename, "rb")) == 0)
+      {
+      /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
+      PORT_Free (buf);
+      return JAR_ERR_FNF;
+      }
+
+    md5 = PK11_CreateDigestContext (SEC_OID_MD5);
+    sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+    if (md5 == NULL || sha1 == NULL) 
+      {
+      /* can't generate digest contexts */
+      PORT_Free (buf);
+      JAR_FCLOSE (fp);
+      return JAR_ERR_GENERAL;
+      }
+
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    while (1)
+      {
+      if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
+        break;
+
+      PK11_DigestOp (md5, buf, num);
+      PK11_DigestOp (sha1, buf, num);
+      }
+
+    PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5, PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+
+    PORT_Free (buf);
+    JAR_FCLOSE (fp);
+
+    return 0;
+    }
+
+/*
+ *  J A R _ o p e n _ k e y _ d a t a b a s e
+ *
+ */
+
+void* jar_open_key_database (void)
+  {
+    return NULL;
+  }
+
+int jar_close_key_database (void *keydb)
+  {
+  /* We never do close it */
+  return 0;
+  }
+
+
+/*
+ *  j a r _ c r e a t e _ p k 7
+ *
+ */
+
+static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
+  {
+  JAR_FWRITE ((JAR_FILE) arg, buf, len);
+  }
+
+int jar_create_pk7 
+   (CERTCertDBHandle *certdb, void *keydb, 
+       CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
+  {
+  int nb;
+  unsigned char buffer [4096], digestdata[32];
+  const SECHashObject *hashObj;
+  void *hashcx;
+  unsigned int len;
+
+  int status = 0;
+  char *errstring;
+
+  SECItem digest;
+  SEC_PKCS7ContentInfo *cinfo;
+  SECStatus rv;
+
+  void /*MWContext*/ *mw;
+
+  if (outfp == NULL || infp == NULL || cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* we sign with SHA */
+  hashObj = HASH_GetHashObject(HASH_AlgSHA1);
+
+  hashcx = (* hashObj->create)();
+  if (hashcx == NULL)
+    return JAR_ERR_GENERAL;
+
+  (* hashObj->begin)(hashcx);
+
+  while (1)
+    {
+    /* nspr2.0 doesn't support feof 
+       if (feof (infp)) break; */
+
+    nb = JAR_FREAD (infp, buffer, sizeof (buffer));
+    if (nb == 0) 
+      {
+      /* eof */
+      break;
+      }
+    (* hashObj->update) (hashcx, buffer, nb);
+    }
+
+  (* hashObj->end) (hashcx, digestdata, &len, 32);
+  (* hashObj->destroy) (hashcx, PR_TRUE);
+
+  digest.data = digestdata;
+  digest.len = len;
+
+  /* signtool must use any old context it can find since it's
+     calling from inside javaland. */
+
+#ifdef MOZILLA_CLIENT_OLD
+  mw = XP_FindSomeContext();
+#else
+  mw = NULL;
+#endif
+
+  PORT_SetError (0);
+
+  cinfo = SEC_PKCS7CreateSignedData 
+             (cert, certUsageObjectSigner, NULL, 
+                SEC_OID_SHA1, &digest, NULL, (void *) mw);
+
+  if (cinfo == NULL)
+    return JAR_ERR_PK7;
+
+  rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
+  if (rv != SECSuccess) 
+    {
+    status = PORT_GetError();
+    SEC_PKCS7DestroyContentInfo (cinfo);
+    return status;
+    }
+
+  /* Having this here forces signtool to always include
+     signing time. */
+
+  rv = SEC_PKCS7AddSigningTime (cinfo);
+  if (rv != SECSuccess)
+    {
+    /* don't check error */
+    }
+
+  PORT_SetError (0);
+
+  /* if calling from mozilla thread*/
+  rv = SEC_PKCS7Encode 
+             (cinfo, jar_pk7_out, outfp, 
+                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw);
+
+  if (rv != SECSuccess)
+    status = PORT_GetError();
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  if (rv != SECSuccess)
+    {
+    errstring = JAR_get_error (status);
+    /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
+    return status < 0 ? status : JAR_ERR_GENERAL;
+    }
+
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
new file mode 100644
index 000000000..d8753dc1d
--- /dev/null
+++ b/security/nss/lib/jar/jarver.c
@@ -0,0 +1,1884 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ *  JARVER
+ *
+ *  Jarnature Parsing & Verification
+ */
+
+#include "nssrenam.h"
+#include "jar.h"
+#include "jarint.h"
+#include "certdb.h"
+#include "certt.h"
+#include "secpkcs7.h"
+
+/*#include "cdbhdl.h" */
+#include "secder.h"
+
+/* to use huge pointers in win16 */
+
+#define xp_HUGE_MEMCPY PORT_Memcpy
+#define xp_HUGE_STRCPY PORT_Strcpy
+#define xp_HUGE_STRLEN PORT_Strlen
+#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
+
+/* from certdb.h */
+#define CERTDB_USER (1<<6)
+
+#define SZ 512
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length);
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len);
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
+
+static char ZHUGEP *jar_eat_line 
+     (int lines, int eating, char ZHUGEP *data, long *len);
+
+static JAR_Digest *jar_digest_section 
+     (char ZHUGEP *manifest, long length);
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
+
+static CERTCertificate *jar_get_certificate
+            (JAR *jar, long keylen, void *key, int *result);
+
+static char *jar_cert_element (char *name, char *tag, int occ);
+
+static char *jar_choose_nickname (CERTCertificate *cert);
+
+static char *jar_basename (const char *path);
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname);
+
+#ifdef DEBUG
+static int jar_insanity_check (char ZHUGEP *data, long length);
+#endif
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
+
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
+
+/*
+ *  J A R _ p a r s e _ m a n i f e s t
+ * 
+ *  Pass manifest files to this function. They are
+ *  decoded and placed into internal representations.
+ * 
+ *  Accepts both signature and manifest files. Use
+ *  the same "jar" for both. 
+ *
+ */
+
+int JAR_parse_manifest 
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+{
+  int filename_free = 0;
+
+  /* fill in the path, if supplied. This is a the location
+     of the jar file on disk, if known */
+
+  if (jar->filename == NULL && path)
+    {
+    jar->filename = PORT_Strdup (path);
+    if (jar->filename == NULL)
+      return JAR_ERR_MEMORY;
+    filename_free = 1;
+    }
+
+  /* fill in the URL, if supplied. This is the place
+     from which the jar file was retrieved. */
+
+  if (jar->url == NULL && url)
+    {
+    jar->url = PORT_Strdup (url);
+    if (jar->url == NULL)
+      {
+      if (filename_free)
+        {
+        PORT_Free (jar->filename);
+        }
+      return JAR_ERR_MEMORY;
+      }
+    }
+
+  /* Determine what kind of file this is from the META-INF 
+     directory. It could be MF, SF, or a binary RSA/DSA file */
+
+  if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
+    {
+    return jar_parse_mf (jar, raw_manifest, length, path, url);
+    }
+  else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
+    {
+    return jar_parse_sf (jar, raw_manifest, length, path, url);
+    }
+  else
+    {
+    /* This is probably a binary signature */
+    return jar_parse_sig (jar, path, raw_manifest, length);
+    }
+  }
+
+/*
+ *  j a r _ p a r s e _ s i g
+ *
+ *  Pass some manner of RSA or DSA digital signature
+ *  on, after checking to see if it comes at an appropriate state.
+ *
+ */
+ 
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
+{
+  JAR_Signer *signer;
+  int status = JAR_ERR_ORDER;
+
+  if (length <= 128) 
+    {
+    /* signature is way too small */
+    return JAR_ERR_SIG;
+    }
+
+  /* make sure that MF and SF have already been processed */
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_ORDER;
+
+  /* Determine whether or not this RSA file has
+     has an associated SF file */
+
+  if (path)
+    {
+    char *owner;
+    owner = jar_basename (path);
+
+    if (owner == NULL)
+      return JAR_ERR_MEMORY;
+
+    signer = jar_get_signer (jar, owner);
+
+    PORT_Free (owner);
+    }
+  else
+    signer = jar_get_signer (jar, "*");
+
+  if (signer == NULL)
+    return JAR_ERR_ORDER;
+
+
+  /* Do not pass a huge pointer to this function,
+     since the underlying security code is unaware. We will
+     never pass >64k through here. */
+
+  if (length > 64000)
+    {
+    /* this digital signature is way too big */
+    return JAR_ERR_SIG;
+    }
+
+  /* don't expense unneeded calloc overhead on non-win16 */
+  status = jar_parse_digital_signature 
+                (raw_manifest, signer, length, jar);
+
+  return status;
+  }
+
+/*
+ *  j a r _ p a r s e _ m f
+ *
+ *  Parse the META-INF/manifest.mf file, whose
+ *  information applies to all signers.
+ *
+ */
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  if (jar->globalmeta)
+    {
+    /* refuse a second manifest file, if passed for some reason */
+    return JAR_ERR_ORDER;
+    }
+
+
+  /* remember a digest for the global section */
+
+  jar->globalmeta = jar_digest_section (raw_manifest, length);
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_MEMORY;
+
+
+  return jar_parse_any 
+    (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
+  }
+
+/*
+ *  j a r _ p a r s e _ s f
+ *
+ *  Parse META-INF/xxx.sf, a digitally signed file
+ *  pointing to a subset of MF sections. 
+ *
+ */
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  JAR_Signer *signer = NULL;
+  int status = JAR_ERR_MEMORY;
+
+  if (jar->globalmeta == NULL)
+    {
+    /* It is a requirement that the MF file be passed before the SF file */
+    return JAR_ERR_ORDER;
+    }
+
+  signer = JAR_new_signer();
+
+  if (signer == NULL)
+    goto loser;
+
+  if (path)
+    {
+    signer->owner = jar_basename (path);
+    if (signer->owner == NULL)
+      goto loser;
+    }
+
+
+  /* check for priors. When someone doctors a jar file
+     to contain identical path entries, prevent the second
+     one from affecting JAR functions */
+
+  if (jar_get_signer (jar, signer->owner))
+    {
+    /* someone is trying to spoof us */
+    status = JAR_ERR_ORDER;
+    goto loser;
+    }
+
+
+  /* remember its digest */
+
+  signer->digest = JAR_calculate_digest (raw_manifest, length);
+
+  if (signer->digest == NULL)
+    goto loser;
+
+  /* Add this signer to the jar */
+
+  ADDITEM (jar->signers, jarTypeOwner, 
+     signer->owner, signer, sizeof (JAR_Signer));
+
+
+  return jar_parse_any 
+    (jar, jarTypeSF, signer, raw_manifest, length, path, url);
+
+loser:
+
+  if (signer)
+    JAR_destroy_signer (signer);
+
+  return status;
+  }
+
+/* 
+ *  j a r _ p a r s e _ a n y
+ *
+ *  Parse a MF or SF manifest file. 
+ *
+ */
+ 
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  int status;
+
+  long raw_len;
+
+  JAR_Digest *dig, *mfdig = NULL;
+
+  char line [SZ];
+  char x_name [SZ], x_md5 [SZ], x_sha [SZ];
+
+  char *x_info;
+
+  char *sf_md5 = NULL, *sf_sha1 = NULL;
+
+  *x_name = 0;
+  *x_md5 = 0;
+  *x_sha = 0;
+
+  PORT_Assert( length > 0 );
+  raw_len = length;
+
+#ifdef DEBUG
+  if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
+    return status;
+#endif
+
+
+  /* null terminate the first line */
+  raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
+
+
+  /* skip over the preliminary section */
+  /* This is one section at the top of the file with global metainfo */
+
+  while (raw_len)
+    {
+    JAR_Metainfo *met;
+
+    raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+    if (!*raw_manifest) break;
+
+    met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+    if (met == NULL)
+      return JAR_ERR_MEMORY;
+
+    /* Parse out the header & info */
+
+    if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+      {
+      /* almost certainly nonsense */
+      PORT_Free (met);
+      continue;
+      }
+
+    xp_HUGE_STRCPY (line, raw_manifest);
+    x_info = line;
+
+    while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+      x_info++;
+
+    if (*x_info) *x_info++ = 0;
+
+    while (*x_info == ' ' || *x_info == '\t')
+      x_info++;
+
+    /* metainfo (name, value) pair is now (line, x_info) */
+
+    met->header = PORT_Strdup (line);
+    met->info = PORT_Strdup (x_info);
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->metainfo, jarTypeMeta, 
+         /* pathname */ NULL, met, sizeof (JAR_Metainfo));
+      }
+
+    /* For SF files, this metadata may be the digests
+       of the MF file, still in the "met" structure. */
+
+    if (type == jarTypeSF)
+      {
+      if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        sf_md5 = (char *) met->info;
+
+      if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
+        sf_sha1 = (char *) met->info;
+      }
+
+    if (type != jarTypeMF)
+      {
+      PORT_Free (met->header);
+      if (type != jarTypeSF)
+        {
+        PORT_Free (met->info);
+        }
+      PORT_Free (met);
+      }
+    }
+
+  if (type == jarTypeSF && jar->globalmeta)
+    {
+    /* this is a SF file which may contain a digest of the manifest.mf's 
+       global metainfo. */
+
+    int match = 0;
+    JAR_Digest *glob = jar->globalmeta;
+
+    if (sf_md5)
+      {
+      unsigned int md5_length;
+      unsigned char *md5_digest;
+
+      md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
+      PORT_Assert( md5_length == MD5_LENGTH );
+
+      if (md5_length != MD5_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
+      }
+
+    if (sf_sha1 && match == 0)
+      {
+      unsigned int sha1_length;
+      unsigned char *sha1_digest;
+
+      sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
+      PORT_Assert( sha1_length == SHA1_LENGTH );
+
+      if (sha1_length != SHA1_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
+      }
+
+    if (match != 0)
+      {
+      /* global digest doesn't match, SF file therefore invalid */
+      jar->valid = JAR_ERR_METADATA;
+      return JAR_ERR_METADATA;
+      }
+    }
+
+  /* done with top section of global data */
+
+
+  while (raw_len)
+    {
+    *x_md5 = 0;
+    *x_sha = 0;
+    *x_name = 0;
+
+
+    /* If this is a manifest file, attempt to get a digest of the following section, 
+       without damaging it. This digest will be saved later. */
+
+    if (type == jarTypeMF)
+      {
+      char ZHUGEP *sec;
+      long sec_len = raw_len;
+
+      if (!*raw_manifest || *raw_manifest == '\n')
+        {     
+        /* skip the blank line */ 
+        sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
+        }
+      else
+        sec = raw_manifest;
+
+      if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
+        {
+        if (type == jarTypeMF)
+          mfdig = jar_digest_section (sec, sec_len);
+        else
+          mfdig = NULL;
+        }
+      }
+
+
+    while (raw_len)
+      {
+      raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+      if (!*raw_manifest) break; /* blank line, done with this entry */
+
+      if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+        {
+        /* almost certainly nonsense */
+        continue;
+        }
+
+
+      /* Parse out the name/value pair */
+
+      xp_HUGE_STRCPY (line, raw_manifest);
+      x_info = line;
+
+      while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+        x_info++;
+
+      if (*x_info) *x_info++ = 0;
+
+      while (*x_info == ' ' || *x_info == '\t') 
+        x_info++;
+
+
+      if (!PORT_Strcasecmp (line, "Name"))
+        PORT_Strcpy (x_name, x_info);
+
+      else if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        PORT_Strcpy (x_md5, x_info);
+
+      else if (!PORT_Strcasecmp (line, "SHA1-Digest") 
+                  || !PORT_Strcasecmp (line, "SHA-Digest"))
+        {
+        PORT_Strcpy (x_sha, x_info);
+        }
+
+      /* Algorithm list is meta info we don't care about; keeping it out
+         of metadata saves significant space for large jar files */
+
+      else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
+                    || !PORT_Strcasecmp (line, "Hash-Algorithms"))
+        {
+        continue;
+        }
+
+      /* Meta info is only collected for the manifest.mf file,
+         since the JAR_get_metainfo call does not support identity */
+
+      else if (type == jarTypeMF)
+        {
+        JAR_Metainfo *met;
+
+        /* this is meta-data */
+
+        met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+
+        if (met == NULL)
+          return JAR_ERR_MEMORY;
+
+        /* metainfo (name, value) pair is now (line, x_info) */
+
+        if ((met->header = PORT_Strdup (line)) == NULL)
+          {
+          PORT_Free (met);
+          return JAR_ERR_MEMORY;
+          }
+
+        if ((met->info = PORT_Strdup (x_info)) == NULL)
+          {
+          PORT_Free (met->header);
+          PORT_Free (met);
+          return JAR_ERR_MEMORY;
+          }
+
+        ADDITEM (jar->metainfo, jarTypeMeta, 
+           x_name, met, sizeof (JAR_Metainfo));
+        }
+      }
+
+	if(!x_name || !*x_name) {
+		/* Whatever that was, it wasn't an entry, because we didn't get a name.
+		 * We don't really have anything, so don't record this. */
+		continue;
+	}
+
+    dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
+    if (dig == NULL)
+      return JAR_ERR_MEMORY;
+
+    if (*x_md5 ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
+      PORT_Assert( binary_length == MD5_LENGTH );
+
+      if (binary_length != MD5_LENGTH)
+        {
+        PORT_Free (dig);
+        return JAR_ERR_CORRUPT;
+        }
+
+      memcpy (dig->md5, binary_digest, MD5_LENGTH);
+      dig->md5_status = jarHashPresent;
+      }
+
+    if (*x_sha ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
+      PORT_Assert( binary_length == SHA1_LENGTH );
+
+      if (binary_length != SHA1_LENGTH)
+        {
+        PORT_Free (dig);
+        return JAR_ERR_CORRUPT;
+        }
+
+      memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
+      dig->sha1_status = jarHashPresent;
+      }
+
+    PORT_Assert( type == jarTypeMF || type == jarTypeSF );
+
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else if (type == jarTypeSF)
+      {
+      ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else
+      {
+      PORT_Free (dig);
+      return JAR_ERR_ORDER;
+      }
+
+    /* we're placing these calculated digests of manifest.mf 
+       sections in a list where they can subsequently be forgotten */
+
+    if (type == jarTypeMF && mfdig)
+      {
+      ADDITEM (jar->manifest, jarTypeSect, 
+         x_name, mfdig, sizeof (JAR_Digest));
+
+      mfdig = NULL;
+      }
+
+
+    /* Retrieve our saved SHA1 digest from saved copy and check digests.
+       This is just comparing the digest of the MF section as indicated in
+       the SF file with the one we remembered from parsing the MF file */
+
+    if (type == jarTypeSF)
+      {
+      if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
+        return status;
+      }
+    }
+
+  return 0;
+  }
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
+  {
+  int cv;
+  int status;
+
+  JAR_Digest *savdig;
+
+  savdig = jar_get_mf_digest (jar, x_name);
+
+  if (savdig == NULL)
+    {
+    /* no .mf digest for this pathname */
+    status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
+    if (status < 0) 
+      return 0; /* was continue; */
+    else 
+      return status;
+    }
+
+  /* check for md5 consistency */
+  if (dig->md5_status)
+    {
+    cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
+    /* md5 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->md5_status = jarHashBad;
+      savdig->md5_status = jarHashBad;
+
+      if (status < 0) 
+        return 0; /* was continue; */
+      else 
+        return status;
+      }
+    }
+
+  /* check for sha1 consistency */
+  if (dig->sha1_status)
+    {
+    cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
+    /* sha1 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->sha1_status = jarHashBad;
+      savdig->sha1_status = jarHashBad;
+
+      if (status < 0)
+        return 0; /* was continue; */
+      else
+        return status;
+      }
+    }
+	return 0;
+  }
+
+#ifdef DEBUG
+/*
+ *  j a r _ i n s a n i t y _ c h e c k
+ *
+ *  Check for illegal characters (or possibly so)
+ *  in the manifest files, to detect potential memory
+ *  corruption by our neighbors. Debug only, since
+ *  not I18N safe.
+ * 
+ */
+
+static int jar_insanity_check (char ZHUGEP *data, long length)
+  {
+  int c;
+  long off;
+
+  for (off = 0; off < length; off++)
+    {
+    c = data [off];
+
+    if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
+      continue;
+
+    return JAR_ERR_CORRUPT;
+    }
+
+  return 0;
+  }
+#endif
+
+/*
+ *  j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
+ *
+ *  Parse an RSA or DSA (or perhaps other) digital signature.
+ *  Right now everything is PKCS7.
+ *
+ */
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
+  {
+  return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
+  }
+
+/*
+ *  j a r _ a d d _ c e r t
+ * 
+ *  Add information for the given certificate
+ *  (or whatever) to the JAR linked list. A pointer
+ *  is passed for some relevant reference, say
+ *  for example the original certificate.
+ *
+ */
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
+  {
+  JAR_Cert *fing;
+  unsigned char *keyData;
+
+  if (cert == NULL)
+    return JAR_ERR_ORDER;
+
+  fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
+
+  if (fing == NULL)
+    goto loser;
+
+  fing->cert = CERT_DupCertificate (cert);
+
+  /* get the certkey */
+
+  fing->length = cert->derIssuer.len + 2 + cert->serialNumber.len;
+
+  keyData = (unsigned char *) PORT_ZAlloc (fing->length);
+  fing->key = keyData;
+
+  if (fing->key == NULL)
+    goto loser;
+  keyData[0] = ((cert->derIssuer.len) >> 8) & 0xff;
+  keyData[1] = ((cert->derIssuer.len) & 0xff);
+  PORT_Memcpy (&keyData[2], cert->derIssuer.data, cert->derIssuer.len);
+  PORT_Memcpy (&keyData[2+cert->derIssuer.len], cert->serialNumber.data,
+						 cert->serialNumber.len);
+
+  ADDITEM (signer->certs, type, 
+    /* pathname */ NULL, fing, sizeof (JAR_Cert));
+
+  return 0;
+
+loser:
+
+  if (fing)
+    {
+    if (fing->cert) 
+      CERT_DestroyCertificate (fing->cert);
+
+    PORT_Free (fing);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
+/*
+ *  e a t _ l i n e 
+ *
+ *  Consume an ascii line from the top of a file kept
+ *  in memory. This destroys the file in place. This function
+ *  handles PC, Mac, and Unix style text files.
+ *
+ */
+
+static char ZHUGEP *jar_eat_line 
+    (int lines, int eating, char ZHUGEP *data, long *len)
+  {
+  char ZHUGEP *ret;
+
+  ret = data;
+  if (!*len) return ret;
+
+  /* Eat the requisite number of lines, if any; 
+     prior to terminating the current line with a 0. */
+
+  for (/* yip */ ; lines; lines--)
+    {
+    while (*data && *data != '\n')
+      data++;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      data++;
+
+    /* If there are zeros, we put them there */
+
+    while (*data == 0 && data - ret < *len)
+      data++;
+    }
+
+  *len -= data - ret;
+  ret = data;
+
+  if (eating)
+    {
+    /* Terminate this line with a 0 */ 
+
+    while (*data && *data != '\n' && *data != '\r')
+      data++;
+
+    /* In any case we are allowed to eat CR */
+
+    if (*data == '\r')
+      *data++ = 0;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      *data++ = 0;
+    }
+
+  return ret;
+  }
+
+/*
+ *  j a r _ d i g e s t _ s e c t i o n
+ *
+ *  Return the digests of the next section of the manifest file.
+ *  Does not damage the manifest file, unlike parse_manifest.
+ * 
+ */
+
+static JAR_Digest *jar_digest_section 
+    (char ZHUGEP *manifest, long length)
+  {
+  long global_len;
+  char ZHUGEP *global_end;
+
+  global_end = manifest;
+  global_len = length;
+
+  while (global_len)
+    {
+    global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
+    if (*global_end == 0 || *global_end == '\n')
+      break;
+    }
+
+  return JAR_calculate_digest (manifest, global_end - manifest);
+  }
+
+/*
+ *  J A R _ v e r i f y _ d i g e s t
+ *
+ *  Verifies that a precalculated digest matches the
+ *  expected value in the manifest.
+ *
+ */
+
+int PR_CALLBACK JAR_verify_digest
+    (JAR *jar, const char *name, JAR_Digest *dig)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *shindig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  int result1, result2;
+
+  list = jar->hashes;
+
+  result1 = result2 = 0;
+
+  if (jar->valid < 0)
+    {
+    /* signature not valid */
+    return JAR_ERR_SIG;
+    }
+
+  if (ZZ_ListEmpty (list))
+    {
+    /* empty list */
+    return JAR_ERR_PNF;
+    }
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeMF 
+           && it->pathname && !PORT_Strcmp (it->pathname, name))
+      {
+      shindig = (JAR_Digest *) it->data;
+
+      if (shindig->md5_status)
+        {
+        if (shindig->md5_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
+        }
+
+      if (shindig->sha1_status)
+        {
+        if (shindig->sha1_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
+        }
+
+      return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
+      }
+    }
+
+  return JAR_ERR_PNF;
+  }
+
+/* 
+ *  J A R _ c e r t _ a t t r i b u t e
+ *
+ *  Return the named certificate attribute from the
+ *  certificate specified by the given key.
+ *
+ */
+
+int PR_CALLBACK JAR_cert_attribute
+    (JAR *jar, jarCert attrib, long keylen, void *key, 
+        void **result, unsigned long *length)
+  {
+  int status = 0;
+  char *ret = NULL;
+
+  CERTCertificate *cert;
+
+  CERTCertDBHandle *certdb;
+
+  JAR_Digest *dig;
+  SECItem hexme;
+
+  *length = 0;
+
+  if (attrib == 0 || key == 0)
+    return JAR_ERR_GENERAL;
+
+  if (attrib == jarCertJavaHack)
+    {
+    cert = (CERTCertificate *) NULL;
+    certdb = JAR_open_database();
+
+    if (certdb)
+      {
+      cert = CERT_FindCertByNickname (certdb, key);
+
+      if (cert)
+        {
+        *length = cert->certKey.len;
+
+        *result = (void *) PORT_ZAlloc (*length);
+
+        if (*result)
+          PORT_Memcpy (*result, cert->certKey.data, *length);
+        else
+          {
+          JAR_close_database (certdb);
+          return JAR_ERR_MEMORY;
+          }
+        }
+      JAR_close_database (certdb);
+      }
+
+    return cert ? 0 : JAR_ERR_GENERAL;
+    }
+
+  if (jar && jar->pkcs7 == 0)
+    return JAR_ERR_GENERAL;
+
+  cert = jar_get_certificate (jar, keylen, key, &status);
+
+  if (cert == NULL || status < 0)
+    return JAR_ERR_GENERAL;
+
+#define SEP " <br> "
+#define SEPLEN (PORT_Strlen(SEP))
+
+  switch (attrib)
+    {
+    case jarCertCompany:
+
+      ret = cert->subjectName;
+
+      /* This is pretty ugly looking but only used
+         here for this one purpose. */
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+	cer_cn  = CERT_GetCommonName (&cert->subject);
+        cer_e   = CERT_GetCertEmailAddress (&cert->subject);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->subject);
+        cer_l   = CERT_GetCountryName (&cert->subject);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+      break;
+
+    case jarCertCA:
+
+      ret = cert->issuerName;
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+        /* This is pretty ugly looking but only used
+           here for this one purpose. */
+
+	cer_cn  = CERT_GetCommonName (&cert->issuer);
+        cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->issuer);
+        cer_l   = CERT_GetCountryName (&cert->issuer);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+
+      break;
+
+    case jarCertSerial:
+
+      ret = CERT_Hexify (&cert->serialNumber, 1);
+      break;
+
+    case jarCertExpires:
+
+      ret = DER_UTCDayToAscii (&cert->validity.notAfter);
+      break;
+
+    case jarCertNickname:
+
+      ret = jar_choose_nickname (cert);
+      break;
+
+    case jarCertFinger:
+
+      dig = JAR_calculate_digest 
+         ((char *) cert->derCert.data, cert->derCert.len);
+
+      if (dig)
+        {
+        hexme.len = sizeof (dig->md5);
+        hexme.data = dig->md5;
+        ret = CERT_Hexify (&hexme, 1);
+        }
+      break;
+
+    default:
+
+      return JAR_ERR_GENERAL;
+    }
+
+  *result = ret ? PORT_Strdup (ret) : NULL;
+  *length = ret ? PORT_Strlen (ret) : 0;
+
+  return 0;
+  }
+
+/* 
+ *  j a r  _ c e r t _ e l e m e n t
+ *
+ *  Retrieve an element from an x400ish ascii
+ *  designator, in a hackish sort of way. The right
+ *  thing would probably be to sort AVATags.
+ *
+ */
+
+static char *jar_cert_element (char *name, char *tag, int occ)
+  {
+  if (name && tag)
+    {
+    char *s;
+    int found = 0;
+
+    while (occ--)
+      {
+      if (PORT_Strstr (name, tag))
+        {
+        name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
+        found = 1;
+        }
+      else
+        {
+        name = PORT_Strstr (name, "=");
+        if (name == NULL) return NULL;
+        found = 0;
+        }
+      }
+
+    if (!found) return NULL;
+
+    /* must mangle only the copy */
+    name = PORT_Strdup (name);
+
+    /* advance to next equal */
+    for (s = name; *s && *s != '='; s++)
+      /* yip */ ;
+
+    /* back up to previous comma */
+    while (s > name && *s != ',') s--;
+
+    /* zap the whitespace and return */
+    *s = 0;
+    }
+
+  return name;
+  }
+
+/* 
+ *  j a r _ c h o o s e _ n i c k n a m e
+ *
+ *  Attempt to determine a suitable nickname for
+ *  a certificate with a computer-generated "tmpcertxxx" 
+ *  nickname. It needs to be something a user can
+ *  understand, so try a few things.
+ *
+ */
+
+static char *jar_choose_nickname (CERTCertificate *cert)
+  {
+  char *cert_cn;
+  char *cert_o;
+  char *cert_cn_o;
+
+  int cn_o_length;
+
+  /* is the existing name ok */
+
+  if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
+    return PORT_Strdup (cert->nickname);
+
+  /* we have an ugly name here people */
+
+  /* Try the CN */
+  cert_cn = CERT_GetCommonName (&cert->subject);
+
+  if (cert_cn)
+    {
+    /* check for duplicate nickname */
+
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
+      return cert_cn;
+
+    /* Try the CN plus O */
+    cert_o = CERT_GetOrgName (&cert->subject);
+
+    cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
+    cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
+
+    PR_snprintf (cert_cn_o, cn_o_length, 
+           "%s's %s Certificate", cert_cn, cert_o);
+
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
+      {
+      PORT_Free (cert_cn_o);
+      return cert_cn;
+      }
+    PORT_Free (cert_cn_o);
+    }
+
+  /* If all that failed, use the ugly nickname */
+  return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
+  }
+
+/*
+ *  J A R _ c e r t _ h t m l 
+ *
+ *  Return an HTML representation of the certificate
+ *  designated by the given fingerprint, in specified style.
+ *
+ *  JAR is optional, but supply it if you can in order
+ *  to optimize.
+ *
+ */
+
+char *JAR_cert_html
+    (JAR *jar, int style, long keylen, void *key, int *result)
+  {
+  CERTCertificate *cert;
+
+  *result = -1;
+
+  if (style != 0)
+    return NULL;
+
+  cert = jar_get_certificate (jar, keylen, key, result);
+
+  if (cert == NULL || *result < 0)
+    return NULL;
+
+  *result = -1;
+
+   return NULL;
+  }
+
+/*
+ *  J A R _ s t a s h _ c e r t
+ *
+ *  Stash the certificate pointed to by this
+ *  fingerprint, in persistent storage somewhere.
+ *
+ */
+
+extern int PR_CALLBACK JAR_stash_cert
+    (JAR *jar, long keylen, void *key)
+  {
+  int result = 0;
+
+  char *nickname;
+  CERTCertTrust trust;
+
+  CERTCertDBHandle *certdb;
+  CERTCertificate *cert, *newcert;
+
+  cert = jar_get_certificate (jar, keylen, key, &result);
+
+  if (result < 0)
+    return result;
+
+  if (cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  if ((certdb = JAR_open_database()) == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* Attempt to give a name to the newish certificate */
+  nickname = jar_choose_nickname (cert);
+
+  newcert = CERT_FindCertByNickname (certdb, nickname);
+
+  if (newcert && newcert->isperm) 
+    {
+    /* already in permanant database */
+    JAR_close_database (certdb);
+    return 0;
+    }
+
+  if (newcert) cert = newcert;
+
+  /* FIX, since FindCert returns a bogus dbhandle
+     set it ourselves */
+
+  cert->dbhandle = certdb;
+
+  if (nickname != NULL)
+    {
+    PORT_Memset ((void *) &trust, 0, sizeof(trust));
+
+    if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) 
+      {
+      /* XXX might want to call PORT_GetError here */
+      result = JAR_ERR_GENERAL;
+      }
+    }
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  J A R _ f e t c h _ c e r t
+ *
+ *  Given an opaque identifier of a certificate, 
+ *  return the full certificate.
+ *
+ * The new function, which retrieves by key.
+ *
+ */
+
+void *JAR_fetch_cert (long length, void *key)
+  {
+  CERTIssuerAndSN issuerSN;
+  CERTCertificate *cert = NULL;
+
+  CERTCertDBHandle *certdb;
+
+  certdb = JAR_open_database();
+
+  if (certdb)
+    {
+    unsigned char *keyData = (unsigned char *)key;
+    issuerSN.derIssuer.len = (keyData[0] << 8) + keyData[0];
+    issuerSN.derIssuer.data = &keyData[2];
+    issuerSN.serialNumber.len = length - (2 + issuerSN.derIssuer.len);
+    issuerSN.serialNumber.data = &keyData[2+issuerSN.derIssuer.len];
+
+    cert = CERT_FindCertByIssuerAndSN (certdb, &issuerSN);
+
+    JAR_close_database (certdb);
+    }
+
+  return (void *) cert;
+  }
+
+/*
+ *  j a r _ g e t _ m f _ d i g e s t
+ *
+ *  Retrieve a corresponding saved digest over a section
+ *  of the main manifest file. 
+ *
+ */
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *dig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  list = jar->manifest;
+
+  if (ZZ_ListEmpty (list))
+    return NULL;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeSect 
+          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
+      {
+      dig = (JAR_Digest *) it->data;
+      return dig;
+      }
+    }
+
+  return NULL;
+  }
+
+/*
+ *  j a r _ b a s e n a m e
+ *
+ *  Return the basename -- leading components of path stripped off,
+ *  extension ripped off -- of a path.
+ *
+ */
+
+static char *jar_basename (const char *path)
+  {
+  char *pith, *e, *basename, *ext;
+
+  if (path == NULL)
+    return PORT_Strdup ("");
+
+  pith = PORT_Strdup (path);
+
+  basename = pith;
+
+  while (1)
+    {
+    for (e = basename; *e && *e != '/' && *e != '\\'; e++)
+      /* yip */ ;
+    if (*e) 
+      basename = ++e; 
+    else
+      break;
+    }
+
+  if ((ext = PORT_Strrchr (basename, '.')) != NULL)
+    *ext = 0;
+
+  /* We already have the space allocated */
+  PORT_Strcpy (pith, basename);
+
+  return pith;
+  }
+
+/*
+ *  + + + + + + + + + + + + + + +
+ *
+ *  CRYPTO ROUTINES FOR JAR
+ *
+ *  The following functions are the cryptographic 
+ *  interface to PKCS7 for Jarnatures.
+ *
+ *  + + + + + + + + + + + + + + +
+ *
+ */
+
+/*
+ *  j a r _ c a t c h _ b y t e s
+ *
+ *  In the event signatures contain enveloped data, it will show up here.
+ *  But note that the lib/pkcs7 routines aren't ready for it.
+ *
+ */
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len)
+  {
+  /* Actually this should never be called, since there is
+     presumably no data in the signature itself. */
+  }
+
+/*
+ *  j a r _ v a l i d a t e _ p k c s 7
+ *
+ *  Validate (and decode, if necessary) a binary pkcs7
+ *  signature in DER format.
+ *
+ */
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length)
+{
+
+  SEC_PKCS7ContentInfo *cinfo = NULL;
+  SEC_PKCS7DecoderContext *dcx;
+  PRBool goodSig;
+  int status = 0;
+  SECItem detdig;
+
+  PORT_Assert( jar != NULL && signer != NULL );
+
+  if (jar == NULL || signer == NULL)
+    return JAR_ERR_ORDER;
+
+  signer->valid = JAR_ERR_SIG;
+
+  /* We need a context if we can get one */
+
+#ifdef MOZILLA_CLIENT_OLD
+  if (jar->mw == NULL) {
+    JAR_set_context (jar, NULL);
+  }
+#endif
+
+
+  dcx = SEC_PKCS7DecoderStart
+           (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
+            NULL, NULL, NULL);
+
+  if (dcx == NULL) 
+    {
+    /* strange pkcs7 failure */
+    return JAR_ERR_PK7;
+    }
+
+  SEC_PKCS7DecoderUpdate (dcx, data, length);
+  cinfo = SEC_PKCS7DecoderFinish (dcx);
+
+  if (cinfo == NULL)
+    {
+    /* strange pkcs7 failure */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsEncrypted (cinfo))
+    {
+    /* content was encrypted, fail */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
+    {
+    /* content was not signed, fail */
+    return JAR_ERR_PK7;
+    }
+
+  PORT_SetError (0);
+
+  /* use SHA1 only */
+
+  detdig.len = SHA1_LENGTH;
+  detdig.data = signer->digest->sha1;
+
+  goodSig = SEC_PKCS7VerifyDetachedSignature(cinfo, certUsageObjectSigner, 
+                                             &detdig, HASH_AlgSHA1, PR_FALSE);
+  jar_gather_signers (jar, signer, cinfo);
+  if (goodSig == PR_TRUE)
+    {
+    /* signature is valid */
+    signer->valid = 0;
+    }
+  else
+    {
+    status = PORT_GetError();
+
+    PORT_Assert( status < 0 );
+    if (status >= 0) status = JAR_ERR_SIG;
+
+    jar->valid = status;
+    signer->valid = status;
+    }
+
+  jar->pkcs7 = PR_TRUE;
+  signer->pkcs7 = PR_TRUE;
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  return status;
+}
+
+/*
+ *  j a r _ g a t h e r _ s i g n e r s
+ *
+ *  Add the single signer of this signature to the
+ *  certificate linked list.
+ *
+ */
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
+  {
+  int result;
+
+  CERTCertificate *cert;
+  CERTCertDBHandle *certdb;
+
+  SEC_PKCS7SignedData *sdp;
+  SEC_PKCS7SignerInfo **pksigners, *pksigner;
+
+  sdp = cinfo->content.signedData;
+
+  if (sdp == NULL)
+    return JAR_ERR_PK7;
+
+  pksigners = sdp->signerInfos;
+
+  /* permit exactly one signer */
+
+  if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
+    return JAR_ERR_PK7;
+
+  pksigner = *pksigners;
+  cert = pksigner->cert;
+
+  if (cert == NULL)
+    return JAR_ERR_PK7;
+
+  certdb = JAR_open_database();
+
+  if (certdb == NULL)
+    return JAR_ERR_GENERAL;
+
+  result = jar_add_cert (jar, signer, jarTypeSign, cert);
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  j a r _ o p e n _ d a t a b a s e
+ *
+ *  Open the certificate database,
+ *  for use by JAR functions.
+ *
+ */
+
+CERTCertDBHandle *JAR_open_database (void)
+  {
+  CERTCertDBHandle *certdb;
+
+  certdb = CERT_GetDefaultCertDB();
+
+  return certdb;
+  }
+
+/*
+ *  j a r _ c l o s e _ d a t a b a s e
+ *
+ *  Close the certificate database.
+ *  For use by JAR functions.
+ *
+ */
+
+int JAR_close_database (CERTCertDBHandle *certdb)
+  {
+  return 0;
+  }
+
+/*
+ *  j a r _ g e t _ c e r t i f i c a t e
+ *
+ *  Return the certificate referenced
+ *  by a given fingerprint, or NULL if not found.
+ *  Error code is returned in result.
+ *
+ */
+
+static CERTCertificate *jar_get_certificate
+      (JAR *jar, long keylen, void *key, int *result)
+  {
+  int found = 0;
+
+  JAR_Item *it;
+  JAR_Cert *fing = NULL;
+
+  JAR_Context *ctx;
+
+  if (jar == NULL) 
+    {
+    void *cert;
+    cert = JAR_fetch_cert (keylen, key);
+    *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
+    return (CERTCertificate *) cert;
+    }
+
+  ctx = JAR_find (jar, NULL, jarTypeSign);
+
+  while (JAR_find_next (ctx, &it) >= 0)
+    {
+    fing = (JAR_Cert *) it->data;
+
+    if (keylen != fing->length)
+      continue;
+
+    PORT_Assert( keylen < 0xFFFF );
+    if (!PORT_Memcmp (fing->key, key, keylen))
+      {
+      found = 1;
+      break;
+      }
+    }
+
+  JAR_find_end (ctx);
+
+  if (found == 0)
+    {
+    *result = JAR_ERR_GENERAL;
+    return NULL;
+    }
+
+  PORT_Assert(fing != NULL);
+  *result = 0;
+  return fing->cert;
+  }
+
+/*
+ *  j a r _ s i g n a l
+ *
+ *  Nonfatal errors come here to callback Java.
+ *  
+ */
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname)
+  {
+  char *errstring;
+
+  errstring = JAR_get_error (status);
+
+  if (jar->signal)
+    {
+    (*jar->signal) (status, jar, metafile, pathname, errstring);
+    return 0;
+    }
+
+  return status;
+  }
+
+/*
+ *  j a r _ a p p e n d
+ *
+ *  Tack on an element to one of a JAR's linked
+ *  lists, with rudimentary error handling.
+ *
+ */
+
+int jar_append (ZZList *list, int type, 
+        char *pathname, void *data, size_t size)
+  {
+  JAR_Item *it;
+  ZZLink *entity;
+
+  it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+
+  if (it == NULL)
+    goto loser;
+
+  if (pathname)
+    {
+    it->pathname = PORT_Strdup (pathname);
+    if (it->pathname == NULL)
+      goto loser;
+    }
+
+  it->type = (jarType)type;
+  it->data = (unsigned char *) data;
+  it->size = size;
+
+  entity = ZZ_NewLink (it);
+
+  if (entity)
+    {
+    ZZ_AppendLink (list, entity);
+    return 0;
+    }
+
+loser:
+
+  if (it)
+    {
+    if (it->pathname) PORT_Free (it->pathname);
+    PORT_Free (it);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
diff --git a/security/nss/lib/jar/jzconf.h b/security/nss/lib/jar/jzconf.h
new file mode 100644
index 000000000..278aaa5d5
--- /dev/null
+++ b/security/nss/lib/jar/jzconf.h
@@ -0,0 +1,190 @@
+/* zconf.h -- configuration of the zlib compression library
+ * Copyright (C) 1995-1996 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+/* This file was modified since it was taken from the zlib distribution */
+/* $Id$ */
+
+#ifndef _ZCONF_H
+#define _ZCONF_H
+
+/*
+ * If you *really* need a unique prefix for all types and library functions,
+ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ */
+#ifdef Z_PREFIX
+#  define deflateInit_	z_deflateInit_
+#  define deflate	z_deflate
+#  define deflateEnd	z_deflateEnd
+#  define inflateInit_ 	z_inflateInit_
+#  define inflate	z_inflate
+#  define inflateEnd	z_inflateEnd
+#  define deflateInit2_	z_deflateInit2_
+#  define deflateSetDictionary z_deflateSetDictionary
+#  define deflateCopy	z_deflateCopy
+#  define deflateReset	z_deflateReset
+#  define deflateParams	z_deflateParams
+#  define inflateInit2_	z_inflateInit2_
+#  define inflateSetDictionary z_inflateSetDictionary
+#  define inflateSync	z_inflateSync
+#  define inflateReset	z_inflateReset
+#  define compress	z_compress
+#  define uncompress	z_uncompress
+#  define adler32	z_adler32
+#  define crc32		z_crc32
+#  define get_crc_table z_get_crc_table
+
+#  define Byte		z_Byte
+#  define uInt		z_uInt
+#  define uLong		z_uLong
+#  define Bytef	        z_Bytef
+#  define charf		z_charf
+#  define intf		z_intf
+#  define uIntf		z_uIntf
+#  define uLongf	z_uLongf
+#  define voidpf	z_voidpf
+#  define voidp		z_voidp
+#endif
+
+#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
+#  define WIN32
+#endif
+#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
+#  ifndef __32BIT__
+#    define __32BIT__
+#  endif
+#endif
+#if defined(__MSDOS__) && !defined(MSDOS)
+#  define MSDOS
+#endif
+
+/*
+ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
+ * than 64k bytes at a time (needed on systems with 16-bit int).
+ */
+#if defined(MSDOS) && !defined(__32BIT__)
+#  define MAXSEG_64K
+#endif
+#ifdef MSDOS
+#  define UNALIGNED_OK
+#endif
+
+#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32) || defined(XP_OS2))  && !defined(STDC)
+#  define STDC
+#endif
+#if (defined(__STDC__) || defined(__cplusplus)) && !defined(STDC)
+#  define STDC
+#endif
+
+#ifndef STDC
+#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
+#    define const
+#  endif
+#endif
+
+/* Some Mac compilers merge all .h files incorrectly: */
+#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
+#  define NO_DUMMY_DECL
+#endif
+
+/* Maximum value for memLevel in deflateInit2 */
+#ifndef MAX_MEM_LEVEL
+#  ifdef MAXSEG_64K
+#    define MAX_MEM_LEVEL 8
+#  else
+#    define MAX_MEM_LEVEL 9
+#  endif
+#endif
+
+/* Maximum value for windowBits in deflateInit2 and inflateInit2 */
+#ifndef MAX_WBITS
+#  define MAX_WBITS   15 /* 32K LZ77 window */
+#endif
+
+/* The memory requirements for deflate are (in bytes):
+            1 << (windowBits+2)   +  1 << (memLevel+9)
+ that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
+ plus a few kilobytes for small objects. For example, if you want to reduce
+ the default memory requirements from 256K to 128K, compile with
+     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
+ Of course this will generally degrade compression (there's no free lunch).
+
+   The memory requirements for inflate are (in bytes) 1 << windowBits
+ that is, 32K for windowBits=15 (default value) plus a few kilobytes
+ for small objects.
+*/
+
+                        /* Type declarations */
+
+#ifndef OF /* function prototypes */
+#  ifdef STDC
+#    define OF(args)  args
+#  else
+#    define OF(args)  ()
+#  endif
+#endif
+
+/* The following definitions for FAR are needed only for MSDOS mixed
+ * model programming (small or medium model with some far allocations).
+ * This was tested only with MSC; for other MSDOS compilers you may have
+ * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
+ * just define FAR to be empty.
+ */
+#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
+   /* MSC small or medium model */
+#  define SMALL_MEDIUM
+#  ifdef _MSC_VER
+#    define FAR __far
+#  else
+#    define FAR far
+#  endif
+#endif
+#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
+#  ifndef __32BIT__
+#    define SMALL_MEDIUM
+#    define FAR __far
+#  endif
+#endif
+#ifndef FAR
+#   define FAR
+#endif
+
+typedef unsigned char  Byte;  /* 8 bits */
+typedef unsigned int   uInt;  /* 16 bits or more */
+typedef unsigned long  uLong; /* 32 bits or more */
+
+#if defined(__BORLANDC__) && defined(SMALL_MEDIUM)
+   /* Borland C/C++ ignores FAR inside typedef */
+#  define Bytef Byte FAR
+#else
+   typedef Byte  FAR Bytef;
+#endif
+typedef char  FAR charf;
+typedef int   FAR intf;
+typedef uInt  FAR uIntf;
+typedef uLong FAR uLongf;
+
+#ifdef STDC
+   typedef void FAR *voidpf;
+   typedef void     *voidp;
+#else
+   typedef Byte FAR *voidpf;
+   typedef Byte     *voidp;
+#endif
+
+#ifdef MOZILLA_CLIENT
+#include "prtypes.h"
+#else
+/* Compile with -DZLIB_DLL for Windows DLL support */
+#if (defined(_WINDOWS) || defined(WINDOWS)) && defined(ZLIB_DLL)
+#  include <windows.h>
+#  define EXPORT  WINAPI
+#else
+#  define EXPORT
+#endif
+
+#define PR_PUBLIC_API(type) type
+
+#endif /* MOZILLA_CLIENT */
+
+#endif /* _ZCONF_H */
diff --git a/security/nss/lib/jar/jzlib.h b/security/nss/lib/jar/jzlib.h
new file mode 100644
index 000000000..dd5b4d8e9
--- /dev/null
+++ b/security/nss/lib/jar/jzlib.h
@@ -0,0 +1,896 @@
+/* zlib.h -- interface of the 'zlib' general purpose compression library
+  version 1.0.4, Jul 24th, 1996.
+
+  Copyright (C) 1995-1996 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  gzip@prep.ai.mit.edu    madler@alumni.caltech.edu
+
+
+  The data format used by the zlib library is described by RFCs (Request for
+  Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
+  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
+*/
+/* This file was modified since it was taken from the zlib distribution */
+
+#ifndef _ZLIB_H
+#define _ZLIB_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef MOZILLA_CLIENT
+#include "jzconf.h"
+#else
+#include "zconf.h"
+#endif
+
+#define ZLIB_VERSION "1.0.4"
+
+/* 
+     The 'zlib' compression library provides in-memory compression and
+  decompression functions, including integrity checks of the uncompressed
+  data.  This version of the library supports only one compression method
+  (deflation) but other algorithms may be added later and will have the same
+  stream interface.
+
+     For compression the application must provide the output buffer and
+  may optionally provide the input buffer for optimization. For decompression,
+  the application must provide the input buffer and may optionally provide
+  the output buffer for optimization.
+
+     Compression can be done in a single step if the buffers are large
+  enough (for example if an input file is mmap'ed), or can be done by
+  repeated calls of the compression function.  In the latter case, the
+  application must provide more input and/or consume the output
+  (providing more output space) before each call.
+
+     The library does not install any signal handler. It is recommended to
+  add at least a handler for SIGSEGV when decompressing; the library checks
+  the consistency of the input data whenever possible but may go nuts
+  for some forms of corrupted input.
+*/
+
+typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
+typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
+
+struct internal_state;
+
+typedef struct z_stream_s {
+    Bytef    *next_in;  /* next input byte */
+    uInt     avail_in;  /* number of bytes available at next_in */
+    uLong    total_in;  /* total nb of input bytes read so far */
+
+    Bytef    *next_out; /* next output byte should be put there */
+    uInt     avail_out; /* remaining free space at next_out */
+    uLong    total_out; /* total nb of bytes output so far */
+
+    char     *msg;      /* last error message, NULL if no error */
+    struct internal_state FAR *state; /* not visible by applications */
+
+    alloc_func zalloc;  /* used to allocate the internal state */
+    free_func  zfree;   /* used to free the internal state */
+    voidpf     opaque;  /* private data object passed to zalloc and zfree */
+
+    int     data_type;  /* best guess about the data type: ascii or binary */
+    uLong   adler;      /* adler32 value of the uncompressed data */
+    uLong   reserved;   /* reserved for future use */
+} z_stream;
+
+typedef z_stream FAR *z_streamp;
+
+/*
+   The application must update next_in and avail_in when avail_in has
+   dropped to zero. It must update next_out and avail_out when avail_out
+   has dropped to zero. The application must initialize zalloc, zfree and
+   opaque before calling the init function. All other fields are set by the
+   compression library and must not be updated by the application.
+
+   The opaque value provided by the application will be passed as the first
+   parameter for calls of zalloc and zfree. This can be useful for custom
+   memory management. The compression library attaches no meaning to the
+   opaque value.
+
+   zalloc must return Z_NULL if there is not enough memory for the object.
+   On 16-bit systems, the functions zalloc and zfree must be able to allocate
+   exactly 65536 bytes, but will not be required to allocate more than this
+   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
+   pointers returned by zalloc for objects of exactly 65536 bytes *must*
+   have their offset normalized to zero. The default allocation function
+   provided by this library ensures this (see zutil.c). To reduce memory
+   requirements and avoid any allocation of 64K objects, at the expense of
+   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
+
+   The fields total_in and total_out can be used for statistics or
+   progress reports. After compression, total_in holds the total size of
+   the uncompressed data and may be saved for use in the decompressor
+   (particularly if the decompressor wants to decompress everything in
+   a single step).
+*/
+
+                        /* constants */
+
+#define Z_NO_FLUSH      0
+#define Z_PARTIAL_FLUSH 1
+#define Z_SYNC_FLUSH    2
+#define Z_FULL_FLUSH    3
+#define Z_FINISH        4
+/* Allowed flush values; see deflate() below for details */
+
+#define Z_OK            0
+#define Z_STREAM_END    1
+#define Z_NEED_DICT     2
+#define Z_ERRNO        (-1)
+#define Z_STREAM_ERROR (-2)
+#define Z_DATA_ERROR   (-3)
+#define Z_MEM_ERROR    (-4)
+#define Z_BUF_ERROR    (-5)
+#define Z_VERSION_ERROR (-6)
+/* Return codes for the compression/decompression functions. Negative
+ * values are errors, positive values are used for special but normal events.
+ */
+
+#define Z_NO_COMPRESSION         0
+#define Z_BEST_SPEED             1
+#define Z_BEST_COMPRESSION       9
+#define Z_DEFAULT_COMPRESSION  (-1)
+/* compression levels */
+
+#define Z_FILTERED            1
+#define Z_HUFFMAN_ONLY        2
+#define Z_DEFAULT_STRATEGY    0
+/* compression strategy; see deflateInit2() below for details */
+
+#define Z_BINARY   0
+#define Z_ASCII    1
+#define Z_UNKNOWN  2
+/* Possible values of the data_type field */
+
+#define Z_DEFLATED   8
+/* The deflate compression method (the only one supported in this version) */
+
+#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
+
+#define zlib_version zlibVersion()
+/* for compatibility with versions < 1.0.2 */
+
+                        /* basic functions */
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern const char *) zlibVersion (void);
+#else
+extern const char * EXPORT zlibVersion OF((void));
+#endif
+/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
+   If the first character differs, the library code actually used is
+   not compatible with the zlib.h header file used by the application.
+   This check is automatically made by deflateInit and inflateInit.
+ */
+
+/* 
+extern int EXPORT deflateInit OF((z_streamp strm, int level));
+
+     Initializes the internal stream state for compression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.
+   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
+   use default allocation functions.
+
+     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
+   1 gives best speed, 9 gives best compression, 0 gives no compression at
+   all (the input data is simply copied a block at a time).
+   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
+   compression (currently equivalent to level 6).
+
+     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
+   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
+   with the version assumed by the caller (ZLIB_VERSION).
+   msg is set to null if there is no error message.  deflateInit does not
+   perform any compression: this will be done by deflate().
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflate (z_streamp strm, int flush);
+#else
+extern int EXPORT deflate OF((z_streamp strm, int flush));
+#endif
+/*
+  Performs one or both of the following actions:
+
+  - Compress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in and avail_in are updated and
+    processing will resume at this point for the next call of deflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly. This action is forced if the parameter flush is non zero.
+    Forcing flush frequently degrades the compression ratio, so this parameter
+    should be set only when necessary (in interactive applications).
+    Some output may be provided even if flush is not set.
+
+  Before the call of deflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating avail_in or avail_out accordingly; avail_out
+  should never be zero before the call. The application can consume the
+  compressed output when it wants, for example when the output buffer is full
+  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
+  and with zero avail_out, it must be called again after making room in the
+  output buffer because there might be more output pending.
+
+    If the parameter flush is set to Z_PARTIAL_FLUSH, the current compression
+  block is terminated and flushed to the output buffer so that the
+  decompressor can get all input data available so far. For method 9, a future
+  variant on method 8, the current block will be flushed but not terminated.
+  Z_SYNC_FLUSH has the same effect as partial flush except that the compressed
+  output is byte aligned (the compressor can clear its internal bit buffer)
+  and the current block is always terminated; this can be useful if the
+  compressor has to be restarted from scratch after an interruption (in which
+  case the internal state of the compressor may be lost).
+    If flush is set to Z_FULL_FLUSH, the compression block is terminated, a
+  special marker is output and the compression dictionary is discarded; this
+  is useful to allow the decompressor to synchronize if one compressed block
+  has been damaged (see inflateSync below).  Flushing degrades compression and
+  so should be used only when necessary.  Using Z_FULL_FLUSH too often can
+  seriously degrade the compression. If deflate returns with avail_out == 0,
+  this function must be called again with the same value of the flush
+  parameter and more output space (updated avail_out), until the flush is
+  complete (deflate returns with non-zero avail_out).
+
+    If the parameter flush is set to Z_FINISH, pending input is processed,
+  pending output is flushed and deflate returns with Z_STREAM_END if there
+  was enough output space; if deflate returns with Z_OK, this function must be
+  called again with Z_FINISH and more output space (updated avail_out) but no
+  more input data, until it returns with Z_STREAM_END or an error. After
+  deflate has returned Z_STREAM_END, the only possible operations on the
+  stream are deflateReset or deflateEnd.
+  
+    Z_FINISH can be used immediately after deflateInit if all the compression
+  is to be done in a single step. In this case, avail_out must be at least
+  0.1% larger than avail_in plus 12 bytes.  If deflate does not return
+  Z_STREAM_END, then it must be called again as described above.
+
+    deflate() may update data_type if it can make a good guess about
+  the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
+  binary. This field is only for information purposes and does not affect
+  the compression algorithm in any manner.
+
+    deflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if all input has been
+  consumed and all output has been produced (only when flush is set to
+  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
+  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible.
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateEnd (z_streamp strm);
+#else
+extern int EXPORT deflateEnd OF((z_streamp strm));
+#endif
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
+   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
+   prematurely (some input or output was discarded). In the error case,
+   msg may be set but then points to a static string (which must not be
+   deallocated).
+*/
+
+
+/* 
+extern int EXPORT inflateInit OF((z_streamp strm));
+
+     Initializes the internal stream state for decompression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.  If
+   zalloc and zfree are set to Z_NULL, inflateInit updates them to use default
+   allocation functions.
+
+     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_VERSION_ERROR if the zlib library version is incompatible
+   with the version assumed by the caller.  msg is set to null if there is no
+   error message. inflateInit does not perform any decompression: this will be
+   done by inflate().
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflate (z_streamp strm, int flush);
+#else
+extern int EXPORT inflate OF((z_streamp strm, int flush));
+#endif
+/*
+  Performs one or both of the following actions:
+
+  - Decompress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in is updated and processing
+    will resume at this point for the next call of inflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly.  inflate() provides as much output as possible, until there
+    is no more input data or no more space in the output buffer (see below
+    about the flush parameter).
+
+  Before the call of inflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating the next_* and avail_* values accordingly.
+  The application can consume the uncompressed output when it wants, for
+  example when the output buffer is full (avail_out == 0), or after each
+  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
+  must be called again after making room in the output buffer because there
+  might be more output pending.
+
+    If the parameter flush is set to Z_PARTIAL_FLUSH, inflate flushes as much
+  output as possible to the output buffer. The flushing behavior of inflate is
+  not specified for values of the flush parameter other than Z_PARTIAL_FLUSH
+  and Z_FINISH, but the current implementation actually flushes as much output
+  as possible anyway.
+
+    inflate() should normally be called until it returns Z_STREAM_END or an
+  error. However if all decompression is to be performed in a single step
+  (a single call of inflate), the parameter flush should be set to
+  Z_FINISH. In this case all pending input is processed and all pending
+  output is flushed; avail_out must be large enough to hold all the
+  uncompressed data. (The size of the uncompressed data may have been saved
+  by the compressor for this purpose.) The next operation on this stream must
+  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
+  is never required, but can be used to inform inflate that a faster routine
+  may be used for the single inflate() call.
+
+    inflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if the end of the
+  compressed data has been reached and all uncompressed output has been
+  produced, Z_NEED_DICT if a preset dictionary is needed at this point (see
+  inflateSetDictionary below), Z_DATA_ERROR if the input data was corrupted,
+  Z_STREAM_ERROR if the stream structure was inconsistent (for example if
+  next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
+  Z_BUF_ERROR if no progress is possible or if there was not enough room in
+  the output buffer when Z_FINISH is used. In the Z_DATA_ERROR case, the
+  application may then call inflateSync to look for a good compression block.
+  In the Z_NEED_DICT case, strm->adler is set to the Adler32 value of the
+  dictionary chosen by the compressor.
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateEnd (z_streamp strm);
+#else
+extern int EXPORT inflateEnd OF((z_streamp strm));
+#endif
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
+   was inconsistent. In the error case, msg may be set but then points to a
+   static string (which must not be deallocated).
+*/
+
+                        /* Advanced functions */
+
+/*
+    The following functions are needed only in some special applications.
+*/
+
+/*   
+extern int EXPORT deflateInit2 OF((z_streamp strm,
+                                   int  level,
+                                   int  method,
+                                   int  windowBits,
+                                   int  memLevel,
+                                   int  strategy));
+
+     This is another version of deflateInit with more compression options. The
+   fields next_in, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The method parameter is the compression method. It must be Z_DEFLATED in
+   this version of the library. (Method 9 will allow a 64K history buffer and
+   partial block flushes.)
+
+     The windowBits parameter is the base two logarithm of the window size
+   (the size of the history buffer).  It should be in the range 8..15 for this
+   version of the library (the value 16 will be allowed for method 9). Larger
+   values of this parameter result in better compression at the expense of
+   memory usage. The default value is 15 if deflateInit is used instead.
+
+     The memLevel parameter specifies how much memory should be allocated
+   for the internal compression state. memLevel=1 uses minimum memory but
+   is slow and reduces compression ratio; memLevel=9 uses maximum memory
+   for optimal speed. The default value is 8. See zconf.h for total memory
+   usage as a function of windowBits and memLevel.
+
+     The strategy parameter is used to tune the compression algorithm. Use the
+   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
+   filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
+   string match).  Filtered data consists mostly of small values with a
+   somewhat random distribution. In this case, the compression algorithm is
+   tuned to compress them better. The effect of Z_FILTERED is to force more
+   Huffman coding and less string matching; it is somewhat intermediate
+   between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
+   the compression ratio but not the correctness of the compressed output even
+   if it is not set appropriately.
+
+     If next_in is not null, the library will use this buffer to hold also
+   some history information; the buffer must either hold the entire input
+   data, or have at least 1<<(windowBits+1) bytes and be writable. If next_in
+   is null, the library will allocate its own history buffer (and leave next_in
+   null). next_out need not be provided here but must be provided by the
+   application for the next call of deflate().
+
+     If the history buffer is provided by the application, next_in must
+   must never be changed by the application since the compressor maintains
+   information inside this buffer from call to call; the application
+   must provide more input only by increasing avail_in. next_in is always
+   reset by the library in this case.
+
+      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
+   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
+   an invalid method). msg is set to null if there is no error message.
+   deflateInit2 does not perform any compression: this will be done by
+   deflate(). 
+*/
+                            
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateSetDictionary (z_streamp strm,
+                                           const Bytef *dictionary,
+				           uInt  dictLength);
+#else
+extern int EXPORT deflateSetDictionary OF((z_streamp strm,
+                                           const Bytef *dictionary,
+				           uInt  dictLength));
+#endif
+/*
+     Initializes the compression dictionary (history buffer) from the given
+   byte sequence without producing any compressed output. This function must
+   be called immediately after deflateInit or deflateInit2, before any call
+   of deflate. The compressor and decompressor must use exactly the same
+   dictionary (see inflateSetDictionary).
+     The dictionary should consist of strings (byte sequences) that are likely
+   to be encountered later in the data to be compressed, with the most commonly
+   used strings preferably put towards the end of the dictionary. Using a
+   dictionary is most useful when the data to be compressed is short and
+   can be predicted with good accuracy; the data can then be compressed better
+   than with the default empty dictionary. In this version of the library,
+   only the last 32K bytes of the dictionary are used.
+     Upon return of this function, strm->adler is set to the Adler32 value
+   of the dictionary; the decompressor may later use this value to determine
+   which dictionary has been used by the compressor. (The Adler32 value
+   applies to the whole dictionary even if only a subset of the dictionary is
+   actually used by the compressor.)
+
+     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state
+   is inconsistent (for example if deflate has already been called for this
+   stream). deflateSetDictionary does not perform any compression: this will
+   be done by deflate(). 
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateCopy (z_streamp dest, z_streamp source);
+#else
+extern int EXPORT deflateCopy OF((z_streamp dest, z_streamp source));
+#endif
+/*
+     Sets the destination stream as a complete copy of the source stream.  If
+   the source stream is using an application-supplied history buffer, a new
+   buffer is allocated for the destination stream.  The compressed output
+   buffer is always application-supplied. It's the responsibility of the
+   application to provide the correct values of next_out and avail_out for the
+   next call of deflate.
+
+     This function can be useful when several compression strategies will be
+   tried, for example when there are several ways of pre-processing the input
+   data with a filter. The streams that will be discarded should then be freed
+   by calling deflateEnd.  Note that deflateCopy duplicates the internal
+   compression state which can be quite large, so this strategy is slow and
+   can consume lots of memory.
+
+     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
+   (such as zalloc being NULL). msg is left unchanged in both source and
+   destination.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateReset (z_streamp strm);
+#else
+extern int EXPORT deflateReset OF((z_streamp strm));
+#endif
+/*
+     This function is equivalent to deflateEnd followed by deflateInit,
+   but does not free and reallocate all the internal compression state.
+   The stream will keep the same compression level and any other attributes
+   that may have been set by deflateInit2.
+
+      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateParams (z_streamp strm, int level, int strategy);
+#else
+extern int EXPORT deflateParams OF((z_streamp strm, int level, int strategy));
+#endif
+/*
+     Dynamically update the compression level and compression strategy.
+   This can be used to switch between compression and straight copy of
+   the input data, or to switch to a different kind of input data requiring
+   a different strategy. If the compression level is changed, the input
+   available so far is compressed with the old level (and may be flushed);
+   the new level will take effect only at the next call of deflate().
+
+     Before the call of deflateParams, the stream state must be set as for
+   a call of deflate(), since the currently available input may have to
+   be compressed and flushed. In particular, strm->avail_out must be non-zero.
+
+     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
+   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
+   if strm->avail_out was zero.
+*/
+
+/*   
+extern int EXPORT inflateInit2 OF((z_streamp strm,
+                                   int  windowBits));
+
+     This is another version of inflateInit with more compression options. The
+   fields next_out, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The windowBits parameter is the base two logarithm of the maximum window
+   size (the size of the history buffer).  It should be in the range 8..15 for
+   this version of the library (the value 16 will be allowed soon). The
+   default value is 15 if inflateInit is used instead. If a compressed stream
+   with a larger window size is given as input, inflate() will return with
+   the error code Z_DATA_ERROR instead of trying to allocate a larger window.
+
+     If next_out is not null, the library will use this buffer for the history
+   buffer; the buffer must either be large enough to hold the entire output
+   data, or have at least 1<<windowBits bytes.  If next_out is null, the
+   library will allocate its own buffer (and leave next_out null). next_in
+   need not be provided here but must be provided by the application for the
+   next call of inflate().
+
+     If the history buffer is provided by the application, next_out must
+   never be changed by the application since the decompressor maintains
+   history information inside this buffer from call to call; the application
+   can only reset next_out to the beginning of the history buffer when
+   avail_out is zero and all output has been consumed.
+
+      inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
+   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
+   windowBits < 8). msg is set to null if there is no error message.
+   inflateInit2 does not perform any decompression: this will be done by
+   inflate().
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateSetDictionary (z_streamp strm,
+				           const Bytef *dictionary,
+					   uInt  dictLength);
+#else
+extern int EXPORT inflateSetDictionary OF((z_streamp strm,
+				           const Bytef *dictionary,
+					   uInt  dictLength));
+#endif
+/*
+     Initializes the decompression dictionary (history buffer) from the given
+   uncompressed byte sequence. This function must be called immediately after
+   a call of inflate if this call returned Z_NEED_DICT. The dictionary chosen
+   by the compressor can be determined from the Adler32 value returned by this
+   call of inflate. The compressor and decompressor must use exactly the same
+   dictionary (see deflateSetDictionary).
+
+     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
+   expected one (incorrect Adler32 value). inflateSetDictionary does not
+   perform any decompression: this will be done by subsequent calls of
+   inflate().
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateSync (z_streamp strm);
+#else
+extern int EXPORT inflateSync OF((z_streamp strm));
+#endif
+/* 
+    Skips invalid compressed data until the special marker (see deflate()
+  above) can be found, or until all available input is skipped. No output
+  is provided.
+
+    inflateSync returns Z_OK if the special marker has been found, Z_BUF_ERROR
+  if no more input was provided, Z_DATA_ERROR if no marker has been found,
+  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
+  case, the application may save the current current value of total_in which
+  indicates where valid compressed data was found. In the error case, the
+  application may repeatedly call inflateSync, providing more input each time,
+  until success or end of the input data.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateReset (z_streamp strm);
+#else
+extern int EXPORT inflateReset OF((z_streamp strm));
+#endif
+/*
+     This function is equivalent to inflateEnd followed by inflateInit,
+   but does not free and reallocate all the internal decompression state.
+   The stream will keep attributes that may have been set by inflateInit2.
+
+      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+
+                        /* utility functions */
+
+/*
+     The following utility functions are implemented on top of the
+   basic stream-oriented functions. To simplify the interface, some
+   default options are assumed (compression level, window size,
+   standard memory allocation functions). The source code of these
+   utility functions can easily be modified if you need special options.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) compress (Bytef *dest,   uLongf *destLen,
+			       const Bytef *source, uLong sourceLen);
+#else
+extern int EXPORT compress OF((Bytef *dest,   uLongf *destLen,
+			       const Bytef *source, uLong sourceLen));
+#endif
+/*
+     Compresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be at least 0.1% larger than
+   sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
+   compressed buffer.
+     This function can be used to compress a whole file at once if the
+   input file is mmap'ed.
+     compress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) uncompress (Bytef *dest,   uLongf *destLen,
+				 const Bytef *source, uLong sourceLen);
+#else
+extern int EXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
+				 const Bytef *source, uLong sourceLen));
+#endif
+/*
+     Decompresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be large enough to hold the
+   entire uncompressed data. (The size of the uncompressed data must have
+   been saved previously by the compressor and transmitted to the decompressor
+   by some mechanism outside the scope of this compression library.)
+   Upon exit, destLen is the actual size of the compressed buffer.
+     This function can be used to decompress a whole file at once if the
+   input file is mmap'ed.
+
+     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer, or Z_DATA_ERROR if the input data was corrupted.
+*/
+
+
+typedef voidp gzFile;
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern gzFile) gzopen  (const char *path, const char *mode);
+#else
+extern gzFile EXPORT gzopen  OF((const char *path, const char *mode));
+#endif
+/*
+     Opens a gzip (.gz) file for reading or writing. The mode parameter
+   is as in fopen ("rb" or "wb") but can also include a compression level
+   ("wb9").  gzopen can be used to read a file which is not in gzip format;
+   in this case gzread will directly read from the file without decompression.
+     gzopen returns NULL if the file could not be opened or if there was
+   insufficient memory to allocate the (de)compression state; errno
+   can be checked to distinguish the two cases (if errno is zero, the
+   zlib error is Z_MEM_ERROR).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern gzFile) gzdopen  (int fd, const char *mode);
+#else
+extern gzFile EXPORT gzdopen  OF((int fd, const char *mode));
+#endif
+/*
+     gzdopen() associates a gzFile with the file descriptor fd.  File
+   descriptors are obtained from calls like open, dup, creat, pipe or
+   fileno (in the file has been previously opened with fopen).
+   The mode parameter is as in gzopen.
+     The next call of gzclose on the returned gzFile will also close the
+   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
+   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
+     gzdopen returns NULL if there was insufficient memory to allocate
+   the (de)compression state.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzread  (gzFile file, voidp buf, unsigned len);
+#else
+extern int EXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
+#endif
+/*
+     Reads the given number of uncompressed bytes from the compressed file.
+   If the input file was not in gzip format, gzread copies the given number
+   of bytes into the buffer.
+     gzread returns the number of uncompressed bytes actually read (0 for
+   end of file, -1 for error). */
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzwrite (gzFile file, const voidp buf, unsigned len);
+#else
+extern int EXPORT    gzwrite OF((gzFile file, const voidp buf, unsigned len));
+#endif
+/*
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of uncompressed bytes actually written
+   (0 in case of error).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzflush (gzFile file, int flush);
+#else
+extern int EXPORT    gzflush OF((gzFile file, int flush));
+#endif
+/*
+     Flushes all pending output into the compressed file. The parameter
+   flush is as in the deflate() function. The return value is the zlib
+   error number (see function gzerror below). gzflush returns Z_OK if
+   the flush parameter is Z_FINISH and all output could be flushed.
+     gzflush should be called only when strictly necessary because it can
+   degrade compression.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzclose (gzFile file);
+#else
+extern int EXPORT    gzclose OF((gzFile file));
+#endif
+/*
+     Flushes all pending output if necessary, closes the compressed file
+   and deallocates all the (de)compression state. The return value is the zlib
+   error number (see function gzerror below).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern const char *) gzerror (gzFile file, int *errnum);
+#else
+extern const char * EXPORT gzerror OF((gzFile file, int *errnum));
+#endif
+/*
+     Returns the error message for the last error which occurred on the
+   given compressed file. errnum is set to zlib error number. If an
+   error occurred in the file system and not in the compression library,
+   errnum is set to Z_ERRNO and the application may consult errno
+   to get the exact error code.
+*/
+
+                        /* checksum functions */
+
+/*
+     These functions are not related to compression but are exported
+   anyway because they might be useful in applications using the
+   compression library.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern uLong) adler32 (uLong adler, const Bytef *buf, uInt len);
+#else
+extern uLong EXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
+#endif
+
+/*
+     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
+   return the updated checksum. If buf is NULL, this function returns
+   the required initial value for the checksum.
+   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
+   much faster. Usage example:
+
+     uLong adler = adler32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       adler = adler32(adler, buffer, length);
+     }
+     if (adler != original_adler) error();
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern uLong) crc32   (uLong crc, const Bytef *buf, uInt len);
+#else
+extern uLong EXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
+#endif
+/*
+     Update a running crc with the bytes buf[0..len-1] and return the updated
+   crc. If buf is NULL, this function returns the required initial value
+   for the crc. Pre- and post-conditioning (one's complement) is performed
+   within this function so it shouldn't be done by the application.
+   Usage example:
+
+     uLong crc = crc32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       crc = crc32(crc, buffer, length);
+     }
+     if (crc != original_crc) error();
+*/
+
+
+                        /* various hacks, don't look :) */
+
+/* deflateInit and inflateInit are macros to allow checking the zlib version
+ * and the compiler's view of z_stream:
+ */
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateInit_ (z_streamp strm, int level, const char *version, 
+					int stream_size);
+PR_PUBLIC_API(extern int) inflateInit_ (z_streamp strm, const char *version, 
+					int stream_size);
+PR_PUBLIC_API(extern int) deflateInit2_ (z_streamp strm, int  level, int  method, 
+					 int windowBits, int memLevel, int strategy, 
+					 const char *version, int stream_size);
+PR_PUBLIC_API(extern int) inflateInit2_ (z_streamp strm, int  windowBits, 
+					 const char *version, int stream_size);
+#else
+extern int EXPORT deflateInit_ OF((z_streamp strm, int level, const char *version, 
+				   int stream_size));
+extern int EXPORT inflateInit_ OF((z_streamp strm, const char *version, 
+				   int stream_size));
+extern int EXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method, 
+				    int windowBits, int memLevel, int strategy, 
+				    const char *version, int stream_size));
+extern int EXPORT inflateInit2_ OF((z_streamp strm, int  windowBits, 
+				    const char *version, int stream_size));
+#endif /* MOZILLA_CLIENT */
+
+
+#define deflateInit(strm, level) \
+        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit(strm) \
+        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
+#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
+        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
+		      (strategy),           ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit2(strm, windowBits) \
+        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
+
+#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
+    struct internal_state {int dummy;}; /* hack for buggy compilers */
+#endif
+
+uLongf *get_crc_table OF((void)); /* can be used by asm versions of crc32() */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ZLIB_H */
diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn
new file mode 100644
index 000000000..d6e70872d
--- /dev/null
+++ b/security/nss/lib/jar/manifest.mn
@@ -0,0 +1,60 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+MODULE = nss
+
+LIBRARY_NAME = jar
+
+CORE_DEPTH = ../../..
+
+CSRCS =	\
+	jarver.c \
+	jarsign.c \
+	jar.c \
+	jar-ds.c \
+	jarfile.c \
+	jarjart.c \
+	jarint.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+EXPORTS	 = jar.h jar-ds.h jarfile.h
+
+DEFINES = -DMOZILLA_CLIENT=1
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/libpkix/Makefile b/security/nss/lib/libpkix/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/config.mk b/security/nss/lib/libpkix/config.mk
new file mode 100755
index 000000000..289ac6eea
--- /dev/null
+++ b/security/nss/lib/libpkix/config.mk
@@ -0,0 +1,49 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+#  DEFINES+=-DPKIX_LISTDEBUG Can be used to turn on debug compilation
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/include/Makefile b/security/nss/lib/libpkix/include/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/include/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/include/config.mk b/security/nss/lib/libpkix/include/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/include/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/include/manifest.mn b/security/nss/lib/libpkix/include/manifest.mn
new file mode 100755
index 000000000..57163667c
--- /dev/null
+++ b/security/nss/lib/libpkix/include/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix.h \
+	pkix_crlsel.h \
+	pkix_errorstrings.h \
+	pkix_results.h \
+	pkixt.h \
+	pkix_certsel.h \
+	pkix_params.h \
+	pkix_revchecker.h \
+	pkix_certstore.h \
+	pkix_pl_pki.h \
+	pkix_sample_modules.h \
+	pkix_checker.h \
+	pkix_pl_system.h \
+	pkix_util.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	$(NULL)
+
+REQUIRES = dbm
diff --git a/security/nss/lib/libpkix/include/pkix.h b/security/nss/lib/libpkix/include/pkix.h
new file mode 100755
index 000000000..0be4c50e7
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix.h
@@ -0,0 +1,334 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines the public API for libpkix. These are the top-level
+ * functions in the library. They perform the primary operations of this
+ * library: building and validating chains of X.509 certificates.
+ *
+ */
+
+#ifndef _PKIX_H
+#define _PKIX_H
+
+#include "pkixt.h"
+#include "pkix_util.h"
+#include "pkix_params.h"
+#include "pkix_results.h"
+#include "pkix_certstore.h"
+#include "pkix_certsel.h"
+#include "pkix_crlsel.h"
+#include "pkix_checker.h"
+#include "pkix_revchecker.h"
+#include "pkix_pl_system.h"
+#include "pkix_pl_pki.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/*
+ * FUNCTION: PKIX_Initialize
+ * DESCRIPTION:
+ *
+ * No PKIX_* types and functions should be used before this function is called
+ * and returns successfully. This function should only be called once. If it
+ * is called more than once, the behavior is undefined.
+ *
+ * NSS applications are expected to call NSS_Init, and need not know that
+ * NSS will call this function (with "platformInitNeeded" set to PKIX_FALSE).
+ * PKIX applications are expected instead to call this function with
+ * "platformInitNeeded" set to PKIX_TRUE.
+ *
+ * This function initializes data structures critical to the operation of
+ * libpkix. It also ensures that the API version (major.minor) desired by the
+ * caller (the "desiredMajorVersion", "minDesiredMinorVersion", and
+ * "maxDesiredMinorVersion") is compatible with the API version supported by
+ * the library. As such, the library must support the "desiredMajorVersion"
+ * of the API and must support a minor version that falls between
+ * "minDesiredMinorVersion" and "maxDesiredMinorVersion", inclusive. If
+ * compatibility exists, the function returns NULL and stores the library's
+ * actual minor version at "pActualMinorVersion" (which may be greater than
+ * "desiredMinorVersion"). If no compatibility exists, the function returns a
+ * PKIX_Error pointer. If the caller wishes to specify that the largest
+ * minor version available should be used, then maxDesiredMinorVersion should
+ * be set to the macro PKIX_MAX_MINOR_VERSION (defined in pkixt.h).
+ *
+ * PARAMETERS:
+ *  "platformInitNeeded"
+ *      Boolean indicating whether the platform layer initialization code
+ *      has previously been run, or should be called from this function.
+ *  "desiredMajorVersion"
+ *      The major version of the libpkix API the application wishes to use.
+ *  "minDesiredMinorVersion"
+ *      The minimum minor version of the libpkix API the application wishes
+ *      to use.
+ *  "maxDesiredMinorVersion"
+ *      The maximum minor version of the libpkix API the application wishes
+ *      to use.
+ *  "pActualMinorVersion"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "pPlContext"
+ *      Address at which platform-specific context pointer is stored. Must
+ *      be non-NULL.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Initialize Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Initialize(
+        PKIX_Boolean platformInitNeeded,
+        PKIX_UInt32 desiredMajorVersion,
+        PKIX_UInt32 minDesiredMinorVersion,
+        PKIX_UInt32 maxDesiredMinorVersion,
+        PKIX_UInt32 *pActualMinorVersion,
+        void **pPlContext);
+
+/*
+ * FUNCTION: PKIX_Shutdown
+ * DESCRIPTION:
+ *
+ *  This function deallocates any memory used by libpkix and shuts down any
+ *  ongoing operations. This function should only be called once. If it is
+ *  called more than once, the behavior is undefined.
+ *
+ *  No PKIX_* types and functions should be used after this function is called
+ *  and returns successfully.
+ * PARAMETERS:
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Shutdown(void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateChain
+ * DESCRIPTION:
+ *
+ *  This function attempts to validate the CertChain that has been set in the
+ *  ValidateParams pointed to by "params" using an RFC 3280-compliant
+ *  algorithm. If successful, this function returns NULL and stores the
+ *  ValidateResult at "pResult", which holds additional information, such as
+ *  the policy tree and the target's public key. If unsuccessful, an Error is
+ *  returned. Note: This function does not currently support non-blocking I/O.
+ *
+ *  If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which
+ *  tracks the results of the validation. That is, either each node in the
+ *  chain has a NULL Error component, or the last node contains an Error
+ *  which indicates why the validation failed.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ValidateParams used to validate CertChain. Must be non-NULL.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "pVerifyTree"
+ *      Address where a VerifyTree is stored, if non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (See Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateChain(
+        PKIX_ValidateParams *params,
+        PKIX_ValidateResult **pResult,
+	PKIX_VerifyNode **pVerifyTree,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateChain_NB
+ * DESCRIPTION:
+ *
+ *  This function is the equivalent of PKIX_ValidateChain, except that it
+ *  supports non-blocking I/O. When called with "pNBIOContext" pointing to NULL
+ *  it initiates a new chain validation as in PKIX_ValidateChain, ignoring the
+ *  value in all input variables except "params". If forced to suspend
+ *  processing by a WOULDBLOCK return from some operation, such as a CertStore
+ *  request, it stores the platform-dependent I/O context at "pNBIOContext" and
+ *  stores other intermediate variables at "pCertIndex", "pAnchorIndex", 
+ *  "pCheckerIndex", "pRevChecking", and "pCheckers".
+ *
+ *  When called subsequently with that non-NULL value at "pNBIOContext", it
+ *  relies on those intermediate values to be untouched, and it resumes chain
+ *  validation where it left off. Its behavior is undefined if any of the
+ *  intermediate values was not preserved.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ValidateParams used to validate CertChain. Must be non-NULL.
+ *  "pCertIndex"
+ *      The UInt32 value of the index to the Cert chain, indicating which Cert
+ *      is currently being processed.
+ *  "pAnchorIndex"
+ *      The UInt32 value of the index to the Anchor chain, indicating which
+ *      Trust Anchor is currently being processed.
+ *  "pCheckerIndex"
+ *      The UInt32 value of the index to the List of CertChainCheckers,
+ *      indicating which Checker is currently processing.
+ *  "pRevChecking"
+ *      The Boolean flag indicating whether normal checking or revocation
+ *      checking is occurring for the Cert indicated by "pCertIndex".
+ *  "pCheckers"
+ *      The address of the List of CertChainCheckers. Must be non-NULL.
+ *  "pNBIOContext"
+ *      The address of the platform-dependend I/O context. Must be a non-NULL
+ *      pointer to a NULL value for the call to initiate chain validation.
+ *  "pResult"
+ *      Address where ValidateResult object pointer will be stored. Must be
+ *      non-NULL.
+ *  "pVerifyTree"
+ *      Address where a VerifyTree is stored, if non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a VALIDATE Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */PKIX_Error *
+PKIX_ValidateChain_NB(
+	PKIX_ValidateParams *params,
+	PKIX_UInt32 *pCertIndex,
+	PKIX_UInt32 *pAnchorIndex,
+	PKIX_UInt32 *pCheckerIndex,
+	PKIX_Boolean *pRevChecking,
+	PKIX_List **pCheckers,
+	void **pNBIOContext,
+	PKIX_ValidateResult **pResult,
+	PKIX_VerifyNode **pVerifyTree,
+	void *plContext);
+
+/*
+ * FUNCTION: PKIX_BuildChain
+ * DESCRIPTION:
+ *
+ *  If called with a NULL "state", this function attempts to build and validate
+ *  a CertChain according to the ProcessingParams pointed to by "params", using
+ *  an RFC 3280-compliant validation algorithm. If successful, this function
+ *  returns NULL and stores the BuildResult at "pResult", which holds the built
+ *  CertChain, as well as additional information, such as the policy tree and
+ *  the target's public key. If unsuccessful, an Error is returned.
+ *
+ *  If the chain building is blocked by a CertStore using non-blocking I/O, this
+ *  function stores platform-dependent non-blocking I/O context at
+ *  "pNBIOContext", its state at "pState", and NULL at "pResult". The caller
+ *  may be able to determine, in a platform-dependent way, when the I/O has
+ *  completed. In any case, calling the function again with "pState" containing
+ *  the returned value will allow the chain building to resume.
+ *
+ *  If chain building is completed, either successfully or unsuccessfully, NULL
+ *  is stored at "pNBIOContext".
+ *
+ *  If "pVerifyTree" is non-NULL, a tree of VerifyNodes is created which
+ *  tracks the results of the building. That is, each node of the tree either
+ *  has a NULL Error component, or it is a leaf node and it contains an Error
+ *  which indicates why the chain building could not proceed on this branch.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to build and validate CertChain.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address where platform-dependent information is store if the build
+ *      is suspended waiting for non-blocking I/O. Must be non-NULL.
+ *  "pState"
+ *      Address of BuildChain state. Must be NULL on initial call, and the
+ *      value previously returned on subsequent calls.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "pVerifyTree"
+ *      Address where a VerifyTree is stored, if non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (See Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_BuildChain(
+        PKIX_ProcessingParams *params,
+        void **pNBIOContext,
+        void **pState,
+        PKIX_BuildResult **pResult,
+	PKIX_VerifyNode **pVerifyNode,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_H */
diff --git a/security/nss/lib/libpkix/include/pkix_certsel.h b/security/nss/lib/libpkix/include/pkix_certsel.h
new file mode 100755
index 000000000..8d424619c
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_certsel.h
@@ -0,0 +1,1803 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the PKIX_CertSelector and the
+ * PKIX_ComCertSelParams types.
+ *
+ */
+
+#ifndef _PKIX_CERTSEL_H
+#define _PKIX_CERTSEL_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_CertSelector
+ *
+ * PKIX_CertSelectors provide a standard way for the caller to select
+ * certificates based on particular criteria. A CertSelector is typically used
+ * by the caller to specify the constraints they wish to impose on the target
+ * certificate in a chain. (see pkix_params.h) A CertSelector is also often
+ * used to retrieve certificates from a CertStore that match the selector's
+ * criteria. (See pkix_certstore.h) For example, the caller may wish to only
+ * select those certificates that have a particular Subject Distinguished Name
+ * and a particular value for a private certificate extension. The
+ * MatchCallback allows the caller to specify the custom matching logic to be
+ * used by a CertSelector.
+ *
+ * By default, the MatchCallback is set to point to the default implementation
+ * provided by libpkix, which understands how to process the most common
+ * parameters. If the default implementation is used, the caller should set
+ * these common parameters using PKIX_CertSelector_SetCommonCertSelectorParams.
+ * Any common parameter that is not set is assumed to be disabled, which means
+ * the default MatchCallback implementation will select all certificates
+ * without regard to that particular disabled parameter. For example, if the
+ * SerialNumber parameter is not set, MatchCallback will not filter out any
+ * certificate based on its serial number. As such, if no parameters are set,
+ * all are disabled and any certificate will match. If a parameter is
+ * disabled, its associated PKIX_ComCertSelParams_Get* function returns a
+ * default value of NULL, or -1 for PKIX_ComCertSelParams_GetBasicConstraints
+ * and PKIX_ComCertSelParams_GetVersion, or 0 for
+ * PKIX_ComCertSelParams_GetKeyUsage.
+ *
+ * If a custom implementation is desired, the default implementation can be
+ * overridden by calling PKIX_CertSelector_SetMatchCallback. In this case, the
+ * CertSelector can be initialized with a certSelectorContext, which is where
+ * the caller can specify the desired parameters the caller wishes to match
+ * against. Note that this certSelectorContext must be an Object (although any
+ * object type), allowing it to be reference-counted and allowing it to
+ * provide the standard Object functions (Equals, Hashcode, ToString, Compare,
+ * Duplicate).
+ *
+ */
+
+/*
+ * FUNCTION: PKIX_CertSelector_MatchCallback
+ * DESCRIPTION:
+ *
+ *  This callback function determines whether the specified Cert pointed to by
+ *  "cert" matches the criteria of the CertSelector pointed to by "selector",
+ *  and stores the result at "pResult". If the Cert matches the CertSelector's
+ *  criteria, a value of PKIX_TRUE will be stored at "pResult"; otherwise a
+ *  value of PKIX_FALSE will be stored.
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelector whose MatchCallback logic and parameters are
+ *      to be used. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched using "selector".
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address where Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CertSelector_MatchCallback)(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertSelector_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertSelector using the Object pointed to by
+ *  "certSelectorContext" (if any) and stores it at "pSelector". As noted
+ *  above, by default, the MatchCallback is set to point to the default
+ *  implementation provided by libpkix, which understands how to process
+ *  ComCertSelParams objects. This is overridden if the MatchCallback pointed
+ *  to by "callback" is not NULL, in which case the parameters are specified
+ *  using the certSelectorContext.
+ *
+ * PARAMETERS:
+ *  "callback"
+ *      The MatchCallback function to be used.
+ *  "certSelectorContext"
+ *      Address of Object representing the CertSelector's context (if any).
+ *  "pSelector"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertSelector_Create(
+        PKIX_CertSelector_MatchCallback callback,
+        PKIX_PL_Object *certSelectorContext,
+        PKIX_CertSelector **pSelector,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetMatchCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "selector's" Match callback function and puts it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      The CertSelector whose Match callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Match callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertSelector_GetMatchCallback(
+        PKIX_CertSelector *selector,
+        PKIX_CertSelector_MatchCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_PL_Object representing the context (if any)
+ *  of the CertSelector pointed to by "selector" and stores it at
+ *  "pCertSelectorContext".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelector whose context is to be stored.
+ *      Must be non-NULL.
+ *  "pCertSelectorContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCertSelectorContext(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Object **pCertSelectorContext,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ComCertSelParams object that represent the
+ *  common parameters of the CertSelector pointed to by "selector" and stores
+ *  it at "pCommonCertSelectorParams". If there are no common parameters
+ *  stored with the CertSelector, this function stores NULL at
+ *  "pCommonCertSelectorParams".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelector whose ComCertSelParams object is to be stored.
+ *      Must be non-NULL.
+ *  "pCommonCertSelectorParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCommonCertSelectorParams(
+        PKIX_CertSelector *selector,
+        PKIX_ComCertSelParams **pCommonCertSelectorParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
+ * DESCRIPTION:
+ *
+ *  Sets the common parameters for the CertSelector pointed to by "selector"
+ *  using the ComCertSelParams object pointed to by "commonCertSelectorParams".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelector whose common parameters are to be set.
+ *      Must be non-NULL.
+ *  "commonCertSelectorParams"
+ *      Address of ComCertSelParams object representing the common parameters.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "selector"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertSelector_SetCommonCertSelectorParams(
+        PKIX_CertSelector *selector,
+        PKIX_ComCertSelParams *commonCertSelectorParams,
+        void *plContext);
+
+/* PKIX_ComCertSelParams
+ *
+ * PKIX_ComCertSelParams objects are X.509 parameters commonly used with
+ * CertSelectors, especially when enforcing constraints on a target
+ * certificate or determining which certificates to retrieve from a CertStore.
+ * ComCertSelParams objects are typically used with those CertSelectors that
+ * use the default implementation of MatchCallback, which understands how to
+ * process ComCertSelParams objects.
+ */
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ComCertSelParams object and stores it at "pParams".
+ *
+ * PARAMETERS:
+ *  "pParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_Create(
+        PKIX_ComCertSelParams **pParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of GeneralNames (if any) representing the
+ *  subject alternative names criterion that is set in the ComCertSelParams
+ *  object pointed to by "params" and stores it at "pNames". In order to match
+ *  against this criterion, a certificate must contain all or at least one of
+ *  the criterion's subject alternative names (depending on the result of
+ *  PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default behavior
+ *  requires a certificate to contain all of the criterion's subject
+ *  alternative names in order to match.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pNames", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject alternative names
+ *      criterion (if any) is to be stored. Must be non-NULL.
+ *  "pNames"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pNames, /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames
+ * DESCRIPTION:
+ *
+ *  Sets the subject alternative names criterion of the ComCertSelParams object
+ *  pointed to by "params" using a List of GeneralNames pointed to by "names".
+ *  In order to match against this criterion, a certificate must contain all or
+ *  at least one of the criterion's subject alternative names (depending on the
+ *  result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default
+ *  behavior requires a certificate to contain all of the criterion's subject
+ *  alternative names in order to match.
+ *
+ *  If "names" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject alternative
+ *      names criterion is to be set. Must be non-NULL.
+ *  "names"
+ *      Address of List of GeneralNames used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *names,  /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddSubjAltName
+ * DESCRIPTION:
+ *
+ *  Adds to the subject alternative names criterion of the ComCertSelParams
+ *  object pointed to by "params" using the GeneralName pointed to by "name".
+ *  In order to match against this criterion, a certificate must contain all
+ *  or at least one of the criterion's subject alternative names (depending on
+ *  the result of PKIX_ComCertSelParams_GetMatchAllSubjAltNames). The default
+ *  behavior requires a certificate to contain all of the criterion's subject
+ *  alternative names in order to match.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject alternative names
+ *      criterion is to be added to. Must be non-NULL.
+ *  "name"
+ *      Address of GeneralName to be added.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddSubjAltName(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_GeneralName *name,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPathToNames
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of GeneralNames (if any) representing the
+ *  path to names criterion that is set in the ComCertSelParams object pointed
+ *  to by "params" and stores it at "pNames". In order to match against this
+ *  criterion, a certificate must not include name constraints that would
+ *  prohibit building a path to the criterion's specified names.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pNames", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose path to names criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pNames"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetPathToNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPathToNames
+ * DESCRIPTION:
+ *
+ *  Sets the path to names criterion of the ComCertSelParams object pointed to
+ *  by "params" using a List of GeneralNames pointed to by "names". In order to
+ *  match against this criterion, a certificate must not include name
+ *  constraints that would prohibit building a path to the criterion's
+ *  specified names.
+ *
+ *  If "names" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose path to names criterion
+ *      is to be set. Must be non-NULL.
+ *  "names"
+ *      Address of List of GeneralNames used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPathToNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *names,    /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddPathToName
+ * DESCRIPTION:
+ *
+ *  Adds to the path to names criterion of the ComCertSelParams object pointed
+ *  to by "params" using the GeneralName pointed to by "pathToName". In order
+ *  to match against this criterion, a certificate must not include name
+ *  constraints that would prohibit building a path to the criterion's
+ *  specified names.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose path to names criterion is to
+ *      be added to. Must be non-NULL.
+ *  "pathToName"
+ *      Address of GeneralName to be added.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddPathToName(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_GeneralName *pathToName,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ByteArray (if any) representing the authority
+ *  key identifier criterion that is set in the ComCertSelParams object
+ *  pointed to by "params" and stores it at "pAuthKeyId". In order to match
+ *  against this criterion, a certificate must contain an
+ *  AuthorityKeyIdentifier extension whose value matches the criterion's
+ *  authority key identifier value.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pAuthKeyId", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose authority key identifier
+ *      criterion (if any) is to be stored. Must be non-NULL.
+ *  "pAuthKeyId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetAuthorityKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray **pAuthKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Sets the authority key identifier criterion of the ComCertSelParams object
+ *  pointed to by "params" to the ByteArray pointed to by "authKeyId". In
+ *  order to match against this criterion, a certificate must contain an
+ *  AuthorityKeyIdentifier extension whose value matches the criterion's
+ *  authority key identifier value.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose authority key identifier
+ *      criterion is to be set. Must be non-NULL.
+ *  "authKeyId"
+ *      Address of ByteArray used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray *authKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ByteArray (if any) representing the subject key
+ *  identifier criterion that is set in the ComCertSelParams object pointed to
+ *  by "params" and stores it at "pSubjKeyId". In order to match against this
+ *  criterion, a certificate must contain a SubjectKeyIdentifier extension
+ *  whose value matches the criterion's subject key identifier value.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pSubjKeyId", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject key identifier
+ *      criterion (if any) is to be stored. Must be non-NULL.
+ *  "pSubjKeyId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray **pSubjKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Sets the subject key identifier criterion of the ComCertSelParams object
+ *  pointed to by "params" using a ByteArray pointed to by "subjKeyId". In
+ *  order to match against this criterion, a certificate must contain an
+ *  SubjectKeyIdentifier extension whose value matches the criterion's subject
+ *  key identifier value.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject key identifier
+ *      criterion is to be set. Must be non-NULL.
+ *  "subjKeyId"
+ *      Address of ByteArray used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray *subKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the PublicKey (if any) representing the subject
+ *  public key criterion that is set in the ComCertSelParams object pointed to
+ *  by "params" and stores it at "pPubKey". In order to match against this
+ *  criterion, a certificate must contain a SubjectPublicKey that matches the
+ *  criterion's public key.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pPubKey", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject public key criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pPubKey"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPubKey(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_PublicKey **pPubKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey
+ * DESCRIPTION:
+ *
+ *  Sets the subject public key criterion of the ComCertSelParams object
+ *  pointed to by "params" using a PublicKey pointed to by "pubKey". In order
+ *  to match against this criterion, a certificate must contain a
+ *  SubjectPublicKey that matches the criterion's public key.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject public key
+ *      criterion is to be set. Must be non-NULL.
+ *  "pubKey"
+ *      Address of PublicKey used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPubKey(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_PublicKey *pubKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the OID (if any) representing the subject public key
+ *  algorithm identifier criterion that is set in the ComCertSelParams object
+ *  pointed to by "params" and stores it at "pPubKey". In order to match
+ *  against this criterion, a certificate must contain a SubjectPublicKey with
+ *  an algorithm that matches the criterion's algorithm.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pAlgId", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject public key algorithm
+ *      identifier (if any) is to be stored. Must be non-NULL.
+ *  "pAlgId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPKAlgId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_OID **pAlgId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId
+ * DESCRIPTION:
+ *
+ *  Sets the subject public key algorithm identifier criterion of the
+ *  ComCertSelParams object pointed to by "params" using an OID pointed to by
+ *  "algId". In order to match against this criterion, a certificate must
+ *  contain a SubjectPublicKey with an algorithm that matches the criterion's
+ *  algorithm.
+ *
+ *  If "algId" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject public key
+ *      algorithm identifier criterion is to be set. Must be non-NULL.
+ *  "algId"
+ *      Address of OID used to set criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPKAlgId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_OID *algId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the minimum path length (if any) representing the
+ *  basic constraints criterion that is set in the ComCertSelParams object
+ *  pointed to by "params" and stores it at "pMinPathLength". In order to
+ *  match against this criterion, there are several possibilities.
+ *
+ *  1) If the criterion's minimum path length is greater than or equal to zero,
+ *  a certificate must include a BasicConstraints extension with a pathLen of
+ *  at least this value.
+ *
+ *  2) If the criterion's minimum path length is -2, a certificate must be an
+ *  end-entity certificate.
+ *
+ *  3) If the criterion's minimum path length is -1, no basic constraints check
+ *  is done and all certificates are considered to match this criterion.
+ *
+ *  The semantics of other values of the criterion's minimum path length are
+ *  undefined but may be defined in future versions of the API.
+ *
+ *  If "params" does not have this criterion set, this function stores -1 at
+ *  "pMinPathLength", in which case all certificates are considered to match
+ *  this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose basic constraints criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pMinPathLength"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetBasicConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 *pMinPathLength,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints
+ * DESCRIPTION:
+ *
+ *  Sets the basic constraints criterion of the ComCertSelParams object
+ *  pointed to by "params" using the integer value of "minPathLength". In
+ *  order to match against this criterion, there are several possibilities.
+ *
+ *  1) If the criterion's minimum path length is greater than or equal to zero,
+ *  a certificate must include a BasicConstraints extension with a pathLen of
+ *  at least this value.
+ *
+ *  2) If the criterion's minimum path length is -2, a certificate must be an
+ *  end-entity certificate.
+ *
+ *  3) If the criterion's minimum path length is -1, no basic constraints check
+ *  is done and all certificates are considered to match this criterion.
+ *
+ *  The semantics of other values of the criterion's minimum path length are
+ *  undefined but may be defined in future versions of the API.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose basic constraints
+ *      criterion is to be set. Must be non-NULL.
+ *  "minPathLength"
+ *      Value of PKIX_Int32 used to set the criterion
+ *      (or -1 to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetBasicConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 minPathLength,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificate
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Cert (if any) representing the certificate
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pCert". In order to match against this
+ *  criterion, a certificate must be equal to the criterion's certificate. If
+ *  this criterion is specified, it is usually not necessary to specify any
+ *  other criteria, since this criterion requires an exact certificate match.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pCert", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose certificate criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificate(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificate
+ * DESCRIPTION:
+ *
+ *  Sets the certificate criterion of the ComCertSelParams object pointed to by
+ * "params" using a Cert pointed to by "cert". In order to match against this
+ *  criterion, a certificate must be equal to the criterion's certificate.
+ *  If this criterion is specified, it is usually not necessary to specify
+ *  any other criteria, since this criterion requires an exact certificate
+ *  match.
+ *
+ *  If "cert" is NULL, all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose certificate criterion is to be
+ *      set. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificate(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificateValid
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Date (if any) representing the certificate
+ *  validity criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pDate". In order to match against this
+ *  criterion, a certificate's validity period must include the criterion's
+ *  Date.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pDate", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose certificate validity criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificateValid(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificateValid
+ * DESCRIPTION:
+ *
+ *  Sets the certificate validity criterion of the ComCertSelParams object
+ *  pointed to by "params" using a Date pointed to by "date". In order to
+ *  match against this criterion, a certificate's validity period must include
+ *  the criterion's Date.
+ *
+ *  If "date" is NULL, all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose certificate validity criterion
+ *      is to be set. Must be non-NULL.
+ *  "date"
+ *      Address of Date used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificateValid(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Date *date,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSerialNumber
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the BigInt (if any) representing the serial number
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pSerialNumber". In order to match against this
+ *  criterion, a certificate must have a serial number equal to the
+ *  criterion's serial number.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pSerialNumber", in which case all certificates are considered to match
+ *  this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose serial number criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pSerialNumber"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSerialNumber(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_BigInt **pSerialNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSerialNumber
+ * DESCRIPTION:
+ *
+ *  Sets the serial number criterion of the ComCertSelParams object pointed to
+ *  by "params" using a BigInt pointed to by "serialNumber". In order to match
+ *  against this criterion, a certificate must have a serial number equal to
+ *  the criterion's serial number.
+ *
+ *  If "serialNumber" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose serial number criterion is to
+ *      be set. Must be non-NULL.
+ *  "serialNumber"
+ *      Address of BigInt used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSerialNumber(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_BigInt *serialNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetVersion
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the version criterion that is
+ *  set in the ComCertSelParams object pointed to by "params" and stores it at
+ *  "pVersion". In order to match against this criterion, a certificate's
+ *  version must be equal to the criterion's version.
+ *
+ *  The version number will either be 0, 1, or 2 (corresponding to
+ *  v1, v2, or v3, respectively).
+ *
+ *  If "params" does not have this criterion set, this function stores
+ *  0xFFFFFFFF at "pVersion", in which case all certificates are considered
+ *  to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose version criterion (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pVersion"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetVersion(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 *pVersion,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetVersion
+ * DESCRIPTION:
+ *
+ *  Sets the version criterion of the ComCertSelParams object pointed to by
+ *  "params" using the integer value of "version". In order to match against
+ *  this criterion, a certificate's version must be equal to the criterion's
+ *  version. If the criterion's version is -1, no version check is done and
+ *  all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose version criterion is to be
+ *      set. Must be non-NULL.
+ *  "version"
+ *      Value of PKIX_Int32 used to set the criterion
+ *      (or -1 to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetVersion(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 version,
+        void *plContext);
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetKeyUsage
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the key usage criterion that
+ *  is set in the ComCertSelParams object pointed to by "params" and stores it
+ *  at "pKeyUsage". In order to match against this criterion, a certificate
+ *  must allow the criterion's key usage values. Note that a certificate that
+ *  has no KeyUsage extension implicity allows all key usages. Note also that
+ *  this functions supports a maximum of 32 key usage bits.
+ *
+ *  If "params" does not have this criterion set, this function stores zero at
+ *  "pKeyUsage", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose key usage criterion (if any)
+ *      is to be stored. Must be non-NULL.
+ *  "pKeyUsage"
+ *      Address where PKIX_UInt32 will be stored. Must not be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 *pKeyUsage,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetKeyUsage
+ * DESCRIPTION:
+ *
+ *  Sets the key usage criterion of the ComCertSelParams object pointed to by
+ *  "params" using the integer value of "keyUsage". In order to match against
+ *  this criterion, a certificate must allow the criterion's key usage values.
+ *  Note that a certificate that has no KeyUsage extension implicity allows
+ *  all key usages. Note also that this functions supports a maximum of 32 key
+ *  usage bits.
+ *
+ *  If the criterion's key usage value is zero, no key usage check is done and
+ *  all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose key usage criterion is to be
+ *      set. Must be non-NULL.
+ *  "keyUsage"
+ *      Value of PKIX_Int32 used to set the criterion
+ *      (or zero to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 keyUsage,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (if any) representing the extended
+ *  key usage criterion that is set in the ComCertSelParams object pointed to
+ *  by "params" and stores it at "pExtKeyUsage". In order to match against this
+ *  criterion, a certificate's ExtendedKeyUsage extension must allow the
+ *  criterion's extended key usages. Note that a certificate that has no
+ *  ExtendedKeyUsage extension implicity allows all key purposes.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pExtKeyUsage", in which case all certificates are considered to match
+ *  this criterion.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose extended key usage criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pExtKeyUsage"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetExtendedKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage
+ * DESCRIPTION:
+ *
+ *  Sets the extended key usage criterion of the ComCertSelParams object
+ *  pointed to by "params" using a List of OIDs pointed to by "extKeyUsage".
+ *  In order to match against this criterion, a certificate's ExtendedKeyUsage
+ *  extension must allow the criterion's extended key usages. Note that a
+ *  certificate that has no ExtendedKeyUsage extension implicitly allows all
+ *  key purposes.
+ *
+ *  If "extKeyUsage" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose extended key usage criterion
+ *      is to be set. Must be non-NULL.
+ *  "extKeyUsage"
+ *      Address of List of OIDs used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetExtendedKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *extKeyUsage,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (if any) representing the policy
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pPolicy". In order to match against this
+ *  criterion, a certificate's CertificatePolicies extension must include at
+ *  least one of the criterion's policies. If "params" has this criterion set,
+ *  but the List of OIDs is empty, then a certificate's CertificatePolicies
+ *  extension must include at least some policy.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pPolicy", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose policy criterion (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pPolicy"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetPolicy(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pPolicy,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPolicy
+ * DESCRIPTION:
+ *
+ *  Sets the policy criterion of the ComCertSelParams object pointed to by
+ *  "params" using a List of OIDs pointed to by "policy". In order to match
+ *  against this criterion, a certificate's CertificatePolicies extension must
+ *  include at least one of the criterion's policies. If "params" has this
+ *  criterion set, but the List of OIDs is empty, then a certificate's
+ *  CertificatePolicies extension must include at least some policy.
+ *
+ *  If "policy" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose policy criterion is to be set.
+ *      Must be non-NULL.
+ *  "policy"
+ *      Address of List of OIDs used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPolicy(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *policy,    /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetIssuer
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name (if any) representing the issuer
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pIssuer". In order to match against this
+ *  criterion, a certificate's IssuerName must match the criterion's issuer
+ *  name.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pIssuer", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose issuer criterion (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pIssuer"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetIssuer(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name **pIssuer,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetIssuer
+ * DESCRIPTION:
+ *
+ *  Sets the issuer criterion of the ComCertSelParams object pointed to by
+ *  "params" using an X500Name pointed to by "issuer". In order to match
+ *  against this criterion, a certificate's IssuerName must match the
+ *  criterion's issuer name.
+ *
+ *  If "issuer" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose issuer criterion is to be set.
+ *      Must be non-NULL.
+ *  "issuer"
+ *      Address of X500Name used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetIssuer(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name *issuer,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubject
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name (if any) representing the subject
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pSubject". In order to match against this
+ *  criterion, a certificate's SubjectName must match the criterion's subject
+ *  name.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pSubject", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject criterion (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pSubject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubject(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name **pSubject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubject
+ * DESCRIPTION:
+ *
+ *  Sets the subject criterion of the ComCertSelParams object pointed to by
+ *  "params" using an X500Name pointed to by "subject". In order to match
+ *  against this criterion, a certificate's SubjectName must match the
+ *  criterion's subject name.
+ *
+ *  If "subject" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject criterion is to be
+ *      set. Must be non-NULL.
+ *  "subject"
+ *      Address of X500Name used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubject(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name *subject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjectAsByteArray
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ByteArray (if any) representing the subject
+ *  criterion that is set in the ComCertSelParams object pointed to by
+ *  "params" and stores it at "pSubject". In order to match against this
+ *  criterion, a certificate's SubjectName must match the criterion's subject
+ *  name.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pSubject", in which case all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject criterion (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pSubject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjectAsByteArray(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray **pSubject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjectAsByteArray
+ * DESCRIPTION:
+ *
+ *  Sets the subject criterion of the ComCertSelParams object pointed to by
+ *  "params" using a ByteArray pointed to by "subject". In order to match
+ *  against this criterion, a certificate's SubjectName must match the
+ *  criterion's subject name.
+ *
+ *  If "subject" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose subject criterion is to be
+ *      set. Must be non-NULL.
+ *  "subject"
+ *      Address of ByteArray used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjectAsByteArray(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray *subject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetNameConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name (if any) representing the name
+ *  constraints criterion that is set in the ComCertSelParams object pointed
+ *  to by "params" and stores it at "pConstraints". In order to match against
+ *  this criterion, a certificate's subject and subject alternative names must
+ *  be allowed by the criterion's name constraints.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pConstraints", in which case all certificates are considered to match
+ *  this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose name constraints criterion
+ *      (if any) is to be stored. Must be non-NULL.
+ *  "pConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetNameConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_CertNameConstraints **pConstraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetNameConstraints
+ * DESCRIPTION:
+ *
+ *  Sets the name constraints criterion of the ComCertSelParams object pointed
+ *  to by "params" using the CertNameConstraints pointed to by "constraints".
+ *  In order to match against this criterion, a certificate's subject and
+ *  subject alternative names must be allowed by the criterion's name
+ *  constraints.
+ *
+ *  If "constraints" is NULL, all certificates are considered to match this
+ *  criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose name constraints criterion is
+ *      to be set. Must be non-NULL.
+ *  "constraints"
+ *      Address of CertNameConstraints used to set the criterion
+ *      (or NULL to disable the criterion).
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetNameConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_CertNameConstraints *constraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+ * DESCRIPTION:
+ *
+ *  Checks whether the ComCertSelParams object pointed to by "params" indicate
+ *  that all subject alternative names are to be matched and stores the Boolean
+ *  result at "pMatch". This Boolean value determines the behavior of the
+ *  subject alternative names criterion.
+ *
+ *  In order to match against the subject alternative names criterion, if the
+ *  Boolean value at "pMatch" is PKIX_TRUE, a certificate must contain all of
+ *  the criterion's subject alternative names. If the Boolean value at
+ *  "pMatch" is PKIX_FALSE, a certificate must contain at least one of the
+ *  criterion's subject alternative names. The default behavior is as if the
+ *  Boolean value at "pMatch" is PKIX_TRUE.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object used to determine whether all
+ *      subject alternative names must be matched. Must be non-NULL.
+ *  "pMatch"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetMatchAllSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean *pMatch,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+ * DESCRIPTION:
+ *
+ *  Sets the match flag of the ComCertSelParams object pointed to by "params"
+ *  using the Boolean value of "match". This Boolean value determines the
+ *  behavior of the subject alternative names criterion.
+ *
+ *  In order to match against the subject alternative names criterion, if the
+ *  "match" is PKIX_TRUE, a certificate must contain all of the criterion's
+ *  subject alternative names. If the "match" is PKIX_FALSE, a certificate
+ *  must contain at least one of the criterion's subject alternative names.
+ *  The default behavior is as if "match" is PKIX_TRUE.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams object whose match flag is to be set.
+ *      Must be non-NULL.
+ *  "match"
+ *      Boolean value used to set the match flag.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean match,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CERTSEL_H */
diff --git a/security/nss/lib/libpkix/include/pkix_certstore.h b/security/nss/lib/libpkix/include/pkix_certstore.h
new file mode 100755
index 000000000..8a123a22f
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_certstore.h
@@ -0,0 +1,601 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the PKIX_CertStore type.
+ *
+ */
+
+
+#ifndef _PKIX_CERTSTORE_H
+#define _PKIX_CERTSTORE_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_CertStore
+ *
+ * A PKIX_CertStore provides a standard way for the caller to retrieve
+ * certificates and CRLs from a particular repository (or "store") of
+ * certificates and CRLs, including LDAP directories, flat files, local
+ * databases, etc. The CertCallback allows custom certificate retrieval logic
+ * to be used while the CRLCallback allows custom CRL retrieval logic to be
+ * used. Additionally, a CertStore can be initialized with a certStoreContext,
+ * which is where the caller can specify configuration data such as the host
+ * name of an LDAP server. Note that this certStoreContext must be an
+ * Object (although any object type), allowing it to be reference-counted and
+ * allowing it to provide the standard Object functions (Equals, Hashcode,
+ * ToString, Compare, Duplicate). Please note that each certStoreContext must
+ * provide Equals and Hashcode functions in order for the caching (on Cert and
+ * CertChain) to work correctly. When providing those two functions, it is not
+ * required that all the components of the object be hashed or checked for 
+ * equality, but merely that the functions distinguish between unique
+ * instances of the certStoreContext.
+ *
+ * Once the caller has created the CertStore object, the caller then specifies
+ * these CertStore objects in a ProcessingParams object and passes that object
+ * to PKIX_ValidateChain or PKIX_BuildChain, which uses the objects to call the
+ * user's callback functions as needed during the validation or building
+ * process.
+ *
+ * The order of CertStores stored (as a list) at ProcessingParams determines
+ * the order in which certificates are retrieved. Trusted CertStores should
+ * precede non-trusted ones on the list of CertStores so their certificates
+ * are evaluated ahead of other certificates selected on the basis of the same
+ * selector criteria.
+ *
+ * The CheckTrustCallback function is used when the CertStore object
+ * supports trust status, which means a Cert's trust status can be altered
+ * dynamically. When a CertStore object is created, if the
+ * CheckTrustCallback is initialized to be non-NULL, this CertStore is
+ * defaulted as supporting trust. Then whenever a Cert needs to (re)check its
+ * trust status, this callback can be invoked. When a Cert is retrieved by
+ * a CertStore supports trust, at its GetCertCallback, the CertStore
+ * information should be updated in Cert's data structure so the link between
+ * the Cert and CertStore exists.
+ *
+ */
+
+/*
+ * FUNCTION: PKIX_CertStore_CertCallback
+ * DESCRIPTION:
+ *
+ *  This callback function retrieves from the CertStore pointed to by "store"
+ *  all the certificates that match the CertSelector pointed to by "selector".
+ *  It places these certificates in a List and stores a pointer to the List at
+ *  "pCerts". If no certificates are found which match the CertSelector's
+ *  criteria, this function stores an empty List at "pCerts". In either case, if
+ *  the operation is completed, NULL is stored at "pNBIOContext".
+ *
+ *  A CertStore which uses non-blocking I/O may store platform-dependent
+ *  information at "pNBIOContext" and NULL at "pCerts" to indicate that I/O is
+ *  pending. A subsequent call to PKIX_CertStore_CertContinue is required to
+ *  finish the operation and to obtain the List of Certs.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore from which Certs are to be retrieved.
+ *      Must be non-NULL.
+ *  "selector"
+ *      Address of CertSelector whose criteria must be satisfied.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if the
+ *      operation is suspended for non-blocking I/O. Must be non-NULL.
+ *  "pCerts"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CertStore_CertCallback)(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_CertContinue
+ * DESCRIPTION:
+ *
+ *  This function continues the non-blocking operation initiated by an earlier
+ *  call to the CertCallback function, for the CertStore pointed to by "store". 
+ *  If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL
+ *  value returned in "pNBIOContext") calling this function will return a fatal
+ *  error. If the operation is completed the certificates found are placed in a
+ *  List, a pointer to which is stored at "pCerts". If no certificates are found
+ *  which match the CertSelector's criteria, this function stores an empty List
+ *  at "pCerts". In either case, if the operation is completed, NULL is stored
+ *  at "pNBIOContext".
+ *
+ *  If non-blocking I/O is still pending this function stores platform-dependent
+ *  information at "pNBIOContext" and NULL at "pCerts". A subsequent call to
+ *  PKIX_CertStore_CertContinue is required to finish the operation and to
+ *  obtain the List of Certs.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore from which Certs are to be retrieved.
+ *      Must be non-NULL.
+ *  "selector"
+ *      Address of CertSelector whose criteria must be satisfied.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if the
+ *      operation is suspended for non-blocking I/O. Must be non-NULL.
+ *  "pCerts"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_CertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
+        void *plContext);
+
+typedef PKIX_Error *
+(*PKIX_CertStore_CertContinueFunction)(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_CRLCallback
+ * DESCRIPTION:
+ *
+ *  This callback function retrieves from the CertStore pointed to by "store"
+ *  all the CRLs that match the CRLSelector pointed to by "selector". It
+ *  places these CRLs in a List and stores a pointer to the List at "pCRLs".
+ *  If no CRLs are found which match the CRLSelector's criteria, this function
+ *  stores an empty List at "pCRLs". In either case, if the operation is
+ *  completed, NULL is stored at "pNBIOContext".
+ *
+ *  A CertStore which uses non-blocking I/O may store platform-dependent
+ *  information at "pNBIOContext" and NULL at "pCrls" to indicate that I/O is
+ *  pending. A subsequent call to PKIX_CertStore_CRLContinue is required to
+ *  finish the operation and to obtain the List of Crls.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore from which CRLs are to be retrieved.
+ *      Must be non-NULL.
+ *  "selector"
+ *      Address of CRLSelector whose criteria must be satisfied.
+ *      Must be non-NULL.
+ *  "pCrls"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CertStore_CRLCallback)(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrls,  /* list of PKIX_PL_CRL */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_CrlContinue
+ * DESCRIPTION:
+ *
+ *  This function continues the non-blocking operation initiated by an earlier
+ *  call to the CRLCallback function, for the CertStore pointed to by "store". 
+ *  If an earlier call did not terminate with the WOULDBLOCK indication (non-NULL
+ *  value returned in "pNBIOContext") calling this function will return a fatal
+ *  error. If the operation is completed the crls found are placed in a List, a
+ *  pointer to which is stored at "pCrls". If no crls are found which match the
+ *  CRLSelector's criteria, this function stores an empty List at "pCrls". In
+ *  either case, if the operation is completed, NULL is stored at "pNBIOContext".
+ *
+ *  If non-blocking I/O is still pending this function stores platform-dependent
+ *  information at "pNBIOContext" and NULL at "pCrls". A subsequent call to
+ *  PKIX_CertStore_CrlContinue is required to finish the operation and to
+ *  obtain the List of Crls.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore from which Crls are to be retrieved.
+ *      Must be non-NULL.
+ *  "selector"
+ *      Address of CRLSelector whose criteria must be satisfied.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if the
+ *      operation is suspended for non-blocking I/O. Must be non-NULL.
+ *  "pCrls"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_CrlContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrls,  /* list of PKIX_PL_CRL */
+        void *plContext);
+
+typedef PKIX_Error *
+(*PKIX_CertStore_CrlContinueFunction)(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrls,  /* list of PKIX_PL_CRL */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_CheckTrustCallback
+ * DESCRIPTION:
+ *
+ *  This callback function rechecks "cert's" trust status from the CertStore
+ *  pointed to by "store".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore from which Certs are to be checked.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert whose trust status needs to be rechecked.
+ *      Must be non-NULL.
+ *  "pTrusted"
+ *      Address of PKIX_Boolean where the trust status is returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CertStore_CheckTrustCallback)(
+        PKIX_CertStore *store,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pTrusted,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertStore and stores it at "pStore". The new CertStore uses
+ *  the CertCallback pointed to by "certCallback" and the CRLCallback pointed
+ *  to by "crlCallback" as its callback functions and uses the Object pointed
+ *  to by "certStoreContext" as its context . Note that this certStoreContext
+ *  must be an Object (although any object type), allowing it to be
+ *  reference-counted and allowing it to provide the standard Object functions
+ *  (Equals, Hashcode, ToString, Compare, Duplicate). Once created, a
+ *  CertStore object is immutable, although the underlying repository can
+ *  change. For example, a CertStore will often be a front-end for a database
+ *  or directory. The contents of that directory can change after the
+ *  CertStore object is created, but the CertStore object remains immutable.
+ *
+ * PARAMETERS:
+ *  "certCallback"
+ *      The CertCallback function to be used. Must be non-NULL.
+ *  "crlCallback"
+ *      The CRLCallback function to be used. Must be non-NULL.
+ *  "certContinue"
+ *      The function to be used to resume a certCallback that returned with a
+ *      WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking
+ *      I/O.
+ *  "crlContinue"
+ *      The function to be used to resume a crlCallback that returned with a
+ *      WOULDBLOCK condition. Must be non-NULL if certStore supports non-blocking
+ *      I/O.
+ *  "trustCallback"
+ *      Address of PKIX_CertStore_CheckTrustCallback which is called to
+ *      verify the trust status of Certs in this CertStore.
+ *  "certStoreContext"
+ *      Address of Object representing the CertStore's context (if any).
+ *  "cachedFlag"
+ *      If TRUE indicates data retrieved from CertStore should be cached.
+ *  "localFlag"
+ *      Boolean value indicating whether this CertStore is local.
+ *  "pStore"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_Create(
+        PKIX_CertStore_CertCallback certCallback,
+        PKIX_CertStore_CRLCallback crlCallback,
+        PKIX_CertStore_CertContinueFunction certContinue,
+        PKIX_CertStore_CrlContinueFunction crlContinue,
+        PKIX_CertStore_CheckTrustCallback trustCallback,
+        PKIX_PL_Object *certStoreContext,
+        PKIX_Boolean cachedFlag,
+        PKIX_Boolean localFlag,
+        PKIX_CertStore **pStore,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "store's" Cert callback function and put it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      The CertStore whose Cert callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Cert callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CertCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCRLCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "store's" CRL callback function and put it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      The CertStore whose CRL callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where CRL callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetCRLCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CRLCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetTrustCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves the function pointer to the CheckTrust callback function of the
+ *  CertStore pointed to by "store" and stores it at "pCallback".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      The CertStore whose CheckTrust callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where CheckTrust callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetTrustCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CheckTrustCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertStoreContext
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Object representing the context (if any)
+ *  of the CertStore pointed to by "store" and stores it at
+ *  "pCertStoreContext".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore whose context is to be stored. Must be non-NULL.
+ *  "pCertStoreContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertStoreContext(
+        PKIX_CertStore *store,
+        PKIX_PL_Object **pCertStoreContext,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertStoreCacheFlag
+ * DESCRIPTION:
+ *
+ *  Retrieves the Boolean cache flag of the CertStore pointed to by "store" and
+ *  stores it at "pCachedFlag".
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore whose cache flag is to be stored. Must be non-NULL.
+ *  "pCacheFlag"
+ *      Address where the result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertStoreCacheFlag(
+        PKIX_CertStore *store,
+        PKIX_Boolean *pCacheFlag,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertStore_GetLocalFlag
+ * DESCRIPTION:
+ *
+ *  Retrieves the Boolean localFlag for the CertStore pointed to by "store" and
+ *  stores it at "pLocalFlag". The localFlag is TRUE if the CertStore can
+ *  fulfill a request without performing network I/O.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      The CertStore whose Local flag is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where the Boolean LocalFlag will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertStore_GetLocalFlag(
+        PKIX_CertStore *store,
+        PKIX_Boolean *pLocalFlag,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CERTSTORE_H */
diff --git a/security/nss/lib/libpkix/include/pkix_checker.h b/security/nss/lib/libpkix/include/pkix_checker.h
new file mode 100755
index 000000000..236112e11
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_checker.h
@@ -0,0 +1,427 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the PKIX_CertChainChecker type.
+ *
+ */
+
+#ifndef _PKIX_CHECKER_H
+#define _PKIX_CHECKER_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_CertChainChecker
+ *
+ * PKIX_CertChainCheckers provide a standard way for the caller to insert their
+ * own custom checks to validate certificates. This may be useful in many
+ * scenarios, including when the caller wishes to validate private certificate
+ * extensions. The CheckCallback allows custom certificate processing to take
+ * place. Additionally, a CertChainChecker can optionally maintain state
+ * between successive calls to the CheckCallback. This certChainCheckerState
+ * must be an Object (although any object type), allowing it to be
+ * reference-counted and allowing it to provide the standard Object functions
+ * (Equals, Hashcode, ToString, Compare, Duplicate). If the caller wishes
+ * their CertChainChecker to be used during chain building, their
+ * certChainCheckerState object must implement an appropriate Duplicate
+ * function. The builder uses this Duplicate function when backtracking.
+ *
+ * Once the caller has created a CertChainChecker object, the caller then
+ * specifies a CertChainChecker object in a ProcessingParams object
+ * and passes the ProcessingParams object to PKIX_ValidateChain or
+ * PKIX_BuildChain, which uses the objects to call the user's callback
+ * functions as needed during the validation or building process.
+ *
+ * A CertChainChecker may be presented certificates in the "reverse" direction
+ * (from trust anchor to target) or in the "forward" direction (from target to
+ * trust anchor). All CertChainCheckers must support "reverse checking", while
+ * support for "forward checking" is optional, but recommended. If "forward
+ * checking" is not supported, building chains may be much less efficient. The
+ * PKIX_CertChainChecker_IsForwardCheckingSupported function is used to
+ * determine whether forward checking is supported, and the
+ * PKIX_CertChainChecker_IsForwardDirectionExpected function is used to
+ * determine whether the CertChainChecker has been initialized to expect the
+ * certificates to be presented in the "forward" direction.
+ */
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_CheckCallback
+ * DESCRIPTION:
+ *
+ *  This callback function checks whether the specified Cert pointed to by
+ *  "cert" is valid using "checker's" internal certChainCheckerState (if any)
+ *  and removes the critical extensions that it processes (if any) from the
+ *  List of OIDs (possibly empty) pointed to by "unresolvedCriticalExtensions".
+ *  If the checker finds that the certificate is not valid, an Error pointer is
+ *  returned.
+ *
+ *  If the checker uses non-blocking I/O, the address of a platform-dependent
+ *  non-blocking I/O context ("nbioContext") will be stored at "pNBIOContext",
+ *  which the caller may use, in a platform-dependent way, to wait, poll, or
+ *  otherwise determine when to try again. If the checker does not use
+ *  non-blocking I/O, NULL will always be stored at "pNBIOContext". If a non-NULL
+ *  value was stored, on a subsequent call the checker will attempt to complete
+ *  the pending I/O and, if successful, NULL will be stored at "pNBIOContext".
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      Address of CertChainChecker whose certChainCheckerState and
+ *      CheckCallback logic is to be used. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be validated using "checker".
+ *      Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      Address of List of OIDs that represents the critical certificate
+ *      extensions that have yet to be resolved. This parameter may be
+ *      modified during the function call. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which is stored a platform-dependent structure indicating
+ *      whether checking was suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CertChainChecker_CheckCallback)(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
+        void **pNBIOContext,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker". The new
+ *  CertChainChecker uses the CheckCallback pointed to by "callback" as its
+ *  callback function. It uses the Object pointed to by "initialState" (if
+ *  any) as its initial state. As noted above, the initial state Object must
+ *  provide a custom implementation of PKIX_PL_Object_Duplicate if the
+ *  CertChainChecker is to be used during certificate chain building.
+ *
+ *  A CertChainChecker may be presented certificates in the "reverse"
+ *  direction (from trust anchor to target) or in the "forward" direction
+ *  (from target to trust anchor). All CertChainCheckers must support
+ *  "reverse checking", while support for "forward checking" is optional. The
+ *  CertChainChecker is initialized with two Boolean flags that deal with this
+ *  distinction: "forwardCheckingSupported" and "forwardDirectionExpected".
+ *  If the "forwardCheckingSupported" Boolean flag is TRUE, it indicates that
+ *  this CertChainChecker is capable of checking certificates in the "forward"
+ *  direction (as well as the "reverse" direction, which all CertChainCheckers
+ *  MUST support). The "forwardDirectionExpected" Boolean flag indicates in
+ *  which direction the CertChainChecker should expect the certificates to be
+ *  presented. This is particularly useful for CertChainCheckers that are
+ *  capable of checking in either the "forward" direction or the "reverse"
+ *  direction, but have different processing steps depending on the direction.
+ *
+ *  The CertChainChecker also uses the List of OIDs pointed to by "extensions"
+ *  as the supported certificate extensions. All certificate extensions that
+ *  the CertChainChecker might possibly recognize and be able to process
+ *  should be included in the List of supported extensions. If "checker" does
+ *  not recognize or process any certificate extensions, "extensions" should
+ *  be set to NULL.
+ *
+ * PARAMETERS:
+ *  "callback"
+ *      The CheckCallback function to be used. Must be non-NULL.
+ *  "forwardCheckingSupported"
+ *      A Boolean value indicating whether or not this CertChainChecker is
+ *      capable of checking certificates in the "forward" direction.
+ *  "forwardDirectionExpected"
+ *      A Boolean value indicating whether or not this CertChainChecker should
+ *      be used to check in the "forward" direction.
+ *  "extensions"
+ *      Address of List of OIDs representing the supported extensions.
+ *  "initialState"
+ *      Address of Object representing the CertChainChecker's initial state
+ *      (if any).
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_Create(
+    PKIX_CertChainChecker_CheckCallback callback,
+    PKIX_Boolean forwardCheckingSupported,
+    PKIX_Boolean forwardDirectionExpected,
+    PKIX_List *extensions,  /* list of PKIX_PL_OID */
+    PKIX_PL_Object *initialState,
+    PKIX_CertChainChecker **pChecker,
+    void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetCheckCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "checker's" Check callback function and puts it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      The CertChainChecker whose Check callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Check callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetCheckCallback(
+        PKIX_CertChainChecker *checker,
+        PKIX_CertChainChecker_CheckCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_IsForwardCheckingSupported
+ * DESCRIPTION:
+ *
+ *  Checks whether forward checking is supported by the CertChainChecker
+ *  pointed to by "checker" and stores the Boolean result at
+ *  "pForwardCheckingSupported".
+ *
+ *  A CertChainChecker may be presented certificates in the "reverse"
+ *  direction (from trust anchor to target) or in the "forward" direction
+ *  (from target to trust anchor). All CertChainCheckers must support
+ *  "reverse checking", while support for "forward checking" is optional. This
+ *  function is used to determine whether forward checking is supported.
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      The CertChainChecker whose ability to validate certificates in the
+ *      "forward" direction is to be checked. Must be non-NULL.
+ *  "pForwardCheckingSupported"
+ *      Destination of the Boolean result. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_IsForwardCheckingSupported(
+        PKIX_CertChainChecker *checker,
+        PKIX_Boolean *pForwardCheckingSupported,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_IsForwardDirectionExpected
+ * DESCRIPTION:
+ *
+ *  Checks whether the CertChainChecker pointed to by "checker" has been
+ *  initialized to expect the certificates to be presented in the "forward"
+ *  direction and stores the Boolean result at "pForwardDirectionExpected".
+ *
+ *  A CertChainChecker may be presented certificates in the "reverse"
+ *  direction (from trust anchor to target) or in the "forward" direction
+ *  (from target to trust anchor). All CertChainCheckers must support
+ *  "reverse checking", while support for "forward checking" is optional. This
+ *  function is used to determine in which direction the CertChainChecker
+ *  expects the certificates to be presented.
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      The CertChainChecker that has been initialized to expect certificates
+ *      in either the "forward" or "reverse" directions. Must be non-NULL.
+ *  "pForwardDirectionExpected"
+ *      Destination of the Boolean result. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_IsForwardDirectionExpected(
+        PKIX_CertChainChecker *checker,
+        PKIX_Boolean *pForwardDirectionExpected,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetSupportedExtensions
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of OIDs (each OID corresponding to a
+ *  certificate extension supported by the CertChainChecker pointed to by
+ *  "checker") and stores it at "pExtensions". All certificate extensions that
+ *  the CertChainChecker might possibly recognize and be able to process
+ *  should be included in the List of supported extensions. If "checker" does
+ *  not recognize or process any certificate extensions, this function stores
+ *  NULL at "pExtensions".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      Address of CertChainChecker whose supported extension OIDs are to be
+ *      stored. Must be non-NULL.
+ *  "pExtensions"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetSupportedExtensions(
+        PKIX_CertChainChecker *checker,
+        PKIX_List **pExtensions, /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetCertChainCheckerState
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_PL_Object representing the internal state
+ *  (if any) of the CertChainChecker pointed to by "checker" and stores it at
+ *  "pCertChainCheckerState".
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      Address of CertChainChecker whose state is to be stored.
+ *      Must be non-NULL.
+ *  "pCertChainCheckerState"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetCertChainCheckerState(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Object **pCertChainCheckerState,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_SetCertChainCheckerState
+ * DESCRIPTION:
+ *
+ *  Sets the internal state of the CertChainChecker pointed to by "checker"
+ *  using the Object pointed to by "certChainCheckerState". If "checker" needs
+ *  a NULL internal state, "certChainCheckerState" should be set to NULL.
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      Address of CertChainChecker whose state is to be set. Must be non-NULL.
+ *  "certChainCheckerState"
+ *      Address of Object representing internal state.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "checker"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CertChainChecker_SetCertChainCheckerState(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Object *certChainCheckerState,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CHECKER_H */
diff --git a/security/nss/lib/libpkix/include/pkix_crlsel.h b/security/nss/lib/libpkix/include/pkix_crlsel.h
new file mode 100755
index 000000000..b750db7be
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_crlsel.h
@@ -0,0 +1,761 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the PKIX_CRLSelector and the
+ * PKIX_ComCRLSelParams types.
+ *
+ */
+
+
+#ifndef _PKIX_CRLSEL_H
+#define _PKIX_CRLSEL_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_CRLSelector
+ *
+ * PKIX_CRLSelectors provide a standard way for the caller to select CRLs
+ * based on particular criteria. A CRLSelector is typically used by libpkix
+ * to retrieve CRLs from a CertStore during certificate chain validation or
+ * building. (see pkix_certstore.h) For example, the caller may wish to only
+ * select those CRLs that have a particular issuer or a particular value for a
+ * private CRL extension. The MatchCallback allows the caller to specify the
+ * custom matching logic to be used by a CRLSelector.
+
+ * By default, the MatchCallback is set to point to the default implementation
+ * provided by libpkix, which understands how to process the most common
+ * parameters. If the default implementation is used, the caller should set
+ * these common parameters using PKIX_CRLSelector_SetCommonCRLSelectorParams.
+ * Any common parameter that is not set is assumed to be disabled, which means
+ * the default MatchCallback implementation will select all CRLs without
+ * regard to that particular disabled parameter. For example, if the
+ * MaxCRLNumber parameter is not set, MatchCallback will not filter out any
+ * CRL based on its CRL number. As such, if no parameters are set, all are
+ * disabled and any CRL will match. If a parameter is disabled, its associated
+ * PKIX_ComCRLSelParams_Get* function returns a default value of NULL.
+ *
+ * If a custom implementation is desired, the default implementation can be
+ * overridden by calling PKIX_CRLSelector_SetMatchCallback. In this case, the
+ * CRLSelector can be initialized with a crlSelectorContext, which is where
+ * the caller can specify the desired parameters the caller wishes to match
+ * against. Note that this crlSelectorContext must be a PKIX_PL_Object,
+ * allowing it to be reference-counted and allowing it to provide the standard
+ * PKIX_PL_Object functions (Equals, Hashcode, ToString, Compare, Duplicate).
+ *
+ */
+
+/*
+ * FUNCTION: PKIX_CRLSelector_MatchCallback
+ * DESCRIPTION:
+ *
+ *  This callback function determines whether the specified CRL pointed to by
+ *  "crl" matches the criteria of the CRLSelector pointed to by "selector".
+ *  If the CRL matches the CRLSelector's criteria, PKIX_TRUE is stored at
+ *  "pMatch". Otherwise PKIX_FALSE is stored at "pMatch".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CRLSelector whose MatchCallback logic and parameters are
+ *      to be used. Must be non-NULL.
+ *  "crl"
+ *      Address of CRL that is to be matched using "selector". Must be non-NULL.
+ *  "pMatch"
+ *      Address at which Boolean result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same objects.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_CRLSelector_MatchCallback)(
+        PKIX_CRLSelector *selector,
+        PKIX_PL_CRL *crl,
+        PKIX_Boolean *pMatch,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CRLSelector_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CRLSelector using the Object pointed to by
+ *  "crlSelectorContext" (if any) and stores it at "pSelector". As noted
+ *  above, by default, the MatchCallback is set to point to the default
+ *  implementation provided by libpkix, which understands how to process
+ *  ComCRLSelParams. This is overridden if the MatchCallback pointed to by
+ *  "callback" is not NULL, in which case the parameters are specified using
+ *  the Object pointed to by "crlSelectorContext".
+ *
+ * PARAMETERS:
+ *  "callback"
+ *      The MatchCallback function to be used.
+ *  "crlSelectorContext"
+ *      Address of Object representing the CRLSelector's context (if any).
+ *  "pSelector"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CRLSelector_Create(
+        PKIX_CRLSelector_MatchCallback callback,
+        PKIX_PL_Object *crlSelectorContext,
+        PKIX_CRLSelector **pSelector,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetMatchCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "selector's" Match callback function and puts it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      The CRLSelector whose Match callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Match callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetMatchCallback(
+        PKIX_CRLSelector *selector,
+        PKIX_CRLSelector_MatchCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_PL_Object representing the context (if any)
+ *  of the CRLSelector pointed to by "selector" and stores it at
+ *  "pCRLSelectorContext".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CRLSelector whose context is to be stored. Must be non-NULL.
+ *  "pCRLSelectorContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetCRLSelectorContext(
+        PKIX_CRLSelector *selector,
+        void **pCRLSelectorContext,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ComCRLSelParams object that represent the common
+ *  parameters of the CRLSelector pointed to by "selector" and stores it at
+ *  "pCommonCRLSelectorParams". If there are no common parameters stored with
+ *  the CRLSelector, this function stores NULL at "pCommonCRLSelectorParams".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CRLSelector whose ComCRLSelParams are to be stored.
+ *      Must be non-NULL.
+ *  "pCommonCRLSelectorParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetCommonCRLSelectorParams(
+        PKIX_CRLSelector *selector,
+        PKIX_ComCRLSelParams **pCommonCRLSelectorParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
+ * DESCRIPTION:
+ *
+ *  Sets the common parameters for the CRLSelector pointed to by "selector"
+ *  using the ComCRLSelParams pointed to by "commonCRLSelectorParams".
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CRLSelector whose common parameters are to be set.
+ *      Must be non-NULL.
+ *  "commonCRLSelectorParams"
+ *      Address of ComCRLSelParams representing the common parameters.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "selector"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_CRLSelector_SetCommonCRLSelectorParams(
+        PKIX_CRLSelector *selector,
+        PKIX_ComCRLSelParams *commonCRLSelectorParams,
+        void *plContext);
+
+/* PKIX_ComCRLSelParams
+ *
+ * PKIX_ComCRLSelParams are X.509 parameters commonly used with CRLSelectors,
+ * especially determining which CRLs to retrieve from a CertStore.
+ * PKIX_ComCRLSelParams are typically used with those CRLSelectors that use
+ * the default implementation of MatchCallback, which understands how to
+ * process ComCRLSelParams.
+ */
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ComCRLSelParams object and stores it at "pParams".
+ *
+ * PARAMETERS:
+ *  "pParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_Create(
+        PKIX_ComCRLSelParams **pParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetIssuerNames
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of X500Names (if any) representing the
+ *  issuer names criterion that is set in the ComCRLSelParams pointed to by
+ *  "params" and stores it at "pNames". In order to match against this
+ *  criterion, a CRL's IssuerName must match at least one of the criterion's
+ *  issuer names.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pNames", in which case all CRLs are considered to match.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose issuer names criterion (if any) is to
+ *      be stored. Must be non-NULL.
+ *  "pNames"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetIssuerNames(
+        PKIX_ComCRLSelParams *params,
+        PKIX_List **pNames,  /* list of PKIX_PL_X500Name */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetIssuerNames
+ * DESCRIPTION:
+ *
+ *  Sets the issuer names criterion of the ComCRLSelParams pointed to by
+ *  "params" using a List of X500Names pointed to by "names". In order to match
+ *  against this criterion, a CRL's IssuerName must match at least one of the
+ *  criterion's issuer names.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose issuer names criterion is to be
+ *      set. Must be non-NULL.
+ *  "names"
+ *      Address of List of X500Names used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetIssuerNames(
+        PKIX_ComCRLSelParams *params,
+        PKIX_List *names,   /* list of PKIX_PL_X500Name */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_AddIssuerName
+ * DESCRIPTION:
+ *
+ *  Adds to the issuer names criterion of the ComCRLSelParams pointed to by
+ *  "params" using the X500Name pointed to by "name". In order to match
+ *  against this criterion, a CRL's IssuerName must match at least one of the
+ *  criterion's issuer names.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose issuer names criterion is to be added
+ *      to. Must be non-NULL.
+ *  "name"
+ *      Address of X500Name to be added.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_AddIssuerName(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_X500Name *name,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetCertificateChecking
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Cert (if any) representing the certificate whose
+ *  revocation status is being checked. This is not a criterion. It is simply
+ *  optional information that may help a CertStore find relevant CRLs.
+ *
+ *  If "params" does not have a certificate set, this function stores NULL at
+ *  "pCert", in which case there is no optional information to provide.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose certificate being checked (if any) is
+ *      to be stored. Must be non-NULL.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetCertificateChecking(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetCertificateChecking
+ * DESCRIPTION:
+ *
+ *  Sets the ComCRLSelParams pointed to by "params" with the certificate
+ *  (pointed to by "cert") whose revocation status is being checked. This is
+ *  not a criterion. It is simply optional information that may help a
+ *  CertStore find relevant CRLs.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose certificate being checked is to be
+ *      set. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert whose revocation status is being checked
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetCertificateChecking(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Cert *cert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Date (if any) representing the dateAndTime
+ *  criterion that is set in the ComCRLSelParams pointed to by "params" and
+ *  stores it at "pDate". In order to match against this criterion, a CRL's
+ *  thisUpdate component must be less than or equal to the criterion's
+ *  dateAndTime and the CRL's nextUpdate component must be later than the
+ *  criterion's dateAndTime. There is no match if the CRL does not contain a
+ *  nextUpdate component.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pDate", in which case all CRLs are considered to match.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose dateAndTime criterion (if any) is to
+ *      be stored. Must be non-NULL.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetDateAndTime(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime
+ * DESCRIPTION:
+ *
+ *  Sets the dateAndTime criterion of the ComCRLSelParams pointed to by
+ *  "params" using a Date pointed to by "date". In order to match against this
+ *  criterion, a CRL's thisUpdate component must be less than or equal to the
+ *  criterion's dateAndTime and the CRL's nextUpdate component must be later
+ *  than the criterion's dateAndTime. There is no match if the CRL does not
+ *  contain a nextUpdate component.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose dateAndTime criterion is to be
+ *      set. Must be non-NULL.
+ *  "date"
+ *      Address of Date used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetDateAndTime(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Date *date,
+        void *plContext);
+
+/* 
+ * FUNCTION: PKIX_ComCRLSelParams_GetNISTPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Boolean representing the NIST CRL policy
+ *  activation flag that is set in the ComCRLSelParams pointed to by "params"
+ *  and stores it at "enabled". If enabled, a CRL must have nextUpdate field.
+ *
+ *  Default value for this flag is TRUE.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose NIST CRL policy criterion  is to
+ *      be stored. Must be non-NULL.
+ *  "pEnabled"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Sets the NIST crl policy criterion of the ComCRLSelParams pointed to by
+ *  "params" using a "enabled" flag. In order to match against this
+ *  criterion, a CRL's nextUpdate must be available and criterion's
+ *  dataAndTime must be within thisUpdate and nextUpdate time period.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose NIST CRL policy criterion
+ *      is to be set. Must be non-NULL.
+ *  "enabled"
+ *      Address of Bollean used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean enabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the BigInt (if any) representing the maxCRLNumber
+ *  criterion that is set in the ComCRLSelParams pointed to by "params" and
+ *  stores it at "pNumber". In order to match against this criterion, a CRL
+ *  must have a CRL number extension whose value is less than or equal to the
+ *  criterion's value.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pNumber", in which case all CRLs are considered to match.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose maxCRLNumber criterion (if any) is to
+ *      be stored. Must be non-NULL.
+ *  "pNumber"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetMaxCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt **pNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetMaxCRLNumber
+ * DESCRIPTION:
+ *
+ *  Sets the maxCRLNumber criterion of the ComCRLSelParams pointed to by
+ *  "params" using a BigInt pointed to by "number". In order to match against
+ *  this criterion, a CRL must have a CRL number extension whose value is less
+ *  than or equal to the criterion's value.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose maxCRLNumber criterion is to be
+ *      set. Must be non-NULL.
+ *  "number"
+ *      Address of BigInt used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetMaxCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt *number,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetMinCRLNumber
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the BigInt (if any) representing the minCRLNumber
+ *  criterion that is set in the ComCRLSelParams pointed to by "params" and
+ *  stores it at "pNumber". In order to match against this criterion, a CRL
+ *  must have a CRL number extension whose value is greater than or equal to
+ *  the criterion's value.
+ *
+ *  If "params" does not have this criterion set, this function stores NULL at
+ *  "pNumber", in which case all CRLs are considered to match.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParams whose minCRLNumber criterion (if any) is to
+ *      be stored. Must be non-NULL.
+ *  "pNumber"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetMinCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt **pNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetMinCRLNumber
+ * DESCRIPTION:
+ *
+ *  Sets the minCRLNumber criterion of the ComCRLSelParams pointed to by
+ *  "params" using a BigInt pointed to by "number". In order to match against
+ *  this criterion, a CRL must have a CRL number extension whose value is
+ *  greater than or equal to the criterion's value.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCRLSelParamsParams whose minCRLNumber criterion is to be
+ *      set. Must be non-NULL.
+ *  "number"
+ *      Address of BigInt used to set the criterion
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetMinCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt *number,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CRLSEL_H */
diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h
new file mode 100755
index 000000000..c2226d72c
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -0,0 +1,1087 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file is intended to be included after different definitions of
+ * PKIX_ERRORENTRY. It is included in pkixt.h to define a number for each error
+ * by defining PKIX_ERRORENTRY(x,y) as PKIX_ ## x  and then listing thim within
+ * an enum. It is included in pkix_error.c to define an array of error strings
+ * by defining PKIX_ERRORENTRY(x,y) #y and then listing thim within an array
+ * const char * const PKIX_ErrorText[]
+ */
+/* ALLOCERROR should always be the first */
+PKIX_ERRORENTRY(ALLOCERROR,Allocation Error,SEC_ERROR_NO_MEMORY),
+PKIX_ERRORENTRY(ADDHEADERFUNCTIONNOTSUPPORTED,AddHeader function not supported,0),
+PKIX_ERRORENTRY(ADDTOVERIFYLOGFAILED,pkix_AddToVerifyLog failed,0),
+PKIX_ERRORENTRY(AIAMGRCREATEFAILED,PKIX_PL_AIAMgr_Create failed,0),
+PKIX_ERRORENTRY(AIAMGRFINDLDAPCLIENTFAILED,pkix_pl_AiaMgr_FindLDAPClient failed,0),
+PKIX_ERRORENTRY(AIAMGRGETAIACERTSFAILED,PKIX_PL_AIAMgr_GetAIACerts failed,SEC_ERROR_UNKNOWN_ISSUER),
+PKIX_ERRORENTRY(AIAMGRGETHTTPCERTSFAILED,pkix_pl_AIAMgr_GetHTTPCerts failed,0),
+PKIX_ERRORENTRY(AIAMGRGETLDAPCERTSFAILED,pkix_pl_AIAMgr_GetLDAPCerts failed,0),
+PKIX_ERRORENTRY(ALGORITHMBYTESLENGTH0,Algorithm bytes length is 0,0),
+PKIX_ERRORENTRY(ALLOCATENEWCERTGENERALNAMEFAILED,Allocate new CERTGeneralName failed,0),
+PKIX_ERRORENTRY(AMBIGUOUSPARENTAGEOFVERIFYNODE,Ambiguous parentage of VerifyNode,0),
+PKIX_ERRORENTRY(ANCHORDIDNOTCHAINTOCERT,Anchor did not chain to Cert,0),
+PKIX_ERRORENTRY(ANCHORDIDNOTPASSCERTSELECTORCRITERIA,Anchor did not pass CertSelector criteria,0),
+PKIX_ERRORENTRY(APPENDLISTFAILED,pkix_pl_AppendList failed,0),
+PKIX_ERRORENTRY(ARGUMENTNOTSTRING,Argument is not a String,0),
+PKIX_ERRORENTRY(ARGUMENTSNOTBIGINTS,Arguments are not BigInts,0),
+PKIX_ERRORENTRY(ARGUMENTSNOTBYTEARRAYS,Arguments are not Byte Arrays,0),
+PKIX_ERRORENTRY(ARGUMENTSNOTDATES,Arguments are not Dates,0),
+PKIX_ERRORENTRY(ARGUMENTSNOTOIDS,Arguments are not OIDs,0),
+PKIX_ERRORENTRY(ATTEMPTTOADDDUPLICATEKEY,Attempt to add duplicate key,0),
+PKIX_ERRORENTRY(ATTEMPTTODECODEANINCOMPLETERESPONSE,Attempt to decode an incomplete response,SEC_ERROR_BAD_DER),
+PKIX_ERRORENTRY(ATTEMPTTODECREFALLOCERROR,Attempt to DecRef Alloc Error,0),
+PKIX_ERRORENTRY(ATTEMPTTOINCREFALLOCERROR,Attempt to IncRef Alloc Error,0),
+PKIX_ERRORENTRY(BADHTTPRESPONSE,Bad Http Response,SEC_ERROR_BAD_HTTP_RESPONSE),
+PKIX_ERRORENTRY(BASICCONSTRAINTSCHECKERINITIALIZEFAILED,pkix_BasicConstraintsChecker_Initialize failed,0),
+PKIX_ERRORENTRY(BASICCONSTRAINTSCHECKERSTATECREATEFAILED,PKIX_BasicConstraintsCheckerState_Create failed,0),
+PKIX_ERRORENTRY(BASICCONSTRAINTSGETCAFLAGFAILED,PKIX_PL_BasicConstraints_GetCAFlag failed,0),
+PKIX_ERRORENTRY(BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED,PKIX_PL_BasicConstraints_GetPathLenConstraint failed,0),
+PKIX_ERRORENTRY(BASICCONSTRAINTSVALIDATIONFAILEDCA,PKIX_BasicConstraints validation failed: CA Flag not set,SEC_ERROR_CA_CERT_INVALID),
+PKIX_ERRORENTRY(BASICCONSTRAINTSVALIDATIONFAILEDLN,PKIX_BasicConstraints validation failed: maximum length mismatch,SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID),
+PKIX_ERRORENTRY(BIGINTCOMPARATORFAILED,pkix_pl_BigInt_Comparator failed,0),
+PKIX_ERRORENTRY(BIGINTCREATEWITHBYTESFAILED,pkix_pl_BigInt_CreateWithBytes failed,0),
+PKIX_ERRORENTRY(BIGINTEQUALSFAILED,PKIX_PL_BigInt_Equals failed,0),
+PKIX_ERRORENTRY(BIGINTLENGTH0INVALID,BigInt length 0 is invalid,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(BIGINTTOSTRINGFAILED,pkix_pl_BigInt_ToString failed,0),
+PKIX_ERRORENTRY(BIGINTTOSTRINGHELPERFAILED,PKIX_PL_BigInt_ToString_Helper failed,0),
+PKIX_ERRORENTRY(BINDREJECTEDBYSERVER,BIND rejected by server,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(BUILDANDVALIDATECHAINFAILED,Failed to build and validate a chain,0),
+PKIX_ERRORENTRY(BUILDBUILDSELECTORANDPARAMSFAILED,pkix_Build_BuildSelectorAndParams failed,0),
+PKIX_ERRORENTRY(BUILDCOMBINEWITHTRUSTFAILED,pkix_Build_CombineWithTrust failed,0),
+PKIX_ERRORENTRY(BUILDFORWARDDEPTHFIRSTSEARCHFAILED,pkix_BuildForwardDepthFirstSearch failed,0),
+PKIX_ERRORENTRY(BUILDGATHERCERTSFAILED,pkix_Build_GatherCerts failed,0),
+PKIX_ERRORENTRY(BUILDGETRESOURCELIMITSFAILED,pkix_Build_GetResourceLimits failed,0),
+PKIX_ERRORENTRY(BUILDINITIATEBUILDCHAINFAILED,pkix_Build_InitiateBuildChain failed,0),
+PKIX_ERRORENTRY(BUILDRESULTCREATEFAILED,pkix_BuildResult_Create failed,0),
+PKIX_ERRORENTRY(BUILDRESULTGETCERTCHAINFAILED,PKIX_BuildResult_GetCertChain failed,0),
+PKIX_ERRORENTRY(BUILDRESULTGETVALIDATERESULTFAILED,PKIX_BuildResult_GetValidateResult failed,0),
+PKIX_ERRORENTRY(BUILDREVCHECKPREPFAILED,pkix_Build_RevCheckPrep failed,0),
+PKIX_ERRORENTRY(BUILDSORTCANDIDATECERTSFAILED,pkix_Build_SortCandidateCerts failed,0),
+PKIX_ERRORENTRY(BUILDSTATECREATEFAILED,pkix_BuildState_Create failed,0),
+PKIX_ERRORENTRY(BUILDTRYSHORTCUTFAILED,pkix_Build_TryShortcut failed,0),
+PKIX_ERRORENTRY(BUILDUPDATEDATEFAILED,pkix_Build_UpdateDate failed,0),
+PKIX_ERRORENTRY(BUILDVALIDATEENTIRECHAINFAILED,pkix_Build_ValidateEntireChain failed,0),
+PKIX_ERRORENTRY(BUILDVALIDATIONCHECKERSFAILED,pkix_Build_ValidationCheckers failed,0),
+PKIX_ERRORENTRY(BUILDVERIFYCERTIFICATEFAILED,pkix_Build_VerifyCertificate failed,0),
+PKIX_ERRORENTRY(BYTEARRAYCOMPARATORFAILED,pkix_pl_ByteArray_Comparator failed,0),
+PKIX_ERRORENTRY(BYTEARRAYCREATEFAILED,PKIX_PL_ByteArray_Create failed,0),
+PKIX_ERRORENTRY(BYTEARRAYEQUALSFAILED,PKIX_PL_ByteArray_Equals failed,0),
+PKIX_ERRORENTRY(BYTEARRAYGETLENGTHFAILED,PKIX_PL_ByteArray_GetLength failed,0),
+PKIX_ERRORENTRY(BYTEARRAYGETPOINTERFAILED,PKIX_PL_ByteArray_GetPointer failed,0),
+PKIX_ERRORENTRY(BYTEARRAYTOHEXSTRINGFAILED,pkix_pl_ByteArray_ToHexString failed,0),
+PKIX_ERRORENTRY(BYTEARRAYTOSTRINGFAILED,PKIX_PL_ByteArray_ToString failed,0),
+PKIX_ERRORENTRY(CACHECERTADDFAILED,pkix_CacheCert_Add failed,0),
+PKIX_ERRORENTRY(CACHECERTCHAINADDFAILED,pkix_CacheCertChain_Add failed,0),
+PKIX_ERRORENTRY(CACHECERTCHAINLOOKUPFAILED,pkix_CacheCertChain_Lookup failed,0),
+PKIX_ERRORENTRY(CACHECERTCHAINREMOVEFAILED,pkix_CacheCertChain_Remove failed,0),
+PKIX_ERRORENTRY(CACHECRLENTRYADDFAILED,pkix_CacheCrlEntry_Add failed,0),
+PKIX_ERRORENTRY(CACHECRLENTRYLOOKUPFAILED,pkix_CacheCrlEntry_Lookup failed,0),
+PKIX_ERRORENTRY(CALLOCFAILED,PKIX_PL_Calloc failed,0),
+PKIX_ERRORENTRY(CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES, Fail to convert certificate usage to pkix KU and EKU,0),
+PKIX_ERRORENTRY(CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY,Cannot open CollectionCertStoreContext directory,0),
+PKIX_ERRORENTRY(CANTCREATESTRING,Cannot create PKIX_PL_String,0),
+PKIX_ERRORENTRY(CANTDECODEBINDRESPONSEFROMSERVER,Cannot decode BIND response from server,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(CANTDECODESEARCHRESPONSEFROMSERVER,Cannot decode SEARCH response from server,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(CANTENABLEREVOCATIONWITHOUTCERTSTORE,Cannot enable Revocation without CertStore,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(CANTLOADLIBSMIME,Cannot load smime3 library,0),
+PKIX_ERRORENTRY(CANTREREGISTERSYSTEMTYPE,Cannot reregister system type,0),
+PKIX_ERRORENTRY(CERTARECERTPOLICIESCRITICALFAILED,PKIX_PL_Cert_AreCertPoliciesCritical failed,0),
+PKIX_ERRORENTRY(CERTBASICCONSTRAINTSCREATEFAILED,pkix_pl_CertBasicConstraints_Create failed,0),
+PKIX_ERRORENTRY(CERTBASICCONSTRAINTSTOSTRINGFAILED,PKIX_PL_CertBasicConstraints_ToString failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERCHECKCALLBACKFAILED,PKIX_CertChainChecker_CheckCallback failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERCHECKFAILED,PKIX_CertChainChecker_Check failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERCREATEFAILED,PKIX_CertChainChecker_Create failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_GetCertChainCheckerState failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERGETCHECKCALLBACKFAILED,PKIX_CertChainChecker_GetCheckCallback failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED,PKIX_CertChainChecker_GetSupportedExtensions failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED,PKIX_CertChainChecker_IsForwardCheckingSupported failed,0),
+PKIX_ERRORENTRY(CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_SetCertChainCheckerState failed,0),
+PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION,CertChain fails Certificate Policy validation,SEC_ERROR_POLICY_VALIDATION_FAILED),
+PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain,0),
+PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain,0),
+PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed,SEC_ERROR_EXPIRED_CERTIFICATE),
+PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTCHECKNAMECONSTRAINTSFAILED,PKIX_PL_Cert_CheckNameConstraints failed,0),
+PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,SEC_ERROR_CERT_NOT_VALID),
+PKIX_ERRORENTRY(CERTCOMPLETECRLDECODEDENTRIESFAILED,CERT_CompleteCRLDecodedEntries failed,0),
+PKIX_ERRORENTRY(CERTCOPYNAMECONSTRAINTFAILED,CERT_CopyNameConstraint failed,0),
+PKIX_ERRORENTRY(CERTCOPYNAMEFAILED,CERT_CopyName failed,0),
+PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed,0),
+PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed,0),
+PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed,0),
+PKIX_ERRORENTRY(CERTCREATEWITHNSSCERTFAILED,pkix_pl_Cert_CreateWithNSSCert failed,0),
+PKIX_ERRORENTRY(CERTDECODEALTNAMEEXTENSIONFAILED,CERT_DecodeAltNameExtension failed,0),
+PKIX_ERRORENTRY(CERTDECODECERTIFICATEPOLICIESEXTENSIONFAILED,CERT_DecodeCertificatePoliciesExtension failed,0),
+PKIX_ERRORENTRY(CERTDECODEDERCERTIFICATEFAILED,CERT_DecodeDERCertificate failed,0),
+PKIX_ERRORENTRY(CERTDECODEDERCRLFAILED,CERT_DecodeDERCrl failed,0),
+PKIX_ERRORENTRY(CERTDECODEINHIBITANYEXTENSIONFAILED,CERT_DecodeInhibitAnyExtension failed,0),
+PKIX_ERRORENTRY(CERTDECODEINHIBITANYPOLICYFAILED,pkix_pl_Cert_DecodeInhibitAnyPolicy failed,0),
+PKIX_ERRORENTRY(CERTDECODEOIDSEQUENCEFAILED,CERT_DecodeOidSequence failed,0),
+PKIX_ERRORENTRY(CERTDECODEPOLICYCONSTRAINTSEXTENSIONFAILED,CERT_DecodePolicyConstraintsExtension failed,0),
+PKIX_ERRORENTRY(CERTDECODEPOLICYCONSTRAINTSFAILED,pkix_pl_Cert_DecodePolicyConstraints failed,0),
+PKIX_ERRORENTRY(CERTDECODEPOLICYINFOFAILED,pkix_pl_Cert_DecodePolicyInfo failed,0),
+PKIX_ERRORENTRY(CERTDECODEPOLICYMAPPINGFAILED,pkix_pl_Cert_DecodePolicyMapping failed,0),
+PKIX_ERRORENTRY(CERTDECODEPOLICYMAPPINGSEXTENSIONFAILED,CERT_DecodePolicyMappingsExtension failed,0),
+PKIX_ERRORENTRY(CERTEQUALSFAILED,pkix_pl_Cert_Equals failed,0),
+PKIX_ERRORENTRY(CERTFAILEDNAMECONSTRAINTSCHECKING,Cert failed NameConstraints checking,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
+PKIX_ERRORENTRY(CERTGETALLSUBJECTNAMESFAILED,PKIX_PL_Cert_GetAllSubjectNames failed,0),
+PKIX_ERRORENTRY(CERTGETAUTHORITYINFOACCESSFAILED,PKIX_PL_Cert_GetAuthorityInfoAccess failed,0),
+PKIX_ERRORENTRY(CERTGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetAuthorityKeyIdentifier failed,0),
+PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTFAILED,PKIX_PL_Cert_GetBasicConstraint failed,0),
+PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTSFAILED,PKIX_PL_Cert_GetBasicConstraints failed,0),
+PKIX_ERRORENTRY(CERTGETCACHEFLAGFAILED,PKIX_Cert_GetCacheFlag failed,0),
+PKIX_ERRORENTRY(CERTGETCERTCERTIFICATEFAILED,PKIX_PL_Cert_GetCERTCertificate failed,0),
+PKIX_ERRORENTRY(CERTGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_Cert_GetCriticalExtensionOIDs failed,0),
+PKIX_ERRORENTRY(CERTGETEXTENDEDKEYUSAGEFAILED,PKIX_PL_Cert_GetExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTGETINHIBITANYPOLICYFAILED,PKIX_PL_Cert_GetInhibitAnyPolicy failed,0),
+PKIX_ERRORENTRY(CERTGETISSUERFAILED,PKIX_PL_Cert_GetIssuer failed,0),
+PKIX_ERRORENTRY(CERTGETNAMECONSTRAINTSFAILED,PKIX_PL_CertGetNameConstraints failed,0),
+PKIX_ERRORENTRY(CERTGETNSSSUBJECTALTNAMESFAILED,pkix_pl_Cert_GetNssSubjectAltNames failed,0),
+PKIX_ERRORENTRY(CERTGETPOLICYINFORMATIONFAILED,PKIX_PL_Cert_GetPolicyInformation failed,0),
+PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGINHIBITEDFAILED,PKIX_PL_Cert_GetPolicyMappingInhibited failed,0),
+PKIX_ERRORENTRY(CERTGETPOLICYMAPPINGSFAILED,PKIX_PL_Cert_GetPolicyMappings failed,0),
+PKIX_ERRORENTRY(CERTGETREQUIREEXPLICITPOLICYFAILED,PKIX_PL_Cert_GetRequireExplicitPolicy failed,0),
+PKIX_ERRORENTRY(CERTGETSERIALNUMBERFAILED,PKIX_PL_Cert_GetSerialNumber failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJALTNAMESFAILED,PKIX_PL_Cert_GetSubjAltNames failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTALTNAMESFAILED,PKIX_PL_Cert_GetSubjectAltNames failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTFAILED,PKIX_PL_Cert_GetSubject failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTINFOACCESSFAILED,PKIX_PL_Cert_GetSubjectInfoAccess failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetSubjectKeyIdentifier failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTPUBLICKEYALGIDFAILED,PKIX_PL_Cert_GetSubjectPublicKeyAlgId failed,0),
+PKIX_ERRORENTRY(CERTGETSUBJECTPUBLICKEYFAILED,PKIX_PL_Cert_GetSubjectPublicKey failed,0),
+PKIX_ERRORENTRY(CERTGETVALIDITYNOTAFTERFAILED,PKIX_PL_Cert_GetValidityNotAfter failed,0),
+PKIX_ERRORENTRY(CERTGETVERSIONFAILED,PKIX_PL_Cert_GetVersion failed,0),
+PKIX_ERRORENTRY(CERTHASHCODEFAILED,PKIX_PL_Cert_Hashcode failed,0),
+PKIX_ERRORENTRY(CERTIFICATEDOESNTHAVEVALIDCRL,Certificate does not have a valid CRL,SEC_ERROR_CRL_NOT_FOUND),
+PKIX_ERRORENTRY(CERTIFICATEREVOKEDBYCRL,Certificate is revoked by CRL for key compromise,SEC_ERROR_REVOKED_CERTIFICATE),
+PKIX_ERRORENTRY(CERTIMPORTCERTIFICATEFUNCTIONFAILED,CERTImportCertificate function failed,0),
+PKIX_ERRORENTRY(CERTISCERTTRUSTEDFAILED,PKIX_PL_Cert_IsCertTrusted failed,SEC_ERROR_UNTRUSTED_CERT),
+PKIX_ERRORENTRY(CERTISEXTENSIONCRITICALFAILED,pkix_pl_Cert_IsExtensionCritical failed,0),
+PKIX_ERRORENTRY(CERTMERGENAMECONSTRAINTSFAILED,PKIX_PL_Cert_MergeNameConstraints failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED,PKIX_PL_CertNameConstraints_CheckNameInNameSpace failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED,PKIX_PL_CertNameConstraints_CheckNamesInNameSpace failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCHECKNAMESPACENSSNAMESFAILED,pkix_pl_CertNameConstraints_CheckNameSpaceNssNames failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED,pkix_pl_CertNameConstraints_CopyNssNameConstraints failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEBYMERGEFAILED,pkix_pl_CertNameConstraints_CreateByMerge failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEFAILED,pkix_pl_CertNameConstraints_Create failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSCREATEHELPERFAILED,pkix_pl_CertNameConstraints_Create_Helper failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSGETEXCLUDEDFAILED,pkix_pl_CertNameConstraints_GetExcluded failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSGETPERMITTEDFAILED,pkix_pl_CertNameConstraints_GetPermitted failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSMERGEFAILED,pkix_pl_CertNameConstraints_Merge failed,0),
+PKIX_ERRORENTRY(CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED,pkix_pl_CertNameConstraints_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CERTNAMETOASCIIFAILED,CERT_NameToAscii failed,0),
+PKIX_ERRORENTRY(CERTNOTALLOWEDTOSIGNCERTIFICATES,Cert not allowed to sign certificates,SEC_ERROR_CA_CERT_INVALID),
+PKIX_ERRORENTRY(CERTPOLICYINFOCREATEFAILED,pkix_pl_CertPolicyInfo_Create failed,0),
+PKIX_ERRORENTRY(CERTPOLICYINFOGETPOLICYIDFAILED,PKIX_PL_CertPolicyInfo_GetPolicyId failed,0),
+PKIX_ERRORENTRY(CERTPOLICYINFOGETPOLQUALIFIERSFAILED,PKIX_PL_CertPolicyInfo_GetPolQualifiers failed,0),
+PKIX_ERRORENTRY(CERTPOLICYMAPCREATEFAILED,pkix_pl_CertPolicyMap_Create failed,0),
+PKIX_ERRORENTRY(CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED,PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy failed,0),
+PKIX_ERRORENTRY(CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED,PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy failed,0),
+PKIX_ERRORENTRY(CERTPOLICYQUALIFIERCREATEFAILED,pkix_pl_CertPolicyQualifier_Create failed,0),
+PKIX_ERRORENTRY(CERTREJECTEDBYREVOCATIONCHECKER,Cert rejected by revocation checker,0),
+PKIX_ERRORENTRY(CERTSELECTORCHECKFAILED,Validation failed: CertSelector check failed,0),
+PKIX_ERRORENTRY(CERTSELECTORCREATEFAILED,PKIX_CertSelector_Create failed,0),
+PKIX_ERRORENTRY(CERTSELECTORFAILED,certSelector failed,0),
+PKIX_ERRORENTRY(CERTSELECTORGETCOMCERTSELPARAMSFAILED,PKIX_CertSelector_GetComCertSelParams failed,0),
+PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED,PKIX_CertSelector_GetCommonCertSelectorParam failed,0),
+PKIX_ERRORENTRY(CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_GetCommonCertSelectorParams failed,0),
+PKIX_ERRORENTRY(CERTSELECTORGETMATCHCALLBACKFAILED,PKIX_CertSelector_GetMatchCallback failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKeyId failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJALTNAMESFAILED,pkix_CertSelector_Match_SubjAltNames failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJKEYIDFAILED,pkix_CertSelector_Match_SubjKeyId failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPKALGIDFAILED,pkix_CertSelector_Match_SubjPKAlgId failed,0),
+PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPUBKEYFAILED,pkix_CertSelector_Match_SubjPubKey failed,0),
+PKIX_ERRORENTRY(CERTSELECTORSELECTFAILED,pkix_CertSelector_Select failed,0),
+PKIX_ERRORENTRY(CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_SetCommonCertSelectorParams failed,0),
+PKIX_ERRORENTRY(CERTSETCACHEFLAGFAILED,PKIX_PL_Cert_SetCacheFlag failed,0),
+PKIX_ERRORENTRY(CERTSETTRUSTCERTSTOREFAILED,PKIX_PL_Cert_SetTrustCertStore failed,0),
+PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFAILED,PKIX_CertStore_CertContinue failed,0),
+PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFUNCTIONFAILED,PKIX_CertStore_CertContinueFunction failed,0),
+PKIX_ERRORENTRY(CERTSTORECREATEFAILED,PKIX_CertStore_Create failed,0),
+PKIX_ERRORENTRY(CERTSTORECRLCONTINUEFAILED,PKIX_CertStore_CrlContinue failed,0),
+PKIX_ERRORENTRY(CERTSTOREEQUALSFAILED,pkix_CertStore_Equals failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETCERTCALLBACKFAILED,PKIX_CertStore_GetCertCallback failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECACHEFLAGFAILED,PKIX_CertStore_GetCertStoreCacheFlag failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETCERTSTORECONTEXTFAILED,PKIX_CertStore_GetCertStoreContext failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETCRLCALLBACKFAILED,PKIX_CertStore_GetCRLCallback failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETLOCALFLAGFAILED,PKIX_CertStore_GetLocalFlag failed,0),
+PKIX_ERRORENTRY(CERTSTOREGETTRUSTCALLBACKFAILED,PKIX_CertStore_GetTrustCallback failed,0),
+PKIX_ERRORENTRY(CERTSTOREHASHCODEFAILED,pkix_CertStore_Hashcode failed,0),
+PKIX_ERRORENTRY(CERTTOSTRINGFAILED,PKIX_PL_Cert_ToString failed,0),
+PKIX_ERRORENTRY(CERTTOSTRINGHELPERFAILED,pkix_pl_Cert_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CERTVERIFYKEYUSAGEFAILED,PKIX_PL_Cert_VerifyKeyUsage failed,0),
+PKIX_ERRORENTRY(CERTVERIFYSIGNATUREFAILED,PKIX_PL_Cert_VerifySignature failed,0),
+PKIX_ERRORENTRY(CHAINREJECTEDBYREVOCATIONCHECKER,Chain rejected by Revocation Checker,0),
+PKIX_ERRORENTRY(CHECKCERTAGAINSTANCHORFAILED,pkix_CheckCertAgainstAnchor failed,0),
+PKIX_ERRORENTRY(CHECKCERTFAILED,pkix_CheckCert failed,0),
+PKIX_ERRORENTRY(CHECKCHAINFAILED,pkix_CheckChain failed,0),
+PKIX_ERRORENTRY(CHECKTRUSTCALLBACKFAILED,CheckTrustCallback failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECERTFAILED,pkix_pl_CollectionCertStoreContext_CreateCert failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTCREATECRLFAILED,pkix_pl_CollectionCertStoreContext_CreateCRL failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTGETSELECTCERTFAILED,pkix_pl_CollectionCertStoreContext_GetSelectCert failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTGETSELECTCRLFAILED,pkix_pl_CollectionCertStoreContext_GetSelectCRL failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTPOPULATECERTFAILED,pkix_pl_CollectionCertStoreContext_PopulateCert failed,0),
+PKIX_ERRORENTRY(COLLECTIONCERTSTORECONTEXTPOPULATECRLFAILED,pkix_pl_CollectionCertStoreContext_PopulateCRL failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSCREATEFAILED,PKIX_ComCertSelParams_Create failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetAuthorityKeyIdentifier failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_GetBasicConstraints failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEFAILED,PKIX_ComCertSelParams_GetCertificate failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_GetCertificateValid failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED,PKIX_ComCertSelParams_GetExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETISSUERFAILED,PKIX_ComCertSelParams_GetIssuer failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETKEYUSAGEFAILED,PKIX_ComCertSelParams_GetKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetMatchAllSubjAltNames failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED,PKIX_ComCertSelParams_GetNameConstraints failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETPATHTONAMESFAILED,PKIX_ComCertSelParams_GetPathToNames failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETPOLICYFAILED,PKIX_ComCertSelParams_GetPolicy failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSERIALNUMBERFAILED,PKIX_ComCertSelParams_GetSerialNumber failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetSubjAltNames failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJECTFAILED,PKIX_ComCertSelParams_GetSubject failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED,PKIX_ComCertSelParams_GetSubjKeyIdentifier failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPKALGIDFAILED,PKIX_ComCertSelParams_GetSubjPKAlgId failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETSUBJPUBKEYFAILED,PKIX_ComCertSelParams_GetSubjPubKey failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSGETVERSIONFAILED,PKIX_ComCertSelParams_GetVersion failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETBASICCONSTRAINTSFAILED,PKIX_ComCertSelParams_SetBasicConstraints failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCertificate failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed,0),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSADDISSUERNAMEFAILED,PKIX_ComCRLSelParams_AddIssuerName failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSCREATEFAILED,PKIX_ComCRLSelParams_Create failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSEQUALSFAILED,pkix_ComCRLSelParams_Equals failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSGETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_GetDateAndTime failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSGETISSUERNAMESFAILED,PKIX_ComCRLSelParams_GetIssuerNames failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSGETMAXCRLNUMBERFAILED,PKIX_ComCRLSelParams_GetMaxCRLNumber failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSGETMINCRLNUMBERFAILED,PKIX_ComCRLSelParams_GetMinCRLNumber failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED,PKIX_ComCRLSelParams_GetNISTPolicyEnabled failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSSETDATEANDTIMEFAILED,PKIX_ComCRLSelParams_SetDateAndTime failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSTOSTRINGFAILED,pkix_ComCRLSelParams_ToString failed,0),
+PKIX_ERRORENTRY(COMCRLSELPARAMSTOSTRINGHELPERFAILED,pkix_ComCRLSelParams_ToString_Helper failed,0),
+PKIX_ERRORENTRY(COMPARATORCALLBACKFAILED,comparator callback failed,0),
+PKIX_ERRORENTRY(CONTENTTYPENOTPKCS7MIME,Content type is not application/pkcs7-mime,0),
+PKIX_ERRORENTRY(CONTENTTYPENOTPKIXCRL,Content type is not application/pkix-crl,SEC_ERROR_BAD_HTTP_RESPONSE),
+PKIX_ERRORENTRY(COULDNOTALLOCATEMEMORY,Could not allocate memory,0),
+PKIX_ERRORENTRY(COULDNOTALLOCATENEWSTRINGOBJECT,Could not allocate new string object,0),
+PKIX_ERRORENTRY(COULDNOTAPPENDCHILDTOPARENTSPOLICYNODELIST,Could not append child to parent PolicyNode list,0),
+PKIX_ERRORENTRY(COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST,Could not append child to parent VerifyNode list,0),
+PKIX_ERRORENTRY(COULDNOTCREATEAIAMGROBJECT,Could not create AiaMgr object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT,Could not create basic constraints state object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEBUILDPARAMSOBJECT,Could not create build params object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEBUILDRESULTOBJECT,Could not create build result object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTBASICCONSTRAINTSOBJECT,Could not create a CertBasicConstraints object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTCHAINCHECKEROBJECT,Could not create cert chain checker object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTNAMECONSTRAINTSOBJECT,Could not create CertNameConstraints object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYINFOOBJECT,Could not create a CertPolicyInfo object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYMAPOBJECT,Could not create a CertPolicyMap object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTPOLICYQUALIFIEROBJECT,Could not create a CertPolicyQualifier object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTSELECTOROBJECT,Could not create cert selector object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECERTSTOREOBJECT,Could not create CertStore object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECOLLECTIONCERTSTORECONTEXTOBJECT,Could not create CollectionCertStoreContext object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECOMMONCERTSELPARAMSOBJECT,Could not create common certsel params object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECOMMONCRLSELECTORPARAMSOBJECT,Could not create common crl selector params object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECRLENTRYOBJECT,Could not create CRLENTRY object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECRLOBJECT,Could not create CRL object,0),
+PKIX_ERRORENTRY(COULDNOTCREATECRLSELECTOROBJECT,Could not create CRLSelector object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT,Could not create DefaultCRLCheckerState object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEDEFAULTREVOCATIONCHECKEROBJECT,Could not create DefaultRevocationChecker object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEEKUCHECKERSTATEOBJECT,Could not create EkuCheckerState object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEFORWARDBUILDERSTATEOBJECT,Could not create forwardBuilder state object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEHASHTABLEOBJECT,Could not create HashTable object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEHTTPDEFAULTCLIENTOBJECT,Could not create HttpDefaultClient object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEINFOACCESSOBJECT,Could not create InfoAccess object,0),
+PKIX_ERRORENTRY(COULDNOTCREATELDAPDEFAULTCLIENTOBJECT,Could not create LdapDefaultClient object,0),
+PKIX_ERRORENTRY(COULDNOTCREATELOCKOBJECT,Could not create lock object,0),
+PKIX_ERRORENTRY(COULDNOTCREATELOGGEROBJECT,Could not create Logger object,0),
+PKIX_ERRORENTRY(COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT,Could not create NameConstraintsCheckerState object,0),
+PKIX_ERRORENTRY(COULDNOTCREATENSSDN,Could not create NSS DN,0),
+PKIX_ERRORENTRY(COULDNOTCREATEOBJECT,Could not create object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEOBJECTSTORAGE,Could not create object storage,0),
+PKIX_ERRORENTRY(COULDNOTCREATEPOLICYCHECKERSTATEOBJECT,Could not create policyChecker state object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEPOLICYNODEOBJECT,Could not create a PolicyNode object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEPROCESSINGPARAMSOBJECT,Could not create processing params object,0),
+PKIX_ERRORENTRY(COULDNOTCREATERESOURCELIMITOBJECT,Could not create ResourceLimit object,0),
+PKIX_ERRORENTRY(COULDNOTCREATESIGNATURECHECKERSTATEOBJECT,Could not create SignatureCheckerState object,0),
+PKIX_ERRORENTRY(COULDNOTCREATESOCKETOBJECT,Could not create Socket object,0),
+PKIX_ERRORENTRY(COULDNOTCREATESTRING,Could not create string,0),
+PKIX_ERRORENTRY(COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT,Could not create target cert checker state object,0),
+PKIX_ERRORENTRY(COULDNOTCREATETRUSTANCHOROBJECT,Could not create trust anchor object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEVALIDATEPARAMSOBJECT,Could not create validate params object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEVALIDATERESULTOBJECT,Could not create validate result object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEVERIFYNODEOBJECT,Could not create a VerifyNode object,0),
+PKIX_ERRORENTRY(COULDNOTCREATEX500NAMEOBJECT,Could not create X500Name object,0),
+PKIX_ERRORENTRY(COULDNOTGETFIRSTOBJECTTYPE,Could not get first object type,0),
+PKIX_ERRORENTRY(COULDNOTGETSECONDOBJECTTYPE,Could not get second object type,0),
+PKIX_ERRORENTRY(COULDNOTGETTYPEOFSECONDARGUMENT,Could not get type of second argument,0),
+PKIX_ERRORENTRY(COULDNOTLOOKUPINHASHTABLE,Could not lookup in hashtable,0),
+PKIX_ERRORENTRY(COULDNOTMALLOCNEWKEY,Could not malloc new key,0),
+PKIX_ERRORENTRY(COULDNOTTESTWHETHERKEYSEQUAL,Could not test whether keys are equal,0),
+PKIX_ERRORENTRY(CREATECERTFAILED,CreateCert failed,0),
+PKIX_ERRORENTRY(CREATECRLSELECTORDUPLICATEOBJECTFAILED,Create CRLSelector Duplicate Object failed,0),
+PKIX_ERRORENTRY(CREATEPROCESSINGPARAMSFAILED,Failed to create processing parameters,0),
+PKIX_ERRORENTRY(CRLCREATEFAILED,PKIX_PL_CRL_Create failed,0),
+PKIX_ERRORENTRY(CRLCREATETOLISTFAILED,pkix_pl_CRL_CreateToList failed,0),
+PKIX_ERRORENTRY(CRLCREATEWITHSIGNEDCRLFAILED,pkix_pl_CRL_CreateWithSignedCRL failed,0),
+PKIX_ERRORENTRY(CRLCRITICALEXTENSIONOIDSNOTPROCESSED,CRL Critical Extension OIDs not processed,0),
+PKIX_ERRORENTRY(CRLENTRYCREATEFAILED,pkix_pl_CRLEntry_Create failed,0),
+PKIX_ERRORENTRY(CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED,CRLEntry Critical Extension was not processed,0),
+PKIX_ERRORENTRY(CRLENTRYEXTENSIONSEQUALSFAILED,PKIX_PL_CRLEntry_Extensions_Equals failed,0),
+PKIX_ERRORENTRY(CRLENTRYEXTENSIONSHASHCODEFAILED,pkix_pl_CRLEntry_Extensions_Hashcode failed,0),
+PKIX_ERRORENTRY(CRLENTRYGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_CRLEntry_GetCriticalExtensionOIDs failed,0),
+PKIX_ERRORENTRY(CRLENTRYGETCRLENTRYREASONCODEFAILED,PKIX_PL_CRLEntry_GetCRLEntryReasonCode failed,0),
+PKIX_ERRORENTRY(CRLENTRYTOSTRINGHELPERFAILED,pkix_pl_CRLEntry_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CRLGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_CRL_GetCriticalExtensionOIDs failed,0),
+PKIX_ERRORENTRY(CRLGETCRLENTRIESFAILED,pkix_pl_CRL_GetCRLEntries failed,0),
+PKIX_ERRORENTRY(CRLGETCRLENTRYFORSERIALNUMBERFAILED,PKIX_PL_CRL_GetCRLEntryForSerialNumber failed,0),
+PKIX_ERRORENTRY(CRLGETCRLNUMBERFAILED,PKIX_PL_CRL_GetCRLNumber failed,0),
+PKIX_ERRORENTRY(CRLGETISSUERFAILED,PKIX_PL_CRL_GetIssuer failed,0),
+PKIX_ERRORENTRY(CRLGETSIGNATUREALGIDFAILED,pkix_pl_CRL_GetSignatureAlgId failed,0),
+PKIX_ERRORENTRY(CRLGETVERSIONFAILED,pkix_pl_CRL_GetVersion failed,0),
+PKIX_ERRORENTRY(CRLMAXNUMBERRANGEMATCHFAILED,CRL MaxNumber Range Match Failed,0),
+PKIX_ERRORENTRY(CRLSELECTORCREATEFAILED,PKIX_CRLSelector_Create failed,0),
+PKIX_ERRORENTRY(CRLSELECTORFAILED,crlSelector failed,0),
+PKIX_ERRORENTRY(CRLSELECTORGETCOMCERTSELPARAMSFAILED,PKIX_CRLSelector_GetComCertSelParams failed,0),
+PKIX_ERRORENTRY(CRLSELECTORGETMATCHCALLBACKFAILED,PKIX_CRLSelector_GetMatchCallback failed,0),
+PKIX_ERRORENTRY(CRLSELECTORMATCHCALLBACKFAILED,PKIX_CRLSelector_MatchCallback failed,0),
+PKIX_ERRORENTRY(CRLSELECTORMATCHFAILED,crlSelectorMatch failed,0),
+PKIX_ERRORENTRY(CRLSELECTORSELECTFAILED,pkix_CRLSelector_Select failed,0),
+PKIX_ERRORENTRY(CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED,PKIX_CRLSelector_SetCommonCRLSelectorParams failed,0),
+PKIX_ERRORENTRY(CRLSELECTORTOSTRINGHELPERFAILED,pkix_CRLSelector_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CRLTOSTRINGHELPERFAILED,pkix_pl_CRL_ToString_Helper failed,0),
+PKIX_ERRORENTRY(CRLVERIFYUPDATETIMEFAILED,pkix_pl_CRL_VerifyUpdateTime failed,0),
+PKIX_ERRORENTRY(DATECREATECURRENTOFFBYSECONDSFAILED,PKIX_PL_Date_Create_CurrentOffBySeconds failed,0),
+PKIX_ERRORENTRY(DATECREATEFROMPRTIMEFAILED,pkix_pl_Date_CreateFromPRTime failed,0),
+PKIX_ERRORENTRY(DATECREATEUTCTIMEFAILED,PKIX_PL_Date_Create_UTCTime failed,0),
+PKIX_ERRORENTRY(DATEEQUALSFAILED,PKIX_PL_Date_Equals failed,0),
+PKIX_ERRORENTRY(DATEGETPRTIMEFAILED,pkix_pl_Date_GetPRTime failed,0),
+PKIX_ERRORENTRY(DATEHASHCODEFAILED,PKIX_PL_Date_Hashcode failed,0),
+PKIX_ERRORENTRY(DATETOSTRINGFAILED,PKIX_Date_ToString failed,0),
+PKIX_ERRORENTRY(DATETOSTRINGHELPERFAILED,pkix_pl_Date_ToString_Helper failed,0),
+PKIX_ERRORENTRY(DECIPHERONLYKEYUSAGENOTSUPPORTED,decipherOnly key usage not supported,0),
+PKIX_ERRORENTRY(DECODINGCERTNAMECONSTRAINTSFAILED,Decoding Cert NameConstraints failed,0),
+PKIX_ERRORENTRY(DEFAULTCRLCHECKERCHECKHELPERFAILED,pkix_DefaultCRLChecker_Check_Helper failed,0),
+PKIX_ERRORENTRY(DEFAULTCRLCHECKERCHECKSETSELECTORFAILED,pkix_DefaultCRLChecker_Check_SetSelector failed,0),
+PKIX_ERRORENTRY(DEFAULTCRLCHECKERCHECKSTOREFAILED,pkix_DefaultCRLChecker_Check_Store failed,0),
+PKIX_ERRORENTRY(DEFAULTCRLCHECKERINITIALIZEFAILED,pkix_DefaultCRLChecker_Initialize failed,0),
+PKIX_ERRORENTRY(DEFAULTCRLCHECKERSTATECREATEFAILED,pkix_DefaultCRLCheckerState_Create failed,0),
+PKIX_ERRORENTRY(DEFAULTREVCHECKERCREATEFAILED,pkix_DefaultRevChecker_Create failed,0),
+PKIX_ERRORENTRY(DEFAULTREVCHECKERINITIALIZEFAILED,pkix_DefaultRevChecker_Initialize failed,0),
+PKIX_ERRORENTRY(DEPTHWOULDEXCEEDRESOURCELIMITS,Depth would exceed Resource Limits,SEC_ERROR_OUT_OF_SEARCH_LIMITS),
+PKIX_ERRORENTRY(DERASCIITOTIMEFAILED,DER_AsciiToTime failed,0),
+PKIX_ERRORENTRY(DERDECODETIMECHOICEFAILED,DER_DecodeTimeChoice failed,0),
+PKIX_ERRORENTRY(DERDECODETIMECHOICEFORLASTUPDATEFAILED,DER_DecodeTimeChoice for lastUpdate failed,0),
+PKIX_ERRORENTRY(DERDECODETIMECHOICEFORNEXTUPDATEFAILED,DER_DecodeTimeChoice for nextUpdate failed,0),
+PKIX_ERRORENTRY(DERENCODETIMECHOICEFAILED,DER_EncodeTimeChoice failed,0),
+PKIX_ERRORENTRY(DERGENERALIZEDDAYTOASCIIFAILED,DER_GeneralizedDayToAscii failed,0),
+PKIX_ERRORENTRY(DERTIMETOUTCTIMEFAILED,DER_TimeToUTCTime failed,0),
+PKIX_ERRORENTRY(DERUTCTIMETOASCIIFAILED,DER_UTCTimeToAscii failed,0),
+PKIX_ERRORENTRY(DESTROYSPKIFAILED,pkix_pl_DestroySPKI failed,0),
+PKIX_ERRORENTRY(DIRECTORYNAMECREATEFAILED,pkix_pl_DirectoryName_Create failed,0),
+PKIX_ERRORENTRY(DUPLICATEIMMUTABLEFAILED,pkix_duplicateImmutable failed,0),
+PKIX_ERRORENTRY(EKUCHECKERGETREQUIREDEKUFAILED,pkix_pl_EkuChecker_GetRequiredEku failed,0),
+PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed,0),
+PKIX_ERRORENTRY(EKUCHECKERSTATECREATEFAILED,pkix_pl_EkuCheckerState_Create failed,0),
+PKIX_ERRORENTRY(ENABLEREVOCATIONWITHOUTCERTSTORE,Enable Revocation without CertStore,0),
+PKIX_ERRORENTRY(ERRORALLOCATINGMONITORLOCK,Error Allocating MonitorLock,0),
+PKIX_ERRORENTRY(ERRORALLOCATINGRWLOCK,Error Allocating RWLock,0),
+PKIX_ERRORENTRY(ERRORCREATINGCHILDSTRING,Error creating child string,0),
+PKIX_ERRORENTRY(ERRORCREATINGFORMATSTRING,Error creating format string,0),
+PKIX_ERRORENTRY(ERRORCREATINGINDENTSTRING,Error creating indent string,0),
+PKIX_ERRORENTRY(ERRORCREATINGITEMSTRING,Error creating item string,0),
+PKIX_ERRORENTRY(ERRORCREATINGLISTITEM,Error Creating List Item,0),
+PKIX_ERRORENTRY(ERRORCREATINGSUBTREESTRING,Error creating subtree string,0),
+PKIX_ERRORENTRY(ERRORCREATINGTABLELOCK,Error creating table lock,0),
+PKIX_ERRORENTRY(ERRORFINDINGORPROCESSINGURI,Error finding or processing URI,0),
+PKIX_ERRORENTRY(ERRORGETTINGCAUSESTRING,Error getting cause string,0),
+PKIX_ERRORENTRY(ERRORGETTINGCLASSTABLEENTRY,Error getting class table entry,0),
+PKIX_ERRORENTRY(ERRORGETTINGHASHCODE,Error getting hashcode,0),
+PKIX_ERRORENTRY(ERRORGETTINGSECONDOBJECTTYPE,Error getting second object type,0),
+PKIX_ERRORENTRY(ERRORINBYTEARRAYHASHCODE,Error in PKIX_PL_ByteArray_Hashcode,0),
+PKIX_ERRORENTRY(ERRORINGETTINGDESTRUCTOR,Error in getting destructor,0),
+PKIX_ERRORENTRY(ERRORINHASH,Error in pkix_hash,0),
+PKIX_ERRORENTRY(ERRORINLISTHASHCODE,Error in PKIX_List_Hashcode,0),
+PKIX_ERRORENTRY(ERRORINOBJECTDEFINEDESTROY,Error in object-defined destroy callback,0),
+PKIX_ERRORENTRY(ERRORINOIDHASHCODE,Error in PKIX_PL_OID_Hashcode,0),
+PKIX_ERRORENTRY(ERRORINRECURSIVEEQUALSCALL,Error in recursive equals call,0),
+PKIX_ERRORENTRY(ERRORINSINGLEPOLICYNODETOSTRING,Error in pkix_SinglePolicyNode_ToString,0),
+PKIX_ERRORENTRY(ERRORINSINGLEVERIFYNODETOSTRING,Error in pkix_SingleVerifyNode_ToString,0),
+PKIX_ERRORENTRY(ERRORINSPRINTF,Error in PKIX_PL_Sprintf,0),
+PKIX_ERRORENTRY(ERRORINSTRINGCREATE,Error in PKIX_PL_String_Create,0),
+PKIX_ERRORENTRY(ERRORLOCKINGOBJECT,Error locking object,0),
+PKIX_ERRORENTRY(ERRORTOSTRINGFAILED,PKIX_Error_ToString failed,0),
+PKIX_ERRORENTRY(ERRORTRAVERSINGBUCKET,Error traversing bucket,0),
+PKIX_ERRORENTRY(ERRORUNLOCKINGMUTEX,Error unlocking mutex,0),
+PKIX_ERRORENTRY(ERRORUNLOCKINGOBJECT,Error unlocking object,0),
+PKIX_ERRORENTRY(ESCASCIITOUTF16FAILED,pkix_EscASCII_to_UTF16 failed,0),
+PKIX_ERRORENTRY(EXPIRATIONCHECKERINITIALIZEFAILED,pkix_ExpirationChecker_Initialize failed,0),
+PKIX_ERRORENTRY(EXTENDEDKEYUSAGECHECKINGFAILED,Extended Key Usage Checking failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
+PKIX_ERRORENTRY(EXTENDEDKEYUSAGEUSEROBJECT,Extended Key Usage User Object,0),
+PKIX_ERRORENTRY(EXTRACTPARAMETERSFAILED,pkix_ExtractParameters failed,0),
+PKIX_ERRORENTRY(FAILEDINENCODINGSEARCHREQUEST,failed in encoding searchRequest,SEC_ERROR_FAILED_TO_ENCODE_DATA),
+PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots,0),
+PKIX_ERRORENTRY(FAILEDTOGETTRUST, failed to get trust from the cert,0),
+PKIX_ERRORENTRY(FAILUREHASHINGCERT,Failure hashing Cert,0),
+PKIX_ERRORENTRY(FAILUREHASHINGERROR,Failure hashing Error,0),
+PKIX_ERRORENTRY(FAILUREHASHINGLISTEXPECTEDPOLICYSET,Failure hashing PKIX_List expectedPolicySet,0),
+PKIX_ERRORENTRY(FAILUREHASHINGLISTQUALIFIERSET,Failure hashing PKIX_List qualifierSet,0),
+PKIX_ERRORENTRY(FAILUREHASHINGOIDVALIDPOLICY,Failure hashing PKIX_PL_OID validPolicy,0),
+PKIX_ERRORENTRY(FANOUTEXCEEDSRESOURCELIMITS,Fanout exceeds Resource Limits,0),
+PKIX_ERRORENTRY(FETCHINGCACHEDCRLFAILED,Fetching Cached CRLfailed,0),
+PKIX_ERRORENTRY(FILLINPROCESSINGPARAMSFAILED,Fail to fill in parameters,0),
+PKIX_ERRORENTRY(FILLINRETURNRESULTSFAILED,Fail to fill in return results,0),
+PKIX_ERRORENTRY(FIRSTARGUMENTNOTANOID,FirstObject is not an OID,0),
+PKIX_ERRORENTRY(FIRSTARGUMENTNOTBYTEARRAY,FirstObject is not a ByteArray,0),
+PKIX_ERRORENTRY(FIRSTARGUMENTNOTCERTBASICCONSTRAINTSOBJECT,First argument is not a CertBasicConstraints Object,0),
+PKIX_ERRORENTRY(FIRSTDOUBLEHEXMUSTNOTBE00,First DoubleHex MUST NOT be 00,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(FIRSTFIELDMUSTBEBETWEEN02,First field must be between 0-2,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTANOCSPRESPONSE,FirstObject is not an OcspResponse,0),
+PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTLDAPREQUEST,FirstObject is not a LdapRequest,0),
+PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTLDAPRESPONSE,FirstObject is not a LdapResponse,0),
+PKIX_ERRORENTRY(FIRSTOBJARGUMENTNOTOCSPREQUEST,FirstObject is not a OcspRequest,0),
+PKIX_ERRORENTRY(FIRSTOBJECTARGUMENTNOTANX500NAME,FirstObject is not an X500Name,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTANERROROBJECT,FirstObject is not an Error object,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTBIGINT,FirstObject not a BigInt,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTBUILDPARAMS,FirstObject is not a BuildParams,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTBUILDRESULT,FirstObject is not a BuildResult,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERT,FirstObject is not a Cert,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTBASICCONSTRAINTS,FirstObject is not a CertBasicConstraints,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTNAMECONSTRAINTS,FirstObject is not a CertNameConstraints,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYINFO,FirstObject is not a CertPolicyInfo,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYMAP,FirstObject is not a CertPolicyMap,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCERTPOLICYQUALIFIER,FirstObject is not a CertPolicyQualifier,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCOMCRLSELPARAMS,FirstObject is not a ComCRLSelParams,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCRL,FirstObject is not a CRL,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCRLENTRY,FirstObject is not a CRLEntry,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTCRLSELECTOR,FirstObject is not a CRLSelector,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTDATE,FirstObject is not a Date,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTERROR,FirstObject is not an Error,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTGENERALNAME,FirstObject is not a GeneralName,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTINFOACCESS,FirstObject is not a InfoAccess,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTLIST,FirstObject is not a List,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTLOGGER,FirstObject is not a Logger,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTPOLICYNODE,FirstObject is not a PolicyNode,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTPROCESSINGPARAMS,FirstObject is not a ProcessingParams,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTPUBLICKEY,FirstObject is not a PublicKey,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTRESOURCELIMITS,FirstObject is not a ResourceLimits,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTSTRING,FirstObject is not a String,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTTRUSTANCHOR,FirstObject is not a TrustAnchor,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTVALIDATEPARAMS,FirstObject is not a ValidateParams,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTVALIDATERESULT,FirstObject is not a ValidateResult,0),
+PKIX_ERRORENTRY(FIRSTOBJECTNOTVERIFYNODE,FirstObject is not a VerifyNode,0),
+PKIX_ERRORENTRY(FIRSTPUBKEYTYPENULLKEY,firstPubKeyType is nullKey,0),
+PKIX_ERRORENTRY(FORWARDBUILDERSTATEDUMPSTATEFAILED,pkix_ForwardBuilderState_DumpState failed,0),
+PKIX_ERRORENTRY(FORWARDBUILDERSTATEISIOPENDINGFAILED,pkix_ForwardBuilderState_IsIOPending failed,0),
+PKIX_ERRORENTRY(FORWARDBUILDSTATECREATEFAILED,pkix_ForwardBuildState_Create failed,0),
+PKIX_ERRORENTRY(FREEFAILED,PKIX_PL_Free failed,0),
+PKIX_ERRORENTRY(GENERALNAMECREATEFAILED,pkix_pl_GeneralName_Create failed,0),
+PKIX_ERRORENTRY(GENERALNAMEGETNSSGENERALNAMEFAILED,pkix_pl_GeneralName_GetNssGeneralName failed,0),
+PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGDOUBLESLASH,GeneralName string missing double slash,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGLOCATIONTYPE,GeneralName string missing location type,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+PKIX_ERRORENTRY(GENERALNAMESTRINGMISSINGSERVERSITE,GeneralName string missing server-site,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+PKIX_ERRORENTRY(GENERALNAMETOSTRINGFAILED,pkix_pl_GeneralName_ToString failed,0),
+PKIX_ERRORENTRY(GENERALNAMETOSTRINGHELPERFAILED,pkix_pl_GeneralName_ToString_Helper failed,0),
+PKIX_ERRORENTRY(GENERICCLIENTNOTANLDAPDEFAULTCLIENT,genericClient is not an LdapDefaultClient,0),
+PKIX_ERRORENTRY(GETATTRIBUTESCALLEDFORNONENTRYMESSAGE,GetAttributes called for non-Entry message,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(GETCERTSFAILED,getCerts failed,0),
+PKIX_ERRORENTRY(GETCRITICALEXTENSIONOIDSFAILED,pkix_GetCriticalExtensionOIDs failed,0),
+PKIX_ERRORENTRY(GETCRLSFAILED,getCrls failed,0),
+PKIX_ERRORENTRY(GETOIDTOKENFAILED,pkix_pl_getOIDToken failed,0),
+PKIX_ERRORENTRY(GETPKIXERRORCODEFAILED,Get PKIX error code failed,0),
+PKIX_ERRORENTRY(GETREQCERTIFICATEUSAGESFAILED,Fail to get required certificate usages,0),
+PKIX_ERRORENTRY(GETRESULTCODECALLEDFORNONRESULTMESSAGE,GetResultCode called for non-Result message,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(GETRETCERTIFICATEUSAGESFAILED,Fail to get returned certificate usages,0),
+PKIX_ERRORENTRY(GETTRUSTEDCERTLISTFAILED,Fail to get trusted cert list,0),
+PKIX_ERRORENTRY(HASHFAILED,pkix_hash failed,0),
+PKIX_ERRORENTRY(HASHTABLEADDFAILED,PKIX_PL_HashTable_Add failed,0),
+PKIX_ERRORENTRY(HASHTABLECREATEFAILED,PKIX_PL_HashTable_Create failed,0),
+PKIX_ERRORENTRY(HASHTABLELOOKUPFAILED,PKIX_PL_HashTable_Lookup failed,0),
+PKIX_ERRORENTRY(HASHTABLEREMOVEFAILED,PKIX_PL_HashTable_Remove failed,0),
+PKIX_ERRORENTRY(HELPERBYTES2ASCIIFAILED,pkix_pl_helperBytes2Ascii failed,0),
+PKIX_ERRORENTRY(HELPERBYTES2ASCIINUMTOKENSZERO,pkix_pl_helperBytes2Ascii: numTokens is zero,0),
+PKIX_ERRORENTRY(HTTPCERTSTORECREATEREQUESTSESSIONFAILED,pkix_pl_HttpCertStore_CreateRequestSession failed,0),
+PKIX_ERRORENTRY(HTTPCERTSTORECREATEWITHASCIINAMEFAILED,PKIX_PL_HttpCertStore_CreateWithAsciiName failed,0),
+PKIX_ERRORENTRY(HTTPCERTSTOREDECODECERTPACKAGEFAILED,pkix_pl_HttpCertStore_DecodeCertPackage failed,0),
+PKIX_ERRORENTRY(HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED,pkix_HttpCertStore_FindSocketConnection failed,0),
+PKIX_ERRORENTRY(HTTPCERTSTOREPROCESSCERTRESPONSEFAILED,pkix_pl_HttpCertStore_ProcessCertResponse failed,0),
+PKIX_ERRORENTRY(HTTPCERTSTOREPROCESSCRLRESPONSEFAILED,pkix_pl_HttpCertStore_ProcessCrlResponse failed,0),
+PKIX_ERRORENTRY(HTTPCLIENTCREATESESSIONFAILED,HttpClient->CreateSession failed,0),
+PKIX_ERRORENTRY(HTTPCLIENTININVALIDSTATE,HttpClient in invalid state,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTCONNECTCONTINUEFAILED,pkix_pl_HttpDefaultClient_ConnectContinue failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTCREATEFAILED,pkix_pl_HttpDefaultClient_Create failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTDISPATCHFAILED,pkix_pl_HttpDefaultClient_Dispatch failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED,pkix_pl_HttpDefaultClient_HdrCheckComplete failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTINILLEGALSTATE,HttpDefaultClient in illegal state,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVBODYCONTINUEFAILED,pkix_pl_HttpDefaultClient_RecvBodyContinue failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVBODYFAILED,pkix_pl_HttpDefaultClient_RecvBody failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVHDRCONTINUEFAILED,pkix_pl_HttpDefaultClient_RecvHdrContinue failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTRECVHDRFAILED,pkix_pl_HttpDefaultClient_RecvHdr failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTSENDCONTINUEFAILED,pkix_pl_HttpDefaultClient_SendContinue failed,0),
+PKIX_ERRORENTRY(HTTPDEFAULTCLIENTSENDFAILED,pkix_pl_HttpDefaultClient_Send failed,0),
+PKIX_ERRORENTRY(HTTPSERVERERROR,HTTP Server Error,0),
+PKIX_ERRORENTRY(ILLEGALCHARACTERINESCAPEDASCII,Illegal character in Escaped ASCII String,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(ILLEGALCHARACTERINOID,Illegal character in OID,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(ILLEGALDOTINOID,Illegal period in OID,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(ILLEGALSURROGATEPAIR,Illegal surrogate pair in EscapedASCII,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(ILLEGALUNICODECHARACTER,Illegal Unicode character in EscapedASCII,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(ILLEGALUSEOFAMP,Illegal use of ampersand character,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(IMPOSSIBLECRITERIONFORCRLQUERY,Impossible criterion for Crl Query,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,SEC_ERROR_LIBPKIX_INTERNAL),
+PKIX_ERRORENTRY(INESCAPEDASCII,in EscapedASCII,0),
+PKIX_ERRORENTRY(INFOACCESSCREATEFAILED,pkix_pl_InfoAccess_Create failed,0),
+PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,0),
+PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0),
+PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0),
+PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0),
+PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,0),
+PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,0),
+PKIX_ERRORENTRY(INITIALIZECHECKERSFAILED,pkix_InitializeCheckers failed,0),
+PKIX_ERRORENTRY(INITIALIZEFAILED,PKIX_PL_Initialize failed,0),
+PKIX_ERRORENTRY(INPUTLISTMUSTBEHEADER,Input List must be header,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(INPUTLISTSMUSTBELISTHEADERS,Input Lists must be list headers,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCERTQUERY,Insufficient criteria for Cert query,0),
+PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCRLQUERY,Insufficient criteria for Crl Query,0),
+PKIX_ERRORENTRY(INTRUSTEDCERT,in Trusted Cert,0),
+PKIX_ERRORENTRY(INVALIDCHARACTERINBIGINT,Invalid character in BigInt,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(INVALIDDERENCODINGFOROID,Invalid DER-encoding for OID,0),
+PKIX_ERRORENTRY(INVALIDENCODINGOIDTOKENVALUETOOBIG,Invalid encoding: OID token value too big,0),
+PKIX_ERRORENTRY(INVALIDPOLICYMAPPINGINCLUDESANYPOLICY,Invalid policyMapping includes anyPolicy,SEC_ERROR_INVALID_POLICY_MAPPING),
+PKIX_ERRORENTRY(INVALIDSIGNINGCERTINOCSPRESPONSE,Invalid signing Cert in OCSP response,SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
+PKIX_ERRORENTRY(INVALIDSTATUS,INVALID STATUS,0),
+PKIX_ERRORENTRY(INVALIDSTORETYPEFORSETTINGCONFIGDIR,Invalid Store type for Setting ConfigDir,0),
+PKIX_ERRORENTRY(IPADDRBYTES2ASCIIDATALENGTHZERO,pkix_pl_ipAddrBytes2Ascii: data length is zero,0),
+PKIX_ERRORENTRY(IPADDRBYTES2ASCIIFAILED,pkix_pl_ipAddrBytes2Ascii failed,0),
+PKIX_ERRORENTRY(ISCERTSELFISSUEDFAILED,pkix_IsCertSelfIssued failed,0),
+PKIX_ERRORENTRY(ISCERTSELFISSUEFAILED,pkix_IsCertSelfIssue failed,0),
+PKIX_ERRORENTRY(KEYUSAGEKEYCERTSIGNBITNOTON,Validation failed: KeyUsage KeyCertSign bit is not on,SEC_ERROR_CA_CERT_INVALID),
+PKIX_ERRORENTRY(KEYUSAGEKEYCRLSIGNBITNOTON,Validation failed: KeyUsage CRLSign bit is not on,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREBUILDCERTLISTFAILED,pkix_pl_LdapCertStore_BuildCertList failed,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREBUILDCRLLISTFAILED,pkix_pl_LdapCertStore_BuildCrlList failed,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREDECODECROSSCERTPAIRFAILED,pkix_pl_LdapCertStore_DecodeCrossCertPair failed,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREDESTROYAVALISTFAILED,pkix_pl_LdapCertStore_DestroyAVAList failed,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREINILLEGALSTATE,LDAP CertStore in illegal state,0),
+PKIX_ERRORENTRY(LDAPCERTSTOREMAKENAMEAVALISTFAILED,pkix_pl_LdapCertStore_MakeNameAVAList failed,0),
+PKIX_ERRORENTRY(LDAPCLIENTINITIATEREQUESTFAILED,PKIX_PL_LdapClient_InitiateRequest failed,0),
+PKIX_ERRORENTRY(LDAPCLIENTRESUMEREQUESTFAILED,PKIX_PL_LdapClient_ResumeRequest failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTABANDONCONTINUEFAILED,pkix_pl_LdapDefaultClient_AbandonContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDCONTINUEFAILED,pkix_pl_LdapDefaultClient_BindContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDFAILED,pkix_pl_LdapDefaultClient_Bind failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDRESPONSECONTINUEFAILED,pkix_pl_LdapDefaultClient_BindResponseContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_BindResponse failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCONNECTCONTINUEFAILED,pkix_pl_LdapDefaultClient_ConnectContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCREATEBYNAMEFAILED,PKIX_PL_LdapDefaultClient_CreateByName failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTCREATEHELPERFAILED,pkix_pl_LdapDefaultClient_CreateHelper failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_DecodeBindResponse failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTDISPATCHFAILED,pkix_pl_LdapDefaultClient_Dispatch failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTINILLEGALSTATE,LDAP DefaultClient in illegal state,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEABANDONFAILED,pkix_pl_LdapDefaultClient_MakeAbandon failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEANDFILTERFAILED,pkix_pl_LdapDefaultClient_MakeAndFilter failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEBINDFAILED,pkix_pl_LdapDefaultClient_MakeBind failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTMAKEUNBINDFAILED,pkix_pl_LdapDefaultClient_MakeUnbind failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVCHECKCOMPLETEFAILED,pkix_pl_LdapDefaultClient_RecvCheckComplete failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVCONTINUEFAILED,pkix_pl_LdapDefaultClient_RecvContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVFAILED,pkix_pl_LdapDefaultClient_Recv failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVINITIALFAILED,pkix_pl_LdapDefaultClient_RecvInitial failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTRECVNONINITIALFAILED,pkix_pl_LdapDefaultClient_RecvNonInitial failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTSENDCONTINUEFAILED,pkix_pl_LdapDefaultClient_SendContinue failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTSENDFAILED,pkix_pl_LdapDefaultClient_Send failed,0),
+PKIX_ERRORENTRY(LDAPDEFAULTCLIENTVERIFYBINDRESPONSEFAILED,pkix_pl_LdapDefaultClient_VerifyBindResponse failed,0),
+PKIX_ERRORENTRY(LDAPREQUESTATTRSTRINGTOBITFAILED,pkix_pl_LdapRequest_AttrStringToBit failed,0),
+PKIX_ERRORENTRY(LDAPREQUESTATTRTYPETOBITFAILED,pkix_pl_LdapRequest_AttrTypeToBit failed,0),
+PKIX_ERRORENTRY(LDAPREQUESTCREATEFAILED,pkix_pl_LdapRequest_Create failed,0),
+PKIX_ERRORENTRY(LDAPREQUESTENCODEATTRSFAILED,pkix_pl_LdapRequest_EncodeAttrs failed,0),
+PKIX_ERRORENTRY(LDAPREQUESTGETENCODEDFAILED,pkix_pl_LdapRequest_GetEncoded failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEAPPENDFAILED,pkix_pl_LdapResponse_Append failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSECREATEFAILED,pkix_pl_LdapResponseCreate failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEDECODEFAILED,pkix_pl_LDAPResponse_Decode failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEGETCAPACITYFAILED,pkix_pl_LdapResponse_GetCapacity failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEGETMESSAGEFAILED,pkix_pl_LdapResponse_GetMessage failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEGETMESSAGETYPEFAILED,pkix_pl_LdapResponse_GetMessageType failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEGETRESULTCODEFAILED,pkix_pl_LdapResponse_GetResultCode failed,0),
+PKIX_ERRORENTRY(LDAPRESPONSEISCOMPLETEFAILED,pkix_pl_LdapResponse_IsComplete failed,0),
+PKIX_ERRORENTRY(LISTAPPENDFAILED,PKIX_List_Append failed,0),
+PKIX_ERRORENTRY(LISTAPPENDITEMFAILED,PKIX_List_AppendItem failed,0),
+PKIX_ERRORENTRY(LISTAPPENDLISTFAILED,pkix_List_AppendList failed,0),
+PKIX_ERRORENTRY(LISTAPPENDUNIQUEFAILED,pkix_List_AppendUnique failed,0),
+PKIX_ERRORENTRY(LISTBUBBLESORTFAILED,pkix_List_BubbleSort failed,0),
+PKIX_ERRORENTRY(LISTCONTAINSFAILED,pkix_List_Contains failed,0),
+PKIX_ERRORENTRY(LISTCREATEFAILED,PKIX_List_Create failed,0),
+PKIX_ERRORENTRY(LISTCREATEINTERNALFAILED,pkix_List_Create_Internal failed,0),
+PKIX_ERRORENTRY(LISTDELETEITEMFAILED,PKIX_List_DeleteItem failed,0),
+PKIX_ERRORENTRY(LISTDUPLICATEFAILED,pkix_List_Duplicate failed,0),
+PKIX_ERRORENTRY(LISTEQUALSFAILED,PKIX_List_Equals failed,0),
+PKIX_ERRORENTRY(LISTGETELEMENTFAILED,pkix_List_GetElement failed,0),
+PKIX_ERRORENTRY(LISTGETITEMFAILED,PKIX_List_GetItem failed,0),
+PKIX_ERRORENTRY(LISTGETLENGTHFAILED,PKIX_List_GetLength failed,0),
+PKIX_ERRORENTRY(LISTHASHCODEFAILED,pkix_List_Hashcode failed,0),
+PKIX_ERRORENTRY(LISTINSERTITEMFAILED,PKIX_List_InsertItem failed,0),
+PKIX_ERRORENTRY(LISTISEMPTYFAILED,PKIX_List_IsEmpty failed,0),
+PKIX_ERRORENTRY(LISTQUICKSORTFAILED,pkix_List_QuickSort failed,0),
+PKIX_ERRORENTRY(LISTREMOVEFAILED,pkix_List_Remove failed,0),
+PKIX_ERRORENTRY(LISTREMOVEITEMSFAILED,pkix_List_RemoveItems failed,0),
+PKIX_ERRORENTRY(LISTREVERSELISTFAILED,PKIX_List_ReverseList failed,0),
+PKIX_ERRORENTRY(LISTSETIMMUTABLEFAILED,PKIX_List_SetImmutable failed,0),
+PKIX_ERRORENTRY(LISTSETITEMFAILED,PKIX_List_SetItem failed,0),
+PKIX_ERRORENTRY(LISTTOSTRINGFAILED,pkix_List_ToString failed,0),
+PKIX_ERRORENTRY(LISTTOSTRINGHELPERFAILED,pkix_List_ToString Helper failed,0),
+PKIX_ERRORENTRY(LOCATIONSTRINGNOTPROPERLYTERMINATED,Location string not properly terminated,0),
+PKIX_ERRORENTRY(LOCKHASNONZEROREADCOUNT,Lock has non-zero read count,0),
+PKIX_ERRORENTRY(LOCKOBJECTFAILED,pkix_LockObject failed,0),
+PKIX_ERRORENTRY(LOGGERDUPLICATEFAILED,pkix_Logger_Duplicate failed,0),
+PKIX_ERRORENTRY(LOGGINGLEVELEXCEEDSMAXIMUM,Logging Level exceeds Maximum,0),
+PKIX_ERRORENTRY(LOOPDISCOVEREDDUPCERTSNOTALLOWED,Loop discovered: duplicate certificates not allowed,SEC_ERROR_UNTRUSTED_ISSUER),
+PKIX_ERRORENTRY(LOOPOFERRORCAUSEDETECTED,Loop of error causes detected,0),
+PKIX_ERRORENTRY(MAJORVERSIONSDONTMATCH,Major versions do not match,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(MALLOCFAILED,PKIX_PL_Malloc failed,0),
+PKIX_ERRORENTRY(MEMLEAKGENERATEDERROR,Error generated for memory leak testing,SEC_ERROR_NO_MEMORY),
+PKIX_ERRORENTRY(MINORVERSIONNOTBETWEENDESIREDMINANDMAX,Minor version does not fall between desired minimum and maximum,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(MISSINGDSAPARAMETERS,Missing DSA parameters in Trusted Cert,SEC_ERROR_INVALID_KEY),
+PKIX_ERRORENTRY(MONITORLOCKCREATEFAILED,PKIX_PL_MonitorLock_Create failed,0),
+PKIX_ERRORENTRY(MONITORLOCKENTERFAILED,PKIX_PL_MonitorLock_Enter failed,0),
+PKIX_ERRORENTRY(MONITORLOCKEXITFAILED,PKIX_PL_MonitorLock_Exit failed,0),
+PKIX_ERRORENTRY(MUTEXLOCKFAILED,PKIX_PL_Mutex_Lock failed,0),
+PKIX_ERRORENTRY(NAMECHAININGCHECKERINITIALIZEFAILED,pkix_NameChainingChecker_Initialize failed,0),
+PKIX_ERRORENTRY(NAMECHAININGCHECKFAILED,Name Chaining Check failed,SEC_ERROR_UNKNOWN_ISSUER),
+PKIX_ERRORENTRY(NAMECOMPONENTWITHNOEQ,Name Component with no equal sign,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+PKIX_ERRORENTRY(NAMECONSTRAINTSCHECKERINITIALIZEFAILED,pkix_NameConstraintsChecker_Initialize failed,0),
+PKIX_ERRORENTRY(NAMECONSTRAINTSCHECKERSTATECREATEFAILED,pkix_NameConstraintsCheckerState_Create failed,0),
+PKIX_ERRORENTRY(NAMETYPENOTSUPPORTED,name type not supported,0),
+PKIX_ERRORENTRY(NOCONTENTTYPEINHTTPRESPONSE,No content type in Http Response,SEC_ERROR_BAD_HTTP_RESPONSE),
+PKIX_ERRORENTRY(NODESMISSINGFROMCHAIN,Nodes missing from chain,0),
+PKIX_ERRORENTRY(NOREGISTEREDHTTPCLIENT,No registered Http Client,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(NORESPONSEDATAINHTTPRESPONSE,No responseData in Http Response,SEC_ERROR_BAD_HTTP_RESPONSE),
+PKIX_ERRORENTRY(NOTARGETCERTSUPPLIED,No target cert supplied,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(NOTDERPACKAGE,Not a DER package,0),
+PKIX_ERRORENTRY(NOTENOUGHNAMECOMPONENTSINGENERALNAME,Not enough name components in GeneralName,0),
+PKIX_ERRORENTRY(NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED,Failed to convert nss certificate usage to pkix ku and eku data structures,0),
+PKIX_ERRORENTRY(NSSCONTEXTCREATEFAILED,PKIX_PL_NssContext_Create failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTDESTROYFAILED,PKIX_PL_NssContext_Destroy failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTGETCHECKALLUSAGESFAILED, pkix_pl_NssContext_GetCheckAllUsages failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTGETRETURNUSAGESFAILED, pkix_pl_NssContext_GetReturnUsages failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTGETWINCXFAILED,pkix_pl_NssContext_GetWincx failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTSETCERTSIGNCHECKFAILED, pkix_pl_NssContext_SetCertSignatureCheck,0),
+PKIX_ERRORENTRY(NSSCONTEXTSETCERTUSAGEFAILED, pkix_pl_NssContext_SetCertUsage failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTSETCHECKALLUSAGESFAILED, pkix_pl_NssContext_SetCheckAllUsages failed,0),
+PKIX_ERRORENTRY(NSSCONTEXTSETRETURNEDCERTUSAGEFAILED, pkix_pl_NssContext_SetReturnedCertUsage,0),
+PKIX_ERRORENTRY(NSSCONTEXTSETRETURNUSAGESFAILED, pkix_pl_NssContext_SetReturnUsages failed,0),
+PKIX_ERRORENTRY(NSSTRUSTEDLISTISEMPTY,nss trusted roots list is empty,0),
+PKIX_ERRORENTRY(NULLARGUMENT,Null argument,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(NUMBUCKETSEQUALSZERO,NumBuckets equals zero,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(OBJECTALLOCFAILED,PKIX_PL_Object_Alloc failed,0),
+PKIX_ERRORENTRY(OBJECTARGUMENTNOTPOLICYMAP,object argument is not a PolicyMap,0),
+PKIX_ERRORENTRY(OBJECTCOMPARATORFAILED,PKIX_PL_Object_Comparator failed,0),
+PKIX_ERRORENTRY(OBJECTDEFINED,object-defined ,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATECERTFAILED,PKIX_PL_Object_Duplicate Cert failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATECONTEXTFAILED,PKIX_PL_Object_Duplicate Context failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEDATEFAILED,PKIX_PL_Object_Duplicate Date failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEFAILED,PKIX_PL_Object_Duplicate failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEISSUERNAMESFAILED,PKIX_PL_Object_Duplicate IssuerNames failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATELISTFAILED,PKIX_PL_Object_Duplicate List failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEMAXCRLNUMBERFAILED,PKIX_PL_Object_Duplicate maxCRLNumber failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEMINCRLNUMBERFAILED,PKIX_PL_Object_Duplicate minCRLNumber failed,0),
+PKIX_ERRORENTRY(OBJECTDUPLICATEPARAMSFAILED,PKIX_PL_Object_Duplicate Params failed,0),
+PKIX_ERRORENTRY(OBJECTEQUALSFAILED,PKIX_PL_Object_Equals failed,0),
+PKIX_ERRORENTRY(OBJECTEQUALSFAILEDONCHILDREN,PKIX_PL_Object_Equals failed on children,0),
+PKIX_ERRORENTRY(OBJECTEQUALSFAILEDONEXPECTEDPOLICYSETS,PKIX_PL_Object_Equals failed on expectedPolicySets,0),
+PKIX_ERRORENTRY(OBJECTGETTYPEFAILED,PKIX_PL_Object_GetType failed,0),
+PKIX_ERRORENTRY(OBJECTHASHCODEFAILED,PKIX_PL_Object_Hashcode failed,0),
+PKIX_ERRORENTRY(OBJECTINVALIDATECACHEFAILED,PKIX_PL_Object_InvalidateCache failed,0),
+PKIX_ERRORENTRY(OBJECTISTYPEREGISTEREDFAILED,PKIX_PL_Object_IsTypeRegistered failed,0),
+PKIX_ERRORENTRY(OBJECTLOCKFAILED,PKIX_PL_Object_Lock failed,0),
+PKIX_ERRORENTRY(OBJECTNOTAIAMGR,Object is not a AIAMgr,0),
+PKIX_ERRORENTRY(OBJECTNOTANEKUCHECKERSTATE,Object is not an EKU Checker State,0),
+PKIX_ERRORENTRY(OBJECTNOTANERROR,Object is not an Error,0),
+PKIX_ERRORENTRY(OBJECTNOTANHTTPCERTSTORECONTEXT,Object is not an HttpCertStoreContext,0),
+PKIX_ERRORENTRY(OBJECTNOTANHTTPDEFAULTCLIENT,Object is not an HttpDefaultClient,0),
+PKIX_ERRORENTRY(OBJECTNOTANINFOACCESS,Object is not an InfoAccess,0),
+PKIX_ERRORENTRY(OBJECTNOTANLDAPDEFAULTCLIENT,Object is not an LdapDefaultClient,0),
+PKIX_ERRORENTRY(OBJECTNOTANOCSPRESPONSE,Object is not an OcspResponse,0),
+PKIX_ERRORENTRY(OBJECTNOTANOID,Object is not an OID,0),
+PKIX_ERRORENTRY(OBJECTNOTANSOCKET,Object is not an Socket,0),
+PKIX_ERRORENTRY(OBJECTNOTANX500NAME,Object is not an X500Name,0),
+PKIX_ERRORENTRY(OBJECTNOTBASICCONSTRAINTSCHECKERSTATE,Object is not a basic constraints checker state,0),
+PKIX_ERRORENTRY(OBJECTNOTBIGINT,Object is not a BigInt,0),
+PKIX_ERRORENTRY(OBJECTNOTBUILDPARAMS,Object is not a BuildParams,0),
+PKIX_ERRORENTRY(OBJECTNOTBUILDRESULT,Object is not a BuildResult,0),
+PKIX_ERRORENTRY(OBJECTNOTBYTEARRAY,Object is not a bytearray,0),
+PKIX_ERRORENTRY(OBJECTNOTCERT,Object is not a Cert,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTBASICCONSTRAINTS,Object is not a CertBasicConstraints,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTCHAINCHECKER,Object is not a cert chain checker,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTNAMECONSTRAINTS,Object is not a CertNameConstraints,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYINFO,Object is not a CertPolicyInfo,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYMAP,Object is not a CertPolicyMap,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTPOLICYQUALIFIER,Object is not a CertPolicyQualifier,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTSELECTOR,Object is not a cert selector,0),
+PKIX_ERRORENTRY(OBJECTNOTCERTSTORE,Object is not a CertStore,0),
+PKIX_ERRORENTRY(OBJECTNOTCOLLECTIONCERTSTORECONTEXT,Object is not a CollectionCertStoreContext,0),
+PKIX_ERRORENTRY(OBJECTNOTCOMCERTSELPARAMS,Object is not a comCertSelParams,0),
+PKIX_ERRORENTRY(OBJECTNOTCOMCRLSELPARAMS,Object is not a ComCRLSelParams,0),
+PKIX_ERRORENTRY(OBJECTNOTCRL,Object is not a CRL,0),
+PKIX_ERRORENTRY(OBJECTNOTCRLENTRY,Object is not a CRLEntry,0),
+PKIX_ERRORENTRY(OBJECTNOTCRLSELECTOR,Object is not a CRLSelector,0),
+PKIX_ERRORENTRY(OBJECTNOTDATE,Object is not a Date,0),
+PKIX_ERRORENTRY(OBJECTNOTDEFAULTCRLCHECKERSTATE,Object is not a DefaultCRLCheckerState,0),
+PKIX_ERRORENTRY(OBJECTNOTDEFAULTREVOCATIONCHECKER,Object is not a DefaultRevocationChecker,0),
+PKIX_ERRORENTRY(OBJECTNOTFORWARDBUILDERSTATE,Object is not a PKIX_ForwardBuilderState,0),
+PKIX_ERRORENTRY(OBJECTNOTGENERALNAME,Object is not a GeneralName,0),
+PKIX_ERRORENTRY(OBJECTNOTHASHTABLE,Object is not a hashtable,0),
+PKIX_ERRORENTRY(OBJECTNOTINFOACCESS,Object is not a InfoAccess,0),
+PKIX_ERRORENTRY(OBJECTNOTLDAPREQUEST,Object is not a LdapRequest,0),
+PKIX_ERRORENTRY(OBJECTNOTLDAPRESPONSE,Object is not a LdapResponse,0),
+PKIX_ERRORENTRY(OBJECTNOTLIST,Object is not a list,0),
+PKIX_ERRORENTRY(OBJECTNOTLOGGER,Object is not a Logger,0),
+PKIX_ERRORENTRY(OBJECTNOTMONITORLOCK,Object is not a MonitorLock,0),
+PKIX_ERRORENTRY(OBJECTNOTMUTEX,Object is not a Mutex,0),
+PKIX_ERRORENTRY(OBJECTNOTNAMECONSTRAINTSCHECKERSTATE,Object is not a name constraints checker state,0),
+PKIX_ERRORENTRY(OBJECTNOTOCSPCERTID,Object is not an OcspCertID,0),
+PKIX_ERRORENTRY(OBJECTNOTOCSPCHECKER,Object is not an OCSPChecker,0),
+PKIX_ERRORENTRY(OBJECTNOTOCSPREQUEST,Object is not an OcspRequest,0),
+PKIX_ERRORENTRY(OBJECTNOTPOLICYCHECKERSTATE,Object is not a PKIX_PolicyCheckerState,0),
+PKIX_ERRORENTRY(OBJECTNOTPOLICYNODE,Object is not a PolicyNode,0),
+PKIX_ERRORENTRY(OBJECTNOTPROCESSINGPARAMS,Object is not a ProcessingParams,0),
+PKIX_ERRORENTRY(OBJECTNOTPUBLICKEY,Object is not a PublicKey,0),
+PKIX_ERRORENTRY(OBJECTNOTRESOURCELIMITS,Object is not a ResourceLimits,0),
+PKIX_ERRORENTRY(OBJECTNOTREVOCATIONCHECKER,Object is not a revocation checker,0),
+PKIX_ERRORENTRY(OBJECTNOTRWLOCK,Object is not a RWLock,0),
+PKIX_ERRORENTRY(OBJECTNOTSIGNATURECHECKERSTATE,Object is not a signature checker state,0),
+PKIX_ERRORENTRY(OBJECTNOTSOCKET,Object is not a Socket,0),
+PKIX_ERRORENTRY(OBJECTNOTSTRING,Object is not a string,0),
+PKIX_ERRORENTRY(OBJECTNOTTARGETCERTCHECKERSTATE,Object is not a target cert checker state,0),
+PKIX_ERRORENTRY(OBJECTNOTTRUSTANCHOR,Object is not a trustAnchor,0),
+PKIX_ERRORENTRY(OBJECTNOTVALIDATEPARAMS,Object is not a ValidateParams,0),
+PKIX_ERRORENTRY(OBJECTNOTVALIDATERESULT,Object is not a ValidateResult,0),
+PKIX_ERRORENTRY(OBJECTNOTVERIFYNODE,Object is not a VerifyNode,0),
+PKIX_ERRORENTRY(OBJECTREGISTERTYPEFAILED,PKIX_PL_Object_RegisterType failed,0),
+PKIX_ERRORENTRY(OBJECTRETRIEVEEQUALSCALLBACKFAILED,pkix_pl_Object_RetrieveEqualsCallback failed,0),
+PKIX_ERRORENTRY(OBJECTSPECIFICFUNCTIONFAILED,object-specific function failed,0),
+PKIX_ERRORENTRY(OBJECTSTILLREFERENCED,Object is still referenced,0),
+PKIX_ERRORENTRY(OBJECTTOSTRINGFAILED,PKIX_PL_Object_ToString failed,0),
+PKIX_ERRORENTRY(OBJECTTYPESDONOTMATCH,Object types do not match,0),
+PKIX_ERRORENTRY(OBJECTWITHNONPOSITIVEREFERENCES,Object with non-positive references,0),
+PKIX_ERRORENTRY(OCSPCERTIDCREATEFAILED,PKIX_PL_OcspCertID_Create failed,0),
+PKIX_ERRORENTRY(OCSPCERTIDGETFRESHCACHESTATUSFAILED,PKIX_PL_OcspCertID_GetFreshCacheStatus returned an error,0),
+PKIX_ERRORENTRY(OCSPCERTIDREMEMBEROCSPFAILUREDFAILED,PKIX_PL_OcspCertID_RememberOCSPProcessingFailure,0),
+PKIX_ERRORENTRY(OCSPCHECKERCREATEFAILED,PKIX_OcspChecker_Create failed,0),
+PKIX_ERRORENTRY(OCSPBADHTTPRESPONSE,Bad Http Response,SEC_ERROR_OCSP_BAD_HTTP_RESPONSE),
+PKIX_ERRORENTRY(OCSPREQUESTCREATEFAILED,PKIX_PL_OcspRequest_Create failed,0),
+PKIX_ERRORENTRY(OCSPREQUESTGETCERTIDFAILED,pkix_pl_OcspRequest_GetCertID failed,0),
+PKIX_ERRORENTRY(OCSPREQUESTGETENCODEDFAILED,pkix_pl_OcspRequest_GetEncoded failed,0),
+PKIX_ERRORENTRY(OCSPREQUESTGETLOCATIONFAILED,pkix_pl_OcspRequest_GetLocation failed,0),
+PKIX_ERRORENTRY(OCSPRESPONSECREATEFAILED,pkix_pl_OcspResponse_Create failed,0),
+PKIX_ERRORENTRY(OCSPRESPONSEDECODEFAILED,pkix_pl_OcspResponse_Decode failed,0),
+PKIX_ERRORENTRY(OCSPRESPONSEGETSTATUSFORCERTFAILED,pkix_pl_OcspResponse_GetStatusForCert failed,0),
+PKIX_ERRORENTRY(OCSPRESPONSEGETSTATUSRETURNEDANERROR,pkix_pl_OcspResponse_GetStatus returned an error,0),
+PKIX_ERRORENTRY(OCSPRESPONSESAYSCERTREVOKED,OCSP response says Cert revoked,SEC_ERROR_REVOKED_CERTIFICATE_OCSP),
+PKIX_ERRORENTRY(OCSPRESPONSEVERIFYSIGNATUREFAILED,pkix_pl_OcspResponse_VerifySignature failed,0),
+PKIX_ERRORENTRY(OCSPSERVERERROR,OCSP Server Error,SEC_ERROR_OCSP_SERVER_ERROR),
+PKIX_ERRORENTRY(OIDBYTES2ASCIIDATALENGTHZERO,pkix_pl_oidBytes2Ascii: data length is zero,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(OIDBYTES2ASCIIFAILED,pkix_pl_oidBytes2Ascii failed,0),
+PKIX_ERRORENTRY(OIDBYTESLENGTH0,Oid bytes length is 0,0),
+PKIX_ERRORENTRY(OIDCOMPARATORFAILED,pkix_pl_OID_Comparator failed,0),
+PKIX_ERRORENTRY(OIDCOMPONENTTOOBIG,Overflow error: OID component > 2^32,0),
+PKIX_ERRORENTRY(OIDCREATEFAILED,PKIX_PL_OID_Create failed,0),
+PKIX_ERRORENTRY(OIDEQUALFAILED,PKIX_PL_OID_Equal failed,0),
+PKIX_ERRORENTRY(OIDEQUALSFAILED,PKIX_PL_OID_Equals failed,0),
+PKIX_ERRORENTRY(OIDGETNEXTTOKENFAILED,pkix_pl_OID_GetNextToken failed,0),
+PKIX_ERRORENTRY(OIDHASHCODEFAILED,PKIX_PL_OID_Hashcode failed,0),
+PKIX_ERRORENTRY(OIDLENGTHTOOSHORT,OID length too short,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(OIDNEEDS2ORMOREFIELDS,OID needs 2 or more fields,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(OIDTOSTRINGFAILED,PKIX_PL_OID_ToString failed,0),
+PKIX_ERRORENTRY(OPERATIONNOTPERMITTEDONIMMUTABLELIST,Operation not permitted on Immutable List,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(OTHERNAMECREATEFAILED,pkix_pl_OtherName_Create failed,0),
+PKIX_ERRORENTRY(OUTOFMEMORY,Out of Memory,0),
+PKIX_ERRORENTRY(PATHLENCONSTRAINTINVALID,Certificate path length constraint is invalid,SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID),
+PKIX_ERRORENTRY(PK11CERTSTORECERTQUERYFAILED,pkix_pl_Pk11CertStore_CertQuery failed,0),
+PKIX_ERRORENTRY(PK11CERTSTORECREATEFAILED,PKIX_PL_Pk11CertStore_Create failed,0),
+PKIX_ERRORENTRY(PK11CERTSTORECRLQUERYFAILED,pkix_pl_Pk11CertStore_CrlQuery failed,0),
+PKIX_ERRORENTRY(PKIXUNKNOWNERROR,PKIX uninitialized error code,0),
+PKIX_ERRORENTRY(POLICYCHECKERCALCULATEINTERSECTIONFAILED,pkix_PolicyChecker_CalculateIntersection failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERCHECKANYFAILED,pkix_PolicyChecker_CheckAny failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERCHECKPOLICYRECURSIVEFAILED,pkix_PolicyChecker_CheckPolicyRecursive failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERERROR,PolicyChecker Error,0),
+PKIX_ERRORENTRY(POLICYCHECKERINITIALIZEFAILED,pkix_PolicyChecker_Initialize failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERMAKEMUTABLECOPYFAILED,pkix_PolicyChecker_MakeMutableCopy failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERMAKESINGLETONFAILED,pkix_PolicyChecker_MakeSingleton failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERMAPCONTAINSFAILED,pkix_PolicyChecker_MapContains failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED,pkix_PolicyChecker_MapGetMappedPolicies failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED,pkix_PolicyChecker_MapGetSubjectDomainPolicies failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERSPAWNFAILED,pkix_PolicyChecker_Spawn failed,0),
+PKIX_ERRORENTRY(POLICYCHECKERSTATECREATEFAILED,PKIX_PolicyCheckerState_Create failed,0),
+PKIX_ERRORENTRY(POLICYNODEADDTOPARENTFAILED,pkix_PolicyNode_AddToParent failed,0),
+PKIX_ERRORENTRY(POLICYNODECREATEFAILED,pkix_PolicyNode_Create failed,0),
+PKIX_ERRORENTRY(POLICYNODEDUPLICATEHELPERFAILED,pkix_PolicyNode_DuplicateHelper failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETCHILDRENMUTABLEFAILED,pkix_PolicyNode_GetChildrenMutable failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETDEPTHFAILED,PKIX_PolicyNode_GetDepth failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETEXPECTEDPOLICIESFAILED,PKIX_PolicyNode_GetExpectedPolicies failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETPARENTFAILED,PKIX_PolicyNode_GetParent failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETPOLICYQUALIFIERSFAILED,PKIX_PolicyNode_GetPolicyQualifiers failed,0),
+PKIX_ERRORENTRY(POLICYNODEGETVALIDPOLICYFAILED,PKIX_PolicyNode_GetValidPolicy failed,0),
+PKIX_ERRORENTRY(POLICYNODEISCRITICALFAILED,PKIX_PolicyNode_IsCritical failed,0),
+PKIX_ERRORENTRY(POLICYNODEPRUNEFAILED,pkix_PolicyNode_Prune failed,0),
+PKIX_ERRORENTRY(POLICYTREETOOIDSFAILED,Failed to convert policy tree to oid,0),
+PKIX_ERRORENTRY(PORTARENAALLOCFAILED,PORT Arena Allocation failed, 0),
+PKIX_ERRORENTRY(PORTUCS2UTF8CONVERSIONFAILED,PORT_UCS2_UTF8Conversion failed.,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(PRACCEPTFAILED,PR_Accept failed,0),
+PKIX_ERRORENTRY(PRBINDFAILED,PR_Bind failed,0),
+PKIX_ERRORENTRY(PRCONNECTCONTINUEFAILED,PR_ConnectContinue failed,0),
+PKIX_ERRORENTRY(PRCONNECTFAILED,PR_Connect failed,0),
+PKIX_ERRORENTRY(PRENUMERATEHOSTENTFAILED,PR_EnumerateHostEnt failed.,0),
+PKIX_ERRORENTRY(PRGETHOSTBYNAMEREJECTSHOSTNAMEARGUMENT,PR_GetHostByName rejects hostname argument.,0),
+PKIX_ERRORENTRY(PRIMHASHTABLEADDFAILED,pkix_pl_PrimHashTable_Add failed,0),
+PKIX_ERRORENTRY(PRIMHASHTABLECREATEFAILED,pkix_pl_PrimHashTable_Create failed,0),
+PKIX_ERRORENTRY(PRIMHASHTABLEDESTROYFAILED,pkix_pl_PrimHashTable_Destroy failed,0),
+PKIX_ERRORENTRY(PRIMHASHTABLEGETBUCKETSIZEFAILED,pkix_pl_PrimHashTable_GetBucketSize failed,0),
+PKIX_ERRORENTRY(PRIMHASHTABLELOOKUPFAILED,pkix_pl_PrimHashTable_Lookup failed,0),
+PKIX_ERRORENTRY(PRIMHASHTABLEREMOVEFAILED,pkix_pl_PrimHashTable_Remove failed,0),
+PKIX_ERRORENTRY(PRLISTENFAILED,PR_Listen failed,0),
+PKIX_ERRORENTRY(PRNEWTCPSOCKETFAILED,PR_NewTCPSocket failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSADDCERTCHAINCHECKERFAILED,PKIX_ProcessingParams_AddCertChainChecker failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSADDCERTSTOREFAILED,PKIX_ProcessingParams_AddCertStore failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSCREATEFAILED,PKIX_ProcessingParams_Create failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED,PKIX_ProcessingParams_GetCertChainCheckers failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETCERTSTORESFAILED,PKIX_ProcessingParams_GetCertStores failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETDATEFAILED,PKIX_ProcessingParams_GetDate failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETHINTCERTSFAILED,PKIX_ProcessingParams_GetHintCerts failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETINITIALPOLICIESFAILED,PKIX_ProcessingParams_GetInitialPolicies failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED,PKIX_ProcessingParams_GetPolicyQualifiersRejected failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETRESOURCELIMITSFAILED,PKIX_ProcessingParams_GetResourceLimits failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONCHECKERSFAILED,PKIX_ProcessingParams_GetRevocationCheckers failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_GetRevocationEnabled failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_GetTargetCertConstraints failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETTRUSTANCHORSFAILED,PKIX_ProcessingParams_GetTrustAnchors failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED,PKIX_ProcessingParams_IsAnyPolicyInhibited failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED,PKIX_ProcessingParams_IsExplicitPolicyRequired failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED,PKIX_ProcessingParams_IsPolicyMappingInhibited failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETANYPOLICYINHIBITED,PKIX_ProcessingParams_SetAnyPolicyInhibited failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETCERTSTORESFAILED,PKIX_ProcessingParams_SetCertStores failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETDATEFAILED,PKIX_ProcessingParams_SetDate failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED,PKIX_ProcessingParams_SetExplicitPolicyRequired failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETHINTCERTSFAILED,PKIX_ProcessingParams_SetHintCerts failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETINITIALPOLICIESFAILED,PKIX_ProcessingParams_SetInitialPolicies failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetNISTRevocationEnabled failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetRevocationEnabled failed,0),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed,0),
+PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed,0),
+PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed,0),
+PKIX_ERRORENTRY(PRRECVFAILED,PR_Recv failed,0),
+PKIX_ERRORENTRY(PRRECVREPORTSNETWORKCONNECTIONCLOSED,PR_Recv reports network connection is closed,0),
+PKIX_ERRORENTRY(PRSENDFAILED,PR_Send failed,0),
+PKIX_ERRORENTRY(PRSHUTDOWNFAILED,PR_Shutdown failed,0),
+PKIX_ERRORENTRY(PRSMPRINTFFAILED,PR_smprintf failed,0),
+PKIX_ERRORENTRY(PRSNPRINTFFAILED,PR_snprintf failed,0),
+PKIX_ERRORENTRY(PUBKEYTYPENULLKEY,pubKeyType is nullKey,0),
+PKIX_ERRORENTRY(PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED,PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed,0),
+PKIX_ERRORENTRY(PUBLICKEYNEEDSDSAPARAMETERSFAILED,PKIX_PL_PublicKey_NeedsDSAParameters failed,0),
+PKIX_ERRORENTRY(PUBLICKEYTOSTRINGFAILED,PKIX_PL_PublicKey_ToString failed,0),
+PKIX_ERRORENTRY(PUBLICKEYTOSTRINGHELPERFAILED,pkix_pl_PublicKey_ToString_Helper failed,0),
+PKIX_ERRORENTRY(QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION,Qualifiers in critical Certificate Policy extension,0),
+PKIX_ERRORENTRY(REALLOCFAILED,PKIX_PL_Realloc failed,0),
+PKIX_ERRORENTRY(RECEIVEDCORRUPTEDOBJECTARGUMENT,Received corrupted object argument,0),
+PKIX_ERRORENTRY(REGISTERCERTSTOREFAILED,RegisterCertStores failed,0),
+PKIX_ERRORENTRY(REQUESTNOTANHTTPDEFAULTCLIENT,request is not an HttpDefaultClient,0),
+PKIX_ERRORENTRY(RESOURCELIMITSGETMAXDEPTHFAILED,PKIX_ResourceLimits_GetMaxDepth failed,0),
+PKIX_ERRORENTRY(RESOURCELIMITSGETMAXFANOUTFAILED,PKIX_ResourceLimits_GetMaxFanout failed,0),
+PKIX_ERRORENTRY(RESOURCELIMITSGETMAXTIMEFAILED,PKIX_ResourceLimits_GetMaxTime failed,0),
+PKIX_ERRORENTRY(RETRIEVEOUTPUTSFAILED,pkix_RetrieveOutputs failed,0),
+PKIX_ERRORENTRY(REVCHECKCERTFAILED,pkix_RevCheckCert failed,0),
+PKIX_ERRORENTRY(REVCHECKERCHECKFAILED,revCheckerCheck failed,0),
+PKIX_ERRORENTRY(REVOCATIONCHECKERCREATEFAILED,PKIX_RevocationChecker_Create failed,0),
+PKIX_ERRORENTRY(REVOCATIONCHECKERGETREVCALLBACKFAILED,PKIX_RevocationChecker_GetRevCallback failed,0),
+PKIX_ERRORENTRY(REVOCATIONCHECKERGETREVCHECKERCONTEXTFAILED,PKIX_RevocationChecker_GetRevCheckerContext failed,0),
+PKIX_ERRORENTRY(REVOKEDBYUNKNOWNCRLREASONCODE,Revoked by Unknown CRL ReasonCode,0),
+PKIX_ERRORENTRY(SEARCHRESPONSEPACKETOFUNKNOWNTYPE,SearchResponse packet of unknown type,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(SECASN1ENCODEITEMFAILED,SEC_ASN1EncodeItem failed,SEC_ERROR_FAILED_TO_ENCODE_DATA),
+PKIX_ERRORENTRY(SECERRORUNKNOWNISSUER,Nss legacy err code: build failed. Issuer is unknown.,SEC_ERROR_UNKNOWN_ISSUER),
+PKIX_ERRORENTRY(SECKEYCOPYSUBJECTPUBLICKEYINFOFAILED,SECKEY_CopySubjectPublicKeyInfo failed,0),
+PKIX_ERRORENTRY(SECKEYEXTRACTPUBLICKEYFAILED,SECKEY_ExtractPublicKey failed,0),
+PKIX_ERRORENTRY(SECOIDCOPYALGORITHMIDFAILED,SECOID_CopyAlgorithmID failed,0),
+PKIX_ERRORENTRY(SECOIDFINDOIDTAGDESCRIPTIONFAILED,SECOID_FindOIDTag Description failed,0),
+PKIX_ERRORENTRY(SECONDFIELDMUSTBEBETWEEN039,Second field must be between 0-39,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(SECONDKEYDSAPUBLICKEY,Second key is a DSA public key but has null parameters,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(SECONDKEYNOTDSAPUBLICKEY,Second key is not a DSA public key,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(SECONDPUBKEYTYPENULLKEY,secondPubKeyType is nullKey,0),
+PKIX_ERRORENTRY(SECQUICKDERDECODERFAILED,SEC_QuickDERDecodeItem failed,0),
+PKIX_ERRORENTRY(SECREADPKCS7CERTSFAILED,SEC_ReadPKCS7Certs failed,0),
+PKIX_ERRORENTRY(SELECTORMATCHFAILED,selectorMatch failed,0),
+PKIX_ERRORENTRY(SESSIONNOTANHTTPDEFAULTCLIENT,session is not an HttpDefaultClient,0),
+PKIX_ERRORENTRY(SETPOLICIESFAILED,Fail to set cert validation policies,0),
+PKIX_ERRORENTRY(SHUTDOWNFAILED,PKIX_PL_Shutdown failed,0),
+PKIX_ERRORENTRY(SIGNATURECHECKERINITIALIZEFAILED,pkix_SignatureChecker_Initialize failed,0),
+PKIX_ERRORENTRY(SIGNATURECHECKERSTATECREATEFAILED,pkix_SignatureCheckerState_Create failed,0),
+PKIX_ERRORENTRY(SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY,Signature did not verify with the public key,SEC_ERROR_BAD_SIGNATURE),
+PKIX_ERRORENTRY(SINGLEPOLICYNODEEQUALSFAILED,PKIX_PL_SinglePolicyNode_Equals failed,0),
+PKIX_ERRORENTRY(SINGLEPOLICYNODEHASHCODEFAILED,pkix_SinglePolicyNode_Hashcode failed,0),
+PKIX_ERRORENTRY(SINGLEPOLICYNODETOSTRINGFAILED,pkix_SinglePolicyNode_ToString failed,0),
+PKIX_ERRORENTRY(SINGLEVERIFYNODEEQUALSFAILED,PKIX_PL_SingleVerifyNode_Equals failed,0),
+PKIX_ERRORENTRY(SINGLEVERIFYNODEHASHCODEFAILED,pkix_SingleVerifyNode_Hashcode failed,0),
+PKIX_ERRORENTRY(SOCKETCONNECTCONTINUEFAILED,pkix_pl_Socket_ConnectContinue failed,0),
+PKIX_ERRORENTRY(SOCKETCONNECTFAILED,pkix_pl_Socket_Connect failed,0),
+PKIX_ERRORENTRY(SOCKETCREATEBYHOSTANDPORTFAILED,pkix_pl_Socket_CreateByHostAndPort failed,0),
+PKIX_ERRORENTRY(SOCKETCREATEBYNAMEFAILED,pkix_pl_Socket_CreateByName failed,0),
+PKIX_ERRORENTRY(SOCKETCREATECLIENTFAILED,pkix_pl_Socket_CreateClient failed,0),
+PKIX_ERRORENTRY(SOCKETCREATEFAILED,pkix_pl_Socket_Create failed,0),
+PKIX_ERRORENTRY(SOCKETCREATESERVERFAILED,pkix_pl_Socket_CreateServer failed,0),
+PKIX_ERRORENTRY(SOCKETEQUALSFAILED,PKIX_PL_Socket_Equals failed,0),
+PKIX_ERRORENTRY(SOCKETGETCALLBACKLISTFAILED,pkix_pl_Socket_GetCallbackList failed,0),
+PKIX_ERRORENTRY(SOCKETGETPRFILEDESCFAILED,pkix_pl_Socket_GetPRFileDesc failed,0),
+PKIX_ERRORENTRY(SOCKETHASHCODEFAILED,PKIX_PL_Socket_Hashcode failed,0),
+PKIX_ERRORENTRY(SOCKETPOLLFAILED,pkix_pl_Socket_Poll failed,0),
+PKIX_ERRORENTRY(SOCKETRECVFAILED,pkix_pl_Socket_Recv failed,0),
+PKIX_ERRORENTRY(SOCKETSENDFAILED,pkix_pl_Socket_Send failed,0),
+PKIX_ERRORENTRY(SOCKETSETNONBLOCKINGFAILED,pkix_pl_Socket_SetNonBlocking failed,0),
+PKIX_ERRORENTRY(SOURCESTRINGHASINVALIDLENGTH,Source string has invalid length,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(SPRINTFFAILED,PKIX_PL_Sprintf failed,0),
+PKIX_ERRORENTRY(STRINGCOMPARATORFAILED,pkix_pl_String_Comparator failed,0),
+PKIX_ERRORENTRY(STRINGCREATEFAILED,PKIX_PL_String_Create failed,0),
+PKIX_ERRORENTRY(STRINGEQUALSFAILED,pkix_pl_String_Equals failed,0),
+PKIX_ERRORENTRY(STRINGGETENCODEDFAILED,PKIX_PL_String_GetEncoded failed,0),
+PKIX_ERRORENTRY(STRINGHASHCODEFAILED,pkix_pl_String_Hashcode failed,0),
+PKIX_ERRORENTRY(SUBJALTNAMECHECKFAILED,Validation failed: SubjAltNamecheck failed,0),
+PKIX_ERRORENTRY(TARGETCERTCHECKERINITIALIZEFAILED,pkix_TargetCertChecker_Initialize failed,0),
+PKIX_ERRORENTRY(TARGETCERTCHECKERSTATECREATEFAILED,pkix_TargetCertCheckerState_Create failed,0),
+PKIX_ERRORENTRY(TESTANOTHERERRORMESSAGE, Another Error Message,0),
+PKIX_ERRORENTRY(TESTERRORMESSAGE, Error Message,0),
+PKIX_ERRORENTRY(TESTNOMATCHINGPOLICY, No Matching Policy,0),
+PKIX_ERRORENTRY(TESTNOTANERRORCRLSELECTMISMATCH, Not an error CRL Select mismatch,0),
+PKIX_ERRORENTRY(TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, Policies extension but no Policy Qualifiers,0),
+PKIX_ERRORENTRY(TIMECONSUMEDEXCEEDSRESOURCELIMITS,Time consumed exceeds Resource Limits,SEC_ERROR_OUT_OF_SEARCH_LIMITS),
+PKIX_ERRORENTRY(TOOLITTLEDATAINDERSEQUENCE,Too little data in DER Sequence,0),
+PKIX_ERRORENTRY(TOOMUCHDATAINDERSEQUENCE,Too much data in DER Sequence,0),
+PKIX_ERRORENTRY(TOSTRINGFORTHISGENERALNAMETYPENOTSUPPORTED,ToString for this GeneralName type not supported,0),
+PKIX_ERRORENTRY(TRUNCATEDUNICODEINESCAPEDASCII,Truncated Unicode in EscapedASCII,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(TRUSTANCHORCREATEWITHCERTFAILED,PKIX_TrustAnchor_CreateWithCert failed,0),
+PKIX_ERRORENTRY(TRUSTANCHORGETCANAMEFAILED,PKIX_TrustAnchor_GetCAName failed,0),
+PKIX_ERRORENTRY(TRUSTANCHORGETCAPUBLICKEYFAILED,PKIX_TrustAnchor_GetCAPublicKey failed,0),
+PKIX_ERRORENTRY(TRUSTANCHORGETNAMECONSTRAINTSFAILED,PKIX_TrustAnchor_GetNameConstraints failed,0),
+PKIX_ERRORENTRY(TRUSTANCHORGETTRUSTEDCERTFAILED,PKIX_TrustAnchor_GetTrustedCert failed,0),
+PKIX_ERRORENTRY(TRUSTANCHORTOCERTFAILED,Fail to convert trust anchor to cert,0),
+PKIX_ERRORENTRY(TYPEALREADYREGISTERED,Type is already registered,0),
+PKIX_ERRORENTRY(UNABLETOADDACCEPTABLERESPONSESTOREQUEST,Unable to add acceptableResponses to request,0),
+PKIX_ERRORENTRY(UNABLETOADDCERTTOCERTLIST,Unable to add Cert to CertList,0),
+PKIX_ERRORENTRY(UNABLETOBUILDCHAIN,Unable to build chain,0),
+PKIX_ERRORENTRY(UNABLETOCREATECERTOCSPREQUEST,Unable to create a CertOCSPRequest,0),
+PKIX_ERRORENTRY(UNABLETOCREATECRLSTRING,Unable to create crlString,0),
+PKIX_ERRORENTRY(UNABLETOCREATEGENERALNAMEOFTHISTYPE,Unable to create GeneralName of this type,0),
+PKIX_ERRORENTRY(UNABLETOCREATEISSUER,Unable to create Issuer,0),
+PKIX_ERRORENTRY(UNABLETOCREATELIST,Unable to create list,0),
+PKIX_ERRORENTRY(UNABLETOCREATENEWCERTLIST,Unable to create a new CertList,0),
+PKIX_ERRORENTRY(UNABLETOCREATEPSTRING,Unable to create pString,0),
+PKIX_ERRORENTRY(UNABLETOFINDSTATUSINOCSPRESPONSE,Unable to find status in OCSP response,SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS),
+PKIX_ERRORENTRY(UNABLETOMAKELISTIMMUTABLE,Unable to make list immutable,0),
+PKIX_ERRORENTRY(UNABLETOOPENCERTFILE,Unable to open cert file,0),
+PKIX_ERRORENTRY(UNABLETOOPENCRLFILE,Unable to open crl file,0),
+PKIX_ERRORENTRY(UNABLETOPARSEOCSPRESPONSE,Unable to parse OCSP response,SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+PKIX_ERRORENTRY(UNABLETOREADDERFROMCERTFILE,Unable to read DER from cert file,0),
+PKIX_ERRORENTRY(UNABLETOREADDERFROMCRLFILE,Unable to read DER from crl file,0),
+PKIX_ERRORENTRY(UNABLETOSETSOCKETTONONBLOCKING,Unable to set socket to non-blocking I/O,0),
+PKIX_ERRORENTRY(UNDEFINEDCALLBACK,Undefined callback,0),
+PKIX_ERRORENTRY(UNDEFINEDCLASSTABLEENTRY,Undefined class table entry,0),
+PKIX_ERRORENTRY(UNDEFINEDCOMPARATOR,Undefined Comparator,0),
+PKIX_ERRORENTRY(UNDEFINEDDUPLICATEFUNCTION,Undefined Duplicate function,0),
+PKIX_ERRORENTRY(UNDEFINEDEQUALSCALLBACK,Undefined equals callback,0),
+PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in establishing connection,0),
+PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE),
+PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE),
+PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0),
+PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0),
+PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0),
+PKIX_ERRORENTRY(UNLOCKOBJECTFAILED,pkix_UnlockObject failed,0),
+PKIX_ERRORENTRY(UNRECOGNIZEDCRITICALEXTENSION,Unrecognized Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
+PKIX_ERRORENTRY(UNRECOGNIZEDCRLENTRYCRITICALEXTENSION,Unrecognized CRLEntry Critical Extension,SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
+PKIX_ERRORENTRY(UNRECOGNIZEDPROTOCOLREQUESTED,Unrecognized protocol requested,0),
+PKIX_ERRORENTRY(UNRECOGNIZEDREQUESTMETHOD,Unrecognized request method,0),
+PKIX_ERRORENTRY(UNRECOGNIZEDTIMETYPE,Unrecognized time type,0),
+PKIX_ERRORENTRY(UNSUPPORTEDVERSIONOFHTTPCLIENT,Unsupported version of Http Client,0),
+PKIX_ERRORENTRY(URLPARSINGFAILED,URL Parsing failed,0),
+PKIX_ERRORENTRY(USERCHECKERCHECKFAILED,userCheckerCheck failed,0),
+PKIX_ERRORENTRY(UTF16ALIGNMENTERROR,UTF16 Alignment Error,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(UTF16HIGHZONEALIGNMENTERROR,UTF16 High Zone Alignment Error,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(UTF16LOWZONEERROR,UTF16 Low Zone Error,SEC_ERROR_INVALID_ARGS),
+PKIX_ERRORENTRY(UTF16TOESCASCIIFAILED,pkix_UTF16_to_EscASCII failed,0),
+PKIX_ERRORENTRY(UTF16TOUTF8FAILED,pkix_UTF16_to_UTF8 failed,0),
+PKIX_ERRORENTRY(UTF8TOUTF16FAILED,pkix_UTF8_to_UTF16 failed,0),
+PKIX_ERRORENTRY(VALIDATEBUILDUSEROIDSFAILED,pkix_Validate_BuildUserOIDs failed,0),
+PKIX_ERRORENTRY(VALIDATECERTCHAINFAILED,Failed to validate cert chain,0),
+PKIX_ERRORENTRY(VALIDATECHAINFAILED,PKIX_ValidateChain failed,0),
+PKIX_ERRORENTRY(VALIDATEPARAMSGETCERTCHAINFAILED,PKIX_ValidateParams_GetCertChain failed,0),
+PKIX_ERRORENTRY(VALIDATEPARAMSGETPROCESSINGPARAMSFAILED,PKIX_ValidateParams_GetProcessingParams failed,0),
+PKIX_ERRORENTRY(VALIDATERESULTCREATEFAILED,pkix_ValidateResult_Create failed,0),
+PKIX_ERRORENTRY(VALIDATERESULTGETPOLICYTREEFAILED,PKIX_ValidateResult_GetPolicyTree failed,0),
+PKIX_ERRORENTRY(VALIDATERESULTGETTRUSTANCHORFAILED,PKIX_ValidateResult_GetTrustAnchor failed,0),
+PKIX_ERRORENTRY(VALIDATIONFAILEDCERTSIGNATURECHECKING,Validation failed: Cert Signature checking,SEC_ERROR_BAD_SIGNATURE),
+PKIX_ERRORENTRY(VALIDATIONFAILEDNULLCERTPOINTER,Validation failed: NULL Cert pointer,0),
+PKIX_ERRORENTRY(VALIDATIONFAILEDPATHTONAMECHECKFAILED,Validation failed: PathToName check failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
+PKIX_ERRORENTRY(VALUEINESCAPEDASCII,value in EscapedASCII,0),
+PKIX_ERRORENTRY(VERIFYNODEADDTOCHAINFAILED,pkix_VerifyNode_AddToChain failed,0),
+PKIX_ERRORENTRY(VERIFYNODEADDTOTREEFAILED,pkix_VerifyNode_AddToTree failed,0),
+PKIX_ERRORENTRY(VERIFYNODECREATEFAILED,pkix_VerifyNode_Create failed,0),
+PKIX_ERRORENTRY(VERIFYNODEDUPLICATEHELPERFAILED,pkix_VerifyNode_DuplicateHelper failed,0),
+PKIX_ERRORENTRY(VERIFYNODEFINDERRORFAILED,pkix_VerifyNode_FindError failed,0),
+PKIX_ERRORENTRY(VERIFYNODESETDEPTHFAILED,pkix_VerifyNode_SetDepth failed,0),
+PKIX_ERRORENTRY(VERIFYNODESETERRORFAILED,pkix_VerifyNode_SetError failed,0),
+PKIX_ERRORENTRY(VERSIONVALUEMUSTBEV1ORV2,Version value must be V1(0) or V2(1),SEC_ERROR_CRL_INVALID),
+PKIX_ERRORENTRY(VERSIONVALUEMUSTBEV1V2ORV3,Version value must be v1(0) v2(1) or v3(2),SEC_ERROR_CERT_VALID),
+PKIX_ERRORENTRY(X500NAMECOMPAREDERBYTESFAILED,pkix_pl_X500Name_CompareDERBytes failed,0),
+PKIX_ERRORENTRY(X500NAMECREATEFAILED,PKIX_PL_X500Name_Create failed,0),
+PKIX_ERRORENTRY(X500NAMECREATEFROMCERTNAMEFAILED,pkix_pl_X500Name_CreateFromCERTName failed,0),
+PKIX_ERRORENTRY(X500NAMECREATEFROMUTF8FAILED,pkix_pl_X500Name_CreateFromUtf8 failed,0),
+PKIX_ERRORENTRY(X500NAMEEQUALSFAILED,PKIX_PL_X500Name_Equals failed,0),
+PKIX_ERRORENTRY(X500NAMEGETCOMMONNAMEFAILED,pkix_pl_X500Name_GetCommonName failed,0),
+PKIX_ERRORENTRY(X500NAMEGETCOUNTRYNAMEFAILED,pkix_pl_X500Name_GetCountryName failed,0),
+PKIX_ERRORENTRY(X500NAMEGETORGNAMEFAILED,pkix_pl_X500Name_GetOrgName failed,0),
+PKIX_ERRORENTRY(X500NAMEGETSECNAMEFAILED,pkix_pl_X500Name_GetSECName failed,0),
+PKIX_ERRORENTRY(X500NAMEHASHCODEFAILED,PKIX_PL_X500Name_Hashcode failed,0),
+PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0),
+PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0),
+PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed,0),
+PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0)
diff --git a/security/nss/lib/libpkix/include/pkix_params.h b/security/nss/lib/libpkix/include/pkix_params.h
new file mode 100755
index 000000000..8a2f05732
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_params.h
@@ -0,0 +1,1898 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the various parameters used
+ * by the top-level functions.
+ *
+ */
+
+#ifndef _PKIX_PARAMS_H
+#define _PKIX_PARAMS_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_ProcessingParams
+ *
+ * PKIX_ProcessingParams are parameters used when validating or building a
+ * chain of certificates. Using the parameters, the caller can specify several
+ * things, including the various inputs to the PKIX chain validation
+ * algorithm (such as trust anchors, initial policies, etc), any customized
+ * functionality (such as CertChainCheckers, RevocationCheckers, CertStores),
+ * and whether revocation checking should be disabled.
+ *
+ * Once the caller has created the ProcessingParams object, the caller then
+ * passes it to PKIX_ValidateChain or PKIX_BuildChain, which uses it to call
+ * the user's callback functions as needed during the validation or building
+ * process.
+ *
+ * If a parameter is not set (or is set to NULL), it will be set to the
+ * default value for that parameter. The default value for the Date parameter
+ * is NULL, which indicates the current time when the path is validated. The
+ * default for the remaining parameters is the least constrained.
+ */
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ProcessingParams object. Trust anchor list is set to
+ *  newly created empty list of trust. In this case trust anchors will
+ *  be taken from provided cert store. Pointed to the created
+ *  ProcessingParams object is stored in "pParams".
+ *
+ * PARAMETERS:
+ *  "anchors"
+ *      Address of List of (non-empty) TrustAnchors to be used.
+ *      Must be non-NULL.
+ *  "pParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_Create(
+        PKIX_ProcessingParams **pParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetCertChainCheckers
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of CertChainCheckers (if any) that are set
+ *  in the ProcessingParams pointed to by "params" and stores it at
+ *  "pCheckers". Each CertChainChecker represents a custom certificate
+ *  validation check used by PKIX_ValidateChain or PKIX_BuildChain as needed
+ *  during the validation or building process. If "params" does not have any
+ *  CertChainCheckers, this function stores an empty List at "pCheckers".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of CertChainCheckers (if any)
+ *      are to be stored. Must be non-NULL.
+ *  "pCheckers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetCertChainCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pCheckers, /* list of PKIX_CertChainChecker */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetCertChainCheckers
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a List of
+ *  CertChainCheckers pointed to by "checkers". Each CertChainChecker
+ *  represents a custom certificate validation check used by
+ *  PKIX_ValidateChain or PKIX_BuildChain as needed during the validation or
+ *  building process. If "checkers" is NULL, no CertChainCheckers will be used.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of CertChainCheckers is to be
+ *      set. Must be non-NULL.
+ *  "checkers"
+ *      Address of List of CertChainCheckers to be set. If NULL, no
+ *      CertChainCheckers will be used.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params" and "checkers"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetCertChainCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List *checkers,  /* list of PKIX_CertChainChecker */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddCertChainChecker
+ * DESCRIPTION:
+ *
+ *  Adds the CertChainChecker pointed to by "checker" to the ProcessingParams
+ *  pointed to by "params". The CertChainChecker represents a custom
+ *  certificate validation check used by PKIX_ValidateChain or PKIX_BuildChain
+ *  as needed during the validation or building process.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be added to. Must be non-NULL.
+ *  "checker"
+ *      Address of CertChainChecker to be added. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddCertChainChecker(
+        PKIX_ProcessingParams *params,
+        PKIX_CertChainChecker *checker,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetRevocationCheckers
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of RevocationCheckers (if any) that are set
+ *  in the ProcessingParams pointed to by "params" and stores it at
+ *  "pRevCheckers". Each RevocationChecker represents a custom revocation
+ *  check used by PKIX_ValidateChain or PKIX_BuildChain as needed during the
+ *  validation or building process. If "params" does not have any
+ *  RevocationCheckers, this function stores an empty List at "pRevCheckers".
+ *  See the description of RevocationCheckers in pkix_revchecker.h for more
+ *  details.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of RevocationCheckers
+ *      is to be stored. Must be non-NULL.
+ *  "pRevCheckers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetRevocationCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pRevCheckers, /* list of PKIX_RevocationChecker */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetRevocationCheckers
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a List of
+ *  RevocationCheckers pointed to by "revCheckers". Each RevocationChecker
+ *  represents a custom revocation check used by PKIX_ValidateChain or
+ *  PKIX_BuildChain as needed during the validation or building process.
+ *  If "revCheckers" is NULL, no custom RevocationCheckers will be used.
+ *  Note that standard CRL revocation checking is not affected by this
+ *  parameter. See the description of RevocationCheckers in pkix_revchecker.h
+ *  for more details.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of RevocationCheckers is to be
+ *      set. Must be non-NULL.
+ *  "revCheckers"
+ *      Address of List of RevocationCheckers to be set. If NULL, no custom
+ *      RevocationCheckers will be used.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetRevocationCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List *revCheckers,  /* list of PKIX_RevocationChecker */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddRevocationChecker
+ * DESCRIPTION:
+ *
+ *  Adds the RevocationChecker pointed to by "checker" to the ProcessingParams
+ *  pointed to by "params". The RevocationChecker represents a custom
+ *  revocation check used by PKIX_ValidateChain or PKIX_BuildChain as needed
+ *  during the validation or building process. See the description of
+ *  RevocationCheckers in pkix_revchecker.h for more details.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be added to. Must be non-NULL.
+ *  "checker"
+ *      Address of RevocationChecker to be added. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddRevocationChecker(
+        PKIX_ProcessingParams *params,
+        PKIX_RevocationChecker *checker,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetCertStores
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of CertStores (if any) that are set in the
+ *  ProcessingParams pointed to by "params" and stores it at "pStores". Each
+ *  CertStore represents a particular repository from which certificates and
+ *  CRLs can be retrieved by PKIX_ValidateChain or PKIX_BuildChain as needed
+ *  during the validation or building process. If "params" does not have any
+ *  CertStores, this function stores an empty List at "pStores".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of CertStores (if any) are to
+ *      be stored. Must be non-NULL.
+ *  "pStores"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetCertStores(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pStores,  /* list of PKIX_CertStore */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetCertStores
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a List of CertStores
+ *  pointed to by "stores". Each CertStore represents a particular repository
+ *  from which certificates and CRLs can be retrieved by PKIX_ValidateChain or
+ *  PKIX_BuildChain as needed during the validation or building process. If
+ *  "stores" is NULL, no CertStores will be used.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of CertStores is to be set.
+ *      Must be non-NULL.
+ *  "stores"
+ *      Address of List of CertStores to be set. If NULL, no CertStores will
+ *      be used.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetCertStores(
+        PKIX_ProcessingParams *params,
+        PKIX_List *stores,  /* list of PKIX_CertStore */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddCertStore
+ * DESCRIPTION:
+ *
+ *  Adds the CertStore pointed to by "store" to the ProcessingParams pointed
+ *  to by "params". The CertStore represents a particular repository from
+ *  which certificates and CRLs can be retrieved by PKIX_ValidateChain or
+ *  PKIX_BuildChain as needed during the validation or building process.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be added to. Must be non-NULL.
+ *  "store"
+ *      Address of CertStore to be added.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddCertStore(
+        PKIX_ProcessingParams *params,
+        PKIX_CertStore *store,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetDate
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Date (if any) that is set in the
+ *  ProcessingParams pointed to by "params" and stores it at "pDate". The
+ *  Date represents the time for which the validation of the certificate chain
+ *  should be determined. If "params" does not have any Date set, this function
+ *  stores NULL at "pDate".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose Date (if any) is to be stored.
+ *      Must be non-NULL.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetDate(
+        PKIX_ProcessingParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetDate
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a Date pointed to by
+ *  "date". The Date represents the time for which the validation of the
+ *  certificate chain should be determined. If "date" is NULL, the current
+ *  time is used during validation.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose Date is to be set. Must be non-NULL.
+ *  "date"
+ *      Address of Date to be set. If NULL, current time is used.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetDate(
+        PKIX_ProcessingParams *params,
+        PKIX_PL_Date *date,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetInitialPolicies
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (if any) that are set in the
+ *  ProcessingParams pointed to by "params" and stores it at "pInitPolicies".
+ *  Each OID represents an initial policy identifier, indicating that any
+ *  one of these policies would be acceptable to the certificate user for
+ *  the purposes of certification path processing. If "params" does not have
+ *  any initial policies, this function stores an empty List at
+ *  "pInitPolicies".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of OIDs (if any) are to be
+ *      stored. Must be non-NULL.
+ *  "pInitPolicies"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetInitialPolicies(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pInitPolicies,    /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetInitialPolicies
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a List of OIDs
+ *  pointed to by "initPolicies".
+ *
+ *  Each OID represents an initial policy identifier, indicating that any
+ *  one of these policies would be acceptable to the certificate user for
+ *  the purposes of certification path processing. By default, any policy
+ *  is acceptable (i.e. all policies), so a user that wants to allow any
+ *  policy as acceptable does not need to call this method. Similarly, if
+ *  initPolicies is NULL or points to an empty List, all policies are
+ *  acceptable.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of OIDs is to be set.
+ *      Must be non-NULL.
+ *  "initPolicies"
+ *      Address of List of OIDs to be set. If NULL or if pointing to an empty
+ *      List, all policies are acceptable.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetInitialPolicies(
+        PKIX_ProcessingParams *params,
+        PKIX_List *initPolicies,    /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetPolicyQualifiersRejected
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  policy qualifiers should be rejected and stores the Boolean result at
+ *  "pRejected".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not policy
+ *      qualifiers should be rejected. Must be non-NULL.
+ *  "pRejected"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetPolicyQualifiersRejected(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pRejected,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetPolicyQualifiersRejected
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether policy
+ *  qualifiers are rejected using the Boolean value of "rejected".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "rejected"
+ *      Boolean value indicating whether policy qualifiers are to be rejected.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetPolicyQualifiersRejected(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean rejected,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetTargetCertConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the CertSelector (if any) that is set in the
+ *  ProcessingParams pointed to by "params" and stores it at "pConstraints".
+ *  The CertSelector represents the constraints to be placed on the target
+ *  certificate. If "params" does not have any CertSelector set, this function
+ *  stores NULL at "pConstraints".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose CertSelector (if any) is to be
+ *      stored. Must be non-NULL.
+ *  "pConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetTargetCertConstraints(
+        PKIX_ProcessingParams *params,
+        PKIX_CertSelector **pConstraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetTargetCertConstraints
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a CertSelector
+ *  pointed to by "constraints". The CertSelector represents the constraints
+ *  to be placed on the target certificate. If "constraints" is NULL, no
+ *  constraints are defined.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose CertSelector is to be set.
+ *      Must be non-NULL.
+ *  "constraints"
+ *      Address of CertSelector to be set. If NULL, no constraints are defined.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetTargetCertConstraints(
+        PKIX_ProcessingParams *params,
+        PKIX_CertSelector *constraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetTrustAnchors
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of TrustAnchors that are set in
+ *  the ProcessingParams pointed to by "params" and stores it at "pAnchors".
+ *  If the function succeeds, the pointer to the List is guaranteed to be
+ *  non-NULL and the List is guaranteed to be non-empty.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of TrustAnchors are to
+ *      be stored. Must be non-NULL.
+ *  "pAnchors"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pAnchors,  /* list of TrustAnchor */
+        void *plContext);
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
+ * DESCRIPTION:
+ *
+ * Sets user defined set of trust anchors. A certificate will be considered
+ * invalid if it does not chain to a trusted anchor from this list.
+ * 
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of TrustAnchors are to
+ *      be stored. Must be non-NULL.
+ *  "anchors"
+ *      Address of the trust anchors list object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_List *pAnchors,  /* list of TrustAnchor */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Boolean. The boolean value represents
+ *  the switch value that is used to identify if url in cert AIA extension
+ *  may be used for cert fetching.
+ *  If the function succeeds, the pointer to the Boolean is guaranteed to be
+ *  non-NULL.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams. Must be non-NULL.
+ *  "pUseAIA"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetUseAIAForCertFetching(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pUseAIA,  /* list of TrustAnchor */
+        void *plContext);
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
+ * DESCRIPTION:
+ *
+ * Sets switch value that defines if url in cert AIA extension
+ * may be used for cert fetching.
+ * 
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams.
+ *  "useAIA"
+ *      Address of the trust anchors list object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetUseAIAForCertFetching(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean useAIA,  
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetHintCerts
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of Certs supplied by the user as a suggested
+ *  partial CertChain (subject to verification), that are set in the
+ *  ProcessingParams pointed to by "params", and stores it at "pHintCerts".
+ *  The List returned may be empty or NULL.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of TrustAnchors are to
+ *      be stored. Must be non-NULL.
+ *  "pHintCerts"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetHintCerts(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pHintCerts,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetHintCerts
+ * DESCRIPTION:
+ *
+ *  Stores a pointer to a List of Certs supplied by the user as a suggested
+ *  partial CertChain (subject to verification), as an element in the
+ *  ProcessingParams pointed to by "params". The List may be empty or NULL.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose List of HintCerts is to be stored.
+ *      Must be non-NULL.
+ *  "hintCerts"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetHintCerts(
+        PKIX_ProcessingParams *params,
+        PKIX_List *hintCerts,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetResourceLimits
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ResourceLimits (if any) that is set in the
+ *  ProcessingParams pointed to by "params" and stores it at "pResourceLimits".
+ *  The ResourceLimits represent the maximum resource usage that the caller 
+ *  desires (such as MaxTime). The ValidateChain or BuildChain call will not
+ *  exceed these maximum limits. If "params" does not have any ResourceLimits
+ *  set, this function stores NULL at "pResourceLimits".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose ResourceLimits (if any) are to be
+ *      stored. Must be non-NULL.
+ *  "pResourceLimits"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetResourceLimits(
+        PKIX_ProcessingParams *params,
+        PKIX_ResourceLimits **pResourceLimits,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetResourceLimits
+ * DESCRIPTION:
+ *
+ *  Sets the ProcessingParams pointed to by "params" with a ResourceLimits
+ *  object pointed to by "resourceLimits". The ResourceLimits represent the
+ *  maximum resource usage that the caller desires (such as MaxTime). The
+ *  ValidateChain or BuildChain call will not exceed these maximum limits.
+ *  If "resourceLimits" is NULL, no ResourceLimits are defined.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose ResourceLimits are to be set.
+ *      Must be non-NULL.
+ *  "resourceLimits"
+ *      Address of ResourceLimits to be set. If NULL, no limits are defined.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetResourceLimits(
+        PKIX_ProcessingParams *params,
+        PKIX_ResourceLimits *resourceLimits,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsAnyPolicyInhibited
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  anyPolicy is inhibited and stores the Boolean result at "pInhibited".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not anyPolicy
+ *      inhibited. Must be non-NULL.
+ *  "pInhibited"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsAnyPolicyInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pInhibited,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetAnyPolicyInhibited
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether anyPolicy
+ *  is inhibited using the Boolean value of "inhibited".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "inhibited"
+ *      Boolean value indicating whether anyPolicy is to be inhibited.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetAnyPolicyInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean inhibited,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsExplicitPolicyRequired
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  explicit policies are required and stores the Boolean result at
+ *  "pRequired".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not explicit
+ *      policies are required. Must be non-NULL.
+ *  "pRequired"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsExplicitPolicyRequired(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pRequired,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetExplicitPolicyRequired
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether explicit
+ *  policies are required using the Boolean value of "required".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "required"
+ *      Boolean value indicating whether explicit policies are to be required.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetExplicitPolicyRequired(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean required,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsPolicyMappingInhibited
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  policyMapping is inhibited and stores the Boolean result at "pInhibited".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not policy
+ *      mappings are inhibited. Must be non-NULL.
+ *  "pInhibited"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsPolicyMappingInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pInhibited,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetPolicyMappingInhibited
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether policy
+ *  mapping is inhibited using the Boolean value of "inhibited".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "inhibited"
+ *      Boolean value indicating whether policy mapping is to be inhibited.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetPolicyMappingInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean inhibited,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  CRL revocation checking is enabled and stores the Boolean result at
+ *  "pEnabled".
+ *
+ *  Note that this only applies to the default CRL revocation checking
+ *  provided by libpkix. Disabling CRL revocation checking will not apply to
+ *  any RevocationCheckers that have been added to the ProcessingParams by the
+ *  caller. By default, CRL revocation checking is enabled. See the
+ *  description of RevocationCheckers in pkix_revchecker.h for more details.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not CRL
+ *      revocation checking is enabled. Must be non-NULL.
+ *  "pEnabled"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetCRLRevocationCheckingEnabled
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether CRL
+ *  revocation checking is enabled using the Boolean value of "enabled".
+ *
+ *  Note that this only applies to the default CRL revocation checking
+ *  provided by libpkix. Disabling CRL revocation revocation will not apply to
+ *  any RevocationCheckers that have been added to the ProcessingParams by the
+ *  caller. By default, CRL revocation checking is enabled. See the
+ *  description of RevocationCheckers in pkix_revchecker.h for more details.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "enabled"
+ *      Boolean value indicating whether CRL revocation checking is to
+ *      be enabled.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetRevocationEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Checks whether the ProcessingParams pointed to by "params" indicate that
+ *  CRL revocation checking is enabled and revocation is done according to NIST
+ *  CRL policy which states that a valid CRL with nextUpdate field must be
+ *  available for certificate revocation checking.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams used to determine whether or not NIST CRL
+ *      revocation policy is enabled. Must be non-NULL.
+ *  "pEnabled"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+ * DESCRIPTION:
+ *
+ *  Specifies in the ProcessingParams pointed to by "params" whether NIST CRL
+ *  revocation checking is enabled using the Boolean value of "enabled".
+ *  (See PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled function
+ *  description)
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams to be set. Must be non-NULL.
+ *  "enabled"
+ *      Boolean value indicating whether nist CRL revocation checking is to
+ *      be enabled.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext);
+
+
+/* PKIX_ValidateParams
+ *
+ * PKIX_ValidateParams consists of a ProcessingParams object as well as the
+ * List of Certs (certChain) that the caller is trying to validate.
+ */
+
+/*
+ * FUNCTION: PKIX_ValidateParams_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ValidateParams object and stores it at "pParams".
+ *
+ * PARAMETERS:
+ *  "procParams"
+ *      Address of ProcessingParams to be used. Must be non-NULL.
+ *  "chain"
+ *      Address of List of Certs (certChain) to be validated. Must be non-NULL.
+ *  "pParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateParams_Create(
+        PKIX_ProcessingParams *procParams,
+        PKIX_List *chain,
+        PKIX_ValidateParams **pParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateParams_GetProcessingParams
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the ProcessingParams that represent the basic
+ *  certificate processing parameters used during chain validation and chain
+ *  building from the ValidateParams pointed to by "valParams" and stores it
+ *  at "pProcParams". If the function succeeds, the pointer to the
+ *  ProcessingParams is guaranteed to be non-NULL.
+ *
+ * PARAMETERS:
+ *  "valParams"
+ *      Address of ValidateParams whose ProcessingParams are to be stored.
+ *      Must be non-NULL.
+ *  "pProcParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateParams_GetProcessingParams(
+        PKIX_ValidateParams *valParams,
+        PKIX_ProcessingParams **pProcParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateParams_GetCertChain
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of Certs (certChain) that is set in the
+ *  ValidateParams pointed to by "valParams" and stores it at "pChain". If the
+ *  function succeeds, the pointer to the CertChain is guaranteed to be
+ *  non-NULL.
+ *
+ * PARAMETERS:
+ *  "valParams"
+ *      Address of ValidateParams whose CertChain is to be stored.
+ *      Must be non-NULL.
+ *  "pChain"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateParams_GetCertChain(
+        PKIX_ValidateParams *valParams,
+        PKIX_List **pChain,
+        void *plContext);
+
+/* PKIX_TrustAnchor
+ *
+ * A PKIX_TrustAnchor represents a trusted entity and can be specified using a
+ * self-signed certificate or using the trusted CA's name and public key. In
+ * order to limit the trust in the trusted entity, name constraints can also
+ * be imposed on the trust anchor.
+ */
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_CreateWithCert
+ * DESCRIPTION:
+ *
+ *  Creates a new TrustAnchor object using the Cert pointed to by "cert" as
+ *  the trusted certificate and stores it at "pAnchor". Once created, a
+ *  TrustAnchor is immutable.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert to use as trusted certificate. Must be non-NULL.
+ *  "pAnchor"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_CreateWithCert(
+        PKIX_PL_Cert *cert,
+        PKIX_TrustAnchor **pAnchor,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair
+ * DESCRIPTION:
+ *
+ *  Creates a new TrustAnchor object using the X500Name pointed to by "name",
+ *  and the PublicKey pointed to by "pubKey" and stores it at "pAnchor". The
+ *  CertNameConstraints pointed to by "nameConstraints" (if any) are used to
+ *  limit the trust placed in this trust anchor. To indicate that name
+ *  constraints don't apply, set "nameConstraints" to NULL. Once created, a
+ *  TrustAnchor is immutable.
+ *
+ * PARAMETERS:
+ *  "name"
+ *      Address of X500Name to use as name of trusted CA. Must be non-NULL.
+ *  "pubKey"
+ *      Address of PublicKey to use as trusted public key. Must be non-NULL.
+ *  "nameConstraints"
+ *      Address of CertNameConstraints to use as initial name constraints.
+ *      If NULL, no name constraints are applied.
+ *  "pAnchor"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_CreateWithNameKeyPair(
+        PKIX_PL_X500Name *name,
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_TrustAnchor **pAnchor,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetTrustedCert
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Cert that is set in the TrustAnchor pointed to
+ *  by "anchor" and stores it at "pCert". If "anchor" does not have a Cert
+ *  set, this function stores NULL at "pCert".
+ *
+ * PARAMETERS:
+ *  "anchor"
+ *      Address of TrustAnchor whose Cert is to be stored. Must be non-NULL.
+ *  "pChain"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetTrustedCert(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetCAName
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the CA's X500Name (if any) that is set in the
+ *  TrustAnchor pointed to by "anchor" and stores it at "pCAName". If "anchor"
+ *  does not have an X500Name set, this function stores NULL at "pCAName".
+ *
+ * PARAMETERS:
+ *  "anchor"
+ *      Address of TrustAnchor whose CA Name is to be stored. Must be non-NULL.
+ *  "pCAName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetCAName(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_X500Name **pCAName,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetCAPublicKey
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the CA's PublicKey (if any) that is set in the
+ *  TrustAnchor pointed to by "anchor" and stores it at "pPubKey". If "anchor"
+ *  does not have a PublicKey set, this function stores NULL at "pPubKey".
+ *
+ * PARAMETERS:
+ *  "anchor"
+ *      Address of TrustAnchor whose CA PublicKey is to be stored.
+ *      Must be non-NULL.
+ *  "pPubKey"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetCAPublicKey(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_PublicKey **pPubKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetNameConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the CertNameConstraints (if any) set in the
+ *  TrustAnchor pointed to by "anchor" and stores it at "pConstraints". If
+ *  "anchor" does not have any CertNameConstraints set, this function stores
+ *  NULL at "pConstraints".
+ *
+ * PARAMETERS:
+ *  "anchor"
+ *      Address of TrustAnchor whose CertNameConstraints are to be stored.
+ *      Must be non-NULL.
+ *  "pConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Params Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetNameConstraints(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext);
+
+/* PKIX_ResourceLimits
+ *
+ *  A PKIX_ResourceLimits object represents the maximum resource usage that
+ *  the caller desires. The ValidateChain or BuildChain call
+ *  will not exceed these maximum limits. For example, the caller may want
+ *  a timeout value of 1 minute, meaning that if the ValidateChain or
+ *  BuildChain function is unable to finish in 1 minute, it should abort
+ *  with an Error.
+ */
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ResourceLimits object and stores it at "pResourceLimits".
+ *
+ * PARAMETERS:
+ *  "pResourceLimits"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_Create(
+        PKIX_ResourceLimits **pResourceLimits,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxTime
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the maximum time that is
+ *  set in the ResourceLimits object pointed to by "resourceLimits" and stores
+ *  it at "pMaxTime". This maximum time (in seconds) should not be exceeded
+ *  by the function whose ProcessingParams contain this ResourceLimits object
+ *  (typically ValidateChain or BuildChain). It essentially functions as a
+ *  time-out value and is only appropriate if blocking I/O is being used.
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum time (in seconds) is
+ *      to be stored. Must be non-NULL.
+ *  "pMaxTime"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxTime(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 *pMaxTime,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxTime
+ * DESCRIPTION:
+ *
+ *  Sets the maximum time of the ResourceLimits object pointed to by
+ *  "resourceLimits" using the PKIX_UInt32 value of "maxTime". This
+ *  maximum time (in seconds) should not be exceeded by the function
+ *  whose ProcessingParams contain this ResourceLimits object
+ *  (typically ValidateChain or BuildChain). It essentially functions as a
+ *  time-out value and is only appropriate if blocking I/O is being used.
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum time (in seconds) is
+ *      to be set. Must be non-NULL.
+ *  "maxTime"
+ *      Value of PKIX_UInt32 representing the maximum time (in seconds)
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxTime(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 maxTime,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxFanout
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the maximum fanout that is
+ *  set in the ResourceLimits object pointed to by "resourceLimits" and stores
+ *  it at "pMaxFanout". This maximum fanout (number of certs) should not be
+ *  exceeded by the function whose ProcessingParams contain this ResourceLimits
+ *  object (typically ValidateChain or BuildChain). If the builder encounters
+ *  more than this maximum number of certificates when searching for the next
+ *  candidate certificate, it should abort and return an error. This
+ *  parameter is only relevant for ValidateChain if it needs to internally call
+ *  BuildChain (e.g. in order to build the chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum fanout (number of certs)
+ *      is to be stored. Must be non-NULL.
+ *  "pMaxFanout"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxFanout(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 *pMaxFanout,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxFanout
+ * DESCRIPTION:
+ *
+ *  Sets the maximum fanout of the ResourceLimits object pointed to by
+ *  "resourceLimits" using the PKIX_UInt32 value of "maxFanout". This maximum
+ *  fanout (number of certs) should not be exceeded by the function whose
+ *  ProcessingParams contain this ResourceLimits object (typically ValidateChain
+ *  or BuildChain). If the builder encounters more than this maximum number of
+ *  certificates when searching for the next candidate certificate, it should
+ *  abort and return an Error. This parameter is only relevant for ValidateChain
+ *  if it needs to internally call BuildChain (e.g. in order to build the
+ *  chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum fanout (number of certs)
+ *      is to be set. Must be non-NULL.
+ *  "maxFanout"
+ *      Value of PKIX_UInt32 representing the maximum fanout (number of certs)
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxFanout(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 maxFanout,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxDepth
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the maximum depth that is
+ *  set in the ResourceLimits object pointed to by "resourceLimits" and stores
+ *  it at "pMaxDepth". This maximum depth (number of certs) should not be
+ *  exceeded by the function whose ProcessingParams contain this ResourceLimits
+ *  object (typically ValidateChain or BuildChain). If the builder encounters
+ *  more than this maximum number of certificates when searching for the next
+ *  candidate certificate, it should abort and return an error. This
+ *  parameter is only relevant for ValidateChain if it needs to internally call
+ *  BuildChain (e.g. in order to build the chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum depth (number of certs)
+ *      is to be stored. Must be non-NULL.
+ *  "pMaxDepth"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxDepth(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 *pMaxDepth,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxDepth
+ * DESCRIPTION:
+ *
+ *  Sets the maximum depth of the ResourceLimits object pointed to by
+ *  "resourceLimits" using the PKIX_UInt32 value of "maxDepth". This maximum
+ *  depth (number of certs) should not be exceeded by the function whose
+ *  ProcessingParams contain this ResourceLimits object (typically ValidateChain
+ *  or BuildChain). If the builder encounters more than this maximum number of
+ *  certificates when searching for the next candidate certificate, it should
+ *  abort and return an Error. This parameter is only relevant for ValidateChain
+ *  if it needs to internally call BuildChain (e.g. in order to build the
+ *  chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum depth (number of certs)
+ *      is to be set. Must be non-NULL.
+ *  "maxDepth"
+ *      Value of PKIX_UInt32 representing the maximum depth (number of certs)
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxDepth(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 maxDepth,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCerts
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed
+ *  certs that is set in the ResourceLimits object pointed to by "resourceLimits"
+ *  and stores it at "pMaxNumber". This maximum number of traversed certs should
+ *  not be exceeded by the function whose ProcessingParams contain this ResourceLimits
+ *  object (typically ValidateChain or BuildChain). If the builder traverses more
+ *  than this number of certs during the build process, it should abort and
+ *  return an Error. This parameter is only relevant for ValidateChain if it
+ *  needs to internally call BuildChain (e.g. in order to build the chain to a
+ *  CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum number of traversed certs
+ *      is to be stored. Must be non-NULL.
+ *  "pMaxNumber"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxNumberOfCerts(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 *pMaxNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCerts
+ * DESCRIPTION:
+ *
+ *  Sets the maximum number of traversed certs of the ResourceLimits object
+ *  pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber".
+ *  This maximum number of traversed certs should not be exceeded by the function 
+ *  whose ProcessingParams contain this ResourceLimits object (typically ValidateChain
+ *  or BuildChain). If the builder traverses more than this number of certs
+ *  during the build process, it should abort and return an Error. This parameter
+ *  is only relevant for ValidateChain if it needs to internally call BuildChain
+ *  (e.g. in order to build the chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum number of traversed certs
+ *      is to be set. Must be non-NULL.
+ *  "maxNumber"
+ *      Value of PKIX_UInt32 representing the maximum number of traversed certs
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxNumberOfCerts(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 maxNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCRLs
+ * DESCRIPTION:
+ *
+ *  Retrieves a PKIX_UInt32 (if any) representing the maximum number of traversed
+ *  CRLs that is set in the ResourceLimits object pointed to by "resourceLimits"
+ *  and stores it at "pMaxNumber". This maximum number of traversed CRLs should
+ *  not be exceeded by the function whose ProcessingParams contain this ResourceLimits
+ *  object (typically ValidateChain or BuildChain). If the builder traverses more
+ *  than this number of CRLs during the build process, it should abort and
+ *  return an Error. This parameter is only relevant for ValidateChain if it
+ *  needs to internally call BuildChain (e.g. in order to build the chain to a
+ *  CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum number of traversed CRLs
+ *      is to be stored. Must be non-NULL.
+ *  "pMaxNumber"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxNumberOfCRLs(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 *pMaxNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCRLs
+ * DESCRIPTION:
+ *
+ *  Sets the maximum number of traversed CRLs of the ResourceLimits object
+ *  pointed to by "resourceLimits" using the PKIX_UInt32 value of "maxNumber".
+ *  This maximum number of traversed CRLs should not be exceeded by the function 
+ *  whose ProcessingParams contain this ResourceLimits object (typically ValidateChain
+ *  or BuildChain). If the builder traverses more than this number of CRLs
+ *  during the build process, it should abort and return an Error. This parameter
+ *  is only relevant for ValidateChain if it needs to internally call BuildChain
+ *  (e.g. in order to build the chain to a CRL's issuer).
+ *
+ * PARAMETERS:
+ *  "resourceLimits"
+ *      Address of ResourceLimits object whose maximum number of traversed CRLs
+ *      is to be set. Must be non-NULL.
+ *  "maxNumber"
+ *      Value of PKIX_UInt32 representing the maximum number of traversed CRLs
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "params"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ResourceLimits Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxNumberOfCRLs(
+        PKIX_ResourceLimits *resourceLimits,
+        PKIX_UInt32 maxNumber,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PARAMS_H */
diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h
new file mode 100755
index 000000000..5fbe92b5a
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -0,0 +1,2626 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines several platform independent functions to
+ * manipulate certificates and CRLs in a portable manner.
+ *
+ */
+
+#ifndef _PKIX_PL_PKI_H
+#define _PKIX_PL_PKI_H
+
+#include "pkixt.h"
+#include "seccomon.h"
+#include "certt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/*
+ * Cert
+ *
+ * A Cert represents an X.509 certificate. It can be created using the bytes
+ * of a valid ASN.1 DER encoding. Once created, a Cert is immutable. The
+ * following functions include accessors (gettors) for the various components
+ * of an X.509 certificate. Also included are functions to perform various
+ * checks on a certificate, including name constraints, key usage, validity
+ * (expiration), and signature verification.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_Cert_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new certificate using the bytes in the ByteArray pointed to by
+ *  "byteArray" and stores it at "pCert". If the bytes are not a valid ASN.1
+ *  DER encoding of a certificate, a PKIX_Error pointer is returned. Once
+ *  created, a Cert is immutable.
+ *
+ *  Certificate  ::=  SEQUENCE  {
+ *      tbsCertificate          TBSCertificate,
+ *      signatureAlgorithm      AlgorithmIdentifier,
+ *      signatureValue          BIT STRING  }
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ *  TBSCertificate  ::=  SEQUENCE  {
+ *      version         [0]  EXPLICIT Version DEFAULT v1,
+ *      serialNumber    CertificateSerialNumber,
+ *      signature       AlgorithmIdentifier,
+ *      issuer          Name,
+ *      validity        Validity,
+ *      subject         Name,
+ *      subjectPublicKeyInfo SubjectPublicKeyInfo,
+ *      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                          -- If present, version MUST be v2 or v3
+ *      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                              -- If present, version MUST be v2 or v3
+ *      extensions      [3]  EXPLICIT Extensions OPTIONAL
+ *                              -- If present, version MUST be v3
+ *      }
+ *
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ *
+ *  CertificateSerialNumber  ::=  INTEGER
+ *
+ *  Validity ::= SEQUENCE {
+ *      notBefore       Time,
+ *      notAfter        Time }
+ *
+ *  Time ::= CHOICE {
+ *      utcTime         UTCTime,
+ *      generalTime     GeneralizedTime }
+ *
+ *  UniqueIdentifier  ::=  BIT STRING
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *      algorithm               AlgorithmIdentifier,
+ *      subjectPublicKey        BIT STRING  }
+ *
+ *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ *  Extension  ::=  SEQUENCE  {
+ *      extnID          OBJECT IDENTIFIER,
+ *      critical        BOOLEAN DEFAULT FALSE,
+ *      extnValue       OCTET STRING  }
+ *
+ * PARAMETERS:
+ *  "byteArray"
+ *      Address of ByteArray representing the CERT's DER encoding.
+ *      Must be non-NULL.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_Create(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate
+ * DESCRIPTION:
+ *
+ * Creates a new certificate using passed in CERTCertificate object.
+ *
+ * PARAMETERS:
+ *  "nssCert"
+ *      The object that will be used to create new PKIX_PL_Cert.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_CreateFromCERTCertificate(
+        const CERTCertificate *nssCert,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCERTCertificate
+ * DESCRIPTION:
+ *
+ * Returns underlying CERTCertificate structure. Return CERTCertificate
+ * object is duplicated and should be destroyed by caller.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of PKIX_PL_Cert. Must be non-NULL.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCERTCertificate(
+        PKIX_PL_Cert *cert,
+        CERTCertificate **pnssCert, 
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetVersion
+ * DESCRIPTION:
+ *
+ *  Retrieves the version of the Cert pointed to by "cert" and stores it at
+ *  "pVersion". The version number will either be 0, 1, or 2 (corresponding to
+ *  v1, v2, or v3, respectively).
+ *
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose version is to be stored. Must be non-NULL.
+ *  "pVersion"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetVersion(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 *pVersion,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSerialNumber
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the BigInt that represents the serial number of the
+ *  Cert pointed to by "cert" and stores it at "pSerialNumber".
+ *
+ *  CertificateSerialNumber  ::=  INTEGER
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose serial number is to be stored. Must be non-NULL.
+ *  "pSerial"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSerialNumber(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_BigInt **pSerial,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetIssuer
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name that represents the issuer DN of the
+ *  Cert pointed to by "cert" and stores it at "pIssuer".
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose issuer is to be stored. Must be non-NULL.
+ *  "pIssuer"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetIssuer(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name **pIssuer,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubject
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name that represents the subject DN of the
+ *  Cert pointed to by "cert" and stores it at "pSubject". If the Cert does not
+ *  have a subject DN, this function stores NULL at "pSubject".
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject is to be stored. Must be non-NULL.
+ *  "pSubject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubject(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name **pSubject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the OID that represents the subject public key
+ *  algorithm of the Cert pointed to by "cert" and stores it at
+ *  "pSubjKeyAlgId".
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *      algorithm               AlgorithmIdentifier,
+ *      subjectPublicKey        BIT STRING  }
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject public key algorithm OID is to be stored.
+ *      Must be non-NULL.
+ *  "pSubjKeyAlgId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_OID **pSubjKeyAlgId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the PublicKey that represents the subject public key
+ *  of the Cert pointed to by "cert" and stores it at "pPublicKey".
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *      algorithm               AlgorithmIdentifier,
+ *      subjectPublicKey        BIT STRING  }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject public key is to be stored.
+ *      Must be non-NULL.
+ *  "pPublicKey"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectPublicKey(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey **pPublicKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters
+ * DESCRIPTION:
+ *
+ * Determines if the PublicKey pointed to by "pubKey" is a DSA Key with null
+ * parameters and stores the result at "pNeedsParams". 
+ *
+ * PARAMETERS:
+ *  "pubKey"
+ *      Address of the Public Key of interest. Must be non-NULL.
+ *  "pNeedsParams"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PublicKey Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_PublicKey_NeedsDSAParameters(
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_Boolean *pNeedsParams,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+ * DESCRIPTION:
+ *
+ * This function is used for DSA key parameter inheritance, which allows a
+ * first DSA key with omitted parameters (pointed to by "firstKey") to inherit
+ * the PQG parameters of a second DSA key that does have parameters. (pointed
+ * to by "secondKey"). Once created, a PublicKey is immutable.
+ *
+ * Specifically, the algorithm used by the function is:
+ *
+ * If the first PublicKey is not a DSA public key with omitted parameters,
+ *      the function stores NULL at "pResultKey". (No Error is returned)
+ * Else if the second PublicKey is not a DSA public key with non-NULL,
+ *      parameters, the function returns an Error.
+ * Else
+ *      the function creates a third PublicKey with a "Y" value from the
+ *      first PublicKey and the DSA parameters from the second PublicKey,
+ *      and stores it at "pResultKey".
+ *
+ * PARAMETERS:
+ *  "firstKey"
+ *      Address of a Public Key that needs to inherit DSA parameters.
+ *      Must be non-NULL.
+ *  "secondKey"
+ *      Address of a Public Key that has DSA parameters that will be inherited
+ *      by "firstKey". Must be non-NULL.
+ *  "pResultKey"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PublicKey Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(
+        PKIX_PL_PublicKey *firstKey,
+        PKIX_PL_PublicKey *secondKey,
+        PKIX_PL_PublicKey **pResultKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
+ *  critical extension of the Cert pointed to by "cert") and stores it at
+ *  "pExtensions". If "cert" does not have any critical extensions, this
+ *  function stores an empty List at "pExtensions".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose critical extension OIDs are to be stored.
+ *      Must be non-NULL.
+ *  "pExtensions"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCriticalExtensionOIDs(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pExtensions,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a ByteArray representing the authority key
+ *  identifier extension of the Cert pointed to by "cert" and stores it at
+ *  "pAuthKeyId".
+ *
+ *  Note that this function only retrieves the keyIdentifier component
+ *  (OCTET STRING) of the AuthorityKeyIdentifier extension, when present.
+ *
+ *  If "cert" does not have an AuthorityKeyIdentifier extension or if the
+ *  keyIdentifier component of the AuthorityKeyIdentifier extension is not
+ *  present, this function stores NULL at "pAuthKeyId".
+ *
+ *  AuthorityKeyIdentifier ::= SEQUENCE {
+ *      keyIdentifier                   [0] KeyIdentifier           OPTIONAL,
+ *      authorityCertIssuer             [1] GeneralNames            OPTIONAL,
+ *      authorityCertSerialNumber       [2] CertificateSerialNumber OPTIONAL  }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose authority key identifier is to be stored.
+ *      Must be non-NULL.
+ *  "pAuthKeyId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAuthorityKeyIdentifier(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_ByteArray **pAuthKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a ByteArray representing the subject key identifier
+ *  extension of the Cert pointed to by "cert" and stores it at "pSubjKeyId".
+ *  If "cert" does not have a SubjectKeyIdentifier extension, this function
+ *  stores NULL at "pSubjKeyId".
+ *
+ *  SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject key identifier is to be stored.
+ *      Must be non-NULL.
+ *  "pSubjKeyId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectKeyIdentifier(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_ByteArray **pSubjKeyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of GeneralNames (each GeneralName
+ *  representing a subject alternative name found in the subject alternative
+ *  names extension of the Cert pointed to by "cert") and stores it at
+ *  "pSubjectAltNames". If "cert" does not have a SubjectAlternativeNames
+ *  extension, this function stores NULL at "pSubjectAltNames".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ *  SubjectAltName ::= GeneralNames
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ *  GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ *  OtherName ::= SEQUENCE {
+ *      type-id                         OBJECT IDENTIFIER,
+ *      value                           [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ *  EDIPartyName ::= SEQUENCE {
+ *      nameAssigner                    [0]     DirectoryString OPTIONAL,
+ *      partyName                       [1]     DirectoryString }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subjectAltNames are to be stored.
+ *      Must be non-NULL.
+ *  "pSubjectAltNames"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectAltNames(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pSubjectAltNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of GeneralNames (each GeneralName
+ *  representing a subject DN or a subject alternative name found in the
+ *  subject alternative names extension of the Cert pointed to by "cert") and
+ *  stores it at "pAllSubjectNames".If the Subject DN of "cert" is empty and
+ *  it does not have a SubjectAlternativeNames extension, this function stores
+ *  NULL at "pAllSubjectNames".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject DN and subjectAltNames are to be stored.
+ *      Must be non-NULL.
+ *  "pAllSubjectNames"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAllSubjectNames(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pAllSubjectNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of OIDs (each OID corresponding to an
+ *  extended key usage of the Cert pointed to by "cert") and stores it at
+ *  "pKeyUsage". If "cert" does not have an extended key usage extension, this
+ *  function stores a NULL at "pKeyUsage".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ *  KeyPurposeId ::= OBJECT IDENTIFIER
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose extended key usage OIDs are to be stored.
+ *      Must be non-NULL.
+ *  "pKeyUsage"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetExtendedKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pKeyUsage,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetNameConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a CertNameConstraints object representing the name
+ *  constraints extension of the Cert pointed to by "cert" and stores it at
+ *  "pNameConstraints".
+ *
+ *  If "cert" does not have a name constraints extension, this function stores
+ *  NULL at "pNameConstraints".
+ *
+ *  NameConstraints ::= SEQUENCE {
+ *      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+ *      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+ *
+ *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ *  GeneralSubtree ::= SEQUENCE {
+ *      base                    GeneralName,
+ *      minimum         [0]     BaseDistance DEFAULT 0,
+ *      maximum         [1]     BaseDistance OPTIONAL }
+ *
+ *  BaseDistance ::= INTEGER (0..MAX)
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose name constraints extension is to be stored.
+ *      Must be non-NULL.
+ *  "pNameConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetNameConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetBasicConstraints
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a CertBasicConstraints object representing the basic
+ *  constraints extension of the Cert pointed to by "cert" and stores it at
+ *  "pBasicConstraints".
+ *
+ *  If "cert" does not have a basic constraints extension, this function stores
+ *  NULL at "pBasicConstraints". Once created, a CertBasicConstraints object
+ *  is immutable.
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *      cA                      BOOLEAN DEFAULT FALSE,
+ *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose basic constraints extension is to be stored.
+ *      Must be non-NULL.
+ *  "pBasicConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetBasicConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertBasicConstraints **pBasicConstraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a Boolean value representing the cA Flag component
+ *  of the CertBasicConstraints object pointed to by "basicConstraints" and
+ *  stores it at "pResult".
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *      cA                      BOOLEAN DEFAULT FALSE,
+ *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ * PARAMETERS:
+ *  "basicConstraints"
+ *      Address of CertBasicConstraints whose cA Flag is to be stored.
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_BasicConstraints_GetCAFlag(
+        PKIX_PL_CertBasicConstraints *basicConstraints,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to an integer value representing the pathLenConstraint
+ *  component of the CertBasicConstraints object pointed to by
+ *  "basicConstraints" and stores it at "pPathLenConstraint". If the
+ *  pathLenConstraint component is not present, this function stores -1 at
+ *  "pPathLenConstraint".
+ *
+ * PARAMETERS:
+ *  "basicConstraints"
+ *      Address of CertBasicConstraints whose pathLen is to be stored.
+ *      Must be non-NULL.
+ *  "pPathLenConstraint"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_BasicConstraints_GetPathLenConstraint(
+        PKIX_PL_CertBasicConstraints *basicConstraints,
+        PKIX_Int32 *pPathLenConstraint,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyInformation
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of CertPolicyInfos found in the certificate
+ *  policies extension of the Cert pointed to by "cert" and stores it at
+ *  "pPolicyInfo". If "cert" does not have a certificate policies extension,
+ *  this function stores NULL at "pPolicyInfo". Once created, a CertPolicyInfo
+ *  object is immutable.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *      policyIdentifier   CertPolicyId,
+ *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *                              PolicyQualifierInfo OPTIONAL }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose CertPolicyInfos are to be stored.
+ *      Must be non-NULL.
+ *  "pPolicyInfo"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyInformation(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pPolicyInfo, /* list of PKIX_PL_CertPolicyInfo */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to an OID representing the policyIdentifier of the
+ *  CertPolicyInfo pointed to by "policyInfo" and stores it at "pCertPolicyId".
+ *
+ *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *      policyIdentifier   CertPolicyId,
+ *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *                              PolicyQualifierInfo OPTIONAL }
+ *
+ *  CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ * PARAMETERS:
+ *  "policyInfo"
+ *      Address of CertPolicyInfo whose policy identifier is to be stored.
+ *      Must be non-NULL.
+ *  "pCertPolicyId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyInfo_GetPolicyId(
+        PKIX_PL_CertPolicyInfo *policyInfo,
+        PKIX_PL_OID **pCertPolicyId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of the CertPolicyQualifiers representing
+ *  the policyQualifiers of the CertPolicyInfo pointed to by "policyInfo" and
+ *  stores it at "pPolicyQualifiers". If "policyInfo" does not have any
+ *  policyQualifiers, this function stores NULL at "pPolicyQualifiers". Once
+ *  created, a CertPolicyQualifier is immutable.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ *  certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *      policyIdentifier   CertPolicyId,
+ *      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *                              PolicyQualifierInfo OPTIONAL }
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *      policyQualifierId  PolicyQualifierId,
+ *      qualifier       ANY DEFINED BY policyQualifierId }
+ *
+ * PARAMETERS:
+ *  "policyInfo"
+ *      Address of CertPolicyInfo whose policy qualifiers List is to be stored.
+ *      Must be non-NULL.
+ *  "pPolicyQualifiers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyInfo_GetPolQualifiers(
+        PKIX_PL_CertPolicyInfo *policyInfo,
+        PKIX_List **pPolicyQualifiers, /* list of PKIX_PL_CertPolicyQualifier */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to an OID representing the policyQualifierId of the
+ *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at
+ *  "pPolicyQualifierId".
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *      policyQualifierId       PolicyQualifierId,
+ *      qualifier               ANY DEFINED BY policyQualifierId }
+ *
+ *  PolicyQualifierId ::=
+ *      OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ * PARAMETERS:
+ *  "policyQualifier"
+ *      Address of CertPolQualifier whose policyQualifierId is to be stored.
+ *      Must be non-NULL.
+ *  "pPolicyQualifierId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_PolicyQualifier_GetPolicyQualifierId(
+        PKIX_PL_CertPolicyQualifier *policyQualifier,
+        PKIX_PL_OID **pPolicyQualifierId,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a ByteArray representing the qualifier of the
+ *  CertPolicyQualifier pointed to by "policyQualifier" and stores it at
+ *  "pQualifier".
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *      policyQualifierId       PolicyQualifierId,
+ *      qualifier               ANY DEFINED BY policyQualifierId }
+ *
+ * PARAMETERS:
+ *  "policyQualifier"
+ *      Address of CertPolicyQualifier whose qualifier is to be stored.
+ *      Must be non-NULL.
+ *  "pQualifier"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_PolicyQualifier_GetQualifier(
+        PKIX_PL_CertPolicyQualifier *policyQualifier,
+        PKIX_PL_ByteArray **pQualifier,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyMappings
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a List of CertPolicyMaps found in the policy
+ *  mappings extension of the Cert pointed to by "cert" and stores it at
+ *  "pPolicyMappings". If "cert" does not have a policy mappings extension,
+ *  this function stores NULL at "pPolicyMappings". Once created, a
+ *  CertPolicyMap is immutable.
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *      issuerDomainPolicy      CertPolicyId,
+ *      subjectDomainPolicy     CertPolicyId }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose CertPolicyMaps are to be stored.
+ *      Must be non-NULL.
+ *  "pPolicyMappings"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyMappings(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to an OID representing the issuerDomainPolicy of the
+ *  CertPolicyMap pointed to by "policyMapping" and stores it at
+ *  "pIssuerDomainPolicy".
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *      issuerDomainPolicy      CertPolicyId,
+ *      subjectDomainPolicy     CertPolicyId }
+ *
+ * PARAMETERS:
+ *  "policyMapping"
+ *      Address of CertPolicyMap whose issuerDomainPolicy is to be stored.
+ *      Must be non-NULL.
+ *  "pIssuerDomainPolicy"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(
+        PKIX_PL_CertPolicyMap *policyMapping,
+        PKIX_PL_OID **pIssuerDomainPolicy,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to an OID representing the subjectDomainPolicy of the
+ *  CertPolicyMap pointed to by "policyMapping" and stores it at
+ *  "pSubjectDomainPolicy".
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *      issuerDomainPolicy      CertPolicyId,
+ *      subjectDomainPolicy     CertPolicyId }
+ *
+ * PARAMETERS:
+ *  "policyMapping"
+ *      Address of CertPolicyMap whose subjectDomainPolicy is to be stored.
+ *      Must be non-NULL.
+ *  "pSubjectDomainPolicy"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(
+        PKIX_PL_CertPolicyMap *policyMapping,
+        PKIX_PL_OID **pSubjectDomainPolicy,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves the requireExplicitPolicy value of the policy constraints
+ *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".
+ *  If "cert" does not have a policy constraints extension or the
+ *  requireExplicitPolicy component is not populated, this function stores -1
+ *  at "pSkipCerts".
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,
+ *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
+ *
+ *  SkipCerts ::= INTEGER (0..MAX)
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose requireExplicitPolicy value is to be stored.
+ *      Must be non-NULL.
+ *  "pSkipCerts"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetRequireExplicitPolicy(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited
+ * DESCRIPTION:
+ *
+ *  Retrieves the inhibitPolicyMapping value of the policy constraints
+ *  extension of the Cert pointed to by "cert" and stores it at "pSkipCerts".
+ *  If "cert" does not have a policy constraints extension or the
+ *  inhibitPolicyMapping component is not populated, this function stores -1
+ *  at "pSkipCerts".
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *      requireExplicitPolicy   [0] SkipCerts OPTIONAL,
+ *      inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
+ *
+ *  SkipCerts ::= INTEGER (0..MAX)
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose requireExplicitPolicy value is to be stored.
+ *      Must be non-NULL.
+ *  "pSkipCerts"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyMappingInhibited(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves the value of the inhibit any-policy extension of the Cert
+ *  pointed to by "cert" and stores it at "pSkipCerts". If "cert" does not have
+ *  an inhibit any-policy extension, this function stores -1 at "pSkipCerts".
+ *
+ *  InhibitAnyPolicy ::= SkipCerts
+ *
+ *  SkipCerts ::= INTEGER (0..MAX)
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose inhibit any-policy extensions value is to be
+ *      stored. Must be non-NULL.
+ *  "pSkipCerts"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetInhibitAnyPolicy(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext);
+
+/* policy processing functions */
+
+/*
+ * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical
+ * DESCRIPTION:
+ *
+ *  Checks whether the certificate policies extension of the Cert pointed to
+ *  by "cert" is critical and stores the Boolean result at "pCritical". If
+ *  "cert" does not have a certificate policies extension, this function
+ *  stores NULL at "pCritical".
+ *
+ *  XXX what distinguishes NULL from PKIX_FALSE?
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose certificate policies extension's criticality is
+ *      to be determined. Must be non-NULL.
+ *  "pCritical"
+ *      Address where PKIX_Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_AreCertPoliciesCritical(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pCritical,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CheckNameConstraints
+ * DESCRIPTION:
+ *
+ *  Checks whether the subject distinguished name and subject alternative names
+ *  of the Cert pointed to by "cert" satisfy the CertNameConstraints pointed
+ *  to by "nameConstraints". If the CertNameConstraints are not satisfied, a
+ *  PKIX_Error pointer is returned. If "nameConstraints" is NULL, the function
+ *  does nothing.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose subject names are to be checked.
+ *      Must be non-NULL.
+ *  "nameConstraints"
+ *      Address of CertNameConstraints that need to be satisfied.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_CheckNameConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_MergeNameConstraints
+ * DESCRIPTION:
+ *
+ *  Merges the CertNameConstraints pointed to by "firstNC" and the
+ *  CertNameConstraints pointed to by "secondNC" and stores the merged
+ *  CertNameConstraints at "pResultNC". If "secondNC" is NULL, the
+ *  CertNameConstraints pointed to by "firstNC" is stored at "pResultNC".
+ *
+ *  Once created, a CertNameConstraints object is immutable.
+ *
+ * PARAMETERS:
+ *  "firstNC"
+ *      Address of first CertNameConstraints to be merged. Must be non-NULL.
+ *  "secondNC"
+ *      Address of second CertNameConstraints to be merged
+ *  "pResultNC"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_MergeNameConstraints(
+        PKIX_PL_CertNameConstraints *firstNC,
+        PKIX_PL_CertNameConstraints *secondNC,
+        PKIX_PL_CertNameConstraints **pResultNC,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage
+ * DESCRIPTION:
+ *
+ *  Verifies that the keyUsage bit(s) specified by "keyUsage" appear in the
+ *  keyUsage extension of the Cert pointed to by "cert". The keyUsage bit
+ *  values specified in pkixt.h are supported, and can be bitwise or'ed if
+ *  multiple bit values are to be verified. If the keyUsages do not all appear
+ *  in the keyUsage extension of "cert", a PKIX_Error pointer is returned.
+ *
+ *  KeyUsage ::= BIT STRING {
+ *      digitalSignature        (0),
+ *      nonRepudiation          (1),
+ *      keyEncipherment         (2),
+ *      dataEncipherment        (3),
+ *      keyAgreement            (4),
+ *      keyCertSign             (5),
+ *      cRLSign                 (6),
+ *      encipherOnly            (7),
+ *      decipherOnly            (8) }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose keyUsage bits are to be verified.
+ *      Must be non-NULL.
+ *  "keyUsage"
+ *      Constant representing keyUsage bit(s) that all must appear in keyUsage
+ *      extension of "cert".
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_VerifyKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 keyUsage,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CheckValidity
+ * DESCRIPTION:
+ *
+ *  Checks whether the Cert pointed to by "cert" would be valid at the time
+ *  represented by the Date pointed to by "date". If "date" is NULL, then this
+ *  function checks whether the Cert would be valid at the current time. If the
+ *  Cert would not be valid at the specified Date, a PKIX_Error pointer is
+ *  returned.
+ *
+ *  Validity ::= SEQUENCE {
+ *      notBefore       Time,
+ *      notAfter        Time }
+ *
+ *  Time ::= CHOICE {
+ *      utcTime         UTCTime,
+ *      generalTime     GeneralizedTime }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose validity is to be checked. Must be non-NULL.
+ *  "date"
+ *      Address of Date at which the Cert is being checked for validity.
+ *      If NULL, the current time is used for the Date.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_CheckValidity(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date *date,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the Date that represents the notAfter time of the
+ *  Certificate pointed to by "cert" and stores it at "pDate".
+ *
+ *  Validity ::= SEQUENCE {
+ *      notBefore       Time,
+ *      notAfter        Time }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose validity time is to be retrieved. Must be
+ *      non-NULL.
+ *  "date"
+ *      Address of Date at which the Cert's notAfter time is being retrieved.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetValidityNotAfter(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_VerifySignature
+ * DESCRIPTION:
+ *
+ *  Verifies the signature on the Cert pointed to by "cert" using the
+ *  PublicKey pointed to by "pubKey". If the signature doesn't verify, an
+ *  Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose signature is to be verified. Must be non-NULL.
+ *  "pubKey"
+ *      Address of a Public Key used to verify the signature. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_VerifySignature(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *pubKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_IsCertTrusted
+ * DESCRIPTION:
+ *
+ *  Checks the Cert specified by "cert" to determine, in a manner that depends
+ *  on the underlying platform, whether it is trusted, and stores the result in
+ *  "pTrusted". If a certificate is trusted it means that a chain built to that
+ *  certificate, and satisfying all the usage, policy, validity, and other
+ *  tests, is a valid chain and the End Entity certificate from which it was
+ *  built can be trusted.
+ *
+ *  If the Certificate is not intrinsically trustworthy, it still might end up a
+ *  component in a successful chain.
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert whose trustworthiness is to be determined. Must be
+ *      non-NULL.
+ *  "pTrusted"
+ *      Address where the Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CERT Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_IsCertTrusted(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pTrusted,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCacheFlag
+ * DESCRIPTION:
+ *
+ *  Retrieves the value of the cache flag in "cert" and return it at address
+ *  pointed by "pCacheFlag". The initila cache flag is determined by the
+ *  CertStore this "cert" is fetched from. When CertStore is created, user
+ *  need to specify if the data should be cached.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose cache flag is fetched. Must be non-NULL.
+ *  "pCacheFlag"
+ *      Address where PKIX_Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCacheFlag(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pCacheFlag,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_SetCacheFlag
+ * DESCRIPTION:
+ *
+ *  Set the value of the cache flag in "cert" base on the boolean value stored
+ *  at "cacheFlag". This function is meant to be used by CertStore after a
+ *  Cert is created.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert where "cacheFlag" is stored. Must be non-NULL.
+ *  "cacheFlag"
+ *      PKIX_Boolean flag for cache flag.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_SetCacheFlag(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean cacheFlag,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetTrustCertStore
+ * DESCRIPTION:
+ *
+ *  Retrieves the value of the CertStore in "cert" and return it at address
+ *  pointed by "pCertStore".
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose CertStore is fetched. Must be non-NULL.
+ *  "pTrustCertStore"
+ *      Address where CertStore will be stored and returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetTrustCertStore(
+        PKIX_PL_Cert *cert,
+        PKIX_CertStore **pTrustCertStore,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Cert_SetTrustCertStore
+ * DESCRIPTION:
+ *
+ *  Set the value of the CertStore "certStore" in "cert".
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert where "certStore" will be stored. Must be non-NULL.
+ *  "trustCertStore"
+ *      Address where the CertStore is. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_SetTrustCertStore(
+        PKIX_PL_Cert *cert,
+        PKIX_CertStore *trustCertStore,
+        void *plContext);
+
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess
+ * DESCRIPTION:
+ *
+ *  Retrieves the value(s) of the Authority Information Access in "cert" and
+ *  returns it in a list at address pointed by "pAuthorityInfoAccess".
+ *
+ *  SubjectInfoAccess ::=
+ *    SEQUENCE SIZE (1..MAX) of AccessDescription
+ *    AccessDescription ::= SEQUENCE {
+ *        accessMethod     OBJECT IDENTIFIER,
+ *        accessLocation   GeneralName
+ *    }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose Authority Information Access is fetched.
+ *      Must be non-NULL.
+ *  "pAuthorityInfoAccess"
+ *      Address where Authority InfoAccess will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAuthorityInfoAccess(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
+        void *plContext);
+
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess
+ * DESCRIPTION:
+ *
+ *  Retrieves the value(s) of the Subject Information Access in "cert" and
+ *  returns it in a list at address pointed by "pSubjectInfoAccess".
+ *
+ *  SubjectInfoAccess ::=
+ *    SEQUENCE SIZE (1..MAX) of AccessDescription
+ *    AccessDescription ::= SEQUENCE {
+ *        accessMethod     OBJECT IDENTIFIER,
+ *        accessLocation   GeneralName
+ *    }
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert whose Subject Information Access is fetched.
+ *      Must be non-NULL.
+ *  "pSubjectInfoAccess"
+ *      Address where Subject InfoAccess will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectInfoAccess(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */
+        void *plContext);
+
+
+/*
+ * InfoAccess 
+ *
+ * To hold Authority Information Access or Subject Information Access
+ * retrieved from a Certificate.
+ */
+
+#define PKIX_INFOACCESS_OCSP          1
+#define PKIX_INFOACCESS_CA_ISSUERS    2
+#define PKIX_INFOACCESS_TIMESTAMPING  3
+#define PKIX_INFOACCESS_CA_REPOSITORY 5
+
+#define PKIX_INFOACCESS_LOCATION_UNKNOWN 0
+#define PKIX_INFOACCESS_LOCATION_HTTP    1
+#define PKIX_INFOACCESS_LOCATION_LDAP    2
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetMethod
+ * DESCRIPTION:
+ *
+ *  Stores the method of the Information Access from "infoAccess" and
+ *  returns in "pMethod".
+ *
+ *  SubjectInfoAccess ::=
+ *    AccessDescription ::= SEQUENCE {
+ *        accessMethod     OBJECT IDENTIFIER,
+ *        accessLocation   GeneralName
+ *    }
+ *
+ * PARAMETERS:
+ *  "infoAccess"
+ *      Address of PKIX_PL_InfoAccess that has the access data.
+ *      Must be non-NULL.
+ *  "pMethod"
+ *      Address where access method will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetMethod(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_UInt32 *pMethod,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetLocation
+ * DESCRIPTION:
+ *
+ *  Stores the location of the Information Access from "infoAccess" and
+ *  returns in "pLocation".
+ *
+ *  SubjectInfoAccess ::=
+ *    AccessDescription ::= SEQUENCE {
+ *        accessMethod     OBJECT IDENTIFIER,
+ *        accessLocation   GeneralName
+ *    }
+ *
+ * PARAMETERS:
+ *  "infoAccess"
+ *      Address of PKIX_PL_InfoAccess that has the access data.
+ *      Must be non-NULL.
+ *  "pLocation"
+ *      Address where access location will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetLocation(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_PL_GeneralName **pLocation,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetLocationType
+ * DESCRIPTION:
+ *
+ *  Stores the type of location of the Information Access from "infoAccess" and
+ *  returns in "pType".
+ *
+ *  SubjectInfoAccess ::=
+ *    AccessDescription ::= SEQUENCE {
+ *        accessMethod     OBJECT IDENTIFIER,
+ *        accessLocation   GeneralName
+ *    }
+ *
+ * PARAMETERS:
+ *  "infoAccess"
+ *      Address of PKIX_PL_InfoAccess that has the access data.
+ *      Must be non-NULL.
+ *  "pType"
+ *      Address where access location type will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetLocationType(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_UInt32 *pType,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_InfoAccess_GetAIACerts(
+        PKIX_PL_InfoAccess *ia,
+        void **pNBIOContext,
+        void **pHandle,
+        PKIX_List **pCerts,
+        void *plContext);
+
+/*
+ * CRL
+ *
+ * A CRL represents an X.509 certificate revocation list. It can be created
+ * using the bytes of a valid ASN.1 DER encoding. Once created, a CRL is
+ * immutable. The following functions include accessors (gettors) for the
+ * various components of an X.509 CRL, as well as a function for signature
+ * verification.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_CRL_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CRL using the bytes in the ByteArray pointed to by
+ *  "byteArray" and stores it at "pCRL". If the bytes are not a valid ASN.1
+ *  DER encoding of a CRL, a PKIX_Error pointer is returned. Once created, a
+ *  CRL is immutable.
+ *
+ *  CertificateList  ::=  SEQUENCE  {
+ *      tbsCertList             TBSCertList,
+ *      signatureAlgorithm      AlgorithmIdentifier,
+ *      signatureValue          BIT STRING  }
+ *
+ *  TBSCertList  ::=  SEQUENCE  {
+ *      version                 Version OPTIONAL,
+ *                              -- if present, MUST be v2
+ *      signature               AlgorithmIdentifier,
+ *      issuer                  Name,
+ *      thisUpdate              Time,
+ *      nextUpdate              Time OPTIONAL,
+ *      revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *              userCertificate         CertificateSerialNumber,
+ *              revocationDate          Time,
+ *              crlEntryExtensions      Extensions OPTIONAL
+ *                                      -- if present, MUST be v2
+ *                              }  OPTIONAL,
+ *      crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+ *                                      -- if present, MUST be v2
+ *      }
+ *
+ * PARAMETERS:
+ *  "byteArray"
+ *      Address of ByteArray representing the CRL's DER encoding.
+ *      Must be non-NULL.
+ *  "pCRL"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_Create(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_PL_CRL **pCRL,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetIssuer
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the X500Name that represents the issuer of the CRL
+ *  pointed to by "crl" and stores it at "pCRLIssuer".
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose issuer is to be stored. Must be non-NULL.
+ *  "pCRLIssuer"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetIssuer(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_X500Name **pCRLIssuer,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
+ *  critical extension of the CRL pointed to by "crl") and stores it at
+ *  "pExtensions". If "crl" does not have any critical extensions, this
+ *  function stores an empty List at "pExtensions".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose critical extension OIDs are to be stored.
+ *      Must be non-NULL.
+ *  "pExtensions"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCriticalExtensionOIDs(
+        PKIX_PL_CRL *crl,
+        PKIX_List **pExtensions,   /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the CRLEntry (found in the CRL pointed to by "crl")
+ *  corresponding to the BigInt pointed to by "serialNumber" and stores it at
+ *  "pCRLEntry". If there is no such CRLEntry, this functions stores NULL at
+ *  "pCRLEntry". Once created, a CRLEntry is immutable.
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose CRL Entries are to be searched. Must be non-NULL.
+ *  "serialNumber"
+ *      Address of BigInt representing serial number of certificate whose
+ *      CRLEntry is to be found. Must be non-NULL.
+ *  "pCRLEntry"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_BigInt *serialNumber,
+        PKIX_PL_CRLEntry **pCRLEntry,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCRLNumber
+ * DESCRIPTION:
+ *  Retrieves the CRL Number from extension. This is non-critical extension.
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose version is to be stored. Must be non-NULL.
+ *  "pCrlNumber"
+ *      Address where a CRL Number will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCRLNumber(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_BigInt **pCrlNumber,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime
+ * DESCRIPTION:
+ *
+ *  Checks whether the CRL pointed to by "crl" would be valid at the time
+ *  represented by the Date pointed to by "date" and stores the Boolean result
+ *  at "pResult". This check is done only when NIST policy is enforced.
+ *
+ *  Time ::= CHOICE {
+ *      utcTime         UTCTime,
+ *      generalTime     GeneralizedTime }
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose validity is to be checked. Must be non-NULL.
+ *  "date"
+ *      Address of Date at which the CRL is being checked for validity.
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address of Boolean result. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_VerifyUpdateTime(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_Date *date,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRL_VerifySignature
+ * DESCRIPTION:
+ *
+ *  Verifies the signature on the CRL pointed to by "crl" using the PublicKey
+ *  pointed to by "pubKey". If the signature doesn't verify, a PKIX_Error
+ *  pointer is returned.
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose signature is to be verified. Must be non-NULL.
+ *  "pubKey"
+ *      Address of a Public Key used to verify the signature. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRL_VerifySignature(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_PublicKey *pubKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+ * DESCRIPTION:
+ *
+ *  Retrieves the value of the reason code extension of the CRLEntry pointed
+ *  to by "crlEntry" and stores it at "pReason". If the "crlEntry" has no
+ *  reason code extension, this function stores -1 at "pReason".
+ *
+ *  CRLReason ::= ENUMERATED {
+ *      unspecified             (0),
+ *      keyCompromise           (1),
+ *      cACompromise            (2),
+ *      affiliationChanged      (3),
+ *      superseded              (4),
+ *      cessationOfOperation    (5),
+ *      certificateHold         (6),
+ *      removeFromCRL           (8),
+ *      privilegeWithdrawn      (9),
+ *      aACompromise            (10) }
+ *
+ * PARAMETERS:
+ *  "crlEntry"
+ *      Address of CRLEntry whose reason code bit values are to be returned
+ *      at "pReason". Must be non-NULL.
+ *  "pReason"
+ *      Address of PKIX_Int32 where reason code is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRLEntry_GetCRLEntryReasonCode(
+        PKIX_PL_CRLEntry *crlEntry,
+        PKIX_Int32 *pReason,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of OIDs (each OID corresponding to a
+ *  critical extension of the CRLEntry pointed to by "crlEntry") and stores it
+ *  at "pExtensions". If "crlEntry" does not have any critical extensions, this
+ *  function stores an empty List at "pExtensions".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "crlEntry"
+ *      Address of CRLEntry whose critical extension OIDs are to be stored.
+ *      Must be non-NULL.
+ *  "pExtensions"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CRLEntry_GetCriticalExtensionOIDs(
+        PKIX_PL_CRLEntry *crlEntry,
+        PKIX_List **pExtensions,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+#ifdef BUILD_LIBPKIX_TESTS
+/*
+ * FUNCTION: PKIX_PL_X500Name_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new X500Name using the UTF8 string representation pointed to by
+ *  "stringRep" and stores it at "pName". Once created, an X500Name is
+ *  immutable.
+ *
+ *  Name ::= CHOICE {
+ *    RDNSequence }
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *      type    AttributeType,
+ *      value   AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ *
+ *  DirectoryString ::= CHOICE {
+ *      teletexString           TeletexString (SIZE (1..MAX)),
+ *      printableString         PrintableString (SIZE (1..MAX)),
+ *      universalString         UniversalString (SIZE (1..MAX)),
+ *      utf8String              UTF8String (SIZE (1..MAX)),
+ *      bmpString               BMPString (SIZE (1..MAX)) }
+ *
+ * PARAMETERS:
+ *  "stringRep"
+ *      Address of UTF8 String representation of X500Name. Must be non-NULL.
+ *  "pName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an X500Name Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_X500Name_Create (
+        PKIX_PL_String *stringRep,
+        PKIX_PL_X500Name **pName,
+        void *plContext);
+
+#endif /* BUILD_LIBPKIX_TESTS */
+
+/*
+ * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName
+ * DESCRIPTION:
+ * 
+ * The function creates x500Name using der encoded DN and/or pointer to
+ * CERTName. If arument "name" is NULL, but derName is supplied when
+ * the function generates nssDN(CERTName type) from der data. If derName
+ * is not supplied, CERTName *name will not be used to generate DN DER
+ * encoding.
+ *
+ * PARAMETERS:
+ *  "derName"
+ *      Address of DER representation of X500Name. Can be NULL
+ *  "name"
+ *      Address of CERTName representation of X500Name. Can be NULL
+ *  "pName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an X500Name Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_X500Name_CreateFromCERTName(
+        SECItem *derName,
+        CERTName *name,
+        PKIX_PL_X500Name **pName,
+        void *plContext);
+
+
+/*
+ * TYPE: PKIX_PL_X500Name_Match
+ * DESCRIPTION:
+ *  Checks whether the X500Name pointed to by "firstX500Name" MATCHES the
+ *  X500Name pointed to by "secondX500Name" and stores the boolean result at
+ *  "pResult". Two X500Names MATCH if they meet the conditions specified by
+ *  RFC 3280 (section 4.1.2.4). Namely:
+ *
+ *      "This specification requires only a subset of the name comparison
+ *      functionality specified in the X.500 series of specifications.
+ *      Conforming implementations are REQUIRED to implement the following
+ *      name comparison rules:
+ *
+ *      (a)  attribute values encoded in different types (e.g., PrintableString
+ *      and BMPString) MAY be assumed to represent different strings;
+ *
+ *      (b) attribute values in types other than PrintableString are case
+ *      sensitive (this permits matching of attribute values as binary objects)
+ *
+ *      (c)  attribute values in PrintableString are not case sensitive
+ *      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
+ *
+ *      (d)  attribute values in PrintableString are compared after removing
+ *      leading and trailing white space and converting internal substrings of
+ *      one or more consecutive white space characters to a single space."
+ *
+ * PARAMETERS:
+ *  "firstX500Name"
+ *      Address of first X500Name to compare. Must be non-NULL.
+ *  "secondX500Name"
+ *      Address of second X500Name to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address of Boolean result. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an X500Name Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_X500Name_Match(
+        PKIX_PL_X500Name *firstX500Name,
+        PKIX_PL_X500Name *secondX500Name,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Date_Create_UTCTime
+ * DESCRIPTION:
+ *  Creates a new Date of type UTCTime using the string representation pointed
+ *  to by "stringRep" and stores it at "pDate". The UTCTime restriction means
+ *  that the year can only be specified by the least significant two digits
+ *  (YY). As such, Only the years 1950-2049 can be represented. If "stringRep"
+ *  is NULL, this function creates a new Date representing the current time
+ *  and stores it at "pDate". Once created, a Date is immutable.
+ *
+ *  If YY is greater than or equal to 50, the year is interpreted as 19YY.
+ *  If YY is less than 50, the year is interpreted as 20YY.
+ *
+ *  The string representation of the date must be in the following form:
+ *      "YYMMDDhhmmssZ" where:
+ *
+ *  YY is the least significant two digits of the year
+ *  MM is the month (01 to 12)
+ *  DD is the day (01 to 31)
+ *  hh is the hour (00 to 23)
+ *  mm are the minutes (00 to 59)
+ *  ss are the seconds (00 to 59)
+ *  Z indicates that local time is GMT
+ *
+ * PARAMETERS:
+ *  "stringRep"
+ *      Address of String representation of Date.
+ *      If NULL, current time is used.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Date_Create_UTCTime (
+        PKIX_PL_String *stringRep,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Date_Create_UTCTime
+ * DESCRIPTION:
+ *  Creates a new Date from PRTime data.
+ *
+ * PARAMETERS:
+ *  "time"
+ *      Represented time in PRTime type.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Date_CreateFromPRTime(
+        PRTime time,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds
+ * DESCRIPTION:
+ *  Creates a new Date of type UTCTime for current time with seconds off by
+ *  "secondsOffset" and returns it at "pDate".
+ *
+ * PARAMETERS:
+ *  "secondsOffset"
+ *      A PKIX_Int32 indicates the time offset from current. If "secondsOffset"
+ *      is negative, the time is in past.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Date_Create_CurrentOffBySeconds(
+        PKIX_Int32 secondsOffset,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+#ifdef BUILD_LIBPKIX_TESTS
+/*
+ * FUNCTION: PKIX_PL_GeneralName_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new GeneralName of type "nameType" using the string
+ *  representation pointed to by "stringRep" and stores it at "pGName".
+ *  All of the GeneralName type format values specified in pkixt.h are
+ *  supported, with the exception of PKIX_OTHER_NAME, PKIX_EDIPARTY_NAME,
+ *  PKIX_IP_NAME, and PKIX_X400_ADDRESS. A PKIX_ESCASCII string representation
+ *  should be used for all supported nameTypes, with the exception of
+ *  registeredID and directoryName. For registeredID, the string representation
+ *  should be the same as that used by PKIX_PL_OID_Create. For directoryName,
+ *  the string representation should be the same as that used by
+ *  PKIX_PL_X500Name_Create. If an unsupported name type is used, an Error is
+ *  returned. Once created, a GeneralName is immutable.
+ *
+ *  GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ *
+ * NOTE: This function is allowed to be called only by pkix tests programs.
+ * 
+ * PARAMETERS:
+ *  "nameType"
+ *      Type of GeneralName to be created. This must be one of the GeneralName
+ *      type format values specified in pkixt.h
+ *  "stringRep"
+ *      Address of String representation of GeneralName. Must be non-NULL.
+ *  "pGName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_GeneralName_Create (
+        PKIX_UInt32 nameType,
+        PKIX_PL_String *stringRep,
+        PKIX_PL_GeneralName **pGName,
+        void *plContext);
+#endif /* BUILD_LIBPKIX_TESTS */
+
+/*
+ * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+ * DESCRIPTION:
+ *
+ *  This function checks whether names in "nameList" comply with
+ *  "nameConstraints". It stores PKIX_TRUE at "pCheckPass" if the names meet the
+ *  requirement of the NameConstraints, PKIX_FALSE otherwise.
+ *
+ * PARAMETERS
+ *  "nameList"
+ *      List of GeneralNames that are checked for compliance. May be empty
+ *      or NULL.
+ *  "nameConstraints"
+ *      Address of CertNameConstraints that provides lists of permitted
+ *      and excluded names. Must be non-NULL.
+ *  "pCheckPass"
+ *      Address where PKIX_TRUE is returned if the all names in "nameList" are
+ *      valid. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
+        PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean *pCheckPass,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_AIAMgr_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an AIAMgr to handle retrieval of Certs and CRLs
+ *  from servers given by AIA Certificate extensions. It manages connections
+ *  and caches. The manager created is stored at "pAIAMgr".
+ *
+ * PARAMETERS:
+ *  "pAIAMgr"
+ *      The address at which the result is stored. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an AIAMgr Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_AIAMgr_Create(
+        PKIX_PL_AIAMgr **pAIAMgr,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts
+ * DESCRIPTION:
+ *
+ *  This function uses the AIAMgr pointed to by "aiaMgr" to retrieve the Certs
+ *  specified by an AIA certificate extension, if any, in the Cert pointed to by
+ *  "prevCert", storing the results at "pCerts". If the certificate has no such
+ *  extension, this function stores NULL at "pCerts".
+ *
+ *  If the request is suspended for non-blocking I/O, a platform-dependent
+ *  context is stored at "pNBIOContext" and NULL is stored at "pCerts". This
+ *  return is referred to as the WOULDBLOCK state. Note that the caller must
+ *  check for a non-NULL value at "pNBIOContext", to distinguish this state from
+ *  the "no such extension" return described in the first paragraph. (The
+ *  alternative would be to return an empty List, but it seemed wrong to incur
+ *  the overhead of creating and destroying an empty List for the most common
+ *  situation.)
+ *
+ *  After a WOULDBLOCK return, the user may continue the operation by calling
+ *  pkix_AIAMgr_GetAIACerts (possibly more than once, if the function again
+ *  returns in the WOULDBLOCK state) with the previously-returned non-NULL
+ *  value of "pNBIOContext". When results are complete, NULL is stored at
+ *  "pNBIOContext", and the results (which may be NULL) are stored at "pCerts".
+ *
+ * PARAMETERS:
+ *  "aiaMgr"
+ *      The AIAMgr which controls the retrieval of certificates. Must be
+ *      non-NULL.
+ *  "prevCert"
+ *      Address of PKIX_PL_Cert which may provide an AIA or SIA extension. Must
+ *      be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is returned if request
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "pCerts"
+ *      Address at which the returned List is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an AIAMgr Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_AIAMgr_GetAIACerts(
+        PKIX_PL_AIAMgr *aiaMgr,
+        PKIX_PL_Cert *prevCert,
+        void **pNBIOContext,
+        PKIX_List **pCerts,
+        void *plContext);
+
+typedef PKIX_Error *
+(*PKIX_PL_OcspResponse_VerifyCallback)(
+        PKIX_PL_Cert *signerCert,
+        PKIX_PL_Date *producedAt,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        void **pState,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspRequest_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_OcspCertID *cid,
+        PKIX_PL_Date *validity,
+        PKIX_PL_Cert *signerCert,
+        PKIX_Boolean *pURIFound,
+        PKIX_PL_OcspRequest **pRequest,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspResponse_Create(
+        PKIX_PL_OcspRequest *request,
+        void *responder,
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn,
+        void **pNBIOContext,
+        PKIX_PL_OcspResponse **pResponse,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspResponse_Decode(
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *passed,
+        SECErrorCodes *pReturnCode,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspResponse_GetStatus(
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *passed,
+        SECErrorCodes *pReturnCode,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspResponse_VerifySignature(
+        PKIX_PL_OcspResponse *response,
+        PKIX_PL_Cert *cert,
+        PKIX_ProcessingParams *procParams,
+        PKIX_Boolean *pPassed,
+        void **pNBIOContext,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspResponse_GetStatusForCert(
+        PKIX_PL_OcspCertID *cid,
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *pPassed,
+        SECErrorCodes *pReturnCode,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_PKI_H */
diff --git a/security/nss/lib/libpkix/include/pkix_pl_system.h b/security/nss/lib/libpkix/include/pkix_pl_system.h
new file mode 100755
index 000000000..447ea1e5e
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_pl_system.h
@@ -0,0 +1,1561 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines several platform independent functions to make system
+ * calls in a portable manner.
+ *
+ */
+
+#ifndef _PKIX_PL_SYSTEM_H
+#define _PKIX_PL_SYSTEM_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/*
+ * FUNCTION: PKIX_PL_Initialize
+ * DESCRIPTION:
+ *
+ *  XXX If this function is really only meant to be used by PKIX_Initialize,
+ *  why don't we just put it in a private header file rather than the public
+ *  API. I think it may confuse users.
+ *
+ *  This function should NOT be called by applications. It is only meant to
+ *  be used internally. The application needs only to call PKIX_Initialize,
+ *  which in turn will call this function.
+ *
+ *  This function initializes data structures critical to the operation of
+ *  libpkix. If initialization is not successful, an Error pointer is
+ *  returned. This function should only be called once. If it is called more
+ *  than once, the behavior is undefined.
+ *
+ *  No PKIX_* types and functions should be used before this function is
+ *  called and returns successfully.
+ *
+ * PARAMETERS:
+ *  "platformInitNeeded"
+ *      Boolean indicating whether platform initialization is to be called
+ *  "useArenas"
+ *      Boolean indicating whether allocation is to be done using arenas or
+ *      individual allocation (malloc).
+ *  "pPlContext"
+ *      Address at which platform-specific context pointer is stored. Must be
+ *      non-NULL.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *
+ *  This function assumes that no other thread is calling this function while
+ *  it is executing.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Initialize(
+        PKIX_Boolean platformInitNeeded,
+        PKIX_Boolean useArenas,
+        void **pPlContext);
+
+/*
+ * FUNCTION: PKIX_PL_Shutdown
+ * DESCRIPTION:
+ *
+ *  XXX If this function is really only meant to be used by PKIX_Shutdown,
+ *  why don't we just put it in a private header file rather than the public
+ *  API. I think it may confuse users.
+ *
+ *  This function should NOT be called by applications. It is only meant to
+ *  be used internally. The application needs only to call PKIX_Shutdown,
+ *  which in turn will call this function.
+ *
+ *  This function deallocates any memory used by the Portability Layer (PL)
+ *  component of the libpkix library and shuts down any ongoing operations.
+ *  This function should only be called once. If it is called more than once,
+ *  the behavior is undefined.
+ *
+ *  No PKIX_* types and functions should be used after this function is called
+ *  and returns successfully.
+ *
+ * PARAMETERS:
+ *  "platformInitNeeded"
+ *      Boolean value of whether PKIX initialized NSS: PKIX_TRUE if we
+ *      called nssInit, PKIX_FALSE otherwise
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *
+ *  This function makes use of global variables and should only be called once.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Shutdown(void *plContext);
+
+/* standard memory management operations (not reference-counted) */
+
+/*
+ * FUNCTION: PKIX_PL_Malloc
+ * DESCRIPTION:
+ *
+ *  Allocates a block of "size" bytes. The bytes are not initialized. A
+ *  pointer to the newly allocated memory will be stored at "pMemory". The
+ *  memory allocated by PKIX_PL_Malloc() may only be freed by PKIX_PL_Free().
+ *  If "size" equals zero, this function stores NULL at "pMemory".
+ *
+ * PARAMETERS:
+ *  "size"
+ *      Number of bytes to allocate.
+ *  "pMemory"
+ *      Address where newly allocated pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on underlying thread safety of platform used by PL.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Malloc(
+        PKIX_UInt32 size,
+        void **pMemory,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Calloc
+ * DESCRIPTION:
+ *
+ *  Allocates memory for an array of "nElem" elements, with each element
+ *  requiring "elSize" bytes, and with all the bits initialized to zero. A
+ *  pointer to the newly allocated memory will be stored at "pMemory". The
+ *  memory allocated by PKIX_PL_Calloc() may only be freed by PKIX_PL_Free().
+ *  If "nElem" equals zero or "elSize" equals zero, this function stores NULL
+ *  at "pMemory".
+ *
+ * PARAMETERS:
+ *  "nElem"
+ *      Number of elements needed.
+ *  "elSize"
+ *      Number of bytes needed per element.
+ *  "pMemory"
+ *      Address where newly allocated pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on underlying thread safety of platform used by PL.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Calloc(
+        PKIX_UInt32 nElem,
+        PKIX_UInt32 elSize,
+        void **pMemory,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Realloc
+ * DESCRIPTION:
+ *
+ *  Resizes an existing block of memory (pointed to by "ptr") to "size" bytes.
+ *  Stores a pointer to the resized memory at "pNewPtr". The "ptr" must
+ *  originate from either PKIX_PL_Malloc(), PKIX_PL_Realloc(), or
+ *  PKIX_PL_Calloc(). If "ptr" is NULL, this function behaves as if
+ *  PKIX_PL_Malloc were called. If "ptr" is not NULL and "size" equals zero,
+ *  the memory pointed to by "ptr" is deallocated and this function stores
+ *  NULL at "pPtr".
+ *
+ * PARAMETERS:
+ *  "ptr"
+ *      A pointer to an existing block of memory.
+ *  "size"
+ *      New size in bytes.
+ *  "pPtr"
+ *      Address where newly allocated pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on underlying thread safety of platform used by PL.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Realloc(
+        void *ptr,
+        PKIX_UInt32 size,
+        void **pNewPtr,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Free
+ * DESCRIPTION:
+ *
+ *  Frees a block of memory pointed to by "ptr". This value must originate with
+ *  either PKIX_PL_Malloc(), PKIX_PL_Calloc, or PKIX_PL_Realloc(). If "ptr" is
+ *  NULL, the function has no effect.
+ *
+ * PARAMETERS:
+ *  "ptr"
+ *      A pointer to an existing block of memory.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on underlying thread safety of platform used by PL.
+ * RETURNS:
+ *  Returns NULL always.
+ */
+PKIX_Error *
+PKIX_PL_Free(
+        void *ptr,
+        void *plContext);
+
+/* Callback Types
+ *
+ * The next few typedefs define function pointer types for the standard
+ * functions associated with every object type. See the Implementation
+ * Guidelines or the comments below for more information.
+ */
+
+/*
+ * TYPE: PKIX_PL_DestructorCallback
+ * DESCRIPTION:
+ *
+ *  This callback function destroys (or DecRef's) any pointers contained in
+ *  the user data for the Object pointed to by "object" before the Object is
+ *  destroyed.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to destroy. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts (as long as they're not operating on the same
+ *  object and nobody else is performing an operation on the object at the
+ *  same time). Both of these conditions should be guaranteed by the fact that
+ *  the object's ref count was reduced to 0 in a lock that's still held when
+ *  this callback is called.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_DestructorCallback)(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/*
+ * TYPE: PKIX_PL_EqualsCallback
+ * DESCRIPTION:
+ *
+ *  This callback function compares the Object pointed to by "firstObject" with
+ *  the Object pointed to by "secondObject" for equality and stores the result
+ *  at "pResult" (PKIX_TRUE if equal; PKIX_FALSE if not).
+ *
+ * PARAMETERS:
+ *  "firstObject"
+ *      Address of first object to compare. Must be non-NULL.
+ *  "secondObject"
+ *      Address of second object to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same objects.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_EqualsCallback)(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * TYPE: PKIX_PL_HashcodeCallback
+ * DESCRIPTION:
+ *
+ *  This callback function computes the hashcode of the Object pointed to by
+ *  "object" and stores the result at "pValue".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose hashcode is desired. Must be non-NULL.
+ *  "pValue"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_HashcodeCallback)(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pValue,
+        void *plContext);
+
+/*
+ * TYPE: PKIX_PL_ToStringCallback
+ * DESCRIPTION:
+ *
+ *  This callback function converts the Object pointed to by "object" to a
+ *  string representation and stores the result at "pString".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Object to get a string representation from. Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_ToStringCallback)(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+/*
+ * TYPE: PKIX_PL_ComparatorCallback
+ * DESCRIPTION:
+ *
+ *  This callback function determines how the Object pointed to by
+ *  "firstObject" compares to the Object pointed to by "secondObject" and
+ *  stores the result at "pResult".
+ *
+ *  Result is less than 0 if firstObject < secondObject
+ *  Result equals 0 if firstObject = secondObject
+ *  Result is greater than 0 if firstObject > secondObject
+ *
+ * PARAMETERS:
+ *  "firstObject"
+ *      Address of the first Object to compare. Must be non-NULL.
+ *  "secondObject"
+ *      Address of the second Object to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same objects.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_ComparatorCallback)(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext);
+
+/*
+ * TYPE: PKIX_PL_DuplicateCallback
+ * DESCRIPTION:
+ *
+ *  This callback function creates a copy of the Object pointed to by "object"
+ *  and stores it at "pNewObject". Changes to the copy will not affect the
+ *  original and vice versa.
+ *
+ *  Note that if "object" is immutable, the Duplicate callback function simply
+ *  needs to increment the reference count on "object" and return a reference
+ *  to "object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of the object to be copied. Must be non-NULL.
+ *  "pNewObject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_PL_DuplicateCallback)(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext);
+
+/* reference-counted objects */
+
+/*
+ * FUNCTION: PKIX_PL_Object_Alloc
+ * DESCRIPTION:
+ *
+ *  Allocates a new Object of type "type" with "size" bytes and stores the
+ *  resulting pointer at "pObject". The reference count of the newly
+ *  allocated object will be initialized to 1. To improve performance, each
+ *  object maintains a small cache for the results of Hashcode and ToString.
+ *  Mutable objects should call InvalidateCache whenever changes are made to
+ *  the object's state (after creation). If an error occurs during allocation,
+ *  "pObject" will be set to NULL. If "size" equals zero, this function creates
+ *  an Object with a reference count of 1, and places a pointer to unallocated
+ *  memory at "pMemory".
+ *
+ * PARAMETERS:
+ *  "type"
+ *      The type code of this object. See pkixt.h for codes. The type code
+ *      must be previously registered with PKIX_PL_Object_RegisterType().
+ *  "size"
+ *      The number of bytes needed for this object.
+ *  "pMemory"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Alloc(
+        PKIX_TYPENUM type,
+        PKIX_UInt32 size,
+        PKIX_PL_Object **pObject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_IsTypeRegistered
+ * DESCRIPTION:
+ *
+ *  Checks whether "type" has been registered by a previous call to
+ *  PKIX_PL_Object_RegisterType() and stores the Boolean result at "pBool".
+ *  This function will typically only be called by constructors for specific
+ *  types.
+ *
+ * PARAMETERS:
+ *  "type"
+ *      The type code to check if valid.
+ *  "pBool"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_IsTypeRegistered(
+        PKIX_UInt32 type,
+        PKIX_Boolean *pBool,
+        void *plContext);
+
+#ifdef PKIX_USER_OBJECT_TYPE
+/*
+ * FUNCTION: PKIX_PL_Object_RegisterType
+ * DESCRIPTION:
+ *
+ *  Registers a new Object with type value "type" and associates it with a set
+ *  of functions ("destructor", "equalsFunction", "hashcodeFunction",
+ *  "toStringFunction", "comparator", "duplicateFunction"). The new type value
+ *  is also associated with a string pointed to by "description", which is used
+ *  by the default ToStringCallback. This function may only be called with a
+ *  particular "type" value once. If "destructor", "equalsFunction",
+ *  "hashcodeFunction", or "toStringFunction" are NULL, default functions will
+ *  be registered. However, if "comparator" and "duplicateFunction" are NULL,
+ *  no functions will be registered and calls to PKIX_PL_Object_Compare and
+ *  PKIX_PL_Object_Duplicate will result in an error.
+ *
+ * PARAMETERS:
+ *  "type"
+ *      The type code.
+ *  "description"
+ *      The string used by the default ToStringCallback. Default used if NULL.
+ *  "destructor"
+ *      The DestructorCallback function to be set. Default used if NULL.
+ *  "equalsFunction"
+ *      The EqualsCallback function to be set. Default used if NULL.
+ *  "hashcodeFunction"
+ *      The HashcodeCallback function to be set. Default used if NULL.

+ *  "toStringFunction"
+ *      The ToStringCallback function to be set. Default used if NULL.
+ *  "comparator"
+ *      The ComparatorCallback function to be set. None set if NULL. If no
+ *      callback function is set in this field, calls to
+ *      PKIX_PL_Object_Compare() will result in an error.
+ *  "duplicateFunction"
+ *      The DuplicateCallback function to be set. None set if NULL. If no
+ *      callback function is set in this field, calls to
+ *      PKIX_PL_Object_Duplicate() will result in an error.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if "type" is already registered.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_RegisterType(
+        PKIX_UInt32 type,
+        char *description,
+        PKIX_PL_DestructorCallback destructor,
+        PKIX_PL_EqualsCallback equalsFunction,
+        PKIX_PL_HashcodeCallback hashcodeFunction,
+        PKIX_PL_ToStringCallback toStringFunction,
+        PKIX_PL_ComparatorCallback comparator,
+        PKIX_PL_DuplicateCallback duplicateFunction,
+        void *plContext);
+
+#endif
+/*
+ * FUNCTION: PKIX_PL_Object_InvalidateCache
+ * DESCRIPTION:
+ *
+ *  Invalidates the cache of the Object pointed to by "object". The cache
+ *  contains results of Hashcode and ToString. This function should be used by
+ *  mutable objects whenever changes are made to the Object's state (after
+ *  creation).
+ *
+ *  For example, if ToString is called on a mutable Object, the result will be
+ *  computed, cached, and returned. If the Object's state does not change, a
+ *  subsequent call to ToString will recognize that the relevant result is
+ *  cached and will simply return the result (without calling the Object's
+ *  ToStringCallback to recompute it). However, when the Object's state
+ *  changes, the cache needs to be invalidated in order to force a subsequent
+ *  call to ToString to recompute the result.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose cache is to be invalidated. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY
+ *  Thread Safe - Object Type Table is locked during modification.
+ *
+ *  Multiple threads can safely call this function without worrying about
+ *  conflicts, even if they're operating on the same object.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_InvalidateCache(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_IncRef
+ * DESCRIPTION:
+ *
+ *  Increments the reference count of the Object pointed to by "object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose reference count is to be incremented.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_IncRef(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_DecRef
+ * DESCRIPTION:
+ *
+ *  Decrements the reference count of the Object pointed to by "object". If the
+ *  resulting reference count is zero, the destructor (if any) registered for
+ *  the Object's type (by PKIX_PL_RegisterType) will be called and then the
+ *  Object will be destroyed.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose reference count is to be decremented.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  If destructor is not called, multiple threads can safely call this function
+ *  without worrying about conflicts, even if they're operating on the same
+ *  object. If destructor is called, thread safety depends on the callback
+ *  defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_DecRef(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Equals
+ * DESCRIPTION:
+ *
+ *  Compares the Object pointed to by "firstObject" with the Object pointed to
+ *  by "secondObject" for equality using the callback function registered for
+ *  "firstObject"'s type, and stores the Boolean result at "pResult". While
+ *  typical callbacks will return PKIX_FALSE if the objects are of different
+ *  types, other callbacks may be capable of comparing objects of different
+ *  types [which may correctly result in cases where Equals(first, second)
+ *  differs from Equals(second, first)].
+ *
+ * PARAMETERS:
+ *  "firstObject"
+ *      Address of the first Object to compare. Must be non-NULL.
+ *      The EqualsCallback for this Object will be called.
+ *  "secondObject"
+ *      Address of the second Object to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on the callback defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Hashcode
+ * DESCRIPTION:
+ *
+ *  Computes a hashcode of the Object pointed to by "object" using the
+ *  callback registered for "object"'s type and stores it at "pValue". Two
+ *  objects which are equal should have the same hashcode. Once a call to
+ *  Hashcode has been made, the results are cached and subsequent calls to
+ *  Hashcode will return the cached value. For mutable objects, an
+ *  InvalidateCache function is provided, which should be called whenever
+ *  changes are made to the object's state (after creation).
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of the Object whose hashcode is desired. Must be non-NULL.
+ *      The HashcodeCallback for this object will be called.
+ *  "pValue"
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread safety depends on the callback defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pValue,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_ToString
+ * DESCRIPTION:
+ *
+ *  Creates a string representation of the Object pointed to by "object" using
+ *  the callback registered for "object"'s type and stores it at "pString".
+ *  Once a call to ToString has been made, the results are cached and
+ *  subsequent calls to ToString will return the cached value. For mutable
+ *  objects, an InvalidateCache function is provided, which should be called
+ *  whenever changes are made to the object's state (after creation).
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose string representation is desired.
+ *      Must be non-NULL. The ToStringCallback for this object will be called.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on the callback defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Compare
+ * DESCRIPTION:
+ *
+ *  Compares the Object pointed to by "firstObject" and the Object pointed to
+ *  by "secondObject" using the comparator registered for "firstObject"'s type
+ *  and stores the result at "pResult". Different types may be compared. This
+ *  may correctly result in cases where Compare(first, second) is not the
+ *  opposite of Compare(second, first). The PKIX_Int32 value stored at
+ *  "pResult" will be:
+ *   Less than 0 if "firstObject" < "secondObject"
+ *   Equals to 0 if "firstObject" = "secondObject"
+ *   Greater than 0 if "firstObject" > "secondObject"
+ *
+ * PARAMETERS:
+ *  "firstObject"
+ *      Address of first Object to compare. Must be non-NULL.
+ *      The ComparatorCallback for this object will be called.
+ *  "secondObject"
+ *      Address of second object to compare. Must be non-NULL.
+ *  "pResult
+ *      Address where PKIX_Int32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on the comparator defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Compare(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Duplicate
+ * DESCRIPTION:
+ *
+ *  Creates a duplicate copy of the Object pointed to by "object" using the
+ *  callback registered for "object"'s type and stores the copy at
+ *  "pNewObject". Changes to the new object will not affect the original and
+ *  vice versa.
+ *
+ *  Note that if "object" is immutable, the Duplicate callback function simply
+ *  needs to increment the reference count on "object" and return a reference
+ *  to "object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to be duplicated. Must be non-NULL.
+ *      The DuplicateCallback for this Object will be called.
+ *  "pNewObject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread safety depends on the callback defined by PKIX_PL_RegisterType().
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_GetType
+ * DESCRIPTION:
+ *
+ *  Retrieves the type code of the Object pointed to by "object" and stores it
+ *  at "pType". See pkixt.h for type codes.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose type is desired. Must be non-NULL.
+ *  "pType"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_GetType(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pType,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Lock
+ * DESCRIPTION:
+ *
+ *  Locks the Mutex associated with the Object pointed to by "object". When an
+ *  object is created, it is associated with an object-specific Mutex to allow
+ *  for synchronization when the fields of the object are modified.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose Mutex is to be locked. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Lock(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Object_Unlock
+ * DESCRIPTION:
+ *
+ *  Unlocks the Mutex associated with the Object pointed to by "object". When
+ *  an object is created, it is associated with an object-specific Mutex to
+ *  allow for synchronization when the fields of the object are modified.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose Mutex is to be unlocked. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Object_Unlock(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+/* mutexes (locks) */
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Mutex and stores it at "pNewLock".
+ *
+ * PARAMETERS:
+ *  "pNewLock"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Create(
+        PKIX_PL_Mutex **pNewLock,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Lock
+ * DESCRIPTION:
+ *
+ *  Locks the Mutex pointed to by "lock". If the Mutex is already locked, this
+ *  function will block the current thread until the mutex can be locked by
+ *  this thread.
+ *
+ * PARAMETERS:
+ *  "lock"
+ *      Address of Mutex to lock. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Lock(
+        PKIX_PL_Mutex *lock,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Unlock
+ * DESCRIPTION:
+ *
+ *  Unlocks the Mutex pointed to by "lock" if the current thread holds the
+ *  Mutex.
+ *
+ * PARAMETERS:
+ *  "lock"
+ *      Address of Mutex to unlock. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Unlock(
+        PKIX_PL_Mutex *lock,
+        void *plContext);
+
+/* monitor (locks) */
+
+/*
+ * FUNCTION: PKIX_PL_MonitorLock_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new PKIX_PL_MonitorLock and stores it at "pNewLock".
+ *
+ * PARAMETERS:
+ *  "pNewLock"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_MonitorLock_Create(
+        PKIX_PL_MonitorLock **pNewLock,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_MonitorLock_Enter
+ * DESCRIPTION:
+ *
+ *  Locks the MonitorLock pointed to by "lock". If the MonitorLock is already
+ *  locked by other thread, this function will block the current thread. If
+ *  the "lock" had been locked by current thread, this function will NOT block.
+ *
+ * PARAMETERS:
+ *  "lock"
+ *      Address of MonitorLock to lock. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_MonitorLock_Enter(
+        PKIX_PL_MonitorLock *lock,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_MonitorLock_Exit
+ * DESCRIPTION:
+ *
+ *  Unlocks the MonitorLock pointed to by "lock" if the lock counter of 
+ *  current thread holds the MonitorLock reach 0, the lock is released.
+ *
+ * PARAMETERS:
+ *  "lock"
+ *      Address of MonitorLock to unlock. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_MonitorLock_Exit(
+        PKIX_PL_MonitorLock *lock,
+        void *plContext);
+
+/* strings and formatted printing */
+
+/*
+ * FUNCTION: PKIX_PL_String_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new String using the data pointed to by "pString", the
+ *  PKIX_UInt32 pointed to by "stringLen", and the PKIX_UInt32 pointed to by
+ *  "fmtIndicator" and stores it at "pString". If the format is PKIX_ESCASCII
+ *  the "stringLen" parameter is ignored and the string extends until a zero
+ *  byte is  found. Once created, a String object is immutable.
+ *
+ *  Valid formats are:
+ *      PKIX_ESCASCII
+ *      PKIX_ESCASCII_DEBUG
+ *      PKIX_UTF8
+ *      PKIX_UTF8_NULL_TERM
+ *      PKIX_UTF16
+ *
+ * PARAMETERS:
+ *  "fmtIndicator"
+ *      Format that "stringRep" is encoded with. Must be non-NULL.
+ *  "stringRep"
+ *      Address of encoded string representation. Must be non-NULL.
+ *  "stringLen"
+ *      Length of data stored at stringRep.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_String_Create(
+        PKIX_UInt32 fmtIndicator,
+        const void *stringRep,
+        PKIX_UInt32 stringLen,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_Sprintf
+ * DESCRIPTION:
+ *
+ *  Creates a formatted string at "pOut" using the given format "fmt" and a
+ *  variable length list of arguments. The format flags are identical to
+ *  standard C with the exception that %s expects a PKIX_PL_String*, rather
+ *  than a char *, and that {%d, %i, %o, %u, %x, %X} expect PKIX_UInt32 or
+ *  PKIX_Int32 instead of int or unsigned int.
+ *
+ * PARAMETERS:
+ *  "pOut"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *  "fmt"
+ *      Address of format string. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Not Thread Safe - Caller must have exclusive access to all arguments.
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Sprintf(
+        PKIX_PL_String **pOut,
+        void *plContext,
+        const PKIX_PL_String *fmt, ...);
+
+/*
+ * FUNCTION: PKIX_PL_GetString
+ * DESCRIPTION:
+ *
+ *  Retrieves the String associated with the value of "stringID" (if any) and
+ *  stores it at "pString". If no such string is associated with "stringID",
+ *  this function uses "defaultString" to create a String and stores it at
+ *  "pString".
+ *
+ * PARAMETERS:
+ *  "stringID"
+ *      PKIX_UInt32 valud of string identifier.
+ *  "defaultString"
+ *      Address of a PKIX_ESCASCII encoded string representation.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_GetString(
+        PKIX_UInt32 stringID,
+        char *defaultString,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_String_GetEncoded
+ * DESCRIPTION:
+ *
+ *  Retrieves the value of the String pointed to by "string" in the encoding
+ *  specified by "fmtIndicator" and stores the result in "pStringRep" and
+ *  "pLength", respectively. Note that "pStringRep" is not reference counted
+ *  and will need to be freed with PKIX_PL_Free().
+ *
+ * PARAMETERS:
+ *  "string"
+ *      Address of String whose encoded value is desired. Must be non-NULL.
+ *  "fmtIndicator"
+ *      Format of encoding. Supported formats are:
+ *      PKIX_ESCASCII, PKIX_ESCASII_DEBUG, PKIX_UTF8, PKIX_UTF8_NULL_TERM, and
+ *      PKIX_UTF16. XXX Where are these documented?
+ *  "pStringRep"
+ *      Address where pointer to encoded value will be stored.
+ *      Must be non-NULL.
+ *  "pLength"
+ *      Address where byte length of encoded value will be stored.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_String_GetEncoded(
+        PKIX_PL_String *string,
+        PKIX_UInt32 fmtIndicator,
+        void **pStringRep,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+/*
+ * Hashtable
+ *
+ * A hashtable is a very efficient data structure used for mapping keys to
+ * values. Any non-null PKIX_PL_Object can be used as a key or as a value,
+ * provided that it correctly implements the PKIX_PL_EqualsCallback and the
+ * PKIX_PL_HashcodeCallback. A hashtable consists of several buckets, with
+ * each bucket capable of holding a linked list of key/value mappings. When
+ * adding, retrieving, or deleting a value, the hashcode of the key is used to
+ * determine which bucket's linked list is relevant. The corresponding
+ * key/value pair is then appended, retrieved, or deleted.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Hashtable with an initial capacity of "numBuckets" buckets
+ *  and "maxEntriesPerBucket" of entries limit for each bucket and stores it
+ *  at "pResult".
+ *
+ * PARAMETERS:
+ *  "numBuckets"
+ *      The initial number of hash table buckets. Must be non-zero.
+ *  "maxEntriesPerBucket"
+ *      The limit of entries per bucket. Zero means no limit.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Create(
+        PKIX_UInt32 numBuckets,
+        PKIX_UInt32 maxEntriesPerBucket,
+        PKIX_PL_HashTable **pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Add
+ * DESCRIPTION:
+ *
+ *  Adds a key/value mapping using the Objects pointed to by "key" and "value"
+ *  to the Hashtable pointed to by "ht".
+ *
+ *  Function increments key/value reference counts. Caller is responsible to
+ *  to decrement(destroy) key/value ref counts(objects). 
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of Hashtable to be added to. Must be non-NULL.
+ *  "key"
+ *      Address of Object to be associated with "value". Must be non-NULL.
+ *  "value"
+ *      Address of Object to be added to Hashtable. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Hashtable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Add(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        PKIX_PL_Object *value,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Remove
+ * DESCRIPTION:
+ *
+ *  Removes the Object value whose key is equal to the Object pointed to by
+ *  "key" from the Hashtable pointed to by "ht". If no such object exists,
+ *  this function throws an Error.
+ *
+ *  Function frees "value" object. Caller is responsible to free "key"
+ *  object.
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of Hashtable to remove object from. Must be non-NULL.
+ *  "key"
+ *      Address of Object used for lookup. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Hashtable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Remove(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Lookup
+ * DESCRIPTION:
+ *
+ *  Retrieves the Object whose key equals the Object pointed to by "key" from
+ *  the Hashtable associated with "ht" and stores it at "pResult". If no
+ *  Object is found, this function stores NULL at "pResult".
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of Hashtable to lookup Object from. Must be non-NULL.
+ *  "key"
+ *      Address of key Object used for lookup. Must be non-NULL.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Hashtable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Lookup(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        PKIX_PL_Object **pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ByteArray using "length" bytes of data pointed to by "array"
+ *  and stores it at "pByteArray". Once created, a ByteArray is immutable.
+ *
+ * PARAMETERS:
+ *  "array"
+ *      Address of source data.
+ *  "length"
+ *      Number of bytes to copy.
+ *  "pByteArray"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_Create(
+        void *array,
+        PKIX_UInt32 length,
+        PKIX_PL_ByteArray **pByteArray,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_GetPointer
+ * DESCRIPTION:
+ *
+ *  Allocates enough memory to hold the contents of the ByteArray pointed to
+ *  by "byteArray", copies the data from the ByteArray pointed to by
+ *  "byteArray" into the newly allocated memory, and stores a pointer to the
+ *  memory at "pArray". Note that "pArray" is not reference counted. It will
+ *  need to be freed with PKIX_PL_Free().
+ *
+ * PARAMETERS:
+ *  "byteArray"
+ *      Address of ByteArray whose data is desired. Must be non-NULL.
+ *  "pArray"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_GetPointer(
+        PKIX_PL_ByteArray *byteArray,
+        void **pArray,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_GetLength
+ * DESCRIPTION:
+ *
+ *  Retrieves the length of the ByteArray pointed to by "byteArray" and stores
+ *  the length at "pLength".
+ *
+ * PARAMETERS:
+ *  "byteArray"
+ *      Address of ByteArray whose length is desired. Must be non-NULL.
+ *  "pLength"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_GetLength(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_OID_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new OID using the string pointed to by "stringRep" and stores it
+ *  at "pOID". The string representation is a null-terminated char * consisting
+ *  of decimal components separated by dots. All other characters are illegal.
+ *  The first field must be be 0, 1 or 2. If the first field is 0 or 1, the
+ *  second field must be between 0 and 39. All fields must be ASCII decimal
+ *  digits less than or equal to 2^32. Once created, an OID is immutable.
+ *
+ *  The regexp format is as follows:
+ *   OID := [0,1,2](.NUM)+
+ *   NUM := [0-9]+
+ *
+ * PARAMETERS:
+ *  "stringRep"
+ *      Address of character data representing an OID. Must be non-NULL.
+ *  "pOID"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OID_Create(
+        char *stringRep,
+        PKIX_PL_OID **pOID,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_BigInt_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new BigInt using the source String pointed to by "stringRep" and
+ *  stores it at "pBigInt". Valid source Strings consist of an even number of
+ *  hexadecimal digits, which are always interpreted as a positive number.
+ *  Once created, a BigInt is immutable.
+ *
+ *  The regexp format is:
+ *      HexDigit  ::= [0-9] | [A-F] | [a-f]
+ *      DoubleHex ::= HexDigit HexDigit
+ *      BigIntSrc ::= (DoubleHex)+
+ *
+ *  Note that since we are using DoubleHex, the number of characters in the
+ *  source MUST be even. Additionally, the first DoubleHex MUST NOT be "00"
+ *  unless it is the only DoubleHex.
+ *
+ *  Valid  :    "09"
+ *  Valid  :    "00"    (special case where first and only DoubleHex is "00")
+ *  Invalid:    "9"     (not DoubleHex: odd number of characters)
+ *  Invalid:    "0009"  (first DoubleHex is "00")
+ *
+ *  XXX Why does this take a String object while OID_Create takes a char* ?
+ *  Perhaps because OID_Create is often used with constant strings and
+ *  this function isn't. That's a good reason, but we should explain it
+ *  (if it's right)
+ * PARAMETERS:
+ *  "stringRep"
+ *      Address of String representing a BigInt. Must be non-NULL.
+ *  "pBigInt"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a BigInt Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_BigInt_Create(
+        PKIX_PL_String *stringRep,
+        PKIX_PL_BigInt **pBigInt,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+/*
+ * FUNCTION: PKIX_PL_GetPLErrorCode
+ * DESCRIPTION:
+ *
+ *  Returns error code from PL layer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  PL layer error code. 
+ */
+int
+PKIX_PL_GetPLErrorCode();
+
+#endif /* _LIBPKIX_SYSTEM_H */
diff --git a/security/nss/lib/libpkix/include/pkix_results.h b/security/nss/lib/libpkix/include/pkix_results.h
new file mode 100755
index 000000000..ea9e77883
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_results.h
@@ -0,0 +1,458 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the results used
+ * by the top-level functions.
+ *
+ */
+
+#ifndef _PKIX_RESULTS_H
+#define _PKIX_RESULTS_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+/* PKIX_ValidateResult
+ *
+ * PKIX_ValidateResult represents the result of a PKIX_ValidateChain call. It
+ * consists of the valid policy tree and public key resulting from validation,
+ * as well as the trust anchor used for this chain. Once created, a
+ * ValidateResult object is immutable.
+ */
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetPolicyTree
+ * DESCRIPTION:
+ *
+ *  Retrieves the PolicyNode component (representing the valid_policy_tree)
+ *  from the ValidateResult object pointed to by "result" and stores it at
+ *  "pPolicyTree".
+ *
+ * PARAMETERS:
+ *  "result"
+ *      Address of ValidateResult whose policy tree is to be stored. Must be
+ *      non-NULL.
+ *  "pPolicyTree"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetPolicyTree(
+        PKIX_ValidateResult *result,
+        PKIX_PolicyNode **pPolicyTree,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetPublicKey
+ * DESCRIPTION:
+ *
+ *  Retrieves the PublicKey component (representing the valid public_key) of
+ *  the ValidateResult object pointed to by "result" and stores it at
+ *  "pPublicKey".
+ *
+ * PARAMETERS:
+ *  "result"
+ *      Address of ValidateResult whose public key is to be stored.
+ *      Must be non-NULL.
+ *  "pPublicKey"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetPublicKey(
+        PKIX_ValidateResult *result,
+        PKIX_PL_PublicKey **pPublicKey,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetTrustAnchor
+ * DESCRIPTION:
+ *
+ *  Retrieves the TrustAnchor component (representing the trust anchor used
+ *  during chain validation) of the ValidateResult object pointed to by
+ *  "result" and stores it at "pTrustAnchor".
+ *
+ * PARAMETERS:
+ *  "result"
+ *      Address of ValidateResult whose trust anchor is to be stored.
+ *      Must be non-NULL.
+ *  "pTrustAnchor"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetTrustAnchor(
+        PKIX_ValidateResult *result,
+        PKIX_TrustAnchor **pTrustAnchor,
+        void *plContext);
+
+/* PKIX_BuildResult
+ *
+ * PKIX_BuildResult represents the result of a PKIX_BuildChain call. It
+ * consists of a ValidateResult object, as well as the built and validated
+ * CertChain. Once created, a BuildResult object is immutable.
+ */
+
+/*
+ * FUNCTION: PKIX_BuildResult_GetValidateResult
+ * DESCRIPTION:
+ *
+ *  Retrieves the ValidateResult component (representing the build's validate
+ *  result) of the BuildResult object pointed to by "result" and stores it at
+ *  "pResult".
+ *
+ * PARAMETERS:
+ *  "result"
+ *      Address of BuildResult whose ValidateResult component is to be stored.
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_BuildResult_GetValidateResult(
+        PKIX_BuildResult *result,
+        PKIX_ValidateResult **pResult,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_BuildResult_GetCertChain
+ * DESCRIPTION:
+ *
+ *  Retrieves the List of Certs (certChain) component (representing the built
+ *  and validated CertChain) of the BuildResult object pointed to by "result"
+ *  and stores it at "pChain".
+ *
+ * PARAMETERS:
+ *  "result"
+ *      Address of BuildResult whose CertChain component is to be stored.
+ *      Must be non-NULL.
+ *  "pChain"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_BuildResult_GetCertChain(
+        PKIX_BuildResult *result,
+        PKIX_List **pChain,
+        void *plContext);
+
+/* PKIX_PolicyNode
+ *
+ * PKIX_PolicyNode represents a node in the policy tree returned in
+ * ValidateResult. The policy tree is the same length as the validated
+ * certificate chain and the nodes are associated with a particular depth
+ * (corresponding to a particular certificate in the chain).
+ * PKIX_ValidateResult_GetPolicyTree returns the root node of the valid policy
+ * tree. Other nodes can be accessed using the getChildren and getParents
+ * functions, and individual elements of a node can be accessed with the
+ * appropriate gettors. Once created, a PolicyNode is immutable.
+ */
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetChildren
+ * DESCRIPTION:
+ *
+ *  Retrieves the List of PolicyNodes representing the child nodes of the
+ *  Policy Node pointed to by "node" and stores it at "pChildren". If "node"
+ *  has no child nodes, this function stores an empty List at "pChildren".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose child nodes are to be stored.
+ *      Must be non-NULL.
+ *  "pChildren"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetChildren(
+        PKIX_PolicyNode *node,
+        PKIX_List **pChildren,  /* list of PKIX_PolicyNode */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetParent
+ * DESCRIPTION:
+ *
+ *  Retrieves the PolicyNode representing the parent node of the PolicyNode
+ *  pointed to by "node" and stores it at "pParent". If "node" has no parent
+ *  node, this function stores NULL at "pParent".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose parent node is to be stored.
+ *      Must be non-NULL.
+ *  "pParent"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetParent(
+        PKIX_PolicyNode *node,
+        PKIX_PolicyNode **pParent,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetValidPolicy
+ * DESCRIPTION:
+ *
+ *  Retrieves the OID representing the valid policy of the PolicyNode pointed
+ *  to by "node" and stores it at "pValidPolicy".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose valid policy is to be stored.
+ *      Must be non-NULL.
+ *  "pValidPolicy"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetValidPolicy(
+        PKIX_PolicyNode *node,
+        PKIX_PL_OID **pValidPolicy,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetPolicyQualifiers
+ * DESCRIPTION:
+ *
+ *  Retrieves the List of CertPolicyQualifiers representing the policy
+ *  qualifiers associated with the PolicyNode pointed to by "node" and stores
+ *  it at "pQualifiers". If "node" has no policy qualifiers, this function
+ *  stores an empty List at "pQualifiers".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose policy qualifiers are to be stored.
+ *      Must be non-NULL.
+ *  "pQualifiers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetPolicyQualifiers(
+        PKIX_PolicyNode *node,
+        PKIX_List **pQualifiers,  /* list of PKIX_PL_CertPolicyQualifier */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetExpectedPolicies
+ * DESCRIPTION:
+ *
+ *  Retrieves the List of OIDs representing the expected policies associated
+ *  with the PolicyNode pointed to by "node" and stores it at "pExpPolicies".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose expected policies are to be stored.
+ *      Must be non-NULL.
+ *  "pExpPolicies"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetExpectedPolicies(
+        PKIX_PolicyNode *node,
+        PKIX_List **pExpPolicies,  /* list of PKIX_PL_OID */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_IsCritical
+ * DESCRIPTION:
+ *
+ *  Checks the criticality field of the PolicyNode pointed to by "node" and
+ *  stores the Boolean result at "pCritical".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose criticality field is examined.
+ *      Must be non-NULL.
+ *  "pCritical"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_IsCritical(
+        PKIX_PolicyNode *node,
+        PKIX_Boolean *pCritical,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetDepth
+ * DESCRIPTION:
+ *
+ *  Retrieves the depth component of the PolicyNode pointed to by "node" and
+ *  stores it at "pDepth".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose depth component is to be stored.
+ *      Must be non-NULL.
+ *  "pDepth"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Result Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetDepth(
+        PKIX_PolicyNode *node,
+        PKIX_UInt32 *pDepth,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_RESULTS_H */
diff --git a/security/nss/lib/libpkix/include/pkix_revchecker.h b/security/nss/lib/libpkix/include/pkix_revchecker.h
new file mode 100755
index 000000000..55ff847d4
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_revchecker.h
@@ -0,0 +1,268 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with the PKIX_RevocationChecker
+ * type.
+ *
+ */
+
+#ifndef _PKIX_REVCHECKER_H
+#define _PKIX_REVCHECKER_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_RevocationChecker
+ *
+ * PKIX_RevocationCheckers provide a standard way for the caller to insert
+ * their own custom revocation checks to verify the revocation status of
+ * certificates. This may be useful in many scenarios, including when the
+ * caller wishes to use their own revocation checking mechanism instead of (or
+ * in addition to) the default revocation checking mechanism provided by
+ * libpkix, which uses CRLs. The RevCallback allows custom revocation checking
+ * to take place. Additionally, the RevocationChecker can be initialized with
+ * a revCheckerContext, which is where the caller can specify configuration
+ * data such as the IP address of a revocation server. Note that this
+ * revCheckerContext must be a PKIX_PL_Object, allowing it to be
+ * reference-counted and allowing it to provide the standard PKIX_PL_Object
+ * functions (Equals, Hashcode, ToString, Compare, Duplicate).
+ *
+ * Once the caller has created the RevocationChecker object(s), the caller
+ * then specifies the RevocationChecker object(s) in a ProcessingParams object
+ * and passes that object to PKIX_ValidateChain or PKIX_BuildChain, which uses
+ * the objects to call the user's callback functions as needed during the
+ * validation or building process.
+ *
+ * Note that if multiple revocation checkers are added, the order is
+ * important, in that each revocation checker will be called sequentially
+ * until the revocation status can be determined or all the revocation checkers
+ * have been called. Also note that the default CRL revocation checker will
+ * always be called last after all the custom revocation checkers have been
+ * called. This default CRL revocation checking can be disabled by calling
+ * PKIX_ProcessingParams_SetRevocationEnabled with a Boolean parameter of
+ * PKIX_FALSE. This will ONLY disable the CRL revocation checker, not the
+ * custom RevocationCheckers specified by the caller.
+ *
+ * For example, assume the caller specifies an OCSP RevocationChecker in the
+ * ProcessingParams object. Let's look at two scenarios:
+ *
+ * 1) SetRevocationEnabled(PKIX_FALSE)
+ *
+ *      The OCSP RevocationChecker will be used. If it is unable to determine
+ *      whether the certificate has been revoked (perhaps the network is down),
+ *      the revocation check fails safe and the certificate is rejected
+ *      (assumed to be revoked).
+ *
+ * 2) SetRevocationEnabled(PKIX_TRUE)
+ *      [This doesn't need to be called, since this is the default behavior]
+ *
+ *      The OCSP RevocationChecker will be used first. If it is unable to
+ *      determine whether the certificate has been revoked (perhaps the network
+ *      is down), the default CRL revocation checker is used next. If it is
+ *      also unable to determine whether the certificate has been revoked, the
+ *      revocation check fails safe. Note that this is a useful scenario where
+ *      the CRL check is only done if the OCSP check is unable to take place.
+ */
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_RevCallback
+ * DESCRIPTION:
+ *
+ *  This callback function determines the revocation status of the specified
+ *  Cert pointed to by "cert" and stores it at "pResultCode". If a checker
+ *  initiates non-blocking I/O, it stores a platform-dependent non-blocking
+ *  I/O context at "pNBIOContext". A subsequent call with that same value on
+ *  input allows the operation to continue. On completion, with no non-blocking
+ *  I/O pending, NULL is stored at "pNBIOContext".
+ *
+ * PARAMETERS:
+ *  "revCheckerContext"
+ *      Address of RevocationCheckerContext for the RevocationChecker whose
+ *      RevCallback logic is to be used. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert whose revocation status is to be determined.
+ *      Must be non-NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize the checker.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent non-blocking I/O context is stored.
+ *      Must be non-NULL.
+ *  "pResultCode"
+ *      Address where revocation status will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same objects.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_RevocationChecker_RevCallback)(
+        PKIX_PL_Object *revCheckerContext,
+        PKIX_PL_Cert *cert,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        PKIX_UInt32 *pResultCode,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new RevocationChecker using the Object pointed to by
+ *  "revCheckerContext" (if any) and stores it at "pRevChecker". The new
+ *  RevocationChecker uses the RevCallback pointed to by "callback". Once
+ *  created, a RevocationChecker is immutable.
+ * PARAMETERS:
+ *  "callback"
+ *      The RevCallback function to be used. Must be non-NULL.
+ *  "revCheckerContext"
+ *      Address of Object representing the RevocationChecker's context.
+ *  "pRevChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see THREAD SAFETY DEFINITIONS at top of file)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_RevocationChecker_Create(
+        PKIX_RevocationChecker_RevCallback callback,
+        PKIX_PL_Object *revCheckerContext,
+        PKIX_RevocationChecker **pRevChecker,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_GetRevCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "revChecker's" Rev callback function and puts it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "revChecker"
+ *      The RevocationChecker whose Rev callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Rev callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see THREAD SAFETY DEFINITIONS at top of file)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_RevocationChecker_GetRevCallback(
+        PKIX_RevocationChecker *revChecker,
+        PKIX_RevocationChecker_RevCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_GetRevCheckerContext
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_PL_Object representing the context (if any)
+ *  of the RevocationChecker pointed to by "revChecker" and stores it at
+ *  "pRevCheckerContext".
+ *
+ * PARAMETERS:
+ *  "revChecker"
+ *      Address of RevocationChecker whose context is to be stored.
+ *      Must be non-NULL.
+ *  "pRevCheckerContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see THREAD SAFETY DEFINITIONS at top of file)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_RevocationChecker_GetRevCheckerContext(
+        PKIX_RevocationChecker *revChecker,
+        PKIX_PL_Object **pRevCheckerContext,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_REVCHECKER_H */
diff --git a/security/nss/lib/libpkix/include/pkix_sample_modules.h b/security/nss/lib/libpkix/include/pkix_sample_modules.h
new file mode 100755
index 000000000..4d498b5a2
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_sample_modules.h
@@ -0,0 +1,429 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines functions associated with CertStore types.
+ *
+ */
+
+
+#ifndef _PKIX_SAMPLEMODULES_H
+#define _PKIX_SAMPLEMODULES_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_PL_CollectionCertStore
+ *
+ * A PKIX_CollectionCertStore provides an example for showing how to retrieve
+ * certificates and CRLs from a repository, such as a directory in the system.
+ * It is expected the directory is an absolute directory which contains CRL
+ * and Cert data files.  CRL files are expected to have the suffix of .crl
+ * and Cert files are expected to have the suffix of .crt .
+ *
+ * Once the caller has created the CollectionCertStoreContext object, the caller
+ * then can call pkix_pl_CollectionCertStore_GetCert or
+ * pkix_pl_CollectionCertStore_GetCRL to obtain Lists of PKIX_PL_Cert or
+ * PKIX_PL_CRL objects, respectively.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_CollectionCertStore_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CollectionCertStore and returns it at
+ *      "pColCertStore".
+ *
+ * PARAMETERS:
+ *  "storeDir"
+ *      The absolute path where *.crl files are located.
+ *  "pColCertStoreContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_CollectionCertStore_Create(
+        PKIX_PL_String *storeDir,
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+/* PKIX_PL_PK11CertStore
+ *
+ * A PKIX_PL_PK11CertStore retrieves certificates and CRLs from a PKCS11
+ * database. The directory that contains the cert8.db, key3.db, and secmod.db
+ * files that comprise a PKCS11 database are specified in NSS initialization.
+ *
+ * Once the caller has created the Pk11CertStore object, the caller can call
+ * pkix_pl_Pk11CertStore_GetCert or pkix_pl_Pk11CertStore_GetCert to obtain
+ * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_Pk11CertStore_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Pk11CertStore and returns it at "pPk11CertStore".
+ *
+ * PARAMETERS:
+ *  "pPk11CertStore"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_Pk11CertStore_Create(
+        PKIX_CertStore **pPk11CertStore,
+        void *plContext);
+
+/* PKIX_PL_LdapCertStore
+ *
+ * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server
+ * over a socket connection. It used the LDAP protocol as described in RFC1777.
+ *
+ * Once the caller has created the LdapCertStore object, the caller can call
+ * pkix_pl_LdapCertStore_GetCert or pkix_pl_LdapCertStore_GetCert to obtain
+ * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_LdapDefaultClient_Create
+ * DESCRIPTION:
+ *
+ *  Creates an LdapDefaultClient using the PRNetAddr poined to by "sockaddr",
+ *  with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI";
+ *  and stores the address of the default LdapClient at "pClient".
+ *
+ *  At the time of this version, there are unresolved questions about the LDAP
+ *  protocol. Although RFC1777 describes a BIND and UNBIND message, it is not
+ *  clear whether they are appropriate to this application. We have tested only
+ *  using servers that do not expect authentication, and that reject BIND
+ *  messages. It is not clear what values might be appropriate for the bindname
+ *  and authentication fields, which are currently implemented as char strings
+ *  supplied by the caller. (If this changes, the API and possibly the templates
+ *  will have to change.) Therefore the Client_Create API contains a BindAPI
+ *  structure, a union, which will have to be revised and extended when this
+ *  area of the protocol is better understood.
+ *
+ * PARAMETERS:
+ *  "sockaddr"
+ *      Address of the PRNetAddr to be used for the socket connection. Must be
+ *      non-NULL.
+ *  "timeout"
+ *      The PRIntervalTime value to be used as a timeout value in socket calls;
+ *      a zero value indicates non-blocking I/O is to be used.
+ *  "bindAPI"
+ *      The address of a BindAPI to be used if a BIND message is required. If
+ *      this argument is NULL, no Bind (or Unbind) will be sent.
+ *  "pClient"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapDefaultClient_Create(
+        PRNetAddr *sockaddr,
+        PRIntervalTime timeout,
+        LDAPBindAPI *bindAPI,
+        PKIX_PL_LdapDefaultClient **pClient,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_LdapDefaultClient_CreateByName
+ * DESCRIPTION:
+ *
+ *  Creates an LdapDefaultClient using the hostname poined to by "hostname",
+ *  with a timeout value of "timeout", and a BindAPI pointed to by "bindAPI";
+ *  and stores the address of the default LdapClient at "pClient".
+ *
+ *  At the time of this version, there are unresolved questions about the LDAP
+ *  protocol. Although RFC1777 describes a BIND and UNBIND message, it is not
+ *  clear whether they are appropriate to this application. We have tested only
+ *  using servers that do not expect authentication, and that reject BIND
+ *  messages. It is not clear what values might be appropriate for the bindname
+ *  and authentication fields, which are currently implemented as char strings
+ *  supplied by the caller. (If this changes, the API and possibly the templates
+ *  will have to change.) Therefore the Client_Create API contains a BindAPI
+ *  structure, a union, which will have to be revised and extended when this
+ *  area of the protocol is better understood.
+ *
+ * PARAMETERS:
+ *  "hostname"
+ *      Address of the hostname to be used for the socket connection. Must be
+ *      non-NULL.
+ *  "timeout"
+ *      The PRIntervalTime value to be used as a timeout value in socket calls;
+ *      a zero value indicates non-blocking I/O is to be used.
+ *  "bindAPI"
+ *      The address of a BindAPI to be used if a BIND message is required. If
+ *      this argument is NULL, no Bind (or Unbind) will be sent.
+ *  "pClient"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapDefaultClient_CreateByName(
+        char *hostname,
+        PRIntervalTime timeout,
+        LDAPBindAPI *bindAPI,
+        PKIX_PL_LdapDefaultClient **pClient,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_LdapCertStore_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new LdapCertStore using the LdapClient pointed to by "client",
+ *  and stores the address of the CertStore at "pCertStore".
+ *
+ * PARAMETERS:
+ *  "client"
+ *      Address of the LdapClient to be used. Must be non-NULL.
+ *  "pCertStore"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapCertStore_Create(
+        PKIX_PL_LdapClient *client,
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_EkuChecker_Create
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with EkuCheckerState and add it into
+ *  PKIX_ProcessingParams object.
+ *
+ * PARAMETERS
+ *  "params"
+ *      a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of
+ *      Extended Key Usage OIDs specified by application can be retrieved for
+ *      verification.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a UserDefinedModules Error if the function fails in a non-fatal
+ *  way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+PKIX_PL_EkuChecker_Create(
+        PKIX_ProcessingParams *params,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_PL_EkuChecker_GetRequiredEku
+ *
+ * DESCRIPTION:
+ *  This function retrieves application specified ExtenedKeyUsage(s) from
+ *  ComCertSetparams and converts its OID representations to SECCertUsageEnum.
+ *  The result is stored and returned in bit mask at "pRequiredExtKeyUsage".
+ *
+ * PARAMETERS
+ *  "certSelector"
+ *      a PKIX_CertSelector links to PKIX_ComCertSelParams where a list of
+ *      Extended Key Usage OIDs specified by application can be retrieved for
+ *      verification. Must be non-NULL.
+ *  "pRequiredExtKeyUsage"
+ *      Address where the result is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a UserDefinedModules Error if the function fails in a non-fatal
+ *  way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_pl_EkuChecker_GetRequiredEku(
+        PKIX_CertSelector *certSelector,
+        PKIX_UInt32 *pRequiredExtKeyUsage,
+        void *plContext);
+
+/* PKIX_PL_NssContext
+ *
+ * A PKIX_PL_NssContext provides an example showing how the "plContext"
+ * argument, that is part of every libpkix function call, can be used.
+ * The "plContext" is the Portability Layer Context, which can be used
+ * to communicate layer-specific information from the application to the
+ * underlying Portability Layer (while bypassing the Portable Code, which
+ * blindly passes the plContext on to every function call).
+ *
+ * In this case, NSS serves as both the application and the Portability Layer.
+ * We define an NSS-specific structure, which includes an arena and a number
+ * of SECCertificateUsage bit flags encoded as a PKIX_UInt32. A third argument,
+ * wincx, is used on Windows platforms for PKCS11 access, and should be set to
+ * NULL for other platforms.
+ * Before calling any of the libpkix functions, the caller should create the NSS
+ * context, by calling PKIX_PL_NssContext_Create, and provide that NSS context
+ * as the "plContext" argument in every libpkix function call the caller makes.
+ * When the caller is finished using the NSS context (usually just after he
+ * calls PKIX_Shutdown), the caller should call PKIX_PL_NssContext_Destroy to
+ * free the NSS context structure.
+ */
+
+/*
+ * FUNCTION: PKIX_PL_NssContext_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new NssContext using the certificate usage(s) specified by
+ *  "certUsage" and stores it at "pNssContext". This function also internally
+ *  creates an arena and stores it as part of the NssContext structure. Unlike
+ *  most other libpkix API functions, this function does not take a "plContext"
+ *  parameter.
+ *
+ * PARAMETERS:
+ *  "certUsage"
+ *      The desired SECCertificateUsage(s).
+ *  "useNssArena"
+ *      Boolean flag indicates NSS Arena is used for memory allocation.
+ *  "wincx"
+ *      A Windows-dependent pointer for PKCS11 token handling.
+ *  "pNssContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Context Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_NssContext_Create(
+        PKIX_UInt32 certificateUsage,
+        PKIX_Boolean useNssArena,
+        void *wincx,
+        void **pNssContext);
+
+/*
+ * FUNCTION: PKIX_PL_NssContext_Destroy
+ * DESCRIPTION:
+ *
+ *  Frees the structure pointed to by "nssContext" along with any of its
+ *  associated memory. Unlike most other libpkix API functions, this function
+ *  does not take a "plContext" parameter.
+ *
+ * PARAMETERS:
+ *  "nssContext"
+ *      Address of NssContext to be destroyed. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Context Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_NssContext_Destroy(
+        void *nssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_SAMPLEMODULES_H */
diff --git a/security/nss/lib/libpkix/include/pkix_util.h b/security/nss/lib/libpkix/include/pkix_util.h
new file mode 100755
index 000000000..619c9c05d
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkix_util.h
@@ -0,0 +1,974 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * These functions provide support for a number of other functions
+ * by creating and manipulating data structures used by those functions.
+ *
+ */
+
+#ifndef _PKIX_UTIL_H
+#define _PKIX_UTIL_H
+
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* General
+ *
+ * Please refer to the libpkix Programmer's Guide for detailed information
+ * about how to use the libpkix library. Certain key warnings and notices from
+ * that document are repeated here for emphasis.
+ *
+ * All identifiers in this file (and all public identifiers defined in
+ * libpkix) begin with "PKIX_". Private identifiers only intended for use
+ * within the library begin with "pkix_".
+ *
+ * A function returns NULL upon success, and a PKIX_Error pointer upon failure.
+ *
+ * Unless otherwise noted, for all accessor (gettor) functions that return a
+ * PKIX_PL_Object pointer, callers should assume that this pointer refers to a
+ * shared object. Therefore, the caller should treat this shared object as
+ * read-only and should not modify this shared object. When done using the
+ * shared object, the caller should release the reference to the object by
+ * using the PKIX_PL_Object_DecRef function.
+ *
+ * While a function is executing, if its arguments (or anything referred to by
+ * its arguments) are modified, free'd, or destroyed, the function's behavior
+ * is undefined.
+ *
+ */
+
+/* PKIX_Logger
+ *
+ * PKIX_Loggers provide a standard way for the caller to insert custom logging
+ * facilities. These are used by libpkix to log errors, debug information,
+ * status, etc. The LogCallback allows custom logging to take place.
+ * Additionally, a Logger can be initialized with a loggerContext, which is
+ * where the caller can specify configuration data such as the name of a
+ * logfile or database. Note that this loggerContext must be a PKIX_PL_Object,
+ * allowing it to be reference-counted and allowing it to provide the standard
+ * PKIX_PL_Object functions (Equals, Hashcode, ToString, Compare, Duplicate).
+ *
+ * Once the caller has created the Logger object(s) (and set the loggerContext
+ * (if any) and the Log callback), the caller then registers these Loggers
+ * with the system by calling PKIX_SetLoggers or PKIX_AddLogger. All log
+ * entries will then be logged using the specified Loggers. If multiple
+ * Loggers are specified, every log entry will be logged with each of them.
+ *
+ * XXX Maybe give some guidance somewhere on how much detail each logging
+ * level should have and where component boundaries should be. Maybe in
+ * Implementor's Guide or Programmer's Guide.
+ */
+
+#define PKIX_LOGGER_LEVEL_TRACE                5
+#define PKIX_LOGGER_LEVEL_DEBUG                4
+#define PKIX_LOGGER_LEVEL_WARNING              3
+#define PKIX_LOGGER_LEVEL_ERROR                2
+#define PKIX_LOGGER_LEVEL_FATALERROR           1
+
+#define PKIX_LOGGER_LEVEL_MAX                  5
+
+/*
+ * FUNCTION: PKIX_Logger_LogCallback
+ * DESCRIPTION:
+ *
+ *  This callback function logs a log entry containing the String pointed to
+ *  by "message", the integer value of logLevel, and the String pointed to by
+ *  "logComponent". A log entry can be associated with a particular log
+ *  level (i.e. level 3) and a particular log component (i.e. "CertStore").
+ *  For example, someone reading the log may only be interested in very general
+ *  log entries so they look only for log level 1. Similarly, they may only be
+ *  interested in log entries pertaining to the CertStore component so they
+ *  look only for that log component. This function can be used before calling
+ *  PKIX_Initialize.
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of logger whose LogCallback is to be used. Must be non-NULL.
+ *  "message"
+ *      Address of String that is to be logged used "logger". Must be non-NULL.
+ *  "logLevel"
+ *      Integer value representing the log level for this entry. The higher the
+ *      level, the more detail. Must be non-NULL.
+ *  "logComponent"
+ *      PKIXERRORNUM value (defined in pkixt.h) designating the log component
+ *      for this entry.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe
+ *
+ *  Multiple threads must be able to safely call this function without
+ *  worrying about conflicts, even if they're operating on the same objects.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+typedef PKIX_Error *
+(*PKIX_Logger_LogCallback)(
+        PKIX_Logger *logger,
+        PKIX_PL_String *message,
+        PKIX_UInt32 logLevel,
+        PKIX_ERRORCLASS logComponent,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Logger using the Object pointed to by "loggerContext"
+ *  (if any) and stores it at "pLogger". The new Logger uses the LogCallback
+ *  pointed to by "callback". The Logger's maximum logging level is initially
+ *  set to a very high level and its logging component is set to NULL (all
+ *  components).
+ *
+ * PARAMETERS:
+ *  "callback"
+ *      The LogCallback function to be used. Must be non-NULL.
+ *  "loggerContext"
+ *      Address of Object representing the Logger's context (if any).
+ *  "pLogger"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_Create(
+        PKIX_Logger_LogCallback callback,
+        PKIX_PL_Object *loggerContext,
+        PKIX_Logger **pLogger,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_GetLogCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to "logger's" Log callback function and puts it in
+ *  "pCallback".
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose Log callback is desired. Must be non-NULL.
+ *  "pCallback"
+ *      Address where Log callback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_GetLogCallback(
+        PKIX_Logger *logger,
+        PKIX_Logger_LogCallback *pCallback,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_GetLoggerContext
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_PL_Object representing the context (if any)
+ *  of the Logger pointed to by "logger" and stores it at "pLoggerContext".
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose context is to be stored. Must be non-NULL.
+ *  "pLoggerContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_GetLoggerContext(
+        PKIX_Logger *logger,
+        PKIX_PL_Object **pLoggerContext,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_GetMaxLoggingLevel
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a PKIX_UInt32 representing the maximum logging
+ *  level of the Logger pointed to by "logger" and stores it at "pLevel". Only
+ *  log entries whose log level is less than or equal to this maximum logging
+ *  level will be logged.
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose maximum logging level is to be stored.
+ *      Must be non-NULL.
+ *  "pLevel"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_GetMaxLoggingLevel(
+        PKIX_Logger *logger,
+        PKIX_UInt32 *pLevel,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_SetMaxLoggingLevel
+ * DESCRIPTION:
+ *
+ *  Sets the maximum logging level of the Logger pointed to by "logger" with
+ *  the integer value of "level".
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose maximum logging level is to be set.
+ *      Must be non-NULL.
+ *  "level"
+ *      Maximum logging level to be set
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "logger"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_SetMaxLoggingLevel(
+        PKIX_Logger *logger,
+        PKIX_UInt32 level,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_GetLoggingComponent
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to a String representing the logging component of the
+ *  Logger pointed to by "logger" and stores it at "pComponent". Only log
+ *  entries whose log component matches the specified logging component will
+ *  be logged.
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose logging component is to be stored.
+ *      Must be non-NULL.
+ *  "pComponent"
+ *      Address where PKIXERRORNUM will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_GetLoggingComponent(
+        PKIX_Logger *logger,
+        PKIX_ERRORCLASS *pComponent,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Logger_SetLoggingComponent
+ * DESCRIPTION:
+ *
+ *  Sets the logging component of the Logger pointed to by "logger" with the
+ *  PKIXERRORNUM pointed to by "component". To match a small set of components,
+ *  create a Logger for each.
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger whose logging component is to be set.
+ *      Must be non-NULL.
+ *  "component"
+ *      PKIXERRORNUM value representing logging component to be set.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "logger"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Logger_SetLoggingComponent(
+        PKIX_Logger *logger,
+        PKIX_ERRORCLASS component,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_GetLoggers
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of Loggers (if any) being used for logging
+ *  by libpkix and stores it at "pLoggers". If no loggers are being used, this
+ *  function stores an empty List at "pLoggers".
+ *
+ *  Note that the List returned by this function is immutable.
+ *
+ * PARAMETERS:
+ *  "pLoggers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_GetLoggers(
+        PKIX_List **pLoggers,  /* list of PKIX_Logger */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_SetLoggers
+ * DESCRIPTION:
+ *
+ *  Sets the Loggers to be used by libpkix to the List of Loggers pointed to
+ *  by "loggers". If "loggers" is NULL, no Loggers will be used.
+ *
+ * PARAMETERS:
+ *  "loggers"
+ *      Address of List of Loggers to be set. NULL for no Loggers.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_SetLoggers(
+        PKIX_List *loggers,  /* list of PKIX_Logger */
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_AddLogger
+ * DESCRIPTION:
+ *
+ *  Adds the Logger pointed to by "logger" to the List of Loggers used by
+ *  libpkix.
+ *
+ * PARAMETERS:
+ *  "logger"
+ *      Address of Logger to be added. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Logger Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_AddLogger(
+        PKIX_Logger *logger,
+        void *plContext);
+
+/* Functions pertaining to the PKIX_Error type */
+
+/* Error
+ *
+ * An Error object is returned by a function upon encountering some error
+ * condition. Each Error is associated with an errorCode specified in pkixt.h.
+ * The remaining components of an Error are optional. An Error's description
+ * specifies a text message describing the Error. An Error's supplementary info
+ * specifies additional information that might be useful. Finally, an Error's
+ * cause specifies the underlying Error (if any) that resulted in this Error
+ * being returned, thereby allowing Errors to be chained so that an entire
+ * "error stack trace" can be represented. Once created, an Error is immutable.
+ *
+ * Note that the Error's supplementary info must be an Object (although any
+ * object type), allowing it to be reference-counted and allowing it to
+ * provide the standard Object functions (Equals, Hashcode, ToString, Compare,
+ * Duplicate).
+ *
+ * Errors are classified as either being fatal or non-fatal. If a function
+ * fails in an unrecoverable way, it returns an Error whose errorCode is
+ * PKIX_FATAL_ERROR. If such an error is encountered, the caller should
+ * not attempt to recover since something seriously wrong has happened
+ * (e.g. corrupted memory, memory finished, etc.). All other errorCodes
+ * are considered non-fatal errors and can be handled by the caller as they
+ * see fit.
+ */
+
+/*
+ * FUNCTION: PKIX_Error_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Error using the value of "errorCode", the Error pointed to by
+ *  "cause" (if any), the Object pointed to by "info" (if any), and the String
+ *  pointed to by "desc" and stores it at "pError". If any error occurs during
+ *  error allocation, it will be returned without chaining, since new errors
+ *  cannot be created. Once created, an Error is immutable.
+ *
+ * PARAMETERS:
+ *  "errorCode"
+ *      Value of error code.
+ *  "cause"
+ *      Address of Error representing error's cause.
+ *      NULL if none or unspecified.
+ *  "info"
+ *      Address of Object representing error's supplementary information.
+ *      NULL if none.
+ *  "desc"
+ *      Address of String representing error's description. NULL if none.
+ *  "pError"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_Create(
+        PKIX_ERRORCLASS errClass,
+        PKIX_Error *cause,
+        PKIX_PL_Object *info,
+        PKIX_ERRORCODE errCode,
+        PKIX_Error **pError,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Error_GetErrorClass
+ * DESCRIPTION:
+ *
+ *  Retrieves the error class of the Error pointed to by "error" and 
+ *  stores it at "pClass". Supported error codes are defined in pkixt.h.
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error whose error code is desired. Must be non-NULL.
+ *  "pClass"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_GetErrorClass(
+        PKIX_Error *error,
+        PKIX_ERRORCLASS *pClass,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Error_GetErrorCode
+ * DESCRIPTION:
+ *
+ *  Retrieves the error code of the Error pointed to by "error" and 
+ *  stores it at "pCode". Supported error codes are defined in pkixt.h.
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error whose error code is desired. Must be non-NULL.
+ *  "pCode"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_GetErrorCode(
+        PKIX_Error *error,
+        PKIX_ERRORCODE *pCode,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Error_GetCause
+ * DESCRIPTION:
+ *
+ *  Retrieves the cause of the Error pointed to by "error" and stores it at
+ *  "pCause". If no cause was specified, NULL will be stored at "pCause".
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error whose cause is desired. Must be non-NULL.
+ *  "pCause"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_GetCause(
+        PKIX_Error *error,
+        PKIX_Error **pCause,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Error_GetSupplementaryInfo
+ * DESCRIPTION:
+ *
+ *  Retrieves the supplementary info of the Error pointed to by "error" and
+ *  stores it at "pInfo".
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error whose info is desired. Must be non-NULL.
+ *  "pInfo"
+ *      Address where info pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_GetSupplementaryInfo(
+        PKIX_Error *error,
+        PKIX_PL_Object **pInfo,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_Error_GetDescription
+ * DESCRIPTION:
+ *
+ *  Retrieves the description of the Error pointed to by "error" and stores it
+ *  at "pDesc". If no description was specified, NULL will be stored at
+ *  "pDesc".
+ *
+ * PARAMETERS:
+ *  "error"
+ *      Address of Error whose description is desired. Must be non-NULL.
+ *  "pDesc"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_Error_GetDescription(
+        PKIX_Error *error,
+        PKIX_PL_String **pDesc,
+        void *plContext);
+
+/* PKIX_List
+ *
+ * Represents a collection of items. NULL is considered a valid item.
+ */
+
+/*
+ * FUNCTION: PKIX_List_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new List and stores it at "pList". The List is initially empty
+ *  and holds no items. To initially add items to the List, use
+ *  PKIX_List_AppendItem
+ *
+ * PARAMETERS:
+ *  "pList"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_Create(
+        PKIX_List **pList,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_SetImmutable
+ * DESCRIPTION:
+ *
+ *  Sets the List pointed to by "list" to be immutable. If a caller tries to
+ *  change a List after it has been marked immutable (i.e. by calling
+ *  PKIX_List_AppendItem, PKIX_List_InsertItem, PKIX_List_SetItem, or
+ *  PKIX_List_DeleteItem), an Error is returned.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to be marked immutable. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "list"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_SetImmutable(
+        PKIX_List *list,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_IsImmutable
+ * DESCRIPTION:
+ *
+ *  Checks whether the List pointed to by "list" is immutable and stores
+ *  the Boolean result at "pImmutable". If a caller tries to change a List
+ *  after it has been marked immutable (i.e. by calling PKIX_List_AppendItem,
+ *  PKIX_List_InsertItem, PKIX_List_SetItem, or PKIX_List_DeleteItem), an
+ *  Error is returned.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List whose immutability is to be determined.
+ *      Must be non-NULL.
+ *  "pImmutable"
+ *      Address where PKIX_Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_IsImmutable(
+        PKIX_List *list,
+        PKIX_Boolean *pImmutable,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_GetLength
+ * DESCRIPTION:
+ *
+ *  Retrieves the length of the List pointed to by "list" and stores it at
+ *  "pLength".
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List whose length is desired. Must be non-NULL.
+ *  "pLength"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_GetLength(
+        PKIX_List *list,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_IsEmpty
+ * DESCRIPTION:
+ *
+ *  Checks whether the List pointed to by "list" is empty and stores
+ *  the Boolean result at "pEmpty".
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List whose emptiness is to be determined. Must be non-NULL.
+ *  "pEmpty"
+ *      Address where PKIX_Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_IsEmpty(
+        PKIX_List *list,
+        PKIX_Boolean *pEmpty,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_AppendItem
+ * DESCRIPTION:
+ *
+ *  Appends the Object pointed to by "item" after the last non-NULL item in
+ *  List pointed to by "list", if any. Note that a List may validly contain
+ *  NULL items. Appending "c" into the List ("a", NULL, "b", NULL) will result
+ *  in ("a", NULL, "b", "c").
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to append to. Must be non-NULL.
+ *  "item"
+ *      Address of new item to append.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "list"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_AppendItem(
+        PKIX_List *list,
+        PKIX_PL_Object *item,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_InsertItem
+ * DESCRIPTION:
+ *
+ *  Inserts the Object pointed to by "item" into the List pointed to by "list"
+ *  at the given "index". The index counts from zero and must be less than the
+ *  List's length. Existing list entries at or after this index will be moved
+ *  to the next highest index.
+ *
+ *  XXX why not allow equal to length which would be equivalent to AppendItem?
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to insert into. Must be non-NULL.
+ *  "index"
+ *      Position to insert into. Must be less than List's length.
+ *  "item"
+ *      Address of new item to append.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "list"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_InsertItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object *item,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_GetItem
+ * DESCRIPTION:
+ *
+ *  Copies the "list"'s item at "index" into "pItem". The index counts from
+ *  zero and must be less than the list's length. Increments the reference
+ *  count on the returned object, if non-NULL.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to get item from. Must be non-NULL.
+ *  "index"
+ *      Index of list to get item from. Must be less than List's length.
+ *  "pItem"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_GetItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object **pItem,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_SetItem
+ * DESCRIPTION:
+ *
+ *  Sets the item at "index" of the List pointed to by "list" with the Object
+ *  pointed to by "item". The index counts from zero and must be less than the
+ *  List's length. The previous entry at this index will have its reference
+ *  count decremented and the new entry will have its reference count
+ *  incremented.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to modify. Must be non-NULL.
+ *  "index"
+ *      Position in List to set. Must be less than List's length.
+ *  "item"
+ *      Address of Object to set at "index".
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "list"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_SetItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object *item,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_DeleteItem
+ *
+ *  Deletes the item at "index" from the List pointed to by "list". The index
+ *  counts from zero and must be less than the List's length. Note that this
+ *  function does not destroy the List. It simply decrements the reference
+ *  count of the item at "index" in the List, deletes that item from the list
+ *  and moves all subsequent entries to a lower index in the list. If there is
+ *  only a single element in the List and that element is deleted, then the
+ *  List will be empty.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to delete from. Must be non-NULL.
+ *  "index"
+ *      Position in List to delete. Must be less than List's length.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "list"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_DeleteItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        void *plContext);
+
+/*
+ * FUNCTION: PKIX_List_ReverseList
+ * DESCRIPTION:
+ *
+ *  Creates a new List whose elements are in the reverse order as the elements
+ *  of the Object pointed to by "list" and stores the copy at "pReversedList".
+ *  If "list" is empty, the new reversed List will be a copy of "list".
+ *  Changes to the new object will not affect the original and vice versa.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List whose elements are to be reversed. Must be non-NULL.
+ *  "pReversedList"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_List_ReverseList(
+        PKIX_List *list,
+        PKIX_List **pReversedList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_UTIL_H */
diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h
new file mode 100755
index 000000000..0842c6e8b
--- /dev/null
+++ b/security/nss/lib/libpkix/include/pkixt.h
@@ -0,0 +1,494 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *   Red Hat, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file defines the types in the libpkix API.
+ * XXX Maybe we should specify the API version number in all API header files
+ *
+ */
+
+#ifndef _PKIXT_H
+#define _PKIXT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "secerr.h"
+
+/* Types
+ *
+ * This header file provides typedefs for the abstract types used by libpkix.
+ * It also provides several useful macros.
+ *
+ * Note that all these abstract types are typedef'd as opaque structures. This
+ * is intended to discourage the caller from looking at the contents directly,
+ * since the format of the contents may change from one version of the library
+ * to the next. Instead, callers should only access these types using the
+ * functions defined in the public header files.
+ *
+ * An instance of an abstract type defined in this file is called an "object"
+ * here, although C does not have real support for objects.
+ *
+ * Because C does not typically have automatic garbage collection, the caller
+ * is expected to release the reference to any object that they create or that
+ * is returned to them by a libpkix function. The caller should do this by
+ * using the PKIX_PL_Object_DecRef function. Note that the caller should not
+ * release the reference to an object if the object has been passed to a
+ * libpkix function and that function has not returned.
+ *
+ * Please refer to libpkix Programmer's Guide for more details.
+ */
+
+/* Version
+ *
+ * These macros specify the major and minor version of the libpkix API defined
+ * by this header file.
+ */
+
+#define PKIX_MAJOR_VERSION              ((PKIX_UInt32) 0)
+#define PKIX_MINOR_VERSION              ((PKIX_UInt32) 3)
+
+/* Maximum minor version
+ *
+ * This macro is used to specify that the caller wants the largest minor
+ * version available.
+ */
+
+#define PKIX_MAX_MINOR_VERSION          ((PKIX_UInt32) 4000000000)
+
+/* Define Cert Store type for database access */
+#define PKIX_STORE_TYPE_NONE            0
+#define PKIX_STORE_TYPE_PK11            1
+
+/* Portable Code (PC) data types
+ *
+ * These types are used to perform the primary operations of this library:
+ * building and validating chains of X.509 certificates.
+ */
+
+typedef struct PKIX_ErrorStruct PKIX_Error;
+typedef struct PKIX_ProcessingParamsStruct PKIX_ProcessingParams;
+typedef struct PKIX_ValidateParamsStruct PKIX_ValidateParams;
+typedef struct PKIX_ValidateResultStruct PKIX_ValidateResult;
+typedef struct PKIX_ResourceLimitsStruct PKIX_ResourceLimits;
+typedef struct PKIX_BuildResultStruct PKIX_BuildResult;
+typedef struct PKIX_CertStoreStruct PKIX_CertStore;
+typedef struct PKIX_CertChainCheckerStruct PKIX_CertChainChecker;
+typedef struct PKIX_RevocationCheckerStruct PKIX_RevocationChecker;
+typedef struct PKIX_CertSelectorStruct PKIX_CertSelector;
+typedef struct PKIX_CRLSelectorStruct PKIX_CRLSelector;
+typedef struct PKIX_ComCertSelParamsStruct PKIX_ComCertSelParams;
+typedef struct PKIX_ComCRLSelParamsStruct PKIX_ComCRLSelParams;
+typedef struct PKIX_TrustAnchorStruct PKIX_TrustAnchor;
+typedef struct PKIX_PolicyNodeStruct PKIX_PolicyNode;
+typedef struct PKIX_LoggerStruct PKIX_Logger;
+typedef struct PKIX_ListStruct PKIX_List;
+typedef struct PKIX_ForwardBuilderStateStruct PKIX_ForwardBuilderState;
+typedef struct PKIX_DefaultRevocationCheckerStruct
+                        PKIX_DefaultRevocationChecker;
+typedef struct PKIX_OcspCheckerStruct PKIX_OcspChecker;
+typedef struct PKIX_VerifyNodeStruct PKIX_VerifyNode;
+
+/* Portability Layer (PL) data types
+ *
+ * These types are used are used as portable data types that are defined
+ * consistently across platforms
+ */
+
+typedef struct PKIX_PL_ObjectStruct PKIX_PL_Object;
+typedef struct PKIX_PL_ByteArrayStruct PKIX_PL_ByteArray;
+typedef struct PKIX_PL_HashTableStruct PKIX_PL_HashTable;
+typedef struct PKIX_PL_MutexStruct PKIX_PL_Mutex;
+typedef struct PKIX_PL_RWLockStruct PKIX_PL_RWLock;
+typedef struct PKIX_PL_MonitorLockStruct PKIX_PL_MonitorLock;
+typedef struct PKIX_PL_BigIntStruct PKIX_PL_BigInt;
+typedef struct PKIX_PL_StringStruct PKIX_PL_String;
+typedef struct PKIX_PL_OIDStruct PKIX_PL_OID;
+typedef struct PKIX_PL_CertStruct PKIX_PL_Cert;
+typedef struct PKIX_PL_GeneralNameStruct PKIX_PL_GeneralName;
+typedef struct PKIX_PL_X500NameStruct PKIX_PL_X500Name;
+typedef struct PKIX_PL_PublicKeyStruct PKIX_PL_PublicKey;
+typedef struct PKIX_PL_DateStruct PKIX_PL_Date;
+typedef struct PKIX_PL_CertNameConstraintsStruct PKIX_PL_CertNameConstraints;
+typedef struct PKIX_PL_CertBasicConstraintsStruct PKIX_PL_CertBasicConstraints;
+typedef struct PKIX_PL_CertPoliciesStruct PKIX_PL_CertPolicies;
+typedef struct PKIX_PL_CertPolicyInfoStruct PKIX_PL_CertPolicyInfo;
+typedef struct PKIX_PL_CertPolicyQualifierStruct PKIX_PL_CertPolicyQualifier;
+typedef struct PKIX_PL_CertPolicyMapStruct PKIX_PL_CertPolicyMap;
+typedef struct PKIX_PL_CRLStruct PKIX_PL_CRL;
+typedef struct PKIX_PL_CRLEntryStruct PKIX_PL_CRLEntry;
+typedef struct PKIX_PL_CollectionCertStoreStruct PKIX_PL_CollectionCertStore;
+typedef struct PKIX_PL_CollectionCertStoreContext
+                        PKIX_PL_CollectionCertStoreContext;
+typedef struct PKIX_PL_LdapCertStoreContext PKIX_PL_LdapCertStoreContext;
+typedef struct PKIX_PL_LdapRequestStruct PKIX_PL_LdapRequest;
+typedef struct PKIX_PL_LdapResponseStruct PKIX_PL_LdapResponse;
+typedef struct PKIX_PL_LdapDefaultClientStruct PKIX_PL_LdapDefaultClient;
+typedef struct PKIX_PL_SocketStruct PKIX_PL_Socket;
+typedef struct PKIX_PL_InfoAccessStruct PKIX_PL_InfoAccess;
+typedef struct PKIX_PL_AIAMgrStruct PKIX_PL_AIAMgr;
+typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID;
+typedef struct PKIX_PL_OcspRequestStruct PKIX_PL_OcspRequest;
+typedef struct PKIX_PL_OcspResponseStruct PKIX_PL_OcspResponse;
+typedef struct PKIX_PL_HttpClientStruct PKIX_PL_HttpClient;
+typedef struct PKIX_PL_HttpDefaultClientStruct PKIX_PL_HttpDefaultClient;
+typedef struct PKIX_PL_HttpCertStoreContextStruct PKIX_PL_HttpCertStoreContext;
+
+/* Primitive types
+ *
+ * In order to guarantee desired behavior as well as platform-independence, we
+ * typedef these types depending on the platform. XXX This needs more work!
+ */
+
+/* XXX Try compiling these files (and maybe the whole libpkix-nss) on Win32.
+ * We don't know what type is at least 32 bits long. ISO C probably requires
+ * at least 32 bits for long. we could default to that and only list platforms
+ * where that's not true.
+ *
+ * #elif
+ * #error
+ * #endif
+ */
+
+/* currently, int is 32 bits on all our supported platforms */
+
+typedef unsigned int PKIX_UInt32;
+typedef int PKIX_Int32;
+
+typedef int PKIX_Boolean;
+
+/* Object Types
+ *
+ * Every reference-counted PKIX_PL_Object is associated with an integer type.
+ */
+#define PKIX_TYPES \
+    TYPEMACRO(AIAMGR), \
+    TYPEMACRO(BASICCONSTRAINTSCHECKERSTATE), \
+    TYPEMACRO(BIGINT), \
+    TYPEMACRO(BUILDRESULT), \
+    TYPEMACRO(BYTEARRAY), \
+    TYPEMACRO(CERT), \
+    TYPEMACRO(CERTBASICCONSTRAINTS), \
+    TYPEMACRO(CERTCHAINCHECKER), \
+    TYPEMACRO(CERTNAMECONSTRAINTS), \
+    TYPEMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \
+    TYPEMACRO(CERTPOLICYCHECKERSTATE), \
+    TYPEMACRO(CERTPOLICYINFO), \
+    TYPEMACRO(CERTPOLICYMAP), \
+    TYPEMACRO(CERTPOLICYNODE), \
+    TYPEMACRO(CERTPOLICYQUALIFIER), \
+    TYPEMACRO(CERTSELECTOR), \
+    TYPEMACRO(CERTSTORE), \
+    TYPEMACRO(COLLECTIONCERTSTORECONTEXT), \
+    TYPEMACRO(COMCERTSELPARAMS), \
+    TYPEMACRO(COMCRLSELPARAMS), \
+    TYPEMACRO(CRL), \
+    TYPEMACRO(CRLENTRY), \
+    TYPEMACRO(CRLSELECTOR), \
+    TYPEMACRO(DATE), \
+    TYPEMACRO(DEFAULTCRLCHECKERSTATE), \
+    TYPEMACRO(DEFAULTREVOCATIONCHECKER), \
+    TYPEMACRO(EKUCHECKER), \
+    TYPEMACRO(ERROR), \
+    TYPEMACRO(FORWARDBUILDERSTATE), \
+    TYPEMACRO(GENERALNAME), \
+    TYPEMACRO(HASHTABLE), \
+    TYPEMACRO(HTTPCERTSTORECONTEXT), \
+    TYPEMACRO(HTTPDEFAULTCLIENT), \
+    TYPEMACRO(INFOACCESS), \
+    TYPEMACRO(LDAPDEFAULTCLIENT), \
+    TYPEMACRO(LDAPREQUEST), \
+    TYPEMACRO(LDAPRESPONSE), \
+    TYPEMACRO(LIST), \
+    TYPEMACRO(LOGGER), \
+    TYPEMACRO(MONITORLOCK), \
+    TYPEMACRO(MUTEX), \
+    TYPEMACRO(OBJECT), \
+    TYPEMACRO(OCSPCERTID), \
+    TYPEMACRO(OCSPCHECKER), \
+    TYPEMACRO(OCSPREQUEST), \
+    TYPEMACRO(OCSPRESPONSE), \
+    TYPEMACRO(OID), \
+    TYPEMACRO(PROCESSINGPARAMS), \
+    TYPEMACRO(PUBLICKEY), \
+    TYPEMACRO(RESOURCELIMITS), \
+    TYPEMACRO(REVOCATIONCHECKER), \
+    TYPEMACRO(RWLOCK), \
+    TYPEMACRO(SIGNATURECHECKERSTATE), \
+    TYPEMACRO(SOCKET), \
+    TYPEMACRO(STRING), \
+    TYPEMACRO(TARGETCERTCHECKERSTATE), \
+    TYPEMACRO(TRUSTANCHOR), \
+    TYPEMACRO(VALIDATEPARAMS), \
+    TYPEMACRO(VALIDATERESULT), \
+    TYPEMACRO(VERIFYNODE), \
+    TYPEMACRO(X500NAME)
+
+#define TYPEMACRO(type) PKIX_ ## type ## _TYPE
+
+typedef enum {     /* Now invoke all those TYPEMACROs to assign the numbers */
+   PKIX_TYPES,
+   PKIX_NUMTYPES   /* This gets PKIX_NUMTYPES defined as the total number */
+} PKIX_TYPENUM;
+
+
+#ifdef PKIX_USER_OBJECT_TYPE
+
+/* User Define Object Types
+ *
+ * User may define their own object types offset from PKIX_USER_OBJECT_TYPE
+ */
+#define PKIX_USER_OBJECT_TYPEBASE 1000
+
+#endif /* PKIX_USER_OBJECT_TYPE */
+
+/* Error Codes
+ *
+ * This list is used to define a set of PKIX_Error exception class numbers.
+ * ERRMACRO is redefined to produce a corresponding set of
+ * strings in the table "const char *PKIX_ERRORCLASSNAMES[PKIX_NUMERRORCLASSES]" in
+ * pkix_error.c. For example, since the fifth ERRMACRO entry is MUTEX, then
+ * PKIX_MUTEX_ERROR is defined in pkixt.h as 4, and PKIX_ERRORCLASSNAMES[4] is
+ * initialized in pkix_error.c with the value "MUTEX".
+ */
+#define PKIX_ERRORCLASSES \
+   ERRMACRO(AIAMGR), \
+   ERRMACRO(BASICCONSTRAINTSCHECKERSTATE), \
+   ERRMACRO(BIGINT), \
+   ERRMACRO(BUILD), \
+   ERRMACRO(BUILDRESULT), \
+   ERRMACRO(BYTEARRAY), \
+   ERRMACRO(CERT), \
+   ERRMACRO(CERTBASICCONSTRAINTS), \
+   ERRMACRO(CERTCHAINCHECKER), \
+   ERRMACRO(CERTNAMECONSTRAINTS), \
+   ERRMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \
+   ERRMACRO(CERTPOLICYCHECKERSTATE), \
+   ERRMACRO(CERTPOLICYINFO), \
+   ERRMACRO(CERTPOLICYMAP), \
+   ERRMACRO(CERTPOLICYNODE), \
+   ERRMACRO(CERTPOLICYQUALIFIER), \
+   ERRMACRO(CERTSELECTOR), \
+   ERRMACRO(CERTSTORE), \
+   ERRMACRO(CERTVFYPKIX), \
+   ERRMACRO(COLLECTIONCERTSTORECONTEXT), \
+   ERRMACRO(COMCERTSELPARAMS), \
+   ERRMACRO(COMCRLSELPARAMS), \
+   ERRMACRO(CONTEXT), \
+   ERRMACRO(CRL), \
+   ERRMACRO(CRLENTRY), \
+   ERRMACRO(CRLSELECTOR), \
+   ERRMACRO(DATE), \
+   ERRMACRO(DEFAULTCRLCHECKERSTATE), \
+   ERRMACRO(DEFAULTREVOCATIONCHECKER), \
+   ERRMACRO(EKUCHECKER), \
+   ERRMACRO(ERROR), \
+   ERRMACRO(FATAL), \
+   ERRMACRO(FORWARDBUILDERSTATE), \
+   ERRMACRO(GENERALNAME), \
+   ERRMACRO(HASHTABLE), \
+   ERRMACRO(HTTPCERTSTORECONTEXT), \
+   ERRMACRO(HTTPDEFAULTCLIENT), \
+   ERRMACRO(INFOACCESS), \
+   ERRMACRO(LDAPCLIENT), \
+   ERRMACRO(LDAPDEFAULTCLIENT), \
+   ERRMACRO(LDAPREQUEST), \
+   ERRMACRO(LDAPRESPONSE), \
+   ERRMACRO(LIFECYCLE), \
+   ERRMACRO(LIST), \
+   ERRMACRO(LOGGER), \
+   ERRMACRO(MEM), \
+   ERRMACRO(MONITORLOCK), \
+   ERRMACRO(MUTEX), \
+   ERRMACRO(OBJECT), \
+   ERRMACRO(OCSPCERTID), \
+   ERRMACRO(OCSPCHECKER), \
+   ERRMACRO(OCSPREQUEST), \
+   ERRMACRO(OCSPRESPONSE), \
+   ERRMACRO(OID), \
+   ERRMACRO(PROCESSINGPARAMS), \
+   ERRMACRO(PUBLICKEY), \
+   ERRMACRO(RESOURCELIMITS), \
+   ERRMACRO(REVOCATIONCHECKER), \
+   ERRMACRO(RWLOCK), \
+   ERRMACRO(SIGNATURECHECKERSTATE), \
+   ERRMACRO(SOCKET), \
+   ERRMACRO(STRING), \
+   ERRMACRO(TARGETCERTCHECKERSTATE), \
+   ERRMACRO(TRUSTANCHOR), \
+   ERRMACRO(USERDEFINEDMODULES), \
+   ERRMACRO(VALIDATE), \
+   ERRMACRO(VALIDATEPARAMS), \
+   ERRMACRO(VALIDATERESULT), \
+   ERRMACRO(VERIFYNODE), \
+   ERRMACRO(X500NAME)
+
+#define ERRMACRO(type) PKIX_ ## type ## _ERROR
+
+typedef enum {     /* Now invoke all those ERRMACROs to assign the numbers */
+   PKIX_ERRORCLASSES,
+   PKIX_NUMERRORCLASSES   /* This gets PKIX_NUMERRORCLASSES defined as the total number */
+} PKIX_ERRORCLASS;
+
+/* Now define error strings (for internationalization) */
+
+#define PKIX_ERRORENTRY(name,desc,plerr) PKIX_ ## name
+
+/* Define all the error numbers */
+typedef enum    {
+#include "pkix_errorstrings.h"
+} PKIX_ERRORCODE;
+
+extern const char * const PKIX_ErrorText[];
+
+/* String Formats
+ *
+ * These formats specify supported encoding formats for Strings.
+ */
+
+#define PKIX_ESCASCII           0
+#define PKIX_UTF8               1
+#define PKIX_UTF16              2
+#define PKIX_UTF8_NULL_TERM     3
+#define PKIX_ESCASCII_DEBUG     4
+
+/* Name Types
+ *
+ * These types specify supported formats for GeneralNames.
+ */
+
+#define PKIX_OTHER_NAME         1
+#define PKIX_RFC822_NAME        2
+#define PKIX_DNS_NAME           3
+#define PKIX_X400_ADDRESS       4
+#define PKIX_DIRECTORY_NAME     5
+#define PKIX_EDIPARTY_NAME      6
+#define PKIX_URI_NAME           7
+#define PKIX_IP_NAME            8
+#define PKIX_OID_NAME           9
+
+/* Key Usages
+ *
+ * These types specify supported Key Usages
+ */
+
+#define PKIX_DIGITAL_SIGNATURE  0x001
+#define PKIX_NON_REPUDIATION    0x002
+#define PKIX_KEY_ENCIPHERMENT   0x004
+#define PKIX_DATA_ENCIPHERMENT  0x008
+#define PKIX_KEY_AGREEMENT      0x010
+#define PKIX_KEY_CERT_SIGN      0x020
+#define PKIX_CRL_SIGN           0x040
+#define PKIX_ENCIPHER_ONLY      0x080
+#define PKIX_DECIPHER_ONLY      0x100
+
+/* Reason Flags
+ *
+ * These macros specify supported Reason Flags
+ */
+
+#define PKIX_UNUSED                     0x001
+#define PKIX_KEY_COMPROMISE             0x002
+#define PKIX_CA_COMPROMISE              0x004
+#define PKIX_AFFILIATION_CHANGED        0x008
+#define PKIX_SUPERSEDED                 0x010
+#define PKIX_CESSATION_OF_OPERATION     0x020
+#define PKIX_CERTIFICATE_HOLD           0x040
+#define PKIX_PRIVILEGE_WITHDRAWN        0x080
+#define PKIX_AA_COMPROMISE              0x100
+
+/* Boolean values
+ *
+ * These macros specify the Boolean values of TRUE and FALSE
+ * XXX Is it the case that any non-zero value is actually considered TRUE
+ * and this is just a convenient mnemonic macro?
+ */
+
+#define PKIX_TRUE                       ((PKIX_Boolean) 1)
+#define PKIX_FALSE                      ((PKIX_Boolean) 0)
+
+/*
+ * Define constants for basic constraints selector
+ *      (see comments in pkix_certsel.h)
+ */
+
+#define PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH (-2)
+#define PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH (-1)
+
+/*
+ * PKIX_ALLOC_ERROR is a special error object hard-coded into the pkix_error.o
+ * object file. It is thrown if system memory cannot be allocated or may be
+ * thrown for other unrecoverable errors. PKIX_ALLOC_ERROR is immutable.
+ * IncRef, DecRef and all Settor functions cannot be called.
+ * XXX Does anyone actually need to know about this?
+ * XXX Why no DecRef? Would be good to handle it the same.
+ */
+
+PKIX_Error* PKIX_ALLOC_ERROR(void);
+
+/*
+ * In a CertBasicConstraints extension, if the CA flag is set,
+ * indicating the certificate refers to a Certification
+ * Authority, then the pathLen field indicates how many intermediate
+ * certificates (not counting self-signed ones) can exist in a valid
+ * chain following this certificate. If the pathLen has the value
+ * of this constant, then the length of the chain is unlimited
+ */
+#define PKIX_UNLIMITED_PATH_CONSTRAINT ((PKIX_Int32) -1)
+
+/*
+ * Define Certificate Extension hard-coded OID's
+ */
+#define PKIX_CERTKEYUSAGE_OID                  "2.5.29.15"
+#define PKIX_CERTSUBJALTNAME_OID               "2.5.29.17"
+#define PKIX_BASICCONSTRAINTS_OID              "2.5.29.19"
+#define PKIX_CRLREASONCODE_OID                 "2.5.29.21"
+#define PKIX_NAMECONSTRAINTS_OID               "2.5.29.30"
+#define PKIX_CERTIFICATEPOLICIES_OID           "2.5.29.32"
+#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0"
+#define PKIX_POLICYMAPPINGS_OID                "2.5.29.33"
+#define PKIX_POLICYCONSTRAINTS_OID             "2.5.29.36"
+#define PKIX_EXTENDEDKEYUSAGE_OID              "2.5.29.37"
+#define PKIX_INHIBITANYPOLICY_OID              "2.5.29.54"
+#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIXT_H */
diff --git a/security/nss/lib/libpkix/manifest.mn b/security/nss/lib/libpkix/manifest.mn
new file mode 100755
index 000000000..9836689e9
--- /dev/null
+++ b/security/nss/lib/libpkix/manifest.mn
@@ -0,0 +1,46 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+DEPTH      = ../../..
+
+#
+DIRS =  include pkix pkix_pl_nss \
+	$(NULL)
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/libpkix/pkix/Makefile b/security/nss/lib/libpkix/pkix/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/certsel/Makefile b/security/nss/lib/libpkix/pkix/certsel/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/certsel/config.mk b/security/nss/lib/libpkix/pkix/certsel/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/certsel/manifest.mn b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
new file mode 100755
index 000000000..c5d1b4e01
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_certselector.h \
+	pkix_comcertselparams.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_certselector.c \
+	pkix_comcertselparams.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixcertsel
+
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
new file mode 100755
index 000000000..1ea99ac4a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
@@ -0,0 +1,1782 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_certselector.c
+ *
+ * CertSelector Object Functions
+ *
+ */
+
+#include "pkix_certselector.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_CertSelector_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertSelector_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_CertSelector *selector = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a cert selector */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTSELECTOR);
+
+        selector = (PKIX_CertSelector *)object;
+        PKIX_DECREF(selector->params);
+        PKIX_DECREF(selector->context);
+
+cleanup:
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertSelector_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_CertSelector *certSelectorDuplicate = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTSELECTOR);
+
+        certSelector = (PKIX_CertSelector *)object;
+
+        PKIX_CHECK(PKIX_CertSelector_Create
+                    (certSelector->matchCallback,
+                    certSelector->context,
+                    &certSelectorDuplicate,
+                    plContext),
+                    PKIX_CERTSELECTORCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_Duplicate
+                    ((PKIX_PL_Object *)certSelector->params,
+                    (PKIX_PL_Object **)&certSelectorDuplicate->params,
+                    plContext),
+                    PKIX_OBJECTDUPLICATEFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(certSelectorDuplicate);
+        }
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_BasicConstraint
+ * DESCRIPTION:
+ *
+ *  Determines whether the Cert pointed to by "cert" matches the basic
+ *  constraints criterion using the basic constraints field of the
+ *  ComCertSelParams pointed to by "params". If the basic constraints field is
+ *  -1, no basic constraints check is done and the Cert is considered to match
+ *  the basic constraints criterion. If the Cert does not match the basic
+ *  constraints criterion, an Error pointer is returned.
+ *
+ *  In order to match against this criterion, there are several possibilities.
+ *
+ *  1) If the criterion's minimum path length is greater than or equal to zero,
+ *  a certificate must include a BasicConstraints extension with a pathLen of
+ *  at least this value.
+ *
+ *  2) If the criterion's minimum path length is -2, a certificate must be an
+ *  end-entity certificate.
+ *
+ *  3) If the criterion's minimum path length is -1, no basic constraints check
+ *  is done and all certificates are considered to match this criterion.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose basic constraints field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * OUTPUT PARAMETERS ON FAILURE:
+ *   If the function returns a failure,
+ *   the output parameters of this function are undefined.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_BasicConstraint(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */
+        PKIX_Int32 pathLength = 0;
+        PKIX_Int32 minPathLength = 0;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+        *pResult = PKIX_TRUE;
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
+                (params, &minPathLength, plContext),
+                PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
+
+        /* If the minPathLength is unlimited (-1), no checking */
+        if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                    (cert, &basicConstraints, plContext),
+                    PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+        if (basicConstraints != NULL) {
+                PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+                            (basicConstraints, &caFlag, plContext),
+                            PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+                PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint
+                        (basicConstraints, &pathLength, plContext),
+                        PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+        }
+
+        /*
+         * if minPathLength >= 0, the cert must have a BasicConstraints ext and
+         * the pathLength in this cert
+         * BasicConstraints needs to be >= minPathLength.
+         */
+        if (minPathLength >= 0){
+                if ((!basicConstraints) || (caFlag == PKIX_FALSE)){
+                        PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES);
+                } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) &&
+                            (pathLength < minPathLength)){
+                        PKIX_CERTSELECTOR_DEBUG
+                            ("Basic Constraints path length match failed\n");
+                        *pResult = PKIX_FALSE;
+                        PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
+                }
+        }
+
+        /* if the minPathLength is -2, this cert must be an end-entity cert. */
+        if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) {
+                if (caFlag == PKIX_TRUE) {
+                    PKIX_CERTSELECTOR_DEBUG
+                        ("Basic Constraints end-entity match failed\n");
+                    *pResult = PKIX_FALSE;
+                    PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(basicConstraints);
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_Policies
+ * DESCRIPTION:
+ *
+ *  Determines whether the Cert pointed to by "cert" matches the policy
+ *  constraints specified in the ComCertsSelParams given by "params".
+ *  If "params" specifies a policy constraint of NULL, all certificates
+ *  match. If "params" specifies an empty list, "cert" must have at least
+ *  some policy. Otherwise "cert" must include at least one of the
+ *  policies in the list. See the description of PKIX_CertSelector in
+ *  pkix_certsel.h for more.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose policy criterion (if any) is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_Policies(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 numConstraintPolicies = 0;
+        PKIX_UInt32 numCertPolicies = 0;
+        PKIX_UInt32 certPolicyIndex = 0;
+        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */
+        PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */
+        PKIX_PL_CertPolicyInfo *policyInfo = NULL;
+        PKIX_PL_OID *polOID = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy
+                (params, &constraintPolicies, plContext),
+                PKIX_COMCERTSELPARAMSGETPOLICYFAILED);
+
+        /* If constraintPolicies is NULL, all certificates "match" */
+        if (constraintPolicies) {
+            PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &certPolicyInfos, plContext),
+                PKIX_CERTGETPOLICYINFORMATIONFAILED);
+
+            /* No hope of a match if cert has no policies */
+            if (!certPolicyInfos) {
+                PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+
+            }
+
+            PKIX_CHECK(PKIX_List_GetLength
+                (constraintPolicies, &numConstraintPolicies, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+            if (numConstraintPolicies > 0) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (certPolicyInfos, &numCertPolicies, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (certPolicyIndex = 0;
+                        ((!result) && (certPolicyIndex < numCertPolicies));
+                        certPolicyIndex++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (certPolicyInfos,
+                                certPolicyIndex,
+                                (PKIX_PL_Object **)&policyInfo,
+                                plContext),
+                                PKIX_LISTGETELEMENTFAILED);
+                        PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
+                                (policyInfo, &polOID, plContext),
+                                PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
+
+                        PKIX_CHECK(pkix_List_Contains
+                                (constraintPolicies,
+                                (PKIX_PL_Object *)polOID,
+                                &result,
+                                plContext),
+                                PKIX_LISTCONTAINSFAILED);
+                        PKIX_DECREF(policyInfo);
+                        PKIX_DECREF(polOID);
+                }
+                if (!result) {
+                        PKIX_CERTSELECTOR_DEBUG
+                                ("Certificate has no acceptable policies\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+            }
+        }
+
+cleanup:
+
+        PKIX_DECREF(constraintPolicies);
+        PKIX_DECREF(certPolicyInfos);
+        PKIX_DECREF(policyInfo);
+        PKIX_DECREF(polOID);
+
+        PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_CertificateValid
+ * DESCRIPTION:
+ *
+ *  Determines whether the Cert pointed to by "cert" matches the certificate
+ *  validity criterion using the CertificateValid field of the
+ *  ComCertSelParams pointed to by "params". If the CertificateValid field is
+ *  NULL, no validity check is done and the Cert is considered to match
+ *  the CertificateValid criterion. If the CertificateValid field specifies a
+ *  Date prior to the notBefore field in the Cert, or greater than the notAfter
+ *  field in the Cert, an Error is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose certValid field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_CertificateValid(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_Date *validityTime = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
+                (params, &validityTime, plContext),
+                PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
+
+        /* If the validityTime is not set, all certificates are acceptable */
+        if (validityTime) {
+                PKIX_CHECK(PKIX_PL_Cert_CheckValidity
+                        (cert, validityTime, plContext),
+                        PKIX_CERTCHECKVALIDITYFAILED);
+        }
+
+cleanup:
+
+        PKIX_DECREF(validityTime);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_NameConstraints
+ * DESCRIPTION:
+ *
+ *  Determines whether the Cert pointed to by "cert" matches the name
+ *  constraints criterion specified in the ComCertSelParams pointed to by
+ *  "params". If the name constraints field is NULL, no name constraints check
+ *  is done and the Cert is considered to match the name constraints criterion.
+ *  If the Cert does not match the name constraints criterion, an Error pointer
+ *  is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose name constraints field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_NameConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
+                (params, &nameConstraints, plContext),
+                PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
+
+        if (nameConstraints != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
+                    (cert, nameConstraints, plContext),
+                    PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
+        }
+
+cleanup:
+
+        PKIX_DECREF(nameConstraints);
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_PathToNames
+ * DESCRIPTION:
+ *
+ *  Determines whether the names at pathToNames in "params" complies with the
+ *  NameConstraints pointed to by "cert". If the pathToNames field is NULL
+ *  or there is no name constraints for this "cert", no checking is done
+ *  and the Cert is considered to match the name constraints criterion.
+ *  If the Cert does not match the name constraints criterion, an Error
+ *  pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose PathToNames field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_PathToNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_List *pathToNamesList = NULL;
+        PKIX_Boolean passed = PKIX_FALSE;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
+                (params, &pathToNamesList, plContext),
+                PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
+
+        if (pathToNamesList != NULL) {
+
+            PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (cert, &nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+            if (nameConstraints != NULL) {
+
+                PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+                        (pathToNamesList, nameConstraints, &passed, plContext),
+                        PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
+
+                if (passed != PKIX_TRUE) {
+                        PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+            }
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(nameConstraints);
+        PKIX_DECREF(pathToNamesList);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjAltNames
+ * DESCRIPTION:
+ *
+ *  Determines whether the names at subjAltNames in "params" match with the
+ *  SubjAltNames pointed to by "cert". If the subjAltNames field is NULL,
+ *  no name checking is done and the Cert is considered to match the
+ *  criterion. If the Cert does not match the criterion, an Error pointer
+ *  is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose SubjAltNames field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_List *subjAltNamesList = NULL;
+        PKIX_List *certSubjAltNames = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_Boolean checkPassed = PKIX_FALSE;
+        PKIX_Boolean matchAll = PKIX_TRUE;
+        PKIX_UInt32 i, numItems;
+        PKIX_UInt32 matchCount = 0;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+                    (params, &matchAll, plContext),
+                    PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
+                    (params, &subjAltNamesList, plContext),
+                    PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
+
+        if (subjAltNamesList != NULL) {
+
+            PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
+                    (cert, &certSubjAltNames, plContext),
+                    PKIX_CERTGETSUBJALTNAMESFAILED);
+
+            if (certSubjAltNames != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (subjAltNamesList, &numItems, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numItems; i++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (subjAltNamesList,
+                            i,
+                            (PKIX_PL_Object **) &name,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_List_Contains
+                            (certSubjAltNames,
+                            (PKIX_PL_Object *) name,
+                            &checkPassed,
+                            plContext),
+                            PKIX_LISTCONTAINSFAILED);
+
+                        PKIX_DECREF(name);
+
+                        if (checkPassed == PKIX_TRUE) {
+
+                            if (matchAll == PKIX_FALSE) {
+                                /* one match is good enough */
+                                matchCount = numItems;
+                                break;
+                            } else {
+                            /* else continue checking next */
+                                matchCount++;
+                            }
+
+                        }
+
+                }
+
+                if (matchCount != numItems) {
+                        PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+
+            } else {
+
+                PKIX_CERTSELECTOR_DEBUG
+                        ("SubjAltName Match failed: Cert has no SubjAltName\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+            }
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(name);
+        PKIX_DECREF(certSubjAltNames);
+        PKIX_DECREF(subjAltNamesList);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage
+ * DESCRIPTION:
+ *
+ *  Determines whether the names at ExtKeyUsage in "params" matches with the
+ *  ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or
+ *  ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is
+ *  considered a match. If the Cert does not match, an Error pointer is
+ *  returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose ExtKeyUsage field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_ExtendedKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_List *extKeyUsageList = NULL;
+        PKIX_List *certExtKeyUsageList = NULL;
+        PKIX_PL_OID *ekuOid = NULL;
+        PKIX_Boolean isContained = PKIX_FALSE;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
+                    (params, &extKeyUsageList, plContext),
+                    PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
+
+        if (extKeyUsageList == NULL) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+                    (cert, &certExtKeyUsageList, plContext),
+                    PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+
+        if (certExtKeyUsageList != NULL) {
+
+            PKIX_CHECK(PKIX_List_GetLength
+                    (extKeyUsageList, &numItems, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+            for (i = 0; i < numItems; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                    (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_List_Contains
+                    (certExtKeyUsageList,
+                    (PKIX_PL_Object *)ekuOid,
+                    &isContained,
+                    plContext),
+                    PKIX_LISTCONTAINSFAILED);
+
+                PKIX_DECREF(ekuOid);
+
+                if (isContained != PKIX_TRUE) {
+                        PKIX_CERTSELECTOR_DEBUG
+                                ("Extended Key Usage Match failed\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+            }
+        }
+
+cleanup:
+
+        PKIX_DECREF(ekuOid);
+        PKIX_DECREF(extKeyUsageList);
+        PKIX_DECREF(certExtKeyUsageList);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_KeyUsage
+ * DESCRIPTION:
+ *
+ *  Determines whether the bits at KeyUsage in "params" matches with the
+ *  KeyUsage pointed to by "cert". If the KeyUsage in params is 0
+ *  no checking is done and the Cert is considered a match. If the Cert does
+ *  not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose ExtKeyUsage field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_KeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 keyUsage = 0;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
+                    (params, &keyUsage, plContext),
+                    PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
+
+        if (keyUsage != 0) {
+
+            PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
+                        (cert, keyUsage, plContext),
+                        PKIX_CERTVERIFYKEYUSAGEFAILED);
+
+        }
+
+cleanup:
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjKeyId
+ * DESCRIPTION:
+ *
+ *  Determines whether the bytes at subjKeyId in "params" matches with the
+ *  Subject Key Identifier pointed to by "cert". If the subjKeyId in params is
+ *  set to NULL, no checking is done and the Cert is considered a match. If
+ *  the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose subjKeyId field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjKeyId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *selSubjKeyId = NULL;
+        PKIX_PL_ByteArray *certSubjKeyId = NULL;
+        PKIX_Boolean equals = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier
+                    (params, &selSubjKeyId, plContext),
+                    PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
+
+        if (selSubjKeyId != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
+                    (cert, &certSubjKeyId, plContext),
+                    PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
+
+                if (certSubjKeyId != NULL) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                ((PKIX_PL_Object *)selSubjKeyId,
+                                (PKIX_PL_Object *)certSubjKeyId,
+                                &equals,
+                                plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        if (equals != PKIX_TRUE) {
+                            PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
+                            *pResult = PKIX_FALSE;
+                            goto cleanup;
+                        }
+                } else {
+                    PKIX_CERTSELECTOR_DEBUG
+                        ("SubjKeyId Match failed: Cert has no SubjKeyId\n");
+                    *pResult = PKIX_FALSE;
+                    goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(selSubjKeyId);
+        PKIX_DECREF(certSubjKeyId);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_AuthKeyId
+ * DESCRIPTION:
+ *
+ *  Determines whether the bytes at authKeyId in "params" matches with the
+ *  Authority Key Identifier pointed to by "cert". If the authKeyId in params
+ *  is set to NULL, no checking is done and the Cert is considered a match. If
+ *  the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose authKeyId field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_AuthKeyId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *selAuthKeyId = NULL;
+        PKIX_PL_ByteArray *certAuthKeyId = NULL;
+        PKIX_Boolean equals = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+                    (params, &selAuthKeyId, plContext),
+                    PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
+
+        if (selAuthKeyId != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+                    (cert, &certAuthKeyId, plContext),
+                    PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
+
+                if (certAuthKeyId != NULL) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                ((PKIX_PL_Object *)selAuthKeyId,
+                                (PKIX_PL_Object *)certAuthKeyId,
+                                &equals,
+                                plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        if (equals != PKIX_TRUE) {
+                            PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
+                            *pResult = PKIX_FALSE;
+                            goto cleanup;
+                        }
+                } else {
+                    PKIX_CERTSELECTOR_DEBUG
+                        ("AuthKeyId Match failed: Cert has no AuthKeyId\n");
+                    *pResult = PKIX_FALSE;
+                    goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(selAuthKeyId);
+        PKIX_DECREF(certAuthKeyId);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId
+ * DESCRIPTION:
+ *
+ *  Determines whether the OID at subjPKAlgId in "params" matches with the
+ *  Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params
+ *  is set to NULL, no checking is done and the Cert is considered a match. If
+ *  the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose subjPKAlgId field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjPKAlgId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_OID *selPKAlgId = NULL;
+        PKIX_PL_OID *certPKAlgId = NULL;
+        PKIX_Boolean equals = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId
+                    (params, &selPKAlgId, plContext),
+                    PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED);
+
+        if (selPKAlgId != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+                    (cert, &certPKAlgId, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
+
+                if (certPKAlgId != NULL) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                ((PKIX_PL_Object *)selPKAlgId,
+                                (PKIX_PL_Object *)certPKAlgId,
+                                &equals,
+                                plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        if (equals != PKIX_TRUE) {
+                            PKIX_CERTSELECTOR_DEBUG
+                                ("SubjPKAlgId Match failed\n");
+                            *pResult = PKIX_FALSE;
+                            goto cleanup;
+                        }
+                } else {
+                    PKIX_CERTSELECTOR_DEBUG
+                        ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
+                    *pResult = PKIX_FALSE;
+                    goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(selPKAlgId);
+        PKIX_DECREF(certPKAlgId);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Match_SubjPubKey
+ * DESCRIPTION:
+ *
+ *  Determines whether the key at subjPubKey in "params" matches with the
+ *  Subject Public Key pointed to by "cert". If the subjPubKey in params
+ *  is set to NULL, no checking is done and the Cert is considered a match. If
+ *  the Cert does not match, an Error pointer is returned.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ComCertSelParams whose subPubKey field is used.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched. Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_Match_SubjPubKey(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *selPK = NULL;
+        PKIX_PL_PublicKey *certPK = NULL;
+        PKIX_Boolean equals = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey");
+        PKIX_NULLCHECK_THREE(params, cert, pResult);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey
+                    (params, &selPK, plContext),
+                    PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
+
+        if (selPK != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (cert, &certPK, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                if (certPK != NULL) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                ((PKIX_PL_Object *)selPK,
+                                (PKIX_PL_Object *)certPK,
+                                &equals,
+                                plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        if (equals != PKIX_TRUE) {
+                            PKIX_CERTSELECTOR_DEBUG
+                                ("Subject Public Key Match failed\n");
+                            *pResult = PKIX_FALSE;
+                            goto cleanup;
+                        }
+
+                } else {
+                    PKIX_CERTSELECTOR_DEBUG
+                        ("SubjPubKey Match failed: Cert has no SubjPubKey\n");
+                    *pResult = PKIX_FALSE;
+                    goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(selPK);
+        PKIX_DECREF(certPK);
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_DefaultMatch
+ * DESCRIPTION:
+ *
+ *  This default match function determines whether the specified Cert pointed
+ *  to by "cert" matches the criteria of the CertSelector pointed to by
+ *  "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE
+ *  is stored at "pResult". If the Cert does not match the CertSelector's
+ *  criteria, PKIX_FALSE is stored at "pResult". 
+ *
+ *  This default match function understands how to process the most common
+ *  parameters. Any common parameter that is not set is assumed to be disabled,
+ *  which means this function will select all certificates without regard to
+ *  that particular disabled parameter. For example, if the SerialNumber
+ *  parameter is not set, this function will not filter out any certificate
+ *  based on its serial number. As such, if no parameters are set, all are
+ *  disabled and any certificate will match. If a parameter is disabled, its
+ *  associated PKIX_ComCertSelParams_Get* function returns a default value.
+ *  That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and
+ *  PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage,
+ *  and NULL for all other Get functions.
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelector whose MatchCallback logic and parameters are
+ *      to be used. Must be non-NULL.
+ *  "cert"
+ *      Address of Cert that is to be matched using "selector".
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address of PKIX_Boolean that returns the match result.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CertSelector_DefaultMatch(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_X500Name *certSubject = NULL;
+        PKIX_PL_X500Name *selSubject = NULL;
+        PKIX_PL_X500Name *certIssuer = NULL;
+        PKIX_PL_X500Name *selIssuer = NULL;
+        PKIX_PL_BigInt *certSerialNumber = NULL;
+        PKIX_PL_BigInt *selSerialNumber = NULL;
+        PKIX_PL_Cert *selCert = NULL;
+        PKIX_PL_Date *selDate = NULL;
+        PKIX_UInt32 requiredKeyUsage = 0;
+        PKIX_UInt32 selVersion = 0xFFFFFFFF;
+        PKIX_UInt32 certVersion = 0;
+        PKIX_Boolean result = PKIX_TRUE;
+
+#ifdef PKIX_BUILDDEBUG
+        PKIX_PL_String *certString = NULL;
+        void *certAscii = NULL;
+        PKIX_UInt32 certAsciiLen;
+#endif
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
+        PKIX_NULLCHECK_THREE(selector, cert, pResult);
+
+        *pResult = PKIX_TRUE;
+
+        PKIX_INCREF(selector->params);
+        params = selector->params;
+
+        if (params == NULL){
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetVersion
+                    (params, &selVersion, plContext),
+                    PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
+
+        if (selVersion != 0xFFFFFFFF){
+                PKIX_CHECK(PKIX_PL_Cert_GetVersion
+                            (cert, &certVersion, plContext),
+                            PKIX_CERTGETVERSIONFAILED);
+
+                if (selVersion != certVersion) {
+                        PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+                    (params, &selSubject, plContext),
+                    PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+        if (selSubject){
+                PKIX_CHECK(PKIX_PL_Cert_GetSubject
+                            (cert, &certSubject, plContext),
+                            PKIX_CERTGETSUBJECTFAILED);
+
+                if (certSubject){
+                        PKIX_CHECK(PKIX_PL_X500Name_Match
+                            (selSubject, certSubject, &result, plContext),
+                            PKIX_X500NAMEMATCHFAILED);
+
+                        if (result == PKIX_FALSE){
+                                PKIX_CERTSELECTOR_DEBUG
+                                        ("Subject Match FAILED\n");
+                                *pResult = PKIX_FALSE;
+                                goto cleanup;
+                        }
+                } else { /* cert has no subject */
+                        PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+
+                }
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
+                    (params, &selIssuer, plContext),
+                    PKIX_COMCERTSELPARAMSGETISSUERFAILED);
+
+        if (selIssuer){
+                PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+                            (cert, &certIssuer, plContext),
+                            PKIX_CERTGETISSUERFAILED);
+
+                PKIX_CHECK(PKIX_PL_X500Name_Match
+                            (selIssuer, certIssuer, &result, plContext),
+                            PKIX_X500NAMEMATCHFAILED);
+
+                if (result == PKIX_FALSE){
+                        PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
+                    (params, &selSerialNumber, plContext),
+                    PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
+
+        if (selSerialNumber){
+                PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
+                            (cert, &certSerialNumber, plContext),
+                            PKIX_CERTGETSERIALNUMBERFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)selSerialNumber,
+                            (PKIX_PL_Object *)certSerialNumber,
+                            &result,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+
+                if (result == PKIX_FALSE){
+                        PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
+                    (params, &selCert, plContext),
+                    PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
+
+        if (selCert){
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *) selCert,
+                            (PKIX_PL_Object *) cert,
+                            &result,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+
+                if (result == PKIX_FALSE){
+                        PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n");
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+        }
+
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
+                    (params, &selDate, plContext),
+                    PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
+
+        if (selDate){
+                PKIX_CHECK(PKIX_PL_Cert_CheckValidity
+                            (cert, selDate, plContext),
+                            PKIX_CERTCHECKVALIDITYFAILED);
+        }
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
+                    (params, &requiredKeyUsage, plContext),
+                    PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
+
+        if (requiredKeyUsage != 0) {
+                PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
+                            (cert, requiredKeyUsage, plContext),
+                            PKIX_CERTVERIFYKEYUSAGEFAILED);
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_Policies
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHPOLICIESFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_PathToNames
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
+                    (params, cert, &result, plContext),
+                    PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
+
+        if (result == PKIX_FALSE){
+                PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        /* if we reach here, the cert has successfully matched criteria */
+
+
+#ifdef PKIX_BUILDDEBUG
+
+        PKIX_CHECK(pkix_pl_Cert_ToString_Helper
+                    (cert, PKIX_TRUE, &certString, plContext),
+                    PKIX_CERTTOSTRINGHELPERFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                (certString,
+                PKIX_ESCASCII,
+                &certAscii,
+                &certAsciiLen,
+                plContext),
+                PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii);
+
+#endif
+
+cleanup:
+
+#ifdef PKIX_BUILDDEBUG
+        PKIX_DECREF(certString);
+        PKIX_FREE(certAscii);
+#endif
+
+        PKIX_DECREF(certSubject);
+        PKIX_DECREF(selSubject);
+        PKIX_DECREF(certIssuer);
+        PKIX_DECREF(selIssuer);
+        PKIX_DECREF(certSerialNumber);
+        PKIX_DECREF(selSerialNumber);
+        PKIX_DECREF(selCert);
+        PKIX_DECREF(selDate);
+        PKIX_DECREF(params);
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTSELECTOR_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_CertSelector_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf");
+
+        entry.description = "CertSelector";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_CertSelector);
+        entry.destructor = pkix_CertSelector_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_CertSelector_Duplicate;
+
+        systemClasses[PKIX_CERTSELECTOR_TYPE] = entry;
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_Create(
+        PKIX_CertSelector_MatchCallback callback,
+        PKIX_PL_Object *certSelectorContext,
+        PKIX_CertSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CertSelector *selector = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create");
+        PKIX_NULLCHECK_ONE(pSelector);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTSELECTOR_TYPE,
+                    sizeof (PKIX_CertSelector),
+                    (PKIX_PL_Object **)&selector,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTSELECTOROBJECT);
+
+        /*
+         * if user specified a particular match callback, we use that one.
+         * otherwise, we use the default match implementation which
+         * understands how to process PKIX_ComCertSelParams
+         */
+
+        if (callback){
+                selector->matchCallback = callback;
+        } else {
+                selector->matchCallback = pkix_CertSelector_DefaultMatch;
+        }
+
+        /* initialize other fields */
+        selector->params = NULL;
+
+        PKIX_INCREF(certSelectorContext);
+        selector->context = certSelectorContext;
+
+        *pSelector = selector;
+
+cleanup:
+
+        PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetMatchCallback
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetMatchCallback(
+        PKIX_CertSelector *selector,
+        PKIX_CertSelector_MatchCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback");
+        PKIX_NULLCHECK_TWO(selector, pCallback);
+
+        *pCallback = selector->matchCallback;
+
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCertSelectorContext(
+        PKIX_CertSelector *selector,
+        PKIX_PL_Object **pCertSelectorContext,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext");
+        PKIX_NULLCHECK_TWO(selector, pCertSelectorContext);
+
+        PKIX_INCREF(selector->context);
+
+        *pCertSelectorContext = selector->context;
+
+cleanup:
+        PKIX_RETURN(CERTSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_GetCommonCertSelectorParams(
+        PKIX_CertSelector *selector,
+        PKIX_ComCertSelParams **pParams,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSELECTOR,
+                    "PKIX_CertSelector_GetCommonCertSelectorParams");
+
+        PKIX_NULLCHECK_TWO(selector, pParams);
+
+        PKIX_INCREF(selector->params);
+        *pParams = selector->params;
+
+cleanup:
+        PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_CertSelector_SetCommonCertSelectorParams(
+        PKIX_CertSelector *selector,
+        PKIX_ComCertSelParams *params,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSELECTOR,
+                    "PKIX_CertSelector_SetCommonCertSelectorParams");
+
+        PKIX_NULLCHECK_ONE(selector);
+
+        PKIX_DECREF(selector->params);
+        PKIX_INCREF(params);
+        selector->params = params;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)selector, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTSELECTOR);
+
+}
+
+/*
+ * FUNCTION: pkix_CertSelector_Select
+ * DESCRIPTION:
+ *
+ *  This function applies the selector pointed to by "selector" to each Cert,
+ *  in turn, in the List pointed to by "before", and creates a List containing
+ *  all the Certs that matched, or passed the selection process, storing that
+ *  List at "pAfter". If no Certs match, an empty List is stored at "pAfter".
+ *
+ *  The List returned in "pAfter" is immutable.
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CertSelelector to be applied to the List. Must be non-NULL.
+ *  "before"
+ *      Address of List that is to be filtered. Must be non-NULL.
+ *  "pAfter"
+ *      Address at which resulting List, possibly empty, is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CertSelector_Select(
+	PKIX_CertSelector *selector,
+	PKIX_List *before,
+	PKIX_List **pAfter,
+	void *plContext)
+{
+	PKIX_Boolean match = PKIX_FALSE;
+	PKIX_UInt32 numBefore = 0;
+	PKIX_UInt32 i = 0;
+	PKIX_List *filtered = NULL;
+	PKIX_PL_Cert *candidate = NULL;
+
+        PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
+        PKIX_NULLCHECK_THREE(selector, before, pAfter);
+
+        PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (i = 0; i < numBefore; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (before, i, (PKIX_PL_Object **)&candidate, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK_ONLY_FATAL(selector->matchCallback
+                        (selector, candidate, &match, plContext),
+                        PKIX_CERTSELECTORMATCHCALLBACKFAILED);
+
+                if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) {
+
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (filtered,
+                                (PKIX_PL_Object *)candidate,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                pkixTempErrorReceived = PKIX_FALSE;
+                PKIX_DECREF(candidate);
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        /* Don't throw away the list if one Cert was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        *pAfter = filtered;
+        filtered = NULL;
+
+cleanup:
+
+        PKIX_DECREF(filtered);
+        PKIX_DECREF(candidate);
+
+        PKIX_RETURN(CERTSELECTOR);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h
new file mode 100755
index 000000000..28676b9cd
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_certselector.h
+ *
+ * CertSelector Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_CERTSELECTOR_H
+#define _PKIX_CERTSELECTOR_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_CertSelectorStruct {
+        PKIX_CertSelector_MatchCallback matchCallback;
+        PKIX_ComCertSelParams *params;
+        PKIX_PL_Object *context;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_CertSelector_Select(
+	PKIX_CertSelector *selector,
+	PKIX_List *before,
+	PKIX_List **pAfter,
+	void *plContext);
+
+PKIX_Error *pkix_CertSelector_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CERTSELECTOR_H */
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
new file mode 100755
index 000000000..dbc153964
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
@@ -0,0 +1,1183 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_comcertselparams.c
+ *
+ * ComCertSelParams Object Functions
+ *
+ */
+
+#include "pkix_comcertselparams.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCertSelParams_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *params = NULL;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a comCertSelParams object */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_COMCERTSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCERTSELPARAMS);
+
+        params = (PKIX_ComCertSelParams *)object;
+
+        PKIX_DECREF(params->subject);
+        PKIX_DECREF(params->policies);
+        PKIX_DECREF(params->cert);
+        PKIX_DECREF(params->nameConstraints);
+        PKIX_DECREF(params->pathToNames);
+        PKIX_DECREF(params->subjAltNames);
+        PKIX_DECREF(params->date);
+        PKIX_DECREF(params->extKeyUsage);
+        PKIX_DECREF(params->certValid);
+        PKIX_DECREF(params->issuer);
+        PKIX_DECREF(params->serialNumber);
+        PKIX_DECREF(params->authKeyId);
+        PKIX_DECREF(params->subjKeyId);
+        PKIX_DECREF(params->subjPubKey);
+        PKIX_DECREF(params->subjPKAlgId);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCertSelParams_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_ComCertSelParams *paramsDuplicate = NULL;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_COMCERTSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCERTSELPARAMS);
+
+        params = (PKIX_ComCertSelParams *)object;
+
+        PKIX_CHECK(PKIX_ComCertSelParams_Create(&paramsDuplicate, plContext),
+                    PKIX_COMCERTSELPARAMSCREATEFAILED);
+
+        paramsDuplicate->minPathLength = params->minPathLength;
+        paramsDuplicate->matchAllSubjAltNames = params->matchAllSubjAltNames;
+
+        PKIX_DUPLICATE(params->subject, &paramsDuplicate->subject, plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->policies, &paramsDuplicate->policies, plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        if (params->cert){
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)params->cert,
+                            (PKIX_PL_Object **)&paramsDuplicate->cert,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+        }
+
+        PKIX_DUPLICATE
+                (params->nameConstraints,
+                &paramsDuplicate->nameConstraints,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->pathToNames,
+                &paramsDuplicate->pathToNames,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->subjAltNames,
+                &paramsDuplicate->subjAltNames,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        if (params->date){
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)params->date,
+                            (PKIX_PL_Object **)&paramsDuplicate->date,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+        }
+
+        paramsDuplicate->keyUsage = params->keyUsage;
+
+        PKIX_DUPLICATE(params->certValid,
+                &paramsDuplicate->certValid,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->issuer,
+                &paramsDuplicate->issuer,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->serialNumber,
+                &paramsDuplicate->serialNumber,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->authKeyId,
+                &paramsDuplicate->authKeyId,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->subjKeyId,
+                &paramsDuplicate->subjKeyId,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->subjPubKey,
+                &paramsDuplicate->subjPubKey,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE(params->subjPKAlgId,
+                &paramsDuplicate->subjPKAlgId,
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)paramsDuplicate;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(paramsDuplicate);
+        }
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCertSelParams_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_COMCERTSELPARAMS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ComCertSelParams_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_RegisterSelf");
+
+        entry.description = "ComCertSelParams";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ComCertSelParams);
+        entry.destructor = pkix_ComCertSelParams_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_ComCertSelParams_Duplicate;
+
+        systemClasses[PKIX_COMCERTSELPARAMS_TYPE] = entry;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_Create (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_Create(
+        PKIX_ComCertSelParams **pParams,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *params = NULL;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_Create");
+        PKIX_NULLCHECK_ONE(pParams);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_COMCERTSELPARAMS_TYPE,
+                    sizeof (PKIX_ComCertSelParams),
+                    (PKIX_PL_Object **)&params,
+                    plContext),
+                    PKIX_COULDNOTCREATECOMMONCERTSELPARAMSOBJECT);
+
+        /* initialize fields */
+        params->version = 0xFFFFFFFF;
+        params->minPathLength = -1;
+        params->matchAllSubjAltNames = PKIX_TRUE;
+        params->subject = NULL;
+        params->policies = NULL;
+        params->cert = NULL;
+        params->nameConstraints = NULL;
+        params->pathToNames = NULL;
+        params->subjAltNames = NULL;
+        params->extKeyUsage = NULL;
+        params->keyUsage = 0;
+        params->extKeyUsage = NULL;
+        params->keyUsage = 0;
+        params->date = NULL;
+        params->certValid = NULL;
+        params->issuer = NULL;
+        params->serialNumber = NULL;
+        params->authKeyId = NULL;
+        params->subjKeyId = NULL;
+        params->subjPubKey = NULL;
+        params->subjPKAlgId = NULL;
+
+        *pParams = params;
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubject (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubject(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name **pSubject,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubject");
+        PKIX_NULLCHECK_TWO(params, pSubject);
+
+        PKIX_INCREF(params->subject);
+
+        *pSubject = params->subject;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubject (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubject(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name *subject,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubject");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->subject);
+
+        PKIX_INCREF(subject);
+
+        params->subject = subject;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetBasicConstraints
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetBasicConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 *pMinPathLength,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_GetBasicConstraints");
+        PKIX_NULLCHECK_TWO(params, pMinPathLength);
+
+        *pMinPathLength = params->minPathLength;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetBasicConstraints
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetBasicConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 minPathLength,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_SetBasicConstraints");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->minPathLength = minPathLength;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPolicy (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetPolicy(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pPolicy, /* List of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetPolicy");
+        PKIX_NULLCHECK_TWO(params, pPolicy);
+
+        PKIX_INCREF(params->policies);
+        *pPolicy = params->policies;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPolicy (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPolicy(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *policy, /* List of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetPolicy");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->policies);
+        PKIX_INCREF(policy);
+        params->policies = policy;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificate
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificate(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetCertificate");
+        PKIX_NULLCHECK_TWO(params, pCert);
+
+        PKIX_INCREF(params->cert);
+        *pCert = params->cert;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificate
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificate(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Cert *cert,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetCertificate");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->cert);
+        PKIX_INCREF(cert);
+        params->cert = cert;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetCertificateValid
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetCertificateValid(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_GetCertificateValid");
+
+        PKIX_NULLCHECK_TWO(params, pDate);
+
+        PKIX_INCREF(params->date);
+        *pDate = params->date;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetCertificateValid
+ *      (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetCertificateValid(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_Date *date,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_SetCertificateValid");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->date);
+        PKIX_INCREF(date);
+        params->date = date;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetNameConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetNameConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_GetNameConstraints");
+        PKIX_NULLCHECK_TWO(params, pNameConstraints);
+
+        PKIX_INCREF(params->nameConstraints);
+
+        *pNameConstraints = params->nameConstraints;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetNameConstraints
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetNameConstraints(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_SetNameConstraints");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->nameConstraints);
+        PKIX_INCREF(nameConstraints);
+        params->nameConstraints = nameConstraints;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetPathToNames
+ * (see comments in pkix_certsel.h)
+ */PKIX_Error *
+PKIX_ComCertSelParams_GetPathToNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetPathToNames");
+        PKIX_NULLCHECK_TWO(params, pNames);
+
+        PKIX_INCREF(params->pathToNames);
+
+        *pNames = params->pathToNames;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetPathToNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetPathToNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *names,  /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetPathToNames");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->pathToNames);
+        PKIX_INCREF(names);
+
+        params->pathToNames = names;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddPathToName
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddPathToName(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_GeneralName *name,
+        void *plContext)
+{
+        PKIX_List *pathToNamesList = NULL;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddPathToName");
+        PKIX_NULLCHECK_ONE(params);
+
+        if (name == NULL) {
+                goto cleanup;
+        }
+
+        if (params->pathToNames == NULL) {
+                /* Create a list for name item */
+                PKIX_CHECK(PKIX_List_Create(&pathToNamesList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+                params->pathToNames = pathToNamesList;
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (params->pathToNames, (PKIX_PL_Object *)name, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pNames, /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjAltNames");
+        PKIX_NULLCHECK_TWO(params, pNames);
+
+        PKIX_INCREF(params->subjAltNames);
+
+        *pNames = params->subjAltNames;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *names,  /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubjAltNames");
+        PKIX_NULLCHECK_TWO(params, names);
+
+        PKIX_DECREF(params->subjAltNames);
+        PKIX_INCREF(names);
+
+        params->subjAltNames = names;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_AddSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_AddSubjAltName(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_GeneralName *name,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddSubjAltName");
+        PKIX_NULLCHECK_TWO(params, name);
+
+        if (params->subjAltNames == NULL) {
+                PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                        PKIX_LISTCREATEFAILED);
+                params->subjAltNames = list;
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (params->subjAltNames, (PKIX_PL_Object *)name, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS)
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetMatchAllSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean *pMatch,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
+        PKIX_NULLCHECK_TWO(params, pMatch);
+
+        *pMatch = params->matchAllSubjAltNames;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetMatchAllSubjAltNames
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
+        PKIX_ComCertSelParams *params,
+        PKIX_Boolean match,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->matchAllSubjAltNames = match;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetExtendedKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetExtendedKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pExtKeyUsage, /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_GetExtendedKeyUsage");
+        PKIX_NULLCHECK_TWO(params, pExtKeyUsage);
+
+        PKIX_INCREF(params->extKeyUsage);
+        *pExtKeyUsage = params->extKeyUsage;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetExtendedKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetExtendedKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_List *extKeyUsage,  /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_SetExtendedKeyUsage");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->extKeyUsage);
+        PKIX_INCREF(extKeyUsage);
+
+        params->extKeyUsage = extKeyUsage;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 *pKeyUsage,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_GetKeyUsage");
+        PKIX_NULLCHECK_TWO(params, pKeyUsage);
+
+        *pKeyUsage = params->keyUsage;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetKeyUsage
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetKeyUsage(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 keyUsage,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                "PKIX_ComCertSelParams_SetKeyUsage");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->keyUsage = keyUsage;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetIssuer
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetIssuer(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name **pIssuer,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetIssuer");
+        PKIX_NULLCHECK_TWO(params, pIssuer);
+
+        PKIX_INCREF(params->issuer);
+        *pIssuer = params->issuer;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetIssuer
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetIssuer(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_X500Name *issuer,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetIssuer");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->issuer);
+        PKIX_INCREF(issuer);
+        params->issuer = issuer;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSerialNumber
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSerialNumber(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_BigInt **pSerialNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSerialNumber");
+        PKIX_NULLCHECK_TWO(params, pSerialNumber);
+
+        PKIX_INCREF(params->serialNumber);
+        *pSerialNumber = params->serialNumber;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSerialNumber
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSerialNumber(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_BigInt *serialNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSerialNumber");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->serialNumber);
+        PKIX_INCREF(serialNumber);
+        params->serialNumber = serialNumber;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetVersion
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetVersion(
+        PKIX_ComCertSelParams *params,
+        PKIX_UInt32 *pVersion,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetVersion");
+        PKIX_NULLCHECK_TWO(params, pVersion);
+
+        *pVersion = params->version;
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetVersion
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetVersion(
+        PKIX_ComCertSelParams *params,
+        PKIX_Int32 version,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetVersion");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->version = version;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray **pSubjKeyId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_GetSubjKeyIdentifier");
+        PKIX_NULLCHECK_TWO(params, pSubjKeyId);
+
+        PKIX_INCREF(params->subjKeyId);
+
+        *pSubjKeyId = params->subjKeyId;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray *subjKeyId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_SetSubjKeyIdentifier");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->subjKeyId);
+        PKIX_INCREF(subjKeyId);
+
+        params->subjKeyId = subjKeyId;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetAuthorityKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray **pAuthKeyId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_GetAuthorityKeyIdentifier");
+        PKIX_NULLCHECK_TWO(params, pAuthKeyId);
+
+        PKIX_INCREF(params->authKeyId);
+
+        *pAuthKeyId = params->authKeyId;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetAuthorityKeyIdentifier(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_ByteArray *authKeyId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_SetAuthKeyIdentifier");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->authKeyId);
+        PKIX_INCREF(authKeyId);
+
+        params->authKeyId = authKeyId;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPubKey
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPubKey(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_PublicKey **pSubjPubKey,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjPubKey");
+        PKIX_NULLCHECK_TWO(params, pSubjPubKey);
+
+        PKIX_INCREF(params->subjPubKey);
+
+        *pSubjPubKey = params->subjPubKey;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPubKey
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPubKey(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_PublicKey *subjPubKey,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS,
+                    "PKIX_ComCertSelParams_SetSubjPubKey");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->subjPubKey);
+        PKIX_INCREF(subjPubKey);
+
+        params->subjPubKey = subjPubKey;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_GetSubjPKAlgId
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_GetSubjPKAlgId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_OID **pAlgId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetSubjPKAlgId");
+        PKIX_NULLCHECK_TWO(params, pAlgId);
+
+        PKIX_INCREF(params->subjPKAlgId);
+
+        *pAlgId = params->subjPKAlgId;
+
+cleanup:
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCertSelParams_SetSubjPKAlgId
+ * (see comments in pkix_certsel.h)
+ */
+PKIX_Error *
+PKIX_ComCertSelParams_SetSubjPKAlgId(
+        PKIX_ComCertSelParams *params,
+        PKIX_PL_OID *algId,
+        void *plContext)
+{
+        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetSubjPKAlgId");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->subjPKAlgId);
+        PKIX_INCREF(algId);
+
+        params->subjPKAlgId = algId;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCERTSELPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
new file mode 100755
index 000000000..af778802d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
@@ -0,0 +1,89 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_comcertselparams.h
+ *
+ * ComCertSelParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_COMCERTSELPARAMS_H
+#define _PKIX_COMCERTSELPARAMS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * pathToNamesConstraint is Name Constraints generated based on the
+ * pathToNames. We save a cached copy to save regeneration for each
+ * check. SubjAltNames also has its cache, since SubjAltNames are
+ * verified by checker, its cache copy is stored in checkerstate.
+ */
+struct PKIX_ComCertSelParamsStruct {
+        PKIX_Int32 version;
+        PKIX_Int32 minPathLength;
+        PKIX_Boolean matchAllSubjAltNames;
+        PKIX_PL_X500Name *subject;
+        PKIX_List *policies; /* List of PKIX_PL_OID */
+        PKIX_PL_Cert *cert;
+        PKIX_PL_CertNameConstraints *nameConstraints;
+        PKIX_List *pathToNames; /* List of PKIX_PL_GeneralNames */
+        PKIX_List *subjAltNames; /* List of PKIX_PL_GeneralNames */
+        PKIX_List *extKeyUsage; /* List of PKIX_PL_OID */
+        PKIX_UInt32 keyUsage;
+        PKIX_PL_Date *date;
+        PKIX_PL_Date *certValid;
+        PKIX_PL_X500Name *issuer;
+        PKIX_PL_BigInt *serialNumber;
+        PKIX_PL_ByteArray *authKeyId;
+        PKIX_PL_ByteArray *subjKeyId;
+        PKIX_PL_PublicKey *subjPubKey;
+        PKIX_PL_OID *subjPKAlgId;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ComCertSelParams_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_COMCERTSELPARAMS_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/Makefile b/security/nss/lib/libpkix/pkix/checker/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/checker/config.mk b/security/nss/lib/libpkix/pkix/checker/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/checker/manifest.mn b/security/nss/lib/libpkix/pkix/checker/manifest.mn
new file mode 100755
index 000000000..b30b5236c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn
@@ -0,0 +1,78 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_basicconstraintschecker.h \
+	pkix_certchainchecker.h \
+	pkix_defaultcrlchecker.h \
+	pkix_defaultrevchecker.h \
+	pkix_expirationchecker.h \
+	pkix_namechainingchecker.h \
+	pkix_nameconstraintschecker.h \
+	pkix_ocspchecker.h \
+	pkix_policychecker.h \
+	pkix_revocationchecker.h \
+	pkix_signaturechecker.h \
+	pkix_targetcertchecker.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_basicconstraintschecker.c \
+	pkix_certchainchecker.c \
+	pkix_defaultcrlchecker.c \
+	pkix_defaultrevchecker.c \
+	pkix_expirationchecker.c \
+	pkix_namechainingchecker.c \
+	pkix_nameconstraintschecker.c \
+	pkix_ocspchecker.c \
+	pkix_revocationchecker.c \
+	pkix_policychecker.c \
+	pkix_signaturechecker.c \
+	pkix_targetcertchecker.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixchecker
+
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c
new file mode 100755
index 000000000..809d4be3b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c
@@ -0,0 +1,339 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.c
+ *
+ * Functions for basic constraints validation
+ *
+ */
+
+#include "pkix_basicconstraintschecker.h"
+
+/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a basic constraints checker state */
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
+
+        state = (pkix_BasicConstraintsCheckerState *)object;
+
+        PKIX_DECREF(state->basicConstraintsOID);
+
+cleanup:
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                "pkix_BasicConstraintsCheckerState_RegisterSelf");
+
+        entry.description = "BasicConstraintsCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
+        entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new BasicConstraintsCheckerState using the number of certs in
+ *  the chain represented by "certsRemaining" and stores it at "pState".
+ *
+ * PARAMETERS:
+ *  "certsRemaining"
+ *      Number of certificates in the chain.
+ *  "pState"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a BasicConstraintsCheckerState Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Create(
+        PKIX_UInt32 certsRemaining,
+        pkix_BasicConstraintsCheckerState **pState,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+                    "pkix_BasicConstraintsCheckerState_Create");
+
+        PKIX_NULLCHECK_ONE(pState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
+                    sizeof (pkix_BasicConstraintsCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
+
+        /* initialize fields */
+        state->certsRemaining = certsRemaining;
+        state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_BASICCONSTRAINTS_OID,
+                    &state->basicConstraintsOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-BasicConstraintsChecker-Functions------------------------------ */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        pkix_BasicConstraintsCheckerState *state = NULL;
+        PKIX_Boolean caFlag = PKIX_FALSE;
+        PKIX_Int32 pathLength = 0;
+        PKIX_Int32 maxPathLength_now;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        state->certsRemaining--;
+
+        if (state->certsRemaining != 0) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                    (cert, &basicConstraints, plContext),
+                    PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+                /* get CA Flag and path length */
+                if (basicConstraints != NULL) {
+                        PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+                            (basicConstraints,
+                            &caFlag,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+                if (caFlag == PKIX_TRUE) {
+                        PKIX_CHECK
+                            (PKIX_PL_BasicConstraints_GetPathLenConstraint
+                            (basicConstraints,
+                            &pathLength,
+                            plContext),
+                            PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+                }
+
+                }else{
+                        caFlag = PKIX_FALSE;
+                        pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+                }
+
+                PKIX_CHECK(pkix_IsCertSelfIssued
+                        (cert,
+                        &isSelfIssued,
+                        plContext),
+                        PKIX_ISCERTSELFISSUEDFAILED);
+
+                maxPathLength_now = state->maxPathLength;
+
+                if (isSelfIssued != PKIX_TRUE) {
+
+                    /* Not last CA Cert, but maxPathLength is down to zero */
+                    if (maxPathLength_now == 0) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
+                    }
+
+                    if (caFlag == PKIX_FALSE) {
+                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
+                    }
+
+                    if (maxPathLength_now > 0) { /* can be unlimited (-1) */
+                        maxPathLength_now--;
+                    }
+
+                }
+
+                if (caFlag == PKIX_TRUE) {
+                    if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
+                            maxPathLength_now = pathLength;
+                    } else {
+                            /* If pathLength is not specified, don't set */
+                        if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
+                            maxPathLength_now =
+                                    (maxPathLength_now > pathLength)?
+                                    pathLength:maxPathLength_now;
+                        }
+                    }
+                }
+
+                state->maxPathLength = maxPathLength_now;
+        }
+
+        /* Remove Basic Constraints Extension OID from list */
+        if (unresolvedCriticalExtensions != NULL) {
+
+                PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->basicConstraintsOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+        }
+
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+
+cleanup:
+        PKIX_DECREF(state);
+        PKIX_DECREF(basicConstraints);
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Initialize
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_BasicConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
+                    (certsRemaining, &state, plContext),
+                    PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_BasicConstraintsChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCHECKFAILED);
+
+cleanup:
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h
new file mode 100755
index 000000000..0b8049013
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.h
+ *
+ * Header file for basic constraints checker.
+ *
+ */
+
+#ifndef _PKIX_BASICCONSTRAINTSCHECKER_H
+#define _PKIX_BASICCONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_BasicConstraintsCheckerStateStruct \
+        pkix_BasicConstraintsCheckerState;
+
+struct pkix_BasicConstraintsCheckerStateStruct{
+        PKIX_PL_OID *basicConstraintsOID;
+        PKIX_Int32 certsRemaining;
+        PKIX_Int32 maxPathLength;
+};
+
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BASICCONSTRAINTSCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.c
new file mode 100755
index 000000000..0818a0566
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.c
@@ -0,0 +1,355 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_certchainchecker.c
+ *
+ * CertChainChecker Object Functions
+ *
+ */
+
+#include "pkix_certchainchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_CertChainChecker_Destroy
+ *      (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertChainChecker_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_CertChainChecker *checker = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_CertChainChecker_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a cert chain checker */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTCHAINCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTCHAINCHECKER);
+
+        checker = (PKIX_CertChainChecker *)object;
+
+        PKIX_DECREF(checker->extensions);
+        PKIX_DECREF(checker->state);
+
+cleanup:
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_CertChainChecker_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertChainChecker_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_CertChainChecker *checker = NULL;
+        PKIX_CertChainChecker *checkerDuplicate = NULL;
+        PKIX_List *extensionsDuplicate = NULL;
+        PKIX_PL_Object *stateDuplicate = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_CertChainChecker_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTCHAINCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTCHAINCHECKER);
+
+        checker = (PKIX_CertChainChecker *)object;
+
+        if (checker->extensions){
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)checker->extensions,
+                            (PKIX_PL_Object **)&extensionsDuplicate,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+        }
+
+        if (checker->state){
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)checker->state,
+                            (PKIX_PL_Object **)&stateDuplicate,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (checker->checkCallback,
+                    checker->forwardChecking,
+                    checker->isForwardDirectionExpected,
+                    extensionsDuplicate,
+                    stateDuplicate,
+                    &checkerDuplicate,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)checkerDuplicate;
+
+cleanup:
+
+        PKIX_DECREF(extensionsDuplicate);
+        PKIX_DECREF(stateDuplicate);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_CertChainChecker_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTCHAINCHECKER_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_CertChainChecker_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_CertChainChecker_RegisterSelf");
+
+        entry.description = "CertChainChecker";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_CertChainChecker);
+        entry.destructor = pkix_CertChainChecker_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_CertChainChecker_Duplicate;
+
+        systemClasses[PKIX_CERTCHAINCHECKER_TYPE] = entry;
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_Create (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_Create(
+    PKIX_CertChainChecker_CheckCallback callback,
+    PKIX_Boolean forwardCheckingSupported,
+    PKIX_Boolean isForwardDirectionExpected,
+    PKIX_List *list,  /* list of PKIX_PL_OID */
+    PKIX_PL_Object *initialState,
+    PKIX_CertChainChecker **pChecker,
+    void *plContext)
+{
+        PKIX_CertChainChecker *checker = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CertChainChecker_Create");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTCHAINCHECKER_TYPE,
+                    sizeof (PKIX_CertChainChecker),
+                    (PKIX_PL_Object **)&checker,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
+
+        /* initialize fields */
+        checker->checkCallback = callback;
+        checker->forwardChecking = forwardCheckingSupported;
+        checker->isForwardDirectionExpected = isForwardDirectionExpected;
+
+        PKIX_INCREF(list);
+        checker->extensions = list;
+
+        PKIX_INCREF(initialState);
+        checker->state = initialState;
+
+        *pChecker = checker;
+        checker = NULL;
+cleanup:
+        
+        PKIX_DECREF(checker);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetCheckCallback
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetCheckCallback(
+        PKIX_CertChainChecker *checker,
+        PKIX_CertChainChecker_CheckCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CertChainChecker_GetCheckCallback");
+        PKIX_NULLCHECK_TWO(checker, pCallback);
+
+        *pCallback = checker->checkCallback;
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_IsForwardCheckingSupported
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_IsForwardCheckingSupported(
+        PKIX_CertChainChecker *checker,
+        PKIX_Boolean *pForwardCheckingSupported,
+        void *plContext)
+{
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "PKIX_CertChainChecker_IsForwardCheckingSupported");
+        PKIX_NULLCHECK_TWO(checker, pForwardCheckingSupported);
+
+        *pForwardCheckingSupported = checker->forwardChecking;
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_IsForwardDirectionExpected
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_IsForwardDirectionExpected(
+        PKIX_CertChainChecker *checker,
+        PKIX_Boolean *pForwardDirectionExpected,
+        void *plContext)
+{
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "PKIX_CertChainChecker_IsForwardDirectionExpected");
+        PKIX_NULLCHECK_TWO(checker, pForwardDirectionExpected);
+
+        *pForwardDirectionExpected = checker->isForwardDirectionExpected;
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetCertChainCheckerState
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetCertChainCheckerState(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Object **pCertChainCheckerState,
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER,
+                    "PKIX_CertChainChecker_GetCertChainCheckerState");
+
+        PKIX_NULLCHECK_TWO(checker, pCertChainCheckerState);
+
+        PKIX_INCREF(checker->state);
+
+        *pCertChainCheckerState = checker->state;
+
+cleanup:
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_SetCertChainCheckerState
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_SetCertChainCheckerState(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Object *certChainCheckerState,
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER,
+                    "PKIX_CertChainChecker_SetCertChainCheckerState");
+
+        PKIX_NULLCHECK_ONE(checker);
+
+        /* DecRef old contents */
+        PKIX_DECREF(checker->state);
+
+        PKIX_INCREF(certChainCheckerState);
+        checker->state = certChainCheckerState;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)checker, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_CertChainChecker_GetSupportedExtensions
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_CertChainChecker_GetSupportedExtensions(
+        PKIX_CertChainChecker *checker,
+        PKIX_List **pExtensions, /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER,
+                    "PKIX_CertChainChecker_GetSupportedExtensions");
+
+        PKIX_NULLCHECK_TWO(checker, pExtensions);
+
+        PKIX_INCREF(checker->extensions);
+
+        *pExtensions = checker->extensions;
+
+cleanup:
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.h
new file mode 100755
index 000000000..445b7452d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_certchainchecker.h
@@ -0,0 +1,69 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_certchainchecker.h
+ *
+ * CertChainChecker Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_CERTCHAINCHECKER_H
+#define _PKIX_CERTCHAINCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_CertChainCheckerStruct {
+        PKIX_CertChainChecker_CheckCallback checkCallback;
+        PKIX_List *extensions;
+        PKIX_PL_Object *state;
+        PKIX_Boolean forwardChecking;
+        PKIX_Boolean isForwardDirectionExpected;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_CertChainChecker_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CERTCHAINCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
new file mode 100755
index 000000000..da333ae7e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
@@ -0,0 +1,1205 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.c
+ *
+ * Functions for default CRL Checkers
+ *
+ */
+#define CERTCHAINCHECKERDEBUG 1
+
+#include "pkix_defaultcrlchecker.h"
+
+static char *reasonCodeMsgString[] = {
+	"Certificate is revoked by CRL for unspecified reason"
+	"Certificate is revoked by CRL for key compromise",
+	"Certificate is revoked by CRL for CA compromise",
+	"Certificate is revoked by CRL for affiliation changed",
+	"Certificate is revoked by CRL for being superseded",
+	"Certificate is revoked by CRL for cessation of operation",
+	"Certificate is revoked by CRL for certificate hold",
+	"Certificate is revoked by CRL for undefined reason",
+	"Certificate is revoked by CRL for being removed from CRL",
+	"Certificate is revoked by CRL for privilege withdrawn",
+	"Certificate is revoked by CRL for aACompromise",
+};
+
+static const int numReasonCodes = 
+    sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
+
+/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a default CRL checker state */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
+                    PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+        state = (pkix_DefaultCRLCheckerState *)object;
+
+        state->certHasValidCrl = PKIX_FALSE;
+        state->prevCertCrlSign = PKIX_FALSE;
+        state->reasonCodeMask = 0;
+
+        PKIX_DECREF(state->certStores);
+        PKIX_DECREF(state->testDate);
+        PKIX_DECREF(state->prevPublicKey);
+        PKIX_DECREF(state->prevPublicKeyList);
+        PKIX_DECREF(state->crlReasonCodeOID);
+        PKIX_DECREF(state->certIssuer);
+        PKIX_DECREF(state->certSerialNumber);
+        PKIX_DECREF(state->crlSelector);
+        state->crlStoreIndex = 0;
+        state->numCrlStores = 0;
+
+cleanup:
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
+ *  with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_RegisterSelf");
+
+        entry.description = "DefaultCRLCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
+        entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize DefaultCRLChecker state data.
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Trusted Anchor Public Key for verifying first Cert in the chain.
+ *      Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "nistCRLPolicyEnabled"
+ *      If enabled, enforce nist crl policy.
+ *  "pCheckerState"
+ *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Create(
+    PKIX_List *certStores,
+    PKIX_PL_Date *testDate,
+    PKIX_PL_PublicKey *trustedPubKey,
+    PKIX_UInt32 certsRemaining,
+    PKIX_Boolean nistCRLPolicyEnabled,
+    pkix_DefaultCRLCheckerState **pCheckerState,
+    void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+                    "pkix_DefaultCRLCheckerState_Create");
+        PKIX_NULLCHECK_TWO(certStores, pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+                    sizeof (pkix_DefaultCRLCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
+
+        /* Initialize fields */
+
+        PKIX_INCREF(certStores);
+        state->certStores = certStores;
+
+        PKIX_INCREF(testDate);
+        state->testDate = testDate;
+
+        PKIX_INCREF(trustedPubKey);
+        state->prevPublicKey = trustedPubKey;
+
+        state->certHasValidCrl = PKIX_FALSE;
+        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
+        state->prevCertCrlSign = PKIX_TRUE;
+        state->prevPublicKeyList = NULL;
+        state->reasonCodeMask = 0;
+        state->certsRemaining = certsRemaining;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_CRLREASONCODE_OID,
+                    &state->crlReasonCodeOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        state->certIssuer = NULL;
+        state->certSerialNumber = NULL;
+        state->crlSelector = NULL;
+        state->crlStoreIndex = 0;
+        state->numCrlStores = 0;
+
+        *pCheckerState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/* --Private-DefaultCRLChecker-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
+ *
+ * DESCRIPTION:
+ *  Check validity of "cert" based on CRLs at "crlList" that has correct
+ *  signature verification with "publicKey".
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert which has the certificate data. Must be non-NULL.
+ *  "certIssuer"
+ *      Address of Issuer that associates with the Cert. Must be non-NULL.
+ *  "certSerialNumber"
+ *      Address of Serial Number that associates with the Cert. Must be 
+ *      non-NULL.
+ *  "publicKey"
+ *      Address of Public Key that associates with the Cert Issuer.
+ *      Must be non-NULL.
+ *  "crlList"
+ *      A List CRLs that the certificate is verified upon. Must be non-NULL.
+ *  "state"
+ *      Address of DefaultCRLCheckerState which keeps dynamic state data.
+ *      Must be non-NULL.
+ *  "pCrlEntryList"
+ *      Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
+ *      this Cert. May be NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_CheckCRLs(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_PL_PublicKey *publicKey,
+        PKIX_List *crlList,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List **pCrlEntryList,
+        void *plContext)
+{
+        PKIX_PL_CRL *crl = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_PL_PublicKey *pKey = NULL;
+        PKIX_List *unresCrlCritExtOIDs = NULL;
+        PKIX_List *unresCrlEntryCritExtOIDs = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_Error *verifyFail = NULL;
+        PKIX_UInt32 numCrls = 0;
+        PKIX_UInt32 numKeys = 0;
+        PKIX_UInt32 numCritExtOIDs = 0;
+        PKIX_Boolean crlVerified = PKIX_FALSE;
+        PKIX_Boolean crlRevoking = PKIX_FALSE;
+        PKIX_Int32 reasonCode = 0;
+        PKIX_UInt32 i;
+        PKIX_Int32 j;
+
+        PKIX_ENTER(CERTCHAINCHECKER,
+                    "pkix_DefaultCRLChecker_CheckCRLs");
+        PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
+
+        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        if (state->prevPublicKeyList != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (state->prevPublicKeyList, &numKeys, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+        }
+
+        /* Check if Cert is not revoked by any the the CRLs */
+
+        for (i = 0; i < numCrls; i++){
+
+                PKIX_CHECK(PKIX_List_GetItem
+                            (crlList, i, (PKIX_PL_Object **)&crl, plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                /*
+                 * Checking serial number (issuer done in selector) then
+                 * verify signature. If matches, get the CRL reason(s).
+                 */
+
+                if (state->prevCertCrlSign == PKIX_TRUE) {
+                        verifyFail = PKIX_PL_CRL_VerifySignature
+                                (crl, publicKey, plContext);
+                        if (verifyFail == NULL) {
+                                crlVerified = PKIX_TRUE;
+                        } else {
+                                crlVerified = PKIX_FALSE;
+                                PKIX_DECREF(verifyFail);
+                        }
+                }
+
+                if (crlVerified == PKIX_FALSE) {
+
+                    /* Verify from old key(s) on the list */
+                    for (j = numKeys - 1; j >= 0; j--) {
+
+                            PKIX_CHECK(PKIX_List_GetItem
+                                (state->prevPublicKeyList,
+                                j,
+                                (PKIX_PL_Object **) &pKey,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                            verifyFail = PKIX_PL_CRL_VerifySignature
+                                (crl, pKey, plContext);
+
+                            if (verifyFail == NULL) {
+                                crlVerified = PKIX_TRUE;
+                                break;
+                            } else {
+                                crlVerified = PKIX_FALSE;
+                                PKIX_DECREF(verifyFail);
+                            }
+
+                            PKIX_DECREF(pKey);
+                    }
+                }
+
+                if (crlVerified == PKIX_FALSE) {
+                    /* try next one ... */
+                    goto cleanup_loop;
+                }
+
+                state->certHasValidCrl = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
+                            (crl, &unresCrlCritExtOIDs, plContext),
+                            PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
+
+                /*
+                 * XXX Advanced CRL work - should put a
+                 * Loop here to process and remove critical
+                 * extension oids.
+                 */
+
+                if (unresCrlCritExtOIDs) {
+
+                    PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
+                        &numCritExtOIDs,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                    if (numCritExtOIDs != 0) {
+                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                                (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
+                        /*
+                         * Uncomment this after we have implemented
+                         * checkers for all the critical extensions.
+                         *
+                         * PKIX_ERROR
+                         *      ("Unrecognized CRL Critical Extension");
+                         */
+                    }
+                }
+
+                PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
+                            (crl, certSerialNumber, &crlEntry, plContext),
+                            PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
+
+                if (crlEntry == NULL) {
+                    goto cleanup_loop;
+                }
+
+                crlRevoking = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                            (crlEntry,
+                            &reasonCode,
+                            plContext),
+                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+                /* This is a valid CRLEntry, return it for caching */
+                if (crlEntryList == NULL) {
+                    PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                /* Set reason code in state for advance CRL reviewing */
+
+                if (reasonCode >= 0) {
+                    if (reasonCode >= numReasonCodes) 
+		        reasonCode = 0;
+
+                    state->reasonCodeMask |= 1 << reasonCode;
+                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+                        ("CRL revocation Reason: %s\n ",
+                        reasonCodeMsgString[reasonCode]);
+
+                } else {
+                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                        ("Revoked by Unknown CRL ReasonCode");
+                }
+
+                PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+                            (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
+                            PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
+                if (unresCrlEntryCritExtOIDs) {
+
+                    PKIX_CHECK(pkix_List_Remove
+                            (unresCrlEntryCritExtOIDs,
+                            (PKIX_PL_Object *) state->crlReasonCodeOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+
+                    PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
+                        &numCritExtOIDs,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                    if (numCritExtOIDs != 0) {
+
+                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+                            (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
+                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
+                    }
+                }
+
+        cleanup_loop:
+
+                PKIX_DECREF(pKey);
+                PKIX_DECREF(verifyFail);
+                PKIX_DECREF(pKey);
+                PKIX_DECREF(crlEntry);
+                PKIX_DECREF(crl);
+                PKIX_DECREF(unresCrlCritExtOIDs);
+                PKIX_DECREF(unresCrlEntryCritExtOIDs);
+        }
+
+        *pCrlEntryList = crlEntryList;
+
+        if (crlRevoking == PKIX_TRUE) {
+
+                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+        }
+
+cleanup:
+
+        PKIX_DECREF(pKey);
+        PKIX_DECREF(verifyFail);
+        PKIX_DECREF(crlEntry);
+        PKIX_DECREF(crl);
+        PKIX_DECREF(unresCrlCritExtOIDs);
+        PKIX_DECREF(unresCrlEntryCritExtOIDs);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
+ *
+ * DESCRIPTION:
+ *  This function creates a CRLSelector suitable for finding a CRL for
+ *  the Cert pointed to by "cert", setting the result in the
+ *  defaultCRLCheckerState pointed to by "state".
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert for which a CRLSelector is to be constructed. Must be
+ *      non-NULL.
+ *  "state"
+ *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+        PKIX_PL_Cert *cert,
+        pkix_DefaultCRLCheckerState *state,
+        void *plContext)
+{
+        PKIX_PL_X500Name *certIssuer = NULL;
+        PKIX_PL_BigInt *certSerialNumber = NULL;
+        PKIX_PL_Date *nowDate = NULL;
+        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
+        PKIX_NULLCHECK_TWO(cert, state);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
+                PKIX_CERTGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
+                (cert, &certSerialNumber, plContext),
+                PKIX_CERTGETSERIALNUMBERFAILED);
+
+        if (state->testDate != NULL) {
+
+                PKIX_INCREF(state->testDate);
+                nowDate = state->testDate;
+
+        } else {
+
+                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                        (NULL, &nowDate, plContext),
+                        PKIX_DATECREATEUTCTIMEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_Create
+                (&comCrlSelParams, plContext),
+                PKIX_COMCRLSELPARAMSCREATEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
+                (comCrlSelParams, certIssuer, plContext),
+                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
+                (comCrlSelParams, nowDate, plContext),
+                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
+                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
+
+        PKIX_CHECK(PKIX_CRLSelector_Create
+                (NULL,
+                NULL, /* never used? (PKIX_PL_Object *)checker, */
+                &crlSelector,
+                plContext),
+                PKIX_CRLSELECTORCREATEFAILED);
+
+        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
+                (crlSelector, comCrlSelParams, plContext),
+                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
+
+        PKIX_DECREF(state->certIssuer);
+        PKIX_INCREF(certIssuer);
+        state->certIssuer = certIssuer;
+        PKIX_DECREF(state->certSerialNumber);
+        PKIX_INCREF(certSerialNumber);
+        state->certSerialNumber = certSerialNumber;
+        PKIX_DECREF(state->crlSelector);
+        PKIX_INCREF(crlSelector);
+        state->crlSelector = crlSelector;
+
+        state->crlStoreIndex = 0;
+
+        PKIX_CHECK(PKIX_List_GetLength
+                    (state->certStores, &(state->numCrlStores), plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        state->certHasValidCrl = PKIX_FALSE;
+
+cleanup:
+
+        PKIX_DECREF(certIssuer);
+        PKIX_DECREF(certSerialNumber);
+        PKIX_DECREF(nowDate);
+        PKIX_DECREF(comCrlSelParams);
+        PKIX_DECREF(crlSelector);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Store
+ *
+ * DESCRIPTION:
+ *  Checks the certStore pointed to by "certStore" for a CRL that may determine
+ *  whether the Cert pointed to by "cert" has been revoked.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "prevPublicKey"
+ *      Address of previous public key in the backward chain. May be NULL.
+ *  "state"
+ *      Address of DefaultCrlCheckerState. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "certStore"
+ *      Address of the CertStore to be queried for a relevant CRL. Must be
+ *      non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if processing
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultCrlCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check_Store(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_CertStore *certStore,
+        void **pNBIOContext,
+        void *plContext)
+{
+
+        PKIX_Boolean cacheFlag = PKIX_FALSE;
+        PKIX_Boolean cacheHit = PKIX_FALSE;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Int32 reasonCode = 0;
+        PKIX_UInt32 allReasonCodes = 0;
+        PKIX_List *crlList = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_Error *checkCrlFail = NULL;
+        PKIX_CertStore_CRLCallback getCrls = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
+        PKIX_NULLCHECK_TWO(checker, cert);
+        PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        /* Are this CertStore's entries in cache? */
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                (certStore, &cacheFlag, plContext),
+                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+        if (cacheFlag) {
+
+                PKIX_CHECK(pkix_CacheCrlEntry_Lookup
+                        (certStore,
+                        state->certIssuer,
+                        state->certSerialNumber,
+                        &cacheHit,
+                        &crlEntryList,
+                        plContext),
+                        PKIX_CACHECRLENTRYLOOKUPFAILED);
+
+        }
+
+        if (cacheHit) {
+
+                /* Use cached data */
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (crlEntryList, &numEntries, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numEntries; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                            (crlEntryList,
+                            i,
+                            (PKIX_PL_Object **)&crlEntry,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                            (crlEntry, &reasonCode, plContext),
+                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+		    if (reasonCode >= 0) {
+			if (reasonCode >= numReasonCodes) 
+			    reasonCode = 0;
+
+			allReasonCodes |= (1 << reasonCode);
+
+			PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+                                    ("CRL revocation Reason: %s\n ",
+                                    reasonCodeMsgString[reasonCode]);
+
+                    }
+
+                    PKIX_DECREF(crlEntry);
+                }
+
+                state->reasonCodeMask |= allReasonCodes;
+
+                if (allReasonCodes != 0) {
+
+                        PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+                }
+ 
+                PKIX_DECREF(crlEntryList);
+
+       } else {
+
+                if (nbioContext == NULL) {
+                        PKIX_CHECK(PKIX_CertStore_GetCRLCallback
+                                (certStore, &getCrls, plContext),
+                                PKIX_CERTSTOREGETCRLCALLBACKFAILED);
+
+                        PKIX_CHECK(getCrls
+                                (certStore,
+                                state->crlSelector,
+                                &nbioContext,
+                                &crlList,
+                                plContext),
+                                PKIX_GETCRLSFAILED);
+                } else {
+                        PKIX_CHECK(PKIX_CertStore_CrlContinue
+                                (certStore,
+                                state->crlSelector,
+                                &nbioContext,
+                                &crlList,
+                                plContext),
+                                PKIX_CERTSTORECRLCONTINUEFAILED);
+                }
+
+                /*
+                 * Verify Certificate validity: if one CertStore provides
+                 * reason code, we stop here. Instead of exhausting all
+                 * CertStores to get all possible reason codes associated
+                 *  with the Cert. May be expanded if desire otherwise.
+                 */
+
+                if (crlList == NULL) {
+
+                        *pNBIOContext = nbioContext;
+                } else {
+
+                        *pNBIOContext = NULL;
+
+                        checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
+                                (cert,
+                                state->certIssuer,
+                                state->certSerialNumber,
+                                prevPublicKey,
+                                crlList,
+                                state,
+                                &crlEntryList,
+                                plContext);
+
+                        if (checkCrlFail) {
+                                if (crlEntryList != NULL) {
+                                        /* Add to cache */
+                                        PKIX_CHECK(pkix_CacheCrlEntry_Add
+                                               (certStore,
+                                               state->certIssuer,
+                                               state->certSerialNumber,
+                                               crlEntryList,
+                                               plContext),
+                                               PKIX_CACHECRLENTRYADDFAILED);
+                                }
+                                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+                        }
+                }
+
+                PKIX_DECREF(crlList);
+
+        }
+
+cleanup:
+        PKIX_DECREF(crlEntryList);
+        PKIX_DECREF(crlEntry);
+        PKIX_DECREF(crlList);
+        PKIX_DECREF(checkCrlFail);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
+ *
+ * DESCRIPTION:
+ *  Check if the Cert has been revoked based on the CRL's data. It exhausts all
+ *  CertStores and match CRLs at those stores for the certificate. It set the
+ *  current date and issuer in CRLSelector to fetching CRL data from cache.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "prevPublicKey"
+ *      Address of previous public key in the backward chain. May be NULL.
+ *  "state"
+ *      Address of DefaultCrlCheckerState. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "useOnlyLocal"
+ *      Boolean value indicating whether to use or bypass remote CertStores
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored if processing
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_Boolean useOnlyLocal,
+        void **pNBIOContext,
+        void *plContext)
+{
+
+        void *nbioContext = NULL;
+        PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_Error *storeError = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
+        PKIX_NULLCHECK_THREE(checker, cert, state);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for Error exit */
+
+        while ((state->crlStoreIndex) < (state->numCrlStores)) {
+
+                /*
+                 * For Basic CRL work, exit the loop when there is a valid
+                 * CRL. For advance CRL, need to exhaust CRL until all
+                 * reason masks are checked or a revocation is found.
+                 */
+
+                if (state->certHasValidCrl == PKIX_TRUE) {
+                        break;
+                }
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (state->certStores,
+                        state->crlStoreIndex,
+                        (PKIX_PL_Object **)&certStore,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (useOnlyLocal == PKIX_FALSE) {
+                        certStoreCanBeUsed = PKIX_TRUE;
+                } else {
+                        PKIX_CHECK(PKIX_CertStore_GetLocalFlag
+                                (certStore, &certStoreCanBeUsed, plContext),
+                                PKIX_CERTSTOREGETLOCALFLAGFAILED);
+                }
+
+                if (certStoreCanBeUsed == PKIX_TRUE)
+                {
+			/* Catch and re-throw error to preserve information */
+			storeError = pkix_DefaultCRLChecker_Check_Store
+			        (checker,
+			        cert,
+			        prevPublicKey,
+			        state,
+			        unresolvedCriticalExtensions,
+			        certStore,
+			        &nbioContext,
+			        plContext);
+			PKIX_CHECK
+				(storeError,
+				PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
+
+                        if (nbioContext != NULL) {
+                                /* I/O still pending. Exit and resume later. */
+                                *pNBIOContext = nbioContext;
+                                goto cleanup;
+                        }
+                }
+
+                PKIX_DECREF(certStore);
+                state->crlStoreIndex++;
+        } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
+
+        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
+            state->certHasValidCrl == PKIX_FALSE) {
+            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
+        }
+
+cleanup:
+
+        PKIX_DECREF(certStore);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check
+ *
+ * DESCRIPTION:
+ *  Check if the Cert has been revoked based the CRLs data.  This function
+ *  maintains the checker state to be current.
+ *
+ * PARAMETERS
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. Not **yet** used in this checker function.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+        PKIX_PL_PublicKey *publicKey = NULL;
+        PKIX_PL_PublicKey *newPublicKey = NULL;
+        PKIX_Error *checkKeyUsageFail = NULL;
+        PKIX_Boolean selfIssued = PKIX_FALSE;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for Error exit */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (cert, &publicKey, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+        /*
+         * If we already have a selector, we were in the middle of checking
+         * when a certStore returned with non-blocking I/O pendning.
+         */
+        if ((state->crlSelector) == NULL) {
+                state->certsRemaining--;
+
+                PKIX_NULLCHECK_ONE(state->prevPublicKey);
+
+                if (state->prevCertCrlSign == PKIX_FALSE) {
+                        PKIX_ERROR
+                                (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
+                }
+
+                /* Set up CRLSelector */
+                PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+                        (cert, state, plContext),
+                        PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+
+        }
+
+        PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
+                    (checker,
+                    cert,
+                    state->prevPublicKey,
+                    state,
+                    unresolvedCriticalExtensions,
+                    PKIX_FALSE,
+                    &nbioContext,
+                    plContext),
+                    PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
+
+        if (nbioContext != NULL) {
+                *pNBIOContext = nbioContext;
+                goto cleanup;
+        }
+
+        PKIX_DECREF(state->crlSelector);
+
+        /*
+         * Some NIST test case in 4.5.* use different publicKeys for
+         * Cert and its CRL on the chain. Self-issued Certs are used
+         * to speciy multiple keys for those cases. That is why we apply
+         * the following algorithm:
+         *
+         * Check if Cert is self-issued. If so, the public key of the Cert
+         * that issues this Cert (old key) can be used together with this
+         * current key (new key) for key verification. If there are multiple
+         * self-issued certs, keys of those Certs (old keys) can also be used
+         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
+         * List) and cleared when a Cert is no longer self-issued.
+         * PrevPublicKey keep key of the previous Cert.
+         * PrevPublicKeyList keep key(s) of Cert before the previous one.
+         */
+        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+                    PKIX_ISCERTSELFISSUEFAILED);
+
+        if (selfIssued == PKIX_TRUE) {
+
+                if (state->prevPublicKeyList == NULL) {
+
+                        PKIX_CHECK(PKIX_List_Create
+                            (&state->prevPublicKeyList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (state->prevPublicKeyList,
+                            (PKIX_PL_Object *) state->prevPublicKey,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+        } else {
+                /* Not self-issued Cert any more, clear old key(s) saved */
+                PKIX_DECREF(state->prevPublicKeyList);
+        }
+
+        /* Make inheritance and save current Public Key */
+        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+                    (publicKey, state->prevPublicKey, &newPublicKey, plContext),
+                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
+
+        if (newPublicKey == NULL){
+                PKIX_INCREF(publicKey);
+                newPublicKey = publicKey;
+        }
+
+        PKIX_DECREF(state->prevPublicKey);
+        PKIX_INCREF(newPublicKey);
+        state->prevPublicKey = newPublicKey;
+
+        /* Save current Cert's crlSign bit for CRL checking later */
+        if (state->certsRemaining != 0) {
+                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
+                        (cert, PKIX_CRL_SIGN, plContext);
+
+                state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
+                        PKIX_TRUE : PKIX_FALSE;
+
+                PKIX_DECREF(checkKeyUsageFail);
+        }
+
+/*
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                (checker, (PKIX_PL_Object *)state, plContext),
+                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+ */
+
+cleanup:
+
+        PKIX_DECREF(state);
+        PKIX_DECREF(publicKey);
+        PKIX_DECREF(newPublicKey);
+        PKIX_DECREF(checkKeyUsageFail);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Initialize
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with DefaultCRLCheckerState.
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Address of Public Key of Trust Anchor. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "nistPolicyEnabled"
+ *      Enable NIST crl policy.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistPolicyEnabled,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_DefaultCRLCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
+        PKIX_NULLCHECK_TWO(certStores, pChecker);
+
+        PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
+                    (certStores,
+                    testDate,
+                    trustedPubKey,
+                    certsRemaining,
+                    nistPolicyEnabled, 
+                    &state,
+                    plContext),
+                    PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_DefaultCRLChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h
new file mode 100755
index 000000000..1aa4f3f0f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.h
+ *
+ * Header file for default CRL function
+ *
+ */
+
+#ifndef _PKIX_DEFAULTCRLCHECKER_H
+#define _PKIX_DEFAULTCRLCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_DefaultCRLCheckerState pkix_DefaultCRLCheckerState;
+
+struct pkix_DefaultCRLCheckerState {
+        PKIX_List *certStores; /* list of CertStore */
+        PKIX_PL_Date *testDate;
+        PKIX_Boolean certHasValidCrl;
+        PKIX_Boolean nistCRLPolicyEnabled;
+        PKIX_Boolean prevCertCrlSign;
+        PKIX_PL_PublicKey *prevPublicKey; /* Subject PubKey of last cert */
+        PKIX_List *prevPublicKeyList; /* of PKIX_PL_PublicKey */
+        PKIX_UInt32 reasonCodeMask;
+        PKIX_UInt32 certsRemaining;
+        PKIX_PL_OID *crlReasonCodeOID;
+
+        PKIX_PL_X500Name *certIssuer;
+        PKIX_PL_BigInt *certSerialNumber;
+        PKIX_CRLSelector *crlSelector;
+        PKIX_UInt32 crlStoreIndex;
+        PKIX_UInt32 numCrlStores;
+};
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_Boolean nistCRLPolicyEnabled,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *prevPublicKey,
+        pkix_DefaultCRLCheckerState *state,
+        PKIX_List *unresolvedCriticalExtensions,
+        PKIX_Boolean useOnlyLocal,
+        void **pNBIOContext,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+        PKIX_PL_Cert *cert,
+        pkix_DefaultCRLCheckerState *state,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_DEFAULTCRLCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.c
new file mode 100644
index 000000000..82034984c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.c
@@ -0,0 +1,403 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultrevchecker.c
+ *
+ * Functions for default Revocation Checker
+ *
+ */
+
+#include "pkix_defaultrevchecker.h"
+
+/* --Private-DefaultRevChecker-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_DefaultRevChecker_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_DefaultRevChecker_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_DefaultRevocationChecker *revChecker = NULL;
+
+        PKIX_ENTER(DEFAULTREVOCATIONCHECKER,
+                    "pkix_DefaultRevChecker_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a DefaultRevocationChecker */
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_DEFAULTREVOCATIONCHECKER_TYPE, plContext),
+                PKIX_OBJECTNOTDEFAULTREVOCATIONCHECKER);
+
+        revChecker = (PKIX_DefaultRevocationChecker *)object;
+
+        PKIX_DECREF(revChecker->certChainChecker);
+        PKIX_DECREF(revChecker->certStores);
+        PKIX_DECREF(revChecker->testDate);
+        PKIX_DECREF(revChecker->trustedPubKey);
+
+cleanup:
+
+        PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultRevocationChecker_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_DEFAULTREVOCATIONCHECKER_TYPE and its related functions
+ *  with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_DefaultRevocationChecker_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(DEFAULTREVOCATIONCHECKER,
+                    "pkix_DefaultRevocationChecker_RegisterSelf");
+
+        entry.description = "DefaultRevocationChecker";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_DefaultRevocationChecker);
+        entry.destructor = pkix_DefaultRevChecker_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_DEFAULTREVOCATIONCHECKER_TYPE] = entry;
+
+        PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultRevChecker_Create
+ *
+ * DESCRIPTION:
+ *  This function uses the List of certStores given by "certStores", the Date
+ *  given by "testDate", the PublicKey given by "trustedPubKey", and the number
+ *  of certs remaining in the chain given by "certsRemaining" to create a
+ *  DefaultRevocationChecker, which is stored at "pRevChecker".
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Address of Public Key of Trust Anchor. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pRevChecker"
+ *      Address of DefaultRevocationChecker that is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a DefaultRevocationChecker Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultRevChecker_Create(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_DefaultRevocationChecker **pRevChecker,
+        void *plContext)
+{
+        PKIX_DefaultRevocationChecker *revChecker = NULL;
+
+        PKIX_ENTER(DEFAULTREVOCATIONCHECKER, "pkix_DefaultRevChecker_Create");
+        PKIX_NULLCHECK_THREE(certStores, trustedPubKey, pRevChecker);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_DEFAULTREVOCATIONCHECKER_TYPE,
+                sizeof (PKIX_DefaultRevocationChecker),
+                (PKIX_PL_Object **)&revChecker,
+                plContext),
+                PKIX_COULDNOTCREATEDEFAULTREVOCATIONCHECKEROBJECT);
+
+        /* Initialize fields */
+
+        revChecker->certChainChecker = NULL;
+        revChecker->check = NULL;
+
+        PKIX_INCREF(certStores);
+        revChecker->certStores = certStores;
+
+        PKIX_INCREF(testDate);
+        revChecker->testDate = testDate;
+
+        PKIX_INCREF(trustedPubKey);
+        revChecker->trustedPubKey = trustedPubKey;
+
+        revChecker->certsRemaining = certsRemaining;
+
+        *pRevChecker = revChecker;
+        revChecker = NULL;
+
+cleanup:
+
+        PKIX_DECREF(revChecker);
+
+        PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
+}
+
+/* --Private-DefaultRevChecker-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_DefaultRevChecker_Check
+ *
+ * DESCRIPTION:
+ *  Check if the Cert has been revoked based on the CRLs data.  This function
+ *  maintains the checker state to be current.
+ *
+ * PARAMETERS
+ *  "checkerContext"
+ *      Address of RevocationCheckerContext which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize the ExpirationChecker
+ *      and TargetCertChecker. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent non-blocking I/O context is stored.
+ *      Must be non-NULL.
+ *  "pResultCode"
+ *      Address where revocation status will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultRevChecker_Check(
+        PKIX_PL_Object *checkerContext,
+        PKIX_PL_Cert *cert,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        PKIX_UInt32 *pReasonCode,
+        void *plContext)
+{
+        PKIX_DefaultRevocationChecker *defaultRevChecker = NULL;
+        PKIX_CertChainChecker *crlChecker = NULL;
+        PKIX_PL_Object *crlCheckerState = NULL;
+        PKIX_CertChainChecker_CheckCallback check = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "pkix_DefaultRevChecker_Check");
+        PKIX_NULLCHECK_FOUR(checkerContext, cert, pNBIOContext, pReasonCode);
+
+        /* Check that this object is a DefaultRevocationChecker */
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)checkerContext,
+                PKIX_DEFAULTREVOCATIONCHECKER_TYPE,
+                plContext),
+                PKIX_OBJECTNOTDEFAULTREVOCATIONCHECKER);
+
+        defaultRevChecker = (PKIX_DefaultRevocationChecker *)checkerContext;
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = 0;
+        *pReasonCode = 0;
+
+        /*
+         * If we haven't yet created a defaultCrlChecker to do the actual work,
+         * create one now.
+         */
+        if (defaultRevChecker->certChainChecker == NULL) {
+                PKIX_Boolean nistCRLPolicyEnabled = PR_TRUE;
+                if (procParams) {
+                    PKIX_CHECK(
+                        pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                        (procParams, &nistCRLPolicyEnabled, plContext),
+                        PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
+                }
+
+                PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
+                        (defaultRevChecker->certStores,
+                        defaultRevChecker->testDate,
+                        defaultRevChecker->trustedPubKey,
+                        defaultRevChecker->certsRemaining,
+                        nistCRLPolicyEnabled,
+                        &crlChecker,
+                        plContext),
+                        PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
+
+                PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback
+                        (crlChecker, &check, plContext),
+                        PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED);
+
+                defaultRevChecker->certChainChecker = crlChecker;
+                defaultRevChecker->check = check;
+        }
+
+        /*
+         * The defaultCRLChecker, which we are using, wants a CRLSelector
+         * (in its state) to select the Issuer of the target Cert.
+         */
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                (defaultRevChecker->certChainChecker,
+                &crlCheckerState,
+                plContext),
+                PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(pkix_CheckType
+                (crlCheckerState, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+        /* Set up CRLSelector */
+        PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+                (cert,
+                (pkix_DefaultCRLCheckerState *)crlCheckerState,
+                plContext),
+                PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+
+        PKIX_CHECK
+                (PKIX_CertChainChecker_SetCertChainCheckerState
+                (defaultRevChecker->certChainChecker,
+                crlCheckerState,
+                plContext),
+                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(defaultRevChecker->check
+                (defaultRevChecker->certChainChecker,
+                cert,
+                NULL,
+                &nbioContext,
+                plContext),
+                PKIX_CERTCHAINCHECKERCHECKCALLBACKFAILED);
+
+        *pNBIOContext = nbioContext;
+
+cleanup:
+
+        PKIX_DECREF(crlCheckerState);
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultRevChecker_Initialize
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with DefaultRevChecker.
+ *
+ * PARAMETERS
+ *  "certStores"
+ *      Address of CertStore List to be stored in state. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date to be checked. May be NULL.
+ *  "trustedPubKey"
+ *      Address of Public Key of Trust Anchor. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultRevChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_RevocationChecker **pChecker,
+        void *plContext)
+{
+        PKIX_DefaultRevocationChecker *revChecker = NULL;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "pkix_DefaultRevChecker_Initialize");
+        PKIX_NULLCHECK_TWO(certStores, pChecker);
+
+        PKIX_CHECK(pkix_DefaultRevChecker_Create
+                (certStores,
+                testDate,
+                trustedPubKey,
+                certsRemaining,
+                &revChecker,
+                plContext),
+                PKIX_DEFAULTREVCHECKERCREATEFAILED);
+
+        PKIX_CHECK(PKIX_RevocationChecker_Create
+                (pkix_DefaultRevChecker_Check,
+                (PKIX_PL_Object *)revChecker,
+                pChecker,
+                plContext),
+                PKIX_REVOCATIONCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(revChecker);
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.h
new file mode 100644
index 000000000..db58411b8
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultrevchecker.h
@@ -0,0 +1,78 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultrevchecker.h
+ *
+ * Header file for default revocation checker
+ *
+ */
+
+#ifndef _PKIX_DEFAULTREVCHECKER_H
+#define _PKIX_DEFAULTREVCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_DefaultRevocationCheckerStruct {
+        PKIX_CertChainChecker *certChainChecker;
+        PKIX_CertChainChecker_CheckCallback check;
+        PKIX_List *certStores;
+        PKIX_PL_Date *testDate;
+        PKIX_PL_PublicKey *trustedPubKey;
+        PKIX_UInt32 certsRemaining;
+};
+
+PKIX_Error *
+pkix_DefaultRevChecker_Initialize(
+        PKIX_List *certStores,
+        PKIX_PL_Date *testDate,
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_RevocationChecker **pRevChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_DefaultRevocationChecker_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_DEFAULTREVCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c
new file mode 100755
index 000000000..9236f2a80
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c
@@ -0,0 +1,146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.c
+ *
+ * Functions for expiration validation
+ *
+ */
+
+
+#include "pkix_expirationchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_Date *testDate = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&testDate, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_CheckValidity(cert, testDate, plContext),
+                    PKIX_CERTCHECKVALIDITYFAILED);
+
+cleanup:
+
+        PKIX_DECREF(testDate);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  used by pkix_ExpirationChecker_Check to check that the certificate has not
+ *  expired with respect to the Date pointed to by "testDate." If "testDate"
+ *  is NULL, then the CertChainChecker will check that a certificate has not
+ *  expired with respect to the current date and time.
+ *
+ * PARAMETERS:
+ *  "testDate"
+ *      Address of Date representing the point in time at which the cert is to
+ *      be validated. If "testDate" is NULL, the current date and time is used.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+        PKIX_PL_Date *testDate,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        PKIX_PL_Date *myDate = NULL;
+        PKIX_PL_Date *nowDate = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        /* if testDate is NULL, we use the current time */
+        if (!testDate){
+                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                            (NULL, &nowDate, plContext),
+                            PKIX_DATECREATEUTCTIMEFAILED);
+                myDate = nowDate;
+        } else {
+                myDate = testDate;
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_ExpirationChecker_Check,
+                    PKIX_TRUE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)myDate,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(nowDate);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h
new file mode 100755
index 000000000..649fb98e2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.h
+ *
+ * Header file for validate expiration function
+ *
+ */
+
+#ifndef _PKIX_EXPIRATIONCHECKER_H
+#define _PKIX_EXPIRATIONCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+        PKIX_PL_Date *testDate,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_EXPIRATIONCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c
new file mode 100755
index 000000000..366d70f57
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c
@@ -0,0 +1,154 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.c
+ *
+ * Functions for name chaining validation
+ *
+ */
+
+
+#include "pkix_namechainingchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_X500Name *prevSubject = NULL;
+        PKIX_PL_X500Name *currIssuer = NULL;
+        PKIX_PL_X500Name *currSubject = NULL;
+        PKIX_Boolean result;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&prevSubject, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
+                    PKIX_CERTGETISSUERFAILED);
+
+        if (prevSubject){
+                PKIX_CHECK(PKIX_PL_X500Name_Match
+                            (prevSubject, currIssuer, &result, plContext),
+                            PKIX_X500NAMEMATCHFAILED);
+                if (!result){
+                        PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+                }
+        } else {
+                PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
+                    PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)currSubject, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(prevSubject);
+        PKIX_DECREF(currIssuer);
+        PKIX_DECREF(currSubject);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  be used by pkix_NameChainingChecker_Check to check that the issuer name
+ *  of the certificate matches the subject name in the checker's state. The
+ *  X500Name pointed to by "trustedCAName" is used to initialize the checker's
+ *  state.
+ *
+ * PARAMETERS:
+ *  "trustedCAName"
+ *      Address of X500Name representing the trusted CA Name used to
+ *      initialize the state of this checker. Must be non-NULL.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+        PKIX_PL_X500Name *trustedCAName,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");
+        PKIX_NULLCHECK_TWO(pChecker, trustedCAName);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_NameChainingChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)trustedCAName,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h
new file mode 100755
index 000000000..fe45709b5
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.h
+ *
+ * Header file for name chaining checker.
+ *
+ */
+
+#ifndef _PKIX_NAMECHAININGCHECKER_H
+#define _PKIX_NAMECHAININGCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+        PKIX_PL_X500Name *trustedCAName,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECHAININGCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
new file mode 100755
index 000000000..738d82508
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -0,0 +1,338 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.c
+ *
+ * Functions for Name Constraints Checkers
+ *
+ */
+
+#include "pkix_nameconstraintschecker.h"
+
+/* --Private-NameConstraintsCheckerState-Functions---------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that object type */
+        PKIX_CHECK(pkix_CheckType
+            (object, PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE, plContext),
+            PKIX_OBJECTNOTNAMECONSTRAINTSCHECKERSTATE);
+
+        state = (pkix_NameConstraintsCheckerState *)object;
+
+        PKIX_DECREF(state->nameConstraints);
+        PKIX_DECREF(state->nameConstraintsOID);
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_RegisterSelf");
+
+        entry.description = "NameConstraintsCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_NameConstraintsCheckerState);
+        entry.destructor = pkix_NameConstraintsCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize NameConstraintsChecker state data.
+ *
+ * PARAMETERS
+ *  "nameConstraints"
+ *      Address of NameConstraints to be stored in state. May be NULL.
+ *  "numCerts"
+ *      Number of certificates in the validation chain. This data is used
+ *      to identify end-entity.
+ *  "pCheckerState"
+ *      Address of NameConstraintsCheckerState that is returned. Must be
+ *      non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CERTNAMECONSTRAINTSCHECKERSTATE Error if the function fails in
+ *  a non-fatal way.
+ *  Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Create(
+    PKIX_PL_CertNameConstraints *nameConstraints,
+    PKIX_UInt32 numCerts,
+    pkix_NameConstraintsCheckerState **pCheckerState,
+    void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+                    "pkix_NameConstraintsCheckerState_Create");
+        PKIX_NULLCHECK_ONE(pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE,
+                    sizeof (pkix_NameConstraintsCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT);
+
+        /* Initialize fields */
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_NAMECONSTRAINTS_OID,
+                    &state->nameConstraintsOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        PKIX_INCREF(nameConstraints);
+
+        state->nameConstraints = nameConstraints;
+        state->certsRemaining = numCerts;
+
+        *pCheckerState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-NameConstraintsChecker-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
+        PKIX_Boolean selfIssued = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        state->certsRemaining--;
+
+        /* Get status of self issued */
+        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+                    PKIX_ISCERTSELFISSUEDFAILED);
+
+        /* Check on non self-issued and if so only for last cert */
+        if (selfIssued == PKIX_FALSE ||
+            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+                PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
+                    (cert, state->nameConstraints, plContext),
+                    PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
+        }
+
+        if (state->certsRemaining != 0) {
+
+            PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (cert, &nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+            /* Merge with previous name constraints kept in state */
+
+            if (nameConstraints != NULL) {
+
+                if (state->nameConstraints == NULL) {
+
+                        state->nameConstraints = nameConstraints;
+
+                } else {
+
+                        PKIX_CHECK(PKIX_PL_Cert_MergeNameConstraints
+                                (nameConstraints,
+                                state->nameConstraints,
+                                &mergedNameConstraints,
+                                plContext),
+                                PKIX_CERTMERGENAMECONSTRAINTSFAILED);
+
+                        PKIX_DECREF(nameConstraints);
+                        PKIX_DECREF(state->nameConstraints);
+
+                        state->nameConstraints = mergedNameConstraints;
+                }
+
+                /* Remove Name Constraints Extension OID from list */
+                if (unresolvedCriticalExtensions != NULL) {
+                        PKIX_CHECK(pkix_List_Remove
+                                    (unresolvedCriticalExtensions,
+                                    (PKIX_PL_Object *)state->nameConstraintsOID,
+                                    plContext),
+                                    PKIX_LISTREMOVEFAILED);
+                }
+            }
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Initialize
+ *
+ * DESCRIPTION:
+ *  Create a CertChainChecker with a NameConstraintsCheckerState. The
+ *  NameConstraintsCheckerState is created with "trustedNC" and "numCerts"
+ *  as its initial state. The CertChainChecker for the NameConstraints is
+ *  returned at address of "pChecker".
+ *
+ * PARAMETERS
+ *  "trustedNC"
+ *      The NameConstraints from trusted anchor Cert is stored at "trustedNC"
+ *      for initialization. May be NULL.
+ *  "numCerts"
+ *      Number of certificates in the validation chain. This data is used
+ *      to identify end-entity.
+ *  "pChecker"
+ *      Address of CertChainChecker to bo created and returned.
+ *      Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CERTCHAINCHECKER Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+        PKIX_PL_CertNameConstraints *trustedNC,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_NameConstraintsCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_NameConstraintsCheckerState_Create
+                    (trustedNC, numCerts, &state, plContext),
+                    PKIX_NAMECONSTRAINTSCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_NameConstraintsChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h
new file mode 100755
index 000000000..66d383bc7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.h
+ *
+ * Header file for validate Name Constraints Checker function
+ *
+ */
+
+#ifndef _PKIX_NAMECONSTRAINTSCHECKER_H
+#define _PKIX_NAMECONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_NameConstraintsCheckerState \
+        pkix_NameConstraintsCheckerState;
+
+struct pkix_NameConstraintsCheckerState {
+        PKIX_PL_CertNameConstraints *nameConstraints;
+        PKIX_PL_OID *nameConstraintsOID;
+        PKIX_UInt32 certsRemaining;
+};
+
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+        PKIX_PL_CertNameConstraints *trustedNC,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECONSTRAINTSCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
new file mode 100644
index 000000000..912fd40e0
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -0,0 +1,447 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *   Red Hat, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_ocspchecker.c
+ *
+ * OcspChecker Object Functions
+ *
+ */
+
+#include "pkix_ocspchecker.h"
+#include "pkix_pl_ocspcertid.h"
+#include "pkix_error.h"
+
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_OcspChecker_Destroy
+ *      (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_OcspChecker_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_OcspChecker *checker = NULL;
+
+        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a ocsp checker */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_OCSPCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTOCSPCHECKER);
+
+        checker = (PKIX_OcspChecker *)object;
+
+	PKIX_DECREF(checker->response);
+        PKIX_DECREF(checker->validityTime);
+        PKIX_DECREF(checker->cert);
+
+        /* These are not yet ref-counted objects */
+        /* PKIX_DECREF(checker->passwordInfo); */
+        /* PKIX_DECREF(checker->responder); */
+        /* PKIX_DECREF(checker->nbioContext); */
+
+cleanup:
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_OcspChecker_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_OCSPCHECKER_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_OcspChecker_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_RegisterSelf");
+
+        entry.description = "OcspChecker";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_OcspChecker);
+        entry.destructor = pkix_OcspChecker_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_OCSPCHECKER_TYPE] = entry;
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_OcspChecker_Check (see comments in pkix_checker.h)
+ */
+
+/*
+ * The OCSPChecker is created in an idle state, and remains in this state until
+ * either (a) the default Responder has been set and enabled, and a Check
+ * request is received with no responder specified, or (b) a Check request is
+ * received with a specified responder. A request message is constructed and
+ * given to the HttpClient. If non-blocking I/O is used the client may return
+ * with WOULDBLOCK, in which case the OCSPChecker returns the WOULDBLOCK
+ * condition to its caller in turn. On a subsequent call the I/O is resumed.
+ * When a response is received it is decoded and the results provided to the
+ * caller.
+ *
+ */
+static PKIX_Error *
+pkix_OcspChecker_Check(
+        PKIX_PL_Object *checkerObject,
+        PKIX_PL_Cert *cert,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        PKIX_UInt32 *pResultCode,
+        void *plContext)
+{
+        SECErrorCodes resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP;
+        PKIX_Boolean uriFound = PKIX_FALSE;
+        PKIX_Boolean passed = PKIX_FALSE;
+        PKIX_OcspChecker *checker = NULL;
+        PKIX_PL_OcspCertID *cid = NULL;
+        PKIX_PL_OcspRequest *request = NULL;
+        PKIX_PL_Date *validity = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Check");
+        PKIX_NULLCHECK_FOUR(checkerObject, cert, pNBIOContext, pResultCode);
+
+        PKIX_CHECK(pkix_CheckType
+                (checkerObject, PKIX_OCSPCHECKER_TYPE, plContext),
+                PKIX_OBJECTNOTOCSPCHECKER);
+
+        checker = (PKIX_OcspChecker *)checkerObject;
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = 0;
+
+        /* assert(checker->nbioContext == nbioContext) */
+
+        if (nbioContext == 0) {
+                /* We are initiating a check, not resuming previous I/O. */
+
+                PKIX_Boolean hasFreshStatus = PKIX_FALSE;
+                PKIX_Boolean statusIsGood = PKIX_FALSE;
+
+                PKIX_CHECK(PKIX_PL_OcspCertID_Create
+                        (cert,
+                        validity,
+                        &cid,
+                        plContext),
+                        PKIX_OCSPCERTIDCREATEFAILED);
+
+                if (!cid) {
+                        goto cleanup;
+                }
+
+                PKIX_CHECK(PKIX_PL_OcspCertID_GetFreshCacheStatus
+                        (cid, 
+                        validity, 
+                        &hasFreshStatus, 
+                        &statusIsGood,
+                        &resultCode,
+                        plContext),
+                        PKIX_OCSPCERTIDGETFRESHCACHESTATUSFAILED);
+
+                if (hasFreshStatus) {
+                        /* avoid updating the cache with a cached result... */
+                        passed = PKIX_TRUE; 
+
+                        if (statusIsGood) {
+                                resultCode = 0;
+                        }
+                        goto cleanup;
+                }
+                PKIX_INCREF(cert);
+                PKIX_DECREF(checker->cert);
+                checker->cert = cert;
+
+                /* create request */
+                PKIX_CHECK(pkix_pl_OcspRequest_Create
+                        (cert,
+                        cid,
+                        validity,
+                        NULL,           /* PKIX_PL_Cert *signerCert */
+                        &uriFound,
+                        &request,
+                        plContext),
+                        PKIX_OCSPREQUESTCREATEFAILED);
+                
+                /* No uri to check is considered passing! */
+                if (uriFound == PKIX_FALSE) {
+                        /* no caching for certs lacking URI */
+                        passed = PKIX_TRUE;
+                        resultCode = 0;
+                        goto cleanup;
+                }
+
+        }
+
+        /* Do we already have a response object? */
+        if ((checker->response) == NULL) {
+        	/* send request and create a response object */
+	        PKIX_CHECK(pkix_pl_OcspResponse_Create
+	                (request,
+	                checker->responder,
+	                checker->verifyFcn,
+	                &nbioContext,
+	                &(checker->response),
+	                plContext),
+	                PKIX_OCSPRESPONSECREATEFAILED);
+
+        	if (nbioContext != 0) {
+                	*pNBIOContext = nbioContext;
+	                goto cleanup;
+	        }
+
+	        PKIX_CHECK(pkix_pl_OcspResponse_Decode
+        	        ((checker->response), &passed, &resultCode, plContext),
+                	PKIX_OCSPRESPONSEDECODEFAILED);
+                
+	        if (passed == PKIX_FALSE) {
+        	        goto cleanup;
+	        }
+
+        	PKIX_CHECK(pkix_pl_OcspResponse_GetStatus
+                	((checker->response), &passed, &resultCode, plContext),
+	                PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
+                
+        	if (passed == PKIX_FALSE) {
+                	goto cleanup;
+	        }
+	}
+
+        PKIX_CHECK(pkix_pl_OcspResponse_VerifySignature
+                ((checker->response),
+                cert,
+                procParams,
+                &passed,
+		&nbioContext,
+                plContext),
+                PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
+
+       	if (nbioContext != 0) {
+               	*pNBIOContext = nbioContext;
+                goto cleanup;
+        }
+
+        if (passed == PKIX_FALSE) {
+                resultCode = PORT_GetError();
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_OcspResponse_GetStatusForCert
+                (cid, (checker->response), &passed, &resultCode, plContext),
+                PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
+
+cleanup:
+        if (!passed && cid && cid->certID) {
+                /* We still own the certID object, which means that 
+                 * it did not get consumed to create a cache entry.
+                 * Let's make sure there is one.
+                 */
+                PKIX_Error *err;
+                err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+                        cid, plContext);
+                if (err) {
+                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
+                }
+        }
+
+        *pResultCode = (PKIX_UInt32)resultCode;
+
+        PKIX_DECREF(cid);
+        PKIX_DECREF(request);
+        if (checker) {
+            PKIX_DECREF(checker->response);
+        }
+
+        PKIX_RETURN(OCSPCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_OcspChecker_Create
+ */
+PKIX_Error *
+pkix_OcspChecker_Create(
+        PKIX_PL_Date *validityTime,
+        void *passwordInfo,
+        void *responder,
+        PKIX_OcspChecker **pChecker,
+        void *plContext)
+{
+        PKIX_OcspChecker *checkerObject = NULL;
+
+        PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Create");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_OCSPCHECKER_TYPE,
+                    sizeof (PKIX_OcspChecker),
+                    (PKIX_PL_Object **)&checkerObject,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
+
+        /* initialize fields */
+        checkerObject->response = NULL;
+        PKIX_INCREF(validityTime);
+        checkerObject->validityTime = validityTime;
+        checkerObject->clientIsDefault = PKIX_FALSE;
+        checkerObject->verifyFcn = NULL;
+        checkerObject->cert = NULL;
+
+        /* These void*'s will need INCREFs if they become PKIX_PL_Objects */
+        checkerObject->passwordInfo = passwordInfo;
+        checkerObject->responder = responder;
+        checkerObject->nbioContext = NULL;
+
+        *pChecker = checkerObject;
+        checkerObject = NULL;
+
+cleanup:
+
+        PKIX_DECREF(checkerObject);
+
+        PKIX_RETURN(OCSPCHECKER);
+
+}
+
+/*
+ * FUNCTION: PKIX_OcspChecker_SetPasswordInfo
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_OcspChecker_SetPasswordInfo(
+        PKIX_OcspChecker *checker,
+        void *passwordInfo,
+        void *plContext)
+{
+        PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_SetPasswordInfo");
+        PKIX_NULLCHECK_ONE(checker);
+
+        checker->passwordInfo = passwordInfo;
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_OcspChecker_SetOCSPResponder
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_OcspChecker_SetOCSPResponder(
+        PKIX_OcspChecker *checker,
+        void *ocspResponder,
+        void *plContext)
+{
+        PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_SetOCSPResponder");
+        PKIX_NULLCHECK_ONE(checker);
+
+        checker->responder = ocspResponder;
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_OcspChecker_SetVerifyFcn
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_OcspChecker_SetVerifyFcn(
+        PKIX_OcspChecker *checker,
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn,
+        void *plContext)
+{
+        PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_SetVerifyFcn");
+        PKIX_NULLCHECK_ONE(checker);
+
+        checker->verifyFcn = verifyFcn;
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+PKIX_Error *
+PKIX_OcspChecker_Initialize(
+        PKIX_PL_Date *validityTime,
+        void *passwordInfo,
+        void *responder,
+        PKIX_RevocationChecker **pChecker,
+        void *plContext)
+{
+        PKIX_OcspChecker *oChecker = NULL;
+
+        PKIX_ENTER(OCSPCHECKER, "PKIX_OcspChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_OcspChecker_Create
+                (validityTime, passwordInfo, responder, &oChecker, plContext),
+                PKIX_OCSPCHECKERCREATEFAILED);
+
+        PKIX_CHECK(PKIX_RevocationChecker_Create
+                (pkix_OcspChecker_Check,
+                (PKIX_PL_Object *)oChecker,
+                pChecker,
+                plContext),
+                PKIX_REVOCATIONCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(oChecker);
+
+        PKIX_RETURN(OCSPCHECKER);
+}
+
+
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h
new file mode 100644
index 000000000..c3ee6bcf8
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h
@@ -0,0 +1,98 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_ocspchecker.h
+ *
+ * OcspChecker Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_OCSPCHECKER_H
+#define _PKIX_OCSPCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_OcspCheckerStruct {
+        PKIX_PL_OcspResponse *response;
+        PKIX_PL_Date *validityTime;
+        PKIX_Boolean clientIsDefault;
+        void *passwordInfo;
+        void *responder;
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn;
+        void *nbioContext;
+        PKIX_PL_Cert *cert;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_OcspChecker_RegisterSelf(void *plContext);
+
+PKIX_Error *
+PKIX_OcspChecker_SetPasswordInfo(
+        PKIX_OcspChecker *checker,
+        void *passwordInfo,
+        void *plContext);
+
+PKIX_Error *
+PKIX_OcspChecker_SetOCSPResponder(
+        PKIX_OcspChecker *checker,
+        void *ocspResponder,
+        void *plContext);
+
+PKIX_Error *
+PKIX_OcspChecker_SetVerifyFcn(
+        PKIX_OcspChecker *checker,
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn,
+        void *plContext);
+
+PKIX_Error *
+PKIX_OcspChecker_Initialize(
+        PKIX_PL_Date *validityTime,
+        void *passwordInfo,
+        void *responder,
+        PKIX_RevocationChecker **pChecker,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_OCSPCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
new file mode 100755
index 000000000..162f4763d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
@@ -0,0 +1,2795 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policychecker.c
+ *
+ * Functions for Policy Checker
+ *
+ */
+#include "pkix_policychecker.h"
+
+/* --Forward declarations----------------------------------------------- */
+
+static PKIX_Error *
+pkix_PolicyChecker_MakeSingleton(
+        PKIX_PL_Object *listItem,
+        PKIX_Boolean immutability,
+        PKIX_List **pList,
+        void *plContext);
+
+/* --Private-PolicyCheckerState-Functions---------------------------------- */
+
+/*
+ * FUNCTION:pkix_PolicyCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *checkerState = NULL;
+
+        PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+        checkerState = (PKIX_PolicyCheckerState *)object;
+
+        PKIX_DECREF(checkerState->certPoliciesExtension);
+        PKIX_DECREF(checkerState->policyMappingsExtension);
+        PKIX_DECREF(checkerState->policyConstraintsExtension);
+        PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
+        PKIX_DECREF(checkerState->anyPolicyOID);
+        PKIX_DECREF(checkerState->validPolicyTree);
+        PKIX_DECREF(checkerState->userInitialPolicySet);
+        PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
+
+        checkerState->policyQualifiersRejected = PKIX_FALSE;
+        checkerState->explicitPolicy = 0;
+        checkerState->inhibitAnyPolicy = 0;
+        checkerState->policyMapping = 0;
+        checkerState->numCerts = 0;
+        checkerState->certsProcessed = 0;
+        checkerState->certPoliciesCritical = PKIX_FALSE;
+
+        PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
+        PKIX_DECREF(checkerState->newAnyPolicyNode);
+        PKIX_DECREF(checkerState->mappedPolicyOIDs);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyCheckerState_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pCheckerStateString,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *state = NULL;
+        PKIX_PL_String *resultString = NULL;
+        PKIX_PL_String *policiesExtOIDString = NULL;
+        PKIX_PL_String *policyMapOIDString = NULL;
+        PKIX_PL_String *policyConstrOIDString = NULL;
+        PKIX_PL_String *inhAnyPolOIDString = NULL;
+        PKIX_PL_String *anyPolicyOIDString = NULL;
+        PKIX_PL_String *validPolicyTreeString = NULL;
+        PKIX_PL_String *userInitialPolicySetString = NULL;
+        PKIX_PL_String *mappedUserPolicySetString = NULL;
+        PKIX_PL_String *mappedPolicyOIDsString = NULL;
+        PKIX_PL_String *anyAtBottomString = NULL;
+        PKIX_PL_String *newAnyPolicyString = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *trueString = NULL;
+        PKIX_PL_String *falseString = NULL;
+        PKIX_PL_String *nullString = NULL;
+        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+        PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
+        PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
+        PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
+        char *asciiFormat =
+                "{\n"
+                "\tcertPoliciesExtension:    \t%s\n"
+                "\tpolicyMappingsExtension:  \t%s\n"
+                "\tpolicyConstraintsExtension:\t%s\n"
+                "\tinhibitAnyPolicyExtension:\t%s\n"
+                "\tanyPolicyOID:             \t%s\n"
+                "\tinitialIsAnyPolicy:       \t%s\n"
+                "\tvalidPolicyTree:          \t%s\n"
+                "\tuserInitialPolicySet:     \t%s\n"
+                "\tmappedUserPolicySet:      \t%s\n"
+                "\tpolicyQualifiersRejected: \t%s\n"
+                "\tinitialPolMappingInhibit: \t%s\n"
+                "\tinitialExplicitPolicy:    \t%s\n"
+                "\tinitialAnyPolicyInhibit:  \t%s\n"
+                "\texplicitPolicy:           \t%d\n"
+                "\tinhibitAnyPolicy:         \t%d\n"
+                "\tpolicyMapping:            \t%d\n"
+                "\tnumCerts:                 \t%d\n"
+                "\tcertsProcessed:           \t%d\n"
+                "\tanyPolicyNodeAtBottom:    \t%s\n"
+                "\tnewAnyPolicyNode:         \t%s\n"
+                "\tcertPoliciesCritical:     \t%s\n"
+                "\tmappedPolicyOIDs:         \t%s\n"
+                "}";
+
+        PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pCheckerStateString);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+        state = (PKIX_PolicyCheckerState *)object;
+        PKIX_NULLCHECK_THREE
+                (state->certPoliciesExtension,
+                state->policyMappingsExtension,
+                state->policyConstraintsExtension);
+        PKIX_NULLCHECK_THREE
+                (state->inhibitAnyPolicyExtension,
+                state->anyPolicyOID,
+                state->userInitialPolicySet);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+        /*
+         * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
+         * PKIX_PL_String is complicated enough, it's worth checking, for
+         * each, to make sure the string is needed.
+         */
+        initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
+        initialExplicitPolicy = state->initialExplicitPolicy;
+        initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
+        initialIsAnyPolicy = state->initialIsAnyPolicy;
+        policyQualifiersRejected = state->policyQualifiersRejected;
+        certPoliciesCritical = state->certPoliciesCritical;
+
+        if (initialPolicyMappingInhibit || initialExplicitPolicy ||
+            initialAnyPolicyInhibit || initialIsAnyPolicy ||
+            policyQualifiersRejected || certPoliciesCritical) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+        if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
+            !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
+            !policyQualifiersRejected || !certPoliciesCritical) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+        if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+
+        PKIX_TOSTRING
+                (state->certPoliciesExtension, &policiesExtOIDString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->policyMappingsExtension,
+                &policyMapOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->policyConstraintsExtension,
+                &policyConstrOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->inhibitAnyPolicyExtension,
+                &inhAnyPolOIDString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->userInitialPolicySet,
+                &userInitialPolicySetString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->mappedUserInitialPolicySet,
+                &mappedUserPolicySetString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        if (state->anyPolicyNodeAtBottom) {
+                PKIX_CHECK(pkix_SinglePolicyNode_ToString
+                        (state->anyPolicyNodeAtBottom,
+                        &anyAtBottomString,
+                        plContext),
+                        PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+        } else {
+                PKIX_INCREF(nullString);
+                anyAtBottomString = nullString;
+        }
+
+        if (state->newAnyPolicyNode) {
+                PKIX_CHECK(pkix_SinglePolicyNode_ToString
+                        (state->newAnyPolicyNode,
+                        &newAnyPolicyString,
+                        plContext),
+                        PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+        } else {
+                PKIX_INCREF(nullString);
+                newAnyPolicyString = nullString;
+        }
+
+        PKIX_TOSTRING
+                (state->mappedPolicyOIDs,
+                &mappedPolicyOIDsString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&resultString,
+                plContext,
+                formatString,
+                policiesExtOIDString,
+                policyMapOIDString,
+                policyConstrOIDString,
+                inhAnyPolOIDString,
+                anyPolicyOIDString,
+                initialIsAnyPolicy?trueString:falseString,
+                validPolicyTreeString,
+                userInitialPolicySetString,
+                mappedUserPolicySetString,
+                policyQualifiersRejected?trueString:falseString,
+                initialPolicyMappingInhibit?trueString:falseString,
+                initialExplicitPolicy?trueString:falseString,
+                initialAnyPolicyInhibit?trueString:falseString,
+                state->explicitPolicy,
+                state->inhibitAnyPolicy,
+                state->policyMapping,
+                state->numCerts,
+                state->certsProcessed,
+                anyAtBottomString,
+                newAnyPolicyString,
+                certPoliciesCritical?trueString:falseString,
+                mappedPolicyOIDsString),
+                PKIX_SPRINTFFAILED);
+
+        *pCheckerStateString = resultString;
+
+cleanup:
+        PKIX_DECREF(policiesExtOIDString);
+        PKIX_DECREF(policyMapOIDString);
+        PKIX_DECREF(policyConstrOIDString);
+        PKIX_DECREF(inhAnyPolOIDString);
+        PKIX_DECREF(anyPolicyOIDString);
+        PKIX_DECREF(validPolicyTreeString);
+        PKIX_DECREF(userInitialPolicySetString);
+        PKIX_DECREF(mappedUserPolicySetString);
+        PKIX_DECREF(anyAtBottomString);
+        PKIX_DECREF(newAnyPolicyString);
+        PKIX_DECREF(mappedPolicyOIDsString);
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(trueString);
+        PKIX_DECREF(falseString);
+        PKIX_DECREF(nullString);
+
+        PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyCheckerState_RegisterSelf
+ * DESCRIPTION:
+ *
+ *  Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
+ *      with systemClasses[]
+ *
+ * PARAMETERS:
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_PolicyCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER
+                (CERTPOLICYCHECKERSTATE,
+                "pkix_PolicyCheckerState_RegisterSelf");
+
+        entry.description = "PolicyCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
+        entry.destructor = pkix_PolicyCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = pkix_PolicyCheckerState_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/*
+ * FUNCTION:pkix_PolicyCheckerState_Create
+ * DESCRIPTION:
+ *
+ *  Creates a PolicyCheckerState Object, using the List pointed to
+ *  by "initialPolicies" for the user-initial-policy-set, the Boolean value
+ *  of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
+ *  the Boolean value of "initialPolicyMappingInhibit" for the
+ *  inhibitPolicyMappings parameter, the Boolean value of
+ *  "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
+ *  Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
+ *  parameter, and the UInt32 value of "numCerts" as the number of
+ *  certificates in the chain; and stores the Object at "pCheckerState".
+ *
+ * PARAMETERS:
+ *  "initialPolicies"
+ *      Address of List of OIDs comprising the user-initial-policy-set; the List
+ *      may be empty, but must be non-NULL
+ *  "policyQualifiersRejected"
+ *      Boolean value of the policyQualifiersRejected parameter
+ *  "initialPolicyMappingInhibit"
+ *      Boolean value of the inhibitPolicyMappings parameter
+ *  "initialExplicitPolicy"
+ *      Boolean value of the initialExplicitPolicy parameter
+ *  "initialAnyPolicyInhibit"
+ *      Boolean value of the inhibitAnyPolicy parameter
+ *  "numCerts"
+ *      Number of certificates in the chain to be validated
+ *  "pCheckerState"
+ *      Address where PolicyCheckerState will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertPolicyCheckerState Error if the functions fails in a
+ *      non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_Create(
+        PKIX_List *initialPolicies,
+        PKIX_Boolean policyQualifiersRejected,
+        PKIX_Boolean initialPolicyMappingInhibit,
+        PKIX_Boolean initialExplicitPolicy,
+        PKIX_Boolean initialAnyPolicyInhibit,
+        PKIX_UInt32 numCerts,
+        PKIX_PolicyCheckerState **pCheckerState,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *checkerState = NULL;
+        PKIX_PolicyNode *policyNode = NULL;
+        PKIX_List *anyPolicyList = NULL;
+
+        PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
+        PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_CERTPOLICYCHECKERSTATE_TYPE,
+                sizeof (PKIX_PolicyCheckerState),
+                (PKIX_PL_Object **)&checkerState,
+                plContext),
+                PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
+
+        /* Create constant PKIX_PL_OIDs: */
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                (PKIX_CERTIFICATEPOLICIES_OID,
+                &(checkerState->certPoliciesExtension),
+                plContext),
+                PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                (PKIX_POLICYMAPPINGS_OID,
+                &(checkerState->policyMappingsExtension),
+                plContext),
+                PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                (PKIX_POLICYCONSTRAINTS_OID,
+                &(checkerState->policyConstraintsExtension),
+                plContext),
+                PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                (PKIX_INHIBITANYPOLICY_OID,
+                &(checkerState->inhibitAnyPolicyExtension),
+                plContext),
+                PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
+                &(checkerState->anyPolicyOID),
+                plContext),
+                PKIX_OIDCREATEFAILED);
+
+        /* Create an initial policy set from argument supplied */
+        PKIX_INCREF(initialPolicies);
+        checkerState->userInitialPolicySet = initialPolicies;
+        PKIX_INCREF(initialPolicies);
+        checkerState->mappedUserInitialPolicySet = initialPolicies;
+
+        PKIX_CHECK(pkix_List_Contains
+                (initialPolicies,
+                (PKIX_PL_Object *)(checkerState->anyPolicyOID),
+                &(checkerState->initialIsAnyPolicy),
+                plContext),
+                PKIX_LISTCONTAINSFAILED);
+
+        checkerState->policyQualifiersRejected =
+                policyQualifiersRejected;
+        checkerState->initialExplicitPolicy = initialExplicitPolicy;
+        checkerState->explicitPolicy =
+                (initialExplicitPolicy? 0: numCerts + 1);
+        checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
+        checkerState->inhibitAnyPolicy =
+                (initialAnyPolicyInhibit? 0: numCerts + 1);
+        checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
+        checkerState->policyMapping =
+                (initialPolicyMappingInhibit? 0: numCerts + 1);
+                ;
+        checkerState->numCerts = numCerts;
+        checkerState->certsProcessed = 0;
+        checkerState->certPoliciesCritical = PKIX_FALSE;
+
+        /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
+        PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
+                ((PKIX_PL_Object *)(checkerState->anyPolicyOID),
+                PKIX_TRUE,
+                &anyPolicyList,
+                plContext),
+                PKIX_POLICYCHECKERMAKESINGLETONFAILED);
+
+        PKIX_CHECK(pkix_PolicyNode_Create
+                (checkerState->anyPolicyOID,    /* validPolicy */
+                NULL,                           /* qualifier set */
+                PKIX_FALSE,                     /* criticality */
+                anyPolicyList,                  /* expectedPolicySet */
+                &policyNode,
+                plContext),
+                PKIX_POLICYNODECREATEFAILED);
+        checkerState->validPolicyTree = policyNode;
+
+        /*
+         * Since the initial validPolicyTree specifies
+         * ANY_POLICY, begin with a pointer to the root node.
+         */
+        PKIX_INCREF(policyNode);
+        checkerState->anyPolicyNodeAtBottom = policyNode;
+
+        checkerState->newAnyPolicyNode = NULL;
+
+        checkerState->mappedPolicyOIDs = NULL;
+
+        *pCheckerState = checkerState;
+        checkerState = NULL;
+
+cleanup:
+
+        PKIX_DECREF(checkerState);
+
+        PKIX_DECREF(anyPolicyList);
+
+        PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/* --Private-PolicyChecker-Functions--------------------------------------- */
+
+/*
+ * FUNCTION: pkix_PolicyChecker_MapContains
+ * DESCRIPTION:
+ *
+ *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
+ *  determine whether the OID pointed to by "policy" is among the
+ *  issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
+ *  stores the result in "pFound".
+ *
+ *  This function is intended to allow an efficient check that the proscription
+ *  against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
+ *  not violated.
+ *
+ * PARAMETERS:
+ *  "certPolicyMaps"
+ *      Address of List of CertPolicyMaps to be searched. May be empty, but
+ *      must be non-NULL
+ *  "policy"
+ *      Address of OID to be checked for. Must be non-NULL
+ *  "pFound"
+ *      Address where the result of the search will be stored. Must be non-NULL.
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_PolicyChecker_MapContains(
+        PKIX_List *certPolicyMaps,
+        PKIX_PL_OID *policy,
+        PKIX_Boolean *pFound,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *map = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_PL_OID *issuerDomainPolicy = NULL;
+        PKIX_PL_OID *subjectDomainPolicy = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
+        PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
+
+        PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (index = 0; (!match) && (index < numEntries); index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                    (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_NULLCHECK_ONE(map);
+
+                PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+                        (map, &issuerDomainPolicy, plContext),
+                        PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
+
+                PKIX_EQUALS
+                        (policy, issuerDomainPolicy, &match, plContext,
+                        PKIX_OBJECTEQUALSFAILED);
+
+                if (!match) {
+                        PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
+                                (map, &subjectDomainPolicy, plContext),
+                                PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
+
+                        PKIX_EQUALS
+                                (policy, subjectDomainPolicy, &match, plContext,
+                                PKIX_OBJECTEQUALSFAILED);
+                }
+
+                PKIX_DECREF(map);
+                PKIX_DECREF(issuerDomainPolicy);
+                PKIX_DECREF(subjectDomainPolicy);
+        }
+
+        *pFound = match;
+
+cleanup:
+
+        PKIX_DECREF(map);
+        PKIX_DECREF(issuerDomainPolicy);
+        PKIX_DECREF(subjectDomainPolicy);
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
+ * DESCRIPTION:
+ *
+ *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
+ *  a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
+ *  policy pointed to by "policy", and stores the result in
+ *  "pSubjectDomainPolicies".
+ *
+ *  If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
+ *  resulting List will be NULL. If there are CertPolicyMaps, but none that
+ *  include "policy" as an IssuerDomainPolicy, the returned List pointer will
+ *  be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
+ *  of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
+ *  List is returned it will be immutable.
+ *
+ * PARAMETERS:
+ *  "certPolicyMaps"
+ *      Address of List of CertPolicyMaps to be searched. May be empty or NULL.
+ *  "policy"
+ *      Address of OID to be checked for. Must be non-NULL
+ *  "pSubjectDomainPolicies"
+ *      Address where the result of the search will be stored. Must be non-NULL.
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_PolicyChecker_MapGetSubjectDomainPolicies(
+        PKIX_List *certPolicyMaps,
+        PKIX_PL_OID *policy,
+        PKIX_List **pSubjectDomainPolicies,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *map = NULL;
+        PKIX_List *subjectList = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_PL_OID *issuerDomainPolicy = NULL;
+        PKIX_PL_OID *subjectDomainPolicy = NULL;
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "pkix_PolicyChecker_MapGetSubjectDomainPolicies");
+        PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
+
+        if (certPolicyMaps) {
+                PKIX_CHECK(PKIX_List_GetLength
+                    (certPolicyMaps,
+                    &numEntries,
+                    plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+        }
+
+        for (index = 0; index < numEntries; index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                    (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_NULLCHECK_ONE(map);
+
+                PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+                        (map, &issuerDomainPolicy, plContext),
+                        PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
+
+                PKIX_EQUALS
+                    (policy, issuerDomainPolicy, &match, plContext,
+                    PKIX_OBJECTEQUALSFAILED);
+
+                if (match) {
+                    if (!subjectList) {
+                        PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
+                                PKIX_LISTCREATEFAILED);
+                    }
+
+                    PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
+                        (map, &subjectDomainPolicy, plContext),
+                        PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
+
+                    PKIX_CHECK(PKIX_List_AppendItem
+                        (subjectList,
+                        (PKIX_PL_Object *)subjectDomainPolicy,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(map);
+                PKIX_DECREF(issuerDomainPolicy);
+                PKIX_DECREF(subjectDomainPolicy);
+        }
+
+        if (subjectList) {
+                PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
+                        PKIX_LISTSETIMMUTABLEFAILED);
+        }
+
+        *pSubjectDomainPolicies = subjectList;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(subjectList);
+        }
+
+        PKIX_DECREF(map);
+        PKIX_DECREF(issuerDomainPolicy);
+        PKIX_DECREF(subjectDomainPolicy);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
+ * DESCRIPTION:
+ *
+ *  Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
+ *  List of all IssuerDomainPolicies, and stores the result in
+ * "pMappedPolicies".
+ *
+ *  The caller may not rely on the IssuerDomainPolicies to be in any particular
+ *  order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
+ *  only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
+ *  result will be an empty List. The created List is mutable.
+ *
+ * PARAMETERS:
+ *  "certPolicyMaps"
+ *      Address of List of CertPolicyMaps to be searched. May be empty, but
+ *      must be non-NULL.
+ *  "pMappedPolicies"
+ *      Address where the result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_PolicyChecker_MapGetMappedPolicies(
+        PKIX_List *certPolicyMaps,
+        PKIX_List **pMappedPolicies,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *map = NULL;
+        PKIX_List *mappedList = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+        PKIX_Boolean isContained = PKIX_FALSE;
+        PKIX_PL_OID *issuerDomainPolicy = NULL;
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
+        PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
+
+        PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (index = 0; index < numEntries; index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                    (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_NULLCHECK_ONE(map);
+
+                PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+                        (map, &issuerDomainPolicy, plContext),
+                        PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
+
+                PKIX_CHECK(pkix_List_Contains
+                        (mappedList,
+                        (PKIX_PL_Object *)issuerDomainPolicy,
+                        &isContained,
+                        plContext),
+                        PKIX_LISTCONTAINSFAILED);
+
+                if (isContained == PKIX_FALSE) {
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (mappedList,
+                                (PKIX_PL_Object *)issuerDomainPolicy,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(map);
+                PKIX_DECREF(issuerDomainPolicy);
+        }
+
+        *pMappedPolicies = mappedList;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(mappedList);
+        }
+
+        PKIX_DECREF(map);
+        PKIX_DECREF(issuerDomainPolicy);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_MakeMutableCopy
+ * DESCRIPTION:
+ *
+ *  Creates a mutable copy of the List pointed to by "list", which may or may
+ *  not be immutable, and stores the address at "pMutableCopy".
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List to be copied. Must be non-NULL.
+ *  "pMutableCopy"
+ *      Address where mutable copy will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_MakeMutableCopy(
+        PKIX_List *list,
+        PKIX_List **pMutableCopy,
+        void *plContext)
+{
+        PKIX_List *newList = NULL;
+        PKIX_UInt32 listLen = 0;
+        PKIX_UInt32 listIx = 0;
+        PKIX_PL_Object *object;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
+        PKIX_NULLCHECK_TWO(list, pMutableCopy);
+
+        PKIX_CHECK(PKIX_List_Create(&newList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (listIx = 0; listIx < listLen; listIx++) {
+
+                PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(object);
+        }
+
+        *pMutableCopy = newList;
+        newList = NULL;
+        
+cleanup:
+        PKIX_DECREF(newList);
+        PKIX_DECREF(object);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_MakeSingleton
+ * DESCRIPTION:
+ *
+ *  Creates a new List containing the Object pointed to by "listItem", using
+ *  the Boolean value of "immutability" to determine whether to set the List
+ *  immutable, and stores the address at "pList".
+ *
+ * PARAMETERS:
+ *  "listItem"
+ *      Address of Object to be inserted into the new List. Must be non-NULL.
+ *  "immutability"
+ *      Boolean value indicating whether new List is to be immutable
+ *  "pList"
+ *      Address where List will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_MakeSingleton(
+        PKIX_PL_Object *listItem,
+        PKIX_Boolean immutability,
+        PKIX_List **pList,
+        void *plContext)
+{
+        PKIX_List *newList = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
+        PKIX_NULLCHECK_TWO(listItem, pList);
+
+        PKIX_CHECK(PKIX_List_Create(&newList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (newList, (PKIX_PL_Object *)listItem, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        if (immutability) {
+                PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
+                        PKIX_LISTSETIMMUTABLEFAILED);
+        }
+
+        *pList = newList;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(newList);
+        }
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_Spawn
+ * DESCRIPTION:
+ *
+ *  Creates a new childNode for the parent pointed to by "parent", using
+ *  the OID pointed to by "policyOID", the List of CertPolicyQualifiers
+ *  pointed to by "qualifiers", the List of OIDs pointed to by
+ *  "subjectDomainPolicies", and the PolicyCheckerState pointed to by
+ *  "state". The new node will be added to "parent".
+ *
+ *  The validPolicy of the new node is set from the OID pointed to by
+ *  "policyOID". The policy qualifiers for the new node is set from the
+ *  List of qualifiers pointed to by "qualifiers", and may be NULL or
+ *  empty if the argument provided was NULL or empty. The criticality is
+ *  set according to the criticality obtained from the PolicyCheckerState.
+ *  If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
+ *  child is set to contain the same policy as the validPolicy. If
+ *  "subjectDomainPolicies" is not NULL, it is used as the value for
+ *  the expectedPolicySet.
+ *
+ *  The PolicyCheckerState also contains a constant, anyPolicy, which is
+ *  compared to "policyOID". If they match, the address of the childNode
+ * is saved in the state's newAnyPolicyNode.
+ *
+ * PARAMETERS:
+ *  "parent"
+ *      Address of PolicyNode to which the child will be linked. Must be
+ *      non-NULL.
+ *  "policyOID"
+ *      Address of OID of the new child's validPolicy and also, if
+ *      subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
+ *      Must be non-NULL.
+ *  "qualifiers"
+ *      Address of List of CertPolicyQualifiers. May be NULL or empty.
+ *  "subjectDomainPolicies"
+ *      Address of List of OIDs indicating the policies to which "policy" is
+ *      mapped. May be empty or NULL.
+ *  "state"
+ *      Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_Spawn(
+        PKIX_PolicyNode *parent,
+        PKIX_PL_OID *policyOID,
+        PKIX_List *qualifiers,  /* CertPolicyQualifiers */
+        PKIX_List *subjectDomainPolicies,
+        PKIX_PolicyCheckerState *state,
+        void *plContext)
+{
+        PKIX_List *expectedSet = NULL; /* OIDs */
+        PKIX_PolicyNode *childNode = NULL;
+        PKIX_Boolean match = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
+        PKIX_NULLCHECK_THREE(policyOID, parent, state);
+
+        if (subjectDomainPolicies) {
+
+                PKIX_INCREF(subjectDomainPolicies);
+                expectedSet = subjectDomainPolicies;
+
+        } else {
+                /* Create the child's ExpectedPolicy Set */
+                PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
+                        ((PKIX_PL_Object *)policyOID,
+                        PKIX_TRUE,      /* make expectedPolicySet immutable */
+                        &expectedSet,
+                        plContext),
+                        PKIX_POLICYCHECKERMAKESINGLETONFAILED);
+        }
+
+        PKIX_CHECK(pkix_PolicyNode_Create
+                (policyOID,
+                qualifiers,
+                state->certPoliciesCritical,
+                expectedSet,
+                &childNode,
+                plContext),
+                PKIX_POLICYNODECREATEFAILED);
+
+        /*
+         * If we had a non-empty mapping, we know the new node could not
+         * have been created with a validPolicy of anyPolicy. Otherwise,
+         * check whether we just created a new node with anyPolicy, because
+         * in that case we want to save the child pointer in newAnyPolicyNode.
+         */
+        if (!subjectDomainPolicies) {
+                PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
+                        PKIX_OBJECTEQUALSFAILED);
+
+                if (match) {
+                        PKIX_DECREF(state->newAnyPolicyNode);
+                        PKIX_INCREF(childNode);
+                        state->newAnyPolicyNode = childNode;
+                }
+        }
+
+        PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
+                PKIX_POLICYNODEADDTOPARENTFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)state, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        PKIX_DECREF(childNode);
+        PKIX_DECREF(expectedSet);
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
+ * DESCRIPTION:
+ *
+ *  Performs policy processing for the policy whose OID is pointed to by
+ *  "policyOID" and whose List of CertPolicyQualifiers is pointed to by
+ *  "policyQualifiers", using the List of policy OIDs pointed to by
+ *  "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
+ *  in accordance with the current PolicyCheckerState pointed to by "state",
+ *  and setting "pChildNodeCreated" to TRUE if a new childNode is created.
+ *  Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
+ *  The intent of the design is that the caller can set a variable to FALSE
+ *  initially, prior to a recursive set of calls. At the end, the variable
+ *  can be tested to see whether *any* of the calls created a child node.
+ *
+ *  If the currentNode is not at the bottom of the tree, this function
+ *  calls itself recursively for each child of currentNode. At the bottom of
+ *  the tree, it creates new child nodes as appropriate. This function will
+ *  never be called with policy = anyPolicy.
+ *
+ *  This function implements the processing described in RFC3280
+ *  Section 6.1.3(d)(1)(i).
+ *
+ * PARAMETERS:
+ *  "policyOID"
+ *      Address of OID of the policy to be checked for. Must be non-NULL.
+ *  "policyQualifiers"
+ *      Address of List of CertPolicyQualifiers of the policy to be checked for.
+ *      May be empty or NULL.
+ *  "subjectDomainPolicies"
+ *      Address of List of OIDs indicating the policies to which "policy" is
+ *      mapped. May be empty or NULL.
+ *  "currentNode"
+ *      Address of PolicyNode whose descendants will be checked, if not at the
+ *      bottom of the tree; or whose expectedPolicySet will be compared to
+ *      "policy", if at the bottom. Must be non-NULL.
+ *  "state"
+ *      Address of PolicyCheckerState of the current PolicyChecker. Must be
+ *      non-NULL.
+ *  "pChildNodeCreated"
+ *      Address of the Boolean that will be set TRUE if this function
+ *      creates a child node. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_CheckPolicyRecursive(
+        PKIX_PL_OID *policyOID,
+        PKIX_List *policyQualifiers,
+        PKIX_List *subjectDomainPolicies,
+        PKIX_PolicyNode *currentNode,
+        PKIX_PolicyCheckerState *state,
+        PKIX_Boolean *pChildNodeCreated,
+        void *plContext)
+{
+        PKIX_UInt32 depth = 0;
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 childIx = 0;
+        PKIX_Boolean isIncluded = PKIX_FALSE;
+        PKIX_List *children = NULL;     /* PolicyNodes */
+        PKIX_PolicyNode *childNode = NULL;
+        PKIX_List *expectedPolicies = NULL; /* OIDs */
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "pkix_PolicyChecker_CheckPolicyRecursive");
+        PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
+
+        /* if not at the bottom of the tree */
+        PKIX_CHECK(PKIX_PolicyNode_GetDepth
+                (currentNode, &depth, plContext),
+                PKIX_POLICYNODEGETDEPTHFAILED);
+
+        if (depth < (state->certsProcessed)) {
+                PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
+                        (currentNode, &children, plContext),
+                        PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
+
+                if (children) {
+                        PKIX_CHECK(PKIX_List_GetLength
+                                (children, &numChildren, plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+                }
+
+                for (childIx = 0; childIx < numChildren; childIx++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (children,
+                            childIx,
+                            (PKIX_PL_Object **)&childNode,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
+                            (policyOID,
+                            policyQualifiers,
+                            subjectDomainPolicies,
+                            childNode,
+                            state,
+                            pChildNodeCreated,
+                            plContext),
+                            PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
+
+                        PKIX_DECREF(childNode);
+                }
+        } else { /* if at the bottom of the tree */
+
+                /* Check whether policy is in this node's expectedPolicySet */
+                PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
+                        (currentNode, &expectedPolicies, plContext),
+                        PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
+
+                PKIX_NULLCHECK_ONE(expectedPolicies);
+
+                PKIX_CHECK(pkix_List_Contains
+                        (expectedPolicies,
+                        (PKIX_PL_Object *)policyOID,
+                        &isIncluded,
+                        plContext),
+                        PKIX_LISTCONTAINSFAILED);
+
+                if (isIncluded) {
+                        PKIX_CHECK(pkix_PolicyChecker_Spawn
+                                (currentNode,
+                                policyOID,
+                                policyQualifiers,
+                                subjectDomainPolicies,
+                                state,
+                                plContext),
+                                PKIX_POLICYCHECKERSPAWNFAILED);
+
+                        *pChildNodeCreated = PKIX_TRUE;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(children);
+        PKIX_DECREF(childNode);
+        PKIX_DECREF(expectedPolicies);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_CheckPolicy
+ * DESCRIPTION:
+ *
+ *  Performs the non-recursive portion of the policy processing for the policy
+ *  whose OID is pointed to by "policyOID" and whose List of
+ *  CertPolicyQualifiers is pointed to by "policyQualifiers", for the
+ *  Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
+ *  to by "maps", in accordance with the current PolicyCheckerState pointed
+ *  to by "state".
+ *
+ *  This function implements the processing described in RFC3280
+ *  Section 6.1.3(d)(1)(i).
+ *
+ * PARAMETERS:
+ *  "policyOID"
+ *      Address of OID of the policy to be checked for. Must be non-NULL.
+ *  "policyQualifiers"
+ *      Address of List of CertPolicyQualifiers of the policy to be checked for.
+ *      May be empty or NULL.
+ *  "cert"
+ *      Address of the current certificate. Must be non-NULL.
+ *  "maps"
+ *      Address of List of CertPolicyMaps for the current certificate
+ *  "state"
+ *      Address of PolicyCheckerState of the current PolicyChecker. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_CheckPolicy(
+        PKIX_PL_OID *policyOID,
+        PKIX_List *policyQualifiers,
+        PKIX_PL_Cert *cert,
+        PKIX_List *maps,
+        PKIX_PolicyCheckerState *state,
+        void *plContext)
+{
+        PKIX_Boolean childNodeCreated = PKIX_FALSE;
+        PKIX_Boolean okToSpawn = PKIX_FALSE;
+        PKIX_Boolean found = PKIX_FALSE;
+        PKIX_List *subjectDomainPolicies = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
+        PKIX_NULLCHECK_THREE(policyOID, cert, state);
+
+        /*
+         * If this is not the last certificate, get the set of
+         * subjectDomainPolicies that "policy" maps to, according to the
+         * current cert's policy mapping extension. That set will be NULL
+         * if the current cert does not have a policy mapping extension,
+         * or if the current policy is not mapped.
+         */
+        if (state->certsProcessed != (state->numCerts - 1)) {
+            PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
+                (maps, policyOID, &subjectDomainPolicies, plContext),
+                PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
+        }
+
+        /*
+         * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
+         * will have to delete any nodes created with validPolicies equal to
+         * policies that appear as issuerDomainPolicies in a policy mapping
+         * extension. Let's avoid creating any such nodes.
+         */
+        if ((state->policyMapping) == 0) {
+                if (subjectDomainPolicies) {
+                        goto cleanup;
+                }
+        }
+
+        PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
+                (policyOID,
+                policyQualifiers,
+                subjectDomainPolicies,
+                state->validPolicyTree,
+                state,
+                &childNodeCreated,
+                plContext),
+                PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
+
+        if (!childNodeCreated) {
+                /*
+                 * Section 6.1.3(d)(1)(ii)
+                 * There was no match. If there was a node at
+                 * depth i-1 with valid policy anyPolicy,
+                 * generate a node subordinate to that.
+                 *
+                 * But that means this created node would be in
+                 * the valid-policy-node-set, and will be
+                 * pruned in 6.1.5(g)(iii)(2) unless it is in
+                 * the user-initial-policy-set or the user-
+                 * initial-policy-set is {anyPolicy}. So check,
+                 * and don't create it if it will be pruned.
+                 */
+                if (state->anyPolicyNodeAtBottom) {
+                        if (state->initialIsAnyPolicy) {
+                                okToSpawn = PKIX_TRUE;
+                        } else {
+                                PKIX_CHECK(pkix_List_Contains
+                                        (state->mappedUserInitialPolicySet,
+                                        (PKIX_PL_Object *)policyOID,
+                                        &okToSpawn,
+                                        plContext),
+                                        PKIX_LISTCONTAINSFAILED);
+                        }
+                        if (okToSpawn) {
+                                PKIX_CHECK(pkix_PolicyChecker_Spawn
+                                        (state->anyPolicyNodeAtBottom,
+                                        policyOID,
+                                        policyQualifiers,
+                                        subjectDomainPolicies,
+                                        state,
+                                        plContext),
+                                        PKIX_POLICYCHECKERSPAWNFAILED);
+                                childNodeCreated = PKIX_TRUE;
+                        }
+                }
+        }
+
+        if (childNodeCreated) {
+                /*
+                 * If this policy had qualifiers, and the certificate policies
+                 * extension was marked critical, and the user cannot deal with
+                 * policy qualifiers, throw an error.
+                 */
+                if (policyQualifiers &&
+                    state->certPoliciesCritical &&
+                    state->policyQualifiersRejected) {
+                    PKIX_ERROR
+                        (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
+                }
+                /*
+                 * If the policy we just propagated was in the list of mapped
+                 * policies, remove it from the list. That list is used, at the
+                 * end, to determine policies that have not been propagated.
+                 */
+                if (state->mappedPolicyOIDs) {
+                        PKIX_CHECK(pkix_List_Contains
+                                (state->mappedPolicyOIDs,
+                                (PKIX_PL_Object *)policyOID,
+                                &found,
+                                plContext),
+                                PKIX_LISTCONTAINSFAILED);
+                        if (found) {
+                                PKIX_CHECK(pkix_List_Remove
+                                        (state->mappedPolicyOIDs,
+                                        (PKIX_PL_Object *)policyOID,
+                                        plContext),
+                                        PKIX_LISTREMOVEFAILED);
+                        }
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(subjectDomainPolicies);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_CheckAny
+ * DESCRIPTION:
+ *  Performs the creation of PolicyNodes, for the PolicyNode pointed to by
+ *  "currentNode" and PolicyNodes subordinate to it, using the List of
+ *  qualifiers pointed to by "qualsOfAny", in accordance with the current
+ *  certificate's PolicyMaps pointed to by "policyMaps" and the current
+ *  PolicyCheckerState pointed to by "state".
+ *
+ *  If the currentNode is not just above the bottom of the validPolicyTree, this
+ *  function calls itself recursively for each child of currentNode. At the
+ *  level just above the bottom, for each policy in the currentNode's
+ *  expectedPolicySet not already present in a child node, it creates a new
+ *  child node. The validPolicy of the child created, and its expectedPolicySet,
+ *  will be the policy from the currentNode's expectedPolicySet. The policy
+ *  qualifiers will be the qualifiers from the current certificate's anyPolicy,
+ *  the "qualsOfAny" parameter. If the currentNode's expectedSet includes
+ *  anyPolicy, a childNode will be created with a policy of anyPolicy. This is
+ *  the only way such a node can be created.
+ *
+ *  This function is called only when anyPolicy is one of the current
+ *  certificate's policies. This function implements the processing described
+ *  in RFC3280 Section 6.1.3(d)(2).
+ *
+ * PARAMETERS:
+ *  "currentNode"
+ *      Address of PolicyNode whose descendants will be checked, if not at the
+ *      bottom of the tree; or whose expectedPolicySet will be compared to those
+ *      in "alreadyPresent", if at the bottom. Must be non-NULL.
+ *  "qualsOfAny"
+ *      Address of List of qualifiers of the anyPolicy in the current
+ *      certificate. May be empty or NULL.
+ *  "policyMaps"
+ *      Address of the List of PolicyMaps of the current certificate. May be
+ *      empty or NULL.
+ *  "state"
+ *      Address of the current state of the PKIX_PolicyChecker.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_CheckAny(
+        PKIX_PolicyNode *currentNode,
+        PKIX_List *qualsOfAny,  /* CertPolicyQualifiers */
+        PKIX_List *policyMaps,  /* CertPolicyMaps */
+        PKIX_PolicyCheckerState *state,
+        void *plContext)
+{
+        PKIX_UInt32 depth = 0;
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 childIx = 0;
+        PKIX_UInt32 numPolicies = 0;
+        PKIX_UInt32 polx = 0;
+        PKIX_Boolean isIncluded = PKIX_FALSE;
+        PKIX_List *children = NULL;     /* PolicyNodes */
+        PKIX_PolicyNode *childNode = NULL;
+        PKIX_List *expectedPolicies = NULL; /* OIDs */
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_PL_OID *childPolicy = NULL;
+        PKIX_List *subjectDomainPolicies = NULL;  /* OIDs */
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
+        PKIX_NULLCHECK_TWO(currentNode, state);
+
+        PKIX_CHECK(PKIX_PolicyNode_GetDepth
+                (currentNode, &depth, plContext),
+                PKIX_POLICYNODEGETDEPTHFAILED);
+
+        PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
+                (currentNode, &children, plContext),
+                PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
+
+        if (children) {
+                PKIX_CHECK(PKIX_List_GetLength
+                        (children, &numChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+        }
+
+        if (depth < (state->certsProcessed)) {
+                for (childIx = 0; childIx < numChildren; childIx++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (children,
+                                childIx,
+                                (PKIX_PL_Object **)&childNode,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_NULLCHECK_ONE(childNode);
+                        PKIX_CHECK(pkix_PolicyChecker_CheckAny
+                                (childNode,
+                                qualsOfAny,
+                                policyMaps,
+                                state,
+                                plContext),
+                                PKIX_POLICYCHECKERCHECKANYFAILED);
+
+                        PKIX_DECREF(childNode);
+                }
+        } else { /* if at the bottom of the tree */
+
+            PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
+                (currentNode, &expectedPolicies, plContext),
+                PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
+
+            /* Expected Policy Set is not allowed to be NULL */
+            PKIX_NULLCHECK_ONE(expectedPolicies);
+
+            PKIX_CHECK(PKIX_List_GetLength
+                (expectedPolicies, &numPolicies, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+            for (polx = 0; polx < numPolicies; polx++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                    (expectedPolicies,
+                    polx,
+                    (PKIX_PL_Object **)&policyOID,
+                    plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_NULLCHECK_ONE(policyOID);
+
+                isIncluded = PKIX_FALSE;
+
+                for (childIx = 0;
+                    (!isIncluded && (childIx < numChildren));
+                    childIx++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (children,
+                        childIx,
+                        (PKIX_PL_Object **)&childNode,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_NULLCHECK_ONE(childNode);
+
+                    PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
+                        (childNode, &childPolicy, plContext),
+                        PKIX_POLICYNODEGETVALIDPOLICYFAILED);
+
+                    PKIX_NULLCHECK_ONE(childPolicy);
+
+                    PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
+                        PKIX_OBJECTEQUALSFAILED);
+
+                    PKIX_DECREF(childNode);
+                    PKIX_DECREF(childPolicy);
+                }
+
+                if (!isIncluded) {
+                    if (policyMaps) {
+                        PKIX_CHECK
+                          (pkix_PolicyChecker_MapGetSubjectDomainPolicies
+                          (policyMaps,
+                          policyOID,
+                          &subjectDomainPolicies,
+                          plContext),
+                          PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
+                    }
+                    PKIX_CHECK(pkix_PolicyChecker_Spawn
+                        (currentNode,
+                        policyOID,
+                        qualsOfAny,
+                        subjectDomainPolicies,
+                        state,
+                        plContext),
+                        PKIX_POLICYCHECKERSPAWNFAILED);
+                    PKIX_DECREF(subjectDomainPolicies);
+                }
+
+                PKIX_DECREF(policyOID);
+            }
+        }
+
+cleanup:
+
+        PKIX_DECREF(children);
+        PKIX_DECREF(childNode);
+        PKIX_DECREF(expectedPolicies);
+        PKIX_DECREF(policyOID);
+        PKIX_DECREF(childPolicy);
+        PKIX_DECREF(subjectDomainPolicies);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_CalculateIntersection
+ * DESCRIPTION:
+ *
+ *  Processes the PolicyNode pointed to by "currentNode", and its descendants,
+ *  using the PolicyCheckerState pointed to by "state", using the List at
+ *  the address pointed to by "nominees" the OIDs of policies that are in the
+ *  user-initial-policy-set but are not represented among the nodes at the
+ *  bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
+ *  currentNode is childless at the end of this processing, FALSE if it has
+ *  children or is at the bottom of the tree.
+ *
+ *  When this function is called at the top level, "nominees" should be the List
+ *  of all policies in the user-initial-policy-set. Policies that are
+ *  represented in the valid-policy-node-set are removed from this List. As a
+ *  result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
+ *  be created for each policy remaining in this List.
+ *
+ *  This function implements the calculation of the intersection of the
+ *  validPolicyTree with the user-initial-policy-set, as described in
+ *  RFC 3280 6.1.5(g)(iii).
+ *
+ * PARAMETERS:
+ *  "currentNode"
+ *      Address of PolicyNode whose descendants will be processed as described.
+ *      Must be non-NULL.
+ *  "state"
+ *      Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
+ *  "nominees"
+ *      Address of List of the OIDs for which nodes should be created to replace
+ *      anyPolicy nodes. Must be non-NULL but may be empty.
+ *  "pShouldBePruned"
+ *      Address where Boolean return value, set to TRUE if this PolicyNode
+ *      should be deleted, is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_CalculateIntersection(
+        PKIX_PolicyNode *currentNode,
+        PKIX_PolicyCheckerState *state,
+        PKIX_List *nominees, /* OIDs */
+        PKIX_Boolean *pShouldBePruned,
+        void *plContext)
+{
+        PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
+        PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
+        PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
+        PKIX_Boolean shouldBePruned = PKIX_FALSE;
+        PKIX_Boolean priorCriticality = PKIX_FALSE;
+        PKIX_UInt32 depth = 0;
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 childIndex = 0;
+        PKIX_UInt32 numNominees = 0;
+        PKIX_UInt32 polIx = 0;
+        PKIX_PL_OID *currentPolicy = NULL;
+        PKIX_PL_OID *parentPolicy = NULL;
+        PKIX_PL_OID *substPolicy = NULL;
+        PKIX_PolicyNode *parent = NULL;
+        PKIX_PolicyNode *child = NULL;
+        PKIX_List *children = NULL; /* PolicyNodes */
+        PKIX_List *policyQualifiers = NULL;
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "pkix_PolicyChecker_CalculateIntersection");
+
+        PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
+
+        PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
+                (currentNode, &currentPolicy, plContext),
+                PKIX_POLICYNODEGETVALIDPOLICYFAILED);
+
+        PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
+
+        PKIX_EQUALS
+                (state->anyPolicyOID,
+                currentPolicy,
+                &currentPolicyIsAny,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
+                PKIX_POLICYNODEGETPARENTFAILED);
+
+        if (currentPolicyIsAny == PKIX_FALSE) {
+
+                /*
+                 * If we are at the top of the tree, or if our
+                 * parent's validPolicy is anyPolicy, we are in
+                 * the valid policy node set.
+                 */
+                if (parent) {
+                        PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
+                                (parent, &parentPolicy, plContext),
+                                PKIX_POLICYNODEGETVALIDPOLICYFAILED);
+
+                        PKIX_NULLCHECK_ONE(parentPolicy);
+
+                        PKIX_EQUALS
+                                (state->anyPolicyOID,
+                                parentPolicy,
+                                &parentPolicyIsAny,
+                                plContext,
+                                PKIX_OBJECTEQUALSFAILED);
+                }
+
+                /*
+                 * Section 6.1.5(g)(iii)(2)
+                 * If this node's policy is not in the user-initial-policy-set,
+                 * it is not in the intersection. Prune it.
+                 */
+                if (!parent || parentPolicyIsAny) {
+                        PKIX_CHECK(pkix_List_Contains
+                                (state->userInitialPolicySet,
+                                (PKIX_PL_Object *)currentPolicy,
+                                &currentPolicyIsValid,
+                                plContext),
+                                PKIX_LISTCONTAINSFAILED);
+                        if (!currentPolicyIsValid) {
+                                *pShouldBePruned = PKIX_TRUE;
+                                goto cleanup;
+                        }
+
+                        /*
+                         * If this node's policy is in the user-initial-policy-
+                         * set, it will propagate that policy into the next
+                         * level of the tree. Remove the policy from the list
+                         * of policies that an anyPolicy will spawn.
+                         */
+                        PKIX_CHECK(pkix_List_Remove
+                                (nominees,
+                                (PKIX_PL_Object *)currentPolicy,
+                                plContext),
+                                PKIX_LISTREMOVEFAILED);
+                }
+        }
+
+
+        /* Are we at the bottom of the tree? */
+
+        PKIX_CHECK(PKIX_PolicyNode_GetDepth
+                (currentNode, &depth, plContext),
+                PKIX_POLICYNODEGETDEPTHFAILED);
+
+        if (depth == (state->numCerts)) {
+                /*
+                 * Section 6.1.5(g)(iii)(3)
+                 * Replace anyPolicy nodes...
+                 */
+                if (currentPolicyIsAny == PKIX_TRUE) {
+
+                        /* replace this node */
+
+                        PKIX_CHECK(PKIX_List_GetLength
+                            (nominees, &numNominees, plContext),
+                            PKIX_LISTGETLENGTHFAILED);
+
+                        if (numNominees) {
+
+                            PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
+                                (currentNode,
+                                &policyQualifiers,
+                                plContext),
+                                PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
+
+                            PKIX_CHECK(PKIX_PolicyNode_IsCritical
+                                (currentNode, &priorCriticality, plContext),
+                                PKIX_POLICYNODEISCRITICALFAILED);
+                        }
+
+                        PKIX_NULLCHECK_ONE(parent);
+
+                        for (polIx = 0; polIx < numNominees; polIx++) {
+
+                            PKIX_CHECK(PKIX_List_GetItem
+                                (nominees,
+                                polIx,
+                                (PKIX_PL_Object **)&substPolicy,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                            PKIX_CHECK(pkix_PolicyChecker_Spawn
+                                (parent,
+                                substPolicy,
+                                policyQualifiers,
+                                NULL,
+                                state,
+                                plContext),
+                                PKIX_POLICYCHECKERSPAWNFAILED);
+
+                            PKIX_DECREF(substPolicy);
+
+                        }
+                        /* remove currentNode from parent */
+                        *pShouldBePruned = PKIX_TRUE;
+                        /*
+                         * We can get away with augmenting the parent's List
+                         * of children because we started at the end and went
+                         * toward the beginning. New nodes are added at the end.
+                         */
+                }
+        } else {
+                /*
+                 * Section 6.1.5(g)(iii)(4)
+                 * Prune any childless nodes above the bottom level
+                 */
+                PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
+                        (currentNode, &children, plContext),
+                        PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
+
+                /* CurrentNode should have been pruned if childless. */
+                PKIX_NULLCHECK_ONE(children);
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (children, &numChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (childIndex = numChildren; childIndex > 0; childIndex--) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (children,
+                        childIndex - 1,
+                        (PKIX_PL_Object **)&child,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
+                        (child, state, nominees, &shouldBePruned, plContext),
+                        PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
+
+                    if (PKIX_TRUE == shouldBePruned) {
+
+                        PKIX_CHECK(PKIX_List_DeleteItem
+                                (children, childIndex - 1, plContext),
+                                PKIX_LISTDELETEITEMFAILED);
+                        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                                ((PKIX_PL_Object *)state, plContext),
+                                PKIX_OBJECTINVALIDATECACHEFAILED);
+                    }
+
+                    PKIX_DECREF(child);
+                }
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (children, &numChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                if (numChildren == 0) {
+                        *pShouldBePruned = PKIX_TRUE;
+                }
+        }
+cleanup:
+        PKIX_DECREF(currentPolicy);
+        PKIX_DECREF(parentPolicy);
+        PKIX_DECREF(substPolicy);
+        PKIX_DECREF(parent);
+        PKIX_DECREF(child);
+        PKIX_DECREF(children);
+        PKIX_DECREF(policyQualifiers);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
+ * DESCRIPTION:
+ *
+ *  Performs the processing of Policies in the List of CertPolicyMaps pointed
+ *  to by "policyMaps", using and updating the PolicyCheckerState pointed to by
+ *  "state".
+ *
+ *  This function implements the policyMap processing described in RFC3280
+ *  Section 6.1.4(b)(1), after certificate i has been processed, in preparation
+ *  for certificate i+1. Section references are to that document.
+ *
+ * PARAMETERS:
+ *  "policyMaps"
+ *      Address of the List of CertPolicyMaps presented by certificate i.
+ *      Must be non-NULL.
+ *  "certPoliciesIncludeAny"
+ *      Boolean value which is PKIX_TRUE if the current certificate asserts
+ *      anyPolicy, PKIX_FALSE otherwise.
+ *  "qualsOfAny"
+ *      Address of List of qualifiers of the anyPolicy in the current
+ *      certificate. May be empty or NULL.
+ *  "state"
+ *      Address of the current state of the PKIX_PolicyChecker.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_PolicyMapProcessing(
+        PKIX_List *policyMaps,  /* CertPolicyMaps */
+        PKIX_Boolean certPoliciesIncludeAny,
+        PKIX_List *qualsOfAny,
+        PKIX_PolicyCheckerState *state,
+        void *plContext)
+{
+        PKIX_UInt32 numPolicies = 0;
+        PKIX_UInt32 polX = 0;
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_List *newMappedPolicies = NULL;  /* OIDs */
+        PKIX_List *subjectDomainPolicies = NULL;  /* OIDs */
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "pkix_PolicyChecker_PolicyMapProcessing");
+        PKIX_NULLCHECK_THREE(policyMaps, state, state->userInitialPolicySet);
+
+        /*
+         * For each policy in mappedUserInitialPolicySet, if it is not mapped,
+         * append it to new policySet; if it is mapped, append its
+         * subjectDomainPolicies to new policySet. When done, this new
+         * policySet will replace mappedUserInitialPolicySet.
+         */
+        PKIX_CHECK(PKIX_List_Create
+                (&newMappedPolicies, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength
+                (state->mappedUserInitialPolicySet,
+                &numPolicies,
+                plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (polX = 0; polX < numPolicies; polX++) {
+
+            PKIX_CHECK(PKIX_List_GetItem
+                (state->mappedUserInitialPolicySet,
+                polX,
+                (PKIX_PL_Object **)&policyOID,
+                plContext),
+                PKIX_LISTGETITEMFAILED);
+
+            PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
+                (policyMaps,
+                policyOID,
+                &subjectDomainPolicies,
+                plContext),
+                PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
+
+            if (subjectDomainPolicies) {
+
+                PKIX_CHECK(pkix_List_AppendUnique
+                        (newMappedPolicies,
+                        subjectDomainPolicies,
+                        plContext),
+                        PKIX_LISTAPPENDUNIQUEFAILED);
+
+                PKIX_DECREF(subjectDomainPolicies);
+
+            } else {
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (newMappedPolicies,
+                        (PKIX_PL_Object *)policyOID,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+            }
+            PKIX_DECREF(policyOID);
+        }
+
+        /*
+         * For each policy ID-P remaining in mappedPolicyOIDs, it has not been
+         * propagated to the bottom of the tree (depth i). If policyMapping
+         * is greater than zero and this cert contains anyPolicy and the tree
+         * contains an anyPolicy node at depth i-1, then we must create a node
+         * with validPolicy ID-P, the policy qualifiers of anyPolicy in
+         * this certificate, and expectedPolicySet the subjectDomainPolicies
+         * that ID-P maps to. We also then add those subjectDomainPolicies to
+         * the list of policies that will be accepted in the next certificate,
+         * the mappedUserInitialPolicySet.
+         */
+
+        if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
+            (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (state->mappedPolicyOIDs,
+                    &numPolicies,
+                    plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                for (polX = 0; polX < numPolicies; polX++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (state->mappedPolicyOIDs,
+                        polX,
+                        (PKIX_PL_Object **)&policyOID,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
+                        (policyMaps,
+                        policyOID,
+                        &subjectDomainPolicies,
+                        plContext),
+                        PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
+
+                    PKIX_CHECK(pkix_PolicyChecker_Spawn
+                        (state->anyPolicyNodeAtBottom,
+                        policyOID,
+                        qualsOfAny,
+                        subjectDomainPolicies,
+                        state,
+                        plContext),
+                        PKIX_POLICYCHECKERSPAWNFAILED);
+
+                    PKIX_CHECK(pkix_List_AppendUnique
+                        (newMappedPolicies,
+                        subjectDomainPolicies,
+                        plContext),
+                        PKIX_LISTAPPENDUNIQUEFAILED);
+
+                    PKIX_DECREF(subjectDomainPolicies);
+                    PKIX_DECREF(policyOID);
+                }
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        PKIX_DECREF(state->mappedUserInitialPolicySet);
+        PKIX_INCREF(newMappedPolicies);
+
+        state->mappedUserInitialPolicySet = newMappedPolicies;
+
+cleanup:
+
+        PKIX_DECREF(policyOID);
+        PKIX_DECREF(newMappedPolicies);
+        PKIX_DECREF(subjectDomainPolicies);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_WrapUpProcessing
+ * DESCRIPTION:
+ *
+ *  Performs the wrap-up processing for the Cert pointed to by "cert",
+ *  using and updating the PolicyCheckerState pointed to by "state".
+ *
+ *  This function implements the wrap-up processing described in RFC3280
+ *  Section 6.1.5, after the final certificate has been processed. Section
+ *  references in the comments are to that document.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of the current (presumably the end entity) certificate.
+ *      Must be non-NULL.
+ *  "state"
+ *      Address of the current state of the PKIX_PolicyChecker.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_PolicyChecker_WrapUpProcessing(
+        PKIX_PL_Cert *cert,
+        PKIX_PolicyCheckerState *state,
+        void *plContext)
+{
+        PKIX_Int32 explicitPolicySkipCerts = 0;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+        PKIX_Boolean shouldBePruned = PKIX_FALSE;
+        PKIX_List *nominees = NULL; /* OIDs */
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        PKIX_PL_String *stateString = NULL;
+        char *stateAscii = NULL;
+        PKIX_UInt32 length;
+#endif
+
+        PKIX_ENTER
+                (CERTCHAINCHECKER,
+                "pkix_PolicyChecker_WrapUpProcessing");
+        PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)state, &stateString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stateString,
+                    PKIX_ESCASCII,
+                    (void **)&stateAscii,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_DEBUG_ARG("%s\n", stateAscii);
+
+        PKIX_FREE(stateAscii);
+        PKIX_DECREF(stateString);
+#endif
+
+        /* Section 6.1.5(a) ... */
+        PKIX_CHECK(pkix_IsCertSelfIssued
+                (cert, &isSelfIssued, plContext),
+                PKIX_ISCERTSELFISSUEDFAILED);
+
+        if (!isSelfIssued) {
+                if (state->explicitPolicy > 0) {
+
+                        state->explicitPolicy--;
+
+                        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                                ((PKIX_PL_Object *)state, plContext),
+                                PKIX_OBJECTINVALIDATECACHEFAILED);
+                }
+        }
+
+        /* Section 6.1.5(b) ... */
+        PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
+                (cert, &explicitPolicySkipCerts, plContext),
+                PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
+
+        if (explicitPolicySkipCerts  == 0) {
+                state->explicitPolicy = 0;
+        }
+
+        /* Section 6.1.5(g)(i) ... */
+
+        if (!(state->validPolicyTree)) {
+                goto cleanup;
+        }
+
+        /* Section 6.1.5(g)(ii) ... */
+
+        if (state->initialIsAnyPolicy) {
+                goto cleanup;
+        }
+
+        /*
+         * Section 6.1.5(g)(iii) ...
+         * Create a list of policies which could be substituted for anyPolicy.
+         * Start with a (mutable) copy of user-initial-policy-set.
+         */
+        PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
+                (state->userInitialPolicySet, &nominees, plContext),
+                PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
+
+        PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
+                (state->validPolicyTree, /* node at top of tree */
+                state,
+                nominees,
+                &shouldBePruned,
+                plContext),
+                PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
+
+        if (PKIX_TRUE == shouldBePruned) {
+                PKIX_DECREF(state->validPolicyTree);
+        }
+
+        if (state->validPolicyTree) {
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)state->validPolicyTree, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)state, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        if (state->validPolicyTree) {
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object*)state, &stateString, plContext),
+                        PKIX_OBJECTTOSTRINGFAILED);
+
+                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                            (stateString,
+                            PKIX_ESCASCII,
+                            (void **)&stateAscii,
+                            &length,
+                            plContext),
+                            PKIX_STRINGGETENCODEDFAILED);
+
+                PKIX_DEBUG_ARG
+                        ("After CalculateIntersection:\n%s\n", stateAscii);
+
+                PKIX_FREE(stateAscii);
+                PKIX_DECREF(stateString);
+        } else {
+                PKIX_DEBUG("validPolicyTree is NULL\n");
+        }
+#endif
+
+        /* Section 6.1.5(g)(iii)(4) ... */
+
+        if (state->validPolicyTree) {
+
+                PKIX_CHECK(pkix_PolicyNode_Prune
+                        (state->validPolicyTree,
+                        state->numCerts,
+                        &shouldBePruned,
+                        plContext),
+                        PKIX_POLICYNODEPRUNEFAILED);
+
+                if (shouldBePruned) {
+                        PKIX_DECREF(state->validPolicyTree);
+                }
+        }
+
+        if (state->validPolicyTree) {
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)state->validPolicyTree, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)state, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)state, &stateString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stateString,
+                    PKIX_ESCASCII,
+                    (void **)&stateAscii,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+        PKIX_DEBUG_ARG("%s\n", stateAscii);
+
+        PKIX_FREE(stateAscii);
+        PKIX_DECREF(stateString);
+#endif
+
+cleanup:
+
+        PKIX_DECREF(nominees);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+
+/*
+ * FUNCTION: pkix_PolicyChecker_Check
+ * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
+ *
+ * Labels referring to sections, such as "Section 6.1.3(d)", refer to
+ * sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
+ *
+ * If a non-fatal error occurs, it is unlikely that policy processing can
+ * continue. But it is still possible that chain validation could succeed if
+ * policy processing is non-critical. So if this function receives a non-fatal
+ * error from a lower level routine, it aborts policy processing by setting
+ * the validPolicyTree to NULL and tries to continue.
+ *
+ */
+static PKIX_Error *
+pkix_PolicyChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticals,  /* OIDs */
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_UInt32 numPolicies = 0;
+        PKIX_UInt32 polX = 0;
+        PKIX_Boolean result = PKIX_FALSE;
+        PKIX_Int32 inhibitMappingSkipCerts = 0;
+        PKIX_Int32 explicitPolicySkipCerts = 0;
+        PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
+        PKIX_Boolean shouldBePruned = PKIX_FALSE;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+        PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
+        PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
+
+        PKIX_PolicyCheckerState *state = NULL;
+        PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
+        PKIX_PL_CertPolicyInfo *policy = NULL;
+        PKIX_PL_OID *policyOID = NULL;
+        PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
+        PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
+        PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
+        PKIX_List *mappedPolicies = NULL; /* OIDs */
+        PKIX_Error *subroutineErr = NULL;
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        PKIX_PL_String *stateString = NULL;
+        char *stateAscii = NULL;
+        PKIX_PL_String *certString = NULL;
+        char *certAscii = NULL;
+        PKIX_UInt32 length;
+#endif
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
+        PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)state, &stateString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stateString,
+                    PKIX_ESCASCII,
+                    (void **)&stateAscii,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+        PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
+        PKIX_FREE(stateAscii);
+        PKIX_DECREF(stateString);
+#endif
+
+        /*
+         * Section 6.1.4(a)
+         * If this is not the last certificate, and if
+         * policyMapping extension is present, check that no
+         * issuerDomainPolicy or subjectDomainPolicy is equal to the
+         * special policy anyPolicy.
+         */
+        if (state->certsProcessed != (state->numCerts - 1)) {
+                PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
+                        (cert, &policyMaps, plContext),
+                        PKIX_CERTGETPOLICYMAPPINGSFAILED);
+        }
+
+        if (policyMaps) {
+
+                PKIX_CHECK(pkix_PolicyChecker_MapContains
+                        (policyMaps, state->anyPolicyOID, &result, plContext),
+                        PKIX_POLICYCHECKERMAPCONTAINSFAILED);
+
+                if (result) {
+                        PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
+                }
+
+                PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
+                        (policyMaps, &mappedPolicies, plContext),
+                        PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
+
+                PKIX_DECREF(state->mappedPolicyOIDs);
+                PKIX_INCREF(mappedPolicies);
+                state->mappedPolicyOIDs = mappedPolicies;
+        }
+
+        /* Section 6.1.3(d) */
+        if (state->validPolicyTree) {
+
+            PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &certPolicyInfos, plContext),
+                PKIX_CERTGETPOLICYINFORMATIONFAILED);
+
+            if (certPolicyInfos) {
+                PKIX_CHECK(PKIX_List_GetLength
+                        (certPolicyInfos, &numPolicies, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+            }
+
+            if (numPolicies > 0) {
+
+                PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
+                        (cert, &(state->certPoliciesCritical), plContext),
+                        PKIX_CERTARECERTPOLICIESCRITICALFAILED);
+
+                /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
+                for (polX = 0; polX < numPolicies; polX++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (certPolicyInfos,
+                        polX,
+                        (PKIX_PL_Object **)&policy,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
+                        (policy, &policyOID, plContext),
+                        PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
+
+                    PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
+                        (policy, &policyQualifiers, plContext),
+                        PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
+
+                    PKIX_EQUALS
+                        (state->anyPolicyOID,
+                        policyOID,
+                        &result,
+                        plContext,
+                        PKIX_OIDEQUALFAILED);
+
+                    if (result == PKIX_FALSE) {
+
+                        /* Section 6.1.3(d)(1)(i) */
+                        subroutineErr = pkix_PolicyChecker_CheckPolicy
+                                (policyOID,
+                                policyQualifiers,
+                                cert,
+                                policyMaps,
+                                state,
+                                plContext);
+                        if (subroutineErr) {
+                                goto subrErrorCleanup;
+                        }
+
+                    } else {
+                        /*
+                         * No descent (yet) for anyPolicy, but we will need
+                         * the policyQualifiers for anyPolicy in 6.1.3(d)(2)
+                         */
+                        PKIX_DECREF(qualsOfAny);
+                        PKIX_INCREF(policyQualifiers);
+                        qualsOfAny = policyQualifiers;
+                        certPoliciesIncludeAny = PKIX_TRUE;
+                    }
+                    PKIX_DECREF(policy);
+                    PKIX_DECREF(policyOID);
+                    PKIX_DECREF(policyQualifiers);
+                }
+
+                /* Section 6.1.3(d)(2) */
+                if (certPoliciesIncludeAny == PKIX_TRUE) {
+                        if (state->inhibitAnyPolicy > 0) {
+                                doAnyPolicyProcessing = PKIX_TRUE;
+                        } else {
+                            /* We haven't yet counted the current cert */
+                            if (((state->certsProcessed) + 1) <
+                                (state->numCerts)) {
+
+                                PKIX_CHECK(pkix_IsCertSelfIssued
+                                        (cert,
+                                        &doAnyPolicyProcessing,
+                                        plContext),
+                                        PKIX_ISCERTSELFISSUEDFAILED);
+                            }
+                        }
+                        if (doAnyPolicyProcessing) {
+                            subroutineErr = pkix_PolicyChecker_CheckAny
+                                (state->validPolicyTree,
+                                qualsOfAny,
+                                policyMaps,
+                                state,
+                                plContext);
+                            if (subroutineErr) {
+                                goto subrErrorCleanup;
+                            }
+                        }
+                }
+
+                /* Section 6.1.3(d)(3) */
+                if (state->validPolicyTree) {
+                        subroutineErr = pkix_PolicyNode_Prune
+                                (state->validPolicyTree,
+                                state->certsProcessed + 1,
+                                &shouldBePruned,
+                                plContext);
+                        if (subroutineErr) {
+                                goto subrErrorCleanup;
+                        }
+                        if (shouldBePruned) {
+                                PKIX_DECREF(state->validPolicyTree);
+                                PKIX_DECREF(state->anyPolicyNodeAtBottom);
+                        }
+                }
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)state, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+
+            } else {
+                /* Section 6.1.3(e) */
+                PKIX_DECREF(state->validPolicyTree);
+                PKIX_DECREF(state->anyPolicyNodeAtBottom);
+                PKIX_DECREF(state->newAnyPolicyNode);
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)state, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+            }
+        }
+
+        /* Section 6.1.3(f) */
+        if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
+                PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
+        }
+
+        /*
+         * Remove Policy OIDs from list of unresolved critical
+         * extensions, if present.
+         */
+        PKIX_CHECK(pkix_List_Remove
+                (unresolvedCriticals,
+                (PKIX_PL_Object *)state->certPoliciesExtension,
+                plContext),
+                PKIX_LISTREMOVEFAILED);
+
+        PKIX_CHECK(pkix_List_Remove
+                (unresolvedCriticals,
+                (PKIX_PL_Object *)state->policyMappingsExtension,
+                plContext),
+                PKIX_LISTREMOVEFAILED);
+
+        PKIX_CHECK(pkix_List_Remove
+                (unresolvedCriticals,
+                (PKIX_PL_Object *)state->policyConstraintsExtension,
+                plContext),
+                PKIX_LISTREMOVEFAILED);
+
+        PKIX_CHECK(pkix_List_Remove
+                (unresolvedCriticals,
+                (PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
+                plContext),
+                PKIX_LISTREMOVEFAILED);
+
+        state->certsProcessed++;
+
+        /* If this was not the last certificate, do next-cert preparation */
+        if (state->certsProcessed != state->numCerts) {
+
+                if (policyMaps) {
+                        subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
+                                (policyMaps,
+                                certPoliciesIncludeAny,
+                                qualsOfAny,
+                                state,
+                                plContext);
+                        if (subroutineErr) {
+                                goto subrErrorCleanup;
+                        }
+                }
+
+                /* update anyPolicyNodeAtBottom pointer */
+                PKIX_DECREF(state->anyPolicyNodeAtBottom);
+                state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
+                state->newAnyPolicyNode = NULL;
+
+                /* Section 6.1.4(h) */
+                PKIX_CHECK(pkix_IsCertSelfIssued
+                        (cert, &isSelfIssued, plContext),
+                        PKIX_ISCERTSELFISSUEDFAILED);
+
+                if (!isSelfIssued) {
+                        if (state->explicitPolicy > 0) {
+                            state->explicitPolicy--;
+                        }
+                        if (state->policyMapping > 0) {
+                            state->policyMapping--;
+                        }
+                        if (state->inhibitAnyPolicy > 0) {
+                            state->inhibitAnyPolicy--;
+                        }
+                }
+
+                /* Section 6.1.4(i) */
+                PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
+                        (cert, &explicitPolicySkipCerts, plContext),
+                        PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
+
+                if (explicitPolicySkipCerts != -1) {
+                        if (((PKIX_UInt32)explicitPolicySkipCerts) <
+                            (state->explicitPolicy)) {
+                                state->explicitPolicy =
+                                   ((PKIX_UInt32) explicitPolicySkipCerts);
+                        }
+                }
+
+                PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
+                        (cert, &inhibitMappingSkipCerts, plContext),
+                        PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
+
+                if (inhibitMappingSkipCerts != -1) {
+                        if (((PKIX_UInt32)inhibitMappingSkipCerts) <
+                            (state->policyMapping)) {
+                                state->policyMapping =
+                                    ((PKIX_UInt32)inhibitMappingSkipCerts);
+                        }
+                }
+
+                PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
+                        (cert, &inhibitAnyPolicySkipCerts, plContext),
+                        PKIX_CERTGETINHIBITANYPOLICYFAILED);
+
+                if (inhibitAnyPolicySkipCerts != -1) {
+                        if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
+                            (state->inhibitAnyPolicy)) {
+                                state->inhibitAnyPolicy =
+                                    ((PKIX_UInt32)inhibitAnyPolicySkipCerts);
+                        }
+                }
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)state, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        } else { /* If this was the last certificate, do wrap-up processing */
+
+                /* Section 6.1.5 */
+                subroutineErr = pkix_PolicyChecker_WrapUpProcessing
+                        (cert, state, plContext);
+                if (subroutineErr) {
+                        goto subrErrorCleanup;
+                }
+
+                if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
+                    PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
+                }
+
+                PKIX_DECREF(state->anyPolicyNodeAtBottom);
+                PKIX_DECREF(state->newAnyPolicyNode);
+        }
+
+
+        if (subroutineErr) {
+
+subrErrorCleanup:
+                /* We had an error. Was it a fatal error? */
+                pkixErrorClass = subroutineErr->errClass;
+                if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                    pkixErrorResult = subroutineErr;
+                    subroutineErr = NULL;
+                    goto cleanup;
+                }
+                /*
+                 * Abort policy processing, and then determine whether
+                 * we can continue without policy processing.
+                 */
+                PKIX_DECREF(state->validPolicyTree);
+                PKIX_DECREF(state->anyPolicyNodeAtBottom);
+                PKIX_DECREF(state->newAnyPolicyNode);
+                if (state->explicitPolicy == 0) {
+                    PKIX_ERROR
+                        (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
+                }
+        }
+
+        /* Checking is complete. Save state for the next certificate. */
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                (checker, (PKIX_PL_Object *)state, plContext),
+                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+        if (cert) {
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object*)cert, &certString, plContext),
+                        PKIX_OBJECTTOSTRINGFAILED);
+                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                            (certString,
+                            PKIX_ESCASCII,
+                            (void **)&certAscii,
+                            &length,
+                            plContext),
+                            PKIX_STRINGGETENCODEDFAILED);
+                PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
+                PKIX_FREE(certAscii);
+                PKIX_DECREF(certString);
+        }
+        if (state) {
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object*)state, &stateString, plContext),
+                        PKIX_OBJECTTOSTRINGFAILED);
+                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                            (stateString,
+                            PKIX_ESCASCII,
+                            (void **)&stateAscii,
+                            &length,
+                            plContext),
+                            PKIX_STRINGGETENCODEDFAILED);
+                PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
+                PKIX_FREE(stateAscii);
+                PKIX_DECREF(stateString);
+        }
+#endif
+
+        PKIX_DECREF(state);
+        PKIX_DECREF(certPolicyInfos);
+        PKIX_DECREF(policy);
+        PKIX_DECREF(qualsOfAny);
+        PKIX_DECREF(policyQualifiers);
+        PKIX_DECREF(policyOID);
+        PKIX_DECREF(subroutineErr);
+        PKIX_DECREF(policyMaps);
+        PKIX_DECREF(mappedPolicies);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_PolicyChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates and initializes a PolicyChecker, using the List pointed to
+ *  by "initialPolicies" for the user-initial-policy-set, the Boolean value
+ *  of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
+ *  the Boolean value of "initialPolicyMappingInhibit" for the
+ *  inhibitPolicyMappings parameter, the Boolean value of
+ *  "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
+ *  Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
+ *  parameter, and the UInt32 value of "numCerts" as the number of
+ *  certificates in the chain; and stores the Checker at "pChecker".
+ *
+ * PARAMETERS:
+ *  "initialPolicies"
+ *      Address of List of OIDs comprising the user-initial-policy-set; the List
+ *      may be empty or NULL
+ *  "policyQualifiersRejected"
+ *      Boolean value of the policyQualifiersRejected parameter
+ *  "initialPolicyMappingInhibit"
+ *      Boolean value of the inhibitPolicyMappings parameter
+ *  "initialExplicitPolicy"
+ *      Boolean value of the initialExplicitPolicy parameter
+ *  "initialAnyPolicyInhibit"
+ *      Boolean value of the inhibitAnyPolicy parameter
+ *  "numCerts"
+ *      Number of certificates in the chain to be validated
+ *  "pChecker"
+ *      Address to store the created PolicyChecker. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a CertChainChecker Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_PolicyChecker_Initialize(
+        PKIX_List *initialPolicies,
+        PKIX_Boolean policyQualifiersRejected,
+        PKIX_Boolean initialPolicyMappingInhibit,
+        PKIX_Boolean initialExplicitPolicy,
+        PKIX_Boolean initialAnyPolicyInhibit,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        PKIX_PolicyCheckerState *polCheckerState = NULL;
+        PKIX_List *policyExtensions = NULL;     /* OIDs */
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_PolicyCheckerState_Create
+                (initialPolicies,
+                policyQualifiersRejected,
+                initialPolicyMappingInhibit,
+                initialExplicitPolicy,
+                initialAnyPolicyInhibit,
+                numCerts,
+                &polCheckerState,
+                plContext),
+                PKIX_POLICYCHECKERSTATECREATEFAILED);
+
+        /* Create the list of extensions that we handle */
+        PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
+                ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
+                PKIX_TRUE,
+                &policyExtensions,
+                plContext),
+                PKIX_POLICYCHECKERMAKESINGLETONFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                (pkix_PolicyChecker_Check,
+                PKIX_FALSE,     /* forwardCheckingSupported */
+                PKIX_FALSE,
+                policyExtensions,
+                (PKIX_PL_Object *)polCheckerState,
+                pChecker,
+                plContext),
+                PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+        PKIX_DECREF(polCheckerState);
+        PKIX_DECREF(policyExtensions);
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h
new file mode 100755
index 000000000..10efa9795
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.h
@@ -0,0 +1,106 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policychecker.h
+ *
+ * Header file for policy checker.
+ *
+ */
+
+#ifndef _PKIX_POLICYCHECKER_H
+#define _PKIX_POLICYCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct PKIX_PolicyCheckerStateStruct PKIX_PolicyCheckerState;
+
+struct PKIX_PolicyCheckerStateStruct{
+        PKIX_PL_OID *certPoliciesExtension;             /* const */
+        PKIX_PL_OID *policyMappingsExtension;           /* const */
+        PKIX_PL_OID *policyConstraintsExtension;        /* const */
+        PKIX_PL_OID *inhibitAnyPolicyExtension;         /* const */
+        PKIX_PL_OID *anyPolicyOID;                      /* const */
+        PKIX_Boolean initialIsAnyPolicy;                /* const */
+        PKIX_PolicyNode *validPolicyTree;
+        PKIX_List *userInitialPolicySet;                /* immutable */
+        PKIX_List *mappedUserInitialPolicySet;
+        PKIX_Boolean policyQualifiersRejected;
+        PKIX_Boolean initialPolicyMappingInhibit;
+        PKIX_Boolean initialExplicitPolicy;
+        PKIX_Boolean initialAnyPolicyInhibit;
+        PKIX_UInt32 explicitPolicy;
+        PKIX_UInt32 inhibitAnyPolicy;
+        PKIX_UInt32 policyMapping;
+        PKIX_UInt32 numCerts;
+        PKIX_UInt32 certsProcessed;
+        PKIX_PolicyNode *anyPolicyNodeAtBottom;
+        PKIX_PolicyNode *newAnyPolicyNode;
+        /*
+         * The following variables do not survive from one
+         * certificate to the next. They are needed at each
+         * level of recursive routines, any by placing them
+         * in the state object we can pass fewer arguments.
+         */
+        PKIX_Boolean certPoliciesCritical;
+        PKIX_List *mappedPolicyOIDs;
+};
+
+PKIX_Error *
+pkix_PolicyChecker_Initialize(
+        PKIX_List *initialPolicies,
+        PKIX_Boolean policyQualifiersRejected,
+        PKIX_Boolean initialPolicyMappingInhibit,
+        PKIX_Boolean initialExplicitPolicy,
+        PKIX_Boolean initialAnyPolicyInhibit,
+        PKIX_UInt32 numCerts,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+/* --Private-Functions-------------------------------------------- */
+
+PKIX_Error *
+pkix_PolicyCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_POLICYCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
new file mode 100755
index 000000000..27559323d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -0,0 +1,238 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_revocationchecker.c
+ *
+ * RevocationChecker Object Functions
+ *
+ */
+
+#include "pkix_revocationchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_RevocationChecker_Destroy
+ *      (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_RevocationChecker_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_RevocationChecker *checker = NULL;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a revocation checker */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTREVOCATIONCHECKER);
+
+        checker = (PKIX_RevocationChecker *)object;
+
+        PKIX_DECREF(checker->revCheckerContext);
+
+cleanup:
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_RevocationChecker_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_RevocationChecker_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_RevocationChecker *checker = NULL;
+        PKIX_RevocationChecker *checkerDuplicate = NULL;
+        PKIX_PL_Object *contextDuplicate = NULL;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTCHAINCHECKER);
+
+        checker = (PKIX_RevocationChecker *)object;
+
+        if (checker->revCheckerContext){
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)checker->revCheckerContext,
+                            (PKIX_PL_Object **)&contextDuplicate,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_RevocationChecker_Create
+                    (checker->checkCallback,
+                    contextDuplicate,
+                    &checkerDuplicate,
+                    plContext),
+                    PKIX_REVOCATIONCHECKERCREATEFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)checkerDuplicate;
+
+cleanup:
+
+        PKIX_DECREF(contextDuplicate);
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_RevocationChecker_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_RevocationChecker_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");
+
+        entry.description = "RevocationChecker";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_RevocationChecker);
+        entry.destructor = pkix_RevocationChecker_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
+
+        systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_RevocationChecker_Create(
+    PKIX_RevocationChecker_RevCallback callback,
+    PKIX_PL_Object *revCheckerContext,
+    PKIX_RevocationChecker **pChecker,
+    void *plContext)
+{
+        PKIX_RevocationChecker *checker = NULL;
+
+        PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_REVOCATIONCHECKER_TYPE,
+                    sizeof (PKIX_RevocationChecker),
+                    (PKIX_PL_Object **)&checker,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
+
+        /* initialize fields */
+        checker->checkCallback = callback;
+
+        PKIX_INCREF(revCheckerContext);
+        checker->revCheckerContext = revCheckerContext;
+
+        *pChecker = checker;
+
+cleanup:
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+
+}
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_GetCheckCallback
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_RevocationChecker_GetRevCallback(
+        PKIX_RevocationChecker *checker,
+        PKIX_RevocationChecker_RevCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER
+                (REVOCATIONCHECKER, "PKIX_RevocationChecker_GetRevCallback");
+        PKIX_NULLCHECK_TWO(checker, pCallback);
+
+        *pCallback = checker->checkCallback;
+
+        PKIX_RETURN(REVOCATIONCHECKER);
+}
+
+/*
+ * FUNCTION: PKIX_RevocationChecker_GetRevCheckerContext
+ *      (see comments in pkix_checker.h)
+ */
+PKIX_Error *
+PKIX_RevocationChecker_GetRevCheckerContext(
+        PKIX_RevocationChecker *checker,
+        PKIX_PL_Object **pRevCheckerContext,
+        void *plContext)
+{
+        PKIX_ENTER(REVOCATIONCHECKER,
+                    "PKIX_RevocationChecker_GetRevCheckerContext");
+
+        PKIX_NULLCHECK_TWO(checker, pRevCheckerContext);
+
+        PKIX_INCREF(checker->revCheckerContext);
+
+        *pRevCheckerContext = checker->revCheckerContext;
+
+cleanup:
+        PKIX_RETURN(REVOCATIONCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h
new file mode 100755
index 000000000..df0d042c2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_revocationchecker.h
+ *
+ * RevocationChecker Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_REVOCATIONCHECKER_H
+#define _PKIX_REVOCATIONCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_RevocationCheckerStruct {
+        PKIX_RevocationChecker_RevCallback checkCallback;
+        PKIX_PL_Object *revCheckerContext;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_RevocationChecker_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_REVOCATIONCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c
new file mode 100755
index 000000000..b03ef432c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c
@@ -0,0 +1,475 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_signaturechecker.c
+ *
+ * Functions for signature validation
+ *
+ */
+
+#include "pkix_signaturechecker.h"
+
+/*
+ * FUNCTION: pkix_SignatureCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_SignatureCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_SignatureCheckerState *state = NULL;
+
+        PKIX_ENTER(SIGNATURECHECKERSTATE,
+                    "pkix_SignatureCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a signature checker state */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_SIGNATURECHECKERSTATE_TYPE, plContext),
+                    PKIX_OBJECTNOTSIGNATURECHECKERSTATE);
+
+        state = (pkix_SignatureCheckerState *) object;
+
+        state->prevCertCertSign = PKIX_FALSE;
+
+        PKIX_DECREF(state->prevPublicKey);
+        PKIX_DECREF(state->prevPublicKeyList);
+        PKIX_DECREF(state->keyUsageOID);
+
+cleanup:
+
+        PKIX_RETURN(SIGNATURECHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_SignatureCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_SIGNATURECHECKERSTATE_TYPE and its related functions
+ *  with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_SignatureCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(SIGNATURECHECKERSTATE,
+                    "pkix_SignatureCheckerState_RegisterSelf");
+
+        entry.description = "SignatureCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_SignatureCheckerState);
+        entry.destructor = pkix_SignatureCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_SIGNATURECHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(SIGNATURECHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_SignatureCheckerState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize SignatureChecker state data.
+ *
+ * PARAMETERS
+ *  "trustedPubKey"
+ *      Address of trusted Anchor Public Key for verifying first Cert in the
+ *      chain. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pCheckerState"
+ *      Address where SignatureCheckerState will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a SignatureCheckerState Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_SignatureCheckerState_Create(
+    PKIX_PL_PublicKey *trustedPubKey,
+    PKIX_UInt32 certsRemaining,
+    pkix_SignatureCheckerState **pCheckerState,
+    void *plContext)
+{
+        pkix_SignatureCheckerState *state = NULL;
+        PKIX_PL_OID *keyUsageOID = NULL;
+
+        PKIX_ENTER(SIGNATURECHECKERSTATE, "pkix_SignatureCheckerState_Create");
+        PKIX_NULLCHECK_TWO(trustedPubKey, pCheckerState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_SIGNATURECHECKERSTATE_TYPE,
+                    sizeof (pkix_SignatureCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATESIGNATURECHECKERSTATEOBJECT);
+
+        /* Initialize fields */
+
+        state->prevCertCertSign = PKIX_TRUE;
+        state->prevPublicKeyList = NULL;
+        state->certsRemaining = certsRemaining;
+
+        PKIX_INCREF(trustedPubKey);
+        state->prevPublicKey = trustedPubKey;
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_CERTKEYUSAGE_OID,
+                    &keyUsageOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        state->keyUsageOID = keyUsageOID;
+        keyUsageOID = NULL;
+
+        *pCheckerState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(keyUsageOID);
+        PKIX_DECREF(state); 
+
+        PKIX_RETURN(SIGNATURECHECKERSTATE);
+}
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_SignatureChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_SignatureChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_SignatureCheckerState *state = NULL;
+        PKIX_PL_PublicKey *prevPubKey = NULL;
+        PKIX_PL_PublicKey *currPubKey = NULL;
+        PKIX_PL_PublicKey *newPubKey = NULL;
+        PKIX_PL_PublicKey *pKey = NULL;
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        PKIX_Error *checkKeyUsageFail = NULL;
+        PKIX_Error *verifyFail = NULL;
+        PKIX_Boolean certVerified = PKIX_FALSE;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_SignatureChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        (state->certsRemaining)--;
+
+        PKIX_INCREF(state->prevPublicKey);
+        prevPubKey = state->prevPublicKey;
+
+        /*
+         * Previous Cert doesn't have CertSign bit on for signature
+         * verification and it is not a self-issued Cert so there is no
+         * old key saved. This is considered error.
+         */
+        if (state->prevCertCertSign == PKIX_FALSE &&
+                state->prevPublicKeyList == NULL) {
+                    PKIX_ERROR(PKIX_KEYUSAGEKEYCERTSIGNBITNOTON);
+        }
+
+        /* Previous Cert is valid for signature verification, try it first */
+        if (state->prevCertCertSign == PKIX_TRUE) {
+                verifyFail = PKIX_PL_Cert_VerifySignature
+                        (cert, prevPubKey, plContext);
+                if (verifyFail == NULL) {
+                        certVerified = PKIX_TRUE;
+                } else {
+                        certVerified = PKIX_FALSE;
+                        PKIX_DECREF(verifyFail);
+                }
+        }
+
+#ifdef NIST_TEST_4_5_4_AND_4_5_6
+
+        /*
+         * Following codes under this compiler flag is implemented for
+         * special cases of NIST tests 4.5.4 and 4.5.6. We are not sure
+         * we should handle these two tests as what is implemented so the
+         * codes are commented out, and the tests fails (for now).
+         * For Cert chain validation, our assumption is all the Certs on
+         * the chain are using its previous Cert's public key to decode
+         * its current key. But for thses two tests, keys are used not
+         * in this precedent order, we can either
+         * 1) Use what is implemented here: take in what Cert order NIST
+         *    specified and for continuous self-issued Certs, stacking up
+         *    their keys and tries all of them in FILO order.
+         *    But this method breaks the idea of chain key presdency.
+         * 2) Use Build Chain facility: we will specify the valid Certs
+         *    order (means key precedency is kept) and count on Build Chain
+         *    to get the Certs that can fill for the needed keys. This may have
+         *    performance impact.
+         * 3) Fetch Certs from CertStore: we will specifiy the valid Certs
+         *    order and use CertSelector on SubjectName to get a list of
+         *    candidates Certs to fill in for the needed keys.
+         * Anyhow, the codes are kept around just in case we want to use
+         * solution one...
+         */
+
+        /* If failed and previous key is self-issued, try its old key(s) */
+        if (certVerified == PKIX_FALSE && state->prevPublicKeyList != NULL) {
+
+                /* Verify from keys on the list */
+                PKIX_CHECK(PKIX_List_GetLength
+                        (state->prevPublicKeyList, &numKeys, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = numKeys - 1; i >= 0; i--) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (state->prevPublicKeyList,
+                                i,
+                                (PKIX_PL_Object **) &pKey,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        verifyFail = PKIX_PL_Cert_VerifySignature
+                                (cert, pKey, plContext);
+
+                        if (verifyFail == NULL) {
+                                certVerified = PKIX_TRUE;
+                                break;
+                        } else {
+                                certVerified = PKIX_FALSE;
+                                PKIX_DECREF(verifyFail);
+                        }
+
+                        PKIX_DECREF(pKey);
+                }
+        }
+#endif
+
+        if (certVerified == PKIX_FALSE) {
+                PKIX_ERROR(PKIX_VALIDATIONFAILEDCERTSIGNATURECHECKING);
+        }
+
+#ifdef NIST_TEST_4_5_4_AND_4_5_6
+        /*
+         * Check if Cert is self-issued. If so, the old key(s) is saved, in
+         * conjunction to the new key, for verifying CERT validity later.
+         */
+        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+                    PKIX_ISCERTSELFISSUEFAILED);
+
+        /*
+         * Check if Cert is self-issued. If so, the public key of the Cert
+         * that issues this Cert (old key) can be used together with this
+         * current key (new key) for key verification. If there are multiple
+         * self-issued certs, keys of those Certs (old keys) can also be used
+         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
+         * List) and cleared when a Cert is no longer self-issued. PrevPublic-
+         * Key keep key of the previous Cert.
+         */
+        if (selfIssued == PKIX_TRUE) {
+
+            /* Make sure previous Cert is valid for signature verification */
+            if (state->prevCertCertSign == PKIX_TRUE) {
+
+                if (state->prevPublicKeyList == NULL) {
+
+                        PKIX_CHECK(PKIX_List_Create
+                                (&state->prevPublicKeyList, plContext),
+                                PKIX_LISTCREATEFALIED);
+
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (state->prevPublicKeyList,
+                            (PKIX_PL_Object *) state->prevPublicKey,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+            }
+
+        } else {
+            /* Not self-issued Cert any more, clear old key(s) saved */
+            PKIX_DECREF(state->prevPublicKeyList);
+        }
+#endif
+
+        /* Save current key as prevPublicKey */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (cert, &currPubKey, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+                    (currPubKey, prevPubKey, &newPubKey, plContext),
+                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
+
+        if (newPubKey == NULL){
+                PKIX_INCREF(currPubKey);
+                newPubKey = currPubKey;
+        }
+
+        PKIX_INCREF(newPubKey);
+        PKIX_DECREF(state->prevPublicKey);
+
+        state->prevPublicKey = newPubKey;
+
+        /* Save this Cert key usage CertSign bit */
+        if (state->certsRemaining != 0) {
+                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
+                        (cert, PKIX_KEY_CERT_SIGN, plContext);
+
+                state->prevCertCertSign = (checkKeyUsageFail == NULL)?
+                        PKIX_TRUE:PKIX_FALSE;
+
+                PKIX_DECREF(checkKeyUsageFail);
+        }
+
+        /* Remove Key Usage Extension OID from list */
+        if (unresolvedCriticalExtensions != NULL) {
+
+                PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->keyUsageOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+                    (checker, (PKIX_PL_Object *)state, plContext),
+                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+        PKIX_DECREF(pKey);
+        PKIX_DECREF(prevPubKey);
+        PKIX_DECREF(currPubKey);
+        PKIX_DECREF(newPubKey);
+        PKIX_DECREF(basicConstraints);
+        PKIX_DECREF(verifyFail);
+        PKIX_DECREF(checkKeyUsageFail);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_SignatureChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  be used by pkix_SignatureChecker_Check to check that the public key in
+ *  the checker's state is able to successfully validate the certificate's
+ *  signature. The PublicKey pointed to by "trustedPubKey" is used to
+ *  initialize the checker's state.
+ *
+ * PARAMETERS:
+ *  "trustedPubKey"
+ *      Address of PublicKey representing the trusted public key used to
+ *      initialize the state of this checker. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_SignatureChecker_Initialize(
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_SignatureCheckerState* state = NULL;
+        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_SignatureChecker_Initialize");
+        PKIX_NULLCHECK_TWO(pChecker, trustedPubKey);
+
+        PKIX_CHECK(pkix_SignatureCheckerState_Create
+                    (trustedPubKey, certsRemaining, &state, plContext),
+                    PKIX_SIGNATURECHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_SignatureChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *) state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.h
new file mode 100755
index 000000000..7cfc0cecc
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.h
@@ -0,0 +1,77 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_signaturechecker.h
+ *
+ * Header file for validate signature function
+ *
+ */
+
+#ifndef _PKIX_SIGNATURECHECKER_H
+#define _PKIX_SIGNATURECHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_SignatureCheckerState pkix_SignatureCheckerState;
+
+struct pkix_SignatureCheckerState {
+        PKIX_Boolean prevCertCertSign;
+        PKIX_UInt32 certsRemaining;
+        PKIX_PL_PublicKey *prevPublicKey; /* Subject PubKey of last cert */
+        PKIX_List *prevPublicKeyList; /* of PKIX_PL_PublicKey */
+        PKIX_PL_OID *keyUsageOID;
+};
+
+PKIX_Error *
+pkix_SignatureChecker_Initialize(
+        PKIX_PL_PublicKey *trustedPubKey,
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_SignatureCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_SIGNATURECHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
new file mode 100755
index 000000000..57486fa2c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
@@ -0,0 +1,546 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_targetcertchecker.c
+ *
+ * Functions for target cert validation
+ *
+ */
+
+
+#include "pkix_targetcertchecker.h"
+
+/* --Private-TargetCertCheckerState-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_TargetCertCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_TargetCertCheckerState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_TargetCertCheckerState *state = NULL;
+
+        PKIX_ENTER(TARGETCERTCHECKERSTATE,
+                    "pkix_TargetCertCheckerState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a target cert checker state */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_TARGETCERTCHECKERSTATE_TYPE, plContext),
+                    PKIX_OBJECTNOTTARGETCERTCHECKERSTATE);
+
+        state = (pkix_TargetCertCheckerState *)object;
+
+        PKIX_DECREF(state->certSelector);
+        PKIX_DECREF(state->extKeyUsageOID);
+        PKIX_DECREF(state->subjAltNameOID);
+        PKIX_DECREF(state->pathToNameList);
+        PKIX_DECREF(state->extKeyUsageList);
+        PKIX_DECREF(state->subjAltNameList);
+
+cleanup:
+
+        PKIX_RETURN(TARGETCERTCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_TargetCertCheckerState_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_TARGETCERTCHECKERSTATE_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_TargetCertCheckerState_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(TARGETCERTCHECKERSTATE,
+                    "pkix_TargetCertCheckerState_RegisterSelf");
+
+        entry.description = "TargetCertCheckerState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_TargetCertCheckerState);
+        entry.destructor = pkix_TargetCertCheckerState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_TARGETCERTCHECKERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(TARGETCERTCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_TargetCertCheckerState_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new TargetCertCheckerState using the CertSelector pointed to
+ *  by "certSelector" and the number of certs represented by "certsRemaining"
+ *  and stores it at "pState".
+ *
+ * PARAMETERS:
+ *  "certSelector"
+ *      Address of CertSelector representing the criteria against which the
+ *      final certificate in a chain is to be matched. Must be non-NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pState"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a TargetCertCheckerState Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_TargetCertCheckerState_Create(
+    PKIX_CertSelector *certSelector,
+    PKIX_UInt32 certsRemaining,
+    pkix_TargetCertCheckerState **pState,
+    void *plContext)
+{
+        pkix_TargetCertCheckerState *state = NULL;
+        PKIX_ComCertSelParams *certSelectorParams = NULL;
+        PKIX_List *pathToNameList = NULL;
+        PKIX_List *extKeyUsageList = NULL;
+        PKIX_List *subjAltNameList = NULL;
+        PKIX_PL_OID *extKeyUsageOID = NULL;
+        PKIX_PL_OID *subjAltNameOID = NULL;
+        PKIX_Boolean subjAltNameMatchAll = PKIX_TRUE;
+
+        PKIX_ENTER(TARGETCERTCHECKERSTATE,
+                    "pkix_TargetCertCheckerState_Create");
+        PKIX_NULLCHECK_ONE(pState);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_EXTENDEDKEYUSAGE_OID,
+                    &extKeyUsageOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_CERTSUBJALTNAME_OID,
+                    &subjAltNameOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_TARGETCERTCHECKERSTATE_TYPE,
+                    sizeof (pkix_TargetCertCheckerState),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT);
+
+        /* initialize fields */
+
+        if (certSelector != NULL) {
+
+                PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                        (certSelector, &certSelectorParams, plContext),
+                        PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED);
+
+                if (certSelectorParams != NULL) {
+
+                        PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
+                            (certSelectorParams,
+                            &pathToNameList,
+                            plContext),
+                            PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
+
+                        PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
+                            (certSelectorParams,
+                            &extKeyUsageList,
+                            plContext),
+                            PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
+
+                        PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
+                            (certSelectorParams,
+                            &subjAltNameList,
+                            plContext),
+                            PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
+
+                        PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
+                            (certSelectorParams,
+                            &subjAltNameMatchAll,
+                            plContext),
+                            PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
+                }
+        }
+
+        state->certsRemaining = certsRemaining;
+        state->subjAltNameMatchAll = subjAltNameMatchAll;
+
+        PKIX_INCREF(certSelector);
+        state->certSelector = certSelector;
+
+        state->pathToNameList = pathToNameList;
+        pathToNameList = NULL;
+
+        state->extKeyUsageList = extKeyUsageList;
+        extKeyUsageList = NULL;
+
+        state->subjAltNameList = subjAltNameList;
+        subjAltNameList = NULL;
+
+        state->extKeyUsageOID = extKeyUsageOID;
+        extKeyUsageOID = NULL;
+
+        state->subjAltNameOID = subjAltNameOID;
+        subjAltNameOID = NULL;
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+        
+        PKIX_DECREF(extKeyUsageOID);
+        PKIX_DECREF(subjAltNameOID);
+        PKIX_DECREF(pathToNameList);
+        PKIX_DECREF(extKeyUsageList);
+        PKIX_DECREF(subjAltNameList);
+        PKIX_DECREF(state);
+
+        PKIX_DECREF(certSelectorParams);
+
+        PKIX_RETURN(TARGETCERTCHECKERSTATE);
+
+}
+
+/* --Private-TargetCertChecker-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_TargetCertChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_TargetCertChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_TargetCertCheckerState *state = NULL;
+        PKIX_CertSelector_MatchCallback certSelectorMatch = NULL;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        PKIX_List *certSubjAltNames = NULL;
+        PKIX_List *certExtKeyUsageList = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_PL_X500Name *certSubjectName = NULL;
+        PKIX_Boolean checkPassed = PKIX_FALSE;
+        PKIX_UInt32 numItems, i;
+        PKIX_UInt32 matchCount = 0;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* we never block on pending I/O */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        (state->certsRemaining)--;
+
+        if (state->pathToNameList != NULL) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (cert, &nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+                /*
+                 * XXX We should either make the following call a public one
+                 * so it is legal to call from the portability layer or we
+                 * should try to create pathToNameList as CertNameConstraints
+                 * then call the existing check function.
+                 */
+                PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+                    (state->pathToNameList,
+                    nameConstraints,
+                    &checkPassed,
+                    plContext),
+                    PKIX_CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED);
+
+                if (checkPassed != PKIX_TRUE) {
+                    PKIX_ERROR(PKIX_VALIDATIONFAILEDPATHTONAMECHECKFAILED);
+                }
+
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
+                    (cert, &certSubjAltNames, plContext),
+                    PKIX_CERTGETSUBJALTNAMESFAILED);
+
+        if (state->subjAltNameList != NULL && certSubjAltNames != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (state->subjAltNameList, &numItems, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numItems; i++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (state->subjAltNameList,
+                            i,
+                            (PKIX_PL_Object **) &name,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_List_Contains
+                            (certSubjAltNames,
+                            (PKIX_PL_Object *) name,
+                            &checkPassed,
+                            plContext),
+                            PKIX_LISTCONTAINSFAILED);
+
+                        PKIX_DECREF(name);
+
+                        if (checkPassed == PKIX_TRUE) {
+
+                            if (state->subjAltNameMatchAll == PKIX_FALSE) {
+                                matchCount = numItems;
+                                break;
+                            } else {
+                                /* else continue checking next */
+                                matchCount++;
+                            }
+
+                        }
+                }
+
+                if (matchCount != numItems) {
+                        PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED);
+
+                }
+
+        }
+
+        if (state->certsRemaining == 0) {
+
+                if (state->certSelector != NULL) {
+
+                        PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                            (state->certSelector,
+                            &certSelectorMatch,
+                            plContext),
+                            PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+                        PKIX_CHECK(certSelectorMatch
+                            (state->certSelector,
+                            cert,
+                            &checkPassed,
+                            plContext),
+                            PKIX_CERTSELECTORMATCHFAILED);
+
+                        if (checkPassed != PKIX_TRUE){
+                                PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED);
+                        }
+
+                        /*
+                         * There are two Extended Key Usage Checkings
+                         * available :
+                         * 1) here at the targetcertchecker where we
+                         *    verify the Extended Key Usage OIDs application
+                         *    specifies via ComCertSelParams are included
+                         *    in Cert's Extended Key Usage OID's. Note,
+                         *    this is an OID to OID comparison and only last
+                         *    Cert is checked.
+                         * 2) at user defined ekuchecker where checking
+                         *    is applied to all Certs on the chain and
+                         *    the NSS Extended Key Usage algorithm is
+                         *    used. In order to invoke this checking, not
+                         *    only does the ComCertSelparams needs to be
+                         *    set, the EKU initialize call is required to
+                         *    activate the checking.
+                         *
+                         * XXX We use the same ComCertSelParams Set/Get
+                         * functions to set the parameters for both cases.
+                         * We may want to separate them in the future.
+                         */
+
+                        PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+                            (cert, &certExtKeyUsageList, plContext),
+                            PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+
+
+                        if (state->extKeyUsageList != NULL &&
+                            certExtKeyUsageList != NULL) {
+
+                            PKIX_CHECK(PKIX_List_GetLength
+                                (state->extKeyUsageList, &numItems, plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+
+                            for (i = 0; i < numItems; i++) {
+
+                                PKIX_CHECK(PKIX_List_GetItem
+                                        (state->extKeyUsageList,
+                                        i,
+                                        (PKIX_PL_Object **) &name,
+                                        plContext),
+                                        PKIX_LISTGETITEMFAILED);
+
+                                PKIX_CHECK(pkix_List_Contains
+                                        (certExtKeyUsageList,
+                                        (PKIX_PL_Object *) name,
+                                        &checkPassed,
+                                        plContext),
+                                        PKIX_LISTCONTAINSFAILED);
+
+                                PKIX_DECREF(name);
+
+                                if (checkPassed != PKIX_TRUE) {
+                                    PKIX_ERROR
+                                        (PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
+
+                                }
+                            }
+
+                        }
+
+                }
+        }
+
+        /* Remove Critical Extension OID from list */
+        if (unresolvedCriticalExtensions != NULL) {
+
+                PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->extKeyUsageOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubject
+                            (cert, &certSubjectName, plContext),
+                            PKIX_CERTGETSUBJECTFAILED);
+
+                if (certSubjAltNames != NULL) {
+                        PKIX_CHECK(pkix_List_Remove
+                            (unresolvedCriticalExtensions,
+                            (PKIX_PL_Object *) state->subjAltNameOID,
+                            plContext),
+                            PKIX_LISTREMOVEFAILED);
+                }
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(nameConstraints);
+        PKIX_DECREF(certSubjAltNames);
+        PKIX_DECREF(certExtKeyUsageList);
+        PKIX_DECREF(certSubjectName);
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_TargetCertChecker_Initialize
+ * DESCRIPTION:
+ *
+ *  Creates a new CertChainChecker and stores it at "pChecker", where it will
+ *  used by pkix_TargetCertChecker_Check to check that the final certificate
+ *  of a chain meets the criteria of the CertSelector pointed to by
+ *  "certSelector". The number of certs remaining in the chain, represented by
+ *  "certsRemaining" is used to initialize the checker's state.
+ *
+ * PARAMETERS:
+ *  "certSelector"
+ *      Address of CertSelector representing the criteria against which the
+ *      final certificate in a chain is to be matched. May be NULL.
+ *  "certsRemaining"
+ *      Number of certificates remaining in the chain.
+ *  "pChecker"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_TargetCertChecker_Initialize(
+        PKIX_CertSelector *certSelector,
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext)
+{
+        pkix_TargetCertCheckerState *state = NULL;
+
+        PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Initialize");
+        PKIX_NULLCHECK_ONE(pChecker);
+
+        PKIX_CHECK(pkix_TargetCertCheckerState_Create
+                    (certSelector, certsRemaining, &state, plContext),
+                    PKIX_TARGETCERTCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                    (pkix_TargetCertChecker_Check,
+                    PKIX_FALSE,
+                    PKIX_FALSE,
+                    NULL,
+                    (PKIX_PL_Object *)state,
+                    pChecker,
+                    plContext),
+                    PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(CERTCHAINCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.h
new file mode 100755
index 000000000..0a888bade
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.h
@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_targetcertchecker.h
+ *
+ * Header file for validate target cert function
+ *
+ */
+
+#ifndef _PKIX_TARGETCERTCHECKER_H
+#define _PKIX_TARGETCERTCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_TargetCertCheckerState pkix_TargetCertCheckerState;
+
+struct pkix_TargetCertCheckerState {
+        PKIX_CertSelector *certSelector;
+        PKIX_List *pathToNameList;
+        PKIX_List *extKeyUsageList; /* List of PKIX_PL_OID */
+        PKIX_List *subjAltNameList;
+        PKIX_Boolean subjAltNameMatchAll;
+        PKIX_UInt32 certsRemaining;
+        PKIX_PL_OID *extKeyUsageOID;
+        PKIX_PL_OID *subjAltNameOID;
+};
+
+PKIX_Error *
+pkix_TargetCertChecker_Initialize(
+        PKIX_CertSelector *certSelector,
+        PKIX_UInt32 certsRemaining,
+        PKIX_CertChainChecker **pChecker,
+        void *plContext);
+
+PKIX_Error *
+pkix_TargetCertCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_TARGETCERTCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix/config.mk b/security/nss/lib/libpkix/pkix/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/crlsel/Makefile b/security/nss/lib/libpkix/pkix/crlsel/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/crlsel/config.mk b/security/nss/lib/libpkix/pkix/crlsel/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn
new file mode 100755
index 000000000..0679f260d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn
@@ -0,0 +1,58 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_comcrlselparams.h \
+	pkix_crlselector.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_crlselector.c \
+	pkix_comcrlselparams.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixcrlsel
+
diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c
new file mode 100755
index 000000000..1e68891c4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.c
@@ -0,0 +1,833 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_comcrlselparams.c
+ *
+ * ComCRLSelParams Function Definitions
+ *
+ */
+
+#include "pkix_comcrlselparams.h"
+
+/* --ComCRLSelParams-Private-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_ComCrlSelParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *params = NULL;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_COMCRLSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCRLSELPARAMS);
+
+        params = (PKIX_ComCRLSelParams *)object;
+
+        PKIX_DECREF(params->issuerNames);
+        PKIX_DECREF(params->cert);
+        PKIX_DECREF(params->date);
+        PKIX_DECREF(params->maxCRLNumber);
+        PKIX_DECREF(params->minCRLNumber);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCRLSelParams_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of ComCRLSelParams
+ *  pointed to by "crlParams" and stores the result at "pString".
+ *
+ * PARAMETERS
+ *  "crlParams"
+ *      Address of ComCRLSelParams whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address of object pointer's destination. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLEntry Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_ToString_Helper(
+        PKIX_ComCRLSelParams *crlParams,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlIssuerNamesString = NULL;
+        PKIX_PL_String *crlDateString = NULL;
+        PKIX_PL_String *crlMaxCRLNumberString = NULL;
+        PKIX_PL_String *crlMinCRLNumberString = NULL;
+        PKIX_PL_String *crlCertString = NULL;
+        PKIX_PL_String *crlParamsString = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_ToString_Helper");
+        PKIX_NULLCHECK_TWO(crlParams, pString);
+
+        asciiFormat =
+                "\n\t[\n"
+                "\tIssuerNames:     %s\n"
+                "\tDate:            %s\n"
+                "\tmaxCRLNumber:    %s\n"
+                "\tminCRLNumber:    %s\n"
+                "\tCertificate:     %s\n"
+                "\t]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_TOSTRING
+                (crlParams->issuerNames, &crlIssuerNamesString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(crlParams->date, &crlDateString, plContext,
+                PKIX_DATETOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (crlParams->maxCRLNumber, &crlMaxCRLNumberString, plContext,
+                PKIX_BIGINTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (crlParams->minCRLNumber, &crlMinCRLNumberString, plContext,
+                PKIX_BIGINTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(crlParams->cert, &crlCertString, plContext,
+                PKIX_CERTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&crlParamsString,
+                    plContext,
+                    formatString,
+                    crlIssuerNamesString,
+                    crlDateString,
+                    crlMaxCRLNumberString,
+                    crlMinCRLNumberString,
+                    crlCertString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = crlParamsString;
+
+cleanup:
+
+        PKIX_DECREF(crlIssuerNamesString);
+        PKIX_DECREF(crlDateString);
+        PKIX_DECREF(crlMaxCRLNumberString);
+        PKIX_DECREF(crlMinCRLNumberString);
+        PKIX_DECREF(crlCertString);
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCRLSelParams_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlParamsString = NULL;
+        PKIX_ComCRLSelParams *crlParams = NULL;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCRLSELPARAMS);
+
+        crlParams = (PKIX_ComCRLSelParams *) object;
+
+        PKIX_CHECK(pkix_ComCRLSelParams_ToString_Helper
+                    (crlParams, &crlParamsString, plContext),
+                    PKIX_COMCRLSELPARAMSTOSTRINGHELPERFAILED);
+
+        *pString = crlParamsString;
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCRLSelParams_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *crlParams = NULL;
+        PKIX_UInt32 namesHash = 0;
+        PKIX_UInt32 certHash = 0;
+        PKIX_UInt32 dateHash = 0;
+        PKIX_UInt32 maxCRLNumberHash = 0;
+        PKIX_UInt32 minCRLNumberHash = 0;
+        PKIX_UInt32 hash = 0;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCRLSELPARAMS);
+
+        crlParams = (PKIX_ComCRLSelParams *)object;
+
+        PKIX_HASHCODE(crlParams->issuerNames, &namesHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(crlParams->cert, &certHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(crlParams->date, &dateHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(crlParams->maxCRLNumber, &maxCRLNumberHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(crlParams->minCRLNumber, &minCRLNumberHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+
+        hash = (((namesHash << 3) + certHash) << 3) + dateHash;
+        hash = (hash << 3) + maxCRLNumberHash + minCRLNumberHash;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCRLSelParams_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *firstCrlParams = NULL;
+        PKIX_ComCRLSelParams *secondCrlParams = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a ComCRLSelParams */
+        PKIX_CHECK(pkix_CheckType
+                    (firstObject, PKIX_COMCRLSELPARAMS_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTCOMCRLSELPARAMS);
+
+        firstCrlParams = (PKIX_ComCRLSelParams *)firstObject;
+        secondCrlParams = (PKIX_ComCRLSelParams *)secondObject;
+
+        /*
+         * Since we know firstObject is a ComCRLSelParams, if both references
+         * are identical, they must be equal
+         */
+        if (firstCrlParams == secondCrlParams){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondComCRLSelParams isn't a ComCRLSelParams, we don't
+         * throw an error. We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    ((PKIX_PL_Object *)secondCrlParams, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        if (secondType != PKIX_COMCRLSELPARAMS_TYPE) {
+                goto cleanup;
+        }
+
+        /* Compare Issuer Names */
+        PKIX_EQUALS
+                    (firstCrlParams->issuerNames,
+                    secondCrlParams->issuerNames,
+                    &cmpResult,
+                    plContext,
+                    PKIX_LISTEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        /* Compare Date */
+        PKIX_EQUALS
+                    (firstCrlParams->date,
+                    secondCrlParams->date,
+                    &cmpResult,
+                    plContext,
+                    PKIX_DATEEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        /* Compare Max CRL Number */
+        PKIX_EQUALS
+                    (firstCrlParams->maxCRLNumber,
+                    secondCrlParams->maxCRLNumber,
+                    &cmpResult,
+                    plContext,
+                    PKIX_BIGINTEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        /* Compare Min CRL Number */
+        PKIX_EQUALS
+                    (firstCrlParams->minCRLNumber,
+                    secondCrlParams->minCRLNumber,
+                    &cmpResult,
+                    plContext,
+                    PKIX_BIGINTEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        /* Compare Cert */
+        PKIX_EQUALS
+                    (firstCrlParams->cert,
+                    secondCrlParams->cert,
+                    &cmpResult,
+                    plContext,
+                    PKIX_CERTEQUALSFAILED);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCRLSelParams_Duplicate
+ * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ComCRLSelParams_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *old;
+        PKIX_ComCRLSelParams *new;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_COMCRLSELPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTCOMCRLSELPARAMS);
+
+        old = (PKIX_ComCRLSelParams *)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_COMCRLSELPARAMS_TYPE,
+                    (PKIX_UInt32)(sizeof (PKIX_ComCRLSelParams)),
+                    (PKIX_PL_Object **)&new,
+                    plContext),
+                    PKIX_OBJECTALLOCFAILED);
+
+        PKIX_DUPLICATE(old->cert, &new->cert, plContext,
+                    PKIX_OBJECTDUPLICATECERTFAILED);
+
+        PKIX_DUPLICATE(old->issuerNames, &new->issuerNames, plContext,
+                    PKIX_OBJECTDUPLICATEISSUERNAMESFAILED);
+
+        PKIX_DUPLICATE(old->date, &new->date, plContext,
+                    PKIX_OBJECTDUPLICATEDATEFAILED);
+
+        PKIX_DUPLICATE(old->maxCRLNumber, &new->maxCRLNumber, plContext,
+                    PKIX_OBJECTDUPLICATEMAXCRLNUMBERFAILED);
+
+        PKIX_DUPLICATE(old->minCRLNumber, &new->minCRLNumber, plContext,
+                    PKIX_OBJECTDUPLICATEMINCRLNUMBERFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)new;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(new);
+        }
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ComCrlSelParams_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_COMCRLSELPARAMS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ComCRLSelParams_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "pkix_ComCRLSelParams_RegisterSelf");
+
+        entry.description = "ComCRLSelParams";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ComCRLSelParams);
+        entry.destructor = pkix_ComCRLSelParams_Destroy;
+        entry.equalsFunction = pkix_ComCRLSelParams_Equals;
+        entry.hashcodeFunction = pkix_ComCRLSelParams_Hashcode;
+        entry.toStringFunction = pkix_ComCRLSelParams_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_ComCRLSelParams_Duplicate;
+
+        systemClasses[PKIX_COMCRLSELPARAMS_TYPE] = entry;
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/* --ComCRLSelParams-Public-Functions------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_Create (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_Create(
+        PKIX_ComCRLSelParams **pParams,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *params = NULL;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_Create");
+        PKIX_NULLCHECK_ONE(pParams);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_COMCRLSELPARAMS_TYPE,
+                    sizeof (PKIX_ComCRLSelParams),
+                    (PKIX_PL_Object **)&params,
+                    plContext),
+                    PKIX_COULDNOTCREATECOMMONCRLSELECTORPARAMSOBJECT);
+
+        /* initialize fields */
+        params->issuerNames = NULL;
+        params->cert = NULL;
+        params->date = NULL;
+        params->nistPolicyEnabled = PKIX_TRUE;
+        params->maxCRLNumber = NULL;
+        params->minCRLNumber = NULL;
+
+        *pParams = params;
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetIssuerNames (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetIssuerNames(
+        PKIX_ComCRLSelParams *params,
+        PKIX_List **pIssuerNames,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_GetIssuerNames");
+        PKIX_NULLCHECK_TWO(params, pIssuerNames);
+
+        PKIX_INCREF(params->issuerNames);
+
+        *pIssuerNames = params->issuerNames;
+
+cleanup:
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetIssuerNames (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetIssuerNames(
+        PKIX_ComCRLSelParams *params,
+        PKIX_List *names,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_SetIssuerNames");
+        PKIX_NULLCHECK_ONE(params); /* allows null for names from spec */
+
+        PKIX_DECREF(params->issuerNames);
+
+        PKIX_INCREF(names); /* if NULL, allows to reset for no action */
+
+        params->issuerNames = names;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_AddIssuerName (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_AddIssuerName(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_X500Name *name,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(COMCRLSELPARAMS, "PKIX_ComCRLSelParams_AddIssuerName");
+        PKIX_NULLCHECK_ONE(params);
+
+        if (name != NULL) {
+
+                if (params->issuerNames == NULL) {
+
+                    PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                        PKIX_LISTCREATEFAILED);
+                        params->issuerNames = list;
+                }
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                    (params->issuerNames, (PKIX_PL_Object *)name, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        }
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetCertificateChecking
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetCertificateChecking(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetCertificateChecking");
+        PKIX_NULLCHECK_TWO(params, pCert);
+
+        PKIX_INCREF(params->cert);
+
+        *pCert = params->cert;
+
+cleanup:
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetCertificateChecking
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetCertificateChecking(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Cert *cert,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetCertificateChecking");
+        PKIX_NULLCHECK_ONE(params); /* allows cert to be NULL from spec */
+
+        PKIX_DECREF(params->cert);
+
+        PKIX_INCREF(cert);
+
+        params->cert = cert;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetDateAndTime(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetDateAndTime");
+        PKIX_NULLCHECK_TWO(params, pDate);
+
+        PKIX_INCREF(params->date);
+
+        *pDate = params->date;
+
+cleanup:
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetDateAndTime(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_Date *date,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetDateAndTime");
+        PKIX_NULLCHECK_ONE(params); /* allows date to be NULL from spec */
+
+        PKIX_DECREF (params->date);
+
+        PKIX_INCREF(date);
+
+        params->date = date;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetNISTPolicyEnabled");
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->nistPolicyEnabled;
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetDateAndTime (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetNISTPolicyEnabled(
+        PKIX_ComCRLSelParams *params,
+        PKIX_Boolean enabled,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetNISTPolicyEnabled");
+        PKIX_NULLCHECK_ONE(params); /* allows date to be NULL from spec */
+
+        params->nistPolicyEnabled = enabled;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetMaxCRLNumber
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetMaxCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt **pMaxCRLNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetMaxCRLNumber");
+        PKIX_NULLCHECK_TWO(params, pMaxCRLNumber);
+
+        PKIX_INCREF(params->maxCRLNumber);
+
+        *pMaxCRLNumber = params->maxCRLNumber;
+
+cleanup:
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetMaxCRLNumber
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetMaxCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt *maxCRLNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetMaxCRLNumber");
+        PKIX_NULLCHECK_ONE(params); /* maxCRLNumber can be NULL - from spec */
+
+        PKIX_DECREF(params->maxCRLNumber);
+
+        PKIX_INCREF(maxCRLNumber);
+
+        params->maxCRLNumber = maxCRLNumber;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_GetMinCRLNumber
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_GetMinCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt **pMinCRLNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_GetMinCRLNumber");
+        PKIX_NULLCHECK_TWO(params, pMinCRLNumber);
+
+        PKIX_INCREF(params->minCRLNumber);
+
+        *pMinCRLNumber = params->minCRLNumber;
+
+cleanup:
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ComCRLSelParams_SetMinCRLNumber
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_ComCRLSelParams_SetMinCRLNumber(
+        PKIX_ComCRLSelParams *params,
+        PKIX_PL_BigInt *minCRLNumber,
+        void *plContext)
+{
+        PKIX_ENTER(COMCRLSELPARAMS,
+                    "PKIX_ComCRLSelParams_SetMinCRLNumber");
+        PKIX_NULLCHECK_ONE(params); /* minCRLNumber can be NULL - from spec */
+
+        PKIX_DECREF(params->minCRLNumber);
+
+        PKIX_INCREF(minCRLNumber);
+
+        params->minCRLNumber = minCRLNumber;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(COMCRLSELPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h
new file mode 100755
index 000000000..7b6a55f11
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_comcrlselparams.h
@@ -0,0 +1,70 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_comcrlselparams.h
+ *
+ * ComCrlSelParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_COMCRLSELPARAMS_H
+#define _PKIX_COMCRLSELPARAMS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ComCRLSelParamsStruct {
+        PKIX_List *issuerNames; /* list of PKIX_PL_X500Name */
+        PKIX_PL_Cert *cert; /* certificate being checked */
+        PKIX_PL_Date *date;
+        PKIX_Boolean nistPolicyEnabled;
+        PKIX_PL_BigInt *maxCRLNumber;
+        PKIX_PL_BigInt *minCRLNumber;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ComCRLSelParams_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_COMCRLSELPARAMS_H */
diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c
new file mode 100755
index 000000000..a81f4aca1
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.c
@@ -0,0 +1,833 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_crlselector.c
+ *
+ * CRLSelector Function Definitions
+ *
+ */
+
+#include "pkix_crlselector.h"
+
+/* --CRLSelector Private-Functions-------------------------------------- */
+
+/*
+ * FUNCTION: pkix_CRLSelector_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CRLSelector_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_CRLSelector *selector = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLSELECTOR);
+
+        selector = (PKIX_CRLSelector *)object;
+
+        selector->matchCallback = NULL;
+
+        PKIX_DECREF(selector->params);
+        PKIX_DECREF(selector->context);
+
+cleanup:
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_ToString_Helper
+ *
+ * DESCRIPTION:
+ *  Helper function that creates a string representation of CRLSelector
+ *  pointed to by "crlParams" and stores its address in the object pointed to
+ *  by "pString".
+ *
+ * PARAMETERS
+ *  "list"
+ *      Address of CRLSelector whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address of object pointer's destination. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CRLSelector_ToString_Helper(
+        PKIX_CRLSelector *crlSelector,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlSelectorString = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *crlParamsString = NULL;
+        PKIX_PL_String *crlContextString = NULL;
+        char *asciiFormat = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper");
+        PKIX_NULLCHECK_TWO(crlSelector, pString);
+        PKIX_NULLCHECK_ONE(crlSelector->params);
+
+        asciiFormat =
+                "\n\t[\n"
+                "\tMatchCallback: 0x%x\n"
+                "\tParams:          %s\n"
+                "\tContext:         %s\n"
+                "\t]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        /* Params */
+        PKIX_TOSTRING
+                    ((PKIX_PL_Object *)crlSelector->params,
+                    &crlParamsString,
+                    plContext,
+                    PKIX_COMCRLSELPARAMSTOSTRINGFAILED);
+
+        /* Context */
+        PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&crlSelectorString,
+                    plContext,
+                    formatString,
+                    crlSelector->matchCallback,
+                    crlParamsString,
+                    crlContextString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = crlSelectorString;
+
+cleanup:
+
+        PKIX_DECREF(crlParamsString);
+        PKIX_DECREF(crlContextString);
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CRLSelector_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlSelectorString = NULL;
+        PKIX_CRLSelector *crlSelector = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLSELECTOR);
+
+        crlSelector = (PKIX_CRLSelector *) object;
+
+        PKIX_CHECK(pkix_CRLSelector_ToString_Helper
+                    (crlSelector, &crlSelectorString, plContext),
+                    PKIX_CRLSELECTORTOSTRINGHELPERFAILED);
+
+        *pString = crlSelectorString;
+
+cleanup:
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CRLSelector_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 paramsHash = 0;
+        PKIX_UInt32 contextHash = 0;
+        PKIX_UInt32 hash = 0;
+
+        PKIX_CRLSelector *crlSelector = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLSELECTOR);
+
+        crlSelector = (PKIX_CRLSelector *)object;
+
+        PKIX_HASHCODE(crlSelector->params, &paramsHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
+                    (contextHash << 3)) + paramsHash;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CRLSelector_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_CRLSelector *firstCrlSelector = NULL;
+        PKIX_CRLSelector *secondCrlSelector = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CRLSelector */
+        PKIX_CHECK(pkix_CheckType
+                    (firstObject, PKIX_CRLSELECTOR_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTCRLSELECTOR);
+
+        firstCrlSelector = (PKIX_CRLSelector *)firstObject;
+        secondCrlSelector = (PKIX_CRLSelector *)secondObject;
+
+        /*
+         * Since we know firstObject is a CRLSelector, if both references are
+         * identical, they must be equal
+         */
+        if (firstCrlSelector == secondCrlSelector){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondCRLSelector isn't a CRLSelector, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    ((PKIX_PL_Object *)secondCrlSelector,
+                    &secondType,
+                    plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        if (secondType != PKIX_CRLSELECTOR_TYPE) {
+                goto cleanup;
+        }
+
+        /* Compare MatchCallback address */
+        cmpResult = (firstCrlSelector->matchCallback ==
+                    secondCrlSelector->matchCallback);
+
+        if (cmpResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        /* Compare Common CRL Selector Params */
+        PKIX_EQUALS
+                (firstCrlSelector->params,
+                secondCrlSelector->params,
+                &cmpResult,
+                plContext,
+                PKIX_COMCRLSELPARAMSEQUALSFAILED);
+
+
+        if (cmpResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        /* Compare Context */
+        PKIX_EQUALS
+                (firstCrlSelector->context,
+                secondCrlSelector->context,
+                &cmpResult,
+                plContext,
+                PKIX_COMCRLSELPARAMSEQUALSFAILED);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_Duplicate
+ * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CRLSelector_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_CRLSelector *old;
+        PKIX_CRLSelector *new;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CRLSELECTOR_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLSELECTOR);
+
+        old = (PKIX_CRLSelector *)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CRLSELECTOR_TYPE,
+                    (PKIX_UInt32)(sizeof (PKIX_CRLSelector)),
+                    (PKIX_PL_Object **)&new,
+                    plContext),
+                    PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED);
+
+        new->matchCallback = old->matchCallback;
+
+        PKIX_DUPLICATE(old->params, &new->params, plContext,
+                    PKIX_OBJECTDUPLICATEPARAMSFAILED);
+
+        PKIX_DUPLICATE(old->context, &new->context, plContext,
+                PKIX_OBJECTDUPLICATECONTEXTFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)new;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(new);
+        }
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_DefaultMatch
+ *
+ * DESCRIPTION:
+ *  This function compares the parameter values (Issuer, date, and CRL number)
+ *  set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with
+ *  the corresponding values in the CRL pointed to by "crl". When all the
+ *  criteria set in the parameter values match the values in "crl", PKIX_TRUE is
+ *  stored at "pMatch". If the CRL does not match the CRLSelector's criteria,
+ *  PKIX_FALSE is stored at "pMatch".
+ *
+ * PARAMETERS
+ *  "selector"
+ *      Address of CRLSelector which is verified for a match
+ *      Must be non-NULL.
+ *  "crl"
+ *      Address of the CRL object to be verified. Must be non-NULL.
+ *  "pMatch"
+ *      Address at which Boolean result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CRLSelector_DefaultMatch(
+        PKIX_CRLSelector *selector,
+        PKIX_PL_CRL *crl,
+        PKIX_Boolean *pMatch,
+        void *plContext)
+{
+        PKIX_ComCRLSelParams *params = NULL;
+        PKIX_PL_X500Name *crlIssuerName = NULL;
+        PKIX_PL_X500Name *issuerName = NULL;
+        PKIX_List *selIssuerNames = NULL;
+        PKIX_PL_Date *selDate = NULL;
+        PKIX_Boolean result = PKIX_TRUE;
+        PKIX_UInt32 numIssuers = 0;
+        PKIX_UInt32 i;
+        PKIX_PL_BigInt *minCRLNumber = NULL;
+        PKIX_PL_BigInt *maxCRLNumber = NULL;
+        PKIX_PL_BigInt *crlNumber = NULL;
+        PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
+        PKIX_NULLCHECK_TWO(selector, crl);
+
+        *pMatch = PKIX_TRUE;
+        params = selector->params;
+
+        /* No matching parameter provided, just a match */
+        if (params == NULL) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
+                    (params, &selIssuerNames, plContext),
+                    PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
+
+        /* Check for Issuers */
+        if (selIssuerNames != NULL){
+
+                result = PKIX_FALSE;
+
+                PKIX_CHECK(PKIX_PL_CRL_GetIssuer
+                            (crl, &crlIssuerName, plContext),
+                            PKIX_CRLGETISSUERFAILED);
+
+                PKIX_CHECK(PKIX_List_GetLength
+                            (selIssuerNames, &numIssuers, plContext),
+                            PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numIssuers; i++){
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                    (selIssuerNames,
+                                    i,
+                                    (PKIX_PL_Object **)&issuerName,
+                                    plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(PKIX_PL_X500Name_Match
+                                    (crlIssuerName,
+                                    issuerName,
+                                    &result,
+                                    plContext),
+                                    PKIX_X500NAMEMATCHFAILED);
+
+                        PKIX_DECREF(issuerName);
+
+                        if (result == PKIX_TRUE) {
+                                break;
+                        }
+                }
+
+                if (result == PKIX_FALSE) {
+                        PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\N");
+                        *pMatch = PKIX_FALSE;
+                        goto cleanup;
+                }
+
+        }
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime
+                    (params, &selDate, plContext),
+                    PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED);
+
+        /* Check for Date */
+        if (selDate != NULL){
+
+                PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
+                            (params, &nistPolicyEnabled, plContext),
+                           PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);
+
+                /* check crl dates only for if NIST policies enforced */
+                if (nistPolicyEnabled) {
+                        result = PKIX_FALSE;
+                    
+                        PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
+                                   (crl, selDate, &result, plContext),
+                                   PKIX_CRLVERIFYUPDATETIMEFAILED);
+                    
+                        if (result == PKIX_FALSE) {
+                                *pMatch = PKIX_FALSE;
+                                goto cleanup;
+                        }
+                }
+
+        }
+
+        /* Check for CRL number in range */
+        PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext),
+                    PKIX_CRLGETCRLNUMBERFAILED);
+
+        if (crlNumber != NULL) {
+                result = PKIX_FALSE;
+
+                PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber
+                            (params, &minCRLNumber, plContext),
+                            PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED);
+
+                if (minCRLNumber != NULL) {
+
+                        PKIX_CHECK(PKIX_PL_Object_Compare
+                                    ((PKIX_PL_Object *)minCRLNumber,
+                                    (PKIX_PL_Object *)crlNumber,
+                                    &result,
+                                    plContext),
+                                    PKIX_OBJECTCOMPARATORFAILED);
+
+                        if (result == 1) {
+                                PKIX_CRLSELECTOR_DEBUG
+					("CRL MinNumber Range Match Failed\n");
+                        	*pMatch = PKIX_FALSE;
+	                        goto cleanup;
+                        }
+                }
+
+                PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber
+                            (params, &maxCRLNumber, plContext),
+                            PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED);
+
+                if (maxCRLNumber != NULL) {
+
+                        PKIX_CHECK(PKIX_PL_Object_Compare
+                                    ((PKIX_PL_Object *)crlNumber,
+                                    (PKIX_PL_Object *)maxCRLNumber,
+                                    &result,
+                                    plContext),
+                                    PKIX_OBJECTCOMPARATORFAILED);
+
+                        if (result == 1) {
+                               PKIX_CRLSELECTOR_DEBUG 
+					(PKIX_CRLMAXNUMBERRANGEMATCHFAILED);
+                        	*pMatch = PKIX_FALSE;
+	                        goto cleanup;
+                        }
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(selIssuerNames);
+        PKIX_DECREF(selDate);
+        PKIX_DECREF(crlIssuerName);
+        PKIX_DECREF(issuerName);
+        PKIX_DECREF(crlNumber);
+        PKIX_DECREF(minCRLNumber);
+        PKIX_DECREF(maxCRLNumber);
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CRLSELECTOR_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_CRLSelector_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf");
+
+        entry.description = "CRLSelector";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_CRLSelector);
+        entry.destructor = pkix_CRLSelector_Destroy;
+        entry.equalsFunction = pkix_CRLSelector_Equals;
+        entry.hashcodeFunction = pkix_CRLSelector_Hashcode;
+        entry.toStringFunction = pkix_CRLSelector_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_CRLSelector_Duplicate;
+
+        systemClasses[PKIX_CRLSELECTOR_TYPE] = entry;
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/* --CRLSelector-Public-Functions---------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_CRLSelector_Create(
+        PKIX_CRLSelector_MatchCallback callback,
+        PKIX_PL_Object *crlSelectorContext,
+        PKIX_CRLSelector **pSelector,
+        void *plContext)
+{
+        PKIX_CRLSelector *selector = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create");
+        PKIX_NULLCHECK_ONE(pSelector);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CRLSELECTOR_TYPE,
+                    sizeof (PKIX_CRLSelector),
+                    (PKIX_PL_Object **)&selector,
+                    plContext),
+                    PKIX_COULDNOTCREATECRLSELECTOROBJECT);
+
+        /*
+         * if user specified a particular match callback, we use that one.
+         * otherwise, we use the default match provided.
+         */
+
+        if (callback != NULL){
+                selector->matchCallback = callback;
+        } else {
+                selector->matchCallback = pkix_CRLSelector_DefaultMatch;
+        }
+
+        /* initialize other fields */
+        selector->params = NULL;
+
+        PKIX_INCREF(crlSelectorContext);
+        selector->context = crlSelectorContext;
+
+        *pSelector = selector;
+        selector = NULL;
+
+cleanup:
+
+        PKIX_DECREF(selector);
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetMatchCallback(
+        PKIX_CRLSelector *selector,
+        PKIX_CRLSelector_MatchCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback");
+        PKIX_NULLCHECK_TWO(selector, pCallback);
+
+        *pCallback = selector->matchCallback;
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetCRLSelectorContext(
+        PKIX_CRLSelector *selector,
+        void **pCrlSelectorContext,
+        void *plContext)
+{
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext");
+        PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext);
+
+        PKIX_INCREF(selector->context);
+
+        *pCrlSelectorContext = selector->context;
+
+cleanup:
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_CRLSelector_GetCommonCRLSelectorParams(
+        PKIX_CRLSelector *selector,
+        PKIX_ComCRLSelParams **pParams,
+        void *plContext)
+{
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams");
+        PKIX_NULLCHECK_TWO(selector, pParams);
+
+        PKIX_INCREF(selector->params);
+
+        *pParams = selector->params;
+
+cleanup:
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
+ * (see comments in pkix_crlsel.h)
+ */
+PKIX_Error *
+PKIX_CRLSelector_SetCommonCRLSelectorParams(
+        PKIX_CRLSelector *selector,
+        PKIX_ComCRLSelParams *params,
+        void *plContext)
+{
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams");
+        PKIX_NULLCHECK_TWO(selector, params);
+
+        PKIX_DECREF(selector->params);
+
+        PKIX_INCREF(params);
+        selector->params = params;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)selector, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CRLSELECTOR);
+}
+
+/*
+ * FUNCTION: pkix_CRLSelector_Select
+ * DESCRIPTION:
+ *
+ *  This function applies the selector pointed to by "selector" to each CRL,
+ *  in turn, in the List pointed to by "before", and creates a List containing
+ *  all the CRLs that matched, or passed the selection process, storing that
+ *  List at "pAfter". If no CRLs match, an empty List is stored at "pAfter".
+ *
+ *  The List returned in "pAfter" is immutable.
+ *
+ * PARAMETERS:
+ *  "selector"
+ *      Address of CRLSelelector to be applied to the List. Must be non-NULL.
+ *  "before"
+ *      Address of List that is to be filtered. Must be non-NULL.
+ *  "pAfter"
+ *      Address at which resulting List, possibly empty, is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLSelector Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CRLSelector_Select(
+	PKIX_CRLSelector *selector,
+	PKIX_List *before,
+	PKIX_List **pAfter,
+	void *plContext)
+{
+	PKIX_Boolean match = PKIX_FALSE;
+	PKIX_UInt32 numBefore = 0;
+	PKIX_UInt32 i = 0;
+	PKIX_List *filtered = NULL;
+	PKIX_PL_CRL *candidate = NULL;
+
+        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select");
+        PKIX_NULLCHECK_THREE(selector, before, pAfter);
+
+        PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (i = 0; i < numBefore; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (before, i, (PKIX_PL_Object **)&candidate, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK_ONLY_FATAL(selector->matchCallback
+                        (selector, candidate, &match, plContext),
+                        PKIX_CRLSELECTORMATCHCALLBACKFAILED);
+
+                if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) {
+
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (filtered,
+                                (PKIX_PL_Object *)candidate,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                pkixTempErrorReceived = PKIX_FALSE;
+                PKIX_DECREF(candidate);
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        /* Don't throw away the list if one CRL was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        *pAfter = filtered;
+        filtered = NULL;
+
+cleanup:
+
+        PKIX_DECREF(filtered);
+        PKIX_DECREF(candidate);
+
+        PKIX_RETURN(CRLSELECTOR);
+
+}
diff --git a/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h
new file mode 100755
index 000000000..be4abf10c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/crlsel/pkix_crlselector.h
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_crlselector.h
+ *
+ * CrlSelector Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_CRLSELECTOR_H
+#define _PKIX_CRLSELECTOR_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_CRLSelectorStruct {
+        PKIX_CRLSelector_MatchCallback matchCallback;
+        PKIX_ComCRLSelParams *params;
+        PKIX_PL_Object *context;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_CRLSelector_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_CRLSelector_Select(
+	PKIX_CRLSelector *selector,
+	PKIX_List *before,
+	PKIX_List **pAfter,
+	void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_CRLSELECTOR_H */
diff --git a/security/nss/lib/libpkix/pkix/manifest.mn b/security/nss/lib/libpkix/pkix/manifest.mn
new file mode 100755
index 000000000..db157350a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/manifest.mn
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+DEPTH      = ../../../..
+
+#
+DIRS =  certsel crlsel checker params results store top util \
+	$(NULL)
+
diff --git a/security/nss/lib/libpkix/pkix/params/Makefile b/security/nss/lib/libpkix/pkix/params/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/params/config.mk b/security/nss/lib/libpkix/pkix/params/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/params/manifest.mn b/security/nss/lib/libpkix/pkix/params/manifest.mn
new file mode 100755
index 000000000..deadc6a1c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/manifest.mn
@@ -0,0 +1,62 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_procparams.h \
+	pkix_trustanchor.h \
+	pkix_valparams.h \
+	pkix_resourcelimits.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_trustanchor.c \
+	pkix_procparams.c \
+	pkix_valparams.c \
+	pkix_resourcelimits.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixparams
+
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_buildparams.c b/security/nss/lib/libpkix/pkix/params/pkix_buildparams.c
new file mode 100755
index 000000000..cba794c86
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_buildparams.c
@@ -0,0 +1,317 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_buildparams.c
+ *
+ * Build Params Object Functions
+ *
+ */
+
+#include "pkix_buildparams.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_BuildParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildParams_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_BuildParams *params = NULL;
+
+        PKIX_ENTER(BUILDPARAMS, "pkix_BuildParams_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a build params object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDPARAMS_TYPE, plContext),
+                    "Object is not a build params object");
+
+        params = (PKIX_BuildParams *)object;
+
+        PKIX_DECREF(params->procParams);
+
+cleanup:
+
+        PKIX_RETURN(BUILDPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_BuildParams_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildParams_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_BuildParams *firstBuildParams = NULL;
+        PKIX_BuildParams *secondBuildParams = NULL;
+
+        PKIX_ENTER(BUILDPARAMS, "pkix_BuildParams_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_BUILDPARAMS_TYPE, plContext),
+                    "First Argument is not a BuildParams object");
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_BUILDPARAMS_TYPE) goto cleanup;
+
+        firstBuildParams = (PKIX_BuildParams *)first;
+        secondBuildParams = (PKIX_BuildParams *)second;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *)firstBuildParams->procParams,
+                    (PKIX_PL_Object *)secondBuildParams->procParams,
+                    &cmpResult,
+                    plContext),
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(BUILDPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_BuildParams_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildParams_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_BuildParams *buildParams = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 procParamsHash = 0;
+
+        PKIX_ENTER(BUILDPARAMS, "pkix_BuildParams_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDPARAMS_TYPE, plContext),
+                    "Object is not a processingParams object");
+
+        buildParams = (PKIX_BuildParams*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *)buildParams->procParams,
+                    &procParamsHash,
+                    plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        hash = 31 * procParamsHash;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(BUILDPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_BuildParams_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildParams_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_BuildParams *buildParams = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *buildParamsString = NULL;
+
+        PKIX_PL_String *procParamsString = NULL;
+
+        PKIX_ENTER(BUILDPARAMS, "pkix_BuildParams_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTBUILDPARAMS);
+
+        asciiFormat =
+                "[\n"
+                "\tProcessing Params: \n"
+                "\t********BEGIN PROCESSING PARAMS********\n"
+                "\t\t%s\n"
+                "\t********END PROCESSING PARAMS********\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        buildParams = (PKIX_BuildParams*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object*)buildParams->procParams,
+                    &procParamsString,
+                    plContext),
+                    PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&buildParamsString,
+                    plContext,
+                    formatString,
+                    procParamsString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = buildParamsString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(procParamsString);
+
+        PKIX_RETURN(BUILDPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_BuildParams_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_BUILDPARAMS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BuildParams_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BUILDPARAMS, "pkix_BuildParams_RegisterSelf");
+
+        entry.description = "BuildParams";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_BuildParams);
+        entry.destructor = pkix_BuildParams_Destroy;
+        entry.equalsFunction = pkix_BuildParams_Equals;
+        entry.hashcodeFunction = pkix_BuildParams_Hashcode;
+        entry.toStringFunction = pkix_BuildParams_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_BUILDPARAMS_TYPE] = entry;
+
+        PKIX_RETURN(BUILDPARAMS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_BuildParams_Create (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_BuildParams_Create(
+        PKIX_ProcessingParams *procParams,
+        PKIX_BuildParams **pParams,
+        void *plContext)
+{
+        PKIX_BuildParams *params = NULL;
+
+        PKIX_ENTER(BUILDPARAMS, "PKIX_BuildParams_Create");
+        PKIX_NULLCHECK_TWO(procParams, pParams);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_BUILDPARAMS_TYPE,
+                    sizeof (PKIX_BuildParams),
+                    (PKIX_PL_Object **)&params,
+                    plContext),
+                    PKIX_COULDNOTCREATEBUILDPARAMSOBJECT);
+
+        /* initialize fields */
+        PKIX_INCREF(procParams);
+        params->procParams = procParams;
+
+        *pParams = params;
+        params = NULL;
+
+cleanup:
+
+        PKIX_DECREF(params);
+
+        PKIX_RETURN(BUILDPARAMS);
+
+}
+
+/*
+ * FUNCTION: PKIX_BuildParams_GetProcessingParams
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_BuildParams_GetProcessingParams(
+        PKIX_BuildParams *buildParams,
+        PKIX_ProcessingParams **pProcParams,
+        void *plContext)
+{
+        PKIX_ENTER(BUILDPARAMS, "PKIX_BuildParams_GetProcessingParams");
+        PKIX_NULLCHECK_TWO(buildParams, pProcParams);
+
+        PKIX_INCREF(buildParams->procParams);
+
+        *pProcParams = buildParams->procParams;
+
+cleanup:
+        PKIX_RETURN(BUILDPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_buildparams.h b/security/nss/lib/libpkix/pkix/params/pkix_buildparams.h
new file mode 100755
index 000000000..5da2bc149
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_buildparams.h
@@ -0,0 +1,65 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_buildparams.h
+ *
+ * BuildParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_BUILDPARAMS_H
+#define _PKIX_BUILDPARAMS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_BuildParamsStruct {
+        PKIX_ProcessingParams *procParams;      /* Never NULL */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_BuildParams_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BUILDPARAMS_H */
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
new file mode 100755
index 000000000..8d330d97b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
@@ -0,0 +1,1599 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_procparams.c
+ *
+ * ProcessingParams Object Functions
+ *
+ */
+
+#include "pkix_procparams.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ProcessingParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ProcessingParams_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ProcessingParams *params = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a processing params object */
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_PROCESSINGPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTPROCESSINGPARAMS);
+
+        params = (PKIX_ProcessingParams *)object;
+
+        PKIX_DECREF(params->trustAnchors);
+        PKIX_DECREF(params->hintCerts);
+        PKIX_DECREF(params->constraints);
+        PKIX_DECREF(params->date);
+        PKIX_DECREF(params->initialPolicies);
+        PKIX_DECREF(params->certChainCheckers);
+        PKIX_DECREF(params->revCheckers);
+        PKIX_DECREF(params->certStores);
+        PKIX_DECREF(params->resourceLimits);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ProcessingParams_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_ProcessingParams *firstProcParams = NULL;
+        PKIX_ProcessingParams *secondProcParams = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_PROCESSINGPARAMS_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTPROCESSINGPARAMS);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_PROCESSINGPARAMS_TYPE) goto cleanup;
+
+        firstProcParams = (PKIX_ProcessingParams *)first;
+        secondProcParams = (PKIX_ProcessingParams *)second;
+
+        /* Do the simplest tests first */
+        if ((firstProcParams->qualifiersRejected) !=
+            (secondProcParams->qualifiersRejected)) {
+                goto cleanup;
+        }
+
+        if (firstProcParams->isCrlRevocationCheckingEnabled !=
+            secondProcParams->isCrlRevocationCheckingEnabled) {
+                goto cleanup;
+        }
+        if (firstProcParams->isCrlRevocationCheckingEnabledWithNISTPolicy !=
+            secondProcParams->isCrlRevocationCheckingEnabledWithNISTPolicy) {
+                goto cleanup;
+        }
+
+        /* trustAnchors can never be NULL */
+
+        PKIX_EQUALS
+                (firstProcParams->trustAnchors,
+                secondProcParams->trustAnchors,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_EQUALS
+                (firstProcParams->hintCerts,
+                secondProcParams->hintCerts,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_EQUALS
+                (firstProcParams->date,
+                secondProcParams->date,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_EQUALS
+                (firstProcParams->constraints,
+                secondProcParams->constraints,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_EQUALS
+                (firstProcParams->initialPolicies,
+                secondProcParams->initialPolicies,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        /* There is no Equals function for CertChainCheckers */
+
+        PKIX_EQUALS
+                    ((PKIX_PL_Object *)firstProcParams->certStores,
+                    (PKIX_PL_Object *)secondProcParams->certStores,
+                    &cmpResult,
+                    plContext,
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_EQUALS
+                (firstProcParams->resourceLimits,
+                secondProcParams->resourceLimits,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (cmpResult == PKIX_FALSE) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ProcessingParams_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 anchorsHash = 0;
+        PKIX_UInt32 hintCertsHash = 0;
+        PKIX_UInt32 dateHash = 0;
+        PKIX_UInt32 constraintsHash = 0;
+        PKIX_UInt32 initialHash = 0;
+        PKIX_UInt32 rejectedHash = 0;
+        PKIX_UInt32 certChainCheckersHash = 0;
+        PKIX_UInt32 revCheckersHash = 0;
+        PKIX_UInt32 certStoresHash = 0;
+        PKIX_UInt32 resourceLimitsHash = 0;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_PROCESSINGPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTPROCESSINGPARAMS);
+
+        procParams = (PKIX_ProcessingParams*)object;
+
+        PKIX_HASHCODE(procParams->trustAnchors, &anchorsHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(procParams->hintCerts, &hintCertsHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(procParams->date, &dateHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(procParams->constraints, &constraintsHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(procParams->initialPolicies, &initialHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        rejectedHash = procParams->qualifiersRejected;
+
+        /* There is no Hash function for CertChainCheckers */
+
+        PKIX_HASHCODE(procParams->certStores, &certStoresHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE(procParams->resourceLimits,
+                &resourceLimitsHash,
+                plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        hash = (31 * ((31 * anchorsHash) + hintCertsHash + dateHash)) +
+                constraintsHash + initialHash + rejectedHash;
+
+        hash += ((((certStoresHash + resourceLimitsHash) << 7) +
+                certChainCheckersHash + revCheckersHash +
+                procParams->isCrlRevocationCheckingEnabled +
+                procParams->isCrlRevocationCheckingEnabledWithNISTPolicy) << 7);
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ProcessingParams_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ProcessingParams *procParams = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *procParamsString = NULL;
+        PKIX_PL_String *anchorsString = NULL;
+        PKIX_PL_String *dateString = NULL;
+        PKIX_PL_String *constraintsString = NULL;
+        PKIX_PL_String *InitialPoliciesString = NULL;
+        PKIX_PL_String *qualsRejectedString = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_PL_String *certStoresString = NULL;
+        PKIX_PL_String *resourceLimitsString = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_PROCESSINGPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTPROCESSINGPARAMS);
+
+        asciiFormat =
+                "[\n"
+                "\tTrust Anchors: \n"
+                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
+                "\t\t%s\n"
+                "\t********END LIST OF TRUST ANCHORS********\n"
+                "\tDate:    \t\t%s\n"
+                "\tTarget Constraints:    %s\n"
+                "\tInitial Policies:      %s\n"
+                "\tQualifiers Rejected:   %s\n"
+                "\tCert Stores:           %s\n"
+                "\tResource Limits:       %s\n"
+                "\tCRL Checking Enabled:  %d\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        procParams = (PKIX_ProcessingParams*)object;
+
+        PKIX_TOSTRING(procParams->trustAnchors, &anchorsString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(procParams->date, &dateString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(procParams->constraints, &constraintsString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (procParams->initialPolicies, &InitialPoliciesString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                (procParams->qualifiersRejected)?"TRUE":"FALSE",
+                0,
+                &qualsRejectedString,
+                plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        /* There is no ToString function for CertChainCheckers */
+
+       PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
+                (procParams, &certStores, plContext),
+                PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
+
+        PKIX_TOSTRING(certStores, &certStoresString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_TOSTRING(procParams->resourceLimits,
+                &resourceLimitsString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&procParamsString,
+                plContext,
+                formatString,
+                anchorsString,
+                dateString,
+                constraintsString,
+                InitialPoliciesString,
+                qualsRejectedString,
+                certStoresString,
+                resourceLimitsString,
+                procParams->isCrlRevocationCheckingEnabled,
+                procParams->isCrlRevocationCheckingEnabledWithNISTPolicy),
+                PKIX_SPRINTFFAILED);
+
+        *pString = procParamsString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(anchorsString);
+        PKIX_DECREF(dateString);
+        PKIX_DECREF(constraintsString);
+        PKIX_DECREF(InitialPoliciesString);
+        PKIX_DECREF(qualsRejectedString);
+        PKIX_DECREF(certStores);
+        PKIX_DECREF(certStoresString);
+        PKIX_DECREF(resourceLimitsString);
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ProcessingParams_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_ProcessingParams *params = NULL;
+        PKIX_ProcessingParams *paramsDuplicate = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_PROCESSINGPARAMS_TYPE, plContext),
+                PKIX_OBJECTNOTPROCESSINGPARAMS);
+
+        params = (PKIX_ProcessingParams *)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_PROCESSINGPARAMS_TYPE,
+                sizeof (PKIX_ProcessingParams),
+                (PKIX_PL_Object **)&paramsDuplicate,
+                plContext),
+                PKIX_PROCESSINGPARAMSCREATEFAILED);
+
+        /* initialize fields */
+        PKIX_DUPLICATE
+                (params->trustAnchors,
+                &(paramsDuplicate->trustAnchors),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->hintCerts, &(paramsDuplicate->hintCerts), plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->constraints,
+                &(paramsDuplicate->constraints),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->date, &(paramsDuplicate->date), plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->initialPolicies,
+                &(paramsDuplicate->initialPolicies),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        paramsDuplicate->initialPolicyMappingInhibit =
+                params->initialPolicyMappingInhibit;
+        paramsDuplicate->initialAnyPolicyInhibit =
+                params->initialAnyPolicyInhibit;
+        paramsDuplicate->initialExplicitPolicy = params->initialExplicitPolicy;
+        paramsDuplicate->qualifiersRejected = params->qualifiersRejected;
+
+        PKIX_DUPLICATE
+                (params->certChainCheckers,
+                &(paramsDuplicate->certChainCheckers),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->revCheckers,
+                &(paramsDuplicate->revCheckers),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->certStores, &(paramsDuplicate->certStores), plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        PKIX_DUPLICATE
+                (params->resourceLimits,
+                &(paramsDuplicate->resourceLimits),
+                plContext,
+                PKIX_OBJECTDUPLICATEFAILED);
+
+        paramsDuplicate->isCrlRevocationCheckingEnabled =
+                params->isCrlRevocationCheckingEnabled;
+
+        paramsDuplicate->isCrlRevocationCheckingEnabledWithNISTPolicy =
+                params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
+        *pNewObject = (PKIX_PL_Object *)paramsDuplicate;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(paramsDuplicate);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_PROCESSINGPARAMS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ProcessingParams_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_RegisterSelf");
+
+        entry.description = "ProcessingParams";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ProcessingParams);
+        entry.destructor = pkix_ProcessingParams_Destroy;
+        entry.equalsFunction = pkix_ProcessingParams_Equals;
+        entry.hashcodeFunction = pkix_ProcessingParams_Hashcode;
+        entry.toStringFunction = pkix_ProcessingParams_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_ProcessingParams_Duplicate;
+
+        systemClasses[PKIX_PROCESSINGPARAMS_TYPE] = entry;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_Create (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_Create(
+        PKIX_ProcessingParams **pParams,
+        void *plContext)
+{
+        PKIX_ProcessingParams *params = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_Create");
+        PKIX_NULLCHECK_ONE(pParams);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_PROCESSINGPARAMS_TYPE,
+                    sizeof (PKIX_ProcessingParams),
+                    (PKIX_PL_Object **)&params,
+                    plContext),
+                    PKIX_COULDNOTCREATEPROCESSINGPARAMSOBJECT);
+
+        /* initialize fields */
+        PKIX_CHECK(PKIX_List_Create(&params->trustAnchors, plContext),
+                   PKIX_LISTCREATEFAILED);
+        PKIX_CHECK(PKIX_List_SetImmutable(params->trustAnchors, plContext),
+                    PKIX_LISTSETIMMUTABLEFAILED);
+
+        params->hintCerts = NULL;
+        params->constraints = NULL;
+        params->date = NULL;
+        params->initialPolicies = NULL;
+        params->initialPolicyMappingInhibit = PKIX_FALSE;
+        params->initialAnyPolicyInhibit = PKIX_FALSE;
+        params->initialExplicitPolicy = PKIX_FALSE;
+        params->qualifiersRejected = PKIX_FALSE;
+        params->certChainCheckers = NULL;
+        params->revCheckers = NULL;
+        params->certStores = NULL;
+        params->resourceLimits = NULL;
+
+        params->isCrlRevocationCheckingEnabled = PKIX_TRUE;
+
+        params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
+
+        params->useAIAForCertFetching = PKIX_FALSE;
+
+        *pParams = params;
+        params = NULL;
+
+cleanup:
+
+        PKIX_DECREF(params);
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetUseAIAForCertFetching(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pUseAIA,  /* list of TrustAnchor */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_GetUseAIAForCertFetching");
+        PKIX_NULLCHECK_TWO(params, pUseAIA);
+
+        *pUseAIA = params->useAIAForCertFetching;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetUseAIAForCertFetching
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetUseAIAForCertFetching(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean useAIA,  
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetUseAIAForCertFetching");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->useAIAForCertFetching = useAIA;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_List *anchors,  /* list of TrustAnchor */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetTrustAnchors");
+        PKIX_NULLCHECK_TWO(params, anchors);
+
+        PKIX_DECREF(params->trustAnchors);
+
+        PKIX_INCREF(anchors);
+        params->trustAnchors = anchors;
+        PKIX_CHECK(PKIX_List_SetImmutable(params->trustAnchors, plContext),
+                    PKIX_LISTSETIMMUTABLEFAILED);
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetTrustAnchors
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetTrustAnchors(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pAnchors,  /* list of TrustAnchor */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_GetTrustAnchors");
+        PKIX_NULLCHECK_TWO(params, pAnchors);
+
+        PKIX_INCREF(params->trustAnchors);
+
+        *pAnchors = params->trustAnchors;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetDate (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetDate(
+        PKIX_ProcessingParams *params,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_GetDate");
+        PKIX_NULLCHECK_TWO(params, pDate);
+
+        PKIX_INCREF(params->date);
+        *pDate = params->date;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetDate (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetDate(
+        PKIX_ProcessingParams *params,
+        PKIX_PL_Date *date,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetDate");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->date);
+
+        PKIX_INCREF(date);
+        params->date = date;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->date);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetTargetCertConstraints
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetTargetCertConstraints(
+        PKIX_ProcessingParams *params,
+        PKIX_CertSelector **pConstraints,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_GetTargetCertConstraints");
+
+        PKIX_NULLCHECK_TWO(params, pConstraints);
+
+        PKIX_INCREF(params->constraints);
+        *pConstraints = params->constraints;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetTargetCertConstraints
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetTargetCertConstraints(
+        PKIX_ProcessingParams *params,
+        PKIX_CertSelector *constraints,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_SetTargetCertConstraints");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->constraints);
+
+        PKIX_INCREF(constraints);
+        params->constraints = constraints;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->constraints);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetInitialPolicies
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetInitialPolicies(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pInitPolicies, /* list of PKIX_PL_OID */
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_GetInitialPolicies");
+
+        PKIX_NULLCHECK_TWO(params, pInitPolicies);
+
+        if (params->initialPolicies == NULL) {
+                PKIX_CHECK(PKIX_List_Create
+                        (&params->initialPolicies, plContext),
+                        PKIX_UNABLETOCREATELIST);
+                PKIX_CHECK(PKIX_List_SetImmutable
+                        (params->initialPolicies, plContext),
+                        PKIX_UNABLETOMAKELISTIMMUTABLE);
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)params, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+        }
+
+        PKIX_INCREF(params->initialPolicies);
+        *pInitPolicies = params->initialPolicies;
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetInitialPolicies
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetInitialPolicies(
+        PKIX_ProcessingParams *params,
+        PKIX_List *initPolicies, /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_SetInitialPolicies");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->initialPolicies);
+
+        PKIX_INCREF(initPolicies);
+        params->initialPolicies = initPolicies;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)params, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->initialPolicies);
+        }
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetPolicyQualifiersRejected
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetPolicyQualifiersRejected(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pRejected,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_GetPolicyQualifiersRejected");
+
+        PKIX_NULLCHECK_TWO(params, pRejected);
+
+        *pRejected = params->qualifiersRejected;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetPolicyQualifiersRejected
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetPolicyQualifiersRejected(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean rejected,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_SetPolicyQualifiersRejected");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        params->qualifiersRejected = rejected;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)params, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetCertChainCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetCertChainCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pCheckers,  /* list of PKIX_CertChainChecker */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_GetCertChainCheckers");
+        PKIX_NULLCHECK_TWO(params, pCheckers);
+
+        PKIX_INCREF(params->certChainCheckers);
+        *pCheckers = params->certChainCheckers;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetCertChainCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetCertChainCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List *checkers,  /* list of PKIX_CertChainChecker */
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetCertChainCheckers");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->certChainCheckers);
+
+        PKIX_INCREF(checkers);
+        params->certChainCheckers = checkers;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)params, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->certChainCheckers);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddCertChainCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddCertChainChecker(
+        PKIX_ProcessingParams *params,
+        PKIX_CertChainChecker *checker,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_AddCertChainChecker");
+        PKIX_NULLCHECK_TWO(params, checker);
+
+        if (params->certChainCheckers == NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+                params->certChainCheckers = list;
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (params->certChainCheckers, (PKIX_PL_Object *)checker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+            ((PKIX_PL_Object *)params, plContext),
+            PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        list = NULL;
+
+cleanup:
+
+        if (list && params) {
+            PKIX_DECREF(params->certChainCheckers);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetRevocationCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetRevocationCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pCheckers,  /* list of PKIX_RevocationChecker */
+        void *plContext)
+{
+
+        PKIX_ENTER
+            (PROCESSINGPARAMS, "PKIX_ProcessingParams_GetRevocationCheckers");
+        PKIX_NULLCHECK_TWO(params, pCheckers);
+
+        if (params->revCheckers == NULL) {
+		PKIX_CHECK(PKIX_List_Create
+			(&(params->revCheckers), plContext),
+			PKIX_LISTCREATEFAILED);
+	}
+
+        PKIX_INCREF(params->revCheckers);
+
+        *pCheckers = params->revCheckers;
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetRevocationCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetRevocationCheckers(
+        PKIX_ProcessingParams *params,
+        PKIX_List *checkers,  /* list of PKIX_RevocationChecker */
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetRevocationCheckers");
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->revCheckers);
+
+        PKIX_INCREF(checkers);
+        params->revCheckers = checkers;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)params, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->revCheckers);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddRevocationCheckers
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddRevocationChecker(
+        PKIX_ProcessingParams *params,
+        PKIX_RevocationChecker *checker,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_AddRevocationChecker");
+        PKIX_NULLCHECK_TWO(params, checker);
+
+        if (params->revCheckers == NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+                params->revCheckers = list;
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (params->revCheckers, (PKIX_PL_Object *)checker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+            ((PKIX_PL_Object *)params, plContext),
+            PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        list = NULL;
+
+cleanup:
+
+        if (list && params) {
+            PKIX_DECREF(params->revCheckers);
+        }
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetCertStores
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetCertStores(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pStores,  /* list of PKIX_CertStore */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_GetCertStores");
+
+        PKIX_NULLCHECK_TWO(params, pStores);
+
+        if (!params->certStores){
+                PKIX_CHECK(PKIX_List_Create(&params->certStores, plContext),
+                            PKIX_UNABLETOCREATELIST);
+        }
+
+        PKIX_INCREF(params->certStores);
+        *pStores = params->certStores;
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetCertStores
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetCertStores(
+        PKIX_ProcessingParams *params,
+        PKIX_List *stores,  /* list of PKIX_CertStore */
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetCertStores");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->certStores);
+
+        PKIX_INCREF(stores);
+        params->certStores = stores;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)params, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->certStores);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_AddCertStore
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_AddCertStore(
+        PKIX_ProcessingParams *params,
+        PKIX_CertStore *store,
+        void *plContext)
+{
+        PKIX_List *certStores = NULL;
+
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_AddCertStore");
+        PKIX_NULLCHECK_TWO(params, store);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
+                    (params, &certStores, plContext),
+                    PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (certStores, (PKIX_PL_Object *)store, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(certStores);
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled");
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabled;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetRevocationEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetRevocationEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_SetRevocationEnabled");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->isCrlRevocationCheckingEnabled = enabled;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_GetRevocationEnabled
+ *
+ * DESCRIPTION:
+ *  Retrieves the boolean value indicating whether Revocation Checking
+ *  should be performed, from the ProcessingParams pointed to by "params",
+ *  and stores the result at "pEnable".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose revocationEnabled flag is to be
+ *      retrieved. Must be non-NULL.
+ *  "pEnable"
+ *      Address where Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ProcessingParams_GetRevocationEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "pkix_ProcessingParams_GetRevocationEnabled");
+
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabled;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_IsNISTRevocationPolicyEnabled");
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean enabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled");
+        PKIX_NULLCHECK_ONE(params);
+
+        params->isCrlRevocationCheckingEnabledWithNISTPolicy = enabled;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+ *
+ * DESCRIPTION:
+ *  Retrieves the boolean value from the ProcessingParams pointed to by
+ *  "params", and stores the result at "pEnable". The value indicates
+ *  whether Revocation Checking should be performed according to nist
+ *  revocation policy.
+ *
+ * PARAMETERS:
+ *  "params"
+ *      Address of ProcessingParams whose revocationEnabledWithNistPolicy
+ *      flag is to be retrieved. Must be non-NULL.
+ *  "pEnable"
+ *      Address where Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ProcessingParams_GetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext)
+{
+
+        PKIX_ENTER(PROCESSINGPARAMS,
+                    "pkix_ProcessingParams_GetNISTRevocationPolicyEnabled");
+
+        PKIX_NULLCHECK_TWO(params, pEnabled);
+
+        *pEnabled = params->isCrlRevocationCheckingEnabledWithNISTPolicy;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetResourceLimits
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetResourceLimits(
+        PKIX_ProcessingParams *params,
+        PKIX_ResourceLimits *resourceLimits,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_SetResourceLimits");
+
+        PKIX_NULLCHECK_TWO(params, resourceLimits);
+
+        PKIX_DECREF(params->resourceLimits);
+        PKIX_INCREF(resourceLimits);
+        params->resourceLimits = resourceLimits;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->resourceLimits);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetResourceLimits
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetResourceLimits(
+        PKIX_ProcessingParams *params,
+        PKIX_ResourceLimits **pResourceLimits,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                   "PKIX_ProcessingParams_GetResourceLimits");
+
+        PKIX_NULLCHECK_TWO(params, pResourceLimits);
+
+        PKIX_INCREF(params->resourceLimits);
+        *pResourceLimits = params->resourceLimits;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsAnyPolicyInhibited
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsAnyPolicyInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pInhibited,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_IsAnyPolicyInhibited");
+
+        PKIX_NULLCHECK_TWO(params, pInhibited);
+
+        *pInhibited = params->initialAnyPolicyInhibit;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetAnyPolicyInhibited
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetAnyPolicyInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean inhibited,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_SetAnyPolicyInhibited");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        params->initialAnyPolicyInhibit = inhibited;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsExplicitPolicyRequired
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsExplicitPolicyRequired(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pRequired,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_IsExplicitPolicyRequired");
+
+        PKIX_NULLCHECK_TWO(params, pRequired);
+
+        *pRequired = params->initialExplicitPolicy;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetExplicitPolicyRequired
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetExplicitPolicyRequired(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean required,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_SetExplicitPolicyRequired");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        params->initialExplicitPolicy = required;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_IsPolicyMappingInhibited
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_IsPolicyMappingInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pInhibited,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_IsPolicyMappingInhibited");
+
+        PKIX_NULLCHECK_TWO(params, pInhibited);
+
+        *pInhibited = params->initialPolicyMappingInhibit;
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetPolicyMappingInhibited
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetPolicyMappingInhibited(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean inhibited,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS,
+                "PKIX_ProcessingParams_SetPolicyMappingInhibited");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        params->initialPolicyMappingInhibit = inhibited;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)params, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_SetHintCerts
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_SetHintCerts(
+        PKIX_ProcessingParams *params,
+        PKIX_List *hintCerts,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_SetHintCerts");
+
+        PKIX_NULLCHECK_ONE(params);
+
+        PKIX_DECREF(params->hintCerts);
+        PKIX_INCREF(hintCerts);
+        params->hintCerts = hintCerts;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED && params) {
+            PKIX_DECREF(params->hintCerts);
+        }
+
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ProcessingParams_GetHintCerts
+ * (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ProcessingParams_GetHintCerts(
+        PKIX_ProcessingParams *params,
+        PKIX_List **pHintCerts,
+        void *plContext)
+{
+        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_GetHintCerts");
+
+        PKIX_NULLCHECK_TWO(params, pHintCerts);
+
+        PKIX_INCREF(params->hintCerts);
+        *pHintCerts = params->hintCerts;
+
+cleanup:
+        PKIX_RETURN(PROCESSINGPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_procparams.h b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
new file mode 100755
index 000000000..6367fefb3
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h
@@ -0,0 +1,93 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_procparams.h
+ *
+ * ProcessingParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PROCESSINGPARAMS_H
+#define _PKIX_PROCESSINGPARAMS_H
+
+#include "pkix_tools.h"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ProcessingParamsStruct {
+        PKIX_List *trustAnchors;        /* Never NULL */
+        PKIX_List *hintCerts;	/* user-supplied partial chain, may be NULL */
+        PKIX_CertSelector *constraints;
+        PKIX_PL_Date *date;
+        PKIX_List *initialPolicies;     /* list of PKIX_PL_OID */
+        PKIX_Boolean initialPolicyMappingInhibit;
+        PKIX_Boolean initialAnyPolicyInhibit;
+        PKIX_Boolean initialExplicitPolicy;
+        PKIX_Boolean qualifiersRejected;
+        PKIX_List *certChainCheckers;
+        PKIX_List *revCheckers;
+        PKIX_List *certStores;
+        PKIX_Boolean isCrlRevocationCheckingEnabled;
+        PKIX_Boolean isCrlRevocationCheckingEnabledWithNISTPolicy;
+        PKIX_ResourceLimits *resourceLimits;
+        PKIX_Boolean useAIAForCertFetching;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ProcessingParams_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_ProcessingParams_GetRevocationEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+PKIX_Error *
+pkix_ProcessingParams_GetNISTRevocationPolicyEnabled(
+        PKIX_ProcessingParams *params,
+        PKIX_Boolean *pEnabled,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PROCESSINGPARAMS_H */
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.c b/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.c
new file mode 100755
index 000000000..2a3a14b2b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.c
@@ -0,0 +1,466 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_resourcelimits.c
+ *
+ * Resourcelimits Params Object Functions
+ *
+ */
+
+#include "pkix_resourcelimits.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ResourceLimits_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ResourceLimits_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ResourceLimits *rLimits = NULL;
+
+        PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a ResourceLimits object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_RESOURCELIMITS_TYPE, plContext),
+                    PKIX_OBJECTNOTRESOURCELIMITS);
+
+        rLimits = (PKIX_ResourceLimits *)object;
+
+        rLimits->maxTime = 0;
+        rLimits->maxFanout = 0;
+        rLimits->maxDepth = 0;
+        rLimits->maxCertsNumber = 0;
+        rLimits->maxCrlsNumber = 0;
+
+cleanup:
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: pkix_ResourceLimits_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ResourceLimits_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_ResourceLimits *firstRLimits = NULL;
+        PKIX_ResourceLimits *secondRLimits = NULL;
+
+        PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_RESOURCELIMITS_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTRESOURCELIMITS);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_RESOURCELIMITS_TYPE) goto cleanup;
+
+        firstRLimits = (PKIX_ResourceLimits *)first;
+        secondRLimits = (PKIX_ResourceLimits *)second;
+
+        cmpResult = (firstRLimits->maxTime == secondRLimits->maxTime) &&
+                    (firstRLimits->maxFanout == secondRLimits->maxFanout) &&
+                    (firstRLimits->maxDepth == secondRLimits->maxDepth) &&
+                    (firstRLimits->maxCertsNumber == 
+                        secondRLimits->maxCertsNumber) &&
+                    (firstRLimits->maxCrlsNumber == 
+                        secondRLimits->maxCrlsNumber);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: pkix_ResourceLimits_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ResourceLimits_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_ResourceLimits *rLimits = NULL;
+        PKIX_UInt32 hash = 0;
+
+        PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_RESOURCELIMITS_TYPE, plContext),
+                    PKIX_OBJECTNOTRESOURCELIMITS);
+
+        rLimits = (PKIX_ResourceLimits*)object;
+
+        hash = 31 * rLimits->maxTime + (rLimits->maxFanout << 1) +
+                (rLimits->maxDepth << 2) + (rLimits->maxCertsNumber << 3) +
+                rLimits->maxCrlsNumber;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: pkix_ResourceLimits_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ResourceLimits_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ResourceLimits *rLimits = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *rLimitsString = NULL;
+
+        PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_RESOURCELIMITS_TYPE, plContext),
+                    PKIX_OBJECTNOTRESOURCELIMITS);
+
+        /* maxCertsNumber and maxCrlsNumber are not supported */
+        asciiFormat =
+                "[\n"
+                "\tMaxTime:           \t\t%d\n"
+                "\tMaxFanout:         \t\t%d\n"
+                "\tMaxDepth:         \t\t%d\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        rLimits = (PKIX_ResourceLimits*)object;
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&rLimitsString,
+                    plContext,
+                    formatString,
+                    rLimits->maxTime,
+                    rLimits->maxFanout,
+                    rLimits->maxDepth),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = rLimitsString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: pkix_ResourceLimits_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_RESOURCELIMITS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ResourceLimits_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_RegisterSelf");
+
+        entry.description = "ResourceLimits";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ResourceLimits);
+        entry.destructor = pkix_ResourceLimits_Destroy;
+        entry.equalsFunction = pkix_ResourceLimits_Equals;
+        entry.hashcodeFunction = pkix_ResourceLimits_Hashcode;
+        entry.toStringFunction = pkix_ResourceLimits_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_RESOURCELIMITS_TYPE] = entry;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_Create (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_Create(
+        PKIX_ResourceLimits **pResourceLimits,
+        void *plContext)
+{
+        PKIX_ResourceLimits *rLimits = NULL;
+
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_Create");
+        PKIX_NULLCHECK_ONE(pResourceLimits);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_RESOURCELIMITS_TYPE,
+                    sizeof (PKIX_ResourceLimits),
+                    (PKIX_PL_Object **)&rLimits,
+                    plContext),
+                    PKIX_COULDNOTCREATERESOURCELIMITOBJECT);
+
+        /* initialize fields */
+        rLimits->maxTime = 0;
+        rLimits->maxFanout = 0;
+        rLimits->maxDepth = 0;
+        rLimits->maxCertsNumber = 0;
+        rLimits->maxCrlsNumber = 0;
+
+        *pResourceLimits = rLimits;
+
+cleanup:
+
+        PKIX_RETURN(RESOURCELIMITS);
+
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxTime
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxTime(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 *pMaxTime,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_GetMaxTime");
+        PKIX_NULLCHECK_TWO(rLimits, pMaxTime);
+
+        *pMaxTime = rLimits->maxTime;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxTime
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxTime(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 maxTime,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_SetMaxTime");
+        PKIX_NULLCHECK_ONE(rLimits);
+
+        rLimits->maxTime = maxTime;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxFanout
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxFanout(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 *pMaxFanout,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_GetMaxFanout");
+        PKIX_NULLCHECK_TWO(rLimits, pMaxFanout);
+
+        *pMaxFanout = rLimits->maxFanout;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxFanout
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxFanout(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 maxFanout,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_SetMaxFanout");
+        PKIX_NULLCHECK_ONE(rLimits);
+
+        rLimits->maxFanout = maxFanout;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxDepth
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxDepth(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 *pMaxDepth,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_GetMaxDepth");
+        PKIX_NULLCHECK_TWO(rLimits, pMaxDepth);
+
+        *pMaxDepth = rLimits->maxDepth;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxDepth
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxDepth(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 maxDepth,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_SetMaxDepth");
+        PKIX_NULLCHECK_ONE(rLimits);
+
+        rLimits->maxDepth = maxDepth;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCerts
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxNumberOfCerts(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 *pMaxNumber,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_GetMaxNumberOfCerts");
+        PKIX_NULLCHECK_TWO(rLimits, pMaxNumber);
+
+        *pMaxNumber = rLimits->maxCertsNumber;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCerts
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxNumberOfCerts(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 maxNumber,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_SetMaxNumberOfCerts");
+        PKIX_NULLCHECK_ONE(rLimits);
+
+        rLimits->maxCertsNumber = maxNumber;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_GetMaxNumberOfCRLs
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_GetMaxNumberOfCRLs(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 *pMaxNumber,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_GetMaxNumberOfCRLs");
+        PKIX_NULLCHECK_TWO(rLimits, pMaxNumber);
+
+        *pMaxNumber = rLimits->maxCrlsNumber;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
+
+/*
+ * FUNCTION: PKIX_ResourceLimits_SetMaxNumberOfCRLs
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ResourceLimits_SetMaxNumberOfCRLs(
+        PKIX_ResourceLimits *rLimits,
+        PKIX_UInt32 maxNumber,
+        void *plContext)
+{
+        PKIX_ENTER(RESOURCELIMITS, "PKIX_ResourceLimits_SetMaxNumberOfCRLs");
+        PKIX_NULLCHECK_ONE(rLimits);
+
+        rLimits->maxCrlsNumber = maxNumber;
+
+        PKIX_RETURN(RESOURCELIMITS);
+}
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.h b/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.h
new file mode 100755
index 000000000..8788f4dff
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_resourcelimits.h
@@ -0,0 +1,69 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_resourcelimits.h
+ *
+ * ResourceLimits Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_RESOURCELIMITS_H
+#define _PKIX_RESOURCELIMITS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ResourceLimitsStruct {
+        PKIX_UInt32 maxTime;
+        PKIX_UInt32 maxFanout;
+        PKIX_UInt32 maxDepth;
+        PKIX_UInt32 maxCertsNumber;
+        PKIX_UInt32 maxCrlsNumber;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ResourceLimits_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_RESOURCELIMITS_H */
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
new file mode 100755
index 000000000..5a8507e46
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
@@ -0,0 +1,540 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_trustanchor.c
+ *
+ * TrustAnchor Object Functions
+ *
+ */
+
+#include "pkix_trustanchor.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_TrustAnchor_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_TrustAnchor_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+
+        PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a trust anchor */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
+                    PKIX_OBJECTNOTTRUSTANCHOR);
+
+        anchor = (PKIX_TrustAnchor *)object;
+
+        PKIX_DECREF(anchor->trustedCert);
+        PKIX_DECREF(anchor->caName);
+        PKIX_DECREF(anchor->caPubKey);
+        PKIX_DECREF(anchor->nameConstraints);
+
+cleanup:
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: pkix_TrustAnchor_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_TrustAnchor_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_TrustAnchor *firstAnchor = NULL;
+        PKIX_TrustAnchor *secondAnchor = NULL;
+        PKIX_PL_Cert *firstCert = NULL;
+        PKIX_PL_Cert *secondCert = NULL;
+
+        PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_TRUSTANCHOR_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTTRUSTANCHOR);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_TRUSTANCHOR_TYPE) goto cleanup;
+
+        firstAnchor = (PKIX_TrustAnchor *)first;
+        secondAnchor = (PKIX_TrustAnchor *)second;
+
+        firstCert = firstAnchor->trustedCert;
+        secondCert = secondAnchor->trustedCert;
+
+        if ((firstCert && !secondCert) || (!firstCert && secondCert)){
+                goto cleanup;
+        }
+
+        if (firstCert && secondCert){
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)firstCert,
+                            (PKIX_PL_Object *)secondCert,
+                            &cmpResult,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+        } else {
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)firstAnchor->caName,
+                            (PKIX_PL_Object *)secondAnchor->caName,
+                            &cmpResult,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+
+                if (!cmpResult) goto cleanup;
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)firstAnchor->caPubKey,
+                            (PKIX_PL_Object *)secondAnchor->caPubKey,
+                            &cmpResult,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+
+                if (!cmpResult) goto cleanup;
+
+                PKIX_EQUALS
+                        (firstAnchor->nameConstraints,
+                        secondAnchor->nameConstraints,
+                        &cmpResult,
+                        plContext,
+                        PKIX_OBJECTEQUALSFAILED);
+
+                if (!cmpResult) goto cleanup;
+
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: pkix_TrustAnchor_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_TrustAnchor_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 certHash = 0;
+        PKIX_UInt32 nameHash = 0;
+        PKIX_UInt32 pubKeyHash = 0;
+        PKIX_UInt32 ncHash = 0;
+
+        PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
+                    PKIX_OBJECTNOTTRUSTANCHOR);
+
+        anchor = (PKIX_TrustAnchor*)object;
+        cert = anchor->trustedCert;
+
+        if (cert){
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object *)cert,
+                            &certHash,
+                            plContext),
+                            PKIX_OBJECTHASHCODEFAILED);
+
+                hash = certHash;
+
+        } else {
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object *)anchor->caName,
+                            &nameHash,
+                            plContext),
+                            PKIX_OBJECTHASHCODEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object *)anchor->caPubKey,
+                            &pubKeyHash,
+                            plContext),
+                            PKIX_OBJECTHASHCODEFAILED);
+
+                PKIX_HASHCODE(anchor->nameConstraints, &ncHash, plContext,
+                        PKIX_OBJECTHASHCODEFAILED);
+
+                hash = 31 * nameHash + pubKeyHash + ncHash;
+
+        }
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: pkix_TrustAnchor_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_TrustAnchor_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *anchorString = NULL;
+        PKIX_PL_String *certString = NULL;
+        PKIX_PL_String *nameString = NULL;
+        PKIX_PL_String *pubKeyString = NULL;
+        PKIX_PL_String *nameConstraintsString = NULL;
+
+        PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
+                    PKIX_OBJECTNOTTRUSTANCHOR);
+
+        anchor = (PKIX_TrustAnchor*)object;
+
+        if (anchor->trustedCert){
+                asciiFormat =
+                        "[\n"
+                        "\tTrusted Cert:	%s\n"
+                        "]\n";
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII,
+                            asciiFormat,
+                            0,
+                            &formatString,
+                            plContext),
+                            PKIX_STRINGCREATEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object *)anchor->trustedCert,
+                            &certString,
+                            plContext),
+                            PKIX_OBJECTTOSTRINGFAILED);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&anchorString,
+                            plContext,
+                            formatString,
+                            certString),
+                            PKIX_SPRINTFFAILED);
+        } else {
+                asciiFormat =
+                        "[\n"
+                        "\tTrusted CA Name:         %s\n"
+                        "\tTrusted CA PublicKey:    %s\n"
+                        "\tInitial Name Constraints:%s\n"
+                        "]\n";
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII,
+                            asciiFormat,
+                            0,
+                            &formatString,
+                            plContext),
+                            PKIX_STRINGCREATEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object *)anchor->caName,
+                            &nameString,
+                            plContext),
+                            PKIX_OBJECTTOSTRINGFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object *)anchor->caPubKey,
+                            &pubKeyString,
+                            plContext),
+                            PKIX_OBJECTTOSTRINGFAILED);
+
+                PKIX_TOSTRING
+                        (anchor->nameConstraints,
+                        &nameConstraintsString,
+                        plContext,
+                        PKIX_OBJECTTOSTRINGFAILED);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&anchorString,
+                            plContext,
+                            formatString,
+                            nameString,
+                            pubKeyString,
+                            nameConstraintsString),
+                            PKIX_SPRINTFFAILED);
+        }
+
+        *pString = anchorString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(certString);
+        PKIX_DECREF(nameString);
+        PKIX_DECREF(pubKeyString);
+        PKIX_DECREF(nameConstraintsString);
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: pkix_TrustAnchor_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_TRUSTANCHOR_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_TrustAnchor_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_RegisterSelf");
+
+        entry.description = "TrustAnchor";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_TrustAnchor);
+        entry.destructor = pkix_TrustAnchor_Destroy;
+        entry.equalsFunction = pkix_TrustAnchor_Equals;
+        entry.hashcodeFunction = pkix_TrustAnchor_Hashcode;
+        entry.toStringFunction = pkix_TrustAnchor_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_TRUSTANCHOR_TYPE] = entry;
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_CreateWithCert (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_CreateWithCert(
+        PKIX_PL_Cert *cert,
+        PKIX_TrustAnchor **pAnchor,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_CreateWithCert");
+        PKIX_NULLCHECK_TWO(cert, pAnchor);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_TRUSTANCHOR_TYPE,
+                    sizeof (PKIX_TrustAnchor),
+                    (PKIX_PL_Object **)&anchor,
+                    plContext),
+                    PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
+
+        /* initialize fields */
+        PKIX_INCREF(cert);
+        anchor->trustedCert = cert;
+
+        anchor->caName = NULL;
+        anchor->caPubKey = NULL;
+        anchor->nameConstraints = NULL;
+
+        *pAnchor = anchor;
+        anchor = NULL;
+
+cleanup:
+
+        PKIX_DECREF(anchor);
+
+        PKIX_RETURN(TRUSTANCHOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_CreateWithNameKeyPair
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_CreateWithNameKeyPair(
+        PKIX_PL_X500Name *name,
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_TrustAnchor **pAnchor,
+        void *plContext)
+{
+        PKIX_TrustAnchor *anchor = NULL;
+
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_CreateWithNameKeyPair");
+        PKIX_NULLCHECK_THREE(name, pubKey, pAnchor);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_TRUSTANCHOR_TYPE,
+                    sizeof (PKIX_TrustAnchor),
+                    (PKIX_PL_Object **)&anchor,
+                    plContext),
+                    PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
+
+        /* initialize fields */
+        anchor->trustedCert = NULL;
+
+        PKIX_INCREF(name);
+        anchor->caName = name;
+
+        PKIX_INCREF(pubKey);
+        anchor->caPubKey = pubKey;
+
+        PKIX_INCREF(nameConstraints);
+        anchor->nameConstraints = nameConstraints;
+
+        *pAnchor = anchor;
+        anchor = NULL;
+cleanup:
+
+        PKIX_DECREF(anchor);
+
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetTrustedCert (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetTrustedCert(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetTrustedCert");
+        PKIX_NULLCHECK_TWO(anchor, pCert);
+
+        PKIX_INCREF(anchor->trustedCert);
+
+        *pCert = anchor->trustedCert;
+
+cleanup:
+        PKIX_RETURN(TRUSTANCHOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetCAName (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetCAName(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_X500Name **pCAName,
+        void *plContext)
+{
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetCAName");
+        PKIX_NULLCHECK_TWO(anchor, pCAName);
+
+        PKIX_INCREF(anchor->caName);
+
+        *pCAName = anchor->caName;
+
+cleanup:
+        PKIX_RETURN(TRUSTANCHOR);
+
+}
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetCAPublicKey (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetCAPublicKey(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_PublicKey **pPubKey,
+        void *plContext)
+{
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetCAPublicKey");
+        PKIX_NULLCHECK_TWO(anchor, pPubKey);
+
+        PKIX_INCREF(anchor->caPubKey);
+
+        *pPubKey = anchor->caPubKey;
+
+cleanup:
+        PKIX_RETURN(TRUSTANCHOR);
+}
+
+/*
+ * FUNCTION: PKIX_TrustAnchor_GetNameConstraints
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_TrustAnchor_GetNameConstraints(
+        PKIX_TrustAnchor *anchor,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_ENTER(TRUSTANCHOR, "PKIX_TrustAnchor_GetNameConstraints");
+        PKIX_NULLCHECK_TWO(anchor, pNameConstraints);
+
+        PKIX_INCREF(anchor->nameConstraints);
+
+        *pNameConstraints = anchor->nameConstraints;
+
+cleanup:
+        PKIX_RETURN(TRUSTANCHOR);
+}
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.h b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.h
new file mode 100755
index 000000000..06ec97d0c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.h
@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_trustanchor.h
+ *
+ * TrustAnchor Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_TRUSTANCHOR_H
+#define _PKIX_TRUSTANCHOR_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_TrustAnchorStruct {
+        PKIX_PL_Cert *trustedCert;
+        PKIX_PL_X500Name *caName;
+        PKIX_PL_PublicKey *caPubKey;
+        PKIX_PL_CertNameConstraints *nameConstraints;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_TrustAnchor_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_TRUSTANCHOR_H */
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_valparams.c b/security/nss/lib/libpkix/pkix/params/pkix_valparams.c
new file mode 100755
index 000000000..d45b8b720
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_valparams.c
@@ -0,0 +1,368 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_valparams.c
+ *
+ * Validate Params Object Functions
+ *
+ */
+
+#include "pkix_valparams.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ValidateParams_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateParams_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ValidateParams *params = NULL;
+
+        PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a validate params object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATEPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTVALIDATEPARAMS);
+
+        params = (PKIX_ValidateParams *)object;
+
+        PKIX_DECREF(params->procParams);
+        PKIX_DECREF(params->chain);
+
+cleanup:
+
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ValidateParams_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateParams_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_ValidateParams *firstValParams = NULL;
+        PKIX_ValidateParams *secondValParams = NULL;
+
+        PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_VALIDATEPARAMS_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTVALIDATEPARAMS);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_VALIDATEPARAMS_TYPE) goto cleanup;
+
+        firstValParams = (PKIX_ValidateParams *)first;
+        secondValParams = (PKIX_ValidateParams *)second;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *)firstValParams->procParams,
+                    (PKIX_PL_Object *)secondValParams->procParams,
+                    &cmpResult,
+                    plContext),
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *)firstValParams->chain,
+                    (PKIX_PL_Object *)secondValParams->chain,
+                    &cmpResult,
+                    plContext),
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ValidateParams_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateParams_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_ValidateParams *valParams = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 procParamsHash = 0;
+        PKIX_UInt32 chainHash = 0;
+
+        PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATEPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTVALIDATEPARAMS);
+
+        valParams = (PKIX_ValidateParams*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *)valParams->procParams,
+                    &procParamsHash,
+                    plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *)valParams->chain,
+                    &chainHash,
+                    plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        hash = 31 * procParamsHash + chainHash;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ValidateParams_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateParams_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ValidateParams *valParams = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *valParamsString = NULL;
+
+        PKIX_PL_String *procParamsString = NULL;
+        PKIX_PL_String *chainString = NULL;
+
+        PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATEPARAMS_TYPE, plContext),
+                    PKIX_OBJECTNOTVALIDATEPARAMS);
+
+        asciiFormat =
+                "[\n"
+                "\tProcessing Params: \n"
+                "\t********BEGIN PROCESSING PARAMS********\n"
+                "\t\t%s\n"
+                "\t********END PROCESSING PARAMS********\n"
+                "\tChain:    \t\t%s\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        valParams = (PKIX_ValidateParams*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object*)valParams->procParams,
+                    &procParamsString,
+                    plContext),
+                    PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object *)valParams->chain,
+                    &chainString,
+                    plContext),
+                    PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&valParamsString,
+                    plContext,
+                    formatString,
+                    procParamsString,
+                    chainString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = valParamsString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(procParamsString);
+        PKIX_DECREF(chainString);
+
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/*
+ * FUNCTION: pkix_ValidateParams_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_VALIDATEPARAMS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ValidateParams_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(VALIDATEPARAMS, "pkix_ValidateParams_RegisterSelf");
+
+        entry.description = "ValidateParams";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ValidateParams);
+        entry.destructor = pkix_ValidateParams_Destroy;
+        entry.equalsFunction = pkix_ValidateParams_Equals;
+        entry.hashcodeFunction = pkix_ValidateParams_Hashcode;
+        entry.toStringFunction = pkix_ValidateParams_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_VALIDATEPARAMS_TYPE] = entry;
+
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ValidateParams_Create (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ValidateParams_Create(
+        PKIX_ProcessingParams *procParams,
+        PKIX_List *chain,
+        PKIX_ValidateParams **pParams,
+        void *plContext)
+{
+        PKIX_ValidateParams *params = NULL;
+
+        PKIX_ENTER(VALIDATEPARAMS, "PKIX_ValidateParams_Create");
+        PKIX_NULLCHECK_THREE(procParams, chain, pParams);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_VALIDATEPARAMS_TYPE,
+                    sizeof (PKIX_ValidateParams),
+                    (PKIX_PL_Object **)&params,
+                    plContext),
+                    PKIX_COULDNOTCREATEVALIDATEPARAMSOBJECT);
+
+        /* initialize fields */
+        PKIX_INCREF(procParams);
+        params->procParams = procParams;
+
+        PKIX_INCREF(chain);
+        params->chain = chain;
+
+        *pParams = params;
+        params = NULL;
+
+cleanup:
+
+        PKIX_DECREF(params);
+
+        PKIX_RETURN(VALIDATEPARAMS);
+
+}
+
+/*
+ * FUNCTION: PKIX_ValidateParams_GetProcessingParams
+ *      (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ValidateParams_GetProcessingParams(
+        PKIX_ValidateParams *valParams,
+        PKIX_ProcessingParams **pProcParams,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATEPARAMS, "PKIX_ValidateParams_GetProcessingParams");
+        PKIX_NULLCHECK_TWO(valParams, pProcParams);
+
+        PKIX_INCREF(valParams->procParams);
+
+        *pProcParams = valParams->procParams;
+
+cleanup:
+        PKIX_RETURN(VALIDATEPARAMS);
+}
+
+/*
+ * FUNCTION: PKIX_ValidateParams_GetCertChain (see comments in pkix_params.h)
+ */
+PKIX_Error *
+PKIX_ValidateParams_GetCertChain(
+        PKIX_ValidateParams *valParams,
+        PKIX_List **pChain,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATEPARAMS, "PKIX_ValidateParams_GetCertChain");
+        PKIX_NULLCHECK_TWO(valParams, pChain);
+
+        PKIX_INCREF(valParams->chain);
+
+        *pChain = valParams->chain;
+
+cleanup:
+        PKIX_RETURN(VALIDATEPARAMS);
+}
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_valparams.h b/security/nss/lib/libpkix/pkix/params/pkix_valparams.h
new file mode 100755
index 000000000..7f908645e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/params/pkix_valparams.h
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_valparams.h
+ *
+ * ValidateParams Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_VALIDATEPARAMS_H
+#define _PKIX_VALIDATEPARAMS_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ValidateParamsStruct {
+        PKIX_ProcessingParams *procParams;      /* Never NULL */
+        PKIX_List *chain;                       /* Never NULL */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_ValidateParams_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_VALIDATEPARAMS_H */
diff --git a/security/nss/lib/libpkix/pkix/results/Makefile b/security/nss/lib/libpkix/pkix/results/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/results/config.mk b/security/nss/lib/libpkix/pkix/results/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/results/manifest.mn b/security/nss/lib/libpkix/pkix/results/manifest.mn
new file mode 100755
index 000000000..bcc975800
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/manifest.mn
@@ -0,0 +1,62 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_buildresult.h \
+	pkix_policynode.h \
+	pkix_valresult.h \
+	pkix_verifynode.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_buildresult.c \
+	pkix_policynode.c \
+	pkix_valresult.c \
+	pkix_verifynode.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixresults
+
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_buildresult.c b/security/nss/lib/libpkix/pkix/results/pkix_buildresult.c
new file mode 100755
index 000000000..95683f16e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_buildresult.c
@@ -0,0 +1,395 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_buildresult.c
+ *
+ * BuildResult Object Functions
+ *
+ */
+
+#include "pkix_buildresult.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_BuildResult_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildResult_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_BuildResult *result = NULL;
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a build result object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDRESULT_TYPE, plContext),
+                    PKIX_OBJECTNOTBUILDRESULT);
+
+        result = (PKIX_BuildResult *)object;
+
+        PKIX_DECREF(result->valResult);
+        PKIX_DECREF(result->certChain);
+
+cleanup:
+
+        PKIX_RETURN(BUILDRESULT);
+}
+
+/*
+ * FUNCTION: pkix_BuildResult_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildResult_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_BuildResult *firstBuildResult = NULL;
+        PKIX_BuildResult *secondBuildResult = NULL;
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_BUILDRESULT_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTBUILDRESULT);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_BUILDRESULT_TYPE) goto cleanup;
+
+        firstBuildResult = (PKIX_BuildResult *)first;
+        secondBuildResult = (PKIX_BuildResult *)second;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *)firstBuildResult->valResult,
+                    (PKIX_PL_Object *)secondBuildResult->valResult,
+                    &cmpResult,
+                    plContext),
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *)firstBuildResult->certChain,
+                    (PKIX_PL_Object *)secondBuildResult->certChain,
+                    &cmpResult,
+                    plContext),
+                    PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        /*
+         * The remaining case is that both are null,
+         * which we consider equality.
+         *      cmpResult = PKIX_TRUE;
+         */
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(BUILDRESULT);
+}
+
+/*
+ * FUNCTION: pkix_BuildResult_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildResult_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 valResultHash = 0;
+        PKIX_UInt32 certChainHash = 0;
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDRESULT_TYPE, plContext),
+                    PKIX_OBJECTNOTBUILDRESULT);
+
+        buildResult = (PKIX_BuildResult*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *)buildResult->valResult,
+                    &valResultHash,
+                    plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *)buildResult->certChain,
+                    &certChainHash,
+                    plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        hash = 31*(31 * valResultHash + certChainHash);
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(BUILDRESULT);
+}
+
+/*
+ * FUNCTION: pkix_BuildResult_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BuildResult_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *buildResultString = NULL;
+
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_List *certChain = NULL;
+
+        PKIX_PL_String *valResultString = NULL;
+        PKIX_PL_String *certChainString = NULL;
+
+        char *asciiFormat =
+                "[\n"
+                "\tValidateResult: \t\t%s"
+                "\tCertChain:    \t\t%s\n"
+                "]\n";
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BUILDRESULT_TYPE, plContext),
+                PKIX_OBJECTNOTBUILDRESULT);
+
+        buildResult = (PKIX_BuildResult*)object;
+
+        valResult = buildResult->valResult;
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)valResult, &valResultString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        certChain = buildResult->certChain;
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)certChain, &certChainString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&buildResultString,
+                plContext,
+                formatString,
+                valResultString,
+                certChainString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = buildResultString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(valResultString);
+        PKIX_DECREF(certChainString);
+
+        PKIX_RETURN(BUILDRESULT);
+}
+
+/*
+ * FUNCTION: pkix_BuildResult_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_BUILDRESULT_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_BuildResult_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_RegisterSelf");
+
+        entry.description = "BuildResult";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_BuildResult);
+        entry.destructor = pkix_BuildResult_Destroy;
+        entry.equalsFunction = pkix_BuildResult_Equals;
+        entry.hashcodeFunction = pkix_BuildResult_Hashcode;
+        entry.toStringFunction = pkix_BuildResult_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_BUILDRESULT_TYPE] = entry;
+
+        PKIX_RETURN(BUILDRESULT);
+}
+
+/*
+ * FUNCTION: pkix_BuildResult_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new BuildResult Object using the ValidateResult pointed to by
+ *  "valResult" and the List pointed to by "certChain", and stores it at
+ *  "pResult".
+ *
+ * PARAMETERS
+ *  "valResult"
+ *      Address of ValidateResult component. Must be non-NULL.
+ *  "certChain
+ *      Address of List component. Must be non-NULL.
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_BuildResult_Create(
+        PKIX_ValidateResult *valResult,
+        PKIX_List *certChain,
+        PKIX_BuildResult **pResult,
+        void *plContext)
+{
+        PKIX_BuildResult *result = NULL;
+
+        PKIX_ENTER(BUILDRESULT, "pkix_BuildResult_Create");
+        PKIX_NULLCHECK_THREE(valResult, certChain, pResult);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_BUILDRESULT_TYPE,
+                    sizeof (PKIX_BuildResult),
+                    (PKIX_PL_Object **)&result,
+                    plContext),
+                    PKIX_COULDNOTCREATEBUILDRESULTOBJECT);
+
+        /* initialize fields */
+
+        PKIX_INCREF(valResult);
+        result->valResult = valResult;
+
+        PKIX_INCREF(certChain);
+        result->certChain = certChain;
+
+        PKIX_CHECK(PKIX_List_SetImmutable(result->certChain, plContext),
+                     PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pResult = result;
+        result = NULL;
+
+cleanup:
+
+        PKIX_DECREF(result);
+
+        PKIX_RETURN(BUILDRESULT);
+
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+
+/*
+ * FUNCTION: PKIX_BuildResult_GetValidateResult
+ *      (see comments in pkix_result.h)
+ */
+PKIX_Error *
+PKIX_BuildResult_GetValidateResult(
+        PKIX_BuildResult *result,
+        PKIX_ValidateResult **pResult,
+        void *plContext)
+{
+        PKIX_ENTER(BUILDRESULT, "PKIX_BuildResult_GetValidateResult");
+        PKIX_NULLCHECK_TWO(result, pResult);
+
+        PKIX_INCREF(result->valResult);
+        *pResult = result->valResult;
+
+cleanup:
+        PKIX_RETURN(BUILDRESULT);
+}
+
+
+
+/*
+ * FUNCTION: PKIX_BuildResult_GetCertChain
+ *      (see comments in pkix_result.h)
+ */
+PKIX_Error *
+PKIX_BuildResult_GetCertChain(
+        PKIX_BuildResult *result,
+        PKIX_List **pChain,
+        void *plContext)
+{
+        PKIX_ENTER(BUILDRESULT, "PKIX_BuildResult_GetCertChain");
+        PKIX_NULLCHECK_TWO(result, pChain);
+
+        PKIX_INCREF(result->certChain);
+        *pChain = result->certChain;
+
+cleanup:
+        PKIX_RETURN(BUILDRESULT);
+}
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_buildresult.h b/security/nss/lib/libpkix/pkix/results/pkix_buildresult.h
new file mode 100755
index 000000000..f36c8840a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_buildresult.h
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_buildresult.h
+ *
+ * BuildResult Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_BUILDRESULT_H
+#define _PKIX_BUILDRESULT_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_BuildResultStruct {
+        PKIX_ValidateResult *valResult;
+        PKIX_List *certChain;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_BuildResult_Create(
+        PKIX_ValidateResult *valResult,
+        PKIX_List *certChain,
+        PKIX_BuildResult **pResult,
+        void *plContext);
+
+PKIX_Error *pkix_BuildResult_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BUILDRESULT_H */
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_policynode.c b/security/nss/lib/libpkix/pkix/results/pkix_policynode.c
new file mode 100755
index 000000000..2a3e647eb
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_policynode.c
@@ -0,0 +1,1410 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policynode.c
+ *
+ * Policy Node Object Type Definition
+ *
+ */
+
+#include "pkix_policynode.h"
+
+/* --Private-PolicyNode-Functions---------------------------------- */
+
+/*
+ * FUNCTION: pkix_PolicyNode_GetChildrenMutable
+ * DESCRIPTION:
+ *
+ *  Retrieves the List of PolicyNodes representing the child nodes of the
+ *  Policy Node pointed to by "node" and stores it at "pChildren". If "node"
+ *  has no List of child nodes, this function stores NULL at "pChildren".
+ *
+ *  Note that the List returned by this function may be mutable. This function
+ *  differs from the public function PKIX_PolicyNode_GetChildren in that
+ *  respect. (It also differs in that the public function creates an empty
+ *  List, if necessary, rather than storing NULL.)
+ *
+ *  During certificate processing, children Lists are created and modified.
+ *  Once the list is accessed using the public call, the List is set immutable.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode whose child nodes are to be stored.
+ *      Must be non-NULL.
+ *  "pChildren"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_PolicyNode_GetChildrenMutable(
+        PKIX_PolicyNode *node,
+        PKIX_List **pChildren,  /* list of PKIX_PolicyNode */
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_GetChildrenMutable");
+
+        PKIX_NULLCHECK_TWO(node, pChildren);
+
+        PKIX_INCREF(node->children);
+
+        *pChildren = node->children;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new PolicyNode using the OID pointed to by "validPolicy", the List
+ *  of CertPolicyQualifiers pointed to by "qualifierSet", the criticality
+ *  indicated by the Boolean value of "criticality", and the List of OIDs
+ *  pointed to by "expectedPolicySet", and stores the result at "pObject". The
+ *  criticality should be derived from whether the certificate policy extension
+ *  was marked as critical in the certificate that led to creation of this
+ *  PolicyNode. The "qualifierSet" and "expectedPolicySet" Lists are made
+ *  immutable. The PolicyNode pointers to parent and to children are initialized
+ *  to NULL, and the depth is set to zero; those values should be set by using
+ *  the pkix_PolicyNode_AddToParent function.
+ *
+ * PARAMETERS
+ *  "validPolicy"
+ *      Address of OID of the valid policy for the path. Must be non-NULL
+ *  "qualifierSet"
+ *      Address of List of CertPolicyQualifiers associated with the validpolicy.
+ *      May be NULL
+ *  "criticality"
+ *      Boolean indicator of whether the criticality should be set in this
+ *      PolicyNode
+ *  "expectedPolicySet"
+ *      Address of List of OIDs that would satisfy this policy in the next
+ *      certificate. Must be non-NULL
+ *  "pObject"
+ *      Address where the PolicyNode pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PolicyNode Error if the function fails  in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_PolicyNode_Create(
+        PKIX_PL_OID *validPolicy,
+        PKIX_List *qualifierSet,
+        PKIX_Boolean criticality,
+        PKIX_List *expectedPolicySet,
+        PKIX_PolicyNode **pObject,
+        void *plContext)
+{
+        PKIX_PolicyNode *node = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Create");
+
+        PKIX_NULLCHECK_THREE(validPolicy, expectedPolicySet, pObject);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_CERTPOLICYNODE_TYPE,
+                sizeof (PKIX_PolicyNode),
+                (PKIX_PL_Object **)&node,
+                plContext),
+                PKIX_COULDNOTCREATEPOLICYNODEOBJECT);
+
+        PKIX_INCREF(validPolicy);
+        node->validPolicy = validPolicy;
+
+        PKIX_INCREF(qualifierSet);
+        node->qualifierSet = qualifierSet;
+        if (qualifierSet) {
+                PKIX_CHECK(PKIX_List_SetImmutable(qualifierSet, plContext),
+                        PKIX_LISTSETIMMUTABLEFAILED);
+        }
+
+        node->criticality = criticality;
+
+        PKIX_INCREF(expectedPolicySet);
+        node->expectedPolicySet = expectedPolicySet;
+        PKIX_CHECK(PKIX_List_SetImmutable(expectedPolicySet, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        node->parent = NULL;
+        node->children = NULL;
+        node->depth = 0;
+
+        *pObject = node;
+        node = NULL;
+
+cleanup:
+
+        PKIX_DECREF(node);
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_AddToParent
+ * DESCRIPTION:
+ *
+ *  Adds the PolicyNode pointed to by "child" to the List of children of
+ *  the PolicyNode pointed to by "parentNode". If "parentNode" had a
+ *  NULL pointer for the List of children, a new List is created containing
+ *  "child". Otherwise "child" is appended to the existing List. The
+ *  parent field in "child" is set to "parent", and the depth field is
+ *  set to one more than the corresponding value in "parent".
+ *
+ *  Depth, in this context, means distance from the root node, which
+ *  is at depth zero.
+ *
+ * PARAMETERS:
+ *  "parentNode"
+ *      Address of PolicyNode whose List of child PolicyNodes is to be
+ *      created or appended to. Must be non-NULL.
+ *  "child"
+ *      Address of PolicyNode to be added to parentNode's List. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_PolicyNode_AddToParent(
+        PKIX_PolicyNode *parentNode,
+        PKIX_PolicyNode *child,
+        void *plContext)
+{
+        PKIX_List *listOfChildren = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_AddToParent");
+
+        PKIX_NULLCHECK_TWO(parentNode, child);
+
+        listOfChildren = parentNode->children;
+        if (listOfChildren == NULL) {
+                PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
+                        PKIX_LISTCREATEFAILED);
+                parentNode->children = listOfChildren;
+        }
+
+        /*
+         * Note: this link is not reference-counted. The link from parent
+         * to child is counted (actually, the parent "owns" a List which
+         * "owns" children), but the children do not "own" the parent.
+         * Otherwise, there would be loops.
+         */
+        child->parent = parentNode;
+
+        child->depth = 1 + (parentNode->depth);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (listOfChildren, (PKIX_PL_Object *)child, plContext),
+                PKIX_COULDNOTAPPENDCHILDTOPARENTSPOLICYNODELIST);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)parentNode, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)child, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Prune
+ * DESCRIPTION:
+ *
+ *  Prunes a tree below the PolicyNode whose address is pointed to by "node",
+ *  using the UInt32 value of "height" as the distance from the leaf level,
+ *  and storing at "pDelete" the Boolean value of whether this PolicyNode is,
+ *  after pruning, childless and should be pruned.
+ *
+ *  Any PolicyNode at height 0 is allowed to survive. If the height is greater
+ *  than zero, pkix_PolicyNode_Prune is called recursively for each child of
+ *  the current PolicyNode. After this process, a node with no children
+ *  stores PKIX_TRUE in "pDelete" to indicate that it should be deleted.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of the PolicyNode to be pruned. Must be non-NULL.
+ *  "height"
+ *      UInt32 value for the distance from the leaf level
+ *  "pDelete"
+ *      Address to store the Boolean return value of PKIX_TRUE if this node
+ *      should be pruned, or PKIX_FALSE if there remains at least one
+ *      branch of the required height. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_PolicyNode_Prune(
+        PKIX_PolicyNode *node,
+        PKIX_UInt32 height,
+        PKIX_Boolean *pDelete,
+        void *plContext)
+{
+        PKIX_Boolean childless = PKIX_FALSE;
+        PKIX_Boolean shouldBePruned = PKIX_FALSE;
+        PKIX_UInt32 listSize = 0;
+        PKIX_UInt32 listIndex = 0;
+        PKIX_PolicyNode *candidate = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Prune");
+
+        PKIX_NULLCHECK_TWO(node, pDelete);
+
+        /* Don't prune at the leaf */
+        if (height == 0) {
+                goto cleanup;
+        }
+
+        /* Above the bottom level, childless nodes get pruned */
+        if (!(node->children)) {
+                childless = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * This node has children. If they are leaf nodes,
+         * we know they will live. Otherwise, check them out.
+         */
+        if (height > 1) {
+                PKIX_CHECK(PKIX_List_GetLength
+                        (node->children, &listSize, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+                /*
+                 * By working backwards from the end of the list,
+                 * we avoid having to worry about possible
+                 * decreases in the size of the list, as we
+                 * delete items. The only nuisance is that since the
+                 * index is UInt32, we can't check for it to reach -1;
+                 * we have to use the 1-based index, rather than the
+                 * 0-based index that PKIX_List functions require.
+                 */
+                for (listIndex = listSize; listIndex > 0; listIndex--) {
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (node->children,
+                                (listIndex - 1),
+                                (PKIX_PL_Object **)&candidate,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_PolicyNode_Prune
+                                (candidate,
+                                height - 1,
+                                &shouldBePruned,
+                                plContext),
+                                PKIX_POLICYNODEPRUNEFAILED);
+
+                        if (shouldBePruned == PKIX_TRUE) {
+                                PKIX_CHECK(PKIX_List_DeleteItem
+                                        (node->children,
+                                        (listIndex - 1),
+                                        plContext),
+                                        PKIX_LISTDELETEITEMFAILED);
+                        }
+
+                        PKIX_DECREF(candidate);
+                }
+        }
+
+        /* Prune if this node has *become* childless */
+        PKIX_CHECK(PKIX_List_GetLength
+                (node->children, &listSize, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+        if (listSize == 0) {
+                childless = PKIX_TRUE;
+        }
+
+        /*
+         * Even if we did not change this node, or any of its children,
+         * maybe a [great-]*grandchild was pruned.
+         */
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)node, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        *pDelete = childless;
+
+        PKIX_DECREF(candidate);
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SinglePolicyNode_ToString
+ * DESCRIPTION:
+ *
+ *  Creates a String representation of the attributes of the PolicyNode
+ *  pointed to by "node", other than its parents or children, and
+ *  stores the result at "pString".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode to be described by the string. Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+PKIX_Error *
+pkix_SinglePolicyNode_ToString(
+        PKIX_PolicyNode *node,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *fmtString = NULL;
+        PKIX_PL_String *validString = NULL;
+        PKIX_PL_String *qualifierString = NULL;
+        PKIX_PL_String *criticalityString = NULL;
+        PKIX_PL_String *expectedString = NULL;
+        PKIX_PL_String *outString = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_SinglePolicyNode_ToString");
+        PKIX_NULLCHECK_TWO(node, pString);
+        PKIX_NULLCHECK_TWO(node->validPolicy, node->expectedPolicySet);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                "{%s,%s,%s,%s,%d}",
+                0,
+                &fmtString,
+                plContext),
+                PKIX_CANTCREATESTRING);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)(node->validPolicy),
+                &validString,
+                plContext),
+                PKIX_OIDTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)(node->expectedPolicySet),
+                &expectedString,
+                plContext),
+                PKIX_LISTTOSTRINGFAILED);
+
+        if (node->qualifierSet) {
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object *)(node->qualifierSet),
+                        &qualifierString,
+                        plContext),
+                        PKIX_LISTTOSTRINGFAILED);
+        } else {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "{}",
+                        0,
+                        &qualifierString,
+                        plContext),
+                        PKIX_CANTCREATESTRING);
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                (node->criticality)?"Critical":"Not Critical",
+                0,
+                &criticalityString,
+                plContext),
+                PKIX_CANTCREATESTRING);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&outString,
+                plContext,
+                fmtString,
+                validString,
+                qualifierString,
+                criticalityString,
+                expectedString,
+                node->depth),
+                PKIX_SPRINTFFAILED);
+
+        *pString = outString;
+
+cleanup:
+
+        PKIX_DECREF(fmtString);
+        PKIX_DECREF(validString);
+        PKIX_DECREF(qualifierString);
+        PKIX_DECREF(criticalityString);
+        PKIX_DECREF(expectedString);
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Produces a String representation of a PolicyNode tree below the PolicyNode
+ *  pointed to by "rootNode", with each line of output prefixed by the String
+ *  pointed to by "indent", and stores the result at "pTreeString". It is
+ *  called recursively, with ever-increasing indentation, for successively
+ *  lower nodes on the tree.
+ *
+ * PARAMETERS:
+ *  "rootNode"
+ *      Address of PolicyNode subtree. Must be non-NULL.
+ *  "indent"
+ *      Address of String to be prefixed to each line of output. May be NULL
+ *      if no indentation is desired
+ *  "pTreeString"
+ *      Address where the resulting String will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_PolicyNode_ToString_Helper(
+        PKIX_PolicyNode *rootNode,
+        PKIX_PL_String *indent,
+        PKIX_PL_String **pTreeString,
+        void *plContext)
+{
+        PKIX_PL_String *nextIndentFormat = NULL;
+        PKIX_PL_String *thisNodeFormat = NULL;
+        PKIX_PL_String *childrenFormat = NULL;
+        PKIX_PL_String *nextIndentString = NULL;
+        PKIX_PL_String *resultString = NULL;
+        PKIX_PL_String *thisItemString = NULL;
+        PKIX_PL_String *childString = NULL;
+        PKIX_PolicyNode *childNode = NULL;
+        PKIX_UInt32 numberOfChildren = 0;
+        PKIX_UInt32 childIndex = 0;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_ToString_Helper");
+
+        PKIX_NULLCHECK_TWO(rootNode, pTreeString);
+
+        /* Create a string for this node */
+        PKIX_CHECK(pkix_SinglePolicyNode_ToString
+                (rootNode, &thisItemString, plContext),
+                PKIX_ERRORINSINGLEPOLICYNODETOSTRING);
+
+        if (indent) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s%s",
+                        0,
+                        &thisNodeFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                        (&resultString,
+                        plContext,
+                        thisNodeFormat,
+                        indent,
+                        thisItemString),
+                        PKIX_ERRORINSPRINTF);
+        } else {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s",
+                        0,
+                        &thisNodeFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                        (&resultString,
+                        plContext,
+                        thisNodeFormat,
+                        thisItemString),
+                        PKIX_ERRORINSPRINTF);
+        }
+
+        PKIX_DECREF(thisItemString);
+        thisItemString = resultString;
+
+        /* if no children, we are done */
+        if (rootNode->children) {
+                PKIX_CHECK(PKIX_List_GetLength
+                        (rootNode->children, &numberOfChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+        }
+
+        if (numberOfChildren != 0) {
+                /*
+                 * We create a string for each child in turn,
+                 * concatenating them to thisItemString.
+                 */
+
+                /* Prepare an indent string for each child */
+                if (indent) {
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                (PKIX_ESCASCII,
+                                "%s. ",
+                                0,
+                                &nextIndentFormat,
+                                plContext),
+                                PKIX_ERRORCREATINGFORMATSTRING);
+
+                        PKIX_CHECK(PKIX_PL_Sprintf
+                                (&nextIndentString,
+                                plContext,
+                                nextIndentFormat,
+                                indent),
+                                PKIX_ERRORINSPRINTF);
+                } else {
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                (PKIX_ESCASCII,
+                                ". ",
+                                0,
+                                &nextIndentString,
+                                plContext),
+                                PKIX_ERRORCREATINGINDENTSTRING);
+                }
+
+                /* Prepare the format for concatenation. */
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s\n%s",
+                        0,
+                        &childrenFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                for (childIndex = 0;
+                        childIndex < numberOfChildren;
+                        childIndex++) {
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (rootNode->children,
+                                childIndex,
+                                (PKIX_PL_Object **)&childNode,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_PolicyNode_ToString_Helper
+                                (childNode,
+                                nextIndentString,
+                                &childString,
+                                plContext),
+                                PKIX_ERRORCREATINGCHILDSTRING);
+
+
+                        PKIX_CHECK(PKIX_PL_Sprintf
+                                (&resultString,
+                                plContext,
+                                childrenFormat,
+                                thisItemString,
+                                childString),
+                        PKIX_ERRORINSPRINTF);
+
+                        PKIX_DECREF(childNode);
+                        PKIX_DECREF(childString);
+                        PKIX_DECREF(thisItemString);
+
+                        thisItemString = resultString;
+                }
+        }
+
+        *pTreeString = thisItemString;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(thisItemString);
+        }
+
+        PKIX_DECREF(nextIndentFormat);
+        PKIX_DECREF(thisNodeFormat);
+        PKIX_DECREF(childrenFormat);
+        PKIX_DECREF(nextIndentString);
+        PKIX_DECREF(childString);
+        PKIX_DECREF(childNode);
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyNode_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pTreeString,
+        void *plContext)
+{
+        PKIX_PolicyNode *rootNode = NULL;
+        PKIX_PL_String *resultString = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pTreeString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYNODE);
+
+        rootNode = (PKIX_PolicyNode *)object;
+
+        PKIX_CHECK(pkix_PolicyNode_ToString_Helper
+                (rootNode, NULL, &resultString, plContext),
+                PKIX_ERRORCREATINGSUBTREESTRING);
+
+        *pTreeString = resultString;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyNode_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PolicyNode *node = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYNODE);
+
+        node = (PKIX_PolicyNode*)object;
+
+        node->criticality = PKIX_FALSE;
+        PKIX_DECREF(node->validPolicy);
+        PKIX_DECREF(node->qualifierSet);
+        PKIX_DECREF(node->expectedPolicySet);
+        PKIX_DECREF(node->children);
+
+        /*
+         * Note: the link to parent is not reference-counted. See comment
+         * in pkix_PolicyNode_AddToParent for more details.
+         */
+        node->parent = NULL;
+        node->depth = 0;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SinglePolicyNode_Hashcode
+ * DESCRIPTION:
+ *
+ *  Computes the hashcode of the attributes of the PolicyNode pointed to by
+ *  "node", other than its parents and children, and stores the result at
+ *  "pHashcode".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of PolicyNode to be hashcoded; must be non-NULL
+ *  "pHashcode"
+ *      Address where UInt32 result will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_SinglePolicyNode_Hashcode(
+        PKIX_PolicyNode *node,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 componentHash = 0;
+        PKIX_UInt32 nodeHash = 0;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_SinglePolicyNode_Hashcode");
+        PKIX_NULLCHECK_TWO(node, pHashcode);
+        PKIX_NULLCHECK_TWO(node->validPolicy, node->expectedPolicySet);
+
+        PKIX_HASHCODE
+                (node->qualifierSet,
+                &nodeHash,
+                plContext,
+                PKIX_FAILUREHASHINGLISTQUALIFIERSET);
+
+        if (PKIX_TRUE == (node->criticality)) {
+                nodeHash = 31*nodeHash + 0xff;
+        } else {
+                nodeHash = 31*nodeHash + 0x00;
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)node->validPolicy,
+                &componentHash,
+                plContext),
+                PKIX_FAILUREHASHINGOIDVALIDPOLICY);
+
+        nodeHash = 31*nodeHash + componentHash;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)node->expectedPolicySet,
+                &componentHash,
+                plContext),
+                PKIX_FAILUREHASHINGLISTEXPECTEDPOLICYSET);
+
+        nodeHash = 31*nodeHash + componentHash;
+
+        *pHashcode = nodeHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyNode_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PolicyNode *node = NULL;
+        PKIX_UInt32 childrenHash = 0;
+        PKIX_UInt32 nodeHash = 0;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYNODE);
+
+        node = (PKIX_PolicyNode *)object;
+
+        PKIX_CHECK(pkix_SinglePolicyNode_Hashcode
+                (node, &nodeHash, plContext),
+                PKIX_SINGLEPOLICYNODEHASHCODEFAILED);
+
+        nodeHash = 31*nodeHash + (PKIX_UInt32)(node->parent);
+
+        PKIX_HASHCODE
+                (node->children,
+                &childrenHash,
+                plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        nodeHash = 31*nodeHash + childrenHash;
+
+        *pHashcode = nodeHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SinglePolicyNode_Equals
+ * DESCRIPTION:
+ *
+ *  Compares for equality the components of the PolicyNode pointed to by
+ *  "firstPN", other than its parents and children, with those of the
+ *  PolicyNode pointed to by "secondPN" and stores the result at "pResult"
+ *  (PKIX_TRUE if equal; PKIX_FALSE if not).
+ *
+ * PARAMETERS:
+ *  "firstPN"
+ *      Address of first of the PolicyNodes to be compared; must be non-NULL
+ *  "secondPN"
+ *      Address of second of the PolicyNodes to be compared; must be non-NULL
+ *  "pResult"
+ *      Address where Boolean will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_SinglePolicyNode_Equals(
+        PKIX_PolicyNode *firstPN,
+        PKIX_PolicyNode *secondPN,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_SinglePolicyNode_Equals");
+        PKIX_NULLCHECK_THREE(firstPN, secondPN, pResult);
+
+        /* If both references are identical, they must be equal */
+        if (firstPN == secondPN) {
+                compResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * It seems we have to do the comparisons. Do
+         * the easiest ones first.
+         */
+        if ((firstPN->criticality) != (secondPN->criticality)) {
+                goto cleanup;
+        }
+        if ((firstPN->depth) != (secondPN->depth)) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS
+                (firstPN->qualifierSet,
+                secondPN->qualifierSet,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (compResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        /* These fields must be non-NULL */
+        PKIX_NULLCHECK_TWO(firstPN->validPolicy, secondPN->validPolicy);
+
+        PKIX_EQUALS
+                (firstPN->validPolicy,
+                secondPN->validPolicy,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (compResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        /* These fields must be non-NULL */
+        PKIX_NULLCHECK_TWO
+                (firstPN->expectedPolicySet, secondPN->expectedPolicySet);
+
+        PKIX_EQUALS
+                (firstPN->expectedPolicySet,
+                secondPN->expectedPolicySet,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILEDONEXPECTEDPOLICYSETS);
+
+cleanup:
+
+        *pResult = compResult;
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyNode_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PolicyNode *firstPN = NULL;
+        PKIX_PolicyNode *secondPN = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a PolicyNode */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_CERTPOLICYNODE_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTPOLICYNODE);
+
+        /*
+         * Since we know firstObject is a PolicyNode,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                compResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a PolicyNode, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        if (secondType != PKIX_CERTPOLICYNODE_TYPE) {
+                goto cleanup;
+        }
+
+        /*
+         * Oh, well, we have to do the comparisons. Do
+         * the easiest ones first.
+         */
+        firstPN = (PKIX_PolicyNode *)firstObject;
+        secondPN = (PKIX_PolicyNode *)secondObject;
+
+        /*
+         * We don't require the parents to be identical. In the
+         * course of traversing the tree, we will have checked the
+         * attributes of the parent nodes, and checking the lists
+         * of children will determine whether they match.
+         */
+
+        PKIX_EQUALS
+                (firstPN->children,
+                secondPN->children,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILEDONCHILDREN);
+
+        if (compResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_SinglePolicyNode_Equals
+                (firstPN, secondPN, &compResult, plContext),
+                PKIX_SINGLEPOLICYNODEEQUALSFAILED);
+
+cleanup:
+
+        *pResult = compResult;
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_DuplicateHelper
+ * DESCRIPTION:
+ *
+ *  Duplicates the PolicyNode whose address is pointed to by "original",
+ *  and stores the result at "pNewNode", if a non-NULL pointer is provided
+ *  for "pNewNode". In addition, the created PolicyNode is added as a child
+ *  to "parent", if a non-NULL pointer is provided for "parent". Then this
+ *  function is called recursively to duplicate each of the children of
+ *  "original". At the top level this function is called with a null
+ *  "parent" and a non-NULL "pNewNode". Below the top level "parent" will
+ *  be non-NULL and "pNewNode" will be NULL.
+ *
+ * PARAMETERS:
+ *  "original"
+ *      Address of PolicyNode to be copied; must be non-NULL
+ *  "parent"
+ *      Address of PolicyNode to which the created node is to be added as a
+ *      child; NULL for the top-level call and non-NULL below the top level
+ *  "pNewNode"
+ *      Address to store the node created; should be NULL if "parent" is
+ *      non-NULL and vice versa
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a PolicyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_PolicyNode_DuplicateHelper(
+        PKIX_PolicyNode *original,
+        PKIX_PolicyNode *parent,
+        PKIX_PolicyNode **pNewNode,
+        void *plContext)
+{
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 childIndex = 0;
+        PKIX_List *children = NULL; /* List of PKIX_PolicyNode */
+        PKIX_PolicyNode *copy = NULL;
+        PKIX_PolicyNode *child = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_DuplicateHelper");
+
+        PKIX_NULLCHECK_THREE
+                (original, original->validPolicy, original->expectedPolicySet);
+
+        /*
+         * These components are immutable, so copying the pointers
+         * is sufficient. The create function increments the reference
+         * counts as it stores the pointers into the new object.
+         */
+        PKIX_CHECK(pkix_PolicyNode_Create
+                (original->validPolicy,
+                original->qualifierSet,
+                original->criticality,
+                original->expectedPolicySet,
+                &copy,
+                plContext),
+                PKIX_POLICYNODECREATEFAILED);
+
+        if (parent) {
+                PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, copy, plContext),
+                        PKIX_POLICYNODEADDTOPARENTFAILED);
+        }
+
+        /* Are there any children to duplicate? */
+        children = original->children;
+
+        if (children) {
+            PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+        }
+
+        for (childIndex = 0; childIndex < numChildren; childIndex++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (children,
+                        childIndex,
+                        (PKIX_PL_Object **)&child,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_PolicyNode_DuplicateHelper
+                        (child, copy, NULL, plContext),
+                        PKIX_POLICYNODEDUPLICATEHELPERFAILED);
+
+                PKIX_DECREF(child);
+        }
+
+        if (pNewNode) {
+                *pNewNode = copy;
+                copy = NULL; /* no DecRef if we give our handle away */
+        }
+
+cleanup:
+        PKIX_DECREF(copy);
+        PKIX_DECREF(child);
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_Duplicate
+ * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyNode_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_PolicyNode *original = NULL;
+        PKIX_PolicyNode *copy = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_Duplicate");
+
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTPOLICYNODE);
+
+        original = (PKIX_PolicyNode *)object;
+
+        PKIX_CHECK(pkix_PolicyNode_DuplicateHelper
+                (original, NULL, &copy, plContext),
+                PKIX_POLICYNODEDUPLICATEHELPERFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)copy;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyNode_RegisterSelf
+ * DESCRIPTION:
+ *
+ *  Registers PKIX_CERTPOLICYNODE_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_PolicyNode_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_RegisterSelf");
+
+        entry.description = "PolicyNode";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PolicyNode);
+        entry.destructor = pkix_PolicyNode_Destroy;
+        entry.equalsFunction = pkix_PolicyNode_Equals;
+        entry.hashcodeFunction = pkix_PolicyNode_Hashcode;
+        entry.toStringFunction = pkix_PolicyNode_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_PolicyNode_Duplicate;
+
+        systemClasses[PKIX_CERTPOLICYNODE_TYPE] = entry;
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+
+/* --Public-PolicyNode-Functions----------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetChildren
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetChildren(
+        PKIX_PolicyNode *node,
+        PKIX_List **pChildren,  /* list of PKIX_PolicyNode */
+        void *plContext)
+{
+        PKIX_List *children = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetChildren");
+
+        PKIX_NULLCHECK_TWO(node, pChildren);
+
+        PKIX_INCREF(node->children);
+        children = node->children;
+
+        if (!children) {
+                PKIX_CHECK(PKIX_List_Create(&children, plContext),
+                        PKIX_LISTCREATEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(children, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pChildren = children;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(children);
+        }
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetParent
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetParent(
+        PKIX_PolicyNode *node,
+        PKIX_PolicyNode **pParent,
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetParent");
+
+        PKIX_NULLCHECK_TWO(node, pParent);
+
+        PKIX_INCREF(node->parent);
+        *pParent = node->parent;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetValidPolicy
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetValidPolicy(
+        PKIX_PolicyNode *node,
+        PKIX_PL_OID **pValidPolicy,
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetValidPolicy");
+
+        PKIX_NULLCHECK_TWO(node, pValidPolicy);
+
+        PKIX_INCREF(node->validPolicy);
+        *pValidPolicy = node->validPolicy;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetPolicyQualifiers
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetPolicyQualifiers(
+        PKIX_PolicyNode *node,
+        PKIX_List **pQualifiers,  /* list of PKIX_PL_CertPolicyQualifier */
+        void *plContext)
+{
+        PKIX_List *qualifiers = NULL;
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetPolicyQualifiers");
+
+        PKIX_NULLCHECK_TWO(node, pQualifiers);
+
+        PKIX_INCREF(node->qualifierSet);
+        qualifiers = node->qualifierSet;
+
+        if (!qualifiers) {
+                PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
+                        PKIX_LISTCREATEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(qualifiers, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pQualifiers = qualifiers;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetExpectedPolicies
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetExpectedPolicies(
+        PKIX_PolicyNode *node,
+        PKIX_List **pExpPolicies,  /* list of PKIX_PL_OID */
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetExpectedPolicies");
+
+        PKIX_NULLCHECK_TWO(node, pExpPolicies);
+
+        PKIX_INCREF(node->expectedPolicySet);
+        *pExpPolicies = node->expectedPolicySet;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_IsCritical
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_IsCritical(
+        PKIX_PolicyNode *node,
+        PKIX_Boolean *pCritical,
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_IsCritical");
+
+        PKIX_NULLCHECK_TWO(node, pCritical);
+
+        *pCritical = node->criticality;
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_PolicyNode_GetDepth
+ * (see description of this function in pkix_results.h)
+ */
+PKIX_Error *
+PKIX_PolicyNode_GetDepth(
+        PKIX_PolicyNode *node,
+        PKIX_UInt32 *pDepth,
+        void *plContext)
+{
+
+        PKIX_ENTER(CERTPOLICYNODE, "PKIX_PolicyNode_GetDepth");
+
+        PKIX_NULLCHECK_TWO(node, pDepth);
+
+        *pDepth = node->depth;
+
+        PKIX_RETURN(CERTPOLICYNODE);
+}
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_policynode.h b/security/nss/lib/libpkix/pkix/results/pkix_policynode.h
new file mode 100755
index 000000000..240b74b51
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_policynode.h
@@ -0,0 +1,107 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policynode.h
+ *
+ * PolicyNode Type Definitions
+ *
+ */
+
+#ifndef _PKIX_POLICYNODE_H
+#define _PKIX_POLICYNODE_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* This structure reflects the contents of a policy node...
+ */
+struct PKIX_PolicyNodeStruct {
+    PKIX_PL_OID *validPolicy;
+    PKIX_List *qualifierSet;    /* CertPolicyQualifiers */
+    PKIX_Boolean criticality;
+    PKIX_List *expectedPolicySet;       /* OIDs */
+    PKIX_PolicyNode *parent;
+    PKIX_List *children;                /* PolicyNodes */
+    PKIX_UInt32 depth;
+};
+
+PKIX_Error *
+pkix_SinglePolicyNode_ToString(
+        PKIX_PolicyNode *node,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+PKIX_Error *
+pkix_PolicyNode_GetChildrenMutable(
+        PKIX_PolicyNode *node,
+        PKIX_List **pChildren,  /* PolicyNodes */
+        void *plContext);
+
+PKIX_Error *
+pkix_PolicyNode_Create(
+        PKIX_PL_OID *validPolicy,
+        PKIX_List *qualifierSet,        /* CertPolicyQualifiers */
+        PKIX_Boolean criticality,
+        PKIX_List *expectedPolicySet,   /* OIDs */
+        PKIX_PolicyNode **pObject,
+        void *plContext);
+
+PKIX_Error *
+pkix_PolicyNode_AddToParent(
+        PKIX_PolicyNode *parentNode,
+        PKIX_PolicyNode *child,
+        void *plContext);
+
+PKIX_Error *
+pkix_PolicyNode_Prune(
+        PKIX_PolicyNode *node,
+        PKIX_UInt32 depth,
+        PKIX_Boolean *pDelete,
+        void *plContext);
+
+PKIX_Error *
+pkix_PolicyNode_RegisterSelf(
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_POLICYNODE_H */
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_valresult.c b/security/nss/lib/libpkix/pkix/results/pkix_valresult.c
new file mode 100755
index 000000000..4d02c7e5b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_valresult.c
@@ -0,0 +1,465 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_valresult.c
+ *
+ * ValidateResult Object Functions
+ *
+ */
+
+#include "pkix_valresult.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ValidateResult_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateResult_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ValidateResult *result = NULL;
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a validate result object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATERESULT_TYPE, plContext),
+                PKIX_OBJECTNOTVALIDATERESULT);
+
+        result = (PKIX_ValidateResult *)object;
+
+        PKIX_DECREF(result->anchor);
+        PKIX_DECREF(result->pubKey);
+        PKIX_DECREF(result->policyTree);
+
+cleanup:
+
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: pkix_ValidateResult_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateResult_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_ValidateResult *firstValResult = NULL;
+        PKIX_ValidateResult *secondValResult = NULL;
+        PKIX_PolicyNode *firstTree = NULL;
+        PKIX_PolicyNode *secondTree = NULL;
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_VALIDATERESULT_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTVALIDATERESULT);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_VALIDATERESULT_TYPE) goto cleanup;
+
+        firstValResult = (PKIX_ValidateResult *)first;
+        secondValResult = (PKIX_ValidateResult *)second;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)firstValResult->pubKey,
+                (PKIX_PL_Object *)secondValResult->pubKey,
+                &cmpResult,
+                plContext),
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)firstValResult->anchor,
+                (PKIX_PL_Object *)secondValResult->anchor,
+                &cmpResult,
+                plContext),
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (!cmpResult) goto cleanup;
+
+        firstTree = firstValResult->policyTree;
+        secondTree = secondValResult->policyTree;
+
+        if ((firstTree != NULL) && (secondTree != NULL)) {
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                        ((PKIX_PL_Object *)firstTree,
+                        (PKIX_PL_Object *)secondTree,
+                        &cmpResult,
+                        plContext),
+                        PKIX_OBJECTEQUALSFAILED);
+        } else {
+                if (PKIX_EXACTLY_ONE_NULL(firstTree, secondTree)) {
+                        cmpResult = PKIX_FALSE;
+                }
+        }
+
+        /*
+         * The remaining case is that both are null,
+         * which we consider equality.
+         *      cmpResult = PKIX_TRUE;
+         */
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: pkix_ValidateResult_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateResult_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 pubKeyHash = 0;
+        PKIX_UInt32 anchorHash = 0;
+        PKIX_UInt32 policyTreeHash = 0;
+        PKIX_PolicyNode *policyTree = NULL;
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATERESULT_TYPE, plContext),
+                PKIX_OBJECTNOTVALIDATERESULT);
+
+        valResult = (PKIX_ValidateResult*)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)valResult->pubKey, &pubKeyHash, plContext),
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)valResult->anchor, &anchorHash, plContext),
+                PKIX_OBJECTHASHCODEFAILED);
+
+        policyTree = valResult->policyTree;
+        if (policyTree) {
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                        ((PKIX_PL_Object *)valResult->policyTree,
+                        &policyTreeHash,
+                        plContext),
+                        PKIX_OBJECTHASHCODEFAILED);
+        }
+
+        hash = 31*(31 * pubKeyHash + anchorHash) + policyTreeHash;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: pkix_ValidateResult_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ValidateResult_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *valResultString = NULL;
+
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_PL_PublicKey *pubKey = NULL;
+        PKIX_PolicyNode *policyTree = NULL;
+
+        PKIX_PL_String *anchorString = NULL;
+        PKIX_PL_String *pubKeyString = NULL;
+        PKIX_PL_String *treeString = NULL;
+        char *asciiNullString = "(null)";
+        char *asciiFormat =
+                "[\n"
+                "\tTrustAnchor: \t\t%s"
+                "\tPubKey:    \t\t%s\n"
+                "\tPolicyTree:  \t\t%s\n"
+                "]\n";
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VALIDATERESULT_TYPE, plContext),
+                PKIX_OBJECTNOTVALIDATERESULT);
+
+        valResult = (PKIX_ValidateResult*)object;
+
+        anchor = valResult->anchor;
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)anchor, &anchorString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        pubKey = valResult->pubKey;
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)pubKey, &pubKeyString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_ValidateResult_GetPolicyTree
+                (valResult, &policyTree, plContext),
+                PKIX_VALIDATERESULTGETPOLICYTREEFAILED);
+
+        if (policyTree) {
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                        ((PKIX_PL_Object *)policyTree, &treeString, plContext),
+                        PKIX_OBJECTTOSTRINGFAILED);
+        } else {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        asciiNullString,
+                        0,
+                        &treeString,
+                        plContext),
+                        PKIX_STRINGCREATEFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&valResultString,
+                plContext,
+                formatString,
+                anchorString,
+                pubKeyString,
+                treeString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = valResultString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(anchorString);
+        PKIX_DECREF(pubKeyString);
+        PKIX_DECREF(policyTree);
+        PKIX_DECREF(treeString);
+
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: pkix_ValidateResult_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_VALIDATERESULT_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ValidateResult_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_RegisterSelf");
+
+        entry.description = "ValidateResult";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ValidateResult);
+        entry.destructor = pkix_ValidateResult_Destroy;
+        entry.equalsFunction = pkix_ValidateResult_Equals;
+        entry.hashcodeFunction = pkix_ValidateResult_Hashcode;
+        entry.toStringFunction = pkix_ValidateResult_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_VALIDATERESULT_TYPE] = entry;
+
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: pkix_ValidateResult_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new ValidateResult Object using the PublicKey pointed to by
+ *  "pubKey", the TrustAnchor pointed to by "anchor", and the PolicyNode
+ *  pointed to by "policyTree", and stores it at "pResult".
+ *
+ * PARAMETERS
+ *  "pubKey"
+ *      PublicKey of the desired ValidateResult. Must be non-NULL.
+ *  "anchor"
+ *      TrustAnchor of the desired Validateresult. Must be non-NULL.
+ *  "policyTree"
+ *      PolicyNode of the desired ValidateResult; may be NULL
+ *  "pResult"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ValidateResult_Create(
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_TrustAnchor *anchor,
+        PKIX_PolicyNode *policyTree,
+        PKIX_ValidateResult **pResult,
+        void *plContext)
+{
+        PKIX_ValidateResult *result = NULL;
+
+        PKIX_ENTER(VALIDATERESULT, "pkix_ValidateResult_Create");
+        PKIX_NULLCHECK_THREE(pubKey, anchor, pResult);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_VALIDATERESULT_TYPE,
+                    sizeof (PKIX_ValidateResult),
+                    (PKIX_PL_Object **)&result,
+                    plContext),
+                    PKIX_COULDNOTCREATEVALIDATERESULTOBJECT);
+
+        /* initialize fields */
+
+        PKIX_INCREF(pubKey);
+        result->pubKey = pubKey;
+
+        PKIX_INCREF(anchor);
+        result->anchor = anchor;
+
+        PKIX_INCREF(policyTree);
+        result->policyTree = policyTree;
+
+        *pResult = result;
+        result = NULL;
+
+cleanup:
+
+        PKIX_DECREF(result);
+
+        PKIX_RETURN(VALIDATERESULT);
+
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetPublicKey
+ *      (see comments in pkix_result.h)
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetPublicKey(
+        PKIX_ValidateResult *result,
+        PKIX_PL_PublicKey **pPublicKey,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATERESULT, "PKIX_ValidateResult_GetPublicKey");
+        PKIX_NULLCHECK_TWO(result, pPublicKey);
+
+        PKIX_INCREF(result->pubKey);
+        *pPublicKey = result->pubKey;
+
+cleanup:
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetTrustAnchor
+ *      (see comments in pkix_result.h)
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetTrustAnchor(
+        PKIX_ValidateResult *result,
+        PKIX_TrustAnchor **pTrustAnchor,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATERESULT, "PKIX_ValidateResult_GetTrustAnchor");
+        PKIX_NULLCHECK_TWO(result, pTrustAnchor);
+
+        PKIX_INCREF(result->anchor);
+        *pTrustAnchor = result->anchor;
+
+cleanup:
+        PKIX_RETURN(VALIDATERESULT);
+}
+
+/*
+ * FUNCTION: PKIX_ValidateResult_GetPolicyTree
+ *      (see comments in pkix_result.h)
+ */
+PKIX_Error *
+PKIX_ValidateResult_GetPolicyTree(
+        PKIX_ValidateResult *result,
+        PKIX_PolicyNode **pPolicyTree,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATERESULT, "PKIX_ValidateResult_GetPolicyTree");
+        PKIX_NULLCHECK_TWO(result, pPolicyTree);
+
+        PKIX_INCREF(result->policyTree);
+        (*pPolicyTree) = result->policyTree;
+
+cleanup:
+        PKIX_RETURN(VALIDATERESULT);
+}
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_valresult.h b/security/nss/lib/libpkix/pkix/results/pkix_valresult.h
new file mode 100755
index 000000000..eea4b7887
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_valresult.h
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_valresult.h
+ *
+ * ValidateResult Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_VALIDATERESULT_H
+#define _PKIX_VALIDATERESULT_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ValidateResultStruct {
+        PKIX_PL_PublicKey *pubKey;
+        PKIX_TrustAnchor *anchor;
+        PKIX_PolicyNode *policyTree;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_ValidateResult_Create(
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_TrustAnchor *anchor,
+        PKIX_PolicyNode *policyTree,
+        PKIX_ValidateResult **pResult,
+        void *plContext);
+
+PKIX_Error *pkix_ValidateResult_RegisterSelf(void *plContext);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_VALIDATERESULT_H */
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c
new file mode 100755
index 000000000..d1bc7c290
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c
@@ -0,0 +1,1216 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_verifynode.c
+ *
+ * Verify Node Object Type Definition
+ *
+ */
+
+#include "pkix_verifynode.h"
+
+/* --Private-VerifyNode-Functions---------------------------------- */
+
+/*
+ * FUNCTION: pkix_VerifyNode_Create
+ * DESCRIPTION:
+ *
+ *  This function creates a VerifyNode using the Cert pointed to by "cert",
+ *  the depth given by "depth", and the Error pointed to by "error", storing
+ *  the result at "pObject".
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert for the node. Must be non-NULL
+ *  "depth"
+ *      UInt32 value of the depth for this node.
+ *  "error"
+ *      Address of Error for the node.
+ *  "pObject"
+ *      Address where the VerifyNode pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_VerifyNode_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 depth,
+        PKIX_Error *error,
+        PKIX_VerifyNode **pObject,
+        void *plContext)
+{
+        PKIX_VerifyNode *node = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Create");
+
+        PKIX_NULLCHECK_TWO(cert, pObject);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_VERIFYNODE_TYPE,
+                sizeof (PKIX_VerifyNode),
+                (PKIX_PL_Object **)&node,
+                plContext),
+                PKIX_COULDNOTCREATEVERIFYNODEOBJECT);
+
+        PKIX_INCREF(cert);
+        node->verifyCert = cert;
+
+        PKIX_INCREF(error);
+        node->error = error;
+
+        node->depth = depth;
+
+        node->children = NULL;
+
+        *pObject = node;
+        node = NULL;
+
+cleanup:
+
+        PKIX_DECREF(node);
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_AddToChain
+ * DESCRIPTION:
+ *
+ *  Adds the VerifyNode pointed to by "child", at the appropriate depth, to the
+ *  List of children of the VerifyNode pointed to by "parentNode". The chain of
+ *  VerifyNodes is traversed until a VerifyNode is found at a depth one less
+ *  than that specified in "child". An Error is returned if there is no parent
+ *  at a suitable depth.
+ *
+ *  If "parentNode" has a NULL pointer for the List of children, a new List is
+ *  created containing "child". Otherwise "child" is appended to the existing
+ *  List.
+ *
+ *  Depth, in this context, means distance from the root node, which
+ *  is at depth zero.
+ *
+ * PARAMETERS:
+ *  "parentNode"
+ *      Address of VerifyNode whose List of child VerifyNodes is to be
+ *      created or appended to. Must be non-NULL.
+ *  "child"
+ *      Address of VerifyNode to be added to parentNode's List. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_VerifyNode_AddToChain(
+        PKIX_VerifyNode *parentNode,
+        PKIX_VerifyNode *child,
+        void *plContext)
+{
+        PKIX_VerifyNode *successor = NULL;
+        PKIX_List *listOfChildren = NULL;
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 parentDepth = 0;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToChain");
+        PKIX_NULLCHECK_TWO(parentNode, child);
+
+        parentDepth = parentNode->depth;
+        listOfChildren = parentNode->children;
+        if (listOfChildren == NULL) {
+
+                if (parentDepth != (child->depth - 1)) {
+                        PKIX_ERROR(PKIX_NODESMISSINGFROMCHAIN);
+                }
+
+                PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (listOfChildren, (PKIX_PL_Object *)child, plContext),
+                        PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);
+
+                parentNode->children = listOfChildren;
+        } else {
+                /* get number of children */
+                PKIX_CHECK(PKIX_List_GetLength
+                        (listOfChildren, &numChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                if (numChildren != 1) {
+                        PKIX_ERROR(PKIX_AMBIGUOUSPARENTAGEOFVERIFYNODE);
+                }
+
+                /* successor = listOfChildren[0] */
+                PKIX_CHECK(PKIX_List_GetItem
+                        (listOfChildren,
+                        0,
+                        (PKIX_PL_Object **)&successor,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_VerifyNode_AddToChain
+                        (successor, child, plContext),
+                        PKIX_VERIFYNODEADDTOCHAINFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)parentNode, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        PKIX_DECREF(successor);
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_SetDepth
+ * DESCRIPTION:
+ *
+ *  The function sets the depth field of each VerifyNode in the List "children"
+ *  to the value given by "depth", and recursively sets the depth of any
+ *  successive generations to the successive values.
+ *
+ * PARAMETERS:
+ *  "children"
+ *      The List of VerifyNodes. Must be non-NULL.
+ *  "depth"
+ *      The value of the depth field to be set in members of the List.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_VerifyNode_SetDepth(PKIX_List *children,
+        PKIX_UInt32 depth,
+        void *plContext)
+{
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 chIx = 0;
+        PKIX_VerifyNode *child = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_SetDepth");
+        PKIX_NULLCHECK_ONE(children);
+
+        PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (chIx = 0; chIx < numChildren; chIx++) {
+               PKIX_CHECK(PKIX_List_GetItem
+                        (children, chIx, (PKIX_PL_Object **)&child, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                child->depth = depth;
+
+                if (child->children != NULL) {
+                        PKIX_CHECK(pkix_VerifyNode_SetDepth
+                                (child->children, depth + 1, plContext),
+                                PKIX_VERIFYNODESETDEPTHFAILED);
+                }
+
+                PKIX_DECREF(child);
+        }
+
+cleanup:
+
+        PKIX_DECREF(child);
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_AddToTree
+ * DESCRIPTION:
+ *
+ *  Adds the VerifyNode pointed to by "child" to the List of children of the
+ *  VerifyNode pointed to by "parentNode". If "parentNode" has a NULL pointer
+ *  for the List of children, a new List is created containing "child".
+ *  Otherwise "child" is appended to the existing List. The depth field of
+ *  "child" is set to one more than the corresponding value in "parent", and
+ *  if the "child" itself has child nodes, their depth fields are updated
+ *  accordingly.
+ *
+ *  Depth, in this context, means distance from the root node, which
+ *  is at depth zero.
+ *
+ * PARAMETERS:
+ *  "parentNode"
+ *      Address of VerifyNode whose List of child VerifyNodes is to be
+ *      created or appended to. Must be non-NULL.
+ *  "child"
+ *      Address of VerifyNode to be added to parentNode's List. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_VerifyNode_AddToTree(
+        PKIX_VerifyNode *parentNode,
+        PKIX_VerifyNode *child,
+        void *plContext)
+{
+        PKIX_List *listOfChildren = NULL;
+        PKIX_UInt32 parentDepth = 0;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToTree");
+        PKIX_NULLCHECK_TWO(parentNode, child);
+
+        parentDepth = parentNode->depth;
+        listOfChildren = parentNode->children;
+        if (listOfChildren == NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+                parentNode->children = listOfChildren;
+        }
+
+        child->depth = parentDepth + 1;
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (parentNode->children, (PKIX_PL_Object *)child, plContext),
+                PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);
+
+        if (child->children != NULL) {
+                PKIX_CHECK(pkix_VerifyNode_SetDepth
+                        (child->children, child->depth + 1, plContext),
+                        PKIX_VERIFYNODESETDEPTHFAILED);
+        }
+
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SingleVerifyNode_ToString
+ * DESCRIPTION:
+ *
+ *  Creates a String representation of the attributes of the VerifyNode pointed
+ *  to by "node", other than its children, and stores the result at "pString".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of VerifyNode to be described by the string. Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+PKIX_Error *
+pkix_SingleVerifyNode_ToString(
+        PKIX_VerifyNode *node,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *fmtString = NULL;
+        PKIX_PL_String *errorString = NULL;
+        PKIX_PL_String *outString = NULL;
+
+        PKIX_PL_X500Name *issuerName = NULL;
+        PKIX_PL_X500Name *subjectName = NULL;
+        PKIX_PL_String *issuerString = NULL;
+        PKIX_PL_String *subjectString = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString");
+        PKIX_NULLCHECK_THREE(node, pString, node->verifyCert);
+
+        PKIX_TOSTRING(node->error, &errorString, plContext,
+                PKIX_ERRORTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+                (node->verifyCert, &issuerName, plContext),
+                PKIX_CERTGETISSUERFAILED);
+
+        PKIX_TOSTRING(issuerName, &issuerString, plContext,
+                PKIX_X500NAMETOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject
+                (node->verifyCert, &subjectName, plContext),
+                PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_TOSTRING(subjectName, &subjectString, plContext,
+                PKIX_X500NAMETOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                "CERT[Issuer:%s, Subject:%s], depth=%d, error=%s",
+                0,
+                &fmtString,
+                plContext),
+                PKIX_CANTCREATESTRING);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&outString,
+                plContext,
+                fmtString,
+                issuerString,
+                subjectString,
+                node->depth,
+                errorString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = outString;
+
+cleanup:
+
+        PKIX_DECREF(fmtString);
+        PKIX_DECREF(errorString);
+        PKIX_DECREF(issuerName);
+        PKIX_DECREF(subjectName);
+        PKIX_DECREF(issuerString);
+        PKIX_DECREF(subjectString);
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Produces a String representation of a VerifyNode tree below the VerifyNode
+ *  pointed to by "rootNode", with each line of output prefixed by the String
+ *  pointed to by "indent", and stores the result at "pTreeString". It is
+ *  called recursively, with ever-increasing indentation, for successively
+ *  lower nodes on the tree.
+ *
+ * PARAMETERS:
+ *  "rootNode"
+ *      Address of VerifyNode subtree. Must be non-NULL.
+ *  "indent"
+ *      Address of String to be prefixed to each line of output. May be NULL
+ *      if no indentation is desired
+ *  "pTreeString"
+ *      Address where the resulting String will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_VerifyNode_ToString_Helper(
+        PKIX_VerifyNode *rootNode,
+        PKIX_PL_String *indent,
+        PKIX_PL_String **pTreeString,
+        void *plContext)
+{
+        PKIX_PL_String *nextIndentFormat = NULL;
+        PKIX_PL_String *thisNodeFormat = NULL;
+        PKIX_PL_String *childrenFormat = NULL;
+        PKIX_PL_String *nextIndentString = NULL;
+        PKIX_PL_String *resultString = NULL;
+        PKIX_PL_String *thisItemString = NULL;
+        PKIX_PL_String *childString = NULL;
+        PKIX_VerifyNode *childNode = NULL;
+        PKIX_UInt32 numberOfChildren = 0;
+        PKIX_UInt32 childIndex = 0;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_ToString_Helper");
+
+        PKIX_NULLCHECK_TWO(rootNode, pTreeString);
+
+        /* Create a string for this node */
+        PKIX_CHECK(pkix_SingleVerifyNode_ToString
+                (rootNode, &thisItemString, plContext),
+                PKIX_ERRORINSINGLEVERIFYNODETOSTRING);
+
+        if (indent) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s%s",
+                        0,
+                        &thisNodeFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                        (&resultString,
+                        plContext,
+                        thisNodeFormat,
+                        indent,
+                        thisItemString),
+                        PKIX_ERRORINSPRINTF);
+        } else {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s",
+                        0,
+                        &thisNodeFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                        (&resultString,
+                        plContext,
+                        thisNodeFormat,
+                        thisItemString),
+                        PKIX_ERRORINSPRINTF);
+        }
+
+        PKIX_DECREF(thisItemString);
+        thisItemString = resultString;
+
+        /* if no children, we are done */
+        if (rootNode->children) {
+                PKIX_CHECK(PKIX_List_GetLength
+                        (rootNode->children, &numberOfChildren, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+        }
+
+        if (numberOfChildren != 0) {
+                /*
+                 * We create a string for each child in turn,
+                 * concatenating them to thisItemString.
+                 */
+
+                /* Prepare an indent string for each child */
+                if (indent) {
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                (PKIX_ESCASCII,
+                                "%s. ",
+                                0,
+                                &nextIndentFormat,
+                                plContext),
+                                PKIX_ERRORCREATINGFORMATSTRING);
+
+                        PKIX_CHECK(PKIX_PL_Sprintf
+                                (&nextIndentString,
+                                plContext,
+                                nextIndentFormat,
+                                indent),
+                                PKIX_ERRORINSPRINTF);
+                } else {
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                (PKIX_ESCASCII,
+                                ". ",
+                                0,
+                                &nextIndentString,
+                                plContext),
+                                PKIX_ERRORCREATINGINDENTSTRING);
+                }
+
+                /* Prepare the format for concatenation. */
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        "%s\n%s",
+                        0,
+                        &childrenFormat,
+                        plContext),
+                        PKIX_ERRORCREATINGFORMATSTRING);
+
+                for (childIndex = 0;
+                        childIndex < numberOfChildren;
+                        childIndex++) {
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (rootNode->children,
+                                childIndex,
+                                (PKIX_PL_Object **)&childNode,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_VerifyNode_ToString_Helper
+                                (childNode,
+                                nextIndentString,
+                                &childString,
+                                plContext),
+                                PKIX_ERRORCREATINGCHILDSTRING);
+
+
+                        PKIX_CHECK(PKIX_PL_Sprintf
+                                (&resultString,
+                                plContext,
+                                childrenFormat,
+                                thisItemString,
+                                childString),
+                        PKIX_ERRORINSPRINTF);
+
+                        PKIX_DECREF(childNode);
+                        PKIX_DECREF(childString);
+                        PKIX_DECREF(thisItemString);
+
+                        thisItemString = resultString;
+                }
+        }
+
+        *pTreeString = thisItemString;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(thisItemString);
+        }
+
+        PKIX_DECREF(nextIndentFormat);
+        PKIX_DECREF(thisNodeFormat);
+        PKIX_DECREF(childrenFormat);
+        PKIX_DECREF(nextIndentString);
+        PKIX_DECREF(childString);
+        PKIX_DECREF(childNode);
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_VerifyNode_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pTreeString,
+        void *plContext)
+{
+        PKIX_VerifyNode *rootNode = NULL;
+        PKIX_PL_String *resultString = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pTreeString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VERIFYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTVERIFYNODE);
+
+        rootNode = (PKIX_VerifyNode *)object;
+
+        PKIX_CHECK(pkix_VerifyNode_ToString_Helper
+                (rootNode, NULL, &resultString, plContext),
+                PKIX_ERRORCREATINGSUBTREESTRING);
+
+        *pTreeString = resultString;
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_VerifyNode_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_VerifyNode *node = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_VERIFYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTVERIFYNODE);
+
+        node = (PKIX_VerifyNode*)object;
+
+        PKIX_DECREF(node->verifyCert);
+        PKIX_DECREF(node->children);
+        PKIX_DECREF(node->error);
+
+        node->depth = 0;
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SingleVerifyNode_Hashcode
+ * DESCRIPTION:
+ *
+ *  Computes the hashcode of the attributes of the VerifyNode pointed to by
+ *  "node", other than its parents and children, and stores the result at
+ *  "pHashcode".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      Address of VerifyNode to be hashcoded; must be non-NULL
+ *  "pHashcode"
+ *      Address where UInt32 result will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_SingleVerifyNode_Hashcode(
+        PKIX_VerifyNode *node,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 errorHash = 0;
+        PKIX_UInt32 nodeHash = 0;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_Hashcode");
+        PKIX_NULLCHECK_TWO(node, pHashcode);
+
+        PKIX_HASHCODE
+                (node->verifyCert,
+                &nodeHash,
+                plContext,
+                PKIX_FAILUREHASHINGCERT);
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)node->error,
+                &errorHash,
+                plContext),
+                PKIX_FAILUREHASHINGERROR);
+
+        nodeHash = 31*nodeHash + errorHash;
+        *pHashcode = nodeHash;
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_VerifyNode_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_VerifyNode *node = NULL;
+        PKIX_UInt32 childrenHash = 0;
+        PKIX_UInt32 nodeHash = 0;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_VERIFYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTVERIFYNODE);
+
+        node = (PKIX_VerifyNode *)object;
+
+        PKIX_CHECK(pkix_SingleVerifyNode_Hashcode
+                (node, &nodeHash, plContext),
+                PKIX_SINGLEVERIFYNODEHASHCODEFAILED);
+
+        PKIX_HASHCODE
+                (node->children,
+                &childrenHash,
+                plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        nodeHash = 31*nodeHash + childrenHash;
+
+        *pHashcode = nodeHash;
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_SingleVerifyNode_Equals
+ * DESCRIPTION:
+ *
+ *  Compares for equality the components of the VerifyNode pointed to by
+ *  "firstPN", other than its parents and children, with those of the
+ *  VerifyNode pointed to by "secondPN" and stores the result at "pResult"
+ *  (PKIX_TRUE if equal; PKIX_FALSE if not).
+ *
+ * PARAMETERS:
+ *  "firstPN"
+ *      Address of first of the VerifyNodes to be compared; must be non-NULL
+ *  "secondPN"
+ *      Address of second of the VerifyNodes to be compared; must be non-NULL
+ *  "pResult"
+ *      Address where Boolean will be stored; must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_SingleVerifyNode_Equals(
+        PKIX_VerifyNode *firstVN,
+        PKIX_VerifyNode *secondVN,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_Equals");
+        PKIX_NULLCHECK_THREE(firstVN, secondVN, pResult);
+
+        /* If both references are identical, they must be equal */
+        if (firstVN == secondVN) {
+                compResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * It seems we have to do the comparisons. Do
+         * the easiest ones first.
+         */
+        if ((firstVN->depth) != (secondVN->depth)) {
+                goto cleanup;
+        }
+
+        /* These fields must be non-NULL */
+        PKIX_NULLCHECK_TWO(firstVN->verifyCert, secondVN->verifyCert);
+
+        PKIX_EQUALS
+                (firstVN->verifyCert,
+                secondVN->verifyCert,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (compResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS
+                (firstVN->error,
+                secondVN->error,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+cleanup:
+
+        *pResult = compResult;
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_VerifyNode_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_VerifyNode *firstVN = NULL;
+        PKIX_VerifyNode *secondVN = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a VerifyNode */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_VERIFYNODE_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTVERIFYNODE);
+
+        /*
+         * Since we know firstObject is a VerifyNode,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                compResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a VerifyNode, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        if (secondType != PKIX_VERIFYNODE_TYPE) {
+                goto cleanup;
+        }
+
+        /*
+         * Oh, well, we have to do the comparisons. Do
+         * the easiest ones first.
+         */
+        firstVN = (PKIX_VerifyNode *)firstObject;
+        secondVN = (PKIX_VerifyNode *)secondObject;
+
+        PKIX_CHECK(pkix_SingleVerifyNode_Equals
+                (firstVN, secondVN, &compResult, plContext),
+                PKIX_SINGLEVERIFYNODEEQUALSFAILED);
+
+        if (compResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS
+                (firstVN->children,
+                secondVN->children,
+                &compResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILEDONCHILDREN);
+
+cleanup:
+
+        *pResult = compResult;
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_DuplicateHelper
+ * DESCRIPTION:
+ *
+ *  Duplicates the VerifyNode whose address is pointed to by "original",
+ *  and stores the result at "pNewNode", if a non-NULL pointer is provided
+ *  for "pNewNode". In addition, the created VerifyNode is added as a child
+ *  to "parent", if a non-NULL pointer is provided for "parent". Then this
+ *  function is called recursively to duplicate each of the children of
+ *  "original". At the top level this function is called with a null
+ *  "parent" and a non-NULL "pNewNode". Below the top level "parent" will
+ *  be non-NULL and "pNewNode" will be NULL.
+ *
+ * PARAMETERS:
+ *  "original"
+ *      Address of VerifyNode to be copied; must be non-NULL
+ *  "parent"
+ *      Address of VerifyNode to which the created node is to be added as a
+ *      child; NULL for the top-level call and non-NULL below the top level
+ *  "pNewNode"
+ *      Address to store the node created; should be NULL if "parent" is
+ *      non-NULL and vice versa
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if function succeeds
+ *  Returns a VerifyNode Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in a fatal way
+ */
+static PKIX_Error *
+pkix_VerifyNode_DuplicateHelper(
+        PKIX_VerifyNode *original,
+        PKIX_VerifyNode *parent,
+        PKIX_VerifyNode **pNewNode,
+        void *plContext)
+{
+        PKIX_UInt32 numChildren = 0;
+        PKIX_UInt32 childIndex = 0;
+        PKIX_List *children = NULL; /* List of PKIX_VerifyNode */
+        PKIX_VerifyNode *copy = NULL;
+        PKIX_VerifyNode *child = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_DuplicateHelper");
+
+        PKIX_NULLCHECK_TWO
+                (original, original->verifyCert);
+
+        /*
+         * These components are immutable, so copying the pointers
+         * is sufficient. The create function increments the reference
+         * counts as it stores the pointers into the new object.
+         */
+        PKIX_CHECK(pkix_VerifyNode_Create
+                (original->verifyCert,
+                original->depth,
+                original->error,
+                &copy,
+                plContext),
+                PKIX_VERIFYNODECREATEFAILED);
+
+        /* Are there any children to duplicate? */
+        children = original->children;
+
+        if (children) {
+            PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+        }
+
+        for (childIndex = 0; childIndex < numChildren; childIndex++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (children,
+                        childIndex,
+                        (PKIX_PL_Object **)&child,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_VerifyNode_DuplicateHelper
+                        (child, copy, NULL, plContext),
+                        PKIX_VERIFYNODEDUPLICATEHELPERFAILED);
+
+                PKIX_DECREF(child);
+        }
+
+        if (pNewNode) {
+                *pNewNode = copy;
+                copy = NULL; /* no DecRef if we give our handle away */
+        }
+
+cleanup:
+        PKIX_DECREF(copy);
+        PKIX_DECREF(child);
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_Duplicate
+ * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_VerifyNode_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_VerifyNode *original = NULL;
+        PKIX_VerifyNode *copy = NULL;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_Duplicate");
+
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_VERIFYNODE_TYPE, plContext),
+                PKIX_OBJECTNOTVERIFYNODE);
+
+        original = (PKIX_VerifyNode *)object;
+
+        PKIX_CHECK(pkix_VerifyNode_DuplicateHelper
+                (original, NULL, &copy, plContext),
+                PKIX_VERIFYNODEDUPLICATEHELPERFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)copy;
+
+cleanup:
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: pkix_VerifyNode_RegisterSelf
+ * DESCRIPTION:
+ *
+ *  Registers PKIX_VERIFYNODE_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_VerifyNode_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_RegisterSelf");
+
+        entry.description = "VerifyNode";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_VerifyNode);
+        entry.destructor = pkix_VerifyNode_Destroy;
+        entry.equalsFunction = pkix_VerifyNode_Equals;
+        entry.hashcodeFunction = pkix_VerifyNode_Hashcode;
+        entry.toStringFunction = pkix_VerifyNode_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_VerifyNode_Duplicate;
+
+        systemClasses[PKIX_VERIFYNODE_TYPE] = entry;
+
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/* --Public-VerifyNode-Functions----------------------------------- */
+
+/*
+ * FUNCTION: PKIX_VerifyNode_SetError
+ * DESCRIPTION:
+ *
+ *  This function sets the Error field of the VerifyNode pointed to by "node"
+ *  to contain the Error pointed to by "error".
+ *
+ * PARAMETERS:
+ *  "node"
+ *      The address of the VerifyNode to be modified. Must be non-NULL.
+ *  "error"
+ *      The address of the Error to be stored.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_VerifyNode_SetError(
+        PKIX_VerifyNode *node,
+        PKIX_Error *error,
+        void *plContext)
+{
+
+        PKIX_ENTER(VERIFYNODE, "PKIX_VerifyNode_SetError");
+
+        PKIX_NULLCHECK_TWO(node, error);
+
+        PKIX_DECREF(node->error); /* should have been NULL */
+        PKIX_INCREF(error);
+        node->error = error;
+
+cleanup:
+        PKIX_RETURN(VERIFYNODE);
+}
+
+/*
+ * FUNCTION: PKIX_VerifyNode_FindError
+ * DESCRIPTION:
+ *
+ * Finds meaningful error in the log. For now, just returns the first
+ * error it finds in. In the future the function should be changed to
+ * return a top priority error.
+ *
+ * PARAMETERS:
+ *  "node"
+ *      The address of the VerifyNode to be modified. Must be non-NULL.
+ *  "error"
+ *      The address of a pointer the error will be returned to.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_VerifyNode_FindError(
+        PKIX_VerifyNode *node,
+        PKIX_Error **error,
+        void *plContext)
+{
+    PKIX_VerifyNode *childNode = NULL;
+
+    PKIX_ENTER(VERIFYNODE, "PKIX_VerifyNode_FindError");
+
+    /* Make sure the return address is initialized with NULL */
+    PKIX_DECREF(*error);
+
+    if (!node)
+        goto cleanup;
+    
+    /* First, try to get error from lowest level. */
+    if (node->children) {
+        PKIX_UInt32 length = 0;
+        PKIX_UInt32 index = 0;
+
+        PKIX_CHECK(
+            PKIX_List_GetLength(node->children, &length,
+                                plContext),
+            PKIX_LISTGETLENGTHFAILED);
+        for (index = 0;index < length;index++) {
+            PKIX_CHECK(
+                PKIX_List_GetItem(node->children, index,
+                                  (PKIX_PL_Object**)&childNode, plContext),
+                PKIX_LISTGETITEMFAILED);
+            if (!childNode)
+                continue;
+            PKIX_CHECK(
+                pkix_VerifyNode_FindError(childNode, error,
+                                          plContext),
+                PKIX_VERIFYNODEFINDERRORFAILED);
+            PKIX_DECREF(childNode);
+            if (*error) {
+                goto cleanup;
+            }
+        }
+    }
+    
+    if (node->error) {
+        PKIX_INCREF(node->error);
+        *error = node->error;
+    }
+
+cleanup:
+    PKIX_DECREF(childNode);
+    
+    PKIX_RETURN(VERIFYNODE);
+}
diff --git a/security/nss/lib/libpkix/pkix/results/pkix_verifynode.h b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.h
new file mode 100755
index 000000000..3621dabc7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_verifynode.h
+ *
+ * VerifyNode Type Definitions
+ *
+ */
+
+#ifndef _PKIX_VERIFYNODE_H
+#define _PKIX_VERIFYNODE_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* This structure reflects the contents of a verify node...
+ */
+struct PKIX_VerifyNodeStruct {
+    PKIX_PL_Cert *verifyCert;
+    PKIX_List *children;                /* VerifyNodes */
+    PKIX_UInt32 depth;
+    PKIX_Error *error;
+};
+
+PKIX_Error *
+pkix_SingleVerifyNode_ToString(
+        PKIX_VerifyNode *node,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_Create(
+        PKIX_PL_Cert *verifyCert,
+        PKIX_UInt32 depth,
+        PKIX_Error *error,
+        PKIX_VerifyNode **pObject,
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_AddToChain(
+        PKIX_VerifyNode *parentNode,
+        PKIX_VerifyNode *child,
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_AddToTree(
+        PKIX_VerifyNode *parentNode,
+        PKIX_VerifyNode *child,
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_SetError(
+        PKIX_VerifyNode *node,
+        PKIX_Error *error,
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_RegisterSelf(
+        void *plContext);
+
+PKIX_Error *
+pkix_VerifyNode_FindError(
+        PKIX_VerifyNode *node,
+        PKIX_Error **error,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_VERIFYNODE_H */
diff --git a/security/nss/lib/libpkix/pkix/store/Makefile b/security/nss/lib/libpkix/pkix/store/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/store/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/store/config.mk b/security/nss/lib/libpkix/pkix/store/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/store/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/store/manifest.mn b/security/nss/lib/libpkix/pkix/store/manifest.mn
new file mode 100755
index 000000000..95101f26c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/store/manifest.mn
@@ -0,0 +1,56 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_store.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_store.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixstore
+
diff --git a/security/nss/lib/libpkix/pkix/store/pkix_store.c b/security/nss/lib/libpkix/pkix/store/pkix_store.c
new file mode 100755
index 000000000..d41675b69
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/store/pkix_store.c
@@ -0,0 +1,408 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_store.c
+ *
+ * CertStore Function Definitions
+ *
+ */
+
+#include "pkix_store.h"
+
+/* --CertStore-Private-Functions----------------------------------------- */
+
+/*
+ * FUNCTION: pkix_CertStore_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertStore_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_CertStore_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a CertStore object */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSTORE_TYPE, plContext),
+                PKIX_OBJECTNOTCERTSTORE);
+
+        certStore = (PKIX_CertStore *)object;
+
+        certStore->certCallback = NULL;
+        certStore->crlCallback = NULL;
+        certStore->certContinue = NULL;
+        certStore->crlContinue = NULL;
+        certStore->trustCallback = NULL;
+
+        PKIX_DECREF(certStore->certStoreContext);
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_CertStore_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertStore_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+        PKIX_UInt32 tempHash = 0;
+
+        PKIX_ENTER(CERTSTORE, "pkix_CertStore_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSTORE_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTSTORE);
+
+        certStore = (PKIX_CertStore *)object;
+
+        if (certStore->certStoreContext) {
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *) certStore->certStoreContext,
+                    &tempHash,
+                    plContext),
+                   PKIX_CERTSTOREHASHCODEFAILED);
+        }
+
+        *pHashcode = (PKIX_UInt32) certStore->certCallback +
+                     (PKIX_UInt32) certStore->crlCallback +
+                     (PKIX_UInt32) certStore->certContinue +
+                     (PKIX_UInt32) certStore->crlContinue +
+                     (PKIX_UInt32) certStore->trustCallback +
+                     (tempHash << 7);
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_CertStore_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_CertStore_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_CertStore *firstCS = NULL;
+        PKIX_CertStore *secondCS = NULL;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSTORE, "pkix_CertStore_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                    (firstObject, secondObject, PKIX_CERTSTORE_TYPE, plContext),
+                    PKIX_ARGUMENTSNOTDATES);
+
+        firstCS = (PKIX_CertStore *)firstObject;
+        secondCS = (PKIX_CertStore *)secondObject;
+
+        cmpResult = (firstCS->certCallback == secondCS->certCallback) &&
+            (firstCS->crlCallback == secondCS->crlCallback) &&
+            (firstCS->certContinue == secondCS->certContinue) &&
+            (firstCS->crlContinue == secondCS->crlContinue) &&
+            (firstCS->trustCallback == secondCS->trustCallback);
+
+        if (cmpResult &&
+            (firstCS->certStoreContext != secondCS->certStoreContext)) {
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *) firstCS->certStoreContext,
+                    (PKIX_PL_Object *) secondCS->certStoreContext,
+                    &cmpResult,
+                    plContext),
+                    PKIX_CERTSTOREEQUALSFAILED);
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_CertStore_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTSTORE_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_CertStore_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTSTORE, "pkix_CertStore_RegisterSelf");
+
+        entry.description = "CertStore";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_CertStore);
+        entry.destructor = pkix_CertStore_Destroy;
+        entry.equalsFunction = pkix_CertStore_Equals;
+        entry.hashcodeFunction = pkix_CertStore_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERTSTORE_TYPE] = entry;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/* --CertStore-Public-Functions------------------------------------------ */
+
+/*
+ * FUNCTION: PKIX_CertStore_Create (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_Create(
+        PKIX_CertStore_CertCallback certCallback,
+        PKIX_CertStore_CRLCallback crlCallback,
+        PKIX_CertStore_CertContinueFunction certContinue,
+        PKIX_CertStore_CrlContinueFunction crlContinue,
+        PKIX_CertStore_CheckTrustCallback trustCallback,
+        PKIX_PL_Object *certStoreContext,
+        PKIX_Boolean cacheFlag,
+        PKIX_Boolean localFlag,
+        PKIX_CertStore **pStore,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_Create");
+        PKIX_NULLCHECK_THREE(certCallback, crlCallback, pStore);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTSTORE_TYPE,
+                    sizeof (PKIX_CertStore),
+                    (PKIX_PL_Object **)&certStore,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTSTOREOBJECT);
+
+        certStore->certCallback = certCallback;
+        certStore->crlCallback = crlCallback;
+        certStore->certContinue = certContinue;
+        certStore->crlContinue = crlContinue;
+        certStore->trustCallback = trustCallback;
+        certStore->cacheFlag = cacheFlag;
+        certStore->localFlag = localFlag;
+
+        PKIX_INCREF(certStoreContext);
+        certStore->certStoreContext = certStoreContext;
+
+        *pStore = certStore;
+        certStore = NULL;
+
+cleanup:
+
+        PKIX_DECREF(certStore);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertCallback (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CertCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetCertCallback");
+        PKIX_NULLCHECK_TWO(store, pCallback);
+
+        *pCallback = store->certCallback;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCRLCallback (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetCRLCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CRLCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetCRLCallback");
+        PKIX_NULLCHECK_TWO(store, pCallback);
+
+        *pCallback = store->crlCallback;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_CertContinue (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_CertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_CertContinue");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
+
+        PKIX_CHECK(store->certContinue
+                (store, selector, pNBIOContext, pCertList, plContext),
+                PKIX_CERTSTORECERTCONTINUEFUNCTIONFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_CrlContinue (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_CrlContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_CrlContinue");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCrlList);
+
+        PKIX_CHECK(store->crlContinue
+                (store, selector, pNBIOContext, pCrlList, plContext),
+                PKIX_CERTSTORECRLCONTINUEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetTrustCallback (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetTrustCallback(
+        PKIX_CertStore *store,
+        PKIX_CertStore_CheckTrustCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetTrustCallback");
+        PKIX_NULLCHECK_TWO(store, pCallback);
+
+        *pCallback = store->trustCallback;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertStoreContext
+ * (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertStoreContext(
+        PKIX_CertStore *store,
+        PKIX_PL_Object **pCertStoreContext,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetCertStoreContext");
+        PKIX_NULLCHECK_TWO(store, pCertStoreContext);
+
+        PKIX_INCREF(store->certStoreContext);
+        *pCertStoreContext = store->certStoreContext;
+
+cleanup:
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetCertStoreCacheFlag
+ * (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetCertStoreCacheFlag(
+        PKIX_CertStore *store,
+        PKIX_Boolean *pCacheFlag,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetCertStoreCacheFlag");
+        PKIX_NULLCHECK_TWO(store, pCacheFlag);
+
+        *pCacheFlag = store->cacheFlag;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_CertStore_GetLocalFlag
+ * (see comments in pkix_certstore.h)
+ */
+PKIX_Error *
+PKIX_CertStore_GetLocalFlag(
+        PKIX_CertStore *store,
+        PKIX_Boolean *pLocalFlag,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "PKIX_CertStore_GetLocalFlag");
+        PKIX_NULLCHECK_TWO(store, pLocalFlag);
+
+        *pLocalFlag = store->localFlag;
+
+        PKIX_RETURN(CERTSTORE);
+}
diff --git a/security/nss/lib/libpkix/pkix/store/pkix_store.h b/security/nss/lib/libpkix/pkix/store/pkix_store.h
new file mode 100755
index 000000000..7b378ff98
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/store/pkix_store.h
@@ -0,0 +1,72 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_store.h
+ *
+ * CertStore Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_STORE_H
+#define _PKIX_STORE_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_CertStoreStruct {
+        PKIX_CertStore_CertCallback certCallback;
+        PKIX_CertStore_CRLCallback crlCallback;
+        PKIX_CertStore_CertContinueFunction certContinue;
+        PKIX_CertStore_CrlContinueFunction crlContinue;
+        PKIX_CertStore_CheckTrustCallback trustCallback;
+        PKIX_PL_Object *certStoreContext;
+        PKIX_Boolean cacheFlag;
+        PKIX_Boolean localFlag; /* TRUE if CertStore is local */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_CertStore_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_STORE_H */
diff --git a/security/nss/lib/libpkix/pkix/top/Makefile b/security/nss/lib/libpkix/pkix/top/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/top/config.mk b/security/nss/lib/libpkix/pkix/top/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/top/manifest.mn b/security/nss/lib/libpkix/pkix/top/manifest.mn
new file mode 100755
index 000000000..67efa32fa
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/manifest.mn
@@ -0,0 +1,60 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_build.h \
+	pkix_lifecycle.h \
+	pkix_validate.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_validate.c \
+	pkix_lifecycle.c \
+	pkix_build.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixtop
+
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
new file mode 100755
index 000000000..be6535ef7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -0,0 +1,4499 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_build.c
+ *
+ * Top level buildChain function
+ *
+ */
+
+/* #define PKIX_BUILDDEBUG 1 */
+/* #define PKIX_FORWARDBUILDERSTATEDEBUG 1 */
+
+#include "pkix_build.h"
+
+extern PRLogModuleInfo *pkixLog;
+
+#ifdef DEBUG_kaie
+void
+pkix_trace_dump_cert(const char *info, PKIX_PL_Cert *cert, void *plContext)
+{
+        if (pkixLog && PR_LOG_TEST(pkixLog, PR_LOG_DEBUG)) {
+            PKIX_PL_String *unString;
+            char *unAscii;
+            PKIX_UInt32 length;
+    
+            PKIX_TOSTRING
+                    ((PKIX_PL_Object*)cert,
+                    &unString,
+                    plContext,
+                    PKIX_OBJECTTOSTRINGFAILED);
+    
+            PKIX_PL_String_GetEncoded
+                        (unString,
+                        PKIX_ESCASCII,
+                        (void **)&unAscii,
+                        &length,
+                        plContext);
+    
+            PR_LOG(pkixLog, PR_LOG_DEBUG, ("====> %s\n", info));
+            PR_LOG(pkixLog, PR_LOG_DEBUG, ("====> cert: %s\n", unAscii));
+    
+            PKIX_DECREF(unString);
+            PKIX_FREE(unAscii);
+        }
+
+cleanup:
+return;
+}
+#endif
+
+/*
+ * List of critical extension OIDs associate with what build chain has
+ * checked. Those OIDs need to be removed from the unresolved critical
+ * extension OIDs list manually (instead of by checker automatically).
+ */
+static char *buildCheckedCritExtOIDs[] = {
+        PKIX_CERTKEYUSAGE_OID,
+        PKIX_CERTSUBJALTNAME_OID,
+        PKIX_BASICCONSTRAINTS_OID,
+        PKIX_NAMECONSTRAINTS_OID,
+        PKIX_EXTENDEDKEYUSAGE_OID,
+        PKIX_NSCERTTYPE_OID,
+        NULL
+};
+
+/* --Private-ForwardBuilderState-Functions---------------------------------- */
+
+/*
+ * FUNCTION: pkix_ForwardBuilderState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ForwardBuilderState_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ForwardBuilderState *state = NULL;
+
+        PKIX_ENTER(FORWARDBUILDERSTATE, "pkix_ForwardBuilderState_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_FORWARDBUILDERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTFORWARDBUILDERSTATE);
+
+        state = (PKIX_ForwardBuilderState *)object;
+
+        state->status = BUILD_INITIAL;
+        state->traversedCACerts = 0;
+        state->certStoreIndex = 0;
+        state->numCerts = 0;
+        state->numAias = 0;
+        state->certIndex = 0;
+        state->aiaIndex = 0;
+        state->anchorIndex = 0;
+        state->certCheckedIndex = 0;
+        state->checkerIndex = 0;
+        state->hintCertIndex = 0;
+        state->numFanout = 0;
+        state->numDepth = 0;
+        state->reasonCode = 0;
+        state->dsaParamsNeeded = PKIX_FALSE;
+        state->revCheckDelayed = PKIX_FALSE;
+        state->canBeCached = PKIX_FALSE;
+        state->useOnlyLocal = PKIX_FALSE;
+        state->revChecking = PKIX_FALSE;
+        state->usingHintCerts = PKIX_FALSE;
+        state->certLoopingDetected = PKIX_FALSE;
+        PKIX_DECREF(state->validityDate);
+        PKIX_DECREF(state->prevCert);
+        PKIX_DECREF(state->candidateCert);
+        PKIX_DECREF(state->traversedSubjNames);
+        PKIX_DECREF(state->trustChain);
+        PKIX_DECREF(state->aia);
+        PKIX_DECREF(state->candidateCerts);
+        PKIX_DECREF(state->reversedCertChain);
+        PKIX_DECREF(state->checkedCritExtOIDs);
+        PKIX_DECREF(state->checkerChain);
+        PKIX_DECREF(state->revCheckers);
+        PKIX_DECREF(state->certSel);
+        PKIX_DECREF(state->verifyNode);
+        PKIX_DECREF(state->client);
+
+        /*
+         * If we ever add a child link we have to be careful not to have loops
+         * in the Destroy process. But with one-way links we should be okay.
+         */
+        if (state->parentState == NULL) {
+                state->buildConstants.numAnchors = 0;
+                state->buildConstants.numCertStores = 0;
+                state->buildConstants.numHintCerts = 0;
+                state->buildConstants.procParams = 0;
+                PKIX_DECREF(state->buildConstants.testDate);
+                PKIX_DECREF(state->buildConstants.timeLimit);
+                PKIX_DECREF(state->buildConstants.targetCert);
+                PKIX_DECREF(state->buildConstants.targetPubKey);
+                PKIX_DECREF(state->buildConstants.certStores);
+                PKIX_DECREF(state->buildConstants.anchors);
+                PKIX_DECREF(state->buildConstants.userCheckers);
+                PKIX_DECREF(state->buildConstants.hintCerts);
+                PKIX_DECREF(state->buildConstants.crlChecker);
+                PKIX_DECREF(state->buildConstants.aiaMgr);
+        } else {
+                PKIX_DECREF(state->parentState);
+        }
+
+cleanup:
+
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_ForwardBuilderState_Create
+ *
+ * DESCRIPTION:
+ *  Allocate and initialize a ForwardBuilderState.
+ *
+ * PARAMETERS
+ *  "traversedCACerts"
+ *      Number of CA certificates traversed.
+ *  "numFanout"
+ *      Number of Certs that can be considered at this level (0 = no limit)
+ *  "numDepth"
+ *      Number of additional levels that can be searched (0 = no limit)
+ *  "dsaParamsNeeded"
+ *      Boolean value indicating whether DSA parameters are needed.
+ *  "revCheckDelayed"
+ *      Boolean value indicating whether rev check is delayed until after
+ *      entire chain is built.
+ *  "canBeCached"
+ *      Boolean value indicating whether all certs on the chain can be cached.
+ *  "validityDate"
+ *      Address of Date at which build chain Certs' most restricted validity
+ *      time is kept. May be NULL.
+ *  "prevCert"
+ *      Address of Cert just traversed. Must be non-NULL.
+ *  "traversedSubjNames"
+ *      Address of List of GeneralNames that have been traversed.
+ *      Must be non-NULL.
+ *  "trustChain"
+ *      Address of List of certificates traversed. Must be non-NULL.
+ *  "parentState"
+ *      Address of previous ForwardBuilder state
+ *  "pState"
+ *      Address where ForwardBuilderState will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_ForwardBuilderState_Create(
+        PKIX_Int32 traversedCACerts,
+        PKIX_UInt32 numFanout,
+        PKIX_UInt32 numDepth,
+        PKIX_Boolean dsaParamsNeeded,
+        PKIX_Boolean revCheckDelayed,
+        PKIX_Boolean canBeCached,
+        PKIX_PL_Date *validityDate,
+        PKIX_PL_Cert *prevCert,
+        PKIX_List *traversedSubjNames,
+        PKIX_List *trustChain,
+        PKIX_ForwardBuilderState *parentState,
+        PKIX_ForwardBuilderState **pState,
+        void *plContext)
+{
+        PKIX_ForwardBuilderState *state = NULL;
+
+        PKIX_ENTER(FORWARDBUILDERSTATE, "pkix_ForwardBuilderState_Create");
+        PKIX_NULLCHECK_FOUR(prevCert, traversedSubjNames, pState, trustChain);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_FORWARDBUILDERSTATE_TYPE,
+                sizeof (PKIX_ForwardBuilderState),
+                (PKIX_PL_Object **)&state,
+                plContext),
+                PKIX_COULDNOTCREATEFORWARDBUILDERSTATEOBJECT);
+
+        state->status = BUILD_INITIAL;
+        state->traversedCACerts = traversedCACerts;
+        state->certStoreIndex = 0;
+        state->numCerts = 0;
+        state->numAias = 0;
+        state->certIndex = 0;
+        state->aiaIndex = 0;
+        state->anchorIndex = 0;
+        state->certCheckedIndex = 0;
+        state->checkerIndex = 0;
+        state->hintCertIndex = 0;
+        state->numFanout = numFanout;
+        state->numDepth = numDepth;
+        state->reasonCode = 0;
+        state->revChecking = numDepth;
+        state->dsaParamsNeeded = dsaParamsNeeded;
+        state->revCheckDelayed = revCheckDelayed;
+        state->canBeCached = canBeCached;
+        state->useOnlyLocal = PKIX_TRUE;
+        state->revChecking = PKIX_FALSE;
+        state->usingHintCerts = PKIX_FALSE;
+        state->certLoopingDetected = PKIX_FALSE;
+
+        PKIX_INCREF(validityDate);
+        state->validityDate = validityDate;
+
+        PKIX_INCREF(prevCert);
+        state->prevCert = prevCert;
+
+        state->candidateCert = NULL;
+
+        PKIX_INCREF(traversedSubjNames);
+        state->traversedSubjNames = traversedSubjNames;
+
+        PKIX_INCREF(trustChain);
+        state->trustChain = trustChain;
+
+        state->aia = NULL;
+        state->candidateCerts = NULL;
+        state->reversedCertChain = NULL;
+        state->checkedCritExtOIDs = NULL;
+        state->checkerChain = NULL;
+        state->revCheckers = NULL;
+        state->certSel = NULL;
+        state->verifyNode = NULL;
+        state->client = NULL;
+
+        PKIX_INCREF(parentState);
+        state->parentState = parentState;
+
+        if (parentState != NULL) {
+                state->buildConstants.numAnchors =
+                         parentState->buildConstants.numAnchors;
+                state->buildConstants.numCertStores = 
+                        parentState->buildConstants.numCertStores; 
+                state->buildConstants.numHintCerts = 
+                        parentState->buildConstants.numHintCerts; 
+                state->buildConstants.maxFanout =
+                        parentState->buildConstants.maxFanout;
+                state->buildConstants.maxDepth =
+                        parentState->buildConstants.maxDepth;
+                state->buildConstants.maxTime =
+                        parentState->buildConstants.maxTime;
+                state->buildConstants.procParams = 
+                        parentState->buildConstants.procParams; 
+                state->buildConstants.testDate =
+                        parentState->buildConstants.testDate;
+                state->buildConstants.timeLimit =
+                        parentState->buildConstants.timeLimit;
+                state->buildConstants.targetCert =
+                        parentState->buildConstants.targetCert;
+                state->buildConstants.targetPubKey =
+                        parentState->buildConstants.targetPubKey;
+                state->buildConstants.certStores =
+                        parentState->buildConstants.certStores;
+                state->buildConstants.anchors =
+                        parentState->buildConstants.anchors;
+                state->buildConstants.userCheckers =
+                        parentState->buildConstants.userCheckers;
+                state->buildConstants.hintCerts =
+                        parentState->buildConstants.hintCerts;
+                state->buildConstants.crlChecker =
+                        parentState->buildConstants.crlChecker;
+                state->buildConstants.aiaMgr =
+                        parentState->buildConstants.aiaMgr;
+        }
+
+        *pState = state;
+        state = NULL;
+cleanup:
+        
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_Build_GetResourceLimits
+ *
+ * DESCRIPTION:
+ *  Retrieve Resource Limits from ProcessingParams and initialize them in
+ *  BuildConstants.
+ *
+ * PARAMETERS
+ *  "buildConstants"
+ *      Address of a BuildConstants structure containing objects and values
+ *      that remain constant throughout the building of a chain. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_GetResourceLimits(
+        BuildConstants *buildConstants,
+        void *plContext)
+{
+        PKIX_ResourceLimits *resourceLimits = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_GetResourceLimits");
+        PKIX_NULLCHECK_ONE(buildConstants);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetResourceLimits
+                (buildConstants->procParams, &resourceLimits, plContext),
+                PKIX_PROCESSINGPARAMSGETRESOURCELIMITSFAILED);
+
+        buildConstants->maxFanout = 0;
+        buildConstants->maxDepth = 0;
+        buildConstants->maxTime = 0;
+
+        if (resourceLimits) {
+
+                PKIX_CHECK(PKIX_ResourceLimits_GetMaxFanout
+                        (resourceLimits, &buildConstants->maxFanout, plContext),
+                        PKIX_RESOURCELIMITSGETMAXFANOUTFAILED);
+
+                PKIX_CHECK(PKIX_ResourceLimits_GetMaxDepth
+                        (resourceLimits, &buildConstants->maxDepth, plContext),
+                        PKIX_RESOURCELIMITSGETMAXDEPTHFAILED);
+
+                PKIX_CHECK(PKIX_ResourceLimits_GetMaxTime
+                        (resourceLimits, &buildConstants->maxTime, plContext),
+                        PKIX_RESOURCELIMITSGETMAXTIMEFAILED);
+        }
+
+cleanup:
+
+        PKIX_DECREF(resourceLimits);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_ForwardBuilderState_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_ForwardBuilderState_ToString
+        (PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ForwardBuilderState *state = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *resultString = NULL;
+        PKIX_PL_String *buildStatusString = NULL;
+        PKIX_PL_String *validityDateString = NULL;
+        PKIX_PL_String *prevCertString = NULL;
+        PKIX_PL_String *candidateCertString = NULL;
+        PKIX_PL_String *traversedSubjNamesString = NULL;
+        PKIX_PL_String *trustChainString = NULL;
+        PKIX_PL_String *candidateCertsString = NULL;
+        PKIX_PL_String *certSelString = NULL;
+        PKIX_PL_String *verifyNodeString = NULL;
+        PKIX_PL_String *parentStateString = NULL;
+        char *asciiFormat = "\n"
+                "\t{buildStatus: \t%s\n"
+                "\ttraversedCACerts: \t%d\n"
+                "\tcertStoreIndex: \t%d\n"
+                "\tnumCerts: \t%d\n"
+                "\tnumAias: \t%d\n"
+                "\tcertIndex: \t%d\n"
+                "\taiaIndex: \t%d\n"
+                "\tnumFanout: \t%d\n"
+                "\tnumDepth:  \t%d\n"
+                "\treasonCode:  \t%d\n"
+                "\tdsaParamsNeeded: \t%d\n"
+                "\trevCheckDelayed: \t%d\n"
+                "\tcanBeCached: \t%d\n"
+                "\tuseOnlyLocal: \t%d\n"
+                "\trevChecking: \t%d\n"
+                "\tvalidityDate: \t%s\n"
+                "\tprevCert: \t%s\n"
+                "\tcandidateCert: \t%s\n"
+                "\ttraversedSubjNames: \t%s\n"
+                "\ttrustChain: \t%s\n"
+                "\tcandidateCerts: \t%s\n"
+                "\tcertSel: \t%s\n"
+                "\tverifyNode: \t%s\n"
+                "\tparentState: \t%s}\n";
+        char *asciiStatus = NULL;
+
+        PKIX_ENTER(FORWARDBUILDERSTATE, "pkix_ForwardBuilderState_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_FORWARDBUILDERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTFORWARDBUILDERSTATE);
+
+        state = (PKIX_ForwardBuilderState *)object;
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        switch (state->status) {
+            case BUILD_SHORTCUTPENDING: asciiStatus = "BUILD_SHORTCUTPENDING";
+                                        break;
+            case BUILD_INITIAL:         asciiStatus = "BUILD_INITIAL";
+                                        break;
+            case BUILD_TRYAIA:          asciiStatus = "BUILD_TRYAIA";
+                                        break;
+            case BUILD_AIAPENDING:      asciiStatus = "BUILD_AIAPENDING";
+                                        break;
+            case BUILD_COLLECTINGCERTS: asciiStatus = "BUILD_COLLECTINGCERTS";
+                                        break;
+            case BUILD_GATHERPENDING:   asciiStatus = "BUILD_GATHERPENDING";
+                                        break;
+            case BUILD_CERTVALIDATING:  asciiStatus = "BUILD_CERTVALIDATING";
+                                        break;
+            case BUILD_ABANDONNODE:     asciiStatus = "BUILD_ABANDONNODE";
+                                        break;
+            case BUILD_CRLPREP:         asciiStatus = "BUILD_CRLPREP";
+                                        break;
+            case BUILD_CRL1:            asciiStatus = "BUILD_CRL1";
+                                        break;
+            case BUILD_DATEPREP:        asciiStatus = "BUILD_DATEPREP";
+                                        break;
+            case BUILD_CHECKTRUSTED:    asciiStatus = "BUILD_CHECKTRUSTED";
+                                        break;
+            case BUILD_CHECKTRUSTED2:   asciiStatus = "BUILD_CHECKTRUSTED2";
+                                        break;
+            case BUILD_ADDTOCHAIN:      asciiStatus = "BUILD_ADDTOCHAIN";
+                                        break;
+            case BUILD_CHECKWITHANCHORS:asciiStatus = "BUILD_CHECKWITHANCHORS";
+                                        break;
+            case BUILD_CRL2PREP:        asciiStatus = "BUILD_CRL2PREP";
+                                        break;
+            case BUILD_CRL2:            asciiStatus = "BUILD_CRL2";
+                                        break;
+            case BUILD_VALCHAIN:        asciiStatus = "BUILD_VALCHAIN";
+                                        break;
+            case BUILD_VALCHAIN2:       asciiStatus = "BUILD_VALCHAIN2";
+                                        break;
+            case BUILD_EXTENDCHAIN:     asciiStatus = "BUILD_EXTENDCHAIN";
+                                        break;
+            case BUILD_GETNEXTCERT:     asciiStatus = "BUILD_GETNEXTCERT";
+                                        break;
+            default:                    asciiStatus = "INVALID STATUS";
+                                        break;
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiStatus, 0, &buildStatusString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_TOSTRING
+               (state->validityDate, &validityDateString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+               (state->prevCert, &prevCertString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->candidateCert, &candidateCertString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->traversedSubjNames,
+                &traversedSubjNamesString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->trustChain, &trustChainString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->candidateCerts, &candidateCertsString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->certSel, &certSelString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->verifyNode, &verifyNodeString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (state->parentState, &parentStateString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&resultString,
+                plContext,
+                formatString,
+                buildStatusString,
+                (PKIX_Int32)state->traversedCACerts,
+                (PKIX_UInt32)state->certStoreIndex,
+                (PKIX_UInt32)state->numCerts,
+                (PKIX_UInt32)state->numAias,
+                (PKIX_UInt32)state->certIndex,
+                (PKIX_UInt32)state->aiaIndex,
+                (PKIX_UInt32)state->numFanout,
+                (PKIX_UInt32)state->numDepth,
+                (PKIX_UInt32)state->reasonCode,
+                state->dsaParamsNeeded,
+                state->revCheckDelayed,
+                state->canBeCached,
+                state->useOnlyLocal,
+                state->revChecking,
+                validityDateString,
+                prevCertString,
+                candidateCertString,
+                traversedSubjNamesString,
+                trustChainString,
+                candidateCertsString,
+                certSelString,
+                verifyNodeString,
+                parentStateString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = resultString;
+
+cleanup:
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(buildStatusString);
+        PKIX_DECREF(validityDateString);
+        PKIX_DECREF(prevCertString);
+        PKIX_DECREF(candidateCertString);
+        PKIX_DECREF(traversedSubjNamesString);
+        PKIX_DECREF(trustChainString);
+        PKIX_DECREF(candidateCertsString);
+        PKIX_DECREF(certSelString);
+        PKIX_DECREF(verifyNodeString);
+        PKIX_DECREF(parentStateString);
+
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+
+}
+
+/*
+ * FUNCTION: pkix_ForwardBuilderState_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_FORWARDBUILDERSTATE_TYPE and its related functions
+ *  with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_ForwardBuilderState_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(FORWARDBUILDERSTATE,
+                    "pkix_ForwardBuilderState_RegisterSelf");
+
+        entry.description = "ForwardBuilderState";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_ForwardBuilderState);
+        entry.destructor = pkix_ForwardBuilderState_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = pkix_ForwardBuilderState_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_FORWARDBUILDERSTATE_TYPE] = entry;
+
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+}
+
+#if PKIX_FORWARDBUILDERSTATEDEBUG
+/*
+ * FUNCTION: pkix_ForwardBuilderState_DumpState
+ *
+ * DESCRIPTION:
+ *  This function invokes the ToString function on the argument pointed to
+ *  by "state".
+ * PARAMETERS:
+ *  "state"
+ *      The address of the ForwardBuilderState object. Must be non-NULL.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ */
+PKIX_Error *
+pkix_ForwardBuilderState_DumpState(
+        PKIX_ForwardBuilderState *state,
+        void *plContext)
+{
+        PKIX_PL_String *stateString = NULL;
+        char *stateAscii = NULL;
+        PKIX_UInt32 length;
+
+        PKIX_ENTER(FORWARDBUILDERSTATE,"pkix_ForwardBuilderState_DumpState");
+        PKIX_NULLCHECK_ONE(state);
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)state, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object*)state, &stateString, plContext),
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stateString,
+                    PKIX_ESCASCII,
+                    (void **)&stateAscii,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_DEBUG_ARG("In Phase 1: state = %s\n", stateAscii);
+
+        PKIX_FREE(stateAscii);
+        PKIX_DECREF(stateString);
+
+cleanup:
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+}
+#endif
+
+/*
+ * FUNCTION: pkix_ForwardBuilderState_IsIOPending
+ * DESCRIPTION:
+ *
+ *  This function determines whether the state of the ForwardBuilderState
+ *  pointed to by "state" indicates I/O is in progress, and stores the Boolean
+ *  result at "pPending".
+ *
+ * PARAMETERS:
+ *  "state"
+ *      The address of the ForwardBuilderState object. Must be non-NULL.
+ *  "pPending"
+ *      The address at which the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a ForwardBuilderState Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+pkix_ForwardBuilderState_IsIOPending(
+        PKIX_ForwardBuilderState *state,
+        PKIX_Boolean *pPending,
+        void *plContext)
+{
+        PKIX_ENTER(FORWARDBUILDERSTATE, "pkix_ForwardBuilderState_IsIOPending");
+        PKIX_NULLCHECK_TWO(state, pPending);
+
+        if ((state->status == BUILD_GATHERPENDING) ||
+            (state->status == BUILD_CRL1) ||
+            (state->status == BUILD_CRL2) ||
+            (state->status == BUILD_CHECKTRUSTED2) ||
+            (state->status == BUILD_VALCHAIN2) ||
+            (state->status == BUILD_AIAPENDING)) {
+                *pPending = PKIX_TRUE;
+        } else {
+                *pPending = PKIX_FALSE;
+        }
+
+        PKIX_RETURN(FORWARDBUILDERSTATE);
+}
+
+/* --Private-BuildChain-Functions------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_Build_CheckCertAgainstAnchor
+ * DESCRIPTION:
+ *
+ *  Checks whether the Cert pointed to by "candidateCert" successfully chains to
+ *  the TrustAnchor pointed to by "anchor". Successful chaining includes
+ *  successful subject/issuer name chaining, using the List of traversed subject
+ *  names pointed to by "traversedSubjNames" to check for name constraints
+ *  violation, and successful signature verification. If the "candidateCert"
+ *  successfully chains, PKIX_TRUE is stored at the address pointed to by
+ *  "pPassed". Otherwise PKIX_FALSE is stored.
+ *
+ *  If a non-NULL VerifyNode is supplied, then this function will, in the event
+ *  of a failure, set the Error associated with the failure in the VerifyNode.
+ *  .
+ *
+ * PARAMETERS:
+ *  "candidateCert"
+ *      Address of Cert that is being checked. Must be non-NULL.
+ *  "anchor"
+ *      Address of TrustAnchor with which the Cert must successfully chain.
+ *      Must be non-NULL.
+ *  "traversedSubjNames"
+ *      Address of List of subject names in certificates previously traversed.
+ *      Must be non-NULL.
+ *  "pPassed"
+ *      Address at which Boolean result is stored. Must be non-NULL.
+ *  "verifyNode"
+ *      Address of the VerifyNode to receive the Error. May be NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_CheckCertAgainstAnchor(
+        PKIX_PL_Cert *candidateCert,
+        PKIX_TrustAnchor *anchor,
+        PKIX_List *traversedSubjNames,
+        PKIX_Boolean *pPassed,
+        PKIX_VerifyNode *verifyNode,
+        void *plContext)
+{
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_CertNameConstraints *anchorNC = NULL;
+        PKIX_CertSelector *certSel = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_PL_X500Name *trustedSubject = NULL;
+        PKIX_PL_X500Name *candidateIssuer = NULL;
+        PKIX_CertSelector_MatchCallback selectorMatch = NULL;
+        PKIX_Boolean certMatch = PKIX_TRUE;
+        PKIX_Boolean anchorMatch = PKIX_FALSE;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_VerifyNode *anchorVerifyNode = NULL;
+        PKIX_Error *verifyError = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_CheckCertAgainstAnchor");
+        PKIX_NULLCHECK_THREE(anchor, candidateCert, pPassed);
+
+        *pPassed = PKIX_FALSE;
+
+        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                    (anchor, &trustedCert, plContext),
+                    PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject
+                    (trustedCert, &trustedSubject, plContext),
+                    PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_NULLCHECK_ONE(trustedSubject);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+                    (candidateCert, &candidateIssuer, plContext),
+                    PKIX_CERTGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_PL_X500Name_Match
+                    (trustedSubject, candidateIssuer, &anchorMatch, plContext),
+                    PKIX_X500NAMEMATCHFAILED);
+
+        if (!anchorMatch) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
+                    (anchor, &anchorNC, plContext),
+                    PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
+
+        if (anchorNC == NULL) {
+                PKIX_CHECK(PKIX_CertSelector_Create
+                            (NULL, NULL, &certSel, plContext),
+                            PKIX_CERTSELECTORCREATEFAILED);
+
+                PKIX_CHECK(PKIX_ComCertSelParams_Create
+                            (&certSelParams, plContext),
+                            PKIX_COMCERTSELPARAMSCREATEFAILED);
+
+                PKIX_NULLCHECK_ONE(traversedSubjNames);
+
+                PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames
+                        (certSelParams, traversedSubjNames, plContext),
+                        PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
+
+                PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
+                        (certSel, certSelParams, plContext),
+                        PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+
+                PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                        (certSel, &selectorMatch, plContext),
+                        PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+                PKIX_CHECK(selectorMatch
+                        (certSel, candidateCert, &certMatch, plContext),
+                        PKIX_SELECTORMATCHFAILED);
+
+                if (!certMatch) {
+                        goto cleanup;
+                }
+
+        }
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                (trustedCert, &trustedPubKey, plContext),
+                PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_VerifySignature
+                   (candidateCert, trustedPubKey, plContext),
+                   PKIX_CERTVERIFYSIGNATUREFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED || !anchorMatch || !certMatch) {
+                if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                        goto fatal;
+                }
+                if (verifyNode != NULL) {
+                        if (!anchorMatch) {
+                            PKIX_ERROR_CREATE
+                                (BUILD,
+                                PKIX_ANCHORDIDNOTCHAINTOCERT,
+                                verifyError);
+                        } else if (!certMatch) {
+                            PKIX_ERROR_CREATE
+                                (BUILD,
+                                PKIX_ANCHORDIDNOTPASSCERTSELECTORCRITERIA,
+                                verifyError);
+                        } else {
+                            verifyError = pkixErrorResult;
+                            pkixErrorResult = NULL;
+                        }
+                        PKIX_DECREF(pkixErrorResult);
+                }
+        } else {
+                *pPassed = PKIX_TRUE;
+        }
+
+        if (verifyNode != NULL) {
+                PKIX_CHECK_FATAL(pkix_VerifyNode_Create
+                        (trustedCert,
+                        1,
+                        verifyError,
+                        &anchorVerifyNode,
+                        plContext),
+                        PKIX_VERIFYNODECREATEFAILED);
+                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                        (verifyNode, anchorVerifyNode, plContext),
+                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                PKIX_DECREF(verifyError);
+        }
+
+fatal:
+        PKIX_DECREF(verifyError);
+        PKIX_DECREF(anchorVerifyNode);
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(anchorNC);
+        PKIX_DECREF(certSel);
+        PKIX_DECREF(certSelParams);
+        PKIX_DECREF(trustedSubject);
+        PKIX_DECREF(trustedPubKey);
+        PKIX_DECREF(candidateIssuer);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_SortCertComparator
+ * DESCRIPTION:
+ *
+ *  This Function takes two Certificates cast in "obj1" and "obj2",
+ *  compares their validity NotAfter dates and returns the result at
+ *  "pResult". The comparison key(s) can be expanded by using other
+ *  data in the Certificate in the future.
+ *
+ * PARAMETERS:
+ *  "obj1"
+ *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+ *      Must be non-NULL.
+ *  "obj2"
+ *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address where the comparison result is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_SortCertComparator(
+        PKIX_PL_Object *obj1,
+        PKIX_PL_Object *obj2,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_Date *date1 = NULL;
+        PKIX_PL_Date *date2 = NULL;
+        PKIX_Boolean result = PKIX_FALSE;
+
+        PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
+        PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
+
+        /*
+         * For sorting candidate certificates, we use NotAfter date as the
+         * sorted key for now (can be expanded if desired in the future).
+         *
+         * In PKIX_BuildChain, the List of CertStores was reordered so that
+         * trusted CertStores are ahead of untrusted CertStores. That sort, or
+         * this one, could be taken out if it is determined that it doesn't help
+         * performance, or in some way hinders the solution of choosing desired
+         * candidates.
+         */
+
+        PKIX_CHECK(pkix_CheckType(obj1, PKIX_CERT_TYPE, plContext),
+                    PKIX_OBJECTNOTCERT);
+        PKIX_CHECK(pkix_CheckType(obj2, PKIX_CERT_TYPE, plContext),
+                    PKIX_OBJECTNOTCERT);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
+                ((PKIX_PL_Cert *)obj1, &date1, plContext),
+                PKIX_CERTGETVALIDITYNOTAFTERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
+                ((PKIX_PL_Cert *)obj2, &date2, plContext),
+                PKIX_CERTGETVALIDITYNOTAFTERFAILED);
+        
+        PKIX_CHECK(PKIX_PL_Object_Compare
+                ((PKIX_PL_Object *)date1,
+                (PKIX_PL_Object *)date2,
+                &result,
+                plContext),
+                PKIX_OBJECTCOMPARATORFAILED);
+
+        *pResult = !result;
+
+cleanup:
+
+        PKIX_DECREF(date1);
+        PKIX_DECREF(date2);
+
+        PKIX_RETURN(BUILD);
+}
+
+/* This local error check macro */
+#define ERROR_CHECK(errCode) \
+    if (pkixErrorResult) { \
+        if (pkixLog) { \
+            PR_LOG(pkixLog, PR_LOG_DEBUG, ("====> ERROR_CHECK code %s\n", #errCode)); \
+        } \
+        pkixTempErrorReceived = PKIX_TRUE; \
+        pkixErrorClass = pkixErrorResult->errClass; \
+        if (pkixErrorClass == PKIX_FATAL_ERROR) { \
+            goto cleanup; \
+        } \
+        if (verifyNode) { \
+            PKIX_DECREF(verifyNode->error); \
+            PKIX_INCREF(pkixErrorResult); \
+            verifyNode->error = pkixErrorResult; \
+        } \
+        pkixErrorCode = errCode; \
+        pkixErrorMsg = PKIX_ErrorText[errCode]; \
+        goto cleanup; \
+    }
+
+/*
+ * FUNCTION: pkix_Build_VerifyCertificate
+ * DESCRIPTION:
+ *
+ *  Checks whether the previous Cert stored in the ForwardBuilderState pointed
+ *  to by "state" successfully chains, including signature verification, to the
+ *  candidate Cert also stored in "state", using the Boolean value in "trusted"
+ *  to determine whether "candidateCert" is trusted. Using the Boolean value in
+ *  "revocationChecking" for the existence of revocation checking, it sets
+ *  "pNeedsCRLChecking" to PKIX_TRUE if the candidate Cert needs to be checked
+ *  against Certificate Revocation Lists.
+ *
+ *  First it checks whether "candidateCert" has already been traversed by
+ *  determining whether it is contained in the List of traversed Certs. It
+ *  checks the candidate Cert with user checkers, if any, in the List pointed to
+ *  by "userCheckers". It then runs the signature validation. Finally, it
+ *  determines the appropriate value for "pNeedsCRLChecking".
+ *
+ *  If this Certificate fails verification, and state->verifyNode is non-NULL,
+ *  this function sets the Error code into the verifyNode.
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "userCheckers"
+ *      Address of a List of CertChainCheckers to be used, if present, to
+ *      validate the candidateCert.
+ *  "revocationChecking"
+ *      Boolean indication of whether revocation checking is available, either
+ *      as a CertChainChecker or a List of RevocationCheckers.
+ *  "trusted"
+ *      Boolean value of trust for the candidate Cert
+ *  "pNeedsCRLChecking"
+ *      Address where Boolean CRL-checking-needed value is stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_VerifyCertificate(
+        PKIX_ForwardBuilderState *state,
+        PKIX_List *userCheckers,
+        PKIX_Boolean revocationChecking,
+        PKIX_Boolean *pTrusted,
+        PKIX_Boolean *pNeedsCRLChecking,
+        PKIX_VerifyNode *verifyNode,
+        void *plContext)
+{
+        PKIX_UInt32 numUserCheckers = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Boolean loopFound = PKIX_FALSE;
+        PKIX_Boolean dsaParamsNeeded = PKIX_FALSE;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+        PKIX_Boolean supportForwardChecking = PKIX_FALSE;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        PKIX_PL_Cert *candidateCert = NULL;
+        PKIX_PL_PublicKey *candidatePubKey = NULL;
+        PKIX_CertChainChecker *userChecker = NULL;
+        PKIX_CertChainChecker_CheckCallback checkerCheck = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate");
+        PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking);
+        PKIX_NULLCHECK_THREE
+                (state->candidateCerts, state->prevCert, state->trustChain);
+
+        *pNeedsCRLChecking = PKIX_FALSE;
+
+        PKIX_INCREF(state->candidateCert);
+        candidateCert = state->candidateCert;
+
+        /* If user defined trust anchor list is not empty, do not
+         * trust any certs except to the ones that are in the list */
+        if (!state->buildConstants.numAnchors) {
+            PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
+                       (candidateCert, &trusted, plContext),
+                       PKIX_CERTISCERTTRUSTEDFAILED);
+        }
+
+        *pTrusted = trusted;
+
+        /* check for loops */
+        PKIX_CHECK(pkix_List_Contains
+                (state->trustChain,
+                (PKIX_PL_Object *)candidateCert,
+                &loopFound,
+                plContext),
+                PKIX_LISTCONTAINSFAILED);
+
+        if (loopFound) {
+                if (verifyNode != NULL) {
+                        PKIX_Error *verifyError = NULL;
+                        PKIX_ERROR_CREATE
+                                (BUILD,
+                                PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED,
+                                verifyError);
+                        PKIX_DECREF(verifyNode->error);
+                        verifyNode->error = verifyError;
+                }
+                /* Even if error logged, still need to abort
+                 * if cert is not trusted. */
+                if (!trusted) {
+                        PKIX_ERROR(PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
+                }
+                state->certLoopingDetected = PKIX_TRUE;
+        }
+
+        if (userCheckers != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (userCheckers, &numUserCheckers, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numUserCheckers; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (userCheckers,
+                        i,
+                        (PKIX_PL_Object **) &userChecker,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK
+                        (PKIX_CertChainChecker_IsForwardCheckingSupported
+                        (userChecker, &supportForwardChecking, plContext),
+                        PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED);
+
+                    if (supportForwardChecking == PKIX_TRUE) {
+
+                        PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback
+                            (userChecker, &checkerCheck, plContext),
+                            PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED);
+
+                        pkixErrorResult =
+                            checkerCheck(userChecker, candidateCert, NULL,
+                                         &nbioContext, plContext);
+
+                        ERROR_CHECK(PKIX_USERCHECKERCHECKFAILED);
+                    }
+
+                    PKIX_DECREF(userChecker);
+                }
+        }
+
+        /* signature check */
+
+        if ((!(state->dsaParamsNeeded)) || trusted) {
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                            (candidateCert, &candidatePubKey, plContext),
+                            PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
+                            (candidatePubKey, &dsaParamsNeeded, plContext),
+                            PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
+
+                if (dsaParamsNeeded) {
+                        if (trusted) {
+                                PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
+                        } else {
+                                state->dsaParamsNeeded = PKIX_TRUE;
+                                goto cleanup;
+                        }
+                }
+
+                pkixErrorResult = PKIX_PL_Cert_VerifyKeyUsage
+                        (candidateCert, PKIX_KEY_CERT_SIGN, plContext);
+
+                ERROR_CHECK(PKIX_CERTVERIFYKEYUSAGEFAILED);
+
+                pkixErrorResult = PKIX_PL_Cert_VerifySignature
+                        (state->prevCert, candidatePubKey, plContext);
+
+                ERROR_CHECK(PKIX_CERTVERIFYSIGNATUREFAILED);
+
+                if (revocationChecking) {
+                        if (!trusted) {
+                            if (state->revCheckDelayed) {
+                                goto cleanup;
+                            } else {
+                                PKIX_CHECK(pkix_IsCertSelfIssued
+                                        (candidateCert,
+                                        &isSelfIssued,
+                                        plContext),
+                                        PKIX_ISCERTSELFISSUEDFAILED);
+
+                                if (isSelfIssued) {
+                                        state->revCheckDelayed = PKIX_TRUE;
+                                        goto cleanup;
+                                }
+                            }
+                        }
+
+                        *pNeedsCRLChecking = PKIX_TRUE;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(candidateCert);
+        PKIX_DECREF(candidatePubKey);
+        PKIX_DECREF(userChecker);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_ValidationCheckers
+ * DESCRIPTION:
+ *
+ *  Creates a List of Objects to be used in determining whether the List of
+ *  Certs pointed to by "certChain" successfully validates using the
+ *  ForwardBuilderState pointed to by "state", and the TrustAnchor pointed to by
+ *  "anchor". These objects are a reversed Cert Chain, consisting of the certs
+ *  in "certChain" in reversed order, suitable for presenting to the
+ *  CertChainCheckers; a List of critical extension OIDS that have already been
+ *  processed in forward building; a List of CertChainCheckers to be called, and
+ *  a List of RevocationCheckers to be called. These results are stored in
+ *  fields of "state".
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "certChain"
+ *      Address of List of Certs to be validated. Must be non-NULL.
+ *  "anchor"
+ *      Address of TrustAnchor to be used. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_ValidationCheckers(
+        PKIX_ForwardBuilderState *state,
+        PKIX_List *certChain,
+        PKIX_TrustAnchor *anchor,
+        void *plContext)
+{
+        PKIX_List *checkers = NULL;
+        PKIX_List *initialPolicies = NULL;
+        PKIX_List *reversedCertChain = NULL;
+        PKIX_List *buildCheckedCritExtOIDsList = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_CertChainChecker *sigChecker = NULL;
+        PKIX_CertChainChecker *crlChecker = NULL;
+        PKIX_CertChainChecker *policyChecker = NULL;
+        PKIX_CertChainChecker *userChecker = NULL;
+        PKIX_RevocationChecker *revChecker = NULL;
+        PKIX_List *userCheckersList = NULL;
+        PKIX_List *userCheckerExtOIDs = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_PL_OID *oid = NULL;
+        PKIX_Boolean supportForwardChecking = PKIX_FALSE;
+        PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
+        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+        PKIX_UInt32 numChainCerts;
+        PKIX_UInt32 numCertCheckers;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(BUILD, "pkix_Build_ValidationCheckers");
+        PKIX_NULLCHECK_THREE(state, certChain, anchor);
+
+        PKIX_CHECK(PKIX_List_Create(&checkers, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_ReverseList
+                (certChain, &reversedCertChain, plContext),
+                PKIX_LISTREVERSELISTFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength
+                (reversedCertChain, &numChainCerts, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        procParams = state->buildConstants.procParams;
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies
+                (procParams, &initialPolicies, plContext),
+                PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected
+                (procParams, &policyQualifiersRejected, plContext),
+                PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited
+                (procParams, &initialPolicyMappingInhibit, plContext),
+                PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited
+                (procParams, &initialAnyPolicyInhibit, plContext),
+                PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired
+                (procParams, &initialExplicitPolicy, plContext),
+                PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED);
+
+        PKIX_CHECK(pkix_PolicyChecker_Initialize
+                (initialPolicies,
+                policyQualifiersRejected,
+                initialPolicyMappingInhibit,
+                initialExplicitPolicy,
+                initialAnyPolicyInhibit,
+                numChainCerts,
+                &policyChecker,
+                plContext),
+                PKIX_POLICYCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (checkers, (PKIX_PL_Object *)policyChecker, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        /*
+         * Create an OID list that contains critical extensions processed
+         * by BuildChain. These are specified in a static const array.
+         */
+        PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
+                PKIX_CHECK(PKIX_PL_OID_Create
+                        (buildCheckedCritExtOIDs[i], &oid, plContext),
+                        PKIX_OIDCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (buildCheckedCritExtOIDsList,
+                        (PKIX_PL_Object *) oid,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(oid);
+        }
+
+        if (state->buildConstants.userCheckers != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (state->buildConstants.userCheckers,
+                        &numCertCheckers,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numCertCheckers; i++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (state->buildConstants.userCheckers,
+                            i,
+                            (PKIX_PL_Object **) &userChecker,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK
+                            (PKIX_CertChainChecker_IsForwardCheckingSupported
+                            (userChecker, &supportForwardChecking, plContext),
+                            PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
+
+                        /*
+                         * If this userChecker supports forwardChecking then it
+                         * should have been checked during build chain. Skip
+                         * checking but need to add checker's extension OIDs
+                         * to buildCheckedCritExtOIDsList.
+                         */
+                        if (supportForwardChecking == PKIX_TRUE) {
+
+                          PKIX_CHECK
+                            (PKIX_CertChainChecker_GetSupportedExtensions
+                            (userChecker, &userCheckerExtOIDs, plContext),
+                            PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
+
+                          if (userCheckerExtOIDs != NULL) {
+                            PKIX_CHECK(pkix_List_AppendList
+                                (buildCheckedCritExtOIDsList,
+                                userCheckerExtOIDs,
+                                plContext),
+                                PKIX_LISTAPPENDLISTFAILED);
+                          }
+
+                        } else {
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                (checkers,
+                                (PKIX_PL_Object *)userChecker,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                        }
+
+                        PKIX_DECREF(userCheckerExtOIDs);
+                        PKIX_DECREF(userChecker);
+                }
+        }
+
+        if (procParams->revCheckers) {
+            PKIX_CHECK(
+                PKIX_PL_Object_Duplicate(
+                    (PKIX_PL_Object*)procParams->revCheckers,
+                    (PKIX_PL_Object **)&revCheckers,
+                    plContext),
+                PKIX_LISTDUPLICATEFAILED);
+        } else {
+            PKIX_CHECK(PKIX_List_Create(&revCheckers, plContext),
+                       PKIX_LISTCREATEFAILED);
+        }
+
+        if ((state->dsaParamsNeeded) || (state->revCheckDelayed)) {
+
+                if ((state->dsaParamsNeeded) ||
+                    (state->buildConstants.crlChecker)) {
+
+                        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                                (anchor, &trustedCert, plContext),
+                                PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+
+                        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                                (trustedCert, &trustedPubKey, plContext),
+                                PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                        PKIX_NULLCHECK_ONE(state->buildConstants.certStores);
+
+#if 0
+                        PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
+                                (state->buildConstants.certStores,
+                                state->buildConstants.testDate,
+                                trustedPubKey,
+                                numChainCerts,
+                                &crlChecker,
+                                plContext),
+                                PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (checkers,
+                                (PKIX_PL_Object *)crlChecker,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+#else
+                        PKIX_CHECK(pkix_DefaultRevChecker_Initialize
+                                (state->buildConstants.certStores,
+                                state->buildConstants.testDate,
+                                trustedPubKey,
+                                numChainCerts,
+                                &revChecker,
+                                plContext),
+                                PKIX_DEFAULTREVCHECKERINITIALIZEFAILED);
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (revCheckers,
+                                (PKIX_PL_Object *)revChecker,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+#endif
+
+                        if (state->dsaParamsNeeded) {
+
+                                PKIX_CHECK(pkix_SignatureChecker_Initialize
+                                        (trustedPubKey,
+                                        numChainCerts,
+                                        &sigChecker,
+                                        plContext),
+                                        PKIX_SIGNATURECHECKERINITIALIZEFAILED);
+
+                                PKIX_CHECK(PKIX_List_AppendItem
+                                        (checkers,
+                                        (PKIX_PL_Object *)sigChecker,
+                                        plContext),
+                                        PKIX_LISTAPPENDITEMFAILED);
+                        }
+                }
+        }
+
+        PKIX_INCREF(reversedCertChain);
+        state->reversedCertChain = reversedCertChain;
+        PKIX_INCREF(buildCheckedCritExtOIDsList);
+        state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
+        PKIX_INCREF(checkers);
+        state->checkerChain = checkers;
+        PKIX_INCREF(revCheckers);
+        state->revCheckers = revCheckers;
+        state->certCheckedIndex = 0;
+        state->checkerIndex = 0;
+        state->revChecking = PKIX_FALSE;
+
+
+cleanup:
+
+        PKIX_DECREF(oid);
+        PKIX_DECREF(reversedCertChain);
+        PKIX_DECREF(buildCheckedCritExtOIDsList);
+        PKIX_DECREF(checkers);
+        PKIX_DECREF(revCheckers);
+        PKIX_DECREF(revChecker);
+        PKIX_DECREF(initialPolicies);
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(trustedPubKey);
+        PKIX_DECREF(sigChecker);
+        PKIX_DECREF(crlChecker);
+        PKIX_DECREF(policyChecker);
+        PKIX_DECREF(userChecker);
+        PKIX_DECREF(userCheckersList);
+        PKIX_DECREF(userCheckerExtOIDs);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_ValidateEntireChain
+ * DESCRIPTION:
+ *
+ *  Checks whether the current List of Certs successfully validates using the 
+ *  TrustAnchor pointed to by "anchor" and other parameters contained, as was
+ *  the Cert List, in "state".
+ *
+ *  If a checker using non-blocking I/O returns with a non-NULL non-blocking I/O
+ *  context (NBIOContext), an indication that I/O is in progress and the
+ *  checking has not been completed, this function stores that context at
+ *  "pNBIOContext". Otherwise, it stores NULL at "pNBIOContext".
+ *
+ *  If not awaiting I/O and if successful, a ValidateResult is created
+ *  containing the Public Key of the target certificate (including DSA parameter
+ *  inheritance, if any) and the PolicyNode representing the policy tree output
+ *  by the validation algorithm.  If not successful, an Error pointer is
+ *  returned.
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "anchor"
+ *      Address of TrustAnchor to be used. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      validation is complete. Must be non-NULL.
+ *  "pValResult"
+ *      Address at which the ValidateResult is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_ValidateEntireChain(
+        PKIX_ForwardBuilderState *state,
+        PKIX_TrustAnchor *anchor,
+        void **pNBIOContext,
+        PKIX_ValidateResult **pValResult,
+        PKIX_VerifyNode *verifyNode,
+        void *plContext)
+{
+        PKIX_UInt32 numChainCerts = 0;
+        PKIX_PL_PublicKey *subjPubKey = NULL;
+        PKIX_PolicyNode *policyTree = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_ValidateEntireChain");
+        PKIX_NULLCHECK_FOUR(state, anchor, pNBIOContext, pValResult);
+
+        *pNBIOContext = NULL; /* prepare for case of error exit */
+
+        PKIX_CHECK(PKIX_List_GetLength
+                (state->reversedCertChain, &numChainCerts, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        pkixErrorResult =
+            pkix_CheckChain(state->reversedCertChain, numChainCerts,
+                            state->checkerChain, state->revCheckers,
+                            state->checkedCritExtOIDs,
+                            state->buildConstants.procParams,
+                            &state->certCheckedIndex, &state->checkerIndex,
+                            &state->revChecking, &state->reasonCode,
+                            &nbioContext, &subjPubKey, &policyTree, NULL,
+                            plContext);
+
+        if (nbioContext != NULL) {
+                *pNBIOContext = nbioContext;
+                goto cleanup;
+        }
+
+        ERROR_CHECK(PKIX_CHECKCHAINFAILED);
+
+        if (state->reasonCode != 0) {
+                PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
+        }
+
+        if (state->dsaParamsNeeded == PKIX_FALSE) {
+                PKIX_INCREF(state->buildConstants.targetPubKey);
+                subjPubKey = state->buildConstants.targetPubKey;
+        }
+
+        PKIX_CHECK(pkix_ValidateResult_Create
+                (subjPubKey, anchor, policyTree, &valResult, plContext),
+                PKIX_VALIDATERESULTCREATEFAILED);
+
+        *pValResult = valResult;
+        valResult = NULL;
+
+cleanup:
+        PKIX_DECREF(subjPubKey);
+        PKIX_DECREF(policyTree);
+        PKIX_DECREF(valResult);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_SortCandidateCerts
+ * DESCRIPTION:
+ *
+ *  This function sorts a List of candidate Certs pointed to by "candidates"
+ *  using an algorithm that places Certs most likely to produce a successful
+ *  chain at the front of the list, storing the resulting sorted List at
+ *  "pSortedCandidates".
+ *
+ *  At present the only sort criterion is that trusted Certs go ahead of
+ *  untrusted Certs.
+ *
+ * PARAMETERS:
+ *  "candidates"
+ *      Address of List of Candidate Certs to be sorted. Must be non-NULL.
+ *  "pSortedCandidates"
+ *      Address at which sorted List is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_SortCandidateCerts(
+        PKIX_List *candidates,
+        PKIX_List **pSortedCandidates,
+        void *plContext)
+{
+        PKIX_List *sortedList = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_SortCandidateCerts");
+        PKIX_NULLCHECK_TWO(candidates, pSortedCandidates);
+
+        /*
+         * Both bubble and quick sort algorithms are available.
+         * For a list of fewer than around 100 items, the bubble sort is more
+         * efficient. (This number was determined by experimenting with both
+         * algorithms on a Java List.)
+         * If the candidate list is very small, using the sort can drag down
+         * the performance a little bit.
+         */
+
+        PKIX_CHECK(pkix_List_BubbleSort
+                (candidates,
+                pkix_Build_SortCertComparator,
+                &sortedList,
+                plContext),
+                PKIX_LISTBUBBLESORTFAILED);
+
+        *pSortedCandidates = sortedList;
+
+cleanup:
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_BuildSelectorAndParams
+ * DESCRIPTION:
+ *
+ *  This function creates a CertSelector, initialized with an appropriate
+ *  ComCertSelParams, using the variables provided in the ForwardBuilderState
+ *  pointed to by "state". The CertSelector created is stored in the certsel
+ *  element of "state".
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_BuildSelectorAndParams(
+        PKIX_ForwardBuilderState *state,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSel = NULL;
+        PKIX_PL_X500Name *currentIssuer = NULL;
+        PKIX_PL_Date *testDate = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_BuildSelectorAndParams");
+        PKIX_NULLCHECK_THREE(state, state->prevCert, state->traversedSubjNames);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+                (state->prevCert, &currentIssuer, plContext),
+                PKIX_CERTGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_Create(&certSelParams, plContext),
+                PKIX_COMCERTSELPARAMSCREATEFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_SetSubject
+                (certSelParams, currentIssuer, plContext),
+                PKIX_COMCERTSELPARAMSSETSUBJECTFAILED);
+
+        PKIX_INCREF(state->buildConstants.testDate);
+        testDate = state->buildConstants.testDate;
+
+        PKIX_CHECK(PKIX_ComCertSelParams_SetCertificateValid
+                (certSelParams, testDate, plContext),
+                PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_SetBasicConstraints
+                (certSelParams, state->traversedCACerts, plContext),
+                PKIX_COMCERTSELPARAMSSETBASICCONSTRAINTSFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames
+                (certSelParams, state->traversedSubjNames, plContext),
+                PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
+
+        PKIX_CHECK(PKIX_CertSelector_Create
+                (NULL, NULL, &state->certSel, plContext),
+                PKIX_CERTSELECTORCREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
+                (state->certSel, certSelParams, plContext),
+                PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&state->candidateCerts, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        state->certStoreIndex = 0;
+
+cleanup:
+        PKIX_DECREF(certSelParams);
+        PKIX_DECREF(certSel);
+        PKIX_DECREF(currentIssuer);
+        PKIX_DECREF(testDate);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_CombineWithTrust
+ * DESCRIPTION:
+ *
+ *  Adds each Cert in the List pointed to by "fromList" to the List pointed
+ *  to by "toList", if it is not already a member of that List. If it is a
+ *  member of both Lists, then the two instances are checked to see if either
+ *  is trusted, in which case the trusted one is retained. In other words,
+ *  "toList" becomes the union of the two sets, with trust preserved.
+ *
+ *  It is assumed that fromList does not contain duplicates. Therefore as
+ *  elements of "fromlist" are added to "tolist", subsequent additions do
+ *  not need to be checked for equality against these new members.
+ *
+ * PARAMETERS:
+ *  "fromList"
+ *      Address of a List of Certs to be added, if not already present, to
+ *      "toList". Must be non-NULL, but may be empty.
+ *  "toList"
+ *      Address of a List of Certs to be augmented by "fromList". Must be
+ *      non-NULL, but may be empty.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "toList"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Build Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+static PKIX_Error *
+pkix_Build_CombineWithTrust(
+        PKIX_List *toList,
+        PKIX_List *fromList,
+        void *plContext)
+{
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        PKIX_UInt32 fromlistLen = 0;
+        PKIX_UInt32 originalTolistLen = 0;
+        PKIX_UInt32 fromlistIx = 0;
+        PKIX_UInt32 tolistIx = 0;
+        PKIX_PL_Object *fObject = NULL;
+        PKIX_PL_Object *tObject = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_CombineWithTrust");
+        PKIX_NULLCHECK_TWO(fromList, toList);
+
+        PKIX_CHECK(PKIX_List_GetLength(fromList, &fromlistLen, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(toList, &originalTolistLen, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (fromlistIx = 0; fromlistIx < fromlistLen; fromlistIx++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (fromList, fromlistIx, &fObject, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_NULLCHECK_ONE(fObject);
+
+                match = PKIX_FALSE;
+                for (tolistIx = 0; tolistIx < originalTolistLen; tolistIx++) {
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (toList, tolistIx, &tObject, plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_NULLCHECK_ONE(tObject);
+
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                (fObject, tObject, &match, plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        if (match) {
+                                PKIX_CHECK(pkix_CheckType
+                                        (tObject, PKIX_CERT_TYPE, plContext),
+                                        PKIX_OBJECTNOTCERT);
+
+                                PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
+                                        ((PKIX_PL_Cert *)tObject, &trusted,
+                                         plContext),
+                                        PKIX_CERTISCERTTRUSTEDFAILED);
+        
+                                /* If tObject is a trusted cert, keep it. */
+                                if (trusted == PKIX_TRUE) {
+                                        PKIX_DECREF(tObject);
+                                        break;
+                                }
+
+                                PKIX_CHECK(pkix_CheckType
+                                        (fObject, PKIX_CERT_TYPE, plContext),
+                                        PKIX_OBJECTNOTCERT);
+
+                                PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
+                                        ((PKIX_PL_Cert *)fObject, &trusted,
+                                         plContext),
+                                        PKIX_CERTISCERTTRUSTEDFAILED);
+
+                                /* If fObject is a trusted cert, replace it. */
+                                if (trusted == PKIX_TRUE) {
+                                        PKIX_CHECK(PKIX_List_SetItem
+                                                (toList,
+                                                tolistIx,
+                                                fObject,
+                                                plContext),
+                                                PKIX_LISTSETITEMFAILED);
+                                        PKIX_DECREF(tObject);
+                                        break;
+                                }
+                        }
+                        PKIX_DECREF(tObject);
+                }
+
+                if (match == PKIX_FALSE) {
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (toList, fObject, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(fObject);
+        }
+
+cleanup:
+
+        PKIX_DECREF(fObject);
+        PKIX_DECREF(tObject);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_GatherCerts
+ * DESCRIPTION:
+ *
+ *  This function traverses the CertStores in the List of CertStores contained
+ *  in "state",  using the certSelector and other parameters contained in
+ *  "state", to obtain a List of all available Certs that satisfy the criteria.
+ *  If a CertStore has a cache, "certSelParams" is used both to query the cache
+ *  and, if an actual CertStore search occurred, to update the cache. (Behavior
+ *  is undefined if "certSelParams" is different from the parameters that were
+ *  used to initialize the certSelector in "state".)
+ * 
+ *  If a CertStore using non-blocking I/O returns with an indication that I/O is
+ *  in progress and the checking has not been completed, this function stores
+ *  platform-dependent information at "pNBIOContext". Otherwise it stores NULL
+ *  at "pNBIOContext", and state is updated with the results of the search.
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "certSelParams"
+ *      Address of ComCertSelParams which were used in creating the current
+ *      CertSelector, and to be used in querying and updating any caches that
+ *      may be associated with with the CertStores.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is returned if request
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+/* return NULL if wouldblock, empty list if none found, else list of found */
+static PKIX_Error *
+pkix_Build_GatherCerts(
+        PKIX_ForwardBuilderState *state,
+        PKIX_ComCertSelParams *certSelParams,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_Boolean certStoreIsCached = PKIX_FALSE;
+        PKIX_Boolean certStoreIsLocal = PKIX_FALSE;
+        PKIX_Boolean foundInCache = PKIX_FALSE;
+        PKIX_Boolean listIsEmpty = PKIX_FALSE;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_CertStore_CertCallback getCerts = NULL;
+        PKIX_List *certsFound = NULL;
+        PKIX_List *sorted = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_GatherCerts");
+        PKIX_NULLCHECK_THREE(state, certSelParams, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        PKIX_CHECK(
+            PKIX_List_IsEmpty(state->candidateCerts, &listIsEmpty, plContext),
+            PKIX_LISTISEMPTYFAILED);
+
+        /* The caller is responsible to make sure that the list is empty */
+#ifdef UNDEF
+        /* I suspect that the list will not be empty. Commenting the assertion
+         * out for now. More work needs to be done for bug 418544 to clean up
+         * code related to candidateCerts list */
+        PORT_Assert(listIsEmpty);
+#endif
+        if (!listIsEmpty) {
+            PKIX_DECREF(state->candidateCerts);
+            PKIX_CHECK(PKIX_List_Create(&state->candidateCerts, plContext),
+                       PKIX_LISTCREATEFAILED);
+        }
+
+        while (state->certStoreIndex < state->buildConstants.numCertStores) {
+
+                /* Get the current CertStore */
+                PKIX_CHECK(PKIX_List_GetItem
+                        (state->buildConstants.certStores,
+                        state->certStoreIndex,
+                        (PKIX_PL_Object **)&certStore,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_CertStore_GetLocalFlag
+                           (certStore, &certStoreIsLocal, plContext),
+                           PKIX_CERTSTOREGETLOCALFLAGFAILED);
+
+                if (state->useOnlyLocal == certStoreIsLocal) {
+                    /* If GATHERPENDING, we've already checked the cache */
+                    if (state->status == BUILD_GATHERPENDING) {
+                        certStoreIsCached = PKIX_FALSE;
+                        foundInCache = PKIX_FALSE;
+                    } else {
+                        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                                (certStore, &certStoreIsCached, plContext),
+                                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+                        if (certStoreIsCached) {
+                        /*
+                         * Look for Certs in the cache, using the SubjectName as
+                         * the key. Then the ComCertSelParams are used to filter
+                         * for qualified certs. If none are found, then the
+                         * certStores are queried. When we eventually add items
+                         * to the cache, we will only add items that passed the
+                         * ComCertSelParams filter, rather than all Certs which
+                         * matched the SubjectName.
+                         */
+
+                                PKIX_CHECK(pkix_CacheCert_Lookup
+                                        (certStore,
+                                        certSelParams,
+                                        state->buildConstants.testDate,
+                                        &foundInCache,
+                                        &certsFound,
+                                        plContext),
+                                        PKIX_CACHECERTCHAINLOOKUPFAILED);
+
+                        }
+                    }
+
+                    /*
+                     * XXX need to verify if Cert is trusted, hence may not
+                     * be worth it to have the Cert Cached or
+                     * If it is trusted, don't cache, but once there is cached
+                     * certs, we won't get certs from database any more.
+                     * can use flag to force not getting certs from cache
+                     */
+                    if (!foundInCache) {
+
+                        if (nbioContext == NULL) {
+                                PKIX_CHECK(PKIX_CertStore_GetCertCallback
+                                        (certStore, &getCerts, plContext),
+                                        PKIX_CERTSTOREGETCERTCALLBACKFAILED);
+
+                                PKIX_CHECK(getCerts
+                                        (certStore,
+                                        state->certSel,
+                                        &nbioContext,
+                                        &certsFound,
+                                        plContext),
+                                        PKIX_GETCERTSFAILED);
+                        } else {
+                                PKIX_CHECK(PKIX_CertStore_CertContinue
+                                        (certStore,
+                                        state->certSel,
+                                        &nbioContext,
+                                        &certsFound,
+                                        plContext),
+                                        PKIX_CERTSTORECERTCONTINUEFAILED);
+                        }
+
+                        if (certStoreIsCached && certsFound) {
+
+                                PKIX_CHECK(pkix_CacheCert_Add
+                                        (certStore,
+                                        certSelParams,
+                                        certsFound,
+                                        plContext),
+                                        PKIX_CACHECERTADDFAILED);
+                        }
+                    }
+
+                    /*
+                     * getCerts returns an empty list for "NONE FOUND",
+                     * a NULL list for "would block"
+                     */
+                    if (certsFound == NULL) {
+                        state->status = BUILD_GATHERPENDING;
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                    } else {
+                        PKIX_CHECK(pkix_Build_CombineWithTrust
+                                (state->candidateCerts, certsFound, plContext),
+                                PKIX_BUILDCOMBINEWITHTRUSTFAILED);
+                        PKIX_DECREF(certsFound);
+                    }
+                }
+
+                /* Are there any more certStores to query? */
+                PKIX_DECREF(certStore);
+                ++(state->certStoreIndex);
+        }
+
+        /* No, return the list we have gathered */
+        PKIX_CHECK(PKIX_List_GetLength
+                (state->candidateCerts, &state->numCerts, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        if (state->numCerts > 1) {
+                /* sort Certs to try to optimize search */
+                PKIX_CHECK(pkix_Build_SortCandidateCerts
+                        (state->candidateCerts, &sorted, plContext),
+                        PKIX_BUILDSORTCANDIDATECERTSFAILED);
+
+                PKIX_DECREF(state->candidateCerts);
+                state->candidateCerts = sorted;
+                sorted = NULL;
+        }
+
+        state->certIndex = 0;
+
+cleanup:
+
+        PKIX_DECREF(certStore);
+        PKIX_DECREF(certsFound);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_UpdateDate
+ * DESCRIPTION:
+ *
+ *  This function updates the validityDate contained in "state", for the current
+ *  CertChain contained in "state", to include the validityDate of the
+ *  candidateCert contained in "state". The validityDate of a chain is the
+ *  earliest of all the notAfter dates contained in the respective Certificates.
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_UpdateDate(
+        PKIX_ForwardBuilderState *state,
+        void *plContext)
+{
+        PKIX_Boolean canBeCached = PKIX_FALSE;
+        PKIX_Int32 comparison = 0;
+        PKIX_PL_Date *notAfter = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_UpdateDate");
+        PKIX_NULLCHECK_ONE(state);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetCacheFlag
+                (state->candidateCert, &canBeCached, plContext),
+                PKIX_CERTGETCACHEFLAGFAILED);
+
+        state->canBeCached = state->canBeCached && canBeCached;
+        if (state->canBeCached == PKIX_TRUE) {
+
+                /*
+                 * So far, all certs can be cached. Update cert
+                 * chain validity time, which is the earliest of
+                 * all certs' notAfter times.
+                 */
+                PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
+                        (state->candidateCert, &notAfter, plContext),
+                        PKIX_CERTGETVALIDITYNOTAFTERFAILED);
+
+                if (state->validityDate == NULL) {
+                        state->validityDate = notAfter;
+                        notAfter = NULL;
+                } else {
+                        PKIX_CHECK(PKIX_PL_Object_Compare
+                                ((PKIX_PL_Object *)state->validityDate,
+                                (PKIX_PL_Object *)notAfter,
+                                &comparison,
+                                plContext),
+                                PKIX_OBJECTCOMPARATORFAILED);
+                        if (comparison > 0) {
+                                PKIX_DECREF(state->validityDate);
+                                state->validityDate = notAfter;
+                                notAfter = NULL;
+                        }
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(notAfter);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_RevCheckPrep
+ * DESCRIPTION:
+ *
+ *  This function prepares the CertChainCheckerState of the crlChecker contained
+ *  in "state" for checking the Certificate pointed to by "certToCheck".
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "certToCheck"
+ *      Address of Certificate to be checked. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_RevCheckPrep(
+        PKIX_ForwardBuilderState *state,
+        PKIX_PL_Cert *certToCheck,
+        void *plContext)
+{
+        PKIX_PL_Object *crlCheckerState = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_RevCheckPrep");
+        PKIX_NULLCHECK_ONE(state);
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                (state->buildConstants.crlChecker, &crlCheckerState, plContext),
+                PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        PKIX_CHECK(pkix_CheckType
+                (crlCheckerState, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
+                PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+        /* Set up CRLSelector */
+        PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+                (certToCheck,
+                (pkix_DefaultCRLCheckerState *) crlCheckerState,
+                plContext),
+                PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+
+        PKIX_CHECK
+                (PKIX_CertChainChecker_SetCertChainCheckerState
+                (state->buildConstants.crlChecker, crlCheckerState, plContext),
+                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(crlCheckerState);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_BuildForwardDepthFirstSearch
+ * DESCRIPTION:
+ *
+ *  This function performs a depth first search in the "forward" direction (from
+ *  the target Cert to the trust anchor). A non-NULL targetCert must be stored
+ *  in the ForwardBuilderState before this function is called. It is not written
+ *  recursively since execution may be suspended in in any of several places
+ *  pending completion of non-blocking I/O. This iterative structure makes it
+ *  much easier to resume where it left off.
+ *
+ *  Since the nature of the search is recursive, the recursion is handled by
+ *  chaining states. That is, each new step involves creating a new
+ *  ForwardBuilderState linked to its predecessor. If a step turns out to be
+ *  fruitless, the state of the predecessor is restored and the next alternative
+ *  is tried. When a search is successful, values needed from the last state
+ *  (canBeCached and validityDate) are copied to the state provided by the
+ *  caller, so that the caller can retrieve those values.
+ *
+ *  There are three return arguments, the NBIOContext, the ValidateResult and
+ *  the ForwardBuilderState. If NBIOContext is non-NULL, it means the search is
+ *  suspended until the results of a non-blocking IO become available. The
+ *  caller may wait for the completion using platform-dependent methods and then
+ *  call this function again, allowing it to resume the search. If NBIOContext
+ *  is NULL and the ValidateResult is non-NULL, it means the search has
+ *  concluded successfully. If the NBIOContext is NULL but the ValidateResult is
+ *  NULL, it means the search was unsuccessful.
+ *
+ *  This function performs several steps at each node in the constructed chain:
+ *
+ *  1) It retrieves Certs from the registered CertStores that match the
+ *  criteria established by the ForwardBuilderState pointed to by "state", such
+ *  as a subject name matching the issuer name of the previous Cert. If there
+ *  are no matching Certs, the function returns to the previous, or "parent",
+ *  state and tries to continue the chain building with another of the Certs
+ *  obtained from the CertStores as possible issuers for that parent Cert.
+ *
+ *  2) For each candidate Cert returned by the CertStores, this function checks
+ *  whether the Cert is valid. If it is trusted, this function checks whether
+ *  this Cert might serve as a TrustAnchor for a complete chain.
+ *
+ *  3) It determines whether this Cert, in conjunction with any of the
+ *  TrustAnchors, might complete a chain. A complete chain, from this or the
+ *  preceding step, is checked to see whether it is valid as a complete
+ *  chain, including the checks that cannot be done in the forward direction.
+ *
+ *  4) If this Cert chains successfully, but is not a complete chain, that is,
+ *  we have not reached a trusted Cert, a new ForwardBuilderState is created
+ *  with this Cert as the immediate predecessor, and we continue in step (1),
+ *  attempting to get Certs from the CertStores with this Certs "issuer" as
+ *  their subject.
+ *
+ *  5) If an entire chain validates successfully, then we are done. A
+ *  ValidateResult is created containing the Public Key of the target
+ *  certificate (including DSA parameter inheritance, if any) and the
+ *  PolicyNode representing the policy tree output by the validation algorithm,
+ *  and stored at pValResult, and the function exits returning NULL.
+ *
+ *  5) If the entire chain does not validate successfully, the algorithm
+ *  discards the latest Cert and continues in step 2 with the next candidate
+ *  Cert, backing up to a parent state when no more possibilities exist at a
+ *  given level, and returning failure when we try to back up but discover we
+ *  are at the top level.
+ *
+ * PARAMETERS:
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is returned if building
+ *      is suspended for non-blocking I/O. Must be non-NULL.
+ *  "pState"
+ *      Address at which input ForwardBuilderState is found, and at which output
+ *      ForwardBuilderState is stored. Must be non-NULL.
+ *  "pValResult"
+ *      Address at which the ValidateResult is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_BuildForwardDepthFirstSearch(
+        void **pNBIOContext,
+        PKIX_ForwardBuilderState *state,
+        PKIX_ValidateResult **pValResult,
+        void *plContext)
+{
+        PKIX_Boolean outOfOptions = PKIX_FALSE;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        PKIX_Boolean isSelfIssued = PKIX_FALSE;
+        PKIX_Boolean canBeCached = PKIX_FALSE;
+        PKIX_Boolean passed = PKIX_FALSE;
+        PKIX_Boolean revocationCheckingExists = PKIX_FALSE;
+        PKIX_Boolean needsCRLChecking = PKIX_FALSE;
+        PKIX_Boolean ioPending = PKIX_FALSE;
+        PKIX_PL_Date *validityDate = NULL;
+        PKIX_PL_Date *currTime  = NULL;
+        PKIX_Int32 childTraversedCACerts = 0;
+        PKIX_UInt32 numSubjectNames = 0;
+        PKIX_UInt32 numChained = 0;
+        PKIX_Int32 cmpTimeResult = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 certsSoFar = 0;
+        PKIX_List *childTraversedSubjNames = NULL;
+        PKIX_List *subjectNames = NULL;
+        PKIX_List *unfilteredCerts = NULL;
+        PKIX_List *filteredCerts = NULL;
+        PKIX_PL_Object *subjectName = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_ForwardBuilderState *childState = NULL;
+        PKIX_ForwardBuilderState *parentState = NULL;
+        PKIX_PL_Object *crlCheckerState = NULL;
+        PKIX_PL_PublicKey *candidatePubKey = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_TrustAnchor *trustAnchor = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_VerifyNode *verifyNode = NULL;
+        PKIX_Error *verifyError = NULL;
+        PKIX_Error *finalError = NULL;
+        void *nbio = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_BuildForwardDepthFirstSearch");
+        PKIX_NULLCHECK_THREE(pNBIOContext, state, pValResult);
+
+        nbio = *pNBIOContext;
+        *pNBIOContext = NULL;
+        PKIX_INCREF(state->validityDate);
+        validityDate = state->validityDate;
+        canBeCached = state->canBeCached;
+        PKIX_DECREF(*pValResult);
+
+        /*
+         * We return if successful; if we fall off the end
+         * of this "while" clause our search has failed.
+         */
+        while (outOfOptions == PKIX_FALSE) {
+
+            if (state->buildConstants.maxTime != 0) {
+                    PKIX_DECREF(currTime);
+                    PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                            (NULL, &currTime, plContext),
+                            PKIX_DATECREATEUTCTIMEFAILED);
+
+                    PKIX_CHECK(PKIX_PL_Object_Compare
+                             ((PKIX_PL_Object *)state->buildConstants.timeLimit,
+                             (PKIX_PL_Object *)currTime,
+                             &cmpTimeResult,
+                             plContext),
+                             PKIX_OBJECTCOMPARATORFAILED);
+
+                    if (cmpTimeResult < 0) {
+                        if (state->verifyNode != NULL) {
+                                PKIX_ERROR_CREATE
+                                    (BUILD,
+                                    PKIX_TIMECONSUMEDEXCEEDSRESOURCELIMITS,
+                                    verifyError);
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
+                                    (state->verifyNode,
+                                    verifyError,
+                                    plContext),
+                                    PKIX_VERIFYNODESETERRORFAILED);
+                                PKIX_DECREF(finalError);
+                                finalError = verifyError;
+                                verifyError = NULL;
+                        }
+                        /* Even if we logged error, we still have to abort */
+                        PKIX_ERROR(PKIX_TIMECONSUMEDEXCEEDSRESOURCELIMITS);
+                    }
+            }
+
+            if (state->status == BUILD_INITIAL) {
+
+                PKIX_CHECK(pkix_Build_BuildSelectorAndParams(state, plContext),
+                        PKIX_BUILDBUILDSELECTORANDPARAMSFAILED);
+
+                /*
+                 * If the caller supplied a partial certChain (hintCerts) try
+                 * the next one from that List before we go to the certStores.
+                 */
+                if (state->buildConstants.numHintCerts > 0) {
+                        /* How many Certs does our trust chain have already? */
+                        PKIX_CHECK(PKIX_List_GetLength
+                                (state->trustChain, &certsSoFar, plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+
+                        /* That includes the target Cert. Don't count it. */
+                        certsSoFar--;
+
+                        /* Are we still within range of the partial chain? */
+                        if (certsSoFar >= state->buildConstants.numHintCerts) {
+                                state->status = BUILD_TRYAIA;
+                        } else {
+                                /*
+                                 * If we already have n certs, we want the n+1th
+                                 * (i.e., index = n) from the list of hints.
+                                 */
+                                PKIX_DECREF(state->candidateCert);
+                                PKIX_CHECK(PKIX_List_GetItem
+                                    (state->buildConstants.hintCerts,
+                                    certsSoFar,
+                                    (PKIX_PL_Object **)&state->candidateCert,
+                                    plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                                PKIX_CHECK(PKIX_List_AppendItem
+                                    (state->candidateCerts,
+                                    (PKIX_PL_Object *)state->candidateCert,
+                                    plContext),
+                                    PKIX_LISTAPPENDITEMFAILED);
+
+                                state->numCerts = 1;
+                                state->usingHintCerts = PKIX_TRUE;
+                                state->status = BUILD_CERTVALIDATING;
+                        }
+                } else {
+                        state->status = BUILD_TRYAIA;
+                }
+
+            }
+
+            if (state->status == BUILD_TRYAIA) {
+                if (state->useOnlyLocal == PKIX_TRUE) {
+                        state->status = BUILD_COLLECTINGCERTS;
+                } else {
+                        state->status = BUILD_AIAPENDING;
+                }
+            }
+
+            if (state->status == BUILD_AIAPENDING &&
+                state->buildConstants.aiaMgr) {
+                PKIX_CHECK(PKIX_PL_AIAMgr_GetAIACerts
+                        (state->buildConstants.aiaMgr,
+                        state->prevCert,
+                        &nbio,
+                        &unfilteredCerts,
+                        plContext),
+                        PKIX_AIAMGRGETAIACERTSFAILED);
+
+                if (nbio != NULL) {
+                        /* IO still pending, resume later */
+                        *pNBIOContext = nbio;
+                        goto cleanup;
+                }
+
+                state->numCerts = 0;
+
+#ifdef PKIX_BUILDDEBUG
+                /* Turn this on to trace the List of Certs, before CertSelect */
+                {
+                                PKIX_PL_String *unString;
+                                char *unAscii;
+                                PKIX_UInt32 length;
+                                PKIX_TOSTRING
+                                        ((PKIX_PL_Object*)unfilteredCerts,
+                                        &unString,
+                                        plContext,
+                                        PKIX_OBJECTTOSTRINGFAILED);
+
+                                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                                        (unString,
+                                        PKIX_ESCASCII,
+                                        (void **)&unAscii,
+                                        &length,
+                                        plContext),
+                                        PKIX_STRINGGETENCODEDFAILED);
+
+                                PKIX_DEBUG_ARG
+                                        ("unfilteredCerts = %s\n", unAscii);
+                                PKIX_DECREF(unString);
+                                PKIX_FREE(unAscii);
+                }
+#endif
+
+                /* Note: Certs winnowed here don't get into VerifyTree. */
+                if (unfilteredCerts) {
+                        PKIX_CHECK(pkix_CertSelector_Select
+                                (state->certSel,
+                                unfilteredCerts,
+                                &filteredCerts,
+                                plContext),
+                                PKIX_CERTSELECTORSELECTFAILED);
+
+                        PKIX_DECREF(unfilteredCerts);
+
+                        PKIX_CHECK(PKIX_List_GetLength
+                                (filteredCerts, &(state->numCerts), plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+
+#ifdef PKIX_BUILDDEBUG
+                /* Turn this on to trace the List of Certs, after CertSelect */
+                {
+                        PKIX_PL_String *unString;
+                        char *unAscii;
+                        PKIX_UInt32 length;
+                        PKIX_TOSTRING
+                                ((PKIX_PL_Object*)filteredCerts,
+                                &unString,
+                                plContext,
+                                PKIX_OBJECTTOSTRINGFAILED);
+
+                        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                                    (unString,
+                                    PKIX_ESCASCII,
+                                    (void **)&unAscii,
+                                    &length,
+                                    plContext),
+                                    PKIX_STRINGGETENCODEDFAILED);
+
+                        PKIX_DEBUG_ARG("filteredCerts = %s\n", unAscii);
+                        PKIX_DECREF(unString);
+                        PKIX_FREE(unAscii);
+                }
+#endif
+
+                        PKIX_DECREF(state->candidateCerts);
+                        state->candidateCerts = filteredCerts;
+                        state->certIndex = 0;
+                        filteredCerts = NULL;
+                }
+
+                /* Are there any Certs to try? */
+                if (state->numCerts > 0) {
+                        state->status = BUILD_CERTVALIDATING;
+                } else {
+                        state->status = BUILD_COLLECTINGCERTS;
+                }
+            }
+
+            PKIX_DECREF(certSelParams);
+            PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                (state->certSel, &certSelParams, plContext),
+                PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+
+            /* **** Querying the CertStores ***** */
+            if ((state->status == BUILD_COLLECTINGCERTS) ||
+                (state->status == BUILD_GATHERPENDING)) {
+
+#if PKIX_FORWARDBUILDERSTATEDEBUG
+                PKIX_CHECK(pkix_ForwardBuilderState_DumpState
+                        (state, plContext),
+                        PKIX_FORWARDBUILDERSTATEDUMPSTATEFAILED);
+#endif
+
+                PKIX_CHECK(pkix_Build_GatherCerts
+                        (state, certSelParams, &nbio, plContext),
+                        PKIX_BUILDGATHERCERTSFAILED);
+
+                if (nbio != NULL) {
+                        /* IO still pending, resume later */
+                        *pNBIOContext = nbio;
+                        goto cleanup;
+                }
+
+                /* Are there any Certs to try? */
+                if (state->numCerts > 0) {
+                        state->status = BUILD_CERTVALIDATING;
+                } else {
+                        state->status = BUILD_ABANDONNODE;
+                }
+            }
+
+            /* ****Phase 2 - Chain building***** */
+
+#if PKIX_FORWARDBUILDERSTATEDEBUG
+            PKIX_CHECK(pkix_ForwardBuilderState_DumpState(state, plContext),
+                    PKIX_FORWARDBUILDERSTATEDUMPSTATEFAILED);
+#endif
+
+            if (state->status == BUILD_CERTVALIDATING) {
+                    revocationCheckingExists =
+                        (state->buildConstants.crlChecker != NULL);
+
+                    if ((revocationCheckingExists == PKIX_FALSE) &&
+                        (state->revCheckers != NULL)) {
+                            PKIX_CHECK(PKIX_List_GetLength
+                                    (state->revCheckers, &i, plContext),
+                                    PKIX_LISTGETLENGTHFAILED);
+                            if (i > 0) {
+                                    revocationCheckingExists = PKIX_TRUE;
+                            }
+                    }
+
+                    PKIX_DECREF(state->candidateCert);
+                    PKIX_CHECK(PKIX_List_GetItem
+                            (state->candidateCerts,
+                            state->certIndex,
+                            (PKIX_PL_Object **)&(state->candidateCert),
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                    if ((state->verifyNode) != NULL) {
+                            PKIX_CHECK_FATAL(pkix_VerifyNode_Create
+                                    (state->candidateCert,
+                                    0,
+                                    NULL,
+                                    &verifyNode,
+                                    plContext),
+                                    PKIX_VERIFYNODECREATEFAILED);
+                    }
+
+#ifdef DEBUG_kaie
+                    pkix_trace_dump_cert(
+                      "pkix_BuildForwardDepthFirstSearch calling pkix_Build_VerifyCertificate",
+                      state->candidateCert, plContext);
+#endif
+
+                    /* If failure, this function sets Error in verifyNode */
+                    verifyError = pkix_Build_VerifyCertificate
+                            (state,
+                            state->buildConstants.userCheckers,
+                            revocationCheckingExists,
+                            &trusted,
+                            &needsCRLChecking,
+                            verifyNode,
+                            plContext);
+
+                    if (verifyError) {
+                            pkixTempErrorReceived = PKIX_TRUE;
+                            pkixErrorClass = verifyError->errClass;
+                            if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                                pkixErrorResult = verifyError;
+                                verifyError = NULL;
+                                goto fatal;
+                            }
+                    }
+
+                    if (PKIX_ERROR_RECEIVED) {
+                            if (state->verifyNode != NULL) {
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
+                                    (verifyNode, verifyError, plContext),
+                                    PKIX_VERIFYNODESETERRORFAILED);
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                        (state->verifyNode,
+                                        verifyNode,
+                                        plContext),
+                                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                                PKIX_DECREF(verifyNode);
+                            }
+                            pkixTempErrorReceived = PKIX_FALSE;
+                            PKIX_DECREF(finalError);
+                            finalError = verifyError;
+                            verifyError = NULL;
+                            if (state->certLoopingDetected) {
+                                PKIX_ERROR
+                                    (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
+                            }
+                            state->status = BUILD_GETNEXTCERT;
+                    } else if (needsCRLChecking) {
+                            state->status = BUILD_CRLPREP;
+                    } else {
+                            state->status = BUILD_DATEPREP;
+                    }
+            }
+
+            if (state->status == BUILD_CRLPREP) {
+
+                    PKIX_CHECK(pkix_Build_RevCheckPrep
+                            (state, state->prevCert, plContext),
+                            PKIX_BUILDREVCHECKPREPFAILED);
+
+                    state->status = BUILD_CRL1;
+            }
+
+            if (state->status == BUILD_CRL1) {
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                        (state->candidateCert,
+                        &candidatePubKey,
+                        plContext),
+                        PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                        (state->buildConstants.crlChecker,
+                        &crlCheckerState,
+                        plContext),
+                        PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+                PKIX_CHECK(pkix_CheckType
+                        (crlCheckerState,
+                        PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+                        plContext),
+                        PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+                verifyError = pkix_DefaultCRLChecker_Check_Helper
+                        (state->buildConstants.crlChecker,
+                        state->prevCert,
+                        candidatePubKey,
+                        (pkix_DefaultCRLCheckerState *) crlCheckerState,
+                        NULL, /* unresolved crit extensions */
+                        state->useOnlyLocal,
+                        &nbio,
+                        plContext);
+                if (verifyError) {
+                    pkixTempErrorReceived = PKIX_TRUE;
+                    pkixErrorClass = verifyError->errClass;
+                    if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                        pkixErrorResult = verifyError;
+                        verifyError = NULL;
+                        goto fatal;
+                    }
+                }
+
+                PKIX_DECREF(candidatePubKey);
+                PKIX_DECREF(crlCheckerState);
+
+                if (nbio != NULL) {
+                    /* IO still pending, resume later */
+                    goto cleanup;
+                } else if (PKIX_ERROR_RECEIVED) {
+                    if (state->verifyNode != NULL) {
+                            PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
+                                    (verifyNode, verifyError, plContext),
+                                    PKIX_VERIFYNODESETERRORFAILED);
+                            PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                    (state->verifyNode,
+                                    verifyNode,
+                                    plContext),
+                                    PKIX_VERIFYNODEADDTOTREEFAILED);
+                            PKIX_DECREF(verifyNode);
+                    }
+                    pkixTempErrorReceived = PKIX_FALSE;
+                    PKIX_DECREF(finalError);
+                    finalError = verifyError;
+                    verifyError = NULL;
+                    if (state->certLoopingDetected) {
+                            PKIX_ERROR
+                                (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
+                    }
+                    state->status = BUILD_GETNEXTCERT;
+                } else {
+                    state->status = BUILD_DATEPREP;
+                }
+            }
+
+            if (state->status == BUILD_DATEPREP) {
+                    /* Keep track of whether this chain can be cached */
+                    PKIX_CHECK(pkix_Build_UpdateDate(state, plContext),
+                            PKIX_BUILDUPDATEDATEFAILED);
+    
+                    canBeCached = state->canBeCached;
+                    PKIX_DECREF(validityDate);
+                    PKIX_INCREF(state->validityDate);
+                    validityDate = state->validityDate;
+                    if (trusted == PKIX_TRUE) {
+                            state->status = BUILD_CHECKTRUSTED;
+                    } else {
+                            state->status = BUILD_ADDTOCHAIN;
+                    }
+            }
+
+            if (state->status == BUILD_CHECKTRUSTED) {
+
+                    /*
+                     * If this cert is trusted, try to validate the entire
+                     * chain using this certificate as trust anchor.
+                     */
+                    PKIX_CHECK(PKIX_TrustAnchor_CreateWithCert
+                      (state->candidateCert,
+                      &trustAnchor,
+                      plContext),
+                      PKIX_TRUSTANCHORCREATEWITHCERTFAILED);
+
+                    PKIX_CHECK(pkix_Build_ValidationCheckers
+                      (state,
+                      state->trustChain,
+                      trustAnchor,
+                      plContext),
+                      PKIX_BUILDVALIDATIONCHECKERSFAILED);
+
+                    state->status = BUILD_CHECKTRUSTED2;
+            }
+
+            if (state->status == BUILD_CHECKTRUSTED2) {
+                    PKIX_CHECK_ONLY_FATAL(pkix_Build_ValidateEntireChain
+                        (state,
+                        trustAnchor,
+                        &nbio, &valResult,
+                        verifyNode,
+                        plContext),
+                        PKIX_BUILDVALIDATEENTIRECHAINFAILED);
+
+                    if (nbio != NULL) {
+                            /* IO still pending, resume later */
+                            goto cleanup;
+                    } else {
+                            PKIX_DECREF(state->reversedCertChain);
+                            PKIX_DECREF(state->checkedCritExtOIDs);
+                            PKIX_DECREF(state->checkerChain);
+                            PKIX_DECREF(state->revCheckers);
+                            if (state->verifyNode != NULL) {
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                        (state->verifyNode,
+                                        verifyNode,
+                                        plContext),
+                                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                                PKIX_DECREF(verifyNode);
+                            }
+
+                            if (!PKIX_ERROR_RECEIVED) {
+                                *pValResult = valResult;
+                                valResult = NULL;
+                                /* Change state so IsIOPending is FALSE */
+                                state->status = BUILD_CHECKTRUSTED;
+                                goto cleanup;
+                            }
+                            /* Reset temp error that was set by 
+                             * PKIX_CHECK_ONLY_FATAL and continue */
+                            pkixTempErrorReceived = PKIX_FALSE;
+                            PKIX_DECREF(trustAnchor);
+                    }
+
+                    /*
+                     * If chain doesn't validate with a trusted Cert,
+                     * adding more Certs to it can't help.
+                     */
+                    if (state->certLoopingDetected) {
+                            PKIX_ERROR
+                                (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
+                    }
+                    state->status = BUILD_GETNEXTCERT;
+            }
+
+            /*
+             * This Cert was not trusted. Add it to our chain, and
+             * continue building. If we don't reach a trust anchor,
+             * we'll take it off later and continue without it.
+             */
+            if (state->status == BUILD_ADDTOCHAIN) {
+                    PKIX_CHECK(PKIX_List_AppendItem
+                            (state->trustChain,
+                            (PKIX_PL_Object *)state->candidateCert,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                    state->status = BUILD_CHECKWITHANCHORS;
+                    state->anchorIndex = 0;
+            }
+
+            while ((state->status == BUILD_CHECKWITHANCHORS) ||
+                (state->status == BUILD_CRL2) ||
+                (state->status == BUILD_VALCHAIN2)) {
+                    if (state->anchorIndex >=
+                            state->buildConstants.numAnchors) {
+                                   state->status = BUILD_EXTENDCHAIN;
+                            break;
+                    } else {
+
+                            PKIX_CHECK(PKIX_List_GetItem
+                                    (state->buildConstants.anchors,
+                                    state->anchorIndex,
+                                    (PKIX_PL_Object **)&trustAnchor,
+                                    plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                    }
+
+                    if (state->status == BUILD_CHECKWITHANCHORS) {
+
+                            /*
+                             * Does this Trust Anchor chain to this cert?
+                             * (If state->verifyNode is non-NULL, this function
+                             * chains a verifyNode for each anchor checked.)
+                             */
+                            PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor
+                                    (state->candidateCert,
+                                    trustAnchor,
+                                    state->traversedSubjNames,
+                                    &passed,
+                                    verifyNode,
+                                    plContext),
+                                    PKIX_CHECKCERTAGAINSTANCHORFAILED);
+
+                            if (passed == PKIX_TRUE) {
+                                    if (state->buildConstants.crlChecker) {
+                                            state->status = BUILD_CRL2PREP;
+                                    } else {
+                                            state->status = BUILD_VALCHAIN;
+                                    }
+                            } /* else increment anchorIndex and try next */
+                    }
+
+                    if (state->status == BUILD_CRL2PREP) {
+                            PKIX_CHECK(pkix_Build_RevCheckPrep
+                                    (state, state->candidateCert, plContext),
+                                    PKIX_BUILDREVCHECKPREPFAILED);
+                            state->status = BUILD_CRL2;
+                    }
+ 
+                    if (state->status == BUILD_CRL2) {
+                      PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                          (trustAnchor, &trustedCert, plContext),
+                          PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+
+                      PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                          (trustedCert, &trustedPubKey, plContext),
+                          PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                      PKIX_CHECK
+                          (PKIX_CertChainChecker_GetCertChainCheckerState
+                          (state->buildConstants.crlChecker,
+                          &crlCheckerState,
+                          plContext),
+                          PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+                      PKIX_CHECK(pkix_CheckType
+                          (crlCheckerState,
+                          PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+                          plContext),
+                          PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+                      verifyError = pkix_DefaultCRLChecker_Check_Helper
+                          (state->buildConstants.crlChecker,
+                          state->candidateCert,
+                          trustedPubKey,
+                          (pkix_DefaultCRLCheckerState *) crlCheckerState,
+                          NULL, /* unresolved crit extensions */
+                          state->useOnlyLocal,
+                          &nbio,
+                          plContext);
+                      if (verifyError) {
+                          pkixTempErrorReceived = PKIX_TRUE;
+                          pkixErrorClass = verifyError->errClass;
+                          if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                              pkixErrorResult = verifyError;
+                              verifyError = NULL;
+                              goto fatal;
+                          }
+                      }
+
+                      PKIX_DECREF(trustedCert);
+                      PKIX_DECREF(trustedPubKey);
+                      PKIX_DECREF(crlCheckerState);
+
+                      if (nbio != NULL) {
+                              /* IO still pending, resume later */
+                              goto cleanup;
+                      } else if (PKIX_ERROR_RECEIVED) {
+                              if (state->verifyNode != NULL) {
+                                  PKIX_CHECK_FATAL
+                                      (pkix_VerifyNode_SetError
+                                      (verifyNode,
+                                      verifyError,
+                                      plContext),
+                                      PKIX_VERIFYNODESETERRORFAILED);
+                              }
+                              pkixTempErrorReceived = PKIX_FALSE;
+                              PKIX_DECREF(finalError);
+                              finalError = verifyError;
+                              verifyError = NULL;
+                              /* try again with the next trust anchor */
+                              state->status = BUILD_CHECKWITHANCHORS;
+                      } else {
+                              state->status = BUILD_VALCHAIN;
+                      }
+                    }
+
+                    if (state->status == BUILD_VALCHAIN) {
+                            /* Does the chain pass all validation tests? */
+                            PKIX_CHECK(pkix_Build_ValidationCheckers
+                                    (state,
+                                    state->trustChain,
+                                    trustAnchor,
+                                    plContext),
+                                    PKIX_BUILDVALIDATIONCHECKERSFAILED);
+
+                            state->status = BUILD_VALCHAIN2;
+                    }
+
+                    if (state->status == BUILD_VALCHAIN2) {
+                            PKIX_CHECK_ONLY_FATAL
+                                    (pkix_Build_ValidateEntireChain
+                                    (state,
+                                    trustAnchor,
+                                    &nbio,
+                                    &valResult,
+                                    verifyNode,
+                                    plContext),
+                                    PKIX_BUILDVALIDATEENTIRECHAINFAILED);
+
+                            if (nbio != NULL) {
+                                    /* IO still pending, resume later */
+                                    goto cleanup;
+                            } else {
+                                    PKIX_DECREF(state->reversedCertChain);
+                                    PKIX_DECREF(state->checkedCritExtOIDs);
+                                    PKIX_DECREF(state->checkerChain);
+                                    PKIX_DECREF(state->revCheckers);
+                                    if (!PKIX_ERROR_RECEIVED) {
+                                        *pValResult = valResult;
+                                        valResult = NULL;
+                                        if (state->verifyNode != NULL) {
+                                            PKIX_CHECK_FATAL
+                                                (pkix_VerifyNode_AddToTree
+                                                        (state->verifyNode,
+                                                        verifyNode,
+                                                        plContext),
+                                                PKIX_VERIFYNODEADDTOTREEFAILED);
+                                            PKIX_DECREF(verifyNode);
+                                        }
+                                        /* Make IsIOPending FALSE */
+                                        state->status = BUILD_VALCHAIN;
+                                        goto cleanup;
+                                    }
+                                    /* Reset temp error that was set by 
+                                     * PKIX_CHECK_ONLY_FATAL and continue */
+                                    pkixTempErrorReceived = PKIX_FALSE;
+                            }
+
+                            state->status = BUILD_CHECKWITHANCHORS;
+                    }
+
+                    PKIX_DECREF(trustAnchor);
+                    state->anchorIndex++;
+            } /* while (anchorIndex < numAnchors) */
+
+            if (state->status == BUILD_EXTENDCHAIN) {
+
+                    /* Check whether we are allowed to extend the chain */
+                    if ((state->buildConstants.maxDepth != 0) &&
+                        (state->numDepth <= 1)) {
+
+                        if (state->verifyNode != NULL) {
+                                PKIX_ERROR_CREATE
+                                    (BUILD,
+                                    PKIX_DEPTHWOULDEXCEEDRESOURCELIMITS,
+                                    verifyError);
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
+                                    (verifyNode, verifyError, plContext),
+                                    PKIX_VERIFYNODESETERRORFAILED);
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                    (state->verifyNode, verifyNode, plContext),
+                                    PKIX_VERIFYNODEADDTOTREEFAILED);
+                                PKIX_DECREF(verifyNode);
+                                PKIX_DECREF(finalError);
+                                finalError = verifyError;
+                                verifyError = NULL;
+                        }
+                        /* Even if error logged, still need to abort */
+                        PKIX_ERROR(PKIX_DEPTHWOULDEXCEEDRESOURCELIMITS);
+                    }
+
+                    PKIX_CHECK(pkix_IsCertSelfIssued
+                            (state->candidateCert, &isSelfIssued, plContext),
+                            PKIX_ISCERTSELFISSUEDFAILED);
+                 
+                    PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            ((PKIX_PL_Object *)state->traversedSubjNames,
+                            (PKIX_PL_Object **)&childTraversedSubjNames,
+                            plContext),
+                            PKIX_OBJECTDUPLICATEFAILED);
+         
+                    if (isSelfIssued) {
+                            childTraversedCACerts = state->traversedCACerts;
+                    } else {
+                            childTraversedCACerts = state->traversedCACerts + 1;
+                 
+                            PKIX_CHECK(PKIX_PL_Cert_GetAllSubjectNames
+                                (state->candidateCert,
+                                &subjectNames,
+                                plContext),
+                                PKIX_CERTGETALLSUBJECTNAMESFAILED);
+                 
+                            if (subjectNames) {
+                                PKIX_CHECK(PKIX_List_GetLength
+                                    (subjectNames,
+                                    &numSubjectNames,
+                                    plContext),
+                                    PKIX_LISTGETLENGTHFAILED);
+         
+                            } else {
+                                numSubjectNames = 0;
+                            }
+
+                            for (i = 0; i < numSubjectNames; i++) {
+                                PKIX_CHECK(PKIX_List_GetItem
+                                    (subjectNames,
+                                    i,
+                                    &subjectName,
+                                    plContext),
+                                    PKIX_LISTGETITEMFAILED);
+                                PKIX_NULLCHECK_ONE
+                                    (state->traversedSubjNames);
+                                PKIX_CHECK(PKIX_List_AppendItem
+                                    (state->traversedSubjNames,
+                                    subjectName,
+                                    plContext),
+                                    PKIX_LISTAPPENDITEMFAILED);
+                                PKIX_DECREF(subjectName);
+                            }
+                            PKIX_DECREF(subjectNames);
+                        }
+            
+                        PKIX_CHECK(pkix_ForwardBuilderState_Create
+                            (childTraversedCACerts,
+                            state->buildConstants.maxFanout,
+                            state->numDepth - 1,
+                            state->dsaParamsNeeded,
+                            state->revCheckDelayed,
+                            canBeCached,
+                            validityDate,
+                            state->candidateCert,
+                            childTraversedSubjNames,
+                            state->trustChain,
+                            state,
+                            &childState,
+                            plContext),
+                            PKIX_FORWARDBUILDSTATECREATEFAILED);
+
+                        PKIX_DECREF(childTraversedSubjNames);
+                        PKIX_DECREF(certSelParams);
+                        childState->verifyNode = verifyNode;
+                        verifyNode = NULL;
+                        PKIX_DECREF(state);
+                        state = childState; /* state->status == BUILD_INITIAL */
+                        childState = NULL;
+                        continue; /* with while (!outOfOptions) */
+            }
+
+            if (state->status == BUILD_GETNEXTCERT) {
+                    pkixTempErrorReceived = PKIX_FALSE;
+                    PKIX_DECREF(state->candidateCert);
+
+                    /*
+                     * If we were using a Cert from the callier-supplied partial
+                     * chain, delete it and go to the certStores.
+                     */
+                    if (state->usingHintCerts == PKIX_TRUE) {
+
+                            PKIX_DECREF(state->candidateCerts);
+                            PKIX_CHECK(PKIX_List_Create
+                                (&state->candidateCerts, plContext),
+                                PKIX_LISTCREATEFAILED);
+
+                            state->numCerts = 0;
+                            state->usingHintCerts = PKIX_FALSE;
+                            state->status = BUILD_TRYAIA;
+                            continue;
+
+                    } else if (++(state->certIndex) < (state->numCerts)) {
+
+                            if ((state->buildConstants.maxFanout != 0) &&
+                                (--(state->numFanout) == 0)) {
+
+                                if (state->verifyNode != NULL) {
+                                        PKIX_ERROR_CREATE
+                                            (BUILD,
+                                            PKIX_FANOUTEXCEEDSRESOURCELIMITS,
+                                            verifyError);
+                                        PKIX_CHECK_FATAL
+                                            (pkix_VerifyNode_SetError
+                                            (state->verifyNode,
+                                            verifyError,
+                                            plContext),
+                                            PKIX_VERIFYNODESETERRORFAILED);
+                                        PKIX_DECREF(finalError);
+                                        finalError = verifyError;
+                                        verifyError = NULL;
+                                }
+                                /* Even if error logged, still need to abort */
+                                PKIX_ERROR
+                                        (PKIX_FANOUTEXCEEDSRESOURCELIMITS);
+                            }
+                            state->status = BUILD_CERTVALIDATING;
+                            continue;
+                    }
+            }
+
+            /*
+             * Adding the current cert to the chain didn't help. If our search
+             * has been restricted to local certStores, try opening up the
+             * search and see whether that helps. Otherwise, back up to the
+             * parent cert, and see if there are any more to try.
+             */
+            if (state->useOnlyLocal == PKIX_TRUE) {
+                state->useOnlyLocal = PKIX_FALSE;
+                state->certStoreIndex = 0;
+                state->numFanout = state->buildConstants.maxFanout;
+                state->status = BUILD_TRYAIA;
+            } else do {
+                if (state->parentState == NULL) {
+                        /* We are at the top level, and can't back up! */
+                        outOfOptions = PKIX_TRUE;
+                } else {
+
+                        /*
+                         * Try the next cert, if any, for this parent.
+                         * Otherwise keep backing up until we reach a
+                         * parent with more certs to try.
+                         */
+                        PKIX_CHECK(PKIX_List_GetLength
+                                (state->trustChain, &numChained, plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+                        PKIX_CHECK(PKIX_List_DeleteItem
+                                (state->trustChain, numChained - 1, plContext),
+                                PKIX_LISTDELETEITEMFAILED);
+                        PKIX_INCREF(state->parentState);
+                        parentState = state->parentState;
+                        PKIX_DECREF(verifyNode);
+                        verifyNode = state->verifyNode;
+                        state->verifyNode = NULL;
+                        PKIX_DECREF(state);
+                        state = parentState;
+                        parentState = NULL;
+                        if (state->verifyNode != NULL) {
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                        (state->verifyNode,
+                                        verifyNode,
+                                        plContext),
+                                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                                PKIX_DECREF(verifyNode);
+                        }
+                        PKIX_DECREF(validityDate);
+                        PKIX_INCREF(state->validityDate);
+                        validityDate = state->validityDate;
+                        canBeCached = state->canBeCached;
+
+                        /* Are there any more Certs to try? */
+                        if (++(state->certIndex) < (state->numCerts)) {
+                                state->status = BUILD_CERTVALIDATING;
+                                PKIX_DECREF(state->candidateCert);
+                                break;
+                        }
+                        if (state->useOnlyLocal == PKIX_TRUE) {
+                            /* Clean up and go for AIA round. */
+                            state->useOnlyLocal = PKIX_FALSE;
+                            state->certStoreIndex = 0;
+                            state->numFanout = state->buildConstants.maxFanout;
+                            state->status = BUILD_TRYAIA;
+                            break;
+                        }
+                }
+                PKIX_DECREF(state->candidateCert);
+            } while (outOfOptions == PKIX_FALSE);
+
+        } /* while (outOfOptions == PKIX_FALSE) */
+
+cleanup:
+
+        if (pkixErrorClass == PKIX_FATAL_ERROR) {
+            goto fatal;
+        }
+
+        /* verifyNode should be equal to NULL at this point. Assert it.
+         * Temporarelly use verifyError to store an error ref to which we
+         * have in pkixErrorResult. This is done to prevent error cloberring
+         * while using macros below. */
+        PORT_Assert(verifyError == NULL);
+        verifyError = pkixErrorResult;
+
+        /*
+         * We were called with an initialState that had no parent. If we are
+         * returning with an error or with a result, we must destroy any state
+         * that we created (any state with a parent).
+         */
+
+        PKIX_CHECK_FATAL(pkix_ForwardBuilderState_IsIOPending
+                         (state, &ioPending, plContext),
+                PKIX_FORWARDBUILDERSTATEISIOPENDINGFAILED);
+
+        if (ioPending == PKIX_FALSE) {
+                while (state->parentState) {
+                        PKIX_INCREF(state->parentState);
+                        parentState = state->parentState;
+                        PKIX_DECREF(verifyNode);
+                        verifyNode = state->verifyNode;
+                        state->verifyNode = NULL;
+                        PKIX_DECREF(state);
+                        state = parentState;
+                        parentState = NULL;
+                        if (state->verifyNode != NULL) {
+                                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
+                                        (state->verifyNode,
+                                        verifyNode,
+                                        plContext),
+                                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                                PKIX_DECREF(verifyNode);
+                        }
+                }
+                state->canBeCached = canBeCached;
+                PKIX_DECREF(state->validityDate);
+                state->validityDate = validityDate;
+                validityDate = NULL;
+        }
+        if (!*pValResult && !verifyError) {
+            if (!finalError) {
+                PKIX_CHECK_FATAL(
+                    pkix_VerifyNode_FindError(state->verifyNode,
+                                              &finalError,
+                                              plContext),
+                    PKIX_VERIFYNODEFINDERRORFAILED);
+            }
+            if (finalError) {
+                pkixErrorResult = finalError;
+                pkixErrorCode = PKIX_BUILDFORWARDDEPTHFIRSTSEARCHFAILED;
+                finalError = NULL;
+                goto fatal;
+            }
+            pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER;
+            pkixErrorReceived = PKIX_TRUE;
+        } else {
+            pkixErrorResult = verifyError;
+            verifyError = NULL;
+        }
+
+fatal:
+        PKIX_DECREF(parentState);
+        PKIX_DECREF(childState);
+        PKIX_DECREF(valResult);
+        PKIX_DECREF(verifyError);
+        PKIX_DECREF(finalError);
+        PKIX_DECREF(verifyNode);
+        PKIX_DECREF(candidatePubKey);
+        PKIX_DECREF(trustedPubKey);
+        PKIX_DECREF(childTraversedSubjNames);
+        PKIX_DECREF(certSelParams);
+        PKIX_DECREF(subjectNames);
+        PKIX_DECREF(subjectName);
+        PKIX_DECREF(trustAnchor);
+        PKIX_DECREF(validityDate);
+        PKIX_DECREF(crlCheckerState);
+        PKIX_DECREF(currTime);
+        PKIX_DECREF(filteredCerts);
+        PKIX_DECREF(unfilteredCerts);
+        PKIX_DECREF(trustedCert);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_TryShortcut
+ * DESCRIPTION:
+ *
+ *  This function checks whether the target cert in "state", subject to the name
+ *  constraints specified by "targetSubjNames", forms a complete trust chain
+ *  with any of the trust anchors.
+ * 
+ *  If a crlChecker using non-blocking I/O returns with an indication that I/O
+ *  is in progress, this function stores the NBIOContext (returned by the
+ *  checker) at "pNBIOContext". Otherwise, it stores NULL at "pNBIOContext" and
+ *  indicates in "pAnchor" whether a complete trust chain was found. If no
+ *  successful trust chain is found, NULL is stored at "pAnchor". If a
+ *  successful trust chain is found, the anchor that completed the chain is
+ *  stored at "pAnchor".
+ *
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "targetSubjNames"
+ *      Address of List of subject names in targetCertificate. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      checking is complete. Must be non-NULL.
+ *  "pAnchor"
+ *      Address at which successful trustAnchor is stored, if trustAnchor and
+ *      Certificate form a complete trust chain. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_TryShortcut(
+        PKIX_ForwardBuilderState *state,
+        PKIX_List *targetSubjNames,
+        void **pNBIOContext,
+        PKIX_TrustAnchor **pAnchor,
+        PKIX_ValidateResult **pValResult,
+        void *plContext)
+{
+        PKIX_Boolean passed = PKIX_FALSE;
+        void *nbioContext = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_PL_Object *crlCheckerState = NULL;
+        PKIX_Error *validationError = NULL;
+        PKIX_VerifyNode *verifyNode = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_TryShortcut");
+        PKIX_NULLCHECK_THREE(state, pNBIOContext, pAnchor);
+
+        *pNBIOContext = NULL; /* prepare in case of error exit */
+
+        /*
+         * Does the target cert, with any of our trust
+         * anchors, form a complete trust chain?
+         */
+        while (state->anchorIndex < state->buildConstants.numAnchors) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (state->buildConstants.anchors,
+                        state->anchorIndex,
+                        (PKIX_PL_Object **)&anchor,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+                PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor
+                        (state->prevCert,
+                        anchor,
+                        targetSubjNames,
+                        &passed,
+                        state->verifyNode,
+                        plContext),
+                        PKIX_CHECKCERTAGAINSTANCHORFAILED);
+
+                if (passed != PKIX_TRUE) {
+                    PKIX_DECREF(anchor);
+                    state->anchorIndex++;
+                    continue;
+                }
+
+                if (state->buildConstants.crlChecker != NULL) {
+
+                    PKIX_DECREF(trustedCert);
+                    PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                               (anchor, &trustedCert, plContext),
+                               PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+                    
+                    PKIX_DECREF(trustedPubKey);
+                    PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                               (trustedCert, &trustedPubKey, plContext),
+                               PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+                    
+                    PKIX_DECREF(crlCheckerState);
+                    PKIX_CHECK
+                        (PKIX_CertChainChecker_GetCertChainCheckerState
+                         (state->buildConstants.crlChecker,
+                          &crlCheckerState,
+                          plContext),
+                         PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+                    
+                    PKIX_CHECK(pkix_CheckType
+                               (crlCheckerState,
+                                PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+                                plContext),
+                               PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+                    /* Set up CRLSelector */
+                    PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+                               (state->prevCert,
+                                (pkix_DefaultCRLCheckerState *) crlCheckerState,
+                                plContext),
+                               PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+                    
+                    validationError =
+                        pkix_DefaultCRLChecker_Check_Helper
+                        (state->buildConstants.crlChecker,
+                         state->prevCert,
+                         trustedPubKey,
+                         (pkix_DefaultCRLCheckerState *) crlCheckerState,
+                         NULL, /* unresolved crit extensions */
+                         PKIX_FALSE,
+                         &nbioContext,
+                         plContext);
+
+                    if (validationError) {
+                        pkixErrorClass = validationError->errClass;
+                        if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                            pkixErrorResult = validationError;
+                            validationError = NULL;
+                            goto cleanup;
+                        }
+                        if (state->verifyNode) {
+                            PKIX_CHECK_FATAL(
+                                pkix_VerifyNode_Create(state->prevCert,
+                                                       0, validationError,
+                                                       &verifyNode,
+                                                       plContext),
+                                PKIX_VERIFYNODECREATEFAILED);
+                            PKIX_CHECK_FATAL(
+                                pkix_VerifyNode_AddToTree(state->verifyNode,
+                                                          verifyNode,
+                                                          plContext),
+                                PKIX_VERIFYNODEADDTOTREEFAILED);
+                            PKIX_DECREF(verifyNode);
+                        }
+                        PKIX_DECREF(validationError);
+                        /* contunue to the next anchor */
+                        PKIX_DECREF(anchor);
+                        state->anchorIndex++;
+                        continue;
+                    }
+                    if (nbioContext != NULL) {
+                        state->status = BUILD_SHORTCUTPENDING;
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                    }
+                }
+
+                PKIX_CHECK_FATAL(
+                    pkix_VerifyNode_Create(state->prevCert, 0, NULL,
+                                           &verifyNode,
+                                           plContext),
+                    PKIX_VERIFYNODECREATEFAILED);
+                
+                PKIX_CHECK(
+                    pkix_Build_ValidationCheckers(state, state->trustChain,
+                                                  anchor, plContext),
+                    PKIX_BUILDVALIDATIONCHECKERSFAILED);
+                
+                PKIX_CHECK_ONLY_FATAL(
+                    pkix_Build_ValidateEntireChain(state, anchor, &nbioContext,
+                                                   &valResult, verifyNode,
+                                                   plContext),
+                    PKIX_BUILDVALIDATEENTIRECHAINFAILED);
+                
+                if (nbioContext != NULL) {
+                    /* IO still pending, resume later */
+                    *pNBIOContext = nbioContext;
+                    goto cleanup;
+                }
+                /* Cleanup after pkix_Build_ValidateEntireChain. */
+                PKIX_DECREF(state->reversedCertChain);
+                PKIX_DECREF(state->checkedCritExtOIDs);
+                PKIX_DECREF(state->checkerChain);
+                PKIX_DECREF(state->revCheckers);
+                if (state->verifyNode != NULL) {
+                    PKIX_CHECK_FATAL(
+                        pkix_VerifyNode_AddToTree(state->verifyNode,
+                                                  verifyNode, plContext),
+                        PKIX_VERIFYNODEADDTOTREEFAILED);
+                    PKIX_DECREF(verifyNode);
+                }
+                
+                if (!PKIX_ERROR_RECEIVED) {
+                    *pValResult = valResult;
+                    valResult = NULL;
+                    break;
+                }
+                /* Reset temp error that was set by 
+                 * PKIX_CHECK_ONLY_FATAL and continue */
+                pkixTempErrorReceived = PKIX_FALSE;
+                PKIX_DECREF(anchor);
+                state->anchorIndex++;
+        } /* while (state->anchorIndex < state->buildConstants.numAnchors) */
+
+        *pAnchor = anchor;
+        anchor = NULL;
+
+cleanup:
+fatal:
+
+        PKIX_DECREF(validationError);
+        PKIX_DECREF(valResult);
+        PKIX_DECREF(verifyNode);
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(trustedPubKey);
+        PKIX_DECREF(crlCheckerState);
+        PKIX_DECREF(anchor);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_CheckInCache
+ * DESCRIPTION:
+ *
+ * The function tries to locate a chain for a cert in the cert chain cache.
+ * If found, the chain goes through revocation chacking and returned back to
+ * caller. Chains that fail revocation check get removed from cache.
+ * 
+ * PARAMETERS:
+ *  "state"
+ *      Address of ForwardBuilderState to be used. Must be non-NULL.
+ *  "pBuildResult"
+ *      Address at which the BuildResult is stored, after a successful build.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      validation is complete. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error*
+pkix_Build_CheckInCache(
+        PKIX_ForwardBuilderState *state,
+        PKIX_BuildResult **pBuildResult,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_PL_Date *testDate = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_TrustAnchor *matchingAnchor = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_Boolean cacheHit = PKIX_FALSE;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        PKIX_Boolean stillValid = PKIX_FALSE;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_CheckInCache");
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        targetCert = state->buildConstants.targetCert;
+        anchors = state->buildConstants.anchors;
+        testDate = state->buildConstants.testDate;
+
+        /* Check whether this cert verification has been cached. */
+        PKIX_CHECK(pkix_CacheCertChain_Lookup
+                   (targetCert,
+                    anchors,
+                    testDate,
+                    &cacheHit,
+                    &buildResult,
+                    plContext),
+                   PKIX_CACHECERTCHAINLOOKUPFAILED);
+        
+        if (!cacheHit) {
+            goto cleanup;
+        }
+        
+        /*
+         * We found something in cache. Verify that the anchor
+         * cert is still trusted,
+         */
+        PKIX_CHECK(PKIX_BuildResult_GetValidateResult
+                   (buildResult, &valResult, plContext),
+                   PKIX_BUILDRESULTGETVALIDATERESULTFAILED);
+        
+        PKIX_CHECK(PKIX_ValidateResult_GetTrustAnchor
+                       (valResult, &matchingAnchor, plContext),
+                   PKIX_VALIDATERESULTGETTRUSTANCHORFAILED);
+        
+        PKIX_DECREF(valResult);
+        
+        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                   (matchingAnchor, &trustedCert, plContext),
+                   PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+        
+        PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
+                   (trustedCert, &trusted, plContext),
+                   PKIX_CERTISCERTTRUSTEDFAILED);
+        
+        if (!trusted) {
+            goto cleanup;
+        }
+        /*
+         * Since the key usage may vary for different
+         * applications, we need to verify the chain again.
+         * Reverification will be improved with a fix for 397805.
+         */
+        PKIX_CHECK(PKIX_BuildResult_GetCertChain
+                   (buildResult, &certList, plContext),
+                   PKIX_BUILDRESULTGETCERTCHAINFAILED);
+        
+        /* setting this variable will trigger addition rev
+         * checker into cert chain checker list */
+        state->revCheckDelayed = PKIX_TRUE;
+        
+        PKIX_CHECK(pkix_Build_ValidationCheckers
+                   (state,
+                    certList,
+                    matchingAnchor,
+                    plContext),
+                   PKIX_BUILDVALIDATIONCHECKERSFAILED);
+        
+        state->revCheckDelayed = PKIX_FALSE;
+
+        PKIX_CHECK_ONLY_FATAL(
+            pkix_Build_ValidateEntireChain(state, matchingAnchor,
+                                           &nbioContext, &valResult,
+                                           state->verifyNode, plContext),
+            PKIX_BUILDVALIDATEENTIRECHAINFAILED);
+
+        if (nbioContext != NULL) {
+            /* IO still pending, resume later */
+            *pNBIOContext = nbioContext;
+            goto cleanup;
+        }
+        PKIX_DECREF(state->reversedCertChain);
+        PKIX_DECREF(state->checkedCritExtOIDs);
+        PKIX_DECREF(state->checkerChain);
+        PKIX_DECREF(state->revCheckers);
+        
+        if (!PKIX_ERROR_RECEIVED) {
+            /* The result from cache is still valid. But we replace an old*/
+            *pBuildResult = buildResult;
+            buildResult = NULL;
+            stillValid = PKIX_TRUE;
+        }
+
+cleanup:
+
+        if (!nbioContext && cacheHit && !(trusted && stillValid)) {
+            /* The anchor of this chain is no longer trusted or
+             * chain cert(s) has been revoked.
+             * Invalidate this result in the cache */
+            PKIX_CHECK_FATAL(pkix_CacheCertChain_Remove
+                       (targetCert,
+                        anchors,
+                        plContext),
+                       PKIX_CACHECERTCHAINREMOVEFAILED);
+        }
+
+fatal:
+       PKIX_DECREF(buildResult);
+       PKIX_DECREF(valResult);
+       PKIX_DECREF(certList);
+       PKIX_DECREF(matchingAnchor);
+       PKIX_DECREF(trustedCert);
+
+       
+       PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_InitiateBuildChain
+ * DESCRIPTION:
+ *
+ *  This function initiates the search for a BuildChain, using the parameters
+ *  provided in "procParams" and, if continuing a search that was suspended
+ *  for I/O, using the ForwardBuilderState pointed to by "state".
+ *
+ *  If a successful chain is built, this function stores the BuildResult at
+ *  "pBuildResult". Alternatively, if an operation using non-blocking I/O
+ *  is in progress and the operation has not been completed, this function
+ *  stores the platform-dependent non-blocking I/O context (nbioContext) at
+ *  "pNBIOContext", the FowardBuilderState at "pState", and NULL at
+ *  "pBuildResult". Finally, if chain building was unsuccessful, this function
+ *  stores NULL at both "pState" and at "pBuildResult".
+ *
+ *  Note: This function is re-entered only for the case of non-blocking I/O
+ *  in the "short-cut" attempt to build a chain using the target Certificate
+ *  directly with one of the trustAnchors. For all other cases, resumption
+ *  after non-blocking I/O is via pkix_Build_ResumeBuildChain.
+ *
+ * PARAMETERS:
+ *  "procParams"
+ *      Address of the ProcessingParams for the search. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      validation is complete. Must be non-NULL.
+ *  "pState"
+ *      Address at which the ForwardBuilderState is stored, if the chain
+ *      building is suspended for waiting I/O; also, the address at which the
+ *      ForwardBuilderState is provided for resumption of the chain building
+ *      attempt. Must be non-NULL.
+ *  "pBuildResult"
+ *      Address at which the BuildResult is stored, after a successful build.
+ *      Must be non-NULL.
+ *  "pVerifyNode"
+ *      Address at which a VerifyNode chain is returned, if non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_InitiateBuildChain(
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        PKIX_ForwardBuilderState **pState,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyNode,
+        void *plContext)
+{
+        PKIX_UInt32 numAnchors = 0;
+        PKIX_UInt32 numCertStores = 0;
+        PKIX_UInt32 numHintCerts = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Boolean dsaParamsNeeded = PKIX_FALSE;
+        PKIX_Boolean isCrlEnabled = PKIX_FALSE;
+        PKIX_Boolean nistCRLPolicyEnabled = PKIX_TRUE;
+        PKIX_Boolean isDuplicate = PKIX_FALSE;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_CertSelector *targetConstraints = NULL;
+        PKIX_ComCertSelParams *targetParams = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *targetSubjNames = NULL;
+        PKIX_PL_Cert *targetCert = NULL;
+        PKIX_PL_Object *firstHintCert = NULL;
+        PKIX_CertChainChecker *crlChecker = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_CertStore *certStore = NULL;
+        PKIX_List *userCheckers = NULL;
+        PKIX_List *hintCerts = NULL;
+        PKIX_PL_Date *testDate = NULL;
+        PKIX_PL_PublicKey *targetPubKey = NULL;
+        void *nbioContext = NULL;
+        BuildConstants buildConstants;
+
+        PKIX_List *tentativeChain = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_TrustAnchor *matchingAnchor = NULL;
+        PKIX_ForwardBuilderState *state = NULL;
+        PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
+        PKIX_PL_AIAMgr *aiaMgr = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain");
+        PKIX_NULLCHECK_FOUR(procParams, pNBIOContext, pState, pBuildResult);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        state = *pState;
+        *pState = NULL; /* no net change in reference count */
+
+        if (state == NULL) {
+            PKIX_CHECK(PKIX_ProcessingParams_GetDate
+                    (procParams, &testDate, plContext),
+                    PKIX_PROCESSINGPARAMSGETDATEFAILED);
+    
+            if (!testDate) {
+                    PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                            (NULL, &testDate, plContext),
+                            PKIX_DATECREATEUTCTIMEFAILED);
+            }
+    
+            PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors
+                    (procParams, &anchors, plContext),
+                    PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED);
+    
+            PKIX_CHECK(PKIX_List_GetLength(anchors, &numAnchors, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+    
+            /* retrieve stuff from targetCertConstraints */
+    
+            PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
+                    (procParams, &targetConstraints, plContext),
+                    PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+    
+            PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                    (targetConstraints, &targetParams, plContext),
+                    PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+    
+            PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
+                    (targetParams, &targetCert, plContext),
+                    PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
+    
+            PKIX_CHECK(PKIX_ProcessingParams_GetHintCerts
+                        (procParams, &hintCerts, plContext),
+                        PKIX_PROCESSINGPARAMSGETHINTCERTSFAILED);
+    
+            if (hintCerts != NULL) {
+                    PKIX_CHECK(PKIX_List_GetLength
+                            (hintCerts, &numHintCerts, plContext),
+                            PKIX_LISTGETLENGTHFAILED);
+            }
+
+            /*
+             * Caller must provide either a target Cert
+             * (in ComCertSelParams->Certificate) or a partial Cert
+             * chain (in ProcParams->HintCerts).
+             */
+
+            if (targetCert == NULL) {
+
+                    /* Use first cert of hintCerts as the targetCert */
+                    if (numHintCerts == 0) {
+                            PKIX_ERROR(PKIX_NOTARGETCERTSUPPLIED);
+                    }
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                            (hintCerts,
+                            0,
+                            (PKIX_PL_Object **)&targetCert,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(PKIX_List_DeleteItem(hintCerts, 0, plContext),
+                            PKIX_LISTGETITEMFAILED);
+            } else {
+
+                    /*
+                     * If the first hintCert is the same as the targetCert,
+                     * delete it from hintCerts.
+                     */ 
+                    if (numHintCerts != 0) {
+                            PKIX_CHECK(PKIX_List_GetItem
+                                    (hintCerts, 0, &firstHintCert, plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                            PKIX_CHECK(PKIX_PL_Object_Equals
+                                    ((PKIX_PL_Object *)targetCert,
+                                    firstHintCert,
+                                    &isDuplicate,
+                                    plContext),
+                                    PKIX_OBJECTEQUALSFAILED);
+
+                            if (isDuplicate) {
+                                    PKIX_CHECK(PKIX_List_DeleteItem
+                                    (hintCerts, 0, plContext),
+                                    PKIX_LISTGETITEMFAILED);
+                            }
+                            PKIX_DECREF(firstHintCert);
+                    }
+
+            }
+
+            if (targetCert == NULL) {
+                PKIX_ERROR(PKIX_NOTARGETCERTSUPPLIED);
+            }
+
+            PKIX_CHECK(PKIX_PL_Cert_GetAllSubjectNames
+                    (targetCert,
+                    &targetSubjNames,
+                    plContext),
+                    PKIX_CERTGETALLSUBJECTNAMESFAILED);
+    
+            PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (targetCert, &targetPubKey, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+    
+            PKIX_CHECK(PKIX_List_Create(&tentativeChain, plContext),
+                    PKIX_LISTCREATEFAILED);
+    
+            PKIX_CHECK(PKIX_List_AppendItem
+                    (tentativeChain, (PKIX_PL_Object *)targetCert, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+    
+            PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
+                    (targetPubKey, &dsaParamsNeeded, plContext),
+                    PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
+    
+            /* Failure here is reportable */
+            pkixErrorResult = PKIX_PL_Cert_CheckValidity
+                    (targetCert, testDate, plContext);
+            if (pkixErrorResult) {
+                    pkixErrorClass = pkixErrorResult->errClass;
+                    if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                        goto cleanup;
+                    }
+                    if (pVerifyNode != NULL) {
+                            PKIX_Error *tempResult =
+                                pkix_VerifyNode_Create(targetCert, 0,
+                                                       pkixErrorResult,
+                                                       pVerifyNode,
+                                                       plContext);
+                            if (tempResult) {
+                                PKIX_DECREF(pkixErrorResult);
+                                pkixErrorResult = tempResult;
+                                pkixErrorCode = PKIX_VERIFYNODECREATEFAILED;
+                                pkixErrorClass = PKIX_FATAL_ERROR;
+                                goto cleanup;
+                            }
+                    }
+                    pkixErrorCode = PKIX_CERTCHECKVALIDITYFAILED;
+                    goto cleanup;
+            }
+    
+            PKIX_CHECK(pkix_ProcessingParams_GetRevocationEnabled
+                    (procParams, &isCrlEnabled, plContext),
+                    PKIX_PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED);
+    
+            PKIX_CHECK(
+                pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                (procParams, &nistCRLPolicyEnabled, plContext),
+                PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
+
+
+            PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
+                    (procParams, &certStores, plContext),
+                    PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
+    
+            PKIX_CHECK(PKIX_List_GetLength
+                    (certStores, &numCertStores, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+    
+            /* Reorder CertStores so trusted are at front of the List */
+            if (numCertStores > 1) {
+                for (i = numCertStores - 1; i > 0; i--) {
+                    PKIX_CHECK_ONLY_FATAL(PKIX_List_GetItem
+                        (certStores,
+                        i,
+                        (PKIX_PL_Object **)&certStore,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+                    PKIX_CHECK_ONLY_FATAL(PKIX_CertStore_GetTrustCallback
+                        (certStore, &trustCallback, plContext),
+                        PKIX_CERTSTOREGETTRUSTCALLBACKFAILED);
+    
+                    if (trustCallback != NULL) {
+                        /* Is a trusted Cert, move CertStore to front */
+                        PKIX_CHECK(PKIX_List_DeleteItem
+                            (certStores, i, plContext),
+                            PKIX_LISTDELETEITEMFAILED);
+                        PKIX_CHECK(PKIX_List_InsertItem
+                            (certStores,
+                            0,
+                            (PKIX_PL_Object *)certStore,
+                            plContext),
+                        PKIX_LISTINSERTITEMFAILED);
+    
+                    }
+    
+                    PKIX_DECREF(certStore);
+                }
+            }
+    
+            PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers
+                        (procParams, &userCheckers, plContext),
+                        PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED);
+    
+            if (isCrlEnabled) {
+                    if (numCertStores > 0) {
+                            PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
+                                    (certStores,
+                                    testDate,
+                                    NULL,
+                                    0,
+                                    nistCRLPolicyEnabled,
+                                    &crlChecker,
+                                    plContext),
+                                    PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
+                    } else {
+                        PKIX_ERROR(PKIX_CANTENABLEREVOCATIONWITHOUTCERTSTORE);
+                    }
+            }
+    
+            /* Do not initialize AIA manager if we are not going to fetch
+             * cert using aia url. */
+            if (procParams->useAIAForCertFetching) {
+                PKIX_CHECK(PKIX_PL_AIAMgr_Create(&aiaMgr, plContext),
+                           PKIX_AIAMGRCREATEFAILED);
+            }
+
+            /*
+             * We initialize all the fields of buildConstants here, in one place,
+             * just to help keep track and ensure that we got everything.
+             */
+    
+            buildConstants.numAnchors = numAnchors;
+            buildConstants.numCertStores = numCertStores;
+            buildConstants.numHintCerts = numHintCerts;
+            buildConstants.procParams = procParams;
+            buildConstants.testDate = testDate;
+            buildConstants.timeLimit = NULL;
+            buildConstants.targetCert = targetCert;
+            buildConstants.targetPubKey = targetPubKey;
+            buildConstants.certStores = certStores;
+            buildConstants.anchors = anchors;
+            buildConstants.userCheckers = userCheckers;
+            buildConstants.hintCerts = hintCerts;
+            buildConstants.crlChecker = crlChecker;
+            buildConstants.aiaMgr = aiaMgr;
+                
+            PKIX_CHECK(pkix_Build_GetResourceLimits(&buildConstants, plContext),
+                    PKIX_BUILDGETRESOURCELIMITSFAILED);
+    
+            PKIX_CHECK(pkix_ForwardBuilderState_Create
+                    (0,              /* PKIX_UInt32 traversedCACerts */
+                    buildConstants.maxFanout,
+                    buildConstants.maxDepth,
+                    dsaParamsNeeded, /* PKIX_Boolean dsaParamsNeeded */
+                    PKIX_FALSE,      /* PKIX_Boolean revCheckDelayed */
+                    PKIX_TRUE,       /* PKIX_Boolean canBeCached */
+                    NULL,            /* PKIX_Date *validityDate */
+                    targetCert,      /* PKIX_PL_Cert *prevCert */
+                    targetSubjNames, /* PKIX_List *traversedSubjNames */
+                    tentativeChain,  /* PKIX_List *trustChain */
+                    NULL,            /* PKIX_ForwardBuilderState *parent */
+                    &state,          /* PKIX_ForwardBuilderState **pState */
+                    plContext),
+                    PKIX_BUILDSTATECREATEFAILED);
+    
+            state->buildConstants.numAnchors = buildConstants.numAnchors;
+            state->buildConstants.numCertStores = buildConstants.numCertStores; 
+            state->buildConstants.numHintCerts = buildConstants.numHintCerts;
+            state->buildConstants.maxFanout = buildConstants.maxFanout;
+            state->buildConstants.maxDepth = buildConstants.maxDepth;
+            state->buildConstants.maxTime = buildConstants.maxTime;
+            state->buildConstants.procParams = buildConstants.procParams; 
+            PKIX_INCREF(buildConstants.testDate);
+            state->buildConstants.testDate = buildConstants.testDate;
+            state->buildConstants.timeLimit = buildConstants.timeLimit;
+            PKIX_INCREF(buildConstants.targetCert);
+            state->buildConstants.targetCert = buildConstants.targetCert;
+            PKIX_INCREF(buildConstants.targetPubKey);
+            state->buildConstants.targetPubKey =
+                    buildConstants.targetPubKey;
+            PKIX_INCREF(buildConstants.certStores);
+            state->buildConstants.certStores = buildConstants.certStores;
+            PKIX_INCREF(buildConstants.anchors);
+            state->buildConstants.anchors = buildConstants.anchors;
+            PKIX_INCREF(buildConstants.userCheckers);
+            state->buildConstants.userCheckers =
+                    buildConstants.userCheckers;
+            PKIX_INCREF(buildConstants.hintCerts);
+            state->buildConstants.hintCerts = buildConstants.hintCerts;
+            PKIX_INCREF(buildConstants.crlChecker);
+            state->buildConstants.crlChecker = buildConstants.crlChecker;
+            state->buildConstants.aiaMgr = buildConstants.aiaMgr;
+            aiaMgr = NULL;
+
+            if (buildConstants.maxTime != 0) {
+                    PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
+                            (buildConstants.maxTime,
+                            &state->buildConstants.timeLimit,
+                            plContext),
+                            PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);
+            }
+
+            if (pVerifyNode != NULL) {
+                PKIX_Error *tempResult =
+                    pkix_VerifyNode_Create(targetCert, 0, NULL,
+                                           &(state->verifyNode),
+                                           plContext);
+                if (tempResult) {
+                    pkixErrorResult = tempResult;
+                    pkixErrorCode = PKIX_VERIFYNODECREATEFAILED;
+                    pkixErrorClass = PKIX_FATAL_ERROR;
+                    goto cleanup;
+                }
+            }
+
+            PKIX_CHECK(
+                pkix_Build_CheckInCache(state, &buildResult,
+                                        &nbioContext, plContext),
+                PKIX_UNABLETOBUILDCHAIN);
+            if (nbioContext) {
+                *pNBIOContext = nbioContext;
+                *pState = state;
+                state = NULL;
+                goto cleanup;
+            }
+            if (buildResult) {
+                *pBuildResult = buildResult;
+                if (pVerifyNode != NULL) {
+                    *pVerifyNode = state->verifyNode;
+                    state->verifyNode = NULL;
+                }
+                goto cleanup;
+            }
+        }
+
+        /* If we're resuming after non-blocking I/O we need to get SubjNames */
+        if (targetSubjNames == NULL) {
+            PKIX_CHECK(PKIX_PL_Cert_GetAllSubjectNames
+                    (state->buildConstants.targetCert,
+                    &targetSubjNames,
+                    plContext),
+                    PKIX_CERTGETALLSUBJECTNAMESFAILED);
+        }
+
+        /*
+         * We can avoid the search if this cert, with any of our trust
+         * anchors, forms a complete trust chain.
+         */
+        PKIX_CHECK_ONLY_FATAL(pkix_Build_TryShortcut
+                (state,
+                targetSubjNames,
+                &nbioContext,
+                &matchingAnchor,
+                &valResult,
+                plContext),
+                PKIX_BUILDTRYSHORTCUTFAILED);
+
+        if (nbioContext != NULL) {
+                *pNBIOContext = nbioContext;
+                PKIX_INCREF(state);
+                *pState = state;
+                goto cleanup;
+        }
+
+        state->status = BUILD_INITIAL;
+
+        if (!matchingAnchor) {
+                pkixErrorResult =
+                    pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
+                                                      &valResult, plContext);
+        }
+
+        /* non-null nbioContext means the build would block */
+        if (pkixErrorResult == NULL && nbioContext != NULL) {
+
+                *pNBIOContext = nbioContext;
+                *pBuildResult = NULL;
+
+        /* no valResult means the build has failed */
+        } else {
+                if (pVerifyNode != NULL) {
+                        PKIX_INCREF(state->verifyNode);
+                        *pVerifyNode = state->verifyNode;
+                }
+
+                if (valResult == NULL || pkixErrorResult)
+                        PKIX_ERROR(PKIX_UNABLETOBUILDCHAIN);
+                PKIX_CHECK(
+                    pkix_BuildResult_Create(valResult, state->trustChain,
+                                            &buildResult, plContext),
+                    PKIX_BUILDRESULTCREATEFAILED);
+                *pBuildResult = buildResult;
+        }
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(targetConstraints);
+        PKIX_DECREF(targetParams);
+        PKIX_DECREF(anchors);
+        PKIX_DECREF(targetSubjNames);
+        PKIX_DECREF(targetCert);
+        PKIX_DECREF(crlChecker);
+        PKIX_DECREF(certStores);
+        PKIX_DECREF(certStore);
+        PKIX_DECREF(userCheckers);
+        PKIX_DECREF(hintCerts);
+        PKIX_DECREF(firstHintCert);
+        PKIX_DECREF(testDate);
+        PKIX_DECREF(targetPubKey);
+        PKIX_DECREF(tentativeChain);
+        PKIX_DECREF(valResult);
+        PKIX_DECREF(certList);
+        PKIX_DECREF(matchingAnchor);
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(state);
+        PKIX_DECREF(aiaMgr);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_Build_ResumeBuildChain
+ * DESCRIPTION:
+ *
+ *  This function continues the search for a BuildChain, using the parameters
+ *  provided in "procParams" and the ForwardBuilderState pointed to by "state".
+ *
+ *  If a successful chain is built, this function stores the BuildResult at
+ *  "pBuildResult". Alternatively, if an operation using non-blocking I/O
+ *  is in progress and the operation has not been completed, this function
+ *  stores the FowardBuilderState at "pState" and NULL at "pBuildResult".
+ *  Finally, if chain building was unsuccessful, this function stores NULL
+ *  at both "pState" and at "pBuildResult".
+ *
+ * PARAMETERS:
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      validation is complete. Must be non-NULL.
+ *  "pState"
+ *     Address at which the ForwardBuilderState is provided for resumption of
+ *     the chain building attempt; also, the address at which the
+ *     ForwardBuilderStateis stored, if the chain building is suspended for
+ *     waiting I/O. Must be non-NULL.
+ *  "pBuildResult"
+ *      Address at which the BuildResult is stored, after a successful build.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Build Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Build_ResumeBuildChain(
+        void **pNBIOContext,
+        PKIX_ForwardBuilderState *state,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyNode,
+        void *plContext)
+{
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_Build_ResumeBuildChain");
+        PKIX_NULLCHECK_TWO(state, pBuildResult);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        pkixErrorResult =
+            pkix_BuildForwardDepthFirstSearch(&nbioContext, state,
+                                              &valResult, plContext);
+
+        /* non-null nbioContext means the build would block */
+        if (pkixErrorResult == NULL && nbioContext != NULL) {
+
+                *pNBIOContext = nbioContext;
+                *pBuildResult = NULL;
+
+        /* no valResult means the build has failed */
+        } else {
+                if (pVerifyNode != NULL) {
+                    PKIX_INCREF(state->verifyNode);
+                    *pVerifyNode = state->verifyNode;
+                }
+
+                if (valResult == NULL || pkixErrorResult)
+                    PKIX_ERROR(PKIX_UNABLETOBUILDCHAIN);
+
+                PKIX_CHECK(
+                    pkix_BuildResult_Create(valResult, state->trustChain,
+                                            &buildResult, plContext),
+                    PKIX_BUILDRESULTCREATEFAILED);
+                *pBuildResult = buildResult;
+        }
+
+cleanup:
+
+        PKIX_DECREF(valResult);
+
+        PKIX_RETURN(BUILD);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_BuildChain (see comments in pkix.h)
+ */
+PKIX_Error *
+PKIX_BuildChain(
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        void **pState,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyNode,
+        void *plContext)
+{
+        PKIX_ForwardBuilderState *state = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(BUILD, "PKIX_BuildChain");
+        PKIX_NULLCHECK_FOUR(procParams, pNBIOContext, pState, pBuildResult);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        if (*pState == NULL) {
+                PKIX_CHECK(pkix_Build_InitiateBuildChain
+                        (procParams,
+                        &nbioContext,
+                        &state,
+                        &buildResult,
+                        pVerifyNode,
+                        plContext),
+                        PKIX_BUILDINITIATEBUILDCHAINFAILED);
+        } else {
+                state = (PKIX_ForwardBuilderState *)(*pState);
+                *pState = NULL; /* no net change in reference count */
+                if (state->status == BUILD_SHORTCUTPENDING) {
+                        PKIX_CHECK(pkix_Build_InitiateBuildChain
+                                (procParams,
+                                &nbioContext,
+                                &state,
+                                &buildResult,
+                                pVerifyNode,
+                                plContext),
+                                PKIX_BUILDINITIATEBUILDCHAINFAILED);
+                } else {
+                        PKIX_CHECK(pkix_Build_ResumeBuildChain
+                                (&nbioContext,
+                                state,
+                                &buildResult,
+                                pVerifyNode,
+                                plContext),
+                                PKIX_BUILDINITIATEBUILDCHAINFAILED);
+                }
+        }
+
+        /* non-null nbioContext means the build would block */
+        if (nbioContext != NULL) {
+
+                *pNBIOContext = nbioContext;
+                *pState = state;
+                state = NULL;
+                *pBuildResult = NULL;
+
+        /* no buildResult means the build has failed */
+        } else if (buildResult == NULL) {
+                PKIX_ERROR(PKIX_UNABLETOBUILDCHAIN);
+        } else {
+                /*
+                 * If we made a successful chain by combining the target Cert
+                 * with one of the Trust Anchors, we may have never created a
+                 * validityDate. We treat this situation as
+                 * canBeCached = PKIX_FALSE.
+                 */
+                if ((state != NULL) &&
+                    ((state->validityDate) != NULL) &&
+                    (state->canBeCached)) {
+                        PKIX_CHECK(pkix_CacheCertChain_Add
+                                (state->buildConstants.targetCert,
+                                state->buildConstants.anchors,
+                                state->validityDate,
+                                buildResult,
+                                plContext),
+                                PKIX_CACHECERTCHAINADDFAILED);
+                }
+
+                *pState = NULL;
+                *pBuildResult = buildResult;
+                buildResult = NULL;
+        }
+
+cleanup:
+        PKIX_DECREF(buildResult);
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(BUILD);
+}
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.h b/security/nss/lib/libpkix/pkix/top/pkix_build.h
new file mode 100755
index 000000000..a4458c103
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h
@@ -0,0 +1,158 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_build.h
+ *
+ * Header file for buildChain function
+ *
+ */
+
+#ifndef _PKIX_BUILD_H
+#define _PKIX_BUILD_H
+#include "pkix_tools.h"
+#include "pkix_pl_ldapt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+        BUILD_SHORTCUTPENDING,
+        BUILD_INITIAL,
+        BUILD_TRYAIA,
+        BUILD_AIAPENDING,
+        BUILD_COLLECTINGCERTS,
+        BUILD_GATHERPENDING,
+        BUILD_CERTVALIDATING,
+        BUILD_ABANDONNODE,
+        BUILD_CRLPREP,
+        BUILD_CRL1,
+        BUILD_DATEPREP,
+        BUILD_CHECKTRUSTED,
+        BUILD_CHECKTRUSTED2,
+        BUILD_ADDTOCHAIN,
+        BUILD_CHECKWITHANCHORS,
+        BUILD_CRL2PREP,
+        BUILD_CRL2,
+        BUILD_VALCHAIN,
+        BUILD_VALCHAIN2,
+        BUILD_EXTENDCHAIN,
+        BUILD_GETNEXTCERT
+} BuildStatus;
+
+typedef struct BuildConstantsStruct BuildConstants;
+
+/*
+ * These fields (the ones that are objects) are not reference-counted
+ * in *each* state, but only in the root, the state that has no parent.
+ * That saves time in creation and destruction of child states, but is
+ * safe enough since they are constants.
+ */
+struct BuildConstantsStruct {
+        PKIX_UInt32 numAnchors;
+        PKIX_UInt32 numCertStores;
+        PKIX_UInt32 numHintCerts;
+        PKIX_UInt32 maxDepth;
+        PKIX_UInt32 maxFanout;
+        PKIX_UInt32 maxTime;
+        PKIX_ProcessingParams *procParams;
+        PKIX_PL_Date *testDate;
+        PKIX_PL_Date *timeLimit;
+        PKIX_PL_Cert *targetCert;
+        PKIX_PL_PublicKey *targetPubKey;
+        PKIX_List *certStores;
+        PKIX_List *anchors;
+        PKIX_List *userCheckers;
+        PKIX_List *hintCerts;
+        PKIX_CertChainChecker *crlChecker;
+        PKIX_PL_AIAMgr *aiaMgr;
+        PKIX_Boolean useAIAForCertFetching;
+};
+
+struct PKIX_ForwardBuilderStateStruct{
+        BuildStatus status;
+        PKIX_Int32 traversedCACerts;
+        PKIX_UInt32 certStoreIndex;
+        PKIX_UInt32 numCerts;
+        PKIX_UInt32 numAias;
+        PKIX_UInt32 certIndex;
+        PKIX_UInt32 aiaIndex;
+        PKIX_UInt32 anchorIndex;
+        PKIX_UInt32 certCheckedIndex;
+        PKIX_UInt32 checkerIndex;
+        PKIX_UInt32 hintCertIndex;
+        PKIX_UInt32 numFanout;
+        PKIX_UInt32 numDepth;
+        PKIX_UInt32 reasonCode;
+        PKIX_Boolean dsaParamsNeeded;
+        PKIX_Boolean revCheckDelayed;
+        PKIX_Boolean canBeCached;
+        PKIX_Boolean useOnlyLocal;
+        PKIX_Boolean revChecking;
+        PKIX_Boolean usingHintCerts;
+        PKIX_Boolean certLoopingDetected;
+        PKIX_PL_Date *validityDate;
+        PKIX_PL_Cert *prevCert;
+        PKIX_PL_Cert *candidateCert;
+        PKIX_List *traversedSubjNames;
+        PKIX_List *trustChain;
+        PKIX_List *aia;
+        PKIX_List *candidateCerts;
+        PKIX_List *reversedCertChain;
+        PKIX_List *checkedCritExtOIDs;
+        PKIX_List *checkerChain;
+        PKIX_List *revCheckers;
+        PKIX_CertSelector *certSel;
+        PKIX_VerifyNode *verifyNode;
+        void *client; /* messageHandler, such as LDAPClient */
+        PKIX_ForwardBuilderState *parentState;
+        BuildConstants buildConstants;
+};
+
+/* --Private-Functions-------------------------------------------- */
+
+PKIX_Error *
+pkix_ForwardBuilderState_RegisterSelf(void *plContext);
+
+PKIX_Error *
+PKIX_Build_GetNBIOContext(void *state, void **pNBIOContext, void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BUILD_H */
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.c b/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.c
new file mode 100755
index 000000000..3d377cce0
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.c
@@ -0,0 +1,242 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_lifecycle.c
+ *
+ * Top level initialize and shutdown functions
+ *
+ */
+
+#include "pkix_lifecycle.h"
+
+static PKIX_Boolean pkixIsInitialized;
+
+/* Lock used by Logger - is reentrant by the same thread */
+extern PKIX_PL_MonitorLock *pkixLoggerLock;
+
+/* 
+ * Following pkix_* variables are for debugging purpose. They should be taken
+ * out eventually. The purpose is to verify cache tables usage (via debugger).
+ */
+int pkix_ccAddCount = 0;
+int pkix_ccLookupCount = 0;
+int pkix_ccRemoveCount = 0;
+int pkix_cAddCount = 0;
+int pkix_cLookupCount = 0;
+int pkix_cRemoveCount = 0;
+int pkix_ceAddCount = 0;
+int pkix_ceLookupCount = 0;
+
+PKIX_PL_HashTable *cachedCrlSigTable = NULL;
+PKIX_PL_HashTable *cachedCertSigTable = NULL;
+PKIX_PL_HashTable *cachedCertChainTable = NULL;
+PKIX_PL_HashTable *cachedCertTable = NULL;
+PKIX_PL_HashTable *cachedCrlEntryTable = NULL;
+PKIX_PL_HashTable *aiaConnectionCache = NULL;
+PKIX_PL_HashTable *httpSocketCache = NULL;
+
+extern PKIX_List *pkixLoggers;
+extern PKIX_List *pkixLoggersErrors;
+extern PKIX_List *pkixLoggersDebugTrace;
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_Initialize (see comments in pkix.h)
+ */
+PKIX_Error *
+PKIX_Initialize(
+        PKIX_Boolean platformInitNeeded,
+        PKIX_UInt32 desiredMajorVersion,
+        PKIX_UInt32 minDesiredMinorVersion,
+        PKIX_UInt32 maxDesiredMinorVersion,
+        PKIX_UInt32 *pActualMinorVersion,
+        void **pPlContext)
+{
+        void *plContext = NULL;
+
+        PKIX_ENTER(LIFECYCLE, "PKIX_Initialize");
+        PKIX_NULLCHECK_ONE(pPlContext);
+
+        /*
+         * If we are called a second time other than in the situation handled
+         * above, we return a positive status.
+         */
+        if (pkixIsInitialized){
+                /* Already initialized */
+                PKIX_RETURN(LIFECYCLE);
+        }
+
+        PKIX_CHECK(PKIX_PL_Initialize
+                (platformInitNeeded, PKIX_FALSE, &plContext),
+                PKIX_INITIALIZEFAILED);
+
+        *pPlContext = plContext;
+
+        if (desiredMajorVersion != PKIX_MAJOR_VERSION){
+                PKIX_ERROR(PKIX_MAJORVERSIONSDONTMATCH);
+        }
+
+        if ((minDesiredMinorVersion > PKIX_MINOR_VERSION) ||
+            (maxDesiredMinorVersion < PKIX_MINOR_VERSION)){
+                PKIX_ERROR(PKIX_MINORVERSIONNOTBETWEENDESIREDMINANDMAX);
+        }
+
+        *pActualMinorVersion = PKIX_MINOR_VERSION;
+
+        /* Create Cache Tables
+         * Do not initialize hash tables for object leak test */
+#if !defined(PKIX_OBJECT_LEAK_TEST)
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                   (32, 0, &cachedCertSigTable, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                   (32, 0, &cachedCrlSigTable, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                       (32, 10, &cachedCertChainTable, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                       (32, 10, &cachedCertTable, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                   (32, 10, &cachedCrlEntryTable, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                   (5, 5, &aiaConnectionCache, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                   (5, 5, &httpSocketCache, plContext),
+                   PKIX_HASHTABLECREATEFAILED);
+        
+        if (pkixLoggerLock == NULL) {
+            PKIX_CHECK(PKIX_PL_MonitorLock_Create
+                       (&pkixLoggerLock, plContext),
+                       PKIX_MONITORLOCKCREATEFAILED);
+        }
+#else
+        fnInvTable = PL_NewHashTable(0, pkix_ErrorGen_Hash,
+                                     PL_CompareValues,
+                                     PL_CompareValues, NULL, NULL);
+        if (!fnInvTable) {
+            PKIX_ERROR(PKIX_HASHTABLECREATEFAILED);
+        }
+        
+        fnStackNameArr = PORT_ZNewArray(char*, MAX_STACK_DEPTH);
+        if (!fnStackNameArr) {
+            PKIX_ERROR(PKIX_HASHTABLECREATEFAILED);
+        }
+
+        fnStackInvCountArr = PORT_ZNewArray(PKIX_UInt32, MAX_STACK_DEPTH);
+        if (!fnStackInvCountArr) {
+            PKIX_ERROR(PKIX_HASHTABLECREATEFAILED);
+        }
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+        pkixIsInitialized = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(LIFECYCLE);
+}
+
+/*
+ * FUNCTION: PKIX_Shutdown (see comments in pkix.h)
+ */
+PKIX_Error *
+PKIX_Shutdown(void *plContext)
+{
+        PKIX_List *savedPkixLoggers = NULL;
+        PKIX_List *savedPkixLoggersErrors = NULL;
+        PKIX_List *savedPkixLoggersDebugTrace = NULL;
+
+        PKIX_ENTER(LIFECYCLE, "PKIX_Shutdown");
+
+        if (!pkixIsInitialized){
+                /* The library was not initialized */
+                PKIX_RETURN(LIFECYCLE);
+        }
+
+        pkixIsInitialized = PKIX_FALSE;
+
+        if (pkixLoggers) {
+                savedPkixLoggers = pkixLoggers;
+                savedPkixLoggersErrors = pkixLoggersErrors;
+                savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
+                pkixLoggers = NULL;
+                pkixLoggersErrors = NULL;
+                pkixLoggersDebugTrace = NULL;
+                PKIX_DECREF(savedPkixLoggers);
+                PKIX_DECREF(savedPkixLoggersErrors);
+                PKIX_DECREF(savedPkixLoggersDebugTrace);
+        }
+        PKIX_DECREF(pkixLoggerLock);
+
+        /* Destroy Cache Tables */
+        PKIX_DECREF(cachedCertSigTable);
+        PKIX_DECREF(cachedCrlSigTable);
+        PKIX_DECREF(cachedCertChainTable);
+        PKIX_DECREF(cachedCertTable);
+        PKIX_DECREF(cachedCrlEntryTable);
+        PKIX_DECREF(aiaConnectionCache);
+        PKIX_DECREF(httpSocketCache);
+
+        /* Clean up any temporary errors that happened during shutdown */
+        if (pkixErrorList) {
+            PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorList, plContext);
+            pkixErrorList = NULL;
+        }
+
+        PKIX_CHECK(PKIX_PL_Shutdown(plContext),
+                PKIX_SHUTDOWNFAILED);
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+        PORT_Free(fnStackInvCountArr);
+        PORT_Free(fnStackNameArr);
+        PL_HashTableDestroy(fnInvTable);
+#endif
+
+cleanup:
+
+        PKIX_RETURN(LIFECYCLE);
+}
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.h b/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.h
new file mode 100755
index 000000000..f07ab2a6a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_lifecycle.h
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_lifecycle.h
+ *
+ * Header file for initialize and shutdown functions.
+ *
+ */
+
+#ifndef _PKIX_LIFECYCLE_H
+#define _PKIX_LIFECYCLE_H
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_LIFECYCLE_H */
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_validate.c b/security/nss/lib/libpkix/pkix/top/pkix_validate.c
new file mode 100755
index 000000000..ef81b63a2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_validate.c
@@ -0,0 +1,1574 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_validate.c
+ *
+ * Top level validateChain function
+ *
+ */
+
+#include "pkix_validate.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_AddToVerifyLog
+ * DESCRIPTION:
+ *
+ *  This function returns immediately if the address for the VerifyNode tree
+ *  pointed to by "pVerifyTree" is NULL. Otherwise it creates a new VerifyNode
+ *  from the Cert pointed to by "cert" and the Error pointed to by "error",
+ *  and inserts it at the depth in the VerifyNode tree determined by "depth". A
+ *  depth of zero means that this function creates the root node of a new tree.
+ *
+ *  Note: this function does not include the means of choosing among branches
+ *  of a tree. It is intended for non-branching trees, that is, where each
+ *  parent node has only a single child node.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      The address of the Cert to be included in the new VerifyNode. Must be
+ *      non-NULL.
+ *  "depth"
+ *      The UInt32 value of the depth.
+ *  "error"
+ *      The address of the Error to be included in the new VerifyNode.
+ *  "pVerifyTree"
+ *      The address of the VerifyNode tree into which the created VerifyNode
+ *      is to be inserted. The node is not created if VerifyTree is NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_AddToVerifyLog(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 depth,
+        PKIX_Error *error,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext)
+{
+
+        PKIX_VerifyNode *verifyNode = NULL;
+
+        PKIX_ENTER(VALIDATE, "pkix_AddToVerifyLog");
+        PKIX_NULLCHECK_ONE(cert);
+
+        if (pVerifyTree) { /* nothing to do if no address given for log */
+
+                PKIX_CHECK(pkix_VerifyNode_Create
+                        (cert, depth, error, &verifyNode, plContext),
+                        PKIX_VERIFYNODECREATEFAILED);
+
+                if (depth == 0) {
+                        /* We just created the root node */
+                        *pVerifyTree = verifyNode;
+                } else {
+                        PKIX_CHECK(pkix_VerifyNode_AddToChain
+                                (*pVerifyTree, verifyNode, plContext),
+                                PKIX_VERIFYNODEADDTOCHAINFAILED);
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(VALIDATE);
+
+}
+
+/*
+ * FUNCTION: pkix_CheckCert
+ * DESCRIPTION:
+ *
+ *  Checks whether the Cert pointed to by "cert" successfully validates
+ *  using the List of CertChainCheckers pointed to by "checkers". If the
+ *  certificate does not validate, an Error pointer is returned.
+ *
+ *  This function should be called initially with the UInt32 pointed to by
+ *  "pCheckerIndex" containing zero, and the pointer at "pNBIOContext"
+ *  containing NULL. If a checker does non-blocking I/O, this function will
+ *  return with the index of that checker stored at "pCheckerIndex" and a
+ *  platform-dependent non-blocking I/O context stored at "pNBIOContext".
+ *  A subsequent call to this function with those values intact will allow the
+ *  checking to resume where it left off. This should be repeated until the
+ *  function returns with NULL stored at "pNBIOContext".
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert to validate. Must be non-NULL.
+ *  "checkers"
+ *      List of CertChainCheckers which must each validate the certificate.
+ *      Must be non-NULL.
+ *  "checkedExtOIDs"
+ *      List of PKIX_PL_OID that has been processed. If called from building
+ *      chain, it is the list of critical extension OIDs that has been
+ *      processed prior to validation. May be NULL.
+ *  "pCheckerIndex"
+ *      Address at which is stored the the index, within the List "checkers",
+ *      of a checker whose processing was interrupted by non-blocking I/O.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which is stored platform-specific non-blocking I/O context.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_CheckCert(
+        PKIX_PL_Cert *cert,
+        PKIX_List *checkers,
+        PKIX_List *checkedExtOIDsList,
+        PKIX_UInt32 *pCheckerIndex,
+        void **pNBIOContext,
+        void *plContext)
+{
+        PKIX_CertChainChecker_CheckCallback checkerCheck = NULL;
+        PKIX_CertChainChecker *checker = NULL;
+        PKIX_List *unresCritExtOIDs = NULL;
+        PKIX_UInt32 numCheckers;
+        PKIX_UInt32 numUnresCritExtOIDs = 0;
+        PKIX_UInt32 checkerIndex = 0;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(VALIDATE, "pkix_CheckCert");
+        PKIX_NULLCHECK_FOUR(cert, checkers, pCheckerIndex, pNBIOContext);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for case of error exit */
+
+        PKIX_CHECK(PKIX_PL_Cert_GetCriticalExtensionOIDs
+                    (cert, &unresCritExtOIDs, plContext),
+                    PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        for (checkerIndex = *pCheckerIndex;
+                checkerIndex < numCheckers;
+                checkerIndex++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (checkers,
+                        checkerIndex,
+                        (PKIX_PL_Object **)&checker,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback
+                        (checker, &checkerCheck, plContext),
+                        PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED);
+
+                PKIX_CHECK(checkerCheck(checker, cert, unresCritExtOIDs,
+                                        &nbioContext,  plContext),
+                           PKIX_CERTCHAINCHECKERCHECKFAILED);
+
+                if (nbioContext != NULL) {
+                        *pCheckerIndex = checkerIndex;
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+                PKIX_DECREF(checker);
+        }
+
+        if (unresCritExtOIDs){
+
+#ifdef PKIX_VALIDATEDEBUG
+                {
+                        PKIX_PL_String *oidString = NULL;
+                        PKIX_UInt32 length;
+                        char *oidAscii = NULL;
+                        PKIX_TOSTRING(unresCritExtOIDs, &oidString, plContext,
+                                PKIX_LISTTOSTRINGFAILED);
+                        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                                (oidString,
+                                PKIX_ESCASCII,
+                                (void **) &oidAscii,
+                                &length,
+                                plContext),
+                                PKIX_STRINGGETENCODEDFAILED);
+                        PKIX_VALIDATE_DEBUG_ARG
+                                ("unrecognized critical extension OIDs:"
+                                " %s\n", oidAscii);
+                        PKIX_DECREF(oidString);
+                        PKIX_PL_Free(oidAscii, plContext);
+                }
+#endif
+
+                if (checkedExtOIDsList != NULL) {
+                 /* Take out OID's that had been processed, if any */
+                        PKIX_CHECK(pkix_List_RemoveItems
+                                (unresCritExtOIDs,
+                                checkedExtOIDsList,
+                                plContext),
+                                PKIX_LISTREMOVEITEMSFAILED);
+                }
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (unresCritExtOIDs, &numUnresCritExtOIDs, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                if (numUnresCritExtOIDs != 0){
+                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRITICALEXTENSION);
+                }
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(checker);
+        PKIX_DECREF(unresCritExtOIDs);
+
+        PKIX_RETURN(VALIDATE);
+
+}
+
+/*
+ * FUNCTION: pkix_RevCheckCert
+ * DESCRIPTION:
+ *
+ *  Checks whether the Cert pointed to by "cert" successfully validates
+ *  using the List of RevocationCheckers pointed to by "checkers". If the
+ *  certificate has been revoked, a nonzero Reason Code is returned.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert to validate. Must be non-NULL.
+ *  "checkers"
+ *      List of RevocationCheckers which must each validate the certificate.
+ *      Must be non-NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize the ExpirationChecker
+ *      and TargetCertChecker. Must be non-NULL.
+ *  "pCheckerIndex"
+ *      Address at which is stored the the index, within the List "checkers",
+ *      of a checker whose processing was interrupted by non-blocking I/O.
+ *      Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which is stored platform-specific non-blocking I/O context.
+ *      Must be non-NULL.
+ *  "pResultCode"
+ *      Address at which is stored the revocation code of a revoked Cert.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_RevCheckCert(
+        PKIX_PL_Cert *cert,
+        PKIX_List *checkers,
+        PKIX_ProcessingParams *procParams,
+        PKIX_UInt32 *pCheckerIndex,
+        void **pNBIOContext,
+        PKIX_UInt32 *pResultCode,
+        void *plContext)
+{
+        PKIX_RevocationChecker_RevCallback revCheckerCheck = NULL;
+        PKIX_RevocationChecker *checker = NULL;
+        PKIX_UInt32 numCheckers;
+        PKIX_UInt32 resultCode = 0;
+        PKIX_UInt32 checkerIndex = 0;
+        PKIX_PL_Object *checkerContext = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(VALIDATE, "pkix_RevCheckCert");
+        PKIX_NULLCHECK_THREE(cert, checkers, pCheckerIndex);
+        PKIX_NULLCHECK_TWO(pNBIOContext, pResultCode);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL; /* prepare for case of error exit */
+
+        PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        for (checkerIndex = *pCheckerIndex;
+                checkerIndex < numCheckers;
+                checkerIndex++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (checkers,
+                        checkerIndex,
+                        (PKIX_PL_Object **)&checker,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_RevocationChecker_GetRevCallback
+                        (checker, &revCheckerCheck, plContext),
+                        PKIX_REVOCATIONCHECKERGETREVCALLBACKFAILED);
+
+                PKIX_CHECK(PKIX_RevocationChecker_GetRevCheckerContext
+                        (checker, &checkerContext, plContext),
+                        PKIX_REVOCATIONCHECKERGETREVCHECKERCONTEXTFAILED);
+
+                PKIX_CHECK(revCheckerCheck
+                        (checkerContext,
+                        cert,
+                        procParams,
+                        &nbioContext,
+                        &resultCode,
+                        plContext),
+                        PKIX_REVCHECKERCHECKFAILED);
+
+                if (nbioContext != NULL) {
+                        *pCheckerIndex = checkerIndex;
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+                if (resultCode != 0) {
+                        *pResultCode = resultCode;
+                        goto cleanup;
+                }
+
+                PKIX_DECREF(checker);
+                PKIX_DECREF(checkerContext);
+        }
+
+cleanup:
+
+        PKIX_DECREF(checker);
+        PKIX_DECREF(checkerContext);
+
+        PKIX_RETURN(VALIDATE);
+
+}
+
+/*
+ * FUNCTION: pkix_InitializeCheckers
+ * DESCRIPTION:
+ *
+ *  Creates several checkers and initializes them with values derived from the
+ *  TrustAnchor pointed to by "anchor", the ProcessingParams pointed to by
+ *  "procParams", and the number of Certs in the Chain, represented by
+ *  "numCerts". The List of checkers is stored at "pCheckers".
+ *
+ * PARAMETERS:
+ *  "anchor"
+ *      Address of TrustAnchor used to initialize the SignatureChecker and
+ *      NameChainingChecker. Must be non-NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize the ExpirationChecker
+ *      and TargetCertChecker. Must be non-NULL.
+ *  "numCerts"
+ *      Number of certificates in the CertChain.
+ *  "pCheckers"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_InitializeCheckers(
+        PKIX_TrustAnchor *anchor,
+        PKIX_ProcessingParams *procParams,
+        PKIX_UInt32 numCerts,
+        PKIX_List **pCheckers,
+        void *plContext)
+{
+        PKIX_CertChainChecker *targetCertChecker = NULL;
+        PKIX_CertChainChecker *expirationChecker = NULL;
+        PKIX_CertChainChecker *nameChainingChecker = NULL;
+        PKIX_CertChainChecker *nameConstraintsChecker = NULL;
+        PKIX_CertChainChecker *basicConstraintsChecker = NULL;
+        PKIX_CertChainChecker *policyChecker = NULL;
+        PKIX_CertChainChecker *sigChecker = NULL;
+        PKIX_CertChainChecker *defaultCrlChecker = NULL;
+        PKIX_CertChainChecker *userChecker = NULL;
+        PKIX_PL_X500Name *trustedCAName = NULL;
+        PKIX_PL_PublicKey *trustedPubKey = NULL;
+        PKIX_List *checkers = NULL;
+        PKIX_PL_Date *testDate = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_PL_Cert *trustedCert = NULL;
+        PKIX_PL_CertNameConstraints *trustedNC = NULL;
+        PKIX_List *initialPolicies = NULL;
+        PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
+        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+        PKIX_List *userCheckersList = NULL;
+        PKIX_List *certStores = NULL;
+        PKIX_UInt32 numCertStores = 0;
+        PKIX_UInt32 numCertCheckers = 0;
+        PKIX_Boolean isCrlEnabled = PKIX_TRUE;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(VALIDATE, "pkix_InitializeCheckers");
+        PKIX_NULLCHECK_THREE(anchor, procParams, pCheckers);
+        PKIX_CHECK(PKIX_List_Create(&checkers, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        /*
+         * The TrustAnchor may have been created using CreateWithCert
+         * (in which case GetCAPublicKey and GetCAName will return NULL)
+         * or may have been created using CreateWithNameKeyPair (in which
+         * case GetTrustedCert will return NULL. So we call GetTrustedCert
+         * and populate trustedPubKey and trustedCAName accordingly.
+         */
+
+        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                (anchor, &trustedCert, plContext),
+                    PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+
+        if (trustedCert){
+                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                            (trustedCert, &trustedPubKey, plContext),
+                            PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+                PKIX_CHECK(PKIX_PL_Cert_GetSubject
+                            (trustedCert, &trustedCAName, plContext),
+                            PKIX_CERTGETSUBJECTFAILED);
+        } else {
+                PKIX_CHECK(PKIX_TrustAnchor_GetCAPublicKey
+                            (anchor, &trustedPubKey, plContext),
+                            PKIX_TRUSTANCHORGETCAPUBLICKEYFAILED);
+
+                PKIX_CHECK(PKIX_TrustAnchor_GetCAName
+                            (anchor, &trustedCAName, plContext),
+                            PKIX_TRUSTANCHORGETCANAMEFAILED);
+        }
+
+        PKIX_NULLCHECK_TWO(trustedPubKey, trustedCAName);
+
+        PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
+                (anchor, &trustedNC, plContext),
+                PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
+                (procParams, &certSelector, plContext),
+                PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetDate
+                (procParams, &testDate, plContext),
+                PKIX_PROCESSINGPARAMSGETDATEFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies
+                (procParams, &initialPolicies, plContext),
+                PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected
+                (procParams, &policyQualifiersRejected, plContext),
+                PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited
+                (procParams, &initialPolicyMappingInhibit, plContext),
+                PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited
+                (procParams, &initialAnyPolicyInhibit, plContext),
+                PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired
+                (procParams, &initialExplicitPolicy, plContext),
+                PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
+                (procParams, &certStores, plContext),
+                PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers
+                (procParams, &userCheckersList, plContext),
+                PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED);
+
+        PKIX_CHECK(pkix_ProcessingParams_GetRevocationEnabled
+                (procParams, &isCrlEnabled, plContext),
+                PKIX_PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED);
+
+        /* now, initialize all the checkers */
+        PKIX_CHECK(pkix_TargetCertChecker_Initialize
+                (certSelector, numCerts, &targetCertChecker, plContext),
+                PKIX_TARGETCERTCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_ExpirationChecker_Initialize
+                (testDate, &expirationChecker, plContext),
+                PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_NameChainingChecker_Initialize
+                (trustedCAName, &nameChainingChecker, plContext),
+                PKIX_NAMECHAININGCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_NameConstraintsChecker_Initialize
+                (trustedNC, numCerts, &nameConstraintsChecker, plContext),
+                PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_BasicConstraintsChecker_Initialize
+                (numCerts, &basicConstraintsChecker, plContext),
+                PKIX_BASICCONSTRAINTSCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_PolicyChecker_Initialize
+                (initialPolicies,
+                policyQualifiersRejected,
+                initialPolicyMappingInhibit,
+                initialExplicitPolicy,
+                initialAnyPolicyInhibit,
+                numCerts,
+                &policyChecker,
+                plContext),
+                PKIX_POLICYCHECKERINITIALIZEFAILED);
+
+        PKIX_CHECK(pkix_SignatureChecker_Initialize
+                    (trustedPubKey, numCerts, &sigChecker, plContext),
+                    PKIX_SIGNATURECHECKERINITIALIZEFAILED);
+
+        if (isCrlEnabled) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (certStores, &numCertStores, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                if (numCertStores > 0) {
+                        PKIX_Boolean nistCRLPolicyEnabled = PR_TRUE;
+
+                        PKIX_CHECK(
+                        pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
+                        (procParams, &nistCRLPolicyEnabled, plContext),
+                        PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
+
+                        PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
+                            (certStores,
+                            testDate,
+                            trustedPubKey,
+                            numCerts,
+                            nistCRLPolicyEnabled,
+                            &defaultCrlChecker,
+                            plContext),
+                            PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                            (checkers,
+                            (PKIX_PL_Object *)defaultCrlChecker,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+                } else {
+                        PKIX_ERROR(PKIX_ENABLEREVOCATIONWITHOUTCERTSTORE);
+                }
+        }
+
+        if (userCheckersList != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (userCheckersList, &numCertCheckers, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numCertCheckers; i++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (userCheckersList,
+                            i,
+                            (PKIX_PL_Object **) &userChecker,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                            (checkers,
+                            (PKIX_PL_Object *)userChecker,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                        PKIX_DECREF(userChecker);
+                }
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)targetCertChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)expirationChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)nameChainingChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)nameConstraintsChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)basicConstraintsChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)policyChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+            (checkers, (PKIX_PL_Object *)sigChecker, plContext),
+            PKIX_LISTAPPENDITEMFAILED);
+
+        *pCheckers = checkers;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(checkers);
+        }
+
+        PKIX_DECREF(certSelector);
+        PKIX_DECREF(testDate);
+        PKIX_DECREF(initialPolicies);
+        PKIX_DECREF(targetCertChecker);
+        PKIX_DECREF(expirationChecker);
+        PKIX_DECREF(nameChainingChecker);
+        PKIX_DECREF(nameConstraintsChecker);
+        PKIX_DECREF(basicConstraintsChecker);
+        PKIX_DECREF(policyChecker);
+        PKIX_DECREF(sigChecker);
+        PKIX_DECREF(trustedCAName);
+        PKIX_DECREF(trustedPubKey);
+        PKIX_DECREF(trustedNC);
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(defaultCrlChecker);
+        PKIX_DECREF(userCheckersList);
+        PKIX_DECREF(certStores);
+        PKIX_DECREF(userChecker);
+
+        PKIX_RETURN(VALIDATE);
+}
+
+/*
+ * FUNCTION: pkix_RetrieveOutputs
+ * DESCRIPTION:
+ *
+ *  This function queries the respective states of the List of checkers in
+ *  "checkers" to to obtain the final public key from the SignatureChecker
+ *  and the policy tree from the PolicyChecker, storing those values at
+ *  "pFinalSubjPubKey" and "pPolicyTree", respectively.
+ *
+ * PARAMETERS:
+ *  "checkers"
+ *      Address of List of checkers to be queried. Must be non-NULL.
+ *  "pFinalSubjPubKey"
+ *      Address where final public key will be stored. Must be non-NULL.
+ *  "pPolicyTree"
+ *      Address where policy tree will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_RetrieveOutputs(
+        PKIX_List *checkers,
+        PKIX_PL_PublicKey **pFinalSubjPubKey,
+        PKIX_PolicyNode **pPolicyTree,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *finalSubjPubKey = NULL;
+        PKIX_PolicyNode *validPolicyTree = NULL;
+        PKIX_CertChainChecker *checker = NULL;
+        PKIX_PL_Object *state = NULL;
+        PKIX_UInt32 numCheckers = 0;
+        PKIX_UInt32 type;
+        PKIX_Int32 j;
+
+        PKIX_ENTER(VALIDATE, "pkix_RetrieveOutputs");
+
+        PKIX_NULLCHECK_TWO(checkers, pPolicyTree);
+
+        /*
+         * To optimize the search, we guess that the sigChecker is
+         * last in the tree and is preceded by the policyChecker. We
+         * search toward the front of the chain. Remember that List
+         * items are indexed 0..(numItems - 1).
+         */
+
+        PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (j = numCheckers - 1; j >= 0; j--){
+                PKIX_CHECK(PKIX_List_GetItem
+                        (checkers, j, (PKIX_PL_Object **)&checker, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                        (checker, &state, plContext),
+                        PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+                /* user defined checker may have no state */
+                if (state != NULL) {
+
+                    PKIX_CHECK(PKIX_PL_Object_GetType(state, &type, plContext),
+                            PKIX_OBJECTGETTYPEFAILED);
+
+                    if (type == PKIX_SIGNATURECHECKERSTATE_TYPE){
+                        /* final pubKey will include any inherited DSA params */
+                        finalSubjPubKey =
+                            ((pkix_SignatureCheckerState *)state)->
+                                prevPublicKey;
+                        PKIX_INCREF(finalSubjPubKey);
+                        *pFinalSubjPubKey = finalSubjPubKey;
+                    }
+
+                    if (type == PKIX_CERTPOLICYCHECKERSTATE_TYPE) {
+                        validPolicyTree =
+                            ((PKIX_PolicyCheckerState *)state)->validPolicyTree;
+                        break;
+                    }
+                }
+
+                PKIX_DECREF(checker);
+                PKIX_DECREF(state);
+        }
+
+        PKIX_INCREF(validPolicyTree);
+        *pPolicyTree = validPolicyTree;
+
+cleanup:
+
+        PKIX_DECREF(checker);
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(VALIDATE);
+
+}
+
+/*
+ * FUNCTION: pkix_CheckChain
+ * DESCRIPTION:
+ *
+ *  Checks whether the List of Certs pointed to by "certs", containing
+ *  "numCerts" entries, successfully validates using each CertChainChecker in
+ *  the List pointed to by "checkers" and has not been revoked, according to any
+ *  of the Revocation Checkers in the List pointed to by "revCheckers". Checkers
+ *  are expected to remove from "removeCheckedExtOIDs" and extensions that they
+ *  process. Indices to the certChain and the checkerChain are obtained and
+ *  returned in "pCertCheckedIndex" and "pCheckerIndex", respectively. These
+ *  should be set to zero prior to the initial call, but may be changed (and
+ *  must be supplied on subsequent calls) if processing is suspended for non-
+ *  blocking I/O. Each time a Cert passes from being validated by one of the
+ *  CertChainCheckers to being checked by a Revocation Checker, the Boolean
+ *  stored at "pRevChecking" is changed from FALSE to TRUE. If the Cert is
+ *  rejected by a Revocation Checker, its reason code is returned at
+ *  "pReasonCode. If the List of Certs successfully validates, the public key i
+ *  the final certificate is obtained and stored at "pFinalSubjPubKey" and the
+ *  validPolicyTree, which could be NULL, is stored at pPolicyTree. If the List
+ *  of Certs fails to validate, an Error pointer is returned.
+ *
+ *  If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which
+ *  tracks the results of the validation. That is, either each node in the
+ *  chain has a NULL Error component, or the last node contains an Error
+ *  which indicates why the validation failed.
+ *
+ *  The number of Certs in the List, represented by "numCerts", is used to
+ *  determine which Cert is the final Cert.
+ *
+ * PARAMETERS:
+ *  "certs"
+ *      Address of List of Certs to validate. Must be non-NULL.
+ *  "numCerts"
+ *      Number of certificates in the List of certificates.
+ *  "checkers"
+ *      List of CertChainCheckers which must each validate the List of
+ *      certificates. Must be non-NULL.
+ *  "revCheckers"
+ *      List of RevocationCheckers which must each not reject the List of
+ *      certificates. May be empty, but must be non-NULL.
+ *  "removeCheckedExtOIDs"
+ *      List of PKIX_PL_OID that has been processed. If called from building
+ *      chain, it is the list of critical extension OIDs that has been
+ *      processed prior to validation. Extension OIDs that may be processed by
+ *      user defined checker processes are also in the list. May be NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize various checkers. Must
+ *      be non-NULL.
+ *  "pCertCheckedIndex"
+ *      Address where Int32 index to the Cert chain is obtained and
+ *      returned. Must be non-NULL.
+ *  "pCheckerIndex"
+ *      Address where Int32 index to the CheckerChain is obtained and
+ *      returned. Must be non-NULL.
+ *  "pRevChecking"
+ *      Address where Boolean is obtained and returned, indicating, if FALSE,
+ *      that CertChainCheckers are being called; or, if TRUE, that RevCheckers
+ *      are being called. Must be non-NULL.
+ *  "pReasonCode"
+ *      Address where UInt32 results of revocation checking are stored. Must be
+ *      non-NULL.
+ *  "pNBIOContext"
+ *      Address where platform-dependent context is stored if checking is
+ *      suspended for non-blocking I/O. Must be non-NULL.
+ *  "pFinalSubjPubKey"
+ *      Address where the final public key will be stored. Must be non-NULL.
+ *  "pPolicyTree"
+ *      Address where the final validPolicyTree is stored. Must be non-NULL.
+ *  "pVerifyTree"
+ *      Address where a VerifyTree is stored, if non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CheckChain(
+        PKIX_List *certs,
+        PKIX_UInt32 numCerts,
+        PKIX_List *checkers,
+        PKIX_List *revCheckers,
+        PKIX_List *removeCheckedExtOIDs,
+        PKIX_ProcessingParams *procParams,
+        PKIX_UInt32 *pCertCheckedIndex,
+        PKIX_UInt32 *pCheckerIndex,
+        PKIX_Boolean *pRevChecking,
+        PKIX_UInt32 *pReasonCode,
+        void **pNBIOContext,
+        PKIX_PL_PublicKey **pFinalSubjPubKey,
+        PKIX_PolicyNode **pPolicyTree,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext)
+{
+        PKIX_UInt32 j = 0;
+        SECErrorCodes reasonCode = 0;
+        PKIX_Boolean revChecking = PKIX_FALSE;
+        PKIX_Error *checkCertError = NULL;
+        void *nbioContext = NULL;
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_ENTER(VALIDATE, "pkix_CheckChain");
+        PKIX_NULLCHECK_FOUR(certs, checkers, revCheckers, pCertCheckedIndex);
+        PKIX_NULLCHECK_THREE(pCheckerIndex, pRevChecking, pReasonCode);
+        PKIX_NULLCHECK_THREE(pNBIOContext, pFinalSubjPubKey, pPolicyTree);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+        revChecking = *pRevChecking;
+
+        for (j = *pCertCheckedIndex; j < numCerts; j++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (certs, j, (PKIX_PL_Object **)&cert, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                /* check if cert pointer is valid */
+                PORT_Assert(cert);
+                if (cert == NULL) {
+                    continue;
+                }
+
+#ifdef DEBUG_kaie
+                pkix_trace_dump_cert("pkix_CheckChain", cert, plContext);
+#endif
+
+                if (revChecking == PKIX_FALSE) {
+
+                        PKIX_CHECK(pkix_CheckCert
+                                (cert,
+                                checkers,
+                                removeCheckedExtOIDs,
+                                pCheckerIndex,
+                                &nbioContext,
+                                plContext),
+                                PKIX_CHECKCERTFAILED);
+
+                        if (nbioContext != NULL) {
+                                *pCertCheckedIndex = j;
+                                *pRevChecking = revChecking;
+                                *pNBIOContext = nbioContext;
+                                goto cleanup;
+                        }
+
+                        revChecking = PKIX_TRUE;
+                        *pCheckerIndex = 0;
+                }
+
+                if (revChecking == PKIX_TRUE) {
+
+                        PKIX_CHECK(pkix_RevCheckCert
+                                (cert,
+                                revCheckers,
+                                procParams,
+                                pCheckerIndex,
+                                &nbioContext,
+                                (PKIX_UInt32 *)&reasonCode,
+                                plContext),
+                                PKIX_REVCHECKCERTFAILED);
+
+                        if (nbioContext != NULL) {
+                                *pCertCheckedIndex = j;
+                                *pRevChecking = revChecking;
+                                *pNBIOContext = nbioContext;
+                                goto cleanup;
+                        }
+
+                        if (reasonCode != 0) {
+                            *pReasonCode = (PKIX_UInt32)reasonCode;
+                            pkixErrorReceived = PKIX_TRUE;
+                            if (reasonCode ==
+                                SEC_ERROR_OCSP_INVALID_SIGNING_CERT) {
+                                    pkixErrorCode =
+                                        PKIX_INVALIDSIGNINGCERTINOCSPRESPONSE;
+                            } else if (reasonCode ==
+                                SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) {
+                                    pkixErrorCode =
+                                        PKIX_UNABLETOFINDSTATUSINOCSPRESPONSE;
+                            } else if (reasonCode ==
+                                SEC_ERROR_OCSP_MALFORMED_RESPONSE) {
+                                    pkixErrorCode =
+                                        PKIX_UNABLETOPARSEOCSPRESPONSE;
+                            } else if (reasonCode ==
+                                SEC_ERROR_REVOKED_CERTIFICATE_OCSP) {
+                                    pkixErrorCode =
+                                        PKIX_OCSPRESPONSESAYSCERTREVOKED;
+                            } else {
+                                    pkixErrorCode =
+                                        PKIX_CERTREJECTEDBYREVOCATIONCHECKER;
+                            }
+                            PKIX_ERROR_CREATE
+                                (VALIDATE, pkixErrorCode, pkixErrorResult);
+                            goto cleanup;
+                        }
+
+                        revChecking = PKIX_FALSE;
+                        *pCheckerIndex = 0;
+                }
+
+                PKIX_CHECK(pkix_AddToVerifyLog
+                        (cert, j, NULL, pVerifyTree, plContext),
+                        PKIX_ADDTOVERIFYLOGFAILED);
+                PKIX_DECREF(cert);
+        }
+
+        PKIX_CHECK(pkix_RetrieveOutputs
+                    (checkers, pFinalSubjPubKey, pPolicyTree, plContext),
+                    PKIX_RETRIEVEOUTPUTSFAILED);
+
+        *pReasonCode = (PKIX_UInt32)reasonCode;
+        *pNBIOContext = NULL;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED && cert) {
+            pkixErrorReceived = PKIX_TRUE;
+            pkixErrorCode = pkixErrorResult->errCode;
+            checkCertError = pkixErrorResult;
+            
+            PKIX_CHECK_FATAL(
+                pkix_AddToVerifyLog(cert, j, checkCertError, pVerifyTree,
+                                    plContext),
+                PKIX_ADDTOVERIFYLOGFAILED);
+            pkixErrorResult = checkCertError;
+            checkCertError = NULL;
+        }
+
+fatal:
+        PKIX_DECREF(checkCertError);
+        PKIX_DECREF(cert);
+
+        PKIX_RETURN(VALIDATE);
+}
+
+/*
+ * FUNCTION: pkix_ExtractParameters
+ * DESCRIPTION:
+ *
+ *  Extracts several parameters from the ValidateParams object pointed to by
+ *  "valParams" and stores the CertChain at "pChain", the List of Certs at
+ *  "pCerts", the number of Certs in the chain at "pNumCerts", the
+ *  ProcessingParams object at "pProcParams", the List of TrustAnchors at
+ *  "pAnchors", and the number of TrustAnchors at "pNumAnchors".
+ *
+ * PARAMETERS:
+ *  "valParams"
+ *      Address of ValidateParams from which the parameters are extracted.
+ *      Must be non-NULL.
+ *  "pCerts"
+ *      Address where object pointer for List of Certs will be stored.
+ *      Must be non-NULL.
+ *  "pNumCerts"
+ *      Address where number of Certs will be stored. Must be non-NULL.
+ *  "pProcParams"
+ *      Address where object pointer for ProcessingParams will be stored.
+ *      Must be non-NULL.
+ *  "pAnchors"
+ *      Address where object pointer for List of Anchors will be stored.
+ *      Must be non-NULL.
+ *  "pNumAnchors"
+ *      Address where number of Anchors will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Validate Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_ExtractParameters(
+        PKIX_ValidateParams *valParams,
+        PKIX_List **pCerts,
+        PKIX_UInt32 *pNumCerts,
+        PKIX_ProcessingParams **pProcParams,
+        PKIX_List **pAnchors,
+        PKIX_UInt32 *pNumAnchors,
+        void *plContext)
+{
+        PKIX_ENTER(VALIDATE, "pkix_ExtractParameters");
+        PKIX_NULLCHECK_THREE(valParams, pCerts, pNumCerts);
+        PKIX_NULLCHECK_THREE(pProcParams, pAnchors, pNumAnchors);
+
+        /* extract relevant parameters from chain */
+        PKIX_CHECK(PKIX_ValidateParams_GetCertChain
+                (valParams, pCerts, plContext),
+                PKIX_VALIDATEPARAMSGETCERTCHAINFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(*pCerts, pNumCerts, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        /* extract relevant parameters from procParams */
+        PKIX_CHECK(PKIX_ValidateParams_GetProcessingParams
+                (valParams, pProcParams, plContext),
+                PKIX_VALIDATEPARAMSGETPROCESSINGPARAMSFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors
+                (*pProcParams, pAnchors, plContext),
+                PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(*pAnchors, pNumAnchors, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+cleanup:
+
+        PKIX_RETURN(VALIDATE);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_ValidateChain (see comments in pkix.h)
+ */
+PKIX_Error *
+PKIX_ValidateChain(
+        PKIX_ValidateParams *valParams,
+        PKIX_ValidateResult **pResult,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext)
+{
+        PKIX_Error *chainFailed = NULL;
+
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_CertChainChecker *userChecker = NULL;
+        PKIX_List *certs = NULL;
+        PKIX_List *checkers = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *userCheckers = NULL;
+        PKIX_List *userCheckerExtOIDs = NULL;
+        PKIX_List *validateCheckedCritExtOIDsList = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_PublicKey *finalPubKey = NULL;
+        PKIX_PolicyNode *validPolicyTree = NULL;
+        PKIX_Boolean supportForwarding = PKIX_FALSE;
+        PKIX_Boolean revChecking = PKIX_FALSE;
+        PKIX_UInt32 i, numCerts, numAnchors;
+        PKIX_UInt32 numUserCheckers = 0;
+        PKIX_UInt32 certCheckedIndex = 0;
+        PKIX_UInt32 checkerIndex = 0;
+        PKIX_UInt32 reasonCode = 0;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(VALIDATE, "PKIX_ValidateChain");
+        PKIX_NULLCHECK_TWO(valParams, pResult);
+
+        /* extract various parameters from valParams */
+        PKIX_CHECK(pkix_ExtractParameters
+                    (valParams,
+                    &certs,
+                    &numCerts,
+                    &procParams,
+                    &anchors,
+                    &numAnchors,
+                    plContext),
+                    PKIX_EXTRACTPARAMETERSFAILED);
+
+        /*
+         * setup an extension OID list that user had defined for his checker
+         * processing. User checker is not responsible for taking out OIDs
+         * from unresolved critical extension list as the libpkix checker
+         * is doing. Here we add those user checkers' OIDs to the removal
+         * list to be taken out by CheckChain
+         */
+        PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers
+                    (procParams, &userCheckers, plContext),
+                    PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED);
+
+        if (userCheckers != NULL) {
+
+                PKIX_CHECK(PKIX_List_Create
+                    (&validateCheckedCritExtOIDsList,
+                    plContext),
+                    PKIX_LISTCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_GetLength
+                    (userCheckers, &numUserCheckers, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numUserCheckers; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (userCheckers,
+                        i,
+                        (PKIX_PL_Object **) &userChecker,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK
+                        (PKIX_CertChainChecker_IsForwardCheckingSupported
+                        (userChecker, &supportForwarding, plContext),
+                        PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED);
+
+                    if (supportForwarding == PKIX_FALSE) {
+
+                        PKIX_CHECK
+                            (PKIX_CertChainChecker_GetSupportedExtensions
+                            (userChecker, &userCheckerExtOIDs, plContext),
+                            PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
+
+                        if (userCheckerExtOIDs != NULL) {
+                            PKIX_CHECK(pkix_List_AppendList
+                                (validateCheckedCritExtOIDsList,
+                                userCheckerExtOIDs,
+                                plContext),
+                                PKIX_LISTAPPENDLISTFAILED);
+                        }
+                    }
+
+                    PKIX_DECREF(userCheckerExtOIDs);
+                    PKIX_DECREF(userChecker);
+                }
+        }
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetRevocationCheckers
+                (procParams, &revCheckers, plContext),
+                PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERSFAILED);
+
+        /* try to validate the chain with each anchor */
+        for (i = 0; i < numAnchors; i++){
+
+                /* get trust anchor */
+                PKIX_CHECK(PKIX_List_GetItem
+                        (anchors, i, (PKIX_PL_Object **)&anchor, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                /* initialize checkers using information from trust anchor */
+                PKIX_CHECK(pkix_InitializeCheckers
+                        (anchor, procParams, numCerts, &checkers, plContext),
+                        PKIX_INITIALIZECHECKERSFAILED);
+
+                /*
+                 * Validate the chain using this trust anchor and these
+                 * checkers. (WARNING: checkers that use non-blocking I/O
+                 * are not currently supported.)
+                 */
+                certCheckedIndex = 0;
+                checkerIndex = 0;
+                revChecking = PKIX_FALSE;
+                chainFailed = pkix_CheckChain
+                        (certs,
+                        numCerts,
+                        checkers,
+                        revCheckers,
+                        validateCheckedCritExtOIDsList,
+                        procParams,
+                        &certCheckedIndex,
+                        &checkerIndex,
+                        &revChecking,
+                        &reasonCode,
+                        &nbioContext,
+                        &finalPubKey,
+                        &validPolicyTree,
+                        pVerifyTree,
+                        plContext);
+
+                if (chainFailed || (reasonCode != 0)) {
+
+                        /* cert chain failed to validate */
+
+                        PKIX_DECREF(chainFailed);
+                        PKIX_DECREF(anchor);
+                        PKIX_DECREF(checkers);
+                        PKIX_DECREF(validPolicyTree);
+
+                        /* if last anchor, we fail; else, we try next anchor */
+                        if (i == (numAnchors - 1)) { /* last anchor */
+                                PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
+                        }
+
+                } else {
+
+                        /* cert chain successfully validated! */
+                        PKIX_CHECK(pkix_ValidateResult_Create
+                                (finalPubKey,
+                                anchor,
+                                validPolicyTree,
+                                &valResult,
+                                plContext),
+                                PKIX_VALIDATERESULTCREATEFAILED);
+
+                        *pResult = valResult;
+
+                        /* no need to try any more anchors in the loop */
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(finalPubKey);
+        PKIX_DECREF(certs);
+        PKIX_DECREF(anchors);
+        PKIX_DECREF(anchor);
+        PKIX_DECREF(checkers);
+        PKIX_DECREF(revCheckers);
+        PKIX_DECREF(validPolicyTree);
+        PKIX_DECREF(chainFailed);
+        PKIX_DECREF(procParams);
+        PKIX_DECREF(userCheckers);
+        PKIX_DECREF(validateCheckedCritExtOIDsList);
+
+        PKIX_RETURN(VALIDATE);
+}
+
+/*
+ * FUNCTION: pkix_Validate_BuildUserOIDs
+ * DESCRIPTION:
+ *
+ *  This function creates a List of the OIDs that are processed by the user
+ *  checkers in the List pointed to by "userCheckers", storing the resulting
+ *  List at "pUserCritOIDs". If the List of userCheckers is NULL, the output
+ *  List will be NULL. Otherwise the output List will be non-NULL, but may be
+ *  empty.
+ *
+ * PARAMETERS:
+ *  "userCheckers"
+ *      The address of the List of userCheckers.
+ *  "pUserCritOIDs"
+ *      The address at which the List is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a VALIDATE Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_Validate_BuildUserOIDs(
+        PKIX_List *userCheckers,
+        PKIX_List **pUserCritOIDs,
+        void *plContext)
+{
+        PKIX_UInt32 numUserCheckers = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_List *userCritOIDs = NULL;
+        PKIX_List *userCheckerExtOIDs = NULL;
+        PKIX_Boolean supportForwarding = PKIX_FALSE;
+        PKIX_CertChainChecker *userChecker = NULL;
+
+        PKIX_ENTER(VALIDATE, "pkix_Validate_BuildUserOIDs");
+        PKIX_NULLCHECK_ONE(pUserCritOIDs);
+
+        if (userCheckers != NULL) {
+            PKIX_CHECK(PKIX_List_Create(&userCritOIDs, plContext),
+                PKIX_LISTCREATEFAILED);
+
+            PKIX_CHECK(PKIX_List_GetLength
+                (userCheckers, &numUserCheckers, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+            for (i = 0; i < numUserCheckers; i++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                    (userCheckers,
+                    i,
+                    (PKIX_PL_Object **) &userChecker,
+                    plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_CertChainChecker_IsForwardCheckingSupported
+                    (userChecker, &supportForwarding, plContext),
+                    PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED);
+
+                if (supportForwarding == PKIX_FALSE) {
+
+                    PKIX_CHECK(PKIX_CertChainChecker_GetSupportedExtensions
+                        (userChecker, &userCheckerExtOIDs, plContext),
+                        PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED);
+
+                    if (userCheckerExtOIDs != NULL) {
+                        PKIX_CHECK(pkix_List_AppendList
+                            (userCritOIDs, userCheckerExtOIDs, plContext),
+                            PKIX_LISTAPPENDLISTFAILED);
+                    }
+                }
+
+                PKIX_DECREF(userCheckerExtOIDs);
+                PKIX_DECREF(userChecker);
+            }
+        }
+
+        *pUserCritOIDs = userCritOIDs;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(userCritOIDs);
+        }
+
+        PKIX_DECREF(userCheckerExtOIDs);
+        PKIX_DECREF(userChecker);
+
+        PKIX_RETURN(VALIDATE);
+}
+
+/*
+ * FUNCTION: PKIX_ValidateChain_nb (see comments in pkix.h)
+ */
+PKIX_Error *
+PKIX_ValidateChain_NB(
+        PKIX_ValidateParams *valParams,
+        PKIX_UInt32 *pCertIndex,
+        PKIX_UInt32 *pAnchorIndex,
+        PKIX_UInt32 *pCheckerIndex,
+        PKIX_Boolean *pRevChecking,
+        PKIX_List **pCheckers,
+        void **pNBIOContext,
+        PKIX_ValidateResult **pResult,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext)
+{
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 numAnchors = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 certIndex = 0;
+        PKIX_UInt32 anchorIndex = 0;
+        PKIX_UInt32 checkerIndex = 0;
+        PKIX_UInt32 reasonCode = 0;
+        PKIX_Boolean revChecking = PKIX_FALSE;
+        PKIX_List *certs = NULL;
+        PKIX_List *anchors = NULL;
+        PKIX_List *checkers = NULL;
+        PKIX_List *userCheckers = NULL;
+        PKIX_List *revCheckers = NULL;
+        PKIX_List *validateCheckedCritExtOIDsList = NULL;
+        PKIX_TrustAnchor *anchor = NULL;
+        PKIX_ValidateResult *valResult = NULL;
+        PKIX_PL_PublicKey *finalPubKey = NULL;
+        PKIX_PolicyNode *validPolicyTree = NULL;
+        PKIX_ProcessingParams *procParams = NULL;
+        PKIX_Error *chainFailed = NULL;
+        void *nbioContext = NULL;
+
+        PKIX_ENTER(VALIDATE, "PKIX_ValidateChain_NB");
+        PKIX_NULLCHECK_FOUR
+                (valParams, pCertIndex, pAnchorIndex, pCheckerIndex);
+        PKIX_NULLCHECK_FOUR(pRevChecking, pCheckers, pNBIOContext, pResult);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        /* extract various parameters from valParams */
+        PKIX_CHECK(pkix_ExtractParameters
+                    (valParams,
+                    &certs,
+                    &numCerts,
+                    &procParams,
+                    &anchors,
+                    &numAnchors,
+                    plContext),
+                    PKIX_EXTRACTPARAMETERSFAILED);
+
+        /*
+         * Create a List of the OIDs that will be processed by the user
+         * checkers. User checkers are not responsible for removing OIDs from
+         * the List of unresolved critical extensions, as libpkix checkers are.
+         * So we add those user checkers' OIDs to the removal list to be taken
+         * out by CheckChain.
+         */
+        PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers
+                (procParams, &userCheckers, plContext),
+                PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED);
+
+        PKIX_CHECK(pkix_Validate_BuildUserOIDs
+                (userCheckers, &validateCheckedCritExtOIDsList, plContext),
+                PKIX_VALIDATEBUILDUSEROIDSFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetRevocationCheckers
+                (procParams, &revCheckers, plContext),
+                PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERSFAILED);
+
+        /* Are we resuming after a WOULDBLOCK return, or starting anew ? */
+        if (nbioContext != NULL) {
+                /* Resuming */
+                certIndex = *pCertIndex;
+                anchorIndex = *pAnchorIndex;
+                checkerIndex = *pCheckerIndex;
+                revChecking = *pRevChecking;
+                checkers = *pCheckers;
+                *pCheckers = NULL;
+        }
+
+        /* try to validate the chain with each anchor */
+        for (i = anchorIndex; i < numAnchors; i++) {
+
+                /* get trust anchor */
+                PKIX_CHECK(PKIX_List_GetItem
+                        (anchors, i, (PKIX_PL_Object **)&anchor, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                /* initialize checkers using information from trust anchor */
+                if (nbioContext == NULL) {
+                        PKIX_CHECK(pkix_InitializeCheckers
+                                (anchor,
+                                procParams,
+                                numCerts,
+                                &checkers,
+                                plContext),
+                                PKIX_INITIALIZECHECKERSFAILED);
+                }
+
+                /*
+                 * Validate the chain using this trust anchor and these
+                 * checkers.
+                 */
+                chainFailed = pkix_CheckChain
+                        (certs,
+                        numCerts,
+                        checkers,
+                        revCheckers,
+                        validateCheckedCritExtOIDsList,
+                        procParams,
+                        &certIndex,
+                        &checkerIndex,
+                        &revChecking,
+                        &reasonCode,
+                        &nbioContext,
+                        &finalPubKey,
+                        &validPolicyTree,
+                        pVerifyTree,
+                        plContext);
+
+                if (nbioContext != NULL) {
+                        *pCertIndex = certIndex;
+                        *pAnchorIndex = anchorIndex;
+                        *pCheckerIndex = checkerIndex;
+                        *pRevChecking = revChecking;
+                        PKIX_INCREF(checkers);
+                        *pCheckers = checkers;
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+                if (chainFailed || (reasonCode != 0)) {
+
+                        /* cert chain failed to validate */
+
+                        PKIX_DECREF(chainFailed);
+                        PKIX_DECREF(anchor);
+                        PKIX_DECREF(checkers);
+                        PKIX_DECREF(validPolicyTree);
+
+                        /* if last anchor, we fail; else, we try next anchor */
+                        if (i == (numAnchors - 1)) { /* last anchor */
+                                PKIX_ERROR(PKIX_VALIDATECHAINFAILED);
+                        }
+
+                } else {
+
+                        /* cert chain successfully validated! */
+                        PKIX_CHECK(pkix_ValidateResult_Create
+                                (finalPubKey,
+                                anchor,
+                                validPolicyTree,
+                                &valResult,
+                                plContext),
+                                PKIX_VALIDATERESULTCREATEFAILED);
+
+                        *pResult = valResult;
+
+                        /* no need to try any more anchors in the loop */
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(finalPubKey);
+        PKIX_DECREF(certs);
+        PKIX_DECREF(anchors);
+        PKIX_DECREF(anchor);
+        PKIX_DECREF(checkers);
+        PKIX_DECREF(revCheckers);
+        PKIX_DECREF(validPolicyTree);
+        PKIX_DECREF(chainFailed);
+        PKIX_DECREF(procParams);
+        PKIX_DECREF(userCheckers);
+        PKIX_DECREF(validateCheckedCritExtOIDsList);
+
+        PKIX_RETURN(VALIDATE);
+}
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_validate.h b/security/nss/lib/libpkix/pkix/top/pkix_validate.h
new file mode 100755
index 000000000..96b77908b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/top/pkix_validate.h
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_validate.h
+ *
+ * Header file for validateChain function
+ *
+ */
+
+#ifndef _PKIX_VALIDATE_H
+#define _PKIX_VALIDATE_H
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_CheckChain(
+        PKIX_List *certs,
+        PKIX_UInt32 numCerts,
+        PKIX_List *checkers,
+        PKIX_List *revCheckers,
+        PKIX_List *buildCheckedExtOIDs,
+        PKIX_ProcessingParams *procParams,
+        PKIX_UInt32 *pCertCheckedIndex,
+        PKIX_UInt32 *pCheckerIndex,
+        PKIX_Boolean *pRevChecking,
+        PKIX_UInt32 *pReasonCode,
+        void **pNBIOContext,
+        PKIX_PL_PublicKey **pFinalSubjPubKey,
+        PKIX_PolicyNode **pPolicyTree,
+        PKIX_VerifyNode **pVerifyTree,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_VALIDATE_H */
diff --git a/security/nss/lib/libpkix/pkix/util/Makefile b/security/nss/lib/libpkix/pkix/util/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix/util/config.mk b/security/nss/lib/libpkix/pkix/util/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix/util/manifest.mn b/security/nss/lib/libpkix/pkix/util/manifest.mn
new file mode 100755
index 000000000..8776310b4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/manifest.mn
@@ -0,0 +1,63 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_tools.h \
+	pkix_error.h \
+	pkix_logger.h \
+	pkix_list.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_tools.c \
+	pkix_error.c \
+	pkix_logger.c \
+	pkix_list.c \
+	pkix_errpaths.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixutil
+
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_error.c b/security/nss/lib/libpkix/pkix/util/pkix_error.c
new file mode 100755
index 000000000..e2b5fc9a9
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_error.c
@@ -0,0 +1,579 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_error.c
+ *
+ * Error Object Functions
+ *
+ */
+
+#include "pkix_error.h"
+
+#undef PKIX_ERRORENTRY
+
+#define PKIX_ERRORENTRY(name,desc,nsserr) #desc
+
+const char * const PKIX_ErrorText[] =
+{
+#include "pkix_errorstrings.h"
+};
+
+extern const int PKIX_PLErrorIndex[];
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_Error_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Error_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_Error *firstError = NULL;
+        PKIX_Error *secondError = NULL;
+        PKIX_Error *firstCause = NULL;
+        PKIX_Error *secondCause = NULL;
+        PKIX_PL_Object *firstInfo = NULL;
+        PKIX_PL_Object *secondInfo = NULL;
+        PKIX_ERRORCLASS firstClass, secondClass;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean boolResult, unequalFlag;
+
+        PKIX_ENTER(ERROR, "pkix_Error_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        unequalFlag = PKIX_FALSE;
+
+        /* First just compare pointer values to save time */
+        if (firstObject == secondObject) {
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        } else {
+                /* Result will only be set to true if all tests pass */
+                *pResult = PKIX_FALSE;
+        }
+
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_ERROR_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTANERROROBJECT);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_ERRORGETTINGSECONDOBJECTTYPE);
+
+        /* If types differ, then return false. Result is already set */
+        if (secondType != PKIX_ERROR_TYPE) goto cleanup;
+
+        /* It is safe to cast to PKIX_Error */
+        firstError = (PKIX_Error *) firstObject;
+        secondError = (PKIX_Error *) secondObject;
+
+        /* Compare error codes */
+        firstClass = firstError->errClass;
+        secondClass = secondError->errClass;
+
+        /* If codes differ, return false. Result is already set */
+        if (firstClass != secondClass) goto cleanup;
+
+        /* Compare causes */
+        firstCause = firstError->cause;
+        secondCause = secondError->cause;
+
+        /* Ensure that either both or none of the causes are NULL */
+        if (((firstCause != NULL) && (secondCause == NULL))||
+            ((firstCause == NULL) && (secondCause != NULL)))
+                unequalFlag = PKIX_TRUE;
+
+        if ((firstCause != NULL) && (secondCause != NULL)) {
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object*)firstCause,
+                            (PKIX_PL_Object*)secondCause,
+                            &boolResult,
+                            plContext),
+                            PKIX_ERRORINRECURSIVEEQUALSCALL);
+
+                /* Set the unequalFlag so that we return after dec refing */
+                if (boolResult == 0) unequalFlag = PKIX_TRUE;
+        }
+
+        /* If the cause errors are not equal, return null */
+        if (unequalFlag) goto cleanup;
+
+        /* Compare info fields */
+        firstInfo = firstError->info;
+        secondInfo = secondError->info;
+
+        if (firstInfo != secondInfo) goto cleanup;
+
+        /* Ensure that either both or none of the infos are NULL */
+        if (((firstInfo != NULL) && (secondInfo == NULL))||
+            ((firstInfo == NULL) && (secondInfo != NULL)))
+                unequalFlag = PKIX_TRUE;
+
+        if ((firstInfo != NULL) && (secondInfo != NULL)) {
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object*)firstInfo,
+                            (PKIX_PL_Object*)secondInfo,
+                            &boolResult,
+                            plContext),
+                            PKIX_ERRORINRECURSIVEEQUALSCALL);
+
+                /* Set the unequalFlag so that we return after dec refing */
+                if (boolResult == 0) unequalFlag = PKIX_TRUE;
+        }
+
+        /* If the infos are not equal, return null */
+        if (unequalFlag) goto cleanup;
+
+
+        /* Compare descs */
+        if (firstError->errCode != secondError->errCode) {
+                unequalFlag = PKIX_TRUE;
+        }
+
+        if (firstError->plErr != secondError->plErr) {
+                unequalFlag = PKIX_TRUE;
+        }
+
+        /* If the unequalFlag was set, return false */
+        if (unequalFlag) goto cleanup;
+
+        /* Errors are equal in all fields at this point */
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: pkix_Error_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Error_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_Error *error = NULL;
+
+        PKIX_ENTER(ERROR, "pkix_Error_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_ERROR_TYPE, plContext),
+                PKIX_OBJECTNOTANERROR);
+
+        error = (PKIX_Error *)object;
+
+        PKIX_DECREF(error->cause);
+
+        PKIX_DECREF(error->info);
+
+cleanup:
+
+        PKIX_RETURN(ERROR);
+}
+
+
+/* XXX This is not thread safe */
+static PKIX_UInt32 pkix_error_cause_depth = 1;
+
+/*
+ * FUNCTION: pkix_Error_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Error_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_Error *error = NULL;
+        PKIX_Error *cause = NULL;
+        PKIX_PL_String *desc = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *causeString = NULL;
+        PKIX_PL_String *optCauseString = NULL;
+        PKIX_PL_String *errorNameString = NULL;
+        char *format = NULL;
+        PKIX_ERRORCLASS errClass;
+
+        PKIX_ENTER(ERROR, "pkix_Error_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_ERROR_TYPE, plContext),
+                PKIX_OBJECTNOTANERROR);
+
+        error = (PKIX_Error *)object;
+
+        /* Get this error's errClass, description and the string of its cause */
+        errClass = error->errClass;
+
+        /* Get the description string */
+        PKIX_Error_GetDescription(error, &desc, plContext);
+            
+        /* Get the cause */
+        cause = error->cause;
+
+        /* Get the causes's description string */
+        if (cause != NULL) {
+                pkix_error_cause_depth++;
+
+                /* Get the cause string */
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object*)cause, &causeString, plContext),
+                            PKIX_ERRORGETTINGCAUSESTRING);
+
+                format = "\n*** Cause (%d): %s";
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII,
+                            format,
+                            0,
+                            &formatString,
+                            plContext),
+                            PKIX_STRINGCREATEFAILED);
+
+                /* Create the optional Cause String */
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&optCauseString,
+                            plContext,
+                            formatString,
+                            pkix_error_cause_depth,
+                            causeString),
+                            PKIX_SPRINTFFAILED);
+
+                PKIX_DECREF(formatString);
+
+                pkix_error_cause_depth--;
+        }
+
+        /* Create the Format String */
+        if (optCauseString != NULL) {
+                format = "*** %s Error- %s%s";
+        } else {
+                format = "*** %s Error- %s";
+        }
+
+        /* Ensure that error errClass is known, otherwise default to Object */
+        if (errClass >= PKIX_NUMERRORCLASSES) {
+                errClass = 0;
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    (void *)PKIX_ERRORCLASSNAMES[errClass],
+                    0,
+                    &errorNameString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    format,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        /* Create the output String */
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (pString,
+                    plContext,
+                    formatString,
+                    errorNameString,
+                    desc,
+                    optCauseString),
+                    PKIX_SPRINTFFAILED);
+
+cleanup:
+
+        PKIX_DECREF(desc);
+        PKIX_DECREF(causeString);
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(optCauseString);
+        PKIX_DECREF(errorNameString);
+
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: pkix_Error_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Error_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pResult,
+        void *plContext)
+{
+        PKIX_ENTER(ERROR, "pkix_Error_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pResult);
+
+        /* XXX Unimplemented */
+        /* XXX Need to make hashcodes equal when two errors are equal */
+        *pResult = (PKIX_UInt32)object;
+
+        PKIX_RETURN(ERROR);
+}
+
+/* --Initializers------------------------------------------------- */
+
+/*
+ * PKIX_ERRORCLASSNAMES is an array of strings, with each string holding a
+ * descriptive name for an error errClass. This is used by the default
+ * PKIX_PL_Error_ToString function.
+ *
+ * Note: PKIX_ERRORCLASSES is defined in pkixt.h as a list of error types.
+ * (More precisely, as a list of invocations of ERRMACRO(type).) The
+ * macro is expanded in pkixt.h to define error numbers, and here to
+ * provide corresponding strings. For example, since the fifth ERRMACRO
+ * entry is MUTEX, then PKIX_MUTEX_ERROR is defined in pkixt.h as 4, and
+ * PKIX_ERRORCLASSNAMES[4] is initialized here with the value "MUTEX".
+ */
+#undef ERRMACRO
+#define ERRMACRO(type) #type
+
+const char *
+PKIX_ERRORCLASSNAMES[PKIX_NUMERRORCLASSES] =
+{
+    PKIX_ERRORCLASSES
+};
+
+/*
+ * FUNCTION: pkix_Error_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_ERROR_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_Error_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(ERROR, "pkix_Error_RegisterSelf");
+
+        entry.description = "Error";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_Error);
+        entry.destructor = pkix_Error_Destroy;
+        entry.equalsFunction = pkix_Error_Equals;
+        entry.hashcodeFunction = pkix_Error_Hashcode;
+        entry.toStringFunction = pkix_Error_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_ERROR_TYPE] = entry;
+
+        PKIX_RETURN(ERROR);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_Error_Create (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_Create(
+        PKIX_ERRORCLASS errClass,
+        PKIX_Error *cause,
+        PKIX_PL_Object *info,
+        PKIX_ERRORCODE errCode,
+        PKIX_Error **pError,
+        void *plContext)
+{
+        PKIX_Error *tempCause = NULL;
+        PKIX_Error *error = NULL;
+
+        PKIX_ENTER(ERROR, "PKIX_Error_Create");
+
+        PKIX_NULLCHECK_ONE(pError);
+
+        /*
+         * when called here, if PKIX_PL_Object_Alloc returns an error,
+         * it must be a PKIX_ALLOC_ERROR
+         */
+        pkixErrorResult = PKIX_PL_Object_Alloc
+                (PKIX_ERROR_TYPE,
+                ((PKIX_UInt32)(sizeof (PKIX_Error))),
+                (PKIX_PL_Object **)&error,
+                plContext);
+
+        if (pkixErrorResult) return (pkixErrorResult);
+
+        error->errClass = errClass;
+
+        /* Ensure we don't have a loop. Follow causes until NULL */
+        for (tempCause = cause;
+            tempCause != NULL;
+            tempCause = tempCause->cause) {
+                /* If we detect a loop, throw a new error */
+                if (tempCause == error) {
+                        PKIX_ERROR(PKIX_LOOPOFERRORCAUSEDETECTED);
+                }
+        }
+
+        PKIX_INCREF(cause);
+        error->cause = cause;
+
+        PKIX_INCREF(info);
+        error->info = info;
+
+        error->errCode = errCode;
+
+        error->plErr = PKIX_PLErrorIndex[error->errCode];
+
+        *pError = error;
+        error = NULL;
+
+cleanup:
+        /* PKIX-XXX Fix for leak during error creation */
+        PKIX_DECREF(error);
+
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: PKIX_Error_GetErrorClass (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_GetErrorClass(
+        PKIX_Error *error,
+        PKIX_ERRORCLASS *pClass,
+        void *plContext)
+{
+        PKIX_ENTER(ERROR, "PKIX_Error_GetErrorClass");
+        PKIX_NULLCHECK_TWO(error, pClass);
+
+        *pClass = error->errClass;
+
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: PKIX_Error_GetErrorCode (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_GetErrorCode(
+        PKIX_Error *error,
+        PKIX_ERRORCODE *pCode,
+        void *plContext)
+{
+        PKIX_ENTER(ERROR, "PKIX_Error_GetErrorCode");
+        PKIX_NULLCHECK_TWO(error, pCode);
+
+        *pCode = error->errCode;
+
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: PKIX_Error_GetCause (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_GetCause(
+        PKIX_Error *error,
+        PKIX_Error **pCause,
+        void *plContext)
+{
+        PKIX_ENTER(ERROR, "PKIX_Error_GetCause");
+        PKIX_NULLCHECK_TWO(error, pCause);
+
+        if (error->cause != PKIX_ALLOC_ERROR()){
+                PKIX_INCREF(error->cause);
+        }
+
+        *pCause = error->cause;
+
+cleanup:
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: PKIX_Error_GetSupplementaryInfo (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_GetSupplementaryInfo(
+        PKIX_Error *error,
+        PKIX_PL_Object **pInfo,
+        void *plContext)
+{
+        PKIX_ENTER(ERROR, "PKIX_Error_GetSupplementaryInfo");
+        PKIX_NULLCHECK_TWO(error, pInfo);
+
+        PKIX_INCREF(error->info);
+
+        *pInfo = error->info;
+
+cleanup:
+        PKIX_RETURN(ERROR);
+}
+
+/*
+ * FUNCTION: PKIX_Error_GetDescription (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Error_GetDescription(
+        PKIX_Error *error,
+        PKIX_PL_String **pDesc,
+        void *plContext)
+{
+        PKIX_PL_String *descString = NULL;
+
+        PKIX_ENTER(ERROR, "PKIX_Error_GetDescription");
+        PKIX_NULLCHECK_TWO(error, pDesc);
+
+        PKIX_PL_String_Create(PKIX_ESCASCII,
+                              (void *)PKIX_ErrorText[error->errCode],
+                              0,
+                              &descString,
+                              plContext);
+
+        *pDesc = descString;
+
+        PKIX_RETURN(ERROR);
+}
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_error.h b/security/nss/lib/libpkix/pkix/util/pkix_error.h
new file mode 100755
index 000000000..bfda7cf85
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_error.h
@@ -0,0 +1,69 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_error.h
+ *
+ * Error Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_ERROR_H
+#define _PKIX_ERROR_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_ErrorStruct {
+        PKIX_ERRORCODE errCode;
+        PKIX_ERRORCLASS errClass;  /* was formerly "code" */
+        PKIX_UInt32 plErr;
+        PKIX_Error *cause;
+        PKIX_PL_Object *info;
+};
+
+/* see source file for function documentation */
+
+extern PKIX_Error * pkix_Error_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_ERROR_H */
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_errpaths.c b/security/nss/lib/libpkix/pkix/util/pkix_errpaths.c
new file mode 100644
index 000000000..56bb759a4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_errpaths.c
@@ -0,0 +1,136 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_errpaths.c
+ *
+ * Error Handling Helper Functions
+ *
+ */
+
+#define PKIX_STDVARS_POINTER
+#include "pkix_error.h"
+
+const PKIX_StdVars zeroStdVars;
+
+PKIX_Error*
+PKIX_DoThrow(PKIX_StdVars * stdVars, PKIX_ERRORCLASS errClass, 
+             PKIX_ERRORCODE errCode, PKIX_ERRORCLASS overrideClass,
+             void *plContext)
+{
+    if (!pkixErrorReceived && !pkixErrorResult && pkixErrorList) { 
+        pkixTempResult = PKIX_List_GetItem(pkixErrorList, 0, 
+                         (PKIX_PL_Object**)&pkixReturnResult,
+                                           plContext); 
+    } else { 
+        pkixTempResult = (PKIX_Error*)pkix_Throw(errClass, myFuncName, errCode,
+                                                 overrideClass, pkixErrorResult,
+                                                 &pkixReturnResult, plContext);
+    }
+    if (pkixReturnResult) {
+        if (pkixErrorResult != PKIX_ALLOC_ERROR()) {
+            PKIX_DECREF(pkixErrorResult);
+        }
+        pkixTempResult = pkixReturnResult;
+    } else if (pkixErrorResult) {
+        if (pkixTempResult != PKIX_ALLOC_ERROR()) {
+            PKIX_DECREF(pkixTempResult);
+        }
+        pkixTempResult = pkixErrorResult;
+    }
+    if (pkixErrorList) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorList, plContext);
+        pkixErrorList = NULL;
+    }
+    return pkixTempResult;
+}
+
+PKIX_Error *
+PKIX_DoReturn(PKIX_StdVars * stdVars, PKIX_ERRORCLASS errClass,
+              PKIX_Boolean doLogger, void *plContext)
+{
+    PKIX_OBJECT_UNLOCK(lockedObject);
+    if (pkixErrorReceived || pkixErrorResult || pkixErrorList)
+	return PKIX_DoThrow(stdVars, errClass, pkixErrorCode, pkixErrorClass,
+                             plContext);
+    /* PKIX_DEBUG_EXIT(type); */
+    if (doLogger)
+	_PKIX_DEBUG_TRACE(pkixLoggersDebugTrace, "<<<", PKIX_LOGGER_LEVEL_TRACE);
+    return NULL;
+}
+
+/* PKIX_DoAddError - creates the list of received error if it does not exist
+ * yet and adds newly received error into the list. */
+void
+PKIX_DoAddError(PKIX_StdVars *stdVars, PKIX_Error *error, void * plContext)
+{
+    PKIX_List *localList = NULL;
+    PKIX_Error *localError = NULL;
+    PKIX_Boolean listCreated = PKIX_FALSE;
+
+    if (!pkixErrorList) {
+        localError = PKIX_List_Create(&localList, plContext);
+        if (localError)
+            goto cleanup;
+        listCreated = PKIX_TRUE;
+    } else {
+        localList = pkixErrorList;
+    }
+
+    localError = PKIX_List_AppendItem(localList, (PKIX_PL_Object*)error,
+                                      plContext);
+    PORT_Assert (localError == NULL);
+    if (localError != NULL) {
+        if (listCreated) {
+            /* ignore the error code of DecRef function */
+            PKIX_PL_Object_DecRef((PKIX_PL_Object*)localList, plContext);
+            localList = NULL;
+        }
+    } else {
+        pkixErrorList = localList;
+    }
+
+cleanup:
+
+    if (localError && localError != PKIX_ALLOC_ERROR()) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object*)localError, plContext);
+    }
+
+    if (error && error != PKIX_ALLOC_ERROR()) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object*)error, plContext);
+    }
+}
+
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_list.c b/security/nss/lib/libpkix/pkix/util/pkix_list.c
new file mode 100755
index 000000000..8d5c8889d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_list.c
@@ -0,0 +1,1725 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_list.c
+ *
+ * List Object Functions
+ *
+ */
+
+#include "pkix_list.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_List_Create_Internal
+ * DESCRIPTION:
+ *
+ *  Creates a new List, using the Boolean value of "isHeader" to determine
+ *  whether the new List should be a header, and stores it at "pList". The
+ *  List is initially empty and holds no items. To initially add items to
+ *  the List, use PKIX_List_AppendItem.
+ *
+ * PARAMETERS:
+ *  "isHeader"
+ *      Boolean value indicating whether new List should be a header.
+ *  "pList"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_List_Create_Internal(
+        PKIX_Boolean isHeader,
+        PKIX_List **pList,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(LIST, "pkix_List_Create_Internal");
+        PKIX_NULLCHECK_ONE(pList);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LIST_TYPE,
+                    ((PKIX_UInt32)(sizeof (PKIX_List))),
+                    (PKIX_PL_Object **)&list, plContext),
+                    PKIX_ERRORCREATINGLISTITEM);
+
+        list->item = NULL;
+        list->next = NULL;
+        list->immutable = PKIX_FALSE;
+        list->length = 0;
+        list->isHeader = isHeader;
+
+        *pList = list;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_List_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(LIST, "pkix_List_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a list */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
+                    PKIX_OBJECTNOTLIST);
+
+        list = (PKIX_List *)object;
+
+        /* We have a valid list. DecRef its item and recurse on next */
+        PKIX_DECREF(list->item);
+        PKIX_DECREF(list->next);
+        list->immutable = PKIX_FALSE;
+        list->length = 0;
+        list->isHeader = PKIX_FALSE;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the List pointed
+ *  to by "list" and stores its address in the object pointed to by "pString".
+ *
+ * PARAMETERS
+ *  "list"
+ *      Address of List whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address of object pointer's destination. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a List Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_List_ToString_Helper(
+        PKIX_List *list,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *itemString = NULL;
+        PKIX_PL_String *nextString = NULL;
+        PKIX_PL_String *format = NULL;
+        PKIX_Boolean empty;
+
+        PKIX_ENTER(LIST, "pkix_List_ToString_Helper");
+        PKIX_NULLCHECK_TWO(list, pString);
+
+        /* special case when list is the header */
+        if (list->isHeader){
+
+                PKIX_CHECK(PKIX_List_IsEmpty(list, &empty, plContext),
+                            PKIX_LISTISEMPTYFAILED);
+
+                if (empty){
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    "EMPTY",
+                                    0,
+                                    &itemString,
+                                    plContext),
+                                    PKIX_ERRORCREATINGITEMSTRING);
+                        (*pString) = itemString;
+                        PKIX_DEBUG_EXIT(LIST);
+                        return (NULL);
+                } else {
+                        PKIX_CHECK(pkix_List_ToString_Helper
+                                    (list->next, &itemString, plContext),
+                                    PKIX_LISTTOSTRINGHELPERFAILED);
+                }
+
+                /* Create a string object from the format */
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII, "%s", 0, &format, plContext),
+                            PKIX_STRINGCREATEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (pString, plContext, format, itemString),
+                            PKIX_SPRINTFFAILED);
+        } else {
+                /* Get a string for this list's item */
+                if (list->item == NULL) {
+                        PKIX_CHECK(PKIX_PL_String_Create
+                                    (PKIX_ESCASCII,
+                                    "(null)",
+                                    0,
+                                    &itemString,
+                                    plContext),
+                                    PKIX_STRINGCREATEFAILED);
+                } else {
+                        PKIX_CHECK(PKIX_PL_Object_ToString
+                                    ((PKIX_PL_Object*)list->item,
+                                    &itemString,
+                                    plContext),
+                                    PKIX_OBJECTTOSTRINGFAILED);
+                }
+                if (list->next == NULL) {
+                        /* Just return the itemstring */
+                        (*pString) = itemString;
+                        PKIX_DEBUG_EXIT(LIST);
+                        return (NULL);
+                }
+
+                /* Recursive call to get string for this list's next pointer */
+                PKIX_CHECK(pkix_List_ToString_Helper
+                            (list->next, &nextString, plContext),
+                            PKIX_LISTTOSTRINGHELPERFAILED);
+
+                /* Create a string object from the format */
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII,
+                            "%s, %s",
+                            0,
+                            &format,
+                            plContext),
+                            PKIX_STRINGCREATEFAILED);
+
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (pString,
+                            plContext,
+                            format,
+                            itemString,
+                            nextString),
+                            PKIX_SPRINTFFAILED);
+        }
+
+cleanup:
+
+        PKIX_DECREF(itemString);
+        PKIX_DECREF(nextString);
+        PKIX_DECREF(format);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_List_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_PL_String *listString = NULL;
+        PKIX_PL_String *format = NULL;
+
+        PKIX_ENTER(LIST, "pkix_List_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
+                    PKIX_OBJECTNOTLIST);
+
+        list = (PKIX_List *)object;
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        PKIX_CHECK(pkix_List_ToString_Helper(list, &listString, plContext),
+                    PKIX_LISTTOSTRINGHELPERFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII, "(%s)", 0, &format, plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf(pString, plContext, format, listString),
+                    PKIX_SPRINTFFAILED);
+
+cleanup:
+
+        PKIX_DECREF(listString);
+        PKIX_DECREF(format);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_List_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_List *firstList = NULL;
+        PKIX_List *secondList = NULL;
+        PKIX_UInt32 firstLength = 0;
+        PKIX_UInt32 secondLength = 0;
+        PKIX_PL_Object *firstItem = NULL;
+        PKIX_PL_Object *secondItem = NULL;
+        PKIX_UInt32 i = 0;
+
+        PKIX_ENTER(LIST, "pkix_List_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        /* test that first is a List */
+        PKIX_CHECK(pkix_CheckType(first, PKIX_LIST_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTLIST);
+
+        /*
+         * Since we know first is a List, if both references are
+         * identical, they must be equal
+         */
+        if (first == second){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If second isn't a List, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_LIST_TYPE) goto cleanup;
+
+        firstList = (PKIX_List *)first;
+        secondList = (PKIX_List *)second;
+
+        if ((!firstList->isHeader) && (!secondList->isHeader)){
+                PKIX_ERROR(PKIX_INPUTLISTSMUSTBELISTHEADERS);
+        }
+
+        firstLength = firstList->length;
+        secondLength = secondList->length;
+
+        cmpResult = PKIX_FALSE;
+        if (firstLength == secondLength){
+                for (i = 0, cmpResult = PKIX_TRUE;
+                    ((i < firstLength) && cmpResult);
+                    i++){
+                        PKIX_CHECK(PKIX_List_GetItem
+                                    (firstList, i, &firstItem, plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                    (secondList, i, &secondItem, plContext),
+                                    PKIX_LISTGETITEMFAILED);
+
+                        if ((!firstItem && secondItem) ||
+                            (firstItem && !secondItem)){
+                                        cmpResult = PKIX_FALSE;
+                        } else if (!firstItem && !secondItem){
+                                continue;
+                        } else {
+                                PKIX_CHECK(PKIX_PL_Object_Equals
+                                            (firstItem,
+                                            secondItem,
+                                            &cmpResult,
+                                            plContext),
+                                            PKIX_OBJECTEQUALSFAILED);
+
+                                PKIX_DECREF(firstItem);
+                                PKIX_DECREF(secondItem);
+                        }
+                }
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_DECREF(firstItem);
+        PKIX_DECREF(secondItem);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_List_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_PL_Object *element = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 tempHash = 0;
+        PKIX_UInt32 length, i;
+
+        PKIX_ENTER(LIST, "pkix_List_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
+                    PKIX_OBJECTNOTLIST);
+
+        list = (PKIX_List *)object;
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        length = list->length;
+
+        for (i = 0; i < length; i++){
+                PKIX_CHECK(PKIX_List_GetItem(list, i, &element, plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                if (!element){
+                        tempHash = 100;
+                } else {
+                        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                                    (element, &tempHash, plContext),
+                                    PKIX_LISTHASHCODEFAILED);
+                }
+
+                hash = 31 * hash + tempHash;
+
+                PKIX_DECREF(element);
+        }
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_DECREF(element);
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_List_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_List *listDuplicate = NULL;
+
+        PKIX_ENTER(LIST, "pkix_List_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
+                    PKIX_OBJECTNOTLIST);
+
+        list = (PKIX_List *)object;
+
+        if (list->immutable){
+                PKIX_CHECK(pkix_duplicateImmutable
+                            (object, pNewObject, plContext),
+                            PKIX_DUPLICATEIMMUTABLEFAILED);
+        } else {
+
+                PKIX_CHECK(pkix_List_Create_Internal
+                            (list->isHeader, &listDuplicate, plContext),
+                            PKIX_LISTCREATEINTERNALFAILED);
+
+                listDuplicate->length = list->length;
+
+                PKIX_INCREF(list->item);
+                listDuplicate->item = list->item;
+
+                if (list->next == NULL){
+                        listDuplicate->next = NULL;
+                } else {
+                        /* Recursively Duplicate list */
+                        PKIX_CHECK(pkix_List_Duplicate
+                                    ((PKIX_PL_Object *)list->next,
+                                    (PKIX_PL_Object **)&listDuplicate->next,
+                                    plContext),
+                                    PKIX_LISTDUPLICATEFAILED);
+                }
+
+                *pNewObject = (PKIX_PL_Object *)listDuplicate;
+        }
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(listDuplicate);
+        }
+
+        PKIX_RETURN(LIST);
+}
+
+
+/*
+ * FUNCTION: pkix_List_GetElement
+ * DESCRIPTION:
+ *
+ *  Copies the "list"'s element at "index" into "element". The input List must
+ *  be the header of the List (as opposed to being an element of the List). The
+ *  index counts from zero and must be less than the List's length. This
+ *  function does NOT increment the reference count of the List element since
+ *  the returned element's reference will not be stored by the calling
+ *  function.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Address of List (must be header) to get element from. Must be non-NULL.
+ *  "index"
+ *      Index of list to get element from. Must be less than List's length.
+ *  "pElement"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_List_GetElement(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_List **pElement,
+        void *plContext)
+{
+        PKIX_List *iterator = NULL;
+        PKIX_UInt32 length;
+        PKIX_UInt32 position = 0;
+
+        PKIX_ENTER(LIST, "pkix_List_GetElement");
+        PKIX_NULLCHECK_TWO(list, pElement);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        length = list->length;
+
+        if (index >= length) {
+                PKIX_ERROR(PKIX_INDEXOUTOFBOUNDS);
+        }
+
+        for (iterator = list; position++ <= index; iterator = iterator->next)
+                ;
+
+        (*pElement) = iterator;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+
+/*
+ * FUNCTION: pkix_List_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_LIST_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_List_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(LIST, "pkix_List_RegisterSelf");
+
+        entry.description = "List";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_List);
+        entry.destructor = pkix_List_Destroy;
+        entry.equalsFunction = pkix_List_Equals;
+        entry.hashcodeFunction = pkix_List_Hashcode;
+        entry.toStringFunction = pkix_List_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_List_Duplicate;
+
+        systemClasses[PKIX_LIST_TYPE] = entry;
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Contains
+ * DESCRIPTION:
+ *
+ *  Checks a List pointed to by "list", to determine whether it includes
+ *  an entry that is equal to the Object pointed to by "object", and stores
+ *  the result in "pFound".
+ *
+ * PARAMETERS:
+ *  "list"
+ *      List to be searched; may be empty; must be non-NULL
+ *  "object"
+ *      Object to be checked for; must be non-NULL
+ *  "pFound"
+ *      Address where the result of the search will be stored. Must
+ *      be non-NULL
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_Contains(
+        PKIX_List *list,
+        PKIX_PL_Object *object,
+        PKIX_Boolean *pFound,
+        void *plContext)
+{
+        PKIX_PL_Object *current = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+
+        PKIX_ENTER(LIST, "pkix_List_Contains");
+        PKIX_NULLCHECK_THREE(list, object, pFound);
+
+        PKIX_CHECK(PKIX_List_GetLength(list, &numEntries, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (index = 0; index < numEntries; index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (list, index, &current, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (current) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                (object, current, &match, plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        PKIX_DECREF(current);
+                }
+
+                if (match) {
+                        break;
+                }
+        }
+
+        *pFound = match;
+
+cleanup:
+
+        PKIX_DECREF(current);
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_Remove
+ * DESCRIPTION:
+ *
+ *  Traverses the List pointed to by "list", to find and delete an entry
+ *  that is equal to the Object pointed to by "object". If no such entry
+ *  is found the function does not return an error.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      List to be searched; may be empty; must be non-NULL
+ *  "object"
+ *      Object to be checked for and deleted, if found; must be non-NULL
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Validate Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_Remove(
+        PKIX_List *list,
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *current = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+
+        PKIX_ENTER(LIST, "pkix_List_Remove");
+        PKIX_NULLCHECK_TWO(list, object);
+
+        PKIX_CHECK(PKIX_List_GetLength(list, &numEntries, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (index = 0; index < numEntries; index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (list, index, &current, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (current) {
+                        PKIX_CHECK(PKIX_PL_Object_Equals
+                                (object, current, &match, plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        PKIX_DECREF(current);
+                }
+
+                if (match) {
+                        PKIX_CHECK(PKIX_List_DeleteItem
+                                (list, index, plContext),
+                                PKIX_LISTDELETEITEMFAILED);
+                        break;
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(current);
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_RemoveItems
+ * DESCRIPTION:
+ *
+ *  Traverses the List pointed to by "list", to find and delete an entry
+ *  that is equal to the Object in the "deleteList". If no such entry
+ *  is found the function does not return an error.
+ *
+ * PARAMETERS:
+ *  "list"
+ *      Object in "list" is checked for object in "deleteList" and deleted if
+ *      found; may be empty; must be non-NULL
+ *  "deleteList"
+ *      List of objects to be searched ; may be empty; must be non-NULL
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Validate Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_RemoveItems(
+        PKIX_List *list,
+        PKIX_List *deleteList,
+        void *plContext)
+{
+        PKIX_PL_Object *current = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 index = 0;
+
+        PKIX_ENTER(LIST, "pkix_List_RemoveItems");
+        PKIX_NULLCHECK_TWO(list, deleteList);
+
+        PKIX_CHECK(PKIX_List_GetLength(deleteList, &numEntries, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (index = 0; index < numEntries; index++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (deleteList, index, &current, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (current) {
+                        PKIX_CHECK(pkix_List_Remove
+                                (list, current, plContext),
+                                PKIX_OBJECTEQUALSFAILED);
+
+                        PKIX_DECREF(current);
+                }
+        }
+
+cleanup:
+
+        PKIX_DECREF(current);
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_MergeLists
+ * DESCRIPTION:
+ *
+ *  Creates a new list consisting of the items from "firstList", followed by
+ *  the items on "secondList", returns the new list at "pMergedList". If
+ *  both input lists are NULL or empty, the result is an empty list. If an error
+ *  occurs, the result is NULL.
+ *
+ * PARAMETERS:
+ *  "firstList"
+ *      Address of list to be merged from. May be NULL or empty.
+ *  "secondList"
+ *      Address of list to be merged from. May be NULL or empty.
+ *  "pMergedList"
+ *      Address where returned object is stored.
+ *  "plContext"
+ *      platform-specific context pointer * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a List Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_MergeLists(
+        PKIX_List *firstList,
+        PKIX_List *secondList,
+        PKIX_List **pMergedList,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_PL_Object *item = NULL;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(LIST, "pkix_List_MergeLists");
+        PKIX_NULLCHECK_ONE(pMergedList);
+
+        *pMergedList = NULL;
+
+        PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        if (firstList != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength(firstList, &numItems, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+        }
+
+        for (i = 0; i < numItems; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem(firstList, i, &item, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem(list, item, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(item);
+        }
+
+        numItems = 0;
+        if (secondList != NULL) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (secondList,
+                        &numItems,
+                        plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+        }
+
+        for (i = 0; i < numItems; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (secondList, i, &item, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (list, item, plContext), PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(item);
+        }
+
+        *pMergedList = list;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(list);
+        }
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_AppendList
+ * DESCRIPTION:
+ *
+ *  Append items on "fromList" to the "toList". Item reference count on
+ *  "toList" is not incremented, but items appended from "fromList" are
+ *  incremented.
+ *
+ * PARAMETERS:
+ *  "toList"
+ *      Address of list to be appended to. Must be non-NULL.
+ *  "fromList"
+ *      Address of list to be appended from. May be NULL or empty.
+ *  "plContext"
+ *      platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a List Error if the functions fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_AppendList(
+        PKIX_List *toList,
+        PKIX_List *fromList,
+        void *plContext)
+{
+        PKIX_PL_Object *item = NULL;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(LIST, "pkix_List_AppendList");
+        PKIX_NULLCHECK_ONE(toList);
+
+        /* if fromList is NULL or is an empty list, no action */
+
+        if (fromList == NULL) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_List_GetLength(fromList, &numItems, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        if (numItems == 0) {
+                goto cleanup;
+        }
+
+        for (i = 0; i < numItems; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (fromList, i, &item, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem(toList, item, plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(item);
+        }
+
+cleanup:
+
+        PKIX_DECREF(item);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_AppendUnique
+ * DESCRIPTION:
+ *
+ *  Adds each Object in the List pointed to by "fromList" to the List pointed
+ *  to by "toList", if it is not already a member of that List. In other words,
+ *  "toList" becomes the union of the two sets.
+ *
+ * PARAMETERS:
+ *  "toList"
+ *      Address of a List of Objects to be augmented by "fromList". Must be
+ *      non-NULL, but may be empty.
+ *  "fromList"
+ *      Address of a List of Objects to be added, if not already present, to
+ *      "toList". Must be non-NULL, but may be empty.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "toList"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_AppendUnique(
+        PKIX_List *toList,
+        PKIX_List *fromList,
+        void *plContext)
+{
+        PKIX_Boolean isContained = PKIX_FALSE;
+        PKIX_UInt32 listLen = 0;
+        PKIX_UInt32 listIx = 0;
+        PKIX_PL_Object *object = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_List_AppendUnique");
+        PKIX_NULLCHECK_TWO(fromList, toList);
+
+        PKIX_CHECK(PKIX_List_GetLength(fromList, &listLen, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (listIx = 0; listIx < listLen; listIx++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (fromList, listIx, &object, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_List_Contains
+                        (toList, object, &isContained, plContext),
+                        PKIX_LISTCONTAINSFAILED);
+
+                if (isContained == PKIX_FALSE) {
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (toList, object, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(object);
+        }
+
+cleanup:
+
+        PKIX_DECREF(object);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_QuickSort
+ * DESCRIPTION:
+ *
+ *  Sorts List of Objects "fromList" using "comparatorCallback"'s result as
+ *  comasrison key and returns the sorted List at "pSortedList". The sorting
+ *  algorithm used is quick sort (n*logn).
+ *
+ * PARAMETERS:
+ *  "fromList"
+ *      Address of a List of Objects to be sorted. Must be non-NULL, but may be
+ *      empty.
+ *  "comparatorCallback"
+ *      Address of callback function that will compare two Objects on the List.
+ *      It should return -1 for less, 0 for equal and 1 for greater. The
+ *      callback implementation chooses what in Objects to be compared. Must be
+ *      non-NULL.
+ *  "pSortedList"
+ *      Address of a List of Objects that shall be sorted and returned. Must be
+ *      non-NULL, but may be empty.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "toList"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_QuickSort(
+        PKIX_List *fromList,
+        PKIX_List_SortComparatorCallback comparator,
+        PKIX_List **pSortedList,
+        void *plContext)
+{
+        PKIX_List *sortedList = NULL;
+        PKIX_List *lessList = NULL;
+        PKIX_List *greaterList = NULL;
+        PKIX_List *sortedLessList = NULL;
+        PKIX_List *sortedGreaterList = NULL;
+        PKIX_PL_Object *object = NULL;
+        PKIX_PL_Object *cmpObj = NULL;
+        PKIX_Int32 cmpResult = 0;
+        PKIX_UInt32 size = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(BUILD, "pkix_List_QuickSort");
+        PKIX_NULLCHECK_THREE(fromList, comparator, pSortedList);
+
+        PKIX_CHECK(PKIX_List_GetLength(fromList, &size, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&lessList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&greaterList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetItem
+                (fromList, 0, &object, plContext),
+                PKIX_LISTGETITEMFAILED);
+
+        /*
+         * Pick the first item on the list as the one to be compared.
+         * Separate rest of the itmes into two lists: less-than or greater-
+         * than lists. Sort those two lists recursively. Insert sorted
+         * less-than list before the picked item and append the greater-
+         * than list after the picked item.
+         */
+        for (i = 1; i < size; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (fromList, i, &cmpObj, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(comparator(object, cmpObj, &cmpResult, plContext),
+                        PKIX_COMPARATORCALLBACKFAILED);
+
+                if (cmpResult >= 0) {
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (lessList, cmpObj, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                } else {
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (greaterList, cmpObj, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+                PKIX_DECREF(cmpObj);
+        }
+
+        PKIX_CHECK(PKIX_List_Create(&sortedList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(lessList, &size, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        if (size > 1) {
+
+                PKIX_CHECK(pkix_List_QuickSort
+                        (lessList, comparator, &sortedLessList, plContext),
+                        PKIX_LISTQUICKSORTFAILED);
+
+                PKIX_CHECK(pkix_List_AppendList
+                        (sortedList, sortedLessList, plContext),
+                        PKIX_LISTAPPENDLISTFAILED);
+        } else {
+                PKIX_CHECK(pkix_List_AppendList
+                        (sortedList, lessList, plContext),
+                        PKIX_LISTAPPENDLISTFAILED);
+        }
+
+        PKIX_CHECK(PKIX_List_AppendItem(sortedList, object, plContext),
+                PKIX_LISTAPPENDFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(greaterList, &size, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        if (size > 1) {
+
+                PKIX_CHECK(pkix_List_QuickSort
+                        (greaterList, comparator, &sortedGreaterList, plContext),
+                        PKIX_LISTQUICKSORTFAILED);
+
+                PKIX_CHECK(pkix_List_AppendList
+                        (sortedList, sortedGreaterList, plContext),
+                        PKIX_LISTAPPENDLISTFAILED);
+        } else {
+                PKIX_CHECK(pkix_List_AppendList
+                        (sortedList, greaterList, plContext),
+                        PKIX_LISTAPPENDLISTFAILED);
+        }
+
+        *pSortedList = sortedList;
+
+cleanup:
+
+        PKIX_DECREF(cmpObj);
+        PKIX_DECREF(object);
+        PKIX_DECREF(sortedGreaterList);
+        PKIX_DECREF(sortedLessList);
+        PKIX_DECREF(greaterList);
+        PKIX_DECREF(lessList);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: pkix_List_BubbleSort
+ * DESCRIPTION:
+ *
+ *  Sorts List of Objects "fromList" using "comparatorCallback"'s result as
+ *  comasrison key and returns the sorted List at "pSortedList". The sorting
+ *  algorithm used is bubble sort (n*n).
+ *
+ * PARAMETERS:
+ *  "fromList"
+ *      Address of a List of Objects to be sorted. Must be non-NULL, but may be
+ *      empty.
+ *  "comparatorCallback"
+ *      Address of callback function that will compare two Objects on the List.
+ *      It should return -1 for less, 0 for equal and 1 for greater. The
+ *      callback implementation chooses what in Objects to be compared. Must be
+ *      non-NULL.
+ *  "pSortedList"
+ *      Address of a List of Objects that shall be sorted and returned. Must be
+ *      non-NULL, but may be empty.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "toList"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_List_BubbleSort(
+        PKIX_List *fromList,
+        PKIX_List_SortComparatorCallback comparator,
+        PKIX_List **pSortedList,
+        void *plContext)
+{
+        PKIX_List *sortedList = NULL;
+        PKIX_PL_Object *cmpObj = NULL;
+        PKIX_PL_Object *leastObj = NULL;
+        PKIX_Int32 cmpResult = 0;
+        PKIX_UInt32 size = 0;
+        PKIX_UInt32 i, j;
+
+        PKIX_ENTER(BUILD, "pkix_List_BubbleSort");
+        PKIX_NULLCHECK_THREE(fromList, comparator, pSortedList);
+
+        PKIX_CHECK(pkix_List_Duplicate
+                ((PKIX_PL_Object *) fromList,
+                (PKIX_PL_Object **) &sortedList,
+                 plContext),
+                PKIX_LISTDUPLICATEFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(sortedList, &size, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        if (size > 1) {
+
+        /*
+         * Move from the first of the item on the list, For each iteration,
+         * compare and swap the least value to the head of the comparisoning
+         * sub-list.
+         */
+            for (i = 0; i < size - 1; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (sortedList, i, &leastObj, plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                for (j = i + 1; j < size; j++) {
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (sortedList, j, &cmpObj, plContext),
+                                PKIX_LISTGETITEMFAILED);
+                        PKIX_CHECK(comparator
+                                (leastObj, cmpObj, &cmpResult, plContext),
+                                PKIX_COMPARATORCALLBACKFAILED);
+                        if (cmpResult > 0) {
+                                PKIX_CHECK(PKIX_List_SetItem
+                                           (sortedList, j, leastObj, plContext),
+                                           PKIX_LISTSETITEMFAILED);
+
+                                PKIX_DECREF(leastObj);
+                                leastObj = cmpObj;
+                                cmpObj = NULL;
+                        } else {
+                                PKIX_DECREF(cmpObj);
+                        }
+                }
+                PKIX_CHECK(PKIX_List_SetItem
+                           (sortedList, i, leastObj, plContext),
+                           PKIX_LISTSETITEMFAILED);
+
+                PKIX_DECREF(leastObj);
+            }
+                
+        }
+
+        *pSortedList = sortedList;
+
+cleanup:
+
+        PKIX_DECREF(leastObj);
+        PKIX_DECREF(cmpObj);
+
+        PKIX_RETURN(LIST);
+}
+
+/* --Public-List-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_List_Create (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_Create(
+        PKIX_List **pList,
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+
+        PKIX_ENTER(LIST, "PKIX_List_Create");
+        PKIX_NULLCHECK_ONE(pList);
+
+        PKIX_CHECK(pkix_List_Create_Internal(PKIX_TRUE, &list, plContext),
+                    PKIX_LISTCREATEINTERNALFAILED);
+
+        *pList = list;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_SetImmutable (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_SetImmutable(
+        PKIX_List *list,
+        void *plContext)
+{
+        PKIX_ENTER(LIST, "PKIX_List_SetImmutable");
+        PKIX_NULLCHECK_ONE(list);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        list->immutable = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_IsImmutable (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_IsImmutable(
+        PKIX_List *list,
+        PKIX_Boolean *pImmutable,
+        void *plContext)
+{
+        PKIX_ENTER(LIST, "PKIX_List_IsImmutable");
+        PKIX_NULLCHECK_TWO(list, pImmutable);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        *pImmutable = list->immutable;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_GetLength (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_GetLength(
+        PKIX_List *list,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_ENTER(LIST, "PKIX_List_GetLength");
+        PKIX_NULLCHECK_TWO(list, pLength);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        *pLength = list->length;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_IsEmpty (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_IsEmpty(
+        PKIX_List *list,
+        PKIX_Boolean *pEmpty,
+        void *plContext)
+{
+        PKIX_UInt32 length;
+
+        PKIX_ENTER(LIST, "PKIX_List_IsEmpty");
+        PKIX_NULLCHECK_TWO(list, pEmpty);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        length = list->length;
+
+        if (length == 0){
+                *pEmpty = PKIX_TRUE;
+        } else {
+                *pEmpty = PKIX_FALSE;
+        }
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_AppendItem (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_AppendItem(
+        PKIX_List *list,
+        PKIX_PL_Object *item,
+        void *plContext)
+{
+        PKIX_List *lastElement = NULL;
+        PKIX_List *newElement = NULL;
+        PKIX_UInt32 length, i;
+
+        PKIX_ENTER(LIST, "PKIX_List_AppendItem");
+        PKIX_NULLCHECK_ONE(list);
+
+        if (list->immutable){
+                PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+        }
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        length = list->length;
+
+        /* find last element of list and create new element there */
+
+        lastElement = list;
+        for (i = 0; i < length; i++){
+                lastElement = lastElement->next;
+        }
+
+        PKIX_CHECK(pkix_List_Create_Internal
+                    (PKIX_FALSE, &newElement, plContext),
+                    PKIX_LISTCREATEINTERNALFAILED);
+
+        PKIX_INCREF(item);
+        newElement->item = item;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)list, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        lastElement->next = newElement;
+        newElement = NULL;
+        list->length += 1;
+
+cleanup:
+
+        PKIX_DECREF(newElement);
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_InsertItem (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_InsertItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object *item,
+        void *plContext)
+{
+        PKIX_List *element = NULL;
+        PKIX_List *newElem = NULL;
+
+        PKIX_ENTER(LIST, "PKIX_List_InsertItem");
+        PKIX_NULLCHECK_ONE(list);
+
+
+        if (list->immutable){
+                PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+        }
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        PKIX_CHECK(pkix_List_GetElement(list, index, &element, plContext),
+                    PKIX_LISTGETELEMENTFAILED);
+
+        /* Create a new list object */
+        PKIX_CHECK(pkix_List_Create_Internal(PKIX_FALSE, &newElem, plContext),
+                    PKIX_LISTCREATEINTERNALFAILED);
+
+        /* Copy the old element's contents into the new element */
+        newElem->item = element->item;
+
+        /* Set the new element's next pointer to the old element's next */
+        newElem->next = element->next;
+
+        /* Set the old element's next pointer to the new element */
+        element->next = newElem;
+
+        PKIX_INCREF(item);
+        element->item = item;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)list, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        list->length = list->length + 1;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(newElem);
+        }
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_GetItem (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_GetItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object **pItem,
+        void *plContext)
+{
+        PKIX_List *element = NULL;
+
+        PKIX_ENTER(LIST, "PKIX_List_GetItem");
+        PKIX_NULLCHECK_TWO(list, pItem);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        PKIX_CHECK(pkix_List_GetElement(list, index, &element, plContext),
+                    PKIX_LISTGETELEMENTFAILED);
+
+        PKIX_INCREF(element->item);
+        *pItem = element->item;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_SetItem (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_SetItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        PKIX_PL_Object *item,
+        void *plContext)
+{
+        PKIX_List *element;
+
+        PKIX_ENTER(LIST, "PKIX_List_SetItem");
+        PKIX_NULLCHECK_ONE(list);
+
+        if (list->immutable){
+                PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+        }
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        PKIX_CHECK(pkix_List_GetElement(list, index, &element, plContext),
+                    PKIX_LISTGETELEMENTFAILED);
+
+        /* DecRef old contents */
+        PKIX_DECREF(element->item);
+
+        /* Set New Contents */
+        PKIX_INCREF(item);
+        element->item = item;
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)list, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_DeleteItem (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_DeleteItem(
+        PKIX_List *list,
+        PKIX_UInt32 index,
+        void *plContext)
+{
+        PKIX_List *element = NULL;
+        PKIX_List *prevElement = NULL;
+        PKIX_List *nextElement = NULL;
+
+        PKIX_ENTER(LIST, "PKIX_List_DeleteItem");
+        PKIX_NULLCHECK_ONE(list);
+
+        if (list->immutable){
+                PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+        }
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        PKIX_CHECK(pkix_List_GetElement(list, index, &element, plContext),
+                    PKIX_LISTGETELEMENTFAILED);
+
+        /* DecRef old contents */
+        PKIX_DECREF(element->item);
+
+        nextElement = element->next;
+
+        if (nextElement != NULL) {
+                /* If the next element exists, splice it out. */
+
+                /* Don't need to change ref counts for targets of next */
+                element->item = nextElement->item;
+                nextElement->item = NULL;
+
+                /* Don't need to change ref counts for targets of next */
+                element->next = nextElement->next;
+                nextElement->next = NULL;
+
+                PKIX_DECREF(nextElement);
+
+        } else { /* The element is at the tail of the list */
+                if (index != 0) {
+                        PKIX_CHECK(pkix_List_GetElement
+                                    (list, index-1, &prevElement, plContext),
+                                    PKIX_LISTGETELEMENTFAILED);
+                } else if (index == 0){ /* prevElement must be header */
+                        prevElement = list;
+                }
+                prevElement->next = NULL;
+
+                /* Delete the element */
+                PKIX_DECREF(element);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                    ((PKIX_PL_Object *)list, plContext),
+                    PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        list->length = list->length - 1;
+
+cleanup:
+
+        PKIX_RETURN(LIST);
+}
+
+/*
+ * FUNCTION: PKIX_List_ReverseList (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_List_ReverseList(
+        PKIX_List *list,
+        PKIX_List **pReversedList,
+        void *plContext)
+{
+        PKIX_List *reversedList = NULL;
+        PKIX_PL_Object *item = NULL;
+        PKIX_PL_Object *duplicateItem = NULL;
+        PKIX_UInt32 length, i;
+
+        PKIX_ENTER(LIST, "pkix_List_ReverseList");
+        PKIX_NULLCHECK_TWO(list, pReversedList);
+
+        if (!list->isHeader){
+                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
+        }
+
+        length = list->length;
+
+        /* Create a new list object */
+        PKIX_CHECK(PKIX_List_Create(&reversedList, plContext),
+                    PKIX_LISTCREATEINTERNALFAILED);
+
+        /*
+         * Starting with the last item and traversing backwards (from
+         * the original list), append each item to the reversed list
+         */
+
+        for (i = 1; i <= length; i++){
+                PKIX_CHECK(PKIX_List_GetItem
+                            (list, (length - i), &item, plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_Duplicate
+                            (item, &duplicateItem, plContext),
+                            PKIX_LISTDUPLICATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (reversedList, duplicateItem, plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(item);
+                PKIX_DECREF(duplicateItem);
+        }
+
+        *pReversedList = reversedList;
+
+cleanup:
+
+        PKIX_DECREF(item);
+        PKIX_DECREF(duplicateItem);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(reversedList);
+        }
+
+        PKIX_RETURN(LIST);
+}
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_list.h b/security/nss/lib/libpkix/pkix/util/pkix_list.h
new file mode 100755
index 000000000..d283743d1
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_list.h
@@ -0,0 +1,128 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_list.h
+ *
+ * List Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_LIST_H
+#define _PKIX_LIST_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef PKIX_Error *
+(*PKIX_List_SortComparatorCallback)(
+        PKIX_PL_Object *obj1,
+        PKIX_PL_Object *obj2,
+        PKIX_Int32 *pResult,
+        void *plContext);
+
+struct PKIX_ListStruct {
+        PKIX_PL_Object *item;
+        PKIX_List *next;
+        PKIX_Boolean immutable;
+        PKIX_UInt32 length;
+        PKIX_Boolean isHeader;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_List_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_List_Contains(
+        PKIX_List *list,
+        PKIX_PL_Object *object,
+        PKIX_Boolean *pFound,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_Remove(
+        PKIX_List *list,
+        PKIX_PL_Object *target,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_MergeLists(
+        PKIX_List *firstList,
+        PKIX_List *secondList,
+        PKIX_List **pMergedList,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_AppendList(
+        PKIX_List *toList,
+        PKIX_List *fromList,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_AppendUnique(
+        PKIX_List *toList,
+        PKIX_List *fromList,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_RemoveItems(
+        PKIX_List *list,
+        PKIX_List *deleteList,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_QuickSort(
+        PKIX_List *fromList,
+        PKIX_List_SortComparatorCallback comparator,
+        PKIX_List **pSortedList,
+        void *plContext);
+
+PKIX_Error *
+pkix_List_BubbleSort(
+        PKIX_List *fromList,
+        PKIX_List_SortComparatorCallback comparator,
+        PKIX_List **pSortedList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_LIST_H */
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_logger.c b/security/nss/lib/libpkix/pkix/util/pkix_logger.c
new file mode 100644
index 000000000..d8677b7d5
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_logger.c
@@ -0,0 +1,1092 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_logger.c
+ *
+ * Logger Object Functions
+ *
+ */
+
+#include "pkix_logger.h"
+
+/* Global variable to keep PKIX_Logger List */
+PKIX_List *pkixLoggers = NULL;
+
+/*
+ * Once the Logger has been set, for any logging related operations, we have
+ * to go through the List to find a match, and if found, issue the
+ * corresponding callback. The overhead to check for DEBUG and TRACE in each
+ * PKIX function entering and exiting is very expensive (400X), and redundant
+ * if they are not the interest of the Logger. Therefore, the PKIX_Logger List
+ * pkixLoggers is separated into two lists based on its Loggers' trace level.
+ *
+ * Whenever the pkixLoggers List is updated by PKIX_Logger_AddLogger() or
+ * PKIX_Logger_SetLoggers(), we destroy and reconstruct pkixLoggersErrors
+ * and pkixLoggersDebugTrace Logger Lists. The ERROR, FATAL_ERROR and
+ * WARNING goes to pkixLoggersErrors and the DEBUG and TRACE goes to
+ * pkixLoggersDebugTrace.
+ *
+ * Currently we provide five logging levels and the default setting are by:
+ *
+ *     PKIX_FATAL_ERROR() macro invokes pkix_Logger_Check of FATAL_ERROR level
+ *     PKIX_ERROR() macro invokes pkix_Logger_Check of ERROR level
+ *     WARNING is not invoked as default
+ *     PKIX_DEBUG() macro invokes pkix_Logger_Check of DEBUG level. This needs
+ *         compilation -DPKIX_<component>DEBUG flag to turn on 
+ *     PKIX_ENTER() and PKIX_RETURN() macros invoke pkix_Logger_Check of TRACE
+ *         level. TRACE provides duplicate information of DEBUG, but needs no
+ *         recompilation and cannot choose component. To allow application
+ *         to use DEBUG level, TRACE is put as last.
+ *
+ */
+PKIX_List *pkixLoggersErrors = NULL;
+PKIX_List *pkixLoggersDebugTrace = NULL;
+
+/* To ensure atomic update on pkixLoggers lists */
+PKIX_PL_MonitorLock *pkixLoggerLock = NULL;
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_Logger_CheckErrors
+ * DESCRIPTION:
+ *
+ *  This function goes through each PKIX_Logger at "pkixLoggersList" and
+ *  checks if "maxLevel" and "logComponent" satisfies what is specified in the
+ *  PKIX_Logger. If satisfies, it invokes the callback in PKIX_Logger and
+ *  passes a PKIX_PL_String that is the concatenation of "message" and 
+ *  "message2" to the application for processing. 
+ *  Since this call is inserted into a handful of PKIX macros, no macros are
+ *  applied in this function, to avoid infinite recursion.
+ *  If an error occurs, this call is aborted.
+ *
+ * PARAMETERS:
+ *  "pkixLoggersList"
+ *      A list of PKIX_Loggers to be examined for invoking callback. Must be
+ *      non-NULL.
+ *  "message"
+ *      Address of "message" to be logged. Must be non-NULL.
+ *  "message2"
+ *      Address of "message2" to be concatenated and logged. May be NULL.
+ *  "logComponent"
+ *      A PKIX_UInt32 that indicates the component the message is from.
+ *  "maxLevel"
+ *      A PKIX_UInt32 that represents the level of severity of the message.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way
+ */
+PKIX_Error *
+pkix_Logger_Check(
+        PKIX_List *pkixLoggersList,
+        const char *message,
+        const char *message2,
+        PKIX_ERRORCLASS logComponent,
+        PKIX_UInt32 currentLevel,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+        PKIX_List *savedPkixLoggersErrors = NULL;
+        PKIX_List *savedPkixLoggersDebugTrace = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *messageString = NULL;
+        PKIX_PL_String *message2String = NULL;
+        PKIX_PL_String *msgString = NULL;
+        PKIX_Error *error = NULL;
+        PKIX_Boolean needLogging = PKIX_FALSE;
+        PKIX_UInt32 i, length;
+
+        /*
+         * We cannot use any the PKIX_ macros here, since this function is
+         * called from some of these macros. It can create infinite recursion.
+         */
+
+        if ((pkixLoggersList == NULL) || (message == NULL)) {
+                return(NULL);
+        }
+
+        /*
+         * Disable all subsequent loggings to avoid recursion. The result is
+         * if other thread is calling this function at the same time, there
+         * won't be any logging because the pkixLoggersErrors and
+         * pkixLoggersDebugTrace are set to null.
+         * It would be nice if we provide control per thread (e.g. make
+         * plContext threadable) then we can avoid the recursion by setting
+         * flag at plContext. Then other thread's logging won't be affected.
+         *
+         * Also we need to use a reentrant Lock. Although we avoid recursion
+         * for TRACE. When there is an ERROR occurs in subsequent call, this
+         * function will be called.
+         */
+
+        error = PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext);
+        if (error) { return(NULL); }
+
+        savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
+        pkixLoggersDebugTrace = NULL;
+        savedPkixLoggersErrors = pkixLoggersErrors;
+        pkixLoggersErrors = NULL;
+
+        /* Convert message and message2 to String */
+        error = PKIX_PL_String_Create
+                    (PKIX_ESCASCII, message, 0, &messageString, plContext);
+        if (error) { goto cleanup; }
+
+        if (message2) {
+                error = PKIX_PL_String_Create
+                    (PKIX_ESCASCII, message2, 0, &message2String, plContext);
+                if (error) { goto cleanup; }
+                error = PKIX_PL_String_Create
+                    (PKIX_ESCASCII, "%s %s", 0, &formatString, plContext);
+                if (error) { goto cleanup; }
+
+        } else {
+                error = PKIX_PL_String_Create
+                    (PKIX_ESCASCII, "%s", 0, &formatString, plContext);
+                if (error) { goto cleanup; }
+
+        }
+
+        error = PKIX_PL_Sprintf
+                    (&msgString,
+                    plContext,
+                    formatString,
+                    messageString,
+                    message2String);
+        if (error) { goto cleanup; }
+
+        /* Go through the Logger list */
+
+        error = PKIX_List_GetLength(pkixLoggersList, &length, plContext);
+        if (error) { goto cleanup; }
+
+        for (i = 0; i < length; i++) {
+
+                error = PKIX_List_GetItem
+                    (pkixLoggersList,
+                    i,
+                    (PKIX_PL_Object **) &logger,
+                    plContext);
+                if (error) { goto cleanup; }
+
+                /* Intended logging level less or equal than the max */
+                needLogging = (currentLevel <= logger->maxLevel);
+
+                if (needLogging && (logger->callback)) {
+
+                    /*
+                     * We separate Logger into two lists based on log level
+                     * but log level is not modified. We need to check here to
+                     * avoid logging the higher log level (lower value) twice.
+                     */
+                    if (pkixLoggersList == pkixLoggersErrors) {
+                            needLogging = needLogging && 
+                                (currentLevel <= PKIX_LOGGER_LEVEL_WARNING);
+                    } else if (pkixLoggersList == pkixLoggersDebugTrace) {
+                            needLogging = needLogging && 
+                                (currentLevel > PKIX_LOGGER_LEVEL_WARNING);
+                    }
+                
+                    if (needLogging) {
+                        if (logComponent == logger->logComponent) {
+                            needLogging = PKIX_TRUE;
+                        } else {
+                            needLogging = PKIX_FALSE;
+                        }
+                    }
+
+                    if (needLogging) {
+                        error = logger->callback
+                                (logger,
+                                msgString,
+                                currentLevel,
+                                logComponent,
+                                plContext);
+                        if (error) { goto cleanup; }
+                    }
+                }
+
+                error = PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)logger, plContext);
+                logger = NULL;
+                if (error) { goto cleanup; }
+
+        }
+
+cleanup:
+
+        if (formatString) {
+                error = PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)formatString, plContext);
+        }
+
+        if (messageString) {
+                error = PKIX_PL_Object_DecRef
+                         ((PKIX_PL_Object *)messageString, plContext);
+        }
+
+        if (message2String) {
+                error = PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)message2String, plContext);
+        }
+
+        if (msgString) {
+                error = PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)msgString, plContext);
+        }
+
+        if (logger) {
+                error = PKIX_PL_Object_DecRef
+                        ((PKIX_PL_Object *)logger, plContext);
+        }
+
+        if (pkixLoggersErrors == NULL && savedPkixLoggersErrors != NULL) {
+                pkixLoggersErrors = savedPkixLoggersErrors;
+        } 
+
+        if (pkixLoggersDebugTrace == NULL && 
+           savedPkixLoggersDebugTrace != NULL) {
+                pkixLoggersDebugTrace = savedPkixLoggersDebugTrace;
+        }
+
+        error = PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext);
+        if (error) { return(NULL); }
+
+        return(NULL);
+}
+
+/*
+ * FUNCTION: pkix_Logger_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Logger_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Check that this object is a logger */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LOGGER_TYPE, plContext),
+                    PKIX_OBJECTNOTLOGGER);
+
+        logger = (PKIX_Logger *)object;
+
+        /* We have a valid logger. DecRef its item and recurse on next */
+
+        logger->callback = NULL;
+        PKIX_DECREF(logger->context);
+        logger->logComponent = (PKIX_ERRORCLASS)NULL;
+
+cleanup:
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: pkix_Logger_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Logger_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *contextString = NULL;
+        PKIX_PL_String *componentString = NULL;
+        PKIX_PL_String *loggerString = NULL;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_ToString_Helper");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        /* Check that this object is a logger */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LOGGER_TYPE, plContext),
+                    PKIX_OBJECTNOTLOGGER);
+
+        logger = (PKIX_Logger *)object;
+
+        asciiFormat =
+                "[\n"
+                "\tLogger: \n"
+                "\tContext:          %s\n"
+                "\tMaximum Level:    %d\n"
+                "\tComponent Name:   %s\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_TOSTRING(logger->context, &contextString, plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII,
+                (void *)PKIX_ERRORCLASSNAMES[logger->logComponent],
+                0,
+                &componentString,
+                plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&loggerString,
+                plContext,
+                formatString,
+                contextString,
+                logger->maxLevel,
+                componentString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = loggerString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(contextString);
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: pkix_Logger_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Logger_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+        PKIX_Logger *firstLogger = NULL;
+        PKIX_Logger *secondLogger = NULL;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        /* test that first is a Logger */
+        PKIX_CHECK(pkix_CheckType(first, PKIX_LOGGER_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTLOGGER);
+
+        /*
+         * Since we know first is a Logger, if both references are
+         * identical, they must be equal
+         */
+        if (first == second){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If second isn't a Logger, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_LOGGER_TYPE) goto cleanup;
+
+        firstLogger = (PKIX_Logger *)first;
+        secondLogger = (PKIX_Logger *)second;
+
+        cmpResult = PKIX_FALSE;
+
+        if (firstLogger->callback != secondLogger->callback) {
+                goto cleanup;
+        }
+
+        if (firstLogger->logComponent != secondLogger->logComponent) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS  
+                (firstLogger->context,
+                secondLogger->context,
+                &cmpResult,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (cmpResult == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        if (firstLogger->maxLevel != secondLogger->maxLevel) {
+                goto cleanup;
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: pkix_Logger_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Logger_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+        PKIX_UInt32 hash = 0;
+        PKIX_UInt32 tempHash = 0;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LOGGER_TYPE, plContext),
+                    PKIX_OBJECTNOTLOGGER);
+
+        logger = (PKIX_Logger *)object;
+
+        PKIX_HASHCODE(logger->context, &tempHash, plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        hash = (((((PKIX_UInt32) logger->callback + tempHash) << 7) +
+                logger->maxLevel) << 7) + (PKIX_UInt32)logger->logComponent;
+
+        *pHashcode = hash;
+
+cleanup:
+
+        PKIX_RETURN(LOGGER);
+}
+
+
+/*
+ * FUNCTION: pkix_Logger_Duplicate
+ * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_Logger_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+        PKIX_Logger *dupLogger = NULL;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_Duplicate");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                    ((PKIX_PL_Object *)object, PKIX_LOGGER_TYPE, plContext),
+                    PKIX_OBJECTNOTLOGGER);
+
+        logger = (PKIX_Logger *) object;
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LOGGER_TYPE,
+                    sizeof (PKIX_Logger),
+                    (PKIX_PL_Object **)&dupLogger,
+                    plContext),
+                    PKIX_COULDNOTCREATELOGGEROBJECT);
+
+        dupLogger->callback = logger->callback;
+        dupLogger->maxLevel = logger->maxLevel;
+        
+        PKIX_DUPLICATE
+                    (logger->context,
+                    &dupLogger->context,
+                    plContext,
+                    PKIX_OBJECTDUPLICATEFAILED);
+
+        dupLogger->logComponent = logger->logComponent;
+
+        *pNewObject = (PKIX_PL_Object *) dupLogger;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(dupLogger);
+        }
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: pkix_Logger_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_LOGGER_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_Logger_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(LOGGER, "pkix_Logger_RegisterSelf");
+
+        entry.description = "Logger";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_Logger);
+        entry.destructor = pkix_Logger_Destroy;
+        entry.equalsFunction = pkix_Logger_Equals;
+        entry.hashcodeFunction = pkix_Logger_Hashcode;
+        entry.toStringFunction = pkix_Logger_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_Logger_Duplicate;
+
+        systemClasses[PKIX_LOGGER_TYPE] = entry;
+
+        PKIX_RETURN(LOGGER);
+}
+
+/* --Public-Logger-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_Logger_Create (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_Create(
+        PKIX_Logger_LogCallback callback,
+        PKIX_PL_Object *loggerContext,
+        PKIX_Logger **pLogger,
+        void *plContext)
+{
+        PKIX_Logger *logger = NULL;
+
+        PKIX_ENTER(LOGGER, "PKIX_Logger_Create");
+        PKIX_NULLCHECK_ONE(pLogger);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LOGGER_TYPE,
+                    sizeof (PKIX_Logger),
+                    (PKIX_PL_Object **)&logger,
+                    plContext),
+                    PKIX_COULDNOTCREATELOGGEROBJECT);
+
+        logger->callback = callback;
+        logger->maxLevel = 0;
+        logger->logComponent = (PKIX_ERRORCLASS)NULL;
+
+        PKIX_INCREF(loggerContext);
+        logger->context = loggerContext;
+
+        *pLogger = logger;
+        logger = NULL;
+
+cleanup:
+
+        PKIX_DECREF(logger);
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_GetLogCallback (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_GetLogCallback(
+        PKIX_Logger *logger,
+        PKIX_Logger_LogCallback *pCallback,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_GetLogCallback");
+        PKIX_NULLCHECK_TWO(logger, pCallback);
+
+        *pCallback = logger->callback;
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_GetLoggerContext (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_GetLoggerContext(
+        PKIX_Logger *logger,
+        PKIX_PL_Object **pLoggerContext,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_GetLoggerContex");
+        PKIX_NULLCHECK_TWO(logger, pLoggerContext);
+
+        PKIX_INCREF(logger->context);
+        *pLoggerContext = logger->context;
+
+cleanup:
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_GetMaxLoggingLevel (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_GetMaxLoggingLevel(
+        PKIX_Logger *logger,
+        PKIX_UInt32 *pLevel,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_GetMaxLoggingLevel");
+        PKIX_NULLCHECK_TWO(logger, pLevel);
+
+        *pLevel = logger->maxLevel;
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_SetMaxLoggingLevel (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_SetMaxLoggingLevel(
+        PKIX_Logger *logger,
+        PKIX_UInt32 level,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_SetMaxLoggingLevel");
+        PKIX_NULLCHECK_ONE(logger);
+
+        if (level > PKIX_LOGGER_LEVEL_MAX) {
+                PKIX_ERROR(PKIX_LOGGINGLEVELEXCEEDSMAXIMUM);
+        } else {
+                logger->maxLevel = level;
+        }
+
+cleanup:
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_GetLoggingComponent (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_GetLoggingComponent(
+        PKIX_Logger *logger,
+        PKIX_ERRORCLASS *pComponent,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_GetLoggingComponent");
+        PKIX_NULLCHECK_TWO(logger, pComponent);
+
+        *pComponent = logger->logComponent;
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_SetLoggingComponent (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_Logger_SetLoggingComponent(
+        PKIX_Logger *logger,
+        PKIX_ERRORCLASS component,
+        void *plContext)
+{
+        PKIX_ENTER(LOGGER, "PKIX_Logger_SetLoggingComponent");
+        PKIX_NULLCHECK_ONE(logger);
+
+        logger->logComponent = component;
+
+        PKIX_RETURN(LOGGER);
+}
+
+
+/*
+ * Following PKIX_GetLoggers(), PKIX_SetLoggers() and PKIX_AddLogger() are
+ * documented as not thread-safe. However they are thread-safe now. We need
+ * the lock when accessing the logger lists.
+ */
+
+/*
+ * FUNCTION: PKIX_Logger_GetLoggers (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_GetLoggers(
+        PKIX_List **pLoggers,  /* list of PKIX_Logger */
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_List *savedPkixLoggersDebugTrace = NULL;
+        PKIX_List *savedPkixLoggersErrors = NULL;
+        PKIX_Logger *logger = NULL;
+        PKIX_Logger *dupLogger = NULL;
+        PKIX_UInt32 i, length;
+        PKIX_Boolean locked = PKIX_FALSE;
+
+        PKIX_ENTER(LOGGER, "PKIX_Logger_GetLoggers");
+        PKIX_NULLCHECK_ONE(pLoggers);
+
+        PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext),
+                PKIX_MONITORLOCKENTERFAILED);
+        locked = PKIX_TRUE;
+
+        /*
+         * Temporarily disable DEBUG/TRACE Logging to avoid possible
+         * deadlock:
+         * When the Logger List is being accessed, e.g. by PKIX_ENTER or
+         * PKIX_DECREF, pkix_Logger_Check may check whether logging
+         * is requested, creating a deadlock situation.
+         */
+        savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
+        pkixLoggersDebugTrace = NULL;
+        savedPkixLoggersErrors = pkixLoggersErrors;
+        pkixLoggersErrors = NULL;
+
+        if (pkixLoggers == NULL) {
+                length = 0;
+        } else {
+                PKIX_CHECK(PKIX_List_GetLength
+                    (pkixLoggers, &length, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+        }
+
+        /* Create a list and copy the pkixLoggers item to the list */
+        PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        for (i = 0; i < length; i++) {
+
+            PKIX_CHECK(PKIX_List_GetItem
+                        (pkixLoggers,
+                        i,
+                        (PKIX_PL_Object **) &logger,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+            PKIX_CHECK(pkix_Logger_Duplicate
+                        ((PKIX_PL_Object *)logger,
+                        (PKIX_PL_Object **)&dupLogger,
+                        plContext),
+                        PKIX_LOGGERDUPLICATEFAILED);
+
+            PKIX_CHECK(PKIX_List_AppendItem
+                        (list,
+                        (PKIX_PL_Object *) dupLogger,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+            PKIX_DECREF(logger);
+            PKIX_DECREF(dupLogger);
+        }
+
+        /* Set the list to be immutable */
+        PKIX_CHECK(PKIX_List_SetImmutable(list, plContext),
+                        PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pLoggers = list;
+
+cleanup:
+
+        PKIX_DECREF(logger);
+
+        /* Restore logging capability */
+        pkixLoggersDebugTrace = savedPkixLoggersDebugTrace;
+        pkixLoggersErrors = savedPkixLoggersErrors;
+
+        if (locked) {
+                PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext),
+                        PKIX_MONITORLOCKEXITFAILED);
+        }
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_SetLoggers (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_SetLoggers(
+        PKIX_List *loggers,  /* list of PKIX_Logger */
+        void *plContext)
+{
+        PKIX_List *list = NULL;
+        PKIX_List *savedPkixLoggersErrors = NULL;
+        PKIX_List *savedPkixLoggersDebugTrace = NULL;
+        PKIX_Logger *logger = NULL;
+        PKIX_Logger *dupLogger = NULL;
+        PKIX_Boolean locked = PKIX_FALSE;
+        PKIX_UInt32 i, length;
+
+        PKIX_ENTER(LOGGER, "PKIX_SetLoggers");
+
+        PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext),
+                PKIX_MONITORLOCKENTERFAILED);
+        locked = PKIX_TRUE;
+
+        /* Disable tracing, etc. to avoid recursion and deadlock */
+        savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
+        pkixLoggersDebugTrace = NULL;
+        savedPkixLoggersErrors = pkixLoggersErrors;
+        pkixLoggersErrors = NULL;
+
+        /* discard any prior loggers */
+        PKIX_DECREF(pkixLoggers);
+        PKIX_DECREF(savedPkixLoggersErrors);
+        PKIX_DECREF(savedPkixLoggersDebugTrace);
+
+        if (loggers != NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&list, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_GetLength(loggers, &length, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < length; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (loggers,
+                        i,
+                        (PKIX_PL_Object **) &logger,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(pkix_Logger_Duplicate
+                        ((PKIX_PL_Object *)logger,
+                        (PKIX_PL_Object **)&dupLogger,
+                        plContext),
+                        PKIX_LOGGERDUPLICATEFAILED);
+
+                    PKIX_CHECK(PKIX_List_AppendItem
+                        (list,
+                        (PKIX_PL_Object *) dupLogger,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                    /* Make two lists */
+
+                    /* Put in pkixLoggersErrors in any case*/
+
+                    if (savedPkixLoggersErrors == NULL) {
+
+                        PKIX_CHECK(PKIX_List_Create
+                                (&savedPkixLoggersErrors,
+                                plContext),
+                                PKIX_LISTCREATEFAILED);
+                    }
+        
+                    PKIX_CHECK(PKIX_List_AppendItem
+                            (savedPkixLoggersErrors,
+                            (PKIX_PL_Object *) dupLogger,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                    if (logger->maxLevel > PKIX_LOGGER_LEVEL_WARNING) {
+
+                        /* Put in pkixLoggersDebugTrace */
+
+                        if (savedPkixLoggersDebugTrace == NULL) {
+
+                            PKIX_CHECK(PKIX_List_Create
+                                    (&savedPkixLoggersDebugTrace,
+                                    plContext),
+                                    PKIX_LISTCREATEFAILED);
+                        }
+        
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (savedPkixLoggersDebugTrace,
+                                (PKIX_PL_Object *) dupLogger,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                    }
+                    PKIX_DECREF(logger);
+                    PKIX_DECREF(dupLogger);
+
+                }
+
+                pkixLoggers = list;
+        }
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(list);
+                PKIX_DECREF(savedPkixLoggersErrors);
+                PKIX_DECREF(savedPkixLoggersDebugTrace);
+                pkixLoggers = NULL;
+        }
+
+        PKIX_DECREF(logger);
+
+        /* Reenable logging capability with new lists */
+        pkixLoggersErrors = savedPkixLoggersErrors;
+        pkixLoggersDebugTrace = savedPkixLoggersDebugTrace;
+
+        if (locked) {
+                PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext),
+                        PKIX_MONITORLOCKEXITFAILED);
+        }
+
+        PKIX_RETURN(LOGGER);
+}
+
+/*
+ * FUNCTION: PKIX_Logger_AddLogger (see comments in pkix_util.h)
+ */
+PKIX_Error *
+PKIX_AddLogger(
+        PKIX_Logger *logger,
+        void *plContext)
+{
+        PKIX_Logger *dupLogger = NULL;
+        PKIX_Logger *addLogger = NULL;
+        PKIX_List *savedPkixLoggersErrors = NULL;
+        PKIX_List *savedPkixLoggersDebugTrace = NULL;
+        PKIX_Boolean locked = PKIX_FALSE;
+        PKIX_UInt32 i, length;
+
+        PKIX_ENTER(LOGGER, "PKIX_Logger_AddLogger");
+        PKIX_NULLCHECK_ONE(logger);
+
+        PKIX_CHECK(PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext),
+                PKIX_MONITORLOCKENTERFAILED);
+        locked = PKIX_TRUE;
+
+        savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
+        pkixLoggersDebugTrace = NULL;
+        savedPkixLoggersErrors = pkixLoggersErrors;
+        pkixLoggersErrors = NULL;
+
+        PKIX_DECREF(savedPkixLoggersErrors);
+        PKIX_DECREF(savedPkixLoggersDebugTrace);
+
+        if (pkixLoggers == NULL) {
+
+            PKIX_CHECK(PKIX_List_Create(&pkixLoggers, plContext),
+                    PKIX_LISTCREATEFAILED);
+        }
+
+        PKIX_CHECK(pkix_Logger_Duplicate
+                    ((PKIX_PL_Object *)logger,
+                    (PKIX_PL_Object **)&dupLogger,
+                    plContext),
+                    PKIX_LOGGERDUPLICATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (pkixLoggers,
+                    (PKIX_PL_Object *) dupLogger,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(pkixLoggers, &length, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        /* Reconstruct pkixLoggersErrors and pkixLoggersDebugTrace */
+        for (i = 0; i < length; i++) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (pkixLoggers,
+                        i,
+                        (PKIX_PL_Object **) &addLogger,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+
+                /* Put in pkixLoggersErrors */
+
+                if (savedPkixLoggersErrors == NULL) {
+
+                        PKIX_CHECK(PKIX_List_Create
+                                    (&savedPkixLoggersErrors,
+                                    plContext),
+                                    PKIX_LISTCREATEFAILED);
+                }
+        
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (savedPkixLoggersErrors,
+                        (PKIX_PL_Object *) addLogger,
+                        plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+                            
+                if (addLogger->maxLevel > PKIX_LOGGER_LEVEL_WARNING) {
+
+                        /* Put in pkixLoggersDebugTrace */
+
+                        if (savedPkixLoggersDebugTrace == NULL) {
+
+                            PKIX_CHECK(PKIX_List_Create
+                                    (&savedPkixLoggersDebugTrace,
+                                    plContext),
+                                    PKIX_LISTCREATEFAILED);
+                        }
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (savedPkixLoggersDebugTrace,
+                                (PKIX_PL_Object *) addLogger,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(addLogger);
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(dupLogger);
+        PKIX_DECREF(addLogger);
+
+        /* Restore logging capability */
+        pkixLoggersErrors = savedPkixLoggersErrors;
+        pkixLoggersDebugTrace = savedPkixLoggersDebugTrace;
+
+        if (locked) {
+                PKIX_CHECK(PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext),
+                        PKIX_MONITORLOCKEXITFAILED);
+        }
+
+       PKIX_RETURN(LOGGER);
+}
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_logger.h b/security/nss/lib/libpkix/pkix/util/pkix_logger.h
new file mode 100644
index 000000000..4184b4bd7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_logger.h
@@ -0,0 +1,81 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_logger.h
+ *
+ * Logger Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_LOGGER_H
+#define _PKIX_LOGGER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern PKIX_List *pkixLoggers;
+extern PKIX_List *pkixLoggersErrors;
+extern PKIX_List *pkixLoggersDebugTrace;
+
+struct PKIX_LoggerStruct {
+        PKIX_Logger_LogCallback callback;
+        PKIX_PL_Object *context;
+        PKIX_UInt32 maxLevel;
+        PKIX_ERRORCLASS logComponent;
+};
+
+PKIX_Error *
+pkix_Logger_Check(
+        PKIX_List *pkixLoggersList,
+        const char *message,
+        const char *message2,
+        PKIX_ERRORCLASS logComponent,
+        PKIX_UInt32 maxLevel,
+        void *plContext);
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_Logger_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_LOGGER_H */
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.c b/security/nss/lib/libpkix/pkix/util/pkix_tools.c
new file mode 100755
index 000000000..f4ff2dca2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.c
@@ -0,0 +1,1549 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_tools.c
+ *
+ * Private Utility Functions
+ *
+ */
+
+#include "pkix_tools.h"
+
+#define CACHE_ITEM_PERIOD_SECONDS  (3600)  /* one hour */
+
+/*
+ * This cahce period is only for CertCache. A Cert from a trusted CertStore
+ * should be checked more frequently for update new arrival, etc.
+ */
+#define CACHE_TRUST_ITEM_PERIOD_SECONDS  (CACHE_ITEM_PERIOD_SECONDS/10)
+
+extern PKIX_PL_HashTable *cachedCertChainTable;
+extern PKIX_PL_HashTable *cachedCertTable;
+extern PKIX_PL_HashTable *cachedCrlEntryTable;
+
+/* Following variables are used to checked cache hits - can be taken out */
+extern int pkix_ccAddCount;
+extern int pkix_ccLookupCount;
+extern int pkix_ccRemoveCount;
+extern int pkix_cAddCount;
+extern int pkix_cLookupCount;
+extern int pkix_cRemoveCount;
+extern int pkix_ceAddCount;
+extern int pkix_ceLookupCount;
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+/* Following variables are used for object leak test */
+char *nonNullValue = "Non Empty Value";
+PKIX_Boolean noErrorState = PKIX_TRUE;
+PKIX_Boolean runningLeakTest;
+PKIX_Boolean errorGenerated;
+PKIX_UInt32 stackPosition;
+PKIX_UInt32 *fnStackInvCountArr;
+char **fnStackNameArr;
+PLHashTable *fnInvTable;
+PKIX_UInt32 testStartFnStackPosition;
+char *errorFnStackString;
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+/* --Private-Functions-------------------------------------------- */
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+/*
+ * FUNCTION: pkix_ErrorGen_Hash
+ * DESCRIPTION:
+ *
+ * Hash function to be used in object leak test hash table.
+ *
+ */
+PLHashNumber PR_CALLBACK
+pkix_ErrorGen_Hash (const void *key)
+{
+    char *str = NULL;
+    PLHashNumber rv = (*(PRUint8*)key) << 5;
+    PRUint32 i, counter = 0;
+    PRUint8 *rvc = (PRUint8 *)&rv;
+
+    while ((str = fnStackNameArr[counter++]) != NULL) {
+        PRUint32 len = strlen(str);
+        for( i = 0; i < len; i++ ) {
+            rvc[ i % sizeof(rv) ] ^= *str;
+            str++;
+        }
+    }
+
+    return rv;
+}
+
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+/*
+ * FUNCTION: pkix_IsCertSelfIssued
+ * DESCRIPTION:
+ *
+ *  Checks whether the Cert pointed to by "cert" is self-issued and stores the
+ *  Boolean result at "pSelfIssued". A Cert is considered self-issued if the
+ *  Cert's issuer matches the Cert's subject. If the subject or issuer is
+ *  not specified, a PKIX_FALSE is returned.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *      Address of Cert used to determine whether Cert is self-issued.
+ *      Must be non-NULL.
+ *  "pSelfIssued"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_IsCertSelfIssued(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pSelfIssued,
+        void *plContext)
+{
+        PKIX_PL_X500Name *subject = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+
+        PKIX_ENTER(CERT, "pkix_IsCertSelfIssued");
+        PKIX_NULLCHECK_TWO(cert, pSelfIssued);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &subject, plContext),
+                    PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &issuer, plContext),
+                    PKIX_CERTGETISSUERFAILED);
+
+        if (subject == NULL || issuer == NULL) {
+                *pSelfIssued = PKIX_FALSE;
+        } else {
+
+                PKIX_CHECK(PKIX_PL_X500Name_Match
+                    (subject, issuer, pSelfIssued, plContext),
+                    PKIX_X500NAMEMATCHFAILED);
+        }
+
+cleanup:
+        PKIX_DECREF(subject);
+        PKIX_DECREF(issuer);
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_Throw
+ * DESCRIPTION:
+ *
+ *  Creates an Error using the value of "errorCode", the character array
+ *  pointed to by "funcName", the character array pointed to by "errorText",
+ *  and the Error pointed to by "cause" (if any), and stores it at "pError".
+ *
+ *  If "cause" is not NULL and has an errorCode of "PKIX_FATAL_ERROR",
+ *  then there is no point creating a new Error object. Rather, we simply
+ *  store "cause" at "pError".
+ *
+ * PARAMETERS:
+ *  "errorCode"
+ *      Value of error code.
+ *  "funcName"
+ *      Address of EscASCII array representing name of function throwing error.
+ *      Must be non-NULL.
+ *  "errnum"
+ *      PKIX_ERRMSGNUM of error description for new error.
+ *  "cause"
+ *      Address of Error representing error's cause.
+ *  "pError"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_Throw(
+        PKIX_ERRORCLASS errorClass,
+        const char *funcName,
+        PKIX_ERRORCODE errorCode,
+        PKIX_ERRORCLASS overrideClass,
+        PKIX_Error *cause,
+        PKIX_Error **pError,
+        void *plContext)
+{
+        PKIX_Error *error = NULL;
+
+        PKIX_ENTER(ERROR, "pkix_Throw");
+        PKIX_NULLCHECK_TWO(funcName, pError);
+
+        *pError = NULL;
+
+#ifdef PKIX_OBJECT_LEAK_TEST        
+        noErrorState = PKIX_TRUE;
+        if (pkixLog) {
+            PR_LOG(pkixLog, 4, ("Error in function \"%s\":\"%s\" with cause \"%s\"\n",
+                                funcName, PKIX_ErrorText[errorCode],
+                                (cause ? PKIX_ErrorText[cause->errCode] : "null")));
+
+            PORT_Assert(strcmp(funcName, "PKIX_PL_Object_DecRef"));
+        }
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+        /* if cause has error class of PKIX_FATAL_ERROR, return immediately */
+        if (cause) {
+                if (cause->errClass == PKIX_FATAL_ERROR){
+                        PKIX_INCREF(cause);
+                        *pError = cause;
+                        goto cleanup;
+                }
+        }
+        
+        if (overrideClass == PKIX_FATAL_ERROR){
+                errorClass = overrideClass;
+        }
+
+       pkixTempResult = PKIX_Error_Create(errorClass, cause, NULL,
+                                           errorCode, &error, plContext);
+       
+       if (!pkixTempResult) {
+           /* Setting plErr error code:
+            *    get it from PORT_GetError if it is a leaf error and
+            *    default error code does not exist(eq 0)               */
+           if (!cause && !error->plErr) {
+               error->plErr = PKIX_PL_GetPLErrorCode();
+           }
+       }
+
+       *pError = error;
+
+cleanup:
+
+        PKIX_DEBUG_EXIT(ERROR);
+        pkixErrorClass = 0;
+#ifdef PKIX_OBJECT_LEAK_TEST        
+        noErrorState = PKIX_FALSE;
+
+        if (runningLeakTest && fnStackNameArr) {
+            PR_LOG(pkixLog, 5,
+                   ("%s%*s<- %s(%d) - %s\n", (errorGenerated ? "*" : " "),
+                    stackPosition, " ", fnStackNameArr[stackPosition],
+                    stackPosition, myFuncName));
+            fnStackNameArr[stackPosition--] = NULL;
+        }
+#endif /* PKIX_OBJECT_LEAK_TEST */
+        return (pkixTempResult);
+}
+
+/*
+ * FUNCTION: pkix_CheckTypes
+ * DESCRIPTION:
+ *
+ *  Checks that the types of the Object pointed to by "first" and the Object
+ *  pointed to by "second" are both equal to the value of "type". If they
+ *  are not equal, a PKIX_Error is returned.
+ *
+ * PARAMETERS:
+ *  "first"
+ *      Address of first Object. Must be non-NULL.
+ *  "second"
+ *      Address of second Object. Must be non-NULL.
+ *  "type"
+ *      Value of type to check against.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CheckTypes(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_UInt32 type,
+        void *plContext)
+{
+        PKIX_UInt32 firstType, secondType;
+
+        PKIX_ENTER(OBJECT, "pkix_CheckTypes");
+        PKIX_NULLCHECK_TWO(first, second);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(first, &firstType, plContext),
+                    PKIX_COULDNOTGETFIRSTOBJECTTYPE);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETSECONDOBJECTTYPE);
+
+        if ((firstType != type)||(firstType != secondType)) {
+                PKIX_ERROR(PKIX_OBJECTTYPESDONOTMATCH);
+        }
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_CheckType
+ * DESCRIPTION:
+ *
+ *  Checks that the type of the Object pointed to by "object" is equal to the
+ *  value of "type". If it is not equal, a PKIX_Error is returned.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object. Must be non-NULL.
+ *  "type"
+ *      Value of type to check against.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CheckType(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 type,
+        void *plContext)
+{
+        return (pkix_CheckTypes(object, object, type, plContext));
+}
+
+/*
+ * FUNCTION: pkix_hash
+ * DESCRIPTION:
+ *
+ *  Computes a hash value for "length" bytes starting at the array of bytes
+ *  pointed to by "bytes" and stores the result at "pHash".
+ *
+ *  XXX To speed this up, we could probably read 32 bits at a time from
+ *  bytes (maybe even 64 bits on some platforms)
+ *
+ * PARAMETERS:
+ *  "bytes"
+ *      Address of array of bytes to hash. Must be non-NULL.
+ *  "length"
+ *      Number of bytes to hash.
+ *  "pHash"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_hash(
+        const unsigned char *bytes,
+        PKIX_UInt32 length,
+        PKIX_UInt32 *pHash,
+        void *plContext)
+{
+        PKIX_UInt32 i;
+        PKIX_UInt32 hash;
+
+        PKIX_ENTER(OBJECT, "pkix_hash");
+        PKIX_NULLCHECK_TWO(bytes, pHash);
+
+        hash = 0;
+        for (i = 0; i < length; i++) {
+                /* hash = 31 * hash + bytes[i]; */
+                hash = (hash << 5) - hash + bytes[i];
+        }
+
+        *pHash = hash;
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_countArray
+ * DESCRIPTION:
+ *
+ *  Counts the number of elements in the  null-terminated array of pointers
+ *  pointed to by "array" and returns the result.
+ *
+ * PARAMETERS
+ *  "array"
+ *      Address of null-terminated array of pointers.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns the number of elements in the array.
+ */
+PKIX_UInt32
+pkix_countArray(void **array)
+{
+        PKIX_UInt32 count = 0;
+
+        if (array) {
+                while (*array++) {
+                        count++;
+                }
+        }
+        return (count);
+}
+
+/*
+ * FUNCTION: pkix_duplicateImmutable
+ * DESCRIPTION:
+ *
+ *  Convenience callback function used for duplicating immutable objects.
+ *  Since the objects can not be modified, this function simply increments the
+ *  reference count on the object, and returns a reference to that object.
+ *
+ *  (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
+ */
+PKIX_Error *
+pkix_duplicateImmutable(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_ENTER(OBJECT, "pkix_duplicateImmutable");
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_INCREF(object);
+
+        *pNewObject = object;
+
+cleanup:
+        PKIX_RETURN(OBJECT);
+}
+
+/* --String-Encoding-Conversion-Functions------------------------ */
+
+/*
+ * FUNCTION: pkix_hex2i
+ * DESCRIPTION:
+ *
+ *  Converts hexadecimal character "c" to its integer value and returns result.
+ *
+ * PARAMETERS
+ *  "c"
+ *      Character to convert to a hex value.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  The hexadecimal value of "c". Otherwise -1. (Unsigned 0xFFFFFFFF).
+ */
+PKIX_UInt32
+pkix_hex2i(char c)
+{
+        if ((c >= '0')&&(c <= '9'))
+                return (c-'0');
+        else if ((c >= 'a')&&(c <= 'f'))
+                return (c-'a'+10);
+        else if ((c >= 'A')&&(c <= 'F'))
+                return (c-'A'+10);
+        else
+                return ((PKIX_UInt32)(-1));
+}
+
+/*
+ * FUNCTION: pkix_i2hex
+ * DESCRIPTION:
+ *
+ *  Converts integer value "digit" to its ASCII hex value
+ *
+ * PARAMETERS
+ *  "digit"
+ *      Value of integer to convert to ASCII hex value. Must be 0-15.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  The ASCII hexadecimal value of "digit".
+ */
+char
+pkix_i2hex(char digit)
+{
+        if ((digit >= 0)&&(digit <= 9))
+                return (digit+'0');
+        else if ((digit >= 0xa)&&(digit <= 0xf))
+                return (digit - 10 + 'a');
+        else
+                return (-1);
+}
+
+/*
+ * FUNCTION: pkix_isPlaintext
+ * DESCRIPTION:
+ *
+ *  Returns whether character "c" is plaintext using EscASCII or EscASCII_Debug
+ *  depending on the value of "debug".
+ *
+ *  In EscASCII, [01, 7E] except '&' are plaintext.
+ *  In EscASCII_Debug [20, 7E] except '&' are plaintext.
+ *
+ * PARAMETERS:
+ *  "c"
+ *      Character to check.
+ *  "debug"
+ *      Value of debug flag.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  True if "c" is plaintext.
+ */
+PKIX_Boolean
+pkix_isPlaintext(unsigned char c, PKIX_Boolean debug) {
+        return ((c >= 0x01)&&(c <= 0x7E)&&(c != '&')&&(!debug || (c >= 20)));
+}
+
+/* --Cache-Functions------------------------ */
+
+/*
+ * FUNCTION: pkix_CacheCertChain_Lookup
+ * DESCRIPTION:
+ *
+ *  Look up CertChain Hash Table for a cached BuildResult based on "targetCert"
+ *  and "anchors" as the hash keys. If there is no item to match the key,
+ *  PKIX_FALSE is stored at "pFound". If an item is found, its cache time is
+ *  compared to "testDate". If expired, the item is removed and PKIX_FALSE is
+ *  stored at "pFound". Otherwise, PKIX_TRUE is stored at "pFound" and the 
+ *  BuildResult is stored at "pBuildResult".
+ *  The hashtable is maintained in the following ways:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *  2) A PKIX_PL_Date created with current time offset by constant 
+ *     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
+ *     When an item is retrieved, this date is compared against "testDate" for
+ *     validity. If comparison indicates this item is expired, the item is
+ *     removed from the bucket.
+ *
+ * PARAMETERS:
+ *  "targetCert"
+ *      Address of Target Cert as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "anchors"
+ *      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
+ *      Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date for verifying time validity and cache validity.
+ *      May be NULL. If testDate is NULL, this cache item will not be out-dated.
+ *  "pFound"
+ *      Address of PKIX_Boolean indicating valid data is found.
+ *      Must be non-NULL.
+ *  "pBuildResult"
+ *      Address where BuildResult will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCertChain_Lookup(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        PKIX_PL_Date *testDate,
+        PKIX_Boolean *pFound,
+        PKIX_BuildResult **pBuildResult,
+        void *plContext)
+{
+        PKIX_List *cachedValues = NULL;
+        PKIX_List *cachedKeys = NULL;
+        PKIX_Error *cachedCertChainError = NULL;
+        PKIX_PL_Date *cacheValidUntilDate = NULL;
+        PKIX_PL_Date *validityDate = NULL;
+        PKIX_Int32 cmpValidTimeResult = 0;
+        PKIX_Int32 cmpCacheTimeResult = 0;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCertChain_Lookup");
+
+        PKIX_NULLCHECK_FOUR(targetCert, anchors, pFound, pBuildResult);
+
+        *pFound = PKIX_FALSE;
+
+        /* use trust anchors and target cert as hash key */
+
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)targetCert,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)anchors,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCertChainError = PKIX_PL_HashTable_Lookup
+                    (cachedCertChainTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    (PKIX_PL_Object **) &cachedValues,
+                    plContext);
+
+        pkix_ccLookupCount++;
+
+        /* retrieve data from hashed value list */
+
+        if (cachedValues != NULL && cachedCertChainError == NULL) {
+
+            PKIX_CHECK(PKIX_List_GetItem
+                    (cachedValues,
+                    0,
+                    (PKIX_PL_Object **) &cacheValidUntilDate,
+                    plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+            /* check validity time and cache age time */
+            PKIX_CHECK(PKIX_List_GetItem
+                    (cachedValues,
+                    1,
+                    (PKIX_PL_Object **) &validityDate,
+                    plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+            /* if testDate is not set, this cache item is not out-dated */
+            if (testDate) {
+
+                PKIX_CHECK(PKIX_PL_Object_Compare
+                     ((PKIX_PL_Object *)testDate,
+                     (PKIX_PL_Object *)cacheValidUntilDate,
+                     &cmpCacheTimeResult,
+                     plContext),
+                     PKIX_OBJECTCOMPARATORFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_Compare
+                     ((PKIX_PL_Object *)testDate,
+                     (PKIX_PL_Object *)validityDate,
+                     &cmpValidTimeResult,
+                     plContext),
+                     PKIX_OBJECTCOMPARATORFAILED);
+            }
+
+            /* certs' date are all valid and cache item is not old */
+            if (cmpValidTimeResult <= 0 && cmpCacheTimeResult <=0) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                    (cachedValues,
+                    2,
+                    (PKIX_PL_Object **) pBuildResult,
+                    plContext),
+                    PKIX_LISTGETITEMFAILED);
+
+                *pFound = PKIX_TRUE;
+
+            } else {
+
+                pkix_ccRemoveCount++;
+                *pFound = PKIX_FALSE;
+
+                /* out-dated item, remove it from cache */
+                PKIX_CHECK(PKIX_PL_HashTable_Remove
+                    (cachedCertChainTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    plContext),
+                    PKIX_HASHTABLEREMOVEFAILED);
+            }
+        }
+
+cleanup:
+
+        PKIX_DECREF(cachedValues);
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedCertChainError);
+        PKIX_DECREF(cacheValidUntilDate);
+        PKIX_DECREF(validityDate);
+
+        PKIX_RETURN(BUILD);
+
+}
+
+/*
+ * FUNCTION: pkix_CacheCertChain_Remove
+ * DESCRIPTION:
+ *
+ *  Remove CertChain Hash Table entry based on "targetCert" and "anchors"
+ *  as the hash keys. If there is no item to match the key, no action is
+ *  taken.
+ *  The hashtable is maintained in the following ways:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *  2) A PKIX_PL_Date created with current time offset by constant 
+ *     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
+ *     When an item is retrieved, this date is compared against "testDate" for
+ *     validity. If comparison indicates this item is expired, the item is
+ *     removed from the bucket.
+ *
+ * PARAMETERS:
+ *  "targetCert"
+ *      Address of Target Cert as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "anchors"
+ *      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCertChain_Remove(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        void *plContext)
+{
+        PKIX_List *cachedKeys = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCertChain_Remove");
+        PKIX_NULLCHECK_TWO(targetCert, anchors);
+
+        /* use trust anchors and target cert as hash key */
+
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)targetCert,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)anchors,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK_ONLY_FATAL(PKIX_PL_HashTable_Remove
+                    (cachedCertChainTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    plContext),
+                    PKIX_HASHTABLEREMOVEFAILED);
+
+        pkix_ccRemoveCount++;
+
+cleanup:
+
+        PKIX_DECREF(cachedKeys);
+
+        PKIX_RETURN(BUILD);
+
+}
+
+/*
+ * FUNCTION: pkix_CacheCertChain_Add
+ * DESCRIPTION:
+ *
+ *  Add a BuildResult to the CertChain Hash Table for a "buildResult" with
+ *  "targetCert" and "anchors" as the hash keys.
+ *  "validityDate" is the most restricted notAfter date of all Certs in
+ *  this CertChain and is verified when this BuildChain is retrieved.
+ *  The hashtable is maintained in the following ways:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *  2) A PKIX_PL_Date created with current time offset by constant 
+ *     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
+ *     When an item is retrieved, this date is compared against "testDate" for
+ *     validity. If comparison indicates this item is expired, the item is
+ *     removed from the bucket.
+ *
+ * PARAMETERS:
+ *  "targetCert"
+ *      Address of Target Cert as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "anchors"
+ *      Address of PKIX_List of "anchors" is used as key to retrive CertChain.
+ *      Must be non-NULL.
+ *  "validityDate"
+ *      Address of PKIX_PL_Date contains the most restriced notAfter time of
+ *      all "certs". Must be non-NULL.
+ *      Address of PKIX_Boolean indicating valid data is found.
+ *      Must be non-NULL.
+ *  "buildResult"
+ *      Address of BuildResult to be cached. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCertChain_Add(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        PKIX_PL_Date *validityDate,
+        PKIX_BuildResult *buildResult,
+        void *plContext)
+{
+        PKIX_List *cachedValues = NULL;
+        PKIX_List *cachedKeys = NULL;
+        PKIX_Error *cachedCertChainError = NULL;
+        PKIX_PL_Date *cacheValidUntilDate = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCertChain_Add");
+
+        PKIX_NULLCHECK_FOUR(targetCert, anchors, validityDate, buildResult);
+
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)targetCert, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)anchors, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&cachedValues, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
+                (CACHE_ITEM_PERIOD_SECONDS,
+                &cacheValidUntilDate,
+                plContext),
+               PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedValues,
+                (PKIX_PL_Object *)cacheValidUntilDate,
+                plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedValues, (PKIX_PL_Object *)validityDate, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedValues, (PKIX_PL_Object *)buildResult, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCertChainError = PKIX_PL_HashTable_Add
+                (cachedCertChainTable,
+                (PKIX_PL_Object *) cachedKeys,
+                (PKIX_PL_Object *) cachedValues,
+                plContext);
+
+        pkix_ccAddCount++;
+
+        if (cachedCertChainError != NULL) {
+                PKIX_DEBUG("PKIX_PL_HashTable_Add for CertChain skipped: "
+                        "entry existed\n");
+        }
+
+cleanup:
+
+        PKIX_DECREF(cachedValues);
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedCertChainError);
+        PKIX_DECREF(cacheValidUntilDate);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_CacheCert_Lookup
+ * DESCRIPTION:
+ *
+ *  Look up Cert Hash Table for a cached item based on "store" and Subject in
+ *  "certSelParams" as the hash keys and returns values Certs in "pCerts".
+ *  If there isn't an item to match the key, a PKIX_FALSE is returned at
+ *  "pFound". The item's cache time is verified with "testDate". If out-dated,
+ *  this item is removed and PKIX_FALSE is returned at "pFound".
+ *  This hashtable is maintained in the following ways:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *  2) A PKIX_PL_Date created with current time offset by constant 
+ *     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
+ *     If the CertStore this Cert is from is a trusted one, the cache period is
+ *     shorter so cache can be updated more frequently.
+ *     When an item is retrieved, this date is compared against "testDate" for
+ *     validity. If comparison indicates this item is expired, the item is
+ *     removed from the bucket.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "certSelParams"
+ *      Address of ComCertSelParams that its subject is used as key to retrieve
+ *      this CertChain. Must be non-NULL.
+ *  "testDate"
+ *      Address of PKIX_PL_Date for verifying time cache validity.
+ *      Must be non-NULL. If testDate is NULL, this cache item won't be out
+ *      dated.
+ *  "pFound"
+ *      Address of KPKIX_Boolean indicating valid data is found.
+ *      Must be non-NULL.
+ *  "pCerts"
+ *      Address PKIX_List where the CertChain will be stored. Must be no-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCert_Lookup(
+        PKIX_CertStore *store,
+        PKIX_ComCertSelParams *certSelParams,
+        PKIX_PL_Date *testDate,
+        PKIX_Boolean *pFound,
+        PKIX_List** pCerts,
+        void *plContext)
+{
+        PKIX_PL_Cert *cert = NULL;
+        PKIX_List *cachedKeys = NULL;
+        PKIX_List *cachedValues = NULL;
+        PKIX_List *cachedCertList = NULL;
+        PKIX_List *selCertList = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        PKIX_PL_Date *invalidAfterDate = NULL;
+        PKIX_PL_Date *cacheValidUntilDate = NULL;
+        PKIX_CertSelector *certSel = NULL;
+        PKIX_Error *cachedCertError = NULL;
+        PKIX_CertSelector_MatchCallback selectorMatch = NULL;
+        PKIX_Int32 cmpValidTimeResult = PKIX_FALSE;
+        PKIX_Int32 cmpCacheTimeResult = 0;
+        PKIX_Boolean certMatch = PKIX_FALSE;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCert_Lookup");
+        PKIX_NULLCHECK_TWO(store, certSelParams);
+        PKIX_NULLCHECK_TWO(pFound, pCerts);
+
+        *pFound = PKIX_FALSE;
+
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)store, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+                (certSelParams, &subject, plContext),
+                PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+        PKIX_NULLCHECK_ONE(subject);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)subject, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCertError = PKIX_PL_HashTable_Lookup
+                    (cachedCertTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    (PKIX_PL_Object **) &cachedValues,
+                    plContext);
+        pkix_cLookupCount++;
+
+        if (cachedValues != NULL && cachedCertError == NULL) {
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (cachedValues,
+                        0,
+                        (PKIX_PL_Object **) &cacheValidUntilDate,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (testDate) {
+                    PKIX_CHECK(PKIX_PL_Object_Compare
+                         ((PKIX_PL_Object *)testDate,
+                         (PKIX_PL_Object *)cacheValidUntilDate,
+                         &cmpCacheTimeResult,
+                         plContext),
+                         PKIX_OBJECTCOMPARATORFAILED);
+                }
+
+                if (cmpCacheTimeResult <= 0) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (cachedValues,
+                        1,
+                        (PKIX_PL_Object **) &cachedCertList,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    /*
+                     * Certs put on cache satifies only for Subject,
+                     * user selector and ComCertSelParams to filter.
+                     */
+                    PKIX_CHECK(PKIX_CertSelector_Create
+                          (NULL, NULL, &certSel, plContext),
+                          PKIX_CERTSELECTORCREATEFAILED);
+
+                    PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
+                          (certSel, certSelParams, plContext),
+                          PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+
+                    PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                          (certSel, &selectorMatch, plContext),
+                          PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+                    PKIX_CHECK(PKIX_List_Create(&selCertList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                    /* 
+                     * If any of the Cert on the list is out-dated, invalidate
+                     * this cache item.
+                     */
+                    PKIX_CHECK(PKIX_List_GetLength
+                        (cachedCertList, &numItems, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                    for (i = 0; i < numItems; i++){
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                            (cachedCertList,
+                            i,
+                            (PKIX_PL_Object **)&cert,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(PKIX_PL_Cert_GetValidityNotAfter
+                            (cert, &invalidAfterDate, plContext),
+                            PKIX_CERTGETVALIDITYNOTAFTERFAILED);
+
+                        if (testDate) {
+                            PKIX_CHECK(PKIX_PL_Object_Compare
+                                ((PKIX_PL_Object *)invalidAfterDate,
+                                (PKIX_PL_Object *)testDate,
+                                &cmpValidTimeResult,
+                                plContext),
+                                PKIX_OBJECTCOMPARATORFAILED);
+                        }
+
+                        if (cmpValidTimeResult < 0) {
+
+                            pkix_cRemoveCount++;
+                            *pFound = PKIX_FALSE;
+
+                            /* one cert is out-dated, remove item from cache */
+                            PKIX_CHECK(PKIX_PL_HashTable_Remove
+                                    (cachedCertTable,
+                                    (PKIX_PL_Object *) cachedKeys,
+                                    plContext),
+                                    PKIX_HASHTABLEREMOVEFAILED);
+                            goto cleanup;
+                        }
+
+                        PKIX_CHECK(selectorMatch
+                                    (certSel,
+                                    cert,
+                                    &certMatch,
+                                    plContext),
+                                    PKIX_SELECTORMATCHFAILED);
+
+                        if (certMatch){
+                            /* put on the return list */
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                   (selCertList,
+                                   (PKIX_PL_Object *)cert,
+                                   plContext),
+                                  PKIX_LISTAPPENDITEMFAILED);
+
+                            *pFound = PKIX_TRUE;
+                        }
+
+                        PKIX_DECREF(cert);
+                        PKIX_DECREF(invalidAfterDate);
+
+                    }
+
+                    if (*pFound) {
+                        PKIX_INCREF(selCertList);
+                        *pCerts = selCertList;
+                    }
+
+                } else {
+
+                    pkix_cRemoveCount++;
+                    *pFound = PKIX_FALSE;
+                    /* cache item is out-dated, remove it from cache */
+                    PKIX_CHECK(PKIX_PL_HashTable_Remove
+                                (cachedCertTable,
+                                (PKIX_PL_Object *) cachedKeys,
+                                plContext),
+                                PKIX_HASHTABLEREMOVEFAILED);
+                }
+
+        } 
+
+cleanup:
+
+        PKIX_DECREF(subject);
+        PKIX_DECREF(certSel);
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedValues);
+        PKIX_DECREF(cacheValidUntilDate);
+        PKIX_DECREF(cert);
+        PKIX_DECREF(cachedCertList);
+        PKIX_DECREF(selCertList);
+        PKIX_DECREF(invalidAfterDate);
+        PKIX_DECREF(cachedCertError);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_CacheCert_Add
+ * DESCRIPTION:
+ *
+ *  Add Cert Hash Table for a cached item based on "store" and Subject in
+ *  "certSelParams" as the hash keys and have "certs" as the key value.
+ *  This hashtable is maintained in the following ways:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *  2) A PKIX_PL_Date created with current time offset by constant 
+ *     CACHE_ITEM_PERIOD_SECONDS is attached to each item in the Hash Table.
+ *     If the CertStore this Cert is from is a trusted one, the cache period is
+ *     shorter so cache can be updated more frequently.
+ *     When an item is retrieved, this date is compared against "testDate" for
+ *     validity. If comparison indicates this item is expired, the item is
+ *     removed from the bucket.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "certSelParams"
+ *      Address of ComCertSelParams that its subject is used as key to retrieve
+ *      this CertChain. Must be non-NULL.
+ *  "certs"
+ *      Address PKIX_List of Certs will be stored. Must be no-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCert_Add(
+        PKIX_CertStore *store,
+        PKIX_ComCertSelParams *certSelParams,
+        PKIX_List* certs,
+        void *plContext)
+{
+        PKIX_List *cachedKeys = NULL;
+        PKIX_List *cachedValues = NULL;
+        PKIX_PL_Date *cacheValidUntilDate = NULL;
+        PKIX_PL_X500Name *subject = NULL;
+        PKIX_Error *cachedCertError = NULL;
+        PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
+        PKIX_UInt32 cachePeriod = CACHE_ITEM_PERIOD_SECONDS;
+        PKIX_UInt32 numCerts = 0;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCert_Add");
+        PKIX_NULLCHECK_THREE(store, certSelParams, certs);
+
+        PKIX_CHECK(PKIX_List_GetLength(certs, &numCerts,
+                                       plContext),
+                   PKIX_LISTGETLENGTHFAILED);
+        if (numCerts == 0) {
+            /* Don't want to add an empty list. */
+            goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)store, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+                (certSelParams, &subject, plContext),
+                PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+        PKIX_NULLCHECK_ONE(subject);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedKeys, (PKIX_PL_Object *)subject, plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&cachedValues, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_CertStore_GetTrustCallback
+                (store, &trustCallback, plContext),
+                PKIX_CERTSTOREGETTRUSTCALLBACKFAILED);
+
+        if (trustCallback) {
+                cachePeriod = CACHE_TRUST_ITEM_PERIOD_SECONDS;
+        }
+
+        PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
+               (cachePeriod, &cacheValidUntilDate, plContext),
+               PKIX_DATECREATECURRENTOFFBYSECONDSFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedValues,
+                (PKIX_PL_Object *)cacheValidUntilDate,
+                plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                (cachedValues,
+                (PKIX_PL_Object *)certs,
+                plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCertError = PKIX_PL_HashTable_Add
+                    (cachedCertTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    (PKIX_PL_Object *) cachedValues,
+                    plContext);
+
+        pkix_cAddCount++;
+
+        if (cachedCertError != NULL) {
+                PKIX_DEBUG("PKIX_PL_HashTable_Add for Certs skipped: "
+                        "entry existed\n");
+        }
+
+cleanup:
+
+        PKIX_DECREF(subject);
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedValues);
+        PKIX_DECREF(cacheValidUntilDate);
+        PKIX_DECREF(cachedCertError);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_CacheCrlEntry_Lookup
+ * DESCRIPTION:
+ *
+ *  Look up CrlEntry Hash Table for a cached item based on "store",
+ *  "certIssuer" and "certSerialNumber" as the hash keys and returns values
+ *  "pCrls". If there isn't an item to match the key, a PKIX_FALSE is
+ *  returned at "pFound".
+ *  This hashtable is maintained in the following way:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "certIssuer"
+ *      Address of X500Name that is used as key to retrieve the CRLEntries.
+ *      Must be non-NULL.
+ *  "certSerialNumber"
+ *      Address of BigInt that is used as key to retrieve the CRLEntries.
+ *      Must be non-NULL.
+ *  "pFound"
+ *      Address of KPKIX_Boolean indicating valid data is found.
+ *      Must be non-NULL.
+ *  "pCrls"
+ *      Address PKIX_List where the CRLEntry will be stored. Must be no-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCrlEntry_Lookup(
+        PKIX_CertStore *store,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_Boolean *pFound,
+        PKIX_List** pCrls,
+        void *plContext)
+{
+        PKIX_List *cachedKeys = NULL;
+        PKIX_List *cachedCrlEntryList = NULL;
+        PKIX_Error *cachedCrlEntryError = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCrlEntry_Lookup");
+        PKIX_NULLCHECK_THREE(store, certIssuer, certSerialNumber);
+        PKIX_NULLCHECK_TWO(pFound, pCrls);
+
+        *pFound = PKIX_FALSE;
+
+        /* Find CrlEntry(s) by issuer and serial number */
+         
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys, (PKIX_PL_Object *)store, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys, (PKIX_PL_Object *)certIssuer, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)certSerialNumber,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCrlEntryError = PKIX_PL_HashTable_Lookup
+                    (cachedCrlEntryTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    (PKIX_PL_Object **) &cachedCrlEntryList,
+                    plContext);
+        pkix_ceLookupCount++;
+
+        /* 
+         * We don't need check Date to invalidate this cache item,
+         * the item is uniquely defined and won't be reverted. Let
+         * the FIFO for cleaning up.
+         */
+
+        if (cachedCrlEntryList != NULL && cachedCrlEntryError == NULL ) {
+
+                PKIX_INCREF(cachedCrlEntryList);
+                *pCrls = cachedCrlEntryList;
+
+                *pFound = PKIX_TRUE;
+
+        } else {
+
+                *pFound = PKIX_FALSE;
+        }
+
+cleanup:
+
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedCrlEntryList);
+        PKIX_DECREF(cachedCrlEntryError);
+
+        PKIX_RETURN(BUILD);
+}
+
+/*
+ * FUNCTION: pkix_CacheCrlEntry_Add
+ * DESCRIPTION:
+ *
+ *  Look up CrlEntry Hash Table for a cached item based on "store",
+ *  "certIssuer" and "certSerialNumber" as the hash keys and have "pCrls" as
+ *  the hash value. If there isn't an item to match the key, a PKIX_FALSE is
+ *  returned at "pFound".
+ *  This hashtable is maintained in the following way:
+ *  1) When creating the hashtable, maximum bucket size can be specified (0 for
+ *     unlimited). If items in a bucket reaches its full size, an new addition
+ *     will trigger the removal of the old as FIFO sequence.
+ *
+ * PARAMETERS:
+ *  "store"
+ *      Address of CertStore as key to retrieve this CertChain. Must be 
+ *      non-NULL.
+ *  "certIssuer"
+ *      Address of X500Name that is used as key to retrieve the CRLEntries.
+ *      Must be non-NULL.
+ *  "certSerialNumber"
+ *      Address of BigInt that is used as key to retrieve the CRLEntries.
+ *      Must be non-NULL.
+ *  "crls"
+ *      Address PKIX_List where the CRLEntry is stored. Must be no-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Error Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_CacheCrlEntry_Add(
+        PKIX_CertStore *store,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_List* crls,
+        void *plContext)
+{
+        PKIX_List *cachedKeys = NULL;
+        PKIX_Error *cachedCrlEntryError = NULL;
+
+        PKIX_ENTER(BUILD, "pkix_CacheCrlEntry_Add");
+        PKIX_NULLCHECK_THREE(store, certIssuer, certSerialNumber);
+        PKIX_NULLCHECK_ONE(crls);
+
+        /* Add CrlEntry(s) by issuer and serial number */
+         
+        PKIX_CHECK(PKIX_List_Create(&cachedKeys, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys, (PKIX_PL_Object *)store, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys, (PKIX_PL_Object *)certIssuer, plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (cachedKeys,
+                    (PKIX_PL_Object *)certSerialNumber,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        cachedCrlEntryError = PKIX_PL_HashTable_Add
+                    (cachedCrlEntryTable,
+                    (PKIX_PL_Object *) cachedKeys,
+                    (PKIX_PL_Object *) crls,
+                    plContext);
+        pkix_ceAddCount++;
+
+cleanup:
+
+        PKIX_DECREF(cachedKeys);
+        PKIX_DECREF(cachedCrlEntryError);
+
+        PKIX_RETURN(BUILD);
+}
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+
+/* TEST_START_FN and testStartFnStackPosition define at what state
+ * of the stack the object leak testing should begin. The condition
+ * in pkix_CheckForGeneratedError works the following way: do leak
+ * testing if at position testStartFnStackPosition in stack array
+ * (fnStackNameArr) we have called function TEST_START_FN.
+ * Note, that stack array get filled only when executing libpkix
+ * functions.
+ * */
+#define TEST_START_FN "PKIX_BuildChain"
+
+PKIX_Error*
+pkix_CheckForGeneratedError(PKIX_StdVars * stdVars, 
+                            PKIX_ERRORCLASS errClass, 
+                            char * fnName,
+                            PKIX_Boolean *errSetFlag,
+                            void * plContext)
+{
+    PKIX_Error *genErr = NULL;
+    PKIX_UInt32 pos = 0;
+    PKIX_UInt32 strLen = 0;
+
+    if (fnName) { 
+        if (fnStackNameArr[testStartFnStackPosition] == NULL ||
+            strcmp(fnStackNameArr[testStartFnStackPosition], TEST_START_FN)
+            ) {
+            /* return with out error if not with in boundary */
+            return NULL;
+        }
+        if (!strcmp(fnName, TEST_START_FN)) {
+            *errSetFlag = PKIX_TRUE;
+            noErrorState = PKIX_FALSE;
+            errorGenerated = PKIX_FALSE;
+        }
+    }   
+
+    if (noErrorState || errorGenerated)  return NULL;
+
+    if (fnName && (
+        !strcmp(fnName, "PKIX_PL_Object_DecRef") ||
+        !strcmp(fnName, "PKIX_PL_Object_Unlock") ||
+        !strcmp(fnName, "pkix_UnlockObject") ||
+        !strcmp(fnName, "pkix_Throw") ||
+        !strcmp(fnName, "pkix_trace_dump_cert") ||
+        !strcmp(fnName, "PKIX_PL_Free"))) {
+        /* do not generate error for this functions */
+        noErrorState = PKIX_TRUE;
+        *errSetFlag = PKIX_TRUE;
+        return NULL;
+    }
+
+    if (PL_HashTableLookup(fnInvTable, &fnStackInvCountArr[stackPosition - 1])) {
+        return NULL;
+    }
+
+    PL_HashTableAdd(fnInvTable, &fnStackInvCountArr[stackPosition - 1], nonNullValue);
+    errorGenerated = PKIX_TRUE;
+    noErrorState = PKIX_TRUE;
+    genErr = PKIX_DoThrow(stdVars, errClass, PKIX_MEMLEAKGENERATEDERROR,
+                          errClass, plContext);
+    while(fnStackNameArr[pos]) {
+        strLen += PORT_Strlen(fnStackNameArr[pos++]) + 1;
+    }
+    pos = 0;
+    errorFnStackString = PORT_ZAlloc(strLen);
+    while(fnStackNameArr[pos]) {
+        strcat(errorFnStackString, "/");
+        strcat(errorFnStackString, fnStackNameArr[pos++]);
+    }
+    noErrorState = PKIX_FALSE;
+    
+    return genErr;
+}
+#endif /* PKIX_OBJECT_LEAK_TEST */
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.h b/security/nss/lib/libpkix/pkix/util/pkix_tools.h
new file mode 100755
index 000000000..f4fcb4a6e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.h
@@ -0,0 +1,1597 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *   Red Hat, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_tools.h
+ *
+ * Header for Utility Functions and Macros
+ *
+ */
+
+#ifndef _PKIX_TOOLS_H
+#define _PKIX_TOOLS_H
+
+#include "pkix.h"
+#include <stddef.h>
+#include <stdio.h>
+#include "secport.h"
+
+/* private PKIX system headers */
+#include "pkix_basicconstraintschecker.h"
+#include "pkix_buildresult.h"
+#include "pkix_certchainchecker.h"
+#include "pkix_certselector.h"
+#include "pkix_comcertselparams.h"
+#include "pkix_comcrlselparams.h"
+#include "pkix_crlselector.h"
+#include "pkix_defaultcrlchecker.h"
+#include "pkix_defaultrevchecker.h"
+#include "pkix_error.h"
+#include "pkix_expirationchecker.h"
+#include "pkix_list.h"
+#include "pkix_logger.h"
+#include "pkix_namechainingchecker.h"
+#include "pkix_nameconstraintschecker.h"
+#include "pkix_ocspchecker.h"
+#include "pkix_policychecker.h"
+#include "pkix_policynode.h"
+#include "pkix_procparams.h"
+#include "pkix_resourcelimits.h"
+#include "pkix_revocationchecker.h"
+#include "pkix_signaturechecker.h"
+#include "pkix_store.h"
+#include "pkix_targetcertchecker.h"
+#include "pkix_validate.h"
+#include "pkix_valresult.h"
+#include "pkix_verifynode.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkixStdVarsStr {
+    const char        *aMyFuncName;
+    PKIX_Error        *aPkixErrorResult;
+    PKIX_Error        *aPkixTempResult;
+    PKIX_Error        *aPkixReturnResult;
+    PKIX_ERRORCODE     aPkixErrorCode;
+    const char        *aPkixErrorMsg;
+    PKIX_Boolean       aPkixErrorReceived;
+    PKIX_Boolean       aPkixTempErrorReceived;
+    PKIX_ERRORCLASS    aPkixErrorClass;
+    PKIX_UInt32        aPkixType;
+    PKIX_PL_Object    *aLockedObject;
+    PKIX_List         *aPkixErrorList;
+} PKIX_StdVars;
+
+#ifdef PKIX_STDVARS_POINTER
+#define myFuncName                  stdVars->aMyFuncName
+#define pkixErrorResult             stdVars->aPkixErrorResult
+#define pkixTempResult              stdVars->aPkixTempResult
+#define pkixReturnResult            stdVars->aPkixReturnResult
+#define pkixErrorCode               stdVars->aPkixErrorCode
+#define pkixErrorMsg                stdVars->aPkixErrorMsg
+#define pkixErrorReceived           stdVars->aPkixErrorReceived
+#define pkixTempErrorReceived       stdVars->aPkixTempErrorReceived 
+#define pkixErrorClass              stdVars->aPkixErrorClass
+#define pkixType                    stdVars->aPkixType
+#define lockedObject                stdVars->aLockedObject
+#define pkixErrorList               stdVars->aPkixErrorList
+#define stdVarsPtr                  stdVars
+#else
+#define myFuncName                  stdVars.aMyFuncName
+#define pkixErrorResult             stdVars.aPkixErrorResult
+#define pkixTempResult              stdVars.aPkixTempResult
+#define pkixReturnResult            stdVars.aPkixReturnResult
+#define pkixErrorCode               stdVars.aPkixErrorCode
+#define pkixErrorMsg                stdVars.aPkixErrorMsg
+#define pkixErrorReceived           stdVars.aPkixErrorReceived
+#define pkixTempErrorReceived       stdVars.aPkixTempErrorReceived 
+#define pkixErrorClass              stdVars.aPkixErrorClass
+#define pkixType                    stdVars.aPkixType
+#define lockedObject                stdVars.aLockedObject
+#define pkixErrorList               stdVars.aPkixErrorList
+#define stdVarsPtr                  &stdVars
+#endif
+
+extern PKIX_Error * PKIX_DoReturn(PKIX_StdVars * stdVars, 
+                                  PKIX_ERRORCLASS errClass, 
+                                  PKIX_Boolean doLogger,
+                                  void * plContext);
+
+extern PKIX_Error * PKIX_DoThrow(PKIX_StdVars * stdVars, 
+                                 PKIX_ERRORCLASS errClass, 
+                                 PKIX_ERRORCODE errCode,
+                                 PKIX_ERRORCLASS overrideClass, 
+                                 void * plContext);
+
+extern void PKIX_DoAddError(PKIX_StdVars * stdVars, 
+                            PKIX_Error * error,
+                            void * plContext);
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+extern PKIX_Error * pkix_CheckForGeneratedError(PKIX_StdVars * stdVars, 
+                                                PKIX_ERRORCLASS errClass, 
+                                                char * fnName,
+                                                PKIX_Boolean *errorStateSet,
+                                                void * plContext);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+extern const PKIX_StdVars zeroStdVars;
+
+extern PRLogModuleInfo *pkixLog;
+
+/*
+ * UTILITY MACROS
+ * Documentation for these common utility macros can be found in the
+ * Implementation Guidelines document (Section 4.3)
+ *
+ * In general, macros with multiple statements (or a single "if" statement)
+ * use the "do {<body>} while (0)" technique in order to convert the multiple
+ * statements into one statement, thus avoiding the dangling else problem.
+ * For macros which ALWAYS exit with a "return" or "goto", there is no
+ * need to use this technique (and it yields compiler warnings of "statement
+ * not reached"), so we just use "{<body>}" to group the statements together.
+ */
+
+#if !defined (PKIX_OBJECT_LEAK_TEST)
+
+#define PKIX_STD_VARS(funcName) \
+    static const char cMyFuncName[] = {funcName}; \
+    PKIX_StdVars      stdVars = zeroStdVars; \
+    myFuncName = cMyFuncName
+
+
+#else /* PKIX_OBJECT_LEAK_TEST */
+
+extern char **fnStackNameArr;
+extern PKIX_UInt32 *fnStackInvCountArr;
+extern PKIX_UInt32  stackPosition;
+extern PKIX_Boolean noErrorState;
+extern PKIX_Boolean errorGenerated;
+extern PKIX_Boolean runningLeakTest;
+extern PLHashTable *fnInvTable;
+extern PKIX_UInt32 testStartFnStackPosition;
+extern char *errorFnStackString;
+
+extern PLHashNumber PR_CALLBACK pkix_ErrorGen_Hash (const void *key);
+
+#define PKIX_STD_VARS(funcName) \
+    static const char cMyFuncName[] = {funcName}; \
+    PKIX_StdVars      stdVars = zeroStdVars; \
+    PKIX_Boolean      errorSetFlag = PKIX_FALSE; \
+    myFuncName = cMyFuncName; \
+    if (runningLeakTest) { \
+        if (fnStackNameArr) { \
+            fnStackInvCountArr[stackPosition] += 1; \
+            stackPosition += 1; \
+            fnStackInvCountArr[stackPosition] = 0; \
+            fnStackNameArr[stackPosition] = (char*)myFuncName; \
+            fnStackNameArr[stackPosition + 1] = NULL; \
+            PR_LOG(pkixLog, 5, \
+                    ("%s%*s+> %s(%d) - %s\n", (errorGenerated ? "*" : " "), \
+                             stackPosition, " ", fnStackNameArr[stackPosition], \
+                             stackPosition, myFuncName)); \
+        } \
+        do { \
+            pkixErrorResult = pkix_CheckForGeneratedError(&stdVars, PKIX_MEM_ERROR, \
+                                                          funcName, &errorSetFlag, \
+                                                          plContext); \
+            if (pkixErrorResult) { \
+                 PR_LOG(pkixLog, 5, \
+                    ("%s%*s<- %s(%d) - %s\n", (errorGenerated ? "*" : " "), \
+                              stackPosition, " ", fnStackNameArr[stackPosition], \
+                              stackPosition, myFuncName)); \
+                 fnStackNameArr[stackPosition--] = NULL; \
+                 if (errorSetFlag) { \
+                       noErrorState = (noErrorState) ? PKIX_FALSE : PKIX_TRUE; \
+                 } \
+                 return pkixErrorResult; \
+            } \
+        } while (0); \
+    }
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+#ifdef DEBUG
+#define _PKIX_DEBUG_TRACE(cond, prefix, level) \
+    do { \
+	if (cond) { \
+	    pkix_Logger_Check(pkixLoggersDebugTrace, myFuncName, \
+	                      prefix, pkixType, level, plContext); \
+	} \
+    } while (0)
+#else
+#define _PKIX_DEBUG_TRACE(cond, prefix, level) 
+#endif
+
+#define _PKIX_LOG_ERROR(msg, level) \
+    { \
+	if (pkixLoggersErrors) { \
+	    pkix_Logger_Check(pkixLoggersErrors, msg, \
+	                      NULL, pkixType, level, plContext); \
+	} \
+    }
+
+#define PKIX_ENTER(type, funcName) \
+    PKIX_STD_VARS(funcName); \
+    pkixType = PKIX_ ## type ## _ERROR; \
+    PKIX_DEBUG_ENTER(type); \
+    _PKIX_DEBUG_TRACE(pkixLoggersDebugTrace, ">>>", PKIX_LOGGER_LEVEL_TRACE);
+
+#define PKIX_ENTER_NO_LOGGER(type, funcName) \
+    PKIX_STD_VARS(funcName); \
+    pkixType = PKIX_ ## type ## _ERROR; \
+    PKIX_DEBUG_ENTER(type);
+
+#define PKIX_DEBUG_ENTER(type) \
+    PKIX_ ## type ## _DEBUG_ARG("( Entering %s).\n", myFuncName)
+
+#define PKIX_DEBUG_EXIT(type) \
+    PKIX_ ## type ## _DEBUG_ARG("( Exiting %s).\n", myFuncName)
+
+#define PKIX_OBJECT_UNLOCK(obj) \
+    do { \
+	if (obj && lockedObject == (PKIX_PL_Object *)(obj)){ \
+	    pkixTempResult = \
+		    PKIX_PL_Object_Unlock \
+		    ((PKIX_PL_Object *)(obj), plContext); \
+	    if (pkixTempResult) { \
+		PKIX_DoAddError(stdVarsPtr, pkixTempResult, plContext); \
+		pkixTempResult = NULL; \
+	    } \
+	    lockedObject = NULL; \
+	} else { \
+	    PORT_Assert(lockedObject == NULL); \
+	} \
+    } while (0)
+
+#define PKIX_DECREF(obj) \
+    do { \
+	if (obj){ \
+	    pkixTempResult = PKIX_PL_Object_DecRef \
+			((PKIX_PL_Object *)(obj), plContext); \
+	    if (pkixTempResult) { \
+		PKIX_DoAddError(stdVarsPtr, pkixTempResult, plContext); \
+		pkixTempResult = NULL; \
+	    } \
+	    obj = NULL; \
+	} \
+    } while (0)
+
+#define PKIX_THROW(type, descNum) \
+    return PKIX_DoThrow(&stdVars, (PKIX_ ## type ## _ERROR), descNum, \
+                        pkixErrorClass, plContext);
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+#define PKIX_RETURN(type) \
+    if (runningLeakTest && fnStackNameArr) { \
+        PR_LOG(pkixLog, 5, \
+               ("%s%*s<- %s(%d) - %s\n", (errorGenerated ? "*" : " "), \
+               stackPosition, " ", fnStackNameArr[stackPosition], \
+               stackPosition, myFuncName)); \
+        fnStackNameArr[stackPosition--] = NULL; \
+        if (errorSetFlag) noErrorState = (noErrorState) ? PKIX_FALSE : PKIX_TRUE; \
+    } \
+    return PKIX_DoReturn(&stdVars, (PKIX_ ## type ## _ERROR), PKIX_TRUE, plContext);
+#else
+#define PKIX_RETURN(type) \
+    return PKIX_DoReturn(&stdVars, (PKIX_ ## type ## _ERROR), PKIX_TRUE, plContext);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+
+#if defined(DEBUG) && !defined(DEBUG_nb95248)
+#define PKIX_RETURN_NO_LOGGER(type) \
+    { \
+	PKIX_OBJECT_UNLOCK(lockedObject); \
+	if ((pkixErrorReceived) || (pkixErrorResult) || pkixErrorList) \
+	    PKIX_THROW(type, pkixErrorCode); \
+	PKIX_DEBUG_EXIT(type); \
+	return NULL; \
+    }
+#else
+#define PKIX_RETURN_NO_LOGGER(type) \
+    return PKIX_DoReturn(&stdVars, (PKIX_ ## type ## _ERROR), PKIX_FALSE, plContext);
+#endif
+
+/* disable to disable ;-) */
+/* #define WANT_TRACE_CHECK_FAILURES */
+
+#ifdef WANT_TRACE_CHECK_FAILURES
+#define TRACE_CHECK_FAILURE(what, errorstring) \
+    if (pkixLog) { \
+      PR_LOG(pkixLog, PR_LOG_DEBUG, \
+        ("====> [%s] failed: %s\n", #what, errorstring)); \
+    }
+#else
+#define TRACE_CHECK_FAILURE(what, errorstring)
+#endif
+
+#define PKIX_CHECK(func, descNum) \
+    do { \
+	pkixErrorResult = (func); \
+	if (pkixErrorResult) { \
+            TRACE_CHECK_FAILURE((func), PKIX_ErrorText[descNum]) \
+	    pkixErrorClass = pkixErrorResult->errClass; \
+	    pkixErrorCode = descNum; \
+	    pkixErrorMsg = PKIX_ErrorText[descNum]; \
+	    goto cleanup; \
+	} \
+    } while (0)
+
+#define PKIX_CHECK_ONLY_FATAL(func, descNum) \
+    do { \
+	pkixTempErrorReceived = PKIX_FALSE; \
+	pkixErrorResult = (func); \
+	if (pkixErrorResult) { \
+            TRACE_CHECK_FAILURE((func), PKIX_ErrorText[descNum]) \
+	    pkixTempErrorReceived = PKIX_TRUE; \
+	    pkixErrorClass = pkixErrorResult->errClass; \
+            if (pkixErrorClass == PKIX_FATAL_ERROR) { \
+	         goto cleanup; \
+	    } \
+	    PKIX_DECREF(pkixErrorResult); \
+	} \
+    } while (0)
+
+#define PKIX_LOG_ERROR(descNum) \
+    _PKIX_LOG_ERROR(PKIX_ErrorText[descNum], PKIX_LOGGER_LEVEL_ERROR)
+
+#define PKIX_ERROR(descNum) \
+    { \
+	PKIX_LOG_ERROR(descNum) \
+	pkixErrorReceived = PKIX_TRUE; \
+	pkixErrorCode = descNum; \
+	pkixErrorMsg = PKIX_ErrorText[descNum]; \
+	goto cleanup; \
+    }
+
+#define PKIX_ERROR_ALLOC_ERROR() \
+    { \
+	PKIX_LOG_ERROR(PKIX_ALLOCERROR) \
+	pkixErrorReceived = PKIX_TRUE; \
+	pkixErrorResult = PKIX_ALLOC_ERROR(); \
+	goto cleanup; \
+    }
+
+#define PKIX_ERROR_FATAL(descNum) \
+    { \
+	pkixErrorReceived = PKIX_TRUE; \
+	pkixErrorMsg = PKIX_ErrorText[descNum]; \
+	pkixErrorCode = descNum; \
+	pkixErrorClass = PKIX_FATAL_ERROR; \
+	_PKIX_LOG_ERROR(pkixErrorMsg, PKIX_LOGGER_LEVEL_FATALERROR); \
+	goto cleanup; \
+    }
+
+#define PKIX_CHECK_FATAL(func, descNum) \
+    do { \
+	pkixErrorResult = (func); \
+	if (pkixErrorResult) { \
+                TRACE_CHECK_FAILURE((func), PKIX_ErrorText[descNum]) \
+		pkixErrorReceived = PKIX_TRUE; \
+		pkixErrorMsg = PKIX_ErrorText[descNum]; \
+		pkixErrorCode = descNum; \
+		pkixErrorClass = PKIX_FATAL_ERROR; \
+		_PKIX_LOG_ERROR(pkixErrorMsg, PKIX_LOGGER_LEVEL_FATALERROR); \
+		goto fatal; \
+	} \
+    } while (0)
+
+#define PKIX_NULLCHECK_ONE(a) \
+    do { \
+	if ((a) == NULL){ \
+	    pkixErrorReceived = PKIX_TRUE; \
+	    pkixErrorMsg = PKIX_ErrorText[PKIX_NULLARGUMENT]; \
+	    pkixErrorCode = PKIX_NULLARGUMENT; \
+	    PKIX_RETURN(FATAL); \
+	} \
+    } while (0)
+
+#define PKIX_NULLCHECK_TWO(a, b) \
+    do { \
+	if (((a) == NULL) || ((b) == NULL)){ \
+	    pkixErrorReceived = PKIX_TRUE; \
+	    pkixErrorMsg = PKIX_ErrorText[PKIX_NULLARGUMENT]; \
+	    pkixErrorCode = PKIX_NULLARGUMENT; \
+	    PKIX_RETURN(FATAL); \
+	} \
+    } while (0)
+
+#define PKIX_NULLCHECK_THREE(a, b, c) \
+    do { \
+	if (((a) == NULL) || ((b) == NULL) || ((c) == NULL)){ \
+	    pkixErrorReceived = PKIX_TRUE; \
+	    pkixErrorMsg = PKIX_ErrorText[PKIX_NULLARGUMENT]; \
+	    pkixErrorCode = PKIX_NULLARGUMENT; \
+	    PKIX_RETURN(FATAL); \
+	} \
+    } while (0)
+
+#define PKIX_NULLCHECK_FOUR(a, b, c, d) \
+    do { \
+	if (((a) == NULL) || ((b) == NULL) || \
+	    ((c) == NULL) || ((d) == NULL)){ \
+	    pkixErrorReceived = PKIX_TRUE; \
+	    pkixErrorMsg = PKIX_ErrorText[PKIX_NULLARGUMENT]; \
+	    pkixErrorCode = PKIX_NULLARGUMENT; \
+	    PKIX_RETURN(FATAL); \
+	} \
+    } while (0)
+
+#define PKIX_OBJECT_LOCK(obj) \
+    do { \
+	if (obj) { \
+	    pkixTempResult = \
+		PKIX_PL_Object_Lock((PKIX_PL_Object*)(obj), plContext); \
+	    if (pkixTempResult) { \
+		PKIX_DoAddError(stdVarsPtr, pkixTempResult, plContext); \
+		pkixTempResult = NULL; \
+		pkixErrorCode = PKIX_OBJECTLOCKFAILED; \
+		goto cleanup; \
+	    } \
+	    lockedObject = (PKIX_PL_Object *)(obj); \
+	} \
+    } while (0)
+
+#define PKIX_ERROR_CREATE(type, descNum, error) \
+    { \
+	pkixTempResult = (PKIX_Error*)pkix_Throw \
+		(PKIX_ ## type ## _ERROR,  myFuncName, \
+		descNum, PKIX_ ## type ## _ERROR, pkixErrorResult, \
+		&error, plContext); \
+	if (pkixTempResult) { \
+	    error = pkixTempResult; \
+	    pkixTempResult = NULL; \
+	} \
+    }
+		
+
+#define PKIX_ERROR_RECEIVED \
+    (pkixErrorReceived || pkixErrorResult || pkixTempErrorReceived || \
+     pkixErrorList)
+
+#define PKIX_INCREF(obj) \
+    do { \
+	if (obj){ \
+	    pkixTempResult = PKIX_PL_Object_IncRef \
+			((PKIX_PL_Object *)(obj), plContext); \
+	    if (pkixTempResult) { \
+		PKIX_DoAddError(&stdVars, pkixTempResult, plContext); \
+		pkixTempResult = NULL; \
+		goto cleanup; \
+	    } \
+	} \
+    } while (0)
+
+#define PKIX_FREE(obj) \
+    do { \
+	if (obj) { \
+	    pkixTempResult = PKIX_PL_Free((obj), plContext); \
+	    if (pkixTempResult) { \
+		PKIX_DoAddError(&stdVars, pkixTempResult, plContext); \
+		pkixTempResult = NULL; \
+	    } \
+	    obj = NULL; \
+	} \
+    } while (0)
+
+#define PKIX_EXACTLY_ONE_NULL(a, b) (((a) && !(b)) || ((b) && !(a)))
+
+/* DIGIT MACROS */
+
+#define PKIX_ISDIGIT(c) (((c) >= '0') && ((c) <= '9'))
+
+#define PKIX_ISXDIGIT(c) \
+    (PKIX_ISDIGIT(c) || ( (((c)|0x20) >= 'a') && (((c)|0x20) <= 'f') ))
+
+#define PKIX_TOSTRING(a, b, c, d) \
+    do { \
+	int descNum; \
+	if ((a) != NULL) { \
+	    pkixErrorResult =  \
+		PKIX_PL_Object_ToString((PKIX_PL_Object *)(a), (b), (c)); \
+	    descNum = (d); \
+	} else { \
+	    pkixErrorResult =  \
+		PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, (b), (c)); \
+	    descNum = PKIX_STRINGCREATEFAILED; \
+	} \
+	PKIX_CHECK(pkixErrorResult, descNum); \
+    } while (0)
+
+#define PKIX_EQUALS(a, b, c, d, e) \
+    do { \
+	if ((a) != NULL && (b) != NULL) { \
+	    PKIX_CHECK(PKIX_PL_Object_Equals\
+			((PKIX_PL_Object *)(a), \
+			(PKIX_PL_Object*)(b), \
+			(c), \
+			(d)), \
+			(e)); \
+	} else if ((a) == NULL && (b) == NULL) { \
+	    *(c) = PKIX_TRUE; \
+	} else { \
+	    *(c) = PKIX_FALSE; \
+	} \
+    } while (0)
+
+#define PKIX_HASHCODE(a, b, c, d) \
+    do { \
+	if ((a) != NULL) { \
+	    PKIX_CHECK(PKIX_PL_Object_Hashcode\
+		((PKIX_PL_Object *)(a), (b), (c)), (d)); \
+	} else { \
+	    *(b) = 0; \
+	} \
+    } while (0)
+
+#define PKIX_DUPLICATE(a, b, c, d) \
+    do { \
+	if ((a) != NULL) { \
+	    PKIX_CHECK(PKIX_PL_Object_Duplicate\
+			((PKIX_PL_Object *)(a), \
+			(PKIX_PL_Object **)(b), \
+			(c)), \
+			(d)); \
+	} else { \
+	    *(b) = (a); \
+	} \
+    } while (0)
+
+/*
+ * DEBUG MACROS
+ *
+ * Each type has an associated debug flag, which can
+ * be set on the compiler line using "-D<debugflag>". For convenience,
+ * "-DPKIX_DEBUGALL" turns on debug for all the components.
+ *
+ * If a type's debug flag is defined, then its two associated macros
+ * are defined: PKIX_type_DEBUG(expr) and PKIX_type_DEBUG_ARG(expr, arg),
+ * which call PKIX_DEBUG(expr) and PKIX_DEBUG_ARG(expr, arg) respectively,
+ * which, in turn, enable standard and consistently formatted output.
+ *
+ * If a type's debug flag is not defined, the two associated macros
+ * are defined as a NO-OP. As such, any PKIX_type_DEBUG or PKIX_type_DEBUG_ARG
+ * macros for an undefined type will be stripped from the code during
+ * pre-processing, thereby reducing code size.
+ */
+
+#ifdef PKIX_DEBUGALL
+#define PKIX_REFCOUNTDEBUG                        1
+#define PKIX_MEMDEBUG                             1
+#define PKIX_MUTEXDEBUG                           1
+#define PKIX_OBJECTDEBUG                          1
+#define PKIX_STRINGDEBUG                          1
+#define PKIX_OIDDEBUG                             1
+#define PKIX_LISTDEBUG                            1
+#define PKIX_ERRORDEBUG                           1
+#define PKIX_BYTEARRAYDEBUG                       1
+#define PKIX_RWLOCKDEBUG                          1
+#define PKIX_BIGINTDEBUG                          1
+#define PKIX_HASHTABLEDEBUG                       1
+#define PKIX_X500NAMEDEBUG                        1
+#define PKIX_GENERALNAMEDEBUG                     1
+#define PKIX_PUBLICKEYDEBUG                       1
+#define PKIX_CERTDEBUG                            1
+#define PKIX_HTTPCLIENTDEBUG                      1
+#define PKIX_DATEDEBUG                            1
+#define PKIX_TRUSTANCHORDEBUG                     1
+#define PKIX_PROCESSINGPARAMSDEBUG                1
+#define PKIX_VALIDATEPARAMSDEBUG                  1
+#define PKIX_VALIDATERESULTDEBUG                  1
+#define PKIX_VALIDATEDEBUG                        1
+#define PKIX_CERTCHAINCHECKERDEBUG                1
+#define PKIX_REVOCATIONCHECKERDEBUG               1
+#define PKIX_CERTSELECTORDEBUG                    1
+#define PKIX_COMCERTSELPARAMSDEBUG                1
+#define PKIX_TARGETCERTCHECKERSTATEDEBUG          1
+#define PKIX_INITIALIZEPARAMSDEBUG                1
+#define PKIX_CERTBASICCONSTRAINTSDEBUG            1
+#define PKIX_CERTNAMECONSTRAINTSDEBUG             1
+#define PKIX_CERTNAMECONSTRAINTSCHECKERSTATEDEBUG 1
+#define PKIX_SUBJALTNAMECHECKERSTATEDEBUG         1
+
+#define PKIX_CERTPOLICYQUALIFIERDEBUG             1
+#define PKIX_CERTPOLICYINFODEBUG                  1
+#define PKIX_CERTPOLICYNODEDEBUG                  1
+#define PKIX_CERTPOLICYCHECKERSTATEDEBUG          1
+#define PKIX_LIFECYCLEDEBUG                       1
+#define PKIX_BASICCONSTRAINTSCHECKERSTATEDEBUG    1
+#define PKIX_CRLDEBUG                             1
+#define PKIX_CRLENTRYDEBUG                        1
+#define PKIX_CRLSELECTORDEBUG                     1
+#define PKIX_COMCRLSELPARAMSDEBUG                 1
+#define PKIX_CERTSTOREDEBUG                       1
+#define PKIX_COLLECTIONCERTSTORECONTEXTDEBUG      1
+#define PKIX_DEFAULTCRLCHECKERSTATEDEBUG          1
+#define PKIX_CERTPOLICYMAPDEBUG                   1
+#define PKIX_BUILDDEBUG                           1
+#define PKIX_BUILDRESULTDEBUG                     1
+#define PKIX_FORWARDBUILDERSTATEDEBUG             1
+#define PKIX_SIGNATURECHECKERSTATEDEBUG           1
+#define PKIX_USERDEFINEDMODULESDEBUG              1
+#define PKIX_CONTEXTDEBUG                         1
+#define PKIX_DEFAULTREVOCATIONCHECKERDEBUG        1
+#define PKIX_LDAPREQUESTDEBUG                     1
+#define PKIX_LDAPRESPONSEDEBUG                    1
+#define PKIX_LDAPCLIENTDEBUG                      1
+#define PKIX_LDAPDEFAULTCLIENTDEBUG               1
+#define PKIX_SOCKETDEBUG                          1
+#define PKIX_RESOURCELIMITSDEBUG                  1
+#define PKIX_LOGGERDEBUG                          1
+#define PKIX_MONITORLOCKDEBUG                     1
+#define PKIX_INFOACCESSDEBUG                      1
+#define PKIX_AIAMGRDEBUG                          1
+#define PKIX_OCSPCHECKERDEBUG                     1
+#define PKIX_OCSPREQUESTDEBUG                     1
+#define PKIX_OCSPRESPONSEDEBUG                    1
+#define PKIX_HTTPDEFAULTCLIENTDEBUG               1
+#define PKIX_HTTPCERTSTORECONTEXTDEBUG            1
+#define PKIX_VERIFYNODEDEBUG                      1
+#endif
+
+/*
+ * XXX Both PKIX_DEBUG and PKIX_DEBUG_ARG currently use printf.
+ * This needs to be replaced with Loggers.
+ */
+
+#define PKIX_DEBUG(expr) \
+    do { \
+	_PKIX_DEBUG_TRACE(pkixLoggersErrors, expr, PKIX_LOGGER_LEVEL_DEBUG); \
+	(void) printf("(%s: ", myFuncName); \
+	(void) printf(expr); \
+    } while (0)
+
+/* Logging doesn't support DEBUG with ARG: cannot convert control and arg */
+#define PKIX_DEBUG_ARG(expr, arg) \
+    do { \
+	(void) printf("(%s: ", myFuncName); \
+	(void) printf(expr, arg); \
+    } while (0)
+
+#if PKIX_FATALDEBUG
+#define PKIX_FATAL_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_FATAL_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_FATAL_DEBUG(expr)
+#define PKIX_FATAL_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_REFCOUNTDEBUG
+#define PKIX_REF_COUNT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_REF_COUNT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_REF_COUNT_DEBUG(expr)
+#define PKIX_REF_COUNT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_MEMDEBUG
+#define PKIX_MEM_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_MEM_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_MEM_DEBUG(expr)
+#define PKIX_MEM_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_MUTEXDEBUG
+#define PKIX_MUTEX_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_MUTEX_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_MUTEX_DEBUG(expr)
+#define PKIX_MUTEX_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OBJECTDEBUG
+#define PKIX_OBJECT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OBJECT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OBJECT_DEBUG(expr)
+#define PKIX_OBJECT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_ERRORDEBUG
+#define PKIX_ERROR_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_ERROR_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_ERROR_DEBUG(expr)
+#define PKIX_ERROR_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_STRINGDEBUG
+#define PKIX_STRING_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_STRING_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_STRING_DEBUG(expr)
+#define PKIX_STRING_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OIDDEBUG
+#define PKIX_OID_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OID_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OID_DEBUG(expr)
+#define PKIX_OID_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LISTDEBUG
+#define PKIX_LIST_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LIST_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LIST_DEBUG(expr)
+#define PKIX_LIST_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_RWLOCKDEBUG
+#define PKIX_RWLOCK_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_RWLOCK_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_RWLOCK_DEBUG(expr)
+#define PKIX_RWLOCK_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BYTEARRAYDEBUG
+#define PKIX_BYTEARRAY_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BYTEARRAY_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BYTEARRAY_DEBUG(expr)
+#define PKIX_BYTEARRAY_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_HASHTABLEDEBUG
+#define PKIX_HASHTABLE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_HASHTABLE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_HASHTABLE_DEBUG(expr)
+#define PKIX_HASHTABLE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_X500NAMEDEBUG
+#define PKIX_X500NAME_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_X500NAME_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_X500NAME_DEBUG(expr)
+#define PKIX_X500NAME_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_GENERALNAMEDEBUG
+#define PKIX_GENERALNAME_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_GENERALNAME_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_GENERALNAME_DEBUG(expr)
+#define PKIX_GENERALNAME_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_PUBLICKEYDEBUG
+#define PKIX_PUBLICKEY_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_PUBLICKEY_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_PUBLICKEY_DEBUG(expr)
+#define PKIX_PUBLICKEY_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTDEBUG
+#define PKIX_CERT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERT_DEBUG(expr)
+#define PKIX_CERT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_HTTPCLIENTDEBUG
+#define PKIX_HTTPCLIENT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_HTTPCLIENT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_HTTPCLIENT_DEBUG(expr)
+#define PKIX_HTTPCLIENT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BIGINTDEBUG
+#define PKIX_BIGINT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BIGINT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BIGINT_DEBUG(expr)
+#define PKIX_BIGINT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_DATEDEBUG
+#define PKIX_DATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_DATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_DATE_DEBUG(expr)
+#define PKIX_DATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_TRUSTANCHORDEBUG
+#define PKIX_TRUSTANCHOR_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_TRUSTANCHOR_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_TRUSTANCHOR_DEBUG(expr)
+#define PKIX_TRUSTANCHOR_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_PROCESSINGPARAMSDEBUG
+#define PKIX_PROCESSINGPARAMS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_PROCESSINGPARAMS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_PROCESSINGPARAMS_DEBUG(expr)
+#define PKIX_PROCESSINGPARAMS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_VALIDATEPARAMSDEBUG
+#define PKIX_VALIDATEPARAMS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_VALIDATEPARAMS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_VALIDATEPARAMS_DEBUG(expr)
+#define PKIX_VALIDATEPARAMS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_VALIDATERESULTDEBUG
+#define PKIX_VALIDATERESULT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_VALIDATERESULT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_VALIDATERESULT_DEBUG(expr)
+#define PKIX_VALIDATERESULT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_VALIDATEDEBUG
+#define PKIX_VALIDATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_VALIDATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_VALIDATE_DEBUG(expr)
+#define PKIX_VALIDATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BUILDDEBUG
+#define PKIX_BUILD_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BUILD_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BUILD_DEBUG(expr)
+#define PKIX_BUILD_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTCHAINCHECKERDEBUG
+#define PKIX_CERTCHAINCHECKER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTCHAINCHECKER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTCHAINCHECKER_DEBUG(expr)
+#define PKIX_CERTCHAINCHECKER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_REVOCATIONCHECKERDEBUG
+#define PKIX_REVOCATIONCHECKER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_REVOCATIONCHECKER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_REVOCATIONCHECKER_DEBUG(expr)
+#define PKIX_REVOCATIONCHECKER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTSELECTORDEBUG
+#define PKIX_CERTSELECTOR_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTSELECTOR_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTSELECTOR_DEBUG(expr)
+#define PKIX_CERTSELECTOR_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_COMCERTSELPARAMSDEBUG
+#define PKIX_COMCERTSELPARAMS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_COMCERTSELPARAMS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_COMCERTSELPARAMS_DEBUG(expr)
+#define PKIX_COMCERTSELPARAMS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_TARGETCERTCHECKERSTATEDEBUG
+#define PKIX_TARGETCERTCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_TARGETCERTCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_TARGETCERTCHECKERSTATE_DEBUG(expr)
+#define PKIX_TARGETCERTCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BASICCONSTRAINTSCHECKERSTATEDEBUG
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG(expr)
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_INITIALIZEPARAMSDEBUG
+#define PKIX_INITIALIZEPARAMS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_INITIALIZEPARAMS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_INITIALIZEPARAMS_DEBUG(expr)
+#define PKIX_INITIALIZEPARAMS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTBASICCONSTRAINTSDEBUG
+#define PKIX_CERTBASICCONSTRAINTS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTBASICCONSTRAINTS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTBASICCONSTRAINTS_DEBUG(expr)
+#define PKIX_CERTBASICCONSTRAINTS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTNAMECONSTRAINTSDEBUG
+#define PKIX_CERTNAMECONSTRAINTS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTNAMECONSTRAINTS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTNAMECONSTRAINTS_DEBUG(expr)
+#define PKIX_CERTNAMECONSTRAINTS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTNAMECONSTRAINTSCHECKERSTATEDEBUG
+#define PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_DEBUG(expr)
+#define PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_SUBJALTNAMECHECKERSTATEDEBUG
+#define PKIX_SUBJALTNAMECHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_SUBJALTNAMECHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_SUBJALTNAMECHECKERSTATE_DEBUG(expr)
+#define PKIX_SUBJALTNAMECHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTPOLICYQUALIFIERDEBUG
+#define PKIX_CERTPOLICYQUALIFIER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTPOLICYQUALIFIER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTPOLICYQUALIFIER_DEBUG(expr)
+#define PKIX_CERTPOLICYQUALIFIER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTPOLICYINFODEBUG
+#define PKIX_CERTPOLICYINFO_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTPOLICYINFO_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTPOLICYINFO_DEBUG(expr)
+#define PKIX_CERTPOLICYINFO_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTPOLICYNODEDEBUG
+#define PKIX_CERTPOLICYNODE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTPOLICYNODE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTPOLICYNODE_DEBUG(expr)
+#define PKIX_CERTPOLICYNODE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
+#define PKIX_CERTPOLICYCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTPOLICYCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTPOLICYCHECKERSTATE_DEBUG(expr)
+#define PKIX_CERTPOLICYCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LIFECYCLEDEBUG
+#define PKIX_LIFECYCLE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LIFECYCLE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LIFECYCLE_DEBUG(expr)
+#define PKIX_LIFECYCLE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BASICCONSTRAINTSCHECKERSTATEDEBUG
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG(expr)
+#define PKIX_BASICCONSTRAINTSCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CRLDEBUG
+#define PKIX_CRL_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CRL_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CRL_DEBUG(expr)
+#define PKIX_CRL_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CRLENTRYDEBUG
+#define PKIX_CRLENTRY_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CRLENTRY_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CRLENTRY_DEBUG(expr)
+#define PKIX_CRLENTRY_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CRLSELECTORDEBUG
+#define PKIX_CRLSELECTOR_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CRLSELECTOR_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CRLSELECTOR_DEBUG(expr)
+#define PKIX_CRLSELECTOR_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_COMCRLSELPARAMSDEBUG
+#define PKIX_COMCRLSELPARAMS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_COMCRLSELPARAMS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_COMCRLSELPARAMS_DEBUG(expr)
+#define PKIX_COMCRLSELPARAMS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTSTOREDEBUG
+#define PKIX_CERTSTORE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTSTORE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTSTORE_DEBUG(expr)
+#define PKIX_CERTSTORE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_COLLECTIONCERTSTORECONTEXTDEBUG
+#define PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG(expr)
+#define PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_DEFAULTCRLCHECKERSTATEDEBUG
+#define PKIX_DEFAULTCRLCHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_DEFAULTCRLCHECKERSTATE_DEBUG(expr)
+#define PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTPOLICYMAPDEBUG
+#define PKIX_CERTPOLICYMAP_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTPOLICYMAP_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTPOLICYMAP_DEBUG(expr)
+#define PKIX_CERTPOLICYMAP_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_BUILDRESULTDEBUG
+#define PKIX_BUILDRESULT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_BUILDRESULT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_BUILDRESULT_DEBUG(expr)
+#define PKIX_BUILDRESULT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_FORWARDBUILDERSTATEDEBUG
+#define PKIX_FORWARDBUILDERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_FORWARDBUILDERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_FORWARDBUILDERSTATE_DEBUG(expr)
+#define PKIX_FORWARDBUILDERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_SIGNATURECHECKERSTATEDEBUG
+#define PKIX_SIGNATURECHECKERSTATE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_SIGNATURECHECKERSTATE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_SIGNATURECHECKERSTATE_DEBUG(expr)
+#define PKIX_SIGNATURECHECKERSTATE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_USERDEFINEDMODULESDEBUG
+#define PKIX_USERDEFINEDMODULES_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_USERDEFINEDMODULES_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_USERDEFINEDMODULES_DEBUG(expr)
+#define PKIX_USERDEFINEDMODULES_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CONTEXTDEBUG
+#define PKIX_CONTEXT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CONTEXT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CONTEXT_DEBUG(expr)
+#define PKIX_CONTEXT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_DEFAULTREVOCATIONCHECKERDEBUG
+#define PKIX_DEFAULTREVOCATIONCHECKER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_DEFAULTREVOCATIONCHECKER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_DEFAULTREVOCATIONCHECKER_DEBUG(expr)
+#define PKIX_DEFAULTREVOCATIONCHECKER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LDAPREQUESTDEBUG
+#define PKIX_LDAPREQUEST_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LDAPREQUEST_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LDAPREQUEST_DEBUG(expr)
+#define PKIX_LDAPREQUEST_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LDAPRESPONSEDEBUG
+#define PKIX_LDAPRESPONSE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LDAPRESPONSE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LDAPRESPONSE_DEBUG(expr)
+#define PKIX_LDAPRESPONSE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LDAPCLIENTDEBUG
+#define PKIX_LDAPCLIENT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LDAPCLIENT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LDAPCLIENT_DEBUG(expr)
+#define PKIX_LDAPCLIENT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LDAPDEFAULTCLIENTDEBUG
+#define PKIX_LDAPDEFAULTCLIENT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LDAPDEFAULTCLIENT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LDAPDEFAULTCLIENT_DEBUG(expr)
+#define PKIX_LDAPDEFAULTCLIENT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_SOCKETDEBUG
+#define PKIX_SOCKET_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_SOCKET_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_SOCKET_DEBUG(expr)
+#define PKIX_SOCKET_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_RESOURCELIMITSDEBUG
+#define PKIX_RESOURCELIMITS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_RESOURCELIMITS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_RESOURCELIMITS_DEBUG(expr)
+#define PKIX_RESOURCELIMITS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_LOGGERDEBUG
+#define PKIX_LOGGER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_LOGGER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_LOGGER_DEBUG(expr)
+#define PKIX_LOGGER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_MONITORLOCKDEBUG
+#define PKIX_MONITORLOCK_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_MONITORLOCK_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_MONITORLOCK_DEBUG(expr)
+#define PKIX_MONITORLOCK_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_INFOACCESSDEBUG
+#define PKIX_INFOACCESS_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_INFOACCESS_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_INFOACCESS_DEBUG(expr)
+#define PKIX_INFOACCESS_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_AIAMGRDEBUG
+#define PKIX_AIAMGR_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_AIAMGR_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_AIAMGR_DEBUG(expr)
+#define PKIX_AIAMGR_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OCSPCHECKERDEBUG
+#define PKIX_OCSPCHECKER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OCSPCHECKER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OCSPCHECKER_DEBUG(expr)
+#define PKIX_OCSPCHECKER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OCSPCERTIDDEBUG
+#define PKIX_OCSPCERTID_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OCSPCERTID_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OCSPCERTID_DEBUG(expr)
+#define PKIX_OCSPCERTID_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OCSPREQUESTDEBUG
+#define PKIX_OCSPREQUEST_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OCSPREQUEST_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OCSPREQUEST_DEBUG(expr)
+#define PKIX_OCSPREQUEST_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_OCSPRESPONSEDEBUG
+#define PKIX_OCSPRESPONSE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_OCSPRESPONSE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_OCSPRESPONSE_DEBUG(expr)
+#define PKIX_OCSPRESPONSE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_HTTPDEFAULTCLIENTDEBUG
+#define PKIX_HTTPDEFAULTCLIENT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_HTTPDEFAULTCLIENT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_HTTPDEFAULTCLIENT_DEBUG(expr)
+#define PKIX_HTTPDEFAULTCLIENT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_HTTPCERTSTORECONTEXTDEBUG
+#define PKIX_HTTPCERTSTORECONTEXT_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_HTTPCERTSTORECONTEXT_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_HTTPCERTSTORECONTEXT_DEBUG(expr)
+#define PKIX_HTTPCERTSTORECONTEXT_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_VERIFYNODEDEBUG
+#define PKIX_VERIFYNODE_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_VERIFYNODE_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_VERIFYNODE_DEBUG(expr)
+#define PKIX_VERIFYNODE_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_EKUCHECKER
+#define PKIX_EKUCHECKER_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_EKUCHECKER_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_EKUCHECKER_DEBUG(expr)
+#define PKIX_EKUCHECKER_DEBUG_ARG(expr, arg)
+#endif
+
+#if PKIX_CERTVFYPKIXDEBUG
+#define PKIX_CERTVFYPKIX_DEBUG(expr) \
+        PKIX_DEBUG(expr)
+#define PKIX_CERTVFYPKIX_DEBUG_ARG(expr, arg) \
+        PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_CERTVFYPKIX_DEBUG(expr)
+#define PKIX_CERTVFYPKIX_DEBUG_ARG(expr, arg)
+#endif
+
+/*
+ * All object types register themselves with the system using a
+ * pkix_ClassTable_Entry, which consists of a set of functions for that
+ * type and an ASCII string (char *) which is used by the default
+ * ToStringCallback (if necessary). System types register themselves directly
+ * when their respective PKIX_"type"_RegisterSelf functions are called.
+ * User-defined types can be registered using PKIX_PL_Object_RegisterType.
+ * (see comments in pkix_pl_system.h)
+ */
+
+typedef struct pkix_ClassTable_EntryStruct pkix_ClassTable_Entry;
+struct pkix_ClassTable_EntryStruct {
+        char *description;
+        PKIX_Int32 objCounter;
+        PKIX_Int32 typeObjectSize;
+        PKIX_PL_DestructorCallback destructor;
+        PKIX_PL_EqualsCallback equalsFunction;
+        PKIX_PL_HashcodeCallback hashcodeFunction;
+        PKIX_PL_ToStringCallback toStringFunction;
+        PKIX_PL_ComparatorCallback comparator;
+        PKIX_PL_DuplicateCallback duplicateFunction;
+};
+
+/*
+ * PKIX_ERRORCLASSNAMES is an array of strings, with each string holding a
+ * descriptive name for an error code. This is used by the default
+ * PKIX_PL_Error_ToString function.
+ */
+extern const char *PKIX_ERRORCLASSNAMES[PKIX_NUMERRORCLASSES];
+
+#define MAX_STACK_DEPTH         1000
+
+extern PRLogModuleInfo *pkixLog;
+
+#define PKIX_MAGIC_HEADER           (PKIX_UInt32) 0xBEEFC0DE
+#define PKIX_MAGIC_HEADER_DESTROYED (PKIX_UInt32) 0xDEADC0DE
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_IsCertSelfIssued(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pSelfIssued,
+        void *plContext);
+
+PKIX_Error *
+pkix_Throw(
+        PKIX_ERRORCLASS errClass,
+        const char *funcName,
+        PKIX_ERRORCODE errorTextCode,
+        PKIX_ERRORCLASS overrideClass,
+        PKIX_Error *cause,
+        PKIX_Error **pError,
+        void *plContext);
+
+PKIX_Error *
+pkix_CheckTypes(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_UInt32 type,
+        void *plContext);
+
+PKIX_Error *
+pkix_CheckType(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 type,
+        void *plContext);
+
+PKIX_Error *
+pkix_hash(
+        const unsigned char *bytes,
+        PKIX_UInt32 length,
+        PKIX_UInt32 *hash,
+        void *plContext);
+
+PKIX_Error *
+pkix_duplicateImmutable(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext);
+
+PKIX_UInt32
+pkix_countArray(void **array);
+
+PKIX_UInt32
+pkix_hex2i(char c);
+
+char
+pkix_i2hex(char c);
+
+PKIX_Boolean
+pkix_isPlaintext(unsigned char c, PKIX_Boolean debug);
+
+PKIX_Error *
+pkix_CacheCertChain_Lookup(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        PKIX_PL_Date *testDate,
+        PKIX_Boolean *pFound,
+        PKIX_BuildResult **pBuildResult,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCertChain_Remove(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCertChain_Add(
+        PKIX_PL_Cert* targetCert,
+        PKIX_List* anchors,
+        PKIX_PL_Date *validityDate,
+        PKIX_BuildResult *buildResult,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCert_Lookup(
+        PKIX_CertStore *store,
+        PKIX_ComCertSelParams *certSelParams,
+        PKIX_PL_Date *testDate,
+        PKIX_Boolean *pFound,
+        PKIX_List** pCerts,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCert_Add(
+        PKIX_CertStore *store,
+        PKIX_ComCertSelParams *certSelParams,
+        PKIX_List* certs,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCrlEntry_Lookup(
+        PKIX_CertStore *store,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_Boolean *pFound,
+        PKIX_List** pCrlEntryList,
+        void *plContext);
+
+PKIX_Error *
+pkix_CacheCrlEntry_Add(
+        PKIX_CertStore *store,
+        PKIX_PL_X500Name *certIssuer,
+        PKIX_PL_BigInt *certSerialNumber,
+        PKIX_List* crlEntryList,
+        void *plContext);
+
+#ifdef PR_LOGGING
+void
+pkix_trace_dump_cert(
+        const char *info, 
+        PKIX_PL_Cert *cert, 
+        void *plContext);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_TOOLS_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/Makefile b/security/nss/lib/libpkix/pkix_pl_nss/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/config.mk b/security/nss/lib/libpkix/pkix_pl_nss/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/manifest.mn
new file mode 100755
index 000000000..dfc2b3ae4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/manifest.mn
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+DEPTH      = ../../../..
+
+#
+DIRS =  pki system module \
+	$(NULL)
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/Makefile b/security/nss/lib/libpkix/pkix_pl_nss/module/Makefile
new file mode 100755
index 000000000..a06b8bed4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk b/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
new file mode 100755
index 000000000..5a5176a6f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
@@ -0,0 +1,83 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_pl_aiamgr.h \
+	pkix_pl_colcertstore.h \
+	pkix_pl_ekuchecker.h \
+	pkix_pl_httpcertstore.h \
+	pkix_pl_httpdefaultclient.h \
+	pkix_pl_ldapt.h \
+	pkix_pl_ldapcertstore.h \
+	pkix_pl_ldapresponse.h \
+	pkix_pl_ldaprequest.h \
+	pkix_pl_ldapdefaultclient.h \
+	pkix_pl_nsscontext.h \
+	pkix_pl_pk11certstore.h \
+	pkix_pl_socket.h \
+	$(NULL)
+
+MODULE = nss
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+
+
+CSRCS = \
+	pkix_pl_aiamgr.c \
+	pkix_pl_ekuchecker.c \
+	pkix_pl_colcertstore.c \
+	pkix_pl_httpcertstore.c \
+	pkix_pl_httpdefaultclient.c \
+	pkix_pl_ldaptemplates.c \
+	pkix_pl_ldapcertstore.c \
+	pkix_pl_ldapresponse.c \
+	pkix_pl_ldaprequest.c \
+	pkix_pl_ldapdefaultclient.c \
+	pkix_pl_nsscontext.c \
+	pkix_pl_pk11certstore.c \
+	pkix_pl_socket.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixmodule
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
new file mode 100644
index 000000000..707e94c9e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ -0,0 +1,718 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_aiamgr.c
+ *
+ * AIAMgr Object Definitions
+ *
+ */
+
+#include "pkix_pl_aiamgr.h"
+extern PKIX_PL_HashTable *aiaConnectionCache;
+
+/* --Virtual-LdapClient-Functions------------------------------------ */
+
+PKIX_Error *
+PKIX_PL_LdapClient_InitiateRequest(
+        PKIX_PL_LdapClient *client,
+        LDAPRequestParams *requestParams,
+        void **pNBIO,
+        PKIX_List **pResponse,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPCLIENT, "PKIX_PL_LdapClient_InitiateRequest");
+        PKIX_NULLCHECK_TWO(client, client->initiateFcn);
+
+        PKIX_CHECK(client->initiateFcn
+                (client, requestParams, pNBIO, pResponse, plContext),
+                PKIX_LDAPCLIENTINITIATEREQUESTFAILED);
+cleanup:
+
+        PKIX_RETURN(LDAPCLIENT);
+
+}
+
+PKIX_Error *
+PKIX_PL_LdapClient_ResumeRequest(
+        PKIX_PL_LdapClient *client,
+        void **pNBIO,
+        PKIX_List **pResponse,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPCLIENT, "PKIX_PL_LdapClient_ResumeRequest");
+        PKIX_NULLCHECK_TWO(client, client->resumeFcn);
+
+        PKIX_CHECK(client->resumeFcn
+                (client, pNBIO, pResponse, plContext),
+                PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
+cleanup:
+
+        PKIX_RETURN(LDAPCLIENT);
+
+}
+
+/* --Private-AIAMgr-Functions----------------------------------*/
+
+/*
+ * FUNCTION: pkix_pl_AIAMgr_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_pki.h)
+ */
+static PKIX_Error *
+pkix_pl_AIAMgr_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_AIAMgr *aiaMgr = NULL;
+
+        PKIX_ENTER(AIAMGR, "pkix_pl_AIAMgr_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_AIAMGR_TYPE, plContext),
+                PKIX_OBJECTNOTAIAMGR);
+
+        aiaMgr = (PKIX_PL_AIAMgr *)object;
+
+        /* pointer to cert cache */
+        /* pointer to crl cache */
+        aiaMgr->method = 0;
+        aiaMgr->aiaIndex = 0;
+        aiaMgr->numAias = 0;
+        PKIX_DECREF(aiaMgr->aia);
+        PKIX_DECREF(aiaMgr->location);
+        PKIX_DECREF(aiaMgr->results);
+        PKIX_DECREF(aiaMgr->client.ldapClient);
+
+cleanup:
+
+        PKIX_RETURN(AIAMGR);
+}
+
+/*
+ * FUNCTION: pkix_pl_AIAMgr_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_AIAMGR_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_AIAMgr_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(AIAMGR,
+                "pkix_pl_AIAMgr_RegisterSelf");
+
+        entry.description = "AIAMgr";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_AIAMgr);
+        entry.destructor = pkix_pl_AIAMgr_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_AIAMGR_TYPE] = entry;
+
+        PKIX_RETURN(AIAMGR);
+}
+
+/*
+ * FUNCTION: pkix_pl_AiaMgr_FindLDAPClient
+ * DESCRIPTION:
+ *
+ *  This function checks the collection of LDAPClient connections held by the
+ *  AIAMgr pointed to by "aiaMgr" for one matching the domain name given by
+ *  "domainName". The string may include a port number: e.g., "betty.nist.gov"
+ *  or "nss.red.iplanet.com:1389". If a match is found, that LDAPClient is
+ *  stored at "pClient". Otherwise, an LDAPClient is created and added to the
+ *  collection, and then stored at "pClient".
+ *
+ * PARAMETERS:
+ *  "aiaMgr"
+ *      The AIAMgr whose LDAPClient connected are to be managed. Must be
+ *      non-NULL.
+ *  "domainName"
+ *      Address of a string pointing to a server name. Must be non-NULL.
+ *  "pClient"
+ *      Address at which the returned LDAPClient is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an AIAMgr Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_AiaMgr_FindLDAPClient(
+        PKIX_PL_AIAMgr *aiaMgr,
+        char *domainName,
+        PKIX_PL_LdapClient **pClient,
+        void *plContext)
+{
+        PKIX_PL_String *domainString = NULL;
+        PKIX_PL_LdapDefaultClient *client = NULL;
+
+        PKIX_ENTER(AIAMGR, "pkix_pl_AiaMgr_FindLDAPClient");
+        PKIX_NULLCHECK_THREE(aiaMgr, domainName, pClient);
+
+        /* create PKIX_PL_String from domain name */
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, domainName, 0, &domainString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        /* Is this domainName already in cache? */
+        PKIX_CHECK(PKIX_PL_HashTable_Lookup
+                (aiaConnectionCache,
+                (PKIX_PL_Object *)domainString,
+                (PKIX_PL_Object **)&client,
+                plContext),
+                PKIX_HASHTABLELOOKUPFAILED);
+
+        if (client == NULL) {
+
+                /* No, create a connection (and cache it) */
+                PKIX_CHECK(PKIX_PL_LdapDefaultClient_CreateByName
+                        (domainName,
+                         /* Do not use NBIO until we verify, that
+                          * it is working */
+                        PR_INTERVAL_NO_TIMEOUT, /* PR_INTERVAL_NO_WAIT, */
+                        NULL,
+                        &client,
+                        plContext),
+                        PKIX_LDAPDEFAULTCLIENTCREATEBYNAMEFAILED);
+
+                PKIX_CHECK(PKIX_PL_HashTable_Add
+                        (aiaConnectionCache,
+                        (PKIX_PL_Object *)domainString,
+                        (PKIX_PL_Object *)client,
+                        plContext),
+                        PKIX_HASHTABLEADDFAILED);
+
+        }
+
+        *pClient = (PKIX_PL_LdapClient *)client;
+
+cleanup:
+
+        PKIX_DECREF(domainString);
+
+        PKIX_RETURN(AIAMGR);
+}
+
+PKIX_Error *
+pkix_pl_AIAMgr_GetHTTPCerts(
+        PKIX_PL_AIAMgr *aiaMgr,
+	PKIX_PL_InfoAccess *ia,
+	void **pNBIOContext,
+	PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_PL_GeneralName *location = NULL;
+        PKIX_PL_String *locationString = NULL;
+	PKIX_UInt32 len = 0;
+	PRUint16 port = 0;
+	const SEC_HttpClientFcn *httpClient = NULL;
+	const SEC_HttpClientFcnV1 *hcv1 = NULL;
+	SECStatus rv = SECFailure;
+	SEC_HTTP_SERVER_SESSION serverSession = NULL;
+	SEC_HTTP_REQUEST_SESSION requestSession = NULL;	
+	char *path = NULL;
+	char *hostname = NULL;
+	char *locationAscii = NULL;
+	void *nbio = NULL;
+	PRUint16 responseCode = 0;
+	const char *responseContentType = NULL;
+	const char *responseData = NULL;
+	PRUint32 responseDataLen = 0;
+
+        PKIX_ENTER(AIAMGR, "pkix_pl_AIAMgr_GetHTTPCerts");
+        PKIX_NULLCHECK_FOUR(aiaMgr, ia, pNBIOContext, pCerts);
+
+        nbio = *pNBIOContext;
+        *pNBIOContext = NULL;
+        *pCerts = NULL;
+
+        if (nbio == NULL) { /* a new request */
+
+                PKIX_CHECK(PKIX_PL_InfoAccess_GetLocation
+                        (ia, &location, plContext),
+                       PKIX_INFOACCESSGETLOCATIONFAILED);
+
+                /* find or create httpClient = default client */
+		httpClient = SEC_GetRegisteredHttpClient();
+		aiaMgr->client.hdata.httpClient = httpClient;
+
+		if (httpClient->version == 1) {
+
+			hcv1 = &(httpClient->fcnTable.ftable1);
+
+			/* create server session */
+			PKIX_TOSTRING(location, &locationString, plContext,
+				PKIX_GENERALNAMETOSTRINGFAILED);
+
+			PKIX_CHECK(PKIX_PL_String_GetEncoded
+				(locationString,
+				PKIX_ESCASCII,
+				(void **)&locationAscii,
+				&len,
+				plContext),
+				PKIX_STRINGGETENCODEDFAILED);
+
+			PKIX_PL_NSSCALLRV
+				(AIAMGR, rv, CERT_ParseURL,
+				(locationAscii, &hostname, &port, &path));
+
+			if ((rv != SECSuccess) ||
+			    (hostname == NULL) ||
+			    (path == NULL)) {
+				PKIX_ERROR(PKIX_URLPARSINGFAILED);
+			}
+
+			PKIX_PL_NSSCALLRV
+                        	(AIAMGR, rv, hcv1->createSessionFcn,
+                        	(hostname, port, &serverSession));
+
+	                if (rv != SECSuccess) {
+				PKIX_ERROR(PKIX_HTTPCLIENTCREATESESSIONFAILED);
+			}
+
+			aiaMgr->client.hdata.serverSession = serverSession;
+
+			/* create request session */
+			PKIX_PL_NSSCALLRV
+                        	(AIAMGR, rv, hcv1->createFcn,
+                        	(serverSession,
+                        	"http",
+                        	path,
+                        	"GET",
+                        	PR_TicksPerSecond() * 60,
+                        	&requestSession));
+
+                	if (rv != SECSuccess) {
+                        	if (path != NULL) {
+                                	PORT_Free(path);
+                        	}
+                        	PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                	}
+
+			aiaMgr->client.hdata.requestSession = requestSession;
+		} else {
+			PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+		}
+	}
+
+	httpClient = aiaMgr->client.hdata.httpClient;
+
+	if (httpClient->version == 1) {
+
+		hcv1 = &(httpClient->fcnTable.ftable1);
+		requestSession = aiaMgr->client.hdata.requestSession;
+
+		/* trySendAndReceive */
+		PKIX_PL_NSSCALLRV
+                        (AIAMGR, rv, hcv1->trySendAndReceiveFcn,
+                        (requestSession,
+                        (PRPollDesc **)&nbio,
+                        &responseCode,
+                        (const char **)&responseContentType,
+                        NULL, /* &responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+
+                if (nbio != 0) {
+                        *pNBIOContext = nbio;
+                        goto cleanup;
+                }
+
+		PKIX_CHECK(pkix_pl_HttpCertStore_ProcessCertResponse
+	                (responseCode,
+	                responseContentType,
+	                responseData,
+	                responseDataLen,
+	                pCerts,
+	                plContext),
+	                PKIX_HTTPCERTSTOREPROCESSCERTRESPONSEFAILED);
+                
+                /* Session and request cleanup in case of success */
+                if (aiaMgr->client.hdata.requestSession != NULL) {
+                    (*hcv1->freeFcn)(aiaMgr->client.hdata.requestSession);
+                    aiaMgr->client.hdata.requestSession = NULL;
+                }
+                if (aiaMgr->client.hdata.serverSession != NULL) {
+                    (*hcv1->freeSessionFcn)(aiaMgr->client.hdata.serverSession);
+                    aiaMgr->client.hdata.serverSession = NULL;
+                }
+                aiaMgr->client.hdata.httpClient = 0; /* callback fn */
+
+        } else  {
+		PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+	}
+
+cleanup:
+        /* Session and request cleanup in case of error. Passing through without cleanup
+         * if interrupted by blocked IO. */
+        if (PKIX_ERROR_RECEIVED && aiaMgr) {
+            if (aiaMgr->client.hdata.requestSession != NULL) {
+                (*hcv1->freeFcn)(aiaMgr->client.hdata.requestSession);
+                aiaMgr->client.hdata.requestSession = NULL;
+            }
+            if (aiaMgr->client.hdata.serverSession != NULL) {
+                (*hcv1->freeSessionFcn)(aiaMgr->client.hdata.serverSession);
+                aiaMgr->client.hdata.serverSession = NULL;
+            }
+            aiaMgr->client.hdata.httpClient = 0; /* callback fn */
+        }
+
+        PKIX_DECREF(location);
+        PKIX_DECREF(locationString);
+
+        if (locationAscii) {
+            PORT_Free(locationAscii);
+        }
+
+        PKIX_RETURN(AIAMGR);
+}
+
+PKIX_Error *
+pkix_pl_AIAMgr_GetLDAPCerts(
+        PKIX_PL_AIAMgr *aiaMgr,
+	PKIX_PL_InfoAccess *ia,
+	void **pNBIOContext,
+	PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_List *result = NULL;
+        PKIX_PL_GeneralName *location = NULL;
+        PKIX_PL_LdapClient *client = NULL;
+        LDAPRequestParams request;
+        PRArenaPool *arena = NULL;
+        char *domainName = NULL;
+	void *nbio = NULL;
+
+        PKIX_ENTER(AIAMGR, "pkix_pl_AIAMgr_GetLDAPCerts");
+        PKIX_NULLCHECK_FOUR(aiaMgr, ia, pNBIOContext, pCerts);
+
+        nbio = *pNBIOContext;
+        *pNBIOContext = NULL;
+        *pCerts = NULL;
+
+        if (nbio == NULL) { /* a new request */
+
+                /* Initiate an LDAP request */
+
+                request.scope = WHOLE_SUBTREE;
+                request.derefAliases = NEVER_DEREF;
+                request.sizeLimit = 0;
+                request.timeLimit = 0;
+
+                PKIX_CHECK(PKIX_PL_InfoAccess_GetLocation
+                        (ia, &location, plContext),
+                        PKIX_INFOACCESSGETLOCATIONFAILED);
+
+                /*
+                 * Get a short-lived arena. We'll be done with
+                 * this space once the request is encoded.
+                 */
+                PKIX_PL_NSSCALLRV(AIAMGR, arena, PORT_NewArena,
+                        (DER_DEFAULT_CHUNKSIZE));
+
+                if (!arena) {
+                        PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY);
+                }
+
+                PKIX_CHECK(pkix_pl_InfoAccess_ParseLocation
+                        (location, arena, &request, &domainName, plContext),
+                        PKIX_INFOACCESSPARSELOCATIONFAILED);
+
+                PKIX_DECREF(location);
+
+                /* Find or create a connection to LDAP server */
+                PKIX_CHECK(pkix_pl_AiaMgr_FindLDAPClient
+                        (aiaMgr, domainName, &client, plContext),
+                        PKIX_AIAMGRFINDLDAPCLIENTFAILED);
+
+                aiaMgr->client.ldapClient = client;
+
+                PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest
+                        (aiaMgr->client.ldapClient,
+			&request,
+			&nbio,
+			&result,
+			plContext),
+                        PKIX_LDAPCLIENTINITIATEREQUESTFAILED);
+
+                PKIX_PL_NSSCALL(AIAMGR, PORT_FreeArena, (arena, PR_FALSE));
+
+        } else {
+
+                PKIX_CHECK(PKIX_PL_LdapClient_ResumeRequest
+                        (aiaMgr->client.ldapClient, &nbio, &result, plContext),
+                        PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
+
+        }
+
+        if (nbio != NULL) { /* WOULDBLOCK */
+                *pNBIOContext = nbio;
+                *pCerts = NULL;
+                goto cleanup;
+        }
+
+	PKIX_DECREF(aiaMgr->client.ldapClient);
+
+	if (result == NULL) {
+		*pCerts = NULL;
+	} else {
+		PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList
+			(result, pCerts, plContext),
+			PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED);
+	}
+
+	*pNBIOContext = nbio;
+
+cleanup:
+
+        if (arena && (PKIX_ERROR_RECEIVED)) {
+                PKIX_PL_NSSCALL(AIAMGR, PORT_FreeArena, (arena, PR_FALSE));
+        }
+
+        if (PKIX_ERROR_RECEIVED) {
+	        PKIX_DECREF(aiaMgr->client.ldapClient);
+	}
+
+        PKIX_DECREF(location);
+
+        PKIX_RETURN(AIAMGR);
+}
+
+/*
+ * FUNCTION: PKIX_PL_AIAMgr_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an AIAMgr, storing the result at "pAIAMgr".
+ *
+ * PARAMETERS:
+ *  "pAIAMGR"
+ *      Address at which the returned AIAMgr is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an AIAMgr Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_AIAMgr_Create(
+        PKIX_PL_AIAMgr **pAIAMgr,
+        void *plContext)
+{
+        PKIX_PL_AIAMgr *aiaMgr = NULL;
+
+        PKIX_ENTER(AIAMGR, "PKIX_PL_AIAMgr_Create");
+        PKIX_NULLCHECK_ONE(pAIAMgr);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_AIAMGR_TYPE,
+                sizeof(PKIX_PL_AIAMgr),
+                (PKIX_PL_Object **)&aiaMgr,
+                plContext),
+                PKIX_COULDNOTCREATEAIAMGROBJECT);
+        /* pointer to cert cache */
+        /* pointer to crl cache */
+        aiaMgr->method = 0;
+        aiaMgr->aiaIndex = 0;
+        aiaMgr->numAias = 0;
+        aiaMgr->aia = NULL;
+        aiaMgr->location = NULL;
+        aiaMgr->results = NULL;
+        aiaMgr->client.hdata.httpClient = NULL;
+	aiaMgr->client.hdata.serverSession = NULL;
+	aiaMgr->client.hdata.requestSession = NULL;
+
+        *pAIAMgr = aiaMgr;
+
+cleanup:
+
+        PKIX_RETURN(AIAMGR);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_AIAMgr_GetAIACerts (see description in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_AIAMgr_GetAIACerts(
+        PKIX_PL_AIAMgr *aiaMgr,
+        PKIX_PL_Cert *prevCert,
+        void **pNBIOContext,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_UInt32 numAias = 0;
+        PKIX_UInt32 aiaIndex = 0;
+        PKIX_UInt32 iaType = PKIX_INFOACCESS_LOCATION_UNKNOWN;
+        PKIX_List *certs = NULL;
+        PKIX_PL_InfoAccess *ia = NULL;
+        void *nbio = NULL;
+
+        PKIX_ENTER(AIAMGR, "PKIX_PL_AIAMgr_GetAIACerts");
+        PKIX_NULLCHECK_FOUR(aiaMgr, prevCert, pNBIOContext, pCerts);
+
+        nbio = *pNBIOContext;
+        *pCerts = NULL;
+        *pNBIOContext = NULL;
+
+        if (nbio == NULL) { /* a new request */
+
+                /* Does this Cert have an AIA extension? */
+                PKIX_CHECK(PKIX_PL_Cert_GetAuthorityInfoAccess
+                        (prevCert, &aiaMgr->aia, plContext),
+                        PKIX_CERTGETAUTHORITYINFOACCESSFAILED);
+
+                if (aiaMgr->aia != NULL) {
+                        PKIX_CHECK(PKIX_List_GetLength
+                                (aiaMgr->aia, &numAias, plContext),
+                                PKIX_LISTGETLENGTHFAILED);
+                }
+
+                /* And if so, does it have any entries? */
+                if ((aiaMgr->aia == NULL) || (numAias == 0)) {
+                        *pCerts = NULL;
+                        goto cleanup;
+                }
+
+                aiaMgr->aiaIndex = 0;
+                aiaMgr->numAias = numAias;
+                aiaMgr->results = NULL;
+
+        }
+
+        for (aiaIndex = aiaMgr->aiaIndex;
+                aiaIndex < aiaMgr->numAias;
+                aiaIndex ++) {
+                PKIX_UInt32 method = 0;
+
+                PKIX_CHECK(PKIX_List_GetItem
+                        (aiaMgr->aia,
+                        aiaIndex,
+                        (PKIX_PL_Object **)&ia,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_PL_InfoAccess_GetMethod
+                        (ia, &method, plContext),
+                        PKIX_INFOACCESSGETMETHODFAILED);
+
+                if (method != PKIX_INFOACCESS_CA_ISSUERS &&
+                    method != PKIX_INFOACCESS_CA_REPOSITORY) {
+                    PKIX_DECREF(ia);
+                    continue;
+                }
+                
+                PKIX_CHECK(PKIX_PL_InfoAccess_GetLocationType
+                        (ia, &iaType, plContext),
+                        PKIX_INFOACCESSGETLOCATIONTYPEFAILED);
+
+                if (iaType == PKIX_INFOACCESS_LOCATION_HTTP) {
+			PKIX_CHECK(pkix_pl_AIAMgr_GetHTTPCerts
+				(aiaMgr, ia, &nbio, &certs, plContext),
+				PKIX_AIAMGRGETHTTPCERTSFAILED);
+                } else if (iaType == PKIX_INFOACCESS_LOCATION_LDAP) {
+			PKIX_CHECK(pkix_pl_AIAMgr_GetLDAPCerts
+				(aiaMgr, ia, &nbio, &certs, plContext),
+				PKIX_AIAMGRGETLDAPCERTSFAILED);
+                } else {
+                        /* We only support http and ldap requests. */
+			PKIX_ERROR(PKIX_UNKNOWNINFOACCESSTYPE);
+                }
+
+                if (nbio != NULL) { /* WOULDBLOCK */
+                        aiaMgr->aiaIndex = aiaIndex;
+                        *pNBIOContext = nbio;
+                        *pCerts = NULL;
+                        goto cleanup;
+                }
+
+                /*
+                 * We can't just use and modify the List we received.
+                 * Because it's cached, it's set immutable.
+                 */
+                if (aiaMgr->results == NULL) {
+                        PKIX_CHECK(PKIX_List_Create
+                                (&(aiaMgr->results), plContext),
+                                PKIX_LISTCREATEFAILED);
+                }
+                PKIX_CHECK(pkix_List_AppendList
+                        (aiaMgr->results, certs, plContext),
+                        PKIX_APPENDLISTFAILED);
+                PKIX_DECREF(certs);
+
+                PKIX_DECREF(ia);
+        }
+
+        PKIX_DECREF(aiaMgr->aia);
+
+        *pNBIOContext = NULL;
+        *pCerts = aiaMgr->results;
+        aiaMgr->results = NULL;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(aiaMgr->aia);
+                PKIX_DECREF(aiaMgr->results);
+                PKIX_DECREF(aiaMgr->client.ldapClient);
+        }
+
+        PKIX_DECREF(ia);
+
+        PKIX_RETURN(AIAMGR);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
new file mode 100644
index 000000000..4922ea76b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
@@ -0,0 +1,94 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_aiamgr.h
+ *
+ * AIAMgr Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_AIAMGR_H
+#define _PKIX_PL_AIAMGR_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_AIAMgrStruct {
+        /* pointer to cert cache */
+        /* pointer to crl cache */
+        PKIX_UInt32 method;
+        PKIX_UInt32 aiaIndex;
+        PKIX_UInt32 numAias;
+        PKIX_List *aia;
+        PKIX_PL_GeneralName *location;
+        PKIX_List *results;
+	union {
+	        PKIX_PL_LdapClient *ldapClient;
+		struct {
+		        const SEC_HttpClientFcn *httpClient;
+			SEC_HTTP_SERVER_SESSION serverSession;
+			SEC_HTTP_REQUEST_SESSION requestSession;
+			char *path;
+		} hdata;
+	} client;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_AIAMgr_RegisterSelf(void *plContext);
+
+PKIX_Error *PKIX_PL_LdapClient_InitiateRequest(
+        PKIX_PL_LdapClient *client,
+        LDAPRequestParams *requestParams,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext);
+
+PKIX_Error *PKIX_PL_LdapClient_ResumeRequest(
+        PKIX_PL_LdapClient *client,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_AIAMGR_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
new file mode 100755
index 000000000..2f6a55d50
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
@@ -0,0 +1,1332 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_colcertstore.c
+ *
+ * CollectionCertStore Function Definitions
+ *
+ */
+
+#include "pkix_pl_colcertstore.h"
+
+/*
+ * This Object is going to be taken out from libpkix SOON. The following
+ * function is copied from nss/cmd library, but not supported by NSS as
+ * public API. We use it since ColCertStore are read in Cert/Crl from
+ * files and need this support.
+ */
+
+static SECStatus
+SECU_FileToItem(SECItem *dst, PRFileDesc *src)
+{
+    PRFileInfo info;
+    PRInt32 numBytes;
+    PRStatus prStatus;
+
+    prStatus = PR_GetOpenFileInfo(src, &info);
+
+    if (prStatus != PR_SUCCESS) {
+        PORT_SetError(SEC_ERROR_IO);
+        return SECFailure;
+    }
+
+    /* XXX workaround for 3.1, not all utils zero dst before sending */
+    dst->data = 0;
+    if (!SECITEM_AllocItem(NULL, dst, info.size))
+        goto loser;
+
+    numBytes = PR_Read(src, dst->data, info.size);
+    if (numBytes != info.size) {
+        PORT_SetError(SEC_ERROR_IO);
+        goto loser;
+    }
+
+    return SECSuccess;
+loser:
+    SECITEM_FreeItem(dst, PR_FALSE);
+    return SECFailure;
+}
+
+static SECStatus
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
+{
+    SECStatus rv;
+    if (ascii) {
+        /* First convert ascii to binary */
+        SECItem filedata;
+        char *asc, *body;
+
+        /* Read in ascii data */
+        rv = SECU_FileToItem(&filedata, inFile);
+        asc = (char *)filedata.data;
+        if (!asc) {
+            fprintf(stderr, "unable to read data from input file\n");
+            return SECFailure;
+        }
+
+        /* check for headers and trailers and remove them */
+        if ((body = strstr(asc, "-----BEGIN")) != NULL) {
+            char *trailer = NULL;
+            asc = body;
+            body = PORT_Strchr(body, '\n');
+            if (!body)
+                body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
+            if (body)
+                trailer = strstr(++body, "-----END");
+            if (trailer != NULL) {
+                *trailer = '\0';
+            } else {
+                fprintf(stderr, "input has header but no trailer\n");
+                PORT_Free(filedata.data);
+                return SECFailure;
+            }
+        } else {
+            body = asc;
+        }
+     
+        /* Convert to binary */
+        rv = ATOB_ConvertAsciiToItem(der, body);
+        if (rv) {
+            return SECFailure;
+        }
+
+        PORT_Free(filedata.data);
+    } else {
+        /* Read in binary der */
+        rv = SECU_FileToItem(der, inFile);
+        if (rv) {
+            return SECFailure;
+        }
+    }
+    return SECSuccess;
+}
+
+/*
+ * FUNCTION: PKIX_PL_CollectionCertStoreContext_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CollectionCertStoreContext using the String pointed to
+ *  by "storeDir" and stores it at "pColCertStoreContext".
+ *
+ * PARAMETERS:
+ *  "storeDir"
+ *      The absolute path where *.crl and *.crt files are located.
+ *  "pColCertStoreContext"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_Create(
+        PKIX_PL_String *storeDir,
+        PKIX_PL_CollectionCertStoreContext **pColCertStoreContext,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_Create");
+        PKIX_NULLCHECK_TWO(storeDir, pColCertStoreContext);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_COLLECTIONCERTSTORECONTEXT_TYPE,
+                    sizeof (PKIX_PL_CollectionCertStoreContext),
+                    (PKIX_PL_Object **)&colCertStoreContext,
+                    plContext),
+                    PKIX_COULDNOTCREATECOLLECTIONCERTSTORECONTEXTOBJECT);
+
+        PKIX_INCREF(storeDir);
+        colCertStoreContext->storeDir = storeDir;
+
+        colCertStoreContext->crlList = NULL;
+        colCertStoreContext->certList = NULL;
+
+        *pColCertStoreContext = colCertStoreContext;
+        colCertStoreContext = NULL;
+
+cleanup:
+
+        PKIX_DECREF(colCertStoreContext);
+
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_COLLECTIONCERTSTORECONTEXT_TYPE, plContext),
+                    PKIX_OBJECTNOTCOLLECTIONCERTSTORECONTEXT);
+
+        colCertStoreContext = (PKIX_PL_CollectionCertStoreContext *)object;
+
+        PKIX_DECREF(colCertStoreContext->storeDir);
+        PKIX_DECREF(colCertStoreContext->crlList);
+        PKIX_DECREF(colCertStoreContext->certList);
+
+cleanup:
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *collectionCSContext = NULL;
+        PKIX_UInt32 tempHash = 0;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object,
+                    PKIX_COLLECTIONCERTSTORECONTEXT_TYPE,
+                    plContext),
+                    PKIX_OBJECTNOTCOLLECTIONCERTSTORECONTEXT);
+
+        collectionCSContext = (PKIX_PL_CollectionCertStoreContext *)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                    ((PKIX_PL_Object *) collectionCSContext->storeDir,
+                    &tempHash,
+                    plContext),
+                   PKIX_STRINGHASHCODEFAILED);
+
+        *pHashcode = tempHash << 7;
+
+        /* should not hash on crlList and certList, values are dynamic */
+
+cleanup:
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *firstCCSContext = NULL;
+        PKIX_PL_CollectionCertStoreContext *secondCCSContext = NULL;
+        PKIX_Boolean cmpResult = 0;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                    (firstObject,
+                    secondObject,
+                    PKIX_COLLECTIONCERTSTORECONTEXT_TYPE,
+                    plContext),
+                    PKIX_OBJECTNOTCOLLECTIONCERTSTORECONTEXT);
+
+        firstCCSContext = (PKIX_PL_CollectionCertStoreContext *)firstObject;
+        secondCCSContext = (PKIX_PL_CollectionCertStoreContext *)secondObject;
+
+        if (firstCCSContext->storeDir == secondCCSContext->storeDir) {
+
+                cmpResult = PKIX_TRUE;
+
+        } else {
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                    ((PKIX_PL_Object *) firstCCSContext->storeDir,
+                    (PKIX_PL_Object *) secondCCSContext->storeDir,
+                    &cmpResult,
+                    plContext),
+                    PKIX_STRINGEQUALSFAILED);
+        }
+
+        *pResult = cmpResult;
+
+        /* should not check equal on crlList and certList, data are dynamic */
+
+cleanup:
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStore_CheckTrust
+ * DESCRIPTION:
+ * This function checks the trust status of this "cert" that was retrieved
+ * from the CertStore "store" and returns its trust status at "pTrusted".
+ *
+ * PARAMETERS:
+ * "store"
+ *      Address of the CertStore. Must be non-NULL.
+ * "cert"
+ *      Address of the Cert. Must be non-NULL.
+ * "pTrusted"
+ *      Address of PKIX_Boolean where the "cert" trust status is returned.
+ *      Must be non-NULL.
+ * "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStore_CheckTrust(
+        PKIX_CertStore *store,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pTrusted,
+        void *plContext)
+{
+        PKIX_ENTER(CERTSTORE, "pkix_pl_CollectionCertStore_CheckTrust");
+        PKIX_NULLCHECK_THREE(store, cert, pTrusted);
+
+        *pTrusted = PKIX_TRUE;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_CreateCert
+ * DESCRIPTION:
+ *
+ *  Creates Cert using data file path name pointed to by "certFileName" and
+ *  stores it at "pCert". If the Cert can not be decoded, NULL is stored
+ *  at "pCert".
+ *
+ * PARAMETERS
+ *  "certFileName" - Address of Cert data file path name. Must be non-NULL.
+ *  "pCert" - Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_CreateCert(
+        const char *certFileName,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        PRFileDesc *inFile = NULL;
+        SECItem certDER;
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        SECStatus rv;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_CreateCert");
+        PKIX_NULLCHECK_TWO(certFileName, pCert);
+
+        *pCert = NULL;
+        certDER.data = NULL;
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_Open.\n");
+        inFile = PR_Open(certFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                PKIX_ERROR(PKIX_UNABLETOOPENCERTFILE);
+        } else {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling SECU_ReadDerFromFile.\n");
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)certDER.data;
+                        len = certDER.len;
+
+                        PKIX_CHECK(PKIX_PL_ByteArray_Create
+                                    (buf, len, &byteArray, plContext),
+                                    PKIX_BYTEARRAYCREATEFAILED);
+
+                        PKIX_CHECK(PKIX_PL_Cert_Create
+                                    (byteArray, &cert, plContext),
+                                    PKIX_CERTCREATEFAILED);
+
+                        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                ("\t\t Calling SECITEM_FreeItem.\n");
+                        SECITEM_FreeItem(&certDER, PR_FALSE);
+
+                } else {
+                        PKIX_ERROR(PKIX_UNABLETOREADDERFROMCERTFILE);
+                }
+        }
+
+        *pCert = cert;
+
+cleanup:
+        if (inFile){
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_CloseDir.\n");
+                PR_Close(inFile);
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&certDER, PR_FALSE);
+
+                PKIX_DECREF(cert);
+        }
+        PKIX_DECREF(byteArray);
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_CreateCRL
+ * DESCRIPTION:
+ *
+ *  Creates CRL using data file path name pointed to by "crlFileName" and
+ *  stores it at "pCrl". If the CRL can not be decoded, NULL is stored
+ *  at "pCrl".
+ *
+ * PARAMETERS
+ *  "crlFileName" - Address of CRL data file path name. Must be non-NULL.
+ *  "pCrl" - Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_CreateCRL(
+        const char *crlFileName,
+        PKIX_PL_CRL **pCrl,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+        PKIX_PL_CRL *crl = NULL;
+        PRFileDesc *inFile = NULL;
+        SECItem crlDER;
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        SECStatus rv;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_CreateCRL");
+        PKIX_NULLCHECK_TWO(crlFileName, pCrl);
+
+        *pCrl = NULL;
+        crlDER.data = NULL;
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_Open.\n");
+        inFile = PR_Open(crlFileName, PR_RDONLY, 0);
+
+        if (!inFile){
+                PKIX_ERROR(PKIX_UNABLETOOPENCRLFILE);
+        } else {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling SECU_ReadDerFromFile.\n");
+                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+                if (!rv){
+                        buf = (void *)crlDER.data;
+                        len = crlDER.len;
+
+                        PKIX_CHECK(PKIX_PL_ByteArray_Create
+                                (buf, len, &byteArray, plContext),
+                                PKIX_BYTEARRAYCREATEFAILED);
+
+                        PKIX_CHECK(PKIX_PL_CRL_Create
+                                (byteArray, &crl, plContext),
+                                PKIX_CRLCREATEFAILED);
+
+                        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                ("\t\t Calling SECITEM_FreeItem.\n");
+                        SECITEM_FreeItem(&crlDER, PR_FALSE);
+
+                } else {
+                        PKIX_ERROR(PKIX_UNABLETOREADDERFROMCRLFILE);
+                }
+        }
+
+        *pCrl = crl;
+
+cleanup:
+        if (inFile){
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_CloseDir.\n");
+                PR_Close(inFile);
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&crlDER, PR_FALSE);
+
+                PKIX_DECREF(crl);
+                if (crlDER.data != NULL) {
+                        SECITEM_FreeItem(&crlDER, PR_FALSE);
+                }
+        }
+
+        PKIX_DECREF(byteArray);
+
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_PopulateCert
+ * DESCRIPTION:
+ *
+ *  Create list of Certs from *.crt files at directory specified in dirName,
+ *  Not recursive to sub-directory. Also assume the directory contents are
+ *  not changed dynamically.
+ *
+ * PARAMETERS
+ *  "colCertStoreContext" - Address of CollectionCertStoreContext
+ *              where the dirName is specified and where the return
+ *              Certs are stored as a list. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - A lock at top level is required.
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_PopulateCert(
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext,
+        void *plContext)
+{
+        PKIX_List *certList = NULL;
+        PKIX_PL_Cert *certItem = NULL;
+        char *dirName = NULL;
+        char *prErrorText = NULL;
+        char *pathName = NULL;
+        PKIX_UInt32 dirNameLen = 0;
+        PRErrorCode prError = 0;
+        PRInt32 prErrorTextLen = 0;
+        PRDir *dir = NULL;
+        PRDirEntry *dirEntry = NULL;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_PopulateCert");
+        PKIX_NULLCHECK_ONE(colCertStoreContext);
+
+        /* convert directory to ascii */
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (colCertStoreContext->storeDir,
+                    PKIX_ESCASCII,
+                    (void **)&dirName,
+                    &dirNameLen,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        /* create cert list, if no cert file, should return an empty list */
+
+        PKIX_CHECK(PKIX_List_Create(&certList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        /* open directory and read in .crt files */
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_OpenDir.\n");
+        dir = PR_OpenDir(dirName);
+
+        if (!dir) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG_ARG
+                        ("\t\t Directory Name:%s\n", dirName);
+                PKIX_ERROR(PKIX_CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY);
+        }
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_ReadDir.\n");
+        dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH);
+
+        if (!dirEntry) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Empty directory.\n");
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetError.\n");
+                prError = PR_GetError();
+        }
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_SetError.\n");
+        PR_SetError(0, 0);
+
+        while (dirEntry != NULL && prError == 0) {
+                if (PL_strrstr(dirEntry->name, ".crt") ==
+                    dirEntry->name + PL_strlen(dirEntry->name) - 4) {
+
+                        PKIX_CHECK_ONLY_FATAL
+                                (PKIX_PL_Malloc
+                                (dirNameLen + PL_strlen(dirEntry->name) + 2,
+                                (void **)&pathName,
+                                plContext),
+                                PKIX_MALLOCFAILED);
+
+                        if ((!PKIX_ERROR_RECEIVED) && (pathName != NULL)){
+
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                    ("\t\t Calling PL_strcpy for dirName.\n");
+                                PL_strcpy(pathName, dirName);
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                    ("\t\t Calling PL_strcat for dirName.\n");
+                                PL_strcat(pathName, "/");
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                        ("\t\t Calling PL_strcat for /.\n");
+                                PL_strcat(pathName, dirEntry->name);
+
+                                PKIX_CHECK_ONLY_FATAL
+                                (pkix_pl_CollectionCertStoreContext_CreateCert
+                                    (pathName, &certItem, plContext),
+                              PKIX_COLLECTIONCERTSTORECONTEXTCREATECERTFAILED);
+
+                                if (!PKIX_ERROR_RECEIVED){
+                                        PKIX_CHECK_ONLY_FATAL
+                                                (PKIX_List_AppendItem
+                                                (certList,
+                                                (PKIX_PL_Object *)certItem,
+                                                plContext),
+                                                PKIX_LISTAPPENDITEMFAILED);
+                                }
+                        }
+
+                        PKIX_DECREF(certItem);
+                        PKIX_FREE(pathName);
+                }
+
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_SetError.\n");
+                PR_SetError(0, 0);
+
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_ReadDir.\n");
+                dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH);
+
+                if (!dirEntry) {
+                    PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetError.\n");
+                    prError = PR_GetError();
+                }
+        }
+
+        if ((prError != 0) && (prError != PR_NO_MORE_FILES_ERROR)) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetErrorText.\n");
+                prErrorTextLen = PR_GetErrorText(prErrorText);
+                /* PKIX_ERROR(prErrorText); */
+                pkixErrorReceived = PKIX_TRUE;
+                pkixErrorMsg = prErrorText;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(certList, plContext),
+                    PKIX_LISTSETIMMUTABLEFAILED);
+
+        PKIX_INCREF(certList);
+        colCertStoreContext->certList = certList;
+
+cleanup:
+        if (dir) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_CloseDir.\n");
+                PR_CloseDir(dir);
+        }
+
+        PKIX_FREE(prErrorText);
+        PKIX_FREE(pathName);
+        PKIX_FREE(dirName);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(certList);
+        }
+
+        PKIX_DECREF(certItem);
+        PKIX_DECREF(certList);
+
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_PopulateCRL
+ * DESCRIPTION:
+ *
+ *  Create list of CRLs from *.crl files at directory specified in dirName,
+ *  Not recursive to sub-dirctory. Also assume the directory contents are
+ *  not changed dynamically.
+ *
+ * PARAMETERS
+ *  "colCertStoreContext" - Address of CollectionCertStoreContext
+ *              where the dirName is specified and where the return
+ *              CRLs are stored as a list. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - A lock at top level is required.
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_PopulateCRL(
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext,
+        void *plContext)
+{
+        PKIX_List *crlList = NULL;
+        PKIX_PL_CRL *crlItem = NULL;
+        char *dirName = NULL;
+        char *prErrorText = NULL;
+        char *pathName = NULL;
+        PKIX_UInt32 dirNameLen = 0;
+        PRErrorCode prError = 0;
+        PRInt32 prErrorTextLen = 0;
+        PRDir *dir = NULL;
+        PRDirEntry *dirEntry = NULL;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_PopulateCRL");
+        PKIX_NULLCHECK_ONE(colCertStoreContext);
+
+        /* convert directory to ascii */
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (colCertStoreContext->storeDir,
+                    PKIX_ESCASCII,
+                    (void **)&dirName,
+                    &dirNameLen,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        /* create CRL list, if no CRL file, should return an empty list */
+
+        PKIX_CHECK(PKIX_List_Create(&crlList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        /* open directory and read in .crl files */
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_OpenDir.\n");
+        dir = PR_OpenDir(dirName);
+
+        if (!dir) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG_ARG
+                        ("\t\t Directory Name:%s\n", dirName);
+                PKIX_ERROR(PKIX_CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY);
+        }
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_ReadDir.\n");
+        dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH);
+
+        if (!dirEntry) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Empty directory.\n");
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetError.\n");
+                prError = PR_GetError();
+        }
+
+        PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG("\t\t Calling PR_SetError.\n");
+        PR_SetError(0, 0);
+
+        while (dirEntry != NULL && prError == 0) {
+                if (PL_strrstr(dirEntry->name, ".crl") ==
+                    dirEntry->name + PL_strlen(dirEntry->name) - 4) {
+
+                        PKIX_CHECK_ONLY_FATAL
+                                (PKIX_PL_Malloc
+                                (dirNameLen + PL_strlen(dirEntry->name) + 2,
+                                (void **)&pathName,
+                                plContext),
+                                PKIX_MALLOCFAILED);
+
+                        if ((!PKIX_ERROR_RECEIVED) && (pathName != NULL)){
+
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                    ("\t\t Calling PL_strcpy for dirName.\n");
+                                PL_strcpy(pathName, dirName);
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                    ("\t\t Calling PL_strcat for dirName.\n");
+                                PL_strcat(pathName, "/");
+                                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                                        ("\t\t Calling PL_strcat for /.\n");
+                                PL_strcat(pathName, dirEntry->name);
+
+                        PKIX_CHECK_ONLY_FATAL
+                                (pkix_pl_CollectionCertStoreContext_CreateCRL
+                                (pathName, &crlItem, plContext),
+                                PKIX_COLLECTIONCERTSTORECONTEXTCREATECRLFAILED);
+
+                                if (!PKIX_ERROR_RECEIVED){
+                                        PKIX_CHECK_ONLY_FATAL
+                                                (PKIX_List_AppendItem
+                                                (crlList,
+                                                (PKIX_PL_Object *)crlItem,
+                                                plContext),
+                                                PKIX_LISTAPPENDITEMFAILED);
+                                }
+                        }
+
+                        PKIX_DECREF(crlItem);
+                        PKIX_FREE(pathName);
+                }
+
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_SetError.\n");
+                PR_SetError(0, 0);
+
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_ReadDir.\n");
+                dirEntry = PR_ReadDir(dir, PR_SKIP_HIDDEN | PR_SKIP_BOTH);
+
+                if (!dirEntry) {
+                    PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetError.\n");
+                    prError = PR_GetError();
+                }
+        }
+
+        if ((prError != 0) && (prError != PR_NO_MORE_FILES_ERROR)) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_GetErrorText.\n");
+                prErrorTextLen = PR_GetErrorText(prErrorText);
+
+                /* PKIX_ERROR(prErrorText); */
+                pkixErrorReceived = PKIX_TRUE;
+                pkixErrorMsg = prErrorText;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_List_SetImmutable(crlList, plContext),
+                    PKIX_LISTSETIMMUTABLEFAILED);
+
+        PKIX_INCREF(crlList);
+        colCertStoreContext->crlList = crlList;
+
+cleanup:
+        if (dir) {
+                PKIX_COLLECTIONCERTSTORECONTEXT_DEBUG
+                        ("\t\t Calling PR_CloseDir.\n");
+                PR_CloseDir(dir);
+        }
+
+        PKIX_FREE(prErrorText);
+        PKIX_FREE(pathName);
+        PKIX_FREE(dirName);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(crlList);
+        }
+
+        PKIX_DECREF(crlItem);
+        PKIX_DECREF(crlList);
+
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_GetSelectedCert
+ * DESCRIPTION:
+ *
+ *  Finds the Certs that match the criterion of the CertSelector pointed
+ *  to by "selector" using the List of Certs pointed to by "certList" and
+ *  stores the matching Certs at "pSelectedCertList".
+ *
+ *  Not recursive to sub-directory.
+ *
+ * PARAMETERS
+ *  "certList" - Address of List of Certs to be searched. Must be non-NULL.
+ *  "colCertStoreContext" - Address of CollectionCertStoreContext
+ *              where the cached Certs are stored.
+ *  "selector" - CertSelector for chosing Cert based on Params set
+ *  "pSelectedCertList" - Certs that qualified by selector.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - A lock at top level is required.
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_GetSelectedCert(
+        PKIX_List *certList,
+        PKIX_CertSelector *selector,
+        PKIX_List **pSelectedCertList,
+        void *plContext)
+{
+        PKIX_List *selectCertList = NULL;
+        PKIX_PL_Cert *certItem = NULL;
+        PKIX_CertSelector_MatchCallback certSelectorMatch = NULL;
+        PKIX_Boolean pass = PKIX_TRUE;
+        PKIX_UInt32 numCerts = 0;
+        PKIX_UInt32 i = 0;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_GetSelectedCert");
+        PKIX_NULLCHECK_THREE(certList, selector, pSelectedCertList);
+
+        PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                    (selector, &certSelectorMatch, plContext),
+                    PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(certList, &numCerts, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        if (certSelectorMatch) {
+
+                PKIX_CHECK(PKIX_List_Create(&selectCertList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                for (i = 0; i < numCerts; i++) {
+                        PKIX_CHECK_ONLY_FATAL
+                                (PKIX_List_GetItem
+                                (certList,
+                                i,
+                                (PKIX_PL_Object **) &certItem,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        if (!PKIX_ERROR_RECEIVED){
+                                PKIX_CHECK_ONLY_FATAL
+                                        (certSelectorMatch
+                                        (selector, certItem, &pass, plContext),
+                                        PKIX_CERTSELECTORMATCHFAILED);
+
+                                if (!PKIX_ERROR_RECEIVED && pass){
+                                        PKIX_CHECK_ONLY_FATAL
+                                                (PKIX_List_AppendItem
+                                                (selectCertList,
+                                                (PKIX_PL_Object *)certItem,
+                                                plContext),
+                                                PKIX_LISTAPPENDITEMFAILED);
+                                }
+                        }
+
+                        PKIX_DECREF(certItem);
+                }
+
+        } else {
+
+                PKIX_INCREF(certList);
+
+                selectCertList = certList;
+        }
+
+        *pSelectedCertList = selectCertList;
+
+cleanup:
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_GetSelectedCRL
+ * DESCRIPTION:
+ *
+ *  Finds the CRLs that match the criterion of the CRLSelector pointed
+ *  to by "selector" using the List of CRLs pointed to by "crlList" and
+ *  stores the matching CRLs at "pSelectedCrlList".
+ *
+ *  Not recursive to sub-directory.
+ *
+ * PARAMETERS
+ *  "crlList" - Address of List of CRLs to be searched. Must be non-NULL
+ *  "selector" - CRLSelector for chosing CRL based on Params set
+ *  "pSelectedCrlList" - CRLs that qualified by selector.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - A lock at top level is required.
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CollectionCertStoreContext Error if the function fails in
+ *              a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CollectionCertStoreContext_GetSelectedCRL(
+        PKIX_List *crlList,
+        PKIX_CRLSelector *selector,
+        PKIX_List **pSelectedCrlList,
+        void *plContext)
+{
+        PKIX_List *selectCrlList = NULL;
+        PKIX_PL_CRL *crlItem = NULL;
+        PKIX_CRLSelector_MatchCallback crlSelectorMatch = NULL;
+        PKIX_UInt32 numCrls = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_GetSelectedCRL");
+        PKIX_NULLCHECK_THREE(crlList, selector, pSelectedCrlList);
+
+        PKIX_CHECK(PKIX_CRLSelector_GetMatchCallback
+                    (selector, &crlSelectorMatch, plContext),
+                    PKIX_CRLSELECTORGETMATCHCALLBACKFAILED);
+
+        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        if (crlSelectorMatch) {
+
+                PKIX_CHECK(PKIX_List_Create(&selectCrlList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                for (i = 0; i < numCrls; i++) {
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_GetItem
+                                (crlList,
+                                i,
+                                (PKIX_PL_Object **) &crlItem,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        if (!PKIX_ERROR_RECEIVED){
+                                PKIX_CHECK_ONLY_FATAL
+                                        (crlSelectorMatch
+                                        (selector, crlItem, &match, plContext),
+                                        PKIX_CRLSELECTORMATCHFAILED);
+
+                                if (!(PKIX_ERROR_RECEIVED) && match) {
+                                        PKIX_CHECK_ONLY_FATAL
+                                                (PKIX_List_AppendItem
+                                                (selectCrlList,
+                                                (PKIX_PL_Object *)crlItem,
+                                                plContext),
+                                                PKIX_LISTAPPENDITEMFAILED);
+                                }
+                        }
+
+                        PKIX_DECREF(crlItem);
+                }
+        } else {
+
+                PKIX_INCREF(crlList);
+
+                selectCrlList = crlList;
+        }
+
+        /* Don't throw away the list if one CRL was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        *pSelectedCrlList = selectCrlList;
+
+cleanup:
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStore_GetCert
+ * DESCRIPTION:
+ *
+ *  Retrieve Certs in a list of PKIX_PL_Cert object.
+ *
+ * PARAMETERS:
+ *  "colCertStoreContext"
+ *      The object CertStore is the object passed in by checker call.
+ *  "crlSelector"
+ *      CRLSelector specifies criteria for chosing CRL's
+ *  "pNBIOContext"
+ *      Address where platform-dependent information is returned for CertStores
+ *      that use non-blocking I/O. Must be non-NULL.
+ *  "pCertList"
+ *      Address where object pointer will be returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CollectionCertStore_GetCert(
+        PKIX_CertStore *certStore,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
+        PKIX_List *selectedCerts = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_CollectionCertStore_GetCert");
+        PKIX_NULLCHECK_FOUR(certStore, selector, pNBIOContext, pCerts);
+
+        *pNBIOContext = NULL;   /* We don't use non-blocking I/O */
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                    (certStore,
+                    (PKIX_PL_Object **) &colCertStoreContext,
+                    plContext),
+                    PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (colCertStoreContext->certList == NULL) {
+
+                PKIX_OBJECT_LOCK(colCertStoreContext);
+
+                /*
+                 * Certs in the directory are cached based on the
+                 * assumption that the directory contents won't be
+                 * changed dynamically.
+                 */
+                if (colCertStoreContext->certList == NULL){
+                    PKIX_CHECK(pkix_pl_CollectionCertStoreContext_PopulateCert
+                            (colCertStoreContext, plContext),
+                            PKIX_COLLECTIONCERTSTORECONTEXTPOPULATECERTFAILED);
+                }
+
+                PKIX_OBJECT_UNLOCK(colCertStoreContext);
+        }
+
+        PKIX_CHECK(pkix_pl_CollectionCertStoreContext_GetSelectedCert
+                    (colCertStoreContext->certList,
+                    selector,
+                    &selectedCerts,
+                    plContext),
+                    PKIX_COLLECTIONCERTSTORECONTEXTGETSELECTCERTFAILED);
+
+        *pCerts = selectedCerts;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_DECREF(colCertStoreContext);
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStore_GetCRL
+ * DESCRIPTION:
+ *
+ *  Retrieve CRL's in a list of PKIX_PL_CRL object.
+ *
+ * PARAMETERS:
+ *  "colCertStoreContext"
+ *      The object CertStore is passed in by checker call.
+ *  "crlSelector"
+ *      CRLSelector specifies criteria for chosing CRL's
+ *  "pNBIOContext"
+ *      Address where platform-dependent information is returned for CertStores
+ *      that use non-blocking I/O. Must be non-NULL.
+ *  "pCrlList"
+ *      Address where object pointer will be returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CollectionCertStore_GetCRL(
+        PKIX_CertStore *certStore,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
+        PKIX_List *selectCrl = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_CollectionCertStore_GetCRL");
+        PKIX_NULLCHECK_FOUR(certStore, selector, pNBIOContext, pCrlList);
+
+        *pNBIOContext = NULL;   /* We don't use non-blocking I/O */
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                    (certStore,
+                    (PKIX_PL_Object **) &colCertStoreContext,
+                    plContext),
+                    PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (colCertStoreContext->crlList == NULL) {
+
+                PKIX_OBJECT_LOCK(colCertStoreContext);
+
+                /*
+                 * CRLs in the directory are cached based on the
+                 * assumption that the directory contents won't be
+                 * changed dynamically.
+                 */
+                if (colCertStoreContext->crlList == NULL){
+                    PKIX_CHECK(pkix_pl_CollectionCertStoreContext_PopulateCRL
+                            (colCertStoreContext, plContext),
+                            PKIX_COLLECTIONCERTSTORECONTEXTPOPULATECRLFAILED);
+                }
+
+                PKIX_OBJECT_UNLOCK(colCertStoreContext);
+
+        }
+
+        PKIX_CHECK(pkix_pl_CollectionCertStoreContext_GetSelectedCRL
+                    (colCertStoreContext->crlList,
+                    selector,
+                    &selectCrl,
+                    plContext),
+                    PKIX_COLLECTIONCERTSTORECONTEXTGETSELECTCRLFAILED);
+
+        *pCrlList = selectCrl;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_DECREF(colCertStoreContext);
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_CollectionCertStoreContext_RegisterSelf
+ * DESCRIPTION:
+ *
+ *  Registers PKIX_PL_COLLECTIONCERTSTORECONTEXT_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CollectionCertStoreContext_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(COLLECTIONCERTSTORECONTEXT,
+                    "pkix_pl_CollectionCertStoreContext_RegisterSelf");
+
+        entry.description = "CollectionCertStoreContext";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CollectionCertStoreContext);
+        entry.destructor = pkix_pl_CollectionCertStoreContext_Destroy;
+        entry.equalsFunction = pkix_pl_CollectionCertStoreContext_Equals;
+        entry.hashcodeFunction = pkix_pl_CollectionCertStoreContext_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_COLLECTIONCERTSTORECONTEXT_TYPE] = entry;
+
+        PKIX_RETURN(COLLECTIONCERTSTORECONTEXT);
+}
+
+/* --Public-CollectionCertStoreContext-Functions--------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_CollectionCertStore_Create
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_CollectionCertStore_Create(
+        PKIX_PL_String *storeDir,
+        PKIX_CertStore **pCertStore,
+        void *plContext)
+{
+        PKIX_PL_CollectionCertStoreContext *colCertStoreContext = NULL;
+        PKIX_CertStore *certStore = NULL;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_PL_CollectionCertStore_Create");
+        PKIX_NULLCHECK_TWO(storeDir, pCertStore);
+
+        PKIX_CHECK(pkix_pl_CollectionCertStoreContext_Create
+                    (storeDir, &colCertStoreContext, plContext),
+                    PKIX_COULDNOTCREATECOLLECTIONCERTSTORECONTEXTOBJECT);
+
+        PKIX_CHECK(PKIX_CertStore_Create
+                    (pkix_pl_CollectionCertStore_GetCert,
+                    pkix_pl_CollectionCertStore_GetCRL,
+                    NULL, /* GetCertContinue */
+                    NULL, /* GetCRLContinue */
+                    pkix_pl_CollectionCertStore_CheckTrust,
+                    (PKIX_PL_Object *)colCertStoreContext,
+                    PKIX_TRUE, /* cache flag */
+                    PKIX_TRUE, /* local - no network I/O */
+                    &certStore,
+                    plContext),
+                    PKIX_CERTSTORECREATEFAILED);
+
+        PKIX_DECREF(colCertStoreContext);
+
+        *pCertStore = certStore;
+
+cleanup:
+        PKIX_RETURN(CERTSTORE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.h
new file mode 100755
index 000000000..4e837f752
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.h
@@ -0,0 +1,67 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_colcertstore.h
+ *
+ * CollectionCertstore Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_COLCERTSTORE_H
+#define _PKIX_PL_COLCERTSTORE_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_CollectionCertStoreContext {
+        PKIX_PL_String *storeDir;
+        PKIX_List *crlList;
+        PKIX_List *certList;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_CollectionCertStoreContext_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_COLCERTSTORE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c
new file mode 100755
index 000000000..19777d6fe
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.c
@@ -0,0 +1,458 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ekuchecker.c
+ *
+ * User Defined ExtenedKeyUsage Function Definitions
+ *
+ */
+
+#include "pkix_pl_ekuchecker.h"
+
+char *ekuOidStrings[] = {
+        "1.3.6.1.5.5.7.3.1",    /* id-kp-serverAuth */
+        "1.3.6.1.5.5.7.3.2",    /* id-kp-clientAuth */
+        "1.3.6.1.5.5.7.3.3",    /* id-kp-codeSigning */
+        "1.3.6.1.5.5.7.3.4",    /* id-kp-emailProtection */
+        "1.3.6.1.5.5.7.3.8",    /* id-kp-timeStamping */
+        "1.3.6.1.5.5.7.3.9",    /* id-kp-OCSPSigning */
+        NULL
+};
+
+#define CERTUSAGE_NONE (-1)
+
+PKIX_Int32 ekuCertUsages[] = {
+        1<<certUsageSSLServer,
+        1<<certUsageSSLClient,
+        1<<certUsageObjectSigner,
+        1<<certUsageEmailRecipient | 1<<certUsageEmailSigner,
+        CERTUSAGE_NONE,
+        1<<certUsageStatusResponder
+};
+
+/*
+ * FUNCTION: pkix_pl_EkuChecker_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_EkuChecker_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        pkix_pl_EkuChecker *ekuCheckerState = NULL;
+
+        PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_EKUCHECKER_TYPE, plContext),
+                    PKIX_OBJECTNOTANEKUCHECKERSTATE);
+
+        ekuCheckerState = (pkix_pl_EkuChecker *)object;
+
+        PKIX_DECREF(ekuCheckerState->ekuOID);
+
+cleanup:
+
+        PKIX_RETURN(EKUCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_pl_EkuChecker_GetRequiredEku
+ *
+ * DESCRIPTION:
+ *  This function retrieves application specified ExtenedKeyUsage(s) from
+ *  ComCertSetparams and converts its OID representations to SECCertUsageEnum.
+ *  The result is stored and returned in bit mask at "pRequiredExtKeyUsage".
+ *
+ * PARAMETERS
+ *  "certSelector"
+ *      a PKIX_CertSelector links to PKIX_ComCertSelParams where a list of
+ *      Extended Key Usage OIDs specified by application can be retrieved for
+ *      verification. Must be non-NULL.
+ *  "pRequiredExtKeyUsage"
+ *      Address where the result is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a UserDefinedModules Error if the function fails in a non-fatal
+ *  way.
+ *  Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_pl_EkuChecker_GetRequiredEku(
+        PKIX_CertSelector *certSelector,
+        PKIX_UInt32 *pRequiredExtKeyUsage,
+        void *plContext)
+{
+        PKIX_ComCertSelParams *comCertSelParams = NULL;
+        PKIX_List *supportedOids = NULL;
+        PKIX_List *requiredOid = NULL;
+        PKIX_UInt32 requiredExtKeyUsage = 0;
+        PKIX_UInt32 numItems = 0;
+        PKIX_PL_OID *ekuOid = NULL;
+        PKIX_UInt32 i;
+        PKIX_Boolean isContained = PKIX_FALSE;
+
+        PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_GetRequiredEku");
+        PKIX_NULLCHECK_TWO(certSelector, pRequiredExtKeyUsage);
+
+        /* Get initial EKU OIDs from ComCertSelParams, if set */
+        PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                    (certSelector, &comCertSelParams, plContext),
+                    PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+
+        if (comCertSelParams != NULL) {
+
+                PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
+                        (comCertSelParams, &requiredOid, plContext),
+                        PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
+
+        }
+
+        /* Map application specified EKU OIDs to NSS SECCertUsageEnum */
+
+        if (requiredOid != NULL) {
+
+            PKIX_CHECK(PKIX_List_Create(&supportedOids, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+            /* Create a supported OIDs list */
+            i = 0;
+            while (ekuOidStrings[i] != NULL) {
+
+                    PKIX_CHECK(PKIX_PL_OID_Create
+                                (ekuOidStrings[i],
+                                &ekuOid,
+                                plContext),
+                                PKIX_OIDCREATEFAILED);
+
+                    PKIX_CHECK(PKIX_List_AppendItem
+                                (supportedOids,
+                                (PKIX_PL_Object *)ekuOid,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                    PKIX_DECREF(ekuOid);
+                    i++;
+            }
+
+            /* Map from OID's to SECCertUsageEnum */
+            PKIX_CHECK(PKIX_List_GetLength
+                        (supportedOids, &numItems, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+            for (i = 0; i < numItems; i++) {
+
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (supportedOids,
+                        i,
+                        (PKIX_PL_Object **)&ekuOid,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                    PKIX_CHECK(pkix_List_Contains
+                        (requiredOid,
+                        (PKIX_PL_Object *)ekuOid,
+                        &isContained,
+                        plContext),
+                        PKIX_LISTCONTAINSFAILED);
+
+                    PKIX_DECREF(ekuOid);
+
+                    if (isContained == PKIX_TRUE &&
+                        ekuCertUsages[i] != CERTUSAGE_NONE) {
+
+                            requiredExtKeyUsage |= ekuCertUsages[i];
+                    }
+            }
+        }
+
+        *pRequiredExtKeyUsage = requiredExtKeyUsage;
+
+cleanup:
+
+        PKIX_DECREF(ekuOid);
+        PKIX_DECREF(requiredOid);
+        PKIX_DECREF(supportedOids);
+        PKIX_DECREF(comCertSelParams);
+
+        PKIX_RETURN(EKUCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_EkuChecker_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new Extend Key Usage CheckerState using "params" to retrieve
+ *  application specified EKU for verification and stores it at "pState".
+ *
+ * PARAMETERS:
+ *  "params"
+ *      a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of
+ *      Extended Key Usage OIDs specified by application can be retrieved for
+ *      verification.
+ *  "pState"
+ *      Address where state pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a UserDefinedModules Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_EkuChecker_Create(
+        PKIX_ProcessingParams *params,
+        pkix_pl_EkuChecker **pState,
+        void *plContext)
+{
+        pkix_pl_EkuChecker *state = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        PKIX_UInt32 requiredExtKeyUsage = 0;
+
+        PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Create");
+        PKIX_NULLCHECK_TWO(params, pState);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_EKUCHECKER_TYPE,
+                    sizeof (pkix_pl_EkuChecker),
+                    (PKIX_PL_Object **)&state,
+                    plContext),
+                    PKIX_COULDNOTCREATEEKUCHECKERSTATEOBJECT);
+
+
+        PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
+                    (params, &certSelector, plContext),
+                    PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+
+        if (certSelector != NULL) {
+
+                PKIX_CHECK(pkix_pl_EkuChecker_GetRequiredEku
+                            (certSelector, &requiredExtKeyUsage, plContext),
+                            PKIX_EKUCHECKERGETREQUIREDEKUFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_OID_Create
+                    (PKIX_EXTENDEDKEYUSAGE_OID,
+                    &state->ekuOID,
+                    plContext),
+                    PKIX_OIDCREATEFAILED);
+
+        state->requiredExtKeyUsage = requiredExtKeyUsage;
+
+        *pState = state;
+        state = NULL;
+
+cleanup:
+
+        PKIX_DECREF(certSelector);
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(EKUCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_pl_EkuChecker_Check
+ * DESCRIPTION:
+ *
+ *  This function determines the Extended Key Usage OIDs specified by the
+ *  application is included in the Extended Key Usage OIDs of this "cert".
+ *
+ * PARAMETERS:
+ *  "checker"
+ *      Address of CertChainChecker which has the state data.
+ *      Must be non-NULL.
+ *  "cert"
+ *      Address of Certificate that is to be validated. Must be non-NULL.
+ *  "unresolvedCriticalExtensions"
+ *      A List OIDs. The OID for Extended Key Usage is removed.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a UserDefinedModules Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_EkuChecker_Check(
+        PKIX_CertChainChecker *checker,
+        PKIX_PL_Cert *cert,
+        PKIX_List *unresolvedCriticalExtensions,
+        void **pNBIOContext,
+        void *plContext)
+{
+        pkix_pl_EkuChecker *state = NULL;
+        PKIX_Boolean checkPassed = PKIX_TRUE;
+
+        PKIX_ENTER(EKUCHECKER, "pkix_pl_EkuChecker_Check");
+        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+        *pNBIOContext = NULL; /* no non-blocking IO */
+
+        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+                    (checker, (PKIX_PL_Object **)&state, plContext),
+                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+        if (state->requiredExtKeyUsage != 0) {
+
+                PKIX_CHECK(pkix_pl_Cert_CheckExtendedKeyUsage
+                        (cert,
+                        state->requiredExtKeyUsage,
+                        &checkPassed,
+                        plContext),
+                        PKIX_CERTCHECKEXTENDEDKEYUSAGEFAILED);
+
+                if (checkPassed == PKIX_FALSE) {
+                        PKIX_ERROR(PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
+                }
+
+        }
+
+cleanup:
+
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(EKUCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_pl_EkuChecker_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_EkuChecker_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER
+            (EKUCHECKER,
+                "pkix_pl_EkuChecker_RegisterSelf");
+
+        entry.description = "EkuChecker";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(pkix_pl_EkuChecker);
+        entry.destructor = pkix_pl_EkuChecker_Destroy,
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_EKUCHECKER_TYPE] = entry;
+
+        PKIX_RETURN(EKUCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_pl_EkuChecker_Initialize
+ * (see comments in pkix_sample_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_EkuChecker_Create(
+        PKIX_ProcessingParams *params,
+        void *plContext)
+{
+        PKIX_CertChainChecker *checker = NULL;
+        pkix_pl_EkuChecker *state = NULL;
+        PKIX_List *critExtOIDsList = NULL;
+
+        PKIX_ENTER(EKUCHECKER, "PKIX_PL_EkuChecker_Initialize");
+        PKIX_NULLCHECK_ONE(params);
+
+        /*
+         * This function and functions in this file provide an example of how
+         * an application defined checker can be hooked into libpkix.
+         */
+
+        PKIX_CHECK(pkix_pl_EkuChecker_Create
+                    (params, &state, plContext),
+                    PKIX_EKUCHECKERSTATECREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&critExtOIDsList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                    (critExtOIDsList,
+                    (PKIX_PL_Object *)state->ekuOID,
+                    plContext),
+                    PKIX_LISTAPPENDITEMFAILED);
+
+        PKIX_CHECK(PKIX_CertChainChecker_Create
+                (pkix_pl_EkuChecker_Check,
+                PKIX_TRUE,                 /* forwardCheckingSupported */
+                PKIX_FALSE,                /* forwardDirectionExpected */
+                critExtOIDsList,
+                (PKIX_PL_Object *) state,
+                &checker,
+                plContext),
+                PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+        PKIX_CHECK(PKIX_ProcessingParams_AddCertChainChecker
+                    (params, checker, plContext),
+                    PKIX_PROCESSINGPARAMSADDCERTCHAINCHECKERFAILED);
+
+cleanup:
+
+        PKIX_DECREF(critExtOIDsList);
+        PKIX_DECREF(checker);
+        PKIX_DECREF(state);
+
+        PKIX_RETURN(EKUCHECKER);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h
new file mode 100755
index 000000000..01bb71fd1
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ekuchecker.h
@@ -0,0 +1,67 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ekuchecker.h
+ *
+ * User Defined Object Type Extended Key Usage Definition
+ *
+ */
+
+#ifndef _PKIX_PL_EKUCHECKER_H
+#define _PKIX_PL_EKUCHECKER_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_pl_EkuChecker pkix_pl_EkuChecker;
+
+struct pkix_pl_EkuChecker {
+        PKIX_UInt32 requiredExtKeyUsage;
+        PKIX_PL_OID *ekuOID;
+};
+
+/* see source file for function documentation */
+PKIX_Error *pkix_pl_EkuChecker_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_EKUCHECKER_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
new file mode 100755
index 000000000..8739b9b5a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
@@ -0,0 +1,1207 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_httpcertstore.c
+ *
+ * HTTPCertStore Function Definitions
+ *
+ */
+
+/* We can't decode the length of a message without at least this many bytes */
+
+#include "pkix_pl_httpcertstore.h"
+extern PKIX_PL_HashTable *httpSocketCache;
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
+/* SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
+
+const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTIssuerAndSN) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTIssuerAndSN,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTIssuerAndSN,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTIssuerAndSN,serialNumber) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+}; */
+
+/* --Private-HttpCertStoreContext-Object Functions----------------------- */
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStoreContext_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_HttpCertStoreContext_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *context = NULL;
+
+        PKIX_ENTER
+                (HTTPCERTSTORECONTEXT, "pkix_pl_HttpCertStoreContext_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_HTTPCERTSTORECONTEXT_TYPE, plContext),
+                    PKIX_OBJECTNOTANHTTPCERTSTORECONTEXT);
+
+        context = (PKIX_PL_HttpCertStoreContext *)object;
+
+        hcv1 = (const SEC_HttpClientFcnV1 *)(context->client);
+
+        if (context->requestSession != NULL) {
+                PKIX_PL_NSSCALL(HTTPCERTSTORECONTEXT, hcv1->freeFcn,
+                        (context->requestSession));
+                context->requestSession = NULL;
+        }
+
+        if (context->serverSession != NULL) {
+                PKIX_PL_NSSCALL(HTTPCERTSTORECONTEXT, hcv1->freeSessionFcn,
+                        (context->serverSession));
+                context->serverSession = NULL;
+        }
+
+        if (context->path != NULL) {
+                PKIX_PL_NSSCALL
+                        (HTTPCERTSTORECONTEXT, PORT_Free, (context->path));
+                context->path = NULL;
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStoreContext_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_HttpCertStoreContext_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER
+                (HTTPCERTSTORECONTEXT,
+                "pkix_pl_HttpCertStoreContext_RegisterSelf");
+
+        entry.description = "HttpCertStoreContext";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_HttpCertStoreContext);
+        entry.destructor = pkix_pl_HttpCertStoreContext_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_HTTPCERTSTORECONTEXT_TYPE] = entry;
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+}
+
+
+/* --Private-Http-CertStore-Database-Functions----------------------- */
+
+typedef struct callbackContextStruct  {
+        PKIX_List  *pkixCertList;
+        PKIX_Error *error;
+        void       *plContext;
+} callbackContext;
+
+
+/*
+ * FUNCTION: certCallback
+ * DESCRIPTION:
+ *
+ *  This function processes the null-terminated array of SECItems produced by
+ *  extracting the contents of a signedData message received in response to an
+ *  HTTP cert query. Its address is supplied as a callback function to
+ *  CERT_DecodeCertPackage; it is not expected to be called directly.
+ *
+ *  Note that it does not conform to the libpkix API standard of returning
+ *  a PKIX_Error*. It returns a SECStatus.
+ *
+ * PARAMETERS:
+ *  "arg"
+ *      The address of the callbackContext provided as a void* argument to
+ *      CERT_DecodeCertPackage. Must be non-NULL.
+ *  "secitemCerts"
+ *      The address of the null-terminated array of SECItems. Must be non-NULL.
+ *  "numcerts"
+ *      The number of SECItems found in the signedData. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns SECSuccess if the function succeeds.
+ *  Returns SECFailure if the function fails.
+ */
+static SECStatus
+certCallback(void *arg, SECItem **secitemCerts, int numcerts)
+{
+        callbackContext *cbContext;
+        PKIX_List *pkixCertList = NULL;
+        PKIX_Error *error = NULL;
+        void *plContext = NULL;
+        int itemNum = 0;
+
+        if ((arg == NULL) || (secitemCerts == NULL)) {
+                return (SECFailure);
+        }
+
+        cbContext = (callbackContext *)arg;
+        plContext = cbContext->plContext;
+        pkixCertList = cbContext->pkixCertList;
+
+        for (; itemNum < numcerts; itemNum++ ) {
+                error = pkix_pl_Cert_CreateToList(secitemCerts[itemNum],
+                                                  pkixCertList, plContext);
+                if (error != NULL) {
+                    if (error->errClass == PKIX_FATAL_ERROR) {
+                        cbContext->error = error;
+                        return SECFailure;
+                    } 
+                    /* reuse "error" since we could not destruct the old *
+                     * value */
+                    error = PKIX_PL_Object_DecRef((PKIX_PL_Object *)error,
+                                                        plContext);
+                    if (error) {
+                        /* Treat decref failure as a fatal error.
+                         * In this case will leak error, but can not do
+                         * anything about it. */
+                        error->errClass = PKIX_FATAL_ERROR;
+                        cbContext->error = error;
+                        return SECFailure;
+                    }
+                }
+        }
+
+        return SECSuccess;
+}
+
+
+typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
+                                          CERTImportCertificateFunc f, void *arg);
+
+
+struct pkix_DecodeFuncStr {
+    pkix_DecodeCertsFunc func;          /* function pointer to the 
+                                         * CERT_DecodeCertPackage function */
+    PRLibrary *smimeLib;                /* Pointer to the smime shared lib*/
+    PRCallOnceType once;
+};
+
+static struct pkix_DecodeFuncStr pkix_decodeFunc;
+static const PRCallOnceType pkix_pristine;
+
+#define SMIME_LIB_NAME SHLIB_PREFIX"smime3."SHLIB_SUFFIX
+
+/*
+ * load the smime library and look up the SEC_ReadPKCS7Certs function.
+ *  we do this so we don't have a circular depenency on the smime library,
+ *  and also so we don't have to load the smime library in applications that
+ * don't use it.
+ */
+static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
+{
+    pkix_decodeFunc.smimeLib = 
+		PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
+    if (pkix_decodeFunc.smimeLib == NULL) {
+	return PR_FAILURE;
+    }
+
+    pkix_decodeFunc.func = (pkix_DecodeCertsFunc) PR_FindFunctionSymbol(
+		pkix_decodeFunc.smimeLib, "CERT_DecodeCertPackage");
+    if (!pkix_decodeFunc.func) {
+	return PR_FAILURE;
+    }
+    return PR_SUCCESS;
+
+}
+
+/*
+ * clears our global state on shutdown. 
+ */
+void
+pkix_pl_HttpCertStore_Shutdown(void *plContext)
+{
+    if (pkix_decodeFunc.smimeLib) {
+	PR_UnloadLibrary(pkix_decodeFunc.smimeLib);
+	pkix_decodeFunc.smimeLib = NULL;
+    }
+    /* the function pointer just need to be cleared, not freed */
+    pkix_decodeFunc.func = NULL;
+    pkix_decodeFunc.once = pkix_pristine;
+}
+
+/*
+ * This function is based on CERT_DecodeCertPackage from lib/pkcs7/certread.c
+ * read an old style ascii or binary certificate chain
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_DecodeCertPackage
+        (const char *certbuf,
+        int certlen,
+        CERTImportCertificateFunc f,
+        void *arg,
+        void *plContext)
+{
+   
+        PRStatus status;
+        SECStatus rv;
+
+        PKIX_ENTER
+                (HTTPCERTSTORECONTEXT,
+                "pkix_pl_HttpCertStore_DecodeCertPackage");
+        PKIX_NULLCHECK_TWO(certbuf, f);
+
+        status = PR_CallOnce(&pkix_decodeFunc.once, pkix_getDecodeFunction);
+
+        if (status != PR_SUCCESS) {
+               PKIX_ERROR(PKIX_CANTLOADLIBSMIME);
+        }
+
+        /* paranoia, shouldn't happen if status == PR_SUCCESS); */
+        if (!pkix_decodeFunc.func) {
+               PKIX_ERROR(PKIX_CANTLOADLIBSMIME);
+        }
+
+        rv = (*pkix_decodeFunc.func)((char*)certbuf, certlen, f, arg);
+
+        if (rv != SECSuccess) {
+                PKIX_ERROR (PKIX_SECREADPKCS7CERTSFAILED);
+        }
+    
+
+cleanup:
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_ProcessCertResponse
+ * DESCRIPTION:
+ *
+ *  This function verifies that the response code pointed to by "responseCode"
+ *  and the content type pointed to by "responseContentType" are as expected,
+ *  and then decodes the data pointed to by "responseData", of length
+ *  "responseDataLen", into a List of Certs, possibly empty, which is returned
+ *  at "pCertList".
+ *
+ * PARAMETERS:
+ *  "responseCode"
+ *      The value of the HTTP response code.
+ *  "responseContentType"
+ *      The address of the Content-type string. Must be non-NULL.
+ *  "responseData"
+ *      The address of the message data. Must be non-NULL.
+ *  "responseDataLen"
+ *      The length of the message data.
+ *  "pCertList"
+ *      The address of the List that is created. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpCertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_ProcessCertResponse(
+        PRUint16 responseCode,
+        const char *responseContentType,
+        const char *responseData,
+        PRUint32 responseDataLen,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        callbackContext cbContext;
+
+        PKIX_ENTER(HTTPCERTSTORECONTEXT,
+                "pkix_pl_HttpCertStore_ProcessCertResponse");
+        
+        cbContext.error = NULL;
+        cbContext.plContext = plContext;
+        cbContext.pkixCertList = NULL;
+
+        PKIX_NULLCHECK_ONE(pCertList);
+
+        if (responseCode != 200) {
+                PKIX_ERROR(PKIX_BADHTTPRESPONSE);
+        }
+
+        /* check that response type is application/pkcs7-mime */
+        if (responseContentType == NULL) {
+                PKIX_ERROR(PKIX_NOCONTENTTYPEINHTTPRESPONSE);
+        }
+
+        if (responseData == NULL) {
+                PKIX_ERROR(PKIX_NORESPONSEDATAINHTTPRESPONSE);
+        }
+
+        PKIX_CHECK(
+            PKIX_List_Create(&cbContext.pkixCertList, plContext),
+            PKIX_LISTCREATEFAILED);
+        
+        PKIX_CHECK_ONLY_FATAL(
+            pkix_pl_HttpCertStore_DecodeCertPackage(responseData,
+                                                    responseDataLen,
+                                                    certCallback,
+                                                    &cbContext,
+                                                    plContext),
+            PKIX_HTTPCERTSTOREDECODECERTPACKAGEFAILED);
+        if (cbContext.error) {
+            /* Aborting on a fatal error(See certCallback fn) */
+            pkixErrorResult = cbContext.error;
+            goto cleanup;
+        }
+        
+        *pCertList = cbContext.pkixCertList;
+        cbContext.pkixCertList = NULL;
+
+cleanup:
+
+        PKIX_DECREF(cbContext.pkixCertList);
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_ProcessCrlResponse
+ * DESCRIPTION:
+ *
+ *  This function verifies that the response code pointed to by "responseCode"
+ *  and the content type pointed to by "responseContentType" are as expected,
+ *  and then decodes the data pointed to by "responseData", of length
+ *  "responseDataLen", into a List of Crls, possibly empty, which is returned
+ *  at "pCrlList".
+ *
+ * PARAMETERS:
+ *  "responseCode"
+ *      The value of the HTTP response code.
+ *  "responseContentType"
+ *      The address of the Content-type string. Must be non-NULL.
+ *  "responseData"
+ *      The address of the message data. Must be non-NULL.
+ *  "responseDataLen"
+ *      The length of the message data.
+ *  "pCrlList"
+ *      The address of the List that is created. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpCertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_ProcessCrlResponse(
+        PRUint16 responseCode,
+        const char *responseContentType,
+        const char *responseData,
+        PRUint32 responseDataLen,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        PRArenaPool *arena = NULL;
+        SECItem *encodedResponse = NULL;
+        PRInt16 compareVal = 0;
+        PKIX_List *crls = NULL;
+
+        PKIX_ENTER
+                (HTTPCERTSTORECONTEXT,
+                "pkix_pl_HttpCertStore_ProcessCrlResponse");
+        PKIX_NULLCHECK_ONE(pCrlList);
+
+        if (responseCode != 200) {
+                PKIX_ERROR(PKIX_BADHTTPRESPONSE);
+        }
+
+        /* check that response type is application/pkix-crl */
+        if (responseContentType == NULL) {
+                PKIX_ERROR(PKIX_NOCONTENTTYPEINHTTPRESPONSE);
+        }
+
+        PKIX_PL_NSSCALLRV
+                (HTTPCERTSTORECONTEXT, compareVal, PORT_Strcasecmp,
+                (responseContentType, "application/pkix-crl"));
+
+        if (compareVal != 0) {
+                PKIX_ERROR(PKIX_CONTENTTYPENOTPKIXCRL);
+        }
+
+        /* Make a SECItem of the response data */
+        PKIX_PL_NSSCALLRV(HTTPCERTSTORECONTEXT, arena, PORT_NewArena,
+                (DER_DEFAULT_CHUNKSIZE));
+
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        if (responseData == NULL) {
+                PKIX_ERROR(PKIX_NORESPONSEDATAINHTTPRESPONSE);
+        }
+
+        PKIX_PL_NSSCALLRV
+                (HTTPCERTSTORECONTEXT, encodedResponse, SECITEM_AllocItem,
+                (arena, NULL, responseDataLen));
+
+        if (encodedResponse == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_PL_NSSCALL(HTTPCERTSTORECONTEXT, PORT_Memcpy,
+                (encodedResponse->data, responseData, responseDataLen));
+
+        PKIX_CHECK(PKIX_List_Create(&crls, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        PKIX_CHECK(pkix_pl_CRL_CreateToList
+                (encodedResponse, crls, plContext),
+                PKIX_CRLCREATETOLISTFAILED);
+
+        *pCrlList = crls;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(crls);
+        }
+
+        if (arena != NULL) {
+                PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, (arena, PR_FALSE));
+        }
+
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_CreateRequestSession
+ * DESCRIPTION:
+ *
+ *  This function takes elements from the HttpCertStoreContext pointed to by
+ *  "context" (path, client, and serverSession) and creates a RequestSession.
+ *  See the HTTPClient API described in ocspt.h for further details.
+ *
+ * PARAMETERS:
+ *  "context"
+ *      The address of the HttpCertStoreContext. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpCertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_CreateRequestSession(
+        PKIX_PL_HttpCertStoreContext *context,
+        void *plContext)
+{
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        SECStatus rv = SECFailure;
+        char *pathString = NULL;
+
+        PKIX_ENTER
+                (HTTPCERTSTORECONTEXT,
+                "pkix_pl_HttpCertStore_CreateRequestSession");
+        PKIX_NULLCHECK_TWO(context, context->serverSession);
+
+        pathString = PR_smprintf("%s", context->path);
+
+        if (context->client->version == 1) {
+                hcv1 = &(context->client->fcnTable.ftable1);
+
+                if (context->requestSession != NULL) {
+                        PKIX_PL_NSSCALL(HTTPCERTSTORECONTEXT, hcv1->freeFcn,
+                                (context->requestSession));
+                        context->requestSession = 0;
+                }
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT, rv, hcv1->createFcn,
+                        (context->serverSession,
+                        "http",
+                        pathString,
+                        "GET",
+                        PR_TicksPerSecond() * 60,
+                        &(context->requestSession)));
+
+                if (rv != SECSuccess) {
+                        if (pathString != NULL) {
+                                PORT_Free(pathString);
+                        }
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPCERTSTORECONTEXT);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_GetCert
+ *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_GetCert(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *context = NULL;
+        void *nbioContext = NULL;
+        SECStatus rv = SECFailure;
+        PRUint16 responseCode = 0;
+        const char *responseContentType = NULL;
+        const char *responseData = NULL;
+        PRUint32 responseDataLen = 0;
+        PKIX_List *certList = NULL;
+
+        PKIX_ENTER(HTTPCERTSTORECONTEXT, "pkix_pl_HttpCertStore_GetCert");
+        PKIX_NULLCHECK_THREE(store, selector, pCertList);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&context, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (context->client->version == 1) {
+                hcv1 = &(context->client->fcnTable.ftable1);
+
+                PKIX_CHECK(pkix_pl_HttpCertStore_CreateRequestSession
+                        (context, plContext),
+                        PKIX_HTTPCERTSTORECREATEREQUESTSESSIONFAILED);
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT, rv, hcv1->trySendAndReceiveFcn,
+                        (context->requestSession,
+                        (PRPollDesc **)&nbioContext,
+                        &responseCode,
+                        (const char **)&responseContentType,
+                        NULL, /* &responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+
+                if (nbioContext != 0) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+        PKIX_CHECK(pkix_pl_HttpCertStore_ProcessCertResponse
+                (responseCode,
+                responseContentType,
+                responseData,
+                responseDataLen,
+                &certList,
+                plContext),
+                PKIX_HTTPCERTSTOREPROCESSCERTRESPONSEFAILED);
+
+        *pCertList = certList;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_GetCertContinue
+ *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_GetCertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *context = NULL;
+        void *nbioContext = NULL;
+        SECStatus rv = SECFailure;
+        PRUint16 responseCode = 0;
+        const char *responseContentType = NULL;
+        const char *responseData = NULL;
+        PRUint32 responseDataLen = 0;
+        PKIX_List *certList = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_HttpCertStore_GetCertContinue");
+        PKIX_NULLCHECK_THREE(store, selector, pCertList);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&context, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (context->client->version == 1) {
+                hcv1 = &(context->client->fcnTable.ftable1);
+
+                PKIX_NULLCHECK_ONE(context->requestSession);
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT, rv, hcv1->trySendAndReceiveFcn,
+                        (context->requestSession,
+                        (PRPollDesc **)&nbioContext,
+                        &responseCode,
+                        (const char **)&responseContentType,
+                        NULL, /* &responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+
+                if (nbioContext != 0) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+        PKIX_CHECK(pkix_pl_HttpCertStore_ProcessCertResponse
+                (responseCode,
+                responseContentType,
+                responseData,
+                responseDataLen,
+                &certList,
+                plContext),
+                PKIX_HTTPCERTSTOREPROCESSCERTRESPONSEFAILED);
+
+        *pCertList = certList;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_GetCRL
+ *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_GetCRL(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *context = NULL;
+        void *nbioContext = NULL;
+        SECStatus rv = SECFailure;
+        PRUint16 responseCode = 0;
+        const char *responseContentType = NULL;
+        const char *responseData = NULL;
+        PRUint32 responseDataLen = 0;
+        PKIX_List *crlList = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_HttpCertStore_GetCRL");
+        PKIX_NULLCHECK_THREE(store, selector, pCrlList);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&context, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (context->client->version == 1) {
+                hcv1 = &(context->client->fcnTable.ftable1);
+
+                PKIX_CHECK(pkix_pl_HttpCertStore_CreateRequestSession
+                        (context, plContext),
+                        PKIX_HTTPCERTSTORECREATEREQUESTSESSIONFAILED);
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT, rv, hcv1->trySendAndReceiveFcn,
+                        (context->requestSession,
+                        (PRPollDesc **)&nbioContext,
+                        &responseCode,
+                        (const char **)&responseContentType,
+                        NULL, /* &responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+
+                if (nbioContext != 0) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+        PKIX_CHECK(pkix_pl_HttpCertStore_ProcessCrlResponse
+                (responseCode,
+                responseContentType,
+                responseData,
+                responseDataLen,
+                &crlList,
+                plContext),
+                PKIX_HTTPCERTSTOREPROCESSCRLRESPONSEFAILED);
+
+        *pCrlList = crlList;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_GetCRLContinue
+ *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_GetCRLContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *context = NULL;
+        void *nbioContext = NULL;
+        SECStatus rv = SECFailure;
+        PRUint16 responseCode = 0;
+        const char *responseContentType = NULL;
+        const char *responseData = NULL;
+        PRUint32 responseDataLen = 0;
+        PKIX_List *crlList = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_HttpCertStore_GetCRLContinue");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCrlList);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&context, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        if (context->client->version == 1) {
+                hcv1 = &(context->client->fcnTable.ftable1);
+
+                PKIX_CHECK(pkix_pl_HttpCertStore_CreateRequestSession
+                        (context, plContext),
+                        PKIX_HTTPCERTSTORECREATEREQUESTSESSIONFAILED);
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT, rv, hcv1->trySendAndReceiveFcn,
+                        (context->requestSession,
+                        (PRPollDesc **)&nbioContext,
+                        &responseCode,
+                        (const char **)&responseContentType,
+                        NULL, /* &responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPSERVERERROR);
+                }
+
+                if (nbioContext != 0) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+        PKIX_CHECK(pkix_pl_HttpCertStore_ProcessCrlResponse
+                (responseCode,
+                responseContentType,
+                responseData,
+                responseDataLen,
+                &crlList,
+                plContext),
+                PKIX_HTTPCERTSTOREPROCESSCRLRESPONSEFAILED);
+
+        *pCrlList = crlList;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/* --Public-HttpCertStore-Functions----------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_HttpCertStore_CreateWithAsciiName
+ * DESCRIPTION:
+ *
+ *  This function uses the HttpClient pointed to by "client" and the string
+ *  (hostname:portnum/path, with portnum optional) pointed to by "locationAscii"
+ *  to create an HttpCertStore connected to the desired location, storing the
+ *  created CertStore at "pCertStore".
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpClient. Must be non-NULL.
+ *  "locationAscii"
+ *      The address of the character string indicating the hostname, port, and
+ *      path to be queried for Certs or Crls. Must be non-NULL.
+ *  "pCertStore"
+ *      The address in which the object is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpCertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_HttpCertStore_CreateWithAsciiName(
+        PKIX_PL_HttpClient *client,
+        char *locationAscii,
+        PKIX_CertStore **pCertStore,
+        void *plContext)
+{
+        const SEC_HttpClientFcn *clientFcn = NULL;
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        PKIX_PL_HttpCertStoreContext *httpCertStore = NULL;
+        PKIX_CertStore *certStore = NULL;
+        char *hostname = NULL;
+        char *path = NULL;
+        PRUint16 port = 0;
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_HttpCertStore_CreateWithAsciiName");
+        PKIX_NULLCHECK_TWO(locationAscii, pCertStore);
+
+        if (client == NULL) {
+                clientFcn = SEC_GetRegisteredHttpClient();
+                if (clientFcn == NULL) {
+                        PKIX_ERROR(PKIX_NOREGISTEREDHTTPCLIENT);
+                }
+        } else {
+                clientFcn = (const SEC_HttpClientFcn *)client;
+        }
+
+        /* create a PKIX_PL_HttpCertStore object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                  (PKIX_HTTPCERTSTORECONTEXT_TYPE,
+                  sizeof (PKIX_PL_HttpCertStoreContext),
+                  (PKIX_PL_Object **)&httpCertStore,
+                  plContext),
+                  PKIX_COULDNOTCREATEOBJECT);
+
+        /* Initialize fields */
+        httpCertStore->client = clientFcn; /* not a PKIX object! */
+
+        /* parse location -> hostname, port, path */
+        PKIX_PL_NSSCALLRV(CERTSTORE, rv, CERT_ParseURL,
+                (locationAscii, &hostname, &port, &path));
+
+        if ((hostname == NULL) || (path == NULL)) {
+                PKIX_ERROR(PKIX_URLPARSINGFAILED);
+        }
+
+        httpCertStore->path = path;
+
+        if (clientFcn->version == 1) {
+
+                hcv1 = &(clientFcn->fcnTable.ftable1);
+
+                PKIX_PL_NSSCALLRV
+                        (HTTPCERTSTORECONTEXT,
+                        rv,
+                        hcv1->createSessionFcn,
+                        (hostname, port, &(httpCertStore->serverSession)));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_HTTPCLIENTCREATESESSIONFAILED);
+                }
+        } else {
+                PKIX_ERROR(PKIX_UNSUPPORTEDVERSIONOFHTTPCLIENT);
+        }
+
+        httpCertStore->requestSession = NULL;
+
+        PKIX_CHECK(PKIX_CertStore_Create
+                (pkix_pl_HttpCertStore_GetCert,
+                pkix_pl_HttpCertStore_GetCRL,
+                pkix_pl_HttpCertStore_GetCertContinue,
+                pkix_pl_HttpCertStore_GetCRLContinue,
+                NULL,       /* don't support trust */
+                (PKIX_PL_Object *)httpCertStore,
+                PKIX_TRUE,  /* cache flag */
+                PKIX_FALSE, /* not local */
+                &certStore,
+                plContext),
+                PKIX_CERTSTORECREATEFAILED);
+
+        *pCertStore = certStore;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(httpCertStore);
+        }
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: PKIX_PL_HttpCertStore_Create
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_HttpCertStore_Create(
+        PKIX_PL_HttpClient *client,
+        PKIX_PL_GeneralName *location,
+        PKIX_CertStore **pCertStore,
+        void *plContext)
+{
+        PKIX_PL_String *locationString = NULL;
+        char *locationAscii = NULL;
+        PKIX_UInt32 len = 0;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_PL_HttpCertStore_Create");
+        PKIX_NULLCHECK_TWO(location, pCertStore);
+
+        PKIX_TOSTRING(location, &locationString, plContext,
+                PKIX_GENERALNAMETOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                (locationString,
+                PKIX_ESCASCII,
+                (void **)&locationAscii,
+                &len,
+                plContext),
+                PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_CHECK(pkix_pl_HttpCertStore_CreateWithAsciiName
+                (client, locationAscii, pCertStore, plContext),
+                PKIX_HTTPCERTSTORECREATEWITHASCIINAMEFAILED);
+
+cleanup:
+
+        PKIX_DECREF(locationString);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_HttpCertStore_FindSocketConnection
+ * DESCRIPTION:
+ *
+        PRIntervalTime timeout,
+        char *hostname,
+        PRUint16 portnum,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+
+ *  This function checks for an existing socket, creating a new one if unable
+ *  to find an existing one, for the host pointed to by "hostname" and the port
+ *  pointed to by "portnum". If a new socket is created the PRIntervalTime in
+ *  "timeout" will be used for the timeout value and a creation status is
+ *  returned at "pStatus". The address of the socket is stored at "pSocket".
+ *
+ * PARAMETERS:
+ *  "timeout"
+ *      The PRIntervalTime of the timeout value.
+ *  "hostname"
+ *      The address of the string containing the hostname. Must be non-NULL.
+ *  "portnum"
+ *      The port number for the desired socket.
+ *  "pStatus"
+ *      The address at which the status is stored. Must be non-NULL.
+ *  "pSocket"
+ *      The address at which the socket is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpCertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_HttpCertStore_FindSocketConnection(
+        PRIntervalTime timeout,
+        char *hostname,
+        PRUint16 portnum,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext)
+{
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *hostString = NULL;
+        PKIX_PL_String *domainString = NULL;
+        PKIX_PL_Socket *socket = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_HttpCertStore_FindSocketConnection");
+        PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+
+        *pStatus = 0;
+
+        /* create PKIX_PL_String from hostname and port */
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, "%s:%d", 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+#if 0
+hostname = "variation.red.iplanet.com";
+portnum = 2001;
+#endif
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, hostname, 0, &hostString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&domainString, plContext, formatString, hostString, portnum),
+                PKIX_STRINGCREATEFAILED);
+
+        /* Is this domainName already in cache? */
+        PKIX_CHECK(PKIX_PL_HashTable_Lookup
+                (httpSocketCache,
+                (PKIX_PL_Object *)domainString,
+                (PKIX_PL_Object **)&socket,
+                plContext),
+                PKIX_HASHTABLELOOKUPFAILED);
+
+        if (socket == NULL) {
+
+                /* No, create a connection (and cache it) */
+                PKIX_CHECK(pkix_pl_Socket_CreateByHostAndPort
+                        (PKIX_FALSE,       /* create a client, not a server */
+                        timeout,
+                        hostname,
+                        portnum,
+                        pStatus,
+                        &socket,
+                        plContext),
+                        PKIX_SOCKETCREATEBYHOSTANDPORTFAILED);
+
+                PKIX_CHECK(PKIX_PL_HashTable_Add
+                        (httpSocketCache,
+                        (PKIX_PL_Object *)domainString,
+                        (PKIX_PL_Object *)socket,
+                        plContext),
+                        PKIX_HASHTABLEADDFAILED);
+
+        }
+
+        *pSocket = socket;
+        socket = NULL;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(hostString);
+        PKIX_DECREF(domainString);
+        PKIX_DECREF(socket);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.h
new file mode 100644
index 000000000..97e45b70c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.h
@@ -0,0 +1,95 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_httpcertstore.h
+ *
+ * HTTPCertstore Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_HTTPCERTSTORE_H
+#define _PKIX_PL_HTTPCERTSTORE_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_HttpCertStoreContextStruct {
+        const SEC_HttpClientFcn *client;
+        SEC_HTTP_SERVER_SESSION serverSession;
+        SEC_HTTP_REQUEST_SESSION requestSession;
+	char *path;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_HttpCertStoreContext_RegisterSelf(void *plContext);
+
+void pkix_pl_HttpCertStore_Shutdown(void *plContext);
+
+PKIX_Error *
+pkix_pl_HttpCertStore_CreateWithAsciiName(
+        PKIX_PL_HttpClient *client,
+	char *locationAscii,
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+PKIX_Error *
+pkix_HttpCertStore_FindSocketConnection(
+        PRIntervalTime timeout,
+        char *hostname,
+        PRUint16 portnum,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_HttpCertStore_ProcessCertResponse(
+	PRUint16 responseCode,
+	const char *responseContentType,
+	const char *responseData,
+        PRUint32 responseDataLen,
+	PKIX_List **pCertList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_HTTPCERTSTORE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
new file mode 100644
index 000000000..30b2a53c7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -0,0 +1,1710 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_httpdefaultclient.c
+ *
+ * HTTPDefaultClient Function Definitions
+ *
+ */
+
+#include "pkix_pl_httpdefaultclient.h"
+
+static void *plContext = NULL;
+
+/*
+ * The interface specification for an http client requires that it register
+ * a function table of type SEC_HttpClientFcn, which is defined as a union
+ * of tables, of which only version 1 is defined at present.
+ *
+ * Note: these functions violate the PKIX calling conventions, in that they
+ * return SECStatus rather than PKIX_Error*, and that they do not provide a
+ * plContext argument. They are implemented here as calls to PKIX functions,
+ * but the plContext value is circularly defined - a true kludge. Its value
+ * is saved at the time of the call to pkix_pl_HttpDefaultClient_Create for
+ * subsequent use, but since that initial call comes from the
+ * pkix_pl_HttpDefaultClient_CreateSessionFcn, it's not really getting saved.
+ */
+static SEC_HttpClientFcnV1 vtable = {
+        pkix_pl_HttpDefaultClient_CreateSessionFcn,
+        pkix_pl_HttpDefaultClient_KeepAliveSessionFcn,
+        pkix_pl_HttpDefaultClient_FreeSessionFcn,
+        pkix_pl_HttpDefaultClient_RequestCreateFcn,
+        pkix_pl_HttpDefaultClient_SetPostDataFcn,
+        pkix_pl_HttpDefaultClient_AddHeaderFcn,
+        pkix_pl_HttpDefaultClient_TrySendAndReceiveFcn,
+        pkix_pl_HttpDefaultClient_CancelFcn,
+        pkix_pl_HttpDefaultClient_FreeFcn
+};
+
+static SEC_HttpClientFcn httpClient;
+
+static const char *eohMarker = "\r\n\r\n";
+static const PKIX_UInt32 eohMarkLen = 4; /* strlen(eohMarker) */
+static const char *crlf = "\r\n";
+static const PKIX_UInt32 crlfLen = 2; /* strlen(crlf) */
+static const char *httpprotocol = "HTTP/";
+static const PKIX_UInt32 httpprotocolLen = 5; /* strlen(httpprotocol) */
+
+/* --Private-HttpDefaultClient-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_HdrCheckComplete
+ * DESCRIPTION:
+ *
+ *  This function determines whether the headers in the current receive buffer
+ *  in the HttpDefaultClient pointed to by "client" are complete. If so, the
+ *  input data is checked for status code, content-type and content-length are
+ *  extracted, and the client is set up to read the body of the response.
+ *  Otherwise, the client is set up to continue reading header data.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "bytesRead"
+ *      The UInt32 number of bytes received in the latest read.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_HdrCheckComplete(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_UInt32 bytesRead,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_UInt32 alreadyScanned = 0;
+        PKIX_UInt32 searchOffset = 0;
+        PKIX_UInt32 comp = 0;
+        PKIX_UInt32 headerLength = 0;
+        PKIX_UInt32 contentLength = 0;
+        char *eoh = NULL;
+        char *statusLineEnd = NULL;
+        char *space = NULL;
+        char *nextHeader = NULL;
+        const char *httpcode = NULL;
+        char *thisHeaderEnd = NULL;
+        char *value = NULL;
+        char *colon = NULL;
+	char *copy = NULL;
+        char *body = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_HdrCheckComplete");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        /* Does buffer contain end-of-header marker? */
+        alreadyScanned = client->alreadyScanned;
+        /*
+         * If this is the initial buffer, we have to scan from the beginning.
+         * If we scanned, failed to find eohMarker, and read some more, we
+         * only have to scan from where we left off.
+         */
+        if (alreadyScanned > eohMarkLen) {
+                searchOffset = alreadyScanned - eohMarkLen;
+                PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, eoh, PL_strnstr,
+                        (&(client->rcvBuf[searchOffset]),
+                        eohMarker,
+                        client->capacity - searchOffset));
+        } else {
+                PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, eoh, PL_strnstr,
+                        (client->rcvBuf, eohMarker, bytesRead));
+        }
+
+        alreadyScanned += bytesRead;
+        client->alreadyScanned = alreadyScanned;
+
+        if (eoh == NULL) { /* did we see end-of-header? */
+
+                /* No. Continue to read header data */
+                client->connectStatus = HTTP_RECV_HDR;
+                *pKeepGoing = PKIX_TRUE;
+                goto cleanup;
+
+        }
+
+        /* Yes. Calculate how many bytes in header (not counting eohMarker) */
+        headerLength = (eoh - client->rcvBuf);
+
+        /* allocate space to copy header (and for the NULL terminator) */
+        PKIX_CHECK(PKIX_PL_Malloc(headerLength + 1, (void **)&copy, plContext),
+                PKIX_MALLOCFAILED);
+
+        /* copy header data before we corrupt it (by storing NULLs) */
+        PORT_Memcpy(copy, client->rcvBuf, headerLength);
+
+	/* Store the NULL terminator */
+	copy[headerLength] = '\0';
+
+	client->rcvHeaders = copy;
+
+        /* Did caller want a pointer to header? */
+        if (client->rcv_http_headers != NULL) {
+
+                /* store pointer for caller */
+                *(client->rcv_http_headers) = copy;
+        }
+
+        /* Check that message status is okay. */
+
+        PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, statusLineEnd, PL_strnstr,
+                (client->rcvBuf, crlf, client->capacity));
+
+        if (statusLineEnd == NULL) {
+                client->connectStatus = HTTP_ERROR;
+                PKIX_PL_NSSCALL(HTTPDEFAULTCLIENT, PORT_SetError,
+                        (SEC_ERROR_OCSP_BAD_HTTP_RESPONSE));
+                goto cleanup;
+        }
+
+        *statusLineEnd = '\0';
+
+        PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, space, strchr,
+                ((const char *)client->rcvBuf, ' '));
+        
+        if (space == NULL) {
+                client->connectStatus = HTTP_ERROR;
+                goto cleanup;
+        }
+
+        PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, comp, PORT_Strncasecmp,
+                ((const char *)client->rcvBuf,
+                httpprotocol,
+                httpprotocolLen));
+        
+        if (comp != 0) {
+                client->connectStatus = HTTP_ERROR;
+                goto cleanup;
+        }
+
+        httpcode = space + 1;
+
+        PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, space, strchr,
+                (httpcode, ' '));
+
+        if (space == NULL) {
+                client->connectStatus = HTTP_ERROR;
+                goto cleanup;
+        }
+
+        *space = '\0';
+
+        PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, client->responseCode, atoi,
+                (httpcode));
+
+        if (client->responseCode != 200) {
+                client->connectStatus = HTTP_ERROR;
+                goto cleanup;
+        }
+
+        /* Find the content-type and content-length */
+        nextHeader = statusLineEnd + crlfLen;
+        *eoh = '\0';
+        do {
+                thisHeaderEnd = NULL;
+                value = NULL;
+                PKIX_PL_NSSCALLRV(HTTPDEFAULTCLIENT, colon, strchr,
+                        (nextHeader, ':'));
+
+                if (colon == NULL) {
+                        client->connectStatus = HTTP_ERROR;
+                        goto cleanup;
+                }
+
+                *colon = '\0';
+                value = colon + 1;
+                if (*value != ' ') {
+                        client->connectStatus = HTTP_ERROR;
+                        goto cleanup;
+                }
+                value++;
+                PKIX_PL_NSSCALLRV
+                        (HTTPDEFAULTCLIENT, thisHeaderEnd, strstr,
+                        (value, crlf));
+                if (thisHeaderEnd != NULL) {
+                        *thisHeaderEnd = '\0';
+                }
+                PKIX_PL_NSSCALLRV
+                        (HTTPDEFAULTCLIENT, comp, PORT_Strcasecmp,
+                        (nextHeader, "content-type"));
+                if (comp == 0) {
+                        client->rcvContentType = value;
+                } else {
+                        PKIX_PL_NSSCALLRV
+                                (HTTPDEFAULTCLIENT,
+                                comp,
+                                PORT_Strcasecmp,
+                                (nextHeader, "content-length"));
+                        if (comp == 0) {
+                                contentLength = atoi(value);
+                        }
+                }
+                if (thisHeaderEnd != NULL) {
+                        nextHeader = thisHeaderEnd + crlfLen;
+                } else {
+                        nextHeader = NULL;
+                }
+        } while ((nextHeader != NULL) && (nextHeader < (eoh + crlfLen)));
+                
+        /* Did caller provide a pointer to return content-type? */
+        if (client->rcv_http_content_type != NULL) {
+                *(client->rcv_http_content_type) = client->rcvContentType;
+        }
+
+        if (client->rcvContentType == NULL) {
+                client->connectStatus = HTTP_ERROR;
+                goto cleanup;
+        }
+#if 0
+/* XXX move this code into ocsp checker */
+ else {
+                PKIX_PL_NSSCALLRV
+                        (HTTPDEFAULTCLIENT,
+                        comp,
+                        PORT_Strcasecmp,
+                        (client->rcvContentType, "application/ocsp-response"));
+                if (comp != 0) {
+                        client->connectStatus = HTTP_ERROR;
+                        goto cleanup;
+                }
+        }
+#endif
+
+        /*
+         * The headers have passed validation. Now figure out whether the
+         * message is within the caller's size limit (if one was specified).
+         */
+
+        client->rcv_http_data_len = contentLength;
+        if (client->maxResponseLen > 0) {
+                if (client->maxResponseLen < contentLength) {
+                        client->connectStatus = HTTP_ERROR;
+                        goto cleanup;
+                }
+        }
+
+        /* allocate a buffer of size contentLength  for the content */
+        PKIX_CHECK(PKIX_PL_Malloc(contentLength, (void **)&body, plContext),
+                PKIX_MALLOCFAILED);
+
+        /* How many bytes remain in current buffer, beyond the header? */
+        headerLength += eohMarkLen;
+        client->currentBytesAvailable -= headerLength;
+
+        /* copy any remaining bytes in current buffer into new buffer */
+        if (client->currentBytesAvailable > 0) {
+                PORT_Memcpy(body, &(client->rcvBuf[headerLength]),
+                                     client->currentBytesAvailable);
+        }
+
+        PKIX_CHECK(PKIX_PL_Free(client->rcvBuf, plContext),
+                PKIX_FREEFAILED);
+        client->rcvBuf = body;
+
+        /*
+         * Do we have all of the message body, or do we need to read some more?
+         */
+
+        if (client->currentBytesAvailable < contentLength) {
+                client->bytesToRead =
+                        contentLength - client->currentBytesAvailable;
+		client->alreadyScanned = 0;
+                client->connectStatus = HTTP_RECV_BODY;
+        } else {
+                client->connectStatus = HTTP_COMPLETE;
+                *pKeepGoing = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        *pKeepGoing = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_HttpDefaultClient_Create
+ * DESCRIPTION:
+ *
+ *  This function creates a new HttpDefaultClient, and stores the result at
+ *  "pClient".
+ *
+ *  The HttpClient API does not include a plContext argument in its
+ *  function calls. Its value at the time of this Create call must be the
+ *  same as when the client is invoked.
+ *
+ * PARAMETERS:
+ *  "host"
+ *      The name of the server with which we hope to exchange messages. Must
+ *      be non-NULL.
+ *  "portnum"
+ *      The port number to be used for our connection to the server.
+ *  "pClient"
+ *      The address at which the created HttpDefaultClient is to be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_Create(
+        const char *host,
+        PRUint16 portnum,
+        PKIX_PL_HttpDefaultClient **pClient,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "PKIX_PL_HttpDefaultClient_Create");
+        PKIX_NULLCHECK_ONE(pClient);
+
+        /* allocate an HttpDefaultClient */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_HTTPDEFAULTCLIENT_TYPE,
+                sizeof (PKIX_PL_HttpDefaultClient),
+                (PKIX_PL_Object **)&client,
+                plContext),
+                PKIX_COULDNOTCREATEHTTPDEFAULTCLIENTOBJECT);
+
+        client->connectStatus = HTTP_NOT_CONNECTED;
+        client->portnum = portnum;
+        client->timeout = PR_INTERVAL_NO_WAIT; /* PR_INTERVAL_NO_TIMEOUT; */
+        client->bytesToWrite = 0;
+        client->bytesToRead = 0;
+        client->send_http_data_len = 0;
+        client->rcv_http_data_len = 0;
+        client->capacity = 0;
+        client->alreadyScanned = 0;
+        client->currentBytesAvailable = 0;
+        client->responseCode = 0;
+        client->maxResponseLen = 0;
+        client->GETLen = 0;
+        client->POSTLen = 0;
+        client->pRcv_http_data_len = NULL;
+        client->callbackList = NULL;
+        client->GETBuf = NULL;
+        client->POSTBuf = NULL;
+        client->rcvBuf = NULL;
+        client->host = host;
+        client->path = NULL;
+        client->rcvContentType = NULL;
+        client->rcvHeaders = NULL;
+        client->send_http_method = HTTP_POST_METHOD;
+        client->send_http_content_type = NULL;
+        client->send_http_data = NULL;
+        client->rcv_http_response_code = NULL;
+        client->rcv_http_content_type = NULL;
+        client->rcv_http_headers = NULL;
+        client->rcv_http_data = NULL;
+        client->socket = NULL;
+
+        /*
+         * The HttpClient API does not include a plContext argument in its
+         * function calls. Save it here.
+         */
+        client->plContext = plContext;
+
+        *pClient = client;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(client);
+        }
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_HTTPDEFAULTCLIENT_TYPE, plContext),
+                    PKIX_OBJECTNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)object;
+
+        PKIX_PL_Free(client->rcvHeaders, plContext);
+        client->rcvHeaders = NULL;
+
+        if (client->GETBuf != NULL) {
+                PR_smprintf_free(client->GETBuf);
+                client->GETBuf = NULL;
+        }
+
+        if (client->POSTBuf != NULL) {
+                PKIX_PL_Free(client->POSTBuf, plContext);
+                client->POSTBuf = NULL;
+        }
+
+        if (client->rcvBuf != NULL) {
+                PKIX_PL_Free(client->rcvBuf, plContext);
+                client->rcvBuf = NULL;
+        }
+
+        PKIX_DECREF(client->socket);
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_PL_HTTPDEFAULTCLIENT_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_HttpDefaultClient_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_RegisterSelf");
+
+        entry.description = "HttpDefaultClient";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_HttpDefaultClient);
+        entry.destructor = pkix_pl_HttpDefaultClient_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_HTTPDEFAULTCLIENT_TYPE] = entry;
+
+        httpClient.version = 1;
+        httpClient.fcnTable.ftable1 = vtable;
+        (void)SEC_RegisterDefaultHttpClient(&httpClient);
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/* --Private-HttpDefaultClient-I/O-Functions---------------------------- */
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_ConnectContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether a socket Connect initiated earlier for the
+ *  HttpDefaultClient "client" has completed, and stores in "pKeepGoing" a flag
+ *  indicating whether processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_ConnectContinue(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PRErrorCode status;
+        PKIX_Boolean keepGoing = PKIX_FALSE;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_ConnectContinue");
+        PKIX_NULLCHECK_ONE(client);
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->connectcontinueCallback
+                (client->socket, &status, plContext),
+                PKIX_SOCKETCONNECTCONTINUEFAILED);
+
+        if (status == 0) {
+                client->connectStatus = HTTP_CONNECTED;
+                keepGoing = PKIX_TRUE;
+        } else if (status != PR_IN_PROGRESS_ERROR) {
+                PKIX_ERROR(PKIX_UNEXPECTEDERRORINESTABLISHINGCONNECTION);
+        }
+
+        *pKeepGoing = keepGoing;
+
+cleanup:
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_Send
+ * DESCRIPTION:
+ *
+ *  This function creates and sends HTTP-protocol headers and, if applicable,
+ *  data, for the HttpDefaultClient "client", and stores in "pKeepGoing" a flag
+ *  indicating whether processing can continue without further input, and at
+ *  "pBytesTransferred" the number of bytes sent.
+ *
+ *  If "pBytesTransferred" is zero, it indicates that non-blocking I/O is in use
+ *  and that transmission has not completed.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "pBytesTransferred"
+ *      The address at which the number of bytes sent is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_Send(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        PKIX_UInt32 *pBytesTransferred,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_Int32 lenToWrite = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+        char *dataToWrite = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Send");
+        PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        /* Do we have anything waiting to go? */
+        if ((client->GETBuf) || (client->POSTBuf)) {
+
+                if (client->GETBuf) {
+                        dataToWrite = client->GETBuf;
+                        lenToWrite = client->GETLen;
+                } else {
+                        dataToWrite = client->POSTBuf;
+                        lenToWrite = client->POSTLen;
+                }
+
+                callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+                PKIX_CHECK(callbackList->sendCallback
+                        (client->socket,
+                        dataToWrite,
+                        lenToWrite,
+                        &bytesWritten,
+                        plContext),
+                        PKIX_SOCKETSENDFAILED);
+
+                client->rcvBuf = NULL;
+                client->capacity = 0;
+                client->alreadyScanned = 0;
+                client->currentBytesAvailable = 0;
+
+                /*
+                 * If the send completed we can proceed to try for the
+                 * response. If the send did not complete we will have
+                 * to poll for completion later.
+                 */
+                if (bytesWritten >= 0) {
+                        client->connectStatus = HTTP_RECV_HDR;
+                        *pKeepGoing = PKIX_TRUE;
+                } else {
+                        client->connectStatus = HTTP_SEND_PENDING;
+                        *pKeepGoing = PKIX_FALSE;
+                }
+
+        }
+
+        *pBytesTransferred = bytesWritten;
+
+cleanup:
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_SendContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the sending of the HTTP message for the
+ *  HttpDefaultClient "client" has completed, and stores in "pKeepGoing" a
+ *  flag indicating whether processing can continue without further input, and
+ *  at "pBytesTransferred" the number of bytes sent.
+ *
+ *  If "pBytesTransferred" is zero, it indicates that non-blocking I/O is in use
+ *  and that transmission has not completed.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "pBytesTransferred"
+ *      The address at which the number of bytes sent is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_SendContinue(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        PKIX_UInt32 *pBytesTransferred,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_SendContinue");
+        PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->socket, &bytesWritten, NULL, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        /*
+         * If the send completed we can proceed to try for the
+         * response. If the send did not complete we will have
+         * continue to poll.
+         */
+        if (bytesWritten >= 0) {
+                       client->connectStatus = HTTP_RECV_HDR;
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+        *pBytesTransferred = bytesWritten;
+
+cleanup:
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_RecvHdr
+ * DESCRIPTION:
+ *
+ *  This function receives HTTP headers for the HttpDefaultClient "client", and
+ *  stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_RecvHdr(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_UInt32 bytesToRead = 0;
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RecvHdr");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        /*
+         * rcvbuf, capacity, alreadyScanned, and currentBytesAvailable were
+         * initialized when we wrote the headers. We begin by reading
+         * HTTP_OCSP_BUFSIZE bytes, repeatedly increasing the buffersize and
+         * reading again if necessary, until we have read the end-of-header
+         * marker, "\r\n\r\n", or have reached our maximum.
+         */
+        client->capacity += HTTP_OCSP_BUFSIZE;
+        PKIX_CHECK(PKIX_PL_Realloc
+                (client->rcvBuf,
+                client->capacity,
+                (void **)&(client->rcvBuf),
+                plContext),
+                PKIX_REALLOCFAILED);
+
+        bytesToRead = client->capacity - client->alreadyScanned;
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->recvCallback
+                (client->socket,
+                (void *)&(client->rcvBuf[client->alreadyScanned]),
+                bytesToRead,
+                &bytesRead,
+                plContext),
+                PKIX_SOCKETRECVFAILED);
+
+        if (bytesRead > 0) {
+
+                client->currentBytesAvailable += bytesRead;
+
+                PKIX_CHECK(pkix_pl_HttpDefaultClient_HdrCheckComplete
+                        (client, bytesRead, pKeepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
+
+        } else {
+
+                client->connectStatus = HTTP_RECV_HDR_PENDING;
+                *pKeepGoing = PKIX_FALSE;
+
+        }
+
+cleanup:
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_RecvHdrContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the receiving of the HTTP headers for the
+ *  HttpDefaultClient "client" has completed, and stores in "pKeepGoing" a flag
+ *  indicating whether processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_RecvHdrContinue(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_RecvHdrContinue");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->socket, NULL, &bytesRead, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        if (bytesRead > 0) {
+                client->currentBytesAvailable += bytesRead;
+
+                PKIX_CHECK(pkix_pl_HttpDefaultClient_HdrCheckComplete
+                        (client, bytesRead, pKeepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
+
+        } else {
+
+                *pKeepGoing = PKIX_FALSE;
+
+        }
+
+cleanup:
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_RecvBody
+ * DESCRIPTION:
+ *
+ *  This function processes the contents of the first buffer of a received
+ *  HTTP-protocol message for the HttpDefaultClient "client", and stores in
+ *  "pKeepGoing" a flag indicating whether processing can continue without
+ *  further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_RecvBody(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RecvBody");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->recvCallback
+                (client->socket,
+                (void *)&(client->rcvBuf[client->currentBytesAvailable]),
+                client->bytesToRead,
+                &bytesRead,
+                plContext),
+                PKIX_SOCKETRECVFAILED);
+
+        if (bytesRead > 0) {
+
+		/* We got something. Did we get it all? */
+                client->currentBytesAvailable += bytesRead;
+
+		if (client->bytesToRead > (PKIX_UInt32)bytesRead) {
+                	client->bytesToRead -= (PKIX_UInt32)bytesRead;
+			*pKeepGoing = PKIX_TRUE;
+		} else {
+	                client->connectStatus = HTTP_COMPLETE;
+	                *pKeepGoing = PKIX_FALSE;
+		}
+
+        } else {
+
+                client->connectStatus = HTTP_RECV_BODY_PENDING;
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_RecvBodyContinue
+ * DESCRIPTION:
+ *
+ *  This function checks for completion of a read of a response HTTP-protocol
+ *  message for the HttpDefaultClient "client", and stores in "pKeepGoing" a
+ *  flag indicating whether processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_RecvBodyContinue(
+        PKIX_PL_HttpDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_RecvBodyContinue");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->socket, NULL, &bytesRead, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+
+        if (bytesRead > 0) {
+
+		/* We got something. Did we get it all? */
+                client->currentBytesAvailable += bytesRead;
+                client->bytesToRead -= bytesRead;
+
+		if (client->bytesToRead > 0) {
+                	client->connectStatus = HTTP_RECV_BODY;
+			*pKeepGoing = PKIX_TRUE;
+		} else {
+	                client->connectStatus = HTTP_COMPLETE;
+	                *pKeepGoing = PKIX_FALSE;
+		}
+        }
+
+        *pKeepGoing = PKIX_FALSE;
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_HttpDefaultClient_Dispatch
+ * DESCRIPTION:
+ *
+ *  This function is the state machine dispatcher for the HttpDefaultClient
+ *  pointed to by "client". Results are returned by changes to various fields
+ *  in the context.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the HttpDefaultClient object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HttpDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_HttpDefaultClient_Dispatch(
+        PKIX_PL_HttpDefaultClient *client,
+        void *plContext)
+{
+        PKIX_UInt32 bytesTransferred = 0;
+        PKIX_Boolean keepGoing = PKIX_TRUE;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Dispatch");
+        PKIX_NULLCHECK_ONE(client);
+
+        while (keepGoing) {
+                switch (client->connectStatus) {
+                case HTTP_CONNECT_PENDING:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_ConnectContinue
+                        (client, &keepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTCONNECTCONTINUEFAILED);
+                    break;
+                case HTTP_CONNECTED:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_Send
+                        (client, &keepGoing, &bytesTransferred, plContext),
+                        PKIX_HTTPDEFAULTCLIENTSENDFAILED);
+                    break;
+                case HTTP_SEND_PENDING:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_SendContinue
+                        (client, &keepGoing, &bytesTransferred, plContext),
+                        PKIX_HTTPDEFAULTCLIENTSENDCONTINUEFAILED);
+                    break;
+                case HTTP_RECV_HDR:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdr
+                        (client, &keepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTRECVHDRFAILED);
+                    break;
+                case HTTP_RECV_HDR_PENDING:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdrContinue
+                        (client, &keepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTRECVHDRCONTINUEFAILED);
+                    break;
+                case HTTP_RECV_BODY:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvBody
+                        (client, &keepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTRECVBODYFAILED);
+                    break;
+                case HTTP_RECV_BODY_PENDING:
+                    PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvBodyContinue
+                        (client, &keepGoing, plContext),
+                        PKIX_HTTPDEFAULTCLIENTRECVBODYCONTINUEFAILED);
+                    break;
+                case HTTP_ERROR:
+                case HTTP_COMPLETE:
+                    keepGoing = PKIX_FALSE;
+                    break;
+                case HTTP_NOT_CONNECTED:
+                default:
+                    PKIX_ERROR(PKIX_HTTPDEFAULTCLIENTINILLEGALSTATE);
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+}
+
+/*
+ * --HttpClient vtable functions
+ * See comments in ocspt.h for the function (wrappers) that return SECStatus.
+ * The functions that return PKIX_Error* are the libpkix implementations.
+ */
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_CreateSession(
+        const char *host,
+        PRUint16 portnum,
+        SEC_HTTP_SERVER_SESSION *pSession,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_CreateSession");
+        PKIX_NULLCHECK_TWO(host, pSession);
+
+        PKIX_CHECK(pkix_pl_HttpDefaultClient_Create
+                (host, portnum, &client, plContext),
+                PKIX_HTTPDEFAULTCLIENTCREATEFAILED);
+
+        *pSession = (SEC_HTTP_SERVER_SESSION)client;
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_KeepAliveSession(
+        SEC_HTTP_SERVER_SESSION session,
+        PRPollDesc **pPollDesc,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_KeepAliveSession");
+        PKIX_NULLCHECK_TWO(session, pPollDesc);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)session,
+                PKIX_HTTPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)session;
+
+        /* XXX Not implemented */
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_RequestCreate(
+        SEC_HTTP_SERVER_SESSION session,
+        const char *http_protocol_variant, /* usually "http" */
+        const char *path_and_query_string,
+        const char *http_request_method, 
+        const PRIntervalTime timeout, 
+        SEC_HTTP_REQUEST_SESSION *pRequest,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+        PKIX_PL_Socket *socket = NULL;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+        PRFileDesc *fileDesc = NULL;
+        PRErrorCode status = 0;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RequestCreate");
+        PKIX_NULLCHECK_TWO(session, pRequest);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)session,
+                PKIX_HTTPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)session;
+
+        /* We only know how to do http */
+        if (PORT_Strncasecmp(http_protocol_variant, "http", 4) != 0) {
+                PKIX_ERROR(PKIX_UNRECOGNIZEDPROTOCOLREQUESTED);
+        }
+
+        if (PORT_Strncasecmp(http_request_method, "POST", 4) == 0) {
+                client->send_http_method = HTTP_POST_METHOD;
+        } else if (PORT_Strncasecmp(http_request_method, "GET", 3) == 0) {
+                client->send_http_method = HTTP_GET_METHOD;
+        } else {
+                /* We only know how to do POST and GET */
+                PKIX_ERROR(PKIX_UNRECOGNIZEDREQUESTMETHOD);
+        }
+
+        client->path = path_and_query_string;
+
+        client->timeout = timeout;
+
+#if 0
+	PKIX_CHECK(pkix_HttpCertStore_FindSocketConnection
+                (timeout,
+                "variation.red.iplanet.com", /* (char *)client->host, */
+                2001,   /* client->portnum, */
+                &status,
+                &socket,
+                plContext),
+		PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
+#else
+	PKIX_CHECK(pkix_HttpCertStore_FindSocketConnection
+                (timeout,
+                (char *)client->host,
+                client->portnum,
+                &status,
+                &socket,
+                plContext),
+		PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
+#endif
+
+        client->socket = socket;
+
+        PKIX_CHECK(pkix_pl_Socket_GetCallbackList
+                (socket, &callbackList, plContext),
+                PKIX_SOCKETGETCALLBACKLISTFAILED);
+
+        client->callbackList = (void *)callbackList;
+
+        PKIX_CHECK(pkix_pl_Socket_GetPRFileDesc
+                (socket, &fileDesc, plContext),
+                PKIX_SOCKETGETPRFILEDESCFAILED);
+
+        client->pollDesc.fd = fileDesc;
+        client->pollDesc.in_flags = 0;
+        client->pollDesc.out_flags = 0;
+
+        client->send_http_data = NULL;
+        client->send_http_data_len = 0;
+        client->send_http_content_type = NULL;
+
+        client->connectStatus =
+                 ((status == 0) ? HTTP_CONNECTED : HTTP_CONNECT_PENDING);
+
+        /* Request object is the same object as Session object */
+        PKIX_INCREF(client);
+        *pRequest = client;
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_SetPostData(
+        SEC_HTTP_REQUEST_SESSION request,
+        const char *http_data, 
+        const PRUint32 http_data_len,
+        const char *http_content_type,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_SetPostData");
+        PKIX_NULLCHECK_ONE(request);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)request,
+                PKIX_HTTPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)request;
+
+        client->send_http_data = http_data;
+        client->send_http_data_len = http_data_len;
+        client->send_http_content_type = http_content_type;
+
+        /* Caller is allowed to give NULL or empty string for content_type */
+        if ((client->send_http_content_type == NULL) ||
+            (*(client->send_http_content_type) == '\0')) {
+                client->send_http_content_type = "application/ocsp-request";
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_TrySendAndReceive(
+        SEC_HTTP_REQUEST_SESSION request,
+        PRUint16 *http_response_code, 
+        const char **http_response_content_type, 
+        const char **http_response_headers, 
+        const char **http_response_data, 
+        PRUint32 *http_response_data_len, 
+        PRPollDesc **pPollDesc,
+        SECStatus *pSECReturn,
+        void *plContext)        
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+        PKIX_UInt32 postLen = 0;
+        PRPollDesc *pollDesc = NULL;
+        char *sendbuf = NULL;
+
+        PKIX_ENTER
+                (HTTPDEFAULTCLIENT,
+                "pkix_pl_HttpDefaultClient_TrySendAndReceive");
+
+        PKIX_NULLCHECK_ONE(request);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)request,
+                PKIX_HTTPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)request;
+
+        if (!pPollDesc && client->timeout == 0) {
+            PKIX_ERROR_FATAL(PKIX_NULLARGUMENT);
+        }
+
+        if (pPollDesc) {
+            pollDesc = *pPollDesc;
+        }
+
+        /* if not continuing from an earlier WOULDBLOCK return... */
+        if (pollDesc == NULL) {
+
+                if (!((client->connectStatus == HTTP_CONNECTED) ||
+                     (client->connectStatus == HTTP_CONNECT_PENDING))) {
+                        PKIX_ERROR(PKIX_HTTPCLIENTININVALIDSTATE);
+                }
+
+                /* Did caller provide a value for response length? */
+                if (http_response_data_len != NULL) {
+                        client->pRcv_http_data_len = http_response_data_len;
+                        client->maxResponseLen = *http_response_data_len;
+                }
+
+                client->rcv_http_response_code = http_response_code;
+                client->rcv_http_content_type = http_response_content_type;
+                client->rcv_http_headers = http_response_headers;
+                client->rcv_http_data = http_response_data;
+
+                /* prepare the message */
+                if (client->send_http_method == HTTP_POST_METHOD) {
+                        PKIX_PL_NSSCALLRV
+                            (HTTPDEFAULTCLIENT, sendbuf, PR_smprintf,
+                            ("POST %s HTTP/1.0\r\nHost: %s:%d\r\n"
+                            "Content-Type: %s\r\nContent-Length: %u\r\n\r\n",
+                            client->path,
+                            client->host,
+                            client->portnum,
+                            client->send_http_content_type,
+                            client->send_http_data_len));
+
+                        PKIX_PL_NSSCALLRV
+                                (HTTPDEFAULTCLIENT, postLen, PORT_Strlen,
+                                (sendbuf));
+
+                        client->POSTLen = postLen + client->send_http_data_len;
+
+                        /* allocate postBuffer big enough for header + data */
+                        PKIX_CHECK(PKIX_PL_Malloc
+                                (client->POSTLen,
+                                (void **)&(client->POSTBuf),
+                                plContext),
+                                PKIX_MALLOCFAILED);
+
+                        /* copy header into postBuffer */
+                        PORT_Memcpy(client->POSTBuf, sendbuf, postLen);
+
+                        /* append data after header */
+                        PORT_Memcpy(&client->POSTBuf[postLen],
+                                    client->send_http_data,
+                                    client->send_http_data_len);
+
+                        /* PR_smprintf_free original header buffer */
+                        PKIX_PL_NSSCALL
+                                (HTTPDEFAULTCLIENT, PR_smprintf_free,
+                                (sendbuf));
+                        
+                } else if (client->send_http_method == HTTP_GET_METHOD) {
+                        PKIX_PL_NSSCALLRV
+                            (HTTPDEFAULTCLIENT, sendbuf, PR_smprintf,
+                            ("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
+                            client->path,
+                            client->host,
+                            client->portnum));
+
+                        client->GETBuf = sendbuf;
+
+                        PKIX_PL_NSSCALLRV
+                                (HTTPDEFAULTCLIENT, client->GETLen, PORT_Strlen,
+                                (sendbuf));
+                }
+
+        }
+
+        /* continue according to state */
+        PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plContext),
+                PKIX_HTTPDEFAULTCLIENTDISPATCHFAILED);
+
+        switch (client->connectStatus) {
+                case HTTP_CONNECT_PENDING:
+                case HTTP_SEND_PENDING:
+                case HTTP_RECV_HDR_PENDING:
+                case HTTP_RECV_BODY_PENDING:
+                        pollDesc = &(client->pollDesc);
+                        *pSECReturn = SECWouldBlock;
+                        break;
+                case HTTP_ERROR:
+                        /* Did caller provide a pointer for length? */
+                        if (client->pRcv_http_data_len != NULL) {
+                                /* Was error "response too big?" */
+                                if (client->maxResponseLen >=
+                                        client->rcv_http_data_len) {
+                                        /* Yes, report needed space */
+                                        *(client->pRcv_http_data_len) =
+                                                 client->rcv_http_data_len;
+                                } else {
+                                        /* No, report problem other than size */
+                                        *(client->pRcv_http_data_len) = 0;
+                                }
+                        }
+
+                        pollDesc = NULL;
+                        *pSECReturn = SECFailure;
+                        break;
+                case HTTP_COMPLETE:
+                        *(client->rcv_http_response_code) =
+                                client->responseCode;
+                        if (client->pRcv_http_data_len != NULL) {
+                                *http_response_data_len =
+                                         client->rcv_http_data_len;
+                        }
+                        if (client->rcv_http_data != NULL) {
+                                *(client->rcv_http_data) = client->rcvBuf;
+                        }
+                        pollDesc = NULL;
+                        *pSECReturn = SECSuccess;
+                        break;
+                case HTTP_NOT_CONNECTED:
+                case HTTP_CONNECTED:
+                case HTTP_RECV_HDR:
+                case HTTP_RECV_BODY:
+                default:
+                        pollDesc = NULL;
+                        *pSECReturn = SECFailure;
+                        PKIX_ERROR(PKIX_HTTPCLIENTININVALIDSTATE);
+                        break;
+        }
+
+        if (pPollDesc) {
+            *pPollDesc = pollDesc;
+        }
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+PKIX_Error *
+pkix_pl_HttpDefaultClient_Cancel(
+        SEC_HTTP_REQUEST_SESSION request,
+        void *plContext)
+{
+        PKIX_PL_HttpDefaultClient *client = NULL;
+
+        PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Cancel");
+        PKIX_NULLCHECK_ONE(request);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)request,
+                PKIX_HTTPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
+
+        client = (PKIX_PL_HttpDefaultClient *)request;
+
+        /* XXX Not implemented */
+
+cleanup:
+
+        PKIX_RETURN(HTTPDEFAULTCLIENT);
+
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_CreateSessionFcn(
+        const char *host,
+        PRUint16 portnum,
+        SEC_HTTP_SERVER_SESSION *pSession)
+{
+        PKIX_Error *err = pkix_pl_HttpDefaultClient_CreateSession
+                (host, portnum, pSession, plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_KeepAliveSessionFcn(
+        SEC_HTTP_SERVER_SESSION session,
+        PRPollDesc **pPollDesc)
+{
+        PKIX_Error *err = pkix_pl_HttpDefaultClient_KeepAliveSession
+                (session, pPollDesc, plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_FreeSessionFcn(
+        SEC_HTTP_SERVER_SESSION session)
+{
+        PKIX_Error *err =
+            PKIX_PL_Object_DecRef((PKIX_PL_Object *)(session), plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_RequestCreateFcn(
+        SEC_HTTP_SERVER_SESSION session,
+        const char *http_protocol_variant, /* usually "http" */
+        const char *path_and_query_string,
+        const char *http_request_method, 
+        const PRIntervalTime timeout, 
+        SEC_HTTP_REQUEST_SESSION *pRequest)
+{
+        PKIX_Error *err = pkix_pl_HttpDefaultClient_RequestCreate
+                (session,
+                http_protocol_variant,
+                path_and_query_string,
+                http_request_method,
+                timeout,
+                pRequest,
+                plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_SetPostDataFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        const char *http_data, 
+        const PRUint32 http_data_len,
+        const char *http_content_type)
+{
+        PKIX_Error *err =
+            pkix_pl_HttpDefaultClient_SetPostData(request, http_data,
+                                                  http_data_len,
+                                                  http_content_type,
+                                                  plContext);
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_AddHeaderFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        const char *http_header_name, 
+        const char *http_header_value)
+{
+        /* Not supported */
+        return SECFailure;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_TrySendAndReceiveFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        PRPollDesc **pPollDesc,
+        PRUint16 *http_response_code, 
+        const char **http_response_content_type, 
+        const char **http_response_headers, 
+        const char **http_response_data, 
+        PRUint32 *http_response_data_len) 
+{
+        SECStatus rv = SECFailure;
+
+        PKIX_Error *err = pkix_pl_HttpDefaultClient_TrySendAndReceive
+                (request,
+                http_response_code, 
+                http_response_content_type, 
+                http_response_headers, 
+                http_response_data, 
+                http_response_data_len,
+                pPollDesc,
+                &rv,
+                plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return rv;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_CancelFcn(
+        SEC_HTTP_REQUEST_SESSION request)
+{
+        PKIX_Error *err = pkix_pl_HttpDefaultClient_Cancel(request, plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
+
+SECStatus
+pkix_pl_HttpDefaultClient_FreeFcn(
+        SEC_HTTP_REQUEST_SESSION request)
+{
+        PKIX_Error *err =
+            PKIX_PL_Object_DecRef((PKIX_PL_Object *)(request), plContext);
+
+        if (err) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object *)err, plContext);
+                return SECFailure;
+        }
+        return SECSuccess;
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.h
new file mode 100644
index 000000000..918959f04
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.h
@@ -0,0 +1,172 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_httpdefaultclient.h
+ *
+ * HTTPDefaultClient Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_HTTPDEFAULTCLIENT_H
+#define _PKIX_PL_HTTPDEFAULTCLIENT_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define HTTP_OCSP_BUFSIZE 1024
+
+typedef enum {
+        HTTP_NOT_CONNECTED,
+        HTTP_CONNECT_PENDING,
+        HTTP_CONNECTED,
+        HTTP_SEND_PENDING,
+        HTTP_RECV_HDR,
+        HTTP_RECV_HDR_PENDING,
+        HTTP_RECV_BODY,
+        HTTP_RECV_BODY_PENDING,
+        HTTP_COMPLETE,
+        HTTP_ERROR
+} HttpConnectStatus;
+
+typedef enum {
+	HTTP_POST_METHOD,
+	HTTP_GET_METHOD
+} HttpMethod;
+
+struct PKIX_PL_HttpDefaultClientStruct {
+        HttpConnectStatus connectStatus;
+        PRUint16 portnum;
+        PRIntervalTime timeout;
+        PKIX_UInt32 bytesToWrite;
+        PKIX_UInt32 bytesToRead;
+        PKIX_UInt32 send_http_data_len;
+        PKIX_UInt32 rcv_http_data_len;
+        PKIX_UInt32 capacity;
+        PKIX_UInt32 alreadyScanned;
+        PKIX_UInt32 currentBytesAvailable;
+        PKIX_UInt32 responseCode;
+        PKIX_UInt32 maxResponseLen;
+        PKIX_UInt32 GETLen;
+        PKIX_UInt32 POSTLen;
+        PRUint32 *pRcv_http_data_len;
+        PRPollDesc pollDesc;
+        void *callbackList; /* cast this to (PKIX_PL_Socket_Callback *) */
+        char *GETBuf;
+        char *POSTBuf;
+        char *rcvBuf;
+        const char *host;
+        const char *path;
+        const char *rcvContentType;
+        void *rcvHeaders;
+        HttpMethod send_http_method;
+        const char *send_http_content_type;
+        const char *send_http_data;
+        PRUint16 *rcv_http_response_code;
+        const char **rcv_http_content_type;
+        const char **rcv_http_headers;
+        const char **rcv_http_data;
+        PKIX_PL_Socket *socket;
+        void *plContext;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_HttpDefaultClient_RegisterSelf(void *plContext);
+
+SECStatus
+pkix_pl_HttpDefaultClient_CreateSessionFcn(
+        const char *host,
+        PRUint16 portnum,
+        SEC_HTTP_SERVER_SESSION *pSession);
+
+SECStatus
+pkix_pl_HttpDefaultClient_KeepAliveSessionFcn(
+        SEC_HTTP_SERVER_SESSION session,
+        PRPollDesc **pPollDesc);
+
+SECStatus
+pkix_pl_HttpDefaultClient_FreeSessionFcn(
+        SEC_HTTP_SERVER_SESSION session);
+
+SECStatus
+pkix_pl_HttpDefaultClient_RequestCreateFcn(
+        SEC_HTTP_SERVER_SESSION session,
+        const char *http_protocol_variant, /* usually "http" */
+        const char *path_and_query_string,
+        const char *http_request_method, 
+        const PRIntervalTime timeout, 
+        SEC_HTTP_REQUEST_SESSION *pRequest);
+
+SECStatus
+pkix_pl_HttpDefaultClient_SetPostDataFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        const char *http_data, 
+        const PRUint32 http_data_len,
+        const char *http_content_type);
+
+SECStatus
+pkix_pl_HttpDefaultClient_AddHeaderFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        const char *http_header_name, 
+        const char *http_header_value);
+
+SECStatus
+pkix_pl_HttpDefaultClient_TrySendAndReceiveFcn(
+        SEC_HTTP_REQUEST_SESSION request,
+        PRPollDesc **pPollDesc,
+        PRUint16 *http_response_code, 
+        const char **http_response_content_type, 
+        const char **http_response_headers, 
+        const char **http_response_data, 
+        PRUint32 *http_response_data_len); 
+
+SECStatus
+pkix_pl_HttpDefaultClient_CancelFcn(
+        SEC_HTTP_REQUEST_SESSION request);
+
+SECStatus
+pkix_pl_HttpDefaultClient_FreeFcn(
+        SEC_HTTP_REQUEST_SESSION request);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_HTTPDEFAULTCLIENT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
new file mode 100644
index 000000000..c2d32556a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
@@ -0,0 +1,1102 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapcertstore.c
+ *
+ * LDAPCertStore Function Definitions
+ *
+ */
+
+/* We can't decode the length of a message without at least this many bytes */
+#define MINIMUM_MSG_LENGTH 5
+
+#include "pkix_pl_ldapcertstore.h"
+
+/* --Private-Ldap-CertStore-Database-Functions----------------------- */
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_DecodeCrossCertPair
+ * DESCRIPTION:
+ *
+ *  This function decodes a DER-encoded CrossCertPair pointed to by
+ *  "responseList" and extracts and decodes the Certificates in that pair,
+ *  adding the resulting Certs, if the decoding was successful, to the List
+ *  (possibly empty) pointed to by "certList". If none of the objects
+ *  can be decoded into a Cert, the List is returned unchanged.
+ *
+ * PARAMETERS:
+ *  "derCCPItem"
+ *      The address of the SECItem containing the DER representation of the
+ *      CrossCertPair. Must be non-NULL.
+ *  "certList"
+ *      The address of the List to which the decoded Certs are added. May be
+ *      empty, but must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_DecodeCrossCertPair(
+        SECItem *derCCPItem,
+        PKIX_List *certList,
+        void *plContext)
+{
+        LDAPCertPair certPair = {{ siBuffer, NULL, 0 }, { siBuffer, NULL, 0 }};
+        SECStatus rv = SECFailure;
+
+        PRArenaPool *tempArena = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_DecodeCrossCertPair");
+        PKIX_NULLCHECK_TWO(derCCPItem, certList);
+
+        tempArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (!tempArena) {
+            PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        rv = SEC_ASN1DecodeItem(tempArena, &certPair, PKIX_PL_LDAPCrossCertPairTemplate,
+                                derCCPItem);
+        if (rv != SECSuccess) {
+                goto cleanup;
+        }
+
+        if (certPair.forward.data != NULL) {
+
+            PKIX_CHECK(
+                pkix_pl_Cert_CreateToList(&certPair.forward, certList,
+                                          plContext),
+                PKIX_CERTCREATETOLISTFAILED);
+        }
+
+        if (certPair.reverse.data != NULL) {
+
+            PKIX_CHECK(
+                pkix_pl_Cert_CreateToList(&certPair.reverse, certList,
+                                          plContext),
+                PKIX_CERTCREATETOLISTFAILED);
+        }
+
+cleanup:
+        if (tempArena) {
+            PORT_FreeArena(tempArena, PR_FALSE);
+        }
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_BuildCertList
+ * DESCRIPTION:
+ *
+ *  This function takes a List of LdapResponse objects pointed to by
+ *  "responseList" and extracts and decodes the Certificates in those responses,
+ *  storing the List of those Certificates at "pCerts". If none of the objects
+ *  can be decoded into a Cert, the returned List is empty.
+ *
+ * PARAMETERS:
+ *  "responseList"
+ *      The address of the List of LdapResponses. Must be non-NULL.
+ *  "pCerts"
+ *      The address at which the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_BuildCertList(
+        PKIX_List *responseList,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_UInt32 numResponses = 0;
+        PKIX_UInt32 respIx = 0;
+        LdapAttrMask attrBits = 0;
+        PKIX_PL_LdapResponse *response = NULL;
+        PKIX_List *certList = NULL;
+        LDAPMessage *message = NULL;
+        LDAPSearchResponseEntry *sre = NULL;
+        LDAPSearchResponseAttr **sreAttrArray = NULL;
+        LDAPSearchResponseAttr *sreAttr = NULL;
+        SECItem *attrType = NULL;
+        SECItem **attrVal = NULL;
+        SECItem *derCertItem = NULL;
+
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCertList");
+        PKIX_NULLCHECK_TWO(responseList, pCerts);
+
+        PKIX_CHECK(PKIX_List_Create(&certList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        /* extract certs from response */
+        PKIX_CHECK(PKIX_List_GetLength
+                (responseList, &numResponses, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (respIx = 0; respIx < numResponses; respIx++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (responseList,
+                        respIx,
+                        (PKIX_PL_Object **)&response,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_pl_LdapResponse_GetMessage
+                        (response, &message, plContext),
+                        PKIX_LDAPRESPONSEGETMESSAGEFAILED);
+
+                sre = &(message->protocolOp.op.searchResponseEntryMsg);
+                sreAttrArray = sre->attributes;
+
+                /* Get next element of null-terminated array */
+                sreAttr = *sreAttrArray++;
+                while (sreAttr != NULL) {
+                    attrType = &(sreAttr->attrType);
+                    PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit
+                        (attrType, &attrBits, plContext),
+                        PKIX_LDAPREQUESTATTRTYPETOBITFAILED);
+                    /* Is this attrVal a Certificate? */
+                    if (((LDAPATTR_CACERT | LDAPATTR_USERCERT) &
+                            attrBits) == attrBits) {
+                        attrVal = sreAttr->val;
+                        derCertItem = *attrVal++;
+                        while (derCertItem != 0) {
+                            /* create a PKIX_PL_Cert from derCert */
+                            PKIX_CHECK(pkix_pl_Cert_CreateToList
+                                (derCertItem, certList, plContext),
+                                PKIX_CERTCREATETOLISTFAILED);
+                            derCertItem = *attrVal++;
+                        }
+                    } else if ((LDAPATTR_CROSSPAIRCERT & attrBits) == attrBits){
+                        /* Is this attrVal a CrossPairCertificate? */
+                        attrVal = sreAttr->val;
+                        derCertItem = *attrVal++;
+                        while (derCertItem != 0) {
+                            /* create PKIX_PL_Certs from derCert */
+                            PKIX_CHECK(pkix_pl_LdapCertStore_DecodeCrossCertPair
+                                (derCertItem, certList, plContext),
+                                PKIX_LDAPCERTSTOREDECODECROSSCERTPAIRFAILED);
+                            derCertItem = *attrVal++;
+                        }
+                    }
+                    sreAttr = *sreAttrArray++;
+                }
+                PKIX_DECREF(response);
+        }
+
+        *pCerts = certList;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(certList);
+        }
+
+        PKIX_DECREF(response);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_BuildCrlList
+ * DESCRIPTION:
+ *
+ *  This function takes a List of LdapResponse objects pointed to by
+ *  "responseList" and extracts and decodes the CRLs in those responses, storing
+ *  the List of those CRLs at "pCrls". If none of the objects can be decoded
+ *  into a CRL, the returned List is empty.
+ *
+ * PARAMETERS:
+ *  "responseList"
+ *      The address of the List of LdapResponses. Must be non-NULL.
+ *  "pCrls"
+ *      The address at which the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_BuildCrlList(
+        PKIX_List *responseList,
+        PKIX_List **pCrls,
+        void *plContext)
+{
+        PKIX_UInt32 numResponses = 0;
+        PKIX_UInt32 respIx = 0;
+        LdapAttrMask attrBits = 0;
+        PKIX_PL_LdapResponse *response = NULL;
+        PKIX_List *crlList = NULL;
+        LDAPMessage *message = NULL;
+        LDAPSearchResponseEntry *sre = NULL;
+        LDAPSearchResponseAttr **sreAttrArray = NULL;
+        LDAPSearchResponseAttr *sreAttr = NULL;
+        SECItem *attrType = NULL;
+        SECItem **attrVal = NULL;
+
+        SECItem *derCrlItem = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList");
+        PKIX_NULLCHECK_TWO(responseList, pCrls);
+
+        PKIX_CHECK(PKIX_List_Create(&crlList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        /* extract crls from response */
+        PKIX_CHECK(PKIX_List_GetLength
+                (responseList, &numResponses, plContext),
+                PKIX_LISTGETLENGTHFAILED);
+
+        for (respIx = 0; respIx < numResponses; respIx++) {
+                PKIX_CHECK(PKIX_List_GetItem
+                        (responseList,
+                        respIx,
+                        (PKIX_PL_Object **)&response,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(pkix_pl_LdapResponse_GetMessage
+                        (response, &message, plContext),
+                        PKIX_LDAPRESPONSEGETMESSAGEFAILED);
+
+                sre = &(message->protocolOp.op.searchResponseEntryMsg);
+                sreAttrArray = sre->attributes;
+
+                /* Get next element of null-terminated array */
+                sreAttr = *sreAttrArray++;
+                while (sreAttr != NULL) {
+                    attrType = &(sreAttr->attrType);
+                    PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit
+                        (attrType, &attrBits, plContext),
+                        PKIX_LDAPREQUESTATTRTYPETOBITFAILED);
+                    /* Is this attrVal a Revocation List? */
+                    if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) &
+                            attrBits) == attrBits) {
+                        attrVal = sreAttr->val;
+                        derCrlItem = *attrVal++;
+                        while (derCrlItem != 0) {
+                            /* create a PKIX_PL_Crl from derCrl */
+                            PKIX_CHECK_ONLY_FATAL(
+                                pkix_pl_CRL_CreateToList(derCrlItem, crlList,
+                                                         plContext),
+                                PKIX_CRLCREATETOLISTFAILED);
+                            derCrlItem = *attrVal++;
+                        }
+                        /* Clean up after PKIX_CHECK_ONLY_FATAL */
+                        pkixTempErrorReceived = PKIX_FALSE;
+                    }
+                    sreAttr = *sreAttrArray++;
+                }
+                PKIX_DECREF(response);
+        }
+
+        *pCrls = crlList;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(crlList);
+        }
+
+        PKIX_DECREF(response);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_DestroyAVAList
+ * DESCRIPTION:
+ *
+ *  This function frees the space allocated for the components of the
+ *  equalFilters that make up the andFilter pointed to by "filter".
+ *
+ * PARAMETERS:
+ *  "requestParams"
+ *      The address of the andFilter whose components are to be freed. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapCertStore_DestroyAVAList(
+        LDAPNameComponent **nameComponents,
+        void *plContext)
+{
+        LDAPNameComponent **currentNC = NULL;
+        unsigned char *component = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_DestroyAVAList");
+        PKIX_NULLCHECK_ONE(nameComponents);
+
+        /* Set currentNC to point to first AVA pointer */
+        currentNC = nameComponents;
+
+        while ((*currentNC) != NULL) {
+                component = (*currentNC)->attrValue;
+                if (component != NULL) {
+                        PORT_Free(component);
+                }
+                currentNC++;
+        }
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_MakeNameAVAList
+ * DESCRIPTION:
+ *
+ *  This function allocates space from the arena pointed to by "arena" to
+ *  construct a filter that will match components of the X500Name pointed to
+ *  by "name", and stores the resulting filter at "pFilter".
+ *
+ *  "name" is checked for commonName and organizationName components (cn=,
+ *  and o=). The component strings are extracted using the family of
+ *  CERT_Get* functions, and each must be freed with PORT_Free.
+ *
+ *  It is not clear which components should be in a request, so, for now,
+ *  we stop adding components after we have found one.
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool used in creating the filter. Must be
+ *       non-NULL.
+ *  "name"
+ *      The address of the X500Name whose components define the desired
+ *      matches. Must be non-NULL.
+ *  "pList"
+ *      The address at which the result is stored.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapCertStore_MakeNameAVAList(
+        PRArenaPool *arena,
+        PKIX_PL_X500Name *subjectName, 
+        LDAPNameComponent ***pList,
+        void *plContext)
+{
+        LDAPNameComponent **setOfNameComponents;
+        LDAPNameComponent *currentNameComponent = NULL;
+        PKIX_UInt32 componentsPresent = 0;
+        void *v = NULL;
+        unsigned char *component = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_MakeNameAVAList");
+        PKIX_NULLCHECK_THREE(arena, subjectName, pList);
+
+        /* Increase this if additional components may be extracted */
+#define MAX_NUM_COMPONENTS 3
+
+        /* Space for (MAX_NUM_COMPONENTS + 1) pointers to LDAPNameComponents */
+        PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZAlloc,
+                (arena, (MAX_NUM_COMPONENTS + 1)*sizeof(LDAPNameComponent *)));
+        setOfNameComponents = (LDAPNameComponent **)v;
+
+        /* Space for MAX_NUM_COMPONENTS LDAPNameComponents */
+        PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZNewArray,
+                (arena, LDAPNameComponent, MAX_NUM_COMPONENTS));
+
+        currentNameComponent = (LDAPNameComponent *)v;
+
+        /* Try for commonName */
+        PKIX_CHECK(pkix_pl_X500Name_GetCommonName
+                (subjectName, &component, plContext),
+                PKIX_X500NAMEGETCOMMONNAMEFAILED);
+        if (component) {
+                setOfNameComponents[componentsPresent] = currentNameComponent;
+                currentNameComponent->attrType = (unsigned char *)"cn";
+                currentNameComponent->attrValue = component;
+                componentsPresent++;
+                currentNameComponent++;
+        }
+
+        /*
+         * The LDAP specification says we can send multiple name components
+         * in an "AND" filter, but the LDAP Servers don't seem to be able to
+         * handle such requests. So we'll quit after the cn component.
+         */
+#if 0
+        /* Try for orgName */
+        PKIX_CHECK(pkix_pl_X500Name_GetOrgName
+                (subjectName, &component, plContext),
+                PKIX_X500NAMEGETORGNAMEFAILED);
+        if (component) {
+                setOfNameComponents[componentsPresent] = currentNameComponent;
+                currentNameComponent->attrType = (unsigned char *)"o";
+                currentNameComponent->attrValue = component;
+                componentsPresent++;
+                currentNameComponent++;
+        }
+
+        /* Try for countryName */
+        PKIX_CHECK(pkix_pl_X500Name_GetCountryName
+                (subjectName, &component, plContext),
+                PKIX_X500NAMEGETCOUNTRYNAMEFAILED);
+        if (component) {
+                setOfNameComponents[componentsPresent] = currentNameComponent;
+                currentNameComponent->attrType = (unsigned char *)"c";
+                currentNameComponent->attrValue = component;
+                componentsPresent++;
+                currentNameComponent++;
+        }
+#endif
+
+        setOfNameComponents[componentsPresent] = NULL;
+
+        *pList = setOfNameComponents;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+
+}
+
+#if 0
+/*
+ * FUNCTION: pkix_pl_LdapCertstore_ConvertCertResponses
+ * DESCRIPTION:
+ *
+ *  This function processes the List of LDAPResponses pointed to by "responses"
+ *  into a List of resulting Certs, storing the result at "pCerts". If there
+ *  are no responses converted successfully, a NULL may be stored.
+ *
+ * PARAMETERS:
+ *  "responses"
+ *      The LDAPResponses whose contents are to be converted. Must be non-NULL.
+ *  "pCerts"
+ *      Address at which the returned List is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_ConvertCertResponses(
+        PKIX_List *responses,
+        PKIX_List **pCerts,
+        void *plContext)
+{
+        PKIX_List *unfiltered = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_ConvertCertResponses");
+        PKIX_NULLCHECK_TWO(responses, pCerts);
+
+        /*
+         * We have a List of LdapResponse objects that have to be
+         * turned into Certs.
+         */
+        PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList
+                (responses, &unfiltered, plContext),
+                PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED);
+
+        *pCerts = unfiltered;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
+#endif
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_GetCert
+ *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_GetCert(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        PRArenaPool *requestArena = NULL;
+        LDAPRequestParams requestParams;
+        void *pollDesc = NULL;
+        PKIX_Int32 minPathLen = 0;
+        PKIX_Boolean cacheFlag = PKIX_FALSE;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_PL_LdapCertStoreContext *lcs = NULL;
+        PKIX_List *responses = NULL;
+        PKIX_List *unfilteredCerts = NULL;
+        PKIX_List *filteredCerts = NULL;
+        PKIX_PL_X500Name *subjectName = 0;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCert");
+        PKIX_NULLCHECK_THREE(store, selector, pCertList);
+
+        requestParams.baseObject = "c=US";
+        requestParams.scope = WHOLE_SUBTREE;
+        requestParams.derefAliases = NEVER_DEREF;
+        requestParams.sizeLimit = 0;
+        requestParams.timeLimit = 0;
+
+        /* Prepare elements for request filter */
+
+        /*
+         * Get a short-lived arena. We'll be done with this space once
+         * the request is encoded.
+         */
+        requestArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (!requestArena) {
+                PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                (selector, &params, plContext),
+                PKIX_CERTSELECTORGETCOMCERTSELPARAMSFAILED);
+
+        /*
+         * If we have the subject name for the desired subject,
+         * ask the server for Certs with that subject.
+         */
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+                (params, &subjectName, plContext),
+                PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
+                (params, &minPathLen, plContext),
+                PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
+
+        if (subjectName) {
+                PKIX_CHECK(pkix_pl_LdapCertStore_MakeNameAVAList
+                        (requestArena,
+                        subjectName,
+                        &(requestParams.nc),
+                        plContext),
+                        PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED);
+
+                if (*requestParams.nc == NULL) {
+                        /*
+                         * The subjectName may not include any components
+                         * that we know how to encode. We do not return
+                         * an error, because the caller did not necessarily
+                         * do anything wrong, but we return an empty List.
+                         */
+                        PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena,
+                                (requestArena, PR_FALSE));
+
+                        PKIX_CHECK(PKIX_List_Create(&filteredCerts, plContext),
+                                PKIX_LISTCREATEFAILED);
+
+                        PKIX_CHECK(PKIX_List_SetImmutable
+                                (filteredCerts, plContext),
+                                PKIX_LISTSETIMMUTABLEFAILED);
+
+                        *pNBIOContext = NULL;
+                        *pCertList = filteredCerts;
+                        filteredCerts = NULL;
+                        goto cleanup;
+                }
+        } else {
+                PKIX_ERROR(PKIX_INSUFFICIENTCRITERIAFORCERTQUERY);
+        }
+
+        /* Prepare attribute field of request */
+
+        requestParams.attributes = 0;
+
+        if (minPathLen < 0) {
+                requestParams.attributes |= LDAPATTR_USERCERT;
+        }
+
+        if (minPathLen > -2) {
+                requestParams.attributes |=
+                        LDAPATTR_CACERT | LDAPATTR_CROSSPAIRCERT;
+        }
+
+        /* All request fields are done */
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&lcs, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest
+                ((PKIX_PL_LdapClient *)lcs,
+                &requestParams,
+                &pollDesc,
+                &responses,
+                plContext),
+                PKIX_LDAPCLIENTINITIATEREQUESTFAILED);
+
+        PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList
+                (requestParams.nc, plContext),
+                PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED);
+
+        if (requestArena) {
+                PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena,
+                        (requestArena, PR_FALSE));
+                requestArena = NULL;
+        }
+
+        if (pollDesc != NULL) {
+                /* client is waiting for non-blocking I/O to complete */
+                *pNBIOContext = (void *)pollDesc;
+                *pCertList = NULL;
+                goto cleanup;
+        }
+        /* LdapClient has given us a response! */
+
+        if (responses) {
+                PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                        (store, &cacheFlag, plContext),
+                        PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+                PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList
+                        (responses, &unfilteredCerts, plContext),
+                        PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED);
+
+                PKIX_CHECK(pkix_CertSelector_Select
+                        (selector, unfilteredCerts, &filteredCerts, plContext),
+                        PKIX_CERTSELECTORSELECTFAILED);
+        }
+
+        *pNBIOContext = NULL;
+        *pCertList = filteredCerts;
+        filteredCerts = NULL;
+
+cleanup:
+
+        PKIX_DECREF(params);
+        PKIX_DECREF(subjectName);
+        PKIX_DECREF(responses);
+        PKIX_DECREF(unfilteredCerts);
+        PKIX_DECREF(filteredCerts);
+        PKIX_DECREF(lcs);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_GetCertContinue
+ *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_GetCertContinue(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        PKIX_Boolean cacheFlag = PKIX_FALSE;
+        PKIX_PL_LdapCertStoreContext *lcs = NULL;
+        void *pollDesc = NULL;
+        PKIX_List *responses = NULL;
+        PKIX_List *unfilteredCerts = NULL;
+        PKIX_List *filteredCerts = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCertContinue");
+        PKIX_NULLCHECK_THREE(store, selector, pCertList);
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&lcs, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        PKIX_CHECK(PKIX_PL_LdapClient_ResumeRequest
+                ((PKIX_PL_LdapClient *)lcs, &pollDesc, &responses, plContext),
+                PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
+
+        if (pollDesc != NULL) {
+                /* client is waiting for non-blocking I/O to complete */
+                *pNBIOContext = (void *)pollDesc;
+                *pCertList = NULL;
+                goto cleanup;
+        }
+        /* LdapClient has given us a response! */
+
+        if (responses) {
+                PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                        (store, &cacheFlag, plContext),
+                        PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+                PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList
+                        (responses, &unfilteredCerts, plContext),
+                        PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED);
+
+                PKIX_CHECK(pkix_CertSelector_Select
+                        (selector, unfilteredCerts, &filteredCerts, plContext),
+                        PKIX_CERTSELECTORSELECTFAILED);
+        }
+
+        *pNBIOContext = NULL;
+        *pCertList = filteredCerts;
+
+cleanup:
+
+        PKIX_DECREF(responses);
+        PKIX_DECREF(unfilteredCerts);
+        PKIX_DECREF(lcs);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_GetCRL
+ *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_GetCRL(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        LDAPRequestParams requestParams;
+        void *pollDesc = NULL;
+        PRArenaPool *requestArena = NULL;
+        PKIX_UInt32 numNames = 0;
+        PKIX_UInt32 thisName = 0;
+        PKIX_PL_CRL *candidate = NULL;
+        PKIX_List *responses = NULL;
+        PKIX_List *issuerNames = NULL;
+        PKIX_List *filteredCRLs = NULL;
+        PKIX_List *unfilteredCRLs = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        PKIX_PL_LdapCertStoreContext *lcs = NULL;
+        PKIX_ComCRLSelParams *params = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCRL");
+        PKIX_NULLCHECK_THREE(store, selector, pCrlList);
+
+        requestParams.baseObject = "c=US";
+        requestParams.scope = WHOLE_SUBTREE;
+        requestParams.derefAliases = NEVER_DEREF;
+        requestParams.sizeLimit = 0;
+        requestParams.timeLimit = 0;
+        requestParams.attributes = LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST;
+        /* Prepare elements for request filter */
+
+        /*
+         * Get a short-lived arena. We'll be done with this space once
+         * the request is encoded.
+         */
+        PKIX_PL_NSSCALLRV
+            (CERTSTORE, requestArena, PORT_NewArena, (DER_DEFAULT_CHUNKSIZE));
+
+        if (!requestArena) {
+                PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_CHECK(PKIX_CRLSelector_GetCommonCRLSelectorParams
+                (selector, &params, plContext),
+                PKIX_CRLSELECTORGETCOMCERTSELPARAMSFAILED);
+
+        PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
+                (params, &issuerNames, plContext),
+                PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
+
+        /*
+         * The specification for PKIX_ComCRLSelParams_GetIssuerNames in
+         * pkix_crlsel.h says that if the criterion is not set we get a null
+         * pointer. If we get an empty List the criterion is impossible to
+         * meet ("must match at least one of the names in the List").
+         */
+        if (issuerNames) {
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (issuerNames, &numNames, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                if (numNames > 0) {
+                        for (thisName = 0; thisName < numNames; thisName++) {
+                                PKIX_CHECK(PKIX_List_GetItem
+                                (issuerNames,
+                                thisName,
+                                (PKIX_PL_Object **)&issuer,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                                PKIX_CHECK
+                                        (pkix_pl_LdapCertStore_MakeNameAVAList
+                                        (requestArena,
+                                        issuer,
+                                        &(requestParams.nc),
+                                        plContext),
+                                        PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED);
+
+                                PKIX_DECREF(issuer);
+
+                                if (*requestParams.nc == NULL) {
+                                        /*
+                                         * The issuer may not include any
+                                         * components that we know how to
+                                         * encode. We do not return an error,
+                                         * because the caller did not
+                                         * necessarily do anything wrong, but
+                                         * we return an empty List.
+                                         */
+                                        PKIX_PL_NSSCALL
+                                                (CERTSTORE, PORT_FreeArena,
+                                                (requestArena, PR_FALSE));
+
+                                        PKIX_CHECK(PKIX_List_Create
+                                                (&filteredCRLs, plContext),
+                                                PKIX_LISTCREATEFAILED);
+
+                                        PKIX_CHECK(PKIX_List_SetImmutable
+                                                (filteredCRLs, plContext),
+                                               PKIX_LISTSETIMMUTABLEFAILED);
+
+                                        *pNBIOContext = NULL;
+                                        *pCrlList = filteredCRLs;
+                                        goto cleanup;
+                                }
+
+                                /*
+                                 * LDAP Servers don't seem to be able to handle
+                                 * requests with more than more than one name.
+                                 */
+                                break;
+                        }
+                } else {
+                        PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY);
+                }
+        } else {
+                PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY);
+        }
+
+        /* All request fields are done */
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&lcs, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest
+                ((PKIX_PL_LdapClient *)lcs,
+                &requestParams,
+                &pollDesc,
+                &responses,
+                plContext),
+                PKIX_LDAPCLIENTINITIATEREQUESTFAILED);
+
+        PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList
+                (requestParams.nc, plContext),
+                PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED);
+
+        if (requestArena) {
+                PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena,
+                        (requestArena, PR_FALSE));
+        }
+
+        if (pollDesc != NULL) {
+                /* client is waiting for non-blocking I/O to complete */
+                *pNBIOContext = (void *)pollDesc;
+                *pCrlList = NULL;
+                goto cleanup;
+        }
+        /* client has finished! */
+
+        if (responses) {
+
+                /*
+                 * We have a List of LdapResponse objects that still have to be
+                 * turned into Crls.
+                 */
+                PKIX_CHECK(pkix_pl_LdapCertStore_BuildCrlList
+                        (responses, &unfilteredCRLs, plContext),
+                        PKIX_LDAPCERTSTOREBUILDCRLLISTFAILED);
+
+                PKIX_CHECK(pkix_CRLSelector_Select
+                        (selector, unfilteredCRLs, &filteredCRLs, plContext),
+                        PKIX_CRLSELECTORSELECTFAILED);
+
+        }
+
+        /* Don't throw away the list if one CRL was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        *pNBIOContext = NULL;
+        *pCrlList = filteredCRLs;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(filteredCRLs);
+        }
+
+        PKIX_DECREF(params);
+        PKIX_DECREF(issuerNames);
+        PKIX_DECREF(issuer);
+        PKIX_DECREF(candidate);
+        PKIX_DECREF(responses);
+        PKIX_DECREF(unfilteredCRLs);
+        PKIX_DECREF(lcs);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapCertStore_GetCRLContinue
+ *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_LdapCertStore_GetCRLContinue(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        void *nbio = NULL;
+        PKIX_PL_CRL *candidate = NULL;
+        PKIX_List *responses = NULL;
+        PKIX_PL_LdapCertStoreContext *lcs = NULL;
+        PKIX_List *filteredCRLs = NULL;
+        PKIX_List *unfilteredCRLs = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCRLContinue");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCrlList);
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreContext
+                (store, (PKIX_PL_Object **)&lcs, plContext),
+                PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED);
+
+        PKIX_CHECK(PKIX_PL_LdapClient_ResumeRequest
+                ((PKIX_PL_LdapClient *)lcs, &nbio, &responses, plContext),
+                PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
+
+        if (nbio != NULL) {
+                /* client is waiting for non-blocking I/O to complete */
+                *pNBIOContext = (void *)nbio;
+                *pCrlList = NULL;
+                goto cleanup;
+        }
+        /* client has finished! */
+
+        if (responses) {
+
+                /*
+                 * We have a List of LdapResponse objects that still have to be
+                 * turned into Crls.
+                 */
+                PKIX_CHECK(pkix_pl_LdapCertStore_BuildCrlList
+                        (responses, &unfilteredCRLs, plContext),
+                        PKIX_LDAPCERTSTOREBUILDCRLLISTFAILED);
+
+                PKIX_CHECK(pkix_CRLSelector_Select
+                        (selector, unfilteredCRLs, &filteredCRLs, plContext),
+                        PKIX_CRLSELECTORSELECTFAILED);
+
+                PKIX_CHECK(PKIX_List_SetImmutable(filteredCRLs, plContext),
+                        PKIX_LISTSETIMMUTABLEFAILED);
+
+        }
+
+        /* Don't throw away the list if one CRL was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        *pCrlList = filteredCRLs;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(filteredCRLs);
+        }
+
+        PKIX_DECREF(candidate);
+        PKIX_DECREF(responses);
+        PKIX_DECREF(unfilteredCRLs);
+        PKIX_DECREF(lcs);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/* --Public-LdapCertStore-Functions----------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_LdapCertStore_Create
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_LdapCertStore_Create(
+        PKIX_PL_LdapClient *client,
+        PKIX_CertStore **pCertStore,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_PL_LdapCertStore_Create");
+        PKIX_NULLCHECK_TWO(client, pCertStore);
+
+        PKIX_CHECK(PKIX_CertStore_Create
+                (pkix_pl_LdapCertStore_GetCert,
+                pkix_pl_LdapCertStore_GetCRL,
+                pkix_pl_LdapCertStore_GetCertContinue,
+                pkix_pl_LdapCertStore_GetCRLContinue,
+                NULL,       /* don't support trust */
+                (PKIX_PL_Object *)client,
+                PKIX_TRUE,  /* cache flag */
+                PKIX_FALSE, /* not local */
+                &certStore,
+                plContext),
+                PKIX_CERTSTORECREATEFAILED);
+
+        *pCertStore = certStore;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.h
new file mode 100644
index 000000000..249c229c9
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapcertstore.h
+ *
+ * LDAPCertstore Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_LDAPCERTSTORE_H
+#define _PKIX_PL_LDAPCERTSTORE_H
+
+#include "pkix_pl_ldapt.h"
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * At the time of this version, there are unresolved questions about the LDAP
+ * protocol. Although RFC1777 describes a BIND and UNBIND message, it is not
+ * clear whether they are appropriate to this application. We have tested only
+ * using servers that do not expect authentication, and that reject BIND
+ * messages. It is not clear what values might be appropriate for the bindname
+ * and authentication fields, which are currently implemented as char strings
+ * supplied by the caller. (If this changes, the API and possibly the templates
+ * will have to change.) Therefore the CertStore_Create API contains a BindAPI
+ * structure, a union, which will have to be revised and extended when this
+ * area of the protocol is better understood.
+ *
+ * It is further assumed that a given LdapCertStore will connect only to a
+ * single server, and that the creation of the socket will initiate the
+ * CONNECT. Therefore the LdapCertStore handles only the case of continuing
+ * the connection, if nonblocking I/O is being used.
+ */
+
+typedef enum {
+        LDAP_CONNECT_PENDING,
+        LDAP_CONNECTED,
+        LDAP_BIND_PENDING,
+        LDAP_BIND_RESPONSE,
+        LDAP_BIND_RESPONSE_PENDING,
+        LDAP_BOUND,
+        LDAP_SEND_PENDING,
+        LDAP_RECV,
+        LDAP_RECV_PENDING,
+        LDAP_RECV_INITIAL,
+        LDAP_RECV_NONINITIAL,
+        LDAP_ABANDON_PENDING
+} LDAPConnectStatus;
+
+#define LDAP_CACHEBUCKETS       128
+#define RCVBUFSIZE              512
+
+struct PKIX_PL_LdapCertStoreContext {
+        PKIX_PL_LdapClient *client;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_LdapCertStoreContext_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapCertStore_BuildCertList(
+        PKIX_List *responseList,
+        PKIX_List **pCerts,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_LDAPCERTSTORE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
new file mode 100644
index 000000000..45da0ab3f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c
@@ -0,0 +1,2526 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapdefaultclient.c
+ *
+ * LDAPDefaultClient Function Definitions
+ *
+ */
+
+/* We can't decode the length of a message without at least this many bytes */
+#define MINIMUM_MSG_LENGTH 5
+
+#include "pkix_pl_ldapdefaultclient.h"
+
+/* --Private-LdapDefaultClient-Message-Building-Functions---------------- */
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_MakeBind
+ * DESCRIPTION:
+ *
+ *  This function creates and encodes a Bind message, using the arena pointed
+ *  to by "arena", the version number contained in "versionData", the
+ *  LDAPBindAPI pointed to by "bindAPI", and the messageID contained in
+ *  "msgNum", and stores a pointer to the encoded string at "pBindMsg".
+ *
+ *  See pkix_pl_ldaptemplates.c for the ASN.1 description of a Bind message.
+ *
+ *  This code is not used if the DefaultClient was created with a NULL pointer
+ *  supplied for the LDAPBindAPI structure. (Bind and Unbind do not seem to be
+ *  expected for anonymous Search requests.)
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool used in encoding the message. Must be
+ *       non-NULL.
+ *  "versionData"
+ *      The Int32 containing the version number to be encoded in the Bind
+ *      message.
+ *  "bindAPI"
+ *      The address of the LDAPBindAPI to be encoded in the Bind message. Must
+ *      be non-NULL.
+ *  "msgNum"
+ *      The Int32 containing the MessageID to be encoded in the Bind message.
+ *  "pBindMsg"
+ *      The address at which the encoded Bind message will be stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_MakeBind(
+        PRArenaPool *arena,
+        PKIX_Int32 versionData,
+        LDAPBindAPI *bindAPI,
+        PKIX_UInt32 msgNum,
+        SECItem **pBindMsg,
+        void *plContext)
+{
+        LDAPMessage msg;
+        char version = '\0';
+        SECItem *encoded = NULL;
+        PKIX_UInt32 len = 0;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_MakeBind");
+        PKIX_NULLCHECK_TWO(arena, pBindMsg);
+
+        PKIX_PL_NSSCALL(LDAPDEFAULTCLIENT, PORT_Memset,
+                (&msg, 0, sizeof (LDAPMessage)));
+
+        version = (char)versionData;
+
+        msg.messageID.type = siUnsignedInteger;
+        msg.messageID.data = (void*)&msgNum;
+        msg.messageID.len = sizeof (msgNum);
+
+        msg.protocolOp.selector = LDAP_BIND_TYPE;
+
+        msg.protocolOp.op.bindMsg.version.type = siUnsignedInteger;
+        msg.protocolOp.op.bindMsg.version.data = (void *)&version;
+        msg.protocolOp.op.bindMsg.version.len = sizeof (char);
+
+        /*
+         * XXX At present we only know how to handle anonymous requests (no
+         * authentication), and we are guessing how to do simple authentication.
+         * This section will need to be revised and extended when other
+         * authentication is needed.
+         */
+        if (bindAPI->selector == SIMPLE_AUTH) {
+                msg.protocolOp.op.bindMsg.bindName.type = siAsciiString;
+                msg.protocolOp.op.bindMsg.bindName.data =
+                        (void *)bindAPI->chooser.simple.bindName;
+                len = PL_strlen(bindAPI->chooser.simple.bindName);
+                msg.protocolOp.op.bindMsg.bindName.len = len;
+
+                msg.protocolOp.op.bindMsg.authentication.type = siAsciiString;
+                msg.protocolOp.op.bindMsg.authentication.data =
+                        (void *)bindAPI->chooser.simple.authentication;
+                len = PL_strlen(bindAPI->chooser.simple.authentication);
+                msg.protocolOp.op.bindMsg.authentication.len = len;
+        }
+
+        PKIX_PL_NSSCALLRV(LDAPDEFAULTCLIENT, encoded, SEC_ASN1EncodeItem,
+                (arena, NULL, (void *)&msg, PKIX_PL_LDAPMessageTemplate));
+        if (!encoded) {
+                PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+        }
+
+        *pBindMsg = encoded;
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_MakeUnbind
+ * DESCRIPTION:
+ *
+ *  This function creates and encodes a Unbind message, using the arena pointed
+ *  to by "arena" and the messageID contained in "msgNum", and stores a pointer
+ *  to the encoded string at "pUnbindMsg".
+ *
+ *  See pkix_pl_ldaptemplates.c for the ASN.1 description of an Unbind message.
+ *
+ *  This code is not used if the DefaultClient was created with a NULL pointer
+ *  supplied for the LDAPBindAPI structure. (Bind and Unbind do not seem to be
+ *  expected for anonymous Search requests.)
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool used in encoding the message. Must be
+ *       non-NULL.
+ *  "msgNum"
+ *      The Int32 containing the MessageID to be encoded in the Unbind message.
+ *  "pUnbindMsg"
+ *      The address at which the encoded Unbind message will be stored. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_MakeUnbind(
+        PRArenaPool *arena,
+        PKIX_UInt32 msgNum,
+        SECItem **pUnbindMsg,
+        void *plContext)
+{
+        LDAPMessage msg;
+        SECItem *encoded = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_MakeUnbind");
+        PKIX_NULLCHECK_TWO(arena, pUnbindMsg);
+
+        PKIX_PL_NSSCALL(LDAPDEFAULTCLIENT, PORT_Memset,
+                (&msg, 0, sizeof (LDAPMessage)));
+
+        msg.messageID.type = siUnsignedInteger;
+        msg.messageID.data = (void*)&msgNum;
+        msg.messageID.len = sizeof (msgNum);
+
+        msg.protocolOp.selector = LDAP_UNBIND_TYPE;
+
+        msg.protocolOp.op.unbindMsg.dummy.type = siBuffer;
+        msg.protocolOp.op.unbindMsg.dummy.data = NULL;
+        msg.protocolOp.op.unbindMsg.dummy.len = 0;
+
+        PKIX_PL_NSSCALLRV(LDAPDEFAULTCLIENT, encoded, SEC_ASN1EncodeItem,
+                (arena, NULL, (void *)&msg, PKIX_PL_LDAPMessageTemplate));
+        if (!encoded) {
+                PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+        }
+
+        *pUnbindMsg = encoded;
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_MakeAbandon
+ * DESCRIPTION:
+ *
+ *  This function creates and encodes a Abandon message, using the arena pointed
+ *  to by "arena" and the messageID contained in "msgNum", and stores a pointer
+ *  to the encoded string at "pAbandonMsg".
+ *
+ *  See pkix_pl_ldaptemplates.c for the ASN.1 description of an Abandon message.
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool used in encoding the message. Must be
+ *       non-NULL.
+ *  "msgNum"
+ *      The Int32 containing the MessageID to be encoded in the Abandon message.
+ *  "pAbandonMsg"
+ *      The address at which the encoded Abandon message will be stored. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_MakeAbandon(
+        PRArenaPool *arena,
+        PKIX_UInt32 msgNum,
+        SECItem **pAbandonMsg,
+        void *plContext)
+{
+        LDAPMessage msg;
+        SECItem *encoded = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_MakeAbandon");
+        PKIX_NULLCHECK_TWO(arena, pAbandonMsg);
+
+        PKIX_PL_NSSCALL(LDAPDEFAULTCLIENT, PORT_Memset,
+                (&msg, 0, sizeof (LDAPMessage)));
+
+        msg.messageID.type = siUnsignedInteger;
+        msg.messageID.data = (void*)&msgNum;
+        msg.messageID.len = sizeof (msgNum);
+
+        msg.protocolOp.selector = LDAP_ABANDONREQUEST_TYPE;
+
+        msg.protocolOp.op.abandonRequestMsg.messageID.type = siBuffer;
+        msg.protocolOp.op.abandonRequestMsg.messageID.data = (void*)&msgNum;
+        msg.protocolOp.op.abandonRequestMsg.messageID.len = sizeof (msgNum);
+
+        PKIX_PL_NSSCALLRV(LDAPDEFAULTCLIENT, encoded, SEC_ASN1EncodeItem,
+                (arena, NULL, (void *)&msg, PKIX_PL_LDAPMessageTemplate));
+        if (!encoded) {
+                PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+        }
+
+        *pAbandonMsg = encoded;
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_DecodeBindResponse
+ * DESCRIPTION:
+ *
+ *  This function decodes the encoded data pointed to by "src", using the arena
+ *  pointed to by "arena", storing the decoded LDAPMessage at "pBindResponse"
+ *  and the decoding status at "pStatus".
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool to be used in decoding the message. Must
+ *      be  non-NULL.
+ *  "src"
+ *      The address of the SECItem containing the DER- (or BER-)encoded string.
+ *       Must be non-NULL.
+ *  "pBindResponse"
+ *      The address at which the LDAPMessage is stored, if the decoding is
+ *      successful (the returned status is SECSuccess). Must be non-NULL.
+ *  "pStatus"
+ *      The address at which the decoding status is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_DecodeBindResponse(
+        PRArenaPool *arena,
+        SECItem *src,
+        LDAPMessage *pBindResponse,
+        SECStatus *pStatus,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+        LDAPMessage response;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_DecodeBindResponse");
+        PKIX_NULLCHECK_FOUR(arena, src, pBindResponse, pStatus);
+
+        PKIX_PL_NSSCALL
+                (LDAPDEFAULTCLIENT,
+                PORT_Memset,
+                (&response, 0, sizeof (LDAPMessage)));
+
+        PKIX_PL_NSSCALLRV(LDAPDEFAULTCLIENT, rv, SEC_ASN1DecodeItem,
+            (arena, &response, PKIX_PL_LDAPMessageTemplate, src));
+
+        if (rv == SECSuccess) {
+                *pBindResponse = response;
+        }
+
+        *pStatus = rv;
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_VerifyBindResponse
+ * DESCRIPTION:
+ *
+ *  This function verifies that the contents of the message in the rcvbuf of
+ *  the LdapDefaultClient object pointed to by "client",  and whose length is
+ *  provided by "buflen", is a response to a successful Bind.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "buflen"
+ *      The value of the number of bytes in the receive buffer.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_VerifyBindResponse(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_UInt32 bufLen,
+        void *plContext)
+{
+        SECItem decode = {siBuffer, NULL, 0};
+        SECStatus rv = SECFailure;
+        LDAPMessage msg;
+        LDAPBindResponse *ldapBindResponse = NULL;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_VerifyBindResponse");
+        PKIX_NULLCHECK_TWO(client, client->rcvBuf);
+
+        decode.data = (void *)(client->rcvBuf);
+        decode.len = bufLen;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_DecodeBindResponse
+                (client->arena, &decode, &msg, &rv, plContext),
+                PKIX_LDAPDEFAULTCLIENTDECODEBINDRESPONSEFAILED);
+
+        if (rv == SECSuccess) {
+                ldapBindResponse = &msg.protocolOp.op.bindResponseMsg;
+                if (*(ldapBindResponse->resultCode.data) == SUCCESS) {
+                        client->connectStatus = BOUND;
+                } else {
+                        PKIX_ERROR(PKIX_BINDREJECTEDBYSERVER);
+                }
+        } else {
+                PKIX_ERROR(PKIX_CANTDECODEBINDRESPONSEFROMSERVER);
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_RecvCheckComplete
+ * DESCRIPTION:
+ *
+ *  This function determines whether the current response in the
+ *  LdapDefaultClient pointed to by "client" is complete, in the sense that all
+ *  bytes required to satisfy the message length field in the encoding have been
+ *  received. If so, the pointer to input data is updated to reflect the number
+ *  of bytes consumed, provided by "bytesProcessed". The state machine flag
+ *  pointed to by "pKeepGoing" is updated to indicate whether processing can
+ *  continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "bytesProcessed"
+ *      The UInt32 value of the number of bytes consumed from the current
+ *      buffer.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_RecvCheckComplete(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_UInt32 bytesProcessed,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Boolean complete = PKIX_FALSE;
+        SECStatus rv = SECFailure;
+        LDAPMessageType messageType = 0;
+        LDAPResultCode resultCode = 0;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_RecvCheckComplete");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        PKIX_CHECK(pkix_pl_LdapResponse_IsComplete
+                (client->currentResponse, &complete, plContext),
+                PKIX_LDAPRESPONSEISCOMPLETEFAILED);
+
+        if (complete) {
+                PKIX_CHECK(pkix_pl_LdapResponse_Decode
+                       (client->arena, client->currentResponse, &rv, plContext),
+                        PKIX_LDAPRESPONSEDECODEFAILED);
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_CANTDECODESEARCHRESPONSEFROMSERVER);
+                }
+
+                PKIX_CHECK(pkix_pl_LdapResponse_GetMessageType
+                        (client->currentResponse, &messageType, plContext),
+                        PKIX_LDAPRESPONSEGETMESSAGETYPEFAILED);
+
+                if (messageType == LDAP_SEARCHRESPONSEENTRY_TYPE) {
+
+                        if (client->entriesFound == NULL) {
+                                PKIX_CHECK(PKIX_List_Create
+                                    (&(client->entriesFound), plContext),
+                                    PKIX_LISTCREATEFAILED);
+                        }
+
+                        PKIX_CHECK(PKIX_List_AppendItem
+                                (client->entriesFound,
+                                (PKIX_PL_Object *)client->currentResponse,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                        PKIX_DECREF(client->currentResponse);
+
+                        /* current receive buffer empty? */
+                        if (client->currentBytesAvailable == 0) {
+                                client->connectStatus = RECV;
+                                *pKeepGoing = PKIX_TRUE;
+                        } else {
+                                client->connectStatus = RECV_INITIAL;
+                                client->currentInPtr = &((char *)
+                                    (client->currentInPtr))[bytesProcessed];
+                                *pKeepGoing = PKIX_TRUE;
+                        }
+
+                } else if (messageType == LDAP_SEARCHRESPONSERESULT_TYPE) {
+                        PKIX_CHECK(pkix_pl_LdapResponse_GetResultCode
+                                (client->currentResponse,
+                                &resultCode,
+                                plContext),
+                                PKIX_LDAPRESPONSEGETRESULTCODEFAILED);
+
+                        if ((client->entriesFound == NULL) &&
+                            ((resultCode == SUCCESS) ||
+                            (resultCode == NOSUCHOBJECT))) {
+                                PKIX_CHECK(PKIX_List_Create
+                                    (&(client->entriesFound), plContext),
+                                    PKIX_LISTCREATEFAILED);
+                        } else if (resultCode == SUCCESS) {
+                                PKIX_CHECK(PKIX_List_SetImmutable
+                                    (client->entriesFound, plContext),
+                                    PKIX_LISTSETIMMUTABLEFAILED);
+                                PKIX_CHECK(PKIX_PL_HashTable_Add
+                                    (client->cachePtr,
+                                    (PKIX_PL_Object *)client->currentRequest,
+                                    (PKIX_PL_Object *)client->entriesFound,
+                                    plContext),
+                                    PKIX_HASHTABLEADDFAILED);
+                        } else {
+                            PKIX_ERROR(PKIX_UNEXPECTEDRESULTCODEINRESPONSE);
+                        }
+
+                        client->connectStatus = BOUND;
+                        *pKeepGoing = PKIX_FALSE;
+                        PKIX_DECREF(client->currentResponse);
+
+                } else {
+                        PKIX_ERROR(PKIX_SEARCHRESPONSEPACKETOFUNKNOWNTYPE);
+                }
+        } else {
+                client->connectStatus = RECV;
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/* --Private-LdapDefaultClient-Object-Functions------------------------- */
+
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_InitiateRequest(
+        PKIX_PL_LdapClient *client,
+        LDAPRequestParams *requestParams,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext);
+
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_ResumeRequest(
+        PKIX_PL_LdapClient *client,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext);
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_CreateHelper
+ * DESCRIPTION:
+ *
+ *  This function creates a new LdapDefaultClient using the Socket pointed to
+ *  by "socket", the PRIntervalTime pointed to by "timeout", and the
+ *  LDAPBindAPI pointed to by "bindAPI", and stores the result at "pClient".
+ *
+ *  A value of zero for "timeout" means the LDAPClient will use non-blocking
+ *  I/O.
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      Address of the Socket to be used for the client. Must be non-NULL.
+ *  "bindAPI"
+ *      The address of the LDAPBindAPI containing the Bind information to be
+ *      encoded in the Bind message.
+ *  "pClient"
+ *      The address at which the created LdapDefaultClient is to be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapDefaultClient_CreateHelper(
+        PKIX_PL_Socket *socket,
+        LDAPBindAPI *bindAPI,
+        PKIX_PL_LdapDefaultClient **pClient,
+        void *plContext)
+{
+        PKIX_PL_HashTable *ht;
+        PKIX_PL_LdapDefaultClient *ldapDefaultClient = NULL;
+        PKIX_PL_Socket_Callback *callbackList;
+        PRFileDesc *fileDesc = NULL;
+        PRArenaPool *arena = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_CreateHelper");
+        PKIX_NULLCHECK_TWO(socket, pClient);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LDAPDEFAULTCLIENT_TYPE,
+                    sizeof (PKIX_PL_LdapDefaultClient),
+                    (PKIX_PL_Object **)&ldapDefaultClient,
+                    plContext),
+                    PKIX_COULDNOTCREATELDAPDEFAULTCLIENTOBJECT);
+
+        ldapDefaultClient->vtable.initiateFcn =
+                pkix_pl_LdapDefaultClient_InitiateRequest;
+        ldapDefaultClient->vtable.resumeFcn =
+                pkix_pl_LdapDefaultClient_ResumeRequest;
+
+        PKIX_CHECK(pkix_pl_Socket_GetPRFileDesc
+                (socket, &fileDesc, plContext),
+                PKIX_SOCKETGETPRFILEDESCFAILED);
+
+        ldapDefaultClient->pollDesc.fd = fileDesc;
+        ldapDefaultClient->pollDesc.in_flags = 0;
+        ldapDefaultClient->pollDesc.out_flags = 0;
+
+        ldapDefaultClient->bindAPI = bindAPI;
+
+        PKIX_CHECK(PKIX_PL_HashTable_Create
+                (LDAP_CACHEBUCKETS, 0, &ht, plContext),
+                PKIX_HASHTABLECREATEFAILED);
+
+        ldapDefaultClient->cachePtr = ht;
+
+        PKIX_CHECK(pkix_pl_Socket_GetCallbackList
+                (socket, &callbackList, plContext),
+                PKIX_SOCKETGETCALLBACKLISTFAILED);
+
+        ldapDefaultClient->callbackList = callbackList;
+
+        PKIX_INCREF(socket);
+        ldapDefaultClient->clientSocket = socket;
+
+        ldapDefaultClient->messageID = 0;
+
+        ldapDefaultClient->bindAPI = bindAPI;
+
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (!arena) {
+            PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY);
+        }
+        ldapDefaultClient->arena = arena;
+
+        ldapDefaultClient->sendBuf = NULL;
+        ldapDefaultClient->bytesToWrite = 0;
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                (RCVBUFSIZE, &ldapDefaultClient->rcvBuf, plContext),
+                PKIX_MALLOCFAILED);
+        ldapDefaultClient->capacity = RCVBUFSIZE;
+
+        ldapDefaultClient->bindMsg = NULL;
+        ldapDefaultClient->bindMsgLen = 0;
+
+        ldapDefaultClient->entriesFound = NULL;
+        ldapDefaultClient->currentRequest = NULL;
+        ldapDefaultClient->currentResponse = NULL;
+
+        *pClient = ldapDefaultClient;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(ldapDefaultClient);
+        }
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_LdapDefaultClient_Create
+ * DESCRIPTION:
+ *
+ *  This function creates a new LdapDefaultClient using the PRNetAddr pointed to
+ *  by "sockaddr", the PRIntervalTime pointed to by "timeout", and the
+ *  LDAPBindAPI pointed to by "bindAPI", and stores the result at "pClient".
+ *
+ *  A value of zero for "timeout" means the LDAPClient will use non-blocking
+ *  I/O.
+ *
+ * PARAMETERS:
+ *  "sockaddr"
+ *      Address of the PRNetAddr to be used for the socket connection. Must be
+ *      non-NULL.
+ *  "timeout"
+ *      The PRIntervalTime to be used in I/O requests for this client.
+ *  "bindAPI"
+ *      The address of the LDAPBindAPI containing the Bind information to be
+ *      encoded in the Bind message.
+ *  "pClient"
+ *      The address at which the created LdapDefaultClient is to be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapDefaultClient_Create(
+        PRNetAddr *sockaddr,
+        PRIntervalTime timeout,
+        LDAPBindAPI *bindAPI,
+        PKIX_PL_LdapDefaultClient **pClient,
+        void *plContext)
+{
+        PRErrorCode status = 0;
+        PKIX_PL_Socket *socket = NULL;
+        PKIX_PL_LdapDefaultClient *client = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "PKIX_PL_LdapDefaultClient_Create");
+        PKIX_NULLCHECK_TWO(sockaddr, pClient);
+
+        PKIX_CHECK(pkix_pl_Socket_Create
+                (PKIX_FALSE, timeout, sockaddr, &status, &socket, plContext),
+                PKIX_SOCKETCREATEFAILED);
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_CreateHelper
+                (socket, bindAPI, &client, plContext),
+                PKIX_LDAPDEFAULTCLIENTCREATEHELPERFAILED);
+
+        /* Did Socket_Create say the connection was made? */
+        if (status == 0) {
+                if (client->bindAPI != NULL) {
+                        client->connectStatus = CONNECTED;
+                } else {
+                        client->connectStatus = BOUND;
+                }
+        } else {
+                client->connectStatus = CONNECT_PENDING;
+        }
+
+        *pClient = client;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(client);
+        }
+
+        PKIX_DECREF(socket);
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_LdapDefaultClient_CreateByName
+ * DESCRIPTION:
+ *
+ *  This function creates a new LdapDefaultClient using the hostname pointed to
+ *  by "hostname", the PRIntervalTime pointed to by "timeout", and the
+ *  LDAPBindAPI pointed to by "bindAPI", and stores the result at "pClient".
+ *
+ *  A value of zero for "timeout" means the LDAPClient will use non-blocking
+ *  I/O.
+ *
+ * PARAMETERS:
+ *  "hostname"
+ *      Address of the hostname to be used for the socket connection. Must be
+ *      non-NULL.
+ *  "timeout"
+ *      The PRIntervalTime to be used in I/O requests for this client.
+ *  "bindAPI"
+ *      The address of the LDAPBindAPI containing the Bind information to be
+ *      encoded in the Bind message.
+ *  "pClient"
+ *      The address at which the created LdapDefaultClient is to be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapDefaultClient_CreateByName(
+        char *hostname,
+        PRIntervalTime timeout,
+        LDAPBindAPI *bindAPI,
+        PKIX_PL_LdapDefaultClient **pClient,
+        void *plContext)
+{
+        PRErrorCode status = 0;
+        PKIX_PL_Socket *socket = NULL;
+        PKIX_PL_LdapDefaultClient *client = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "PKIX_PL_LdapDefaultClient_CreateByName");
+        PKIX_NULLCHECK_TWO(hostname, pClient);
+
+        PKIX_CHECK(pkix_pl_Socket_CreateByName
+                (PKIX_FALSE, timeout, hostname, &status, &socket, plContext),
+                PKIX_SOCKETCREATEBYNAMEFAILED);
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_CreateHelper
+                (socket, bindAPI, &client, plContext),
+                PKIX_LDAPDEFAULTCLIENTCREATEHELPERFAILED);
+
+        /* Did Socket_Create say the connection was made? */
+        if (status == 0) {
+                if (client->bindAPI != NULL) {
+                        client->connectStatus = CONNECTED;
+                } else {
+                        client->connectStatus = BOUND;
+                }
+        } else {
+                client->connectStatus = CONNECT_PENDING;
+        }
+
+        *pClient = client;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(client);
+        }
+
+        PKIX_DECREF(socket);
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_LdapDefaultClient *client = NULL;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+        SECItem *encoded = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT,
+                    "pkix_pl_LdapDefaultClient_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_LDAPDEFAULTCLIENT_TYPE, plContext),
+                    PKIX_OBJECTNOTANLDAPDEFAULTCLIENT);
+
+        client = (PKIX_PL_LdapDefaultClient *)object;
+
+        switch (client->connectStatus) {
+        case CONNECT_PENDING:
+                break;
+        case CONNECTED:
+        case BIND_PENDING:
+        case BIND_RESPONSE:
+        case BIND_RESPONSE_PENDING:
+        case BOUND:
+        case SEND_PENDING:
+        case RECV:
+        case RECV_PENDING:
+        case RECV_INITIAL:
+        case RECV_NONINITIAL:
+        case ABANDON_PENDING:
+                if (client->bindAPI != NULL) {
+                        PKIX_CHECK(pkix_pl_LdapDefaultClient_MakeUnbind
+                                (client->arena,
+                                ++(client->messageID),
+                                &encoded,
+                                plContext),
+                                PKIX_LDAPDEFAULTCLIENTMAKEUNBINDFAILED);
+
+                        callbackList =
+                                (PKIX_PL_Socket_Callback *)(client->callbackList);
+                        PKIX_CHECK(callbackList->sendCallback
+                                (client->clientSocket,
+                                encoded->data,
+                                encoded->len,
+                                &bytesWritten,
+                                plContext),
+                                PKIX_SOCKETSENDFAILED);
+                }
+                break;
+        default:
+                PKIX_ERROR(PKIX_LDAPDEFAULTCLIENTINILLEGALSTATE);
+        }
+
+        PKIX_DECREF(client->cachePtr);
+        PKIX_DECREF(client->clientSocket);
+        PKIX_DECREF(client->entriesFound);
+        PKIX_DECREF(client->currentRequest);
+        PKIX_DECREF(client->currentResponse);
+
+        PKIX_CHECK(PKIX_PL_Free
+		(client->rcvBuf, plContext), PKIX_FREEFAILED);
+
+        PKIX_PL_NSSCALL
+                (LDAPDEFAULTCLIENT,
+                PORT_FreeArena,
+                (client->arena, PR_FALSE));
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_LdapDefaultClient *ldapDefaultClient = NULL;
+        PKIX_UInt32 tempHash = 0;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_LDAPDEFAULTCLIENT_TYPE, plContext),
+                PKIX_OBJECTNOTANLDAPDEFAULTCLIENT);
+
+        ldapDefaultClient = (PKIX_PL_LdapDefaultClient *)object;
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)ldapDefaultClient->clientSocket,
+                &tempHash,
+                plContext),
+                PKIX_SOCKETHASHCODEFAILED);
+
+        if (ldapDefaultClient->bindAPI != NULL) {
+                tempHash = (tempHash << 7) +
+                        ldapDefaultClient->bindAPI->selector;
+        }
+
+        *pHashcode = tempHash;
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_LdapDefaultClient *firstClientContext = NULL;
+        PKIX_PL_LdapDefaultClient *secondClientContext = NULL;
+        PKIX_Int32 compare = 0;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        *pResult = PKIX_FALSE;
+
+        PKIX_CHECK(pkix_CheckTypes
+                (firstObject,
+                secondObject,
+                PKIX_LDAPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_OBJECTNOTANLDAPDEFAULTCLIENT);
+
+        firstClientContext = (PKIX_PL_LdapDefaultClient *)firstObject;
+        secondClientContext = (PKIX_PL_LdapDefaultClient *)secondObject;
+
+        if (firstClientContext == secondClientContext) {
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Equals
+                ((PKIX_PL_Object *)firstClientContext->clientSocket,
+                (PKIX_PL_Object *)secondClientContext->clientSocket,
+                &compare,
+                plContext),
+                PKIX_SOCKETEQUALSFAILED);
+
+        if (!compare) {
+                goto cleanup;
+        }
+
+        if (PKIX_EXACTLY_ONE_NULL
+                (firstClientContext->bindAPI, secondClientContext->bindAPI)) {
+                goto cleanup;
+        }
+
+        if (firstClientContext->bindAPI) {
+                if (firstClientContext->bindAPI->selector !=
+                    secondClientContext->bindAPI->selector) {
+                        goto cleanup;
+                }
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_PL_LDAPDEFAULTCLIENT_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_LdapDefaultClient_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_RegisterSelf");
+
+        entry.description = "LdapDefaultClient";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_LdapDefaultClient);
+        entry.destructor = pkix_pl_LdapDefaultClient_Destroy;
+        entry.equalsFunction = pkix_pl_LdapDefaultClient_Equals;
+        entry.hashcodeFunction = pkix_pl_LdapDefaultClient_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_LDAPDEFAULTCLIENT_TYPE] = entry;
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_GetPollDesc
+ * DESCRIPTION:
+ *
+ *  This function retrieves the PRPollDesc from the LdapDefaultClient
+ *  pointed to by "context" and stores the address at "pPollDesc".
+ *
+ * PARAMETERS:
+ *  "context"
+ *      The LdapDefaultClient whose PRPollDesc is desired. Must be non-NULL.
+ *  "pPollDesc"
+ *      Address where PRPollDesc will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapDefaultClient_GetPollDesc(
+        PKIX_PL_LdapDefaultClient *context,
+        PRPollDesc **pPollDesc,
+        void *plContext)
+{
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_GetPollDesc");
+        PKIX_NULLCHECK_TWO(context, pPollDesc);
+
+        *pPollDesc = &(context->pollDesc);
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/* --Private-Ldap-CertStore-I/O-Functions---------------------------- */
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_ConnectContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether a socket Connect initiated earlier for the
+ *  CertStore embodied in the LdapDefaultClient "client" has completed, and
+ *  stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_ConnectContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_PL_Socket_Callback *callbackList;
+        PRErrorCode status;
+        PKIX_Boolean keepGoing = PKIX_FALSE;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_ConnectContinue");
+        PKIX_NULLCHECK_ONE(client);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->connectcontinueCallback
+                (client->clientSocket, &status, plContext),
+                PKIX_SOCKETCONNECTCONTINUEFAILED);
+
+        if (status == 0) {
+                if (client->bindAPI != NULL) {
+                        client->connectStatus = CONNECTED;
+                } else {
+                        client->connectStatus = BOUND;
+                }
+                keepGoing = PKIX_FALSE;
+        } else if (status != PR_IN_PROGRESS_ERROR) {
+                PKIX_ERROR(PKIX_UNEXPECTEDERRORINESTABLISHINGCONNECTION);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)client, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        *pKeepGoing = keepGoing;
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Bind
+ * DESCRIPTION:
+ *
+ *  This function creates and sends the LDAP-protocol Bind message for the
+ *  CertStore embodied in the LdapDefaultClient "client", and stores in
+ *  "pKeepGoing" a flag indicating whether processing can continue without
+ *  further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Bind(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        SECItem *encoded = NULL;
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Bind");
+        PKIX_NULLCHECK_ONE(client);
+
+        /* if we have not yet constructed the BIND message, build it now */
+        if (!(client->bindMsg)) {
+                PKIX_CHECK(pkix_pl_LdapDefaultClient_MakeBind
+                        (client->arena,
+                        3,
+                        client->bindAPI,
+                        client->messageID,
+                        &encoded,
+                        plContext),
+                        PKIX_LDAPDEFAULTCLIENTMAKEBINDFAILED);
+                client->bindMsg = encoded->data;
+                client->bindMsgLen = encoded->len;
+        }
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->sendCallback
+                (client->clientSocket,
+                client->bindMsg,
+                client->bindMsgLen,
+                &bytesWritten,
+                plContext),
+                PKIX_SOCKETSENDFAILED);
+
+        client->lastIO = PR_Now();
+
+        if (bytesWritten < 0) {
+                client->connectStatus = BIND_PENDING;
+                *pKeepGoing = PKIX_FALSE;
+        } else {
+                client->connectStatus = BIND_RESPONSE;
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)client, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_BindContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the LDAP-protocol Bind message for the
+ *  CertStore embodied in the LdapDefaultClient "client" has completed, and
+ *  stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *pkix_pl_LdapDefaultClient_BindContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_BindContinue");
+        PKIX_NULLCHECK_ONE(client);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->clientSocket, &bytesWritten, NULL, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        /*
+         * If the send completed we can proceed to try for the
+         * response. If the send did not complete we will have
+         * continue to poll.
+         */
+        if (bytesWritten >= 0) {
+
+                client->connectStatus = BIND_RESPONSE;
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)client, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_BindResponse
+ * DESCRIPTION:
+ *
+ *  This function attempts to read the LDAP-protocol BindResponse message for
+ *  the CertStore embodied in the LdapDefaultClient "client", and stores in
+ *  "pKeepGoing" a flag indicating whether processing can continue without
+ *  further input.
+ *
+ *  If a BindResponse is received with a Result code of 0 (success), we
+ *  continue with the connection. If a non-zero Result code is received,
+ *  we throw an Error. Some more sophisticated handling of that condition
+ *  might be in order in the future.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_BindResponse(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_BindResponse");
+        PKIX_NULLCHECK_TWO(client, client->rcvBuf);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->recvCallback
+                (client->clientSocket,
+                client->rcvBuf,
+                client->capacity,
+                &bytesRead,
+                plContext),
+                PKIX_SOCKETRECVFAILED);
+
+        client->lastIO = PR_Now();
+
+        if (bytesRead > 0) {
+                PKIX_CHECK(pkix_pl_LdapDefaultClient_VerifyBindResponse
+                        (client, bytesRead, plContext),
+                        PKIX_LDAPDEFAULTCLIENTVERIFYBINDRESPONSEFAILED);
+                /*
+                 * XXX What should we do if failure? At present if
+                 * VerifyBindResponse throws an Error, we do too.
+                 */
+                client->connectStatus = BOUND;
+        } else {
+                client->connectStatus = BIND_RESPONSE_PENDING;
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)client, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        *pKeepGoing = PKIX_TRUE;
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_BindResponseContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the LDAP-protocol BindResponse message for
+ *  the CertStore embodied in the LdapDefaultClient "client" has completed, and
+ *  stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_BindResponseContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_BindResponseContinue");
+        PKIX_NULLCHECK_ONE(client);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->clientSocket, NULL, &bytesRead, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        if (bytesRead > 0) {
+                PKIX_CHECK(pkix_pl_LdapDefaultClient_VerifyBindResponse
+                        (client, bytesRead, plContext),
+                        PKIX_LDAPDEFAULTCLIENTVERIFYBINDRESPONSEFAILED);
+                client->connectStatus = BOUND;
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)client, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+
+                *pKeepGoing = PKIX_TRUE;
+        } else {
+                *pKeepGoing = PKIX_FALSE;
+        }
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Send
+ * DESCRIPTION:
+ *
+ *  This function creates and sends an LDAP-protocol message for the
+ *  CertStore embodied in the LdapDefaultClient "client", and stores in
+ *  "pKeepGoing" a flag indicating whether processing can continue without
+ *  further input, and at "pBytesTransferred" the number of bytes sent.
+ *
+ *  If "pBytesTransferred" is zero, it indicates that non-blocking I/O is in use
+ *  and that transmission has not completed.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "pBytesTransferred"
+ *      The address at which the number of bytes sent is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Send(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        PKIX_UInt32 *pBytesTransferred,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Send");
+        PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        /* Do we have anything waiting to go? */
+        if (client->sendBuf) {
+                callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+                PKIX_CHECK(callbackList->sendCallback
+                        (client->clientSocket,
+                        client->sendBuf,
+                        client->bytesToWrite,
+                        &bytesWritten,
+                        plContext),
+                        PKIX_SOCKETSENDFAILED);
+
+                client->lastIO = PR_Now();
+
+                /*
+                 * If the send completed we can proceed to try for the
+                 * response. If the send did not complete we will have
+                 * to poll for completion later.
+                 */
+                if (bytesWritten >= 0) {
+                        client->sendBuf = NULL;
+                        client->connectStatus = RECV;
+                        *pKeepGoing = PKIX_TRUE;
+
+                } else {
+                        *pKeepGoing = PKIX_FALSE;
+                        client->connectStatus = SEND_PENDING;
+                }
+
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)client, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+        *pBytesTransferred = bytesWritten;
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_SendContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the sending of the LDAP-protocol message
+ *  for the CertStore embodied in the LdapDefaultClient "client" has completed,
+ *  and stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input, and at "pBytesTransferred" the number of bytes sent.
+ *
+ *  If "pBytesTransferred" is zero, it indicates that non-blocking I/O is in use
+ *  and that transmission has not completed.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "pBytesTransferred"
+ *      The address at which the number of bytes sent is stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_SendContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        PKIX_UInt32 *pBytesTransferred,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_SendContinue");
+        PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
+
+        *pKeepGoing = PKIX_FALSE;
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->clientSocket, &bytesWritten, NULL, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        /*
+         * If the send completed we can proceed to try for the
+         * response. If the send did not complete we will have
+         * continue to poll.
+         */
+        if (bytesWritten >= 0) {
+                client->sendBuf = NULL;
+                client->connectStatus = RECV;
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)client, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+
+                *pKeepGoing = PKIX_TRUE;
+        }
+
+        *pBytesTransferred = bytesWritten;
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Recv
+ * DESCRIPTION:
+ *
+ *  This function receives an LDAP-protocol message for the CertStore embodied
+ *  in the LdapDefaultClient "client", and stores in "pKeepGoing" a flag
+ *  indicating whether processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Recv(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_UInt32 bytesToRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Recv");
+        PKIX_NULLCHECK_THREE(client, pKeepGoing, client->rcvBuf);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        /*
+         * If we attempt to fill our buffer with every read, we increase
+         * the risk of an ugly situation: one or two bytes of a new message
+         * left over at the end of processing one message. With such a
+         * fragment, we can't decode a byte count and so won't know how much
+         * space to allocate for the next LdapResponse. We try to avoid that
+         * case by reading just enough to complete the current message, unless
+         * there will be at least MINIMUM_MSG_LENGTH bytes left over.
+         */
+        if (client->currentResponse) {
+                PKIX_CHECK(pkix_pl_LdapResponse_GetCapacity
+                        (client->currentResponse, &bytesToRead, plContext),
+                        PKIX_LDAPRESPONSEGETCAPACITYFAILED);
+                if ((bytesToRead > client->capacity) ||
+                    ((bytesToRead + MINIMUM_MSG_LENGTH) < client->capacity)) {
+                        bytesToRead = client->capacity;
+                }
+        } else {
+                bytesToRead = client->capacity;
+        }
+
+        client->currentBytesAvailable = 0;
+
+        PKIX_CHECK(callbackList->recvCallback
+                (client->clientSocket,
+                (void *)client->rcvBuf,
+                bytesToRead,
+                &bytesRead,
+                plContext),
+                PKIX_SOCKETRECVFAILED);
+
+        client->currentInPtr = client->rcvBuf;
+        client->lastIO = PR_Now();
+
+        if (bytesRead > 0) {
+                client->currentBytesAvailable = bytesRead;
+                client->connectStatus = RECV_INITIAL;
+                *pKeepGoing = PKIX_TRUE;
+        } else {
+                client->connectStatus = RECV_PENDING;
+                *pKeepGoing = PKIX_FALSE;
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                ((PKIX_PL_Object *)client, plContext),
+                PKIX_OBJECTINVALIDATECACHEFAILED);
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_RecvContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the receiving of the LDAP-protocol message
+ *  for the CertStore embodied in the LdapDefaultClient "client" has completed,
+ *  and stores in "pKeepGoing" a flag indicating whether processing can continue
+ *  without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_RecvContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_RecvContinue");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->clientSocket, NULL, &bytesRead, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        if (bytesRead > 0) {
+                client->currentBytesAvailable += bytesRead;
+                client->connectStatus = RECV_INITIAL;
+                *pKeepGoing = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)client, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+        } else {
+                *pKeepGoing = PKIX_FALSE;
+        }
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_AbandonContinue
+ * DESCRIPTION:
+ *
+ *  This function determines whether the abandon-message request of the
+ *  LDAP-protocol message for the CertStore embodied in the LdapDefaultClient
+ *  "client" has completed, and stores in "pKeepGoing" a flag indicating whether
+ *  processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_AbandonContinue(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_AbandonContinue");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+
+        PKIX_CHECK(callbackList->pollCallback
+                (client->clientSocket, &bytesWritten, NULL, plContext),
+                PKIX_SOCKETPOLLFAILED);
+
+        if (bytesWritten > 0) {
+                client->connectStatus = BOUND;
+                *pKeepGoing = PKIX_TRUE;
+
+                PKIX_CHECK(PKIX_PL_Object_InvalidateCache
+                        ((PKIX_PL_Object *)client, plContext),
+                        PKIX_OBJECTINVALIDATECACHEFAILED);
+        } else {
+                *pKeepGoing = PKIX_FALSE;
+        }
+
+cleanup:
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_RecvInitial
+ * DESCRIPTION:
+ *
+ *  This function processes the contents of the first buffer of a received
+ *  LDAP-protocol message for the CertStore embodied in the LdapDefaultClient
+ *  "client", and stores in "pKeepGoing" a flag indicating whether processing can
+ *  continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_RecvInitial(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+        unsigned char *msgBuf = NULL;
+        unsigned char *to = NULL;
+        unsigned char *from = NULL;
+        PKIX_UInt32 dataIndex = 0;
+        PKIX_UInt32 messageIdLen = 0;
+        PKIX_UInt32 messageLength = 0;
+        PKIX_UInt32 sizeofLength = 0;
+        PKIX_UInt32 bytesProcessed = 0;
+        unsigned char messageChar = 0;
+        LDAPMessageType messageType = 0;
+        PKIX_Int32 bytesRead = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_RecvInitial");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        /*
+         * Is there an LDAPResponse in progress? I.e., have we
+         * already processed the tag and length at the beginning of
+         * the message?
+         */
+        if (client->currentResponse) {
+                client->connectStatus = RECV_NONINITIAL;
+                *pKeepGoing = PKIX_TRUE;
+                goto cleanup;
+        }
+        msgBuf = client->currentInPtr;
+
+        /* Do we have enough of the message to decode the message length? */
+        if (client->currentBytesAvailable < MINIMUM_MSG_LENGTH) {
+                /*
+                 * No! Move these few bytes to the beginning of rcvBuf
+                 * and hang another read.
+                 */
+
+                to = (unsigned char *)client->rcvBuf;
+                from = client->currentInPtr;
+                for (dataIndex = 0;
+                    dataIndex < client->currentBytesAvailable;
+                    dataIndex++) {
+                        *to++ = *from++;
+                }
+                callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+                PKIX_CHECK(callbackList->recvCallback
+                        (client->clientSocket,
+                        (void *)to,
+                        client->capacity - client->currentBytesAvailable,
+                        &bytesRead,
+                        plContext),
+                        PKIX_SOCKETRECVFAILED);
+
+                client->currentInPtr = client->rcvBuf;
+                client->lastIO = PR_Now();
+
+                if (bytesRead <= 0) {
+                        client->connectStatus = RECV_PENDING;
+                        *pKeepGoing = PKIX_FALSE;
+                        goto cleanup;
+                } else {
+                        client->currentBytesAvailable += bytesRead;
+                }
+        }
+
+        /*
+         * We have to determine whether the response is an entry, with
+         * application-specific tag LDAP_SEARCHRESPONSEENTRY_TYPE, or a
+         * resultCode, with application tag LDAP_SEARCHRESPONSERESULT_TYPE.
+         * First, we have to figure out where to look for the tag.
+         */
+
+        /* Is the message length short form (one octet) or long form? */
+        if ((msgBuf[1] & 0x80) != 0) {
+                sizeofLength = msgBuf[1] & 0x7F;
+                for (dataIndex = 0; dataIndex < sizeofLength; dataIndex++) {
+                        messageLength =
+                                (messageLength << 8) + msgBuf[dataIndex + 2];
+                }
+        } else {
+                messageLength = msgBuf[1];
+        }
+
+        /* How many bytes did the messageID require? */
+        messageIdLen = msgBuf[dataIndex + 3];
+
+        messageChar = msgBuf[dataIndex + messageIdLen + 4];
+
+        /* Are we looking at an Entry message or a ResultCode message? */
+        if ((SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION |
+            LDAP_SEARCHRESPONSEENTRY_TYPE) == messageChar) {
+
+                messageType = LDAP_SEARCHRESPONSEENTRY_TYPE;
+
+        } else if ((SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION |
+            LDAP_SEARCHRESPONSERESULT_TYPE) == messageChar) {
+
+                messageType = LDAP_SEARCHRESPONSERESULT_TYPE;
+
+        } else {
+
+                PKIX_ERROR(PKIX_SEARCHRESPONSEPACKETOFUNKNOWNTYPE);
+
+        }
+
+        /*
+         * messageLength is the length from (tag, length, value).
+         * We have to allocate space for the tag and length bits too.
+         */
+        PKIX_CHECK(pkix_pl_LdapResponse_Create
+                (messageType,
+                messageLength + dataIndex + 2,
+                client->currentBytesAvailable,
+                msgBuf,
+                &bytesProcessed,
+                &(client->currentResponse),
+                plContext),
+                PKIX_LDAPRESPONSECREATEFAILED);
+
+        client->currentBytesAvailable -= bytesProcessed;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_RecvCheckComplete
+                (client, bytesProcessed, pKeepGoing, plContext),
+                PKIX_LDAPDEFAULTCLIENTRECVCHECKCOMPLETEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_RecvNonInitial
+ * DESCRIPTION:
+ *
+ *  This function processes the contents of buffers, after the first, of a
+ *  received LDAP-protocol message for the CertStore embodied in the
+ *  LdapDefaultClient "client", and stores in "pKeepGoing" a flag indicating
+ *  whether processing can continue without further input.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pKeepGoing"
+ *      The address at which the Boolean state machine flag is stored to
+ *      indicate whether processing can continue without further input.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_RecvNonInitial(
+        PKIX_PL_LdapDefaultClient *client,
+        PKIX_Boolean *pKeepGoing,
+        void *plContext)
+{
+
+        PKIX_UInt32 bytesProcessed = 0;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_RecvNonInitial");
+        PKIX_NULLCHECK_TWO(client, pKeepGoing);
+
+        PKIX_CHECK(pkix_pl_LdapResponse_Append
+                (client->currentResponse,
+                client->currentBytesAvailable,
+                client->currentInPtr,
+                &bytesProcessed,
+                plContext),
+                PKIX_LDAPRESPONSEAPPENDFAILED);
+
+        client->currentBytesAvailable -= bytesProcessed;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_RecvCheckComplete
+                (client, bytesProcessed, pKeepGoing, plContext),
+                PKIX_LDAPDEFAULTCLIENTRECVCHECKCOMPLETEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_Dispatch
+ * DESCRIPTION:
+ *
+ *  This function is the state machine dispatcher for the CertStore embodied in
+ *  the LdapDefaultClient pointed to by "client". Results are returned by
+ *  changes to various fields in the context.
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_Dispatch(
+        PKIX_PL_LdapDefaultClient *client,
+        void *plContext)
+{
+        PKIX_UInt32 bytesTransferred = 0;
+        PKIX_Boolean keepGoing = PKIX_TRUE;
+
+        PKIX_ENTER(LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_Dispatch");
+        PKIX_NULLCHECK_ONE(client);
+
+        while (keepGoing) {
+                switch (client->connectStatus) {
+                case CONNECT_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_ConnectContinue
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTCONNECTCONTINUEFAILED);
+                        break;
+                case CONNECTED:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_Bind
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTBINDFAILED);
+                        break;
+                case BIND_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_BindContinue
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTBINDCONTINUEFAILED);
+                        break;
+                case BIND_RESPONSE:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_BindResponse
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTBINDRESPONSEFAILED);
+                        break;
+                case BIND_RESPONSE_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_BindResponseContinue
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTBINDRESPONSECONTINUEFAILED);
+                        break;
+                case BOUND:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_Send
+                                (client, &keepGoing, &bytesTransferred, plContext),
+                                PKIX_LDAPDEFAULTCLIENTSENDFAILED);
+                        break;
+                case SEND_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_SendContinue
+                                (client, &keepGoing, &bytesTransferred, plContext),
+                                PKIX_LDAPDEFAULTCLIENTSENDCONTINUEFAILED);
+                        break;
+                case RECV:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_Recv
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTRECVFAILED);
+                        break;
+                case RECV_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_RecvContinue
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTRECVCONTINUEFAILED);
+                        break;
+                case RECV_INITIAL:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_RecvInitial
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTRECVINITIALFAILED);
+                        break;
+                case RECV_NONINITIAL:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_RecvNonInitial
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTRECVNONINITIALFAILED);
+                        break;
+                case ABANDON_PENDING:
+                        PKIX_CHECK
+                                (pkix_pl_LdapDefaultClient_AbandonContinue
+                                (client, &keepGoing, plContext),
+                                PKIX_LDAPDEFAULTCLIENTABANDONCONTINUEFAILED);
+                        break;
+                default:
+                        PKIX_ERROR(PKIX_LDAPCERTSTOREINILLEGALSTATE);
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_MakeAndFilter
+ * DESCRIPTION:
+ *
+ *  This function allocates space from the arena pointed to by "arena" to
+ *  construct a filter that will match components of the X500Name pointed to by
+ *  XXX...
+ *
+ * PARAMETERS:
+ *  "arena"
+ *      The address of the PRArenaPool used in creating the filter. Must be
+ *       non-NULL.
+ *  "nameComponent"
+ *      The address of a NULL-terminated list of LDAPNameComponents
+ *      Must be non-NULL.
+ *  "pFilter"
+ *      The address at which the result is stored.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_MakeAndFilter(
+        PRArenaPool *arena,
+        LDAPNameComponent **nameComponents,
+        LDAPFilter **pFilter,
+        void *plContext)
+{
+        LDAPFilter **setOfFilter;
+        LDAPFilter *andFilter = NULL;
+        LDAPFilter *currentFilter = NULL;
+        PKIX_UInt32 componentsPresent = 0;
+        void *v = NULL;
+        unsigned char *component = NULL;
+        LDAPNameComponent **componentP = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapDefaultClient_MakeAndFilter");
+        PKIX_NULLCHECK_THREE(arena, nameComponents, pFilter);
+
+        /* count how many components we were provided */
+        for (componentP = nameComponents, componentsPresent = 0;
+                *(componentP++) != NULL;
+                componentsPresent++) {}
+
+        /* Space for (componentsPresent + 1) pointers to LDAPFilter */
+        PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZAlloc,
+                (arena, (componentsPresent + 1)*sizeof(LDAPFilter *)));
+        setOfFilter = (LDAPFilter **)v;
+
+        /* Space for AndFilter and <componentsPresent> EqualFilters */
+        PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZNewArray,
+                (arena, LDAPFilter, componentsPresent + 1));
+        setOfFilter[0] = (LDAPFilter *)v;
+
+        /* Claim the first array element for the ANDFilter */
+        andFilter = setOfFilter[0];
+
+        /* Set ANDFilter to point to the first EqualFilter pointer */
+        andFilter->selector = LDAP_ANDFILTER_TYPE;
+        andFilter->filter.andFilter.filters = setOfFilter;
+
+        currentFilter = andFilter + 1;
+
+        for (componentP = nameComponents, componentsPresent = 0;
+                *(componentP) != NULL; componentP++) {
+                setOfFilter[componentsPresent++] = currentFilter;
+                currentFilter->selector = LDAP_EQUALFILTER_TYPE;
+                component = (*componentP)->attrType;
+                currentFilter->filter.equalFilter.attrType.data = component;
+                currentFilter->filter.equalFilter.attrType.len = 
+                        PL_strlen((const char *)component);
+                component = (*componentP)->attrValue;
+                currentFilter->filter.equalFilter.attrValue.data = component;
+                currentFilter->filter.equalFilter.attrValue.len =
+                        PL_strlen((const char *)component);
+                currentFilter++;
+        }
+
+        setOfFilter[componentsPresent] = NULL;
+
+        *pFilter = andFilter;
+
+        PKIX_RETURN(CERTSTORE);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_InitiateRequest
+ * DESCRIPTION:
+ *
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "requestParams"
+ *      The address of an LdapClientParams object. Must be non-NULL.
+ *  "pPollDesc"
+ *      The location where the address of the PRPollDesc is stored, if the
+ *      client returns with I/O pending.
+ *  "pResponse"
+ *      The address where the List of LDAPResponses, or NULL for an
+ *      unfinished request, is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_InitiateRequest(
+        PKIX_PL_LdapClient *genericClient,
+        LDAPRequestParams *requestParams,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext)
+{
+        PKIX_List *searchResponseList = NULL;
+        SECItem *encoded = NULL;
+        LDAPFilter *filter = NULL;
+        PKIX_PL_LdapDefaultClient *client = 0;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT,
+                "pkix_pl_LdapDefaultClient_InitiateRequest");
+        PKIX_NULLCHECK_FOUR(genericClient, requestParams, pPollDesc, pResponse);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)genericClient,
+                PKIX_LDAPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_GENERICCLIENTNOTANLDAPDEFAULTCLIENT);
+
+        client = (PKIX_PL_LdapDefaultClient *)genericClient;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_MakeAndFilter
+                (client->arena, requestParams->nc, &filter, plContext),
+                PKIX_LDAPDEFAULTCLIENTMAKEANDFILTERFAILED);
+
+        PKIX_CHECK(pkix_pl_LdapRequest_Create
+                (client->arena,
+                client->messageID++,
+                requestParams->baseObject,
+                requestParams->scope,
+                requestParams->derefAliases,
+                requestParams->sizeLimit,
+                requestParams->timeLimit,
+                PKIX_FALSE,    /* attrs only */
+                filter,
+                requestParams->attributes,
+                &client->currentRequest,
+                plContext),
+                PKIX_LDAPREQUESTCREATEFAILED);
+
+        /* check hashtable for matching request */
+        PKIX_CHECK(PKIX_PL_HashTable_Lookup
+                (client->cachePtr,
+                (PKIX_PL_Object *)(client->currentRequest),
+                (PKIX_PL_Object **)&searchResponseList,
+                plContext),
+                PKIX_HASHTABLELOOKUPFAILED);
+
+        if (searchResponseList != NULL) {
+                *pPollDesc = NULL;
+                *pResponse = searchResponseList;
+                PKIX_DECREF(client->currentRequest);
+                goto cleanup;
+        }
+
+        /* It wasn't cached. We'll have to actually send it. */
+
+        PKIX_CHECK(pkix_pl_LdapRequest_GetEncoded
+                (client->currentRequest, &encoded, plContext),
+                PKIX_LDAPREQUESTGETENCODEDFAILED);
+
+        client->sendBuf = encoded->data;
+        client->bytesToWrite = encoded->len;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_Dispatch(client, plContext),
+                PKIX_LDAPDEFAULTCLIENTDISPATCHFAILED);
+
+        /*
+         * It's not enough that we may be done with a particular read.
+         * We're still processing the transaction until we've gotten the
+         * SearchResponseResult message and returned to the BOUND state.
+         * Otherwise we must still have a read pending, and must hold off
+         * on returning results.
+         */
+        if ((client->connectStatus == BOUND) &&
+	    (client->entriesFound != NULL)) {
+                *pPollDesc = NULL;
+                *pResponse = client->entriesFound;
+                client->entriesFound = NULL;
+                PKIX_DECREF(client->currentRequest);
+        } else {
+                *pPollDesc = &client->pollDesc;
+                *pResponse = NULL;
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapDefaultClient_ResumeRequest
+ * DESCRIPTION:
+ *
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The address of the LdapDefaultClient object. Must be non-NULL.
+ *  "pPollDesc"
+ *      The location where the address of the PRPollDesc is stored, if the
+ *      client returns with I/O pending.
+ *  "pResponse"
+ *      The address where the List of LDAPResponses, or NULL for an
+ *      unfinished request, is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a LdapDefaultClient Error if the function fails in a
+ *      non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapDefaultClient_ResumeRequest(
+        PKIX_PL_LdapClient *genericClient,
+        void **pPollDesc,
+        PKIX_List **pResponse,
+        void *plContext)
+{
+        PKIX_PL_LdapDefaultClient *client = 0;
+
+        PKIX_ENTER
+                (LDAPDEFAULTCLIENT, "pkix_pl_LdapDefaultClient_ResumeRequest");
+        PKIX_NULLCHECK_THREE(genericClient, pPollDesc, pResponse);
+
+        PKIX_CHECK(pkix_CheckType
+                ((PKIX_PL_Object *)genericClient,
+                PKIX_LDAPDEFAULTCLIENT_TYPE,
+                plContext),
+                PKIX_GENERICCLIENTNOTANLDAPDEFAULTCLIENT);
+
+        client = (PKIX_PL_LdapDefaultClient *)genericClient;
+
+        PKIX_CHECK(pkix_pl_LdapDefaultClient_Dispatch(client, plContext),
+                PKIX_LDAPDEFAULTCLIENTDISPATCHFAILED);
+
+        /*
+         * It's not enough that we may be done with a particular read.
+         * We're still processing the transaction until we've gotten the
+         * SearchResponseResult message and returned to the BOUND state.
+         * Otherwise we must still have a read pending, and must hold off
+         * on returning results.
+         */
+        if ((client->connectStatus == BOUND) &&
+	    (client->entriesFound != NULL)) {
+                *pPollDesc = NULL;
+                *pResponse = client->entriesFound;
+                client->entriesFound = NULL;
+                PKIX_DECREF(client->currentRequest);
+        } else {
+                *pPollDesc = &client->pollDesc;
+                *pResponse = NULL;
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPDEFAULTCLIENT);
+
+}
+
+/* --Public-LdapDefaultClient-Functions----------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_LdapDefaultClient_AbandonRequest
+ * DESCRIPTION:
+ *
+ *  This function creates and sends an LDAP-protocol "Abandon" message to the 
+ *  server connected to the LdapDefaultClient pointed to by "client".
+ *
+ * PARAMETERS:
+ *  "client"
+ *      The LdapDefaultClient whose connection is to be abandoned. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_LdapDefaultClient_AbandonRequest(
+        PKIX_PL_LdapDefaultClient *client,
+        void *plContext)
+{
+        PKIX_Int32 bytesWritten = 0;
+        PKIX_PL_Socket_Callback *callbackList = NULL;
+        SECItem *encoded = NULL;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_PL_LdapDefaultClient_AbandonRequest");
+        PKIX_NULLCHECK_ONE(client);
+
+        if (client->connectStatus == RECV_PENDING) {
+                PKIX_CHECK(pkix_pl_LdapDefaultClient_MakeAbandon
+                        (client->arena,
+                        (client->messageID) - 1,
+                        &encoded,
+                        plContext),
+                        PKIX_LDAPDEFAULTCLIENTMAKEABANDONFAILED);
+
+                callbackList = (PKIX_PL_Socket_Callback *)(client->callbackList);
+                PKIX_CHECK(callbackList->sendCallback
+                        (client->clientSocket,
+                        encoded->data,
+                        encoded->len,
+                        &bytesWritten,
+                        plContext),
+                        PKIX_SOCKETSENDFAILED);
+
+                if (bytesWritten < 0) {
+                        client->connectStatus = ABANDON_PENDING;
+                } else {
+                        client->connectStatus = BOUND;
+                }
+        }
+
+        PKIX_DECREF(client->entriesFound);
+        PKIX_DECREF(client->currentRequest);
+        PKIX_DECREF(client->currentResponse);
+
+cleanup:
+
+        PKIX_DECREF(client);
+
+        PKIX_RETURN(CERTSTORE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.h
new file mode 100644
index 000000000..9bc24188e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.h
@@ -0,0 +1,115 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapdefaultclient.h
+ *
+ * LDAPDefaultClient Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_LDAPDEFAULTCLIENT_H
+#define _PKIX_PL_LDAPDEFAULTCLIENT_H
+
+#include "pkix_pl_ldapt.h"
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * At the time of this version, there are unresolved questions about the LDAP
+ * protocol. Although RFC1777 describes a BIND and UNBIND message, it is not
+ * clear whether they are appropriate to this application. We have tested only
+ * using servers that do not expect authentication, and that reject BIND
+ * messages. It is not clear what values might be appropriate for the bindname
+ * and authentication fields, which are currently implemented as char strings
+ * supplied by the caller. (If this changes, the API and possibly the templates
+ * will have to change.) Therefore the LDAPClient_Create API contains a
+ * BindAPI structure, a union, which will have to be revised and extended when
+ * this area of the protocol is better understood.
+ *
+ */
+
+typedef enum {
+        CONNECT_PENDING,
+        CONNECTED,
+        BIND_PENDING,
+        BIND_RESPONSE,
+        BIND_RESPONSE_PENDING,
+        BOUND,
+        SEND_PENDING,
+        RECV,
+        RECV_PENDING,
+        RECV_INITIAL,
+        RECV_NONINITIAL,
+        ABANDON_PENDING
+} LdapClientConnectStatus;
+
+struct PKIX_PL_LdapDefaultClientStruct {
+        PKIX_PL_LdapClient vtable;
+        LdapClientConnectStatus connectStatus;
+        PKIX_UInt32 messageID;
+        PKIX_PL_HashTable *cachePtr;
+        PKIX_PL_Socket *clientSocket;
+        PRPollDesc pollDesc;
+        void *callbackList; /* cast this to (PKIX_PL_Socket_Callback *) */
+        LDAPBindAPI *bindAPI;
+        PRArenaPool *arena;
+        PRTime lastIO;
+        void *sendBuf;
+        PKIX_UInt32 bytesToWrite;
+        void *rcvBuf;
+        PKIX_UInt32 capacity;
+        void *currentInPtr;
+        PKIX_UInt32 currentBytesAvailable;
+        void *bindMsg;
+        PKIX_UInt32 bindMsgLen;
+        PKIX_List *entriesFound;
+        PKIX_PL_LdapRequest *currentRequest;
+        PKIX_PL_LdapResponse *currentResponse;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_LdapDefaultClient_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_LDAPDEFAULTCLIENT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c
new file mode 100644
index 000000000..b728f3c14
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c
@@ -0,0 +1,794 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldaprequest.c
+ *
+ */
+
+#include "pkix_pl_ldaprequest.h"
+
+/* --Private-LdapRequest-Functions------------------------------------- */
+
+/* Note: lengths do not include the NULL terminator */
+static const char caAttr[] = "caCertificate;binary";
+static unsigned int caAttrLen = sizeof(caAttr) - 1;
+static const char uAttr[] = "userCertificate;binary";
+static unsigned int uAttrLen = sizeof(uAttr) - 1;
+static const char ccpAttr[] = "crossCertificatePair;binary";
+static unsigned int ccpAttrLen = sizeof(ccpAttr) - 1;
+static const char crlAttr[] = "certificateRevocationList;binary";
+static unsigned int crlAttrLen = sizeof(crlAttr) - 1;
+static const char arlAttr[] = "authorityRevocationList;binary";
+static unsigned int arlAttrLen = sizeof(arlAttr) - 1;
+
+/*
+ * XXX If this function were moved into pkix_pl_ldapcertstore.c then all of
+ * LdapRequest and LdapResponse could be considered part of the LDAP client.
+ * But the constants, above, would have to be copied as well, and they are
+ * also needed in pkix_pl_LdapRequest_EncodeAttrs. So there would have to be
+ * two copies.
+ */
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_AttrTypeToBit
+ * DESCRIPTION:
+ *
+ *  This function creates an attribute mask bit corresponding to the SECItem
+ *  pointed to by "attrType", storing the result at "pAttrBit". The comparison
+ *  is case-insensitive. If "attrType" does not match any of the known types,
+ *  zero is stored at "pAttrBit".
+ *
+ * PARAMETERS
+ *  "attrType"
+ *      The address of the SECItem whose string contents are to be compared to
+ *      the various known attribute types. Must be non-NULL.
+ *  "pAttrBit"
+ *      The address where the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapRequest_AttrTypeToBit(
+        SECItem *attrType,
+        LdapAttrMask *pAttrBit,
+        void *plContext)
+{
+        LdapAttrMask attrBit = 0;
+        unsigned int attrLen = 0;
+        const char *s = NULL;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_AttrTypeToBit");
+        PKIX_NULLCHECK_TWO(attrType, pAttrBit);
+
+        s = (const char *)attrType->data;
+        attrLen = attrType->len;
+
+        /*
+         * Taking note of the fact that all of the comparand strings are
+         * different lengths, we do a slight optimization. If a string
+         * length matches but the string does not match, we skip comparing
+         * to the other strings. If new strings are added to the comparand
+         * list, and any are of equal length, be careful to change the
+         * grouping of tests accordingly.
+         */
+        if (attrLen == caAttrLen) {
+                if (PORT_Strncasecmp(caAttr, s, attrLen) == 0) {
+                        attrBit = LDAPATTR_CACERT;
+                }
+        } else if (attrLen == uAttrLen) {
+                if (PORT_Strncasecmp(uAttr, s, attrLen) == 0) {
+                        attrBit = LDAPATTR_USERCERT;
+                }
+        } else if (attrLen == ccpAttrLen) {
+                if (PORT_Strncasecmp(ccpAttr, s, attrLen) == 0) {
+                        attrBit = LDAPATTR_CROSSPAIRCERT;
+                }
+        } else if (attrLen == crlAttrLen) {
+                if (PORT_Strncasecmp(crlAttr, s, attrLen) == 0) {
+                        attrBit = LDAPATTR_CERTREVLIST;
+                }
+        } else if (attrLen == arlAttrLen) {
+                if (PORT_Strncasecmp(arlAttr, s, attrLen) == 0) {
+                        attrBit = LDAPATTR_AUTHREVLIST;
+                }
+        }
+
+        *pAttrBit = attrBit;
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_AttrStringToBit
+ * DESCRIPTION:
+ *
+ *  This function creates an attribute mask bit corresponding to the null-
+ *  terminated string pointed to by "attrString", storing the result at
+ *  "pAttrBit". The comparison is case-insensitive. If "attrString" does not
+ *  match any of the known types, zero is stored at "pAttrBit".
+ *
+ * PARAMETERS
+ *  "attrString"
+ *      The address of the null-terminated string whose contents are to be compared to
+ *      the various known attribute types. Must be non-NULL.
+ *  "pAttrBit"
+ *      The address where the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapRequest_AttrStringToBit(
+        char *attrString,
+        LdapAttrMask *pAttrBit,
+        void *plContext)
+{
+        LdapAttrMask attrBit = 0;
+        unsigned int attrLen = 0;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_AttrStringToBit");
+        PKIX_NULLCHECK_TWO(attrString, pAttrBit);
+
+        attrLen = PL_strlen(attrString);
+
+        /*
+         * Taking note of the fact that all of the comparand strings are
+         * different lengths, we do a slight optimization. If a string
+         * length matches but the string does not match, we skip comparing
+         * to the other strings. If new strings are added to the comparand
+         * list, and any are of equal length, be careful to change the
+         * grouping of tests accordingly.
+         */
+        if (attrLen == caAttrLen) {
+                if (PORT_Strncasecmp(caAttr, attrString, attrLen) == 0) {
+                        attrBit = LDAPATTR_CACERT;
+                }
+        } else if (attrLen == uAttrLen) {
+                if (PORT_Strncasecmp(uAttr, attrString, attrLen) == 0) {
+                        attrBit = LDAPATTR_USERCERT;
+                }
+        } else if (attrLen == ccpAttrLen) {
+                if (PORT_Strncasecmp(ccpAttr, attrString, attrLen) == 0) {
+                        attrBit = LDAPATTR_CROSSPAIRCERT;
+                }
+        } else if (attrLen == crlAttrLen) {
+                if (PORT_Strncasecmp(crlAttr, attrString, attrLen) == 0) {
+                        attrBit = LDAPATTR_CERTREVLIST;
+                }
+        } else if (attrLen == arlAttrLen) {
+                if (PORT_Strncasecmp(arlAttr, attrString, attrLen) == 0) {
+                        attrBit = LDAPATTR_AUTHREVLIST;
+                }
+        }
+
+        *pAttrBit = attrBit;
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_EncodeAttrs
+ * DESCRIPTION:
+ *
+ *  This function obtains the attribute mask bits from the LdapRequest pointed
+ *  to by "request", creates the corresponding array of AttributeTypes for the
+ *  encoding of the SearchRequest message.
+ *
+ * PARAMETERS
+ *  "request"
+ *      The address of the LdapRequest whose attributes are to be encoded. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_LdapRequest_EncodeAttrs(
+        PKIX_PL_LdapRequest *request,
+        void *plContext)
+{
+        SECItem **attrArray = NULL;
+        PKIX_UInt32 attrIndex = 0;
+        LdapAttrMask attrBits;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_EncodeAttrs");
+        PKIX_NULLCHECK_ONE(request);
+
+        /* construct "attrs" according to bits in request->attrBits */
+        attrBits = request->attrBits;
+        attrArray = request->attrArray;
+        if ((attrBits & LDAPATTR_CACERT) == LDAPATTR_CACERT) {
+                attrArray[attrIndex] = &(request->attributes[attrIndex]);
+                request->attributes[attrIndex].type = siAsciiString;
+                request->attributes[attrIndex].data = (unsigned char *)caAttr;
+                request->attributes[attrIndex].len = caAttrLen;
+                attrIndex++;
+        }
+        if ((attrBits & LDAPATTR_USERCERT) == LDAPATTR_USERCERT) {
+                attrArray[attrIndex] = &(request->attributes[attrIndex]);
+                request->attributes[attrIndex].type = siAsciiString;
+                request->attributes[attrIndex].data = (unsigned char *)uAttr;
+                request->attributes[attrIndex].len = uAttrLen;
+                attrIndex++;
+        }
+        if ((attrBits & LDAPATTR_CROSSPAIRCERT) == LDAPATTR_CROSSPAIRCERT) {
+                attrArray[attrIndex] = &(request->attributes[attrIndex]);
+                request->attributes[attrIndex].type = siAsciiString;
+                request->attributes[attrIndex].data = (unsigned char *)ccpAttr;
+                request->attributes[attrIndex].len = ccpAttrLen;
+                attrIndex++;
+        }
+        if ((attrBits & LDAPATTR_CERTREVLIST) == LDAPATTR_CERTREVLIST) {
+                attrArray[attrIndex] = &(request->attributes[attrIndex]);
+                request->attributes[attrIndex].type = siAsciiString;
+                request->attributes[attrIndex].data = (unsigned char *)crlAttr;
+                request->attributes[attrIndex].len = crlAttrLen;
+                attrIndex++;
+        }
+        if ((attrBits & LDAPATTR_AUTHREVLIST) == LDAPATTR_AUTHREVLIST) {
+                attrArray[attrIndex] = &(request->attributes[attrIndex]);
+                request->attributes[attrIndex].type = siAsciiString;
+                request->attributes[attrIndex].data = (unsigned char *)arlAttr;
+                request->attributes[attrIndex].len = arlAttrLen;
+                attrIndex++;
+        }
+        attrArray[attrIndex] = (SECItem *)NULL;
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapRequest_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_LdapRequest *ldapRq = NULL;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LDAPREQUEST_TYPE, plContext),
+                    PKIX_OBJECTNOTLDAPREQUEST);
+
+        ldapRq = (PKIX_PL_LdapRequest *)object;
+
+        /*
+         * All dynamic fields in an LDAPRequest are allocated
+         * in an arena, and will be freed when the arena is destroyed.
+         */
+
+cleanup:
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapRequest_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 dataLen = 0;
+        PKIX_UInt32 dindex = 0;
+        PKIX_UInt32 sizeOfLength = 0;
+        PKIX_UInt32 idLen = 0;
+        const unsigned char *msgBuf = NULL;
+        PKIX_PL_LdapRequest *ldapRq = NULL;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LDAPREQUEST_TYPE, plContext),
+                    PKIX_OBJECTNOTLDAPREQUEST);
+
+        ldapRq = (PKIX_PL_LdapRequest *)object;
+
+        *pHashcode = 0;
+
+        /*
+         * Two requests that differ only in msgnum are a match! Therefore,
+         * start hashcoding beyond the encoded messageID field.
+         */
+        if (ldapRq->encoded) {
+                msgBuf = (const unsigned char *)ldapRq->encoded->data;
+                /* Is message length short form (one octet) or long form? */
+                if ((msgBuf[1] & 0x80) != 0) {
+                        sizeOfLength = msgBuf[1] & 0x7F;
+                        for (dindex = 0; dindex < sizeOfLength; dindex++) {
+                                dataLen = (dataLen << 8) + msgBuf[dindex + 2];
+                        }
+                } else {
+                        dataLen = msgBuf[1];
+                }
+
+                /* How many bytes for the messageID? (Assume short form) */
+                idLen = msgBuf[dindex + 3] + 2;
+                dindex += idLen;
+                dataLen -= idLen;
+                msgBuf = &msgBuf[dindex + 2];
+
+                PKIX_CHECK(pkix_hash(msgBuf, dataLen, pHashcode, plContext),
+                        PKIX_HASHFAILED);
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPREQUEST);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapRequest_Equals(
+        PKIX_PL_Object *firstObj,
+        PKIX_PL_Object *secondObj,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_LdapRequest *firstReq = NULL;
+        PKIX_PL_LdapRequest *secondReq = NULL;
+        PKIX_UInt32 secondType = 0;
+        PKIX_UInt32 firstLen = 0;
+        const unsigned char *firstData = NULL;
+        const unsigned char *secondData = NULL;
+        PKIX_UInt32 sizeOfLength = 0;
+        PKIX_UInt32 dindex = 0;
+        PKIX_UInt32 i = 0;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_Equals");
+        PKIX_NULLCHECK_THREE(firstObj, secondObj, pResult);
+
+        /* test that firstObj is a LdapRequest */
+        PKIX_CHECK(pkix_CheckType(firstObj, PKIX_LDAPREQUEST_TYPE, plContext),
+                    PKIX_FIRSTOBJARGUMENTNOTLDAPREQUEST);
+
+        /*
+         * Since we know firstObj is a LdapRequest, if both references are
+         * identical, they must be equal
+         */
+        if (firstObj == secondObj){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObj isn't a LdapRequest, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObj, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_LDAPREQUEST_TYPE) {
+                goto cleanup;
+        }
+
+        firstReq = (PKIX_PL_LdapRequest *)firstObj;
+        secondReq = (PKIX_PL_LdapRequest *)secondObj;
+
+        /* If either lacks an encoded string, they cannot be compared */
+        if (!(firstReq->encoded) || !(secondReq->encoded)) {
+                goto cleanup;
+        }
+
+        if (firstReq->encoded->len != secondReq->encoded->len) {
+                goto cleanup;
+        }
+
+        firstData = (const unsigned char *)firstReq->encoded->data;
+        secondData = (const unsigned char *)secondReq->encoded->data;
+
+        /*
+         * Two requests that differ only in msgnum are equal! Therefore,
+         * start the byte comparison beyond the encoded messageID field.
+         */
+
+        /* Is message length short form (one octet) or long form? */
+        if ((firstData[1] & 0x80) != 0) {
+                sizeOfLength = firstData[1] & 0x7F;
+                for (dindex = 0; dindex < sizeOfLength; dindex++) {
+                        firstLen = (firstLen << 8) + firstData[dindex + 2];
+                }
+        } else {
+                firstLen = firstData[1];
+        }
+
+        /* How many bytes for the messageID? (Assume short form) */
+        i = firstData[dindex + 3] + 2;
+        dindex += i;
+        firstLen -= i;
+        firstData = &firstData[dindex + 2];
+
+        /*
+         * In theory, we have to calculate where the second message data
+         * begins by checking its length encodings. But if these messages
+         * are equal, we can re-use the calculation we already did. If they
+         * are not equal, the byte comparisons will surely fail.
+         */
+
+        secondData = &secondData[dindex + 2];
+        
+        for (i = 0; i < firstLen; i++) {
+                if (firstData[i] != secondData[i]) {
+                        goto cleanup;
+                }
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_LDAPREQUEST_TYPE and its related functions with
+ *  systemClasses[]
+ * PARAMETERS:
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_LdapRequest_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_RegisterSelf");
+
+        entry.description = "LdapRequest";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_LdapRequest);
+        entry.destructor = pkix_pl_LdapRequest_Destroy;
+        entry.equalsFunction = pkix_pl_LdapRequest_Equals;
+        entry.hashcodeFunction = pkix_pl_LdapRequest_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_LDAPREQUEST_TYPE] = entry;
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an LdapRequest using the PRArenaPool pointed to by
+ *  "arena", a message number whose value is "msgnum", a base object pointed to
+ *  by "issuerDN", a scope whose value is "scope", a derefAliases flag whose
+ *  value is "derefAliases", a sizeLimit whose value is "sizeLimit", a timeLimit
+ *  whose value is "timeLimit", an attrsOnly flag whose value is "attrsOnly", a
+ *  filter whose value is "filter", and attribute bits whose value is
+ *  "attrBits"; storing the result at "pRequestMsg".
+ *
+ *  See pkix_pl_ldaptemplates.c (and below) for the ASN.1 representation of
+ *  message components, and see pkix_pl_ldapt.h for data types.
+ *
+ * PARAMETERS
+ *  "arena"
+ *      The address of the PRArenaPool to be used in the encoding. Must be
+ *      non-NULL.
+ *  "msgnum"
+ *      The UInt32 message number to be used for the messageID component of the
+ *      LDAP message exchange.
+ *  "issuerDN"
+ *      The address of the string to be used for the baseObject component of the
+ *      LDAP SearchRequest message. Must be non-NULL.
+ *  "scope"
+ *      The (enumerated) ScopeType to be used for the scope component of the
+ *      LDAP SearchRequest message
+ *  "derefAliases"
+ *      The (enumerated) DerefType to be used for the derefAliases component of
+ *      the LDAP SearchRequest message
+ *  "sizeLimit"
+ *      The UInt32 value to be used for the sizeLimit component of the LDAP
+ *      SearchRequest message
+ *  "timeLimit"
+ *      The UInt32 value to be used for the timeLimit component of the LDAP
+ *      SearchRequest message
+ *  "attrsOnly"
+ *      The Boolean value to be used for the attrsOnly component of the LDAP
+ *      SearchRequest message
+ *  "filter"
+ *      The filter to be used for the filter component of the LDAP
+ *      SearchRequest message
+ *  "attrBits"
+ *      The LdapAttrMask bits indicating the attributes to be included in the
+ *      attributes sequence of the LDAP SearchRequest message
+ *  "pRequestMsg"
+ *      The address at which the address of the LdapRequest is stored. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+/*
+ * SearchRequest ::=
+ *      [APPLICATION 3] SEQUENCE {
+ *              baseObject      LDAPDN,
+ *              scope           ENUMERATED {
+ *                                      baseObject              (0),
+ *                                      singleLevel             (1),
+ *                                      wholeSubtree            (2)
+ *                              },
+ *              derefAliases    ENUMERATED {
+ *                                      neverDerefAliases       (0),
+ *                                      derefInSearching        (1),
+ *                                      derefFindingBaseObj     (2),
+ *                                      alwaysDerefAliases      (3)
+ *                              },
+ *              sizeLimit       INTEGER (0 .. MAXINT),
+ *                              -- value of 0 implies no sizeLimit
+ *              timeLimit       INTEGER (0 .. MAXINT),
+ *                              -- value of 0 implies no timeLimit
+ *              attrsOnly       BOOLEAN,
+ *                              -- TRUE, if only attributes (without values)
+ *                              -- to be returned
+ *              filter          Filter,
+ *              attributes      SEQUENCE OF AttributeType
+ *      }
+ *
+ * Filter ::=
+ *      CHOICE {
+ *              and             [0] SET OF Filter,
+ *              or              [1] SET OF Filter,
+ *              not             [2] Filter,
+ *              equalityMatch   [3] AttributeValueAssertion,
+ *              substrings      [4] SubstringFilter,
+ *              greaterOrEqual  [5] AttributeValueAssertion,
+ *              lessOrEqual     [6] AttributeValueAssertion,
+ *              present         [7] AttributeType,
+ *              approxMatch     [8] AttributeValueAssertion
+ *      }
+ *
+ * SubstringFilter ::=
+ *      SEQUENCE {
+ *              type            AttributeType,
+ *              SEQUENCE OF CHOICE {
+ *                      initial [0] LDAPString,
+ *                      any     [1] LDAPString,
+ *                      final   [2] LDAPString,
+ *              }
+ *      }
+ *
+ * AttributeValueAssertion ::=
+ *      SEQUENCE {
+ *              attributeType   AttributeType,
+ *              attributeValue  AttributeValue,
+ *      }
+ *
+ * AttributeValue ::= OCTET STRING
+ *
+ * AttributeType ::= LDAPString
+ *               -- text name of the attribute, or dotted
+ *               -- OID representation
+ *
+ * LDAPDN ::= LDAPString
+ *
+ * LDAPString ::= OCTET STRING
+ *
+ */
+PKIX_Error *
+pkix_pl_LdapRequest_Create(
+        PRArenaPool *arena,
+        PKIX_UInt32 msgnum,
+        char *issuerDN,
+        ScopeType scope,
+        DerefType derefAliases,
+        PKIX_UInt32 sizeLimit,
+        PKIX_UInt32 timeLimit,
+        char attrsOnly,
+        LDAPFilter *filter,
+        LdapAttrMask attrBits,
+        PKIX_PL_LdapRequest **pRequestMsg,
+        void *plContext)
+{
+        LDAPMessage msg;
+        LDAPSearch *search;
+        PKIX_PL_LdapRequest *ldapRequest = NULL;
+        char scopeTypeAsChar;
+        char derefAliasesTypeAsChar;
+        SECItem *attrArray[MAX_LDAPATTRS + 1];
+
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_Create");
+        PKIX_NULLCHECK_THREE(arena, issuerDN, pRequestMsg);
+
+        /* create a PKIX_PL_LdapRequest object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LDAPREQUEST_TYPE,
+                    sizeof (PKIX_PL_LdapRequest),
+                    (PKIX_PL_Object **)&ldapRequest,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        ldapRequest->arena = arena;
+        ldapRequest->msgnum = msgnum;
+        ldapRequest->issuerDN = issuerDN;
+        ldapRequest->scope = scope;
+        ldapRequest->derefAliases = derefAliases;
+        ldapRequest->sizeLimit = sizeLimit;
+        ldapRequest->timeLimit = timeLimit;
+        ldapRequest->attrsOnly = attrsOnly;
+        ldapRequest->filter = filter;
+        ldapRequest->attrBits = attrBits;
+
+        ldapRequest->attrArray = attrArray;
+
+        PKIX_CHECK(pkix_pl_LdapRequest_EncodeAttrs
+                (ldapRequest, plContext),
+                PKIX_LDAPREQUESTENCODEATTRSFAILED);
+
+        PKIX_PL_NSSCALL
+                (LDAPREQUEST, PORT_Memset, (&msg, 0, sizeof (LDAPMessage)));
+
+        msg.messageID.type = siUnsignedInteger;
+        msg.messageID.data = (void*)&msgnum;
+        msg.messageID.len = sizeof (msgnum);
+
+        msg.protocolOp.selector = LDAP_SEARCH_TYPE;
+
+        search = &(msg.protocolOp.op.searchMsg);
+
+        search->baseObject.type = siAsciiString;
+        search->baseObject.data = (void *)issuerDN;
+        search->baseObject.len = PL_strlen(issuerDN);
+        scopeTypeAsChar = (char)scope;
+        search->scope.type = siUnsignedInteger;
+        search->scope.data = (void *)&scopeTypeAsChar;
+        search->scope.len = sizeof (scopeTypeAsChar);
+        derefAliasesTypeAsChar = (char)derefAliases;
+        search->derefAliases.type = siUnsignedInteger;
+        search->derefAliases.data =
+                (void *)&derefAliasesTypeAsChar;
+        search->derefAliases.len =
+                sizeof (derefAliasesTypeAsChar);
+        search->sizeLimit.type = siUnsignedInteger;
+        search->sizeLimit.data = (void *)&sizeLimit;
+        search->sizeLimit.len = sizeof (PKIX_UInt32);
+        search->timeLimit.type = siUnsignedInteger;
+        search->timeLimit.data = (void *)&timeLimit;
+        search->timeLimit.len = sizeof (PKIX_UInt32);
+        search->attrsOnly.type = siBuffer;
+        search->attrsOnly.data = (void *)&attrsOnly;
+        search->attrsOnly.len = sizeof (attrsOnly);
+
+        PKIX_PL_NSSCALL
+                (LDAPREQUEST,
+                PORT_Memcpy,
+                (&search->filter, filter, sizeof (LDAPFilter)));
+
+        search->attributes = attrArray;
+
+        PKIX_PL_NSSCALLRV
+                (LDAPREQUEST, ldapRequest->encoded, SEC_ASN1EncodeItem,
+                (arena, NULL, (void *)&msg, PKIX_PL_LDAPMessageTemplate));
+
+        if (!(ldapRequest->encoded)) {
+                PKIX_ERROR(PKIX_FAILEDINENCODINGSEARCHREQUEST);
+        }
+
+        *pRequestMsg = ldapRequest;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(ldapRequest);
+        }
+
+        PKIX_RETURN(LDAPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapRequest_GetEncoded
+ * DESCRIPTION:
+ *
+ *  This function obtains the encoded message from the LdapRequest pointed to
+ *  by "request", storing the result at "pRequestBuf".
+ *
+ * PARAMETERS
+ *  "request"
+ *      The address of the LdapRequest whose encoded message is to be
+ *      retrieved. Must be non-NULL.
+ *  "pRequestBuf"
+ *      The address at which is stored the address of the encoded message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapRequest_GetEncoded(
+        PKIX_PL_LdapRequest *request,
+        SECItem **pRequestBuf,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_GetEncoded");
+        PKIX_NULLCHECK_TWO(request, pRequestBuf);
+
+        *pRequestBuf = request->encoded;
+
+        PKIX_RETURN(LDAPREQUEST);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.h
new file mode 100644
index 000000000..11be6780d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.h
@@ -0,0 +1,119 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldaprequest.h
+ *
+ * LdapRequest Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_LDAPREQUEST_H
+#define _PKIX_PL_LDAPREQUEST_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+        USER_CERT,
+        CA_CERT,
+        CROSS_CERT,
+        CRL,
+        ARL,
+        DELTA_CRL
+} PKIX_PL_LdapAttr;
+
+struct PKIX_PL_LdapRequestStruct{
+        PRArenaPool *arena;
+        PKIX_UInt32 msgnum;
+        char *issuerDN;
+        ScopeType scope;
+        DerefType derefAliases;
+        PKIX_UInt32 sizeLimit;
+        PKIX_UInt32 timeLimit;
+        char attrsOnly;
+        LDAPFilter *filter;
+        LdapAttrMask attrBits;
+        SECItem attributes[MAX_LDAPATTRS];
+        SECItem **attrArray;
+        SECItem *encoded;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_LdapRequest_Create(
+        PRArenaPool *arena,
+        PKIX_UInt32 msgnum,
+        char *issuerDN,
+        ScopeType scope,
+        DerefType derefAliases,
+        PKIX_UInt32 sizeLimit,
+        PKIX_UInt32 timeLimit,
+        char attrsOnly,
+        LDAPFilter *filter,
+        LdapAttrMask attrBits,
+        PKIX_PL_LdapRequest **pRequestMsg,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapRequest_AttrTypeToBit(
+        SECItem *attrType,
+        LdapAttrMask *pAttrBit,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapRequest_AttrStringToBit(
+        char *attrString,
+        LdapAttrMask *pAttrBit,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapRequest_GetEncoded(
+        PKIX_PL_LdapRequest *request,
+        SECItem **pRequestBuf,
+        void *plContext);
+
+PKIX_Error *pkix_pl_LdapRequest_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_LDAPREQUEST_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.c
new file mode 100644
index 000000000..a3915b1a4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.c
@@ -0,0 +1,819 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapresponse.c
+ *
+ */
+
+#include <fcntl.h>
+#include "pkix_pl_ldapresponse.h"
+
+/* --Private-LdapResponse-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapResponse_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_LdapResponse *ldapRsp = NULL;
+        LDAPMessage *m = NULL;
+        LDAPSearchResponseEntry *entry = NULL;
+        LDAPSearchResponseResult *result = NULL;
+        LDAPSearchResponseAttr **attributes = NULL;
+        LDAPSearchResponseAttr *attr = NULL;
+        SECItem **valp = NULL;
+        SECItem *val = NULL;
+
+        PKIX_ENTER(LDAPRESPONSE, "pkix_pl_LdapResponse_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LDAPRESPONSE_TYPE, plContext),
+                    PKIX_OBJECTNOTLDAPRESPONSE);
+
+        ldapRsp = (PKIX_PL_LdapResponse *)object;
+
+        m = &ldapRsp->decoded;
+
+        if (m->messageID.data != NULL) {
+                PR_Free(m->messageID.data);
+        }
+
+        if (m->protocolOp.selector ==
+                LDAP_SEARCHRESPONSEENTRY_TYPE) {
+                entry = &m->protocolOp.op.searchResponseEntryMsg;
+                if (entry->objectName.data != NULL) {
+                        PR_Free(entry->objectName.data);
+                }
+                if (entry->attributes != NULL) {
+                        for (attributes = entry->attributes;
+                                *attributes != NULL;
+                                attributes++) {
+                                attr = *attributes;
+                                PR_Free(attr->attrType.data);
+                                for (valp = attr->val; *valp != NULL; valp++) {
+                                        val = *valp;
+                                        if (val->data != NULL) {
+                                                PR_Free(val->data);
+                                        }
+                                        PR_Free(val);
+                                }
+                                PR_Free(attr->val);
+                                PR_Free(attr);
+                        }
+                        PR_Free(entry->attributes);
+                }
+        } else if (m->protocolOp.selector ==
+                LDAP_SEARCHRESPONSERESULT_TYPE) {
+                result = &m->protocolOp.op.searchResponseResultMsg;
+                if (result->resultCode.data != NULL) {
+                        PR_Free(result->resultCode.data);
+                }
+        }
+
+        PKIX_FREE(ldapRsp->derEncoded.data);
+
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapResponse_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 dataLen = 0;
+        PKIX_UInt32 dindex = 0;
+        PKIX_UInt32 sizeOfLength = 0;
+        PKIX_UInt32 idLen = 0;
+        const unsigned char *msgBuf = NULL;
+        PKIX_PL_LdapResponse *ldapRsp = NULL;
+
+        PKIX_ENTER(LDAPRESPONSE, "pkix_pl_LdapResponse_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_LDAPRESPONSE_TYPE, plContext),
+                    PKIX_OBJECTNOTLDAPRESPONSE);
+
+        ldapRsp = (PKIX_PL_LdapResponse *)object;
+
+        *pHashcode = 0;
+
+        /*
+         * Two responses that differ only in msgnum are a match! Therefore,
+         * start hashcoding beyond the encoded messageID field.
+         */
+        if (ldapRsp->derEncoded.data) {
+                msgBuf = (const unsigned char *)ldapRsp->derEncoded.data;
+                /* Is message length short form (one octet) or long form? */
+                if ((msgBuf[1] & 0x80) != 0) {
+                        sizeOfLength = msgBuf[1] & 0x7F;
+                        for (dindex = 0; dindex < sizeOfLength; dindex++) {
+                                dataLen = (dataLen << 8) + msgBuf[dindex + 2];
+                        }
+                } else {
+                        dataLen = msgBuf[1];
+                }
+
+                /* How many bytes for the messageID? (Assume short form) */
+                idLen = msgBuf[dindex + 3] + 2;
+                dindex += idLen;
+                dataLen -= idLen;
+                msgBuf = &msgBuf[dindex + 2];
+
+                PKIX_CHECK(pkix_hash(msgBuf, dataLen, pHashcode, plContext),
+                        PKIX_HASHFAILED);
+        }
+
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_LdapResponse_Equals(
+        PKIX_PL_Object *firstObj,
+        PKIX_PL_Object *secondObj,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_LdapResponse *rsp1 = NULL;
+        PKIX_PL_LdapResponse *rsp2 = NULL;
+        PKIX_UInt32 secondType = 0;
+        PKIX_UInt32 firstLen = 0;
+        const unsigned char *firstData = NULL;
+        const unsigned char *secondData = NULL;
+        PKIX_UInt32 sizeOfLength = 0;
+        PKIX_UInt32 dindex = 0;
+        PKIX_UInt32 i = 0;
+
+        PKIX_ENTER(LDAPRESPONSE, "pkix_pl_LdapResponse_Equals");
+        PKIX_NULLCHECK_THREE(firstObj, secondObj, pResult);
+
+        /* test that firstObj is a LdapResponse */
+        PKIX_CHECK(pkix_CheckType(firstObj, PKIX_LDAPRESPONSE_TYPE, plContext),
+                    PKIX_FIRSTOBJARGUMENTNOTLDAPRESPONSE);
+
+        /*
+         * Since we know firstObj is a LdapResponse, if both references are
+         * identical, they must be equal
+         */
+        if (firstObj == secondObj){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObj isn't a LdapResponse, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType(secondObj, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_LDAPRESPONSE_TYPE) {
+                goto cleanup;
+        }
+
+        rsp1 = (PKIX_PL_LdapResponse *)firstObj;
+        rsp2 = (PKIX_PL_LdapResponse *)secondObj;
+
+        /* If either lacks an encoded string, they cannot be compared */
+        if (!(rsp1->derEncoded.data) || !(rsp2->derEncoded.data)) {
+                goto cleanup;
+        }
+
+        if (rsp1->derEncoded.len != rsp2->derEncoded.len) {
+                goto cleanup;
+        }
+
+        firstData = (const unsigned char *)rsp1->derEncoded.data;
+        secondData = (const unsigned char *)rsp2->derEncoded.data;
+
+        /*
+         * Two responses that differ only in msgnum are equal! Therefore,
+         * start the byte comparison beyond the encoded messageID field.
+         */
+
+        /* Is message length short form (one octet) or long form? */
+        if ((firstData[1] & 0x80) != 0) {
+                sizeOfLength = firstData[1] & 0x7F;
+                for (dindex = 0; dindex < sizeOfLength; dindex++) {
+                        firstLen = (firstLen << 8) + firstData[dindex + 2];
+                }
+        } else {
+                firstLen = firstData[1];
+        }
+
+        /* How many bytes for the messageID? (Assume short form) */
+        i = firstData[dindex + 3] + 2;
+        dindex += i;
+        firstLen -= i;
+        firstData = &firstData[dindex + 2];
+
+        /*
+         * In theory, we have to calculate where the second message data
+         * begins by checking its length encodings. But if these messages
+         * are equal, we can re-use the calculation we already did. If they
+         * are not equal, the byte comparisons will surely fail.
+         */
+
+        secondData = &secondData[dindex + 2];
+        
+        for (i = 0; i < firstLen; i++) {
+                if (firstData[i] != secondData[i]) {
+                        goto cleanup;
+                }
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_LDAPRESPONSE_TYPE and its related functions with
+ *  systemClasses[]
+ * PARAMETERS:
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(LDAPRESPONSE, "pkix_pl_LdapResponse_RegisterSelf");
+
+        entry.description = "LdapResponse";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_LdapResponse);
+        entry.destructor = pkix_pl_LdapResponse_Destroy;
+        entry.equalsFunction = pkix_pl_LdapResponse_Equals;
+        entry.hashcodeFunction = pkix_pl_LdapResponse_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_LDAPRESPONSE_TYPE] = entry;
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an LdapResponse for the LDAPMessageType provided in
+ *  "responseType" and a buffer capacity provided by "totalLength". It copies
+ *  into its buffer either "totalLength" or "bytesAvailable" bytes, whichever
+ *  is less, from the buffer pointed to by "partialData", storing the number of
+ *  bytes copied at "pBytesConsumed" and storing the address of the LdapResponse
+ *  at "pLdapResponse".
+ *
+ *  If a message is complete in a single I/O buffer, the LdapResponse will be
+ *  complete when this function returns. If the message carries over into
+ *  additional buffers, their contents will be added to the LdapResponse by
+ *  susequent calls to pkix_pl_LdapResponse_Append.
+ *
+ * PARAMETERS
+ *  "responseType"
+ *      The value of the message type (LDAP_SEARCHRESPONSEENTRY_TYPE or
+ *      LDAP_SEARCHRESPONSERESULT_TYPE) for the LdapResponse being created
+ *  "totalLength"
+ *      The UInt32 value for the total length of the encoded message to be
+ *      stored in the LdapResponse
+ *  "bytesAvailable"
+ *      The UInt32 value for the number of bytes of data available in the
+ *      current buffer.
+ *  "partialData"
+ *      The address from which data is to be copied.
+ *  "pBytesConsumed"
+ *      The address at which is stored the UInt32 number of bytes taken from the
+ *      current buffer. If this number is less than "bytesAvailable", then bytes
+ *      remain in the buffer for the next LdapResponse. Must be non-NULL.
+ *  "pLdapResponse"
+ *      The address where the created LdapResponse is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_Create(
+        LDAPMessageType responseType,
+        PKIX_UInt32 totalLength,
+        PKIX_UInt32 bytesAvailable,
+        void *partialData,
+        PKIX_UInt32 *pBytesConsumed,
+        PKIX_PL_LdapResponse **pLdapResponse,
+        void *plContext)
+{
+        PKIX_UInt32 bytesConsumed = 0;
+        PKIX_PL_LdapResponse *ldapResponse = NULL;
+        void *data = NULL;
+
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_Create");
+        PKIX_NULLCHECK_ONE(pLdapResponse);
+
+        if (bytesAvailable <= totalLength) {
+                bytesConsumed = bytesAvailable;
+        } else {
+                bytesConsumed = totalLength;
+        }
+
+        /* create a PKIX_PL_LdapResponse object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_LDAPRESPONSE_TYPE,
+                    sizeof (PKIX_PL_LdapResponse),
+                    (PKIX_PL_Object **)&ldapResponse,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        ldapResponse->decoded.protocolOp.selector = responseType;
+        ldapResponse->totalLength = totalLength;
+        ldapResponse->partialLength = bytesConsumed;
+
+        if (totalLength != 0){
+                /* Alloc space for array */
+                PKIX_NULLCHECK_ONE(partialData);
+
+                PKIX_CHECK(PKIX_PL_Malloc
+                    (totalLength,
+                    &data,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+                PKIX_PL_NSSCALL
+                    (LDAPRESPONSE,
+                    PORT_Memcpy,
+                    (data, partialData, bytesConsumed));
+        }
+
+        ldapResponse->derEncoded.type = siBuffer;
+        ldapResponse->derEncoded.data = data;
+        ldapResponse->derEncoded.len = totalLength;
+        *pBytesConsumed = bytesConsumed;
+        *pLdapResponse = ldapResponse;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(ldapResponse);
+        }
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Append
+ * DESCRIPTION:
+ *
+ *  This function updates the LdapResponse pointed to by "response" with up to
+ *  "incrLength" from the buffer pointer to by "incrData", storing the number of
+ *  bytes copied at "pBytesConsumed".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse being updated. Must be non-zero.
+ *  "incrLength"
+ *      The UInt32 value for the number of bytes of data available in the
+ *      current buffer.
+ *  "incrData"
+ *      The address from which data is to be copied.
+ *  "pBytesConsumed"
+ *      The address at which is stored the UInt32 number of bytes taken from the
+ *      current buffer. If this number is less than "incrLength", then bytes
+ *      remain in the buffer for the next LdapResponse. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_Append(
+        PKIX_PL_LdapResponse *response,
+        PKIX_UInt32 incrLength,
+        void *incrData,
+        PKIX_UInt32 *pBytesConsumed,
+        void *plContext)
+{
+        PKIX_UInt32 newPartialLength = 0;
+        PKIX_UInt32 bytesConsumed = 0;
+        void *dest = NULL;
+
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_Append");
+        PKIX_NULLCHECK_TWO(response, pBytesConsumed);
+
+        if (incrLength > 0) {
+
+                /* Calculate how many bytes we have room for. */
+                bytesConsumed =
+                        response->totalLength - response->partialLength;
+
+                if (bytesConsumed > incrLength) {
+                        bytesConsumed = incrLength;
+                }
+
+                newPartialLength = response->partialLength + bytesConsumed;
+
+                PKIX_NULLCHECK_ONE(incrData);
+
+                dest = &(((char *)response->derEncoded.data)[
+                        response->partialLength]);
+
+                PKIX_PL_NSSCALL
+                        (LDAPRESPONSE,
+                        PORT_Memcpy,
+                        (dest, incrData, bytesConsumed));
+
+                response->partialLength = newPartialLength;
+        }
+
+        *pBytesConsumed = bytesConsumed;
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_IsComplete
+ * DESCRIPTION:
+ *
+ *  This function determines whether the LdapResponse pointed to by "response"
+ *  contains all the data called for by the "totalLength" parameter provided
+ *  when it was created, storing PKIX_TRUE at "pIsComplete" if so, and
+ *  PKIX_FALSE otherwise.
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse being evaluaTED. Must be non-zero.
+ *  "incrLength"
+ *      The UInt32 value for the number of bytes of data available in the
+ *      current buffer.
+ *  "incrData"
+ *      The address from which data is to be copied.
+ *  "pIsComplete"
+ *      The address at which is stored the Boolean indication of whether the
+ *      LdapResponse is complete. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_IsComplete(
+        PKIX_PL_LdapResponse *response,
+        PKIX_Boolean *pIsComplete,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_IsComplete");
+        PKIX_NULLCHECK_TWO(response, pIsComplete);
+
+        if (response->totalLength == response->partialLength) {
+                *pIsComplete = PKIX_TRUE;
+        } else {
+                *pIsComplete = PKIX_FALSE;
+        }
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_Decode
+ * DESCRIPTION:
+ *
+ *  This function decodes the DER data contained in the LdapResponse pointed to
+ *  by "response", using the arena pointed to by "arena", and storing at
+ *  "pStatus" SECSuccess if the decoding was successful and SECFailure
+ *  otherwise. The decoded message is stored in an element of "response".
+ *
+ * PARAMETERS
+ *  "arena"
+ *      The address of the PRArenaPool to be used in the decoding. Must be
+ *      non-NULL.
+ *  "response"
+ *      The address of the LdapResponse whose DER data is to be decoded. Must
+ *      be non-NULL.
+ *  "pStatus"
+ *      The address at which is stored the status from the decoding, SECSuccess
+ *      if successful, SECFailure otherwise. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_Decode(
+        PRArenaPool *arena,
+        PKIX_PL_LdapResponse *response,
+        SECStatus *pStatus,
+        void *plContext)
+{
+        LDAPMessage *msg;
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_Decode");
+        PKIX_NULLCHECK_THREE(arena, response, pStatus);
+
+        if (response->totalLength != response->partialLength) {
+                PKIX_ERROR(PKIX_ATTEMPTTODECODEANINCOMPLETERESPONSE);
+        }
+
+        msg = &(response->decoded);
+
+        PKIX_PL_NSSCALL
+                (LDAPRESPONSE, PORT_Memset, (msg, 0, sizeof (LDAPMessage)));
+
+        PKIX_PL_NSSCALLRV(LDAPRESPONSE, rv, SEC_ASN1DecodeItem,
+            (NULL, msg, PKIX_PL_LDAPMessageTemplate, &(response->derEncoded)));
+
+        *pStatus = rv;
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_GetMessage
+ * DESCRIPTION:
+ *
+ *  This function obtains the decoded message from the LdapResponse pointed to
+ *  by "response", storing the result at "pMessage".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse whose decoded message is to be
+ *      retrieved. Must be non-NULL.
+ *  "pMessage"
+ *      The address at which is stored the address of the decoded message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_GetMessage(
+        PKIX_PL_LdapResponse *response,
+        LDAPMessage **pMessage,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_GetMessage");
+        PKIX_NULLCHECK_TWO(response, pMessage);
+
+        *pMessage = &response->decoded;
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_GetCapacity
+ * DESCRIPTION:
+ *
+ *  This function obtains from the LdapResponse pointed to by "response" the
+ *  number of bytes remaining to be read, based on the totalLength that was
+ *  provided to LdapResponse_Create and the data subsequently provided to
+ *  LdapResponse_Append, storing the result at "pMessage".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse whose remaining capacity is to be
+ *      retrieved. Must be non-NULL.
+ *  "pCapacity"
+ *      The address at which is stored the address of the decoded message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_GetCapacity(
+        PKIX_PL_LdapResponse *response,
+        PKIX_UInt32 *pCapacity,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_GetCapacity");
+        PKIX_NULLCHECK_TWO(response, pCapacity);
+
+        *pCapacity = response->totalLength - response->partialLength;
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_GetMessageType
+ * DESCRIPTION:
+ *
+ *  This function obtains the message type from the LdapResponse pointed to
+ *  by "response", storing the result at "pMessageType".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse whose message type is to be
+ *      retrieved. Must be non-NULL.
+ *  "pMessageType" 
+ *      The address at which is stored the type of the response message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_GetMessageType(
+        PKIX_PL_LdapResponse *response,
+        LDAPMessageType *pMessageType,
+        void *plContext)
+{
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_GetMessageType");
+        PKIX_NULLCHECK_TWO(response, pMessageType);
+
+        *pMessageType = response->decoded.protocolOp.selector;
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_GetResultCode
+ * DESCRIPTION:
+ *
+ *  This function obtains the result code from the LdapResponse pointed to
+ *  by "response", storing the result at "pResultCode".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse whose result code is to be
+ *      retrieved. Must be non-NULL.
+ *  "pResultCode"
+ *      The address at which is stored the address of the decoded message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_GetResultCode(
+        PKIX_PL_LdapResponse *response,
+        LDAPResultCode *pResultCode,
+        void *plContext)
+{
+        LDAPMessageType messageType = 0;
+        LDAPSearchResponseResult *resultMsg = NULL;
+
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_GetResultCode");
+        PKIX_NULLCHECK_TWO(response, pResultCode);
+
+        messageType = response->decoded.protocolOp.selector;
+
+        if (messageType != LDAP_SEARCHRESPONSERESULT_TYPE) {
+                PKIX_ERROR(PKIX_GETRESULTCODECALLEDFORNONRESULTMESSAGE);
+        }
+
+        resultMsg = &response->decoded.protocolOp.op.searchResponseResultMsg;
+
+        *pResultCode = *(char *)(resultMsg->resultCode.data);
+
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_LdapResponse_GetAttributes
+ * DESCRIPTION:
+ *
+ *  This function obtains the attributes from the LdapResponse pointed to
+ *  by "response", storing the result at "pAttributes".
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the LdapResponse whose decoded message is to be
+ *      retrieved. Must be non-NULL.
+ *  "pAttributes"
+ *      The address at which is stored the attributes of the message. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an LdapResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_LdapResponse_GetAttributes(
+        PKIX_PL_LdapResponse *response,
+        LDAPSearchResponseAttr ***pAttributes,
+        void *plContext)
+{
+        LDAPMessageType messageType = 0;
+
+        PKIX_ENTER(LDAPRESPONSE, "PKIX_PL_LdapResponse_GetResultCode");
+        PKIX_NULLCHECK_TWO(response, pAttributes);
+
+        messageType = response->decoded.protocolOp.selector;
+
+        if (messageType != LDAP_SEARCHRESPONSEENTRY_TYPE) {
+                PKIX_ERROR(PKIX_GETATTRIBUTESCALLEDFORNONENTRYMESSAGE);
+        }
+
+        *pAttributes = response->
+                decoded.protocolOp.op.searchResponseEntryMsg.attributes;
+
+cleanup:
+
+        PKIX_RETURN(LDAPRESPONSE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.h
new file mode 100644
index 000000000..81a837fde
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapresponse.h
@@ -0,0 +1,129 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ldapresponse.h
+ *
+ * LdapResponse Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_LDAPRESPONSE_H
+#define _PKIX_PL_LDAPRESPONSE_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_LdapResponseStruct{
+        LDAPMessage decoded;
+        PKIX_UInt32 partialLength;
+        PKIX_UInt32 totalLength;
+        SECItem derEncoded;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_LdapResponse_Create(
+        LDAPMessageType responseType,
+        PKIX_UInt32 totalLength,
+        PKIX_UInt32 bytesAvailable,
+        void *partialData,
+        PKIX_UInt32 *pBytesConsumed,
+        PKIX_PL_LdapResponse **pResponse,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_Append(
+        PKIX_PL_LdapResponse *response,
+        PKIX_UInt32 partialLength,
+        void *partialData,
+        PKIX_UInt32 *bytesConsumed,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_IsComplete(
+        PKIX_PL_LdapResponse *response,
+        PKIX_Boolean *pIsComplete,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_Decode(
+        PRArenaPool *arena,
+        PKIX_PL_LdapResponse *response,
+        SECStatus *pStatus,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_GetMessage(
+        PKIX_PL_LdapResponse *response,
+        LDAPMessage **pMessage,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_GetMessageType(
+        PKIX_PL_LdapResponse *response,
+        LDAPMessageType *pMessageType,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_GetCapacity(
+        PKIX_PL_LdapResponse *response,
+        PKIX_UInt32 *pCapacity,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_GetResultCode(
+        PKIX_PL_LdapResponse *response,
+        LDAPResultCode *pResultCode,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_LdapResponse_GetAttributes(
+        PKIX_PL_LdapResponse *response,
+        LDAPSearchResponseAttr ***pAttributes,
+        void *plContext);
+
+PKIX_Error *pkix_pl_LdapResponse_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_LDAPRESPONSE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapt.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapt.h
new file mode 100644
index 000000000..66eda1f4f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapt.h
@@ -0,0 +1,348 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _LDAP_H_
+#define _LDAP_H_
+
+#include "certt.h"
+#include "pkixt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern const SEC_ASN1Template PKIX_PL_LDAPCrossCertPairTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(PKIX_PL_LDAPCrossCertPairTemplate)
+extern const SEC_ASN1Template PKIX_PL_LDAPMessageTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(PKIX_PL_LDAPMessageTemplate)
+extern const SEC_ASN1Template LDAPFilterTemplate[];
+SEC_ASN1_CHOOSER_DECLARE(LDAPFilterTemplate)
+
+/* ********************************************************************** */
+
+#define SEC_ASN1_LDAP_STRING SEC_ASN1_OCTET_STRING
+
+#define LDAPATTR_CACERT         (1<<0)
+#define LDAPATTR_USERCERT       (1<<1)
+#define LDAPATTR_CROSSPAIRCERT  (1<<2)
+#define LDAPATTR_CERTREVLIST    (1<<3)
+#define LDAPATTR_AUTHREVLIST    (1<<4)
+#define MAX_LDAPATTRS                   5
+typedef PKIX_UInt32 LdapAttrMask;
+
+typedef enum {
+        SIMPLE_AUTH                     = 0,
+        KRBV42LDAP_AUTH                 = 1,
+        KRBV42DSA_AUTH                  = 2
+} AuthType;
+
+typedef enum {
+        BASE_OBJECT                     = 0,
+        SINGLE_LEVEL                    = 1,
+        WHOLE_SUBTREE                   = 2
+} ScopeType;
+
+typedef enum {
+        NEVER_DEREF                     = 0,
+        DEREF_IN_SEARCHING              = 1,
+        DEREF_FINDING_BASEOBJ           = 2,
+        ALWAYS_DEREF                    = 3
+} DerefType;
+
+typedef enum {
+        LDAP_INITIALSUBSTRING_TYPE      = 0,
+        LDAP_ANYSUBSTRING_TYPE          = 1,
+        LDAP_FINALSUBSTRING_TYPE        = 2
+} LDAPSubstringFilterType;
+
+typedef enum {
+        LDAP_ANDFILTER_TYPE             = 0,
+        LDAP_ORFILTER_TYPE              = 1,
+        LDAP_NOTFILTER_TYPE             = 2,
+        LDAP_EQUALFILTER_TYPE           = 3,
+        LDAP_SUBSTRINGFILTER_TYPE       = 4,
+        LDAP_GREATEROREQUALFILTER_TYPE  = 5,
+        LDAP_LESSOREQUALFILTER_TYPE     = 6,
+        LDAP_PRESENTFILTER_TYPE         = 7,
+        LDAP_APPROXMATCHFILTER_TYPE     = 8
+} LDAPFilterType;
+
+typedef enum {
+        LDAP_BIND_TYPE                  = 0,
+        LDAP_BINDRESPONSE_TYPE          = 1,
+        LDAP_UNBIND_TYPE                = 2,
+        LDAP_SEARCH_TYPE                = 3,
+        LDAP_SEARCHRESPONSEENTRY_TYPE   = 4,
+        LDAP_SEARCHRESPONSERESULT_TYPE  = 5,
+        LDAP_ABANDONREQUEST_TYPE        = 16
+} LDAPMessageType;
+
+typedef enum {
+        SUCCESS                         = 0,
+        OPERATIONSERROR                 = 1,
+        PROTOCOLERROR                   = 2,
+        TIMELIMITEXCEEDED               = 3,
+        SIZELIMITEXCEEDED               = 4,
+        COMPAREFALSE                    = 5,
+        COMPARETRUE                     = 6,
+        AUTHMETHODNOTSUPPORTED          = 7,
+        STRONGAUTHREQUIRED              = 8,
+        NOSUCHATTRIBUTE                 = 16,
+        UNDEFINEDATTRIBUTETYPE          = 17,
+        INAPPROPRIATEMATCHING           = 18,
+        CONSTRAINTVIOLATION             = 19,
+        ATTRIBUTEORVALUEEXISTS          = 20,
+        INVALIDATTRIBUTESYNTAX          = 21,
+        NOSUCHOBJECT                    = 32,
+        ALIASPROBLEM                    = 33,
+        INVALIDDNSYNTAX                 = 34,
+        ISLEAF                          = 35,
+        ALIASDEREFERENCINGPROBLEM       = 36,
+        INAPPROPRIATEAUTHENTICATION     = 48,
+        INVALIDCREDENTIALS              = 49,
+        INSUFFICIENTACCESSRIGHTS        = 50,
+        BUSY                            = 51,
+        UNAVAILABLE                     = 52,
+        UNWILLINGTOPERFORM              = 53,
+        LOOPDETECT                      = 54,
+        NAMINGVIOLATION                 = 64,
+        OBJECTCLASSVIOLATION            = 65,
+        NOTALLOWEDONNONLEAF             = 66,
+        NOTALLOWEDONRDN                 = 67,
+        ENTRYALREADYEXISTS              = 68,
+        OBJECTCLASSMODSPROHIBITED       = 69,
+        OTHER                           = 80
+} LDAPResultCode;
+
+typedef struct LDAPLocationStruct                LDAPLocation;
+typedef struct LDAPCertPairStruct                LDAPCertPair;
+typedef struct LDAPSimpleBindStruct              LDAPSimpleBind;
+typedef struct LDAPBindAPIStruct                 LDAPBindAPI;
+typedef struct LDAPBindStruct                    LDAPBind;
+typedef struct LDAPResultStruct                  LDAPBindResponse;
+typedef struct LDAPResultStruct                  LDAPResult;
+typedef struct LDAPSearchResponseAttrStruct      LDAPSearchResponseAttr;
+typedef struct LDAPSearchResponseEntryStruct     LDAPSearchResponseEntry;
+typedef struct LDAPResultStruct                  LDAPSearchResponseResult;
+typedef struct LDAPUnbindStruct                  LDAPUnbind;
+typedef struct LDAPFilterStruct                  LDAPFilter;
+typedef struct LDAPAndFilterStruct               LDAPAndFilter;
+typedef struct LDAPNotFilterStruct               LDAPNotFilter;
+typedef struct LDAPSubstringStruct               LDAPSubstring;
+typedef struct LDAPSubstringFilterStruct         LDAPSubstringFilter;
+typedef struct LDAPPresentFilterStruct           LDAPPresentFilter;
+typedef struct LDAPAttributeValueAssertionStruct LDAPAttributeValueAssertion;
+typedef struct LDAPNameComponentStruct           LDAPNameComponent;
+typedef struct LDAPRequestParamsStruct           LDAPRequestParams;
+typedef struct LDAPSearchStruct                  LDAPSearch;
+typedef struct LDAPAbandonRequestStruct          LDAPAbandonRequest;
+typedef struct protocolOpStruct                  LDAPProtocolOp;
+typedef struct LDAPMessageStruct                 LDAPMessage;
+typedef LDAPAndFilter                            LDAPOrFilter;
+typedef LDAPAttributeValueAssertion              LDAPEqualFilter;
+typedef LDAPAttributeValueAssertion              LDAPGreaterOrEqualFilter;
+typedef LDAPAttributeValueAssertion              LDAPLessOrEqualFilter;
+typedef LDAPAttributeValueAssertion              LDAPApproxMatchFilter;
+
+struct LDAPLocationStruct {
+        PRArenaPool *arena;
+        void *serverSite;
+        void **filterString;
+        void **attrBitString;
+};
+
+struct LDAPCertPairStruct {
+        SECItem forward;
+        SECItem reverse;
+};
+
+struct LDAPSimpleBindStruct {
+        char *bindName;
+        char *authentication;
+};
+
+struct LDAPBindAPIStruct {
+        AuthType selector;
+        union {
+                LDAPSimpleBind simple;
+        } chooser;
+};
+
+struct LDAPBindStruct {
+        SECItem version;
+        SECItem bindName;
+        SECItem authentication;
+};
+
+struct LDAPResultStruct {
+        SECItem resultCode;
+        SECItem matchedDN;
+        SECItem errorMessage;
+};
+
+struct LDAPSearchResponseAttrStruct {
+        SECItem attrType;
+        SECItem **val;
+};
+
+struct LDAPSearchResponseEntryStruct {
+        SECItem objectName;
+        LDAPSearchResponseAttr **attributes;
+};
+
+struct LDAPUnbindStruct {
+        SECItem dummy;
+};
+
+struct LDAPAndFilterStruct {
+        LDAPFilter **filters;
+};
+
+struct LDAPNotFilterStruct {
+        LDAPFilter *filter;
+};
+
+struct LDAPSubstringStruct {
+        LDAPSubstringFilterType selector;
+        SECItem item;
+};
+
+struct LDAPSubstringFilterStruct {
+        SECItem attrType;
+        LDAPSubstring *strings;
+};
+
+struct LDAPPresentFilterStruct {
+        SECItem attrType;
+};
+
+struct LDAPAttributeValueAssertionStruct {
+        SECItem attrType;
+        SECItem attrValue;
+};
+
+struct LDAPFilterStruct {
+        LDAPFilterType selector;
+        union {
+                LDAPAndFilter andFilter;
+                LDAPOrFilter orFilter;
+                LDAPNotFilter notFilter;
+                LDAPEqualFilter equalFilter;
+                LDAPSubstringFilter substringFilter;
+                LDAPGreaterOrEqualFilter greaterOrEqualFilter;
+                LDAPLessOrEqualFilter lessOrEqualFilter;
+                LDAPPresentFilter presentFilter;
+                LDAPApproxMatchFilter approxMatchFilter;
+        } filter;
+};
+
+struct LDAPNameComponentStruct {
+        unsigned char *attrType;
+        unsigned char *attrValue;
+};
+
+struct LDAPRequestParamsStruct {
+        char *baseObject;          /* e.g. "c=US" */
+        ScopeType scope;
+        DerefType derefAliases;
+        PKIX_UInt32 sizeLimit;     /* 0 = no limit */
+        PRIntervalTime timeLimit;  /* 0 = no limit */
+        LDAPNameComponent **nc; /* e.g. {{"cn","xxx"},{"o","yyy"},NULL} */
+        LdapAttrMask attributes;
+};
+
+struct LDAPSearchStruct {
+        SECItem baseObject;
+        SECItem scope;
+        SECItem derefAliases;
+        SECItem sizeLimit;
+        SECItem timeLimit;
+        SECItem attrsOnly;
+        LDAPFilter filter;
+        SECItem **attributes;
+};
+
+struct LDAPAbandonRequestStruct {
+        SECItem messageID;
+};
+
+struct protocolOpStruct {
+        LDAPMessageType selector;
+        union {
+                LDAPBind bindMsg;
+                LDAPBindResponse bindResponseMsg;
+                LDAPUnbind unbindMsg;
+                LDAPSearch searchMsg;
+                LDAPSearchResponseEntry searchResponseEntryMsg;
+                LDAPSearchResponseResult searchResponseResultMsg;
+                LDAPAbandonRequest abandonRequestMsg;
+        } op;
+};
+
+struct LDAPMessageStruct {
+        SECItem messageID;
+        LDAPProtocolOp protocolOp;
+};
+
+typedef struct PKIX_PL_LdapClientStruct PKIX_PL_LdapClient;
+
+typedef PKIX_Error *
+(*PKIX_PL_LdapClient_InitiateFcn)(
+        PKIX_PL_LdapClient *client,
+        LDAPRequestParams *requestParams,
+        void **pNBIO,
+        PKIX_List **pResponse,
+        void *plContext);
+
+typedef PKIX_Error *
+(*PKIX_PL_LdapClient_ResumeFcn)(
+        PKIX_PL_LdapClient *client,
+        void **pNBIO,
+        PKIX_List **pResponse,
+        void *plContext);
+
+struct PKIX_PL_LdapClientStruct {
+        PKIX_PL_LdapClient_InitiateFcn initiateFcn;
+        PKIX_PL_LdapClient_ResumeFcn resumeFcn;
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c
new file mode 100644
index 000000000..abd9fcb51
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c
@@ -0,0 +1,451 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "pkix_pl_ldapt.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_NullTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+
+/*
+ * CertificatePair      ::= SEQUENCE {
+ *      forward [0]     Certificate OPTIONAL,
+ *      reverse [1]     Certificate OPTIONAL
+ *                      -- at least one of the pair shall be present --
+ *  }
+ */
+
+const SEC_ASN1Template PKIX_PL_LDAPCrossCertPairTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(LDAPCertPair) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 0,
+        offsetof(LDAPCertPair, forward), SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        SEC_ASN1_EXPLICIT | SEC_ASN1_XTRN | 1,
+        offsetof(LDAPCertPair, reverse), SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+/*
+ * BindRequest ::=
+ *      [APPLICATION 0] SEQUENCE {
+ *                      version INTEGER (1..127),
+ *                      name    LDAPDN,
+ *                      authentication CHOICE {
+ *                              simple          [0] OCTET STRING,
+ *                              krbv42LDAP      [1] OCTET STRING,
+ *                              krbv42DSA       [2] OCTET STRING
+ *                      }
+ *      }
+ *
+ * LDAPDN ::= LDAPString
+ *
+ * LDAPString ::= OCTET STRING
+ */
+
+#define LDAPStringTemplate SEC_ASN1_SUB(SEC_OctetStringTemplate)
+
+static const SEC_ASN1Template LDAPBindApplTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL },
+    { SEC_ASN1_INTEGER, offsetof(LDAPBind, version) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPBind, bindName) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPBind, authentication) },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPBindTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | LDAP_BIND_TYPE, 0,
+        LDAPBindApplTemplate, sizeof (LDAPBind) }
+};
+
+/*
+ * BindResponse ::= [APPLICATION 1] LDAPResult
+ *
+ * LDAPResult ::=
+ *      SEQUENCE {
+ *              resultCode      ENUMERATED {
+ *                              success                         (0),
+ *                              operationsError                 (1),
+ *                              protocolError                   (2),
+ *                              timeLimitExceeded               (3),
+ *                              sizeLimitExceeded               (4),
+ *                              compareFalse                    (5),
+ *                              compareTrue                     (6),
+ *                              authMethodNotSupported          (7),
+ *                              strongAuthRequired              (8),
+ *                              noSuchAttribute                 (16),
+ *                              undefinedAttributeType          (17),
+ *                              inappropriateMatching           (18),
+ *                              constraintViolation             (19),
+ *                              attributeOrValueExists          (20),
+ *                              invalidAttributeSyntax          (21),
+ *                              noSuchObject                    (32),
+ *                              aliasProblem                    (33),
+ *                              invalidDNSyntax                 (34),
+ *                              isLeaf                          (35),
+ *                              aliasDereferencingProblem       (36),
+ *                              inappropriateAuthentication     (48),
+ *                              invalidCredentials              (49),
+ *                              insufficientAccessRights        (50),
+ *                              busy                            (51),
+ *                              unavailable                     (52),
+ *                              unwillingToPerform              (53),
+ *                              loopDetect                      (54),
+ *                              namingViolation                 (64),
+ *                              objectClassViolation            (65),
+ *                              notAllowedOnNonLeaf             (66),
+ *                              notAllowedOnRDN                 (67),
+ *                              entryAlreadyExists              (68),
+ *                              objectClassModsProhibited       (69),
+ *                              other                           (80)
+ *                              },
+ *              matchedDN       LDAPDN,
+ *              errorMessage    LDAPString
+ *      }
+ */
+
+static const SEC_ASN1Template LDAPResultTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL },
+    { SEC_ASN1_ENUMERATED, offsetof(LDAPResult, resultCode) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPResult, matchedDN) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPResult, errorMessage) },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPBindResponseTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | LDAP_BINDRESPONSE_TYPE, 0,
+        LDAPResultTemplate, sizeof (LDAPBindResponse) }
+};
+
+/*
+ * UnbindRequest ::= [APPLICATION 2] NULL
+ */
+
+static const SEC_ASN1Template LDAPUnbindTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | SEC_ASN1_XTRN |
+        LDAP_UNBIND_TYPE , 0, SEC_ASN1_SUB(SEC_NullTemplate) }
+};
+
+/*
+ * AttributeValueAssertion ::=
+ *      SEQUENCE {
+ *              attributeType   AttributeType,
+ *              attributeValue  AttributeValue,
+ *      }
+ *
+ * AttributeType ::= LDAPString
+ *               -- text name of the attribute, or dotted
+ *               -- OID representation
+ *
+ * AttributeValue ::= OCTET STRING
+ */
+
+#define LDAPAttributeTypeTemplate LDAPStringTemplate
+
+/*
+ * SubstringFilter ::=
+ *      SEQUENCE {
+ *              type            AttributeType,
+ *              SEQUENCE OF CHOICE {
+ *                      initial [0] LDAPString,
+ *                      any     [1] LDAPString,
+ *                      final   [2] LDAPString,
+ *              }
+ *      }
+ */
+
+#define LDAPSubstringFilterInitialTemplate LDAPStringTemplate
+#define LDAPSubstringFilterAnyTemplate LDAPStringTemplate
+#define LDAPSubstringFilterFinalTemplate LDAPStringTemplate
+
+static const SEC_ASN1Template LDAPSubstringFilterChoiceTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(LDAPSubstring, selector), 0,
+        sizeof (LDAPFilter) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+        offsetof(LDAPSubstring, item),
+        LDAPSubstringFilterInitialTemplate,
+        LDAP_INITIALSUBSTRING_TYPE },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+        offsetof(LDAPSubstring, item),
+        LDAPSubstringFilterAnyTemplate,
+        LDAP_ANYSUBSTRING_TYPE },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+        offsetof(LDAPSubstring, item),
+        LDAPSubstringFilterFinalTemplate,
+        LDAP_FINALSUBSTRING_TYPE },
+    { 0 }
+};
+
+/*
+ * Filter ::=
+ *      CHOICE {
+ *              and             [0] SET OF Filter,
+ *              or              [1] SET OF Filter,
+ *              not             [2] Filter,
+ *              equalityMatch   [3] AttributeValueAssertion,
+ *              substrings      [4] SubstringFilter,
+ *              greaterOrEqual  [5] AttributeValueAssertion,
+ *              lessOrEqual     [6] AttributeValueAssertion,
+ *              present         [7] AttributeType,
+ *              approxMatch     [8] AttributeValueAssertion
+        }
+ */
+
+static const SEC_ASN1Template LDAPSubstringFilterTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (LDAPSubstringFilter) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPSubstringFilter, attrType) },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(LDAPSubstringFilter, strings),
+        LDAPSubstringFilterChoiceTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template LDAPFilterTemplate[]; /* forward reference */
+
+static const SEC_ASN1Template LDAPSetOfFiltersTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, LDAPFilterTemplate }
+};
+
+static const SEC_ASN1Template LDAPAVAFilterTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (LDAPAttributeValueAssertion) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPAttributeValueAssertion, attrType) },
+    { SEC_ASN1_OCTET_STRING, offsetof(LDAPAttributeValueAssertion, attrValue) },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPPresentFilterTemplate[] = {
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPPresentFilter, attrType) }
+};
+
+#define LDAPEqualFilterTemplate LDAPAVAFilterTemplate
+#define LDAPGreaterOrEqualFilterTemplate LDAPAVAFilterTemplate
+#define LDAPLessOrEqualFilterTemplate LDAPAVAFilterTemplate
+#define LDAPApproxMatchFilterTemplate LDAPAVAFilterTemplate
+
+const SEC_ASN1Template LDAPFilterTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(LDAPFilter, selector), 0, sizeof(LDAPFilter) },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_ANDFILTER_TYPE,
+        offsetof(LDAPFilter, filter.andFilter.filters),
+        LDAPSetOfFiltersTemplate, LDAP_ANDFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_ORFILTER_TYPE,
+        offsetof(LDAPFilter, filter.orFilter.filters),
+        LDAPSetOfFiltersTemplate, LDAP_ORFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_NOTFILTER_TYPE | SEC_ASN1_POINTER,
+        offsetof(LDAPFilter, filter.notFilter),
+        LDAPFilterTemplate, LDAP_NOTFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_EQUALFILTER_TYPE,
+        offsetof(LDAPFilter, filter.equalFilter),
+        LDAPEqualFilterTemplate, LDAP_EQUALFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_SUBSTRINGFILTER_TYPE, offsetof(LDAPFilter, filter.substringFilter),
+        LDAPSubstringFilterTemplate, LDAP_SUBSTRINGFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_GREATEROREQUALFILTER_TYPE,
+        offsetof(LDAPFilter, filter.greaterOrEqualFilter),
+        LDAPGreaterOrEqualFilterTemplate, LDAP_GREATEROREQUALFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_LESSOREQUALFILTER_TYPE,
+        offsetof(LDAPFilter, filter.lessOrEqualFilter),
+        LDAPLessOrEqualFilterTemplate, LDAP_LESSOREQUALFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_PRESENTFILTER_TYPE,
+        offsetof(LDAPFilter, filter.presentFilter),
+        LDAPPresentFilterTemplate, LDAP_PRESENTFILTER_TYPE },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+        LDAP_APPROXMATCHFILTER_TYPE,
+        offsetof(LDAPFilter, filter.approxMatchFilter),
+        LDAPApproxMatchFilterTemplate, LDAP_APPROXMATCHFILTER_TYPE },
+    { 0 }
+};
+
+/*
+ * SearchRequest ::=
+ *      [APPLICATION 3] SEQUENCE {
+ *              baseObject      LDAPDN,
+ *              scope           ENUMERATED {
+ *                                      baseObject              (0),
+ *                                      singleLevel             (1),
+ *                                      wholeSubtree            (2)
+ *                              },
+ *              derefAliases    ENUMERATED {
+ *                                      neverDerefAliases       (0),
+ *                                      derefInSearching        (1),
+ *                                      derefFindingBaseObj     (2),
+ *                                      alwaysDerefAliases      (3)
+ *                              },
+ *              sizeLimit       INTEGER (0 .. MAXINT),
+ *                              -- value of 0 implies no sizeLimit
+ *              timeLimit       INTEGER (0 .. MAXINT),
+ *                              -- value of 0 implies no timeLimit
+ *              attrsOnly       BOOLEAN,
+ *                              -- TRUE, if only attributes (without values)
+ *                              -- to be returned
+ *              filter          Filter,
+ *              attributes      SEQUENCE OF AttributeType
+ *      }
+ */
+
+static const SEC_ASN1Template LDAPAttributeTemplate[] = {
+    { SEC_ASN1_LDAP_STRING, 0, NULL, sizeof (SECItem) }
+};
+
+static const SEC_ASN1Template LDAPSearchApplTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPSearch, baseObject) },
+    { SEC_ASN1_ENUMERATED, offsetof(LDAPSearch, scope) },
+    { SEC_ASN1_ENUMERATED, offsetof(LDAPSearch, derefAliases) },
+    { SEC_ASN1_INTEGER, offsetof(LDAPSearch, sizeLimit) },
+    { SEC_ASN1_INTEGER, offsetof(LDAPSearch, timeLimit) },
+    { SEC_ASN1_BOOLEAN, offsetof(LDAPSearch, attrsOnly) },
+    { SEC_ASN1_INLINE, offsetof(LDAPSearch, filter), LDAPFilterTemplate },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(LDAPSearch, attributes), LDAPAttributeTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPSearchTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | LDAP_SEARCH_TYPE, 0,
+        LDAPSearchApplTemplate, sizeof (LDAPSearch) } 
+};
+
+/*
+ * SearchResponse ::=
+ *      CHOICE {
+ *              entry   [APPLICATION 4] SEQUENCE {
+ *                              objectName      LDAPDN,
+ *                              attributes      SEQUENCE OF SEQUENCE {
+ *                                                      AttributeType,
+ *                                                      SET OF AttributeValue
+ *                                              }
+ *                      }
+ *              resultCode [APPLICATION 5] LDAPResult
+ *      }
+ */
+
+static const SEC_ASN1Template LDAPSearchResponseAttrTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(LDAPSearchResponseAttr) },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPSearchResponseAttr, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(LDAPSearchResponseAttr, val),
+        LDAPStringTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL },
+    { SEC_ASN1_LDAP_STRING, offsetof(LDAPSearchResponseEntry, objectName) },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(LDAPSearchResponseEntry, attributes),
+        LDAPSearchResponseAttrTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template LDAPSearchResponseEntryTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | LDAP_SEARCHRESPONSEENTRY_TYPE, 0,
+        LDAPEntryTemplate, sizeof (LDAPSearchResponseEntry) }
+};
+
+static const SEC_ASN1Template LDAPSearchResponseResultTemplate[] = {
+    { SEC_ASN1_APPLICATION | LDAP_SEARCHRESPONSERESULT_TYPE, 0,
+        LDAPResultTemplate, sizeof (LDAPSearchResponseResult) }
+};
+
+/*
+ * AbandonRequest ::=
+ *      [APPLICATION 16] MessageID
+ */
+
+static const SEC_ASN1Template LDAPAbandonTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(LDAPAbandonRequest, messageID) }
+};
+
+static const SEC_ASN1Template LDAPAbandonRequestTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_APPLICATION | LDAP_ABANDONREQUEST_TYPE, 0,
+        LDAPAbandonTemplate, sizeof (LDAPAbandonRequest) }
+};
+
+/*
+ * LDAPMessage ::=
+ *      SEQUENCE {
+ *              messageID       MessageID,
+ *              protocolOp      CHOICE {
+ *                                      bindRequest     BindRequest,
+ *                                      bindResponse    BindResponse,
+ *                                      unbindRequest   UnbindRequest,
+ *                                      searchRequest   SearchRequest,
+ *                                      searchResponse  SearchResponse,
+ *                                      abandonRequest  AbandonRequest
+ *                              }
+ *      }
+ *
+ *                                      (other choices exist, not shown)
+ *
+ * MessageID ::= INTEGER (0 .. maxInt)
+ */
+
+static const SEC_ASN1Template LDAPMessageProtocolOpTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(LDAPProtocolOp, selector), 0, sizeof (LDAPProtocolOp) },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.bindMsg),
+        LDAPBindTemplate, LDAP_BIND_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.bindResponseMsg),
+        LDAPBindResponseTemplate, LDAP_BINDRESPONSE_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.unbindMsg),
+        LDAPUnbindTemplate, LDAP_UNBIND_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.searchMsg),
+        LDAPSearchTemplate, LDAP_SEARCH_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.searchResponseEntryMsg),
+        LDAPSearchResponseEntryTemplate, LDAP_SEARCHRESPONSEENTRY_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.searchResponseResultMsg),
+        LDAPSearchResponseResultTemplate, LDAP_SEARCHRESPONSERESULT_TYPE },
+    { SEC_ASN1_INLINE, offsetof(LDAPProtocolOp, op.abandonRequestMsg),
+        LDAPAbandonRequestTemplate, LDAP_ABANDONREQUEST_TYPE },
+    { 0 }
+};
+
+const SEC_ASN1Template PKIX_PL_LDAPMessageTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL },
+    { SEC_ASN1_INTEGER, offsetof(LDAPMessage, messageID) },
+    { SEC_ASN1_INLINE, offsetof(LDAPMessage, protocolOp),
+        LDAPMessageProtocolOpTemplate },
+    { 0 }
+};
+
+/* This function simply returns the address of the message template.
+ * This is necessary for Windows DLLs.
+ */
+SEC_ASN1_CHOOSER_IMPLEMENT(PKIX_PL_LDAPMessageTemplate)
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c
new file mode 100755
index 000000000..96457c3cc
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c
@@ -0,0 +1,253 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_nsscontext.c
+ *
+ * NSSContext Function Definitions
+ *
+ */
+
+
+#include "pkix_pl_nsscontext.h"
+
+/* --Public-NSSContext-Functions--------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_NssContext_Create
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_NssContext_Create(
+        PKIX_UInt32 certificateUsage,
+        PKIX_Boolean useNssArena,
+        void *wincx,
+        void **pNssContext)
+{
+        PKIX_PL_NssContext *context = NULL;
+        PRArenaPool *arena = NULL;
+        void *plContext = NULL;
+
+        PKIX_ENTER(CONTEXT, "PKIX_PL_NssContext_Create");
+        PKIX_NULLCHECK_ONE(pNssContext);
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                   (sizeof(PKIX_PL_NssContext), (void **)&context, NULL),
+                   PKIX_MALLOCFAILED);
+
+        if (useNssArena == PKIX_TRUE) {
+                PKIX_CONTEXT_DEBUG("\t\tCalling PORT_NewArena\n");
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        }
+        
+        context->arena = arena;
+        context->certificateUsage = (SECCertificateUsage)certificateUsage;
+        context->wincx = wincx;
+
+        *pNssContext = context;
+
+cleanup:
+
+        PKIX_RETURN(CONTEXT);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_NssContext_Destroy
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_NssContext_Destroy(
+        void *nssContext)
+{
+        void *plContext = NULL;
+        PKIX_PL_NssContext *context = NULL;
+
+        PKIX_ENTER(CONTEXT, "PKIX_PL_NssContext_Destroy");
+        PKIX_NULLCHECK_ONE(nssContext);
+
+        context = (PKIX_PL_NssContext*)nssContext;
+
+        if (context->arena != NULL) {
+                PKIX_CONTEXT_DEBUG("\t\tCalling PORT_FreeArena\n");
+                PORT_FreeArena(context->arena, PKIX_FALSE);
+        }
+
+        PKIX_PL_Free(nssContext, NULL);
+
+        PKIX_RETURN(CONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_NssContext_GetCertUsage
+ * DESCRIPTION:
+ *
+ *  This function obtains the platform-dependent SECCertificateUsage  parameter
+ *  from the context object pointed to by "nssContext", storing the result at
+ *  "pCertUsage".
+ *
+ * PARAMETERS:
+ *  "nssContext"
+ *      The address of the context object whose wincx parameter is to be
+ *      obtained. Must be non-NULL.
+ *  "pCertUsage"
+ *      The address where the result is stored. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_NssContext_GetCertUsage(
+        PKIX_PL_NssContext *nssContext,
+        SECCertificateUsage *pCertUsage)
+{
+        void *plContext = NULL;
+
+        PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_GetCertUsage");
+        PKIX_NULLCHECK_TWO(nssContext, pCertUsage);
+
+        *pCertUsage = nssContext->certificateUsage;
+
+        PKIX_RETURN(CONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_NssContext_SetCertUsage
+ * DESCRIPTION:
+ *
+ *  This function sets the platform-dependent SECCertificateUsage parameter in
+ *  the context object pointed to by "nssContext" to the value provided in
+ *  "certUsage".
+ *
+ * PARAMETERS:
+ *  "certUsage"
+ *      Platform-dependent value to be stored.
+ *  "nssContext"
+ *      The address of the context object whose wincx parameter is to be
+ *      obtained. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_NssContext_SetCertUsage(
+        SECCertificateUsage certUsage,
+        PKIX_PL_NssContext *nssContext)
+{
+        void *plContext = NULL;
+
+        PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_SetCertUsage");
+        PKIX_NULLCHECK_ONE(nssContext);
+
+        nssContext->certificateUsage = certUsage;
+
+        PKIX_RETURN(CONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_NssContext_GetWincx
+ * DESCRIPTION:
+ *
+ *  This function obtains the platform-dependent wincx parameter from the
+ *  context object pointed to by "nssContext", storing the result at "pWincx".
+ *
+ * PARAMETERS:
+ *  "nssContext"
+ *      The address of the context object whose wincx parameter is to be
+ *      obtained. Must be non-NULL.
+ *  "pWincx"
+ *      The address where the result is stored. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_NssContext_GetWincx(
+        PKIX_PL_NssContext *nssContext,
+        void **pWincx)
+{
+        void *plContext = NULL;
+        PKIX_PL_NssContext *context = NULL;
+
+        PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_GetWincx");
+        PKIX_NULLCHECK_TWO(nssContext, pWincx);
+
+        context = (PKIX_PL_NssContext *)nssContext;
+
+        *pWincx = context->wincx;
+
+        PKIX_RETURN(CONTEXT);
+}
+
+/*
+ * FUNCTION: pkix_pl_NssContext_SetWincx
+ * DESCRIPTION:
+ *
+ *  This function sets the platform-dependent wincx parameter in the context
+ *  object pointed to by "nssContext" to the value provided in "wincx".
+ *
+ * PARAMETERS:
+ *  "wincx"
+ *      Platform-dependent value to be stored.
+ *  "nssContext"
+ *      The address of the context object whose wincx parameter is to be
+ *      obtained. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_NssContext_SetWincx(
+        void *wincx,
+        PKIX_PL_NssContext *nssContext)
+{
+        void *plContext = NULL;
+
+        PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_SetWincx");
+        PKIX_NULLCHECK_ONE(nssContext);
+
+        nssContext->wincx = wincx;
+
+        PKIX_RETURN(CONTEXT);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h
new file mode 100755
index 000000000..253890b7e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h
@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_nsscontext.h
+ *
+ * NSSContext Object Type Definition
+ *
+ */
+
+
+#ifndef _PKIX_PL_NSSCONTEXT_H
+#define _PKIX_PL_NSSCONTEXT_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct PKIX_PL_NssContextStruct PKIX_PL_NssContext;
+
+struct PKIX_PL_NssContextStruct {
+        SECCertificateUsage certificateUsage;
+        PRArenaPool *arena;
+        void *wincx;
+};
+
+PKIX_Error *
+pkix_pl_NssContext_GetCertUsage
+        (PKIX_PL_NssContext *nssContext, SECCertificateUsage *pCertUsage);
+
+PKIX_Error *
+pkix_pl_NssContext_SetCertUsage
+        (SECCertificateUsage certUsage, PKIX_PL_NssContext *nssContext);
+
+PKIX_Error *
+pkix_pl_NssContext_GetWincx(PKIX_PL_NssContext *nssContext, void **pWincx);
+
+PKIX_Error *
+pkix_pl_NssContext_SetWincx(void *wincx, PKIX_PL_NssContext *nssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_NSSCONTEXT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
new file mode 100755
index 000000000..3b5ce65ee
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -0,0 +1,735 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_pk11certstore.c
+ *
+ * PKCS11CertStore Function Definitions
+ *
+ */
+
+#include "pkix_pl_pk11certstore.h"
+
+/* --Private-Pk11CertStore-Functions---------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Pk11CertStore_CheckTrust
+ * DESCRIPTION:
+ * This function checks the trust status of this "cert" that was retrieved
+ * from the CertStore "store" and returns its trust status at "pTrusted".
+ *
+ * PARAMETERS:
+ * "store"
+ *      Address of the CertStore. Must be non-NULL.
+ * "cert"
+ *      Address of the Cert. Must be non-NULL.
+ * "pTrusted"
+ *      Address of PKIX_Boolean where the "cert" trust status is returned.
+ *      Must be non-NULL.
+ * "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Pk11CertStore_CheckTrust(
+        PKIX_CertStore *store,
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pTrusted,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        SECCertUsage certUsage = 0;
+        SECCertificateUsage certificateUsage;
+        unsigned int requiredFlags;
+        SECTrustType trustType;
+        CERTCertTrust trust;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CheckTrust");
+        PKIX_NULLCHECK_THREE(store, cert, pTrusted);
+        PKIX_NULLCHECK_ONE(cert->nssCert);
+
+        certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
+
+        /* ensure we obtained a single usage bit only */
+        PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
+        /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
+        while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
+
+        rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
+        if (rv == SECSuccess) {
+                rv = CERT_GetCertTrust(cert->nssCert, &trust);
+        }
+
+        if (rv == SECSuccess) {
+            unsigned int certFlags;
+
+            if (certUsage != certUsageAnyCA &&
+                certUsage != certUsageStatusResponder) {
+                CERTCertificate *nssCert = cert->nssCert;
+                
+                if (certUsage == certUsageVerifyCA) {
+                    if (nssCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
+                        trustType = trustEmail;
+                    } else if (nssCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
+                        trustType = trustSSL;
+                    } else {
+                        trustType = trustObjectSigning;
+                    }
+                }
+                
+                certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
+                if ((certFlags & requiredFlags) == requiredFlags) {
+                    trusted = PKIX_TRUE;
+                }
+            } else {
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    certFlags =
+                        SEC_GET_TRUST_FLAGS((&trust), trustType);
+                    if ((certFlags & requiredFlags) == requiredFlags) {
+                        trusted = PKIX_TRUE;
+                        break;
+                    }
+                }
+            }
+        }
+
+        *pTrusted = trusted;
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Pk11CertStore_CertQuery
+ * DESCRIPTION:
+ *
+ *  This function obtains from the database the Certs specified by the
+ *  ComCertSelParams pointed to by "params" and stores the resulting
+ *  List at "pSelected". If no matching Certs are found, a NULL pointer
+ *  will be stored.
+ *
+ *  This function uses a "smart" database query if the Subject has been set
+ *  in ComCertSelParams. Otherwise, it uses a very inefficient call to
+ *  retrieve all Certs in the database (and run them through the selector).
+ *
+ * PARAMETERS:
+ * "params"
+ *      Address of the ComCertSelParams. Must be non-NULL.
+ * "pSelected"
+ *      Address at which List will be stored. Must be non-NULL.
+ * "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Pk11CertStore_CertQuery(
+        PKIX_ComCertSelParams *params,
+        PKIX_List **pSelected,
+        void *plContext)
+{
+        PRBool validOnly = PR_FALSE;
+        PRTime prtime = 0;
+        PKIX_PL_X500Name *subjectName = NULL;
+        PKIX_PL_Date *certValid = NULL;
+        PKIX_List *certList = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        CERTCertList *pk11CertList = NULL;
+        CERTCertListNode *node = NULL;
+        CERTCertificate *nssCert = NULL;
+        CERTCertDBHandle *dbHandle = NULL;
+
+        PRArenaPool *arena = NULL;
+        SECItem *nameItem = NULL;
+        void *wincx = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CertQuery");
+        PKIX_NULLCHECK_TWO(params, pSelected);
+
+        /* avoid multiple calls to retrieve a constant */
+        PKIX_PL_NSSCALLRV(CERTSTORE, dbHandle, CERT_GetDefaultCertDB, ());
+
+        /*
+         * Any of the ComCertSelParams may be obtained and used to constrain
+         * the database query, to allow the use of a "smart" query. See
+         * pkix_certsel.h for a list of the PKIX_ComCertSelParams_Get*
+         * calls available. No corresponding "smart" queries exist at present,
+         * except for CERT_CreateSubjectCertList based on Subject. When others
+         * are added, corresponding code should be added to
+         * pkix_pl_Pk11CertStore_CertQuery to use them when appropriate
+         * selector parameters have been set.
+         */
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
+                (params, &subjectName, plContext),
+                PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
+
+        PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
+                (params, &certValid, plContext),
+                PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
+
+        /* If caller specified a Date, convert it to PRTime */
+        if (certValid) {
+                PKIX_CHECK(pkix_pl_Date_GetPRTime
+                        (certValid, &prtime, plContext),
+                        PKIX_DATEGETPRTIMEFAILED);
+                validOnly = PR_TRUE;
+        }
+
+        /*
+         * If we have the subject name for the desired subject,
+         * ask the database for Certs with that subject. Otherwise
+         * ask the database for all Certs.
+         */
+        if (subjectName) {
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena) {
+
+                        PKIX_CHECK(pkix_pl_X500Name_GetDERName
+                                (subjectName, arena, &nameItem, plContext),
+                                PKIX_X500NAMEGETSECNAMEFAILED);
+
+                        if (nameItem) {
+
+                            PKIX_PL_NSSCALLRV
+                                (CERTSTORE,
+                                pk11CertList,
+                                CERT_CreateSubjectCertList,
+                                (NULL, dbHandle, nameItem, prtime, validOnly));
+                        }
+                        PKIX_PL_NSSCALL
+                                (CERTSTORE, PORT_FreeArena, (arena, PR_FALSE));
+                        arena = NULL;
+                }
+
+        } else {
+
+                PKIX_CHECK(pkix_pl_NssContext_GetWincx
+                        ((PKIX_PL_NssContext *)plContext, &wincx),
+                        PKIX_NSSCONTEXTGETWINCXFAILED);
+
+                PKIX_PL_NSSCALLRV
+                        (CERTSTORE,
+                        pk11CertList,
+                        PK11_ListCerts,
+                        (PK11CertListAll, wincx));
+        }
+
+        if (pk11CertList) {
+
+                PKIX_CHECK(PKIX_List_Create(&certList, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+                for (node = CERT_LIST_HEAD(pk11CertList);
+                    !(CERT_LIST_END(node, pk11CertList));
+                    node = CERT_LIST_NEXT(node)) {
+
+                        PKIX_PL_NSSCALLRV
+                                (CERTSTORE,
+                                nssCert,
+                                CERT_NewTempCertificate,
+                                        (dbHandle,
+                                        &(node->cert->derCert),
+                                        NULL, /* nickname */
+                                        PR_FALSE,
+                                        PR_TRUE)); /* copyDER */
+
+                        if (!nssCert) {
+                                continue; /* just skip bad certs */
+                        }
+
+                        PKIX_CHECK_ONLY_FATAL(pkix_pl_Cert_CreateWithNSSCert
+                                (nssCert, &cert, plContext),
+                                PKIX_CERTCREATEWITHNSSCERTFAILED);
+
+                        if (PKIX_ERROR_RECEIVED) {
+                                CERT_DestroyCertificate(nssCert);
+                                nssCert = NULL;
+                                continue; /* just skip bad certs */
+                        }
+
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (certList, (PKIX_PL_Object *)cert, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                        PKIX_DECREF(cert);
+
+                }
+
+                /* Don't throw away the list if one cert was bad! */
+                pkixTempErrorReceived = PKIX_FALSE;
+        }
+
+        *pSelected = certList;
+        certList = NULL;
+
+cleanup:
+        
+        if (pk11CertList) {
+            CERT_DestroyCertList(pk11CertList);
+        }
+        if (arena) {
+            PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_DECREF(subjectName);
+        PKIX_DECREF(certValid);
+        PKIX_DECREF(cert);
+        PKIX_DECREF(certList);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Pk11CertStore_CrlQuery
+ * DESCRIPTION:
+ *
+ *  This function obtains from the database the CRLs specified by the
+ *  ComCRLSelParams pointed to by "params" and stores the List at "pSelected".
+ *  If no Crls are found matching the criteria a NULL pointer is stored.
+ *
+ *  This function uses a "smart" database query if IssuerNames has been set
+ *  in ComCertSelParams. Otherwise, it would have to use a very inefficient
+ *  call to retrieve all Crls in the database (and run them through the
+ *  selector). In addition to being inefficient, this usage would cause a
+ *  memory leak because we have no mechanism at present for releasing a List
+ *  of Crls that occupy the same arena. Therefore this function returns a
+ *  CertStore Error if the selector has not been provided with parameters
+ *  that allow for a "smart" query. (Currently, only the Issuer Name meets
+ *  this requirement.)
+ *
+ * PARAMETERS:
+ * "params"
+ *      Address of the ComCRLSelParams. Must be non-NULL.
+ * "pSelected"
+ *      Address at which List will be stored. Must be non-NULL.
+ * "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Pk11CertStore_CrlQuery(
+        PKIX_ComCRLSelParams *params,
+        PKIX_List **pSelected,
+        void *plContext)
+{
+        PKIX_UInt32 nameIx = 0;
+        PKIX_UInt32 numNames = 0;
+        PKIX_List *issuerNames = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        PRArenaPool *arena = NULL;
+        SECItem *nameItem = NULL;
+        SECStatus rv = SECFailure;
+        PKIX_List *crlList = NULL;
+        PKIX_PL_CRL *crl = NULL;
+        CRLDPCache* dpcache = NULL;
+        CERTSignedCrl** crls = NULL;
+        PRBool writeLocked = PR_FALSE;
+        PRUint16 status = 0;
+        void *wincx = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CrlQuery");
+        PKIX_NULLCHECK_TWO(params, pSelected);
+
+        PKIX_CHECK(pkix_pl_NssContext_GetWincx
+                ((PKIX_PL_NssContext *)plContext, &wincx),
+                PKIX_NSSCONTEXTGETWINCXFAILED);
+
+        /*
+         * If we have <info> for <a smart query>,
+         * ask the database for Crls meeting those constraints.
+         */
+        PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
+                (params, &issuerNames, plContext),
+                PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);
+
+        /*
+         * The specification for PKIX_ComCRLSelParams_GetIssuerNames in
+         * pkix_crlsel.h says that if the IssuerNames is not set we get a null
+         * pointer. If the user set IssuerNames to an empty List he has
+         * provided a criterion impossible to meet ("must match at least one
+         * of the names in the List").
+         */
+        if (issuerNames) {
+
+            PKIX_CHECK(PKIX_List_Create(&crlList, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+            PKIX_CHECK(PKIX_List_GetLength
+                        (issuerNames, &numNames, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (arena) {
+
+                for (nameIx = 0; nameIx < numNames; nameIx++) {
+                    PKIX_CHECK(PKIX_List_GetItem
+                        (issuerNames,
+                        nameIx,
+                        (PKIX_PL_Object **)&issuer,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+                    PKIX_CHECK(pkix_pl_X500Name_GetDERName
+                        (issuer, arena, &nameItem, plContext),
+                        PKIX_X500NAMEGETSECNAMEFAILED);
+                    if (nameItem) {
+                        /*
+                         * Successive calls append CRLs to
+                         * the end of the list. If failure,
+                         * no CRLs were appended.
+                         */
+                        rv = AcquireDPCache(NULL, nameItem, NULL, 0,
+                                            wincx, &dpcache, &writeLocked);
+                        if (rv == SECFailure) {
+                            PKIX_ERROR(PKIX_FETCHINGCACHEDCRLFAILED);
+                        }
+
+                        PKIX_PL_NSSCALLRV
+                            (CERTSTORE, rv, DPCache_GetAllCRLs,
+                            (dpcache, arena, &crls, &status));
+
+                        if ((status & (~CRL_CACHE_INVALID_CRLS)) != 0) {
+                            PKIX_ERROR(PKIX_FETCHINGCACHEDCRLFAILED);
+                        }
+
+                        while (crls != NULL && *crls != NULL) {
+
+                            PKIX_CHECK_ONLY_FATAL
+                                (pkix_pl_CRL_CreateWithSignedCRL
+                                (*crls, &crl, plContext),
+                                PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
+
+                            if (PKIX_ERROR_RECEIVED) {
+                                PKIX_DECREF(crl);
+                                crls++;
+                                continue; /* just skip bad certs */
+                            }
+
+                            PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (crlList, (PKIX_PL_Object *)crl, plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                            PKIX_DECREF(crl);
+                            crls++;
+                        }
+
+                        /* Don't throw away the list if one cert was bad! */
+                        pkixTempErrorReceived = PKIX_FALSE;
+                        
+                    }
+                    PKIX_DECREF(issuer);
+                }
+
+            }
+        } else {
+                PKIX_ERROR(PKIX_INSUFFICIENTCRITERIAFORCRLQUERY);
+        }
+
+        *pSelected = crlList;
+        crlList = NULL;
+
+cleanup:
+
+        PKIX_DECREF(crlList);
+
+        ReleaseDPCache(dpcache, writeLocked);
+
+        if (arena) {
+            PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_DECREF(issuerNames);
+        PKIX_DECREF(issuer);
+        PKIX_DECREF(crl);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Pk11CertStore_GetCert
+ *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_Pk11CertStore_GetCert(
+        PKIX_CertStore *store,
+        PKIX_CertSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCertList,
+        void *plContext)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numFound = 0;
+        PKIX_PL_Cert *candidate = NULL;
+        PKIX_List *selected = NULL;
+        PKIX_List *filtered = NULL;
+        PKIX_CertSelector_MatchCallback callback = NULL;
+        PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
+        PKIX_ComCertSelParams *params = NULL;
+        PKIX_Boolean pass = PKIX_TRUE;
+        PKIX_Boolean cacheFlag = PKIX_FALSE;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCert");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
+
+        *pNBIOContext = NULL;   /* We don't use non-blocking I/O */
+
+        PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+                (selector, &callback, plContext),
+                PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+        PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
+                (selector, &params, plContext),
+                PKIX_CERTSELECTORGETCOMCERTSELPARAMSFAILED);
+
+        PKIX_CHECK(pkix_pl_Pk11CertStore_CertQuery
+                (params, &selected, plContext),
+                PKIX_PK11CERTSTORECERTQUERYFAILED);
+
+        if (selected) {
+                PKIX_CHECK(PKIX_List_GetLength(selected, &numFound, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+        }
+
+        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+                (store, &cacheFlag, plContext),
+                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+        PKIX_CHECK(PKIX_CertStore_GetTrustCallback
+                (store, &trustCallback, plContext),
+                PKIX_CERTSTOREGETTRUSTCALLBACKFAILED);
+
+        PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        for (i = 0; i < numFound; i++) {
+                PKIX_CHECK_ONLY_FATAL(PKIX_List_GetItem
+                        (selected,
+                        i,
+                        (PKIX_PL_Object **)&candidate,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (PKIX_ERROR_RECEIVED) {
+                        continue; /* just skip bad certs */
+                }
+
+                PKIX_CHECK_ONLY_FATAL(callback
+                        (selector, candidate, &pass, plContext),
+                        PKIX_CERTSELECTORFAILED);
+
+                if (!(PKIX_ERROR_RECEIVED) && pass) {
+
+                        PKIX_CHECK(PKIX_PL_Cert_SetCacheFlag
+                                (candidate, cacheFlag, plContext),
+                                PKIX_CERTSETCACHEFLAGFAILED);
+
+                        if (trustCallback) {
+                                PKIX_CHECK(PKIX_PL_Cert_SetTrustCertStore
+                                    (candidate, store, plContext),
+                                    PKIX_CERTSETTRUSTCERTSTOREFAILED);
+                        }
+
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (filtered,
+                                (PKIX_PL_Object *)candidate,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(candidate);
+        }
+
+        /* Don't throw away the list if one cert was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pCertList = filtered;
+        filtered = NULL;
+
+cleanup:
+
+        PKIX_DECREF(filtered);
+        PKIX_DECREF(candidate);
+        PKIX_DECREF(selected);
+        PKIX_DECREF(params);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Pk11CertStore_GetCRL
+ *  (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h)
+ */
+PKIX_Error *
+pkix_pl_Pk11CertStore_GetCRL(
+        PKIX_CertStore *store,
+        PKIX_CRLSelector *selector,
+        void **pNBIOContext,
+        PKIX_List **pCrlList,
+        void *plContext)
+{
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 numFound = 0;
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_PL_CRL *candidate = NULL;
+        PKIX_List *selected = NULL;
+        PKIX_List *filtered = NULL;
+        PKIX_CRLSelector_MatchCallback callback = NULL;
+        PKIX_ComCRLSelParams *params = NULL;
+
+        PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCRL");
+        PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCrlList);
+
+        *pNBIOContext = NULL;   /* We don't use non-blocking I/O */
+
+        PKIX_CHECK(PKIX_CRLSelector_GetMatchCallback
+                (selector, &callback, plContext),
+                PKIX_CRLSELECTORGETMATCHCALLBACKFAILED);
+
+        PKIX_CHECK(PKIX_CRLSelector_GetCommonCRLSelectorParams
+                (selector, &params, plContext),
+                PKIX_CRLSELECTORGETCOMCERTSELPARAMSFAILED);
+
+        PKIX_CHECK(pkix_pl_Pk11CertStore_CrlQuery
+                (params, &selected, plContext),
+                PKIX_PK11CERTSTORECRLQUERYFAILED);
+
+        if (selected) {
+                PKIX_CHECK(PKIX_List_GetLength(selected, &numFound, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+        }
+
+        PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        for (i = 0; i < numFound; i++) {
+                PKIX_CHECK_ONLY_FATAL(PKIX_List_GetItem
+                        (selected,
+                        i,
+                        (PKIX_PL_Object **)&candidate,
+                        plContext),
+                        PKIX_LISTGETITEMFAILED);
+
+                if (PKIX_ERROR_RECEIVED) {
+                        continue; /* just skip bad CRLs */
+                }
+
+                PKIX_CHECK_ONLY_FATAL(callback
+                        (selector, candidate, &match, plContext),
+                        PKIX_CRLSELECTORFAILED);
+
+                if (!(PKIX_ERROR_RECEIVED) && match) {
+                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
+                                (filtered,
+                                (PKIX_PL_Object *)candidate,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+                }
+
+                PKIX_DECREF(candidate);
+        }
+
+        /* Don't throw away the list if one CRL was bad! */
+        pkixTempErrorReceived = PKIX_FALSE;
+
+        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pCrlList = filtered;
+        filtered = NULL;
+
+cleanup:
+
+        PKIX_DECREF(filtered);
+        PKIX_DECREF(candidate);
+        PKIX_DECREF(selected);
+        PKIX_DECREF(params);
+
+        PKIX_RETURN(CERTSTORE);
+}
+
+/* --Public-Pk11CertStore-Functions----------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_Pk11CertStore_Create
+ * (see comments in pkix_samples_modules.h)
+ */
+PKIX_Error *
+PKIX_PL_Pk11CertStore_Create(
+        PKIX_CertStore **pCertStore,
+        void *plContext)
+{
+        PKIX_CertStore *certStore = NULL;
+
+        PKIX_ENTER(CERTSTORE, "PKIX_PL_Pk11CertStore_Create");
+        PKIX_NULLCHECK_ONE(pCertStore);
+
+        PKIX_CHECK(PKIX_CertStore_Create
+                (pkix_pl_Pk11CertStore_GetCert,
+                pkix_pl_Pk11CertStore_GetCRL,
+                NULL, /* getCertContinue */
+                NULL, /* getCrlContinue */
+                pkix_pl_Pk11CertStore_CheckTrust,
+                NULL,
+                PKIX_TRUE, /* cache flag */
+                PKIX_TRUE, /* local - no network I/O */
+                &certStore,
+                plContext),
+                PKIX_CERTSTORECREATEFAILED);
+
+        *pCertStore = certStore;
+
+cleanup:
+
+        PKIX_RETURN(CERTSTORE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.h
new file mode 100755
index 000000000..ab9ad89fc
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.h
@@ -0,0 +1,64 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_pk11certstore.h
+ *
+ * PK11Certstore Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_PK11CERTSTORE_H
+#define _PKIX_PL_PK11CERTSTORE_H
+
+#include "pkix_pl_common.h"
+#include "certi.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* see source file for function documentation */
+PKIX_Error *
+PKIX_PL_Pk11CertStore_Create(
+        PKIX_CertStore **pCertStore,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_PK11CERTSTORE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
new file mode 100644
index 000000000..c29e361bf
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -0,0 +1,1723 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_socket.c
+ *
+ * Socket Function Definitions
+ *
+ */
+
+/*
+ * If Socket Tracing is active, messages sent and received will be
+ * timestamped and dumped (to stdout) in standard hex-dump format. E.g.,
+ *
+ * 1116612359156140:
+ * 28F0: 48 65 6C 6C 6F 2C 20 77   6F 72 6C 64 21 00    Hello, world!.
+ *
+ * The timestamp is not formatted to be meaningful except as an increasing
+ * value of seconds.microseconds, which is good enough to correlate two
+ * sides of a message exchange and to figure durations.
+ *
+ * Code to perform Socket tracing will be compiled in if PKIX_SOCKETTRACE
+ * is defined, but that doesn't mean socket tracing is active. Tracing also
+ * requires that the Boolean socketTraceFlag is set to PKIX_TRUE. That is
+ * the default value, but it can be overridden by using the debugger to
+ * change its value -- allowing tracing to be turned on and off at various
+ * breakpoints -- or by setting the environment variable SOCKETTRACE. A
+ * value of 1 sets socketTraceFlag to PKIX_TRUE (tracing on), and any other
+ * value sets socketTraceFlag to PKIX_FALSE (tracing off). The environment
+ * value is checked during system initialization.
+ */
+#ifndef BUILD_OPT
+#define PKIX_SOCKETTRACE 1
+#endif
+
+#ifdef PKIX_SOCKETDEBUG
+#define PKIX_SOCKETTRACE 1
+#endif
+
+#include "pkix_pl_socket.h"
+
+/* --Private-Socket-Functions---------------------------------- */
+
+#ifdef PKIX_SOCKETTRACE
+static PKIX_Boolean socketTraceFlag = PKIX_FALSE;
+
+/*
+ * FUNCTION: pkix_pl_socket_timestamp
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the time of day, as obtained from the
+ *  system function gettimeofday, as seconds.microseconds. Its resolution
+ *  is whatever the system call provides.
+ *
+ * PARAMETERS:
+ *  none
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static void pkix_pl_socket_timestamp() {
+        PRInt64 prTime;
+        prTime = PR_Now();
+        printf("%lld:\n", prTime);
+}
+
+/*
+ * FUNCTION: pkix_pl_socket_hexDigit
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the byte "byteVal" as two hex digits.
+ *
+ * PARAMETERS:
+ *  "byteVal"
+ *      The value to be printed.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static void pkix_pl_socket_hexDigit(char byteVal) {
+        int n = 0;
+        char cHi = '\0';
+        char cLow = '\0';
+        n = ((byteVal >> 4) & 0xf);
+        if (n > 9) {
+                cHi = (char) ((n - 10) + 'A');
+        } else {
+                cHi = (char) (n + '0');
+        }
+        n = byteVal & 0xf;
+        if (n > 9) {
+                cLow = (char) ((n - 10) + 'A');
+        } else {
+                cLow = (char) (n + '0');
+        }
+        (void) printf("%c%c", cHi, cLow);
+}
+
+/*
+ * FUNCTION: pkix_pl_socket_linePrefix
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the address provided by "addr" as four
+ *  hexadecimal digits followed by a colon and a space.
+ *
+ * PARAMETERS:
+ *  "addr"
+ *      The address to be printed
+ *  none
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static void pkix_pl_socket_linePrefix(PKIX_UInt32 addr) {
+        pkix_pl_socket_hexDigit((char)((addr >> 8) & 0xff));
+        pkix_pl_socket_hexDigit((char)(addr & 0xff));
+        (void) printf(": ");
+}
+
+/*
+ * FUNCTION: pkix_pl_socket_traceLine
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the sixteen bytes beginning at the
+ *  address pointed to by "ptr". The bytes are printed as sixteen pairs
+ *  of hexadecimal characters followed by an ascii interpretation, in which
+ *  characters from 0x20 to 0x7d are shown as their ascii equivalents, and
+ *  other values are represented as periods.
+ *
+ * PARAMETERS:
+ *  "ptr"
+ *      The address of the first of the bytes to be printed
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static void pkix_pl_socket_traceLine(char *ptr) {
+        PKIX_UInt32 i = 0;
+        pkix_pl_socket_linePrefix((PKIX_UInt32)ptr);
+        for (i = 0; i < 16; i++) {
+                printf(" ");
+                pkix_pl_socket_hexDigit(ptr[i]);
+                if (i == 7) {
+                        printf("  ");
+                }
+        }
+        printf("  ");
+        for (i = 0; i < 16; i++) {
+                if ((ptr[i] < ' ') || (ptr[i] > '}')) {
+                        printf(".");
+                } else {
+                        printf("%c", ptr[i]);
+                }
+        }
+        printf("\n");
+}
+
+/*
+ * FUNCTION: pkix_pl_socket_tracePartialLine
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the number of bytes given by "nBytes",
+ *  beginning at the address pointed to by "ptr". The bytes are printed as
+ *  pairs of hexadecimal characters followed by an ascii interpretation, in
+ *  which characters from 0x20 to 0x7d are shown as their ascii equivalents,
+ *  and other values are represented as periods.
+ *
+ * PARAMETERS:
+ *  "ptr"
+ *      The address of the first of the bytes to be printed
+ *  "nBytes"
+ *      The Int32 value giving the number of bytes to be printed. If "nBytes"
+ *      is greater than sixteen, the results will be unattractive.
+ *  none
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static void pkix_pl_socket_tracePartialLine(char *ptr, PKIX_UInt32 nBytes) {
+        PKIX_UInt32 i = 0;
+        if (nBytes > 0) {
+                pkix_pl_socket_linePrefix((PKIX_UInt32)ptr);
+        }
+        for (i = 0; i < nBytes; i++) {
+                printf(" ");
+                pkix_pl_socket_hexDigit(ptr[i]);
+                if (i == 7) {
+                        printf("  ");
+                }
+        }
+        for (i = nBytes; i < 16; i++) {
+                printf("   ");
+                if (i == 7) {
+                        printf("  ");
+                }
+        }
+        printf("  ");
+        for (i = 0; i < nBytes; i++) {
+                if ((ptr[i] < ' ') || (ptr[i] > '}')) {
+                        printf(".");
+                } else {
+                        printf("%c", ptr[i]);
+                }
+        }
+        printf("\n");
+}
+
+/*
+ * FUNCTION: pkix_pl_socket_tracebuff
+ * DESCRIPTION:
+ *
+ *  This functions prints to stdout the number of bytes given by "nBytes",
+ *  beginning with the byte pointed to by "buf". The output is preceded by
+ *  a timestamp, and each group of sixteen (and a remainder, if any) is
+ *  preceded by its address. The contents are shown in hexadecimal and as
+ *  ascii characters. If "nBytes" is zero, the timestamp and starting
+ *  address are displayed.
+ *
+ * PARAMETERS:
+ *  "buf"
+ *      The starting address of the bytes to be printed
+ *  "nBytes"
+ *      The number of bytes to be printed
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+void pkix_pl_socket_tracebuff(void *buf, PKIX_UInt32 nBytes) {
+        PKIX_UInt32 bytesRemaining = nBytes;
+        PKIX_UInt32 offset = 0;
+        char *bufptr = (char *)buf;
+
+        if (socketTraceFlag == PKIX_FALSE) return;
+
+        pkix_pl_socket_timestamp();
+        /*
+         * Special case: if called with length of zero, just do address
+         */
+        if (nBytes == 0) {
+                pkix_pl_socket_linePrefix((PKIX_UInt32)buf);
+                printf("\n");
+        } else {
+                while (bytesRemaining >= 16) {
+                        pkix_pl_socket_traceLine(&bufptr[offset]);
+                        bytesRemaining -= 16;
+                        offset += 16;
+                }
+                pkix_pl_socket_tracePartialLine
+                        (&bufptr[offset], bytesRemaining);
+        }
+}
+
+#endif
+
+/*
+ * FUNCTION: pkix_pl_Socket_SetNonBlocking
+ * DESCRIPTION:
+ *
+ *  This functions sets the socket represented by the PRFileDesc "fileDesc"
+ *  to nonblocking mode.
+ *
+ * PARAMETERS:
+ *  "fileDesc"
+ *      The address of the PRFileDesc whose I/O mode is to be set
+ *      non-blocking. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_SetNonBlocking(
+        PRFileDesc *fileDesc,
+        void *plContext)
+{
+        PRStatus rv = PR_FAILURE;
+        PRSocketOptionData sockOptionData;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_SetNonBlocking");
+        PKIX_NULLCHECK_ONE(fileDesc);
+
+        sockOptionData.option = PR_SockOpt_Nonblocking;
+        sockOptionData.value.non_blocking = PR_TRUE;
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, fileDesc->methods->setsocketoption,
+                (fileDesc, &sockOptionData));
+
+        if (rv != PR_SUCCESS) {
+                PKIX_ERROR(PKIX_UNABLETOSETSOCKETTONONBLOCKING);
+        }
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_CreateClient
+ * DESCRIPTION:
+ *
+ *  This functions creates a client socket for the PKIX_PL_Socket pointed to
+ *  by "socket". If "socket" was created with a timeout value of zero, the
+ *  client socket is set to use nonblocking I/O.
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the Socket for which a client socket is to be
+ *      created. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+
+static PKIX_Error *
+pkix_pl_Socket_CreateClient(
+        PKIX_PL_Socket *socket,
+        void *plContext)
+{
+#ifdef PKIX_SOCKETDEBUG
+        PRErrorCode errorcode = 0;
+#endif
+        PRFileDesc *mySock = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateClient");
+        PKIX_NULLCHECK_ONE(socket);
+
+        PKIX_PL_NSSCALLRV(SOCKET, mySock, PR_NewTCPSocket, ());
+        if (!mySock) {
+#ifdef PKIX_SOCKETDEBUG
+                errorcode = PR_GetError();
+                printf
+                        ("pkix_pl_Socket_CreateClient: %s\n",
+                        PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Created socket, PRFileDesc @  %#X\n", mySock);
+#endif
+
+        socket->clientSock = mySock;
+        socket->status = SOCKET_UNCONNECTED;
+        if (socket->timeout == 0) {
+                PKIX_CHECK(pkix_pl_Socket_SetNonBlocking(mySock, plContext),
+                        PKIX_SOCKETSETNONBLOCKINGFAILED);
+        }
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_CreateServer
+ * DESCRIPTION:
+ *
+ *  This functions creates a server socket for the PKIX_PL_Socket pointed to
+ *  by "socket". If "socket" was created with a timeout value of zero, the
+ *  server socket is set to use nonblocking I/O.
+ *
+ *  Warning: there seems to be a problem with operating a server socket in
+ *  non-blocking mode. If the server calls Recv prior to a corresponding
+ *  Send, the message may be lost.
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the Socket for which a server socket is to be
+ *      created. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_CreateServer(
+        PKIX_PL_Socket *socket,
+        void *plContext)
+{
+/* #ifdef PKIX_SOCKETDEBUG */
+        PRErrorCode errorcode = 0;
+/* #endif */
+        PRStatus rv = PR_FAILURE;
+        PRFileDesc *serverSock = NULL;
+        PRSocketOptionData sockOptionData;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateServer");
+        PKIX_NULLCHECK_ONE(socket);
+
+        PKIX_PL_NSSCALLRV(SOCKET, serverSock, PR_NewTCPSocket, ());
+        if (!serverSock) {
+#ifdef PKIX_SOCKETDEBUG
+                errorcode = PR_GetError();
+                printf
+                        ("pkix_pl_Socket_CreateServer: %s\n",
+                        PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+        }
+
+        socket->serverSock = serverSock;
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Created socket, PRFileDesc @  %#X\n", serverSock);
+#endif
+
+        if (socket->timeout == 0) {
+                PKIX_CHECK(pkix_pl_Socket_SetNonBlocking(serverSock, plContext),
+                        PKIX_SOCKETSETNONBLOCKINGFAILED);
+        }
+
+        sockOptionData.option = PR_SockOpt_Reuseaddr;
+        sockOptionData.value.reuse_addr = PR_TRUE;
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, serverSock->methods->setsocketoption,
+                (serverSock, &sockOptionData));
+
+        if (rv != PR_SUCCESS) {
+                PKIX_ERROR(PKIX_UNABLETOSETSOCKETTONONBLOCKING);
+        }
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, PR_Bind, (serverSock, socket->netAddr));
+
+        if (rv == PR_FAILURE) {
+/* #ifdef PKIX_SOCKETDEBUG */
+                errorcode = PR_GetError();
+                printf
+                        ("pkix_pl_Socket_CreateServer: %s\n",
+                        PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+/* #endif */
+                PKIX_ERROR(PKIX_PRBINDFAILED);
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Successful bind!\n");
+#endif
+
+        socket->status = SOCKET_BOUND;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Connect
+ * DESCRIPTION:
+ *
+ *  This functions performs the connect function for the client socket
+ *  specified in "socket", storing the status at "pStatus".
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the Socket for which a connect is to be performed.
+ *      Must be non-NULL.
+ *  "pStatus"
+ *      The address at which the connection status is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Connect(
+        PKIX_PL_Socket *socket,
+        PRErrorCode *pStatus,
+        void *plContext)
+{
+        PRStatus rv = PR_FAILURE;
+        PRErrorCode errorcode = 0;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Connect");
+        PKIX_NULLCHECK_TWO(socket, socket->clientSock);
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, PR_Connect,
+                (socket->clientSock, socket->netAddr, socket->timeout));
+
+        if (rv == PR_FAILURE) {
+                errorcode = PR_GetError();
+                *pStatus = errorcode;
+                if (errorcode == PR_IN_PROGRESS_ERROR) {
+                        socket->status = SOCKET_CONNECTPENDING;
+                        goto cleanup;
+                } else {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_Connect: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRCONNECTFAILED);
+                }
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Successful connect!\n");
+#endif
+
+        *pStatus = 0;
+        socket->status = SOCKET_CONNECTED;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_ConnectContinue
+ * DESCRIPTION:
+ *
+ *  This functions continues the connect function for the client socket
+ *  specified in "socket", storing the status at "pStatus". It is expected that
+ *  the non-blocking connect has returned PR_IN_PROGRESS_ERROR.
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the Socket for which a connect is to be continued.
+ *      Must be non-NULL.
+ *  "pStatus"
+ *      The address at which the connection status is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_ConnectContinue(
+        PKIX_PL_Socket *socket,
+        PRErrorCode *pStatus,
+        void *plContext)
+{
+        PRStatus rv = PR_FAILURE;
+        PRErrorCode errorcode = 0;
+        PRPollDesc pollDesc;
+        PRInt32 numEvents = 0;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_ConnectContinue");
+        PKIX_NULLCHECK_TWO(socket, socket->clientSock);
+
+        pollDesc.fd = socket->clientSock;
+        pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+        pollDesc.out_flags = 0;
+        PKIX_PL_NSSCALLRV(SOCKET, numEvents, PR_Poll, (&pollDesc, 1, 0));
+        if (numEvents < 0) {
+                PKIX_ERROR(PKIX_PRPOLLFAILED);
+        }
+
+        if (numEvents == 0) {
+                *pStatus = PR_IN_PROGRESS_ERROR;
+                goto cleanup;
+        }
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, PR_ConnectContinue,
+                (socket->clientSock, pollDesc.out_flags));
+
+        /*
+         * PR_ConnectContinue sometimes lies. It returns PR_SUCCESS
+         * even though the connection is not yet ready. But its deceit
+         * is betrayed by the contents of out_flags!
+         */
+        if ((rv == PR_SUCCESS) && (pollDesc.out_flags == PR_POLL_ERR)) {
+                *pStatus = PR_IN_PROGRESS_ERROR;
+                goto cleanup;
+        }
+
+        if (rv == PR_FAILURE) {
+                errorcode = PR_GetError();
+                *pStatus = errorcode;
+                if (errorcode == PR_IN_PROGRESS_ERROR) {
+                        goto cleanup;
+                } else {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_ConnectContinue: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRCONNECTCONTINUEFAILED);
+                }
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Successful connect!\n");
+#endif
+
+        *pStatus = 0;
+        socket->status = SOCKET_CONNECTED;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Socket_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Socket *socket = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_SOCKET_TYPE, plContext),
+                    PKIX_OBJECTNOTANSOCKET);
+
+        socket = (PKIX_PL_Socket *)object;
+
+        if (socket->isServer) {
+                if (socket->serverSock) {
+                        PR_Close(socket->serverSock);
+                }
+        } else {
+                if (socket->clientSock) {
+                        PR_Close(socket->clientSock);
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Socket_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_Socket *socket = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_SOCKET_TYPE, plContext),
+                PKIX_OBJECTNOTSOCKET);
+
+        socket = (PKIX_PL_Socket *)object;
+
+        *pHashcode = (((socket->timeout << 3) +
+                 (socket->netAddr->inet.family << 3)) +
+                 (*((PKIX_UInt32 *)&(socket->netAddr->inet.ip)))) +
+                 socket->netAddr->inet.port;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Socket_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_Socket *firstSocket = NULL;
+        PKIX_PL_Socket *secondSocket = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        *pResult = PKIX_FALSE;
+
+        PKIX_CHECK(pkix_CheckTypes
+                (firstObject, secondObject, PKIX_SOCKET_TYPE, plContext),
+                PKIX_OBJECTNOTSOCKET);
+
+        firstSocket = (PKIX_PL_Socket *)firstObject;
+        secondSocket = (PKIX_PL_Socket *)secondObject;
+
+        if (firstSocket->timeout != secondSocket->timeout) {
+                goto cleanup;
+        }
+
+        if (firstSocket->netAddr == secondSocket->netAddr) {
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        if ((firstSocket->netAddr->inet.family !=
+                secondSocket->netAddr->inet.family) ||
+            (*((PKIX_UInt32 *)&(firstSocket->netAddr->inet.ip)) !=
+                *((PKIX_UInt32 *)&(secondSocket->netAddr->inet.ip))) ||
+            (firstSocket->netAddr->inet.port !=
+                secondSocket->netAddr->inet.port)) {
+
+                goto cleanup;
+
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_PL_SOCKET_TYPE and its related
+ *  functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_Socket_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_RegisterSelf");
+
+        entry.description = "Socket";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_Socket);
+        entry.destructor = pkix_pl_Socket_Destroy;
+        entry.equalsFunction = pkix_pl_Socket_Equals;
+        entry.hashcodeFunction = pkix_pl_Socket_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_SOCKET_TYPE] = entry;
+
+#ifdef PKIX_SOCKETTRACE
+        {
+                char *val = NULL;
+                val = PR_GetEnv("SOCKETTRACE");
+                /* Is SOCKETTRACE set in the environment? */
+                if ((val != NULL) && (*val != '\0')) {
+                        socketTraceFlag =
+                                ((*val == '1')?PKIX_TRUE:PKIX_FALSE);
+                }
+        }
+#endif
+
+        PKIX_RETURN(SOCKET);
+}
+
+/* --Public-Socket-Functions----------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Socket_Listen
+ * DESCRIPTION:
+ *
+ *  This functions establishes a listening queue for the server Socket
+ *  pointed to by "socket".
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the server socket for which the queue is to be
+ *      established. Must be non-NULL.
+ *  "backlog"
+ *      The UInt32 value of the length of the queue to be established.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Listen(
+        PKIX_PL_Socket *socket,
+        PKIX_UInt32 backlog,
+        void *plContext)
+{
+#ifdef PKIX_SOCKETDEBUG
+        PRErrorCode errorcode = 0;
+#endif
+        PRStatus rv = PR_FAILURE;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Listen");
+        PKIX_NULLCHECK_TWO(socket, socket->serverSock);
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, PR_Listen,
+                (socket->serverSock, (PRIntn)backlog));
+
+        if (rv == PR_FAILURE) {
+#ifdef PKIX_SOCKETDEBUG
+                errorcode = PR_GetError();
+                printf
+                        ("pkix_pl_Socket_Listen: %s\n",
+                        PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                PKIX_ERROR(PKIX_PRLISTENFAILED);
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Successful listen!\n");
+#endif
+
+        socket->status = SOCKET_LISTENING;
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Shutdown
+ * DESCRIPTION:
+ *
+ *  This functions performs the shutdown of any connections controlled by the
+ *  socket pointed to by "socket".
+ *
+ * PARAMETERS:
+ *  "socket"
+ *      The address of the socket to be shut down. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Shutdown(
+        PKIX_PL_Socket *socket,
+        void *plContext)
+{
+#ifdef PKIX_SOCKETDEBUG
+        PRErrorCode errorcode = 0;
+#endif
+        PRStatus rv = PR_FAILURE;
+        PRFileDesc *fileDesc = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Shutdown");
+        PKIX_NULLCHECK_ONE(socket);
+
+        fileDesc =
+                (socket->isServer)?(socket->serverSock):(socket->clientSock);
+
+        PKIX_PL_NSSCALLRV(SOCKET, rv, PR_Shutdown,
+                (fileDesc, PR_SHUTDOWN_BOTH));
+
+        if (rv == PR_FAILURE) {
+#ifdef PKIX_SOCKETDEBUG
+                errorcode = PR_GetError();
+                printf
+                        ("pkix_pl_Socket_Shutdown: %s\n",
+                        PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                PKIX_ERROR(PKIX_PRSHUTDOWNFAILED);
+        }
+        socket->status = SOCKET_SHUTDOWN;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Send
+ * DESCRIPTION:
+ *
+ *  This functions sends a message using the socket pointed to by "sendSock",
+ *  from the buffer pointed to by "buf", of the number of bytes given by
+ *  "bytesToWrite", storing the number of bytes actually written at
+ *  "pBytesWritten". If "socket" is in non-blocking mode, the send operation
+ *  may store -1 at "pBytesWritten" and the write is not complete until a
+ *  corresponding pkix_pl_Poll call has indicated its completion by returning
+ *  a non-negative value for bytes written.
+ *
+ * PARAMETERS:
+ *  "sendSock"
+ *      The address of the Socket on which the message is to be sent. Must
+ *      be non-NULL.
+ *  "buf"
+ *      The address of the data to be sent. Must be non-NULL.
+ *  "bytesToWrite""
+ *      The UInt32 value indicating the number of bytes to write.
+ *  "pBytesWritten"
+ *      The address at which the Int32 value indicating the number of bytes
+ *      actually written is to be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Send(
+        PKIX_PL_Socket *sendSock,
+        void *buf,
+        PKIX_UInt32 bytesToWrite,
+        PKIX_Int32 *pBytesWritten,
+        void *plContext)
+{
+        PRInt32 bytesWritten = 0;
+        PRErrorCode errorcode = 0;
+        PRFileDesc *fd = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Send");
+        PKIX_NULLCHECK_TWO(buf, pBytesWritten);
+
+        fd = sendSock->clientSock;
+
+        PKIX_PL_NSSCALLRV(SOCKET, bytesWritten, PR_Send,
+                (fd, buf, (PRInt32)bytesToWrite, 0, sendSock->timeout));
+
+        if (bytesWritten >= 0) {
+                if (sendSock->status == SOCKET_SENDRCVPENDING) {
+                        sendSock->status = SOCKET_RCVPENDING;
+                } else {
+                        sendSock->status = SOCKET_CONNECTED;
+                }
+#ifdef PKIX_SOCKETTRACE
+                pkix_pl_socket_tracebuff(buf, bytesWritten);
+#endif
+        } else {
+                errorcode = PR_GetError();
+                if (errorcode != PR_WOULD_BLOCK_ERROR) {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_Send: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRSENDFAILED);
+                }
+
+                sendSock->writeBuf = buf;
+                sendSock->writeBufSize = bytesToWrite;
+                if (sendSock->status == SOCKET_RCVPENDING) {
+                        sendSock->status = SOCKET_SENDRCVPENDING;
+                } else {
+                        sendSock->status = SOCKET_SENDPENDING;
+                }
+        }
+
+        *pBytesWritten = (PKIX_Int32)bytesWritten;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Recv
+ * DESCRIPTION:
+ *
+ *  This functions receives a message on the socket pointed to by "rcvSock",
+ *  into the buffer pointed to by "buf", of capacity given by "capacity",
+ *  storing the number of bytes actually received at "pBytesRead". If "socket"
+ *  is in non-blocking mode, the receive operation may store -1 at
+ *  "pBytesWritten". In that case the write is not complete until a
+ *  corresponding pkix_pl_Poll call has indicated its completion by returning
+ *  a non-negative value for bytes read.
+ *
+ * PARAMETERS:
+ *  "rcvSock"
+ *      The address of the Socket on which the message is to be received.
+ *      Must be non-NULL.
+ *  "buf"
+ *      The address of the buffer into which the message is to be received.
+ *      Must be non-NULL.
+ *  "capacity"
+ *      The UInt32 value of the size of the buffer; that is, the maximum
+ *      number of bytes that can be received.
+ *  "pBytesRead"
+ *      The address at which is stored the Int32 value of the number of bytes
+ *      actually received.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Recv(
+        PKIX_PL_Socket *rcvSock,
+        void *buf,
+        PKIX_UInt32 capacity,
+        PKIX_Int32 *pBytesRead,
+        void *plContext)
+{
+        PRErrorCode errorcode = 0;
+        PRInt32 bytesRead = 0;
+        PRFileDesc *fd = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Recv");
+        PKIX_NULLCHECK_THREE(rcvSock, buf, pBytesRead);
+
+        fd = rcvSock->clientSock;
+
+        PKIX_PL_NSSCALLRV(SOCKET, bytesRead, PR_Recv,
+                (fd, buf, (PRInt32)capacity, 0, rcvSock->timeout));
+
+        if (bytesRead > 0) {
+                if (rcvSock->status == SOCKET_SENDRCVPENDING) {
+                        rcvSock->status = SOCKET_SENDPENDING;
+                } else {
+                        rcvSock->status = SOCKET_CONNECTED;
+                }
+#ifdef PKIX_SOCKETTRACE
+                pkix_pl_socket_tracebuff(buf, bytesRead);
+#endif
+        } else if (bytesRead == 0) {
+                PKIX_ERROR(PKIX_PRRECVREPORTSNETWORKCONNECTIONCLOSED);
+        } else {
+                errorcode = PR_GetError();
+                if (errorcode != PR_WOULD_BLOCK_ERROR) {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_Recv: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRRECVFAILED);
+                }
+                rcvSock->readBuf = buf;
+                rcvSock->readBufSize = capacity;
+                if (rcvSock->status == SOCKET_SENDPENDING) {
+                        rcvSock->status = SOCKET_SENDRCVPENDING;
+                } else {
+                        rcvSock->status = SOCKET_RCVPENDING;
+                }
+
+        }
+
+        *pBytesRead = (PKIX_Int32)bytesRead;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Poll
+ * DESCRIPTION:
+ *
+ *  This functions checks for completion of an earlier Send or Recv on the
+ *  socket pointed to by "sock", storing in "pBytesWritten" the number of bytes
+ *  written by a completed Send and in "pBytesRead" the number of bytes
+ *  received in a completed Recv. A value of -1 returned indicates the
+ *  operation has still not completed. A NULL pointer may be supplied for
+ *  "pBytesWritten" to avoid checking for completion of a Send. A NULL pointer
+ *  may be supplied for "pBytesRead" to avoid checking for completion of a Recv.
+ *
+ * PARAMETERS:
+ *  "sock"
+ *      The address of the socket for which completions are to be checked.
+ *  "pBytesWritten"
+ *      The address at which the number of bytes written is to be stored, if
+ *      a pending Send has completed. If NULL, Sends are not checked.
+ *  "pBytesRead"
+ *      The address at which the number of bytes read is to be stored, if
+ *      a pending Recv has completed. If NULL, Recvs are not checked.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Poll(
+        PKIX_PL_Socket *sock,
+        PKIX_Int32 *pBytesWritten,
+        PKIX_Int32 *pBytesRead,
+        void *plContext)
+{
+        PRPollDesc pollDesc;
+        PRInt32 numEvents = 0;
+        PKIX_Int32 bytesRead = 0;
+        PKIX_Int32 bytesWritten = 0;
+        PRErrorCode errorcode = 0;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Poll");
+        PKIX_NULLCHECK_ONE(sock);
+
+        pollDesc.fd = sock->clientSock;
+        pollDesc.in_flags = 0;
+        pollDesc.out_flags = 0;
+
+        if ((pBytesWritten) &&
+            ((sock->status == SOCKET_SENDPENDING) ||
+            (sock->status = SOCKET_SENDRCVPENDING))) {
+                pollDesc.in_flags = PR_POLL_WRITE;
+        }
+
+        if ((pBytesRead) &&
+            ((sock->status = SOCKET_RCVPENDING) ||
+            (sock->status = SOCKET_SENDRCVPENDING))) {
+                pollDesc.in_flags |= PR_POLL_READ;
+        }
+
+        PKIX_PL_NSSCALLRV(SOCKET, numEvents, PR_Poll, (&pollDesc, 1, 0));
+
+        if (numEvents < 0) {
+                PKIX_ERROR(PKIX_PRPOLLFAILED);
+        } else if (numEvents > 0) {
+                if (pollDesc.out_flags & PR_POLL_WRITE) {
+                        PKIX_CHECK(pkix_pl_Socket_Send
+                                (sock,
+                                sock->writeBuf,
+                                sock->writeBufSize,
+                                &bytesWritten,
+                                plContext),
+                                PKIX_SOCKETSENDFAILED);
+                        *pBytesWritten = (PKIX_Int32)bytesWritten;
+                        if (bytesWritten >= 0) {
+                                sock->writeBuf = NULL;
+                                sock->writeBufSize = 0;
+                        }
+                }
+
+                if (pollDesc.out_flags & PR_POLL_READ) {
+                        PKIX_CHECK(pkix_pl_Socket_Recv
+                                (sock,
+                                sock->readBuf,
+                                sock->readBufSize,
+                                &bytesRead,
+                                plContext),
+                                PKIX_SOCKETRECVFAILED);
+                        *pBytesRead = (PKIX_Int32)bytesRead;
+                        if (bytesRead >= 0) {
+                                sock->readBuf = NULL;
+                                sock->readBufSize = 0;
+                        }
+                }
+        } else if (numEvents == 0) {
+                errorcode = PR_GetError();
+                if (errorcode != PR_WOULD_BLOCK_ERROR) {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_Poll: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRPOLLFAILED);
+                }
+                if (pBytesWritten) {
+                        *pBytesWritten = 0;
+                }
+                if (pBytesRead) {
+                        *pBytesRead = 0;
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Accept
+ * DESCRIPTION:
+ *
+ *  This functions accepts a client connection for the server Socket pointed
+ *  to by "serverSocket", creating a new Socket and storing the result at
+ *  "pRendezvousSocket". If "serverSocket" is in non-blocking mode, this
+ *  function will return NULL if there is no client connection to accept.
+ *  Otherwise this function will block until a connection is available.
+ *  When a client connection is available the new Socket will have the same
+ *  blocking/non-blocking property as "serverSocket".
+ *
+ * PARAMETERS:
+ *   "serverSocket"
+ *      The address of the Socket for which a client connection is to be
+ *      accepted. Must be non-NULL.
+ *   "pRendezvousSocket"
+ *      The address at which the created Socket is stored, when a client
+ *      connection is available, or at which NULL is stored, if no connection
+ *      is available for a non-blocking "serverSocket". Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
+ * RETURNS:
+ *  none
+ */
+static PKIX_Error *
+pkix_pl_Socket_Accept(
+        PKIX_PL_Socket *serverSocket,
+        PKIX_PL_Socket **pRendezvousSocket,
+        void *plContext)
+{
+        PRErrorCode errorcode = 0;
+        PRFileDesc *rendezvousSock = NULL;
+        PRNetAddr *clientAddr = NULL;
+        PKIX_PL_Socket *newSocket = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Accept");
+        PKIX_NULLCHECK_TWO(serverSocket, pRendezvousSocket);
+
+        PKIX_PL_NSSCALLRV(SOCKET, rendezvousSock, PR_Accept,
+                (serverSocket->serverSock, clientAddr, serverSocket->timeout));
+
+        if (!rendezvousSock) {
+                errorcode = PR_GetError();
+                if (errorcode != PR_WOULD_BLOCK_ERROR) {
+#ifdef PKIX_SOCKETDEBUG
+                        printf
+                                ("pkix_pl_Socket_Accept: %s\n",
+                                PR_ErrorToString(errorcode, PR_LANGUAGE_EN));
+#endif
+                        PKIX_ERROR(PKIX_PRACCEPTFAILED);
+                }
+                serverSocket->status = SOCKET_ACCEPTPENDING;
+                *pRendezvousSocket = NULL;
+                goto cleanup;
+
+        }
+
+#ifdef PKIX_SOCKETDEBUG
+        printf("Successful accept!\n");
+#endif
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_SOCKET_TYPE,
+                    sizeof (PKIX_PL_Socket),
+                    (PKIX_PL_Object **)&newSocket,
+                    plContext),
+                    PKIX_COULDNOTCREATESOCKETOBJECT);
+
+        newSocket->isServer = PKIX_FALSE;
+        newSocket->timeout = serverSocket->timeout;
+        newSocket->clientSock = rendezvousSock;
+        newSocket->serverSock = NULL;
+        newSocket->netAddr = NULL;
+        newSocket->status = SOCKET_CONNECTED;
+        newSocket->callbackList.shutdownCallback = pkix_pl_Socket_Shutdown;
+        newSocket->callbackList.listenCallback = pkix_pl_Socket_Listen;
+        newSocket->callbackList.acceptCallback = pkix_pl_Socket_Accept;
+        newSocket->callbackList.connectcontinueCallback =
+                pkix_pl_Socket_ConnectContinue;
+        newSocket->callbackList.sendCallback = pkix_pl_Socket_Send;
+        newSocket->callbackList.recvCallback = pkix_pl_Socket_Recv;
+        newSocket->callbackList.pollCallback = pkix_pl_Socket_Poll;
+
+        if (serverSocket->timeout == 0) {
+                PKIX_CHECK(pkix_pl_Socket_SetNonBlocking
+                        (rendezvousSock, plContext),
+                        PKIX_SOCKETSETNONBLOCKINGFAILED);
+        }
+
+        *pRendezvousSocket = newSocket;
+
+cleanup:
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_Create
+ * DESCRIPTION:
+ *
+ *  This function creates a new Socket, setting it to be a server or a client
+ *  according to the value of "isServer", setting its timeout value from
+ *  "timeout" and server address from "netAddr", and stores the created Socket
+ *  at "pSocket".
+ *
+ * PARAMETERS:
+ *  "isServer"
+ *      The Boolean value indicating if PKIX_TRUE, that a server socket (using
+ *      Bind, Listen, and Accept) is to be created, or if PKIX_FALSE, that a
+ *      client socket (using Connect) is to be created.
+ *  "timeout"
+ *      A PRTimeInterval value to be used for I/O waits for this socket. If
+ *      zero, non-blocking I/O is to be used.
+ *  "netAddr"
+ *      The PRNetAddr to be used for the Bind function, if this is a server
+ *      socket, or for the Connect, if this is a client socket.
+ *  "pSocket"
+ *      The address at which the Socket is to be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Socket Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Socket_Create(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout,
+        PRNetAddr *netAddr,
+        PRErrorCode *status,
+        PKIX_PL_Socket **pSocket,
+        void *plContext)
+{
+        PKIX_PL_Socket *socket = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_Create");
+        PKIX_NULLCHECK_ONE(pSocket);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_SOCKET_TYPE,
+                    sizeof (PKIX_PL_Socket),
+                    (PKIX_PL_Object **)&socket,
+                    plContext),
+                    PKIX_COULDNOTCREATESOCKETOBJECT);
+
+        socket->isServer = isServer;
+        socket->timeout = timeout;
+        socket->clientSock = NULL;
+        socket->serverSock = NULL;
+        socket->netAddr = netAddr;
+
+        socket->callbackList.listenCallback = pkix_pl_Socket_Listen;
+        socket->callbackList.acceptCallback = pkix_pl_Socket_Accept;
+        socket->callbackList.connectcontinueCallback =
+                 pkix_pl_Socket_ConnectContinue;
+        socket->callbackList.sendCallback = pkix_pl_Socket_Send;
+        socket->callbackList.recvCallback = pkix_pl_Socket_Recv;
+        socket->callbackList.pollCallback = pkix_pl_Socket_Poll;
+        socket->callbackList.shutdownCallback = pkix_pl_Socket_Shutdown;
+
+        if (isServer) {
+                PKIX_CHECK(pkix_pl_Socket_CreateServer(socket, plContext),
+                        PKIX_SOCKETCREATESERVERFAILED);
+                *status = 0;
+        } else {
+                socket->timeout = timeout;
+                PKIX_CHECK(pkix_pl_Socket_CreateClient(socket, plContext),
+                        PKIX_SOCKETCREATECLIENTFAILED);
+                PKIX_CHECK(pkix_pl_Socket_Connect(socket, status, plContext),
+                        PKIX_SOCKETCONNECTFAILED);
+        }
+
+        *pSocket = socket;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(socket);
+        }
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_CreateByName
+ * DESCRIPTION:
+ *
+ *  This function creates a new Socket, setting it to be a server or a client
+ *  according to the value of "isServer", setting its timeout value from
+ *  "timeout" and server address and port number from "serverName", and stores
+ *  the status at "pStatus" and the created Socket at "pSocket".
+ *
+ *  If isServer is PKIX_TRUE, it is attempted to create the socket with an ip
+ *  address of PR_INADDR_ANY.
+ *
+ * PARAMETERS:
+ *  "isServer"
+ *      The Boolean value indicating if PKIX_TRUE, that a server socket (using
+ *      Bind, Listen, and Accept) is to be created, or if PKIX_FALSE, that a
+ *      client socket (using Connect) is to be created.
+ *  "timeout"
+ *      A PRTimeInterval value to be used for I/O waits for this socket. If
+ *      zero, non-blocking I/O is to be used.
+ *  "serverName"
+ *      Address of a character string consisting of the server's domain name
+ *      followed by a colon and a port number for the desired socket.
+ *  "pStatus"
+ *      Address at which the PRErrorCode resulting from the create is
+ *      stored. Must be non-NULL.
+ *  "pSocket"
+ *      The address at which the Socket is to be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Socket Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Socket_CreateByName(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout,
+        char *serverName,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext)
+{
+        PRNetAddr netAddr;
+        PKIX_PL_Socket *socket = NULL;
+        char *sepPtr = NULL;
+        PRHostEnt hostent;
+        PRIntn hostenum;
+        PRStatus prstatus = PR_FAILURE;
+        char buf[PR_NETDB_BUF_SIZE];
+        PRUint16 portNum = 0;
+        char *localCopyName = NULL;
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByName");
+        PKIX_NULLCHECK_TWO(serverName, pSocket);
+
+        localCopyName = PL_strdup(serverName);
+
+        sepPtr = strchr(localCopyName, ':');
+        /* First strip off the portnum, if present, from the end of the name */
+        if (sepPtr) {
+                *sepPtr++ = '\0';
+                 portNum = (PRUint16)atoi(sepPtr);
+        } else {
+                 portNum = (PRUint16)LDAP_PORT;
+        }
+
+        prstatus = PR_GetHostByName(localCopyName, buf, sizeof(buf), &hostent);
+
+        if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
+                /*
+                 * The hostname may be a fully-qualified name. Try using just
+                 * the leftmost component in our lookup.
+                 */
+                sepPtr = strchr(localCopyName, '.');
+                if (sepPtr) {
+                        *sepPtr++ = '\0';
+                }
+                prstatus = PR_GetHostByName
+                        (localCopyName, buf, sizeof(buf), &hostent);
+
+                if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
+                        PKIX_ERROR
+                                (PKIX_PRGETHOSTBYNAMEREJECTSHOSTNAMEARGUMENT);
+                }
+        }
+
+        netAddr.inet.family = PR_AF_INET;
+        netAddr.inet.port = PR_htons(portNum);
+
+        if (isServer) {
+
+                netAddr.inet.ip = PR_INADDR_ANY;
+
+        } else {
+
+                hostenum = PR_EnumerateHostEnt(0, &hostent, portNum, &netAddr);
+                if (hostenum == -1) {
+                        PKIX_ERROR(PKIX_PRENUMERATEHOSTENTFAILED);
+                }
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_SOCKET_TYPE,
+                sizeof (PKIX_PL_Socket),
+                (PKIX_PL_Object **)&socket,
+                plContext),
+                PKIX_COULDNOTCREATESOCKETOBJECT);
+
+        socket->isServer = isServer;
+        socket->timeout = timeout;
+        socket->clientSock = NULL;
+        socket->serverSock = NULL;
+        socket->netAddr = &netAddr;
+
+        socket->callbackList.listenCallback = pkix_pl_Socket_Listen;
+        socket->callbackList.acceptCallback = pkix_pl_Socket_Accept;
+        socket->callbackList.connectcontinueCallback =
+                 pkix_pl_Socket_ConnectContinue;
+        socket->callbackList.sendCallback = pkix_pl_Socket_Send;
+        socket->callbackList.recvCallback = pkix_pl_Socket_Recv;
+        socket->callbackList.pollCallback = pkix_pl_Socket_Poll;
+        socket->callbackList.shutdownCallback = pkix_pl_Socket_Shutdown;
+
+        if (isServer) {
+                PKIX_CHECK(pkix_pl_Socket_CreateServer(socket, plContext),
+                        PKIX_SOCKETCREATESERVERFAILED);
+                *pStatus = 0;
+        } else {
+                PKIX_CHECK(pkix_pl_Socket_CreateClient(socket, plContext),
+                        PKIX_SOCKETCREATECLIENTFAILED);
+                PKIX_CHECK(pkix_pl_Socket_Connect(socket, pStatus, plContext),
+                        PKIX_SOCKETCONNECTFAILED);
+        }
+
+        *pSocket = socket;
+
+cleanup:
+        PL_strfree(localCopyName);
+
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(socket);
+        }
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_CreateByHostAndPort
+ * DESCRIPTION:
+ *
+ *  This function creates a new Socket, setting it to be a server or a client
+ *  according to the value of "isServer", setting its timeout value from
+ *  "timeout", host from "hostname", and port number from "portNum", and stores
+ *  the status at "pStatus" and the created Socket at "pSocket".
+ *
+ *  If isServer is PKIX_TRUE, it is attempted to create the socket with an ip
+ *  address of PR_INADDR_ANY.
+ *
+ * PARAMETERS:
+ *  "isServer"
+ *      The Boolean value indicating if PKIX_TRUE, that a server socket (using
+ *      Bind, Listen, and Accept) is to be created, or if PKIX_FALSE, that a
+ *      client socket (using Connect) is to be created.
+ *  "timeout"
+ *      A PRTimeInterval value to be used for I/O waits for this socket. If
+ *      zero, non-blocking I/O is to be used.
+ *  "hostname"
+ *      Address of a character string consisting of the server's domain name.
+ *  "portNum"
+ *      UInt16 value of the port number for the desired socket.
+ *  "pStatus"
+ *      Address at which the PRErrorCode resulting from the create is
+ *      stored. Must be non-NULL.
+ *  "pSocket"
+ *      The address at which the Socket is to be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Socket Error if the function fails in
+ *      a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Socket_CreateByHostAndPort(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout,
+        char *hostname,
+        PRUint16 portnum,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext)
+{
+        PRNetAddr netAddr;
+        PKIX_PL_Socket *socket = NULL;
+        char *sepPtr = NULL;
+        PRHostEnt hostent;
+        PRIntn hostenum;
+        PRStatus prstatus = PR_FAILURE;
+        char buf[PR_NETDB_BUF_SIZE];
+
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
+        PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+
+
+        prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+
+        if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
+                /*
+                 * The hostname may be a fully-qualified name. Try using just
+                 * the leftmost component in our lookup.
+                 */
+                sepPtr = strchr(hostname, '.');
+                if (sepPtr) {
+                        *sepPtr++ = '\0';
+                }
+                prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+
+                if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
+                        PKIX_ERROR
+                                (PKIX_PRGETHOSTBYNAMEREJECTSHOSTNAMEARGUMENT);
+                }
+        }
+
+        netAddr.inet.family = PR_AF_INET;
+        netAddr.inet.port = PR_htons(portnum);
+
+        if (isServer) {
+
+                netAddr.inet.ip = PR_INADDR_ANY;
+
+        } else {
+
+                hostenum = PR_EnumerateHostEnt(0, &hostent, portnum, &netAddr);
+                if (hostenum == -1) {
+                        PKIX_ERROR(PKIX_PRENUMERATEHOSTENTFAILED);
+                }
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_SOCKET_TYPE,
+                sizeof (PKIX_PL_Socket),
+                (PKIX_PL_Object **)&socket,
+                plContext),
+                PKIX_COULDNOTCREATESOCKETOBJECT);
+
+        socket->isServer = isServer;
+        socket->timeout = timeout;
+        socket->clientSock = NULL;
+        socket->serverSock = NULL;
+        socket->netAddr = &netAddr;
+
+        socket->callbackList.listenCallback = pkix_pl_Socket_Listen;
+        socket->callbackList.acceptCallback = pkix_pl_Socket_Accept;
+        socket->callbackList.connectcontinueCallback =
+                 pkix_pl_Socket_ConnectContinue;
+        socket->callbackList.sendCallback = pkix_pl_Socket_Send;
+        socket->callbackList.recvCallback = pkix_pl_Socket_Recv;
+        socket->callbackList.pollCallback = pkix_pl_Socket_Poll;
+        socket->callbackList.shutdownCallback = pkix_pl_Socket_Shutdown;
+
+        if (isServer) {
+                PKIX_CHECK(pkix_pl_Socket_CreateServer(socket, plContext),
+                        PKIX_SOCKETCREATESERVERFAILED);
+                *pStatus = 0;
+        } else {
+                PKIX_CHECK(pkix_pl_Socket_CreateClient(socket, plContext),
+                        PKIX_SOCKETCREATECLIENTFAILED);
+                PKIX_CHECK(pkix_pl_Socket_Connect(socket, pStatus, plContext),
+                        PKIX_SOCKETCONNECTFAILED);
+        }
+
+        *pSocket = socket;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+                PKIX_DECREF(socket);
+        }
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_GetCallbackList
+ */
+PKIX_Error *
+pkix_pl_Socket_GetCallbackList(
+        PKIX_PL_Socket *socket,
+        PKIX_PL_Socket_Callback **pCallbackList,
+        void *plContext)
+{
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_GetCallbackList");
+        PKIX_NULLCHECK_TWO(socket, pCallbackList);
+
+        *pCallbackList = &(socket->callbackList);
+
+        PKIX_RETURN(SOCKET);
+}
+
+/*
+ * FUNCTION: pkix_pl_Socket_GetPRFileDesc
+ */
+PKIX_Error *
+pkix_pl_Socket_GetPRFileDesc(
+        PKIX_PL_Socket *socket,
+        PRFileDesc **pDesc,
+        void *plContext)
+{
+        PKIX_ENTER(SOCKET, "pkix_pl_Socket_GetPRFileDesc");
+        PKIX_NULLCHECK_TWO(socket, pDesc);
+
+        *pDesc = socket->clientSock;
+
+        PKIX_RETURN(SOCKET);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.h b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.h
new file mode 100644
index 000000000..133c620c3
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.h
@@ -0,0 +1,242 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_socket.h
+ *
+ * Socket Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_SOCKET_H
+#define _PKIX_PL_SOCKET_H
+
+#include <errno.h>
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+        SOCKET_BOUND,
+        SOCKET_LISTENING,
+        SOCKET_ACCEPTPENDING,
+        SOCKET_UNCONNECTED,
+        SOCKET_CONNECTPENDING,
+        SOCKET_CONNECTED,
+        SOCKET_SENDPENDING,
+        SOCKET_RCVPENDING,
+        SOCKET_SENDRCVPENDING,
+        SOCKET_SHUTDOWN
+} SockStatus;
+
+/* This is the default port number, if none is supplied to CreateByName. */
+#define LDAP_PORT 389
+
+/*
+ * These callbacks allow a user to substitute a counterfeit socket in places
+ * where a PKIX_PL_Socket is expected. A conforming usage will use the
+ * ListenCallback function instead of Listen, AcceptCallback instead of Accept,
+ * etc. The counterfeit socket may have special capabilites such as the
+ * ability to do proxy authentication, etc.
+ */
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_ListenCallback)(
+        PKIX_PL_Socket *socket,
+        PKIX_UInt32 backlog,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_AcceptCallback)(
+        PKIX_PL_Socket *socket,
+        PKIX_PL_Socket **pRendezvousSock,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_ConnectContinueCallback)(
+        PKIX_PL_Socket *socket,
+        PRErrorCode *pStatus,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_SendCallback)(
+        PKIX_PL_Socket *sendSock,
+        void *buf,
+        PKIX_UInt32 bytesToWrite,
+        PKIX_Int32 *pBytesWritten,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_RecvCallback)(
+        PKIX_PL_Socket *rcvSock,
+        void *buf,
+        PKIX_UInt32 capacity,
+        PKIX_Int32 *pBytesRead,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_PollCallback)(
+        PKIX_PL_Socket *sock,
+        PKIX_Int32 *pBytesWritten,
+        PKIX_Int32 *pBytesRead,
+        void *plContext);
+
+typedef PKIX_Error *
+(*pkix_pl_Socket_ShutdownCallback)(
+        PKIX_PL_Socket *socket, void *plContext);
+
+typedef struct PKIX_PL_Socket_CallbackStruct {
+        pkix_pl_Socket_ListenCallback listenCallback;
+        pkix_pl_Socket_AcceptCallback acceptCallback;
+        pkix_pl_Socket_ConnectContinueCallback connectcontinueCallback;
+        pkix_pl_Socket_SendCallback sendCallback;
+        pkix_pl_Socket_RecvCallback recvCallback;
+        pkix_pl_Socket_PollCallback pollCallback;
+        pkix_pl_Socket_ShutdownCallback shutdownCallback;
+} PKIX_PL_Socket_Callback;
+
+struct PKIX_PL_SocketStruct {
+        PKIX_Boolean isServer;
+        PRIntervalTime timeout; /* zero for non-blocking I/O */
+        SockStatus status;
+        PRFileDesc *clientSock;
+        PRFileDesc *serverSock;
+        void *readBuf;
+        void *writeBuf;
+        PKIX_UInt32 readBufSize;
+        PKIX_UInt32 writeBufSize;
+        PRNetAddr *netAddr;
+        PKIX_PL_Socket_Callback callbackList;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_Socket_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_Socket_Create(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout, /* zero for non-blocking I/O */
+        PRNetAddr *netAddr,
+        PRErrorCode *status,
+        PKIX_PL_Socket **pSocket,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Socket_CreateByName(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout,
+        char *serverName,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Socket_CreateByHostAndPort(
+        PKIX_Boolean isServer,
+        PRIntervalTime timeout,
+        char *hostname,
+        PRUint16 portnum,
+        PRErrorCode *pStatus,
+        PKIX_PL_Socket **pSocket,
+        void *plContext);
+
+/* Do not use these functions directly; use their callback variants instead
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Listen(
+ *              PKIX_PL_Socket *socket,
+ *              PKIX_UInt32 backlog,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Accept(
+ *              PKIX_PL_Socket *socket,
+ *              PKIX_PL_Socket **pRendezvousSock,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_ConnectContinue(
+ *              PKIX_PL_Socket *socket,
+ *              PRErrorCode *pStatus,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Send(
+ *              PKIX_PL_Socket *sendSock,
+ *              void *buf,
+ *              PKIX_UInt32 bytesToWrite,
+ *              PKIX_Int32 *pBytesWritten,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Recv(
+ *              PKIX_PL_Socket *rcvSock,
+ *              void *buf,
+ *              PKIX_UInt32 capacity,
+ *              PKIX_Int32 *pBytesRead,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Poll(
+ *              PKIX_PL_Socket *sock,
+ *              PKIX_Int32 *pBytesWritten,
+ *              PKIX_Int32 *pBytesRead,
+ *              void *plContext);
+ *      
+ *      static PKIX_Error *
+ *      pkix_pl_Socket_Shutdown(
+ *              PKIX_PL_Socket *socket, void *plContext);
+ */
+
+PKIX_Error *
+pkix_pl_Socket_GetCallbackList(
+        PKIX_PL_Socket *socket,
+        PKIX_PL_Socket_Callback **pCallbackList,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Socket_GetPRFileDesc(
+        PKIX_PL_Socket *socket,
+        PRFileDesc **pDesc,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_SOCKET_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/Makefile b/security/nss/lib/libpkix/pkix_pl_nss/pki/Makefile
new file mode 100755
index 000000000..42adc1f4a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/config.mk b/security/nss/lib/libpkix/pkix_pl_nss/pki/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
new file mode 100755
index 000000000..34941a36c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
@@ -0,0 +1,87 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#   Red Hat, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_pl_basicconstraints.h \
+	pkix_pl_cert.h \
+	pkix_pl_certpolicyinfo.h \
+	pkix_pl_certpolicymap.h \
+	pkix_pl_certpolicyqualifier.h \
+	pkix_pl_crl.h \
+	pkix_pl_crlentry.h \
+	pkix_pl_date.h \
+	pkix_pl_generalname.h \
+	pkix_pl_infoaccess.h \
+	pkix_pl_nameconstraints.h \
+	pkix_pl_ocsprequest.h \
+	pkix_pl_ocspresponse.h \
+	pkix_pl_publickey.h \
+	pkix_pl_x500name.h \
+	pkix_pl_ocspcertid.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_pl_basicconstraints.c \
+	pkix_pl_cert.c \
+	pkix_pl_certpolicyinfo.c \
+	pkix_pl_certpolicymap.c \
+	pkix_pl_certpolicyqualifier.c \
+	pkix_pl_crl.c \
+	pkix_pl_crlentry.c \
+	pkix_pl_date.c \
+	pkix_pl_generalname.c \
+	pkix_pl_infoaccess.c \
+	pkix_pl_nameconstraints.c \
+	pkix_pl_ocsprequest.c \
+	pkix_pl_ocspresponse.c \
+	pkix_pl_publickey.c \
+	pkix_pl_x500name.c \
+	pkix_pl_ocspcertid.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixpki
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.c
new file mode 100644
index 000000000..85ce3fa65
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.c
@@ -0,0 +1,440 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_basicconstraints.c
+ *
+ * BasicConstraints Object Functions
+ *
+ */
+
+#include "pkix_pl_basicconstraints.h"
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertBasicConstraints object whose CA Flag has the value
+ *  given by the Boolean value of "isCA" and whose path length field has the
+ *  value given by the "pathLen" argument and stores it at "pObject".
+ *
+ * PARAMETERS
+ *  "isCA"
+ *      Boolean value with the desired value of CA Flag.
+ *  "pathLen"
+ *      a PKIX_Int32 with the desired value of path length
+ *  "pObject"
+ *      Address of object pointer's destination. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertBasicConstraints Error if the function fails
+ *  in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertBasicConstraints_Create(
+        PKIX_Boolean isCA,
+        PKIX_Int32 pathLen,
+        PKIX_PL_CertBasicConstraints **pObject,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basic = NULL;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                    "pkix_pl_CertBasicConstraints_Create");
+        PKIX_NULLCHECK_ONE(pObject);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTBASICCONSTRAINTS_TYPE,
+                    sizeof (PKIX_PL_CertBasicConstraints),
+                    (PKIX_PL_Object **)&basic,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTBASICCONSTRAINTSOBJECT);
+
+        basic->isCA = isCA;
+
+        /* pathLen has meaning only for CAs, but it's not worth checking */
+        basic->pathLen = pathLen;
+
+        *pObject = basic;
+
+cleanup:
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertBasicConstraints_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *certB = NULL;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "pkix_pl_CertBasicConstraints_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTBASICCONSTRAINTS_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTBASICCONSTRAINTS);
+
+        certB = (PKIX_PL_CertBasicConstraints*)object;
+
+        certB->isCA = PKIX_FALSE;
+        certB->pathLen = 0;
+
+cleanup:
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertBasicConstraints_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *certBasicConstraintsString = NULL;
+        PKIX_PL_CertBasicConstraints *certB = NULL;
+        PKIX_Boolean isCA = PKIX_FALSE;
+        PKIX_Int32 pathLen = 0;
+        PKIX_PL_String *outString = NULL;
+        char *fmtString = NULL;
+        PKIX_Boolean pathlenArg = PKIX_FALSE;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "pkix_pl_CertBasicConstraints_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTBASICCONSTRAINTS_TYPE, plContext),
+                    PKIX_FIRSTARGUMENTNOTCERTBASICCONSTRAINTSOBJECT);
+
+        certB = (PKIX_PL_CertBasicConstraints *)object;
+
+        /*
+         * if CA == TRUE
+         *      if pathLen == CERT_UNLIMITED_PATH_CONSTRAINT
+         *              print "CA(-1)"
+         *      else print "CA(nnn)"
+         * if CA == FALSE, print "~CA"
+         */
+
+        isCA = certB->isCA;
+
+        if (isCA) {
+                pathLen = certB->pathLen;
+
+                if (pathLen == CERT_UNLIMITED_PATH_CONSTRAINT) {
+                        /* print "CA(-1)" */
+                        fmtString = "CA(-1)";
+                        pathlenArg = PKIX_FALSE;
+                } else {
+                        /* print "CA(pathLen)" */
+                        fmtString = "CA(%d)";
+                        pathlenArg = PKIX_TRUE;
+                }
+        } else {
+                /* print "~CA" */
+                fmtString = "~CA";
+                pathlenArg = PKIX_FALSE;
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    fmtString,
+                    0,
+                    &certBasicConstraintsString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        if (pathlenArg) {
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&outString,
+                            plContext,
+                            certBasicConstraintsString,
+                            pathLen),
+                            PKIX_SPRINTFFAILED);
+        } else {
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&outString,
+                            plContext,
+                            certBasicConstraintsString),
+                            PKIX_SPRINTFFAILED);
+        }
+
+        *pString = outString;
+
+cleanup:
+
+        PKIX_DECREF(certBasicConstraintsString);
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertBasicConstraints_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *certB = NULL;
+        PKIX_Boolean isCA = PKIX_FALSE;
+        PKIX_Int32 pathLen = 0;
+        PKIX_Int32 hashInput = 0;
+        PKIX_UInt32 cbcHash = 0;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "pkix_pl_CertBasicConstraints_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTBASICCONSTRAINTS_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTBASICCONSTRAINTS);
+
+        certB = (PKIX_PL_CertBasicConstraints *)object;
+
+        /*
+         * if CA == TRUE
+         *      hash(pathLen + 1 - PKIX_UNLIMITED_PATH_CONSTRAINT)
+         * if CA == FALSE, hash(0)
+         */
+
+        isCA = certB->isCA;
+
+        if (isCA) {
+                pathLen = certB->pathLen;
+
+                hashInput = pathLen + 1 - PKIX_UNLIMITED_PATH_CONSTRAINT;
+        }
+
+        PKIX_CHECK(pkix_hash
+                    ((const unsigned char *)&hashInput,
+                    sizeof (hashInput),
+                    &cbcHash,
+                    plContext),
+                    PKIX_HASHFAILED);
+
+        *pHashcode = cbcHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertBasicConstraints_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *firstCBC = NULL;
+        PKIX_PL_CertBasicConstraints *secondCBC = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean firstIsCA = PKIX_FALSE;
+        PKIX_Boolean secondIsCA = PKIX_FALSE;
+        PKIX_Int32 firstPathLen = 0;
+        PKIX_Int32 secondPathLen = 0;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "pkix_pl_CertBasicConstraints_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CertBasicConstraints */
+        PKIX_CHECK(pkix_CheckType
+                    (firstObject, PKIX_CERTBASICCONSTRAINTS_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTCERTBASICCONSTRAINTS);
+
+        /*
+         * Since we know firstObject is a CertBasicConstraints,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a CertBasicConstraints, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CERTBASICCONSTRAINTS_TYPE) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        firstCBC = (PKIX_PL_CertBasicConstraints *)firstObject;
+        secondCBC = (PKIX_PL_CertBasicConstraints *)secondObject;
+
+        /*
+         * Compare the value of the CAFlag components
+         */
+
+        firstIsCA = firstCBC->isCA;
+
+        /*
+         * Failure here would be an error, not merely a miscompare,
+         * since we know second is a CertBasicConstraints.
+         */
+        secondIsCA = secondCBC->isCA;
+
+        /*
+         * If isCA flags differ, the objects are not equal.
+         */
+        if (secondIsCA != firstIsCA) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        /*
+         * If isCA was FALSE, the objects are equal, because
+         * pathLen is meaningless in that case.
+         */
+        if (!firstIsCA) {
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        firstPathLen = firstCBC->pathLen;
+        secondPathLen = secondCBC->pathLen;
+
+        *pResult = (secondPathLen == firstPathLen);
+
+cleanup:
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertBasicConstraints_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTBASICCONSTRAINTS_TYPE and its related
+ *  functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CertBasicConstraints_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "pkix_pl_CertBasicConstraints_RegisterSelf");
+
+        entry.description = "CertBasicConstraints";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CertBasicConstraints);
+        entry.destructor = pkix_pl_CertBasicConstraints_Destroy;
+        entry.equalsFunction = pkix_pl_CertBasicConstraints_Equals;
+        entry.hashcodeFunction = pkix_pl_CertBasicConstraints_Hashcode;
+        entry.toStringFunction = pkix_pl_CertBasicConstraints_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERTBASICCONSTRAINTS_TYPE] = entry;
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_BasicConstraints_GetCAFlag
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_BasicConstraints_GetCAFlag(
+        PKIX_PL_CertBasicConstraints *basicConstraints,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "PKIX_PL_BasicConstraintsGetCAFlag");
+        PKIX_NULLCHECK_TWO(basicConstraints, pResult);
+
+        *pResult = basicConstraints->isCA;
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
+
+/*
+ * FUNCTION: PKIX_PL_BasicConstraints_GetPathLenConstraint
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_BasicConstraints_GetPathLenConstraint(
+        PKIX_PL_CertBasicConstraints *basicConstraints,
+        PKIX_Int32 *pPathLenConstraint,
+        void *plContext)
+{
+        PKIX_ENTER(CERTBASICCONSTRAINTS,
+                "PKIX_PL_BasicConstraintsGetPathLenConstraint");
+        PKIX_NULLCHECK_TWO(basicConstraints, pPathLenConstraint);
+
+        *pPathLenConstraint = basicConstraints->pathLen;
+
+        PKIX_RETURN(CERTBASICCONSTRAINTS);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.h
new file mode 100644
index 000000000..359ff76c0
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_basicconstraints.h
@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_basicconstraints.h
+ *
+ * BasicConstraints Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_BASICCONSTRAINTS_H
+#define _PKIX_PL_BASICCONSTRAINTS_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* This structure reflects the contents of the basic constraints
+ * extension as described in Section 4.2.1.10 of RFC 3280.
+ * The cA flag indicates whether the public key in this certificate
+ * belongs to a certification authority. The pathLen constraint
+ * gives the maximum number of non-self-issued intermediate certificates
+ * that may follow this certificate in a valid certification path.
+ */
+struct PKIX_PL_CertBasicConstraintsStruct {
+        PKIX_Boolean isCA;
+        PKIX_Int32 pathLen;
+};
+
+PKIX_Error *
+pkix_pl_CertBasicConstraints_Create(
+        PKIX_Boolean isCA,
+        PKIX_Int32 pathLen,
+        PKIX_PL_CertBasicConstraints **object,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertBasicConstraints_RegisterSelf(
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_BASICCONSTRAINTS_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
new file mode 100644
index 000000000..8f259fadf
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -0,0 +1,3580 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_cert.c
+ *
+ * Certificate Object Functions
+ *
+ */
+
+#include "pkix_pl_cert.h"
+
+extern PKIX_PL_HashTable *cachedCertSigTable;
+
+/* --Private-Cert-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Cert_IsExtensionCritical
+ * DESCRIPTION:
+ *
+ *  Checks the Cert specified by "cert" to determine whether the extension
+ *  whose tag is the UInt32 value given by "tag" is marked as a critical
+ *  extension, and stores the result in "pCritical".
+ *
+ *  Tags are the index into the table "oids" of SECOidData defined in the
+ *  file secoid.c. Constants, such as SEC_OID_X509_CERTIFICATE_POLICIES, are
+ *  are defined in secoidt.h for most of the table entries.
+ *
+ *  If the specified tag is invalid (not in the list of tags) or if the
+ *  extension is not found in the certificate, PKIX_FALSE is stored.
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert whose extensions are to be examined. Must be non-NULL.
+ *  "tag"
+ *      The UInt32 value of the tag for the extension whose criticality is
+ *      to be determined
+ *  "pCritical"
+ *      Address where the Boolean value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Cert_IsExtensionCritical(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 tag,
+        PKIX_Boolean *pCritical,
+        void *plContext)
+{
+        PKIX_Boolean criticality = PKIX_FALSE;
+        CERTCertExtension **extensions = NULL;
+        SECStatus rv;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_IsExtensionCritical");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pCritical);
+
+        extensions = cert->nssCert->extensions;
+        PKIX_NULLCHECK_ONE(extensions);
+
+        PKIX_CERT_DEBUG("\t\tCalling CERT_GetExtenCriticality).\n");
+        rv = CERT_GetExtenCriticality(extensions, tag, &criticality);
+        if (SECSuccess == rv) {
+                *pCritical = criticality;
+        } else {
+                *pCritical = PKIX_FALSE;
+        }
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_DecodePolicyInfo
+ * DESCRIPTION:
+ *
+ *  Decodes the contents of the CertificatePolicy extension in the
+ *  CERTCertificate pointed to by "nssCert", to create a List of
+ *  CertPolicyInfos, which is stored at the address "pCertPolicyInfos".
+ *  A CERTCertificate contains the DER representation of the Cert.
+ *  If this certificate does not have a CertificatePolicy extension,
+ *  NULL will be stored. If a List is returned, it will be immutable.
+ *
+ * PARAMETERS
+ *  "nssCert"
+ *      Address of the Cert data whose extension is to be examined. Must be
+ *      non-NULL.
+ *  "pCertPolicyInfos"
+ *      Address where the List of CertPolicyInfos will be stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Cert_DecodePolicyInfo(
+        CERTCertificate *nssCert,
+        PKIX_List **pCertPolicyInfos,
+        void *plContext)
+{
+
+        SECStatus rv;
+        SECItem encodedCertPolicyInfo;
+
+        /* Allocated in the arena; freed in CERT_Destroy... */
+        CERTCertificatePolicies *certPol = NULL;
+        CERTPolicyInfo **policyInfos = NULL;
+        CERTPolicyInfo *policyInfo = NULL;
+        CERTPolicyQualifier **policyQualifiers = NULL;
+        CERTPolicyQualifier *policyQualifier = NULL;
+
+        /* Holder for the return value */
+        PKIX_List *infos = NULL;
+
+        char *oidAscii = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        PKIX_List *qualifiers = NULL;
+        PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
+        PKIX_PL_CertPolicyQualifier *certPolicyQualifier = NULL;
+        PKIX_PL_ByteArray *qualifierArray = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyInfo");
+        PKIX_NULLCHECK_TWO(nssCert, pCertPolicyInfos);
+
+        /* get PolicyInfo as a SECItem */
+        PKIX_CERT_DEBUG("\t\tCERT_FindCertExtension).\n");
+        rv = CERT_FindCertExtension
+                (nssCert,
+                SEC_OID_X509_CERTIFICATE_POLICIES,
+                &encodedCertPolicyInfo);
+        if (SECSuccess != rv) {
+                *pCertPolicyInfos = NULL;
+                goto cleanup;
+        }
+
+        /* translate PolicyInfo to CERTCertificatePolicies */
+        PKIX_CERT_DEBUG("\t\tCERT_DecodeCertificatePoliciesExtension).\n");
+        certPol = CERT_DecodeCertificatePoliciesExtension
+                (&encodedCertPolicyInfo);
+
+        PORT_Free(encodedCertPolicyInfo.data);
+
+        if (NULL == certPol) {
+                PKIX_ERROR(PKIX_CERTDECODECERTIFICATEPOLICIESEXTENSIONFAILED);
+        }
+
+        /*
+         * Check whether there are any policyInfos, so we can
+         * avoid creating an unnecessary List
+         */
+        policyInfos = certPol->policyInfos;
+        if (!policyInfos) {
+                *pCertPolicyInfos = NULL;
+                goto cleanup;
+        }
+
+        /* create a List of CertPolicyInfo Objects */
+        PKIX_CHECK(PKIX_List_Create(&infos, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        /*
+         * Traverse the CERTCertificatePolicies structure,
+         * building each PKIX_PL_CertPolicyInfo object in turn
+         */
+        while (*policyInfos != NULL) {
+                policyInfo = *policyInfos;
+                policyQualifiers = policyInfo->policyQualifiers;
+                if (policyQualifiers) {
+                        /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
+                        PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
+                                PKIX_LISTCREATEFAILED);
+
+                        while (*policyQualifiers != NULL) {
+                            policyQualifier = *policyQualifiers;
+
+                            /* create the qualifier's OID object */
+
+                            PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                                (&(policyQualifier->qualifierID),
+                                &oidAscii,
+                                plContext),
+                                PKIX_OIDBYTES2ASCIIFAILED);
+
+                            PKIX_CHECK(PKIX_PL_OID_Create
+                                (oidAscii, &pkixOID, plContext),
+                                PKIX_OIDCREATEFAILED);
+
+                            /* create qualifier's ByteArray object */
+
+                            PKIX_CHECK(PKIX_PL_ByteArray_Create
+                                (policyQualifier->qualifierValue.data,
+                                policyQualifier->qualifierValue.len,
+                                &qualifierArray,
+                                plContext),
+                                PKIX_BYTEARRAYCREATEFAILED);
+
+                            /* create a CertPolicyQualifier object */
+
+                            PKIX_CHECK(pkix_pl_CertPolicyQualifier_Create
+                                (pkixOID,
+                                qualifierArray,
+                                &certPolicyQualifier,
+                                plContext),
+                                PKIX_CERTPOLICYQUALIFIERCREATEFAILED);
+
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                (qualifiers,
+                                (PKIX_PL_Object *)certPolicyQualifier,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                            PKIX_FREE(oidAscii);
+                            PKIX_DECREF(pkixOID);
+                            PKIX_DECREF(qualifierArray);
+                            PKIX_DECREF(certPolicyQualifier);
+
+                            policyQualifiers++;
+                        }
+
+                        PKIX_CHECK(PKIX_List_SetImmutable
+                                (qualifiers, plContext),
+                                PKIX_LISTSETIMMUTABLEFAILED);
+                }
+
+
+                /*
+                 * Create an OID object pkixOID from policyInfo->policyID.
+                 * (The CERTPolicyInfo structure has an oid field, but it
+                 * is of type SECOidTag. This function wants a SECItem.)
+                 */
+
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                        (&(policyInfo->policyID), &oidAscii, plContext),
+                        PKIX_OIDBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_OID_Create
+                        (oidAscii, &pkixOID, plContext),
+                        PKIX_OIDCREATEFAILED);
+
+                /* Create a CertPolicyInfo object */
+                PKIX_CHECK(pkix_pl_CertPolicyInfo_Create
+                        (pkixOID, qualifiers, &certPolicyInfo, plContext),
+                        PKIX_CERTPOLICYINFOCREATEFAILED);
+
+                /* Append the new CertPolicyInfo object to the list */
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_FREE(oidAscii);
+                PKIX_DECREF(pkixOID);
+                PKIX_DECREF(qualifiers);
+                PKIX_DECREF(certPolicyInfo);
+
+                policyInfos++;
+        }
+
+        /*
+         * If there were no policies, we went straight to
+         * cleanup, so we don't have to NULLCHECK infos.
+         */
+        PKIX_CHECK(PKIX_List_SetImmutable(infos, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pCertPolicyInfos = infos;
+
+cleanup:
+        if (certPol) {
+            PKIX_CERT_DEBUG
+                ("\t\tCalling CERT_DestroyCertificatePoliciesExtension).\n");
+            CERT_DestroyCertificatePoliciesExtension(certPol);
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(infos);
+        }
+
+        PKIX_FREE(oidAscii);
+        PKIX_DECREF(pkixOID);
+        PKIX_DECREF(qualifiers);
+        PKIX_DECREF(certPolicyInfo);
+        PKIX_DECREF(certPolicyQualifier);
+        PKIX_DECREF(qualifierArray);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_DecodePolicyMapping
+ * DESCRIPTION:
+ *
+ *  Decodes the contents of the PolicyMapping extension of the CERTCertificate
+ *  pointed to by "nssCert", storing the resulting List of CertPolicyMaps at
+ *  the address pointed to by "pCertPolicyMaps". If this certificate does not
+ *  have a PolicyMapping extension, NULL will be stored. If a List is returned,
+ *  it will be immutable.
+ *
+ * PARAMETERS
+ *  "nssCert"
+ *      Address of the Cert data whose extension is to be examined. Must be
+ *      non-NULL.
+ *  "pCertPolicyMaps"
+ *      Address where the List of CertPolicyMaps will be stored. Must be
+ *      non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Cert_DecodePolicyMapping(
+        CERTCertificate *nssCert,
+        PKIX_List **pCertPolicyMaps,
+        void *plContext)
+{
+        SECStatus rv;
+        SECItem encodedCertPolicyMaps;
+
+        /* Allocated in the arena; freed in CERT_Destroy... */
+        CERTCertificatePolicyMappings *certPolMaps = NULL;
+        CERTPolicyMap **policyMaps = NULL;
+        CERTPolicyMap *policyMap = NULL;
+
+        /* Holder for the return value */
+        PKIX_List *maps = NULL;
+
+        char *issuerPolicyOIDAscii = NULL;
+        char *subjectPolicyOIDAscii = NULL;
+        PKIX_PL_OID *issuerDomainOID = NULL;
+        PKIX_PL_OID *subjectDomainOID = NULL;
+        PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyMapping");
+        PKIX_NULLCHECK_TWO(nssCert, pCertPolicyMaps);
+
+        /* get PolicyMappings as a SECItem */
+        PKIX_CERT_DEBUG("\t\tCERT_FindCertExtension).\n");
+        rv = CERT_FindCertExtension
+                (nssCert, SEC_OID_X509_POLICY_MAPPINGS, &encodedCertPolicyMaps);
+        if (SECSuccess != rv) {
+                *pCertPolicyMaps = NULL;
+                goto cleanup;
+        }
+
+        /* translate PolicyMaps to CERTCertificatePolicyMappings */
+        certPolMaps = CERT_DecodePolicyMappingsExtension
+                (&encodedCertPolicyMaps);
+
+        PORT_Free(encodedCertPolicyMaps.data);
+
+        if (!certPolMaps) {
+                PKIX_ERROR(PKIX_CERTDECODEPOLICYMAPPINGSEXTENSIONFAILED);
+        }
+
+        PKIX_NULLCHECK_ONE(certPolMaps->policyMaps);
+
+        policyMaps = certPolMaps->policyMaps;
+
+        /* create a List of CertPolicyMap Objects */
+        PKIX_CHECK(PKIX_List_Create(&maps, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        /*
+         * Traverse the CERTCertificatePolicyMappings structure,
+         * building each CertPolicyMap object in turn
+         */
+        do {
+                policyMap = *policyMaps;
+
+                /* create the OID for the issuer Domain Policy */
+
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                        (&(policyMap->issuerDomainPolicy),
+                        &issuerPolicyOIDAscii,
+                        plContext),
+                        PKIX_OIDBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_OID_Create
+                        (issuerPolicyOIDAscii, &issuerDomainOID, plContext),
+                        PKIX_OIDCREATEFAILED);
+
+                /* create the OID for the subject Domain Policy */
+
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                        (&(policyMap->subjectDomainPolicy),
+                        &subjectPolicyOIDAscii,
+                        plContext),
+                        PKIX_OIDBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_OID_Create
+                        (subjectPolicyOIDAscii, &subjectDomainOID, plContext),
+                        PKIX_OIDCREATEFAILED);
+
+                /* create the CertPolicyMap */
+
+                PKIX_CHECK(pkix_pl_CertPolicyMap_Create
+                        (issuerDomainOID,
+                        subjectDomainOID,
+                        &certPolicyMap,
+                        plContext),
+                        PKIX_CERTPOLICYMAPCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                        (maps, (PKIX_PL_Object *)certPolicyMap, plContext),
+                        PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_FREE(issuerPolicyOIDAscii);
+                PKIX_FREE(subjectPolicyOIDAscii);
+                PKIX_DECREF(issuerDomainOID);
+                PKIX_DECREF(subjectDomainOID);
+                PKIX_DECREF(certPolicyMap);
+
+                policyMaps++;
+        } while (*policyMaps != NULL);
+
+        PKIX_CHECK(PKIX_List_SetImmutable(maps, plContext),
+                PKIX_LISTSETIMMUTABLEFAILED);
+
+        *pCertPolicyMaps = maps;
+
+cleanup:
+        if (certPolMaps) {
+            PKIX_CERT_DEBUG
+                ("\t\tCalling CERT_DestroyPolicyMappingsExtension).\n");
+            CERT_DestroyPolicyMappingsExtension(certPolMaps);
+        }
+
+        PKIX_FREE(issuerPolicyOIDAscii);
+        PKIX_FREE(subjectPolicyOIDAscii);
+        PKIX_DECREF(issuerDomainOID);
+        PKIX_DECREF(subjectDomainOID);
+        PKIX_DECREF(certPolicyMap);
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_DecodePolicyConstraints
+ * DESCRIPTION:
+ *
+ *  Decodes the contents of the PolicyConstraints extension in the
+ *  CERTCertificate pointed to by "nssCert", to obtain SkipCerts values
+ *  which are stored at the addresses "pExplicitPolicySkipCerts" and
+ *  "pInhibitMappingSkipCerts", respectively. If this certificate does
+ *  not have an PolicyConstraints extension, or if either of the optional
+ *  components is not supplied, this function stores a value of -1 for any
+ *  missing component.
+ *
+ * PARAMETERS
+ *  "nssCert"
+ *      Address of the Cert data whose extension is to be examined. Must be
+ *      non-NULL.
+ *  "pExplicitPolicySkipCerts"
+ *      Address where the SkipCert value for the requireExplicitPolicy
+ *      component will be stored. Must be non-NULL.
+ *  "pInhibitMappingSkipCerts"
+ *      Address where the SkipCert value for the inhibitPolicyMapping
+ *      component will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Cert_DecodePolicyConstraints(
+        CERTCertificate *nssCert,
+        PKIX_Int32 *pExplicitPolicySkipCerts,
+        PKIX_Int32 *pInhibitMappingSkipCerts,
+        void *plContext)
+{
+        CERTCertificatePolicyConstraints policyConstraints;
+        SECStatus rv;
+        SECItem encodedCertPolicyConstraints;
+        PKIX_Int32 explicitPolicySkipCerts = -1;
+        PKIX_Int32 inhibitMappingSkipCerts = -1;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_DecodePolicyConstraints");
+        PKIX_NULLCHECK_THREE
+                (nssCert, pExplicitPolicySkipCerts, pInhibitMappingSkipCerts);
+
+        /* get the two skipCert values as SECItems */
+        PKIX_CERT_DEBUG("\t\tCalling CERT_FindCertExtension).\n");
+        rv = CERT_FindCertExtension
+                (nssCert,
+                SEC_OID_X509_POLICY_CONSTRAINTS,
+                &encodedCertPolicyConstraints);
+
+        if (rv == SECSuccess) {
+
+                policyConstraints.explicitPolicySkipCerts.data =
+                        (unsigned char *)&explicitPolicySkipCerts;
+                policyConstraints.inhibitMappingSkipCerts.data =
+                        (unsigned char *)&inhibitMappingSkipCerts;
+
+                /* translate DER to CERTCertificatePolicyConstraints */
+                rv = CERT_DecodePolicyConstraintsExtension
+                        (&policyConstraints, &encodedCertPolicyConstraints);
+
+                PORT_Free(encodedCertPolicyConstraints.data);
+
+                if (rv != SECSuccess) {
+                    PKIX_ERROR
+                        (PKIX_CERTDECODEPOLICYCONSTRAINTSEXTENSIONFAILED);
+                }
+        }
+
+        *pExplicitPolicySkipCerts = explicitPolicySkipCerts;
+        *pInhibitMappingSkipCerts = inhibitMappingSkipCerts;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_DecodeInhibitAnyPolicy
+ * DESCRIPTION:
+ *
+ *  Decodes the contents of the InhibitAnyPolicy extension in the
+ *  CERTCertificate pointed to by "nssCert", to obtain a SkipCerts value,
+ *  which is stored at the address "pSkipCerts". If this certificate does
+ *  not have an InhibitAnyPolicy extension, -1 will be stored.
+ *
+ * PARAMETERS
+ *  "nssCert"
+ *      Address of the Cert data whose InhibitAnyPolicy extension is to be
+ *      processed. Must be non-NULL.
+ *  "pSkipCerts"
+ *      Address where the SkipCert value from the InhibitAnyPolicy extension
+ *      will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Cert_DecodeInhibitAnyPolicy(
+        CERTCertificate *nssCert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext)
+{
+        CERTCertificateInhibitAny inhibitAny;
+        SECStatus rv;
+        SECItem encodedCertInhibitAny;
+        PKIX_Int32 skipCerts = -1;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_DecodeInhibitAnyPolicy");
+        PKIX_NULLCHECK_TWO(nssCert, pSkipCerts);
+
+        /* get InhibitAny as a SECItem */
+        PKIX_CERT_DEBUG("\t\tCalling CERT_FindCertExtension).\n");
+        rv = CERT_FindCertExtension
+                (nssCert, SEC_OID_X509_INHIBIT_ANY_POLICY, &encodedCertInhibitAny);
+
+        if (rv == SECSuccess) {
+                inhibitAny.inhibitAnySkipCerts.data =
+                        (unsigned char *)&skipCerts;
+
+                /* translate DER to CERTCertificateInhibitAny */
+                rv = CERT_DecodeInhibitAnyExtension
+                        (&inhibitAny, &encodedCertInhibitAny);
+
+                PORT_Free(encodedCertInhibitAny.data);
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_CERTDECODEINHIBITANYEXTENSIONFAILED);
+                }
+        }
+
+        *pSkipCerts = skipCerts;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_GetNssSubjectAltNames
+ * DESCRIPTION:
+ *
+ *  Retrieves the Subject Alternative Names of the certificate specified by
+ *  "cert" and stores it at "pNssSubjAltNames". If the Subject Alternative
+ *  Name extension is not present, NULL is returned at "pNssSubjAltNames".
+ *  If the Subject Alternative Names has not been previously decoded, it is
+ *  decoded here with lock on the "cert" unless the flag "hasLock" indicates
+ *  the lock had been obtained at a higher call level.
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of the certificate whose Subject Alternative Names extensions
+ *      is retrieved. Must be non-NULL.
+ *  "hasLock"
+ *      Boolean indicates caller has acquired a lock.
+ *      Must be non-NULL.
+ *  "pNssSubjAltNames"
+ *      Address where the returned Subject Alternative Names will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Cert_GetNssSubjectAltNames(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean hasLock,
+        CERTGeneralName **pNssSubjAltNames,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        CERTGeneralName *nssOriginalAltName = NULL;
+        PLArenaPool *arena = NULL;
+        SECItem altNameExtension = {siBuffer, NULL, 0};
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_GetNssSubjectAltNames");
+        PKIX_NULLCHECK_THREE(cert, pNssSubjAltNames, cert->nssCert);
+
+        nssCert = cert->nssCert;
+
+        if ((cert->nssSubjAltNames == NULL) && (!cert->subjAltNamesAbsent)){
+
+                if (!hasLock) {
+                    PKIX_OBJECT_LOCK(cert);
+                }
+
+                if ((cert->nssSubjAltNames == NULL) &&
+                    (!cert->subjAltNamesAbsent)){
+
+                    PKIX_PL_NSSCALLRV(CERT, rv, CERT_FindCertExtension,
+                        (nssCert,
+                        SEC_OID_X509_SUBJECT_ALT_NAME,
+                        &altNameExtension));
+
+                    if (rv != SECSuccess) {
+                        *pNssSubjAltNames = NULL;
+                        cert->subjAltNamesAbsent = PKIX_TRUE;
+                        goto cleanup;
+                    }
+
+                    if (cert->arenaNameConstraints == NULL) {
+                        PKIX_PL_NSSCALLRV(CERT, arena, PORT_NewArena,
+                                (DER_DEFAULT_CHUNKSIZE));
+
+                        if (arena == NULL) {
+                            PKIX_ERROR(PKIX_OUTOFMEMORY);
+                        }
+                        cert->arenaNameConstraints = arena;
+                    }
+
+                    PKIX_PL_NSSCALLRV
+                        (CERT,
+                        nssOriginalAltName,
+                        (CERTGeneralName *) CERT_DecodeAltNameExtension,
+                        (cert->arenaNameConstraints, &altNameExtension));
+
+                    PKIX_PL_NSSCALL(CERT, PORT_Free, (altNameExtension.data));
+
+                    if (nssOriginalAltName == NULL) {
+                        PKIX_ERROR(PKIX_CERTDECODEALTNAMEEXTENSIONFAILED);
+                    }
+                    cert->nssSubjAltNames = nssOriginalAltName;
+
+                }
+
+                if (!hasLock) {
+                    PKIX_OBJECT_UNLOCK(cert);
+                }
+        }
+
+        *pNssSubjAltNames = cert->nssSubjAltNames;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_CheckExtendKeyUsage
+ * DESCRIPTION:
+ *
+ *  For each of the ON bit in "requiredExtendedKeyUsages" that represents its
+ *  SECCertUsageEnum type, this function checks "cert"'s certType (extended
+ *  key usage) and key usage with what is required for SECCertUsageEnum type.
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of the certificate whose Extended Key Usage extensions
+ *      is retrieved. Must be non-NULL.
+ *  "requiredExtendedKeyUsages"
+ *      An unsigned integer, its bit location is ON based on the required key
+ *      usage value representing in SECCertUsageEnum.
+ *  "pPass"
+ *      Address where the return value, indicating key usage check passed, is
+ *       stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Cert_CheckExtendedKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 requiredExtendedKeyUsages,
+        PKIX_Boolean *pPass,
+        void *plContext)
+{
+        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+        PKIX_UInt32 certType = 0;
+        PKIX_UInt32 requiredKeyUsage = 0;
+        PKIX_UInt32 requiredCertType = 0;
+        PKIX_UInt32 requiredExtendedKeyUsage = 0;
+        PKIX_UInt32 i;
+        PKIX_Boolean isCA = PKIX_FALSE;
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_CheckExtendKeyUsage");
+        PKIX_NULLCHECK_THREE(cert, pPass, cert->nssCert);
+
+        *pPass = PKIX_FALSE;
+
+        PKIX_CERT_DEBUG("\t\tCalling cert_GetCertType).\n");
+        cert_GetCertType(cert->nssCert);
+        certType = cert->nssCert->nsCertType;
+
+        PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                    (cert,
+                    &basicConstraints,
+                    plContext),
+                    PKIX_CERTGETBASICCONSTRAINTFAILED);
+
+        if (basicConstraints != NULL) {
+                PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+                    (basicConstraints, &isCA, plContext),
+                    PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+        }
+
+        i = 0;
+        while (requiredExtendedKeyUsages != 0) {
+
+                /* Find the bit location of the right-most non-zero bit */
+                while (requiredExtendedKeyUsages != 0) {
+                        if (((1 << i) & requiredExtendedKeyUsages) != 0) {
+                                requiredExtendedKeyUsage = 1 << i;
+                                break;
+                        }
+                        i++;
+                }
+                requiredExtendedKeyUsages ^= requiredExtendedKeyUsage;
+
+                requiredExtendedKeyUsage = i;
+
+                PKIX_PL_NSSCALLRV(CERT, rv, CERT_KeyUsageAndTypeForCertUsage,
+                        (requiredExtendedKeyUsage,
+                        isCA,
+                        &requiredKeyUsage,
+                        &requiredCertType));
+
+                if (!(certType & requiredCertType)) {
+                        goto cleanup;
+                }
+
+                PKIX_PL_NSSCALLRV(CERT, rv, CERT_CheckKeyUsage,
+                        (cert->nssCert, requiredKeyUsage));
+                if (rv != SECSuccess) {
+                        goto cleanup;
+                }
+                i++;
+
+        }
+
+        *pPass = PKIX_TRUE;
+
+cleanup:
+        PKIX_DECREF(basicConstraints);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the Cert pointed
+ *  to by "cert" and stores it at "pString", where the value of
+ *  "partialString" determines whether a full or partial representation of
+ *  the Cert is stored.
+ *
+ * PARAMETERS
+ *  "cert"
+ *      Address of Cert whose string representation is desired.
+ *      Must be non-NULL.
+ *  "partialString"
+ *      Boolean indicating whether a partial Cert representation is desired.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Cert_ToString_Helper(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean partialString,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *certString = NULL;
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_UInt32 certVersion;
+        PKIX_PL_BigInt *certSN = NULL;
+        PKIX_PL_String *certSNString = NULL;
+        PKIX_PL_X500Name *certIssuer = NULL;
+        PKIX_PL_String *certIssuerString = NULL;
+        PKIX_PL_X500Name *certSubject = NULL;
+        PKIX_PL_String *certSubjectString = NULL;
+        PKIX_PL_String *notBeforeString = NULL;
+        PKIX_PL_String *notAfterString = NULL;
+        PKIX_List *subjAltNames = NULL;
+        PKIX_PL_String *subjAltNamesString = NULL;
+        PKIX_PL_ByteArray *authKeyId = NULL;
+        PKIX_PL_String *authKeyIdString = NULL;
+        PKIX_PL_ByteArray *subjKeyId = NULL;
+        PKIX_PL_String *subjKeyIdString = NULL;
+        PKIX_PL_PublicKey *nssPubKey = NULL;
+        PKIX_PL_String *nssPubKeyString = NULL;
+        PKIX_List *critExtOIDs = NULL;
+        PKIX_PL_String *critExtOIDsString = NULL;
+        PKIX_List *extKeyUsages = NULL;
+        PKIX_PL_String *extKeyUsagesString = NULL;
+        PKIX_PL_CertBasicConstraints *basicConstraint = NULL;
+        PKIX_PL_String *certBasicConstraintsString = NULL;
+        PKIX_List *policyInfo = NULL;
+        PKIX_PL_String *certPolicyInfoString = NULL;
+        PKIX_List *certPolicyMappings = NULL;
+        PKIX_PL_String *certPolicyMappingsString = NULL;
+        PKIX_Int32 certExplicitPolicy = 0;
+        PKIX_Int32 certInhibitMapping = 0;
+        PKIX_Int32 certInhibitAnyPolicy = 0;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        PKIX_PL_String *nameConstraintsString = NULL;
+        PKIX_List *authorityInfoAccess = NULL;
+        PKIX_PL_String *authorityInfoAccessString = NULL;
+        PKIX_List *subjectInfoAccess = NULL;
+        PKIX_PL_String *subjectInfoAccessString = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_ToString_Helper");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pString);
+
+        /*
+         * XXX Add to this format as certificate components are developed.
+         */
+
+        if (partialString){
+                asciiFormat =
+                        "\t[Issuer:          %s\n"
+                        "\t Subject:         %s]";
+        } else {
+                asciiFormat =
+                        "[\n"
+                        "\tVersion:         v%d\n"
+                        "\tSerialNumber:    %s\n"
+                        "\tIssuer:          %s\n"
+                        "\tSubject:         %s\n"
+                        "\tValidity: [From: %s\n"
+                        "\t           To:   %s]\n"
+                        "\tSubjectAltNames: %s\n"
+                        "\tAuthorityKeyId:  %s\n"
+                        "\tSubjectKeyId:    %s\n"
+                        "\tSubjPubKeyAlgId: %s\n"
+                        "\tCritExtOIDs:     %s\n"
+                        "\tExtKeyUsages:    %s\n"
+                        "\tBasicConstraint: %s\n"
+                        "\tCertPolicyInfo:  %s\n"
+                        "\tPolicyMappings:  %s\n"
+                        "\tExplicitPolicy:  %d\n"
+                        "\tInhibitMapping:  %d\n"
+                        "\tInhibitAnyPolicy:%d\n"
+                        "\tNameConstraints: %s\n"
+                        "\tAuthorityInfoAccess: %s\n"
+                        "\tSubjectInfoAccess: %s\n"
+                        "\tCacheFlag:       %d\n"
+                        "]\n";
+        }
+
+
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        /* Issuer */
+        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
+                (cert, &certIssuer, plContext),
+                PKIX_CERTGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)certIssuer, &certIssuerString, plContext),
+                PKIX_X500NAMETOSTRINGFAILED);
+
+        /* Subject */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &certSubject, plContext),
+                PKIX_CERTGETSUBJECTFAILED);
+
+        PKIX_TOSTRING(certSubject, &certSubjectString, plContext,
+                PKIX_X500NAMETOSTRINGFAILED);
+
+        if (partialString){
+                PKIX_CHECK(PKIX_PL_Sprintf
+                            (&certString,
+                            plContext,
+                            formatString,
+                            certIssuerString,
+                            certSubjectString),
+                            PKIX_SPRINTFFAILED);
+
+                *pString = certString;
+                goto cleanup;
+        }
+
+        /* Version */
+        PKIX_CHECK(PKIX_PL_Cert_GetVersion(cert, &certVersion, plContext),
+                PKIX_CERTGETVERSIONFAILED);
+
+        /* SerialNumber */
+        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber(cert, &certSN, plContext),
+                PKIX_CERTGETSERIALNUMBERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)certSN, &certSNString, plContext),
+                PKIX_BIGINTTOSTRINGFAILED);
+
+        /* Validity: NotBefore */
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                (&(cert->nssCert->validity.notBefore),
+                &notBeforeString,
+                plContext),
+                PKIX_DATETOSTRINGHELPERFAILED);
+
+        /* Validity: NotAfter */
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                (&(cert->nssCert->validity.notAfter),
+                &notAfterString,
+                plContext),
+                PKIX_DATETOSTRINGHELPERFAILED);
+
+        /* SubjectAltNames */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
+                (cert, &subjAltNames, plContext),
+                PKIX_CERTGETSUBJECTALTNAMESFAILED);
+
+        PKIX_TOSTRING(subjAltNames, &subjAltNamesString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* AuthorityKeyIdentifier */
+        PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
+                (cert, &authKeyId, plContext),
+                PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
+
+        PKIX_TOSTRING(authKeyId, &authKeyIdString, plContext,
+                PKIX_BYTEARRAYTOSTRINGFAILED);
+
+        /* SubjectKeyIdentifier */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
+                (cert, &subjKeyId, plContext),
+                PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
+
+        PKIX_TOSTRING(subjKeyId, &subjKeyIdString, plContext,
+                PKIX_BYTEARRAYTOSTRINGFAILED);
+
+        /* SubjectPublicKey */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                    (cert, &nssPubKey, plContext),
+                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                ((PKIX_PL_Object *)nssPubKey, &nssPubKeyString, plContext),
+                PKIX_PUBLICKEYTOSTRINGFAILED);
+
+        /* CriticalExtensionOIDs */
+        PKIX_CHECK(PKIX_PL_Cert_GetCriticalExtensionOIDs
+                (cert, &critExtOIDs, plContext),
+                PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED);
+
+        PKIX_TOSTRING(critExtOIDs, &critExtOIDsString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* ExtendedKeyUsages */
+        PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
+                (cert, &extKeyUsages, plContext),
+                PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
+
+        PKIX_TOSTRING(extKeyUsages, &extKeyUsagesString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* CertBasicConstraints */
+        PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+                (cert, &basicConstraint, plContext),
+                PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+        PKIX_TOSTRING(basicConstraint, &certBasicConstraintsString, plContext,
+                PKIX_CERTBASICCONSTRAINTSTOSTRINGFAILED);
+
+        /* CertPolicyInfo */
+        PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
+                (cert, &policyInfo, plContext),
+                PKIX_CERTGETPOLICYINFORMATIONFAILED);
+
+        PKIX_TOSTRING(policyInfo, &certPolicyInfoString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* Advanced Policies */
+        PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
+                (cert, &certPolicyMappings, plContext),
+                PKIX_CERTGETPOLICYMAPPINGSFAILED);
+
+        PKIX_TOSTRING(certPolicyMappings, &certPolicyMappingsString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
+                (cert, &certExplicitPolicy, plContext),
+                PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
+                (cert, &certInhibitMapping, plContext),
+                PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
+
+        PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
+                (cert, &certInhibitAnyPolicy, plContext),
+                PKIX_CERTGETINHIBITANYPOLICYFAILED);
+
+        /* Name Constraints */
+        PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                (cert, &nameConstraints, plContext),
+                PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+        PKIX_TOSTRING(nameConstraints, &nameConstraintsString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* Authority Information Access */
+        PKIX_CHECK(PKIX_PL_Cert_GetAuthorityInfoAccess
+                (cert, &authorityInfoAccess, plContext),
+                PKIX_CERTGETAUTHORITYINFOACCESSFAILED);
+
+        PKIX_TOSTRING(authorityInfoAccess, &authorityInfoAccessString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* Subject Information Access */
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectInfoAccess
+                (cert, &subjectInfoAccess, plContext),
+                PKIX_CERTGETSUBJECTINFOACCESSFAILED);
+
+        PKIX_TOSTRING(subjectInfoAccess, &subjectInfoAccessString, plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&certString,
+                    plContext,
+                    formatString,
+                    certVersion + 1,
+                    certSNString,
+                    certIssuerString,
+                    certSubjectString,
+                    notBeforeString,
+                    notAfterString,
+                    subjAltNamesString,
+                    authKeyIdString,
+                    subjKeyIdString,
+                    nssPubKeyString,
+                    critExtOIDsString,
+                    extKeyUsagesString,
+                    certBasicConstraintsString,
+                    certPolicyInfoString,
+                    certPolicyMappingsString,
+                    certExplicitPolicy,         /* an Int32, not a String */
+                    certInhibitMapping,         /* an Int32, not a String */
+                    certInhibitAnyPolicy,       /* an Int32, not a String */
+                    nameConstraintsString,
+                    authorityInfoAccessString,
+                    subjectInfoAccessString,
+                    cert->cacheFlag),           /* a boolean */
+                    PKIX_SPRINTFFAILED);
+
+        *pString = certString;
+
+cleanup:
+        PKIX_DECREF(certSN);
+        PKIX_DECREF(certSNString);
+        PKIX_DECREF(certIssuer);
+        PKIX_DECREF(certIssuerString);
+        PKIX_DECREF(certSubject);
+        PKIX_DECREF(certSubjectString);
+        PKIX_DECREF(notBeforeString);
+        PKIX_DECREF(notAfterString);
+        PKIX_DECREF(subjAltNames);
+        PKIX_DECREF(subjAltNamesString);
+        PKIX_DECREF(authKeyId);
+        PKIX_DECREF(authKeyIdString);
+        PKIX_DECREF(subjKeyId);
+        PKIX_DECREF(subjKeyIdString);
+        PKIX_DECREF(nssPubKey);
+        PKIX_DECREF(nssPubKeyString);
+        PKIX_DECREF(critExtOIDs);
+        PKIX_DECREF(critExtOIDsString);
+        PKIX_DECREF(extKeyUsages);
+        PKIX_DECREF(extKeyUsagesString);
+        PKIX_DECREF(basicConstraint);
+        PKIX_DECREF(certBasicConstraintsString);
+        PKIX_DECREF(policyInfo);
+        PKIX_DECREF(certPolicyInfoString);
+        PKIX_DECREF(certPolicyMappings);
+        PKIX_DECREF(certPolicyMappingsString);
+        PKIX_DECREF(nameConstraints);
+        PKIX_DECREF(nameConstraintsString);
+        PKIX_DECREF(authorityInfoAccess);
+        PKIX_DECREF(authorityInfoAccessString);
+        PKIX_DECREF(subjectInfoAccess);
+        PKIX_DECREF(subjectInfoAccessString);
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Cert_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
+                    PKIX_OBJECTNOTCERT);
+
+        cert = (PKIX_PL_Cert*)object;
+
+        PKIX_DECREF(cert->subject);
+        PKIX_DECREF(cert->issuer);
+        PKIX_DECREF(cert->subjAltNames);
+        PKIX_DECREF(cert->publicKeyAlgId);
+        PKIX_DECREF(cert->publicKey);
+        PKIX_DECREF(cert->serialNumber);
+        PKIX_DECREF(cert->critExtOids);
+        PKIX_DECREF(cert->authKeyId);
+        PKIX_DECREF(cert->subjKeyId);
+        PKIX_DECREF(cert->extKeyUsages);
+        PKIX_DECREF(cert->certBasicConstraints);
+        PKIX_DECREF(cert->certPolicyInfos);
+        PKIX_DECREF(cert->certPolicyMappings);
+        PKIX_DECREF(cert->nameConstraints);
+        PKIX_DECREF(cert->store);
+        PKIX_DECREF(cert->authorityInfoAccess);
+        PKIX_DECREF(cert->subjectInfoAccess);
+
+        if (cert->arenaNameConstraints){
+                /* This arena was allocated for SubjectAltNames */
+                PKIX_PL_NSSCALL(CERT, PORT_FreeArena,
+                        (cert->arenaNameConstraints, PR_FALSE));
+
+                cert->arenaNameConstraints = NULL;
+                cert->nssSubjAltNames = NULL;
+        }
+
+        CERT_DestroyCertificate(cert->nssCert);
+        cert->nssCert = NULL;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Cert_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *certString = NULL;
+        PKIX_PL_Cert *pkixCert = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
+                    PKIX_OBJECTNOTCERT);
+
+        pkixCert = (PKIX_PL_Cert *)object;
+
+        PKIX_CHECK(pkix_pl_Cert_ToString_Helper
+                    (pkixCert, PKIX_FALSE, &certString, plContext),
+                    PKIX_CERTTOSTRINGHELPERFAILED);
+
+        *pString = certString;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Cert_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_Cert *pkixCert = NULL;
+        CERTCertificate *nssCert = NULL;
+        unsigned char *derBytes = NULL;
+        PKIX_UInt32 derLength;
+        PKIX_UInt32 certHash;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERT_TYPE, plContext),
+                    PKIX_OBJECTNOTCERT);
+
+        pkixCert = (PKIX_PL_Cert *)object;
+
+        nssCert = pkixCert->nssCert;
+        derBytes = (nssCert->derCert).data;
+        derLength = (nssCert->derCert).len;
+
+        PKIX_CHECK(pkix_hash(derBytes, derLength, &certHash, plContext),
+                    PKIX_HASHFAILED);
+
+        *pHashcode = certHash;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_Cert_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Cert_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        CERTCertificate *firstCert = NULL;
+        CERTCertificate *secondCert = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a Cert */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_CERT_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTCERT);
+
+        /*
+         * Since we know firstObject is a Cert, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a Cert, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CERT_TYPE) goto cleanup;
+
+        firstCert = ((PKIX_PL_Cert *)firstObject)->nssCert;
+        secondCert = ((PKIX_PL_Cert *)secondObject)->nssCert;
+
+        PKIX_NULLCHECK_TWO(firstCert, secondCert);
+
+        /* CERT_CompareCerts does byte comparison on DER encodings of certs */
+        PKIX_CERT_DEBUG("\t\tCalling CERT_CompareCerts).\n");
+        cmpResult = CERT_CompareCerts(firstCert, secondCert);
+
+        *pResult = cmpResult;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_Cert_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_RegisterSelf");
+
+        entry.description = "Cert";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_Cert);
+        entry.destructor = pkix_pl_Cert_Destroy;
+        entry.equalsFunction = pkix_pl_Cert_Equals;
+        entry.hashcodeFunction = pkix_pl_Cert_Hashcode;
+        entry.toStringFunction = pkix_pl_Cert_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERT_TYPE] = entry;
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_CreateWithNSSCert
+ * DESCRIPTION:
+ *
+ *  Creates a new certificate using the CERTCertificate pointed to by "nssCert"
+ *  and stores it at "pCert". Once created, a Cert is immutable.
+ *
+ *  This function is primarily used as a convenience function for the
+ *  performance tests that have easy access to a CERTCertificate.
+ *
+ * PARAMETERS:
+ *  "nssCert"
+ *      Address of CERTCertificate representing the NSS certificate.
+ *      Must be non-NULL.
+ *  "pCert"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Cert_CreateWithNSSCert(
+        CERTCertificate *nssCert,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        PKIX_PL_Cert *cert = NULL;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_CreateWithNSSCert");
+        PKIX_NULLCHECK_TWO(pCert, nssCert);
+
+        /* create a PKIX_PL_Cert object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERT_TYPE,
+                    sizeof (PKIX_PL_Cert),
+                    (PKIX_PL_Object **)&cert,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        /* populate the nssCert field */
+        cert->nssCert = nssCert;
+
+        /* initialize remaining fields */
+        /*
+         * Fields ending with Absent are initialized to PKIX_FALSE so that the
+         * first time we need the value we will look for it. If we find it is
+         * actually absent, the flag will at that time be set to PKIX_TRUE to
+         * prevent searching for it later.
+         * Fields ending with Processed are those where a value is defined
+         * for the Absent case, and a value of zero is possible. When the
+         * flag is still true we have to look for the field, set the default
+         * value if necessary, and set the Processed flag to PKIX_TRUE.
+         */
+        cert->subject = NULL;
+        cert->issuer = NULL;
+        cert->subjAltNames = NULL;
+        cert->subjAltNamesAbsent = PKIX_FALSE;
+        cert->publicKeyAlgId = NULL;
+        cert->publicKey = NULL;
+        cert->serialNumber = NULL;
+        cert->critExtOids = NULL;
+        cert->subjKeyId = NULL;
+        cert->subjKeyIdAbsent = PKIX_FALSE;
+        cert->authKeyId = NULL;
+        cert->authKeyIdAbsent = PKIX_FALSE;
+        cert->extKeyUsages = NULL;
+        cert->extKeyUsagesAbsent = PKIX_FALSE;
+        cert->certBasicConstraints = NULL;
+        cert->basicConstraintsAbsent = PKIX_FALSE;
+        cert->certPolicyInfos = NULL;
+        cert->policyInfoAbsent = PKIX_FALSE;
+        cert->policyMappingsAbsent = PKIX_FALSE;
+        cert->certPolicyMappings = NULL;
+        cert->policyConstraintsProcessed = PKIX_FALSE;
+        cert->policyConstraintsExplicitPolicySkipCerts = 0;
+        cert->policyConstraintsInhibitMappingSkipCerts = 0;
+        cert->inhibitAnyPolicyProcessed = PKIX_FALSE;
+        cert->inhibitAnySkipCerts = 0;
+        cert->nameConstraints = NULL;
+        cert->nameConstraintsAbsent = PKIX_FALSE;
+        cert->arenaNameConstraints = NULL;
+        cert->nssSubjAltNames = NULL;
+        cert->cacheFlag = PKIX_FALSE;
+        cert->store = NULL;
+        cert->authorityInfoAccess = NULL;
+        cert->subjectInfoAccess = NULL;
+
+        *pCert = cert;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Cert_CreateToList
+ * DESCRIPTION:
+ *
+ *  Creates a new certificate using the DER-encoding pointed to by "derCertItem"
+ *  and appends it to the list pointed to by "certList". If Cert creation fails,
+ *  the function returns with certList unchanged, but any decoding Error is
+ *  discarded.
+ *
+ * PARAMETERS:
+ *  "derCertItem"
+ *      Address of SECItem containing the DER representation of a certificate.
+ *      Must be non-NULL.
+ *  "certList"
+ *      Address of List to which the Cert will be appended, if successfully
+ *      created. May be empty, but must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Cert_CreateToList(
+        SECItem *derCertItem,
+        PKIX_List *certList,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        PKIX_PL_Cert *cert = NULL;
+        CERTCertDBHandle *handle;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_CreateToList");
+        PKIX_NULLCHECK_TWO(derCertItem, certList);
+
+        handle  = CERT_GetDefaultCertDB();
+        nssCert = CERT_NewTempCertificate(handle, derCertItem,
+					  /* nickname */ NULL, 
+					  /* isPerm   */ PR_FALSE, 
+					  /* copyDer  */ PR_TRUE);
+        if (!nssCert) {
+            goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_Cert_CreateWithNSSCert
+                   (nssCert, &cert, plContext),
+                   PKIX_CERTCREATEWITHNSSCERTFAILED);
+
+        nssCert = NULL;
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                   (certList, (PKIX_PL_Object *) cert, plContext),
+                   PKIX_LISTAPPENDITEMFAILED);
+
+cleanup:
+        if (nssCert) {
+            CERT_DestroyCertificate(nssCert);
+        }
+
+        PKIX_DECREF(cert);
+        PKIX_RETURN(CERT);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_Cert_Create (see comments in pkix_pl_pki.h)
+ * XXX We may want to cache the cert after parsing it, so it can be reused
+ * XXX Are the NSS/NSPR functions thread safe
+ */
+PKIX_Error *
+PKIX_PL_Cert_Create(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        SECItem *derCertItem = NULL;
+        void *derBytes = NULL;
+        PKIX_UInt32 derLength;
+        PKIX_Boolean copyDER;
+        PKIX_PL_Cert *cert = NULL;
+        CERTCertDBHandle *handle;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_Create");
+        PKIX_NULLCHECK_TWO(pCert, byteArray);
+
+        PKIX_CHECK(PKIX_PL_ByteArray_GetPointer
+                    (byteArray, &derBytes, plContext),
+                    PKIX_BYTEARRAYGETPOINTERFAILED);
+
+        PKIX_CHECK(PKIX_PL_ByteArray_GetLength
+                    (byteArray, &derLength, plContext),
+                    PKIX_BYTEARRAYGETLENGTHFAILED);
+
+        derCertItem = SECITEM_AllocItem(NULL, NULL, derLength);
+        if (derCertItem == NULL){
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        (void) PORT_Memcpy(derCertItem->data, derBytes, derLength);
+
+        /*
+         * setting copyDER to true forces NSS to make its own copy of the DER,
+         * allowing us to free our copy without worrying about whether NSS
+         * is still using it
+         */
+        copyDER = PKIX_TRUE;
+        handle  = CERT_GetDefaultCertDB();
+        nssCert = CERT_NewTempCertificate(handle, derCertItem,
+					  /* nickname */ NULL, 
+					  /* isPerm   */ PR_FALSE, 
+					  /* copyDer  */ PR_TRUE);
+        if (!nssCert){
+                PKIX_ERROR(PKIX_CERTDECODEDERCERTIFICATEFAILED);
+        }
+
+        PKIX_CHECK(pkix_pl_Cert_CreateWithNSSCert
+                (nssCert, &cert, plContext),
+                PKIX_CERTCREATEWITHNSSCERTFAILED);
+
+        *pCert = cert;
+
+cleanup:
+        if (derCertItem){
+                SECITEM_FreeItem(derCertItem, PKIX_TRUE);
+        }
+
+        if (nssCert && PKIX_ERROR_RECEIVED){
+                PKIX_CERT_DEBUG("\t\tCalling CERT_DestroyCertificate).\n");
+                CERT_DestroyCertificate(nssCert);
+                nssCert = NULL;
+        }
+
+        PKIX_FREE(derBytes);
+        PKIX_RETURN(CERT);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CreateFromCERTCertificate
+ *  (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_CreateFromCERTCertificate(
+        const CERTCertificate *nssCert,
+        PKIX_PL_Cert **pCert,
+        void *plContext)
+{
+        void *buf = NULL;
+        PKIX_UInt32 len;
+        PKIX_PL_ByteArray *byteArray = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_CreateWithNssCert");
+        PKIX_NULLCHECK_TWO(pCert, nssCert);
+
+        buf = (void*)nssCert->derCert.data;
+        len = nssCert->derCert.len;
+
+        PKIX_CHECK(
+            PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext),
+            PKIX_BYTEARRAYCREATEFAILED);
+
+        PKIX_CHECK(
+            PKIX_PL_Cert_Create(byteArray, pCert, plContext),
+            PKIX_CERTCREATEWITHNSSCERTFAILED);
+
+#ifdef PKIX_UNDEF
+        /* will be tested and used as a patch for bug 391612 */
+        nssCert = CERT_DupCertificate(nssInCert);
+
+        PKIX_CHECK(pkix_pl_Cert_CreateWithNSSCert
+                (nssCert, &cert, plContext),
+                PKIX_CERTCREATEWITHNSSCERTFAILED);
+#endif /* PKIX_UNDEF */
+
+cleanup:
+
+#ifdef PKIX_UNDEF
+        if (nssCert && PKIX_ERROR_RECEIVED){
+                PKIX_CERT_DEBUG("\t\tCalling CERT_DestroyCertificate).\n");
+                CERT_DestroyCertificate(nssCert);
+                nssCert = NULL;
+        }
+#endif /* PKIX_UNDEF */
+
+        PKIX_DECREF(byteArray);
+        PKIX_RETURN(CERT);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetVersion (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetVersion(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 *pVersion,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        PKIX_UInt32 myVersion = 1;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetVersion");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pVersion);
+
+        nssCert = cert->nssCert;
+        if (nssCert->version.data) {
+                myVersion = *(nssCert->version.data);
+        }
+
+        if (myVersion > 2){
+                PKIX_ERROR(PKIX_VERSIONVALUEMUSTBEV1V2ORV3);
+        }
+
+        *pVersion = myVersion;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSerialNumber (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSerialNumber(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_BigInt **pSerialNumber,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        SECItem serialNumItem;
+        PKIX_PL_BigInt *serialNumber = NULL;
+        char *bytes = NULL;
+        PKIX_UInt32 length;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSerialNumber");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSerialNumber);
+
+        if (cert->serialNumber == NULL){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->serialNumber == NULL){
+
+                        nssCert = cert->nssCert;
+                        serialNumItem = nssCert->serialNumber;
+
+                        length = serialNumItem.len;
+                        bytes = (char *)serialNumItem.data;
+
+                        PKIX_CHECK(pkix_pl_BigInt_CreateWithBytes
+                                    (bytes, length, &serialNumber, plContext),
+                                    PKIX_BIGINTCREATEWITHBYTESFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->serialNumber = serialNumber;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->serialNumber);
+        *pSerialNumber = cert->serialNumber;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubject (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubject(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name **pCertSubject,
+        void *plContext)
+{
+        PKIX_PL_X500Name *pkixSubject = NULL;
+        CERTName *subjName = NULL;
+        SECItem  *derSubjName = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubject");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pCertSubject);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->subject == NULL){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->subject == NULL){
+
+                        subjName = &cert->nssCert->subject;
+                        derSubjName = &cert->nssCert->derSubject;
+
+                        /* if there is no subject name */
+                        if (derSubjName->data == NULL) {
+
+                                pkixSubject = NULL;
+
+                        } else {
+                                PKIX_CHECK(PKIX_PL_X500Name_CreateFromCERTName
+                                    (derSubjName, subjName, &pkixSubject,
+                                     plContext),
+                                    PKIX_X500NAMECREATEFROMCERTNAMEFAILED);
+
+                        }
+                        /* save a cached copy in case it is asked for again */
+                        cert->subject = pkixSubject;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->subject);
+        *pCertSubject = cert->subject;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetIssuer (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetIssuer(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_X500Name **pCertIssuer,
+        void *plContext)
+{
+        PKIX_PL_X500Name *pkixIssuer = NULL;
+        SECItem  *derIssuerName = NULL;
+        CERTName *issuerName = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetIssuer");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pCertIssuer);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->issuer == NULL){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->issuer == NULL){
+
+                        issuerName = &cert->nssCert->issuer;
+                        derIssuerName = &cert->nssCert->derIssuer;
+
+                        /* if there is no subject name */
+                        PKIX_CHECK(PKIX_PL_X500Name_CreateFromCERTName
+                                    (derIssuerName, issuerName,
+                                     &pkixIssuer, plContext),
+                                    PKIX_X500NAMECREATEFROMCERTNAMEFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->issuer = pkixIssuer;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->issuer);
+        *pCertIssuer = cert->issuer;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectAltNames (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectAltNames(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pSubjectAltNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        PKIX_PL_GeneralName *pkixAltName = NULL;
+        PKIX_List *altNamesList = NULL;
+
+        CERTGeneralName *nssOriginalAltName = NULL;
+        CERTGeneralName *nssTempAltName = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectAltNames");
+        PKIX_NULLCHECK_TWO(cert, pSubjectAltNames);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->subjAltNames == NULL) && (!cert->subjAltNamesAbsent)){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->subjAltNames == NULL) &&
+                    (!cert->subjAltNamesAbsent)){
+
+                        PKIX_CHECK(pkix_pl_Cert_GetNssSubjectAltNames
+                                (cert,
+                                PKIX_TRUE,
+                                &nssOriginalAltName,
+                                plContext),
+                                PKIX_CERTGETNSSSUBJECTALTNAMESFAILED);
+
+                        if (nssOriginalAltName == NULL) {
+                                cert->subjAltNamesAbsent = PKIX_TRUE;
+                                pSubjectAltNames = NULL;
+                                goto cleanup;
+                        }
+
+                        nssTempAltName = nssOriginalAltName;
+
+                        PKIX_CHECK(PKIX_List_Create(&altNamesList, plContext),
+                                PKIX_LISTCREATEFAILED);
+
+                        do {
+                            PKIX_CHECK(pkix_pl_GeneralName_Create
+                                (nssTempAltName, &pkixAltName, plContext),
+                                PKIX_GENERALNAMECREATEFAILED);
+
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                (altNamesList,
+                                (PKIX_PL_Object *)pkixAltName,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                            PKIX_DECREF(pkixAltName);
+
+                            PKIX_CERT_DEBUG
+                                ("\t\tCalling CERT_GetNextGeneralName).\n");
+                            nssTempAltName = CERT_GetNextGeneralName
+                                (nssTempAltName);
+
+                        } while (nssTempAltName != nssOriginalAltName);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->subjAltNames = altNamesList;
+                        PKIX_CHECK(PKIX_List_SetImmutable
+                                (cert->subjAltNames, plContext),
+                                PKIX_LISTSETIMMUTABLEFAILED);
+
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->subjAltNames);
+
+        *pSubjectAltNames = cert->subjAltNames;
+
+cleanup:
+        PKIX_DECREF(pkixAltName);
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(altNamesList);
+        }
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAllSubjectNames (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAllSubjectNames(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pAllSubjectNames,  /* list of PKIX_PL_GeneralName */
+        void *plContext)
+{
+        CERTGeneralName *nssOriginalSubjectName = NULL;
+        CERTGeneralName *nssTempSubjectName = NULL;
+        PKIX_List *allSubjectNames = NULL;
+        PKIX_PL_GeneralName *pkixSubjectName = NULL;
+        PLArenaPool *arena = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetAllSubjectNames");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pAllSubjectNames);
+
+
+        if (cert->nssCert->subjectName == NULL){
+                /* if there is no subject DN, just get altnames */
+
+                PKIX_CHECK(pkix_pl_Cert_GetNssSubjectAltNames
+                            (cert,
+                            PKIX_FALSE, /* hasLock */
+                            &nssOriginalSubjectName,
+                            plContext),
+                            PKIX_CERTGETNSSSUBJECTALTNAMESFAILED);
+
+        } else { /* get subject DN and altnames */
+
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                /* This NSS call returns both Subject and  Subject Alt Names */
+                PKIX_CERT_DEBUG("\t\tCalling CERT_GetCertificateNames\n");
+                nssOriginalSubjectName =
+                        CERT_GetCertificateNames(cert->nssCert, arena);
+        }
+
+        if (nssOriginalSubjectName == NULL) {
+                pAllSubjectNames = NULL;
+                goto cleanup;
+        }
+
+        nssTempSubjectName = nssOriginalSubjectName;
+
+        PKIX_CHECK(PKIX_List_Create(&allSubjectNames, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        do {
+                PKIX_CHECK(pkix_pl_GeneralName_Create
+                            (nssTempSubjectName, &pkixSubjectName, plContext),
+                            PKIX_GENERALNAMECREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (allSubjectNames,
+                            (PKIX_PL_Object *)pkixSubjectName,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(pkixSubjectName);
+
+                PKIX_CERT_DEBUG
+                        ("\t\tCalling CERT_GetNextGeneralName).\n");
+                nssTempSubjectName = CERT_GetNextGeneralName
+                        (nssTempSubjectName);
+        } while (nssTempSubjectName != nssOriginalSubjectName);
+
+        *pAllSubjectNames = allSubjectNames;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(allSubjectNames);
+        }
+
+        if (arena){
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+        PKIX_DECREF(pkixSubjectName);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKeyAlgId
+ *      (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_OID **pSubjKeyAlgId,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        PKIX_PL_OID *pubKeyAlgId = NULL;
+        SECAlgorithmID algorithm;
+        SECItem algBytes;
+        char *asciiOID = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->publicKeyAlgId == NULL){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->publicKeyAlgId == NULL){
+
+                        nssCert = cert->nssCert;
+                        algorithm = nssCert->subjectPublicKeyInfo.algorithm;
+                        algBytes = algorithm.algorithm;
+
+                        PKIX_NULLCHECK_ONE(algBytes.data);
+                        if (algBytes.len == 0) {
+                                PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
+                        }
+
+                        PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                                    (&algBytes, &asciiOID, plContext),
+                                    PKIX_OIDBYTES2ASCIIFAILED);
+
+                        PKIX_CHECK(PKIX_PL_OID_Create
+                                    (asciiOID, &pubKeyAlgId, plContext),
+                                    PKIX_OIDCREATEFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->publicKeyAlgId = pubKeyAlgId;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->publicKeyAlgId);
+        *pSubjKeyAlgId = cert->publicKeyAlgId;
+
+cleanup:
+        PKIX_FREE(asciiOID);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectPublicKey (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectPublicKey(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey **pPublicKey,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *pkixPubKey = NULL;
+        SECStatus rv;
+
+        CERTSubjectPublicKeyInfo *from = NULL;
+        CERTSubjectPublicKeyInfo *to = NULL;
+        SECItem *fromItem = NULL;
+        SECItem *toItem = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKey");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pPublicKey);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->publicKey == NULL){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->publicKey == NULL){
+
+                        /* create a PKIX_PL_PublicKey object */
+                        PKIX_CHECK(PKIX_PL_Object_Alloc
+                                    (PKIX_PUBLICKEY_TYPE,
+                                    sizeof (PKIX_PL_PublicKey),
+                                    (PKIX_PL_Object **)&pkixPubKey,
+                                    plContext),
+                                    PKIX_COULDNOTCREATEOBJECT);
+
+                        /* initialize fields */
+                        pkixPubKey->nssSPKI = NULL;
+
+                        /* populate the SPKI field */
+                        PKIX_CHECK(PKIX_PL_Malloc
+                                    (sizeof (CERTSubjectPublicKeyInfo),
+                                    (void **)&pkixPubKey->nssSPKI,
+                                    plContext),
+                                    PKIX_MALLOCFAILED);
+
+                        to = pkixPubKey->nssSPKI;
+                        from  = &cert->nssCert->subjectPublicKeyInfo;
+
+                        PKIX_NULLCHECK_TWO(to, from);
+
+                        PKIX_CERT_DEBUG
+                                ("\t\tCalling SECOID_CopyAlgorithmID).\n");
+                        rv = SECOID_CopyAlgorithmID
+                                (NULL, &to->algorithm, &from->algorithm);
+                        if (rv != SECSuccess) {
+                                PKIX_ERROR(PKIX_SECOIDCOPYALGORITHMIDFAILED);
+                        }
+
+                        /*
+                         * NSS stores the length of subjectPublicKey in bits.
+                         * Therefore, we use that length converted to bytes
+                         * using ((length+7)>>3) before calling PORT_Memcpy
+                         * in order to avoid "read from uninitialized memory"
+                         * errors.
+                         */
+
+                        toItem = &to->subjectPublicKey;
+                        fromItem = &from->subjectPublicKey;
+
+                        PKIX_NULLCHECK_TWO(toItem, fromItem);
+
+                        toItem->type = fromItem->type;
+
+                        toItem->data =
+                                (unsigned char*) PORT_ZAlloc(fromItem->len);
+                        if (!toItem->data){
+                                PKIX_ERROR(PKIX_OUTOFMEMORY);
+                        }
+
+                        (void) PORT_Memcpy(toItem->data,
+                                    fromItem->data,
+                                    (fromItem->len + 7)>>3);
+                        toItem->len = fromItem->len;
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->publicKey = pkixPubKey;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->publicKey);
+        *pPublicKey = cert->publicKey;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED && pkixPubKey){
+                PKIX_DECREF(pkixPubKey);
+                cert->publicKey = NULL;
+        }
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCriticalExtensionOIDs
+ *      (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCriticalExtensionOIDs(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pList,  /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_List *oidsList = NULL;
+        CERTCertExtension **extensions = NULL;
+        CERTCertificate *nssCert = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetCriticalExtensionOIDs");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pList);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->critExtOids == NULL) {
+
+            PKIX_OBJECT_LOCK(cert);
+
+            if (cert->critExtOids == NULL) {
+
+                nssCert = cert->nssCert;
+
+                /*
+                 * ASN.1 for Extension
+                 *
+                 * Extension  ::=  SEQUENCE  {
+                 *      extnID          OBJECT IDENTIFIER,
+                 *      critical        BOOLEAN DEFAULT FALSE,
+                 *      extnValue       OCTET STRING  }
+                 *
+                 */
+
+                extensions = nssCert->extensions;
+
+                PKIX_CHECK(pkix_pl_OID_GetCriticalExtensionOIDs
+                            (extensions, &oidsList, plContext),
+                            PKIX_GETCRITICALEXTENSIONOIDSFAILED);
+
+                /* save a cached copy in case it is asked for again */
+                cert->critExtOids = oidsList;
+            }
+
+            PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        /* We should return a copy of the List since this list changes */
+        PKIX_DUPLICATE(cert->critExtOids, pList, plContext,
+                PKIX_OBJECTDUPLICATELISTFAILED);
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAuthorityKeyIdentifier
+ *      (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAuthorityKeyIdentifier(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_ByteArray **pAuthKeyId,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *authKeyId = NULL;
+        CERTCertificate *nssCert = NULL;
+        CERTAuthKeyID *authKeyIdExtension = NULL;
+        PLArenaPool *arena = NULL;
+        SECItem retItem;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetAuthorityKeyIdentifier");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pAuthKeyId);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->authKeyId == NULL) && (!cert->authKeyIdAbsent)){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->authKeyId == NULL) && (!cert->authKeyIdAbsent)){
+
+                        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                        if (arena == NULL) {
+                                PKIX_ERROR(PKIX_OUTOFMEMORY);
+                        }
+
+                        nssCert = cert->nssCert;
+
+                        authKeyIdExtension =
+                                CERT_FindAuthKeyIDExten(arena, nssCert);
+                        if (authKeyIdExtension == NULL){
+                                cert->authKeyIdAbsent = PKIX_TRUE;
+                                *pAuthKeyId = NULL;
+                                goto cleanup;
+                        }
+
+                        retItem = authKeyIdExtension->keyID;
+
+                        if (retItem.len == 0){
+                                cert->authKeyIdAbsent = PKIX_TRUE;
+                                *pAuthKeyId = NULL;
+                                goto cleanup;
+                        }
+
+                        PKIX_CHECK(PKIX_PL_ByteArray_Create
+                                    (retItem.data,
+                                    retItem.len,
+                                    &authKeyId,
+                                    plContext),
+                                    PKIX_BYTEARRAYCREATEFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->authKeyId = authKeyId;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->authKeyId);
+        *pAuthKeyId = cert->authKeyId;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        if (arena){
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectKeyIdentifier
+ *      (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectKeyIdentifier(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_ByteArray **pSubjKeyId,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *subjKeyId = NULL;
+        CERTCertificate *nssCert = NULL;
+        SECItem *retItem = NULL;
+        SECStatus status;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectKeyIdentifier");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyId);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->subjKeyId == NULL) && (!cert->subjKeyIdAbsent)){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->subjKeyId == NULL) && (!cert->subjKeyIdAbsent)){
+
+                        retItem = SECITEM_AllocItem(NULL, NULL, 0);
+                        if (retItem == NULL){
+                                PKIX_ERROR(PKIX_OUTOFMEMORY);
+                        }
+
+                        nssCert = cert->nssCert;
+
+                        status = CERT_FindSubjectKeyIDExtension
+                                (nssCert, retItem);
+                        if (status != SECSuccess) {
+                                cert->subjKeyIdAbsent = PKIX_TRUE;
+                                *pSubjKeyId = NULL;
+                                goto cleanup;
+                        }
+
+                        PKIX_CHECK(PKIX_PL_ByteArray_Create
+                                    (retItem->data,
+                                    retItem->len,
+                                    &subjKeyId,
+                                    plContext),
+                                    PKIX_BYTEARRAYCREATEFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->subjKeyId = subjKeyId;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->subjKeyId);
+        *pSubjKeyId = cert->subjKeyId;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        if (retItem){
+                SECITEM_FreeItem(retItem, PKIX_TRUE);
+        }
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetExtendedKeyUsage (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetExtendedKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pKeyUsage,  /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        CERTOidSequence *extKeyUsage = NULL;
+        CERTCertificate *nssCert = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        PKIX_List *oidsList = NULL;
+        char *oidAscii = NULL;
+        SECItem **oids = NULL;
+        SECItem *oid = NULL;
+        SECItem encodedExtKeyUsage;
+        SECStatus rv;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetExtendedKeyUsage");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pKeyUsage);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->extKeyUsages == NULL) && (!cert->extKeyUsagesAbsent)){
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->extKeyUsages == NULL) &&
+                    (!cert->extKeyUsagesAbsent)){
+
+                        nssCert = cert->nssCert;
+
+                        rv = CERT_FindCertExtension
+                                (nssCert, SEC_OID_X509_EXT_KEY_USAGE,
+                                &encodedExtKeyUsage);
+                        if (rv != SECSuccess){
+                                cert->extKeyUsagesAbsent = PKIX_TRUE;
+                                *pKeyUsage = NULL;
+                                goto cleanup;
+                        }
+
+                        extKeyUsage =
+                                CERT_DecodeOidSequence(&encodedExtKeyUsage);
+                        if (extKeyUsage == NULL){
+                                PKIX_ERROR(PKIX_CERTDECODEOIDSEQUENCEFAILED);
+                        }
+
+                        PORT_Free(encodedExtKeyUsage.data);
+
+                        oids = extKeyUsage->oids;
+
+                        if (!oids){
+                                /* no extended key usage extensions found */
+                                cert->extKeyUsagesAbsent = PKIX_TRUE;
+                                *pKeyUsage = NULL;
+                                goto cleanup;
+                        }
+
+                        PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
+                                    PKIX_LISTCREATEFAILED);
+
+                        while (*oids){
+                                oid = *oids++;
+
+                                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                                            (oid, &oidAscii, plContext),
+                                            PKIX_OIDBYTES2ASCIIFAILED);
+
+                                PKIX_CHECK(PKIX_PL_OID_Create
+                                            (oidAscii, &pkixOID, plContext),
+                                            PKIX_OIDCREATEFAILED);
+
+                                PKIX_CHECK(PKIX_List_AppendItem
+                                            (oidsList,
+                                            (PKIX_PL_Object *)pkixOID,
+                                            plContext),
+                                            PKIX_LISTAPPENDITEMFAILED);
+
+                                PKIX_FREE(oidAscii);
+
+                                PKIX_DECREF(pkixOID);
+                        }
+
+                        /* save a cached copy in case it is asked for again */
+                        cert->extKeyUsages = oidsList;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        if (cert->extKeyUsages){
+
+                PKIX_INCREF(cert->extKeyUsages);
+
+                PKIX_CHECK(PKIX_List_SetImmutable
+                            (cert->extKeyUsages, plContext),
+                            PKIX_LISTSETIMMUTABLEFAILED);
+        }
+
+        *pKeyUsage = cert->extKeyUsages;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+
+        PKIX_FREE(oidAscii);
+        PKIX_DECREF(pkixOID);
+
+        CERT_DestroyOidSequence(extKeyUsage);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(oidsList);
+        }
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetBasicConstraints
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetBasicConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertBasicConstraints **pBasicConstraints,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        CERTBasicConstraints nssBasicConstraint;
+        SECStatus rv;
+        PKIX_PL_CertBasicConstraints *basic;
+        PKIX_Int32 pathLen = 0;
+        PKIX_Boolean isCA = PKIX_FALSE;
+        enum {
+          realBC, synthBC, absentBC
+        } constraintSource = absentBC;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetBasicConstraints");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pBasicConstraints);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->certBasicConstraints == NULL) &&
+                (!cert->basicConstraintsAbsent)) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->certBasicConstraints == NULL) &&
+                    (!cert->basicConstraintsAbsent)) {
+
+                        nssCert = cert->nssCert;
+
+                        PKIX_CERT_DEBUG(
+                            "\t\tCalling Cert_FindBasicConstraintExten\n");
+                        rv = CERT_FindBasicConstraintExten
+                                (nssCert, &nssBasicConstraint);
+                        if (rv == SECSuccess) {
+                            constraintSource = realBC;
+                        }
+
+                        if (constraintSource == absentBC) {
+                            /* can we deduce it's a CA and create a 
+                               synthetic constraint?
+                            */
+                            CERTCertTrust trust;
+                            rv = CERT_GetCertTrust(nssCert, &trust);
+                            if (rv == SECSuccess) {
+                                int anyWantedFlag = CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+                                if ((trust.sslFlags & anyWantedFlag) 
+                                    || (trust.emailFlags & anyWantedFlag) 
+                                    || (trust.objectSigningFlags & anyWantedFlag)) {
+
+                                    constraintSource = synthBC;
+                                }
+                            }
+                        }
+
+                        if (constraintSource == absentBC) {
+                            cert->basicConstraintsAbsent = PKIX_TRUE;
+                            *pBasicConstraints = NULL;
+                            goto cleanup;
+                        }
+                }
+
+                if (constraintSource == synthBC) {
+                    isCA = PKIX_TRUE;
+                    pathLen = PKIX_UNLIMITED_PATH_CONSTRAINT;
+                } else {
+                    isCA = (nssBasicConstraint.isCA)?PKIX_TRUE:PKIX_FALSE;
+    
+                    /* The pathLen has meaning only for CAs */
+                    if (isCA) {
+                        if (CERT_UNLIMITED_PATH_CONSTRAINT ==
+                            nssBasicConstraint.pathLenConstraint) {
+                            pathLen = PKIX_UNLIMITED_PATH_CONSTRAINT;
+                        } else {
+                            pathLen = nssBasicConstraint.pathLenConstraint;
+                        }
+                    }
+                }
+
+                PKIX_CHECK(pkix_pl_CertBasicConstraints_Create
+                            (isCA, pathLen, &basic, plContext),
+                            PKIX_CERTBASICCONSTRAINTSCREATEFAILED);
+
+                /* save a cached copy in case it is asked for again */
+                cert->certBasicConstraints = basic;
+        }
+
+        PKIX_INCREF(cert->certBasicConstraints);
+        *pBasicConstraints = cert->certBasicConstraints;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyInformation
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyInformation(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pPolicyInfo,
+        void *plContext)
+{
+        PKIX_List *policyList = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetPolicyInformation");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pPolicyInfo);
+
+        /* if we don't have a cached copy from before, we create one */
+        if ((cert->certPolicyInfos == NULL) &&
+                (!cert->policyInfoAbsent)) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if ((cert->certPolicyInfos == NULL) &&
+                    (!cert->policyInfoAbsent)) {
+
+                        PKIX_CHECK(pkix_pl_Cert_DecodePolicyInfo
+                                (cert->nssCert, &policyList, plContext),
+                                PKIX_CERTDECODEPOLICYINFOFAILED);
+
+                        if (!policyList) {
+                                cert->policyInfoAbsent = PKIX_TRUE;
+                                *pPolicyInfo = NULL;
+                                goto cleanup;
+                        }
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+
+                /* save a cached copy in case it is asked for again */
+                cert->certPolicyInfos = policyList;
+        }
+
+        PKIX_INCREF(cert->certPolicyInfos);
+
+        *pPolicyInfo = cert->certPolicyInfos;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyMappings (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyMappings(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pPolicyMappings, /* list of PKIX_PL_CertPolicyMap */
+        void *plContext)
+{
+        PKIX_List *policyMappings = NULL; /* list of PKIX_PL_CertPolicyMap */
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetPolicyMappings");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pPolicyMappings);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (!(cert->certPolicyMappings) && !(cert->policyMappingsAbsent)) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (!(cert->certPolicyMappings) &&
+                    !(cert->policyMappingsAbsent)) {
+
+                        PKIX_CHECK(pkix_pl_Cert_DecodePolicyMapping
+                                (cert->nssCert, &policyMappings, plContext),
+                                PKIX_CERTDECODEPOLICYMAPPINGFAILED);
+
+                        if (!policyMappings) {
+                                cert->policyMappingsAbsent = PKIX_TRUE;
+                                *pPolicyMappings = NULL;
+                                goto cleanup;
+                        }
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+
+                /* save a cached copy in case it is asked for again */
+                cert->certPolicyMappings = policyMappings;
+        }
+
+        PKIX_INCREF(cert->certPolicyMappings);
+        *pPolicyMappings = cert->certPolicyMappings;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetRequireExplicitPolicy
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetRequireExplicitPolicy(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext)
+{
+        PKIX_Int32 explicitPolicySkipCerts = 0;
+        PKIX_Int32 inhibitMappingSkipCerts = 0;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetRequireExplicitPolicy");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSkipCerts);
+
+        if (!(cert->policyConstraintsProcessed)) {
+                PKIX_OBJECT_LOCK(cert);
+
+                if (!(cert->policyConstraintsProcessed)) {
+
+                        /*
+                         * If we can't process it now, we probably will be
+                         * unable to process it later. Set the default value.
+                         */
+                        cert->policyConstraintsProcessed = PKIX_TRUE;
+                        cert->policyConstraintsExplicitPolicySkipCerts = -1;
+                        cert->policyConstraintsInhibitMappingSkipCerts = -1;
+
+                        PKIX_CHECK(pkix_pl_Cert_DecodePolicyConstraints
+                                (cert->nssCert,
+                                &explicitPolicySkipCerts,
+                                &inhibitMappingSkipCerts,
+                                plContext),
+                                PKIX_CERTDECODEPOLICYCONSTRAINTSFAILED);
+
+                        cert->policyConstraintsExplicitPolicySkipCerts =
+                                explicitPolicySkipCerts;
+                        cert->policyConstraintsInhibitMappingSkipCerts =
+                                inhibitMappingSkipCerts;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        *pSkipCerts = cert->policyConstraintsExplicitPolicySkipCerts;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetPolicyMappingInhibited
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetPolicyMappingInhibited(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext)
+{
+        PKIX_Int32 explicitPolicySkipCerts = 0;
+        PKIX_Int32 inhibitMappingSkipCerts = 0;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetPolicyMappingInhibited");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSkipCerts);
+
+        if (!(cert->policyConstraintsProcessed)) {
+                PKIX_OBJECT_LOCK(cert);
+
+                if (!(cert->policyConstraintsProcessed)) {
+
+                        /*
+                         * If we can't process it now, we probably will be
+                         * unable to process it later. Set the default value.
+                         */
+                        cert->policyConstraintsProcessed = PKIX_TRUE;
+                        cert->policyConstraintsExplicitPolicySkipCerts = -1;
+                        cert->policyConstraintsInhibitMappingSkipCerts = -1;
+
+                        PKIX_CHECK(pkix_pl_Cert_DecodePolicyConstraints
+                                (cert->nssCert,
+                                &explicitPolicySkipCerts,
+                                &inhibitMappingSkipCerts,
+                                plContext),
+                                PKIX_CERTDECODEPOLICYCONSTRAINTSFAILED);
+
+                        cert->policyConstraintsExplicitPolicySkipCerts =
+                                explicitPolicySkipCerts;
+                        cert->policyConstraintsInhibitMappingSkipCerts =
+                                inhibitMappingSkipCerts;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        *pSkipCerts = cert->policyConstraintsInhibitMappingSkipCerts;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetInhibitAnyPolicy (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetInhibitAnyPolicy(
+        PKIX_PL_Cert *cert,
+        PKIX_Int32 *pSkipCerts,
+        void *plContext)
+{
+        PKIX_Int32 skipCerts = 0;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetInhibitAnyPolicy");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSkipCerts);
+
+        if (!(cert->inhibitAnyPolicyProcessed)) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (!(cert->inhibitAnyPolicyProcessed)) {
+
+                        /*
+                         * If we can't process it now, we probably will be
+                         * unable to process it later. Set the default value.
+                         */
+                        cert->inhibitAnyPolicyProcessed = PKIX_TRUE;
+                        cert->inhibitAnySkipCerts = -1;
+
+                        PKIX_CHECK(pkix_pl_Cert_DecodeInhibitAnyPolicy
+                                (cert->nssCert, &skipCerts, plContext),
+                                PKIX_CERTDECODEINHIBITANYPOLICYFAILED);
+
+                        cert->inhibitAnySkipCerts = skipCerts;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        *pSkipCerts = cert->inhibitAnySkipCerts;
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_AreCertPoliciesCritical
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_AreCertPoliciesCritical(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pCritical,
+        void *plContext)
+{
+        PKIX_Boolean criticality = PKIX_FALSE;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_AreCertPoliciesCritical");
+        PKIX_NULLCHECK_TWO(cert, pCritical);
+
+        PKIX_CHECK(pkix_pl_Cert_IsExtensionCritical(
+                cert,
+                SEC_OID_X509_CERTIFICATE_POLICIES,
+                &criticality,
+                plContext),
+                PKIX_CERTISEXTENSIONCRITICALFAILED);
+
+        *pCritical = criticality;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_VerifySignature (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_VerifySignature(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_PublicKey *pubKey,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        SECKEYPublicKey *nssPubKey = NULL;
+        CERTSignedData *tbsCert = NULL;
+        PKIX_PL_Cert *cachedCert = NULL;
+        PKIX_Error *verifySig = NULL;
+        PKIX_Error *cachedSig = NULL;
+        SECStatus status;
+        PKIX_Boolean certEqual = PKIX_FALSE;
+        PKIX_Boolean certInHash = PKIX_FALSE;
+        void* wincx = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_VerifySignature");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pubKey);
+
+        verifySig = PKIX_PL_HashTable_Lookup
+                        (cachedCertSigTable,
+                        (PKIX_PL_Object *) pubKey,
+                        (PKIX_PL_Object **) &cachedCert,
+                        plContext);
+
+        if (cachedCert != NULL && verifySig == NULL) {
+                /* Cached Signature Table lookup succeed */
+                PKIX_EQUALS(cert, cachedCert, &certEqual, plContext,
+                            PKIX_OBJECTEQUALSFAILED);
+                if (certEqual == PKIX_TRUE) {
+                        goto cleanup;
+                }
+                /* Different PubKey may hash to same value, skip add */
+                certInHash = PKIX_TRUE;
+        }
+
+        nssCert = cert->nssCert;
+        tbsCert = &nssCert->signatureWrap;
+
+        PKIX_CERT_DEBUG("\t\tCalling SECKEY_ExtractPublicKey).\n");
+        nssPubKey = SECKEY_ExtractPublicKey(pubKey->nssSPKI);
+        if (!nssPubKey){
+                PKIX_ERROR(PKIX_SECKEYEXTRACTPUBLICKEYFAILED);
+        }
+
+        PKIX_CERT_DEBUG("\t\tCalling CERT_VerifySignedDataWithPublicKey).\n");
+
+        PKIX_CHECK(pkix_pl_NssContext_GetWincx
+                   ((PKIX_PL_NssContext *)plContext, &wincx),
+                   PKIX_NSSCONTEXTGETWINCXFAILED);
+
+        status = CERT_VerifySignedDataWithPublicKey(tbsCert, nssPubKey, wincx);
+
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY);
+        }
+
+        if (certInHash == PKIX_FALSE) {
+                cachedSig = PKIX_PL_HashTable_Add
+                        (cachedCertSigTable,
+                        (PKIX_PL_Object *) pubKey,
+                        (PKIX_PL_Object *) cert,
+                        plContext);
+
+                if (cachedSig != NULL) {
+                        PKIX_DEBUG("PKIX_PL_HashTable_Add skipped: entry existed\n");
+                }
+        }
+
+cleanup:
+        if (nssPubKey){
+                PKIX_CERT_DEBUG("\t\tCalling SECKEY_DestroyPublicKey).\n");
+                SECKEY_DestroyPublicKey(nssPubKey);
+        }
+
+        PKIX_DECREF(cachedCert);
+        PKIX_DECREF(verifySig);
+        PKIX_DECREF(cachedSig);
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CheckValidity (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_CheckValidity(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date *date,
+        void *plContext)
+{
+        SECCertTimeValidity val;
+        PRTime timeToCheck;
+        PKIX_Boolean allowOverride;
+        SECCertificateUsage requiredUsages;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_CheckValidity");
+        PKIX_NULLCHECK_ONE(cert);
+
+        /* if the caller supplies a date, we use it; else, use current time */
+        if (date != NULL){
+                PKIX_CHECK(pkix_pl_Date_GetPRTime
+                        (date, &timeToCheck, plContext),
+                        PKIX_DATEGETPRTIMEFAILED);
+        } else {
+                timeToCheck = PR_Now();
+        }
+
+        requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
+        allowOverride =
+            (PRBool)((requiredUsages & certificateUsageSSLServer) ||
+                     (requiredUsages & certificateUsageSSLServerWithStepUp));
+        val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
+        if (val != secCertTimeValid){
+                PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
+        }
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetValidityNotAfter (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetValidityNotAfter(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PRTime prtime;
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetValidityNotAfter");
+        PKIX_NULLCHECK_TWO(cert, pDate);
+
+        PKIX_DATE_DEBUG("\t\tCalling DER_DecodeTimeChoice).\n");
+        rv = DER_DecodeTimeChoice(&prtime, &(cert->nssCert->validity.notAfter));
+        if (rv != SECSuccess){
+                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
+        }
+
+        PKIX_CHECK(pkix_pl_Date_CreateFromPRTime
+                    (prtime, pDate, plContext),
+                    PKIX_DATECREATEFROMPRTIMEFAILED);
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_VerifyKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 keyUsage,
+        void *plContext)
+{
+        CERTCertificate *nssCert = NULL;
+        PKIX_UInt32 nssKeyUsage = 0;
+        SECStatus status;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_VerifyKeyUsage");
+        PKIX_NULLCHECK_TWO(cert, cert->nssCert);
+
+        nssCert = cert->nssCert;
+
+        /* if cert doesn't have keyUsage extension, all keyUsages are valid */
+        if (!nssCert->keyUsagePresent){
+                goto cleanup;
+        }
+
+        if (keyUsage & PKIX_DIGITAL_SIGNATURE){
+                nssKeyUsage = nssKeyUsage | KU_DIGITAL_SIGNATURE;
+        }
+
+        if (keyUsage & PKIX_NON_REPUDIATION){
+                nssKeyUsage = nssKeyUsage | KU_NON_REPUDIATION;
+        }
+
+        if (keyUsage & PKIX_KEY_ENCIPHERMENT){
+                nssKeyUsage = nssKeyUsage | KU_KEY_ENCIPHERMENT;
+        }
+
+        if (keyUsage & PKIX_DATA_ENCIPHERMENT){
+                nssKeyUsage = nssKeyUsage | KU_DATA_ENCIPHERMENT;
+        }
+
+        if (keyUsage & PKIX_KEY_AGREEMENT){
+                nssKeyUsage = nssKeyUsage | KU_KEY_AGREEMENT;
+        }
+
+        if (keyUsage & PKIX_KEY_CERT_SIGN){
+                nssKeyUsage = nssKeyUsage | KU_KEY_CERT_SIGN;
+        }
+
+        if (keyUsage & PKIX_CRL_SIGN){
+                nssKeyUsage = nssKeyUsage | KU_CRL_SIGN;
+        }
+
+        if (keyUsage & PKIX_ENCIPHER_ONLY){
+                nssKeyUsage = nssKeyUsage | 0x01;
+        }
+
+        if (keyUsage & PKIX_DECIPHER_ONLY){
+                /* XXX we should support this once it is fixed in NSS */
+                PKIX_ERROR(PKIX_DECIPHERONLYKEYUSAGENOTSUPPORTED);
+        }
+
+        status = CERT_CheckKeyUsage(nssCert, nssKeyUsage);
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
+        }
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetNameConstraints
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetNameConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetNameConstraints");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pNameConstraints);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->nameConstraints == NULL && !cert->nameConstraintsAbsent) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->nameConstraints == NULL &&
+                    !cert->nameConstraintsAbsent) {
+
+                        PKIX_CHECK(pkix_pl_CertNameConstraints_Create
+                                (cert->nssCert, &nameConstraints, plContext),
+                                PKIX_CERTNAMECONSTRAINTSCREATEFAILED);
+
+                        if (nameConstraints == NULL) {
+                                cert->nameConstraintsAbsent = PKIX_TRUE;
+                        }
+
+                        cert->nameConstraints = nameConstraints;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+
+        }
+
+        PKIX_INCREF(cert->nameConstraints);
+
+        *pNameConstraints = cert->nameConstraints;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_CheckNameConstraints
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_CheckNameConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        void *plContext)
+{
+        PKIX_Boolean checkPass = PKIX_TRUE;
+        CERTGeneralName *nssSubjectNames = NULL;
+        PLArenaPool *arena = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_CheckNameConstraints");
+        PKIX_NULLCHECK_ONE(cert);
+
+        if (nameConstraints != NULL) {
+
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                /* This NSS call returns both Subject and  Subject Alt Names */
+                PKIX_CERT_DEBUG("\t\tCalling CERT_GetCertificateNames\n");
+                nssSubjectNames = CERT_GetCertificateNames
+                        (cert->nssCert, arena);
+
+                PKIX_CHECK(pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
+                        (nssSubjectNames,
+                        nameConstraints,
+                        &checkPass,
+                        plContext),
+                        PKIX_CERTNAMECONSTRAINTSCHECKNAMESPACENSSNAMESFAILED);
+
+                if (checkPass != PKIX_TRUE) {
+                        PKIX_ERROR(PKIX_CERTFAILEDNAMECONSTRAINTSCHECKING);
+                }
+        }
+
+cleanup:
+        if (arena){
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_MergeNameConstraints
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_MergeNameConstraints(
+        PKIX_PL_CertNameConstraints *firstNC,
+        PKIX_PL_CertNameConstraints *secondNC,
+        PKIX_PL_CertNameConstraints **pResultNC,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *mergedNC = NULL;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_MergeNameConstraints");
+        PKIX_NULLCHECK_TWO(firstNC, pResultNC);
+
+        if (secondNC == NULL) {
+
+                PKIX_INCREF(firstNC);
+                *pResultNC = firstNC;
+
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_Merge
+                (firstNC, secondNC, &mergedNC, plContext),
+                PKIX_CERTNAMECONSTRAINTSMERGEFAILED);
+
+        *pResultNC = mergedNC;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_IsCertTrusted
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_IsCertTrusted(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pTrusted,
+        void *plContext)
+{
+        PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
+        SECCertUsage certUsage = 0;
+        PKIX_Boolean trusted = PKIX_FALSE;
+        SECStatus rv = SECFailure;
+        unsigned int requiredFlags;
+        SECTrustType trustType;
+        CERTCertTrust trust;
+        CERTCertificate *nssCert = NULL;
+        SECCertificateUsage certificateUsage;
+
+        PKIX_ENTER(CERT, "pkix_pl_Cert_IsCertTrusted");
+        PKIX_NULLCHECK_TWO(cert, pTrusted);
+
+        /* no key usage information and store is not trusted */
+        if (plContext == NULL || cert->store == NULL) {
+                *pTrusted = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        if (cert->store) {
+                PKIX_CHECK(PKIX_CertStore_GetTrustCallback
+                        (cert->store, &trustCallback, plContext),
+                        PKIX_CERTSTOREGETTRUSTCALLBACKFAILED);
+
+                PKIX_CHECK_ONLY_FATAL(trustCallback
+                        (cert->store, cert, &trusted, plContext),
+                        PKIX_CHECKTRUSTCALLBACKFAILED);
+
+                if (PKIX_ERROR_RECEIVED || (trusted == PKIX_FALSE)) {
+
+                        *pTrusted = PKIX_FALSE;
+                        goto cleanup;
+                }
+
+        }
+
+        certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
+
+        /* ensure we obtained a single usage bit only */
+        PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
+
+        /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
+        while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
+
+        rv = CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags, &trustType);
+        if (rv != SECSuccess) {
+                *pTrusted = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        nssCert = cert->nssCert;
+
+        rv = CERT_GetCertTrust(nssCert, &trust);
+        if (rv == SECSuccess) {
+                unsigned int certFlags;
+                certFlags = SEC_GET_TRUST_FLAGS((&trust), trustType);
+                if ((certFlags & requiredFlags) == requiredFlags) {
+                        trusted = PKIX_TRUE;
+                }
+        }
+
+        *pTrusted = trusted;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCacheFlag (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCacheFlag(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean *pCacheFlag,
+        void *plContext)
+{
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetCacheFlag");
+        PKIX_NULLCHECK_TWO(cert, pCacheFlag);
+
+        *pCacheFlag = cert->cacheFlag;
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_SetCacheFlag (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_SetCacheFlag(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean cacheFlag,
+        void *plContext)
+{
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_SetCacheFlag");
+        PKIX_NULLCHECK_ONE(cert);
+
+        cert->cacheFlag = cacheFlag;
+
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetTrustCertStore (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetTrustCertStore(
+        PKIX_PL_Cert *cert,
+        PKIX_CertStore **pTrustCertStore,
+        void *plContext)
+{
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetTrustCertStore");
+        PKIX_NULLCHECK_TWO(cert, pTrustCertStore);
+
+        PKIX_INCREF(cert->store);
+        *pTrustCertStore = cert->store;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_SetTrustCertStore (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_SetTrustCertStore(
+        PKIX_PL_Cert *cert,
+        PKIX_CertStore *trustCertStore,
+        void *plContext)
+{
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_SetTrustCertStore");
+        PKIX_NULLCHECK_TWO(cert, trustCertStore);
+
+        PKIX_INCREF(trustCertStore);
+        cert->store = trustCertStore;
+
+cleanup:
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetAuthorityInfoAccess
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetAuthorityInfoAccess(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
+        void *plContext)
+{
+        PKIX_List *aiaList = NULL; /* of PKIX_PL_InfoAccess */
+        SECItem *encodedAIA = NULL;
+        CERTAuthInfoAccess **aia = NULL;
+        PLArenaPool *arena = NULL;
+        SECStatus rv;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetAuthorityInfoAccess");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pAiaList);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->authorityInfoAccess == NULL) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->authorityInfoAccess == NULL) {
+
+                    PKIX_PL_NSSCALLRV(CERT, encodedAIA, SECITEM_AllocItem,
+                        (NULL, NULL, 0));
+
+                    if (encodedAIA == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                    }
+
+                    PKIX_PL_NSSCALLRV(CERT, rv, CERT_FindCertExtension,
+                        (cert->nssCert,
+                        SEC_OID_X509_AUTH_INFO_ACCESS,
+                        encodedAIA));
+
+                    if (rv == SECFailure) {
+                        goto cleanup;
+                    }
+
+                    PKIX_PL_NSSCALLRV(CERT, arena, PORT_NewArena,
+                        (DER_DEFAULT_CHUNKSIZE));
+
+                    if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                    }
+
+                    PKIX_PL_NSSCALLRV
+                        (CERT, aia, CERT_DecodeAuthInfoAccessExtension,
+                        (arena, encodedAIA));
+
+                    PKIX_CHECK(pkix_pl_InfoAccess_CreateList
+                        (aia, &aiaList, plContext),
+                        PKIX_INFOACCESSCREATELISTFAILED);
+
+                    cert->authorityInfoAccess = aiaList;
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->authorityInfoAccess);
+
+        *pAiaList = cert->authorityInfoAccess;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        if (arena != NULL) {
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        if (encodedAIA != NULL) {
+                SECITEM_FreeItem(encodedAIA, PR_TRUE);
+        }
+
+        PKIX_RETURN(CERT);
+}
+
+/* XXX Following defines belongs to NSS */
+static const unsigned char siaOIDString[] = {0x2b, 0x06, 0x01, 0x05, 0x05,
+                                0x07, 0x01, 0x0b};
+#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetSubjectInfoAccess
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetSubjectInfoAccess(
+        PKIX_PL_Cert *cert,
+        PKIX_List **pSiaList, /* of PKIX_PL_InfoAccess */
+        void *plContext)
+{
+        PKIX_List *siaList; /* of PKIX_PL_InfoAccess */
+        SECItem siaOID = OI(siaOIDString);
+        SECItem *encodedSubjInfoAccess = NULL;
+        CERTAuthInfoAccess **subjInfoAccess = NULL;
+        PLArenaPool *arena = NULL;
+        SECStatus rv;
+
+        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectInfoAccess");
+        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSiaList);
+
+        /* XXX
+         * Codes to deal with SubjectInfoAccess OID should be moved to
+         * NSS soon. I implemented them here so we don't touch NSS
+         * source tree, from JP's suggestion.
+         */
+
+        /* if we don't have a cached copy from before, we create one */
+        if (cert->subjectInfoAccess == NULL) {
+
+                PKIX_OBJECT_LOCK(cert);
+
+                if (cert->subjectInfoAccess == NULL) {
+
+                    encodedSubjInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
+                    if (encodedSubjInfoAccess == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                    }
+
+                    PKIX_CERT_DEBUG
+                        ("\t\tCalling CERT_FindCertExtensionByOID).\n");
+                    rv = CERT_FindCertExtensionByOID
+                                (cert->nssCert, &siaOID, encodedSubjInfoAccess);
+
+                    if (rv == SECFailure) {
+                        goto cleanup;
+                    }
+
+                    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                    if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                    }
+
+                    /* XXX
+                     * Decode Subject Information Access -
+                     * since its type is the same as Authority Information
+                     * Access, reuse the call. NSS- change name to avoid
+                     * confusion.
+                     */
+                    PKIX_CERT_DEBUG
+                        ("\t\tCalling CERT_DecodeAuthInfoAccessExtension).\n");
+                    subjInfoAccess = CERT_DecodeAuthInfoAccessExtension
+                        (arena, encodedSubjInfoAccess);
+
+                    PKIX_CHECK(pkix_pl_InfoAccess_CreateList
+                            (subjInfoAccess, &siaList, plContext),
+                            PKIX_INFOACCESSCREATELISTFAILED);
+
+                    cert->subjectInfoAccess = siaList;
+
+                }
+
+                PKIX_OBJECT_UNLOCK(cert);
+        }
+
+        PKIX_INCREF(cert->subjectInfoAccess);
+        *pSiaList = cert->subjectInfoAccess;
+
+cleanup:
+	PKIX_OBJECT_UNLOCK(lockedObject);
+        if (arena != NULL) {
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        if (encodedSubjInfoAccess != NULL) {
+                SECITEM_FreeItem(encodedSubjInfoAccess, PR_TRUE);
+        }
+        PKIX_RETURN(CERT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Cert_GetCERTCertificate
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Cert_GetCERTCertificate(
+        PKIX_PL_Cert *cert,
+        CERTCertificate **pnssCert, 
+        void *plContext)
+{
+    PKIX_ENTER(CERT, "PKIX_PL_Cert_GetNssCert");
+    PKIX_NULLCHECK_TWO(cert, pnssCert);
+
+    *pnssCert = CERT_DupCertificate(cert->nssCert);
+
+    PKIX_RETURN(CERT);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h
new file mode 100644
index 000000000..067ef03f2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h
@@ -0,0 +1,132 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_cert.h
+ *
+ * Certificate Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_CERT_H
+#define _PKIX_PL_CERT_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_CertStruct {
+        CERTCertificate *nssCert;
+        CERTGeneralName *nssSubjAltNames;
+        PLArenaPool *arenaNameConstraints;
+        PKIX_PL_X500Name *issuer;
+        PKIX_PL_X500Name *subject;
+        PKIX_List *subjAltNames;
+        PKIX_Boolean subjAltNamesAbsent;
+        PKIX_PL_OID *publicKeyAlgId;
+        PKIX_PL_PublicKey *publicKey;
+        PKIX_PL_BigInt *serialNumber;
+        PKIX_List *critExtOids;
+        PKIX_PL_ByteArray *subjKeyId;
+        PKIX_Boolean subjKeyIdAbsent;
+        PKIX_PL_ByteArray *authKeyId;
+        PKIX_Boolean authKeyIdAbsent;
+        PKIX_List *extKeyUsages;
+        PKIX_Boolean extKeyUsagesAbsent;
+        PKIX_PL_CertBasicConstraints *certBasicConstraints;
+        PKIX_Boolean basicConstraintsAbsent;
+        PKIX_List *certPolicyInfos;
+        PKIX_Boolean policyInfoAbsent;
+        PKIX_Boolean policyMappingsAbsent;
+        PKIX_List *certPolicyMappings; /* List of PKIX_PL_CertPolicyMap */
+        PKIX_Boolean policyConstraintsProcessed;
+        PKIX_Int32 policyConstraintsExplicitPolicySkipCerts;
+        PKIX_Int32 policyConstraintsInhibitMappingSkipCerts;
+        PKIX_Boolean inhibitAnyPolicyProcessed;
+        PKIX_Int32 inhibitAnySkipCerts;
+        PKIX_PL_CertNameConstraints *nameConstraints;
+        PKIX_Boolean nameConstraintsAbsent;
+        PKIX_Boolean cacheFlag;
+        PKIX_CertStore *store;
+        PKIX_List *authorityInfoAccess; /* list of PKIX_PL_InfoAccess */
+        PKIX_List *subjectInfoAccess; /* list of PKIX_PL_InfoAccess */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_Cert_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_Cert_CreateWithNSSCert(
+        CERTCertificate *nssCert,
+        PKIX_PL_Cert **pCert,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Cert_CreateToList(
+        SECItem *derCertItem,
+        PKIX_List *certList,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Cert_CheckSubjectAltNameConstraints(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean matchAll,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Cert_ToString_Helper(
+        PKIX_PL_Cert *cert,
+        PKIX_Boolean partialString,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Cert_CheckExtendedKeyUsage(
+        PKIX_PL_Cert *cert,
+        PKIX_UInt32 requiredExtendedKeyUsages,
+        PKIX_Boolean *pPass,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_CERT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.c
new file mode 100644
index 000000000..97f5e934e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.c
@@ -0,0 +1,404 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicyinfo.c
+ *
+ * CertPolicyInfo Type Functions
+ *
+ */
+
+#include "pkix_pl_certpolicyinfo.h"
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertPolicyInfo Object using the OID pointed to by "oid" and
+ *  the List of CertPolicyQualifiers pointed to by "qualifiers", and stores it
+ *  at "pObject". If a non-NULL list is provided, the caller is expected to
+ *  have already set it to be immutable. The caller may provide an empty List,
+ *  but a NULL List is preferable so a user does not need to call
+ *  List_GetLength to get the number of qualifiers.
+ *
+ * PARAMETERS
+ *  "oid"
+ *      OID of the desired PolicyInfo ID; must be non-NULL
+ *  "qualifiers"
+ *      List of CertPolicyQualifiers; may be NULL or empty
+ *  "pObject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyInfo_Create(
+        PKIX_PL_OID *oid,
+        PKIX_List *qualifiers,
+        PKIX_PL_CertPolicyInfo **pObject,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyInfo *policyInfo = NULL;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_Create");
+
+        PKIX_NULLCHECK_TWO(oid, pObject);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_CERTPOLICYINFO_TYPE,
+                sizeof (PKIX_PL_CertPolicyInfo),
+                (PKIX_PL_Object **)&policyInfo,
+                plContext),
+                PKIX_COULDNOTCREATECERTPOLICYINFOOBJECT);
+
+        PKIX_INCREF(oid);
+        policyInfo->cpID = oid;
+
+        PKIX_INCREF(qualifiers);
+        policyInfo->policyQualifiers = qualifiers;
+
+        *pObject = policyInfo;
+        policyInfo = NULL;
+
+cleanup:
+        PKIX_DECREF(policyInfo);
+
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyInfo_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyInfo *certPI = NULL;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYINFO_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYINFO);
+
+        certPI = (PKIX_PL_CertPolicyInfo*)object;
+
+        PKIX_DECREF(certPI->cpID);
+        PKIX_DECREF(certPI->policyQualifiers);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyInfo_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyInfo *certPI = NULL;
+        PKIX_PL_String *oidString = NULL;
+        PKIX_PL_String *listString = NULL;
+        PKIX_PL_String *format = NULL;
+        PKIX_PL_String *outString = NULL;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYINFO_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYINFO);
+
+        certPI = (PKIX_PL_CertPolicyInfo *)object;
+
+        PKIX_NULLCHECK_ONE(certPI->cpID);
+
+        PKIX_TOSTRING
+                (certPI->cpID,
+                &oidString,
+                plContext,
+                PKIX_OIDTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (certPI->policyQualifiers,
+                &listString,
+                plContext,
+                PKIX_LISTTOSTRINGFAILED);
+
+        /* Put them together in the form OID[Qualifiers] */
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, "%s[%s]", 0, &format, plContext),
+                PKIX_ERRORINSTRINGCREATE);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&outString, plContext, format, oidString, listString),
+                PKIX_ERRORINSPRINTF);
+
+        *pString = outString;
+
+cleanup:
+
+        PKIX_DECREF(oidString);
+        PKIX_DECREF(listString);
+        PKIX_DECREF(format);
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyInfo_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyInfo *certPI = NULL;
+        PKIX_UInt32 oidHash = 0;
+        PKIX_UInt32 listHash = 0;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_Hashcode");
+
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYINFO_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYINFO);
+
+        certPI = (PKIX_PL_CertPolicyInfo *)object;
+
+        PKIX_NULLCHECK_ONE(certPI->cpID);
+
+        PKIX_HASHCODE
+                (certPI->cpID,
+                &oidHash,
+                plContext,
+                PKIX_ERRORINOIDHASHCODE);
+
+        PKIX_HASHCODE
+                (certPI->policyQualifiers,
+                &listHash,
+                plContext,
+                PKIX_ERRORINLISTHASHCODE);
+
+        *pHashcode = (31 * oidHash) + listHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyInfo_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyInfo *firstCPI = NULL;
+        PKIX_PL_CertPolicyInfo *secondCPI = NULL;
+        PKIX_UInt32 secondType = 0;
+        PKIX_Boolean compare = PKIX_FALSE;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CertPolicyInfo */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_CERTPOLICYINFO_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTCERTPOLICYINFO);
+
+        /*
+         * Since we know firstObject is a CertPolicyInfo,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a CertPolicyInfo, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                (secondObject, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CERTPOLICYINFO_TYPE) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        firstCPI = (PKIX_PL_CertPolicyInfo *)firstObject;
+        secondCPI = (PKIX_PL_CertPolicyInfo *)secondObject;
+
+        /*
+         * Compare the value of the OID components
+         */
+
+        PKIX_NULLCHECK_TWO(firstCPI->cpID, secondCPI->cpID);
+
+        PKIX_EQUALS
+                (firstCPI->cpID,
+                secondCPI->cpID,
+                &compare,
+                plContext,
+                PKIX_OIDEQUALSFAILED);
+
+        /*
+         * If the OIDs did not match, we don't need to
+         * compare the Lists. If the OIDs did match,
+         * the return value is the value of the
+         * List comparison.
+         */
+        if (compare) {
+                PKIX_EQUALS
+                        (firstCPI->policyQualifiers,
+                        secondCPI->policyQualifiers,
+                        &compare,
+                        plContext,
+                        PKIX_LISTEQUALSFAILED);
+        }
+
+        *pResult = compare;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyInfo_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTPOLICYINFO_TYPE and its related
+ *  functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyInfo_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTPOLICYINFO, "pkix_pl_CertPolicyInfo_RegisterSelf");
+
+        entry.description = "CertPolicyInfo";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CertPolicyInfo);
+        entry.destructor = pkix_pl_CertPolicyInfo_Destroy;
+        entry.equalsFunction = pkix_pl_CertPolicyInfo_Equals;
+        entry.hashcodeFunction = pkix_pl_CertPolicyInfo_Hashcode;
+        entry.toStringFunction = pkix_pl_CertPolicyInfo_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERTPOLICYINFO_TYPE] = entry;
+
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/* --Public-CertPolicyInfo-Functions------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolicyId
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyInfo_GetPolicyId(
+        PKIX_PL_CertPolicyInfo *policyInfo,
+        PKIX_PL_OID **pPolicyId,
+        void *plContext)
+{
+        PKIX_ENTER(CERTPOLICYINFO, "PKIX_PL_CertPolicyInfo_GetPolicyId");
+
+        PKIX_NULLCHECK_TWO(policyInfo, pPolicyId);
+
+        PKIX_INCREF(policyInfo->cpID);
+
+        *pPolicyId = policyInfo->cpID;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYINFO);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyInfo_GetPolQualifiers
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyInfo_GetPolQualifiers(
+        PKIX_PL_CertPolicyInfo *policyInfo,
+        PKIX_List **pQuals,
+        void *plContext)
+{
+        PKIX_ENTER(CERTPOLICYINFO, "PKIX_PL_CertPolicyInfo_GetPolQualifiers");
+
+        PKIX_NULLCHECK_TWO(policyInfo, pQuals);
+
+        PKIX_INCREF(policyInfo->policyQualifiers);
+
+        /*
+         * This List is created in PKIX_PL_Cert_DecodePolicyInfo
+         * and is set immutable immediately after being created.
+         */
+        *pQuals = policyInfo->policyQualifiers;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYINFO);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.h
new file mode 100644
index 000000000..2110514d6
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyinfo.h
@@ -0,0 +1,83 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicyinfo.h
+ *
+ * PolicyInfo Type Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_POLICYINFO_H
+#define _PKIX_PL_POLICYINFO_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This structure reflects the contents of the policy info extension as
+ * described in Section 4.2.1.5 of RFC3280.
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *      policyIdentifier        CertPolicyId,
+ *      PolicyQualifiers        SEQUENCE SIZE (1..MAX) OF
+ *                                  PolicyQualifierInfo OPTIONAL }
+ *
+ */
+struct PKIX_PL_CertPolicyInfoStruct {
+        PKIX_PL_OID *cpID;
+        PKIX_List *policyQualifiers; /* LIST of PKIX_PL_CertPolicyQualifier */
+};
+
+PKIX_Error *
+pkix_pl_CertPolicyInfo_Create(
+        PKIX_PL_OID *oid,
+        PKIX_List *qualifiers,
+        PKIX_PL_CertPolicyInfo **pObject,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertPolicyInfo_RegisterSelf(
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_POLICYINFO_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.c
new file mode 100644
index 000000000..cd0b7e055
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.c
@@ -0,0 +1,417 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicymap.c
+ *
+ * CertPolicyMap Type Functions
+ *
+ */
+
+#include "pkix_pl_certpolicymap.h"
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new CertPolicyMap Object pairing the OID given by
+ *  "issuerDomainPolicy" with the OID given by "subjectDomainPolicy", and
+ *  stores the result at "pCertPolicyMap".
+ *
+ * PARAMETERS
+ *  "issuerDomainPolicy"
+ *      Address of the OID of the IssuerDomainPolicy. Must be non-NULL.
+ *  "subjectDomainPolicy"
+ *      Address of the OID of the SubjectDomainPolicy. Must be non-NULL.
+ *  "pCertPolicyMap"
+ *      Address where CertPolicyMap pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertPolicyMap Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyMap_Create(
+        PKIX_PL_OID *issuerDomainPolicy,
+        PKIX_PL_OID *subjectDomainPolicy,
+        PKIX_PL_CertPolicyMap **pCertPolicyMap,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *policyMap = NULL;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Create");
+
+        PKIX_NULLCHECK_THREE
+                (issuerDomainPolicy, subjectDomainPolicy, pCertPolicyMap);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_CERTPOLICYMAP_TYPE,
+                sizeof (PKIX_PL_CertPolicyMap),
+                (PKIX_PL_Object **)&policyMap,
+                plContext),
+                PKIX_COULDNOTCREATECERTPOLICYMAPOBJECT);
+
+        PKIX_INCREF(issuerDomainPolicy);
+        policyMap->issuerDomainPolicy = issuerDomainPolicy;
+
+        PKIX_INCREF(subjectDomainPolicy);
+        policyMap->subjectDomainPolicy = subjectDomainPolicy;
+
+        *pCertPolicyMap = policyMap;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyMap_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *certMap = NULL;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYMAP_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYMAP);
+
+        certMap = (PKIX_PL_CertPolicyMap*)object;
+
+        PKIX_DECREF(certMap->issuerDomainPolicy);
+        PKIX_DECREF(certMap->subjectDomainPolicy);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyMap_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *certMap = NULL;
+        PKIX_PL_String *format = NULL;
+        PKIX_PL_String *outString = NULL;
+        PKIX_PL_String *issuerString = NULL;
+        PKIX_PL_String *subjectString = NULL;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYMAP_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYMAP);
+
+        certMap = (PKIX_PL_CertPolicyMap *)object;
+
+        PKIX_TOSTRING
+                (certMap->issuerDomainPolicy,
+                &issuerString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        PKIX_TOSTRING
+                (certMap->subjectDomainPolicy,
+                &subjectString,
+                plContext,
+                PKIX_OBJECTTOSTRINGFAILED);
+
+        /* Put them together in the form issuerPolicy=>subjectPolicy */
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, "%s=>%s", 0, &format, plContext),
+                PKIX_ERRORINSTRINGCREATE);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&outString, plContext, format, issuerString, subjectString),
+                PKIX_ERRORINSPRINTF);
+
+        *pString = outString;
+
+cleanup:
+        PKIX_DECREF(format);
+        PKIX_DECREF(issuerString);
+        PKIX_DECREF(subjectString);
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyMap_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 issuerHash = 0;
+        PKIX_UInt32 subjectHash = 0;
+        PKIX_PL_CertPolicyMap *certMap = NULL;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Hashcode");
+
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYMAP_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYMAP);
+
+        certMap = (PKIX_PL_CertPolicyMap *)object;
+
+        PKIX_HASHCODE
+                (certMap->issuerDomainPolicy,
+                &issuerHash,
+                plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_HASHCODE
+                (certMap->subjectDomainPolicy,
+                &subjectHash,
+                plContext,
+                PKIX_OBJECTHASHCODEFAILED);
+
+        *pHashcode = issuerHash*31 + subjectHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyMap_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *firstCertMap = NULL;
+        PKIX_PL_CertPolicyMap *secondCertMap = NULL;
+        PKIX_UInt32 secondType = 0;
+        PKIX_Boolean compare = PKIX_FALSE;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CertPolicyMap */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_CERTPOLICYMAP_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTCERTPOLICYMAP);
+
+        /*
+         * Since we know firstObject is a CertPolicyMap,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a CertPolicyMap, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                (secondObject, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CERTPOLICYMAP_TYPE) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        firstCertMap = (PKIX_PL_CertPolicyMap *)firstObject;
+        secondCertMap = (PKIX_PL_CertPolicyMap *)secondObject;
+
+        PKIX_EQUALS
+                (firstCertMap->issuerDomainPolicy,
+                secondCertMap->issuerDomainPolicy,
+                &compare,
+                plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (compare) {
+                PKIX_EQUALS
+                        (firstCertMap->subjectDomainPolicy,
+                        secondCertMap->subjectDomainPolicy,
+                        &compare,
+                        plContext,
+                        PKIX_OBJECTEQUALSFAILED);
+        }
+
+        *pResult = compare;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_Duplicate
+ * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyMap_Duplicate(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyMap *original = NULL;
+        PKIX_PL_CertPolicyMap *copy = NULL;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_Duplicate");
+
+        PKIX_NULLCHECK_TWO(object, pNewObject);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYMAP_TYPE, plContext),
+                PKIX_OBJECTARGUMENTNOTPOLICYMAP);
+
+        original = (PKIX_PL_CertPolicyMap *)object;
+
+        PKIX_CHECK(pkix_pl_CertPolicyMap_Create
+                (original->issuerDomainPolicy,
+                original->subjectDomainPolicy,
+                &copy,
+                plContext),
+                PKIX_CERTPOLICYMAPCREATEFAILED);
+
+        *pNewObject = (PKIX_PL_Object *)copy;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyMap_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTPOLICYMAP_TYPE and its related
+ *  functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyMap_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_RegisterSelf");
+
+        entry.description = "CertPolicyMap";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CertPolicyMap);
+        entry.destructor = pkix_pl_CertPolicyMap_Destroy;
+        entry.equalsFunction = pkix_pl_CertPolicyMap_Equals;
+        entry.hashcodeFunction = pkix_pl_CertPolicyMap_Hashcode;
+        entry.toStringFunction = pkix_pl_CertPolicyMap_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_pl_CertPolicyMap_Duplicate;
+
+        systemClasses[PKIX_CERTPOLICYMAP_TYPE] = entry;
+
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/* --Public-CertPolicyMap-Functions------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(
+        PKIX_PL_CertPolicyMap *policyMapping,
+        PKIX_PL_OID **pIssuerDomainPolicy,
+        void *plContext)
+{
+        PKIX_ENTER
+                (CERTPOLICYMAP, "PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy");
+
+        PKIX_NULLCHECK_TWO(policyMapping, pIssuerDomainPolicy);
+
+        PKIX_INCREF(policyMapping->issuerDomainPolicy);
+        *pIssuerDomainPolicy = policyMapping->issuerDomainPolicy;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYMAP);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(
+        PKIX_PL_CertPolicyMap *policyMapping,
+        PKIX_PL_OID **pSubjectDomainPolicy,
+        void *plContext)
+{
+        PKIX_ENTER
+                (CERTPOLICYMAP, "PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy");
+
+        PKIX_NULLCHECK_TWO(policyMapping, pSubjectDomainPolicy);
+
+        PKIX_INCREF(policyMapping->subjectDomainPolicy);
+        *pSubjectDomainPolicy = policyMapping->subjectDomainPolicy;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYMAP);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.h
new file mode 100644
index 000000000..9a84089ea
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicymap.h
@@ -0,0 +1,82 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicymap.h
+ *
+ * CertPolicyMap Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_CERTPOLICYMAP_H
+#define _PKIX_PL_CERTPOLICYMAP_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This structure reflects the contents of the policy mapping extension as
+ * described in Section 4.2.1.6 of RFC3280.
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *      issuerDomainPolicy      CertPolicyId,
+ *      subjectDomainPolicy     CertPolicyId }
+ *
+ */
+struct PKIX_PL_CertPolicyMapStruct {
+        PKIX_PL_OID *issuerDomainPolicy;
+        PKIX_PL_OID *subjectDomainPolicy;
+};
+
+PKIX_Error *
+pkix_pl_CertPolicyMap_Create(
+        PKIX_PL_OID *issuerDomainPolicy,
+        PKIX_PL_OID *subjectDomainPolicy,
+        PKIX_PL_CertPolicyMap **pObject,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertPolicyMap_RegisterSelf(
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_CERTPOLICYMAP_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.c
new file mode 100644
index 000000000..a2ebc99aa
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.c
@@ -0,0 +1,398 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicyqualifier.c
+ *
+ * CertPolicyQualifier Type Functions
+ *
+ */
+
+#include "pkix_pl_certpolicyqualifier.h"
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_Create
+ * DESCRIPTION:
+ *
+ *  Creates a CertPolicyQualifier object with the OID given by "oid"
+ *  and the ByteArray given by "qualifier", and stores it at "pObject".
+ *
+ * PARAMETERS
+ *  "oid"
+ *      Address of OID of the desired policyQualifierId; must be non-NULL
+ *  "qualifier"
+ *      Address of ByteArray with the desired value of the qualifier;
+ *      must be non-NULL
+ *  "pObject"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyQualifier_Create(
+        PKIX_PL_OID *oid,
+        PKIX_PL_ByteArray *qualifier,
+        PKIX_PL_CertPolicyQualifier **pObject,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyQualifier *qual = NULL;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_Create");
+
+        PKIX_NULLCHECK_THREE(oid, qualifier, pObject);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_CERTPOLICYQUALIFIER_TYPE,
+                sizeof (PKIX_PL_CertPolicyQualifier),
+                (PKIX_PL_Object **)&qual,
+                plContext),
+                PKIX_COULDNOTCREATECERTPOLICYQUALIFIEROBJECT);
+
+        PKIX_INCREF(oid);
+        qual->policyQualifierId = oid;
+
+        PKIX_INCREF(qualifier);
+        qual->qualifier = qualifier;
+
+        *pObject = qual;
+        qual = NULL;
+
+cleanup:
+        PKIX_DECREF(qual);
+
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyQualifier_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyQualifier *certPQ = NULL;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYQUALIFIER);
+
+        certPQ = (PKIX_PL_CertPolicyQualifier*)object;
+
+        PKIX_DECREF(certPQ->policyQualifierId);
+        PKIX_DECREF(certPQ->qualifier);
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyQualifier_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyQualifier *certPQ = NULL;
+        char *asciiFormat = "%s:%s";
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *pqIDString = NULL;
+        PKIX_PL_String *pqValString = NULL;
+        PKIX_PL_String *outString = NULL;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_ToString");
+
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYQUALIFIER);
+
+        certPQ = (PKIX_PL_CertPolicyQualifier *)object;
+
+        /*
+         * The policyQualifierId is required. If there is no qualifier,
+         * we should have a ByteArray of zero length.
+         */
+        PKIX_NULLCHECK_TWO(certPQ->policyQualifierId, certPQ->qualifier);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+        PKIX_TOSTRING(certPQ->policyQualifierId, &pqIDString, plContext,
+                PKIX_OIDTOSTRINGFAILED);
+
+        PKIX_CHECK(pkix_pl_ByteArray_ToHexString
+                (certPQ->qualifier, &pqValString, plContext),
+                PKIX_BYTEARRAYTOHEXSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                (&outString, plContext, formatString, pqIDString, pqValString),
+                PKIX_SPRINTFFAILED);
+
+        *pString = outString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(pqIDString);
+        PKIX_DECREF(pqValString);
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyQualifier_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyQualifier *certPQ = NULL;
+        PKIX_UInt32 cpidHash = 0;
+        PKIX_UInt32 cpqHash = 0;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
+                PKIX_OBJECTNOTCERTPOLICYQUALIFIER);
+
+        certPQ = (PKIX_PL_CertPolicyQualifier *)object;
+
+        PKIX_NULLCHECK_TWO(certPQ->policyQualifierId, certPQ->qualifier);
+
+        PKIX_HASHCODE(certPQ->policyQualifierId, &cpidHash, plContext,
+                PKIX_ERRORINOIDHASHCODE);
+
+        PKIX_HASHCODE(certPQ->qualifier, &cpqHash, plContext,
+                PKIX_ERRORINBYTEARRAYHASHCODE);
+
+        *pHashcode = cpidHash*31 + cpqHash;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertPolicyQualifier_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertPolicyQualifier *firstCPQ = NULL;
+        PKIX_PL_CertPolicyQualifier *secondCPQ = NULL;
+        PKIX_UInt32 secondType = 0;
+        PKIX_Boolean compare = PKIX_FALSE;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CertPolicyQualifier */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTCERTPOLICYQUALIFIER);
+
+        /*
+         * Since we know firstObject is a CertPolicyQualifier,
+         * if both references are identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a CertPolicyQualifier, we
+         * don't throw an error. We simply return FALSE.
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                (secondObject, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CERTPOLICYQUALIFIER_TYPE) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        firstCPQ = (PKIX_PL_CertPolicyQualifier *)firstObject;
+        secondCPQ = (PKIX_PL_CertPolicyQualifier *)secondObject;
+
+        /*
+         * Compare the value of the OID components
+         */
+
+        PKIX_NULLCHECK_TWO
+                (firstCPQ->policyQualifierId, secondCPQ->policyQualifierId);
+
+        PKIX_EQUALS
+                (firstCPQ->policyQualifierId,
+                secondCPQ->policyQualifierId,
+                &compare,
+                plContext,
+                PKIX_OIDEQUALSFAILED);
+
+        /*
+         * If the OIDs did not match, we don't need to
+         * compare the ByteArrays. If the OIDs did match,
+         * the return value is the value of the
+         * ByteArray comparison.
+         */
+        if (compare) {
+                PKIX_NULLCHECK_TWO(firstCPQ->qualifier, secondCPQ->qualifier);
+
+                PKIX_EQUALS
+                        (firstCPQ->qualifier,
+                        secondCPQ->qualifier,
+                        &compare,
+                        plContext,
+                        PKIX_BYTEARRAYEQUALSFAILED);
+        }
+
+        *pResult = compare;
+
+cleanup:
+
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertPolicyQualifier_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTPOLICYQUALIFIER_TYPE and its related
+ *  functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize,
+ *  which should only be called once, it is acceptable that
+ *  this function is not thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CertPolicyQualifier_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTPOLICYQUALIFIER,
+                "pkix_pl_CertPolicyQualifier_RegisterSelf");
+
+        entry.description = "CertPolicyQualifier";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CertPolicyQualifier);
+        entry.destructor = pkix_pl_CertPolicyQualifier_Destroy;
+        entry.equalsFunction = pkix_pl_CertPolicyQualifier_Equals;
+        entry.hashcodeFunction = pkix_pl_CertPolicyQualifier_Hashcode;
+        entry.toStringFunction = pkix_pl_CertPolicyQualifier_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERTPOLICYQUALIFIER_TYPE] = entry;
+
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/* --Public-CertPolicyQualifier-Functions------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_PolicyQualifier_GetPolicyQualifierId
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_PolicyQualifier_GetPolicyQualifierId(
+        PKIX_PL_CertPolicyQualifier *policyQualifierInfo,
+        PKIX_PL_OID **pPolicyQualifierId,
+        void *plContext)
+{
+        PKIX_ENTER(CERTPOLICYQUALIFIER,
+                "PKIX_PL_PolicyQualifier_GetPolicyQualifierId");
+
+        PKIX_NULLCHECK_TWO(policyQualifierInfo, pPolicyQualifierId);
+
+        PKIX_INCREF(policyQualifierInfo->policyQualifierId);
+
+        *pPolicyQualifierId = policyQualifierInfo->policyQualifierId;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
+
+/*
+ * FUNCTION: PKIX_PL_PolicyQualifier_GetQualifier
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_PolicyQualifier_GetQualifier(
+        PKIX_PL_CertPolicyQualifier *policyQualifierInfo,
+        PKIX_PL_ByteArray **pQualifier,
+        void *plContext)
+{
+        PKIX_ENTER(CERTPOLICYQUALIFIER, "PKIX_PL_PolicyQualifier_GetQualifier");
+
+        PKIX_NULLCHECK_TWO(policyQualifierInfo, pQualifier);
+
+        PKIX_INCREF(policyQualifierInfo->qualifier);
+
+        *pQualifier = policyQualifierInfo->qualifier;
+
+cleanup:
+        PKIX_RETURN(CERTPOLICYQUALIFIER);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.h
new file mode 100644
index 000000000..1594568f2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_certpolicyqualifier.h
@@ -0,0 +1,85 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_certpolicyqualifier.h
+ *
+ * PolicyQualifier Type Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_POLICYQUALIFIER_H
+#define _PKIX_PL_POLICYQUALIFIER_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This structure reflects the contents of the policy qualifier extension as
+ * described in Section 4.2.1.5 of RFC3280.
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *      policyQualifierId       PolicyQualifierId,
+ *      qualifier               ANY DEFINED BY policyQualifierId }
+ *
+ *  PolicyQualifierId ::=
+ *      OBJECT IDENTIFIER (id-qt-cps | id-qt-unotice)
+ *
+ */
+struct PKIX_PL_CertPolicyQualifierStruct {
+        PKIX_PL_OID *policyQualifierId;
+        PKIX_PL_ByteArray *qualifier;
+};
+
+PKIX_Error *
+pkix_pl_CertPolicyQualifier_Create(
+        PKIX_PL_OID *oid,
+        PKIX_PL_ByteArray *qualifierArray,
+        PKIX_PL_CertPolicyQualifier **pObject,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertPolicyQualifier_RegisterSelf(
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_POLICYQUALIFIER_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
new file mode 100644
index 000000000..1f38ba35e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
@@ -0,0 +1,1224 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_crl.c
+ *
+ * CRL Function Definitions
+ *
+ */
+
+#include "pkix_pl_crl.h"
+
+extern PKIX_PL_HashTable *cachedCrlSigTable;
+
+/* --Private-CRL-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_CRL_GetVersion
+ * DESCRIPTION:
+ *
+ *  Retrieves the version of the CRL pointed to by "crl" and stores it at
+ *  "pVersion". The version number will either be 0 or 1 (corresponding to
+ *  v1 or v2, respectively).
+ *
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose version is to be stored. Must be non-NULL.
+ *  "pVersion"
+ *      Address where a version will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRL_GetVersion(
+        PKIX_PL_CRL *crl,
+        PKIX_UInt32 *pVersion,
+        void *plContext)
+{
+        PKIX_UInt32 myVersion;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_GetVersion");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pVersion);
+
+        PKIX_NULLCHECK_ONE(crl->nssSignedCrl->crl.version.data);
+
+        myVersion = *(crl->nssSignedCrl->crl.version.data);
+
+        if (myVersion > 1) {
+                PKIX_ERROR(PKIX_VERSIONVALUEMUSTBEV1ORV2);
+        }
+
+        *pVersion = myVersion;
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCRLNumber (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCRLNumber(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_BigInt **pCrlNumber,
+        void *plContext)
+{
+        PKIX_PL_BigInt *crlNumber = NULL;
+        SECItem nssCrlNumber;
+        PLArenaPool *arena = NULL;
+        SECStatus status;
+        PKIX_UInt32 length = 0;
+        char *bytes = NULL;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_GetCRLNumber");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pCrlNumber);
+
+        if (!crl->crlNumberAbsent && crl->crlNumber == NULL) {
+
+            PKIX_OBJECT_LOCK(crl);
+
+            if (!crl->crlNumberAbsent && crl->crlNumber == NULL) {
+
+                nssCrlNumber.type = 0;
+                nssCrlNumber.len = 0;
+                nssCrlNumber.data = NULL;
+
+                PKIX_CRL_DEBUG("\t\tCalling PORT_NewArena).\n");
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                PKIX_CRL_DEBUG("\t\tCalling CERT_FindCRLNumberExten\n");
+                status = CERT_FindCRLNumberExten
+                        (arena, &crl->nssSignedCrl->crl, &nssCrlNumber);
+
+                if (status == SECSuccess) {
+                        /* Get data in bytes then convert to bigint */
+                        length = nssCrlNumber.len;
+                        bytes = (char *)nssCrlNumber.data;
+
+                        PKIX_CHECK(pkix_pl_BigInt_CreateWithBytes
+                                    (bytes, length, &crlNumber, plContext),
+                                    PKIX_BIGINTCREATEWITHBYTESFAILED);
+
+                        /* arena release does the job 
+                        PKIX_CRL_DEBUG("\t\tCalling SECITEM_FreeItem\n");
+                        SECITEM_FreeItem(&nssCrlNumber, PKIX_FALSE);
+                        */
+                        crl->crlNumber = crlNumber;
+
+                } else {
+
+                        crl->crlNumberAbsent = PKIX_TRUE;
+                }
+            }
+
+            PKIX_OBJECT_UNLOCK(crl);
+
+        }
+
+        PKIX_INCREF(crl->crlNumber);
+
+        *pCrlNumber = crl->crlNumber;
+
+cleanup:
+
+        if (arena){
+                PKIX_CRL_DEBUG("\t\tCalling PORT_FreeArena).\n");
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_GetSignatureAlgId
+ *
+ * DESCRIPTION:
+ *  Retrieves a pointer to the OID that represents the signature algorithm of
+ *  the CRL pointed to by "crl" and stores it at "pSignatureAlgId".
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose signature algorithm OID is to be stored.
+ *      Must be non-NULL.
+ *  "pSignatureAlgId"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRL_GetSignatureAlgId(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_OID **pSignatureAlgId,
+        void *plContext)
+{
+        CERTCrl *nssCrl = NULL;
+        PKIX_PL_OID *signatureAlgId = NULL;
+        SECAlgorithmID algorithm;
+        SECItem algBytes;
+        char *asciiOID = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (crl->signatureAlgId == NULL){
+
+                PKIX_OBJECT_LOCK(crl);
+
+                if (crl->signatureAlgId == NULL){
+
+                        nssCrl = &(crl->nssSignedCrl->crl);
+                        algorithm = nssCrl->signatureAlg;
+                        algBytes = algorithm.algorithm;
+
+                        PKIX_NULLCHECK_ONE(algBytes.data);
+                        if (algBytes.len == 0) {
+                                PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0);
+                        }
+
+                        PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                                    (&algBytes, &asciiOID, plContext),
+                                    PKIX_OIDBYTES2ASCIIFAILED);
+
+                        PKIX_CHECK(PKIX_PL_OID_Create
+                                    (asciiOID, &signatureAlgId, plContext),
+                                    PKIX_OIDCREATEFAILED);
+
+                        /* save a cached copy in case it is asked for again */
+                        crl->signatureAlgId = signatureAlgId;
+                }
+
+                PKIX_OBJECT_UNLOCK(crl);
+
+        }
+
+        PKIX_INCREF(crl->signatureAlgId);
+        *pSignatureAlgId = crl->signatureAlgId;
+
+cleanup:
+
+        PKIX_FREE(asciiOID);
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_GetCRLEntries
+ * DESCRIPTION:
+ *
+ *  Retrieves a pointer to the List of CRLEntries found in the CRL pointed to
+ *  by "crl" and stores it at "pCRLEntries". If there are no CRLEntries,
+ *  this functions stores NULL at "pCRLEntries".
+ *
+ * PARAMETERS:
+ *  "crl"
+ *      Address of CRL whose CRL Entries are to be retrieved. Must be non-NULL.
+ *  "pCRLEntries"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRL_GetCRLEntries(
+        PKIX_PL_CRL *crl,
+        PKIX_List **pCrlEntries,
+        void *plContext)
+{
+        PKIX_List *entryList = NULL;
+        CERTCrl *nssCrl = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_GetCRLEntries");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pCrlEntries);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (crl->crlEntryList == NULL) {
+
+                PKIX_OBJECT_LOCK(crl);
+
+                if (crl->crlEntryList == NULL){
+
+                        nssCrl = &(crl->nssSignedCrl->crl);
+
+                        PKIX_CHECK(pkix_pl_CRLEntry_Create
+                                    (nssCrl->entries, &entryList, plContext),
+                                    PKIX_CRLENTRYCREATEFAILED);
+
+                        PKIX_CHECK(PKIX_List_SetImmutable
+                                    (entryList, plContext),
+                                    PKIX_LISTSETIMMUTABLEFAILED);
+
+                        crl->crlEntryList = entryList;
+                }
+
+                PKIX_OBJECT_UNLOCK(crl);
+
+        }
+
+        PKIX_INCREF(crl->crlEntryList);
+
+        *pCrlEntries = crl->crlEntryList;
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRL_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CRL *crl = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRL_TYPE, plContext),
+                    PKIX_OBJECTNOTCRL);
+
+        crl = (PKIX_PL_CRL*)object;
+
+        PKIX_NULLCHECK_ONE(crl->nssSignedCrl);
+
+        PKIX_CRL_DEBUG("\t\tCalling CERT_DestroyCrl\n");
+        CERT_DestroyCrl(crl->nssSignedCrl);
+        crl->nssSignedCrl = NULL;
+        crl->crlNumberAbsent = PKIX_FALSE;
+
+        PKIX_DECREF(crl->issuer);
+        PKIX_DECREF(crl->signatureAlgId);
+        PKIX_DECREF(crl->crlNumber);
+        PKIX_DECREF(crl->crlEntryList);
+        PKIX_DECREF(crl->critExtOids);
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the CRL pointed
+ *  to by "crl" and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "crl"
+ *      Address of CRL whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRL_ToString_Helper(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        char *asciiFormat = NULL;
+        PKIX_UInt32 crlVersion;
+        PKIX_PL_X500Name *crlIssuer = NULL;
+        PKIX_PL_OID *nssSignatureAlgId = NULL;
+        PKIX_PL_BigInt *crlNumber = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_List *critExtOIDs = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *crlIssuerString = NULL;
+        PKIX_PL_String *lastUpdateString = NULL;
+        PKIX_PL_String *nextUpdateString = NULL;
+        PKIX_PL_String *nssSignatureAlgIdString = NULL;
+        PKIX_PL_String *crlNumberString = NULL;
+        PKIX_PL_String *crlEntryListString = NULL;
+        PKIX_PL_String *critExtOIDsString = NULL;
+        PKIX_PL_String *crlString = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_ToString_Helper");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pString);
+
+        asciiFormat =
+                "[\n"
+                "\tVersion:         v%d\n"
+                "\tIssuer:          %s\n"
+                "\tUpdate:   [Last: %s\n"
+                "\t           Next: %s]\n"
+                "\tSignatureAlgId:  %s\n"
+                "\tCRL Number     : %s\n"
+                "\n"
+                "\tEntry List:      %s\n"
+                "\n"
+                "\tCritExtOIDs:     %s\n"
+                "]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        /* Version */
+        PKIX_CHECK(pkix_pl_CRL_GetVersion(crl, &crlVersion, plContext),
+                    PKIX_CRLGETVERSIONFAILED);
+
+        /* Issuer */
+        PKIX_CHECK(PKIX_PL_CRL_GetIssuer(crl, &crlIssuer, plContext),
+                    PKIX_CRLGETISSUERFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object *)crlIssuer, &crlIssuerString, plContext),
+                    PKIX_X500NAMETOSTRINGFAILED);
+
+        /* This update - No Date object created, use nss data directly */
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                    (&(crl->nssSignedCrl->crl.lastUpdate),
+                    &lastUpdateString,
+                    plContext),
+                    PKIX_DATETOSTRINGHELPERFAILED);
+
+        /* Next update - No Date object created, use nss data directly */
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                    (&(crl->nssSignedCrl->crl.nextUpdate),
+                    &nextUpdateString,
+                    plContext),
+                    PKIX_DATETOSTRINGHELPERFAILED);
+
+        /* Signature Algorithm Id */
+        PKIX_CHECK(pkix_pl_CRL_GetSignatureAlgId
+                    (crl, &nssSignatureAlgId, plContext),
+                    PKIX_CRLGETSIGNATUREALGIDFAILED);
+
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object *)nssSignatureAlgId,
+                    &nssSignatureAlgIdString,
+                    plContext),
+                    PKIX_OIDTOSTRINGFAILED);
+
+        /* CRL Number */
+        PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber
+                    (crl, &crlNumber, plContext),
+                    PKIX_CRLGETCRLNUMBERFAILED);
+
+        PKIX_TOSTRING(crlNumber, &crlNumberString, plContext,
+                    PKIX_BIGINTTOSTRINGFAILED);
+
+        /* CRL Entries */
+        PKIX_CHECK(pkix_pl_CRL_GetCRLEntries(crl, &crlEntryList, plContext),
+                    PKIX_CRLGETCRLENTRIESFAILED);
+
+        PKIX_TOSTRING(crlEntryList, &crlEntryListString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        /* CriticalExtensionOIDs */
+        PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
+                    (crl, &critExtOIDs, plContext),
+                    PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
+
+        PKIX_TOSTRING(critExtOIDs, &critExtOIDsString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&crlString,
+                    plContext,
+                    formatString,
+                    crlVersion + 1,
+                    crlIssuerString,
+                    lastUpdateString,
+                    nextUpdateString,
+                    nssSignatureAlgIdString,
+                    crlNumberString,
+                    crlEntryListString,
+                    critExtOIDsString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = crlString;
+
+cleanup:
+
+        PKIX_DECREF(crlIssuer);
+        PKIX_DECREF(nssSignatureAlgId);
+        PKIX_DECREF(crlNumber);
+        PKIX_DECREF(crlEntryList);
+        PKIX_DECREF(critExtOIDs);
+        PKIX_DECREF(crlIssuerString);
+        PKIX_DECREF(lastUpdateString);
+        PKIX_DECREF(nextUpdateString);
+        PKIX_DECREF(nssSignatureAlgIdString);
+        PKIX_DECREF(crlNumberString);
+        PKIX_DECREF(crlEntryListString);
+        PKIX_DECREF(critExtOIDsString);
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRL_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlString = NULL;
+        PKIX_PL_CRL *crl = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRL_TYPE, plContext),
+                    PKIX_OBJECTNOTCRL);
+
+        crl = (PKIX_PL_CRL *) object;
+
+        PKIX_CHECK(pkix_pl_CRL_ToString_Helper(crl, &crlString, plContext),
+                    PKIX_CRLTOSTRINGHELPERFAILED);
+
+        *pString = crlString;
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRL_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CRL *crl = NULL;
+        unsigned char *derBytes = NULL;
+        PKIX_UInt32 derLength;
+        PKIX_UInt32 certHash;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRL_TYPE, plContext),
+                    PKIX_OBJECTNOTCRL);
+
+        crl = (PKIX_PL_CRL *)object;
+
+        PKIX_NULLCHECK_TWO(crl->nssSignedCrl, crl->nssSignedCrl->derCrl);
+
+        derBytes = (crl->nssSignedCrl->derCrl)->data;
+        derLength = (crl->nssSignedCrl->derCrl)->len;
+
+        PKIX_NULLCHECK_ONE(derBytes);
+        PKIX_CHECK(pkix_hash(derBytes, derLength, &certHash, plContext),
+                    PKIX_ERRORINHASH);
+
+        *pHashcode = certHash;
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRL_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CRL *firstCrl = NULL;
+        PKIX_PL_CRL *secondCrl = NULL;
+        PKIX_UInt32 secondType;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CRL */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_CRL_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTCRL);
+
+        firstCrl = (PKIX_PL_CRL *)firstObject;
+        secondCrl = (PKIX_PL_CRL *)secondObject;
+
+        /*
+         * Since we know firstObject is a CRL, if both references are
+         * identical, they must be equal
+         */
+        if (firstCrl == secondCrl){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondCrl isn't a CRL, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    ((PKIX_PL_Object *)secondCrl, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CRL_TYPE) goto cleanup;
+
+        /* Compare DER Bytes */
+        PKIX_NULLCHECK_TWO
+                (firstCrl->nssSignedCrl,
+                firstCrl->nssSignedCrl->derCrl);
+
+        PKIX_NULLCHECK_TWO
+                (secondCrl->nssSignedCrl,
+                secondCrl->nssSignedCrl->derCrl);
+
+        PKIX_CRL_DEBUG("\t\tCalling SECITEM_CompareItem on derCrl\n");
+        if (SECITEM_CompareItem(firstCrl->nssSignedCrl->derCrl,
+                                secondCrl->nssSignedCrl->derCrl) == SECEqual) {
+                *pResult = PKIX_TRUE;
+        }
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_RegisterSelf
+ *
+ * DESCRIPTION:
+ *  Registers PKIX_CRL_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CRL_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_RegisterSelf");
+
+        entry.description = "CRL";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CRL);
+        entry.destructor = pkix_pl_CRL_Destroy;
+        entry.equalsFunction = pkix_pl_CRL_Equals;
+        entry.hashcodeFunction = pkix_pl_CRL_Hashcode;
+        entry.toStringFunction = pkix_pl_CRL_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CRL_TYPE] = entry;
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CRL_VerifyUpdateTime (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_VerifyUpdateTime(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_Date *date,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PRTime timeToCheck;
+        PRTime nextUpdate;
+        PRTime lastUpdate;
+        SECStatus status;
+        CERTCrl *nssCrl = NULL;
+        SECItem *nextUpdateDer = NULL;
+        PKIX_Boolean haveNextUpdate = PR_FALSE;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_VerifyUpdateTime");
+        PKIX_NULLCHECK_FOUR(crl, crl->nssSignedCrl, date, pResult);
+
+        nssCrl = &(crl->nssSignedCrl->crl);
+
+        PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on date\n");
+        status = DER_DecodeTimeChoice(&timeToCheck, &(date->nssTime));
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
+        }
+
+        /* nextUpdate can be NULL. Checking before using it */
+        nextUpdateDer = &nssCrl->nextUpdate;
+        if (nextUpdateDer->data && nextUpdateDer->len) {
+                haveNextUpdate = PR_TRUE;
+                status = DER_DecodeTimeChoice(&nextUpdate, nextUpdateDer);
+                if (status != SECSuccess) {
+                        PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORNEXTUPDATEFAILED);
+                }
+        }
+
+        status = DER_DecodeTimeChoice(&lastUpdate, &(nssCrl->lastUpdate));
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORLASTUPDATEFAILED);
+        }
+
+        if (!haveNextUpdate || nextUpdate < timeToCheck) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        if (lastUpdate <= timeToCheck) {
+                *pResult = PKIX_TRUE;
+        } else {
+                *pResult = PKIX_FALSE;
+        }
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_CreateWithSignedCRL
+ * DESCRIPTION:
+ *
+ *  Creates a new CRL using the CERTSignedCrl pointed to by "nssSignedCrl"
+ *  and stores it at "pCRL". If the decoding of the CERTSignedCrl fails,
+ *  a PKIX_Error is returned.
+ *
+ * PARAMETERS:
+ *  "nssSignedCrl"
+ *      Address of CERTSignedCrl. Must be non-NULL.
+ *  "pCRL"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CRL_CreateWithSignedCRL(
+        CERTSignedCrl *nssSignedCrl,
+        PKIX_PL_CRL **pCrl,
+        void *plContext)
+{
+        SECStatus status;
+        PKIX_PL_CRL *crl = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_CreateWithSignedCRL");
+        PKIX_NULLCHECK_TWO(nssSignedCrl, pCrl);
+
+        /* create a PKIX_PL_CRL object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CRL_TYPE,
+                    sizeof (PKIX_PL_CRL),
+                    (PKIX_PL_Object **)&crl,
+                    plContext),
+                    PKIX_COULDNOTCREATECRLOBJECT);
+
+        /* populate the nssSignedCrl field */
+        crl->nssSignedCrl = nssSignedCrl;
+
+        PKIX_CRL_DEBUG("\t\tCalling CERT_CompleteCRLDecodeEntries\n");
+        status = CERT_CompleteCRLDecodeEntries(crl->nssSignedCrl);
+
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_CERTCOMPLETECRLDECODEDENTRIESFAILED);
+        }
+
+        crl->issuer = NULL;
+        crl->signatureAlgId = NULL;
+        crl->crlNumber = NULL;
+        crl->crlNumberAbsent = PKIX_FALSE;
+        crl->crlEntryList = NULL;
+        crl->critExtOids = NULL;
+
+        *pCrl = crl;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(crl);
+        }
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRL_CreateToList
+ * DESCRIPTION:
+ *
+ *  This function decodes a DER-encoded Certificate Revocation List pointed to
+ *  by "derCrlItem", adding the resulting PKIX_PL_CRL, if the decoding was
+ *  successful, to the List (possibly empty) pointed to by "crlList".
+ *
+ * PARAMETERS:
+ *  "derCrlItem"
+ *      The address of the SECItem containing the DER-encoded Certificate
+ *      Revocation List. Must be non-NULL.
+ *  "crlList"
+ *      The address of the List to which the decoded CRL is added. May be
+ *      empty, but must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CertStore Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CRL_CreateToList(
+        SECItem *derCrlItem,
+        PKIX_List *crlList,
+        void *plContext)
+{
+        CERTSignedCrl *nssCrl = NULL;
+        PKIX_PL_CRL *crl = NULL;
+
+        PKIX_ENTER(CRL, "pkix_pl_CRL_CreateToList");
+        PKIX_NULLCHECK_TWO(derCrlItem, crlList);
+
+        nssCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE);
+        if (nssCrl == NULL) {
+            goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL
+                   (nssCrl, &crl, plContext),
+                   PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
+        
+        nssCrl = NULL;
+
+        PKIX_CHECK(PKIX_List_AppendItem
+                   (crlList, (PKIX_PL_Object *) crl, plContext),
+                   PKIX_LISTAPPENDITEMFAILED);
+
+cleanup:
+        if (nssCrl) {
+            SEC_DestroyCrl(nssCrl);
+        }
+
+        PKIX_DECREF(crl);
+
+        PKIX_RETURN(CRL);
+}
+
+/* --Public-CRL-Functions------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_CRL_Create (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_Create(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_PL_CRL **pCrl,
+        void *plContext)
+{
+        CERTSignedCrl *nssSignedCrl = NULL;
+        SECItem *derCrlItem = NULL;
+        void *derBytes = NULL;
+        PKIX_UInt32 derLength;
+        PKIX_PL_CRL *crl = NULL;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_Create");
+        PKIX_NULLCHECK_TWO(byteArray, pCrl);
+
+        PKIX_CHECK(PKIX_PL_ByteArray_GetLength
+                    (byteArray, &derLength, plContext),
+                    PKIX_BYTEARRAYGETLENGTHFAILED);
+
+        if (derLength == 0){
+                PKIX_ERROR(PKIX_ZEROLENGTHBYTEARRAYFORCRLENCODING);
+        }
+
+        PKIX_CHECK(PKIX_PL_ByteArray_GetPointer
+                    (byteArray, &derBytes, plContext),
+                    PKIX_BYTEARRAYGETPOINTERFAILED);
+
+        PKIX_CRL_DEBUG("\t\tCalling SECITEM_AllocItem\n");
+        derCrlItem = SECITEM_AllocItem(NULL, NULL, derLength);
+        if (derCrlItem == NULL){
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_CRL_DEBUG("\t\tCalling PORT_Memcpy\n");
+        (void) PORT_Memcpy(derCrlItem->data, derBytes, derLength);
+
+        PKIX_CRL_DEBUG("\t\tCalling CERT_DecodeDERCrl\n");
+        nssSignedCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE);
+        if (nssSignedCrl == NULL){
+                PKIX_ERROR(PKIX_CERTDECODEDERCRLFAILED);
+        }
+
+        PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL
+                (nssSignedCrl, &crl, plContext),
+                PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
+
+        *pCrl = crl;
+
+cleanup:
+
+        if (derCrlItem != NULL){
+                PKIX_CRL_DEBUG("\t\tCalling SECITEM_FreeItem\n");
+                SECITEM_FreeItem(derCrlItem, PKIX_TRUE);
+                derCrlItem = NULL;
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                if (nssSignedCrl != NULL) {
+                        PKIX_CRL_DEBUG("\t\tCalling CERT_DestroyCrl\n");
+                        CERT_DestroyCrl(nssSignedCrl);
+                        nssSignedCrl = NULL;
+                }
+
+                PKIX_DECREF(crl);
+        }
+
+        PKIX_FREE(derBytes);
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetIssuer (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetIssuer(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_X500Name **pCRLIssuer,
+        void *plContext)
+{
+        PKIX_PL_String *crlString = NULL;
+        PKIX_PL_X500Name *issuer = NULL;
+        SECItem  *derIssuerName = NULL;
+        CERTName *issuerName = NULL;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_GetIssuer");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pCRLIssuer);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (crl->issuer == NULL){
+
+                PKIX_OBJECT_LOCK(crl);
+
+                if (crl->issuer == NULL) {
+
+                        issuerName = &crl->nssSignedCrl->crl.name;
+                        derIssuerName = &crl->nssSignedCrl->crl.derName;
+
+                        PKIX_CHECK(
+                            PKIX_PL_X500Name_CreateFromCERTName(derIssuerName,
+                                                                issuerName,
+                                                                &issuer,
+                                                                plContext),
+                            PKIX_X500NAMECREATEFROMCERTNAMEFAILED);
+                        
+                        /* save a cached copy in case it is asked for again */
+                        crl->issuer = issuer;
+                }
+
+                PKIX_OBJECT_UNLOCK(crl);
+
+        }
+
+        PKIX_INCREF(crl->issuer);
+
+        *pCRLIssuer = crl->issuer;
+
+cleanup:
+
+        PKIX_DECREF(crlString);
+
+        PKIX_RETURN(CRL);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCriticalExtensionOIDs
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCriticalExtensionOIDs(
+        PKIX_PL_CRL *crl,
+        PKIX_List **pExtensions,   /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_List *oidsList = NULL;
+        CERTCertExtension **extensions = NULL;
+        CERTCrl *nssSignedCrl = NULL;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_GetCriticalExtensionOIDs");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pExtensions);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (crl->critExtOids == NULL) {
+
+                PKIX_OBJECT_LOCK(crl);
+
+                nssSignedCrl = &(crl->nssSignedCrl->crl);
+                extensions = nssSignedCrl->extensions;
+
+                if (crl->critExtOids == NULL) {
+
+                        PKIX_CHECK(pkix_pl_OID_GetCriticalExtensionOIDs
+                                    (extensions, &oidsList, plContext),
+                                    PKIX_GETCRITICALEXTENSIONOIDSFAILED);
+
+                        crl->critExtOids = oidsList;
+                }
+
+                PKIX_OBJECT_UNLOCK(crl);
+
+        }
+
+        /* We should return a copy of the List since this list changes */
+        PKIX_DUPLICATE(crl->critExtOids, pExtensions, plContext,
+                PKIX_OBJECTDUPLICATELISTFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CRL);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_CRL_GetCRLEntryForSerialNumber
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_GetCRLEntryForSerialNumber(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_BigInt *serialNumber,
+        PKIX_PL_CRLEntry **pCRLEntry,
+        void *plContext)
+{
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_List *crlEntryList = NULL;
+        PKIX_UInt32 numEntries = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_GetCRLEntryForSerialNumber");
+        PKIX_NULLCHECK_THREE(crl, serialNumber, pCRLEntry);
+
+        /* Assume there is no entry for Serial Number at start */
+        *pCRLEntry = NULL;
+
+        PKIX_CHECK(pkix_pl_CRL_GetCRLEntries(crl, &crlEntryList, plContext),
+                    PKIX_CRLGETCRLENTRIESFAILED);
+
+        if (crlEntryList == NULL) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(PKIX_List_GetLength(crlEntryList, &numEntries, plContext),
+                    PKIX_LISTGETLENGTHFAILED);
+
+        for (i = 0; i < numEntries; i++){
+
+                PKIX_CHECK(PKIX_List_GetItem
+                            (crlEntryList,
+                            i,
+                            (PKIX_PL_Object **)&crlEntry,
+                            plContext),
+                            PKIX_LISTGETITEMFAILED);
+
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)crlEntry->serialNumber,
+                            (PKIX_PL_Object *)serialNumber,
+                            &cmpResult,
+                            plContext),
+                            PKIX_OBJECTEQUALSFAILED);
+
+                /* Found the entry for Serial Number */
+                if (cmpResult == PKIX_TRUE) {
+                        *pCRLEntry = crlEntry;
+                        goto cleanup;
+                }
+
+                PKIX_DECREF(crlEntry);
+        }
+
+cleanup:
+
+        PKIX_DECREF(crlEntryList);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(crlEntry);
+        }
+
+        PKIX_RETURN(CRL);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CRL_VerifySignature (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRL_VerifySignature(
+        PKIX_PL_CRL *crl,
+        PKIX_PL_PublicKey *pubKey,
+        void *plContext)
+{
+        PKIX_PL_CRL *cachedCrl = NULL;
+        PKIX_Error *verifySig = NULL;
+        PKIX_Error *cachedSig = NULL;
+        PKIX_Boolean crlEqual = PKIX_FALSE;
+        PKIX_Boolean crlInHash= PKIX_FALSE;
+        CERTSignedCrl *nssSignedCrl = NULL;
+        SECKEYPublicKey *nssPubKey = NULL;
+        CERTSignedData *tbsCrl = NULL;
+        void* wincx = NULL;
+        SECStatus status;
+
+        PKIX_ENTER(CRL, "PKIX_PL_CRL_VerifySignature");
+        PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pubKey);
+
+        verifySig = PKIX_PL_HashTable_Lookup
+                (cachedCrlSigTable,
+                (PKIX_PL_Object *) pubKey,
+                (PKIX_PL_Object **) &cachedCrl,
+                plContext);
+
+        if (cachedCrl != NULL && verifySig == NULL) {
+                /* Cached Signature Table lookup succeed */
+                PKIX_EQUALS(crl, cachedCrl, &crlEqual, plContext,
+                            PKIX_OBJECTEQUALSFAILED);
+                if (crlEqual == PKIX_TRUE) {
+                        goto cleanup;
+                }
+                /* Different PubKey may hash to same value, skip add */
+                crlInHash = PKIX_TRUE;
+        }
+
+        nssSignedCrl = crl->nssSignedCrl;
+        tbsCrl = &nssSignedCrl->signatureWrap;
+
+        PKIX_CRL_DEBUG("\t\tCalling SECKEY_ExtractPublicKey\n");
+        nssPubKey = SECKEY_ExtractPublicKey(pubKey->nssSPKI);
+        if (!nssPubKey){
+                PKIX_ERROR(PKIX_SECKEYEXTRACTPUBLICKEYFAILED);
+        }
+
+        PKIX_CHECK(pkix_pl_NssContext_GetWincx
+                   ((PKIX_PL_NssContext *)plContext, &wincx),
+                   PKIX_NSSCONTEXTGETWINCXFAILED);
+
+        PKIX_CRL_DEBUG("\t\tCalling CERT_VerifySignedDataWithPublicKey\n");
+        status = CERT_VerifySignedDataWithPublicKey(tbsCrl, nssPubKey, wincx);
+
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY);
+        }
+
+        if (crlInHash == PKIX_FALSE) {
+                cachedSig = PKIX_PL_HashTable_Add
+                        (cachedCrlSigTable,
+                        (PKIX_PL_Object *) pubKey,
+                        (PKIX_PL_Object *) crl,
+                        plContext);
+
+                if (cachedSig != NULL) {
+                        PKIX_DEBUG("PKIX_PL_HashTable_Add skipped: entry existed\n");
+                }
+        }
+
+cleanup:
+
+        if (nssPubKey){
+                PKIX_CRL_DEBUG("\t\tCalling SECKEY_DestroyPublicKey\n");
+                SECKEY_DestroyPublicKey(nssPubKey);
+                nssPubKey = NULL;
+        }
+
+        PKIX_DECREF(cachedCrl);
+        PKIX_DECREF(verifySig);
+        PKIX_DECREF(cachedSig);
+
+        PKIX_RETURN(CRL);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.h
new file mode 100644
index 000000000..a00e6d1b0
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.h
@@ -0,0 +1,83 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_crl.h
+ *
+ * CRL Object Type Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_CRL_H
+#define _PKIX_PL_CRL_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_CRLStruct {
+        CERTSignedCrl *nssSignedCrl;
+        PKIX_PL_X500Name *issuer;
+        PKIX_PL_OID *signatureAlgId;
+        PKIX_PL_BigInt *crlNumber;
+        PKIX_Boolean crlNumberAbsent;
+        PKIX_List *crlEntryList; /* list of PKIX_PL_CRLEntry */
+        PKIX_List *critExtOids;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_CRL_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_CRL_CreateWithSignedCRL(
+        CERTSignedCrl *nssSignedCrl,
+        PKIX_PL_CRL **pCrl,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CRL_CreateToList(
+        SECItem *derCrlItem,
+        PKIX_List *crlList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_CRL_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.c
new file mode 100644
index 000000000..3d742a94a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.c
@@ -0,0 +1,913 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_crlentry.c
+ *
+ * CRLENTRY Function Definitions
+ *
+ */
+
+#include "pkix_pl_crlentry.h"
+
+/* --Private-CRLEntry-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLENTRY_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLENTRY);
+
+        crlEntry = (PKIX_PL_CRLEntry*)object;
+
+        /* crlEntry->nssCrlEntry is freed by NSS when freeing CRL */
+        crlEntry->userReasonCode = 0;
+        crlEntry->userReasonCodeAbsent = PKIX_FALSE;
+        crlEntry->nssCrlEntry = NULL;
+        PKIX_DECREF(crlEntry->serialNumber);
+        PKIX_DECREF(crlEntry->critExtOids);
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_ToString_Helper
+ *
+ * DESCRIPTION:
+ *  Helper function that creates a string representation of the CRLEntry
+ *  pointed to by "crlEntry" and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "crlEntry"
+ *      Address of CRLEntry whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLEntry Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CRLEntry_ToString_Helper(
+        PKIX_PL_CRLEntry *crlEntry,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        char *asciiFormat = NULL;
+        PKIX_List *critExtOIDs = NULL;
+        PKIX_PL_String *crlEntryString = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *crlSerialNumberString = NULL;
+        PKIX_PL_String *crlRevocationDateString = NULL;
+        PKIX_PL_String *critExtOIDsString = NULL;
+        PKIX_Int32 reasonCode = 0;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_ToString_Helper");
+        PKIX_NULLCHECK_FOUR
+                (crlEntry,
+                crlEntry->serialNumber,
+                crlEntry->nssCrlEntry,
+                pString);
+
+        asciiFormat =
+                "\n\t[\n"
+                "\tSerialNumber:    %s\n"
+                "\tReasonCode:      %d\n"
+                "\tRevocationDate:  %s\n"
+                "\tCritExtOIDs:     %s\n"
+                "\t]\n\t";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        /* SerialNumber */
+        PKIX_CHECK(PKIX_PL_Object_ToString
+                    ((PKIX_PL_Object *)crlEntry->serialNumber,
+                    &crlSerialNumberString,
+                    plContext),
+                    PKIX_BIGINTTOSTRINGHELPERFAILED);
+
+        /* RevocationDate - No Date object created, use nss data directly */
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                    (&(crlEntry->nssCrlEntry->revocationDate),
+                    &crlRevocationDateString,
+                    plContext),
+                    PKIX_DATETOSTRINGHELPERFAILED);
+
+        /* CriticalExtensionOIDs */
+        PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+                    (crlEntry, &critExtOIDs, plContext),
+                    PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
+
+        PKIX_TOSTRING(critExtOIDs, &critExtOIDsString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        /* Revocation Reason Code */
+        PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                            (crlEntry, &reasonCode, plContext),
+                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&crlEntryString,
+                    plContext,
+                    formatString,
+                    crlSerialNumberString,
+                    reasonCode,
+                    crlRevocationDateString,
+                    critExtOIDsString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = crlEntryString;
+
+cleanup:
+
+        PKIX_DECREF(critExtOIDs);
+        PKIX_DECREF(crlSerialNumberString);
+        PKIX_DECREF(crlRevocationDateString);
+        PKIX_DECREF(critExtOIDsString);
+        PKIX_DECREF(formatString);
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *crlEntryString = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLENTRY_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLENTRY);
+
+        crlEntry = (PKIX_PL_CRLEntry *) object;
+
+        PKIX_CHECK(pkix_pl_CRLEntry_ToString_Helper
+                    (crlEntry, &crlEntryString, plContext),
+                    PKIX_CRLENTRYTOSTRINGHELPERFAILED);
+
+        *pString = crlEntryString;
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_Extensions_Hashcode
+ * DESCRIPTION:
+ *
+ *  For each CRL Entry extension stored at NSS structure CERTCertExtension,
+ *  get its derbyte data and do the hash.
+ *
+ * PARAMETERS
+ *  "extensions"
+ *      Address of arrray of CERTCertExtension whose hash value is desired.
+ *      Must be non-NULL.
+ *  "pHashValue"
+ *      Address where the final hash value is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditional Thread Safe
+ *  Though the value of extensions once created is not supposed to change,
+ *  it may be de-allocated while we are accessing it. But since we are
+ *  validating the object, it is unlikely we or someone is de-allocating
+ *  at the moment.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_Extensions_Hashcode(
+        CERTCertExtension **extensions,
+        PKIX_UInt32 *pHashValue,
+        void *plContext)
+{
+        CERTCertExtension *extension = NULL;
+        PRArenaPool *arena = NULL;
+        PKIX_UInt32 extHash = 0;
+        PKIX_UInt32 hashValue = 0;
+        SECItem *derBytes = NULL;
+        SECItem *resultSecItem = NULL;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Extensions_Hashcode");
+        PKIX_NULLCHECK_TWO(extensions, pHashValue);
+
+        if (extensions) {
+
+                PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_NewArena\n");
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                while (*extensions) {
+
+                        extension = *extensions++;
+
+                        PKIX_NULLCHECK_ONE(extension);
+
+                        PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_ArenaZNew\n");
+                        derBytes = PORT_ArenaZNew(arena, SECItem);
+                        if (derBytes == NULL) {
+                                PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+                        }
+
+                        PKIX_CRLENTRY_DEBUG
+                                ("\t\tCalling SEC_ASN1EncodeItem\n");
+                        resultSecItem = SEC_ASN1EncodeItem
+                                (arena,
+                                derBytes,
+                                extension,
+                                CERT_CertExtensionTemplate);
+
+                        if (resultSecItem == NULL){
+                                PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+                        }
+
+                        PKIX_CHECK(pkix_hash
+                                (derBytes->data,
+                                derBytes->len,
+                                &extHash,
+                                plContext),
+                                PKIX_HASHFAILED);
+
+                        hashValue += (extHash << 7);
+
+                }
+        }
+
+        *pHashValue = hashValue;
+
+cleanup:
+
+        if (arena){
+                /* Note that freeing the arena also frees derBytes */
+                PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_FreeArena\n");
+                PORT_FreeArena(arena, PR_FALSE);
+                arena = NULL;
+        }
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        SECItem *nssDate = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        PKIX_UInt32 crlEntryHash;
+        PKIX_UInt32 hashValue;
+        PKIX_Int32 reasonCode = 0;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLENTRY_TYPE, plContext),
+                    PKIX_OBJECTNOTCRLENTRY);
+
+        crlEntry = (PKIX_PL_CRLEntry *)object;
+
+        PKIX_NULLCHECK_ONE(crlEntry->nssCrlEntry);
+        nssDate = &(crlEntry->nssCrlEntry->revocationDate);
+
+        PKIX_NULLCHECK_ONE(nssDate->data);
+
+        PKIX_CHECK(pkix_hash
+                ((const unsigned char *)nssDate->data,
+                nssDate->len,
+                &crlEntryHash,
+                plContext),
+                PKIX_ERRORGETTINGHASHCODE);
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode
+                ((PKIX_PL_Object *)crlEntry->serialNumber,
+                &hashValue,
+                plContext),
+                PKIX_OBJECTHASHCODEFAILED);
+
+        crlEntryHash += (hashValue << 7);
+
+        hashValue = 0;
+
+        if (crlEntry->nssCrlEntry->extensions) {
+
+                PKIX_CHECK(pkix_pl_CRLEntry_Extensions_Hashcode
+                    (crlEntry->nssCrlEntry->extensions, &hashValue, plContext),
+                    PKIX_CRLENTRYEXTENSIONSHASHCODEFAILED);
+        }
+
+        crlEntryHash += (hashValue << 7);
+
+        PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+                (crlEntry, &reasonCode, plContext),
+                PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+        crlEntryHash += (reasonCode + 777) << 3;
+
+        *pHashcode = crlEntryHash;
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLENTRY_Extensions_Equals
+ * DESCRIPTION:
+ *
+ *  Compare each extension's DERbyte data in "firstExtensions" with extension
+ *  in "secondExtensions" in sequential order and store the result in
+ *  "pResult".
+ *
+ * PARAMETERS
+ *  "firstExtensions"
+ *      Address of first NSS structure CERTCertExtension to be compared.
+ *      Must be non-NULL.
+ *  "secondExtensions"
+ *      Address of second NSS structure CERTCertExtension to be compared.
+ *      Must be non-NULL.
+ *  "pResult"
+ *      Address where the comparison result is returned. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *  Though the value of extensions once created is not supposed to change,
+ *  it may be de-allocated while we are accessing it. But since we are
+ *  validating the object, it is unlikely we or someone is de-allocating
+ *  at the moment.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_Extensions_Equals(
+        CERTCertExtension **extensions1,
+        CERTCertExtension **extensions2,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        CERTCertExtension **firstExtensions;
+        CERTCertExtension **secondExtensions;
+        CERTCertExtension *firstExtension = NULL;
+        CERTCertExtension *secondExtension = NULL;
+        PRArenaPool *arena = NULL;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+        SECItem *firstDerBytes = NULL;
+        SECItem *secondDerBytes = NULL;
+        SECItem *firstResultSecItem = NULL;
+        SECItem *secondResultSecItem = NULL;
+        PKIX_UInt32 firstNumExt = 0;
+        PKIX_UInt32 secondNumExt = 0;
+        SECComparison secResult;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Extensions_Equals");
+        PKIX_NULLCHECK_THREE(extensions1, extensions2, pResult);
+
+        firstExtensions = extensions1;
+        secondExtensions = extensions2;
+
+        if (firstExtensions) {
+                while (*firstExtensions) {
+                        firstExtension = *firstExtensions++;
+                        firstNumExt++;
+                }
+        }
+
+        if (secondExtensions) {
+                while (*secondExtensions) {
+                        secondExtension = *secondExtensions++;
+                        secondNumExt++;
+                }
+        }
+
+        if (firstNumExt != secondNumExt) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        if (firstNumExt == 0 && secondNumExt == 0) {
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /* now have equal number, but non-zero extension items to compare */
+
+        firstExtensions = extensions1;
+        secondExtensions = extensions2;
+
+        cmpResult = PKIX_TRUE;
+
+        PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_NewArena\n");
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE*2);
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        while (firstNumExt--) {
+
+                firstExtension = *firstExtensions++;
+                secondExtension = *secondExtensions++;
+
+                PKIX_NULLCHECK_TWO(firstExtension, secondExtension);
+
+                PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_ArenaZNew\n");
+                firstDerBytes = PORT_ArenaZNew(arena, SECItem);
+                if (firstDerBytes == NULL) {
+                        PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+                }
+
+                PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_ArenaZNew\n");
+                secondDerBytes = PORT_ArenaZNew(arena, SECItem);
+                if (secondDerBytes == NULL) {
+                        PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+                }
+
+                PKIX_CRLENTRY_DEBUG
+                        ("\t\tCalling SEC_ASN1EncodeItem\n");
+                firstResultSecItem = SEC_ASN1EncodeItem
+                        (arena,
+                        firstDerBytes,
+                        firstExtension,
+                        CERT_CertExtensionTemplate);
+
+                if (firstResultSecItem == NULL){
+                        PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+                }
+
+                PKIX_CRLENTRY_DEBUG
+                        ("\t\tCalling SEC_ASN1EncodeItem\n");
+                secondResultSecItem = SEC_ASN1EncodeItem
+                        (arena,
+                        secondDerBytes,
+                        secondExtension,
+                        CERT_CertExtensionTemplate);
+
+                if (secondResultSecItem == NULL){
+                        PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+                }
+
+                PKIX_CRLENTRY_DEBUG("\t\tCalling SECITEM_CompareItem\n");
+                secResult = SECITEM_CompareItem
+                        (firstResultSecItem, secondResultSecItem);
+
+                if (secResult != SECEqual) {
+                        cmpResult = PKIX_FALSE;
+                        break;
+                }
+
+        }
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        if (arena){
+                /* Note that freeing the arena also frees derBytes */
+                PKIX_CRLENTRY_DEBUG("\t\tCalling PORT_FreeArena\n");
+                PORT_FreeArena(arena, PR_FALSE);
+                arena = NULL;
+        }
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CRLEntry *firstCrlEntry = NULL;
+        PKIX_PL_CRLEntry *secondCrlEntry = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CRLEntry */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_CRLENTRY_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTCRLENTRY);
+
+        firstCrlEntry = (PKIX_PL_CRLEntry *)firstObject;
+        secondCrlEntry = (PKIX_PL_CRLEntry *)secondObject;
+
+        PKIX_NULLCHECK_TWO
+                (firstCrlEntry->nssCrlEntry, secondCrlEntry->nssCrlEntry);
+
+        /*
+         * Since we know firstObject is a CRLEntry, if both references are
+         * identical, they must be equal
+         */
+        if (firstCrlEntry == secondCrlEntry){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondCrlEntry isn't a CRL Entry, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    ((PKIX_PL_Object *)secondCrlEntry, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_CRLENTRY_TYPE) goto cleanup;
+
+        /* Compare userSerialNumber */
+        PKIX_CRLENTRY_DEBUG("\t\tCalling SECITEM_CompareItem\n");
+        if (SECITEM_CompareItem(
+            &(((PKIX_PL_CRLEntry *)firstCrlEntry)->nssCrlEntry->serialNumber),
+            &(((PKIX_PL_CRLEntry *)secondCrlEntry)->nssCrlEntry->serialNumber))
+            != SECEqual) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        /* Compare revocationDate */
+        PKIX_CRLENTRY_DEBUG("\t\tCalling SECITEM_CompareItem\n");
+        if (SECITEM_CompareItem
+            (&(((PKIX_PL_CRLEntry *)firstCrlEntry)->nssCrlEntry->
+                revocationDate),
+            &(((PKIX_PL_CRLEntry *)secondCrlEntry)->nssCrlEntry->
+                revocationDate))
+            != SECEqual) {
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        /* Compare Critical Extension List */
+        PKIX_CHECK(pkix_pl_CRLEntry_Extensions_Equals
+                    (firstCrlEntry->nssCrlEntry->extensions,
+                    secondCrlEntry->nssCrlEntry->extensions,
+                    &cmpResult,
+                    plContext),
+                    PKIX_CRLENTRYEXTENSIONSEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE){
+                *pResult = PKIX_FALSE;
+                goto cleanup;
+        }
+
+        cmpResult = (firstCrlEntry->userReasonCode ==
+                    secondCrlEntry->userReasonCode);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CRLEntry_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CRLEntry_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_RegisterSelf");
+
+        entry.description = "CRLEntry";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CRLEntry);
+        entry.destructor = pkix_pl_CRLEntry_Destroy;
+        entry.equalsFunction = pkix_pl_CRLEntry_Equals;
+        entry.hashcodeFunction = pkix_pl_CRLEntry_Hashcode;
+        entry.toStringFunction = pkix_pl_CRLEntry_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CRLENTRY_TYPE] = entry;
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_CreateEntry
+ * DESCRIPTION:
+ *
+ *  Creates a new CRLEntry using the CertCrlEntry pointed to by "nssCrlEntry"
+ *  and stores it at "pCrlEntry". Once created, a CRLEntry is immutable.
+ *
+ *  revokedCertificates SEQUENCE OF SEQUENCE  {
+ *              userCertificate         CertificateSerialNumber,
+ *              revocationDate          Time,
+ *              crlEntryExtensions      Extensions OPTIONAL
+ *                                      -- if present, MUST be v2
+ *
+ * PARAMETERS:
+ *  "nssCrlEntry"
+ *      Address of CERTCrlEntry representing an NSS CRL entry.
+ *      Must be non-NULL.
+ *  "pCrlEntry"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLEntry Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CRLEntry_CreateEntry(
+        CERTCrlEntry *nssCrlEntry, /* entry data to be created from */
+        PKIX_PL_CRLEntry **pCrlEntry,
+        void *plContext)
+{
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_CreateEntry");
+        PKIX_NULLCHECK_TWO(nssCrlEntry, pCrlEntry);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CRLENTRY_TYPE,
+                    sizeof (PKIX_PL_CRLEntry),
+                    (PKIX_PL_Object **)&crlEntry,
+                    plContext),
+                    PKIX_COULDNOTCREATECRLENTRYOBJECT);
+
+        crlEntry->nssCrlEntry = nssCrlEntry;
+        crlEntry->serialNumber = NULL;
+        crlEntry->critExtOids = NULL;
+        crlEntry->userReasonCode = 0;
+        crlEntry->userReasonCodeAbsent = PKIX_FALSE;
+
+        *pCrlEntry = crlEntry;
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: pkix_pl_CRLEntry_Create
+ * DESCRIPTION:
+ *
+ *  Creates a List of CRLEntries using the array of CERTCrlEntries pointed to
+ *  by "nssCrlEntries" and stores it at "pCrlEntryList". If "nssCrlEntries" is
+ *  NULL, this function stores an empty List at "pCrlEntryList".
+ *                              }
+ * PARAMETERS:
+ *  "nssCrlEntries"
+ *      Address of array of CERTCrlEntries representing NSS CRL entries.
+ *      Can be NULL if CRL has no NSS CRL entries.
+ *  "pCrlEntryList"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRLEntry Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CRLEntry_Create(
+        CERTCrlEntry **nssCrlEntries, /* head of entry list */
+        PKIX_List **pCrlEntryList,
+        void *plContext)
+{
+        PKIX_List *entryList = NULL;
+        PKIX_PL_CRLEntry *crlEntry = NULL;
+        CERTCrlEntry **entries = NULL;
+        SECItem serialNumberItem;
+        PKIX_PL_BigInt *serialNumber;
+        char *bytes = NULL;
+        PKIX_UInt32 length;
+
+        PKIX_ENTER(CRLENTRY, "pkix_pl_CRLEntry_Create");
+        PKIX_NULLCHECK_ONE(pCrlEntryList);
+
+        entries = nssCrlEntries;
+
+        PKIX_CHECK(PKIX_List_Create(&entryList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        if (entries) {
+            while (*entries){
+                PKIX_CHECK(pkix_pl_CRLEntry_CreateEntry
+                            (*entries, &crlEntry, plContext),
+                            PKIX_COULDNOTCREATECRLENTRYOBJECT);
+
+                /* Get Serial Number */
+                serialNumberItem = (*entries)->serialNumber;
+                length = serialNumberItem.len;
+                bytes = (char *)serialNumberItem.data;
+
+                PKIX_CHECK(pkix_pl_BigInt_CreateWithBytes
+                            (bytes, length, &serialNumber, plContext),
+                            PKIX_BIGINTCREATEWITHBYTESFAILED);
+
+                crlEntry->serialNumber = serialNumber;
+                crlEntry->nssCrlEntry = *entries;
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (entryList, (PKIX_PL_Object *)crlEntry, plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+
+                PKIX_DECREF(crlEntry);
+
+                entries++;
+            }
+        }
+
+        *pCrlEntryList = entryList;
+
+cleanup:
+        PKIX_DECREF(crlEntry);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(entryList);
+        }
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/* --Public-CRLENTRY-Functions------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRLEntry_GetCRLEntryReasonCode (
+        PKIX_PL_CRLEntry *crlEntry,
+        PKIX_Int32 *pReason,
+        void *plContext)
+{
+        SECStatus status;
+        CERTCRLEntryReasonCode nssReasonCode;
+
+        PKIX_ENTER(CRLENTRY, "PKIX_PL_CRLEntry_GetCRLEntryReasonCode");
+        PKIX_NULLCHECK_TWO(crlEntry, pReason);
+
+        if (!crlEntry->userReasonCodeAbsent && crlEntry->userReasonCode == 0) {
+
+            PKIX_OBJECT_LOCK(crlEntry);
+
+            if (!crlEntry->userReasonCodeAbsent &&
+                crlEntry->userReasonCode == 0) {
+
+                /* reason code has not been cached in */
+                PKIX_CRLENTRY_DEBUG("\t\tCERT_FindCRLEntryReasonExten.\n");
+                status = CERT_FindCRLEntryReasonExten
+                        (crlEntry->nssCrlEntry, &nssReasonCode);
+
+                if (status == SECSuccess) {
+                        crlEntry->userReasonCode = (PKIX_Int32) nssReasonCode;
+                } else {
+                        crlEntry->userReasonCodeAbsent = PKIX_TRUE;
+                }
+            }
+
+            PKIX_OBJECT_UNLOCK(crlEntry);
+
+        }
+
+        *pReason = crlEntry->userReasonCode;
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
+
+/*
+ * FUNCTION: PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_CRLEntry_GetCriticalExtensionOIDs (
+        PKIX_PL_CRLEntry *crlEntry,
+        PKIX_List **pList,  /* list of PKIX_PL_OID */
+        void *plContext)
+{
+        PKIX_List *oidsList = NULL;
+        CERTCertExtension **extensions;
+
+        PKIX_ENTER(CRLENTRY, "PKIX_PL_CRLEntry_GetCriticalExtensionOIDs");
+        PKIX_NULLCHECK_THREE(crlEntry, crlEntry->nssCrlEntry, pList);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (crlEntry->critExtOids == NULL) {
+
+                PKIX_OBJECT_LOCK(crlEntry);
+
+                if (crlEntry->critExtOids == NULL) {
+
+                        extensions = crlEntry->nssCrlEntry->extensions;
+
+                        PKIX_CHECK(pkix_pl_OID_GetCriticalExtensionOIDs
+                                    (extensions, &oidsList, plContext),
+                                    PKIX_GETCRITICALEXTENSIONOIDSFAILED);
+
+                        crlEntry->critExtOids = oidsList;
+                }
+
+                PKIX_OBJECT_UNLOCK(crlEntry);
+
+        }
+
+        /* We should return a copy of the List since this list changes */
+        PKIX_DUPLICATE(crlEntry->critExtOids, pList, plContext,
+                PKIX_OBJECTDUPLICATELISTFAILED);
+
+cleanup:
+
+        PKIX_RETURN(CRLENTRY);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.h
new file mode 100644
index 000000000..7f66acc2a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crlentry.h
@@ -0,0 +1,79 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_crlentry.h
+ *
+ * CRL Entry Type Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_CRLENTRY_H
+#define _PKIX_PL_CRLENTRY_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define PKIX_PL_CRL_REASONCODE_NOTSET (-1)
+
+struct PKIX_PL_CRLEntryStruct {
+        CERTCrlEntry *nssCrlEntry;
+        PKIX_PL_BigInt *serialNumber;
+        PKIX_List *critExtOids;
+        PKIX_Int32 userReasonCode;
+        PKIX_Boolean userReasonCodeAbsent;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_CRLEntry_RegisterSelf(void *plContext);
+
+/* following functions are called by CRL only hence not public */
+
+PKIX_Error *
+pkix_pl_CRLEntry_Create(
+        CERTCrlEntry **nssCrlEntry, /* head of entry list */
+        PKIX_List **pCrlEntryList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_CRLENTRY_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.c
new file mode 100644
index 000000000..d5b5998df
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.c
@@ -0,0 +1,588 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_date.c
+ *
+ * Date Object Definitions
+ *
+ */
+
+#include "pkix_pl_date.h"
+
+/* --Private-Date-Functions------------------------------------- */
+/*
+ * FUNCTION: pkix_pl_Date_GetPRTime
+ * DESCRIPTION:
+ *
+ *  Translates into a PRTime the Date embodied by the Date object pointed to
+ *  by "date", and stores it at "pPRTime".
+ *
+ * PARAMETERS
+ *  "date"
+ *      Address of Date whose PRTime representation is desired. Must be
+ *      non-NULL.
+ *  "pPRTime"
+ *      Address where PRTime value will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Date_GetPRTime(
+        PKIX_PL_Date *date,
+        PRTime *pPRTime,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(DATE, "PKIX_PL_Date_GetPRTime");
+        PKIX_NULLCHECK_TWO(date, pPRTime);
+
+        PKIX_DATE_DEBUG("\t\tCalling DER_DecodeTimeChoice).\n");
+        rv = DER_DecodeTimeChoice(pPRTime, &date->nssTime);
+
+        if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
+        }
+
+cleanup:
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_CreateFromPRTime
+ * DESCRIPTION:
+ *
+ *  Creates a new Date from the PRTime whose value is "prtime", and stores the
+ *  result at "pDate".
+ *
+ * PARAMETERS
+ *  "prtime"
+ *      The PRTime value to be embodied in the new Date object.
+ *  "pDate"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Date_CreateFromPRTime(
+        PRTime prtime,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        SECItem nssTime = { 0, NULL, 0 };
+        SECStatus rv = SECFailure;
+        PKIX_PL_Date *date = NULL;
+
+        PKIX_ENTER(DATE, "PKIX_PL_Date_CreateFromPRTime");
+        PKIX_NULLCHECK_ONE(pDate);
+
+        PKIX_DATE_DEBUG("\t\tCalling DER_EncodeTimeChoice).\n");
+        rv = DER_EncodeTimeChoice(NULL, &nssTime, prtime);
+
+        if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_DERENCODETIMECHOICEFAILED);
+        }
+
+        /* create a PKIX_PL_Date object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_DATE_TYPE,
+                    sizeof (PKIX_PL_Date),
+                    (PKIX_PL_Object **)&date,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        /* populate the nssTime field */
+        date->nssTime = nssTime;
+
+        *pDate = date;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PR_Free(nssTime.data);
+        }
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the SECItem pointed
+ *  to by "nssTime" (which represents a date) and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "nssTime"
+ *      Address of SECItem whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Date Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Date_ToString_Helper(
+        SECItem *nssTime,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        char *asciiDate = NULL;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_ToString_Helper");
+        PKIX_NULLCHECK_TWO(nssTime, pString);
+
+        switch (nssTime->type) {
+        case siUTCTime:
+                PKIX_PL_NSSCALLRV
+                        (DATE, asciiDate, DER_UTCDayToAscii, (nssTime));
+                if (!asciiDate){
+                        PKIX_ERROR(PKIX_DERUTCTIMETOASCIIFAILED);
+                }
+                break;
+        case siGeneralizedTime:
+                /*
+                 * we don't currently have any way to create GeneralizedTime.
+                 * this code is only here so that it will be in place when
+                 * we do have the capability to create GeneralizedTime.
+                 */
+                PKIX_PL_NSSCALLRV
+                        (DATE, asciiDate, DER_GeneralizedDayToAscii, (nssTime));
+                if (!asciiDate){
+                        PKIX_ERROR(PKIX_DERGENERALIZEDDAYTOASCIIFAILED);
+                }
+                break;
+        default:
+                PKIX_ERROR(PKIX_UNRECOGNIZEDTIMETYPE);
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII, asciiDate, 0, pString, plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PR_Free(asciiDate);
+
+        PKIX_RETURN(DATE);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_Date_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Date_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Date *date = NULL;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_DATE_TYPE, plContext),
+                    PKIX_OBJECTNOTDATE);
+
+        date = (PKIX_PL_Date *)object;
+
+        PR_Free(date->nssTime.data);
+
+cleanup:
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Date_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *dateString = NULL;
+        PKIX_PL_Date *date = NULL;
+        SECItem *nssTime = NULL;
+        char *asciiDate = NULL;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_DATE_TYPE, plContext),
+                    PKIX_OBJECTNOTDATE);
+
+        date = (PKIX_PL_Date *)object;
+
+        nssTime = &date->nssTime;
+
+        PKIX_CHECK(pkix_pl_Date_ToString_Helper
+                    (nssTime, &dateString, plContext),
+                    PKIX_DATETOSTRINGHELPERFAILED);
+
+        *pString = dateString;
+
+cleanup:
+
+        PKIX_FREE(asciiDate);
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Date_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_Date *date = NULL;
+        SECItem *nssTime = NULL;
+        PKIX_UInt32 dateHash;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_DATE_TYPE, plContext),
+                    PKIX_OBJECTNOTDATE);
+
+        date = (PKIX_PL_Date *)object;
+
+        nssTime = &date->nssTime;
+
+        PKIX_CHECK
+                (pkix_hash
+                ((const unsigned char *)nssTime->data,
+                nssTime->len,
+                &dateHash,
+                plContext),
+                PKIX_HASHFAILED);
+
+        *pHashcode = dateHash;
+
+cleanup:
+
+        PKIX_RETURN(DATE);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_Comparator
+ * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Date_Comparator(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        SECItem *firstTime = NULL;
+        SECItem *secondTime = NULL;
+        SECComparison cmpResult;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_Comparator");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                    (firstObject, secondObject, PKIX_DATE_TYPE, plContext),
+                    PKIX_ARGUMENTSNOTDATES);
+
+        firstTime = &((PKIX_PL_Date *)firstObject)->nssTime;
+        secondTime = &((PKIX_PL_Date *)secondObject)->nssTime;
+
+        PKIX_DATE_DEBUG("\t\tCalling SECITEM_CompareItem).\n");
+        cmpResult = SECITEM_CompareItem(firstTime, secondTime);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Date_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+
+        /* note: pkix_pl_Date can only represent UTCTime,not GeneralizedTime */
+
+        SECItem *firstTime = NULL;
+        SECItem *secondTime = NULL;
+        PKIX_UInt32 secondType;
+        SECComparison cmpResult;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a Date */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_DATE_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTDATE);
+
+        /*
+         * Since we know firstObject is a Date, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a Date, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_DATE_TYPE) goto cleanup;
+
+        firstTime = &((PKIX_PL_Date *)firstObject)->nssTime;
+        secondTime = &((PKIX_PL_Date *)secondObject)->nssTime;
+
+        PKIX_DATE_DEBUG("\t\tCalling SECITEM_CompareItem).\n");
+        cmpResult = SECITEM_CompareItem(firstTime, secondTime);
+
+        *pResult = (cmpResult == SECEqual);
+
+cleanup:
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: pkix_pl_Date_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_DATE_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_Date_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(DATE, "pkix_pl_Date_RegisterSelf");
+
+        entry.description = "Date";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_Date);
+        entry.destructor = pkix_pl_Date_Destroy;
+        entry.equalsFunction = pkix_pl_Date_Equals;
+        entry.hashcodeFunction = pkix_pl_Date_Hashcode;
+        entry.toStringFunction = pkix_pl_Date_ToString;
+        entry.comparator = pkix_pl_Date_Comparator;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_DATE_TYPE] = entry;
+
+        PKIX_RETURN(DATE);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_Date_Create_UTCTime (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Date_Create_UTCTime(
+        PKIX_PL_String *stringRep,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PKIX_PL_Date *date = NULL;
+        char *asciiString = NULL;
+        PKIX_UInt32 escAsciiLength;
+        SECItem nssTime;
+        SECStatus rv;
+        PRTime time;
+
+        PKIX_ENTER(DATE, "PKIX_PL_Date_Create_UTCTime");
+        PKIX_NULLCHECK_ONE(pDate);
+
+        if (stringRep == NULL){
+                PKIX_DATE_DEBUG("\t\tCalling PR_Now).\n");
+                time = PR_Now();
+        } else {
+                /* convert the input PKIX_PL_String to PKIX_ESCASCII */
+                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                            (stringRep,
+                            PKIX_ESCASCII,
+                            (void **)&asciiString,
+                            &escAsciiLength,
+                            plContext),
+                            PKIX_STRINGGETENCODEDFAILED);
+
+                PKIX_DATE_DEBUG("\t\tCalling DER_AsciiToTime).\n");
+                /* DER_AsciiToTime only supports UTCTime (2-digit years) */
+                rv = DER_AsciiToTime(&time, asciiString);
+                if (rv != SECSuccess){
+                        PKIX_ERROR(PKIX_DERASCIITOTIMEFAILED);
+                }
+        }
+
+        PKIX_DATE_DEBUG("\t\tCalling DER_TimeToUTCTime).\n");
+        rv = DER_TimeToUTCTime(&nssTime, time);
+        if (rv != SECSuccess){
+                PKIX_ERROR(PKIX_DERTIMETOUTCTIMEFAILED);
+        }
+
+        /* create a PKIX_PL_Date object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_DATE_TYPE,
+                    sizeof (PKIX_PL_Date),
+                    (PKIX_PL_Object **)&date,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        /* populate the nssTime field */
+        date->nssTime = nssTime;
+
+        *pDate = date;
+
+cleanup:
+
+        PKIX_FREE(asciiString);
+
+        if (PKIX_ERROR_RECEIVED){
+                PR_Free(nssTime.data);
+        }
+
+        PKIX_RETURN(DATE);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Date_Create_CurrentOffBySeconds
+ * (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_Date_Create_CurrentOffBySeconds(
+        PKIX_Int32 secondsOffset,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+        PKIX_PL_Date *date = NULL;
+        SECItem nssTime;
+        SECStatus rv;
+        PRTime time;
+
+        PKIX_ENTER(DATE, "PKIX_PL_Date_Create_CurrentOffBySeconds");
+        PKIX_NULLCHECK_ONE(pDate);
+
+        PKIX_DATE_DEBUG("\t\tCalling PR_Now).\n");
+        time = PR_Now();
+
+        time += (secondsOffset * PR_USEC_PER_SEC);
+
+        PKIX_DATE_DEBUG("\t\tCalling DER_TimeToUTCTime).\n");
+        rv = DER_TimeToUTCTime(&nssTime, time);
+        if (rv != SECSuccess){
+                PKIX_ERROR(PKIX_DERTIMETOUTCTIMEFAILED);
+        }
+
+        /* create a PKIX_PL_Date object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_DATE_TYPE,
+                    sizeof (PKIX_PL_Date),
+                    (PKIX_PL_Object **)&date,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        /* populate the nssTime field */
+        date->nssTime = nssTime;
+
+        *pDate = date;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PR_Free(nssTime.data);
+        }
+
+        PKIX_RETURN(DATE);
+}
+
+PKIX_Error *
+PKIX_PL_Date_CreateFromPRTime(
+        PRTime prtime,
+        PKIX_PL_Date **pDate,
+        void *plContext)
+{
+    PKIX_ENTER(DATE, "PKIX_PL_Date_CreateFromPRTime");
+    PKIX_CHECK(
+        pkix_pl_Date_CreateFromPRTime(prtime, pDate, plContext),
+        PKIX_DATECREATEFROMPRTIMEFAILED);
+
+cleanup:
+    PKIX_RETURN(DATE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.h
new file mode 100644
index 000000000..4211f506b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_date.h
@@ -0,0 +1,88 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_date.h
+ *
+ * Date Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_DATE_H
+#define _PKIX_PL_DATE_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_DateStruct{
+        SECItem nssTime;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_Date_ToString_Helper(
+        SECItem *nssTime,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+PKIX_Error *pkix_pl_Date_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_Date_GetPRTime(
+        PKIX_PL_Date *date,
+        PRTime *pPRTime,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_Date_CreateFromPRTime(
+        PRTime prtime,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+PKIX_Error *
+PKIX_PL_Date_CreateFromPRTime(
+        PRTime prtime,
+        PKIX_PL_Date **pDate,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_DATE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
new file mode 100644
index 000000000..b4056f320
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
@@ -0,0 +1,932 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_generalname.c
+ *
+ * GeneralName Object Definitions
+ *
+ */
+
+#include "pkix_pl_generalname.h"
+
+/* --Private-GeneralName-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_GetNssGeneralName
+ * DESCRIPTION:
+ *
+ *  Retrieves the NSS representation of the PKIX_PL_GeneralName pointed by
+ *  "genName" and stores it at "pNssGenName". The NSS data type CERTGeneralName
+ *  is stored in this object when the object was created.
+ *
+ * PARAMETERS:
+ *  "genName"
+ *      Address of PKIX_PL_GeneralName. Must be non-NULL.
+ *  "pNssGenName"
+ *      Address where CERTGeneralName will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_GeneralName_GetNssGeneralName(
+        PKIX_PL_GeneralName *genName,
+        CERTGeneralName **pNssGenName,
+        void *plContext)
+{
+        CERTGeneralName *nssGenName = NULL;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_GetNssGeneralName");
+        PKIX_NULLCHECK_THREE(genName, pNssGenName, genName->nssGeneralNameList);
+
+        nssGenName = genName->nssGeneralNameList->name;
+
+        *pNssGenName = nssGenName;
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_OtherName_Create
+ * DESCRIPTION:
+ *
+ *  Creates new OtherName which represents the CERTGeneralName pointed to by
+ *  "nssAltName" and stores it at "pOtherName".
+ *
+ * PARAMETERS:
+ *  "nssAltName"
+ *      Address of CERTGeneralName. Must be non-NULL.
+ *  "pOtherName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_OtherName_Create(
+        CERTGeneralName *nssAltName,
+        OtherName **pOtherName,
+        void *plContext)
+{
+        OtherName *otherName = NULL;
+        SECItem secItemName;
+        SECItem secItemOID;
+        SECStatus rv;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_OtherName_Create");
+        PKIX_NULLCHECK_TWO(nssAltName, pOtherName);
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (sizeof (OtherName), (void **)&otherName, plContext),
+                    PKIX_MALLOCFAILED);
+
+        /* make a copy of the name field */
+        PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
+        rv = SECITEM_CopyItem
+                (NULL, &otherName->name, &nssAltName->name.OthName.name);
+        if (rv != SECSuccess) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        /* make a copy of the oid field */
+        PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
+        rv = SECITEM_CopyItem
+                (NULL, &otherName->oid, &nssAltName->name.OthName.oid);
+        if (rv != SECSuccess) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        *pOtherName = otherName;
+
+cleanup:
+
+        if (otherName && PKIX_ERROR_RECEIVED){
+                secItemName = otherName->name;
+                secItemOID = otherName->oid;
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&secItemName, PR_FALSE);
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&secItemOID, PR_FALSE);
+
+                PKIX_FREE(otherName);
+                otherName = NULL;
+        }
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_DirectoryName_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new X500Name which represents the directoryName component of the
+ *  CERTGeneralName pointed to by "nssAltName" and stores it at "pX500Name".
+ *
+ * PARAMETERS:
+ *  "nssAltName"
+ *      Address of CERTGeneralName. Must be non-NULL.
+ *  "pX500Name"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_DirectoryName_Create(
+        CERTGeneralName *nssAltName,
+        PKIX_PL_X500Name **pX500Name,
+        void *plContext)
+{
+        PKIX_PL_X500Name *pkixDN = NULL;
+        CERTName *dirName = NULL;
+        PKIX_PL_String *pkixDNString = NULL;
+        char *utf8String = NULL;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_DirectoryName_Create");
+        PKIX_NULLCHECK_TWO(nssAltName, pX500Name);
+
+        dirName = &nssAltName->name.directoryName;
+
+        PKIX_CHECK(PKIX_PL_X500Name_CreateFromCERTName(NULL, dirName, 
+                                                       &pkixDN, plContext),
+                   PKIX_X500NAMECREATEFROMCERTNAMEFAILED);
+
+        *pX500Name = pkixDN;
+
+cleanup:
+
+        PR_Free(utf8String);
+        PKIX_DECREF(pkixDNString);
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_Create
+ * DESCRIPTION:
+ *
+ *  Creates new GeneralName which represents the CERTGeneralName pointed to by
+ *  "nssAltName" and stores it at "pGenName".
+ *
+ * PARAMETERS:
+ *  "nssAltName"
+ *      Address of CERTGeneralName. Must be non-NULL.
+ *  "pGenName"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_GeneralName_Create(
+        CERTGeneralName *nssAltName,
+        PKIX_PL_GeneralName **pGenName,
+        void *plContext)
+{
+        PKIX_PL_GeneralName *genName = NULL;
+        PKIX_PL_X500Name *pkixDN = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        OtherName *otherName = NULL;
+        CERTGeneralNameList *nssGenNameList = NULL;
+        CERTGeneralNameType nameType;
+        SECItem *secItem = NULL;
+        char *asciiName = NULL;
+        SECStatus rv;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create");
+        PKIX_NULLCHECK_TWO(nssAltName, pGenName);
+
+        /* create a PKIX_PL_GeneralName object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_GENERALNAME_TYPE,
+                    sizeof (PKIX_PL_GeneralName),
+                    (PKIX_PL_Object **)&genName,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        nameType = nssAltName->type;
+
+        /*
+         * We use CERT_CreateGeneralNameList to create just one CERTGeneralName
+         * item for memory allocation reason. If we want to just create one
+         * item, we have to use the calling path CERT_NewGeneralName, then
+         * CERT_CopyOneGeneralName. With this calling path, if we pass
+         * the arena argument as NULL, in CERT_CopyOneGeneralName's subsequent
+         * call to CERT_CopyName, it assumes arena should be valid, hence
+         * segmentation error (not sure this is a NSS bug, certainly it is
+         * not consistent). But on the other hand, we don't want to keep an
+         * arena record here explicitely for every PKIX_PL_GeneralName.
+         * So I concluded it is better to use CERT_CreateGeneralNameList,
+         * which keeps an arena pointer in its data structure and also masks
+         * out details calls from this libpkix level.
+         */
+
+        PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_CreateGeneralNameList).\n");
+        nssGenNameList = CERT_CreateGeneralNameList(nssAltName);
+
+        if (nssGenNameList == NULL) {
+                PKIX_ERROR(PKIX_CERTCREATEGENERALNAMELISTFAILED);
+        }
+
+        genName->nssGeneralNameList = nssGenNameList;
+
+        /* initialize fields */
+        genName->type = nameType;
+        genName->directoryName = NULL;
+        genName->OthName = NULL;
+        genName->other = NULL;
+        genName->oid = NULL;
+
+        switch (nameType){
+        case certOtherName:
+
+                PKIX_CHECK(pkix_pl_OtherName_Create
+                            (nssAltName, &otherName, plContext),
+                            PKIX_OTHERNAMECREATEFAILED);
+
+                genName->OthName = otherName;
+                break;
+
+        case certDirectoryName:
+
+                PKIX_CHECK(pkix_pl_DirectoryName_Create
+                            (nssAltName, &pkixDN, plContext),
+                            PKIX_DIRECTORYNAMECREATEFAILED);
+
+                genName->directoryName = pkixDN;
+                break;
+        case certRegisterID:
+
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                            (&nssAltName->name.other, &asciiName, plContext),
+                            PKIX_OIDBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext),
+                            PKIX_OIDCREATEFAILED);
+
+                genName->oid = pkixOID;
+                break;
+        case certDNSName:
+        case certEDIPartyName:
+        case certIPAddress:
+        case certRFC822Name:
+        case certX400Address:
+        case certURI:
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
+                secItem = SECITEM_AllocItem(NULL, NULL, 0);
+                if (secItem == NULL){
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
+                rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other);
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                genName->other = secItem;
+                break;
+        default:
+                PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED);
+        }
+
+        *pGenName = genName;
+cleanup:
+
+        PKIX_FREE(asciiName);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(genName);
+                if (secItem){
+                        PKIX_GENERALNAME_DEBUG
+                                ("\t\tCalling SECITEM_FreeItem).\n");
+                        SECITEM_FreeItem(secItem, PR_TRUE);
+                        secItem = NULL;
+                }
+        }
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the GeneralName
+ *  pointed to by "name" and stores it at "pString" Different mechanisms are
+ *  used to create the string, depending on the type of the GeneralName.
+ *
+ * PARAMETERS
+ *  "name"
+ *      Address of GeneralName whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a GeneralName Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_GeneralName_ToString_Helper(
+        PKIX_PL_GeneralName *name,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_X500Name *pkixDN = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        char *x400AsciiName = NULL;
+        char *ediPartyName = NULL;
+        char *asciiName = NULL;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_ToString_Helper");
+        PKIX_NULLCHECK_TWO(name, pString);
+
+        switch (name->type) {
+        case certRFC822Name:
+        case certDNSName:
+        case certURI:
+                /*
+                 * Note that we can't use PKIX_ESCASCII here because
+                 * name->other->data is not guaranteed to be null-terminated.
+                 */
+
+                PKIX_NULLCHECK_ONE(name->other);
+
+                PKIX_CHECK(PKIX_PL_String_Create(PKIX_UTF8,
+                                                (name->other)->data,
+                                                (name->other)->len,
+                                                pString,
+                                                plContext),
+                            PKIX_STRINGCREATEFAILED);
+                break;
+        case certEDIPartyName:
+                /* XXX print out the actual bytes */
+                ediPartyName = "EDIPartyName: <DER-encoded value>";
+                PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII,
+                                                ediPartyName,
+                                                0,
+                                                pString,
+                                                plContext),
+                            PKIX_STRINGCREATEFAILED);
+                break;
+        case certX400Address:
+                /* XXX print out the actual bytes */
+                x400AsciiName = "X400Address: <DER-encoded value>";
+                PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII,
+                                                x400AsciiName,
+                                                0,
+                                                pString,
+                                                plContext),
+                            PKIX_STRINGCREATEFAILED);
+                break;
+        case certIPAddress:
+                PKIX_CHECK(pkix_pl_ipAddrBytes2Ascii
+                            (name->other, &asciiName, plContext),
+                            PKIX_IPADDRBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII,
+                                                asciiName,
+                                                0,
+                                                pString,
+                                                plContext),
+                            PKIX_STRINGCREATEFAILED);
+                break;
+        case certOtherName:
+                PKIX_NULLCHECK_ONE(name->OthName);
+
+                /* we only print type-id - don't know how to print value */
+                /* XXX print out the bytes of the value */
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                            (&name->OthName->oid, &asciiName, plContext),
+                            PKIX_OIDBYTES2ASCIIFAILED);
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                            (PKIX_ESCASCII,
+                            asciiName,
+                            0,
+                            pString,
+                            plContext),
+                            PKIX_STRINGCREATEFAILED);
+                break;
+        case certRegisterID:
+                pkixOID = name->oid;
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object *)pkixOID, pString, plContext),
+                            PKIX_OIDTOSTRINGFAILED);
+                break;
+        case certDirectoryName:
+                pkixDN = name->directoryName;
+                PKIX_CHECK(PKIX_PL_Object_ToString
+                            ((PKIX_PL_Object *)pkixDN, pString, plContext),
+                            PKIX_X500NAMETOSTRINGFAILED);
+                break;
+        default:
+                PKIX_ERROR
+                        (PKIX_TOSTRINGFORTHISGENERALNAMETYPENOTSUPPORTED);
+        }
+
+cleanup:
+
+        PKIX_FREE(asciiName);
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_GeneralName_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_GeneralName *name = NULL;
+        SECItem secItemName;
+        SECItem secItemOID;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_GENERALNAME_TYPE, plContext),
+                    PKIX_OBJECTNOTGENERALNAME);
+
+        name = (PKIX_PL_GeneralName *)object;
+
+        PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+        SECITEM_FreeItem(name->other, PR_TRUE);
+        name->other = NULL;
+
+        if (name->OthName){
+                secItemName = name->OthName->name;
+                secItemOID = name->OthName->oid;
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&secItemName, PR_FALSE);
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+                SECITEM_FreeItem(&secItemOID, PR_FALSE);
+
+                PKIX_FREE(name->OthName);
+                name->OthName = NULL;
+        }
+
+        if (name->nssGeneralNameList != NULL) {
+                PKIX_GENERALNAME_DEBUG
+                        ("\t\tCalling CERT_DestroyGeneralNameList).\n");
+                CERT_DestroyGeneralNameList(name->nssGeneralNameList);
+        }
+
+        PKIX_DECREF(name->directoryName);
+        PKIX_DECREF(name->oid);
+
+cleanup:
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_GeneralName_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *nameString = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_GENERALNAME_TYPE, plContext),
+                    PKIX_OBJECTNOTGENERALNAME);
+
+        name = (PKIX_PL_GeneralName *)object;
+
+        PKIX_CHECK(pkix_pl_GeneralName_ToString_Helper
+                    (name, &nameString, plContext),
+                    PKIX_GENERALNAMETOSTRINGHELPERFAILED);
+
+        *pString = nameString;
+
+cleanup:
+
+
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_GeneralName_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_UInt32 firstHash, secondHash, nameHash;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_GENERALNAME_TYPE, plContext),
+                    PKIX_OBJECTNOTGENERALNAME);
+
+        name = (PKIX_PL_GeneralName *)object;
+
+        switch (name->type) {
+        case certRFC822Name:
+        case certDNSName:
+        case certX400Address:
+        case certEDIPartyName:
+        case certURI:
+        case certIPAddress:
+                PKIX_NULLCHECK_ONE(name->other);
+                PKIX_CHECK(pkix_hash
+                            ((const unsigned char *)
+                            name->other->data,
+                            name->other->len,
+                            &nameHash,
+                            plContext),
+                            PKIX_HASHFAILED);
+                break;
+        case certRegisterID:
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object *)name->oid,
+                            &nameHash,
+                            plContext),
+                            PKIX_OIDHASHCODEFAILED);
+                break;
+        case certOtherName:
+                PKIX_NULLCHECK_ONE(name->OthName);
+                PKIX_CHECK(pkix_hash
+                            ((const unsigned char *)
+                            name->OthName->oid.data,
+                            name->OthName->oid.len,
+                            &firstHash,
+                            plContext),
+                            PKIX_HASHFAILED);
+
+                PKIX_CHECK(pkix_hash
+                            ((const unsigned char *)
+                            name->OthName->name.data,
+                            name->OthName->name.len,
+                            &secondHash,
+                            plContext),
+                            PKIX_HASHFAILED);
+
+                nameHash = firstHash + secondHash;
+                break;
+        case certDirectoryName:
+                PKIX_CHECK(PKIX_PL_Object_Hashcode
+                            ((PKIX_PL_Object *)
+                            name->directoryName,
+                            &nameHash,
+                            plContext),
+                            PKIX_X500NAMEHASHCODEFAILED);
+                break;
+        }
+
+        *pHashcode = nameHash;
+
+cleanup:
+
+        PKIX_RETURN(GENERALNAME);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_GeneralName_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_GeneralName *firstName = NULL;
+        PKIX_PL_GeneralName *secondName = NULL;
+        PKIX_UInt32 secondType;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a GeneralName */
+        PKIX_CHECK(pkix_CheckType
+                    (firstObject, PKIX_GENERALNAME_TYPE, plContext),
+                    PKIX_FIRSTOBJECTNOTGENERALNAME);
+
+        /*
+         * Since we know firstObject is a GeneralName, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a GeneralName, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_GENERALNAME_TYPE){
+                goto cleanup;
+        }
+
+        firstName = (PKIX_PL_GeneralName *)firstObject;
+        secondName = (PKIX_PL_GeneralName *)secondObject;
+
+        if (firstName->type != secondName->type){
+                goto cleanup;
+        }
+
+        switch (firstName->type) {
+        case certRFC822Name:
+        case certDNSName:
+        case certX400Address:
+        case certEDIPartyName:
+        case certURI:
+        case certIPAddress:
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CompareItem).\n");
+                if (SECITEM_CompareItem(firstName->other,
+                                        secondName->other) != SECEqual) {
+                        goto cleanup;
+                }
+                break;
+        case certRegisterID:
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)firstName->oid,
+                            (PKIX_PL_Object *)secondName->oid,
+                            pResult,
+                            plContext),
+                            PKIX_OIDEQUALSFAILED);
+                goto cleanup;
+        case certOtherName:
+                PKIX_NULLCHECK_TWO(firstName->OthName, secondName->OthName);
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CompareItem).\n");
+                if (SECITEM_CompareItem(&firstName->OthName->oid,
+                                        &secondName->OthName->oid)
+                    != SECEqual ||
+                    SECITEM_CompareItem(&firstName->OthName->name,
+                                        &secondName->OthName->name)
+                    != SECEqual) {
+                        goto cleanup;
+                }
+                break;
+        case certDirectoryName:
+                PKIX_CHECK(PKIX_PL_Object_Equals
+                            ((PKIX_PL_Object *)firstName->directoryName,
+                            (PKIX_PL_Object *)secondName->directoryName,
+                            pResult,
+                            plContext),
+                            PKIX_X500NAMEEQUALSFAILED);
+                goto cleanup;
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_GeneralName_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_GENERALNAME_TYPE and related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_GeneralName_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_RegisterSelf");
+
+        entry.description = "GeneralName";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_GeneralName);
+        entry.destructor = pkix_pl_GeneralName_Destroy;
+        entry.equalsFunction = pkix_pl_GeneralName_Equals;
+        entry.hashcodeFunction = pkix_pl_GeneralName_Hashcode;
+        entry.toStringFunction = pkix_pl_GeneralName_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_GENERALNAME_TYPE] = entry;
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+#ifdef BUILD_LIBPKIX_TESTS
+/*
+ * FUNCTION: PKIX_PL_GeneralName_Create (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_GeneralName_Create(
+        PKIX_UInt32 nameType,
+        PKIX_PL_String *stringRep,
+        PKIX_PL_GeneralName **pGName,
+        void *plContext)
+{
+        PKIX_PL_X500Name *pkixDN = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        SECItem *secItem = NULL;
+        char *asciiString = NULL;
+        PKIX_UInt32 length = 0;
+        PKIX_PL_GeneralName *genName = NULL;
+        CERTGeneralName *nssGenName = NULL;
+        CERTGeneralNameList *nssGenNameList = NULL;
+        CERTName *nssCertName = NULL;
+        PLArenaPool *arena = NULL;
+
+        PKIX_ENTER(GENERALNAME, "PKIX_PL_GeneralName_Create");
+        PKIX_NULLCHECK_TWO(pGName, stringRep);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stringRep,
+                    PKIX_ESCASCII,
+                    (void **)&asciiString,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        /* Create a temporary CERTGeneralName */
+        PKIX_GENERALNAME_DEBUG("\t\tCalling PL_strlen).\n");
+        length = PL_strlen(asciiString);
+        PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
+        secItem = SECITEM_AllocItem(NULL, NULL, length);
+        PKIX_GENERALNAME_DEBUG("\t\tCalling PORT_Memcpy).\n");
+        (void) PORT_Memcpy(secItem->data, asciiString, length);
+        PKIX_CERT_DEBUG("\t\tCalling PORT_NewArena).\n");
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+        PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_NewGeneralName).\n");
+        nssGenName = CERT_NewGeneralName(arena, nameType);
+        if (nssGenName == NULL) {
+                PKIX_ERROR(PKIX_ALLOCATENEWCERTGENERALNAMEFAILED);
+        }
+
+        switch (nameType) {
+        case certRFC822Name:
+        case certDNSName:
+        case certURI:
+                nssGenName->name.other = *secItem;
+                break;
+
+        case certDirectoryName:
+
+                PKIX_CHECK(PKIX_PL_X500Name_Create
+                            (stringRep, &pkixDN, plContext),
+                            PKIX_X500NAMECREATEFAILED);
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_AsciiToName).\n");
+                nssCertName = CERT_AsciiToName(asciiString);
+                nssGenName->name.directoryName = *nssCertName;
+                break;
+
+        case certRegisterID:
+                PKIX_CHECK(PKIX_PL_OID_Create
+                            (asciiString, &pkixOID, plContext),
+                            PKIX_OIDCREATEFAILED);
+                nssGenName->name.other = *secItem;
+                break;
+        default:
+                /* including IPAddress, EDIPartyName, OtherName, X400Address */
+                PKIX_ERROR(PKIX_UNABLETOCREATEGENERALNAMEOFTHISTYPE);
+        }
+
+        /* create a PKIX_PL_GeneralName object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_GENERALNAME_TYPE,
+                    sizeof (PKIX_PL_GeneralName),
+                    (PKIX_PL_Object **)&genName,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        /* create a CERTGeneralNameList */
+        nssGenName->type = nameType;
+        PKIX_GENERALNAME_DEBUG("\t\tCalling CERT_CreateGeneralNameList).\n");
+        nssGenNameList = CERT_CreateGeneralNameList(nssGenName);
+        if (nssGenNameList == NULL) {
+                PKIX_ERROR(PKIX_CERTCREATEGENERALNAMELISTFAILED);
+        }
+        genName->nssGeneralNameList = nssGenNameList;
+
+        /* initialize fields */
+        genName->type = nameType;
+        genName->directoryName = pkixDN;
+        genName->OthName = NULL;
+        genName->other = secItem;
+        genName->oid = pkixOID;
+
+        *pGName = genName;
+cleanup:
+
+        PKIX_FREE(asciiString);
+
+        if (nssCertName != NULL) {
+                PKIX_CERT_DEBUG("\t\tCalling CERT_DestroyName).\n");
+                CERT_DestroyName(nssCertName);
+        }
+
+        if (arena){ /* will free nssGenName */
+                PKIX_CERT_DEBUG("\t\tCalling PORT_FreeArena).\n");
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(pkixDN);
+                PKIX_DECREF(pkixOID);
+
+                PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+                if (secItem){
+                        SECITEM_FreeItem(secItem, PR_TRUE);
+                        secItem = NULL;
+                }
+        }
+
+        PKIX_RETURN(GENERALNAME);
+}
+
+#endif /* BUILD_LIBPKIX_TESTS */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.h
new file mode 100644
index 000000000..5d3298f9a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.h
@@ -0,0 +1,82 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_generalname.h
+ *
+ * GeneralName Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_GENERALNAME_H
+#define _PKIX_PL_GENERALNAME_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_GeneralNameStruct{
+        CERTGeneralNameList *nssGeneralNameList;
+        CERTGeneralNameType type;
+        PKIX_PL_X500Name *directoryName;
+        PKIX_PL_OID *oid;
+        OtherName *OthName;
+        SECItem *other;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_GeneralName_Create(
+        CERTGeneralName *nssAltName,
+        PKIX_PL_GeneralName **pGenName,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_GeneralName_GetNssGeneralName(
+        PKIX_PL_GeneralName *genName,
+        CERTGeneralName **pNssGenName,
+        void *plContext);
+
+PKIX_Error *pkix_pl_GeneralName_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_GENERALNAME_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
new file mode 100644
index 000000000..996544cc3
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -0,0 +1,928 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_infoaccess.c
+ *
+ * InfoAccess Object Definitions
+ *
+ */
+
+#include "pkix_pl_infoaccess.h"
+
+/* XXX Following SEC_OID_PKIX defines should be merged in NSS */
+#define SEC_OID_PKIX_CA_REPOSITORY     1003
+#define SEC_OID_PKIX_TIMESTAMPING      1005
+/* XXX Following OID defines hould be moved to NSS */
+static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05,
+                                0x05, 0x07, 0x030, 0x03};
+static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05,
+                                0x05, 0x07, 0x030, 0x05};
+
+
+/* --Private-InfoAccess-Functions----------------------------------*/
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an InfoAccess from the method provided in "method" and
+ *  the GeneralName provided in "generalName" and stores the result at
+ *  "pInfoAccess".
+ *
+ * PARAMETERS
+ *  "method"
+ *      The UInt32 value to be stored as the method field of the InfoAccess.
+ *  "generalName"
+ *      The GeneralName to be stored as the generalName field of the InfoAccess.
+ *      Must be non-NULL.
+ *  "pInfoAccess"
+ *      Address where the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_Create(
+        PKIX_UInt32 method,
+        PKIX_PL_GeneralName *generalName,
+        PKIX_PL_InfoAccess **pInfoAccess,
+        void *plContext)
+{
+
+        PKIX_PL_InfoAccess *infoAccess = NULL;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Create");
+        PKIX_NULLCHECK_TWO(generalName, pInfoAccess);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_INFOACCESS_TYPE,
+                sizeof (PKIX_PL_InfoAccess),
+                (PKIX_PL_Object **)&infoAccess,
+                plContext),
+                PKIX_COULDNOTCREATEINFOACCESSOBJECT);
+
+        infoAccess->method = method;
+
+        PKIX_INCREF(generalName);
+        infoAccess->location = generalName;
+
+        *pInfoAccess = infoAccess;
+        infoAccess = NULL;
+
+cleanup:
+        PKIX_DECREF(infoAccess);
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_pki.h)
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_InfoAccess *infoAccess = NULL;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_INFOACCESS_TYPE, plContext),
+                PKIX_OBJECTNOTANINFOACCESS);
+
+        infoAccess = (PKIX_PL_InfoAccess *)object;
+
+        PKIX_DECREF(infoAccess->location);
+
+cleanup:
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_pki.h)
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_InfoAccess *infoAccess;
+        PKIX_PL_String *infoAccessString = NULL;
+        char *asciiFormat = NULL;
+        char *asciiMethod = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *methodString = NULL;
+        PKIX_PL_String *locationString = NULL;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_INFOACCESS_TYPE, plContext),
+                    PKIX_OBJECTNOTINFOACCESS);
+
+        infoAccess = (PKIX_PL_InfoAccess *)object;
+
+        asciiFormat =
+                "["
+                "method:%s, "
+                "location:%s"
+                "]";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        switch(infoAccess->method) {
+            case PKIX_INFOACCESS_CA_ISSUERS:
+                    asciiMethod = "caIssuers";
+                    break;
+            case PKIX_INFOACCESS_OCSP:
+                    asciiMethod = "ocsp";
+                    break;
+            case PKIX_INFOACCESS_TIMESTAMPING:
+                    asciiMethod = "timestamping";
+                    break;
+            case PKIX_INFOACCESS_CA_REPOSITORY:
+                    asciiMethod = "caRepository";
+                    break;
+            default:
+                    asciiMethod = "unknown";
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiMethod,
+                    0,
+                    &methodString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_TOSTRING(infoAccess->location, &locationString, plContext,
+                    PKIX_GENERALNAMETOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&infoAccessString,
+                    plContext,
+                    formatString,
+                    methodString,
+                    locationString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = infoAccessString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(methodString);
+        PKIX_DECREF(locationString);
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_pki.h)
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_InfoAccess *infoAccess = NULL;
+        PKIX_UInt32 infoAccessHash;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_INFOACCESS_TYPE, plContext),
+                    PKIX_OBJECTNOTINFOACCESS);
+
+        infoAccess = (PKIX_PL_InfoAccess *)object;
+
+        PKIX_HASHCODE(infoAccess->location, &infoAccessHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        infoAccessHash += (infoAccess->method << 7);
+
+        *pHashcode = infoAccessHash;
+
+cleanup:
+
+        PKIX_RETURN(INFOACCESS);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_pki.h)
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_InfoAccess *firstInfoAccess = NULL;
+        PKIX_PL_InfoAccess *secondInfoAccess = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a InfoAccess */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_INFOACCESS_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTINFOACCESS);
+
+        /*
+         * Since we know firstObject is a InfoAccess, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a InfoAccess, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_INFOACCESS_TYPE) goto cleanup;
+
+        firstInfoAccess = (PKIX_PL_InfoAccess *)firstObject;
+        secondInfoAccess = (PKIX_PL_InfoAccess *)secondObject;
+
+        *pResult = PKIX_FALSE;
+
+        if (firstInfoAccess->method != secondInfoAccess->method) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS(firstInfoAccess, secondInfoAccess, &cmpResult, plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        *pResult = cmpResult;
+
+cleanup:
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_INFOACCESS_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_InfoAccess_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(INFOACCESS,
+                "pkix_pl_InfoAccess_RegisterSelf");
+
+        entry.description = "InfoAccess";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_InfoAccess);
+        entry.destructor = pkix_pl_InfoAccess_Destroy;
+        entry.equalsFunction = pkix_pl_InfoAccess_Equals;
+        entry.hashcodeFunction = pkix_pl_InfoAccess_Hashcode;
+        entry.toStringFunction = pkix_pl_InfoAccess_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_INFOACCESS_TYPE] = entry;
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_CreateList
+ * DESCRIPTION:
+ *
+ *  Based on data in CERTAuthInfoAccess array "nssInfoAccess", this function
+ *  creates and returns a PKIX_List of PKIX_PL_InfoAccess at "pInfoAccessList".
+ *
+ * PARAMETERS
+ *  "nssInfoAccess"
+ *      The pointer array of CERTAuthInfoAccess that contains access data.
+ *      May be NULL.
+ *  "pInfoAccessList"
+ *      Address where a list of PKIX_PL_InfoAccess is returned.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_InfoAccess_CreateList(
+        CERTAuthInfoAccess **nssInfoAccess,
+        PKIX_List **pInfoAccessList, /* of PKIX_PL_InfoAccess */
+        void *plContext)
+{
+        PKIX_List *infoAccessList = NULL;
+        PKIX_PL_InfoAccess *infoAccess = NULL;
+        PKIX_PL_GeneralName *location = NULL;
+        PKIX_UInt32 method;
+        int i;
+
+        PKIX_ENTER(INFOACCESS, "PKIX_PL_InfoAccess_CreateList");
+        PKIX_NULLCHECK_ONE(pInfoAccessList);
+
+        PKIX_CHECK(PKIX_List_Create(&infoAccessList, plContext),
+                PKIX_LISTCREATEFAILED);
+
+        if (nssInfoAccess == NULL) {
+                goto cleanup;
+        }
+
+        for (i = 0; nssInfoAccess[i] != NULL; i++) {
+
+                if (nssInfoAccess[i]->location == NULL) {
+                    continue;
+                }
+
+                PKIX_CHECK(pkix_pl_GeneralName_Create
+                        (nssInfoAccess[i]->location, &location, plContext),
+                        PKIX_GENERALNAMECREATEFAILED);
+
+                PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n");
+                method = SECOID_FindOIDTag(&nssInfoAccess[i]->method);
+
+                if (method == 0) {
+
+                /* XXX
+                 * This part of code is definitely hacking, need NSS decode
+                 * support. We can reuse the CERT_DecodeAuthInfoAccessExtension
+                 * since SIA and AIA are all the same type. However NSS need
+                 * to add SIA, CaRepository, TimeStamping OID definitions and
+                 * the numerical method, timeStamping and caRepository values.
+                 *
+                 * We assume now, since method is 0, implies the method for SIA
+                 * was not decoded by CERT_DecodeAuthInfoAccessExtension()
+                 * so we compare and put value in. This part should be taken
+                 * out eventually if CERT_DecodeInfoAccessExtension (*renamed*)
+                 * is doing the job.
+                 */
+
+                        PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n");
+                        if (PORT_Strncmp
+                                ((char *)nssInfoAccess[i]->method.data,
+                                (char *)siaTimeStampingOID,
+                                nssInfoAccess[i]->method.len) == 0) {
+                                method = SEC_OID_PKIX_TIMESTAMPING;
+                        } else if (PORT_Strncmp
+                                ((char *)nssInfoAccess[i]->method.data,
+                                (char *)siaCaRepositoryOID,
+                                nssInfoAccess[i]->method.len) == 0) {
+                                method = SEC_OID_PKIX_CA_REPOSITORY;
+                        }
+                }
+
+                /* Map NSS access method value into PKIX constant */
+                switch(method) {
+                        case SEC_OID_PKIX_CA_ISSUERS:
+                                method = PKIX_INFOACCESS_CA_ISSUERS;
+                                break;
+                        case SEC_OID_PKIX_OCSP:
+                                method = PKIX_INFOACCESS_OCSP;
+                                break;
+                        case SEC_OID_PKIX_TIMESTAMPING:
+                                method = PKIX_INFOACCESS_TIMESTAMPING;
+                                break;
+                        case SEC_OID_PKIX_CA_REPOSITORY:
+                                method = PKIX_INFOACCESS_CA_REPOSITORY;
+                                break;
+                        default:
+                                break;
+                }
+
+                PKIX_CHECK(pkix_pl_InfoAccess_Create
+                        (method, location, &infoAccess, plContext),
+                        PKIX_INFOACCESSCREATEFAILED);
+
+                PKIX_CHECK(PKIX_List_AppendItem
+                            (infoAccessList,
+                            (PKIX_PL_Object *)infoAccess,
+                            plContext),
+                            PKIX_LISTAPPENDITEMFAILED);
+                PKIX_DECREF(infoAccess);
+                PKIX_DECREF(location);
+        }
+
+        *pInfoAccessList = infoAccessList;
+        infoAccessList = NULL;
+
+cleanup:
+
+        PKIX_DECREF(infoAccessList);
+        PKIX_DECREF(infoAccess);
+        PKIX_DECREF(location);
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetMethod (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetMethod(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_UInt32 *pMethod,
+        void *plContext)
+{
+        PKIX_ENTER(INFOACCESS, "PKIX_PL_InfoAccess_GetMethod");
+        PKIX_NULLCHECK_TWO(infoAccess, pMethod);
+
+        *pMethod = infoAccess->method;
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetLocation (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetLocation(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_PL_GeneralName **pLocation,
+        void *plContext)
+{
+        PKIX_ENTER(INFOACCESS, "PKIX_PL_InfoAccess_GetLocation");
+        PKIX_NULLCHECK_TWO(infoAccess, pLocation);
+
+        PKIX_INCREF(infoAccess->location);
+
+        *pLocation = infoAccess->location;
+
+cleanup:
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: PKIX_PL_InfoAccess_GetLocationType (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_InfoAccess_GetLocationType(
+        PKIX_PL_InfoAccess *infoAccess,
+        PKIX_UInt32 *pType,
+        void *plContext)
+{
+        PKIX_PL_String *locationString = NULL;
+        PKIX_UInt32 type = PKIX_INFOACCESS_LOCATION_UNKNOWN;
+        PKIX_UInt32 len = 0;
+        void *location = NULL;
+
+        PKIX_ENTER(INFOACCESS, "PKIX_PL_InfoAccess_GetLocationType");
+        PKIX_NULLCHECK_TWO(infoAccess, pType);
+
+        if (infoAccess->location != NULL) {
+
+                PKIX_TOSTRING(infoAccess->location, &locationString, plContext,
+                    PKIX_GENERALNAMETOSTRINGFAILED);
+
+                PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (locationString, PKIX_ESCASCII, &location, &len, plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+                PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
+                if (PORT_Strncmp(location, "ldap:", 5) == 0){
+                        type = PKIX_INFOACCESS_LOCATION_LDAP;
+                } else
+                if (PORT_Strncmp(location, "http:", 5) == 0){
+                        type = PKIX_INFOACCESS_LOCATION_HTTP;
+                }
+        }
+
+        *pType = type;
+
+cleanup:
+
+        PKIX_PL_Free(location, plContext);
+        PKIX_DECREF(locationString);
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_ParseTokens
+ * DESCRIPTION:
+ *
+ *  This function parses the string beginning at "startPos" into tokens using
+ *  the separator contained in "separator" and the terminator contained in
+ *  "terminator", copying the tokens into space allocated from the arena
+ *  pointed to by "arena". It stores in "tokens" a null-terminated array of
+ *  pointers to those tokens.
+ *
+ * PARAMETERS
+ *  "arena"
+ *      Address of a PRArenaPool to be used in populating the LDAPLocation.
+ *      Must be non-NULL.
+ *  "startPos"
+ *      The address of char string that contains a subset of ldap location.
+ *  "tokens"
+ *      The address of an array of char string for storing returned tokens.
+ *      Must be non-NULL.
+ *  "separator"
+ *      The character that is taken as token separator. Must be non-NULL.
+ *  "terminator"
+ *      The character that is taken as parsing terminator. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an InfoAccess Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_InfoAccess_ParseTokens(
+        PRArenaPool *arena,
+        char **startPos, /* return update */
+        char ***tokens,
+        char separator,
+        char terminator,
+        void *plContext)
+{
+        PKIX_UInt32 len = 0;
+        PKIX_UInt32 numFilters = 0;
+        PKIX_Int32 cmpResult = -1;
+        char *endPos = NULL;
+        char *p = NULL;
+        char **filterP = NULL;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseTokens");
+        PKIX_NULLCHECK_THREE(arena, startPos, tokens);
+
+        endPos = *startPos;
+
+        /* First pass: parse to <terminator> to count number of components */
+        numFilters = 0;
+        while (*endPos != terminator && *endPos != '\0') {
+                endPos++;
+                if (*endPos == separator) {
+                        numFilters++;
+                }
+        }
+
+        if (*endPos != terminator) {
+                PKIX_ERROR(PKIX_LOCATIONSTRINGNOTPROPERLYTERMINATED);
+        }
+
+        /* Last one doesn't have a "," as separator, although we allow it */
+        if (*(endPos-1) != ',') {
+                numFilters++;
+        }
+
+        /*
+         * If string is a=xx, b=yy, c=zz, etc., use a=xx for filter,
+         * and everything else for the base
+         */
+        if (numFilters > 2) numFilters = 2;
+
+        filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1);
+        if (filterP == NULL) {
+            PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        /* Second pass: parse to fill in components in token array */
+        *tokens = filterP;
+        endPos = *startPos;
+
+        while (numFilters) {
+            if (*endPos == separator || *endPos == terminator) {
+                    len = endPos - *startPos;
+                    p = PORT_ArenaZAlloc(arena, len+1);
+                    if (p == NULL) {
+                        PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+                    }
+
+                    *filterP = p;
+
+                    while (len) {
+                            if (**startPos == '%') {
+                            /* replace %20 by blank */
+                                cmpResult = strncmp(*startPos, "%20", 3);
+                                if (cmpResult == 0) {
+                                    *p = ' ';
+                                    *startPos += 3;
+                                    len -= 3;
+                                }
+                            } else {
+                                *p = **startPos;
+                                (*startPos)++;
+                                len--;
+                            }
+                            p++;
+                    }
+
+                    *p = '\0';
+                    filterP++;
+                    numFilters--;
+
+                    separator = terminator;
+
+                    if (endPos == '\0') {
+                        break;
+                    } else {
+                        endPos++;
+                        *startPos = endPos;
+                        continue;
+                    }
+            }
+            endPos++;
+        }
+
+        *filterP = NULL;
+
+cleanup:
+
+        PKIX_RETURN(INFOACCESS);
+}
+
+/*
+ * FUNCTION: pkix_pl_InfoAccess_ParseLocation
+ * DESCRIPTION:
+ *
+ *  This function parses the GeneralName pointed to by "generalName" into the
+ *  fields of the LDAPRequestParams pointed to by "request" and a domainName
+ *  pointed to by "pDomainName", using the PRArenaPool pointed to by "arena" to
+ *  allocate storage for the request components and for the domainName string.
+ *
+ *  The expected GeneralName string should be in the format described by the
+ *  following BNF:
+ *
+ *  ldap://<ldap-server-site>/[cn=<cname>][,o=<org>][,c=<country>]?
+ *  [caCertificate|crossCertificatPair|certificateRevocationList];
+ *  [binary|<other-type>]
+ *  [[,caCertificate|crossCertificatPair|certificateRevocationList]
+ *   [binary|<other-type>]]*
+ *
+ * PARAMETERS
+ *  "generalName"
+ *      Address of the GeneralName whose LDAPLocation is to be parsed. Must be
+ *      non-NULL.
+ *  "arena"
+ *      Address of PRArenaPool to be used for the domainName and for components
+ *      of the LDAPRequest. Must be non-NULL.
+ *  "request"
+ *      Address of the LDAPRequestParams into which request components are
+ *      stored. Must be non-NULL.
+ *  *pDomainName"
+ *      Address at which the domainName is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an InfoAccess Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_InfoAccess_ParseLocation(
+        PKIX_PL_GeneralName *generalName,
+        PRArenaPool *arena,
+        LDAPRequestParams *request,
+        char **pDomainName,
+        void *plContext)
+{
+        PKIX_PL_String *locationString = NULL;
+        PKIX_UInt32 len = 0;
+        PKIX_UInt32 ncIndex = 0;
+        char *domainName = NULL;
+        char **avaArray = NULL;
+        char **attrArray = NULL;
+        char *attr = NULL;
+        char *locationAscii = NULL;
+        char *startPos = NULL;
+        char *endPos = NULL;
+        char *avaPtr = NULL;
+        LdapAttrMask attrBit = 0;
+        LDAPNameComponent **setOfNameComponent = NULL;
+        LDAPNameComponent *nameComponent = NULL;
+
+        PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseLocation");
+        PKIX_NULLCHECK_FOUR(generalName, arena, request, pDomainName);
+
+        PKIX_TOSTRING(generalName, &locationString, plContext,
+                PKIX_GENERALNAMETOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                (locationString,
+                PKIX_ESCASCII,
+                (void **)&locationAscii,
+                &len,
+                plContext),
+                PKIX_STRINGGETENCODEDFAILED);
+
+#if 0
+        /* For testing inside the firewall... */
+        locationAscii = "ldap://nss.red.iplanet.com:1389/cn=Good%20CA,o="
+                "Test%20Certificates,c=US?caCertificate;binary";
+#endif
+
+        /* Skip "ldap:" */
+        endPos = locationAscii;
+        while (*endPos != ':' && *endPos != '\0') {
+                endPos++;
+        }
+        if (*endPos == '\0') {
+                PKIX_ERROR(PKIX_GENERALNAMESTRINGMISSINGLOCATIONTYPE);
+        }
+
+        /* Skip "//" */
+        endPos++;
+        if (*endPos != '\0' && *(endPos+1) != '0' &&
+            *endPos == '/' && *(endPos+1) == '/') {
+                endPos += 2;
+        } else {
+                PKIX_ERROR(PKIX_GENERALNAMESTRINGMISSINGDOUBLESLASH);
+        }
+
+        /* Get the server-site */
+        startPos = endPos;
+        while(*endPos != '/' && *(endPos) != '\0') {
+                endPos++;
+        }
+        if (*endPos == '\0') {
+                PKIX_ERROR(PKIX_GENERALNAMESTRINGMISSINGSERVERSITE);
+        }
+
+        len = endPos - startPos;
+        endPos++;
+
+        domainName = PORT_ArenaZAlloc(arena, len + 1);
+        if (!domainName) {
+            PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        PORT_Memcpy(domainName, startPos, len);
+
+        domainName[len] = '\0';
+
+        *pDomainName = domainName;
+
+        /*
+         * Get a list of AttrValueAssertions (such as 
+         * "cn=CommonName, o=Organization, c=US" into a null-terminated array
+         */
+        startPos = endPos;
+        PKIX_CHECK(pkix_pl_InfoAccess_ParseTokens
+                (arena,
+                &startPos,
+                (char ***) &avaArray,
+                ',',
+                '?',
+                plContext),
+                PKIX_INFOACCESSPARSETOKENSFAILED);
+
+        /* Count how many AVAs we have */
+        for (len = 0; avaArray[len] != NULL; len++) {}
+
+        if (len < 2) {
+                PKIX_ERROR(PKIX_NOTENOUGHNAMECOMPONENTSINGENERALNAME);
+        }
+
+        /* Use last name component for baseObject */
+        request->baseObject = avaArray[len - 1];
+
+        /* Use only one component for filter. LDAP servers aren't too smart. */
+        len = 2;   /* Eliminate this when servers get smarter. */
+
+        avaArray[len - 1] = NULL;
+
+        /* Get room for null-terminated array of (LdapNameComponent *) */
+        setOfNameComponent = PORT_ArenaZNewArray(arena, LDAPNameComponent *, len);
+        if (setOfNameComponent == NULL) {
+            PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        /* Get room for the remaining LdapNameComponents */
+        nameComponent = PORT_ArenaZNewArray(arena, LDAPNameComponent, --len);
+        if (nameComponent == NULL) {
+            PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        /* Convert remaining AVAs to LDAPNameComponents */
+        for (ncIndex = 0; ncIndex < len; ncIndex ++) {
+                setOfNameComponent[ncIndex] = nameComponent;
+                avaPtr = avaArray[ncIndex];
+                nameComponent->attrType = (unsigned char *)avaPtr;
+                while ((*avaPtr != '=') && (*avaPtr != '\0')) {
+                        avaPtr++;
+                        if (avaPtr == '\0') {
+                                PKIX_ERROR(PKIX_NAMECOMPONENTWITHNOEQ);
+                        }
+                }
+                *(avaPtr++) = '\0';
+                nameComponent->attrValue = (unsigned char *)avaPtr;
+                nameComponent++;
+        }
+
+        setOfNameComponent[len] = NULL;
+        request->nc = setOfNameComponent;
+                
+        /*
+         * Get a list of AttrTypes (such as 
+         * "caCertificate;binary, crossCertificatePair;binary") into
+         * a null-terminated array
+         */
+
+        PKIX_CHECK(pkix_pl_InfoAccess_ParseTokens
+                (arena,
+                (char **) &startPos,
+                (char ***) &attrArray,
+                ',',
+                '\0',
+                plContext),
+                PKIX_INFOACCESSPARSETOKENSFAILED);
+
+        /* Convert array of Attr Types into a bit mask */
+        request->attributes = 0;
+        attr = attrArray[0];
+        while (attr != NULL) {
+                PKIX_CHECK(pkix_pl_LdapRequest_AttrStringToBit
+                        (attr, &attrBit, plContext),
+                        PKIX_LDAPREQUESTATTRSTRINGTOBITFAILED);
+                request->attributes |= attrBit;
+                attr = *(++attrArray);
+        }
+
+cleanup:
+
+        PKIX_PL_Free(locationAscii, plContext);
+        PKIX_DECREF(locationString);
+
+        PKIX_RETURN(INFOACCESS);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
new file mode 100644
index 000000000..735446547
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_infoaccess.h
+ *
+ * InfoAccess Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_INFOACCESS_H
+#define _PKIX_PL_INFOACCESS_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_InfoAccessStruct{
+        PKIX_UInt32 method;
+        PKIX_PL_GeneralName *location;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_InfoAccess_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_InfoAccess_CreateList(
+        CERTAuthInfoAccess **authInfoAccess,
+        PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_InfoAccess_ParseLocation(
+        PKIX_PL_GeneralName *generalName,
+        PRArenaPool *arena,
+        LDAPRequestParams *request,
+        char **pDomainName,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_INFOACCESS_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
new file mode 100644
index 000000000..a0127668b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
@@ -0,0 +1,1307 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_nameconstraints.c
+ *
+ * Name Constraints Object Functions Definitions
+ *
+ */
+
+#include "pkix_pl_nameconstraints.h"
+
+
+/* --Private-NameConstraints-Functions----------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_GetPermitted
+ * DESCRIPTION:
+ *
+ *  This function retrieve name constraints permitted list from NSS
+ *  data in "nameConstraints" and returns a PKIX_PL_GeneralName list
+ *  in "pPermittedList".
+ *
+ * PARAMETERS
+ *  "nameConstraints"
+ *      Address of CertNameConstraints which has a pointer to
+ *      CERTNameConstraints data. Must be non-NULL.
+ *  "pPermittedList"
+ *      Address where returned permitted name list is stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_GetPermitted(
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_List **pPermittedList,
+        void *plContext)
+{
+        CERTNameConstraints *nssNameConstraints = NULL;
+        CERTNameConstraints **nssNameConstraintsList = NULL;
+        CERTNameConstraint *nssPermitted = NULL;
+        CERTNameConstraint *firstPermitted = NULL;
+        PKIX_List *permittedList = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                "pkix_pl_CertNameConstraints_GetPermitted");
+        PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList);
+
+        /*
+         * nssNameConstraints is an array of CERTNameConstraints
+         * pointers where CERTNameConstraints keep its permitted and excluded
+         * lists as pointer array of CERTNameConstraint.
+         */
+
+        if (nameConstraints->permittedList == NULL) {
+
+            PKIX_OBJECT_LOCK(nameConstraints);
+
+            if (nameConstraints->permittedList == NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&permittedList, plContext),
+                        PKIX_LISTCREATEFAILED);
+
+                numItems = nameConstraints->numNssNameConstraints;
+                nssNameConstraintsList =
+                        nameConstraints->nssNameConstraintsList;
+
+                for (i = 0; i < numItems; i++) {
+
+                    PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+                    nssNameConstraints = *(nssNameConstraintsList + i);
+                    PKIX_NULLCHECK_ONE(nssNameConstraints);
+
+                    if (nssNameConstraints->permited != NULL) {
+
+                        nssPermitted = nssNameConstraints->permited;
+                        firstPermitted = nssPermitted;
+
+                        do {
+
+                            PKIX_CHECK(pkix_pl_GeneralName_Create
+                                (&nssPermitted->name, &name, plContext),
+                                PKIX_GENERALNAMECREATEFAILED);
+
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                (permittedList,
+                                (PKIX_PL_Object *)name,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                            PKIX_DECREF(name);
+
+                            PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling CERT_GetNextNameConstraint\n");
+                            nssPermitted = CERT_GetNextNameConstraint
+                                (nssPermitted);
+
+                        } while (nssPermitted != firstPermitted);
+
+                    }
+                }
+
+                PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext),
+                            PKIX_LISTSETIMMUTABLEFAILED);
+
+                nameConstraints->permittedList = permittedList;
+
+            }
+
+            PKIX_OBJECT_UNLOCK(nameConstraints);
+
+        }
+
+        PKIX_INCREF(nameConstraints->permittedList);
+
+        *pPermittedList = nameConstraints->permittedList;
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_GetExcluded
+ * DESCRIPTION:
+ *
+ *  This function retrieve name constraints excluded list from NSS
+ *  data in "nameConstraints" and returns a PKIX_PL_GeneralName list
+ *  in "pExcludedList".
+ *
+ * PARAMETERS
+ *  "nameConstraints"
+ *      Address of CertNameConstraints which has a pointer to NSS data.
+ *      Must be non-NULL.
+ *  "pPermittedList"
+ *      Address where returned excluded name list is stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_GetExcluded(
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_List **pExcludedList,
+        void *plContext)
+{
+        CERTNameConstraints *nssNameConstraints = NULL;
+        CERTNameConstraints **nssNameConstraintsList = NULL;
+        CERTNameConstraint *nssExcluded = NULL;
+        CERTNameConstraint *firstExcluded = NULL;
+        PKIX_List *excludedList = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                "pkix_pl_CertNameConstraints_GetExcluded");
+        PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList);
+
+        if (nameConstraints->excludedList == NULL) {
+
+            PKIX_OBJECT_LOCK(nameConstraints);
+
+            if (nameConstraints->excludedList == NULL) {
+
+                PKIX_CHECK(PKIX_List_Create(&excludedList, plContext),
+                            PKIX_LISTCREATEFAILED);
+
+                numItems = nameConstraints->numNssNameConstraints;
+                nssNameConstraintsList =
+                        nameConstraints->nssNameConstraintsList;
+
+                for (i = 0; i < numItems; i++) {
+
+                    PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+                    nssNameConstraints = *(nssNameConstraintsList + i);
+                    PKIX_NULLCHECK_ONE(nssNameConstraints);
+
+                    if (nssNameConstraints->excluded != NULL) {
+
+                        nssExcluded = nssNameConstraints->excluded;
+                        firstExcluded = nssExcluded;
+
+                        do {
+
+                            PKIX_CHECK(pkix_pl_GeneralName_Create
+                                (&nssExcluded->name, &name, plContext),
+                                PKIX_GENERALNAMECREATEFAILED);
+
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                (excludedList,
+                                (PKIX_PL_Object *)name,
+                                plContext),
+                                PKIX_LISTAPPENDITEMFAILED);
+
+                            PKIX_DECREF(name);
+
+                            PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling CERT_GetNextNameConstraint\n");
+                            nssExcluded = CERT_GetNextNameConstraint
+                                (nssExcluded);
+
+                        } while (nssExcluded != firstExcluded);
+
+                    }
+
+                }
+                PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext),
+                            PKIX_LISTSETIMMUTABLEFAILED);
+
+                nameConstraints->excludedList = excludedList;
+
+            }
+
+            PKIX_OBJECT_UNLOCK(nameConstraints);
+        }
+
+        PKIX_INCREF(nameConstraints->excludedList);
+
+        *pExcludedList = nameConstraints->excludedList;
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
+ * DESCRIPTION:
+ *
+ *  This function checks if CERTGeneral names in "nssSubjectNames" complies
+ *  with the permitted and excluded names in "nameConstraints". It returns
+ *  PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
+ *  permitted list and if the Names are not in the excluded list. Otherwise,
+ *  it returns PKIX_FALSE.
+ *
+ * PARAMETERS
+ *  "nssSubjectNames"
+ *      List of CERTGeneralName that nameConstraints verification is based on.
+ *  "nameConstraints"
+ *      Address of CertNameConstraints that provides lists of permitted
+ *      and excluded names. Must be non-NULL.
+ *  "pCheckPass"
+ *      Address where PKIX_TRUE is returned if the all names in "nameList" are
+ *      valid.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
+        CERTGeneralName *nssSubjectNames,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean *pCheckPass,
+        void *plContext)
+{
+        CERTNameConstraints **nssNameConstraintsList = NULL;
+        CERTNameConstraints *nssNameConstraints = NULL;
+        CERTGeneralName *nssMatchName = NULL;
+        PRArenaPool *arena = NULL;
+        PKIX_UInt32 numItems = 0;
+        PKIX_UInt32 i;
+        SECStatus status = SECSuccess;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                "pkix_pl_CertNameConstraints_CheckNameSpaceNssNames");
+        PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass);
+
+        *pCheckPass = PKIX_TRUE;
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        nssMatchName = nssSubjectNames;
+        nssNameConstraintsList = nameConstraints->nssNameConstraintsList;
+
+        /*
+         * CERTNameConstraint items in each permitted or excluded list
+         * is verified as OR condition. That means, if one item matched,
+         * then the checking on the remaining items on the list is skipped.
+         * (see NSS cert_CompareNameWithConstraints(...)).
+         * Items on PKIX_PL_NameConstraint's nssNameConstraints are verified
+         * as AND condition. PKIX_PL_NameConstraint keeps an array of pointers
+         * of CERTNameConstraints resulting from merging multiple
+         * PKIX_PL_NameConstraints. Since each CERTNameConstraint are created
+         * for different entity, a union condition of these entities then is
+         * performed.
+         */
+
+        do {
+
+            numItems = nameConstraints->numNssNameConstraints;
+
+            for (i = 0; i < numItems; i++) {
+
+                PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+                nssNameConstraints = *(nssNameConstraintsList + i);
+                PKIX_NULLCHECK_ONE(nssNameConstraints);
+
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling CERT_CheckNameSpace\n");
+                status = CERT_CheckNameSpace
+                        (arena, nssNameConstraints, nssMatchName);
+                if (status != SECSuccess) {
+                        break;
+                }
+
+            }
+
+            if (status != SECSuccess) {
+                    break;
+            }
+
+            PKIX_CERTNAMECONSTRAINTS_DEBUG
+                    ("\t\tCalling CERT_GetNextGeneralName\n");
+            nssMatchName = CERT_GetNextGeneralName(nssMatchName);
+
+        } while (nssMatchName != nssSubjectNames);
+
+        if (status == SECFailure) {
+
+                *pCheckPass = PKIX_FALSE;
+        }
+
+cleanup:
+
+        if (arena){
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling PORT_FreeArena).\n");
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_NameConstraints_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType
+                (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+                PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+
+        nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+
+        PKIX_CHECK(PKIX_PL_Free
+                    (nameConstraints->nssNameConstraintsList, plContext),
+                    PKIX_FREEFAILED);
+
+        if (nameConstraints->arena){
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling PORT_FreeArena).\n");
+                PORT_FreeArena(nameConstraints->arena, PR_FALSE);
+                nameConstraints->arena = NULL;
+        }
+
+        PKIX_DECREF(nameConstraints->permittedList);
+        PKIX_DECREF(nameConstraints->excludedList);
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the object
+ *  NameConstraints and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "nameConstraints"
+ *      Address of CertNameConstraints whose string representation is
+ *      desired. Must be non-NULL.
+ *  "pString"
+ *      Address where string object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a
+ *  non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_ToString_Helper(
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        char *asciiFormat = NULL;
+        PKIX_PL_String *formatString = NULL;
+        PKIX_List *permittedList = NULL;
+        PKIX_List *excludedList = NULL;
+        PKIX_PL_String *permittedListString = NULL;
+        PKIX_PL_String *excludedListString = NULL;
+        PKIX_PL_String *nameConstraintsString = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                    "pkix_pl_CertNameConstraints_ToString_Helper");
+        PKIX_NULLCHECK_TWO(nameConstraints, pString);
+
+        asciiFormat =
+                "[\n"
+                "\t\tPermitted Name:  %s\n"
+                "\t\tExcluded Name:   %s\n"
+                "\t]\n";
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    asciiFormat,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+                    (nameConstraints, &permittedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+
+        PKIX_TOSTRING(permittedList, &permittedListString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+                    (nameConstraints, &excludedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+
+        PKIX_TOSTRING(excludedList, &excludedListString, plContext,
+                    PKIX_LISTTOSTRINGFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (&nameConstraintsString,
+                    plContext,
+                    formatString,
+                    permittedListString,
+                    excludedListString),
+                    PKIX_SPRINTFFAILED);
+
+        *pString = nameConstraintsString;
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(permittedList);
+        PKIX_DECREF(excludedList);
+        PKIX_DECREF(permittedListString);
+        PKIX_DECREF(excludedListString);
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *nameConstraintsString = NULL;
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(
+                    object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+
+        nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper
+                    (nameConstraints, &nameConstraintsString, plContext),
+                    PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED);
+
+        *pString = nameConstraintsString;
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        PKIX_List *permittedList = NULL;
+        PKIX_List *excludedList = NULL;
+        PKIX_UInt32 permitHash = 0;
+        PKIX_UInt32 excludeHash = 0;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType
+                    (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+                    PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
+
+        nameConstraints = (PKIX_PL_CertNameConstraints *)object;
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+                    (nameConstraints, &permittedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+
+        PKIX_HASHCODE(permittedList, &permitHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+                    (nameConstraints, &excludedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+
+        PKIX_HASHCODE(excludedList, &excludeHash, plContext,
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        *pHashcode = (((permitHash << 7) + excludeHash) << 7) +
+                nameConstraints->numNssNameConstraints;
+
+cleanup:
+
+        PKIX_DECREF(permittedList);
+        PKIX_DECREF(excludedList);
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *firstNC = NULL;
+        PKIX_PL_CertNameConstraints *secondNC = NULL;
+        PKIX_List *firstPermittedList = NULL;
+        PKIX_List *secondPermittedList = NULL;
+        PKIX_List *firstExcludedList = NULL;
+        PKIX_List *secondExcludedList = NULL;
+        PKIX_UInt32 secondType;
+        PKIX_Boolean cmpResult = PKIX_FALSE;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a CertNameConstraints */
+        PKIX_CHECK(pkix_CheckType
+                (firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS);
+
+        firstNC = (PKIX_PL_CertNameConstraints *)firstObject;
+        secondNC = (PKIX_PL_CertNameConstraints *)secondObject;
+
+        /*
+         * Since we know firstObject is a CertNameConstraints, if both
+         * references are identical, they must be equal
+         */
+        if (firstNC == secondNC){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondNC isn't a CertNameConstraints, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    ((PKIX_PL_Object *)secondNC, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+                    (firstNC, &firstPermittedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
+                    (secondNC, &secondPermittedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
+
+        PKIX_EQUALS
+                (firstPermittedList, secondPermittedList, &cmpResult, plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+                    (firstNC, &firstExcludedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
+                    (secondNC, &secondExcludedList, plContext),
+                    PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
+
+        PKIX_EQUALS
+                (firstExcludedList, secondExcludedList, &cmpResult, plContext,
+                PKIX_OBJECTEQUALSFAILED);
+
+        if (cmpResult != PKIX_TRUE) {
+                goto cleanup;
+        }
+
+        /*
+         * numNssNameConstraints is not checked because it is basically a
+         * merge count, it cannot determine the data equality.
+         */
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_DECREF(firstPermittedList);
+        PKIX_DECREF(secondPermittedList);
+        PKIX_DECREF(firstExcludedList);
+        PKIX_DECREF(secondExcludedList);
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with
+ *  systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_CertNameConstraints_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                    "pkix_pl_CertNameConstraints_RegisterSelf");
+
+        entry.description = "CertNameConstraints";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_CertNameConstraints);
+        entry.destructor = pkix_pl_CertNameConstraints_Destroy;
+        entry.equalsFunction = pkix_pl_CertNameConstraints_Equals;
+        entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode;
+        entry.toStringFunction = pkix_pl_CertNameConstraints_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry;
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_Create_Helper
+ *
+ * DESCRIPTION:
+ *  This function retrieves name constraints in "nssNameConstraints",
+ *  converts and stores the result in a PKIX_PL_CertNameConstraints object.
+ *
+ * PARAMETERS
+ *  "nssNameConstraints"
+ *      Address of CERTNameConstraints that contains this object's data.
+ *      Must be non-NULL.
+ *  "pNameConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *      A NULL value will be returned if there is no Name Constraints extension.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_Create_Helper(
+        CERTNameConstraints *nssNameConstraints,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        CERTNameConstraints **nssNameConstraintPtr = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                    "pkix_pl_CertNameConstraints_Create_Helper");
+        PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_CERTNAMECONSTRAINTS_TYPE,
+                    sizeof (PKIX_PL_CertNameConstraints),
+                    (PKIX_PL_Object **)&nameConstraints,
+                    plContext),
+                    PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT);
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (sizeof (CERTNameConstraint *),
+                    (void *)&nssNameConstraintPtr,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        nameConstraints->numNssNameConstraints = 1;
+        nameConstraints->nssNameConstraintsList = nssNameConstraintPtr;
+        *nssNameConstraintPtr = nssNameConstraints;
+
+        nameConstraints->permittedList = NULL;
+        nameConstraints->excludedList = NULL;
+        nameConstraints->arena = NULL;
+
+        *pNameConstraints = nameConstraints;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(nameConstraints);
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_Create
+ *
+ * DESCRIPTION:
+ *  function that allocates and initialize the object CertNameConstraints.
+ *
+ * PARAMETERS
+ *  "nssCert"
+ *      Address of CERT that contains this object's data.
+ *      Must be non-NULL.
+ *  "pNameConstraints"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *      A NULL value will be returned if there is no Name Constraints extension.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertNameConstraints_Create(
+        CERTCertificate *nssCert,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        CERTNameConstraints *nssNameConstraints = NULL;
+        PLArenaPool *arena = NULL;
+        SECStatus status;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create");
+        PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena);
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                ("\t\tCalling CERT_FindNameConstraintsExten\n");
+        status = CERT_FindNameConstraintsExten
+                (arena, nssCert, &nssNameConstraints);
+
+        if (status != SECSuccess) {
+                PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED);
+        }
+
+        if (nssNameConstraints == NULL) {
+                *pNameConstraints = NULL;
+                if (arena){
+                        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling PORT_FreeArena).\n");
+                        PORT_FreeArena(arena, PR_FALSE);
+                }
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
+                    (nssNameConstraints, &nameConstraints, plContext),
+                    PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
+
+        nameConstraints->arena = arena;
+
+        *pNameConstraints = nameConstraints;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                if (arena){
+                        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling PORT_FreeArena).\n");
+                        PORT_FreeArena(arena, PR_FALSE);
+                }
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge
+ *
+ * DESCRIPTION:
+ *
+ *  This function allocates and creates a PKIX_PL_NameConstraint object
+ *  for merging. It also allocates CERTNameConstraints data space for the
+ *  merged NSS NameConstraints data.
+ *
+ * PARAMETERS
+ *  "pNameConstraints"
+ *      Address where object pointer will be stored and returned.
+ *      Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_CreateByMerge(
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        CERTNameConstraints *nssNameConstraints = NULL;
+        PLArenaPool *arena = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                    "pkix_pl_CertNameConstraints_CreateByMerge");
+        PKIX_NULLCHECK_ONE(pNameConstraints);
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
+        nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
+        if (nssNameConstraints == NULL) {
+                PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        nssNameConstraints->permited = NULL;
+        nssNameConstraints->excluded = NULL;
+        nssNameConstraints->DERPermited = NULL;
+        nssNameConstraints->DERExcluded = NULL;
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
+                    (nssNameConstraints, &nameConstraints, plContext),
+                    PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
+
+        nameConstraints->arena = arena;
+
+        *pNameConstraints = nameConstraints;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                if (arena){
+                        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling PORT_FreeArena).\n");
+                        PORT_FreeArena(arena, PR_FALSE);
+                }
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints
+ *
+ * DESCRIPTION:
+ *
+ *  This function allocates and copies data to a NSS CERTNameConstraints from
+ *  the NameConstraints given by "srcNC" and stores the result at "pDestNC". It
+ *  copies items on both the permitted and excluded lists, but not the
+ *  DERPermited and DERExcluded.
+ *
+ * PARAMETERS
+ *  "arena"
+ *      Memory pool where object data is allocated from. Must be non-NULL.
+ *  "srcNC"
+ *      Address of the NameConstraints to copy from. Must be non-NULL.
+ *  "pDestNC"
+ *      Address where new copied object is stored and returned.
+ *      Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_CertNameConstraints_CopyNssNameConstraints(
+        PLArenaPool *arena,
+        CERTNameConstraints *srcNC,
+        CERTNameConstraints **pDestNC,
+        void *plContext)
+{
+        CERTNameConstraints *nssNameConstraints = NULL;
+        CERTNameConstraint *nssNameConstraintHead = NULL;
+        CERTNameConstraint *nssCurrent = NULL;
+        CERTNameConstraint *nssCopyTo = NULL;
+        CERTNameConstraint *nssCopyFrom = NULL;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                    "pkix_pl_CertNameConstraints_CopyNssNameConstraints");
+        PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC);
+
+        PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
+        nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
+        if (nssNameConstraints == NULL) {
+                PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+        }
+
+        if (srcNC->permited) {
+
+            nssCopyFrom = srcNC->permited;
+
+            do {
+
+                nssCopyTo = NULL;
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling CERT_CopyNameConstraint).\n");
+                nssCopyTo = CERT_CopyNameConstraint
+                        (arena, nssCopyTo, nssCopyFrom);
+                if (nssCopyTo == NULL) {
+                        PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
+                }
+                if (nssCurrent == NULL) {
+                        nssCurrent = nssNameConstraintHead = nssCopyTo;
+                } else {
+                        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling CERT_AddNameConstraint).\n");
+                        nssCurrent = CERT_AddNameConstraint
+                                (nssCurrent, nssCopyTo);
+                }
+
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling CERT_GetNextNameConstrain).\n");
+                nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
+
+            } while (nssCopyFrom != srcNC->permited);
+
+            nssNameConstraints->permited = nssNameConstraintHead;
+        }
+
+        if (srcNC->excluded) {
+
+            nssCurrent = NULL;
+            nssCopyFrom = srcNC->excluded;
+
+            do {
+
+                /*
+                 * Cannot use CERT_DupGeneralNameList, which just increments
+                 * refcount. We need our own copy since arena is for each
+                 * PKIX_PL_NameConstraints. Perhaps contribute this code
+                 * as CERT_CopyGeneralNameList (in the future).
+                 */
+                nssCopyTo = NULL;
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling CERT_CopyNameConstraint).\n");
+                nssCopyTo = CERT_CopyNameConstraint
+                        (arena, nssCopyTo, nssCopyFrom);
+                if (nssCopyTo == NULL) {
+                        PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
+                }
+                if (nssCurrent == NULL) {
+                        nssCurrent = nssNameConstraintHead = nssCopyTo;
+                } else {
+                        PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling CERT_AddNameConstraint).\n");
+                        nssCurrent = CERT_AddNameConstraint
+                                (nssCurrent, nssCopyTo);
+                }
+
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling CERT_GetNextNameConstrain).\n");
+                nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
+
+            } while (nssCopyFrom != srcNC->excluded);
+
+            nssNameConstraints->excluded = nssNameConstraintHead;
+        }
+
+        *pDestNC = nssNameConstraints;
+
+cleanup:
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/*
+ * FUNCTION: pkix_pl_CertNameConstraints_Merge
+ *
+ * DESCRIPTION:
+ *
+ *  This function merges two NameConstraints pointed to by "firstNC" and
+ *  "secondNC" and stores the result in "pMergedNC".
+ *
+ * PARAMETERS
+ *  "firstNC"
+ *      Address of the first NameConstraints to be merged. Must be non-NULL.
+ *  "secondNC"
+ *      Address of the second NameConstraints to be merged. Must be non-NULL.
+ *  "pMergedNC"
+ *      Address where the merge result is stored and returned. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a NameConstraints Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_CertNameConstraints_Merge(
+        PKIX_PL_CertNameConstraints *firstNC,
+        PKIX_PL_CertNameConstraints *secondNC,
+        PKIX_PL_CertNameConstraints **pMergedNC,
+        void *plContext)
+{
+        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+        CERTNameConstraints **nssNCto = NULL;
+        CERTNameConstraints **nssNCfrom = NULL;
+        CERTNameConstraints *nssNameConstraints = NULL;
+        PKIX_UInt32 numNssItems = 0;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge");
+        PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC);
+
+        PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge
+                    (&nameConstraints, plContext),
+                    PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED);
+
+        /* Merge NSSCertConstraint lists */
+
+        numNssItems = firstNC->numNssNameConstraints +
+                    secondNC->numNssNameConstraints;
+
+        /* Free the default space (only one entry) allocated by create */
+        PKIX_CHECK(PKIX_PL_Free
+                    (nameConstraints->nssNameConstraintsList, plContext),
+                    PKIX_FREEFAILED);
+
+        /* Reallocate the size we need */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (numNssItems * sizeof (CERTNameConstraint *),
+                    (void *)&nssNCto,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        nameConstraints->nssNameConstraintsList = nssNCto;
+
+        nssNCfrom = firstNC->nssNameConstraintsList;
+
+        for (i = 0; i < firstNC->numNssNameConstraints; i++) {
+
+                PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
+                        (nameConstraints->arena,
+                        *nssNCfrom,
+                        &nssNameConstraints,
+                        plContext),
+                        PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
+
+                *nssNCto = nssNameConstraints;
+
+                nssNCto++;
+                nssNCfrom++;
+        }
+
+        nssNCfrom = secondNC->nssNameConstraintsList;
+
+        for (i = 0; i < secondNC->numNssNameConstraints; i++) {
+
+                PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
+                        (nameConstraints->arena,
+                        *nssNCfrom,
+                        &nssNameConstraints,
+                        plContext),
+                        PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
+
+                *nssNCto = nssNameConstraints;
+
+                nssNCto++;
+                nssNCfrom++;
+        }
+
+        nameConstraints->numNssNameConstraints = numNssItems;
+        nameConstraints->permittedList = NULL;
+        nameConstraints->excludedList = NULL;
+
+        *pMergedNC = nameConstraints;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(nameConstraints);
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
+
+/* --Public-NameConstraints-Functions-------------------------------- */
+
+/*
+ * FUNCTION:  PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
+ * (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
+        PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean *pCheckPass,
+        void *plContext)
+{
+        CERTNameConstraints **nssNameConstraintsList = NULL;
+        CERTNameConstraints *nssNameConstraints = NULL;
+        CERTGeneralName *nssMatchName = NULL;
+        PRArenaPool *arena = NULL;
+        PKIX_PL_GeneralName *name = NULL;
+        PKIX_UInt32 numNameItems = 0;
+        PKIX_UInt32 numNCItems = 0;
+        PKIX_UInt32 i, j;
+        SECStatus status = SECSuccess;
+
+        PKIX_ENTER(CERTNAMECONSTRAINTS,
+                "PKIX_PL_CertNameConstraints_CheckNamesInNameSpace");
+        PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass);
+
+        *pCheckPass = PKIX_TRUE;
+
+        if (nameList != NULL) {
+
+                PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                nssNameConstraintsList =
+                        nameConstraints->nssNameConstraintsList;
+                PKIX_NULLCHECK_ONE(nssNameConstraintsList);
+                numNCItems = nameConstraints->numNssNameConstraints;
+
+                PKIX_CHECK(PKIX_List_GetLength
+                        (nameList, &numNameItems, plContext),
+                        PKIX_LISTGETLENGTHFAILED);
+
+                for (i = 0; i < numNameItems; i++) {
+
+                        PKIX_CHECK(PKIX_List_GetItem
+                                (nameList,
+                                i,
+                                (PKIX_PL_Object **) &name,
+                                plContext),
+                                PKIX_LISTGETITEMFAILED);
+
+                        PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName
+                                (name, &nssMatchName, plContext),
+                                PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED);
+
+                        PKIX_DECREF(name);
+
+                        for (j = 0; j < numNCItems; j++) {
+
+                            nssNameConstraints = *(nssNameConstraintsList + j);
+                            PKIX_NULLCHECK_ONE(nssNameConstraints);
+
+                            PKIX_CERTNAMECONSTRAINTS_DEBUG
+                                ("\t\tCalling CERT_CheckNameSpace\n");
+                            status = CERT_CheckNameSpace
+                                (arena, nssNameConstraints, nssMatchName);
+                            if (status != SECSuccess) {
+                                break;
+                            }
+
+                        }
+
+                        if (status != SECSuccess) {
+                            break;
+                        }
+
+                }
+        }
+
+        if (status == SECFailure) {
+                *pCheckPass = PKIX_FALSE;
+        }
+
+cleanup:
+
+        if (arena){
+                PKIX_CERTNAMECONSTRAINTS_DEBUG
+                        ("\t\tCalling PORT_FreeArena).\n");
+                PORT_FreeArena(arena, PR_FALSE);
+        }
+
+        PKIX_RETURN(CERTNAMECONSTRAINTS);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.h
new file mode 100644
index 000000000..92e4a3d25
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.h
@@ -0,0 +1,101 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_nameconstraints.h
+ *
+ * Name Constraints Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_NAMECONSTRAINTS_H
+#define _PKIX_PL_NAMECONSTRAINTS_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_CertNameConstraintsStruct {
+        PLArenaPool *arena;
+        CERTNameConstraints **nssNameConstraintsList;
+        PKIX_UInt32 numNssNameConstraints;
+        PKIX_List *permittedList; /* list of PKIX_PL_GeneralName */
+        PKIX_List *excludedList; /* list of PKIX_PL_GeneralName */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_CertNameConstraints_RegisterSelf(void *plContext);
+
+PKIX_Error *pkix_pl_CertNameConstraints_Create(
+        CERTCertificate *nssCert,
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertNameConstraints_CreateWithNames(
+        PKIX_List *names, /* List of PKIX_PL_GeneralName */
+        PKIX_PL_CertNameConstraints **pNameConstraints,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
+        CERTGeneralName *nssSubjectNames,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean *pCheckPass,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_CertNameConstraints_CheckNameSpacePkixNames(
+        PKIX_List *nameList,
+        PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean *pCheckPass,
+        void *plContext);
+
+
+PKIX_Error *pkix_pl_CertNameConstraints_Merge(
+        PKIX_PL_CertNameConstraints *firstNC,
+        PKIX_PL_CertNameConstraints *secondNC,
+        PKIX_PL_CertNameConstraints **pMergedNC,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_NAMECONSTRAINTS_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c
new file mode 100644
index 000000000..452d0a240
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c
@@ -0,0 +1,283 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Red Hat, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocspcertid.c
+ *
+ * Certificate ID Object for OCSP
+ *
+ */
+
+#include "pkix_pl_ocspcertid.h"
+
+/* --Private-Cert-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OcspCertID_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspCertID_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_OcspCertID *certID = NULL;
+
+        PKIX_ENTER(OCSPCERTID, "pkix_pl_OcspCertID_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPCERTID_TYPE, plContext),
+                    PKIX_OBJECTNOTOCSPCERTID);
+
+        certID = (PKIX_PL_OcspCertID *)object;
+
+        if (certID->certID) {
+                CERT_DestroyOCSPCertID(certID->certID);
+        }
+
+cleanup:
+
+        PKIX_RETURN(OCSPCERTID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspCertID_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_PUBLICKEY_TYPE and its related functions 
+ *  with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_OcspCertID_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(OCSPCERTID, "pkix_pl_OcspCertID_RegisterSelf");
+
+        entry.description = "OcspCertID";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_OcspCertID);
+        entry.destructor = pkix_pl_OcspCertID_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+        systemClasses[PKIX_OCSPCERTID_TYPE] = entry;
+
+        PKIX_RETURN(OCSPCERTID);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_OcspCertID_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an OcspCertID for a given certificate,
+ *  to be used with OCSP transactions.
+ *
+ *  If a Date is provided in "validity" it may be used in the search for the
+ *  issuer of "cert" but has no effect on the request itself.
+ *
+ * PARAMETERS:
+ *  "cert"
+ *     Address of the Cert for which an OcspCertID is to be created. Must be
+ *     non-NULL.
+ *  "validity"
+ *     Address of the Date for which the Cert's validity is to be determined.
+ *     May be NULL.
+ *  "object"
+ *     Address at which the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspCertID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OcspCertID_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date *validity,
+        PKIX_PL_OcspCertID **object,
+        void *plContext)
+{
+        PKIX_PL_OcspCertID *cid = NULL;
+        int64 time = 0;
+
+        PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_Create");
+        PKIX_NULLCHECK_TWO(cert, object);
+    
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_OCSPCERTID_TYPE,
+                    sizeof (PKIX_PL_OcspCertID),
+                    (PKIX_PL_Object **)&cid,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        if (validity != NULL) {
+                PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext),
+                        PKIX_DATEGETPRTIMEFAILED);
+        } else {
+                time = PR_Now();
+        }
+
+        cid->certID = CERT_CreateOCSPCertID(cert->nssCert, time);
+        if (!cid->certID) {
+                PKIX_ERROR(PKIX_COULDNOTCREATEOBJECT);
+        }
+
+        *object = cid;
+        cid = NULL;
+cleanup:
+        PKIX_DECREF(cid);
+        PKIX_RETURN(OCSPCERTID);
+}
+
+/*
+ * FUNCTION: PKIX_PL_OcspCertID_GetFreshCacheStatus
+ * DESCRIPTION:
+ *
+ *  This function may return cached OCSP results for the provided
+ *  certificate, but only if stored information is still considered to be
+ *  fresh.
+ *
+ * PARAMETERS
+ *  "cid"
+ *      A certificate ID as used by OCSP
+ *  "validity"
+ *      Optional date parameter to request validity for a specifc time.
+ *  "hasFreshStatus"
+ *      Output parameter, if the function successed to find fresh cached
+ *      information, this will be set to true. Must be non-NULL.
+ *  "statusIsGood"
+ *      The good/bad result stored in the cache. Must be non-NULL.
+ *  "missingResponseError"
+ *      If OCSP status is "bad", this variable may indicate the exact
+ *      reason why the previous OCSP request had failed.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspCertID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OcspCertID_GetFreshCacheStatus(
+        PKIX_PL_OcspCertID *cid, 
+        PKIX_PL_Date *validity,
+        PKIX_Boolean *hasFreshStatus,
+        PKIX_Boolean *statusIsGood,
+        SECErrorCodes *missingResponseError,
+        void *plContext)
+{
+        int64 time = 0;
+        SECStatus rv;
+        SECStatus rvOcsp;
+
+        PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_GetFreshCacheStatus");
+        PKIX_NULLCHECK_THREE(cid, hasFreshStatus, statusIsGood);
+
+        if (validity != NULL) {
+                PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext),
+                        PKIX_DATEGETPRTIMEFAILED);
+        } else {
+                time = PR_Now();
+        }
+
+        rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+                cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/
+                &rvOcsp, missingResponseError);
+
+        *hasFreshStatus = (rv == SECSuccess);
+        if (*hasFreshStatus) {
+                *statusIsGood = (rvOcsp == SECSuccess);
+        }
+cleanup:
+        PKIX_RETURN(OCSPCERTID);
+}
+
+/*
+ * FUNCTION: PKIX_PL_OcspCertID_RememberOCSPProcessingFailure
+ * DESCRIPTION:
+ *
+ *  Information about the current failure associated to the given certID
+ *  will be remembered in the cache, potentially allowing future calls
+ *  to prevent repetitive OCSP requests.
+ *  After this function got called, it may no longer be safe to
+ *  use the provided cid parameter, because ownership might have been
+ *  transfered to the cache. This status will be recorded inside the
+ *  cid object.
+ *
+ * PARAMETERS
+ *  "cid"
+ *      The certificate ID associated to a failed OCSP processing.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspCertID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+        PKIX_PL_OcspCertID *cid, 
+        void *plContext)
+{
+        PRBool certIDWasConsumed = PR_FALSE;
+
+        PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_RememberOCSPProcessingFailure");
+        PKIX_NULLCHECK_TWO(cid, cid->certID);
+
+        cert_RememberOCSPProcessingFailure(cid->certID, &certIDWasConsumed);
+
+        if (certIDWasConsumed) {
+                cid->certID = NULL;
+        }
+
+        PKIX_RETURN(OCSPCERTID);
+}
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h
new file mode 100644
index 000000000..d36b19493
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h
@@ -0,0 +1,86 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2008 Red Hat, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Red Hat, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocspcertid.h
+ *
+ * Public Key Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_OCSPCERTID_H
+#define _PKIX_PL_OCSPCERTID_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_OcspCertIDStruct {
+        CERTOCSPCertID *certID;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext);
+
+PKIX_Error *
+PKIX_PL_OcspCertID_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_Date *validity,
+        PKIX_PL_OcspCertID **object,
+        void *plContext);
+
+PKIX_Error *
+PKIX_PL_OcspCertID_GetFreshCacheStatus(
+        PKIX_PL_OcspCertID *cid, 
+        PKIX_PL_Date *validity,
+        PKIX_Boolean *hasFreshStatus,
+        PKIX_Boolean *statusIsGood,
+        SECErrorCodes *missingResponseError,
+        void *plContext);
+
+PKIX_Error *
+PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+        PKIX_PL_OcspCertID *cid, 
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_OCSPCERTID_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
new file mode 100644
index 000000000..0ab8e5d48
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
@@ -0,0 +1,467 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocsprequest.c
+ *
+ */
+
+#include "pkix_pl_ocsprequest.h"
+
+/* --Private-OcspRequest-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspRequest_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_OcspRequest *ocspReq = NULL;
+
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPREQUEST_TYPE, plContext),
+                    PKIX_OBJECTNOTOCSPREQUEST);
+
+        ocspReq = (PKIX_PL_OcspRequest *)object;
+
+        if (ocspReq->decoded != NULL) {
+                CERT_DestroyOCSPRequest(ocspReq->decoded);
+        }
+
+        if (ocspReq->encoded != NULL) {
+                SECITEM_FreeItem(ocspReq->encoded, PR_TRUE);
+        }
+
+        if (ocspReq->location != NULL) {
+                PORT_Free(ocspReq->location);
+        }
+
+        PKIX_DECREF(ocspReq->cert);
+        PKIX_DECREF(ocspReq->validity);
+        PKIX_DECREF(ocspReq->signerCert);
+
+cleanup:
+
+        PKIX_RETURN(OCSPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspRequest_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_UInt32 certHash = 0;
+        PKIX_UInt32 dateHash = 0;
+        PKIX_UInt32 extensionHash = 0;
+        PKIX_UInt32 signerHash = 0;
+        PKIX_PL_OcspRequest *ocspRq = NULL;
+
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPREQUEST_TYPE, plContext),
+                    PKIX_OBJECTNOTOCSPREQUEST);
+
+        ocspRq = (PKIX_PL_OcspRequest *)object;
+
+        *pHashcode = 0;
+
+        PKIX_HASHCODE(ocspRq->cert, &certHash, plContext,
+                PKIX_CERTHASHCODEFAILED);
+
+        PKIX_HASHCODE(ocspRq->validity, &dateHash, plContext,
+                PKIX_DATEHASHCODEFAILED);
+
+        if (ocspRq->addServiceLocator == PKIX_TRUE) {
+                extensionHash = 0xff;
+        }
+
+        PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
+                PKIX_CERTHASHCODEFAILED);
+
+        *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
+                dateHash) << 8) || signerHash;
+
+cleanup:
+
+        PKIX_RETURN(OCSPREQUEST);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspRequest_Equals(
+        PKIX_PL_Object *firstObj,
+        PKIX_PL_Object *secondObj,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_Boolean match = PKIX_FALSE;
+        PKIX_UInt32 secondType = 0;
+        PKIX_PL_OcspRequest *firstReq = NULL;
+        PKIX_PL_OcspRequest *secondReq = NULL;
+
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_Equals");
+        PKIX_NULLCHECK_THREE(firstObj, secondObj, pResult);
+
+        /* test that firstObj is a OcspRequest */
+        PKIX_CHECK(pkix_CheckType(firstObj, PKIX_OCSPREQUEST_TYPE, plContext),
+                    PKIX_FIRSTOBJARGUMENTNOTOCSPREQUEST);
+
+        /*
+         * Since we know firstObj is a OcspRequest, if both references are
+         * identical, they must be equal
+         */
+        if (firstObj == secondObj){
+                match = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObj isn't a OcspRequest, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObj, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_OCSPREQUEST_TYPE) {
+                goto cleanup;
+        }
+
+        firstReq = (PKIX_PL_OcspRequest *)firstObj;
+        secondReq = (PKIX_PL_OcspRequest *)secondObj;
+
+        if (firstReq->addServiceLocator != secondReq->addServiceLocator) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS(firstReq->cert, secondReq->cert, &match, plContext,
+                PKIX_CERTEQUALSFAILED);
+
+        if (match == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS(firstReq->validity, secondReq->validity, &match, plContext,
+                PKIX_DATEEQUALSFAILED);
+
+        if (match == PKIX_FALSE) {
+                goto cleanup;
+        }
+
+        PKIX_EQUALS
+                (firstReq->signerCert, secondReq->signerCert, &match, plContext,
+                PKIX_CERTEQUALSFAILED);
+
+cleanup:
+
+        *pResult = match;
+
+        PKIX_RETURN(OCSPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_OCSPREQUEST_TYPE and its related functions with
+ *  systemClasses[]
+ * PARAMETERS:
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_OcspRequest_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_RegisterSelf");
+
+        entry.description = "OcspRequest";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_OcspRequest);
+        entry.destructor = pkix_pl_OcspRequest_Destroy;
+        entry.equalsFunction = pkix_pl_OcspRequest_Equals;
+        entry.hashcodeFunction = pkix_pl_OcspRequest_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_OCSPREQUEST_TYPE] = entry;
+
+        PKIX_RETURN(OCSPREQUEST);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_Create
+ * DESCRIPTION:
+ *
+ *  This function creates an OcspRequest to be used in validating the Cert
+ *  pointed to by "cert" and storing the result at "pRequest". If a URI
+ *  is found for an OCSP responder, PKIX_TRUE is stored at "pURIFound". If no
+ *  URI is found, PKIX_FALSE is stored.
+ *
+ *  If a Date is provided in "validity" it may be used in the search for the
+ *  issuer of "cert" but has no effect on the request itself. If
+ *  "addServiceLocator" is TRUE, the AddServiceLocator extension will be
+ *  included in the Request. If "signerCert" is provided it will be used to sign
+ *  the Request. (Note: this signed request feature is not currently supported.)
+ *
+ * PARAMETERS:
+ *  "cert"
+ *     Address of the Cert for which an OcspRequest is to be created. Must be
+ *     non-NULL.
+ *  "validity"
+ *     Address of the Date for which the Cert's validity is to be determined.
+ *     May be NULL.
+ *  "signerCert"
+ *     Address of the Cert to be used, if present, in signing the request.
+ *     May be NULL.
+ *  "pRequest"
+ *     Address at which the result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspRequest Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspRequest_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_OcspCertID *cid,
+        PKIX_PL_Date *validity,
+        PKIX_PL_Cert *signerCert,
+        PKIX_Boolean *pURIFound,
+        PKIX_PL_OcspRequest **pRequest,
+        void *plContext)
+{
+        PKIX_PL_OcspRequest *ocspRequest = NULL;
+
+        CERTCertDBHandle *handle = NULL;
+        SECStatus rv = SECFailure;
+        SECItem *encoding = NULL;
+        CERTOCSPRequest *certRequest = NULL;
+        int64 time = 0;
+        PRBool addServiceLocatorExtension = PR_FALSE;
+        CERTCertificate *nssCert = NULL;
+        CERTCertificate *nssSignerCert = NULL;
+        char *location = NULL;
+        PRErrorCode locError = 0;
+
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_Create");
+        PKIX_NULLCHECK_TWO(cert, pRequest);
+
+        /* create a PKIX_PL_OcspRequest object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_OCSPREQUEST_TYPE,
+                    sizeof (PKIX_PL_OcspRequest),
+                    (PKIX_PL_Object **)&ocspRequest,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        PKIX_INCREF(cert);
+        ocspRequest->cert = cert;
+
+        PKIX_INCREF(validity);
+        ocspRequest->validity = validity;
+
+        PKIX_INCREF(signerCert);
+        ocspRequest->signerCert = signerCert;
+
+        ocspRequest->decoded = NULL;
+        ocspRequest->encoded = NULL;
+
+        ocspRequest->location = NULL;
+
+        nssCert = cert->nssCert;
+
+        /*
+         * Does this Cert have an Authority Information Access extension with
+         * the URI of an OCSP responder?
+         */
+        handle = CERT_GetDefaultCertDB();
+        location = ocsp_GetResponderLocation(handle, nssCert,
+                                             &addServiceLocatorExtension);
+        if (location == NULL) {
+                locError = PORT_GetError();
+                if (locError == SEC_ERROR_EXTENSION_NOT_FOUND ||
+                    locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+                    PORT_SetError(0);
+                    *pURIFound = PKIX_FALSE;
+                    goto cleanup;
+                }
+                PKIX_ERROR(PKIX_ERRORFINDINGORPROCESSINGURI);
+        }
+
+        ocspRequest->location = location;
+        *pURIFound = PKIX_TRUE;
+
+        if (signerCert != NULL) {
+                nssSignerCert = signerCert->nssCert;
+        }
+
+        if (validity != NULL) {
+		PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext),
+			PKIX_DATEGETPRTIMEFAILED);
+        } else {
+                time = PR_Now();
+	}
+
+        certRequest = cert_CreateSingleCertOCSPRequest(
+                cid->certID, cert->nssCert, time, 
+                addServiceLocatorExtension, nssSignerCert);
+
+        ocspRequest->decoded = certRequest;
+
+        if (certRequest == NULL) {
+                PKIX_ERROR(PKIX_UNABLETOCREATECERTOCSPREQUEST);
+        }
+
+        rv = CERT_AddOCSPAcceptableResponses(
+                certRequest, SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+
+        if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_UNABLETOADDACCEPTABLERESPONSESTOREQUEST);
+        }
+
+        encoding = CERT_EncodeOCSPRequest(NULL, certRequest, NULL);
+
+        ocspRequest->encoded = encoding;
+
+        *pRequest = ocspRequest;
+        ocspRequest = NULL;
+
+cleanup:
+        PKIX_DECREF(ocspRequest);
+
+        PKIX_RETURN(OCSPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_GetEncoded
+ * DESCRIPTION:
+ *
+ *  This function obtains the encoded message from the OcspRequest pointed to
+ *  by "request", storing the result at "pRequest".
+ *
+ * PARAMETERS
+ *  "request"
+ *      The address of the OcspRequest whose encoded message is to be
+ *      retrieved. Must be non-NULL.
+ *  "pRequest"
+ *      The address at which is stored the address of the encoded message. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspRequest_GetEncoded(
+        PKIX_PL_OcspRequest *request,
+        SECItem **pRequest,
+        void *plContext)
+{
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_GetEncoded");
+        PKIX_NULLCHECK_TWO(request, pRequest);
+
+        *pRequest = request->encoded;
+
+        PKIX_RETURN(OCSPREQUEST);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspRequest_GetLocation
+ * DESCRIPTION:
+ *
+ *  This function obtains the location from the OcspRequest pointed to
+ *  by "request", storing the result at "pLocation".
+ *
+ * PARAMETERS
+ *  "request"
+ *      The address of the OcspRequest whose encoded message is to be
+ *      retrieved. Must be non-NULL.
+ *  "pLocation"
+ *      The address at which is stored the address of the location. Must
+ *      be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspRequest_GetLocation(
+        PKIX_PL_OcspRequest *request,
+        char **pLocation,
+        void *plContext)
+{
+        PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_GetLocation");
+        PKIX_NULLCHECK_TWO(request, pLocation);
+
+        *pLocation = request->location;
+
+        PKIX_RETURN(OCSPREQUEST);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
new file mode 100644
index 000000000..573c8240c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h
@@ -0,0 +1,93 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocsprequest.h
+ *
+ * OcspRequest Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_OCSPREQUEST_H
+#define _PKIX_PL_OCSPREQUEST_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_OcspRequestStruct{
+        PKIX_PL_Cert *cert;
+        PKIX_PL_Date *validity;
+        PKIX_Boolean addServiceLocator;
+        PKIX_PL_Cert *signerCert;
+        CERTOCSPRequest *decoded;
+        SECItem *encoded;
+        char *location;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_OcspRequest_Create(
+        PKIX_PL_Cert *cert,
+        PKIX_PL_OcspCertID *cid,
+        PKIX_PL_Date *validity,
+        PKIX_PL_Cert *signerCert,
+        PKIX_Boolean *pURIFound,
+        PKIX_PL_OcspRequest **pRequest,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspRequest_GetEncoded(
+        PKIX_PL_OcspRequest *request,
+        SECItem **pRequest,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_OcspRequest_GetLocation(
+        PKIX_PL_OcspRequest *request,
+        char **pLocation,
+        void *plContext);
+
+PKIX_Error *pkix_pl_OcspRequest_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_OCSPREQUEST_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
new file mode 100644
index 000000000..5f178ce1b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
@@ -0,0 +1,1037 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocspresponse.c
+ *
+ */
+
+#include "pkix_pl_ocspresponse.h"
+
+/* ----Public functions------------------------------------- */
+/*
+ * This is the libpkix replacement for CERT_VerifyOCSPResponseSignature.
+ * It is used if it has been set as the verifyFcn member of ocspChecker.
+ */
+PKIX_Error *
+PKIX_PL_OcspResponse_UseBuildChain(
+        PKIX_PL_Cert *signerCert,
+	PKIX_PL_Date *producedAt,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        void **pState,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyTree,
+	void *plContext)
+{
+        PKIX_ProcessingParams *caProcParams = NULL;
+        PKIX_PL_Date *date = NULL;
+        PKIX_ComCertSelParams *certSelParams = NULL;
+        PKIX_CertSelector *certSelector = NULL;
+        void *nbioContext = NULL;
+        PKIX_Error *buildError = NULL;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_OcspResponse_UseBuildChain");
+        PKIX_NULLCHECK_THREE(signerCert, producedAt, procParams);
+        PKIX_NULLCHECK_THREE(pNBIOContext, pState, pBuildResult);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        /* Are we resuming after a WOULDBLOCK return, or starting anew ? */
+        if (nbioContext == NULL) {
+                /* Starting anew */
+		PKIX_CHECK(PKIX_PL_Object_Duplicate
+                        ((PKIX_PL_Object *)procParams,
+                        (PKIX_PL_Object **)&caProcParams,
+                        plContext),
+        	        PKIX_OBJECTDUPLICATEFAILED);
+
+		PKIX_CHECK(PKIX_ProcessingParams_SetDate(procParams, date, plContext),
+	                PKIX_PROCESSINGPARAMSSETDATEFAILED);
+
+	        /* create CertSelector with target certificate in params */
+
+		PKIX_CHECK(PKIX_CertSelector_Create
+	                (NULL, NULL, &certSelector, plContext),
+	                PKIX_CERTSELECTORCREATEFAILED);
+
+		PKIX_CHECK(PKIX_ComCertSelParams_Create
+	                (&certSelParams, plContext),
+	                PKIX_COMCERTSELPARAMSCREATEFAILED);
+
+	        PKIX_CHECK(PKIX_ComCertSelParams_SetCertificate
+        	        (certSelParams, signerCert, plContext),
+                	PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
+
+	        PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
+	                (certSelector, certSelParams, plContext),
+	                PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+
+	        PKIX_CHECK(PKIX_ProcessingParams_SetTargetCertConstraints
+        	        (caProcParams, certSelector, plContext),
+                	PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
+	}
+
+        buildError = PKIX_BuildChain
+                (caProcParams,
+                &nbioContext,
+                pState,
+                pBuildResult,
+		pVerifyTree,
+                plContext);
+
+        /* non-null nbioContext means the build would block */
+        if (nbioContext != NULL) {
+
+                *pNBIOContext = nbioContext;
+
+        /* no buildResult means the build has failed */
+        } else if (buildError) {
+                pkixErrorResult = buildError;
+                buildError = NULL;
+        } else {
+                PKIX_DECREF(*pState);
+        }
+
+cleanup:
+
+        PKIX_DECREF(caProcParams);
+        PKIX_DECREF(date);
+        PKIX_DECREF(certSelParams);
+        PKIX_DECREF(certSelector);
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/* --Private-OcspResponse-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspResponse_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_OcspResponse *ocspRsp = NULL;
+        const SEC_HttpClientFcn *httpClient = NULL;
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
+                    PKIX_OBJECTNOTANOCSPRESPONSE);
+
+        ocspRsp = (PKIX_PL_OcspResponse *)object;
+
+        if (ocspRsp->nssOCSPResponse != NULL) {
+                CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);
+                ocspRsp->nssOCSPResponse = NULL;
+        }
+
+        if (ocspRsp->signerCert != NULL) {
+                CERT_DestroyCertificate(ocspRsp->signerCert);
+                ocspRsp->signerCert = NULL;
+        }
+
+        httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);
+
+        if (httpClient && (httpClient->version == 1)) {
+
+                hcv1 = &(httpClient->fcnTable.ftable1);
+
+                if (ocspRsp->requestSession != NULL) {
+                        hcv1->freeFcn(ocspRsp->requestSession);
+                        ocspRsp->requestSession = NULL;
+                }
+
+                if (ocspRsp->serverSession != NULL) {
+                        hcv1->freeSessionFcn(ocspRsp->serverSession);
+                        ocspRsp->serverSession = NULL;
+                }
+        }
+
+        if (ocspRsp->arena != NULL) {
+                PORT_FreeArena(ocspRsp->arena, PR_FALSE);
+                ocspRsp->arena = NULL;
+        }
+
+	PKIX_DECREF(ocspRsp->producedAtDate);
+	PKIX_DECREF(ocspRsp->pkixSignerCert);
+	PKIX_DECREF(ocspRsp->request);
+
+cleanup:
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspResponse_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_OcspResponse *ocspRsp = NULL;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
+                    PKIX_OBJECTNOTANOCSPRESPONSE);
+
+        ocspRsp = (PKIX_PL_OcspResponse *)object;
+
+        if (ocspRsp->encodedResponse->data == NULL) {
+                *pHashcode = 0;
+        } else {
+                PKIX_CHECK(pkix_hash
+                        (ocspRsp->encodedResponse->data,
+                        ocspRsp->encodedResponse->len,
+                        pHashcode,
+                        plContext),
+                        PKIX_HASHFAILED);
+        }
+
+cleanup:
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OcspResponse_Equals(
+        PKIX_PL_Object *firstObj,
+        PKIX_PL_Object *secondObj,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType = 0;
+        PKIX_UInt32 firstLen = 0;
+        PKIX_UInt32 i = 0;
+        PKIX_PL_OcspResponse *rsp1 = NULL;
+        PKIX_PL_OcspResponse *rsp2 = NULL;
+        const unsigned char *firstData = NULL;
+        const unsigned char *secondData = NULL;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Equals");
+        PKIX_NULLCHECK_THREE(firstObj, secondObj, pResult);
+
+        /* test that firstObj is a OcspResponse */
+        PKIX_CHECK(pkix_CheckType(firstObj, PKIX_OCSPRESPONSE_TYPE, plContext),
+                    PKIX_FIRSTOBJARGUMENTNOTANOCSPRESPONSE);
+
+        /*
+         * Since we know firstObj is a OcspResponse, if both references are
+         * identical, they must be equal
+         */
+        if (firstObj == secondObj){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObj isn't a OcspResponse, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType(secondObj, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_OCSPRESPONSE_TYPE) {
+                goto cleanup;
+        }
+
+        rsp1 = (PKIX_PL_OcspResponse *)firstObj;
+        rsp2 = (PKIX_PL_OcspResponse *)secondObj;
+
+        /* If either lacks an encoded string, they cannot be compared */
+        firstData = (const unsigned char *)rsp1->encodedResponse->data;
+        secondData = (const unsigned char *)rsp2->encodedResponse->data;
+        if ((firstData == NULL) || (secondData == NULL)) {
+                goto cleanup;
+        }
+
+        firstLen = rsp1->encodedResponse->len;
+
+        if (firstLen != rsp2->encodedResponse->len) {
+                goto cleanup;
+        }
+
+        for (i = 0; i < firstLen; i++) {
+                if (*firstData++ != *secondData++) {
+                        goto cleanup;
+                }
+        }
+
+        *pResult = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_OCSPRESPONSE_TYPE and its related functions with
+ *  systemClasses[]
+ * PARAMETERS:
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_OcspResponse_RegisterSelf(void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_RegisterSelf");
+
+        entry.description = "OcspResponse";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_OcspResponse);
+        entry.destructor = pkix_pl_OcspResponse_Destroy;
+        entry.equalsFunction = pkix_pl_OcspResponse_Equals;
+        entry.hashcodeFunction = pkix_pl_OcspResponse_Hashcode;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_OCSPRESPONSE_TYPE] = entry;
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_Create
+ * DESCRIPTION:
+ *
+ *  This function transmits the OcspRequest pointed to by "request" and obtains
+ *  an OcspResponse, which it stores at "pOcspResponse". If the HTTPClient
+ *  supports non-blocking I/O this function may store a non-NULL value at
+ *  "pNBIOContext" (the WOULDBLOCK condition). In that case the caller should
+ *  make a subsequent call with the same value in "pNBIOContext" and
+ *  "pOcspResponse" to resume the operation. Additional WOULDBLOCK returns may
+ *  occur; the caller should persist until a return occurs with NULL stored at
+ *  "pNBIOContext".
+ *
+ *  If a SEC_HttpClientFcn "responder" is supplied, it is used as the client
+ *  to which the OCSP query is sent. If none is supplied, the default responder
+ *  is used.
+ *
+ *  If an OcspResponse_VerifyCallback "verifyFcn" is supplied, it is used to
+ *  verify the Cert received from the responder as the signer. If none is
+ *  supplied, the default verification function is used.
+ *
+ *  The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
+ *  return, and the caller is permitted to supply NULL.
+ *
+ * PARAMETERS
+ *  "request"
+ *      Address of the OcspRequest for which a response is desired.
+ *  "responder"
+ *      Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
+ *      query.
+ *  "verifyFcn"
+ *      Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
+ *      used to verify the Cert of the OCSP responder.
+ *  "pNBIOContext"
+ *      Address at which platform-dependent information is stored for handling
+ *      of non-blocking I/O. Must be non-NULL.
+ *  "pOcspResponse"
+ *      The address where the created OcspResponse is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspResponse_Create(
+        PKIX_PL_OcspRequest *request,
+        void *responder,
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn,
+        void **pNBIOContext,
+        PKIX_PL_OcspResponse **pResponse,
+        void *plContext)
+{
+        void *nbioContext = NULL;
+        PKIX_PL_OcspResponse *ocspResponse = NULL;
+        const SEC_HttpClientFcn *httpClient = NULL;
+        const SEC_HttpClientFcnV1 *hcv1 = NULL;
+        SECStatus rv = SECFailure;
+        char *location = NULL;
+        char *hostname = NULL;
+        char *path = NULL;
+        PRUint16 port = 0;
+        SEC_HTTP_SERVER_SESSION serverSession = NULL;
+        SEC_HTTP_REQUEST_SESSION requestSession = NULL;
+        SECItem *encodedRequest = NULL;
+        PRUint16 responseCode = 0;
+        char *responseData = NULL;
+        PRUint32 responseDataLen = 0;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
+        PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
+
+        nbioContext = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        if (nbioContext != NULL) {
+
+                ocspResponse = *pResponse;
+                PKIX_NULLCHECK_ONE(ocspResponse);
+
+                httpClient = ocspResponse->httpClient;
+                serverSession = ocspResponse->serverSession;
+                requestSession = ocspResponse->requestSession;
+                PKIX_NULLCHECK_THREE(httpClient, serverSession, requestSession);
+
+        } else {
+
+                PKIX_NULLCHECK_ONE(request);
+
+                PKIX_CHECK(pkix_pl_OcspRequest_GetEncoded
+                        (request, &encodedRequest, plContext),
+                        PKIX_OCSPREQUESTGETENCODEDFAILED);
+
+                /* prepare initial message to HTTPClient */
+
+                /* Is there a default responder and is it enabled? */
+                if (!responder) {
+                        PKIX_PL_NSSCALLRV
+                                (OCSPRESPONSE,
+                                responder,
+                                (void *)SEC_GetRegisteredHttpClient,
+                                ());
+                }
+
+                httpClient = (const SEC_HttpClientFcn *)responder;
+
+                if (httpClient && (httpClient->version == 1)) {
+
+                        hcv1 = &(httpClient->fcnTable.ftable1);
+
+                        PKIX_CHECK(pkix_pl_OcspRequest_GetLocation
+                                (request, &location, plContext),
+                                PKIX_OCSPREQUESTGETLOCATIONFAILED);
+
+                        /* parse location -> hostname, port, path */    
+                        PKIX_PL_NSSCALLRV(OCSPRESPONSE, rv, CERT_ParseURL,
+                                (location, &hostname, &port, &path));
+
+                        if ((hostname == NULL) || (path == NULL)) {
+                                PKIX_ERROR(PKIX_URLPARSINGFAILED);
+                        }
+
+                        PKIX_PL_NSSCALLRV
+                                (OCSPRESPONSE,
+                                rv,
+                                hcv1->createSessionFcn,
+                                (hostname, port, &serverSession));
+
+                        if (rv != SECSuccess) {
+                                PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                        }       
+
+                        PKIX_PL_NSSCALLRV
+                                (OCSPRESPONSE, rv, hcv1->createFcn,
+                                (serverSession,
+                                "http",
+                                path,
+                                "POST",
+                                PR_TicksPerSecond() * 60,
+                                &requestSession));
+
+                        if (rv != SECSuccess) {
+                                PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                        }       
+
+                        PKIX_PL_NSSCALLRV
+                                (OCSPRESPONSE, rv, hcv1->setPostDataFcn,
+                                (requestSession,
+                                (char *)encodedRequest->data,
+                                encodedRequest->len,
+                                "application/ocsp-request"));
+
+                        if (rv != SECSuccess) {
+                                PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                        }       
+
+                        /* create a PKIX_PL_OcspResponse object */
+                        PKIX_CHECK(PKIX_PL_Object_Alloc
+                                    (PKIX_OCSPRESPONSE_TYPE,
+                                    sizeof (PKIX_PL_OcspResponse),
+                                    (PKIX_PL_Object **)&ocspResponse,
+                                    plContext),
+                                    PKIX_COULDNOTCREATEOBJECT);
+
+                        PKIX_INCREF(request);
+                        ocspResponse->request = request;
+                        ocspResponse->httpClient = httpClient;
+                        ocspResponse->serverSession = serverSession;
+                        ocspResponse->requestSession = requestSession;
+                        ocspResponse->verifyFcn = verifyFcn;
+                        ocspResponse->handle = CERT_GetDefaultCertDB();
+                        ocspResponse->encodedResponse = NULL;
+                        ocspResponse->arena = NULL;
+                        ocspResponse->producedAt = 0;
+                        ocspResponse->producedAtDate = NULL;
+                        ocspResponse->pkixSignerCert = NULL;
+                        ocspResponse->nssOCSPResponse = NULL;
+                        ocspResponse->signerCert = NULL;
+                }
+        }
+
+        /* begin or resume IO to HTTPClient */
+        if (httpClient && (httpClient->version == 1)) {
+
+                hcv1 = &(httpClient->fcnTable.ftable1);
+
+                responseDataLen = MAX_OCSP_RESPONSE_LEN;
+
+                PKIX_PL_NSSCALLRV(OCSPRESPONSE, rv, hcv1->trySendAndReceiveFcn,
+                        (requestSession,
+                        (PRPollDesc **)&nbioContext,
+                        &responseCode,
+                        NULL,   /* responseContentType */
+                        NULL,   /* responseHeaders */
+                        (const char **)&responseData,
+                        &responseDataLen));
+
+                if (rv != SECSuccess) {
+                        PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                }       
+
+                if (nbioContext != NULL) {
+                        *pNBIOContext = nbioContext;
+                        goto cleanup;
+                }
+
+                if (responseCode != 200) {
+                        PKIX_ERROR(PKIX_OCSPBADHTTPRESPONSE);
+                }
+
+
+                PKIX_PL_NSSCALLRV
+                        (OCSPRESPONSE, ocspResponse->arena, PORT_NewArena,
+                        (DER_DEFAULT_CHUNKSIZE));
+
+                if (ocspResponse->arena == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                PKIX_PL_NSSCALLRV
+                        (OCSPRESPONSE,
+                        ocspResponse->encodedResponse,
+                        SECITEM_AllocItem,
+                        (ocspResponse->arena, NULL, responseDataLen));
+
+                if (ocspResponse->encodedResponse == NULL) {
+                        PKIX_ERROR(PKIX_OUTOFMEMORY);
+                }
+
+                PKIX_PL_NSSCALL(OCSPRESPONSE, PORT_Memcpy,
+                        (ocspResponse->encodedResponse->data,
+                        responseData,
+                        responseDataLen));
+
+        }
+
+        *pResponse = ocspResponse;
+
+cleanup:
+
+        if (path != NULL) {
+                PKIX_PL_NSSCALL(OCSPRESPONSE, PORT_Free, (path));
+        }
+
+        if (hostname != NULL) {
+                PKIX_PL_NSSCALL(OCSPRESPONSE, PORT_Free, (hostname));
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(ocspResponse);
+        }
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_Decode
+ * DESCRIPTION:
+ *
+ *  This function decodes the DER data contained in the OcspResponse pointed to
+ *  by "response", storing PKIX_TRUE at "pPassed" if the decoding was
+ *  successful, and PKIX_FALSE otherwise.
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the OcspResponse whose DER data is to be decoded. Must
+ *      be non-NULL.
+ *  "pPassed"
+ *      Address at which the Boolean result is stored. Must be non-NULL.
+ *  "pReturnCode"
+ *      Address at which the SECErrorCodes result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+
+PKIX_Error *
+pkix_pl_OcspResponse_Decode(
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *pPassed,
+        SECErrorCodes *pReturnCode,
+        void *plContext)
+{
+
+        PKIX_ENTER(OCSPRESPONSE, "PKIX_PL_OcspResponse_Decode");
+        PKIX_NULLCHECK_TWO(response, response->encodedResponse);
+
+        response->nssOCSPResponse =
+            CERT_DecodeOCSPResponse(response->encodedResponse);
+
+	if (response->nssOCSPResponse != NULL) {
+                *pPassed = PKIX_TRUE;
+                *pReturnCode = 0;
+        } else {
+                *pPassed = PKIX_FALSE;
+                *pReturnCode = PORT_GetError();
+        }
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_GetStatus
+ * DESCRIPTION:
+ *
+ *  This function checks the response status of the OcspResponse pointed to
+ *  by "response", storing PKIX_TRUE at "pPassed" if the responder understood
+ *  the request and considered it valid, and PKIX_FALSE otherwise.
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the OcspResponse whose status is to be retrieved. Must
+ *      be non-NULL.
+ *  "pPassed"
+ *      Address at which the Boolean result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+
+PKIX_Error *
+pkix_pl_OcspResponse_GetStatus(
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *pPassed,
+        SECErrorCodes *pReturnCode,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+
+        PKIX_ENTER(OCSPRESPONSE, "PKIX_PL_OcspResponse_GetStatus");
+        PKIX_NULLCHECK_FOUR(response, response->nssOCSPResponse, pPassed, pReturnCode);
+
+        rv = CERT_GetOCSPResponseStatus(response->nssOCSPResponse);
+
+	if (rv == SECSuccess) {
+                *pPassed = PKIX_TRUE;
+                *pReturnCode = 0;
+        } else {
+                *pPassed = PKIX_FALSE;
+                *pReturnCode = PORT_GetError();
+        }
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+
+PKIX_Error*
+pkix_pl_OcspResponse_CallCertVerify(
+        PKIX_PL_OcspResponse *response,
+        PKIX_ProcessingParams *procParams,
+        SECCertUsage certUsage,
+        void **state,
+        PKIX_BuildResult **buildResult,
+        void **pNBIOContext,
+        void *plContext)
+{
+    SECStatus rv = SECFailure;
+
+    PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_CallCertVerify");
+
+    if (response->verifyFcn != NULL) {
+        void *lplContext = NULL;
+        
+        PKIX_CHECK(
+            PKIX_PL_NssContext_Create(((SECCertificateUsage)1) << certUsage,
+                                      PKIX_FALSE, NULL, &lplContext),
+            PKIX_NSSCONTEXTCREATEFAILED);
+
+        PKIX_CHECK(
+            (response->verifyFcn)(response->pkixSignerCert,
+                                  response->producedAtDate,
+                                  procParams, pNBIOContext,
+                                  state, buildResult,
+                                  NULL, lplContext),
+            PKIX_CERTVERIFYKEYUSAGEFAILED);
+        rv = SECSuccess;
+    } else {
+        rv = CERT_VerifyCert(response->handle, response->signerCert, PKIX_TRUE,
+                             certUsage, response->producedAt, NULL, NULL);
+        if (rv != SECSuccess) {
+            PKIX_ERROR(PKIX_CERTVERIFYKEYUSAGEFAILED);
+        }
+    }
+
+cleanup:
+    if (rv != SECSuccess) {
+        PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
+    }
+
+    PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_VerifySignature
+ * DESCRIPTION:
+ *
+ *  This function verifies the ocspResponse signature field in the OcspResponse
+ *  pointed to by "response", storing PKIX_TRUE at "pPassed" if verification
+ *  is successful and PKIX_FALSE otherwise. If verification is unsuccessful an
+ *  error code (an enumeration of type SECErrorCodes) is stored at *pReturnCode.
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the OcspResponse whose signature field is to be
+ *      retrieved. Must be non-NULL.
+ *  "cert"
+ *      The address of the Cert for which the OCSP query was made. Must be
+ *      non-NULL.
+ *  "procParams"
+ *      Address of ProcessingParams used to initialize the ExpirationChecker
+ *      and TargetCertChecker. Must be non-NULL.
+ *  "pPassed"
+ *      Address at which the Boolean result is stored. Must be non-NULL.
+ *  "pNBIOContext"
+ *      Address at which the NBIOContext is stored indicating whether the
+ *      checking is complete. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspResponse_VerifySignature(
+        PKIX_PL_OcspResponse *response,
+        PKIX_PL_Cert *cert,
+        PKIX_ProcessingParams *procParams,
+        PKIX_Boolean *pPassed,
+        void **pNBIOContext,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+        CERTOCSPResponse *nssOCSPResponse = NULL;
+        CERTCertificate *issuerCert = NULL;
+        PKIX_BuildResult *buildResult = NULL;
+        void *nbio = NULL;
+        void *state = NULL;
+
+        ocspSignature *signature = NULL;
+        ocspResponseData *tbsData = NULL;
+        SECItem *tbsResponseDataDER = NULL;
+
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifySignature");
+        PKIX_NULLCHECK_FOUR(response, cert, pPassed,  pNBIOContext);
+
+        nbio = *pNBIOContext;
+        *pNBIOContext = NULL;
+
+        nssOCSPResponse = response->nssOCSPResponse;
+        if (nssOCSPResponse == NULL) {
+            PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+            goto cleanup;
+        }
+
+        tbsData =
+            ocsp_GetResponseData(nssOCSPResponse, &tbsResponseDataDER);
+        
+        signature = ocsp_GetResponseSignature(nssOCSPResponse);
+
+
+        /* Are we resuming after a WOULDBLOCK response? */
+        if (nbio == NULL) {
+            /* No, this is a new query */
+
+            issuerCert = CERT_FindCertIssuer(cert->nssCert, PR_Now(),
+                                             certUsageAnyCA);
+            
+            /*
+             * If this signature has already gone through verification,
+             * just return the cached result.
+             */
+            if (signature->wasChecked) {
+                if (signature->status == SECSuccess) {
+                    response->signerCert =
+                        CERT_DupCertificate(signature->cert);
+                } else {
+                    PORT_SetError(signature->failureReason);
+                    goto cleanup;
+                }
+            }
+            
+            response->signerCert = 
+                ocsp_GetSignerCertificate(response->handle, tbsData,
+                                          signature, issuerCert);
+            
+            if (response->signerCert == NULL) {
+                PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
+                goto cleanup;
+            }
+            
+            PKIX_CHECK( 
+                PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert,
+                                                       &(response->pkixSignerCert),
+                                                       plContext),
+                PKIX_CERTCREATEWITHNSSCERTFAILED);
+            
+            /*
+             * We could mark this true at the top of this function, or
+             * always below at "finish", but if the problem was just that
+             * we could not find the signer's cert, leave that as if the
+             * signature hasn't been checked. Maybe a subsequent call will
+             * have better luck.
+             */
+            signature->wasChecked = PR_TRUE;
+            
+            /*
+             * We are about to verify the signer certificate; we need to
+             * specify *when* that certificate must be valid -- for our
+             * purposes we expect it to be valid when the response was
+             * signed. The value of "producedAt" is the signing time.
+             */
+            rv = DER_GeneralizedTimeToTime(&response->producedAt,
+                                           &tbsData->producedAt);
+            if (rv != SECSuccess) {
+                PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+                goto cleanup;
+            }
+            
+            /*
+             * We need producedAtDate and pkixSignerCert if we are calling a
+             * user-supplied verification function. Let's put their
+             * creation before the code that gets repeated when
+             * non-blocking I/O is used.
+             */
+            
+            PKIX_CHECK(
+                pkix_pl_Date_CreateFromPRTime((PRTime)response->producedAt,
+                                              &(response->producedAtDate),
+                                              plContext),
+                PKIX_DATECREATEFROMPRTIMEFAILED);
+            
+	}
+        
+        /*
+         * Just because we have a cert does not mean it is any good; check
+         * it for validity, trust and usage. Use the caller-supplied
+         * verification function, if one was supplied.
+         */
+        if (ocsp_CertIsOCSPDefaultResponder(response->handle,
+                                            response->signerCert)) {
+            rv = SECSuccess;
+        } else {
+            SECCertUsage certUsage;
+            if (CERT_IsCACert(response->signerCert, NULL)) {
+                certUsage = certUsageVerifyCA;
+            } else {
+                certUsage = certUsageStatusResponder;
+            }
+            PKIX_CHECK_ONLY_FATAL(
+                pkix_pl_OcspResponse_CallCertVerify(response, procParams,
+                                                    certUsage, &state,
+                                                    &buildResult, &nbio,
+                                                    plContext),
+                PKIX_CERTVERIFYKEYUSAGEFAILED);
+            if (pkixTempErrorReceived) {
+                rv = SECFailure;
+                goto cleanup;
+            }
+            if (nbio != NULL) {
+                *pNBIOContext = nbio;
+                goto cleanup;
+            }            
+        }
+
+        rv = ocsp_VerifyResponseSignature(response->signerCert, signature,
+                                          tbsResponseDataDER, NULL);
+        
+cleanup:
+        if (rv == SECSuccess) {
+            *pPassed = PKIX_TRUE;
+        } else {
+            *pPassed = PKIX_FALSE;
+        }
+        
+        if (signature) {
+            if (signature->wasChecked) {
+                signature->status = rv;
+            }
+            
+            if (rv != SECSuccess) {
+                signature->failureReason = PORT_GetError();
+                if (response->signerCert != NULL) {
+                    CERT_DestroyCertificate(response->signerCert);
+                    response->signerCert = NULL;
+                }
+            } else {
+                /* Save signer's certificate in signature. */
+                signature->cert = CERT_DupCertificate(response->signerCert);
+            }
+        }
+
+	if (issuerCert)
+	    CERT_DestroyCertificate(issuerCert);
+        
+        PKIX_RETURN(OCSPRESPONSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_OcspResponse_GetStatusForCert
+ * DESCRIPTION:
+ *
+ *  This function checks the revocation status of the Cert for which the
+ *  OcspResponse was obtained, storing PKIX_TRUE at "pPassed" if the Cert has
+ *  not been revoked and PKIX_FALSE otherwise.
+ *
+ * PARAMETERS
+ *  "response"
+ *      The address of the OcspResponse whose certificate status is to be
+ *      retrieved. Must be non-NULL.
+ *  "pPassed"
+ *      Address at which the Boolean result is stored. Must be non-NULL.
+ *  "pReturnCode"
+ *      Address at which the SECErrorCodes result is stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OcspResponse Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OcspResponse_GetStatusForCert(
+        PKIX_PL_OcspCertID *cid,
+        PKIX_PL_OcspResponse *response,
+        PKIX_Boolean *pPassed,
+        SECErrorCodes *pReturnCode,
+        void *plContext)
+{
+        SECStatus rv = SECFailure;
+        SECStatus rvCache;
+        PRBool certIDWasConsumed = PR_FALSE;
+
+        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert");
+        PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode);
+
+        /*
+         * It is an error to call this function except following a successful
+         * return from pkix_pl_OcspResponse_VerifySignature, which would have
+         * set response->signerCert.
+         */
+        PKIX_NULLCHECK_TWO(response->signerCert, response->request);
+        PKIX_NULLCHECK_TWO(cid, cid->certID);
+
+        rv = cert_ProcessOCSPResponse(response->handle,
+                                      response->nssOCSPResponse,
+                                      cid->certID,
+                                      response->signerCert,
+                                      PR_Now(),
+                                      &certIDWasConsumed,
+                                      &rvCache);
+        if (certIDWasConsumed) {
+                cid->certID = NULL;
+        }
+
+	if (rv == SECSuccess) {
+                *pPassed = PKIX_TRUE;
+                *pReturnCode = 0;
+        } else {
+                *pPassed = PKIX_FALSE;
+                *pReturnCode = PORT_GetError();
+        }
+
+        PKIX_RETURN(OCSPRESPONSE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
new file mode 100644
index 000000000..f42356f6c
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
@@ -0,0 +1,95 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_ocspresponse.h
+ *
+ * OcspResponse Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_OCSPRESPONSE_H
+#define _PKIX_PL_OCSPRESPONSE_H
+
+#include "pkix_pl_common.h"
+#include "pkix_pl_ocspcertid.h"
+#include "hasht.h"
+#include "cryptohi.h"
+#include "ocspti.h"
+#include "ocspi.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MAX_OCSP_RESPONSE_LEN (64*1024)
+
+struct PKIX_PL_OcspResponseStruct{
+        PRArenaPool *arena;
+        const PKIX_PL_OcspRequest *request;
+        const SEC_HttpClientFcn *httpClient;
+        SEC_HTTP_SERVER_SESSION serverSession;
+        SEC_HTTP_REQUEST_SESSION requestSession;
+        PKIX_PL_OcspResponse_VerifyCallback verifyFcn;
+        SECItem *encodedResponse;
+        CERTCertDBHandle *handle;
+        int64 producedAt;
+        PKIX_PL_Date *producedAtDate;
+        PKIX_PL_Cert *pkixSignerCert;
+        CERTOCSPResponse *nssOCSPResponse;
+        CERTCertificate *signerCert;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_OcspResponse_RegisterSelf(void *plContext);
+
+PKIX_Error *
+PKIX_PL_OcspResponse_UseBuildChain(
+        PKIX_PL_Cert *signerCert,
+	PKIX_PL_Date *producedAt,
+        PKIX_ProcessingParams *procParams,
+        void **pNBIOContext,
+        void **pState,
+        PKIX_BuildResult **pBuildResult,
+        PKIX_VerifyNode **pVerifyTree,
+	void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_OCSPRESPONSE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.c
new file mode 100644
index 000000000..68cf098ab
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.c
@@ -0,0 +1,525 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_publickey.c
+ *
+ * Certificate Object Functions
+ *
+ */
+
+#include "pkix_pl_publickey.h"
+
+/* --Private-Cert-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the PublicKey
+ *  pointed to by "pkixPubKey" and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "pkixPubKey"
+ *      Address of PublicKey whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a PublicKey Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_PublicKey_ToString_Helper(
+        PKIX_PL_PublicKey *pkixPubKey,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        SECAlgorithmID algorithm;
+        SECOidTag pubKeyTag;
+        char *asciiOID = NULL;
+        PKIX_Boolean freeAsciiOID = PKIX_FALSE;
+        SECItem oidBytes;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_ToString_Helper");
+        PKIX_NULLCHECK_THREE(pkixPubKey, pkixPubKey->nssSPKI, pString);
+
+        /*
+         * XXX for now, we print out public key algorithm's
+         * description - add params and bytes later
+         */
+
+        /*
+         * If the algorithm OID is known to NSS,
+         * we print out the ASCII description that is
+         * registered with NSS. Otherwise, if unknown,
+         * we print out the OID numbers (eg. "1.2.840.3")
+         */
+
+        algorithm = pkixPubKey->nssSPKI->algorithm;
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling SECOID_GetAlgorithmTag).\n");
+        pubKeyTag = SECOID_GetAlgorithmTag(&algorithm);
+        if (pubKeyTag != SEC_OID_UNKNOWN){
+                PKIX_PUBLICKEY_DEBUG
+                        ("\t\tCalling SECOID_FindOIDTagDescription).\n");
+                asciiOID = (char *)SECOID_FindOIDTagDescription(pubKeyTag);
+                if (!asciiOID){
+                        PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED);
+                }
+        } else { /* pubKeyTag == SEC_OID_UNKNOWN */
+                oidBytes = algorithm.algorithm;
+                PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                            (&oidBytes, &asciiOID, plContext),
+                            PKIX_OIDBYTES2ASCIIFAILED);
+                freeAsciiOID = PKIX_TRUE;
+        }
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, (void *)asciiOID, 0, pString, plContext),
+                PKIX_UNABLETOCREATEPSTRING);
+
+cleanup:
+
+        /*
+         * we only free asciiOID if it was malloc'ed by pkix_pl_oidBytes2Ascii
+         */
+        if (freeAsciiOID){
+                PKIX_FREE(asciiOID);
+        }
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: pkix_pl_DestroySPKI
+ * DESCRIPTION:
+ *  Frees all memory associated with the CERTSubjectPublicKeyInfo pointed to
+ *  by "nssSPKI".
+ * PARAMETERS
+ *  "nssSPKI"
+ *      Address of CERTSubjectPublicKeyInfo. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_DestroySPKI(
+        CERTSubjectPublicKeyInfo *nssSPKI,
+        void *plContext)
+{
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_DestroySPKI");
+
+        PKIX_NULLCHECK_ONE(nssSPKI);
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling SECOID_DestroyAlgorithmID).\n");
+        SECOID_DestroyAlgorithmID(&nssSPKI->algorithm, PKIX_FALSE);
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling SECITEM_FreeItem).\n");
+        SECITEM_FreeItem(&nssSPKI->subjectPublicKey, PKIX_FALSE);
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_PublicKey_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *pubKey = NULL;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_Destroy");
+
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_PUBLICKEY_TYPE, plContext),
+                    PKIX_OBJECTNOTPUBLICKEY);
+
+        pubKey = (PKIX_PL_PublicKey *)object;
+
+        if (pubKey->nssSPKI) {
+
+            PKIX_CHECK(pkix_pl_DestroySPKI(pubKey->nssSPKI, plContext),
+                       PKIX_DESTROYSPKIFAILED);
+            
+            PKIX_FREE(pubKey->nssSPKI);
+        }
+
+cleanup:
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_PublicKey_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *pkixPubKey = NULL;
+        PKIX_PL_String *pubKeyString = NULL;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_PUBLICKEY_TYPE, plContext),
+                    PKIX_OBJECTNOTPUBLICKEY);
+
+        pkixPubKey = (PKIX_PL_PublicKey *)object;
+
+        PKIX_CHECK(pkix_pl_PublicKey_ToString_Helper
+                    (pkixPubKey, &pubKeyString, plContext),
+                    PKIX_PUBLICKEYTOSTRINGHELPERFAILED);
+
+        *pString = pubKeyString;
+
+cleanup:
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_PublicKey_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *pkixPubKey = NULL;
+        SECItem algOID;
+        SECItem algParams;
+        SECItem nssPubKey;
+        PKIX_UInt32 algOIDHash;
+        PKIX_UInt32 algParamsHash;
+        PKIX_UInt32 pubKeyHash;
+        PKIX_UInt32 fullHash;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_PUBLICKEY_TYPE, plContext),
+                    PKIX_OBJECTNOTPUBLICKEY);
+
+        pkixPubKey = (PKIX_PL_PublicKey *)object;
+
+        PKIX_NULLCHECK_ONE(pkixPubKey->nssSPKI);
+
+        algOID = pkixPubKey->nssSPKI->algorithm.algorithm;
+        algParams = pkixPubKey->nssSPKI->algorithm.parameters;
+        nssPubKey = pkixPubKey->nssSPKI->subjectPublicKey;
+
+        PKIX_CHECK(pkix_hash
+                    (algOID.data, algOID.len, &algOIDHash, plContext),
+                    PKIX_HASHFAILED);
+
+        PKIX_CHECK(pkix_hash
+                    (algParams.data, algParams.len, &algParamsHash, plContext),
+                    PKIX_HASHFAILED);
+
+        PKIX_CHECK(pkix_hash
+                    (nssPubKey.data, nssPubKey.len, &pubKeyHash, plContext),
+                    PKIX_HASHFAILED);
+
+        fullHash = algOIDHash + algParamsHash + pubKeyHash;
+
+        *pHashcode = pubKeyHash;
+
+cleanup:
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_PublicKey_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_PublicKey *firstPKIXPubKey = NULL;
+        PKIX_PL_PublicKey *secondPKIXPubKey = NULL;
+        CERTSubjectPublicKeyInfo *firstSPKI = NULL;
+        CERTSubjectPublicKeyInfo *secondSPKI = NULL;
+        SECComparison cmpResult;
+        PKIX_UInt32 secondType;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is a PublicKey */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_PUBLICKEY_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTPUBLICKEY);
+
+        /*
+         * Since we know firstObject is a PublicKey, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't a PublicKey, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_PUBLICKEY_TYPE) goto cleanup;
+
+        firstPKIXPubKey = ((PKIX_PL_PublicKey *)firstObject);
+        secondPKIXPubKey = (PKIX_PL_PublicKey *)secondObject;
+
+        firstSPKI = firstPKIXPubKey->nssSPKI;
+        secondSPKI = secondPKIXPubKey->nssSPKI;
+
+        PKIX_NULLCHECK_TWO(firstSPKI, secondSPKI);
+
+        PKIX_PL_NSSCALLRV(PUBLICKEY, cmpResult, SECOID_CompareAlgorithmID,
+                        (&firstSPKI->algorithm, &secondSPKI->algorithm));
+
+        if (cmpResult == SECEqual){
+                PKIX_PUBLICKEY_DEBUG("\t\tCalling SECITEM_CompareItem).\n");
+                cmpResult = SECITEM_CompareItem
+                                (&firstSPKI->subjectPublicKey,
+                                &secondSPKI->subjectPublicKey);
+        }
+
+        *pResult = (cmpResult == SECEqual)?PKIX_TRUE:PKIX_FALSE;
+
+cleanup:
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: pkix_pl_PublicKey_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_PUBLICKEY_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_PublicKey_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(PUBLICKEY, "pkix_pl_PublicKey_RegisterSelf");
+
+        entry.description = "PublicKey";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_PublicKey);
+        entry.destructor = pkix_pl_PublicKey_Destroy;
+        entry.equalsFunction = pkix_pl_PublicKey_Equals;
+        entry.hashcodeFunction = pkix_pl_PublicKey_Hashcode;
+        entry.toStringFunction = pkix_pl_PublicKey_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+        systemClasses[PKIX_PUBLICKEY_TYPE] = entry;
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_PublicKey_NeedsDSAParameters
+ *              (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_PublicKey_NeedsDSAParameters(
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_Boolean *pNeedsParams,
+        void *plContext)
+{
+        CERTSubjectPublicKeyInfo *nssSPKI = NULL;
+        KeyType pubKeyType;
+        PKIX_Boolean needsParams = PKIX_FALSE;
+
+        PKIX_ENTER(PUBLICKEY, "PKIX_PL_PublicKey_NeedsDSAParameters");
+        PKIX_NULLCHECK_TWO(pubKey, pNeedsParams);
+
+        nssSPKI = pubKey->nssSPKI;
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling CERT_GetCertKeyType).\n");
+        pubKeyType = CERT_GetCertKeyType(nssSPKI);
+        if (!pubKeyType){
+                PKIX_ERROR(PKIX_PUBKEYTYPENULLKEY);
+        }
+
+        if ((pubKeyType == dsaKey) &&
+            (nssSPKI->algorithm.parameters.len == 0)){
+                needsParams = PKIX_TRUE;
+        }
+
+        *pNeedsParams = needsParams;
+
+cleanup:
+
+        PKIX_RETURN(PUBLICKEY);
+}
+
+/*
+ * FUNCTION: PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+ *              (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(
+        PKIX_PL_PublicKey *firstKey,
+        PKIX_PL_PublicKey *secondKey,
+        PKIX_PL_PublicKey **pResultKey,
+        void *plContext)
+{
+        CERTSubjectPublicKeyInfo *firstSPKI = NULL;
+        CERTSubjectPublicKeyInfo *secondSPKI = NULL;
+        CERTSubjectPublicKeyInfo *thirdSPKI = NULL;
+        PKIX_PL_PublicKey *resultKey = NULL;
+        KeyType firstPubKeyType;
+        KeyType secondPubKeyType;
+        SECStatus rv;
+
+        PKIX_ENTER(PUBLICKEY, "PKIX_PL_PublicKey_MakeInheritedDSAPublicKey");
+        PKIX_NULLCHECK_THREE(firstKey, secondKey, pResultKey);
+        PKIX_NULLCHECK_TWO(firstKey->nssSPKI, secondKey->nssSPKI);
+
+        firstSPKI = firstKey->nssSPKI;
+        secondSPKI = secondKey->nssSPKI;
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling CERT_GetCertKeyType).\n");
+        firstPubKeyType = CERT_GetCertKeyType(firstSPKI);
+        if (!firstPubKeyType){
+                PKIX_ERROR(PKIX_FIRSTPUBKEYTYPENULLKEY);
+        }
+
+        PKIX_PUBLICKEY_DEBUG("\t\tCalling CERT_GetCertKeyType).\n");
+        secondPubKeyType = CERT_GetCertKeyType(secondSPKI);
+        if (!secondPubKeyType){
+                PKIX_ERROR(PKIX_SECONDPUBKEYTYPENULLKEY);
+        }
+
+        if ((firstPubKeyType == dsaKey) &&
+            (firstSPKI->algorithm.parameters.len == 0)){
+                if (secondPubKeyType != dsaKey) {
+                        PKIX_ERROR(PKIX_SECONDKEYNOTDSAPUBLICKEY);
+                } else if (secondSPKI->algorithm.parameters.len == 0) {
+                        PKIX_ERROR
+                                (PKIX_SECONDKEYDSAPUBLICKEY);
+                } else {
+                        PKIX_CHECK(PKIX_PL_Calloc
+                                    (1,
+                                    sizeof (CERTSubjectPublicKeyInfo),
+                                    (void **)&thirdSPKI,
+                                    plContext),
+                                    PKIX_CALLOCFAILED);
+
+                        PKIX_PUBLICKEY_DEBUG
+                                ("\t\tCalling"
+                                "SECKEY_CopySubjectPublicKeyInfo).\n");
+                        rv = SECKEY_CopySubjectPublicKeyInfo
+                                (NULL, thirdSPKI, firstSPKI);
+                        if (rv != SECSuccess) {
+                            PKIX_ERROR
+                                    (PKIX_SECKEYCOPYSUBJECTPUBLICKEYINFOFAILED);
+                        }
+
+                        PKIX_PUBLICKEY_DEBUG
+                                ("\t\tCalling SECITEM_CopyItem).\n");
+                        rv = SECITEM_CopyItem(NULL,
+                                            &thirdSPKI->algorithm.parameters,
+                                            &secondSPKI->algorithm.parameters);
+
+                        if (rv != SECSuccess) {
+                                PKIX_ERROR(PKIX_OUTOFMEMORY);
+                        }
+
+                        /* create a PKIX_PL_PublicKey object */
+                        PKIX_CHECK(PKIX_PL_Object_Alloc
+                                    (PKIX_PUBLICKEY_TYPE,
+                                    sizeof (PKIX_PL_PublicKey),
+                                    (PKIX_PL_Object **)&resultKey,
+                                    plContext),
+                                    PKIX_COULDNOTCREATEOBJECT);
+
+                        /* populate the SPKI field */
+                        resultKey->nssSPKI = thirdSPKI;
+                        *pResultKey = resultKey;
+                }
+        } else {
+                *pResultKey = NULL;
+        }
+
+cleanup:
+
+        if (thirdSPKI && PKIX_ERROR_RECEIVED){
+                PKIX_CHECK(pkix_pl_DestroySPKI(thirdSPKI, plContext),
+                            PKIX_DESTROYSPKIFAILED);
+                PKIX_FREE(thirdSPKI);
+        }
+
+        PKIX_RETURN(PUBLICKEY);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.h
new file mode 100644
index 000000000..8ce303ab4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.h
@@ -0,0 +1,71 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_publickey.h
+ *
+ * Public Key Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_PUBLICKEY_H
+#define _PKIX_PL_PUBLICKEY_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_PublicKeyStruct {
+        CERTSubjectPublicKeyInfo *nssSPKI;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_PublicKey_RegisterSelf(void *plContext);
+
+PKIX_Error *
+PKIX_PL_PublicKey_NeedsDSAParameters(
+        PKIX_PL_PublicKey *pubKey,
+        PKIX_Boolean *pNeedsParams,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_PUBLICKEY_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
new file mode 100644
index 000000000..39d730a15
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
@@ -0,0 +1,751 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_x500name.c
+ *
+ * X500Name Object Functions
+ *
+ */
+
+#include "pkix_pl_x500name.h"
+
+/* --Private-X500Name-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_X500Name_ToString_Helper
+ * DESCRIPTION:
+ *
+ *  Helper function that creates a string representation of the X500Name
+ *  pointed to by "name" and stores it at "pString".
+ *
+ * PARAMETERS
+ *  "name"
+ *      Address of X500Name whose string representation is desired.
+ *      Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a X500Name Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_X500Name_ToString_Helper(
+        PKIX_PL_X500Name *name,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        CERTName *nssDN = NULL;
+        char *utf8String = NULL;
+        PKIX_UInt32 utf8Length;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_ToString_Helper");
+        PKIX_NULLCHECK_TWO(name, pString);
+        nssDN = &name->nssDN;
+
+        /* this should really be called CERT_NameToUTF8 */
+        utf8String = CERT_NameToAsciiInvertible(nssDN, CERT_N2A_INVERTIBLE);
+        if (!utf8String){
+                PKIX_ERROR(PKIX_CERTNAMETOASCIIFAILED);
+        }
+
+        PKIX_X500NAME_DEBUG("\t\tCalling PL_strlen).\n");
+        utf8Length = PL_strlen(utf8String);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_UTF8, utf8String, utf8Length, pString, plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PR_Free(utf8String);
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_X500Name_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_X500Name *name = NULL;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_X500NAME_TYPE, plContext),
+                    PKIX_OBJECTNOTANX500NAME);
+
+        name = (PKIX_PL_X500Name *)object;
+
+        /* PORT_FreeArena will destroy arena, and, allocated on it, CERTName
+         * and SECItem */
+        if (name->arena) {
+            PORT_FreeArena(name->arena, PR_FALSE);
+            name->arena = NULL;
+        }
+
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_X500Name_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *nameString = NULL;
+        PKIX_PL_X500Name *name = NULL;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_X500NAME_TYPE, plContext),
+                    PKIX_OBJECTNOTANX500NAME);
+
+        name = (PKIX_PL_X500Name *)object;
+
+        PKIX_CHECK(pkix_pl_X500Name_ToString_Helper
+                    (name, &nameString, plContext),
+                    PKIX_X500NAMETOSTRINGHELPERFAILED);
+
+        *pString = nameString;
+
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_X500Name_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_X500Name *name = NULL;
+        SECItem *derBytes = NULL;
+        PKIX_UInt32 nameHash;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_X500NAME_TYPE, plContext),
+                    PKIX_OBJECTNOTANX500NAME);
+
+        name = (PKIX_PL_X500Name *)object;
+
+        /* we hash over the bytes in the DER encoding */
+
+        derBytes = &name->derName;
+
+        PKIX_CHECK(pkix_hash
+                    (derBytes->data, derBytes->len, &nameHash, plContext),
+                    PKIX_HASHFAILED);
+
+        *pHashcode = nameHash;
+
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_X500Name_Equals
+ * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_X500Name_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* test that firstObject is an X500Name */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_X500NAME_TYPE, plContext),
+                    PKIX_FIRSTOBJECTARGUMENTNOTANX500NAME);
+
+        /*
+         * Since we know firstObject is an X500Name, if both references are
+         * identical, they must be equal
+         */
+        if (firstObject == secondObject){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        /*
+         * If secondObject isn't an X500Name, we don't throw an error.
+         * We simply return a Boolean result of FALSE
+         */
+        *pResult = PKIX_FALSE;
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                    (secondObject, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+        if (secondType != PKIX_X500NAME_TYPE) goto cleanup;
+
+        PKIX_CHECK(
+            PKIX_PL_X500Name_Match((PKIX_PL_X500Name *)firstObject,
+                                   (PKIX_PL_X500Name *)secondObject,
+                                   pResult, plContext),
+            PKIX_X500NAMEMATCHFAILED);
+
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_X500NAME_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_X500Name_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_RegisterSelf");
+
+        entry.description = "X500Name";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_X500Name);
+        entry.destructor = pkix_pl_X500Name_Destroy;
+        entry.equalsFunction = pkix_pl_X500Name_Equals;
+        entry.hashcodeFunction = pkix_pl_X500Name_Hashcode;
+        entry.toStringFunction = pkix_pl_X500Name_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_X500NAME_TYPE] = entry;
+
+        PKIX_RETURN(X500NAME);
+}
+
+#ifdef BUILD_LIBPKIX_TESTS
+/*
+ * FUNCTION: pkix_pl_X500Name_CreateFromUtf8
+ *
+ * DESCRIPTION:
+ *  Creates an X500Name object from the RFC1485 string representation pointed
+ *  to by "stringRep", and stores the result at "pName". If the string cannot
+ *  be successfully converted, a non-fatal error is returned.
+ *
+ * NOTE: ifdefed BUILD_LIBPKIX_TESTS function: this function is allowed to be
+ * called only by pkix tests programs.
+ * 
+ * PARAMETERS:
+ *  "stringRep"
+ *      Address of the RFC1485 string to be converted. Must be non-NULL.
+ *  "pName"
+ *      Address where the X500Name result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an X500NAME Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_CreateFromUtf8(
+        char *stringRep,
+        PKIX_PL_X500Name **pName,
+        void *plContext)
+{
+        PKIX_PL_X500Name *x500Name = NULL;
+        PRArenaPool *arena = NULL;
+        CERTName *nssDN = NULL;
+        SECItem *resultSecItem = NULL;
+        
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_CreateFromUtf8");
+        PKIX_NULLCHECK_TWO(pName, stringRep);
+
+        nssDN = CERT_AsciiToName(stringRep);
+        if (nssDN == NULL) {
+            PKIX_ERROR(PKIX_COULDNOTCREATENSSDN);
+        }
+
+        arena = nssDN->arena;
+
+        /* create a PKIX_PL_X500Name object */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_X500NAME_TYPE,
+                    sizeof (PKIX_PL_X500Name),
+                    (PKIX_PL_Object **)&x500Name,
+                    plContext),
+                    PKIX_COULDNOTCREATEX500NAMEOBJECT);
+
+        /* populate the nssDN field */
+        x500Name->arena = arena;
+        x500Name->nssDN.arena = arena;
+        x500Name->nssDN.rdns = nssDN->rdns;
+        
+        resultSecItem =
+            SEC_ASN1EncodeItem(arena, &x500Name->derName, nssDN,
+                               CERT_NameTemplate);
+        
+        if (resultSecItem == NULL){
+            PKIX_ERROR(PKIX_SECASN1ENCODEITEMFAILED);
+        }
+
+        *pName = x500Name;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+            if (x500Name) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object*)x500Name,
+                                      plContext);
+            } else if (nssDN) {
+                CERT_DestroyName(nssDN);
+            }
+        }
+
+        PKIX_RETURN(X500NAME);
+}
+#endif /* BUILD_LIBPKIX_TESTS */
+
+/*
+ * FUNCTION: pkix_pl_X500Name_GetCERTName
+ *
+ * DESCRIPTION:
+ * 
+ * Returns the pointer to CERTName member of X500Name structure.
+ *
+ * Returned pointed should not be freed.2
+ *
+ * PARAMETERS:
+ *  "xname"
+ *      Address of X500Name whose OrganizationName is to be extracted. Must be
+ *      non-NULL.
+ *  "pCERTName"
+ *      Address where result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_GetCERTName(
+        PKIX_PL_X500Name *xname,
+        CERTName **pCERTName,
+        void *plContext)
+{
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_GetCERTName");
+        PKIX_NULLCHECK_TWO(xname, pCERTName);
+
+        *pCERTName = &xname->nssDN;
+
+        PKIX_RETURN(X500NAME);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_X500Name_CreateFromCERTName (see comments in pkix_pl_pki.h)
+ */
+
+PKIX_Error *
+PKIX_PL_X500Name_CreateFromCERTName(
+        SECItem *derName,
+        CERTName *name, 
+        PKIX_PL_X500Name **pName,
+        void *plContext)
+{
+        PRArenaPool *arena = NULL;
+        SECStatus rv = SECFailure;
+        PKIX_PL_X500Name *x500Name = NULL;
+
+        PKIX_ENTER(X500NAME, "PKIX_PL_X500Name_CreateFromCERTName");
+        PKIX_NULLCHECK_ONE(pName);
+        if (derName == NULL && name == NULL) {
+            PKIX_ERROR(PKIX_NULLARGUMENT);
+        }
+
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+            PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+        
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_X500NAME_TYPE,
+                    sizeof (PKIX_PL_X500Name),
+                    (PKIX_PL_Object **)&x500Name,
+                    plContext),
+                    PKIX_COULDNOTCREATEX500NAMEOBJECT);
+
+        x500Name->arena = arena;
+        x500Name->nssDN.arena = NULL;
+
+        if (derName != NULL) {
+            rv = SECITEM_CopyItem(arena, &x500Name->derName, derName);
+            if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+            }
+        }            
+
+        if (name != NULL) {
+            rv = CERT_CopyName(arena, &x500Name->nssDN, name);
+            if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_CERTCOPYNAMEFAILED);
+            }
+        } else {
+            rv = SEC_QuickDERDecodeItem(arena, &x500Name->nssDN,
+                                        CERT_NameTemplate,
+                                        &x500Name->derName);
+            if (rv == SECFailure) {
+                PKIX_ERROR(PKIX_SECQUICKDERDECODERFAILED);
+            }
+        }
+
+        *pName = x500Name;
+
+cleanup:
+        if (PKIX_ERROR_RECEIVED) {
+            if (x500Name) {
+                PKIX_PL_Object_DecRef((PKIX_PL_Object*)x500Name,
+                                      plContext);
+            } else if (arena) {                
+                PORT_FreeArena(arena, PR_FALSE);
+            }
+        }
+
+        PKIX_RETURN(X500NAME);
+}
+
+#ifdef BUILD_LIBPKIX_TESTS
+/*
+ * FUNCTION: PKIX_PL_X500Name_Create (see comments in pkix_pl_pki.h)
+ *
+ * NOTE: ifdefed BUILD_LIBPKIX_TESTS function: this function is allowed
+ * to be called only by pkix tests programs.
+ */
+PKIX_Error *
+PKIX_PL_X500Name_Create(
+        PKIX_PL_String *stringRep,
+        PKIX_PL_X500Name **pName,
+        void *plContext)
+{
+        char *utf8String = NULL;
+        PKIX_UInt32 utf8Length = 0;
+
+        PKIX_ENTER(X500NAME, "PKIX_PL_X500Name_Create");
+        PKIX_NULLCHECK_TWO(pName, stringRep);
+
+        /*
+         * convert the input PKIX_PL_String to PKIX_UTF8_NULL_TERM.
+         * we need to use this format specifier because
+         * CERT_AsciiToName expects a NULL-terminated UTF8 string.
+         * Since UTF8 allow NUL characters in the middle of the
+         * string, this is buggy. However, as a workaround, using
+         * PKIX_UTF8_NULL_TERM gives us a NULL-terminated UTF8 string.
+         */
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    (stringRep,
+                    PKIX_UTF8_NULL_TERM,
+                    (void **)&utf8String,
+                    &utf8Length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_CHECK(
+            pkix_pl_X500Name_CreateFromUtf8(utf8String,
+                                            pName, plContext),
+            PKIX_X500NAMECREATEFROMUTF8FAILED);
+
+cleanup:
+        PKIX_FREE(utf8String);
+
+        PKIX_RETURN(X500NAME);
+}
+#endif /* BUILD_LIBPKIX_TESTS */
+
+/*
+ * FUNCTION: PKIX_PL_X500Name_Match (see comments in pkix_pl_pki.h)
+ */
+PKIX_Error *
+PKIX_PL_X500Name_Match(
+        PKIX_PL_X500Name *firstX500Name,
+        PKIX_PL_X500Name *secondX500Name,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        SECItem *firstDerName = NULL;
+        SECItem *secondDerName = NULL;
+        SECComparison cmpResult;
+
+        PKIX_ENTER(X500NAME, "PKIX_PL_X500Name_Match");
+        PKIX_NULLCHECK_THREE(firstX500Name, secondX500Name, pResult);
+
+        if (firstX500Name == secondX500Name){
+                *pResult = PKIX_TRUE;
+                goto cleanup;
+        }
+
+        firstDerName = &firstX500Name->derName;
+        secondDerName = &secondX500Name->derName;
+
+        PKIX_NULLCHECK_TWO(firstDerName->data, secondDerName->data);
+
+        cmpResult = SECITEM_CompareItem(firstDerName, secondDerName);
+        if (cmpResult != SECEqual) {
+            cmpResult = CERT_CompareName(&firstX500Name->nssDN,
+                                         &secondX500Name->nssDN);
+        }
+
+        *pResult = (cmpResult == SECEqual);
+                   
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_GetSECName
+ *
+ * DESCRIPTION:
+ *  Returns a copy of CERTName DER representation allocated on passed in arena.
+ *  If allocation on arena can not be done, NULL is stored at "pSECName".
+ *
+ * PARAMETERS:
+ *  "xname"
+ *      Address of X500Name whose CERTName flag is to be encoded. Must be
+ *      non-NULL.
+ *  "arena"
+ *      Address of the PRArenaPool to be used in the encoding, and in which
+ *      "pSECName" will be allocated. Must be non-NULL.
+ *  "pSECName"
+ *      Address where result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_GetDERName(
+        PKIX_PL_X500Name *xname,
+        PRArenaPool *arena,
+        SECItem **pDERName,
+        void *plContext)
+{
+        SECItem *derName = NULL;
+
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_GetDERName");
+
+        PKIX_NULLCHECK_THREE(xname, arena, pDERName);
+
+        /* Return NULL is X500Name was not created from DER  */
+        if (xname->derName.data == NULL) {
+            *pDERName = NULL;
+            goto cleanup;
+        }
+
+        derName = SECITEM_ArenaDupItem(arena, &xname->derName);
+        if (derName == NULL) {
+            PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        *pDERName = derName;
+cleanup:
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_GetCommonName
+ *
+ * DESCRIPTION:
+ *  Extracts the CommonName component of the X500Name object pointed to by
+ *  "xname", and stores the result at "pCommonName". If the CommonName cannot
+ *  be successfully extracted, NULL is stored at "pCommonName".
+ *
+ *  The returned string must be freed with PORT_Free.
+ *
+ * PARAMETERS:
+ *  "xname"
+ *      Address of X500Name whose CommonName is to be extracted. Must be
+ *      non-NULL.
+ *  "pCommonName"
+ *      Address where result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_GetCommonName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pCommonName,
+        void *plContext)
+{
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_GetCommonName");
+        PKIX_NULLCHECK_TWO(xname, pCommonName);
+
+        *pCommonName = (unsigned char *)CERT_GetCommonName(&xname->nssDN);
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_GetCountryName
+ *
+ * DESCRIPTION:
+ *  Extracts the CountryName component of the X500Name object pointed to by
+ *  "xname", and stores the result at "pCountryName". If the CountryName cannot
+ *  be successfully extracted, NULL is stored at "pCountryName".
+ *
+ *  The returned string must be freed with PORT_Free.
+ *
+ * PARAMETERS:
+ *  "xname"
+ *      Address of X500Name whose CountryName is to be extracted. Must be
+ *      non-NULL.
+ *  "pCountryName"
+ *      Address where result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_GetCountryName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pCountryName,
+        void *plContext)
+{
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_GetCountryName");
+        PKIX_NULLCHECK_TWO(xname, pCountryName);
+
+        *pCountryName = (unsigned char*)CERT_GetCountryName(&xname->nssDN);
+
+        PKIX_RETURN(X500NAME);
+}
+
+/*
+ * FUNCTION: pkix_pl_X500Name_GetOrgName
+ *
+ * DESCRIPTION:
+ *  Extracts the OrganizationName component of the X500Name object pointed to by
+ *  "xname", and stores the result at "pOrgName". If the OrganizationName cannot
+ *  be successfully extracted, NULL is stored at "pOrgName".
+ *
+ *  The returned string must be freed with PORT_Free.
+ *
+ * PARAMETERS:
+ *  "xname"
+ *      Address of X500Name whose OrganizationName is to be extracted. Must be
+ *      non-NULL.
+ *  "pOrgName"
+ *      Address where result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_X500Name_GetOrgName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pOrgName,
+        void *plContext)
+{
+        PKIX_ENTER(X500NAME, "pkix_pl_X500Name_GetOrgName");
+        PKIX_NULLCHECK_TWO(xname, pOrgName);
+
+        *pOrgName = (unsigned char*)CERT_GetOrgName(&xname->nssDN);
+
+        PKIX_RETURN(X500NAME);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.h
new file mode 100644
index 000000000..73e25e611
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.h
@@ -0,0 +1,107 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_x500name.h
+ *
+ * X500Name Object Type Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_X500NAME_H
+#define _PKIX_PL_X500NAME_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+struct PKIX_PL_X500NameStruct{
+        PRArenaPool *arena; /* X500Name arena. Shared arena with nssDN
+                             * and derName */
+        CERTName nssDN;
+        SECItem derName;    /* adding DER encoded CERTName to the structure
+                             * to avoid unnecessary name encoding when pass
+                             * der name to cert finder */
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *pkix_pl_X500Name_RegisterSelf(void *plContext);
+
+PKIX_Error *pkix_pl_X500Name_GetDERName(
+        PKIX_PL_X500Name *xname,
+        PRArenaPool *arena,
+        SECItem **pSECName,
+        void *plContext);
+
+#ifdef BUILD_LIBPKIX_TESTS
+PKIX_Error * pkix_pl_X500Name_CreateFromUtf8(
+        char *stringRep,
+        PKIX_PL_X500Name **pName,
+        void *plContext);
+#endif /* BUILD_LIBPKIX_TESTS */
+
+PKIX_Error *pkix_pl_X500Name_GetCommonName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pCommonName,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_X500Name_GetCountryName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pCountryName,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_X500Name_GetOrgName(
+        PKIX_PL_X500Name *xname,
+        unsigned char **pOrgName,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_X500Name_GetCERTName(
+        PKIX_PL_X500Name *xname,
+        CERTName **pCERTName,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_X500NAME_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/Makefile b/security/nss/lib/libpkix/pkix_pl_nss/system/Makefile
new file mode 100755
index 000000000..42adc1f4a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/config.mk b/security/nss/lib/libpkix/pkix_pl_nss/system/config.mk
new file mode 100755
index 000000000..6f3fb7b4b
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/config.mk
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
new file mode 100755
index 000000000..bcf03ee37
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
@@ -0,0 +1,81 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pkix_pl_common.h \
+	pkix_pl_mem.h \
+	pkix_pl_object.h \
+	pkix_pl_string.h \
+	pkix_pl_primhash.h \
+	pkix_pl_bigint.h \
+	pkix_pl_mutex.h \
+	pkix_pl_bytearray.h \
+	pkix_pl_lifecycle.h \
+	pkix_pl_oid.h \
+	pkix_pl_hashtable.h \
+	pkix_pl_rwlock.h \
+	pkix_pl_monitorlock.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	pkix_pl_bigint.c \
+	pkix_pl_bytearray.c \
+	pkix_pl_common.c \
+	pkix_pl_error.c \
+	pkix_pl_hashtable.c \
+	pkix_pl_lifecycle.c \
+	pkix_pl_mem.c \
+	pkix_pl_monitorlock.c \
+	pkix_pl_mutex.c \
+	pkix_pl_object.c \
+	pkix_pl_oid.c \
+	pkix_pl_primhash.c \
+	pkix_pl_rwlock.c \
+	pkix_pl_string.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkixsystem
+
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.c
new file mode 100755
index 000000000..7a5bdee37
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.c
@@ -0,0 +1,431 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_bigint.c
+ *
+ * BigInt Object Functions
+ *
+ */
+
+#include "pkix_pl_bigint.h"
+
+/* --Private-Big-Int-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_pl_BigInt_Comparator
+ * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_BigInt_Comparator(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_BigInt *firstBigInt = NULL;
+        PKIX_PL_BigInt *secondBigInt = NULL;
+        char *firstPtr = NULL;
+        char *secondPtr = NULL;
+        PKIX_UInt32 firstLen, secondLen;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_Comparator");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                    (firstObject, secondObject, PKIX_BIGINT_TYPE, plContext),
+                    PKIX_ARGUMENTSNOTBIGINTS);
+
+        /* It's safe to cast */
+        firstBigInt = (PKIX_PL_BigInt*)firstObject;
+        secondBigInt = (PKIX_PL_BigInt*)secondObject;
+
+        *pResult = 0;
+        firstPtr = firstBigInt->dataRep;
+        secondPtr = secondBigInt->dataRep;
+        firstLen = firstBigInt->length;
+        secondLen = secondBigInt->length;
+
+        if (firstLen < secondLen) {
+                *pResult = -1;
+        } else if (firstLen > secondLen) {
+                *pResult = 1;
+        } else if (firstLen == secondLen) {
+                PKIX_BIGINT_DEBUG("\t\tCalling PORT_Memcmp).\n");
+                *pResult = PORT_Memcmp(firstPtr, secondPtr, firstLen);
+        }
+
+cleanup:
+
+        PKIX_RETURN(BIGINT);
+}
+
+/*
+ * FUNCTION: pkix_pl_BigInt_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_BigInt_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_BigInt *bigInt = NULL;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BIGINT_TYPE, plContext),
+                    PKIX_OBJECTNOTBIGINT);
+
+        bigInt = (PKIX_PL_BigInt*)object;
+
+        PKIX_FREE(bigInt->dataRep);
+        bigInt->dataRep = NULL;
+        bigInt->length = 0;
+
+cleanup:
+
+        PKIX_RETURN(BIGINT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_BigInt_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_BigInt_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_BigInt *bigInt = NULL;
+        char *outputText = NULL;
+        PKIX_UInt32 i, j, lengthChars;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BIGINT_TYPE, plContext),
+                    PKIX_OBJECTNOTBIGINT);
+
+        bigInt = (PKIX_PL_BigInt*)object;
+
+        /* number of chars = 2 * (number of bytes) + null terminator */
+        lengthChars = (bigInt->length * 2) + 1;
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (lengthChars, (void **)&outputText, plContext),
+                    PKIX_MALLOCFAILED);
+
+        for (i = 0, j = 0; i < bigInt->length; i += 1, j += 2){
+                outputText[j] = pkix_i2hex
+                        ((char) ((*(bigInt->dataRep+i) & 0xf0) >> 4));
+                outputText[j+1] = pkix_i2hex
+                        ((char) (*(bigInt->dataRep+i) & 0x0f));
+        }
+
+        outputText[lengthChars-1] = '\0';
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    outputText,
+                    0,
+                    pString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PKIX_FREE(outputText);
+
+        PKIX_RETURN(BIGINT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_BigInt_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_BigInt_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_BigInt *bigInt = NULL;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BIGINT_TYPE, plContext),
+                    PKIX_OBJECTNOTBIGINT);
+
+        bigInt = (PKIX_PL_BigInt*)object;
+
+        PKIX_CHECK(pkix_hash
+                    ((void *)bigInt->dataRep,
+                    bigInt->length,
+                    pHashcode,
+                    plContext),
+                    PKIX_HASHFAILED);
+
+cleanup:
+
+        PKIX_RETURN(BIGINT);
+}
+
+/*
+ * FUNCTION: pkix_pl_BigInt_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_BigInt_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Int32 cmpResult = 0;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_BIGINT_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTBIGINT);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_BIGINT_TYPE) goto cleanup;
+
+        PKIX_CHECK(pkix_pl_BigInt_Comparator
+                (first, second, &cmpResult, plContext),
+                PKIX_BIGINTCOMPARATORFAILED);
+
+        *pResult = (cmpResult == 0);
+
+cleanup:
+
+        PKIX_RETURN(BIGINT);
+}
+
+/*
+ * FUNCTION: pkix_pl_BigInt_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_BIGINT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_BigInt_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_RegisterSelf");
+
+        entry.description = "BigInt";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_BigInt);
+        entry.destructor = pkix_pl_BigInt_Destroy;
+        entry.equalsFunction = pkix_pl_BigInt_Equals;
+        entry.hashcodeFunction = pkix_pl_BigInt_Hashcode;
+        entry.toStringFunction = pkix_pl_BigInt_ToString;
+        entry.comparator = pkix_pl_BigInt_Comparator;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_BIGINT_TYPE] = entry;
+
+        PKIX_RETURN(BIGINT);
+}
+
+/*
+ * FUNCTION: pkix_pl_BigInt_CreateWithBytes
+ * DESCRIPTION:
+ *
+ *  Creates a new BigInt of size "length" representing the array of bytes
+ *  pointed to by "bytes" and stores it at "pBigInt". The caller should make
+ *  sure that the first byte is not 0x00 (unless it is the the only byte).
+ *  This function does not do that checking.
+ *
+ *  Once created, a PKIX_PL_BigInt object is immutable.
+ *
+ * PARAMETERS:
+ *  "bytes"
+ *      Address of array of bytes. Must be non-NULL.
+ *  "length"
+ *      Length of the array. Must be non-zero.
+ *  "pBigInt"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext" - Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_BigInt_CreateWithBytes(
+        char *bytes,
+        PKIX_UInt32 length,
+        PKIX_PL_BigInt **pBigInt,
+        void *plContext)
+{
+        PKIX_PL_BigInt *bigInt = NULL;
+
+        PKIX_ENTER(BIGINT, "pkix_pl_BigInt_CreateWithBytes");
+        PKIX_NULLCHECK_TWO(pBigInt, bytes);
+
+        if (length == 0) {
+                PKIX_ERROR(PKIX_BIGINTLENGTH0INVALID)
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_BIGINT_TYPE,
+                sizeof (PKIX_PL_BigInt),
+                (PKIX_PL_Object **)&bigInt,
+                plContext),
+                PKIX_COULDNOTCREATEOBJECT);
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (length, (void **)&(bigInt->dataRep), plContext),
+                    PKIX_MALLOCFAILED);
+
+        PKIX_BIGINT_DEBUG("\t\tCalling PORT_Memcpy).\n");
+        (void) PORT_Memcpy(bigInt->dataRep, bytes, length);
+
+        bigInt->length = length;
+
+        *pBigInt = bigInt;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(bigInt);
+        }
+
+        PKIX_RETURN(BIGINT);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_BigInt_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_BigInt_Create(
+        PKIX_PL_String *stringRep,
+        PKIX_PL_BigInt **pBigInt,
+        void *plContext)
+{
+        PKIX_PL_BigInt *bigInt = NULL;
+        char *asciiString = NULL;
+        PKIX_UInt32 lengthBytes;
+        PKIX_UInt32 lengthString;
+        PKIX_UInt32 i;
+        char currChar;
+
+        PKIX_ENTER(BIGINT, "PKIX_PL_BigInt_Create");
+        PKIX_NULLCHECK_TWO(pBigInt, stringRep);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                (stringRep,
+                PKIX_ESCASCII,
+                (void **)&asciiString,
+                &lengthString,
+                plContext),
+                PKIX_STRINGGETENCODEDFAILED);
+
+        if ((lengthString == 0) || ((lengthString % 2) != 0)){
+                PKIX_ERROR(PKIX_SOURCESTRINGHASINVALIDLENGTH);
+        }
+
+        if (lengthString != 2){
+                if ((asciiString[0] == '0') && (asciiString[1] == '0')){
+                        PKIX_ERROR(PKIX_FIRSTDOUBLEHEXMUSTNOTBE00);
+                }
+        }
+
+        for (i = 0; i < lengthString; i++) {
+                currChar = asciiString[i];
+                if (!PKIX_ISXDIGIT(currChar)){
+                        PKIX_ERROR(PKIX_INVALIDCHARACTERINBIGINT);
+                }
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_BIGINT_TYPE,
+                sizeof (PKIX_PL_BigInt),
+                (PKIX_PL_Object **)&bigInt,
+                plContext),
+                PKIX_COULDNOTCREATEOBJECT);
+
+        /* number of bytes = 0.5 * (number of chars) */
+        lengthBytes = lengthString/2;
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (lengthBytes, (void **)&(bigInt->dataRep), plContext),
+                    PKIX_MALLOCFAILED);
+
+        for (i = 0; i < lengthString; i += 2){
+                (bigInt->dataRep)[i/2] =
+                        (pkix_hex2i(asciiString[i])<<4) |
+                        pkix_hex2i(asciiString[i+1]);
+        }
+
+        bigInt->length = lengthBytes;
+
+        *pBigInt = bigInt;
+
+cleanup:
+
+        PKIX_FREE(asciiString);
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(bigInt);
+        }
+
+        PKIX_RETURN(BIGINT);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.h
new file mode 100755
index 000000000..c921af49a
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bigint.h
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_bigint.h
+ *
+ * Bigint Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_BIGINT_H
+#define _PKIX_PL_BIGINT_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_BigIntStruct {
+        char *dataRep;
+        PKIX_UInt32 length;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_BigInt_CreateWithBytes(
+        char *bytes,
+        PKIX_UInt32 length,
+        PKIX_PL_BigInt **pBigInt,
+        void *plContext);
+
+PKIX_Error *pkix_pl_BigInt_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_BIGINT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.c
new file mode 100755
index 000000000..8e9f423e2
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.c
@@ -0,0 +1,537 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_bytearray.c
+ *
+ * ByteArray Object Functions
+ *
+ */
+
+#include "pkix_pl_bytearray.h"
+
+/* --Private-ByteArray-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_ToHexString
+ * DESCRIPTION:
+ *
+ *  Creates a hex-String representation of the ByteArray pointed to by "array"
+ *  and stores the result at "pString". The hex-String consists of hex-digit
+ *  pairs separated by spaces, and the entire string enclosed within square
+ *  brackets, e.g. [43 61 6E 20 79 6F 75 20 72 65 61 64 20 74 68 69 73 3F].
+ *  A zero-length ByteArray is represented as [].
+ * PARAMETERS
+ *  "array"
+ *      ByteArray to be represented by the hex-String; must be non-NULL
+ *  "pString"
+ *      Address where String will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Cert Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_ByteArray_ToHexString(
+        PKIX_PL_ByteArray *array,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        char *tempText = NULL;
+        char *stringText = NULL; /* "[XX XX XX ...]" */
+        PKIX_UInt32 i, outputLen, bufferSize;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_ToHexString");
+        PKIX_NULLCHECK_TWO(array, pString);
+
+        if ((array->length) == 0) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "[]", 0, pString, plContext),
+                        PKIX_COULDNOTCREATESTRING);
+        } else {
+                /*
+                 * Allocate space for format string
+                 * '[' + "XX" + (n-1)*" XX" + ']' + '\0'
+                 */
+                bufferSize = 2 + (3*(array->length));
+
+                PKIX_CHECK(PKIX_PL_Malloc
+                        (bufferSize, (void **)&stringText, plContext),
+                        PKIX_COULDNOTALLOCATEMEMORY);
+
+                stringText[0] = 0;
+                outputLen = 0;
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf).\n");
+                tempText = PR_smprintf
+                        ("[%02X", (0x0FF&((char *)(array->array))[0]));
+                PKIX_BYTEARRAY_DEBUG("\tCalling PL_strlen).\n");
+                outputLen += PL_strlen(tempText);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PL_strcat).\n");
+                stringText = PL_strcat(stringText, tempText);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf_free).\n");
+                PR_smprintf_free(tempText);
+
+                for (i = 1; i < array->length; i++) {
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf).\n");
+                        tempText = PR_smprintf
+                                (" %02X", (0x0FF&((char *)(array->array))[i]));
+
+                        if (tempText == NULL){
+                                PKIX_ERROR(PKIX_PRSMPRINTFFAILED);
+                        }
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PL_strlen).\n");
+                        outputLen += PL_strlen(tempText);
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PL_strcat).\n");
+                        stringText = PL_strcat(stringText, tempText);
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf_free).\n");
+                        PR_smprintf_free(tempText);
+                        tempText = NULL;
+                }
+
+                stringText[outputLen++] = ']';
+                stringText[outputLen] = 0;
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII,
+                        stringText,
+                        0,
+                        pString,
+                        plContext),
+                        PKIX_COULDNOTCREATESTRING);
+        }
+
+cleanup:
+
+        PKIX_FREE(stringText);
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_Comparator
+ * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
+ *
+ *  NOTE:
+ *  It is not clear that this definition of comparing byte arrays makes
+ *  sense. It does allow you to tell whether two blocks of memory are
+ *  identical, so we only use it for the Equals function (i.e. we don't
+ *  register it as a Compare function for ByteArray).
+ */
+static PKIX_Error *
+pkix_pl_ByteArray_Comparator(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *firstByteArray = NULL;
+        PKIX_PL_ByteArray *secondByteArray = NULL;
+        unsigned char *firstData = NULL;
+        unsigned char *secondData = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_Comparator");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                (firstObject, secondObject, PKIX_BYTEARRAY_TYPE, plContext),
+                PKIX_ARGUMENTSNOTBYTEARRAYS);
+
+        /* It's safe to cast */
+        firstByteArray = (PKIX_PL_ByteArray *)firstObject;
+        secondByteArray = (PKIX_PL_ByteArray *)secondObject;
+
+        *pResult = 0;
+        firstData = (unsigned char *)firstByteArray->array;
+        secondData = (unsigned char *)secondByteArray->array;
+
+        if (firstByteArray->length < secondByteArray->length) {
+                *pResult = -1;
+        } else if (firstByteArray->length > secondByteArray->length) {
+                *pResult = 1;
+        } else if (firstByteArray->length == secondByteArray->length) {
+                /* Check if both array contents are identical */
+                for (i = 0;
+                    (i < firstByteArray->length) && (*pResult == 0);
+                    i++) {
+                        if (firstData[i] < secondData[i]) {
+                                *pResult = -1;
+                        } else if (firstData[i] > secondData[i]) {
+                                *pResult = 1;
+                        }
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_ByteArray_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *array = NULL;
+        char *tempText = NULL;
+        char *stringText = NULL; /* "[OOO, OOO, ... OOO]" */
+        PKIX_UInt32 i, outputLen, bufferSize;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BYTEARRAY_TYPE, plContext),
+                    PKIX_OBJECTNOTBYTEARRAY);
+
+        array = (PKIX_PL_ByteArray *)object;
+
+        if ((array->length) == 0) {
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, "[]", 0, pString, plContext),
+                        PKIX_COULDNOTCREATESTRING);
+        } else {
+                /* Allocate space for "XXX, ". */
+                bufferSize = 2+5*array->length;
+
+                /* Allocate space for format string */
+                PKIX_CHECK(PKIX_PL_Malloc
+                        (bufferSize, (void **)&stringText, plContext),
+                        PKIX_MALLOCFAILED);
+
+                stringText[0] = 0;
+                outputLen = 0;
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf).\n");
+                tempText =
+                        PR_smprintf
+                            ("[%03u", (0x0FF&((char *)(array->array))[0]));
+                PKIX_BYTEARRAY_DEBUG("\tCalling PL_strlen).\n");
+                outputLen += PL_strlen(tempText);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PL_strcat).\n");
+                stringText = PL_strcat(stringText, tempText);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf_free).\n");
+                PR_smprintf_free(tempText);
+
+                for (i = 1; i < array->length; i++) {
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf).\n");
+                        tempText = PR_smprintf
+                                (", %03u",
+                                (0x0FF&((char *)(array->array))[i]));
+
+                        if (tempText == NULL){
+                                PKIX_ERROR(PKIX_PRSMPRINTFFAILED);
+                        }
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PL_strlen).\n");
+                        outputLen += PL_strlen(tempText);
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PL_strcat).\n");
+                        stringText = PL_strcat(stringText, tempText);
+
+                        PKIX_BYTEARRAY_DEBUG("\tCalling PR_smprintf_free).\n");
+                        PR_smprintf_free(tempText);
+                        tempText = NULL;
+                }
+
+                stringText[outputLen++] = ']';
+                stringText[outputLen] = 0;
+
+                PKIX_CHECK(PKIX_PL_String_Create
+                        (PKIX_ESCASCII, stringText, 0, pString, plContext),
+                        PKIX_STRINGCREATEFAILED);
+
+        }
+
+cleanup:
+
+        PKIX_FREE(stringText);
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_ByteArray_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Int32 cmpResult = 0;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        /* Sanity check: Test that "first" is a ByteArray */
+        PKIX_CHECK(pkix_CheckType(first, PKIX_BYTEARRAY_TYPE, plContext),
+                    PKIX_FIRSTARGUMENTNOTBYTEARRAY);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        /* If types differ, then we will return false */
+        *pResult = PKIX_FALSE;
+
+        /* Second type may not be a BA */
+        if (secondType != PKIX_BYTEARRAY_TYPE) goto cleanup;
+
+        /* It's safe to cast here */
+        PKIX_CHECK(pkix_pl_ByteArray_Comparator
+                (first, second, &cmpResult, plContext),
+                PKIX_BYTEARRAYCOMPARATORFAILED);
+
+        /* ByteArrays are equal iff Comparator Result is 0 */
+        *pResult = (cmpResult == 0);
+
+cleanup:
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_ByteArray_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *array = NULL;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BYTEARRAY_TYPE, plContext),
+                    PKIX_OBJECTNOTBYTEARRAY);
+
+        array = (PKIX_PL_ByteArray*)object;
+
+        PKIX_FREE(array->array);
+        array->array = NULL;
+        array->length = 0;
+
+cleanup:
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_ByteArray_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *array = NULL;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_BYTEARRAY_TYPE, plContext),
+                    PKIX_OBJECTNOTBYTEARRAY);
+
+        array = (PKIX_PL_ByteArray*)object;
+
+        PKIX_CHECK(pkix_hash
+                ((const unsigned char *)array->array,
+                array->length,
+                pHashcode,
+                plContext),
+                PKIX_HASHFAILED);
+
+cleanup:
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: pkix_pl_ByteArray_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_BYTEARRAY_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_ByteArray_RegisterSelf(void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(BYTEARRAY, "pkix_pl_ByteArray_RegisterSelf");
+
+        entry.description = "ByteArray";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_ByteArray);
+        entry.destructor = pkix_pl_ByteArray_Destroy;
+        entry.equalsFunction = pkix_pl_ByteArray_Equals;
+        entry.hashcodeFunction = pkix_pl_ByteArray_Hashcode;
+        entry.toStringFunction = pkix_pl_ByteArray_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_BYTEARRAY_TYPE] = entry;
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_Create(
+        void *array,
+        PKIX_UInt32 length,
+        PKIX_PL_ByteArray **pByteArray,
+        void *plContext)
+{
+        PKIX_PL_ByteArray *byteArray = NULL;
+
+        PKIX_ENTER(BYTEARRAY, "PKIX_PL_ByteArray_Create");
+        PKIX_NULLCHECK_ONE(pByteArray);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_BYTEARRAY_TYPE,
+                sizeof (PKIX_PL_ByteArray),
+                (PKIX_PL_Object **)&byteArray,
+                plContext),
+                PKIX_COULDNOTCREATEOBJECTSTORAGE);
+
+        byteArray->length = length;
+        byteArray->array = NULL;
+
+        if (length != 0){
+                /* Alloc space for array */
+                PKIX_NULLCHECK_ONE(array);
+
+                PKIX_CHECK(PKIX_PL_Malloc
+                            (length, (void**)&(byteArray->array), plContext),
+                            PKIX_MALLOCFAILED);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PORT_Memcpy).\n");
+                (void) PORT_Memcpy(byteArray->array, array, length);
+        }
+
+        *pByteArray = byteArray;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(byteArray);
+        }
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_GetPointer (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_GetPointer(
+        PKIX_PL_ByteArray *byteArray,
+        void **pArray,
+        void *plContext)
+{
+        void *bytes = NULL;
+        PKIX_ENTER(BYTEARRAY, "PKIX_PL_ByteArray_GetPointer");
+        PKIX_NULLCHECK_TWO(byteArray, pArray);
+
+        if (byteArray->length != 0){
+                PKIX_CHECK(PKIX_PL_Malloc
+                            (byteArray->length, &bytes, plContext),
+                            PKIX_MALLOCFAILED);
+
+                PKIX_BYTEARRAY_DEBUG("\tCalling PORT_Memcpy).\n");
+                (void) PORT_Memcpy
+                        (bytes, byteArray->array, byteArray->length);
+        }
+
+        *pArray = bytes;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(bytes);
+        }
+
+        PKIX_RETURN(BYTEARRAY);
+}
+
+/*
+ * FUNCTION: PKIX_PL_ByteArray_GetLength (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_ByteArray_GetLength(
+        PKIX_PL_ByteArray *byteArray,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_ENTER(BYTEARRAY, "PKIX_PL_ByteArray_GetLength");
+        PKIX_NULLCHECK_TWO(byteArray, pLength);
+
+        *pLength = byteArray->length;
+
+        PKIX_RETURN(BYTEARRAY);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.h
new file mode 100755
index 000000000..b1f017c7e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_bytearray.h
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_bytearray.h
+ *
+ * ByteArray Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_BYTEARRAY_H
+#define _PKIX_PL_BYTEARRAY_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_ByteArrayStruct {
+        void *array;
+        PKIX_UInt32 length;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_ByteArray_ToHexString(
+        PKIX_PL_ByteArray *array,
+        PKIX_PL_String **pString,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_ByteArray_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_BYTEARRAY_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.c
new file mode 100755
index 000000000..232c6a483
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.c
@@ -0,0 +1,1106 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_common.c
+ *
+ * Common utility functions used by various PKIX_PL functions
+ *
+ */
+
+#include "pkix_pl_common.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_LockObject
+ * DESCRIPTION:
+ *
+ *  Locks the object pointed to by "object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of object. Must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_LockObject(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader;
+
+        PKIX_ENTER(OBJECT, "pkix_LockObject");
+        PKIX_NULLCHECK_ONE(object);
+
+        if (object == (PKIX_PL_Object *)PKIX_ALLOC_ERROR()) {
+                goto cleanup;
+        }
+
+        PKIX_OBJECT_DEBUG("\tShifting object pointer).\n");
+        /* The header is sizeof(PKIX_PL_Object) before the object pointer */
+
+        objectHeader = object-1;
+
+        PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+        PR_Lock(objectHeader->lock);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_UnlockObject
+ * DESCRIPTION:
+ *
+ *  Unlocks the object pointed to by "object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object. Must be non-NULL
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_UnlockObject(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader;
+        PRStatus result;
+
+        PKIX_ENTER(OBJECT, "pkix_UnlockObject");
+        PKIX_NULLCHECK_ONE(object);
+
+        if (object == (PKIX_PL_Object *)PKIX_ALLOC_ERROR()) {
+                goto cleanup;
+        }
+
+        PKIX_OBJECT_DEBUG("\tShifting object pointer).\n");
+        /* The header is sizeof(PKIX_PL_Object) before the object pointer */
+
+        objectHeader = object-1;
+
+        PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+        result = PR_Unlock(objectHeader->lock);
+
+        if (result == PR_FAILURE) {
+                PKIX_OBJECT_DEBUG("\tPR_Unlock failed.).\n");
+                PKIX_ERROR_FATAL(PKIX_ERRORUNLOCKINGOBJECT);
+        }
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_pl_UInt32_Overflows
+ * DESCRIPTION:
+ *
+ *  Returns a PKIX_Boolean indicating whether the unsigned integer
+ *  represented by "string" is too large to fit in 32-bits (i.e.
+ *  whether it overflows). With the exception of the string "0",
+ *  all other strings are stripped of any leading zeros. It is assumed
+ *  that every character in "string" is from the set {'0' - '9'}.
+ *
+ * PARAMETERS
+ *  "string"
+ *      Address of array of bytes representing PKIX_UInt32 that's being tested
+ *      for 32-bit overflow
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  PKIX_TRUE if PKIX_UInt32 represented by "string" overflows;
+ *  PKIX_FALSE otherwise
+ */
+PKIX_Boolean
+pkix_pl_UInt32_Overflows(char *string){
+        char *firstNonZero = NULL;
+        PKIX_UInt32 length, i;
+        char *MAX_UINT32_STRING = "4294967295";
+
+        PKIX_DEBUG_ENTER(OID);
+
+        PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
+        length = PL_strlen(string);
+
+        if (length < MAX_DIGITS_32){
+                return (PKIX_FALSE);
+        }
+
+        firstNonZero = string;
+        for (i = 0; i < length; i++){
+                if (*string == '0'){
+                        firstNonZero++;
+                }
+        }
+
+        PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
+        length = PL_strlen(firstNonZero);
+
+        if (length > MAX_DIGITS_32){
+                return (PKIX_TRUE);
+        }
+
+        PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
+        if (length == MAX_DIGITS_32){
+                PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
+                if (PORT_Strcmp(firstNonZero, MAX_UINT32_STRING) > 0){
+                        return (PKIX_TRUE);
+                }
+        }
+
+        return (PKIX_FALSE);
+}
+
+/*
+ * FUNCTION: pkix_pl_getOIDToken
+ * DESCRIPTION:
+ *
+ *  Takes the array of DER-encoded bytes pointed to by "derBytes"
+ *  (representing an OID) and the value of "index" representing the index into
+ *  the array, and decodes the bytes until an integer token is retrieved. If
+ *  successful, this function stores the integer component at "pToken" and
+ *  stores the index representing the next byte in the array at "pIndex"
+ *  (following the last byte that was used in the decoding). This new output
+ *  index can be used in subsequent calls as an input index, allowing each
+ *  token of the OID to be retrieved consecutively. Note that there is a
+ *  special case for the first byte, in that it encodes two separate integer
+ *  tokens. For example, the byte {2a} represents the integer tokens {1,2}.
+ *  This special case is not handled here and must be handled by the caller.
+ *
+ * PARAMETERS
+ *  "derBytes"
+ *      Address of array of bytes representing a DER-encoded OID.
+ *      Must be non-NULL.
+ *  "index"
+ *      Index into the array that this function will begin decoding at.
+ *  "pToken"
+ *      Destination for decoded OID token. Must be non-NULL.
+ *  "pIndex"
+ *      Destination for index of next byte following last byte used.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_getOIDToken(
+        char *derBytes,
+        PKIX_UInt32 index,
+        PKIX_UInt32 *pToken,
+        PKIX_UInt32 *pIndex,
+        void *plContext)
+{
+        PKIX_UInt32 retval, i, tmp;
+
+        PKIX_ENTER(OID, "pkix_pl_getOIDToken");
+        PKIX_NULLCHECK_THREE(derBytes, pToken, pIndex);
+
+        /*
+         * We should only need to parse a maximum of four bytes, because
+         * RFC 3280 "mandates support for OIDs which have arc elements
+         * with values that are less than 2^28, that is, they MUST be between
+         * 0 and 268,435,455, inclusive.  This allows each arc element to be
+         * represented within a single 32 bit word."
+         */
+
+        for (i = 0, retval = 0; i < 4; i++) {
+            retval <<= 7;
+            tmp = derBytes[index];
+            index++;
+            retval |= (tmp & 0x07f);
+            if ((tmp & 0x080) == 0){
+                    *pToken = retval;
+                    *pIndex = index;
+                    goto cleanup;
+            }
+        }
+
+        PKIX_ERROR(PKIX_INVALIDENCODINGOIDTOKENVALUETOOBIG);
+
+cleanup:
+
+        PKIX_RETURN(OID);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_helperBytes2Ascii
+ * DESCRIPTION:
+ *
+ *  Converts an array of integers pointed to by "tokens" with a length of
+ *  "numTokens", to an ASCII string consisting of those integers with dots in
+ *  between them and stores the result at "pAscii". The ASCII representation is
+ *  guaranteed to end with a NUL character. This is particularly useful for
+ *  OID's and IP Addresses.
+ *
+ *  The return value "pAscii" is not reference-counted and will need to
+ *  be freed with PKIX_PL_Free.
+ *
+ * PARAMETERS
+ *  "tokens"
+ *      Address of array of integers. Must be non-NULL.
+ *  "numTokens"
+ *      Length of array of integers. Must be non-zero.
+ *  "pAscii"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_helperBytes2Ascii(
+        PKIX_UInt32 *tokens,
+        PKIX_UInt32 numTokens,
+        char **pAscii,
+        void *plContext)
+{
+        char *tempString = NULL;
+        char *outputString = NULL;
+        char *format = "%d";
+        PKIX_UInt32 i = 0;
+        PKIX_UInt32 outputLen = 0;
+        PKIX_Int32 error;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_helperBytes2Ascii");
+        PKIX_NULLCHECK_TWO(tokens, pAscii);
+
+        if (numTokens == 0) {
+                PKIX_ERROR_FATAL(PKIX_HELPERBYTES2ASCIINUMTOKENSZERO);
+        }
+
+        /*
+         * tempString will hold the string representation of a PKIX_UInt32 type
+         * The maximum value that can be held by an unsigned 32-bit integer
+         * is (2^32 - 1) = 4294967295 (which is ten digits long)
+         * Since tempString will hold the string representation of a
+         * PKIX_UInt32, we allocate 11 bytes for it (1 byte for '\0')
+         */
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (MAX_DIGITS_32 + 1, (void **)&tempString, plContext),
+                    PKIX_MALLOCFAILED);
+
+        for (i = 0; i < numTokens; i++){
+                PKIX_OBJECT_DEBUG("\tCalling PR_snprintf).\n");
+                error = PR_snprintf(tempString,
+                                    MAX_DIGITS_32 + 1,
+                                    format,
+                                    tokens[i]);
+                if (error == -1){
+                        PKIX_ERROR(PKIX_PRSNPRINTFFAILED);
+                }
+
+                PKIX_OBJECT_DEBUG("\tCalling PL_strlen).\n");
+                outputLen += PL_strlen(tempString);
+
+                /* Include a dot to separate each number */
+                outputLen++;
+        }
+
+        /* Allocate space for the destination string */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (outputLen, (void **)&outputString, plContext),
+                    PKIX_MALLOCFAILED);
+
+        *outputString = '\0';
+
+        /* Concatenate all strings together */
+        for (i = 0; i < numTokens; i++){
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_snprintf).\n");
+                error = PR_snprintf(tempString,
+                                    MAX_DIGITS_32 + 1,
+                                    format,
+                                    tokens[i]);
+                if (error == -1){
+                        PKIX_ERROR(PKIX_PRSNPRINTFFAILED);
+                }
+
+                PKIX_OBJECT_DEBUG("\tCalling PL_strcat).\n");
+                (void) PL_strcat(outputString, tempString);
+
+                /* we don't want to put a "." at the very end */
+                if (i < (numTokens - 1)){
+                        PKIX_OBJECT_DEBUG("\tCalling PL_strcat).\n");
+                        (void) PL_strcat(outputString, ".");
+                }
+        }
+
+        /* Ensure output string ends with terminating null */
+        outputString[outputLen-1] = '\0';
+
+        *pAscii = outputString;
+        outputString = NULL;
+
+cleanup:
+        
+        PKIX_FREE(outputString);
+        PKIX_FREE(tempString);
+
+        PKIX_RETURN(OBJECT);
+
+}
+
+/*
+ * FUNCTION: pkix_pl_ipAddrBytes2Ascii
+ * DESCRIPTION:
+ *
+ *  Converts the DER encoding of an IPAddress pointed to by "secItem" to an
+ *  ASCII representation and stores the result at "pAscii". The ASCII
+ *  representation is guaranteed to end with a NUL character. The input
+ *  SECItem must contain non-NULL data and must have a positive length.
+ *
+ *  The return value "pAscii" is not reference-counted and will need to
+ *  be freed with PKIX_PL_Free.
+ *  XXX this function assumes that IPv4 addresses are being used
+ *  XXX what about IPv6? can NSS tell the difference
+ *
+ * PARAMETERS
+ *  "secItem"
+ *      Address of SECItem which contains bytes and length of DER encoding.
+ *      Must be non-NULL.
+ *  "pAscii"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_ipAddrBytes2Ascii(
+        SECItem *secItem,
+        char **pAscii,
+        void *plContext)
+{
+        char *data = NULL;
+        PKIX_UInt32 *tokens = NULL;
+        PKIX_UInt32 numTokens = 0;
+        PKIX_UInt32 i = 0;
+        char *asciiString = NULL;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_ipAddrBytes2Ascii");
+        PKIX_NULLCHECK_THREE(secItem, pAscii, secItem->data);
+
+        if (secItem->len == 0) {
+                PKIX_ERROR_FATAL(PKIX_IPADDRBYTES2ASCIIDATALENGTHZERO);
+        }
+
+        data = (char *)(secItem->data);
+        numTokens = secItem->len;
+
+        /* allocate space for array of integers */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (numTokens * sizeof (PKIX_UInt32),
+                    (void **)&tokens,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        /* populate array of integers */
+        for (i = 0; i < numTokens; i++){
+                tokens[i] = data[i];
+        }
+
+        /* convert array of integers to ASCII */
+        PKIX_CHECK(pkix_pl_helperBytes2Ascii
+                    (tokens, numTokens, &asciiString, plContext),
+                    PKIX_HELPERBYTES2ASCIIFAILED);
+
+        *pAscii = asciiString;
+
+cleanup:
+
+        PKIX_FREE(tokens);
+
+        PKIX_RETURN(OBJECT);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_oidBytes2Ascii
+ * DESCRIPTION:
+ *
+ *  Converts the DER encoding of an OID pointed to by "secItem" to an ASCII
+ *  representation and stores it at "pAscii". The ASCII representation is
+ *  guaranteed to end with a NUL character. The input SECItem must contain
+ *  non-NULL data and must have a positive length.
+ *
+ *  Example: the six bytes {2a 86 48 86 f7 0d} represent the
+ *  four integer tokens {1, 2, 840, 113549}, which we will convert
+ *  into ASCII yielding "1.2.840.113549"
+ *
+ *  The return value "pAscii" is not reference-counted and will need to
+ *  be freed with PKIX_PL_Free.
+ *
+ * PARAMETERS
+ *  "secItem"
+ *      Address of SECItem which contains bytes and length of DER encoding.
+ *      Must be non-NULL.
+ *  "pAscii"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_oidBytes2Ascii(
+        SECItem *secItem,
+        char **pAscii,
+        void *plContext)
+{
+        char *data = NULL;
+        PKIX_UInt32 *tokens = NULL;
+        PKIX_UInt32 token = 0;
+        PKIX_UInt32 numBytes = 0;
+        PKIX_UInt32 numTokens = 0;
+        PKIX_UInt32 i = 0, x = 0, y = 0;
+        PKIX_UInt32 index = 0;
+        char *asciiString = NULL;
+
+        PKIX_ENTER(OID, "pkix_pl_oidBytes2Ascii");
+        PKIX_NULLCHECK_THREE(secItem, pAscii, secItem->data);
+
+        if (secItem->len == 0) {
+                PKIX_ERROR_FATAL(PKIX_OIDBYTES2ASCIIDATALENGTHZERO);
+        }
+
+        data = (char *)(secItem->data);
+        numBytes = secItem->len;
+        numTokens = 0;
+
+        /* calculate how many integer tokens are represented by the bytes. */
+        for (i = 0; i < numBytes; i++){
+                if ((data[i] & 0x080) == 0){
+                        numTokens++;
+                }
+        }
+
+        /* if we are unable to retrieve any tokens at all, we throw an error */
+        if (numTokens == 0){
+                PKIX_ERROR(PKIX_INVALIDDERENCODINGFOROID);
+        }
+
+        /* add one more token b/c the first byte always contains two tokens */
+        numTokens++;
+
+        /* allocate space for array of integers */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (numTokens * sizeof (PKIX_UInt32),
+                    (void **)&tokens,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        /* populate array of integers */
+        for (i = 0; i < numTokens; i++){
+
+                /* retrieve integer token */
+                PKIX_CHECK(pkix_pl_getOIDToken
+                            (data, index, &token, &index, plContext),
+                            PKIX_GETOIDTOKENFAILED);
+
+                if (i == 0){
+
+                        /*
+                         * special case: the first DER-encoded byte represents
+                         * two tokens. We take advantage of fact that first
+                         * token must be 0, 1, or 2; and second token must be
+                         * between {0, 39} inclusive if first token is 0 or 1.
+                         */
+
+                        if (token < 40)
+                                x = 0;
+                        else if (token < 80)
+                                x = 1;
+                        else
+                                x = 2;
+                        y = token - (x * 40);
+
+                        tokens[0] = x;
+                        tokens[1] = y;
+                        i++;
+                } else {
+                        tokens[i] = token;
+                }
+        }
+
+        /* convert array of integers to ASCII */
+        PKIX_CHECK(pkix_pl_helperBytes2Ascii
+                    (tokens, numTokens, &asciiString, plContext),
+                    PKIX_HELPERBYTES2ASCIIFAILED);
+
+        *pAscii = asciiString;
+
+cleanup:
+
+        PKIX_FREE(tokens);
+        PKIX_RETURN(OID);
+
+}
+
+/*
+ * FUNCTION: pkix_UTF16_to_EscASCII
+ * DESCRIPTION:
+ *
+ *  Converts array of bytes pointed to by "utf16String" with length of
+ *  "utf16Length" (which must be even) into a freshly allocated Escaped ASCII
+ *  string and stores a pointer to that string at "pDest" and stores the
+ *  string's length at "pLength". The Escaped ASCII string's length does not
+ *  include the final NUL character. The caller is responsible for freeing
+ *  "pDest" using PKIX_PL_Free. If "debug" is set, uses EscASCII_Debug
+ *  encoding.
+ *
+ * PARAMETERS:
+ *  "utf16String"
+ *      Address of array of bytes representing data source. Must be non-NULL.
+ *  "utf16Length"
+ *      Length of data source. Must be even.
+ *  "debug"
+ *      Boolean value indicating whether debug mode is desired.
+ *  "pDest"
+ *      Address where data will be stored. Must be non-NULL.
+ *  "pLength"
+ *      Address where data length will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_UTF16_to_EscASCII(
+        void *utf16String,
+        PKIX_UInt32 utf16Length,
+        PKIX_Boolean debug,
+        char **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        char *destPtr = NULL;
+        PKIX_UInt32 i, charLen;
+        PKIX_UInt32 x = 0, y = 0, z = 0;
+        unsigned char *utf16Char = (unsigned char *)utf16String;
+
+        PKIX_ENTER(STRING, "pkix_UTF16_to_EscASCII");
+        PKIX_NULLCHECK_THREE(utf16String, pDest, pLength);
+
+        /* Assume every pair of bytes becomes &#xNNNN; */
+        charLen = 4*utf16Length;
+
+        /* utf16Lenght must be even */
+        if ((utf16Length % 2) != 0){
+                PKIX_ERROR(PKIX_UTF16ALIGNMENTERROR);
+        }
+
+        /* Count how many bytes we need */
+        for (i = 0; i < utf16Length; i += 2) {
+                if ((utf16Char[i] == 0x00)&&
+                        pkix_isPlaintext(utf16Char[i+1], debug)) {
+                        if (utf16Char[i+1] == '&') {
+                                /* Need to convert this to &amp; */
+                                charLen -= 3;
+                        } else {
+                                /* We can fit this into one char */
+                                charLen -= 7;
+                        }
+                } else if ((utf16Char[i] >= 0xD8) && (utf16Char[i] <= 0xDB)) {
+                        if ((i+3) >= utf16Length) {
+                                PKIX_ERROR(PKIX_UTF16HIGHZONEALIGNMENTERROR);
+                        } else if ((utf16Char[i+2] >= 0xDC)&&
+                                (utf16Char[i+2] <= 0xDF)) {
+                                /* Quartet of bytes will become &#xNNNNNNNN; */
+                                charLen -= 4;
+                                /* Quartet of bytes will produce 12 chars */
+                                i += 2;
+                        } else {
+                                /* Second pair should be DC00-DFFF */
+                                PKIX_ERROR(PKIX_UTF16LOWZONEERROR);
+                        }
+                }
+        }
+
+        *pLength = charLen;
+
+        /* Ensure this string is null terminated */
+        charLen++;
+
+        /* Allocate space for character array */
+        PKIX_CHECK(PKIX_PL_Malloc(charLen, (void **)pDest, plContext),
+                    PKIX_MALLOCFAILED);
+
+        destPtr = *pDest;
+        for (i = 0; i < utf16Length; i += 2) {
+                if ((utf16Char[i] == 0x00)&&
+                    pkix_isPlaintext(utf16Char[i+1], debug)) {
+                        /* Write a single character */
+                        *destPtr++ = utf16Char[i+1];
+                } else if ((utf16Char[i+1] == '&') && (utf16Char[i] == 0x00)){
+                        *destPtr++ = '&';
+                        *destPtr++ = 'a';
+                        *destPtr++ = 'm';
+                        *destPtr++ = 'p';
+                        *destPtr++ = ';';
+                } else if ((utf16Char[i] >= 0xD8)&&
+                            (utf16Char[i] <= 0xDB)&&
+                            (utf16Char[i+2] >= 0xDC)&&
+                            (utf16Char[i+2] <= 0xDF)) {
+                        /*
+                         * Special UTF pairs are of the form:
+                         * x = D800..DBFF; y = DC00..DFFF;
+                         * The result is of the form:
+                         * ((x - D800) * 400 + (y - DC00)) + 0001 0000
+                         */
+                        x = 0x0FFFF & ((utf16Char[i]<<8) | utf16Char[i+1]);
+                        y = 0x0FFFF & ((utf16Char[i+2]<<8) | utf16Char[i+3]);
+                        z = ((x - 0xD800) * 0x400 + (y - 0xDC00)) + 0x00010000;
+
+                        /* Sprintf &#xNNNNNNNN; */
+                        PKIX_STRING_DEBUG("\tCalling PR_snprintf).\n");
+                        if (PR_snprintf(destPtr, 13, "&#x%08X;", z) ==
+                            (PKIX_UInt32)(-1)) {
+                                PKIX_ERROR(PKIX_PRSNPRINTFFAILED);
+                        }
+                        i += 2;
+                        destPtr += 12;
+                } else {
+                        /* Sprintf &#xNNNN; */
+                        PKIX_STRING_DEBUG("\tCalling PR_snprintf).\n");
+                        if (PR_snprintf
+                            (destPtr,
+                            9,
+                            "&#x%02X%02X;",
+                            utf16Char[i],
+                            utf16Char[i+1]) ==
+                            (PKIX_UInt32)(-1)) {
+                                PKIX_ERROR(PKIX_PRSNPRINTFFAILED);
+                        }
+                        destPtr += 8;
+                }
+        }
+        *destPtr = '\0';
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(*pDest);
+        }
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_EscASCII_to_UTF16
+ * DESCRIPTION:
+ *
+ *  Converts array of bytes pointed to by "escAsciiString" with length of
+ *  "escAsciiLength" into a freshly allocated UTF-16 string and stores a
+ *  pointer to that string at "pDest" and stores the string's length at
+ *  "pLength". The caller is responsible for freeing "pDest" using
+ *  PKIX_PL_Free. If "debug" is set, uses EscASCII_Debug encoding.
+ *
+ * PARAMETERS:
+ *  "escAsciiString"
+ *      Address of array of bytes representing data source. Must be non-NULL.
+ *  "escAsciiLength"
+ *      Length of data source. Must be even.
+ *  "debug"
+ *      Boolean value indicating whether debug mode is desired.
+ *  "pDest"
+ *      Address where data will be stored. Must be non-NULL.
+ *  "pLength"
+ *      Address where data length will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_EscASCII_to_UTF16(
+        char *escAsciiString,
+        PKIX_UInt32 escAsciiLen,
+        PKIX_Boolean debug,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_UInt32 newLen, i, j, charSize;
+        PKIX_UInt32 x = 0, y = 0, z = 0;
+        unsigned char *destPtr = NULL;
+        unsigned char testChar, testChar2;
+        unsigned char *stringData = (unsigned char *)escAsciiString;
+
+        PKIX_ENTER(STRING, "pkix_EscASCII_to_UTF16");
+        PKIX_NULLCHECK_THREE(escAsciiString, pDest, pLength);
+
+        if (escAsciiLen == 0) {
+                PKIX_CHECK(PKIX_PL_Malloc(escAsciiLen, pDest, plContext),
+                            PKIX_MALLOCFAILED);
+                goto cleanup;
+        }
+
+        /* Assume each unicode character takes two bytes */
+        newLen = escAsciiLen*2;
+
+        /* Count up number of unicode encoded  characters */
+        for (i = 0; i < escAsciiLen; i++) {
+                if (!pkix_isPlaintext(stringData[i], debug)&&
+                    (stringData[i] != '&')) {
+                        PKIX_ERROR(PKIX_ILLEGALCHARACTERINESCAPEDASCII);
+                } else if (PL_strstr(escAsciiString+i, "&amp;") ==
+                            escAsciiString+i) {
+                        /* Convert EscAscii "&amp;" to two bytes */
+                        newLen -= 8;
+                        i += 4;
+                } else if ((PL_strstr(escAsciiString+i, "&#x") ==
+                            escAsciiString+i)||
+                            (PL_strstr(escAsciiString+i, "&#X") ==
+                            escAsciiString+i)) {
+                        if (((i+7) <= escAsciiLen)&&
+                            (escAsciiString[i+7] == ';')) {
+                                /* Convert &#xNNNN; to two bytes */
+                                newLen -= 14;
+                                i += 7;
+                        } else if (((i+11) <= escAsciiLen)&&
+                                (escAsciiString[i+11] == ';')) {
+                                /* Convert &#xNNNNNNNN; to four bytes */
+                                newLen -= 20;
+                                i += 11;
+                        } else {
+                                PKIX_ERROR(PKIX_ILLEGALUSEOFAMP);
+                        }
+                }
+        }
+
+        PKIX_CHECK(PKIX_PL_Malloc(newLen, pDest, plContext),
+                    PKIX_MALLOCFAILED);
+
+        /* Copy into newly allocated space */
+        destPtr = (unsigned char *)*pDest;
+
+        i = 0;
+        while (i < escAsciiLen) {
+                /* Copy each byte until you hit a &amp; */
+                if (pkix_isPlaintext(escAsciiString[i], debug)) {
+                        *destPtr++ = 0x00;
+                        *destPtr++ = escAsciiString[i++];
+                } else if (PL_strstr(escAsciiString+i, "&amp;") ==
+                            escAsciiString+i) {
+                        /* Convert EscAscii "&amp;" to two bytes */
+                        *destPtr++ = 0x00;
+                        *destPtr++ = '&';
+                        i += 5;
+                } else if (((PL_strstr(escAsciiString+i, "&#x") ==
+                            escAsciiString+i)||
+                            (PL_strstr(escAsciiString+i, "&#X") ==
+                            escAsciiString+i))&&
+                            ((i+7) <= escAsciiLen)) {
+
+                        /* We're either looking at &#xNNNN; or &#xNNNNNNNN; */
+                        charSize = (escAsciiString[i+7] == ';')?4:8;
+
+                        /* Skip past the &#x */
+                        i += 3;
+
+                        /* Make sure there is a terminating semi-colon */
+                        if (((i+charSize) > escAsciiLen)||
+                            (escAsciiString[i+charSize] != ';')) {
+                                PKIX_ERROR(PKIX_TRUNCATEDUNICODEINESCAPEDASCII);
+                        }
+
+                        for (j = 0; j < charSize; j++) {
+                                if (!PKIX_ISXDIGIT
+                                    (escAsciiString[i+j])) {
+                                        PKIX_ERROR(PKIX_ILLEGALUNICODECHARACTER);
+                                } else if (charSize == 8) {
+                                        x |= (pkix_hex2i
+                                                        (escAsciiString[i+j]))
+                                                        <<(4*(7-j));
+                                }
+                        }
+
+                        testChar =
+                                (pkix_hex2i(escAsciiString[i])<<4)|
+                                pkix_hex2i(escAsciiString[i+1]);
+                        testChar2 =
+                                (pkix_hex2i(escAsciiString[i+2])<<4)|
+                                pkix_hex2i(escAsciiString[i+3]);
+
+                        if (charSize == 4) {
+                                if ((testChar >= 0xD8)&&
+                                    (testChar <= 0xDF)) {
+                                        PKIX_ERROR(PKIX_ILLEGALSURROGATEPAIR);
+                                } else if ((testChar == 0x00)&&
+                                  pkix_isPlaintext(testChar2, debug)) {
+                                      PKIX_ERROR(
+                                          PKIX_ILLEGALCHARACTERINESCAPEDASCII);
+                                }
+                                *destPtr++ = testChar;
+                                *destPtr++ = testChar2;
+                        } else if (charSize == 8) {
+                                /* First two chars must be 0001-0010 */
+                                if (!((testChar == 0x00)&&
+                                    ((testChar2 >= 0x01)&&
+                                    (testChar2 <= 0x10)))) {
+                                      PKIX_ERROR(
+                                          PKIX_ILLEGALCHARACTERINESCAPEDASCII);
+                                }
+                                /*
+                                 * Unicode Strings of the form:
+                                 * x =  0001 0000..0010 FFFF
+                                 * Encoded as pairs of UTF-16 where
+                                 * y = ((x - 0001 0000) / 400) + D800
+                                 * z = ((x - 0001 0000) % 400) + DC00
+                                 */
+                                x -= 0x00010000;
+                                y = (x/0x400)+ 0xD800;
+                                z = (x%0x400)+ 0xDC00;
+
+                                /* Copy four bytes */
+                                *destPtr++ = (y&0xFF00)>>8;
+                                *destPtr++ = (y&0x00FF);
+                                *destPtr++ = (z&0xFF00)>>8;
+                                *destPtr++ = (z&0x00FF);
+                        }
+                        /* Move past the Hex digits and the semi-colon */
+                        i += charSize+1;
+                } else {
+                        /* Do not allow any other non-plaintext character */
+                        PKIX_ERROR(PKIX_ILLEGALCHARACTERINESCAPEDASCII);
+                }
+        }
+
+        *pLength = newLen;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(*pDest);
+        }
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_UTF16_to_UTF8
+ * DESCRIPTION:
+ *
+ *  Converts array of bytes pointed to by "utf16String" with length of
+ *  "utf16Length" into a freshly allocated UTF-8 string and stores a pointer
+ *  to that string at "pDest" and stores the string's length at "pLength" (not
+ *  counting the null terminator, if requested. The caller is responsible for
+ *  freeing "pDest" using PKIX_PL_Free.
+ *
+ * PARAMETERS:
+ *  "utf16String"
+ *      Address of array of bytes representing data source. Must be non-NULL.
+ *  "utf16Length"
+ *      Length of data source. Must be even.
+ *  "null-term"
+ *      Boolean value indicating whether output should be null-terminated.
+ *  "pDest"
+ *      Address where data will be stored. Must be non-NULL.
+ *  "pLength"
+ *      Address where data length will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_UTF16_to_UTF8(
+        void *utf16String,
+        PKIX_UInt32 utf16Length,
+        PKIX_Boolean null_term,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_Boolean result;
+        PKIX_UInt32 reallocLen;
+        char *endPtr = NULL;
+
+        PKIX_ENTER(STRING, "pkix_UTF16_to_UTF8");
+        PKIX_NULLCHECK_THREE(utf16String, pDest, pLength);
+
+        /* XXX How big can a UTF8 string be compared to a UTF16? */
+        PKIX_CHECK(PKIX_PL_Calloc(1, utf16Length*2, pDest, plContext),
+                    PKIX_CALLOCFAILED);
+
+        PKIX_STRING_DEBUG("\tCalling PORT_UCS2_UTF8Conversion).\n");
+        result = PORT_UCS2_UTF8Conversion
+                (PKIX_FALSE, /* False = From UCS2 */
+                (unsigned char *)utf16String,
+                utf16Length,
+                (unsigned char *)*pDest,
+                utf16Length*2, /* Max Size */
+                pLength);
+        if (result == PR_FALSE){
+                PKIX_ERROR(PKIX_PORTUCS2UTF8CONVERSIONFAILED);
+        }
+
+        reallocLen = *pLength;
+
+        if (null_term){
+                reallocLen++;
+        }
+
+        PKIX_CHECK(PKIX_PL_Realloc(*pDest, reallocLen, pDest, plContext),
+                    PKIX_REALLOCFAILED);
+
+        if (null_term){
+                endPtr = (char*)*pDest + reallocLen - 1;
+                *endPtr = '\0';
+        }
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(*pDest);
+        }
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_UTF8_to_UTF16
+ * DESCRIPTION:
+ *
+ *  Converts array of bytes pointed to by "utf8String" with length of
+ *  "utf8Length" into a freshly allocated UTF-16 string and stores a pointer
+ *  to that string at "pDest" and stores the string's length at "pLength". The
+ *  caller is responsible for freeing "pDest" using PKIX_PL_Free.
+ *
+ * PARAMETERS:
+ *  "utf8String"
+ *      Address of array of bytes representing data source. Must be non-NULL.
+ *  "utf8Length"
+ *      Length of data source. Must be even.
+ *  "pDest"
+ *      Address where data will be stored. Must be non-NULL.
+ *  "pLength"
+ *      Address where data length will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a String Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_UTF8_to_UTF16(
+        void *utf8String,
+        PKIX_UInt32 utf8Length,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_Boolean result;
+
+        PKIX_ENTER(STRING, "pkix_UTF8_to_UTF16");
+        PKIX_NULLCHECK_THREE(utf8String, pDest, pLength);
+
+        /* XXX How big can a UTF8 string be compared to a UTF16? */
+        PKIX_CHECK(PKIX_PL_Calloc(1, utf8Length*2, pDest, plContext),
+                    PKIX_MALLOCFAILED);
+
+        PKIX_STRING_DEBUG("\tCalling PORT_UCS2_UTF8Conversion).\n");
+        result = PORT_UCS2_UTF8Conversion
+                (PKIX_TRUE, /* True = From UTF8 */
+                (unsigned char *)utf8String,
+                utf8Length,
+                (unsigned char *)*pDest,
+                utf8Length*2, /* Max Size */
+                pLength);
+        if (result == PR_FALSE){
+                PKIX_ERROR(PKIX_PORTUCS2UTF8CONVERSIONFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Realloc(*pDest, *pLength, pDest, plContext),
+                    PKIX_REALLOCFAILED);
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(*pDest);
+        }
+
+        PKIX_RETURN(STRING);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
new file mode 100755
index 000000000..a365deee7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
@@ -0,0 +1,188 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_common.h
+ *
+ * Common central header file included by all PL source files
+ *
+ */
+
+#ifndef _PKIX_PL_COMMON_H
+#define _PKIX_PL_COMMON_H
+
+/* PKIX HEADERS */
+#include "pkix_tools.h"
+
+/* NSS headers */
+#include "nss.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "base64.h"
+#include "cert.h"
+#include "certdb.h"
+#include "genname.h"
+#include "xconst.h"
+#include "keyhi.h"
+#include "ocsp.h"
+#include "ocspt.h"
+#include "pk11pub.h"
+#include "pkcs11.h"
+#include "pkcs11t.h"
+#include "prio.h"
+
+/* NSPR headers */
+#include "nspr.h"
+
+/* private PKIX_PL_NSS system headers */
+#include "pkix_pl_object.h"
+#include "pkix_pl_string.h"
+#include "pkix_pl_ldapt.h"
+#include "pkix_pl_aiamgr.h"
+#include "pkix_pl_bigint.h"
+#include "pkix_pl_oid.h"
+#include "pkix_pl_x500name.h"
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_publickey.h"
+#include "pkix_pl_bytearray.h"
+#include "pkix_pl_date.h"
+#include "pkix_pl_primhash.h"
+#include "pkix_pl_basicconstraints.h"
+#include "pkix_pl_bytearray.h"
+#include "pkix_pl_cert.h"
+#include "pkix_pl_certpolicyinfo.h"
+#include "pkix_pl_certpolicymap.h"
+#include "pkix_pl_certpolicyqualifier.h"
+#include "pkix_pl_crl.h"
+#include "pkix_pl_crlentry.h"
+#include "pkix_pl_nameconstraints.h"
+#include "pkix_pl_ocsprequest.h"
+#include "pkix_pl_ocspresponse.h"
+#include "pkix_pl_pk11certstore.h"
+#include "pkix_pl_socket.h"
+#include "pkix_pl_ldapcertstore.h"
+#include "pkix_pl_ldaprequest.h"
+#include "pkix_pl_ldapresponse.h"
+#include "pkix_pl_nsscontext.h"
+#include "pkix_pl_httpcertstore.h"
+#include "pkix_pl_httpdefaultclient.h"
+#include "pkix_pl_infoaccess.h"
+#include "pkix_sample_modules.h"
+#include "pkix_pl_ekuchecker.h"
+
+#define MAX_DIGITS_32 (PKIX_UInt32) 10
+
+#define PKIX_PL_NSSCALL(type, func, args)  \
+        PKIX_ ## type ## _DEBUG_ARG("( Calling %s).\n", #func); \
+        (func args)
+
+#define PKIX_PL_NSSCALLRV(type, lvalue, func, args)  \
+        PKIX_ ## type ## _DEBUG_ARG("( Calling %s).\n", #func); \
+        lvalue = (func args)
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_LockObject(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+PKIX_Error *
+pkix_UnlockObject(
+        PKIX_PL_Object *object,
+        void *plContext);
+
+PKIX_Boolean
+pkix_pl_UInt32_Overflows(char *string);
+
+PKIX_Error *
+pkix_pl_helperBytes2Ascii(
+        PKIX_UInt32 *tokens,
+        PKIX_UInt32 numTokens,
+        char **pAscii,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_ipAddrBytes2Ascii(
+        SECItem *secItem,
+        char **pAscii,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_oidBytes2Ascii(
+        SECItem *secItem,
+        char **pAscii,
+        void *plContext);
+
+/* --String-Encoding-Conversion-Functions------------------------ */
+
+PKIX_Error *
+pkix_UTF16_to_EscASCII(
+        void *utf16String,
+        PKIX_UInt32 utf16Length,
+        PKIX_Boolean debug,
+        char **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+PKIX_Error *
+pkix_EscASCII_to_UTF16(
+        char *escAsciiString,
+        PKIX_UInt32 escAsciiLen,
+        PKIX_Boolean debug,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+PKIX_Error *
+pkix_UTF16_to_UTF8(
+        void *utf16String,
+        PKIX_UInt32 utf16Length,
+        PKIX_Boolean null_Term,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+PKIX_Error *
+pkix_UTF8_to_UTF16(
+        void *utf8Source,
+        PKIX_UInt32 utf8Length,
+        void **pDest,
+        PKIX_UInt32 *pLength,
+        void *plContext);
+
+#endif /* _PKIX_PL_COMMON_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_error.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_error.c
new file mode 100644
index 000000000..30eae99a4
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_error.c
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_error.c
+ *
+ * PL error functions
+ *
+ */
+
+#include "pkix_pl_common.h"
+
+#undef PKIX_ERRORENTRY
+
+#define PKIX_ERRORENTRY(name,desc,plerr) plerr
+
+const SECErrorCodes PKIX_PLErrorIndex[] =
+{
+#include "pkix_errorstrings.h"
+};
+
+int
+PKIX_PL_GetPLErrorCode()
+{
+    return PORT_GetError();
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c
new file mode 100755
index 000000000..4a1e3914f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c
@@ -0,0 +1,417 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_hashtable.c
+ *
+ * Hashtable Object Functions
+ *
+ */
+
+#include "pkix_pl_hashtable.h"
+
+/* --Private-Structure-------------------------------------------- */
+
+struct PKIX_PL_HashTableStruct {
+        pkix_pl_PrimHashTable *primHash;
+        PKIX_PL_Mutex *tableLock;
+        PKIX_UInt32 maxEntriesPerBucket;
+};
+
+/* --Private-Functions-------------------------------------------- */
+
+#define PKIX_MUTEX_UNLOCK(mutex) \
+    do { \
+        if (mutex && lockedMutex == (PKIX_PL_Mutex *)(mutex)) { \
+            pkixTempResult = \
+                PKIX_PL_Mutex_Unlock((mutex), plContext); \
+            PORT_Assert(pkixTempResult == NULL); \
+            if (pkixTempResult) { \
+                PKIX_DoAddError(&stdVars, pkixTempResult, plContext); \
+                pkixTempResult = NULL; \
+            } \
+            lockedMutex = NULL; \
+        } else { \
+            PORT_Assert(lockedMutex == NULL); \
+        }\
+    } while (0)
+
+
+#define PKIX_MUTEX_LOCK(mutex) \
+    do { \
+        if (mutex){ \
+            PORT_Assert(lockedMutex == NULL); \
+            PKIX_CHECK(PKIX_PL_Mutex_Lock((mutex), plContext), \
+                       PKIX_MUTEXLOCKFAILED); \
+            lockedMutex = (mutex); \
+        } \
+    } while (0)
+
+/*
+ * FUNCTION: pkix_pl_HashTable_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_HashTable_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_HashTable *ht = NULL;
+        pkix_pl_HT_Elem *item = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_HashTable_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_HASHTABLE_TYPE, plContext),
+                    PKIX_OBJECTNOTHASHTABLE);
+
+        ht = (PKIX_PL_HashTable*) object;
+
+        /* DecRef every object in the primitive hash table */
+        for (i = 0; i < ht->primHash->size; i++) {
+                for (item = ht->primHash->buckets[i];
+                    item != NULL;
+                    item = item->next) {
+                        PKIX_DECREF(item->key);
+                        PKIX_DECREF(item->value);
+                }
+        }
+
+        PKIX_CHECK(pkix_pl_PrimHashTable_Destroy(ht->primHash, plContext),
+                    PKIX_PRIMHASHTABLEDESTROYFAILED);
+
+        PKIX_DECREF(ht->tableLock);
+
+cleanup:
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_HashTable_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_HASHTABLE_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_HashTable_RegisterSelf(
+        void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_HashTable_RegisterSelf");
+
+        entry.description = "HashTable";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_HashTable);
+        entry.destructor = pkix_pl_HashTable_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_HASHTABLE_TYPE] = entry;
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Create(
+        PKIX_UInt32 numBuckets,
+        PKIX_UInt32 maxEntriesPerBucket,
+        PKIX_PL_HashTable **pResult,
+        void *plContext)
+{
+        PKIX_PL_HashTable *hashTable = NULL;
+
+        PKIX_ENTER(HASHTABLE, "PKIX_PL_HashTable_Create");
+        PKIX_NULLCHECK_ONE(pResult);
+
+        if (numBuckets == 0) {
+                PKIX_ERROR(PKIX_NUMBUCKETSEQUALSZERO);
+        }
+
+        /* Allocate a new hashtable */
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                (PKIX_HASHTABLE_TYPE,
+                sizeof (PKIX_PL_HashTable),
+                (PKIX_PL_Object **)&hashTable,
+                plContext),
+                PKIX_COULDNOTCREATEHASHTABLEOBJECT);
+
+        /* Create the underlying primitive hash table type */
+        PKIX_CHECK(pkix_pl_PrimHashTable_Create
+                    (numBuckets, &hashTable->primHash, plContext),
+                    PKIX_PRIMHASHTABLECREATEFAILED);
+
+        /* Create a lock for this table */
+        PKIX_CHECK(PKIX_PL_Mutex_Create(&hashTable->tableLock, plContext),
+                    PKIX_ERRORCREATINGTABLELOCK);
+
+        hashTable->maxEntriesPerBucket = maxEntriesPerBucket;
+
+        *pResult = hashTable;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(hashTable);
+        }
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Add (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Add(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        PKIX_PL_Object *value,
+        void *plContext)
+{
+        PKIX_PL_Mutex  *lockedMutex = NULL;
+        PKIX_PL_Object *deletedKey = NULL;
+        PKIX_PL_Object *deletedValue = NULL;
+        PKIX_UInt32 hashCode;
+        PKIX_PL_EqualsCallback keyComp;
+        PKIX_UInt32 bucketSize = 0;
+
+        PKIX_ENTER(HASHTABLE, "PKIX_PL_HashTable_Add");
+
+#if !defined(PKIX_OBJECT_LEAK_TEST)
+        PKIX_NULLCHECK_THREE(ht, key, value);
+#else
+        PKIX_NULLCHECK_TWO(key, value);
+
+        if (ht == NULL) {
+            PKIX_RETURN(HASHTABLE);
+        }
+#endif
+        /* Insert into primitive hashtable */
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode(key, &hashCode, plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(pkix_pl_Object_RetrieveEqualsCallback
+                    (key, &keyComp, plContext),
+                    PKIX_OBJECTRETRIEVEEQUALSCALLBACKFAILED);
+
+        PKIX_MUTEX_LOCK(ht->tableLock);
+
+        PKIX_CHECK(pkix_pl_PrimHashTable_GetBucketSize
+                (ht->primHash,
+                hashCode,
+                &bucketSize,
+                plContext),
+                PKIX_PRIMHASHTABLEGETBUCKETSIZEFAILED);
+
+        if (ht->maxEntriesPerBucket != 0 &&
+            bucketSize >= ht->maxEntriesPerBucket) {
+                /* drop the last one in the bucket */
+                PKIX_CHECK(pkix_pl_PrimHashTable_RemoveFIFO
+                        (ht->primHash,
+                        hashCode,
+                        (void **) &deletedKey,
+                        (void **) &deletedValue,
+                        plContext),
+                        PKIX_PRIMHASHTABLEGETBUCKETSIZEFAILED);
+                PKIX_DECREF(deletedKey);
+                PKIX_DECREF(deletedValue);
+        }
+
+        PKIX_CHECK(pkix_pl_PrimHashTable_Add
+                (ht->primHash,
+                (void *)key,
+                (void *)value,
+                hashCode,
+                keyComp,
+                plContext),
+                PKIX_PRIMHASHTABLEADDFAILED);
+
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_INCREF(key);
+        PKIX_INCREF(value);
+
+        /*
+         * we don't call PKIX_PL_InvalidateCache here b/c we have
+         * not implemented toString or hashcode for this Object
+         */
+
+cleanup:
+
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Remove (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Remove(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        void *plContext)
+{
+        PKIX_PL_Mutex  *lockedMutex = NULL;
+        PKIX_PL_Object *origKey = NULL;
+        PKIX_PL_Object *value = NULL;
+        PKIX_UInt32 hashCode;
+        PKIX_PL_EqualsCallback keyComp;
+
+        PKIX_ENTER(HASHTABLE, "PKIX_PL_HashTable_Remove");
+
+#if !defined(PKIX_OBJECT_LEAK_TEST)
+        PKIX_NULLCHECK_TWO(ht, key);
+#else
+        PKIX_NULLCHECK_ONE(key);
+
+        if (ht == NULL) {
+            PKIX_RETURN(HASHTABLE);
+        }
+#endif
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode(key, &hashCode, plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(pkix_pl_Object_RetrieveEqualsCallback
+                    (key, &keyComp, plContext),
+                    PKIX_OBJECTRETRIEVEEQUALSCALLBACKFAILED);
+
+        PKIX_MUTEX_LOCK(ht->tableLock);
+
+        /* Remove from primitive hashtable */
+        PKIX_CHECK(pkix_pl_PrimHashTable_Remove
+                (ht->primHash,
+                (void *)key,
+                hashCode,
+                keyComp,
+                (void **)&origKey,
+                (void **)&value,
+                plContext),
+                PKIX_PRIMHASHTABLEREMOVEFAILED);
+
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_DECREF(origKey);
+        PKIX_DECREF(value);
+
+        /*
+         * we don't call PKIX_PL_InvalidateCache here b/c we have
+         * not implemented toString or hashcode for this Object
+         */
+
+cleanup:
+
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: PKIX_PL_HashTable_Lookup (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_HashTable_Lookup(
+        PKIX_PL_HashTable *ht,
+        PKIX_PL_Object *key,
+        PKIX_PL_Object **pResult,
+        void *plContext)
+{
+        PKIX_PL_Mutex *lockedMutex = NULL;
+        PKIX_UInt32 hashCode;
+        PKIX_PL_EqualsCallback keyComp;
+        PKIX_PL_Object *result = NULL;
+
+        PKIX_ENTER(HASHTABLE, "PKIX_PL_HashTable_Lookup");
+
+#if !defined(PKIX_OBJECT_LEAK_TEST)
+        PKIX_NULLCHECK_THREE(ht, key, pResult);
+#else
+        PKIX_NULLCHECK_TWO(key, pResult);
+
+        if (ht == NULL) {
+            PKIX_RETURN(HASHTABLE);
+        }
+#endif
+
+        PKIX_CHECK(PKIX_PL_Object_Hashcode(key, &hashCode, plContext),
+                    PKIX_OBJECTHASHCODEFAILED);
+
+        PKIX_CHECK(pkix_pl_Object_RetrieveEqualsCallback
+                    (key, &keyComp, plContext),
+                    PKIX_OBJECTRETRIEVEEQUALSCALLBACKFAILED);
+
+        PKIX_MUTEX_LOCK(ht->tableLock);
+
+        /* Lookup in primitive hashtable */
+        PKIX_CHECK(pkix_pl_PrimHashTable_Lookup
+                (ht->primHash,
+                (void *)key,
+                hashCode,
+                keyComp,
+                (void **)&result,
+                plContext),
+                PKIX_PRIMHASHTABLELOOKUPFAILED);
+
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_INCREF(result);
+        *pResult = result;
+
+cleanup:
+        
+        PKIX_MUTEX_UNLOCK(ht->tableLock);
+
+        PKIX_RETURN(HASHTABLE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.h
new file mode 100755
index 000000000..17ee05e44
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.h
@@ -0,0 +1,62 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_hashtable.h
+ *
+ * Hashtable Object Definition
+ *
+ */
+
+#ifndef _PKIX_PL_HASHTABLE_H
+#define _PKIX_PL_HASHTABLE_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_HashTable_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_HASHTABLE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
new file mode 100755
index 000000000..0773f1fb7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -0,0 +1,304 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_lifecycle.c
+ *
+ * Lifecycle Functions for the PKIX PL library.
+ *
+ */
+
+#include "pkix_pl_lifecycle.h"
+
+PKIX_Boolean pkix_pl_initialized = PKIX_FALSE;
+pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+PRLock *classTableLock;
+PRLogModuleInfo *pkixLog = NULL;
+
+/*
+ * PKIX_ALLOC_ERROR is a special error object hard-coded into the
+ * pkix_error.o object file. It is thrown if system memory cannot be
+ * allocated. PKIX_ALLOC_ERROR is immutable.
+ * IncRef, DecRef, and Settor functions cannot be called.
+ */
+
+/* Keep this structure definition here for its is used only once here */
+struct PKIX_Alloc_Error_ObjectStruct {
+        PKIX_PL_Object header;
+        PKIX_Error error;
+};
+typedef struct PKIX_Alloc_Error_ObjectStruct PKIX_Alloc_Error_Object;
+
+static PKIX_Alloc_Error_Object pkix_Alloc_Error_Data = {
+    {
+        (PKIX_UInt32)PKIX_MAGIC_HEADER, /* PKIX_UInt32 magicHeader */
+        (PKIX_UInt32)PKIX_ERROR_TYPE,   /* PKIX_UInt32 type */
+        (PKIX_UInt32)1,                 /* PKIX_UInt32 references */
+        /* Warning! Cannot Ref Count with NULL lock */
+        (void *)0,                      /* PRLock *lock */
+        (PKIX_PL_String *)0,            /* PKIX_PL_String *stringRep */
+        (PKIX_UInt32)0,                 /* PKIX_UInt32 hashcode */
+        (PKIX_Boolean)PKIX_FALSE,       /* PKIX_Boolean hashcodeCached */
+    }, {
+        (PKIX_ERRORCODE)0,              /* PKIX_ERRORCODE errCode; */
+        (PKIX_ERRORCLASS)PKIX_FATAL_ERROR,/* PKIX_ERRORCLASS errClass */
+        (PKIX_UInt32)SEC_ERROR_LIBPKIX_INTERNAL, /* default PL Error Code */
+        (PKIX_Error *)0,                /* PKIX_Error *cause */
+        (PKIX_PL_Object *)0,            /* PKIX_PL_Object *info */
+   }
+};
+
+PKIX_Error* PKIX_ALLOC_ERROR(void)
+{
+    return &pkix_Alloc_Error_Data.error;
+}
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+SECStatus
+pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable)
+{
+    int   typeCounter = 0;
+
+    for (; typeCounter < PKIX_NUMTYPES; typeCounter++) {
+        pkix_ClassTable_Entry *entry = &systemClasses[typeCounter];
+
+        objCountTable[typeCounter] = entry->objCounter;
+    }
+
+    return SECSuccess;
+}
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+
+PKIX_UInt32
+pkix_pl_lifecycle_ObjectLeakCheck(int *initObjCountTable)
+{
+        int   typeCounter = 0;
+        PKIX_UInt32 numObjects = 0;
+        char  classNameBuff[128];
+        char *className = NULL;
+
+        for (; typeCounter < PKIX_NUMTYPES; typeCounter++) {
+                pkix_ClassTable_Entry *entry = &systemClasses[typeCounter];
+                PKIX_UInt32 objCountDiff = entry->objCounter;
+
+                if (initObjCountTable) {
+                    PKIX_UInt32 initialCount = initObjCountTable[typeCounter];
+                    objCountDiff = (entry->objCounter > initialCount) ?
+                        entry->objCounter - initialCount : 0;
+                }
+
+                numObjects += objCountDiff;
+                
+                if (!pkixLog || !objCountDiff) {
+                    continue;
+                }
+                className = entry->description;
+                if (!className) {
+                    className = classNameBuff;
+                    sprintf(className, "Unknown(ref %d)", 
+                            entry->objCounter);
+                }
+
+                PR_LOG(pkixLog, 1, ("Class %s leaked %d objects of "
+                        "size %d bytes, total = %d bytes\n", className, 
+                        objCountDiff, entry->typeObjectSize,
+                        objCountDiff * entry->typeObjectSize));
+        }
+ 
+        return numObjects;
+}
+
+/*
+ * PKIX_PL_Initialize (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Initialize(
+        PKIX_Boolean platformInitNeeded,
+        PKIX_Boolean useArenas,
+        void **pPlContext)
+{
+        void *plContext = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Initialize");
+
+        /*
+         * This function can only be called once. If it has already been
+         * called, we return a positive status.
+         */
+        if (pkix_pl_initialized) {
+            PKIX_RETURN(OBJECT);
+        }
+
+        classTableLock = PR_NewLock();
+        if (classTableLock == NULL) {
+            return PKIX_ALLOC_ERROR();
+        }
+
+        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+            pkixLog = PR_NewLogModule("pkix");
+        }
+        /*
+         * Register Object, it is the base object of all other objects.
+         */
+        pkix_pl_Object_RegisterSelf(plContext);
+
+        /*
+         * Register Error and String, since they will be needed if
+         * there is a problem in registering any other type.
+         */
+        pkix_Error_RegisterSelf(plContext);
+        pkix_pl_String_RegisterSelf(plContext);
+
+
+        /*
+         * We register all other system types
+         * (They don't need to be in order, but it's
+         * easier to keep track of what types are registered
+         * if we register them in the same order as their
+         * numbers, defined in pkixt.h.
+         */
+        pkix_pl_BigInt_RegisterSelf(plContext);   /* 1-10 */
+        pkix_pl_ByteArray_RegisterSelf(plContext);
+        pkix_pl_HashTable_RegisterSelf(plContext);
+        pkix_List_RegisterSelf(plContext);
+        pkix_Logger_RegisterSelf(plContext);
+        pkix_pl_Mutex_RegisterSelf(plContext);
+        pkix_pl_OID_RegisterSelf(plContext);
+        pkix_pl_RWLock_RegisterSelf(plContext);
+
+        pkix_pl_CertBasicConstraints_RegisterSelf(plContext); /* 11-20 */
+        pkix_pl_Cert_RegisterSelf(plContext);
+        pkix_pl_CRL_RegisterSelf(plContext);
+        pkix_pl_CRLEntry_RegisterSelf(plContext);
+        pkix_pl_Date_RegisterSelf(plContext);
+        pkix_pl_GeneralName_RegisterSelf(plContext);
+        pkix_pl_CertNameConstraints_RegisterSelf(plContext);
+        pkix_pl_PublicKey_RegisterSelf(plContext);
+        pkix_TrustAnchor_RegisterSelf(plContext);
+
+        pkix_pl_X500Name_RegisterSelf(plContext);   /* 21-30 */
+        pkix_pl_HttpCertStoreContext_RegisterSelf(plContext);
+        pkix_BuildResult_RegisterSelf(plContext);
+        pkix_ProcessingParams_RegisterSelf(plContext);
+        pkix_ValidateParams_RegisterSelf(plContext);
+        pkix_ValidateResult_RegisterSelf(plContext);
+        pkix_CertStore_RegisterSelf(plContext);
+        pkix_CertChainChecker_RegisterSelf(plContext);
+        pkix_RevocationChecker_RegisterSelf(plContext);
+        pkix_CertSelector_RegisterSelf(plContext);
+
+        pkix_ComCertSelParams_RegisterSelf(plContext);   /* 31-40 */
+        pkix_CRLSelector_RegisterSelf(plContext);
+        pkix_ComCRLSelParams_RegisterSelf(plContext);
+        pkix_pl_CertPolicyInfo_RegisterSelf(plContext);
+        pkix_pl_CertPolicyQualifier_RegisterSelf(plContext);
+        pkix_pl_CertPolicyMap_RegisterSelf(plContext);
+        pkix_PolicyNode_RegisterSelf(plContext);
+        pkix_TargetCertCheckerState_RegisterSelf(plContext);
+        pkix_BasicConstraintsCheckerState_RegisterSelf(plContext);
+        pkix_PolicyCheckerState_RegisterSelf(plContext);
+
+        pkix_pl_CollectionCertStoreContext_RegisterSelf(plContext); /* 41-50 */
+        pkix_DefaultCRLCheckerState_RegisterSelf(plContext);
+        pkix_ForwardBuilderState_RegisterSelf(plContext);
+        pkix_SignatureCheckerState_RegisterSelf(plContext);
+        pkix_NameConstraintsCheckerState_RegisterSelf(plContext);
+        pkix_DefaultRevocationChecker_RegisterSelf(plContext);
+        pkix_pl_LdapRequest_RegisterSelf(plContext);
+        pkix_pl_LdapResponse_RegisterSelf(plContext);
+        pkix_pl_LdapDefaultClient_RegisterSelf(plContext);
+        pkix_pl_Socket_RegisterSelf(plContext);
+
+        pkix_ResourceLimits_RegisterSelf(plContext); /* 51-59 */
+        pkix_pl_MonitorLock_RegisterSelf(plContext);
+        pkix_pl_InfoAccess_RegisterSelf(plContext);
+        pkix_pl_AIAMgr_RegisterSelf(plContext);
+        pkix_OcspChecker_RegisterSelf(plContext);
+        pkix_pl_OcspCertID_RegisterSelf(plContext);
+        pkix_pl_OcspRequest_RegisterSelf(plContext);
+        pkix_pl_OcspResponse_RegisterSelf(plContext);
+        pkix_pl_HttpDefaultClient_RegisterSelf(plContext);
+        pkix_VerifyNode_RegisterSelf(plContext);
+        pkix_pl_EkuChecker_RegisterSelf(plContext);
+
+        if (pPlContext) {
+            PKIX_CHECK(PKIX_PL_NssContext_Create
+                       (0, useArenas, NULL, &plContext),
+                       PKIX_NSSCONTEXTCREATEFAILED);
+            
+            *pPlContext = plContext;
+        }
+
+        pkix_pl_initialized = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * PKIX_PL_Shutdown (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Shutdown(void *plContext)
+{
+        PKIX_UInt32 numLeakedObjects = 0;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Shutdown");
+
+        if (!pkix_pl_initialized) {
+            /* The library was not initilized */
+            PKIX_RETURN(OBJECT);
+        }
+
+        PR_DestroyLock(classTableLock);
+
+        pkix_pl_HttpCertStore_Shutdown(plContext);
+
+        numLeakedObjects = pkix_pl_lifecycle_ObjectLeakCheck(NULL);
+        if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+           PORT_Assert(numLeakedObjects == 0);
+        }
+
+        if (plContext != NULL) {
+                PKIX_PL_NssContext_Destroy(plContext);
+        }
+
+        pkix_pl_initialized = PKIX_FALSE;
+
+        PKIX_RETURN(OBJECT);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
new file mode 100755
index 000000000..80e1e0027
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
@@ -0,0 +1,122 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_lifecycle.h
+ *
+ * Lifecycle Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_LIFECYCLE_H
+#define _PKIX_PL_LIFECYCLE_H
+
+#include "pkix_pl_common.h"
+#include "pkix_pl_oid.h"
+#include "pkix_pl_aiamgr.h"
+#include "pkix_pl_bigint.h"
+#include "pkix_pl_bytearray.h"
+#include "pkix_pl_hashtable.h"
+#include "pkix_pl_mutex.h"
+#include "pkix_pl_rwlock.h"
+#include "pkix_pl_monitorlock.h"
+#include "pkix_pl_string.h"
+#include "pkix_pl_cert.h"
+#include "pkix_pl_x500name.h"
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_publickey.h"
+#include "pkix_pl_date.h"
+#include "pkix_pl_basicconstraints.h"
+#include "pkix_pl_certpolicyinfo.h"
+#include "pkix_pl_certpolicymap.h"
+#include "pkix_pl_certpolicyqualifier.h"
+#include "pkix_pl_crlentry.h"
+#include "pkix_pl_crl.h"
+#include "pkix_pl_colcertstore.h"
+#include "pkix_pl_ldapcertstore.h"
+#include "pkix_pl_ldapdefaultclient.h"
+#include "pkix_pl_ldaprequest.h"
+#include "pkix_pl_ldapresponse.h"
+#include "pkix_pl_socket.h"
+#include "pkix_pl_infoaccess.h"
+#include "pkix_store.h"
+#include "pkix_error.h"
+#include "pkix_logger.h"
+#include "pkix_list.h"
+#include "pkix_trustanchor.h"
+#include "pkix_procparams.h"
+#include "pkix_valparams.h"
+#include "pkix_valresult.h"
+#include "pkix_verifynode.h"
+#include "pkix_resourcelimits.h"
+#include "pkix_certchainchecker.h"
+#include "pkix_revocationchecker.h"
+#include "pkix_certselector.h"
+#include "pkix_comcertselparams.h"
+#include "pkix_crlselector.h"
+#include "pkix_comcrlselparams.h"
+#include "pkix_targetcertchecker.h"
+#include "pkix_basicconstraintschecker.h"
+#include "pkix_policynode.h"
+#include "pkix_policychecker.h"
+#include "pkix_defaultcrlchecker.h"
+#include "pkix_signaturechecker.h"
+#include "pkix_buildresult.h"
+#include "pkix_build.h"
+#include "pkix_pl_nameconstraints.h"
+#include "pkix_nameconstraintschecker.h"
+#include "pkix_ocspchecker.h"
+#include "pkix_pl_ocspcertid.h"
+#include "pkix_pl_ocsprequest.h"
+#include "pkix_pl_ocspresponse.h"
+#include "pkix_pl_httpdefaultclient.h"
+#include "pkix_pl_httpcertstore.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_InitializeParamsStruct {
+        PKIX_List *loggers;
+        PKIX_UInt32 majorVersion;
+        PKIX_UInt32 minorVersion;
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_LIFECYCLE_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.c
new file mode 100755
index 000000000..90873fc62
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.c
@@ -0,0 +1,201 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_mem.c
+ *
+ * Memory Management Functions
+ *
+ */
+
+#include "pkix_pl_mem.h"
+
+/*
+ * FUNCTION: PKIX_PL_Malloc (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Malloc(
+        PKIX_UInt32 size,
+        void **pMemory,
+        void *plContext)
+{
+        PKIX_PL_NssContext *nssContext = NULL;
+        void *result = NULL;
+
+        PKIX_ENTER(MEM, "PKIX_PL_Malloc");
+        PKIX_NULLCHECK_ONE(pMemory);
+
+        if (size == 0){
+                *pMemory = NULL;
+        } else {
+
+                nssContext = (PKIX_PL_NssContext *)plContext; 
+
+                if (nssContext != NULL && nssContext->arena != NULL) {
+                    PKIX_MEM_DEBUG("\tCalling PORT_ArenaAlloc.\n");
+                    *pMemory = PORT_ArenaAlloc(nssContext->arena, size);
+                } else {
+                    PKIX_MEM_DEBUG("\tCalling PR_Malloc.\n");
+                    result = (void *) PR_Malloc(size);
+
+                    if (result == NULL) {
+                        PKIX_MEM_DEBUG("Fatal Error Occurred: "
+                                        "PR_Malloc failed.\n");
+                        PKIX_ERROR_ALLOC_ERROR();
+                    } else {
+                        *pMemory = result;
+                    }
+                }
+        }
+
+cleanup:
+        PKIX_RETURN(MEM);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Calloc (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Calloc(
+        PKIX_UInt32 nElem,
+        PKIX_UInt32 elSize,
+        void **pMemory,
+        void *plContext)
+{
+        PKIX_PL_NssContext *nssContext = NULL;
+        void *result = NULL;
+
+        PKIX_ENTER(MEM, "PKIX_PL_Calloc");
+        PKIX_NULLCHECK_ONE(pMemory);
+
+        if ((nElem == 0) || (elSize == 0)){
+                *pMemory = NULL;
+        } else {
+
+                nssContext = (PKIX_PL_NssContext *)plContext; 
+
+                if (nssContext != NULL && nssContext->arena != NULL) {
+                    PKIX_MEM_DEBUG("\tCalling PORT_ArenaAlloc.\n");
+                    *pMemory = PORT_ArenaAlloc(nssContext->arena, elSize);
+                } else {
+                    PKIX_MEM_DEBUG("\tCalling PR_Calloc.\n");
+                    result = (void *) PR_Calloc(nElem, elSize);
+
+                    if (result == NULL) {
+                        PKIX_MEM_DEBUG("Fatal Error Occurred: "
+                                        "PR_Calloc failed.\n");
+                        PKIX_ERROR_ALLOC_ERROR();
+                    } else {
+                        *pMemory = result;
+                    }
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(MEM);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Realloc (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Realloc(
+        void *ptr,
+        PKIX_UInt32 size,
+        void **pMemory,
+        void *plContext)
+{
+        PKIX_PL_NssContext *nssContext = NULL;
+        void *result = NULL;
+
+        PKIX_ENTER(MEM, "PKIX_PL_Realloc");
+        PKIX_NULLCHECK_ONE(pMemory);
+
+        nssContext = (PKIX_PL_NssContext *)plContext; 
+
+        if (nssContext != NULL && nssContext->arena != NULL) {
+                PKIX_MEM_DEBUG("\tCalling PORT_ArenaAlloc.\n");
+                result = PORT_ArenaAlloc(nssContext->arena, size);
+
+                if (result){
+                        PKIX_MEM_DEBUG("\tCalling PORT_Memcpy.\n");
+                        PORT_Memcpy(result, ptr, size);
+                }
+                *pMemory = result;
+        } else {
+                PKIX_MEM_DEBUG("\tCalling PR_Realloc.\n");
+                result = (void *) PR_Realloc(ptr, size);
+
+                if (result == NULL) {
+                        if (size == 0){
+                                *pMemory = NULL;
+                        } else {
+                                PKIX_MEM_DEBUG
+                                        ("Fatal Error Occurred: "
+                                        "PR_Realloc failed.\n");
+                                PKIX_ERROR_ALLOC_ERROR();
+                        }
+                } else {
+                        *pMemory = result;
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(MEM);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Free (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Free(
+        void *ptr,
+        /* ARGSUSED */ void *plContext)
+{
+        PKIX_PL_NssContext *context = NULL;
+
+        PKIX_ENTER(MEM, "PKIX_PL_Free");
+
+        context = (PKIX_PL_NssContext *) plContext;
+        if (context == NULL || context->arena == NULL) {
+            PKIX_MEM_DEBUG("\tCalling PR_Free.\n");
+            (void) PR_Free(ptr);
+        }
+
+        PKIX_RETURN(MEM);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.h
new file mode 100755
index 000000000..497f1277e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mem.h
@@ -0,0 +1,57 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_mem.h
+ *
+ * Memory Management Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_MEM_H
+#define _PKIX_PL_MEM_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_MEM_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.c
new file mode 100755
index 000000000..b5699e106
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.c
@@ -0,0 +1,169 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_monitorlock.c
+ *
+ * Read/Write Lock Functions
+ *
+ */
+
+#include "pkix_pl_monitorlock.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+static PKIX_Error *
+pkix_pl_MonitorLock_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_MonitorLock* monitorLock = NULL;
+
+        PKIX_ENTER(MONITORLOCK, "pkix_pl_MonitorLock_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_MONITORLOCK_TYPE, plContext),
+                    PKIX_OBJECTNOTMONITORLOCK);
+
+        monitorLock = (PKIX_PL_MonitorLock*) object;
+
+        PKIX_MONITORLOCK_DEBUG("Calling PR_DestroyMonitor)\n");
+        PR_DestroyMonitor(monitorLock->lock);
+        monitorLock->lock = NULL;
+
+cleanup:
+
+        PKIX_RETURN(MONITORLOCK);
+}
+
+/*
+ * FUNCTION: pkix_pl_MonitorLock_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_MONITORLOCK_TYPE and its related functions with
+ * systemClasses[].
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_MonitorLock_RegisterSelf(
+        void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(MONITORLOCK, "pkix_pl_MonitorLock_RegisterSelf");
+
+        entry.description = "MonitorLock";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_MonitorLock);
+        entry.destructor = pkix_pl_MonitorLock_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_MONITORLOCK_TYPE] = entry;
+
+        PKIX_RETURN(MONITORLOCK);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+PKIX_Error *
+PKIX_PL_MonitorLock_Create(
+        PKIX_PL_MonitorLock **pNewLock,
+        void *plContext)
+{
+        PKIX_PL_MonitorLock *monitorLock = NULL;
+
+        PKIX_ENTER(MONITORLOCK, "PKIX_PL_MonitorLock_Create");
+        PKIX_NULLCHECK_ONE(pNewLock);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_MONITORLOCK_TYPE,
+                    sizeof (PKIX_PL_MonitorLock),
+                    (PKIX_PL_Object **)&monitorLock,
+                    plContext),
+                    PKIX_ERRORALLOCATINGMONITORLOCK);
+
+        PKIX_MONITORLOCK_DEBUG("\tCalling PR_NewMonitor)\n");
+        monitorLock->lock = PR_NewMonitor();
+
+        if (monitorLock->lock == NULL) {
+                PKIX_DECREF(monitorLock);
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        *pNewLock = monitorLock;
+
+cleanup:
+
+        PKIX_RETURN(MONITORLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_MonitorLock_Enter(
+        PKIX_PL_MonitorLock *monitorLock,
+        void *plContext)
+{
+        PKIX_ENTER_NO_LOGGER(MONITORLOCK, "PKIX_PL_MonitorLock_Enter");
+        PKIX_NULLCHECK_ONE(monitorLock);
+
+        PKIX_MONITORLOCK_DEBUG("\tCalling PR_EnterMonitor)\n");
+        (void) PR_EnterMonitor(monitorLock->lock);
+
+        PKIX_RETURN_NO_LOGGER(MONITORLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_MonitorLock_Exit(
+        PKIX_PL_MonitorLock *monitorLock,
+        void *plContext)
+{
+        PKIX_ENTER_NO_LOGGER(MONITORLOCK, "PKIX_PL_MonitorLock_Exit");
+        PKIX_NULLCHECK_ONE(monitorLock);
+
+        PKIX_MONITORLOCK_DEBUG("\tCalling PR_ExitMonitor)\n");
+        PR_ExitMonitor(monitorLock->lock);
+
+        PKIX_RETURN_NO_LOGGER(MONITORLOCK);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.h
new file mode 100755
index 000000000..951ad7d1d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_monitorlock.h
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_monitorlock.h
+ *
+ * Read/Write Lock Definition
+ *
+ */
+
+#ifndef _PKIX_PL_MONITORLOCK_H
+#define _PKIX_PL_MONITORLOCK_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_MonitorLockStruct {
+        PRMonitor* lock;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_MonitorLock_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_MONITORLOCK_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.c
new file mode 100755
index 000000000..1d3d9d94d
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.c
@@ -0,0 +1,196 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_mutex.c
+ *
+ * Mutual Exclusion (Lock) Object Functions
+ *
+ */
+
+#include "pkix_pl_mutex.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Mutex_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_Mutex_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Mutex *mutex = NULL;
+
+        PKIX_ENTER(MUTEX, "pkix_pl_Mutex_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Sanity check: Test that "object" is a mutex */
+        PKIX_CHECK(pkix_CheckType(object, PKIX_MUTEX_TYPE, plContext),
+                    PKIX_OBJECTNOTMUTEX);
+
+        mutex = (PKIX_PL_Mutex*) object;
+
+        PKIX_MUTEX_DEBUG("\tCalling PR_DestroyLock).\n");
+        PR_DestroyLock(mutex->lock);
+        mutex->lock = NULL;
+
+cleanup:
+
+        PKIX_RETURN(MUTEX);
+}
+
+/*
+ * FUNCTION: pkix_pl_Mutex_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_MUTEX_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_Mutex_RegisterSelf(
+        /* ARGSUSED */ void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(MUTEX, "pkix_pl_Mutex_RegisterSelf");
+
+        entry.description = "Mutex";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_Mutex);
+        entry.destructor = pkix_pl_Mutex_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_MUTEX_TYPE] = entry;
+
+        PKIX_RETURN(MUTEX);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Create(
+        PKIX_PL_Mutex **pNewLock,
+        void *plContext)
+{
+        PKIX_PL_Mutex *mutex = NULL;
+
+        PKIX_ENTER(MUTEX, "PKIX_PL_Mutex_Create");
+        PKIX_NULLCHECK_ONE(pNewLock);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_MUTEX_TYPE,
+                    sizeof (PKIX_PL_Mutex),
+                    (PKIX_PL_Object **)&mutex,
+                    plContext),
+                    PKIX_COULDNOTCREATELOCKOBJECT);
+
+        PKIX_MUTEX_DEBUG("\tCalling PR_NewLock).\n");
+        mutex->lock = PR_NewLock();
+
+        /* If an error occured in NSPR, report it here */
+        if (mutex->lock == NULL) {
+                PKIX_DECREF(mutex);
+                PKIX_ERROR_ALLOC_ERROR();
+        }
+
+        *pNewLock = mutex;
+
+cleanup:
+
+        PKIX_RETURN(MUTEX);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Lock (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Lock(
+        PKIX_PL_Mutex *mutex,
+        void *plContext)
+{
+        PKIX_ENTER(MUTEX, "PKIX_PL_Mutex_Lock");
+        PKIX_NULLCHECK_ONE(mutex);
+
+        PKIX_MUTEX_DEBUG("\tCalling PR_Lock).\n");
+        PR_Lock(mutex->lock);
+
+        PKIX_MUTEX_DEBUG_ARG("(Thread %u just acquired the lock)\n",
+                        (PKIX_UInt32)PR_GetCurrentThread());
+
+        PKIX_RETURN(MUTEX);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Mutex_Unlock (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Mutex_Unlock(
+        PKIX_PL_Mutex *mutex,
+        void *plContext)
+{
+        PRStatus result;
+
+        PKIX_ENTER(MUTEX, "PKIX_PL_Mutex_Unlock");
+        PKIX_NULLCHECK_ONE(mutex);
+
+        PKIX_MUTEX_DEBUG("\tCalling PR_Unlock).\n");
+        result = PR_Unlock(mutex->lock);
+
+        PKIX_MUTEX_DEBUG_ARG("(Thread %u just released the lock)\n",
+                        (PKIX_UInt32)PR_GetCurrentThread());
+
+        if (result == PR_FAILURE) {
+                PKIX_ERROR_FATAL(PKIX_ERRORUNLOCKINGMUTEX);
+        }
+
+cleanup:
+        PKIX_RETURN(MUTEX);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.h
new file mode 100755
index 000000000..8c83021bb
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_mutex.h
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_mutex.h
+ *
+ * Mutual Exclusion (Lock) Object Type Definition
+ *
+ */
+
+#ifndef _PKIX_PL_MUTEX_H
+#define _PKIX_PL_MUTEX_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_MutexStruct {
+        PRLock* lock;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_Mutex_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_MUTEX_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
new file mode 100755
index 000000000..49de05e19
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
@@ -0,0 +1,1485 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_object.c
+ *
+ * Object Construction, Destruction and Callback Functions
+ *
+ */
+
+#include "pkix_pl_object.h"
+
+#ifdef PKIX_USER_OBJECT_TYPE
+/* --Class-Table-Initializers------------------------------------ */
+
+/*
+ * Create storage space for 20 Class Table buckets.
+ * These are only for user-defined types. System types are registered
+ * separately by PKIX_PL_Initialize.
+ */
+
+static pkix_pl_HT_Elem*
+pkix_Raw_ClassTable_Buckets[] = {
+        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
+/*
+ * Allocate static memory for a ClassTable.
+ * XXX This assumes the bucket pointer will fit into a PKIX_UInt32
+ */
+static pkix_pl_PrimHashTable pkix_Raw_ClassTable = {
+        (void *)pkix_Raw_ClassTable_Buckets, /* Buckets */
+        20 /* Number of Buckets */
+};
+static pkix_pl_PrimHashTable * classTable = &pkix_Raw_ClassTable;
+#endif /* PKIX_USER_OBJECT_TYPE */
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Object_GetHeader
+ * DESCRIPTION:
+ *
+ *  Shifts Object pointed to by "object" by the sizeof(PKIX_PL_Object) and
+ *  stores the value at "pObjectHeader".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to shift. Must be non-NULL.
+ *  "pObjectHeader"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Object_GetHeader(
+        PKIX_PL_Object *object,
+        PKIX_PL_Object **pObjectHeader,
+        void *plContext)
+{
+        PKIX_PL_Object *header = NULL;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_GetHeader");
+        PKIX_NULLCHECK_TWO(object, pObjectHeader);
+
+        PKIX_OBJECT_DEBUG("\tShifting object pointer).\n");
+
+        /* The header is sizeof(PKIX_PL_Object) before the object pointer */
+        header = (PKIX_PL_Object *)((char *)object - sizeof(PKIX_PL_Object));
+
+        objType = header->type;
+
+        if (objType >= PKIX_NUMTYPES) { /* if this is a user-defined type */
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+
+                PKIX_CHECK(pkix_pl_PrimHashTable_Lookup
+                            (classTable,
+                            (void *)&objType,
+                            objType,
+                            NULL,
+                            (void **)&ctEntry,
+                            plContext),
+                            PKIX_ERRORGETTINGCLASSTABLEENTRY);
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+
+                if (ctEntry == NULL) {
+                        PKIX_ERROR_FATAL(PKIX_UNKNOWNOBJECTTYPE);
+                }
+#else
+                PORT_Assert(objType < PKIX_NUMTYPES);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        }
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+        PORT_Assert(header && header->magicHeader == PKIX_MAGIC_HEADER);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+        if ((header == NULL)||
+            (header->magicHeader != PKIX_MAGIC_HEADER)) {
+                PKIX_ERROR_ALLOC_ERROR();
+        }
+
+        *pObjectHeader = header;
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_Destroy_Object
+ * DESCRIPTION:
+ *
+ *  Destroys and deallocates Object pointed to by "object". The caller is
+ *  assumed to hold the Object's lock, which is acquired in
+ *  PKIX_PL_Object_DecRef().
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to destroy. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Object_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+        PKIX_CHECK_FATAL(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+#else
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+        /* Attempt to delete an object still being used */
+        if (objectHeader->references != 0) {
+                PKIX_ERROR_FATAL(PKIX_OBJECTSTILLREFERENCED);
+        }
+
+        PKIX_DECREF(objectHeader->stringRep);
+
+        /* Destroy this object's lock */
+        PKIX_OBJECT_DEBUG("\tCalling PR_DestroyLock).\n");
+        PR_DestroyLock(objectHeader->lock);
+        objectHeader->lock = NULL;
+        object = NULL;
+
+        objectHeader->magicHeader = PKIX_MAGIC_HEADER_DESTROYED;
+
+#ifdef PKIX_OBJECT_LEAK_TEST
+        memset(objectHeader, 0xbf, systemClasses[PKIX_OBJECT_TYPE].typeObjectSize);
+#endif
+
+        PKIX_FREE(objectHeader);
+
+cleanup:
+#ifdef PKIX_OBJECT_LEAK_TEST
+fatal:
+#endif
+
+        PKIX_RETURN(OBJECT);
+}
+
+/* --Default-Callbacks-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_Object_Equals_Default
+ * DESCRIPTION:
+ *
+ *  Default Object_Equals callback: Compares the address of the Object pointed
+ *  to by "firstObject" with the address of the Object pointed to by
+ *  "secondObject" and stores the Boolean result at "pResult".
+ *
+ * PARAMETERS:
+ *  "firstObject"
+ *      Address of first Object to compare. Must be non-NULL.
+ *  "secondObject"
+ *      Address of second Object to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address where Boolean result will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Object_Equals_Default(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_Equals_Default");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* Just compare pointer values */
+        *pResult = (firstObject == secondObject)?PKIX_TRUE:PKIX_FALSE;
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Object_ToString_Default
+ * DESCRIPTION:
+ *
+ *  Default Object_ToString callback: Creates a string consisting of the
+ *  typename and address of the Object pointed to by "object" and stores
+ *  the result at "pString". The format for the string is
+ *  "TypeName@Address: <address>", where the default typename is "Object".
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to convert to a string. Must be non-NULL.
+ *  "pString"
+ *      Address where object pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Object_ToString_Default(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *formatString = NULL;
+        PKIX_PL_String *descString = NULL;
+        char *format = "%s@Address: %x";
+        char *description = NULL;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_ToString_Default");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(object, &objType, plContext),
+                    PKIX_OBJECTGETTYPEFAILED);
+
+        if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&objType,
+                        objType,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+                if (pkixErrorResult){
+                        PKIX_ERROR_FATAL(PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                }
+
+                if (ctEntry == NULL){
+                        PKIX_ERROR_FATAL(PKIX_UNDEFINEDCLASSTABLEENTRY);
+                } else {
+                        description = ctEntry->description;
+                        if (description == NULL) {
+                            description = "User Type Object";
+                        }
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                description = systemClasses[objType].description;
+        }
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    (void *)format,
+                    0,
+                    &formatString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII,
+                    (void *)description,
+                    0,
+                    &descString,
+                    plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        PKIX_CHECK(PKIX_PL_Sprintf
+                    (pString,
+                    plContext,
+                    formatString,
+                    descString,
+                    object),
+                    PKIX_SPRINTFFAILED);
+
+cleanup:
+
+        PKIX_DECREF(formatString);
+        PKIX_DECREF(descString);
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Object_Hashcode_Default
+ * DESCRIPTION:
+ *
+ *  Default Object_Hashcode callback. Creates the a hashcode value using the
+ *  address of the Object pointed to by "object" and stores the result at
+ *  "pValue".
+ *
+ *  XXX This isn't great since addresses are not uniformly distributed.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object to compute hashcode for. Must be non-NULL.
+ *  "pValue"
+ *      Address where PKIX_UInt32 will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_Object_Hashcode_Default(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pValue,
+        void *plContext)
+{
+#ifdef NSS_USE_64
+	union {
+		void *pointer;
+		PKIX_UInt32 hilo[2];
+	} extracter;
+#endif
+
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_Hashcode_Default");
+        PKIX_NULLCHECK_TWO(object, pValue);
+
+#ifdef NSS_USE_64
+	extracter.pointer = object;
+        *pValue = extracter.hilo[1];
+#else
+        *pValue = (PKIX_UInt32)object;
+#endif
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Object_RetrieveEqualsCallback
+ * DESCRIPTION:
+ *
+ *  Retrieves Equals callback function of Object pointed to by "object and
+ *  stores it at "pEqualsCallback". If the object's type is one of the system
+ *  types, its callback function is retrieved from the systemClasses array;
+ *  otherwise, its callback function is retrieve from the classTable hash
+ *  table where user-defined types are stored.
+ *
+ * PARAMETERS:
+ *  "object"
+ *      Address of Object whose equals callback is desired. Must be non-NULL.
+ *  "pEqualsCallback"
+ *      Address where EqualsCallback function pointer will be stored.
+ *      Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an Object Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_Object_RetrieveEqualsCallback(
+        PKIX_PL_Object *object,
+        PKIX_PL_EqualsCallback *pEqualsCallback,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+        PKIX_PL_EqualsCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "pkix_pl_Object_RetrieveEqualsCallback");
+        PKIX_NULLCHECK_TWO(object, pEqualsCallback);
+
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        objType = objectHeader->type;
+
+        if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&objType,
+                        objType,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+                if (pkixErrorResult){
+                        PKIX_ERROR(PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                }
+
+                if ((ctEntry == NULL) || (ctEntry->equalsFunction == NULL)) {
+                        PKIX_ERROR(PKIX_UNDEFINEDEQUALSCALLBACK);
+                } else {
+                        *pEqualsCallback = ctEntry->equalsFunction;
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                entry = systemClasses[objType];
+                func = entry.equalsFunction;
+                if (func == NULL){
+                        func = pkix_pl_Object_Equals_Default;
+                }
+                *pEqualsCallback = func;
+        }
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: pkix_pl_Object_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_OBJECT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ *
+ *  PKIX_PL_Object should have all function pointes to be to NULL: they
+ *  work as proxy function to a real objects.
+ *  
+ */
+PKIX_Error *
+pkix_pl_Object_RegisterSelf(void *plContext)
+{
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(ERROR, "pkix_pl_Object_RegisterSelf");
+
+        entry.description = "Object";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_Object);
+        entry.destructor = NULL;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_OBJECT_TYPE] = entry;
+
+        PKIX_RETURN(ERROR);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_Object_Alloc (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Alloc(
+        PKIX_TYPENUM objType,
+        PKIX_UInt32 size,
+        PKIX_PL_Object **pObject,
+        void *plContext)
+{
+        PKIX_PL_Object *object = NULL;
+        pkix_ClassTable_Entry *ctEntry = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Alloc");
+        PKIX_NULLCHECK_ONE(pObject);
+
+        /*
+         * We need to ensure that user-defined types have been registered.
+         * All system types have already been registered by PKIX_PL_Initialize.
+         */
+
+        if (objType >= PKIX_NUMTYPES) { /* i.e. if this is a user-defined type */
+#ifdef PKIX_USER_OBJECT_TYPE
+                PKIX_Boolean typeRegistered;
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&objType,
+                        objType,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+                if (pkixErrorResult){
+                        PKIX_ERROR_FATAL(PKIX_COULDNOTLOOKUPINHASHTABLE);
+                }
+
+                typeRegistered = (ctEntry != NULL);
+
+                if (!typeRegistered) {
+                        PKIX_ERROR_FATAL(PKIX_UNKNOWNTYPEARGUMENT);
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                ctEntry = &systemClasses[objType];
+        }
+        
+        PORT_Assert(size == ctEntry->typeObjectSize);
+
+        /* Allocate space for the object header and the requested size */
+#ifdef PKIX_OBJECT_LEAK_TEST       
+        PKIX_CHECK(PKIX_PL_Calloc
+                    (1,
+                    ((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+                    (void **)&object,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+#else
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+                    (void **)&object,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+#endif /* PKIX_OBJECT_LEAK_TEST */
+
+        /* Initialize all object fields */
+        object->magicHeader = PKIX_MAGIC_HEADER;
+        object->type = objType;
+        object->references = 1; /* Default to a single reference */
+        object->stringRep = NULL;
+        object->hashcode = 0;
+        object->hashcodeCached = 0;
+
+        /* Cannot use PKIX_PL_Mutex because it depends on Object */
+        /* Using NSPR Locks instead */
+        PKIX_OBJECT_DEBUG("\tCalling PR_NewLock).\n");
+        object->lock = PR_NewLock();
+        if (object->lock == NULL) {
+                PKIX_ERROR_ALLOC_ERROR();
+        }
+
+        PKIX_OBJECT_DEBUG("\tShifting object pointer).\n");
+
+
+        /* Return a pointer to the user data. Need to offset by object size */
+        *pObject = object + 1;
+        object = NULL;
+
+        /* Atomically increment object counter */
+        PR_AtomicIncrement(&ctEntry->objCounter);
+
+cleanup:
+
+        PKIX_FREE(object);
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_IsTypeRegistered (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_IsTypeRegistered(
+        PKIX_UInt32 objType,
+        PKIX_Boolean *pBool,
+        void *plContext)
+{
+#ifdef PKIX_USER_OBJECT_TYPE
+        pkix_ClassTable_Entry *ctEntry = NULL;
+#endif
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_IsTypeRegistered");
+        PKIX_NULLCHECK_ONE(pBool);
+
+        /* first, we handle the system types */
+        if (objType < PKIX_NUMTYPES) {
+                *pBool = PKIX_TRUE;
+                goto cleanup;
+        }
+
+#ifndef PKIX_USER_OBJECT_TYPE
+        PORT_Assert (0);
+        pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+        pkixErrorClass = PKIX_FATAL_ERROR;
+#else
+        PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+        PR_Lock(classTableLock);
+        pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                (classTable,
+                (void *)&objType,
+                objType,
+                NULL,
+                (void **)&ctEntry,
+                plContext);
+        PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+        PR_Unlock(classTableLock);
+
+        if (pkixErrorResult){
+                PKIX_ERROR_FATAL(PKIX_COULDNOTLOOKUPINHASHTABLE);
+        }
+
+        *pBool = (ctEntry != NULL);
+#endif /* PKIX_USER_OBJECT_TYPE */
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+#ifdef PKIX_USER_OBJECT_TYPE
+/*
+ * FUNCTION: PKIX_PL_Object_RegisterType (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_RegisterType(
+        PKIX_UInt32 objType,
+        char *description,
+        PKIX_PL_DestructorCallback destructor,
+        PKIX_PL_EqualsCallback equalsFunction,
+        PKIX_PL_HashcodeCallback hashcodeFunction,
+        PKIX_PL_ToStringCallback toStringFunction,
+        PKIX_PL_ComparatorCallback comparator,
+        PKIX_PL_DuplicateCallback duplicateFunction,
+        void *plContext)
+{
+        pkix_ClassTable_Entry *ctEntry = NULL;
+        pkix_pl_Integer *key = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_RegisterType");
+
+        /*
+         * System types are registered on startup by PKIX_PL_Initialize.
+         * These can not be overwritten.
+         */
+
+        if (objType < PKIX_NUMTYPES) { /* if this is a system type */
+                PKIX_ERROR(PKIX_CANTREREGISTERSYSTEMTYPE);
+        }
+
+        PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+        PR_Lock(classTableLock);
+        PKIX_CHECK(pkix_pl_PrimHashTable_Lookup
+                    (classTable,
+                    (void *)&objType,
+                    objType,
+                    NULL,
+                    (void **)&ctEntry,
+                    plContext),
+                    PKIX_PRIMHASHTABLELOOKUPFAILED);
+
+        /* If the type is already registered, throw an error */
+        if (ctEntry) {
+                PKIX_ERROR(PKIX_TYPEALREADYREGISTERED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (((PKIX_UInt32)sizeof (pkix_ClassTable_Entry)),
+                    (void **)&ctEntry,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        /* Set Default Values if none specified */
+
+        if (description == NULL){
+                description = "Object";
+        }
+
+        if (equalsFunction == NULL) {
+                equalsFunction = pkix_pl_Object_Equals_Default;
+        }
+
+        if (toStringFunction == NULL) {
+                toStringFunction = pkix_pl_Object_ToString_Default;
+        }
+
+        if (hashcodeFunction == NULL) {
+                hashcodeFunction = pkix_pl_Object_Hashcode_Default;
+        }
+
+        ctEntry->destructor = destructor;
+        ctEntry->equalsFunction = equalsFunction;
+        ctEntry->toStringFunction = toStringFunction;
+        ctEntry->hashcodeFunction = hashcodeFunction;
+        ctEntry->comparator = comparator;
+        ctEntry->duplicateFunction = duplicateFunction;
+        ctEntry->description = description;
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (((PKIX_UInt32)sizeof (pkix_pl_Integer)),
+                    (void **)&key,
+                    plContext),
+                    PKIX_COULDNOTMALLOCNEWKEY);
+
+        key->ht_int = objType;
+
+        PKIX_CHECK(pkix_pl_PrimHashTable_Add
+                    (classTable,
+                    (void *)key,
+                    (void *)ctEntry,
+                    objType,
+                    NULL,
+                    plContext),
+                    PKIX_PRIMHASHTABLEADDFAILED);
+
+cleanup:
+        PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+        PR_Unlock(classTableLock);
+
+        PKIX_RETURN(OBJECT);
+}
+#endif /* PKIX_USER_OBJECT_TYPE */
+
+/*
+ * FUNCTION: PKIX_PL_Object_IncRef (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_IncRef(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+        PKIX_PL_NssContext *context = NULL;
+        PKIX_Int32 refCount = 0;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_IncRef");
+        PKIX_NULLCHECK_ONE(object);
+
+        if (plContext){
+                /* 
+                 * PKIX_PL_NssContext is not a complete PKIX Type, it doesn't
+                 * have a header therefore we cannot verify its type before
+                 * casting.
+                 */  
+                context = (PKIX_PL_NssContext *) plContext;
+                if (context->arena != NULL) {
+                        goto cleanup;
+                }
+        }
+
+        if (object == (PKIX_PL_Object*)PKIX_ALLOC_ERROR()) {
+                goto cleanup;
+        }
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        /* This object should never have zero references */
+        refCount = PR_AtomicIncrement(&objectHeader->references);
+
+        if (refCount <= 1) {
+                PKIX_THROW(FATAL, PKIX_OBJECTWITHNONPOSITIVEREFERENCES);
+        }
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_DecRef (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_DecRef(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_Int32 refCount = 0;
+        PKIX_PL_Object *objectHeader = NULL;
+        PKIX_PL_NssContext *context = NULL;
+            
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_DecRef");
+        PKIX_NULLCHECK_ONE(object);
+
+        if (plContext){
+                /* 
+                 * PKIX_PL_NssContext is not a complete PKIX Type, it doesn't
+                 * have a header therefore we cannot verify its type before
+                 * casting.
+                 */  
+                context = (PKIX_PL_NssContext *) plContext;
+                if (context->arena != NULL) {
+                        goto cleanup;
+                }
+        }
+
+        if (object == (PKIX_PL_Object*)PKIX_ALLOC_ERROR()) {
+                goto cleanup;
+        }
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        refCount = PR_AtomicDecrement(&objectHeader->references);
+
+        if (refCount == 0) {
+            PKIX_PL_DestructorCallback destructor = NULL;
+            pkix_ClassTable_Entry *ctEntry = NULL;
+            PKIX_UInt32 objType = objectHeader->type;
+            
+            /* first, special handling for system types */
+            if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                    (classTable,
+                     (void *)&objType,
+                     objType,
+                     NULL,
+                     (void **)&ctEntry,
+                     plContext);
+                PKIX_OBJECT_DEBUG
+                    ("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+                if (pkixErrorResult){
+                    PKIX_ERROR_FATAL
+                        (PKIX_ERRORINGETTINGDESTRUCTOR);
+                }
+                
+                if (ctEntry != NULL){
+                    destructor = ctEntry->destructor;
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+            } else {
+                ctEntry = &systemClasses[objType];
+                destructor = ctEntry->destructor;
+            }
+            
+            if (destructor != NULL){
+                /* Call destructor on user data if necessary */
+                pkixErrorResult = destructor(object, plContext);
+                if (pkixErrorResult) {
+                    pkixErrorClass = PKIX_FATAL_ERROR;
+                    PKIX_DoAddError(stdVarsPtr, pkixErrorResult, plContext);
+                    pkixErrorResult = NULL;
+                }
+            }
+            
+            /* Atomically decrement object counter */
+            PR_AtomicDecrement(&ctEntry->objCounter);
+            
+            /* pkix_pl_Object_Destroy assumes the lock is held */
+            /* It will call unlock and destroy the object */
+            pkixErrorResult = pkix_pl_Object_Destroy(object, plContext);
+            goto cleanup;
+        }
+
+        if (refCount < 0) {
+            PKIX_ERROR_ALLOC_ERROR();
+        }
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+
+
+/*
+ * FUNCTION: PKIX_PL_Object_Equals (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_PL_Object *firstObjectHeader = NULL;
+        PKIX_PL_Object *secondObjectHeader = NULL;
+        PKIX_PL_EqualsCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (firstObject, &firstObjectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (secondObject, &secondObjectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        /* if hashcodes are cached but not equal, objects can't be equal */
+        if (firstObjectHeader->hashcodeCached &&
+            secondObjectHeader->hashcodeCached){
+                if (firstObjectHeader->hashcode !=
+                    secondObjectHeader->hashcode){
+                        *pResult = PKIX_FALSE;
+                        goto cleanup;
+                }
+        }
+
+        objType = firstObjectHeader->type;
+
+        if (objType >= PKIX_NUMTYPES) {
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&firstObjectHeader->type,
+                        firstObjectHeader->type,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+
+                if (pkixErrorResult){
+                        PKIX_ERROR_FATAL(PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                }
+
+                if ((ctEntry == NULL) || (ctEntry->equalsFunction == NULL)) {
+                        PKIX_ERROR_FATAL(PKIX_UNDEFINEDCALLBACK);
+                } else {
+                        func = ctEntry->equalsFunction;
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                entry = systemClasses[objType];
+                func = entry.equalsFunction;
+                if (func == NULL){
+                        func = pkix_pl_Object_Equals_Default;
+                }
+        }
+
+        PKIX_CHECK(func(firstObject, secondObject, pResult, plContext),
+                    PKIX_OBJECTSPECIFICFUNCTIONFAILED);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_Duplicate (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Duplicate(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object **pNewObject,
+        void *plContext)
+{
+        PKIX_PL_Object *firstObjectHeader = NULL;
+        PKIX_PL_DuplicateCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Duplicate");
+        PKIX_NULLCHECK_TWO(firstObject, pNewObject);
+
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (firstObject, &firstObjectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        objType = firstObjectHeader->type;
+
+        if (objType >= PKIX_NUMTYPES) {
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&objType,
+                        objType,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+
+                if (pkixErrorResult){
+                        PKIX_ERROR_FATAL(PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                }
+
+                if ((ctEntry == NULL) || (ctEntry->duplicateFunction == NULL)) {
+                        PKIX_ERROR_FATAL(PKIX_UNDEFINEDCALLBACK);
+                } else {
+                        func = ctEntry->duplicateFunction;
+                }
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                entry = systemClasses[objType];
+                func = entry.duplicateFunction;
+                if (!func){
+                        PKIX_ERROR_FATAL(PKIX_UNDEFINEDDUPLICATEFUNCTION);
+                }
+        }
+
+        PKIX_CHECK(func(firstObject, pNewObject, plContext),
+                    PKIX_OBJECTSPECIFICFUNCTIONFAILED);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_Hashcode (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pValue,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+        PKIX_PL_HashcodeCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_UInt32 objectHash;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pValue);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (!objectHeader->hashcodeCached){
+
+                PKIX_UInt32 objType = objectHeader->type;
+
+                /* first, special handling for system types */
+                if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE            
+                        pkix_ClassTable_Entry *ctEntry = NULL;
+
+                        PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                        PR_Lock(classTableLock);
+                        pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                                (classTable,
+                                (void *)&objType,
+                                objType,
+                                NULL,
+                                (void **)&ctEntry,
+                                plContext);
+                        PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                        PR_Unlock(classTableLock);
+
+                        if (pkixErrorResult){
+                                PKIX_ERROR_FATAL
+                                        (PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                        }
+
+                        if ((ctEntry == NULL) ||
+                            (ctEntry->hashcodeFunction == NULL)) {
+                                PKIX_ERROR_FATAL(PKIX_UNDEFINEDCALLBACK);
+                        }
+
+                        func = ctEntry->hashcodeFunction;
+#else
+                        PORT_Assert (0);
+                        pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                        pkixErrorClass = PKIX_FATAL_ERROR;
+                        goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+                } else {
+                        entry = systemClasses[objType];
+                        func = entry.hashcodeFunction;
+                        if (func == NULL){
+                                func = pkix_pl_Object_Hashcode_Default;
+                        }
+                }
+
+                PKIX_CHECK(func(object, &objectHash, plContext),
+                            PKIX_OBJECTSPECIFICFUNCTIONFAILED);
+
+                if (!objectHeader->hashcodeCached){
+
+                        PKIX_CHECK(pkix_LockObject(object, plContext),
+                                    PKIX_ERRORLOCKINGOBJECT);
+
+                        if (!objectHeader->hashcodeCached){
+                                /* save cached copy in case we need it again */
+                                objectHeader->hashcode = objectHash;
+                                objectHeader->hashcodeCached = PKIX_TRUE;
+                        }
+
+                        PKIX_CHECK(pkix_UnlockObject(object, plContext),
+                                    PKIX_ERRORUNLOCKINGOBJECT);
+                }
+        }
+
+        *pValue = objectHeader->hashcode;
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_ToString (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+        PKIX_PL_ToStringCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_PL_String *objectString = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        /* if we don't have a cached copy from before, we create one */
+        if (!objectHeader->stringRep){
+
+                PKIX_UInt32 objType = objectHeader->type;
+
+                if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE
+                        pkix_ClassTable_Entry *ctEntry = NULL;
+
+                        PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                        PR_Lock(classTableLock);
+                        pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                                (classTable,
+                                (void *)&objType,
+                                objType,
+                                NULL,
+                                (void **)&ctEntry,
+                                plContext);
+                        PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                        PR_Unlock(classTableLock);
+                        if (pkixErrorResult){
+                                PKIX_ERROR_FATAL
+                                        (PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                        }
+
+                        if ((ctEntry == NULL) ||
+                            (ctEntry->toStringFunction == NULL)) {
+                                PKIX_ERROR_FATAL(PKIX_UNDEFINEDCALLBACK);
+                        }
+
+                        func = ctEntry->toStringFunction;
+#else
+                        PORT_Assert (0);
+                        pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                        pkixErrorClass = PKIX_FATAL_ERROR;
+                        goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+                } else {
+                        entry = systemClasses[objType];
+                        func = entry.toStringFunction;
+                        if (func == NULL){
+                                func = pkix_pl_Object_ToString_Default;
+                        }
+                }
+
+                PKIX_CHECK(func(object, &objectString, plContext),
+                            PKIX_OBJECTSPECIFICFUNCTIONFAILED);
+
+                if (!objectHeader->stringRep){
+
+                        PKIX_CHECK(pkix_LockObject(object, plContext),
+                                    PKIX_ERRORLOCKINGOBJECT);
+
+                        if (!objectHeader->stringRep){
+                                /* save a cached copy */
+                                objectHeader->stringRep = objectString;
+                                objectString = NULL;
+                        }
+
+                        PKIX_CHECK(pkix_UnlockObject(object, plContext),
+                                    PKIX_ERRORUNLOCKINGOBJECT);
+                }
+        }
+
+
+        *pString = objectHeader->stringRep;
+        objectHeader->stringRep = NULL;
+
+cleanup:
+        if (objectHeader) {
+            PKIX_DECREF(objectHeader->stringRep);
+        }
+        PKIX_DECREF(objectString);
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_InvalidateCache (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_InvalidateCache(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_InvalidateCache");
+        PKIX_NULLCHECK_ONE(object);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        PKIX_CHECK(pkix_LockObject(object, plContext),
+                    PKIX_ERRORLOCKINGOBJECT);
+
+        /* invalidate hashcode */
+        objectHeader->hashcode = 0;
+        objectHeader->hashcodeCached = PKIX_FALSE;
+
+        PKIX_DECREF(objectHeader->stringRep);
+
+        PKIX_CHECK(pkix_UnlockObject(object, plContext),
+                    PKIX_ERRORUNLOCKINGOBJECT);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_Compare (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Compare(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_Object *firstObjectHeader = NULL;
+        PKIX_PL_Object *secondObjectHeader = NULL;
+        PKIX_PL_ComparatorCallback func = NULL;
+        pkix_ClassTable_Entry entry;
+        PKIX_UInt32 objType;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Compare");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (firstObject, &firstObjectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader
+                    (secondObject, &secondObjectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        objType = firstObjectHeader->type;
+
+        if (objType >= PKIX_NUMTYPES){
+#ifdef PKIX_USER_OBJECT_TYPE
+                pkix_ClassTable_Entry *ctEntry = NULL;
+
+                PKIX_OBJECT_DEBUG("\tCalling PR_Lock).\n");
+                PR_Lock(classTableLock);
+                pkixErrorResult = pkix_pl_PrimHashTable_Lookup
+                        (classTable,
+                        (void *)&objType,
+                        objType,
+                        NULL,
+                        (void **)&ctEntry,
+                        plContext);
+                PKIX_OBJECT_DEBUG("\tCalling PR_Unlock).\n");
+                PR_Unlock(classTableLock);
+                if (pkixErrorResult){
+                        PKIX_ERROR_FATAL(PKIX_ERRORGETTINGCLASSTABLEENTRY);
+                }
+
+                if ((ctEntry == NULL) || (ctEntry->comparator == NULL)) {
+                        PKIX_ERROR_FATAL(PKIX_UNDEFINEDCOMPARATOR);
+                }
+
+                func = ctEntry->comparator;
+#else
+                PORT_Assert (0);
+                pkixErrorCode = PKIX_UNKNOWNOBJECTTYPE;
+                pkixErrorClass = PKIX_FATAL_ERROR;
+                goto cleanup;
+#endif /* PKIX_USER_OBJECT_TYPE */
+        } else {
+                /* special handling for system types */
+                entry = systemClasses[objType];
+                func = entry.comparator;
+                if (!func){
+                        PKIX_ERROR(PKIX_UNDEFINEDCOMPARATOR);
+                }
+        }
+
+        PKIX_CHECK(func(firstObject, secondObject, pResult, plContext),
+                    PKIX_OBJECTSPECIFICFUNCTIONFAILED);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_Lock (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Lock(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Lock");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_LockObject(object, plContext),
+                    PKIX_LOCKOBJECTFAILED);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Object_Unlock (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_Unlock(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_Unlock");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_UnlockObject(object, plContext),
+                    PKIX_UNLOCKOBJECTFAILED);
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
+
+
+/*
+ * FUNCTION: PKIX_PL_Object_GetType (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Object_GetType(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pType,
+        void *plContext)
+{
+        PKIX_PL_Object *objectHeader = NULL;
+
+        PKIX_ENTER(OBJECT, "PKIX_PL_Object_GetType");
+        PKIX_NULLCHECK_TWO(object, pType);
+
+        /* Shift pointer from user data to object header */
+        PKIX_CHECK(pkix_pl_Object_GetHeader(object, &objectHeader, plContext),
+                    PKIX_RECEIVEDCORRUPTEDOBJECTARGUMENT);
+
+        *pType = objectHeader->type;
+
+cleanup:
+
+        PKIX_RETURN(OBJECT);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h
new file mode 100755
index 000000000..872f169cc
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h
@@ -0,0 +1,109 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_object.h
+ *
+ * Object Construction, Destruction and Callback Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_OBJECT_H
+#define _PKIX_PL_OBJECT_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Object Implementation Notes:
+ *
+ * Allocating a new object creates an object header and a block of
+ * uninitialized user data. A pointer to this uninitialized data is
+ * returned to the user. The structure looks as follows:
+ *
+ * +--------------------+
+ * | MAGIC HEADER       |
+ * | (object header)    |
+ * +--------------------+
+ * | user data          | -- pointer returned from PKIX_PL_Object_Alloc
+ * +--------------------+
+ *
+ * Object operations receive a pointer to raw user data as an argument.
+ * The macro HEADER(object) returns a pointer to the object header.
+ * An assertion then verifies that the first field is the MAGIC_HEADER.
+ */
+
+/* PKIX_PL_Object Structure Definition */
+struct PKIX_PL_ObjectStruct {
+        PKIX_UInt32 magicHeader;
+        PKIX_UInt32 type;
+        PKIX_Int32 references;
+        PRLock *lock;
+        PKIX_PL_String *stringRep;
+        PKIX_UInt32 hashcode;
+        PKIX_Boolean hashcodeCached;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_Object_RetrieveEqualsCallback(
+        PKIX_PL_Object *object,
+        PKIX_PL_EqualsCallback *equalsCallback,
+        void *plContext);
+
+extern PKIX_Boolean initializing;
+extern PKIX_Boolean initialized;
+
+#ifdef PKIX_USER_OBJECT_TYPE
+
+extern PRLock *classTableLock;
+
+#endif
+
+extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+
+PKIX_Error *
+pkix_pl_Object_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_OBJECT_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
new file mode 100755
index 000000000..b0333a126
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -0,0 +1,554 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_oid.c
+ *
+ * OID Object Functions
+ *
+ */
+
+#include "pkix_pl_oid.h"
+
+/* --Private-OID-Functions---------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_OID_Comparator
+ * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OID_Comparator(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_PL_OID *firstOID = NULL;
+        PKIX_PL_OID *secondOID = NULL;
+        PKIX_UInt32 minLength;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_Comparator");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        PKIX_CHECK(pkix_CheckTypes
+                    (firstObject, secondObject, PKIX_OID_TYPE, plContext),
+                    PKIX_ARGUMENTSNOTOIDS);
+
+        firstOID = (PKIX_PL_OID*)firstObject;
+        secondOID = (PKIX_PL_OID*)secondObject;
+
+        *pResult = 0;
+
+        minLength = (firstOID->length < secondOID->length)?
+                firstOID->length:
+                secondOID->length;
+
+        /* Check if both array contents are identical */
+        PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n");
+        *pResult = PORT_Memcmp
+                (firstOID->components,
+                secondOID->components,
+                minLength * sizeof (PKIX_UInt32));
+
+cleanup:
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OID_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_OID *oid = NULL;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
+                    PKIX_OBJECTNOTANOID);
+
+        oid = (PKIX_PL_OID*)object;
+
+        PKIX_FREE(oid->components);
+        oid->length = 0;
+
+cleanup:
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OID_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_OID *pkixOID = NULL;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_HashCode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
+                    PKIX_OBJECTNOTANOID);
+
+        pkixOID = (PKIX_PL_OID *)object;
+
+        PKIX_CHECK(pkix_hash
+                    ((unsigned char *)pkixOID->components,
+                    pkixOID->length * sizeof (PKIX_UInt32),
+                    pHashcode,
+                    plContext),
+                    PKIX_HASHFAILED);
+cleanup:
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OID_Equals(
+        PKIX_PL_Object *first,
+        PKIX_PL_Object *second,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Int32 cmpResult;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+        PKIX_NULLCHECK_THREE(first, second, pResult);
+
+        PKIX_CHECK(pkix_CheckType(first, PKIX_OID_TYPE, plContext),
+                    PKIX_FIRSTARGUMENTNOTANOID);
+
+        PKIX_CHECK(PKIX_PL_Object_GetType(second, &secondType, plContext),
+                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        *pResult = PKIX_FALSE;
+
+        /*
+         * Do a quick check that the second object is an OID.
+         * If so, check that their lengths are equal.
+         */
+        if ((secondType != PKIX_OID_TYPE)||
+            (((PKIX_PL_OID*)first)->length !=
+            ((PKIX_PL_OID*)second)->length)) {
+                goto cleanup;
+        }
+
+        PKIX_CHECK(pkix_pl_OID_Comparator
+                    (first, second, &cmpResult, plContext),
+                    PKIX_OIDCOMPARATORFAILED);
+
+        *pResult = (cmpResult == 0);
+
+cleanup:
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_OID_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_UInt32 *components = NULL;
+        PKIX_UInt32 length;
+        char *ascii = NULL;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_toString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
+                    PKIX_OBJECTNOTANOID);
+
+        components = ((PKIX_PL_OID*)object)->components;
+        length = ((PKIX_PL_OID*)object)->length;
+
+        PKIX_CHECK(pkix_pl_helperBytes2Ascii
+                    (components, length, &ascii, plContext),
+                    PKIX_HELPERBYTES2ASCIIFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, ascii, 0, pString, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PKIX_FREE(ascii);
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_OID_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_OID_RegisterSelf(
+        void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf");
+
+        entry.description = "OID";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_OID);
+        entry.destructor = pkix_pl_OID_Destroy;
+        entry.equalsFunction = pkix_pl_OID_Equals;
+        entry.hashcodeFunction = pkix_pl_OID_Hashcode;
+        entry.toStringFunction = pkix_pl_OID_ToString;
+        entry.comparator = pkix_pl_OID_Comparator;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_OID_TYPE] = entry;
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_GetNextToken
+ * DESCRIPTION:
+ *
+ *  This function is essentially a thread safe version of strtok, except
+ *  that we always use '.' (dot) for the token separator.
+ *
+ *  Searches for tokens in the string pointed to by "input", using '.' (dot)
+ *  as the token separator. If "input" contains multiple tokens, the first
+ *  token is stored at "pToken", the character immediately follow the first
+ *  token is replaced by a null character, and the rekmainder of "input" is
+ *  stored at "pRem". If no additional tokens are available, this function
+ *  stores NULL at "pToken".
+ *
+ * PARAMETERS
+ *  "input"
+ *      Address of string to be tokenized. May be NULL.
+ *  "pToken"
+ *      Destination for OID token. Must be non-NULL.
+ *  "pRem"
+ *      Destination for pointer to remainder of string. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns an OID Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_OID_GetNextToken(
+        char *input,
+        char **pToken,
+        char **pRem,
+        void *plContext)
+{
+        char *token = input;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken");
+        PKIX_NULLCHECK_TWO(pToken, pRem);
+
+        if (token == NULL){
+                *pToken = token;
+                goto cleanup;
+        }
+
+        while (*input != '.' && *input != '\0'){
+                input++;
+        }
+
+        if (*input == '.'){
+                *input = 0;
+                *pRem = input + 1;
+        } else { /* NULL case */
+                *pRem = NULL;
+        }
+
+        *pToken = token;
+
+cleanup:
+
+        PKIX_RETURN(OID);
+}
+
+/*
+ * FUNCTION: pkix_pl_OID_GetCriticalExtensionOIDs
+ * DESCRIPTION:
+ *
+ *  Converts the extensions in "extensions" array that are critical to
+ *  PKIX_PL_OID and returns the result as a PKIX_List in "pPidList".
+ *  If there is no critical extension, an empty list is returned.
+ *
+ * PARAMETERS
+ *  "extension"
+ *      an array of extension pointers. May be NULL.
+ *  "pOidsList"
+ *      Address where the list of OIDs is returned. Must be non-NULL.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a CRL Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_OID_GetCriticalExtensionOIDs(
+        CERTCertExtension **extensions,
+        PKIX_List **pOidsList,
+        void *plContext)
+{
+        PKIX_List *oidsList = NULL;
+        CERTCertExtension *extension = NULL;
+        PKIX_PL_OID *pkixOID = NULL;
+        SECItem critical;
+        SECItem oid;
+        char *oidAscii = NULL;
+
+        PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
+        PKIX_NULLCHECK_ONE(pOidsList);
+
+        PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
+                    PKIX_LISTCREATEFAILED);
+
+        if (extensions){
+
+                while (*extensions){
+                        extension = *extensions++;
+
+                    PKIX_NULLCHECK_ONE(extension);
+
+                    /* extension is critical */
+                    critical = extension->critical;
+
+                    if (critical.len != 0){
+
+                            if (critical.data[0] == 0xff) {
+                            oid = extension->id;
+
+                            PKIX_CHECK(pkix_pl_oidBytes2Ascii
+                                    (&oid, &oidAscii, plContext),
+                                    PKIX_OIDBYTES2ASCIIFAILED);
+
+                            PKIX_CHECK(PKIX_PL_OID_Create
+                                    (oidAscii, &pkixOID, plContext),
+                                    PKIX_OIDCREATEFAILED);
+
+                            PKIX_CHECK(PKIX_List_AppendItem
+                                    (oidsList,
+                                    (PKIX_PL_Object *)pkixOID,
+                                    plContext),
+                                    PKIX_LISTAPPENDITEMFAILED);
+                            }
+                    }
+
+                    PKIX_FREE(oidAscii);
+                    PKIX_DECREF(pkixOID);
+                }
+        }
+
+        *pOidsList = oidsList;
+        oidsList = NULL;
+        
+cleanup:
+        PKIX_DECREF(oidsList);
+        PKIX_FREE(oidAscii);
+        PKIX_DECREF(pkixOID);
+        PKIX_RETURN(OID);
+}
+
+/* --Public-Functions------------------------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_OID_Create(
+        char *stringRep,
+        PKIX_PL_OID **pOID,
+        void *plContext)
+{
+        PKIX_PL_OID *oid = NULL;
+        char *strCpy1 = NULL;
+        char *strCpy2 = NULL;
+        char *token = NULL;
+        PKIX_UInt32 numTokens, i, length;
+        PKIX_UInt32 value;
+        PKIX_Boolean firstFieldTwo;
+        PKIX_UInt32 *components = NULL;
+        char *rem = NULL;
+
+        PKIX_ENTER(OID, "PKIX_PL_OID_Create");
+        PKIX_NULLCHECK_TWO(pOID, stringRep);
+
+        PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
+        length = PL_strlen(stringRep);
+
+        if (length < 3) {
+                PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT);
+        }
+
+        for (i = 0; i < length; i++) {
+                if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) {
+                        PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID);
+                }
+        }
+
+        /* Check that string doesn't have extra dots */
+        if ((stringRep[0] == '.') ||
+            (stringRep[length-1] == '.')||
+            (PL_strstr(stringRep, "..") != NULL)) {
+                PKIX_ERROR(PKIX_ILLEGALDOTINOID);
+        }
+
+        PKIX_OID_DEBUG("\tCalling PL_strdup).\n");
+
+        strCpy1 = PL_strdup(stringRep);
+        strCpy2 = PL_strdup(stringRep);
+
+        /* Validate and tally the number of tokens */
+
+        PKIX_CHECK(pkix_pl_OID_GetNextToken
+                    (strCpy1, &token, &rem, plContext),
+                    PKIX_OIDGETNEXTTOKENFAILED);
+
+        for (numTokens = 0; token != NULL; numTokens++){
+                if (numTokens == 0) {
+                        /* We know the string is all digits */
+                        PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
+                        value = PORT_Atoi(token);
+                        if (value > 2) {
+                                PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02);
+                        }
+
+                        /* Set a flag if the first field is 2 */
+                        firstFieldTwo = (value == 2);
+                } else if (numTokens == 1) {
+                        PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
+                        value = PORT_Atoi(token);
+                        if ((!firstFieldTwo)&&(value > 39)) {
+                                PKIX_ERROR
+                                        (PKIX_SECONDFIELDMUSTBEBETWEEN039);
+                        }
+                }
+
+                /* Check for 32-bit overflow */
+                if (pkix_pl_UInt32_Overflows(token)){
+                        PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG);
+                }
+
+                PKIX_CHECK(pkix_pl_OID_GetNextToken
+                            (rem, &token, &rem, plContext),
+                            PKIX_OIDGETNEXTTOKENFAILED);
+        }
+
+        if (numTokens < 2) {
+                PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS);
+        }
+
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (numTokens * sizeof (PKIX_UInt32),
+                    (void **)&components, plContext),
+                    PKIX_MALLOCFAILED);
+
+        PKIX_CHECK(pkix_pl_OID_GetNextToken
+                    (strCpy2, &token, &rem, plContext),
+                    PKIX_OIDGETNEXTTOKENFAILED);
+
+        for (i = 0; token != NULL; i++){
+                PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
+                components[i] = PORT_Atoi(token);
+
+                PKIX_CHECK(pkix_pl_OID_GetNextToken
+                            (rem, &token, &rem, plContext),
+                            PKIX_OIDGETNEXTTOKENFAILED);
+        }
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_OID_TYPE,
+                    sizeof (PKIX_PL_OID),
+                    (PKIX_PL_Object **)&oid,
+                    plContext),
+                    PKIX_COULDNOTCREATEOBJECT);
+
+        oid->length = numTokens;
+        oid->components = components;
+
+        *pOID = oid;
+
+cleanup:
+
+        if (strCpy1){
+                PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
+                PL_strfree(strCpy1);
+        }
+
+        if (strCpy2){
+                PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
+                PL_strfree(strCpy2);
+        }
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(components);
+        }
+
+        PKIX_RETURN(OID);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
new file mode 100755
index 000000000..d0327909e
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
@@ -0,0 +1,73 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_oid.h
+ *
+ * OID Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_OID_H
+#define _PKIX_PL_OID_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_OIDStruct {
+        PKIX_UInt32 *components;
+        PKIX_UInt32 length;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_OID_RegisterSelf(void *plContext);
+
+PKIX_Error *
+pkix_pl_OID_GetCriticalExtensionOIDs(
+        CERTCertExtension **extensions,
+        PKIX_List **pOidsList,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_OID_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.c
new file mode 100755
index 000000000..4386c81af
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.c
@@ -0,0 +1,617 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_primhash.c
+ *
+ * Primitive (non-object) Hashtable Functions
+ *
+ */
+
+#include "pkix_pl_primhash.h"
+
+/* --Private-Functions---------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_KeyComparator_Default
+ * DESCRIPTION:
+ *
+ *  Compares the integer pointed to by "firstKey" with the integer pointed to
+ *  by "secondKey" for equality and stores the Boolean result at "pResult".
+ *  This default key comparator assumes each key is a PKIX_UInt32, and it
+ *  simply tests them for equality.
+ *
+ * PARAMETERS:
+ *  "firstKey"
+ *      Address of the first integer key to compare. Must be non-NULL.
+ *      The EqualsCallback for this Object will be called.
+ *  "secondKey"
+ *      Address of the second integer key to compare. Must be non-NULL.
+ *  "pResult"
+ *      Address where Boolean will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_pl_KeyComparator_Default(
+        PKIX_UInt32 *firstKey,
+        PKIX_UInt32 *secondKey,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        /* Assume both keys are pointers to PKIX_UInt32 */
+        PKIX_UInt32 firstInt, secondInt;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_KeyComparator_Default");
+        PKIX_NULLCHECK_THREE(firstKey, secondKey, pResult);
+
+        firstInt = *firstKey;
+        secondInt = *secondKey;
+
+        *pResult = (firstInt == secondInt)?PKIX_TRUE:PKIX_FALSE;
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_Create
+ * DESCRIPTION:
+ *
+ *  Creates a new PrimHashtable object with a number of buckets equal to
+ *  "numBuckets" and stores the result at "pResult".
+ *
+ * PARAMETERS:
+ *  "numBuckets"
+ *      The number of hash table buckets. Must be non-zero.
+ *  "pResult"
+ *      Address where PrimHashTable pointer will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_Create(
+        PKIX_UInt32 numBuckets,
+        pkix_pl_PrimHashTable **pResult,
+        void *plContext)
+{
+        pkix_pl_PrimHashTable *primHashTable = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Create");
+        PKIX_NULLCHECK_ONE(pResult);
+
+        if (numBuckets == 0) {
+                PKIX_ERROR(PKIX_NUMBUCKETSEQUALSZERO);
+        }
+
+        /* Allocate a new hashtable */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (sizeof (pkix_pl_PrimHashTable),
+                    (void **)&primHashTable,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        primHashTable->size = numBuckets;
+
+        /* Allocate space for the buckets */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (numBuckets * sizeof (pkix_pl_HT_Elem*),
+                    (void **)&primHashTable->buckets,
+                    plContext),
+                    PKIX_MALLOCFAILED);
+
+        for (i = 0; i < numBuckets; i++) {
+                primHashTable->buckets[i] = NULL;
+        }
+
+        *pResult = primHashTable;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_FREE(primHashTable);
+        }
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_Add
+ * DESCRIPTION:
+ *
+ *  Adds the value pointed to by "value" to the PrimHashTable pointed to by
+ *  "ht" using the key pointed to by "key" and the hashCode value equal to
+ *  "hashCode", using the function pointed to by "keyComp" to compare keys.
+ *  Assumes the key is either a PKIX_UInt32 or a PKIX_PL_Object. If the value
+ *  already exists in the hashtable, this function returns a non-fatal error.
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to insert into. Must be non-NULL.
+ *  "key"
+ *      Address of key. Typically a PKIX_UInt32 or PKIX_PL_Object.
+ *      Must be non-NULL.
+ *  "value"
+ *      Address of Object to be added to PrimHashtable. Must be non-NULL.
+ *  "hashCode"
+ *      Hashcode value of the key.
+ *  "keyComp"
+ *      Address of function used to determine if two keys are equal.
+ *      If NULL, pkix_pl_KeyComparator_Default is used.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HashTable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_Add(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        void *value,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void *plContext)
+{
+        pkix_pl_HT_Elem **elemPtr = NULL;
+        pkix_pl_HT_Elem *element = NULL;
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Add");
+        PKIX_NULLCHECK_THREE(ht, key, value);
+
+        for (elemPtr = &((ht->buckets)[hashCode%ht->size]), element = *elemPtr;
+            element != NULL; elemPtr = &(element->next), element = *elemPtr) {
+
+                if (element->hashCode != hashCode){
+                        /* no possibility of a match */
+                        continue;
+                }
+
+                if (keyComp == NULL){
+                        PKIX_CHECK(pkix_pl_KeyComparator_Default
+                                ((PKIX_UInt32 *)key,
+                                (PKIX_UInt32 *)(element->key),
+                                &compResult,
+                                plContext),
+                                PKIX_COULDNOTTESTWHETHERKEYSEQUAL);
+                } else {
+                        PKIX_CHECK(keyComp
+                                ((PKIX_PL_Object *)key,
+                                (PKIX_PL_Object *)(element->key),
+                                &compResult,
+                                plContext),
+                                PKIX_COULDNOTTESTWHETHERKEYSEQUAL);
+                }
+
+                if ((element->hashCode == hashCode) &&
+                    (compResult == PKIX_TRUE)){
+                        /* Same key already exists in the table */
+                    PKIX_ERROR(PKIX_ATTEMPTTOADDDUPLICATEKEY);
+                }
+        }
+
+        /* Next Element should be NULL at this point */
+        if (element != NULL) {
+                PKIX_ERROR(PKIX_ERRORTRAVERSINGBUCKET);
+        }
+
+        /* Create a new HT_Elem */
+        PKIX_CHECK(PKIX_PL_Malloc
+                    (sizeof (pkix_pl_HT_Elem), (void **)elemPtr, plContext),
+                    PKIX_MALLOCFAILED);
+
+        element = *elemPtr;
+
+        element->key = key;
+        element->value = value;
+        element->hashCode = hashCode;
+        element->next = NULL;
+
+cleanup:
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_Remove
+ * DESCRIPTION:
+ *
+ *  Removes any objects with the key pointed to by "key" and hashCode value
+ *  equal to "hashCode" from the PrimHashtable pointed to by "ht", using the
+ *  function pointed to by "keyComp" to compare keys, and stores the object's
+ *  value at "pResult". Assumes "key" is a PKIX_UInt32 or a PKIX_PL_Object.
+ *  This function sets "pResult" to NULL if the key is not in the hashtable.
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to remove object. Must be non-NULL.
+ *  "key"
+ *      Address of key for lookup. Typically a PKIX_UInt32 or PKIX_PL_Object.
+ *      Must be non-NULL.
+ *  "value"
+ *      Address of Object to be added to PrimHashtable. Must be non-NULL.
+ *  "hashCode"
+ *      Hashcode value of the key.
+ *  "keyComp"
+ *      Address of function used to determine if two keys are equal.
+ *      If NULL, pkix_pl_KeyComparator_Default is used.
+ *  "pResult"
+ *      Address where value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HashTable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_Remove(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void **pKey,
+        void **pValue,
+        void *plContext)
+{
+        pkix_pl_HT_Elem *element = NULL;
+        pkix_pl_HT_Elem *prior = NULL;
+        PKIX_Boolean compResult;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Remove");
+        PKIX_NULLCHECK_FOUR(ht, key, pKey, pValue);
+
+        *pKey = NULL;
+        *pValue = NULL;
+
+        for (element = ht->buckets[hashCode%ht->size], prior = element;
+            (element != NULL);
+            prior = element, element = element->next) {
+
+                if (element->hashCode != hashCode){
+                        /* no possibility of a match */
+                        continue;
+                }
+
+                if (keyComp == NULL){
+                        PKIX_CHECK(pkix_pl_KeyComparator_Default
+                                ((PKIX_UInt32 *)key,
+                                (PKIX_UInt32 *)(element->key),
+                                &compResult,
+                                plContext),
+                                PKIX_COULDNOTTESTWHETHERKEYSEQUAL);
+                } else {
+                        PKIX_CHECK(keyComp
+                                ((PKIX_PL_Object *)key,
+                                (PKIX_PL_Object *)(element->key),
+                                &compResult,
+                                plContext),
+                                PKIX_COULDNOTTESTWHETHERKEYSEQUAL);
+                }
+
+                if ((element->hashCode == hashCode) &&
+                    (compResult == PKIX_TRUE)){
+                        if (element != prior) {
+                                prior->next = element->next;
+                        } else {
+                                ht->buckets[hashCode%ht->size] = element->next;
+                        }
+                        *pKey = element->key;
+                        *pValue = element->value;
+                        element->key = NULL;
+                        element->value = NULL;
+                        element->next = NULL;
+                        PKIX_FREE(element);
+                        goto cleanup;
+                }
+        }
+
+cleanup:
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+
+/*
+ * FUNCTION: pkix_pl_HashTableLookup
+ * DESCRIPTION:
+ *
+ *  Looks up object using the key pointed to by "key" and hashCode value
+ *  equal to "hashCode" from the PrimHashtable pointed to by "ht", using the
+ *  function pointed to by "keyComp" to compare keys, and stores the object's
+ *  value at "pResult". Assumes "key" is a PKIX_UInt32 or a PKIX_PL_Object.
+ *  This function sets "pResult" to NULL if the key is not in the hashtable.
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to lookup object from. Must be non-NULL.
+ *  "key"
+ *      Address of key for lookup. Typically a PKIX_UInt32 or PKIX_PL_Object.
+ *      Must be non-NULL.
+ *  "keyComp"
+ *      Address of function used to determine if two keys are equal.
+ *      If NULL, pkix_pl_KeyComparator_Default is used.
+ *  "hashCode"
+ *      Hashcode value of the key.
+ *  "pResult"
+ *      Address where value will be stored. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Conditionally Thread Safe
+ *      (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_Lookup(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void **pResult,
+        void *plContext)
+{
+        pkix_pl_HT_Elem *element = NULL;
+        PKIX_Boolean compResult = PKIX_FALSE;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Lookup");
+        PKIX_NULLCHECK_THREE(ht, key, pResult);
+
+        *pResult = NULL;
+
+        for (element = (ht->buckets)[hashCode%ht->size];
+            (element != NULL) && (*pResult == NULL);
+            element = element->next) {
+
+                if (element->hashCode != hashCode){
+                        /* no possibility of a match */
+                        continue;
+                }
+
+                if (keyComp == NULL){
+                        PKIX_CHECK(pkix_pl_KeyComparator_Default
+                                ((PKIX_UInt32 *)key,
+                                (PKIX_UInt32 *)(element->key),
+                                &compResult,
+                                plContext),
+                                PKIX_COULDNOTTESTWHETHERKEYSEQUAL);
+                } else {
+                       pkixErrorResult =
+                           keyComp((PKIX_PL_Object *)key,
+                                   (PKIX_PL_Object *)(element->key),
+                                   &compResult,
+                                   plContext);
+                       if (pkixErrorResult) {
+                           pkixErrorClass = PKIX_FATAL_ERROR;
+                           pkixErrorCode = PKIX_COULDNOTTESTWHETHERKEYSEQUAL;
+                           goto cleanup;
+                       }
+                }
+
+                if ((element->hashCode == hashCode) &&
+                    (compResult == PKIX_TRUE)){
+                        *pResult = element->value;
+                        goto cleanup;
+                }
+        }
+
+        /* if we've reached here, specified key doesn't exist in hashtable */
+        *pResult = NULL;
+
+cleanup:
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_Destroy
+ *
+ *  Destroys PrimHashTable pointed to by "ht".
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to free. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS
+ *  Returns NULL if the function succeeds.
+ *  Returns a HashTable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_Destroy(
+        pkix_pl_PrimHashTable *ht,
+        void *plContext)
+{
+        pkix_pl_HT_Elem *element = NULL;
+        pkix_pl_HT_Elem *temp = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Destroy");
+        PKIX_NULLCHECK_ONE(ht);
+
+        /* Free each element (list) */
+        for (i = 0; i < ht->size; i++) {
+                for (element = ht->buckets[i];
+                    element != NULL;
+                    element = temp) {
+                        temp = element->next;
+                        element->value = NULL;
+                        element->key = NULL;
+                        element->hashCode = 0;
+                        element->next = NULL;
+                        PKIX_FREE(element);
+                }
+        }
+
+        /* Free the pointer to the list array */
+        PKIX_FREE(ht->buckets);
+        ht->size = 0;
+
+        /* Free the table itself */
+        PKIX_FREE(ht);
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_GetBucketSize
+ * DESCRIPTION:
+ *
+ *  Retruns number of entries in the bucket the "hashCode" is designated in
+ *  the hashtable "ht" in the address "pBucketSize".
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to get entries count. Must be non-NULL.
+ *  "hashCode"
+ *      Hashcode value of the key.
+ *  "pBucketSize"
+ *      Address that an PKIX_UInt32 is returned for number of entries in the
+ *      bucket associated with the hashCode. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HashTable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_GetBucketSize(
+        pkix_pl_PrimHashTable *ht,
+        PKIX_UInt32 hashCode,
+        PKIX_UInt32 *pBucketSize,
+        void *plContext)
+{
+        pkix_pl_HT_Elem **elemPtr = NULL;
+        pkix_pl_HT_Elem *element = NULL;
+        PKIX_UInt32 bucketSize = 0;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_GetBucketSize");
+        PKIX_NULLCHECK_TWO(ht, pBucketSize);
+
+        for (elemPtr = &((ht->buckets)[hashCode%ht->size]), element = *elemPtr;
+            element != NULL; elemPtr = &(element->next), element = *elemPtr) {
+                bucketSize++;
+	}
+
+        *pBucketSize = bucketSize;
+
+        PKIX_RETURN(HASHTABLE);
+}
+
+/*
+ * FUNCTION: pkix_pl_PrimHashTable_RemoveFIFO
+ * DESCRIPTION:
+ *
+ *  Remove the first entry in the bucket the "hashCode" is designated in
+ *  the hashtable "ht". Since new entry is added at end of the link list
+ *  the first one is the oldest (FI) therefore removed first (FO).
+ *
+ * PARAMETERS:
+ *  "ht"
+ *      Address of PrimHashtable to get entries count. Must be non-NULL.
+ *  "hashCode"
+ *      Hashcode value of the key.
+ *  "pKey"
+ *      Address of key of the entry deleted. Must be non-NULL.
+ *  "pValue"
+ *      Address of Value of the entry deleted. Must be non-NULL.
+ *  "plContext"
+ *      Platform-specific context pointer.
+ * THREAD SAFETY:
+ *  Not Thread Safe - assumes exclusive access to "ht"
+ *  (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ *  Returns NULL if the function succeeds.
+ *  Returns a HashTable Error if the function fails in a non-fatal way.
+ *  Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_pl_PrimHashTable_RemoveFIFO(
+        pkix_pl_PrimHashTable *ht,
+        PKIX_UInt32 hashCode,
+        void **pKey,
+        void **pValue,
+        void *plContext)
+{
+        pkix_pl_HT_Elem *element = NULL;
+
+        PKIX_ENTER(HASHTABLE, "pkix_pl_PrimHashTable_Remove");
+        PKIX_NULLCHECK_THREE(ht, pKey, pValue);
+
+        element = (ht->buckets)[hashCode%ht->size];
+
+        if (element != NULL) {
+
+                *pKey = element->key;
+                *pValue = element->value;
+                ht->buckets[hashCode%ht->size] = element->next;
+                element->key = NULL;
+                element->value = NULL;
+                element->next = NULL;
+                PKIX_FREE(element);
+        }
+
+        PKIX_RETURN(HASHTABLE);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.h
new file mode 100755
index 000000000..5fdf258ac
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_primhash.h
@@ -0,0 +1,135 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_primhash.h
+ *
+ * Primitive Hashtable Definition
+ *
+ */
+
+#ifndef _PKIX_PL_PRIMHASH_H
+#define _PKIX_PL_PRIMHASH_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_pl_HT_Elem pkix_pl_HT_Elem;
+
+typedef struct pkix_pl_PrimHashTable pkix_pl_PrimHashTable;
+
+typedef struct pkix_pl_Integer pkix_pl_Integer;
+
+struct pkix_pl_Integer{
+        PKIX_UInt32 ht_int;
+};
+
+struct pkix_pl_HT_Elem {
+        void *key;
+        void *value;
+        PKIX_UInt32 hashCode;
+        pkix_pl_HT_Elem *next;
+};
+
+struct pkix_pl_PrimHashTable {
+        pkix_pl_HT_Elem **buckets;
+        PKIX_UInt32 size;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_PrimHashTable_Create(
+        PKIX_UInt32 numBuckets,
+        pkix_pl_PrimHashTable **pResult,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_PrimHashTable_Add(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        void *value,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_PrimHashTable_Remove(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void **pKey,
+        void **pValue,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_PrimHashTable_Lookup(
+        pkix_pl_PrimHashTable *ht,
+        void *key,
+        PKIX_UInt32 hashCode,
+        PKIX_PL_EqualsCallback keyComp,
+        void **pResult,
+        void *plContext);
+
+PKIX_Error*
+pkix_pl_PrimHashTable_Destroy(
+        pkix_pl_PrimHashTable *ht,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_PrimHashTable_GetBucketSize(
+        pkix_pl_PrimHashTable *ht,
+        PKIX_UInt32 hashCode,
+        PKIX_UInt32 *pBucketSize,
+        void *plContext);
+
+PKIX_Error *
+pkix_pl_PrimHashTable_RemoveFIFO(
+        pkix_pl_PrimHashTable *ht,
+        PKIX_UInt32 hashCode,
+        void **pKey,
+        void **pValue,
+        void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_PRIMHASH_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.c
new file mode 100755
index 000000000..cedbddaed
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.c
@@ -0,0 +1,250 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_rwlock.c
+ *
+ * Read/Write Lock Functions
+ *
+ */
+
+#include "pkix_pl_rwlock.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+static PKIX_Error *
+pkix_pl_RWLock_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_RWLock* rwlock = NULL;
+
+        PKIX_ENTER(RWLOCK, "pkix_pl_RWLock_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_RWLOCK_TYPE, plContext),
+                    PKIX_OBJECTNOTRWLOCK);
+
+        rwlock = (PKIX_PL_RWLock*) object;
+
+        PKIX_RWLOCK_DEBUG("Calling PR_DestroyRWLock)\n");
+        PR_DestroyRWLock(rwlock->lock);
+        rwlock->lock = NULL;
+
+cleanup:
+
+        PKIX_RETURN(RWLOCK);
+}
+
+/*
+ * FUNCTION: pkix_pl_RWLock_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_RWLOCK_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_RWLock_RegisterSelf(
+        void *plContext)
+{
+
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(RWLOCK, "pkix_pl_RWLock_RegisterSelf");
+
+        entry.description = "RWLock";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_RWLock);
+        entry.destructor = pkix_pl_RWLock_Destroy;
+        entry.equalsFunction = NULL;
+        entry.hashcodeFunction = NULL;
+        entry.toStringFunction = NULL;
+        entry.comparator = NULL;
+        entry.duplicateFunction = NULL;
+
+        systemClasses[PKIX_RWLOCK_TYPE] = entry;
+
+        PKIX_RETURN(RWLOCK);
+}
+
+/* --Public-Functions--------------------------------------------- */
+
+PKIX_Error *
+PKIX_PL_RWLock_Create(
+        PKIX_PL_RWLock **pNewLock,
+        void *plContext)
+{
+        PKIX_PL_RWLock *rwLock = NULL;
+
+        PKIX_ENTER(RWLOCK, "PKIX_PL_RWLock_Create");
+        PKIX_NULLCHECK_ONE(pNewLock);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_RWLOCK_TYPE,
+                    sizeof (PKIX_PL_RWLock),
+                    (PKIX_PL_Object **)&rwLock,
+                    plContext),
+                    PKIX_ERRORALLOCATINGRWLOCK);
+
+        PKIX_RWLOCK_DEBUG("\tCalling PR_NewRWLock)\n");
+        rwLock->lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "PKIX RWLock");
+
+        if (rwLock->lock == NULL) {
+                PKIX_DECREF(rwLock);
+                PKIX_ERROR(PKIX_OUTOFMEMORY);
+        }
+
+        rwLock->readCount = 0;
+        rwLock->writeLocked = PKIX_FALSE;
+
+        *pNewLock = rwLock;
+
+cleanup:
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_AcquireReaderLock(
+        PKIX_PL_RWLock *lock,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_AcquireReaderLock");
+        PKIX_NULLCHECK_ONE(lock);
+
+        PKIX_RWLOCK_DEBUG("\tCalling PR_RWLock_Rlock)\n");
+        (void) PR_RWLock_Rlock(lock->lock);
+
+        lock->readCount++;
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_ReleaseReaderLock(
+        PKIX_PL_RWLock *lock,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_ReleaseReaderLock");
+        PKIX_NULLCHECK_ONE(lock);
+
+        PKIX_RWLOCK_DEBUG("\tCalling PR_RWLock_Unlock)\n");
+        (void) PR_RWLock_Unlock(lock->lock);
+
+        lock->readCount--;
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_IsReaderLockHeld(
+        PKIX_PL_RWLock *lock,
+        PKIX_Boolean *pIsHeld,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_IsReaderLockHeld");
+        PKIX_NULLCHECK_TWO(lock, pIsHeld);
+
+        *pIsHeld = (lock->readCount > 0)?PKIX_TRUE:PKIX_FALSE;
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_AcquireWriterLock(
+        PKIX_PL_RWLock *lock,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_AcquireWriterLock");
+        PKIX_NULLCHECK_ONE(lock);
+
+        PKIX_RWLOCK_DEBUG("\tCalling PR_RWLock_Wlock\n");
+        (void) PR_RWLock_Wlock(lock->lock);
+
+        if (lock->readCount > 0) {
+                PKIX_ERROR(PKIX_LOCKHASNONZEROREADCOUNT);
+        }
+
+        /* We should never acquire a write lock if the lock is held */
+        lock->writeLocked = PKIX_TRUE;
+
+cleanup:
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_ReleaseWriterLock(
+        PKIX_PL_RWLock *lock,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_ReleaseWriterLock");
+        PKIX_NULLCHECK_ONE(lock);
+
+        if (lock->readCount > 0) {
+                PKIX_ERROR(PKIX_LOCKHASNONZEROREADCOUNT);
+        }
+
+        PKIX_RWLOCK_DEBUG("\tCalling PR_RWLock_Unlock)\n");
+        (void) PR_RWLock_Unlock(lock->lock);
+
+        /* XXX Need to think about thread safety here */
+        /* There should be a single lock holder  */
+        lock->writeLocked = PKIX_FALSE;
+
+cleanup:
+
+        PKIX_RETURN(RWLOCK);
+}
+
+PKIX_Error *
+PKIX_PL_IsWriterLockHeld(
+        PKIX_PL_RWLock *lock,
+        PKIX_Boolean *pIsHeld,
+        void *plContext)
+{
+        PKIX_ENTER(RWLOCK, "PKIX_PL_IsWriterLockHeld");
+        PKIX_NULLCHECK_TWO(lock, pIsHeld);
+
+        *pIsHeld = lock->writeLocked;
+
+        PKIX_RETURN(RWLOCK);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.h
new file mode 100755
index 000000000..1f9d7261f
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_rwlock.h
@@ -0,0 +1,68 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_rwlock.h
+ *
+ * Read/Write Lock Definition
+ *
+ */
+
+#ifndef _PKIX_PL_RWLOCK_H
+#define _PKIX_PL_RWLOCK_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_RWLockStruct {
+        PRRWLock* lock;
+        PKIX_UInt32 readCount;
+        PKIX_Boolean writeLocked;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_RWLock_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_RWLOCK_H */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.c
new file mode 100755
index 000000000..0c129d9d7
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.c
@@ -0,0 +1,654 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_string.c
+ *
+ * String Object Functions
+ *
+ */
+
+#include "pkix_pl_string.h"
+
+/* --Private-String-Functions------------------------------------- */
+
+/*
+ * FUNCTION: pkix_pl_String_Comparator
+ * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
+ *
+ * NOTE:
+ *  This function is a utility function called by pkix_pl_String_Equals().
+ *  It is not officially registered as a comparator.
+ */
+static PKIX_Error *
+pkix_pl_String_Comparator(
+        PKIX_PL_String *firstString,
+        PKIX_PL_String *secondString,
+        PKIX_Int32 *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 i;
+        PKIX_Int32 result;
+        unsigned char *p1 = NULL;
+        unsigned char *p2 = NULL;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_Comparator");
+        PKIX_NULLCHECK_THREE(firstString, secondString, pResult);
+
+        result = 0;
+
+        p1 = (unsigned char*) firstString->utf16String;
+        p2 = (unsigned char*) secondString->utf16String;
+
+        /* Compare characters until you find a difference */
+        for (i = 0; ((i < firstString->utf16Length) &&
+                    (i < secondString->utf16Length) &&
+                    result == 0); i++, p1++, p2++) {
+                if (*p1 < *p2){
+                        result = -1;
+                } else if (*p1 > *p2){
+                        result = 1;
+                }
+        }
+
+        /* If two arrays are identical so far, the longer one is greater */
+        if (result == 0) {
+                if (firstString->utf16Length < secondString->utf16Length) {
+                        result = -1;
+                } else if (firstString->utf16Length >
+                            secondString->utf16Length) {
+                        result = 1;
+                }
+        }
+
+        *pResult = result;
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_pl_String_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_String_Destroy(
+        PKIX_PL_Object *object,
+        void *plContext)
+{
+        PKIX_PL_String *string = NULL;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_Destroy");
+        PKIX_NULLCHECK_ONE(object);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_STRING_TYPE, plContext),
+                    PKIX_ARGUMENTNOTSTRING);
+
+        string = (PKIX_PL_String*)object;
+
+        /* XXX For debugging Destroy EscASCII String  */
+        if (string->escAsciiString != NULL) {
+                PKIX_FREE(string->escAsciiString);
+                string->escAsciiString = NULL;
+                string->escAsciiLength = 0;
+        }
+
+        /* Destroy UTF16 String */
+        if (string->utf16String != NULL) {
+                PKIX_FREE(string->utf16String);
+                string->utf16String = NULL;
+                string->utf16Length = 0;
+        }
+
+cleanup:
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_pl_String_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_String_ToString(
+        PKIX_PL_Object *object,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *string = NULL;
+        char *ascii = NULL;
+        PKIX_UInt32 length;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_ToString");
+        PKIX_NULLCHECK_TWO(object, pString);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_STRING_TYPE, plContext),
+                    PKIX_ARGUMENTNOTSTRING);
+
+        string = (PKIX_PL_String*)object;
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                (string, PKIX_ESCASCII, (void **)&ascii, &length, plContext),
+                PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII, ascii, 0, pString, plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+        goto cleanup;
+
+cleanup:
+
+        PKIX_FREE(ascii);
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_pl_String_Equals
+ * (see comments for PKIX_PL_EqualsCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_String_Equals(
+        PKIX_PL_Object *firstObject,
+        PKIX_PL_Object *secondObject,
+        PKIX_Boolean *pResult,
+        void *plContext)
+{
+        PKIX_UInt32 secondType;
+        PKIX_Int32 cmpResult = 0;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_Equals");
+        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
+
+        /* Sanity check: Test that "firstObject" is a Strings */
+        PKIX_CHECK(pkix_CheckType(firstObject, PKIX_STRING_TYPE, plContext),
+                PKIX_FIRSTOBJECTNOTSTRING);
+
+        /* "SecondObject" doesn't have to be a string */
+        PKIX_CHECK(PKIX_PL_Object_GetType
+                (secondObject, &secondType, plContext),
+                PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
+
+        /* If types differ, then we will return false */
+        *pResult = PKIX_FALSE;
+
+        if (secondType != PKIX_STRING_TYPE) goto cleanup;
+
+        /* It's safe to cast here */
+        PKIX_CHECK(pkix_pl_String_Comparator
+                ((PKIX_PL_String*)firstObject,
+                (PKIX_PL_String*)secondObject,
+                &cmpResult,
+                plContext),
+                PKIX_STRINGCOMPARATORFAILED);
+
+        /* Strings are equal iff Comparator Result is 0 */
+        *pResult = (cmpResult == 0);
+
+cleanup:
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_pl_String_Hashcode
+ * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_pl_String_Hashcode(
+        PKIX_PL_Object *object,
+        PKIX_UInt32 *pHashcode,
+        void *plContext)
+{
+        PKIX_PL_String *string = NULL;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_Hashcode");
+        PKIX_NULLCHECK_TWO(object, pHashcode);
+
+        PKIX_CHECK(pkix_CheckType(object, PKIX_STRING_TYPE, plContext),
+                PKIX_OBJECTNOTSTRING);
+
+        string = (PKIX_PL_String*)object;
+
+        PKIX_CHECK(pkix_hash
+                ((const unsigned char *)string->utf16String,
+                string->utf16Length,
+                pHashcode,
+                plContext),
+                PKIX_HASHFAILED);
+
+cleanup:
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: pkix_pl_String_RegisterSelf
+ * DESCRIPTION:
+ *  Registers PKIX_STRING_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ *  Not Thread Safe - for performance and complexity reasons
+ *
+ *  Since this function is only called by PKIX_PL_Initialize, which should
+ *  only be called once, it is acceptable that this function is not
+ *  thread-safe.
+ */
+PKIX_Error *
+pkix_pl_String_RegisterSelf(
+        void *plContext)
+{
+        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+        pkix_ClassTable_Entry entry;
+
+        PKIX_ENTER(STRING, "pkix_pl_String_RegisterSelf");
+
+        entry.description = "String";
+        entry.objCounter = 0;
+        entry.typeObjectSize = sizeof(PKIX_PL_String);
+        entry.destructor = pkix_pl_String_Destroy;
+        entry.equalsFunction = pkix_pl_String_Equals;
+        entry.hashcodeFunction = pkix_pl_String_Hashcode;
+        entry.toStringFunction = pkix_pl_String_ToString;
+        entry.comparator = NULL;
+        entry.duplicateFunction = pkix_duplicateImmutable;
+
+        systemClasses[PKIX_STRING_TYPE] = entry;
+
+        PKIX_RETURN(STRING);
+}
+
+
+/* --Public-String-Functions----------------------------------------- */
+
+/*
+ * FUNCTION: PKIX_PL_String_Create (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_String_Create(
+        PKIX_UInt32 fmtIndicator,
+        const void *stringRep,
+        PKIX_UInt32 stringLen,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_PL_String *string = NULL;
+        unsigned char *utf16Char = NULL;
+        PKIX_UInt32 i;
+
+        PKIX_ENTER(STRING, "PKIX_PL_String_Create");
+        PKIX_NULLCHECK_TWO(pString, stringRep);
+
+        PKIX_CHECK(PKIX_PL_Object_Alloc
+                    (PKIX_STRING_TYPE,
+                    sizeof (PKIX_PL_String),
+                    (PKIX_PL_Object **)&string,
+                    plContext),
+                    PKIX_COULDNOTALLOCATENEWSTRINGOBJECT);
+
+        string->utf16String = NULL;
+        string->utf16Length = 0;
+
+        /* XXX For Debugging */
+        string->escAsciiString = NULL;
+        string->escAsciiLength = 0;
+
+        switch (fmtIndicator) {
+        case PKIX_ESCASCII: case PKIX_ESCASCII_DEBUG:
+                PKIX_STRING_DEBUG("\tCalling PL_strlen).\n");
+                string->escAsciiLength = PL_strlen(stringRep);
+
+                /* XXX Cache for Debugging */
+                PKIX_CHECK(PKIX_PL_Malloc
+                            ((string->escAsciiLength)+1,
+                            (void **)&string->escAsciiString,
+                            plContext),
+                            PKIX_MALLOCFAILED);
+
+                (void) PORT_Memcpy
+                        (string->escAsciiString,
+                        (void *)((char *)stringRep),
+                        (string->escAsciiLength)+1);
+
+                /* Convert the EscASCII string to UTF16 */
+                PKIX_CHECK(pkix_EscASCII_to_UTF16
+                            (string->escAsciiString,
+                            string->escAsciiLength,
+                            (fmtIndicator == PKIX_ESCASCII_DEBUG),
+                            &string->utf16String,
+                            &string->utf16Length,
+                            plContext),
+                            PKIX_ESCASCIITOUTF16FAILED);
+                break;
+        case PKIX_UTF8:
+                /* Convert the UTF8 string to UTF16 */
+                PKIX_CHECK(pkix_UTF8_to_UTF16
+                            (stringRep,
+                            stringLen,
+                            &string->utf16String,
+                            &string->utf16Length,
+                            plContext),
+                            PKIX_UTF8TOUTF16FAILED);
+                break;
+        case PKIX_UTF16:
+                /* UTF16 Strings must be even in length */
+                if (stringLen%2 == 1) {
+                        PKIX_DECREF(string);
+                        PKIX_ERROR(PKIX_UTF16ALIGNMENTERROR);
+                }
+
+                utf16Char = (unsigned char *)stringRep;
+
+                /* Make sure this is a valid UTF-16 String */
+                for (i = 0; \
+                    (i < stringLen) && (pkixErrorResult == NULL); \
+                    i += 2) {
+                        /* Check that surrogate pairs are valid */
+                        if ((utf16Char[i] >= 0xD8)&&
+                            (utf16Char[i] <= 0xDB)) {
+                                if ((i+2) >= stringLen) {
+                                  PKIX_ERROR(PKIX_UTF16HIGHZONEALIGNMENTERROR);
+                                  /* Second pair should be DC00-DFFF */
+                                } else if (!((utf16Char[i+2] >= 0xDC)&&
+                                      (utf16Char[i+2] <= 0xDF))) {
+                                  PKIX_ERROR(PKIX_UTF16LOWZONEERROR);
+                                } else {
+                                  /*  Surrogate quartet is valid. */
+                                  i += 2;
+                                }
+                        }
+                }
+
+                /* Create UTF16 String */
+                string->utf16Length = stringLen;
+
+                /* Alloc space for string */
+                PKIX_CHECK(PKIX_PL_Malloc
+                            (stringLen, &string->utf16String, plContext),
+                            PKIX_MALLOCFAILED);
+
+                PKIX_STRING_DEBUG("\tCalling PORT_Memcpy).\n");
+                (void) PORT_Memcpy
+                        (string->utf16String, stringRep, stringLen);
+                break;
+
+        default:
+                PKIX_ERROR(PKIX_UNKNOWNFORMAT);
+        }
+
+        *pString = string;
+
+cleanup:
+
+        if (PKIX_ERROR_RECEIVED){
+                PKIX_DECREF(string);
+        }
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: PKIX_PL_Sprintf (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_Sprintf(
+        PKIX_PL_String **pOut,
+        void *plContext,
+        const PKIX_PL_String *fmt,
+        ...)
+{
+        PKIX_PL_String *tempString = NULL;
+        PKIX_UInt32 tempUInt = 0;
+        void *pArg = NULL;
+        char *asciiText =  NULL;
+        char *asciiFormat = NULL;
+        char *convertedAsciiFormat = NULL;
+        char *convertedAsciiFormatBase = NULL;
+        va_list args;
+        PKIX_UInt32 length, i, j, dummyLen;
+
+        PKIX_ENTER(STRING, "PKIX_PL_Sprintf");
+        PKIX_NULLCHECK_TWO(pOut, fmt);
+
+        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                    ((PKIX_PL_String *)fmt,
+                    PKIX_ESCASCII,
+                    (void **)&asciiFormat,
+                    &length,
+                    plContext),
+                    PKIX_STRINGGETENCODEDFAILED);
+
+        PKIX_STRING_DEBUG("\tCalling PR_Malloc).\n");
+        convertedAsciiFormat = PR_Malloc(length + 1);
+        if (convertedAsciiFormat == NULL)
+                PKIX_ERROR_ALLOC_ERROR();
+
+        convertedAsciiFormatBase = convertedAsciiFormat;
+
+        PKIX_STRING_DEBUG("\tCalling va_start).\n");
+        va_start(args, fmt);
+
+        i = 0;
+        j = 0;
+        while (i < length) {
+                if ((asciiFormat[i] == '%')&&((i+1) < length)) {
+                        switch (asciiFormat[i+1]) {
+                        case 's':
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                convertedAsciiFormat[j] = '\0';
+
+                                tempString = va_arg(args, PKIX_PL_String *);
+                                if (tempString != NULL) {
+                                        PKIX_CHECK(PKIX_PL_String_GetEncoded
+                                                ((PKIX_PL_String*)
+                                                tempString,
+                                                PKIX_ESCASCII,
+                                                &pArg,
+                                                &dummyLen,
+                                                plContext),
+                                                PKIX_STRINGGETENCODEDFAILED);
+                                } else {
+                                        /* there may be a NULL in var_args */
+                                        pArg = NULL;
+                                }
+                                if (asciiText != NULL) {
+                                    asciiText = PR_sprintf_append(asciiText,
+                                          (const char *)convertedAsciiFormat,
+                                          pArg);
+                                } else {
+                                    asciiText = PR_smprintf
+                                        ((const char *)convertedAsciiFormat,
+                                        pArg);
+                                }
+                                if (pArg != NULL) {
+                                        PKIX_PL_Free(pArg, plContext);
+                                        pArg = NULL;
+                                }
+                                convertedAsciiFormat += j;
+                                j = 0;
+                                break;
+                         case 'd':
+                         case 'i':
+                         case 'o':
+                         case 'u':
+                         case 'x':
+                         case 'X':
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                convertedAsciiFormat[j] = '\0';
+
+                                tempUInt = va_arg(args, PKIX_UInt32);
+                                if (asciiText != NULL) {
+                                    asciiText = PR_sprintf_append(asciiText,
+                                          (const char *)convertedAsciiFormat,
+                                          tempUInt);
+                                } else {
+                                    asciiText = PR_smprintf
+                                        ((const char *)convertedAsciiFormat,
+                                        tempUInt);
+                                }     
+                                convertedAsciiFormat += j;
+                                j = 0;
+                                break;
+                        default:
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                convertedAsciiFormat[j++] = asciiFormat[i++];
+                                break;
+                        }
+                } else {
+                        convertedAsciiFormat[j++] = asciiFormat[i++];
+                }
+        }
+
+        /* for constant string value at end of fmt */
+        if (j > 0) {
+                convertedAsciiFormat[j] = '\0';
+                if (asciiText != NULL) {
+                    asciiText = PR_sprintf_append(asciiText,
+                                    (const char *)convertedAsciiFormat);
+                } else {
+                    asciiText = PR_smprintf((const char *)convertedAsciiFormat);
+                }
+        }
+
+        va_end(args);
+
+        /* Copy temporary char * into a string object */
+        PKIX_CHECK(PKIX_PL_String_Create
+                (PKIX_ESCASCII, (void *)asciiText, 0, pOut, plContext),
+                PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PKIX_FREE(asciiFormat);
+
+        if (convertedAsciiFormatBase){
+                PR_Free(convertedAsciiFormatBase);
+        }
+
+        if (asciiText){
+                PKIX_STRING_DEBUG("\tCalling PR_smprintf_free).\n");
+                PR_smprintf_free(asciiText);
+        }
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: PKIX_PL_GetString (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_GetString(
+        /* ARGSUSED */ PKIX_UInt32 stringID,
+        char *defaultString,
+        PKIX_PL_String **pString,
+        void *plContext)
+{
+        PKIX_ENTER(STRING, "PKIX_PL_GetString");
+        PKIX_NULLCHECK_TWO(pString, defaultString);
+
+        /* XXX Optimization - use stringID for caching */
+        PKIX_CHECK(PKIX_PL_String_Create
+                    (PKIX_ESCASCII, defaultString, 0, pString, plContext),
+                    PKIX_STRINGCREATEFAILED);
+
+cleanup:
+
+        PKIX_RETURN(STRING);
+}
+
+/*
+ * FUNCTION: PKIX_PL_String_GetEncoded (see comments in pkix_pl_system.h)
+ */
+PKIX_Error *
+PKIX_PL_String_GetEncoded(
+        PKIX_PL_String *string,
+        PKIX_UInt32 fmtIndicator,
+        void **pStringRep,
+        PKIX_UInt32 *pLength,
+        void *plContext)
+{
+        PKIX_ENTER(STRING, "PKIX_PL_String_GetEncoded");
+        PKIX_NULLCHECK_THREE(string, pStringRep, pLength);
+
+        switch (fmtIndicator) {
+        case PKIX_ESCASCII: case PKIX_ESCASCII_DEBUG:
+                PKIX_CHECK(pkix_UTF16_to_EscASCII
+                            (string->utf16String,
+                            string->utf16Length,
+                            (fmtIndicator == PKIX_ESCASCII_DEBUG),
+                            (char **)pStringRep,
+                            pLength,
+                            plContext),
+                            PKIX_UTF16TOESCASCIIFAILED);
+                break;
+        case PKIX_UTF8:
+                PKIX_CHECK(pkix_UTF16_to_UTF8
+                            (string->utf16String,
+                            string->utf16Length,
+                            PKIX_FALSE,
+                            pStringRep,
+                            pLength,
+                            plContext),
+                            PKIX_UTF16TOUTF8FAILED);
+                break;
+        case PKIX_UTF8_NULL_TERM:
+                PKIX_CHECK(pkix_UTF16_to_UTF8
+                            (string->utf16String,
+                            string->utf16Length,
+                            PKIX_TRUE,
+                            pStringRep,
+                            pLength,
+                            plContext),
+                            PKIX_UTF16TOUTF8FAILED);
+                break;
+        case PKIX_UTF16:
+                *pLength = string->utf16Length;
+
+                PKIX_CHECK(PKIX_PL_Malloc(*pLength, pStringRep, plContext),
+                            PKIX_MALLOCFAILED);
+
+                PKIX_STRING_DEBUG("\tCalling PORT_Memcpy).\n");
+                (void) PORT_Memcpy(*pStringRep, string->utf16String, *pLength);
+                break;
+        default:
+                PKIX_ERROR(PKIX_UNKNOWNFORMAT);
+        }
+
+cleanup:
+
+        PKIX_RETURN(STRING);
+}
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.h
new file mode 100755
index 000000000..d5d784bd3
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_string.h
@@ -0,0 +1,70 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_pl_string.h
+ *
+ * String Object Definitions
+ *
+ */
+
+#ifndef _PKIX_PL_STRING_H
+#define _PKIX_PL_STRING_H
+
+#include "pkix_pl_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct PKIX_PL_StringStruct {
+        void* utf16String;
+        PKIX_UInt32 utf16Length;
+        /* XXX For Debugging  */
+        char* escAsciiString;
+        PKIX_UInt32 escAsciiLength;
+};
+
+/* see source file for function documentation */
+
+PKIX_Error *
+pkix_pl_String_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_PL_STRING_H */
diff --git a/security/nss/lib/manifest.mn b/security/nss/lib/manifest.mn
new file mode 100644
index 000000000..935c2ccf6
--- /dev/null
+++ b/security/nss/lib/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../..
+DEPTH      = ../..
+
+#
+# organized by DLL
+#
+#  softoken and prereqs.
+#  stan (not a separate dll yet)
+#  libpkix (not a separate dll)
+#  nss base (traditional)
+#  ssl
+#  smime
+#  ckfw (builtins module)
+#  crmf jar (not dll's)
+DIRS =  util freebl softoken \
+	base dev pki pki1 \
+	libpkix \
+	certdb certhigh pk11wrap cryptohi nss \
+	ssl \
+	pkcs12 pkcs7 smime \
+	crmf jar \
+	ckfw      \
+	$(NULL)
+
+#  fortcrypt  is no longer built
+
+#
+# these dirs are not built at the moment
+#
+#NOBUILD_DIRS = jar
diff --git a/security/nss/lib/nss/Makefile b/security/nss/lib/nss/Makefile
new file mode 100644
index 000000000..a84a73705
--- /dev/null
+++ b/security/nss/lib/nss/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
diff --git a/security/nss/lib/nss/config.mk b/security/nss/lib/nss/config.mk
new file mode 100644
index 000000000..195448df1
--- /dev/null
+++ b/security/nss/lib/nss/config.mk
@@ -0,0 +1,160 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4\
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nssutil3.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)checker.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)params.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)results.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)top.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)util.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)crlsel.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)store.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)system.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)module.$(LIB_SUFFIX) \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../certhigh \
+	../cryptohi \
+	../pk11wrap \
+	../certdb \
+	../pki \
+	../dev \
+	../base \
+	../libpkix/pkix/certsel \
+	../libpkix/pkix/checker \
+	../libpkix/pkix/params \
+	../libpkix/pkix/results \
+	../libpkix/pkix/top \
+	../libpkix/pkix/util \
+	../libpkix/pkix/crlsel \
+	../libpkix/pkix/store \
+	../libpkix/pkix_pl_nss/pki \
+	../libpkix/pkix_pl_nss/system \
+	../libpkix/pkix_pl_nss/module \
+	$(NULL)
+
+ifeq ($(OS_TARGET),SunOS)
+ifeq ($(BUILD_SUN_PKG), 1)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+ifeq ($(USE_64), 1)
+MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
+else
+MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
+endif
+else
+MKSHLIB += -R '$$ORIGIN'
+endif
+endif
+
+ifeq ($(OS_ARCH), HP-UX) 
+ifneq ($(OS_TEST), ia64)
+# pa-risc
+ifeq ($(USE_64), 1)
+MKSHLIB += +b '$$ORIGIN'
+endif
+endif
+endif
+
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
+ifndef NS_USE_GCC
+# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
+# but do not put it in the import library.  See bug 142575.
+DEFINES += -DWIN32_NSS3_DLL_COMPAT
+DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
+endif
+endif
diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn
new file mode 100644
index 000000000..b3bbd97a2
--- /dev/null
+++ b/security/nss/lib/nss/manifest.mn
@@ -0,0 +1,63 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	nssrenam.h \
+	$(NULL)
+
+EXPORTS = \
+	nss.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	nssinit.c \
+	nssver.c \
+	utilwrap.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+MAPFILE = $(OBJDIR)/nss.def
+
+LIBRARY_NAME = nss
+LIBRARY_VERSION = 3
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
new file mode 100644
index 000000000..44edf672e
--- /dev/null
+++ b/security/nss/lib/nss/nss.def
@@ -0,0 +1,966 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.2 {       # NSS 3.2 release
+;+    global:
+LIBRARY nss3	;-
+EXPORTS		;-
+ATOB_AsciiToData;
+BTOA_ConvertItemToAscii;
+BTOA_DataToAscii;
+CERT_AsciiToName;
+CERT_CertTimesValid;
+CERT_CheckCertValidTimes;
+CERT_CreateCertificateRequest;
+CERT_ChangeCertTrust;
+CERT_DecodeDERCrl;
+CERT_DestroyCertificateRequest;
+CERT_DestroyCertList;
+CERT_DestroyName;
+CERT_EnableOCSPChecking;
+CERT_FormatName;
+CERT_DestroyCertificate;
+CERT_DupCertificate;
+CERT_FreeDistNames;
+CERT_FreeNicknames;
+CERT_GetAVATag;
+CERT_GetCertEmailAddress;
+CERT_GetCertNicknames;
+CERT_GetCertIssuerAndSN;
+CERT_GetCertTrust;
+CERT_GetCertUid;
+CERT_GetCommonName;
+CERT_GetCountryName;
+CERT_GetDBContentVersion;
+CERT_GetDefaultCertDB;
+CERT_GetDomainComponentName;
+CERT_GetLocalityName;
+CERT_GetOrgName;
+CERT_GetOrgUnitName;
+CERT_GetSSLCACerts;
+CERT_GetSlopTime;
+CERT_GetStateName;
+CERT_ImportCAChain;
+CERT_NameToAscii;
+CERT_RFC1485_EscapeAndQuote;
+CERT_SetSlopTime;
+CERT_VerifyCertName;
+CERT_VerifyCertNow;
+DER_UTCDayToAscii;
+DER_UTCTimeToAscii;
+DER_GeneralizedTimeToTime;
+NSS_Init;
+NSS_Initialize;
+NSS_InitReadWrite;
+NSS_NoDB_Init;
+NSS_Shutdown;
+NSS_VersionCheck;
+PK11_Authenticate;
+PK11_ChangePW;
+PK11_CheckUserPassword;
+PK11_CipherOp;
+PK11_CloneContext;
+PK11_ConfigurePKCS11;
+PK11_CreateContextBySymKey;
+PK11_CreateDigestContext;
+PK11_DestroyContext;
+PK11_DestroyTokenObject;
+PK11_DigestBegin;
+PK11_DigestOp;
+PK11_DigestFinal;
+PK11_DoesMechanism;
+PK11_FindCertFromNickname;
+PK11_FindCertFromDERCert;
+PK11_FindCertByIssuerAndSN;
+PK11_FindKeyByAnyCert;
+PK11_FindKeyByDERCert;
+PK11_FindSlotByName;
+PK11_Finalize;
+PK11_FortezzaHasKEA;
+PK11_FreeSlot;
+PK11_FreeSlotList;
+PK11_FreeSymKey;
+PK11_GenerateKeyPair;
+PK11_GenerateRandom;
+PK11_GenerateNewParam;
+PK11_GetAllTokens;
+PK11_GetBlockSize;
+PK11_GetFirstSafe;
+PK11_GetInternalKeySlot;
+PK11_GetInternalSlot;
+PK11_GetSlotName;
+PK11_GetTokenName;
+PK11_HashBuf;
+PK11_IsFIPS;
+PK11_IsFriendly;
+PK11_IsInternal;
+PK11_IsHW;
+PK11_IsPresent;
+PK11_IsReadOnly;
+PK11_KeyGen;
+PK11_ListCerts;
+PK11_NeedLogin;
+PK11_RandomUpdate;
+PK11_SetPasswordFunc;
+PK11_SetSlotPWValues;
+PORT_Alloc;
+PORT_Free;
+PORT_GetError;
+PORT_SetError;
+PORT_SetUCS4_UTF8ConversionFunction;
+PORT_SetUCS2_UTF8ConversionFunction;
+PORT_SetUCS2_ASCIIConversionFunction;
+SECITEM_CopyItem;
+SECITEM_DupItem;
+SECITEM_FreeItem;
+SECITEM_ZfreeItem;
+SECKEY_ConvertToPublicKey;
+SECKEY_CopyPrivateKey;
+SECKEY_CreateSubjectPublicKeyInfo;
+SECKEY_DestroyPrivateKey;
+SECKEY_DestroySubjectPublicKeyInfo;
+SECMOD_IsModulePresent;
+SECOID_FindOIDTagDescription;
+SECOID_GetAlgorithmTag;
+SEC_DeletePermCertificate;
+SEC_DeletePermCRL;
+SEC_DerSignData;
+SEC_DestroyCrl;
+SEC_FindCrlByDERCert;
+SEC_FindCrlByName;
+SEC_LookupCrls;
+SEC_NewCrl;
+;+#
+;+# The following symbols are exported only to make libssl3.so work. 
+;+# These are still private!!!
+;+#
+__CERT_NewTempCertificate;
+__PK11_CreateContextByRawKey;
+__PK11_GetKeyData;
+__nss_InitLock;
+CERT_CertChainFromCert;
+CERT_DestroyCertificateList;
+CERT_DupCertList;
+CERT_ExtractPublicKey;
+CERT_FindCertByName;
+DER_Lengths;
+DSAU_DecodeDerSig;
+DSAU_EncodeDerSig;
+HASH_GetHashObject;
+NSSRWLock_Destroy;
+NSSRWLock_HaveWriteLock;
+NSSRWLock_LockRead;
+NSSRWLock_LockWrite;
+NSSRWLock_New;
+NSSRWLock_UnlockRead;
+NSSRWLock_UnlockWrite;
+NSS_PutEnv;
+PK11_Derive;
+PK11_DeriveWithFlags;
+PK11_DigestKey;
+PK11_FindBestKEAMatch;
+PK11_FindFixedKey;
+PK11_GenerateFortezzaIV;
+PK11_GetBestKeyLength;
+PK11_GetBestSlot;
+PK11_GetBestSlotMultiple;
+PK11_GetBestWrapMechanism;
+PK11_GetCurrentWrapIndex;
+PK11_GetMechanism;
+PK11_GetModuleID;
+PK11_GetPrivateModulusLen;
+PK11_GetSlotFromKey;
+PK11_GetSlotFromPrivateKey;
+PK11_GetSlotID;
+PK11_GetSlotSeries;
+PK11_GetTokenInfo;
+PK11_GetWindow;
+PK11_GetWrapKey;
+PK11_IVFromParam;
+PK11_MakeKEAPubKey;
+PK11_ParamFromIV;
+PK11_PubDecryptRaw;
+PK11_PubDerive;
+PK11_PubEncryptRaw;
+PK11_PubUnwrapSymKey;
+PK11_PubWrapSymKey;
+PK11_ReferenceSymKey;
+PK11_RestoreContext;
+PK11_SaveContext;
+PK11_SetFortezzaHack;
+PK11_SetWrapKey;
+PK11_Sign;
+PK11_SignatureLen;
+PK11_SymKeyFromHandle;
+PK11_TokenExists;
+PK11_UnwrapSymKey;
+PK11_UnwrapSymKeyWithFlags;
+PK11_Verify;
+PK11_VerifyKeyOK;
+PK11_WrapSymKey;
+PORT_ArenaAlloc;
+PORT_ArenaZAlloc;
+PORT_FreeArena;
+PORT_NewArena;
+PORT_Realloc;
+PORT_ZAlloc;
+PORT_ZFree;
+RSA_FormatBlock;
+SECITEM_CompareItem;
+SECKEY_CreateRSAPrivateKey;
+SECKEY_DestroyPublicKey;
+SECKEY_PublicKeyStrength;
+SECKEY_UpdateCertPQG;
+SECMOD_LookupSlot;
+SGN_Begin;
+SGN_DestroyContext;
+SGN_End;
+SGN_NewContext;
+SGN_Update;
+VFY_Begin;
+VFY_CreateContext;
+VFY_DestroyContext;
+VFY_End;
+VFY_Update;
+;+#
+;+# The following symbols are exported only to make libsmime3.so work. 
+;+# These are still private!!!
+;+#
+__CERT_ClosePermCertDB;
+__CERT_DecodeDERCertificate;
+__CERT_TraversePermCertsForNickname;
+__CERT_TraversePermCertsForSubject;
+__PBE_CreateContext;
+__PBE_DestroyContext;
+__PBE_GenerateBits;
+ATOB_ConvertAsciiToItem;
+CERT_AddCertToListTail;
+CERT_CertListFromCert;
+CERT_DestroyCertArray;
+CERT_FindCertByDERCert;
+CERT_FindCertByIssuerAndSN;
+CERT_FindSMimeProfile;
+CERT_ImportCerts;
+CERT_NewCertList;
+CERT_OpenCertDBFilename;
+CERT_SaveSMimeProfile;
+CERT_VerifyCert;
+DER_GetInteger;
+DER_TimeToUTCTime;
+DER_UTCTimeToTime;
+PK11_AlgtagToMechanism;
+PK11_BlockData;
+PK11_CreatePBEAlgorithmID;
+PK11_DestroyObject;
+PK11_ExportEncryptedPrivateKeyInfo;
+PK11_ExportPrivateKeyInfo;
+PK11_FindCertAndKeyByRecipientList;
+PK11_FindCertAndKeyByRecipientListNew;
+PK11_FindCertInSlot;
+PK11_FindPrivateKeyFromCert;
+PK11_FortezzaMapSig;
+PK11_GetKeyLength;
+PK11_GetKeyStrength;
+PK11_ImportCertForKeyToSlot;
+PK11_ImportEncryptedPrivateKeyInfo;
+PK11_ImportPrivateKeyInfo;
+PK11_MapPBEMechanismToCryptoMechanism;
+PK11_PBEKeyGen;
+PK11_ParamFromAlgid;
+PK11_ParamToAlgid;
+PK11_TraverseCertsForNicknameInSlot;
+PK11_TraverseCertsForSubjectInSlot;
+PORT_ArenaGrow;
+PORT_ArenaMark;
+PORT_ArenaRelease;
+PORT_ArenaStrdup;
+PORT_ArenaUnmark;
+PORT_UCS2_ASCIIConversion;
+PORT_UCS2_UTF8Conversion;
+SECITEM_AllocItem;
+SECKEY_CopyEncryptedPrivateKeyInfo;
+SECKEY_CopyPrivateKeyInfo;
+SECKEY_DestroyEncryptedPrivateKeyInfo;
+SECKEY_DestroyPrivateKeyInfo;
+SECOID_CompareAlgorithmID;
+SECOID_CopyAlgorithmID;
+SECOID_DestroyAlgorithmID;
+SECOID_FindOID;
+SECOID_FindOIDByTag;
+SECOID_FindOIDTag;
+SECOID_SetAlgorithmID;
+SEC_ASN1DecodeInteger;
+SEC_ASN1DecodeItem;
+SEC_ASN1DecoderClearFilterProc;
+SEC_ASN1DecoderClearNotifyProc;
+SEC_ASN1DecoderFinish;
+SEC_ASN1DecoderSetFilterProc;
+SEC_ASN1DecoderSetNotifyProc;
+SEC_ASN1DecoderStart;
+SEC_ASN1DecoderUpdate;
+SEC_ASN1Encode;
+SEC_ASN1EncodeInteger;
+SEC_ASN1EncodeItem;
+SEC_ASN1EncoderClearNotifyProc;
+SEC_ASN1EncoderClearStreaming;
+SEC_ASN1EncoderClearTakeFromBuf;
+SEC_ASN1EncoderFinish;
+SEC_ASN1EncoderSetNotifyProc;
+SEC_ASN1EncoderSetStreaming;
+SEC_ASN1EncoderSetTakeFromBuf;
+SEC_ASN1EncoderStart;
+SEC_ASN1EncoderUpdate;
+SEC_ASN1LengthLength;
+SEC_PKCS5GetCryptoAlgorithm;
+SEC_PKCS5GetKeyLength;
+SEC_PKCS5GetPBEAlgorithm;
+SEC_PKCS5IsAlgorithmPBEAlg;
+SEC_SignData;
+SGN_CompareDigestInfo;
+SGN_CopyDigestInfo;
+SGN_CreateDigestInfo;
+SGN_DestroyDigestInfo;
+SGN_Digest;
+VFY_VerifyData;
+VFY_VerifyDigest;
+;+#
+;+# Data objects
+;+#
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;+# Use the SEC_ASN1_GET / SEC_ASN1_SUB / SEC_ASN1_XTRN macros to access them.
+;;CERT_CrlTemplate DATA ;
+;;CERT_SignedDataTemplate DATA ;
+;;CERT_CertificateTemplate DATA ;
+;;CERT_CertificateRequestTemplate DATA ;
+;;CERT_IssuerAndSNTemplate DATA ;
+;;CERT_SetOfSignedCrlTemplate DATA ;
+;;SECKEY_DSAPublicKeyTemplate DATA ;
+;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PrivateKeyInfoTemplate DATA ;
+;;SECKEY_RSAPublicKeyTemplate DATA ;
+;;SECOID_AlgorithmIDTemplate DATA ;
+;;SEC_AnyTemplate DATA ;
+;;SEC_BMPStringTemplate DATA ;
+;;SEC_BitStringTemplate DATA ;
+;;SEC_GeneralizedTimeTemplate DATA ;
+;;SEC_IA5StringTemplate DATA ;
+;;SEC_IntegerTemplate DATA ;
+;;SEC_ObjectIDTemplate DATA ;
+;;SEC_OctetStringTemplate DATA ;
+;;SEC_PointerToAnyTemplate DATA ;
+;;SEC_PointerToOctetStringTemplate DATA ;
+;;SEC_SetOfAnyTemplate DATA ;
+;;SEC_UTCTimeTemplate DATA ;
+;;sgn_DigestInfoTemplate DATA ;
+NSS_Get_CERT_CrlTemplate;
+NSS_Get_CERT_SignedDataTemplate;
+NSS_Get_CERT_CertificateTemplate;
+NSS_Get_CERT_CertificateRequestTemplate;
+NSS_Get_CERT_IssuerAndSNTemplate;
+NSS_Get_CERT_SetOfSignedCrlTemplate;
+NSS_Get_SECKEY_DSAPublicKeyTemplate;
+NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+NSS_Get_SECKEY_RSAPublicKeyTemplate;
+NSS_Get_SECOID_AlgorithmIDTemplate;
+NSS_Get_SEC_AnyTemplate;
+NSS_Get_SEC_BMPStringTemplate;
+NSS_Get_SEC_BitStringTemplate;
+NSS_Get_SEC_GeneralizedTimeTemplate;
+NSS_Get_SEC_IA5StringTemplate;
+NSS_Get_SEC_IntegerTemplate;
+NSS_Get_SEC_ObjectIDTemplate;
+NSS_Get_SEC_OctetStringTemplate;
+NSS_Get_SEC_PointerToAnyTemplate;
+NSS_Get_SEC_PointerToOctetStringTemplate;
+NSS_Get_SEC_SetOfAnyTemplate;
+NSS_Get_SEC_UTCTimeTemplate;
+NSS_Get_sgn_DigestInfoTemplate;
+;+# commands
+CERT_DecodeBasicConstraintValue;
+CERT_DecodeOidSequence;
+CERT_DecodeUserNotice;
+CERT_DecodeCertificatePoliciesExtension;
+CERT_DestroyCertificatePoliciesExtension;
+CERT_FindCertByNicknameOrEmailAddr;
+CERT_FindCertByNickname;
+CERT_GenTime2FormattedAscii;
+CERT_Hexify;
+CERT_CompareName;
+PK11SDR_Encrypt;
+PK11SDR_Decrypt;
+NSSBase64Decoder_Create;
+NSSBase64Decoder_Destroy;
+NSSBase64Decoder_Update;
+NSSBase64Encoder_Create;
+NSSBase64Encoder_Destroy;
+NSSBase64Encoder_Update;
+;+#PK11_DoPassword;
+;+#PK11_FindKeyByKeyID;
+PK11_InitPin;
+PK11_NeedUserInit;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.2.1 {       # NSS 3.2.1 release
+;+    global:
+CERT_AddRDN;
+CERT_CreateRDN;
+CERT_CreateAVA;
+CERT_CreateName;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.3 { 	# NSS 3.3. release
+;+    global:
+CERT_CheckCertUsage;
+CERT_FindCertIssuer;
+PK11_GetModule;
+SECKEY_CreateDHPrivateKey;
+SECKEY_GetPublicKeyType;
+SECMOD_AddNewModule;
+;+#
+;+# The following symbols are exported only to make JSS work.
+;+# These are still private!!!
+;+#
+CERT_DisableOCSPChecking;
+CERT_DisableOCSPDefaultResponder;
+CERT_EnableOCSPDefaultResponder;
+CERT_GetCertTimes;
+CERT_ImportCAChainTrusted;
+CERT_ImportCRL;
+CERT_IsCACert;
+CERT_IsCADERCert;
+CERT_SetOCSPDefaultResponder;
+PBE_CreateContext;
+PBE_DestroyContext;
+PBE_GenerateBits;
+PK11_CheckSSOPassword;
+PK11_CopySymKeyForSigning;
+PK11_DeleteTokenCertAndKey;
+PK11_DEREncodePublicKey;
+PK11_ExtractKeyValue;
+PK11_FindCertsFromNickname;
+PK11_FindKeyByKeyID;
+PK11_GetIVLength;
+PK11_GetKeyData;
+PK11_GetKeyType;
+PK11_GetLowLevelKeyIDForCert;
+PK11_GetLowLevelKeyIDForPrivateKey;
+PK11_GetSlotPWValues;
+PK11_ImportCertForKey;
+PK11_ImportDERCertForKey;
+PK11_ImportDERPrivateKeyInfo;
+PK11_ImportSymKey;
+PK11_IsLoggedIn;
+PK11_KeyForDERCertExists;
+PK11_KeyForCertExists;
+PK11_ListPrivateKeysInSlot;
+PK11_ListCertsInSlot;
+PK11_Logout;
+PK11_NeedPWInit;
+PK11_MakeIDFromPubKey;
+PK11_PQG_DestroyParams;
+PK11_PQG_DestroyVerify;
+PK11_PQG_GetBaseFromParams;
+PK11_PQG_GetCounterFromVerify;
+PK11_PQG_GetHFromVerify;
+PK11_PQG_GetPrimeFromParams;
+PK11_PQG_GetSeedFromVerify;
+PK11_PQG_GetSubPrimeFromParams;
+PK11_PQG_NewParams;
+PK11_PQG_NewVerify;
+PK11_PQG_ParamGen;
+PK11_PQG_ParamGenSeedLen;
+PK11_PQG_VerifyParams;
+PK11_ReferenceSlot;
+PK11_SeedRandom;
+PK11_UnwrapPrivKey;
+PK11_VerifyRecover;
+PK11_WrapPrivKey;
+SEC_CertNicknameConflict;
+SEC_PKCS5GetIV;
+SECMOD_DeleteInternalModule;
+SECMOD_DestroyModule;
+SECMOD_GetDefaultModuleList;
+SECMOD_GetDefaultModuleListLock;
+SECMOD_GetInternalModule;
+SECMOD_GetReadLock;
+SECMOD_ReferenceModule;
+SECMOD_ReleaseReadLock;
+SECKEY_AddPrivateKeyToListTail;
+SECKEY_EncodeDERSubjectPublicKeyInfo;
+SECKEY_ExtractPublicKey;
+SECKEY_DestroyPrivateKeyList;
+SECKEY_GetPrivateKeyType;
+SECKEY_HashPassword;
+SECKEY_ImportDERPublicKey;
+SECKEY_NewPrivateKeyList;
+SECKEY_RemovePrivateKeyListNode;
+VFY_EndWithSignature;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.3.1 { 	# NSS 3.3.1 release
+;+    global:
+;+#
+;+# The following symbols are exported only to make libsmime3.so work. 
+;+# These are still private!!!
+;+#
+PK11_CreatePBEParams;
+PK11_DestroyPBEParams;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.4 { 	# NSS 3.4 release
+;+    global:
+SECMOD_AddNewModuleEx;
+SECMOD_DeleteModule;
+SECMOD_FreeModuleSpecList;
+SECMOD_GetModuleSpecList;
+SECMOD_LoadModule;
+SECMOD_LoadUserModule;
+SECMOD_UnloadUserModule;
+SECMOD_UpdateModule;
+;+# for PKCS #12
+PK11_RawPBEKeyGen;
+;+# for PSM
+__CERT_AddTempCertToPerm;
+CERT_AddOKDomainName;
+CERT_CopyName;
+CERT_CreateSubjectCertList;
+CERT_DecodeAVAValue;
+;+#CERT_DecodeCertFromPackage;
+CERT_DecodeGeneralName;
+CERT_DecodeTrustString;
+CERT_DerNameToAscii;
+CERT_EncodeGeneralName;
+CERT_FilterCertListByCANames;
+CERT_FilterCertListByUsage;
+CERT_FindCertExtension;
+CERT_FindKeyUsageExtension;
+CERT_FindUserCertByUsage;
+CERT_FindUserCertsByUsage;
+CERT_GetCertChainFromCert;
+CERT_GetOCSPAuthorityInfoAccessLocation;
+CERT_KeyFromDERCrl;
+CERT_MakeCANickname;
+CERT_NicknameStringsFromCertList;
+CERT_VerifySignedData;
+DER_Encode;
+HASH_Begin;
+HASH_Create;
+HASH_Destroy;
+HASH_End;
+HASH_ResultLen;
+HASH_Update;
+NSSBase64_DecodeBuffer;   # from Stan
+NSSBase64_EncodeItem;   # from Stan
+PK11_GetKeyGen;
+PK11_GetMinimumPwdLength;
+PK11_GetNextSafe;
+PK11_GetPadMechanism;
+PK11_GetSlotInfo;
+PK11_HasRootCerts;
+PK11_IsDisabled;
+PK11_LoadPrivKey;
+PK11_LogoutAll;
+PK11_MechanismToAlgtag;
+PK11_ResetToken;
+PK11_TraverseSlotCerts;
+SEC_ASN1Decode;
+SECKEY_CopySubjectPublicKeyInfo;
+SECMOD_CreateModule;
+SECMOD_FindModule;
+SECMOD_FindSlot;
+SECMOD_PubCipherFlagstoInternal;
+SECMOD_PubMechFlagstoInternal;
+;;CERT_NameTemplate DATA ;
+;;CERT_SubjectPublicKeyInfoTemplate DATA ;
+;;SEC_BooleanTemplate DATA ;
+;;SEC_NullTemplate DATA ;
+;;SEC_SignedCertificateTemplate DATA ;
+;;SEC_UTF8StringTemplate DATA ;
+NSS_Get_CERT_NameTemplate;
+NSS_Get_CERT_SubjectPublicKeyInfoTemplate;
+NSS_Get_SEC_BooleanTemplate;
+NSS_Get_SEC_NullTemplate;
+NSS_Get_SEC_SignedCertificateTemplate;
+NSS_Get_SEC_UTF8StringTemplate;
+;+# for JSS
+PK11_DeleteTokenPrivateKey;
+PK11_DeleteTokenPublicKey;
+PK11_DeleteTokenSymKey;
+PK11_GetNextSymKey;
+PK11_GetPQGParamsFromPrivateKey;
+PK11_GetPrivateKeyNickname;
+PK11_GetPublicKeyNickname;
+PK11_GetSymKeyNickname;
+PK11_ImportDERPrivateKeyInfoAndReturnKey;
+PK11_ImportPrivateKeyInfoAndReturnKey;
+PK11_ImportPublicKey;
+PK11_ImportSymKeyWithFlags;
+PK11_ListFixedKeysInSlot;
+PK11_ListPrivKeysInSlot;
+PK11_ListPublicKeysInSlot;
+PK11_ProtectedAuthenticationPath;
+PK11_SetPrivateKeyNickname;
+PK11_SetPublicKeyNickname;
+PK11_SetSymKeyNickname;
+SECKEY_DecodeDERSubjectPublicKeyInfo;
+SECKEY_DestroyPublicKeyList;
+;+# for debugging
+nss_DumpCertificateCacheInfo;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.5 { 	# cert creation APIs used by certutil
+;+    global:
+CERT_AddExtension;
+CERT_CopyRDN;
+CERT_CreateCertificate;
+CERT_CreateValidity;
+CERT_DestroyValidity;
+CERT_EncodeAndAddBitStrExtension;
+CERT_EncodeAuthKeyID;
+CERT_EncodeBasicConstraintValue;
+CERT_EncodeCRLDistributionPoints;
+CERT_FinishExtensions;
+CERT_StartCertExtensions;
+DER_AsciiToTime;
+PK11_ImportCert;
+PORT_Strdup;
+SECMOD_CanDeleteInternalModule;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.6 { 	# NSS 3.6 release
+;+    global:
+CERT_AddOCSPAcceptableResponses;
+CERT_CompleteCRLDecodeEntries;
+CERT_CreateOCSPCertID;
+CERT_CreateOCSPRequest;
+CERT_DecodeDERCrlWithFlags;
+CERT_DecodeOCSPResponse;
+CERT_DestroyOCSPCertID;
+CERT_DestroyOCSPRequest;
+CERT_EncodeOCSPRequest;
+CERT_FilterCertListForUserCerts;
+CERT_GetOCSPResponseStatus;
+CERT_GetOCSPStatusForCertID;
+CERT_IsUserCert;
+CERT_RemoveCertListNode;
+CERT_VerifyCACertForUsage;
+CERT_VerifyCertificate;
+CERT_VerifyCertificateNow;
+CERT_VerifyOCSPResponseSignature;
+PK11_ConvertSessionPrivKeyToTokenPrivKey;
+PK11_ConvertSessionSymKeyToTokenSymKey;
+PK11_GetModInfo;
+PK11_GetPBEIV;
+PK11_ImportCRL;
+PK11_ImportDERCert;
+PK11_PubUnwrapSymKeyWithFlags;
+PK11_SaveContextAlloc;
+PK11_TokenKeyGen;
+SEC_QuickDERDecodeItem;
+SECKEY_CopyPublicKey;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.7 { 	# NSS 3.7 release
+;+    global:
+CERT_CRLCacheRefreshIssuer;
+CERT_DestroyOCSPResponse;
+CERT_EncodeAltNameExtension;
+CERT_FindCertBySubjectKeyID;
+CERT_FindSubjectKeyIDExtension;
+CERT_GetFirstEmailAddress;
+CERT_GetNextEmailAddress;
+CERT_VerifySignedDataWithPublicKey;
+CERT_VerifySignedDataWithPublicKeyInfo;
+PK11_WaitForTokenEvent;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.7.1 { 	# NSS 3.7.1 release
+;+    global:
+PK11_TokenRefresh;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.8 { 	# NSS 3.8 release
+;+    global:
+CERT_IsRootDERCert;
+HASH_GetHashObjectByOidTag;
+HASH_GetHashTypeByOidTag;
+PK11_GetDefaultArray;
+PK11_GetDefaultFlags;
+PK11_GetDisabledReason;
+PK11_UpdateSlotAttribute;
+PK11_UserEnableSlot;
+PK11_UserDisableSlot;
+SECITEM_ItemsAreEqual;
+SECKEY_CreateECPrivateKey;
+SECKEY_PublicKeyStrengthInBits;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.9 { 	# NSS 3.9 release
+;+    global:
+CERT_DestroyOidSequence;
+CERT_GetOidString;
+;;CERT_TimeChoiceTemplate DATA ;
+DER_DecodeTimeChoice;
+DER_EncodeTimeChoice;
+DSAU_DecodeDerSigToLen;
+DSAU_EncodeDerSigWithLen;
+NSS_Get_CERT_TimeChoiceTemplate;
+PK11_DeriveWithFlagsPerm;
+PK11_ExportEncryptedPrivKeyInfo;
+PK11_FindSlotsByNames;
+PK11_GetSymKeyType;
+PK11_MoveSymKey;
+PK11_PubDeriveWithKDF;
+PK11_PubUnwrapSymKeyWithFlagsPerm;
+PK11_UnwrapSymKeyWithFlagsPerm;
+SECITEM_ArenaDupItem;
+SECMOD_GetDBModuleList;
+SECMOD_GetDeadModuleList;
+SEC_ASN1DecoderAbort;
+SEC_ASN1EncoderAbort;
+SEC_DupCrl;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.9.2 { 	# NSS 3.9.2 release
+;+    global:
+NSS_IsInitialized;
+PK11_DestroyGenericObject;
+PK11_DestroyGenericObjects;
+PK11_FindGenericObjects;
+PK11_GetNextGenericObject;
+PK11_GetPrevGenericObject;
+PK11_LinkGenericObject;
+PK11_ReadRawAttribute;
+PK11_UnlinkGenericObject;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.9.3 { 	# NSS 3.9.3 release
+;+    global:
+PK11_GetCertFromPrivateKey;
+PK11_PrivDecryptPKCS1;
+PK11_PubEncryptPKCS1;
+SECMOD_CancelWait;
+SECMOD_HasRemovableSlots;
+SECMOD_UpdateSlotList;
+SECMOD_WaitForAnyTokenEvent;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.10 { 	# NSS 3.10 release
+;+    global:
+CERT_CacheCRL;
+CERT_DecodeAltNameExtension;
+CERT_DecodeAuthInfoAccessExtension;
+CERT_DecodeAuthKeyID;
+CERT_DecodeCRLDistributionPoints;
+CERT_DecodeNameConstraintsExtension;
+CERT_DecodePrivKeyUsagePeriodExtension;
+CERT_DestroyUserNotice;
+CERT_FinishCertificateRequestAttributes;
+CERT_GetCertificateNames;
+CERT_GetCertificateRequestExtensions;
+CERT_GetNextGeneralName;
+CERT_GetNextNameConstraint;
+CERT_GetPrevGeneralName;
+CERT_GetPrevNameConstraint;
+CERT_MergeExtensions;
+CERT_StartCertificateRequestAttributes;
+CERT_StartCRLEntryExtensions;
+CERT_StartCRLExtensions;
+CERT_UncacheCRL;
+HASH_Clone;
+HASH_HashBuf;
+HASH_ResultLenByOidTag;
+HASH_ResultLenContext;
+SEC_GetSignatureAlgorithmOidTag;
+SECKEY_CacheStaticFlags;
+SECOID_AddEntry;
+;+#
+;+# Data objects
+;+#
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;+# Use the SEC_ASN1_GET / SEC_ASN1_SUB / SEC_ASN1_XTRN macros to access them.
+;;CERT_SequenceOfCertExtensionTemplate DATA ;
+;;CERT_SignedCrlTemplate DATA ;
+NSS_Get_CERT_SequenceOfCertExtensionTemplate;
+NSS_Get_CERT_SignedCrlTemplate;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.10.2 { 	# NSS 3.10.2 release
+;+    global:
+PK11_TokenKeyGenWithFlags;
+PK11_GenerateKeyPairWithFlags;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.11 { 	# NSS 3.11 release
+;+    global:
+CERT_CompareValidityTimes;
+PK11_CopyTokenPrivKeyToSessionPrivKey;
+PK11_FreeSlotListElement;
+PK11_GenerateRandomOnSlot;
+PK11_GetSymKeyUserData;
+PK11_MapSignKeyType;
+PK11_SetSymKeyUserData;
+SECMOD_CloseUserDB;
+SECMOD_HasRootCerts;
+SECMOD_OpenUserDB;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.11.1 {
+;+    global:
+NSS_RegisterShutdown;
+NSS_UnregisterShutdown;
+SEC_ASN1EncodeUnsignedInteger;
+SEC_RegisterDefaultHttpClient;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.11.2 {
+;+    global:
+SECKEY_SignatureLen;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.11.7 {
+;+    global:
+CERT_SetOCSPFailureMode;
+CERT_OCSPCacheSettings;
+CERT_ClearOCSPCache;
+DER_GeneralizedDayToAscii;
+DER_TimeChoiceDayToAscii;
+DER_TimeToGeneralizedTime;
+DER_TimeToGeneralizedTimeArena;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.11.9 {
+;+    global:
+PK11_UnconfigurePKCS11;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.12 { 	# NSS 3.12 release
+;+    global:
+CERT_CheckNameSpace;
+CERT_EncodeCertPoliciesExtension;
+CERT_EncodeInfoAccessExtension;
+CERT_EncodeInhibitAnyExtension;
+CERT_EncodeNoticeReference;
+CERT_EncodePolicyConstraintsExtension;
+CERT_EncodePolicyMappingExtension;
+CERT_EncodeSubjectKeyID;
+CERT_EncodeUserNotice;
+CERT_FindCRLEntryReasonExten;
+CERT_FindCRLNumberExten;
+CERT_FindNameConstraintsExten;
+CERT_GetClassicOCSPDisabledPolicy;
+CERT_GetClassicOCSPEnabledHardFailurePolicy;
+CERT_GetClassicOCSPEnabledSoftFailurePolicy;
+CERT_GetPKIXVerifyNistRevocationPolicy;
+CERT_GetUsePKIXForValidation;
+CERT_GetValidDNSPatternsFromCert;
+CERT_NewTempCertificate;
+CERT_SetOCSPTimeout;
+CERT_SetUsePKIXForValidation;
+CERT_PKIXVerifyCert;
+HASH_GetType;
+NSS_InitWithMerge;
+PK11_CreateMergeLog;
+PK11_CreateGenericObject;
+PK11_CreatePBEV2AlgorithmID;
+PK11_DestroyMergeLog;
+PK11_GenerateKeyPairWithOpFlags;
+PK11_GetAllSlotsForCert;
+PK11_GetPBECryptoMechanism;
+PK11_IsRemovable;
+PK11_MergeTokens;
+PK11_WriteRawAttribute;
+SECKEY_ECParamsToBasePointOrderLen;
+SECKEY_ECParamsToKeySize;
+SECMOD_DeleteModuleEx;
+SEC_GetRegisteredHttpClient;
+SEC_PKCS5IsAlgorithmPBEAlgTag;
+VFY_CreateContextDirect;
+VFY_CreateContextWithAlgorithmID;
+VFY_VerifyDataDirect;
+VFY_VerifyDataWithAlgorithmID;
+VFY_VerifyDigestDirect;
+VFY_VerifyDigestWithAlgorithmID;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.12.1 { 	# NSS 3.12.1 release
+;+    global:
+CERT_NameToAsciiInvertible;
+PK11_FindCertFromDERCertItem;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
new file mode 100644
index 000000000..2c594a021
--- /dev/null
+++ b/security/nss/lib/nss/nss.h
@@ -0,0 +1,265 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __nss_h_
+#define __nss_h_
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/* The private macro _NSS_ECC_STRING is for NSS internal use only. */
+#ifdef NSS_ENABLE_ECC
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+#define _NSS_ECC_STRING " Extended ECC"
+#else
+#define _NSS_ECC_STRING " Basic ECC"
+#endif
+#else
+#define _NSS_ECC_STRING ""
+#endif
+
+/* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define _NSS_CUSTOMIZED " (Customized build)"
+#else
+#define _NSS_CUSTOMIZED 
+#endif
+
+/*
+ * NSS's major version, minor version, patch level, and whether
+ * this is a beta release.
+ *
+ * The format of the version string should be
+ *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
+ */
+#define NSS_VERSION  "3.12.2" _NSS_ECC_STRING " Beta" _NSS_CUSTOMIZED
+#define NSS_VMAJOR   3
+#define NSS_VMINOR   12
+#define NSS_VPATCH   2
+#define NSS_BETA     PR_TRUE
+
+/*
+ * Return a boolean that indicates whether the underlying library
+ * will perform as the caller expects.
+ *
+ * The only argument is a string, which should be the verson
+ * identifier of the NSS library. That string will be compared
+ * against a string that represents the actual build version of
+ * the NSS library.  It also invokes the version checking functions
+ * of the dependent libraries such as NSPR.
+ */
+extern PRBool NSS_VersionCheck(const char *importedVersion);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read only.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ */
+extern SECStatus NSS_Init(const char *configdir);
+
+/*
+ * Returns whether NSS has already been initialized or not.
+ */
+extern PRBool NSS_IsInitialized(void);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read/write.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ */
+extern SECStatus NSS_InitReadWrite(const char *configdir);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read/write.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ *
+ * This allows using application defined prefixes for the cert and key db's
+ * and an alternate name for the secmod database. NOTE: In future releases,
+ * the database prefixes my not necessarily map to database names.
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * flags - change the open options of NSS_Initialize as follows:
+ * 	NSS_INIT_READONLY - Open the databases read only.
+ * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
+ * 			initialize the volatile certdb.
+ * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
+ *			initialize the 	PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
+ * 			databases cannot be opened.
+ *      NSS_INIT_NOROOTINIT - Don't try to look for the root certs module
+ *			automatically.
+ *      NSS_INIT_OPTIMIZESPACE - Use smaller tables and caches.
+ *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
+ *                      thread-safe, ie. that support locking - either OS
+ *                      locking or NSS-provided locks . If a PKCS#11
+ *                      module isn't thread-safe, don't serialize its
+ *                      calls; just don't load it instead. This is necessary
+ *                      if another piece of code is using the same PKCS#11
+ *                      modules that NSS is accessing without going through
+ *                      NSS, for example the Java SunPKCS11 provider.
+ *      NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
+ *                      error when loading PKCS#11 modules. This is necessary
+ *                      if another piece of code is using the same PKCS#11
+ *                      modules that NSS is accessing without going through
+ *                      NSS, for example Java SunPKCS11 provider.
+ *      NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
+ *                      PKCS#11 module. This may be necessary in order to
+ *                      ensure continuous operation and proper shutdown
+ *                      sequence if another piece of code is using the same
+ *                      PKCS#11 modules that NSS is accessing without going
+ *                      through NSS, for example Java SunPKCS11 provider.
+ *                      The following limitation applies when this is set :
+ *                      SECMOD_WaitForAnyTokenEvent will not use
+ *                      C_WaitForSlotEvent, in order to prevent the need for
+ *                      C_Finalize. This call will be emulated instead.
+ *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
+ *                      future to trigger better cooperation between PKCS#11
+ *                      modules used by both NSS and the Java SunPKCS11
+ *                      provider. This should occur after a new flag is defined
+ *                      for C_Initialize by the PKCS#11 working group.
+ *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
+ *                      use both NSS and the Java SunPKCS11 provider.
+ *
+ * Also NOTE: This is not the recommended method for initializing NSS. 
+ * The prefered method is NSS_init().
+ */
+#define NSS_INIT_READONLY	0x1
+#define NSS_INIT_NOCERTDB	0x2
+#define NSS_INIT_NOMODDB	0x4
+#define NSS_INIT_FORCEOPEN	0x8
+#define NSS_INIT_NOROOTINIT     0x10
+#define NSS_INIT_OPTIMIZESPACE  0x20
+#define NSS_INIT_PK11THREADSAFE   0x40
+#define NSS_INIT_PK11RELOAD       0x80
+#define NSS_INIT_NOPK11FINALIZE   0x100
+#define NSS_INIT_RESERVED         0x200
+
+#define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \
+        NSS_INIT_PK11RELOAD | \
+        NSS_INIT_NOPK11FINALIZE | \
+        NSS_INIT_RESERVED
+
+#ifdef macintosh
+#define SECMOD_DB "Security Modules"
+#else
+#define SECMOD_DB "secmod.db"
+#endif
+
+extern SECStatus NSS_Initialize(const char *configdir, 
+	const char *certPrefix, const char *keyPrefix, 
+	const char *secmodName, PRUint32 flags);
+
+/*
+ * same as NSS_Init, but checks to see if we need to merge an
+ * old database in.
+ *   updatedir is the directory where the old database lives.
+ *   updCertPrefix is the certPrefix for the old database.
+ *   updKeyPrefix is the keyPrefix for the old database.
+ *   updateID is a unique identifier chosen by the application for
+ *      the specific database.
+ *   updatName is the name the user will be prompted for when
+ *      asking to authenticate to the old database  */
+extern SECStatus NSS_InitWithMerge(const char *configdir, 
+	const char *certPrefix, const char *keyPrefix, const char *secmodName,
+	const char *updatedir,  const char *updCertPrefix, 
+	const char *updKeyPrefix, const char *updateID, 
+	const char *updateName, PRUint32 flags);
+/*
+ * initialize NSS without a creating cert db's, key db's, or secmod db's.
+ */
+SECStatus NSS_NoDB_Init(const char *configdir);
+
+/*
+ * Allow applications and libraries to register with NSS so that they are called
+ * when NSS shuts down.
+ *
+ * void *appData application specific data passed in by the application at 
+ * NSS_RegisterShutdown() time.
+ * void *nssData is NULL in this release, but is reserved for future versions of 
+ * NSS to pass some future status information * back to the shutdown function. 
+ *
+ * If the shutdown function returns SECFailure,
+ * Shutdown will still complete, but NSS_Shutdown() will return SECFailure.
+ */
+typedef SECStatus (*NSS_ShutdownFunc)(void *appData, void *nssData);
+
+/*
+ * Register a shutdown function.
+ */
+SECStatus NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
+
+/*
+ * Remove an existing shutdown function (you may do this if your library is
+ * complete and going away, but NSS is still running).
+ */
+SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
+
+/* 
+ * Close the Cert, Key databases.
+ */
+extern SECStatus NSS_Shutdown(void);
+
+/*
+ * set the PKCS #11 strings for the internal token.
+ */
+void PK11_ConfigurePKCS11(const char *man, const char *libdes, 
+	const char *tokdes, const char *ptokdes, const char *slotdes, 
+	const char *pslotdes, const char *fslotdes, const char *fpslotdes,
+        int minPwd, int pwRequired);
+
+/*
+ * Dump the contents of the certificate cache and the temporary cert store.
+ * Use to detect leaked references of certs at shutdown time.
+ */
+void nss_DumpCertificateCacheInfo(void);
+
+SEC_END_PROTOS
+
+#endif /* __nss_h_ */
diff --git a/security/nss/lib/nss/nss.rc b/security/nss/lib/nss/nss.rc
new file mode 100644
index 000000000..156309e6a
--- /dev/null
+++ b/security/nss/lib/nss/nss.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nss"
+#define MY_FILEDESCRIPTION "NSS Base Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
new file mode 100644
index 000000000..2e4760b2d
--- /dev/null
+++ b/security/nss/lib/nss/nssinit.c
@@ -0,0 +1,973 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <ctype.h>
+#include "seccomon.h"
+#include "prinit.h"
+#include "prprf.h"
+#include "prmem.h"
+#include "cert.h"
+#include "key.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "secmod.h"
+#include "secoid.h"
+#include "nss.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "nssbase.h"
+#include "pkixt.h"
+#include "pkix.h"
+#include "pkix_tools.h"
+
+#include "pki3hack.h"
+#include "certi.h"
+#include "secmodi.h"
+#include "ocspti.h"
+#include "ocspi.h"
+
+/*
+ * On Windows nss3.dll needs to export the symbol 'mktemp' to be
+ * fully backward compatible with the nss3.dll in NSS 3.2.x and
+ * 3.3.x.  This symbol was unintentionally exported and its
+ * definition (in DBM) was moved from nss3.dll to softokn3.dll
+ * in NSS 3.4.  See bug 142575.
+ */
+#ifdef WIN32_NSS3_DLL_COMPAT
+#include <io.h>
+
+/* exported as 'mktemp' */
+char *
+nss_mktemp(char *path)
+{
+    return _mktemp(path);
+}
+#endif
+
+#define NSS_MAX_FLAG_SIZE  sizeof("readOnly")+sizeof("noCertDB")+ \
+	sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")+ \
+	sizeof ("optimizeSpace")
+#define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
+
+static char *
+nss_makeFlags(PRBool readOnly, PRBool noCertDB, 
+				PRBool noModDB, PRBool forceOpen, 
+				PRBool passwordRequired, PRBool optimizeSpace) 
+{
+    char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE);
+    if (readOnly) {
+        PORT_Strcat(flags,"readOnly");
+        first = PR_FALSE;
+    }
+    if (noCertDB) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"noCertDB");
+        first = PR_FALSE;
+    }
+    if (noModDB) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"noModDB");
+        first = PR_FALSE;
+    }
+    if (forceOpen) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"forceOpen");
+        first = PR_FALSE;
+    }
+    if (passwordRequired) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"passwordRequired");
+        first = PR_FALSE;
+    }
+    if (optimizeSpace) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"optimizeSpace");
+        first = PR_FALSE;
+    }
+    return flags;
+}
+
+/*
+ * statics to remember the PK11_ConfigurePKCS11()
+ * info.
+ */
+static char * pk11_config_strings = NULL;
+static char * pk11_config_name = NULL;
+static PRBool pk11_password_required = PR_FALSE;
+
+/*
+ * this is a legacy configuration function which used to be part of
+ * the PKCS #11 internal token.
+ */
+void
+PK11_ConfigurePKCS11(const char *man, const char *libdes, const char *tokdes,
+	const char *ptokdes, const char *slotdes, const char *pslotdes, 
+	const char *fslotdes, const char *fpslotdes, int minPwd, int pwRequired)
+{
+   char *strings = NULL;
+   char *newStrings;
+
+   /* make sure the internationalization was done correctly... */
+   strings = PR_smprintf("");
+   if (strings == NULL) return;
+
+    if (man) {
+        newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (libdes) {
+        newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+	if (pk11_config_name != NULL) {
+	    PORT_Free(pk11_config_name);
+	}
+	pk11_config_name = PORT_Strdup(libdes);
+    }
+   if (strings == NULL) return;
+
+    if (tokdes) {
+        newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
+								tokdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (ptokdes) {
+        newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (slotdes) {
+        newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
+								slotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (pslotdes) {
+        newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (fslotdes) {
+        newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
+							strings,fslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (fpslotdes) {
+        newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
+							strings,fpslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
+    PR_smprintf_free(strings);
+    strings = newStrings;
+   if (strings == NULL) return;
+
+    if (pk11_config_strings != NULL) {
+	PR_smprintf_free(pk11_config_strings);
+    }
+    pk11_config_strings = strings;
+    pk11_password_required = pwRequired;
+
+    return;
+}
+
+void PK11_UnconfigurePKCS11(void)
+{
+    if (pk11_config_strings != NULL) {
+	PR_smprintf_free(pk11_config_strings);
+        pk11_config_strings = NULL;
+    }
+    if (pk11_config_name) {
+        PORT_Free(pk11_config_name);
+        pk11_config_name = NULL;
+    }
+}
+
+static char *
+nss_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+
+    return newString;
+}
+
+static char *
+nss_doubleEscape(const char *string)
+{
+    char *round1 = NULL;
+    char *retValue = NULL;
+    if (string == NULL) {
+	goto done;
+    }
+    round1 = nss_addEscape(string,'\'');
+    if (round1) {
+	retValue = nss_addEscape(round1,'"');
+	PORT_Free(round1);
+    }
+
+done:
+    if (retValue == NULL) {
+	retValue = PORT_Strdup("");
+    }
+    return retValue;
+}
+
+
+/*
+ * The following code is an attempt to automagically find the external root
+ * module.
+ * Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
+ */
+
+static const char *dllname =
+#if defined(XP_WIN32) || defined(XP_OS2)
+	"nssckbi.dll";
+#elif defined(HPUX) && !defined(__ia64)  /* HP-UX PA-RISC */
+	"libnssckbi.sl";
+#elif defined(DARWIN)
+	"libnssckbi.dylib";
+#elif defined(XP_UNIX) || defined(XP_BEOS)
+	"libnssckbi.so";
+#else
+	#error "Uh! Oh! I don't know about this platform."
+#endif
+
+/* Should we have platform ifdefs here??? */
+#define FILE_SEP '/'
+
+static void nss_FindExternalRootPaths(const char *dbpath, 
+                                      const char* secmodprefix,
+                              char** retoldpath, char** retnewpath)
+{
+    char *path, *oldpath = NULL, *lastsep;
+    int len, path_len, secmod_len, dll_len;
+
+    path_len = PORT_Strlen(dbpath);
+    secmod_len = secmodprefix ? PORT_Strlen(secmodprefix) : 0;
+    dll_len = PORT_Strlen(dllname);
+    len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */
+
+    path = PORT_Alloc(len);
+    if (path == NULL) return;
+
+    /* back up to the top of the directory */
+    PORT_Memcpy(path,dbpath,path_len);
+    if (path[path_len-1] != FILE_SEP) {
+        path[path_len++] = FILE_SEP;
+    }
+    PORT_Strcpy(&path[path_len],dllname);
+    if (secmod_len > 0) {
+        lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
+        if (lastsep) {
+            int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
+            oldpath = PORT_Alloc(len);
+            if (oldpath == NULL) {
+                PORT_Free(path);
+                return;
+            }
+            PORT_Memcpy(oldpath,path,path_len);
+            PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len);
+            PORT_Strcpy(&oldpath[path_len+secmoddir_len],dllname);
+        }
+    }
+    *retoldpath = oldpath;
+    *retnewpath = path;
+    return;
+}
+
+static void nss_FreeExternalRootPaths(char* oldpath, char* path)
+{
+    if (path) {
+        PORT_Free(path);
+    }
+    if (oldpath) {
+        PORT_Free(oldpath);
+    }
+}
+
+static void
+nss_FindExternalRoot(const char *dbpath, const char* secmodprefix)
+{
+	char *path = NULL;
+        char *oldpath = NULL;
+        PRBool hasrootcerts = PR_FALSE;
+
+        /*
+         * 'oldpath' is the external root path in NSS 3.3.x or older.
+         * For backward compatibility we try to load the root certs
+         * module with the old path first.
+         */
+        nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
+        if (oldpath) {
+            (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0);
+            hasrootcerts = SECMOD_HasRootCerts();
+        }
+        if (path && !hasrootcerts) {
+	    (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
+        }
+        nss_FreeExternalRootPaths(oldpath, path);
+	return;
+}
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be opened read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the 
+ *			Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the 
+ *			PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * 			be opened.
+ */
+
+static PRBool nss_IsInitted = PR_FALSE;
+static void* plContext = NULL;
+
+static SECStatus nss_InitShutdownList(void);
+
+#ifdef DEBUG
+static CERTCertificate dummyCert;
+#endif
+
+static SECStatus
+nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+		 const char *secmodName, const char *updateDir, 
+		 const char *updCertPrefix, const char *updKeyPrefix,
+		 const char *updateID, const char *updateName,
+			PRBool readOnly, PRBool noCertDB, 
+			PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+			PRBool optimizeSpace, PRBool noSingleThreadedModules,
+			PRBool allowAlreadyInitializedModules,
+			PRBool dontFinalizeModules)
+{
+    char *moduleSpec = NULL;
+    char *flags = NULL;
+    SECStatus rv = SECFailure;
+    char *lconfigdir = NULL;
+    char *lcertPrefix = NULL;
+    char *lkeyPrefix = NULL;
+    char *lsecmodName = NULL;
+    char *lupdateDir = NULL;
+    char *lupdCertPrefix = NULL;
+    char *lupdKeyPrefix = NULL;
+    char *lupdateID = NULL;
+    char *lupdateName = NULL;
+    PKIX_UInt32 actualMinorVersion = 0;
+    PKIX_Error *pkixError = NULL;;
+
+    if (nss_IsInitted) {
+	return SECSuccess;
+    }
+
+    /* New option bits must not change the size of CERTCertificate. */
+    PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
+
+    if (SECSuccess != cert_InitLocks()) {
+        return SECFailure;
+    }
+
+    if (SECSuccess != InitCRLCache()) {
+        return SECFailure;
+    }
+    
+    if (SECSuccess != OCSP_InitGlobal()) {
+        return SECFailure;
+    }
+
+    flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
+					pk11_password_required, optimizeSpace);
+    if (flags == NULL) return rv;
+
+    /*
+     * configdir is double nested, and Windows uses the same character
+     * for file seps as we use for escapes! (sigh).
+     */
+    lconfigdir = nss_doubleEscape(configdir);
+    if (lconfigdir == NULL) {
+	goto loser;
+    }
+    lcertPrefix = nss_doubleEscape(certPrefix);
+    if (lcertPrefix == NULL) {
+	goto loser;
+    }
+    lkeyPrefix = nss_doubleEscape(keyPrefix);
+    if (lkeyPrefix == NULL) {
+	goto loser;
+    }
+    lsecmodName = nss_doubleEscape(secmodName);
+    if (lsecmodName == NULL) {
+	goto loser;
+    }
+    lupdateDir = nss_doubleEscape(updateDir);
+    if (lupdateDir == NULL) {
+	goto loser;
+    }
+    lupdCertPrefix = nss_doubleEscape(updCertPrefix);
+    if (lupdCertPrefix == NULL) {
+	goto loser;
+    }
+    lupdKeyPrefix = nss_doubleEscape(updKeyPrefix);
+    if (lupdKeyPrefix == NULL) {
+	goto loser;
+    }
+    lupdateID = nss_doubleEscape(updateID);
+    if (lupdateID == NULL) {
+	goto loser;
+    }
+    lupdateName = nss_doubleEscape(updateName);
+    if (lupdateName == NULL) {
+	goto loser;
+    }
+    if (noSingleThreadedModules || allowAlreadyInitializedModules ||
+        dontFinalizeModules) {
+        pk11_setGlobalOptions(noSingleThreadedModules,
+                              allowAlreadyInitializedModules,
+                              dontFinalizeModules);
+    }
+
+    moduleSpec = PR_smprintf(
+     "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' "
+     "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' "
+     "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" "
+     "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
+		pk11_config_name ? pk11_config_name : NSS_DEFAULT_MOD_NAME,
+		lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
+		lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID, 
+		lupdateName, pk11_config_strings ? pk11_config_strings : "");
+
+loser:
+    PORT_Free(flags);
+    if (lconfigdir) PORT_Free(lconfigdir);
+    if (lcertPrefix) PORT_Free(lcertPrefix);
+    if (lkeyPrefix) PORT_Free(lkeyPrefix);
+    if (lsecmodName) PORT_Free(lsecmodName);
+    if (lupdateDir) PORT_Free(lupdateDir);
+    if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
+    if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
+    if (lupdateID) PORT_Free(lupdateID);
+    if (lupdateName) PORT_Free(lupdateName);
+
+    if (moduleSpec) {
+	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+	PR_smprintf_free(moduleSpec);
+	if (module) {
+	    if (module->loaded) rv=SECSuccess;
+	    SECMOD_DestroyModule(module);
+	}
+    }
+
+    if (rv == SECSuccess) {
+	if (SECOID_Init() != SECSuccess) {
+	    return SECFailure;
+	}
+	if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+	    return SECFailure;
+	}
+	if (nss_InitShutdownList() != SECSuccess) {
+	    return SECFailure;
+	}
+	CERT_SetDefaultCertDB((CERTCertDBHandle *)
+				STAN_GetDefaultTrustDomain());
+	if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
+	    if (!SECMOD_HasRootCerts()) {
+		nss_FindExternalRoot(configdir, secmodName);
+	    }
+	}
+	pk11sdr_Init();
+	cert_CreateSubjectKeyIDHashTable();
+	nss_IsInitted = PR_TRUE;
+    }
+
+    if (SECSuccess == rv) {
+	pkixError = PKIX_Initialize
+	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+
+	if (pkixError != NULL) {
+	    rv = SECFailure;
+	} else {
+            char *ev = getenv("NSS_ENABLE_PKIX_VERIFY");
+            if (ev && ev[0]) {
+                CERT_SetUsePKIXForValidation(PR_TRUE);
+            }
+        }
+    }
+
+    return rv;
+}
+
+
+SECStatus
+NSS_Init(const char *configdir)
+{
+    return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "",
+		PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, 
+		PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
+}
+
+SECStatus
+NSS_InitReadWrite(const char *configdir)
+{
+    return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "",
+		PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, 
+		PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * flags - change the open options of NSS_Initialize as follows:
+ * 	NSS_INIT_READONLY - Open the databases read only.
+ * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
+ * 			initialize the volatile certdb.
+ * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
+ *			initialize the 	PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
+ * 			databases cannot be opened.
+ *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
+ *                      thread-safe, ie. that support locking - either OS
+ *                      locking or NSS-provided locks . If a PKCS#11
+ *                      module isn't thread-safe, don't serialize its
+ *                      calls; just don't load it instead. This is necessary
+ *                      if another piece of code is using the same PKCS#11
+ *                      modules that NSS is accessing without going through
+ *                      NSS, for example the Java SunPKCS11 provider.
+ *      NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
+ *                      error when loading PKCS#11 modules. This is necessary
+ *                      if another piece of code is using the same PKCS#11
+ *                      modules that NSS is accessing without going through
+ *                      NSS, for example Java SunPKCS11 provider.
+ *      NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
+ *                      PKCS#11 module. This may be necessary in order to
+ *                      ensure continuous operation and proper shutdown
+ *                      sequence if another piece of code is using the same
+ *                      PKCS#11 modules that NSS is accessing without going
+ *                      through NSS, for example Java SunPKCS11 provider.
+ *                      The following limitation applies when this is set :
+ *                      SECMOD_WaitForAnyTokenEvent will not use
+ *                      C_WaitForSlotEvent, in order to prevent the need for
+ *                      C_Finalize. This call will be emulated instead.
+ *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
+ *                      future to trigger better cooperation between PKCS#11
+ *                      modules used by both NSS and the Java SunPKCS11
+ *                      provider. This should occur after a new flag is defined
+ *                      for C_Initialize by the PKCS#11 working group.
+ *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
+ *                      use both NSS and the Java SunPKCS11 provider. 
+ */
+SECStatus
+NSS_Initialize(const char *configdir, const char *certPrefix, 
+	const char *keyPrefix, const char *secmodName, PRUint32 flags)
+{
+    return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
+	"", "", "", "", "",
+	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
+	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
+	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
+        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
+        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
+        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
+}
+
+SECStatus
+NSS_InitWithMerge(const char *configdir, const char *certPrefix, 
+	const char *keyPrefix, const char *secmodName, 
+	const char *updateDir, const char *updCertPrefix,
+	const char *updKeyPrefix, const char *updateID, 
+	const char *updateName, PRUint32 flags)
+{
+    return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
+	updateDir, updCertPrefix, updKeyPrefix, updateID, updateName,
+	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
+	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
+	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
+        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
+        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
+        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
+}
+
+/*
+ * initialize NSS without a creating cert db's, key db's, or secmod db's.
+ */
+SECStatus
+NSS_NoDB_Init(const char * configdir)
+{
+      return nss_Init("","","","", "", "", "", "", "",
+			PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,
+			PR_FALSE,PR_FALSE,PR_FALSE);
+}
+
+
+#define NSS_SHUTDOWN_STEP 10
+
+struct NSSShutdownFuncPair {
+    NSS_ShutdownFunc	func;
+    void		*appData;
+};
+
+static struct NSSShutdownListStr {
+    PZLock		*lock;
+    int			allocatedFuncs;
+    int			peakFuncs;
+    struct NSSShutdownFuncPair	*funcs;
+} nssShutdownList = { 0 };
+
+/*
+ * find and existing shutdown function
+ */
+static int 
+nss_GetShutdownEntry(NSS_ShutdownFunc sFunc, void *appData)
+{
+    int count, i;
+    count = nssShutdownList.peakFuncs;
+    /* expect the list to be short, just do a linear search */
+    for (i=0; i < count; i++) {
+	if ((nssShutdownList.funcs[i].func == sFunc) &&
+	    (nssShutdownList.funcs[i].appData == appData)){
+	    return i;
+	}
+    }
+    return -1;
+}
+    
+/*
+ * register a callback to be called when NSS shuts down
+ */
+SECStatus
+NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
+{
+    int i;
+
+    if (!nss_IsInitted) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    if (sFunc == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    PORT_Assert(nssShutdownList.lock);
+    PZ_Lock(nssShutdownList.lock);
+
+    /* make sure we don't have a duplicate */
+    i = nss_GetShutdownEntry(sFunc, appData);
+    if (i >= 0) {
+	PZ_Unlock(nssShutdownList.lock);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    /* find an empty slot */
+    i = nss_GetShutdownEntry(NULL, NULL);
+    if (i >= 0) {
+	nssShutdownList.funcs[i].func = sFunc;
+	nssShutdownList.funcs[i].appData = appData;
+	PZ_Unlock(nssShutdownList.lock);
+	return SECSuccess;
+    }
+    if (nssShutdownList.allocatedFuncs == nssShutdownList.peakFuncs) {
+	struct NSSShutdownFuncPair *funcs = 
+		(struct NSSShutdownFuncPair *)PORT_Realloc
+		(nssShutdownList.funcs, 
+		(nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) 
+		*sizeof(struct NSSShutdownFuncPair));
+	if (!funcs) {
+	    return SECFailure;
+	}
+	nssShutdownList.funcs = funcs;
+	nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP;
+    }
+    nssShutdownList.funcs[nssShutdownList.peakFuncs].func = sFunc;
+    nssShutdownList.funcs[nssShutdownList.peakFuncs].appData = appData;
+    nssShutdownList.peakFuncs++;
+    PZ_Unlock(nssShutdownList.lock);
+    return SECSuccess;
+}
+
+/*
+ * unregister a callback so it won't get called on shutdown.
+ */
+SECStatus
+NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
+{
+    int i;
+    if (!nss_IsInitted) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+
+    PORT_Assert(nssShutdownList.lock);
+    PZ_Lock(nssShutdownList.lock);
+    i = nss_GetShutdownEntry(sFunc, appData);
+    if (i >= 0) {
+	nssShutdownList.funcs[i].func = NULL;
+	nssShutdownList.funcs[i].appData = NULL;
+    }
+    PZ_Unlock(nssShutdownList.lock);
+
+    if (i < 0) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * bring up and shutdown the shutdown list
+ */
+static SECStatus
+nss_InitShutdownList(void)
+{
+    nssShutdownList.lock = PZ_NewLock(nssILockOther);
+    if (nssShutdownList.lock == NULL) {
+	return SECFailure;
+    }
+    nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair, 
+				           NSS_SHUTDOWN_STEP);
+    if (nssShutdownList.funcs == NULL) {
+	PZ_DestroyLock(nssShutdownList.lock);
+    	nssShutdownList.lock = NULL;
+	return SECFailure;
+    }
+    nssShutdownList.allocatedFuncs = NSS_SHUTDOWN_STEP;
+    nssShutdownList.peakFuncs = 0;
+
+    return SECSuccess;
+}
+
+static SECStatus
+nss_ShutdownShutdownList(void)
+{
+    SECStatus rv = SECSuccess;
+    int i;
+
+    /* call all the registerd functions first */
+    for (i=0; i < nssShutdownList.peakFuncs; i++) {
+	struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i];
+	if (funcPair->func) {
+	    if ((*funcPair->func)(funcPair->appData,NULL) != SECSuccess) {
+		rv = SECFailure;
+	    }
+	}
+    }
+
+    nssShutdownList.peakFuncs = 0;
+    nssShutdownList.allocatedFuncs = 0;
+    PORT_Free(nssShutdownList.funcs);
+    nssShutdownList.funcs = NULL;
+    if (nssShutdownList.lock) {
+	PZ_DestroyLock(nssShutdownList.lock);
+    }
+    nssShutdownList.lock = NULL;
+    return rv;
+}
+
+
+extern const NSSError NSS_ERROR_BUSY;
+
+SECStatus
+NSS_Shutdown(void)
+{
+    SECStatus shutdownRV = SECSuccess;
+    SECStatus rv;
+    PRStatus status;
+
+    if (!nss_IsInitted) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return SECFailure;
+    }
+
+    rv = nss_ShutdownShutdownList();
+    if (rv != SECSuccess) {
+	shutdownRV = SECFailure;
+    }
+    cert_DestroyLocks();
+    ShutdownCRLCache();
+    OCSP_ShutdownGlobal();
+    PKIX_Shutdown(plContext);
+    SECOID_Shutdown();
+    status = STAN_Shutdown();
+    cert_DestroySubjectKeyIDHashTable();
+    rv = SECMOD_Shutdown();
+    if (rv != SECSuccess) {
+	shutdownRV = SECFailure;
+    }
+    pk11sdr_Shutdown();
+    /*
+     * A thread's error stack is automatically destroyed when the thread
+     * terminates, except for the primordial thread, whose error stack is
+     * destroyed by PR_Cleanup.  Since NSS is usually shut down by the
+     * primordial thread and many NSS-based apps don't call PR_Cleanup,
+     * we destroy the calling thread's error stack here.
+     */
+    nss_DestroyErrorStack();
+    nssArena_Shutdown();
+    if (status == PR_FAILURE) {
+	if (NSS_GetError() == NSS_ERROR_BUSY) {
+	    PORT_SetError(SEC_ERROR_BUSY);
+	}
+	shutdownRV = SECFailure;
+    }
+    nss_IsInitted = PR_FALSE;
+    return shutdownRV;
+}
+
+PRBool
+NSS_IsInitialized(void)
+{
+    return nss_IsInitted;
+}
+
+
+extern const char __nss_base_rcsid[];
+extern const char __nss_base_sccsid[];
+
+PRBool
+NSS_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    int vmajor = 0, vminor = 0, vpatch = 0;
+    const char *ptr = importedVersion;
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_base_rcsid[0] + __nss_base_sccsid[0]; 
+
+    while (isdigit(*ptr)) {
+        vmajor = 10 * vmajor + *ptr - '0';
+        ptr++;
+    }
+    if (*ptr == '.') {
+        ptr++;
+        while (isdigit(*ptr)) {
+            vminor = 10 * vminor + *ptr - '0';
+            ptr++;
+        }
+        if (*ptr == '.') {
+            ptr++;
+            while (isdigit(*ptr)) {
+                vpatch = 10 * vpatch + *ptr - '0';
+                ptr++;
+            }
+        }
+    }
+
+    if (vmajor != NSS_VMAJOR) {
+        return PR_FALSE;
+    }
+    if (vmajor == NSS_VMAJOR && vminor > NSS_VMINOR) {
+        return PR_FALSE;
+    }
+    if (vmajor == NSS_VMAJOR && vminor == NSS_VMINOR && vpatch > NSS_VPATCH) {
+        return PR_FALSE;
+    }
+    /* Check dependent libraries */
+    if (PR_VersionCheck(PR_VERSION) == PR_FALSE) {
+        return PR_FALSE;
+    }
+    return PR_TRUE;
+}
diff --git a/security/nss/lib/nss/nssrenam.h b/security/nss/lib/nss/nssrenam.h
new file mode 100644
index 000000000..156646cdd
--- /dev/null
+++ b/security/nss/lib/nss/nssrenam.h
@@ -0,0 +1,47 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __nssrenam_h_
+#define __nssrenam_h_
+
+#define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
+#define PK11_CreateContextByRawKey __PK11_CreateContextByRawKey
+#define CERT_ClosePermCertDB __CERT_ClosePermCertDB
+#define CERT_DecodeDERCertificate __CERT_DecodeDERCertificate
+#define CERT_TraversePermCertsForNickname __CERT_TraversePermCertsForNickname
+#define CERT_TraversePermCertsForSubject __CERT_TraversePermCertsForSubject
+
+#endif /* __nssrenam_h_ */
diff --git a/security/nss/lib/nss/nssver.c b/security/nss/lib/nss/nssver.c
new file mode 100644
index 000000000..9d7f8136e
--- /dev/null
+++ b/security/nss/lib/nss/nssver.c
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_base_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_base_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/nss/pkixpriv.def b/security/nss/lib/nss/pkixpriv.def
new file mode 100644
index 000000000..165ebf393
--- /dev/null
+++ b/security/nss/lib/nss/pkixpriv.def
@@ -0,0 +1,318 @@
+;+LIBPKIXprivate {
+;+    global:
+;+# libpkix functions
+;+# May not become part of the NSS public API. Needed for unit testing for now.
+NSS_Get_PKIX_PL_LDAPMessageTemplate;
+PKIX_PL_LDAPMessageTemplate;
+PKIX_ALLOC_ERROR;
+PKIX_BuildChain;
+pkix_BuildResult_Create;
+PKIX_BuildResult_GetCertChain;
+PKIX_BuildResult_GetValidateResult;
+PKIX_CertChainChecker_Create;
+PKIX_CertChainChecker_GetCertChainCheckerState;
+PKIX_CertChainChecker_GetCheckCallback;
+PKIX_CertChainChecker_GetSupportedExtensions;
+PKIX_CertChainChecker_IsForwardCheckingSupported;
+PKIX_CertChainChecker_IsForwardDirectionExpected;
+PKIX_CertChainChecker_SetCertChainCheckerState;
+PKIX_CertSelector_Create;
+PKIX_CertSelector_GetCertSelectorContext;
+PKIX_CertSelector_GetCommonCertSelectorParams;
+PKIX_CertSelector_GetMatchCallback;
+PKIX_CertSelector_SetCommonCertSelectorParams;
+PKIX_CertStore_CertContinue;
+PKIX_CertStore_Create;
+PKIX_CertStore_CrlContinue;
+PKIX_CertStore_GetCertCallback;
+PKIX_CertStore_GetCertStoreContext;
+PKIX_CertStore_GetCRLCallback;
+PKIX_CertStore_GetTrustCallback;
+pkix_CheckType;
+PKIX_ComCertSelParams_AddPathToName;
+PKIX_ComCertSelParams_AddSubjAltName;
+PKIX_ComCertSelParams_Create;
+PKIX_ComCertSelParams_GetAuthorityKeyIdentifier;
+PKIX_ComCertSelParams_GetBasicConstraints;
+PKIX_ComCertSelParams_GetCertificate;
+PKIX_ComCertSelParams_GetCertificateValid;
+PKIX_ComCertSelParams_GetExtendedKeyUsage;
+PKIX_ComCertSelParams_GetIssuer;
+PKIX_ComCertSelParams_GetKeyUsage;
+PKIX_ComCertSelParams_GetMatchAllSubjAltNames;
+PKIX_ComCertSelParams_GetNameConstraints;
+PKIX_ComCertSelParams_GetPathToNames;
+PKIX_ComCertSelParams_GetPolicy;
+PKIX_ComCertSelParams_GetSerialNumber;
+PKIX_ComCertSelParams_GetSubjAltNames;
+PKIX_ComCertSelParams_GetSubject;
+PKIX_ComCertSelParams_GetSubjKeyIdentifier;
+PKIX_ComCertSelParams_GetSubjPKAlgId;
+PKIX_ComCertSelParams_GetSubjPubKey;
+PKIX_ComCertSelParams_GetVersion;
+PKIX_ComCertSelParams_SetAuthorityKeyIdentifier;
+PKIX_ComCertSelParams_SetBasicConstraints;
+PKIX_ComCertSelParams_SetCertificate;
+PKIX_ComCertSelParams_SetCertificateValid;
+PKIX_ComCertSelParams_SetExtendedKeyUsage;
+PKIX_ComCertSelParams_SetIssuer;
+PKIX_ComCertSelParams_SetKeyUsage;
+PKIX_ComCertSelParams_SetMatchAllSubjAltNames;
+PKIX_ComCertSelParams_SetNameConstraints;
+PKIX_ComCertSelParams_SetPathToNames;
+PKIX_ComCertSelParams_SetPolicy;
+PKIX_ComCertSelParams_SetSerialNumber;
+PKIX_ComCertSelParams_SetSubjAltNames;
+PKIX_ComCertSelParams_SetSubject;
+PKIX_ComCertSelParams_SetSubjKeyIdentifier;
+PKIX_ComCertSelParams_SetSubjPKAlgId;
+PKIX_ComCertSelParams_SetSubjPubKey;
+PKIX_ComCertSelParams_SetVersion;
+PKIX_ComCRLSelParams_AddIssuerName;
+PKIX_ComCRLSelParams_Create;
+PKIX_ComCRLSelParams_GetCertificateChecking;
+PKIX_ComCRLSelParams_GetDateAndTime;
+PKIX_ComCRLSelParams_GetIssuerNames;
+PKIX_ComCRLSelParams_GetMaxCRLNumber;
+PKIX_ComCRLSelParams_GetMinCRLNumber;
+PKIX_ComCRLSelParams_SetCertificateChecking;
+PKIX_ComCRLSelParams_SetDateAndTime;
+PKIX_ComCRLSelParams_SetIssuerNames;
+PKIX_ComCRLSelParams_SetMaxCRLNumber;
+PKIX_ComCRLSelParams_SetMinCRLNumber;
+PKIX_CRLSelector_Create;
+PKIX_CRLSelector_GetCommonCRLSelectorParams;
+PKIX_CRLSelector_GetCRLSelectorContext;
+PKIX_CRLSelector_GetMatchCallback;
+PKIX_CRLSelector_SetCommonCRLSelectorParams;
+pkix_DefaultRevChecker_Initialize;
+PKIX_Error_Create;
+PKIX_Error_GetCause;
+PKIX_Error_GetDescription;
+PKIX_Error_GetErrorClass;
+PKIX_Error_GetSupplementaryInfo;
+PKIX_ERRORCLASSNAMES DATA ;
+PKIX_Initialize;
+PKIX_Initialize_SetConfigDir;
+PKIX_List_AppendItem;
+PKIX_List_Create;
+PKIX_List_DeleteItem;
+PKIX_List_GetItem;
+PKIX_List_GetLength;
+PKIX_List_InsertItem;
+PKIX_List_IsEmpty;
+PKIX_List_IsImmutable;
+PKIX_List_ReverseList;
+PKIX_List_SetImmutable;
+PKIX_List_SetItem;
+PKIX_AddLogger;
+PKIX_GetLoggers;
+PKIX_SetLoggers;
+PKIX_Logger_Create;
+PKIX_Logger_GetLoggerContext;
+PKIX_Logger_GetLoggingComponent;
+PKIX_Logger_GetLogCallback;
+PKIX_Logger_GetMaxLoggingLevel;
+PKIX_Logger_SetLoggingComponent;
+PKIX_Logger_SetMaxLoggingLevel;
+PKIX_OcspChecker_Initialize;
+PKIX_OcspChecker_SetOCSPResponder;
+PKIX_OcspChecker_SetPasswordInfo;
+PKIX_OcspChecker_SetVerifyFcn;
+PKIX_PL_AcquireReaderLock;
+PKIX_PL_AcquireWriterLock;
+PKIX_PL_BasicConstraints_GetCAFlag;
+PKIX_PL_BasicConstraints_GetPathLenConstraint;
+PKIX_PL_BigInt_Create;
+PKIX_PL_ByteArray_Create;
+PKIX_PL_ByteArray_GetLength;
+PKIX_PL_ByteArray_GetPointer;
+PKIX_PL_Cert_AreCertPoliciesCritical;
+PKIX_PL_Cert_CheckNameConstraints;
+PKIX_PL_Cert_CheckValidity;
+PKIX_PL_Cert_Create;
+pkix_pl_Cert_CreateToList;
+pkix_pl_Cert_CreateWithNSSCert;
+PKIX_PL_Cert_GetAuthorityInfoAccess;
+PKIX_PL_Cert_GetAuthorityKeyIdentifier;
+PKIX_PL_Cert_GetBasicConstraints;
+PKIX_PL_Cert_GetCriticalExtensionOIDs;
+PKIX_PL_Cert_GetExtendedKeyUsage;
+PKIX_PL_Cert_GetInhibitAnyPolicy;
+PKIX_PL_Cert_GetIssuer;
+PKIX_PL_Cert_GetNameConstraints;
+PKIX_PL_Cert_GetPolicyInformation;
+PKIX_PL_Cert_GetPolicyMappingInhibited;
+PKIX_PL_Cert_GetPolicyMappings;
+PKIX_PL_Cert_GetRequireExplicitPolicy;
+PKIX_PL_Cert_GetSerialNumber;
+PKIX_PL_Cert_GetSubject;
+PKIX_PL_Cert_GetSubjectAltNames;
+PKIX_PL_Cert_GetSubjectInfoAccess;
+PKIX_PL_Cert_GetSubjectKeyIdentifier;
+PKIX_PL_Cert_GetSubjectPublicKey;
+PKIX_PL_Cert_GetSubjectPublicKeyAlgId;
+PKIX_PL_Cert_GetVersion;
+PKIX_PL_Cert_IsCertTrusted;
+PKIX_PL_Cert_MergeNameConstraints;
+PKIX_PL_Cert_VerifyKeyUsage;
+PKIX_PL_Cert_VerifySignature;
+PKIX_PL_CertPolicyInfo_GetPolicyId;
+PKIX_PL_CertPolicyInfo_GetPolQualifiers;
+PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy;
+PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy;
+PKIX_PL_CollectionCertStore_Create;
+PKIX_PL_CRL_Create;
+pkix_pl_CRL_CreateToList;
+PKIX_PL_CRL_GetCriticalExtensionOIDs;
+PKIX_PL_CRL_GetCRLEntryForSerialNumber;
+PKIX_PL_CRL_GetIssuer;
+PKIX_PL_CRL_VerifySignature;
+PKIX_PL_CRLEntry_GetCriticalExtensionOIDs;
+PKIX_PL_CRLEntry_GetCRLEntryReasonCode;
+PKIX_PL_Date_Create_UTCTime;
+pkix_pl_Date_CreateFromPRTime;
+pkix_pl_Date_GetPRTime;
+PKIX_PL_EkuChecker_Initialize;
+PKIX_PL_Free;
+PKIX_PL_GeneralName_Create;
+PKIX_PL_GetString;
+PKIX_PL_HashTable_Add;
+PKIX_PL_HashTable_Create;
+PKIX_PL_HashTable_Lookup;
+PKIX_PL_HashTable_Remove;
+PKIX_PL_HttpCertStore_Create;
+pkix_pl_HttpCertStore_CreateWithAsciiName;
+PKIX_PL_Initialize;
+PKIX_PL_InfoAccess_GetMethod;
+PKIX_PL_InfoAccess_GetLocation;
+PKIX_PL_InfoAccess_GetLocationType;
+PKIX_PL_LdapCertStore_Create;
+PKIX_PL_LdapClient_InitiateRequest;
+PKIX_PL_LdapClient_ResumeRequest;
+PKIX_PL_LdapDefaultClient_AbandonRequest;
+PKIX_PL_LdapDefaultClient_Create;
+PKIX_PL_LdapDefaultClient_CreateByName;
+pkix_pl_LdapResponse_Create;
+PKIX_PL_Malloc;
+PKIX_PL_Memcpy;
+PKIX_PL_MonitorLock_Create;
+PKIX_PL_MonitorLock_Enter;
+PKIX_PL_MonitorLock_Exit;
+PKIX_PL_Mutex_Create;
+PKIX_PL_Mutex_Lock;
+PKIX_PL_Mutex_Unlock;
+PKIX_PL_NssContext_Create;
+PKIX_PL_Object_Alloc;
+PKIX_PL_Object_Compare;
+PKIX_PL_Object_DecRef;
+PKIX_PL_Object_Duplicate;
+PKIX_PL_Object_Equals;
+PKIX_PL_Object_GetType;
+PKIX_PL_Object_Hashcode;
+PKIX_PL_Object_IncRef;
+PKIX_PL_Object_IsTypeRegistered;
+PKIX_PL_Object_Lock;
+PKIX_PL_Object_RegisterType;
+PKIX_PL_Object_ToString;
+PKIX_PL_Object_Unlock;
+PKIX_PL_OID_Create;
+pkix_pl_OcspRequest_Create;
+pkix_pl_OcspResponse_Create;
+pkix_pl_OcspResponse_Decode;
+pkix_pl_OcspResponse_GetStatus;
+pkix_pl_OcspResponse_GetStatusForCert;
+PKIX_PL_OcspResponse_UseBuildChain;
+pkix_pl_OcspResponse_VerifySignature;
+PKIX_PL_Pk11CertStore_Create;
+PKIX_PL_PolicyQualifier_GetPolicyQualifierId;
+PKIX_PL_PolicyQualifier_GetQualifier;
+PKIX_PL_PublicKey_MakeInheritedDSAPublicKey;
+PKIX_PL_PublicKey_NeedsDSAParameters;
+PKIX_PL_Realloc;
+PKIX_PL_ReleaseReaderLock;
+PKIX_PL_ReleaseWriterLock;
+PKIX_PL_RWLock_Create;
+PKIX_PL_Shutdown;
+pkix_pl_Socket_Create;
+pkix_pl_Socket_CreateByName;
+pkix_pl_Socket_GetCallbackList;
+PKIX_PL_Sprintf;
+PKIX_PL_String_Create;
+PKIX_PL_String_GetEncoded;
+PKIX_PL_X500Name_Create;
+pkix_pl_X500Name_GetCommonName;
+pkix_pl_X500Name_GetCountryName;
+pkix_pl_X500Name_GetOrgName;
+PKIX_PL_X500Name_Match;
+pkix_PolicyNode_AddToParent;
+pkix_PolicyNode_Create;
+PKIX_PolicyNode_GetChildren;
+PKIX_PolicyNode_GetDepth;
+PKIX_PolicyNode_GetExpectedPolicies;
+PKIX_PolicyNode_GetParent;
+PKIX_PolicyNode_GetPolicyQualifiers;
+PKIX_PolicyNode_GetValidPolicy;
+PKIX_PolicyNode_IsCritical;
+pkix_PolicyNode_Prune;
+PKIX_ProcessingParams_AddCertChainChecker;
+PKIX_ProcessingParams_AddCertStore;
+PKIX_ProcessingParams_AddRevocationChecker;
+PKIX_ProcessingParams_Create;
+PKIX_ProcessingParams_GetCertChainCheckers;
+PKIX_ProcessingParams_GetCertStores;
+PKIX_ProcessingParams_GetDate;
+PKIX_ProcessingParams_GetHintCerts;
+PKIX_ProcessingParams_GetInitialPolicies;
+PKIX_ProcessingParams_GetPolicyQualifiersRejected;
+PKIX_ProcessingParams_GetResourceLimits;
+PKIX_ProcessingParams_GetRevocationCheckers;
+PKIX_ProcessingParams_GetTargetCertConstraints;
+PKIX_ProcessingParams_GetTrustAnchors;
+PKIX_ProcessingParams_IsAnyPolicyInhibited;
+PKIX_ProcessingParams_IsCRLRevocationCheckingEnabled;
+PKIX_ProcessingParams_IsExplicitPolicyRequired;
+PKIX_ProcessingParams_IsPolicyMappingInhibited;
+PKIX_ProcessingParams_SetAnyPolicyInhibited;
+PKIX_ProcessingParams_SetCertChainCheckers;
+PKIX_ProcessingParams_SetCertStores;
+PKIX_ProcessingParams_SetDate;
+PKIX_ProcessingParams_SetExplicitPolicyRequired;
+PKIX_ProcessingParams_SetHintCerts;
+PKIX_ProcessingParams_SetInitialPolicies;
+PKIX_ProcessingParams_SetPolicyMappingInhibited;
+PKIX_ProcessingParams_SetPolicyQualifiersRejected;
+PKIX_ProcessingParams_SetResourceLimits;
+PKIX_ProcessingParams_SetRevocationCheckers;
+PKIX_ProcessingParams_SetRevocationEnabled;
+PKIX_ProcessingParams_SetTargetCertConstraints;
+PKIX_RevocationChecker_Create;
+PKIX_RevocationChecker_GetRevCallback;
+PKIX_RevocationChecker_GetRevCheckerContext;
+PKIX_Shutdown;
+pkix_Throw;
+PKIX_TrustAnchor_CreateWithCert;
+PKIX_TrustAnchor_CreateWithNameKeyPair;
+PKIX_TrustAnchor_GetCAName;
+PKIX_TrustAnchor_GetCAPublicKey;
+PKIX_TrustAnchor_GetNameConstraints;
+PKIX_TrustAnchor_GetTrustedCert;
+PKIX_ValidateChain;
+PKIX_ValidateChain_NB;
+PKIX_ValidateParams_Create;
+PKIX_ValidateParams_GetCertChain;
+PKIX_ValidateParams_GetProcessingParams;
+pkix_ValidateResult_Create;
+PKIX_ValidateResult_GetPolicyTree;
+PKIX_ValidateResult_GetPublicKey;
+PKIX_ValidateResult_GetTrustAnchor;
+pkix_VerifyNode_AddToChain;
+pkix_VerifyNode_Create;
+PKIX_ResourceLimits_Create;
+PKIX_ResourceLimits_GetMaxDepth;
+PKIX_ResourceLimits_GetMaxFanout;
+PKIX_ResourceLimits_GetMaxTime;
+PKIX_ResourceLimits_SetMaxDepth;
+PKIX_ResourceLimits_SetMaxFanout;
+PKIX_ResourceLimits_SetMaxTime;
+;+};
diff --git a/security/nss/lib/nss/utilwrap.c b/security/nss/lib/nss/utilwrap.c
new file mode 100644
index 000000000..900ab325a
--- /dev/null
+++ b/security/nss/lib/nss/utilwrap.c
@@ -0,0 +1,826 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secport.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secdig.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "base64.h"
+#include "nssb64.h"
+#include "nssrwlk.h"
+#include "cert.h"
+#include "prerror.h"
+
+/* wrappers for implementation in libnssutil3 */
+#undef ATOB_AsciiToData
+#undef ATOB_ConvertAsciiToItem
+#undef BTOA_ConvertItemToAscii
+#undef BTOA_DataToAscii
+#undef CERT_GenTime2FormattedAscii
+#undef DER_AsciiToTime
+#undef DER_DecodeTimeChoice
+#undef DER_Encode
+#undef DER_EncodeTimeChoice
+#undef DER_GeneralizedDayToAscii
+#undef DER_GeneralizedTimeToTime
+#undef DER_GetInteger
+#undef DER_Lengths
+#undef DER_TimeChoiceDayToAscii
+#undef DER_TimeToGeneralizedTime
+#undef DER_TimeToGeneralizedTimeArena
+#undef DER_TimeToUTCTime
+#undef DER_UTCDayToAscii
+#undef DER_UTCTimeToAscii
+#undef DER_UTCTimeToTime
+#undef NSS_PutEnv
+#undef NSSBase64_DecodeBuffer
+#undef NSSBase64_EncodeItem
+#undef NSSBase64Decoder_Create
+#undef NSSBase64Decoder_Destroy
+#undef NSSBase64Decoder_Update
+#undef NSSBase64Encoder_Create
+#undef NSSBase64Encoder_Destroy
+#undef NSSBase64Encoder_Update
+#undef NSSRWLock_Destroy
+#undef NSSRWLock_HaveWriteLock
+#undef NSSRWLock_LockRead
+#undef NSSRWLock_LockWrite
+#undef NSSRWLock_New
+#undef NSSRWLock_UnlockRead
+#undef NSSRWLock_UnlockWrite
+#undef PORT_Alloc
+#undef PORT_ArenaAlloc
+#undef PORT_ArenaGrow
+#undef PORT_ArenaMark
+#undef PORT_ArenaRelease
+#undef PORT_ArenaStrdup
+#undef PORT_ArenaUnmark
+#undef PORT_ArenaZAlloc
+#undef PORT_Free
+#undef PORT_FreeArena
+#undef PORT_GetError
+#undef PORT_NewArena
+#undef PORT_Realloc
+#undef PORT_SetError
+#undef PORT_SetUCS2_ASCIIConversionFunction
+#undef PORT_SetUCS2_UTF8ConversionFunction
+#undef PORT_SetUCS4_UTF8ConversionFunction
+#undef PORT_Strdup
+#undef PORT_UCS2_ASCIIConversion
+#undef PORT_UCS2_UTF8Conversion
+#undef PORT_ZAlloc
+#undef PORT_ZFree
+#undef SEC_ASN1Decode
+#undef SEC_ASN1DecodeInteger
+#undef SEC_ASN1DecodeItem
+#undef SEC_ASN1DecoderAbort
+#undef SEC_ASN1DecoderClearFilterProc
+#undef SEC_ASN1DecoderClearNotifyProc
+#undef SEC_ASN1DecoderFinish
+#undef SEC_ASN1DecoderSetFilterProc
+#undef SEC_ASN1DecoderSetNotifyProc
+#undef SEC_ASN1DecoderStart
+#undef SEC_ASN1DecoderUpdate
+#undef SEC_ASN1Encode
+#undef SEC_ASN1EncodeInteger
+#undef SEC_ASN1EncodeItem
+#undef SEC_ASN1EncoderAbort
+#undef SEC_ASN1EncoderClearNotifyProc
+#undef SEC_ASN1EncoderClearStreaming
+#undef SEC_ASN1EncoderClearTakeFromBuf
+#undef SEC_ASN1EncoderFinish
+#undef SEC_ASN1EncoderSetNotifyProc
+#undef SEC_ASN1EncoderSetStreaming
+#undef SEC_ASN1EncoderSetTakeFromBuf
+#undef SEC_ASN1EncoderStart
+#undef SEC_ASN1EncoderUpdate
+#undef SEC_ASN1EncodeUnsignedInteger
+#undef SEC_ASN1LengthLength
+#undef SEC_QuickDERDecodeItem
+#undef SECITEM_AllocItem
+#undef SECITEM_ArenaDupItem
+#undef SECITEM_CompareItem
+#undef SECITEM_CopyItem
+#undef SECITEM_DupItem
+#undef SECITEM_FreeItem
+#undef SECITEM_ItemsAreEqual
+#undef SECITEM_ZfreeItem
+#undef SECOID_AddEntry
+#undef SECOID_CompareAlgorithmID
+#undef SECOID_CopyAlgorithmID
+#undef SECOID_DestroyAlgorithmID
+#undef SECOID_FindOID
+#undef SECOID_FindOIDByTag
+#undef SECOID_FindOIDTag
+#undef SECOID_FindOIDTagDescription
+#undef SECOID_GetAlgorithmTag
+#undef SECOID_SetAlgorithmID
+#undef SGN_CompareDigestInfo
+#undef SGN_CopyDigestInfo
+#undef SGN_CreateDigestInfo
+#undef SGN_DestroyDigestInfo
+
+void *
+PORT_Alloc(size_t bytes)
+{
+    return PORT_Alloc_Util(bytes);
+}
+
+void *
+PORT_Realloc(void *oldptr, size_t bytes)
+{
+    return PORT_Realloc_Util(oldptr, bytes);
+}
+
+void *
+PORT_ZAlloc(size_t bytes)
+{
+    return PORT_ZAlloc_Util(bytes);
+}
+
+void
+PORT_Free(void *ptr)
+{
+    PORT_Free_Util(ptr);
+}
+
+void
+PORT_ZFree(void *ptr, size_t len)
+{
+    PORT_ZFree_Util(ptr, len);
+}
+
+char *
+PORT_Strdup(const char *str)
+{
+    return PORT_Strdup_Util(str);
+}
+
+void
+PORT_SetError(int value)
+{
+    PORT_SetError_Util(value);
+}
+
+int
+PORT_GetError(void)
+{
+    return PORT_GetError_Util();
+}
+
+PLArenaPool *
+PORT_NewArena(unsigned long chunksize)
+{
+    return PORT_NewArena_Util(chunksize);
+}
+
+void *
+PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+{
+    return PORT_ArenaAlloc_Util(arena, size);
+}
+
+void *
+PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
+{
+    return PORT_ArenaZAlloc_Util(arena, size);
+}
+
+void
+PORT_FreeArena(PLArenaPool *arena, PRBool zero)
+{
+    PORT_FreeArena_Util(arena, zero);
+}
+
+void *
+PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
+{
+    return PORT_ArenaGrow_Util(arena, ptr, oldsize, newsize);
+}
+
+void *
+PORT_ArenaMark(PLArenaPool *arena)
+{
+    return PORT_ArenaMark_Util(arena);
+}
+
+void
+PORT_ArenaRelease(PLArenaPool *arena, void *mark)
+{
+    PORT_ArenaRelease_Util(arena, mark);
+}
+
+void
+PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
+{
+    PORT_ArenaUnmark_Util(arena, mark);
+}
+
+char *
+PORT_ArenaStrdup(PLArenaPool *arena, const char *str)
+{
+    return PORT_ArenaStrdup_Util(arena, str);
+}
+
+void
+PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{
+    PORT_SetUCS4_UTF8ConversionFunction_Util(convFunc);
+}
+
+void
+PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
+{ 
+    PORT_SetUCS2_ASCIIConversionFunction_Util(convFunc);
+}
+
+void
+PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{ 
+    PORT_SetUCS2_UTF8ConversionFunction_Util(convFunc);
+}
+
+PRBool 
+PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    return PORT_UCS2_UTF8Conversion_Util(toUnicode, inBuf, inBufLen, outBuf,
+                                          maxOutBufLen, outBufLen);
+} 
+
+PRBool 
+PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
+			  unsigned int inBufLen, unsigned char *outBuf,
+			  unsigned int maxOutBufLen, unsigned int *outBufLen,
+			  PRBool swapBytes)
+{
+    return PORT_UCS2_ASCIIConversion_Util(toUnicode, inBuf, inBufLen, outBuf,
+			  maxOutBufLen, outBufLen, swapBytes);
+}
+
+int
+NSS_PutEnv(const char * envVarName, const char * envValue)
+{
+    return NSS_PutEnv_Util(envVarName, envValue);
+}
+
+SECOidData *SECOID_FindOID( const SECItem *oid)
+{
+    return SECOID_FindOID_Util(oid);
+}
+
+SECOidTag SECOID_FindOIDTag(const SECItem *oid)
+{
+    return SECOID_FindOIDTag_Util(oid);
+}
+
+SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum)
+{
+    return SECOID_FindOIDByTag_Util(tagnum);
+}
+
+SECStatus SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *aid,
+				   SECOidTag tag, SECItem *params)
+{
+    return SECOID_SetAlgorithmID_Util(arena, aid, tag, params);
+}
+
+SECStatus SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *dest,
+				    SECAlgorithmID *src)
+{
+    return SECOID_CopyAlgorithmID_Util(arena, dest, src);
+}
+
+SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid)
+{
+    return SECOID_GetAlgorithmTag_Util(aid);
+}
+
+void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit)
+{
+    SECOID_DestroyAlgorithmID_Util(aid, freeit);
+}
+
+SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
+					   SECAlgorithmID *b)
+{
+    return SECOID_CompareAlgorithmID_Util(a, b);
+}
+
+const char *SECOID_FindOIDTagDescription(SECOidTag tagnum)
+{
+    return SECOID_FindOIDTagDescription_Util(tagnum);
+}
+
+SECOidTag SECOID_AddEntry(const SECOidData * src)
+{
+    return SECOID_AddEntry_Util(src);
+}
+
+SECItem *SECITEM_AllocItem(PRArenaPool *arena, SECItem *item,
+				  unsigned int len)
+{
+    return SECITEM_AllocItem_Util(arena, item, len);
+}
+
+SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b)
+{
+    return SECITEM_CompareItem_Util(a, b);
+}
+
+PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
+{
+    return SECITEM_ItemsAreEqual_Util(a, b);
+}
+
+SECStatus SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, 
+                                  const SECItem *from)
+{
+    return SECITEM_CopyItem_Util(arena, to, from);
+}
+
+SECItem *SECITEM_DupItem(const SECItem *from)
+{
+    return SECITEM_DupItem_Util(from);
+}
+
+SECItem *SECITEM_ArenaDupItem(PRArenaPool *arena, const SECItem *from)
+{
+    return SECITEM_ArenaDupItem_Util(arena, from);
+}
+
+void SECITEM_FreeItem(SECItem *zap, PRBool freeit)
+{
+    SECITEM_FreeItem_Util(zap, freeit);
+}
+
+void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
+{
+    SECITEM_ZfreeItem_Util(zap, freeit);
+}
+
+SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
+					   unsigned char *sig,
+					   unsigned int sigLen)
+{
+    return SGN_CreateDigestInfo_Util(algorithm, sig, sigLen);
+}
+
+void SGN_DestroyDigestInfo(SGNDigestInfo *info)
+{
+    SGN_DestroyDigestInfo_Util(info);
+}
+
+SECStatus  SGN_CopyDigestInfo(PRArenaPool *poolp,
+					SGNDigestInfo *a, 
+					SGNDigestInfo *b)
+{
+    return SGN_CopyDigestInfo_Util(poolp, a, b);
+}
+
+SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
+{
+    return SGN_CompareDigestInfo_Util(a, b);
+}
+
+SECStatus DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *t,
+			   void *src)
+{
+    return DER_Encode_Util(arena, dest, t, src);
+}
+
+SECStatus DER_Lengths(SECItem *item, int *header_len_p,
+                             PRUint32 *contents_len_p)
+{
+    return DER_Lengths_Util(item, header_len_p, contents_len_p);
+}
+
+long DER_GetInteger(SECItem *src)
+{
+    return DER_GetInteger_Util(src);
+}
+
+SECStatus DER_TimeToUTCTime(SECItem *result, int64 time)
+{
+    return DER_TimeToUTCTime_Util(result, time);
+}
+
+SECStatus DER_AsciiToTime(int64 *result, const char *string)
+{
+    return DER_AsciiToTime_Util(result, string);
+}
+
+SECStatus DER_UTCTimeToTime(int64 *result, const SECItem *time)
+{
+    return DER_UTCTimeToTime_Util(result, time);
+}
+
+char *DER_UTCTimeToAscii(SECItem *utcTime)
+{
+    return DER_UTCTimeToAscii_Util(utcTime);
+}
+
+char *DER_UTCDayToAscii(SECItem *utctime)
+{
+    return DER_UTCDayToAscii_Util(utctime);
+}
+
+char *DER_GeneralizedDayToAscii(SECItem *gentime)
+{
+    return DER_GeneralizedDayToAscii_Util(gentime);
+}
+
+char *DER_TimeChoiceDayToAscii(SECItem *timechoice)
+{
+    return DER_TimeChoiceDayToAscii_Util(timechoice);
+}
+
+SECStatus DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
+{
+    return DER_TimeToGeneralizedTime_Util(dst, gmttime);
+}
+
+SECStatus DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt,
+                                                SECItem *dst, int64 gmttime)
+{
+    return DER_TimeToGeneralizedTimeArena_Util(arenaOpt, dst, gmttime);
+}
+
+SECStatus DER_GeneralizedTimeToTime(int64 *dst, const SECItem *time)
+{
+    return DER_GeneralizedTimeToTime_Util(dst, time);
+}
+
+char *CERT_GenTime2FormattedAscii (int64 genTime, char *format)
+{
+    return CERT_GenTime2FormattedAscii_Util(genTime, format);
+}
+
+SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input)
+{
+    return DER_DecodeTimeChoice_Util(output, input);
+}
+
+SECStatus DER_EncodeTimeChoice(PRArenaPool* arena, SECItem* output,
+                                       PRTime input)
+{
+    return DER_EncodeTimeChoice_Util(arena, output, input);
+}
+
+SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PRArenaPool *pool,
+						    void *dest,
+						    const SEC_ASN1Template *t)
+{
+    return SEC_ASN1DecoderStart_Util(pool, dest, t);
+}
+
+SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
+				       const char *buf,
+				       unsigned long len)
+{
+    return SEC_ASN1DecoderUpdate_Util(cx, buf, len);
+}
+
+SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx)
+{
+    return SEC_ASN1DecoderFinish_Util(cx);
+}
+
+void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
+{
+    SEC_ASN1DecoderAbort_Util(cx, error);
+}
+
+void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1WriteProc fn,
+					 void *arg, PRBool no_store)
+{
+    SEC_ASN1DecoderSetFilterProc_Util(cx, fn, arg, no_store);
+}
+
+void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx)
+{
+    SEC_ASN1DecoderClearFilterProc_Util(cx);
+}
+
+void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg)
+{
+    SEC_ASN1DecoderSetNotifyProc_Util(cx, fn, arg);
+}
+
+void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx)
+{
+    SEC_ASN1DecoderClearNotifyProc_Util(cx);
+}
+
+SECStatus SEC_ASN1Decode(PRArenaPool *pool, void *dest,
+				const SEC_ASN1Template *t,
+				const char *buf, long len)
+{
+    return SEC_ASN1Decode_Util(pool, dest, t, buf, len);
+}
+
+SECStatus SEC_ASN1DecodeItem(PRArenaPool *pool, void *dest,
+				    const SEC_ASN1Template *t,
+				    const SECItem *src)
+{
+    return SEC_ASN1DecodeItem_Util(pool, dest, t, src);
+}
+
+SECStatus SEC_QuickDERDecodeItem(PRArenaPool* arena, void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     const SECItem* src)
+{
+    return SEC_QuickDERDecodeItem_Util(arena, dest, templateEntry, src);
+}
+
+SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(const void *src,
+						    const SEC_ASN1Template *t,
+						    SEC_ASN1WriteProc fn,
+						    void *output_arg)
+{
+    return SEC_ASN1EncoderStart_Util(src, t, fn, output_arg);
+}
+
+SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
+				       const char *buf,
+				       unsigned long len)
+{
+    return SEC_ASN1EncoderUpdate_Util(cx, buf, len);
+}
+
+void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderFinish_Util(cx);
+}
+
+void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
+{
+    SEC_ASN1EncoderAbort_Util(cx, error);
+}
+
+void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg)
+{
+    SEC_ASN1EncoderSetNotifyProc_Util(cx, fn, arg);
+}
+
+void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderClearNotifyProc_Util(cx);
+}
+
+void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderSetStreaming_Util(cx);
+}
+
+void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderClearStreaming_Util(cx);
+}
+
+void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderSetTakeFromBuf_Util(cx);
+}
+
+void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx)
+{
+    SEC_ASN1EncoderClearTakeFromBuf_Util(cx);
+}
+
+SECStatus SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
+				SEC_ASN1WriteProc output_proc,
+				void *output_arg)
+{
+    return SEC_ASN1Encode_Util(src, t, output_proc, output_arg);
+}
+
+SECItem * SEC_ASN1EncodeItem(PRArenaPool *pool, SECItem *dest,
+				    const void *src, const SEC_ASN1Template *t)
+{
+    return SEC_ASN1EncodeItem_Util(pool, dest, src, t);
+}
+
+SECItem * SEC_ASN1EncodeInteger(PRArenaPool *pool,
+				       SECItem *dest, long value)
+{
+    return SEC_ASN1EncodeInteger_Util(pool, dest, value);
+}
+
+SECItem * SEC_ASN1EncodeUnsignedInteger(PRArenaPool *pool,
+					       SECItem *dest,
+					       unsigned long value)
+{
+    return SEC_ASN1EncodeUnsignedInteger_Util(pool, dest, value);
+}
+
+SECStatus SEC_ASN1DecodeInteger(SECItem *src,
+				       unsigned long *value)
+{
+    return SEC_ASN1DecodeInteger_Util(src, value);
+}
+
+int SEC_ASN1LengthLength (unsigned long len)
+{
+    return SEC_ASN1LengthLength_Util(len);
+}
+
+char *BTOA_DataToAscii(const unsigned char *data, unsigned int len)
+{
+    return BTOA_DataToAscii_Util(data, len);
+}
+
+unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp)
+{
+    return ATOB_AsciiToData_Util(string, lenp);
+}
+ 
+SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
+{
+    return ATOB_ConvertAsciiToItem_Util(binary_item, ascii);
+}
+
+char *BTOA_ConvertItemToAscii(SECItem *binary_item)
+{
+    return BTOA_ConvertItemToAscii_Util(binary_item);
+}
+
+NSSBase64Decoder *
+NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
+					       PRInt32),
+			 void *output_arg)
+{
+    return NSSBase64Decoder_Create_Util(output_fn, output_arg);
+}
+
+NSSBase64Encoder *
+NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			 void *output_arg)
+{
+    return NSSBase64Encoder_Create_Util(output_fn, output_arg);
+}
+
+SECStatus
+NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
+			 PRUint32 size)
+{
+    return NSSBase64Decoder_Update_Util(data, buffer, size);
+}
+
+SECStatus
+NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
+			 PRUint32 size)
+{
+    return NSSBase64Encoder_Update_Util(data, buffer, size);
+}
+
+SECStatus
+NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
+{
+    return NSSBase64Decoder_Destroy_Util(data, abort_p);
+}
+
+SECStatus
+NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
+{
+    return NSSBase64Encoder_Destroy_Util(data, abort_p);
+}
+
+SECItem *
+NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
+			const char *inStr, unsigned int inLen)
+{
+    return NSSBase64_DecodeBuffer_Util(arenaOpt, outItemOpt, inStr, inLen);
+}
+
+char *
+NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
+		      unsigned int maxOutLen, SECItem *inItem)
+{
+    return NSSBase64_EncodeItem_Util(arenaOpt, outStrOpt, maxOutLen, inItem);
+}
+
+NSSRWLock* NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
+{
+    return NSSRWLock_New_Util(lock_rank, lock_name);
+}
+
+void NSSRWLock_Destroy(NSSRWLock *lock)
+{
+    NSSRWLock_Destroy_Util(lock);
+}
+
+void NSSRWLock_LockRead(NSSRWLock *lock)
+{
+    NSSRWLock_LockRead_Util(lock);
+}
+
+void NSSRWLock_LockWrite(NSSRWLock *lock)
+{
+    NSSRWLock_LockWrite_Util(lock);
+}
+
+void NSSRWLock_UnlockRead(NSSRWLock *lock)
+{
+    NSSRWLock_UnlockRead_Util(lock);
+}
+
+void NSSRWLock_UnlockWrite(NSSRWLock *lock)
+{
+    NSSRWLock_UnlockWrite_Util(lock);
+}
+
+PRBool NSSRWLock_HaveWriteLock(NSSRWLock *rwlock)
+{
+    return NSSRWLock_HaveWriteLock_Util(rwlock);
+}
+
+SECStatus __nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+/* templates duplicated in libnss3 and libnssutil3 */
+
+#undef NSS_Get_SEC_AnyTemplate
+#undef NSS_Get_SEC_BitStringTemplate
+#undef NSS_Get_SEC_BMPStringTemplate
+#undef NSS_Get_SEC_BooleanTemplate
+#undef NSS_Get_SEC_GeneralizedTimeTemplate
+#undef NSS_Get_SEC_IA5StringTemplate
+#undef NSS_Get_SEC_IntegerTemplate
+#undef NSS_Get_SEC_NullTemplate
+#undef NSS_Get_SEC_ObjectIDTemplate
+#undef NSS_Get_SEC_OctetStringTemplate
+#undef NSS_Get_SEC_PointerToAnyTemplate
+#undef NSS_Get_SEC_PointerToOctetStringTemplate
+#undef NSS_Get_SEC_SetOfAnyTemplate
+#undef NSS_Get_SEC_UTCTimeTemplate
+#undef NSS_Get_SEC_UTF8StringTemplate
+#undef NSS_Get_SECOID_AlgorithmIDTemplate
+#undef NSS_Get_sgn_DigestInfoTemplate
+#undef SEC_AnyTemplate
+#undef SEC_BitStringTemplate
+#undef SEC_BMPStringTemplate
+#undef SEC_BooleanTemplate
+#undef SEC_GeneralizedTimeTemplate
+#undef SEC_IA5StringTemplate
+#undef SEC_IntegerTemplate
+#undef SEC_NullTemplate
+#undef SEC_ObjectIDTemplate
+#undef SEC_OctetStringTemplate
+#undef SEC_PointerToAnyTemplate
+#undef SEC_PointerToOctetStringTemplate
+#undef SEC_SetOfAnyTemplate
+#undef SEC_UTCTimeTemplate
+#undef SEC_UTF8StringTemplate
+#undef SECOID_AlgorithmIDTemplate
+#undef sgn_DigestInfoTemplate
+
+#include "templates.c"
+
diff --git a/security/nss/lib/pk11wrap/Makefile b/security/nss/lib/pk11wrap/Makefile
new file mode 100644
index 000000000..a3cca6ab0
--- /dev/null
+++ b/security/nss/lib/pk11wrap/Makefile
@@ -0,0 +1,92 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pk11slot.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pk11slot.o: pk11slot.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
diff --git a/security/nss/lib/pk11wrap/config.mk b/security/nss/lib/pk11wrap/config.mk
new file mode 100644
index 000000000..665828c63
--- /dev/null
+++ b/security/nss/lib/pk11wrap/config.mk
@@ -0,0 +1,47 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pk11wrap/debug_module.c b/security/nss/lib/pk11wrap/debug_module.c
new file mode 100644
index 000000000..5197d960e
--- /dev/null
+++ b/security/nss/lib/pk11wrap/debug_module.c
@@ -0,0 +1,2743 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "prlog.h"
+#include <stdio.h>
+#include "cert.h"  /* for CERT_DerNameToAscii & CERT_Hexify */
+
+static PRLogModuleInfo *modlog = NULL;
+
+static CK_FUNCTION_LIST_PTR module_functions;
+
+static CK_FUNCTION_LIST debug_functions;
+
+static void print_final_statistics(void);
+
+#define STRING static const char 
+
+STRING fmt_flags[]                = "  flags = 0x%x";
+STRING fmt_hKey[]                 = "  hKey = 0x%x";
+STRING fmt_hObject[]              = "  hObject = 0x%x";
+STRING fmt_hSession[]             = "  hSession = 0x%x";
+STRING fmt_manufacturerID[]       = "  manufacturerID = \"%.32s\"";
+STRING fmt_pData[]                = "  pData = 0x%p";
+STRING fmt_pDigest[]              = "  pDigest = 0x%p";
+STRING fmt_pEncryptedData[]       = "  pEncryptedData = 0x%p";
+STRING fmt_pEncryptedPart[]       = "  pEncryptedPart = 0x%p";
+STRING fmt_pInfo[]                = "  pInfo = 0x%p";
+STRING fmt_pMechanism[]           = "  pMechanism = 0x%p";
+STRING fmt_pOperationState[]      = "  pOperationState = 0x%p";
+STRING fmt_pPart[]                = "  pPart = 0x%p";
+STRING fmt_pPin[]                 = "  pPin = 0x%p";
+STRING fmt_pSignature[]           = "  pSignature = 0x%p";
+STRING fmt_pTemplate[]            = "  pTemplate = 0x%p";
+STRING fmt_pWrappedKey[]          = "  pWrappedKey = 0x%p";
+STRING fmt_phKey[]                = "  phKey = 0x%p";
+STRING fmt_phObject[]             = "  phObject = 0x%p";
+STRING fmt_pulCount[]             = "  pulCount = 0x%p";
+STRING fmt_pulDataLen[]           = "  pulDataLen = 0x%p";
+STRING fmt_pulDigestLen[]         = "  pulDigestLen = 0x%p";
+STRING fmt_pulEncryptedPartLen[]  = "  pulEncryptedPartLen = 0x%p";
+STRING fmt_pulPartLen[]           = "  pulPartLen = 0x%p";
+STRING fmt_pulSignatureLen[]      = "  pulSignatureLen = 0x%p";
+STRING fmt_slotID[]               = "  slotID = 0x%x";
+STRING fmt_sphKey[]               = "  *phKey = 0x%x";
+STRING fmt_spulCount[]            = "  *pulCount = 0x%x";
+STRING fmt_spulDataLen[]          = "  *pulDataLen = 0x%x";
+STRING fmt_spulDigestLen[]        = "  *pulDigestLen = 0x%x";
+STRING fmt_spulEncryptedPartLen[] = "  *pulEncryptedPartLen = 0x%x";
+STRING fmt_spulPartLen[]          = "  *pulPartLen = 0x%x";
+STRING fmt_spulSignatureLen[]     = "  *pulSignatureLen = 0x%x";
+STRING fmt_ulAttributeCount[]     = "  ulAttributeCount = %d";
+STRING fmt_ulCount[]              = "  ulCount = %d";
+STRING fmt_ulDataLen[]            = "  ulDataLen = %d";
+STRING fmt_ulEncryptedPartLen[]   = "  ulEncryptedPartLen = %d";
+STRING fmt_ulPartLen[]            = "  ulPartLen = %d";
+STRING fmt_ulPinLen[]             = "  ulPinLen = %d";
+STRING fmt_ulSignatureLen[]       = "  ulSignatureLen = %d";
+
+STRING fmt_fwVersion[]            = "  firmware version: %d.%d";
+STRING fmt_hwVersion[]            = "  hardware version: %d.%d";
+STRING fmt_s_qsq_d[]              = "    %s = \"%s\" [%d]";
+STRING fmt_s_s_d[]                = "    %s = %s [%d]";
+STRING fmt_invalid_handle[]       = " (CK_INVALID_HANDLE)";
+
+
+static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len)
+{
+#define CASE(attr) case attr: a = #attr ; break
+
+    const char * a = NULL;
+
+    switch (atype) {
+    CASE(CKA_CLASS);
+    CASE(CKA_TOKEN);
+    CASE(CKA_PRIVATE);
+    CASE(CKA_LABEL);
+    CASE(CKA_APPLICATION);
+    CASE(CKA_VALUE);
+    CASE(CKA_OBJECT_ID);
+    CASE(CKA_CERTIFICATE_TYPE);
+    CASE(CKA_ISSUER);
+    CASE(CKA_SERIAL_NUMBER);
+    CASE(CKA_AC_ISSUER);
+    CASE(CKA_OWNER);
+    CASE(CKA_ATTR_TYPES);
+    CASE(CKA_TRUSTED);
+    CASE(CKA_KEY_TYPE);
+    CASE(CKA_SUBJECT);
+    CASE(CKA_ID);
+    CASE(CKA_SENSITIVE);
+    CASE(CKA_ENCRYPT);
+    CASE(CKA_DECRYPT);
+    CASE(CKA_WRAP);
+    CASE(CKA_UNWRAP);
+    CASE(CKA_SIGN);
+    CASE(CKA_SIGN_RECOVER);
+    CASE(CKA_VERIFY);
+    CASE(CKA_VERIFY_RECOVER);
+    CASE(CKA_DERIVE);
+    CASE(CKA_START_DATE);
+    CASE(CKA_END_DATE);
+    CASE(CKA_MODULUS);
+    CASE(CKA_MODULUS_BITS);
+    CASE(CKA_PUBLIC_EXPONENT);
+    CASE(CKA_PRIVATE_EXPONENT);
+    CASE(CKA_PRIME_1);
+    CASE(CKA_PRIME_2);
+    CASE(CKA_EXPONENT_1);
+    CASE(CKA_EXPONENT_2);
+    CASE(CKA_COEFFICIENT);
+    CASE(CKA_PRIME);
+    CASE(CKA_SUBPRIME);
+    CASE(CKA_BASE);
+    CASE(CKA_PRIME_BITS);
+    CASE(CKA_SUB_PRIME_BITS);
+    CASE(CKA_VALUE_BITS);
+    CASE(CKA_VALUE_LEN);
+    CASE(CKA_EXTRACTABLE);
+    CASE(CKA_LOCAL);
+    CASE(CKA_NEVER_EXTRACTABLE);
+    CASE(CKA_ALWAYS_SENSITIVE);
+    CASE(CKA_KEY_GEN_MECHANISM);
+    CASE(CKA_MODIFIABLE);
+    CASE(CKA_ECDSA_PARAMS);
+    CASE(CKA_EC_POINT);
+    CASE(CKA_SECONDARY_AUTH);
+    CASE(CKA_AUTH_PIN_FLAGS);
+    CASE(CKA_HW_FEATURE_TYPE);
+    CASE(CKA_RESET_ON_INIT);
+    CASE(CKA_HAS_RESET);
+    CASE(CKA_VENDOR_DEFINED);
+    CASE(CKA_NETSCAPE_URL);
+    CASE(CKA_NETSCAPE_EMAIL);
+    CASE(CKA_NETSCAPE_SMIME_INFO);
+    CASE(CKA_NETSCAPE_SMIME_TIMESTAMP);
+    CASE(CKA_NETSCAPE_PKCS8_SALT);
+    CASE(CKA_NETSCAPE_PASSWORD_CHECK);
+    CASE(CKA_NETSCAPE_EXPIRES);
+    CASE(CKA_NETSCAPE_KRL);
+    CASE(CKA_NETSCAPE_PQG_COUNTER);
+    CASE(CKA_NETSCAPE_PQG_SEED);
+    CASE(CKA_NETSCAPE_PQG_H);
+    CASE(CKA_NETSCAPE_PQG_SEED_BITS);
+    CASE(CKA_TRUST);
+    CASE(CKA_TRUST_DIGITAL_SIGNATURE);
+    CASE(CKA_TRUST_NON_REPUDIATION);
+    CASE(CKA_TRUST_KEY_ENCIPHERMENT);
+    CASE(CKA_TRUST_DATA_ENCIPHERMENT);
+    CASE(CKA_TRUST_KEY_AGREEMENT);
+    CASE(CKA_TRUST_KEY_CERT_SIGN);
+    CASE(CKA_TRUST_CRL_SIGN);
+    CASE(CKA_TRUST_SERVER_AUTH);
+    CASE(CKA_TRUST_CLIENT_AUTH);
+    CASE(CKA_TRUST_CODE_SIGNING);
+    CASE(CKA_TRUST_EMAIL_PROTECTION);
+    CASE(CKA_TRUST_IPSEC_END_SYSTEM);
+    CASE(CKA_TRUST_IPSEC_TUNNEL);
+    CASE(CKA_TRUST_IPSEC_USER);
+    CASE(CKA_TRUST_TIME_STAMPING);
+    CASE(CKA_CERT_SHA1_HASH);
+    CASE(CKA_CERT_MD5_HASH);
+    CASE(CKA_NETSCAPE_DB);
+    CASE(CKA_NETSCAPE_TRUST);
+    default: break;
+    }
+    if (a)
+	PR_snprintf(str, len, "%s", a);
+    else
+	PR_snprintf(str, len, "0x%p", atype);
+}
+
+static void get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len)
+{
+
+    const char * a = NULL;
+
+    switch (objClass) {
+    CASE(CKO_DATA);
+    CASE(CKO_CERTIFICATE);
+    CASE(CKO_PUBLIC_KEY);
+    CASE(CKO_PRIVATE_KEY);
+    CASE(CKO_SECRET_KEY);
+    CASE(CKO_HW_FEATURE);
+    CASE(CKO_DOMAIN_PARAMETERS);
+    CASE(CKO_NETSCAPE_CRL);
+    CASE(CKO_NETSCAPE_SMIME);
+    CASE(CKO_NETSCAPE_TRUST);
+    CASE(CKO_NETSCAPE_BUILTIN_ROOT_LIST);
+    default: break;
+    }
+    if (a)
+	PR_snprintf(str, len, "%s", a);
+    else
+	PR_snprintf(str, len, "0x%p", objClass);
+}
+
+static void get_trust_val(CK_TRUST trust, char *str, int len)
+{
+    const char * a = NULL;
+
+    switch (trust) {
+    CASE(CKT_NETSCAPE_TRUSTED);
+    CASE(CKT_NETSCAPE_TRUSTED_DELEGATOR);
+    CASE(CKT_NETSCAPE_UNTRUSTED);
+    CASE(CKT_NETSCAPE_MUST_VERIFY);
+    CASE(CKT_NETSCAPE_TRUST_UNKNOWN);
+    CASE(CKT_NETSCAPE_VALID);
+    CASE(CKT_NETSCAPE_VALID_DELEGATOR);
+    default: break;
+    }
+    if (a)
+	PR_snprintf(str, len, "%s", a);
+    else
+	PR_snprintf(str, len, "0x%p", trust);
+}
+
+static void log_rv(CK_RV rv)
+{
+    const char * a = NULL;
+
+    switch (rv) {
+    CASE(CKR_OK);
+    CASE(CKR_CANCEL);
+    CASE(CKR_HOST_MEMORY);
+    CASE(CKR_SLOT_ID_INVALID);
+    CASE(CKR_GENERAL_ERROR);
+    CASE(CKR_FUNCTION_FAILED);
+    CASE(CKR_ARGUMENTS_BAD);
+    CASE(CKR_NO_EVENT);
+    CASE(CKR_NEED_TO_CREATE_THREADS);
+    CASE(CKR_CANT_LOCK);
+    CASE(CKR_ATTRIBUTE_READ_ONLY);
+    CASE(CKR_ATTRIBUTE_SENSITIVE);
+    CASE(CKR_ATTRIBUTE_TYPE_INVALID);
+    CASE(CKR_ATTRIBUTE_VALUE_INVALID);
+    CASE(CKR_DATA_INVALID);
+    CASE(CKR_DATA_LEN_RANGE);
+    CASE(CKR_DEVICE_ERROR);
+    CASE(CKR_DEVICE_MEMORY);
+    CASE(CKR_DEVICE_REMOVED);
+    CASE(CKR_ENCRYPTED_DATA_INVALID);
+    CASE(CKR_ENCRYPTED_DATA_LEN_RANGE);
+    CASE(CKR_FUNCTION_CANCELED);
+    CASE(CKR_FUNCTION_NOT_PARALLEL);
+    CASE(CKR_FUNCTION_NOT_SUPPORTED);
+    CASE(CKR_KEY_HANDLE_INVALID);
+    CASE(CKR_KEY_SIZE_RANGE);
+    CASE(CKR_KEY_TYPE_INCONSISTENT);
+    CASE(CKR_KEY_NOT_NEEDED);
+    CASE(CKR_KEY_CHANGED);
+    CASE(CKR_KEY_NEEDED);
+    CASE(CKR_KEY_INDIGESTIBLE);
+    CASE(CKR_KEY_FUNCTION_NOT_PERMITTED);
+    CASE(CKR_KEY_NOT_WRAPPABLE);
+    CASE(CKR_KEY_UNEXTRACTABLE);
+    CASE(CKR_MECHANISM_INVALID);
+    CASE(CKR_MECHANISM_PARAM_INVALID);
+    CASE(CKR_OBJECT_HANDLE_INVALID);
+    CASE(CKR_OPERATION_ACTIVE);
+    CASE(CKR_OPERATION_NOT_INITIALIZED);
+    CASE(CKR_PIN_INCORRECT);
+    CASE(CKR_PIN_INVALID);
+    CASE(CKR_PIN_LEN_RANGE);
+    CASE(CKR_PIN_EXPIRED);
+    CASE(CKR_PIN_LOCKED);
+    CASE(CKR_SESSION_CLOSED);
+    CASE(CKR_SESSION_COUNT);
+    CASE(CKR_SESSION_HANDLE_INVALID);
+    CASE(CKR_SESSION_PARALLEL_NOT_SUPPORTED);
+    CASE(CKR_SESSION_READ_ONLY);
+    CASE(CKR_SESSION_EXISTS);
+    CASE(CKR_SESSION_READ_ONLY_EXISTS);
+    CASE(CKR_SESSION_READ_WRITE_SO_EXISTS);
+    CASE(CKR_SIGNATURE_INVALID);
+    CASE(CKR_SIGNATURE_LEN_RANGE);
+    CASE(CKR_TEMPLATE_INCOMPLETE);
+    CASE(CKR_TEMPLATE_INCONSISTENT);
+    CASE(CKR_TOKEN_NOT_PRESENT);
+    CASE(CKR_TOKEN_NOT_RECOGNIZED);
+    CASE(CKR_TOKEN_WRITE_PROTECTED);
+    CASE(CKR_UNWRAPPING_KEY_HANDLE_INVALID);
+    CASE(CKR_UNWRAPPING_KEY_SIZE_RANGE);
+    CASE(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT);
+    CASE(CKR_USER_ALREADY_LOGGED_IN);
+    CASE(CKR_USER_NOT_LOGGED_IN);
+    CASE(CKR_USER_PIN_NOT_INITIALIZED);
+    CASE(CKR_USER_TYPE_INVALID);
+    CASE(CKR_USER_ANOTHER_ALREADY_LOGGED_IN);
+    CASE(CKR_USER_TOO_MANY_TYPES);
+    CASE(CKR_WRAPPED_KEY_INVALID);
+    CASE(CKR_WRAPPED_KEY_LEN_RANGE);
+    CASE(CKR_WRAPPING_KEY_HANDLE_INVALID);
+    CASE(CKR_WRAPPING_KEY_SIZE_RANGE);
+    CASE(CKR_WRAPPING_KEY_TYPE_INCONSISTENT);
+    CASE(CKR_RANDOM_SEED_NOT_SUPPORTED);
+    CASE(CKR_RANDOM_NO_RNG);
+    CASE(CKR_DOMAIN_PARAMS_INVALID);
+    CASE(CKR_BUFFER_TOO_SMALL);
+    CASE(CKR_SAVED_STATE_INVALID);
+    CASE(CKR_INFORMATION_SENSITIVE);
+    CASE(CKR_STATE_UNSAVEABLE);
+    CASE(CKR_CRYPTOKI_NOT_INITIALIZED);
+    CASE(CKR_CRYPTOKI_ALREADY_INITIALIZED);
+    CASE(CKR_MUTEX_BAD);
+    CASE(CKR_MUTEX_NOT_LOCKED);
+    CASE(CKR_FUNCTION_REJECTED);
+    CASE(CKR_KEY_PARAMS_INVALID);
+    default: break;
+    }
+    if (a)
+	PR_LOG(modlog, 1, ("  rv = %s\n", a));
+    else
+	PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
+}
+
+static void log_state(CK_STATE state)
+{
+    const char * a = NULL;
+
+    switch (state) {
+    CASE(CKS_RO_PUBLIC_SESSION);
+    CASE(CKS_RO_USER_FUNCTIONS);
+    CASE(CKS_RW_PUBLIC_SESSION);
+    CASE(CKS_RW_USER_FUNCTIONS);
+    CASE(CKS_RW_SO_FUNCTIONS);
+    default: break;
+    }
+    if (a)
+	PR_LOG(modlog, 1, ("  state = %s\n", a));
+    else
+	PR_LOG(modlog, 1, ("  state = 0x%x\n", state));
+}
+
+static void log_handle(int level, const char * format, CK_ULONG handle)
+{
+    char fmtBuf[80];
+    if (handle)
+	PR_LOG(modlog, level, (format, handle));
+    else {
+	PL_strncpyz(fmtBuf, format, sizeof fmtBuf);
+	PL_strcatn(fmtBuf, sizeof fmtBuf, fmt_invalid_handle);
+	PR_LOG(modlog, level, (fmtBuf, handle));
+    }
+}
+
+static void print_mechanism(CK_MECHANISM_PTR m)
+{
+
+    const char * a = NULL;
+
+    switch (m->mechanism) {
+    CASE(CKM_AES_CBC);
+    CASE(CKM_AES_CBC_ENCRYPT_DATA);
+    CASE(CKM_AES_CBC_PAD);
+    CASE(CKM_AES_ECB);
+    CASE(CKM_AES_ECB_ENCRYPT_DATA);
+    CASE(CKM_AES_KEY_GEN);
+    CASE(CKM_AES_MAC);
+    CASE(CKM_AES_MAC_GENERAL);
+    CASE(CKM_CAMELLIA_CBC);
+    CASE(CKM_CAMELLIA_CBC_ENCRYPT_DATA);
+    CASE(CKM_CAMELLIA_CBC_PAD);
+    CASE(CKM_CAMELLIA_ECB);
+    CASE(CKM_CAMELLIA_ECB_ENCRYPT_DATA);
+    CASE(CKM_CAMELLIA_KEY_GEN);
+    CASE(CKM_CAMELLIA_MAC);
+    CASE(CKM_CAMELLIA_MAC_GENERAL);
+    CASE(CKM_CDMF_CBC);
+    CASE(CKM_CDMF_CBC_PAD);
+    CASE(CKM_CDMF_ECB);
+    CASE(CKM_CDMF_KEY_GEN);
+    CASE(CKM_CDMF_MAC);
+    CASE(CKM_CDMF_MAC_GENERAL);
+    CASE(CKM_CMS_SIG);
+    CASE(CKM_CONCATENATE_BASE_AND_DATA);
+    CASE(CKM_CONCATENATE_BASE_AND_KEY);
+    CASE(CKM_CONCATENATE_DATA_AND_BASE);
+    CASE(CKM_DES2_KEY_GEN);
+    CASE(CKM_DES3_CBC);
+    CASE(CKM_DES3_CBC_ENCRYPT_DATA);
+    CASE(CKM_DES3_CBC_PAD);
+    CASE(CKM_DES3_ECB);
+    CASE(CKM_DES3_ECB_ENCRYPT_DATA);
+    CASE(CKM_DES3_KEY_GEN);
+    CASE(CKM_DES3_MAC);
+    CASE(CKM_DES3_MAC_GENERAL);
+    CASE(CKM_DES_CBC);
+    CASE(CKM_DES_CBC_ENCRYPT_DATA);
+    CASE(CKM_DES_CBC_PAD);
+    CASE(CKM_DES_CFB64);
+    CASE(CKM_DES_CFB8);
+    CASE(CKM_DES_ECB);
+    CASE(CKM_DES_ECB_ENCRYPT_DATA);
+    CASE(CKM_DES_KEY_GEN);
+    CASE(CKM_DES_MAC);
+    CASE(CKM_DES_MAC_GENERAL);
+    CASE(CKM_DES_OFB64);
+    CASE(CKM_DES_OFB8);
+    CASE(CKM_DH_PKCS_DERIVE);
+    CASE(CKM_DH_PKCS_KEY_PAIR_GEN);
+    CASE(CKM_DH_PKCS_PARAMETER_GEN);
+    CASE(CKM_DSA);
+    CASE(CKM_DSA_KEY_PAIR_GEN);
+    CASE(CKM_DSA_PARAMETER_GEN);
+    CASE(CKM_DSA_SHA1);
+    CASE(CKM_ECDH1_COFACTOR_DERIVE);
+    CASE(CKM_ECDH1_DERIVE);
+    CASE(CKM_ECDSA);
+    CASE(CKM_ECDSA_SHA1);
+    CASE(CKM_ECMQV_DERIVE);
+    CASE(CKM_EC_KEY_PAIR_GEN);	     /* also CASE(CKM_ECDSA_KEY_PAIR_GEN); */
+    CASE(CKM_EXTRACT_KEY_FROM_KEY);
+    CASE(CKM_FASTHASH);
+    CASE(CKM_FORTEZZA_TIMESTAMP);
+    CASE(CKM_GENERIC_SECRET_KEY_GEN);
+    CASE(CKM_IDEA_CBC);
+    CASE(CKM_IDEA_CBC_PAD);
+    CASE(CKM_IDEA_ECB);
+    CASE(CKM_IDEA_KEY_GEN);
+    CASE(CKM_IDEA_MAC);
+    CASE(CKM_IDEA_MAC_GENERAL);
+    CASE(CKM_KEA_KEY_DERIVE);
+    CASE(CKM_KEA_KEY_PAIR_GEN);
+    CASE(CKM_KEY_WRAP_LYNKS);
+    CASE(CKM_KEY_WRAP_SET_OAEP);
+    CASE(CKM_MD2);
+    CASE(CKM_MD2_HMAC);
+    CASE(CKM_MD2_HMAC_GENERAL);
+    CASE(CKM_MD2_KEY_DERIVATION);
+    CASE(CKM_MD2_RSA_PKCS);
+    CASE(CKM_MD5);
+    CASE(CKM_MD5_HMAC);
+    CASE(CKM_MD5_HMAC_GENERAL);
+    CASE(CKM_MD5_KEY_DERIVATION);
+    CASE(CKM_MD5_RSA_PKCS);
+    CASE(CKM_PBA_SHA1_WITH_SHA1_HMAC);
+    CASE(CKM_PBE_MD2_DES_CBC);
+    CASE(CKM_PBE_MD5_DES_CBC);
+    CASE(CKM_PBE_SHA1_DES2_EDE_CBC);
+    CASE(CKM_PBE_SHA1_DES3_EDE_CBC);
+    CASE(CKM_PBE_SHA1_RC2_128_CBC);
+    CASE(CKM_PBE_SHA1_RC2_40_CBC);
+    CASE(CKM_PBE_SHA1_RC4_128);
+    CASE(CKM_PBE_SHA1_RC4_40);
+    CASE(CKM_PKCS5_PBKD2);
+    CASE(CKM_RC2_CBC);
+    CASE(CKM_RC2_CBC_PAD);
+    CASE(CKM_RC2_ECB);
+    CASE(CKM_RC2_KEY_GEN);
+    CASE(CKM_RC2_MAC);
+    CASE(CKM_RC2_MAC_GENERAL);
+    CASE(CKM_RC4);
+    CASE(CKM_RC4_KEY_GEN);
+    CASE(CKM_RC5_CBC);
+    CASE(CKM_RC5_CBC_PAD);
+    CASE(CKM_RC5_ECB);
+    CASE(CKM_RC5_KEY_GEN);
+    CASE(CKM_RC5_MAC);
+    CASE(CKM_RC5_MAC_GENERAL);
+    CASE(CKM_RIPEMD128);
+    CASE(CKM_RIPEMD128_HMAC);
+    CASE(CKM_RIPEMD128_HMAC_GENERAL);
+    CASE(CKM_RIPEMD128_RSA_PKCS);
+    CASE(CKM_RIPEMD160);
+    CASE(CKM_RIPEMD160_HMAC);
+    CASE(CKM_RIPEMD160_HMAC_GENERAL);
+    CASE(CKM_RIPEMD160_RSA_PKCS);
+    CASE(CKM_RSA_9796);
+    CASE(CKM_RSA_PKCS);
+    CASE(CKM_RSA_PKCS_KEY_PAIR_GEN);
+    CASE(CKM_RSA_PKCS_OAEP);
+    CASE(CKM_RSA_PKCS_PSS);
+    CASE(CKM_RSA_X9_31);
+    CASE(CKM_RSA_X9_31_KEY_PAIR_GEN);
+    CASE(CKM_RSA_X_509);
+    CASE(CKM_SHA1_KEY_DERIVATION);
+    CASE(CKM_SHA1_RSA_PKCS);
+    CASE(CKM_SHA1_RSA_PKCS_PSS);
+    CASE(CKM_SHA1_RSA_X9_31);
+    CASE(CKM_SHA224);
+    CASE(CKM_SHA224_HMAC);
+    CASE(CKM_SHA224_HMAC_GENERAL);
+    CASE(CKM_SHA224_KEY_DERIVATION);
+    CASE(CKM_SHA224_RSA_PKCS);
+    CASE(CKM_SHA224_RSA_PKCS_PSS);
+    CASE(CKM_SHA256);
+    CASE(CKM_SHA256_HMAC);
+    CASE(CKM_SHA256_HMAC_GENERAL);
+    CASE(CKM_SHA256_KEY_DERIVATION);
+    CASE(CKM_SHA256_RSA_PKCS);
+    CASE(CKM_SHA256_RSA_PKCS_PSS);
+    CASE(CKM_SHA384);
+    CASE(CKM_SHA384_HMAC);
+    CASE(CKM_SHA384_HMAC_GENERAL);
+    CASE(CKM_SHA384_KEY_DERIVATION);
+    CASE(CKM_SHA384_RSA_PKCS);
+    CASE(CKM_SHA384_RSA_PKCS_PSS);
+    CASE(CKM_SHA512);
+    CASE(CKM_SHA512_HMAC);
+    CASE(CKM_SHA512_HMAC_GENERAL);
+    CASE(CKM_SHA512_KEY_DERIVATION);
+    CASE(CKM_SHA512_RSA_PKCS);
+    CASE(CKM_SHA512_RSA_PKCS_PSS);
+    CASE(CKM_SHA_1);
+    CASE(CKM_SHA_1_HMAC);
+    CASE(CKM_SHA_1_HMAC_GENERAL);
+    CASE(CKM_SKIPJACK_CBC64);
+    CASE(CKM_SKIPJACK_CFB16);
+    CASE(CKM_SKIPJACK_CFB32);
+    CASE(CKM_SKIPJACK_CFB64);
+    CASE(CKM_SKIPJACK_CFB8);
+    CASE(CKM_SKIPJACK_ECB64);
+    CASE(CKM_SKIPJACK_KEY_GEN);
+    CASE(CKM_SKIPJACK_OFB64);
+    CASE(CKM_SKIPJACK_PRIVATE_WRAP);
+    CASE(CKM_SKIPJACK_RELAYX);
+    CASE(CKM_SKIPJACK_WRAP);
+    CASE(CKM_SSL3_KEY_AND_MAC_DERIVE);
+    CASE(CKM_SSL3_MASTER_KEY_DERIVE);
+    CASE(CKM_SSL3_MASTER_KEY_DERIVE_DH);
+    CASE(CKM_SSL3_MD5_MAC);
+    CASE(CKM_SSL3_PRE_MASTER_KEY_GEN);
+    CASE(CKM_SSL3_SHA1_MAC);
+    CASE(CKM_TLS_KEY_AND_MAC_DERIVE);
+    CASE(CKM_TLS_MASTER_KEY_DERIVE);
+    CASE(CKM_TLS_MASTER_KEY_DERIVE_DH);
+    CASE(CKM_TLS_PRE_MASTER_KEY_GEN);
+    CASE(CKM_TLS_PRF);
+    CASE(CKM_TWOFISH_CBC);
+    CASE(CKM_TWOFISH_KEY_GEN);
+    CASE(CKM_X9_42_DH_DERIVE);
+    CASE(CKM_X9_42_DH_HYBRID_DERIVE);
+    CASE(CKM_X9_42_DH_KEY_PAIR_GEN);
+    CASE(CKM_X9_42_DH_PARAMETER_GEN);
+    CASE(CKM_X9_42_MQV_DERIVE);
+    CASE(CKM_XOR_BASE_AND_DATA);
+    default: break;
+    }
+    if (a)
+	PR_LOG(modlog, 4, ("      mechanism = %s", a));
+    else
+	PR_LOG(modlog, 4, ("      mechanism = 0x%p", m->mechanism));
+}
+
+static void get_key_type(CK_KEY_TYPE keyType, char *str, int len)
+{
+
+    const char * a = NULL;
+
+    switch (keyType) {
+    CASE(CKK_AES);
+    CASE(CKK_CAMELLIA);
+    CASE(CKK_CDMF);
+    CASE(CKK_DES);
+    CASE(CKK_DES2);
+    CASE(CKK_DES3);
+    CASE(CKK_DH);
+    CASE(CKK_DSA);
+    CASE(CKK_EC);		/* also CASE(CKK_ECDSA); */
+    CASE(CKK_GENERIC_SECRET);
+    CASE(CKK_IDEA);
+    CASE(CKK_INVALID_KEY_TYPE);
+    CASE(CKK_KEA);
+    CASE(CKK_RC2);
+    CASE(CKK_RC4);
+    CASE(CKK_RC5);
+    CASE(CKK_RSA);
+    CASE(CKK_SKIPJACK);
+    CASE(CKK_TWOFISH);
+    CASE(CKK_X9_42_DH);
+    default: break;
+    }
+    if (a)
+	PR_snprintf(str, len, "%s", a);
+    else
+	PR_snprintf(str, len, "0x%p", keyType);
+}
+
+static void print_attr_value(CK_ATTRIBUTE_PTR attr)
+{
+    char atype[48];
+    char valstr[49];
+    int len;
+
+    get_attr_type_str(attr->type, atype, sizeof atype);
+    switch (attr->type) {
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_DECRYPT:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_EXTRACTABLE:
+    case CKA_LOCAL:
+    case CKA_MODIFIABLE:
+    case CKA_NEVER_EXTRACTABLE:
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_SIGN:
+    case CKA_SIGN_RECOVER:
+    case CKA_TOKEN:
+    case CKA_UNWRAP:
+    case CKA_VERIFY:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    CK_BBOOL tf = *((CK_BBOOL *)attr->pValue);
+	    PR_LOG(modlog, 4, (fmt_s_s_d, 
+	           atype, tf ? "CK_TRUE" : "CK_FALSE", attr->ulValueLen));
+	    break;
+	}
+    case CKA_CLASS:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    CK_OBJECT_CLASS objClass = *((CK_OBJECT_CLASS *)attr->pValue);
+	    get_obj_class(objClass, valstr, sizeof valstr);
+	    PR_LOG(modlog, 4, (fmt_s_s_d, 
+	           atype, valstr, attr->ulValueLen));
+	    break;
+	}
+    case CKA_TRUST_CLIENT_AUTH:
+    case CKA_TRUST_CODE_SIGNING:
+    case CKA_TRUST_EMAIL_PROTECTION:
+    case CKA_TRUST_SERVER_AUTH:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    CK_TRUST trust = *((CK_TRUST *)attr->pValue);
+	    get_trust_val(trust, valstr, sizeof valstr);
+	    PR_LOG(modlog, 4, (fmt_s_s_d, 
+	           atype, valstr, attr->ulValueLen));
+	    break;
+	}
+    case CKA_KEY_TYPE:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    CK_KEY_TYPE keyType = *((CK_KEY_TYPE *)attr->pValue);
+	    get_obj_class(keyType, valstr, sizeof valstr);
+	    PR_LOG(modlog, 4, (fmt_s_s_d, 
+	           atype, valstr, attr->ulValueLen));
+	    break;
+	}
+    case CKA_LABEL:
+    case CKA_NETSCAPE_EMAIL:
+    case CKA_NETSCAPE_URL:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    len = PR_MIN(attr->ulValueLen + 1, sizeof valstr);
+	    PR_snprintf(valstr, len, "%s", attr->pValue);
+	    PR_LOG(modlog, 4, (fmt_s_qsq_d, 
+	           atype, valstr, attr->ulValueLen));
+	    break;
+	}
+    case CKA_ISSUER:
+    case CKA_SUBJECT:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    char * asciiName;
+	    SECItem derName;
+	    derName.type = siDERNameBuffer;
+	    derName.data = attr->pValue;
+	    derName.len  = attr->ulValueLen;
+	    asciiName = CERT_DerNameToAscii(&derName);
+	    if (asciiName) {
+		PR_LOG(modlog, 4, (fmt_s_s_d, 
+		       atype, asciiName, attr->ulValueLen));
+	    	PORT_Free(asciiName);
+		break;
+	    }
+	    /* else fall through and treat like a binary buffer */
+	}
+    case CKA_ID:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    unsigned char * pV = attr->pValue;
+	    for (len = (int)attr->ulValueLen; len > 0; --len) {
+		unsigned int ch = *pV++;
+		if (ch >= 0x20 && ch < 0x7f) 
+		    continue;
+		if (!ch && len == 1)  /* will ignore NUL if last character */
+		    continue;
+		break;
+	    }
+	    if (!len) {	/* entire string is printable */
+		len = PR_MIN(attr->ulValueLen + 1, sizeof valstr);
+		PR_snprintf(valstr, len, "%s", attr->pValue);
+		PR_LOG(modlog, 4, (fmt_s_qsq_d, 
+		       atype, valstr, attr->ulValueLen));
+		break;
+	    }
+	    /* else fall through and treat like a binary buffer */
+	}
+    case CKA_SERIAL_NUMBER:
+    default:
+	if (attr->ulValueLen > 0 && attr->pValue) {
+	    char * hexBuf;
+	    SECItem attrBuf;
+	    attrBuf.type = siDERNameBuffer;
+	    attrBuf.data = attr->pValue;
+	    attrBuf.len  = PR_MIN(attr->ulValueLen, (sizeof valstr)/2);
+
+	    hexBuf = CERT_Hexify(&attrBuf, PR_FALSE);
+	    if (hexBuf) {
+		PR_LOG(modlog, 4, (fmt_s_s_d, 
+		       atype, hexBuf, attr->ulValueLen));
+	    	PORT_Free(hexBuf);
+		break;
+	    }
+	    /* else fall through and show only the address. :( */
+	}
+	PR_LOG(modlog, 4, ("    %s = [0x%p] [%d]", 
+	       atype, attr->pValue, attr->ulValueLen));
+	break;
+    }
+}
+
+static void print_template(CK_ATTRIBUTE_PTR templ, CK_ULONG tlen)
+{
+    CK_ULONG i;
+    for (i=0; i<tlen; i++) {
+	print_attr_value(&templ[i]);
+    }
+}
+
+struct nssdbg_prof_str {
+    PRUint32 time;
+    PRUint32 calls;
+    char *function;
+};
+
+#define NSSDBG_DEFINE(func) { 0, 0, #func }
+
+struct nssdbg_prof_str nssdbg_prof_data[] = {
+#define FUNC_C_INITIALIZE 0
+    NSSDBG_DEFINE(C_Initialize),
+#define FUNC_C_FINALIZE 1
+    NSSDBG_DEFINE(C_Finalize),
+#define FUNC_C_GETINFO 2
+    NSSDBG_DEFINE(C_GetInfo),
+#define FUNC_C_GETFUNCITONLIST 3
+    NSSDBG_DEFINE(C_GetFunctionList),
+#define FUNC_C_GETSLOTLIST 4
+    NSSDBG_DEFINE(C_GetSlotList),
+#define FUNC_C_GETSLOTINFO 5
+    NSSDBG_DEFINE(C_GetSlotInfo),
+#define FUNC_C_GETTOKENINFO 6
+    NSSDBG_DEFINE(C_GetTokenInfo),
+#define FUNC_C_GETMECHANISMLIST 7
+    NSSDBG_DEFINE(C_GetMechanismList),
+#define FUNC_C_GETMECHANISMINFO 8
+    NSSDBG_DEFINE(C_GetMechanismInfo),
+#define FUNC_C_INITTOKEN 9
+    NSSDBG_DEFINE(C_InitToken),
+#define FUNC_C_INITPIN 10
+    NSSDBG_DEFINE(C_InitPIN),
+#define FUNC_C_SETPIN 11
+    NSSDBG_DEFINE(C_SetPIN),
+#define FUNC_C_OPENSESSION 12
+    NSSDBG_DEFINE(C_OpenSession),
+#define FUNC_C_CLOSESESSION 13
+    NSSDBG_DEFINE(C_CloseSession),
+#define FUNC_C_CLOSEALLSESSIONS 14
+    NSSDBG_DEFINE(C_CloseAllSessions),
+#define FUNC_C_GETSESSIONINFO 15
+    NSSDBG_DEFINE(C_GetSessionInfo),
+#define FUNC_C_GETOPERATIONSTATE 16
+    NSSDBG_DEFINE(C_GetOperationState),
+#define FUNC_C_SETOPERATIONSTATE 17
+    NSSDBG_DEFINE(C_SetOperationState),
+#define FUNC_C_LOGIN 18
+    NSSDBG_DEFINE(C_Login),
+#define FUNC_C_LOGOUT 19
+    NSSDBG_DEFINE(C_Logout),
+#define FUNC_C_CREATEOBJECT 20
+    NSSDBG_DEFINE(C_CreateObject),
+#define FUNC_C_COPYOBJECT 21
+    NSSDBG_DEFINE(C_CopyObject),
+#define FUNC_C_DESTROYOBJECT 22
+    NSSDBG_DEFINE(C_DestroyObject),
+#define FUNC_C_GETOBJECTSIZE  23
+    NSSDBG_DEFINE(C_GetObjectSize),
+#define FUNC_C_GETATTRIBUTEVALUE 24
+    NSSDBG_DEFINE(C_GetAttributeValue),
+#define FUNC_C_SETATTRIBUTEVALUE 25
+    NSSDBG_DEFINE(C_SetAttributeValue),
+#define FUNC_C_FINDOBJECTSINIT 26
+    NSSDBG_DEFINE(C_FindObjectsInit),
+#define FUNC_C_FINDOBJECTS 27
+    NSSDBG_DEFINE(C_FindObjects),
+#define FUNC_C_FINDOBJECTSFINAL 28
+    NSSDBG_DEFINE(C_FindObjectsFinal),
+#define FUNC_C_ENCRYPTINIT 29
+    NSSDBG_DEFINE(C_EncryptInit),
+#define FUNC_C_ENCRYPT 30
+    NSSDBG_DEFINE(C_Encrypt),
+#define FUNC_C_ENCRYPTUPDATE 31
+    NSSDBG_DEFINE(C_EncryptUpdate),
+#define FUNC_C_ENCRYPTFINAL 32
+    NSSDBG_DEFINE(C_EncryptFinal),
+#define FUNC_C_DECRYPTINIT 33
+    NSSDBG_DEFINE(C_DecryptInit),
+#define FUNC_C_DECRYPT 34
+    NSSDBG_DEFINE(C_Decrypt),
+#define FUNC_C_DECRYPTUPDATE 35
+    NSSDBG_DEFINE(C_DecryptUpdate),
+#define FUNC_C_DECRYPTFINAL 36
+    NSSDBG_DEFINE(C_DecryptFinal),
+#define FUNC_C_DIGESTINIT 37
+    NSSDBG_DEFINE(C_DigestInit),
+#define FUNC_C_DIGEST 38
+    NSSDBG_DEFINE(C_Digest),
+#define FUNC_C_DIGESTUPDATE 39
+    NSSDBG_DEFINE(C_DigestUpdate),
+#define FUNC_C_DIGESTKEY 40
+    NSSDBG_DEFINE(C_DigestKey),
+#define FUNC_C_DIGESTFINAL 41
+    NSSDBG_DEFINE(C_DigestFinal),
+#define FUNC_C_SIGNINIT 42
+    NSSDBG_DEFINE(C_SignInit),
+#define FUNC_C_SIGN 43
+    NSSDBG_DEFINE(C_Sign),
+#define FUNC_C_SIGNUPDATE 44
+    NSSDBG_DEFINE(C_SignUpdate),
+#define FUNC_C_SIGNFINAL 45
+    NSSDBG_DEFINE(C_SignFinal),
+#define FUNC_C_SIGNRECOVERINIT 46
+    NSSDBG_DEFINE(C_SignRecoverInit),
+#define FUNC_C_SIGNRECOVER 47
+    NSSDBG_DEFINE(C_SignRecover),
+#define FUNC_C_VERIFYINIT 48
+    NSSDBG_DEFINE(C_VerifyInit),
+#define FUNC_C_VERIFY 49
+    NSSDBG_DEFINE(C_Verify),
+#define FUNC_C_VERIFYUPDATE 50
+    NSSDBG_DEFINE(C_VerifyUpdate),
+#define FUNC_C_VERIFYFINAL 51
+    NSSDBG_DEFINE(C_VerifyFinal),
+#define FUNC_C_VERIFYRECOVERINIT 52
+    NSSDBG_DEFINE(C_VerifyRecoverInit),
+#define FUNC_C_VERIFYRECOVER 53
+    NSSDBG_DEFINE(C_VerifyRecover),
+#define FUNC_C_DIGESTENCRYPTUPDATE 54
+    NSSDBG_DEFINE(C_DigestEncryptUpdate),
+#define FUNC_C_DECRYPTDIGESTUPDATE 55
+    NSSDBG_DEFINE(C_DecryptDigestUpdate),
+#define FUNC_C_SIGNENCRYPTUPDATE 56
+    NSSDBG_DEFINE(C_SignEncryptUpdate),
+#define FUNC_C_DECRYPTVERIFYUPDATE 57
+    NSSDBG_DEFINE(C_DecryptVerifyUpdate),
+#define FUNC_C_GENERATEKEY 58
+    NSSDBG_DEFINE(C_GenerateKey),
+#define FUNC_C_GENERATEKEYPAIR 59
+    NSSDBG_DEFINE(C_GenerateKeyPair),
+#define FUNC_C_WRAPKEY 60
+    NSSDBG_DEFINE(C_WrapKey),
+#define FUNC_C_UNWRAPKEY 61
+    NSSDBG_DEFINE(C_UnWrapKey),
+#define FUNC_C_DERIVEKEY 62 
+    NSSDBG_DEFINE(C_DeriveKey),
+#define FUNC_C_SEEDRANDOM 63
+    NSSDBG_DEFINE(C_SeedRandom),
+#define FUNC_C_GENERATERANDOM 64
+    NSSDBG_DEFINE(C_GenerateRandom),
+#define FUNC_C_GETFUNCTIONSTATUS 65
+    NSSDBG_DEFINE(C_GetFunctionStatus),
+#define FUNC_C_CANCELFUNCTION 66
+    NSSDBG_DEFINE(C_CancelFunction),
+#define FUNC_C_WAITFORSLOTEVENT 67
+    NSSDBG_DEFINE(C_WaitForSlotEvent)
+};
+
+int nssdbg_prof_size = sizeof(nssdbg_prof_data)/sizeof(nssdbg_prof_data[0]);
+    
+
+static void nssdbg_finish_time(PRInt32 fun_number, PRIntervalTime start)
+{
+    PRIntervalTime ival;
+    PRIntervalTime end = PR_IntervalNow();
+
+    ival = end-start;
+    /* sigh, lie to PRAtomic add and say we are using signed values */
+    PR_AtomicAdd((PRInt32 *)&nssdbg_prof_data[fun_number].time, (PRInt32)ival);
+}
+
+static void nssdbg_start_time(PRInt32 fun_number, PRIntervalTime *start)
+{
+    PR_AtomicIncrement((PRInt32 *)&nssdbg_prof_data[fun_number].calls);
+    *start = PR_IntervalNow();
+}
+
+#define COMMON_DEFINITIONS \
+    CK_RV rv; \
+    PRIntervalTime start
+
+CK_RV NSSDBGC_Initialize(
+  CK_VOID_PTR pInitArgs
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Initialize"));
+    PR_LOG(modlog, 3, ("  pInitArgs = 0x%p", pInitArgs));
+    nssdbg_start_time(FUNC_C_INITIALIZE,&start);
+    rv = module_functions->C_Initialize(pInitArgs);
+    nssdbg_finish_time(FUNC_C_INITIALIZE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Finalize(
+  CK_VOID_PTR pReserved
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Finalize"));
+    PR_LOG(modlog, 3, ("  pReserved = 0x%p", pReserved));
+    nssdbg_start_time(FUNC_C_FINALIZE,&start);
+    rv = module_functions->C_Finalize(pReserved);
+    nssdbg_finish_time(FUNC_C_FINALIZE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetInfo(
+  CK_INFO_PTR pInfo
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetInfo"));
+    PR_LOG(modlog, 3, (fmt_pInfo, pInfo));
+    nssdbg_start_time(FUNC_C_GETINFO,&start);
+    rv = module_functions->C_GetInfo(pInfo);
+    nssdbg_finish_time(FUNC_C_GETINFO,start);
+    if (rv == CKR_OK) {
+	PR_LOG(modlog, 4, ("  cryptoki version: %d.%d", 
+			   pInfo->cryptokiVersion.major,
+			   pInfo->cryptokiVersion.minor));
+	PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID));
+	PR_LOG(modlog, 4, ("  library description = \"%.32s\"", 
+	                   pInfo->libraryDescription));
+	PR_LOG(modlog, 4, ("  library version: %d.%d", 
+			   pInfo->libraryVersion.major,
+			   pInfo->libraryVersion.minor));
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetFunctionList(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetFunctionList"));
+    PR_LOG(modlog, 3, ("  ppFunctionList = 0x%p", ppFunctionList));
+    nssdbg_start_time(FUNC_C_GETFUNCITONLIST,&start);
+    rv = module_functions->C_GetFunctionList(ppFunctionList);
+    nssdbg_finish_time(FUNC_C_GETFUNCITONLIST,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetSlotList(
+  CK_BBOOL       tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR   pulCount
+)
+{
+    COMMON_DEFINITIONS;
+
+    CK_ULONG i;
+    PR_LOG(modlog, 1, ("C_GetSlotList"));
+    PR_LOG(modlog, 3, ("  tokenPresent = 0x%x", tokenPresent));
+    PR_LOG(modlog, 3, ("  pSlotList = 0x%p", pSlotList));
+    PR_LOG(modlog, 3, (fmt_pulCount, pulCount));
+    nssdbg_start_time(FUNC_C_GETSLOTLIST,&start);
+    rv = module_functions->C_GetSlotList(tokenPresent, pSlotList, pulCount);
+    nssdbg_finish_time(FUNC_C_GETSLOTLIST,start);
+    PR_LOG(modlog, 4, (fmt_spulCount, *pulCount));
+    if (pSlotList) {
+	for (i=0; i<*pulCount; i++) {
+	    PR_LOG(modlog, 4, ("  slotID[%d] = %x", i, pSlotList[i]));
+	}
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetSlotInfo(
+  CK_SLOT_ID       slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetSlotInfo"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, (fmt_pInfo, pInfo));
+    nssdbg_start_time(FUNC_C_GETSLOTINFO,&start);
+    rv = module_functions->C_GetSlotInfo(slotID, pInfo);
+    nssdbg_finish_time(FUNC_C_GETSLOTINFO,start);
+    if (rv == CKR_OK) {
+	PR_LOG(modlog, 4, ("  slotDescription = \"%.64s\"", 
+	                   pInfo->slotDescription));
+	PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID));
+	PR_LOG(modlog, 4, ("  flags = %s %s %s",
+	    pInfo->flags & CKF_HW_SLOT          ? "CKF_HW_SLOT" : "",
+	    pInfo->flags & CKF_REMOVABLE_DEVICE ? "CKF_REMOVABLE_DEVICE" : "",
+	    pInfo->flags & CKF_TOKEN_PRESENT    ? "CKF_TOKEN_PRESENT" : ""));
+	PR_LOG(modlog, 4, (fmt_hwVersion, 
+			    pInfo->hardwareVersion.major,
+			    pInfo->hardwareVersion.minor));
+	PR_LOG(modlog, 4, (fmt_fwVersion, 
+			    pInfo->firmwareVersion.major,
+			    pInfo->firmwareVersion.minor));
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetTokenInfo(
+  CK_SLOT_ID        slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetTokenInfo"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, (fmt_pInfo, pInfo));
+    nssdbg_start_time(FUNC_C_GETTOKENINFO,&start);
+    rv = module_functions->C_GetTokenInfo(slotID, pInfo);
+    nssdbg_finish_time(FUNC_C_GETTOKENINFO,start);
+    if (rv == CKR_OK) {
+    	PR_LOG(modlog, 4, ("  label = \"%.32s\"", pInfo->label));
+	PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID));
+    	PR_LOG(modlog, 4, ("  model = \"%.16s\"", pInfo->model));
+    	PR_LOG(modlog, 4, ("  serial = \"%.16s\"", pInfo->serialNumber));
+	PR_LOG(modlog, 4, ("  flags = %s %s %s %s",
+	    pInfo->flags & CKF_RNG             ? "CKF_RNG" : "",
+	    pInfo->flags & CKF_WRITE_PROTECTED ? "CKF_WRITE_PROTECTED" : "",
+	    pInfo->flags & CKF_LOGIN_REQUIRED  ? "CKF_LOGIN_REQUIRED" : "",
+	    pInfo->flags & CKF_USER_PIN_INITIALIZED ? "CKF_USER_PIN_INIT" : ""));
+	PR_LOG(modlog, 4, ("  maxSessions = %u, Sessions = %u", 
+	                   pInfo->ulMaxSessionCount, pInfo->ulSessionCount));
+	PR_LOG(modlog, 4, ("  maxRwSessions = %u, RwSessions = %u", 
+	                   pInfo->ulMaxRwSessionCount, 
+			   pInfo->ulRwSessionCount));
+	/* ignore Max & Min Pin Len, Public and Private Memory */
+	PR_LOG(modlog, 4, (fmt_hwVersion, 
+			    pInfo->hardwareVersion.major,
+			    pInfo->hardwareVersion.minor));
+	PR_LOG(modlog, 4, (fmt_fwVersion, 
+			    pInfo->firmwareVersion.major,
+			    pInfo->firmwareVersion.minor));
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetMechanismList(
+  CK_SLOT_ID            slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR          pulCount
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetMechanismList"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, ("  pMechanismList = 0x%p", pMechanismList));
+    PR_LOG(modlog, 3, (fmt_pulCount, pulCount));
+    nssdbg_start_time(FUNC_C_GETMECHANISMLIST,&start);
+    rv = module_functions->C_GetMechanismList(slotID,
+                                 pMechanismList,
+                                 pulCount);
+    nssdbg_finish_time(FUNC_C_GETMECHANISMLIST,start);
+    PR_LOG(modlog, 4, (fmt_spulCount, *pulCount));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetMechanismInfo(
+  CK_SLOT_ID            slotID,
+  CK_MECHANISM_TYPE     type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetMechanismInfo"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, ("  type = 0x%x", type));
+    PR_LOG(modlog, 3, (fmt_pInfo, pInfo));
+    nssdbg_start_time(FUNC_C_GETMECHANISMINFO,&start);
+    rv = module_functions->C_GetMechanismInfo(slotID,
+                                 type,
+                                 pInfo);
+    nssdbg_finish_time(FUNC_C_GETMECHANISMINFO,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_InitToken(
+  CK_SLOT_ID  slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG    ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_InitToken"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, (fmt_pPin, pPin));
+    PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen));
+    PR_LOG(modlog, 3, ("  pLabel = 0x%p", pLabel));
+    nssdbg_start_time(FUNC_C_INITTOKEN,&start);
+    rv = module_functions->C_InitToken(slotID,
+                                 pPin,
+                                 ulPinLen,
+                                 pLabel);
+    nssdbg_finish_time(FUNC_C_INITTOKEN,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_InitPIN(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR       pPin,
+  CK_ULONG          ulPinLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_InitPIN"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPin, pPin));
+    PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen));
+    nssdbg_start_time(FUNC_C_INITPIN,&start);
+    rv = module_functions->C_InitPIN(hSession,
+                                 pPin,
+                                 ulPinLen);
+    nssdbg_finish_time(FUNC_C_INITPIN,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SetPIN(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR       pOldPin,
+  CK_ULONG          ulOldLen,
+  CK_CHAR_PTR       pNewPin,
+  CK_ULONG          ulNewLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SetPIN"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  pOldPin = 0x%p", pOldPin));
+    PR_LOG(modlog, 3, ("  ulOldLen = %d", ulOldLen));
+    PR_LOG(modlog, 3, ("  pNewPin = 0x%p", pNewPin));
+    PR_LOG(modlog, 3, ("  ulNewLen = %d", ulNewLen));
+    nssdbg_start_time(FUNC_C_SETPIN,&start);
+    rv = module_functions->C_SetPIN(hSession,
+                                 pOldPin,
+                                 ulOldLen,
+                                 pNewPin,
+                                 ulNewLen);
+    nssdbg_finish_time(FUNC_C_SETPIN,start);
+    log_rv(rv);
+    return rv;
+}
+
+static PRUint32 numOpenSessions = 0;
+static PRUint32 maxOpenSessions = 0;
+
+CK_RV NSSDBGC_OpenSession(
+  CK_SLOT_ID            slotID,
+  CK_FLAGS              flags,
+  CK_VOID_PTR           pApplication,
+  CK_NOTIFY             Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_AtomicIncrement((PRInt32 *)&numOpenSessions);
+    maxOpenSessions = PR_MAX(numOpenSessions, maxOpenSessions);
+    PR_LOG(modlog, 1, ("C_OpenSession"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    PR_LOG(modlog, 3, (fmt_flags, flags));
+    PR_LOG(modlog, 3, ("  pApplication = 0x%p", pApplication));
+    PR_LOG(modlog, 3, ("  Notify = 0x%x", Notify));
+    PR_LOG(modlog, 3, ("  phSession = 0x%p", phSession));
+    nssdbg_start_time(FUNC_C_OPENSESSION,&start);
+    rv = module_functions->C_OpenSession(slotID,
+                                 flags,
+                                 pApplication,
+                                 Notify,
+                                 phSession);
+    nssdbg_finish_time(FUNC_C_OPENSESSION,start);
+    log_handle(4, "  *phSession = 0x%x", *phSession);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_CloseSession(
+  CK_SESSION_HANDLE hSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_AtomicDecrement((PRInt32 *)&numOpenSessions);
+    PR_LOG(modlog, 1, ("C_CloseSession"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_CLOSESESSION,&start);
+    rv = module_functions->C_CloseSession(hSession);
+    nssdbg_finish_time(FUNC_C_CLOSESESSION,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_CloseAllSessions(
+  CK_SLOT_ID slotID
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_CloseAllSessions"));
+    PR_LOG(modlog, 3, (fmt_slotID, slotID));
+    nssdbg_start_time(FUNC_C_CLOSEALLSESSIONS,&start);
+    rv = module_functions->C_CloseAllSessions(slotID);
+    nssdbg_finish_time(FUNC_C_CLOSEALLSESSIONS,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetSessionInfo(
+  CK_SESSION_HANDLE   hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetSessionInfo"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pInfo, pInfo));
+    nssdbg_start_time(FUNC_C_GETSESSIONINFO,&start);
+    rv = module_functions->C_GetSessionInfo(hSession,
+                                 pInfo);
+    nssdbg_finish_time(FUNC_C_GETSESSIONINFO,start);
+    if (rv == CKR_OK) {
+	PR_LOG(modlog, 4, (fmt_slotID, pInfo->slotID));
+	log_state(pInfo->state);
+	PR_LOG(modlog, 4, ("  flags = %s %s",
+	    pInfo->flags & CKF_RW_SESSION     ? "CKF_RW_SESSION" : "",
+	    pInfo->flags & CKF_SERIAL_SESSION ? "CKF_SERIAL_SESSION" : ""));
+	PR_LOG(modlog, 4, ("  deviceError = 0x%x", pInfo->ulDeviceError));
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetOperationState(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pOperationState,
+  CK_ULONG_PTR      pulOperationStateLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetOperationState"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pOperationState, pOperationState));
+    PR_LOG(modlog, 3, ("  pulOperationStateLen = 0x%p", pulOperationStateLen));
+    nssdbg_start_time(FUNC_C_GETOPERATIONSTATE,&start);
+    rv = module_functions->C_GetOperationState(hSession,
+                                 pOperationState,
+                                 pulOperationStateLen);
+    nssdbg_finish_time(FUNC_C_GETOPERATIONSTATE,start);
+    PR_LOG(modlog, 4, ("  *pulOperationStateLen = 0x%x", *pulOperationStateLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SetOperationState(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR      pOperationState,
+  CK_ULONG         ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SetOperationState"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pOperationState, pOperationState));
+    PR_LOG(modlog, 3, ("  ulOperationStateLen = %d", ulOperationStateLen));
+    log_handle(3, "  hEncryptionKey = 0x%x", hEncryptionKey);
+    log_handle(3, "  hAuthenticationKey = 0x%x", hAuthenticationKey);
+    nssdbg_start_time(FUNC_C_SETOPERATIONSTATE,&start);
+    rv = module_functions->C_SetOperationState(hSession,
+                                 pOperationState,
+                                 ulOperationStateLen,
+                                 hEncryptionKey,
+                                 hAuthenticationKey);
+    nssdbg_finish_time(FUNC_C_SETOPERATIONSTATE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Login(
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE      userType,
+  CK_CHAR_PTR       pPin,
+  CK_ULONG          ulPinLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Login"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  userType = 0x%x", userType));
+    PR_LOG(modlog, 3, (fmt_pPin, pPin));
+    PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen));
+    nssdbg_start_time(FUNC_C_LOGIN,&start);
+    rv = module_functions->C_Login(hSession,
+                                 userType,
+                                 pPin,
+                                 ulPinLen);
+    nssdbg_finish_time(FUNC_C_LOGIN,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Logout(
+  CK_SESSION_HANDLE hSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Logout"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_LOGOUT,&start);
+    rv = module_functions->C_Logout(hSession);
+    nssdbg_finish_time(FUNC_C_LOGOUT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_CreateObject(
+  CK_SESSION_HANDLE    hSession,
+  CK_ATTRIBUTE_PTR     pTemplate,
+  CK_ULONG             ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_CreateObject"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    PR_LOG(modlog, 3, (fmt_phObject, phObject));
+    print_template(pTemplate, ulCount);
+    nssdbg_start_time(FUNC_C_CREATEOBJECT,&start);
+    rv = module_functions->C_CreateObject(hSession,
+                                 pTemplate,
+                                 ulCount,
+                                 phObject);
+    nssdbg_finish_time(FUNC_C_CREATEOBJECT,start);
+    log_handle(4, "  *phObject = 0x%x", *phObject);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_CopyObject(
+  CK_SESSION_HANDLE    hSession,
+  CK_OBJECT_HANDLE     hObject,
+  CK_ATTRIBUTE_PTR     pTemplate,
+  CK_ULONG             ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_CopyObject"));
+    log_handle(3, fmt_hSession, hSession);
+    log_handle(3, fmt_hObject, hObject);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    PR_LOG(modlog, 3, ("  phNewObject = 0x%p", phNewObject));
+    print_template(pTemplate, ulCount);
+    nssdbg_start_time(FUNC_C_COPYOBJECT,&start);
+    rv = module_functions->C_CopyObject(hSession,
+                                 hObject,
+                                 pTemplate,
+                                 ulCount,
+                                 phNewObject);
+    nssdbg_finish_time(FUNC_C_COPYOBJECT,start);
+    log_handle(4, "  *phNewObject = 0x%x", *phNewObject);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DestroyObject(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE  hObject
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DestroyObject"));
+    log_handle(3, fmt_hSession, hSession);
+    log_handle(3, fmt_hObject, hObject);
+    nssdbg_start_time(FUNC_C_DESTROYOBJECT,&start);
+    rv = module_functions->C_DestroyObject(hSession,
+                                 hObject);
+    nssdbg_finish_time(FUNC_C_DESTROYOBJECT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetObjectSize(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE  hObject,
+  CK_ULONG_PTR      pulSize
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetObjectSize"));
+    log_handle(3, fmt_hSession, hSession);
+    log_handle(3, fmt_hObject, hObject);
+    PR_LOG(modlog, 3, ("  pulSize = 0x%p", pulSize));
+    nssdbg_start_time(FUNC_C_GETOBJECTSIZE,&start);
+    rv = module_functions->C_GetObjectSize(hSession,
+                                 hObject,
+                                 pulSize);
+    nssdbg_finish_time(FUNC_C_GETOBJECTSIZE,start);
+    PR_LOG(modlog, 4, ("  *pulSize = 0x%x", *pulSize));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetAttributeValue(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE  hObject,
+  CK_ATTRIBUTE_PTR  pTemplate,
+  CK_ULONG          ulCount
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetAttributeValue"));
+    log_handle(3, fmt_hSession, hSession);
+    log_handle(3, fmt_hObject, hObject);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    nssdbg_start_time(FUNC_C_GETATTRIBUTEVALUE,&start);
+    rv = module_functions->C_GetAttributeValue(hSession,
+                                 hObject,
+                                 pTemplate,
+                                 ulCount);
+    nssdbg_finish_time(FUNC_C_GETATTRIBUTEVALUE,start);
+    print_template(pTemplate, ulCount);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SetAttributeValue(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE  hObject,
+  CK_ATTRIBUTE_PTR  pTemplate,
+  CK_ULONG          ulCount
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SetAttributeValue"));
+    log_handle(3, fmt_hSession, hSession);
+    log_handle(3, fmt_hObject, hObject);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    print_template(pTemplate, ulCount);
+    nssdbg_start_time(FUNC_C_SETATTRIBUTEVALUE,&start);
+    rv = module_functions->C_SetAttributeValue(hSession,
+                                 hObject,
+                                 pTemplate,
+                                 ulCount);
+    nssdbg_finish_time(FUNC_C_SETATTRIBUTEVALUE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_FindObjectsInit(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR  pTemplate,
+  CK_ULONG          ulCount
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_FindObjectsInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    print_template(pTemplate, ulCount);
+    nssdbg_start_time(FUNC_C_FINDOBJECTSINIT,&start);
+    rv = module_functions->C_FindObjectsInit(hSession,
+                                 pTemplate,
+                                 ulCount);
+    nssdbg_finish_time(FUNC_C_FINDOBJECTSINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_FindObjects(
+  CK_SESSION_HANDLE    hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG             ulMaxObjectCount,
+  CK_ULONG_PTR         pulObjectCount
+)
+{
+    COMMON_DEFINITIONS;
+    CK_ULONG i;
+
+    PR_LOG(modlog, 1, ("C_FindObjects"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_phObject, phObject));
+    PR_LOG(modlog, 3, ("  ulMaxObjectCount = %d", ulMaxObjectCount));
+    PR_LOG(modlog, 3, ("  pulObjectCount = 0x%p", pulObjectCount));
+    nssdbg_start_time(FUNC_C_FINDOBJECTS,&start);
+    rv = module_functions->C_FindObjects(hSession,
+                                 phObject,
+                                 ulMaxObjectCount,
+                                 pulObjectCount);
+    nssdbg_finish_time(FUNC_C_FINDOBJECTS,start);
+    PR_LOG(modlog, 4, ("  *pulObjectCount = 0x%x", *pulObjectCount));
+    for (i=0; i<*pulObjectCount; i++) {
+	PR_LOG(modlog, 4, ("  phObject[%d] = 0x%x%s", i, phObject[i],
+	       phObject[i] ? "" : fmt_invalid_handle));
+    }
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_FindObjectsFinal(
+  CK_SESSION_HANDLE hSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_FindObjectsFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_FINDOBJECTSFINAL,&start);
+    rv = module_functions->C_FindObjectsFinal(hSession);
+    nssdbg_finish_time(FUNC_C_FINDOBJECTSFINAL,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_EncryptInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_EncryptInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_ENCRYPTINIT,&start);
+    rv = module_functions->C_EncryptInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_ENCRYPTINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Encrypt(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pData,
+  CK_ULONG          ulDataLen,
+  CK_BYTE_PTR       pEncryptedData,
+  CK_ULONG_PTR      pulEncryptedDataLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Encrypt"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen));
+    PR_LOG(modlog, 3, (fmt_pEncryptedData, pEncryptedData));
+    PR_LOG(modlog, 3, ("  pulEncryptedDataLen = 0x%p", pulEncryptedDataLen));
+    nssdbg_start_time(FUNC_C_ENCRYPT,&start);
+    rv = module_functions->C_Encrypt(hSession,
+                                 pData,
+                                 ulDataLen,
+                                 pEncryptedData,
+                                 pulEncryptedDataLen);
+    nssdbg_finish_time(FUNC_C_ENCRYPT,start);
+    PR_LOG(modlog, 4, ("  *pulEncryptedDataLen = 0x%x", *pulEncryptedDataLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_EncryptUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG_PTR      pulEncryptedPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_EncryptUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen));
+    nssdbg_start_time(FUNC_C_ENCRYPTUPDATE,&start);
+    rv = module_functions->C_EncryptUpdate(hSession,
+                                 pPart,
+                                 ulPartLen,
+                                 pEncryptedPart,
+                                 pulEncryptedPartLen);
+    nssdbg_finish_time(FUNC_C_ENCRYPTUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_EncryptFinal(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pLastEncryptedPart,
+  CK_ULONG_PTR      pulLastEncryptedPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_EncryptFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  pLastEncryptedPart = 0x%p", pLastEncryptedPart));
+    PR_LOG(modlog, 3, ("  pulLastEncryptedPartLen = 0x%p", pulLastEncryptedPartLen));
+    nssdbg_start_time(FUNC_C_ENCRYPTFINAL,&start);
+    rv = module_functions->C_EncryptFinal(hSession,
+                                 pLastEncryptedPart,
+                                 pulLastEncryptedPartLen);
+    nssdbg_finish_time(FUNC_C_ENCRYPTFINAL,start);
+    PR_LOG(modlog, 4, ("  *pulLastEncryptedPartLen = 0x%x", *pulLastEncryptedPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DecryptInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DecryptInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_DECRYPTINIT,&start);
+    rv = module_functions->C_DecryptInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_DECRYPTINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Decrypt(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pEncryptedData,
+  CK_ULONG          ulEncryptedDataLen,
+  CK_BYTE_PTR       pData,
+  CK_ULONG_PTR      pulDataLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Decrypt"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pEncryptedData, pEncryptedData));
+    PR_LOG(modlog, 3, ("  ulEncryptedDataLen = %d", ulEncryptedDataLen));
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_pulDataLen, pulDataLen));
+    nssdbg_start_time(FUNC_C_DECRYPT,&start);
+    rv = module_functions->C_Decrypt(hSession,
+                                 pEncryptedData,
+                                 ulEncryptedDataLen,
+                                 pData,
+                                 pulDataLen);
+    nssdbg_finish_time(FUNC_C_DECRYPT,start);
+    PR_LOG(modlog, 4, (fmt_spulDataLen, *pulDataLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DecryptUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG          ulEncryptedPartLen,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG_PTR      pulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DecryptUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen));
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen));
+    nssdbg_start_time(FUNC_C_DECRYPTUPDATE,&start);
+    rv = module_functions->C_DecryptUpdate(hSession,
+                                 pEncryptedPart,
+                                 ulEncryptedPartLen,
+                                 pPart,
+                                 pulPartLen);
+    nssdbg_finish_time(FUNC_C_DECRYPTUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DecryptFinal(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pLastPart,
+  CK_ULONG_PTR      pulLastPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DecryptFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  pLastPart = 0x%p", pLastPart));
+    PR_LOG(modlog, 3, ("  pulLastPartLen = 0x%p", pulLastPartLen));
+    nssdbg_start_time(FUNC_C_DECRYPTFINAL,&start);
+    rv = module_functions->C_DecryptFinal(hSession,
+                                 pLastPart,
+                                 pulLastPartLen);
+    nssdbg_finish_time(FUNC_C_DECRYPTFINAL,start);
+    PR_LOG(modlog, 4, ("  *pulLastPartLen = 0x%x", *pulLastPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DigestInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DigestInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_DIGESTINIT,&start);
+    rv = module_functions->C_DigestInit(hSession,
+                                 pMechanism);
+    nssdbg_finish_time(FUNC_C_DIGESTINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Digest(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pData,
+  CK_ULONG          ulDataLen,
+  CK_BYTE_PTR       pDigest,
+  CK_ULONG_PTR      pulDigestLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Digest"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen));
+    PR_LOG(modlog, 3, (fmt_pDigest, pDigest));
+    PR_LOG(modlog, 3, (fmt_pulDigestLen, pulDigestLen));
+    nssdbg_start_time(FUNC_C_DIGEST,&start);
+    rv = module_functions->C_Digest(hSession,
+                                 pData,
+                                 ulDataLen,
+                                 pDigest,
+                                 pulDigestLen);
+    nssdbg_finish_time(FUNC_C_DIGEST,start);
+    PR_LOG(modlog, 4, (fmt_spulDigestLen, *pulDigestLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DigestUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DigestUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    nssdbg_start_time(FUNC_C_DIGESTUPDATE,&start);
+    rv = module_functions->C_DigestUpdate(hSession,
+                                 pPart,
+                                 ulPartLen);
+    nssdbg_finish_time(FUNC_C_DIGESTUPDATE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DigestKey(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DigestKey"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_DIGESTKEY,&start);
+    rv = module_functions->C_DigestKey(hSession,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_DIGESTKEY,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DigestFinal(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pDigest,
+  CK_ULONG_PTR      pulDigestLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DigestFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pDigest, pDigest));
+    PR_LOG(modlog, 3, (fmt_pulDigestLen, pulDigestLen));
+    nssdbg_start_time(FUNC_C_DIGESTFINAL,&start);
+    rv = module_functions->C_DigestFinal(hSession,
+                                 pDigest,
+                                 pulDigestLen);
+    nssdbg_finish_time(FUNC_C_DIGESTFINAL,start);
+    PR_LOG(modlog, 4, (fmt_spulDigestLen, *pulDigestLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_SIGNINIT,&start);
+    rv = module_functions->C_SignInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_SIGNINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Sign(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pData,
+  CK_ULONG          ulDataLen,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG_PTR      pulSignatureLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Sign"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen));
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen));
+    nssdbg_start_time(FUNC_C_SIGN,&start);
+    rv = module_functions->C_Sign(hSession,
+                                 pData,
+                                 ulDataLen,
+                                 pSignature,
+                                 pulSignatureLen);
+    nssdbg_finish_time(FUNC_C_SIGN,start);
+    PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    nssdbg_start_time(FUNC_C_SIGNUPDATE,&start);
+    rv = module_functions->C_SignUpdate(hSession,
+                                 pPart,
+                                 ulPartLen);
+    nssdbg_finish_time(FUNC_C_SIGNUPDATE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignFinal(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG_PTR      pulSignatureLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen));
+    nssdbg_start_time(FUNC_C_SIGNFINAL,&start);
+    rv = module_functions->C_SignFinal(hSession,
+                                 pSignature,
+                                 pulSignatureLen);
+    nssdbg_finish_time(FUNC_C_SIGNFINAL,start);
+    PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignRecoverInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignRecoverInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_SIGNRECOVERINIT,&start);
+    rv = module_functions->C_SignRecoverInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_SIGNRECOVERINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignRecover(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pData,
+  CK_ULONG          ulDataLen,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG_PTR      pulSignatureLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignRecover"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen));
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen));
+    nssdbg_start_time(FUNC_C_SIGNRECOVER,&start);
+    rv = module_functions->C_SignRecover(hSession,
+                                 pData,
+                                 ulDataLen,
+                                 pSignature,
+                                 pulSignatureLen);
+    nssdbg_finish_time(FUNC_C_SIGNRECOVER,start);
+    PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_VerifyInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_VerifyInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_VERIFYINIT,&start);
+    rv = module_functions->C_VerifyInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_VERIFYINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_Verify(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pData,
+  CK_ULONG          ulDataLen,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG          ulSignatureLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_Verify"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen));
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen));
+    nssdbg_start_time(FUNC_C_VERIFY,&start);
+    rv = module_functions->C_Verify(hSession,
+                                 pData,
+                                 ulDataLen,
+                                 pSignature,
+                                 ulSignatureLen);
+    nssdbg_finish_time(FUNC_C_VERIFY,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_VerifyUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_VerifyUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    nssdbg_start_time(FUNC_C_VERIFYUPDATE,&start);
+    rv = module_functions->C_VerifyUpdate(hSession,
+                                 pPart,
+                                 ulPartLen);
+    nssdbg_finish_time(FUNC_C_VERIFYUPDATE,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_VerifyFinal(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG          ulSignatureLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_VerifyFinal"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen));
+    nssdbg_start_time(FUNC_C_VERIFYFINAL,&start);
+    rv = module_functions->C_VerifyFinal(hSession,
+                                 pSignature,
+                                 ulSignatureLen);
+    nssdbg_finish_time(FUNC_C_VERIFYFINAL,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_VerifyRecoverInit(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_VerifyRecoverInit"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, fmt_hKey, hKey);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_VERIFYRECOVERINIT,&start);
+    rv = module_functions->C_VerifyRecoverInit(hSession,
+                                 pMechanism,
+                                 hKey);
+    nssdbg_finish_time(FUNC_C_VERIFYRECOVERINIT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_VerifyRecover(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pSignature,
+  CK_ULONG          ulSignatureLen,
+  CK_BYTE_PTR       pData,
+  CK_ULONG_PTR      pulDataLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_VerifyRecover"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pSignature, pSignature));
+    PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen));
+    PR_LOG(modlog, 3, (fmt_pData, pData));
+    PR_LOG(modlog, 3, (fmt_pulDataLen, pulDataLen));
+    nssdbg_start_time(FUNC_C_VERIFYRECOVER,&start);
+    rv = module_functions->C_VerifyRecover(hSession,
+                                 pSignature,
+                                 ulSignatureLen,
+                                 pData,
+                                 pulDataLen);
+    nssdbg_finish_time(FUNC_C_VERIFYRECOVER,start);
+    PR_LOG(modlog, 4, (fmt_spulDataLen, *pulDataLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DigestEncryptUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG_PTR      pulEncryptedPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DigestEncryptUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen));
+    nssdbg_start_time(FUNC_C_DIGESTENCRYPTUPDATE,&start);
+    rv = module_functions->C_DigestEncryptUpdate(hSession,
+                                 pPart,
+                                 ulPartLen,
+                                 pEncryptedPart,
+                                 pulEncryptedPartLen);
+    nssdbg_finish_time(FUNC_C_DIGESTENCRYPTUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DecryptDigestUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG          ulEncryptedPartLen,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG_PTR      pulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DecryptDigestUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen));
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen));
+    nssdbg_start_time(FUNC_C_DECRYPTDIGESTUPDATE,&start);
+    rv = module_functions->C_DecryptDigestUpdate(hSession,
+                                 pEncryptedPart,
+                                 ulEncryptedPartLen,
+                                 pPart,
+                                 pulPartLen);
+    nssdbg_finish_time(FUNC_C_DECRYPTDIGESTUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SignEncryptUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG          ulPartLen,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG_PTR      pulEncryptedPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SignEncryptUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen));
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen));
+    nssdbg_start_time(FUNC_C_SIGNENCRYPTUPDATE,&start);
+    rv = module_functions->C_SignEncryptUpdate(hSession,
+                                 pPart,
+                                 ulPartLen,
+                                 pEncryptedPart,
+                                 pulEncryptedPartLen);
+    nssdbg_finish_time(FUNC_C_SIGNENCRYPTUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DecryptVerifyUpdate(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pEncryptedPart,
+  CK_ULONG          ulEncryptedPartLen,
+  CK_BYTE_PTR       pPart,
+  CK_ULONG_PTR      pulPartLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DecryptVerifyUpdate"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart));
+    PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen));
+    PR_LOG(modlog, 3, (fmt_pPart, pPart));
+    PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen));
+    nssdbg_start_time(FUNC_C_DECRYPTVERIFYUPDATE,&start);
+    rv = module_functions->C_DecryptVerifyUpdate(hSession,
+                                 pEncryptedPart,
+                                 ulEncryptedPartLen,
+                                 pPart,
+                                 pulPartLen);
+    nssdbg_finish_time(FUNC_C_DECRYPTVERIFYUPDATE,start);
+    PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GenerateKey(
+  CK_SESSION_HANDLE    hSession,
+  CK_MECHANISM_PTR     pMechanism,
+  CK_ATTRIBUTE_PTR     pTemplate,
+  CK_ULONG             ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GenerateKey"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulCount, ulCount));
+    PR_LOG(modlog, 3, (fmt_phKey, phKey));
+    print_template(pTemplate, ulCount);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_GENERATEKEY,&start);
+    rv = module_functions->C_GenerateKey(hSession,
+                                 pMechanism,
+                                 pTemplate,
+                                 ulCount,
+                                 phKey);
+    nssdbg_finish_time(FUNC_C_GENERATEKEY,start);
+    log_handle(4, fmt_sphKey, *phKey);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GenerateKeyPair(
+  CK_SESSION_HANDLE    hSession,
+  CK_MECHANISM_PTR     pMechanism,
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,
+  CK_ULONG             ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,
+  CK_ULONG             ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GenerateKeyPair"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    PR_LOG(modlog, 3, ("  pPublicKeyTemplate = 0x%p", pPublicKeyTemplate));
+    PR_LOG(modlog, 3, ("  ulPublicKeyAttributeCount = %d", ulPublicKeyAttributeCount));
+    PR_LOG(modlog, 3, ("  pPrivateKeyTemplate = 0x%p", pPrivateKeyTemplate));
+    PR_LOG(modlog, 3, ("  ulPrivateKeyAttributeCount = %d", ulPrivateKeyAttributeCount));
+    PR_LOG(modlog, 3, ("  phPublicKey = 0x%p", phPublicKey));
+    print_template(pPublicKeyTemplate, ulPublicKeyAttributeCount);
+    PR_LOG(modlog, 3, ("  phPrivateKey = 0x%p", phPrivateKey));
+    print_template(pPrivateKeyTemplate, ulPrivateKeyAttributeCount);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_GENERATEKEYPAIR,&start);
+    rv = module_functions->C_GenerateKeyPair(hSession,
+                                 pMechanism,
+                                 pPublicKeyTemplate,
+                                 ulPublicKeyAttributeCount,
+                                 pPrivateKeyTemplate,
+                                 ulPrivateKeyAttributeCount,
+                                 phPublicKey,
+                                 phPrivateKey);
+    nssdbg_finish_time(FUNC_C_GENERATEKEYPAIR,start);
+    log_handle(4, "  *phPublicKey = 0x%x", *phPublicKey);
+    log_handle(4, "  *phPrivateKey = 0x%x", *phPrivateKey);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_WrapKey(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR  pMechanism,
+  CK_OBJECT_HANDLE  hWrappingKey,
+  CK_OBJECT_HANDLE  hKey,
+  CK_BYTE_PTR       pWrappedKey,
+  CK_ULONG_PTR      pulWrappedKeyLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_WrapKey"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, "  hWrappingKey = 0x%x", hWrappingKey);
+    log_handle(3, fmt_hKey, hKey);
+    PR_LOG(modlog, 3, (fmt_pWrappedKey, pWrappedKey));
+    PR_LOG(modlog, 3, ("  pulWrappedKeyLen = 0x%p", pulWrappedKeyLen));
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_WRAPKEY,&start);
+    rv = module_functions->C_WrapKey(hSession,
+                                 pMechanism,
+                                 hWrappingKey,
+                                 hKey,
+                                 pWrappedKey,
+                                 pulWrappedKeyLen);
+    nssdbg_finish_time(FUNC_C_WRAPKEY,start);
+    PR_LOG(modlog, 4, ("  *pulWrappedKeyLen = 0x%x", *pulWrappedKeyLen));
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_UnwrapKey(
+  CK_SESSION_HANDLE    hSession,
+  CK_MECHANISM_PTR     pMechanism,
+  CK_OBJECT_HANDLE     hUnwrappingKey,
+  CK_BYTE_PTR          pWrappedKey,
+  CK_ULONG             ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR     pTemplate,
+  CK_ULONG             ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_UnwrapKey"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, "  hUnwrappingKey = 0x%x", hUnwrappingKey);
+    PR_LOG(modlog, 3, (fmt_pWrappedKey, pWrappedKey));
+    PR_LOG(modlog, 3, ("  ulWrappedKeyLen = %d", ulWrappedKeyLen));
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulAttributeCount, ulAttributeCount));
+    PR_LOG(modlog, 3, (fmt_phKey, phKey));
+    print_template(pTemplate, ulAttributeCount);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_UNWRAPKEY,&start);
+    rv = module_functions->C_UnwrapKey(hSession,
+                                 pMechanism,
+                                 hUnwrappingKey,
+                                 pWrappedKey,
+                                 ulWrappedKeyLen,
+                                 pTemplate,
+                                 ulAttributeCount,
+                                 phKey);
+    nssdbg_finish_time(FUNC_C_UNWRAPKEY,start);
+    log_handle(4, fmt_sphKey, *phKey);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_DeriveKey(
+  CK_SESSION_HANDLE    hSession,
+  CK_MECHANISM_PTR     pMechanism,
+  CK_OBJECT_HANDLE     hBaseKey,
+  CK_ATTRIBUTE_PTR     pTemplate,
+  CK_ULONG             ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_DeriveKey"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism));
+    log_handle(3, "  hBaseKey = 0x%x", hBaseKey);
+    PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate));
+    PR_LOG(modlog, 3, (fmt_ulAttributeCount, ulAttributeCount));
+    PR_LOG(modlog, 3, (fmt_phKey, phKey));
+    print_template(pTemplate, ulAttributeCount);
+    print_mechanism(pMechanism);
+    nssdbg_start_time(FUNC_C_DERIVEKEY,&start);
+    rv = module_functions->C_DeriveKey(hSession,
+                                 pMechanism,
+                                 hBaseKey,
+                                 pTemplate,
+                                 ulAttributeCount,
+                                 phKey);
+    nssdbg_finish_time(FUNC_C_DERIVEKEY,start);
+    log_handle(4, fmt_sphKey, *phKey);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_SeedRandom(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       pSeed,
+  CK_ULONG          ulSeedLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_SeedRandom"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  pSeed = 0x%p", pSeed));
+    PR_LOG(modlog, 3, ("  ulSeedLen = %d", ulSeedLen));
+    nssdbg_start_time(FUNC_C_SEEDRANDOM,&start);
+    rv = module_functions->C_SeedRandom(hSession,
+                                 pSeed,
+                                 ulSeedLen);
+    nssdbg_finish_time(FUNC_C_SEEDRANDOM,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GenerateRandom(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR       RandomData,
+  CK_ULONG          ulRandomLen
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GenerateRandom"));
+    log_handle(3, fmt_hSession, hSession);
+    PR_LOG(modlog, 3, ("  RandomData = 0x%p", RandomData));
+    PR_LOG(modlog, 3, ("  ulRandomLen = %d", ulRandomLen));
+    nssdbg_start_time(FUNC_C_GENERATERANDOM,&start);
+    rv = module_functions->C_GenerateRandom(hSession,
+                                 RandomData,
+                                 ulRandomLen);
+    nssdbg_finish_time(FUNC_C_GENERATERANDOM,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_GetFunctionStatus(
+  CK_SESSION_HANDLE hSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_GetFunctionStatus"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_GETFUNCTIONSTATUS,&start);
+    rv = module_functions->C_GetFunctionStatus(hSession);
+    nssdbg_finish_time(FUNC_C_GETFUNCTIONSTATUS,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_CancelFunction(
+  CK_SESSION_HANDLE hSession
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_CancelFunction"));
+    log_handle(3, fmt_hSession, hSession);
+    nssdbg_start_time(FUNC_C_CANCELFUNCTION,&start);
+    rv = module_functions->C_CancelFunction(hSession);
+    nssdbg_finish_time(FUNC_C_CANCELFUNCTION,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_RV NSSDBGC_WaitForSlotEvent(
+  CK_FLAGS       flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR    pRserved
+)
+{
+    COMMON_DEFINITIONS;
+
+    PR_LOG(modlog, 1, ("C_WaitForSlotEvent"));
+    PR_LOG(modlog, 3, (fmt_flags, flags));
+    PR_LOG(modlog, 3, ("  pSlot = 0x%p", pSlot));
+    PR_LOG(modlog, 3, ("  pRserved = 0x%p", pRserved));
+    nssdbg_start_time(FUNC_C_WAITFORSLOTEVENT,&start);
+    rv = module_functions->C_WaitForSlotEvent(flags,
+                                 pSlot,
+                                 pRserved);
+    nssdbg_finish_time(FUNC_C_WAITFORSLOTEVENT,start);
+    log_rv(rv);
+    return rv;
+}
+
+CK_FUNCTION_LIST_PTR nss_InsertDeviceLog(
+  CK_FUNCTION_LIST_PTR devEPV
+)
+{
+    module_functions = devEPV;
+    modlog = PR_NewLogModule("nss_mod_log");
+    debug_functions.C_Initialize = NSSDBGC_Initialize;
+    debug_functions.C_Finalize = NSSDBGC_Finalize;
+    debug_functions.C_GetInfo = NSSDBGC_GetInfo;
+    debug_functions.C_GetFunctionList = NSSDBGC_GetFunctionList;
+    debug_functions.C_GetSlotList = NSSDBGC_GetSlotList;
+    debug_functions.C_GetSlotInfo = NSSDBGC_GetSlotInfo;
+    debug_functions.C_GetTokenInfo = NSSDBGC_GetTokenInfo;
+    debug_functions.C_GetMechanismList = NSSDBGC_GetMechanismList;
+    debug_functions.C_GetMechanismInfo = NSSDBGC_GetMechanismInfo;
+    debug_functions.C_InitToken = NSSDBGC_InitToken;
+    debug_functions.C_InitPIN = NSSDBGC_InitPIN;
+    debug_functions.C_SetPIN = NSSDBGC_SetPIN;
+    debug_functions.C_OpenSession = NSSDBGC_OpenSession;
+    debug_functions.C_CloseSession = NSSDBGC_CloseSession;
+    debug_functions.C_CloseAllSessions = NSSDBGC_CloseAllSessions;
+    debug_functions.C_GetSessionInfo = NSSDBGC_GetSessionInfo;
+    debug_functions.C_GetOperationState = NSSDBGC_GetOperationState;
+    debug_functions.C_SetOperationState = NSSDBGC_SetOperationState;
+    debug_functions.C_Login = NSSDBGC_Login;
+    debug_functions.C_Logout = NSSDBGC_Logout;
+    debug_functions.C_CreateObject = NSSDBGC_CreateObject;
+    debug_functions.C_CopyObject = NSSDBGC_CopyObject;
+    debug_functions.C_DestroyObject = NSSDBGC_DestroyObject;
+    debug_functions.C_GetObjectSize = NSSDBGC_GetObjectSize;
+    debug_functions.C_GetAttributeValue = NSSDBGC_GetAttributeValue;
+    debug_functions.C_SetAttributeValue = NSSDBGC_SetAttributeValue;
+    debug_functions.C_FindObjectsInit = NSSDBGC_FindObjectsInit;
+    debug_functions.C_FindObjects = NSSDBGC_FindObjects;
+    debug_functions.C_FindObjectsFinal = NSSDBGC_FindObjectsFinal;
+    debug_functions.C_EncryptInit = NSSDBGC_EncryptInit;
+    debug_functions.C_Encrypt = NSSDBGC_Encrypt;
+    debug_functions.C_EncryptUpdate = NSSDBGC_EncryptUpdate;
+    debug_functions.C_EncryptFinal = NSSDBGC_EncryptFinal;
+    debug_functions.C_DecryptInit = NSSDBGC_DecryptInit;
+    debug_functions.C_Decrypt = NSSDBGC_Decrypt;
+    debug_functions.C_DecryptUpdate = NSSDBGC_DecryptUpdate;
+    debug_functions.C_DecryptFinal = NSSDBGC_DecryptFinal;
+    debug_functions.C_DigestInit = NSSDBGC_DigestInit;
+    debug_functions.C_Digest = NSSDBGC_Digest;
+    debug_functions.C_DigestUpdate = NSSDBGC_DigestUpdate;
+    debug_functions.C_DigestKey = NSSDBGC_DigestKey;
+    debug_functions.C_DigestFinal = NSSDBGC_DigestFinal;
+    debug_functions.C_SignInit = NSSDBGC_SignInit;
+    debug_functions.C_Sign = NSSDBGC_Sign;
+    debug_functions.C_SignUpdate = NSSDBGC_SignUpdate;
+    debug_functions.C_SignFinal = NSSDBGC_SignFinal;
+    debug_functions.C_SignRecoverInit = NSSDBGC_SignRecoverInit;
+    debug_functions.C_SignRecover = NSSDBGC_SignRecover;
+    debug_functions.C_VerifyInit = NSSDBGC_VerifyInit;
+    debug_functions.C_Verify = NSSDBGC_Verify;
+    debug_functions.C_VerifyUpdate = NSSDBGC_VerifyUpdate;
+    debug_functions.C_VerifyFinal = NSSDBGC_VerifyFinal;
+    debug_functions.C_VerifyRecoverInit = NSSDBGC_VerifyRecoverInit;
+    debug_functions.C_VerifyRecover = NSSDBGC_VerifyRecover;
+    debug_functions.C_DigestEncryptUpdate = NSSDBGC_DigestEncryptUpdate;
+    debug_functions.C_DecryptDigestUpdate = NSSDBGC_DecryptDigestUpdate;
+    debug_functions.C_SignEncryptUpdate = NSSDBGC_SignEncryptUpdate;
+    debug_functions.C_DecryptVerifyUpdate = NSSDBGC_DecryptVerifyUpdate;
+    debug_functions.C_GenerateKey = NSSDBGC_GenerateKey;
+    debug_functions.C_GenerateKeyPair = NSSDBGC_GenerateKeyPair;
+    debug_functions.C_WrapKey = NSSDBGC_WrapKey;
+    debug_functions.C_UnwrapKey = NSSDBGC_UnwrapKey;
+    debug_functions.C_DeriveKey = NSSDBGC_DeriveKey;
+    debug_functions.C_SeedRandom = NSSDBGC_SeedRandom;
+    debug_functions.C_GenerateRandom = NSSDBGC_GenerateRandom;
+    debug_functions.C_GetFunctionStatus = NSSDBGC_GetFunctionStatus;
+    debug_functions.C_CancelFunction = NSSDBGC_CancelFunction;
+    debug_functions.C_WaitForSlotEvent = NSSDBGC_WaitForSlotEvent;
+    return &debug_functions;
+}
+
+/*
+ * scale the time factor up accordingly.
+ * This routine tries to keep at least 2 significant figures on output.
+ *    If the time is 0, then indicate that with a 'z' for units.
+ *    If the time is greater than 10 minutes, output the time in minutes.
+ *    If the time is less than 10 minutes but greater than 10 seconds output 
+ * the time in second.
+ *    If the time is less than 10 seconds but greater than 10 milliseconds 
+ * output * the time in millisecond.
+ *    If the time is less than 10 milliseconds but greater than 0 ticks output 
+ * the time in microsecond.
+ *
+ */
+static PRUint32 getPrintTime(PRIntervalTime time ,char **type)
+{
+	PRUint32 prTime;
+
+        /* detect a programming error by outputting 'bu' to the output stream
+	 * rather than crashing */
+ 	*type = "bug";
+	if (time == 0) {
+	    *type = "z";
+	    return 0;
+	}
+
+	prTime = PR_IntervalToSeconds(time);
+
+	if (prTime >= 600) {
+	    *type="m";
+	    return prTime/60;
+	}
+        if (prTime >= 10) {
+	    *type="s";
+	    return prTime;
+	} 
+	prTime = PR_IntervalToMilliseconds(time);
+        if (prTime >= 10) {
+	    *type="ms";
+	    return prTime;
+	} 
+ 	*type = "us";
+	return PR_IntervalToMicroseconds(time);
+}
+
+static void print_final_statistics(void)
+{
+    int total_calls = 0;
+    PRIntervalTime total_time = 0;
+    PRUint32 pr_total_time;
+    char *type;
+    char *fname;
+    FILE *outfile = NULL;
+    int i;
+
+    fname = PR_GetEnv("NSS_OUTPUT_FILE");
+    if (fname) {
+	/* need to add an optional process id to the filename */
+	outfile = fopen(fname,"w+");
+    }
+    if (!outfile) {
+	outfile = stdout;
+    }
+	
+
+    fprintf(outfile,"%-25s %10s %12s %12s %10s\n", "Function", "# Calls", 
+				"Time", "Avg.", "% Time");
+    fprintf(outfile,"\n");
+    for (i=0; i < nssdbg_prof_size; i++) {
+	total_calls += nssdbg_prof_data[i].calls;
+	total_time += nssdbg_prof_data[i].time;
+    }
+    for (i=0; i < nssdbg_prof_size; i++) {
+	PRIntervalTime time = nssdbg_prof_data[i].time;
+	PRUint32 usTime = PR_IntervalToMicroseconds(time);
+	PRUint32 prTime = 0;
+	PRUint32 calls = nssdbg_prof_data[i].calls;
+	/* don't print out functions that weren't even called */
+	if (calls == 0) {
+	    continue;
+	}
+
+	prTime = getPrintTime(time,&type);
+
+	fprintf(outfile,"%-25s %10d %10d%2s ", nssdbg_prof_data[i].function, 
+						calls, prTime, type);
+	/* for now always output the average in microseconds */
+	fprintf(outfile,"%10.2f%2s", (float)usTime / (float)calls, "us" );
+	fprintf(outfile,"%10.2f%%", ((float)time / (float)total_time) * 100);
+	fprintf(outfile,"\n");
+    }
+    fprintf(outfile,"\n");
+
+    pr_total_time = getPrintTime(total_time,&type);
+
+    fprintf(outfile,"%25s %10d %10d%2s\n", "Totals", total_calls, 
+							pr_total_time, type);
+    fprintf(outfile,"\n\nMaximum number of concurrent open sessions: %d\n\n",
+							 maxOpenSessions);
+    fflush (outfile);
+    if (outfile != stdout) {
+	fclose(outfile);
+    }
+}
+
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
new file mode 100644
index 000000000..0d643f70c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -0,0 +1,339 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#include "pki3hack.h"
+#include "dev3hack.h"
+#include "pkim.h"
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "pk11func.h"
+#include "secmodti.h"
+#include "secerr.h"
+
+NSS_IMPLEMENT nssSession *
+nssSession_ImportNSS3Session(NSSArena *arenaOpt,
+                             CK_SESSION_HANDLE session, 
+                             PZLock *lock, PRBool rw)
+{
+    nssSession *rvSession = NULL;
+    if (session != CK_INVALID_SESSION) {
+	rvSession = nss_ZNEW(arenaOpt, nssSession);
+	if (rvSession) {
+	    rvSession->handle = session;
+	    rvSession->lock = lock;
+	    rvSession->ownLock = PR_FALSE;
+	    rvSession->isRW = rw;
+	}
+    }
+    return rvSession;
+}
+
+NSS_IMPLEMENT nssSession *
+nssSlot_CreateSession
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt,
+  PRBool readWrite
+)
+{
+    nssSession *rvSession;
+    rvSession = nss_ZNEW(arenaOpt, nssSession);
+    if (!rvSession) {
+	return (nssSession *)NULL;
+    }
+    if (readWrite) {
+	rvSession->handle = PK11_GetRWSession(slot->pk11slot);
+	if (rvSession->handle == CK_INVALID_HANDLE) {
+	    nss_ZFreeIf(rvSession);
+	    return NULL;
+	}
+	rvSession->isRW = PR_TRUE;
+	rvSession->slot = slot;
+        /*
+         * The session doesn't need its own lock.  Here's why.
+         * 1. If we are reusing the default RW session of the slot,
+         *    the slot lock is already locked to protect the session.
+         * 2. If the module is not thread safe, the slot (or rather
+         *    module) lock is already locked.
+         * 3. If the module is thread safe and we are using a new
+         *    session, no higher-level lock has been locked and we
+         *    would need a lock for the new session.  However, the
+         *    current usage of the session is that it is always
+         *    used and destroyed within the same function and never
+         *    shared with another thread.
+         * So the session is either already protected by another
+         * lock or only used by one thread.
+         */
+        rvSession->lock = NULL;
+        rvSession->ownLock = PR_FALSE;
+	return rvSession;
+    } else {
+	return NULL;
+    }
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_Destroy
+(
+  nssSession *s
+)
+{
+    CK_RV ckrv = CKR_OK;
+    if (s) {
+	if (s->isRW) {
+	    PK11_RestoreROSession(s->slot->pk11slot, s->handle);
+	}
+	nss_ZFreeIf(s);
+    }
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+static NSSSlot *
+nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
+{
+    NSSSlot *rvSlot;
+    NSSArena *arena;
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvSlot = nss_ZNEW(arena, NSSSlot);
+    if (!rvSlot) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    rvSlot->base.refCount = 1;
+    rvSlot->base.lock = PZ_NewLock(nssILockOther);
+    rvSlot->base.arena = arena;
+    rvSlot->pk11slot = nss3slot;
+    rvSlot->epv = nss3slot->functionList;
+    rvSlot->slotID = nss3slot->slotID;
+    /* Grab the slot name from the PKCS#11 fixed-length buffer */
+    rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena);
+    rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
+    return rvSlot;
+}
+
+NSSToken *
+nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
+{
+    NSSToken *rvToken;
+    NSSArena *arena;
+
+    /* Don't create a token object for a disabled slot */
+    if (nss3slot->disabled) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvToken = nss_ZNEW(arena, NSSToken);
+    if (!rvToken) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    rvToken->base.refCount = 1;
+    rvToken->base.lock = PZ_NewLock(nssILockOther);
+    if (!rvToken->base.lock) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    rvToken->base.arena = arena;
+    rvToken->pk11slot = nss3slot;
+    rvToken->epv = nss3slot->functionList;
+    rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena,
+                                                       nss3slot->session,
+                                                       nss3slot->sessionLock,
+                                                       nss3slot->defRWSession);
+#if 0 /* we should do this instead of blindly continuing. */
+    if (!rvToken->defaultSession) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    	goto loser;
+    }
+#endif
+    if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) {
+	rvToken->cache = nssTokenObjectCache_Create(rvToken, 
+	                                            PR_TRUE, PR_TRUE, PR_TRUE);
+	if (!rvToken->cache)
+	    goto loser;
+    }
+    rvToken->trustDomain = td;
+    /* Grab the token name from the PKCS#11 fixed-length buffer */
+    rvToken->base.name = nssUTF8_Duplicate(nss3slot->token_name,td->arena);
+    rvToken->slot = nssSlot_CreateFromPK11SlotInfo(td, nss3slot);
+    if (!rvToken->slot) {
+        goto loser;
+    }
+    rvToken->slot->token = rvToken;
+    if (rvToken->defaultSession)
+	rvToken->defaultSession->slot = rvToken->slot;
+    return rvToken;
+loser:
+    PZ_DestroyLock(rvToken->base.lock);
+    nssArena_Destroy(arena);
+    return NULL;
+}
+
+NSS_IMPLEMENT void
+nssToken_UpdateName(NSSToken *token)
+{
+    if (!token) {
+	return;
+    }
+    token->base.name = nssUTF8_Duplicate(token->pk11slot->token_name,token->base.arena);
+}
+
+NSS_IMPLEMENT PRBool
+nssSlot_IsPermanent
+(
+  NSSSlot *slot
+)
+{
+    return slot->pk11slot->isPerm;
+}
+
+NSS_IMPLEMENT PRBool
+nssSlot_IsFriendly
+(
+  NSSSlot *slot
+)
+{
+    return PK11_IsFriendly(slot->pk11slot);
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_Refresh(NSSToken *token)
+{
+    PK11SlotInfo *nss3slot;
+
+    if (!token) {
+	return PR_SUCCESS;
+    }
+    nss3slot = token->pk11slot;
+    token->defaultSession = 
+    	nssSession_ImportNSS3Session(token->slot->base.arena,
+				     nss3slot->session,
+				     nss3slot->sessionLock,
+				     nss3slot->defRWSession);
+    return token->defaultSession ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Refresh
+(
+  NSSSlot *slot
+)
+{
+    PK11SlotInfo *nss3slot = slot->pk11slot;
+    PRBool doit = PR_FALSE;
+    if (slot->token && slot->token->base.name[0] == 0) {
+	doit = PR_TRUE;
+    }
+    if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
+	return PR_FAILURE;
+    }
+    if (doit) {
+	nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, 
+	                                      slot->token);
+    }
+    return nssToken_Refresh(slot->token);
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_GetTrustOrder
+(
+  NSSToken *tok
+)
+{
+    PK11SlotInfo *slot;
+    SECMODModule *module;
+    slot = tok->pk11slot;
+    module = PK11_GetModule(slot);
+    return module->trustOrder;
+}
+
+NSS_IMPLEMENT PRBool
+nssSlot_IsLoggedIn
+(
+  NSSSlot *slot
+)
+{
+    if (!slot->pk11slot->needLogin) {
+	return PR_TRUE;
+    }
+    return PK11_IsLoggedIn(slot->pk11slot, NULL);
+}
+
+
+NSSTrustDomain *
+nssToken_GetTrustDomain(NSSToken *token)
+{
+    return token->trustDomain;
+}
+
+NSS_EXTERN PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+NSS_IMPLEMENT PRStatus
+nssToken_NotifyCertsNotVisible
+(
+  NSSToken *tok
+)
+{
+    return nssTrustDomain_RemoveTokenCertsFromCache(tok->trustDomain, tok);
+}
+
diff --git a/security/nss/lib/pk11wrap/dev3hack.h b/security/nss/lib/pk11wrap/dev3hack.h
new file mode 100644
index 000000000..1bb2fac47
--- /dev/null
+++ b/security/nss/lib/pk11wrap/dev3hack.h
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef DEVNSS3HACK_H
+#define DEVNSS3HACK_H
+
+#ifdef DEBUG
+static const char DEVNSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "cert.h"
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSToken *
+nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot);
+
+NSS_EXTERN void
+nssToken_UpdateName(NSSToken *);
+
+NSS_EXTERN PRStatus
+nssToken_Refresh(NSSToken *);
+
+NSSTrustDomain *
+nssToken_GetTrustDomain(NSSToken *token);
+
+void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst);
+
+NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl);
+
+PR_END_EXTERN_C
+
+#endif /* DEVNSS3HACK_H */
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
new file mode 100644
index 000000000..aa1a2c4f4
--- /dev/null
+++ b/security/nss/lib/pk11wrap/manifest.mn
@@ -0,0 +1,98 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	secmod.h \
+	secmodt.h \
+	secpkcs5.h \
+	pk11func.h \
+	pk11pub.h \
+	pk11priv.h \
+	pk11sdr.h \
+	pk11pqg.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	secmodi.h \
+	pk11init.h \
+	dev3hack.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	dev3hack.c \
+	pk11akey.c \
+	pk11auth.c \
+	pk11cert.c \
+	pk11cxt.c \
+	pk11err.c  \
+	pk11kea.c \
+	pk11list.c \
+	pk11load.c \
+	pk11mech.c \
+	pk11merge.c \
+	pk11nobj.c \
+	pk11obj.c \
+	pk11pars.c \
+	pk11pbe.c \
+	pk11pk12.c \
+	pk11pqg.c \
+	pk11sdr.c \
+	pk11skey.c \
+	pk11slot.c \
+	pk11util.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pk11wrap
+
+LIBRARY_VERSION = 3
+SOFTOKEN_LIBRARY_VERSION = 3
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" \
+        -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" \
+        -DSOFTOKEN_SHLIB_VERSION=\"$(SOFTOKEN_LIBRARY_VERSION)\"
+
+# only add module debugging in opt builds if DEBUG_PKCS11 is set
+ifdef DEBUG_PKCS11
+  DEFINES += -DDEBUG_MODULE -DFORCE_PR_LOG
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
new file mode 100644
index 000000000..78afd9f93
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -0,0 +1,2075 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file contains functions to manage asymetric keys, (public and
+ * private keys).
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "key.h"
+#include "secitem.h"
+#include "secasn1.h" 
+#include "secoid.h" 
+#include "secerr.h"
+#include "sslerr.h"
+#include "sechash.h"
+
+#include "secpkcs5.h"  
+#include "ec.h"
+
+static SECItem *
+pk11_MakeIDFromPublicKey(SECKEYPublicKey *pubKey)
+{
+    /* set the ID to the public key so we can find it again */
+    SECItem *pubKeyIndex =  NULL;
+    switch (pubKey->keyType) {
+    case rsaKey:
+      pubKeyIndex = &pubKey->u.rsa.modulus;
+      break;
+    case dsaKey:
+      pubKeyIndex = &pubKey->u.dsa.publicValue;
+      break;
+    case dhKey:
+      pubKeyIndex = &pubKey->u.dh.publicValue;
+      break;      
+    case ecKey:
+      pubKeyIndex = &pubKey->u.ec.publicValue;
+      break;      
+    default:
+      return NULL;
+    }
+    PORT_Assert(pubKeyIndex != NULL);
+
+    return PK11_MakeIDFromPubKey(pubKeyIndex);
+} 
+
+/*
+ * import a public key into the desired slot
+ *
+ * This function takes a public key structure and creates a public key in a 
+ * given slot. If isToken is set, then a persistant public key is created.
+ *
+ * Note: it is possible for this function to return a handle for a key which
+ * is persistant, even if isToken is not set.
+ */
+CK_OBJECT_HANDLE
+PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, 
+								PRBool isToken)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[11];
+    CK_ATTRIBUTE *signedattr = NULL;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECItem *ckaId = NULL;
+    int signedcount = 0;
+    int templateCount = 0;
+    SECStatus rv;
+
+    /* if we already have an object in the desired slot, use it */
+    if (!isToken && pubKey->pkcs11Slot == slot) {
+	return pubKey->pkcs11ID;
+    }
+
+    /* free the existing key */
+    if (pubKey->pkcs11Slot != NULL) {
+	PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
+	if (!PK11_IsPermObject(pubKey->pkcs11Slot,pubKey->pkcs11ID)) {
+	    PK11_EnterSlotMonitor(oSlot);
+	    (void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
+							pubKey->pkcs11ID);
+	    PK11_ExitSlotMonitor(oSlot);
+	}
+	PK11_FreeSlot(oSlot);
+	pubKey->pkcs11Slot = NULL;
+    }
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+    if (isToken) {
+	ckaId = pk11_MakeIDFromPublicKey(pubKey);
+	if (ckaId == NULL) {
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return CK_INVALID_HANDLE;
+	}
+	PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len); attrs++;
+    }
+
+    /* now import the key */
+    {
+        switch (pubKey->keyType) {
+        case rsaKey:
+	    keyType = CKK_RSA;
+	    PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, 
+						sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
+					 pubKey->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     	pubKey->u.rsa.publicExponent.data,
+				 pubKey->u.rsa.publicExponent.len); attrs++;
+	    break;
+        case dsaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dsa.params.prime.data,
+				pubKey->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data,
+				pubKey->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dsa.params.base.data,
+					pubKey->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dsa.publicValue.data, 
+					pubKey->u.dsa.publicValue.len); attrs++;
+	    break;
+	case fortezzaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data,
+				pubKey->u.fortezza.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,
+				pubKey->u.fortezza.params.subPrime.data,
+				pubKey->u.fortezza.params.subPrime.len);attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.fortezza.params.base.data,
+				pubKey->u.fortezza.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, 
+				pubKey->u.fortezza.DSSKey.len); attrs++;
+            break;
+        case dhKey:
+	    keyType = CKK_DH;
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dh.prime.data,
+				pubKey->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dh.base.data,
+					pubKey->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dh.publicValue.data, 
+					pubKey->u.dh.publicValue.len); attrs++;
+	    break;
+        case ecKey:
+	    keyType = CKK_EC;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_EC_PARAMS, 
+		          pubKey->u.ec.DEREncodedParams.data,
+		          pubKey->u.ec.DEREncodedParams.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EC_POINT, pubKey->u.ec.publicValue.data,
+			  pubKey->u.ec.publicValue.len); attrs++;
+	    break;
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return CK_INVALID_HANDLE;
+	}
+
+	templateCount = attrs - theTemplate;
+	signedcount = attrs - signedattr;
+	PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
+	for (attrs=signedattr; signedcount; attrs++, signedcount--) {
+		pk11_SignedToUnsigned(attrs);
+	} 
+        rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
+				 	templateCount, isToken, &objectID);
+	if (ckaId) {
+	    SECITEM_FreeItem(ckaId,PR_TRUE);
+	}
+	if ( rv != SECSuccess) {
+	    return CK_INVALID_HANDLE;
+	}
+    }
+
+    pubKey->pkcs11ID = objectID;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+
+    return objectID;
+}
+
+/*
+ * take an attribute and copy it into a secitem
+ */
+static CK_RV
+pk11_Attr2SecItem(PRArenaPool *arena, CK_ATTRIBUTE *attr, SECItem *item) 
+{
+    item->data = NULL;
+
+    (void)SECITEM_AllocItem(arena, item, attr->ulValueLen);
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    } 
+    PORT_Memcpy(item->data, attr->pValue, item->len);
+    return CKR_OK;
+}
+
+/*
+ * extract a public key from a slot and id
+ */
+SECKEYPublicKey *
+PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id)
+{
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    PRArenaPool *arena;
+    PRArenaPool *tmp_arena;
+    SECKEYPublicKey *pubKey;
+    int templateCount = 0;
+    CK_KEY_TYPE pk11KeyType;
+    CK_RV crv;
+    CK_ATTRIBUTE template[8];
+    CK_ATTRIBUTE *attrs= template;
+    CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value;
+    CK_ATTRIBUTE *ecparams;
+
+    /* if we didn't know the key type, get it */
+    if (keyType== nullKey) {
+
+        pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE);
+	if (pk11KeyType ==  CK_UNAVAILABLE_INFORMATION) {
+	    return NULL;
+	}
+	switch (pk11KeyType) {
+	case CKK_RSA:
+	    keyType = rsaKey;
+	    break;
+	case CKK_DSA:
+	    keyType = dsaKey;
+	    break;
+	case CKK_DH:
+	    keyType = dhKey;
+	    break;
+	case CKK_EC:
+	    keyType = ecKey;
+	    break;
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return NULL;
+	}
+    }
+
+
+    /* now we need to create space for the public key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+    tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (tmp_arena == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+
+    pubKey = (SECKEYPublicKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubKey == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	PORT_FreeArena (tmp_arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubKey->arena = arena;
+    pubKey->keyType = keyType;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    pubKey->pkcs11ID = id;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, 
+						sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, 
+						sizeof(pk11KeyType) ); attrs++;
+    switch (pubKey->keyType) {
+    case rsaKey:
+	modulus = attrs;
+	PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; 
+	exponent = attrs;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; 
+
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent);
+	if (crv != CKR_OK) break;
+	break;
+    case dsaKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	subprime = attrs;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value = attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case dhKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value =attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case ecKey:
+	pubKey->u.ec.size = 0;
+	ecparams = attrs;
+	PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); attrs++; 
+	value =attrs;
+	PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+
+	crv = pk11_Attr2SecItem(arena,ecparams,
+	                        &pubKey->u.ec.DEREncodedParams);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.ec.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case fortezzaKey:
+    case nullKey:
+    default:
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	break;
+    }
+
+    PORT_FreeArena(tmp_arena,PR_FALSE);
+
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return pubKey;
+}
+
+/*
+ * Build a Private Key structure from raw PKCS #11 information.
+ */
+SECKEYPrivateKey *
+PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
+			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
+{
+    PRArenaPool *arena;
+    SECKEYPrivateKey *privKey;
+    PRBool isPrivate;
+    SECStatus rv;
+
+    /* don't know? look it up */
+    if (keyType == nullKey) {
+	CK_KEY_TYPE pk11Type = CKK_RSA;
+
+	pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
+	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
+	switch (pk11Type) {
+	case CKK_RSA: keyType = rsaKey; break;
+	case CKK_DSA: keyType = dsaKey; break;
+	case CKK_DH: keyType = dhKey; break;
+	case CKK_KEA: keyType = fortezzaKey; break;
+	case CKK_EC: keyType = ecKey; break;
+	default:
+		break;
+	}
+    }
+
+    /* if the key is private, make sure we are authenticated to the
+     * token before we try to use it */
+    isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE);
+    if (isPrivate) {
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+ 	if (rv != SECSuccess) {
+ 	    return NULL;
+ 	}
+    }
+
+    /* now we need to create space for the private key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+
+    privKey = (SECKEYPrivateKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
+    if (privKey == NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+
+    privKey->arena = arena;
+    privKey->keyType = keyType;
+    privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    privKey->pkcs11ID = privID;
+    privKey->pkcs11IsTemp = isTemp;
+    privKey->wincx = wincx;
+
+    return privKey;
+}
+
+
+PK11SlotInfo *
+PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    slot = PK11_ReferenceSlot(slot);
+    return slot;
+}
+
+/*
+ * Get the modulus length for raw parsing
+ */
+int
+PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
+{
+    CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_RV crv;
+    int length;
+
+    switch (key->keyType) {
+    case rsaKey:
+	crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return -1;
+	}
+	length = theTemplate.ulValueLen;
+	if ( *(unsigned char *)theTemplate.pValue == 0) {
+	    length--;
+	}
+	if (theTemplate.pValue != NULL)
+	    PORT_Free(theTemplate.pValue);
+	return (int) length;
+	
+    case fortezzaKey:
+    case dsaKey:
+    case dhKey:
+    default:
+	break;
+    }
+    if (theTemplate.pValue != NULL)
+	PORT_Free(theTemplate.pValue);
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return -1;
+}
+
+
+
+/*
+ * take a private key in one pkcs11 module and load it into another:
+ *  NOTE: the source private key is a rare animal... it can't be sensitive.
+ *  This is used to do a key gen using one pkcs11 module and storing the
+ *  result into another.
+ */
+static SECKEYPrivateKey *
+pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) 
+{
+    CK_ATTRIBUTE privTemplate[] = {
+        /* class must be first */
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_KEY_TYPE, NULL, 0 },
+	{ CKA_ID, NULL, 0 },
+#ifdef notdef
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+#endif
+	/* RSA */
+	{ CKA_MODULUS, NULL, 0 },
+	{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+	{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	{ CKA_PRIME_1, NULL, 0 },
+	{ CKA_PRIME_2, NULL, 0 },
+	{ CKA_EXPONENT_1, NULL, 0 },
+	{ CKA_EXPONENT_2, NULL, 0 },
+	{ CKA_COEFFICIENT, NULL, 0 },
+	/* reserve space for the attributes that may be
+	 * specified in attrFlags */
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_MODIFIABLE, NULL, 0 },
+	{ CKA_SENSITIVE, NULL, 0 },
+	{ CKA_EXTRACTABLE, NULL, 0 },
+#define NUM_RESERVED_ATTRS 5    /* number of reserved attributes above */
+    };
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_ATTRIBUTE *attrs = NULL, *ap;
+    const int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    PRArenaPool *arena;
+    CK_OBJECT_HANDLE objectID;
+    int i, count = 0;
+    int extra_count = 0;
+    CK_RV crv;
+    SECStatus rv;
+    PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
+
+    if (pk11_BadAttrFlags(attrFlags)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    for (i=0; i < templateSize; i++) {
+	if (privTemplate[i].type == CKA_MODULUS) {
+	    attrs= &privTemplate[i];
+	    count = i;
+	    break;
+	}
+    }
+    PORT_Assert(attrs != NULL);
+    if (attrs == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+
+    ap = attrs;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+	count = templateSize - NUM_RESERVED_ATTRS;
+	extra_count = count - (attrs - privTemplate);
+	break;
+    case dsaKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_SUBPRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+    case dhKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+    case ecKey:
+	ap->type = CKA_EC_PARAMS; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+     default:
+	count = 0;
+	extra_count = 0;
+	break;
+     }
+
+     if (count == 0) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+     }
+
+     arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+     if (arena == NULL) return NULL;
+     /*
+      * read out the old attributes.
+      */
+     crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
+		privTemplate,count);
+     if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+     }
+
+     /* Set token, private, modifiable, sensitive, and extractable */
+     count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count],
+					&cktrue, &ckfalse);
+
+     /* Not everyone can handle zero padded key values, give
+      * them the raw data as unsigned */
+     for (ap=attrs; extra_count; ap++, extra_count--) {
+	pk11_SignedToUnsigned(ap);
+     }
+
+     /* now Store the puppies */
+     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, 
+						count, token, &objectID);
+     PORT_FreeArena(arena, PR_TRUE);
+     if (rv != SECSuccess) {
+	return NULL;
+     }
+
+     /* try loading the public key */
+     if (pubKey) {
+	PK11_ImportPublicKey(slot, pubKey, token);
+	if (pubKey->pkcs11Slot) {
+	    PK11_FreeSlot(pubKey->pkcs11Slot);
+	    pubKey->pkcs11Slot = NULL;
+	    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+	}
+     }
+
+     /* build new key structure */
+     return PK11_MakePrivKey(slot, privKey->keyType, !token, 
+						objectID, privKey->wincx);
+}
+
+static SECKEYPrivateKey *
+pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
+{
+    PK11AttrFlags attrFlags = 0;
+    if (token) {
+	attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
+    } else {
+	attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC);
+    }
+    if (sensitive) {
+	attrFlags |= PK11_ATTR_SENSITIVE;
+    } else {
+	attrFlags |= PK11_ATTR_INSENSITIVE;
+    }
+    return pk11_loadPrivKeyWithFlags(slot, privKey, pubKey, attrFlags);
+}
+
+/*
+ * export this for PSM
+ */
+SECKEYPrivateKey *
+PK11_LoadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
+{
+    return pk11_loadPrivKey(slot,privKey,pubKey,token,sensitive);
+}
+
+
+/*
+ * Use the token to generate a key pair.
+ */
+SECKEYPrivateKey *
+PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+   void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, 
+   CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx)
+{
+    /* we have to use these native types because when we call PKCS 11 modules
+     * we have to make sure that we are using the correct sizes for all the
+     * parameters. */
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_ULONG modulusBits;
+    CK_BYTE publicExponent[4];
+    CK_ATTRIBUTE privTemplate[] = {
+	{ CKA_SENSITIVE, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_PRIVATE,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_UNWRAP,  NULL, 0},
+	{ CKA_SIGN,  NULL, 0},
+	{ CKA_DECRYPT,  NULL, 0},
+	{ CKA_EXTRACTABLE, NULL, 0},
+	{ CKA_MODIFIABLE,  NULL, 0},
+    };
+    CK_ATTRIBUTE rsaPubTemplate[] = {
+	{ CKA_MODULUS_BITS, NULL, 0},
+	{ CKA_PUBLIC_EXPONENT, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+	{ CKA_MODIFIABLE,  NULL, 0},
+    };
+    CK_ATTRIBUTE dsaPubTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+	{ CKA_MODIFIABLE,  NULL, 0},
+    };
+    CK_ATTRIBUTE dhPubTemplate[] = {
+      { CKA_PRIME, NULL, 0 }, 
+      { CKA_BASE, NULL, 0 }, 
+      { CKA_TOKEN,  NULL, 0},
+      { CKA_DERIVE,  NULL, 0},
+      { CKA_WRAP,  NULL, 0},
+      { CKA_VERIFY,  NULL, 0},
+      { CKA_VERIFY_RECOVER,  NULL, 0},
+      { CKA_ENCRYPT,  NULL, 0},
+      { CKA_MODIFIABLE,  NULL, 0},
+    };
+    CK_ATTRIBUTE ecPubTemplate[] = {
+      { CKA_EC_PARAMS, NULL, 0 }, 
+      { CKA_TOKEN,  NULL, 0},
+      { CKA_DERIVE,  NULL, 0},
+      { CKA_WRAP,  NULL, 0},
+      { CKA_VERIFY,  NULL, 0},
+      { CKA_VERIFY_RECOVER,  NULL, 0},
+      { CKA_ENCRYPT,  NULL, 0},
+      { CKA_MODIFIABLE,  NULL, 0},
+    };
+    SECKEYECParams * ecParams;
+
+    /*CK_ULONG key_size = 0;*/
+    CK_ATTRIBUTE *pubTemplate;
+    int privCount = 0;
+    int pubCount = 0;
+    PK11RSAGenParams *rsaParams;
+    SECKEYPQGParams *dsaParams;
+    SECKEYDHParams * dhParams;
+    CK_MECHANISM mechanism;
+    CK_MECHANISM test_mech;
+    CK_MECHANISM test_mech2;
+    CK_SESSION_HANDLE session_handle;
+    CK_RV crv;
+    CK_OBJECT_HANDLE privID,pubID;
+    SECKEYPrivateKey *privKey;
+    KeyType keyType;
+    PRBool restore;
+    int peCount,i;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *privattrs;
+    CK_ATTRIBUTE setTemplate;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_OBJECT_CLASS keyClass;
+    SECItem *cka_id;
+    PRBool haslock = PR_FALSE;
+    PRBool pubIsToken = PR_FALSE;
+    PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
+    /* subset of attrFlags applicable to the public key */
+    PK11AttrFlags pubKeyAttrFlags = attrFlags &
+	(PK11_ATTR_TOKEN | PK11_ATTR_SESSION
+	| PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE);
+
+    if (pk11_BadAttrFlags(attrFlags)) {
+	PORT_SetError( SEC_ERROR_INVALID_ARGS );
+	return NULL;
+    }
+
+    /*
+     * The opFlags and opFlagMask parameters allow us to control the
+     * settings of the key usage attributes (CKA_ENCRYPT and friends).
+     * opFlagMask is set to one if the flag is specified in opFlags and 
+     *  zero if it is to take on a default value calculated by 
+     *  PK11_GenerateKeyPairWithOpFlags.
+     * opFlags specifies the actual value of the flag 1 or 0. 
+     *   Bits not corresponding to one bits in opFlagMask should be zero.
+     */
+
+    /* if we are trying to turn on a flag, it better be in the mask */
+    PORT_Assert ((opFlags & ~opFlagsMask) == 0);
+    opFlags &= opFlagsMask;
+
+    PORT_Assert(slot != NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE);
+	return NULL;
+    }
+
+    /* if our slot really doesn't do this mechanism, Generate the key
+     * in our internal token and write it out */
+    if (!PK11_DoesMechanism(slot,type)) {
+	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	/* don't loop forever looking for a slot */
+	if (slot == int_slot) {
+	    PK11_FreeSlot(int_slot);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+
+	/* if there isn't a suitable slot, then we can't do the keygen */
+	if (int_slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+	/* generate the temporary key to load */
+	privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, 
+							PR_FALSE, wincx);
+	PK11_FreeSlot(int_slot);
+
+	/* if successful, load the temp key into the new token */
+	if (privKey != NULL) {
+	    SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot,
+						privKey,*pubKey,attrFlags);
+	    SECKEY_DestroyPrivateKey(privKey);
+	    if (newPrivKey == NULL) {
+		SECKEY_DestroyPublicKey(*pubKey);
+		*pubKey = NULL;
+	    }
+	    return newPrivKey;
+	}
+	return NULL;
+   }
+
+
+    mechanism.mechanism = type;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    test_mech.pParameter = NULL;
+    test_mech.ulParameterLen = 0;
+    test_mech2.mechanism = CKM_INVALID_MECHANISM;
+    test_mech2.pParameter = NULL;
+    test_mech2.ulParameterLen = 0;
+
+    /* set up the private key template */
+    privattrs = privTemplate;
+    privattrs += pk11_AttrFlagsToAttributes(attrFlags, privattrs,
+						&cktrue, &ckfalse);
+
+    /* set up the mechanism specific info */
+    switch (type) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+    case CKM_RSA_X9_31_KEY_PAIR_GEN:
+	rsaParams = (PK11RSAGenParams *)param;
+	if (rsaParams->pe == 0) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return NULL;
+	}
+	modulusBits = rsaParams->keySizeInBits;
+	peCount = 0;
+
+	/* convert pe to a PKCS #11 string */
+	for (i=0; i < 4; i++) {
+	    if (peCount || (rsaParams->pe & 
+				((unsigned long)0xff000000L >> (i*8)))) {
+		publicExponent[peCount] = 
+				(CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff);
+		peCount++;
+	    }
+	}
+	PORT_Assert(peCount != 0);
+	attrs = rsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_MODULUS_BITS, 
+				&modulusBits, sizeof(modulusBits)); attrs++;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+				publicExponent, peCount);attrs++;
+	pubTemplate = rsaPubTemplate;
+	keyType = rsaKey;
+	test_mech.mechanism = CKM_RSA_PKCS;
+	break;
+    case CKM_DSA_KEY_PAIR_GEN:
+	dsaParams = (SECKEYPQGParams *)param;
+	attrs = dsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
+				dsaParams->prime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
+					dsaParams->subPrime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
+						dsaParams->base.len); attrs++;
+	pubTemplate = dsaPubTemplate;
+	keyType = dsaKey;
+	test_mech.mechanism = CKM_DSA;
+	break;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+        dhParams = (SECKEYDHParams *)param;
+        attrs = dhPubTemplate;
+        PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
+                      dhParams->prime.len);   attrs++;
+        PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
+                      dhParams->base.len);    attrs++;
+        pubTemplate = dhPubTemplate;
+        keyType = dhKey;
+        test_mech.mechanism = CKM_DH_PKCS_DERIVE;
+	break;
+    case CKM_EC_KEY_PAIR_GEN:
+        ecParams = (SECKEYECParams *)param;
+        attrs = ecPubTemplate;
+        PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, 
+	              ecParams->len);   attrs++;
+        pubTemplate = ecPubTemplate;
+        keyType = ecKey;
+	/*
+	 * ECC supports 2 different mechanism types (unlike RSA, which
+	 * supports different usages with the same mechanism).
+	 * We may need to query both mechanism types and or the results
+	 * together -- but we only do that if either the user has
+	 * requested both usages, or not specified any usages.
+	 */
+	if ((opFlags & (CKF_SIGN|CKF_DERIVE)) == (CKF_SIGN|CKF_DERIVE)) {
+	    /* We've explicitly turned on both flags, use both mechanism */
+	    test_mech.mechanism = CKM_ECDH1_DERIVE;
+	    test_mech2.mechanism = CKM_ECDSA;
+	} else if (opFlags & CKF_SIGN) {
+	    /* just do signing */
+	    test_mech.mechanism = CKM_ECDSA;
+	} else if (opFlags & CKF_DERIVE) {
+	    /* just do ECDH */
+	    test_mech.mechanism = CKM_ECDH1_DERIVE;
+	} else {
+	    /* neither was specified default to both */
+	    test_mech.mechanism = CKM_ECDH1_DERIVE;
+	    test_mech2.mechanism = CKM_ECDSA;
+	}
+        break;
+    default:
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return NULL;
+    }
+
+    /* now query the slot to find out how "good" a key we can generate */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+				test_mech.mechanism,&mechanism_info);
+    /*
+     * EC keys are used in multiple different types of mechanism, if we
+     * are using dual use keys, we need to query the second mechanism
+     * as well.
+     */
+    if (test_mech2.mechanism != CKM_INVALID_MECHANISM) {
+	CK_MECHANISM_INFO mechanism_info2;
+	CK_RV crv2;
+
+	if (crv != CKR_OK) {
+	    /* the first failed, make sure there is no trash in the
+	     * mechanism flags when we or it below */
+	    mechanism_info.flags = 0;
+	}
+	crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+				test_mech2.mechanism, &mechanism_info2);
+	if (crv2 == CKR_OK) {
+	    crv = CKR_OK; /* succeed if either mechnaism info succeeds */
+	    /* combine the 2 sets of mechnanism flags */
+	    mechanism_info.flags |= mechanism_info2.flags;
+	}
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
+	/* must be old module... guess what it should be... */
+	switch (test_mech.mechanism) {
+	case CKM_RSA_PKCS:
+	    mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | 
+		CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);
+	    break;
+	case CKM_DSA:
+	    mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
+	    break;
+	case CKM_DH_PKCS_DERIVE:
+	    mechanism_info.flags = CKF_DERIVE;
+	    break;
+	case CKM_ECDH1_DERIVE:
+	    mechanism_info.flags = CKF_DERIVE;
+	    if (test_mech2.mechanism == CKM_ECDSA) {
+		mechanism_info.flags |= CKF_SIGN | CKF_VERIFY;
+	    }
+	    break;
+	case CKM_ECDSA:
+	    mechanism_info.flags =  CKF_SIGN | CKF_VERIFY;
+	    break;
+	default:
+	    break;
+	}
+    }
+    /* now adjust our flags according to the user's key usage passed to us */
+    mechanism_info.flags = (mechanism_info.flags & (~opFlagsMask)) | opFlags;
+    /* set the public key attributes */
+    attrs += pk11_AttrFlagsToAttributes(pubKeyAttrFlags, attrs,
+						&cktrue, &ckfalse);
+    PK11_SETATTRS(attrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_WRAP, 
+		mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY, 
+		mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, 
+		mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_ENCRYPT, 
+		mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    /* set the private key attributes */
+    PK11_SETATTRS(privattrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_UNWRAP, 
+		mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_SIGN, 
+		mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_DECRYPT, 
+		mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+
+    if (token) {
+	session_handle = PK11_GetRWSession(slot);
+	haslock = PK11_RWSessionHasLock(slot,session_handle);
+	restore = PR_TRUE;
+    } else {
+	session_handle = slot->session;
+	if (session_handle != CK_INVALID_SESSION)
+	    PK11_EnterSlotMonitor(slot);
+	restore = PR_FALSE;
+	haslock = PR_TRUE;
+    }
+
+    if (session_handle == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return NULL;
+    }
+    privCount = privattrs - privTemplate;
+    pubCount = attrs - pubTemplate;
+    crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
+	pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID);
+
+    if (crv != CKR_OK) {
+	if (restore)  {
+	    PK11_RestoreROSession(slot,session_handle);
+	} else PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    /* This locking code is dangerous and needs to be more thought
+     * out... the real problem is that we're holding the mutex open this long
+     */
+    if (haslock) { PK11_ExitSlotMonitor(slot); }
+
+    /* swap around the ID's for older PKCS #11 modules */
+    keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS);
+    if (keyClass != CKO_PUBLIC_KEY) {
+	CK_OBJECT_HANDLE tmp = pubID;
+	pubID = privID;
+	privID = tmp;
+    }
+
+    *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
+    if (*pubKey == NULL) {
+	if (restore)  {
+	    /* we may have to restore the mutex so it get's exited properly
+	     * in RestoreROSession */
+            if (haslock)  PK11_EnterSlotMonitor(slot); 
+	    PK11_RestoreROSession(slot,session_handle);
+	} 
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	return NULL;
+    }
+
+    /* set the ID to the public key so we can find it again */
+    cka_id = pk11_MakeIDFromPublicKey(*pubKey);
+    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
+
+    PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
+
+    if (haslock) { PK11_EnterSlotMonitor(slot); }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
+		&setTemplate, 1);
+   
+    if (crv == CKR_OK && pubIsToken) {
+    	crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
+		&setTemplate, 1);
+    }
+
+
+    if (restore) {
+	PK11_RestoreROSession(slot,session_handle);
+    } else {
+	PK11_ExitSlotMonitor(slot);
+    }
+    SECITEM_FreeItem(cka_id,PR_TRUE);
+
+
+    if (crv != CKR_OK) {
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	PORT_SetError( PK11_MapError(crv) );
+	*pubKey = NULL;
+	return NULL;
+    }
+
+    privKey = PK11_MakePrivKey(slot,keyType,!token,privID,wincx);
+    if (privKey == NULL) {
+	SECKEY_DestroyPublicKey(*pubKey);
+	PK11_DestroyObject(slot,privID);
+	*pubKey = NULL;
+	return NULL;
+    }
+
+    return privKey;
+}
+
+SECKEYPrivateKey *
+PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+   void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx)
+{
+    return PK11_GenerateKeyPairWithOpFlags(slot,type,param,pubKey,attrFlags,
+					   0, 0, wincx);
+}
+
+/*
+ * Use the token to generate a key pair.
+ */
+SECKEYPrivateKey *
+PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+   void *param, SECKEYPublicKey **pubKey, PRBool token, 
+					PRBool sensitive, void *wincx)
+{
+    PK11AttrFlags attrFlags = 0;
+
+    if (token) {
+	attrFlags |= PK11_ATTR_TOKEN;
+    } else {
+	attrFlags |= PK11_ATTR_SESSION;
+    }
+    if (sensitive) {
+	attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
+    } else {
+	attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
+    }
+    return PK11_GenerateKeyPairWithFlags(slot, type, param, pubKey,
+						attrFlags, wincx);
+}
+
+/* build a public KEA key from the public value */
+SECKEYPublicKey *
+PK11_MakeKEAPubKey(unsigned char *keyData,int length)
+{
+    SECKEYPublicKey *pubk;
+    SECItem pkData;
+    SECStatus rv;
+    PRArenaPool *arena;
+
+    pkData.data = keyData;
+    pkData.len = length;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	return NULL;
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubk->arena = arena;
+    pubk->pkcs11Slot = 0;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+    pubk->keyType = fortezzaKey;
+    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
+    if (rv != SECSuccess) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+    return pubk;
+}
+
+SECStatus 
+PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
+			SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+			SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+			PRBool isPrivate, KeyType keyType, 
+			unsigned int keyUsage, void *wincx)
+{
+    CK_MECHANISM_TYPE pbeMechType;
+    SECItem *crypto_param = NULL;
+    PK11SymKey *key = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM_TYPE cryptoMechType;
+    SECKEYPrivateKey *privKey = NULL;
+    PRBool faulty3DES = PR_FALSE;
+    int usageCount = 0;
+    CK_KEY_TYPE key_type;
+    CK_ATTRIBUTE_TYPE *usage = NULL;
+    CK_ATTRIBUTE_TYPE rsaUsage[] = {
+		 CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
+    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
+    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
+    CK_ATTRIBUTE_TYPE ecUsage[] = { CKA_SIGN, CKA_DERIVE };
+    if((epki == NULL) || (pwitem == NULL))
+	return SECFailure;
+
+    pbeMechType = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
+					&epki->algorithm.algorithm));
+
+    switch (keyType) {
+    default:
+    case rsaKey:
+	key_type = CKK_RSA;
+	switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
+	case KU_KEY_ENCIPHERMENT:
+	    usage = rsaUsage;
+	    usageCount = 2;
+	    break;
+	case KU_DIGITAL_SIGNATURE:
+	    usage = &rsaUsage[2];
+	    usageCount = 2;
+	    break;
+	case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
+	case 0: /* default to everything */
+	    usage = rsaUsage;
+	    usageCount = 4;
+	    break;
+	}
+        break;
+    case dhKey:
+	key_type = CKK_DH;
+	usage = dhUsage;
+	usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
+	break;
+    case dsaKey:
+	key_type = CKK_DSA;
+	usage = dsaUsage;
+	usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
+	break;
+    case ecKey:
+	key_type = CKK_EC;
+	switch  (keyUsage & (KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) {
+	case KU_DIGITAL_SIGNATURE:
+	    usage = ecUsage;
+	    usageCount = 1;
+	    break;
+	case KU_KEY_AGREEMENT:
+	    usage = &ecUsage[1];
+	    usageCount = 1;
+	    break;
+	case KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT:
+	default: /* default to everything */
+	    usage = ecUsage;
+	    usageCount = 2;
+	    break;
+	}
+	break;	
+    }
+
+try_faulty_3des:
+
+    key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx);
+    if (key == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    cryptoMechType = pk11_GetPBECryptoMechanism(&epki->algorithm,
+					 &crypto_param, pwitem, faulty3DES);
+    if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	rv = SECFailure;
+	goto done;
+    }
+
+
+    cryptoMechType = PK11_GetPadMechanism(cryptoMechType);
+
+    PORT_Assert(usage != NULL);
+    PORT_Assert(usageCount != 0);
+    privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, 
+				 crypto_param, &epki->encryptedData, 
+				 nickname, publicValue, isPerm, isPrivate,
+				 key_type, usage, usageCount, wincx);
+    if(privKey) {
+	SECKEY_DestroyPrivateKey(privKey);
+	privKey = NULL;
+	rv = SECSuccess;
+	goto done;
+    }
+
+    /* if we are unable to import the key and the pbeMechType is 
+     * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
+     * the encrypted blob was created with a buggy key generation method
+     * which is described in the PKCS 12 implementation notes.  So we
+     * need to try importing via that method.
+     */ 
+    if((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
+	/* clean up after ourselves before redoing the key generation. */
+
+	PK11_FreeSymKey(key);
+	key = NULL;
+
+	if(crypto_param) {
+	    SECITEM_ZfreeItem(crypto_param, PR_TRUE);
+	    crypto_param = NULL;
+	}
+
+	faulty3DES = PR_TRUE;
+	goto try_faulty_3des;
+    }
+
+    /* key import really did fail */
+    rv = SECFailure;
+
+done:
+    if(crypto_param != NULL) {
+	SECITEM_ZfreeItem(crypto_param, PR_TRUE);
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+
+    return rv;
+}
+
+SECKEYPrivateKeyInfo *
+PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
+{
+    return NULL;
+}
+
+SECKEYEncryptedPrivateKeyInfo * 
+PK11_ExportEncryptedPrivKeyInfo(
+   PK11SlotInfo     *slot,      /* optional, encrypt key in this slot */
+   SECOidTag         algTag,    /* encrypt key with this algorithm */
+   SECItem          *pwitem,    /* password for PBE encryption */
+   SECKEYPrivateKey *pk,        /* encrypt this private key */
+   int               iteration, /* interations for PBE alg */
+   void             *wincx)     /* context for password callback ? */
+{
+    SECKEYEncryptedPrivateKeyInfo *epki      = NULL;
+    PRArenaPool                   *arena     = NULL;
+    SECAlgorithmID                *algid;
+    SECOidTag			  pbeAlgTag = SEC_OID_UNKNOWN;
+    SECItem                       *crypto_param = NULL;
+    PK11SymKey                    *key       = NULL;
+    SECKEYPrivateKey		  *tmpPK = NULL;
+    SECStatus                      rv        = SECSuccess;
+    CK_RV                          crv;
+    CK_ULONG                       encBufLen;
+    CK_MECHANISM_TYPE              pbeMechType;
+    CK_MECHANISM_TYPE              cryptoMechType;
+    CK_MECHANISM                   cryptoMech;
+
+    if (!pwitem || !pk) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    algid = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, SEC_OID_UNKNOWN,
+				&pbeAlgTag, 0, NULL, iteration);
+    if (algid == NULL) {
+	return NULL;
+    }
+
+    arena = PORT_NewArena(2048);
+    if (arena)
+	epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo);
+    if(epki == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    epki->arena = arena;
+
+
+    /* if we didn't specify a slot, use the slot the private key was in */
+    if (!slot) {
+	slot = pk->pkcs11Slot;
+    }
+
+    /* if we specified a different slot, and the private key slot can do the
+     * pbe key gen, generate the key in the private key slot so we don't have 
+     * to move it later */
+    pbeMechType = PK11_AlgtagToMechanism(pbeAlgTag);
+    if (slot != pk->pkcs11Slot) {
+	if (PK11_DoesMechanism(pk->pkcs11Slot,pbeMechType)) {
+	    slot = pk->pkcs11Slot;
+	}
+    }
+    key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx);
+    if (key == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    cryptoMechType = PK11_GetPBECryptoMechanism(algid, &crypto_param, pwitem);
+    if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMechType);
+    cryptoMech.pParameter = crypto_param ? crypto_param->data : NULL;
+    cryptoMech.ulParameterLen = crypto_param ? crypto_param->len : 0;
+
+    /* If the key isn't in the private key slot, move it */
+    if (key->slot != pk->pkcs11Slot) {
+	PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot,
+						key->type, CKA_WRAP, key);
+	if (newkey == NULL) {
+            /* couldn't import the wrapping key, try exporting the
+             * private key */
+	    tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE);
+	    if (tmpPK == NULL) {
+		rv = SECFailure;
+		goto loser;
+	    }
+	    pk = tmpPK;
+	} else {
+	    /* free the old key and use the new key */
+	    PK11_FreeSymKey(key);
+	    key = newkey;
+	}
+    }
+    	
+    /* we are extracting an encrypted privateKey structure.
+     * which needs to be freed along with the buffer into which it is
+     * returned.  eventually, we should retrieve an encrypted key using
+     * pkcs8/pkcs5.
+     */
+    encBufLen = 0;
+    PK11_EnterSlotMonitor(pk->pkcs11Slot);
+    crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, 
+    		&cryptoMech, key->objectID, pk->pkcs11ID, NULL, 
+		&encBufLen); 
+    PK11_ExitSlotMonitor(pk->pkcs11Slot);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    epki->encryptedData.data = PORT_ArenaAlloc(arena, encBufLen);
+    if (!epki->encryptedData.data) {
+	rv = SECFailure;
+	goto loser;
+    }
+    PK11_EnterSlotMonitor(pk->pkcs11Slot);
+    crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, 
+    		&cryptoMech, key->objectID, pk->pkcs11ID, 
+		epki->encryptedData.data, &encBufLen); 
+    PK11_ExitSlotMonitor(pk->pkcs11Slot);
+    epki->encryptedData.len = (unsigned int) encBufLen;
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(!epki->encryptedData.len) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
+
+loser:
+    if(crypto_param != NULL) {
+	SECITEM_ZfreeItem(crypto_param, PR_TRUE);
+	crypto_param = NULL;
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+    if (tmpPK != NULL) {
+	SECKEY_DestroyPrivateKey(tmpPK);
+    }
+    SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+
+    if(rv == SECFailure) {
+	if(arena != NULL) {
+	    PORT_FreeArena(arena, PR_TRUE);
+	}
+	epki = NULL;
+    }
+
+    return epki;
+}
+
+SECKEYEncryptedPrivateKeyInfo * 
+PK11_ExportEncryptedPrivateKeyInfo(
+   PK11SlotInfo    *slot,      /* optional, encrypt key in this slot */
+   SECOidTag        algTag,    /* encrypt key with this algorithm */
+   SECItem         *pwitem,    /* password for PBE encryption */
+   CERTCertificate *cert,      /* wrap priv key for this user cert */
+   int              iteration, /* interations for PBE alg */
+   void            *wincx)     /* context for password callback ? */
+{
+    SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+    SECKEYPrivateKey              *pk   = PK11_FindKeyByAnyCert(cert, wincx);
+    if (pk != NULL) {
+	epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, 
+	                                       iteration, wincx);
+	SECKEY_DestroyPrivateKey(pk);
+    }
+    return epki;
+}
+
+SECItem*
+PK11_DEREncodePublicKey(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki=NULL;
+    SECItem *spkiDER = NULL;
+
+    if( pubk == NULL ) {
+        return NULL;
+    }
+
+    /* get the subjectpublickeyinfo */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if( spki == NULL ) {
+        goto finish;
+    }
+
+    /* DER-encode the subjectpublickeyinfo */
+    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+                    CERT_SubjectPublicKeyInfoTemplate);
+
+finish:
+    return spkiDER;
+}
+
+char *
+PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey)
+{
+    return PK11_GetObjectNickname(privKey->pkcs11Slot,privKey->pkcs11ID);
+}
+
+char *
+PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey)
+{
+    return PK11_GetObjectNickname(pubKey->pkcs11Slot,pubKey->pkcs11ID);
+}
+
+SECStatus
+PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(privKey->pkcs11Slot,
+					privKey->pkcs11ID,nickname);
+}
+
+SECStatus
+PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(pubKey->pkcs11Slot,
+					pubKey->pkcs11ID,nickname);
+}
+
+SECKEYPQGParams *
+PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey)
+{
+    CK_ATTRIBUTE pTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+    };
+    int pTemplateLen = sizeof(pTemplate)/sizeof(pTemplate[0]);
+    PRArenaPool *arena = NULL;
+    SECKEYPQGParams *params;
+    CK_RV crv;
+
+
+    arena = PORT_NewArena(2048);
+    if (arena == NULL) {
+	goto loser;
+    }
+    params=(SECKEYPQGParams *)PORT_ArenaZAlloc(arena,sizeof(SECKEYPQGParams));
+    if (params == NULL) {
+	goto loser;
+    }
+
+    crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, 
+						pTemplate, pTemplateLen);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    params->arena = arena;
+    params->prime.data = pTemplate[0].pValue;
+    params->prime.len = pTemplate[0].ulValueLen;
+    params->subPrime.data = pTemplate[1].pValue;
+    params->subPrime.len = pTemplate[1].ulValueLen;
+    params->base.data = pTemplate[2].pValue;
+    params->base.len = pTemplate[2].ulValueLen;
+
+    return params;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+    }
+    return NULL;
+}
+
+SECKEYPrivateKey*
+PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
+				      SECKEYPrivateKey *privKey)
+{
+    CK_RV             crv;
+    CK_OBJECT_HANDLE  newKeyID;
+
+    static const CK_BBOOL     ckfalse = CK_FALSE;
+    static const CK_ATTRIBUTE template[1] = { 
+       { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse }
+    };
+
+    if (destSlot && destSlot != privKey->pkcs11Slot) {
+	SECKEYPrivateKey *newKey =
+	       pk11_loadPrivKey(destSlot, 
+				privKey, 
+			        NULL,     /* pubKey    */
+			        PR_FALSE, /* token     */
+			        PR_FALSE);/* sensitive */
+	if (newKey)
+	    return newKey;
+    }
+    destSlot = privKey->pkcs11Slot;
+    PK11_Authenticate(destSlot, PR_TRUE, privKey->wincx);
+    PK11_EnterSlotMonitor(destSlot);
+    crv = PK11_GETTAB(destSlot)->C_CopyObject(	destSlot->session, 
+						privKey->pkcs11ID,
+						(CK_ATTRIBUTE *)template, 
+						1, &newKeyID);
+    PK11_ExitSlotMonitor(destSlot);
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, 
+			    newKeyID, privKey->wincx);
+}
+
+SECKEYPrivateKey*
+PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx)
+{
+    PK11SlotInfo* slot = privk->pkcs11Slot;
+    CK_ATTRIBUTE template[1];
+    CK_ATTRIBUTE *attrs = template;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_RV crv;
+    CK_OBJECT_HANDLE newKeyID;
+    CK_SESSION_HANDLE rwsession;
+
+    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
+
+    PK11_Authenticate(slot, PR_TRUE, wincx);
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return NULL;
+    }
+    crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, privk->pkcs11ID,
+        template, 1, &newKeyID);
+    PK11_RestoreROSession(slot, rwsession);
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return NULL;
+    }
+
+    return PK11_MakePrivKey(slot, nullKey /*KeyType*/, PR_FALSE /*isTemp*/,
+        newKeyID, NULL /*wincx*/);
+}
+
+/*
+ * destroy a private key if there are no matching certs.
+ * this function also frees the privKey structure.
+ */
+SECStatus
+PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force)
+{
+    CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey);
+    SECStatus rv = SECWouldBlock;
+
+    if (!cert || force) {
+	/* now, then it's safe for the key to go away */
+	rv = PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID);
+    }
+    if (cert) {
+	CERT_DestroyCertificate(cert);
+    }
+    SECKEY_DestroyPrivateKey(privKey);
+    return rv;
+}
+
+/*
+ * destroy a private key if there are no matching certs.
+ * this function also frees the privKey structure.
+ */
+SECStatus
+PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey)
+{
+    /* now, then it's safe for the key to go away */
+    if (pubKey->pkcs11Slot == NULL) {
+	return SECFailure;
+    }
+    PK11_DestroyTokenObject(pubKey->pkcs11Slot,pubKey->pkcs11ID);
+    SECKEY_DestroyPublicKey(pubKey);
+    return SECSuccess;
+}
+
+/*
+ * key call back structure.
+ */
+typedef struct pk11KeyCallbackStr {
+	SECStatus (* callback)(SECKEYPrivateKey *,void *);
+	void *callbackArg;
+	void *wincx;
+} pk11KeyCallback;
+
+/*
+ * callback to map Object Handles to Private Keys;
+ */
+SECStatus
+pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg)
+{
+    SECStatus rv = SECSuccess;
+    SECKEYPrivateKey *privKey;
+    pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
+    if (!arg) {
+        return SECFailure;
+    }
+
+    privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx);
+
+    if (privKey == NULL) {
+	return SECFailure;
+    }
+
+    if (keycb->callback) {
+	rv = (*keycb->callback)(privKey,keycb->callbackArg);
+    }
+
+    SECKEY_DestroyPrivateKey(privKey);	    
+    return rv;
+}
+
+/***********************************************************************
+ * PK11_TraversePrivateKeysInSlot
+ *
+ * Traverses all the private keys on a slot.
+ *
+ * INPUTS
+ *      slot
+ *          The PKCS #11 slot whose private keys you want to traverse.
+ *      callback
+ *          A callback function that will be called for each key.
+ *      arg
+ *          An argument that will be passed to the callback function.
+ */
+SECStatus
+PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg)
+{
+    pk11KeyCallback perKeyCB;
+    pk11TraverseSlot perObjectCB;
+    CK_OBJECT_CLASS privkClass = CKO_PRIVATE_KEY;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_ATTRIBUTE theTemplate[2];
+    int templateSize = 2;
+
+    theTemplate[0].type = CKA_CLASS;
+    theTemplate[0].pValue = &privkClass;
+    theTemplate[0].ulValueLen = sizeof(privkClass);
+    theTemplate[1].type = CKA_TOKEN;
+    theTemplate[1].pValue = &ckTrue;
+    theTemplate[1].ulValueLen = sizeof(ckTrue);
+
+    if(slot==NULL) {
+        return SECSuccess;
+    }
+
+    perObjectCB.callback = pk11_DoKeys;
+    perObjectCB.callbackArg = &perKeyCB;
+    perObjectCB.findTemplate = theTemplate;
+    perObjectCB.templateCount = templateSize;
+    perKeyCB.callback = callback;
+    perKeyCB.callbackArg = arg;
+    perKeyCB.wincx = NULL;
+
+    return PK11_TraverseSlot(slot, &perObjectCB);
+}
+
+/*
+ * return the private key with the given ID
+ */
+CK_OBJECT_HANDLE
+pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID)
+{
+    CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+
+    PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey));
+
+    return pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+} 
+
+
+SECKEYPrivateKey *
+PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+    SECKEYPrivateKey *privKey;
+
+    keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	return NULL;
+    }
+    privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
+    return privKey;
+}
+
+/*
+ * Generate a CKA_ID from the relevant public key data. The CKA_ID is generated
+ * from the pubKeyData by SHA1_Hashing it to produce a smaller CKA_ID (to make
+ * smart cards happy.
+ */
+SECItem *
+PK11_MakeIDFromPubKey(SECItem *pubKeyData) 
+{
+    PK11Context *context;
+    SECItem *certCKA_ID;
+    SECStatus rv;
+
+    if (pubKeyData->len <= SHA1_LENGTH) {
+	/* probably an already hashed value. The strongest known public
+	 * key values <= 160 bits would be less than 40 bit symetric in
+	 * strength. Don't hash them, just return the value. There are
+	 * none at the time of this writing supported by previous versions
+	 * of NSS, so change is binary compatible safe */
+	return SECITEM_DupItem(pubKeyData);
+    }
+
+    context = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (context == NULL) {
+	return NULL;
+    }
+
+    rv = PK11_DigestBegin(context);
+    if (rv == SECSuccess) {
+    	rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len);
+    }
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (certCKA_ID == NULL) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    certCKA_ID->len = SHA1_LENGTH;
+    certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len);
+    if (certCKA_ID->data == NULL) {
+	PORT_Free(certCKA_ID);
+	PK11_DestroyContext(context,PR_TRUE);
+        return NULL;
+    }
+
+    rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len,
+								SHA1_LENGTH);
+    PK11_DestroyContext(context,PR_TRUE);
+    if (rv != SECSuccess) {
+    	SECITEM_FreeItem(certCKA_ID,PR_TRUE);
+	return NULL;
+    }
+
+    return certCKA_ID;
+}
+
+/* Looking for PK11_GetKeyIDFromPrivateKey?
+ * Call PK11_GetLowLevelKeyIDForPrivateKey instead.
+ */
+
+
+SECItem *
+PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey)
+{
+    return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot,privKey->pkcs11ID);
+}
+
+static SECStatus
+privateKeyListCallback(SECKEYPrivateKey *key, void *arg)
+{
+    SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList*)arg;
+    return SECKEY_AddPrivateKeyToListTail(list, SECKEY_CopyPrivateKey(key));
+}
+
+SECKEYPrivateKeyList*
+PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot)
+{
+    SECStatus status;
+    SECKEYPrivateKeyList *keys;
+
+    keys = SECKEY_NewPrivateKeyList();
+    if(keys == NULL) return NULL;
+
+    status = PK11_TraversePrivateKeysInSlot(slot, privateKeyListCallback,
+		(void*)keys);
+
+    if( status != SECSuccess ) {
+	SECKEY_DestroyPrivateKeyList(keys);
+	keys = NULL;
+    }
+
+    return keys;
+}
+
+SECKEYPublicKeyList*
+PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_PUBLIC_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    SECKEYPublicKeyList *keys;
+    int i,len;
+
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname);
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+    keys = SECKEY_NewPublicKeyList();
+    if (keys == NULL) {
+	PORT_Free(key_ids);
+	return NULL;
+    }
+
+    for (i=0; i < objCount ; i++) {
+	SECKEYPublicKey *pubKey = 
+				PK11_ExtractPublicKey(slot,nullKey,key_ids[i]);
+	if (pubKey) {
+	    SECKEY_AddPublicKeyToListTail(keys, pubKey);
+	}
+   }
+
+   PORT_Free(key_ids);
+   return keys;
+}
+
+SECKEYPrivateKeyList*
+PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    SECKEYPrivateKeyList *keys;
+    int i,len;
+
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname);
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+    keys = SECKEY_NewPrivateKeyList();
+    if (keys == NULL) {
+	PORT_Free(key_ids);
+	return NULL;
+    }
+
+    for (i=0; i < objCount ; i++) {
+	SECKEYPrivateKey *privKey = 
+		PK11_MakePrivKey(slot,nullKey,PR_TRUE,key_ids[i],wincx);
+	SECKEY_AddPrivateKeyToListTail(keys, privKey);
+   }
+
+   PORT_Free(key_ids);
+   return keys;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11auth.c b/security/nss/lib/pk11wrap/pk11auth.c
new file mode 100644
index 000000000..c957d1b46
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11auth.c
@@ -0,0 +1,784 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file deals with PKCS #11 passwords and authentication.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "secerr.h"
+
+#include "pkim.h" 
+
+
+/*************************************************************
+ * local static and global data
+ *************************************************************/
+/*
+ * This structure keeps track of status that spans all the Slots.
+ * NOTE: This is a global data structure. It semantics expect thread crosstalk
+ * be very careful when you see it used. 
+ *  It's major purpose in life is to allow the user to log in one PER 
+ * Tranaction, even if a transaction spans threads. The problem is the user
+ * may have to enter a password one just to be able to look at the 
+ * personalities/certificates (s)he can use. Then if Auth every is one, they
+ * may have to enter the password again to use the card. See PK11_StartTransac
+ * and PK11_EndTransaction.
+ */
+static struct PK11GlobalStruct {
+   int transaction;
+   PRBool inTransaction;
+   char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
+   PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
+   PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
+} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
+ 
+/***********************************************************
+ * Password Utilities
+ ***********************************************************/
+/*
+ * Check the user's password. Log into the card if it's correct.
+ * succeed if the user is already logged in.
+ */
+SECStatus
+pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
+{
+    int len = 0;
+    CK_RV crv;
+    SECStatus rv;
+    int64 currtime = PR_Now();
+    PRBool mustRetry;
+    int retry = 0;
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	pw = NULL;
+    } else if (pw == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } else {
+	len = PORT_Strlen(pw);
+    }
+
+    do {
+	PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+						(unsigned char *)pw,len);
+	slot->lastLoginCheck = 0;
+	mustRetry = PR_FALSE;
+	PK11_ExitSlotMonitor(slot);
+	switch (crv) {
+	/* if we're already logged in, we're good to go */
+	case CKR_OK:
+	    slot->authTransact = PK11_Global.transaction;
+	    /* Fall through */
+	case CKR_USER_ALREADY_LOGGED_IN:
+	    slot->authTime = currtime;
+	    rv = SECSuccess;
+	    break;
+	case CKR_PIN_INCORRECT:
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	    break;
+	/* someone called reset while we fetched the password, try again once
+	 * if the token is still there. */
+	case CKR_SESSION_HANDLE_INVALID:
+	case CKR_SESSION_CLOSED:
+	    if (retry++ == 0) {
+		rv = PK11_InitToken(slot,PR_FALSE);
+		if (rv == SECSuccess) {
+		    if (slot->session != CK_INVALID_SESSION) {
+			mustRetry = PR_TRUE;
+		    } else {
+			PORT_SetError(PK11_MapError(crv));
+			rv = SECFailure;
+		    }
+		}
+		break;
+	    }
+	    /* Fall through */
+	default:
+	    PORT_SetError(PK11_MapError(crv));
+	    rv = SECFailure; /* some failure we can't fix by retrying */
+	}
+    } while (mustRetry);
+    return rv;
+}
+
+/*
+ * Check the user's password. Logout before hand to make sure that
+ * we are really checking the password.
+ */
+SECStatus
+PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw)
+{
+    int len = 0;
+    CK_RV crv;
+    SECStatus rv;
+    int64 currtime = PR_Now();
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	pw = NULL;
+    } else if (pw == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } else {
+	len = PORT_Strlen(pw);
+    }
+
+    /* force a logout */
+    PK11_EnterSlotMonitor(slot);
+    PK11_GETTAB(slot)->C_Logout(slot->session);
+
+    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+					(unsigned char *)pw,len);
+    slot->lastLoginCheck = 0;
+    PK11_ExitSlotMonitor(slot);
+    switch (crv) {
+    /* if we're already logged in, we're good to go */
+    case CKR_OK:
+	slot->authTransact = PK11_Global.transaction;
+	slot->authTime = currtime;
+	rv = SECSuccess;
+	break;
+    case CKR_PIN_INCORRECT:
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	break;
+    default:
+	PORT_SetError(PK11_MapError(crv));
+	rv = SECFailure; /* some failure we can't fix by retrying */
+    }
+    return rv;
+}
+
+SECStatus
+PK11_Logout(PK11SlotInfo *slot)
+{
+    CK_RV crv;
+
+    /* force a logout */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_Logout(slot->session);
+    slot->lastLoginCheck = 0;
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return  SECSuccess;
+}
+
+/*
+ * transaction stuff is for when we test for the need to do every
+ * time auth to see if we already did it for this slot/transaction
+ */
+void PK11_StartAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_TRUE;
+}
+
+void PK11_EndAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_FALSE;
+}
+
+/*
+ * before we do a private key op, we check to see if we
+ * need to reauthenticate.
+ */
+void
+PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
+{
+    int askpw = slot->askpw;
+    PRBool NeedAuth = PR_FALSE;
+
+    if (!slot->needLogin) return;
+
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    askpw = def_slot->askpw;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+
+    /* timeouts are handled by isLoggedIn */
+    if (!PK11_IsLoggedIn(slot,wincx)) {
+	NeedAuth = PR_TRUE;
+    } else if (askpw == -1) {
+	if (!PK11_Global.inTransaction	||
+			 (PK11_Global.transaction != slot->authTransact)) {
+    	    PK11_EnterSlotMonitor(slot);
+	    PK11_GETTAB(slot)->C_Logout(slot->session);
+	    slot->lastLoginCheck = 0;
+    	    PK11_ExitSlotMonitor(slot);
+	    NeedAuth = PR_TRUE;
+	}
+    }
+    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
+}
+
+void
+PK11_SlotDBUpdate(PK11SlotInfo *slot)
+{
+    SECMOD_UpdateModule(slot->module);
+}
+
+/*
+ * set new askpw and timeout values
+ */
+void
+PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
+{
+        slot->askpw = askpw;
+        slot->timeout = timeout;
+        slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+        PK11_SlotDBUpdate(slot);
+}
+
+/*
+ * Get the askpw and timeout values for this slot
+ */
+void
+PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
+{
+    *askpw = slot->askpw;
+    *timeout = slot->timeout;
+
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    *askpw = def_slot->askpw;
+	    *timeout = def_slot->timeout;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+}
+
+/*
+ * Returns true if the token is needLogin and isn't logged in.
+ * This function is used to determine if authentication is needed
+ * before attempting a potentially privelleged operation.
+ */
+PRBool
+pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx)
+{
+    return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
+}
+
+/*
+ * make sure a slot is authenticated...
+ * This function only does the authentication if it is needed.
+ */
+SECStatus
+PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
+    if (pk11_LoginStillRequired(slot,wincx)) {
+	return PK11_DoPassword(slot,loadCerts,wincx);
+    }
+    return SECSuccess;
+}
+
+/*
+ * Authenticate to "unfriendly" tokens (tokens which need to be logged
+ * in to find the certs.
+ */
+SECStatus
+pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
+{
+    SECStatus rv = SECSuccess;
+    if (!PK11_IsFriendly(slot)) {
+	rv = PK11_Authenticate(slot, loadCerts, wincx);
+    }
+    return rv;
+}
+
+
+/*
+ * NOTE: this assumes that we are logged out of the card before hand
+ */
+SECStatus
+PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
+{
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int len = 0;
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return rv;
+    }
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	ssopw = NULL;
+    } else if (ssopw == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } else {
+	len = PORT_Strlen(ssopw);
+    }
+
+    /* check the password */
+    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
+						(unsigned char *)ssopw,len);
+    slot->lastLoginCheck = 0;
+    switch (crv) {
+    /* if we're already logged in, we're good to go */
+    case CKR_OK:
+	rv = SECSuccess;
+	break;
+    case CKR_PIN_INCORRECT:
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	break;
+    default:
+	PORT_SetError(PK11_MapError(crv));
+	rv = SECFailure; /* some failure we can't fix by retrying */
+    }
+    PK11_GETTAB(slot)->C_Logout(rwsession);
+    slot->lastLoginCheck = 0;
+
+    /* release rwsession */
+    PK11_RestoreROSession(slot,rwsession);
+    return rv;
+}
+
+/*
+ * make sure the password conforms to your token's requirements.
+ */
+SECStatus
+PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
+{
+    int len = PORT_Strlen(pw);
+
+    if ((slot->minPassword > len) || (slot->maxPassword < len)) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * initialize a user PIN Value
+ */
+SECStatus
+PK11_InitPin(PK11SlotInfo *slot, const char *ssopw, const char *userpw)
+{
+    CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int len;
+    int ssolen;
+
+    if (userpw == NULL) userpw = "";
+    if (ssopw == NULL) ssopw = "";
+
+    len = PORT_Strlen(userpw);
+    ssolen = PORT_Strlen(ssopw);
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+	slot->lastLoginCheck = 0;
+    	return rv;
+    }
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	ssolen = 0;
+	ssopw = NULL;
+	userpw = NULL;
+    }
+
+    /* check the password */
+    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, 
+					  (unsigned char *)ssopw,ssolen);
+    slot->lastLoginCheck = 0;
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	goto done;
+    }
+
+    crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+    } else {
+    	rv = SECSuccess;
+    }
+
+done:
+    PK11_GETTAB(slot)->C_Logout(rwsession);
+    slot->lastLoginCheck = 0;
+    PK11_RestoreROSession(slot,rwsession);
+    if (rv == SECSuccess) {
+        /* update our view of the world */
+        PK11_InitToken(slot,PR_TRUE);
+	if (slot->needLogin) {
+	    PK11_EnterSlotMonitor(slot);
+	    PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+						(unsigned char *)userpw,len);
+	    slot->lastLoginCheck = 0;
+	    PK11_ExitSlotMonitor(slot);
+	}
+    }
+    return rv;
+}
+
+/*
+ * Change an existing user password
+ */
+SECStatus
+PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw)
+{
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int newLen;
+    int oldLen;
+    CK_SESSION_HANDLE rwsession;
+
+    if (newpw == NULL) newpw = "";
+    if (oldpw == NULL) oldpw = "";
+    newLen = PORT_Strlen(newpw);
+    oldLen = PORT_Strlen(oldpw);
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return rv;
+    }
+
+    crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
+		(unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
+    if (crv == CKR_OK) {
+	rv = SECSuccess;
+    } else {
+	PORT_SetError(PK11_MapError(crv));
+    }
+
+    PK11_RestoreROSession(slot,rwsession);
+
+    /* update our view of the world */
+    PK11_InitToken(slot,PR_TRUE);
+    return rv;
+}
+
+static char *
+pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
+{
+    if (PK11_Global.getPass == NULL) return NULL;
+    return (*PK11_Global.getPass)(slot, retry, wincx);
+}
+
+void
+PK11_SetPasswordFunc(PK11PasswordFunc func)
+{
+    PK11_Global.getPass = func;
+}
+
+void
+PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
+{
+    PK11_Global.verifyPass = func;
+}
+
+void
+PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
+{
+    PK11_Global.isLoggedIn = func;
+}
+
+
+/*
+ * authenticate to a slot. This loops until we can't recover, the user
+ * gives up, or we succeed. If we're already logged in and this function
+ * is called we will still prompt for a password, but we will probably
+ * succeed no matter what the password was (depending on the implementation
+ * of the PKCS 11 module.
+ */
+SECStatus
+PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
+{
+    SECStatus rv = SECFailure;
+    char * password;
+    PRBool attempt = PR_FALSE;
+
+    if (PK11_NeedUserInit(slot)) {
+	PORT_SetError(SEC_ERROR_IO);
+	return SECFailure;
+    }
+
+
+    /*
+     * Central server type applications which control access to multiple
+     * slave applications to single crypto devices need to virtuallize the
+     * login state. This is done by a callback out of PK11_IsLoggedIn and
+     * here. If we are actually logged in, then we got here because the
+     * higher level code told us that the particular client application may
+     * still need to be logged in. If that is the case, we simply tell the
+     * server code that it should now verify the clients password and tell us
+     * the results.
+     */
+    if (PK11_IsLoggedIn(slot,NULL) && 
+    			(PK11_Global.verifyPass != NULL)) {
+	if (!PK11_Global.verifyPass(slot,wincx)) {
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    return SECFailure;
+	}
+	return SECSuccess;
+    }
+
+    /* get the password. This can drop out of the while loop
+     * for the following reasons:
+     * 	(1) the user refused to enter a password. 
+     *			(return error to caller)
+     *	(2) the token user password is disabled [usually due to
+     *	   too many failed authentication attempts].
+     *			(return error to caller)
+     *	(3) the password was successful.
+     */
+    while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
+	/* if the token has a protectedAuthPath, the application may have
+         * already issued the C_Login as part of it's pk11_GetPassword call.
+         * In this case the application will tell us what the results were in 
+         * the password value (retry or the authentication was successful) so
+	 * we can skip our own C_Login call (which would force the token to
+	 * try to login again).
+	 * 
+	 * Applications that don't know about protectedAuthPath will return a 
+	 * password, which we will ignore and trigger the token to 
+	 * 'authenticate' itself anyway. Hopefully the blinking display on 
+	 * the reader, or the flashing light under the thumbprint reader will 
+	 * attract the user's attention */
+	attempt = PR_TRUE;
+	if (slot->protectedAuthPath) {
+	    /* application tried to authenticate and failed. it wants to try
+	     * again, continue looping */
+	    if (strcmp(password, PK11_PW_RETRY) == 0) {
+		rv = SECWouldBlock;
+		PORT_Free(password);
+		continue;
+	    }
+	    /* applicaton tried to authenticate and succeeded we're done */
+	    if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
+		rv = SECSuccess;
+		PORT_Free(password);
+		break;
+	    }
+	}
+	rv = pk11_CheckPassword(slot,password);
+	PORT_Memset(password, 0, PORT_Strlen(password));
+	PORT_Free(password);
+	if (rv != SECWouldBlock) break;
+    }
+    if (rv == SECSuccess) {
+	if (!PK11_IsFriendly(slot)) {
+	    nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
+	                                      slot->nssToken);
+	}
+    } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+    return rv;
+}
+
+void PK11_LogoutAll(void)
+{
+    SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
+    SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *mlp = NULL;
+    int i;
+
+    /* NSS is not initialized, there are not tokens to log out */
+    if (lock == NULL) {
+	return;
+    }
+
+    SECMOD_GetReadLock(lock);
+    /* find the number of entries */
+    for (mlp = modList; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11_Logout(mlp->module->slots[i]);
+	}
+    }
+
+    SECMOD_ReleaseReadLock(lock);
+}
+
+int
+PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
+{
+    return ((int)slot->minPassword);
+}
+
+/* Does this slot have a protected pin path? */
+PRBool
+PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
+{
+	return slot->protectedAuthPath;
+}
+
+/*
+ * we can initialize the password if 1) The toke is not inited 
+ * (need login == true and see need UserInit) or 2) the token has
+ * a NULL password. (slot->needLogin = false & need user Init = false).
+ */
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
+{
+    if (slot->needLogin && PK11_NeedUserInit(slot)) {
+	return PR_TRUE;
+    }
+    if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+PRBool PK11_NeedPWInit()
+{
+    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+    PRBool ret = PK11_NeedPWInitForSlot(slot);
+
+    PK11_FreeSlot(slot);
+    return ret;
+}
+
+PRBool 
+pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, 
+						PRIntervalTime *retTime)
+{
+    PRIntervalTime time;
+
+    *retTime = time = PR_IntervalNow();
+    return (PRBool) (lastTime) && ((time-lastTime) < delayTime);
+}
+
+/*
+ * Determine if the token is logged in. We have to actually query the token,
+ * because it's state can change without intervention from us.
+ */
+PRBool
+PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
+{
+    CK_SESSION_INFO sessionInfo;
+    int askpw = slot->askpw;
+    int timeout = slot->timeout;
+    CK_RV crv;
+    PRIntervalTime curTime;
+    static PRIntervalTime login_delay_time = 0;
+
+    if (login_delay_time == 0) {
+	login_delay_time = PR_SecondsToInterval(1);
+    }
+
+    /* If we don't have our own password default values, use the system
+     * ones */
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    askpw = def_slot->askpw;
+	    timeout = def_slot->timeout;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+
+    if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
+	(*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
+
+
+    /* forget the password if we've been inactive too long */
+    if (askpw == 1) {
+	int64 currtime = PR_Now();
+	int64 result;
+	int64 mult;
+	
+	LL_I2L(result, timeout);
+	LL_I2L(mult, 60*1000*1000);
+	LL_MUL(result,result,mult);
+	LL_ADD(result, result, slot->authTime);
+	if (LL_CMP(result, <, currtime) ) {
+	    PK11_EnterSlotMonitor(slot);
+	    PK11_GETTAB(slot)->C_Logout(slot->session);
+	    slot->lastLoginCheck = 0;
+	    PK11_ExitSlotMonitor(slot);
+	} else {
+	    slot->authTime = currtime;
+	}
+    }
+
+    PK11_EnterSlotMonitor(slot);
+    if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) {
+	sessionInfo.state = slot->lastState;
+	crv = CKR_OK;
+    } else {
+	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+	if (crv == CKR_OK) {
+	    slot->lastState = sessionInfo.state;
+	    slot->lastLoginCheck = curTime;
+	}
+    }
+    PK11_ExitSlotMonitor(slot);
+    /* if we can't get session info, something is really wrong */
+    if (crv != CKR_OK) {
+	slot->session = CK_INVALID_SESSION;
+	return PR_FALSE;
+    }
+
+    switch (sessionInfo.state) {
+    case CKS_RW_PUBLIC_SESSION:
+    case CKS_RO_PUBLIC_SESSION:
+    default:
+	break; /* fail */
+    case CKS_RW_USER_FUNCTIONS:
+    case CKS_RW_SO_FUNCTIONS:
+    case CKS_RO_USER_FUNCTIONS:
+	return PR_TRUE;
+    }
+    return PR_FALSE; 
+}
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
new file mode 100644
index 000000000..0a81785b7
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -0,0 +1,2498 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file manages PKCS #11 instances of certificates.
+ */
+
+#include "secport.h"
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "certi.h"
+#include "secitem.h"
+#include "key.h" 
+#include "secoid.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+#include "certdb.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+#include "pki3hack.h"
+#include "dev3hack.h"
+
+#include "devm.h" 
+#include "nsspki.h"
+#include "pki.h"
+#include "pkim.h"
+#include "pkitm.h"
+#include "pkistore.h" /* to remove temp cert */
+#include "devt.h"
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
+
+struct nss3_cert_cbstr {
+    SECStatus(* callback)(CERTCertificate*, void *);
+    nssList *cached;
+    void *arg;
+};
+
+/* Translate from NSSCertificate to CERTCertificate, then pass the latter
+ * to a callback.
+ */
+static PRStatus convert_cert(NSSCertificate *c, void *arg)
+{
+    CERTCertificate *nss3cert;
+    SECStatus secrv;
+    struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
+    /* 'c' is not adopted. caller will free it */
+    nss3cert = STAN_GetCERTCertificate(c);
+    if (!nss3cert) return PR_FAILURE;
+    secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg);
+    return (secrv) ? PR_FAILURE : PR_SUCCESS;
+}
+
+/*
+ * build a cert nickname based on the token name and the label of the 
+ * certificate If the label in NULL, build a label based on the ID.
+ */
+static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); }
+#define MAX_CERT_ID 4
+#define DEFAULT_STRING "Cert ID "
+static char *
+pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label,
+			CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
+{
+    int prefixLen = PORT_Strlen(slot->token_name);
+    int suffixLen = 0;
+    char *suffix = NULL;
+    char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
+    char *next,*nickname;
+
+    if (cert_label && (cert_label->ulValueLen)) {
+	suffixLen = cert_label->ulValueLen;
+	suffix = (char*)cert_label->pValue;
+    } else if (key_label && (key_label->ulValueLen)) {
+	suffixLen = key_label->ulValueLen;
+	suffix = (char*)key_label->pValue;
+    } else if (cert_id && cert_id->ulValueLen > 0) {
+	int i,first = cert_id->ulValueLen - MAX_CERT_ID;
+	int offset = sizeof(DEFAULT_STRING);
+	char *idValue = (char *)cert_id->pValue;
+
+	PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
+	next = buildNew + offset;
+	if (first < 0) first = 0;
+	for (i=first; i < (int) cert_id->ulValueLen; i++) {
+		*next++ = toHex((idValue[i] >> 4) & 0xf);
+		*next++ = toHex(idValue[i] & 0xf);
+	}
+	*next++ = 0;
+	suffix = buildNew;
+	suffixLen = PORT_Strlen(buildNew);
+    } else {
+	PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
+	return NULL;
+    }
+
+    /* if is internal key slot, add code to skip the prefix!! */
+    next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
+    if (nickname == NULL) return NULL;
+
+    PORT_Memcpy(next,slot->token_name,prefixLen);
+    next += prefixLen;
+    *next++ = ':';
+    PORT_Memcpy(next,suffix,suffixLen);
+    next += suffixLen;
+    *next++ = 0;
+    return nickname;
+}
+
+PRBool
+PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
+						CK_OBJECT_HANDLE certID)
+{
+    CK_OBJECT_CLASS theClass;
+
+    if (slot == NULL) return PR_FALSE;
+    if (cert == NULL) return PR_FALSE;
+
+    theClass = CKO_PRIVATE_KEY;
+    if (pk11_LoginStillRequired(slot,NULL)) {
+	theClass = CKO_PUBLIC_KEY;
+    }
+    if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) {
+	return PR_TRUE;
+    }
+
+   if (theClass == CKO_PUBLIC_KEY) {
+	SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
+	CK_ATTRIBUTE theTemplate;
+
+	if (pubKey == NULL) {
+	   return PR_FALSE;
+	}
+
+	PK11_SETATTRS(&theTemplate,0,NULL,0);
+	switch (pubKey->keyType) {
+	case rsaKey:
+	    PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
+						pubKey->u.rsa.modulus.len);
+	    break;
+	case dsaKey:
+	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
+						pubKey->u.dsa.publicValue.len);
+	    break;
+	case dhKey:
+	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
+						pubKey->u.dh.publicValue.len);
+	    break;
+	case ecKey:
+	    PK11_SETATTRS(&theTemplate,CKA_EC_POINT, 
+			  pubKey->u.ec.publicValue.data,
+			  pubKey->u.ec.publicValue.len);
+	    break;
+	case keaKey:
+	case fortezzaKey:
+	case nullKey:
+	    /* fall through and return false */
+	    break;
+	}
+
+	if (theTemplate.ulValueLen == 0) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	    return PR_FALSE;
+	}
+	pk11_SignedToUnsigned(&theTemplate);
+	if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	    return PR_TRUE;
+	}
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Check out if a cert has ID of zero. This is a magic ID that tells
+ * NSS that this cert may be an automagically trusted cert.
+ * The Cert has to be self signed as well. That check is done elsewhere.
+ *  
+ */
+PRBool
+pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
+{
+    CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
+    PRBool isZero = PR_FALSE;
+    int i;
+    CK_RV crv;
+
+
+    crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
+    if (crv != CKR_OK) {
+	return isZero;
+    }
+
+    if (keyID.ulValueLen != 0) {
+	char *value = (char *)keyID.pValue;
+	isZero = PR_TRUE; /* ID exists, may be zero */
+	for (i=0; i < (int) keyID.ulValueLen; i++) {
+	    if (value[i] != 0) {
+		isZero = PR_FALSE; /* nope */
+		break;
+	    }
+	}
+    }
+    PORT_Free(keyID.pValue);
+    return isZero;
+
+}
+
+/*
+ * Create an NSSCertificate from a slot/certID pair, return it as a
+ * CERTCertificate.
+ */
+static CERTCertificate
+*pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, 
+			CK_ATTRIBUTE *privateLabel, char **nickptr)
+{
+    NSSCertificate *c;
+    nssCryptokiObject *co = NULL;
+    nssPKIObject *pkio;
+    NSSToken *token;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+
+    /* Get the cryptoki object from the handle */
+    token = PK11Slot_GetNSSToken(slot);
+    if (token->defaultSession) {
+	co = nssCryptokiObject_Create(token, token->defaultSession, certID);
+    } else {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+    if (!co) {
+	return NULL;
+    }
+
+    /* Create a PKI object from the cryptoki instance */
+    pkio = nssPKIObject_Create(NULL, co, td, NULL, nssPKIMonitor);
+    if (!pkio) {
+	nssCryptokiObject_Destroy(co);
+	return NULL;
+    }
+
+    /* Create a certificate */
+    c = nssCertificate_Create(pkio);
+    if (!c) {
+	nssPKIObject_Destroy(pkio);
+	return NULL;
+    }
+
+    nssTrustDomain_AddCertsToCache(td, &c, 1);
+
+    /* Build the old-fashioned nickname */
+    if ((nickptr) && (co->label)) {
+	CK_ATTRIBUTE label, id;
+	label.type = CKA_LABEL;
+	label.pValue = co->label;
+	label.ulValueLen = PORT_Strlen(co->label);
+	id.type = CKA_ID;
+	id.pValue = c->id.data;
+	id.ulValueLen = c->id.size;
+	*nickptr = pk11_buildNickname(slot, &label, privateLabel, &id);
+    }
+    return STAN_GetCERTCertificateOrRelease(c);
+}
+
+/*
+ * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
+ * Must be a CertObject. This code does not explicitly checks that.
+ */
+CERTCertificate *
+PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
+						CK_ATTRIBUTE *privateLabel)
+{
+    char * nickname = NULL;
+    CERTCertificate *cert = NULL;
+    CERTCertTrust *trust;
+    PRBool isFortezzaRootCA = PR_FALSE;
+    PRBool swapNickname = PR_FALSE;
+
+    cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
+    if (cert == NULL) goto loser;
+	
+    if (nickname) {
+	if (cert->nickname != NULL) {
+		cert->dbnickname = cert->nickname;
+	} 
+	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
+	PORT_Free(nickname);
+	nickname = NULL;
+	swapNickname = PR_TRUE;
+    }
+
+    /* remember where this cert came from.... If we have just looked
+     * it up from the database and it already has a slot, don't add a new
+     * one. */
+    if (cert->slot == NULL) {
+	cert->slot = PK11_ReferenceSlot(slot);
+	cert->pkcs11ID = certID;
+	cert->ownSlot = PR_TRUE;
+	cert->series = slot->series;
+    }
+
+    trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
+    if (trust == NULL) goto loser;
+    PORT_Memset(trust,0, sizeof(CERTCertTrust));
+    cert->trust = trust;
+
+    
+
+    if(! pk11_HandleTrustObject(slot, cert, trust) ) {
+	unsigned int type;
+
+	/* build some cert trust flags */
+	if (CERT_IsCACert(cert, &type)) {
+	    unsigned int trustflags = CERTDB_VALID_CA;
+	   
+	    /* Allow PKCS #11 modules to give us trusted CA's. We only accept
+	     * valid CA's which are self-signed here. They must have an object
+	     * ID of '0'.  */ 
+	    if (pk11_isID0(slot,certID) && 
+		cert->isRoot) {
+		trustflags |= CERTDB_TRUSTED_CA;
+		/* is the slot a fortezza card? allow the user or
+		 * admin to turn on objectSigning, but don't turn
+		 * full trust on explicitly */
+		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
+		    trust->objectSigningFlags |= CERTDB_VALID_CA;
+		    isFortezzaRootCA = PR_TRUE;
+		}
+	    }
+	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
+		trust->sslFlags |= trustflags;
+	    }
+	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
+		trust->emailFlags |= trustflags;
+	    }
+	    if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) 
+					== NS_CERT_TYPE_OBJECT_SIGNING_CA) {
+		trust->objectSigningFlags |= trustflags;
+	    }
+	}
+    }
+
+    if (PK11_IsUserCert(slot,cert,certID)) {
+	trust->sslFlags |= CERTDB_USER;
+	trust->emailFlags |= CERTDB_USER;
+	/*    trust->objectSigningFlags |= CERTDB_USER; */
+    }
+
+    return cert;
+
+loser:
+    if (nickname) PORT_Free(nickname);
+    if (cert) CERT_DestroyCertificate(cert);
+    return NULL;
+}
+
+	
+/*
+ * Build get a certificate from a private key
+ */
+CERTCertificate *
+PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_OBJECT_HANDLE handle = privKey->pkcs11ID;
+    CK_OBJECT_HANDLE certID = 
+		PK11_MatchItem(slot,handle,CKO_CERTIFICATE);
+    CERTCertificate *cert;
+
+    if (certID == CK_INVALID_HANDLE) {
+	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+	return NULL;
+    }
+    cert = PK11_MakeCertFromHandle(slot,certID,NULL);
+    return (cert);
+
+}
+
+/*
+ * delete a cert and it's private key (if no other certs are pointing to the
+ * private key.
+ */
+SECStatus
+PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx)
+{
+    SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
+    CK_OBJECT_HANDLE pubKey;
+    PK11SlotInfo *slot = NULL;
+
+    pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
+    if (privKey) {
+	/* For 3.4, utilize the generic cert delete function */
+	SEC_DeletePermCertificate(cert);
+	PK11_DeleteTokenPrivateKey(privKey, PR_FALSE);
+    }
+    if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { 
+    	PK11_DestroyTokenObject(slot,pubKey);
+        PK11_FreeSlot(slot);
+    }
+    return SECSuccess;
+}
+
+/*
+ * cert callback structure
+ */
+typedef struct pk11DoCertCallbackStr {
+	SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *);
+	SECStatus(* noslotcallback)(CERTCertificate*, void *);
+	SECStatus(* itemcallback)(CERTCertificate*, SECItem *, void *);
+	void *callbackArg;
+} pk11DoCertCallback;
+
+
+typedef struct pk11CertCallbackStr {
+	SECStatus(* callback)(CERTCertificate*,SECItem *,void *);
+	void *callbackArg;
+} pk11CertCallback;
+
+struct fake_der_cb_argstr
+{
+    SECStatus(* callback)(CERTCertificate*, SECItem *, void *);
+    void *arg;
+};
+
+static SECStatus fake_der_cb(CERTCertificate *c, void *a)
+{
+    struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a;
+    return (*fda->callback)(c, &c->derCert, fda->arg);
+}
+
+/*
+ * Extract all the certs on a card from a slot.
+ */
+SECStatus
+PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
+						void *arg, void *wincx) 
+{
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    struct fake_der_cb_argstr fda;
+    struct nss3_cert_cbstr pk11cb;
+
+    /* authenticate to the tokens first */
+    (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, wincx);
+
+    fda.callback = callback;
+    fda.arg = arg;
+    pk11cb.callback = fake_der_cb;
+    pk11cb.arg = &fda;
+    NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
+    return SECSuccess;
+}
+
+static void
+transfer_token_certs_to_collection(nssList *certList, NSSToken *token, 
+                                   nssPKIObjectCollection *collection)
+{
+    NSSCertificate **certs;
+    PRUint32 i, count;
+    NSSToken **tokens, **tp;
+    count = nssList_Count(certList);
+    if (count == 0) {
+	return;
+    }
+    certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
+    if (!certs) {
+	return;
+    }
+    nssList_GetArray(certList, (void **)certs, count);
+    for (i=0; i<count; i++) {
+	tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL);
+	if (tokens) {
+	    for (tp = tokens; *tp; tp++) {
+		if (*tp == token) {
+		    nssPKIObjectCollection_AddObject(collection, 
+		                                     (nssPKIObject *)certs[i]);
+		}
+	    }
+	    nssTokenArray_Destroy(tokens);
+	}
+	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i]));
+    }
+    nss_ZFreeIf(certs);
+}
+
+CERTCertificate *
+PK11_FindCertFromNickname(const char *nickname, void *wincx) 
+{
+    PRStatus status;
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *cert = NULL;
+    NSSCertificate **certs = NULL;
+    static const NSSUsage usage = {PR_TRUE /* ... */ };
+    NSSToken *token;
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+    char *nickCopy;
+    char *delimit = NULL;
+    char *tokenName;
+
+    nickCopy = PORT_Strdup(nickname);
+    if (!nickCopy) {
+        /* error code is set */
+        return NULL;
+    }
+    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
+	tokenName = nickCopy;
+	nickname = delimit + 1;
+	*delimit = '\0';
+	/* find token by name */
+	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
+	if (token) {
+	    slot = PK11_ReferenceSlot(token->pk11slot);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_TOKEN);
+	}
+	*delimit = ':';
+    } else {
+	slot = PK11_GetInternalKeySlot();
+	token = PK11Slot_GetNSSToken(slot);
+    }
+    if (token) {
+	nssList *certList;
+	nssCryptokiObject **instances;
+	nssPKIObjectCollection *collection;
+	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	if (!PK11_IsPresent(slot)) {
+	    goto loser;
+	}
+   	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	collection = nssCertificateCollection_Create(defaultTD, NULL);
+	if (!collection) {
+	    goto loser;
+	}
+	certList = nssList_Create(NULL, PR_FALSE);
+	if (!certList) {
+	    nssPKIObjectCollection_Destroy(collection);
+	    goto loser;
+	}
+	(void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, 
+	                                                  nickname, 
+	                                                  certList);
+	transfer_token_certs_to_collection(certList, token, collection);
+	instances = nssToken_FindCertificatesByNickname(token,
+	                                                NULL,
+	                                                nickname,
+	                                                tokenOnly,
+	                                                0,
+	                                                &status);
+	nssPKIObjectCollection_AddInstances(collection, instances, 0);
+	nss_ZFreeIf(instances);
+	/* if it wasn't found, repeat the process for email address */
+	if (nssPKIObjectCollection_Count(collection) == 0 &&
+	    PORT_Strchr(nickname, '@') != NULL) 
+	{
+	    char* lowercaseName = CERT_FixupEmailAddr(nickname);
+	    if (lowercaseName) {
+		(void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, 
+								      lowercaseName, 
+								      certList);
+		transfer_token_certs_to_collection(certList, token, collection);
+		instances = nssToken_FindCertificatesByEmail(token,
+							     NULL,
+							     lowercaseName,
+							     tokenOnly,
+							     0,
+							     &status);
+		nssPKIObjectCollection_AddInstances(collection, instances, 0);
+		nss_ZFreeIf(instances);
+		PORT_Free(lowercaseName);
+	    }
+	}
+	certs = nssPKIObjectCollection_GetCertificates(collection, 
+	                                               NULL, 0, NULL);
+	nssPKIObjectCollection_Destroy(collection);
+	if (certs) {
+	    cert = nssCertificateArray_FindBestCertificate(certs, NULL, 
+	                                                   &usage, NULL);
+	    if (cert) {
+		rvCert = STAN_GetCERTCertificateOrRelease(cert);
+	    }
+	    nssCertificateArray_Destroy(certs);
+	}
+	nssList_Destroy(certList);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (nickCopy) PORT_Free(nickCopy);
+    return rvCert;
+loser:
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (nickCopy) PORT_Free(nickCopy);
+    return NULL;
+}
+
+CERTCertList *
+PK11_FindCertsFromNickname(const char *nickname, void *wincx) 
+{
+    char *nickCopy;
+    char *delimit = NULL;
+    char *tokenName;
+    int i;
+    CERTCertList *certList = NULL;
+    nssPKIObjectCollection *collection = NULL;
+    NSSCertificate **foundCerts = NULL;
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    NSSCertificate *c;
+    NSSToken *token;
+    PK11SlotInfo *slot;
+    SECStatus rv;
+
+    nickCopy = PORT_Strdup(nickname);
+    if (!nickCopy) {
+        /* error code is set */
+        return NULL;
+    }
+    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
+	tokenName = nickCopy;
+	nickname = delimit + 1;
+	*delimit = '\0';
+	/* find token by name */
+	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
+	if (token) {
+	    slot = PK11_ReferenceSlot(token->pk11slot);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_TOKEN);
+	    slot = NULL;
+	}
+	*delimit = ':';
+    } else {
+	slot = PK11_GetInternalKeySlot();
+	token = PK11Slot_GetNSSToken(slot);
+    }
+    if (token) {
+	PRStatus status;
+	nssList *nameList;
+	nssCryptokiObject **instances;
+	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+   	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    PK11_FreeSlot(slot);
+    	    if (nickCopy) PORT_Free(nickCopy);
+	    return NULL;
+	}
+	collection = nssCertificateCollection_Create(defaultTD, NULL);
+	if (!collection) {
+	    PK11_FreeSlot(slot);
+	    if (nickCopy) PORT_Free(nickCopy);
+	    return NULL;
+	}
+	nameList = nssList_Create(NULL, PR_FALSE);
+	if (!nameList) {
+	    PK11_FreeSlot(slot);
+	    if (nickCopy) PORT_Free(nickCopy);
+	    return NULL;
+	}
+	(void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
+	                                                  nickname, 
+	                                                  nameList);
+	transfer_token_certs_to_collection(nameList, token, collection);
+	instances = nssToken_FindCertificatesByNickname(token,
+	                                                NULL,
+	                                                nickname,
+	                                                tokenOnly,
+	                                                0,
+	                                                &status);
+	nssPKIObjectCollection_AddInstances(collection, instances, 0);
+	nss_ZFreeIf(instances);
+
+        /* if it wasn't found, repeat the process for email address */
+        if (nssPKIObjectCollection_Count(collection) == 0 &&
+            PORT_Strchr(nickname, '@') != NULL) 
+        {
+            char* lowercaseName = CERT_FixupEmailAddr(nickname);
+            if (lowercaseName) {
+                (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, 
+                                                                      lowercaseName, 
+                                                                      nameList);
+                transfer_token_certs_to_collection(nameList, token, collection);
+                instances = nssToken_FindCertificatesByEmail(token,
+                                                             NULL,
+                                                             lowercaseName,
+                                                             tokenOnly,
+                                                             0,
+                                                             &status);
+                nssPKIObjectCollection_AddInstances(collection, instances, 0);
+                nss_ZFreeIf(instances);
+                PORT_Free(lowercaseName);
+            }
+        }
+
+        nssList_Destroy(nameList);
+	foundCerts = nssPKIObjectCollection_GetCertificates(collection,
+	                                                    NULL, 0, NULL);
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (nickCopy) PORT_Free(nickCopy);
+    if (foundCerts) {
+	PRTime now = PR_Now();
+	certList = CERT_NewCertList();
+	for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
+	    if (certList) {
+	 	CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c);
+		/* c may be invalid after this, don't reference it */
+		if (certCert) {
+		    /* CERT_AddCertToListSorted adopts certCert  */
+		    CERT_AddCertToListSorted(certList, certCert,
+				CERT_SortCBValidity, &now);
+		}
+	    } else {
+		nssCertificate_Destroy(c);
+	    }
+	}
+	if (certList && CERT_LIST_HEAD(certList) == NULL) {
+	    CERT_DestroyCertList(certList);
+	    certList = NULL;
+	}
+	/* all the certs have been adopted or freed, free the  raw array */
+	nss_ZFreeIf(foundCerts);
+    }
+    return certList;
+}
+
+/*
+ * extract a key ID for a certificate...
+ * NOTE: We call this function from PKCS11.c If we ever use
+ * pkcs11 to extract the public key (we currently do not), this will break.
+ */
+SECItem *
+PK11_GetPubIndexKeyID(CERTCertificate *cert) 
+{
+    SECKEYPublicKey *pubk;
+    SECItem *newItem = NULL;
+
+    pubk = CERT_ExtractPublicKey(cert);
+    if (pubk == NULL) return NULL;
+
+    switch (pubk->keyType) {
+    case rsaKey:
+	newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
+	break;
+    case dsaKey:
+        newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
+	break;
+    case dhKey:
+        newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
+	break;
+    case ecKey:
+        newItem = SECITEM_DupItem(&pubk->u.ec.publicValue);
+	break;
+    case fortezzaKey:
+    default:
+	newItem = NULL; /* Fortezza Fix later... */
+    }
+    SECKEY_DestroyPublicKey(pubk);
+    /* make hash of it */
+    return newItem;
+}
+
+/*
+ * generate a CKA_ID from a certificate.
+ */
+SECItem *
+pk11_mkcertKeyID(CERTCertificate *cert) 
+{
+    SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
+    SECItem *certCKA_ID;
+
+    if (pubKeyData == NULL) return NULL;
+    
+    certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
+    SECITEM_FreeItem(pubKeyData,PR_TRUE);
+    return certCKA_ID;
+}
+
+/*
+ * Write the cert into the token.
+ */
+SECStatus
+PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+		CK_OBJECT_HANDLE key, const char *nickname, 
+                PRBool includeTrust) 
+{
+    PRStatus status;
+    NSSCertificate *c;
+    nssCryptokiObject *keyobj, *certobj;
+    NSSToken *token = PK11Slot_GetNSSToken(slot);
+    SECItem *keyID = pk11_mkcertKeyID(cert);
+    char *emailAddr = NULL;
+    nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+    nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+
+    if (keyID == NULL) {
+	goto loser;
+    }
+
+    if (PK11_IsInternal(slot) && cert->emailAddr && cert->emailAddr[0]) {
+	emailAddr = cert->emailAddr;
+    }
+
+    /* need to get the cert as a stan cert */
+    if (cert->nssCertificate) {
+	c = cert->nssCertificate;
+    } else {
+	c = STAN_GetNSSCertificate(cert);
+	if (c == NULL) {
+	    goto loser;
+	}
+    }
+
+    if (c->object.cryptoContext) {
+	/* Delete the temp instance */
+	NSSCryptoContext *cc = c->object.cryptoContext;
+	nssCertificateStore_Lock(cc->certStore, &lockTrace);
+	nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
+	nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace);
+	c->object.cryptoContext = NULL;
+	cert->istemp = PR_FALSE;
+	cert->isperm = PR_TRUE;
+    }
+
+    /* set the id for the cert */
+    nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data);
+    if (!c->id.data) {
+	goto loser;
+    }
+
+    if (key != CK_INVALID_HANDLE) {
+	/* create an object for the key, ... */
+	keyobj = nss_ZNEW(NULL, nssCryptokiObject);
+	if (!keyobj) {
+	    goto loser;
+	}
+	keyobj->token = nssToken_AddRef(token);
+	keyobj->handle = key;
+	keyobj->isTokenObject = PR_TRUE;
+
+	/* ... in order to set matching attributes for the key */
+	status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname, 
+	                                              &c->id, &c->subject);
+	nssCryptokiObject_Destroy(keyobj);
+	if (status != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+
+    /* do the token import */
+    certobj = nssToken_ImportCertificate(token, NULL,
+                                         NSSCertificateType_PKIX,
+                                         &c->id,
+                                         nickname,
+                                         &c->encoding,
+                                         &c->issuer,
+                                         &c->subject,
+                                         &c->serial,
+					 emailAddr,
+                                         PR_TRUE);
+    if (!certobj) {
+	if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
+	    PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
+	    SECITEM_FreeItem(keyID,PR_TRUE);
+	    return SECFailure;
+	}
+	goto loser;
+    }
+    /* add the new instance to the cert, force an update of the
+     * CERTCertificate, and finish
+     */
+    nssPKIObject_AddInstance(&c->object, certobj);
+    nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
+    (void)STAN_ForceCERTCertificateUpdate(c);
+    SECITEM_FreeItem(keyID,PR_TRUE);
+    return SECSuccess;
+loser:
+    SECITEM_FreeItem(keyID,PR_TRUE);
+    PORT_SetError(SEC_ERROR_ADDING_CERT);
+    return SECFailure;
+}
+
+SECStatus
+PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
+		CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) 
+{
+    CERTCertificate *cert;
+    SECStatus rv;
+
+    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+                                   derCert, NULL, PR_FALSE, PR_TRUE);
+    if (cert == NULL) return SECFailure;
+
+    rv = PK11_ImportCert(slot, cert, key, nickname, includeTrust);
+    CERT_DestroyCertificate (cert);
+    return rv;
+}
+
+/*
+ * get a certificate handle, look at the cached handle first..
+ */
+CK_OBJECT_HANDLE
+pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, 
+					CK_ATTRIBUTE *theTemplate,int tsize)
+{
+    CK_OBJECT_HANDLE certh;
+
+    if (cert->slot == slot) {
+	certh = cert->pkcs11ID;
+	if ((certh == CK_INVALID_HANDLE) ||
+			(cert->series != slot->series)) {
+    	     certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+	     cert->pkcs11ID = certh;
+	     cert->series = slot->series;
+	}
+    } else {
+    	certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+    }
+    return certh;
+}
+
+/*
+ * return the private key From a given Cert
+ */
+SECKEYPrivateKey *
+PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
+								 void *wincx) 
+{
+    int err;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certh;
+    CK_OBJECT_HANDLE keyh;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    PRBool needLogin;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    if (certh == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    /*
+     * prevent a login race condition. If slot is logged in between
+     * our call to pk11_LoginStillRequired and the 
+     * PK11_MatchItem. The matchItem call will either succeed, or
+     * we will call it one more time after calling PK11_Authenticate 
+     * (which is a noop on an authenticated token).
+     */
+    needLogin = pk11_LoginStillRequired(slot,wincx);
+    keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
+    if ((keyh == CK_INVALID_HANDLE) && needLogin &&
+                        (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+			 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
+	/* try it again authenticated */
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    return NULL;
+	}
+	keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
+    }
+    if (keyh == CK_INVALID_HANDLE) { 
+	return NULL; 
+    }
+    return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
+} 
+
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname. This is for the Key Gen, orphaned key case.
+ */
+PK11SlotInfo *
+PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, 
+								void *wincx) 
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    SECItem *keyID;
+    CK_OBJECT_HANDLE key;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+    int err;
+
+    keyID = pk11_mkcertKeyID(cert);
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if ((keyID == NULL) || (list == NULL)) {
+	if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
+	if (list) PK11_FreeSlotList(list);
+    	return NULL;
+    }
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	/*
+	 * prevent a login race condition. If le->slot is logged in between
+	 * our call to pk11_LoginStillRequired and the 
+	 * pk11_FindPrivateKeyFromCertID, the find will either succeed, or
+	 * we will call it one more time after calling PK11_Authenticate 
+	 * (which is a noop on an authenticated token).
+	 */
+	PRBool needLogin = pk11_LoginStillRequired(le->slot,wincx);
+	key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
+	if ((key == CK_INVALID_HANDLE) && needLogin &&
+            		(SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+			 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
+	    /* authenticate and try again */
+	    rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+	    if (rv != SECSuccess) continue;
+	    key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
+	}
+	if (key != CK_INVALID_HANDLE) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    if (keyPtr) *keyPtr = key;
+	    break;
+	}
+    }
+
+    SECITEM_FreeItem(keyID,PR_TRUE);
+    PK11_FreeSlotList(list);
+    return slot;
+
+}
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname. This is for the Key Gen, orphaned key case.
+ */
+PK11SlotInfo *
+PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, 
+								void *wincx) 
+{
+    CERTCertificate *cert;
+    PK11SlotInfo *slot = NULL;
+
+    /* letting this use go -- the only thing that the cert is used for is
+     * to get the ID attribute.
+     */
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return NULL;
+
+    slot = PK11_KeyForCertExists(cert, keyPtr, wincx);
+    CERT_DestroyCertificate (cert);
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_ImportCertForKey(CERTCertificate *cert, const char *nickname,
+                      void *wincx) 
+{
+    PK11SlotInfo *slot = NULL;
+    CK_OBJECT_HANDLE key;
+
+    slot = PK11_KeyForCertExists(cert,&key,wincx);
+
+    if (slot) {
+	if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
+	    PK11_FreeSlot(slot);
+	    slot = NULL;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_ADDING_CERT);
+    }
+
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) 
+{
+    CERTCertificate *cert;
+    PK11SlotInfo *slot = NULL;
+
+    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+                                   derCert, NULL, PR_FALSE, PR_TRUE);
+    if (cert == NULL) return NULL;
+
+    slot = PK11_ImportCertForKey(cert, nickname, wincx);
+    CERT_DestroyCertificate (cert);
+    return slot;
+}
+
+static CK_OBJECT_HANDLE
+pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, 
+		CK_ATTRIBUTE *searchTemplate, int count, void *wincx) 
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+
+    *slotPtr = NULL;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+    	return CK_INVALID_HANDLE;
+    }
+
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) continue;
+
+	certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    break;
+	}
+    }
+
+    PK11_FreeSlotList(list);
+
+    if (slot == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+    *slotPtr = slot;
+    return certHandle;
+}
+
+CERTCertificate *
+PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, 
+				CERTIssuerAndSN *issuerSN, void *wincx)
+{
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *cert = NULL;
+    NSSDER issuer, serial;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSToken *token = slot->nssToken;
+    nssSession *session;
+    nssCryptokiObject *instance = NULL;
+    nssPKIObject *object = NULL;
+    SECItem *derSerial;
+    PRStatus status;
+
+    if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len ||
+        !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || 
+	issuerSN->derIssuer.len    > CERT_MAX_DN_BYTES ||
+	issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    /* Paranoia */
+    if (token == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
+
+    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
+     * CERTIssuerAndSN that actually has the encoded value and pass that
+     * to PKCS#11 (and the crypto context).
+     */
+    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
+                                   &issuerSN->serialNumber,
+                                   SEC_ASN1_GET(SEC_IntegerTemplate));
+    if (!derSerial) {
+	return NULL;
+    }
+
+    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
+    NSSITEM_FROM_SECITEM(&serial, derSerial);
+
+    session = nssToken_GetDefaultSession(token);
+    if (!session) {
+	goto loser;
+    }
+
+    instance = nssToken_FindCertificateByIssuerAndSerialNumber(token,session,
+		&issuer, &serial, nssTokenSearchType_TokenForced, &status);
+
+    SECITEM_FreeItem(derSerial, PR_TRUE);
+
+    if (!instance) {
+	goto loser;
+    }
+    object = nssPKIObject_Create(NULL, instance, td, NULL, nssPKIMonitor);
+    if (!object) {
+	goto loser;
+    }
+    instance = NULL; /* adopted by the previous call */
+    cert = nssCertificate_Create(object);
+    if (!cert) {
+	goto loser;
+    }
+    object = NULL; /* adopted by the previous call */
+    nssTrustDomain_AddCertsToCache(td, &cert,1);
+    /* on failure, cert is freed below */
+    rvCert = STAN_GetCERTCertificate(cert);
+    if (!rvCert) {
+	goto loser;
+    }
+    return rvCert;
+
+loser:
+    if (instance) {
+	nssCryptokiObject_Destroy(instance);
+    }
+    if (object) {
+	nssPKIObject_Destroy(object);
+    }
+    if (cert) {
+	nssCertificate_Destroy(cert);
+    }
+    return NULL;
+}
+
+/*
+ * We're looking for a cert which we have the private key for that's on the
+ * list of recipients. This searches one slot.
+ * this is the new version for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+static CERTCertificate *
+pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg)
+{
+    NSSCMSRecipient *ri = NULL;
+    int i;
+
+    for (i=0; (ri = recipientlist[i]) != NULL; i++) {
+	CERTCertificate *cert = NULL;
+	if (ri->kind == RLSubjKeyID) {
+	    SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
+	    if (derCert) {
+		cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
+		SECITEM_FreeItem(derCert, PR_TRUE);
+	    }
+	} else {
+	    cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
+						     pwarg);
+	}
+	if (cert) {
+	    /* this isn't our cert */
+	    if ((cert->trust == NULL) ||
+       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+		 CERT_DestroyCertificate(cert);
+		continue;
+	    }
+	    ri->slot = PK11_ReferenceSlot(slot);
+	    *rlIndex = i;
+	    return cert;
+	}
+    }
+    *rlIndex = -1;
+    return NULL;
+}
+
+/*
+ * This function is the same as above, but it searches all the slots.
+ * this is the new version for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+static CERTCertificate *
+pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *wincx, int *rlIndex)
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CERTCertificate *cert = NULL;
+    SECStatus rv;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+    	return CK_INVALID_HANDLE;
+    }
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) continue;
+
+	cert = pk11_FindCertObjectByRecipientNew(le->slot, 
+					recipientlist, rlIndex, wincx);
+	if (cert)
+	    break;
+    }
+
+    PK11_FreeSlotList(list);
+
+    return cert;
+}
+
+/*
+ * We're looking for a cert which we have the private key for that's on the
+ * list of recipients. This searches one slot.
+ */
+static CERTCertificate *
+pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, 
+	SEC_PKCS7RecipientInfo **recipientArray,
+	SEC_PKCS7RecipientInfo **rip, void *pwarg)
+{
+    SEC_PKCS7RecipientInfo *ri = NULL;
+    int i;
+
+    for (i=0; (ri = recipientArray[i]) != NULL; i++) {
+	CERTCertificate *cert;
+
+	cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
+								pwarg);
+        if (cert) {
+	    /* this isn't our cert */
+	    if ((cert->trust == NULL) ||
+       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+		 CERT_DestroyCertificate(cert);
+		continue;
+	    }
+	    *rip = ri;
+	    return cert;
+	}
+
+    }
+    *rip = NULL;
+    return NULL;
+}
+
+/*
+ * This function is the same as above, but it searches all the slots.
+ */
+static CERTCertificate *
+pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, 
+	SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
+							void *wincx) 
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CERTCertificate * cert = NULL;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+
+    *slotPtr = NULL;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+    	return CK_INVALID_HANDLE;
+    }
+
+    *rip = NULL;
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) continue;
+
+	cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray, 
+							rip, wincx);
+	if (cert) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    break;
+	}
+    }
+
+    PK11_FreeSlotList(list);
+
+    if (slot == NULL) {
+	return NULL;
+    }
+    *slotPtr = slot;
+    PORT_Assert(cert != NULL);
+    return cert;
+}
+
+/*
+ * We need to invert the search logic for PKCS 7 because if we search for
+ * each cert on the list over all the slots, we wind up with lots of spurious
+ * password prompts. This way we get only one password prompt per slot, at
+ * the max, and most of the time we can find the cert, and only prompt for
+ * the key...
+ */
+CERTCertificate *
+PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr, 
+	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
+				SECKEYPrivateKey**privKey, void *wincx)
+{
+    CERTCertificate *cert = NULL;
+
+    *privKey = NULL;
+    *slotPtr = NULL;
+    cert = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
+    if (!cert) {
+	return NULL;
+    }
+
+    *privKey = PK11_FindKeyByAnyCert(cert, wincx);
+    if (*privKey == NULL) {
+	goto loser;
+    }
+
+    return cert;
+loser:
+    if (cert) CERT_DestroyCertificate(cert);
+    if (*slotPtr) PK11_FreeSlot(*slotPtr);
+    *slotPtr = NULL;
+    return NULL;
+}
+
+static PRCallOnceType keyIDHashCallOnce;
+
+static PRStatus PR_CALLBACK
+pk11_keyIDHash_populate(void *wincx)
+{
+    CERTCertList     *certList;
+    CERTCertListNode *node = NULL;
+    SECItem           subjKeyID = {siBuffer, NULL, 0};
+
+    certList = PK11_ListCerts(PK11CertListUser, wincx);
+    if (!certList) {
+	return PR_FAILURE;
+    }
+
+    for (node = CERT_LIST_HEAD(certList);
+         !CERT_LIST_END(node, certList);
+         node = CERT_LIST_NEXT(node)) {
+	if (CERT_FindSubjectKeyIDExtension(node->cert, 
+	                                   &subjKeyID) == SECSuccess && 
+	    subjKeyID.data != NULL) {
+	    cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
+	    SECITEM_FreeItem(&subjKeyID, PR_FALSE);
+	}
+    }
+    CERT_DestroyCertList(certList);
+    return PR_SUCCESS;
+}
+
+/*
+ * This is the new version of the above function for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+int
+PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *wincx)
+{
+    CERTCertificate *cert;
+    NSSCMSRecipient *rl;
+    PRStatus rv;
+    int rlIndex;
+
+    rv = PR_CallOnceWithArg(&keyIDHashCallOnce, pk11_keyIDHash_populate, wincx);
+    if (rv != PR_SUCCESS)
+	return -1;
+
+    cert = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
+    if (!cert) {
+	return -1;
+    }
+
+    rl = recipientlist[rlIndex];
+
+    /* at this point, rl->slot is set */
+
+    rl->privkey = PK11_FindKeyByAnyCert(cert, wincx);
+    if (rl->privkey == NULL) {
+	goto loser;
+    }
+
+    /* make a cert from the cert handle */
+    rl->cert = cert;
+    return rlIndex;
+
+loser:
+    if (cert) CERT_DestroyCertificate(cert);
+    if (rl->slot) PK11_FreeSlot(rl->slot);
+    rl->slot = NULL;
+    return -1;
+}
+
+CERTCertificate *
+PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN,
+							 void *wincx)
+{
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *cert;
+    NSSDER issuer, serial;
+    NSSCryptoContext *cc;
+    SECItem *derSerial;
+
+    if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len ||
+        !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || 
+	issuerSN->derIssuer.len    > CERT_MAX_DN_BYTES ||
+	issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if (slotPtr) *slotPtr = NULL;
+
+    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
+     * CERTIssuerAndSN that actually has the encoded value and pass that
+     * to PKCS#11 (and the crypto context).
+     */
+    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
+                                   &issuerSN->serialNumber,
+                                   SEC_ASN1_GET(SEC_IntegerTemplate));
+    if (!derSerial) {
+	return NULL;
+    }
+
+    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
+    NSSITEM_FROM_SECITEM(&serial, derSerial);
+
+    cc = STAN_GetDefaultCryptoContext();
+    cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, 
+                                                                &issuer, 
+                                                                &serial);
+    if (cert) {
+	SECITEM_FreeItem(derSerial, PR_TRUE);
+	return STAN_GetCERTCertificateOrRelease(cert);
+    }
+
+    do {
+	/* free the old cert on retry. Associated slot was not present */
+	if (rvCert) {
+	    CERT_DestroyCertificate(rvCert);
+	    rvCert = NULL;
+ 	}
+
+	cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber(
+                                                  STAN_GetDefaultTrustDomain(),
+                                                  &issuer,
+                                                  &serial);
+	if (!cert) {
+	    break;
+	}
+
+	rvCert = STAN_GetCERTCertificateOrRelease(cert);
+	if (rvCert == NULL) {
+	   break;
+	}
+
+	/* Check to see if the cert's token is still there */
+    } while (!PK11_IsPresent(rvCert->slot));
+
+    if (rvCert && slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot);
+
+    SECITEM_FreeItem(derSerial, PR_TRUE);
+    return rvCert;
+}
+
+CK_OBJECT_HANDLE
+PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_ATTRIBUTE searchTemplate	= { CKA_VALUE, NULL, 0 };
+    
+    PK11_SETATTRS(&searchTemplate, CKA_VALUE, cert->derCert.data,
+		  cert->derCert.len);
+
+    if (cert->slot) {
+	certHandle = pk11_getcerthandle(cert->slot,cert,&searchTemplate,1);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    *pSlot = PK11_ReferenceSlot(cert->slot);
+	    return certHandle;
+	}
+    }
+
+    certHandle = pk11_FindCertObjectByTemplate(pSlot,&searchTemplate,1,wincx);
+    if (certHandle != CK_INVALID_HANDLE) {
+	if (cert->slot == NULL) {
+	    cert->slot = PK11_ReferenceSlot(*pSlot);
+	    cert->pkcs11ID = certHandle;
+	    cert->ownSlot = PR_TRUE;
+	    cert->series = cert->slot->series;
+	}
+    }
+
+    return(certHandle);
+}
+
+SECKEYPrivateKey *
+PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_HANDLE keyHandle;
+    PK11SlotInfo *slot = NULL;
+    SECKEYPrivateKey *privKey = NULL;
+    PRBool needLogin;
+    SECStatus rv;
+    int err;
+
+    certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return NULL;
+    }
+    /*
+     * prevent a login race condition. If slot is logged in between
+     * our call to pk11_LoginStillRequired and the 
+     * PK11_MatchItem. The matchItem call will either succeed, or
+     * we will call it one more time after calling PK11_Authenticate 
+     * (which is a noop on an authenticated token).
+     */
+    needLogin = pk11_LoginStillRequired(slot,wincx);
+    keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
+    if ((keyHandle == CK_INVALID_HANDLE) &&  needLogin &&
+			(SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+			 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err ) ) {
+	/* authenticate and try again */
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv == SECSuccess) {
+            keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
+	}
+    }
+    if (keyHandle != CK_INVALID_HANDLE) { 
+        privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    return privKey;
+}
+
+CK_OBJECT_HANDLE
+pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_HANDLE keyHandle;
+
+    certHandle = PK11_FindObjectForCert(cert, wincx, slot);
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return CK_INVALID_HANDLE;
+    }
+    keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	PK11_FreeSlot(*slot);
+	return CK_INVALID_HANDLE;
+    }
+    return keyHandle;
+}
+
+/*
+ * find the number of certs in the slot with the same subject name
+ */
+int
+PK11_NumberCertsForCertSubject(CERTCertificate *cert)
+{
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attr = theTemplate;
+   int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+
+    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
+    PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
+
+    if (cert->slot == NULL) {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+	int count = 0;
+
+	if (!list) {
+            /* error code is set */
+            return 0;
+	}
+
+	/* loop through all the fortezza tokens */
+	for (le = list->head; le; le = le->next) {
+	    count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
+	}
+	PK11_FreeSlotList(list);
+	return count;
+    }
+
+    return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
+}
+
+/*
+ *  Walk all the certs with the same subject
+ */
+SECStatus
+PK11_TraverseCertsForSubject(CERTCertificate *cert,
+        SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+    if(!cert) {
+	return SECFailure;
+    }
+    if (cert->slot == NULL) {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+
+	if (!list) {
+            /* error code is set */
+            return SECFailure;
+	}
+	/* loop through all the tokens */
+	for (le = list->head; le; le = le->next) {
+	    PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
+	}
+	PK11_FreeSlotList(list);
+	return SECSuccess;
+
+    }
+
+    return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
+}
+
+SECStatus
+PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSToken *token;
+    NSSDER subject;
+    NSSTrustDomain *td;
+    nssList *subjectList;
+    nssPKIObjectCollection *collection;
+    nssCryptokiObject **instances;
+    NSSCertificate **certs;
+    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+    td = STAN_GetDefaultTrustDomain();
+    NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
+    token = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_IsPresent(token)) {
+	return SECSuccess;
+    }
+    collection = nssCertificateCollection_Create(td, NULL);
+    if (!collection) {
+	return SECFailure;
+    }
+    subjectList = nssList_Create(NULL, PR_FALSE);
+    if (!subjectList) {
+	nssPKIObjectCollection_Destroy(collection);
+	return SECFailure;
+    }
+    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, 
+                                                     subjectList);
+    transfer_token_certs_to_collection(subjectList, token, collection);
+    instances = nssToken_FindCertificatesBySubject(token, NULL,
+	                                           &subject, 
+	                                           tokenOnly, 0, &nssrv);
+    nssPKIObjectCollection_AddInstances(collection, instances, 0);
+    nss_ZFreeIf(instances);
+    nssList_Destroy(subjectList);
+    certs = nssPKIObjectCollection_GetCertificates(collection,
+                                                   NULL, 0, NULL);
+    nssPKIObjectCollection_Destroy(collection);
+    if (certs) {
+	CERTCertificate *oldie;
+	NSSCertificate **cp;
+	for (cp = certs; *cp; cp++) {
+	    oldie = STAN_GetCERTCertificate(*cp);
+	    if (!oldie) {
+		continue;
+	    }
+	    if ((*callback)(oldie, arg) != SECSuccess) {
+		nssrv = PR_FAILURE;
+		break;
+	    }
+	}
+	nssCertificateArray_Destroy(certs);
+    }
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+    struct nss3_cert_cbstr pk11cb;
+    PRStatus nssrv = PR_SUCCESS;
+    NSSToken *token;
+    NSSTrustDomain *td;
+    NSSUTF8 *nick;
+    PRBool created = PR_FALSE;
+    nssCryptokiObject **instances;
+    nssPKIObjectCollection *collection = NULL;
+    NSSCertificate **certs;
+    nssList *nameList = NULL;
+    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+    pk11cb.callback = callback;
+    pk11cb.arg = arg;
+    token = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_IsPresent(token)) {
+	return SECSuccess;
+    }
+    if (nickname->data[nickname->len-1] != '\0') {
+	nick = nssUTF8_Create(NULL, nssStringType_UTF8String, 
+	                      nickname->data, nickname->len);
+	created = PR_TRUE;
+    } else {
+	nick = (NSSUTF8 *)nickname->data;
+    }
+    td = STAN_GetDefaultTrustDomain();
+    collection = nssCertificateCollection_Create(td, NULL);
+    if (!collection) {
+	goto loser;
+    }
+    nameList = nssList_Create(NULL, PR_FALSE);
+    if (!nameList) {
+	goto loser;
+    }
+    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList);
+    transfer_token_certs_to_collection(nameList, token, collection);
+    instances = nssToken_FindCertificatesByNickname(token, NULL,
+	                                            nick,
+	                                            tokenOnly, 0, &nssrv);
+    nssPKIObjectCollection_AddInstances(collection, instances, 0);
+    nss_ZFreeIf(instances);
+    nssList_Destroy(nameList);
+    certs = nssPKIObjectCollection_GetCertificates(collection,
+                                                   NULL, 0, NULL);
+    nssPKIObjectCollection_Destroy(collection);
+    if (certs) {
+	CERTCertificate *oldie;
+	NSSCertificate **cp;
+	for (cp = certs; *cp; cp++) {
+	    oldie = STAN_GetCERTCertificate(*cp);
+	    if (!oldie) {
+		continue;
+	    }
+	    if ((*callback)(oldie, arg) != SECSuccess) {
+		nssrv = PR_FAILURE;
+		break;
+	    }
+	}
+	nssCertificateArray_Destroy(certs);
+    }
+    if (created) nss_ZFreeIf(nick);
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+loser:
+    if (created) {
+	nss_ZFreeIf(nick);
+    }
+    if (collection) {
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    if (nameList) {
+	nssList_Destroy(nameList);
+    }
+    return SECFailure;
+}
+
+SECStatus
+PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+    PRStatus nssrv;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSToken *tok;
+    nssList *certList = NULL;
+    nssCryptokiObject **instances;
+    nssPKIObjectCollection *collection;
+    NSSCertificate **certs;
+    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+    tok = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_IsPresent(tok)) {
+	return SECSuccess;
+    }
+    collection = nssCertificateCollection_Create(td, NULL);
+    if (!collection) {
+	return SECFailure;
+    }
+    certList = nssList_Create(NULL, PR_FALSE);
+    if (!certList) {
+	nssPKIObjectCollection_Destroy(collection);
+	return SECFailure;
+    }
+    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    transfer_token_certs_to_collection(certList, tok, collection);
+    instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
+                                     tokenOnly, 0, &nssrv);
+    nssPKIObjectCollection_AddInstances(collection, instances, 0);
+    nss_ZFreeIf(instances);
+    nssList_Destroy(certList);
+    certs = nssPKIObjectCollection_GetCertificates(collection,
+                                                   NULL, 0, NULL);
+    nssPKIObjectCollection_Destroy(collection);
+    if (certs) {
+	CERTCertificate *oldie;
+	NSSCertificate **cp;
+	for (cp = certs; *cp; cp++) {
+	    oldie = STAN_GetCERTCertificate(*cp);
+	    if (!oldie) {
+		continue;
+	    }
+	    if ((*callback)(oldie, arg) != SECSuccess) {
+		nssrv = PR_FAILURE;
+		break;
+	    }
+	}
+	nssCertificateArray_Destroy(certs);
+    }
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+/*
+ * return the certificate associated with a derCert 
+ */
+CERTCertificate *
+PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
+								 void *wincx)
+{
+    return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx);
+}
+
+CERTCertificate *
+PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert,
+								 void *wincx)
+
+{
+    NSSCertificate *c;
+    NSSDER derCert;
+    NSSToken *tok;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    SECStatus rv;
+
+    tok = PK11Slot_GetNSSToken(slot);
+    NSSITEM_FROM_SECITEM(&derCert, inDerCert);
+    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	PK11_FreeSlot(slot);
+	return NULL;
+    }
+    c = NSSTrustDomain_FindCertificateByEncodedCertificate(td, &derCert);
+    if (c) {
+	PRBool isToken = PR_FALSE;
+	NSSToken **tp;
+	NSSToken **tokens = nssPKIObject_GetTokens(&c->object, NULL);
+	if (tokens) {
+	    for (tp = tokens; *tp; tp++) {
+		if (*tp == tok) {
+		    isToken = PR_TRUE;
+		    break;
+		}
+	    }
+	    if (!isToken) {
+		NSSCertificate_Destroy(c);
+		c = NULL;
+	    }
+	    nssTokenArray_Destroy(tokens);
+	}
+    }
+    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
+} 
+
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname.
+ */
+static CK_OBJECT_HANDLE 
+pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+								void *wincx)
+{
+    SECItem *keyID;
+    CK_OBJECT_HANDLE key;
+    SECStatus rv;
+    PRBool needLogin;
+    int err;
+
+    if((slot == NULL) || (cert == NULL)) {
+	return CK_INVALID_HANDLE;
+    }
+
+    keyID = pk11_mkcertKeyID(cert);
+    if(keyID == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+
+    /*
+     * prevent a login race condition. If slot is logged in between
+     * our call to pk11_LoginStillRequired and the 
+     * pk11_FindPrivateKeyFromCerID. The matchItem call will either succeed, or
+     * we will call it one more time after calling PK11_Authenticate 
+     * (which is a noop on an authenticated token).
+     */
+    needLogin = pk11_LoginStillRequired(slot,wincx);
+    key = pk11_FindPrivateKeyFromCertID(slot, keyID);
+    if ((key == CK_INVALID_HANDLE) && needLogin &&
+			(SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+			 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
+	/* authenticate and try again */
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) goto loser;
+	key = pk11_FindPrivateKeyFromCertID(slot, keyID);
+   }
+
+loser:
+    SECITEM_ZfreeItem(keyID, PR_TRUE);
+    return key;
+}
+
+SECKEYPrivateKey *
+PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+								void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+
+    if((slot == NULL) || (cert == NULL)) {
+	return NULL;
+    }
+
+    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
+    if (keyHandle == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
+}
+
+SECStatus
+PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, 
+						char *nickname, 
+						PRBool addCertUsage,void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+
+    if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
+	return SECFailure;
+    }
+
+    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
+    if (keyHandle == CK_INVALID_HANDLE) {
+	return SECFailure;
+    }
+
+    return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
+}   
+
+
+/* remove when the real version comes out */
+#define SEC_OID_MISSI_KEA 300  /* until we have v3 stuff merged */
+PRBool
+KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
+
+    if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
+        return PR_TRUE;
+    } else {
+	return PR_FALSE;
+    }
+}
+
+PRBool
+PK11_FortezzaHasKEA(CERTCertificate *cert) 
+{
+   /* look at the subject and see if it is a KEA for MISSI key */
+   SECOidData *oid;
+
+   if ((cert->trust == NULL) ||
+       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
+       return PR_FALSE;
+   }
+
+   oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
+   if (!oid) {
+       return PR_FALSE;
+   }
+
+   return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || 
+		(oid->offset == SEC_OID_MISSI_KEA_DSS) ||
+				(oid->offset == SEC_OID_MISSI_KEA)) ;
+}
+
+/*
+ * Find a kea cert on this slot that matches the domain of it's peer
+ */
+static CERTCertificate
+*pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer)
+{
+    int i;
+    CERTCertificate *returnedCert = NULL;
+
+    for (i=0; i < slot->cert_count; i++) {
+	CERTCertificate *cert = slot->cert_array[i];
+
+	if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
+		returnedCert = CERT_DupCertificate(cert);
+		break;
+	}
+    }
+    return returnedCert;
+}
+
+/*
+ * The following is a FORTEZZA only Certificate request. We call this when we
+ * are doing a non-client auth SSL connection. We are only interested in the
+ * fortezza slots, and we are only interested in certs that share the same root
+ * key as the server.
+ */
+CERTCertificate *
+PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
+{
+    PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
+							PR_FALSE,PR_TRUE,wincx);
+    PK11SlotListElement *le;
+    CERTCertificate *returnedCert = NULL;
+    SECStatus rv;
+
+    if (!keaList) {
+        /* error code is set */
+        return NULL;
+    }
+
+    /* loop through all the fortezza tokens */
+    for (le = keaList->head; le; le = le->next) {
+        rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+        if (rv != SECSuccess) continue;
+	if (le->slot->session == CK_INVALID_SESSION) {
+	    continue;
+	}
+	returnedCert = pk11_GetKEAMate(le->slot,server);
+	if (returnedCert) break;
+    }
+    PK11_FreeSlotList(keaList);
+
+    return returnedCert;
+}
+
+/*
+ * find a matched pair of kea certs to key exchange parameters from one 
+ * fortezza card to another as necessary.
+ */
+SECStatus
+PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
+	CERTCertificate **cert1, CERTCertificate **cert2)
+{
+    CERTCertificate *returnedCert = NULL;
+    int i;
+
+    for (i=0; i < slot1->cert_count; i++) {
+	CERTCertificate *cert = slot1->cert_array[i];
+
+	if (PK11_FortezzaHasKEA(cert)) {
+	    returnedCert = pk11_GetKEAMate(slot2,cert);
+	    if (returnedCert != NULL) {
+		*cert2 = returnedCert;
+		*cert1 = CERT_DupCertificate(cert);
+		return SECSuccess;
+	    }
+	}
+    }
+    return SECFailure;
+}
+
+/*
+ * return the private key From a given Cert
+ */
+CK_OBJECT_HANDLE
+PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
+						cert->derCert.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	return CK_INVALID_HANDLE;
+    }
+
+    return pk11_getcerthandle(slot,cert,theTemplate,tsize);
+}
+
+/* Looking for PK11_GetKeyIDFromCert?  
+ * Use PK11_GetLowLevelKeyIDForCert instead.
+ */
+
+
+struct listCertsStr {
+    PK11CertListType type;
+    CERTCertList *certList;
+};
+
+static PRStatus
+pk11ListCertCallback(NSSCertificate *c, void *arg)
+{
+    struct listCertsStr *listCertP = (struct listCertsStr *)arg;
+    CERTCertificate *newCert = NULL;
+    PK11CertListType type = listCertP->type;
+    CERTCertList *certList = listCertP->certList;
+    PRBool isUnique = PR_FALSE;
+    PRBool isCA = PR_FALSE;
+    char *nickname = NULL;
+    unsigned int certType;
+
+    if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) ||
+        (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) {
+        /* only list one instance of each certificate, even if several exist */
+	isUnique = PR_TRUE;
+    }
+    if ((type == PK11CertListCA) || (type == PK11CertListRootUnique) ||
+        (type == PK11CertListCAUnique)) {
+	isCA = PR_TRUE;
+    }
+
+    /* if we want user certs and we don't have one skip this cert */
+    if ( ( (type == PK11CertListUser) || (type == PK11CertListUserUnique) ) && 
+		!NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
+	return PR_SUCCESS;
+    }
+
+    /* PK11CertListRootUnique means we want CA certs without a private key.
+     * This is for legacy app support . PK11CertListCAUnique should be used
+     * instead to get all CA certs, regardless of private key
+     */
+    if ((type == PK11CertListRootUnique) && 
+		NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
+	return PR_SUCCESS;
+    }
+
+    /* caller still owns the reference to 'c' */
+    newCert = STAN_GetCERTCertificate(c);
+    if (!newCert) {
+	return PR_SUCCESS;
+    }
+    /* if we want CA certs and it ain't one, skip it */
+    if( isCA  && (!CERT_IsCACert(newCert, &certType)) ) {
+	return PR_SUCCESS;
+    }
+    if (isUnique) {
+	CERT_DupCertificate(newCert);
+
+	nickname = STAN_GetCERTCertificateName(certList->arena, c);
+
+	/* put slot certs at the end */
+	if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
+	    CERT_AddCertToListTailWithData(certList,newCert,nickname);
+	} else {
+	    CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+	}
+    } else {
+	/* add multiple instances to the cert list */
+	nssCryptokiObject **ip;
+	nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+	if (!instances) {
+	    return PR_SUCCESS;
+	}
+	for (ip = instances; *ip; ip++) {
+	    nssCryptokiObject *instance = *ip;
+	    PK11SlotInfo *slot = instance->token->pk11slot;
+
+	    /* put the same CERTCertificate in the list for all instances */
+	    CERT_DupCertificate(newCert);
+
+	    nickname = STAN_GetCERTCertificateNameForInstance(
+			certList->arena, c, instance);
+
+	    /* put slot certs at the end */
+	    if (slot && !PK11_IsInternal(slot)) {
+		CERT_AddCertToListTailWithData(certList,newCert,nickname);
+	    } else {
+		CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+	    }
+	}
+	nssCryptokiObjectArray_Destroy(instances);
+    }
+    return PR_SUCCESS;
+}
+
+
+CERTCertList *
+PK11_ListCerts(PK11CertListType type, void *pwarg)
+{
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    CERTCertList *certList = NULL;
+    struct listCertsStr listCerts;
+    certList = CERT_NewCertList();
+    listCerts.type = type;
+    listCerts.certList = certList;
+
+    /* authenticate to the slots */
+    (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, pwarg);
+    NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback,
+								 &listCerts);
+    return certList;
+}
+    
+SECItem *
+PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
+					CERTCertificate *cert, void *wincx)
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certHandle;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    PK11SlotInfo *slotRef = NULL;
+    SECItem *item;
+    SECStatus rv;
+
+    if (slot) {
+	PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+ 
+	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    return NULL;
+	}
+        certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    } else {
+    	certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
+	if (certHandle == CK_INVALID_HANDLE) {
+	   return pk11_mkcertKeyID(cert);
+	}
+	slot = slotRef;
+    }
+
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return NULL;
+    }
+
+    item = pk11_GetLowLevelKeyFromHandle(slot,certHandle);
+    if (slotRef) PK11_FreeSlot(slotRef);
+    return item;
+}
+
+/* argument type for listCertsCallback */
+typedef struct {
+    CERTCertList *list;
+    PK11SlotInfo *slot;
+} ListCertsArg;
+
+static SECStatus
+listCertsCallback(CERTCertificate* cert, void*arg)
+{
+    ListCertsArg *cdata = (ListCertsArg*)arg;
+    char *nickname = NULL;
+    nssCryptokiObject *instance, **ci;
+    nssCryptokiObject **instances;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+
+    if (c == NULL) {
+        return SECFailure;
+    }
+    instances = nssPKIObject_GetInstances(&c->object);
+    if (!instances) {
+        return SECFailure;
+    }
+    instance = NULL;
+    for (ci = instances; *ci; ci++) {
+	if ((*ci)->token->pk11slot == cdata->slot) {
+	    instance = *ci;
+	    break;
+	}
+    }
+    PORT_Assert(instance != NULL);
+    if (!instance) {
+	nssCryptokiObjectArray_Destroy(instances);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena,
+	c, instance);
+    nssCryptokiObjectArray_Destroy(instances);
+
+    return CERT_AddCertToListTailWithData(cdata->list, 
+				CERT_DupCertificate(cert),nickname);
+}
+
+CERTCertList *
+PK11_ListCertsInSlot(PK11SlotInfo *slot)
+{
+    SECStatus status;
+    CERTCertList *certs;
+    ListCertsArg cdata;
+
+    certs = CERT_NewCertList();
+    if(certs == NULL) return NULL;
+    cdata.list = certs;
+    cdata.slot = slot;
+
+    status = PK11_TraverseCertsInSlot(slot, listCertsCallback,
+		&cdata);
+
+    if( status != SECSuccess ) {
+	CERT_DestroyCertList(certs);
+	certs = NULL;
+    }
+
+    return certs;
+}
+
+PK11SlotList *
+PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg)
+{
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    /* add multiple instances to the cert list */
+    nssCryptokiObject **ip;
+    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+    PK11SlotList *slotList;
+    PRBool found = PR_FALSE;
+
+    if (!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if (!instances) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
+    slotList = PK11_NewSlotList();
+    if (!slotList) {
+	nssCryptokiObjectArray_Destroy(instances);
+	return NULL;
+    }
+
+    for (ip = instances; *ip; ip++) {
+	nssCryptokiObject *instance = *ip;
+	PK11SlotInfo *slot = instance->token->pk11slot;
+	if (slot) {
+	    PK11_AddSlotToList(slotList, slot);
+	    found = PR_TRUE;
+	}
+    }
+    if (!found) {
+	PK11_FreeSlotList(slotList);
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	slotList = NULL;
+    }
+
+    nssCryptokiObjectArray_Destroy(instances);
+    return slotList;
+}
diff --git a/security/nss/lib/pk11wrap/pk11cxt.c b/security/nss/lib/pk11wrap/pk11cxt.c
new file mode 100644
index 000000000..6b1837028
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11cxt.c
@@ -0,0 +1,1068 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file PK11Contexts which are  used in multipart hashing, 
+ * encryption/decryption, and signing/verication operations.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "secoid.h" 
+#include "sechash.h"
+#include "secerr.h"
+
+static const SECItem pk11_null_params = { 0 };
+
+/**********************************************************************
+ *
+ *                   Now Deal with Crypto Contexts
+ *
+ **********************************************************************/
+
+/*
+ * the monitors...
+ */
+void
+PK11_EnterContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PZ_Lock(cx->sessionLock);
+    } else {
+	PK11_EnterSlotMonitor(cx->slot);
+    }
+}
+
+void
+PK11_ExitContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PZ_Unlock(cx->sessionLock);
+    } else {
+	PK11_ExitSlotMonitor(cx->slot);
+    }
+}
+
+/*
+ * Free up a Cipher Context
+ */
+void
+PK11_DestroyContext(PK11Context *context, PRBool freeit)
+{
+    pk11_CloseSession(context->slot,context->session,context->ownSession);
+    /* initialize the critical fields of the context */
+    if (context->savedData != NULL ) PORT_Free(context->savedData);
+    if (context->key) PK11_FreeSymKey(context->key);
+    if (context->param && context->param != &pk11_null_params)
+	SECITEM_FreeItem(context->param, PR_TRUE);
+    if (context->sessionLock) PZ_DestroyLock(context->sessionLock);
+    PK11_FreeSlot(context->slot);
+    if (freeit) PORT_Free(context);
+}
+
+/*
+ * save the current context. Allocate Space if necessary.
+ */
+static unsigned char *
+pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, 
+                       unsigned long *savedLength)
+{
+    CK_RV crv;
+
+    /* If buffer is NULL, this will get the length */
+    crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
+                                                          (CK_BYTE_PTR)buffer,
+                                                          savedLength);
+    if (!buffer || (crv == CKR_BUFFER_TOO_SMALL)) {
+	/* the given buffer wasn't big enough (or was NULL), but we 
+	 * have the length, so try again with a new buffer and the 
+	 * correct length
+	 */
+	unsigned long bufLen = *savedLength;
+	buffer = PORT_Alloc(bufLen);
+	if (buffer == NULL) {
+	    return (unsigned char *)NULL;
+	}
+	crv = PK11_GETTAB(context->slot)->C_GetOperationState(
+	                                                  context->session,
+                                                          (CK_BYTE_PTR)buffer,
+                                                          savedLength);
+	if (crv != CKR_OK) {
+	    PORT_ZFree(buffer, bufLen);
+	}
+    }
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return (unsigned char *)NULL;
+    }
+    return buffer;
+}
+
+void *
+pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
+{
+    return pk11_saveContextHelper(context, 
+                                  (unsigned char *)space, savedLength);
+}
+
+/*
+ * restore the current context
+ */
+SECStatus
+pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength)
+{
+    CK_RV crv;
+    CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID:
+			CK_INVALID_HANDLE;
+
+    PORT_Assert(space != NULL);
+    if (space == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session,
+        (CK_BYTE_PTR)space, savedLength, objectID, 0);
+    if (crv != CKR_OK) {
+       PORT_SetError( PK11_MapError(crv));
+       return SECFailure;
+   }
+   return SECSuccess;
+}
+
+SECStatus pk11_Finalize(PK11Context *context);
+
+/*
+ * Context initialization. Used by all flavors of CreateContext
+ */
+static SECStatus 
+pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
+{
+    CK_RV crv;
+    PK11SymKey *symKey = context->key;
+    SECStatus rv = SECSuccess;
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DECRYPT:
+	if (context->fortezzaHack) {
+	    CK_ULONG count = 0;;
+	    /* generate the IV for fortezza */
+	    crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	    if (crv != CKR_OK) break;
+	    PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				NULL, &count);
+	}
+	crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session,
+				mech_info);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    return rv;
+}
+
+
+/*
+ * Common Helper Function do come up with a new context.
+ */
+static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
+     PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey,
+							     SECItem *param)
+{
+    CK_MECHANISM mech_info;
+    PK11Context *context;
+    SECStatus rv;
+	
+    PORT_Assert(slot != NULL);
+    if (!slot || (!symKey && operation != CKA_DIGEST)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    context = (PK11Context *) PORT_Alloc(sizeof(PK11Context));
+    if (context == NULL) {
+	return NULL;
+    }
+
+    /* now deal with the fortezza hack... the fortezza hack is an attempt
+     * to get around the issue of the card not allowing you to do a FORTEZZA
+     * LoadIV/Encrypt, which was added because such a combination could be
+     * use to circumvent the key escrow system. Unfortunately SSL needs to
+     * do this kind of operation, so in SSL we do a loadIV (to verify it),
+     * Then GenerateIV, and through away the first 8 bytes on either side
+     * of the connection.*/
+    context->fortezzaHack = PR_FALSE;
+    if (type == CKM_SKIPJACK_CBC64) {
+	if (symKey->origin == PK11_OriginFortezzaHack) {
+	    context->fortezzaHack = PR_TRUE;
+	}
+    }
+
+    /* initialize the critical fields of the context */
+    context->operation = operation;
+    context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
+    context->slot = PK11_ReferenceSlot(slot);
+    context->session = pk11_GetNewSession(slot,&context->ownSession);
+    context->cx = symKey ? symKey->cx : NULL;
+    /* get our session */
+    context->savedData = NULL;
+
+    /* save the parameters so that some digesting stuff can do multiple
+     * begins on a single context */
+    context->type = type;
+    if (param) {
+	if (param->len > 0) {
+	    context->param = SECITEM_DupItem(param);
+	} else {
+	    context->param = (SECItem *)&pk11_null_params;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	context->param = NULL;
+    }
+    context->init = PR_FALSE;
+    context->sessionLock = PZ_NewLock(nssILockPK11cxt);
+    if ((context->param == NULL) || (context->sessionLock == NULL)) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    mech_info.mechanism = type;
+    mech_info.pParameter = param->data;
+    mech_info.ulParameterLen = param->len;
+    PK11_EnterContextMonitor(context);
+    rv = pk11_context_init(context,&mech_info);
+    PK11_ExitContextMonitor(context);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+    context->init = PR_TRUE;
+    return context;
+}
+
+
+/*
+ * put together the various PK11_Create_Context calls used by different
+ * parts of libsec.
+ */
+PK11Context *
+__PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
+						SECItem *param, void *wincx)
+{
+    PK11SymKey *symKey = NULL;
+    PK11Context *context = NULL;
+
+    /* first get a slot */
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(type,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    goto loser;
+	}
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    /* now import the key */
+    symKey = PK11_ImportSymKey(slot, type, origin, operation,  key, wincx);
+    if (symKey == NULL) goto loser;
+
+    context = PK11_CreateContextBySymKey(type, operation, symKey, param);
+
+loser:
+    if (symKey) {
+        PK11_FreeSymKey(symKey);
+    }
+    if (slot) {
+        PK11_FreeSlot(slot);
+    }
+
+    return context;
+}
+
+PK11Context *
+PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
+						SECItem *param, void *wincx)
+{
+    return __PK11_CreateContextByRawKey(slot, type, origin, operation,
+                                        key, param, wincx);
+}
+
+
+/*
+ * Create a context from a key. We really should make sure we aren't using
+ * the same key in multiple session!
+ */
+PK11Context *
+PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation,
+			PK11SymKey *symKey, SECItem *param)
+{
+    PK11SymKey *newKey;
+    PK11Context *context;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,operation);
+    if (newKey == NULL) {
+	PK11_ReferenceSymKey(symKey);
+    } else {
+	symKey = newKey;
+    }
+
+
+    /* Context Adopts the symKey.... */
+    context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
+							     param);
+    PK11_FreeSymKey(symKey);
+    return context;
+}
+
+/*
+ * Digest contexts don't need keys, but the do need to find a slot.
+ * Macing should use PK11_CreateContextBySymKey.
+ */
+PK11Context *
+PK11_CreateDigestContext(SECOidTag hashAlg)
+{
+    /* digesting has to work without authentication to the slot */
+    CK_MECHANISM_TYPE type;
+    PK11SlotInfo *slot;
+    PK11Context *context;
+    SECItem param;
+
+    type = PK11_AlgtagToMechanism(hashAlg);
+    slot = PK11_GetBestSlot(type, NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* maybe should really be PK11_GenerateNewParam?? */
+    param.data = NULL;
+    param.len = 0;
+    param.type = 0;
+
+    context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, &param);
+    PK11_FreeSlot(slot);
+    return context;
+}
+
+/*
+ * create a new context which is the clone of the state of old context.
+ */
+PK11Context * PK11_CloneContext(PK11Context *old)
+{
+     PK11Context *newcx;
+     PRBool needFree = PR_FALSE;
+     SECStatus rv = SECSuccess;
+     void *data;
+     unsigned long len;
+
+     newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
+						old->key, old->param);
+     if (newcx == NULL) return NULL;
+
+     /* now clone the save state. First we need to find the save state
+      * of the old session. If the old context owns it's session,
+      * the state needs to be saved, otherwise the state is in saveData. */
+     if (old->ownSession) {
+        PK11_EnterContextMonitor(old);
+	data=pk11_saveContext(old,NULL,&len);
+        PK11_ExitContextMonitor(old);
+	needFree = PR_TRUE;
+     } else {
+	data = old->savedData;
+	len = old->savedLength;
+     }
+
+     if (data == NULL) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+     }
+
+     /* now copy that state into our new context. Again we have different
+      * work if the new context owns it's own session. If it does, we
+      * restore the state gathered above. If it doesn't, we copy the
+      * saveData pointer... */
+     if (newcx->ownSession) {
+        PK11_EnterContextMonitor(newcx);
+	rv = pk11_restoreContext(newcx,data,len);
+        PK11_ExitContextMonitor(newcx);
+     } else {
+	PORT_Assert(newcx->savedData != NULL);
+	if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(newcx->savedData,data,len);
+	    newcx->savedLength = len;
+	}
+    }
+
+    if (needFree) PORT_Free(data);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+    }
+    return newcx;
+}
+
+/*
+ * save the current context state into a variable. Required to make FORTEZZA
+ * work.
+ */
+SECStatus
+PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength)
+{
+    unsigned char * data = NULL;
+    CK_ULONG length = saveLength;
+
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	data = pk11_saveContextHelper(cx, save, &length);
+        PK11_ExitContextMonitor(cx);
+	if (data) *len = length;
+    } else if ((unsigned) saveLength >= cx->savedLength) {
+	data = (unsigned char*)cx->savedData;
+	if (cx->savedData) {
+	    PORT_Memcpy(save,cx->savedData,cx->savedLength);
+	}
+	*len = cx->savedLength;
+    }
+    if (data != NULL) {
+	if (cx->ownSession) {
+	    PORT_ZFree(data, length);
+	}
+	return SECSuccess;
+    } else {
+	return SECFailure;
+    }
+}
+
+/* same as above, but may allocate the return buffer. */
+unsigned char *
+PK11_SaveContextAlloc(PK11Context *cx,
+                      unsigned char *preAllocBuf, unsigned int pabLen,
+                      unsigned int *stateLen)
+{
+    unsigned char *stateBuf = NULL;
+    unsigned long length = (unsigned long)pabLen;
+
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length);
+        PK11_ExitContextMonitor(cx);
+	*stateLen = (stateBuf != NULL) ? length : 0;
+    } else {
+	if (pabLen < cx->savedLength) {
+	    stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength);
+	    if (!stateBuf) {
+		return (unsigned char *)NULL;
+	    }
+	} else {
+	    stateBuf = preAllocBuf;
+	}
+	if (cx->savedData) {
+	    PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength);
+	}
+	*stateLen = cx->savedLength;
+    }
+    return stateBuf;
+}
+
+/*
+ * restore the context state into a new running context. Also required for
+ * FORTEZZA .
+ */
+SECStatus
+PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len)
+{
+    SECStatus rv = SECSuccess;
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	pk11_Finalize(cx);
+	rv = pk11_restoreContext(cx,save,len);
+        PK11_ExitContextMonitor(cx);
+    } else {
+	PORT_Assert(cx->savedData != NULL);
+	if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(cx->savedData,save,len);
+	    cx->savedLength = len;
+	}
+    }
+    return rv;
+}
+
+/*
+ * This is  to get FIPS compliance until we can convert
+ * libjar to use PK11_ hashing functions. It returns PR_FALSE
+ * if we can't get a PK11 Context.
+ */
+PRBool
+PK11_HashOK(SECOidTag algID) {
+    PK11Context *cx;
+
+    cx = PK11_CreateDigestContext(algID);
+    if (cx == NULL) return PR_FALSE;
+    PK11_DestroyContext(cx, PR_TRUE);
+    return PR_TRUE;
+}
+
+
+
+/*
+ * start a new digesting or Mac'ing operation on this context
+ */
+SECStatus PK11_DigestBegin(PK11Context *cx)
+{
+    CK_MECHANISM mech_info;
+    SECStatus rv;
+
+    if (cx->init == PR_TRUE) {
+	return SECSuccess;
+    }
+
+    /*
+     * make sure the old context is clear first
+     */
+    PK11_EnterContextMonitor(cx);
+    pk11_Finalize(cx);
+
+    mech_info.mechanism = cx->type;
+    mech_info.pParameter = cx->param->data;
+    mech_info.ulParameterLen = cx->param->len;
+    rv = pk11_context_init(cx,&mech_info);
+    PK11_ExitContextMonitor(cx);
+
+    if (rv != SECSuccess) {
+	return SECFailure;
+    }
+    cx->init = PR_TRUE;
+    return SECSuccess;
+}
+
+SECStatus
+PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, 
+								PRInt32 len) {
+    PK11Context *context;
+    unsigned int max_length;
+    unsigned int out_length;
+    SECStatus rv;
+
+    /* len will be passed to PK11_DigestOp as unsigned. */
+    if (len < 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    context = PK11_CreateDigestContext(hashAlg);
+    if (context == NULL) return SECFailure;
+
+    rv = PK11_DigestBegin(context);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    rv = PK11_DigestOp(context, in, len);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    /* XXX This really should have been an argument to this function! */
+    max_length = HASH_ResultLenByOidTag(hashAlg);
+    PORT_Assert(max_length);
+    if (!max_length)
+    	max_length = HASH_LENGTH_MAX;
+
+    rv = PK11_DigestFinal(context,out,&out_length,max_length);
+    PK11_DestroyContext(context, PR_TRUE);
+    return rv;
+}
+
+
+/*
+ * execute a bulk encryption operation
+ */
+SECStatus
+PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
+				int maxout, unsigned char *in, int inlen)
+{
+    CK_RV crv = CKR_OK;
+    CK_ULONG length = maxout;
+    CK_ULONG offset =0;
+    SECStatus rv = SECSuccess;
+    unsigned char *saveOut = out;
+    unsigned char *allocOut = NULL;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    /*
+     * The fortezza hack is to send 8 extra bytes on the first encrypted and
+     * loose them on the first decrypt.
+     */
+    if (context->fortezzaHack) {
+	unsigned char random[8];
+	if (context->operation == CKA_ENCRYPT) {
+	    PK11_ExitContextMonitor(context);
+	    rv = PK11_GenerateRandom(random,sizeof(random));
+    	    PK11_EnterContextMonitor(context);
+
+	    /* since we are offseting the output, we can't encrypt back into
+	     * the same buffer... allocate a temporary buffer just for this
+	     * call. */
+	    allocOut = out = (unsigned char*)PORT_Alloc(maxout);
+	    if (out == NULL) {
+		PK11_ExitContextMonitor(context);
+		return SECFailure;
+	    }
+	    crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+		random,sizeof(random),out,&length);
+
+	    out += length;
+	    maxout -= length;
+	    offset = length;
+	} else if (context->operation == CKA_DECRYPT) {
+	    length = sizeof(random);
+	    crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+		in,sizeof(random),random,&length);
+	    inlen -= length;
+	    in += length;
+	    context->fortezzaHack = PR_FALSE;
+	}
+    }
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+						in, inlen, out, &length);
+	length += offset;
+	break;
+    case CKA_DECRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+						in, inlen, out, &length);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	*outlen = 0;
+        rv = SECFailure;
+    } else {
+    	*outlen = length;
+    }
+
+    if (context->fortezzaHack) {
+	if (context->operation == CKA_ENCRYPT) {
+	    PORT_Assert(allocOut);
+	    PORT_Memcpy(saveOut, allocOut, length);
+	    PORT_Free(allocOut);
+	}
+	context->fortezzaHack = PR_FALSE;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * execute a digest/signature operation
+ */
+SECStatus
+PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) 
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+
+    if (!in) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    switch (context->operation) {
+    /* also for MAC'ing */
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session,
+						     (unsigned char *)in, 
+						     inLen);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * Digest a key if possible./
+ */
+SECStatus
+PK11_DigestKey(PK11Context *context, PK11SymKey *key)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+    PK11SymKey *newKey = NULL;
+
+    if (!context || !key) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    if (context->slot != key->slot) {
+	newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key);
+    } else {
+	newKey = PK11_ReferenceSymKey(key);
+    }
+
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+            PK11_FreeSymKey(newKey);
+	    return rv;
+	}
+    }
+
+
+    if (newKey == NULL) {
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	if (key->data.data) {
+	    crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+					key->data.data,key->data.len);
+	}
+    } else {
+	crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session,
+							newKey->objectID);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    if (newKey) PK11_FreeSymKey(newKey);
+    return rv;
+}
+
+/*
+ * externally callable version of the lowercase pk11_finalize().
+ */
+SECStatus
+PK11_Finalize(PK11Context *context) {
+    SECStatus rv;
+
+    PK11_EnterContextMonitor(context);
+    rv = pk11_Finalize(context);
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * clean up a cipher operation, so the session can be used by
+ * someone new.
+ */
+SECStatus
+pk11_Finalize(PK11Context *context)
+{
+    CK_ULONG count = 0;
+    CK_RV crv;
+    unsigned char stackBuf[256];
+    unsigned char *buffer = NULL;
+
+    if (!context->ownSession) {
+	return SECSuccess;
+    }
+
+finalize:
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+	                                               buffer, &count);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+	                                                 buffer, &count);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+	                                            buffer, &count);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+	                                              buffer, count);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+	                                              buffer, &count);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+	if (buffer != stackBuf) {
+	    PORT_Free(buffer);
+	}
+	if (crv == CKR_OPERATION_NOT_INITIALIZED) {
+	    /* if there's no operation, it is finalized */
+	    return SECSuccess;
+	}
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+
+    /* try to finalize the session with a buffer */
+    if (buffer == NULL) { 
+	if (count <= sizeof stackBuf) {
+	    buffer = stackBuf;
+	} else {
+	    buffer = PORT_Alloc(count);
+	    if (buffer == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return SECFailure;
+	    }
+	}
+	goto finalize;
+    }
+    if (buffer != stackBuf) {
+	PORT_Free(buffer);
+    }
+    return SECSuccess;
+}
+
+/*
+ *  Return the final digested or signed data...
+ *  this routine can either take pre initialized data, or allocate data
+ *  either out of an arena or out of the standard heap.
+ */
+SECStatus
+PK11_DigestFinal(PK11Context *context,unsigned char *data, 
+			unsigned int *outLen, unsigned int length)
+{
+    CK_ULONG len;
+    CK_RV crv;
+    SECStatus rv;
+
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    len = length;
+    switch (context->operation) {
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+				data,&len);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+				data,len);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+				data,&len);
+	break;
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				data, &len);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+				data, &len);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+    PK11_ExitContextMonitor(context);
+
+    *outLen = (unsigned int) len;
+    context->init = PR_FALSE; /* allow Begin to start up again */
+
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
new file mode 100644
index 000000000..d58f49de2
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11err.c
@@ -0,0 +1,156 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ * this file maps PKCS11 Errors into SECErrors
+ *  This is an information reducing process, since most errors are reflected
+ *  back to the user (the user doesn't care about invalid flags, or active
+ *  operations). If any of these errors need more detail in the upper layers
+ *  which call PK11 library functions, we can add more SEC_ERROR_XXX functions
+ *  and change there mappings here.
+ */
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+#ifdef PK11_ERROR_USE_ARRAY 
+
+/*
+ * build a static array of entries...
+ */
+static struct {
+	CK_RV pk11_error;
+	int   sec_error;
+} pk11_error_map = {
+#define MAPERROR(x,y) {x, y},
+
+#else
+
+/* the default is to use a big switch statement */
+int
+PK11_MapError(CK_RV rv) {
+
+	switch (rv) {
+#define MAPERROR(x,y) case x: return y;
+
+#endif
+
+/* the guts mapping */
+	MAPERROR(CKR_OK, 0)
+	MAPERROR(CKR_CANCEL, SEC_ERROR_IO)
+	MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY)
+	MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ARGUMENTS_BAD, SEC_ERROR_INVALID_ARGS)
+	MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY)
+	MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */
+	MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_BUFFER_TOO_SMALL, SEC_ERROR_OUTPUT_LEN)
+	MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_INPUT_LEN)
+	MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_IO)
+	MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY)
+	MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_NO_EVENT, SEC_ERROR_NO_EVENT)
+	MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_OPERATION_NOT_INITIALIZED,SEC_ERROR_LIBRARY_FAILURE )
+	MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD)
+	MAPERROR(CKR_PIN_INVALID, SEC_ERROR_INVALID_PASSWORD)
+	MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_INVALID_PASSWORD)
+	MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */
+	MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE)
+	MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE)
+	MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO)
+	MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY)
+	MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0)
+	MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_TOKEN_NOT_LOGGED_IN)
+	MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_NETSCAPE_CERTDB_FAILED, SEC_ERROR_BAD_DATABASE)
+	MAPERROR(CKR_NETSCAPE_KEYDB_FAILED, SEC_ERROR_BAD_DATABASE)
+	MAPERROR(CKR_CANT_LOCK, SEC_ERROR_INCOMPATIBLE_PKCS11)
+
+#ifdef PK11_ERROR_USE_ARRAY 
+};
+
+int
+PK11_MapError(CK_RV rv) {
+    int size = sizeof(pk11_error_map)/sizeof(pk11_error_map[0]);
+
+    for (i=0; i < size; i++) {
+	if (pk11_error_map[i].pk11_error == rv) {
+	    return pk11_error_map[i].sec_error;
+	}
+    }
+    return SEC_ERROR_IO;
+ }
+
+
+#else
+
+    default:
+	break;
+    }
+    return SEC_ERROR_IO;
+}
+
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
new file mode 100644
index 000000000..087d094cf
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -0,0 +1,46 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _PK11FUNC_H_
+#define _PK11FUNC_H_
+
+/*
+ * the original pk11func.h had a mix of public and private functions.
+ * continue to provide those for backward compatibility.
+ */
+#include "pk11pub.h"
+#include "pk11priv.h"
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11init.h b/security/nss/lib/pk11wrap/pk11init.h
new file mode 100644
index 000000000..d91a0d37f
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11init.h
@@ -0,0 +1,55 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal header file included in pk11wrap dir, or in softoken
+ */
+#ifndef _PK11_INIT_H_
+#define _PK11_INIT_H_ 1
+
+/* hold slot default flags until we initialize a slot. This structure is only
+ * useful between the time we define a module (either by hand or from the
+ * database) and the time the module is loaded. Not reference counted  */
+struct PK11PreSlotInfoStr {
+    CK_SLOT_ID slotID;  	/* slot these flags are for */
+    unsigned long defaultFlags; /* bit mask of default implementation this slot
+				 * provides */
+    int askpw;			/* slot specific password bits */
+    long timeout;		/* slot specific timeout value */
+    char hasRootCerts;		/* is this the root cert PKCS #11 module? */
+    char hasRootTrust;		/* is this the root cert PKCS #11 module? */
+};
+
+#endif /* _PK11_INIT_H_ 1 */
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
new file mode 100644
index 000000000..3d2a52ad5
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -0,0 +1,163 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secasn1.h"
+#include "sechash.h"
+#include "cert.h"
+#include "secerr.h"
+
+/*
+ * find an RSA public key on a card
+ */
+static CK_OBJECT_HANDLE
+pk11_FindRSAPubKey(PK11SlotInfo *slot)
+{
+    CK_KEY_TYPE key_type = CKK_RSA;
+    CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
+    CK_ATTRIBUTE theTemplate[2];
+    int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+
+    PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++;
+    PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++;
+    template_count = attrs - theTemplate;
+    PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
+
+    return pk11_FindObjectByTemplate(slot,theTemplate,template_count);
+}
+
+PK11SymKey *
+pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, 
+					PRBool isPerm, PK11SymKey *symKey)
+{
+    PK11SymKey *newSymKey = NULL;
+    SECStatus rv;
+    /* performance improvement can go here --- use a generated key at startup
+     * to generate a per token wrapping key. If it exists, use it, otherwise 
+     * do a full key exchange. */
+
+    /* find a common Key Exchange algorithm */
+    /* RSA */
+    if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && 
+				PK11_DoesMechanism(slot,CKM_RSA_PKCS)) {
+	CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
+	SECKEYPublicKey *pubKey = NULL;
+	SECKEYPrivateKey *privKey = NULL;
+	SECItem wrapData;
+	unsigned int     symKeyLength = PK11_GetKeyLength(symKey);
+
+	wrapData.data = NULL;
+
+	/* find RSA Public Key on target */
+	pubKeyHandle = pk11_FindRSAPubKey(slot);
+	if (pubKeyHandle != CK_INVALID_HANDLE) {
+	    privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
+	}
+
+	/* if no key exists, generate a key pair */
+	if (privKeyHandle == CK_INVALID_HANDLE) {
+	    PK11RSAGenParams rsaParams;
+
+	    if (symKeyLength > 53) /* bytes */ {
+		/* we'd have to generate an RSA key pair > 512 bits long,
+		** and that's too costly.  Don't even try. 
+		*/
+		PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY );
+		goto rsa_failed;
+	    }
+	    rsaParams.keySizeInBits = 
+	        (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
+	    rsaParams.pe  = 0x10001;
+	    privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, 
+			    &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
+	} else {
+	    /* if keys exist, build SECKEY data structures for them */
+	    privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
+					symKey->cx);
+	    if (privKey != NULL) {
+    		pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
+		if (pubKey && pubKey->pkcs11Slot) {
+		    PK11_FreeSlot(pubKey->pkcs11Slot);
+		    pubKey->pkcs11Slot = NULL;
+		    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+		}
+	    }
+	}
+	if (privKey == NULL) goto rsa_failed;
+	if (pubKey == NULL)  goto rsa_failed;
+
+        wrapData.len  = SECKEY_PublicKeyStrength(pubKey);
+        if (!wrapData.len) goto rsa_failed;
+        wrapData.data = PORT_Alloc(wrapData.len);
+        if (wrapData.data == NULL) goto rsa_failed;
+
+	/* now wrap the keys in and out */
+	rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
+	if (rv == SECSuccess) {
+	    newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey,
+			&wrapData,type,operation,symKeyLength,flags,isPerm);
+	    /* make sure we wound up where we wanted to be! */
+	    if (newSymKey && newSymKey->slot != slot) {
+		PK11_FreeSymKey(newSymKey);
+		newSymKey = NULL;
+	    }
+	}
+rsa_failed:
+	if (wrapData.data != NULL) PORT_Free(wrapData.data);
+	if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey);
+	if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey);
+
+	return  newSymKey;
+    }
+    PORT_SetError( SEC_ERROR_NO_MODULE );
+    return NULL;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11list.c b/security/nss/lib/pk11wrap/pk11list.c
new file mode 100644
index 000000000..24885b832
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11list.c
@@ -0,0 +1,127 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Locking and queue management primatives
+ *
+ */
+
+#include "seccomon.h"
+#include "nssilock.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "nssrwlk.h"
+
+/*
+ * create a new lock for a Module List
+ */
+SECMODListLock *SECMOD_NewListLock()
+{
+    return NSSRWLock_New( 10, "moduleListLock");
+}
+
+/*
+ * destroy the lock
+ */
+void SECMOD_DestroyListLock(SECMODListLock *lock) 
+{
+    NSSRWLock_Destroy(lock);
+}
+
+
+/*
+ * Lock the List for Read: NOTE: this assumes the reading isn't so common
+ * the writing will be starved.
+ */
+void SECMOD_GetReadLock(SECMODListLock *modLock) 
+{
+    NSSRWLock_LockRead(modLock);
+}
+
+/*
+ * Release the Read lock
+ */
+void SECMOD_ReleaseReadLock(SECMODListLock *modLock) 
+{
+    NSSRWLock_UnlockRead(modLock);
+}
+
+
+/*
+ * lock the list for Write
+ */
+void SECMOD_GetWriteLock(SECMODListLock *modLock) 
+{
+    NSSRWLock_LockWrite(modLock);
+}
+
+
+/*
+ * Release the Write Lock: NOTE, this code is pretty inefficient if you have
+ * lots of write collisions.
+ */
+void SECMOD_ReleaseWriteLock(SECMODListLock *modLock) 
+{
+    NSSRWLock_UnlockWrite(modLock);
+}
+
+
+/*
+ * must Hold the Write lock
+ */
+void
+SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) 
+{
+    *parent = child->next;
+    child->next = NULL;
+}
+
+/*
+ * if lock is not specified, it must already be held
+ */
+void
+SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child, 
+							SECMODListLock *lock) 
+{
+    if (lock) { SECMOD_GetWriteLock(lock); }
+
+    child->next = parent->next;
+    parent->next = child;
+
+   if (lock) { SECMOD_ReleaseWriteLock(lock); }
+}
+
+
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
new file mode 100644
index 000000000..c8de0b8ca
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11load.c
@@ -0,0 +1,507 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+#define FORCE_PR_LOG 1
+#include "seccomon.h"
+#include "pkcs11.h"
+#include "secmod.h"
+#include "prlink.h"
+#include "pk11func.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "nssilock.h"
+#include "secerr.h"
+#include "prenv.h"
+
+#define DEBUG_MODULE 1
+
+#ifdef DEBUG_MODULE
+static char *modToDBG = NULL;
+
+#include "debug_module.c"
+#endif
+
+/* build the PKCS #11 2.01 lock files */
+CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) {
+    *pmutex = (CK_VOID_PTR) PZ_NewLock(nssILockOther);
+    if ( *pmutex ) return CKR_OK;
+    return CKR_HOST_MEMORY;
+}
+
+CK_RV PR_CALLBACK secmodDestroyMutext(CK_VOID_PTR mutext) {
+    PZ_DestroyLock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK secmodLockMutext(CK_VOID_PTR mutext) {
+    PZ_Lock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK secmodUnlockMutext(CK_VOID_PTR mutext) {
+    PZ_Unlock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+static SECMODModuleID  nextModuleID = 1;
+static const CK_C_INITIALIZE_ARGS secmodLockFunctions = {
+    secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, 
+    secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS|
+	CKF_OS_LOCKING_OK
+    ,NULL
+};
+
+static PRBool loadSingleThreadedModules = PR_TRUE;
+static PRBool enforceAlreadyInitializedError = PR_TRUE;
+static PRBool finalizeModules = PR_TRUE;
+
+/* set global options for NSS PKCS#11 module loader */
+SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules,
+                                PRBool allowAlreadyInitializedModules,
+                                PRBool dontFinalizeModules)
+{
+    if (noSingleThreadedModules) {
+        loadSingleThreadedModules = PR_FALSE;
+    } else {
+        loadSingleThreadedModules = PR_TRUE;
+    }
+    if (allowAlreadyInitializedModules) {
+        enforceAlreadyInitializedError = PR_FALSE;
+    } else {
+        enforceAlreadyInitializedError = PR_TRUE;
+    }
+    if (dontFinalizeModules) {
+        finalizeModules = PR_FALSE;
+    } else {
+        finalizeModules = PR_TRUE;
+    }
+    return SECSuccess;
+}
+
+PRBool pk11_getFinalizeModulesOption(void)
+{
+    return finalizeModules;
+}
+
+/*
+ * collect the steps we need to initialize a module in a single function
+ */
+SECStatus
+secmod_ModuleInit(SECMODModule *mod, PRBool* alreadyLoaded)
+{
+    CK_C_INITIALIZE_ARGS moduleArgs;
+    CK_VOID_PTR pInitArgs;
+    CK_RV crv;
+
+    if (!mod || !alreadyLoaded) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (mod->isThreadSafe == PR_FALSE) {
+	pInitArgs = NULL;
+    } else if (mod->libraryParams == NULL) {
+	pInitArgs = (void *) &secmodLockFunctions;
+    } else {
+	moduleArgs = secmodLockFunctions;
+	moduleArgs.LibraryParameters = (void *) mod->libraryParams;
+	pInitArgs = &moduleArgs;
+    }
+    crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs);
+    if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
+        (!enforceAlreadyInitializedError)) {
+        *alreadyLoaded = PR_TRUE;
+        return SECSuccess;
+    }
+    if (crv != CKR_OK) {
+	if (pInitArgs == NULL ||
+		crv == CKR_NETSCAPE_CERTDB_FAILED ||
+		crv == CKR_NETSCAPE_KEYDB_FAILED) {
+	    PORT_SetError(PK11_MapError(crv));
+	    return SECFailure;
+	}
+	if (!loadSingleThreadedModules) {
+	    PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
+	    return SECFailure;
+	}
+	mod->isThreadSafe = PR_FALSE;
+    	crv = PK11_GETTAB(mod)->C_Initialize(NULL);
+	if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
+	    (!enforceAlreadyInitializedError)) {
+	    *alreadyLoaded = PR_TRUE;
+	    return SECSuccess;
+	}
+    	if (crv != CKR_OK)  {
+	    PORT_SetError(PK11_MapError(crv));
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+/*
+ * set the hasRootCerts flags in the module so it can be stored back
+ * into the database.
+ */
+void
+SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
+    PK11PreSlotInfo *psi = NULL;
+    int i;
+
+    if (slot->hasRootCerts) {
+	for (i=0; i < mod->slotInfoCount; i++) {
+	    if (slot->slotID == mod->slotInfo[i].slotID) {
+		psi = &mod->slotInfo[i];
+		break;
+	    }
+	}
+	if (psi == NULL) {
+	   /* allocate more slots */
+	   PK11PreSlotInfo *psi_list = (PK11PreSlotInfo *)
+		PORT_ArenaAlloc(mod->arena,
+			(mod->slotInfoCount+1)* sizeof(PK11PreSlotInfo));
+	   /* copy the old ones */
+	   if (mod->slotInfoCount > 0) {
+		PORT_Memcpy(psi_list,mod->slotInfo,
+				(mod->slotInfoCount)*sizeof(PK11PreSlotInfo));
+	   }
+	   /* assign psi to the last new slot */
+	   psi = &psi_list[mod->slotInfoCount];
+	   psi->slotID = slot->slotID;
+	   psi->askpw = 0;
+	   psi->timeout = 0;
+	   psi ->defaultFlags = 0;
+
+	   /* increment module count & store new list */
+	   mod->slotInfo = psi_list;
+	   mod->slotInfoCount++;
+	   
+	}
+	psi->hasRootCerts = 1;
+    }
+}
+
+static const char* NameOfThisSharedLib =
+    SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
+static const char* softoken_default_name =
+    SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX;
+static const PRCallOnceType pristineCallOnce;
+static PRCallOnceType loadSoftokenOnce;
+static PRLibrary* softokenLib;
+static PRInt32 softokenLoadCount;
+
+#include "prio.h"
+#include "prprf.h"
+#include <stdio.h>
+#include "prsystem.h"
+
+#include "../freebl/genload.c"
+
+/* This function must be run only once. */
+/*  determine if hybrid platform, then actually load the DSO. */
+static PRStatus
+softoken_LoadDSO( void ) 
+{
+  PRLibrary *  handle;
+  const char * name = softoken_default_name;
+
+  if (!name) {
+    PR_SetError(PR_LOAD_LIBRARY_ERROR, 0);
+    return PR_FAILURE;
+  }
+
+  handle = loader_LoadLibrary(name);
+  if (handle) {
+    softokenLib = handle;
+    return PR_SUCCESS;
+  }
+  return PR_FAILURE;
+}
+
+/*
+ * load a new module into our address space and initialize it.
+ */
+SECStatus
+SECMOD_LoadPKCS11Module(SECMODModule *mod) {
+    PRLibrary *library = NULL;
+    CK_C_GetFunctionList entry = NULL;
+    char * full_name;
+    CK_INFO info;
+    CK_ULONG slotCount = 0;
+    SECStatus rv;
+    PRBool alreadyLoaded = PR_FALSE;
+    char *disableUnload = NULL;
+
+    if (mod->loaded) return SECSuccess;
+
+    /* intenal modules get loaded from their internal list */
+    if (mod->internal) {
+    /*
+     * Loads softoken as a dynamic library,
+     * even though the rest of NSS assumes this as the "internal" module.
+     */
+    if (!softokenLib && 
+        PR_SUCCESS != PR_CallOnce(&loadSoftokenOnce, &softoken_LoadDSO))
+        return SECFailure;
+
+    PR_AtomicIncrement(&softokenLoadCount);
+
+    if (mod->isFIPS) {
+        entry = (CK_C_GetFunctionList) 
+                    PR_FindSymbol(softokenLib, "FC_GetFunctionList");
+    } else {
+        entry = (CK_C_GetFunctionList) 
+                    PR_FindSymbol(softokenLib, "NSC_GetFunctionList");
+    }
+
+    if (!entry)
+        return SECFailure;
+
+    if (mod->isModuleDB) {
+        mod->moduleDBFunc = (CK_C_GetFunctionList) 
+                    PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
+    }
+
+    if (mod->moduleDBOnly) {
+        mod->loaded = PR_TRUE;
+        return SECSuccess;
+    }
+    } else {
+	/* Not internal, load the DLL and look up C_GetFunctionList */
+	if (mod->dllName == NULL) {
+	    return SECFailure;
+	}
+
+#ifdef notdef
+	/* look up the library name */
+	full_name = PR_GetLibraryName(PR_GetLibraryPath(),mod->dllName);
+	if (full_name == NULL) {
+	    return SECFailure;
+	}
+#else
+	full_name = PORT_Strdup(mod->dllName);
+#endif
+
+	/* load the library. If this succeeds, then we have to remember to
+	 * unload the library if anything goes wrong from here on out...
+	 */
+	library = PR_LoadLibrary(full_name);
+	mod->library = (void *)library;
+#ifdef notdef
+	PR_FreeLibraryName(full_name);
+#else
+	PORT_Free(full_name);
+#endif
+
+	if (library == NULL) {
+	    return SECFailure;
+	}
+
+	/*
+	 * now we need to get the entry point to find the function pointers
+	 */
+	if (!mod->moduleDBOnly) {
+	    entry = (CK_C_GetFunctionList)
+			PR_FindSymbol(library, "C_GetFunctionList");
+	}
+	if (mod->isModuleDB) {
+	    mod->moduleDBFunc = (void *)
+			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+	}
+	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
+	if (entry == NULL) {
+	    if (mod->isModuleDB) {
+		mod->loaded = PR_TRUE;
+		mod->moduleDBOnly = PR_TRUE;
+		return SECSuccess;
+	    }
+	    PR_UnloadLibrary(library);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * We need to get the function list
+     */
+    if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) 
+								goto fail;
+
+#ifdef DEBUG_MODULE
+    if (PR_TRUE) {
+	modToDBG = PR_GetEnv("NSS_DEBUG_PKCS11_MODULE");
+	if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) {
+	    mod->functionList = (void *)nss_InsertDeviceLog(
+	                           (CK_FUNCTION_LIST_PTR)mod->functionList);
+	}
+    }
+#endif
+
+    mod->isThreadSafe = PR_TRUE;
+
+    /* Now we initialize the module */
+    rv = secmod_ModuleInit(mod, &alreadyLoaded);
+    if (rv != SECSuccess) {
+	goto fail;
+    }
+
+    /* check the version number */
+    if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) goto fail2;
+    if (info.cryptokiVersion.major != 2) goto fail2;
+    /* all 2.0 are a priori *not* thread safe */
+    if (info.cryptokiVersion.minor < 1) {
+        if (!loadSingleThreadedModules) {
+            PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
+            goto fail2;
+        } else {
+            mod->isThreadSafe = PR_FALSE;
+        }
+    }
+    mod->cryptokiVersion = info.cryptokiVersion;
+
+    /* If we don't have a common name, get it from the PKCS 11 module */
+    if ((mod->commonName == NULL) || (mod->commonName[0] == 0)) {
+	mod->commonName = PK11_MakeString(mod->arena,NULL,
+	   (char *)info.libraryDescription, sizeof(info.libraryDescription));
+	if (mod->commonName == NULL) goto fail2;
+    }
+    
+
+    /* initialize the Slots */
+    if (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &slotCount) == CKR_OK) {
+	CK_SLOT_ID *slotIDs;
+	int i;
+	CK_RV crv;
+
+	mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena,
+					sizeof(PK11SlotInfo *) * slotCount);
+	if (mod->slots == NULL) goto fail2;
+
+	slotIDs = (CK_SLOT_ID *) PORT_Alloc(sizeof(CK_SLOT_ID)*slotCount);
+	if (slotIDs == NULL) {
+	    goto fail2;
+	}  
+	crv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount);
+	if (crv != CKR_OK) {
+	    PORT_Free(slotIDs);
+	    goto fail2;
+	}
+
+	/* Initialize each slot */
+	for (i=0; i < (int)slotCount; i++) {
+	    mod->slots[i] = PK11_NewSlotInfo(mod);
+	    PK11_InitSlot(mod,slotIDs[i],mod->slots[i]);
+	    /* look down the slot info table */
+	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
+	    SECMOD_SetRootCerts(mod->slots[i],mod);
+	}
+	mod->slotCount = slotCount;
+	mod->slotInfoCount = 0;
+	PORT_Free(slotIDs);
+    }
+    
+    mod->loaded = PR_TRUE;
+    mod->moduleID = nextModuleID++;
+    return SECSuccess;
+fail2:
+    if (enforceAlreadyInitializedError || (!alreadyLoaded)) {
+        PK11_GETTAB(mod)->C_Finalize(NULL);
+    }
+fail:
+    mod->functionList = NULL;
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    if (library && !disableUnload) {
+        PR_UnloadLibrary(library);
+    }
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_UnloadModule(SECMODModule *mod) {
+    PRLibrary *library;
+    char *disableUnload = NULL;
+
+    if (!mod->loaded) {
+	return SECFailure;
+    }
+    if (finalizeModules) {
+        if (!mod->moduleDBOnly) PK11_GETTAB(mod)->C_Finalize(NULL);
+    }
+    mod->moduleID = 0;
+    mod->loaded = PR_FALSE;
+    
+    /* do we want the semantics to allow unloading the internal library?
+     * if not, we should change this to SECFailure and move it above the
+     * mod->loaded = PR_FALSE; */
+    if (mod->internal) {
+        if (0 == PR_AtomicDecrement(&softokenLoadCount)) {
+          if (softokenLib) {
+              disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+              if (!disableUnload) {
+                  PRStatus status = PR_UnloadLibrary(softokenLib);
+                  PORT_Assert(PR_SUCCESS == status);
+              }
+              softokenLib = NULL;
+          }
+          loadSoftokenOnce = pristineCallOnce;
+        }
+	return SECSuccess;
+    }
+
+    library = (PRLibrary *)mod->library;
+    /* paranoia */
+    if (library == NULL) {
+	return SECFailure;
+    }
+
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    if (!disableUnload) {
+        PR_UnloadLibrary(library);
+    }
+    return SECSuccess;
+}
+
+void
+nss_DumpModuleLog(void)
+{
+#ifdef DEBUG_MODULE
+    if (modToDBG) {
+	print_final_statistics();
+    }
+#endif
+}
diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c
new file mode 100644
index 000000000..1bc48738c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -0,0 +1,1863 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file maps various PKCS #11 Mechanisms to related mechanisms, key
+ * types, and ASN.1 encodings.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h" 
+#include "secoid.h"
+#include "secerr.h"
+
+/*************************************************************
+ * local static and global data
+ *************************************************************/
+
+/*
+ * Tables used for Extended mechanism mapping (currently not used)
+ */
+typedef struct {
+	CK_MECHANISM_TYPE keyGen;
+	CK_KEY_TYPE keyType;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_TYPE padType;
+	int blockSize;
+	int iv;
+} pk11MechanismData;
+	
+static pk11MechanismData pk11_default = 
+  { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, 
+	CKM_FAKE_RANDOM, CKM_FAKE_RANDOM, 8, 8 };
+static pk11MechanismData *pk11_MechanismTable = NULL;
+static int pk11_MechTableSize = 0;
+static int pk11_MechEntrySize = 0;
+
+/*
+ * list of mechanisms we're willing to wrap secret keys with.
+ * This list is ordered by preference.
+ */
+CK_MECHANISM_TYPE wrapMechanismList[] = {
+    CKM_DES3_ECB,
+    CKM_CAST5_ECB,
+    CKM_AES_ECB,
+    CKM_CAMELLIA_ECB,
+    CKM_CAST5_ECB,
+    CKM_DES_ECB,
+    CKM_KEY_WRAP_LYNKS,
+    CKM_IDEA_ECB,
+    CKM_CAST3_ECB,
+    CKM_CAST_ECB,
+    CKM_RC5_ECB,
+    CKM_RC2_ECB,
+    CKM_CDMF_ECB,
+    CKM_SKIPJACK_WRAP,
+};
+
+int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]);
+
+/*********************************************************************
+ *       Mechanism Mapping functions
+ *********************************************************************/
+
+/*
+ * lookup an entry in the mechanism table. If none found, return the
+ * default structure.
+ */
+static pk11MechanismData *
+pk11_lookup(CK_MECHANISM_TYPE type)
+{
+    int i;
+    for (i=0; i < pk11_MechEntrySize; i++) {
+	if (pk11_MechanismTable[i].type == type) {
+	     return (&pk11_MechanismTable[i]);
+	}
+    }
+    return &pk11_default;
+}
+
+/*
+ * find the best key wrap mechanism for this slot.
+ */
+CK_MECHANISM_TYPE
+PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
+{
+    int i;
+    for (i=0; i < wrapMechanismCount; i++) {
+	if (PK11_DoesMechanism(slot,wrapMechanismList[i])) {
+	    return wrapMechanismList[i];
+	}
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+/*
+ * NOTE: This is not thread safe. Called at init time, and when loading
+ * a new Entry. It is reasonably safe as long as it is not re-entered
+ * (readers will always see a consistant table)
+ *
+ * This routine is called to add entries to the mechanism table, once there,
+ * they can not be removed.
+ */
+void
+PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+		 	CK_MECHANISM_TYPE keyGen, 
+			CK_MECHANISM_TYPE padType,
+			int ivLen, int blockSize)
+{
+    int tableSize = pk11_MechTableSize;
+    int size = pk11_MechEntrySize;
+    int entry = size++;
+    pk11MechanismData *old = pk11_MechanismTable;
+    pk11MechanismData *newt = pk11_MechanismTable;
+
+	
+    if (size > tableSize) {
+	int oldTableSize = tableSize;
+	tableSize += 10;
+	newt = PORT_NewArray(pk11MechanismData, tableSize);
+	if (newt == NULL) return;
+
+	if (old) PORT_Memcpy(newt, old, oldTableSize*sizeof(*newt));
+    } else old = NULL;
+
+    newt[entry].type = type;
+    newt[entry].keyType = key;
+    newt[entry].keyGen = keyGen;
+    newt[entry].padType = padType;
+    newt[entry].iv = ivLen;
+    newt[entry].blockSize = blockSize;
+
+    pk11_MechanismTable = newt;
+    pk11_MechTableSize = tableSize;
+    pk11_MechEntrySize = size;
+    if (old) PORT_Free(old);
+}
+
+/*
+ * Get the key type needed for the given mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyMechanism(CK_KEY_TYPE type)
+{
+    switch (type) {
+    case CKK_CAMELLIA:
+	return CKM_CAMELLIA_CBC;
+    case CKK_AES:
+	return CKM_AES_CBC;
+    case CKK_DES:
+	return CKM_DES_CBC;
+    case CKK_DES3:
+	return CKM_DES3_KEY_GEN;
+    case CKK_DES2:
+	return CKM_DES2_KEY_GEN;
+    case CKK_CDMF:
+	return CKM_CDMF_CBC;
+    case CKK_RC2:
+	return CKM_RC2_CBC;
+    case CKK_RC4:
+	return CKM_RC4;
+    case CKK_RC5:
+	return CKM_RC5_CBC;
+    case CKK_SKIPJACK:
+	return CKM_SKIPJACK_CBC64;
+    case CKK_BATON:
+	return CKM_BATON_CBC128;
+    case CKK_JUNIPER:
+	return CKM_JUNIPER_CBC128;
+    case CKK_IDEA:
+	return CKM_IDEA_CBC;
+    case CKK_CAST:
+	return CKM_CAST_CBC;
+    case CKK_CAST3:
+	return CKM_CAST3_CBC;
+    case CKK_CAST5:
+	return CKM_CAST5_CBC;
+    case CKK_RSA:
+	return CKM_RSA_PKCS;
+    case CKK_DSA:
+	return CKM_DSA;
+    case CKK_DH:
+	return CKM_DH_PKCS_DERIVE;
+    case CKK_KEA:
+	return CKM_KEA_KEY_DERIVE;
+    case CKK_EC:  /* CKK_ECDSA is deprecated */
+	return CKM_ECDSA;
+    case CKK_GENERIC_SECRET:
+    default:
+	return CKM_SHA_1_HMAC;
+    }
+}
+
+/*
+ * Get the key type needed for the given mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
+{
+    switch (type) {
+    case CKM_CAMELLIA_ECB:
+    case CKM_CAMELLIA_CBC:
+    case CKM_CAMELLIA_MAC:
+    case CKM_CAMELLIA_MAC_GENERAL:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_CAMELLIA_KEY_GEN:
+	return CKK_CAMELLIA;
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_MAC:
+    case CKM_AES_MAC_GENERAL:
+    case CKM_AES_CBC_PAD:
+    case CKM_AES_KEY_GEN:
+    case CKM_NETSCAPE_AES_KEY_WRAP:
+    case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
+	return CKK_AES;
+    case CKM_DES_ECB:
+    case CKM_DES_CBC:
+    case CKM_DES_MAC:
+    case CKM_DES_MAC_GENERAL:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES_KEY_GEN:
+    case CKM_KEY_WRAP_LYNKS:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+	return CKK_DES;
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+    case CKM_DES3_MAC:
+    case CKM_DES3_MAC_GENERAL:
+    case CKM_DES3_CBC_PAD:
+	return (len == 16) ? CKK_DES2 : CKK_DES3;
+    case CKM_DES2_KEY_GEN:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+	return CKK_DES2;
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_DES3_KEY_GEN:
+	return CKK_DES3;
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+    case CKM_CDMF_MAC:
+    case CKM_CDMF_MAC_GENERAL:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CDMF_KEY_GEN:
+	return CKK_CDMF;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+    case CKM_RC2_MAC:
+    case CKM_RC2_MAC_GENERAL:
+    case CKM_RC2_CBC_PAD:
+    case CKM_RC2_KEY_GEN:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+	return CKK_RC2;
+    case CKM_RC4:
+    case CKM_RC4_KEY_GEN:
+	return CKK_RC4;
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+    case CKM_RC5_MAC:
+    case CKM_RC5_MAC_GENERAL:
+    case CKM_RC5_CBC_PAD:
+    case CKM_RC5_KEY_GEN:
+	return CKK_RC5;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_SKIPJACK_KEY_GEN:
+    case CKM_SKIPJACK_WRAP:
+    case CKM_SKIPJACK_PRIVATE_WRAP:
+	return CKK_SKIPJACK;
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_BATON_WRAP:
+    case CKM_BATON_KEY_GEN:
+	return CKK_BATON;
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+    case CKM_JUNIPER_WRAP:
+    case CKM_JUNIPER_KEY_GEN:
+	return CKK_JUNIPER;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+    case CKM_IDEA_MAC:
+    case CKM_IDEA_MAC_GENERAL:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_IDEA_KEY_GEN:
+	return CKK_IDEA;
+    case CKM_CAST_ECB:
+    case CKM_CAST_CBC:
+    case CKM_CAST_MAC:
+    case CKM_CAST_MAC_GENERAL:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST_KEY_GEN:
+    case CKM_PBE_MD5_CAST_CBC:
+	return CKK_CAST;
+    case CKM_CAST3_ECB:
+    case CKM_CAST3_CBC:
+    case CKM_CAST3_MAC:
+    case CKM_CAST3_MAC_GENERAL:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST3_KEY_GEN:
+    case CKM_PBE_MD5_CAST3_CBC:
+	return CKK_CAST3;
+    case CKM_CAST5_ECB:
+    case CKM_CAST5_CBC:
+    case CKM_CAST5_MAC:
+    case CKM_CAST5_MAC_GENERAL:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_CAST5_KEY_GEN:
+    case CKM_PBE_MD5_CAST5_CBC:
+	return CKK_CAST5;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_MD2_RSA_PKCS:
+    case CKM_MD5_RSA_PKCS:
+    case CKM_SHA1_RSA_PKCS:
+    case CKM_SHA256_RSA_PKCS:
+    case CKM_SHA384_RSA_PKCS:
+    case CKM_SHA512_RSA_PKCS:
+    case CKM_KEY_WRAP_SET_OAEP:
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+    case CKM_RSA_X9_31_KEY_PAIR_GEN:
+	return CKK_RSA;
+    case CKM_DSA:
+    case CKM_DSA_SHA1:
+    case CKM_DSA_KEY_PAIR_GEN:
+	return CKK_DSA;
+    case CKM_DH_PKCS_DERIVE:
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+	return CKK_DH;
+    case CKM_KEA_KEY_DERIVE:
+    case CKM_KEA_KEY_PAIR_GEN:
+	return CKK_KEA;
+    case CKM_ECDSA:
+    case CKM_ECDSA_SHA1:
+    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
+    case CKM_ECDH1_DERIVE:
+	return CKK_EC;  /* CKK_ECDSA is deprecated */
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_GENERIC_SECRET_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_MASTER_KEY_DERIVE_DH:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+    case CKM_SHA_1_HMAC:
+    case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_SHA256_HMAC:
+    case CKM_SHA256_HMAC_GENERAL:
+    case CKM_SHA384_HMAC:
+    case CKM_SHA384_HMAC_GENERAL:
+    case CKM_SHA512_HMAC:
+    case CKM_SHA512_HMAC_GENERAL:
+    case CKM_MD2_HMAC:
+    case CKM_MD2_HMAC_GENERAL:
+    case CKM_MD5_HMAC:
+    case CKM_MD5_HMAC_GENERAL:
+    case CKM_TLS_PRF_GENERAL:
+	return CKK_GENERIC_SECRET;
+    default:
+	return pk11_lookup(type)->keyType;
+    }
+}
+
+/*
+ * Get the Key Gen Mechanism needed for the given 
+ * crypto mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyGen(CK_MECHANISM_TYPE type)
+{
+    return PK11_GetKeyGenWithSize(type, 0);
+}
+
+CK_MECHANISM_TYPE
+PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
+{
+    switch (type) {
+    case CKM_CAMELLIA_ECB:
+    case CKM_CAMELLIA_CBC:
+    case CKM_CAMELLIA_MAC:
+    case CKM_CAMELLIA_MAC_GENERAL:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_CAMELLIA_KEY_GEN:
+	return CKM_CAMELLIA_KEY_GEN;
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_MAC:
+    case CKM_AES_MAC_GENERAL:
+    case CKM_AES_CBC_PAD:
+    case CKM_AES_KEY_GEN:
+	return CKM_AES_KEY_GEN;
+    case CKM_DES_ECB:
+    case CKM_DES_CBC:
+    case CKM_DES_MAC:
+    case CKM_DES_MAC_GENERAL:
+    case CKM_KEY_WRAP_LYNKS:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES_KEY_GEN:
+	return CKM_DES_KEY_GEN;
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+    case CKM_DES3_MAC:
+    case CKM_DES3_MAC_GENERAL:
+    case CKM_DES3_CBC_PAD:
+	return (size == 16) ? CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN;
+    case CKM_DES3_KEY_GEN:
+	return CKM_DES3_KEY_GEN;
+    case CKM_DES2_KEY_GEN:
+	return CKM_DES2_KEY_GEN;
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+    case CKM_CDMF_MAC:
+    case CKM_CDMF_MAC_GENERAL:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CDMF_KEY_GEN:
+	return CKM_CDMF_KEY_GEN;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+    case CKM_RC2_MAC:
+    case CKM_RC2_MAC_GENERAL:
+    case CKM_RC2_CBC_PAD:
+    case CKM_RC2_KEY_GEN:
+	return CKM_RC2_KEY_GEN;
+    case CKM_RC4:
+    case CKM_RC4_KEY_GEN:
+	return CKM_RC4_KEY_GEN;
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+    case CKM_RC5_MAC:
+    case CKM_RC5_MAC_GENERAL:
+    case CKM_RC5_CBC_PAD:
+    case CKM_RC5_KEY_GEN:
+	return CKM_RC5_KEY_GEN;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_SKIPJACK_WRAP:
+    case CKM_SKIPJACK_KEY_GEN:
+	return CKM_SKIPJACK_KEY_GEN;
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_BATON_WRAP:
+    case CKM_BATON_KEY_GEN:
+	return CKM_BATON_KEY_GEN;
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+    case CKM_JUNIPER_WRAP:
+    case CKM_JUNIPER_KEY_GEN:
+	return CKM_JUNIPER_KEY_GEN;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+    case CKM_IDEA_MAC:
+    case CKM_IDEA_MAC_GENERAL:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_IDEA_KEY_GEN:
+	return CKM_IDEA_KEY_GEN;
+    case CKM_CAST_ECB:
+    case CKM_CAST_CBC:
+    case CKM_CAST_MAC:
+    case CKM_CAST_MAC_GENERAL:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST_KEY_GEN:
+	return CKM_CAST_KEY_GEN;
+    case CKM_CAST3_ECB:
+    case CKM_CAST3_CBC:
+    case CKM_CAST3_MAC:
+    case CKM_CAST3_MAC_GENERAL:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST3_KEY_GEN:
+	return CKM_CAST3_KEY_GEN;
+    case CKM_CAST5_ECB:
+    case CKM_CAST5_CBC:
+    case CKM_CAST5_MAC:
+    case CKM_CAST5_MAC_GENERAL:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_CAST5_KEY_GEN:
+	return CKM_CAST5_KEY_GEN;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_MD2_RSA_PKCS:
+    case CKM_MD5_RSA_PKCS:
+    case CKM_SHA1_RSA_PKCS:
+    case CKM_SHA256_RSA_PKCS:
+    case CKM_SHA384_RSA_PKCS:
+    case CKM_SHA512_RSA_PKCS:
+    case CKM_KEY_WRAP_SET_OAEP:
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	return CKM_RSA_PKCS_KEY_PAIR_GEN;
+    case CKM_RSA_X9_31_KEY_PAIR_GEN:
+	return CKM_RSA_X9_31_KEY_PAIR_GEN;
+    case CKM_DSA:
+    case CKM_DSA_SHA1:
+    case CKM_DSA_KEY_PAIR_GEN:
+	return CKM_DSA_KEY_PAIR_GEN;
+    case CKM_DH_PKCS_DERIVE:
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+	return CKM_DH_PKCS_KEY_PAIR_GEN;
+    case CKM_KEA_KEY_DERIVE:
+    case CKM_KEA_KEY_PAIR_GEN:
+	return CKM_KEA_KEY_PAIR_GEN;
+    case CKM_ECDSA:
+    case CKM_ECDSA_SHA1:
+    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
+    case CKM_ECDH1_DERIVE:
+        return CKM_EC_KEY_PAIR_GEN; 
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	return CKM_SSL3_PRE_MASTER_KEY_GEN;
+    case CKM_SHA_1_HMAC:
+    case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_SHA256_HMAC:
+    case CKM_SHA256_HMAC_GENERAL:
+    case CKM_SHA384_HMAC:
+    case CKM_SHA384_HMAC_GENERAL:
+    case CKM_SHA512_HMAC:
+    case CKM_SHA512_HMAC_GENERAL:
+    case CKM_MD2_HMAC:
+    case CKM_MD2_HMAC_GENERAL:
+    case CKM_MD5_HMAC:
+    case CKM_MD5_HMAC_GENERAL:
+    case CKM_TLS_PRF_GENERAL:
+    case CKM_GENERIC_SECRET_KEY_GEN:
+	return CKM_GENERIC_SECRET_KEY_GEN;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PKCS5_PBKD2:
+    	return type;
+    default:
+	return pk11_lookup(type)->keyGen;
+    }
+}
+
+/*
+ * get the mechanism block size
+ */
+int
+PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params)
+{
+    CK_RC5_PARAMS *rc5_params;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params;
+    switch (type) {
+    case CKM_RC5_ECB:
+	if ((params) && (params->data)) {
+	    rc5_params = (CK_RC5_PARAMS *) params->data;
+	    return (rc5_params->ulWordsize)*2;
+	}
+	return 8;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	if ((params) && (params->data)) {
+	    rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data;
+	    return (rc5_cbc_params->ulWordsize)*2;
+	}
+	return 8;
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RC2_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC2_CBC:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_RC2_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+	return 8;
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	return 4;
+    case CKM_CAMELLIA_ECB:
+    case CKM_CAMELLIA_CBC:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_CBC_PAD:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	return 16;
+    case CKM_BATON_ECB96:
+	return 12;
+    case CKM_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return 0;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+	/*actually it's the modulus length of the key!*/
+	return -1;	/* failure */
+    default:
+	return pk11_lookup(type)->blockSize;
+    }
+}
+
+/*
+ * get the iv length
+ */
+int
+PK11_GetIVLength(CK_MECHANISM_TYPE type)
+{
+    switch (type) {
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RC2_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_SKIPJACK_WRAP:
+    case CKM_BATON_WRAP:
+    case CKM_RC5_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	return 0;
+    case CKM_RC2_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_RC5_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_RC2_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_RC5_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+	return 8;
+    case CKM_CAMELLIA_CBC:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_AES_CBC:
+    case CKM_AES_CBC_PAD:
+	return 16;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	return 24;
+    case CKM_RC4:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return 0;
+    default:
+	return pk11_lookup(type)->iv;
+    }
+}
+
+
+/* These next two utilities are here to help facilitate future
+ * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
+ * like SSL and S-MIME to automatically add them.
+ */
+SECItem *
+pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, SECItem *iv, int keyLen)
+{
+    CK_RC2_CBC_PARAMS *rc2_params = NULL;
+    CK_RC2_PARAMS *rc2_ecb_params = NULL;
+    CK_RC5_PARAMS *rc5_params = NULL;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL;
+    SECItem *param;
+
+    param = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (param == NULL) return NULL;
+    param->data = NULL;
+    param->len = 0;
+    param->type = 0;
+    switch (type) {
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+    case CKM_RSA_9796:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC4:
+	break;
+    case CKM_RC2_ECB:
+	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+	if (rc2_ecb_params == NULL) break;
+	/*  Maybe we should pass the key size in too to get this value? */
+	*rc2_ecb_params = keyLen ? keyLen*8 : 128;
+	param->data = (unsigned char *) rc2_ecb_params;
+	param->len = sizeof(CK_RC2_PARAMS);
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+	if (rc2_params == NULL) break;
+	/* Maybe we should pass the key size in too to get this value? */
+	rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128;
+	if (iv && iv->data)
+	    PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv));
+	param->data = (unsigned char *) rc2_params;
+	param->len = sizeof(CK_RC2_CBC_PARAMS);
+	break;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
+		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0));
+	if (rc5_cbc_params == NULL) break;
+	if (iv && iv->data && iv->len) {
+	    rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params) 
+						+ sizeof(CK_RC5_CBC_PARAMS);
+	    PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len);
+	    rc5_cbc_params->ulIvLen = iv->len;
+	    rc5_cbc_params->ulWordsize = iv->len/2;
+	} else {
+	    rc5_cbc_params->ulWordsize = 4;
+	    rc5_cbc_params->pIv = NULL;
+	    rc5_cbc_params->ulIvLen = 0;
+	}
+	rc5_cbc_params->ulRounds = 16;
+	param->data = (unsigned char *) rc5_cbc_params;
+	param->len = sizeof(CK_RC5_CBC_PARAMS);
+	break;
+    case CKM_RC5_ECB:
+	rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
+	if (rc5_params == NULL) break;
+	if (iv && iv->data && iv->len) {
+	    rc5_params->ulWordsize = iv->len/2;
+	} else {
+	    rc5_params->ulWordsize = 4;
+	}
+	rc5_params->ulRounds = 16;
+	param->data = (unsigned char *) rc5_params;
+	param->len = sizeof(CK_RC5_PARAMS);
+	break;
+    case CKM_CAMELLIA_CBC:
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_AES_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	if ((iv == NULL) || (iv->data == NULL)) break;
+	param->data = (unsigned char*)PORT_Alloc(iv->len);
+	if (param->data != NULL) {
+	    PORT_Memcpy(param->data,iv->data,iv->len);
+	    param->len = iv->len;
+	}
+	break;
+     /* unknown mechanism, pass IV in if it's there */
+     default:
+	if (pk11_lookup(type)->iv == 0) {
+	    break;
+	}
+	if ((iv == NULL) || (iv->data == NULL)) {
+	    break;
+	}
+	param->data = (unsigned char*)PORT_Alloc(iv->len);
+	if (param->data != NULL) {
+	    PORT_Memcpy(param->data,iv->data,iv->len);
+	    param->len = iv->len;
+	}
+	break;
+     }
+     return param;
+}
+
+/* These next two utilities are here to help facilitate future
+ * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
+ * like SSL and S-MIME to automatically add them.
+ */
+SECItem *
+PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv)
+{
+    return pk11_ParamFromIVWithLen(type, iv, 0);
+}
+
+unsigned char *
+PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
+{
+    CK_RC2_CBC_PARAMS *rc2_params;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params;
+
+    *len = 0;
+    switch (type) {
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+    case CKM_RSA_9796:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC4:
+	return NULL;
+    case CKM_RC2_ECB:
+	return NULL;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+        *len = sizeof(rc2_params->iv);
+	return &rc2_params->iv[0];
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data;
+	*len = rc5_cbc_params->ulIvLen;
+	return rc5_cbc_params->pIv;
+    case CKM_CAMELLIA_CBC:
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_AES_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	break;
+     /* unknown mechanism, pass IV in if it's there */
+     default:
+	break;
+     }
+     if (param->data) {
+	*len = param->len;
+     }
+     return param->data;
+}
+
+typedef struct sec_rc5cbcParameterStr {
+    SECItem version;
+    SECItem rounds;
+    SECItem blockSizeInBits;
+    SECItem iv;
+} sec_rc5cbcParameter;
+
+static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc5cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,version) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,rounds) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc5cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,version) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,rounds) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(sec_rc5cbcParameter,iv) },
+    { 0 }
+};
+
+typedef struct sec_rc2cbcParameterStr {
+    SECItem rc2ParameterVersion;
+    SECItem iv;
+} sec_rc2cbcParameter;
+
+static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc2cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(sec_rc2cbcParameter,iv) },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc2cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+    { 0 }
+};
+
+/* S/MIME picked id values to represent differnt keysizes */
+/* I do have a formula, but it ain't pretty, and it only works because you
+ * can always match three points to a parabola:) */
+static unsigned char  rc2_map(SECItem *version)
+{
+    long x;
+
+    x = DER_GetInteger(version);
+    
+    switch (x) {
+        case 58: return 128;
+        case 120: return 64;
+        case 160: return 40;
+    }
+    return 128; 
+}
+
+static unsigned long  rc2_unmap(unsigned long x)
+{
+    switch (x) {
+        case 128: return 58;
+        case 64: return 120;
+        case 40: return 160;
+    }
+    return 58; 
+}
+
+
+
+/* Generate a mechaism param from a type, and iv. */
+SECItem *
+PK11_ParamFromAlgid(SECAlgorithmID *algid)
+{
+    CK_RC2_CBC_PARAMS * rc2_cbc_params = NULL;
+    CK_RC2_PARAMS *     rc2_ecb_params = NULL;
+    CK_RC5_CBC_PARAMS * rc5_cbc_params = NULL;
+    CK_RC5_PARAMS *     rc5_ecb_params = NULL;
+    PRArenaPool *       arena          = NULL;
+    SECItem *           mech           = NULL;
+    SECOidTag           algtag;
+    SECStatus           rv;
+    CK_MECHANISM_TYPE   type;
+    /* initialize these to prevent UMRs in the ASN1 decoder. */
+    SECItem             iv  =   {siBuffer, NULL, 0};
+    sec_rc2cbcParameter rc2 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0} };
+    sec_rc5cbcParameter rc5 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0},
+                                {siBuffer, NULL, 0}, {siBuffer, NULL, 0} };
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+    type = PK11_AlgtagToMechanism(algtag);
+
+    mech = PORT_New(SECItem);
+    if (mech == NULL) {
+    	return NULL;
+    }
+    mech->type = siBuffer;
+    mech->data = NULL;
+    mech->len  = 0;
+
+    arena = PORT_NewArena(1024);
+    if (!arena) {
+    	goto loser;
+    }
+
+    /* handle the complicated cases */
+    switch (type) {
+    case CKM_RC2_ECB:
+        rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2ecb_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    goto loser;
+	}
+	rc2_ecb_params = PORT_New(CK_RC2_PARAMS);
+	if (rc2_ecb_params == NULL) {
+	    goto loser;
+	}
+	*rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion);
+	mech->data = (unsigned char *) rc2_ecb_params;
+	mech->len  = sizeof *rc2_ecb_params;
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+        rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2cbc_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    goto loser;
+	}
+	rc2_cbc_params = PORT_New(CK_RC2_CBC_PARAMS);
+	if (rc2_cbc_params == NULL) {
+	    goto loser;
+	}
+	mech->data = (unsigned char *) rc2_cbc_params;
+	mech->len  = sizeof *rc2_cbc_params;
+	rc2_cbc_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion);
+	if (rc2.iv.len != sizeof rc2_cbc_params->iv) {
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    goto loser;
+	}
+	PORT_Memcpy(rc2_cbc_params->iv, rc2.iv.data, rc2.iv.len);
+	break;
+    case CKM_RC5_ECB:
+        rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5ecb_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    goto loser;
+	}
+	rc5_ecb_params = PORT_New(CK_RC5_PARAMS);
+	if (rc5_ecb_params == NULL) {
+	    goto loser;
+	}
+	rc5_ecb_params->ulRounds   = DER_GetInteger(&rc5.rounds);
+	rc5_ecb_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+	mech->data = (unsigned char *) rc5_ecb_params;
+	mech->len = sizeof *rc5_ecb_params;
+	break;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+        rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5cbc_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    goto loser;
+	}
+	rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
+		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len);
+	if (rc5_cbc_params == NULL) {
+	    goto loser;
+	}
+	mech->data = (unsigned char *) rc5_cbc_params;
+	mech->len = sizeof *rc5_cbc_params;
+	rc5_cbc_params->ulRounds   = DER_GetInteger(&rc5.rounds);
+	rc5_cbc_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+        rc5_cbc_params->pIv        = ((CK_BYTE_PTR)rc5_cbc_params)
+						+ sizeof(CK_RC5_CBC_PARAMS);
+        rc5_cbc_params->ulIvLen    = rc5.iv.len;
+	PORT_Memcpy(rc5_cbc_params->pIv, rc5.iv.data, rc5.iv.len);
+	break;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+    case CKM_PKCS5_PBKD2:
+	rv = pbe_PK11AlgidToParam(algid,mech);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	break;
+    case CKM_RC4:
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	break;
+
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    break;
+	}
+	/* FALL THROUGH */
+    case CKM_CAMELLIA_CBC:
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_CAMELLIA_CBC_PAD:
+    case CKM_AES_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	/* simple cases are simply octet string encoded IVs */
+	rv = SEC_ASN1DecodeItem(arena, &iv,
+                                SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                &(algid->parameters));
+	if (rv != SECSuccess || iv.data == NULL) {
+	    goto loser;
+	}
+	/* XXX Should be some IV length sanity check here. */
+	mech->data = (unsigned char*)PORT_Alloc(iv.len);
+	if (mech->data == NULL) {
+	    goto loser;
+	}
+	PORT_Memcpy(mech->data, iv.data, iv.len);
+	mech->len = iv.len;
+	break;
+    }
+    PORT_FreeArena(arena, PR_FALSE);
+    return mech;
+
+loser:
+    if (arena)
+    	PORT_FreeArena(arena, PR_FALSE);
+    SECITEM_FreeItem(mech,PR_TRUE);
+    return NULL;
+}
+
+/*
+ * Generate an IV for the given mechanism 
+ */
+static SECStatus
+pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
+    int iv_size = PK11_GetIVLength(type);
+    SECStatus rv;
+
+    iv->len = iv_size;
+    if (iv_size == 0) { 
+	iv->data = NULL;
+	return SECSuccess;
+    }
+
+    iv->data = (unsigned char *) PORT_Alloc(iv_size);
+    if (iv->data == NULL) {
+	iv->len = 0;
+	return SECFailure;
+    }
+
+    rv = PK11_GenerateRandom(iv->data,iv->len);
+    if (rv != SECSuccess) {
+	PORT_Free(iv->data);
+	iv->data = NULL; iv->len = 0;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * create a new paramter block from the passed in MECHANISM and the
+ * key. Use Netscape's S/MIME Rules for the New param block.
+ */
+SECItem *
+pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) 
+{ 
+    CK_RC2_CBC_PARAMS *rc2_params;
+    CK_RC2_PARAMS *rc2_ecb_params;
+    SECItem *mech;
+    SECItem iv;
+    SECStatus rv;
+
+
+    mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
+    if (mech == NULL) return NULL;
+
+    rv = SECSuccess;
+    mech->type = siBuffer;
+    switch (type) {
+    case CKM_RC4:
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	mech->data = NULL;
+	mech->len = 0;
+	break;
+    case CKM_RC2_ECB:
+	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+	if (rc2_ecb_params == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+	*rc2_ecb_params = keyLen ? keyLen*8 : 128;
+	mech->data = (unsigned char *) rc2_ecb_params;
+	mech->len = sizeof(CK_RC2_PARAMS);
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+	if (rc2_params == NULL) {
+	    PORT_Free(iv.data);
+	    rv = SECFailure;
+	    break;
+	}
+	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+	rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128;
+	if (iv.data)
+	    PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
+	mech->data = (unsigned char *) rc2_params;
+	mech->len = sizeof(CK_RC2_CBC_PARAMS);
+	PORT_Free(iv.data);
+	break;
+    case CKM_RC5_ECB:
+        PORT_Free(mech);
+	return PK11_ParamFromIV(type,NULL);
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+        PORT_Free(mech);
+	return PK11_ParamFromIV(type,&iv);
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    mech->data = NULL;
+	    mech->len = 0;
+	    break;
+	}
+    case CKM_CAMELLIA_CBC:
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	mech->data = (unsigned char*)PORT_Alloc(iv.len);
+	if (mech->data == NULL) {
+	    PORT_Free(iv.data);
+	    rv = SECFailure;
+	    break;
+	}
+	PORT_Memcpy(mech->data,iv.data,iv.len);
+	mech->len = iv.len;
+        PORT_Free(iv.data);
+	break;
+    }
+    if (rv !=  SECSuccess) {
+	SECITEM_FreeItem(mech,PR_TRUE);
+	return NULL;
+    }
+    return mech;
+
+}
+
+SECItem *
+PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) 
+{ 
+    int keyLen = key ? PK11_GetKeyLength(key) :  0;
+
+    return pk11_GenerateNewParamWithKeyLen(type, keyLen);
+}
+
+#define RC5_V10 0x10
+
+/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */
+SECStatus
+PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, 
+				PRArenaPool *arena, SECAlgorithmID *algid) {
+    CK_RC2_CBC_PARAMS *rc2_params;
+    sec_rc2cbcParameter rc2;
+    CK_RC5_CBC_PARAMS *rc5_params;
+    sec_rc5cbcParameter rc5;
+    CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag);
+    SECItem *newParams = NULL;
+    SECStatus rv = SECFailure;
+    unsigned long rc2version;
+
+    switch (type) {
+    case CKM_RC4:
+    case CKM_CAMELLIA_ECB:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	newParams = NULL;
+	rv = SECSuccess;
+	break;
+    case CKM_RC2_ECB:
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+	rc2version = rc2_unmap(rc2_params->ulEffectiveBits);
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion),
+					   rc2version) == NULL)
+	    break;
+	rc2.iv.data = rc2_params->iv;
+	rc2.iv.len = sizeof(rc2_params->iv);
+	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2,
+                                         sec_rc2cbc_parameter_template);
+        PORT_Free(rc2.rc2ParameterVersion.data);
+	if (newParams == NULL)
+	    break;
+	rv = SECSuccess;
+	break;
+
+    case CKM_RC5_ECB: /* well not really... */
+	break;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_params = (CK_RC5_CBC_PARAMS *)param->data;
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL)
+	    break;
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits, 
+					rc5_params->ulWordsize*8) == NULL) {
+            PORT_Free(rc5.version.data);
+	    break;
+	}
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds, 
+					rc5_params->ulWordsize*8) == NULL) {
+            PORT_Free(rc5.blockSizeInBits.data);
+            PORT_Free(rc5.version.data);
+	    break;
+	}
+	rc5.iv.data = rc5_params->pIv;
+	rc5.iv.len = rc5_params->ulIvLen;
+	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5,
+                                         sec_rc5cbc_parameter_template);
+        PORT_Free(rc5.version.data);
+        PORT_Free(rc5.blockSizeInBits.data);
+        PORT_Free(rc5.rounds.data);
+	if (newParams == NULL)
+	    break;
+	rv = SECSuccess;
+	break;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return PBE_PK11ParamToAlgid(algTag, param, arena, algid);
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    rv = SECSuccess;
+	    newParams = NULL;
+	    break;
+	}
+    case CKM_CAMELLIA_CBC:
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	newParams = SEC_ASN1EncodeItem(NULL,NULL,param,
+                                       SEC_ASN1_GET(SEC_OctetStringTemplate) );
+	if (newParams == NULL)
+	    break;
+	rv = SECSuccess;
+	break;
+    }
+
+    if (rv !=  SECSuccess) {
+	if (newParams) SECITEM_FreeItem(newParams,PR_TRUE);
+	return rv;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams);
+    SECITEM_FreeItem(newParams,PR_TRUE);
+    return rv;
+}
+
+/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
+ * map OID's directly into the PKCS #11 mechanism we want to call. We find
+ * this mapping in our standard OID table */
+CK_MECHANISM_TYPE
+PK11_AlgtagToMechanism(SECOidTag algTag) {
+    SECOidData *oid = SECOID_FindOIDByTag(algTag);
+
+    if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
+    return CKM_INVALID_MECHANISM;
+}
+
+/* turn a mechanism into an oid. */
+SECOidTag
+PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) {
+    SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type);
+
+    if (oid) return oid->offset;
+    return SEC_OID_UNKNOWN;
+}
+
+/* Determine appropriate blocking mechanism, used when wrapping private keys
+ * which require PKCS padding.  If the mechanism does not map to a padding
+ * mechanism, we simply return the mechanism.
+ */
+CK_MECHANISM_TYPE
+PK11_GetPadMechanism(CK_MECHANISM_TYPE type) {
+    switch(type) {
+	case CKM_CAMELLIA_CBC:
+	    return CKM_CAMELLIA_CBC_PAD;
+	case CKM_AES_CBC:
+	    return CKM_AES_CBC_PAD;
+	case CKM_DES_CBC:
+	    return CKM_DES_CBC_PAD;
+	case CKM_DES3_CBC:
+	    return CKM_DES3_CBC_PAD;
+	case CKM_RC2_CBC:
+	    return CKM_RC2_CBC_PAD;
+	case CKM_CDMF_CBC:
+	    return CKM_CDMF_CBC_PAD;
+	case CKM_CAST_CBC:
+	    return CKM_CAST_CBC_PAD;
+	case CKM_CAST3_CBC:
+	    return CKM_CAST3_CBC_PAD;
+	case CKM_CAST5_CBC:
+	    return CKM_CAST5_CBC_PAD;
+	case CKM_RC5_CBC:
+	    return CKM_RC5_CBC_PAD; 
+	case CKM_IDEA_CBC:
+	    return CKM_IDEA_CBC_PAD; 
+	default:
+	    break;
+    }
+
+    return type;
+}
+	    
+static PRBool
+pk11_isAllZero(unsigned char *data,int len) {
+    while (len--) {
+	if (*data++) {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+CK_RV
+PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, 
+				      CK_MECHANISM_PTR pCryptoMechanism,
+				      SECItem *pbe_pwd, PRBool faulty3DES)
+{
+    int iv_len = 0;
+    CK_PBE_PARAMS_PTR pPBEparams;
+    CK_RC2_CBC_PARAMS_PTR rc2_params;
+    CK_ULONG rc2_key_len;
+
+    if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /* pkcs5 v2 cannot be supported by this interface.
+     * use PK11_GetPBECryptoMechanism instead.
+     */
+    if ((pPBEMechanism->mechanism == CKM_INVALID_MECHANISM) || 
+	(pPBEMechanism->mechanism == CKM_PKCS5_PBKD2)) {
+	return CKR_MECHANISM_INVALID;
+    }
+
+    pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
+    iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);
+
+    if (iv_len) {
+	if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) {
+	    SECItem param;
+	    PK11SymKey *symKey;
+	    PK11SlotInfo *intSlot = PK11_GetInternalSlot();
+
+	    if (intSlot == NULL) {
+		return CKR_DEVICE_ERROR;
+	    }
+
+	    param.data = pPBEMechanism->pParameter;
+	    param.len = pPBEMechanism->ulParameterLen;
+
+	    symKey = PK11_RawPBEKeyGen(intSlot,
+		pPBEMechanism->mechanism, &param, pbe_pwd, faulty3DES, NULL);
+	    PK11_FreeSlot(intSlot);
+	    if (symKey== NULL) {
+		return CKR_DEVICE_ERROR; /* sigh */
+	    }
+	    PK11_FreeSymKey(symKey);
+	}
+    }
+
+    switch(pPBEMechanism->mechanism) {
+	case CKM_PBE_MD2_DES_CBC:
+	case CKM_PBE_MD5_DES_CBC:
+	case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+	    pCryptoMechanism->mechanism = CKM_DES_CBC;
+	    goto have_crypto_mechanism;
+	case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+	case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+	case CKM_PBE_SHA1_DES3_EDE_CBC:
+	case CKM_PBE_SHA1_DES2_EDE_CBC:
+	    pCryptoMechanism->mechanism = CKM_DES3_CBC;
+have_crypto_mechanism:
+	    pCryptoMechanism->pParameter = PORT_Alloc(iv_len);
+	    pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len;
+	    if(pCryptoMechanism->pParameter == NULL) {
+		return CKR_HOST_MEMORY;
+	    }
+	    PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter),
+			(unsigned char *)(pPBEparams->pInitVector),
+			iv_len);
+	    break;
+	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+	case CKM_PBE_SHA1_RC4_40:
+	case CKM_PBE_SHA1_RC4_128:
+	    pCryptoMechanism->mechanism = CKM_RC4;
+	    pCryptoMechanism->ulParameterLen = 0;
+	    pCryptoMechanism->pParameter = CK_NULL_PTR;
+	    break;
+	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+	case CKM_PBE_SHA1_RC2_40_CBC:
+	    rc2_key_len = 40;
+	    goto have_key_len;
+	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+	    rc2_key_len = 128;
+have_key_len:
+	    pCryptoMechanism->mechanism = CKM_RC2_CBC;
+	    pCryptoMechanism->ulParameterLen = (CK_ULONG)
+						sizeof(CK_RC2_CBC_PARAMS);
+	    pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR)
+				PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS));
+	    if(pCryptoMechanism->pParameter == NULL) {
+		return CKR_HOST_MEMORY;
+	    }
+	    rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter;
+	    PORT_Memcpy((unsigned char *)rc2_params->iv,
+	    		(unsigned char *)pPBEparams->pInitVector,
+	    		iv_len);
+	    rc2_params->ulEffectiveBits = rc2_key_len;
+	    break;
+	default:
+	    return CKR_MECHANISM_INVALID;
+    }
+
+    return CKR_OK;
+}
+
+/* Make a Key type to an appropriate signing/verification mechanism */
+CK_MECHANISM_TYPE
+PK11_MapSignKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    case fortezzaKey:
+    case dsaKey:
+	return CKM_DSA;
+    case ecKey:
+	return CKM_ECDSA;
+    case dhKey:
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+CK_MECHANISM_TYPE
+pk11_mapWrapKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    /* Add fortezza?? */
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+SECOidTag 
+PK11_FortezzaMapSig(SECOidTag algTag)
+{
+    switch (algTag) {
+    case SEC_OID_MISSI_KEA_DSS:
+    case SEC_OID_MISSI_DSS:
+    case SEC_OID_MISSI_DSS_OLD:
+    case SEC_OID_MISSI_KEA_DSS_OLD:
+    case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	return SEC_OID_ANSIX9_DSA_SIGNATURE;
+    default:
+	break;
+    }
+    return algTag;
+}
diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c
new file mode 100644
index 000000000..ef0be3432
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -0,0 +1,1329 @@
+/*
+ * Merge the source token into the target token.
+ */
+
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pk11pub.h"
+#include "pk11priv.h"
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "secerr.h"
+#include "keyhi.h"
+#include "hasht.h"
+#include "cert.h"
+
+/*************************************************************************
+ *
+ *             short utilities to aid in the merge
+ *
+ *************************************************************************/
+
+/*
+ * write a bunch of attributes out to an existing object.
+ */
+static SECStatus
+pk11_setAttributes(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+		CK_ATTRIBUTE *setTemplate, CK_ULONG setTemplCount)
+{
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
+			setTemplate, setTemplCount);
+    PK11_RestoreROSession(slot, rwsession);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * copy a template of attributes from a source object to a target object.
+ * if target object is not given, create it.
+ */
+static SECStatus
+pk11_copyAttributes(PRArenaPool *arena, 
+	PK11SlotInfo *targetSlot, CK_OBJECT_HANDLE targetID,
+	PK11SlotInfo *sourceSlot, CK_OBJECT_HANDLE sourceID,
+	CK_ATTRIBUTE *copyTemplate, CK_ULONG copyTemplateCount)
+{
+    SECStatus rv = PK11_GetAttributes(arena, sourceSlot, sourceID, 
+				copyTemplate, copyTemplateCount);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (targetID == CK_INVALID_HANDLE) {
+	/* we need to create the object */
+	rv = PK11_CreateNewObject(targetSlot, CK_INVALID_SESSION, 
+		copyTemplate, copyTemplateCount, PR_TRUE, &targetID);
+    } else {
+	/* update the existing object with the new attributes */
+	rv = pk11_setAttributes(targetSlot, targetID, 
+			copyTemplate, copyTemplateCount);
+    }
+    return rv;
+}
+
+/*
+ * look for a matching object across tokens.
+ */
+static SECStatus
+pk11_matchAcrossTokens(PRArenaPool *arena, PK11SlotInfo *targetSlot, 
+		       PK11SlotInfo *sourceSlot,
+		       CK_ATTRIBUTE *template, CK_ULONG tsize, 
+		       CK_OBJECT_HANDLE id, CK_OBJECT_HANDLE *peer)
+{
+
+    CK_RV crv;
+    *peer = CK_INVALID_HANDLE;
+
+    crv = PK11_GetAttributes(arena, sourceSlot, id, template, tsize);
+    if (crv != CKR_OK) {
+ 	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    if (template[0].ulValueLen == -1) {
+	crv = CKR_ATTRIBUTE_TYPE_INVALID;
+ 	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    *peer = pk11_FindObjectByTemplate(targetSlot, template, tsize);
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+/*
+ * Encrypt using key and parameters
+ */
+SECStatus
+pk11_encrypt(PK11SymKey *symKey, CK_MECHANISM_TYPE mechType, SECItem *param,
+	SECItem *input, SECItem **output)
+{
+    PK11Context *ctxt = NULL;
+    SECStatus rv = SECSuccess;
+
+    if (*output) {
+	SECITEM_FreeItem(*output,PR_TRUE);
+    }
+    *output = SECITEM_AllocItem(NULL, NULL, input->len+20 /*slop*/);
+    if (!*output) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    ctxt = PK11_CreateContextBySymKey(mechType, CKA_ENCRYPT, symKey, param);
+    if (ctxt == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    rv = PK11_CipherOp(ctxt, (*output)->data, 
+		(int *)&((*output)->len), 
+		(*output)->len, input->data, input->len);
+
+done:
+    if (ctxt) {
+	PK11_Finalize(ctxt);
+	PK11_DestroyContext(ctxt,PR_TRUE);
+    }
+    if (rv != SECSuccess) {
+	if (*output) {
+	    SECITEM_FreeItem(*output, PR_TRUE);
+	    *output = NULL;
+	}
+    }
+    return rv;
+}
+
+
+
+/*************************************************************************
+ *
+ *            Private Keys
+ *
+ *************************************************************************/
+
+/*
+ * Fetch the key usage based on the pkcs #11 flags
+ */
+unsigned int
+pk11_getPrivateKeyUsage(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
+{
+    unsigned int usage = 0;
+
+    if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP) || 
+			PK11_HasAttributeSet(slot,id, CKA_DECRYPT))) {
+	usage |= KU_KEY_ENCIPHERMENT;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
+	usage |= KU_KEY_AGREEMENT;
+    }
+    if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER) || 
+			PK11_HasAttributeSet(slot, id, CKA_SIGN))) {
+	usage |= KU_DIGITAL_SIGNATURE;
+    }
+    return usage;
+}
+    
+	
+/*
+ * merge a private key, 
+ *
+ * Private keys are merged using PBE wrapped keys with a random
+ * value as the 'password'. Once the base key is moved, The remaining
+ * attributes (SUBJECT) is copied.
+ */
+static SECStatus
+pk11_mergePrivateKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    SECKEYPrivateKey *sourceKey = NULL;
+    CK_OBJECT_HANDLE targetKeyID;
+    SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+    char *nickname = NULL;
+    SECItem nickItem;
+    SECItem pwitem;
+    SECItem publicValue;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    unsigned int keyUsage;
+    unsigned char randomData[SHA1_LENGTH];
+    SECOidTag algTag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
+    CK_ATTRIBUTE privTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    CK_ULONG privTemplateCount = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    CK_ATTRIBUTE privCopyTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 }
+    };
+    CK_ULONG privCopyTemplateCount = 
+		sizeof(privCopyTemplate)/sizeof(privCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* check to see if the key is already in the target slot */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, 
+				privTemplateCount, id, &targetKeyID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    if (targetKeyID != CK_INVALID_HANDLE) {
+	/* match found,  not an error ... */
+	goto done;
+    }
+
+    /* get an NSS representation of our source key */
+    sourceKey = PK11_MakePrivKey(sourceSlot, nullKey, PR_FALSE, 
+				 id, sourcePwArg);
+    if (sourceKey == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* Load the private key */
+    /* generate a random pwitem */
+    rv = PK11_GenerateRandom(randomData, sizeof(randomData));
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    pwitem.data = randomData;
+    pwitem.len = sizeof(randomData);
+    /* fetch the private key encrypted */
+    epki = PK11_ExportEncryptedPrivKeyInfo(sourceSlot, algTag, &pwitem, 
+					   sourceKey, 1, sourcePwArg);
+    if (epki == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    nickname = PK11_GetObjectNickname(sourceSlot, id);
+    /* NULL nickanme is fine (in fact is often normal) */
+    if (nickname)  {
+	nickItem.data = (unsigned char *)nickname;
+	nickItem.len = PORT_Strlen(nickname);
+    }
+    keyUsage = pk11_getPrivateKeyUsage(sourceSlot, id);
+    /* pass in the CKA_ID */
+    publicValue.data = privTemplate[0].pValue;
+    publicValue.len = privTemplate[0].ulValueLen;
+    rv = PK11_ImportEncryptedPrivateKeyInfo(targetSlot, epki, &pwitem,
+			nickname? &nickItem : NULL , &publicValue, 
+			PR_TRUE, PR_TRUE, sourceKey->keyType, keyUsage, 
+			targetPwArg);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* make sure it made it */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, 
+				privTemplateCount, id, &targetKeyID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    if (targetKeyID == CK_INVALID_HANDLE) {
+	/* this time the key should exist */
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* fill in remaining attributes */
+    rv = pk11_copyAttributes(arena, targetSlot, targetKeyID, sourceSlot, id,
+				privCopyTemplate, privCopyTemplateCount);
+done:
+    /* make sure the 'key' is cleared */
+    PORT_Memset(randomData, 0, sizeof(randomData));
+    if (nickname) {
+	PORT_Free(nickname);
+    }
+    if (sourceKey) {
+	SECKEY_DestroyPrivateKey(sourceKey);
+    }
+    if (epki) {
+	SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
+    }
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+
+/*************************************************************************
+ *
+ *            Secret Keys
+ *
+ *************************************************************************/
+
+/*
+ * we need to find a unique CKA_ID.
+ *  The basic idea is to just increment the lowest byte.
+ *  This code also handles the following corner cases:
+ *   1) the single byte overflows. On overflow we increment the next byte up 
+ *    and so forth until we have overflowed the entire CKA_ID.
+ *   2) If we overflow the entire CKA_ID we expand it by one byte.
+ *   3) the CKA_ID is non-existant, we create a new one with one byte.
+ *    This means no matter what CKA_ID is passed, the result of this function 
+ *    is always a new CKA_ID, and this function will never return the same 
+ *    CKA_ID the it has returned in the passed.
+ */
+static SECStatus
+pk11_incrementID(PRArenaPool *arena, CK_ATTRIBUTE *ptemplate)
+{
+    unsigned char *buf = ptemplate->pValue;
+    CK_ULONG len = ptemplate->ulValueLen;
+
+    if (buf == NULL || len == (CK_ULONG)-1) {
+	/* we have no valid CKAID, we'll create a basic one byte CKA_ID below */
+	len = 0;
+    } else {
+	CK_ULONG i;
+
+	/* walk from the back to front, incrementing
+	 * the CKA_ID until we no longer have a carry,
+	 * or have hit the front of the id. */
+	for (i=len; i != 0; i--) {
+	    buf[i-1]++;
+	    if (buf[i-1] != 0) {
+		/* no more carries, the increment is complete */
+		return SECSuccess;
+	     }
+	}
+	/* we've now overflowed, fall through and expand the CKA_ID by 
+	 * one byte */
+    } 
+    /* if we are here we've run the counter to zero (indicating an overflow).
+     * create an CKA_ID that is all zeros, but has one more zero than
+     * the previous CKA_ID */
+    buf = PORT_ArenaZAlloc(arena, len+1);
+    if (buf == NULL) {
+	return SECFailure;
+    }
+    ptemplate->pValue = buf;
+    ptemplate->ulValueLen = len+1;
+    return SECSuccess;
+}
+
+
+static CK_FLAGS
+pk11_getSecretKeyFlags(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
+{
+    CK_FLAGS flags = 0;
+
+    if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP)) {
+	flags |= CKF_UNWRAP;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_WRAP)) {
+	flags |= CKF_WRAP;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT)) {
+	flags |= CKF_ENCRYPT;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT)) {
+	flags |= CKF_DECRYPT;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
+	flags |= CKF_DERIVE;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_SIGN)) {
+	flags |= CKF_SIGN;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER)) {
+	flags |= CKF_SIGN_RECOVER;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY)) {
+	flags |= CKF_VERIFY;
+    }
+    if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER)) {
+	flags |= CKF_VERIFY_RECOVER;
+    }
+    return flags;
+}
+
+static const char testString[] = 
+	"My Encrytion Test Data (should be at least 32 bytes long)";
+/*
+ * merge a secret key, 
+ *
+ * Secret keys may collide by CKA_ID as we merge 2 token. If we collide
+ * on the CKA_ID, we need to make sure we are dealing with different keys.
+ * The reason for this is it is possible that we've merged this database
+ * before, and this key could have been merged already.  If the keys are
+ * the same, we are done. If they are not, we need to update the CKA_ID of
+ * the source key and try again.
+ * 
+ * Once we know we have a unique key to merge in, we use NSS's underlying
+ * key Move function which will do a key exchange if necessary to move
+ * the key from one token to another. Then we set the CKA_ID and additional
+ * pkcs #11 attributes.
+ */
+static SECStatus
+pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    PK11SymKey *sourceKey = NULL;
+    PK11SymKey *targetKey = NULL;
+    SECItem *sourceOutput = NULL;
+    SECItem *targetOutput = NULL;
+    SECItem *param = NULL;
+    SECItem input;
+    CK_OBJECT_HANDLE targetKeyID;
+    CK_FLAGS flags;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM_TYPE keyMechType, cryptoMechType;
+    CK_KEY_TYPE sourceKeyType, targetKeyType;
+    CK_ATTRIBUTE symTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    CK_ULONG symTemplateCount = sizeof(symTemplate)/sizeof(symTemplate[0]);
+    CK_ATTRIBUTE symCopyTemplate[] = {
+	{ CKA_LABEL, NULL, 0 }
+    };
+    CK_ULONG symCopyTemplateCount = 
+		sizeof(symCopyTemplate)/sizeof(symCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    sourceKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE);
+    if (sourceKeyType == (CK_ULONG) -1) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* get the key mechanism */
+    keyMechType = PK11_GetKeyMechanism(sourceKeyType);
+    /* get a mechanism suitable to encryption.
+     * PK11_GetKeyMechanism returns a mechanism that is unique to the key
+     * type. It tries to return encryption/decryption mechanisms, however
+     * CKM_DES3_CBC uses and abmiguous keyType, so keyMechType is returned as
+     * 'keygen' mechanism. Detect that case here */
+    cryptoMechType =  keyMechType;
+    if ((keyMechType == CKM_DES3_KEY_GEN) ||  
+				(keyMechType == CKM_DES2_KEY_GEN)) {
+	cryptoMechType = CKM_DES3_CBC;
+    }
+
+    sourceKey = PK11_SymKeyFromHandle(sourceSlot, NULL, PK11_OriginDerive,
+				keyMechType , id, PR_FALSE, sourcePwArg);
+    if (sourceKey == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* check to see a key with the same CKA_ID  already exists in 
+     * the target slot. If it does, then we need to verify if the keys
+     * really matches. If they don't import the key with a new CKA_ID
+     * value. */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot,
+			symTemplate, symTemplateCount, id, &targetKeyID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* set up the input test */
+    input.data = (unsigned char *)testString;
+    input.len = PK11_GetBlockSize(cryptoMechType, NULL);
+    if (input.len < 0) {
+	rv = SECFailure;
+	goto done;
+    }
+    if (input.len == 0) {
+	input.len = sizeof (testString);
+    }
+    while (targetKeyID != CK_INVALID_HANDLE) {
+	/* test to see if the keys are identical */
+	targetKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE);
+	if (targetKeyType == sourceKeyType) {
+		/* same keyType  - see if it's the same key */
+		targetKey = PK11_SymKeyFromHandle(targetSlot, NULL, 
+			PK11_OriginDerive, keyMechType, targetKeyID, PR_FALSE,
+			targetPwArg);
+		/* get a parameter if we don't already have one */
+		if (!param) {
+		    param = PK11_GenerateNewParam(cryptoMechType, sourceKey);
+		    if (param == NULL) {
+			rv = SECFailure;
+			goto done;
+		    }
+		}
+		/* use the source key to encrypt a reference */
+		if (!sourceOutput) {
+		    rv = pk11_encrypt(sourceKey, cryptoMechType, param, &input,
+			&sourceOutput);
+		    if (rv != SECSuccess) {
+			goto done;
+		    }
+		}
+		/* encrypt the reference with the target key */
+		rv = pk11_encrypt(targetKey, cryptoMechType, param, &input,
+			&targetOutput);
+		if (rv == SECSuccess) {
+		    if (SECITEM_ItemsAreEqual(sourceOutput, targetOutput)) {
+			/* they produce the same output, they must be the
+			 * same key */
+			goto done;
+		    }
+		    SECITEM_FreeItem(targetOutput, PR_TRUE);
+		    targetOutput = NULL;
+		}
+		PK11_FreeSymKey(targetKey);
+		targetKey = NULL;
+	}
+	/* keys aren't equal, update the KEY_ID and look again */
+	rv = pk11_incrementID(arena, &symTemplate[0]);
+	if (rv != SECSuccess) {
+	    goto done;
+	}
+	targetKeyID = pk11_FindObjectByTemplate(targetSlot, 
+					symTemplate, symTemplateCount);
+    }
+
+    /* we didn't find a matching key, import this one with the new
+     * CKAID */
+    flags = pk11_getSecretKeyFlags(sourceSlot, id);
+    targetKey = PK11_MoveSymKey(targetSlot, PK11_OriginDerive, flags, PR_TRUE,
+			sourceKey);
+    if (targetKey == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    /* set the key new CKAID */
+    rv = pk11_setAttributes(targetSlot, targetKey->objectID, symTemplate, 1);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* fill in remaining attributes */
+    rv = pk11_copyAttributes(arena, targetSlot, targetKey->objectID, 
+			sourceSlot, id, symCopyTemplate, symCopyTemplateCount);
+done:
+    if (sourceKey) {
+	PK11_FreeSymKey(sourceKey);
+    }
+    if (targetKey) {
+	PK11_FreeSymKey(targetKey);
+    }
+    if (sourceOutput) {
+	SECITEM_FreeItem(sourceOutput, PR_TRUE);
+    }
+    if (targetOutput) {
+	SECITEM_FreeItem(targetOutput, PR_TRUE);
+    }
+    if (param) {
+	SECITEM_FreeItem(param, PR_TRUE);
+    }
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*************************************************************************
+ *
+ *            Public Keys
+ *
+ *************************************************************************/
+
+/*
+ * Merge public key
+ *
+ * Use the high level NSS calls to extract the public key and import it
+ * into the token. Extra attributes are then copied to the new token.
+ */
+static SECStatus
+pk11_mergePublicKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    SECKEYPublicKey *sourceKey = NULL;
+    CK_OBJECT_HANDLE targetKeyID;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    CK_ATTRIBUTE pubTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    CK_ULONG pubTemplateCount = sizeof(pubTemplate)/sizeof(pubTemplate[0]);
+    CK_ATTRIBUTE pubCopyTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 }
+    };
+    CK_ULONG pubCopyTemplateCount = 
+		sizeof(pubCopyTemplate)/sizeof(pubCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+
+    /* check to see if the key is already in the target slot */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, pubTemplate, 
+				pubTemplateCount, id, &targetKeyID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* Key is already in the target slot */
+    if (targetKeyID != CK_INVALID_HANDLE) {
+	/* not an error ... */
+	goto done;
+    }
+
+    /* fetch an NSS representation of the public key */
+    sourceKey = PK11_ExtractPublicKey(sourceSlot, nullKey, id);
+    if (sourceKey== NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* load the public key into the target token. */
+    targetKeyID = PK11_ImportPublicKey(targetSlot, sourceKey, PR_TRUE);
+    if (targetKeyID == CK_INVALID_HANDLE) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* fill in remaining attributes */
+    rv = pk11_copyAttributes(arena, targetSlot, targetKeyID, sourceSlot, id,
+				pubCopyTemplate, pubCopyTemplateCount);
+
+
+done:
+    if (sourceKey) {
+	SECKEY_DestroyPublicKey(sourceKey);
+    }
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*************************************************************************
+ *
+ *            Certificates
+ *
+ *************************************************************************/
+
+/*
+ * merge a certificate object
+ *
+ * Use the high level NSS calls to extract and import the certificate.
+ */
+static SECStatus
+pk11_mergeCert(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    CERTCertificate *sourceCert = NULL;
+    CK_OBJECT_HANDLE targetCertID = CK_INVALID_HANDLE;
+    char *nickname = NULL;
+    SECStatus rv = SECSuccess;
+    PRArenaPool *arena = NULL;
+    CK_ATTRIBUTE sourceCKAID = {CKA_ID, NULL, 0};
+    CK_ATTRIBUTE targetCKAID = {CKA_ID, NULL, 0};
+    SECStatus lrv = SECSuccess;
+    int error;
+
+
+    sourceCert = PK11_MakeCertFromHandle(sourceSlot, id, NULL);
+    if (sourceCert == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    nickname = PK11_GetObjectNickname(sourceSlot, id);
+
+    /* see if the cert is already there */
+    targetCertID = PK11_FindCertInSlot(targetSlot, sourceCert, targetPwArg);
+    if (targetCertID == CK_INVALID_HANDLE) {
+	/* cert doesn't exist load the cert in. */
+	/* OK for the nickname to be NULL, not all certs have nicknames */
+	rv = PK11_ImportCert(targetSlot, sourceCert, CK_INVALID_HANDLE,
+			     nickname, PR_FALSE);
+	goto done;
+    }
+
+    /* the cert already exists, see if the nickname and/or  CKA_ID need
+     * to be updated */
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* does our source have a CKA_ID ? */
+    rv = PK11_GetAttributes(arena, sourceSlot, id,  &sourceCKAID, 1);
+    if (rv != SECSuccess) {
+	sourceCKAID.ulValueLen = 0;
+    }
+
+    /* if we have a source CKA_ID, see of we need to update the
+     * target's CKA_ID */
+    if (sourceCKAID.ulValueLen != 0) {
+	rv = PK11_GetAttributes(arena, targetSlot, targetCertID,
+				    &targetCKAID, 1);
+	if (rv != SECSuccess) {
+	    targetCKAID.ulValueLen = 0;
+	}
+	/* if the target has no CKA_ID, update it from the source */
+	if (targetCKAID.ulValueLen == 0) {
+	    lrv=pk11_setAttributes(targetSlot, targetCertID, &sourceCKAID, 1);
+	    if (lrv != SECSuccess) {
+		error = PORT_GetError();
+	    }
+	}
+    }
+    rv = SECSuccess;
+
+    /* now check if we need to update the nickname */
+    if (nickname && *nickname) {
+	char *targetname;
+	targetname = PK11_GetObjectNickname(targetSlot, targetCertID);
+	if (!targetname || !*targetname) {
+	    /* target has no nickname, or it's empty, update it */
+	    rv = PK11_SetObjectNickname(targetSlot, targetCertID, nickname);
+	}
+	if (targetname) {
+	    PORT_Free(targetname);
+	}
+    }
+
+    /* restore the error code if CKA_ID failed, but nickname didn't */
+    if ((rv == SECSuccess) && (lrv != SECSuccess)) {
+	rv = lrv;
+	PORT_SetError(error);
+    }
+
+done:
+    if (nickname) {
+	PORT_Free(nickname);
+    }
+    if (sourceCert) {
+	CERT_DestroyCertificate(sourceCert);
+    }
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+
+/*************************************************************************
+ *
+ *            Crls
+ *
+ *************************************************************************/
+
+/*
+ * Use the raw PKCS #11 interface to merge the CRLs.
+ *
+ * In the case where of collision, choose the newest CRL that is valid.
+ */
+static SECStatus
+pk11_mergeCrl(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    CK_OBJECT_HANDLE targetCrlID;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    CK_ATTRIBUTE crlTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_NSS_KRL, NULL, 0 }
+    };
+    CK_ULONG crlTemplateCount = sizeof(crlTemplate)/sizeof(crlTemplate[0]);
+    CK_ATTRIBUTE crlCopyTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_MODIFIABLE, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_NSS_KRL, NULL, 0 },
+	{ CKA_NSS_URL, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 }
+    };
+    CK_ULONG crlCopyTemplateCount = 
+		sizeof(crlCopyTemplate)/sizeof(crlCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    /* check to see if the crl is already in the target slot */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, crlTemplate, 
+				crlTemplateCount, id, &targetCrlID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    if (targetCrlID != CK_INVALID_HANDLE) {
+	/* we already have a CRL, check to see which is more up-to-date. */
+	goto done;
+    }
+
+    /* load the CRL into the target token. */
+    rv = pk11_copyAttributes(arena, targetSlot, targetCrlID, sourceSlot, id,
+				crlCopyTemplate, crlCopyTemplateCount);
+done:
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*************************************************************************
+ *
+ *            SMIME objects
+ *
+ *************************************************************************/
+
+/*
+ * use the raw PKCS #11 interface to merge the S/MIME records
+ */
+static SECStatus
+pk11_mergeSmime(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    CK_OBJECT_HANDLE targetSmimeID;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    CK_ATTRIBUTE smimeTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_NSS_EMAIL, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+    };
+    CK_ULONG smimeTemplateCount = 
+		sizeof(smimeTemplate)/sizeof(smimeTemplate[0]);
+    CK_ATTRIBUTE smimeCopyTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_MODIFIABLE, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_NSS_EMAIL, NULL, 0 },
+	{ CKA_NSS_SMIME_TIMESTAMP, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 }
+    };
+    CK_ULONG smimeCopyTemplateCount = 
+		sizeof(smimeCopyTemplate)/sizeof(smimeCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    /* check to see if the crl is already in the target slot */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, smimeTemplate, 
+				smimeTemplateCount, id, &targetSmimeID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    if (targetSmimeID != CK_INVALID_HANDLE) {
+	/* we already have a SMIME record */
+	goto done;
+    }
+
+    /* load the SMime Record into the target token. */
+    rv = pk11_copyAttributes(arena, targetSlot, targetSmimeID, sourceSlot, id,
+				smimeCopyTemplate, smimeCopyTemplateCount);
+done:
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*************************************************************************
+ *
+ *            Trust Objects
+ *
+ *************************************************************************/
+
+
+/*
+ * decide which trust record entry wins. PR_TRUE (source) or PR_FALSE (target)
+ */
+#define USE_TARGET PR_FALSE
+#define USE_SOURCE PR_TRUE
+PRBool
+pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source)
+{
+    CK_ULONG targetTrust = (target->ulValueLen == sizeof (CK_LONG)) ?
+		*(CK_ULONG *)target->pValue : CKT_NSS_TRUST_UNKNOWN;
+    CK_ULONG sourceTrust = (source->ulValueLen == sizeof (CK_LONG)) ?
+		*(CK_ULONG *)source->pValue : CKT_NSS_TRUST_UNKNOWN;
+
+    /*
+     * Examine a single entry and deside if the source or target version
+     * should win out. When all the entries have been checked, if there is
+     * any case we need to update, we will write the whole source record
+     * to the target database. That means for each individual record, if the
+     * target wins, we need to update the source (in case later we have a
+     * case where the source wins). If the source wins, it already 
+     */
+    if (sourceTrust == targetTrust) {
+	return USE_TARGET;  /* which equates to 'do nothing' */
+    }
+
+    if (sourceTrust == CKT_NSS_TRUST_UNKNOWN) {
+	return USE_TARGET; 
+    }
+
+    /* target has no idea, use the source's idea of the trust value */
+    if (targetTrust == CKT_NSS_TRUST_UNKNOWN) {
+	/* source overwrites the target */
+	return USE_SOURCE;
+    }
+
+    /* so both the target and the source have some idea of what this 
+     * trust attribute should be, and neither agree exactly. 
+     * At this point, we prefer 'hard' attributes over 'soft' ones. 
+     * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and
+     * CKT_NSS_UNTRUTED. Soft ones are ones which don't change the
+     * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID,
+     * CKT_NSS_VALID_DELEGATOR).
+     */
+    if ((sourceTrust == CKT_NSS_MUST_VERIFY) 
+	|| (sourceTrust == CKT_NSS_VALID)
+	|| (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
+	return USE_TARGET;
+    }
+    if ((targetTrust == CKT_NSS_MUST_VERIFY) 
+	|| (targetTrust == CKT_NSS_VALID)
+	|| (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
+	/* source overrites the target */
+	return USE_SOURCE;
+    }
+
+    /* both have hard attributes, we have a conflict, let the target win. */
+    return USE_TARGET;
+}
+/*
+ * use the raw PKCS #11 interface to merge the S/MIME records
+ */
+static SECStatus
+pk11_mergeTrust(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+    CK_OBJECT_HANDLE targetTrustID;
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECSuccess;
+    int error = 0;
+    CK_ATTRIBUTE trustTemplate[] = {
+	{ CKA_ISSUER, NULL, 0 },
+	{ CKA_SERIAL_NUMBER, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+    };
+    CK_ULONG trustTemplateCount = 
+		sizeof(trustTemplate)/sizeof(trustTemplate[0]);
+    CK_ATTRIBUTE trustCopyTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_MODIFIABLE, NULL, 0 },
+	{ CKA_ISSUER, NULL, 0},
+	{ CKA_SERIAL_NUMBER, NULL, 0},
+	{ CKA_CERT_SHA1_HASH, NULL, 0 },
+	{ CKA_CERT_MD5_HASH, NULL, 0 },
+	{ CKA_TRUST_SERVER_AUTH, NULL, 0 },
+	{ CKA_TRUST_CLIENT_AUTH, NULL, 0 },
+	{ CKA_TRUST_CODE_SIGNING, NULL, 0 },
+	{ CKA_TRUST_EMAIL_PROTECTION, NULL, 0 },
+	{ CKA_TRUST_STEP_UP_APPROVED, NULL, 0 }
+    };
+    CK_ULONG trustCopyTemplateCount = 
+		sizeof(trustCopyTemplate)/sizeof(trustCopyTemplate[0]);
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	rv = SECFailure;
+	goto done;
+    }
+    /* check to see if the crl is already in the target slot */
+    rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, trustTemplate, 
+				trustTemplateCount, id, &targetTrustID);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    if (targetTrustID != CK_INVALID_HANDLE) {
+	/* a matching trust record already exists, merge it in */
+	CK_ATTRIBUTE_TYPE trustAttrs[] = {
+	    CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH,
+	    CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION, 
+	    CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, 
+	    CKA_TRUST_TIME_STAMPING
+	};
+	CK_ULONG trustAttrsCount = 
+		sizeof(trustAttrs)/sizeof(trustAttrs[0]);
+
+	int i;
+	CK_ATTRIBUTE targetTemplate, sourceTemplate;
+
+	/* existing trust record, merge the two together */
+        for (i=0; i < trustAttrsCount; i++) {
+	    targetTemplate.type = sourceTemplate.type = trustAttrs[i];
+	    targetTemplate.pValue = sourceTemplate.pValue = NULL;
+	    targetTemplate.ulValueLen = sourceTemplate.ulValueLen = 0;
+	    PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1);
+	    PK11_GetAttributes(arena, targetSlot, targetTrustID, 
+							&targetTemplate, 1);
+	    if (pk11_mergeTrustEntry(&targetTemplate, &sourceTemplate)) {
+		/* source wins, write out the source attribute to the target */
+		SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, 
+				   &sourceTemplate, 1);
+		if (lrv != SECSuccess) {
+		    rv = SECFailure;
+		    error = PORT_GetError();
+		}
+	    }
+	}
+
+	/* handle step */
+	sourceTemplate.type = CKA_TRUST_STEP_UP_APPROVED;
+	sourceTemplate.pValue = NULL;
+	sourceTemplate.ulValueLen = 0;
+
+	/* if the source has steup set, then set it in the target */
+	PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1);
+	if ((sourceTemplate.ulValueLen == sizeof(CK_BBOOL)) && 
+		(sourceTemplate.pValue) &&
+		(*(CK_BBOOL *)sourceTemplate.pValue == CK_TRUE)) {
+	    SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, 
+				   &sourceTemplate, 1);
+	    if (lrv != SECSuccess) {
+		rv = SECFailure;
+		error = PORT_GetError();
+	    }
+	}
+
+	goto done;
+
+    }
+
+    /* load the new trust Record into the target token. */
+    rv = pk11_copyAttributes(arena, targetSlot, targetTrustID, sourceSlot, id,
+				trustCopyTemplate, trustCopyTemplateCount);
+done:
+    if (arena) {
+         PORT_FreeArena(arena,PR_FALSE);
+    }
+
+    /* restore the error code */
+    if (rv == SECFailure && error) {
+	PORT_SetError(error);
+    }
+	
+    return rv;
+}
+
+/*************************************************************************
+ *
+ *            Central merge code
+ *
+ *************************************************************************/
+/*
+ * merge a single object from sourceToken to targetToken
+ */
+static SECStatus
+pk11_mergeObject(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg)
+{
+
+    CK_OBJECT_CLASS objClass;
+
+
+    objClass = PK11_ReadULongAttribute(sourceSlot, id, CKA_CLASS);
+    if (objClass == (CK_ULONG) -1) {
+	PORT_SetError( SEC_ERROR_UNKNOWN_OBJECT_TYPE );
+	return SECFailure;
+    }
+
+    switch (objClass) {
+    case CKO_CERTIFICATE:
+	return pk11_mergeCert(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    case CKO_NSS_TRUST:
+	return pk11_mergeTrust(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    case CKO_PUBLIC_KEY:
+	return pk11_mergePublicKey(targetSlot, sourceSlot, id,
+					targetPwArg, sourcePwArg);
+    case CKO_PRIVATE_KEY:
+	return pk11_mergePrivateKey(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    case CKO_SECRET_KEY:
+	return pk11_mergeSecretKey(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    case CKO_NSS_CRL:
+	return pk11_mergeCrl(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    case CKO_NSS_SMIME:
+	return pk11_mergeSmime(targetSlot, sourceSlot, id, 
+					targetPwArg, sourcePwArg);
+    default:
+	break;
+    }
+
+    PORT_SetError( SEC_ERROR_UNKNOWN_OBJECT_TYPE );
+    return SECFailure;
+}
+
+PK11MergeLogNode *
+pk11_newMergeLogNode(PRArenaPool *arena, 
+		     PK11SlotInfo *slot, CK_OBJECT_HANDLE id, int error)
+{
+    PK11MergeLogNode *newLog;
+    PK11GenericObject *obj;
+
+    newLog = PORT_ArenaZNew(arena, PK11MergeLogNode);
+    if (newLog == NULL) {
+	return NULL;
+    }
+
+    obj = PORT_ArenaZNew(arena, PK11GenericObject);
+    if ( !obj ) {
+	return NULL;
+    }
+
+    /* initialize it */
+    obj->slot = slot;
+    obj->objectID = id;
+
+    newLog->object= obj;
+    newLog->error = error;
+    return newLog;
+}
+
+/*
+ * walk down each entry and merge it. keep track of the errors in the log
+ */
+static SECStatus
+pk11_mergeByObjectIDs(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		CK_OBJECT_HANDLE *objectIDs, int count,
+		PK11MergeLog *log, void *targetPwArg, void *sourcePwArg)
+{
+    SECStatus rv = SECSuccess;
+    int error, i;
+    
+    for (i=0; i < count; i++) {
+	/* try to update the entire database. On failure, keep going,
+	 * but remember the error to report back to the caller */
+	SECStatus lrv;
+	PK11MergeLogNode *newLog;
+
+	lrv= pk11_mergeObject(targetSlot, sourceSlot, objectIDs[i], 
+				targetPwArg, sourcePwArg);
+	if (lrv == SECSuccess) {
+	   /* merged with no problem, go to next object */
+	   continue;
+	}
+
+	/* remember that we failed and why */
+	rv = SECFailure;
+	error = PORT_GetError();
+
+	/* log the errors */
+	if (!log) {
+	    /* not logging, go to next entry */
+	    continue;
+	}
+	newLog = pk11_newMergeLogNode(log->arena, sourceSlot, 
+				      objectIDs[i], error);
+	if (!newLog) {
+	    /* failed to allocate entry, just keep going */
+	    continue;
+	}
+
+	/* link in the errorlog entry */
+	newLog->next = NULL;
+	if (log->tail) {
+	    log->tail->next = newLog;
+	} else {
+	    log->head = newLog;
+	}
+	newLog->prev = log->tail;
+	log->tail = newLog;
+    }
+
+    /* restore the last error code */
+    if (rv != SECSuccess) {
+	PORT_SetError(error);
+    }
+    return rv;
+}
+
+/*
+ * Merge all the records in sourceSlot that aren't in targetSlot
+ * 
+ *   This function will return failure if not all the objects
+ *   successfully merged.
+ *
+ *   Applications can pass in an optional error log which will record
+ *   each failing object and why it failed to import. PK11MergeLog
+ *   is modelled after the CERTVerifyLog.
+ */
+SECStatus
+PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+		PK11MergeLog *log, void *targetPwArg, void *sourcePwArg)
+{
+    SECStatus rv = SECSuccess, lrv = SECSuccess;
+    int error, count = 0;
+    CK_ATTRIBUTE search[2];
+    CK_OBJECT_HANDLE *objectIDs = NULL;
+    CK_BBOOL ck_true = CK_TRUE;
+    CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY;
+
+    PK11_SETATTRS(&search[0], CKA_TOKEN, &ck_true, sizeof(ck_true));
+    PK11_SETATTRS(&search[1], CKA_CLASS, &privKey, sizeof(privKey));
+    /*
+     * make sure both tokens are already authenticated if need be.
+     */
+    rv = PK11_Authenticate(targetSlot, PR_TRUE, targetPwArg);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = PK11_Authenticate(sourceSlot, PR_TRUE, sourcePwArg);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* turns out the old DB's are rather fragile if the private keys aren't
+     * merged in first, so do the private keys explicity. */
+    objectIDs = pk11_FindObjectsByTemplate(sourceSlot, search, 2, &count);
+    if (objectIDs) {
+	lrv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, 
+				    objectIDs, count, log, 
+				    targetPwArg, sourcePwArg);
+	if (lrv != SECSuccess) {
+	    error = PORT_GetError();
+	}
+	PORT_Free(objectIDs);
+	count = 0;
+    }
+
+    /* now do the rest  (NOTE: this will repeat the private keys, but
+     * that shouldnt' be an issue as we will notice they are already
+     * merged in */
+    objectIDs = pk11_FindObjectsByTemplate(sourceSlot, search, 1, &count);
+    if (!objectIDs) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, objectIDs, count, log, 
+			targetPwArg, sourcePwArg);
+    if (rv == SECSuccess) {
+	/* if private keys failed, but the rest succeeded, be sure to let
+	 * the caller know that private keys failed and why.
+	 * NOTE: this is highly unlikely since the same keys that failed
+	 * in the previous merge call will most likely fail in this one */
+	if (lrv != SECSuccess) {
+	    rv = lrv;
+	    PORT_SetError(error);
+	}
+    }
+
+loser:
+    if (objectIDs) {
+	PORT_Free(objectIDs);
+    }
+    return rv;
+}
+
+PK11MergeLog *
+PK11_CreateMergeLog(void)
+{
+    PRArenaPool *arena;
+    PK11MergeLog *log;
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    log = PORT_ArenaZNew(arena, PK11MergeLog);
+    if (log == NULL) {
+         PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    log->arena = arena;
+    log->version = 1;
+    return log;
+}
+
+void
+PK11_DestroyMergeLog(PK11MergeLog *log)
+{
+   if (log && log->arena) {
+	PORT_FreeArena(log->arena, PR_FALSE);
+    }
+}
diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c
new file mode 100644
index 000000000..d94820bc4
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11nobj.c
@@ -0,0 +1,816 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file manages Netscape specific PKCS #11 objects (CRLs, Trust objects,
+ * etc).
+ */
+
+#include "secport.h"
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "certi.h" 
+#include "secitem.h"
+#include "sechash.h" 
+#include "secoid.h"
+
+#include "certdb.h" 
+#include "secerr.h"
+#include "sslerr.h"
+
+#include "pki3hack.h"
+#include "dev3hack.h" 
+
+#include "devm.h" 
+#include "pki.h"
+#include "pkim.h" 
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+CK_TRUST
+pk11_GetTrustField(PK11SlotInfo *slot, PRArenaPool *arena, 
+                   CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type)
+{
+  CK_TRUST rv = 0;
+  SECItem item;
+
+  item.data = NULL;
+  item.len = 0;
+
+  if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) {
+    PORT_Assert(item.len == sizeof(CK_TRUST));
+    PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST));
+    /* Damn, is there an endian problem here? */
+    return rv;
+  }
+
+  return 0;
+}
+
+PRBool
+pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust)
+{
+  PRArenaPool *arena;
+
+  CK_ATTRIBUTE tobjTemplate[] = {
+    { CKA_CLASS, NULL, 0 },
+    { CKA_CERT_SHA1_HASH, NULL, 0 },
+  };
+
+  CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+  CK_OBJECT_HANDLE tobjID;
+  unsigned char sha1_hash[SHA1_LENGTH];
+
+  CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth;
+
+  PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
+
+  PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc));
+  PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, 
+                SHA1_LENGTH);
+
+  tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, 
+                                     sizeof(tobjTemplate)/sizeof(tobjTemplate[0]));
+  if( CK_INVALID_HANDLE == tobjID ) {
+    return PR_FALSE;
+  }
+
+  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if( NULL == arena ) return PR_FALSE;
+
+  /* Unfortunately, it seems that PK11_GetAttributes doesn't deal
+   * well with nonexistant attributes.  I guess we have to check 
+   * the trust info fields one at a time.
+   */
+
+  /* We could verify CKA_CERT_HASH here */
+
+  /* We could verify CKA_EXPIRES here */
+
+
+  /* "Purpose" trust information */
+  serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH);
+  clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH);
+  codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING);
+  emailProtection = pk11_GetTrustField(slot, arena, tobjID, 
+						CKA_TRUST_EMAIL_PROTECTION);
+  /* Here's where the fun logic happens.  We have to map back from the 
+   * key usage, extended key usage, purpose, and possibly other trust values 
+   * into the old trust-flags bits.  */
+
+  /* First implementation: keep it simple for testing.  We can study what other
+   * mappings would be appropriate and add them later.. fgmr 20000724 */
+
+  if ( serverAuth ==  CKT_NETSCAPE_TRUSTED ) {
+    trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 
+							CERTDB_NS_TRUSTED_CA;
+  }
+  if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->sslFlags |=  CERTDB_TRUSTED_CLIENT_CA ;
+  }
+
+  if ( emailProtection == CKT_NETSCAPE_TRUSTED ) {
+    trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
+  }
+
+  if( codeSigning == CKT_NETSCAPE_TRUSTED ) {
+    trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
+  }
+
+  /* There's certainly a lot more logic that can go here.. */
+
+  PORT_FreeArena(arena, PR_FALSE);
+
+  return PR_TRUE;
+}
+
+static SECStatus
+pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
+{
+    SECItem derCrl;
+    CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
+    CERTCrlNode *new_node = NULL;
+    CK_ATTRIBUTE fetchCrl[3] = {
+	 { CKA_VALUE, NULL, 0},
+	 { CKA_NETSCAPE_KRL, NULL, 0},
+	 { CKA_NETSCAPE_URL, NULL, 0},
+    };
+    const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+
+    crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
+    if (CKR_OK != crv) {
+	PORT_SetError(PK11_MapError(crv));
+	goto loser;
+    }
+
+    if (!fetchCrl[1].pValue) {
+	PORT_SetError(SEC_ERROR_CRL_INVALID);
+	goto loser;
+    }
+
+    new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
+    if (new_node == NULL) {
+        goto loser;
+    }
+
+    if (*((CK_BBOOL *)fetchCrl[1].pValue))
+        new_node->type = SEC_KRL_TYPE;
+    else
+        new_node->type = SEC_CRL_TYPE;
+
+    derCrl.type = siBuffer;
+    derCrl.data = (unsigned char *)fetchCrl[0].pValue;
+    derCrl.len = fetchCrl[0].ulValueLen;
+    new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
+    if (new_node->crl == NULL) {
+	goto loser;
+    }
+
+    if (fetchCrl[2].pValue) {
+        int nnlen = fetchCrl[2].ulValueLen;
+        new_node->crl->url  = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
+        if ( !new_node->crl->url ) {
+            goto loser;
+        }
+        PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
+        new_node->crl->url[nnlen] = 0;
+    } else {
+        new_node->crl->url = NULL;
+    }
+
+
+    new_node->next = NULL;
+    if (head->last) {
+        head->last->next = new_node;
+        head->last = new_node;
+    } else {
+        head->first = head->last = new_node;
+    }
+    rv = SECSuccess;
+
+loser:
+    return(rv);
+}
+
+/*
+ * Return a list of all the CRLs .
+ * CRLs are allocated in the list's arena.
+ */
+SECStatus
+PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) {
+    pk11TraverseSlot creater;
+    CK_ATTRIBUTE theTemplate[2];
+    CK_ATTRIBUTE *attrs;
+    CK_OBJECT_CLASS certClass = CKO_NETSCAPE_CRL;
+    CK_BBOOL isKrl = CK_FALSE;
+
+    attrs = theTemplate;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
+    if (type != -1) {
+	isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE);
+        PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++;
+    }
+
+    creater.callback = pk11_CollectCrls;
+    creater.callbackArg = (void *) nodes;
+    creater.findTemplate = theTemplate;
+    creater.templateCount = (attrs - theTemplate);
+
+    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx);
+}
+
+struct crlOptionsStr {
+    CERTCrlHeadNode* head;
+    PRInt32 decodeOptions;
+};
+
+typedef struct crlOptionsStr crlOptions;
+
+static SECStatus
+pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID,
+                          void *arg)
+{
+    SECItem* derCrl = NULL;
+    crlOptions* options = (crlOptions*) arg;
+    CERTCrlHeadNode *head = options->head;
+    CERTCrlNode *new_node = NULL;
+    CK_ATTRIBUTE fetchCrl[3] = {
+	 { CKA_VALUE, NULL, 0},
+	 { CKA_NETSCAPE_KRL, NULL, 0},
+	 { CKA_NETSCAPE_URL, NULL, 0},
+    };
+    const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    PRBool adopted = PR_FALSE; /* whether the CRL adopted the DER memory
+                                  successfully */
+    int i;
+
+    crv = PK11_GetAttributes(NULL,slot,crlID,fetchCrl,fetchCrlSize);
+    if (CKR_OK != crv) {
+	PORT_SetError(PK11_MapError(crv));
+	goto loser;
+    }
+
+    if (!fetchCrl[1].pValue) {
+        /* reject KRLs */
+	PORT_SetError(SEC_ERROR_CRL_INVALID);
+	goto loser;
+    }
+
+    new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena,
+                                              sizeof(CERTCrlNode));
+    if (new_node == NULL) {
+        goto loser;
+    }
+
+    new_node->type = SEC_CRL_TYPE;
+
+    derCrl = SECITEM_AllocItem(NULL, NULL, 0);
+    if (!derCrl) {
+        goto loser;
+    }
+    derCrl->type = siBuffer;
+    derCrl->data = (unsigned char *)fetchCrl[0].pValue;
+    derCrl->len = fetchCrl[0].ulValueLen;
+    new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl,new_node->type,
+                                               options->decodeOptions);
+    if (new_node->crl == NULL) {
+	goto loser;
+    }    
+    adopted = PR_TRUE; /* now that the CRL has adopted the DER memory,
+                          we won't need to free it upon exit */
+
+    if (fetchCrl[2].pValue && fetchCrl[2].ulValueLen) {
+        /* copy the URL if there is one */
+        int nnlen = fetchCrl[2].ulValueLen;
+        new_node->crl->url  = (char *)PORT_ArenaAlloc(new_node->crl->arena,
+                                                      nnlen+1);
+        if ( !new_node->crl->url ) {
+            goto loser;
+        }
+        PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
+        new_node->crl->url[nnlen] = 0;
+    } else {
+        new_node->crl->url = NULL;
+    }
+
+    new_node->next = NULL;
+    if (head->last) {
+        head->last->next = new_node;
+        head->last = new_node;
+    } else {
+        head->first = head->last = new_node;
+    }
+    rv = SECSuccess;
+    new_node->crl->slot = PK11_ReferenceSlot(slot);
+    new_node->crl->pkcs11ID = crlID;
+
+loser:
+    /* free attributes that weren't adopted by the CRL */
+    for (i=1;i<fetchCrlSize;i++) {
+        if (fetchCrl[i].pValue) {
+            PORT_Free(fetchCrl[i].pValue);
+        }
+    }
+    /* free the DER if the CRL object didn't adopt it */
+    if (fetchCrl[0].pValue && PR_FALSE == adopted) {
+        PORT_Free(fetchCrl[0].pValue);
+    }
+    if (derCrl && !adopted) {
+        /* clear the data fields, which we already took care of above */
+        derCrl->data = NULL;
+        derCrl->len = 0;
+        /* free the memory for the SECItem structure itself */
+        SECITEM_FreeItem(derCrl, PR_TRUE);
+    }
+    return(rv);
+}
+
+/*
+ * Return a list of CRLs matching specified issuer and type
+ * CRLs are not allocated in the list's arena, but rather in their own,
+ * arena, so that they can be used individually in the CRL cache .
+ * CRLs are always partially decoded for efficiency.
+ */
+SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer,
+                            void *wincx)
+{
+    pk11TraverseSlot creater;
+    CK_ATTRIBUTE theTemplate[2];
+    CK_ATTRIBUTE *attrs;
+    CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
+    crlOptions options;
+
+    attrs = theTemplate;
+    PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
+
+    options.head = nodes;
+
+    /* - do a partial decoding - we don't need to decode the entries while
+       fetching
+       - don't copy the DER for optimal performance - CRL can be very large
+       - have the CRL objects adopt the DER, so SEC_DestroyCrl will free it
+       - keep bad CRL objects. The CRL cache is interested in them, for
+         security purposes. Bad CRL objects are a sign of something amiss.
+    */
+
+    options.decodeOptions = CRL_DECODE_SKIP_ENTRIES | CRL_DECODE_DONT_COPY_DER |
+                            CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_KEEP_BAD_CRL;
+    if (issuer)
+    {
+        PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); attrs++;
+    }
+
+    creater.callback = pk11_RetrieveCrlsCallback;
+    creater.callbackArg = (void *) &options;
+    creater.findTemplate = theTemplate;
+    creater.templateCount = (attrs - theTemplate);
+
+    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx);
+}
+
+/*
+ * return the crl associated with a derSubjectName 
+ */
+SECItem *
+PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
+					 SECItem *name, int type, char **pUrl)
+{
+    NSSCRL **crls, **crlp, *crl = NULL;
+    NSSDER subject;
+    SECItem *rvItem;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    char * url = NULL;
+
+    PORT_SetError(0);
+    NSSITEM_FROM_SECITEM(&subject, name);
+    if (*slot) {
+	nssCryptokiObject **instances;
+	nssPKIObjectCollection *collection;
+	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	NSSToken *token = PK11Slot_GetNSSToken(*slot);
+	collection = nssCRLCollection_Create(td, NULL);
+	if (!collection) {
+	    goto loser;
+	}
+	instances = nssToken_FindCRLsBySubject(token, NULL, &subject, 
+	                                       tokenOnly, 0, NULL);
+	nssPKIObjectCollection_AddInstances(collection, instances, 0);
+	nss_ZFreeIf(instances);
+	crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
+	nssPKIObjectCollection_Destroy(collection);
+    } else {
+	crls = nssTrustDomain_FindCRLsBySubject(td, &subject);
+    }
+    if ((!crls) || (*crls == NULL)) {
+	if (crls) {
+	    nssCRLArray_Destroy(crls);
+	}
+	if (NSS_GetError() == NSS_ERROR_NOT_FOUND) {
+	    PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+	}
+	goto loser;
+    }
+    for (crlp = crls; *crlp; crlp++) {
+	if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) ||
+	    ((*crlp)->isKRL && type != SEC_CRL_TYPE)) 
+	{
+	    crl = nssCRL_AddRef(*crlp);
+	    break;
+	}
+    }
+    nssCRLArray_Destroy(crls);
+    if (!crl) { 
+	/* CRL collection was found, but no interesting CRL's were on it.
+	 * Not an error */
+	PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+	goto loser;
+    }
+    if (crl->url) {
+	url = PORT_Strdup(crl->url);
+	if (!url) {
+	    goto loser;
+	}
+    }
+    rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size);
+    if (!rvItem) {
+	goto loser;
+    }
+    memcpy(rvItem->data, crl->encoding.data, crl->encoding.size);
+    *slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot);
+    *crlHandle = crl->object.instances[0]->handle;
+    *pUrl = url;
+    nssCRL_Destroy(crl);
+    return rvItem;
+
+loser:
+    if (url)
+    	PORT_Free(url);
+    if (crl)
+	nssCRL_Destroy(crl);
+    if (PORT_GetError() == 0) {
+	PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
+    }
+    return NULL;
+}
+
+CK_OBJECT_HANDLE
+PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, 
+							char *url, int type)
+{
+    NSSItem derCRL, derSubject;
+    NSSToken *token = PK11Slot_GetNSSToken(slot);
+    nssCryptokiObject *object;
+    PRBool isKRL = (type == SEC_CRL_TYPE) ? PR_FALSE : PR_TRUE;
+    CK_OBJECT_HANDLE rvH;
+
+    NSSITEM_FROM_SECITEM(&derSubject, name);
+    NSSITEM_FROM_SECITEM(&derCRL, crl);
+
+    object = nssToken_ImportCRL(token, NULL, 
+                                &derSubject, &derCRL, isKRL, url, PR_TRUE);
+
+    if (object) {
+	rvH = object->handle;
+	nssCryptokiObject_Destroy(object);
+    } else {
+	rvH = CK_INVALID_HANDLE;
+    }
+    return rvH;
+}
+
+
+/*
+ * delete a crl.
+ */
+SECStatus
+SEC_DeletePermCRL(CERTSignedCrl *crl)
+{
+    PRStatus status;
+    NSSToken *token;
+    nssCryptokiObject *object;
+    PK11SlotInfo *slot = crl->slot;
+
+    if (slot == NULL) {
+        PORT_Assert(slot);
+	/* shouldn't happen */
+	PORT_SetError( SEC_ERROR_CRL_INVALID);
+	return SECFailure;
+    }
+    token = PK11Slot_GetNSSToken(slot);
+
+    object = nss_ZNEW(NULL, nssCryptokiObject);
+    if (!object) {
+        return SECFailure;
+    }
+    object->token = nssToken_AddRef(token);
+    object->handle = crl->pkcs11ID;
+    object->isTokenObject = PR_TRUE;
+
+    status = nssToken_DeleteStoredObject(object);
+
+    nssCryptokiObject_Destroy(object);
+    return (status == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+/*
+ * return the certificate associated with a derCert 
+ */
+SECItem *
+PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
+				 SECItem *name, SECItem **profileTime)
+{
+    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
+    };
+    CK_ATTRIBUTE smimeData[] =  {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 },
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_RV crv;
+    SECItem *emailProfile = NULL;
+
+    if (!emailAddr || !emailAddr[0]) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); 
+								    attrs++;
+
+    if (*slot) {
+    	smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
+    } else {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+
+	if (!list) {
+	    return NULL;
+	}
+	/* loop through all the slots */
+	for (le = list->head; le; le = le->next) {
+	    smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
+	    if (smimeh != CK_INVALID_HANDLE) {
+		*slot = PK11_ReferenceSlot(le->slot);
+		break;
+	    }
+	}
+	PK11_FreeSlotList(list);
+    }
+    
+    if (smimeh == CK_INVALID_HANDLE) {
+	PORT_SetError(SEC_ERROR_NO_KRL);
+	return NULL;
+    }
+
+    if (profileTime) {
+    	PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0);
+    } 
+    
+    crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError (crv));
+	goto loser;
+    }
+
+    if (!profileTime) {
+	SECItem profileSubject;
+
+	profileSubject.data = (unsigned char*) smimeData[0].pValue;
+	profileSubject.len = smimeData[0].ulValueLen;
+	if (!SECITEM_ItemsAreEqual(&profileSubject,name)) {
+	    goto loser;
+	}
+    }
+
+    emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
+    if (emailProfile == NULL) {
+	goto loser;
+    }
+
+    emailProfile->data = (unsigned char*) smimeData[1].pValue;
+    emailProfile->len = smimeData[1].ulValueLen;
+
+    if (profileTime) {
+	*profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
+	if (*profileTime) {
+	    (*profileTime)->data = (unsigned char*) smimeData[0].pValue;
+	    (*profileTime)->len = smimeData[0].ulValueLen;
+	}
+    }
+
+loser:
+    if (emailProfile == NULL) {
+	if (smimeData[1].pValue) {
+	    PORT_Free(smimeData[1].pValue);
+	}
+    }
+    if (profileTime == NULL || *profileTime == NULL) {
+	if (smimeData[0].pValue) {
+	    PORT_Free(smimeData[0].pValue);
+	}
+    }
+    return emailProfile;
+}
+
+
+SECStatus
+PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
+				 SECItem *emailProfile,  SECItem *profileTime)
+{
+    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
+    CK_BBOOL ck_true = CK_TRUE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
+	{ CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int realSize = 0;
+    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_SESSION_HANDLE rwsession;
+    PK11SlotInfo *free_slot = NULL;
+    CK_RV crv;
+#ifdef DEBUG
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+#endif
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
+    PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, 
+				emailAddr, PORT_Strlen(emailAddr)+1); attrs++;
+    if (profileTime) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data,
+	                                            profileTime->len); attrs++;
+	PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data,
+	                                            emailProfile->len); attrs++;
+    }
+    realSize = attrs - theTemplate;
+    PORT_Assert (realSize <= tsize);
+
+    if (slot == NULL) {
+	free_slot = slot = PK11_GetInternalKeySlot();
+	/* we need to free the key slot in the end!!! */
+    }
+
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_READ_ONLY);
+	if (free_slot) {
+	    PK11_FreeSlot(free_slot);
+	}
+	return SECFailure;
+    }
+
+    crv = PK11_GETTAB(slot)->
+                        C_CreateObject(rwsession,theTemplate,realSize,&smimeh);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+    }
+
+    PK11_RestoreROSession(slot,rwsession);
+
+    if (free_slot) {
+	PK11_FreeSlot(free_slot);
+    }
+    return SECSuccess;
+}
+
+
+CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url,
+                  CERTSignedCrl *newCrl, SECItem *derCrl, int type);
+
+/* import the CRL into the token */
+
+CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
+    int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena,
+    PRInt32 decodeoptions)
+{
+    CERTSignedCrl *newCrl, *crl;
+    SECStatus rv;
+    CERTCertificate *caCert = NULL;
+
+    newCrl = crl = NULL;
+
+    do {
+        newCrl = CERT_DecodeDERCrlWithFlags(arena, derCRL, type,
+                                            decodeoptions);
+        if (newCrl == NULL) {
+            if (type == SEC_CRL_TYPE) {
+                /* only promote error when the error code is too generic */
+                if (PORT_GetError () == SEC_ERROR_BAD_DER)
+                    PORT_SetError(SEC_ERROR_CRL_INVALID);
+	        } else {
+                PORT_SetError(SEC_ERROR_KRL_INVALID);
+            }
+            break;		
+        }
+
+        if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
+            CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
+            PR_ASSERT(handle != NULL);
+            caCert = CERT_FindCertByName (handle,
+                                          &newCrl->crl.derName);
+            if (caCert == NULL) {
+                PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);	    
+                break;
+            }
+
+            /* If caCert is a v3 certificate, make sure that it can be used for
+               crl signing purpose */
+            rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
+            if (rv != SECSuccess) {
+                break;
+            }
+
+            rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
+                                       PR_Now(), wincx);
+            if (rv != SECSuccess) {
+                if (type == SEC_CRL_TYPE) {
+                    PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
+                } else {
+                    PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+                }
+                break;
+            }
+        }
+
+	crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
+
+    } while (0);
+
+    if (crl == NULL) {
+	SEC_DestroyCrl (newCrl);
+    }
+    if (caCert) {
+        CERT_DestroyCertificate(caCert);
+    }
+    return (crl);
+}
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
new file mode 100644
index 000000000..e7c3afc3c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -0,0 +1,1820 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file manages object type indepentent functions.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "key.h" 
+#include "secitem.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+#define PK11_SEARCH_CHUNKSIZE 10
+
+/*
+ * Build a block big enough to hold the data
+ */
+SECItem *
+PK11_BlockData(SECItem *data,unsigned long size) {
+    SECItem *newData;
+
+    newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (newData == NULL) return NULL;
+
+    newData->len = (data->len + (size-1))/size;
+    newData->len *= size;
+
+    newData->data = (unsigned char *) PORT_ZAlloc(newData->len); 
+    if (newData->data == NULL) {
+	PORT_Free(newData);
+	return NULL;
+    }
+    PORT_Memset(newData->data,newData->len-data->len,newData->len); 
+    PORT_Memcpy(newData->data,data->data,data->len);
+    return newData;
+}
+
+
+SECStatus
+PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+    CK_SESSION_HANDLE rwsession;
+
+    
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return SECFailure;
+    }
+
+    crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	PORT_SetError(PK11_MapError(crv));
+    }
+    PK11_RestoreROSession(slot,rwsession);
+    return rv;
+}
+
+/*
+ * Read in a single attribute into a SECItem. Allocate space for it with 
+ * PORT_Alloc unless an arena is supplied. In the latter case use the arena
+ * to allocate the space.
+ */
+SECStatus
+PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+	 CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) {
+    CK_ATTRIBUTE attr = { 0, NULL, 0 };
+    CK_RV crv;
+
+    attr.type = type;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    if (arena) {
+    	attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen);
+    } else {
+    	attr.pValue = PORT_Alloc(attr.ulValueLen);
+    }
+    if (attr.pValue == NULL) {
+	PK11_ExitSlotMonitor(slot);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	if (!arena) PORT_Free(attr.pValue);
+	return SECFailure;
+    }
+
+    result->data = (unsigned char*)attr.pValue;
+    result->len = attr.ulValueLen;
+
+    return SECSuccess;
+}
+
+/*
+ * Read in a single attribute into As a Ulong. 
+ */
+CK_ULONG
+PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+	 CK_ATTRIBUTE_TYPE type) {
+    CK_ATTRIBUTE attr;
+    CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
+    CK_RV crv;
+
+    PK11_SETATTRS(&attr,type,&value,sizeof(value));
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+    }
+    return value;
+}
+
+/*
+ * check to see if a bool has been set.
+ */
+CK_BBOOL
+PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+				                      CK_ATTRIBUTE_TYPE type )
+{
+    CK_BBOOL ckvalue = CK_FALSE;
+    CK_ATTRIBUTE theTemplate;
+    CK_RV crv;
+
+    /* Prepare to retrieve the attribute. */
+    PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
+
+    /* Retrieve attribute value. */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
+                                                    &theTemplate, 1 );
+    PK11_ExitSlotMonitor(slot);
+    if( crv != CKR_OK ) {
+        PORT_SetError( PK11_MapError( crv ) );
+        return CK_FALSE;
+    }
+
+    return ckvalue;
+}
+
+/*
+ * returns a full list of attributes. Allocate space for them. If an arena is
+ * provided, allocate space out of the arena.
+ */
+CK_RV
+PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
+			CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count)
+{
+    int i;
+    /* make pedantic happy... note that it's only used arena != NULL */ 
+    void *mark = NULL; 
+    CK_RV crv;
+    PORT_Assert(slot->session != CK_INVALID_SESSION);
+    if (slot->session == CK_INVALID_SESSION)
+	return CKR_SESSION_HANDLE_INVALID;
+
+    /*
+     * first get all the lengths of the parameters.
+     */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	return crv;
+    }
+
+    if (arena) {
+    	mark = PORT_ArenaMark(arena);
+	if (mark == NULL) return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * now allocate space to store the results.
+     */
+    for (i=0; i < count; i++) {
+	if (attr[i].ulValueLen == 0)
+	    continue;
+	if (arena) {
+	    attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen);
+	    if (attr[i].pValue == NULL) {
+		/* arena failures, just release the mark */
+		PORT_ArenaRelease(arena,mark);
+		PK11_ExitSlotMonitor(slot);
+		return CKR_HOST_MEMORY;
+	    }
+	} else {
+	    attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
+	    if (attr[i].pValue == NULL) {
+		/* Separate malloc failures, loop to release what we have 
+		 * so far */
+		int j;
+		for (j= 0; j < i; j++) { 
+		    PORT_Free(attr[j].pValue);
+		    /* don't give the caller pointers to freed memory */
+		    attr[j].pValue = NULL; 
+		}
+		PK11_ExitSlotMonitor(slot);
+		return CKR_HOST_MEMORY;
+	    }
+	}
+    }
+
+    /*
+     * finally get the results.
+     */
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	if (arena) {
+	    PORT_ArenaRelease(arena,mark);
+	} else {
+	    for (i= 0; i < count; i++) {
+		PORT_Free(attr[i].pValue);
+		/* don't give the caller pointers to freed memory */
+		attr[i].pValue = NULL;
+	    }
+	}
+    } else if (arena && mark) {
+	PORT_ArenaUnmark(arena,mark);
+    }
+    return crv;
+}
+
+PRBool
+PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
+{
+    return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
+}
+
+char *
+PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) 
+{
+    char *nickname = NULL;
+    SECItem result;
+    SECStatus rv;
+
+    rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    nickname = PORT_ZAlloc(result.len+1);
+    if (nickname == NULL) {
+	PORT_Free(result.data);
+	return NULL;
+    }
+    PORT_Memcpy(nickname, result.data, result.len);
+    PORT_Free(result.data);
+    return nickname;
+}
+
+SECStatus
+PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
+						const char *nickname) 
+{
+    int len = PORT_Strlen(nickname);
+    CK_ATTRIBUTE setTemplate;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+
+    if (len < 0) {
+	return SECFailure;
+    }
+
+    PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len);
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
+			&setTemplate, 1);
+    PK11_RestoreROSession(slot, rwsession);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * strip leading zero's from key material
+ */
+void
+pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) {
+    char *ptr = (char *)attrib->pValue;
+    unsigned long len = attrib->ulValueLen;
+
+    while (len && (*ptr == 0)) {
+	len--;
+	ptr++;
+    }
+    attrib->pValue = ptr;
+    attrib->ulValueLen = len;
+}
+
+/*
+ * get a new session on a slot. If we run out of session, use the slot's
+ * 'exclusive' session. In this case owner becomes false.
+ */
+CK_SESSION_HANDLE
+pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner)
+{
+    CK_SESSION_HANDLE session;
+    *owner =  PR_TRUE;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, 
+			slot,pk11_notify,&session) != CKR_OK) {
+	*owner = PR_FALSE;
+	session = slot->session;
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+    return session;
+}
+
+void
+pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner)
+{
+    if (!owner) return;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    (void) PK11_GETTAB(slot)->C_CloseSession(session);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+}
+
+
+SECStatus
+PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+				const CK_ATTRIBUTE *theTemplate, int count, 
+				PRBool token, CK_OBJECT_HANDLE *objectID)
+{
+	CK_SESSION_HANDLE rwsession;
+	CK_RV crv;
+	SECStatus rv = SECSuccess;
+
+	rwsession = session;
+	if (token) {
+	    rwsession =  PK11_GetRWSession(slot);
+	} else if (rwsession == CK_INVALID_SESSION) {
+	    rwsession =  slot->session;
+	    if (rwsession != CK_INVALID_SESSION)
+		PK11_EnterSlotMonitor(slot);
+	}
+	if (rwsession == CK_INVALID_SESSION) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate,
+							count,objectID);
+	if(crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    rv = SECFailure;
+	}
+	if (token) {
+	    PK11_RestoreROSession(slot, rwsession);
+	} else if (session == CK_INVALID_SESSION) {
+	    PK11_ExitSlotMonitor(slot);
+        }
+
+	return rv;
+}
+
+
+/* This function may add a maximum of 9 attributes. */
+unsigned int
+pk11_OpFlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
+{
+
+    const static CK_ATTRIBUTE_TYPE attrTypes[12] = {
+	CKA_ENCRYPT,      CKA_DECRYPT, 0 /* DIGEST */,     CKA_SIGN,
+	CKA_SIGN_RECOVER, CKA_VERIFY,  CKA_VERIFY_RECOVER, 0 /* GEN */,
+	0 /* GEN PAIR */, CKA_WRAP,    CKA_UNWRAP,         CKA_DERIVE 
+    };
+
+    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
+          CK_ATTRIBUTE      *attr	= attrs;
+          CK_FLAGS          test	= CKF_ENCRYPT;
+
+
+    PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
+    flags &= CKF_KEY_OPERATION_FLAGS;
+
+    for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) {
+    	if (test & flags) {
+	    flags ^= test;
+	    PR_ASSERT(*pType);
+	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
+	    ++attr;
+	}
+    }
+    return (attr - attrs);
+}
+
+/*
+ * Check for conflicting flags, for example, if both PK11_ATTR_PRIVATE
+ * and PK11_ATTR_PUBLIC are set.
+ */
+PRBool
+pk11_BadAttrFlags(PK11AttrFlags attrFlags)
+{
+    PK11AttrFlags trueFlags = attrFlags & 0x55555555;
+    PK11AttrFlags falseFlags = (attrFlags >> 1) & 0x55555555;
+    return ((trueFlags & falseFlags) != 0);
+}
+
+/*
+ * This function may add a maximum of 5 attributes.
+ * The caller must make sure the attribute flags don't have conflicts.
+ */
+unsigned int
+pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags, CK_ATTRIBUTE *attrs,
+				CK_BBOOL *ckTrue, CK_BBOOL *ckFalse)
+{
+    const static CK_ATTRIBUTE_TYPE attrTypes[5] = {
+	CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_SENSITIVE,
+	CKA_EXTRACTABLE
+    };
+
+    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
+          CK_ATTRIBUTE      *attr	= attrs;
+          PK11AttrFlags      test	= PK11_ATTR_TOKEN;
+
+    PR_ASSERT(!pk11_BadAttrFlags(attrFlags));
+
+    /* we test two related bitflags in each iteration */
+    for (; attrFlags && test <= PK11_ATTR_EXTRACTABLE; test <<= 2, ++pType) {
+    	if (test & attrFlags) {
+	    attrFlags ^= test;
+	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
+	    ++attr;
+	} else if ((test << 1) & attrFlags) {
+	    attrFlags ^= (test << 1);
+	    PK11_SETATTRS(attr, *pType, ckFalse, sizeof *ckFalse); 
+	    ++attr;
+	}
+    }
+    return (attr - attrs);
+}
+
+/*
+ * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
+ * set up a signature to get the signaure length.
+ */
+static int
+pk11_backupGetSignLength(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+    unsigned char h_data[20]  = { 0 };
+    unsigned char buf[20]; /* obviously to small */
+    CK_ULONG smallLen = sizeof(buf);
+
+    mech.mechanism = PK11_MapSignKeyType(key->keyType);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    len = 0;
+    crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data),
+					NULL, &len);
+    /* now call C_Sign with too small a buffer to clear the session state */
+    (void) PK11_GETTAB(slot)->
+			C_Sign(session,h_data,sizeof(h_data),buf,&smallLen);
+	
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    return len;
+}
+
+/*
+ * get the length of a signature object based on the key
+ */
+int
+PK11_SignatureLen(SECKEYPrivateKey *key)
+{
+    int val;
+    CK_ATTRIBUTE theTemplate = { CKA_EC_PARAMS, NULL, 0 };
+    SECItem params = {siBuffer, NULL, 0};
+    int length; 
+
+    switch (key->keyType) {
+    case rsaKey:
+	val = PK11_GetPrivateModulusLen(key);
+	if (val == -1) {
+	    return pk11_backupGetSignLength(key);
+	}
+	return (unsigned long) val;
+	
+    case fortezzaKey:
+    case dsaKey:
+	return 40;
+    case ecKey:
+	if (PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID,
+			       &theTemplate, 1) == CKR_OK) {
+	    if (theTemplate.pValue != NULL) {
+	        params.len = theTemplate.ulValueLen;
+		params.data = (unsigned char *) theTemplate.pValue;
+	        length = SECKEY_ECParamsToBasePointOrderLen(&params);
+	        PORT_Free(theTemplate.pValue);
+		if (length == 0) {
+		    return pk11_backupGetSignLength(key);
+		}
+		length = ((length + 7)/8) * 2;
+		return length;
+	    }
+	}
+	break;
+    default:
+	break;
+    }
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return 0;
+}
+
+/*
+ * copy a key (or any other object) on a token
+ */
+CK_OBJECT_HANDLE
+PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
+{
+    CK_OBJECT_HANDLE destObject;
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0,
+				&destObject);
+    PK11_ExitSlotMonitor(slot);
+    if (crv == CKR_OK) return destObject;
+    PORT_SetError( PK11_MapError(crv) );
+    return CK_INVALID_HANDLE;
+}
+
+PRBool
+pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
+						CK_ATTRIBUTE_TYPE target)
+{
+    for (; numAttrs > 0; ++attr, --numAttrs) {
+    	if (attr->type == target)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+	
+/*
+ * Recover the Signed data. We need this because our old verify can't
+ * figure out which hash algorithm to use until we decryptted this.
+ */
+SECStatus
+PK11_VerifyRecover(SECKEYPublicKey *key,
+			 	SECItem *sig, SECItem *dsig, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = PK11_MapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(mech.mechanism,wincx);
+	if (slot == NULL) {
+	    	PORT_SetError( SEC_ERROR_NO_MODULE );
+		return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    if (id == CK_INVALID_HANDLE) {
+	PK11_FreeSlot(slot);
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	PK11_FreeSlot(slot);
+	return SECFailure;
+    }
+    len = dsig->len;
+    crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data,
+						sig->len, dsig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    dsig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	PK11_FreeSlot(slot);
+	return SECFailure;
+    }
+    PK11_FreeSlot(slot);
+    return SECSuccess;
+}
+
+/*
+ * verify a signature from its hash.
+ */
+SECStatus
+PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    mech.mechanism = PK11_MapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(mech.mechanism,wincx);
+       
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+            
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    if (id == CK_INVALID_HANDLE) {
+	PK11_FreeSlot(slot);
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Verify(session,hash->data,
+					hash->len, sig->data, sig->len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    PK11_FreeSlot(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * sign a hash. The algorithm is determined by the key.
+ */
+SECStatus
+PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = PK11_MapSignKeyType(key->keyType);
+
+    if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
+	PK11_HandlePasswordCheck(slot, key->wincx);
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    len = sig->len;
+    crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
+					hash->len, sig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    sig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
+ * RSA keys, or they'll fail. We do the checks up front. If anyone comes
+ * up with a meaning for rawdecrypt for any other public key operation,
+ * then we need to move this check into some of PK11_PubDecrypt callers,
+ * (namely SSL 2.0).
+ */
+static SECStatus
+pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
+	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
+				    unsigned encLen, CK_MECHANISM_PTR mech)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_ULONG out = maxLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    /* Why do we do a PK11_handle check here? for simple
+     * decryption? .. because the user may have asked for 'ask always'
+     * and this is a private key operation. In practice, thought, it's mute
+     * since only servers wind up using this function */
+    if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
+	PK11_HandlePasswordCheck(slot, key->wincx);
+    }
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    *outLen = out;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
+	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
+				    unsigned encLen)
+{
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
+}
+
+SECStatus
+PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, 
+	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
+				    unsigned encLen)
+{
+    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
+    return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
+}
+
+static SECStatus
+pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+		    unsigned char *data, unsigned dataLen, 
+		    CK_MECHANISM_PTR mech, void *wincx)
+{
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE id;
+    CK_ULONG out;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (!key || key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+    out = SECKEY_PublicKeyStrength(key);
+
+    slot = PK11_GetBestSlot(mech->mechanism, wincx);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+
+    if (id == CK_INVALID_HANDLE) {
+	PK11_FreeSlot(slot);
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    PK11_FreeSlot(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+		unsigned char *data, unsigned dataLen, void *wincx)
+{
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
+}
+
+SECStatus
+PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
+		unsigned char *data, unsigned dataLen, void *wincx)
+{
+    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
+    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
+}
+
+SECKEYPrivateKey *
+PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+		   CK_MECHANISM_TYPE wrapType, SECItem *param, 
+		   SECItem *wrappedKey, SECItem *label, 
+		   SECItem *idValue, PRBool perm, PRBool sensitive,
+		   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage,
+		   int usageCount, void *wincx)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_ATTRIBUTE keyTemplate[15] ;
+    int templateCount = 0;
+    CK_OBJECT_HANDLE privKeyID;
+    CK_MECHANISM mechanism;
+    CK_ATTRIBUTE *attrs = keyTemplate;
+    SECItem *param_free = NULL, *ck_id;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+    PK11SymKey *newKey = NULL;
+    int i;
+
+    if(!slot || !wrappedKey || !idValue) {
+	/* SET AN ERROR!!! */
+	return NULL;
+    }
+
+    ck_id = PK11_MakeIDFromPubKey(idValue);
+    if(!ck_id) {
+	return NULL;
+    }
+
+    PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
+					sizeof(cktrue)); attrs++;
+    if (label && label->data) {
+	PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
+    }
+    PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;
+    for (i=0; i < usageCount; i++) {
+    	PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
+    }
+
+    if (PK11_IsInternal(slot)) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, 
+		      idValue->len); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );
+
+    mechanism.mechanism = wrapType;
+    if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL);
+    if(param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if (wrappingKey->slot != slot) {
+	newKey = pk11_CopyToSlot(slot,wrapType,CKA_WRAP,wrappingKey);
+    } else {
+	newKey = PK11_ReferenceSymKey(wrappingKey);
+    }
+
+    if (newKey) {
+	if (perm) {
+	    /* Get RW Session will either lock the monitor if necessary, 
+	     *  or return a thread safe session handle, or fail. */ 
+	    rwsession = PK11_GetRWSession(slot);
+	} else {
+	    rwsession = slot->session;
+	    if (rwsession != CK_INVALID_SESSION) 
+		PK11_EnterSlotMonitor(slot);
+	}
+	if (rwsession == CK_INVALID_SESSION) {
+	    PK11_FreeSymKey(newKey);
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return NULL;
+	}
+	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, 
+					 newKey->objectID,
+					 wrappedKey->data, 
+					 wrappedKey->len, keyTemplate, 
+					 templateCount, &privKeyID);
+
+	if (perm) {
+	    PK11_RestoreROSession(slot, rwsession);
+	} else {
+	    PK11_ExitSlotMonitor(slot);
+	}
+	PK11_FreeSymKey(newKey);
+    } else {
+	crv = CKR_FUNCTION_NOT_SUPPORTED;
+    }
+
+    if(ck_id) {
+	SECITEM_FreeItem(ck_id, PR_TRUE);
+	ck_id = NULL;
+    }
+
+    if (crv != CKR_OK) {
+	/* we couldn't unwrap the key, use the internal module to do the
+	 * unwrap, then load the new key into the token */
+	 PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	if (int_slot && (slot != int_slot)) {
+	    SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
+			wrappingKey, wrapType, param, wrappedKey, label,
+			idValue, PR_FALSE, PR_FALSE, 
+			keyType, usage, usageCount, wincx);
+	    if (privKey) {
+		SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot,privKey,
+						NULL,perm,sensitive);
+		SECKEY_DestroyPrivateKey(privKey);
+		PK11_FreeSlot(int_slot);
+		return newPrivKey;
+	    }
+	}
+	if (int_slot) PK11_FreeSlot(int_slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
+}
+
+/*
+ * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
+ * The strategy is to get both keys to reside in the same slot,
+ * one that can perform the desired crypto mechanism and then
+ * call C_WrapKey after all the setup has taken place.
+ */
+SECStatus
+PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, 
+		 SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, 
+		 SECItem *param, SECItem *wrappedKey, void *wincx)
+{
+    PK11SlotInfo     *privSlot   = privKey->pkcs11Slot; /* The slot where
+							 * the private key
+							 * we are going to
+							 * wrap lives.
+							 */
+    PK11SymKey       *newSymKey  = NULL;
+    SECKEYPrivateKey *newPrivKey = NULL;
+    SECItem          *param_free = NULL;
+    CK_ULONG          len        = wrappedKey->len;
+    CK_MECHANISM      mech;
+    CK_RV             crv;
+
+    if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
+        /* Figure out a slot that does the mechanism and try to import
+	 * the private key onto that slot.
+	 */
+        PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	privSlot = int_slot; /* The private key has a new home */
+	newPrivKey = PK11_LoadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE);
+	/* newPrivKey has allocated its own reference to the slot, so it's
+	 * safe until we destroy newPrivkey.
+	 */
+	PK11_FreeSlot(int_slot);
+	if (newPrivKey == NULL) {
+	    return SECFailure;
+	}
+	privKey = newPrivKey;
+    }
+
+    if (privSlot != wrappingKey->slot) {
+        newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP, 
+				     wrappingKey);
+	wrappingKey = newSymKey;
+    }
+
+    if (wrappingKey == NULL) {
+        if (newPrivKey) {
+		SECKEY_DestroyPrivateKey(newPrivKey);
+	}
+	return SECFailure;
+    }
+    mech.mechanism = wrapType;
+    if (!param) {
+        param = param_free = PK11_ParamFromIV(wrapType, NULL);
+    }
+    if (param) {
+        mech.pParameter     = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+        mech.pParameter     = NULL;
+	mech.ulParameterLen = 0;
+    }
+
+    PK11_EnterSlotMonitor(privSlot);
+    crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, 
+					   wrappingKey->objectID, 
+					   privKey->pkcs11ID,
+					   wrappedKey->data, &len);
+    PK11_ExitSlotMonitor(privSlot);
+
+    if (newSymKey) {
+        PK11_FreeSymKey(newSymKey);
+    }
+    if (newPrivKey) {
+        SECKEY_DestroyPrivateKey(newPrivKey);
+    }
+    if (param_free) {
+	SECITEM_FreeItem(param_free,PR_TRUE);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    wrappedKey->len = len;
+    return SECSuccess;
+}
+
+#if 0
+/*
+ * Sample code relating to linked list returned by PK11_FindGenericObjects
+ */
+
+/*
+ * You can walk the list with the following code:
+ */
+    firstObj = PK11_FindGenericObjects(slot, objClass);
+    for (thisObj=firstObj;
+         thisObj; 
+         thisObj=PK11_GetNextGenericObject(thisObj)) {
+        /* operate on thisObj */
+    }
+/*
+ * If you want a particular object from the list...
+ */
+    firstObj = PK11_FindGenericObjects(slot, objClass);
+    for (thisObj=firstObj;
+         thisObj; 
+         thisObj=PK11_GetNextGenericObject(thisObj)) {
+   	if (isMyObj(thisObj)) {
+  	    if ( thisObj == firstObj) {
+                /* NOTE: firstObj could be NULL at this point */
+  		firstObj = PK11_GetNextGenericObject(thsObj); 
+  	    }
+  	    PK11_UnlinkGenericObject(thisObj);
+            myObj = thisObj;
+            break;
+        }
+    }
+
+    PK11_DestroyGenericObjects(firstObj);
+
+      /* use myObj */
+
+    PK11_DestroyGenericObject(myObj);
+#endif /* sample code */
+
+/*
+ * return a linked, non-circular list of generic objects.
+ * If you are only interested
+ * in one object, just use the first object in the list. To find the
+ * rest of the list use PK11_GetNextGenericObject() to return the next object.
+ */
+PK11GenericObject *
+PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass)
+{
+    CK_ATTRIBUTE template[1];
+    CK_ATTRIBUTE *attrs = template;
+    CK_OBJECT_HANDLE *objectIDs = NULL;
+    PK11GenericObject *lastObj = NULL, *obj;
+    PK11GenericObject *firstObj = NULL;
+    int i, count = 0;
+
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
+
+    objectIDs = pk11_FindObjectsByTemplate(slot,template,1,&count);
+    if (objectIDs == NULL) {
+	return NULL;
+    }
+
+    /* where we connect our object once we've created it.. */
+    for (i=0; i < count; i++) {
+	obj = PORT_New(PK11GenericObject);
+	if ( !obj ) {
+	    if (firstObj) {
+		PK11_DestroyGenericObjects(firstObj);
+	    }
+	    PORT_Free(objectIDs);
+	    return NULL;
+	}
+	/* initialize it */	
+	obj->slot = PK11_ReferenceSlot(slot);
+	obj->objectID = objectIDs[i];
+	obj->next = NULL;
+	obj->prev = NULL;
+
+	/* link it in */
+	if (firstObj == NULL) {
+	    firstObj = obj;
+	} else {
+	    PK11_LinkGenericObject(lastObj, obj);
+	}
+	lastObj = obj;
+    }
+    PORT_Free(objectIDs);
+    return firstObj;
+}
+
+/*
+ * get the Next Object in the list.
+ */
+PK11GenericObject *
+PK11_GetNextGenericObject(PK11GenericObject *object)
+{
+    return object->next;
+}
+
+PK11GenericObject *
+PK11_GetPrevGenericObject(PK11GenericObject *object)
+{
+    return object->prev;
+}
+
+/*
+ * Link a single object into a new list.
+ * if the object is already in another list, remove it first.
+ */
+SECStatus
+PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object)
+{
+    PK11_UnlinkGenericObject(object);
+    object->prev = list;
+    object->next = list->next;
+    list->next = object;
+    if (object->next != NULL) {
+	object->next->prev = object;
+    }
+   return SECSuccess;
+}
+
+/*
+ * remove an object from the list. If the object isn't already in
+ * a list unlink becomes a noop.
+ */
+SECStatus
+PK11_UnlinkGenericObject(PK11GenericObject *object)
+{
+    if (object->prev != NULL) {
+	object->prev->next = object->next;
+    }
+    if (object->next != NULL) {
+	object->next->prev = object->prev;
+    }
+
+    object->next = NULL;
+    object->prev = NULL;
+    return SECSuccess;
+}
+
+/*
+ * This function removes a single object from the list and destroys it.
+ * For an already unlinked object there is no difference between
+ * PK11_DestroyGenericObject and PK11_DestroyGenericObjects
+ */
+SECStatus 
+PK11_DestroyGenericObject(PK11GenericObject *object)
+{
+    if (object == NULL) {
+	return SECSuccess;
+    }
+
+    PK11_UnlinkGenericObject(object);
+    if (object->slot) {
+	PK11_FreeSlot(object->slot);
+    }
+    PORT_Free(object);
+    return SECSuccess;
+}
+
+/*
+ * walk down a link list of generic objects destroying them.
+ * This will destroy all objects in a list that the object is linked into.
+ * (the list is traversed in both directions).
+ */
+SECStatus 
+PK11_DestroyGenericObjects(PK11GenericObject *objects)
+{
+    PK11GenericObject *nextObject;
+    PK11GenericObject *prevObject;
+ 
+    if (objects == NULL) {
+	return SECSuccess;
+    }
+
+    nextObject = objects->next;
+    prevObject = objects->prev;
+
+    /* delete all the objects after it in the list */
+    for (; objects;  objects = nextObject) {
+	nextObject = objects->next;
+	PK11_DestroyGenericObject(objects);
+    }
+    /* delete all the objects before it in the list */
+    for (objects = prevObject; objects;  objects = prevObject) {
+	prevObject = objects->prev;
+	PK11_DestroyGenericObject(objects);
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * Hand Create a new object and return the Generic object for our new object.
+ */
+PK11GenericObject *
+PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate,
+		int count,  PRBool token)
+{
+    CK_OBJECT_HANDLE objectID;
+    PK11GenericObject *obj;
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_CreateNewObject(slot, slot->session, pTemplate, count, 
+			       token, &objectID);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return NULL;
+    }
+
+    obj = PORT_New(PK11GenericObject);
+    if ( !obj ) {
+	/* error set by PORT_New */
+	return NULL;
+    }
+
+    /* initialize it */	
+    obj->slot = PK11_ReferenceSlot(slot);
+    obj->objectID = objectID;
+    obj->next = NULL;
+    obj->prev = NULL;
+    return obj;
+}
+
+/*
+ * Change an attribute on a raw object
+ */
+SECStatus
+PK11_WriteRawAttribute(PK11ObjectType objType, void *objSpec, 
+				CK_ATTRIBUTE_TYPE attrType, SECItem *item)
+{
+    PK11SlotInfo *slot = NULL;
+    CK_OBJECT_HANDLE handle;
+    CK_ATTRIBUTE setTemplate;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+
+    switch (objType) {
+    case PK11_TypeGeneric:
+	slot = ((PK11GenericObject *)objSpec)->slot;
+	handle = ((PK11GenericObject *)objSpec)->objectID;
+	break;
+    case PK11_TypePrivKey:
+	slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot;
+	handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID;
+	break;
+    case PK11_TypePubKey:
+	slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot;
+	handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID;
+	break;
+    case PK11_TypeSymKey:
+	slot = ((PK11SymKey *)objSpec)->slot;
+	handle = ((PK11SymKey *)objSpec)->objectID;
+	break;
+    case PK11_TypeCert: /* don't handle cert case for now */
+    default:
+	break;
+    }
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE);
+	return SECFailure;
+    }
+
+    PK11_SETATTRS(&setTemplate, attrType, (CK_CHAR *) item->data, item->len);
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+    	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, handle,
+			&setTemplate, 1);
+    PK11_RestoreROSession(slot, rwsession);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+SECStatus
+PK11_ReadRawAttribute(PK11ObjectType objType, void *objSpec, 
+				CK_ATTRIBUTE_TYPE attrType, SECItem *item)
+{
+    PK11SlotInfo *slot = NULL;
+    CK_OBJECT_HANDLE handle;
+
+    switch (objType) {
+    case PK11_TypeGeneric:
+	slot = ((PK11GenericObject *)objSpec)->slot;
+	handle = ((PK11GenericObject *)objSpec)->objectID;
+	break;
+    case PK11_TypePrivKey:
+	slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot;
+	handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID;
+	break;
+    case PK11_TypePubKey:
+	slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot;
+	handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID;
+	break;
+    case PK11_TypeSymKey:
+	slot = ((PK11SymKey *)objSpec)->slot;
+	handle = ((PK11SymKey *)objSpec)->objectID;
+	break;
+    case PK11_TypeCert: /* don't handle cert case for now */
+    default:
+	break;
+    }
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE);
+	return SECFailure;
+    }
+
+    return PK11_ReadAttribute(slot, handle, attrType, NULL, item);
+}
+
+
+/*
+ * return the object handle that matches the template
+ */
+CK_OBJECT_HANDLE
+pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize)
+{
+    CK_OBJECT_HANDLE object;
+    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+    CK_ULONG objectCount;
+
+    /*
+     * issue the find
+     */
+    PK11_EnterSlotMonitor(slot);
+    if (slot->session != CK_INVALID_SESSION) {
+	crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, 
+	                                           theTemplate, tsize);
+    }
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return CK_INVALID_HANDLE;
+    }
+
+    crv=PK11_GETTAB(slot)->C_FindObjects(slot->session,&object,1,&objectCount);
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+    if ((crv != CKR_OK) || (objectCount < 1)) {
+	/* shouldn't use SSL_ERROR... here */
+	PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) :
+						  SSL_ERROR_NO_CERTIFICATE);
+	return CK_INVALID_HANDLE;
+    }
+
+    /* blow up if the PKCS #11 module returns us and invalid object handle */
+    PORT_Assert(object != CK_INVALID_HANDLE);
+    return object;
+} 
+
+/*
+ * return all the object handles that matches the template
+ */
+CK_OBJECT_HANDLE *
+pk11_FindObjectsByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
+                           int templCount, int *object_count) 
+{
+    CK_OBJECT_HANDLE *objID = NULL;
+    CK_ULONG returned_count = 0;
+    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+
+    PK11_EnterSlotMonitor(slot);
+    if (slot->session != CK_INVALID_SESSION) {
+	crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, 
+	                                           findTemplate, templCount);
+    }
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	*object_count = -1;
+	return NULL;
+    }
+
+
+    /*
+     * collect all the Matching Objects
+     */
+    do {
+	CK_OBJECT_HANDLE *oldObjID = objID;
+
+	if (objID == NULL) {
+    	    objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)*
+				(*object_count+ PK11_SEARCH_CHUNKSIZE));
+	} else {
+    	    objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID,
+		sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE));
+	}
+
+	if (objID == NULL) {
+	    if (oldObjID) PORT_Free(oldObjID);
+	    break;
+	}
+    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
+		&objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    PORT_Free(objID);
+	    objID = NULL;
+	    break;
+    	}
+	*object_count += returned_count;
+    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
+
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+
+    if (objID && (*object_count == 0)) {
+	PORT_Free(objID);
+	return NULL;
+    }
+    if (objID == NULL) *object_count = -1;
+    return objID;
+}
+/*
+ * given a PKCS #11 object, match it's peer based on the KeyID. searchID
+ * is typically a privateKey or a certificate while the peer is the opposite
+ */
+CK_OBJECT_HANDLE
+PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID,
+				 		CK_OBJECT_CLASS matchclass)
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    CK_ATTRIBUTE *keyclass = &theTemplate[1];
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    /* if you change the array, change the variable below as well */
+    CK_OBJECT_HANDLE peerID;
+    CK_OBJECT_HANDLE parent;
+    PRArenaPool *arena;
+    CK_RV crv;
+
+    /* now we need to create space for the public key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return CK_INVALID_HANDLE;
+
+    crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PORT_SetError( PK11_MapError(crv) );
+	return CK_INVALID_HANDLE;
+    }
+
+    if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) {
+	PORT_FreeArena(arena,PR_FALSE);
+	if (matchclass == CKO_CERTIFICATE)
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	else
+	    PORT_SetError(SEC_ERROR_NO_KEY);
+	return CK_INVALID_HANDLE;
+     }
+	
+	
+
+    /*
+     * issue the find
+     */
+    parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
+    *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;
+
+    peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+    PORT_FreeArena(arena,PR_FALSE);
+
+    return peerID;
+}
+
+/*
+ * count the number of objects that match the template.
+ */
+int
+PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, 
+							int templCount)
+{
+    CK_OBJECT_HANDLE objID[PK11_SEARCH_CHUNKSIZE];
+    int object_count = 0;
+    CK_ULONG returned_count = 0;
+    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+
+    PK11_EnterSlotMonitor(slot);
+    if (slot->session != CK_INVALID_SESSION) {
+	crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
+						   findTemplate, templCount);
+    }
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return object_count;
+    }
+
+    /*
+     * collect all the Matching Objects
+     */
+    do {
+    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, objID, 
+	                                       PK11_SEARCH_CHUNKSIZE, 
+					       &returned_count);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    break;
+    	}
+	object_count += returned_count;
+    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
+
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+    return object_count;
+}
+
+/*
+ * Traverse all the objects in a given slot.
+ */
+SECStatus
+PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
+{
+    int i;
+    CK_OBJECT_HANDLE *objID = NULL;
+    int object_count = 0;
+    pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
+
+    objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
+		slotcb->templateCount,&object_count);
+
+    /*Actually this isn't a failure... there just were no objs to be found*/
+    if (object_count == 0) {
+	return SECSuccess;
+    }
+
+    if (objID == NULL) {
+	return SECFailure;
+    }
+
+    for (i=0; i < object_count; i++) {
+	(*slotcb->callback)(slot,objID[i],slotcb->callbackArg);
+    }
+    PORT_Free(objID);
+    return SECSuccess;
+}
+
+/*
+ * Traverse all the objects in all slots.
+ */
+SECStatus
+pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), 
+				void *arg, PRBool forceLogin, void *wincx) {
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    SECStatus rv;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,wincx);
+    if (list == NULL) return SECFailure;
+
+    /* look at each slot and authenticate as necessary */
+    for (le = list->head ; le; le = le->next) {
+	if (forceLogin) {
+	    rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx);
+	    if (rv != SECSuccess) {
+		continue;
+	    }
+	}
+	if (callback) {
+	    (*callback)(le->slot,arg);
+	}
+    }
+
+    PK11_FreeSlotList(list);
+
+    return SECSuccess;
+}
+
+CK_OBJECT_HANDLE *
+PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
+		CK_OBJECT_CLASS objclass, int *returnCount, void *wincx)
+{
+    char *tokenName;
+    char *delimit;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE *objID;
+    CK_ATTRIBUTE findTemplate[] = {
+	 { CKA_LABEL, NULL, 0},
+	 { CKA_CLASS, NULL, 0},
+    };
+    int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]);
+    SECStatus rv;
+    PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass));
+
+    *slotptr = slot = NULL;
+    *returnCount = 0;
+    /* first find the slot associated with this nickname */
+    if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
+	int len = delimit - nickname;
+	tokenName = (char*)PORT_Alloc(len+1);
+	PORT_Memcpy(tokenName,nickname,len);
+	tokenName[len] = 0;
+
+        slot = *slotptr = PK11_FindSlotByName(tokenName);
+        PORT_Free(tokenName);
+	/* if we couldn't find a slot, assume the nickname is an internal cert
+	 * with no proceding slot name */
+	if (slot == NULL) {
+		slot = *slotptr = PK11_GetInternalKeySlot();
+	} else {
+		nickname = delimit+1;
+	}
+    } else {
+	*slotptr = slot = PK11_GetInternalKeySlot();
+    }
+    if (slot == NULL) {
+        return CK_INVALID_HANDLE;
+    }
+
+    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	PK11_FreeSlot(slot);
+	*slotptr = NULL;
+	return CK_INVALID_HANDLE;
+    }
+
+    findTemplate[0].pValue = nickname;
+    findTemplate[0].ulValueLen = PORT_Strlen(nickname);
+    objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount);
+    if (objID == NULL) {
+	/* PKCS #11 isn't clear on whether or not the NULL is
+	 * stored in the template.... try the find again with the
+	 * full null terminated string. */
+    	findTemplate[0].ulValueLen += 1;
+        objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,
+								returnCount);
+	if (objID == NULL) {
+	    /* Well that's the best we can do. It's just not here */
+	    /* what about faked nicknames? */
+	    PK11_FreeSlot(slot);
+	    *slotptr = NULL;
+	    *returnCount = 0;
+	}
+    }
+
+    return objID;
+}
+
+SECItem *
+pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) 
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+    };
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_RV crv;
+    SECItem *item;
+
+    item = SECITEM_AllocItem(NULL, NULL, 0);
+
+    if (item == NULL) {
+	return NULL;
+    }
+
+    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
+    if (crv != CKR_OK) {
+	SECITEM_FreeItem(item,PR_TRUE);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    item->data = (unsigned char*) theTemplate[0].pValue;
+    item->len =theTemplate[0].ulValueLen;
+
+    return item;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
new file mode 100644
index 000000000..8644cdccc
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -0,0 +1,427 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+
+#include <ctype.h>
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pki3hack.h"
+#include "secerr.h"
+   
+#include "pk11pars.h" 
+
+/* create a new module */
+static  SECMODModule *
+secmod_NewModule(void)
+{
+    SECMODModule *newMod;
+    PRArenaPool *arena;
+
+
+    /* create an arena in which dllName and commonName can be
+     * allocated.
+     */
+    arena = PORT_NewArena(512);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
+    if (newMod == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    /*
+     * initialize of the fields of the module
+     */
+    newMod->arena = arena;
+    newMod->internal = PR_FALSE;
+    newMod->loaded = PR_FALSE;
+    newMod->isFIPS = PR_FALSE;
+    newMod->dllName = NULL;
+    newMod->commonName = NULL;
+    newMod->library = NULL;
+    newMod->functionList = NULL;
+    newMod->slotCount = 0;
+    newMod->slots = NULL;
+    newMod->slotInfo = NULL;
+    newMod->slotInfoCount = 0;
+    newMod->refCount = 1;
+    newMod->ssl[0] = 0;
+    newMod->ssl[1] = 0;
+    newMod->libraryParams = NULL;
+    newMod->moduleDBFunc = NULL;
+    newMod->parent = NULL;
+    newMod->isCritical = PR_FALSE;
+    newMod->isModuleDB = PR_FALSE;
+    newMod->moduleDBOnly = PR_FALSE;
+    newMod->trustOrder = 0;
+    newMod->cipherOrder = 0;
+    newMod->evControlMask = 0;
+    newMod->refLock = PZ_NewLock(nssILockRefLock);
+    if (newMod->refLock == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    return newMod;
+    
+}
+
+/*
+ * for 3.4 we continue to use the old SECMODModule structure
+ */
+SECMODModule *
+SECMOD_CreateModule(const char *library, const char *moduleName, 
+				const char *parameters, const char *nss)
+{
+    SECMODModule *mod = secmod_NewModule();
+    char *slotParams,*ciphers;
+    /* pk11pars.h still does not have const char * interfaces */
+    char *nssc = (char *)nss;
+    if (mod == NULL) return NULL;
+
+    mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
+    if (library) {
+	mod->dllName = PORT_ArenaStrdup(mod->arena,library);
+    }
+    /* new field */
+    if (parameters) {
+	mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
+    }
+    mod->internal   = secmod_argHasFlag("flags","internal",nssc);
+    mod->isFIPS     = secmod_argHasFlag("flags","FIPS",nssc);
+    mod->isCritical = secmod_argHasFlag("flags","critical",nssc);
+    slotParams      = secmod_argGetParamValue("slotParams",nssc);
+    mod->slotInfo   = secmod_argParseSlotInfo(mod->arena,slotParams,
+							&mod->slotInfoCount);
+    if (slotParams) PORT_Free(slotParams);
+    /* new field */
+    mod->trustOrder  = secmod_argReadLong("trustOrder",nssc,
+						SECMOD_DEFAULT_TRUST_ORDER,NULL);
+    /* new field */
+    mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
+						SECMOD_DEFAULT_CIPHER_ORDER,NULL);
+    /* new field */
+    mod->isModuleDB   = secmod_argHasFlag("flags","moduleDB",nssc);
+    mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
+    if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
+
+    ciphers = secmod_argGetParamValue("ciphers",nssc);
+    secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
+    if (ciphers) PORT_Free(ciphers);
+
+    secmod_PrivateModuleCount++;
+
+    return mod;
+}
+
+static char *
+secmod_mkModuleSpec(SECMODModule * module)
+{
+    char *nss = NULL, *modSpec = NULL, **slotStrings = NULL;
+    int slotCount, i, si;
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+
+    /* allocate target slot info strings */
+    slotCount = 0;
+
+    SECMOD_GetReadLock(moduleLock);
+    if (module->slotCount) {
+	for (i=0; i < module->slotCount; i++) {
+	    if (module->slots[i]->defaultFlags !=0) {
+		slotCount++;
+	    }
+	}
+    } else {
+	slotCount = module->slotInfoCount;
+    }
+
+    slotStrings = (char **)PORT_ZAlloc(slotCount*sizeof(char *));
+    if (slotStrings == NULL) {
+        SECMOD_ReleaseReadLock(moduleLock);
+	goto loser;
+    }
+
+
+    /* build the slot info strings */
+    if (module->slotCount) {
+	for (i=0, si= 0; i < module->slotCount; i++) {
+	    if (module->slots[i]->defaultFlags) {
+		PORT_Assert(si < slotCount);
+		if (si >= slotCount) break;
+		slotStrings[si] = secmod_mkSlotString(module->slots[i]->slotID,
+			module->slots[i]->defaultFlags,
+			module->slots[i]->timeout,
+			module->slots[i]->askpw,
+			module->slots[i]->hasRootCerts,
+			module->slots[i]->hasRootTrust);
+		si++;
+	    }
+	}
+     } else {
+	for (i=0; i < slotCount; i++) {
+		slotStrings[i] = secmod_mkSlotString(module->slotInfo[i].slotID,
+			module->slotInfo[i].defaultFlags,
+			module->slotInfo[i].timeout,
+			module->slotInfo[i].askpw,
+			module->slotInfo[i].hasRootCerts,
+			module->slotInfo[i].hasRootTrust);
+	}
+    }
+
+    SECMOD_ReleaseReadLock(moduleLock);
+    nss = secmod_mkNSS(slotStrings,slotCount,module->internal, module->isFIPS,
+		       module->isModuleDB, module->moduleDBOnly, 
+		       module->isCritical, module->trustOrder,
+		       module->cipherOrder,module->ssl[0],module->ssl[1]);
+    modSpec= secmod_mkNewModuleSpec(module->dllName,module->commonName,
+						module->libraryParams,nss);
+    PORT_Free(slotStrings);
+    PR_smprintf_free(nss);
+loser:
+    return (modSpec);
+}
+    
+
+char **
+SECMOD_GetModuleSpecList(SECMODModule *module)
+{
+    SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
+    if (func) {
+	return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND,
+		module->libraryParams,NULL);
+    }
+    return NULL;
+}
+
+SECStatus
+SECMOD_AddPermDB(SECMODModule *module)
+{
+    SECMODModuleDBFunc func;
+    char *moduleSpec;
+    char **retString;
+
+    if (module->parent == NULL) return SECFailure;
+
+    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
+    if (func) {
+	moduleSpec = secmod_mkModuleSpec(module);
+	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD,
+		module->parent->libraryParams,moduleSpec);
+	PORT_Free(moduleSpec);
+	if (retString != NULL) return SECSuccess;
+    }
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_DeletePermDB(SECMODModule *module)
+{
+    SECMODModuleDBFunc func;
+    char *moduleSpec;
+    char **retString;
+
+    if (module->parent == NULL) return SECFailure;
+
+    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
+    if (func) {
+	moduleSpec = secmod_mkModuleSpec(module);
+	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL,
+		module->parent->libraryParams,moduleSpec);
+	PORT_Free(moduleSpec);
+	if (retString != NULL) return SECSuccess;
+    }
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList)
+{
+    SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
+    char **retString;
+    if (func) {
+	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE,
+		module->libraryParams,moduleSpecList);
+	if (retString != NULL) return SECSuccess;
+    }
+    return SECFailure;
+}
+
+/*
+ * load a PKCS#11 module but do not add it to the default NSS trust domain
+ */
+SECMODModule *
+SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
+{
+    char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL;
+    SECStatus status;
+    SECMODModule *module = NULL;
+    SECStatus rv;
+
+    /* initialize the underlying module structures */
+    SECMOD_Init();
+
+    status = secmod_argParseModuleSpec(modulespec, &library, &moduleName, 
+							&parameters, &nss);
+    if (status != SECSuccess) {
+	goto loser;
+    }
+
+    module = SECMOD_CreateModule(library, moduleName, parameters, nss);
+    if (library) PORT_Free(library);
+    if (moduleName) PORT_Free(moduleName);
+    if (parameters) PORT_Free(parameters);
+    if (nss) PORT_Free(nss);
+    if (!module) {
+	goto loser;
+    }
+    if (parent) {
+    	module->parent = SECMOD_ReferenceModule(parent);
+    }
+
+    /* load it */
+    rv = SECMOD_LoadPKCS11Module(module);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    if (recurse && module->isModuleDB) {
+	char ** moduleSpecList;
+	PORT_SetError(0);
+
+	moduleSpecList = SECMOD_GetModuleSpecList(module);
+	if (moduleSpecList) {
+	    char **index;
+
+	    for (index = moduleSpecList; *index; index++) {
+		SECMODModule *child;
+		child = SECMOD_LoadModule(*index,module,PR_TRUE);
+		if (!child) break;
+		if (child->isCritical && !child->loaded) {
+		    int err = PORT_GetError();
+		    if (!err)  
+			err = SEC_ERROR_NO_MODULE;
+		    SECMOD_DestroyModule(child);
+		    PORT_SetError(err);
+		    rv = SECFailure;
+		    break;
+		}
+		SECMOD_DestroyModule(child);
+	    }
+	    SECMOD_FreeModuleSpecList(module,moduleSpecList);
+	} else {
+	    if (!PORT_GetError())
+		PORT_SetError(SEC_ERROR_NO_MODULE);
+	    rv = SECFailure;
+	}
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+
+    /* inherit the reference */
+    if (!module->moduleDBOnly) {
+	SECMOD_AddModuleToList(module);
+    } else {
+	SECMOD_AddModuleToDBOnlyList(module);
+    }
+   
+    /* handle any additional work here */
+    return module;
+
+loser:
+    if (module) {
+	if (module->loaded) {
+	    SECMOD_UnloadModule(module);
+	}
+	SECMOD_AddModuleToUnloadList(module);
+    }
+    return module;
+}
+
+/*
+ * load a PKCS#11 module and add it to the default NSS trust domain
+ */
+SECMODModule *
+SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse)
+{
+    SECStatus rv = SECSuccess;
+    SECMODModule * newmod = SECMOD_LoadModule(modulespec, parent, recurse);
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+
+    if (newmod) {
+	SECMOD_GetReadLock(moduleLock);
+        rv = STAN_AddModuleToDefaultTrustDomain(newmod);
+	SECMOD_ReleaseReadLock(moduleLock);
+        if (SECSuccess != rv) {
+            SECMOD_DestroyModule(newmod);
+            return NULL;
+        }
+    }
+    return newmod;
+}
+
+/*
+ * remove the PKCS#11 module from the default NSS trust domain, call
+ * C_Finalize, and destroy the module structure
+ */
+SECStatus SECMOD_UnloadUserModule(SECMODModule *mod)
+{
+    SECStatus rv = SECSuccess;
+    int atype = 0;
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    if (!mod) {
+        return SECFailure;
+    }
+
+    SECMOD_GetReadLock(moduleLock);
+    rv = STAN_RemoveModuleFromDefaultTrustDomain(mod);
+    SECMOD_ReleaseReadLock(moduleLock);
+    if (SECSuccess != rv) {
+        return SECFailure;
+    }
+    return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE);
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
new file mode 100644
index 000000000..fa35f02e3
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -0,0 +1,1460 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "hasht.h"
+#include "pkcs11t.h"
+#include "sechash.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "secmod.h"
+#include "pk11func.h"
+#include "secpkcs5.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+
+typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
+struct SEC_PKCS5PBEParameterStr {
+    PRArenaPool     *poolp;
+    SECItem         salt;           /* octet string */
+    SECItem         iteration;      /* integer */
+    SECItem         keyLength;	/* PKCS5v2 only */
+    SECAlgorithmID  *pPrfAlgId;	/* PKCS5v2 only */
+    SECAlgorithmID  prfAlgId;	/* PKCS5v2 only */
+};
+
+/* PKCS5 V2 has an algorithm ID for the encryption and for 
+ * the key generation. This is valid for SEC_OID_PKCS5_PBES2 
+ * and SEC_OID_PKCS5_PBMAC1
+ */
+struct sec_pkcs5V2ParameterStr {
+    PRArenaPool    *poolp;
+    SECAlgorithmID pbeAlgId;   /* real pbe algorithms */
+    SECAlgorithmID cipherAlgId; /* encryption/mac */
+};
+
+typedef struct sec_pkcs5V2ParameterStr sec_pkcs5V2Parameter;
+
+
+/* template for PKCS 5 PBE Parameter.  This template has been expanded
+ * based upon the additions in PKCS 12.  This should eventually be moved
+ * if RSA updates PKCS 5.
+ */
+const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, 
+	offsetof(SEC_PKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER,
+	offsetof(SEC_PKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+/* SECOID_PKCS5_PBKDF2 */
+const SEC_ASN1Template SEC_PKCS5V2PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    /* This is really a choice, but since we only understand this
+     * choice, just inline it */
+    { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) },
+    { SEC_ASN1_INTEGER|SEC_ASN1_OPTIONAL, 
+		      offsetof(SEC_PKCS5PBEParameter, keyLength) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, 
+	offsetof(SEC_PKCS5PBEParameter, pPrfAlgId),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+
+/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
+const SEC_ASN1Template SEC_PKCS5V2ParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(sec_pkcs5V2Parameter, pbeAlgId),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(sec_pkcs5V2Parameter, cipherAlgId),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+
+
+/*
+ * maps a PBE algorithm to a crypto algorithm. for PKCS12 and PKCS5v1
+ * for PKCS5v2 it returns SEC_OID_PKCS5_PBKDF2.
+ */
+SECOidTag
+sec_pkcs5GetCryptoFromAlgTag(SECOidTag algorithm)
+{
+    switch(algorithm)
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	    return SEC_OID_DES_EDE3_CBC;
+	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+	    return SEC_OID_DES_CBC;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return SEC_OID_RC2_CBC;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	    return SEC_OID_RC4;
+	case SEC_OID_PKCS5_PBKDF2:
+	case SEC_OID_PKCS5_PBES2:
+	case SEC_OID_PKCS5_PBMAC1:
+	    return SEC_OID_PKCS5_PBKDF2;
+	default:
+	    break;
+    }
+
+    return SEC_OID_UNKNOWN;
+}
+
+/*
+ * get a new PKCS5 V2 Parameter from the algorithm id.
+ *  if arena is passed in, use it, otherwise create a new arena.
+ */
+sec_pkcs5V2Parameter *
+sec_pkcs5_v2_get_v2_param(PRArenaPool *arena, SECAlgorithmID *algid)
+{
+    PRArenaPool *localArena = NULL;
+    sec_pkcs5V2Parameter *pbeV2_param;
+    SECStatus rv;
+
+    if (arena == NULL) {
+	localArena = arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (arena == NULL) {
+	    return NULL;
+	}
+    }
+    pbeV2_param = PORT_ArenaZNew(arena, sec_pkcs5V2Parameter);
+    if (pbeV2_param == NULL) {
+	goto loser;
+    }
+	
+    rv = SEC_ASN1DecodeItem(arena, pbeV2_param,
+		SEC_PKCS5V2ParameterTemplate, &algid->parameters);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+
+    pbeV2_param->poolp = arena;
+    return pbeV2_param;
+loser:
+    if (localArena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+void
+sec_pkcs5_v2_destroy_v2_param(sec_pkcs5V2Parameter *param)
+{
+   if (param && param->poolp) {
+	PORT_FreeArena(param->poolp, PR_TRUE);
+   }
+}
+	
+
+/* maps crypto algorithm from PBE algorithm.
+ */
+SECOidTag 
+SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid)
+{
+
+    SECOidTag pbeAlg;
+    SECOidTag cipherAlg;
+
+    if(algid == NULL)
+	return SEC_OID_UNKNOWN;
+
+    pbeAlg = SECOID_GetAlgorithmTag(algid);
+    cipherAlg = sec_pkcs5GetCryptoFromAlgTag(pbeAlg);
+    if ((cipherAlg == SEC_OID_PKCS5_PBKDF2)  &&
+	 (pbeAlg != SEC_OID_PKCS5_PBKDF2)) {
+	sec_pkcs5V2Parameter *pbeV2_param;
+	cipherAlg = SEC_OID_UNKNOWN;
+
+	pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
+	if (pbeV2_param != NULL) {
+	    cipherAlg = SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId);
+	    sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
+	}
+    }
+
+    return cipherAlg;
+}
+
+/* check to see if an oid is a pbe algorithm
+ */ 
+PRBool 
+SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid)
+{
+    return (PRBool)(SEC_PKCS5GetCryptoAlgorithm(algid) != SEC_OID_UNKNOWN);
+}
+
+PRBool 
+SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algtag)
+{
+    return (PRBool)(sec_pkcs5GetCryptoFromAlgTag(algtag) != SEC_OID_UNKNOWN);
+}
+
+/*
+ * find the most appropriate PKCS5v2 overall oid tag from a regular
+ * cipher/hash algorithm tag.
+ */
+static SECOidTag
+sec_pkcs5v2_get_pbe(SECOidTag algTag)
+{
+    /* if it's a valid hash oid... */
+    if (HASH_GetHashOidTagByHMACOidTag(algTag) != SEC_OID_UNKNOWN) {
+	/* use the MAC tag */
+	return SEC_OID_PKCS5_PBMAC1;
+    }
+    if (HASH_GetHashTypeByOidTag(algTag) != HASH_AlgNULL) {
+	/* eliminate Hash algorithms */
+	return SEC_OID_UNKNOWN;
+    }
+    if (PK11_AlgtagToMechanism(algTag) != CKM_INVALID_MECHANISM) {
+	/* it's not a hash, if it has a PKCS #11 mechanism associated
+	 * with it, assume it's a cipher. (NOTE this will generate
+	 * some false positives). */
+	return SEC_OID_PKCS5_PBES2;
+    }
+    return SEC_OID_UNKNOWN;
+}
+
+/* 
+ * maps PBE algorithm from crypto algorithm, assumes SHA1 hashing.
+ *  input keyLen in bits.
+ */
+SECOidTag 
+SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen)
+{
+    switch(algTag)
+    {
+	case SEC_OID_DES_EDE3_CBC:
+	    switch(keyLen) {
+		case 168:
+		case 192:
+		case 0:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
+		case 128:
+		case 92:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
+		default:
+		    break;
+	    }
+	    break;
+	case SEC_OID_DES_CBC:
+	    return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
+	case SEC_OID_RC2_CBC:
+	    switch(keyLen) {
+		case 40:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+		case 128:
+		case 0:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
+		default:
+		    break;
+	    }
+	    break;
+	case SEC_OID_RC4:
+	    switch(keyLen) {
+		case 40:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
+		case 128:
+		case 0:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
+		default:
+		    break;
+	    }
+	    break;
+	default:
+	    return sec_pkcs5v2_get_pbe(algTag);
+    }
+
+    return SEC_OID_UNKNOWN;
+}
+
+/*
+ * get the key length in bytes from a PKCS5 PBE
+ */
+int
+sec_pkcs5v2_key_length(SECAlgorithmID *algid)
+{
+    SECOidTag algorithm;
+    PRArenaPool *arena = NULL;
+    SEC_PKCS5PBEParameter p5_param;
+    SECStatus rv;
+    int length = -1;
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+    /* sanity check, they should all be PBKDF2 here */
+    if (algorithm != SEC_OID_PKCS5_PBKDF2) {
+	return -1;
+    }
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    PORT_Memset(&p5_param, 0, sizeof(p5_param));
+    rv = SEC_ASN1DecodeItem(arena,&p5_param,
+			 SEC_PKCS5V2PBEParameterTemplate, &algid->parameters);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    if (p5_param.keyLength.data != NULL) {
+        length = DER_GetInteger(&p5_param.keyLength);
+    }
+
+loser:
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return length;
+}
+
+/*
+ *  get the key length in bytes needed for the PBE algorithm
+ */
+int 
+SEC_PKCS5GetKeyLength(SECAlgorithmID *algid)
+{
+
+    SECOidTag algorithm;
+
+    if(algid == NULL)
+	return SEC_OID_UNKNOWN;
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+
+    switch(algorithm)
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	    return 24;
+	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+	    return 8;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return 5;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	    return 16;
+	case SEC_OID_PKCS5_PBKDF2:
+	    return sec_pkcs5v2_key_length(algid);
+	case SEC_OID_PKCS5_PBES2:
+	case SEC_OID_PKCS5_PBMAC1:
+	    {
+		sec_pkcs5V2Parameter *pbeV2_param;
+		int length = -1;
+		pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
+		if (pbeV2_param != NULL) {
+	    	    length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId);
+		    sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
+		}
+		return length;
+	    }
+	
+	default:
+	    break;
+    }
+    return -1;
+}
+
+
+/* the PKCS12 V2 algorithms only encode the salt, there is no iteration
+ * count so we need a check for V2 algorithm parameters.
+ */
+static PRBool
+sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm)
+{
+    switch(algorithm) 
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return PR_TRUE;
+	default:
+	    break;
+    }
+
+    return PR_FALSE;
+}
+
+static PRBool
+sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(SECOidTag algorithm)
+{
+    switch(algorithm) 
+    {
+	case SEC_OID_PKCS5_PBES2:
+	case SEC_OID_PKCS5_PBMAC1:
+	case SEC_OID_PKCS5_PBKDF2:
+	    return PR_TRUE;
+	default:
+	    break;
+    }
+
+    return PR_FALSE;
+}
+
+/* destroy a pbe parameter.  it assumes that the parameter was 
+ * generated using the appropriate create function and therefor
+ * contains an arena pool.
+ */
+static void 
+sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param)
+{
+    if(pbe_param != NULL)
+	PORT_FreeArena(pbe_param->poolp, PR_TRUE);
+}
+
+/* creates a PBE parameter based on the PBE algorithm.  the only required
+ * parameters are algorithm and interation.  the return is a PBE parameter
+ * which conforms to PKCS 5 parameter unless an extended parameter is needed.
+ * this is primarily if keyLength and a variable key length algorithm are
+ * specified.
+ *   salt -  if null, a salt will be generated from random bytes.
+ *   iteration - number of iterations to perform hashing.
+ *   keyLength - only used in variable key length algorithms. if specified,
+ *            should be in bytes.
+ * once a parameter is allocated, it should be destroyed calling 
+ * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter.
+ */
+#define DEFAULT_SALT_LENGTH 16
+static SEC_PKCS5PBEParameter *
+sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, 
+			SECItem *salt, 
+			int iteration,
+			int keyLength,
+			SECOidTag prfAlg)
+{
+    PRArenaPool *poolp = NULL;
+    SEC_PKCS5PBEParameter *pbe_param = NULL;
+    SECStatus rv= SECSuccess; 
+    void *dummy = NULL;
+
+    if(iteration < 0) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(poolp == NULL)
+	return NULL;
+
+    pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp,
+	sizeof(SEC_PKCS5PBEParameter));
+    if(!pbe_param) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	return NULL;
+    }
+
+    pbe_param->poolp = poolp;
+
+    rv = SECFailure;
+    if (salt && salt->data) {
+    	rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt);
+    } else {
+	/* sigh, the old interface generated salt on the fly, so we have to
+	 * preserve the semantics */
+	pbe_param->salt.len = DEFAULT_SALT_LENGTH;
+	pbe_param->salt.data = PORT_ArenaZAlloc(poolp,DEFAULT_SALT_LENGTH);
+	if (pbe_param->salt.data) {
+	   rv = PK11_GenerateRandom(pbe_param->salt.data,DEFAULT_SALT_LENGTH);
+	}
+    }
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	return NULL;
+    }
+
+    /* encode the integer */
+    dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, 
+		iteration);
+    rv = (dummy) ? SECSuccess : SECFailure;
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+
+    /*
+     * for PKCS5 v2 Add the keylength and the prf
+     */
+    if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+	dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->keyLength, 
+		keyLength);
+	rv = (dummy) ? SECSuccess : SECFailure;
+	if (rv != SECSuccess) {
+	    PORT_FreeArena(poolp, PR_FALSE);
+	    return NULL;
+	}
+	rv = SECOID_SetAlgorithmID(poolp, &pbe_param->prfAlgId, prfAlg, NULL);
+	if (rv != SECSuccess) {
+	    PORT_FreeArena(poolp, PR_FALSE);
+	    return NULL;
+	}
+	pbe_param->pPrfAlgId = &pbe_param->prfAlgId;
+    }
+
+    return pbe_param;
+}
+
+/* creates a algorithm ID containing the PBE algorithm and appropriate
+ * parameters.  the required parameter is the algorithm.  if salt is
+ * not specified, it is generated randomly.  
+ *
+ * the returned SECAlgorithmID should be destroyed using 
+ * SECOID_DestroyAlgorithmID
+ */
+SECAlgorithmID *
+sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, 
+			   SECOidTag cipherAlgorithm,
+			   SECOidTag prfAlg,
+			   SECOidTag *pPbeAlgorithm,
+			   int keyLength,
+			   SECItem *salt, 
+			   int iteration)
+{
+    PRArenaPool *poolp = NULL;
+    SECAlgorithmID *algid, *ret_algid = NULL;
+    SECOidTag pbeAlgorithm = algorithm;
+    SECItem der_param;
+    void *dummy;
+    SECStatus rv = SECFailure;
+    SEC_PKCS5PBEParameter *pbe_param = NULL;
+    sec_pkcs5V2Parameter pbeV2_param;
+
+    if(iteration <= 0) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(!poolp) {
+	goto loser;
+    }
+
+    if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm) ||
+    	 	sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) {
+	/* use PKCS 5 v2 */
+	SECItem *cipherParams;
+
+	/*
+	 * if we ask for pkcs5 Algorithms directly, then the
+	 * application needs to supply the cipher algorithm,
+	 * otherwise we are implicitly using pkcs5 v2 and the
+	 * passed in algorithm is the encryption algorithm.
+	 */
+	if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) {
+	    if (cipherAlgorithm == SEC_OID_UNKNOWN) {
+		goto loser;
+	    }
+	} else {
+	    cipherAlgorithm = algorithm;
+	    /* force algorithm to be chosen below */
+	    algorithm = SEC_OID_PKCS5_PBKDF2;
+	}
+	
+	pbeAlgorithm = SEC_OID_PKCS5_PBKDF2;
+	/*
+	 * 'algorithm' is the overall algorithm oid tag used to wrap the 
+	 * entire algoithm ID block. For PKCS5v1 and PKCS12, this 
+	 * algorithm OID has encoded in it both the PBE KDF function 
+	 * and the encryption algorithm. For PKCS 5v2, PBE KDF and
+	 * encryption/macing oids are encoded as parameters in
+	 * the algorithm ID block. 
+	 *
+	 * Thus in PKCS5 v1 and PKCS12, this algorithm maps to a pkcs #11
+	 * mechanism, where as in PKCS 5v2, this alogithm tag does not map
+	 * directly to a PKCS #11 mechanim, instead the 2 oids in the 
+	 * algorithm ID block map the the actual PKCS #11 mechanism.
+	 * gorithm is). We use choose this algorithm oid based on the 
+	 * cipherAlgorithm to determine what this should be (MAC1 or PBES2).
+	 */
+	if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+	     /* choose mac or pbes */
+	     algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
+	}
+
+	/* set the PKCS5v2 specific parameters */
+	if (keyLength == 0) {
+	    SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+    	    if (hashAlg != SEC_OID_UNKNOWN) {
+	        keyLength = HASH_ResultLenByOidTag(hashAlg);
+	    } else {
+		CK_MECHANISM_TYPE cryptoMech;
+		cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm);
+		if (cryptoMech == CKM_INVALID_MECHANISM) {
+		    goto loser;
+		}
+	        keyLength = PK11_GetMaxKeyLength(cryptoMech);
+	    }
+	    if (keyLength == 0) {
+		goto loser;
+	    }
+	}
+	/* currently only SEC_OID_HMAC_SHA1 is defined */
+	if (prfAlg == SEC_OID_UNKNOWN) {
+	    prfAlg = SEC_OID_HMAC_SHA1;
+	}
+
+	/* build the PKCS5v2 cipher algorithm id */
+	cipherParams = pk11_GenerateNewParamWithKeyLen(	
+			PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+	if (!cipherParams) {
+	    goto loser;
+	}
+
+	PORT_Memset(&pbeV2_param, 0, sizeof (pbeV2_param));
+
+	rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, 
+				poolp, &pbeV2_param.cipherAlgId);
+	SECITEM_FreeItem(cipherParams, PR_TRUE);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+	
+
+    /* generate the parameter */
+    pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
+			keyLength, prfAlg);
+    if(!pbe_param) {
+	goto loser;
+    }
+
+    /* generate the algorithm id */
+    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
+    if(algid == NULL) {
+	goto loser;
+    }
+
+    der_param.data = NULL;
+    der_param.len = 0;
+    if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) {
+	/* first encode the PBE algorithm ID */
+	dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
+					SEC_PKCS5V2PBEParameterTemplate);
+	if (dummy == NULL) {
+	    goto loser;
+	}
+	rv = SECOID_SetAlgorithmID(poolp, &pbeV2_param.pbeAlgId, 
+				   pbeAlgorithm, &der_param);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+
+	/* now encode the Full PKCS 5 parameter */
+	der_param.data = NULL;
+	der_param.len = 0;
+	dummy = SEC_ASN1EncodeItem(poolp, &der_param, &pbeV2_param,
+					SEC_PKCS5V2ParameterTemplate);
+    } else if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
+	dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
+					SEC_PKCS5PBEParameterTemplate);
+    } else {
+	dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
+	    				SEC_V2PKCS12PBEParameterTemplate);
+    }
+    if (dummy == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
+    if (ret_algid == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
+    if (rv != SECSuccess) {
+	SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
+	ret_algid = NULL;
+    } else if (pPbeAlgorithm) {
+	*pPbeAlgorithm = pbeAlgorithm;
+    }
+
+loser:
+    if (poolp != NULL) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	algid = NULL;
+    }
+
+    if (pbe_param) {
+	sec_pkcs5_destroy_pbe_param(pbe_param);
+    }
+
+    return ret_algid;
+}
+
+SECStatus
+pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech)
+{
+    SEC_PKCS5PBEParameter p5_param;
+    SECItem *salt = NULL;
+    SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECFailure;
+    unsigned char *paramData = NULL;
+    unsigned char *pSalt = NULL;
+    CK_ULONG iterations;
+    int paramLen = 0;
+    int iv_len;
+    
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+
+    /*
+     * decode the algid based on the pbe type
+     */
+    if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
+        iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm));
+        rv = SEC_ASN1DecodeItem(arena, &p5_param,
+			 SEC_V2PKCS12PBEParameterTemplate, &algid->parameters);
+    } else if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+	iv_len = 0;
+        PORT_Memset(&p5_param, 0, sizeof(p5_param));
+        rv = SEC_ASN1DecodeItem(arena,&p5_param,
+			 SEC_PKCS5V2PBEParameterTemplate, &algid->parameters);
+    } else {
+        iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm));
+        rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, 
+						&algid->parameters);
+    }
+
+    if (iv_len < 0) {
+	goto loser;
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+        
+    /* get salt */
+    salt = &p5_param.salt;
+    iterations = (CK_ULONG) DER_GetInteger(&p5_param.iteration);
+
+    /* allocate and fill in the PKCS #11 parameters
+     * based on the algorithm. */
+    if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+	SECOidTag prfAlgTag;
+    	CK_PKCS5_PBKD2_PARAMS *pbeV2_params = 
+		(CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc(
+			sizeof(CK_PKCS5_PBKD2_PARAMS)+ salt->len);
+
+	if (pbeV2_params == NULL) {
+	    goto loser;
+	}
+	paramData = (unsigned char *)pbeV2_params;
+	paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS);
+
+	/* set the prf */
+	prfAlgTag = SEC_OID_HMAC_SHA1;
+ 	if (p5_param.pPrfAlgId &&
+ 	    p5_param.pPrfAlgId->algorithm.data != 0) {
+ 	    prfAlgTag = SECOID_GetAlgorithmTag(p5_param.pPrfAlgId);
+	}
+	if (prfAlgTag == SEC_OID_HMAC_SHA1) {
+	    pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA1;
+	} else {
+	    /* only SHA1_HMAC is currently supported by PKCS #11 */
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+	
+	/* probably should fetch these from the prfAlgid */
+	pbeV2_params->pPrfData = NULL;
+	pbeV2_params->ulPrfDataLen = 0;
+	pbeV2_params->saltSource = CKZ_SALT_SPECIFIED;
+	pSalt = ((CK_CHAR_PTR) pbeV2_params)+sizeof(CK_PKCS5_PBKD2_PARAMS);
+        PORT_Memcpy(pSalt, salt->data, salt->len);
+	pbeV2_params->pSaltSourceData = pSalt;
+	pbeV2_params->ulSaltSourceDataLen = salt->len;
+	pbeV2_params->iterations = iterations;
+    } else {
+	CK_PBE_PARAMS *pbe_params = NULL;
+    	pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS)+
+						salt->len+iv_len);
+	if (pbe_params == NULL) {
+	    goto loser;
+	}
+	paramData = (unsigned char *)pbe_params;
+	paramLen = sizeof(CK_PBE_PARAMS);
+
+	pSalt = ((CK_CHAR_PTR) pbe_params)+sizeof(CK_PBE_PARAMS);
+    	pbe_params->pSalt = pSalt;
+        PORT_Memcpy(pSalt, salt->data, salt->len);
+	pbe_params->ulSaltLen = salt->len;
+	if (iv_len) {
+	    pbe_params->pInitVector = 
+		((CK_CHAR_PTR) pbe_params)+ sizeof(CK_PBE_PARAMS)+salt->len;
+	}
+	pbe_params->ulIteration = iterations;
+    }
+
+    /* copy into the mechanism sec item */
+    mech->data = paramData;
+    mech->len = paramLen;
+    if (arena) {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+    return SECSuccess;
+
+loser:
+    if (paramData) {
+	PORT_Free(paramData);
+    }
+    if (arena) {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+    return SECFailure;
+}
+
+/*
+ * public, deprecated, not valid for pkcs5 v2 
+ * 
+ * use PK11_CreatePBEV2AlgorithmID or PK11_CreatePBEAlgorithmID to create
+ * PBE algorithmID's directly.
+ */
+SECStatus
+PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PRArenaPool *arena, 
+		     SECAlgorithmID *algId)
+{
+    CK_PBE_PARAMS *pbe_param;
+    SECItem pbeSalt;
+    SECAlgorithmID *pbeAlgID = NULL;
+    SECStatus rv;
+
+    if(!param || !algId) {
+	return SECFailure;
+    }
+
+    pbe_param = (CK_PBE_PARAMS *)param->data;
+    pbeSalt.data = (unsigned char *)pbe_param->pSalt;
+    pbeSalt.len = pbe_param->ulSaltLen;
+    pbeAlgID = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, 
+	SEC_OID_UNKNOWN, NULL, 0, &pbeSalt, (int)pbe_param->ulIteration);
+    if(!pbeAlgID) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID);
+    SECOID_DestroyAlgorithmID(pbeAlgID, PR_TRUE);
+    return rv;
+}
+
+/*
+ * public, Deprecated, This function is only for binary compatibility with 
+ * older applications. Does not support PKCS5v2.
+ *
+ * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for
+ * iv values rather than generating PBE bits directly.
+ */
+PBEBitGenContext *
+PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
+	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
+	unsigned int iterations)
+{
+    SECItem *context = NULL;
+    SECItem mechItem;
+    CK_PBE_PARAMS pbe_params;
+    CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
+    PK11SlotInfo *slot;
+    PK11SymKey *symKey = NULL;
+    unsigned char ivData[8];
+    
+
+    /* use the purpose to select the low level keygen algorithm */
+    switch (bitGenPurpose) {
+    case pbeBitGenIntegrityKey:
+	switch (hashAlgorithm) {
+	case SEC_OID_SHA1:
+	    mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC;
+	    break;
+	case SEC_OID_MD2:
+	    mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
+	    break;
+	case SEC_OID_MD5:
+	    mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;
+	    break;
+	default:
+	    break;
+	}
+	break;
+    case pbeBitGenCipherIV:
+	if (bitsNeeded > 64) {
+	    break;
+	}
+	if (hashAlgorithm != SEC_OID_SHA1) {
+	    break;
+	}
+	mechanism = CKM_PBE_SHA1_DES3_EDE_CBC;
+	break;
+    case pbeBitGenCipherKey:
+	if (hashAlgorithm != SEC_OID_SHA1) {
+	    break;
+	}
+	switch (bitsNeeded) {
+	case 40:
+	    mechanism = CKM_PBE_SHA1_RC4_40;
+	    break;
+	case 128:
+	    mechanism = CKM_PBE_SHA1_RC4_128;
+	    break;
+	default:
+	    break;
+	}
+    case pbeBitGenIDNull:
+	break;
+    }
+
+    if (mechanism == CKM_INVALID_MECHANISM) {
+	/* we should set an error, but this is a deprecated function, and
+	 * we are keeping bug for bug compatibility;)... */
+	    return NULL;
+    } 
+
+    pbe_params.pInitVector = ivData;
+    pbe_params.pPassword = pwitem->data;
+    pbe_params.ulPasswordLen = pwitem->len;
+    pbe_params.pSalt = salt->data;
+    pbe_params.ulSaltLen = salt->len;
+    pbe_params.ulIteration = iterations;
+    mechItem.data = (unsigned char *) &pbe_params;
+    mechItem.len = sizeof(pbe_params);
+
+
+    slot = PK11_GetInternalSlot();
+    symKey = PK11_RawPBEKeyGen(slot,mechanism,
+					&mechItem, pwitem, PR_FALSE, NULL);
+    PK11_FreeSlot(slot);
+    if (symKey != NULL) {
+	if (bitGenPurpose == pbeBitGenCipherIV) {
+	    /* NOTE: this assumes that bitsNeeded is a multiple of 8! */
+	    SECItem ivItem;
+
+	    ivItem.data = ivData;
+	    ivItem.len = bitsNeeded/8;
+	    context = SECITEM_DupItem(&ivItem);
+	} else {
+	    SECItem *keyData;
+	    PK11_ExtractKeyValue(symKey);
+	    keyData = PK11_GetKeyData(symKey);
+
+	    /* assert bitsNeeded with length? */
+	    if (keyData) {
+	    	context = SECITEM_DupItem(keyData);
+	    }
+	}
+	PK11_FreeSymKey(symKey);
+    }
+
+    return (PBEBitGenContext *)context;
+}
+
+/*
+ * public, Deprecated, This function is only for binary compatibility with 
+ * older applications. Does not support PKCS5v2.
+ * 
+ * Applications should use PK11_PBEKeyGen() for keys and PK11_GetIV() for
+ * iv values rather than generating PBE bits directly.
+ */
+SECItem *
+PBE_GenerateBits(PBEBitGenContext *context)
+{
+    return (SECItem *)context;
+}
+
+/*
+ * public, Deprecated, This function is only for binary compatibility with 
+ * older applications. Does not support PKCS5v2.
+ * 
+ * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for
+ * iv values rather than generating PBE bits directly.
+ */
+void
+PBE_DestroyContext(PBEBitGenContext *context)
+{
+    SECITEM_FreeItem((SECItem *)context,PR_TRUE);
+}
+
+/*
+ * public, deprecated. Replaced with PK11_GetPBEIV().
+ */
+SECItem *
+SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES)
+{
+    /* pbe stuff */
+    CK_MECHANISM_TYPE type;
+    SECItem *param = NULL;
+    SECItem *iv = NULL;
+    SECItem src;
+    int iv_len = 0;
+    PK11SymKey *symKey;
+    PK11SlotInfo *slot;
+    CK_PBE_PARAMS_PTR pPBEparams;
+    SECOidTag	pbeAlg;
+
+    pbeAlg = SECOID_GetAlgorithmTag(algid);
+    if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) {
+	unsigned char *ivData;
+	sec_pkcs5V2Parameter *pbeV2_param = NULL;
+
+	/* can only return the IV if the crypto Algorithm exists */
+	if (pbeAlg == SEC_OID_PKCS5_PBKDF2) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+	pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
+	if (pbeV2_param == NULL) {
+	    goto loser;
+	}
+	/* extract the IV from the cipher algid portion of our pkcs 5 v2
+	 * algorithm id */
+    	type = PK11_AlgtagToMechanism(
+    		SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId));
+	param = PK11_ParamFromAlgid(&pbeV2_param->cipherAlgId);
+	sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
+	if (!param) {
+	    goto loser;
+	}
+	/* NOTE: NULL is a permissible return here */
+	ivData = PK11_IVFromParam(type, param, &iv_len);
+	src.data = ivData;
+	src.len = iv_len;
+	goto done;
+    }
+
+    type = PK11_AlgtagToMechanism(pbeAlg);
+    param = PK11_ParamFromAlgid(algid);
+    if (param == NULL) {
+	goto done;
+    }
+    slot = PK11_GetInternalSlot();
+    symKey = PK11_RawPBEKeyGen(slot, type, param, pwitem, faulty3DES, NULL);
+    PK11_FreeSlot(slot);
+    if (symKey == NULL) {
+	goto loser;
+    }
+    PK11_FreeSymKey(symKey);
+    pPBEparams = (CK_PBE_PARAMS_PTR)param->data;
+    iv_len = PK11_GetIVLength(type);
+
+    src.data = (unsigned char *)pPBEparams->pInitVector;
+    src.len = iv_len;
+
+done:
+    iv = SECITEM_DupItem(&src);
+
+loser:
+    if (param) {
+	SECITEM_ZfreeItem(param, PR_TRUE);
+    }
+    return iv;
+}
+
+/*
+ * Subs from nss 3.x that are deprecated
+ */
+PBEBitGenContext *
+__PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
+	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
+	unsigned int iterations)
+{
+    PORT_Assert("__PBE_CreateContext is Deprecated" == NULL);
+    return NULL;
+}
+
+SECItem *
+__PBE_GenerateBits(PBEBitGenContext *context)
+{
+    PORT_Assert("__PBE_GenerateBits is Deprecated" == NULL);
+    return NULL;
+}
+
+void
+__PBE_DestroyContext(PBEBitGenContext *context)
+{
+    PORT_Assert("__PBE_DestroyContext is Deprecated" == NULL);
+}
+
+SECStatus
+RSA_FormatBlock(SECItem *result, unsigned modulusLen,
+                int blockType, SECItem *data)
+{
+    PORT_Assert("RSA_FormatBlock is Deprecated" == NULL);
+    return SECFailure;
+}
+
+/****************************************************************************
+ *
+ * Now Do The PBE Functions Here...
+ *
+ ****************************************************************************/
+
+static void
+pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
+{
+    if (pbe_params) {
+	if (pbe_params->pPassword)
+	    PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen);
+	if (pbe_params->pSalt)
+	    PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen);
+	PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS));
+    }
+}
+
+/*
+ * public, deprecated.  use PK11_CreatePBEAlgorithmID or 
+ * PK11_CreatePBEV2AlgorithmID instead. If you needthe pkcs #11 parameters, 
+ * use PK11_ParamFromAlgid from the algorithm id you created using 
+ * PK11_CreatePBEAlgorithmID or PK11_CreatePBEV2AlgorithmID.
+ */
+SECItem * 
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations)
+{
+    CK_PBE_PARAMS *pbe_params = NULL;
+    SECItem *paramRV = NULL;
+
+    paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS));
+    if (!paramRV ) {
+	goto loser;
+    }
+    /* init paramRV->data with zeros. SECITEM_AllocItem does not do it */
+    PORT_Memset(paramRV->data, 0, sizeof(CK_PBE_PARAMS));
+
+    pbe_params = (CK_PBE_PARAMS *)paramRV->data;
+    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwd->len);
+    if (!pbe_params->pPassword) {
+        goto loser;
+    }
+    PORT_Memcpy(pbe_params->pPassword, pwd->data, pwd->len);
+    pbe_params->ulPasswordLen = pwd->len;
+
+    pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len);
+    if (!pbe_params->pSalt) {
+	goto loser;
+    }
+    PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
+    pbe_params->ulSaltLen = salt->len;
+
+    pbe_params->ulIteration = (CK_ULONG)iterations;
+    return paramRV;
+
+loser:
+    if (pbe_params)
+        pk11_destroy_ck_pbe_params(pbe_params);
+    if (paramRV) 
+    	PORT_ZFree(paramRV, sizeof(SECItem));
+    return NULL;
+}
+
+/*
+ * public, deprecated.
+ */
+void
+PK11_DestroyPBEParams(SECItem *pItem)
+{
+    if (pItem) {
+	CK_PBE_PARAMS * params = (CK_PBE_PARAMS *)(pItem->data);
+	if (params)
+	    pk11_destroy_ck_pbe_params(params);
+	PORT_ZFree(pItem, sizeof(SECItem));
+    }
+}
+
+/*
+ * public, Partially supports PKCS5 V2 (some parameters are not controllable
+ * through this interface). Use PK11_CreatePBEV2AlgorithmID() if you need
+ * finer control these.
+ */
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
+{
+    SECAlgorithmID *algid = NULL;
+    algid = sec_pkcs5CreateAlgorithmID(algorithm,
+		 SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, NULL, 0, salt, iteration);
+    return algid;
+}
+
+/*
+ * public, fully support pkcs5v2.
+ */
+SECAlgorithmID *
+PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
+			    SECOidTag prfAlgTag, int keyLength, int iteration, 
+			    SECItem *salt)
+{
+    SECAlgorithmID *algid = NULL;
+    algid = sec_pkcs5CreateAlgorithmID(pbeAlgTag, cipherAlgTag, prfAlgTag,
+					NULL, keyLength, salt, iteration);
+    return algid;
+}
+
+/*
+ * private.
+ */
+PK11SymKey *
+pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
+			SECItem *params, CK_KEY_TYPE keyType, int keyLen,
+			SECItem *pwitem, void *wincx)
+{
+    CK_ULONG pwLen;
+    /* do some sanity checks */
+    if ((params == NULL) || (params->data == NULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if (type == CKM_INVALID_MECHANISM) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+
+    /* set the password pointer in the parameters... */
+    if (type == CKM_PKCS5_PBKD2) {
+    	CK_PKCS5_PBKD2_PARAMS *pbev2_params;
+	if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return NULL;
+	}
+	pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data;
+	pbev2_params->pPassword = pwitem->data;
+	pwLen = pwitem->len;
+	pbev2_params->ulPasswordLen = &pwLen;
+    } else {
+    	CK_PBE_PARAMS *pbe_params;
+	if (params->len < sizeof(CK_PBE_PARAMS)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return NULL;
+	}
+	pbe_params = (CK_PBE_PARAMS *)params->data;
+	pbe_params->pPassword = pwitem->data;
+	pbe_params->ulPasswordLen = pwitem->len;
+    }
+
+    /* generate the key (and sometimes the IV as a side effect...) */
+    return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, 
+	   keyLen, NULL, CKF_SIGN|CKF_ENCRYPT|CKF_DECRYPT|CKF_UNWRAP|CKF_WRAP, 
+	   0, wincx);
+}
+
+/*
+ * public, deprecated. use PK11_PBEKeyGen instead.
+ */
+PK11SymKey *
+PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech,
+			 SECItem *pwitem, PRBool faulty3DES, void *wincx)
+{
+    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
+	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
+    }
+    return pk11_RawPBEKeyGenWithKeyType(slot, type, mech, -1, 0, pwitem, wincx);
+}
+
+/*
+ * pubic, supports pkcs5 v2.
+ *
+ * Create symkey from a PBE key. The algid can be created with
+ *  PK11_CreatePBEV2AlgorithmID and PK11_CreatePBEAlgorithmID, or by
+ *  extraction of der data.
+ */
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
+	       					PRBool faulty3DES, void *wincx)
+{
+    CK_MECHANISM_TYPE type;
+    SECItem *param = NULL;
+    PK11SymKey *symKey;
+    SECOidTag	pbeAlg;
+    CK_KEY_TYPE keyType = -1;
+    int keyLen = 0;
+
+    pbeAlg = SECOID_GetAlgorithmTag(algid);
+    /* if we're using PKCS5v2, extract the additional information we need
+     * (key length, key type, and pbeAlg). */
+    if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) {
+	CK_MECHANISM_TYPE cipherMech;
+	sec_pkcs5V2Parameter *pbeV2_param;
+
+	pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
+	if (pbeV2_param == NULL) {
+	    return NULL;
+	}
+	cipherMech = PK11_AlgtagToMechanism(
+		SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId));
+	pbeAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId);
+	param = PK11_ParamFromAlgid(&pbeV2_param->pbeAlgId);
+	sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
+	keyLen = SEC_PKCS5GetKeyLength(algid);
+	if (keyLen == -1) {
+	    keyLen = 0;
+	}
+	keyType = PK11_GetKeyType(cipherMech, keyLen);
+    } else {
+	param = PK11_ParamFromAlgid(algid);
+    }
+    if(param == NULL) {
+	return NULL;
+    }
+
+    type = PK11_AlgtagToMechanism(pbeAlg);	
+    if (type == CKM_INVALID_MECHANISM) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
+	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
+    }
+    symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, 
+					pwitem, wincx);
+
+    SECITEM_ZfreeItem(param, PR_TRUE);
+    return symKey;
+}
+
+/*
+ * public, supports pkcs5v2
+ */
+SECItem *
+PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem)
+{
+    return SEC_PKCS5GetIV(algid, pwitem, PR_FALSE);
+}
+
+CK_MECHANISM_TYPE
+pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, 
+			   SECItem *pbe_pwd, PRBool faulty3DES)
+{
+    int keyLen = 0;
+    SECOidTag algTag = SEC_PKCS5GetCryptoAlgorithm(algid);
+    CK_MECHANISM_TYPE mech = PK11_AlgtagToMechanism(algTag);
+    CK_MECHANISM_TYPE returnedMechanism = CKM_INVALID_MECHANISM;
+    SECItem *iv = NULL;
+
+    if (mech == CKM_INVALID_MECHANISM) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	goto loser;
+    }
+    if (PK11_GetIVLength(mech)) {
+	iv = SEC_PKCS5GetIV(algid, pbe_pwd, faulty3DES);
+	if (iv == NULL) {
+	    goto loser;
+	}
+    }
+
+    keyLen = SEC_PKCS5GetKeyLength(algid);
+
+    *param = pk11_ParamFromIVWithLen(mech, iv, keyLen);
+    if (*param == NULL) {
+	goto loser;
+    }
+    returnedMechanism = mech;
+
+loser:
+    if (iv) {
+	SECITEM_FreeItem(iv,PR_TRUE);
+    }
+    return returnedMechanism;
+}
+
+/*
+ * public, supports pkcs5 v2
+ *
+ * get a the crypto mechanism directly from the pbe algorithmid.
+ *
+ * it's important to go directly from the algorithm id so that we can
+ * handle both the PKCS #5 v1, PKCS #12, and PKCS #5 v2 cases.
+ *
+ * This function returns both the mechanism an the paramter for the mechanism.
+ * The caller is responsible for freeing the parameter.
+ */
+CK_MECHANISM_TYPE
+PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, 
+			   SECItem *pbe_pwd)
+{
+    return pk11_GetPBECryptoMechanism(algid, param, pbe_pwd, PR_FALSE);
+}
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
new file mode 100644
index 000000000..a90081e20
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -0,0 +1,565 @@
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file PKCS #12 fuctions that should really be moved to the
+ * PKCS #12 directory, however we can't do that in a point release
+ * because that will break binary compatibility, so we keep them here for now.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+
+
+/* These data structures should move to a common .h file shared between the
+ * wrappers and the pkcs 12 code. */
+
+/*
+** RSA Raw Private Key structures
+*/
+
+/* member names from PKCS#1, section 7.2 */
+struct SECKEYRSAPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem version;
+    SECItem modulus;
+    SECItem publicExponent;
+    SECItem privateExponent;
+    SECItem prime1;
+    SECItem prime2;
+    SECItem exponent1;
+    SECItem exponent2;
+    SECItem coefficient;
+};
+typedef struct SECKEYRSAPrivateKeyStr SECKEYRSAPrivateKey;
+
+
+/*
+** DSA Raw Private Key structures
+*/
+
+struct SECKEYDSAPrivateKeyStr {
+    SECKEYPQGParams params;
+    SECItem privateValue;
+};
+typedef struct SECKEYDSAPrivateKeyStr SECKEYDSAPrivateKey;
+
+/*
+** Diffie-Hellman Raw Private Key structures
+** Structure member names suggested by PKCS#3.
+*/
+struct SECKEYDHPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem privateValue;
+};
+typedef struct SECKEYDHPrivateKeyStr SECKEYDHPrivateKey;
+
+/*
+** raw private key object
+*/
+struct SECKEYRawPrivateKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    union {
+        SECKEYRSAPrivateKey rsa;
+        SECKEYDSAPrivateKey dsa;
+        SECKEYDHPrivateKey  dh;
+    } u;
+};
+typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey;
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+/* ASN1 Templates for new decoder/encoder */
+/*
+ * Attribute value for PKCS8 entries (static?)
+ */
+const SEC_ASN1Template SECKEY_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(SECKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SECKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(SECKEYAttribute, attrValue),
+        SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SECKEY_AttributeTemplate },
+};
+
+const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(SECKEYPrivateKeyInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(SECKEYPrivateKeyInfo,attributes),
+        SECKEY_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SECKEY_PrivateKeyInfoTemplate }
+};
+
+const SEC_ASN1Template SECKEY_RSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.coefficient) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.prime) },
+};
+
+const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(SECKEYEncryptedPrivateKeyInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(SECKEYEncryptedPrivateKeyInfo,encryptedData) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[] = {
+        { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_EncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToPrivateKeyInfoTemplate)
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_rsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+static void
+prepare_dsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_dh_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.dh.privateValue.type = siUnsignedInteger;
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+}
+
+
+SECStatus
+PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, derPKI,
+	nickname, publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey** privk,
+	void *wincx) 
+{
+    SECKEYPrivateKeyInfo *pki = NULL;
+    PRArenaPool *temparena = NULL;
+    SECStatus rv = SECFailure;
+
+    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!temparena)
+        return rv;
+    pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
+    if (!pki) {
+        PORT_FreeArena(temparena, PR_FALSE);
+        return rv;
+    }
+    pki->arena = temparena;
+
+    rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
+		derPKI);
+    if( rv != SECSuccess ) {
+	goto finish;
+    }
+
+    rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
+		publicValue, isPerm, isPrivate, keyUsage, privk, wincx);
+
+finish:
+    /* this zeroes the key and frees the arena */
+    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+    return rv;
+}
+        
+SECStatus
+PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk,
+	void *wincx) 
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_KEY_TYPE keyType = CKK_RSA;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[20];
+    int templateCount = 0;
+    SECStatus rv = SECFailure;
+    PRArenaPool *arena;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *signedattr = NULL;
+    int signedcount = 0;
+    CK_ATTRIBUTE *ap;
+    SECItem *ck_id = NULL;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    attrs = theTemplate;
+
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+
+    switch (lpk->keyType) {
+    case rsaKey:
+	    keyType = CKK_RSA;
+	    PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, 
+				(keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    if (nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++; 
+	    } 
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
+						lpk->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     			lpk->u.rsa.publicExponent.data,
+				lpk->u.rsa.publicExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, 
+	     			lpk->u.rsa.privateExponent.data,
+				lpk->u.rsa.privateExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_1, 
+	     			lpk->u.rsa.prime1.data,
+				lpk->u.rsa.prime1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_2, 
+	     			lpk->u.rsa.prime2.data,
+				lpk->u.rsa.prime2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_1, 
+	     			lpk->u.rsa.exponent1.data,
+				lpk->u.rsa.exponent1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_2, 
+	     			lpk->u.rsa.exponent2.data,
+				lpk->u.rsa.exponent2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_COEFFICIENT, 
+	     			lpk->u.rsa.coefficient.data,
+				lpk->u.rsa.coefficient.len); attrs++;
+	    break;
+    case dsaKey:
+	    keyType = CKK_DSA;
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dsa key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if( publicValue == NULL ) {
+		goto loser;
+	    }
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dsa.params.prime.data,
+				lpk->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
+				lpk->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dsa.params.base.data,
+					lpk->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dsa.privateValue.data, 
+					lpk->u.dsa.privateValue.len); attrs++;
+	    break;
+     case dhKey:
+	    keyType = CKK_DH;
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dh key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dh.prime.data,
+				lpk->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dh.base.data,
+					lpk->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dh.privateValue.data, 
+					lpk->u.dh.privateValue.len); attrs++;
+	    break;
+	/* what about fortezza??? */
+    default:
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	    goto loser;
+    }
+    templateCount = attrs - theTemplate;
+    PORT_Assert(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
+    PORT_Assert(signedattr != NULL);
+    signedcount = attrs - signedattr;
+
+    for (ap=signedattr; signedcount; ap++, signedcount--) {
+	pk11_SignedToUnsigned(ap);
+    }
+
+    rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
+			theTemplate, templateCount, isPerm, &objectID);
+
+    /* create and return a SECKEYPrivateKey */
+    if( rv == SECSuccess && privk != NULL) {
+	*privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx);
+	if( *privk == NULL ) {
+	    rv = SECFailure;
+	}
+    }
+loser:
+    if (ck_id) {
+	SECITEM_ZfreeItem(ck_id, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue,
+	isPerm, isPrivate, keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+	SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue,
+	PRBool isPerm, PRBool isPrivate, unsigned int keyUsage,
+	SECKEYPrivateKey **privk, void *wincx) 
+{
+    CK_KEY_TYPE keyType = CKK_RSA;
+    SECStatus rv = SECFailure;
+    SECKEYRawPrivateKey *lpk = NULL;
+    const SEC_ASN1Template *keyTemplate, *paramTemplate;
+    void *paramDest = NULL;
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    /* need to change this to use RSA/DSA keys */
+    lpk = (SECKEYRawPrivateKey *)PORT_ArenaZAlloc(arena,
+						  sizeof(SECKEYRawPrivateKey));
+    if(lpk == NULL) {
+	goto loser;
+    }
+    lpk->arena = arena;
+
+    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    prepare_rsa_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_RSAPrivateKeyExportTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = rsaKey;
+	    keyType = CKK_RSA;
+	    break;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	    prepare_dsa_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
+	    paramTemplate = SECKEY_PQGParamsTemplate;
+	    paramDest = &(lpk->u.dsa.params);
+	    lpk->keyType = dsaKey;
+	    keyType = CKK_DSA;
+	    break;
+	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	    if(!publicValue) {
+		goto loser;
+	    }
+	    prepare_dh_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = dhKey;
+	    keyType = CKK_DH;
+	    break;
+
+	default:
+	    keyTemplate   = NULL;
+	    paramTemplate = NULL;
+	    paramDest     = NULL;
+	    break;
+    }
+
+    if(!keyTemplate) {
+	goto loser;
+    }
+
+    /* decode the private key and any algorithm parameters */
+    rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+    if(paramDest && paramTemplate) {
+	rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, 
+				 &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    rv = PK11_ImportAndReturnPrivateKey(slot,lpk,nickname,publicValue, isPerm, 
+	isPrivate,  keyUsage, privk, wincx);
+
+
+loser:
+    if (lpk!= NULL) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    return rv;
+}
+
+SECStatus
+PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
+	publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
+
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pqg.c b/security/nss/lib/pk11wrap/pk11pqg.c
new file mode 100644
index 000000000..3b6cf5399
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pqg.c
@@ -0,0 +1,470 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* Thse functions are stub functions which will get replaced with calls through
+ * PKCS #11.
+ */
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11t.h"
+#include "pk11pqg.h"
+#include "secerr.h"
+
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus
+PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes,
+				 PQGParams **pParams, PQGVerify **pVfy)
+{
+    PK11SlotInfo *slot = NULL;
+    CK_ATTRIBUTE genTemplate[5];
+    CK_ATTRIBUTE *attrs = genTemplate;
+    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
+    CK_MECHANISM mechanism;
+    CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
+    CK_RV crv;
+    CK_ATTRIBUTE pTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+    };
+    CK_ATTRIBUTE vTemplate[] = {
+	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
+    };
+    int pTemplateCount = sizeof(pTemplate)/sizeof(pTemplate[0]);
+    int vTemplateCount = sizeof(vTemplate)/sizeof(vTemplate[0]);
+    PRArenaPool *parena = NULL;
+    PRArenaPool *varena = NULL;
+    PQGParams *params = NULL;
+    PQGVerify *verify = NULL;
+    CK_ULONG primeBits = PQG_INDEX_TO_PBITS(j);
+    CK_ULONG seedBits = seedBytes*8;
+
+    *pParams = NULL;
+    *pVfy =  NULL;
+
+    if (primeBits == (CK_ULONG)-1) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto loser;
+    }
+    PK11_SETATTRS(attrs, CKA_PRIME_BITS,&primeBits,sizeof(primeBits)); attrs++;
+    if (seedBits != 0) {
+    	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS, 
+					&seedBits, sizeof(seedBits)); attrs++;
+    }
+    count = attrs - genTemplate;
+    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
+
+    slot = PK11_GetInternalSlot();
+    if (slot == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    /* Initialize the Key Gen Mechanism */
+    mechanism.mechanism = CKM_DSA_PARAMETER_GEN;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GenerateKey(slot->session,
+			 &mechanism, genTemplate, count, &objectID);
+    PK11_ExitSlotMonitor(slot);
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    parena = PORT_NewArena(60);
+    if (!parena) {
+	goto loser;
+    }        
+
+    crv = PK11_GetAttributes(parena, slot, objectID, pTemplate, pTemplateCount);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+
+    params = (PQGParams *)PORT_ArenaAlloc(parena,sizeof(PQGParams));
+    if (params == NULL) {
+	goto loser;
+    }
+
+    /* fill in Params */
+    params->arena = parena;
+    params->prime.type = siUnsignedInteger;
+    params->prime.data = pTemplate[0].pValue;
+    params->prime.len = pTemplate[0].ulValueLen;
+    params->subPrime.type = siUnsignedInteger;
+    params->subPrime.data = pTemplate[1].pValue;
+    params->subPrime.len = pTemplate[1].ulValueLen;
+    params->base.type = siUnsignedInteger;
+    params->base.data = pTemplate[2].pValue;
+    params->base.len = pTemplate[2].ulValueLen;
+
+
+    varena = PORT_NewArena(60);
+    if (!varena) {
+	goto loser;
+    }        
+
+    crv = PK11_GetAttributes(varena, slot, objectID, vTemplate, vTemplateCount);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+
+    verify = (PQGVerify *)PORT_ArenaAlloc(varena,sizeof(PQGVerify));
+    if (verify == NULL) {
+	goto loser;
+    }
+    /* fill in Params */
+    verify->arena = varena;
+    verify->counter = (unsigned int)(*(CK_ULONG*)vTemplate[0].pValue);
+    verify->seed.type = siUnsignedInteger;
+    verify->seed.data = vTemplate[1].pValue;
+    verify->seed.len = vTemplate[1].ulValueLen;
+    verify->h.type = siUnsignedInteger;
+    verify->h.data = vTemplate[2].pValue;
+    verify->h.len = vTemplate[2].ulValueLen;
+
+    PK11_DestroyObject(slot,objectID);
+    PK11_FreeSlot(slot);
+
+    *pParams = params;
+    *pVfy =  verify;
+
+    return SECSuccess;
+
+loser:
+    if (objectID != CK_INVALID_HANDLE) {
+	PK11_DestroyObject(slot,objectID);
+    }
+    if (parena != NULL) {
+	PORT_FreeArena(parena,PR_FALSE);
+    }
+    if (varena != NULL) {
+	PORT_FreeArena(varena,PR_FALSE);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    return SECFailure;
+}
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus
+PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+    return PK11_PQG_ParamGenSeedLen(j, 0, pParams, pVfy);
+}
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ */
+
+extern SECStatus
+PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
+							SECStatus *result)
+{
+    CK_ATTRIBUTE keyTempl[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_KEY_TYPE, NULL, 0 },
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS class = CKO_KG_PARAMETERS;
+    CK_KEY_TYPE keyType = CKK_DSA;
+    SECStatus rv = SECSuccess;
+    PK11SlotInfo *slot;
+    int keyCount;
+    CK_OBJECT_HANDLE objectID;
+    CK_ULONG counter;
+    CK_RV crv;
+
+    attrs = keyTempl;
+    PK11_SETATTRS(attrs, CKA_CLASS, &class, sizeof(class)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIME, params->prime.data, 
+						params->prime.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_SUBPRIME, params->subPrime.data, 
+						params->subPrime.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_BASE,params->base.data,params->base.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse)); attrs++;
+    if (vfy) {
+	counter = vfy->counter;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER, 
+			&counter, sizeof(counter)); attrs++;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED, 
+			vfy->seed.data, vfy->seed.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H, 
+			vfy->h.data, vfy->h.len); attrs++;
+    }
+
+    keyCount = attrs - keyTempl;
+    PORT_Assert(keyCount <= sizeof(keyTempl)/sizeof(keyTempl[0]));
+
+
+    slot = PK11_GetInternalSlot();
+    if (slot == NULL) {
+	return SECFailure;
+    }
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount, 
+								&objectID);
+    PK11_ExitSlotMonitor(slot);
+
+    /* throw away the keys, we only wanted the return code */
+    PK11_DestroyObject(slot,objectID);
+    PK11_FreeSlot(slot);
+
+    *result = SECSuccess;
+    if (crv == CKR_ATTRIBUTE_VALUE_INVALID) {
+	*result = SECFailure;
+    } else if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	rv = SECFailure;
+    }
+    return rv;
+
+}
+
+
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+extern void 
+PK11_PQG_DestroyParams(PQGParams *params) {
+    if (params == NULL) 
+    	return;
+    if (params->arena != NULL) {
+	PORT_FreeArena(params->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&params->prime,    PR_FALSE); /* don't free prime */
+	SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
+	SECITEM_FreeItem(&params->base,     PR_FALSE); /* don't free base */
+	PORT_Free(params);
+    }
+}
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+extern void
+PK11_PQG_DestroyVerify(PQGVerify *vfy) {
+    if (vfy == NULL) 
+    	return;
+    if (vfy->arena != NULL) {
+	PORT_FreeArena(vfy->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&vfy->seed,   PR_FALSE); /* don't free seed */
+	SECITEM_FreeItem(&vfy->h,      PR_FALSE); /* don't free h */
+	PORT_Free(vfy);
+    }
+}
+
+#define PQG_DEFAULT_CHUNKSIZE 2048	/* bytes */
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGParams *
+PK11_PQG_NewParams(const SECItem * prime, const SECItem * subPrime, 
+                                 		const SECItem * base) {
+    PRArenaPool *arena;
+    PQGParams *dest;
+    SECStatus status;
+
+    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    dest = (PQGParams*)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    if (dest == NULL)
+	goto loser;
+
+    dest->arena = arena;
+
+    status = SECITEM_CopyItem(arena, &dest->prime, prime);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->subPrime, subPrime);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->base, base);
+    if (status != SECSuccess)
+	goto loser;
+
+    return dest;
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime) {
+    return SECITEM_CopyItem(NULL, prime, &params->prime);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus
+PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime) {
+    return SECITEM_CopyItem(NULL, subPrime, &params->subPrime);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetBaseFromParams(const PQGParams *params, SECItem *base) {
+    return SECITEM_CopyItem(NULL, base, &params->base);
+}
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGVerify *
+PK11_PQG_NewVerify(unsigned int counter, const SECItem * seed, 
+							const SECItem * h) {
+    PRArenaPool *arena;
+    PQGVerify *  dest;
+    SECStatus    status;
+
+    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    dest = (PQGVerify*)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
+    if (dest == NULL)
+	goto loser;
+
+    dest->arena   = arena;
+    dest->counter = counter;
+
+    status = SECITEM_CopyItem(arena, &dest->seed, seed);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->h, h);
+    if (status != SECSuccess)
+	goto loser;
+
+    return dest;
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+
+/**************************************************************************
+ * Returns "counter" value from the PQGVerify.
+ **************************************************************************/
+extern unsigned int 
+PK11_PQG_GetCounterFromVerify(const PQGVerify *verify) {
+    return verify->counter;
+}
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed) {
+    return SECITEM_CopyItem(NULL, seed, &verify->seed);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h) {
+    return SECITEM_CopyItem(NULL, h, &verify->h);
+}
diff --git a/security/nss/lib/pk11wrap/pk11pqg.h b/security/nss/lib/pk11wrap/pk11pqg.h
new file mode 100644
index 000000000..b7ad303f7
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pqg.h
@@ -0,0 +1,155 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* Thse functions are stub functions which will get replaced with calls through
+ * PKCS #11.
+ */
+
+#ifndef _PK11PQG_H_
+#define  _PK11PQG_H_ 1
+
+#include "blapit.h"
+
+SEC_BEGIN_PROTOS
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, 
+							PQGVerify **pVfy);
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, 
+	unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy);
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ *
+ * Verify the following 12 facts about PQG counter SEED g and h
+ * 1.  Q is 160 bits long.
+ * 2.  P is one of the 9 valid lengths.
+ * 3.  G < P
+ * 4.  P % Q == 1
+ * 5.  Q is prime
+ * 6.  P is prime
+ * Steps 7-12 are done only if the optional PQGVerify is supplied.
+ * 7.  counter < 4096
+ * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
+ * 9.  Q generated from SEED matches Q in PQGParams.
+ * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
+ * 11. 1 < h < P-1
+ * 12. G generated from h matches G in PQGParams.
+ */
+
+extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params, 
+                                    const PQGVerify *vfy, SECStatus *result);
+extern void PK11_PQG_DestroyParams(PQGParams *params);
+extern void PK11_PQG_DestroyVerify(PQGVerify *vfy);
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGParams * PK11_PQG_NewParams(const SECItem * prime, const 
+				SECItem * subPrime, const SECItem * base);
+
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params, 
+							SECItem * prime);
+
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, 
+							SECItem * subPrime);
+
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params, 
+							SECItem *base);
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGVerify * PK11_PQG_NewVerify(unsigned int counter, 
+				const SECItem * seed, const SECItem * h);
+
+
+/**************************************************************************
+ * Returns "counter" value from the PQGVerify.
+ **************************************************************************/
+extern unsigned int PK11_PQG_GetCounterFromVerify(const PQGVerify *verify);
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, 
+							SECItem *seed);
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h
new file mode 100644
index 000000000..6b90c25d7
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -0,0 +1,218 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _PK11PRIV_H_
+#define _PK11PRIV_H_
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keyt.h"
+#include "certt.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "seccomon.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+/*
+ * These are the private NSS functions. They are not exported by nss.def, and
+ * are not callable outside nss3.dll. 
+ */
+
+SEC_BEGIN_PROTOS
+
+/************************************************************
+ * Generic Slot Lists Management
+ ************************************************************/
+PK11SlotList * PK11_NewSlotList(void);
+PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
+						PRBool needRW,void *wincx);
+SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
+SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
+PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
+							PK11SlotInfo *slot);
+PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
+int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type);
+
+/************************************************************
+ * Generic Slot Management
+ ************************************************************/
+CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
+SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+         CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result);
+CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+         CK_ATTRIBUTE_TYPE type);
+char * PK11_MakeString(PLArenaPool *arena,char *space,char *staticSring,
+								int stringLen);
+int PK11_MapError(CK_RV error);
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
+void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
+PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
+					 CK_SESSION_HANDLE session_handle);
+PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
+void PK11_EnterSlotMonitor(PK11SlotInfo *);
+void PK11_ExitSlotMonitor(PK11SlotInfo *);
+void PK11_CleanKeyList(PK11SlotInfo *slot);
+
+
+/************************************************************
+ *  Slot Password Management
+ ************************************************************/
+SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
+void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
+void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
+void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+SECStatus PK11_InitSlotLists(void);
+void PK11_DestroySlotLists(void);
+PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
+void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
+void PK11_ClearSlotList(PK11SlotInfo *slot);
+
+
+/******************************************************************
+ *           Slot initialization
+ ******************************************************************/
+SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
+void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+
+/*********************************************************************
+ *       Mechanism Mapping functions
+ *********************************************************************/
+void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+	 	CK_MECHANISM_TYPE keygen, CK_MECHANISM_TYPE pad, 
+		int ivLen, int blocksize);
+CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
+CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);
+
+/**********************************************************************
+ *                   Symetric, Public, and Private Keys 
+ **********************************************************************/
+/* Key Generation specialized for SDR (fixed DES3 key) */
+PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
+SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
+					 CK_OBJECT_HANDLE id);
+CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
+					void *wincx, PK11SlotInfo **pSlot);
+PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+
+/**********************************************************************
+ *                   Certs
+ **********************************************************************/
+SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
+CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
+	PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, 
+								void *wincx);
+CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
+						CK_OBJECT_CLASS o_class); 
+CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
+			       CK_OBJECT_HANDLE id,
+			       CK_ATTRIBUTE_TYPE type );
+CK_RV PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot,
+			 CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
+int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
+SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, 
+	SECStatus(*callback)(CERTCertificate *, void *), void *arg);
+SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
+   PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
+SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+       SECStatus(* callback)(CERTCertificate*, void *), void *arg);
+SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
+
+
+/**********************************************************************
+ *                   Crypto Contexts
+ **********************************************************************/
+PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, 
+    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
+			 	SECItem *key, SECItem *param, void *wincx);
+PRBool PK11_HashOK(SECOidTag hashAlg);
+
+
+/**********************************************************************
+ * Functions which are  deprecated....
+ **********************************************************************/
+
+SECItem *
+PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
+					SECItem *derName, int type, char **url);
+
+CK_OBJECT_HANDLE
+PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, 
+				SECItem *name, char *url, int type);
+
+SECItem *
+PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
+					SECItem **profileTime);
+SECStatus
+PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
+			SECItem *emailProfile, SECItem *profileTime);
+
+PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
+
+char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
+SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
+						const char *nickname) ;
+
+
+/* private */
+SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
+	void *cbArg, PRBool forceLogin, void *pwArg);
+
+/* fetch multiple CRLs for a specific issuer */
+SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer,
+                                   void *wincx);
+
+/* set global options for NSS PKCS#11 module loader */
+SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules,
+                                PRBool allowAlreadyInitializedModules,
+                                PRBool dontFinalizeModules);
+
+/* return whether NSS is allowed to call C_Finalize */
+PRBool pk11_getFinalizeModulesOption(void);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
new file mode 100644
index 000000000..73794f81d
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -0,0 +1,809 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _PK11PUB_H_
+#define _PK11PUB_H_
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keyt.h"
+#include "certt.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "seccomon.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+/*
+ * Exported PK11 wrap functions.
+ */
+
+SEC_BEGIN_PROTOS
+
+/************************************************************
+ * Generic Slot Lists Management
+ ************************************************************/
+void PK11_FreeSlotList(PK11SlotList *list);
+SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le);
+PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
+PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, 
+				PK11SlotListElement *le, PRBool restart);
+
+/************************************************************
+ * Generic Slot Management
+ ************************************************************/
+PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
+void PK11_FreeSlot(PK11SlotInfo *slot);
+SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+PK11SlotInfo *PK11_GetInternalKeySlot(void);
+PK11SlotInfo *PK11_GetInternalSlot(void);
+SECStatus PK11_Logout(PK11SlotInfo *slot);
+void PK11_LogoutAll(void);
+
+
+/************************************************************
+ *  Slot Password Management
+ ************************************************************/
+void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
+void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
+SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
+SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw);
+PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
+SECStatus PK11_InitPin(PK11SlotInfo *slot,const char *ssopw,
+                       const char *pk11_userpwd);
+SECStatus PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw,
+                        const char *newpw);
+void PK11_SetPasswordFunc(PK11PasswordFunc func);
+int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
+SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
+SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
+
+
+/******************************************************************
+ *           Slot info functions
+ ******************************************************************/
+PK11SlotInfo *PK11_FindSlotByName(const char *name);
+/******************************************************************
+ * PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
+ * more criteria : dllName, slotName and tokenName . In addition, if
+ * presentOnly is set , only slots with a token inserted will be
+ * returned.
+ ******************************************************************/
+PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
+        const char* slotName, const char* tokenName, PRBool presentOnly);
+PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
+PRBool PK11_IsInternal(PK11SlotInfo *slot);
+char * PK11_GetTokenName(PK11SlotInfo *slot);
+char * PK11_GetSlotName(PK11SlotInfo *slot);
+PRBool PK11_NeedLogin(PK11SlotInfo *slot);
+PRBool PK11_IsFriendly(PK11SlotInfo *slot);
+PRBool PK11_IsHW(PK11SlotInfo *slot);
+PRBool PK11_IsRemovable(PK11SlotInfo *slot);
+PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
+PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
+int PK11_GetSlotSeries(PK11SlotInfo *slot);
+int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
+unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
+CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
+SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
+SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
+SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
+PRBool PK11_IsDisabled(PK11SlotInfo *slot);
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
+PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
+/* Prevents the slot from being used, and set disable reason to user-disable */
+/* NOTE: Mechanisms that were ON continue to stay ON */
+/*       Therefore, when the slot is enabled, it will remember */
+/*       what mechanisms needs to be turned on */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
+/* Allow all mechanisms that are ON before UserDisableSlot() */
+/* was called to be available again */
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
+/*
+ * wait for a specific slot event.
+ * event is a specific event to wait for. Currently only 
+ *    PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
+ * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
+ * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
+ * pollInterval is a suggested pulling interval value. '0' means use the 
+ *  default. Future implementations that don't poll may ignore this value.
+ * series is the current series for the last slot. This should be the series 
+ *  value for the slot the last time you read persistant information from the
+ *  slot. For instance, if you publish a cert from the slot, you should obtain
+ *  the slot series at that time. Then PK11_WaitForTokenEvent can detect a 
+ *  a change in the slot between the time you publish and the time 
+ *  PK11_WaitForTokenEvent is called, elliminating potential race conditions.
+ *
+ * The current status that is returned is:
+ *   PK11TokenNotRemovable - always returned for any non-removable token.
+ *   PK11TokenPresent - returned when the token is present and we are waiting
+ *     on a PK11TokenPresentEvent. Then next event to look for is a 
+ *     PK11TokenChangeOrRemovalEvent.
+ *   PK11TokenChanged - returned when the old token has been removed and a new
+ *     token ad been inserted, and we are waiting for a 
+ *     PK11TokenChangeOrRemovalEvent. The next event to look for is another
+ *     PK11TokenChangeOrRemovalEvent.
+ *   PK11TokenRemoved - returned when the token is not present and we are 
+ *     waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for 
+ *     is a PK11TokenPresentEvent.
+ */
+PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
+	PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
+
+PRBool PK11_NeedPWInit(void);
+PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
+SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
+PRBool PK11_IsFIPS(void);
+SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
+
+/*********************************************************************
+ *            Slot mapping utility functions.
+ *********************************************************************/
+PRBool PK11_IsPresent(PK11SlotInfo *slot);
+PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
+					PRBool loadCerts, void *wincx);
+PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
+							void *wincx);
+PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
+CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
+int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+
+/*
+ * Open a new database using the softoken. The caller is responsible for making
+ * sure the module spec is correct and usable. The caller should ask for one
+ * new database per call if the caller wants to get meaningful information
+ * about the new database.
+ *
+ * moduleSpec is the same data that you would pass to softoken at
+ * initialization time under the 'tokens' options. For example, if you were
+ * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
+ * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
+ * module spec here. The slot ID will be calculated for you by
+ * SECMOD_OpenUserDB().
+ *
+ * Typical parameters here are configdir, tokenDescription and flags.
+ *
+ * a Full list is below:
+ *
+ *
+ *  configDir - The location of the databases for this token. If configDir is
+ *         not specified, and noCertDB and noKeyDB is not specified, the load
+ *         will fail.
+ *   certPrefix - Cert prefix for this token.
+ *   keyPrefix - Prefix for the key database for this token. (if not specified,
+ *         certPrefix will be used).
+ *   tokenDescription - The label value for this token returned in the
+ *         CK_TOKEN_INFO structure with an internationalize string (UTF8).
+ *         This value will be truncated at 32 bytes (no NULL, partial UTF8
+ *         characters dropped). You should specify a user friendly name here
+ *         as this is the value the token will be refered to in most
+ *         application UI's. You should make sure tokenDescription is unique.
+ *   slotDescription - The slotDescription value for this token returned
+ *         in the CK_SLOT_INFO structure with an internationalize string
+ *         (UTF8). This value will be truncated at 64 bytes (no NULL, partial
+ *         UTF8 characters dropped). This name will not change after the
+ *         database is closed. It should have some number to make this unique.
+ *   minPWLen - minimum password length for this token.
+ *   flags - comma separated list of flag values, parsed case-insensitive.
+ *         Valid flags are:
+ *              readOnly - Databases should be opened read only.
+ *              noCertDB - Don't try to open a certificate database.
+ *              noKeyDB - Don't try to open a key database.
+ *              forceOpen - Don't fail to initialize the token if the
+ *                databases could not be opened.
+ *              passwordRequired - zero length passwords are not acceptable
+ *                (valid only if there is a keyDB).
+ *              optimizeSpace - allocate smaller hash tables and lock tables.
+ *                When this flag is not specified, Softoken will allocate
+ *                large tables to prevent lock contention.
+ */
+PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
+SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
+
+/*
+ * merge the permanent objects from on token to another 
+ */
+SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
+                PK11MergeLog *log, void *targetPwArg, void *sourcePwArg);
+
+/*
+ * create and destroy merge logs needed by PK11_MergeTokens
+ */
+PK11MergeLog * PK11_CreateMergeLog(void);
+void PK11_DestroyMergeLog(PK11MergeLog *log);
+
+
+
+/*********************************************************************
+ *       Mechanism Mapping functions
+ *********************************************************************/
+CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
+CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
+int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
+int PK11_GetIVLength(CK_MECHANISM_TYPE type);
+SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
+unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
+SECItem * PK11_BlockData(SECItem *data,unsigned long size);
+
+/* PKCS #11 to DER mapping functions */
+SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
+SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
+CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
+SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
+SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
+SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
+                                   PLArenaPool *arena, SECAlgorithmID *algid);
+SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
+SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len);
+SECStatus PK11_RandomUpdate(void *data, size_t bytes);
+SECStatus PK11_GenerateRandom(unsigned char *data,int len);
+
+/* warning: cannot work with pkcs 5 v2
+ * use algorithm ID s instead of pkcs #11 mechanism pointers */
+CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
+					    CK_MECHANISM_PTR pCryptoMechanism,
+					    SECItem *pbe_pwd, PRBool bad3DES);
+CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
+CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
+
+/**********************************************************************
+ *                   Symetric, Public, and Private Keys 
+ **********************************************************************/
+void PK11_FreeSymKey(PK11SymKey *key);
+PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
+PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+    PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
+PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, 
+    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, 
+    SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
+PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
+    PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, 
+    PRBool owner, void *wincx);
+PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
+			      CK_MECHANISM_TYPE type,int series, void *wincx);
+/*
+ * This function is not thread-safe.  It can only be called when only
+ * one thread has a reference to wrapKey.
+ */
+void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
+CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
+/*
+ * import a public key into the desired slot
+ *  
+ * This function takes a public key structure and creates a public key in a 
+ * given slot. If isToken is set, then a persistant public key is created.
+ *
+ * Note: it is possible for this function to return a handle for a key which
+ * is persistant, even if isToken is not set.
+ */
+CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, 
+				SECKEYPublicKey *pubKey, PRBool isToken);
+PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+				SECItem *param,	int keySize,void *wincx);
+PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+				SECItem *param, int keySize, SECItem *keyid,
+				PRBool isToken, void *wincx);
+PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot,
+				CK_MECHANISM_TYPE type, SECItem *param,
+				int keySize, SECItem *keyid, CK_FLAGS opFlags,
+				PK11AttrFlags attrFlags, void *wincx);
+PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
+								void *wincx);
+PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
+CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
+
+/*
+ * PK11_SetSymKeyUserData
+ *   sets generic user data on keys (usually a pointer to a data structure)
+ * that can later be retrieved by PK11_GetSymKeyUserData().
+ *    symKey - key where data will be set.
+ *    data - data to be set.
+ *    freefunc - function used to free the data.
+ * Setting user data on symKeys with existing user data already set will cause 
+ * the existing user data to be freed before the new user data is set.
+ * Freeing user data is done by calling the user specified freefunc. 
+ * If freefunc is NULL, the user data is assumed to be global or static an 
+ * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the 
+ * effect of freeing any existing user data, and clearing the user data 
+ * pointer. If user data exists when the symKey is finally freed, that 
+ * data will be freed with freefunc.
+ *
+ * Applications should only use this function on keys which the application
+ * has created directly, as there is only one user data value per key.
+ */
+void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, 
+                                 PK11FreeDataFunc freefunc);
+/* PK11_GetSymKeyUserData 
+ *   retrieves generic user data which was set on a key by 
+ * PK11_SetSymKeyUserData.
+ *    symKey - key with data to be fetched
+ *
+ * If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
+ * will return NULL. Returned data is still owned and managed by the SymKey,
+ * the caller should not free the data.
+ *
+ */
+void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
+
+SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+				PK11SymKey *symKey, SECItem *wrappedKey);
+SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
+	 PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
+/* move a key to 'slot' optionally set the key attributes according to either
+ * operation or the  flags and making the key permanent at the same time.
+ * If the key is moved to the same slot, operation and flags values are 
+ * currently ignored */
+PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, 
+			CK_FLAGS flags, PRBool  perm, PK11SymKey *symKey);
+/*
+ * derive a new key from the base key.
+ *  PK11_Derive returns a key which can do exactly one operation, and is
+ * ephemeral (session key).
+ *  PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
+ * CKF_ flags to enable more than one operation.
+ *  PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
+ *  (optionally) make the key permanent (token key).
+ */
+PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
+   			SECItem *param, CK_MECHANISM_TYPE target, 
+		        CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
+	CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
+PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_FLAGS flags, PRBool isPerm);
+
+PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, 
+ SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
+ CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+		 CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
+PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey, 
+ SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
+ CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+		 CK_ATTRIBUTE_TYPE operation, int keySize,
+		 CK_ULONG kdf, SECItem *sharedData, void *wincx);
+
+/*
+ * unwrap a new key with a symetric key.
+ *  PK11_Unwrap returns a key which can do exactly one operation, and is
+ * ephemeral (session key).
+ *  PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
+ * CKF_ flags to enable more than one operation.
+ *  PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
+ *  (optionally) make the key permanent (token key).
+ */
+PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, 
+	CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,  
+	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, 
+	CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
+	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
+	CK_FLAGS flags);
+PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, 
+	CK_MECHANISM_TYPE wrapType,
+        SECItem *param, SECItem *wrappedKey, 
+	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	 int keySize, CK_FLAGS flags, PRBool isPerm);
+
+/*
+ * unwrap a new key with a private key.
+ *  PK11_PubUnwrap returns a key which can do exactly one operation, and is
+ * ephemeral (session key).
+ *  PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can 
+ * use * CKF_ flags to enable more than one operation, and optionally make 
+ * the key permanent (token key).
+ */
+PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
+	 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, 
+	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
+	  CK_ATTRIBUTE_TYPE operation, int keySize,
+	  CK_FLAGS flags, PRBool isPerm);
+PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
+						SECItem *keyID, void *wincx);
+SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
+SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
+SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
+SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
+SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
+		SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+					PRBool token, PRBool sensitive);
+char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
+char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
+char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
+SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
+SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
+							const char *nickname);
+SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
+							const char *nickname);
+
+/* size to hold key in bytes */
+unsigned int PK11_GetKeyLength(PK11SymKey *key);
+/* size of actual secret parts of key in bits */
+/* algid is because RC4 strength is determined by the effective bits as well
+ * as the key bits */
+unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
+SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
+SECItem * PK11_GetKeyData(PK11SymKey *symKey);
+PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
+void *PK11_GetWindow(PK11SymKey *symKey);
+
+/*
+ * Explicitly set the key usage for the generated private key.
+ *
+ * This allows us to specify single use EC and RSA keys whose usage
+ * can be regulated by the underlying token.
+ *
+ * The underlying key usage is set using opFlags. opFlagsMask specifies
+ * which operations are specified by opFlags. For instance to turn encrypt
+ * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and 
+ * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
+ * need to specify both the public and private key flags, 
+ * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the 
+ * correct key type. Flags not specified in opFlagMask will be defaulted 
+ * according to mechanism type and token capabilities.
+ */
+SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
+   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
+   PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
+    void *wincx);
+/*
+ * The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
+ * These flags apply to the private key.  The PK11_ATTR_TOKEN,
+ * PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
+ * flags also apply to the public key.
+ */
+SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,
+   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
+		 	    PK11AttrFlags attrFlags, void *wincx);
+SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
+   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
+		 	    PRBool isPerm, PRBool isSensitive, void *wincx);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
+				 	CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
+				       void *wincx);
+int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); 
+
+/* note: despite the name, this function takes a private key. */
+SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
+   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
+/* The encrypt function that complements the above decrypt function. */
+SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+                unsigned char *data, unsigned dataLen, void *wincx);
+
+SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data,
+   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+/* The encrypt function that complements the above decrypt function. */
+SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
+                unsigned char *data, unsigned dataLen, void *wincx);
+
+SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, void *wincx);
+SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
+		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECItem *derPKI, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
+		SECItem *derPKI, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, 
+		SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+		PRBool isPrivate, KeyType type, 
+		unsigned int usage, void *wincx);
+SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
+		CERTCertificate *cert, void *wincx);
+SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
+		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+		SECKEYPrivateKey *pk, int iteration, void *wincx);
+SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
+		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+		CERTCertificate *cert, int iteration, void *wincx);
+SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, 
+					CERTCertificate *cert, void *wincx);
+SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
+SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
+PRBool PK11_VerifyKeyOK(PK11SymKey *key);
+SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, 
+		PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+		SECItem *param, SECItem *wrappedKey, SECItem *label, 
+		SECItem *publicValue, PRBool token, PRBool sensitive,
+		CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
+		void *wincx);
+SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+			   SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
+			   SECItem *param, SECItem *wrappedKey, void *wincx);
+SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
+PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
+	CK_MECHANISM_TYPE mech);
+SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
+						 char *nickname, void *wincx);
+SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
+							char *nickname);
+SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
+/* deprecated */
+SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
+
+PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
+	void *wincx);
+SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
+	SECKEYPrivateKey *privk, void* wincx);
+SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
+				      SECKEYPrivateKey *privKey);
+
+/**********************************************************************
+ *                   Certs
+ **********************************************************************/
+SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
+SECStatus PK11_TraverseSlotCerts(
+     SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
+                                                void *arg, void *wincx);
+CERTCertificate * PK11_FindCertFromNickname(const char *nickname, void *wincx);
+CERTCertList * PK11_FindCertsFromNickname(const char *nickname, void *wincx);
+CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
+SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+                CK_OBJECT_HANDLE key, const char *nickname, 
+                PRBool includeTrust);
+SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
+                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
+PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, 
+                                    const char *nickname, void *wincx);
+PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
+								void *wincx);
+PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
+					CK_OBJECT_HANDLE *keyPtr, void *wincx);
+PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
+					CK_OBJECT_HANDLE *keyPtr, void *wincx);
+CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
+					CERTIssuerAndSN *sn, void *wincx);
+CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
+	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
+				SECKEYPrivateKey**privKey, void *wincx);
+int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
+				void *wincx);
+SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
+	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+	void *arg);
+CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, 
+					  CERTCertificate *cert, void *wincx);
+CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
+                                          SECItem *derCert, void *wincx);
+SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+					char *nickname, PRBool addUsage,
+					void *wincx);
+CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
+PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
+CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+				     void *wincx);
+SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
+	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+	void *arg);
+CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
+CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
+CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
+    int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena, PRInt32 decodeOptions);
+
+/**********************************************************************
+ *                   Sign/Verify 
+ **********************************************************************/
+
+/*
+ * Return the length in bytes of a signature generated with the
+ * private key.
+ *
+ * Return 0 or -1 on failure.  (XXX Should we fix it to always return
+ * -1 on failure?)
+ */
+int PK11_SignatureLen(SECKEYPrivateKey *key);
+PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
+SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
+SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
+						 SECItem *dsig, void * wincx);
+SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, 
+						SECItem *hash, void *wincx);
+
+
+
+/**********************************************************************
+ *                   Crypto Contexts
+ **********************************************************************/
+void PK11_DestroyContext(PK11Context *context, PRBool freeit);
+PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
+	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
+PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
+PK11Context *PK11_CloneContext(PK11Context *old);
+SECStatus PK11_DigestBegin(PK11Context *cx);
+/*
+ * The output buffer 'out' must be big enough to hold the output of
+ * the hash algorithm 'hashAlg'.
+ */
+SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
+					PRInt32 len);
+SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, 
+                        unsigned len);
+SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
+				int maxout, unsigned char *in, int inlen);
+SECStatus PK11_Finalize(PK11Context *context);
+SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, 
+				unsigned int *outLen, unsigned int length);
+SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
+						int *len, int saveLength);
+
+/* Save the context's state, with possible allocation.
+ * The caller may supply an already allocated buffer in preAllocBuf,
+ * with length pabLen.  If the buffer is large enough for the context's
+ * state, it will receive the state.
+ * If the buffer is not large enough (or NULL), then a new buffer will
+ * be allocated with PORT_Alloc.
+ * In either case, the state will be returned as a buffer, and the length
+ * of the state will be given in *stateLen.
+ */
+unsigned char *
+PK11_SaveContextAlloc(PK11Context *cx,
+                      unsigned char *preAllocBuf, unsigned int pabLen,
+                      unsigned int *stateLen);
+
+SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
+SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
+void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
+
+
+/**********************************************************************
+ *                   PBE functions 
+ **********************************************************************/
+
+/* This function creates PBE parameters from the given inputs.  The result
+ * can be used to create a password integrity key for PKCS#12, by sending
+ * the return value to PK11_KeyGen along with the appropriate mechanism.
+ */
+SECItem * 
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
+
+/* free params created above (can be called after keygen is done */
+void PK11_DestroyPBEParams(SECItem *params);
+
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
+
+/* use to create PKCS5 V2 algorithms with finder control than that provided
+ * by PK11_CreatePBEAlgorithmID. */
+SECAlgorithmID *
+PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
+                            SECOidTag prfAlgTag, int keyLength, int iteration,
+                            SECItem *salt);
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid,  SECItem *pwitem,
+	       PRBool faulty3DES, void *wincx);
+
+/* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */
+PK11SymKey *
+PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
+		SECItem *pwitem, PRBool faulty3DES, void *wincx);
+SECItem *
+PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
+/*
+ * Get the Mechanism and parameter of the base encryption or mac scheme from
+ * a PBE algorithm ID.
+ *  Caller is responsible for freeing the return parameter (param).
+ */
+CK_MECHANISM_TYPE
+PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, 
+			   SECItem **param, SECItem *pwd);
+
+/**********************************************************************
+ * Functions to manage secmod flags
+ **********************************************************************/
+PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
+SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
+							PRBool );
+
+/**********************************************************************
+ * Functions to look at PKCS #11 dependent data
+ **********************************************************************/
+PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, 
+						CK_OBJECT_CLASS objClass);
+PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
+PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
+SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
+SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
+				 PK11GenericObject *object);
+SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
+SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
+PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, 
+				   const CK_ATTRIBUTE *pTemplate, 
+				   int count, PRBool token);
+
+/*
+ * PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic
+ * functions to read and modify the actual PKCS #11 attributes of
+ * the underlying pkcs #11 object.
+ * 
+ * object is a pointer to an NSS object that represents the underlying
+ *  PKCS #11 object. It's type must match the type of PK11ObjectType
+ *  as follows:
+ *
+ *     type                           object
+ *   PK11_TypeGeneric            PK11GenericObject *
+ *   PK11_TypePrivKey            SECKEYPrivateKey *
+ *   PK11_TypePubKey             SECKEYPublicKey *
+ *   PK11_TypeSymKey             PK11SymKey *
+ *
+ *  All other types are considered invalid. If type does not match the object
+ *  passed, unpredictable results will occur.
+ */
+SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object, 
+				CK_ATTRIBUTE_TYPE attr, SECItem *item);
+SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object, 
+				CK_ATTRIBUTE_TYPE attr, SECItem *item);
+
+/*
+ * PK11_GetAllSlotsForCert returns all the slots that a given certificate
+ * exists on, since it's possible for a cert to exist on more than one
+ * PKCS#11 token.
+ */
+PK11SlotList *
+PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg);
+
+/**********************************************************************
+ * New functions which are already deprecated....
+ **********************************************************************/
+SECItem *
+PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
+					CERTCertificate *cert, void *pwarg);
+SECItem *
+PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
+
+PRBool SECMOD_HasRootCerts(void);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
new file mode 100644
index 000000000..a9511b392
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11sdr.c
@@ -0,0 +1,410 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   thayes@netscape.com
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "seccomon.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "pk11sdr.h"
+
+/*
+ * Data structure and template for encoding the result of an SDR operation
+ *  This is temporary.  It should include the algorithm ID of the encryption mechanism
+ */
+struct SDRResult
+{
+  SECItem keyid;
+  SECAlgorithmID alg;
+  SECItem data;
+};
+typedef struct SDRResult SDRResult;
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+static SEC_ASN1Template template[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
+  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
+  { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(SDRResult, alg),
+    SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
+  { 0 }
+};
+
+static unsigned char keyID[] = {
+  0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+};
+
+static SECItem keyIDItem = {
+  0,
+  keyID,
+  sizeof keyID
+};
+
+/* local utility function for padding an incoming data block
+ * to the mechanism block size.
+ */
+static SECStatus
+padBlock(SECItem *data, int blockSize, SECItem *result)
+{
+  SECStatus rv = SECSuccess;
+  int padLength;
+  unsigned int i;
+
+  result->data = 0;
+  result->len = 0;
+
+  /* This algorithm always adds to the block (to indicate the number
+   * of pad bytes).  So allocate a block large enough.
+   */
+  padLength = blockSize - (data->len % blockSize);
+  result->len = data->len + padLength;
+  result->data = (unsigned char *)PORT_Alloc(result->len);
+
+  /* Copy the data */
+  PORT_Memcpy(result->data, data->data, data->len);
+
+  /* Add the pad values */
+  for(i = data->len; i < result->len; i++)
+    result->data[i] = (unsigned char)padLength;
+
+  return rv;
+}
+
+static SECStatus
+unpadBlock(SECItem *data, int blockSize, SECItem *result)
+{
+  SECStatus rv = SECSuccess;
+  int padLength;
+  int i;
+
+  result->data = 0;
+  result->len = 0;
+
+  /* Remove the padding from the end if the input data */
+  if (data->len == 0 || data->len % blockSize  != 0) { rv = SECFailure; goto loser; }
+
+  padLength = data->data[data->len-1];
+  if (padLength > blockSize) { rv = SECFailure; goto loser; }
+
+  /* verify padding */
+  for (i=data->len - padLength; i < data->len; i++) {
+    if (data->data[i] != padLength) {
+	rv = SECFailure;
+	goto loser;
+    }
+  }
+
+  result->len = data->len - padLength;
+  result->data = (unsigned char *)PORT_Alloc(result->len);
+  if (!result->data) { rv = SECFailure; goto loser; }
+
+  PORT_Memcpy(result->data, data->data, result->len);
+
+  if (padLength < 2) {
+    return SECWouldBlock;
+  }
+
+loser:
+  return rv;
+}
+
+static PRLock *pk11sdrLock = NULL;
+
+void
+pk11sdr_Init (void)
+{
+   pk11sdrLock = PR_NewLock();
+}
+
+void
+pk11sdr_Shutdown(void)
+{
+    if (pk11sdrLock) {
+	PR_DestroyLock(pk11sdrLock);
+	pk11sdrLock = NULL;
+    }
+}
+
+/*
+ * PK11SDR_Encrypt
+ *  Encrypt a block of data using the symmetric key identified.  The result
+ *  is an ASN.1 (DER) encoded block of keyid, params and data.
+ */
+SECStatus
+PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx)
+{
+  SECStatus rv = SECSuccess;
+  PK11SlotInfo *slot = 0;
+  PK11SymKey *key = 0;
+  SECItem *params = 0;
+  PK11Context *ctx = 0;
+  CK_MECHANISM_TYPE type;
+  SDRResult sdrResult;
+  SECItem paddedData;
+  SECItem *pKeyID;
+  PLArenaPool *arena = 0;
+
+  /* Initialize */
+  paddedData.len = 0;
+  paddedData.data = 0;
+
+  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+  if (!arena) { rv = SECFailure; goto loser; }
+
+  /* 1. Locate the requested keyid, or the default key (which has a keyid)
+   * 2. Create an encryption context
+   * 3. Encrypt
+   * 4. Encode the results (using ASN.1)
+   */
+
+  slot = PK11_GetInternalKeySlot();
+  if (!slot) { rv = SECFailure; goto loser; }
+
+  /* Use triple-DES */
+  type = CKM_DES3_CBC;
+
+  /*
+   * Login to the internal token before we look for the key, otherwise we
+   * won't find it.
+   */
+  rv = PK11_Authenticate(slot, PR_TRUE, cx);
+  if (rv != SECSuccess) goto loser;
+
+  /* Find the key to use */
+  pKeyID = keyid;
+  if (pKeyID->len == 0) {
+	  pKeyID = &keyIDItem;  /* Use default value */
+
+	  /* put in a course lock to prevent a race between not finding the 
+	   * key and creating  one.
+	   */
+
+	  if (pk11sdrLock) PR_Lock(pk11sdrLock);
+
+	  /* Try to find the key */
+	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
+	  
+	  /* If the default key doesn't exist yet, try to create it */
+	  if (!key) key = PK11_GenDES3TokenKey(slot, pKeyID, cx);
+	  if (pk11sdrLock) PR_Unlock(pk11sdrLock);
+  } else {
+	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
+  }
+
+  if (!key) { rv = SECFailure; goto loser; }
+
+  params = PK11_GenerateNewParam(type, key);
+  if (!params) { rv = SECFailure; goto loser; }
+
+  ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params);
+  if (!ctx) { rv = SECFailure; goto loser; }
+
+  rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData);
+  if (rv != SECSuccess) goto loser;
+
+  sdrResult.data.len = paddedData.len;
+  sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len);
+
+  rv = PK11_CipherOp(ctx, sdrResult.data.data, (int*)&sdrResult.data.len, sdrResult.data.len,
+                     paddedData.data, paddedData.len);
+  if (rv != SECSuccess) goto loser;
+
+  PK11_Finalize(ctx);
+
+  sdrResult.keyid = *pKeyID;
+
+  rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg);
+  if (rv != SECSuccess) goto loser;
+
+  if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { rv = SECFailure; goto loser; }
+
+loser:
+  SECITEM_ZfreeItem(&paddedData, PR_FALSE);
+  if (arena) PORT_FreeArena(arena, PR_TRUE);
+  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
+  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
+  if (key) PK11_FreeSymKey(key);
+  if (slot) PK11_FreeSlot(slot);
+
+  return rv;
+}
+
+/* decrypt a block */
+static SECStatus
+pk11Decrypt(PK11SlotInfo *slot, PLArenaPool *arena, 
+	    CK_MECHANISM_TYPE type, PK11SymKey *key, 
+	    SECItem *params, SECItem *in, SECItem *result)
+{
+  PK11Context *ctx = 0;
+  SECItem paddedResult;
+  SECStatus rv;
+
+  paddedResult.len = 0;
+  paddedResult.data = 0;
+
+  ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params);
+  if (!ctx) { rv = SECFailure; goto loser; }
+
+  paddedResult.len = in->len;
+  paddedResult.data = PORT_ArenaAlloc(arena, paddedResult.len);
+
+  rv = PK11_CipherOp(ctx, paddedResult.data, 
+			(int*)&paddedResult.len, paddedResult.len,
+			in->data, in->len);
+  if (rv != SECSuccess) goto loser;
+
+  PK11_Finalize(ctx);
+
+  /* Remove the padding */
+  rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result);
+  if (rv) goto loser;
+
+loser:
+  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
+  return rv;
+}
+
+/*
+ * PK11SDR_Decrypt
+ *  Decrypt a block of data produced by PK11SDR_Encrypt.  The key used is identified
+ *  by the keyid field within the input.
+ */
+SECStatus
+PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx)
+{
+  SECStatus rv = SECSuccess;
+  PK11SlotInfo *slot = 0;
+  PK11SymKey *key = 0;
+  CK_MECHANISM_TYPE type;
+  SDRResult sdrResult;
+  SECItem *params = 0;
+  SECItem possibleResult = { 0, NULL, 0 };
+  PLArenaPool *arena = 0;
+
+  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+  if (!arena) { rv = SECFailure; goto loser; }
+
+  /* Decode the incoming data */
+  memset(&sdrResult, 0, sizeof sdrResult);
+  rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data);
+  if (rv != SECSuccess) goto loser;  /* Invalid format */
+
+  /* Find the slot and key for the given keyid */
+  slot = PK11_GetInternalKeySlot();
+  if (!slot) { rv = SECFailure; goto loser; }
+
+  rv = PK11_Authenticate(slot, PR_TRUE, cx);
+  if (rv != SECSuccess) goto loser;
+
+  /* Get the parameter values from the data */
+  params = PK11_ParamFromAlgid(&sdrResult.alg);
+  if (!params) { rv = SECFailure; goto loser; }
+
+  /* Use triple-DES (Should look up the algorithm) */
+  type = CKM_DES3_CBC;
+  key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx);
+  if (!key) { 
+	rv = SECFailure;  
+  } else {
+	rv = pk11Decrypt(slot, arena, type, key, params, 
+			&sdrResult.data, result);
+  }
+
+  /*
+   * if the pad value was too small (1 or 2), then it's statistically
+   * 'likely' that (1 in 256) that we may not have the correct key.
+   * Check the other keys for a better match. If we find none, use
+   * this result.
+   */
+  if (rv == SECWouldBlock) {
+	possibleResult = *result;
+  }
+
+  /*
+   * handle the case where your key indicies may have been broken
+   */
+  if (rv != SECSuccess) {
+	PK11SymKey *keyList = PK11_ListFixedKeysInSlot(slot, NULL, cx);
+	PK11SymKey *testKey = NULL;
+	PK11SymKey *nextKey = NULL;
+
+	for (testKey = keyList; testKey; 
+				testKey = PK11_GetNextSymKey(testKey)) {
+	    rv = pk11Decrypt(slot, arena, type, testKey, params, 
+			     &sdrResult.data, result);
+	    if (rv == SECSuccess) {
+		break;
+	    } 
+	    /* found a close match. If it's our first remember it */
+	    if (rv == SECWouldBlock) {
+		if (possibleResult.data) {
+		    /* this is unlikely but possible. If we hit this condition,
+		     * we have no way of knowing which possibility to prefer.
+		     * in this case we just match the key the application
+		     * thought was the right one */
+		    SECITEM_ZfreeItem(result, PR_FALSE);
+		} else {
+		    possibleResult = *result;
+		}
+	    }
+	}
+
+	/* free the list */
+	for (testKey = keyList; testKey; testKey = nextKey) {
+	    nextKey = PK11_GetNextSymKey(testKey);
+	    PK11_FreeSymKey(testKey);
+	}
+  }
+
+  /* we didn't find a better key, use the one with a small pad value */
+  if ((rv != SECSuccess) && (possibleResult.data)) {
+	*result = possibleResult;
+	possibleResult.data = NULL;
+	rv = SECSuccess;
+  }
+
+loser:
+  if (arena) PORT_FreeArena(arena, PR_TRUE);
+  if (key) PK11_FreeSymKey(key);
+  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
+  if (slot) PK11_FreeSlot(slot);
+  if (possibleResult.data) SECITEM_ZfreeItem(&possibleResult, PR_FALSE);
+
+  return rv;
+}
diff --git a/security/nss/lib/pk11wrap/pk11sdr.h b/security/nss/lib/pk11wrap/pk11sdr.h
new file mode 100644
index 000000000..488bd7d99
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11sdr.h
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PK11SDR_H_
+#define _PK11SDR_H_
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
+ *
+ */
+SECStatus
+PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
+
+/*
+ * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
+ */
+SECStatus
+PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
new file mode 100644
index 000000000..4b7042e7b
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -0,0 +1,2220 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secerr.h"
+
+/* forward static declarations. */
+static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
+	CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, 
+	unsigned int numAttrs, PRBool isPerm);
+
+static void
+pk11_EnterKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+	PK11_EnterSlotMonitor(symKey->slot);
+}
+
+static void
+pk11_ExitKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+    	PK11_ExitSlotMonitor(symKey->slot);
+}
+
+/*
+ * pk11_getKeyFromList returns a symKey that has a session (if needSession
+ * was specified), or explicitly does not have a session (if needSession
+ * was not specified).
+ */
+static PK11SymKey *
+pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession) {
+    PK11SymKey *symKey = NULL;
+
+    PZ_Lock(slot->freeListLock);
+    /* own session list are symkeys with sessions that the symkey owns.
+     * 'most' symkeys will own their own session. */
+    if (needSession) {
+	if (slot->freeSymKeysWithSessionHead) {
+    	    symKey = slot->freeSymKeysWithSessionHead;
+	    slot->freeSymKeysWithSessionHead = symKey->next;
+	    slot->keyCount--;
+	}
+    }
+    /* if we don't need a symkey with its own session, or we couldn't find
+     * one on the owner list, get one from the non-owner free list. */
+    if (!symKey) {
+	if (slot->freeSymKeysHead) {
+    	    symKey = slot->freeSymKeysHead;
+	    slot->freeSymKeysHead = symKey->next;
+	    slot->keyCount--;
+	}
+    }
+    PZ_Unlock(slot->freeListLock);
+    if (symKey) {
+	symKey->next = NULL;
+	if (!needSession) {
+	    return symKey;
+	}
+	/* if we are getting an owner key, make sure we have a valid session.
+         * session could be invalid if the token has been removed or because
+         * we got it from the non-owner free list */
+	if ((symKey->series != slot->series) || 
+			 (symKey->session == CK_INVALID_SESSION)) {
+	    symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner);
+	}
+	PORT_Assert(symKey->session != CK_INVALID_SESSION);
+	if (symKey->session != CK_INVALID_SESSION)
+	    return symKey;
+	PK11_FreeSymKey(symKey);
+	/* if we are here, we need a session, but couldn't get one, it's 
+	 * unlikely we pk11_GetNewSession will succeed if we call it a second
+	 * time. */
+	return NULL;
+    }
+
+    symKey = PORT_New(PK11SymKey);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->next = NULL;
+    if (needSession) {
+	symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
+	PORT_Assert(symKey->session != CK_INVALID_SESSION);
+        if (symKey->session == CK_INVALID_SESSION) {
+	    PK11_FreeSymKey(symKey);
+	    symKey = NULL;
+	}
+    } else {
+	symKey->session = CK_INVALID_SESSION;
+    }
+    return symKey;
+}
+
+/* Caller MUST hold slot->freeListLock (or ref count == 0?) !! */
+void
+PK11_CleanKeyList(PK11SlotInfo *slot)
+{
+    PK11SymKey *symKey = NULL;
+
+    while (slot->freeSymKeysWithSessionHead) {
+    	symKey = slot->freeSymKeysWithSessionHead;
+	slot->freeSymKeysWithSessionHead = symKey->next;
+	pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
+	PORT_Free(symKey);
+    }
+    while (slot->freeSymKeysHead) {
+    	symKey = slot->freeSymKeysHead;
+	slot->freeSymKeysHead = symKey->next;
+	pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
+	PORT_Free(symKey);
+    }
+    return;
+}
+
+/*
+ * create a symetric key:
+ *      Slot is the slot to create the key in.
+ *      type is the mechanism type 
+ *      owner is does this symKey structure own it's object handle (rare
+ *        that this is false).
+ *      needSession means the returned symKey will return with a valid session
+ *        allocated already.
+ */
+static PK11SymKey *
+pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
+		  PRBool owner, PRBool needSession, void *wincx)
+{
+
+    PK11SymKey *symKey = pk11_getKeyFromList(slot, needSession);
+
+    if (symKey == NULL) {
+	return NULL;
+    }
+    /* if needSession was specified, make sure we have a valid session.
+     * callers which specify needSession as false should do their own
+     * check of the session before returning the symKey */
+    if (needSession && symKey->session == CK_INVALID_SESSION) {
+    	PK11_FreeSymKey(symKey);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+
+    symKey->type = type;
+    symKey->data.type = siBuffer;
+    symKey->data.data = NULL;
+    symKey->data.len = 0;
+    symKey->owner = owner;
+    symKey->objectID = CK_INVALID_HANDLE;
+    symKey->slot = slot;
+    symKey->series = slot->series;
+    symKey->cx = wincx;
+    symKey->size = 0;
+    symKey->refCount = 1;
+    symKey->origin = PK11_OriginNULL;
+    symKey->parent = NULL;
+    symKey->freeFunc = NULL;
+    symKey->userData = NULL;
+    PK11_ReferenceSlot(slot);
+    return symKey;
+}
+
+/*
+ * destroy a symetric key
+ */
+void
+PK11_FreeSymKey(PK11SymKey *symKey)
+{
+    PK11SlotInfo *slot;
+    PRBool freeit = PR_TRUE;
+
+    if (PR_AtomicDecrement(&symKey->refCount) == 0) {
+	PK11SymKey *parent = symKey->parent;
+
+	symKey->parent = NULL;
+	if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) {
+	    pk11_EnterKeyMonitor(symKey);
+	    (void) PK11_GETTAB(symKey->slot)->
+		C_DestroyObject(symKey->session, symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	}
+	if (symKey->data.data) {
+	    PORT_Memset(symKey->data.data, 0, symKey->data.len);
+	    PORT_Free(symKey->data.data);
+	}
+	/* free any existing data */
+	if (symKey->userData && symKey->freeFunc) {
+	    (*symKey->freeFunc)(symKey->userData);
+	}
+        slot = symKey->slot;
+        PZ_Lock(slot->freeListLock);
+	if (slot->keyCount < slot->maxKeyCount) {
+	    /* 
+             * freeSymkeysWithSessionHead contain a list of reusable
+	     *  SymKey structures with valid sessions.
+	     *    sessionOwner must be true.
+             *    session must be valid.
+             * freeSymKeysHead contain a list of SymKey structures without
+             *  valid session.
+             *    session must be CK_INVALID_SESSION.
+	     *    though sessionOwner is false, callers should not depend on
+	     *    this fact.
+	     */
+	    if (symKey->sessionOwner) {
+		PORT_Assert (symKey->session != CK_INVALID_SESSION);
+		symKey->next = slot->freeSymKeysWithSessionHead;
+		slot->freeSymKeysWithSessionHead = symKey;
+	    } else {
+		symKey->session = CK_INVALID_SESSION;
+		symKey->next = slot->freeSymKeysHead;
+		slot->freeSymKeysHead = symKey;
+	    }
+	    slot->keyCount++;
+	    symKey->slot = NULL;
+	    freeit = PR_FALSE;
+        }
+	PZ_Unlock(slot->freeListLock);
+        if (freeit) {
+	    pk11_CloseSession(symKey->slot, symKey->session,
+							symKey->sessionOwner);
+	    PORT_Free(symKey);
+	}
+	PK11_FreeSlot(slot);
+
+	if (parent) {
+	    PK11_FreeSymKey(parent);
+	}
+    }
+}
+
+PK11SymKey *
+PK11_ReferenceSymKey(PK11SymKey *symKey)
+{
+    PR_AtomicIncrement(&symKey->refCount);
+    return symKey;
+}
+
+/*
+ * Accessors
+ */
+CK_MECHANISM_TYPE
+PK11_GetMechanism(PK11SymKey *symKey)
+{
+    return symKey->type;
+}
+
+/*
+ * return the slot associated with a symetric key
+ */
+PK11SlotInfo *
+PK11_GetSlotFromKey(PK11SymKey *symKey)
+{
+    return PK11_ReferenceSlot(symKey->slot);
+}
+
+CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *symKey)
+{
+    return PK11_GetKeyType(symKey->type,symKey->size);
+}
+
+PK11SymKey *
+PK11_GetNextSymKey(PK11SymKey *symKey)
+{
+    return symKey ? symKey->next : NULL;
+}
+
+char *
+PK11_GetSymKeyNickname(PK11SymKey *symKey)
+{
+    return PK11_GetObjectNickname(symKey->slot,symKey->objectID);
+}
+
+SECStatus
+PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(symKey->slot,symKey->objectID,nickname);
+}
+
+void *
+PK11_GetSymKeyUserData(PK11SymKey *symKey)
+{
+    return symKey->userData;
+}
+
+void
+PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, 
+                                              PK11FreeDataFunc freeFunc)
+{
+    /* free any existing data */
+    if (symKey->userData && symKey->freeFunc) {
+	(*symKey->freeFunc)(symKey->userData);
+    }
+    symKey->userData = userData;
+    symKey->freeFunc = freeFunc;
+    return;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
+    CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
+{
+    PK11SymKey *symKey;
+    PRBool needSession = !(owner && parent);
+
+    if (keyID == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    symKey = pk11_CreateSymKey(slot, type, owner, needSession, wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->objectID = keyID;
+    symKey->origin = origin;
+
+    /* adopt the parent's session */
+    /* This is only used by SSL. What we really want here is a session
+     * structure with a ref count so  the session goes away only after all the
+     * keys do. */
+    if (!needSession) {
+	symKey->sessionOwner = PR_FALSE;
+	symKey->session = parent->session;
+	symKey->parent = PK11_ReferenceSymKey(parent);
+        /* This is the only case where pk11_CreateSymKey does not explicitly
+	 * check symKey->session. We need to assert here to make sure.
+	 * the session isn't invalid. */
+	PORT_Assert(parent->session != CK_INVALID_SESSION);
+	if (parent->session == CK_INVALID_SESSION) {
+	    PK11_FreeSymKey(symKey);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
+						    int series, void *wincx)
+{
+    PK11SymKey *symKey = NULL;
+
+    if (slot->series != series) return NULL;
+    if (slot->refKeys[wrap] == CK_INVALID_HANDLE) return NULL;
+    if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism;
+
+    symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
+		 slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx);
+    return symKey;
+}
+
+/*
+ * This function is not thread-safe because it sets wrapKey->sessionOwner
+ * without using a lock or atomic routine.  It can only be called when
+ * only one thread has a reference to wrapKey.
+ */
+void
+PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
+{
+    /* save the handle and mechanism for the wrapping key */
+    /* mark the key and session as not owned by us to they don't get freed
+     * when the key goes way... that lets us reuse the key later */
+    slot->refKeys[wrap] = wrapKey->objectID;
+    wrapKey->owner = PR_FALSE;
+    wrapKey->sessionOwner = PR_FALSE;
+    slot->wrapMechanism = wrapKey->type;
+}
+
+
+/*
+ * figure out if a key is still valid or if it is stale.
+ */
+PRBool
+PK11_VerifyKeyOK(PK11SymKey *key) {
+    if (!PK11_IsPresent(key->slot)) {
+	return PR_FALSE;
+    }
+    return (PRBool)(key->series == key->slot->series);
+}
+
+static PK11SymKey *
+pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+                  PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate,
+		  unsigned int templateCount, SECItem *key, void *wincx)
+{
+    PK11SymKey *    symKey;
+    SECStatus	    rv;
+
+    symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = key->len;
+
+    PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len);
+    templateCount++;
+
+    if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    symKey->origin = origin;
+
+    /* import the keys */
+    rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
+		 	templateCount, isToken, &symKey->objectID);
+    if ( rv != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key bits into an appropriate key object
+ */
+PK11SymKey *
+PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx)
+{
+    PK11SymKey *    symKey;
+    unsigned int    templateCount = 0;
+    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
+    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
+    CK_ATTRIBUTE    keyTemplate[5];
+    CK_ATTRIBUTE *  attrs 	= keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(type,key->len);
+    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE, 
+				keyTemplate, templateCount, key, wincx);
+    return symKey;
+}
+
+
+/*
+ * turn key bits into an appropriate key object
+ */
+PK11SymKey *
+PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
+     CK_FLAGS flags, PRBool isPerm, void *wincx)
+{
+    PK11SymKey *    symKey;
+    unsigned int    templateCount = 0;
+    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
+    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs 	= keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    if (isPerm) {
+	PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue) ); attrs++;
+	/* sigh some tokens think CKA_PRIVATE = false is a reasonable 
+	 * default for secret keys */
+	PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue) ); attrs++;
+    }
+    attrs += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
+    if ((operation != CKA_FLAGS_ONLY) &&
+    	 !pk11_FindAttrInTemplate(keyTemplate, attrs-keyTemplate, operation)) {
+        PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue)); attrs++;
+    }
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(type,key->len);
+    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, isPerm,
+				 keyTemplate, templateCount, key, wincx);
+    if (symKey && isPerm) {
+	symKey->owner = PR_FALSE;
+    }
+    return symKey;
+}
+
+
+PK11SymKey *
+PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
+								void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
+    int tsize = 0;
+    CK_OBJECT_HANDLE key_id;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (keyID) {
+        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+    if (key_id == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
+		 				PR_FALSE, wincx);
+}
+
+PK11SymKey *
+PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    PK11SymKey *nextKey = NULL;
+    PK11SymKey *topKey = NULL;
+    int i,len;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname);
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+
+    for (i=0; i < objCount ; i++) {
+	SECItem typeData;
+	CK_KEY_TYPE type = CKK_GENERIC_SECRET;
+        SECStatus rv = PK11_ReadAttribute(slot, key_ids[i], 
+						CKA_KEY_TYPE, NULL, &typeData);
+	if (rv == SECSuccess) {
+	    if (typeData.len == sizeof(CK_KEY_TYPE)) {
+	    	type = *(CK_KEY_TYPE *)typeData.data;
+	    }
+	    PORT_Free(typeData.data);
+	}
+	nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, 
+		PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx);
+	if (nextKey) {
+	    nextKey->next = topKey;
+	    topKey = nextKey;
+	}
+   }
+   PORT_Free(key_ids);
+   return topKey;
+}
+
+void *
+PK11_GetWindow(PK11SymKey *key)
+{
+   return key->cx;
+}
+    
+
+/*
+ * extract a symetric key value. NOTE: if the key is sensitive, we will
+ * not be able to do this operation. This function is used to move
+ * keys from one token to another */
+SECStatus
+PK11_ExtractKeyValue(PK11SymKey *symKey)
+{
+    SECStatus rv;
+
+    if (symKey->data.data != NULL) {
+	if (symKey->size == 0) {
+	   symKey->size = symKey->data.len;
+	}
+	return SECSuccess;
+    }
+
+    if (symKey->slot == NULL) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    rv = PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL,
+				&symKey->data);
+    if (rv == SECSuccess) {
+	symKey->size = symKey->data.len;
+    }
+    return rv;
+}
+
+SECStatus
+PK11_DeleteTokenSymKey(PK11SymKey *symKey)
+{
+    if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) {
+	return SECFailure;
+    }
+    PK11_DestroyTokenObject(symKey->slot,symKey->objectID);
+    symKey->objectID = CK_INVALID_HANDLE;
+    return SECSuccess;
+}
+
+SECItem *
+PK11_GetKeyData(PK11SymKey *symKey)
+{
+    return &symKey->data;
+}
+
+/* This symbol is exported for backward compatibility. */
+SECItem *
+__PK11_GetKeyData(PK11SymKey *symKey)
+{
+    return PK11_GetKeyData(symKey);
+}
+
+/* return the keylength if possible.  '0' if not */
+unsigned int
+PK11_GetKeyLength(PK11SymKey *key)
+{
+    CK_KEY_TYPE keyType;
+
+    if (key->size != 0) return key->size;
+
+    /* First try to figure out the key length from its type */
+    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
+    switch (keyType) {
+      case CKK_DES: key->size = 8; break;
+      case CKK_DES2: key->size = 16; break;
+      case CKK_DES3: key->size = 24; break;
+      case CKK_SKIPJACK: key->size = 10; break;
+      case CKK_BATON: key->size = 20; break;
+      case CKK_JUNIPER: key->size = 20; break;
+      case CKK_GENERIC_SECRET:
+	if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
+	    key->size=48;
+	}
+	break;
+      default: break;
+    }
+   if( key->size != 0 ) return key->size;
+
+   if (key->data.data == NULL) {
+	PK11_ExtractKeyValue(key);
+   }
+   /* key is probably secret. Look up its length */
+   /*  this is new PKCS #11 version 2.0 functionality. */
+   if (key->size == 0) {
+	CK_ULONG keyLength;
+
+	keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
+	if (keyLength != CK_UNAVAILABLE_INFORMATION) {
+	    key->size = (unsigned int)keyLength;
+	}
+    }
+
+   return key->size;
+}
+
+/* return the strength of a key. This is different from length in that
+ * 1) it returns the size in bits, and 2) it returns only the secret portions
+ * of the key minus any checksums or parity.
+ */
+unsigned int
+PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) 
+{
+     int size=0;
+     CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */
+     SECItem *param = NULL; /* RC2 only */
+     CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */
+     unsigned int effectiveBits = 0; /* RC2 ONLY */
+
+     switch (PK11_GetKeyType(key->type,0)) {
+     case CKK_CDMF:
+	return 40;
+     case CKK_DES:
+	return 56;
+     case CKK_DES3:
+     case CKK_DES2:
+	size = PK11_GetKeyLength(key);
+	if (size == 16) {
+	   /* double des */
+	   return 112; /* 16*7 */
+	}
+	return 168;
+    /*
+     * RC2 has is different than other ciphers in that it allows the user
+     * to deprecating keysize while still requiring all the bits for the 
+     * original key. The info
+     * on what the effective key strength is in the parameter for the key.
+     * In S/MIME this parameter is stored in the DER encoded algid. In Our 
+     * other uses of RC2, effectiveBits == keyBits, so this code functions
+     * correctly without an algid.
+     */
+    case CKK_RC2:
+	/* if no algid was provided, fall through to default */
+        if (!algid) {
+	    break; 
+	}
+	/* verify that the algid is for RC2 */
+	mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
+	if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
+	    break;
+	}
+
+	/* now get effective bits from the algorithm ID. */
+	param = PK11_ParamFromAlgid(algid);
+	/* if we couldn't get memory just use key length */
+	if (param == NULL) {
+	    break;
+	}
+
+	rc2_params = (CK_RC2_CBC_PARAMS *) param->data;
+	/* paranoia... shouldn't happen */
+	PORT_Assert(param->data != NULL);
+	if (param->data == NULL) {
+	    SECITEM_FreeItem(param,PR_TRUE);
+	    break;
+	}
+	effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
+	SECITEM_FreeItem(param,PR_TRUE);
+	param = NULL; rc2_params=NULL; /* paranoia */
+
+	/* we have effective bits, is and allocated memory is free, now
+	 * we need to return the smaller of effective bits and keysize */
+	size = PK11_GetKeyLength(key);
+	if ((unsigned int)size*8 > effectiveBits) {
+	    return effectiveBits;
+	}
+
+	return size*8; /* the actual key is smaller, the strength can't be
+			* greater than the actual key size */
+	
+    default:
+	break;
+    }
+    return PK11_GetKeyLength(key) * 8;
+}
+
+/*
+ * The next three utilities are to deal with the fact that a given operation
+ * may be a multi-slot affair. This creates a new key object that is copied
+ * into the new slot.
+ */
+PK11SymKey *
+pk11_CopyToSlotPerm(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+	 	CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, 
+		PRBool isPerm, PK11SymKey *symKey)
+{
+    SECStatus rv;
+    PK11SymKey *newKey = NULL;
+
+    /* Extract the raw key data if possible */
+    if (symKey->data.data == NULL) {
+	rv = PK11_ExtractKeyValue(symKey);
+	/* KEY is sensitive, we're try key exchanging it. */
+	if (rv != SECSuccess) {
+	    return pk11_KeyExchange(slot, type, operation, 
+						flags, isPerm, symKey);
+	}
+    }
+
+    newKey = PK11_ImportSymKeyWithFlags(slot,  type, symKey->origin,
+	operation, &symKey->data, flags, isPerm, symKey->cx);
+    if (newKey == NULL) {
+	newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey);
+    }
+    return newKey;
+}
+
+PK11SymKey *
+pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
+{
+   return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey);
+}
+
+/*
+ * Make sure the slot we are in the correct slot for the operation
+ */
+PK11SymKey *
+pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type,
+						CK_ATTRIBUTE_TYPE operation)
+{
+    PK11SlotInfo *slot = symKey->slot;
+    PK11SymKey *newKey = NULL;
+
+    if ((slot== NULL) || !PK11_DoesMechanism(slot,type)) {
+	slot = PK11_GetBestSlot(type,symKey->cx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+	newKey = pk11_CopyToSlot(slot, type, operation, symKey);
+	PK11_FreeSlot(slot);
+    }
+    return newKey;
+}
+
+PK11SymKey *
+PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, 
+			CK_FLAGS flags, PRBool  perm, PK11SymKey *symKey)
+{
+    if (symKey->slot == slot) {
+	if (perm) {
+	   return PK11_ConvertSessionSymKeyToTokenSymKey(symKey,symKey->cx);
+	} else {
+	   return PK11_ReferenceSymKey(symKey);
+	}
+    }
+    
+    return pk11_CopyToSlotPerm(slot, symKey->type, 
+					operation, flags, perm, symKey);
+}
+
+/*
+ * Use the token to generate a key. 
+ * 
+ * keySize must be 'zero' for fixed key length algorithms. A nonzero 
+ *  keySize causes the CKA_VALUE_LEN attribute to be added to the template 
+ *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN 
+ *  attribute for keys with fixed length. The exception is DES2. If you
+ *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
+ *  paramter and use the key size to determine which underlying DES keygen
+ *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
+ *
+ * keyType must be -1 for most algorithms. Some PBE algorthims cannot 
+ *  determine the correct key type from the mechanism or the paramters,
+ *  so key type must be specified. Other PKCS #11 mechanisms may do so in
+ *  the future. Currently there is no need to export this publically.
+ *  Keep it private until there is a need in case we need to expand the
+ *  keygen parameters again...
+ *
+ * CK_FLAGS flags: key operation flags
+ * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
+ */
+PK11SymKey *
+pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+    SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid, 
+    CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx)
+{
+    PK11SymKey *symKey;
+    CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *attrs = genTemplate;
+    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
+    CK_SESSION_HANDLE session;
+    CK_MECHANISM mechanism;
+    CK_RV crv;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_ULONG ck_key_size;       /* only used for variable-length keys */
+    PRBool isToken = ((attrFlags & PK11_ATTR_TOKEN) != 0);
+
+    if (pk11_BadAttrFlags(attrFlags)) {
+	PORT_SetError( SEC_ERROR_INVALID_ARGS );
+	return NULL;
+    }
+
+    if ((keySize != 0) && (type != CKM_DES3_CBC) && 
+		(type !=CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) {
+        ck_key_size = keySize; /* Convert to PK11 type */
+
+        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); 
+							attrs++;
+    }
+
+    if (keyType != -1) {
+        PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE)); 
+							attrs++;
+    }
+
+    /* Include key id value if provided */
+    if (keyid) {
+        PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
+    }
+
+    attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
+    attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);
+
+    count = attrs - genTemplate;
+    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
+
+    /* Initialize the Key Gen Mechanism */
+    mechanism.mechanism = PK11_GetKeyGenWithSize(type, keySize);
+    if (mechanism.mechanism == CKM_FAKE_RANDOM) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* find a slot to generate the key into */
+    /* Only do slot management if this is not a token key */
+    if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) {
+        PK11SlotInfo *bestSlot;
+
+        bestSlot = PK11_GetBestSlot(type,wincx);
+        if (bestSlot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+        symKey = pk11_CreateSymKey(bestSlot, type, !isToken, PR_TRUE, wincx);
+
+        PK11_FreeSlot(bestSlot);
+    } else {
+	symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
+    }
+    if (symKey == NULL) return NULL;
+
+    symKey->size = keySize;
+    symKey->origin = PK11_OriginGenerated;
+
+    /* Set the parameters for the key gen if provided */
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    }
+
+    /* Get session and perform locking */
+    if (isToken) {
+	PK11_Authenticate(symKey->slot,PR_TRUE,wincx);
+	/* Should always be original slot */
+        session = PK11_GetRWSession(symKey->slot);  
+	symKey->owner = PR_FALSE;
+    } else {
+        session = symKey->session;
+	if (session != CK_INVALID_SESSION) 
+	    pk11_EnterKeyMonitor(symKey);
+    }
+    if (session == CK_INVALID_SESSION) {
+	PK11_FreeSymKey(symKey);
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return NULL;
+    }
+
+    crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
+			 &mechanism, genTemplate, count, &symKey->objectID);
+
+    /* Release lock and session */
+    if (isToken) {
+        PK11_RestoreROSession(symKey->slot, session);
+    } else {
+        pk11_ExitKeyMonitor(symKey);
+    }
+
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return symKey;
+}
+
+/*
+ * Use the token to generate a key.  - Public
+ * 
+ * keySize must be 'zero' for fixed key length algorithms. A nonzero 
+ *  keySize causes the CKA_VALUE_LEN attribute to be added to the template 
+ *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN 
+ *  attribute for keys with fixed length. The exception is DES2. If you
+ *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
+ *  paramter and use the key size to determine which underlying DES keygen
+ *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
+ *
+ * CK_FLAGS flags: key operation flags
+ * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
+ */
+PK11SymKey *
+PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+    SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags,
+    PK11AttrFlags attrFlags, void *wincx)
+{
+    return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize, 
+	keyid, opFlags, attrFlags, wincx);
+}
+
+/*
+ * Use the token to generate a key. keySize must be 'zero' for fixed key
+ * length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
+ * to be added to the template for the key. PKCS #11 modules fail if you
+ * specify the CKA_VALUE_LEN attribute for keys with fixed length.
+ * NOTE: this means to generate a DES2 key from this interface you must
+ * specify CKM_DES2_KEY_GEN as the mechanism directly; specifying
+ * CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work.
+ */
+PK11SymKey *
+PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+    int keySize, SECItem *keyid, PRBool isToken, void *wincx)
+{
+    PK11SymKey *symKey;
+    PRBool weird = PR_FALSE;   /* hack for fortezza */
+    CK_FLAGS opFlags = CKF_SIGN;
+    PK11AttrFlags attrFlags = 0;
+
+    if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
+	weird = PR_TRUE;
+	keySize = 0;
+    }
+
+    opFlags |= weird ? CKF_DECRYPT : CKF_ENCRYPT;
+
+    if (isToken) {
+	attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
+    }
+
+    symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, 
+			-1, keySize, keyid, opFlags, attrFlags, wincx);
+    if (symKey && weird) {
+	PK11_SetFortezzaHack(symKey);
+    }
+
+    return symKey;
+}
+
+PK11SymKey *
+PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+						int keySize, void *wincx)
+{
+    return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
+}
+
+/* --- */
+PK11SymKey *
+PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx)
+{
+  return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx);
+}
+
+PK11SymKey*
+PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx)
+{
+    PK11SlotInfo* slot = symk->slot;
+    CK_ATTRIBUTE template[1];
+    CK_ATTRIBUTE *attrs = template;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_RV crv;
+    CK_OBJECT_HANDLE newKeyID;
+    CK_SESSION_HANDLE rwsession;
+
+    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
+
+    PK11_Authenticate(slot, PR_TRUE, wincx);
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return NULL;
+    }
+    crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, symk->objectID,
+        template, 1, &newKeyID);
+    PK11_RestoreROSession(slot, rwsession);
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return NULL;
+    }
+
+    return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin,
+        symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
+}
+
+/*
+ * This function does a straight public key wrap (which only RSA can do).
+ * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
+ * Diffie-Hellman Ciphers. */
+SECStatus
+PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+				PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len =  wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    CK_OBJECT_HANDLE id;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT);
+    if (newKey != NULL) {
+	symKey = newKey;
+    }
+
+    if ((symKey == NULL) || (symKey->slot == NULL)) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    slot = symKey->slot;
+    mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
+    if (id == CK_INVALID_HANDLE) {
+	if (newKey) {
+	    PK11_FreeSymKey(newKey);
+	}
+	return SECFailure;   /* Error code has been set. */
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism,
+		id,symKey->objectID,wrappedKey->data,&len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (newKey) {
+	PK11_FreeSymKey(newKey);
+    }
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    wrappedKey->len = len;
+    return SECSuccess;
+} 
+
+/*
+ * this little function uses the Encrypt function to wrap a key, just in
+ * case we have problems with the wrap implementation for a token.
+ */
+static SECStatus
+pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
+			 SECItem *inKey, SECItem *outKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len;
+    SECItem *data;
+    CK_MECHANISM mech;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    slot = wrappingKey->slot;
+    /* use NULL IV's for wrapping */
+    mech.mechanism = type;
+    if (param) {
+	mech.pParameter = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+	mech.pParameter = NULL;
+	mech.ulParameterLen = 0;
+    }
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,
+							wrappingKey->objectID);
+    if (crv != CKR_OK) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param));
+    if (data == NULL) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    len = outKey->len;
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
+							   outKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    SECITEM_FreeItem(data,PR_TRUE);
+    outKey->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * This function does a symetric based wrap.
+ */
+SECStatus
+PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, 
+	PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len = wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    SECItem *param_save = NULL;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    /* Force symKey and wrappingKey into the same slot */
+    if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) {
+	/* first try copying the wrapping Key to the symKey slot */
+	if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) {
+	    newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey);
+	}
+	/* Nope, try it the other way */
+	if (newKey == NULL) {
+	    if (wrappingKey->slot) {
+	        newKey = pk11_CopyToSlot(wrappingKey->slot,
+					symKey->type, CKA_ENCRYPT, symKey);
+	    }
+	    /* just not playing... one last thing, can we get symKey's data?
+	     * If it's possible, we it should already be in the 
+	     * symKey->data.data pointer because pk11_CopyToSlot would have
+	     * tried to put it there. */
+	    if (newKey == NULL) {
+		/* Can't get symKey's data: Game Over */
+		if (symKey->data.data == NULL) {
+		    PORT_SetError( SEC_ERROR_NO_MODULE );
+		    return SECFailure;
+		}
+		if (param == NULL) {
+		    param_save = param = PK11_ParamFromIV(type,NULL);
+		}
+		rv = pk11_HandWrap(wrappingKey, param, type,
+						&symKey->data,wrappedKey);
+		if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+		return rv;
+	    }
+	    /* we successfully moved the sym Key */
+	    symKey = newKey;
+	} else {
+	    /* we successfully moved the wrapping Key */
+	    wrappingKey = newKey;
+	}
+    }
+
+    /* at this point both keys are in the same token */
+    slot = wrappingKey->slot;
+    mechanism.mechanism = type;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) {
+    	param_save = param = PK11_ParamFromIV(type,NULL);
+    }
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    len = wrappedKey->len;
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
+		 wrappingKey->objectID, symKey->objectID, 
+						wrappedKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    rv = SECSuccess;
+    if (crv != CKR_OK) {
+	/* can't wrap it? try hand wrapping it... */
+	do {
+	    if (symKey->data.data == NULL) {
+		rv = PK11_ExtractKeyValue(symKey);
+		if (rv != SECSuccess) break;
+	    }
+	    rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
+								 wrappedKey);
+	} while (PR_FALSE);
+    } else {
+        wrappedKey->len = len;
+    }
+    if (newKey) PK11_FreeSymKey(newKey);
+    if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+    return rv;
+} 
+
+/*
+ * This Generates a new key based on a symetricKey
+ */
+PK11SymKey *
+PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, 
+             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+	     int keySize)
+{
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, NULL, 0, PR_FALSE);
+}
+
+
+PK11SymKey *
+PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+		  keySize, keyTemplate, templateCount, PR_FALSE);
+}
+
+PK11SymKey *
+PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_FLAGS flags, PRBool isPerm)
+{
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE    *attrs;
+    unsigned int    templateCount = 0;
+
+    attrs = keyTemplate;
+    if (isPerm) {
+        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
+    }
+    templateCount = attrs - keyTemplate;
+    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, keyTemplate, templateCount, isPerm);
+}
+
+static PK11SymKey *
+pk11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs,
+							 PRBool isPerm)
+{
+    PK11SlotInfo *  slot	= baseKey->slot;
+    PK11SymKey *    symKey;
+    PK11SymKey *    newBaseKey	= NULL;
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism; 
+    CK_RV           crv;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    CK_SESSION_HANDLE session;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+    if ((operation != CKA_FLAGS_ONLY) &&
+	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
+
+    /* move the key to a slot that can do the function */
+    if (!PK11_DoesMechanism(slot,derive)) {
+	/* get a new base key & slot */
+	PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
+
+	if (newSlot == NULL) return NULL;
+
+        newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE, 
+				     baseKey);
+	PK11_FreeSlot(newSlot);
+	if (newBaseKey == NULL) 
+	    return NULL;	
+	baseKey = newBaseKey;
+	slot = baseKey->slot;
+    }
+
+
+    /* get our key Structure */
+    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, baseKey->cx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = keySize;
+
+    mechanism.mechanism = derive;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+    symKey->origin=PK11_OriginDerive;
+
+    if (isPerm) {
+	session =  PK11_GetRWSession(slot);
+    } else {
+        pk11_EnterKeyMonitor(symKey);
+	session = symKey->session;
+    }
+    if (session == CK_INVALID_SESSION) {
+	if (!isPerm)
+	    pk11_ExitKeyMonitor(symKey);
+	crv = CKR_SESSION_HANDLE_INVALID;
+    } else {
+	crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism,
+	     baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
+	if (isPerm) {
+	    PK11_RestoreROSession(slot, session);
+	} else {
+	    pk11_ExitKeyMonitor(symKey);
+	}
+    }
+    if (newBaseKey) 
+    	PK11_FreeSymKey(newBaseKey);
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+    return symKey;
+}
+
+/*
+ * This Generates a wrapping key based on a privateKey, publicKey, and two
+ * random numbers. For Mail usage RandomB should be NULL. In the Sender's
+ * case RandomA is generate, outherwize it is passed.
+ */
+static unsigned char *rb_email = NULL;
+
+PK11SymKey *
+PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+   PRBool isSender, SECItem *randomA, SECItem *randomB, 
+    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+			CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_MECHANISM mechanism;
+    PK11SymKey *symKey;
+    CK_RV crv;
+
+
+    if (rb_email == NULL) {
+	rb_email = PORT_ZAlloc(128);
+	if (rb_email == NULL) {
+	    return NULL;
+	}
+	rb_email[127] = 1;
+    }
+
+    /* get our key Structure */
+    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->origin = PK11_OriginDerive;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+    case nullKey:
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	break;
+    case dsaKey:
+    case keaKey:
+    case fortezzaKey:
+	{
+	    CK_KEA_DERIVE_PARAMS param;
+	    param.isSender = (CK_BBOOL) isSender;
+	    param.ulRandomLen = randomA->len;
+	    param.pRandomA = randomA->data;
+	    param.pRandomB = rb_email;
+	    if (randomB)
+		 param.pRandomB = randomB->data;
+	    if (pubKey->keyType == fortezzaKey) {
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    } else {
+		/* assert type == keaKey */
+		/* XXX change to match key key types */
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    }
+
+	    mechanism.mechanism = derive;
+	    mechanism.pParameter = &param;
+	    mechanism.ulParameterLen = sizeof(param);
+
+	    /* get a new symKey structure */
+	    pk11_EnterKeyMonitor(symKey);
+	    crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+			privKey->pkcs11ID, NULL, 0, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+    case dhKey:
+	{
+	    CK_BBOOL cktrue = CK_TRUE;
+	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+	    CK_ULONG key_size = 0;
+	    CK_ATTRIBUTE keyTemplate[4];
+	    int templateCount;
+	    CK_ATTRIBUTE *attrs = keyTemplate;
+
+	    if (pubKey->keyType != dhKey) {
+		PORT_SetError(SEC_ERROR_BAD_KEY);
+		break;
+	    }
+
+	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
+	    attrs++;
+	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+	    attrs++;
+	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
+	    attrs++;
+	    templateCount =  attrs - keyTemplate;
+	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+	    keyType = PK11_GetKeyType(target,keySize);
+	    key_size = keySize;
+	    symKey->size = keySize;
+	    if (key_size == 0) templateCount--;
+
+	    mechanism.mechanism = derive;
+
+	    /* we can undefine these when we define diffie-helman keys */
+	    mechanism.pParameter = pubKey->u.dh.publicValue.data; 
+	    mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;
+		
+	    pk11_EnterKeyMonitor(symKey);
+	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+	     privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+    case ecKey:
+        {
+	    CK_BBOOL cktrue = CK_TRUE;
+	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+	    CK_ULONG key_size = 0;
+	    CK_ATTRIBUTE keyTemplate[4];
+	    int templateCount;
+	    CK_ATTRIBUTE *attrs = keyTemplate;
+	    CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;
+
+	    if (pubKey->keyType != ecKey) {
+		PORT_SetError(SEC_ERROR_BAD_KEY);
+		break;
+	    }
+
+	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
+	    attrs++;
+	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+	    attrs++;
+	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
+	    attrs++;
+	    templateCount =  attrs - keyTemplate;
+	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+	    keyType = PK11_GetKeyType(target,keySize);
+	    key_size = keySize;
+	    symKey->size = keySize;
+	    if (key_size == 0) templateCount--;
+
+	    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); 
+	    mechParams->kdf = CKD_SHA1_KDF;
+	    mechParams->ulSharedDataLen = 0;
+	    mechParams->pSharedData = NULL;
+	    mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
+	    mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
+
+	    mechanism.mechanism = derive;
+	    mechanism.pParameter = mechParams;
+	    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
+
+	    pk11_EnterKeyMonitor(symKey);
+	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
+		&mechanism, privKey->pkcs11ID, keyTemplate, 
+		templateCount, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+
+	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
+
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+   }
+
+   PK11_FreeSymKey(symKey);
+   return NULL;
+}
+
+static PK11SymKey *
+pk11_PubDeriveECKeyWithKDF(
+		    SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
+		    PRBool isSender, SECItem *randomA, SECItem *randomB,
+		    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+		    CK_ATTRIBUTE_TYPE operation, int keySize,
+		    CK_ULONG kdf, SECItem *sharedData, void *wincx)
+{
+    PK11SlotInfo           *slot            = privKey->pkcs11Slot;
+    PK11SymKey             *symKey;
+    CK_MECHANISM            mechanism;
+    CK_RV                   crv;
+    CK_BBOOL                cktrue          = CK_TRUE;
+    CK_OBJECT_CLASS         keyClass        = CKO_SECRET_KEY;
+    CK_KEY_TYPE             keyType         = CKK_GENERIC_SECRET;
+    CK_ULONG                key_size        = 0;
+    CK_ATTRIBUTE            keyTemplate[4];
+    int                     templateCount;
+    CK_ATTRIBUTE           *attrs           = keyTemplate;
+    CK_ECDH1_DERIVE_PARAMS *mechParams      = NULL;
+
+    if (pubKey->keyType != ecKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	return NULL;
+    }
+    if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+
+    /* get our key Structure */
+    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->origin = PK11_OriginDerive;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));     attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));    attrs++;
+    PK11_SETATTRS(attrs, operation, &cktrue, 1);                      attrs++;
+    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++;
+    templateCount =  attrs - keyTemplate;
+    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(target,keySize);
+    key_size = keySize;
+    symKey->size = keySize;
+    if (key_size == 0) 
+    	templateCount--;
+
+    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);
+    if (!mechParams) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+    mechParams->kdf = kdf;
+    if (sharedData == NULL) {
+	mechParams->ulSharedDataLen = 0;
+	mechParams->pSharedData     = NULL;
+    } else {
+	mechParams->ulSharedDataLen = sharedData->len;
+	mechParams->pSharedData     = sharedData->data;
+    }
+    mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len;
+    mechParams->pPublicData     = pubKey->u.ec.publicValue.data;
+
+    mechanism.mechanism      = derive;
+    mechanism.pParameter     = mechParams;
+    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
+
+    pk11_EnterKeyMonitor(symKey);
+    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, 
+    	privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
+    pk11_ExitKeyMonitor(symKey);
+
+    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
+
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	symKey = NULL;
+	PORT_SetError( PK11_MapError(crv) );
+    }
+    return symKey;
+}
+
+PK11SymKey *
+PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+		      PRBool isSender, SECItem *randomA, SECItem *randomB, 
+		      CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+		      CK_ATTRIBUTE_TYPE operation, int keySize,
+		      CK_ULONG kdf, SECItem *sharedData, void *wincx)
+{
+
+    switch (privKey->keyType) {
+    case rsaKey:
+    case nullKey:
+    case dsaKey:
+    case keaKey:
+    case fortezzaKey:
+    case dhKey:
+	return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB,
+		derive, target, operation, keySize, wincx);
+    case ecKey:
+	return pk11_PubDeriveECKeyWithKDF( privKey, pubKey, isSender, 
+		randomA, randomB, derive, target, operation, keySize, 
+		kdf, sharedData, wincx);
+    default: break;
+    }
+
+    return NULL;
+}
+
+/*
+ * this little function uses the Decrypt function to unwrap a key, just in
+ * case we are having problem with unwrap. NOTE: The key size may
+ * not be preserved properly for some algorithms!
+ */
+static PK11SymKey *
+pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+                CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, 
+		CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, 
+		int key_size, void * wincx, CK_RV *crvp, PRBool isPerm)
+{
+    CK_ULONG len;
+    SECItem outKey;
+    PK11SymKey *symKey;
+    CK_RV crv;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+
+    /* remove any VALUE_LEN parameters */
+    if (keyTemplate[templateCount-1].type == CKA_VALUE_LEN) {
+        templateCount--;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    outKey.data = (unsigned char*)PORT_Alloc(inKey->len);
+    if (outKey.data == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MEMORY );
+	if (crvp) *crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+    len = inKey->len;
+
+    /* use NULL IV's for wrapping */
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	if (crvp) *crvp =crv;
+	return NULL;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len,
+							   outKey.data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	if (crvp) *crvp =crv;
+	return NULL;
+    }
+
+    outKey.len = (key_size == 0) ? len : key_size;
+    outKey.type = siBuffer;
+
+    if (PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    isPerm, keyTemplate, 
+					    templateCount, &outKey, wincx);
+    } else {
+	slot = PK11_GetBestSlot(target,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    PORT_Free(outKey.data);
+	    if (crvp) *crvp = CKR_DEVICE_ERROR; 
+	    return NULL;
+	}
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    isPerm, keyTemplate,
+					    templateCount, &outKey, wincx);
+	PK11_FreeSlot(slot);
+    }
+    PORT_Free(outKey.data);
+
+    if (crvp) *crvp = symKey? CKR_OK : CKR_DEVICE_ERROR; 
+    return symKey;
+}
+
+/*
+ * The wrap/unwrap function is pretty much the same for private and
+ * public keys. It's just getting the Object ID and slot right. This is
+ * the combined unwrap function.
+ */
+static PK11SymKey *
+pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+    CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
+    CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
+    void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm)
+{
+    PK11SymKey *    symKey;
+    SECItem *       param_free	= NULL;
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism;
+    CK_SESSION_HANDLE rwsession;
+    CK_RV           crv;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if ((operation != CKA_FLAGS_ONLY) &&
+	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    }
+
+    /*
+     * must be last in case we need to use this template to import the key
+     */
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+
+    /* find out if we can do wrap directly. Because the RSA case if *very*
+     * common, cache the results for it. */
+    if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
+	mechanism_info.flags = slot->RSAInfoFlags;
+    } else {
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType,
+				 &mechanism_info);
+    	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    	if (crv != CKR_OK) {
+	     mechanism_info.flags = 0;
+    	}
+        if (wrapType == CKM_RSA_PKCS) {
+	    slot->RSAInfoFlags = mechanism_info.flags;
+	    slot->hasRSAInfo = PR_TRUE;
+	}
+    }
+
+    /* initialize the mechanism structure */
+    mechanism.mechanism = wrapType;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) 
+	param = param_free = PK11_ParamFromIV(wrapType,NULL);
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if ((mechanism_info.flags & CKF_DECRYPT)  
+				&& !PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+	                         target, keyTemplate, templateCount, keySize, 
+				 wincx, &crv, isPerm);
+	if (symKey) {
+	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	    return symKey;
+	}
+	/*
+	 * if the RSA OP simply failed, don't try to unwrap again 
+	 * with this module.
+	 */
+	if (crv == CKR_DEVICE_ERROR){
+	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	    return NULL;
+	}
+	/* fall through, maybe they incorrectly set CKF_DECRYPT */
+    }
+
+    /* get our key Structure */
+    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, wincx);
+    if (symKey == NULL) {
+	if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	return NULL;
+    }
+
+    symKey->size = keySize;
+    symKey->origin = PK11_OriginUnwrap;
+
+    if (isPerm) {
+	rwsession = PK11_GetRWSession(slot);
+    } else {
+        pk11_EnterKeyMonitor(symKey);
+	rwsession = symKey->session;
+    }
+    PORT_Assert(rwsession != CK_INVALID_SESSION);
+    if (rwsession == CK_INVALID_SESSION) 
+    	crv = CKR_SESSION_HANDLE_INVALID;
+    else
+	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession,&mechanism,wrappingKey,
+		wrappedKey->data, wrappedKey->len, keyTemplate, templateCount, 
+							  &symKey->objectID);
+    if (isPerm) {
+	if (rwsession != CK_INVALID_SESSION)
+	    PK11_RestoreROSession(slot, rwsession);
+    } else {
+        pk11_ExitKeyMonitor(symKey);
+    }
+    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	symKey = NULL;
+	if (crv != CKR_DEVICE_ERROR) {
+	    /* try hand Unwrapping */
+	    symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+				     target, keyTemplate, templateCount,
+				     keySize, wincx, NULL, isPerm);
+	}
+   }
+
+   return symKey;
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize)
+{
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, NULL, 0, PR_FALSE);
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, keyTemplate, templateCount, PR_FALSE);
+}
+
+PK11SymKey *
+PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, 
+		   CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize, CK_FLAGS flags, PRBool isPerm)
+{
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE    *attrs;
+    unsigned int    templateCount;
+
+    attrs = keyTemplate;
+    if (isPerm) {
+        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
+    }
+    templateCount = attrs-keyTemplate;
+    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
+
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, keyTemplate, templateCount, isPerm);
+}
+
+
+/* unwrap a symetric key with a private key. */
+PK11SymKey *
+PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
+	  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
+{
+    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
+
+    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
+	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
+    }
+    
+    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
+	wrapType, NULL, wrappedKey, target, operation, keySize, 
+	wrappingKey->wincx, NULL, 0, PR_FALSE);
+}
+
+/* unwrap a symetric key with a private key. */
+PK11SymKey *
+PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey, 
+	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
+	  CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags)
+{
+    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
+
+    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
+
+    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
+	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
+    }
+    
+    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
+	wrapType, NULL, wrappedKey, target, operation, keySize, 
+	wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE);
+}
+
+PK11SymKey *
+PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, 
+	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
+	  CK_ATTRIBUTE_TYPE operation, int keySize,
+	  CK_FLAGS flags, PRBool isPerm)
+{
+    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE    *attrs;
+    unsigned int    templateCount;
+    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
+
+    attrs = keyTemplate;
+    if (isPerm) {
+        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
+    }
+    templateCount = attrs-keyTemplate;
+
+    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
+
+    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
+	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
+    }
+    
+    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
+	wrapType, NULL, wrappedKey, target, operation, keySize, 
+	wrappingKey->wincx, keyTemplate, templateCount, isPerm);
+}
+
+PK11SymKey*
+PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
+{
+    CK_RV crv;
+    CK_ATTRIBUTE setTemplate;
+    CK_BBOOL ckTrue = CK_TRUE; 
+    PK11SlotInfo *slot = originalKey->slot;
+
+    /* first just try to set this key up for signing */
+    PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue));
+    pk11_EnterKeyMonitor(originalKey);
+    crv = PK11_GETTAB(slot)-> C_SetAttributeValue(originalKey->session, 
+				originalKey->objectID, &setTemplate, 1);
+    pk11_ExitKeyMonitor(originalKey);
+    if (crv == CKR_OK) {
+	return PK11_ReferenceSymKey(originalKey);
+    }
+
+    /* nope, doesn't like it, use the pk11 copy object command */
+    return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey);
+}
+    
+void   
+PK11_SetFortezzaHack(PK11SymKey *symKey) { 
+   symKey->origin = PK11_OriginFortezzaHack;
+}
+
+/*
+ * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
+ * working. This function simply gets a valid IV for the keys.
+ */
+SECStatus
+PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len)
+{
+    CK_MECHANISM mech_info;
+    CK_ULONG count = 0;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+
+    mech_info.mechanism = CKM_SKIPJACK_CBC64;
+    mech_info.pParameter = iv;
+    mech_info.ulParameterLen = len;
+
+    /* generate the IV for fortezza */
+    PK11_EnterSlotMonitor(symKey->slot);
+    crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session,
+				&mech_info, symKey->objectID);
+    if (crv == CKR_OK) {
+	PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, 
+								NULL, &count);
+	rv = SECSuccess;
+    }
+    PK11_ExitSlotMonitor(symKey->slot);
+    return rv;
+}
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
new file mode 100644
index 000000000..d83874918
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -0,0 +1,2185 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Deal with PKCS #11 Slots.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "secerr.h"
+
+#include "dev.h" 
+#include "dev3hack.h" 
+#include "pkim.h"
+
+
+/*************************************************************
+ * local static and global data
+ *************************************************************/
+
+/*
+ * This array helps parsing between names, mechanisms, and flags.
+ * to make the config files understand more entries, add them
+ * to this table. (NOTE: we need function to export this table and it's size)
+ */
+PK11DefaultArrayEntry PK11_DefaultArray[] = {
+	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
+	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
+	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
+	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
+	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
+	{ "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
+	{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
+	{ "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
+	{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
+	{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
+	{ "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
+/*	{ "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
+	{ "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
+	{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
+	{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
+	{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
+	{ "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
+	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
+	{ "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
+	{ "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
+};
+const int num_pk11_default_mechanisms = 
+                sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
+
+PK11DefaultArrayEntry *
+PK11_GetDefaultArray(int *size)
+{
+    if (size) {
+	*size = num_pk11_default_mechanisms;
+    }
+    return PK11_DefaultArray;
+}
+
+/*
+ * These  slotlists are lists of modules which provide default support for
+ *  a given algorithm or mechanism.
+ */
+static PK11SlotList pk11_camelliaSlotList,
+    pk11_aesSlotList,
+    pk11_desSlotList,
+    pk11_rc4SlotList,
+    pk11_rc2SlotList,
+    pk11_rc5SlotList,
+    pk11_sha1SlotList,
+    pk11_md5SlotList,
+    pk11_md2SlotList,
+    pk11_rsaSlotList,
+    pk11_dsaSlotList,
+    pk11_dhSlotList,
+    pk11_ecSlotList,
+    pk11_ideaSlotList,
+    pk11_sslSlotList,
+    pk11_tlsSlotList,
+    pk11_randomSlotList,
+    pk11_sha256SlotList,
+    pk11_sha512SlotList;	/* slots do SHA512 and SHA384 */
+
+/************************************************************
+ * Generic Slot List and Slot List element manipulations
+ ************************************************************/
+
+/*
+ * allocate a new list 
+ */
+PK11SlotList *
+PK11_NewSlotList(void)
+{
+    PK11SlotList *list;
+ 
+    list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
+    if (list == NULL) return NULL;
+    list->head = NULL;
+    list->tail = NULL;
+    list->lock = PZ_NewLock(nssILockList);
+    if (list->lock == NULL) {
+	PORT_Free(list);
+	return NULL;
+    }
+
+    return list;
+}
+
+/*
+ * free a list element when all the references go away.
+ */
+SECStatus
+PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le)
+{
+    PRBool freeit = PR_FALSE;
+
+    if (list == NULL || le == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    PZ_Lock(list->lock);
+    if (le->refCount-- == 1) {
+	freeit = PR_TRUE;
+    }
+    PZ_Unlock(list->lock);
+    if (freeit) {
+    	PK11_FreeSlot(le->slot);
+	PORT_Free(le);
+    }
+    return SECSuccess;
+}
+
+static void
+pk11_FreeSlotListStatic(PK11SlotList *list)
+{
+    PK11SlotListElement *le, *next ;
+    if (list == NULL) return;
+
+    for (le = list->head ; le; le = next) {
+	next = le->next;
+	PK11_FreeSlotListElement(list,le);
+    }
+    if (list->lock) {
+    	PZ_DestroyLock(list->lock);
+    }
+    list->lock = NULL;
+    list->head = NULL;
+}
+
+/*
+ * if we are freeing the list, we must be the only ones with a pointer
+ * to the list.
+ */
+void
+PK11_FreeSlotList(PK11SlotList *list)
+{
+    pk11_FreeSlotListStatic(list);
+    PORT_Free(list);
+}
+
+/*
+ * add a slot to a list
+ */
+SECStatus
+PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
+{
+    PK11SlotListElement *le;
+
+    le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
+    if (le == NULL) return SECFailure;
+
+    le->slot = PK11_ReferenceSlot(slot);
+    le->prev = NULL;
+    le->refCount = 1;
+    PZ_Lock(list->lock);
+    if (list->head) list->head->prev = le; else list->tail = le;
+    le->next = list->head;
+    list->head = le;
+    PZ_Unlock(list->lock);
+
+    return SECSuccess;
+}
+
+/*
+ * remove a slot entry from the list
+ */
+SECStatus
+PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
+{
+    PZ_Lock(list->lock);
+    if (le->prev) le->prev->next = le->next; else list->head = le->next;
+    if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
+    le->next = le->prev = NULL;
+    PZ_Unlock(list->lock);
+    PK11_FreeSlotListElement(list,le);
+    return SECSuccess;
+}
+
+/*
+ * Move a list to the end of the target list. NOTE: There is no locking
+ * here... This assumes BOTH lists are private copy lists.
+ */
+SECStatus
+PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
+{
+    if (src->head == NULL) return SECSuccess;
+
+    if (target->tail == NULL) {
+	target->head = src->head;
+    } else {
+	target->tail->next = src->head;
+    }
+    src->head->prev = target->tail;
+    target->tail = src->tail;
+    src->head = src->tail = NULL;
+    return SECSuccess;
+}
+
+/*
+ * get an element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetFirstRef(PK11SlotList *list)
+{
+    PK11SlotListElement *le;
+
+    le = list->head;
+    if (le != NULL) (le)->refCount++;
+    return le;
+}
+
+/*
+ * get the next element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+    PK11SlotListElement *new_le;
+    new_le = le->next;
+    if (new_le) new_le->refCount++;
+    PK11_FreeSlotListElement(list,le);
+    return new_le;
+}
+
+/*
+ * get an element safely from the list. This just makes sure that if
+ * this element is not deleted while we deal with it.
+ */
+PK11SlotListElement *
+PK11_GetFirstSafe(PK11SlotList *list)
+{
+    PK11SlotListElement *le;
+
+    PZ_Lock(list->lock);
+    le = list->head;
+    if (le != NULL) (le)->refCount++;
+    PZ_Unlock(list->lock);
+    return le;
+}
+
+/*
+ * NOTE: if this element gets deleted, we can no longer safely traverse using
+ * it's pointers. We can either terminate the loop, or restart from the
+ * beginning. This is controlled by the restart option.
+ */
+PK11SlotListElement *
+PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+    PK11SlotListElement *new_le;
+    PZ_Lock(list->lock);
+    new_le = le->next;
+    if (le->next == NULL) {
+	/* if the prev and next fields are NULL then either this element
+	 * has been removed and we need to walk the list again (if restart
+	 * is true) or this was the only element on the list */
+	if ((le->prev == NULL) && restart &&  (list->head != le)) {
+	    new_le = list->head;
+	}
+    }
+    if (new_le) new_le->refCount++;
+    PZ_Unlock(list->lock);
+    PK11_FreeSlotListElement(list,le);
+    return new_le;
+}
+
+
+/*
+ * Find the element that holds this slot
+ */
+PK11SlotListElement *
+PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
+{
+    PK11SlotListElement *le;
+
+    for (le = PK11_GetFirstSafe(list); le;
+			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+	if (le->slot == slot) return le;
+    }
+    return NULL;
+}
+
+/************************************************************
+ * Generic Slot Utilities
+ ************************************************************/
+/*
+ * Create a new slot structure
+ */
+PK11SlotInfo *
+PK11_NewSlotInfo(SECMODModule *mod)
+{
+    PK11SlotInfo *slot;
+
+    slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
+    if (slot == NULL) return slot;
+
+    slot->sessionLock = mod->isThreadSafe ?
+	PZ_NewLock(nssILockSession) : mod->refLock;
+    if (slot->sessionLock == NULL) {
+	PORT_Free(slot);
+	return NULL;
+    }
+    slot->freeListLock = PZ_NewLock(nssILockFreelist);
+    if (slot->freeListLock == NULL) {
+	if (mod->isThreadSafe) {
+	    PZ_DestroyLock(slot->sessionLock);
+	}
+	PORT_Free(slot);
+	return NULL;
+    }
+    slot->freeSymKeysWithSessionHead = NULL;
+    slot->freeSymKeysHead = NULL;
+    slot->keyCount = 0;
+    slot->maxKeyCount = 0;
+    slot->functionList = NULL;
+    slot->needTest = PR_TRUE;
+    slot->isPerm = PR_FALSE;
+    slot->isHW = PR_FALSE;
+    slot->isInternal = PR_FALSE;
+    slot->isThreadSafe = PR_FALSE;
+    slot->disabled = PR_FALSE;
+    slot->series = 1;
+    slot->wrapKey = 0;
+    slot->wrapMechanism = CKM_INVALID_MECHANISM;
+    slot->refKeys[0] = CK_INVALID_HANDLE;
+    slot->reason = PK11_DIS_NONE;
+    slot->readOnly = PR_TRUE;
+    slot->needLogin = PR_FALSE;
+    slot->hasRandom = PR_FALSE;
+    slot->defRWSession = PR_FALSE;
+    slot->protectedAuthPath = PR_FALSE;
+    slot->flags = 0;
+    slot->session = CK_INVALID_SESSION;
+    slot->slotID = 0;
+    slot->defaultFlags = 0;
+    slot->refCount = 1;
+    slot->askpw = 0;
+    slot->timeout = 0;
+    slot->mechanismList = NULL;
+    slot->mechanismCount = 0;
+    slot->cert_array = NULL;
+    slot->cert_count = 0;
+    slot->slot_name[0] = 0;
+    slot->token_name[0] = 0;
+    PORT_Memset(slot->serial,' ',sizeof(slot->serial));
+    slot->module = NULL;
+    slot->authTransact = 0;
+    slot->authTime = LL_ZERO;
+    slot->minPassword = 0;
+    slot->maxPassword = 0;
+    slot->hasRootCerts = PR_FALSE;
+    slot->nssToken = NULL;
+    return slot;
+}
+    
+/* create a new reference to a slot so it doesn't go away */
+PK11SlotInfo *
+PK11_ReferenceSlot(PK11SlotInfo *slot)
+{
+    PR_AtomicIncrement(&slot->refCount);
+    return slot;
+}
+
+/* Destroy all info on a slot we have built up */
+void
+PK11_DestroySlot(PK11SlotInfo *slot)
+{
+   /* free up the cached keys and sessions */
+   PK11_CleanKeyList(slot);
+   
+   /* free up all the sessions on this slot */
+   if (slot->functionList) {
+	PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+   }
+
+   if (slot->mechanismList) {
+	PORT_Free(slot->mechanismList);
+   }
+   if (slot->isThreadSafe && slot->sessionLock) {
+	PZ_DestroyLock(slot->sessionLock);
+   }
+   slot->sessionLock = NULL;
+   if (slot->freeListLock) {
+	PZ_DestroyLock(slot->freeListLock);
+	slot->freeListLock = NULL;
+   }
+
+   /* finally Tell our parent module that we've gone away so it can unload */
+   if (slot->module) {
+	SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
+   }
+
+   /* ok, well not quit finally... now we free the memory */
+   PORT_Free(slot);
+}
+
+
+/* We're all done with the slot, free it */
+void
+PK11_FreeSlot(PK11SlotInfo *slot)
+{
+    if (PR_AtomicDecrement(&slot->refCount) == 0) {
+	PK11_DestroySlot(slot);
+    }
+}
+
+void
+PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
+    PZ_Lock(slot->sessionLock);
+}
+
+void
+PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
+    PZ_Unlock(slot->sessionLock);
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PRBool
+SECMOD_HasRootCerts(void)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PRBool found = PR_FALSE;
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (tmpSlot->hasRootCerts) {
+		    found = PR_TRUE;
+		    break;
+		}
+	    }
+	}
+	if (found) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    return found;
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PK11SlotList *
+PK11_FindSlotsByNames(const char *dllName, const char* slotName,
+                        const char* tokenName, PRBool presentOnly)
+{
+    SECMODModuleList *mlp;
+    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    int i;
+    PK11SlotList* slotList = NULL;
+    PRUint32 slotcount = 0;
+    SECStatus rv = SECSuccess;
+
+    slotList = PK11_NewSlotList();
+    if (!slotList) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    if ( ((NULL == dllName) || (0 == *dllName)) &&
+        ((NULL == slotName) || (0 == *slotName)) &&
+        ((NULL == tokenName) || (0 == *tokenName)) ) {
+        /* default to softoken */
+        PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot());
+        return slotList;
+    }
+
+    /* work through all the slots */
+    SECMOD_GetReadLock(moduleLock);
+    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
+        PORT_Assert(mlp->module);
+        if (!mlp->module) {
+            rv = SECFailure;
+            break;
+        }
+        if ((!dllName) || (mlp->module->dllName &&
+            (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) {
+            for (i=0; i < mlp->module->slotCount; i++) {
+                PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i]:NULL);
+                PORT_Assert(tmpSlot);
+                if (!tmpSlot) {
+                    rv = SECFailure;
+                    break;
+                }
+                if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
+                    ( (!tokenName) || (tmpSlot->token_name &&
+                    (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) &&
+                    ( (!slotName) || (tmpSlot->slot_name &&
+                    (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) {
+                    if (tmpSlot) {
+                        PK11_AddSlotToList(slotList, tmpSlot);
+                        slotcount++;
+                    }
+                }
+            }
+        }
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if ( (0 == slotcount) || (SECFailure == rv) ) {
+        PORT_SetError(SEC_ERROR_NO_TOKEN);
+        PK11_FreeSlotList(slotList);
+        slotList = NULL;
+    }
+
+    if (SECFailure == rv) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+
+    return slotList;
+}
+
+PK11SlotInfo *
+PK11_FindSlotByName(const char *name)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PK11SlotInfo *slot = NULL;
+
+   if ((name == NULL) || (*name == 0)) {
+	return PK11_GetInternalKeySlot();
+   }
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
+		    slot = PK11_ReferenceSlot(tmpSlot);
+		    break;
+		}
+	    }
+	}
+	if (slot != NULL) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+
+    return slot;
+}
+
+
+PK11SlotInfo *
+PK11_FindSlotBySerial(char *serial)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PK11SlotInfo *slot = NULL;
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (PORT_Memcmp(tmpSlot->serial,serial,
+					sizeof(tmpSlot->serial)) == 0) {
+		    slot = PK11_ReferenceSlot(tmpSlot);
+		    break;
+		}
+	    }
+	}
+	if (slot != NULL) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+
+    return slot;
+}
+
+/*
+ * notification stub. If we ever get interested in any events that
+ * the pkcs11 functions may pass back to use, we can catch them here...
+ * currently pdata is a slotinfo structure.
+ */
+CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
+							 CK_VOID_PTR pdata)
+{
+    return CKR_OK;
+}
+
+/*
+ * grab a new RW session
+ * !!! has a side effect of grabbing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe. Monitor is release in function
+ * below
+ */
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
+{
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+    PRBool haveMonitor = PR_FALSE;
+
+    if (!slot->isThreadSafe || slot->defRWSession) {
+    	PK11_EnterSlotMonitor(slot);
+	haveMonitor = PR_TRUE;
+    }
+    if (slot->defRWSession) {
+	PORT_Assert(slot->session != CK_INVALID_SESSION);
+	if (slot->session != CK_INVALID_SESSION) 
+	    return slot->session;
+    }
+
+    crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+				CKF_RW_SESSION|CKF_SERIAL_SESSION,
+				  	  slot, pk11_notify,&rwsession);
+    PORT_Assert(rwsession != CK_INVALID_SESSION || crv != CKR_OK);
+    if (crv != CKR_OK || rwsession == CK_INVALID_SESSION) {
+	if (crv == CKR_OK) 
+	    crv = CKR_DEVICE_ERROR;
+	if (haveMonitor)
+	    PK11_ExitSlotMonitor(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return CK_INVALID_SESSION;
+    }
+    if (slot->defRWSession) { /* we have the monitor */
+    	slot->session = rwsession;
+    }
+    return rwsession;
+}
+
+PRBool
+PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) 
+{
+    PRBool hasLock;
+    hasLock = (PRBool)(!slot->isThreadSafe || 
+    	      (slot->defRWSession && slot->session != CK_INVALID_SESSION));
+    return hasLock;
+}
+
+static PRBool
+pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
+{
+    PRBool isDefault;
+    isDefault = (PRBool)(slot->session == rwsession &&
+    	                 slot->defRWSession && 
+			 slot->session != CK_INVALID_SESSION);
+    return isDefault;
+}
+
+/*
+ * close the rwsession and restore our readonly session
+ * !!! has a side effect of releasing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe.
+ */
+void
+PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
+{
+    PORT_Assert(rwsession != CK_INVALID_SESSION);
+    if (rwsession != CK_INVALID_SESSION) {
+    	PRBool doExit = PK11_RWSessionHasLock(slot, rwsession);
+	if (!pk11_RWSessionIsDefault(slot, rwsession))
+	    PK11_GETTAB(slot)->C_CloseSession(rwsession);
+	if (doExit)
+	    PK11_ExitSlotMonitor(slot);
+    }
+}
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+
+/* Init the static built int slot list (should actually integrate
+ * with PK11_NewSlotList */
+static void
+pk11_InitSlotListStatic(PK11SlotList *list)
+{
+    list->lock = PZ_NewLock(nssILockList);
+    list->head = NULL;
+}
+
+
+/* initialize the system slotlists */
+SECStatus
+PK11_InitSlotLists(void)
+{
+    pk11_InitSlotListStatic(&pk11_camelliaSlotList);
+    pk11_InitSlotListStatic(&pk11_aesSlotList);
+    pk11_InitSlotListStatic(&pk11_desSlotList);
+    pk11_InitSlotListStatic(&pk11_rc4SlotList);
+    pk11_InitSlotListStatic(&pk11_rc2SlotList);
+    pk11_InitSlotListStatic(&pk11_rc5SlotList);
+    pk11_InitSlotListStatic(&pk11_md5SlotList);
+    pk11_InitSlotListStatic(&pk11_md2SlotList);
+    pk11_InitSlotListStatic(&pk11_sha1SlotList);
+    pk11_InitSlotListStatic(&pk11_rsaSlotList);
+    pk11_InitSlotListStatic(&pk11_dsaSlotList);
+    pk11_InitSlotListStatic(&pk11_dhSlotList);
+    pk11_InitSlotListStatic(&pk11_ecSlotList);
+    pk11_InitSlotListStatic(&pk11_ideaSlotList);
+    pk11_InitSlotListStatic(&pk11_sslSlotList);
+    pk11_InitSlotListStatic(&pk11_tlsSlotList);
+    pk11_InitSlotListStatic(&pk11_randomSlotList);
+    pk11_InitSlotListStatic(&pk11_sha256SlotList);
+    pk11_InitSlotListStatic(&pk11_sha512SlotList);
+    return SECSuccess;
+}
+
+void
+PK11_DestroySlotLists(void)
+{
+    pk11_FreeSlotListStatic(&pk11_camelliaSlotList);
+    pk11_FreeSlotListStatic(&pk11_aesSlotList);
+    pk11_FreeSlotListStatic(&pk11_desSlotList);
+    pk11_FreeSlotListStatic(&pk11_rc4SlotList);
+    pk11_FreeSlotListStatic(&pk11_rc2SlotList);
+    pk11_FreeSlotListStatic(&pk11_rc5SlotList);
+    pk11_FreeSlotListStatic(&pk11_md5SlotList);
+    pk11_FreeSlotListStatic(&pk11_md2SlotList);
+    pk11_FreeSlotListStatic(&pk11_sha1SlotList);
+    pk11_FreeSlotListStatic(&pk11_rsaSlotList);
+    pk11_FreeSlotListStatic(&pk11_dsaSlotList);
+    pk11_FreeSlotListStatic(&pk11_dhSlotList);
+    pk11_FreeSlotListStatic(&pk11_ecSlotList);
+    pk11_FreeSlotListStatic(&pk11_ideaSlotList);
+    pk11_FreeSlotListStatic(&pk11_sslSlotList);
+    pk11_FreeSlotListStatic(&pk11_tlsSlotList);
+    pk11_FreeSlotListStatic(&pk11_randomSlotList);
+    pk11_FreeSlotListStatic(&pk11_sha256SlotList);
+    pk11_FreeSlotListStatic(&pk11_sha512SlotList);
+    return;
+}
+
+/* return a system slot list based on mechanism */
+PK11SlotList *
+PK11_GetSlotList(CK_MECHANISM_TYPE type)
+{
+/* XXX a workaround for Bugzilla bug #55267 */
+#if defined(HPUX) && defined(__LP64__)
+    if (CKM_INVALID_MECHANISM == type)
+        return NULL;
+#endif
+    switch (type) {
+    case CKM_CAMELLIA_CBC:
+    case CKM_CAMELLIA_ECB:
+	return &pk11_camelliaSlotList;
+    case CKM_AES_CBC:
+    case CKM_AES_ECB:
+	return &pk11_aesSlotList;
+    case CKM_DES_CBC:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+	return &pk11_desSlotList;
+    case CKM_RC4:
+	return &pk11_rc4SlotList;
+    case CKM_RC5_CBC:
+	return &pk11_rc5SlotList;
+    case CKM_SHA_1:
+	return &pk11_sha1SlotList;
+    case CKM_SHA256:
+	return &pk11_sha256SlotList;
+    case CKM_SHA384:
+    case CKM_SHA512:
+	return &pk11_sha512SlotList;
+    case CKM_MD5:
+	return &pk11_md5SlotList;
+    case CKM_MD2:
+	return &pk11_md2SlotList;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+	return &pk11_rc2SlotList;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+    case CKM_RSA_X_509:
+	return &pk11_rsaSlotList;
+    case CKM_DSA:
+	return &pk11_dsaSlotList;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+    case CKM_DH_PKCS_DERIVE:
+	return &pk11_dhSlotList;
+    case CKM_ECDSA:
+    case CKM_ECDSA_SHA1:
+    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
+    case CKM_ECDH1_DERIVE:
+	return &pk11_ecSlotList;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+	return &pk11_sslSlotList;
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	return &pk11_tlsSlotList;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+	return &pk11_ideaSlotList;
+    case CKM_FAKE_RANDOM:
+	return &pk11_randomSlotList;
+    }
+    return NULL;
+}
+
+/*
+ * load the static SlotInfo structures used to select a PKCS11 slot.
+ * preSlotInfo has a list of all the default flags for the slots on this
+ * module.
+ */
+void
+PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (psi[i].slotID == slot->slotID)
+	    break;
+    }
+
+    if (i == count) return;
+
+    slot->defaultFlags = psi[i].defaultFlags;
+    slot->askpw = psi[i].askpw;
+    slot->timeout = psi[i].timeout;
+    slot->hasRootCerts = psi[i].hasRootCerts;
+
+    /* if the slot is already disabled, don't load them into the
+     * default slot lists. We get here so we can save the default
+     * list value. */
+    if (slot->disabled) return;
+
+    /* if the user has disabled us, don't load us in */
+    if (slot->defaultFlags & PK11_DISABLE_FLAG) {
+	slot->disabled = PR_TRUE;
+	slot->reason = PK11_DIS_USER_SELECTED;
+	/* free up sessions and things?? */
+	return;
+    }
+
+    for (i=0; i < num_pk11_default_mechanisms; i++) {
+	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+
+	    if (slotList) PK11_AddSlotToList(slotList,slot);
+	}
+    }
+
+    return;
+}
+
+
+/*
+ * update a slot to its new attribute according to the slot list
+ * returns: SECSuccess if nothing to do or add/delete is successful
+ */
+SECStatus
+PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
+                        PRBool add)  
+                        /* add: PR_TRUE if want to turn on */
+{
+    SECStatus result = SECSuccess;
+    PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
+
+    if (add) { /* trying to turn on a mechanism */
+                 
+        /* turn on the default flag in the slot */
+        slot->defaultFlags |= entry->flag;
+        
+        /* add this slot to the list */
+        if (slotList!=NULL)
+            result = PK11_AddSlotToList(slotList, slot);
+        
+    } else { /* trying to turn off */
+            
+        /* turn OFF the flag in the slot */ 
+        slot->defaultFlags &= ~entry->flag;
+        
+        if (slotList) {
+            /* find the element in the list & delete it */
+            PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
+
+            /* remove the slot from the list */
+            if (le)
+                result = PK11_DeleteSlotFromList(slotList, le);
+        }
+    }
+    return result;
+}
+
+/*
+ * clear a slot off of all of it's default list
+ */
+void
+PK11_ClearSlotList(PK11SlotInfo *slot)
+{
+    int i;
+
+    if (slot->disabled) return;
+    if (slot->defaultFlags == 0) return;
+
+    for (i=0; i < num_pk11_default_mechanisms; i++) {
+	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+	    PK11SlotListElement *le = NULL;
+
+	    if (slotList) le = PK11_FindSlotElement(slotList,slot);
+
+	    if (le) {
+		PK11_DeleteSlotFromList(slotList,le);
+		PK11_FreeSlotListElement(slotList,le);
+	    }
+	}
+    }
+}
+
+
+/******************************************************************
+ *           Slot initialization
+ ******************************************************************/
+/*
+ * turn a PKCS11 Static Label into a string
+ */
+char *
+PK11_MakeString(PRArenaPool *arena,char *space,
+					char *staticString,int stringLen)
+{
+	int i;
+	char *newString;
+	for(i=(stringLen-1); i >= 0; i--) {
+	  if (staticString[i] != ' ') break;
+	}
+	/* move i to point to the last space */
+	i++;
+	if (arena) {
+	    newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
+	} else if (space) {
+	    newString = space;
+	} else {
+	    newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
+	}
+	if (newString == NULL) return NULL;
+
+	if (i) PORT_Memcpy(newString,staticString, i);
+	newString[i] = 0;
+
+	return newString;
+}
+
+/*
+ * Reads in the slots mechanism list for later use
+ */
+SECStatus
+PK11_ReadMechanismList(PK11SlotInfo *slot)
+{
+    CK_ULONG count;
+    CK_RV crv;
+    PRUint32 i;
+
+    if (slot->mechanismList) {
+	PORT_Free(slot->mechanismList);
+	slot->mechanismList = NULL;
+    }
+    slot->mechanismCount = 0;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+    if (crv != CKR_OK) {
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+
+    slot->mechanismList = (CK_MECHANISM_TYPE *)
+			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+    if (slot->mechanismList == NULL) {
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
+						slot->mechanismList, &count);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_Free(slot->mechanismList);
+	slot->mechanismList = NULL;
+	PORT_SetError(PK11_MapError(crv));
+	return SECSuccess;
+    }
+    slot->mechanismCount = count;
+    PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
+
+    for (i=0; i < count; i++) {
+	CK_MECHANISM_TYPE mech = slot->mechanismList[i];
+	if (mech < 0x7ff) {
+	    slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
+	}
+    }
+    return SECSuccess;
+}
+
+/*
+ * initialize a new token
+ * unlike initialize slot, this can be called multiple times in the lifetime
+ * of NSS. It reads the information associated with a card or token,
+ * that is not going to change unless the card or token changes.
+ */
+SECStatus
+PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
+{
+    CK_TOKEN_INFO tokenInfo;
+    CK_RV crv;
+    char *tmp;
+    SECStatus rv;
+    PRStatus status;
+
+    /* set the slot flags to the current token values */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+
+    /* set the slot flags to the current token values */
+    slot->series++; /* allow other objects to detect that the 
+		      * slot is different */
+    slot->flags = tokenInfo.flags;
+    slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
+    slot->protectedAuthPath =
+    		((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
+	 						? PR_TRUE : PR_FALSE);
+    slot->lastLoginCheck = 0;
+    slot->lastState = 0;
+    /* on some platforms Active Card incorrectly sets the 
+     * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
+    if (slot->isActiveCard) {
+	slot->protectedAuthPath = PR_FALSE;
+    }
+    tmp = PK11_MakeString(NULL,slot->token_name,
+			(char *)tokenInfo.label, sizeof(tokenInfo.label));
+    slot->minPassword = tokenInfo.ulMinPinLen;
+    slot->maxPassword = tokenInfo.ulMaxPinLen;
+    PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
+
+    nssToken_UpdateName(slot->nssToken);
+
+    slot->defRWSession = (PRBool)((!slot->readOnly) && 
+					(tokenInfo.ulMaxSessionCount == 1));
+    rv = PK11_ReadMechanismList(slot);
+    if (rv != SECSuccess) return rv;
+
+    slot->hasRSAInfo = PR_FALSE;
+    slot->RSAInfoFlags = 0;
+
+    /* initialize the maxKeyCount value */
+    if (tokenInfo.ulMaxSessionCount == 0) {
+	slot->maxKeyCount = 800; /* should be #define or a config param */
+    } else if (tokenInfo.ulMaxSessionCount < 20) {
+	/* don't have enough sessions to keep that many keys around */
+	slot->maxKeyCount = 0;
+    } else {
+	slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
+    }
+
+    /* Make sure our session handle is valid */
+    if (slot->session == CK_INVALID_SESSION) {
+	/* we know we don't have a valid session, go get one */
+	CK_SESSION_HANDLE session;
+
+	/* session should be Readonly, serial */
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+				  slot,pk11_notify,&session);
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	if (crv != CKR_OK) {
+	    PORT_SetError(PK11_MapError(crv));
+	    return SECFailure;
+	}
+	slot->session = session;
+    } else {
+	/* The session we have may be defunct (the token associated with it)
+	 * has been removed   */
+	CK_SESSION_INFO sessionInfo;
+
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+        if (crv == CKR_DEVICE_ERROR) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    crv = CKR_SESSION_CLOSED;
+	}
+	if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
+	    crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+					slot,pk11_notify,&slot->session);
+	    if (crv != CKR_OK) {
+	        PORT_SetError(PK11_MapError(crv));
+		slot->session = CK_INVALID_SESSION;
+		if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+		return SECFailure;
+	    }
+	}
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    }
+
+    status = nssToken_Refresh(slot->nssToken);
+    if (status != PR_SUCCESS)
+    	return SECFailure;
+
+    if (!(slot->isInternal) && (slot->hasRandom)) {
+	/* if this slot has a random number generater, use it to add entropy
+	 * to the internal slot. */
+	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	if (int_slot) {
+	    unsigned char random_bytes[32];
+
+	    /* if this slot can issue random numbers, get some entropy from
+	     * that random number generater and give it to our internal token.
+	     */
+	    PK11_EnterSlotMonitor(slot);
+	    crv = PK11_GETTAB(slot)->C_GenerateRandom
+			(slot->session,random_bytes, sizeof(random_bytes));
+	    PK11_ExitSlotMonitor(slot);
+	    if (crv == CKR_OK) {
+	        PK11_EnterSlotMonitor(int_slot);
+		PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
+					random_bytes, sizeof(random_bytes));
+	        PK11_ExitSlotMonitor(int_slot);
+	    }
+
+	    /* Now return the favor and send entropy to the token's random 
+	     * number generater */
+	    PK11_EnterSlotMonitor(int_slot);
+	    crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
+					random_bytes, sizeof(random_bytes));
+	    PK11_ExitSlotMonitor(int_slot);
+	    if (crv == CKR_OK) {
+	        PK11_EnterSlotMonitor(slot);
+		crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,
+					random_bytes, sizeof(random_bytes));
+	        PK11_ExitSlotMonitor(slot);
+	    }
+	    PK11_FreeSlot(int_slot);
+	}
+    }
+
+	
+    return SECSuccess;
+}
+
+/*
+ * initialize a new token
+ * unlike initialize slot, this can be called multiple times in the lifetime
+ * of NSS. It reads the information associated with a card or token,
+ * that is not going to change unless the card or token changes.
+ */
+SECStatus
+PK11_TokenRefresh(PK11SlotInfo *slot)
+{
+    CK_TOKEN_INFO tokenInfo;
+    CK_RV crv;
+
+    /* set the slot flags to the current token values */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+
+    slot->flags = tokenInfo.flags;
+    slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
+    slot->protectedAuthPath =
+    		((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
+	 						? PR_TRUE : PR_FALSE);
+    /* on some platforms Active Card incorrectly sets the 
+     * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
+    if (slot->isActiveCard) {
+	slot->protectedAuthPath = PR_FALSE;
+    }
+    return SECSuccess;
+}
+
+static PRBool
+pk11_isRootSlot(PK11SlotInfo *slot) 
+{
+    CK_ATTRIBUTE findTemp[1];
+    CK_ATTRIBUTE *attrs;
+    CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+    int tsize;
+    CK_OBJECT_HANDLE handle;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++;
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    handle = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+    if (handle == CK_INVALID_HANDLE) {
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/*
+ * Initialize the slot :
+ * This initialization code is called on each slot a module supports when
+ * it is loaded. It does the bringup initialization. The difference between
+ * this and InitToken is Init slot does those one time initialization stuff,
+ * usually associated with the reader, while InitToken may get called multiple
+ * times as tokens are removed and re-inserted.
+ */
+void
+PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
+{
+    SECStatus rv;
+    char *tmp;
+    CK_SLOT_INFO slotInfo;
+
+    slot->functionList = mod->functionList;
+    slot->isInternal = mod->internal;
+    slot->slotID = slotID;
+    slot->isThreadSafe = mod->isThreadSafe;
+    slot->hasRSAInfo = PR_FALSE;
+    
+    if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
+	slot->disabled = PR_TRUE;
+	slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+	return;
+    }
+
+    /* test to make sure claimed mechanism work */
+    slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
+    slot->module = mod; /* NOTE: we don't make a reference here because
+			 * modules have references to their slots. This
+			 * works because modules keep implicit references
+			 * from their slots, and won't unload and disappear
+			 * until all their slots have been freed */
+    tmp = PK11_MakeString(NULL,slot->slot_name,
+	 (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
+    slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
+#define ACTIVE_CARD "ActivCard SA"
+    slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
+				ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0);
+    if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
+	slot->isPerm = PR_TRUE;
+	/* permanment slots must have the token present always */
+	if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+	    slot->disabled = PR_TRUE;
+	    slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
+	    return; /* nothing else to do */
+	}
+    }
+    /* if the token is present, initialize it */
+    if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
+	rv = PK11_InitToken(slot,PR_TRUE);
+	/* the only hard failures are on permanent devices, or function
+	 * verify failures... function verify failures are already handled
+	 * by tokenInit */
+	if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
+	    slot->disabled = PR_TRUE;
+	    slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+	}
+	if (rv == SECSuccess && pk11_isRootSlot(slot)) {
+	    if (!slot->hasRootCerts) {
+		slot->module->trustOrder = 100;
+	    }
+	    slot->hasRootCerts= PR_TRUE;
+	}
+    }
+}
+
+	
+
+/*********************************************************************
+ *            Slot mapping utility functions.
+ *********************************************************************/
+
+/*
+ * determine if the token is present. If the token is present, make sure
+ * we have a valid session handle. Also set the value of needLogin 
+ * appropriately.
+ */
+static PRBool
+pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
+{
+    CK_SLOT_INFO slotInfo;
+    CK_SESSION_INFO sessionInfo;
+    CK_RV crv;
+
+    /* disabled slots are never present */
+    if (slot->disabled) {
+	return PR_FALSE;
+    }
+
+    /* permanent slots are always present */
+    if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
+	return PR_TRUE;
+    }
+
+    if (slot->nssToken) {
+	return nssToken_IsPresent(slot->nssToken);
+    }
+
+    /* removable slots have a flag that says they are present */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
+        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return PR_FALSE;
+    }
+    if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+	/* if the slot is no longer present, close the session */
+	if (slot->session != CK_INVALID_SESSION) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    slot->session = CK_INVALID_SESSION;
+	}
+        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return PR_FALSE;
+    }
+
+    /* use the session Info to determine if the card has been removed and then
+     * re-inserted */
+    if (slot->session != CK_INVALID_SESSION) {
+	if (slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
+	if (crv != CKR_OK) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    slot->session = CK_INVALID_SESSION;
+	}
+        if (slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+    /* card has not been removed, current token info is correct */
+    if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
+
+    /* initialize the token info state */
+    if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/*
+ * old version of the routine
+ */
+PRBool
+PK11_IsPresent(PK11SlotInfo *slot) {
+   return pk11_IsPresentCertLoad(slot,PR_TRUE);
+}
+
+/* is the slot disabled? */
+PRBool
+PK11_IsDisabled(PK11SlotInfo *slot)
+{
+    return slot->disabled;
+}
+
+/* and why? */
+PK11DisableReasons
+PK11_GetDisabledReason(PK11SlotInfo *slot)
+{
+    return slot->reason;
+}
+
+/* returns PR_TRUE if successfully disable the slot */
+/* returns PR_FALSE otherwise */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
+
+    slot->defaultFlags |= PK11_DISABLE_FLAG;
+    slot->disabled = PR_TRUE;
+    slot->reason = PK11_DIS_USER_SELECTED;
+    
+    return PR_TRUE;
+}
+
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
+
+    slot->defaultFlags &= ~PK11_DISABLE_FLAG;
+    slot->disabled = PR_FALSE;
+    slot->reason = PK11_DIS_NONE;
+    return PR_TRUE;
+}
+
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot) {
+    return slot->hasRootCerts;
+}
+
+/* Get the module this slot is attached to */
+SECMODModule *
+PK11_GetModule(PK11SlotInfo *slot)
+{
+	return slot->module;
+}
+
+/* return the default flags of a slot */
+unsigned long
+PK11_GetDefaultFlags(PK11SlotInfo *slot)
+{
+	return slot->defaultFlags;
+}
+
+/*
+ * The following wrapper functions allow us to export an opaque slot
+ * function to the rest of libsec and the world... */
+PRBool
+PK11_IsReadOnly(PK11SlotInfo *slot)
+{
+    return slot->readOnly;
+}
+
+PRBool
+PK11_IsHW(PK11SlotInfo *slot)
+{
+    return slot->isHW;
+}
+
+PRBool
+PK11_IsRemovable(PK11SlotInfo *slot)
+{
+    return !slot->isPerm;
+}
+
+PRBool
+PK11_IsInternal(PK11SlotInfo *slot)
+{
+    return slot->isInternal;
+}
+
+PRBool
+PK11_NeedLogin(PK11SlotInfo *slot)
+{
+    return slot->needLogin;
+}
+
+PRBool
+PK11_IsFriendly(PK11SlotInfo *slot)
+{
+    /* internal slot always has public readable certs */
+    return (PRBool)(slot->isInternal || 
+		    ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == 
+		     SECMOD_FRIENDLY_FLAG));
+}
+
+char *
+PK11_GetTokenName(PK11SlotInfo *slot)
+{
+     return slot->token_name;
+}
+
+char *
+PK11_GetSlotName(PK11SlotInfo *slot)
+{
+     return slot->slot_name;
+}
+
+int
+PK11_GetSlotSeries(PK11SlotInfo *slot)
+{
+    return slot->series;
+}
+
+int
+PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
+{
+    return slot->wrapKey;
+}
+
+CK_SLOT_ID
+PK11_GetSlotID(PK11SlotInfo *slot)
+{
+    return slot->slotID;
+}
+
+SECMODModuleID
+PK11_GetModuleID(PK11SlotInfo *slot)
+{
+    return slot->module->moduleID;
+}
+
+static void
+pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
+{
+    CK_CHAR *walk = buffer;
+    CK_CHAR *end = buffer + buffer_size;
+
+    /* find the NULL */
+    while (walk < end && *walk != '\0') {
+	walk++;
+    }
+
+    /* clear out the buffer */
+    while (walk < end) {
+	*walk++ = ' ';
+    }
+}
+
+/* return the slot info structure */
+SECStatus
+PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
+{
+    CK_RV crv;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    /*
+     * some buggy drivers do not fill the buffer completely, 
+     * erase the buffer first
+     */
+    PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription));
+    PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
+    crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
+    pk11_zeroTerminatedToBlankPadded(info->slotDescription,
+					sizeof(info->slotDescription));
+    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
+					sizeof(info->manufacturerID));
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*  return the token info structure */
+SECStatus
+PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
+{
+    CK_RV crv;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    /*
+     * some buggy drivers do not fill the buffer completely, 
+     * erase the buffer first
+     */
+    PORT_Memset(info->label,' ',sizeof(info->label));
+    PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
+    PORT_Memset(info->model,' ',sizeof(info->model));
+    PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber));
+    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
+    pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label));
+    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
+					sizeof(info->manufacturerID));
+    pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model));
+    pk11_zeroTerminatedToBlankPadded(info->serialNumber,
+					sizeof(info->serialNumber));
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Find out if we need to initialize the user's pin */
+PRBool
+PK11_NeedUserInit(PK11SlotInfo *slot)
+{
+    PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED) 
+					== 0);
+
+    if (needUserInit) {
+	CK_TOKEN_INFO info;
+	SECStatus rv;
+
+	/* see if token has been initialized off line */
+	rv = PK11_GetTokenInfo(slot, &info);
+	if (rv == SECSuccess) {
+	    slot->flags = info.flags;
+	}
+    }
+    return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
+}
+
+/* get the internal key slot. FIPS has only one slot for both key slots and
+ * default slots */
+PK11SlotInfo *
+PK11_GetInternalKeySlot(void)
+{
+    SECMODModule *mod = SECMOD_GetInternalModule();
+    PORT_Assert(mod != NULL);
+    if (!mod) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+    return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
+}
+
+/* get the internal default slot */
+PK11SlotInfo *
+PK11_GetInternalSlot(void) 
+{
+    SECMODModule * mod = SECMOD_GetInternalModule();
+    PORT_Assert(mod != NULL);
+    if (!mod) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+    return PK11_ReferenceSlot(mod->slots[0]);
+}
+
+/*
+ * check if a given slot supports the requested mechanism
+ */
+PRBool
+PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
+{
+    int i;
+
+    /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
+     * tell us we're looking form someone that has implemented get
+     * random bits */
+    if (type == CKM_FAKE_RANDOM) {
+	return slot->hasRandom;
+    }
+
+    /* for most mechanism, bypass the linear lookup */
+    if (type < 0x7ff) {
+	return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8)))  ?
+		PR_TRUE : PR_FALSE;
+    }
+	   
+    for (i=0; i < (int) slot->mechanismCount; i++) {
+	if (slot->mechanismList[i] == type) return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Return true if a token that can do the desired mechanism exists.
+ * This allows us to have hardware tokens that can do function XYZ magically
+ * allow SSL Ciphers to appear if they are plugged in.
+ */
+PRBool
+PK11_TokenExists(CK_MECHANISM_TYPE type)
+{
+    SECMODModuleList *mlp;
+    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    PK11SlotInfo *slot;
+    PRBool found = PR_FALSE;
+    int i;
+
+    /* we only need to know if there is a token that does this mechanism.
+     * check the internal module first because it's fast, and supports 
+     * almost everything. */
+    slot = PK11_GetInternalSlot();
+    if (slot) {
+    	found = PK11_DoesMechanism(slot,type);
+	PK11_FreeSlot(slot);
+    }
+    if (found) return PR_TRUE; /* bypass getting module locks */
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    slot = mlp->module->slots[i];
+	    if (PK11_IsPresent(slot)) {
+		if (PK11_DoesMechanism(slot,type)) {
+		    found = PR_TRUE;
+		    break;
+		}
+	    }
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    return found;
+}
+
+/*
+ * get all the currently available tokens in a list.
+ * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
+ * get all the tokens. Make sure tokens that need authentication are put at
+ * the end of this list.
+ */
+PK11SlotList *
+PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, 
+                  void *wincx)
+{
+    PK11SlotList *     list         = PK11_NewSlotList();
+    PK11SlotList *     loginList    = PK11_NewSlotList();
+    PK11SlotList *     friendlyList = PK11_NewSlotList();
+    SECMODModuleList * mlp;
+    SECMODModuleList * modules      = SECMOD_GetDefaultModuleList();
+    SECMODListLock *   moduleLock   = SECMOD_GetDefaultModuleListLock();
+    int                i;
+#if defined( XP_WIN32 ) 
+    int                j            = 0;
+    PRInt32            waste[16];
+#endif
+
+    if ((list == NULL)  || (loginList == NULL) || (friendlyList == NULL)) {
+	if (list) PK11_FreeSlotList(list);
+	if (loginList) PK11_FreeSlotList(loginList);
+	if (friendlyList) PK11_FreeSlotList(friendlyList);
+	return NULL;
+    }
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+
+#if defined( XP_WIN32 ) 
+	/* This is works around some horrible cache/page thrashing problems 
+	** on Win32.  Without this, this loop can take up to 6 seconds at 
+	** 100% CPU on a Pentium-Pro 200.  The thing this changes is to 
+	** increase the size of the stack frame and modify it.  
+	** Moving the loop code itself seems to have no effect.
+	** Dunno why this combination makes a difference, but it does.
+	*/
+	waste[ j & 0xf] = j++; 
+#endif
+
+	for (i = 0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *slot = mlp->module->slots[i];
+
+	    if (pk11_IsPresentCertLoad(slot, loadCerts)) {
+		if (needRW &&  slot->readOnly) continue;
+		if ((type == CKM_INVALID_MECHANISM) 
+					|| PK11_DoesMechanism(slot, type)) {
+		    if (pk11_LoginStillRequired(slot,wincx)) {
+			if (PK11_IsFriendly(slot)) {
+			    PK11_AddSlotToList(friendlyList, slot);
+			} else {
+			    PK11_AddSlotToList(loginList, slot);
+			}
+		    } else {
+			PK11_AddSlotToList(list, slot);
+		    }
+		}
+	    }
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    PK11_MoveListToList(list,friendlyList);
+    PK11_FreeSlotList(friendlyList);
+    PK11_MoveListToList(list,loginList);
+    PK11_FreeSlotList(loginList);
+
+    return list;
+}
+
+/*
+ * NOTE: This routine is working from a private List generated by 
+ * PK11_GetAllTokens. That is why it does not need to lock.
+ */
+PK11SlotList *
+PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
+{
+    PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
+    PK11SlotListElement *le, *next ;
+    SECStatus rv;
+
+    if (list == NULL) return list;
+
+    for (le = list->head ; le; le = next) {
+	next = le->next; /* save the pointer here in case we have to 
+			  * free the element later */
+        rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+	if (rv != SECSuccess) {
+	    PK11_DeleteSlotFromList(list,le);
+	    continue;
+	}
+    }
+    return list;
+}
+
+
+/*
+ * find the best slot which supports the given
+ * Mechanism. In normal cases this should grab the first slot on the list
+ * with no fuss.
+ */
+PK11SlotInfo *
+PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
+{
+    PK11SlotList *list = NULL;
+    PK11SlotListElement *le ;
+    PK11SlotInfo *slot = NULL;
+    PRBool freeit = PR_FALSE;
+    PRBool listNeedLogin = PR_FALSE;
+    int i;
+    SECStatus rv;
+
+    list = PK11_GetSlotList(type[0]);
+
+    if ((list == NULL) || (list->head == NULL)) {
+	/* We need to look up all the tokens for the mechanism */
+	list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
+	freeit = PR_TRUE;
+    }
+
+    /* no one can do it! */
+    if (list == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
+    PORT_SetError(0);
+
+
+    listNeedLogin = PR_FALSE;
+    for (i=0; i < mech_count; i++) {
+	if ((type[i] != CKM_FAKE_RANDOM) && 
+	    (type[i] != CKM_SHA_1) &&
+	    (type[i] != CKM_SHA256) &&
+	    (type[i] != CKM_SHA384) &&
+	    (type[i] != CKM_SHA512) &&
+	    (type[i] != CKM_MD5) && 
+	    (type[i] != CKM_MD2)) {
+	    listNeedLogin = PR_TRUE;
+	    break;
+	}
+    }
+
+    for (le = PK11_GetFirstSafe(list); le;
+			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+	if (PK11_IsPresent(le->slot)) {
+	    PRBool doExit = PR_FALSE;
+	    for (i=0; i < mech_count; i++) {
+	    	if (!PK11_DoesMechanism(le->slot,type[i])) {
+		    doExit = PR_TRUE;
+		    break;
+		}
+	    }
+	    if (doExit) continue;
+	      
+	    if (listNeedLogin && le->slot->needLogin) {
+		rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+		if (rv != SECSuccess) continue;
+	    }
+	    slot = le->slot;
+	    PK11_ReferenceSlot(slot);
+	    PK11_FreeSlotListElement(list,le);
+	    if (freeit) { PK11_FreeSlotList(list); }
+	    return slot;
+	}
+    }
+    if (freeit) { PK11_FreeSlotList(list); }
+    if (PORT_GetError() == 0) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+    return NULL;
+}
+
+/* original get best slot now calls the multiple version with only one type */
+PK11SlotInfo *
+PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
+{
+    return PK11_GetBestSlotMultiple(&type, 1, wincx);
+}
+
+int
+PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
+{
+    CK_MECHANISM_INFO mechanism_info;
+    CK_RV crv;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+                               mechanism,&mechanism_info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) return 0;
+
+    if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) 
+		return 0;
+    return mechanism_info.ulMaxKeySize;
+}
+
+
+/*
+ * This function uses the existing PKCS #11 module to find the
+ * longest supported key length in the preferred token for a mechanism.
+ * This varies from the above function in that 1) it returns the key length
+ * even for fixed key algorithms, and 2) it looks through the tokens
+ * generally rather than for a specific token. This is used in liu of
+ * a PK11_GetKeyLength function in pk11mech.c since we can actually read
+ * supported key lengths from PKCS #11.
+ *
+ * For symmetric key operations the length is returned in bytes.
+ */
+int
+PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
+{
+    CK_MECHANISM_INFO mechanism_info;
+    PK11SlotList *list = NULL;
+    PK11SlotListElement *le ;
+    PRBool freeit = PR_FALSE;
+    int keyLength = 0;
+
+    list = PK11_GetSlotList(mechanism);
+
+    if ((list == NULL) || (list->head == NULL)) {
+	/* We need to look up all the tokens for the mechanism */
+	list = PK11_GetAllTokens(mechanism,PR_FALSE,PR_FALSE,NULL);
+	freeit = PR_TRUE;
+    }
+
+    /* no tokens recognize this mechanism */
+    if (list == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return 0;
+    }
+
+    for (le = PK11_GetFirstSafe(list); le;
+			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+	PK11SlotInfo *slot = le->slot;
+	CK_RV crv;
+	if (PK11_IsPresent(slot)) {
+	    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+                               mechanism,&mechanism_info);
+ 	    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	    if ((crv == CKR_OK)  && (mechanism_info.ulMaxKeySize != 0)
+		&& (mechanism_info.ulMaxKeySize != 0xffffffff)) {
+		keyLength = mechanism_info.ulMaxKeySize;
+		break;
+	    }
+	}
+    }
+    if (le) 
+	PK11_FreeSlotListElement(list, le);
+    if (freeit) 
+	PK11_FreeSlotList(list);
+    return keyLength;
+}
+
+SECStatus
+PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+SECStatus
+PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) {
+    CK_RV crv;
+
+    if (!slot->isInternal) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, 
+							(CK_ULONG)len);
+    if (!slot->isInternal) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return  SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
+** If that's not the internal slot, then it also attempts to update the
+** internal slot.
+** The return value indicates if the INTERNAL slot was updated OK.
+*/
+SECStatus
+PK11_RandomUpdate(void *data, size_t bytes)
+{
+    PK11SlotInfo *slot;
+    PRBool        bestIsInternal;
+    SECStatus     status;
+
+    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
+    if (slot == NULL) {
+	slot = PK11_GetInternalSlot();
+	if (!slot)
+	    return SECFailure;
+    }
+
+    bestIsInternal = PK11_IsInternal(slot);
+    status = PK11_SeedRandom(slot, data, bytes);
+    PK11_FreeSlot(slot);
+
+    if (!bestIsInternal) {
+    	/* do internal slot, too. */
+    	slot = PK11_GetInternalSlot();	/* can't fail */
+	status = PK11_SeedRandom(slot, data, bytes);
+	PK11_FreeSlot(slot);
+    }
+    return status;
+}
+
+
+SECStatus
+PK11_GenerateRandom(unsigned char *data,int len) {
+    PK11SlotInfo *slot;
+    SECStatus rv;
+
+    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
+    if (slot == NULL) return SECFailure;
+
+    rv = PK11_GenerateRandomOnSlot(slot, data, len);
+    PK11_FreeSlot(slot);
+    return rv;
+}
+
+/*
+ * Reset the token to it's initial state. For the internal module, this will
+ * Purge your keydb, and reset your cert db certs to USER_INIT.
+ */
+SECStatus 
+PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
+{
+    unsigned char tokenName[32];
+    int tokenNameLen;
+    CK_RV crv;
+
+    /* reconstruct the token name */
+    tokenNameLen = PORT_Strlen(slot->token_name);
+    if (tokenNameLen > sizeof(tokenName)) {
+	tokenNameLen = sizeof(tokenName);
+    }
+
+    PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
+    if (tokenNameLen < sizeof(tokenName)) {
+	PORT_Memset(&tokenName[tokenNameLen],' ',
+					 sizeof(tokenName)-tokenNameLen);
+    }
+
+    /* initialize the token */    
+    PK11_EnterSlotMonitor(slot);
+
+    /* first shutdown the token. Existing sessions will get closed here */
+    PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+    slot->session = CK_INVALID_SESSION;
+
+    /* now re-init the token */ 
+    crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
+	(unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
+
+    /* finally bring the token back up */
+    PK11_InitToken(slot,PR_TRUE);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
+	                                      slot->nssToken);
+    return SECSuccess;
+}
+void
+PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) 
+{
+    sl->nssToken = nsst;
+}
+
+NSSToken *
+PK11Slot_GetNSSToken(PK11SlotInfo *sl) 
+{
+    return sl->nssToken;
+}
+
+/*
+ * wait for a token to change it's state. The application passes in the expected
+ * new state in event. 
+ */
+PK11TokenStatus
+PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, 
+	PRIntervalTime timeout, PRIntervalTime latency, int series)
+{
+   PRIntervalTime first_time = 0;
+   PRBool first_time_set = PR_FALSE;
+   PRBool waitForRemoval;
+
+   if (slot->isPerm) {
+	return PK11TokenNotRemovable;
+   }
+   if (latency == 0) {
+	latency = PR_SecondsToInterval(5);
+   }
+   waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent);
+
+   if (series == 0) {
+	series = PK11_GetSlotSeries(slot);
+   }
+   while (PK11_IsPresent(slot) == waitForRemoval ) {
+	PRIntervalTime interval;
+
+	if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
+	    return PK11TokenChanged;
+	}
+	if (timeout == PR_INTERVAL_NO_WAIT) {
+	    return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
+	}
+	if (timeout != PR_INTERVAL_NO_TIMEOUT ) {
+	    interval = PR_IntervalNow();
+	    if (!first_time_set) {
+		first_time = interval;
+		first_time_set = PR_TRUE;
+	    }
+	    if ((interval-first_time) > timeout) {
+		return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
+	    }
+	}
+	PR_Sleep(latency);
+   }
+   return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
+}
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
new file mode 100644
index 000000000..e4edaf2e6
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -0,0 +1,1440 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Initialize the PCKS 11 subsystem
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "secmodti.h"
+#include "pk11func.h"
+#include "pki3hack.h"
+#include "secerr.h"
+#include "dev.h"
+#include "pkcs11ni.h"
+
+/* these are for displaying error messages */
+
+static  SECMODModuleList *modules = NULL;
+static  SECMODModuleList *modulesDB = NULL;
+static  SECMODModuleList *modulesUnload = NULL;
+static  SECMODModule *internalModule = NULL;
+static  SECMODModule *defaultDBModule = NULL;
+static  SECMODModule *pendingModule = NULL;
+static SECMODListLock *moduleLock = NULL;
+
+int secmod_PrivateModuleCount = 0;
+
+extern PK11DefaultArrayEntry PK11_DefaultArray[];
+extern int num_pk11_default_mechanisms;
+
+
+void
+SECMOD_Init() 
+{
+    /* don't initialize twice */
+    if (moduleLock) return;
+
+    moduleLock = SECMOD_NewListLock();
+    PK11_InitSlotLists();
+}
+
+
+SECStatus
+SECMOD_Shutdown() 
+{
+    /* destroy the lock */
+    if (moduleLock) {
+	SECMOD_DestroyListLock(moduleLock);
+	moduleLock = NULL;
+    }
+    /* free the internal module */
+    if (internalModule) {
+	SECMOD_DestroyModule(internalModule);
+	internalModule = NULL;
+    }
+
+    /* free the default database module */
+    if (defaultDBModule) {
+	SECMOD_DestroyModule(defaultDBModule);
+	defaultDBModule = NULL;
+    }
+	
+    /* destroy the list */
+    if (modules) {
+	SECMOD_DestroyModuleList(modules);
+	modules = NULL;
+    }
+   
+    if (modulesDB) {
+	SECMOD_DestroyModuleList(modulesDB);
+	modulesDB = NULL;
+    }
+
+    if (modulesUnload) {
+	SECMOD_DestroyModuleList(modulesUnload);
+	modulesUnload = NULL;
+    }
+
+    /* make all the slots and the lists go away */
+    PK11_DestroySlotLists();
+
+    nss_DumpModuleLog();
+
+#ifdef DEBUG
+    if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
+	PORT_Assert(secmod_PrivateModuleCount == 0);
+    }
+#endif
+    if (secmod_PrivateModuleCount) {
+    	PORT_SetError(SEC_ERROR_BUSY);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * retrieve the internal module
+ */
+SECMODModule *
+SECMOD_GetInternalModule(void)
+{
+   return internalModule;
+}
+
+
+SECStatus
+secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule)
+{
+    SECMODModuleList *mlp, *newListElement, *last = NULL;
+
+    newListElement = SECMOD_NewModuleListElement();
+    if (newListElement == NULL) {
+	return SECFailure;
+    }
+
+    newListElement->module = SECMOD_ReferenceModule(newModule);
+
+    SECMOD_GetWriteLock(moduleLock);
+    /* Added it to the end (This is very inefficient, but Adding a module
+     * on the fly should happen maybe 2-3 times through the life this program
+     * on a given computer, and this list should be *SHORT*. */
+    for(mlp = *moduleList; mlp != NULL; mlp = mlp->next) {
+	last = mlp;
+    }
+
+    if (last == NULL) {
+	*moduleList = newListElement;
+    } else {
+	SECMOD_AddList(last,newListElement,NULL);
+    }
+    SECMOD_ReleaseWriteLock(moduleLock);
+    return SECSuccess;
+}
+
+SECStatus
+SECMOD_AddModuleToList(SECMODModule *newModule)
+{
+    if (newModule->internal && !internalModule) {
+	internalModule = SECMOD_ReferenceModule(newModule);
+    }
+    return secmod_AddModuleToList(&modules,newModule);
+}
+
+SECStatus
+SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule)
+{
+    if (defaultDBModule == NULL) {
+	defaultDBModule = SECMOD_ReferenceModule(newModule);
+    }
+    return secmod_AddModuleToList(&modulesDB,newModule);
+}
+
+SECStatus
+SECMOD_AddModuleToUnloadList(SECMODModule *newModule)
+{
+    return secmod_AddModuleToList(&modulesUnload,newModule);
+}
+
+/*
+ * get the list of PKCS11 modules that are available.
+ */
+SECMODModuleList * SECMOD_GetDefaultModuleList() { return modules; }
+SECMODModuleList *SECMOD_GetDeadModuleList() { return modulesUnload; }
+SECMODModuleList *SECMOD_GetDBModuleList() { return modulesDB; }
+
+/*
+ * This lock protects the global module lists.
+ * it also protects changes to the slot array (module->slots[]) and slot count 
+ * (module->slotCount) in each module. It is a read/write lock with multiple 
+ * readers or one writer. Writes are uncommon. 
+ * Because of legacy considerations protection of the slot array and count is 
+ * only necessary in applications if the application calls 
+ * SECMOD_UpdateSlotList() or SECMOD_WaitForAnyTokenEvent(), though all new
+ * applications are encouraged to acquire this lock when reading the
+ * slot array information directly.
+ */
+SECMODListLock *SECMOD_GetDefaultModuleListLock() { return moduleLock; }
+
+
+
+/*
+ * find a module by name, and add a reference to it.
+ * return that module.
+ */
+SECMODModule *
+SECMOD_FindModule(const char *name)
+{
+    SECMODModuleList *mlp;
+    SECMODModule *module = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
+	    module = mlp->module;
+	    SECMOD_ReferenceModule(module);
+	    break;
+	}
+    }
+    if (module) {
+	goto found;
+    }
+    for(mlp = modulesUnload; mlp != NULL; mlp = mlp->next) {
+	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
+	    module = mlp->module;
+	    SECMOD_ReferenceModule(module);
+	    break;
+	}
+    }
+
+found:
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    return module;
+}
+
+/*
+ * find a module by ID, and add a reference to it.
+ * return that module.
+ */
+SECMODModule *
+SECMOD_FindModuleByID(SECMODModuleID id) 
+{
+    SECMODModuleList *mlp;
+    SECMODModule *module = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	if (id == mlp->module->moduleID) {
+	    module = mlp->module;
+	    SECMOD_ReferenceModule(module);
+	    break;
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    if (module == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MODULE);
+    }
+    return module;
+}
+
+/*
+ * Find the Slot based on ID and the module.
+ */
+PK11SlotInfo *
+SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID)
+{
+    int i;
+    PK11SlotInfo *slot = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for (i=0; i < module->slotCount; i++) {
+	PK11SlotInfo *cSlot = module->slots[i];
+
+	if (cSlot->slotID == slotID) {
+	    slot = PK11_ReferenceSlot(cSlot);
+	    break;
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
+    }
+    return slot;
+}
+
+/*
+ * lookup the Slot module based on it's module ID and slot ID.
+ */
+PK11SlotInfo *
+SECMOD_LookupSlot(SECMODModuleID moduleID,CK_SLOT_ID slotID) 
+{
+    SECMODModule *module;
+    PK11SlotInfo *slot;
+
+    module = SECMOD_FindModuleByID(moduleID);
+    if (module == NULL) return NULL;
+
+    slot = SECMOD_FindSlotByID(module, slotID);
+    SECMOD_DestroyModule(module);
+    return slot;
+}
+
+
+/*
+ * find a module by name or module pointer and delete it off the module list.
+ * optionally remove it from secmod.db.
+ */
+SECStatus
+SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, 
+						int *type, PRBool permdb) 
+{
+    SECMODModuleList *mlp;
+    SECMODModuleList **mlpp;
+    SECStatus rv = SECFailure;
+
+    *type = SECMOD_EXTERNAL;
+
+    SECMOD_GetWriteLock(moduleLock);
+    for (mlpp = &modules,mlp = modules; 
+				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
+	if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
+							mod == mlp->module) {
+	    /* don't delete the internal module */
+	    if (!mlp->module->internal) {
+		SECMOD_RemoveList(mlpp,mlp);
+		/* delete it after we release the lock */
+		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
+	    } else if (mlp->module->isFIPS) {
+		*type = SECMOD_FIPS;
+	    } else {
+		*type = SECMOD_INTERNAL;
+	    }
+	    break;
+	}
+    }
+    if (mlp) {
+	goto found;
+    }
+    /* not on the internal list, check the unload list */
+    for (mlpp = &modulesUnload,mlp = modulesUnload; 
+				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
+	if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
+							mod == mlp->module) {
+	    /* don't delete the internal module */
+	    if (!mlp->module->internal) {
+		SECMOD_RemoveList(mlpp,mlp);
+		rv = SECSuccess;
+	    } else if (mlp->module->isFIPS) {
+		*type = SECMOD_FIPS;
+	    } else {
+		*type = SECMOD_INTERNAL;
+	    }
+	    break;
+	}
+    }
+found:
+    SECMOD_ReleaseWriteLock(moduleLock);
+
+
+    if (rv == SECSuccess) {
+	if (permdb) {
+ 	    SECMOD_DeletePermDB(mlp->module);
+	}
+	SECMOD_DestroyModuleListElement(mlp);
+    }
+    return rv;
+}
+
+/*
+ * find a module by name and delete it off the module list
+ */
+SECStatus
+SECMOD_DeleteModule(const char *name, int *type) 
+{
+    return SECMOD_DeleteModuleEx(name, NULL, type, PR_TRUE);
+}
+
+/*
+ * find a module by name and delete it off the module list
+ */
+SECStatus
+SECMOD_DeleteInternalModule(const char *name) 
+{
+    SECMODModuleList *mlp;
+    SECMODModuleList **mlpp;
+    SECStatus rv = SECFailure;
+
+    if (pendingModule) {
+	PORT_SetError(SEC_ERROR_MODULE_STUCK);
+	return rv;
+    }
+
+    SECMOD_GetWriteLock(moduleLock);
+    for(mlpp = &modules,mlp = modules; 
+				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
+	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
+	    /* don't delete the internal module */
+	    if (mlp->module->internal) {
+		SECMOD_RemoveList(mlpp,mlp);
+		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
+	    } 
+	    break;
+	}
+    }
+    SECMOD_ReleaseWriteLock(moduleLock);
+
+    if (rv == SECSuccess) {
+	SECMODModule *newModule,*oldModule;
+
+	if (mlp->module->isFIPS) {
+    	    newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME,
+				NULL, SECMOD_INT_FLAGS);
+	} else {
+    	    newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME,
+				NULL, SECMOD_FIPS_FLAGS);
+	}
+	if (newModule) {
+	    newModule->libraryParams = 
+	     PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
+	    rv = SECMOD_AddModule(newModule);
+	    if (rv != SECSuccess) {
+		SECMOD_DestroyModule(newModule);
+		newModule = NULL;
+	    }
+	}
+	if (newModule == NULL) {
+	    SECMODModuleList *last = NULL,*mlp2;
+	   /* we're in pretty deep trouble if this happens...Security
+	    * not going to work well... try to put the old module back on
+	    * the list */
+	   SECMOD_GetWriteLock(moduleLock);
+	   for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) {
+		last = mlp2;
+	   }
+
+	   if (last == NULL) {
+		modules = mlp;
+	   } else {
+		SECMOD_AddList(last,mlp,NULL);
+	   }
+	   SECMOD_ReleaseWriteLock(moduleLock);
+	   return SECFailure; 
+	}
+	pendingModule = oldModule = internalModule;
+	internalModule = NULL;
+	SECMOD_DestroyModule(oldModule);
+ 	SECMOD_DeletePermDB(mlp->module);
+	SECMOD_DestroyModuleListElement(mlp);
+	internalModule = newModule; /* adopt the module */
+    }
+    return rv;
+}
+
+SECStatus
+SECMOD_AddModule(SECMODModule *newModule) 
+{
+    SECStatus rv;
+    SECMODModule *oldModule;
+
+    /* Test if a module w/ the same name already exists */
+    /* and return SECWouldBlock if so. */
+    /* We should probably add a new return value such as */
+    /* SECDublicateModule, but to minimize ripples, I'll */
+    /* give SECWouldBlock a new meaning */
+    if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
+	SECMOD_DestroyModule(oldModule);
+        return SECWouldBlock;
+        /* module already exists. */
+    }
+
+    rv = SECMOD_LoadPKCS11Module(newModule);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    if (newModule->parent == NULL) {
+	newModule->parent = SECMOD_ReferenceModule(defaultDBModule);
+    }
+
+    SECMOD_AddPermDB(newModule);
+    SECMOD_AddModuleToList(newModule);
+
+    rv = STAN_AddModuleToDefaultTrustDomain(newModule);
+
+    return rv;
+}
+
+PK11SlotInfo *
+SECMOD_FindSlot(SECMODModule *module,const char *name) 
+{
+    int i;
+    char *string;
+    PK11SlotInfo *retSlot = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for (i=0; i < module->slotCount; i++) {
+	PK11SlotInfo *slot = module->slots[i];
+
+	if (PK11_IsPresent(slot)) {
+	    string = PK11_GetTokenName(slot);
+	} else {
+	    string = PK11_GetSlotName(slot);
+	}
+	if (PORT_Strcmp(name,string) == 0) {
+	    retSlot = PK11_ReferenceSlot(slot);
+	    break;
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (retSlot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
+    }
+    return retSlot;
+}
+
+SECStatus
+PK11_GetModInfo(SECMODModule *mod,CK_INFO *info)
+{
+    CK_RV crv;
+
+    if (mod->functionList == NULL) return SECFailure;
+    crv = PK11_GETTAB(mod)->C_GetInfo(info);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+    }	
+    return (crv == CKR_OK) ? SECSuccess : SECFailure;
+}
+
+/* Determine if we have the FIP's module loaded as the default
+ * module to trigger other bogus FIPS requirements in PKCS #12 and
+ * SSL
+ */
+PRBool
+PK11_IsFIPS(void)
+{
+    SECMODModule *mod = SECMOD_GetInternalModule();
+
+    if (mod && mod->internal) {
+	return mod->isFIPS;
+    }
+
+    return PR_FALSE;
+}
+
+/* combines NewModule() & AddModule */
+/* give a string for the module name & the full-path for the dll, */
+/* installs the PKCS11 module & update registry */
+SECStatus 
+SECMOD_AddNewModuleEx(const char* moduleName, const char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags,
+                              char* modparms, char* nssparms)
+{
+    SECMODModule *module;
+    SECStatus result = SECFailure;
+    int s,i;
+    PK11SlotInfo* slot;
+
+    PR_SetErrorText(0, NULL);
+
+    module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms);
+
+    if (module == NULL) {
+	return result;
+    }
+
+    if (module->dllName != NULL) {
+        if (module->dllName[0] != 0) {
+            result = SECMOD_AddModule(module);
+            if (result == SECSuccess) {
+                /* turn on SSL cipher enable flags */
+                module->ssl[0] = cipherEnableFlags;
+
+ 		SECMOD_GetReadLock(moduleLock);
+                /* check each slot to turn on appropriate mechanisms */
+                for (s = 0; s < module->slotCount; s++) {
+                    slot = (module->slots)[s];
+                    /* for each possible mechanism */
+                    for (i=0; i < num_pk11_default_mechanisms; i++) {
+                        /* we are told to turn it on by default ? */
+			PRBool add = 
+			 (PK11_DefaultArray[i].flag & defaultMechanismFlags) ?
+						PR_TRUE: PR_FALSE;
+                        result = PK11_UpdateSlotAttribute(slot, 
+					&(PK11_DefaultArray[i]),  add);
+                    } /* for each mechanism */
+                    /* disable each slot if the defaultFlags say so */
+                    if (defaultMechanismFlags & PK11_DISABLE_FLAG) {
+                        PK11_UserDisableSlot(slot);
+                    }
+                } /* for each slot of this module */
+ 		SECMOD_ReleaseReadLock(moduleLock);
+
+                /* delete and re-add module in order to save changes 
+		 * to the module */
+		result = SECMOD_UpdateModule(module);
+            }
+        }
+    }
+    SECMOD_DestroyModule(module);
+    return result;
+}
+
+SECStatus 
+SECMOD_AddNewModule(const char* moduleName, const char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags)
+{
+    return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags,
+                  cipherEnableFlags, 
+                  NULL, NULL); /* don't pass module or nss params */
+}
+
+SECStatus 
+SECMOD_UpdateModule(SECMODModule *module)
+{
+    SECStatus result;
+
+    result = SECMOD_DeletePermDB(module);
+                
+    if (result == SECSuccess) {          
+	result = SECMOD_AddPermDB(module);
+    }
+    return result;
+}
+
+/* Public & Internal(Security Library)  representation of
+ * encryption mechanism flags conversion */
+
+/* Currently, the only difference is that internal representation 
+ * puts RANDOM_FLAG at bit 31 (Most-significant bit), but
+ * public representation puts this bit at bit 28
+ */
+unsigned long 
+SECMOD_PubMechFlagstoInternal(unsigned long publicFlags)
+{
+    unsigned long internalFlags = publicFlags;
+
+    if (publicFlags & PUBLIC_MECH_RANDOM_FLAG) {
+        internalFlags &= ~PUBLIC_MECH_RANDOM_FLAG;
+        internalFlags |= SECMOD_RANDOM_FLAG;
+    }
+    return internalFlags;
+}
+
+unsigned long 
+SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) 
+{
+    unsigned long publicFlags = internalFlags;
+
+    if (internalFlags & SECMOD_RANDOM_FLAG) {
+        publicFlags &= ~SECMOD_RANDOM_FLAG;
+        publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
+    }
+    return publicFlags;
+}
+
+
+/* Public & Internal(Security Library)  representation of */
+/* cipher flags conversion */
+/* Note: currently they are just stubs */
+unsigned long 
+SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) 
+{
+    return publicFlags;
+}
+
+unsigned long 
+SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) 
+{
+    return internalFlags;
+}
+
+/* Funtion reports true if module of modType is installed/configured */
+PRBool 
+SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
+{
+    PRBool result = PR_FALSE;
+    SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
+    SECMOD_GetReadLock(moduleLock);
+
+
+    for ( ; mods != NULL; mods = mods->next) {
+        if (mods->module->ssl[0] & 
+		SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) {
+            result = PR_TRUE;
+        }
+    }
+
+    SECMOD_ReleaseReadLock(moduleLock);
+    return result;
+}
+
+/* create a new ModuleListElement */
+SECMODModuleList *SECMOD_NewModuleListElement(void) 
+{
+    SECMODModuleList *newModList;
+
+    newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
+    if (newModList) {
+	newModList->next = NULL;
+	newModList->module = NULL;
+    }
+    return newModList;
+}
+
+/*
+ * make a new reference to a module so It doesn't go away on us
+ */
+SECMODModule *
+SECMOD_ReferenceModule(SECMODModule *module) 
+{
+    PZ_Lock(module->refLock);
+    PORT_Assert(module->refCount > 0);
+
+    module->refCount++;
+    PZ_Unlock(module->refLock);
+    return module;
+}
+
+
+/* destroy an existing module */
+void
+SECMOD_DestroyModule(SECMODModule *module) 
+{
+    PRBool willfree = PR_FALSE;
+    int slotCount;
+    int i;
+
+    PZ_Lock(module->refLock);
+    if (module->refCount-- == 1) {
+	willfree = PR_TRUE;
+    }
+    PORT_Assert(willfree || (module->refCount > 0));
+    PZ_Unlock(module->refLock);
+
+    if (!willfree) {
+	return;
+    }
+   
+    if (module->parent != NULL) {
+	SECMODModule *parent = module->parent;
+	/* paranoia, don't loop forever if the modules are looped */
+	module->parent = NULL;
+	SECMOD_DestroyModule(parent);
+    }
+
+    /* slots can't really disappear until our module starts freeing them,
+     * so this check is safe */
+    slotCount = module->slotCount;
+    if (slotCount == 0) {
+	SECMOD_SlotDestroyModule(module,PR_FALSE);
+	return;
+    }
+
+    /* now free all out slots, when they are done, they will cause the
+     * module to disappear altogether */
+    for (i=0 ; i < slotCount; i++) {
+	if (!module->slots[i]->disabled) {
+		PK11_ClearSlotList(module->slots[i]);
+	}
+	PK11_FreeSlot(module->slots[i]);
+    }
+    /* WARNING: once the last slot has been freed is it possible (even likely)
+     * that module is no more... touching it now is a good way to go south */
+}
+
+
+/* we can only get here if we've destroyed the module, or some one has
+ * erroneously freed a slot that wasn't referenced. */
+void
+SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) 
+{
+    PRBool willfree = PR_FALSE;
+    if (fromSlot) {
+        PORT_Assert(module->refCount == 0);
+	PZ_Lock(module->refLock);
+	if (module->slotCount-- == 1) {
+	    willfree = PR_TRUE;
+	}
+	PORT_Assert(willfree || (module->slotCount > 0));
+	PZ_Unlock(module->refLock);
+        if (!willfree) return;
+    }
+
+    if (module == pendingModule) {
+	pendingModule = NULL;
+    }
+
+    if (module->loaded) {
+	SECMOD_UnloadModule(module);
+    }
+    PZ_DestroyLock(module->refLock);
+    PORT_FreeArena(module->arena,PR_FALSE);
+    secmod_PrivateModuleCount--;
+}
+
+/* destroy a list element
+ * this destroys a single element, and returns the next element
+ * on the chain. It makes it easy to implement for loops to delete
+ * the chain. It also make deleting a single element easy */
+SECMODModuleList *
+SECMOD_DestroyModuleListElement(SECMODModuleList *element) 
+{
+    SECMODModuleList *next = element->next;
+
+    if (element->module) {
+	SECMOD_DestroyModule(element->module);
+	element->module = NULL;
+    }
+    PORT_Free(element);
+    return next;
+}
+
+
+/*
+ * Destroy an entire module list
+ */
+void
+SECMOD_DestroyModuleList(SECMODModuleList *list) 
+{
+    SECMODModuleList *lp;
+
+    for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
+}
+
+PRBool
+SECMOD_CanDeleteInternalModule(void)
+{
+    return (PRBool) (pendingModule == NULL);
+}
+
+/*
+ * check to see if the module has added new slots. PKCS 11 v2.20 allows for
+ * modules to add new slots, but never remove them. Slots cannot be added 
+ * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
+ * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
+ * grow on the caller. It is permissible for the slots to increase between
+ * successive calls with NULL to get the size.
+ */
+SECStatus
+SECMOD_UpdateSlotList(SECMODModule *mod)
+{
+    CK_RV crv;
+    CK_ULONG count;
+    CK_ULONG i, oldCount;
+    PRBool freeRef = PR_FALSE;
+    void *mark = NULL;
+    CK_ULONG *slotIDs = NULL;
+    PK11SlotInfo **newSlots = NULL;
+    PK11SlotInfo **oldSlots = NULL;
+
+    /* C_GetSlotList is not a session function, make sure 
+     * calls are serialized */
+    PZ_Lock(mod->refLock);
+    freeRef = PR_TRUE;
+    /* see if the number of slots have changed */
+    crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	goto loser;
+    }
+    /* nothing new, blow out early, we want this function to be quick
+     * and cheap in the normal case  */
+    if (count == mod->slotCount) {
+ 	PZ_Unlock(mod->refLock);
+	return SECSuccess;
+    }
+    if (count < (CK_ULONG)mod->slotCount) {
+	/* shouldn't happen with a properly functioning PKCS #11 module */
+	PORT_SetError( SEC_ERROR_INCOMPATIBLE_PKCS11 );
+	goto loser;
+    }
+
+    /* get the new slot list */
+    slotIDs = PORT_NewArray(CK_SLOT_ID, count);
+    if (slotIDs == NULL) {
+	goto loser;
+    }
+
+    crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, slotIDs, &count);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	goto loser;
+    }
+    freeRef = PR_FALSE;
+    PZ_Unlock(mod->refLock);
+    mark = PORT_ArenaMark(mod->arena);
+    if (mark == NULL) {
+	goto loser;
+    }
+    newSlots = PORT_ArenaZNewArray(mod->arena,PK11SlotInfo *,count);
+
+    /* walk down the new slot ID list returned from the module. We keep
+     * the old slots which match a returned ID, and we initialize the new 
+     * slots. */
+    for (i=0; i < count; i++) {
+	PK11SlotInfo *slot = SECMOD_FindSlotByID(mod,slotIDs[i]);
+
+	if (!slot) {
+	    /* we have a new slot create a new slot data structure */
+	    slot = PK11_NewSlotInfo(mod);
+	    if (!slot) {
+		goto loser;
+	    }
+	    PK11_InitSlot(mod, slotIDs[i], slot);
+	    STAN_InitTokenForSlotInfo(NULL, slot);
+	}
+	newSlots[i] = slot;
+    }
+    STAN_ResetTokenInterator(NULL);
+    PORT_Free(slotIDs);
+    slotIDs = NULL;
+    PORT_ArenaUnmark(mod->arena, mark);
+
+    /* until this point we're still using the old slot list. Now we update
+     * module slot list. We update the slots (array) first then the count, 
+     * since we've already guarrenteed that count has increased (just in case 
+     * someone is looking at the slots field of  module without holding the 
+     * moduleLock */
+    SECMOD_GetWriteLock(moduleLock);
+    oldCount =mod->slotCount;
+    oldSlots = mod->slots;
+    mod->slots = newSlots; /* typical arena 'leak'... old mod->slots is
+			    * allocated out of the module arena and won't
+			    * be freed until the module is freed */
+    mod->slotCount = count;
+    SECMOD_ReleaseWriteLock(moduleLock);
+    /* free our old references before forgetting about oldSlot*/
+    for (i=0; i < oldCount; i++) {
+	PK11_FreeSlot(oldSlots[i]);
+    }
+    return SECSuccess;
+
+loser:
+    if (freeRef) {
+	PZ_Unlock(mod->refLock);
+    }
+    if (slotIDs) {
+	PORT_Free(slotIDs);
+    }
+    /* free all the slots we allocated. newSlots are part of the
+     * mod arena. NOTE: the newSlots array contain both new and old
+     * slots, but we kept a reference to the old slots when we built the new
+     * array, so we need to free all the slots in newSlots array. */
+    if (newSlots) {
+	for (i=0; i < count; i++) {
+	    if (newSlots[i] == NULL) {
+		break; /* hit the last one */
+	    }
+	    PK11_FreeSlot(newSlots[i]);
+	}
+    }
+    /* must come after freeing newSlots */
+    if (mark) {
+ 	PORT_ArenaRelease(mod->arena, mark);
+    }
+    return SECFailure;
+}
+
+/*
+ * this handles modules that do not support C_WaitForSlotEvent().
+ * The internal flags are stored. Note that C_WaitForSlotEvent() does not
+ * have a timeout, so we don't have one for handleWaitForSlotEvent() either.
+ */
+PK11SlotInfo *
+secmod_HandleWaitForSlotEvent(SECMODModule *mod,  unsigned long flags,
+						PRIntervalTime latency)
+{
+    PRBool removableSlotsFound = PR_FALSE;
+    int i;
+    int error = SEC_ERROR_NO_EVENT;
+
+    PZ_Lock(mod->refLock);
+    if (mod->evControlMask & SECMOD_END_WAIT) {
+	mod->evControlMask &= ~SECMOD_END_WAIT;
+	PZ_Unlock(mod->refLock);
+	PORT_SetError(SEC_ERROR_NO_EVENT);
+	return NULL;
+    }
+    mod->evControlMask |= SECMOD_WAIT_SIMULATED_EVENT;
+    while (mod->evControlMask & SECMOD_WAIT_SIMULATED_EVENT) {
+	PZ_Unlock(mod->refLock);
+	/* now is a good time to see if new slots have been added */
+	SECMOD_UpdateSlotList(mod);
+
+	/* loop through all the slots on a module */
+	SECMOD_GetReadLock(moduleLock);
+	for (i=0; i < mod->slotCount; i++) {
+	    PK11SlotInfo *slot = mod->slots[i];
+	    uint16 series;
+	    PRBool present;
+
+	    /* perm modules do not change */
+	    if (slot->isPerm) {
+		continue;
+	    }
+	    removableSlotsFound = PR_TRUE;
+	    /* simulate the PKCS #11 module flags. are the flags different
+	     * from the last time we called? */
+	    series = slot->series;
+	    present = PK11_IsPresent(slot);
+	    if ((slot->flagSeries != series) || (slot->flagState != present)) {
+		slot->flagState = present;
+		slot->flagSeries = series;
+		SECMOD_ReleaseReadLock(moduleLock);
+		PZ_Lock(mod->refLock);
+		mod->evControlMask &= ~SECMOD_END_WAIT;
+		PZ_Unlock(mod->refLock);
+		return PK11_ReferenceSlot(slot);
+	    }
+	}
+	SECMOD_ReleaseReadLock(moduleLock);
+	/* if everything was perm modules, don't lock up forever */
+	if (!removableSlotsFound) {
+	    error =SEC_ERROR_NO_SLOT_SELECTED;
+	    PZ_Lock(mod->refLock);
+	    break;
+	}
+	if (flags & CKF_DONT_BLOCK) {
+	    PZ_Lock(mod->refLock);
+	    break;
+	}
+	PR_Sleep(latency);
+ 	PZ_Lock(mod->refLock);
+    }
+    mod->evControlMask &= ~SECMOD_END_WAIT;
+    PZ_Unlock(mod->refLock);
+    PORT_SetError(error);
+    return NULL;
+}
+
+/*
+ * this function waits for a token event on any slot of a given module
+ * This function should not be called from more than one thread of the
+ * same process (though other threads can make other library calls
+ * on this module while this call is blocked).
+ */
+PK11SlotInfo *
+SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags,
+						 PRIntervalTime latency)
+{
+    CK_SLOT_ID id;
+    CK_RV crv;
+    PK11SlotInfo *slot;
+
+    if (!pk11_getFinalizeModulesOption() ||
+        ((mod->cryptokiVersion.major == 2) &&
+         (mod->cryptokiVersion.minor < 1))) { 
+        /* if we are sharing the module with other software in our
+         * address space, we can't reliably use C_WaitForSlotEvent(),
+         * and if the module is version 2.0, C_WaitForSlotEvent() doesn't
+         * exist */
+	return secmod_HandleWaitForSlotEvent(mod, flags, latency);
+    }
+    /* first the the PKCS #11 call */
+    PZ_Lock(mod->refLock);
+    if (mod->evControlMask & SECMOD_END_WAIT) {
+	goto end_wait;
+    }
+    mod->evControlMask |= SECMOD_WAIT_PKCS11_EVENT;
+    PZ_Unlock(mod->refLock);
+    crv = PK11_GETTAB(mod)->C_WaitForSlotEvent(flags, &id, NULL);
+    PZ_Lock(mod->refLock);
+    mod->evControlMask &= ~SECMOD_WAIT_PKCS11_EVENT;
+    /* if we are in end wait, short circuit now, don't even risk
+     * going into secmod_HandleWaitForSlotEvent */
+    if (mod->evControlMask & SECMOD_END_WAIT) {
+	goto end_wait;
+    }
+    PZ_Unlock(mod->refLock);
+    if (crv == CKR_FUNCTION_NOT_SUPPORTED) {
+	/* module doesn't support that call, simulate it */
+	return secmod_HandleWaitForSlotEvent(mod, flags, latency);
+    }
+    if (crv != CKR_OK) {
+	/* we can get this error if finalize was called while we were
+	 * still running. This is the only way to force a C_WaitForSlotEvent()
+	 * to return in PKCS #11. In this case, just return that there
+	 * was no event. */
+	if (crv == CKR_CRYPTOKI_NOT_INITIALIZED) {
+	    PORT_SetError(SEC_ERROR_NO_EVENT);
+	} else {
+	    PORT_SetError(PK11_MapError(crv));
+	}
+	return NULL;
+    }
+    slot = SECMOD_FindSlotByID(mod, id);
+    if (slot == NULL) {
+	/* possibly a new slot that was added? */
+	SECMOD_UpdateSlotList(mod);
+	slot = SECMOD_FindSlotByID(mod, id);
+    }
+    /* if we are in the delay period for the "isPresent" call, reset
+     * the delay since we know things have probably changed... */
+    if (slot && slot->nssToken && slot->nssToken->slot) {
+	nssSlot_ResetDelay(slot->nssToken->slot);
+    }
+    return slot;
+
+    /* must be called with the lock on. */
+end_wait:
+    mod->evControlMask &= ~SECMOD_END_WAIT;
+    PZ_Unlock(mod->refLock);
+    PORT_SetError(SEC_ERROR_NO_EVENT);
+    return NULL;
+}
+
+/*
+ * This function "wakes up" WaitForAnyTokenEvent. It's a pretty drastic
+ * function, possibly bringing down the pkcs #11 module in question. This
+ * should be OK because 1) it does reinitialize, and 2) it should only be
+ * called when we are on our way to tear the whole system down anyway.
+ */
+SECStatus
+SECMOD_CancelWait(SECMODModule *mod)
+{
+    unsigned long controlMask = mod->evControlMask;
+    SECStatus rv = SECSuccess;
+    CK_RV crv;
+
+    PZ_Lock(mod->refLock);
+    mod->evControlMask |= SECMOD_END_WAIT;
+    controlMask = mod->evControlMask;
+    if (controlMask & SECMOD_WAIT_PKCS11_EVENT) {
+        if (!pk11_getFinalizeModulesOption()) {
+            /* can't get here unless pk11_getFinalizeModulesOption is set */
+            PORT_Assert(0);
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;
+            goto loser;
+        }
+	/* NOTE: this call will drop all transient keys, in progress
+	 * operations, and any authentication. This is the only documented
+	 * way to get WaitForSlotEvent to return. Also note: for non-thread
+	 * safe tokens, we need to hold the module lock, this is not yet at
+	 * system shutdown/startup time, so we need to protect these calls */
+	crv = PK11_GETTAB(mod)->C_Finalize(NULL);
+	/* ok, we slammed the module down, now we need to reinit it in case
+	 * we intend to use it again */
+	if (CKR_OK == crv) {
+            PRBool alreadyLoaded;
+	    secmod_ModuleInit(mod, &alreadyLoaded);
+	} else {
+	    /* Finalized failed for some reason,  notify the application
+	     * so maybe it has a prayer of recovering... */
+	    PORT_SetError(PK11_MapError(crv));
+	    rv = SECFailure;
+	}
+    } else if (controlMask & SECMOD_WAIT_SIMULATED_EVENT) {
+	mod->evControlMask &= ~SECMOD_WAIT_SIMULATED_EVENT; 
+				/* Simulated events will eventually timeout
+				 * and wake up in the loop */
+    }
+loser:
+    PZ_Unlock(mod->refLock);
+    return rv;
+}
+
+/*
+ * check to see if the module has removable slots that we may need to
+ * watch for.
+ */
+PRBool
+SECMOD_HasRemovableSlots(SECMODModule *mod)
+{
+    int i;
+    PRBool ret = PR_FALSE;
+
+    SECMOD_GetReadLock(moduleLock);
+    for (i=0; i < mod->slotCount; i++) {
+	PK11SlotInfo *slot = mod->slots[i];
+	/* perm modules are not inserted or removed */
+	if (slot->isPerm) {
+	    continue;
+	}
+	ret = PR_TRUE;
+	break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    return ret;
+}
+
+/*
+ * helper function to actually create and destroy user defined slots
+ */
+static SECStatus
+secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec)
+{
+    PK11SlotInfo *slot = PK11_GetInternalSlot();
+    CK_OBJECT_HANDLE dummy;
+    CK_ATTRIBUTE template[2] ;
+    CK_ATTRIBUTE *attrs = template;
+    SECStatus rv;
+    CK_RV crv;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC , (unsigned char *)sendSpec,
+					 strlen(sendSpec)+1); attrs++;
+
+    PORT_Assert(attrs-template <= 2);
+
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_CreateNewObject(slot, slot->session,
+	template, attrs-template, PR_FALSE, &dummy);
+    PK11_ExitSlotMonitor(slot);
+
+    if (crv != CKR_OK) {
+	PK11_FreeSlot(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    rv = SECMOD_UpdateSlotList(slot->module);
+    PK11_FreeSlot(slot);
+    return rv;
+}
+
+/*
+ * add escapes to protect quote characters...
+ */
+static char *
+nss_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+        if ((*src == quote) || (*src == '\\')) escapes++;
+        size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1);
+    if (newString == NULL) {
+        return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+        if ((*src == '\\') || (*src == quote)) {
+            *dest++ = '\\';
+        }
+        *dest = *src;
+    }
+
+    return newString;
+}
+
+static char *
+nss_doubleEscape(const char *string)
+{
+    char *round1 = NULL;
+    char *retValue = NULL;
+    if (string == NULL) {
+        goto done;
+    }
+    round1 = nss_addEscape(string,'>');
+    if (round1) {
+        retValue = nss_addEscape(round1,']');
+        PORT_Free(round1);
+    }
+
+done:
+    if (retValue == NULL) {
+        retValue = PORT_Strdup("");
+    }
+    return retValue;
+}
+
+/*
+ * Open a new database using the softoken. The caller is responsible for making
+ * sure the module spec is correct and usable. The caller should ask for one
+ * new database per call if the caller wants to get meaningful information 
+ * about the new database.
+ *
+ * moduleSpec is the same data that you would pass to softoken at 
+ * initialization time under the 'tokens' options. For example, if you were
+ * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
+ * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
+ * module spec here. The slot ID will be calculated for you by 
+ * SECMOD_OpenUserDB().
+ *
+ * Typical parameters here are configdir, tokenDescription and flags.
+ *
+ * a Full list is below:
+ *
+ *
+ *  configDir - The location of the databases for this token. If configDir is 
+ *         not specified, and noCertDB and noKeyDB is not specified, the load
+ *         will fail.
+ *   certPrefix - Cert prefix for this token.
+ *   keyPrefix - Prefix for the key database for this token. (if not specified,
+ *         certPrefix will be used).
+ *   tokenDescription - The label value for this token returned in the 
+ *         CK_TOKEN_INFO structure with an internationalize string (UTF8). 
+ *         This value will be truncated at 32 bytes (no NULL, partial UTF8 
+ *         characters dropped). You should specify a user friendly name here
+ *         as this is the value the token will be refered to in most 
+ *         application UI's. You should make sure tokenDescription is unique.
+ *   slotDescription - The slotDescription value for this token returned 
+ *         in the CK_SLOT_INFO structure with an internationalize string 
+ *         (UTF8). This value will be truncated at 64 bytes (no NULL, partial 
+ *         UTF8 characters dropped). This name will not change after the 
+ *         database is closed. It should have some number to make this unique.
+ *   minPWLen - minimum password length for this token.
+ *   flags - comma separated list of flag values, parsed case-insensitive.
+ *         Valid flags are:
+ *              readOnly - Databases should be opened read only.
+ *              noCertDB - Don't try to open a certificate database.
+ *              noKeyDB - Don't try to open a key database.
+ *              forceOpen - Don't fail to initialize the token if the 
+ *                databases could not be opened.
+ *              passwordRequired - zero length passwords are not acceptable 
+ *                (valid only if there is a keyDB).
+ *              optimizeSpace - allocate smaller hash tables and lock tables.
+ *                When this flag is not specified, Softoken will allocate 
+ *                large tables to prevent lock contention. 
+ */
+PK11SlotInfo *
+SECMOD_OpenUserDB(const char *moduleSpec)
+{
+    CK_SLOT_ID slotID = 0;
+    char *escSpec;
+    char *sendSpec;
+    SECStatus rv;
+    SECMODModule *mod;
+    CK_SLOT_ID i, minSlotID, maxSlotID;
+    PRBool found = PR_FALSE;
+
+    if (moduleSpec == NULL) {
+	return NULL;
+    }
+
+    /* NOTE: unlike most PK11 function, this does not return a reference
+     * to the module */
+    mod = SECMOD_GetInternalModule();
+    if (!mod) {
+	/* shouldn't happen */
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+
+    /* look for a free slot id on the internal module */
+    if (mod->isFIPS) {
+	minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
+	maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
+    } else {
+	minSlotID = SFTK_MIN_USER_SLOT_ID;
+	maxSlotID = SFTK_MAX_USER_SLOT_ID;
+    }
+    for (i=minSlotID; i < maxSlotID; i++) {
+	PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, i);
+	if (slot) {
+	    PRBool present = PK11_IsPresent(slot);
+	    PK11_FreeSlot(slot);
+	    if (present) {
+		continue;
+	    }
+	    /* not present means it's available */
+	}
+	/* it doesn't exist or isn't present, it's available */
+	slotID = i;
+	found = PR_TRUE;
+	break;
+    }
+
+    if (!found) {
+	/* this could happen if we try to open too many slots */
+	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
+	return NULL;
+    }
+
+    /* we've found the slot, now build the moduleSpec */
+
+    escSpec = nss_doubleEscape(moduleSpec);
+    if (escSpec == NULL) {
+	return NULL;
+    }
+    sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
+    PORT_Free(escSpec);
+
+    if (sendSpec == NULL) {
+	/* PR_smprintf does not set no memory error */
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    rv = secmod_UserDBOp(CKO_NETSCAPE_NEWSLOT, sendSpec);
+    PR_smprintf_free(sendSpec);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    return SECMOD_FindSlotByID(mod, slotID);
+}
+
+/*
+ * close an already opened user database. NOTE: the database must be
+ * in the internal token, and must be one created with SECMOD_OpenUserDB().
+ * Once the database is closed, the slot will remain as an empty slot
+ * until it's used again with SECMOD_OpenUserDB().
+ */
+SECStatus
+SECMOD_CloseUserDB(PK11SlotInfo *slot)
+{
+    SECStatus rv;
+    char *sendSpec;
+
+    if (!slot->isInternal) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    
+    sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID);
+    if (sendSpec == NULL) {
+	/* PR_smprintf does not set no memory error */
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    rv = secmod_UserDBOp(CKO_NETSCAPE_DELSLOT, sendSpec);
+    PR_smprintf_free(sendSpec);
+    return rv;
+}
diff --git a/security/nss/lib/pk11wrap/secmod.h b/security/nss/lib/pk11wrap/secmod.h
new file mode 100644
index 000000000..aae997cce
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmod.h
@@ -0,0 +1,179 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _SECMOD_H_
+#define _SEDMOD_H_
+#include "seccomon.h"
+#include "secmodt.h"
+#include "prinrval.h"
+
+/* These mechanisms flags are visible to all other libraries. */
+/* They must be converted to internal SECMOD_*_FLAG */
+/* if used inside the functions of the security library */
+#define PUBLIC_MECH_RSA_FLAG         0x00000001ul
+#define PUBLIC_MECH_DSA_FLAG         0x00000002ul
+#define PUBLIC_MECH_RC2_FLAG         0x00000004ul
+#define PUBLIC_MECH_RC4_FLAG         0x00000008ul
+#define PUBLIC_MECH_DES_FLAG         0x00000010ul
+#define PUBLIC_MECH_DH_FLAG          0x00000020ul
+#define PUBLIC_MECH_FORTEZZA_FLAG    0x00000040ul
+#define PUBLIC_MECH_RC5_FLAG         0x00000080ul
+#define PUBLIC_MECH_SHA1_FLAG        0x00000100ul
+#define PUBLIC_MECH_MD5_FLAG         0x00000200ul
+#define PUBLIC_MECH_MD2_FLAG         0x00000400ul
+#define PUBLIC_MECH_SSL_FLAG         0x00000800ul
+#define PUBLIC_MECH_TLS_FLAG         0x00001000ul
+#define PUBLIC_MECH_AES_FLAG         0x00002000ul
+#define PUBLIC_MECH_SHA256_FLAG      0x00004000ul
+#define PUBLIC_MECH_SHA512_FLAG      0x00008000ul
+#define PUBLIC_MECH_CAMELLIA_FLAG    0x00010000ul
+
+#define PUBLIC_MECH_RANDOM_FLAG      0x08000000ul
+#define PUBLIC_MECH_FRIENDLY_FLAG    0x10000000ul
+#define PUBLIC_OWN_PW_DEFAULTS       0X20000000ul
+#define PUBLIC_DISABLE_FLAG          0x40000000ul
+
+/* warning: reserved means reserved */
+#define PUBLIC_MECH_RESERVED_FLAGS   0x87FF0000ul
+
+/* These cipher flags are visible to all other libraries, */
+/* But they must be converted before used in functions */
+/* withing the security module */
+#define PUBLIC_CIPHER_FORTEZZA_FLAG  0x00000001ul
+
+/* warning: reserved means reserved */
+#define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul
+
+SEC_BEGIN_PROTOS
+
+/*
+ * the following functions are going to be deprecated in NSS 4.0 in
+ * favor of the new stan functions.
+ */
+
+/* Initialization */
+extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
+							PRBool recurse);
+
+extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec,SECMODModule *parent,
+							PRBool recurse);
+
+SECStatus SECMOD_UnloadUserModule(SECMODModule *mod);
+
+SECMODModule * SECMOD_CreateModule(const char *lib, const char *name,
+					const char *param, const char *nss);
+
+
+/* Module Management */
+char **SECMOD_GetModuleSpecList(SECMODModule *module);
+SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module,char **moduleSpecList);
+
+ 
+/* protoypes */
+/* Get a list of active PKCS #11 modules */
+extern SECMODModuleList *SECMOD_GetDefaultModuleList(void); 
+/* Get a list of defined but not loaded PKCS #11 modules */
+extern SECMODModuleList *SECMOD_GetDeadModuleList(void);
+/* Get a list of Modules which define PKCS #11 modules to load */
+extern SECMODModuleList *SECMOD_GetDBModuleList(void);
+
+/* lock to protect all three module lists above */
+extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
+
+extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
+
+/* lock management */
+extern void SECMOD_GetReadLock(SECMODListLock *);
+extern void SECMOD_ReleaseReadLock(SECMODListLock *);
+
+/* Operate on modules by name */
+extern SECMODModule *SECMOD_FindModule(const char *name);
+extern SECStatus SECMOD_DeleteModule(const char *name, int *type);
+extern SECStatus SECMOD_DeleteModuleEx(const char * name, 
+                                       SECMODModule *mod, 
+                                       int *type, 
+                                       PRBool permdb);
+extern SECStatus SECMOD_DeleteInternalModule(const char *name);
+extern PRBool SECMOD_CanDeleteInternalModule(void);
+extern SECStatus SECMOD_AddNewModule(const char* moduleName, 
+			      const char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags);
+extern SECStatus SECMOD_AddNewModuleEx(const char* moduleName,
+			      const char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags,
+                              char* modparms,
+                              char* nssparms);
+
+/* database/memory management */
+extern SECMODModule *SECMOD_GetInternalModule(void);
+extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
+extern void SECMOD_DestroyModule(SECMODModule *module);
+extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
+							unsigned long slotID);
+extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,const char *name);
+
+/* Funtion reports true if at least one of the modules */
+/* of modType has been installed */
+PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
+
+/* Functions used to convert between internal & public representation
+ * of Mechanism Flags and Cipher Enable Flags */
+extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
+extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
+
+PRBool SECMOD_HasRemovableSlots(SECMODModule *mod);
+PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, 
+				unsigned long flags, PRIntervalTime latency);
+/*
+ * Warning: the SECMOD_CancelWait function is highly destructive, potentially 
+ * finalizing  the module 'mod' (causing inprogress operations to fail, 
+ * and session key material to disappear). It should only be called when 
+ * shutting down  the module. 
+ */
+SECStatus SECMOD_CancelWait(SECMODModule *mod);
+/*
+ * check to see if the module has added new slots. PKCS 11 v2.20 allows for
+ * modules to add new slots, but never remove them. Slots not be added between 
+ * a call to C_GetSlotLlist(Flag, NULL, &count) and the corresponding
+ * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
+ * grow on the caller. It is permissible for the slots to increase between
+ * corresponding calls with NULL to get the size.
+ */
+SECStatus SECMOD_UpdateSlotList(SECMODModule *mod);
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
new file mode 100644
index 000000000..9af31ef20
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -0,0 +1,177 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal header file included only by files in pkcs11 dir, or in
+ * pkcs11 specific client and server files.
+ */
+#ifndef _SECMODI_H_
+#define _SECMODI_H_ 1
+#include "pkcs11.h"
+#include "nssilock.h"
+#include "mcom_db.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "keyt.h"
+
+SEC_BEGIN_PROTOS
+
+/* proto-types */
+extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
+extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
+extern SECStatus SECMOD_Shutdown(void);
+void nss_DumpModuleLog(void);
+
+extern int secmod_PrivateModuleCount;
+
+extern void SECMOD_Init(void);
+SECStatus secmod_ModuleInit(SECMODModule *mod, PRBool* alreadyLoaded);
+
+/* list managment */
+extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule);
+extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule);
+extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule);
+extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
+extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
+extern SECMODListLock *SECMOD_NewListLock(void);
+extern void SECMOD_DestroyListLock(SECMODListLock *);
+extern void SECMOD_GetWriteLock(SECMODListLock *);
+extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
+
+/* Operate on modules by name */
+extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
+
+/* database/memory management */
+extern SECMODModuleList *SECMOD_NewModuleListElement(void);
+extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
+extern void SECMOD_DestroyModuleList(SECMODModuleList *);
+extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
+
+extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
+extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
+
+/* Library functions */
+SECStatus SECMOD_LoadPKCS11Module(SECMODModule *);
+SECStatus SECMOD_UnloadModule(SECMODModule *);
+void SECMOD_SetInternalModule(SECMODModule *);
+
+void SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot);
+CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
+                                                         CK_VOID_PTR pdata);
+void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib);
+CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
+					CK_ATTRIBUTE *inTemplate,int tsize);
+CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
+			CK_ATTRIBUTE *inTemplate,int tsize, int *objCount);
+SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
+				 PK11DefaultArrayEntry *entry, PRBool add);
+
+#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+                               const CK_ATTRIBUTE *theTemplate, int count,
+                                PRBool token, CK_OBJECT_HANDLE *objectID);
+
+SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech);
+SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, 
+				PRArenaPool *arena, SECAlgorithmID *algId);
+
+PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
+	CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType, 
+	int keySize, SECItem *keyId, CK_FLAGS opFlags, 
+	PK11AttrFlags attrFlags, void *wincx);
+
+CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+                   SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
+
+
+extern void pk11sdr_Init(void);
+extern void pk11sdr_Shutdown(void);
+
+/*
+ * Private to pk11wrap.
+ */
+
+PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);
+CK_SESSION_HANDLE pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner);
+void pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE sess, PRBool own);
+PK11SymKey *pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type,
+						CK_ATTRIBUTE_TYPE operation);
+/* Convert key operation flags to PKCS #11 attributes. */
+unsigned int pk11_OpFlagsToAttributes(CK_FLAGS flags, 
+				CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue);
+/* Check for bad (conflicting) attribute flags */
+PRBool pk11_BadAttrFlags(PK11AttrFlags attrFlags);
+/* Convert key attribute flags to PKCS #11 attributes. */
+unsigned int pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags,
+		CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue, CK_BBOOL *ckFalse);
+PRBool pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
+					CK_ATTRIBUTE_TYPE target);
+
+CK_MECHANISM_TYPE pk11_mapWrapKeyType(KeyType keyType);
+PK11SymKey *pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+		CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, PRBool isPerm,
+						PK11SymKey *symKey);
+
+PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert,
+							 CERTCertTrust *trust);
+CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert(CERTCertificate *cert,
+					 PK11SlotInfo **slot, void *wincx);
+SECStatus pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts,
+							void *wincx);
+int PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
+						int templateCount);
+SECItem *pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, 
+						CK_OBJECT_HANDLE handle);
+SECStatus PK11_TraverseSlot(PK11SlotInfo *slot, void *arg);
+CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, 
+							SECItem *keyID);
+SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
+			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
+CERTCertificate *PK11_MakeCertFromHandle(PK11SlotInfo *slot,
+			CK_OBJECT_HANDLE certID, CK_ATTRIBUTE *privateLabel);
+
+SECItem *pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen);
+SECItem *pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, 
+				 SECItem *iv, int keyLen);
+
+SEC_END_PROTOS
+
+#endif
+
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
new file mode 100644
index 000000000..0d11f2215
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -0,0 +1,502 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+
+#include "nssrwlkt.h"
+#include "nssilckt.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11t.h"
+
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef NSSRWLock SECMODListLock;
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+typedef struct PK11GenericObjectStr PK11GenericObject;
+typedef void (*PK11FreeDataFunc)(void *);
+
+struct SECMODModuleStr {
+    PLArenaPool	*arena;
+    PRBool	internal;	/* true of internally linked modules, false
+				 * for the loaded modules */
+    PRBool	loaded;		/* Set to true if module has been loaded */
+    PRBool	isFIPS;		/* Set to true if module is finst internal */
+    char	*dllName;	/* name of the shared library which implements
+				 * this module */
+    char	*commonName;	/* name of the module to display to the user */
+    void	*library;	/* pointer to the library. opaque. used only by
+				 * pk11load.c */
+    void	*functionList; /* The PKCS #11 function table */
+    PZLock	*refLock;	/* only used pk11db.c */
+    int		refCount;	/* Module reference count */
+    PK11SlotInfo **slots;	/* array of slot points attached to this mod*/
+    int		slotCount;	/* count of slot in above array */
+    PK11PreSlotInfo *slotInfo;	/* special info about slots default settings */
+    int		slotInfoCount;  /* count */
+    SECMODModuleID moduleID;	/* ID so we can find this module again */
+    PRBool	isThreadSafe;
+    unsigned long ssl[2];	/* SSL cipher enable flags */
+    char	*libraryParams;  /* Module specific parameters */
+    void *moduleDBFunc; /* function to return module configuration data*/
+    SECMODModule *parent;	/* module that loaded us */
+    PRBool	isCritical;	/* This module must load successfully */
+    PRBool	isModuleDB;	/* this module has lists of PKCS #11 modules */
+    PRBool	moduleDBOnly;	/* this module only has lists of PKCS #11 modules */
+    int		trustOrder;	/* order for this module's certificate trust rollup */
+    int		cipherOrder;	/* order for cipher operations */
+    unsigned long evControlMask; /* control the running and shutdown of slot
+				  * events (SECMOD_WaitForAnyTokenEvent) */
+    CK_VERSION  cryptokiVersion; /* version of this library */
+};
+
+/* evControlMask flags */
+/*
+ * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
+ *
+ * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
+ *  C_WaitForSlotEvent().
+ * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
+ *  which polls for token insertion and removal events.
+ * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
+ *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
+ *  should return immediately to it's caller.
+ */ 
+#define SECMOD_END_WAIT 	    0x01
+#define SECMOD_WAIT_SIMULATED_EVENT 0x02 
+#define SECMOD_WAIT_PKCS11_EVENT    0x04
+
+struct SECMODModuleListStr {
+    SECMODModuleList	*next;
+    SECMODModule	*module;
+};
+
+struct PK11SlotListStr {
+    PK11SlotListElement *head;
+    PK11SlotListElement *tail;
+    PZLock *lock;
+};
+
+struct PK11SlotListElementStr {
+    PK11SlotListElement *next;
+    PK11SlotListElement *prev;
+    PK11SlotInfo *slot;
+    int refCount;
+};
+
+struct PK11RSAGenParamsStr {
+    int keySizeInBits;
+    unsigned long pe;
+};
+
+typedef enum {
+     PK11CertListUnique = 0,     /* get one instance of all certs */
+     PK11CertListUser = 1,       /* get all instances of user certs */
+     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
+                                  * deprecated. Use PK11CertListCAUnique
+                                  */
+     PK11CertListCA = 3,         /* get all instances of CA certs */
+     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
+     PK11CertListUserUnique = 5, /* get one instance of user certs */
+     PK11CertListAll = 6         /* get all instances of all certs */
+} PK11CertListType;
+
+/*
+ * Entry into the Array which lists all the legal bits for the default flags
+ * in the slot, their definition, and the PKCS #11 mechanism the represent
+ * Always Statically allocated. 
+ */
+struct PK11DefaultArrayEntryStr {
+    char *name;
+    unsigned long flag;
+    unsigned long mechanism; /* this is a long so we don't include the 
+			      * whole pkcs 11 world to use this header */
+};
+
+
+#define SECMOD_RSA_FLAG 	0x00000001L
+#define SECMOD_DSA_FLAG 	0x00000002L
+#define SECMOD_RC2_FLAG 	0x00000004L
+#define SECMOD_RC4_FLAG 	0x00000008L
+#define SECMOD_DES_FLAG 	0x00000010L
+#define SECMOD_DH_FLAG	 	0x00000020L
+#define SECMOD_FORTEZZA_FLAG	0x00000040L
+#define SECMOD_RC5_FLAG		0x00000080L
+#define SECMOD_SHA1_FLAG	0x00000100L
+#define SECMOD_MD5_FLAG		0x00000200L
+#define SECMOD_MD2_FLAG		0x00000400L
+#define SECMOD_SSL_FLAG		0x00000800L
+#define SECMOD_TLS_FLAG		0x00001000L
+#define SECMOD_AES_FLAG 	0x00002000L
+#define SECMOD_SHA256_FLAG	0x00004000L
+#define SECMOD_SHA512_FLAG	0x00008000L	/* also for SHA384 */
+#define SECMOD_CAMELLIA_FLAG 	0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
+/* reserved bit for future, do not use */
+#define SECMOD_RESERVED_FLAG    0X08000000L
+#define SECMOD_FRIENDLY_FLAG	0x10000000L
+#define SECMOD_RANDOM_FLAG	0x80000000L
+
+/* need to make SECMOD and PK11 prefixes consistant. */
+#define PK11_OWN_PW_DEFAULTS 0x20000000L
+#define PK11_DISABLE_FLAG    0x40000000L
+
+/*
+ * PK11AttrFlags
+ *
+ * A 32-bit bitmask of PK11_ATTR_XXX flags
+ */
+typedef PRUint32 PK11AttrFlags;
+
+/*
+ * PK11_ATTR_XXX
+ *
+ * The following PK11_ATTR_XXX bitflags are used to specify
+ * PKCS #11 object attributes that have Boolean values.  Some NSS
+ * functions have a "PK11AttrFlags attrFlags" parameter whose value
+ * is the logical OR of these bitflags.  NSS use these bitflags on
+ * private keys or secret keys.  Some of these bitflags also apply
+ * to the public keys associated with the private keys.
+ *
+ * For each PKCS #11 object attribute, we need two bitflags to
+ * specify not only "true" and "false" but also "default".  For
+ * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
+ * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
+ *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
+ * to the template.  If PK11_ATTR_PUBLIC is set, we add
+ *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
+ * to the template.  If neither flag is set, we don't add any
+ * CKA_PRIVATE entry to the template.
+ */
+
+/*
+ * Attributes for PKCS #11 storage objects, which include not only
+ * keys but also certificates and domain parameters.
+ */
+
+/*
+ * PK11_ATTR_TOKEN
+ * PK11_ATTR_SESSION
+ *
+ * These two flags determine whether the object is a token or
+ * session object.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_TOKEN flag is set, the object is a token
+ * object.  If the PK11_ATTR_SESSION flag is set, the object is
+ * a session object.  If neither flag is set, the object is *by
+ * default* a session object.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_TOKEN
+ * attribute.
+ */
+#define PK11_ATTR_TOKEN         0x00000001L
+#define PK11_ATTR_SESSION       0x00000002L
+
+/*
+ * PK11_ATTR_PRIVATE
+ * PK11_ATTR_PUBLIC
+ *
+ * These two flags determine whether the object is a private or
+ * public object.  A user may not access a private object until the
+ * user has authenticated to the token.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_PRIVATE flag is set, the object is a private
+ * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
+ * public object.  If neither flag is set, it is token-specific
+ * whether the object is private or public.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_PRIVATE
+ * attribute.  NSS only uses this attribute on private and secret
+ * keys, so public keys created by NSS get the token-specific
+ * default value of the CKA_PRIVATE attribute.
+ */
+#define PK11_ATTR_PRIVATE       0x00000004L
+#define PK11_ATTR_PUBLIC        0x00000008L
+
+/*
+ * PK11_ATTR_MODIFIABLE
+ * PK11_ATTR_UNMODIFIABLE
+ *
+ * These two flags determine whether the object is modifiable or
+ * read-only.
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
+ * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
+ * is read-only.  If neither flag is set, the object is *by default*
+ * modifiable.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
+ * attribute.
+ */
+#define PK11_ATTR_MODIFIABLE    0x00000010L
+#define PK11_ATTR_UNMODIFIABLE  0x00000020L
+
+/* Attributes for PKCS #11 key objects. */
+
+/*
+ * PK11_ATTR_SENSITIVE
+ * PK11_ATTR_INSENSITIVE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
+ * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
+ * sensitive.  If neither flag is set, it is token-specific whether
+ * the key is sensitive or not.
+ *
+ * If a key is sensitive, certain attributes of the key cannot be
+ * revealed in plaintext outside the token.
+ *
+ * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
+ * attribute.  Although the default value of the CKA_SENSITIVE
+ * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
+ * tokens set the default value to CK_TRUE because only CK_TRUE
+ * is allowed.  So in practice the default value of this attribute
+ * is token-specific, hence the need for two bitflags.
+ */
+#define PK11_ATTR_SENSITIVE     0x00000040L
+#define PK11_ATTR_INSENSITIVE   0x00000080L
+
+/*
+ * PK11_ATTR_EXTRACTABLE
+ * PK11_ATTR_UNEXTRACTABLE
+ *
+ * These two flags are related and cannot both be set.
+ * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
+ * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
+ * the key is not extractable, and certain attributes of the key
+ * cannot be revealed in plaintext outside the token (just like a
+ * sensitive key).  If neither flag is set, it is token-specific
+ * whether the key is extractable or not.
+ *
+ * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
+ * attribute.
+ */
+#define PK11_ATTR_EXTRACTABLE   0x00000100L
+#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
+
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL	0	/* external module */
+#define SECMOD_INTERNAL 1	/* internal default module */
+#define SECMOD_FIPS	2	/* internal fips module */
+
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SHA256,SHA512]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+
+/*
+ * What is the origin of a given Key. Normally this doesn't matter, but
+ * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+ * hack.
+ */
+typedef enum {
+    PK11_OriginNULL = 0,	/* There is not key, it's a null SymKey */
+    PK11_OriginDerive = 1,	/* Key was derived from some other key */
+    PK11_OriginGenerated = 2,	/* Key was generated (also PBE keys) */
+    PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
+    PK11_OriginUnwrap = 4	/* Key was unwrapped or decrypted */
+} PK11Origin;
+
+/* PKCS #11 disable reasons */
+typedef enum {
+    PK11_DIS_NONE = 0,
+    PK11_DIS_USER_SELECTED = 1,
+    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+    PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+
+/* types of PKCS #11 objects 
+ * used to identify which NSS data structure is 
+ * passed to the PK11_Raw* functions. Types map as follows:
+ *   PK11_TypeGeneric            PK11GenericObject *
+ *   PK11_TypePrivKey            SECKEYPrivateKey *
+ *   PK11_TypePubKey             SECKEYPublicKey *
+ *   PK11_TypeSymKey             PK11SymKey *
+ *   PK11_TypeCert               CERTCertificate * (currently not used).
+ */
+typedef enum {
+   PK11_TypeGeneric = 0,
+   PK11_TypePrivKey = 1,
+   PK11_TypePubKey = 2,
+   PK11_TypeCert = 3,
+   PK11_TypeSymKey = 4
+} PK11ObjectType;
+
+
+
+/* function pointer type for password callback function.
+ * This type is passed in to PK11_SetPasswordFunc() 
+ */
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+
+/*
+ * Special strings the password callback function can return only if
+ * the slot is an protected auth path slot.
+ */ 
+#define PK11_PW_RETRY		"RETRY"	/* an failed attempt to authenticate
+					 * has already been made, just retry
+					 * the operation */
+#define PK11_PW_AUTHENTICATED	"AUTH"  /* a successful attempt to authenticate
+					 * has completed. Continue without
+					 * another call to C_Login */
+/* All other non-null values mean that that NSS could call C_Login to force
+ * the authentication. The following define is to aid applications in 
+ * documenting that is what it's trying to do */
+#define PK11_PW_TRY		"TRY"   /* Default: a prompt has been presented
+					 * to the user, initiate a C_Login
+					 * to authenticate the token */
+
+/*
+ * PKCS #11 key structures
+ */
+
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+
+/*
+ * token removal detection
+ */
+typedef enum {
+   PK11TokenNotRemovable = 0,
+   PK11TokenPresent = 1,
+   PK11TokenChanged = 2,
+   PK11TokenRemoved = 3
+} PK11TokenStatus;
+
+typedef enum {
+   PK11TokenRemovedOrChangedEvent = 0,
+   PK11TokenPresentEvent = 1
+} PK11TokenEvent;
+
+/*
+ * CRL Import Flags
+ */
+#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
+#define CRL_IMPORT_BYPASS_CHECKS   0x00000001
+
+
+/*
+ * Merge Error Log
+ */
+typedef struct PK11MergeLogStr PK11MergeLog;
+typedef struct PK11MergeLogNodeStr PK11MergeLogNode;
+
+/* These need to be global, leave some open fields so we can 'expand'
+ * these without breaking binary compatibility */
+struct PK11MergeLogNodeStr {
+    PK11MergeLogNode *next;   /* next entry in the list */
+    PK11MergeLogNode *prev;   /* last entry in the list */
+    PK11GenericObject *object; /* object that failed */
+    int	error;		       /* what the error was */
+    CK_RV reserved1;
+    unsigned long reserved2; /* future flags */
+    unsigned long reserved3; /* future scalar */
+    void *reserved4; 	      /* future pointer */
+    void *reserved5;	      /* future expansion pointer */
+};
+
+struct PK11MergeLogStr {
+    PK11MergeLogNode *head;
+    PK11MergeLogNode *tail;
+    PLArenaPool *arena;
+    int version;
+    unsigned long reserved1;
+    unsigned long reserved2;
+    unsigned long reserved3;
+    void *reserverd4;
+    void *reserverd5;
+};
+    
+
+#endif /*_SECMODT_H_ */
diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h
new file mode 100644
index 000000000..874a38dde
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodti.h
@@ -0,0 +1,220 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal header file included only by files in pkcs11 dir, or in
+ * pkcs11 specific client and server files.
+ */
+
+#ifndef  _SECMODTI_H_
+#define  _SECMODTI_H_ 1
+#include "prmon.h"
+#include "prtypes.h"
+#include "nssilckt.h"
+#include "pk11init.h"
+#include "secmodt.h"
+#include "pkcs11t.h"
+
+#include "nssdevt.h"
+
+/* internal data structures */
+
+/* Traverse slots callback */
+typedef struct pk11TraverseSlotStr {
+    SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *);
+    void *callbackArg;
+    CK_ATTRIBUTE *findTemplate;
+    int templateCount;
+} pk11TraverseSlot;
+
+
+/* represent a pkcs#11 slot reference counted. */
+struct PK11SlotInfoStr {
+    /* the PKCS11 function list for this slot */
+    void *functionList;
+    SECMODModule *module; /* our parent module */
+    /* Boolean to indicate the current state of this slot */
+    PRBool needTest;	/* Has this slot been tested for Export complience */
+    PRBool isPerm;	/* is this slot a permanment device */
+    PRBool isHW;	/* is this slot a hardware device */
+    PRBool isInternal;  /* is this slot one of our internal PKCS #11 devices */
+    PRBool disabled;	/* is this slot disabled... */
+    PK11DisableReasons reason; 	/* Why this slot is disabled */
+    PRBool readOnly;	/* is the token in this slot read-only */
+    PRBool needLogin;	/* does the token of the type that needs 
+			 * authentication (still true even if token is logged 
+			 * in) */
+    PRBool hasRandom;   /* can this token generated random numbers */
+    PRBool defRWSession; /* is the default session RW (we open our default 
+			  * session rw if the token can only handle one session
+			  * at a time. */
+    PRBool isThreadSafe; /* copied from the module */
+    /* The actual flags (many of which are distilled into the above PRBools) */
+    CK_FLAGS flags;      /* flags from PKCS #11 token Info */
+    /* a default session handle to do quick and dirty functions */
+    CK_SESSION_HANDLE session; 
+    PZLock *sessionLock; /* lock for this session */
+    /* our ID */
+    CK_SLOT_ID slotID;
+    /* persistant flags saved from startup to startup */
+    unsigned long defaultFlags;
+    /* keep track of who is using us so we don't accidently get freed while
+     * still in use */
+    PRInt32 refCount;    /* to be in/decremented by atomic calls ONLY! */
+    PZLock *freeListLock;
+    PK11SymKey *freeSymKeysWithSessionHead;
+    PK11SymKey *freeSymKeysHead;
+    int keyCount;
+    int maxKeyCount;
+    /* Password control functions for this slot. many of these are only
+     * active if the appropriate flag is on in defaultFlags */
+    int askpw;		/* what our password options are */
+    int timeout;	/* If we're ask_timeout, what is our timeout time is 
+			 * seconds */
+    int authTransact;   /* allow multiple authentications off one password if
+		         * they are all part of the same transaction */
+    int64 authTime;     /* when were we last authenticated */
+    int minPassword;	/* smallest legal password */
+    int maxPassword;	/* largest legal password */
+    uint16 series;	/* break up the slot info into various groups of 
+			 * inserted tokens so that keys and certs can be
+			 * invalidated */
+    uint16 flagSeries;	/* record the last series for the last event
+                         * returned for this slot */
+    PRBool flagState;	/* record the state of the last event returned for this
+			 * slot. */
+    uint16 wrapKey;	/* current wrapping key for SSL master secrets */
+    CK_MECHANISM_TYPE wrapMechanism;
+			/* current wrapping mechanism for current wrapKey */
+    CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */
+    CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
+				       * token */
+    int mechanismCount;
+    /* cache the certificates stored on the token of this slot */
+    CERTCertificate **cert_array;
+    int array_size;
+    int cert_count;
+    char serial[16];
+    /* since these are odd sizes, keep them last. They are odd sizes to 
+     * allow them to become null terminated strings */
+    char slot_name[65];
+    char token_name[33];
+    PRBool hasRootCerts;
+    PRBool hasRootTrust;
+    PRBool hasRSAInfo;
+    CK_FLAGS RSAInfoFlags;
+    PRBool protectedAuthPath;
+    PRBool isActiveCard;
+    PRIntervalTime lastLoginCheck;
+    unsigned int lastState;
+    /* for Stan */
+    NSSToken *nssToken;
+    /* fast mechanism lookup */
+    char mechanismBits[256];
+};
+
+/* Symetric Key structure. Reference Counted */
+struct PK11SymKeyStr {
+    CK_MECHANISM_TYPE type;	/* type of operation this key was created for*/
+    CK_OBJECT_HANDLE  objectID; /* object id of this key in the slot */
+    PK11SlotInfo      *slot;    /* Slot this key is loaded into */
+    void	      *cx;	/* window context in case we need to loggin */
+    PK11SymKey	      *next;
+    PRBool	      owner;
+    SECItem	      data;	/* raw key data if available */
+    CK_SESSION_HANDLE session;
+    PRBool	      sessionOwner;
+    PRInt32	      refCount;	/* number of references to this key */
+    int		      size;	/* key size in bytes */
+    PK11Origin	      origin;	/* where this key came from 
+                                 * (see def in secmodt.h) */
+    PK11SymKey        *parent;  /* potential owner key of the session */
+    uint16 series;		/* break up the slot info into various groups 
+				 * of inserted tokens so that keys and certs 
+				 * can be invalidated */
+    void *userData;		/* random data the application can attach to
+                                 * this key */
+    PK11FreeDataFunc freeFunc;	/* function to free the user data */
+};
+
+
+/*
+ * hold a hash, encryption or signing context for multi-part operations.
+ * hold enough information so that multiple contexts can be interleaved
+ * if necessary. ... Not RefCounted.
+ */
+struct PK11ContextStr {
+    CK_ATTRIBUTE_TYPE	operation; /* type of operation this context is doing
+				    * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */
+    PK11SymKey  	*key;	   /* symetric key used in this context */
+    PK11SlotInfo	*slot;	   /* slot this context is operationing on */
+    CK_SESSION_HANDLE	session;   /* session this context is using */
+    PZLock		*sessionLock; /* lock before accessing a PKCS #11 
+				       * session */
+    PRBool		ownSession;/* do we own the session? */
+    void 		*cx;	   /* window context in case we need to loggin*/
+    void		*savedData;/* save data when we are multiplexing on a
+				    * single context */
+    unsigned long	savedLength; /* length of the saved context */
+    SECItem		*param;	    /* mechanism parameters used to build this
+								context */
+    PRBool		init;	    /* has this contexted been initialized */
+    CK_MECHANISM_TYPE	type;	    /* what is the PKCS #11 this context is
+				     * representing (usually what algorithm is
+				     * being used (CKM_RSA_PKCS, CKM_DES,
+				     * CKM_SHA, etc.*/
+    PRBool		fortezzaHack; /*Fortezza SSL has some special
+				       * non-standard semantics*/
+};
+
+/*
+ * structure to hold a pointer to a unique PKCS #11 object 
+ * (pointer to the slot and the object id).
+ */
+struct PK11GenericObjectStr {
+    PK11GenericObject *prev;
+    PK11GenericObject *next;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE objectID;
+};
+
+
+#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
+
+/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
+#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+
+
+#endif /* _SECMODTI_H_ */
diff --git a/security/nss/lib/pk11wrap/secpkcs5.h b/security/nss/lib/pk11wrap/secpkcs5.h
new file mode 100644
index 000000000..3858563b6
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secpkcs5.h
@@ -0,0 +1,94 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+#include "seccomon.h"
+#include "secmodt.h"
+
+/* used for V2 PKCS 12 Draft Spec */
+typedef enum {
+    pbeBitGenIDNull = 0,
+    pbeBitGenCipherKey = 0x01,
+    pbeBitGenCipherIV = 0x02,
+    pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef struct PBEBitGenContextStr PBEBitGenContext;
+
+SEC_BEGIN_PROTOS
+
+/* private */
+SECAlgorithmID *
+sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SECOidTag cipherAlgorithm,
+			SECOidTag prfAlg, SECOidTag *pPbeAlgorithm,
+			int keyLengh, SECItem *salt, int iteration);
+
+/* Get the initialization vector.  The password is passed in, hashing
+ * is performed, and the initialization vector is returned.
+ *  algid is a pointer to a PBE algorithm ID
+ *  pwitem is the password
+ * If an error occurs or the algorithm id is not a PBE algrithm,
+ * NULL is returned.  Otherwise, the iv is returned in a secitem.
+ */
+SECItem *
+SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
+
+SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
+PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
+PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algTag);
+SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
+int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
+
+/**********************************************************************
+ * Deprecated PBE functions.  Use the PBE functions in pk11func.h
+ * instead.
+ **********************************************************************/
+
+PBEBitGenContext *
+PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
+        SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
+        unsigned int iterations);
+
+void
+PBE_DestroyContext(PBEBitGenContext *context);
+
+
+SECItem *
+PBE_GenerateBits(PBEBitGenContext *context);
+
+SEC_END_PROTOS
+
+#endif /* _SECPKS5_H_ */
diff --git a/security/nss/lib/pkcs12/Makefile b/security/nss/lib/pkcs12/Makefile
new file mode 100644
index 000000000..09182f0ea
--- /dev/null
+++ b/security/nss/lib/pkcs12/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/pkcs12/config.mk b/security/nss/lib/pkcs12/config.mk
new file mode 100644
index 000000000..9554ab4a5
--- /dev/null
+++ b/security/nss/lib/pkcs12/config.mk
@@ -0,0 +1,48 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn
new file mode 100644
index 000000000..fd4bdb1dc
--- /dev/null
+++ b/security/nss/lib/pkcs12/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	pkcs12t.h \
+	pkcs12.h \
+	p12plcy.h \
+	p12.h \
+	p12t.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	p12local.c \
+	p12creat.c \
+	p12dec.c \
+	p12plcy.c \
+	p12tmpl.c \
+	p12e.c \
+	p12d.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkcs12
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
new file mode 100644
index 000000000..852047c1f
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12.h
@@ -0,0 +1,212 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _P12_H_
+#define _P12_H_
+
+#include "secoid.h"
+#include "key.h"
+#include "secpkcs7.h"
+#include "p12t.h"
+
+typedef int (PR_CALLBACK * PKCS12OpenFunction)(void *arg);
+typedef int (PR_CALLBACK * PKCS12ReadFunction)(void *arg,
+                                               unsigned char *buffer, 
+                                               unsigned int *lenRead,
+                                               unsigned int maxLen);
+typedef int (PR_CALLBACK * PKCS12WriteFunction)(void *arg,
+                                                unsigned char *buffer, 
+                                                unsigned int *bufLen,
+                                                unsigned int *lenWritten);
+typedef int (PR_CALLBACK * PKCS12CloseFunction)(void *arg);
+typedef SECStatus (PR_CALLBACK * PKCS12UnicodeConvertFunction)(
+                                 PLArenaPool *arena,
+                                 SECItem *dest, SECItem *src,
+                                 PRBool toUnicode,
+                                 PRBool swapBytes);
+typedef void (PR_CALLBACK * SEC_PKCS12EncoderOutputCallback)(
+                            void *arg, const char *buf,
+                            unsigned long len);
+typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)(
+                            void *arg, const char *buf,
+                            unsigned long len);
+typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)(
+                                 SECItem *old_nickname,
+                                 PRBool *cancel,
+                                 void *arg);
+
+
+
+
+typedef SECStatus (PR_CALLBACK *digestOpenFn)(void *arg, PRBool readData);
+typedef SECStatus (PR_CALLBACK *digestCloseFn)(void *arg, PRBool removeFile);
+typedef int (PR_CALLBACK *digestIOFn)(void *arg, unsigned char *buf, 
+                                      unsigned long len);
+
+typedef struct SEC_PKCS12ExportContextStr SEC_PKCS12ExportContext;
+typedef struct SEC_PKCS12SafeInfoStr SEC_PKCS12SafeInfo;
+typedef struct SEC_PKCS12DecoderContextStr SEC_PKCS12DecoderContext;
+typedef struct SEC_PKCS12DecoderItemStr SEC_PKCS12DecoderItem;
+
+struct sec_PKCS12PasswordModeInfo {
+    SECItem	*password;
+    SECOidTag	algorithm;
+};
+
+struct sec_PKCS12PublicKeyModeInfo {
+    CERTCertificate	*cert;
+    CERTCertDBHandle *certDb;
+    SECOidTag	algorithm;
+    int keySize;
+};
+
+struct SEC_PKCS12DecoderItemStr {
+    SECItem *der;
+    SECOidTag type;
+    PRBool hasKey;
+    SECItem *friendlyName;      /* UTF-8 string */
+    SECAlgorithmID *shroudAlg;
+};
+    
+
+SEC_BEGIN_PROTOS
+
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
+				    CERTCertDBHandle *certDb,
+				    CERTCertificate *signer,
+				    CERTCertificate **recipients,
+				    SECOidTag algorithm, int keysize);
+
+extern SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
+				 SECItem *pwitem, SECOidTag privAlg);
+
+extern SEC_PKCS12SafeInfo *
+SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt);
+
+extern SECStatus
+SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+			       SECItem *pwitem, SECOidTag integAlg);
+extern SECStatus
+SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+				CERTCertificate *cert, CERTCertDBHandle *certDb,
+				SECOidTag algorithm, int keySize);
+
+extern SEC_PKCS12ExportContext *
+SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
+			      PK11SlotInfo *slot, void *wincx);
+
+extern SECStatus
+SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, 
+		  SEC_PKCS12SafeInfo *safe, void *nestedDest,
+		  CERTCertificate *cert, CERTCertDBHandle *certDb,
+		  SECItem *keyId, PRBool includeCertChain);
+
+extern SECStatus
+SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, 
+			SEC_PKCS12SafeInfo *safe, 
+			void *nestedDest, CERTCertificate *cert,
+			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
+			SECItem *keyId, SECItem *nickName);
+
+extern SECStatus
+SEC_PKCS12AddCertOrChainAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, 
+			CERTCertificate *cert, CERTCertDBHandle *certDb,
+			void *keySafe, void *keyNestedDest, PRBool shroudKey, 
+			SECItem *pwitem, SECOidTag algorithm,
+			PRBool includeCertChain);
+
+
+extern SECStatus
+SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, 
+			CERTCertificate *cert, CERTCertDBHandle *certDb,
+			void *keySafe, void *keyNestedDest, 
+			PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm);
+
+extern void *
+SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
+				   void *baseSafe, void *nestedDest);
+
+extern SECStatus
+SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
+		 SEC_PKCS12EncoderOutputCallback output, void *outputarg);
+
+extern void
+SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12exp);
+
+extern SEC_PKCS12DecoderContext *
+SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
+		       digestOpenFn dOpen, digestCloseFn dClose,
+		       digestIOFn dRead, digestIOFn dWrite, void *dArg);
+
+extern SECStatus
+SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
+                		   SECPKCS12TargetTokenCAs tokenCAs);
+
+extern SECStatus
+SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, unsigned char *data,
+			unsigned long len);
+
+extern void
+SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx);
+
+extern SECStatus
+SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx);
+
+extern SECStatus
+SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
+			      SEC_PKCS12NicknameCollisionCallback nicknameCb);
+
+extern SECStatus
+SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);
+
+CERTCertList *
+SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx);
+
+SECStatus
+SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx);
+
+SECStatus
+SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
+                             const SEC_PKCS12DecoderItem **ipp);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pkcs12/p12creat.c b/security/nss/lib/pkcs12/p12creat.c
new file mode 100644
index 000000000..29b0892f3
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12creat.c
@@ -0,0 +1,254 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "pkcs12.h"
+#include "secitem.h"
+#include "secport.h"
+#include "secder.h"
+#include "secoid.h"
+#include "p12local.h"
+#include "secerr.h"
+
+
+/* allocate space for a PFX structure and set up initial
+ * arena pool.  pfx structure is cleared and a pointer to
+ * the new structure is returned.
+ */
+SEC_PKCS12PFXItem *
+sec_pkcs12_new_pfx(void)
+{
+    SEC_PKCS12PFXItem   *pfx = NULL;
+    PRArenaPool     *poolp = NULL;
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);	/* XXX Different size? */
+    if(poolp == NULL)
+	goto loser;
+
+    pfx = (SEC_PKCS12PFXItem *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12PFXItem));
+    if(pfx == NULL)
+	goto loser;
+    pfx->poolp = poolp;
+
+    return pfx;
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    return NULL;
+}
+
+/* allocate space for a PFX structure and set up initial
+ * arena pool.  pfx structure is cleared and a pointer to
+ * the new structure is returned.
+ */
+SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_new_asafe(PRArenaPool *poolp)
+{
+    SEC_PKCS12AuthenticatedSafe  *asafe = NULL;
+    void *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    asafe = (SEC_PKCS12AuthenticatedSafe *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12AuthenticatedSafe));
+    if(asafe == NULL)
+	goto loser;
+    asafe->poolp = poolp;
+    PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS7ContentInfo));
+
+    PORT_ArenaUnmark(poolp, mark);
+    return asafe;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/* create a safe contents structure with a list of
+ * length 0 with the first element being NULL 
+ */
+SEC_PKCS12SafeContents *
+sec_pkcs12_create_safe_contents(PRArenaPool *poolp)
+{
+    SEC_PKCS12SafeContents *safe;
+    void *mark;
+
+    if(poolp == NULL)
+	return NULL;
+
+    /* allocate structure */
+    mark = PORT_ArenaMark(poolp);
+    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12SafeContents));
+    if(safe == NULL)
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* init list */
+    safe->contents = (SEC_PKCS12SafeBag**)PORT_ArenaZAlloc(poolp, 
+						  sizeof(SEC_PKCS12SafeBag *));
+    if(safe->contents == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+    safe->contents[0] = NULL;
+    safe->poolp       = poolp;
+    safe->safe_size   = 0;
+    PORT_ArenaUnmark(poolp, mark);
+    return safe;
+}
+
+/* create a new external bag which is appended onto the list
+ * of bags in baggage.  the bag is created in the same arena
+ * as baggage
+ */
+SEC_PKCS12BaggageItem *
+sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage)
+{
+    void *dummy, *mark;
+    SEC_PKCS12BaggageItem *bag;
+
+    if(luggage == NULL) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(luggage->poolp);
+
+    /* allocate space for null terminated bag list */
+    if(luggage->bags == NULL) {
+	luggage->bags=(SEC_PKCS12BaggageItem**)PORT_ArenaZAlloc(luggage->poolp, 
+					sizeof(SEC_PKCS12BaggageItem *));
+	if(luggage->bags == NULL) {
+	    goto loser;
+	}
+	luggage->luggage_size = 0;
+    }
+
+    /* grow the list */    
+    dummy = PORT_ArenaGrow(luggage->poolp, luggage->bags,
+    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 1),
+    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 2));
+    if(dummy == NULL) {
+	goto loser;
+    }
+    luggage->bags = (SEC_PKCS12BaggageItem**)dummy;
+
+    luggage->bags[luggage->luggage_size] = 
+    		(SEC_PKCS12BaggageItem *)PORT_ArenaZAlloc(luggage->poolp,
+    							sizeof(SEC_PKCS12BaggageItem));
+    if(luggage->bags[luggage->luggage_size] == NULL) {
+	goto loser;
+    }
+
+    /* create new bag and append it to the end */
+    bag = luggage->bags[luggage->luggage_size];
+    bag->espvks = (SEC_PKCS12ESPVKItem **)PORT_ArenaZAlloc(
+    						luggage->poolp,
+    						sizeof(SEC_PKCS12ESPVKItem *));
+    bag->unencSecrets = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(
+    						luggage->poolp,
+    						sizeof(SEC_PKCS12SafeBag *));
+    if((bag->espvks == NULL) || (bag->unencSecrets == NULL)) {
+	goto loser;
+    }
+
+    bag->poolp = luggage->poolp;
+    luggage->luggage_size++;
+    luggage->bags[luggage->luggage_size] = NULL;
+    bag->espvks[0] = NULL;
+    bag->unencSecrets[0] = NULL;
+    bag->nEspvks = bag->nSecrets = 0;
+
+    PORT_ArenaUnmark(luggage->poolp, mark);
+    return bag;
+
+loser:
+    PORT_ArenaRelease(luggage->poolp, mark);
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return NULL;
+}
+
+/* creates a baggage witha NULL terminated 0 length list */
+SEC_PKCS12Baggage *
+sec_pkcs12_create_baggage(PRArenaPool *poolp)
+{
+    SEC_PKCS12Baggage *luggage;
+    void *mark;
+
+    if(poolp == NULL)
+	return NULL;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* allocate bag */
+    luggage = (SEC_PKCS12Baggage *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12Baggage));
+    if(luggage == NULL)
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* init list */
+    luggage->bags = (SEC_PKCS12BaggageItem **)PORT_ArenaZAlloc(poolp,
+    					sizeof(SEC_PKCS12BaggageItem *));
+    if(luggage->bags == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    luggage->bags[0] = NULL;
+    luggage->luggage_size = 0;
+    luggage->poolp = poolp;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return luggage;
+}
+
+/* free pfx structure and associated items in the arena */
+void 
+SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx)
+{
+    if (pfx != NULL && pfx->poolp != NULL)
+    {
+	PORT_FreeArena(pfx->poolp, PR_TRUE);
+    }
+}
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
new file mode 100644
index 000000000..ce2bf00a3
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -0,0 +1,3552 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "nssrenam.h"
+#include "p12t.h"
+#include "p12.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12plcy.h"
+#include "p12local.h"
+#include "secder.h"
+#include "secport.h"
+
+#include "certdb.h"
+
+#include "prcpucfg.h"
+
+typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext;
+
+/* Opaque structure for decoding SafeContents.  These are used
+ * for each authenticated safe as well as any nested safe contents.
+ */
+struct sec_PKCS12SafeContentsContextStr {
+    /* the parent decoder context */
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* memory arena to allocate space from */
+    PRArenaPool *arena;
+
+    /* decoder context and destination for decoding safe contents */
+    SEC_ASN1DecoderContext *safeContentsDcx;
+    sec_PKCS12SafeContents safeContents;
+
+    /* information for decoding safe bags within the safe contents.
+     * these variables are updated for each safe bag decoded.
+     */
+    SEC_ASN1DecoderContext *currentSafeBagDcx;
+    sec_PKCS12SafeBag *currentSafeBag;
+    PRBool skipCurrentSafeBag;
+
+    /* if the safe contents is nested, the parent is pointed to here. */
+    sec_PKCS12SafeContentsContext *nestedCtx;
+};
+
+/* opaque decoder context structure.  information for decoding a pkcs 12
+ * PDU are stored here as well as decoding pointers for intermediary 
+ * structures which are part of the PKCS 12 PDU.  Upon a successful
+ * decode, the safe bags containing certificates and keys encountered.
+ */  
+struct SEC_PKCS12DecoderContextStr {
+    PRArenaPool *arena;
+    PK11SlotInfo *slot;
+    void *wincx;
+    PRBool error;
+    int errorValue;
+
+    /* password */
+    SECItem *pwitem;
+
+    /* used for decoding the PFX structure */
+    SEC_ASN1DecoderContext *pfxDcx;
+    sec_PKCS12PFXItem pfx;
+
+    /* safe bags found during decoding */  
+    sec_PKCS12SafeBag **safeBags;
+    unsigned int safeBagCount;
+
+    /* state variables for decoding authenticated safes. */
+    SEC_PKCS7DecoderContext *currentASafeP7Dcx;
+    SEC_ASN1DecoderContext *aSafeDcx;
+    SEC_PKCS7DecoderContext *aSafeP7Dcx;
+    sec_PKCS12AuthenticatedSafe authSafe;
+    SEC_PKCS7ContentInfo *aSafeCinfo;
+    sec_PKCS12SafeContents safeContents;
+
+    /* safe contents info */
+    unsigned int safeContentsCnt;
+    sec_PKCS12SafeContentsContext **safeContentsList;
+
+    /* HMAC info */
+    sec_PKCS12MacData	macData;
+    SEC_ASN1DecoderContext *hmacDcx;
+
+    /* routines for reading back the data to be hmac'd */
+    digestOpenFn dOpen;
+    digestCloseFn dClose;
+    digestIOFn dRead, dWrite;
+    void *dArg;
+
+    /* helper functions */
+    SECKEYGetPasswordKey pwfn;
+    void *pwfnarg;
+    PRBool swapUnicodeBytes;
+
+    /* import information */
+    PRBool bagsVerified;
+
+    /* buffer management for the default callbacks implementation */
+    void        *buffer;      /* storage area */
+    PRInt32     filesize;     /* actual data size */
+    PRInt32     allocated;    /* total buffer size allocated */
+    PRInt32     currentpos;   /* position counter */
+    SECPKCS12TargetTokenCAs tokenCAs;
+    sec_PKCS12SafeBag **keyList;/* used by ...IterateNext() */
+    unsigned int iteration;
+    SEC_PKCS12DecoderItem decitem;
+};
+
+
+/* make sure that the PFX version being decoded is a version
+ * which we support.
+ */
+static PRBool
+sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx)
+{
+    /* if no version, assume it is not supported */
+    if(pfx->version.len == 0) {
+	return PR_FALSE;
+    }
+
+    if(DER_GetInteger(&pfx->version) > SEC_PKCS12_VERSION) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/* retrieve the key for decrypting the safe contents */ 
+static PK11SymKey *
+sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
+{
+    SEC_PKCS12DecoderContext *p12dcx =
+	(SEC_PKCS12DecoderContext *) arg;
+    PK11SlotInfo *slot;
+    PK11SymKey *bulkKey;
+
+    if(!p12dcx) {
+	return NULL;
+    }
+
+    /* if no slot specified, use the internal key slot */
+    if(p12dcx->slot) {
+	slot = PK11_ReferenceSlot(p12dcx->slot);
+    } else {
+	slot = PK11_GetInternalKeySlot();
+    }
+
+    bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, 
+						PR_FALSE, p12dcx->wincx);
+    /* some tokens can't generate PBE keys on their own, generate the
+     * key in the internal slot, and let the Import code deal with it,
+     * (if the slot can't generate PBEs, then we need to use the internal
+     * slot anyway to unwrap). */
+    if (!bulkKey && !PK11_IsInternal(slot)) {
+	PK11_FreeSlot(slot);
+	slot = PK11_GetInternalKeySlot();
+	bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, 
+						PR_FALSE, p12dcx->wincx);
+    }
+    PK11_FreeSlot(slot);
+
+    /* set the password data on the key */
+    if (bulkKey) {
+        PK11_SetSymKeyUserData(bulkKey,p12dcx->pwitem, NULL);
+    }
+
+
+    return bulkKey;
+}
+
+/* XXX this needs to be modified to handle enveloped data.  most
+ * likely, it should mirror the routines for SMIME in that regard.
+ */
+static PRBool
+sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid, 
+				      PK11SymKey *bulkkey)
+{
+    PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid);
+
+    if(!decryptionAllowed) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/* when we encounter a new safe bag during the decoding, we need
+ * to allocate space for the bag to be decoded to and set the 
+ * state variables appropriately.  all of the safe bags are allocated
+ * in a buffer in the outer SEC_PKCS12DecoderContext, however,
+ * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext
+ * for the current bag.
+ */
+static SECStatus
+sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext 
+						*safeContentsCtx)
+{
+    void *mark = NULL;
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* make sure that the structures are defined, and there has
+     * not been an error in the decoding 
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    p12dcx = safeContentsCtx->p12dcx;
+    mark = PORT_ArenaMark(p12dcx->arena);
+
+    /* allocate a new safe bag, if bags already exist, grow the 
+     * list of bags, otherwise allocate a new list.  the list is
+     * NULL terminated.
+     */
+    if(p12dcx->safeBagCount) {
+	p12dcx->safeBags = 
+	    (sec_PKCS12SafeBag**)PORT_ArenaGrow(p12dcx->arena,p12dcx->safeBags,
+			(p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+			(p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+    } else {
+	p12dcx->safeBags = (sec_PKCS12SafeBag**)PORT_ArenaZAlloc(p12dcx->arena,
+					    2 * sizeof(sec_PKCS12SafeBag *));
+    }
+    if(!p12dcx->safeBags) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    /* append the bag to the end of the list and update the reference
+     * in the safeContentsCtx.
+     */
+    p12dcx->safeBags[p12dcx->safeBagCount] = 
+    safeContentsCtx->currentSafeBag = 
+        (sec_PKCS12SafeBag*)PORT_ArenaZAlloc(p12dcx->arena,
+					     sizeof(sec_PKCS12SafeBag));
+    if(!safeContentsCtx->currentSafeBag) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+    p12dcx->safeBags[++p12dcx->safeBagCount] = NULL;
+
+    safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot;
+    safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem;
+    safeContentsCtx->currentSafeBag->swapUnicodeBytes = 
+				safeContentsCtx->p12dcx->swapUnicodeBytes;
+    safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena;
+    safeContentsCtx->currentSafeBag->tokenCAs = 
+				safeContentsCtx->p12dcx->tokenCAs;
+
+    PORT_ArenaUnmark(p12dcx->arena, mark);
+    return SECSuccess;
+
+loser:
+
+    /* if an error occurred, release the memory and set the error flag
+     * the only possible errors triggered by this function are memory 
+     * related.
+     */
+    if(mark) {
+	PORT_ArenaRelease(p12dcx->arena, mark);
+    }
+
+    p12dcx->error = PR_TRUE;
+    return SECFailure;
+}
+
+/* A wrapper for updating the ASN1 context in which a safeBag is
+ * being decoded.  This function is called as a callback from
+ * secasn1d when decoding SafeContents structures.
+ */
+static void
+sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
+				   unsigned long len, int depth, 
+				   SEC_ASN1EncodingPart data_kind)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* make sure that we are not skipping the current safeBag,
+     * and that there are no errors.  If so, just return rather
+     * than continuing to process.
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error 
+		|| safeContentsCtx->skipCurrentSafeBag) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagDcx, data, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* set the error, and finish the decoder context.  because there 
+     * is not a way of returning an error message, it may be worth
+     * while to do a check higher up and finish any decoding contexts
+     * that are still open.
+     */
+    p12dcx->error = PR_TRUE;
+    SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+    safeContentsCtx->currentSafeBagDcx = NULL;
+    return;
+}
+
+/* forward declarations of functions that are used when decoding
+ * safeContents bags which are nested and when decoding the 
+ * authenticatedSafes.
+ */
+static SECStatus
+sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
+							*safeContentsCtx);
+static SECStatus
+sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
+							*safeContentsCtx);
+static void
+sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
+				   unsigned long len, int depth, 
+				   SEC_ASN1EncodingPart data_kind);
+
+/* notify function for decoding safeBags.  This function is
+ * used to filter safeBag types which are not supported,
+ * initiate the decoding of nested safe contents, and decode
+ * safeBags in general.  this function is set when the decoder
+ * context for the safeBag is first created.
+ */
+static void
+sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before,
+				   void *dest, int real_depth)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    sec_PKCS12SafeBag *bag;
+    PRBool after;
+
+    /* if an error is encountered, return */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* to make things more readable */
+    if(before)
+	after = PR_FALSE;
+    else 
+	after = PR_TRUE;
+
+    /* have we determined the safeBagType yet? */
+    bag = safeContentsCtx->currentSafeBag;
+    if(bag->bagTypeTag == NULL) {
+	if(after && (dest == &(bag->safeBagType))) {
+	    bag->bagTypeTag = SECOID_FindOID(&(bag->safeBagType));
+	    if(bag->bagTypeTag == NULL) {
+		p12dcx->error = PR_TRUE;
+		p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	    }
+	}
+	return;
+    }
+
+    /* process the safeBag depending on it's type.  those
+     * which we do not support, are ignored.  we start a decoding
+     * context for a nested safeContents.
+     */
+    switch(bag->bagTypeTag->offset) {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    /* if we are just starting to decode the safeContents, initialize
+	     * a new safeContentsCtx to process it.
+	     */
+	    if(before && (dest == &(bag->safeBagContent))) {
+		sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx);
+	    } else if(after && (dest == &(bag->safeBagContent))) {
+		/* clean up the nested decoding */
+		sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx);
+	    }
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	default:
+	    /* skip any safe bag types we don't understand or handle */
+	    safeContentsCtx->skipCurrentSafeBag = PR_TRUE;
+	    break;
+    }
+
+    return;
+}
+
+/* notify function for decoding safe contents.  each entry in the
+ * safe contents is a safeBag which needs to be allocated and
+ * the decoding context initialized at the beginning and then
+ * the context needs to be closed and finished at the end.
+ *
+ * this function is set when the safeContents decode context is
+ * initialized.
+ */
+static void
+sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before,
+					void *dest, int real_depth)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext*)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* if there is an error we don't want to continue processing,
+     * just return and keep going.
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* if we are done with the current safeBag, then we need to
+     * finish the context and set the state variables appropriately.
+     */
+    if(!before) {
+	SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
+	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+	safeContentsCtx->currentSafeBagDcx = NULL;
+	safeContentsCtx->skipCurrentSafeBag = PR_FALSE;
+    } else {
+	/* we are starting a new safe bag.  we need to allocate space
+	 * for the bag and initialize the decoding context.
+	 */
+	rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx);
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+	/* set up the decoder context */
+	safeContentsCtx->currentSafeBagDcx = SEC_ASN1DecoderStart(p12dcx->arena,
+						safeContentsCtx->currentSafeBag,
+						sec_PKCS12SafeBagTemplate);
+	if(!safeContentsCtx->currentSafeBagDcx) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+
+	/* set the notify and filter procs so that the safe bag
+	 * data gets sent to the proper location when decoding.
+	 */
+	SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->currentSafeBagDcx, 
+				 sec_pkcs12_decoder_safe_bag_notify, 
+				 safeContentsCtx);
+	SEC_ASN1DecoderSetFilterProc(safeContentsCtx->safeContentsDcx, 
+				 sec_pkcs12_decoder_safe_bag_update, 
+				 safeContentsCtx, PR_TRUE);
+    }
+
+    return;
+
+loser:
+    /* in the event of an error, we want to close the decoding
+     * context and clear the filter and notify procedures.
+     */
+    p12dcx->error = PR_TRUE;
+
+    if(safeContentsCtx->currentSafeBagDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+	safeContentsCtx->currentSafeBagDcx = NULL;
+    }
+
+    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->safeContentsDcx);
+    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
+
+    return;
+}
+
+/* initialize the safeContents for decoding.  this routine
+ * is used for authenticatedSafes as well as nested safeContents.
+ */
+static sec_PKCS12SafeContentsContext *
+sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx,
+					     PRBool nestedSafe)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = NULL;
+    const SEC_ASN1Template *theTemplate;
+
+    if(!p12dcx || p12dcx->error) {
+	return NULL;
+    }
+
+    /* allocate a new safeContents list or grow the existing list and
+     * append the new safeContents onto the end.
+     */
+    if(!p12dcx->safeContentsCnt) {
+	p12dcx->safeContentsList = 
+	    (sec_PKCS12SafeContentsContext**)PORT_ArenaZAlloc(p12dcx->arena, 
+	       			 2 * sizeof(sec_PKCS12SafeContentsContext *));
+    } else {
+	p12dcx->safeContentsList = 
+	   (sec_PKCS12SafeContentsContext **) PORT_ArenaGrow(p12dcx->arena,
+			p12dcx->safeContentsList,
+			(1 + p12dcx->safeContentsCnt) * 
+				sizeof(sec_PKCS12SafeContentsContext *),
+			(2 + p12dcx->safeContentsCnt) * 
+				sizeof(sec_PKCS12SafeContentsContext *));
+    }
+    if(!p12dcx->safeContentsList) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    p12dcx->safeContentsList[p12dcx->safeContentsCnt] = safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext*)PORT_ArenaZAlloc(
+					p12dcx->arena,
+					sizeof(sec_PKCS12SafeContentsContext));
+    if(!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+    p12dcx->safeContentsList[++p12dcx->safeContentsCnt] = NULL;
+
+    /* set up the state variables */
+    safeContentsCtx->p12dcx = p12dcx;
+    safeContentsCtx->arena = p12dcx->arena;
+
+    /* begin the decoding -- the template is based on whether we are
+     * decoding a nested safeContents or not.
+     */
+    if(nestedSafe == PR_TRUE) {
+	theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate;
+    } else {
+	theTemplate = sec_PKCS12SafeContentsDecodeTemplate;
+    }
+
+    /* start the decoder context */
+    safeContentsCtx->safeContentsDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
+					&safeContentsCtx->safeContents,
+					theTemplate);
+	
+    if(!safeContentsCtx->safeContentsDcx) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    /* set the safeContents notify procedure to look for
+     * and start the decode of safeBags.
+     */
+    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->safeContentsDcx, 
+				sec_pkcs12_decoder_safe_contents_notify,
+				safeContentsCtx);
+
+    return safeContentsCtx;
+
+loser:
+    /* in the case of an error, we want to finish the decoder
+     * context and set the error flag.
+     */
+    if(safeContentsCtx && safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+
+    p12dcx->error = PR_TRUE;
+
+    return NULL;
+}
+
+/* wrapper for updating safeContents.  this is set as the filter of
+ * safeBag when there is a nested safeContents.
+ */
+static void
+sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf,
+					  unsigned long len, int depth,
+					  SEC_ASN1EncodingPart data_kind)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* check for an error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+			|| safeContentsCtx->p12dcx->error
+			|| !safeContentsCtx->safeContentsDcx) {
+	return;
+    }
+
+    /* no need to update if no data sent in */
+    if(!len || !buf) {
+	return;
+    }
+
+    /* update the decoding context */
+    p12dcx = safeContentsCtx->p12dcx;
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* handle any errors.  If a decoding context is open, close it. */
+    p12dcx->error = PR_TRUE;
+    if(safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+}
+
+/* whenever a new safeContentsSafeBag is encountered, we need
+ * to init a safeContentsContext.  
+ */
+static SECStatus  
+sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
+							*safeContentsCtx)
+{
+    /* check for an error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    safeContentsCtx->nestedCtx = sec_pkcs12_decoder_safe_contents_init_decode(
+						safeContentsCtx->p12dcx,
+						PR_TRUE);
+    if(!safeContentsCtx->nestedCtx) {
+	return SECFailure;
+    }
+
+    /* set up new filter proc */
+    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx,
+				 sec_pkcs12_decoder_safe_contents_notify,
+				 safeContentsCtx->nestedCtx);
+    SEC_ASN1DecoderSetFilterProc(safeContentsCtx->currentSafeBagDcx,
+				 sec_pkcs12_decoder_nested_safe_contents_update,
+				 safeContentsCtx->nestedCtx, PR_TRUE);
+
+    return SECSuccess;
+}
+
+/* when the safeContents is done decoding, we need to reset the
+ * proper filter and notify procs and close the decoding context 
+ */
+static SECStatus
+sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
+							*safeContentsCtx)
+{
+    /* check for error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* clean up */	
+    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->currentSafeBagDcx);
+    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx);
+    SEC_ASN1DecoderFinish(safeContentsCtx->nestedCtx->safeContentsDcx);
+    safeContentsCtx->nestedCtx->safeContentsDcx = NULL;
+    safeContentsCtx->nestedCtx = NULL;
+
+    return SECSuccess;
+}
+
+/* wrapper for updating safeContents.  This is used when decoding
+ * the nested safeContents and any authenticatedSafes.
+ */
+static void
+sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
+					  unsigned long len)
+{
+    SECStatus rv;
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* check for error */  
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error
+		|| !safeContentsCtx->safeContentsDcx) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* update the decoder */
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
+    if(rv != SECSuccess) {
+	/* if we fail while trying to decode a 'safe', it's probably because
+	 * we didn't have the correct password. */
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD);
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* set the error and finish the context */
+    p12dcx->error = PR_TRUE;
+    if(safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+
+    return;
+}
+
+/* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate
+ */
+static void
+sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data,
+				  unsigned long len, int depth,
+				  SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg;
+
+    SEC_PKCS7DecoderUpdate(p7dcx, data, len);
+}
+
+/* notify function for decoding aSafes.  at the beginning,
+ * of an authenticatedSafe, we start a decode of a safeContents.
+ * at the end, we clean up the safeContents decoder context and
+ * reset state variables 
+ */
+static void
+sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest, 
+			       int real_depth)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    sec_PKCS12SafeContentsContext *safeContentsCtx;
+
+    /* make sure no error occurred. */
+    p12dcx = (SEC_PKCS12DecoderContext *)arg;
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    if(before) {
+
+	/* init a new safeContentsContext */
+	safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx, 
+								PR_FALSE);
+	if(!safeContentsCtx) {
+	    goto loser;
+	}
+
+	/* initiate the PKCS7ContentInfo decode */
+	p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart(
+				sec_pkcs12_decoder_safe_contents_callback,
+				safeContentsCtx, 
+				p12dcx->pwfn, p12dcx->pwfnarg,
+				sec_pkcs12_decoder_get_decrypt_key, p12dcx,
+				sec_pkcs12_decoder_decryption_allowed);
+	if(!p12dcx->currentASafeP7Dcx) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+	SEC_ASN1DecoderSetFilterProc(p12dcx->aSafeDcx, 
+				     sec_pkcs12_decoder_wrap_p7_update,
+				     p12dcx->currentASafeP7Dcx, PR_TRUE);
+    }
+
+    if(!before) {
+	/* if one is being decoded, finish the decode */
+	if(p12dcx->currentASafeP7Dcx != NULL) {
+	    if(!SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx)) {
+		p12dcx->currentASafeP7Dcx = NULL;
+		p12dcx->errorValue = PORT_GetError();
+		goto loser;
+	    }
+	    p12dcx->currentASafeP7Dcx = NULL;
+	}
+    }
+
+
+    return;
+
+loser:
+    /* set the error flag */
+    p12dcx->error = PR_TRUE;
+    return;
+}
+
+/* wrapper for updating asafes decoding context.  this function
+ * writes data being decoded to disk, so that a mac can be computed
+ * later.  
+ */
+static void
+sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf, 
+				  unsigned long len)
+{
+    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    /* update the context */
+    rv = SEC_ASN1DecoderUpdate(p12dcx->aSafeDcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = PORT_GetError();
+	p12dcx->error = PR_TRUE;
+	goto loser;
+    }
+
+    /* if we are writing to a file, write out the new information */
+    if(p12dcx->dWrite) {
+	unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg, 	
+						   (unsigned char *)buf, len);
+	if(writeLen != len) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+    }
+
+    return;
+
+loser:
+    /* set the error flag */
+    p12dcx->error = PR_TRUE;
+    SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+    p12dcx->aSafeDcx = NULL;
+
+    return;
+}
+   
+/* start the decode of an authenticatedSafe contentInfo.
+ */ 
+static SECStatus
+sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* start the decode context */
+    p12dcx->aSafeDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
+    					&p12dcx->authSafe,
+    					sec_PKCS12AuthenticatedSafeTemplate);
+    if(!p12dcx->aSafeDcx) {
+	p12dcx->errorValue = PORT_GetError();
+   	goto loser;
+    }
+
+    /* set the notify function */
+    SEC_ASN1DecoderSetNotifyProc(p12dcx->aSafeDcx,
+    				 sec_pkcs12_decoder_asafes_notify, p12dcx);
+
+    /* begin the authSafe decoder context */
+    p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart(
+    				sec_pkcs12_decoder_asafes_callback, p12dcx,
+    				p12dcx->pwfn, p12dcx->pwfnarg, NULL, NULL, NULL);
+    if(!p12dcx->aSafeP7Dcx) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+  
+    /* open the temp file for writing, if the filter functions were set */ 
+    if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE) 
+				!= SECSuccess) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    p12dcx->error = PR_TRUE;
+
+    if(p12dcx->aSafeDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+	p12dcx->aSafeDcx = NULL;
+    } 
+
+    if(p12dcx->aSafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+	p12dcx->aSafeP7Dcx = NULL;
+    }
+
+    return SECFailure;
+}
+
+/* wrapper for updating the safeContents.  this function is used as
+ * a filter for the pfx when decoding the authenticated safes 
+ */
+static void 
+sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf,
+				      unsigned long len, int depth,
+				      SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    p12dcx = (SEC_PKCS12DecoderContext*)arg;
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    /* update the safeContents decoder */
+    rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	goto loser;
+    }
+
+    return;
+
+loser:
+
+    /* did we find an error?  if so, close the context and set the 
+     * error flag.
+     */
+    SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+    p12dcx->aSafeP7Dcx = NULL;
+    p12dcx->error = PR_TRUE;
+}
+
+/* notify procedure used while decoding the pfx.  When we encounter
+ * the authSafes, we want to trigger the decoding of authSafes as well
+ * as when we encounter the macData, trigger the decoding of it.  we do
+ * this because we we are streaming the decoder and not decoding in place.
+ * the pfx which is the destination, only has the version decoded into it.
+ */
+static void 
+sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest,
+				   int real_depth)
+{
+    SECStatus rv;
+    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext*)arg;
+
+    /* if an error occurrs, clear the notifyProc and the filterProc 
+     * and continue. 
+     */
+    if(p12dcx->error) {
+	SEC_ASN1DecoderClearNotifyProc(p12dcx->pfxDcx);
+	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
+	return;
+    }
+
+    if(before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
+
+	/* we want to make sure this is a version we support */
+	if(!sec_pkcs12_proper_version(&p12dcx->pfx)) {
+	    p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
+	    goto loser;
+	}
+
+	/* start the decode of the aSafes cinfo... */
+	rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx);
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+	/* set the filter proc to update the authenticated safes. */
+	SEC_ASN1DecoderSetFilterProc(p12dcx->pfxDcx,
+				     sec_pkcs12_decode_asafes_cinfo_update,
+				     p12dcx, PR_TRUE);
+    }
+
+    if(!before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
+
+	/* we are done decoding the authenticatedSafes, so we need to 
+	 * finish the decoderContext and clear the filter proc
+	 * and close the hmac callback, if present
+	 */
+	p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+	p12dcx->aSafeP7Dcx = NULL;
+	if(!p12dcx->aSafeCinfo) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
+	if(p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE) 
+				!= SECSuccess)) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+
+    }
+
+    return;
+
+loser:
+    p12dcx->error = PR_TRUE;
+}
+
+/*  default implementations of the open/close/read/write functions for
+    SEC_PKCS12DecoderStart 
+*/
+
+#define DEFAULT_TEMP_SIZE 4096
+
+static SECStatus
+p12u_DigestOpen(void *arg, PRBool readData)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    p12cxt->currentpos = 0;
+
+    if (PR_FALSE == readData) {
+        /* allocate an initial buffer */
+        p12cxt->filesize = 0;
+        p12cxt->allocated = DEFAULT_TEMP_SIZE;
+        p12cxt->buffer = PORT_Alloc(DEFAULT_TEMP_SIZE);
+        PR_ASSERT(p12cxt->buffer);
+    }
+    else
+    {
+        PR_ASSERT(p12cxt->buffer);
+        if (!p12cxt->buffer) {
+            return SECFailure; /* no data to read */
+        }
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+p12u_DigestClose(void *arg, PRBool removeFile)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    PR_ASSERT(p12cxt);
+    if (!p12cxt) {
+        return SECFailure;
+    }
+    p12cxt->currentpos = 0;
+
+    if (PR_TRUE == removeFile) {
+        PR_ASSERT(p12cxt->buffer);
+        if (!p12cxt->buffer) {
+            return SECFailure;
+        }
+        if (p12cxt->buffer) {
+            PORT_Free(p12cxt->buffer);
+            p12cxt->buffer = NULL;
+            p12cxt->allocated = 0;
+            p12cxt->filesize = 0;
+        }
+    }
+
+    return SECSuccess;
+}
+
+static int
+p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len)
+{
+    int toread = len;
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    if(!buf || len == 0 || !p12cxt->buffer) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return -1;
+    }
+
+    if ((p12cxt->filesize - p12cxt->currentpos) < (long)len) {
+        /* trying to read past the end of the buffer */
+        toread = p12cxt->filesize - p12cxt->currentpos;
+    }
+    memcpy(buf, (char*)p12cxt->buffer + p12cxt->currentpos, toread);
+    p12cxt->currentpos += toread;
+    return toread;
+}
+
+static int
+p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    if(!buf || len == 0) {
+        return -1;
+    }
+
+    if (p12cxt->currentpos+(long)len > p12cxt->filesize) {
+        p12cxt->filesize = p12cxt->currentpos + len;
+    }
+    else {
+        p12cxt->filesize += len;
+    }
+    if (p12cxt->filesize > p12cxt->allocated) {
+        void* newbuffer;
+        size_t newsize = p12cxt->filesize + DEFAULT_TEMP_SIZE;
+        newbuffer  = PORT_Realloc(p12cxt->buffer, newsize);
+        if (NULL == newbuffer) {
+            return -1; /* can't extend the buffer */
+        }
+        p12cxt->buffer = newbuffer;
+        p12cxt->allocated = newsize;
+    }
+    PR_ASSERT(p12cxt->buffer);
+    memcpy((char*)p12cxt->buffer + p12cxt->currentpos, buf, len);
+    p12cxt->currentpos += len;
+    return len;
+}
+
+/* SEC_PKCS12DecoderStart
+ *	Creates a decoder context for decoding a PKCS 12 PDU objct.
+ *	This function sets up the initial decoding context for the
+ *	PFX and sets the needed state variables.
+ *
+ *	pwitem - the password for the hMac and any encoded safes.
+ *		 this should be changed to take a callback which retrieves
+ *		 the password.  it may be possible for different safes to
+ *		 have different passwords.  also, the password is already
+ *		 in unicode.  it should probably be converted down below via
+ *		 a unicode conversion callback.
+ *	slot - the slot to import the dataa into should multiple slots 
+ *		 be supported based on key type and cert type?
+ *	dOpen, dClose, dRead, dWrite - digest routines for writing data
+ *		 to a file so it could be read back and the hmack recomputed
+ *		 and verified.  doesn't seem to be away for both encoding
+ *		 and decoding to be single pass, thus the need for these
+ *		 routines.
+ *	dArg - the argument for dOpen, etc.
+ *
+ *      if NULL == dOpen == dClose == dRead == dWrite == dArg, then default
+ *      implementations using a memory buffer are used
+ *
+ *	This function returns the decoder context, if it was successful.
+ *	Otherwise, null is returned.
+ */
+SEC_PKCS12DecoderContext *
+SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
+		       digestOpenFn dOpen, digestCloseFn dClose, 
+		       digestIOFn dRead, digestIOFn dWrite, void *dArg)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048); /* different size? */
+    if(!arena) {
+	return NULL;	/* error is already set */
+    }
+
+    /* allocate the decoder context and set the state variables */
+    p12dcx = (SEC_PKCS12DecoderContext*)PORT_ArenaZAlloc(arena, sizeof(SEC_PKCS12DecoderContext));
+    if(!p12dcx) {
+	goto loser;	/* error is already set */
+    }
+
+    if (!dOpen && !dClose && !dRead && !dWrite && !dArg) {
+        /* use default implementations */
+        dOpen = p12u_DigestOpen;
+        dClose = p12u_DigestClose;
+        dRead = p12u_DigestRead;
+        dWrite = p12u_DigestWrite;
+        dArg = (void*)p12dcx;
+    }
+
+    p12dcx->arena = arena;
+    p12dcx->pwitem = pwitem;
+    p12dcx->slot = (slot ? PK11_ReferenceSlot(slot) 
+						: PK11_GetInternalKeySlot());
+    p12dcx->wincx = wincx;
+    p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
+#ifdef IS_LITTLE_ENDIAN
+    p12dcx->swapUnicodeBytes = PR_TRUE;
+#else
+    p12dcx->swapUnicodeBytes = PR_FALSE;
+#endif
+    p12dcx->errorValue = 0;
+    p12dcx->error = PR_FALSE;
+
+    /* start the decoding of the PFX and set the notify proc
+     * for the PFX item.
+     */
+    p12dcx->pfxDcx = SEC_ASN1DecoderStart(p12dcx->arena, &p12dcx->pfx,
+    					  sec_PKCS12PFXItemTemplate);
+    if(!p12dcx->pfxDcx) {
+	PK11_FreeSlot(p12dcx->slot);
+	goto loser;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc(p12dcx->pfxDcx, 
+				 sec_pkcs12_decoder_pfx_notify_proc,
+    				 p12dcx); 
+    
+    /* set up digest functions */
+    p12dcx->dOpen = dOpen;
+    p12dcx->dWrite = dWrite;
+    p12dcx->dClose = dClose;
+    p12dcx->dRead = dRead;
+    p12dcx->dArg = dArg;
+    
+    p12dcx->keyList = NULL;
+    p12dcx->decitem.type = 0;
+    p12dcx->decitem.der = NULL;
+    p12dcx->decitem.hasKey = PR_FALSE;
+    p12dcx->decitem.friendlyName = NULL;
+    p12dcx->iteration = 0;
+
+    return p12dcx;
+
+loser:
+    PORT_FreeArena(arena, PR_TRUE);
+    return NULL;
+}
+
+SECStatus
+SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
+		SECPKCS12TargetTokenCAs tokenCAs)
+{
+    if (!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+    p12dcx->tokenCAs = tokenCAs;
+    return SECSuccess;
+}
+
+
+/* SEC_PKCS12DecoderUpdate 
+ *	Streaming update sending more data to the decoder.  If 
+ *	an error occurs, SECFailure is returned.
+ *
+ *	p12dcx - the decoder context 
+ *	data, len - the data buffer and length of data to send to 
+ *		the update functions.
+ */
+SECStatus
+SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx,
+			unsigned char *data, unsigned long len)
+{
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* update the PFX decoder context */
+    rv = SEC_ASN1DecoderUpdate(p12dcx->pfxDcx, (const char *)data, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+
+    p12dcx->error = PR_TRUE;
+    return SECFailure;
+}
+
+/* This should be a nice sized buffer for reading in data (potentially large 
+** amounts) to be MACed.  It should be MUCH larger than HASH_LENGTH_MAX.
+*/
+#define IN_BUF_LEN	1024
+#ifdef DEBUG
+static const char bufferEnd[] = { "BufferEnd" } ;
+#endif
+#define FUDGE 128 /* must be as large as bufferEnd or more. */
+
+/* verify the hmac by reading the data from the temporary file
+ * using the routines specified when the decodingContext was 
+ * created and return SECSuccess if the hmac matches.
+ */
+static SECStatus
+sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
+{
+    PK11Context *     pk11cx = NULL;
+    PK11SymKey *      symKey = NULL;
+    SECItem *         params = NULL;
+    unsigned char *   buf;
+    SECStatus         rv     = SECFailure;
+    SECStatus         lrv;
+    unsigned int      bufLen;
+    int               iteration;
+    int               bytesRead;
+    SECOidTag         algtag;
+    SECItem           hmacRes;
+    SECItem           ignore = {0};
+    CK_MECHANISM_TYPE integrityMech;
+    
+    if(!p12dcx || p12dcx->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    buf = (unsigned char *)PORT_Alloc(IN_BUF_LEN + FUDGE);
+    if (!buf)
+    	return SECFailure;  /* error code has been set. */
+
+#ifdef DEBUG
+    memcpy(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd);
+#endif
+
+    /* generate hmac key */
+    if(p12dcx->macData.iter.data) {
+	iteration = (int)DER_GetInteger(&p12dcx->macData.iter);
+    } else {
+	iteration = 1;
+    }
+
+    params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem,
+                                  iteration);
+
+    algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
+    switch (algtag) {
+    case SEC_OID_SHA1:
+	integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
+    case SEC_OID_MD5:
+	integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
+    case SEC_OID_MD2:
+	integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
+    default:
+	goto loser;
+    }
+
+    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
+    PK11_DestroyPBEParams(params);
+    params = NULL;
+    if (!symKey) goto loser;
+    /* init hmac */
+    pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
+                                        CKA_SIGN, symKey, &ignore);
+    if(!pk11cx) {
+	goto loser;
+    }
+    lrv = PK11_DigestBegin(pk11cx);
+    if (lrv == SECFailure ) {
+	goto loser;
+    }
+
+    /* try to open the data for readback */
+    if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE) 
+			!= SECSuccess)) {
+	goto loser;
+    }
+
+    /* read the data back IN_BUF_LEN bytes at a time and recompute
+     * the hmac.  if fewer bytes are read than are requested, it is
+     * assumed that the end of file has been reached. if bytesRead
+     * is returned as -1, then an error occured reading from the 
+     * file.
+     */
+    do {
+	bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN);
+	if (bytesRead < 0) {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_READ);
+	    goto loser;
+	}
+	PORT_Assert(bytesRead <= IN_BUF_LEN);
+	PORT_Assert(!memcmp(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd));
+
+	if (bytesRead > IN_BUF_LEN) {
+	    /* dRead callback overflowed buffer. */
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    goto loser;
+	}
+
+	if (bytesRead) {
+	    lrv = PK11_DigestOp(pk11cx, buf, bytesRead);
+	    if (lrv == SECFailure) {
+		goto loser;
+	    }
+    	}
+    } while (bytesRead == IN_BUF_LEN);
+
+    /* finish the hmac context */
+    lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
+    if (lrv == SECFailure ) {
+	goto loser;
+    }
+
+    hmacRes.data = buf;
+    hmacRes.len = bufLen;
+
+    /* is the hmac computed the same as the hmac which was decoded? */
+    rv = SECSuccess;
+    if(SECITEM_CompareItem(&hmacRes, &p12dcx->macData.safeMac.digest) 
+			!= SECEqual) {
+	PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+	rv = SECFailure;
+    }
+
+loser:
+    /* close the file and remove it */
+    if(p12dcx->dClose) {
+	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
+    }
+
+    if(pk11cx) {
+	PK11_DestroyContext(pk11cx, PR_TRUE);
+    }
+    if (params) {
+	PK11_DestroyPBEParams(params);
+    }
+    if (symKey) {
+	PK11_FreeSymKey(symKey);
+    }
+    PORT_ZFree(buf, IN_BUF_LEN + FUDGE);
+
+    return rv;
+}
+
+/* SEC_PKCS12DecoderVerify
+ * 	Verify the macData or the signature of the decoded PKCS 12 PDU.
+ *	If the signature or the macData do not match, SECFailure is
+ *	returned.
+ *
+ * 	p12dcx - the decoder context 
+ */
+SECStatus
+SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
+{
+    SECStatus rv = SECSuccess;
+
+    /* make sure that no errors have occured... */
+    if(!p12dcx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if(p12dcx->error) {
+	/* error code is already set! PORT_SetError(p12dcx->errorValue); */
+	return SECFailure;
+    }
+
+    rv = SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
+    p12dcx->pfxDcx = NULL;
+    if(rv != SECSuccess) {
+	return rv;
+    }
+
+    /* check the signature or the mac depending on the type of
+     * integrity used.
+     */
+    if(p12dcx->pfx.encodedMacData.len) {
+	rv = SEC_ASN1DecodeItem(p12dcx->arena, &p12dcx->macData,
+				sec_PKCS12MacDataTemplate,
+				&p12dcx->pfx.encodedMacData);
+	if(rv == SECSuccess) {
+	    return sec_pkcs12_decoder_verify_mac(p12dcx);
+	}
+    } else {
+	if(SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner,
+				    PR_FALSE)) {
+	    return SECSuccess;
+	} else {
+	    PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+	}
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12DecoderFinish
+ *	Free any open ASN1 or PKCS7 decoder contexts and then
+ *	free the arena pool which everything should be allocated
+ *	from.  This function should be called upon completion of
+ *	decoding and installing of a pfx pdu.  This should be
+ *	called even if an error occurs.
+ *
+ *	p12dcx - the decoder context
+ */
+void
+SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    if(p12dcx->pfxDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
+	p12dcx->pfxDcx = NULL;
+    }
+
+    if(p12dcx->aSafeDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+	p12dcx->aSafeDcx = NULL;
+    }
+
+    if(p12dcx->currentASafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
+	p12dcx->currentASafeP7Dcx = NULL;
+    }
+
+    if(p12dcx->aSafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+    }
+
+    if(p12dcx->hmacDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->hmacDcx);
+	p12dcx->hmacDcx = NULL;
+    }
+    
+    if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
+        SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
+    }
+    if (p12dcx->decitem.friendlyName != NULL) {
+        SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
+    }
+
+    if(p12dcx->slot) {
+	PK11_FreeSlot(p12dcx->slot);
+	p12dcx->slot = NULL;
+    }
+
+    if(p12dcx->arena) {
+	PORT_FreeArena(p12dcx->arena, PR_TRUE);
+    }
+}
+
+static SECStatus
+sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag,
+			       SECOidTag attributeType,
+			       SECItem *attrValue)
+{
+    int i = 0;
+    SECOidData *oid;
+
+    if(!bag || !attrValue) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    oid = SECOID_FindOIDByTag(attributeType);
+    if(!oid) {
+	return SECFailure;
+    }
+
+    if(!bag->attribs) {
+	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
+					sizeof(sec_PKCS12Attribute *) * 2);
+    } else {
+	while(bag->attribs[i]) i++;
+	bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
+				      bag->attribs, 
+				      (i + 1) * sizeof(sec_PKCS12Attribute *),
+				      (i + 2) * sizeof(sec_PKCS12Attribute *));
+    }
+
+    if(!bag->attribs) {
+	return SECFailure;
+    }
+
+    bag->attribs[i] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+    if(!bag->attribs) {
+	return SECFailure;
+    }
+
+    bag->attribs[i]->attrValue = (SECItem**)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(SECItem *) * 2);
+    if(!bag->attribs[i]->attrValue) {
+	return SECFailure;
+    }
+
+    bag->attribs[i+1] = NULL;
+    bag->attribs[i]->attrValue[0] = attrValue;
+    bag->attribs[i]->attrValue[1] = NULL;
+
+    if(SECITEM_CopyItem(bag->arena, &bag->attribs[i]->attrType, &oid->oid)
+			!= SECSuccess) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+static SECItem *
+sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag,
+			       SECOidTag attributeType)
+{
+    int i = 0;
+
+    if(!bag->attribs) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    while(bag->attribs[i] != NULL) {
+	if(SECOID_FindOIDTag(&bag->attribs[i]->attrType) 
+			== attributeType) {
+	    return bag->attribs[i]->attrValue[0];
+	}
+	i++;
+    }
+
+    return NULL;
+}
+
+/* For now, this function will merely remove any ":"
+ * in the nickname which the PK11 functions may have
+ * placed there.  This will keep dual certs from appearing
+ * twice under "Your" certificates when imported onto smart
+ * cards.  Once with the name "Slot:Cert" and another with
+ * the nickname "Slot:Slot:Cert"
+ */
+static void
+sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick)
+{
+    char *nickname;
+    char *delimit;
+    int delimitlen;
+ 
+    nickname = (char*)nick->data;
+    if ((delimit = PORT_Strchr(nickname, ':')) != NULL) {
+        char *slotName;
+	int slotNameLen;
+
+	slotNameLen = delimit-nickname;
+	slotName = PORT_NewArray(char, (slotNameLen+1));
+	PORT_Assert(slotName);
+	if (slotName == NULL) {
+	  /* What else can we do?*/
+	  return;
+	}
+	PORT_Memcpy(slotName, nickname, slotNameLen);
+	slotName[slotNameLen] = '\0';
+	if (PORT_Strcmp(PK11_GetTokenName(slot), slotName) == 0) {
+	  delimitlen = PORT_Strlen(delimit+1);
+	  PORT_Memmove(nickname, delimit+1, delimitlen+1);
+	  nick->len = delimitlen;
+	}
+	PORT_Free(slotName);
+    }
+ 
+}
+
+static SECItem *
+sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag)
+{
+    SECItem *src, *dest;
+
+    if(!bag) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
+    if(!src) {
+	return NULL;
+    }
+
+    dest = (SECItem*)PORT_ZAlloc(sizeof(SECItem));
+    if(!dest) { 
+	goto loser;
+    }
+    if(!sec_pkcs12_convert_item_to_unicode(NULL, dest, src, PR_FALSE, 
+				PR_FALSE, PR_FALSE)) {
+	goto loser;
+    }
+
+    sec_pkcs12_sanitize_nickname(bag->slot, dest);
+
+    return dest;
+
+loser:
+    if(dest) {
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+    }
+
+    bag->problem = PR_TRUE;
+    bag->error = PORT_GetError();
+    return NULL;
+}
+
+static SECStatus
+sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name)
+{
+    int i = 0;
+    sec_PKCS12Attribute *attr = NULL;
+    SECOidData *oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_FRIENDLY_NAME);
+
+    if(!bag || !bag->arena || !name) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+	
+    if(!bag->attribs) {
+	if(!oid) {
+	    goto loser;
+	}
+
+	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
+					     sizeof(sec_PKCS12Attribute *)*2);
+	if(!bag->attribs) {
+	    goto loser;
+	}
+	bag->attribs[0] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+	if(!bag->attribs[0]) {
+	    goto loser;
+	}
+	bag->attribs[1] = NULL;
+
+	attr = bag->attribs[0];
+	if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
+			!= SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	while(bag->attribs[i]) {
+	    if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
+			== SEC_OID_PKCS9_FRIENDLY_NAME) {
+		attr = bag->attribs[i];
+		break;
+	    }
+	    i++;
+	}
+	if(!attr) {
+	    if(!oid) {
+		goto loser;
+	    }
+	    bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
+								  bag->attribs,
+					(i+1) * sizeof(sec_PKCS12Attribute *),
+					(i+2) * sizeof(sec_PKCS12Attribute *));
+	    if(!bag->attribs) {
+		goto loser;
+	    }
+	    bag->attribs[i] = 
+	        (sec_PKCS12Attribute *)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+	    if(!bag->attribs[i]) {
+		goto loser;
+	    }
+	    bag->attribs[i+1] = NULL;
+	    attr = bag->attribs[i];
+	    if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
+				!= SECSuccess) {
+		goto loser;
+	    }
+	}
+    }
+
+    PORT_Assert(attr);
+    if(!attr->attrValue) {
+	attr->attrValue = (SECItem **)PORT_ArenaZAlloc(bag->arena, 
+						       sizeof(SECItem *) * 2);
+	if(!attr->attrValue) {
+	    goto loser;
+	}
+	attr->attrValue[0] = (SECItem*)PORT_ArenaZAlloc(bag->arena, 
+							sizeof(SECItem));
+	if(!attr->attrValue[0]) {
+	    goto loser;
+	}
+	attr->attrValue[1] = NULL;
+    }
+
+    name->len = PORT_Strlen((char *)name->data);
+    if(!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0],
+				name, PR_FALSE, PR_FALSE, PR_TRUE)) {
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    bag->problem = PR_TRUE;
+    bag->error = PORT_GetError();
+    return SECFailure;
+}
+	
+static SECStatus
+sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key) 
+{
+    int i = 0;
+    SECKEYPrivateKeyInfo *pki = NULL;
+
+    if(!key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* if the bag does *not* contain an unencrypted PrivateKeyInfo 
+     * then we cannot convert the attributes.  We are propagating
+     * attributes within the PrivateKeyInfo to the SafeBag level.
+     */
+    if(SECOID_FindOIDTag(&(key->safeBagType)) != 
+			SEC_OID_PKCS12_V1_KEY_BAG_ID) {
+	return SECSuccess;
+    }
+
+    pki = key->safeBagContent.pkcs8KeyBag;
+
+    if(!pki || !pki->attributes) {
+	return SECSuccess;
+    }
+
+    while(pki->attributes[i]) {
+	SECOidTag tag = SECOID_FindOIDTag(&pki->attributes[i]->attrType);
+
+	if (tag == SEC_OID_PKCS9_LOCAL_KEY_ID ||
+	    tag == SEC_OID_PKCS9_FRIENDLY_NAME) {
+	    SECItem *attrValue = sec_pkcs12_get_attribute_value(key, tag);
+	    if(!attrValue) {
+		if(sec_pkcs12_decoder_set_attribute_value(key, tag,
+					pki->attributes[i]->attrValue[0])
+					!= SECSuccess) {
+		    key->problem = PR_TRUE;
+		    key->error = PORT_GetError();
+		    return SECFailure;
+		}
+	    }
+	}
+	i++;
+    }
+
+    return SECSuccess;
+}
+
+/* retrieve the nickname for the certificate bag.  first look
+ * in the cert bag, otherwise get it from the key.
+ */
+static SECItem *
+sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
+				 sec_PKCS12SafeBag *key, 
+				 void *wincx)
+{
+    SECItem *nickname;
+
+    if(!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    nickname = sec_pkcs12_get_nickname(cert);
+    if(nickname) {
+	return nickname;
+    }
+
+    if(key) {
+	nickname = sec_pkcs12_get_nickname(key);
+	
+        if(nickname && sec_pkcs12_set_nickname(cert, nickname)
+			!= SECSuccess) {
+	    SECITEM_ZfreeItem(nickname, PR_TRUE);
+	    return NULL;
+	}
+    }
+
+    return nickname;
+}
+
+/* set the nickname for the certificate */
+static SECStatus
+sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, 
+				 sec_PKCS12SafeBag *key, 
+				 SECItem *nickname, 
+				 void *wincx)
+{
+    if(!nickname || !cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) {
+	return SECFailure;
+    }
+
+    if(key) {
+	if(sec_pkcs12_set_nickname(key, nickname) != SECSuccess) {
+	    cert->problem = PR_TRUE;
+	    cert->error   = key->error;
+	    return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+/* retrieve the DER cert from the cert bag */
+static SECItem *
+sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert) 
+{
+    if(!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if(SECOID_FindOIDTag(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+	return NULL;
+    }
+
+    /* only support X509 certs not SDSI */
+    if(SECOID_FindOIDTag(&cert->safeBagContent.certBag->bagID) 
+			!= SEC_OID_PKCS9_X509_CERT) {
+	return NULL;
+    }
+			
+    return SECITEM_DupItem(&(cert->safeBagContent.certBag->value.x509Cert));
+}
+
+struct certNickInfo {
+    PRArenaPool *arena;
+    unsigned int nNicks;
+    SECItem **nickList;
+    unsigned int error;
+};
+
+/* callback for traversing certificates to gather the nicknames 
+ * used in a particular traversal.  for instance, when using
+ * CERT_TraversePermCertsForSubject, gather the nicknames and
+ * store them in the certNickInfo for a particular DN.
+ * 
+ * this handles the case where multiple nicknames are allowed
+ * for the same dn, which is not currently allowed, but may be
+ * in the future.
+ */ 
+static SECStatus
+gatherNicknames(CERTCertificate *cert, void *arg)
+{
+    struct certNickInfo *nickArg = (struct certNickInfo *)arg;
+    SECItem tempNick;
+    unsigned int i;
+
+    if(!cert || !nickArg || nickArg->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!cert->nickname) {
+	return SECSuccess;
+    }
+
+    tempNick.data = (unsigned char *)cert->nickname;
+    tempNick.len = PORT_Strlen(cert->nickname) + 1;
+
+    /* do we already have the nickname in the list? */
+    if(nickArg->nNicks > 0) {
+
+	/* nicknames have been encountered, but there is no list -- bad */
+	if(!nickArg->nickList) {
+	    nickArg->error = SEC_ERROR_INVALID_ARGS;
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+
+	for(i = 0; i < nickArg->nNicks; i++) {
+	    if(SECITEM_CompareItem(nickArg->nickList[i], &tempNick) 
+				== SECEqual) {
+		return SECSuccess;
+	    }
+	}
+    }
+
+    /* add the nickname to the list */
+    if(nickArg->nNicks == 0) {
+	nickArg->nickList = (SECItem **)PORT_ArenaZAlloc(nickArg->arena, 
+					     2 * sizeof(SECItem *));
+    } else {
+	nickArg->nickList = (SECItem **)PORT_ArenaGrow(nickArg->arena,
+				nickArg->nickList, 
+				(nickArg->nNicks + 1) * sizeof(SECItem *),
+				(nickArg->nNicks + 2) * sizeof(SECItem *));
+    }
+    if(!nickArg->nickList) {
+	nickArg->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+
+    nickArg->nickList[nickArg->nNicks] = 
+        (SECItem *)PORT_ArenaZAlloc(nickArg->arena, sizeof(SECItem));
+    if(!nickArg->nickList[nickArg->nNicks]) {
+	nickArg->error = PORT_GetError();
+	return SECFailure;
+    }
+    
+
+    if(SECITEM_CopyItem(nickArg->arena, nickArg->nickList[nickArg->nNicks],
+			&tempNick) != SECSuccess) {
+	nickArg->error = PORT_GetError();
+	return SECFailure;
+    }
+
+    nickArg->nNicks++;
+
+    return SECSuccess;
+}
+
+/* traverses the certs in the data base or in the token for the
+ * DN to see if any certs currently have a nickname set.
+ * If so, return it. 
+ */
+static SECItem *
+sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx)
+{
+    struct certNickInfo *nickArg = NULL;
+    SECItem *derCert, *returnDn = NULL;
+    PRArenaPool *arena = NULL;
+    CERTCertificate *tempCert;
+
+    if(!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    derCert = sec_pkcs12_get_der_cert(cert);
+    if(!derCert) {
+	return NULL;
+    }
+
+    tempCert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if(!tempCert) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    arena = PORT_NewArena(1024);
+    if(!arena) {
+	returnDn = NULL;
+	goto loser;
+    }
+    nickArg = (struct certNickInfo *)PORT_ArenaZAlloc(arena, 
+						 sizeof(struct certNickInfo));
+    if(!nickArg) {
+	returnDn = NULL;
+	goto loser;
+    }
+    nickArg->error = 0;
+    nickArg->nNicks = 0;
+    nickArg->nickList = NULL;
+    nickArg->arena = arena;
+
+    /* if the token is local, first traverse the cert database 
+     * then traverse the token.
+     */
+    if(PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames,
+			(void *)nickArg) != SECSuccess) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    if(nickArg->error) {
+	/* XXX do we want to set the error? */
+	returnDn = NULL;
+	goto loser;
+    }
+		
+    if(nickArg->nNicks == 0) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    /* set it to the first name, for now.  handle multiple names? */
+    returnDn = SECITEM_DupItem(nickArg->nickList[0]);
+
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    if(tempCert) {
+	CERT_DestroyCertificate(tempCert);
+    }
+
+    if(derCert) {
+	SECITEM_FreeItem(derCert, PR_TRUE);
+    }
+
+    return (returnDn);
+}
+
+/* counts certificates found for a given traversal function */
+static SECStatus
+countCertificate(CERTCertificate *cert, void *arg)
+{
+    unsigned int *nCerts = (unsigned int *)arg;
+
+    if(!cert || !arg) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    (*nCerts)++;
+    return SECSuccess;
+}
+
+static PRBool
+sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot)
+{
+    unsigned int nCerts = 0;
+
+    if(!nickname || !slot) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return PR_TRUE;
+    }
+
+    /* we want to check the local database first if we are importing to it */
+    PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate, 
+					(void *)&nCerts);
+    return (PRBool)(nCerts != 0);
+}
+
+/* validate cert nickname such that there is a one-to-one relation
+ * between nicknames and dn's.  we want to enforce the case that the
+ * nickname is non-NULL and that there is only one nickname per DN.
+ * 
+ * if there is a problem with a nickname or the nickname is not present, 
+ * the user will be prompted for it.
+ */
+static void
+sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
+				sec_PKCS12SafeBag *key,
+				SEC_PKCS12NicknameCollisionCallback nicknameCb,
+				void *wincx)
+{
+    SECItem *certNickname, *existingDNNick;
+    PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
+    SECItem *newNickname = NULL;
+
+    if(!cert || !cert->hasKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    if(!nicknameCb) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_INVALID_ARGS;
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    if(cert->hasKey && !key) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_INVALID_ARGS;
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx);
+    existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx);
+
+    /* nickname is already used w/ this dn, so it is safe to return */
+    if(certNickname && existingDNNick &&
+		SECITEM_CompareItem(certNickname, existingDNNick) == SECEqual) {
+	goto loser;
+    }
+
+    /* nickname not set in pkcs 12 bags, but a nick is already used for
+     * this dn.  set the nicks in the p12 bags and finish.
+     */
+    if(existingDNNick) {
+	sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx);
+	goto loser;
+    }
+
+    /* at this point, we have a certificate for which the DN is not located
+     * on the token.  the nickname specified may or may not be NULL.  if it
+     * is not null, we need to make sure that there are no other certificates
+     * with this nickname in the token for it to be valid.  this imposes a 
+     * one to one relationship between DN and nickname.  
+     *
+     * if the nickname is null, we need the user to enter a nickname for
+     * the certificate.
+     *
+     * once we have a nickname, we make sure that the nickname is unique
+     * for the DN.  if it is not, the user is reprompted to enter a new 
+     * nickname.  
+     *
+     * in order to exit this loop, the nickname entered is either unique
+     * or the user hits cancel and the certificate is not imported.
+     */
+    setNickname = PR_FALSE;
+    while(1) {
+	/* we will use the nickname so long as no other certs have the
+	 * same nickname.  and the nickname is not NULL.
+	 */		
+	if (certNickname && certNickname->data &&
+	    !sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
+	    if (setNickname) {
+		sec_pkcs12_set_nickname_for_cert(cert, key, certNickname,
+				    wincx);
+	    }
+	    break;
+	}
+
+	setNickname = PR_FALSE;
+	newNickname = (*nicknameCb)(certNickname, &cancel, wincx);
+	if(cancel) {
+	    cert->problem = PR_TRUE;
+	    cert->error = SEC_ERROR_USER_CANCELLED;
+	    break;
+	}
+
+	if(!newNickname) {
+	    cert->problem = PR_TRUE;
+	    cert->error = PORT_GetError();
+	    break;
+	}
+
+	/* at this point we have a new nickname, if we have an existing
+	 * certNickname, we need to free it and assign the new nickname
+	 * to it to avoid a memory leak.  happy?
+	 */
+	if(certNickname) {
+	    SECITEM_ZfreeItem(certNickname, PR_TRUE);
+	    certNickname = NULL;
+	}
+
+	certNickname = newNickname;
+	setNickname = PR_TRUE;
+	/* go back and recheck the new nickname */
+    }
+
+loser:
+    if(certNickname) {
+	SECITEM_ZfreeItem(certNickname, PR_TRUE);
+    }
+
+    if(existingDNNick) {
+	SECITEM_ZfreeItem(existingDNNick, PR_TRUE);
+    }
+}
+
+static void 
+sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
+			 sec_PKCS12SafeBag *key,
+			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
+			 void *wincx)
+{
+    CERTCertificate *leafCert;
+
+    if(!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+    
+    cert->validated = PR_TRUE;
+
+    if(!nicknameCb) {
+	cert->noInstall = PR_TRUE;
+	cert->problem = PR_TRUE;
+	cert->error   = SEC_ERROR_INVALID_ARGS;
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    if(!cert->safeBagContent.certBag) {
+	cert->noInstall = PR_TRUE;
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	return;
+    }
+
+    cert->noInstall = PR_FALSE;
+    cert->unused = PR_FALSE;
+    cert->problem = PR_FALSE;
+    cert->error = 0;
+
+    leafCert = CERT_DecodeDERCertificate(
+	 &cert->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
+    if(!leafCert) {
+	cert->noInstall = PR_TRUE;
+	cert->problem = PR_TRUE;
+	cert->error = PORT_GetError();
+	return;
+    }
+
+    sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, (void *)leafCert);
+
+    CERT_DestroyCertificate(leafCert);
+}
+
+static void
+sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key,
+				void *wincx)
+{
+    CERTCertificate *leafCert;
+    SECKEYPrivateKey *privk;
+
+    if(!key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+
+    key->validated = PR_TRUE;
+
+    if(!cert) {
+	key->problem = PR_TRUE;
+	key->noInstall = PR_TRUE;
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	return;
+    }
+
+    leafCert = CERT_DecodeDERCertificate(
+	&(cert->safeBagContent.certBag->value.x509Cert), PR_FALSE, NULL);
+    if(!leafCert) {
+	key->problem = PR_TRUE;
+	key->noInstall = PR_TRUE;
+	key->error = PORT_GetError();
+	return;
+    }
+
+    privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx);
+    if(!privk) {
+	privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx);
+    }
+ 
+    if(privk) {
+	SECKEY_DestroyPrivateKey(privk);
+	key->noInstall = PR_TRUE;
+    } 
+
+    CERT_DestroyCertificate(leafCert);
+}
+
+static SECStatus
+sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx)
+{
+    SECItem *derCert, *nickName;
+    char *nickData = NULL;
+    PRBool isIntermediateCA;
+    SECStatus rv;
+
+    if(!cert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(cert->problem || cert->noInstall || cert->installed) {
+	return SECSuccess;
+    }
+
+    derCert = &cert->safeBagContent.certBag->value.x509Cert;
+
+    PORT_Assert(!cert->problem && !cert->noInstall);
+
+    nickName = sec_pkcs12_get_nickname(cert);
+    if(nickName) {
+	nickData = (char *)nickName->data;
+    }
+
+    isIntermediateCA = CERT_IsCADERCert(derCert, NULL) && 
+						!CERT_IsRootDERCert(derCert);
+
+    if(keyExists) {
+	CERTCertificate *newCert;
+
+	newCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+	                                  derCert, NULL, PR_FALSE, PR_FALSE);
+	if(!newCert) {
+	     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
+	     cert->error = PORT_GetError();
+	     cert->problem = PR_TRUE;
+	     return SECFailure;
+	}
+
+	rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData, 
+					 PR_TRUE, wincx);
+	CERT_DestroyCertificate(newCert);
+    } else if ((cert->tokenCAs == SECPKCS12TargetTokenNoCAs) || 
+     ((cert->tokenCAs == SECPKCS12TargetTokenIntermediateCAs) && 
+							!isIntermediateCA)) {
+	SECItem *certList[2];
+	certList[0] = derCert;
+	certList[1] = NULL;
+	
+	rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
+			     1, certList, NULL, PR_TRUE, PR_FALSE, nickData);
+    } else {
+	rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE,
+							nickData, PR_FALSE);
+    }
+
+    cert->installed = PR_TRUE;
+    if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
+    return rv;
+}
+
+static SECItem *
+sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, KeyType *type);
+
+static SECStatus
+sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, 
+		   unsigned int keyUsage, 
+		   SECItem *nickName, void *wincx)
+{
+    SECStatus rv;
+    SECItem *publicValue = NULL;
+    KeyType keyType;
+
+    /* We should always have values for "key" and "pubKey"
+       so they can be dereferenced later. */
+    if(!key || !pubKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(key->problem || key->noInstall) {
+	return SECSuccess;
+    }
+
+    /* get the value and type from the public key */
+    publicValue = sec_pkcs12_get_public_value_and_type(pubKey, &keyType);
+    if (!publicValue) {
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	key->problem = PR_TRUE;
+	return SECFailure;
+    }
+
+    switch(SECOID_FindOIDTag(&key->safeBagType))
+    {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    rv = PK11_ImportPrivateKeyInfo(key->slot, 
+			  key->safeBagContent.pkcs8KeyBag, 
+			  nickName, publicValue, PR_TRUE, PR_TRUE,
+			  keyUsage,  wincx);
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
+					key->safeBagContent.pkcs8ShroudedKeyBag,
+					key->pwitem, nickName, publicValue, 
+					PR_TRUE, PR_TRUE, keyType, keyUsage,
+					wincx);
+	    break;
+	default:
+	    key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
+	    key->problem = PR_TRUE;
+	    if(nickName) {
+		SECITEM_ZfreeItem(nickName, PR_TRUE);
+	    }
+	    return SECFailure;
+    }
+
+    if(rv != SECSuccess) {
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	key->problem = PR_TRUE;
+    } else {
+	/* try to import the public key. Failure to do so is not fatal,
+	 * not all tokens can store the public key */
+	if (pubKey) {
+	    PK11_ImportPublicKey(key->slot, pubKey, PR_TRUE);
+	}
+	key->installed = PR_TRUE;
+    }
+
+    return rv;
+}
+
+/* 
+ * The correctness of the code in this file ABSOLUTELY REQUIRES 
+ * that ALL BAGs share a single common arena.  
+ *
+ * This function allocates the bag list from the arena of whatever bag 
+ * happens to be passed to it.  Each time a new bag is handed to it,
+ * it grows (resizes) the arena of the bag that was handed to it.  
+ * If the bags have different arenas, it will grow the wrong arena.
+ *
+ * Worse, if the bags had separate arenas, then while destroying the bags 
+ * in a bag list, when the bag whose arena contained the bag list was 
+ * destroyed, the baglist itself would be destroyed, making it difficult 
+ * or impossible to continue to destroy the bags in the destroyed list.
+ */
+static SECStatus
+sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList, 
+				sec_PKCS12SafeBag *bag)
+{
+    sec_PKCS12SafeBag **newBagList = NULL;
+    int i = 0;
+
+    if(!bagList || !bag) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!(*bagList)) {
+	newBagList = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(bag->arena, 
+				      sizeof(sec_PKCS12SafeBag *) * 2);
+    } else {
+	while((*bagList)[i]) 
+	    i++;
+	newBagList = (sec_PKCS12SafeBag **)PORT_ArenaGrow(bag->arena, 
+	                        *bagList,
+				sizeof(sec_PKCS12SafeBag *) * (i + 1),
+				sizeof(sec_PKCS12SafeBag *) * (i + 2));
+    }
+
+    if(!newBagList) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    newBagList[i]   = bag;
+    newBagList[i+1] = NULL;
+    *bagList = newBagList;
+
+    return SECSuccess;
+}
+
+static sec_PKCS12SafeBag **
+sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags, 
+                              sec_PKCS12SafeBag *key ) 
+{
+    sec_PKCS12SafeBag **certList = NULL;
+    SECItem *keyId;
+    int i;
+
+    if(!safeBags || !safeBags[0]) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID);
+    if(!keyId) {
+	return NULL;
+    }
+
+    for (i = 0; safeBags[i]; i++) {
+	if(SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
+				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+	    SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i],
+						SEC_OID_PKCS9_LOCAL_KEY_ID);
+
+	    if(certKeyId && (SECITEM_CompareItem(certKeyId, keyId) 
+				== SECEqual)) {
+		if(sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i])
+				!= SECSuccess) {
+		    /* This would leak the partial list of safeBags,
+		     * but that list is allocated from the arena of 
+		     * one of the safebags, and will be destroyed when 
+		     * that arena is destroyed.  So this is not a real leak.
+		     */
+		    return NULL;
+		}
+	    }
+	}
+    }
+
+    return certList;
+}
+
+CERTCertList *
+SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
+{
+    CERTCertList *certList = NULL;
+    sec_PKCS12SafeBag **safeBags;
+    int i;
+
+    if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    safeBags = p12dcx->safeBags;
+    certList = CERT_NewCertList();
+
+    if (certList == NULL) {
+	 return NULL;
+    }
+
+    for (i = 0; safeBags[i]; i++) {
+	if (SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
+				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+		SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]) ;
+		CERTCertificate *tempCert = NULL;
+
+		if (derCert == NULL) 
+		    continue;
+    		tempCert=CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+		                                 derCert, NULL, 
+		                                 PR_FALSE, PR_TRUE);
+
+		if (tempCert) {
+		    CERT_AddCertToListTail(certList,tempCert);
+		}
+		SECITEM_FreeItem(derCert,PR_TRUE);
+	}
+	/* fixed an infinite loop here, by ensuring that i gets incremented
+	 * if derCert is NULL above.
+	 */
+    }
+
+    return certList;
+}
+static sec_PKCS12SafeBag **
+sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags)
+{
+    int i;
+    sec_PKCS12SafeBag **keyList = NULL;
+    SECOidTag bagType;
+
+    if(!safeBags || !safeBags[0]) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    for (i = 0; safeBags[i]; i++) {
+	bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
+	switch(bagType) {
+	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+		if(sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i])
+				!= SECSuccess) {
+		    /* This would leak, except that keyList is allocated
+		     * from the arena shared by all the safeBags.
+		     */
+		    return NULL;
+		}
+		break;
+	    default:
+		break;
+	}
+    }
+
+    return keyList;
+}
+
+/* This function takes two passes over the bags, validating them 
+ * The two passes are intended to mirror exactly the two passes in 
+ * sec_pkcs12_install_bags.  But they don't. :(
+ */
+static SECStatus 
+sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, 
+			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
+			 void *wincx)
+{
+    sec_PKCS12SafeBag **keyList;
+    int i;
+
+    if(!safeBags || !nicknameCb) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!safeBags[0]) {
+	return SECSuccess;
+    }
+
+    /* First pass.  Find all the key bags.  
+     * Find the matching cert(s) for each key.  
+     */
+    keyList = sec_pkcs12_get_key_bags(safeBags);
+    if(keyList) {
+	for (i = 0; keyList[i]; ++i) {
+	    sec_PKCS12SafeBag *key = keyList[i];
+	    sec_PKCS12SafeBag **certList = 
+			    sec_pkcs12_find_certs_for_key(safeBags, key);
+
+	    if(certList) {
+		int j;
+
+		if(SECOID_FindOIDTag(&(key->safeBagType)) == 
+					SEC_OID_PKCS12_V1_KEY_BAG_ID) {
+		    /* if it is an unencrypted private key then make sure
+		     * the attributes are propageted to the appropriate 
+		     * level 
+		     */
+		    if(sec_pkcs12_get_key_info(key) != SECSuccess) {
+			return SECFailure;
+		    }
+		}
+	
+		sec_pkcs12_validate_key_by_cert(certList[0], key, wincx);
+		for (j = 0; certList[j]; ++j) {
+		    sec_PKCS12SafeBag *cert = certList[j];
+		    cert->hasKey = PR_TRUE;
+		    if(key->problem) {
+			cert->problem = PR_TRUE;
+			cert->error   = key->error;
+			continue;
+		    } 
+		    sec_pkcs12_validate_cert(cert, key, nicknameCb, wincx);
+		    if(cert->problem) {
+			key->problem = cert->problem;
+			key->error   = cert->error;
+		    }
+		}
+	    }
+	}
+    }
+
+    /* Now take a second pass over the safebags and mark for installation any 
+     * certs that were neither installed nor disqualified by the first pass.
+     */
+    for (i = 0; safeBags[i]; ++i) {
+	sec_PKCS12SafeBag *bag = safeBags[i];
+
+	if(!bag->validated) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&bag->safeBagType);
+
+	    switch(bagType) {
+	    case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+		sec_pkcs12_validate_cert(bag, NULL, nicknameCb, wincx);
+		break;
+	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+		bag->noInstall = PR_TRUE;
+		bag->problem = PR_TRUE;	
+		bag->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+		break;
+	    default:
+		bag->noInstall = PR_TRUE;
+	    }
+	}
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
+			      SEC_PKCS12NicknameCollisionCallback nicknameCb)
+{
+    SECStatus rv;
+    int i, noInstallCnt, probCnt, bagCnt, errorVal = 0;
+    if(!p12dcx || p12dcx->error || !p12dcx->safeBags) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx);
+    if(rv == SECSuccess) {
+	p12dcx->bagsVerified = PR_TRUE;
+    }
+
+    noInstallCnt = probCnt = bagCnt = 0;
+    i = 0;
+    while(p12dcx->safeBags[i]) {
+	bagCnt++;
+	if(p12dcx->safeBags[i]->noInstall) 
+	    noInstallCnt++;
+	if(p12dcx->safeBags[i]->problem) {
+	    probCnt++;
+	    errorVal = p12dcx->safeBags[i]->error;
+	}
+	i++;
+    }
+
+    /* formerly was erroneous code here that assumed that if all bags
+     * failed to import, then the problem was duplicated data; 
+     * that is, it assume that the problem must be that the file had
+     * previously been successfully imported.  But importing a 
+     * previously imported file causes NO ERRORS at all, and this 
+     * false assumption caused real errors to be hidden behind false
+     * errors about duplicated data.
+     */
+
+    if(probCnt) {
+	PORT_SetError(errorVal);
+	return SECFailure;
+    }
+
+    return rv;
+}
+
+
+static SECKEYPublicKey *
+sec_pkcs12_get_public_key_and_usage(sec_PKCS12SafeBag *certBag,
+					 unsigned int *usage)
+{
+    SECKEYPublicKey *pubKey = NULL;
+    CERTCertificate *cert = NULL;
+
+    if(!certBag || !usage) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    *usage = 0;
+
+    cert = CERT_DecodeDERCertificate(
+	 &certBag->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
+    if(!cert) {
+	return NULL;
+    }
+
+    *usage = cert->keyUsage;
+    pubKey = CERT_ExtractPublicKey(cert);
+    CERT_DestroyCertificate(cert);
+    return pubKey;
+}
+
+static SECItem *
+sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey,
+					KeyType *type)
+{
+    SECItem *pubValue = NULL;
+
+    if(!type || !pubKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    *type = pubKey->keyType;
+    switch(pubKey->keyType) {
+	case dsaKey:
+	    pubValue = &pubKey->u.dsa.publicValue;
+	    break;
+	case dhKey:
+	    pubValue = &pubKey->u.dh.publicValue;
+	    break;
+	case rsaKey:
+	    pubValue = &pubKey->u.rsa.modulus;
+	    break;
+        case ecKey:
+	    pubValue = &pubKey->u.ec.publicValue;
+	    break;
+	default:
+	    pubValue = NULL;
+    }
+
+    return pubValue;
+}
+
+/* This function takes two passes over the bags, installing them in the
+ * desired slot.  The two passes are intended to mirror exactly the 
+ * two passes in sec_pkcs12_validate_bags.
+ */
+static SECStatus 
+sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx)
+{
+    sec_PKCS12SafeBag **keyList;
+    int i;
+    int failedKeys = 0;
+
+    if(!safeBags) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!safeBags[0]) {
+	return SECSuccess;
+    }
+
+    /* First pass.  Find all the key bags. 
+     * Try to install them, and any certs associated with them.  
+     */
+    keyList = sec_pkcs12_get_key_bags(safeBags);
+    if(keyList) {
+	for (i = 0; keyList[i]; i++) {
+	    SECStatus rv;
+	    SECKEYPublicKey *pubKey = NULL;
+	    SECItem *nickName    = NULL;
+	    sec_PKCS12SafeBag *key = keyList[i];
+	    sec_PKCS12SafeBag **certList;
+	    unsigned int keyUsage;
+
+	    if(key->problem) {
+		++failedKeys;
+		continue;
+	    }
+
+	    certList = sec_pkcs12_find_certs_for_key(safeBags, key);
+	    if(certList && certList[0]) {
+		pubKey = sec_pkcs12_get_public_key_and_usage(certList[0],
+					&keyUsage);
+		/* use the cert's nickname, if it has one, else use the 
+		 * key's nickname, else fail.
+		 */
+		nickName = sec_pkcs12_get_nickname_for_cert(certList[0], 
+		                                            key, wincx);
+	    } else {
+		nickName = sec_pkcs12_get_nickname(key);
+	    }
+	    if (!nickName) {
+		key->error = SEC_ERROR_BAD_NICKNAME;
+		key->problem = PR_TRUE;
+		rv = SECFailure;
+	    } else if (!pubKey) {
+                key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+		key->problem = PR_TRUE;
+                rv = SECFailure;
+	    } else {
+		rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx);
+            }
+	    if (pubKey) {
+		SECKEY_DestroyPublicKey(pubKey);
+		pubKey = NULL;
+	    }
+	    if (nickName) {
+		SECITEM_FreeItem(nickName, PR_TRUE);
+		nickName = NULL;
+	    }
+	    if(rv != SECSuccess) {
+		PORT_SetError(key->error);
+		++failedKeys;
+	    }
+
+	    if(certList) {
+		int j;
+
+		for (j = 0; certList[j]; j++) {
+		    sec_PKCS12SafeBag *cert = certList[j];
+		    SECStatus certRv;
+
+		    if (!cert)
+		    	continue;
+		    if(rv != SECSuccess) {
+			cert->problem = key->problem;
+			cert->error   = key->error;	
+			cert->noInstall = PR_TRUE;
+			continue;
+		    }
+
+		    certRv = sec_pkcs12_add_cert(cert, cert->hasKey, wincx);
+		    if(certRv != SECSuccess) {
+			key->problem = cert->problem;
+			key->error   = cert->error;
+			PORT_SetError(cert->error);
+			return SECFailure;
+		    }
+		}
+	    }
+	}
+    }
+    if (failedKeys)
+    	return SECFailure;
+
+    /* Now take a second pass over the safebags and install any certs 
+     * that were neither installed nor disqualified by the first pass.
+     */
+    for (i = 0; safeBags[i]; i++) {
+	sec_PKCS12SafeBag *bag = safeBags[i];
+
+	if (!bag->installed && !bag->problem && !bag->noInstall) {
+	    SECStatus rv;
+	    SECOidTag bagType = SECOID_FindOIDTag(&(bag->safeBagType));
+
+	    switch(bagType) {
+	    case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+		rv = sec_pkcs12_add_cert(bag, bag->hasKey, wincx);
+		if(rv != SECSuccess) {
+		    PORT_SetError(bag->error);
+		    return SECFailure;
+		}
+		break;
+	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    default:
+		break;
+	    }
+	}
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx || p12dcx->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!p12dcx->bagsVerified) {
+	return SECFailure;
+    }
+
+    return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
+}
+
+PRBool
+sec_pkcs12_bagHasKey(SEC_PKCS12DecoderContext *p12dcx, sec_PKCS12SafeBag *bag)
+{
+    int i;
+    SECItem *keyId;
+    SECItem *certKeyId;
+
+    certKeyId = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_LOCAL_KEY_ID);
+    if (certKeyId == NULL) {
+        return PR_FALSE;
+    }
+            
+    for (i=0; p12dcx->keyList && p12dcx->keyList[i]; i++) {
+        keyId = sec_pkcs12_get_attribute_value(p12dcx->keyList[i],
+                                                SEC_OID_PKCS9_LOCAL_KEY_ID);
+        if(!keyId) {
+            continue;
+        }
+        if(SECITEM_CompareItem(certKeyId, keyId) == SECEqual) {
+            return PR_TRUE;
+        }
+    }
+    return PR_FALSE;
+}
+
+SECItem *
+sec_pkcs12_get_friendlyName(sec_PKCS12SafeBag *bag)
+{
+    SECItem *friendlyName;
+    SECItem *tempnm;
+    
+    tempnm = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
+    friendlyName = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if (friendlyName) {
+        if (!sec_pkcs12_convert_item_to_unicode(NULL, friendlyName,
+                                   tempnm, PR_TRUE, PR_FALSE, PR_FALSE)) {
+            SECITEM_FreeItem(friendlyName, PR_TRUE);
+            friendlyName = NULL;
+        }
+    }
+    return friendlyName;
+}
+
+/* Following two functions provide access to selected portions of the safe bags.
+ * Iteration is implemented per decoder context and may be accessed after
+ * SEC_PKCS12DecoderVerify() returns success.
+ * When ...DecoderIterateNext() returns SUCCESS a decoder item has been returned
+ * where item.type is always set; item.friendlyName is set if it is non-null;
+ * item.der, item.hasKey are set only for SEC_OID_PKCS12_V1_CERT_BAG_ID items.
+ * ...DecoderIterateNext() returns FAILURE when the list is exhausted or when
+ * arguments are invalid; PORT_GetError() is 0 at end-of-list.
+ * Caller has read-only access to decoder items. Any SECItems generated are
+ * owned by the decoder context and are freed by ...DecoderFinish().
+ */
+SECStatus
+SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx || p12dcx->error) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    p12dcx->iteration = 0;
+    return SECSuccess;
+}
+
+SECStatus
+SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
+                             const SEC_PKCS12DecoderItem **ipp)
+{
+    sec_PKCS12SafeBag *bag;
+    
+    if(!p12dcx || p12dcx->error) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
+        SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
+    }
+    if (p12dcx->decitem.shroudAlg != NULL) {
+        SECOID_DestroyAlgorithmID(p12dcx->decitem.shroudAlg, PR_TRUE);
+    }
+    if (p12dcx->decitem.friendlyName != NULL) {
+        SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
+    }
+    p12dcx->decitem.type = 0;
+    p12dcx->decitem.der = NULL;
+    p12dcx->decitem.shroudAlg = NULL;
+    p12dcx->decitem.friendlyName = NULL;
+    p12dcx->decitem.hasKey = PR_FALSE;
+    *ipp = NULL;
+    if (p12dcx->keyList == NULL) {
+        p12dcx->keyList = sec_pkcs12_get_key_bags(p12dcx->safeBags);
+    }
+
+    
+    for (; p12dcx->iteration < p12dcx->safeBagCount; p12dcx->iteration++) {
+        bag = p12dcx->safeBags[p12dcx->iteration];
+ 	if(bag == NULL || bag->problem) {
+            continue;
+        }
+        p12dcx->decitem.type = SECOID_FindOIDTag(&(bag->safeBagType));
+        switch(p12dcx->decitem.type) {
+            case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+                p12dcx->decitem.der = sec_pkcs12_get_der_cert(bag);
+                p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
+                p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag);
+                break;
+            case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+                p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID);
+		if (p12dcx->decitem.shroudAlg) {
+		    SECOID_CopyAlgorithmID(NULL, p12dcx->decitem.shroudAlg,
+			&bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm);
+		}
+            case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+                p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
+                break;
+            default:
+                /* return these even though we don't expect them */
+                break;
+            case SEC_OID_UNKNOWN:
+                /* ignore these */
+                continue;
+        }
+        *ipp = &p12dcx->decitem;
+        p12dcx->iteration++;
+        break;  /* end for() */
+    }
+    
+    PORT_SetError(0);       /* end-of-list is SECFailure with no PORT error */
+    return ((p12dcx->decitem.type == 0) ? SECFailure : SECSuccess);
+}
+
+static SECStatus
+sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx,
+					 sec_PKCS12SafeBag *bag)
+{
+    if(!p12dcx || p12dcx->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(!p12dcx->safeBagCount) {
+	p12dcx->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
+					    sizeof(sec_PKCS12SafeBag *) * 2);
+    } else {
+	p12dcx->safeBags = 
+	  (sec_PKCS12SafeBag **)PORT_ArenaGrow(p12dcx->arena, p12dcx->safeBags,
+		     (p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+		     (p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+    }
+
+    if(!p12dcx->safeBags) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    p12dcx->safeBags[p12dcx->safeBagCount] = bag;
+    p12dcx->safeBags[p12dcx->safeBagCount+1] = NULL;
+    p12dcx->safeBagCount++;
+
+    return SECSuccess;
+}
+
+static sec_PKCS12SafeBag *
+sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx,
+				   void *key, PRBool isEspvk)
+{
+    sec_PKCS12SafeBag *keyBag;
+    SECOidData *oid;
+    SECOidTag keyTag;
+    SECItem *keyID, *nickName, *newNickName;
+
+    if(!p12dcx || p12dcx->error || !key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    newNickName =(SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
+    keyBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+						   sizeof(sec_PKCS12SafeBag));
+    if(!keyBag || !newNickName) {
+	return NULL;
+    }
+
+    keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
+    keyBag->slot = p12dcx->slot;
+    keyBag->arena = p12dcx->arena;
+    keyBag->pwitem = p12dcx->pwitem;
+    keyBag->tokenCAs = p12dcx->tokenCAs;
+    keyBag->oldBagType = PR_TRUE;
+
+    keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID :
+			 SEC_OID_PKCS12_V1_KEY_BAG_ID;
+    oid = SECOID_FindOIDByTag(keyTag);
+    if(!oid) {
+	return NULL;
+    }
+
+    if(SECITEM_CopyItem(p12dcx->arena, &keyBag->safeBagType, &oid->oid) 
+			!= SECSuccess) {
+	return NULL;
+    }
+
+    if(isEspvk) {
+	SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key;
+	keyBag->safeBagContent.pkcs8ShroudedKeyBag  = 
+					espvk->espvkCipherText.pkcs8KeyShroud;
+	nickName = &(espvk->espvkData.uniNickName); 
+	if(!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) {
+	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	    return NULL;
+	}
+	keyID = &espvk->espvkData.assocCerts[0]->digest;
+    } else {
+	SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key;
+	keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data;
+	nickName= &(pk->pvkData.uniNickName);
+	if(!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) {
+	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	    return NULL;
+	}
+	keyID = &pk->pvkData.assocCerts[0]->digest;
+    }
+
+    if(nickName->len) {
+	if(nickName->len >= 2) {
+	    if(nickName->data[0] && nickName->data[1]) {
+		if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
+					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
+		    return NULL;
+		}
+		nickName = newNickName;
+	    } else if(nickName->data[0] && !nickName->data[1]) {
+		unsigned int j = 0;
+		unsigned char t;
+		for(j = 0; j < nickName->len; j+=2) {
+		    t = nickName->data[j+1];
+		    nickName->data[j+1] = nickName->data[j];
+		    nickName->data[j] = t;
+		}
+	    }
+	} else {
+	    if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
+					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
+		return NULL;
+	    }
+	    nickName = newNickName;
+	}
+    }
+
+    if(sec_pkcs12_decoder_set_attribute_value(keyBag,
+					      SEC_OID_PKCS9_FRIENDLY_NAME,
+					      nickName) != SECSuccess) {
+	return NULL;
+    }
+	
+    if(sec_pkcs12_decoder_set_attribute_value(keyBag,SEC_OID_PKCS9_LOCAL_KEY_ID,
+					keyID) != SECSuccess) {
+	return NULL;
+    }
+
+    return keyBag;
+}
+
+static sec_PKCS12SafeBag *
+sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx,
+			       SECItem *derCert)
+{
+    sec_PKCS12SafeBag *certBag;
+    SECOidData *oid;
+    SGNDigestInfo *digest;
+    SECItem *keyId;
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error || !derCert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    keyId = (SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
+    if(!keyId) {
+	return NULL;
+    }
+
+    digest = sec_pkcs12_compute_thumbprint(derCert);
+    if(!digest) {
+	return NULL;
+    }
+
+    rv = SECITEM_CopyItem(p12dcx->arena, keyId, &digest->digest);
+    SGN_DestroyDigestInfo(digest);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    oid = SECOID_FindOIDByTag(SEC_OID_PKCS12_V1_CERT_BAG_ID);
+    certBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+						    sizeof(sec_PKCS12SafeBag));
+    if(!certBag || !oid || (SECITEM_CopyItem(p12dcx->arena, 
+			&certBag->safeBagType, &oid->oid) != SECSuccess)) {
+	return NULL;
+    }
+
+    certBag->slot = p12dcx->slot;
+    certBag->pwitem = p12dcx->pwitem;
+    certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
+    certBag->arena = p12dcx->arena;
+    certBag->tokenCAs = p12dcx->tokenCAs;
+
+    oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_X509_CERT);
+    certBag->safeBagContent.certBag = 
+        (sec_PKCS12CertBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+					      sizeof(sec_PKCS12CertBag));
+    if(!certBag->safeBagContent.certBag || !oid ||
+			(SECITEM_CopyItem(p12dcx->arena, 
+				 &certBag->safeBagContent.certBag->bagID,
+				 &oid->oid) != SECSuccess)) {
+	return NULL;
+    }
+      
+    if(SECITEM_CopyItem(p12dcx->arena, 
+			 &(certBag->safeBagContent.certBag->value.x509Cert),
+			 derCert) != SECSuccess) {
+	return NULL;
+    }
+
+    if(sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+					keyId) != SECSuccess) {
+	return NULL;
+    }
+
+    return certBag;
+}
+
+static sec_PKCS12SafeBag **
+sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx,
+				    SEC_PKCS12CertAndCRL *oldCert)
+{
+    sec_PKCS12SafeBag **certList;
+    SECItem **derCertList;
+    int i, j;
+
+    if(!p12dcx || p12dcx->error || !oldCert) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL);
+    if(!derCertList) {
+	return NULL;
+    }
+
+    i = 0;
+    while(derCertList[i]) i++;
+
+    certList = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
+				(i + 1) * sizeof(sec_PKCS12SafeBag *));
+    if(!certList) {
+	return NULL;
+    }
+
+    for(j = 0; j < i; j++) {
+	certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]);
+	if(!certList[j]) {
+	    return NULL;
+	}
+    }
+
+    return certList;
+}   
+
+static SECStatus
+sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx,
+					     void *oldKey, PRBool isEspvk,
+					     SEC_PKCS12SafeContents *safe,
+					     SEC_PKCS12Baggage *baggage)
+{
+    sec_PKCS12SafeBag *key, **certList;
+    SEC_PKCS12CertAndCRL *oldCert;
+    SEC_PKCS12PVKSupportingData *pvkData;
+    int i;
+    SECItem *keyName;
+
+    if(!p12dcx || !oldKey) {
+	return SECFailure;
+    }
+
+    if(isEspvk) {
+	pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData;
+    } else {
+	pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData;
+    }
+
+    if(!pvkData->assocCerts || !pvkData->assocCerts[0]) {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return SECFailure;
+    }
+
+    oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage, 
+				     SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL,
+				     pvkData->assocCerts[0]);
+    if(!oldCert) {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return SECFailure;
+    }
+	
+    key = sec_pkcs12_decoder_convert_old_key(p12dcx,oldKey, isEspvk);
+    certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert);
+    if(!key || !certList) {
+	return SECFailure;
+    }
+
+    if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) {
+	return SECFailure;
+    }
+
+    keyName = sec_pkcs12_get_nickname(key);
+    if(!keyName) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while(certList[i]) {
+	if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i]) 
+				!= SECSuccess) {
+	    return SECFailure;
+	}
+	i++;
+    }
+
+    certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key);
+    if(!certList) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while(certList[i] != 0) {
+	if(sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) {
+	    return SECFailure;
+	}
+	i++;
+    }
+				
+    return SECSuccess;
+}
+	
+static SECStatus
+sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx,
+					    SEC_PKCS12SafeContents *safe,
+					    SEC_PKCS12Baggage *baggage)
+{
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if(safe && safe->contents) {
+	int i = 0;
+	while(safe->contents[i] != NULL) {
+	    if(SECOID_FindOIDTag(&safe->contents[i]->safeBagType) 
+				== SEC_OID_PKCS12_KEY_BAG_ID) {
+		int j = 0;
+		SEC_PKCS12PrivateKeyBag *privBag = 
+					safe->contents[i]->safeContent.keyBag;
+		
+		while(privBag->privateKeys[j] != NULL) {
+		    SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j];
+		    rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx,pk,
+						PR_FALSE, safe, baggage);
+		    if(rv != SECSuccess) {
+			goto loser;
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+
+    if(baggage && baggage->bags) {
+	int i = 0;
+	while(baggage->bags[i] != NULL) {
+	    SEC_PKCS12BaggageItem *bag = baggage->bags[i];
+	    int j = 0;
+
+	    if(!bag->espvks) {
+		i++;
+		continue;
+	    }
+
+	    while(bag->espvks[j] != NULL) {
+		SEC_PKCS12ESPVKItem *espvk = bag->espvks[j];
+		rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk,
+							PR_TRUE, safe, baggage);
+		if(rv != SECSuccess) {
+		    goto loser;
+		}
+		j++;
+	    }
+	    i++;
+	}
+    }
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+SEC_PKCS12DecoderContext *
+sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot, 
+			      PRBool swapUnicode, SECItem *pwitem,
+			      void *wincx, SEC_PKCS12SafeContents *safe,
+			      SEC_PKCS12Baggage *baggage)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    if(!arena || !slot || !pwitem) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    if(!safe && !baggage) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    p12dcx = (SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc(arena, 
+					    sizeof(SEC_PKCS12DecoderContext));
+    if(!p12dcx) {
+	return NULL;
+    }
+
+    p12dcx->arena = arena;
+    p12dcx->slot = PK11_ReferenceSlot(slot);
+    p12dcx->wincx = wincx;
+    p12dcx->error = PR_FALSE;
+    p12dcx->swapUnicodeBytes = swapUnicode; 
+    p12dcx->pwitem = pwitem;
+    p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
+    
+    if(sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage) 
+				!= SECSuccess) {
+	p12dcx->error = PR_TRUE;
+	return NULL;
+    }
+
+    return p12dcx;
+}
diff --git a/security/nss/lib/pkcs12/p12dec.c b/security/nss/lib/pkcs12/p12dec.c
new file mode 100644
index 000000000..b35d89aaa
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12dec.c
@@ -0,0 +1,696 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "pkcs12.h"
+#include "plarena.h"
+#include "secpkcs7.h"
+#include "p12local.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secerr.h"
+#include "cert.h"
+#include "certdb.h"
+#include "p12plcy.h"
+#include "p12.h" 
+#include "secpkcs5.h" 
+
+/* PFX extraction and validation routines */
+
+/* decode the DER encoded PFX item.  if unable to decode, check to see if it
+ * is an older PFX item.  If that fails, assume the file was not a valid
+ * pfx file.
+ * the returned pfx structure should be destroyed using SEC_PKCS12DestroyPFX
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_decode_pfx(SECItem *der_pfx)
+{
+    SEC_PKCS12PFXItem *pfx;
+    SECStatus rv;
+
+    if(der_pfx == NULL) {
+	return NULL;
+    }
+
+    /* allocate the space for a new PFX item */
+    pfx = sec_pkcs12_new_pfx();
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate, 
+    			    der_pfx);
+
+    /* if a failure occurred, check for older version...
+     * we also get rid of the old pfx structure, because we don't
+     * know where it failed and what data in may contain
+     */
+    if(rv != SECSuccess) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = sec_pkcs12_new_pfx();
+	if(pfx == NULL) {
+	    return NULL;
+	}
+	rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate_OLD, 
+				der_pfx);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_PKCS12_DECODING_PFX);
+	    PORT_FreeArena(pfx->poolp, PR_TRUE);
+	    return NULL;
+	}
+	pfx->old = PR_TRUE;
+	SGN_CopyDigestInfo(pfx->poolp, &pfx->macData.safeMac, &pfx->old_safeMac);
+	SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, &pfx->old_macSalt);
+    } else {
+	pfx->old = PR_FALSE;
+    }
+
+    /* convert bit string from bits to bytes */
+    pfx->macData.macSalt.len /= 8;
+
+    return pfx;
+}
+
+/* validate the integrity MAC used in the PFX.  The MAC is generated
+ * per the PKCS 12 document.  If the MAC is incorrect, it is most likely
+ * due to an invalid password.
+ * pwitem is the integrity password
+ * pfx is the decoded pfx item
+ */
+static PRBool 
+sec_pkcs12_check_pfx_mac(SEC_PKCS12PFXItem *pfx,
+			 SECItem *pwitem)
+{
+    SECItem *key = NULL, *mac = NULL, *data = NULL;
+    SECItem *vpwd = NULL;
+    SECOidTag algorithm;
+    PRBool ret = PR_FALSE;
+
+    if(pfx == NULL) {
+	return PR_FALSE;
+    }
+
+    algorithm = SECOID_GetAlgorithmTag(&pfx->macData.safeMac.digestAlgorithm);
+    switch(algorithm) {
+	/* only SHA1 hashing supported as a MACing algorithm */
+	case SEC_OID_SHA1:
+	    if(pfx->old == PR_FALSE) {
+		pfx->swapUnicode = PR_FALSE;
+	    }
+
+recheckUnicodePassword:
+	    vpwd = sec_pkcs12_create_virtual_password(pwitem, 
+	    					&pfx->macData.macSalt, 
+						pfx->swapUnicode);
+	    if(vpwd == NULL) {
+		return PR_FALSE;
+	    }
+
+	    key = sec_pkcs12_generate_key_from_password(algorithm,
+						&pfx->macData.macSalt, 
+						(pfx->old ? pwitem : vpwd));
+	    /* free vpwd only for newer PFX */
+	    if(vpwd) {
+		SECITEM_ZfreeItem(vpwd, PR_TRUE);
+	    }
+	    if(key == NULL) {
+		return PR_FALSE;
+	    }
+
+	    data = SEC_PKCS7GetContent(&pfx->authSafe);
+	    if(data == NULL) {
+		break;
+	    }
+
+	    /* check MAC */
+	    mac = sec_pkcs12_generate_mac(key, data, pfx->old);
+	    ret = PR_TRUE;
+	    if(mac) {
+		SECItem *safeMac = &pfx->macData.safeMac.digest;
+		if(SECITEM_CompareItem(mac, safeMac) != SECEqual) {
+
+		    /* if we encounter an invalid mac, lets invert the
+		     * password in case of unicode changes 
+		     */
+		    if(((!pfx->old) && pfx->swapUnicode) || (pfx->old)){
+			PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+			ret = PR_FALSE;
+		    } else {
+			SECITEM_ZfreeItem(mac, PR_TRUE);
+			pfx->swapUnicode = PR_TRUE;
+			goto recheckUnicodePassword;
+		    }
+		} 
+		SECITEM_ZfreeItem(mac, PR_TRUE);
+	    } else {
+		ret = PR_FALSE;
+	    }
+	    break;
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM);
+	    ret = PR_FALSE;
+	    break;
+    }
+
+    /* let success fall through */
+    if(key != NULL)
+	SECITEM_ZfreeItem(key, PR_TRUE);
+
+    return ret;
+}
+
+/* check the validity of the pfx structure.  we currently only support
+ * password integrity mode, so we check the MAC.
+ */
+static PRBool 
+sec_pkcs12_validate_pfx(SEC_PKCS12PFXItem *pfx, 
+			SECItem *pwitem)
+{
+    SECOidTag contentType;
+
+    contentType = SEC_PKCS7ContentType(&pfx->authSafe);
+    switch(contentType)
+    {
+	case SEC_OID_PKCS7_DATA:
+	    return sec_pkcs12_check_pfx_mac(pfx, pwitem);
+	    break;
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
+	    break;
+    }
+
+    return PR_FALSE;
+}
+
+/* decode and return the valid PFX.  if the PFX item is not valid,
+ * NULL is returned.
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_get_pfx(SECItem *pfx_data, 
+		   SECItem *pwitem)
+{
+    SEC_PKCS12PFXItem *pfx;
+    PRBool valid_pfx;
+
+    if((pfx_data == NULL) || (pwitem == NULL)) {
+	return NULL;
+    }
+
+    pfx = sec_pkcs12_decode_pfx(pfx_data);
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    valid_pfx = sec_pkcs12_validate_pfx(pfx, pwitem);
+    if(valid_pfx != PR_TRUE) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = NULL;
+    }
+
+    return pfx;
+}
+
+/* authenticated safe decoding, validation, and access routines
+ */
+
+/* convert dogbert beta 3 authenticated safe structure to a post
+ * beta three structure, so that we don't have to change more routines.
+ */
+static SECStatus
+sec_pkcs12_convert_old_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    SEC_PKCS12Baggage *baggage;
+    SEC_PKCS12BaggageItem *bag;
+    SECStatus rv = SECSuccess;
+
+    if(asafe->old_baggage.espvks == NULL) {
+	/* XXX should the ASN1 engine produce a single NULL element list
+	 * rather than setting the pointer to NULL?  
+	 * There is no need to return an error -- assume that the list
+	 * was empty.
+	 */
+	return SECSuccess;
+    }
+
+    baggage = sec_pkcs12_create_baggage(asafe->poolp);
+    if(!baggage) {
+	return SECFailure;
+    }
+    bag = sec_pkcs12_create_external_bag(baggage);
+    if(!bag) {
+	return SECFailure;
+    }
+
+    PORT_Memcpy(&asafe->baggage, baggage, sizeof(SEC_PKCS12Baggage));
+
+    /* if there are shrouded keys, append them to the bag */
+    rv = SECSuccess;
+    if(asafe->old_baggage.espvks[0] != NULL) {
+	int nEspvk = 0;
+	rv = SECSuccess;
+	while((asafe->old_baggage.espvks[nEspvk] != NULL) && 
+		(rv == SECSuccess)) {
+	    rv = sec_pkcs12_append_shrouded_key(bag, 
+	    				asafe->old_baggage.espvks[nEspvk]);
+	    nEspvk++;
+	}
+    }
+
+    return rv;
+}    
+
+/* decodes the authenticated safe item.  a return of NULL indicates
+ * an error.  however, the error will have occured either in memory
+ * allocation or in decoding the authenticated safe.
+ *
+ * if an old PFX item has been found, we want to convert the
+ * old authenticated safe to the new one.
+ */
+static SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_decode_authenticated_safe(SEC_PKCS12PFXItem *pfx) 
+{
+    SECItem *der_asafe = NULL;
+    SEC_PKCS12AuthenticatedSafe *asafe = NULL;
+    SECStatus rv;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    der_asafe = SEC_PKCS7GetContent(&pfx->authSafe);
+    if(der_asafe == NULL) {
+	/* XXX set error ? */
+	goto loser;
+    }
+
+    asafe = sec_pkcs12_new_asafe(pfx->poolp);
+    if(asafe == NULL) {
+	goto loser;
+    }
+
+    if(pfx->old == PR_FALSE) {
+	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
+			 	SEC_PKCS12AuthenticatedSafeTemplate, 
+			 	der_asafe);
+	asafe->old = PR_FALSE;
+	asafe->swapUnicode = pfx->swapUnicode;
+    } else {
+	/* handle beta exported files */
+	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
+				SEC_PKCS12AuthenticatedSafeTemplate_OLD,
+				der_asafe);
+	asafe->safe = &(asafe->old_safe);
+	rv = sec_pkcs12_convert_old_auth_safe(asafe);
+	asafe->old = PR_TRUE;
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    asafe->poolp = pfx->poolp;
+    
+    return asafe;
+
+loser:
+    return NULL;
+}
+
+/* validates the safe within the authenticated safe item.  
+ * in order to be valid:
+ *  1.  the privacy salt must be present
+ *  2.  the encryption algorithm must be supported (including
+ *	export policy)
+ * PR_FALSE indicates an error, PR_TRUE indicates a valid safe
+ */
+static PRBool 
+sec_pkcs12_validate_encrypted_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    PRBool valid = PR_FALSE;
+    SECAlgorithmID *algid;
+
+    if(asafe == NULL) {
+	return PR_FALSE;
+    }
+
+    /* if mode is password privacy, then privacySalt is assumed
+     * to be non-zero.
+     */
+    if(asafe->privacySalt.len != 0) {
+	valid = PR_TRUE;
+	asafe->privacySalt.len /= 8;
+    } else {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return PR_FALSE;
+    }
+
+    /* until spec changes, content will have between 2 and 8 bytes depending
+     * upon the algorithm used if certs are unencrypted...
+     * also want to support case where content is empty -- which we produce 
+     */ 
+    if(SEC_PKCS7IsContentEmpty(asafe->safe, 8) == PR_TRUE) {
+	asafe->emptySafe = PR_TRUE;
+	return PR_TRUE;
+    }
+
+    asafe->emptySafe = PR_FALSE;
+
+    /* make sure that a pbe algorithm is being used */
+    algid = SEC_PKCS7GetEncryptionAlgorithm(asafe->safe);
+    if(algid != NULL) {
+	if(SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	    valid = SEC_PKCS12DecryptionAllowed(algid);
+
+	    if(valid == PR_FALSE) {
+		PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	    }
+	} else {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
+	    valid = PR_FALSE;
+	}
+    } else {
+	valid = PR_FALSE;
+	PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
+    }
+
+    return valid;
+}
+
+/* validates authenticates safe:
+ *  1.  checks that the version is supported
+ *  2.  checks that only password privacy mode is used (currently)
+ *  3.  further, makes sure safe has appropriate policies per above function
+ * PR_FALSE indicates failure.
+ */
+static PRBool 
+sec_pkcs12_validate_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    PRBool valid = PR_TRUE;
+    SECOidTag safe_type;
+    int version;
+
+    if(asafe == NULL) {
+	return PR_FALSE;
+    }
+
+    /* check version, since it is default it may not be present.
+     * therefore, assume ok
+     */
+    if((asafe->version.len > 0) && (asafe->old == PR_FALSE)) {
+	version = DER_GetInteger(&asafe->version);
+	if(version > SEC_PKCS12_PFX_VERSION) {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION);
+	    return PR_FALSE;
+	}
+    }
+
+    /* validate password mode is being used */
+    safe_type = SEC_PKCS7ContentType(asafe->safe);
+    switch(safe_type)
+    {
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    valid = sec_pkcs12_validate_encrypted_safe(asafe);
+	    break;
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
+	    valid = PR_FALSE;
+	    break;
+    }
+
+    return valid;
+}
+
+/* retrieves the authenticated safe item from the PFX item
+ *  before returning the authenticated safe, the validity of the
+ *  authenticated safe is checked and if valid, returned.
+ * a return of NULL indicates that an error occured.
+ */
+static SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_get_auth_safe(SEC_PKCS12PFXItem *pfx)
+{
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    PRBool valid_safe;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    asafe = sec_pkcs12_decode_authenticated_safe(pfx);
+    if(asafe == NULL) {
+	return NULL;
+    }
+
+    valid_safe = sec_pkcs12_validate_auth_safe(asafe);
+    if(valid_safe != PR_TRUE) {
+	asafe = NULL;
+    } else if(asafe) {
+	asafe->baggage.poolp = asafe->poolp;
+    }
+
+    return asafe;
+}
+
+/* decrypts the authenticated safe.
+ * a return of anything but SECSuccess indicates an error.  the
+ * password is not known to be valid until the call to the 
+ * function sec_pkcs12_get_safe_contents.  If decoding the safe
+ * fails, it is assumed the password was incorrect and the error
+ * is set then.  any failure here is assumed to be due to 
+ * internal problems in SEC_PKCS7DecryptContents or below.
+ */
+static SECStatus
+sec_pkcs12_decrypt_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe, 
+			     SECItem *pwitem,
+			     void *wincx)
+{
+    SECStatus rv = SECFailure;
+    SECItem *vpwd = NULL;
+
+    if((asafe == NULL) || (pwitem == NULL)) {
+	return SECFailure;
+    }
+
+    if(asafe->old == PR_FALSE) {
+	vpwd = sec_pkcs12_create_virtual_password(pwitem, &asafe->privacySalt,
+						 asafe->swapUnicode);
+	if(vpwd == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    rv = SEC_PKCS7DecryptContents(asafe->poolp, asafe->safe, 
+    				  (asafe->old ? pwitem : vpwd), wincx);
+
+    if(asafe->old == PR_FALSE) {
+	SECITEM_ZfreeItem(vpwd, PR_TRUE);
+    }
+
+    return rv;
+}
+
+/* extract the safe from the authenticated safe.
+ *  if we are unable to decode the safe, then it is likely that the 
+ *  safe has not been decrypted or the password used to decrypt
+ *  the safe was invalid.  we assume that the password was invalid and
+ *  set an error accordingly.
+ * a return of NULL indicates that an error occurred.
+ */
+static SEC_PKCS12SafeContents *
+sec_pkcs12_get_safe_contents(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    SECItem *src = NULL;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SECStatus rv = SECFailure;
+
+    if(asafe == NULL) {
+	return NULL;
+    }
+
+    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(asafe->poolp, 
+	    					sizeof(SEC_PKCS12SafeContents));
+    if(safe == NULL) {
+	return NULL;
+    }
+    safe->poolp = asafe->poolp;
+    safe->old = asafe->old;
+    safe->swapUnicode = asafe->swapUnicode;
+
+    src = SEC_PKCS7GetContent(asafe->safe);
+    if(src != NULL) {
+	const SEC_ASN1Template *theTemplate;
+	if(asafe->old != PR_TRUE) {
+	    theTemplate = SEC_PKCS12SafeContentsTemplate;
+	} else {
+	    theTemplate = SEC_PKCS12SafeContentsTemplate_OLD;
+	}
+
+	rv = SEC_ASN1DecodeItem(asafe->poolp, safe, theTemplate, src);
+
+	/* if we could not decode the item, password was probably invalid */
+	if(rv != SECSuccess) {
+	    safe = NULL;
+	    PORT_SetError(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	rv = SECFailure;
+    }
+
+    return safe;
+}
+
+/* import PFX item 
+ * der_pfx is the der encoded pfx structure
+ * pbef and pbearg are the integrity/encryption password call back
+ * ncCall is the nickname collision calllback
+ * slot is the destination token
+ * wincx window handler
+ *
+ * on error, error code set and SECFailure returned 
+ */
+SECStatus
+SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
+		 SEC_PKCS12NicknameCollisionCallback ncCall,
+		 PK11SlotInfo *slot,
+		 void *wincx)
+{
+    SEC_PKCS12PFXItem *pfx;
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    SEC_PKCS12SafeContents *safe_contents = NULL;
+    SECStatus rv;
+
+    if(!der_pfx || !pwitem || !slot) {
+	return SECFailure;
+    }
+
+    /* decode and validate each section */
+    rv = SECFailure;
+
+    pfx = sec_pkcs12_get_pfx(der_pfx, pwitem);
+    if(pfx != NULL) {
+	asafe = sec_pkcs12_get_auth_safe(pfx);
+	if(asafe != NULL) {
+
+	    /* decrypt safe -- only if not empty */
+	    if(asafe->emptySafe != PR_TRUE) {
+		rv = sec_pkcs12_decrypt_auth_safe(asafe, pwitem, wincx);
+		if(rv == SECSuccess) {
+		    safe_contents = sec_pkcs12_get_safe_contents(asafe);
+		    if(safe_contents == NULL) {
+			rv = SECFailure;
+		    }
+		}
+	    } else {
+		safe_contents = sec_pkcs12_create_safe_contents(asafe->poolp);
+		if(safe_contents == NULL) {
+		    rv = SECFailure;
+		} else {
+                    safe_contents->swapUnicode = pfx->swapUnicode;
+		    rv = SECSuccess;
+		}
+	    }
+
+	    /* get safe contents and begin import */
+	    if(rv == SECSuccess) {
+		SEC_PKCS12DecoderContext *p12dcx;
+
+		p12dcx = sec_PKCS12ConvertOldSafeToNew(pfx->poolp, slot,
+					pfx->swapUnicode,
+					pwitem, wincx, safe_contents,
+					&asafe->baggage);
+		if(!p12dcx) {
+		    rv = SECFailure;
+		    goto loser;
+		}
+
+		if(SEC_PKCS12DecoderValidateBags(p12dcx, ncCall) 
+				!= SECSuccess) {
+		    rv = SECFailure;
+		    goto loser;
+		}
+
+		rv = SEC_PKCS12DecoderImportBags(p12dcx);
+	    }
+
+	}
+    }
+
+loser:
+
+    if(pfx) {
+	SEC_PKCS12DestroyPFX(pfx);
+    }
+
+    return rv;
+}
+
+PRBool 
+SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength)
+{
+    int lengthLength;
+
+    PRBool valid = PR_FALSE;
+
+    if(buf == NULL) {
+	return PR_FALSE;
+    }
+
+    /* check for constructed sequence identifier tag */
+    if(*buf == (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) {
+	totalLength--;   /* header byte taken care of */
+	buf++;
+
+	lengthLength = (long int)SEC_ASN1LengthLength(totalLength - 1);
+	if(totalLength > 0x7f) {
+	    lengthLength--;
+	    *buf &= 0x7f;  /* remove bit 8 indicator */
+	    if((*buf - (char)lengthLength) == 0) {
+		valid = PR_TRUE;
+	    }
+	} else {
+	    lengthLength--;
+	    if((*buf - (char)lengthLength) == 0) {
+		valid = PR_TRUE;
+	    }
+	}
+    }
+
+    return valid;
+}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
new file mode 100644
index 000000000..959d37483
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -0,0 +1,2075 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "p12t.h"
+#include "p12.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12plcy.h"
+#include "p12local.h"
+#include "prcpucfg.h"
+
+/*
+** This PKCS12 file encoder uses numerous nested ASN.1 and PKCS7 encoder
+** contexts.  It can be difficult to keep straight.  Here's a picture:
+**
+**  "outer"  ASN.1 encoder.  The output goes to the library caller's CB.
+**  "middle" PKCS7 encoder.  Feeds    the "outer" ASN.1 encoder.
+**  "middle" ASN1  encoder.  Encodes  the encrypted aSafes. 
+**                           Feeds    the "middle" P7 encoder above.
+**  "inner"  PKCS7 encoder.  Encrypts the "authenticated Safes" (aSafes)
+**                           Feeds    the "middle" ASN.1 encoder above.
+**  "inner"  ASN.1 encoder.  Encodes  the unencrypted aSafes.  
+**                           Feeds    the "inner" P7 enocder above.
+**
+** Buffering has been added at each point where the output of an ASN.1
+** encoder feeds the input of a PKCS7 encoder.
+*/
+
+/*********************************
+ * Output buffer object, used to buffer output from ASN.1 encoder
+ * before passing data on down to the next PKCS7 encoder.
+ *********************************/
+
+#define PK12_OUTPUT_BUFFER_SIZE  8192
+
+struct sec_pkcs12OutputBufferStr {
+    SEC_PKCS7EncoderContext * p7eCx;
+    PK11Context             * hmacCx;
+    unsigned int              numBytes;
+    unsigned int              bufBytes;
+             char             buf[PK12_OUTPUT_BUFFER_SIZE];
+};
+typedef struct sec_pkcs12OutputBufferStr sec_pkcs12OutputBuffer;
+
+/*********************************
+ * Structures used in exporting the PKCS 12 blob
+ *********************************/
+
+/* A SafeInfo is used for each ContentInfo which makes up the
+ * sequence of safes in the AuthenticatedSafe portion of the
+ * PFX structure.
+ */
+struct SEC_PKCS12SafeInfoStr {
+    PRArenaPool *arena;
+
+    /* information for setting up password encryption */
+    SECItem pwitem;
+    SECOidTag algorithm;
+    PK11SymKey *encryptionKey;
+
+    /* how many items have been stored in this safe,
+     * we will skip any safe which does not contain any
+     * items
+      */
+    unsigned int itemCount;
+
+    /* the content info for the safe */
+    SEC_PKCS7ContentInfo *cinfo;
+
+    sec_PKCS12SafeContents *safe;
+};
+
+/* An opaque structure which contains information needed for exporting
+ * certificates and keys through PKCS 12.
+ */
+struct SEC_PKCS12ExportContextStr {
+    PRArenaPool *arena;
+    PK11SlotInfo *slot;
+    void *wincx;
+
+    /* integrity information */
+    PRBool integrityEnabled;
+    PRBool	pwdIntegrity;
+    union {
+	struct sec_PKCS12PasswordModeInfo pwdInfo;
+	struct sec_PKCS12PublicKeyModeInfo pubkeyInfo;
+    } integrityInfo; 
+
+    /* helper functions */
+    /* retrieve the password call back */
+    SECKEYGetPasswordKey pwfn;
+    void *pwfnarg;
+
+    /* safe contents bags */
+    SEC_PKCS12SafeInfo **safeInfos;
+    unsigned int safeInfoCount;
+
+    /* the sequence of safes */
+    sec_PKCS12AuthenticatedSafe authSafe;
+
+    /* information needing deletion */
+    CERTCertificate **certList;
+};
+
+/* structures for passing information to encoder callbacks when processing
+ * data through the ASN1 engine.
+ */
+struct sec_pkcs12_encoder_output {
+    SEC_PKCS12EncoderOutputCallback outputfn;
+    void *outputarg;
+};
+
+struct sec_pkcs12_hmac_and_output_info {
+    void *arg;
+    struct sec_pkcs12_encoder_output output;
+};
+
+/* An encoder context which is used for the actual encoding
+ * portion of PKCS 12. 
+ */
+typedef struct sec_PKCS12EncoderContextStr {
+    PRArenaPool *arena;
+    SEC_PKCS12ExportContext *p12exp;
+    PK11SymKey *encryptionKey;
+
+    /* encoder information - this is set up based on whether 
+     * password based or public key pased privacy is being used
+     */
+    SEC_ASN1EncoderContext *outerA1ecx;
+    union {
+	struct sec_pkcs12_hmac_and_output_info hmacAndOutputInfo;
+	struct sec_pkcs12_encoder_output       encOutput;
+    } output;
+
+    /* structures for encoding of PFX and MAC */
+    sec_PKCS12PFXItem        pfx;
+    sec_PKCS12MacData        mac;
+
+    /* authenticated safe encoding tracking information */
+    SEC_PKCS7ContentInfo    *aSafeCinfo;
+    SEC_PKCS7EncoderContext *middleP7ecx;
+    SEC_ASN1EncoderContext  *middleA1ecx;
+    unsigned int             currentSafe;
+
+    /* hmac context */
+    PK11Context             *hmacCx;
+
+    /* output buffers */
+    sec_pkcs12OutputBuffer  middleBuf;
+    sec_pkcs12OutputBuffer  innerBuf;
+
+} sec_PKCS12EncoderContext;
+
+
+/*********************************
+ * Export setup routines
+ *********************************/
+
+/* SEC_PKCS12CreateExportContext 
+ *   Creates an export context and sets the unicode and password retrieval
+ *   callbacks.  This is the first call which must be made when exporting
+ *   a PKCS 12 blob.
+ *
+ * pwfn, pwfnarg - password retrieval callback and argument.  these are
+ * 		   required for password-authentication mode.
+ */
+SEC_PKCS12ExportContext *
+SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
+			      PK11SlotInfo *slot, void *wincx)
+{
+    PRArenaPool *arena = NULL;
+    SEC_PKCS12ExportContext *p12ctxt = NULL;
+
+    /* allocate the arena and create the context */
+    arena = PORT_NewArena(4096);
+    if(!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p12ctxt = (SEC_PKCS12ExportContext *)PORT_ArenaZAlloc(arena, 
+					sizeof(SEC_PKCS12ExportContext));
+    if(!p12ctxt) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* password callback for key retrieval */
+    p12ctxt->pwfn = pwfn;
+    p12ctxt->pwfnarg = pwfnarg;
+
+    p12ctxt->integrityEnabled = PR_FALSE;
+    p12ctxt->arena = arena;
+    p12ctxt->wincx = wincx;
+    p12ctxt->slot = (slot) ? PK11_ReferenceSlot(slot) : PK11_GetInternalSlot();
+
+    return p12ctxt;
+
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    return NULL;
+}
+
+/* 
+ * Adding integrity mode
+ */
+
+/* SEC_PKCS12AddPasswordIntegrity 
+ *	Add password integrity to the exported data.  If an integrity method
+ *	has already been set, then return an error.
+ *	
+ *	p12ctxt - the export context
+ * 	pwitem - the password for integrity mode
+ *	integAlg - the integrity algorithm to use for authentication.
+ */
+SECStatus
+SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+			       SECItem *pwitem, SECOidTag integAlg) 
+{			       
+    if(!p12ctxt || p12ctxt->integrityEnabled) {
+	return SECFailure;
+    }
+   
+    /* set up integrity information */
+    p12ctxt->pwdIntegrity = PR_TRUE;
+    p12ctxt->integrityInfo.pwdInfo.password = 
+        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
+    if(!p12ctxt->integrityInfo.pwdInfo.password) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, 
+			p12ctxt->integrityInfo.pwdInfo.password, pwitem)
+		!= SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    p12ctxt->integrityInfo.pwdInfo.algorithm = integAlg;
+    p12ctxt->integrityEnabled = PR_TRUE;
+
+    return SECSuccess;
+}
+
+/* SEC_PKCS12AddPublicKeyIntegrity
+ *	Add public key integrity to the exported data.  If an integrity method
+ *	has already been set, then return an error.  The certificate must be
+ *	allowed to be used as a signing cert.
+ *	
+ *	p12ctxt - the export context
+ *	cert - signer certificate
+ *	certDb - the certificate database
+ *	algorithm - signing algorithm
+ *	keySize - size of the signing key (?)
+ */
+SECStatus
+SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+				CERTCertificate *cert, CERTCertDBHandle *certDb,
+				SECOidTag algorithm, int keySize)
+{
+    if(!p12ctxt) {
+	return SECFailure;
+    }
+    
+    p12ctxt->integrityInfo.pubkeyInfo.cert = cert;
+    p12ctxt->integrityInfo.pubkeyInfo.certDb = certDb;
+    p12ctxt->integrityInfo.pubkeyInfo.algorithm = algorithm;
+    p12ctxt->integrityInfo.pubkeyInfo.keySize = keySize;
+    p12ctxt->integrityEnabled = PR_TRUE;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Adding safes - encrypted (password/public key) or unencrypted
+ *	Each of the safe creation routines return an opaque pointer which
+ *	are later passed into the routines for exporting certificates and
+ *	keys.
+ */
+
+/* append the newly created safeInfo to list of safeInfos in the export
+ * context.  
+ */
+static SECStatus
+sec_pkcs12_append_safe_info(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *info)
+{
+    void *mark = NULL, *dummy1 = NULL, *dummy2 = NULL;
+
+    if(!p12ctxt || !info) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* if no safeInfos have been set, create the list, otherwise expand it. */
+    if(!p12ctxt->safeInfoCount) {
+	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)PORT_ArenaZAlloc(p12ctxt->arena, 
+					      2 * sizeof(SEC_PKCS12SafeInfo *));
+	dummy1 = p12ctxt->safeInfos;
+	p12ctxt->authSafe.encodedSafes = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
+					2 * sizeof(SECItem *));
+	dummy2 = p12ctxt->authSafe.encodedSafes;
+    } else {
+	dummy1 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->safeInfos, 
+			       (p12ctxt->safeInfoCount + 1) * sizeof(SEC_PKCS12SafeInfo *),
+			       (p12ctxt->safeInfoCount + 2) * sizeof(SEC_PKCS12SafeInfo *));
+	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)dummy1;
+	dummy2 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->authSafe.encodedSafes, 
+			       (p12ctxt->authSafe.safeCount + 1) * sizeof(SECItem *),
+			       (p12ctxt->authSafe.safeCount + 2) * sizeof(SECItem *));
+	p12ctxt->authSafe.encodedSafes = (SECItem**)dummy2;
+    }
+    if(!dummy1 || !dummy2) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* append the new safeInfo and null terminate the list */
+    p12ctxt->safeInfos[p12ctxt->safeInfoCount] = info;
+    p12ctxt->safeInfos[++p12ctxt->safeInfoCount] = NULL;
+    p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount] = 
+        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
+    if(!p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount]) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    p12ctxt->authSafe.encodedSafes[++p12ctxt->authSafe.safeCount] = NULL;
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return SECFailure;
+}
+
+/* SEC_PKCS12CreatePasswordPrivSafe
+ *	Create a password privacy safe to store exported information in.
+ *
+ * 	p12ctxt - export context
+ *	pwitem - password for encryption
+ *	privAlg - pbe algorithm through which encryption is done.
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
+				 SECItem *pwitem, SECOidTag privAlg)
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+    PK11SlotInfo *slot = NULL;
+    SECAlgorithmID *algId;
+    SECItem uniPwitem = {siBuffer, NULL, 0};
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    /* allocate the safe info */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+
+    /* create the encrypted safe */
+    safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, 
+    						   p12ctxt->pwfnarg);
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    safeInfo->arena = p12ctxt->arena;
+
+    /* convert the password to unicode */ 
+    if(!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
+					       PR_TRUE, PR_TRUE, PR_TRUE)) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* generate the encryption key */
+    slot = PK11_ReferenceSlot(p12ctxt->slot);
+    if(!slot) {
+	slot = PK11_GetInternalKeySlot();
+	if(!slot) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    }
+
+    algId = SEC_PKCS7GetEncryptionAlgorithm(safeInfo->cinfo);
+    safeInfo->encryptionKey = PK11_PBEKeyGen(slot, algId, &uniPwitem, 
+					     PR_FALSE, p12ctxt->wincx);
+    if(!safeInfo->encryptionKey) {
+	goto loser;
+    }
+
+    safeInfo->arena = p12ctxt->arena;
+    safeInfo->safe = NULL;
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    if(uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    return safeInfo;
+
+loser:
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+    }
+
+    if(uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/* SEC_PKCS12CreateUnencryptedSafe 
+ *	Creates an unencrypted safe within the export context.
+ *
+ *	p12ctxt - the export context 
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt)
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    /* create the safe info */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    					      sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+
+    /* create the safe content */
+    safeInfo->cinfo = SEC_PKCS7CreateData();
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return safeInfo;
+
+loser:
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/* SEC_PKCS12CreatePubKeyEncryptedSafe
+ *	Creates a safe which is protected by public key encryption.  
+ *
+ *	p12ctxt - the export context
+ *	certDb - the certificate database
+ *	signer - the signer's certificate
+ *	recipients - the list of recipient certificates.
+ *	algorithm - the encryption algorithm to use
+ *	keysize - the algorithms key size (?)
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
+				    CERTCertDBHandle *certDb,
+				    CERTCertificate *signer,
+				    CERTCertificate **recipients,
+				    SECOidTag algorithm, int keysize) 
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt || !signer || !recipients || !(*recipients)) {
+	return NULL;
+    }
+
+    /* allocate the safeInfo */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						      sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+    safeInfo->arena = p12ctxt->arena;
+
+    /* create the enveloped content info using certUsageEmailSigner currently.
+     * XXX We need to eventually use something other than certUsageEmailSigner
+     */
+    safeInfo->cinfo = SEC_PKCS7CreateEnvelopedData(signer, certUsageEmailSigner,
+					certDb, algorithm, keysize, 
+					p12ctxt->pwfn, p12ctxt->pwfnarg);
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* add recipients */
+    if(recipients) {
+	unsigned int i = 0;
+	while(recipients[i] != NULL) {
+	    SECStatus rv = SEC_PKCS7AddRecipient(safeInfo->cinfo, recipients[i],
+					       certUsageEmailRecipient, certDb);
+	    if(rv != SECSuccess) {
+		goto loser;
+	    }
+	    i++;
+	}
+    }
+
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return safeInfo;
+
+loser:
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+	safeInfo->cinfo = NULL;
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+} 
+
+/*********************************
+ * Routines to handle the exporting of the keys and certificates
+ *********************************/
+
+/* creates a safe contents which safeBags will be appended to */
+sec_PKCS12SafeContents *
+sec_PKCS12CreateSafeContents(PRArenaPool *arena)
+{
+    sec_PKCS12SafeContents *safeContents;
+
+    if(arena == NULL) {
+	return NULL; 
+    }
+
+    /* create the safe contents */
+    safeContents = (sec_PKCS12SafeContents *)PORT_ArenaZAlloc(arena,
+					    sizeof(sec_PKCS12SafeContents));
+    if(!safeContents) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* set up the internal contents info */
+    safeContents->safeBags = NULL;
+    safeContents->arena = arena;
+    safeContents->bagCount = 0;
+
+    return safeContents;
+
+loser:
+    return NULL;
+}   
+
+/* appends a safe bag to a safeContents using the specified arena. 
+ */
+SECStatus
+sec_pkcs12_append_bag_to_safe_contents(PRArenaPool *arena, 
+				       sec_PKCS12SafeContents *safeContents,
+				       sec_PKCS12SafeBag *safeBag)
+{
+    void *mark = NULL, *dummy = NULL;
+
+    if(!arena || !safeBag || !safeContents) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    if(!mark) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* allocate space for the list, or reallocate to increase space */
+    if(!safeContents->safeBags) {
+	safeContents->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(arena, 
+						(2 * sizeof(sec_PKCS12SafeBag *)));
+	dummy = safeContents->safeBags;
+	safeContents->bagCount = 0;
+    } else {
+	dummy = PORT_ArenaGrow(arena, safeContents->safeBags, 
+			(safeContents->bagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+			(safeContents->bagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+	safeContents->safeBags = (sec_PKCS12SafeBag **)dummy;
+    }
+
+    if(!dummy) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* append the bag at the end and null terminate the list */
+    safeContents->safeBags[safeContents->bagCount++] = safeBag;
+    safeContents->safeBags[safeContents->bagCount] = NULL;
+
+    PORT_ArenaUnmark(arena, mark);
+
+    return SECSuccess;
+}
+
+/* appends a safeBag to a specific safeInfo.
+ */
+SECStatus
+sec_pkcs12_append_bag(SEC_PKCS12ExportContext *p12ctxt, 
+		      SEC_PKCS12SafeInfo *safeInfo, sec_PKCS12SafeBag *safeBag)
+{
+    sec_PKCS12SafeContents *dest;
+    SECStatus rv = SECFailure;
+
+    if(!p12ctxt || !safeBag || !safeInfo) {
+	return SECFailure;
+    }
+
+    if(!safeInfo->safe) {
+	safeInfo->safe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
+	if(!safeInfo->safe) {
+	    return SECFailure;
+	}
+    }
+
+    dest = safeInfo->safe;
+    rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, dest, safeBag);
+    if(rv == SECSuccess) {
+	safeInfo->itemCount++;
+    }
+    
+    return rv;
+} 
+
+/* Creates a safeBag of the specified type, and if bagData is specified,
+ * the contents are set.  The contents could be set later by the calling
+ * routine.
+ */
+sec_PKCS12SafeBag *
+sec_PKCS12CreateSafeBag(SEC_PKCS12ExportContext *p12ctxt, SECOidTag bagType, 
+			void *bagData)
+{
+    sec_PKCS12SafeBag *safeBag;
+    PRBool setName = PR_TRUE;
+    void *mark = NULL;
+    SECStatus rv = SECSuccess;
+    SECOidData *oidData = NULL;
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    if(!mark) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						    sizeof(sec_PKCS12SafeBag));
+    if(!safeBag) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* set the bags content based upon bag type */
+    switch(bagType) {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    safeBag->safeBagContent.pkcs8KeyBag =
+	        (SECKEYPrivateKeyInfo *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	    safeBag->safeBagContent.certBag = (sec_PKCS12CertBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	    safeBag->safeBagContent.crlBag = (sec_PKCS12CRLBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	    safeBag->safeBagContent.secretBag = (sec_PKCS12SecretBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    safeBag->safeBagContent.pkcs8ShroudedKeyBag = 
+	        (SECKEYEncryptedPrivateKeyInfo *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    safeBag->safeBagContent.safeContents = 
+	        (sec_PKCS12SafeContents *)bagData;
+	    setName = PR_FALSE;
+	    break;
+	default:
+	    goto loser;
+    }
+
+    oidData = SECOID_FindOIDByTag(bagType);
+    if(oidData) {
+	rv = SECITEM_CopyItem(p12ctxt->arena, &safeBag->safeBagType, &oidData->oid);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    } else {
+	goto loser;
+    }
+    
+    safeBag->arena = p12ctxt->arena;
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+
+    return safeBag;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return NULL;
+}
+
+/* Creates a new certificate bag and returns a pointer to it.  If an error
+ * occurs NULL is returned.
+ */
+sec_PKCS12CertBag *
+sec_PKCS12NewCertBag(PRArenaPool *arena, SECOidTag certType)
+{
+    sec_PKCS12CertBag *certBag = NULL;
+    SECOidData *bagType = NULL;
+    SECStatus rv;
+    void *mark = NULL;
+
+    if(!arena) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    certBag = (sec_PKCS12CertBag *)PORT_ArenaZAlloc(arena, 
+    						    sizeof(sec_PKCS12CertBag));
+    if(!certBag) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    bagType = SECOID_FindOIDByTag(certType);
+    if(!bagType) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(arena, &certBag->bagID, &bagType->oid);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+	
+    PORT_ArenaUnmark(arena, mark);
+    return certBag;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+/* Creates a new CRL bag and returns a pointer to it.  If an error
+ * occurs NULL is returned.
+ */
+sec_PKCS12CRLBag *
+sec_PKCS12NewCRLBag(PRArenaPool *arena, SECOidTag crlType)
+{
+    sec_PKCS12CRLBag *crlBag = NULL;
+    SECOidData *bagType = NULL;
+    SECStatus rv;
+    void *mark = NULL;
+
+    if(!arena) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    crlBag = (sec_PKCS12CRLBag *)PORT_ArenaZAlloc(arena, 
+    						  sizeof(sec_PKCS12CRLBag));
+    if(!crlBag) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    bagType = SECOID_FindOIDByTag(crlType);
+    if(!bagType) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(arena, &crlBag->bagID, &bagType->oid);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+	
+    PORT_ArenaUnmark(arena, mark);
+    return crlBag;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+/* sec_PKCS12AddAttributeToBag
+ * adds an attribute to a safeBag.  currently, the only attributes supported
+ * are those which are specified within PKCS 12.  
+ *
+ *	p12ctxt - the export context 
+ *	safeBag - the safeBag to which attributes are appended
+ *	attrType - the attribute type
+ * 	attrData - the attribute data
+ */
+SECStatus
+sec_PKCS12AddAttributeToBag(SEC_PKCS12ExportContext *p12ctxt, 
+			    sec_PKCS12SafeBag *safeBag, SECOidTag attrType,
+			    SECItem *attrData)
+{
+    sec_PKCS12Attribute *attribute;
+    void *mark = NULL, *dummy = NULL;
+    SECOidData *oiddata = NULL;
+    SECItem unicodeName = { siBuffer, NULL, 0};
+    void *src = NULL;
+    unsigned int nItems = 0;
+    SECStatus rv;
+
+    if(!safeBag || !p12ctxt) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(safeBag->arena);
+
+    /* allocate the attribute */
+    attribute = (sec_PKCS12Attribute *)PORT_ArenaZAlloc(safeBag->arena, 
+    						sizeof(sec_PKCS12Attribute));
+    if(!attribute) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* set up the attribute */
+    oiddata = SECOID_FindOIDByTag(attrType);
+    if(!oiddata) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, &attribute->attrType, &oiddata->oid) !=
+    		SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    nItems = 1;
+    switch(attrType) {
+	case SEC_OID_PKCS9_LOCAL_KEY_ID:
+	    {
+		src = attrData;
+		break;
+	    }
+	case SEC_OID_PKCS9_FRIENDLY_NAME:
+	    {
+		if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, 
+					&unicodeName, attrData, PR_FALSE, 
+					PR_FALSE, PR_TRUE)) {
+		    goto loser;
+		}
+		src = &unicodeName;
+		break;
+	    }
+	default:
+	    goto loser;
+    }
+
+    /* append the attribute to the attribute value list  */
+    attribute->attrValue = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
+    					    ((nItems + 1) * sizeof(SECItem *)));
+    if(!attribute->attrValue) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* XXX this will need to be changed if attributes requiring more than
+     * one element are ever used.
+     */
+    attribute->attrValue[0] = (SECItem *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    							  sizeof(SECItem));
+    if(!attribute->attrValue[0]) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    attribute->attrValue[1] = NULL;
+
+    rv = SECITEM_CopyItem(p12ctxt->arena, attribute->attrValue[0], 
+			  (SECItem*)src);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* append the attribute to the safeBag attributes */
+    if(safeBag->nAttribs) {
+	dummy = PORT_ArenaGrow(p12ctxt->arena, safeBag->attribs, 
+			((safeBag->nAttribs + 1) * sizeof(sec_PKCS12Attribute *)),
+			((safeBag->nAttribs + 2) * sizeof(sec_PKCS12Attribute *)));
+	safeBag->attribs = (sec_PKCS12Attribute **)dummy;
+    } else {
+	safeBag->attribs = (sec_PKCS12Attribute **)PORT_ArenaZAlloc(p12ctxt->arena, 
+						2 * sizeof(sec_PKCS12Attribute *));
+	dummy = safeBag->attribs;
+    }
+    if(!dummy) {
+	goto loser;
+    }
+
+    safeBag->attribs[safeBag->nAttribs] = attribute;
+    safeBag->attribs[++safeBag->nAttribs] = NULL;
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12AddCert
+ * 	Adds a certificate to the data being exported.  
+ *
+ *	p12ctxt - the export context
+ *	safe - the safeInfo to which the certificate is placed 
+ *	nestedDest - if the cert is to be placed within a nested safeContents then,
+ *		     this value is to be specified with the destination
+ *	cert - the cert to export
+ *	certDb - the certificate database handle
+ *	keyId - a unique identifier to associate a certificate/key pair
+ *	includeCertChain - PR_TRUE if the certificate chain is to be included.
+ */
+SECStatus
+SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
+		  void *nestedDest, CERTCertificate *cert, 
+		  CERTCertDBHandle *certDb, SECItem *keyId,
+		  PRBool includeCertChain)
+{
+    sec_PKCS12CertBag *certBag;
+    sec_PKCS12SafeBag *safeBag;
+    void *mark;
+    SECStatus rv;
+    SECItem nick = {siBuffer, NULL,0};
+
+    if(!p12ctxt || !cert) {
+	return SECFailure;
+    }
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* allocate the cert bag */
+    certBag = sec_PKCS12NewCertBag(p12ctxt->arena, 
+    				   SEC_OID_PKCS9_X509_CERT);
+    if(!certBag) {
+	goto loser;
+    }
+
+    if(SECITEM_CopyItem(p12ctxt->arena, &certBag->value.x509Cert, 
+    			&cert->derCert) != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* if the cert chain is to be included, we should only be exporting
+     * the cert from our internal database.
+     */
+    if(includeCertChain) {
+	CERTCertificateList *certList = CERT_CertChainFromCert(cert,
+							       certUsageSSLClient,
+							       PR_TRUE);
+	unsigned int count = 0;
+	if(!certList) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/* add cert chain */
+	for(count = 0; count < (unsigned int)certList->len; count++) {
+	    if(SECITEM_CompareItem(&certList->certs[count], &cert->derCert)
+	    			!= SECEqual) {
+	    	CERTCertificate *tempCert;
+
+		/* decode the certificate */
+		/* XXX
+		 * This was rather silly.  The chain is constructed above
+		 * by finding all of the CERTCertificate's in the database.
+		 * Then the chain is put into a CERTCertificateList, which only
+		 * contains the DER.  Finally, the DER was decoded, and the
+		 * decoded cert was sent recursively back to this function.
+		 * Beyond being inefficent, this causes data loss (specifically,
+		 * the nickname).  Instead, for 3.4, we'll do a lookup by the
+		 * DER, which should return the cached entry.
+		 */
+		tempCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
+		                                  &certList->certs[count]);
+	    	if(!tempCert) {
+		    CERT_DestroyCertificateList(certList);
+		    goto loser;
+		}
+
+		/* add the certificate */
+	    	if(SEC_PKCS12AddCert(p12ctxt, safe, nestedDest, tempCert,
+				 certDb, NULL, PR_FALSE) != SECSuccess) {
+		    CERT_DestroyCertificate(tempCert);
+		    CERT_DestroyCertificateList(certList);
+		    goto loser;
+		}
+		CERT_DestroyCertificate(tempCert);
+	    }
+	}
+	CERT_DestroyCertificateList(certList);
+    }
+
+    /* if the certificate has a nickname, we will set the friendly name
+     * to that.
+     */
+    if(cert->nickname) {
+        if (cert->slot && !PK11_IsInternal(cert->slot)) {
+	  /*
+	   * The cert is coming off of an external token, 
+	   * let's strip the token name from the nickname
+	   * and only add what comes after the colon as the
+	   * nickname. -javi
+	   */
+	    char *delimit;
+	    
+	    delimit = PORT_Strchr(cert->nickname,':');
+	    if (delimit == NULL) {
+	        nick.data = (unsigned char *)cert->nickname;
+		nick.len = PORT_Strlen(cert->nickname);
+	    } else {
+	        delimit++;
+	        nick.data = (unsigned char *)PORT_ArenaStrdup(p12ctxt->arena,
+							      delimit);
+		nick.len = PORT_Strlen(delimit);
+	    }
+	} else {
+	    nick.data = (unsigned char *)cert->nickname;
+	    nick.len = PORT_Strlen(cert->nickname);
+	}
+    }
+
+    safeBag = sec_PKCS12CreateSafeBag(p12ctxt, SEC_OID_PKCS12_V1_CERT_BAG_ID, 
+    				      certBag);
+    if(!safeBag) {
+	goto loser;
+    }
+
+    /* add the friendly name and keyId attributes, if necessary */
+    if(nick.data) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, 
+				       SEC_OID_PKCS9_FRIENDLY_NAME, &nick) 
+				       != SECSuccess) {
+	    goto loser;
+	}
+    }
+	   
+    if(keyId) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+				       keyId) != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    /* append the cert safeBag */
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
+					  (sec_PKCS12SafeContents*)nestedDest, 
+					   safeBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, safe, safeBag);
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12AddKeyForCert
+ *	Extracts the key associated with a particular certificate and exports
+ *	it.
+ *
+ *	p12ctxt - the export context 
+ *	safe - the safeInfo to place the key in
+ *	nestedDest - the nested safeContents to place a key
+ *	cert - the certificate which the key belongs to
+ *	shroudKey - encrypt the private key for export.  This value should 
+ *		always be true.  lower level code will not allow the export
+ *		of unencrypted private keys.
+ *	algorithm - the algorithm with which to encrypt the private key
+ *	pwitem - the password to encrypt the private key with
+ *	keyId - the keyID attribute
+ *	nickName - the nickname attribute
+ */
+SECStatus
+SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
+			void *nestedDest, CERTCertificate *cert,
+			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
+			SECItem *keyId, SECItem *nickName)
+{
+    void *mark;
+    void *keyItem;
+    SECOidTag keyType;
+    SECStatus rv = SECFailure;
+    SECItem nickname = {siBuffer,NULL,0}, uniPwitem = {siBuffer, NULL, 0};
+    sec_PKCS12SafeBag *returnBag;
+
+    if(!p12ctxt || !cert || !safe) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* retrieve the key based upon the type that it is and 
+     * specify the type of safeBag to store the key in
+     */	   
+    if(!shroudKey) {
+
+	/* extract the key unencrypted.  this will most likely go away */
+	SECKEYPrivateKeyInfo *pki = PK11_ExportPrivateKeyInfo(cert, 
+							      p12ctxt->wincx);
+	if(!pki) {
+	    PORT_ArenaRelease(p12ctxt->arena, mark);
+	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	    return SECFailure;
+	}   
+	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECKEYPrivateKeyInfo));
+	if(!keyItem) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	rv = SECKEY_CopyPrivateKeyInfo(p12ctxt->arena, 
+				       (SECKEYPrivateKeyInfo *)keyItem, pki);
+	keyType = SEC_OID_PKCS12_V1_KEY_BAG_ID;
+	SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
+    } else {
+
+	/* extract the key encrypted */
+	SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+	PK11SlotInfo *slot = NULL;
+
+	if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
+				 pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/* we want to make sure to take the key out of the key slot */
+	if(PK11_IsInternal(p12ctxt->slot)) {
+	    slot = PK11_GetInternalKeySlot();
+	} else {
+	    slot = PK11_ReferenceSlot(p12ctxt->slot);
+	}
+
+	epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, 
+						  &uniPwitem, cert, 1, 
+						  p12ctxt->wincx);
+	PK11_FreeSlot(slot);
+	if(!epki) {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	    goto loser;
+	}   
+	
+	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, 
+				  sizeof(SECKEYEncryptedPrivateKeyInfo));
+	if(!keyItem) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena, 
+					(SECKEYEncryptedPrivateKeyInfo *)keyItem,
+					epki);
+	keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
+	SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+	
+    /* if no nickname specified, let's see if the certificate has a 
+     * nickname.
+     */					  
+    if(!nickName) {
+	if(cert->nickname) {
+	    nickname.data = (unsigned char *)cert->nickname;
+	    nickname.len = PORT_Strlen(cert->nickname);
+	    nickName = &nickname;
+	}
+    }
+
+    /* create the safe bag and set any attributes */
+    returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
+    if(!returnBag) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(nickName) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
+				       SEC_OID_PKCS9_FRIENDLY_NAME, nickName) 
+				       != SECSuccess) {
+	    goto loser;
+	}
+    }
+	   
+    if(keyId) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+				       keyId) != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
+					  (sec_PKCS12SafeContents*)nestedDest, 
+					  returnBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
+    }
+
+loser:
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    } else {
+	PORT_ArenaUnmark(p12ctxt->arena, mark);
+    }
+
+    return rv;
+}
+
+/* SEC_PKCS12AddCertOrChainAndKey
+ *	Add a certificate and key pair to be exported.
+ *
+ *	p12ctxt          - the export context 
+ * 	certSafe         - the safeInfo where the cert is stored
+ *	certNestedDest   - the nested safeContents to store the cert
+ *	keySafe          - the safeInfo where the key is stored
+ *	keyNestedDest    - the nested safeContents to store the key
+ *	shroudKey        - extract the private key encrypted?
+ *	pwitem           - the password with which the key is encrypted
+ *	algorithm        - the algorithm with which the key is encrypted
+ *	includeCertChain - also add certs from chain to bag.
+ */
+SECStatus
+SEC_PKCS12AddCertOrChainAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			       void *certSafe, void *certNestedDest, 
+			       CERTCertificate *cert, CERTCertDBHandle *certDb,
+			       void *keySafe, void *keyNestedDest, 
+			       PRBool shroudKey, SECItem *pwitem, 
+			       SECOidTag algorithm, PRBool includeCertChain)
+{
+    SECStatus rv = SECFailure;
+    SGNDigestInfo *digest = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt || !certSafe || !keySafe || !cert) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* generate the thumbprint of the cert to use as a keyId */
+    digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
+    if(!digest) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	return SECFailure;
+    }
+
+    /* add the certificate */
+    rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe, 
+			   (SEC_PKCS12SafeInfo*)certNestedDest, cert, certDb,
+    			   &digest->digest, includeCertChain);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* add the key */
+    rv = SEC_PKCS12AddKeyForCert(p12ctxt, (SEC_PKCS12SafeInfo*)keySafe, 
+				 keyNestedDest, cert, 
+    				 shroudKey, algorithm, pwitem, 
+    				 &digest->digest, NULL );
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    SGN_DestroyDigestInfo(digest);
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    SGN_DestroyDigestInfo(digest);
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    
+    return SECFailure; 
+}
+
+/* like SEC_PKCS12AddCertOrChainAndKey, but always adds cert chain */
+SECStatus
+SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, 
+			CERTCertificate *cert, CERTCertDBHandle *certDb,
+			void *keySafe, void *keyNestedDest, 
+			PRBool shroudKey, SECItem *pwItem, SECOidTag algorithm)
+{
+    return SEC_PKCS12AddCertOrChainAndKey(p12ctxt, certSafe, certNestedDest,
+    		cert, certDb, keySafe, keyNestedDest, shroudKey, pwItem, 
+		algorithm, PR_TRUE);
+}
+
+
+/* SEC_PKCS12CreateNestedSafeContents
+ * 	Allows nesting of safe contents to be implemented.  No limit imposed on 
+ *	depth.  
+ *
+ *	p12ctxt - the export context 
+ *	baseSafe - the base safeInfo 
+ *	nestedDest - a parent safeContents (?)
+ */
+void *
+SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
+				   void *baseSafe, void *nestedDest)
+{
+    sec_PKCS12SafeContents *newSafe;
+    sec_PKCS12SafeBag *safeContentsBag;
+    void *mark;
+    SECStatus rv;
+
+    if(!p12ctxt || !baseSafe) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    newSafe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
+    if(!newSafe) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* create the safeContents safeBag */
+    safeContentsBag = sec_PKCS12CreateSafeBag(p12ctxt, 
+					SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
+					newSafe);
+    if(!safeContentsBag) {
+	goto loser;
+    }
+
+    /* append the safeContents to the appropriate area */
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
+					   (sec_PKCS12SafeContents*)nestedDest,
+					   safeContentsBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, (SEC_PKCS12SafeInfo*)baseSafe, 
+				   safeContentsBag);
+    }
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return newSafe;
+
+loser:
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/*********************************
+ * Encoding routines
+ *********************************/
+
+/* set up the encoder context based on information in the export context
+ * and return the newly allocated enocoder context.  A return of NULL 
+ * indicates an error occurred. 
+ */
+sec_PKCS12EncoderContext *
+sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
+{
+    sec_PKCS12EncoderContext *p12enc = NULL;
+    unsigned int i, nonEmptyCnt;
+    SECStatus rv;
+    SECItem ignore = {0};
+    void *mark;
+
+    if(!p12exp || !p12exp->safeInfos) {
+	return NULL;
+    }
+
+    /* check for any empty safes and skip them */
+    i = nonEmptyCnt = 0;
+    while(p12exp->safeInfos[i]) {
+	if(p12exp->safeInfos[i]->itemCount) {
+	    nonEmptyCnt++;
+	}
+	i++;
+    }
+    if(nonEmptyCnt == 0) {
+	return NULL;
+    }
+    p12exp->authSafe.encodedSafes[nonEmptyCnt] = NULL;
+
+    /* allocate the encoder context */
+    mark = PORT_ArenaMark(p12exp->arena);
+    p12enc = PORT_ArenaZNew(p12exp->arena, sec_PKCS12EncoderContext);
+    if(!p12enc) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p12enc->arena = p12exp->arena;
+    p12enc->p12exp = p12exp;
+
+    /* set up the PFX version and information */
+    PORT_Memset(&p12enc->pfx, 0, sizeof(sec_PKCS12PFXItem));
+    if(!SEC_ASN1EncodeInteger(p12exp->arena, &(p12enc->pfx.version), 
+    			      SEC_PKCS12_VERSION) ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    	goto loser;
+    }
+
+    /* set up the authenticated safe content info based on the 
+     * type of integrity being used.  this should be changed to
+     * enforce integrity mode, but will not be implemented until
+     * it is confirmed that integrity must be in place
+     */
+    if(p12exp->integrityEnabled && !p12exp->pwdIntegrity) {
+	SECStatus rv;
+
+	/* create public key integrity mode */
+	p12enc->aSafeCinfo = SEC_PKCS7CreateSignedData(
+				p12exp->integrityInfo.pubkeyInfo.cert,
+				certUsageEmailSigner,
+				p12exp->integrityInfo.pubkeyInfo.certDb,
+				p12exp->integrityInfo.pubkeyInfo.algorithm,
+				NULL,
+				p12exp->pwfn,
+				p12exp->pwfnarg);
+	if(!p12enc->aSafeCinfo) {
+	    goto loser;
+	}
+	if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
+	    goto loser;
+	}
+	rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
+	PORT_Assert(rv == SECSuccess);
+    } else {
+	p12enc->aSafeCinfo = SEC_PKCS7CreateData();
+
+	/* init password pased integrity mode */
+	if(p12exp->integrityEnabled) {
+	    SECItem  pwd = {siBuffer,NULL, 0};
+	    SECItem *salt = sec_pkcs12_generate_salt();
+	    PK11SymKey *symKey;
+	    SECItem *params;
+	    CK_MECHANISM_TYPE integrityMechType;
+	    CK_MECHANISM_TYPE hmacMechType;
+
+	    /* zero out macData and set values */
+	    PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData));
+
+	    if(!salt) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    if(SECITEM_CopyItem(p12exp->arena, &(p12enc->mac.macSalt), salt) 
+			!= SECSuccess) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }   
+
+	    /* generate HMAC key */
+	    if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd, 
+			p12exp->integrityInfo.pwdInfo.password, PR_TRUE, 
+			PR_TRUE, PR_TRUE)) {
+		goto loser;
+	    }
+	    /*
+	     * This code only works with PKCS #12 Mac using PKCS #5 v1
+	     * PBA keygens. PKCS #5 v2 support will require a change to
+	     * the PKCS #12 spec.
+	     */
+	    params = PK11_CreatePBEParams(salt, &pwd, 1);
+	    SECITEM_ZfreeItem(salt, PR_TRUE);
+	    SECITEM_ZfreeItem(&pwd, PR_FALSE);
+
+	    /* get the PBA Mechanism to generate the key */
+	    switch (p12exp->integrityInfo.pwdInfo.algorithm) {
+	    case SEC_OID_SHA1:
+		integrityMechType = CKM_PBA_SHA1_WITH_SHA1_HMAC; break;
+	    case SEC_OID_MD5:
+		integrityMechType = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
+	    case SEC_OID_MD2:
+		integrityMechType = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
+	    default:
+		goto loser;
+	    }
+
+	    /* generate the key */
+	    symKey = PK11_KeyGen(NULL, integrityMechType, params, 20, NULL);
+	    PK11_DestroyPBEParams(params);
+	    if(!symKey) {
+		goto loser;
+	    }
+
+	    /* initialize HMAC */
+	    /* Get the HMAC mechanism from the hash OID */
+	    hmacMechType=  sec_pkcs12_algtag_to_mech( 
+	                              p12exp->integrityInfo.pwdInfo.algorithm);
+
+	    p12enc->hmacCx = PK11_CreateContextBySymKey( hmacMechType,
+						 CKA_SIGN, symKey, &ignore);
+
+	    PK11_FreeSymKey(symKey);
+	    if(!p12enc->hmacCx) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    rv = PK11_DigestBegin(p12enc->hmacCx);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+    }
+
+    if(!p12enc->aSafeCinfo) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12exp->arena, mark);
+
+    return p12enc;
+
+loser:
+    if(p12enc) {
+	if(p12enc->aSafeCinfo) {
+	    SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
+	}
+	if(p12enc->hmacCx) {
+	    PK11_DestroyContext(p12enc->hmacCx, PR_TRUE);
+	}
+    }
+    if (p12exp->arena != NULL)
+	PORT_ArenaRelease(p12exp->arena, mark);
+
+    return NULL;
+}
+
+/* The outermost ASN.1 encoder calls this function for output.
+** This function calls back to the library caller's output routine,
+** which typically writes to a PKCS12 file.
+ */
+static void
+sec_P12A1OutputCB_Outer(void *arg, const char *buf, unsigned long len,
+		       int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct sec_pkcs12_encoder_output *output;
+
+    output = (struct sec_pkcs12_encoder_output*)arg;
+    (* output->outputfn)(output->outputarg, buf, len);
+}
+
+/* The "middle" and "inner" ASN.1 encoders call this function to output. 
+** This function does HMACing, if appropriate, and then buffers the data.
+** The buffered data is eventually passed down to the underlying PKCS7 encoder.
+ */
+static void
+sec_P12A1OutputCB_HmacP7Update(void *arg, const char *buf,
+			       unsigned long        len, 
+			       int                  depth,
+			       SEC_ASN1EncodingPart data_kind)
+{
+    sec_pkcs12OutputBuffer *  bufcx = (sec_pkcs12OutputBuffer *)arg;
+
+    if(!buf || !len) 
+	return;
+
+    if (bufcx->hmacCx) {
+	PK11_DigestOp(bufcx->hmacCx, (unsigned char *)buf, len);
+    }
+
+    /* buffer */
+    if (bufcx->numBytes > 0) {
+	int toCopy;
+	if (len + bufcx->numBytes <= bufcx->bufBytes) {
+	    memcpy(bufcx->buf + bufcx->numBytes, buf, len);
+	    bufcx->numBytes += len;
+	    if (bufcx->numBytes < bufcx->bufBytes) 
+	    	return;
+	    SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->bufBytes);
+	    bufcx->numBytes = 0;
+	    return;
+	} 
+	toCopy = bufcx->bufBytes - bufcx->numBytes;
+	memcpy(bufcx->buf + bufcx->numBytes, buf, toCopy);
+	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->bufBytes);
+	bufcx->numBytes = 0;
+	len -= toCopy;
+	buf += toCopy;
+    } 
+    /* buffer is presently empty */
+    if (len >= bufcx->bufBytes) {
+	/* Just pass it through */
+	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, buf, len);
+    } else {
+	/* copy it all into the buffer, and return */
+	memcpy(bufcx->buf, buf, len);
+	bufcx->numBytes = len;
+    }
+}
+
+void
+sec_FlushPkcs12OutputBuffer( sec_pkcs12OutputBuffer *  bufcx)
+{
+    if (bufcx->numBytes > 0) {
+	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->numBytes);
+	bufcx->numBytes = 0;
+    }
+}
+
+/* Feeds the output of a PKCS7 encoder into the next outward ASN.1 encoder.
+** This function is used by both the inner and middle PCS7 encoders.
+*/
+static void
+sec_P12P7OutputCB_CallA1Update(void *arg, const char *buf, unsigned long len)
+{
+    SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext*)arg;
+
+    if (!buf || !len) 
+    	return;
+
+    SEC_ASN1EncoderUpdate(cx, buf, len);
+}
+
+
+/* this function encodes content infos which are part of the
+ * sequence of content infos labeled AuthenticatedSafes 
+ */
+static SECStatus 
+sec_pkcs12_encoder_asafe_process(sec_PKCS12EncoderContext *p12ecx)
+{
+    SEC_PKCS7EncoderContext *innerP7ecx;
+    SEC_PKCS7ContentInfo    *cinfo;
+    PK11SymKey              *bulkKey      = NULL;
+    SEC_ASN1EncoderContext  *innerA1ecx   = NULL;
+    SECStatus                rv           = SECSuccess;
+
+    if(p12ecx->currentSafe < p12ecx->p12exp->authSafe.safeCount) {
+	SEC_PKCS12SafeInfo *safeInfo;
+	SECOidTag cinfoType;
+
+	safeInfo = p12ecx->p12exp->safeInfos[p12ecx->currentSafe];
+
+	/* skip empty safes */
+	if(safeInfo->itemCount == 0) {
+	    return SECSuccess;
+	}
+
+	cinfo = safeInfo->cinfo;
+	cinfoType = SEC_PKCS7ContentType(cinfo);
+
+	/* determine the safe type and set the appropriate argument */
+	switch(cinfoType) {
+	    case SEC_OID_PKCS7_DATA:
+	    case SEC_OID_PKCS7_ENVELOPED_DATA:
+		break;
+	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+		bulkKey = safeInfo->encryptionKey;
+		PK11_SetSymKeyUserData(bulkKey, &safeInfo->pwitem, NULL);
+		break;
+	    default:
+		return SECFailure;
+
+	}
+
+	/* start the PKCS7 encoder */
+	innerP7ecx = SEC_PKCS7EncoderStart(cinfo, 
+				  sec_P12P7OutputCB_CallA1Update,
+				  p12ecx->middleA1ecx, bulkKey);
+	if(!innerP7ecx) {
+	    goto loser;
+	}
+
+	/* encode safe contents */
+	p12ecx->innerBuf.p7eCx    = innerP7ecx;
+	p12ecx->innerBuf.hmacCx   = NULL;
+	p12ecx->innerBuf.numBytes = 0;
+	p12ecx->innerBuf.bufBytes = sizeof p12ecx->innerBuf.buf;
+
+	innerA1ecx = SEC_ASN1EncoderStart(safeInfo->safe, 
+	                           sec_PKCS12SafeContentsTemplate,
+				   sec_P12A1OutputCB_HmacP7Update, 
+				   &p12ecx->innerBuf);
+	if(!innerA1ecx) {
+	    goto loser;
+	}   
+	rv = SEC_ASN1EncoderUpdate(innerA1ecx, NULL, 0);
+	SEC_ASN1EncoderFinish(innerA1ecx);
+	sec_FlushPkcs12OutputBuffer( &p12ecx->innerBuf);
+	innerA1ecx = NULL;
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+
+	/* finish up safe content info */
+	rv = SEC_PKCS7EncoderFinish(innerP7ecx, p12ecx->p12exp->pwfn, 
+				    p12ecx->p12exp->pwfnarg);
+    }
+    memset(&p12ecx->innerBuf, 0, sizeof p12ecx->innerBuf);
+    return SECSuccess;
+
+loser:
+    if(innerP7ecx) {
+	SEC_PKCS7EncoderFinish(innerP7ecx, p12ecx->p12exp->pwfn, 
+			       p12ecx->p12exp->pwfnarg);
+    }
+
+    if(innerA1ecx) {
+	SEC_ASN1EncoderFinish(innerA1ecx);
+    }
+    memset(&p12ecx->innerBuf, 0, sizeof p12ecx->innerBuf);
+    return SECFailure;
+}
+
+/* finish the HMAC and encode the macData so that it can be
+ * encoded.
+ */
+static SECStatus
+sec_Pkcs12FinishMac(sec_PKCS12EncoderContext *p12ecx)
+{
+    SECItem hmac = { siBuffer, NULL, 0 };
+    SECStatus rv;
+    SGNDigestInfo *di = NULL;
+    void *dummy;
+
+    if(!p12ecx) {
+	return SECFailure;
+    }
+
+    /* make sure we are using password integrity mode */
+    if(!p12ecx->p12exp->integrityEnabled) {
+	return SECSuccess;
+    }
+
+    if(!p12ecx->p12exp->pwdIntegrity) {
+	return SECSuccess;
+    }
+
+    /* finish the hmac */
+    hmac.data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
+    if(!hmac.data) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    rv = PK11_DigestFinal(p12ecx->hmacCx, hmac.data, &hmac.len, SHA1_LENGTH);
+
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* create the digest info */
+    di = SGN_CreateDigestInfo(p12ecx->p12exp->integrityInfo.pwdInfo.algorithm,
+    			      hmac.data, hmac.len);
+    if(!di) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SGN_CopyDigestInfo(p12ecx->arena, &p12ecx->mac.safeMac, di);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* encode the mac data */
+    dummy = SEC_ASN1EncodeItem(p12ecx->arena, &p12ecx->pfx.encodedMacData, 
+    			    &p12ecx->mac, sec_PKCS12MacDataTemplate);
+    if(!dummy) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+    }
+
+loser:
+    if(di) {
+	SGN_DestroyDigestInfo(di);
+    }
+    if(hmac.data) {
+	SECITEM_ZfreeItem(&hmac, PR_FALSE);
+    }
+    PK11_DestroyContext(p12ecx->hmacCx, PR_TRUE);
+    p12ecx->hmacCx = NULL;
+
+    return rv;
+}
+
+/* pfx notify function for ASN1 encoder.  
+ * We want to stop encoding once we reach the authenticated safe.  
+ * At that point, the encoder will be updated via streaming
+ * as the authenticated safe is  encoded. 
+ */
+static void
+sec_pkcs12_encoder_pfx_notify(void *arg, PRBool before, void *dest, int real_depth)
+{
+    sec_PKCS12EncoderContext *p12ecx;
+
+    if(!before) {
+	return;
+    }
+
+    /* look for authenticated safe */
+    p12ecx = (sec_PKCS12EncoderContext*)arg;
+    if(dest != &p12ecx->pfx.encodedAuthSafe) {
+	return;
+    }
+
+    SEC_ASN1EncoderSetTakeFromBuf(p12ecx->outerA1ecx);
+    SEC_ASN1EncoderSetStreaming(p12ecx->outerA1ecx);
+    SEC_ASN1EncoderClearNotifyProc(p12ecx->outerA1ecx);
+}
+
+/* SEC_PKCS12Encode
+ *	Encodes the PFX item and returns it to the output function, via
+ *	callback.  the output function must be capable of multiple updates.
+ *	
+ *	p12exp - the export context 
+ *	output - the output function callback, will be called more than once,
+ *		 must be able to accept streaming data.
+ *	outputarg - argument for the output callback.
+ */
+SECStatus
+SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
+		 SEC_PKCS12EncoderOutputCallback output, void *outputarg)
+{
+    sec_PKCS12EncoderContext *p12enc;
+    struct sec_pkcs12_encoder_output outInfo;
+    SECStatus rv;
+
+    if(!p12exp || !output) {
+	return SECFailure;
+    }
+
+    /* get the encoder context */
+    p12enc = sec_pkcs12_encoder_start_context(p12exp);
+    if(!p12enc) {
+	return SECFailure;
+    }
+
+    outInfo.outputfn = output;
+    outInfo.outputarg = outputarg;
+
+    /* set up PFX encoder, the "outer" encoder.  Set it for streaming */
+    p12enc->outerA1ecx = SEC_ASN1EncoderStart(&p12enc->pfx, 
+                                       sec_PKCS12PFXItemTemplate,
+				       sec_P12A1OutputCB_Outer, 
+				       &outInfo);
+    if(!p12enc->outerA1ecx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+    SEC_ASN1EncoderSetStreaming(p12enc->outerA1ecx);
+    SEC_ASN1EncoderSetNotifyProc(p12enc->outerA1ecx, 
+                                 sec_pkcs12_encoder_pfx_notify, p12enc);
+    rv = SEC_ASN1EncoderUpdate(p12enc->outerA1ecx, NULL, 0);
+    if(rv != SECSuccess) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* set up asafe cinfo - the output of the encoder feeds the PFX encoder */
+    p12enc->middleP7ecx = SEC_PKCS7EncoderStart(p12enc->aSafeCinfo, 
+				       sec_P12P7OutputCB_CallA1Update,
+				       p12enc->outerA1ecx, NULL);
+    if(!p12enc->middleP7ecx) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* encode asafe */
+    p12enc->middleBuf.p7eCx    = p12enc->middleP7ecx;
+    p12enc->middleBuf.hmacCx   = NULL;
+    p12enc->middleBuf.numBytes = 0;
+    p12enc->middleBuf.bufBytes = sizeof p12enc->middleBuf.buf;
+
+    /* Setup the "inner ASN.1 encoder for Authenticated Safes.  */
+    if(p12enc->p12exp->integrityEnabled && 
+       p12enc->p12exp->pwdIntegrity) {
+	p12enc->middleBuf.hmacCx = p12enc->hmacCx;
+    }
+    p12enc->middleA1ecx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
+			    sec_PKCS12AuthenticatedSafeTemplate,
+			    sec_P12A1OutputCB_HmacP7Update,
+			    &p12enc->middleBuf);
+    if(!p12enc->middleA1ecx) {
+	rv = SECFailure;
+	goto loser;
+    }
+    SEC_ASN1EncoderSetStreaming(p12enc->middleA1ecx);
+    SEC_ASN1EncoderSetTakeFromBuf(p12enc->middleA1ecx); 
+	
+    /* encode each of the safes */			 
+    while(p12enc->currentSafe != p12enc->p12exp->safeInfoCount) {
+	sec_pkcs12_encoder_asafe_process(p12enc);
+	p12enc->currentSafe++;
+    }
+    SEC_ASN1EncoderClearTakeFromBuf(p12enc->middleA1ecx);
+    SEC_ASN1EncoderClearStreaming(p12enc->middleA1ecx);
+    SEC_ASN1EncoderUpdate(p12enc->middleA1ecx, NULL, 0);
+    SEC_ASN1EncoderFinish(p12enc->middleA1ecx);
+
+    sec_FlushPkcs12OutputBuffer( &p12enc->middleBuf);
+
+    /* finish the encoding of the authenticated safes */
+    rv = SEC_PKCS7EncoderFinish(p12enc->middleP7ecx, p12exp->pwfn, 
+    				p12exp->pwfnarg);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    SEC_ASN1EncoderClearTakeFromBuf(p12enc->outerA1ecx);
+    SEC_ASN1EncoderClearStreaming(p12enc->outerA1ecx);
+
+    /* update the mac, if necessary */
+    rv = sec_Pkcs12FinishMac(p12enc);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+   
+    /* finish encoding the pfx */ 
+    rv = SEC_ASN1EncoderUpdate(p12enc->outerA1ecx, NULL, 0);
+
+    SEC_ASN1EncoderFinish(p12enc->outerA1ecx);
+
+loser:
+    return rv;
+}
+
+void
+SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12ecx)
+{
+    int i = 0;
+
+    if(!p12ecx) {
+	return;
+    }
+
+    if(p12ecx->safeInfos) {
+	i = 0;
+	while(p12ecx->safeInfos[i] != NULL) {
+	    if(p12ecx->safeInfos[i]->encryptionKey) {
+		PK11_FreeSymKey(p12ecx->safeInfos[i]->encryptionKey);
+	    }
+	    if(p12ecx->safeInfos[i]->cinfo) {
+		SEC_PKCS7DestroyContentInfo(p12ecx->safeInfos[i]->cinfo);
+	    }
+	    i++;
+	}
+    }
+
+    PK11_FreeSlot(p12ecx->slot);
+
+    PORT_FreeArena(p12ecx->arena, PR_TRUE);
+}
+
diff --git a/security/nss/lib/pkcs12/p12exp.c b/security/nss/lib/pkcs12/p12exp.c
new file mode 100644
index 000000000..b9ae89241
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12exp.c
@@ -0,0 +1,1410 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "pkcs12.h"
+#include "p12local.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "p12plcy.h"
+
+/* release the memory taken up by the list of nicknames */
+static void
+sec_pkcs12_destroy_nickname_list(SECItem **nicknames)
+{
+    int i = 0;
+
+    if(nicknames == NULL) {
+	return;
+    }
+
+    while(nicknames[i] != NULL) {
+	SECITEM_FreeItem(nicknames[i], PR_FALSE);
+	i++;
+    }
+
+    PORT_Free(nicknames);
+}
+   
+/* release the memory taken up by the list of certificates */ 
+static void
+sec_pkcs12_destroy_certificate_list(CERTCertificate **ref_certs)
+{
+    int i = 0;
+
+    if(ref_certs == NULL) {
+	return;
+    }
+
+    while(ref_certs[i] != NULL) {
+	CERT_DestroyCertificate(ref_certs[i]);
+	i++;
+    }
+}
+
+static void
+sec_pkcs12_destroy_cinfos_for_cert_bags(SEC_PKCS12CertAndCRLBag *certBag)
+{
+    int j = 0;
+    j = 0;
+    while(certBag->certAndCRLs[j] != NULL) {
+	SECOidTag certType = SECOID_FindOIDTag(&certBag->certAndCRLs[j]->BagID);
+	if(certType == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
+	    SEC_PKCS12X509CertCRL *x509;
+	    x509 = certBag->certAndCRLs[j]->value.x509;
+	    SEC_PKCS7DestroyContentInfo(&x509->certOrCRL);
+	}
+	j++;
+    }
+}
+
+/* destroy all content infos since they were not allocated in common
+ * pool
+ */
+static void
+sec_pkcs12_destroy_cert_content_infos(SEC_PKCS12SafeContents *safe,
+				      SEC_PKCS12Baggage *baggage)
+{
+    int i, j;
+
+    if((safe != NULL) && (safe->contents != NULL)) {
+	i = 0;
+	while(safe->contents[i] != NULL) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
+	    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
+		SEC_PKCS12CertAndCRLBag *certBag;
+		certBag = safe->contents[i]->safeContent.certAndCRLBag;
+		sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
+	    }
+	    i++;
+	}
+    }
+
+    if((baggage != NULL) && (baggage->bags != NULL)) {
+	i = 0;
+	while(baggage->bags[i] != NULL) { 
+	    if(baggage->bags[i]->unencSecrets != NULL) {
+		j = 0;
+		while(baggage->bags[i]->unencSecrets[j] != NULL) {
+		    SECOidTag bagType;
+		    bagType = SECOID_FindOIDTag(&baggage->bags[i]->unencSecrets[j]->safeBagType);
+		    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
+			SEC_PKCS12CertAndCRLBag *certBag;
+			certBag = baggage->bags[i]->unencSecrets[j]->safeContent.certAndCRLBag;
+			sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+}
+
+/* convert the nickname list from a NULL termincated Char list
+ * to a NULL terminated SECItem list
+ */
+static SECItem **
+sec_pkcs12_convert_nickname_list(char **nicknames)
+{
+    SECItem **nicks;
+    int i, j;
+    PRBool error = PR_FALSE;
+
+    if(nicknames == NULL) {
+	return NULL;
+    }
+
+    i = j = 0;
+    while(nicknames[i] != NULL) {
+	i++;
+    }
+
+    /* allocate the space and copy the data */	
+    nicks = (SECItem **)PORT_ZAlloc(sizeof(SECItem *) * (i + 1));
+    if(nicks != NULL) {
+	for(j = 0; ((j < i) && (error == PR_FALSE)); j++) {
+	    nicks[j] = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	    if(nicks[j] != NULL) {
+		nicks[j]->data = 
+		    (unsigned char *)PORT_ZAlloc(PORT_Strlen(nicknames[j])+1);
+		if(nicks[j]->data != NULL) {
+		    nicks[j]->len = PORT_Strlen(nicknames[j]);
+		    PORT_Memcpy(nicks[j]->data, nicknames[j], nicks[j]->len);
+		    nicks[j]->data[nicks[j]->len] = 0;
+		} else {
+		    error = PR_TRUE;
+		}
+	    } else {
+	       error = PR_TRUE;
+	    }
+	}
+    }
+
+    if(error == PR_TRUE) {
+        for(i = 0; i < j; i++) { 
+	    SECITEM_FreeItem(nicks[i], PR_TRUE);
+	}
+	PORT_Free(nicks);
+	nicks = NULL;
+    }
+
+    return nicks;
+}
+
+/* package the certificate add_cert into PKCS12 structures,
+ * retrieve the certificate chain for the cert and return
+ * the packaged contents.
+ * poolp -- common memory pool;
+ * add_cert -- certificate to package up
+ * nickname for the certificate 
+ * a return of NULL indicates an error
+ */
+static SEC_PKCS12CertAndCRL *
+sec_pkcs12_get_cert(PRArenaPool *poolp,
+		       CERTCertificate *add_cert, 
+		       SECItem *nickname)
+{
+    SEC_PKCS12CertAndCRL *cert;
+    SEC_PKCS7ContentInfo *cinfo;
+    SGNDigestInfo *t_di;
+    void *mark;
+    SECStatus rv;
+
+    if((poolp == NULL) || (add_cert == NULL) || (nickname == NULL)) {
+    	return NULL;
+    }
+    mark = PORT_ArenaMark(poolp);
+
+    cert = sec_pkcs12_new_cert_crl(poolp, SEC_OID_PKCS12_X509_CERT_CRL_BAG);
+    if(cert != NULL) {
+
+	/* copy the nickname */
+	rv = SECITEM_CopyItem(poolp, &cert->nickname, nickname);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    cert = NULL;
+	} else {
+
+	    /* package the certificate and cert chain into a NULL signer
+	     * PKCS 7 SignedData content Info and prepare it for encoding 
+	     * since we cannot use DER_ANY_TEMPLATE
+	     */
+	    cinfo = SEC_PKCS7CreateCertsOnly(add_cert, PR_TRUE, NULL);
+	    rv = SEC_PKCS7PrepareForEncode(cinfo, NULL, NULL, NULL);
+
+	    /* thumbprint the certificate */
+	    if((cinfo != NULL) && (rv == SECSuccess))
+	    {
+		PORT_Memcpy(&cert->value.x509->certOrCRL, cinfo, sizeof(*cinfo));
+		t_di = sec_pkcs12_compute_thumbprint(&add_cert->derCert);
+		if(t_di != NULL)
+		{
+		    /* test */
+		    rv = SGN_CopyDigestInfo(poolp, &cert->value.x509->thumbprint,
+		    			    t_di);
+		    if(rv != SECSuccess) {
+			cert = NULL;
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    }
+		    SGN_DestroyDigestInfo(t_di);
+		}
+		else
+		    cert = NULL;
+	    }
+	}
+    }
+
+    if (cert == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return cert;
+}
+
+/* package the private key associated with the certificate and 
+ * return the appropriate PKCS 12 structure 
+ * poolp common memory pool
+ * nickname key nickname
+ * cert -- cert to look up
+ * wincx -- window handle 
+ * an error is indicated by a return of NULL
+ */
+static SEC_PKCS12PrivateKey *
+sec_pkcs12_get_private_key(PRArenaPool *poolp,
+			   SECItem *nickname,
+			   CERTCertificate *cert,
+			   void *wincx)
+{
+    SECKEYPrivateKeyInfo *pki;
+    SEC_PKCS12PrivateKey *pk;
+    SECStatus rv;
+    void *mark;
+
+    if((poolp == NULL) || (nickname == NULL)) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* retrieve key from the data base */
+    pki = PK11_ExportPrivateKeyInfo(nickname, cert, wincx);
+    if(pki == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	return NULL;
+    }
+
+    pk = (SEC_PKCS12PrivateKey *)PORT_ArenaZAlloc(poolp,
+						  sizeof(SEC_PKCS12PrivateKey));
+    if(pk != NULL) {
+	rv = sec_pkcs12_init_pvk_data(poolp, &pk->pvkData);
+
+	if(rv == SECSuccess) {
+	    /* copy the key into poolp memory space */
+	    rv = SECKEY_CopyPrivateKeyInfo(poolp, &pk->pkcs8data, pki);
+	    if(rv == SECSuccess) {
+		rv = SECITEM_CopyItem(poolp, &pk->pvkData.nickname, nickname);
+	    }
+	}
+
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    pk = NULL;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY); 
+    }
+
+    /* destroy private key, zeroing out data */
+    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
+    if (pk == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return pk;
+}
+
+/* get a shrouded key item associated with a certificate
+ * return the appropriate PKCS 12 structure 
+ * poolp common memory pool
+ * nickname key nickname
+ * cert -- cert to look up
+ * wincx -- window handle 
+ * an error is indicated by a return of NULL
+ */
+static SEC_PKCS12ESPVKItem *
+sec_pkcs12_get_shrouded_key(PRArenaPool *poolp,
+			    SECItem *nickname,
+			    CERTCertificate *cert,
+			    SECOidTag algorithm, 
+			    SECItem *pwitem,
+			    PKCS12UnicodeConvertFunction unicodeFn,
+			    void *wincx)
+{
+    SECKEYEncryptedPrivateKeyInfo *epki;
+    SEC_PKCS12ESPVKItem *pk;
+    void *mark;
+    SECStatus rv;
+    PK11SlotInfo *slot = NULL;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+
+    if((poolp == NULL) || (nickname == NULL))
+	return NULL;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* use internal key slot */
+    slot = PK11_GetInternalKeySlot();
+
+    /* retrieve encrypted prviate key */
+    epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, pwitem, 
+    					      nickname, cert, 1, 0, NULL);
+    PK11_FreeSlot(slot);
+    if(epki == NULL) {
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* create a private key and store the data into the poolp memory space */
+    pk = sec_pkcs12_create_espvk(poolp, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING);
+    if(pk != NULL) {
+	rv = sec_pkcs12_init_pvk_data(poolp, &pk->espvkData);
+	rv = SECITEM_CopyItem(poolp, &pk->espvkData.nickname, nickname);
+	pk->espvkCipherText.pkcs8KeyShroud = 
+	    (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
+					sizeof(SECKEYEncryptedPrivateKeyInfo));
+	if((pk->espvkCipherText.pkcs8KeyShroud != NULL)  && (rv == SECSuccess)) {
+	    rv = SECKEY_CopyEncryptedPrivateKeyInfo(poolp, 
+					pk->espvkCipherText.pkcs8KeyShroud, epki);
+	    if(rv == SECSuccess) {
+		rv = (*unicodeFn)(poolp, &pk->espvkData.uniNickName, nickname, 
+				  PR_TRUE, swapUnicodeBytes);
+	    }
+	}
+
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    pk = NULL;
+	}
+    }
+
+    SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
+    if(pk == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+	
+    return pk;
+}
+
+/* add a thumbprint to a private key associated certs list 
+ * pvk is the area where the list is stored
+ * thumb is the thumbprint to copy
+ * a return of SECFailure indicates an error 
+ */
+static SECStatus 
+sec_pkcs12_add_thumbprint(SEC_PKCS12PVKSupportingData *pvk,
+			  SGNDigestInfo *thumb)
+{
+    SGNDigestInfo **thumb_list = NULL;
+    int nthumbs, size;
+    void *mark, *dummy;
+    SECStatus rv = SECFailure;
+
+    if((pvk == NULL) || (thumb == NULL)) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(pvk->poolp);
+
+    thumb_list = pvk->assocCerts;
+    nthumbs = pvk->nThumbs;
+
+    /* allocate list space needed -- either growing or allocating 
+     * list must be NULL terminated 
+     */
+    size = sizeof(SGNDigestInfo *);
+    dummy = PORT_ArenaGrow(pvk->poolp, thumb_list, (size * (nthumbs + 1)),
+    			   (size * (nthumbs + 2)));
+    thumb_list = dummy;
+    if(dummy != NULL) {
+	thumb_list[nthumbs] = (SGNDigestInfo *)PORT_ArenaZAlloc(pvk->poolp, 
+						sizeof(SGNDigestInfo));
+	if(thumb_list[nthumbs] != NULL) {
+	    SGN_CopyDigestInfo(pvk->poolp, thumb_list[nthumbs], thumb);
+	    nthumbs += 1;
+	    thumb_list[nthumbs] = 0;
+	} else {
+	    dummy = NULL;
+	}
+    }
+
+    if(dummy == NULL) {
+    	PORT_ArenaRelease(pvk->poolp, mark);
+	return SECFailure;
+    } 
+
+    pvk->assocCerts = thumb_list;
+    pvk->nThumbs = nthumbs;
+
+    PORT_ArenaUnmark(pvk->poolp, mark);
+    return SECSuccess;
+}
+
+/* search the list of shrouded keys in the baggage for the desired
+ * name.  return a pointer to the item.  a return of NULL indicates
+ * that no match was present or that an error occurred.
+ */
+static SEC_PKCS12ESPVKItem *
+sec_pkcs12_get_espvk_by_name(SEC_PKCS12Baggage *luggage, 
+			     SECItem *name)
+{
+    PRBool found = PR_FALSE;
+    SEC_PKCS12ESPVKItem *espvk = NULL;
+    int i, j;
+    SECComparison rv = SECEqual;
+    SECItem *t_name;
+    SEC_PKCS12BaggageItem *bag;
+
+    if((luggage == NULL) || (name == NULL)) {
+	return NULL;
+    }
+
+    i = 0;
+    while((found == PR_FALSE) && (i < luggage->luggage_size)) {
+	j = 0;
+	bag = luggage->bags[i];
+	while((found == PR_FALSE) && (j < bag->nEspvks)) {
+	    espvk = bag->espvks[j];
+	    if(espvk->poolp == NULL) {
+		espvk->poolp = luggage->poolp;
+	    }
+	    t_name = SECITEM_DupItem(&espvk->espvkData.nickname);
+	    if(t_name != NULL) {
+		rv = SECITEM_CompareItem(name, t_name);
+		if(rv == SECEqual) {
+		    found = PR_TRUE;
+		}
+		SECITEM_FreeItem(t_name, PR_TRUE);
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return NULL;
+	    }
+	    j++;
+	}
+	i++;
+    }
+
+    if(found != PR_TRUE) {
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
+	return NULL;
+    }
+
+    return espvk;
+}
+
+/* locates a certificate and copies the thumbprint to the
+ * appropriate private key
+ */
+static SECStatus 
+sec_pkcs12_propagate_thumbprints(SECItem **nicknames,
+				 CERTCertificate **ref_certs,
+				 SEC_PKCS12SafeContents *safe,
+				 SEC_PKCS12Baggage *baggage)
+{
+    SEC_PKCS12CertAndCRL *cert;
+    SEC_PKCS12PrivateKey *key;
+    SEC_PKCS12ESPVKItem *espvk;
+    int i;
+    PRBool error = PR_FALSE;
+    SECStatus rv = SECFailure;
+
+    if((nicknames == NULL) || (safe == NULL)) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while((nicknames[i] != NULL) && (error == PR_FALSE)) {
+	/* process all certs */
+	cert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
+					SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
+					nicknames[i], NULL);
+	if(cert != NULL) {
+	    /* locate key and copy thumbprint */
+	    key = (SEC_PKCS12PrivateKey *)sec_pkcs12_find_object(safe, baggage,
+	    				SEC_OID_PKCS12_KEY_BAG_ID,
+	    				nicknames[i], NULL);
+	    if(key != NULL) {
+		key->pvkData.poolp = key->poolp;
+		rv = sec_pkcs12_add_thumbprint(&key->pvkData, 
+			&cert->value.x509->thumbprint);
+		if(rv == SECFailure)
+		    error = PR_TRUE;  /* XXX Set error? */
+	    }
+
+	    /* look in the baggage as well...*/
+	    if((baggage != NULL) && (error == PR_FALSE)) {
+		espvk = sec_pkcs12_get_espvk_by_name(baggage, nicknames[i]);
+		if(espvk != NULL) {
+		    espvk->espvkData.poolp = espvk->poolp;
+		    rv = sec_pkcs12_add_thumbprint(&espvk->espvkData,
+			&cert->value.x509->thumbprint);
+		    if(rv == SECFailure)
+			error = PR_TRUE;  /* XXX Set error? */
+		}
+	    }
+	}
+	i++;
+    }
+
+    if(error == PR_TRUE) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* append a safe bag to the end of the safe contents list */
+SECStatus 
+sec_pkcs12_append_safe_bag(SEC_PKCS12SafeContents *safe,
+			   SEC_PKCS12SafeBag *bag)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (safe == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(safe->poolp);
+
+    size = (safe->safe_size * sizeof(SEC_PKCS12SafeBag *));
+    
+    if(safe->safe_size > 0) {
+	dummy = (SEC_PKCS12SafeBag **)PORT_ArenaGrow(safe->poolp, 
+	    				safe->contents, 
+	    				size, 
+	    				(size + sizeof(SEC_PKCS12SafeBag *)));
+	safe->contents = dummy;
+    } else {
+	safe->contents = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(safe->poolp, 
+	    (2 * sizeof(SEC_PKCS12SafeBag *)));
+	dummy = safe->contents;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    safe->contents[safe->safe_size] = bag;
+    safe->safe_size++;
+    safe->contents[safe->safe_size] = NULL;
+
+    PORT_ArenaUnmark(safe->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(safe->poolp, mark);
+    return SECFailure;
+}
+
+/* append a certificate onto the end of a cert bag */
+static SECStatus 
+sec_pkcs12_append_cert_to_bag(PRArenaPool *arena,
+			      SEC_PKCS12SafeBag *safebag,
+			      CERTCertificate *cert,
+			      SECItem *nickname)
+{
+    int size;
+    void *dummy = NULL, *mark = NULL;
+    SEC_PKCS12CertAndCRL *p12cert;
+    SEC_PKCS12CertAndCRLBag *bag;
+
+    if((arena == NULL) || (safebag == NULL) || 
+    	(cert == NULL) || (nickname == NULL)) {
+	return SECFailure;
+    }
+
+    bag = safebag->safeContent.certAndCRLBag;
+    if(bag == NULL) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(arena);
+
+    p12cert = sec_pkcs12_get_cert(arena, cert, nickname);
+    if(p12cert == NULL) {
+	PORT_ArenaRelease(bag->poolp, mark);
+	return SECFailure;
+    }
+
+    size = bag->bag_size * sizeof(SEC_PKCS12CertAndCRL *);
+    if(bag->bag_size > 0) {
+	dummy = (SEC_PKCS12CertAndCRL **)PORT_ArenaGrow(bag->poolp,
+	    bag->certAndCRLs, size, size + sizeof(SEC_PKCS12CertAndCRL *));
+	bag->certAndCRLs = dummy;
+    } else {
+	bag->certAndCRLs = (SEC_PKCS12CertAndCRL **)PORT_ArenaZAlloc(bag->poolp,
+	    (2 * sizeof(SEC_PKCS12CertAndCRL *)));
+	dummy = bag->certAndCRLs;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->certAndCRLs[bag->bag_size] = p12cert;
+    bag->bag_size++;
+    bag->certAndCRLs[bag->bag_size] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* append a key onto the end of a list of keys in a key bag */
+SECStatus 
+sec_pkcs12_append_key_to_bag(SEC_PKCS12SafeBag *safebag,
+			     SEC_PKCS12PrivateKey *pk)
+{
+    void *mark, *dummy;
+    SEC_PKCS12PrivateKeyBag *bag;
+    int size;
+
+    if((safebag == NULL) || (pk == NULL))
+	return SECFailure;
+
+    bag = safebag->safeContent.keyBag;
+    if(bag == NULL) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    size = (bag->bag_size * sizeof(SEC_PKCS12PrivateKey *));
+
+    if(bag->bag_size > 0) {
+	dummy = (SEC_PKCS12PrivateKey **)PORT_ArenaGrow(bag->poolp,
+					bag->privateKeys, 
+					size, 
+					size + sizeof(SEC_PKCS12PrivateKey *));
+	bag->privateKeys = dummy;
+    } else {
+	bag->privateKeys = (SEC_PKCS12PrivateKey **)PORT_ArenaZAlloc(bag->poolp,
+	    (2 * sizeof(SEC_PKCS12PrivateKey *)));
+	dummy = bag->privateKeys;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->privateKeys[bag->bag_size] = pk;
+    bag->bag_size++;
+    bag->privateKeys[bag->bag_size] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    /* XXX Free memory? */
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* append a safe bag to the baggage area */
+static SECStatus 
+sec_pkcs12_append_unshrouded_bag(SEC_PKCS12BaggageItem *bag,
+				 SEC_PKCS12SafeBag *u_bag)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (u_bag == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    /* dump things into the first bag */
+    size = (bag->nSecrets + 1) * sizeof(SEC_PKCS12SafeBag *);
+    dummy = PORT_ArenaGrow(bag->poolp,
+	    		bag->unencSecrets, size, 
+	    		size + sizeof(SEC_PKCS12SafeBag *));
+    bag->unencSecrets = dummy;
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->unencSecrets[bag->nSecrets] = u_bag;
+    bag->nSecrets++;
+    bag->unencSecrets[bag->nSecrets] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* gather up all certificates and keys and package them up
+ * in the safe, baggage, or both.
+ * nicknames is the list of nicknames and corresponding certs in ref_certs
+ * ref_certs a null terminated list of certificates
+ * rSafe, rBaggage -- return areas for safe and baggage
+ * shroud_keys -- store keys externally
+ * pwitem -- password for computing integrity mac and encrypting contents
+ * wincx -- window handle
+ *
+ * if a failure occurs, an error is set and SECFailure returned.
+ */
+static SECStatus
+sec_pkcs12_package_certs_and_keys(SECItem **nicknames,
+				  CERTCertificate **ref_certs,
+				  PRBool unencryptedCerts,
+				  SEC_PKCS12SafeContents **rSafe,
+				  SEC_PKCS12Baggage **rBaggage,
+				  PRBool shroud_keys, 
+				  SECOidTag shroud_alg,
+				  SECItem *pwitem,
+				  PKCS12UnicodeConvertFunction unicodeFn,
+				  void *wincx)
+{
+    PRArenaPool *permArena;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SEC_PKCS12Baggage *baggage = NULL;
+
+    SECStatus rv = SECFailure;
+    PRBool problem = PR_FALSE;
+
+    SEC_PKCS12ESPVKItem *espvk = NULL;
+    SEC_PKCS12PrivateKey *pk = NULL;
+    CERTCertificate *add_cert = NULL;
+    SEC_PKCS12SafeBag *certbag = NULL, *keybag = NULL;
+    SEC_PKCS12BaggageItem *external_bag = NULL;
+    int ncerts = 0, nkeys = 0;
+    int i;
+
+    if((nicknames == NULL) || (rSafe == NULL) || (rBaggage == NULL)) {
+	return SECFailure;
+    }
+	
+    *rBaggage = baggage;
+    *rSafe = safe;
+
+    permArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(permArena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+     }
+
+    /* allocate structures */
+    safe = sec_pkcs12_create_safe_contents(permArena);
+    if(safe == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    certbag = sec_pkcs12_create_safe_bag(permArena, 
+					 SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID);
+    if(certbag == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(shroud_keys != PR_TRUE) {
+	keybag = sec_pkcs12_create_safe_bag(permArena, 
+					    SEC_OID_PKCS12_KEY_BAG_ID);
+	if(keybag == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    }
+
+    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
+	baggage = sec_pkcs12_create_baggage(permArena);
+    	if(baggage == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	external_bag = sec_pkcs12_create_external_bag(baggage);
+    }
+
+    /* package keys and certs */
+    i = 0;
+    while((nicknames[i] != NULL) && (problem == PR_FALSE)) {
+	if(ref_certs[i] != NULL) {
+	    /* append cert to bag o certs */
+	    rv = sec_pkcs12_append_cert_to_bag(permArena, certbag, 
+	    				       ref_certs[i],
+	    				       nicknames[i]);
+	    if(rv == SECFailure) {
+		problem = PR_FALSE;
+	    } else {
+		ncerts++;
+	    }
+
+	    if(rv == SECSuccess) {
+		/* package up them keys */
+		if(shroud_keys == PR_TRUE) {
+	    	    espvk = sec_pkcs12_get_shrouded_key(permArena, 
+							nicknames[i],
+	    	    					ref_certs[i],
+							shroud_alg, 
+							pwitem, unicodeFn,
+							wincx);
+		    if(espvk != NULL) {
+			rv = sec_pkcs12_append_shrouded_key(external_bag, espvk);
+			SECITEM_CopyItem(permArena, &espvk->derCert,
+					 &ref_certs[i]->derCert);
+		    } else {
+			rv = SECFailure;
+		    }
+		} else {
+		    pk = sec_pkcs12_get_private_key(permArena, nicknames[i], 
+		    				    ref_certs[i], wincx);
+		    if(pk != NULL) {
+			rv = sec_pkcs12_append_key_to_bag(keybag, pk);
+			SECITEM_CopyItem(permArena, &espvk->derCert,
+					 &ref_certs[i]->derCert);
+		    } else {
+			rv = SECFailure;
+		    }
+		}
+	
+		if(rv == SECFailure) {
+		    problem = PR_TRUE;
+		} else {
+		    nkeys++;
+		}
+	    }
+	} else {
+	    /* handle only keys here ? */
+	    problem = PR_TRUE;
+	}
+	i++;
+    }
+
+    /* let success fall through */
+loser:
+    if(problem == PR_FALSE) {
+	/* if we have certs, we want to append the cert bag to the 
+	 * appropriate area 
+	 */
+	if(ncerts > 0) {
+	    if(unencryptedCerts != PR_TRUE) {
+		rv = sec_pkcs12_append_safe_bag(safe, certbag);
+	    } else {
+		rv = sec_pkcs12_append_unshrouded_bag(external_bag, certbag);
+	    }
+	} else {
+	    rv = SECSuccess;
+	}
+
+	/* append key bag, if they are stored in safe contents */
+	if((rv == SECSuccess) && (shroud_keys == PR_FALSE) && (nkeys > 0)) {
+	    rv = sec_pkcs12_append_safe_bag(safe, keybag);
+	}
+    } else {
+	rv = SECFailure;
+    }
+
+    /* if baggage not used, NULLify it */
+    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
+	if(((unencryptedCerts == PR_TRUE) && (ncerts == 0)) &&
+	   ((shroud_keys == PR_TRUE) && (nkeys == 0)))
+		baggage = NULL;
+    } else {
+	baggage = NULL;
+    }
+
+    if((problem == PR_TRUE) || (rv == SECFailure)) {
+	PORT_FreeArena(permArena, PR_TRUE);
+	rv = SECFailure;
+	baggage = NULL;
+	safe = NULL;
+    }
+
+    *rBaggage = baggage;
+    *rSafe = safe;
+
+    return rv;
+}
+
+/* DER encode the safe contents and return a SECItem.  if an error
+ * occurs, NULL is returned.
+ */
+static SECItem *
+sec_pkcs12_encode_safe_contents(SEC_PKCS12SafeContents *safe)
+{
+    SECItem *dsafe = NULL, *tsafe;
+    void *dummy = NULL;
+    PRArenaPool *arena;
+
+    if(safe == NULL) {
+	return NULL;
+    }
+
+/*    rv = sec_pkcs12_prepare_for_der_code_safe(safe, PR_TRUE);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }*/
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    tsafe = (SECItem *)PORT_ArenaZAlloc(arena, sizeof(SECItem));
+    if(tsafe != NULL) {
+	dummy = SEC_ASN1EncodeItem(arena, tsafe, safe, 
+	    SEC_PKCS12SafeContentsTemplate);
+	if(dummy != NULL) {
+	    dsafe = SECITEM_DupItem(tsafe);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_TRUE);
+
+    return dsafe;
+}
+
+/* prepare the authenicated safe for encoding and encode it.  
+ *   baggage is copied to the appropriate area, safe is encoded and
+ *   encrypted.  the version and transport mode are set on the asafe.
+ *   the whole ball of wax is then der encoded and packaged up into
+ *   data content info 
+ * safe -- container of certs and keys, is encrypted.
+ * baggage -- container of certs and keys, keys assumed to be encrypted by 
+ *    another method, certs are in the clear
+ * algorithm -- algorithm by which to encrypt safe
+ * pwitem -- password for encryption
+ * wincx - window handle
+ *
+ * return of NULL is an error condition.
+ */
+static SEC_PKCS7ContentInfo *
+sec_pkcs12_get_auth_safe(SEC_PKCS12SafeContents *safe, 
+			 SEC_PKCS12Baggage *baggage,  
+			 SECOidTag algorithm, 
+			 SECItem *pwitem,
+			 PKCS12UnicodeConvertFunction unicodeFn,
+			 void *wincx)
+{
+    SECItem *src = NULL, *dest = NULL, *psalt = NULL;
+    PRArenaPool *poolp;
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    SEC_PKCS7ContentInfo *safe_cinfo = NULL;
+    SEC_PKCS7ContentInfo *asafe_cinfo = NULL;
+    void *dummy;
+    SECStatus rv = SECSuccess;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+    
+    if(((safe != NULL) && (pwitem == NULL)) && (baggage == NULL))
+	return NULL;
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(poolp == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* prepare authenticated safe for encode */
+    asafe = sec_pkcs12_new_asafe(poolp);
+    if(asafe != NULL) {
+
+	/* set version */
+	dummy = SEC_ASN1EncodeInteger(asafe->poolp, &asafe->version,
+				      SEC_PKCS12_PFX_VERSION);
+	if(dummy == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* generate the privacy salt used to create virtual pwd */
+	psalt = sec_pkcs12_generate_salt();
+	if(psalt != NULL) {
+	    rv = SECITEM_CopyItem(asafe->poolp, &asafe->privacySalt,
+				  psalt);
+	    if(rv == SECSuccess) {
+		asafe->privacySalt.len *= 8;
+	    } 
+	    else {
+		SECITEM_ZfreeItem(psalt, PR_TRUE);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	} 
+
+	if((psalt == NULL) || (rv == SECFailure)) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* package up safe contents */
+	if(safe != NULL) 
+	{
+	    safe_cinfo = SEC_PKCS7CreateEncryptedData(algorithm, NULL, wincx);
+	    if((safe_cinfo != NULL) && (safe->safe_size > 0)) {
+		/* encode the safe and encrypt the contents of the 
+		 * content info
+		 */
+		src = sec_pkcs12_encode_safe_contents(safe);
+
+		if(src != NULL) {
+		    rv = SEC_PKCS7SetContent(safe_cinfo, (char *)src->data, src->len);
+		    SECITEM_ZfreeItem(src, PR_TRUE);
+		    if(rv == SECSuccess) {
+			SECItem *vpwd;
+			vpwd = sec_pkcs12_create_virtual_password(pwitem, psalt,
+						unicodeFn, swapUnicodeBytes);
+			if(vpwd != NULL) {
+			    rv = SEC_PKCS7EncryptContents(NULL, safe_cinfo,
+							  vpwd, wincx);
+			    SECITEM_ZfreeItem(vpwd, PR_TRUE);
+			} else {
+			    rv = SECFailure;
+			    PORT_SetError(SEC_ERROR_NO_MEMORY);
+			}
+		    } else {
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    }
+		} else {
+		    rv = SECFailure;
+		}
+	    } else if(safe->safe_size > 0) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    } else {
+	    	/* case where there is NULL content in the safe contents */
+		rv = SEC_PKCS7SetContent(safe_cinfo, NULL, 0);
+		if(rv != SECFailure) {
+		    PORT_SetError(SEC_ERROR_NO_MEMORY);
+		}
+	    }
+
+	    if(rv != SECSuccess) {
+		SEC_PKCS7DestroyContentInfo(safe_cinfo);
+		safe_cinfo = NULL;
+		goto loser;
+	    }
+
+	    asafe->safe = safe_cinfo;	
+	    /*
+	    PORT_Memcpy(&asafe->safe, safe_cinfo, sizeof(*safe_cinfo));
+	    */
+	}
+
+	/* copy the baggage to the authenticated safe baggage if present */
+	if(baggage != NULL) {
+	    PORT_Memcpy(&asafe->baggage, baggage, sizeof(*baggage));
+	}
+
+	/* encode authenticated safe and store it in a Data content info */
+	dest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem));
+	if(dest != NULL) {
+	    dummy = SEC_ASN1EncodeItem(poolp, dest, asafe, 
+				SEC_PKCS12AuthenticatedSafeTemplate);
+	    if(dummy != NULL) {
+		asafe_cinfo = SEC_PKCS7CreateData();
+		if(asafe_cinfo != NULL) {
+		    rv = SEC_PKCS7SetContent(asafe_cinfo, 
+					 	(char *)dest->data, 
+						dest->len);
+		    if(rv != SECSuccess) {
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+			SEC_PKCS7DestroyContentInfo(asafe_cinfo);
+			asafe_cinfo = NULL;
+		    }
+		}
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		rv = SECFailure;
+	    }
+	}
+    }
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    if(safe_cinfo != NULL) {
+    	SEC_PKCS7DestroyContentInfo(safe_cinfo);
+    }
+    if(psalt != NULL) {
+	SECITEM_ZfreeItem(psalt, PR_TRUE);
+    }
+
+    if(rv == SECFailure) {
+	return NULL;
+    }
+	
+    return asafe_cinfo;
+}
+
+/* generates the PFX and computes the mac on the authenticated safe 
+ * NULL implies an error
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_get_pfx(SEC_PKCS7ContentInfo *cinfo, 
+		   PRBool do_mac, 
+		   SECItem *pwitem, PKCS12UnicodeConvertFunction unicodeFn)
+{
+    SECItem *dest = NULL, *mac = NULL, *salt = NULL, *key = NULL;
+    SEC_PKCS12PFXItem *pfx;
+    SECStatus rv = SECFailure;
+    SGNDigestInfo *di;
+    SECItem *vpwd;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+
+    if((cinfo == NULL) || ((do_mac == PR_TRUE) && (pwitem == NULL))) {
+	return NULL;
+    }
+
+    /* allocate new pfx structure */
+    pfx = sec_pkcs12_new_pfx();
+    if(pfx == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    PORT_Memcpy(&pfx->authSafe, cinfo, sizeof(*cinfo));
+    if(do_mac == PR_TRUE) {
+
+    	/* salt for computing mac */
+	salt = sec_pkcs12_generate_salt();
+	if(salt != NULL) {
+	    rv = SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, salt);
+	    pfx->macData.macSalt.len *= 8;
+
+	    vpwd = sec_pkcs12_create_virtual_password(pwitem, salt,
+						unicodeFn, swapUnicodeBytes);
+	    if(vpwd == NULL) {
+		rv = SECFailure;
+		key = NULL;
+	    } else {
+		key = sec_pkcs12_generate_key_from_password(SEC_OID_SHA1,
+							salt, vpwd);
+		SECITEM_ZfreeItem(vpwd, PR_TRUE);
+	    }
+
+	    if((key != NULL) && (rv == SECSuccess)) {
+		dest = SEC_PKCS7GetContent(cinfo);
+		if(dest != NULL) {
+
+		    /* compute mac on data -- for password integrity mode */
+		    mac = sec_pkcs12_generate_mac(key, dest, PR_FALSE);
+		    if(mac != NULL) {
+			di = SGN_CreateDigestInfo(SEC_OID_SHA1, 
+			    			  mac->data, mac->len);
+			if(di != NULL) {
+			    rv = SGN_CopyDigestInfo(pfx->poolp, 
+						    &pfx->macData.safeMac, di);
+			    SGN_DestroyDigestInfo(di);
+			} else {
+			    PORT_SetError(SEC_ERROR_NO_MEMORY);
+			}
+			SECITEM_ZfreeItem(mac, PR_TRUE);
+		    }
+		} else {
+		    rv = SECFailure;
+		}
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		rv = SECFailure;
+	    }
+
+	    if(key != NULL) {
+		SECITEM_ZfreeItem(key, PR_TRUE);
+	    }
+	    SECITEM_ZfreeItem(salt, PR_TRUE);
+	}
+    }
+
+    if(rv == SECFailure) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = NULL;
+    }
+
+    return pfx;
+}
+
+/* der encode the pfx */
+static SECItem *
+sec_pkcs12_encode_pfx(SEC_PKCS12PFXItem *pfx)
+{
+    SECItem *dest;
+    void *dummy;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    dummy = SEC_ASN1EncodeItem(NULL, dest, pfx, SEC_PKCS12PFXItemTemplate);
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    return dest;
+}
+
+SECItem *
+SEC_PKCS12GetPFX(char **nicknames,
+		 CERTCertificate **ref_certs,
+		 PRBool shroud_keys, 
+		 SEC_PKCS5GetPBEPassword pbef, 
+		 void *pbearg,
+		 PKCS12UnicodeConvertFunction unicodeFn,
+		 void *wincx)
+{
+    SECItem **nicks = NULL;
+    SEC_PKCS12PFXItem *pfx = NULL;
+    SEC_PKCS12Baggage *baggage = NULL;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SEC_PKCS7ContentInfo *cinfo = NULL;
+    SECStatus rv = SECFailure;
+    SECItem *dest = NULL, *pwitem = NULL;
+    PRBool problem = PR_FALSE;
+    PRBool unencryptedCerts;
+    SECOidTag shroud_alg, safe_alg;
+
+    /* how should we encrypt certs ? */
+    unencryptedCerts = !SEC_PKCS12IsEncryptionAllowed();
+    if(!unencryptedCerts) {
+	safe_alg = SEC_PKCS12GetPreferredEncryptionAlgorithm();
+	if(safe_alg == SEC_OID_UNKNOWN) {
+	    safe_alg = SEC_PKCS12GetStrongestAllowedAlgorithm();
+	}
+	if(safe_alg == SEC_OID_UNKNOWN) {
+	    unencryptedCerts = PR_TRUE;
+	    /* for export where no encryption is allowed, we still need
+	     * to encrypt the NULL contents per the spec.  encrypted info
+	     * is known plaintext, so it shouldn't be a problem.
+	     */
+	    safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+	}
+    } else {
+	/* for export where no encryption is allowed, we still need
+	 * to encrypt the NULL contents per the spec.  encrypted info
+	 * is known plaintext, so it shouldn't be a problem.
+	 */
+	safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+    }
+
+    /* keys are always stored with triple DES */
+    shroud_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
+
+    /* check for FIPS, if so, do not encrypt certs */
+    if(PK11_IsFIPS() && !unencryptedCerts) {
+	unencryptedCerts = PR_TRUE;
+    }
+
+    if((nicknames == NULL) || (pbef == NULL) || (ref_certs == NULL)) {
+	problem = PR_TRUE;
+	goto loser;
+    }
+
+
+    /* get password */
+    pwitem = (*pbef)(pbearg);
+    if(pwitem == NULL) {
+	problem = PR_TRUE;
+	goto loser;
+    }
+    nicks = sec_pkcs12_convert_nickname_list(nicknames);
+
+    /* get safe and baggage */
+    rv = sec_pkcs12_package_certs_and_keys(nicks, ref_certs, unencryptedCerts,
+    					   &safe, &baggage, shroud_keys,
+    					   shroud_alg, pwitem, unicodeFn, wincx);
+    if(rv == SECFailure) {
+	problem = PR_TRUE;
+    }
+
+    if((safe != NULL) && (problem == PR_FALSE)) {
+	/* copy thumbprints */
+	rv = sec_pkcs12_propagate_thumbprints(nicks, ref_certs, safe, baggage);
+
+	/* package everything up into AuthenticatedSafe */
+	cinfo = sec_pkcs12_get_auth_safe(safe, baggage, 
+					 safe_alg, pwitem, unicodeFn, wincx);
+
+	sec_pkcs12_destroy_cert_content_infos(safe, baggage);
+
+	/* get the pfx and mac it */
+	if(cinfo != NULL) {
+	    pfx = sec_pkcs12_get_pfx(cinfo, PR_TRUE, pwitem, unicodeFn);
+	    if(pfx != NULL) {
+		dest = sec_pkcs12_encode_pfx(pfx);
+		SEC_PKCS12DestroyPFX(pfx);
+	    }
+	    SEC_PKCS7DestroyContentInfo(cinfo);
+	}
+
+	if(safe != NULL) {
+	    PORT_FreeArena(safe->poolp, PR_TRUE);
+	}
+    } else {
+	if(safe != NULL) {
+	    PORT_FreeArena(safe->poolp, PR_TRUE);
+	}
+    }
+
+loser:
+    if(nicks != NULL) {
+	sec_pkcs12_destroy_nickname_list(nicks);
+    }
+
+    if(ref_certs != NULL) {
+	sec_pkcs12_destroy_certificate_list(ref_certs);
+    }
+
+    if(pwitem != NULL) {
+	SECITEM_ZfreeItem(pwitem, PR_TRUE);
+    }
+
+    if(problem == PR_TRUE) {
+	dest = NULL;
+    }
+
+    return dest;
+}
diff --git a/security/nss/lib/pkcs12/p12local.c b/security/nss/lib/pkcs12/p12local.c
new file mode 100644
index 000000000..a2221504b
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -0,0 +1,1372 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nssrenam.h"
+#include "pkcs12.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "seccomon.h"
+#include "secoid.h"
+#include "sechash.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12local.h"
+#include "p12.h"
+
+#define SALT_LENGTH	16
+
+SEC_ASN1_MKSUB(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
+CK_MECHANISM_TYPE
+sec_pkcs12_algtag_to_mech(SECOidTag algtag)
+{
+    switch (algtag) {
+    case SEC_OID_MD2:
+	return CKM_MD2_HMAC;
+    case SEC_OID_MD5:
+	return CKM_MD5_HMAC;
+    case SEC_OID_SHA1:
+	return CKM_SHA_1_HMAC;
+    case SEC_OID_SHA256:
+	return CKM_SHA256_HMAC;
+    case SEC_OID_SHA384:
+	return CKM_SHA384_HMAC;
+    case SEC_OID_SHA512:
+	return CKM_SHA512_HMAC;
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+/* helper functions */
+/* returns proper bag type template based upon object type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type_old(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12SafeBag *safebag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = safebag->safeBagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&safebag->safeBagType);
+	safebag->safeBagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12KeyBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD;
+	    break;
+        case SEC_OID_PKCS12_SECRET_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12SecretBagTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12SafeBag *safebag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = safebag->safeBagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&safebag->safeBagType);
+	safebag->safeBagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    theTemplate = SEC_PKCS12PrivateKeyBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    theTemplate = SEC_PKCS12CertAndCRLBagTemplate;
+	    break;
+        case SEC_OID_PKCS12_SECRET_BAG_ID:
+	    theTemplate = SEC_PKCS12SecretBagTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+/* returns proper cert crl template based upon type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type_old(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12CertAndCRL *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
+    oiddata = certbag->BagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&certbag->BagID);
+	certbag->BagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
+	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate_OLD;
+	    break;
+	case SEC_OID_PKCS12_SDSI_CERT_BAG:
+	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12CertAndCRL *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
+    oiddata = certbag->BagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&certbag->BagID);
+	certbag->BagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
+	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate;
+	    break;
+	case SEC_OID_PKCS12_SDSI_CERT_BAG:
+	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+/* returns appropriate shroud template based on object type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12ESPVKItem *espvk;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    espvk = (SEC_PKCS12ESPVKItem*)src_or_dest;
+    oiddata = espvk->espvkTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&espvk->espvkOID);
+ 	espvk->espvkTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_PKCS8_KEY_SHROUDING:
+	   theTemplate = 
+		SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+/* generate SALT  placing it into the character array passed in.
+ * it is assumed that salt_dest is an array of appropriate size
+ * XXX We might want to generate our own random context
+ */
+SECItem *
+sec_pkcs12_generate_salt(void)
+{
+    SECItem *salt;
+
+    salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(salt == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) * 
+					      SALT_LENGTH);
+    salt->len = SALT_LENGTH;
+    if(salt->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	SECITEM_ZfreeItem(salt, PR_TRUE);
+	return NULL;
+    }
+
+    PK11_GenerateRandom(salt->data, salt->len);
+
+    return salt;
+}
+
+/* generate KEYS -- as per PKCS12 section 7.  
+ * only used for MAC
+ */
+SECItem *
+sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
+				      SECItem *salt, 
+				      SECItem *password) 
+{
+    unsigned char *pre_hash=NULL;
+    unsigned char *hash_dest=NULL;
+    SECStatus res;
+    PRArenaPool *poolp;
+    SECItem *key = NULL;
+    int key_len = 0;
+
+    if((salt == NULL) || (password == NULL)) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(poolp == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    pre_hash = (unsigned char *)PORT_ArenaZAlloc(poolp, sizeof(char) * 
+						 (salt->len+password->len));
+    if(pre_hash == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    hash_dest = (unsigned char *)PORT_ArenaZAlloc(poolp, 
+					sizeof(unsigned char) * SHA1_LENGTH);
+    if(hash_dest == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    PORT_Memcpy(pre_hash, salt->data, salt->len);
+    /* handle password of 0 length case */
+    if(password->len > 0) {
+	PORT_Memcpy(&(pre_hash[salt->len]), password->data, password->len);
+    }
+
+    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, pre_hash, 
+                       (salt->len+password->len));
+    if(res == SECFailure) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    switch(algorithm) {
+	case SEC_OID_SHA1:
+	    if(key_len == 0)
+		key_len = 16;
+	    key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	    if(key == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) 
+						     * key_len);
+	    if(key->data == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    key->len = key_len;
+	    PORT_Memcpy(key->data, &hash_dest[SHA1_LENGTH-key->len], key->len);
+	    break;
+	default:
+	    goto loser;
+	    break;
+    }
+
+    PORT_FreeArena(poolp, PR_TRUE);
+    return key;
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    if(key != NULL) {
+	SECITEM_ZfreeItem(key, PR_TRUE);
+    }
+    return NULL;
+}
+
+/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
+ * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
+ * because it is not known how long the message actually is.  String
+ * manipulation routines will not necessarily work because msg may have
+ * imbedded NULLs
+ */
+static SECItem *
+sec_pkcs12_generate_old_mac(SECItem *key, 
+			    SECItem *msg)
+{
+    SECStatus res;
+    PRArenaPool *temparena = NULL;
+    unsigned char *hash_dest=NULL, *hash_src1=NULL, *hash_src2 = NULL;
+    int i;
+    SECItem *mac = NULL;
+
+    if((key == NULL) || (msg == NULL))
+        goto loser;
+
+    /* allocate return item */
+    mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(mac == NULL)
+    	return NULL;
+    mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
+    	* SHA1_LENGTH);
+    mac->len = SHA1_LENGTH;
+    if(mac->data == NULL)
+	goto loser;
+
+    /* allocate temporary items */
+    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(temparena == NULL)
+	goto loser;
+
+    hash_src1 = (unsigned char *)PORT_ArenaZAlloc(temparena,
+    	sizeof(unsigned char) * (16+msg->len));
+    if(hash_src1 == NULL)
+        goto loser;
+
+    hash_src2 = (unsigned char *)PORT_ArenaZAlloc(temparena,
+   	sizeof(unsigned char) * (SHA1_LENGTH+16));
+    if(hash_src2 == NULL)
+        goto loser;
+
+    hash_dest = (unsigned char *)PORT_ArenaZAlloc(temparena, 
+   	sizeof(unsigned char) * SHA1_LENGTH);
+    if(hash_dest == NULL)
+        goto loser;
+
+    /* perform mac'ing as per PKCS 12 */
+
+    /* first round of hashing */
+    for(i = 0; i < 16; i++)
+	hash_src1[i] = key->data[i] ^ 0x36;
+    PORT_Memcpy(&(hash_src1[16]), msg->data, msg->len);
+    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, hash_src1, (16+msg->len));
+    if(res == SECFailure)
+	goto loser;
+
+    /* second round of hashing */
+    for(i = 0; i < 16; i++)
+	hash_src2[i] = key->data[i] ^ 0x5c;
+    PORT_Memcpy(&(hash_src2[16]), hash_dest, SHA1_LENGTH);
+    res = PK11_HashBuf(SEC_OID_SHA1, mac->data, hash_src2, SHA1_LENGTH+16);
+    if(res == SECFailure)
+	goto loser;
+
+    PORT_FreeArena(temparena, PR_TRUE);
+    return mac;
+
+loser:
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+    if(mac != NULL)
+	SECITEM_ZfreeItem(mac, PR_TRUE);
+    return NULL;
+}
+
+/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
+ * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
+ * because it is not known how long the message actually is.  String
+ * manipulation routines will not necessarily work because msg may have
+ * imbedded NULLs
+ */
+SECItem *
+sec_pkcs12_generate_mac(SECItem *key, 
+			SECItem *msg,
+			PRBool old_method)
+{
+    SECStatus res = SECFailure;
+    SECItem *mac = NULL;
+    PK11Context *pk11cx = NULL;    
+    SECItem ignore = {0};
+
+    if((key == NULL) || (msg == NULL)) {
+	return NULL;
+    }
+
+    if(old_method == PR_TRUE) {
+	return sec_pkcs12_generate_old_mac(key, msg);
+    }
+
+    /* allocate return item */
+    mac = SECITEM_AllocItem(NULL, NULL, SHA1_LENGTH);
+    if (mac == NULL) {
+	return NULL;
+    }
+
+    pk11cx = PK11_CreateContextByRawKey(NULL, CKM_SHA_1_HMAC, PK11_OriginDerive,
+                                        CKA_SIGN, key, &ignore, NULL);
+    if (pk11cx == NULL) {
+	goto loser;
+    }
+
+    res = PK11_DigestBegin(pk11cx);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestOp(pk11cx, msg->data, msg->len);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestFinal(pk11cx, mac->data, &mac->len, SHA1_LENGTH);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    PK11_DestroyContext(pk11cx, PR_TRUE);
+    pk11cx = NULL;
+
+loser:
+
+    if(res != SECSuccess) {
+	SECITEM_ZfreeItem(mac, PR_TRUE);
+	mac = NULL;
+	if (pk11cx) {
+	    PK11_DestroyContext(pk11cx, PR_TRUE);
+	}
+    }
+
+    return mac;
+}
+
+/* compute the thumbprint of the DER cert and create a digest info
+ * to store it in and return the digest info.
+ * a return of NULL indicates an error.
+ */
+SGNDigestInfo *
+sec_pkcs12_compute_thumbprint(SECItem *der_cert)
+{
+    SGNDigestInfo *thumb = NULL;
+    SECItem digest;
+    PRArenaPool *temparena = NULL;
+    SECStatus rv = SECFailure;
+
+    if(der_cert == NULL)
+	return NULL;
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(temparena == NULL) {
+	return NULL;
+    }
+
+    digest.data = (unsigned char *)PORT_ArenaZAlloc(temparena,
+						    sizeof(unsigned char) * 
+						    SHA1_LENGTH);
+    /* digest data and create digest info */
+    if(digest.data != NULL) {
+	digest.len = SHA1_LENGTH;
+	rv = PK11_HashBuf(SEC_OID_SHA1, digest.data, der_cert->data, 
+	                  der_cert->len);
+	if(rv == SECSuccess) {
+	    thumb = SGN_CreateDigestInfo(SEC_OID_SHA1, 
+					 digest.data, 
+					 digest.len);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(temparena, PR_TRUE);
+
+    return thumb;
+}
+
+/* create a virtual password per PKCS 12, the password is converted
+ * to unicode, the salt is prepended to it, and then the whole thing
+ * is returned */
+SECItem *
+sec_pkcs12_create_virtual_password(SECItem *password, SECItem *salt,
+				   PRBool swap)
+{
+    SECItem uniPwd = {siBuffer, NULL,0}, *retPwd = NULL;
+
+    if((password == NULL) || (salt == NULL)) {
+	return NULL;
+    }
+
+    if(password->len == 0) {
+	uniPwd.data = (unsigned char*)PORT_ZAlloc(2);
+	uniPwd.len = 2;
+	if(!uniPwd.data) {
+	    return NULL;
+	}
+    } else {
+	uniPwd.data = (unsigned char*)PORT_ZAlloc(password->len * 3);
+	uniPwd.len = password->len * 3;
+	if(!PORT_UCS2_ASCIIConversion(PR_TRUE, password->data, password->len,
+				uniPwd.data, uniPwd.len, &uniPwd.len, swap)) {
+	    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+	    return NULL;
+	}
+    }
+
+    retPwd = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(retPwd == NULL) {
+	goto loser;
+    }
+
+    /* allocate space and copy proper data */
+    retPwd->len = uniPwd.len + salt->len;
+    retPwd->data = (unsigned char *)PORT_Alloc(retPwd->len);
+    if(retPwd->data == NULL) {
+	PORT_Free(retPwd);
+	goto loser;
+    }
+
+    PORT_Memcpy(retPwd->data, salt->data, salt->len);
+    PORT_Memcpy((retPwd->data + salt->len), uniPwd.data, uniPwd.len);
+
+    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+
+    return retPwd;
+
+loser:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+    return NULL;
+}
+
+/* appends a shrouded key to a key bag.  this is used for exporting
+ * to store externally wrapped keys.  it is used when importing to convert
+ * old items to new
+ */
+SECStatus 
+sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
+				SEC_PKCS12ESPVKItem *espvk)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (espvk == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    /* grow the list */
+    size = (bag->nEspvks + 1) * sizeof(SEC_PKCS12ESPVKItem *);
+    dummy = (SEC_PKCS12ESPVKItem **)PORT_ArenaGrow(bag->poolp,
+	    				bag->espvks, size, 
+	    				size + sizeof(SEC_PKCS12ESPVKItem *));
+    bag->espvks = (SEC_PKCS12ESPVKItem**)dummy;
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->espvks[bag->nEspvks] = espvk;
+    bag->nEspvks++;
+    bag->espvks[bag->nEspvks] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* search a certificate list for a nickname, a thumbprint, or both
+ * within a certificate bag.  if the certificate could not be
+ * found or an error occurs, NULL is returned;
+ */
+static SEC_PKCS12CertAndCRL *
+sec_pkcs12_find_cert_in_certbag(SEC_PKCS12CertAndCRLBag *certbag,
+				SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
+    int i, j;
+
+    if((certbag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }
+
+    if(thumbprint && nickname) {
+	search_both = PR_TRUE;
+    }
+
+    if(nickname) {
+	search_nickname = PR_TRUE;
+    }
+
+search_again:  
+    i = 0;
+    while(certbag->certAndCRLs[i] != NULL) {
+	SEC_PKCS12CertAndCRL *cert = certbag->certAndCRLs[i];
+
+	if(SECOID_FindOIDTag(&cert->BagID) == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
+
+	    /* check nicknames */
+	    if(search_nickname) {
+		if(SECITEM_CompareItem(nickname, &cert->nickname) == SECEqual) {
+		    return cert;
+		}
+	    } else {
+	    /* check thumbprints */
+		SECItem **derCertList;
+
+		/* get pointer to certificate list, does not need to
+		 * be freed since it is within the arena which will
+		 * be freed later.
+		 */
+		derCertList = SEC_PKCS7GetCertificateList(&cert->value.x509->certOrCRL);
+		j = 0;
+		if(derCertList != NULL) {
+		    while(derCertList[j] != NULL) {
+			SECComparison eq;
+			SGNDigestInfo *di;
+			di = sec_pkcs12_compute_thumbprint(derCertList[j]);
+			if(di) {
+			    eq = SGN_CompareDigestInfo(thumbprint, di);
+			    SGN_DestroyDigestInfo(di);
+			    if(eq == SECEqual) {
+				/* copy the derCert for later reference */
+				cert->value.x509->derLeafCert = derCertList[j];
+				return cert;
+			    }
+			} else {
+			    /* an error occurred */
+			    return NULL;
+			}
+			j++;
+		    }
+		}
+	    }
+	}
+
+	i++;
+    }
+
+    if(search_both) {
+	search_both = PR_FALSE;
+	search_nickname = PR_FALSE;
+	goto search_again;
+    }
+
+    return NULL;
+}
+
+/* search a key list for a nickname, a thumbprint, or both
+ * within a key bag.  if the key could not be
+ * found or an error occurs, NULL is returned;
+ */
+static SEC_PKCS12PrivateKey *
+sec_pkcs12_find_key_in_keybag(SEC_PKCS12PrivateKeyBag *keybag,
+			      SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
+    int i, j;
+
+    if((keybag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }
+
+    if(keybag->privateKeys == NULL) {
+	return NULL;
+    }
+
+    if(thumbprint && nickname) {
+	search_both = PR_TRUE;
+    }
+
+    if(nickname) {
+	search_nickname = PR_TRUE;
+    }
+
+search_again:  
+    i = 0;
+    while(keybag->privateKeys[i] != NULL) {
+	SEC_PKCS12PrivateKey *key = keybag->privateKeys[i];
+
+	/* check nicknames */
+	if(search_nickname) {
+	    if(SECITEM_CompareItem(nickname, &key->pvkData.nickname) == SECEqual) {
+		return key;
+	    }
+	} else {
+	    /* check digests */
+	    SGNDigestInfo **assocCerts = key->pvkData.assocCerts;
+	    if((assocCerts == NULL) || (assocCerts[0] == NULL)) {
+		return NULL;
+	    }
+
+	    j = 0;
+	    while(assocCerts[j] != NULL) {
+		SECComparison eq;
+		eq = SGN_CompareDigestInfo(thumbprint, assocCerts[j]);
+		if(eq == SECEqual) {
+		    return key;
+		}
+		j++;
+	    }
+	}
+	i++;
+    }
+
+    if(search_both) {
+	search_both = PR_FALSE;
+	search_nickname = PR_FALSE;
+	goto search_again;
+    }
+
+    return NULL;
+}
+
+/* seach the safe first then try the baggage bag 
+ *  safe and bag contain certs and keys to search
+ *  objType is the object type to look for
+ *  bagType is the type of bag that was found by sec_pkcs12_find_object
+ *  index is the entity in safe->safeContents or bag->unencSecrets which
+ *    is being searched
+ *  nickname and thumbprint are the search criteria
+ * 
+ * a return of null indicates no match
+ */
+static void *
+sec_pkcs12_try_find(SEC_PKCS12SafeContents *safe,
+		  SEC_PKCS12BaggageItem *bag,
+		  SECOidTag objType, SECOidTag bagType, int index,
+		  SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool searchSafe;
+    int i = index;
+
+    if((safe == NULL) && (bag == NULL)) {
+	return NULL;
+    }
+
+    searchSafe = (safe == NULL ? PR_FALSE : PR_TRUE);
+    switch(objType) {
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    if(objType == bagType) {
+		SEC_PKCS12CertAndCRLBag *certBag;
+
+		if(searchSafe) {
+		    certBag = safe->contents[i]->safeContent.certAndCRLBag;
+		} else {
+		    certBag = bag->unencSecrets[i]->safeContent.certAndCRLBag;
+		}
+		return sec_pkcs12_find_cert_in_certbag(certBag, nickname, 
+							thumbprint);
+	    }
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    if(objType == bagType) {
+		SEC_PKCS12PrivateKeyBag *keyBag;
+
+		if(searchSafe) {
+		    keyBag = safe->contents[i]->safeContent.keyBag;
+		} else {
+		    keyBag = bag->unencSecrets[i]->safeContent.keyBag;
+		}
+		return sec_pkcs12_find_key_in_keybag(keyBag, nickname, 
+							 thumbprint);
+	    }
+	    break;
+	default:
+	    break;
+    }
+
+    return NULL;
+}
+
+/* searches both the baggage and the safe areas looking for
+ * object of specified type matching either the nickname or the 
+ * thumbprint specified.
+ *
+ * safe and baggage store certs and keys
+ * objType is the OID for the bag type to be searched:
+ *   SEC_OID_PKCS12_KEY_BAG_ID, or 
+ *   SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
+ * nickname and thumbprint are the search criteria
+ * 
+ * if no match found, NULL returned and error set
+ */
+void *
+sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
+			SEC_PKCS12Baggage *baggage,
+			SECOidTag objType,
+			SECItem *nickname,
+			SGNDigestInfo *thumbprint)
+{
+    int i, j;
+    void *retItem;
+   
+    if(((safe == NULL) && (thumbprint == NULL)) ||
+       ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }    
+
+    i = 0;
+    if((safe != NULL) && (safe->contents != NULL)) {
+	while(safe->contents[i] != NULL) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
+	    retItem = sec_pkcs12_try_find(safe, NULL, objType, bagType, i,
+	    				  nickname, thumbprint);
+	    if(retItem != NULL) {
+		return retItem;
+	    }
+	    i++;
+	}
+    }
+
+    if((baggage != NULL) && (baggage->bags != NULL)) {
+	i = 0;
+	while(baggage->bags[i] != NULL) {
+	    SEC_PKCS12BaggageItem *xbag = baggage->bags[i];
+	    j = 0;
+	    if(xbag->unencSecrets != NULL) {
+		while(xbag->unencSecrets[j] != NULL) {
+		    SECOidTag bagType;
+		    bagType = SECOID_FindOIDTag(&xbag->unencSecrets[j]->safeBagType);
+		    retItem = sec_pkcs12_try_find(NULL, xbag, objType, bagType,
+		    				  j, nickname, thumbprint);
+		    if(retItem != NULL) {
+			return retItem;
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+
+    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
+    return NULL;
+}
+
+/* this function converts a password to unicode and encures that the 
+ * required double 0 byte be placed at the end of the string
+ */
+PRBool
+sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
+				   SECItem *src, PRBool zeroTerm,
+				   PRBool asciiConvert, PRBool toUnicode)
+{
+    PRBool success = PR_FALSE;
+    if(!src || !dest) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return PR_FALSE;
+    }
+
+    dest->len = src->len * 3 + 2;
+    if(arena) {
+	dest->data = (unsigned char*)PORT_ArenaZAlloc(arena, dest->len);
+    } else {
+	dest->data = (unsigned char*)PORT_ZAlloc(dest->len);
+    }
+
+    if(!dest->data) {
+	dest->len = 0;
+	return PR_FALSE;
+    }
+
+    if(!asciiConvert) {
+	success = PORT_UCS2_UTF8Conversion(toUnicode, src->data, src->len, dest->data,
+					   dest->len, &dest->len);
+    } else {
+#ifndef IS_LITTLE_ENDIAN
+	PRBool swapUnicode = PR_FALSE;
+#else
+	PRBool swapUnicode = PR_TRUE;
+#endif
+	success = PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len, dest->data,
+					    dest->len, &dest->len, swapUnicode);
+    }
+
+    if(!success) {
+	if(!arena) {
+	    PORT_Free(dest->data);
+	    dest->data = NULL;
+	    dest->len = 0;
+	}
+	return PR_FALSE;
+    }
+
+    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
+	if(dest->len + 2 > 3 * src->len) {
+	    if(arena) {
+		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
+						     dest->data, dest->len,
+						     dest->len + 2);
+	    } else {
+		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
+							  dest->len + 2);
+	    }
+
+	    if(!dest->data) {
+		return PR_FALSE;
+	    }
+	}
+	dest->len += 2;
+	dest->data[dest->len-1] = dest->data[dest->len-2] = 0;
+    }
+
+    return PR_TRUE;
+}
+
+/* pkcs 12 templates */
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
+    sec_pkcs12_choose_shroud_type;
+
+const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12SafeBag, derSafeContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12CertAndCRL, derValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CodedCertBagTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
+	SEC_PKCS12PVKSupportingDataTemplate_OLD },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
+	&sec_pkcs12_shroud_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
+	SEC_PKCS12PVKSupportingDataTemplate },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
+	&sec_pkcs12_shroud_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKAdditionalDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKAdditionalData) },
+    { SEC_ASN1_OBJECT_ID, 
+	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalType) },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
+	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
+    { SEC_ASN1_PRINTABLE_STRING, 
+	offsetof(SEC_PKCS12PVKSupportingData, nickname) },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
+	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
+    { SEC_ASN1_BMP_STRING, 
+	offsetof(SEC_PKCS12PVKSupportingData, uniNickName) },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageItemTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12BaggageItem) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, espvks),
+	SEC_PKCS12ESPVKItemTemplate },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
+	SEC_PKCS12SafeBagTemplate },
+    /*{ SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
+	SEC_PKCS12CodedSafeBagTemplate }, */
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage, bags),
+	SEC_PKCS12BaggageItemTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage_OLD, espvks),
+	SEC_PKCS12ESPVKItemTemplate_OLD },
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser =
+	sec_pkcs12_choose_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser_old =
+	sec_pkcs12_choose_bag_type_old;
+
+const SEC_ASN1Template SEC_PKCS12SafeBagTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(SEC_PKCS12SafeBag, safeContent),
+	&sec_pkcs12_bag_chooser_old },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER,
+        offsetof(SEC_PKCS12SafeBag, safeContent),
+	&sec_pkcs12_bag_chooser },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BMP_STRING,
+	offsetof(SEC_PKCS12SafeBag, uniSafeBagName) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[] =
+{
+    { SEC_ASN1_SET_OF,
+	offsetof(SEC_PKCS12SafeContents, contents),
+	SEC_PKCS12SafeBagTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[] =
+{
+    { SEC_ASN1_SET_OF,
+	offsetof(SEC_PKCS12SafeContents, contents),
+	SEC_PKCS12SafeBagTemplate }  /* here */
+};
+
+const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKey) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pvkData),
+	SEC_PKCS12PVKSupportingDataTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
+        offsetof(SEC_PKCS12PrivateKey, pkcs8data),
+	SEC_ASN1_SUB(SECKEY_PrivateKeyInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKeyBag) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PrivateKeyBag, privateKeys),
+	SEC_PKCS12PrivateKeyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
+	sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12X509CertCRL, thumbprint),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_IA5_STRING, offsetof(SEC_PKCS12SDSICert, value) },
+    { 0 }
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser_old =
+	sec_pkcs12_choose_cert_crl_type_old;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser =
+	sec_pkcs12_choose_cert_crl_type;
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof(SEC_PKCS12CertAndCRL, value),
+	&sec_pkcs12_cert_crl_chooser_old },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12CertAndCRL, value),
+	&sec_pkcs12_cert_crl_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CertAndCRLTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRLBag) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CertAndCRLTemplate_OLD },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SecretAdditional) },
+    { SEC_ASN1_OBJECT_ID,
+	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalType) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT,
+	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
+    { SEC_ASN1_BMP_STRING, offsetof(SEC_PKCS12Secret, uniSecretName) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12Secret, value) },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12Secret, secretAdditional),
+	SEC_PKCS12SecretAdditionalTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
+    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(SEC_PKCS12SecretItem, secret), SEC_PKCS12SecretTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(SEC_PKCS12SecretItem, subFolder), SEC_PKCS12SafeBagTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12SecretBag, secrets),
+	SEC_PKCS12SecretItemTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12MacDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(SEC_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_BIT_STRING, offsetof(SEC_PKCS12MacData, macSalt) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12PFXItem, macData), SEC_PKCS12MacDataTemplate },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(SEC_PKCS12PFXItem, authSafe), 
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+	offsetof(SEC_PKCS12PFXItem, old_safeMac), 
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
+	offsetof(SEC_PKCS12PFXItem, old_macSalt) },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(SEC_PKCS12PFXItem, authSafe), 
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OBJECT_ID,
+	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SET_OF, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, baggage.bags), 
+	SEC_PKCS12BaggageItemTemplate },
+    { SEC_ASN1_POINTER,
+	offsetof(SEC_PKCS12AuthenticatedSafe, safe),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+    	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, old_baggage), 
+	SEC_PKCS12BaggageTemplate_OLD },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(SEC_PKCS12AuthenticatedSafe, old_safe),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12PrivateKeyBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12SecretBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12SDSICertTemplate }
+};
+
+
diff --git a/security/nss/lib/pkcs12/p12local.h b/security/nss/lib/pkcs12/p12local.h
new file mode 100644
index 000000000..0c4bd594d
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12local.h
@@ -0,0 +1,91 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _P12LOCAL_H_
+#define _P12LOCAL_H_
+
+#include "plarena.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+#include "secpkcs7.h"
+#include "pkcs12.h"
+#include "p12.h"
+
+/* helper functions */
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding);
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding);
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding);
+extern SECItem *sec_pkcs12_generate_salt(void);
+extern SECItem *sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
+	SECItem *salt, SECItem *password);
+extern SECItem *sec_pkcs12_generate_mac(SECItem *key, SECItem *msg, 
+					PRBool old_method);
+extern SGNDigestInfo *sec_pkcs12_compute_thumbprint(SECItem *der_cert);
+extern SECItem *sec_pkcs12_create_virtual_password(SECItem *password, 
+			SECItem *salt, PRBool swapUnicodeBytes);
+extern SECStatus sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
+						 SEC_PKCS12ESPVKItem *espvk);
+extern void *sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
+				SEC_PKCS12Baggage *baggage, SECOidTag objType,
+				SECItem *nickname, SGNDigestInfo *thumbprint);
+extern PRBool sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
+						 SECItem *src, PRBool zeroTerm,
+						 PRBool asciiConvert, PRBool toUnicode);
+extern CK_MECHANISM_TYPE sec_pkcs12_algtag_to_mech(SECOidTag algtag);
+
+/* create functions */
+extern SEC_PKCS12PFXItem *sec_pkcs12_new_pfx(void);
+extern SEC_PKCS12SafeContents *sec_pkcs12_create_safe_contents(
+	PRArenaPool *poolp);
+extern SEC_PKCS12Baggage *sec_pkcs12_create_baggage(PRArenaPool *poolp);
+extern SEC_PKCS12BaggageItem *sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage);
+extern void SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx);
+extern SEC_PKCS12AuthenticatedSafe *sec_pkcs12_new_asafe(PRArenaPool *poolp);
+
+/* conversion from old to new */
+extern SEC_PKCS12DecoderContext *
+sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
+			      PRBool swapUnicode, SECItem *pwitem,
+			      void *wincx, SEC_PKCS12SafeContents *safe,
+			      SEC_PKCS12Baggage *baggage);
+	
+#endif
diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c
new file mode 100644
index 000000000..ac96300e4
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12plcy.c
@@ -0,0 +1,157 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "p12plcy.h"
+#include "secoid.h"
+#include "secport.h"
+#include "secpkcs5.h" 
+
+#define PKCS12_NULL  0x0000
+
+typedef struct pkcs12SuiteMapStr {
+    SECOidTag		algTag;
+    unsigned int	keyLengthBits;	/* in bits */
+    unsigned long	suite;
+    PRBool 		allowed;
+    PRBool		preferred;
+} pkcs12SuiteMap;
+
+static pkcs12SuiteMap pkcs12SuiteMaps[] = {
+    { SEC_OID_RC4,		40,	PKCS12_RC4_40,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_RC4,	       128,	PKCS12_RC4_128,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_RC2_CBC,		40,	PKCS12_RC2_CBC_40,	PR_FALSE,	PR_TRUE},
+    { SEC_OID_RC2_CBC,	       128,	PKCS12_RC2_CBC_128,	PR_FALSE,	PR_FALSE},
+    { SEC_OID_DES_CBC,		64,	PKCS12_DES_56,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_DES_EDE3_CBC,    192,	PKCS12_DES_EDE3_168,	PR_FALSE,	PR_FALSE},
+    { SEC_OID_UNKNOWN,		 0,	PKCS12_NULL,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_UNKNOWN,		 0,	0L,			PR_FALSE,	PR_FALSE}
+};
+
+/* determine if algid is an algorithm which is allowed */
+PRBool 
+SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid)
+{
+    unsigned int keyLengthBits;
+    SECOidTag algId;
+    int i;
+   
+    algId = SEC_PKCS5GetCryptoAlgorithm(algid);
+    if(algId == SEC_OID_UNKNOWN) {
+	return PR_FALSE;
+    }
+    
+    keyLengthBits = (unsigned int)(SEC_PKCS5GetKeyLength(algid) * 8);
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if((pkcs12SuiteMaps[i].algTag == algId) && 
+	   (pkcs12SuiteMaps[i].keyLengthBits == keyLengthBits)) {
+
+	    return pkcs12SuiteMaps[i].allowed;
+	}
+	i++;
+    }
+
+    return PR_FALSE;
+}
+
+/* is any encryption allowed? */
+PRBool
+SEC_PKCS12IsEncryptionAllowed(void)
+{
+    int i;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if(pkcs12SuiteMaps[i].allowed == PR_TRUE) {
+	    return PR_TRUE;
+	} 
+	i++;
+    }
+
+    return PR_FALSE;
+}
+
+
+SECStatus
+SEC_PKCS12EnableCipher(long which, int on) 
+{
+    int i;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].suite != 0L) {
+	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
+	    if(on) {
+		pkcs12SuiteMaps[i].allowed = PR_TRUE;
+	    } else {
+		pkcs12SuiteMaps[i].allowed = PR_FALSE;
+	    }
+	    return SECSuccess;
+	}
+	i++;
+    }
+
+    return SECFailure;
+}
+
+SECStatus
+SEC_PKCS12SetPreferredCipher(long which, int on)
+{
+    int i;
+    PRBool turnedOff = PR_FALSE;
+    PRBool turnedOn = PR_FALSE;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].suite != 0L) {
+	if(pkcs12SuiteMaps[i].preferred == PR_TRUE) {
+	    pkcs12SuiteMaps[i].preferred = PR_FALSE;
+	    turnedOff = PR_TRUE;
+	}
+	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
+	    pkcs12SuiteMaps[i].preferred = PR_TRUE;
+	    turnedOn = PR_TRUE;
+	}
+	i++;
+    }
+
+    if((turnedOn) && (turnedOff)) {
+	return SECSuccess;
+    }
+
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/pkcs12/p12plcy.h b/security/nss/lib/pkcs12/p12plcy.h
new file mode 100644
index 000000000..054eecfdc
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12plcy.h
@@ -0,0 +1,57 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _P12PLCY_H_
+#define _P12PLCY_H_
+
+#include "secoid.h"
+#include "ciferfam.h"
+
+SEC_BEGIN_PROTOS
+
+/* for the algid specified, can we decrypt it ? */
+extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid);
+
+/* is encryption allowed? */
+extern PRBool SEC_PKCS12IsEncryptionAllowed(void);
+
+/* enable a cipher for encryption/decryption */
+extern SECStatus SEC_PKCS12EnableCipher(long which, int on);
+
+/* return the preferred cipher for encryption */
+extern SECStatus SEC_PKCS12SetPreferredCipher(long which, int on);
+
+SEC_END_PROTOS
+#endif
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
new file mode 100644
index 000000000..3d16b61c5
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12t.h
@@ -0,0 +1,187 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _P12T_H_
+#define _P12T_H_
+
+#include "secoid.h"
+#include "key.h"
+#include "pkcs11.h"
+#include "secpkcs7.h"
+#include "secdig.h"	/* for SGNDigestInfo */
+#include "pkcs12t.h"
+
+#define SEC_PKCS12_VERSION	3
+
+/* structure declarations */
+typedef struct sec_PKCS12PFXItemStr sec_PKCS12PFXItem;
+typedef struct sec_PKCS12MacDataStr sec_PKCS12MacData;
+typedef struct sec_PKCS12AuthenticatedSafeStr sec_PKCS12AuthenticatedSafe;
+typedef struct sec_PKCS12SafeContentsStr sec_PKCS12SafeContents;
+typedef struct sec_PKCS12SafeBagStr sec_PKCS12SafeBag;
+typedef struct sec_PKCS12PKCS8ShroudedKeyBagStr sec_PKCS12PKCS8ShroudedKeyBag;
+typedef struct sec_PKCS12CertBagStr sec_PKCS12CertBag;
+typedef struct sec_PKCS12CRLBagStr sec_PKCS12CRLBag;
+typedef struct sec_PKCS12SecretBag sec_PKCS12SecretBag;
+typedef struct sec_PKCS12AttributeStr sec_PKCS12Attribute;
+
+struct sec_PKCS12CertBagStr {
+    /* what type of cert is stored? */
+    SECItem bagID;
+
+    /* certificate information */
+    union {
+	SECItem x509Cert;
+	SECItem SDSICert;
+    } value;
+};
+
+struct sec_PKCS12CRLBagStr {
+    /* what type of cert is stored? */
+    SECItem bagID;
+
+    /* certificate information */
+    union {
+	SECItem x509CRL;
+    } value;
+};
+
+struct sec_PKCS12SecretBag {
+    /* what type of secret? */
+    SECItem secretType;
+
+    /* secret information.  ssshhhh be vewy vewy quiet. */
+    SECItem secretContent;
+};
+
+struct sec_PKCS12AttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+
+struct sec_PKCS12SafeBagStr {
+
+    /* What type of bag are we using? */
+    SECItem safeBagType;
+
+    /* Dependent upon the type of bag being used. */
+    union {
+	SECKEYPrivateKeyInfo *pkcs8KeyBag;
+	SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+	sec_PKCS12CertBag *certBag;
+	sec_PKCS12CRLBag *crlBag;
+	sec_PKCS12SecretBag *secretBag;
+	sec_PKCS12SafeContents *safeContents;
+    } safeBagContent;
+
+    sec_PKCS12Attribute **attribs;
+
+    /* used locally */
+    SECOidData *bagTypeTag;
+    PLArenaPool *arena;
+    unsigned int nAttribs;
+
+    /* used for validation/importing */
+    PRBool problem, noInstall, validated, hasKey, unused, installed;
+    int error;
+
+    PRBool swapUnicodeBytes;
+    PK11SlotInfo *slot;
+    SECItem *pwitem;
+    PRBool oldBagType;
+    SECPKCS12TargetTokenCAs tokenCAs;
+};
+    
+struct sec_PKCS12SafeContentsStr {
+    sec_PKCS12SafeBag **safeBags;
+    SECItem **encodedSafeBags;
+    
+    /* used locally */
+    PLArenaPool *arena;
+    unsigned int bagCount;
+};
+
+struct sec_PKCS12MacDataStr {
+    SGNDigestInfo safeMac;
+    SECItem macSalt;
+    SECItem iter;
+};
+
+struct sec_PKCS12PFXItemStr {
+
+    SECItem version;
+
+    /* Content type will either be Data (password integrity mode)
+     * or signedData (public-key integrity mode)
+     */
+    SEC_PKCS7ContentInfo *authSafe;
+    SECItem encodedAuthSafe;
+
+    /* Only present in password integrity mode */
+    sec_PKCS12MacData macData;
+    SECItem encodedMacData;
+};
+
+struct sec_PKCS12AuthenticatedSafeStr {
+    /* Content type will either be encryptedData (password privacy mode)
+     * or envelopedData (public-key privacy mode)
+     */
+    SEC_PKCS7ContentInfo **safes;
+    SECItem **encodedSafes;
+
+    /* used locally */
+    unsigned int safeCount;
+    SECItem dummySafe;
+};
+
+extern const SEC_ASN1Template sec_PKCS12PFXItemTemplate[];
+extern const SEC_ASN1Template sec_PKCS12MacDataTemplate[];
+extern const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12CertBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12CRLBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[];
+extern const SEC_ASN1Template sec_PKCS12AttributeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeBagTemplate[];
+
+#endif
diff --git a/security/nss/lib/pkcs12/p12tmpl.c b/security/nss/lib/pkcs12/p12tmpl.c
new file mode 100644
index 000000000..9b0f3ddba
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12tmpl.c
@@ -0,0 +1,323 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "p12t.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12SafeBag *safeBag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safeBag = (sec_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&safeBag->safeBagType);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToCertBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToCRLBagTemplate;
+	    break;
+        case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToSecretBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    theTemplate = 
+	        SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    if(encoding) {
+		theTemplate = sec_PKCS12PointerToSafeContentsTemplate;
+	    } else {
+		theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    }
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_crl_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12CRLBag *crlbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    crlbag = (sec_PKCS12CRLBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&crlbag->bagID);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_X509_CRL:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_cert_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12CertBag *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (sec_PKCS12CertBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&certbag->bagID);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_X509_CERT:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_SDSI_CERT:
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_attr_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12Attribute *attr;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    attr = (sec_PKCS12Attribute*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&attr->attrType);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_FRIENDLY_NAME:
+	    theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_LOCAL_KEY_ID:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_USAGE:
+	    theTemplate = SEC_ASN1_GET(SEC_BitStringTemplate);
+	    break;
+    }
+
+    return theTemplate;
+}
+
+
+const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, sec_PKCS7ContentInfoTemplate }
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_crl_bag_chooser =
+    sec_pkcs12_choose_crl_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_bag_chooser =
+    sec_pkcs12_choose_cert_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_safe_bag_chooser =
+    sec_pkcs12_choose_safe_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_attr_chooser =
+    sec_pkcs12_choose_attr_type;
+
+const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12CertBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12CRLBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12SecretBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12SafeContentsTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PFXItemTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
+	sizeof(sec_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(sec_PKCS12PFXItem, version) },
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 
+	offsetof(sec_PKCS12PFXItem, encodedAuthSafe) },
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM,
+	offsetof(sec_PKCS12PFXItem, encodedMacData) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12MacDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12MacData) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(sec_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(sec_PKCS12MacData, macSalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, offsetof(sec_PKCS12MacData, iter) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
+	offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), 
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
+	sizeof(sec_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED |
+	SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(sec_PKCS12SafeBag, safeBagContent), 
+	&sec_pkcs12_safe_bag_chooser },
+    { SEC_ASN1_SET_OF | SEC_ASN1_OPTIONAL, offsetof(sec_PKCS12SafeBag, attribs),
+	sec_PKCS12AttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 
+	offsetof(sec_PKCS12SafeContents, safeBags),
+	sec_PKCS12SafeBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12SequenceOfAnyTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 0,
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
+	sec_PKCS12SequenceOfAnyTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
+	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12CRLBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CRLBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CRLBag, bagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER, 
+	offsetof(sec_PKCS12CRLBag, value), &sec_pkcs12_crl_bag_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12CertBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CertBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CertBag, bagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(sec_PKCS12CertBag, value), &sec_pkcs12_cert_bag_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12SecretBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12SecretBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SecretBag, secretType) },
+    { SEC_ASN1_ANY, offsetof(sec_PKCS12SecretBag, secretContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12Attribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12Attribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_DYNAMIC, 
+	offsetof(sec_PKCS12Attribute, attrValue),
+	&sec_pkcs12_attr_chooser },
+    { 0 }
+};
diff --git a/security/nss/lib/pkcs12/pkcs12.h b/security/nss/lib/pkcs12/pkcs12.h
new file mode 100644
index 000000000..e84a69f6b
--- /dev/null
+++ b/security/nss/lib/pkcs12/pkcs12.h
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#ifndef _PKCS12_H_
+#define _PKCS12_H_
+
+#include "pkcs12t.h"
+#include "p12.h"
+
+SEC_BEGIN_PROTOS
+
+typedef SECItem * (* SEC_PKCS12GetPassword)(void *arg);
+
+/* Decode functions */
+/* Import a PFX item.  
+ *	der_pfx is the der-encoded pfx item to import.
+ *	pbef, and pbefarg are used to retrieve passwords for the HMAC,
+ *	    and any passwords needed for passing to PKCS5 encryption 
+ *	    routines.
+ *	algorithm is the algorithm by which private keys are stored in
+ *	    the key database.  this could be a specific algorithm or could
+ *	    be based on a global setting.
+ *	slot is the slot to where the certificates will be placed.  if NULL,
+ *	    the internal key slot is used.
+ * If the process is successful, a SECSuccess is returned, otherwise
+ * a failure occurred.
+ */ 
+SECStatus
+SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
+		 SEC_PKCS12NicknameCollisionCallback ncCall,
+		 PK11SlotInfo *slot, void *wincx);
+
+/* check the first two bytes of a file to make sure that it matches
+ * the desired header for a PKCS 12 file
+ */
+PRBool SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
new file mode 100644
index 000000000..98d84d123
--- /dev/null
+++ b/security/nss/lib/pkcs12/pkcs12t.h
@@ -0,0 +1,398 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PKCS12T_H_
+#define _PKCS12T_H_
+
+#include "seccomon.h"
+#include "secoid.h"
+#include "cert.h"
+#include "key.h"
+#include "plarena.h"
+#include "secpkcs7.h"
+#include "secdig.h"	/* for SGNDigestInfo */
+
+typedef enum {
+  SECPKCS12TargetTokenNoCAs,		/* CA get loaded intothe fixed token,
+					 * User certs go to target token */
+  SECPKCS12TargetTokenIntermediateCAs,  /* User certs and intermediates go to
+					 * target token, root certs got to
+					 * fixed token */
+  SECPKCS12TargetTokenAllCAs		/* All certs go to target token */
+} SECPKCS12TargetTokenCAs;
+
+/* PKCS12 Structures */
+typedef struct SEC_PKCS12PFXItemStr SEC_PKCS12PFXItem;
+typedef struct SEC_PKCS12MacDataStr SEC_PKCS12MacData;
+typedef struct SEC_PKCS12AuthenticatedSafeStr SEC_PKCS12AuthenticatedSafe;
+typedef struct SEC_PKCS12BaggageItemStr SEC_PKCS12BaggageItem;
+typedef struct SEC_PKCS12BaggageStr SEC_PKCS12Baggage;
+typedef struct SEC_PKCS12Baggage_OLDStr SEC_PKCS12Baggage_OLD;
+typedef struct SEC_PKCS12ESPVKItemStr SEC_PKCS12ESPVKItem;
+typedef struct SEC_PKCS12PVKSupportingDataStr SEC_PKCS12PVKSupportingData;
+typedef struct SEC_PKCS12PVKAdditionalDataStr SEC_PKCS12PVKAdditionalData;
+typedef struct SEC_PKCS12SafeContentsStr SEC_PKCS12SafeContents;
+typedef struct SEC_PKCS12SafeBagStr SEC_PKCS12SafeBag;
+typedef struct SEC_PKCS12PrivateKeyStr SEC_PKCS12PrivateKey;
+typedef struct SEC_PKCS12PrivateKeyBagStr SEC_PKCS12PrivateKeyBag;
+typedef struct SEC_PKCS12CertAndCRLBagStr SEC_PKCS12CertAndCRLBag;
+typedef struct SEC_PKCS12CertAndCRLStr SEC_PKCS12CertAndCRL;
+typedef struct SEC_PKCS12X509CertCRLStr SEC_PKCS12X509CertCRL;
+typedef struct SEC_PKCS12SDSICertStr SEC_PKCS12SDSICert;
+typedef struct SEC_PKCS12SecretStr SEC_PKCS12Secret;
+typedef struct SEC_PKCS12SecretAdditionalStr SEC_PKCS12SecretAdditional;
+typedef struct SEC_PKCS12SecretItemStr SEC_PKCS12SecretItem;
+typedef struct SEC_PKCS12SecretBagStr SEC_PKCS12SecretBag;
+
+typedef SECItem *(* SEC_PKCS12PasswordFunc)(SECItem *args);
+
+/* PKCS12 types */
+
+/* stores shrouded keys */
+struct SEC_PKCS12BaggageStr
+{
+    PLArenaPool     *poolp;
+    SEC_PKCS12BaggageItem **bags;
+
+    int luggage_size;		/* used locally */
+};
+
+/* additional data to be associated with keys.	currently there
+ * is nothing defined to be stored here.  allows future expansion.
+ */
+struct SEC_PKCS12PVKAdditionalDataStr
+{
+    PLArenaPool	*poolp;
+    SECOidData	*pvkAdditionalTypeTag;	/* used locally */
+    SECItem     pvkAdditionalType;
+    SECItem     pvkAdditionalContent;
+};
+
+/* cert and other supporting data for private keys.  used
+ * for both shrouded and non-shrouded keys.
+ */
+struct SEC_PKCS12PVKSupportingDataStr
+{
+    PLArenaPool		*poolp;
+    SGNDigestInfo 	**assocCerts;
+    SECItem		regenerable;
+    SECItem         	nickname;
+    SEC_PKCS12PVKAdditionalData     pvkAdditional;
+    SECItem		pvkAdditionalDER;
+
+    SECItem		uniNickName;
+    /* used locally */
+    int			nThumbs;
+};
+
+/* shrouded key structure.  supports only pkcs8 shrouding
+ * currently.
+ */
+struct SEC_PKCS12ESPVKItemStr
+{
+    PLArenaPool *poolp;		/* used locally */
+    SECOidData	*espvkTag;	/* used locally */
+    SECItem	espvkOID;
+    SEC_PKCS12PVKSupportingData espvkData;
+    union
+    {
+	SECKEYEncryptedPrivateKeyInfo *pkcs8KeyShroud;
+    } espvkCipherText;
+
+    PRBool duplicate;	/* used locally */
+    PRBool problem_cert; 	/* used locally */
+    PRBool single_cert;		/* used locally */
+    int nCerts;			/* used locally */
+    SECItem derCert;		/* used locally */
+};
+
+/* generic bag store for the safe.  safeBagType identifies
+ * the type of bag stored.
+ */
+struct SEC_PKCS12SafeBagStr
+{
+    PLArenaPool *poolp;
+    SECOidData	*safeBagTypeTag;	/* used locally */
+    SECItem     safeBagType;
+    union
+    {
+	SEC_PKCS12PrivateKeyBag	*keyBag;
+	SEC_PKCS12CertAndCRLBag *certAndCRLBag;
+	SEC_PKCS12SecretBag     *secretBag;
+    } safeContent;
+
+    SECItem	derSafeContent;
+    SECItem 	safeBagName;
+
+    SECItem	uniSafeBagName;
+};
+
+/* stores private keys and certificates in a list.  each safebag
+ * has an ID identifying the type of content stored.
+ */
+struct SEC_PKCS12SafeContentsStr
+{
+    PLArenaPool     	*poolp;
+    SEC_PKCS12SafeBag	**contents;
+
+    /* used for tracking purposes */
+    int safe_size;
+    PRBool old;
+    PRBool swapUnicode;
+    PRBool possibleSwapUnicode;
+};
+
+/* private key structure which holds encrypted private key and
+ * supporting data including nickname and certificate thumbprint.
+ */
+struct SEC_PKCS12PrivateKeyStr
+{
+    PLArenaPool *poolp;
+    SEC_PKCS12PVKSupportingData pvkData;
+    SECKEYPrivateKeyInfo	pkcs8data;   /* borrowed from PKCS 8 */
+
+    PRBool duplicate;	/* used locally */
+    PRBool problem_cert;/* used locally */
+    PRBool single_cert;	/* used locally */
+    int nCerts;		/* used locally */
+    SECItem derCert;	/* used locally */
+};
+
+/* private key bag, holds a (null terminated) list of private key
+ * structures.
+ */
+struct SEC_PKCS12PrivateKeyBagStr
+{
+    PLArenaPool     *poolp;
+    SEC_PKCS12PrivateKey 	**privateKeys;
+
+    int bag_size;	/* used locally */
+};
+
+/* container to hold certificates.  currently supports x509
+ * and sdsi certificates
+ */
+struct SEC_PKCS12CertAndCRLStr
+{
+    PLArenaPool     *poolp;
+    SECOidData	    *BagTypeTag;    /* used locally */
+    SECItem         BagID;
+    union
+    {
+    	SEC_PKCS12X509CertCRL	*x509;
+    	SEC_PKCS12SDSICert	*sdsi;
+    } value;
+
+    SECItem derValue;
+    SECItem nickname;		/* used locally */
+    PRBool duplicate;		/* used locally */
+};
+
+/* x509 certificate structure.	typically holds the der encoding
+ * of the x509 certificate.  thumbprint contains a digest of the
+ * certificate
+ */
+struct SEC_PKCS12X509CertCRLStr
+{
+    PLArenaPool     		*poolp;
+    SEC_PKCS7ContentInfo	certOrCRL;
+    SGNDigestInfo		thumbprint;
+
+    SECItem *derLeafCert;	/* used locally */
+};
+
+/* sdsi certificate structure.	typically holds the der encoding
+ * of the sdsi certificate.  thumbprint contains a digest of the
+ * certificate
+ */
+struct SEC_PKCS12SDSICertStr
+{
+    PLArenaPool     *poolp;
+    SECItem         value;
+    SGNDigestInfo   thumbprint;
+};
+
+/* contains a null terminated list of certs and crls */
+struct SEC_PKCS12CertAndCRLBagStr
+{
+    PLArenaPool     		*poolp;
+    SEC_PKCS12CertAndCRL	**certAndCRLs;
+
+    int bag_size;	/* used locally */
+};
+
+/* additional secret information.  currently no information
+ * stored in this structure.
+ */
+struct SEC_PKCS12SecretAdditionalStr
+{
+    PLArenaPool     *poolp;
+    SECOidData	    *secretTypeTag;         /* used locally */
+    SECItem         secretAdditionalType;
+    SECItem         secretAdditionalContent;
+};
+
+/* secrets container.  this will be used to contain currently
+ * unspecified secrets.  (it's a secret)
+ */
+struct SEC_PKCS12SecretStr
+{
+    PLArenaPool     *poolp;
+    SECItem	secretName;
+    SECItem	value;
+    SEC_PKCS12SecretAdditional	secretAdditional;
+
+    SECItem	uniSecretName;
+};
+
+struct SEC_PKCS12SecretItemStr
+{
+    PLArenaPool     *poolp;
+    SEC_PKCS12Secret	secret;
+    SEC_PKCS12SafeBag	subFolder;
+};    
+
+/* a bag of secrets.  holds a null terminated list of secrets.
+ */
+struct SEC_PKCS12SecretBagStr
+{
+    PLArenaPool     	*poolp;
+    SEC_PKCS12SecretItem	**secrets;
+
+    int bag_size;	/* used locally */
+};
+
+struct SEC_PKCS12MacDataStr
+{
+    SGNDigestInfo	safeMac;
+    SECItem		macSalt;
+};
+
+/* outer transfer unit */
+struct SEC_PKCS12PFXItemStr
+{
+    PLArenaPool		*poolp;
+    SEC_PKCS12MacData	macData;
+    SEC_PKCS7ContentInfo	authSafe; 
+
+    /* for compatibility with beta */
+    PRBool		old;
+    SGNDigestInfo 	old_safeMac;
+    SECItem		old_macSalt;
+
+    /* compatibility between platforms for unicode swapping */
+    PRBool		swapUnicode;
+};
+
+struct SEC_PKCS12BaggageItemStr {
+    PLArenaPool	    *poolp;
+    SEC_PKCS12ESPVKItem	**espvks;
+    SEC_PKCS12SafeBag	**unencSecrets;
+
+    int nEspvks;
+    int nSecrets; 
+};
+    
+/* stores shrouded keys */
+struct SEC_PKCS12Baggage_OLDStr
+{
+    PLArenaPool     *poolp;
+    SEC_PKCS12ESPVKItem **espvks;
+
+    int luggage_size;		/* used locally */
+};
+
+/* authenticated safe, stores certs, keys, and shrouded keys */
+struct SEC_PKCS12AuthenticatedSafeStr
+{
+    PLArenaPool     *poolp;
+    SECItem         version;
+    SECOidData	    *transportTypeTag;	/* local not part of encoding*/
+    SECItem         transportMode;
+    SECItem         privacySalt;
+    SEC_PKCS12Baggage	  baggage;
+    SEC_PKCS7ContentInfo  *safe;
+
+    /* used for beta compatibility */
+    PRBool old;
+    PRBool emptySafe;
+    SEC_PKCS12Baggage_OLD old_baggage;
+    SEC_PKCS7ContentInfo old_safe;
+    PRBool swapUnicode;
+};
+#define SEC_PKCS12_PFX_VERSION		1		/* what we create */
+
+
+
+/* PKCS 12 Templates */
+extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12MacDataTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKAdditionalTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[];
+extern const SEC_ASN1Template SGN_DigestInfoTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[];
+#endif
diff --git a/security/nss/lib/pkcs7/Makefile b/security/nss/lib/pkcs7/Makefile
new file mode 100644
index 000000000..3bc1a719a
--- /dev/null
+++ b/security/nss/lib/pkcs7/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c
new file mode 100644
index 000000000..314220953
--- /dev/null
+++ b/security/nss/lib/pkcs7/certread.c
@@ -0,0 +1,456 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "cert.h"
+#include "secpkcs7.h"
+#include "base64.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+
+SECStatus
+SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
+{
+    SEC_PKCS7ContentInfo *contentInfo = NULL;
+    SECStatus rv;
+    SECItem **certs;
+    int count;
+
+    contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL, 
+				      NULL, NULL);
+    if ( contentInfo == NULL ) {
+	goto loser;
+    }
+
+    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
+	goto loser;
+    }
+
+    certs = contentInfo->content.signedData->rawCerts;
+    if ( certs ) {
+	count = 0;
+	
+	while ( *certs ) {
+	    count++;
+	    certs++;
+	}
+	rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
+    }
+    
+    rv = SECSuccess;
+    
+    goto done;
+loser:
+    rv = SECFailure;
+    
+done:
+    if ( contentInfo ) {
+	SEC_PKCS7DestroyContentInfo(contentInfo);
+    }
+
+    return(rv);
+}
+
+const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+SECStatus
+SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
+{
+    SECStatus rv;
+    SECItem **certs;
+    int count;
+    SECItem **rawCerts = NULL;
+    PRArenaPool *arena;
+    SEC_PKCS7ContentInfo *contentInfo = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return SECFailure;
+    }
+
+    contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL, 
+				      NULL, NULL);
+    if ( contentInfo == NULL ) {
+	goto loser;
+    }
+
+    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
+	goto loser;
+    }
+
+
+    rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
+		    contentInfo->content.data);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    certs = rawCerts;
+    if ( certs ) {
+	count = 0;
+	
+	while ( *certs ) {
+	    count++;
+	    certs++;
+	}
+	rv = (* f)(arg, rawCerts, count);
+    }
+    
+    rv = SECSuccess;
+    
+    goto done;
+loser:
+    rv = SECFailure;
+    
+done:
+    if ( contentInfo ) {
+	SEC_PKCS7DestroyContentInfo(contentInfo);
+    }
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(rv);
+}
+
+CERTCertificate *
+CERT_ConvertAndDecodeCertificate(char *certstr)
+{
+    CERTCertificate *cert;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem(&der, certstr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
+                                   &der, NULL, PR_FALSE, PR_TRUE);
+
+    PORT_Free(der.data);
+    return cert;
+}
+
+static const char NS_CERT_HEADER[]  = "-----BEGIN CERTIFICATE-----";
+static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
+#define NS_CERT_HEADER_LEN  ((sizeof NS_CERT_HEADER) - 1)
+#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
+
+static const char CERTIFICATE_TYPE_STRING[] = "certificate";
+#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
+
+/*
+ * read an old style ascii or binary certificate chain
+ */
+SECStatus
+CERT_DecodeCertPackage(char *certbuf,
+		       int certlen,
+		       CERTImportCertificateFunc f,
+		       void *arg)
+{
+    unsigned char *cp;
+    unsigned char *bincert = NULL;
+    char *         ascCert = NULL;
+    SECStatus      rv;
+    
+    if ( certbuf == NULL ) {
+	return(SECFailure);
+    }
+    
+    cp = (unsigned char *)certbuf;
+
+    /* is a DER encoded certificate of some type? */
+    if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
+	SECItem certitem;
+	SECItem *pcertitem = &certitem;
+	int seqLen, seqLenLen;
+
+	cp++;
+	
+	if ( *cp & 0x80) {
+	    /* Multibyte length */
+	    seqLenLen = cp[0] & 0x7f;
+	    
+	    switch (seqLenLen) {
+	      case 4:
+		seqLen = ((unsigned long)cp[1]<<24) |
+		    ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
+		break;
+	      case 3:
+		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
+		break;
+	      case 2:
+		seqLen = (cp[1]<<8) | cp[2];
+		break;
+	      case 1:
+		seqLen = cp[1];
+		break;
+	      default:
+		/* indefinite length */
+		seqLen = 0;
+	    }
+	    cp += ( seqLenLen + 1 );
+
+	} else {
+	    seqLenLen = 0;
+	    seqLen = *cp;
+	    cp++;
+	}
+
+	/* check entire length if definite length */
+	if ( seqLen || seqLenLen ) {
+	    if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
+		if (certlen > ( seqLen + seqLenLen + 2 ))
+		    PORT_SetError(SEC_ERROR_EXTRA_INPUT);
+		else 
+		    PORT_SetError(SEC_ERROR_INPUT_LEN);
+		goto notder;
+	    }
+	}
+	
+	/* check the type string */
+	/* netscape wrapped DER cert */
+	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
+	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
+	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
+	    
+	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
+
+	    /* it had better be a certificate by now!! */
+	    certitem.data = cp;
+	    certitem.len = certlen - ( cp - (unsigned char *)certbuf );
+	    
+	    rv = (* f)(arg, &pcertitem, 1);
+	    
+	    return(rv);
+	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
+	    SECOidData *oiddata;
+	    SECItem oiditem;
+	    /* XXX - assume DER encoding of OID len!! */
+	    oiditem.len = cp[1];
+	    oiditem.data = (unsigned char *)&cp[2];
+	    oiddata = SECOID_FindOID(&oiditem);
+	    if ( oiddata == NULL ) {
+		return(SECFailure);
+	    }
+
+	    certitem.data = (unsigned char*)certbuf;
+	    certitem.len = certlen;
+	    
+	    switch ( oiddata->offset ) {
+	      case SEC_OID_PKCS7_SIGNED_DATA:
+		return(SEC_ReadPKCS7Certs(&certitem, f, arg));
+		break;
+	      case SEC_OID_NS_TYPE_CERT_SEQUENCE:
+		return(SEC_ReadCertSequence(&certitem, f, arg));
+		break;
+	      default:
+		break;
+	    }
+	    
+	} else {
+	    /* it had better be a certificate by now!! */
+	    certitem.data = (unsigned char*)certbuf;
+	    certitem.len = certlen;
+	    
+	    rv = (* f)(arg, &pcertitem, 1);
+	    return(rv);
+	}
+    }
+
+    /* now look for a netscape base64 ascii encoded cert */
+notder:
+  {
+    unsigned char *certbegin = NULL; 
+    unsigned char *certend   = NULL;
+    char          *pc;
+    int cl;
+
+    /* Convert the ASCII data into a nul-terminated string */
+    ascCert = (char *)PORT_Alloc(certlen + 1);
+    if (!ascCert) {
+        rv = SECFailure;
+	goto loser;
+    }
+
+    PORT_Memcpy(ascCert, certbuf, certlen);
+    ascCert[certlen] = '\0';
+
+    pc = PORT_Strchr(ascCert, '\n');  /* find an EOL */
+    if (!pc) { /* maybe this is a MAC file */
+	pc = ascCert;
+	while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
+	    *pc++ = '\n';
+	}
+    }
+
+    cp = (unsigned char *)ascCert;
+    cl = certlen;
+
+    /* find the beginning marker */
+    while ( cl > NS_CERT_HEADER_LEN ) {
+	int found = 0;
+	if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
+			        NS_CERT_HEADER_LEN) ) {
+	    cl -= NS_CERT_HEADER_LEN;
+	    cp += NS_CERT_HEADER_LEN;
+	    found = 1;
+	}
+	
+	/* skip to next eol */
+	while ( cl && ( *cp != '\n' )) {
+	    cp++;
+	    cl--;
+	} 
+
+	/* skip all blank lines */
+	while ( cl && ( *cp == '\n' || *cp == '\r' )) {
+	    cp++;
+	    cl--;
+	}
+	if (cl && found) {
+	    certbegin = cp;
+	    break;
+    	}
+    }
+
+    if ( certbegin ) {
+	/* find the ending marker */
+	while ( cl >= NS_CERT_TRAILER_LEN ) {
+	    if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
+				   NS_CERT_TRAILER_LEN) ) {
+		certend = (unsigned char *)cp;
+		break;
+	    }
+
+	    /* skip to next eol */
+	    while ( cl && ( *cp != '\n' )) {
+		cp++;
+		cl--;
+	    }
+
+	    /* skip all blank lines */
+	    while ( cl && ( *cp == '\n' || *cp == '\r' )) {
+		cp++;
+		cl--;
+	    }
+	}
+    }
+
+    if ( certbegin && certend ) {
+	unsigned int binLen;
+
+	*certend = 0;
+	/* convert to binary */
+	bincert = ATOB_AsciiToData(certbegin, &binLen);
+	if (!bincert) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* now recurse to decode the binary */
+	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
+	
+    } else {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	rv = SECFailure;
+    }
+  }
+
+loser:
+
+    if ( bincert ) {
+	PORT_Free(bincert);
+    }
+
+    if ( ascCert ) {
+	PORT_Free(ascCert);
+    }
+
+    return(rv);
+}
+
+typedef struct {
+    PRArenaPool *arena;
+    SECItem cert;
+} collect_args;
+
+static SECStatus
+collect_certs(void *arg, SECItem **certs, int numcerts)
+{
+    SECStatus rv;
+    collect_args *collectArgs;
+    
+    collectArgs = (collect_args *)arg;
+    
+    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
+
+    return(rv);
+}
+
+
+/*
+ * read an old style ascii or binary certificate
+ */
+CERTCertificate *
+CERT_DecodeCertFromPackage(char *certbuf, int certlen)
+{
+    collect_args collectArgs;
+    SECStatus rv;
+    CERTCertificate *cert = NULL;
+    
+    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
+				(void *)&collectArgs);
+    if ( rv == SECSuccess ) {
+	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+	                               &collectArgs.cert, NULL, 
+	                               PR_FALSE, PR_TRUE);
+    }
+    
+    PORT_FreeArena(collectArgs.arena, PR_FALSE);
+    
+    return(cert);
+}
diff --git a/security/nss/lib/pkcs7/config.mk b/security/nss/lib/pkcs7/config.mk
new file mode 100644
index 000000000..7ade98fc1
--- /dev/null
+++ b/security/nss/lib/pkcs7/config.mk
@@ -0,0 +1,46 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn
new file mode 100644
index 000000000..7b7ae43a0
--- /dev/null
+++ b/security/nss/lib/pkcs7/manifest.mn
@@ -0,0 +1,67 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	secmime.h \
+	secpkcs7.h \
+	pkcs7t.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	p7local.h \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = \
+	certread.c \
+	p7common.c \
+	p7create.c \
+	p7decode.c \
+	p7encode.c \
+	p7local.c  \
+	secmime.c  \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = pkcs7
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/pkcs7/p7common.c b/security/nss/lib/pkcs7/p7common.c
new file mode 100644
index 000000000..aef65471b
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7common.c
@@ -0,0 +1,724 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * PKCS7 implementation -- the exported parts that are used whether
+ * creating or decoding.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+
+/*
+ * Find out (saving pointer to lookup result for future reference)
+ * and return the inner content type.
+ */
+SECOidTag
+SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return cinfo->contentTypeTag->offset;
+}
+
+
+/*
+ * Destroy a PKCS7 contentInfo and all of its sub-pieces.
+ */
+void
+SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    CERTCertificate **certs;
+    CERTCertificateList **certlists;
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7RecipientInfo **recipientinfos;
+
+    PORT_Assert (cinfo->refCount > 0);
+    if (cinfo->refCount <= 0)
+	return;
+
+    cinfo->refCount--;
+    if (cinfo->refCount > 0)
+	return;
+
+    certs = NULL;
+    certlists = NULL;
+    recipientinfos = NULL;
+    signerinfos = NULL;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *edp;
+
+	    edp = cinfo->content.envelopedData;
+	    if (edp != NULL) {
+		recipientinfos = edp->recipientInfos;
+	    }
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    if (sdp != NULL) {
+		certs = sdp->certs;
+		certlists = sdp->certLists;
+		signerinfos = sdp->signerInfos;
+	    }
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    if (saedp != NULL) {
+		certs = saedp->certs;
+		certlists = saedp->certLists;
+		recipientinfos = saedp->recipientInfos;
+		signerinfos = saedp->signerInfos;
+		if (saedp->sigKey != NULL)
+		    PK11_FreeSymKey (saedp->sigKey);
+	    }
+	}
+	break;
+      default:
+	/* XXX Anything else that needs to be "manually" freed/destroyed? */
+	break;
+    }
+
+    if (certs != NULL) {
+	CERTCertificate *cert;
+
+	while ((cert = *certs++) != NULL) {
+	    CERT_DestroyCertificate (cert);
+	}
+    }
+
+    if (certlists != NULL) {
+	CERTCertificateList *certlist;
+
+	while ((certlist = *certlists++) != NULL) {
+	    CERT_DestroyCertificateList (certlist);
+	}
+    }
+
+    if (recipientinfos != NULL) {
+	SEC_PKCS7RecipientInfo *ri;
+
+	while ((ri = *recipientinfos++) != NULL) {
+	    if (ri->cert != NULL)
+		CERT_DestroyCertificate (ri->cert);
+	}
+    }
+
+    if (signerinfos != NULL) {
+	SEC_PKCS7SignerInfo *si;
+
+	while ((si = *signerinfos++) != NULL) {
+	    if (si->cert != NULL)
+		CERT_DestroyCertificate (si->cert);
+	    if (si->certList != NULL)
+		CERT_DestroyCertificateList (si->certList);
+	}
+    }
+
+    if (cinfo->poolp != NULL) {
+	PORT_FreeArena (cinfo->poolp, PR_FALSE);	/* XXX clear it? */
+    }
+}
+
+
+/*
+ * Return a copy of the given contentInfo.  The copy may be virtual
+ * or may be real -- either way, the result needs to be passed to
+ * SEC_PKCS7DestroyContentInfo later (as does the original).
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *cinfo)
+{
+    if (cinfo == NULL)
+	return NULL;
+
+    PORT_Assert (cinfo->refCount > 0);
+
+    if (cinfo->created) {
+	/*
+	 * Want to do a real copy of these; otherwise subsequent
+	 * changes made to either copy are likely to be a surprise.
+	 * XXX I suspect that this will not actually be called for yet,
+	 * which is why the assert, so to notice if it is...
+	 */
+	PORT_Assert (0);
+	/*
+	 * XXX Create a new pool here, and copy everything from
+	 * within.  For cert stuff, need to call the appropriate
+	 * copy functions, etc.
+	 */
+    }
+
+    cinfo->refCount++;
+    return cinfo;
+}
+
+
+/*
+ * Return a pointer to the actual content.  In the case of those types
+ * which are encrypted, this returns the *plain* content.
+ * XXX Needs revisiting if/when we handle nested encrypted types.
+ */
+SECItem *
+SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_DATA:
+	return cinfo->content.data;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	{
+	    SEC_PKCS7DigestedData *digd;
+
+	    digd = cinfo->content.digestedData;
+	    if (digd == NULL)
+		break;
+	    return SEC_PKCS7GetContent (&(digd->contentInfo));
+	}
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encd;
+
+	    encd = cinfo->content.encryptedData;
+	    if (encd == NULL)
+		break;
+	    return &(encd->encContentInfo.plainContent);
+	}
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envd;
+
+	    envd = cinfo->content.envelopedData;
+	    if (envd == NULL)
+		break;
+	    return &(envd->encContentInfo.plainContent);
+	}
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sigd;
+
+	    sigd = cinfo->content.signedData;
+	    if (sigd == NULL)
+		break;
+	    return SEC_PKCS7GetContent (&(sigd->contentInfo));
+	}
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saed;
+
+	    saed = cinfo->content.signedAndEnvelopedData;
+	    if (saed == NULL)
+		break;
+	    return &(saed->encContentInfo.plainContent);
+	}
+      default:
+	PORT_Assert(0);
+	break;
+    }
+
+    return NULL;
+}
+
+
+/*
+ * XXX Fix the placement and formatting of the
+ * following routines (i.e. make them consistent with the rest of
+ * the pkcs7 code -- I think some/many belong in other files and
+ * they all need a formatting/style rehaul)
+ */
+
+/* retrieve the algorithm identifier for encrypted data.  
+ * the identifier returned is a copy of the algorithm identifier
+ * in the content info and needs to be freed after being used.
+ *
+ *   cinfo is the content info for which to retrieve the
+ *     encryption algorithm.
+ *
+ * if the content info is not encrypted data or an error 
+ * occurs NULL is returned.
+ */
+SECAlgorithmID *
+SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo)
+{
+  SECAlgorithmID *alg = 0;
+  switch (SEC_PKCS7ContentType(cinfo))
+    {
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      alg = &cinfo->content.encryptedData->encContentInfo.contentEncAlg;
+      break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+      alg = &cinfo->content.envelopedData->encContentInfo.contentEncAlg;
+      break;
+    case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+      alg = &cinfo->content.signedAndEnvelopedData
+	->encContentInfo.contentEncAlg;
+      break;
+    default:
+      alg = 0;
+      break;
+    }
+
+    return alg;
+}
+
+/* set the content of the content info.  For data content infos,
+ * the data is set.  For encrytped content infos, the plainContent
+ * is set, and is expected to be encrypted later.
+ *  
+ * cinfo is the content info where the data will be set
+ *
+ * buf is a buffer of the data to set
+ *
+ * len is the length of the data being set.
+ *
+ * in the event of an error, SECFailure is returned.  SECSuccess 
+ * indicates the content was successfully set.
+ */
+SECStatus 
+SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
+		    const char *buf, 
+		    unsigned long len)
+{
+    SECOidTag cinfo_type;
+    SECStatus rv;
+    SECItem content;
+    SECOidData *contentTypeTag = NULL;
+
+    content.data = (unsigned char *)buf;
+    content.len = len;
+
+    cinfo_type = SEC_PKCS7ContentType(cinfo);
+
+    /* set inner content */
+    switch(cinfo_type)
+    {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    if(content.len > 0) {
+		/* we "leak" the old content here, but as it's all in the pool */
+		/* it does not really matter */
+
+		/* create content item if necessary */
+		if (cinfo->content.signedData->contentInfo.content.data == NULL)
+		    cinfo->content.signedData->contentInfo.content.data = SECITEM_AllocItem(cinfo->poolp, NULL, 0);
+		rv = SECITEM_CopyItem(cinfo->poolp, 
+			cinfo->content.signedData->contentInfo.content.data,
+			&content);
+	    } else {
+		cinfo->content.signedData->contentInfo.content.data->data = NULL;
+		cinfo->content.signedData->contentInfo.content.data->len = 0;
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    /* XXX this forces the inner content type to be "data" */
+	    /* do we really want to override without asking or reason? */
+	    contentTypeTag = SECOID_FindOIDByTag(SEC_OID_PKCS7_DATA);
+	    if(contentTypeTag == NULL)
+		goto loser;
+	    rv = SECITEM_CopyItem(cinfo->poolp, 
+		&(cinfo->content.encryptedData->encContentInfo.contentType),
+		&(contentTypeTag->oid));
+	    if(rv == SECFailure)
+		goto loser;
+	    if(content.len > 0) {
+		rv = SECITEM_CopyItem(cinfo->poolp, 
+			&(cinfo->content.encryptedData->encContentInfo.plainContent),
+			&content);
+	    } else {
+		cinfo->content.encryptedData->encContentInfo.plainContent.data = NULL;
+		cinfo->content.encryptedData->encContentInfo.encContent.data = NULL;
+		cinfo->content.encryptedData->encContentInfo.plainContent.len = 0;
+		cinfo->content.encryptedData->encContentInfo.encContent.len = 0;
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    break;
+	case SEC_OID_PKCS7_DATA:
+	    cinfo->content.data = (SECItem *)PORT_ArenaZAlloc(cinfo->poolp,
+		sizeof(SECItem));
+	    if(cinfo->content.data == NULL)
+		goto loser;
+	    if(content.len > 0) {
+		rv = SECITEM_CopyItem(cinfo->poolp,
+			cinfo->content.data, &content);
+	    } else {
+	    	/* handle case with NULL content */
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    break;
+	default:
+	    goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+	
+    return SECFailure;
+}
+
+/* the content of an encrypted data content info is encrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "plainContent" field of the content info.
+ *
+ * cinfo is the content info to encrypt
+ *
+ * key is the key with which to perform the encryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+SECStatus 
+SEC_PKCS7EncryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo,
+			 SECItem *key,
+			 void *wincx)
+{
+    SECAlgorithmID *algid 	= NULL;
+    SECItem *       result 	= NULL;
+    SECItem *       src;
+    SECItem *       dest;
+    SECItem *       blocked_data = NULL;
+    void *          mark;
+    void *          cx;
+    PK11SymKey *    eKey 	= NULL;
+    PK11SlotInfo *  slot 	= NULL;
+
+    CK_MECHANISM_TYPE cryptoMechType;
+    int             bs;
+    SECStatus       rv 		= SECFailure;
+    SECItem         *c_param = NULL;
+
+    if((cinfo == NULL) || (key == NULL))
+	return SECFailure;
+
+    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
+	return SECFailure;
+
+    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
+    if(algid == NULL)
+	return SECFailure;
+
+    if(poolp == NULL)
+	poolp = cinfo->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+    
+    src = &cinfo->content.encryptedData->encContentInfo.plainContent;
+    dest = &cinfo->content.encryptedData->encContentInfo.encContent;
+    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
+    dest->len = (src->len + 64);
+    if(dest->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    if(slot == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx);
+    if(eKey == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    cryptoMechType = PK11_GetPBECryptoMechanism(algid, &c_param, key);
+    if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* block according to PKCS 8 */
+    bs = PK11_GetBlockSize(cryptoMechType, c_param);
+    rv = SECSuccess;
+    if(bs) {
+	char pad_char;
+	pad_char = (char)(bs - (src->len % bs));
+	if(src->len % bs) {
+	    rv = SECSuccess;
+	    blocked_data = PK11_BlockData(src, bs);
+	    if(blocked_data) {
+		PORT_Memset((blocked_data->data + blocked_data->len 
+			    - (int)pad_char), 
+			    pad_char, (int)pad_char);
+	    } else {
+		rv = SECFailure;
+		goto loser;
+	    }
+	} else {
+	    blocked_data = SECITEM_DupItem(src);
+	    if(blocked_data) {
+		blocked_data->data = (unsigned char*)PORT_Realloc(
+						  blocked_data->data,
+						  blocked_data->len + bs);
+		if(blocked_data->data) {
+		    blocked_data->len += bs;
+		    PORT_Memset((blocked_data->data + src->len), (char)bs, bs);
+		} else {
+		    rv = SECFailure;
+		    goto loser;
+		}
+	    } else {
+		rv = SECFailure;
+		goto loser;
+	    }
+	 }
+    } else {
+	blocked_data = SECITEM_DupItem(src);
+	if(!blocked_data) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    }
+
+    cx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT,
+		    		    eKey, c_param);
+    if(cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
+		       (int)(src->len + 64), blocked_data->data, 
+		       (int)blocked_data->len);
+    PK11_DestroyContext((PK11Context*)cx, PR_TRUE);
+
+loser:
+    /* let success fall through */
+    if(blocked_data != NULL)
+	SECITEM_ZfreeItem(blocked_data, PR_TRUE);
+
+    if(result != NULL)
+	SECITEM_ZfreeItem(result, PR_TRUE);
+
+    if(rv == SECFailure)
+	PORT_ArenaRelease(poolp, mark);
+    else 
+	PORT_ArenaUnmark(poolp, mark);
+
+    if(eKey != NULL)
+	PK11_FreeSymKey(eKey);
+
+    if(slot != NULL)
+	PK11_FreeSlot(slot);
+
+    if(c_param != NULL) 
+	SECITEM_ZfreeItem(c_param, PR_TRUE);
+	
+    return rv;
+}
+
+/* the content of an encrypted data content info is decrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "encContent" field of the content info.
+ *
+ * cinfo is the content info to decrypt
+ *
+ * key is the key with which to perform the decryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+SECStatus 
+SEC_PKCS7DecryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo,
+			 SECItem *key,
+			 void *wincx)
+{
+    SECAlgorithmID *algid = NULL;
+    SECStatus rv = SECFailure;
+    SECItem *result = NULL, *dest, *src;
+    void *mark;
+
+    PK11SymKey *eKey = NULL;
+    PK11SlotInfo *slot = NULL;
+    CK_MECHANISM_TYPE cryptoMechType;
+    void *cx;
+    SECItem *c_param = NULL;
+    int bs;
+
+    if((cinfo == NULL) || (key == NULL))
+	return SECFailure;
+
+    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
+	return SECFailure;
+
+    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
+    if(algid == NULL)
+	return SECFailure;
+
+    if(poolp == NULL)
+	poolp = cinfo->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+    
+    src = &cinfo->content.encryptedData->encContentInfo.encContent;
+    dest = &cinfo->content.encryptedData->encContentInfo.plainContent;
+    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
+    dest->len = (src->len + 64);
+    if(dest->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    if(slot == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx);
+    if(eKey == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    cryptoMechType = PK11_GetPBECryptoMechanism(algid, &c_param, key);
+    if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    cx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT,
+		    		    eKey, c_param);
+    if(cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
+		       (int)(src->len + 64), src->data, (int)src->len);
+    PK11_DestroyContext((PK11Context *)cx, PR_TRUE);
+
+    bs = PK11_GetBlockSize(cryptoMechType, c_param);
+    if(bs) {
+	/* check for proper badding in block algorithms.  this assumes
+	 * RC2 cbc or a DES cbc variant.  and the padding is thus defined
+	 */
+	if(((int)dest->data[dest->len-1] <= bs) && 
+	   ((int)dest->data[dest->len-1] > 0)) {
+	    dest->len -= (int)dest->data[dest->len-1];
+	} else {
+	    rv = SECFailure;
+	    /* set an error ? */
+	}
+    } 
+
+loser:
+    /* let success fall through */
+    if(result != NULL)
+	SECITEM_ZfreeItem(result, PR_TRUE);
+
+    if(rv == SECFailure)
+	PORT_ArenaRelease(poolp, mark);
+    else
+	PORT_ArenaUnmark(poolp, mark);
+
+    if(eKey != NULL)
+	PK11_FreeSymKey(eKey);
+
+    if(slot != NULL)
+	PK11_FreeSlot(slot);
+
+    if(c_param != NULL) 
+	SECITEM_ZfreeItem(c_param, PR_TRUE);
+	
+    return rv;
+}
+
+SECItem **
+SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo)
+{
+    switch(SEC_PKCS7ContentType(cinfo))
+    {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    return cinfo->content.signedData->rawCerts;
+	    break;
+	default:
+	    return NULL;
+	    break;
+    }
+}
+
+
+int
+SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo)
+{
+  if (cinfo->contentTypeTag->offset == SEC_OID_PKCS7_ENVELOPED_DATA)
+    return cinfo->content.envelopedData->encContentInfo.keysize;
+  else
+    return 0;
+}
+
diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c
new file mode 100644
index 000000000..5c6a4f31a
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7create.c
@@ -0,0 +1,1321 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * PKCS7 creation.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secder.h"
+#include "secpkcs5.h"
+
+static SECStatus
+sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp,
+			     SECOidTag kind, PRBool detached)
+{
+    void *thing;
+    int version;
+    SECItem *versionp;
+    SECStatus rv;
+
+    PORT_Assert (cinfo != NULL && poolp != NULL);
+    if (cinfo == NULL || poolp == NULL)
+	return SECFailure;
+
+    cinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
+    PORT_Assert (cinfo->contentTypeTag
+		 && cinfo->contentTypeTag->offset == kind);
+
+    rv = SECITEM_CopyItem (poolp, &(cinfo->contentType),
+			   &(cinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return rv;
+
+    if (detached)
+	return SECSuccess;
+
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SECItem));
+	cinfo->content.data = (SECItem*)thing;
+	versionp = NULL;
+	version = -1;
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7DigestedData));
+	cinfo->content.digestedData = (SEC_PKCS7DigestedData*)thing;
+	versionp = &(cinfo->content.digestedData->version);
+	version = SEC_PKCS7_DIGESTED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EncryptedData));
+	cinfo->content.encryptedData = (SEC_PKCS7EncryptedData*)thing;
+	versionp = &(cinfo->content.encryptedData->version);
+	version = SEC_PKCS7_ENCRYPTED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EnvelopedData));
+	cinfo->content.envelopedData = 
+	  (SEC_PKCS7EnvelopedData*)thing;
+	versionp = &(cinfo->content.envelopedData->version);
+	version = SEC_PKCS7_ENVELOPED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7SignedData));
+	cinfo->content.signedData = 
+	  (SEC_PKCS7SignedData*)thing;
+	versionp = &(cinfo->content.signedData->version);
+	version = SEC_PKCS7_SIGNED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	thing = PORT_ArenaZAlloc(poolp,sizeof(SEC_PKCS7SignedAndEnvelopedData));
+	cinfo->content.signedAndEnvelopedData = 
+	  (SEC_PKCS7SignedAndEnvelopedData*)thing;
+	versionp = &(cinfo->content.signedAndEnvelopedData->version);
+	version = SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION;
+	break;
+    }
+
+    if (thing == NULL)
+	return SECFailure;
+
+    if (versionp != NULL) {
+	SECItem *dummy;
+
+	PORT_Assert (version >= 0);
+	dummy = SEC_ASN1EncodeInteger (poolp, versionp, version);
+	if (dummy == NULL)
+	    return SECFailure;
+	PORT_Assert (dummy == versionp);
+    }
+
+    return SECSuccess;
+}
+
+
+static SEC_PKCS7ContentInfo *
+sec_pkcs7_create_content_info (SECOidTag kind, PRBool detached,
+			       SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    PRArenaPool *poolp;
+    SECStatus rv;
+
+    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (poolp == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
+    if (cinfo == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cinfo->poolp = poolp;
+    cinfo->pwfn = pwfn;
+    cinfo->pwfn_arg = pwfn_arg;
+    cinfo->created = PR_TRUE;
+    cinfo->refCount = 1;
+
+    rv = sec_pkcs7_init_content_info (cinfo, poolp, kind, detached);
+    if (rv != SECSuccess) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Add a signer to a PKCS7 thing, verifying the signature cert first.
+ * Any error returns SECFailure.
+ *
+ * XXX Right now this only adds the *first* signer.  It fails if you try
+ * to add a second one -- this needs to be fixed.
+ */
+static SECStatus
+sec_pkcs7_add_signer (SEC_PKCS7ContentInfo *cinfo,
+		      CERTCertificate *     cert,
+		      SECCertUsage          certusage,
+		      CERTCertDBHandle *    certdb,
+		      SECOidTag             digestalgtag,
+		      SECItem *             digestdata)
+{
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos, ***signerinfosp;
+    SECAlgorithmID      *digestalg,  **digestalgs,  ***digestalgsp;
+    SECItem             *digest,     **digests,     ***digestsp;
+    SECItem *            dummy;
+    void *               mark;
+    SECStatus            rv;
+    SECOidTag            kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    digestalgsp = &(sdp->digestAlgorithms);
+	    digestsp = &(sdp->digests);
+	    signerinfosp = &(sdp->signerInfos);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    digestalgsp = &(saedp->digestAlgorithms);
+	    digestsp = &(saedp->digests);
+	    signerinfosp = &(saedp->signerInfos);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    /*
+     * XXX I think that CERT_VerifyCert should do this if *it* is passed
+     * a NULL database.
+     */
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL)
+	    return SECFailure;		/* XXX set an error? */
+    }
+
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/* XXX Did CERT_VerifyCert set an error? */
+	return SECFailure;
+    }
+
+    /*
+     * XXX This is the check that we do not already have a signer.
+     * This is not what we really want -- we want to allow this
+     * and *add* the new signer.
+     */
+    PORT_Assert (*signerinfosp == NULL
+		 && *digestalgsp == NULL && *digestsp == NULL);
+    if (*signerinfosp != NULL || *digestalgsp != NULL || *digestsp != NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    signerinfo = (SEC_PKCS7SignerInfo*)PORT_ArenaZAlloc (cinfo->poolp, 
+						  sizeof(SEC_PKCS7SignerInfo));
+    if (signerinfo == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &signerinfo->version,
+				   SEC_PKCS7_SIGNER_INFO_VERSION);
+    if (dummy == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    PORT_Assert (dummy == &signerinfo->version);
+
+    signerinfo->cert = CERT_DupCertificate (cert);
+    if (signerinfo->cert == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    signerinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
+    if (signerinfo->issuerAndSN == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    rv = SECOID_SetAlgorithmID (cinfo->poolp, &signerinfo->digestAlg,
+				digestalgtag, NULL);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    /*
+     * Okay, now signerinfo is all set.  We just need to put it and its
+     * companions (another copy of the digest algorithm, and the digest
+     * itself if given) into the main structure.
+     *
+     * XXX If we are handling more than one signer, the following code
+     * needs to look through the digest algorithms already specified
+     * and see if the same one is there already.  If it is, it does not
+     * need to be added again.  Also, if it is there *and* the digest
+     * is not null, then the digest given should match the digest already
+     * specified -- if not, that is an error.  Finally, the new signerinfo
+     * should be *added* to the set already found.
+     */
+
+    signerinfos = (SEC_PKCS7SignerInfo**)PORT_ArenaAlloc (cinfo->poolp,
+				   2 * sizeof(SEC_PKCS7SignerInfo *));
+    if (signerinfos == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    signerinfos[0] = signerinfo;
+    signerinfos[1] = NULL;
+
+    digestalg = PORT_ArenaZAlloc (cinfo->poolp, sizeof(SECAlgorithmID));
+    digestalgs = PORT_ArenaAlloc (cinfo->poolp, 2 * sizeof(SECAlgorithmID *));
+    if (digestalg == NULL || digestalgs == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    rv = SECOID_SetAlgorithmID (cinfo->poolp, digestalg, digestalgtag, NULL);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    digestalgs[0] = digestalg;
+    digestalgs[1] = NULL;
+
+    if (digestdata != NULL) {
+	digest = (SECItem*)PORT_ArenaAlloc (cinfo->poolp, sizeof(SECItem));
+	digests = (SECItem**)PORT_ArenaAlloc (cinfo->poolp, 
+					      2 * sizeof(SECItem *));
+	if (digest == NULL || digests == NULL) {
+	    PORT_ArenaRelease (cinfo->poolp, mark);
+	    return SECFailure;
+	}
+	rv = SECITEM_CopyItem (cinfo->poolp, digest, digestdata);
+	if (rv != SECSuccess) {
+	    PORT_ArenaRelease (cinfo->poolp, mark);
+	    return SECFailure;
+	}
+	digests[0] = digest;
+	digests[1] = NULL;
+    } else {
+	digests = NULL;
+    }
+
+    *signerinfosp = signerinfos;
+    *digestalgsp = digestalgs;
+    *digestsp = digests;
+
+    PORT_ArenaUnmark(cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function for creating an empty signedData.
+ */
+static SEC_PKCS7ContentInfo *
+sec_pkcs7_create_signed_data (SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7SignedData *sigd;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_SIGNED_DATA, PR_FALSE,
+					   pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    sigd = cinfo->content.signedData;
+    PORT_Assert (sigd != NULL);
+
+    /*
+     * XXX Might we want to allow content types other than data?
+     * If so, via what interface?
+     */
+    rv = sec_pkcs7_init_content_info (&(sigd->contentInfo), cinfo->poolp,
+				      SEC_OID_PKCS7_DATA, PR_TRUE);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Start a PKCS7 signing context.
+ *
+ * "cert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "signing" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * The return value can be passed to functions which add things to
+ * it like attributes, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateSignedData (CERTCertificate *cert,
+			   SECCertUsage certusage,
+			   CERTCertDBHandle *certdb,
+			   SECOidTag digestalg,
+			   SECItem *digest,
+ 			   SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_signed_data (pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    rv = sec_pkcs7_add_signer (cinfo, cert, certusage, certdb,
+			       digestalg, digest);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+static SEC_PKCS7Attribute *
+sec_pkcs7_create_attribute (PRArenaPool *poolp, SECOidTag oidtag,
+			    SECItem *value, PRBool encoded)
+{
+    SEC_PKCS7Attribute *attr;
+    SECItem **values;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+    mark = PORT_ArenaMark (poolp);
+
+    attr = (SEC_PKCS7Attribute*)PORT_ArenaAlloc (poolp, 
+						 sizeof(SEC_PKCS7Attribute));
+    if (attr == NULL)
+	goto loser;
+
+    attr->typeTag = SECOID_FindOIDByTag (oidtag);
+    if (attr->typeTag == NULL)
+	goto loser;
+
+    if (SECITEM_CopyItem (poolp, &(attr->type),
+			  &(attr->typeTag->oid)) != SECSuccess)
+	goto loser;
+
+    values = (SECItem**)PORT_ArenaAlloc (poolp, 2 * sizeof(SECItem *));
+    if (values == NULL)
+	goto loser;
+
+    if (value != NULL) {
+	SECItem *copy;
+
+	copy = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
+	if (copy == NULL)
+	    goto loser;
+
+	if (SECITEM_CopyItem (poolp, copy, value) != SECSuccess)
+	    goto loser;
+
+	value = copy;
+    }
+
+    values[0] = value;
+    values[1] = NULL;
+    attr->values = values;
+    attr->encoded = encoded;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return attr;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return NULL;
+}
+
+
+static SECStatus
+sec_pkcs7_add_attribute (SEC_PKCS7ContentInfo *cinfo,
+			 SEC_PKCS7Attribute ***attrsp,
+			 SEC_PKCS7Attribute *attr)
+{
+    SEC_PKCS7Attribute **attrs;
+    SECItem *ct_value;
+    void *mark;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    attrs = *attrsp;
+    if (attrs != NULL) {
+	int count;
+
+	/*
+	 * We already have some attributes, and just need to add this
+	 * new one.
+	 */
+
+	/*
+	 * We should already have the *required* attributes, which were
+	 * created/added at the same time the first attribute was added.
+	 */
+	PORT_Assert (sec_PKCS7FindAttribute (attrs,
+					     SEC_OID_PKCS9_CONTENT_TYPE,
+					     PR_FALSE) != NULL);
+	PORT_Assert (sec_PKCS7FindAttribute (attrs,
+					     SEC_OID_PKCS9_MESSAGE_DIGEST,
+					     PR_FALSE) != NULL);
+
+	for (count = 0; attrs[count] != NULL; count++)
+	    ;
+	attrs = (SEC_PKCS7Attribute**)PORT_ArenaGrow (cinfo->poolp, attrs,
+				(count + 1) * sizeof(SEC_PKCS7Attribute *),
+				(count + 2) * sizeof(SEC_PKCS7Attribute *));
+	if (attrs == NULL)
+	    return SECFailure;
+
+	attrs[count] = attr;
+	attrs[count+1] = NULL;
+	*attrsp = attrs;
+
+	return SECSuccess;
+    }
+
+    /*
+     * This is the first time an attribute is going in.
+     * We need to create and add the required attributes, and then
+     * we will also add in the one our caller gave us.
+     */
+
+    /*
+     * There are 2 required attributes, plus the one our caller wants
+     * to add, plus we always end with a NULL one.  Thus, four slots.
+     */
+    attrs = (SEC_PKCS7Attribute**)PORT_ArenaAlloc (cinfo->poolp, 
+					   4 * sizeof(SEC_PKCS7Attribute *));
+    if (attrs == NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    /*
+     * First required attribute is the content type of the data
+     * being signed.
+     */
+    ct_value = &(cinfo->content.signedData->contentInfo.contentType);
+    attrs[0] = sec_pkcs7_create_attribute (cinfo->poolp,
+					   SEC_OID_PKCS9_CONTENT_TYPE,
+					   ct_value, PR_FALSE);
+    /*
+     * Second required attribute is the message digest of the data
+     * being signed; we leave the value NULL for now (just create
+     * the place for it to go), and the encoder will fill it in later.
+     */
+    attrs[1] = sec_pkcs7_create_attribute (cinfo->poolp,
+					   SEC_OID_PKCS9_MESSAGE_DIGEST,
+					   NULL, PR_FALSE);
+    if (attrs[0] == NULL || attrs[1] == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure; 
+    }
+
+    attrs[2] = attr;
+    attrs[3] = NULL;
+    *attrsp = attrs;
+
+    PORT_ArenaUnmark (cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Add the signing time to the authenticated (i.e. signed) attributes
+ * of "cinfo".  This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will either do
+ * nothing or replace an old signing time with a newer one.
+ *
+ * XXX This will probably just shove the current time into "cinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+SECStatus
+SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+    SECItem stime;
+    SECStatus rv;
+    int si;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /* There has to be a signer, or it makes no sense. */
+    if (signerinfos == NULL || signerinfos[0] == NULL)
+	return SECFailure;
+
+    rv = DER_EncodeTimeChoice(NULL, &stime, PR_Now());
+    if (rv != SECSuccess)
+	return rv;
+
+    attr = sec_pkcs7_create_attribute (cinfo->poolp,
+				       SEC_OID_PKCS9_SIGNING_TIME,
+				       &stime, PR_FALSE);
+    SECITEM_FreeItem (&stime, PR_FALSE);
+
+    if (attr == NULL)
+	return SECFailure;
+
+    rv = SECSuccess;
+    for (si = 0; signerinfos[si] != NULL; si++) {
+	SEC_PKCS7Attribute *oattr;
+
+	oattr = sec_PKCS7FindAttribute (signerinfos[si]->authAttr,
+					SEC_OID_PKCS9_SIGNING_TIME, PR_FALSE);
+	PORT_Assert (oattr == NULL);
+	if (oattr != NULL)
+	    continue;	/* XXX or would it be better to replace it? */
+
+	rv = sec_pkcs7_add_attribute (cinfo, &(signerinfos[si]->authAttr),
+				      attr);
+	if (rv != SECSuccess)
+	    break;	/* could try to continue, but may as well give up now */
+    }
+
+    return rv;
+}
+
+
+/*
+ * Add the specified attribute to the authenticated (i.e. signed) attributes
+ * of "cinfo" -- "oidtag" describes the attribute and "value" is the
+ * value to be associated with it.  NOTE! "value" must already be encoded;
+ * no interpretation of "oidtag" is done.  Also, it is assumed that this
+ * signedData has only one signer -- if we ever need to add attributes
+ * when there is more than one signature, we need a way to specify *which*
+ * signature should get the attribute.
+ *
+ * XXX Technically, a signed attribute can have multiple values; if/when
+ * we ever need to support an attribute which takes multiple values, we
+ * either need to change this interface or create an AddSignedAttributeValue
+ * which can be called subsequently, and would then append a value.
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+SECStatus
+SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
+			     SECOidTag oidtag,
+			     SECItem *value)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /*
+     * No signature or more than one means no deal.
+     */
+    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
+	return SECFailure;
+
+    attr = sec_pkcs7_create_attribute (cinfo->poolp, oidtag, value, PR_TRUE);
+    if (attr == NULL)
+	return SECFailure;
+
+    return sec_pkcs7_add_attribute (cinfo, &(signerinfos[0]->authAttr), attr);
+}
+ 
+
+/*
+ * Mark that the signer certificates and their issuing chain should
+ * be included in the encoded data.  This is expected to be used
+ * in outgoing signed messages for email (S/MIME).
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
+			   CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	signerinfos = cinfo->content.signedData->signerInfos;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    if (signerinfos == NULL)		/* no signer, no certs? */
+	return SECFailure;		/* XXX set an error? */
+
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL) {
+	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
+	    return SECFailure;
+	}
+    }
+
+    /* XXX Should it be an error if we find no signerinfo or no certs? */
+    while ((signerinfo = *signerinfos++) != NULL) {
+	if (signerinfo->cert != NULL)
+	    /* get the cert chain.  don't send the root to avoid contamination
+	     * of old clients with a new root that they don't trust
+	     */
+	    signerinfo->certList = CERT_CertChainFromCert (signerinfo->cert,
+							   certUsageEmailSigner,
+							   PR_FALSE);
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function to add a certificate chain for inclusion in the
+ * bag of certificates in a signedData.
+ */
+static SECStatus
+sec_pkcs7_add_cert_chain (SEC_PKCS7ContentInfo *cinfo,
+			  CERTCertificate *cert,
+			  CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    CERTCertificateList *certlist, **certlists, ***certlistsp;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certlistsp = &(sdp->certLists);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certlistsp = &(saedp->certLists);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL) {
+	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
+	    return SECFailure;
+	}
+    }
+
+    certlist = CERT_CertChainFromCert (cert, certUsageEmailSigner, PR_FALSE);
+    if (certlist == NULL)
+	return SECFailure;
+
+    certlists = *certlistsp;
+    if (certlists == NULL) {
+	count = 0;
+	certlists = (CERTCertificateList**)PORT_ArenaAlloc (cinfo->poolp,
+				     2 * sizeof(CERTCertificateList *));
+    } else {
+	for (count = 0; certlists[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	certlists = (CERTCertificateList**)PORT_ArenaGrow (cinfo->poolp, 
+				 certlists,
+				(count + 1) * sizeof(CERTCertificateList *),
+				(count + 2) * sizeof(CERTCertificateList *));
+    }
+
+    if (certlists == NULL) {
+	CERT_DestroyCertificateList (certlist);
+	return SECFailure;
+    }
+
+    certlists[count] = certlist;
+    certlists[count + 1] = NULL;
+
+    *certlistsp = certlists;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function to add a certificate for inclusion in the bag of
+ * certificates in a signedData.
+ */
+static SECStatus
+sec_pkcs7_add_certificate (SEC_PKCS7ContentInfo *cinfo,
+			   CERTCertificate *cert)
+{
+    SECOidTag kind;
+    CERTCertificate **certs, ***certsp;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certsp = &(sdp->certs);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certsp = &(saedp->certs);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    cert = CERT_DupCertificate (cert);
+    if (cert == NULL)
+	return SECFailure;
+
+    certs = *certsp;
+    if (certs == NULL) {
+	count = 0;
+	certs = (CERTCertificate**)PORT_ArenaAlloc (cinfo->poolp, 
+					      2 * sizeof(CERTCertificate *));
+    } else {
+	for (count = 0; certs[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	certs = (CERTCertificate**)PORT_ArenaGrow (cinfo->poolp, certs,
+				(count + 1) * sizeof(CERTCertificate *),
+				(count + 2) * sizeof(CERTCertificate *));
+    }
+
+    if (certs == NULL) {
+	CERT_DestroyCertificate (cert);
+	return SECFailure;
+    }
+
+    certs[count] = cert;
+    certs[count + 1] = NULL;
+
+    *certsp = certs;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Create a PKCS7 certs-only container.
+ *
+ * "cert" is the (first) cert that will be included.
+ *
+ * "include_chain" specifies whether the entire chain for "cert" should
+ * be included.
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL in when "include_chain" is false, or when meaning
+ * use the default database.
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
+			  PRBool include_chain,
+			  CERTCertDBHandle *certdb)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_signed_data (NULL, NULL);
+    if (cinfo == NULL)
+	return NULL;
+
+    if (include_chain)
+	rv = sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
+    else
+	rv = sec_pkcs7_add_certificate (cinfo, cert);
+
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Add "cert" and its entire chain to the set of certs included in "cinfo".
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
+		       CERTCertificate *cert,
+		       CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    if (kind != SEC_OID_PKCS7_SIGNED_DATA
+	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
+	return SECFailure;		/* XXX set an error? */
+
+    return sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
+}
+
+
+/*
+ * Add "cert" to the set of certs included in "cinfo".
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, CERTCertificate *cert)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    if (kind != SEC_OID_PKCS7_SIGNED_DATA
+	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
+	return SECFailure;		/* XXX set an error? */
+
+    return sec_pkcs7_add_certificate (cinfo, cert);
+}
+
+
+static SECStatus
+sec_pkcs7_init_encrypted_content_info (SEC_PKCS7EncryptedContentInfo *enccinfo,
+				       PRArenaPool *poolp,
+				       SECOidTag kind, PRBool detached,
+				       SECOidTag encalg, int keysize)
+{
+    SECStatus rv;
+
+    PORT_Assert (enccinfo != NULL && poolp != NULL);
+    if (enccinfo == NULL || poolp == NULL)
+	return SECFailure;
+
+    /*
+     * XXX Some day we may want to allow for other kinds.  That needs
+     * more work and modifications to the creation interface, etc.
+     * For now, allow but notice callers who pass in other kinds.
+     * They are responsible for creating the inner type and encoding,
+     * if it is other than DATA.
+     */
+    PORT_Assert (kind == SEC_OID_PKCS7_DATA);
+
+    enccinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
+    PORT_Assert (enccinfo->contentTypeTag
+	       && enccinfo->contentTypeTag->offset == kind);
+
+    rv = SECITEM_CopyItem (poolp, &(enccinfo->contentType),
+			   &(enccinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return rv;
+
+    /* Save keysize and algorithm for later. */
+    enccinfo->keysize = keysize;
+    enccinfo->encalg = encalg;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Add a recipient to a PKCS7 thing, verifying their cert first.
+ * Any error returns SECFailure.
+ */
+static SECStatus
+sec_pkcs7_add_recipient (SEC_PKCS7ContentInfo *cinfo,
+			 CERTCertificate *cert,
+			 SECCertUsage certusage,
+			 CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    SEC_PKCS7RecipientInfo *recipientinfo, **recipientinfos, ***recipientinfosp;
+    SECItem *dummy;
+    void *mark;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *edp;
+
+	    edp = cinfo->content.envelopedData;
+	    recipientinfosp = &(edp->recipientInfos);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    recipientinfosp = &(saedp->recipientInfos);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    /*
+     * XXX I think that CERT_VerifyCert should do this if *it* is passed
+     * a NULL database.
+     */
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL)
+	    return SECFailure;		/* XXX set an error? */
+    }
+
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/* XXX Did CERT_VerifyCert set an error? */
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    recipientinfo = (SEC_PKCS7RecipientInfo*)PORT_ArenaZAlloc (cinfo->poolp,
+				      sizeof(SEC_PKCS7RecipientInfo));
+    if (recipientinfo == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &recipientinfo->version,
+				   SEC_PKCS7_RECIPIENT_INFO_VERSION);
+    if (dummy == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    PORT_Assert (dummy == &recipientinfo->version);
+
+    recipientinfo->cert = CERT_DupCertificate (cert);
+    if (recipientinfo->cert == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    recipientinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
+    if (recipientinfo->issuerAndSN == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    /*
+     * Okay, now recipientinfo is all set.  We just need to put it into
+     * the main structure.
+     *
+     * If this is the first recipient, allocate a new recipientinfos array;
+     * otherwise, reallocate the array, making room for the new entry.
+     */
+    recipientinfos = *recipientinfosp;
+    if (recipientinfos == NULL) {
+	count = 0;
+	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaAlloc (
+					  cinfo->poolp,
+					  2 * sizeof(SEC_PKCS7RecipientInfo *));
+    } else {
+	for (count = 0; recipientinfos[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaGrow (
+				 cinfo->poolp, recipientinfos,
+				(count + 1) * sizeof(SEC_PKCS7RecipientInfo *),
+				(count + 2) * sizeof(SEC_PKCS7RecipientInfo *));
+    }
+
+    if (recipientinfos == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    recipientinfos[count] = recipientinfo;
+    recipientinfos[count + 1] = NULL;
+
+    *recipientinfosp = recipientinfos;
+
+    PORT_ArenaUnmark (cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Start a PKCS7 enveloping context.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
+ *
+ * "keysize" specifies the bulk encryption key size, in bits.
+ *
+ * The return value can be passed to functions which add things to
+ * it like more recipients, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
+			      SECCertUsage certusage,
+			      CERTCertDBHandle *certdb,
+			      SECOidTag encalg,
+			      int keysize,
+ 			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7EnvelopedData *envd;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENVELOPED_DATA,
+					   PR_FALSE, pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    rv = sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    envd = cinfo->content.envelopedData;
+    PORT_Assert (envd != NULL);
+
+    /*
+     * XXX Might we want to allow content types other than data?
+     * If so, via what interface?
+     */
+    rv = sec_pkcs7_init_encrypted_content_info (&(envd->encContentInfo),
+						cinfo->poolp,
+						SEC_OID_PKCS7_DATA, PR_FALSE,
+						encalg, keysize);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    /* XXX Anything more to do here? */
+
+    return cinfo;
+}
+
+
+/*
+ * Add another recipient to an encrypted message.
+ *
+ * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ */
+SECStatus
+SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
+		       CERTCertificate *cert,
+		       SECCertUsage certusage,
+		       CERTCertDBHandle *certdb)
+{
+    return sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
+}
+
+
+/*
+ * Create an empty PKCS7 data content info.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateData (void)
+{
+    return sec_pkcs7_create_content_info (SEC_OID_PKCS7_DATA, PR_FALSE,
+					  NULL, NULL);
+}
+
+
+/*
+ * Create an empty PKCS7 encrypted content info.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
+			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECAlgorithmID *algid;
+    SEC_PKCS7EncryptedData *enc_data;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENCRYPTED_DATA, 
+					   PR_FALSE, pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    enc_data = cinfo->content.encryptedData;
+    algid = &(enc_data->encContentInfo.contentEncAlg);
+
+    if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) {
+	rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL);
+    } else {
+        /* Assume password-based-encryption.  
+         * Note: we can't generate pkcs5v2 from this interface.
+         * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting
+         * non-PBE oids and assuming that they are pkcs5v2 oids, but
+         * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular
+         * CMS encrypted data, so we can't tell SEC_PKCS7CreateEncryptedtedData
+         * to create pkcs5v2 PBEs */
+	SECAlgorithmID *pbe_algid;
+	pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL);
+	if (pbe_algid == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid);
+	    SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
+	}
+    }
+
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    rv = sec_pkcs7_init_encrypted_content_info (&(enc_data->encContentInfo),
+						cinfo->poolp,
+						SEC_OID_PKCS7_DATA, PR_FALSE,
+						algorithm, keysize);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
new file mode 100644
index 000000000..beef4a56d
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -0,0 +1,2055 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * PKCS7 decoding, verification.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+				/* XXX do not want to have to include */
+#include "certdb.h"		/* certdb.h -- the trust stuff needed by */
+     				/* the add certificate code needs to get */
+                           	/* rewritten/abstracted and then this */
+      				/* include should be removed! */
+/*#include "cdbhdl.h" */
+#include "cryptohi.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+#include "secder.h"
+#include "secpkcs5.h"
+
+struct sec_pkcs7_decoder_worker {
+    int depth;
+    int digcnt;
+    void **digcxs;
+    const SECHashObject **digobjs;
+    sec_PKCS7CipherObject *decryptobj;
+    PRBool saw_contents;
+};
+
+struct SEC_PKCS7DecoderContextStr {
+    SEC_ASN1DecoderContext *dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7DecoderContentCallback cb;
+    void *cb_arg;
+    SECKEYGetPasswordKey pwfn;
+    void *pwfn_arg;
+    struct sec_pkcs7_decoder_worker worker;
+    PRArenaPool *tmp_poolp;
+    int error;
+    SEC_PKCS7GetDecryptKeyCallback dkcb;
+    void *dkcb_arg;
+    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb;
+};
+
+/*
+ * Handle one worker, decrypting and digesting the data as necessary.
+ *
+ * XXX If/when we support nested contents, this probably needs to be
+ * revised somewhat to get passed the content-info (which unfortunately
+ * can be two different types depending on whether it is encrypted or not)
+ * corresponding to the given worker.
+ */
+static void
+sec_pkcs7_decoder_work_data (SEC_PKCS7DecoderContext *p7dcx,
+			     struct sec_pkcs7_decoder_worker *worker,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+    int i;
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /*
+     * Decrypt this chunk.
+     *
+     * XXX If we get an error, we do not want to do the digest or callback,
+     * but we want to keep decoding.  Or maybe we want to stop decoding
+     * altogether if there is a callback, because obviously we are not
+     * sending the data back and they want to know that.
+     */
+    if (worker->decryptobj != NULL) {
+	/* XXX the following lengths should all be longs? */
+	unsigned int inlen;	/* length of data being decrypted */
+	unsigned int outlen;	/* length of decrypted data */
+	unsigned int buflen;	/* length available for decrypted data */
+	SECItem *plain;
+
+	inlen = len;
+	buflen = sec_PKCS7DecryptLength (worker->decryptobj, inlen, final);
+	if (buflen == 0) {
+	    if (inlen == 0)	/* no input and no output */
+		return;
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Decrypt.
+	     */
+	    rv = sec_PKCS7Decrypt (worker->decryptobj, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (rv != SECSuccess) {
+		p7dcx->error = PORT_GetError();
+		return;		/* XXX indicate error? */
+	    }
+	    return;
+	}
+
+	if (p7dcx->cb != NULL) {
+	    buf = (unsigned char *) PORT_Alloc (buflen);
+	    plain = NULL;
+	} else {
+	    unsigned long oldlen;
+
+	    /*
+	     * XXX This assumes one level of content only.
+	     * See comment above about nested content types.
+	     * XXX Also, it should work for signedAndEnvelopedData, too!
+	     */
+	    plain = &(p7dcx->cinfo->
+			content.envelopedData->encContentInfo.plainContent);
+
+	    oldlen = plain->len;
+	    if (oldlen == 0) {
+		buf = (unsigned char*)PORT_ArenaAlloc (p7dcx->cinfo->poolp, 
+						       buflen);
+	    } else {
+		buf = (unsigned char*)PORT_ArenaGrow (p7dcx->cinfo->poolp, 
+				      plain->data,
+				      oldlen, oldlen + buflen);
+		if (buf != NULL)
+		    buf += oldlen;
+	    }
+	    plain->data = buf;
+	}
+	if (buf == NULL) {
+	    p7dcx->error = SEC_ERROR_NO_MEMORY;
+	    return;		/* XXX indicate error? */
+	}
+	rv = sec_PKCS7Decrypt (worker->decryptobj, buf, &outlen, buflen,
+			       data, inlen, final);
+	if (rv != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    return;		/* XXX indicate error? */
+	}
+	if (plain != NULL) {
+	    PORT_Assert (final || outlen == buflen);
+	    plain->len += outlen;
+	}
+	data = buf;
+	len = outlen;
+    }
+
+    /*
+     * Update the running digests.
+     */
+    if (len) {
+	for (i = 0; i < worker->digcnt; i++) {
+	    (* worker->digobjs[i]->update) (worker->digcxs[i], data, len);
+	}
+    }
+
+    /*
+     * Pass back the contents bytes, and free the temporary buffer.
+     */
+    if (p7dcx->cb != NULL) {
+	if (len)
+	    (* p7dcx->cb) (p7dcx->cb_arg, (const char *)data, len);
+	if (worker->decryptobj != NULL) {
+	    PORT_Assert (buf != NULL);
+	    PORT_Free (buf);
+	}
+    }
+}
+
+static void
+sec_pkcs7_decoder_filter (void *arg, const char *data, unsigned long len,
+			  int depth, SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    struct sec_pkcs7_decoder_worker *worker;
+
+    /*
+     * Since we do not handle any nested contents, the only bytes we
+     * are really interested in are the actual contents bytes (not
+     * the identifier, length, or end-of-contents bytes).  If we were
+     * handling nested types we would probably need to do something
+     * smarter based on depth and data_kind.
+     */
+    if (data_kind != SEC_ASN1_Contents)
+	return;
+
+    /*
+     * The ASN.1 decoder should not even call us with a length of 0.
+     * Just being paranoid.
+     */
+    PORT_Assert (len);
+    if (len == 0)
+	return;
+
+    p7dcx = (SEC_PKCS7DecoderContext*)arg;
+
+    /*
+     * Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would start with the first worker and loop over them.
+     */
+    worker = &(p7dcx->worker);
+
+    worker->saw_contents = PR_TRUE;
+
+    sec_pkcs7_decoder_work_data (p7dcx, worker,
+				 (const unsigned char *) data, len, PR_FALSE);
+}
+
+
+/*
+ * Create digest contexts for each algorithm in "digestalgs".
+ * No algorithms is not an error, we just do not do anything.
+ * An error (like trouble allocating memory), marks the error
+ * in "p7dcx" and returns SECFailure, which means that our caller
+ * should just give up altogether.
+ */
+static SECStatus
+sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
+				 SECAlgorithmID **digestalgs)
+{
+    int i, digcnt;
+
+    if (digestalgs == NULL)
+	return SECSuccess;
+
+    /*
+     * Count the algorithms.
+     */
+    digcnt = 0;
+    while (digestalgs[digcnt] != NULL)
+	digcnt++;
+
+    /*
+     * No algorithms means no work to do.
+     * Just act as if there were no algorithms specified.
+     */
+    if (digcnt == 0)
+	return SECSuccess;
+
+    p7dcx->worker.digcxs = (void**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
+					    digcnt * sizeof (void *));
+    p7dcx->worker.digobjs = (const SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
+					     digcnt * sizeof (SECHashObject *));
+    if (p7dcx->worker.digcxs == NULL || p7dcx->worker.digobjs == NULL) {
+	p7dcx->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+
+    p7dcx->worker.depth = depth;
+    p7dcx->worker.digcnt = 0;
+
+    /*
+     * Create a digest context for each algorithm.
+     */
+    for (i = 0; i < digcnt; i++) {
+	SECAlgorithmID *     algid  = digestalgs[i];
+	SECOidTag            oidTag = SECOID_FindOIDTag(&(algid->algorithm));
+	const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
+	void *digcx;
+
+	/*
+	 * Skip any algorithm we do not even recognize; obviously,
+	 * this could be a problem, but if it is critical then the
+	 * result will just be that the signature does not verify.
+	 * We do not necessarily want to error out here, because
+	 * the particular algorithm may not actually be important,
+	 * but we cannot know that until later.
+	 */
+	if (digobj == NULL) {
+	    p7dcx->worker.digcnt--;
+	    continue;
+	}
+
+	digcx = (* digobj->create)();
+	if (digcx != NULL) {
+	    (* digobj->begin) (digcx);
+	    p7dcx->worker.digobjs[p7dcx->worker.digcnt] = digobj;
+	    p7dcx->worker.digcxs[p7dcx->worker.digcnt] = digcx;
+	    p7dcx->worker.digcnt++;
+	}
+    }
+
+    if (p7dcx->worker.digcnt != 0)
+	SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+				      sec_pkcs7_decoder_filter,
+				      p7dcx,
+				      (PRBool)(p7dcx->cb != NULL));
+    return SECSuccess;
+}
+
+
+/*
+ * Close out all of the digest contexts, storing the results in "digestsp".
+ */
+static SECStatus
+sec_pkcs7_decoder_finish_digests (SEC_PKCS7DecoderContext *p7dcx,
+				  PRArenaPool *poolp,
+				  SECItem ***digestsp)
+{
+    struct sec_pkcs7_decoder_worker *worker;
+    const SECHashObject *digobj;
+    void *digcx;
+    SECItem **digests, *digest;
+    int i;
+    void *mark;
+
+    /*
+     * XXX Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would want to find the last worker in the chain.
+     */
+    worker = &(p7dcx->worker);
+
+    /*
+     * If no digests, then we have nothing to do.
+     */
+    if (worker->digcnt == 0)
+	return SECSuccess;
+
+    /*
+     * No matter what happens after this, we want to stop filtering.
+     * XXX If we handle nested contents, we only want to stop filtering
+     * if we are finishing off the *last* worker.
+     */
+    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+
+    /*
+     * If we ended up with no contents, just destroy each
+     * digest context -- they are meaningless and potentially
+     * confusing, because their presence would imply some content
+     * was digested.
+     */
+    if (! worker->saw_contents) {
+	for (i = 0; i < worker->digcnt; i++) {
+	    digcx = worker->digcxs[i];
+	    digobj = worker->digobjs[i];
+	    (* digobj->destroy) (digcx, PR_TRUE);
+	}
+	return SECSuccess;
+    }
+
+    mark = PORT_ArenaMark (poolp);
+
+    /*
+     * Close out each digest context, saving digest away.
+     */
+    digests = 
+      (SECItem**)PORT_ArenaAlloc (poolp,(worker->digcnt+1)*sizeof(SECItem *));
+    digest = (SECItem*)PORT_ArenaAlloc (poolp, worker->digcnt*sizeof(SECItem));
+    if (digests == NULL || digest == NULL) {
+	p7dcx->error = PORT_GetError();
+	PORT_ArenaRelease (poolp, mark);
+	return SECFailure;
+    }
+
+    for (i = 0; i < worker->digcnt; i++, digest++) {
+	digcx = worker->digcxs[i];
+	digobj = worker->digobjs[i];
+
+	digest->data = (unsigned char*)PORT_ArenaAlloc (poolp, digobj->length);
+	if (digest->data == NULL) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_ArenaRelease (poolp, mark);
+	    return SECFailure;
+	}
+
+	digest->len = digobj->length;
+	(* digobj->end) (digcx, digest->data, &(digest->len), digest->len);
+	(* digobj->destroy) (digcx, PR_TRUE);
+
+	digests[i] = digest;
+    }
+    digests[i] = NULL;
+    *digestsp = digests;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+}
+
+/*
+ * XXX Need comment explaining following helper function (which is used
+ * by sec_pkcs7_decoder_start_decrypt).
+ */
+extern const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[];
+
+static PK11SymKey *
+sec_pkcs7_decoder_get_recipient_key (SEC_PKCS7DecoderContext *p7dcx,
+				     SEC_PKCS7RecipientInfo **recipientinfos,
+				     SEC_PKCS7EncryptedContentInfo *enccinfo)
+{
+    SEC_PKCS7RecipientInfo *ri;
+    CERTCertificate *cert = NULL;
+    SECKEYPrivateKey *privkey = NULL;
+    PK11SymKey *bulkkey = NULL;
+    SECOidTag keyalgtag, bulkalgtag, encalgtag;
+    PK11SlotInfo *slot = NULL;
+    int bulkLength = 0;
+
+    if (recipientinfos == NULL || recipientinfos[0] == NULL) {
+	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
+	goto no_key_found;
+    }
+
+    cert = PK11_FindCertAndKeyByRecipientList(&slot,recipientinfos,&ri,
+						&privkey, p7dcx->pwfn_arg);
+    if (cert == NULL) {
+	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
+	goto no_key_found;
+    }
+
+    ri->cert = cert;		/* so we can find it later */
+    PORT_Assert(privkey != NULL);
+
+    keyalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    encalgtag = SECOID_GetAlgorithmTag (&(ri->keyEncAlg));
+    if ((encalgtag != SEC_OID_NETSCAPE_SMIME_KEA) && (keyalgtag != encalgtag)) {
+	p7dcx->error = SEC_ERROR_PKCS7_KEYALG_MISMATCH;
+	goto no_key_found;
+    }
+    bulkalgtag = SECOID_GetAlgorithmTag (&(enccinfo->contentEncAlg));
+
+    switch (encalgtag) {
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	bulkkey = PK11_PubUnwrapSymKey (privkey, &ri->encKey,
+					PK11_AlgtagToMechanism (bulkalgtag),
+					CKA_DECRYPT, 0);
+	if (bulkkey == NULL) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_SetError(0);
+	    goto no_key_found;
+	}
+	break;
+	/* ### mwelch -- KEA */ 
+        case SEC_OID_NETSCAPE_SMIME_KEA:
+	  {
+	      SECStatus err;
+	      CK_MECHANISM_TYPE bulkType;
+	      PK11SymKey *tek;
+	      SECKEYPublicKey *senderPubKey;
+	      SEC_PKCS7SMIMEKEAParameters   keaParams;
+
+	      (void) memset(&keaParams, 0, sizeof(keaParams));
+
+	      /* Decode the KEA algorithm parameters. */
+	      err = SEC_ASN1DecodeItem(NULL,
+				       &keaParams,
+				       SEC_SMIMEKEAParamTemplateAllParams,
+				       &(ri->keyEncAlg.parameters));
+	      if (err != SECSuccess)
+	      {
+		  p7dcx->error = err;
+		  PORT_SetError(0);
+		  goto no_key_found;
+	      }
+	  
+
+	      /* We just got key data, no key structure. So, we
+		 create one. */
+	     senderPubKey = 
+		  PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+				     keaParams.originatorKEAKey.len);
+	     if (senderPubKey == NULL)
+	     {
+		    p7dcx->error = PORT_GetError();
+		    PORT_SetError(0);
+		    goto no_key_found;
+	     }
+	      
+	     /* Generate the TEK (token exchange key) which we use
+	         to unwrap the bulk encryption key. */
+	     tek = PK11_PubDerive(privkey, senderPubKey, 
+				   PR_FALSE,
+				   &keaParams.originatorRA,
+				   NULL,
+				   CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+				   CKA_WRAP, 0, p7dcx->pwfn_arg);
+	     SECKEY_DestroyPublicKey(senderPubKey);
+	      
+	     if (tek == NULL)
+	     {
+		  p7dcx->error = PORT_GetError();
+		  PORT_SetError(0);
+		  goto no_key_found;
+	     }
+	      
+	      /* Now that we have the TEK, unwrap the bulk key
+	         with which to decrypt the message. We have to
+		 do one of two different things depending on 
+		 whether Skipjack was used for bulk encryption 
+		 of the message. */
+	      bulkType = PK11_AlgtagToMechanism (bulkalgtag);
+	      switch(bulkType)
+	      {
+	      case CKM_SKIPJACK_CBC64:
+	      case CKM_SKIPJACK_ECB64:
+	      case CKM_SKIPJACK_OFB64:
+	      case CKM_SKIPJACK_CFB64:
+	      case CKM_SKIPJACK_CFB32:
+	      case CKM_SKIPJACK_CFB16:
+	      case CKM_SKIPJACK_CFB8:
+		  /* Skipjack is being used as the bulk encryption algorithm.*/
+		  /* Unwrap the bulk key. */
+		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP,
+					      NULL, &ri->encKey, 
+					      CKM_SKIPJACK_CBC64, 
+					      CKA_DECRYPT, 0);
+		  break;
+	      default:
+		  /* Skipjack was not used for bulk encryption of this
+		     message. Use Skipjack CBC64, with the nonSkipjackIV
+		     part of the KEA key parameters, to decrypt 
+		     the bulk key. If we got a parameter indicating that the
+		     bulk key size is different than the encrypted key size,
+		     pass in the real key size. */
+		  
+		  /* Check for specified bulk key length (unspecified implies
+		     that the bulk key length is the same as encrypted length) */
+		  if (keaParams.bulkKeySize.len > 0)
+		  {
+		      p7dcx->error = SEC_ASN1DecodeItem(NULL, &bulkLength,
+					SEC_ASN1_GET(SEC_IntegerTemplate),
+					&keaParams.bulkKeySize);
+		  }
+		  
+		  if (p7dcx->error != SECSuccess)
+		      goto no_key_found;
+		  
+		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64,
+					      &keaParams.nonSkipjackIV, 
+					      &ri->encKey,
+					      bulkType,
+					      CKA_DECRYPT, bulkLength);
+	      }
+	      
+	      
+	      if (bulkkey == NULL)
+	      {
+		  p7dcx->error = PORT_GetError();
+		  PORT_SetError(0);
+		  goto no_key_found;
+	      }
+	      break;
+	  }
+      default:
+	p7dcx->error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	break;
+    }
+
+no_key_found:
+    if (privkey != NULL)
+	SECKEY_DestroyPrivateKey (privkey);
+    if (slot != NULL)
+	PK11_FreeSlot(slot);
+
+    return bulkkey;
+}
+ 
+/*
+ * XXX The following comment is old -- the function used to only handle
+ * EnvelopedData or SignedAndEnvelopedData but now handles EncryptedData
+ * as well (and it had all of the code of the helper function above
+ * built into it), though the comment was left as is.  Fix it...
+ *
+ * We are just about to decode the content of an EnvelopedData.
+ * Set up a decryption context so we can decrypt as we go.
+ * Presumably we are one of the recipients listed in "recipientinfos".
+ * (XXX And if we are not, or if we have trouble, what should we do?
+ *  It would be nice to let the decoding still work.  Maybe it should
+ *  be an error if there is a content callback, but not an error otherwise?)
+ * The encryption key and related information can be found in "enccinfo".
+ */
+static SECStatus
+sec_pkcs7_decoder_start_decrypt (SEC_PKCS7DecoderContext *p7dcx, int depth,
+				 SEC_PKCS7RecipientInfo **recipientinfos,
+				 SEC_PKCS7EncryptedContentInfo *enccinfo,
+				 PK11SymKey **copy_key_for_signature)
+{
+    PK11SymKey *bulkkey = NULL;
+    sec_PKCS7CipherObject *decryptobj;
+
+    /*
+     * If a callback is supplied to retrieve the encryption key, 
+     * for instance, for Encrypted Content infos, then retrieve
+     * the bulkkey from the callback.  Otherwise, assume that
+     * we are processing Enveloped or SignedAndEnveloped data
+     * content infos.
+     *
+     * XXX Put an assert here?
+     */
+    if (SEC_PKCS7ContentType(p7dcx->cinfo) == SEC_OID_PKCS7_ENCRYPTED_DATA) {
+	if (p7dcx->dkcb != NULL) {
+	    bulkkey = (*p7dcx->dkcb)(p7dcx->dkcb_arg, 
+				     &(enccinfo->contentEncAlg));
+	}
+	enccinfo->keysize = 0;
+    } else {
+	bulkkey = sec_pkcs7_decoder_get_recipient_key (p7dcx, recipientinfos, 
+						       enccinfo);
+	if (bulkkey == NULL) goto no_decryption;
+	enccinfo->keysize = PK11_GetKeyStrength(bulkkey, 
+						&(enccinfo->contentEncAlg));
+
+    }
+
+    /*
+     * XXX I think following should set error in p7dcx and clear set error
+     * (as used to be done here, or as is done in get_receipient_key above.
+     */
+    if(bulkkey == NULL) {
+	goto no_decryption;
+    }
+    
+    /* 
+     * We want to make sure decryption is allowed.  This is done via
+     * a callback specified in SEC_PKCS7DecoderStart().
+     */
+    if (p7dcx->decrypt_allowed_cb) {
+	if ((*p7dcx->decrypt_allowed_cb) (&(enccinfo->contentEncAlg), 
+					  bulkkey) == PR_FALSE) {
+	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
+	    goto no_decryption;
+	}
+    } else {
+	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
+	    goto no_decryption;
+    }
+
+    /*
+     * When decrypting a signedAndEnvelopedData, the signature also has
+     * to be decrypted with the bulk encryption key; to avoid having to
+     * get it all over again later (and do another potentially expensive
+     * RSA operation), copy it for later signature verification to use.
+     */
+    if (copy_key_for_signature != NULL)
+	*copy_key_for_signature = PK11_ReferenceSymKey (bulkkey);
+
+    /*
+     * Now we have the bulk encryption key (in bulkkey) and the
+     * the algorithm (in enccinfo->contentEncAlg).  Using those,
+     * create a decryption context.
+     */
+    decryptobj = sec_PKCS7CreateDecryptObject (bulkkey,
+					       &(enccinfo->contentEncAlg));
+
+    /*
+     * We are done with (this) bulkkey now.
+     */
+    PK11_FreeSymKey (bulkkey);
+
+    if (decryptobj == NULL) {
+	p7dcx->error = PORT_GetError();
+	PORT_SetError(0);
+	goto no_decryption;
+    }
+
+    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+				  sec_pkcs7_decoder_filter,
+				  p7dcx,
+				  (PRBool)(p7dcx->cb != NULL));
+
+    p7dcx->worker.depth = depth;
+    p7dcx->worker.decryptobj = decryptobj;
+
+    return SECSuccess;
+
+no_decryption:
+    /*
+     * For some reason (error set already, if appropriate), we cannot
+     * decrypt the content.  I am not sure what exactly is the right
+     * thing to do here; in some cases we want to just stop, and in
+     * others we want to let the decoding finish even though we cannot
+     * decrypt the content.  My current thinking is that if the caller
+     * set up a content callback, then they are really interested in
+     * getting (decrypted) content, and if they cannot they will want
+     * to know about it.  However, if no callback was specified, then
+     * maybe it is not important that the decryption failed.
+     */
+    if (p7dcx->cb != NULL)
+	return SECFailure;
+    else
+	return SECSuccess;	/* Let the decoding continue. */
+}
+
+
+static SECStatus
+sec_pkcs7_decoder_finish_decrypt (SEC_PKCS7DecoderContext *p7dcx,
+				  PRArenaPool *poolp,
+				  SEC_PKCS7EncryptedContentInfo *enccinfo)
+{
+    struct sec_pkcs7_decoder_worker *worker;
+
+    /*
+     * XXX Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would want to find the last worker in the chain.
+     */
+    worker = &(p7dcx->worker);
+
+    /*
+     * If no decryption context, then we have nothing to do.
+     */
+    if (worker->decryptobj == NULL)
+	return SECSuccess;
+
+    /*
+     * No matter what happens after this, we want to stop filtering.
+     * XXX If we handle nested contents, we only want to stop filtering
+     * if we are finishing off the *last* worker.
+     */
+    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+
+    /*
+     * Handle the last block.
+     */
+    sec_pkcs7_decoder_work_data (p7dcx, worker, NULL, 0, PR_TRUE);
+
+    /*
+     * All done, destroy it.
+     */
+    sec_PKCS7DestroyDecryptObject (worker->decryptobj);
+    worker->decryptobj = NULL;
+
+    return SECSuccess;
+}
+
+
+static void
+sec_pkcs7_decoder_notify (void *arg, PRBool before, void *dest, int depth)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7SignedData *sigd;
+    SEC_PKCS7EnvelopedData *envd;
+    SEC_PKCS7SignedAndEnvelopedData *saed;
+    SEC_PKCS7EncryptedData *encd;
+    SEC_PKCS7DigestedData *digd;
+    PRBool after;
+    SECStatus rv;
+
+    /*
+     * Just to make the code easier to read, create an "after" variable
+     * that is equivalent to "not before".
+     * (This used to be just the statement "after = !before", but that
+     * causes a warning on the mac; to avoid that, we do it the long way.)
+     */
+    if (before)
+	after = PR_FALSE;
+    else
+	after = PR_TRUE;
+
+    p7dcx = (SEC_PKCS7DecoderContext*)arg;
+    cinfo = p7dcx->cinfo;
+
+    if (cinfo->contentTypeTag == NULL) {
+	if (after && dest == &(cinfo->contentType))
+	    cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+	return;
+    }
+
+    switch (cinfo->contentTypeTag->offset) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	sigd = cinfo->content.signedData;
+	if (sigd == NULL)
+	    break;
+
+	if (sigd->contentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(sigd->contentInfo.contentType))
+		sigd->contentInfo.contentTypeTag =
+			SECOID_FindOID(&(sigd->contentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * We only set up a filtering digest if the content is
+	 * plain DATA; anything else needs more work because a
+	 * second pass is required to produce a DER encoding from
+	 * an input that can be BER encoded.  (This is a requirement
+	 * of PKCS7 that is unfortunate, but there you have it.)
+	 *
+	 * XXX Also, since we stop here if this is not DATA, the
+	 * inner content is not getting processed at all.  Someday
+	 * we may want to fix that.
+	 */
+	if (sigd->contentInfo.contentTypeTag->offset != SEC_OID_PKCS7_DATA) {
+	    /* XXX Set an error in p7dcx->error */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a digest context
+	 * for each digest algorithm listed, and start a filter which
+	 * will run all of the contents bytes through that digest.
+	 */
+	if (before && dest == &(sigd->contentInfo.content)) {
+	    rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
+						  sigd->digestAlgorithms);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * XXX To handle nested types, here is where we would want
+	 * to check for inner boundaries that need handling.
+	 */
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(sigd->contentInfo.content)) {
+	    /*
+	     * Close out the digest contexts.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
+						     &(sigd->digests));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	envd = cinfo->content.envelopedData;
+	if (envd == NULL)
+	    break;
+
+	if (envd->encContentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(envd->encContentInfo.contentType))
+		envd->encContentInfo.contentTypeTag =
+			SECOID_FindOID(&(envd->encContentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a decryption
+	 * context, and start a filter which will run all of the
+	 * contents bytes through it to determine the plain content.
+	 */
+	if (before && dest == &(envd->encContentInfo.encContent)) {
+	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
+						  envd->recipientInfos,
+						  &(envd->encContentInfo),
+						  NULL);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(envd->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption context.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(envd->encContentInfo));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	saed = cinfo->content.signedAndEnvelopedData;
+	if (saed == NULL)
+	    break;
+
+	if (saed->encContentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(saed->encContentInfo.contentType))
+		saed->encContentInfo.contentTypeTag =
+			SECOID_FindOID(&(saed->encContentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a decryption
+	 * context *and* digest contexts, and start a filter which
+	 * will run all of the contents bytes through both.
+	 */
+	if (before && dest == &(saed->encContentInfo.encContent)) {
+	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
+						  saed->recipientInfos,
+						  &(saed->encContentInfo),
+						  &(saed->sigKey));
+	    if (rv == SECSuccess)
+		rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
+						      saed->digestAlgorithms);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(saed->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption and digests contexts.
+	     * We ignore any errors because we are stopping anyway;
+	     * the error status left behind in p7dcx will be seen by
+	     * outer functions.
+	     *
+	     * Note that the decrypt stuff must be called first;
+	     * it may have a last buffer to do which in turn has
+	     * to be added to the digest.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(saed->encContentInfo));
+	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
+						     &(saed->digests));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	digd = cinfo->content.digestedData;
+	
+	/* 
+	 * XXX Want to do the digest or not?  Maybe future enhancement...
+	 */
+	if (before && dest == &(digd->contentInfo.content.data)) {
+	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx, sec_pkcs7_decoder_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(digd->contentInfo.content.data)) {
+	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	encd = cinfo->content.encryptedData;
+
+	/*
+	 * XXX If the decryption key callback is set, we want to start
+	 * the decryption.  If the callback is not set, we will treat the
+	 * content as plain data, since we do not have the key.
+	 *
+	 * Is this the proper thing to do?
+	 */
+	if (before && dest == &(encd->encContentInfo.encContent)) {
+	    /*
+	     * Start the encryption process if the decryption key callback
+	     * is present.  Otherwise, treat the content like plain data.
+	     */
+	    rv = SECSuccess;
+	    if (p7dcx->dkcb != NULL) {
+		rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth, NULL,
+						      &(encd->encContentInfo),
+						      NULL);
+	    }
+
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+		
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(encd->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption context.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(encd->encContentInfo));
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_DATA:
+	/*
+	 * If a output callback has been specified, we want to set the filter
+	 * to call the callback.  This is taken care of in 
+	 * sec_pkcs7_decoder_start_decrypt() or 
+	 * sec_pkcs7_decoder_start_digests() for the other content types.
+	 */ 
+	
+	if (before && dest == &(cinfo->content.data)) {
+
+	    /* 
+	     * Set the filter proc up.
+	     */
+	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+					  sec_pkcs7_decoder_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	if (after && dest == &(cinfo->content.data)) {
+	    /*
+	     * Time to clean up after ourself, stop the Notify and Filter
+	     * procedures.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+	}
+	break;
+
+      default:
+	SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	break;
+    }
+}
+
+
+SEC_PKCS7DecoderContext *
+SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		      void *decrypt_key_cb_arg,
+		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    SEC_ASN1DecoderContext *dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    PRArenaPool *poolp;
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
+    if (cinfo == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cinfo->poolp = poolp;
+    cinfo->pwfn = pwfn;
+    cinfo->pwfn_arg = pwfn_arg;
+    cinfo->created = PR_FALSE;
+    cinfo->refCount = 1;
+
+    p7dcx = 
+      (SEC_PKCS7DecoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7DecoderContext));
+    if (p7dcx == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    p7dcx->tmp_poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (p7dcx->tmp_poolp == NULL) {
+	PORT_Free (p7dcx);
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    dcx = SEC_ASN1DecoderStart (poolp, cinfo, sec_PKCS7ContentInfoTemplate);
+    if (dcx == NULL) {
+	PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
+	PORT_Free (p7dcx);
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc (dcx, sec_pkcs7_decoder_notify, p7dcx);
+
+    p7dcx->dcx = dcx;
+    p7dcx->cinfo = cinfo;
+    p7dcx->cb = cb;
+    p7dcx->cb_arg = cb_arg;
+    p7dcx->pwfn = pwfn;
+    p7dcx->pwfn_arg = pwfn_arg;
+    p7dcx->dkcb = decrypt_key_cb;
+    p7dcx->dkcb_arg = decrypt_key_cb_arg;
+    p7dcx->decrypt_allowed_cb = decrypt_allowed_cb;
+
+    return p7dcx;
+}
+
+
+/*
+ * Do the next chunk of PKCS7 decoding.  If there is a problem, set
+ * an error and return a failure status.  Note that in the case of
+ * an error, this routine is still prepared to be called again and
+ * again in case that is the easiest route for our caller to take.
+ * We simply detect it and do not do anything except keep setting
+ * that error in case our caller has not noticed it yet...
+ */
+SECStatus
+SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
+		       const char *buf, unsigned long len)
+{
+    if (p7dcx->cinfo != NULL && p7dcx->dcx != NULL) { 
+	PORT_Assert (p7dcx->error == 0);
+	if (p7dcx->error == 0) {
+	    if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
+		p7dcx->error = PORT_GetError();
+		PORT_Assert (p7dcx->error);
+		if (p7dcx->error == 0)
+		    p7dcx->error = -1;
+	    }
+	}
+    }
+
+    if (p7dcx->error) {
+	if (p7dcx->dcx != NULL) {
+	    (void) SEC_ASN1DecoderFinish (p7dcx->dcx);
+	    p7dcx->dcx = NULL;
+	}
+	if (p7dcx->cinfo != NULL) {
+	    SEC_PKCS7DestroyContentInfo (p7dcx->cinfo);
+	    p7dcx->cinfo = NULL;
+	}
+	PORT_SetError (p7dcx->error);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+SEC_PKCS7ContentInfo *
+SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+
+    cinfo = p7dcx->cinfo;
+    if (p7dcx->dcx != NULL) {
+	if (SEC_ASN1DecoderFinish (p7dcx->dcx) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    cinfo = NULL;
+	}
+    }
+    /* free any NSS data structures */
+    if (p7dcx->worker.decryptobj) {
+        sec_PKCS7DestroyDecryptObject (p7dcx->worker.decryptobj);
+    }
+    PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
+    PORT_Free (p7dcx);
+    return cinfo;
+}
+
+
+SEC_PKCS7ContentInfo *
+SEC_PKCS7DecodeItem(SECItem *p7item,
+		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		    void *decrypt_key_cb_arg,
+		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+
+    p7dcx = SEC_PKCS7DecoderStart(cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb,
+				  decrypt_key_cb_arg, decrypt_allowed_cb);
+    if (!p7dcx) {
+        /* error code is set */
+        return NULL;
+    }
+    (void) SEC_PKCS7DecoderUpdate(p7dcx, (char *) p7item->data, p7item->len);
+    return SEC_PKCS7DecoderFinish(p7dcx);
+}
+
+/*
+ * Abort the ASN.1 stream. Used by pkcs 12
+ */
+void
+SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error)
+{
+    PORT_Assert(p7dcx);
+    SEC_ASN1DecoderAbort(p7dcx->dcx, error);
+}
+
+
+/*
+ * If the thing contains any certs or crls return true; false otherwise.
+ */
+PRBool
+SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    SECItem **certs;
+    CERTSignedCrl **crls;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	certs = cinfo->content.signedData->rawCerts;
+	crls = cinfo->content.signedData->crls;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	certs = cinfo->content.signedAndEnvelopedData->rawCerts;
+	crls = cinfo->content.signedAndEnvelopedData->crls;
+	break;
+    }
+
+    /*
+     * I know this could be collapsed, but I was in a mood to be explicit.
+     */
+    if (certs != NULL && certs[0] != NULL)
+	return PR_TRUE;
+    else if (crls != NULL && crls[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+/* return the content length...could use GetContent, however we
+ * need the encrypted content length 
+ */
+PRBool
+SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen)
+{
+    SECItem *item = NULL;
+
+    if(cinfo == NULL) {
+	return PR_TRUE;
+    }
+
+    switch(SEC_PKCS7ContentType(cinfo)) 
+    {
+	case SEC_OID_PKCS7_DATA:
+	    item = cinfo->content.data;
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    item = &cinfo->content.encryptedData->encContentInfo.encContent;
+	    break;
+	default:
+	    /* add other types */
+	    return PR_FALSE;
+    }
+
+    if(!item) {
+	return PR_TRUE;
+    } else if(item->len <= minLen) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+
+PRBool
+SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	return PR_TRUE;
+    }
+}
+
+
+/*
+ * If the PKCS7 content has a signature (not just *could* have a signature)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+PRBool
+SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo **signerinfos;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	signerinfos = cinfo->content.signedData->signerInfos;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
+	break;
+    }
+
+    /*
+     * I know this could be collapsed; but I kind of think it will get
+     * more complicated before I am finished, so...
+     */
+    if (signerinfos != NULL && signerinfos[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+
+/*
+ * SEC_PKCS7ContentVerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The digest was either calculated earlier (and is stored in the
+ *	contentInfo itself) or is passed in via "detached_digest".
+ *
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ *
+ * XXX Each place which returns PR_FALSE should be sure to have a good
+ * error set for inspection by the caller.  Alternatively, we could create
+ * an enumeration of success and each type of failure and return that
+ * instead of a boolean.  For now, the default in a bad situation is to
+ * set the error to SEC_ERROR_PKCS7_BAD_SIGNATURE.  But this should be
+ * reviewed; better (more specific) errors should be possible (to distinguish
+ * a signature failure from a badly-formed pkcs7 signedData, for example).
+ * Some of the errors should probably just be SEC_ERROR_BAD_SIGNATURE,
+ * but that has a less helpful error string associated with it right now;
+ * if/when that changes, review and change these as needed.
+ *
+ * XXX This is broken wrt signedAndEnvelopedData.  In that case, the
+ * message digest is doubly encrypted -- first encrypted with the signer
+ * private key but then again encrypted with the bulk encryption key used
+ * to encrypt the content.  So before we can pass the digest to VerifyDigest,
+ * we need to decrypt it with the bulk encryption key.  Also, in this case,
+ * there should be NO authenticatedAttributes (signerinfo->authAttr should
+ * be NULL).
+ */
+static PRBool
+sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+			   SECCertUsage certusage,
+			   SECItem *detached_digest,
+			   HASH_HashType digest_type,
+			   PRBool keepcerts)
+{
+    SECAlgorithmID **digestalgs, *bulkid;
+    SECItem *digest;
+    SECItem **digests;
+    SECItem **rawcerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
+    CERTCertificate *cert, **certs;
+    PRBool goodsig;
+    CERTCertDBHandle *certdb, *defaultdb; 
+    SECOidTag encTag,digestTag;
+    HASH_HashType found_type;
+    int i, certcount;
+    SECKEYPublicKey *publickey;
+    SECItem *content_type;
+    PK11SymKey *sigkey;
+    SECItem *encoded_stime;
+    int64 stime;
+    SECStatus rv;
+
+    /*
+     * Everything needed in order to "goto done" safely.
+     */
+    goodsig = PR_FALSE;
+    certcount = 0;
+    cert = NULL;
+    certs = NULL;
+    certdb = NULL;
+    defaultdb = CERT_GetDefaultCertDB();
+    publickey = NULL;
+
+    if (! SEC_PKCS7ContentIsSigned(cinfo)) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    PORT_Assert (cinfo->contentTypeTag != NULL);
+
+    switch (cinfo->contentTypeTag->offset) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	/* Could only get here if SEC_PKCS7ContentIsSigned is broken. */
+	PORT_Assert (0);
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    digestalgs = sdp->digestAlgorithms;
+	    digests = sdp->digests;
+	    rawcerts = sdp->rawCerts;
+	    crls = sdp->crls;
+	    signerinfos = sdp->signerInfos;
+	    content_type = &(sdp->contentInfo.contentType);
+	    sigkey = NULL;
+	    bulkid = NULL;
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    digestalgs = saedp->digestAlgorithms;
+	    digests = saedp->digests;
+	    rawcerts = saedp->rawCerts;
+	    crls = saedp->crls;
+	    signerinfos = saedp->signerInfos;
+	    content_type = &(saedp->encContentInfo.contentType);
+	    sigkey = saedp->sigKey;
+	    bulkid = &(saedp->encContentInfo.contentEncAlg);
+	}
+	break;
+    }
+
+    if ((signerinfos == NULL) || (signerinfos[0] == NULL)) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    /*
+     * XXX Need to handle multiple signatures; checking them is easy,
+     * but what should be the semantics here (like, return value)?
+     */
+    if (signerinfos[1] != NULL) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    signerinfo = signerinfos[0];
+
+    /*
+     * XXX I would like to just pass the issuerAndSN, along with the rawcerts
+     * and crls, to some function that did all of this certificate stuff
+     * (open/close the database if necessary, verifying the certs, etc.)
+     * and gave me back a cert pointer if all was good.
+     */
+    certdb = defaultdb;
+    if (certdb == NULL) {
+	goto done;
+    }
+
+    certcount = 0;
+    if (rawcerts != NULL) {
+	for (; rawcerts[certcount] != NULL; certcount++) {
+	    /* just counting */
+	}
+    }
+
+    /*
+     * Note that the result of this is that each cert in "certs"
+     * needs to be destroyed.
+     */
+    rv = CERT_ImportCerts(certdb, certusage, certcount, rawcerts, &certs,
+			  keepcerts, PR_FALSE, NULL);
+    if ( rv != SECSuccess ) {
+	goto done;
+    }
+
+    /*
+     * This cert will also need to be freed, but since we save it
+     * in signerinfo for later, we do not want to destroy it when
+     * we leave this function -- we let the clean-up of the entire
+     * cinfo structure later do the destroy of this cert.
+     */
+    cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->issuerAndSN);
+    if (cert == NULL) {
+	goto done;
+    }
+
+    signerinfo->cert = cert;
+
+    /*
+     * Get and convert the signing time; if available, it will be used
+     * both on the cert verification and for importing the sender
+     * email profile.
+     */
+    encoded_stime = SEC_PKCS7GetSigningTime (cinfo);
+    if (encoded_stime != NULL) {
+	if (DER_DecodeTimeChoice (&stime, encoded_stime) != SECSuccess)
+	    encoded_stime = NULL;	/* conversion failed, so pretend none */
+    }
+
+    /*
+     * XXX  This uses the signing time, if available.  Additionally, we
+     * might want to, if there is no signing time, get the message time
+     * from the mail header itself, and use that.  That would require
+     * a change to our interface though, and for S/MIME callers to pass
+     * in a time (and for non-S/MIME callers to pass in nothing, or
+     * maybe make them pass in the current time, always?).
+     */
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
+			 encoded_stime != NULL ? stime : PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/*
+	 * XXX Give the user an option to check the signature anyway?
+	 * If we want to do this, need to give a way to leave and display
+	 * some dialog and get the answer and come back through (or do
+	 * the rest of what we do below elsewhere, maybe by putting it
+	 * in a function that we call below and could call from a dialog
+	 * finish handler).
+	 */
+	goto savecert;
+    }
+
+    publickey = CERT_ExtractPublicKey (cert);
+    if (publickey == NULL)
+	goto done;
+
+    /*
+     * XXX No!  If digests is empty, see if we can create it now by
+     * digesting the contents.  This is necessary if we want to allow
+     * somebody to do a simple decode (without filtering, etc.) and
+     * then later call us here to do the verification.
+     * OR, we can just specify that the interface to this routine
+     * *requires* that the digest(s) be done before calling and either
+     * stashed in the struct itself or passed in explicitly (as would
+     * be done for detached contents).
+     */
+    if ((digests == NULL || digests[0] == NULL)
+	&& (detached_digest == NULL || detached_digest->data == NULL))
+	goto done;
+
+    /*
+     * Find and confirm digest algorithm.
+     */
+    digestTag = SECOID_FindOIDTag(&(signerinfo->digestAlg.algorithm));
+
+    /* make sure we understand the digest type first */
+    found_type = HASH_GetHashTypeByOidTag(digestTag);
+    if ((digestTag == SEC_OID_UNKNOWN) || (found_type == HASH_AlgNULL)) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    if (detached_digest != NULL) {
+	unsigned int hashLen     = HASH_ResultLen(found_type);
+
+	if (digest_type != found_type || 
+	    detached_digest->len != hashLen) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	digest = detached_digest;
+    } else {
+	PORT_Assert (digestalgs != NULL && digestalgs[0] != NULL);
+	if (digestalgs == NULL || digestalgs[0] == NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * pick digest matching signerinfo->digestAlg from digests
+	 */
+	for (i = 0; digestalgs[i] != NULL; i++) {
+	    if (SECOID_FindOIDTag(&(digestalgs[i]->algorithm)) == digestTag)
+		break;
+	}
+	if (digestalgs[i] == NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	digest = digests[i];
+    }
+
+    encTag = SECOID_FindOIDTag(&(signerinfo->digestEncAlg.algorithm));
+    if (encTag == SEC_OID_UNKNOWN) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+#ifndef NSS_ECC_MORE_THAN_SUITE_B
+    if (encTag == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+	PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+#endif
+
+
+    if (signerinfo->authAttr != NULL) {
+	SEC_PKCS7Attribute *attr;
+	SECItem *value;
+	SECItem encoded_attrs;
+
+	/*
+	 * We have a sigkey only for signedAndEnvelopedData, which is
+	 * not supposed to have any authenticated attributes.
+	 */
+	if (sigkey != NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * PKCS #7 says that if there are any authenticated attributes,
+	 * then there must be one for content type which matches the
+	 * content type of the content being signed, and there must
+	 * be one for message digest which matches our message digest.
+	 * So check these things first.
+	 * XXX Might be nice to have a compare-attribute-value function
+	 * which could collapse the following nicely.
+	 */
+	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+				       SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
+	value = sec_PKCS7AttributeValue (attr);
+	if (value == NULL || value->len != content_type->len) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	if (PORT_Memcmp (value->data, content_type->data, value->len) != 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+				       SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
+	value = sec_PKCS7AttributeValue (attr);
+	if (value == NULL || value->len != digest->len) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	if (PORT_Memcmp (value->data, digest->data, value->len) != 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * Okay, we met the constraints of the basic attributes.
+	 * Now check the signature, which is based on a digest of
+	 * the DER-encoded authenticated attributes.  So, first we
+	 * encode and then we digest/verify.
+	 */
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+	if (sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
+				       &(signerinfo->authAttr)) == NULL)
+	    goto done;
+
+	if (encoded_attrs.data == NULL || encoded_attrs.len == 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+
+	goodsig = (PRBool)(VFY_VerifyDataDirect(encoded_attrs.data, 
+				   encoded_attrs.len,
+				   publickey, &(signerinfo->encDigest),
+				   encTag, digestTag, NULL,
+				   cinfo->pwfn_arg) == SECSuccess);
+	PORT_Free (encoded_attrs.data);
+    } else {
+	SECItem *sig;
+	SECItem holder;
+	SECStatus rv;
+
+	/*
+	 * No authenticated attributes.
+	 * The signature is based on the plain message digest.
+	 */
+
+	sig = &(signerinfo->encDigest);
+	if (sig->len == 0) {		/* bad signature */
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	if (sigkey != NULL) {
+	    sec_PKCS7CipherObject *decryptobj;
+	    unsigned int buflen;
+
+	    /*
+	     * For signedAndEnvelopedData, we first must decrypt the encrypted
+	     * digest with the bulk encryption key.  The result is the normal
+	     * encrypted digest (aka the signature).
+	     */
+	    decryptobj = sec_PKCS7CreateDecryptObject (sigkey, bulkid);
+	    if (decryptobj == NULL)
+		goto done;
+
+	    buflen = sec_PKCS7DecryptLength (decryptobj, sig->len, PR_TRUE);
+	    PORT_Assert (buflen);
+	    if (buflen == 0) {		/* something is wrong */
+		sec_PKCS7DestroyDecryptObject (decryptobj);
+		goto done;
+	    }
+
+	    holder.data = (unsigned char*)PORT_Alloc (buflen);
+	    if (holder.data == NULL) {
+		sec_PKCS7DestroyDecryptObject (decryptobj);
+		goto done;
+	    }
+
+	    rv = sec_PKCS7Decrypt (decryptobj, holder.data, &holder.len, buflen,
+				   sig->data, sig->len, PR_TRUE);
+	    sec_PKCS7DestroyDecryptObject (decryptobj);
+	    if (rv != SECSuccess) {
+		goto done;
+	    }
+
+	    sig = &holder;
+	}
+
+	goodsig = (PRBool)(VFY_VerifyDigestDirect(digest, publickey, sig,
+				     encTag, digestTag, cinfo->pwfn_arg)
+                            == SECSuccess);
+
+	if (sigkey != NULL) {
+	    PORT_Assert (sig == &holder);
+	    PORT_ZFree (holder.data, holder.len);
+	}
+    }
+
+    if (! goodsig) {
+	/*
+	 * XXX Change the generic error into our specific one, because
+	 * in that case we get a better explanation out of the Security
+	 * Advisor.  This is really a bug in our error strings (the
+	 * "generic" error has a lousy/wrong message associated with it
+	 * which assumes the signature verification was done for the
+	 * purposes of checking the issuer signature on a certificate)
+	 * but this is at least an easy workaround and/or in the
+	 * Security Advisor, which specifically checks for the error
+	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
+	 * in that case but does not similarly check for
+	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
+	 * probably say the wrong thing in the case that it *was* the
+	 * certificate signature check that failed during the cert
+	 * verification done above.  Our error handling is really a mess.
+	 */
+	if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+    }
+
+savecert:
+    /*
+     * Only save the smime profile if we are checking an email message and
+     * the cert has an email address in it.
+     */
+    if ( cert->emailAddr && cert->emailAddr[0] &&
+	( ( certusage == certUsageEmailSigner ) ||
+	 ( certusage == certUsageEmailRecipient ) ) ) {
+	SECItem *profile = NULL;
+	int save_error;
+
+	/*
+	 * Remember the current error set because we do not care about
+	 * anything set by the functions we are about to call.
+	 */
+	save_error = PORT_GetError();
+
+	if (goodsig && (signerinfo->authAttr != NULL)) {
+	    /*
+	     * If the signature is good, then we can save the S/MIME profile,
+	     * if we have one.
+	     */
+	    SEC_PKCS7Attribute *attr;
+
+	    attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+					   SEC_OID_PKCS9_SMIME_CAPABILITIES,
+					   PR_TRUE);
+	    profile = sec_PKCS7AttributeValue (attr);
+	}
+
+	rv = CERT_SaveSMimeProfile (cert, profile, encoded_stime);
+
+	/*
+	 * Restore the saved error in case the calls above set a new
+	 * one that we do not actually care about.
+	 */
+	PORT_SetError (save_error);
+
+	/*
+	 * XXX Failure is not indicated anywhere -- the signature
+	 * verification itself is unaffected by whether or not the
+	 * profile was successfully saved.
+	 */
+    }
+	
+
+done:
+
+    /*
+     * See comment above about why we do not want to destroy cert
+     * itself here.
+     */
+
+    if (certs != NULL)
+	CERT_DestroyCertArray (certs, certcount);
+
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    return goodsig;
+}
+
+/*
+ * SEC_PKCS7VerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+PRBool
+SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+			 SECCertUsage certusage,
+			 PRBool keepcerts)
+{
+    return sec_pkcs7_verify_signature (cinfo, certusage,
+				       NULL, HASH_AlgNULL, keepcerts);
+}
+
+/*
+ * SEC_PKCS7VerifyDetachedSignature
+ *	Look at a PKCS7 contentInfo and check if the signature matches
+ *	a passed-in digest (calculated, supposedly, from detached contents).
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+PRBool
+SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+				 SECCertUsage certusage,
+				 SECItem *detached_digest,
+				 HASH_HashType digest_type,
+				 PRBool keepcerts)
+{
+    return sec_pkcs7_verify_signature (cinfo, certusage,
+				       detached_digest, digest_type,
+				       keepcerts);
+}
+
+
+/*
+ * Return the asked-for portion of the name of the signer of a PKCS7
+ * signed object.
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A NULL return value is an error.
+ */
+
+#define sec_common_name 1
+#define sec_email_address 2
+
+static char *
+sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo **signerinfos;
+    CERTCertificate *signercert;
+    char *container;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	PORT_Assert (0);
+	return NULL;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    signerinfos = sdp->signerInfos;
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    signerinfos = saedp->signerInfos;
+	}
+	break;
+    }
+
+    if (signerinfos == NULL || signerinfos[0] == NULL)
+	return NULL;
+
+    signercert = signerinfos[0]->cert;
+
+    /*
+     * No cert there; see if we can find one by calling verify ourselves.
+     */
+    if (signercert == NULL) {
+	/*
+	 * The cert usage does not matter in this case, because we do not
+	 * actually care about the verification itself, but we have to pick
+	 * some valid usage to pass in.
+	 */
+	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
+					   NULL, HASH_AlgNULL, PR_FALSE);
+	signercert = signerinfos[0]->cert;
+	if (signercert == NULL)
+	    return NULL;
+    }
+
+    switch (selector) {
+      case sec_common_name:
+	container = CERT_GetCommonName (&signercert->subject);
+	break;
+      case sec_email_address:
+	if(signercert->emailAddr && signercert->emailAddr[0]) {
+	    container = PORT_Strdup(signercert->emailAddr);
+	} else {
+	    container = NULL;
+	}
+	break;
+      default:
+	PORT_Assert (0);
+	container = NULL;
+	break;
+    }
+
+    return container;
+}
+
+char *
+SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo)
+{
+    return sec_pkcs7_get_signer_cert_info(cinfo, sec_common_name);
+}
+
+char *
+SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo)
+{
+    return sec_pkcs7_get_signer_cert_info(cinfo, sec_email_address);
+}
+
+
+/*
+ * Return the signing time, in UTCTime format, of a PKCS7 contentInfo.
+ */
+SECItem *
+SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return NULL;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /*
+     * No signature, or more than one, means no deal.
+     */
+    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
+	return NULL;
+
+    attr = sec_PKCS7FindAttribute (signerinfos[0]->authAttr,
+				   SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
+    return sec_PKCS7AttributeValue (attr);
+}
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
new file mode 100644
index 000000000..ac615bc21
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7encode.c
@@ -0,0 +1,1297 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * PKCS7 encoding.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+struct sec_pkcs7_encoder_output {
+    SEC_PKCS7EncoderOutputCallback outputfn;
+    void *outputarg;
+};
+
+struct SEC_PKCS7EncoderContextStr {
+    SEC_ASN1EncoderContext *ecx;
+    SEC_PKCS7ContentInfo *cinfo;
+    struct sec_pkcs7_encoder_output output;
+    sec_PKCS7CipherObject *encryptobj;
+    const SECHashObject *digestobj;
+    void *digestcx;
+};
+
+
+/*
+ * The little output function that the ASN.1 encoder calls to hand
+ * us bytes which we in turn hand back to our caller (via the callback
+ * they gave us).
+ */
+static void
+sec_pkcs7_encoder_out(void *arg, const char *buf, unsigned long len,
+		      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct sec_pkcs7_encoder_output *output;
+
+    output = (struct sec_pkcs7_encoder_output*)arg;
+    output->outputfn (output->outputarg, buf, len);
+}
+
+static sec_PKCS7CipherObject *
+sec_pkcs7_encoder_start_encrypt (SEC_PKCS7ContentInfo *cinfo,
+						 PK11SymKey *orig_bulkkey)
+{
+    SECOidTag kind;
+    sec_PKCS7CipherObject *encryptobj;
+    SEC_PKCS7RecipientInfo **recipientinfos, *ri;
+    SEC_PKCS7EncryptedContentInfo *enccinfo;
+    SEC_PKCS7SMIMEKEAParameters   keaParams;
+    SECKEYPublicKey *publickey = NULL;
+    SECKEYPrivateKey *ourPrivKey = NULL;
+    PK11SymKey  *bulkkey;
+    void *mark, *wincx;
+    int i;
+    PRArenaPool *arena = NULL;
+
+    /* Get the context in case we need it below. */
+    wincx = cinfo->pwfn_arg;
+
+    /* Clear keaParams, since cleanup code checks the lengths */
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	recipientinfos = NULL;
+	enccinfo = NULL;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encdp;
+
+	    /* To do EncryptedData we *must* be given a bulk key. */
+	    PORT_Assert (orig_bulkkey != NULL);
+	    if (orig_bulkkey == NULL) {
+		/* XXX error? */
+		return NULL;
+	    }
+
+	    encdp = cinfo->content.encryptedData;
+	    recipientinfos = NULL;
+	    enccinfo = &(encdp->encContentInfo);
+	}
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envdp;
+
+	    envdp = cinfo->content.envelopedData;
+	    recipientinfos = envdp->recipientInfos;
+	    enccinfo = &(envdp->encContentInfo);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    recipientinfos = saedp->recipientInfos;
+	    enccinfo = &(saedp->encContentInfo);
+	}
+	break;
+    }
+
+    if (enccinfo == NULL)
+	return NULL;
+
+    bulkkey = orig_bulkkey;
+    if (bulkkey == NULL) {
+	CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(enccinfo->encalg);
+	PK11SlotInfo *slot;
+
+
+	slot = PK11_GetBestSlot(type,cinfo->pwfn_arg);
+	if (slot == NULL) {
+	    return NULL;
+	}
+	bulkkey = PK11_KeyGen(slot,type,NULL, enccinfo->keysize/8,
+			      cinfo->pwfn_arg);
+	PK11_FreeSlot(slot);
+	if (bulkkey == NULL) {
+	    return NULL;
+	}
+    }
+
+    encryptobj = NULL;
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    /*
+     * Encrypt the bulk key with the public key of each recipient.
+     */
+    for (i = 0; recipientinfos && (ri = recipientinfos[i]) != NULL; i++) {
+	CERTCertificate *cert;
+	SECOidTag certalgtag, encalgtag;
+	SECStatus rv;
+	int data_len;
+	SECItem *params = NULL;
+
+	cert = ri->cert;
+	PORT_Assert (cert != NULL);
+	if (cert == NULL)
+	    continue;
+
+	/*
+	 * XXX Want an interface that takes a cert and some data and
+	 * fills in an algorithmID and encrypts the data with the public
+	 * key from the cert.  Or, give me two interfaces -- one which
+	 * gets the algorithm tag from a cert (I should not have to go
+	 * down into the subjectPublicKeyInfo myself) and another which
+	 * takes a public key and algorithm tag and data and encrypts
+	 * the data.  Or something like that.  The point is that all
+	 * of the following hardwired RSA and KEA stuff should be done
+	 * elsewhere.
+	 */
+
+	certalgtag=SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+
+	switch (certalgtag) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    encalgtag = certalgtag;
+	    publickey = CERT_ExtractPublicKey (cert);
+	    if (publickey == NULL) goto loser;
+		
+	    data_len = SECKEY_PublicKeyStrength(publickey);
+	    ri->encKey.data = 
+	        (unsigned char*)PORT_ArenaAlloc(cinfo->poolp ,data_len);
+	    ri->encKey.len = data_len;
+	    if (ri->encKey.data == NULL) goto loser;
+
+	    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(certalgtag),publickey,
+				bulkkey,&ri->encKey);
+
+	    SECKEY_DestroyPublicKey(publickey);
+	    publickey = NULL;
+	    if (rv != SECSuccess) goto loser;
+	    params = NULL; /* paranoia */
+	    break;
+	/* ### mwelch -- KEA */ 
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA:
+	    {
+#define SMIME_FORTEZZA_RA_LENGTH 128
+#define SMIME_FORTEZZA_IV_LENGTH 24
+#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
+		SECStatus err;
+		PK11SymKey *tek;
+		CERTCertificate *ourCert;
+		SECKEYPublicKey *ourPubKey;
+		SECKEATemplateSelector whichKEA = SECKEAInvalid;
+
+		/* We really want to show our KEA tag as the
+		   key exchange algorithm tag. */
+		encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
+
+		/* Get the public key of the recipient. */
+		publickey = CERT_ExtractPublicKey(cert);
+		if (publickey == NULL) goto loser;
+
+		/* Find our own cert, and extract its keys. */
+		ourCert = PK11_FindBestKEAMatch(cert,wincx);
+		if (ourCert == NULL) goto loser;
+
+		arena = PORT_NewArena(1024);
+		if (arena == NULL) goto loser;
+
+		ourPubKey = CERT_ExtractPublicKey(ourCert);
+		if (ourPubKey == NULL)
+		{
+		    CERT_DestroyCertificate(ourCert);
+		    goto loser;
+		}
+
+		/* While we're here, copy the public key into the outgoing
+		 * KEA parameters. */
+		SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey),
+				 &(ourPubKey->u.fortezza.KEAKey));
+		SECKEY_DestroyPublicKey(ourPubKey);
+		ourPubKey = NULL;
+
+		/* Extract our private key in order to derive the 
+		 * KEA key. */
+		ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
+		CERT_DestroyCertificate(ourCert); /* we're done with this */
+		if (!ourPrivKey) goto loser;
+
+		/* Prepare raItem with 128 bytes (filled with zeros). */
+		keaParams.originatorRA.data = 
+		  (unsigned char*)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
+		keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
+
+
+		/* Generate the TEK (token exchange key) which we use
+		 * to wrap the bulk encryption key. (raItem) will be
+		 * filled with a random seed which we need to send to
+		 * the recipient. */
+		tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+				     &keaParams.originatorRA, NULL,
+				     CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+				     CKA_WRAP, 0, wincx);
+
+		    SECKEY_DestroyPublicKey(publickey);
+		    SECKEY_DestroyPrivateKey(ourPrivKey);
+		    publickey = NULL;
+		    ourPrivKey = NULL;
+		
+		if (!tek)
+		    goto loser;
+
+		ri->encKey.data = (unsigned char*)PORT_ArenaAlloc(cinfo->poolp,
+						  SMIME_FORTEZZA_MAX_KEY_SIZE);
+		ri->encKey.len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+		if (ri->encKey.data == NULL)
+		{
+		    PK11_FreeSymKey(tek);
+		    goto loser;
+		}
+
+		/* Wrap the bulk key. What we do with the resulting data
+		   depends on whether we're using Skipjack to wrap the key. */
+		switch(PK11_AlgtagToMechanism(enccinfo->encalg))
+		{
+		case CKM_SKIPJACK_CBC64:
+		case CKM_SKIPJACK_ECB64:
+		case CKM_SKIPJACK_OFB64:
+		case CKM_SKIPJACK_CFB64:
+		case CKM_SKIPJACK_CFB32:
+		case CKM_SKIPJACK_CFB16:
+		case CKM_SKIPJACK_CFB8:
+		    /* do SKIPJACK, we use the wrap mechanism */
+		    err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, 
+				      tek, bulkkey, &ri->encKey);
+		    whichKEA = SECKEAUsesSkipjack;
+		    break;
+		default:
+		    /* Not SKIPJACK, we encrypt the raw key data */
+		    keaParams.nonSkipjackIV .data = 
+		      (unsigned char*)PORT_ArenaAlloc(arena,
+						     SMIME_FORTEZZA_IV_LENGTH);
+		    keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
+		    err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64,
+					  &keaParams.nonSkipjackIV, 
+				          tek, bulkkey, &ri->encKey);
+		    if (err != SECSuccess)
+			goto loser;
+
+		    if (ri->encKey.len != PK11_GetKeyLength(bulkkey))
+		    {
+			/* The size of the encrypted key is not the same as
+			   that of the original bulk key, presumably due to
+			   padding. Encode and store the real size of the
+			   bulk key. */
+			if (SEC_ASN1EncodeInteger(arena, 
+						  &keaParams.bulkKeySize,
+						  PK11_GetKeyLength(bulkkey))
+			    == NULL)
+			    err = (SECStatus)PORT_GetError();
+			else
+			    /* use full template for encoding */
+			    whichKEA = SECKEAUsesNonSkipjackWithPaddedEncKey;
+		    }
+		    else
+			/* enc key length == bulk key length */
+			whichKEA = SECKEAUsesNonSkipjack; 
+		    break;
+		}
+
+		PK11_FreeSymKey(tek);
+		if (err != SECSuccess)
+		    goto loser;
+
+		PORT_Assert( whichKEA != SECKEAInvalid);
+
+		/* Encode the KEA parameters into the recipient info. */
+		params = SEC_ASN1EncodeItem(arena,NULL, &keaParams, 
+				      sec_pkcs7_get_kea_template(whichKEA));
+		if (params == NULL) goto loser;
+		break;
+	    }
+	default:
+	    PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+
+	rv = SECOID_SetAlgorithmID(cinfo->poolp, &ri->keyEncAlg, encalgtag, 
+			params);
+	if (rv != SECSuccess)
+	    goto loser;
+	if (arena) PORT_FreeArena(arena,PR_FALSE);
+	arena = NULL;
+    }
+
+    encryptobj = sec_PKCS7CreateEncryptObject (cinfo->poolp, bulkkey,
+					       enccinfo->encalg,
+					       &(enccinfo->contentEncAlg));
+    if (encryptobj != NULL) {
+	PORT_ArenaUnmark (cinfo->poolp, mark);
+	mark = NULL;		/* good one; do not want to release */
+    }
+    /* fallthru */
+
+loser:
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (publickey) {
+        SECKEY_DestroyPublicKey(publickey);
+    }
+    if (ourPrivKey) {
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    }
+    if (mark != NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+    }
+    if (orig_bulkkey == NULL) {
+	if (bulkkey) PK11_FreeSymKey(bulkkey);
+    }
+
+    return encryptobj;
+}
+
+
+static void
+sec_pkcs7_encoder_notify (void *arg, PRBool before, void *dest, int depth)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SECOidTag kind;
+    PRBool before_content;
+
+    /*
+     * We want to notice just before the content field.  After fields are
+     * not interesting to us.
+     */
+    if (!before)
+	return;
+
+    p7ecx = (SEC_PKCS7EncoderContext*)arg;
+    cinfo = p7ecx->cinfo;
+
+    before_content = PR_FALSE;
+
+    /*
+     * Watch for the content field, at which point we want to instruct
+     * the ASN.1 encoder to start taking bytes from the buffer.
+     *
+     * XXX The following assumes the inner content type is data;
+     * if/when we want to handle fully nested types, this will have
+     * to recurse until reaching the innermost data content.
+     */
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	if (dest == &(cinfo->content.data))
+	    before_content = PR_TRUE;
+	break;
+
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	{
+	    SEC_PKCS7DigestedData *digd;
+
+	    digd = cinfo->content.digestedData;
+	    if (digd == NULL)
+		break;
+
+	    if (dest == &(digd->contentInfo.content))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encd;
+
+	    encd = cinfo->content.encryptedData;
+	    if (encd == NULL)
+		break;
+
+	    if (dest == &(encd->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envd;
+
+	    envd = cinfo->content.envelopedData;
+	    if (envd == NULL)
+		break;
+
+	    if (dest == &(envd->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sigd;
+
+	    sigd = cinfo->content.signedData;
+	    if (sigd == NULL)
+		break;
+
+	    if (dest == &(sigd->contentInfo.content))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saed;
+
+	    saed = cinfo->content.signedAndEnvelopedData;
+	    if (saed == NULL)
+		break;
+
+	    if (dest == &(saed->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+    }
+
+    if (before_content) {
+	/*
+	 * This will cause the next SEC_ASN1EncoderUpdate to take the
+	 * contents bytes from the passed-in buffer.
+	 */
+	SEC_ASN1EncoderSetTakeFromBuf (p7ecx->ecx);
+	/*
+	 * And that is all we needed this notify function for.
+	 */
+	SEC_ASN1EncoderClearNotifyProc (p7ecx->ecx);
+    }
+}
+
+
+static SEC_PKCS7EncoderContext *
+sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
+				  PK11SymKey *bulkkey)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECOidTag kind;
+    PRBool encrypt;
+    SECItem **digests;
+    SECAlgorithmID *digestalg, **digestalgs;
+
+    p7ecx = 
+      (SEC_PKCS7EncoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7EncoderContext));
+    if (p7ecx == NULL)
+	return NULL;
+
+    digests = NULL;
+    digestalg = NULL;
+    digestalgs = NULL;
+    encrypt = PR_FALSE;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	digestalg = &(cinfo->content.digestedData->digestAlg);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	digests = cinfo->content.signedData->digests;
+	digestalgs = cinfo->content.signedData->digestAlgorithms;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	encrypt = PR_TRUE;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	digests = cinfo->content.signedAndEnvelopedData->digests;
+	digestalgs = cinfo->content.signedAndEnvelopedData->digestAlgorithms;
+	encrypt = PR_TRUE;
+	break;
+    }
+
+    if (encrypt) {
+	p7ecx->encryptobj = sec_pkcs7_encoder_start_encrypt (cinfo, bulkkey);
+	if (p7ecx->encryptobj == NULL) {
+	    PORT_Free (p7ecx);
+	    return NULL;
+	}
+    }
+
+    if (digestalgs != NULL) {
+	if (digests != NULL) {
+	    /* digests already created (probably for detached data) */
+	    digestalg = NULL;
+	} else {
+	    /*
+	     * XXX Some day we should handle multiple digests; for now,
+	     * assume only one will be done.
+	     */
+	    PORT_Assert (digestalgs[0] != NULL && digestalgs[1] == NULL);
+	    digestalg = digestalgs[0];
+	}
+    }
+
+    if (digestalg != NULL) {
+	SECOidTag  oidTag = SECOID_FindOIDTag(&(digestalg->algorithm));
+
+	p7ecx->digestobj = HASH_GetHashObjectByOidTag(oidTag);
+	if (p7ecx->digestobj != NULL) {
+	    p7ecx->digestcx = (* p7ecx->digestobj->create) ();
+	    if (p7ecx->digestcx == NULL)
+		p7ecx->digestobj = NULL;
+	    else
+		(* p7ecx->digestobj->begin) (p7ecx->digestcx);
+	}
+	if (p7ecx->digestobj == NULL) {
+	    if (p7ecx->encryptobj != NULL)
+		sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
+	    PORT_Free (p7ecx);
+	    return NULL;
+	}
+    }
+
+    p7ecx->cinfo = cinfo;
+    return p7ecx;
+}
+
+
+SEC_PKCS7EncoderContext *
+SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
+		       SEC_PKCS7EncoderOutputCallback outputfn,
+		       void *outputarg,
+		       PK11SymKey *bulkkey)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECStatus rv;
+
+    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
+    if (p7ecx == NULL)
+	return NULL;
+
+    p7ecx->output.outputfn = outputfn;
+    p7ecx->output.outputarg = outputarg;
+
+    /*
+     * Initialize the BER encoder.
+     */
+    p7ecx->ecx = SEC_ASN1EncoderStart (cinfo, sec_PKCS7ContentInfoTemplate,
+				       sec_pkcs7_encoder_out, &(p7ecx->output));
+    if (p7ecx->ecx == NULL) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    /*
+     * Indicate that we are streaming.  We will be streaming until we
+     * get past the contents bytes.
+     */
+    SEC_ASN1EncoderSetStreaming (p7ecx->ecx);
+
+    /*
+     * The notify function will watch for the contents field.
+     */
+    SEC_ASN1EncoderSetNotifyProc (p7ecx->ecx, sec_pkcs7_encoder_notify, p7ecx);
+
+    /*
+     * This will encode everything up to the content bytes.  (The notify
+     * function will then cause the encoding to stop there.)  Then our
+     * caller can start passing contents bytes to our Update, which we
+     * will pass along.
+     */
+    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
+    if (rv != SECSuccess) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    return p7ecx;
+}
+
+
+/*
+ * XXX If/when we support nested contents, this needs to be revised.
+ */
+static SECStatus
+sec_pkcs7_encoder_work_data (SEC_PKCS7EncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+
+
+    rv = SECSuccess;		/* may as well be optimistic */
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /*
+     * Update the running digest.
+     * XXX This needs modification if/when we handle multiple digests.
+     */
+    if (len && p7ecx->digestobj != NULL) {
+	(* p7ecx->digestobj->update) (p7ecx->digestcx, data, len);
+    }
+
+    /*
+     * Encrypt this chunk.
+     */
+    if (p7ecx->encryptobj != NULL) {
+	/* XXX the following lengths should all be longs? */
+	unsigned int inlen;	/* length of data being encrypted */
+	unsigned int outlen;	/* length of encrypted data */
+	unsigned int buflen;	/* length available for encrypted data */
+
+	inlen = len;
+	buflen = sec_PKCS7EncryptLength (p7ecx->encryptobj, inlen, final);
+	if (buflen == 0) {
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Encrypt.
+	     */
+	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (final) {
+		len = 0;
+		goto done;
+	    }
+	    return rv;
+	}
+
+	if (dest != NULL)
+	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cinfo->poolp, buflen);
+	else
+	    buf = (unsigned char*)PORT_Alloc (buflen);
+
+	if (buf == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, buf, &outlen, buflen,
+				   data, inlen, final);
+	    data = buf;
+	    len = outlen;
+	}
+	if (rv != SECSuccess) {
+	    if (final)
+		goto done;
+	    return rv;
+	}
+    }
+
+    if (p7ecx->ecx != NULL) {
+	/*
+	 * Encode the contents bytes.
+	 */
+	if(len) {
+	    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, (const char *)data, len);
+	}
+    }
+
+done:
+    if (p7ecx->encryptobj != NULL) {
+	if (final)
+	    sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
+	if (dest != NULL) {
+	    dest->data = buf;
+	    dest->len = len;
+	} else if (buf != NULL) {
+	    PORT_Free (buf);
+	}
+    }
+
+    if (final && p7ecx->digestobj != NULL) {
+	SECItem *digest, **digests, ***digestsp;
+	unsigned char *digdata;
+	SECOidTag kind;
+
+	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
+	switch (kind) {
+	  default:
+	    PORT_Assert (0);
+	    return SECFailure;
+	  case SEC_OID_PKCS7_DIGESTED_DATA:
+	    digest = &(p7ecx->cinfo->content.digestedData->digest);
+	    digestsp = NULL;
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_DATA:
+	    digest = NULL;
+	    digestsp = &(p7ecx->cinfo->content.signedData->digests);
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	    digest = NULL;
+	    digestsp = &(p7ecx->cinfo->content.signedAndEnvelopedData->digests);
+	    break;
+	}
+
+	digdata = (unsigned char*)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
+				   p7ecx->digestobj->length);
+	if (digdata == NULL)
+	    return SECFailure;
+
+	if (digestsp != NULL) {
+	    PORT_Assert (digest == NULL);
+
+	    digest = (SECItem*)PORT_ArenaAlloc (p7ecx->cinfo->poolp, 
+						sizeof(SECItem));
+	    digests = (SECItem**)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
+				       2 * sizeof(SECItem *));
+	    if (digests == NULL || digest == NULL)
+		return SECFailure;
+
+	    digests[0] = digest;
+	    digests[1] = NULL;
+
+	    *digestsp = digests;
+	}
+
+	PORT_Assert (digest != NULL);
+
+	digest->data = digdata;
+	digest->len = p7ecx->digestobj->length;
+
+	(* p7ecx->digestobj->end) (p7ecx->digestcx, digest->data,
+				   &(digest->len), digest->len);
+	(* p7ecx->digestobj->destroy) (p7ecx->digestcx, PR_TRUE);
+    }
+
+    return rv;
+}
+
+
+SECStatus
+SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
+			const char *data, unsigned long len)
+{
+    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
+    return sec_pkcs7_encoder_work_data (p7ecx, NULL,
+					(const unsigned char *)data, len,
+					PR_FALSE);
+}
+
+static SECStatus
+sec_pkcs7_encoder_sig_and_certs (SEC_PKCS7ContentInfo *cinfo,
+				 SECKEYGetPasswordKey pwfn, void *pwfnarg)
+{
+    SECOidTag kind;
+    CERTCertificate **certs;
+    CERTCertificateList **certlists;
+    SECAlgorithmID **digestalgs;
+    SECItem **digests;
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
+    SECItem **rawcerts, ***rawcertsp;
+    PRArenaPool *poolp;
+    int certcount;
+    int ci, cli, rci, si;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	certs = NULL;
+	certlists = NULL;
+	digestalgs = NULL;
+	digests = NULL;
+	signerinfos = NULL;
+	rawcertsp = NULL;
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certs = sdp->certs;
+	    certlists = sdp->certLists;
+	    digestalgs = sdp->digestAlgorithms;
+	    digests = sdp->digests;
+	    signerinfos = sdp->signerInfos;
+	    rawcertsp = &(sdp->rawCerts);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certs = saedp->certs;
+	    certlists = saedp->certLists;
+	    digestalgs = saedp->digestAlgorithms;
+	    digests = saedp->digests;
+	    signerinfos = saedp->signerInfos;
+	    rawcertsp = &(saedp->rawCerts);
+	}
+	break;
+    }
+
+    if (certs == NULL && certlists == NULL && signerinfos == NULL)
+	return SECSuccess;		/* nothing for us to do! */
+
+    poolp = cinfo->poolp;
+    certcount = 0;
+
+    if (signerinfos != NULL) {
+	SECOidTag digestalgtag;
+	int di;
+	SECStatus rv;
+	CERTCertificate *cert;
+	SECKEYPrivateKey *privkey;
+	SECItem signature;
+	SECOidTag signalgtag;
+
+	PORT_Assert (digestalgs != NULL && digests != NULL);
+
+	/*
+	 * If one fails, we bail right then.  If we want to continue and
+	 * try to do subsequent signatures, this loop, and the departures
+	 * from it, will need to be reworked.
+	 */
+	for (si = 0; signerinfos[si] != NULL; si++) {
+
+	    signerinfo = signerinfos[si];
+
+	    /* find right digest */
+	    digestalgtag = SECOID_GetAlgorithmTag (&(signerinfo->digestAlg));
+	    for (di = 0; digestalgs[di] != NULL; di++) {
+		/* XXX Should I be comparing more than the tag? */
+		if (digestalgtag == SECOID_GetAlgorithmTag (digestalgs[di]))
+		    break;
+	    }
+	    if (digestalgs[di] == NULL) {
+		/* XXX oops; do what? set an error? */
+		return SECFailure;
+	    }
+	    PORT_Assert (digests[di] != NULL);
+
+	    cert = signerinfo->cert;
+	    privkey = PK11_FindKeyByAnyCert (cert, pwfnarg);
+	    if (privkey == NULL)
+		return SECFailure;
+
+	    /*
+	     * XXX I think there should be a cert-level interface for this,
+	     * so that I do not have to know about subjectPublicKeyInfo...
+	     */
+	    signalgtag = SECOID_GetAlgorithmTag (&(cert->subjectPublicKeyInfo.algorithm));
+
+	    /* Fortezza MISSI have weird signature formats.  Map them
+	     * to standard DSA formats */
+	    signalgtag = PK11_FortezzaMapSig(signalgtag);
+
+	    if (signerinfo->authAttr != NULL) {
+		SEC_PKCS7Attribute *attr;
+		SECItem encoded_attrs;
+		SECItem *dummy;
+		SECOidTag algid;
+
+		/*
+		 * First, find and fill in the message digest attribute.
+		 */
+		attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+					       SEC_OID_PKCS9_MESSAGE_DIGEST,
+					       PR_TRUE);
+		PORT_Assert (attr != NULL);
+		if (attr == NULL) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+		/*
+		 * XXX The second half of the following assertion prevents
+		 * the encoder from being called twice on the same content.
+		 * Either just remove the second half the assertion, or
+		 * change the code to check if the value already there is
+		 * the same as digests[di], whichever seems more right.
+		 */
+		PORT_Assert (attr->values != NULL && attr->values[0] == NULL);
+		attr->values[0] = digests[di];
+
+		/*
+		 * Before encoding, reorder the attributes so that when they
+		 * are encoded, they will be conforming DER, which is required
+		 * to have a specific order and that is what must be used for
+		 * the hash/signature.  We do this here, rather than building
+		 * it into EncodeAttributes, because we do not want to do
+		 * such reordering on incoming messages (which also uses
+		 * EncodeAttributes) or our old signatures (and other "broken"
+		 * implementations) will not verify.  So, we want to guarantee
+		 * that we send out good DER encodings of attributes, but not
+		 * to expect to receive them.
+		 */
+		rv = sec_PKCS7ReorderAttributes (signerinfo->authAttr);
+		if (rv != SECSuccess) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+		encoded_attrs.data = NULL;
+		encoded_attrs.len = 0;
+		dummy = sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
+						   &(signerinfo->authAttr));
+		if (dummy == NULL) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+	        algid = SEC_GetSignatureAlgorithmOidTag(privkey->keyType,
+ 							digestalgtag);
+		if (algid == SEC_OID_UNKNOWN) {
+		    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+		rv = SEC_SignData (&signature,
+				   encoded_attrs.data, encoded_attrs.len,
+				   privkey,
+				   algid);
+		SECITEM_FreeItem (&encoded_attrs, PR_FALSE);
+	    } else {
+		rv = SGN_Digest (privkey, digestalgtag, &signature,
+				 digests[di]);
+	    }
+
+	    SECKEY_DestroyPrivateKey (privkey);
+
+	    if (rv != SECSuccess)
+		return rv;
+
+	    rv = SECITEM_CopyItem (poolp, &(signerinfo->encDigest), &signature);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    SECITEM_FreeItem (&signature, PR_FALSE);
+
+	    rv = SECOID_SetAlgorithmID (poolp, &(signerinfo->digestEncAlg),
+					signalgtag, NULL);
+	    if (rv != SECSuccess)
+		return SECFailure;
+
+	    /*
+	     * Count the cert chain for this signer.
+	     */
+	    if (signerinfo->certList != NULL)
+		certcount += signerinfo->certList->len;
+	}
+    }
+
+    if (certs != NULL) {
+	for (ci = 0; certs[ci] != NULL; ci++)
+	    certcount++;
+    }
+
+    if (certlists != NULL) {
+	for (cli = 0; certlists[cli] != NULL; cli++)
+	    certcount += certlists[cli]->len;
+    }
+
+    if (certcount == 0)
+	return SECSuccess;		/* signing done; no certs */
+
+    /*
+     * Combine all of the certs and cert chains into rawcerts.
+     * Note: certcount is an upper bound; we may not need that many slots
+     * but we will allocate anyway to avoid having to do another pass.
+     * (The temporary space saving is not worth it.)
+     */
+    rawcerts = (SECItem**)PORT_ArenaAlloc (poolp, 
+					(certcount + 1) * sizeof(SECItem *));
+    if (rawcerts == NULL)
+	return SECFailure;
+
+    /*
+     * XXX Want to check for duplicates and not add *any* cert that is
+     * already in the set.  This will be more important when we start
+     * dealing with larger sets of certs, dual-key certs (signing and
+     * encryption), etc.  For the time being we can slide by...
+     */
+    rci = 0;
+    if (signerinfos != NULL) {
+	for (si = 0; signerinfos[si] != NULL; si++) {
+	    signerinfo = signerinfos[si];
+	    for (ci = 0; ci < signerinfo->certList->len; ci++)
+		rawcerts[rci++] = &(signerinfo->certList->certs[ci]);
+	}
+
+    }
+
+    if (certs != NULL) {
+	for (ci = 0; certs[ci] != NULL; ci++)
+	    rawcerts[rci++] = &(certs[ci]->derCert);
+    }
+
+    if (certlists != NULL) {
+	for (cli = 0; certlists[cli] != NULL; cli++) {
+	    for (ci = 0; ci < certlists[cli]->len; ci++)
+		rawcerts[rci++] = &(certlists[cli]->certs[ci]);
+	}
+    }
+
+    rawcerts[rci] = NULL;
+    *rawcertsp = rawcerts;
+
+    return SECSuccess;
+}
+
+
+SECStatus
+SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
+			SECKEYGetPasswordKey pwfn, void *pwfnarg)
+{
+    SECStatus rv;
+
+    /*
+     * Flush out any remaining data.
+     */
+    rv = sec_pkcs7_encoder_work_data (p7ecx, NULL, NULL, 0, PR_TRUE);
+
+    /*
+     * Turn off streaming stuff.
+     */
+    SEC_ASN1EncoderClearTakeFromBuf (p7ecx->ecx);
+    SEC_ASN1EncoderClearStreaming (p7ecx->ecx);
+
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = sec_pkcs7_encoder_sig_and_certs (p7ecx->cinfo, pwfn, pwfnarg);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
+
+loser:
+    SEC_ASN1EncoderFinish (p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+/*
+ * Abort the ASN.1 stream. Used by pkcs 12
+ */
+void
+SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7ecx, int error)
+{
+    PORT_Assert(p7ecx);
+    SEC_ASN1EncoderAbort(p7ecx->ecx, error);
+}
+
+/*
+ * After this routine is called, the entire PKCS7 contentInfo is ready
+ * to be encoded.  This is used internally, but can also be called from
+ * elsewhere for those who want to be able to just have pointers to
+ * the ASN1 template for pkcs7 contentInfo built into their own encodings.
+ */
+SECStatus
+SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
+			   PK11SymKey *bulkkey,
+			   SECKEYGetPasswordKey pwfn,
+			   void *pwfnarg)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECItem *content, *enc_content;
+    SECStatus rv;
+
+    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
+    if (p7ecx == NULL)
+	return SECFailure;
+
+    content = SEC_PKCS7GetContent (cinfo);
+
+    if (p7ecx->encryptobj != NULL) {
+	SECOidTag kind;
+	SEC_PKCS7EncryptedContentInfo *enccinfo;
+
+	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
+	switch (kind) {
+	  default:
+	    PORT_Assert (0);
+	    rv = SECFailure;
+	    goto loser;
+	  case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.encryptedData->encContentInfo);
+	    break;
+	  case SEC_OID_PKCS7_ENVELOPED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.envelopedData->encContentInfo);
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.signedAndEnvelopedData->encContentInfo);
+	    break;
+	}
+	enc_content = &(enccinfo->encContent);
+    } else {
+	enc_content = NULL;
+    }
+
+    if (content != NULL && content->data != NULL && content->len) {
+	rv = sec_pkcs7_encoder_work_data (p7ecx, enc_content,
+					  content->data, content->len, PR_TRUE);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    rv = sec_pkcs7_encoder_sig_and_certs (cinfo, pwfn, pwfnarg);
+
+loser:
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+SECStatus
+SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
+		 SEC_PKCS7EncoderOutputCallback outputfn,
+		 void *outputarg,
+		 PK11SymKey *bulkkey,
+		 SECKEYGetPasswordKey pwfn,
+		 void *pwfnarg)
+{
+    SECStatus rv;
+
+    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
+    if (rv == SECSuccess) {
+	struct sec_pkcs7_encoder_output outputcx;
+
+	outputcx.outputfn = outputfn;
+	outputcx.outputarg = outputarg;
+
+	rv = SEC_ASN1Encode (cinfo, sec_PKCS7ContentInfoTemplate,
+			     sec_pkcs7_encoder_out, &outputcx);
+    }
+
+    return rv;
+}
+
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).  The output, rather than
+ * being passed to an output function as is done above, is all put
+ * into a SECItem.
+ *
+ * "pool" specifies a pool from which to allocate the result.
+ * It can be NULL, in which case memory is allocated generically.
+ *
+ * "dest" specifies a SECItem in which to put the result data.
+ * It can be NULL, in which case the entire item is allocated, too.
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+SECItem *
+SEC_PKCS7EncodeItem (PRArenaPool *pool,
+		     SECItem *dest,
+		     SEC_PKCS7ContentInfo *cinfo,
+		     PK11SymKey *bulkkey,
+		     SECKEYGetPasswordKey pwfn,
+		     void *pwfnarg)
+{
+    SECStatus rv;
+
+    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
+    if (rv != SECSuccess)
+	return NULL;
+
+    return SEC_ASN1EncodeItem (pool, dest, cinfo, sec_PKCS7ContentInfoTemplate);
+}
+
diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
new file mode 100644
index 000000000..70bb6c42b
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7local.c
@@ -0,0 +1,1408 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support routines for PKCS7 implementation, none of which are exported.
+ * This file should only contain things that are needed by both the
+ * encoding/creation side *and* the decoding/decryption side.  Anything
+ * else should be static routines in the appropriate file.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cryptohi.h" 
+#include "secasn1.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secpkcs5.h"
+#include "secerr.h"
+
+/*
+ * -------------------------------------------------------------------
+ * Cipher stuff.
+ */
+
+typedef SECStatus (*sec_pkcs7_cipher_function) (void *,
+						unsigned char *,
+						unsigned *,
+						unsigned int,
+						const unsigned char *,
+						unsigned int);
+typedef SECStatus (*sec_pkcs7_cipher_destroy) (void *, PRBool);
+
+#define BLOCK_SIZE 4096
+
+struct sec_pkcs7_cipher_object {
+    void *cx;
+    sec_pkcs7_cipher_function doit;
+    sec_pkcs7_cipher_destroy destroy;
+    PRBool encrypt;
+    int block_size;
+    int pad_size;
+    int pending_count;
+    unsigned char pending_buf[BLOCK_SIZE];
+};
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
+/*
+ * Create a cipher object to do decryption,  based on the given bulk
+ * encryption key and algorithm identifier (which may include an iv).
+ *
+ * XXX This interface, or one similar, would be really nice available
+ * in general...  I tried to keep the pkcs7-specific stuff (mostly
+ * having to do with padding) out of here.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function below (for starting up encryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+sec_PKCS7CipherObject *
+sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid)
+{
+    sec_PKCS7CipherObject *result;
+    SECOidTag algtag;
+    void *ciphercx;
+    CK_MECHANISM_TYPE cryptoMechType;
+    SECItem *param;
+    PK11SlotInfo *slot;
+
+    result = (struct sec_pkcs7_cipher_object*)
+      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
+    if (result == NULL)
+	return NULL;
+
+    ciphercx = NULL;
+    algtag = SECOID_GetAlgorithmTag (algid);
+
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	SECItem *pwitem;
+
+	pwitem = (SECItem *)PK11_GetSymKeyUserData(key);
+	if (!pwitem) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+
+	cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);
+	if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+    } else {
+	cryptoMechType = PK11_AlgtagToMechanism(algtag);
+	param = PK11_ParamFromAlgid(algid);
+	if (param == NULL) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+    }
+
+    result->pad_size = PK11_GetBlockSize(cryptoMechType, param);
+    slot = PK11_GetSlotFromKey(key);
+    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
+    PK11_FreeSlot(slot);
+    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, 
+					  key, param);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (ciphercx == NULL) {
+	PORT_Free (result);
+	return NULL;
+    }
+
+    result->cx = ciphercx;
+    result->doit =  (sec_pkcs7_cipher_function) PK11_CipherOp;
+    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
+    result->encrypt = PR_FALSE;
+    result->pending_count = 0;
+
+    return result;
+}
+
+/*
+ * Create a cipher object to do encryption, based on the given bulk
+ * encryption key and algorithm tag.  Fill in the algorithm identifier
+ * (which may include an iv) appropriately.
+ *
+ * XXX This interface, or one similar, would be really nice available
+ * in general...  I tried to keep the pkcs7-specific stuff (mostly
+ * having to do with padding) out of here.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function above (for starting up decryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+sec_PKCS7CipherObject *
+sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
+			      SECOidTag algtag, SECAlgorithmID *algid)
+{
+    sec_PKCS7CipherObject *result;
+    void *ciphercx;
+    SECItem *param;
+    SECStatus rv;
+    CK_MECHANISM_TYPE cryptoMechType;
+    PRBool needToEncodeAlgid = PR_FALSE;
+    PK11SlotInfo *slot;
+
+    result = (struct sec_pkcs7_cipher_object*)
+	      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
+    if (result == NULL)
+	return NULL;
+
+    ciphercx = NULL;
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	SECItem *pwitem;
+
+	pwitem = (SECItem *)PK11_GetSymKeyUserData(key);
+	if (!pwitem) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+
+	cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);
+	if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+    } else {
+	cryptoMechType = PK11_AlgtagToMechanism(algtag);
+	param = PK11_GenerateNewParam(cryptoMechType, key);
+	if (param == NULL) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+	needToEncodeAlgid = PR_TRUE;
+    }
+
+    result->pad_size = PK11_GetBlockSize(cryptoMechType,param);
+    slot = PK11_GetSlotFromKey(key);
+    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
+    PK11_FreeSlot(slot);
+    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, 
+    					  key, param);
+    if (ciphercx == NULL) {
+	PORT_Free (result);
+        SECITEM_FreeItem(param,PR_TRUE);
+	return NULL;
+    }
+
+    /*
+     * These are placed after the CreateContextBySymKey() because some
+     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
+     * Don't move it from here.
+     */
+    if (needToEncodeAlgid) {
+	rv = PK11_ParamToAlgid(algtag,param,poolp,algid);
+	if(rv != SECSuccess) {
+	    PORT_Free (result);
+            SECITEM_FreeItem(param,PR_TRUE);
+	    return NULL;
+	}
+    }
+    SECITEM_FreeItem(param,PR_TRUE);
+
+    result->cx = ciphercx;
+    result->doit = (sec_pkcs7_cipher_function) PK11_CipherOp;
+    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
+    result->encrypt = PR_TRUE;
+    result->pending_count = 0;
+
+    return result;
+}
+
+
+/*
+ * Destroy the cipher object.
+ */
+static void
+sec_pkcs7_destroy_cipher (sec_PKCS7CipherObject *obj)
+{
+    (* obj->destroy) (obj->cx, PR_TRUE);
+    PORT_Free (obj);
+}
+
+void
+sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj)
+{
+    PORT_Assert (obj != NULL);
+    if (obj == NULL)
+	return;
+    PORT_Assert (! obj->encrypt);
+    sec_pkcs7_destroy_cipher (obj);
+}
+
+void
+sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj)
+{
+    PORT_Assert (obj != NULL);
+    if (obj == NULL)
+	return;
+    PORT_Assert (obj->encrypt);
+    sec_pkcs7_destroy_cipher (obj);
+}
+
+
+/*
+ * XXX I think all of the following lengths should be longs instead
+ * of ints, but our current crypto interface uses ints, so I did too.
+ */
+
+
+/*
+ * What will be the output length of the next call to decrypt?
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ *
+ * Note that this can return zero, which does not mean that the decrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent decrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
+			PRBool final)
+{
+    int blocks, block_size;
+
+    PORT_Assert (! obj->encrypt);
+
+    block_size = obj->block_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we will always use up all of the pending
+     * bytes plus all of the input bytes, *but*, there will be padding
+     * at the end and we cannot predict how many bytes of padding we
+     * will end up removing.  The amount given here is actually known
+     * to be at least 1 byte too long (because we know we will have
+     * at least 1 byte of padding), but seemed clearer/better to me.
+     */
+    if (final)
+	return obj->pending_count + input_len;
+
+    /*
+     * Okay, this amount is exactly what we will output on the
+     * next cipher operation.  We will always hang onto the last
+     * 1 - block_size bytes for non-final operations.  That is,
+     * we will do as many complete blocks as we can *except* the
+     * last block (complete or partial).  (This is because until
+     * we know we are at the end, we cannot know when to interpret
+     * and removing the padding byte(s), which are guaranteed to
+     * be there.)
+     */
+    blocks = (obj->pending_count + input_len - 1) / block_size;
+    return blocks * block_size;
+}
+
+/*
+ * What will be the output length of the next call to encrypt?
+ * Result can be used to perform memory allocations.
+ *
+ * Note that this can return zero, which does not mean that the encrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent encrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
+			PRBool final)
+{
+    int blocks, block_size;
+    int pad_size;
+
+    PORT_Assert (obj->encrypt);
+
+    block_size = obj->block_size;
+    pad_size = obj->pad_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we only send out what we need for
+     * remaining bytes plus the padding.  (There is always padding,
+     * so even if we have an exact number of blocks as input, we
+     * will add another full block that is just padding.)
+     */
+    if (final) {
+	if (pad_size == 0) {
+    	    return obj->pending_count + input_len;
+	} else {
+    	    blocks = (obj->pending_count + input_len) / pad_size;
+	    blocks++;
+	    return blocks*pad_size;
+	}
+    }
+
+    /*
+     * Now, count the number of complete blocks of data we have.
+     */
+    blocks = (obj->pending_count + input_len) / block_size;
+
+
+    return blocks * block_size;
+}
+
+
+/*
+ * Decrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateDecryptObject.
+ * When "final" is true, this is the last of the data to be decrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the decryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "obj".
+ * We also need to determine which bytes are padding, and remove
+ * them from the output.  We can only do this step when we know we
+ * have the final block of data.  PKCS #7 specifies that the padding
+ * used for a block cipher is a string of bytes, each of whose value is
+ * the same as the length of the padding, and that all data is padded.
+ * (Even data that starts out with an exact multiple of blocks gets
+ * added to it another block, all of which is padding.)
+ */ 
+SECStatus
+sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (! obj->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = sec_PKCS7DecryptLength (obj, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    /*
+     * hardware encryption does not like small decryption sizes here, so we
+     * allow both blocking and padding.
+     */
+    bsize = obj->block_size;
+    padsize = obj->pad_size;
+
+    /*
+     * When no blocking or padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = obj->pending_count;
+    pbuf = obj->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we have at most a whole block and this is not our last call,
+	 * then we are done for now.  (We do not try to decrypt a lone
+	 * single block because we cannot interpret the padding bytes
+	 * until we know we are handling the very last block of all input.)
+	 */
+	if (input_len == 0 && !final) {
+	    obj->pending_count = pcount;
+	    if (output_len_p)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * Given the logic above, we expect to have a full block by now.
+	 * If we do not, there is something wrong, either with our own
+	 * logic or with (length of) the data given to us.
+	 */
+	PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
+	if ((padsize != 0) && (pcount % padsize) != 0) {
+	    PORT_Assert (final);	
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	/*
+	 * Decrypt the block.
+	 */
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == pcount);
+
+	/*
+	 * Account for the bytes now in output.
+	 */
+	max_output_len -= ofraglen;
+	output_len += ofraglen;
+	output += ofraglen;
+    }
+
+    /*
+     * If this is our last call, we expect to have an exact number of
+     * blocks left to be decrypted; we will decrypt them all.
+     * 
+     * If not our last call, we always save between 1 and bsize bytes
+     * until next time.  (We must do this because we cannot be sure
+     * that none of the decrypted bytes are padding bytes until we
+     * have at least another whole block of data.  You cannot tell by
+     * looking -- the data could be anything -- you can only tell by
+     * context, knowing you are looking at the last block.)  We could
+     * decrypt a whole block now but it is easier if we just treat it
+     * the same way we treat partial block bytes.
+     */
+    if (final) {
+	if (padsize) {
+	    blocks = input_len / padsize;
+	    ifraglen = blocks * padsize;
+	} else ifraglen = input_len;
+	PORT_Assert (ifraglen == input_len);
+
+	if (ifraglen != input_len) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+    } else {
+	blocks = (input_len - 1) / bsize;
+	ifraglen = blocks * bsize;
+	PORT_Assert (ifraglen < input_len);
+
+	pcount = input_len - ifraglen;
+	PORT_Memcpy (pbuf, input + ifraglen, pcount);
+	obj->pending_count = pcount;
+    }
+
+    if (ifraglen) {
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    input, ifraglen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ifraglen == ofraglen);
+	if (ifraglen != ofraglen) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+
+	output_len += ofraglen;
+    } else {
+	ofraglen = 0;
+    }
+
+    /*
+     * If we just did our very last block, "remove" the padding by
+     * adjusting the output length.
+     */
+    if (final && (padsize != 0)) {
+	unsigned int padlen = *(output + ofraglen - 1);
+	if (padlen == 0 || padlen > padsize) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	output_len -= padlen;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * Encrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateEncryptObject.
+ * When "final" is true, this is the last of the data to be encrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the encryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "obj".
+ * We also need to add padding bytes at the end.  PKCS #7 specifies
+ * that the padding used for a block cipher is a string of bytes,
+ * each of whose value is the same as the length of the padding,
+ * and that all data is padded.  (Even data that starts out with
+ * an exact multiple of blocks gets added to it another block,
+ * all of which is padding.)
+ *
+ * XXX I would kind of like to combine this with the function above
+ * which does decryption, since they have a lot in common.  But the
+ * tricky parts about padding and filling blocks would be much
+ * harder to read that way, so I left them separate.  At least for
+ * now until it is clear that they are right.
+ */ 
+SECStatus
+sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, padlen, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (obj->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = sec_PKCS7EncryptLength (obj, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    bsize = obj->block_size;
+    padsize = obj->pad_size;
+
+    /*
+     * When no blocking and padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = obj->pending_count;
+    pbuf = obj->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we do not have a full block and we know we will be
+	 * called again, then we are done for now.
+	 */
+	if (pcount < bsize && !final) {
+	    obj->pending_count = pcount;
+	    if (output_len_p != NULL)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * If we have a whole block available, encrypt it.
+	 */
+	if ((padsize == 0) || (pcount % padsize) == 0) {
+	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+				pbuf, pcount);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ofraglen == pcount);
+
+	    /*
+	     * Account for the bytes now in output.
+	     */
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+
+	    pcount = 0;
+	}
+    }
+
+    if (input_len) {
+	PORT_Assert (pcount == 0);
+
+	blocks = input_len / bsize;
+	ifraglen = blocks * bsize;
+
+	if (ifraglen) {
+	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+				input, ifraglen);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ifraglen == ofraglen);
+
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+	}
+
+	pcount = input_len - ifraglen;
+	PORT_Assert (pcount < bsize);
+	if (pcount)
+	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
+    }
+
+    if (final) {
+	padlen = padsize - (pcount % padsize);
+	PORT_Memset (pbuf + pcount, padlen, padlen);
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount+padlen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7EncryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == (pcount+padlen));
+	output_len += ofraglen;
+    } else {
+	obj->pending_count = pcount;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * End of cipher stuff.
+ * -------------------------------------------------------------------
+ */
+
+
+/*
+ * -------------------------------------------------------------------
+ * XXX The following Attribute stuff really belongs elsewhere.
+ * The Attribute type is *not* part of pkcs7 but rather X.501.
+ * But for now, since PKCS7 is the only customer of attributes,
+ * we define them here.  Once there is a use outside of PKCS7,
+ * then change the attribute types and functions from internal
+ * to external naming convention, and move them elsewhere!
+ */
+
+/*
+ * Look through a set of attributes and find one that matches the
+ * specified object ID.  If "only" is true, then make sure that
+ * there is not more than one attribute of the same type.  Otherwise,
+ * just return the first one found. (XXX Does anybody really want
+ * that first-found behavior?  It was like that when I found it...)
+ */
+SEC_PKCS7Attribute *
+sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs, SECOidTag oidtag,
+			PRBool only)
+{
+    SECOidData *oid;
+    SEC_PKCS7Attribute *attr1, *attr2;
+
+    if (attrs == NULL)
+	return NULL;
+
+    oid = SECOID_FindOIDByTag(oidtag);
+    if (oid == NULL)
+	return NULL;
+
+    while ((attr1 = *attrs++) != NULL) {
+	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr1 == NULL)
+	return NULL;
+
+    if (!only)
+	return attr1;
+
+    while ((attr2 = *attrs++) != NULL) {
+	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr2 != NULL)
+	return NULL;
+
+    return attr1;
+}
+
+
+/*
+ * Return the single attribute value, doing some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+SECItem *
+sec_PKCS7AttributeValue(SEC_PKCS7Attribute *attr)
+{
+    SECItem *value;
+
+    if (attr == NULL)
+	return NULL;
+
+    value = attr->values[0];
+
+    if (value == NULL || value->data == NULL || value->len == 0)
+	return NULL;
+
+    if (attr->values[1] != NULL)
+	return NULL;
+
+    return value;
+}
+
+static const SEC_ASN1Template *
+sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+
+    SEC_PKCS7Attribute *attribute;
+    SECOidData *oiddata;
+    PRBool encoded;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    attribute = (SEC_PKCS7Attribute*)src_or_dest;
+
+    if (encoding && attribute->encoded)
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+
+    oiddata = attribute->typeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&attribute->type);
+	attribute->typeTag = oiddata;
+    }
+
+    if (oiddata == NULL) {
+	encoded = PR_TRUE;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+    } else {
+	switch (oiddata->offset) {
+	  default:
+	    encoded = PR_TRUE;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	  case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	  case SEC_OID_RFC1274_MAIL:
+	  case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+	  case SEC_OID_PKCS9_CONTENT_TYPE:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
+	    break;
+	  case SEC_OID_PKCS9_MESSAGE_DIGEST:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	  case SEC_OID_PKCS9_SIGNING_TIME:
+	    encoded = PR_FALSE;
+            theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate);
+	    break;
+	  /* XXX Want other types here, too */
+	}
+    }
+
+    if (encoding) {
+	/*
+	 * If we are encoding and we think we have an already-encoded value,
+	 * then the code which initialized this attribute should have set
+	 * the "encoded" property to true (and we would have returned early,
+	 * up above).  No devastating error, but that code should be fixed.
+	 * (It could indicate that the resulting encoded bytes are wrong.)
+	 */
+	PORT_Assert (!encoded);
+    } else {
+	/*
+	 * We are decoding; record whether the resulting value is
+	 * still encoded or not.
+	 */
+	attribute->encoded = encoded;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1TemplateChooserPtr sec_attr_chooser
+	= sec_attr_choose_attr_value_template;
+
+static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7Attribute) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7Attribute,type) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7Attribute,values),
+	  &sec_attr_chooser },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_pkcs7_set_of_attribute_template[] = {
+    { SEC_ASN1_SET_OF, 0, sec_pkcs7_attribute_template },
+};
+
+/*
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in p7encode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+SECItem *
+sec_PKCS7EncodeAttributes (PRArenaPool *poolp, SECItem *dest, void *src)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, src,
+			       sec_pkcs7_set_of_attribute_template);
+}
+
+/*
+ * Make sure that the order of the attributes guarantees valid DER
+ * (which must be in lexigraphically ascending order for a SET OF);
+ * if reordering is necessary it will be done in place (in attrs).
+ */
+SECStatus
+sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs)
+{
+    PRArenaPool *poolp;
+    int num_attrs, i, pass, besti;
+    unsigned int j;
+    SECItem **enc_attrs;
+    SEC_PKCS7Attribute **new_attrs;
+
+    /*
+     * I think we should not be called with NULL.  But if we are,
+     * call it a success anyway, because the order *is* okay.
+     */
+    PORT_Assert (attrs != NULL);
+    if (attrs == NULL)
+	return SECSuccess;
+
+    /*
+     * Count how many attributes we are dealing with here.
+     */
+    num_attrs = 0;
+    while (attrs[num_attrs] != NULL)
+	num_attrs++;
+
+    /*
+     * Again, I think we should have some attributes here.
+     * But if we do not, or if there is only one, then call it
+     * a success because it also already has a fine order.
+     */
+    PORT_Assert (num_attrs);
+    if (num_attrs == 0 || num_attrs == 1)
+	return SECSuccess;
+
+    /*
+     * Allocate an arena for us to work with, so it is easy to
+     * clean up all of the memory (fairly small pieces, really).
+     */
+    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (poolp == NULL)
+	return SECFailure;		/* no memory; nothing we can do... */
+
+    /*
+     * Allocate arrays to hold the individual encodings which we will use
+     * for comparisons and the reordered attributes as they are sorted.
+     */
+    enc_attrs=(SECItem**)PORT_ArenaZAlloc(poolp, num_attrs*sizeof(SECItem *));
+    new_attrs = (SEC_PKCS7Attribute**)PORT_ArenaZAlloc (poolp,
+				  num_attrs * sizeof(SEC_PKCS7Attribute *));
+    if (enc_attrs == NULL || new_attrs == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return SECFailure;
+    }
+
+    /*
+     * DER encode each individual attribute.
+     */
+    for (i = 0; i < num_attrs; i++) {
+	enc_attrs[i] = SEC_ASN1EncodeItem (poolp, NULL, attrs[i],
+					   sec_pkcs7_attribute_template);
+	if (enc_attrs[i] == NULL) {
+	    PORT_FreeArena (poolp, PR_FALSE);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * Now compare and sort them; this is not the most efficient sorting
+     * method, but it is just fine for the problem at hand, because the
+     * number of attributes is (always) going to be small.
+     */
+    for (pass = 0; pass < num_attrs; pass++) {
+	/*
+	 * Find the first not-yet-accepted attribute.  (Once one is
+	 * sorted into the other array, it is cleared from enc_attrs.)
+	 */
+	for (i = 0; i < num_attrs; i++) {
+	    if (enc_attrs[i] != NULL)
+		break;
+	}
+	PORT_Assert (i < num_attrs);
+	besti = i;
+
+	/*
+	 * Find the lowest (lexigraphically) encoding.  One that is
+	 * shorter than all the rest is known to be "less" because each
+	 * attribute is of the same type (a SEQUENCE) and so thus the
+	 * first octet of each is the same, and the second octet is
+	 * the length (or the length of the length with the high bit
+	 * set, followed by the length, which also works out to always
+	 * order the shorter first).  Two (or more) that have the
+	 * same length need to be compared byte by byte until a mismatch
+	 * is found.
+	 */
+	for (i = besti + 1; i < num_attrs; i++) {
+	    if (enc_attrs[i] == NULL)	/* slot already handled */
+		continue;
+
+	    if (enc_attrs[i]->len != enc_attrs[besti]->len) {
+		if (enc_attrs[i]->len < enc_attrs[besti]->len)
+		    besti = i;
+		continue;
+	    }
+
+	    for (j = 0; j < enc_attrs[i]->len; j++) {
+		if (enc_attrs[i]->data[j] < enc_attrs[besti]->data[j]) {
+		    besti = i;
+		    break;
+		}
+	    }
+
+	    /*
+	     * For this not to be true, we would have to have encountered	
+	     * two *identical* attributes, which I think we should not see.
+	     * So assert if it happens, but even if it does, let it go
+	     * through; the ordering of the two does not matter.
+	     */
+	    PORT_Assert (j < enc_attrs[i]->len);
+	}
+
+	/*
+	 * Now we have found the next-lowest one; copy it over and
+	 * remove it from enc_attrs.
+	 */
+	new_attrs[pass] = attrs[besti];
+	enc_attrs[besti] = NULL;
+    }
+
+    /*
+     * Now new_attrs has the attributes in the order we want;
+     * copy them back into the attrs array we started with.
+     */
+    for (i = 0; i < num_attrs; i++)
+	attrs[i] = new_attrs[i];
+
+    PORT_FreeArena (poolp, PR_FALSE);
+    return SECSuccess;
+}
+
+/*
+ * End of attribute stuff.
+ * -------------------------------------------------------------------
+ */
+
+
+/*
+ * Templates and stuff.  Keep these at the end of the file.
+ */
+
+/* forward declaration */
+static const SEC_ASN1Template *
+sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding);
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs7_chooser
+	= sec_pkcs7_choose_content_template;
+
+const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7ContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7ContentInfo,contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(SEC_PKCS7ContentInfo,content),
+	  &sec_pkcs7_chooser },
+    { 0 }
+};
+
+/* XXX These names should change from external to internal convention. */
+
+static const SEC_ASN1Template SEC_PKCS7SignerInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SignerInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignerInfo,version) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(SEC_PKCS7SignerInfo,authAttr),
+	  sec_pkcs7_set_of_attribute_template },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,digestEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SignerInfo,encDigest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(SEC_PKCS7SignerInfo,unAuthAttr),
+	  sec_pkcs7_set_of_attribute_template },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7SignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7SignedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignedData,version) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7SignedData,contentInfo),
+	  sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7SignedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(SEC_PKCS7SignedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedData,signerInfos),
+	  SEC_PKCS7SignerInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7SignedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7RecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7RecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7RecipientInfo,version) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7RecipientInfo,issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7RecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7RecipientInfo,encKey) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EncryptedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EncryptedContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,contentType) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,contentEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,encContent),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7EnvelopedData,version) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7EnvelopedData,recipientInfos),
+	  SEC_PKCS7RecipientInfoTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7EnvelopedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7EnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7EnvelopedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7SignedAndEnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7SignedAndEnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,version) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,recipientInfos),
+	  SEC_PKCS7RecipientInfoTemplate },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,signerInfos),
+	  SEC_PKCS7SignerInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template
+SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedAndEnvelopedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7DigestedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7DigestedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7DigestedData,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7DigestedData,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7DigestedData,contentInfo),
+	  sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7DigestedData,digest) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7DigestedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7DigestedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EncryptedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EncryptedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7EncryptedData,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7EncryptedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7EncryptedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7EncryptedDataTemplate }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ 0 }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateNoSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
+	{ 0 }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,bulkKeySize) },
+	{ 0 }
+};
+
+const SEC_ASN1Template*
+sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate)
+{
+	const SEC_ASN1Template *returnVal = NULL;
+
+	switch(whichTemplate)
+	{
+	case SECKEAUsesNonSkipjack:
+		returnVal = SEC_SMIMEKEAParamTemplateNoSkipjack;
+		break;
+	case SECKEAUsesSkipjack:
+		returnVal = SEC_SMIMEKEAParamTemplateSkipjack;
+		break;
+	case SECKEAUsesNonSkipjackWithPaddedEncKey:
+	default:
+		returnVal = SEC_SMIMEKEAParamTemplateAllParams;
+		break;
+	}
+	return returnVal;
+}
+	
+static const SEC_ASN1Template *
+sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS7ContentInfo *cinfo;
+    SECOidTag kind;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)src_or_dest;
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	break;
+      case SEC_OID_PKCS7_DATA:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	theTemplate = SEC_PointerToPKCS7SignedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	theTemplate = SEC_PointerToPKCS7EnvelopedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	theTemplate = SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	theTemplate = SEC_PointerToPKCS7DigestedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	theTemplate = SEC_PointerToPKCS7EncryptedDataTemplate;
+	break;
+    }
+    return theTemplate;
+}
+
+/*
+ * End of templates.  Do not add stuff after this; put new code
+ * up above the start of the template definitions.
+ */
diff --git a/security/nss/lib/pkcs7/p7local.h b/security/nss/lib/pkcs7/p7local.h
new file mode 100644
index 000000000..2647d5f6e
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7local.h
@@ -0,0 +1,179 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support routines for PKCS7 implementation, none of which are exported.
+ * This file should only contain things that are needed by both the
+ * encoding/creation side *and* the decoding/decryption side.  Anything
+ * else should just be static routines in the appropriate file.
+ *
+ * Do not export this file!  If something in here is really needed outside
+ * of pkcs7 code, first try to add a PKCS7 interface which will do it for
+ * you.  If that has a problem, then just move out what you need, changing
+ * its name as appropriate!
+ *
+ * $Id$
+ */
+
+#ifndef _P7LOCAL_H_
+#define _P7LOCAL_H_
+
+#include "secpkcs7.h"
+#include "secasn1t.h"
+
+extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
+
+/* opaque objects */
+typedef struct sec_pkcs7_cipher_object sec_PKCS7CipherObject;
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Look through a set of attributes and find one that matches the
+ * specified object ID.  If "only" is true, then make sure that
+ * there is not more than one attribute of the same type.  Otherwise,
+ * just return the first one found. (XXX Does anybody really want
+ * that first-found behavior?  It was like that when I found it...)
+ */
+extern SEC_PKCS7Attribute *sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs,
+						   SECOidTag oidtag,
+						   PRBool only);
+/*
+ * Return the single attribute value, doing some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+extern SECItem *sec_PKCS7AttributeValue (SEC_PKCS7Attribute *attr);
+
+/*
+ * Encode a set of attributes (found in "src").
+ */
+extern SECItem *sec_PKCS7EncodeAttributes (PRArenaPool *poolp,
+					   SECItem *dest, void *src);
+
+/*
+ * Make sure that the order of the attributes guarantees valid DER
+ * (which must be in lexigraphically ascending order for a SET OF);
+ * if reordering is necessary it will be done in place (in attrs).
+ */
+extern SECStatus sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs);
+
+
+/*
+ * Create a context for decrypting, based on the given key and algorithm.
+ */
+extern sec_PKCS7CipherObject *
+sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid);
+
+/*
+ * Create a context for encrypting, based on the given key and algorithm,
+ * and fill in the algorithm id.
+ */
+extern sec_PKCS7CipherObject *
+sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
+			      SECOidTag algtag, SECAlgorithmID *algid);
+
+/*
+ * Destroy the given decryption or encryption object.
+ */
+extern void sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj);
+extern void sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj);
+
+/*
+ * What will be the output length of the next call to encrypt/decrypt?
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and the cipher block size).
+ *
+ * Note that this can return zero, which does not mean that the cipher
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent cipher operation, as no output bytes
+ * will be stored.
+ */
+extern unsigned int sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj,
+					    unsigned int input_len,
+					    PRBool final);
+extern unsigned int sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj,
+					    unsigned int input_len,
+					    PRBool final);
+
+/*
+ * Decrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateDecryptObject.
+ * When "final" is true, this is the last of the data to be decrypted.
+ */ 
+extern SECStatus sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj,
+				   unsigned char *output,
+				   unsigned int *output_len_p,
+				   unsigned int max_output_len,
+				   const unsigned char *input,
+				   unsigned int input_len,
+				   PRBool final);
+
+/*
+ * Encrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateEncryptObject.
+ * When "final" is true, this is the last of the data to be encrypted.
+ */ 
+extern SECStatus sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj,
+				   unsigned char *output,
+				   unsigned int *output_len_p,
+				   unsigned int max_output_len,
+				   const unsigned char *input,
+				   unsigned int input_len,
+				   PRBool final);
+
+/* return the correct kea template based on the template selector. skipjack
+ * does not have the extra IV.
+ */
+const SEC_ASN1Template * 
+sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _P7LOCAL_H_ */
diff --git a/security/nss/lib/pkcs7/pkcs7t.h b/security/nss/lib/pkcs7/pkcs7t.h
new file mode 100644
index 000000000..a1932a107
--- /dev/null
+++ b/security/nss/lib/pkcs7/pkcs7t.h
@@ -0,0 +1,299 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Header for pkcs7 types.
+ *
+ * $Id$
+ */
+
+#ifndef _PKCS7T_H_
+#define _PKCS7T_H_
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+
+/* Opaque objects */
+typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
+typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
+
+/* legacy defines that haven't been active for years */
+typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
+
+
+/* Non-opaque objects.  NOTE, though: I want them to be treated as
+ * opaque as much as possible.  If I could hide them completely,
+ * I would.  (I tried, but ran into trouble that was taking me too
+ * much time to get out of.)  I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * SEC_PKCS7ContentInfo, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ *  For each recipient {
+ *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ *       [which unrolls to... ]
+ *       For each slot {
+ *            Log into slot;
+ *            search slot for cert;
+ *      }
+ *  }
+ *
+ *  the new loop searchs all the recipients at once on a slot. this allows
+ *  PKCS #11 to order slots in such a way that logout slots don't get checked
+ *  if we can find the cert on a logged in slot. This eliminates lots of
+ *  spurious password prompts when smart cards are installed... so why this
+ *  comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
+ *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ *  function.
+ */
+typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
+typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
+typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
+typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
+typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
+		SEC_PKCS7SignedAndEnvelopedData;
+typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
+typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
+typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
+typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
+typedef struct SEC_PKCS7SMIMEKEAParametersStr SEC_PKCS7SMIMEKEAParameters;
+/*
+ * The following is not actually a PKCS7 type, but for now it is only
+ * used by PKCS7, so we have adopted it.  If someone else *ever* needs
+ * it, its name should be changed and it should be moved out of here.
+ * Do not dare to use it without doing so!
+ */
+typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
+
+struct SEC_PKCS7ContentInfoStr {
+    PLArenaPool *poolp;			/* local; not part of encoding */
+    PRBool created;			/* local; not part of encoding */
+    int refCount;			/* local; not part of encoding */
+    SECOidData *contentTypeTag;		/* local; not part of encoding */
+    SECKEYGetPasswordKey pwfn;		/* local; not part of encoding */
+    void *pwfn_arg;			/* local; not part of encoding */
+    SECItem contentType;
+    union {
+	SECItem				*data;
+	SEC_PKCS7DigestedData		*digestedData;
+	SEC_PKCS7EncryptedData		*encryptedData;
+	SEC_PKCS7EnvelopedData		*envelopedData;
+	SEC_PKCS7SignedData		*signedData;
+	SEC_PKCS7SignedAndEnvelopedData	*signedAndEnvelopedData;
+    } content;
+};
+
+struct SEC_PKCS7SignedDataStr {
+    SECItem version;
+    SECAlgorithmID **digestAlgorithms;
+    SEC_PKCS7ContentInfo contentInfo;
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerInfos;
+    SECItem **digests;			/* local; not part of encoding */
+    CERTCertificate **certs;		/* local; not part of encoding */
+    CERTCertificateList **certLists;	/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNED_DATA_VERSION		1	/* what we *create* */
+
+struct SEC_PKCS7EncryptedContentInfoStr {
+    SECOidData *contentTypeTag;		/* local; not part of encoding */
+    SECItem contentType;
+    SECAlgorithmID contentEncAlg;
+    SECItem encContent;
+    SECItem plainContent;		/* local; not part of encoding */
+					/* bytes not encrypted, but encoded */
+    int keysize;			/* local; not part of encoding */
+					/* size of bulk encryption key
+					 * (only used by creation code) */
+    SECOidTag encalg;			/* local; not part of encoding */
+					/* oid tag of encryption algorithm
+					 * (only used by creation code) */
+};
+
+struct SEC_PKCS7EnvelopedDataStr {
+    SECItem version;
+    SEC_PKCS7RecipientInfo **recipientInfos;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+};
+#define SEC_PKCS7_ENVELOPED_DATA_VERSION	0	/* what we *create* */
+
+struct SEC_PKCS7SignedAndEnvelopedDataStr {
+    SECItem version;
+    SEC_PKCS7RecipientInfo **recipientInfos;
+    SECAlgorithmID **digestAlgorithms;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerInfos;
+    SECItem **digests;			/* local; not part of encoding */
+    CERTCertificate **certs;		/* local; not part of encoding */
+    CERTCertificateList **certLists;	/* local; not part of encoding */
+    PK11SymKey *sigKey;			/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1	/* what we *create* */
+
+struct SEC_PKCS7SignerInfoStr {
+    SECItem version;
+    CERTIssuerAndSN *issuerAndSN;
+    SECAlgorithmID digestAlg;
+    SEC_PKCS7Attribute **authAttr;
+    SECAlgorithmID digestEncAlg;
+    SECItem encDigest;
+    SEC_PKCS7Attribute **unAuthAttr;
+    CERTCertificate *cert;		/* local; not part of encoding */
+    CERTCertificateList *certList;	/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNER_INFO_VERSION		1	/* what we *create* */
+
+struct SEC_PKCS7RecipientInfoStr {
+    SECItem version;
+    CERTIssuerAndSN *issuerAndSN;
+    SECAlgorithmID keyEncAlg;
+    SECItem encKey;
+    CERTCertificate *cert;		/* local; not part of encoding */
+};
+#define SEC_PKCS7_RECIPIENT_INFO_VERSION	0	/* what we *create* */
+
+struct SEC_PKCS7DigestedDataStr {
+    SECItem version;
+    SECAlgorithmID digestAlg;
+    SEC_PKCS7ContentInfo contentInfo;
+    SECItem digest;
+};
+#define SEC_PKCS7_DIGESTED_DATA_VERSION		0	/* what we *create* */
+
+struct SEC_PKCS7EncryptedDataStr {
+    SECItem version;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+};
+#define SEC_PKCS7_ENCRYPTED_DATA_VERSION	0	/* what we *create* */
+
+/*
+ * See comment above about this type not really belonging to PKCS7.
+ */
+struct SEC_PKCS7AttributeStr {
+    /* The following fields make up an encoded Attribute: */
+    SECItem type;
+    SECItem **values;	/* data may or may not be encoded */
+    /* The following fields are not part of an encoded Attribute: */
+    SECOidData *typeTag;
+    PRBool encoded;	/* when true, values are encoded */
+};
+
+/* An enumerated type used to select templates based on the encryption
+   scenario and data specifics. */
+typedef enum
+{
+	SECKEAInvalid = -1,
+	SECKEAUsesSkipjack = 0,
+	SECKEAUsesNonSkipjack = 1,
+	SECKEAUsesNonSkipjackWithPaddedEncKey = 2
+} SECKEATemplateSelector;
+
+/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
+                but I cannot think of a more appropriate place at this time. */
+struct SEC_PKCS7SMIMEKEAParametersStr {
+	SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
+	SECItem originatorRA;		/* random number generated by sender */
+	SECItem nonSkipjackIV;		/* init'n vector for SkipjackCBC64
+					   decryption of KEA key if Skipjack
+					   is not the bulk algorithm used on
+					   the message */
+	SECItem bulkKeySize;		/* if Skipjack is not the bulk
+					   algorithm used on the message,
+					   and the size of the bulk encryption
+					   key is not the same as that of
+					   originatorKEAKey (due to padding
+					   perhaps), this field will contain
+					   the real size of the bulk encryption
+					   key. */
+};
+
+/*
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ *
+ * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (* SEC_PKCS7DecoderContentCallback)(void *arg,
+						 const char *buf,
+						 unsigned long len);
+
+/*
+ * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
+ * This is where the encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (* SEC_PKCS7EncoderOutputCallback)(void *arg,
+						const char *buf,
+						unsigned long len);
+
+
+/*
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
+ * to retrieve the decryption key.  This function is inteded to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey * (* SEC_PKCS7GetDecryptKeyCallback)(void *arg, 
+							SECAlgorithmID *algid);
+
+/* 
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
+ * This function in intended to be used to verify that decrypting a
+ * particular crypto algorithm is allowed.  Content types which do not
+ * require decryption will not need the callback.  If the callback
+ * is not specified for content types which require decryption, the
+ * decryption will be disallowed.
+ */
+typedef PRBool (* SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,  
+						      PK11SymKey *bulkkey);
+
+#endif /* _PKCS7T_H_ */
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
new file mode 100644
index 000000000..e113cbdf2
--- /dev/null
+++ b/security/nss/lib/pkcs7/secmime.c
@@ -0,0 +1,904 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Stuff specific to S/MIME policy and interoperability.
+ * Depends on PKCS7, but there should be no dependency the other way around.
+ *
+ * $Id$
+ */
+
+#include "secmime.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
+#include "secasn1.h"
+#include "secitem.h"
+#include "cert.h"
+#include "key.h"
+#include "secerr.h"
+
+typedef struct smime_cipher_map_struct {
+    unsigned long cipher;
+    SECOidTag algtag;
+    SECItem *parms;
+} smime_cipher_map;
+
+/*
+ * These are macros because I think some subsequent parameters,
+ * like those for RC5, will want to use them, too, separately.
+ */
+#define SMIME_DER_INTVAL_16	SEC_ASN1_INTEGER, 0x01, 0x10
+#define SMIME_DER_INTVAL_40	SEC_ASN1_INTEGER, 0x01, 0x28
+#define SMIME_DER_INTVAL_64	SEC_ASN1_INTEGER, 0x01, 0x40
+#define SMIME_DER_INTVAL_128	SEC_ASN1_INTEGER, 0x02, 0x00, 0x80
+
+#ifdef SMIME_DOES_RC5	/* will be needed; quiet unused warning for now */
+static unsigned char smime_int16[] = { SMIME_DER_INTVAL_16 };
+#endif
+static unsigned char smime_int40[] = { SMIME_DER_INTVAL_40 };
+static unsigned char smime_int64[] = { SMIME_DER_INTVAL_64 };
+static unsigned char smime_int128[] = { SMIME_DER_INTVAL_128 };
+
+static SECItem smime_rc2p40 = { siBuffer, smime_int40, sizeof(smime_int40) };
+static SECItem smime_rc2p64 = { siBuffer, smime_int64, sizeof(smime_int64) };
+static SECItem smime_rc2p128 = { siBuffer, smime_int128, sizeof(smime_int128) };
+
+static smime_cipher_map smime_cipher_maps[] = {
+    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&smime_rc2p40 },
+    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&smime_rc2p64 },
+    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&smime_rc2p128 },
+#ifdef SMIME_DOES_RC5
+    { SMIME_RC5PAD_64_16_40,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p40 },
+    { SMIME_RC5PAD_64_16_64,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p64 },
+    { SMIME_RC5PAD_64_16_128,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p128 },
+#endif
+    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL },
+    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL },
+    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL}
+};
+
+/*
+ * Note, the following value really just needs to be an upper bound
+ * on the ciphers.
+ */
+static const int smime_symmetric_count = sizeof(smime_cipher_maps)
+					 / sizeof(smime_cipher_map);
+
+static unsigned long *smime_prefs, *smime_newprefs;
+static int smime_current_pref_index = 0;
+static PRBool smime_prefs_complete = PR_FALSE;
+static PRBool smime_prefs_changed = PR_TRUE;
+
+static unsigned long smime_policy_bits = 0;
+
+
+static int
+smime_mapi_by_cipher (unsigned long cipher)
+{
+    int i;
+
+    for (i = 0; i < smime_symmetric_count; i++) {
+	if (smime_cipher_maps[i].cipher == cipher)
+	    break;
+    }
+
+    if (i == smime_symmetric_count)
+	return -1;
+
+    return i;
+}
+
+
+/*
+ * this function locally records the user's preference
+ */
+SECStatus 
+SECMIME_EnableCipher(long which, int on)
+{
+    unsigned long mask;
+
+    if (smime_newprefs == NULL || smime_prefs_complete) {
+	/*
+	 * This is either the very first time, or we are starting over.
+	 */
+	smime_newprefs = (unsigned long*)PORT_ZAlloc (smime_symmetric_count
+				      * sizeof(*smime_newprefs));
+	if (smime_newprefs == NULL)
+	    return SECFailure;
+	smime_current_pref_index = 0;
+	smime_prefs_complete = PR_FALSE;
+    }
+
+    mask = which & CIPHER_FAMILYID_MASK;
+    if (mask == CIPHER_FAMILYID_MASK) {
+    	/*
+	 * This call signifies that all preferences have been set.
+	 * Move "newprefs" over, after checking first whether or
+	 * not the new ones are different from the old ones.
+	 */
+	if (smime_prefs != NULL) {
+	    if (PORT_Memcmp (smime_prefs, smime_newprefs,
+			     smime_symmetric_count * sizeof(*smime_prefs)) == 0)
+		smime_prefs_changed = PR_FALSE;
+	    else
+		smime_prefs_changed = PR_TRUE;
+	    PORT_Free (smime_prefs);
+	}
+
+	smime_prefs = smime_newprefs;
+	smime_prefs_complete = PR_TRUE;
+	return SECSuccess;
+    }
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    if (on) {
+	PORT_Assert (smime_current_pref_index < smime_symmetric_count);
+	if (smime_current_pref_index >= smime_symmetric_count) {
+	    /* XXX set an error! */
+	    return SECFailure;
+	}
+
+	smime_newprefs[smime_current_pref_index++] = which;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * this function locally records the export policy
+ */
+SECStatus 
+SECMIME_SetPolicy(long which, int on)
+{
+    unsigned long mask;
+
+    PORT_Assert ((which & CIPHER_FAMILYID_MASK) == CIPHER_FAMILYID_SMIME);
+    if ((which & CIPHER_FAMILYID_MASK) != CIPHER_FAMILYID_SMIME) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    which &= ~CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (which < 32);	/* bits in the long */
+    if (which >= 32) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    mask = 1UL << which;
+
+    if (on) {
+    	smime_policy_bits |= mask;
+    } else {
+    	smime_policy_bits &= ~mask;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * Based on the given algorithm (including its parameters, in some cases!)
+ * and the given key (may or may not be inspected, depending on the
+ * algorithm), find the appropriate policy algorithm specification
+ * and return it.  If no match can be made, -1 is returned.
+ */
+static long
+smime_policy_algorithm (SECAlgorithmID *algid, PK11SymKey *key)
+{
+    SECOidTag algtag;
+
+    algtag = SECOID_GetAlgorithmTag (algid);
+    switch (algtag) {
+      case SEC_OID_RC2_CBC:
+	{
+	    unsigned int keylen_bits;
+
+	    keylen_bits = PK11_GetKeyStrength (key, algid);
+	    switch (keylen_bits) {
+	      case 40:
+		return SMIME_RC2_CBC_40;
+	      case 64:
+		return SMIME_RC2_CBC_64;
+	      case 128:
+		return SMIME_RC2_CBC_128;
+	      default:
+		break;
+	    }
+	}
+	break;
+      case SEC_OID_DES_CBC:
+	return SMIME_DES_CBC_56;
+      case SEC_OID_DES_EDE3_CBC:
+	return SMIME_DES_EDE3_168;
+      case SEC_OID_FORTEZZA_SKIPJACK:
+	return SMIME_FORTEZZA;
+#ifdef SMIME_DOES_RC5
+      case SEC_OID_RC5_CBC_PAD:
+	PORT_Assert (0);	/* XXX need to pull out parameters and match */
+	break;
+#endif
+      default:
+	break;
+    }
+
+    return -1;
+}
+
+
+static PRBool
+smime_cipher_allowed (unsigned long which)
+{
+    unsigned long mask;
+
+    which &= ~CIPHER_FAMILYID_MASK;
+    PORT_Assert (which < 32);	/* bits per long (min) */
+    if (which >= 32)
+	return PR_FALSE;
+
+    mask = 1UL << which;
+    if ((mask & smime_policy_bits) == 0)
+	return PR_FALSE;
+
+    return PR_TRUE;
+}
+
+
+PRBool
+SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
+{
+    long which;
+
+    which = smime_policy_algorithm (algid, key);
+    if (which < 0)
+	return PR_FALSE;
+
+    return smime_cipher_allowed ((unsigned long)which);
+}
+
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+PRBool
+SECMIME_EncryptionPossible (void)
+{
+    if (smime_policy_bits != 0)
+	return PR_TRUE;
+
+    return PR_FALSE;
+}
+
+
+/*
+ * XXX Would like the "parameters" field to be a SECItem *, but the
+ * encoder is having trouble with optional pointers to an ANY.  Maybe
+ * once that is fixed, can change this back...
+ */
+typedef struct smime_capability_struct {
+    unsigned long cipher;	/* local; not part of encoding */
+    SECOidTag capIDTag;		/* local; not part of encoding */
+    SECItem capabilityID;
+    SECItem parameters;
+} smime_capability;
+
+static const SEC_ASN1Template smime_capability_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(smime_capability) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(smime_capability,capabilityID), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(smime_capability,parameters), },
+    { 0, }
+};
+
+static const SEC_ASN1Template smime_capabilities_template[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, smime_capability_template }
+};
+
+
+
+static void
+smime_fill_capability (smime_capability *cap)
+{
+    unsigned long cipher;
+    SECOidTag algtag;
+    int i;
+
+    algtag = SECOID_FindOIDTag (&(cap->capabilityID));
+
+    for (i = 0; i < smime_symmetric_count; i++) {
+	if (smime_cipher_maps[i].algtag != algtag)
+	    continue;
+	/*
+	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
+	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
+	 * use that here instead of all of the following comparison code.
+	 */
+	if (cap->parameters.data != NULL) {
+	    if (smime_cipher_maps[i].parms == NULL)
+		continue;
+	    if (cap->parameters.len != smime_cipher_maps[i].parms->len)
+		continue;
+	    if (PORT_Memcmp (cap->parameters.data,
+			     smime_cipher_maps[i].parms->data,
+			     cap->parameters.len) == 0)
+		break;
+	} else if (smime_cipher_maps[i].parms == NULL) {
+	    break;
+	}
+    }
+
+    if (i == smime_symmetric_count)
+	cipher = 0;
+    else
+	cipher = smime_cipher_maps[i].cipher;
+
+    cap->cipher = cipher;
+    cap->capIDTag = algtag;
+}
+
+
+static long
+smime_choose_cipher (CERTCertificate *scert, CERTCertificate **rcerts)
+{
+    PRArenaPool *poolp;
+    long chosen_cipher;
+    int *cipher_abilities;
+    int *cipher_votes;
+    int strong_mapi;
+    int rcount, mapi, max, i;
+	PRBool isFortezza = PK11_FortezzaHasKEA(scert);
+
+    if (smime_policy_bits == 0) {
+	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	return -1;
+    }
+
+    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	goto done;
+
+    cipher_abilities = (int*)PORT_ArenaZAlloc (poolp,
+					 smime_symmetric_count * sizeof(int));
+    if (cipher_abilities == NULL)
+	goto done;
+
+    cipher_votes = (int*)PORT_ArenaZAlloc (poolp,
+				     smime_symmetric_count * sizeof(int));
+    if (cipher_votes == NULL)
+	goto done;
+
+    /*
+     * XXX Should have a #define somewhere which specifies default
+     * strong cipher.  (Or better, a way to configure, which would
+     * take Fortezza into account as well.)
+     */
+
+    /* If the user has the Fortezza preference turned on, make
+     *  that the strong cipher. Otherwise, use triple-DES. */
+    strong_mapi = -1;
+    if (isFortezza) {
+	for(i=0;i < smime_current_pref_index && strong_mapi < 0;i++)
+	{
+	    if (smime_prefs[i] == SMIME_FORTEZZA)
+		strong_mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
+	}
+    }
+
+    if (strong_mapi == -1)
+	strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
+
+    PORT_Assert (strong_mapi >= 0);
+
+    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
+	SECItem *profile;
+	smime_capability **caps;
+	int capi, pref;
+	SECStatus dstat;
+
+	pref = smime_symmetric_count;
+	profile = CERT_FindSMimeProfile (rcerts[rcount]);
+	if (profile != NULL && profile->data != NULL && profile->len > 0) {
+	    caps = NULL;
+	    dstat = SEC_QuickDERDecodeItem (poolp, &caps,
+					smime_capabilities_template,
+					profile);
+	    if (dstat == SECSuccess && caps != NULL) {
+		for (capi = 0; caps[capi] != NULL; capi++) {
+		    smime_fill_capability (caps[capi]);
+		    mapi = smime_mapi_by_cipher (caps[capi]->cipher);
+		    if (mapi >= 0) {
+			cipher_abilities[mapi]++;
+			cipher_votes[mapi] += pref;
+			--pref;
+		    }
+		}
+	    }
+	} else {
+	    SECKEYPublicKey *key;
+	    unsigned int pklen_bits;
+
+	    /*
+	     * XXX This is probably only good for RSA keys.  What I would
+	     * really like is a function to just say;  Is the public key in
+	     * this cert an export-length key?  Then I would not have to
+	     * know things like the value 512, or the kind of key, or what
+	     * a subjectPublicKeyInfo is, etc.
+	     */
+	    key = CERT_ExtractPublicKey (rcerts[rcount]);
+	    if (key != NULL) {
+		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
+		SECKEY_DestroyPublicKey (key);
+
+		if (pklen_bits > 512) {
+		    cipher_abilities[strong_mapi]++;
+		    cipher_votes[strong_mapi] += pref;
+		}
+	    }
+	}
+	if (profile != NULL)
+	    SECITEM_FreeItem (profile, PR_TRUE);
+    }
+
+    max = 0;
+    for (mapi = 0; mapi < smime_symmetric_count; mapi++) {
+	if (cipher_abilities[mapi] != rcount)
+	    continue;
+	if (! smime_cipher_allowed (smime_cipher_maps[mapi].cipher))
+	    continue;
+	if (!isFortezza  && (smime_cipher_maps[mapi].cipher == SMIME_FORTEZZA))
+		continue;
+	if (cipher_votes[mapi] > max) {
+	    chosen_cipher = smime_cipher_maps[mapi].cipher;
+	    max = cipher_votes[mapi];
+	} /* XXX else if a tie, let scert break it? */
+    }
+
+done:
+    if (poolp != NULL)
+	PORT_FreeArena (poolp, PR_FALSE);
+
+    return chosen_cipher;
+}
+
+
+/*
+ * XXX This is a hack for now to satisfy our current interface.
+ * Eventually, with more parameters needing to be specified, just
+ * looking up the keysize is not going to be sufficient.
+ */
+static int
+smime_keysize_by_cipher (unsigned long which)
+{
+    int keysize;
+
+    switch (which) {
+      case SMIME_RC2_CBC_40:
+	keysize = 40;
+	break;
+      case SMIME_RC2_CBC_64:
+	keysize = 64;
+	break;
+      case SMIME_RC2_CBC_128:
+	keysize = 128;
+	break;
+#ifdef SMIME_DOES_RC5
+      case SMIME_RC5PAD_64_16_40:
+      case SMIME_RC5PAD_64_16_64:
+      case SMIME_RC5PAD_64_16_128:
+	/* XXX See comment above; keysize is not enough... */
+	PORT_Assert (0);
+	PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
+	keysize = -1;
+	break;
+#endif
+      case SMIME_DES_CBC_56:
+      case SMIME_DES_EDE3_168:
+      case SMIME_FORTEZZA:
+	/*
+	 * These are special; since the key size is fixed, we actually
+	 * want to *avoid* specifying a key size.
+	 */
+	keysize = 0;
+	break;
+      default:
+	keysize = -1;
+	break;
+    }
+
+    return keysize;
+}
+
+
+/*
+ * Start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SECMIME_CreateEncrypted(CERTCertificate *scert,
+			CERTCertificate **rcerts,
+			CERTCertDBHandle *certdb,
+			SECKEYGetPasswordKey pwfn,
+			void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    long cipher;
+    SECOidTag encalg;
+    int keysize;
+    int mapi, rci;
+
+    cipher = smime_choose_cipher (scert, rcerts);
+    if (cipher < 0)
+	return NULL;
+
+    mapi = smime_mapi_by_cipher (cipher);
+    if (mapi < 0)
+	return NULL;
+
+    /*
+     * XXX This is stretching it -- CreateEnvelopedData should probably
+     * take a cipher itself of some sort, because we cannot know what the
+     * future will bring in terms of parameters for each type of algorithm.
+     * For example, just an algorithm and keysize is *not* sufficient to
+     * fully specify the usage of RC5 (which also needs to know rounds and
+     * block size).  Work this out into a better API!
+     */
+    encalg = smime_cipher_maps[mapi].algtag;
+    keysize = smime_keysize_by_cipher (cipher);
+    if (keysize < 0)
+	return NULL;
+
+    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
+					  certdb, encalg, keysize,
+					  pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    for (rci = 0; rcerts[rci] != NULL; rci++) {
+	if (rcerts[rci] == scert)
+	    continue;
+	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
+				   NULL) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+
+    return cinfo;
+}
+
+
+static smime_capability **smime_capabilities;
+static SECItem *smime_encoded_caps;
+static PRBool lastUsedFortezza;
+
+
+static SECStatus
+smime_init_caps (PRBool isFortezza)
+{
+    smime_capability *cap;
+    smime_cipher_map *map;
+    SECOidData *oiddata;
+    SECStatus rv;
+    int i, capIndex;
+
+    if (smime_encoded_caps != NULL 
+	&& (! smime_prefs_changed) 
+	&& lastUsedFortezza == isFortezza)
+	return SECSuccess;
+
+    if (smime_encoded_caps != NULL) {
+	SECITEM_FreeItem (smime_encoded_caps, PR_TRUE);
+	smime_encoded_caps = NULL;
+    }
+
+    if (smime_capabilities == NULL) {
+	smime_capabilities = (smime_capability**)PORT_ZAlloc (
+					  (smime_symmetric_count + 1)
+					  * sizeof(smime_capability *));
+	if (smime_capabilities == NULL)
+	    return SECFailure;
+    }
+
+    rv = SECFailure;
+
+    /* 
+       The process of creating the encoded PKCS7 cipher capability list
+       involves two basic steps: 
+
+       (a) Convert our internal representation of cipher preferences 
+           (smime_prefs) into an array containing cipher OIDs and 
+	   parameter data (smime_capabilities). This step is
+	   performed here.
+
+       (b) Encode, using ASN.1, the cipher information in 
+           smime_capabilities, leaving the encoded result in 
+	   smime_encoded_caps.
+
+       (In the process of performing (a), Lisa put in some optimizations
+       which allow us to avoid needlessly re-populating elements in 
+       smime_capabilities as we walk through smime_prefs.)
+
+       We want to use separate loop variables for smime_prefs and
+       smime_capabilities because in the case where the Skipjack cipher 
+       is turned on in the prefs, but where we don't want to include 
+       Skipjack in the encoded capabilities (presumably due to using a 
+       non-fortezza cert when sending a message), we want to avoid creating
+       an empty element in smime_capabilities. This would otherwise cause 
+       the encoding step to produce an empty set, since Skipjack happens 
+       to be the first cipher in smime_prefs, if it is turned on.
+    */
+    for (i = 0, capIndex = 0; i < smime_current_pref_index; i++, capIndex++) {
+	int mapi;
+
+	/* Get the next cipher preference in smime_prefs. */
+	mapi = smime_mapi_by_cipher (smime_prefs[i]);
+	if (mapi < 0)
+	    break;
+
+	/* Find the corresponding entry in the cipher map. */
+	PORT_Assert (mapi < smime_symmetric_count);
+	map = &(smime_cipher_maps[mapi]);
+
+	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
+	   capabilities. (We advertise all capabilities if we have a 
+	   Fortezza cert.) */
+	if ((!isFortezza) && (map->cipher == SMIME_FORTEZZA))
+	{
+	    capIndex--; /* we want to visit the same caps index entry next time */
+	    continue;
+	}
+
+	/*
+	 * Convert the next preference found in smime_prefs into an
+	 * smime_capability.
+	 */
+
+	cap = smime_capabilities[capIndex];
+	if (cap == NULL) {
+	    cap = (smime_capability*)PORT_ZAlloc (sizeof(smime_capability));
+	    if (cap == NULL)
+		break;
+	    smime_capabilities[capIndex] = cap;
+	} else if (cap->cipher == smime_prefs[i]) {
+	    continue;		/* no change to this one */
+	}
+
+	cap->capIDTag = map->algtag;
+	oiddata = SECOID_FindOIDByTag (map->algtag);
+	if (oiddata == NULL)
+	    break;
+
+	if (cap->capabilityID.data != NULL) {
+	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
+	    cap->capabilityID.data = NULL;
+	    cap->capabilityID.len = 0;
+	}
+
+	rv = SECITEM_CopyItem (NULL, &(cap->capabilityID), &(oiddata->oid));
+	if (rv != SECSuccess)
+	    break;
+
+	if (map->parms == NULL) {
+	    cap->parameters.data = NULL;
+	    cap->parameters.len = 0;
+	} else {
+	    cap->parameters.data = map->parms->data;
+	    cap->parameters.len = map->parms->len;
+	}
+
+	cap->cipher = smime_prefs[i];
+    }
+
+    if (i != smime_current_pref_index)
+	return rv;
+
+    while (capIndex < smime_symmetric_count) {
+	cap = smime_capabilities[capIndex];
+	if (cap != NULL) {
+	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
+	    PORT_Free (cap);
+	}
+	smime_capabilities[capIndex] = NULL;
+	capIndex++;
+    }
+    smime_capabilities[capIndex] = NULL;
+
+    smime_encoded_caps = SEC_ASN1EncodeItem (NULL, NULL, &smime_capabilities,
+					     smime_capabilities_template);
+    if (smime_encoded_caps == NULL)
+	return SECFailure;
+
+    lastUsedFortezza = isFortezza;
+
+    return SECSuccess;
+}
+
+
+static SECStatus
+smime_add_profile (CERTCertificate *cert, SEC_PKCS7ContentInfo *cinfo)
+{
+    PRBool isFortezza = PR_FALSE;
+
+    PORT_Assert (smime_prefs_complete);
+    if (! smime_prefs_complete)
+	return SECFailure;
+
+    /* See if the sender's cert specifies Fortezza key exchange. */
+    if (cert != NULL)
+	isFortezza = PK11_FortezzaHasKEA(cert);
+
+    /* For that matter, if capabilities haven't been initialized yet,
+       do so now. */
+    if (isFortezza != lastUsedFortezza || smime_encoded_caps == NULL || smime_prefs_changed) {
+	SECStatus rv;
+
+	rv = smime_init_caps(isFortezza);
+	if (rv != SECSuccess)
+	    return rv;
+
+	PORT_Assert (smime_encoded_caps != NULL);
+    }
+
+    return SEC_PKCS7AddSignedAttribute (cinfo, SEC_OID_PKCS9_SMIME_CAPABILITIES,
+					smime_encoded_caps);
+}
+
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "ecert" is the signer's encryption cert.  If it is different from
+ * scert, then it will be included in the signed message so that the
+ * recipient can save it for future encryptions.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+
+SEC_PKCS7ContentInfo *
+SECMIME_CreateSigned (CERTCertificate *scert,
+		      CERTCertificate *ecert,
+		      CERTCertDBHandle *certdb,
+		      SECOidTag digestalg,
+		      SECItem *digest,
+		      SECKEYGetPasswordKey pwfn,
+		      void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    /* See note in header comment above about digestalg. */
+    /* Doesn't explain this. PORT_Assert (digestalg == SEC_OID_SHA1); */
+
+    cinfo = SEC_PKCS7CreateSignedData (scert, certUsageEmailSigner,
+				       certdb, digestalg, digest,
+				       pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    if (SEC_PKCS7IncludeCertChain (cinfo, NULL) != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    /* if the encryption cert and the signing cert differ, then include
+     * the encryption cert too.
+     */
+    /* it is ok to compare the pointers since we ref count, and the same
+     * cert will always have the same pointer
+     */
+    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
+	rv = SEC_PKCS7AddCertificate(cinfo, ecert);
+	if ( rv != SECSuccess ) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+    /*
+     * Add the signing time.  But if it fails for some reason,
+     * may as well not give up altogether -- just assert.
+     */
+    rv = SEC_PKCS7AddSigningTime (cinfo);
+    PORT_Assert (rv == SECSuccess);
+
+    /*
+     * Add the email profile.  Again, if it fails for some reason,
+     * may as well not give up altogether -- just assert.
+     */
+    rv = smime_add_profile (ecert, cinfo);
+    PORT_Assert (rv == SECSuccess);
+
+    return cinfo;
+}
diff --git a/security/nss/lib/pkcs7/secmime.h b/security/nss/lib/pkcs7/secmime.h
new file mode 100644
index 000000000..fece45f23
--- /dev/null
+++ b/security/nss/lib/pkcs7/secmime.h
@@ -0,0 +1,195 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Header file for routines specific to S/MIME.  Keep things that are pure
+ * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
+ *
+ * $Id$
+ */
+
+#ifndef _SECMIME_H_
+#define _SECMIME_H_ 1
+
+#include "secpkcs7.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Initialize the local recording of the user S/MIME cipher preferences.
+ * This function is called once for each cipher, the order being
+ * important (first call records greatest preference, and so on).
+ * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
+ * If the function is called again after that, it is assumed that
+ * the preferences are being reset, and the old preferences are
+ * discarded.
+ *
+ * XXX This is for a particular user, and right now the storage is
+ * XXX local, static.  The preference should be stored elsewhere to allow
+ * XXX for multiple uses of one library?  How does SSL handle this;
+ * XXX it has something similar?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.  (It is not necessary to call the function for
+ *    ciphers that are disabled, however, as that is the default.)
+ *
+ * If the cipher preference is successfully recorded, SECSuccess
+ * is returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to failure allocating memory or bad parameters/calls:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX (function is being called more times than there
+ *		are known/expected ciphers)
+ */
+extern SECStatus SECMIME_EnableCipher(long which, int on);
+
+/*
+ * Initialize the local recording of the S/MIME policy.
+ * This function is called to enable/disable a particular cipher.
+ * (S/MIME encryption or decryption using a particular cipher is only
+ * allowed if that cipher is currently enabled.)  At startup, all S/MIME
+ * ciphers are disabled.  From that point, this function can be called
+ * to enable a cipher -- it is not necessary to call this to disable
+ * a cipher unless that cipher was previously, explicitly enabled via
+ * this function.
+ *
+ * XXX This is for a the current module, I think, so local, static storage
+ * XXX is okay.  Is that correct, or could multiple uses of the same
+ * XXX library expect to operate under different policies?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.
+ *
+ * If the cipher is successfully enabled/disabled, SECSuccess is
+ * returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to bad parameters:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX ("which" exceeds expected maximum cipher; this is
+ *		really an internal error)
+ */
+extern SECStatus SECMIME_SetPolicy(long which, int on);
+
+/*
+ * Does the current policy allow S/MIME decryption of this particular
+ * algorithm and keysize?
+ */
+extern PRBool SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+extern PRBool SECMIME_EncryptionPossible(void);
+
+/*
+ * Start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SECMIME_CreateEncrypted(CERTCertificate *scert,
+						     CERTCertificate **rcerts,
+						     CERTCertDBHandle *certdb,
+						     SECKEYGetPasswordKey pwfn,
+						     void *pwfn_arg);
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm.  (It should be SEC_OID_SHA1;
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SECMIME_CreateSigned(CERTCertificate *scert,
+						  CERTCertificate *ecert,
+						  CERTCertDBHandle *certdb,
+						  SECOidTag digestalg,
+						  SECItem *digest,
+						  SECKEYGetPasswordKey pwfn,
+						  void *pwfn_arg);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
new file mode 100644
index 000000000..645eb77d4
--- /dev/null
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -0,0 +1,626 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Interface to the PKCS7 implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _SECPKCS7_H_
+#define _SECPKCS7_H_
+
+#include "seccomon.h"
+
+#include "secoidt.h"
+#include "certt.h"
+#include "keyt.h"
+#include "hasht.h"
+#include "pkcs7t.h"
+
+extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/************************************************************************
+ *	Miscellaneous
+ ************************************************************************/
+
+/*
+ * Returns the content type of the given contentInfo.
+ */
+extern SECOidTag SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Destroy a PKCS7 contentInfo and all of its sub-pieces.
+ */
+extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
+
+/*
+ * Copy a PKCS7 contentInfo.  A Destroy is needed on *each* copy.
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
+
+/*
+ * Return a pointer to the actual content.  In the case of those types
+ * which are encrypted, this returns the *plain* content.
+ */
+extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo);
+
+/************************************************************************
+ *	PKCS7 Decoding, Verification, etc..
+ ************************************************************************/
+
+extern SEC_PKCS7DecoderContext *
+SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
+		      void *callback_arg,
+		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		      void *decrypt_key_cb_arg,
+		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
+
+extern SECStatus
+SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
+		       const char *buf, unsigned long len);
+
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
+
+
+/*  Abort the underlying ASN.1 stream & set an error  */
+void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error);
+
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7DecodeItem(SECItem *p7item,
+		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		    void *decrypt_key_cb_arg,
+		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
+
+extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
+
+/* checks to see if the contents of the content info is
+ * empty.  it so, PR_TRUE is returned.  PR_FALSE, otherwise.
+ *
+ * minLen is used to specify a minimum size.  if content size <= minLen,
+ * content is assumed empty.
+ */
+extern PRBool 
+SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen); 
+
+extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * If the PKCS7 content has a signature (not just *could* have a signature)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * SEC_PKCS7VerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+				       SECCertUsage certusage,
+				       PRBool keepcerts);
+
+/*
+ * SEC_PKCS7VerifyDetachedSignature
+ *	Look at a PKCS7 contentInfo and check if the signature matches
+ *	a passed-in digest (calculated, supposedly, from detached contents).
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+					       SECCertUsage certusage,
+					       SECItem *detached_digest,
+					       HASH_HashType digest_type,
+					       PRBool keepcerts);
+
+/*
+ * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
+ *      The passed-in contentInfo is espected to be Signed, and these
+ *      functions return the specified portion of the full signer name.
+ *
+ *      Returns a pointer to allocated memory, which must be freed.
+ *      A NULL return value is an error.
+ */
+extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo);
+extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
+ */
+extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo);
+
+
+/************************************************************************
+ *	PKCS7 Creation and Encoding.
+ ************************************************************************/
+
+/*
+ * Start a PKCS7 signing context.
+ *
+ * "cert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "signing" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * The return value can be passed to functions which add things to
+ * it like attributes, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateSignedData (CERTCertificate *cert,
+			   SECCertUsage certusage,
+			   CERTCertDBHandle *certdb,
+			   SECOidTag digestalg,
+			   SECItem *digest,
+		           SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * Create a PKCS7 certs-only container.
+ *
+ * "cert" is the (first) cert that will be included.
+ *
+ * "include_chain" specifies whether the entire chain for "cert" should
+ * be included.
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL in when "include_chain" is false, or when meaning
+ * use the default database.
+ *
+ * More certs and chains can be added via AddCertficate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
+			  PRBool include_chain,
+			  CERTCertDBHandle *certdb);
+
+/*
+ * Start a PKCS7 enveloping context.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
+ *
+ * "keysize" specifies the bulk encryption key size, in bits.
+ *
+ * The return value can be passed to functions which add things to
+ * it like more recipients, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
+			      SECCertUsage certusage,
+			      CERTCertDBHandle *certdb,
+			      SECOidTag encalg,
+			      int keysize,
+		              SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * XXX There will be a similar routine for creating signedAndEnvelopedData.
+ * But its parameters will be different and I have no plans to implement
+ * it any time soon because we have no current need for it.
+ */
+
+/*
+ * Create an empty PKCS7 data content info.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData (void);
+
+/*
+ * Create an empty PKCS7 encrypted content info.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
+			      SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * All of the following things return SECStatus to signal success or failure.
+ * Failure should have a more specific error status available via
+ * PORT_GetError()/XP_GetError().
+ */
+
+/*
+ * Add the specified attribute to the authenticated (i.e. signed) attributes
+ * of "cinfo" -- "oidtag" describes the attribute and "value" is the
+ * value to be associated with it.  NOTE! "value" must already be encoded;
+ * no interpretation of "oidtag" is done.  Also, it is assumed that this
+ * signedData has only one signer -- if we ever need to add attributes
+ * when there is more than one signature, we need a way to specify *which*
+ * signature should get the attribute.
+ *
+ * XXX Technically, a signed attribute can have multiple values; if/when
+ * we ever need to support an attribute which takes multiple values, we
+ * either need to change this interface or create an AddSignedAttributeValue
+ * which can be called subsequently, and would then append a value.
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
+					      SECOidTag oidtag,
+					      SECItem *value);
+
+/*
+ * Add "cert" and its entire chain to the set of certs included in "cinfo".
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
+					CERTCertificate *cert,
+					CERTCertDBHandle *certdb);
+
+/*
+ * Add "cert" to the set of certs included in "cinfo".
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo,
+					  CERTCertificate *cert);
+
+/*
+ * Add another recipient to an encrypted message.
+ *
+ * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ */
+extern SECStatus SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
+					CERTCertificate *cert,
+					SECCertUsage certusage,
+					CERTCertDBHandle *certdb);
+
+/*
+ * Add the signing time to the authenticated (i.e. signed) attributes
+ * of "cinfo".  This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will either do
+ * nothing or replace an old signing time with a newer one.
+ *
+ * XXX This will probably just shove the current time into "cinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Add the signer's symmetric capabilities to the authenticated
+ * (i.e. signed) attributes of "cinfo".  This is expected to be
+ * included in outgoing signed messages for email (S/MIME).
+ *
+ * This can only be added once; a second call will return SECFailure.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Mark that the signer's certificate and its issuing chain should
+ * be included in the encoded data.  This is expected to be used
+ * in outgoing signed messages for email (S/MIME).
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
+					    CERTCertDBHandle *certdb);
+
+
+/*
+ * Set the content; it will be included and also hashed and/or encrypted
+ * as appropriate.  This is for in-memory content (expected to be "small")
+ * that will be included in the PKCS7 object.  All others should stream the
+ * content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
+ *
+ * "buf" points to data of length "len"; it will be copied.
+ */
+extern SECStatus SEC_PKCS7SetContent (SEC_PKCS7ContentInfo *cinfo,
+				      const char *buf, unsigned long len);
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECStatus SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
+				  SEC_PKCS7EncoderOutputCallback outputfn,
+				  void *outputarg,
+				  PK11SymKey *bulkkey,
+				  SECKEYGetPasswordKey pwfn,
+				  void *pwfnarg);
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).  The output, rather than
+ * being passed to an output function as is done above, is all put
+ * into a SECItem.
+ *
+ * "pool" specifies a pool from which to allocate the result.
+ * It can be NULL, in which case memory is allocated generically.
+ *
+ * "dest" specifies a SECItem in which to put the result data.
+ * It can be NULL, in which case the entire item is allocated, too.
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECItem *SEC_PKCS7EncodeItem (PLArenaPool *pool,
+				     SECItem *dest,
+				     SEC_PKCS7ContentInfo *cinfo,
+				     PK11SymKey *bulkkey,
+				     SECKEYGetPasswordKey pwfn,
+				     void *pwfnarg);
+
+/*
+ * For those who want to simply point to the pkcs7 contentInfo ASN.1
+ * template, and *not* call the encoding functions directly, the
+ * following function can be used -- after it is called, the entire
+ * PKCS7 contentInfo is ready to be encoded.
+ */
+extern SECStatus SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
+					    PK11SymKey *bulkkey,
+					    SECKEYGetPasswordKey pwfn,
+					    void *pwfnarg);
+
+/*
+ * Start the process of encoding a PKCS7 object.  The first part of
+ * the encoded object will be passed to the output function right away;
+ * after that it is expected that SEC_PKCS7EncoderUpdate will be called,
+ * streaming in the actual content that is getting included as well as
+ * signed or encrypted (or both).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * Returns an object to be passed to EncoderUpdate and EncoderFinish.
+ */
+extern SEC_PKCS7EncoderContext *
+SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
+		       SEC_PKCS7EncoderOutputCallback outputfn,
+		       void *outputarg,
+		       PK11SymKey *bulkkey);
+
+/*
+ * Encode more contents, hashing and/or encrypting along the way.
+ */
+extern SECStatus SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
+					 const char *buf,
+					 unsigned long len);
+
+/*
+ * No more contents; finish the signature creation, if appropriate,
+ * and then the encoding.
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * signer's private key.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
+					 SECKEYGetPasswordKey pwfn,
+					 void *pwfnarg);
+
+/*  Abort the underlying ASN.1 stream & set an error  */
+void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error);
+
+/* retrieve the algorithm ID used to encrypt the content info
+ * for encrypted and enveloped data.  The SECAlgorithmID pointer
+ * returned needs to be freed as it is a copy of the algorithm
+ * id in the content info.
+ */ 
+extern SECAlgorithmID *
+SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo); 
+
+/* the content of an encrypted data content info is encrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "plainContent" field of the content info.
+ *
+ * cinfo is the content info to encrypt
+ *
+ * key is the key with which to perform the encryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+extern SECStatus 
+SEC_PKCS7EncryptContents(PLArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo, 
+			 SECItem *key,
+			 void *wincx); 
+	
+/* the content of an encrypted data content info is decrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "encContent" field of the content info.
+ *
+ * cinfo is the content info to decrypt
+ *
+ * key is the key with which to perform the decryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+extern SECStatus 
+SEC_PKCS7DecryptContents(PLArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo, 
+			 SECItem *key,
+			 void *wincx); 
+
+/* retrieve the certificate list from the content info.  the list
+ * is a pointer to the list in the content info.  this should not
+ * be deleted or freed in any way short of calling 
+ * SEC_PKCS7DestroyContentInfo
+ */
+extern SECItem **
+SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
+
+/* Returns the key length (in bits) of the algorithm used to encrypt
+   this object.  Returns 0 if it's not encrypted, or the key length is
+   irrelevant. */
+extern int 
+SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
+ 
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECPKCS7_H_ */
diff --git a/security/nss/lib/pki/Makefile b/security/nss/lib/pki/Makefile
new file mode 100644
index 000000000..2d25c00f2
--- /dev/null
+++ b/security/nss/lib/pki/Makefile
@@ -0,0 +1,44 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
new file mode 100644
index 000000000..ee47361cd
--- /dev/null
+++ b/security/nss/lib/pki/asymmkey.c
@@ -0,0 +1,434 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT PRStatus
+NSSPrivateKey_Destroy (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPrivateKey_DeleteStoredObject (
+  NSSPrivateKey *vk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSPrivateKey_GetSignatureLength (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSPrivateKey_GetPrivateModulusLength (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRBool
+NSSPrivateKey_IsStillPresent (
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Encode (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSPrivateKey_GetTrustDomain (
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSPrivateKey_GetToken (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSPrivateKey_GetSlot (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSPrivateKey_GetModule (
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Decrypt (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Sign (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_SignRecover (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSPrivateKey_UnwrapSymmetricKey (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSPrivateKey_DeriveSymmetricKey (
+  NSSPrivateKey *vk,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSPrivateKey_FindPublicKey (
+  NSSPrivateKey *vk
+  /* { don't need the callback here, right? } */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSPrivateKey_CreateCryptoContext (
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSPrivateKey_FindCertificates (
+  NSSPrivateKey *vk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSPrivateKey_FindBestCertificate (
+  NSSPrivateKey *vk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_Destroy (
+  NSSPublicKey *bk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_DeleteStoredObject (
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_Encode (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *ap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSPublicKey_GetTrustDomain (
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSPublicKey_GetToken (
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSPublicKey_GetSlot (
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSPublicKey_GetModule (
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_Encrypt (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_Verify (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_VerifyRecover (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_WrapSymmetricKey (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSPublicKey_CreateCryptoContext (
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSPublicKey_FindCertificates (
+  NSSPublicKey *bk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSPublicKey_FindBestCertificate (
+  NSSPublicKey *bk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSPublicKey_FindPrivateKey (
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/certdecode.c b/security/nss/lib/pki/certdecode.c
new file mode 100644
index 000000000..6f6940aa0
--- /dev/null
+++ b/security/nss/lib/pki/certdecode.c
@@ -0,0 +1,101 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+/* This is defined in pki3hack.c */
+NSS_EXTERN nssDecodedCert *
+nssDecodedPKIXCertificate_Create (
+  NSSArena *arenaOpt,
+  NSSDER *encoding
+);
+
+NSS_IMPLEMENT PRStatus
+nssDecodedPKIXCertificate_Destroy (
+  nssDecodedCert *dc
+);
+
+NSS_IMPLEMENT nssDecodedCert *
+nssDecodedCert_Create (
+  NSSArena *arenaOpt,
+  NSSDER *encoding,
+  NSSCertificateType type
+)
+{
+    nssDecodedCert *rvDC = NULL;
+    switch(type) {
+    case NSSCertificateType_PKIX:
+	rvDC = nssDecodedPKIXCertificate_Create(arenaOpt, encoding);
+	break;
+    default:
+#if 0
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+#endif
+	return (nssDecodedCert *)NULL;
+    }
+    return rvDC;
+}
+
+NSS_IMPLEMENT PRStatus
+nssDecodedCert_Destroy (
+  nssDecodedCert *dc
+)
+{
+    if (!dc) {
+	return PR_FAILURE;
+    }
+    switch(dc->type) {
+    case NSSCertificateType_PKIX:
+	return nssDecodedPKIXCertificate_Destroy(dc);
+    default:
+#if 0
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+#endif
+	break;
+    }
+    return PR_FAILURE;
+}
+
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
new file mode 100644
index 000000000..c7b331d03
--- /dev/null
+++ b/security/nss/lib/pki/certificate.c
@@ -0,0 +1,1154 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#include "pkistore.h"
+
+#include "pki3hack.h"
+#include "pk11func.h"
+#include "hasht.h"
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+/* Creates a certificate from a base object */
+NSS_IMPLEMENT NSSCertificate *
+nssCertificate_Create (
+  nssPKIObject *object
+)
+{
+    PRStatus status;
+    NSSCertificate *rvCert;
+    nssArenaMark * mark;
+    NSSArena *arena = object->arena;
+    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
+    PR_ASSERT(object->lockType == nssPKIMonitor);
+    mark = nssArena_Mark(arena);
+    rvCert = nss_ZNEW(arena, NSSCertificate);
+    if (!rvCert) {
+	return (NSSCertificate *)NULL;
+    }
+    rvCert->object = *object;
+    /* XXX should choose instance based on some criteria */
+    status = nssCryptokiCertificate_GetAttributes(object->instances[0],
+                                                  NULL,  /* XXX sessionOpt */
+                                                  arena,
+                                                  &rvCert->type,
+                                                  &rvCert->id,
+                                                  &rvCert->encoding,
+                                                  &rvCert->issuer,
+                                                  &rvCert->serial,
+                                                  &rvCert->subject);
+    if (status != PR_SUCCESS ||
+	!rvCert->encoding.data ||
+	!rvCert->encoding.size ||
+	!rvCert->issuer.data ||
+	!rvCert->issuer.size ||
+	!rvCert->serial.data ||
+	!rvCert->serial.size) {
+	if (mark)
+	    nssArena_Release(arena, mark);
+	return (NSSCertificate *)NULL;
+    }
+    if (mark)
+	nssArena_Unmark(arena, mark);
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificate_AddRef (
+  NSSCertificate *c
+)
+{
+    if (c) {
+	nssPKIObject_AddRef(&c->object);
+    }
+    return c;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCertificate_Destroy (
+  NSSCertificate *c
+)
+{
+    nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+    nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
+
+    if (c) {
+	PRUint32 i;
+	nssDecodedCert *dc = c->decoding;
+	NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+	NSSCryptoContext *cc = c->object.cryptoContext;
+
+	PR_ASSERT(c->object.refCount > 0);
+
+	/* --- LOCK storage --- */
+	if (cc) {
+	    nssCertificateStore_Lock(cc->certStore, &lockTrace);
+	} else {
+	    nssTrustDomain_LockCertCache(td);
+	}
+	if (PR_AtomicDecrement(&c->object.refCount) == 0) {
+	    /* --- remove cert and UNLOCK storage --- */
+	    if (cc) {
+		nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
+		nssCertificateStore_Unlock(cc->certStore, &lockTrace,
+                                           &unlockTrace);
+	    } else {
+		nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
+		nssTrustDomain_UnlockCertCache(td);
+	    }
+	    /* free cert data */
+	    for (i=0; i<c->object.numInstances; i++) {
+		nssCryptokiObject_Destroy(c->object.instances[i]);
+	    }
+	    nssPKIObject_DestroyLock(&c->object);
+	    nssArena_Destroy(c->object.arena);
+	    nssDecodedCert_Destroy(dc);
+	} else {
+	    /* --- UNLOCK storage --- */
+	    if (cc) {
+		nssCertificateStore_Unlock(cc->certStore,
+					   &lockTrace,
+					   &unlockTrace);
+	    } else {
+		nssTrustDomain_UnlockCertCache(td);
+	    }
+	}
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Destroy (
+  NSSCertificate *c
+)
+{
+    return nssCertificate_Destroy(c);
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCertificate_GetEncoding (
+  NSSCertificate *c
+)
+{
+    if (c->encoding.size > 0 && c->encoding.data) {
+	return &c->encoding;
+    } else {
+	return (NSSDER *)NULL;
+    }
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCertificate_GetIssuer (
+  NSSCertificate *c
+)
+{
+    if (c->issuer.size > 0 && c->issuer.data) {
+	return &c->issuer;
+    } else {
+	return (NSSDER *)NULL;
+    }
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCertificate_GetSerialNumber (
+  NSSCertificate *c
+)
+{
+    if (c->serial.size > 0 && c->serial.data) {
+	return &c->serial;
+    } else {
+	return (NSSDER *)NULL;
+    }
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCertificate_GetSubject (
+  NSSCertificate *c
+)
+{
+    if (c->subject.size > 0 && c->subject.data) {
+	return &c->subject;
+    } else {
+	return (NSSDER *)NULL;
+    }
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssCertificate_GetNickname (
+  NSSCertificate *c,
+  NSSToken *tokenOpt
+)
+{
+    return nssPKIObject_GetNicknameForToken(&c->object, tokenOpt);
+}
+
+NSS_IMPLEMENT NSSASCII7 *
+nssCertificate_GetEmailAddress (
+  NSSCertificate *c
+)
+{
+    return c->email;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_DeleteStoredObject (
+  NSSCertificate *c,
+  NSSCallback *uhh
+)
+{
+    return nssPKIObject_DeleteStoredObject(&c->object, uhh, PR_TRUE);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Validate (
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT void ** /* void *[] */
+NSSCertificate_ValidateCompletely (
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt, /* NULL for none */
+  void **rvOpt, /* NULL for allocate */
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt /* NULL for heap */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_ValidateAndDiscoverUsagesAndPolicies (
+  NSSCertificate *c,
+  NSSTime **notBeforeOutOpt,
+  NSSTime **notAfterOutOpt,
+  void *allowedUsages,
+  void *disallowedUsages,
+  void *allowedPolicies,
+  void *disallowedPolicies,
+  /* more args.. work on this fgmr */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSDER *
+NSSCertificate_Encode (
+  NSSCertificate *c,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    /* Item, DER, BER are all typedefs now... */
+    return nssItem_Duplicate((NSSItem *)&c->encoding, arenaOpt, rvOpt);
+}
+
+NSS_IMPLEMENT nssDecodedCert *
+nssCertificate_GetDecoding (
+  NSSCertificate *c
+)
+{
+    nssDecodedCert* deco = NULL;
+    nssPKIObject_Lock(&c->object);
+    if (!c->decoding) {
+	deco = nssDecodedCert_Create(NULL, &c->encoding, c->type);
+    	PORT_Assert(!c->decoding); 
+        c->decoding = deco;
+    } else {
+        deco = c->decoding;
+    }
+    nssPKIObject_Unlock(&c->object);
+    return deco;
+}
+
+static NSSCertificate **
+filter_subject_certs_for_id (
+  NSSCertificate **subjectCerts, 
+  void *id
+)
+{
+    NSSCertificate **si;
+    nssDecodedCert *dcp;
+    int nextOpenSlot = 0;
+    int i;
+    nssCertIDMatch matchLevel = nssCertIDMatch_Unknown;
+    nssCertIDMatch match;
+
+    /* walk the subject certs */
+    for (si = subjectCerts; *si; si++) {
+	dcp = nssCertificate_GetDecoding(*si);
+	if (!dcp) {
+	    NSSCertificate_Destroy(*si);
+	    continue;
+	}
+	match = dcp->matchIdentifier(dcp, id);
+	switch (match) {
+	case nssCertIDMatch_Yes:
+	    if (matchLevel == nssCertIDMatch_Unknown) {
+		/* we have non-definitive matches, forget them */
+		for (i = 0; i < nextOpenSlot; i++) {
+		    NSSCertificate_Destroy(subjectCerts[i]);
+		    subjectCerts[i] = NULL;
+		}
+		nextOpenSlot = 0;
+		/* only keep definitive matches from now on */
+		matchLevel = nssCertIDMatch_Yes;
+	    }
+	    /* keep the cert */
+	    subjectCerts[nextOpenSlot++] = *si;
+	    break;
+	case nssCertIDMatch_Unknown:
+	    if (matchLevel == nssCertIDMatch_Unknown) {
+		/* only have non-definitive matches so far, keep it */
+		subjectCerts[nextOpenSlot++] = *si;
+		break;
+	    }
+	    /* else fall through, we have a definitive match already */
+	case nssCertIDMatch_No:
+	default:
+	    NSSCertificate_Destroy(*si);
+	    *si = NULL;
+	}
+    }
+    subjectCerts[nextOpenSlot] = NULL;
+    return subjectCerts;
+}
+
+static NSSCertificate **
+filter_certs_for_valid_issuers (
+  NSSCertificate **certs
+)
+{
+    NSSCertificate **cp;
+    nssDecodedCert *dcp;
+    int nextOpenSlot = 0;
+
+    for (cp = certs; *cp; cp++) {
+	dcp = nssCertificate_GetDecoding(*cp);
+	if (dcp && dcp->isValidIssuer(dcp)) {
+	    certs[nextOpenSlot++] = *cp;
+	} else {
+	    NSSCertificate_Destroy(*cp);
+	}
+    }
+    certs[nextOpenSlot] = NULL;
+    return certs;
+}
+
+static NSSCertificate *
+find_cert_issuer (
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc
+)
+{
+    NSSArena *arena;
+    NSSCertificate **certs = NULL;
+    NSSCertificate **ccIssuers = NULL;
+    NSSCertificate **tdIssuers = NULL;
+    NSSCertificate *issuer = NULL;
+
+    if (!cc)
+	cc = c->object.cryptoContext;
+    if (!td)
+	td = NSSCertificate_GetTrustDomain(c);
+    arena = nssArena_Create();
+    if (!arena) {
+	return (NSSCertificate *)NULL;
+    }
+    if (cc) {
+	ccIssuers = nssCryptoContext_FindCertificatesBySubject(cc,
+	                                                       &c->issuer,
+	                                                       NULL,
+	                                                       0,
+	                                                       arena);
+    }
+    if (td)
+	tdIssuers = nssTrustDomain_FindCertificatesBySubject(td,
+                                                         &c->issuer,
+                                                         NULL,
+                                                         0,
+                                                         arena);
+    certs = nssCertificateArray_Join(ccIssuers, tdIssuers);
+    if (certs) {
+	nssDecodedCert *dc = NULL;
+	void *issuerID = NULL;
+	dc = nssCertificate_GetDecoding(c);
+	if (dc) {
+	    issuerID = dc->getIssuerIdentifier(dc);
+	}
+	/* XXX review based on CERT_FindCertIssuer
+	 * this function is not using the authCertIssuer field as a fallback
+	 * if authority key id does not exist
+	 */
+	if (issuerID) {
+	    certs = filter_subject_certs_for_id(certs, issuerID);
+	}
+	certs = filter_certs_for_valid_issuers(certs);
+	issuer = nssCertificateArray_FindBestCertificate(certs,
+	                                                 timeOpt,
+	                                                 usage,
+	                                                 policiesOpt);
+	nssCertificateArray_Destroy(certs);
+    }
+    nssArena_Destroy(arena);
+    return issuer;
+}
+
+/* This function returns the built chain, as far as it gets,
+** even if/when it fails to find an issuer, and returns PR_FAILURE
+*/
+NSS_IMPLEMENT NSSCertificate **
+nssCertificate_BuildChain (
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit,
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc 
+)
+{
+    NSSCertificate **rvChain = NULL;
+    NSSUsage issuerUsage = *usage;
+    nssPKIObjectCollection *collection = NULL;
+    PRUint32  rvCount = 0;
+    PRStatus  st;
+    PRStatus  ret = PR_SUCCESS;
+
+    if (!c || !cc ||
+        (!td && (td = NSSCertificate_GetTrustDomain(c)) == NULL)) {
+	goto loser;
+    }
+    /* bump the usage up to CA level */
+    issuerUsage.nss3lookingForCA = PR_TRUE;
+    collection = nssCertificateCollection_Create(td, NULL);
+    if (!collection)
+	goto loser;
+    st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c);
+    if (st != PR_SUCCESS)
+    	goto loser;
+    for (rvCount = 1; (!rvLimit || rvCount < rvLimit); ++rvCount) {
+	CERTCertificate *cCert = STAN_GetCERTCertificate(c);
+	if (cCert->isRoot) {
+	    /* not including the issuer of the self-signed cert, which is,
+	     * of course, itself
+	     */
+	    break;
+	}
+	c = find_cert_issuer(c, timeOpt, &issuerUsage, policiesOpt, td, cc);
+	if (!c) {
+	    ret = PR_FAILURE;
+	    break;
+	}
+	st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c);
+	nssCertificate_Destroy(c); /* collection has it */
+	if (st != PR_SUCCESS)
+	    goto loser;
+    }
+    rvChain = nssPKIObjectCollection_GetCertificates(collection, 
+                                                     rvOpt, 
+                                                     rvLimit, 
+                                                     arenaOpt);
+    if (rvChain) {
+	nssPKIObjectCollection_Destroy(collection);
+	if (statusOpt) 
+	    *statusOpt = ret;
+	if (ret != PR_SUCCESS)
+	    nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
+	return rvChain;
+    }
+
+loser:
+    if (collection)
+	nssPKIObjectCollection_Destroy(collection);
+    if (statusOpt) 
+	*statusOpt = PR_FAILURE;
+    nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
+    return rvChain;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCertificate_BuildChain (
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc 
+)
+{
+    return nssCertificate_BuildChain(c, timeOpt, usage, policiesOpt,
+                                     rvOpt, rvLimit, arenaOpt, statusOpt,
+				     td, cc);
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+nssCertificate_GetCryptoContext (
+  NSSCertificate *c
+)
+{
+    return c->object.cryptoContext;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+nssCertificate_GetTrustDomain (
+  NSSCertificate *c
+)
+{
+    return c->object.trustDomain;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSCertificate_GetTrustDomain (
+  NSSCertificate *c
+)
+{
+    return nssCertificate_GetTrustDomain(c);
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSCertificate_GetToken (
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSToken *)NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSCertificate_GetSlot (
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSSlot *)NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSCertificate_GetModule (
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSModule *)NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_Encrypt (
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Verify (
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_VerifyRecover (
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_WrapSymmetricKey (
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSCertificate_CreateCryptoContext (
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh  
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSCertificate_GetPublicKey (
+  NSSCertificate *c
+)
+{
+#if 0
+    CK_ATTRIBUTE pubktemplate[] = {
+	{ CKA_CLASS,   NULL, 0 },
+	{ CKA_ID,      NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 }
+    };
+    PRStatus nssrv;
+    CK_ULONG count = sizeof(pubktemplate) / sizeof(pubktemplate[0]);
+    NSS_CK_SET_ATTRIBUTE_ITEM(pubktemplate, 0, &g_ck_class_pubkey);
+    if (c->id.size > 0) {
+	/* CKA_ID */
+	NSS_CK_ITEM_TO_ATTRIBUTE(&c->id, &pubktemplate[1]);
+    } else {
+	/* failure, yes? */
+	return (NSSPublicKey *)NULL;
+    }
+    if (c->subject.size > 0) {
+	/* CKA_SUBJECT */
+	NSS_CK_ITEM_TO_ATTRIBUTE(&c->subject, &pubktemplate[2]);
+    } else {
+	/* failure, yes? */
+	return (NSSPublicKey *)NULL;
+    }
+    /* Try the cert's token first */
+    if (c->token) {
+	nssrv = nssToken_FindObjectByTemplate(c->token, pubktemplate, count);
+    }
+#endif
+    /* Try all other key tokens */
+    return (NSSPublicKey *)NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSCertificate_FindPrivateKey (
+  NSSCertificate *c,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRBool
+NSSCertificate_IsPrivateKeyAvailable (
+  NSSCertificate *c,
+  NSSCallback *uhh,
+  PRStatus *statusOpt
+)
+{
+    PRBool isUser = PR_FALSE;
+    nssCryptokiObject **ip;
+    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+    if (!instances) {
+	return PR_FALSE;
+    }
+    for (ip = instances; *ip; ip++) {
+	nssCryptokiObject *instance = *ip;
+	if (nssToken_IsPrivateKeyAvailable(instance->token, c, instance)) {
+	    isUser = PR_TRUE;
+	}
+    }
+    nssCryptokiObjectArray_Destroy(instances);
+    return isUser;
+}
+
+/* sort the subject cert list from newest to oldest */
+PRIntn
+nssCertificate_SubjectListSort (
+  void *v1,
+  void *v2
+)
+{
+    NSSCertificate *c1 = (NSSCertificate *)v1;
+    NSSCertificate *c2 = (NSSCertificate *)v2;
+    nssDecodedCert *dc1 = nssCertificate_GetDecoding(c1);
+    nssDecodedCert *dc2 = nssCertificate_GetDecoding(c2);
+    if (!dc1) {
+	return dc2 ? 1 : 0;
+    } else if (!dc2) {
+	return -1;
+    } else {
+	return dc1->isNewerThan(dc1, dc2) ? -1 : 1;
+    }
+}
+
+NSS_IMPLEMENT PRBool
+NSSUserCertificate_IsStillPresent (
+  NSSUserCertificate *uc,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_Decrypt (
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_Sign (
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_SignRecover (
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSUserCertificate_UnwrapSymmetricKey (
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSUserCertificate_DeriveSymmetricKey (
+  NSSUserCertificate *uc, /* provides private key */
+  NSSCertificate *c, /* provides public key */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_Create (
+  NSSCertificate *cert,
+  NSSItem *profileTime,
+  NSSItem *profileData
+)
+{
+    NSSArena *arena;
+    nssSMIMEProfile *rvProfile;
+    nssPKIObject *object;
+    NSSTrustDomain *td = nssCertificate_GetTrustDomain(cert);
+    NSSCryptoContext *cc = nssCertificate_GetCryptoContext(cert);
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    object = nssPKIObject_Create(arena, NULL, td, cc, nssPKILock);
+    if (!object) {
+	goto loser;
+    }
+    rvProfile = nss_ZNEW(arena, nssSMIMEProfile);
+    if (!rvProfile) {
+	goto loser;
+    }
+    rvProfile->object = *object;
+    rvProfile->certificate = cert;
+    rvProfile->email = nssUTF8_Duplicate(cert->email, arena);
+    rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL);
+    if (profileTime) {
+	rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL);
+    }
+    if (profileData) {
+	rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL);
+    }
+    return rvProfile;
+loser:
+    if (object) nssPKIObject_Destroy(object);
+    else if (arena)  nssArena_Destroy(arena);
+    return (nssSMIMEProfile *)NULL;
+}
+
+/* execute a callback function on all members of a cert list */
+NSS_EXTERN PRStatus
+nssCertificateList_DoCallback (
+  nssList *certList, 
+  PRStatus (* callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRStatus nssrv;
+    certs = nssList_CreateIterator(certList);
+    if (!certs) {
+        return PR_FAILURE;
+    }
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	nssrv = (*callback)(cert, arg);
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    return PR_SUCCESS;
+}
+
+static PRStatus add_ref_callback(NSSCertificate *c, void *a)
+{
+    nssCertificate_AddRef(c);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssCertificateList_AddReferences (
+  nssList *certList
+)
+{
+    (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL);
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssTrust_Create (
+  nssPKIObject *object,
+  NSSItem *certData
+)
+{
+    PRStatus status;
+    PRUint32 i;
+    PRUint32 lastTrustOrder, myTrustOrder;
+    unsigned char sha1_hashcmp[SHA1_LENGTH];
+    unsigned char sha1_hashin[SHA1_LENGTH];
+    NSSItem sha1_hash;
+    NSSTrust *rvt;
+    nssCryptokiObject *instance;
+    nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
+    SECStatus rv; /* Should be stan flavor */
+    PRBool stepUp;
+
+    lastTrustOrder = 1<<16; /* just make it big */
+    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
+    rvt = nss_ZNEW(object->arena, NSSTrust);
+    if (!rvt) {
+	return (NSSTrust *)NULL;
+    }
+    rvt->object = *object;
+
+    /* should be stan flavor of Hashbuf */
+    rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
+    if (rv != SECSuccess) {
+	return (NSSTrust *)NULL;
+    }
+    sha1_hash.data = sha1_hashin;
+    sha1_hash.size = sizeof (sha1_hashin);
+    /* trust has to peek into the base object members */
+    nssPKIObject_Lock(object);
+    for (i=0; i<object->numInstances; i++) {
+	instance = object->instances[i];
+	myTrustOrder = nssToken_GetTrustOrder(instance->token);
+	status = nssCryptokiTrust_GetAttributes(instance, NULL,
+						&sha1_hash,
+	                                        &serverAuth,
+	                                        &clientAuth,
+	                                        &codeSigning,
+	                                        &emailProtection,
+	                                        &stepUp);
+	if (status != PR_SUCCESS) {
+	    nssPKIObject_Unlock(object);
+	    return (NSSTrust *)NULL;
+	}
+	if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
+	    nssPKIObject_Unlock(object);
+	    return (NSSTrust *)NULL;
+	}
+	if (rvt->serverAuth == nssTrustLevel_Unknown ||
+	    myTrustOrder < lastTrustOrder) 
+	{
+	    rvt->serverAuth = serverAuth;
+	}
+	if (rvt->clientAuth == nssTrustLevel_Unknown ||
+	    myTrustOrder < lastTrustOrder) 
+	{
+	    rvt->clientAuth = clientAuth;
+	}
+	if (rvt->emailProtection == nssTrustLevel_Unknown ||
+	    myTrustOrder < lastTrustOrder) 
+	{
+	    rvt->emailProtection = emailProtection;
+	}
+	if (rvt->codeSigning == nssTrustLevel_Unknown ||
+	    myTrustOrder < lastTrustOrder) 
+	{
+	    rvt->codeSigning = codeSigning;
+	}
+	rvt->stepUpApproved = stepUp;
+	lastTrustOrder = myTrustOrder;
+    }
+    nssPKIObject_Unlock(object);
+    return rvt;
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssTrust_AddRef (
+  NSSTrust *trust
+)
+{
+    if (trust) {
+	nssPKIObject_AddRef(&trust->object);
+    }
+    return trust;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTrust_Destroy (
+  NSSTrust *trust
+)
+{
+    if (trust) {
+	(void)nssPKIObject_Destroy(&trust->object);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_AddRef (
+  nssSMIMEProfile *profile
+)
+{
+    if (profile) {
+	nssPKIObject_AddRef(&profile->object);
+    }
+    return profile;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSMIMEProfile_Destroy (
+  nssSMIMEProfile *profile
+)
+{
+    if (profile) {
+	(void)nssPKIObject_Destroy(&profile->object);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSCRL *
+nssCRL_Create (
+  nssPKIObject *object
+)
+{
+    PRStatus status;
+    NSSCRL *rvCRL;
+    NSSArena *arena = object->arena;
+    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
+    rvCRL = nss_ZNEW(arena, NSSCRL);
+    if (!rvCRL) {
+	return (NSSCRL *)NULL;
+    }
+    rvCRL->object = *object;
+    /* XXX should choose instance based on some criteria */
+    status = nssCryptokiCRL_GetAttributes(object->instances[0],
+                                          NULL,  /* XXX sessionOpt */
+                                          arena,
+                                          &rvCRL->encoding,
+                                          NULL, /* subject */
+                                          NULL, /* class */
+                                          &rvCRL->url,
+                                          &rvCRL->isKRL);
+    if (status != PR_SUCCESS) {
+	return (NSSCRL *)NULL;
+    }
+    return rvCRL;
+}
+
+NSS_IMPLEMENT NSSCRL *
+nssCRL_AddRef (
+  NSSCRL *crl
+)
+{
+    if (crl) {
+	nssPKIObject_AddRef(&crl->object);
+    }
+    return crl;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCRL_Destroy (
+  NSSCRL *crl
+)
+{
+    if (crl) {
+	(void)nssPKIObject_Destroy(&crl->object);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCRL_DeleteStoredObject (
+  NSSCRL *crl,
+  NSSCallback *uhh
+)
+{
+    return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE);
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCRL_GetEncoding (
+  NSSCRL *crl
+)
+{
+    if (crl && crl->encoding.data != NULL && crl->encoding.size > 0) {
+	return &crl->encoding;
+    } else {
+	return (NSSDER *)NULL;
+    }
+}
diff --git a/security/nss/lib/pki/config.mk b/security/nss/lib/pki/config.mk
new file mode 100644
index 000000000..f4e5b965b
--- /dev/null
+++ b/security/nss/lib/pki/config.mk
@@ -0,0 +1,52 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
new file mode 100644
index 000000000..b79381af4
--- /dev/null
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -0,0 +1,1020 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKISTORE_H
+#include "pkistore.h"
+#endif /* PKISTORE_H */
+
+#include "pki1t.h"
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+NSS_IMPLEMENT NSSCryptoContext *
+nssCryptoContext_Create (
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    NSSArena *arena;
+    NSSCryptoContext *rvCC;
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvCC = nss_ZNEW(arena, NSSCryptoContext);
+    if (!rvCC) {
+	return NULL;
+    }
+    rvCC->td = td;
+    rvCC->arena = arena;
+    rvCC->certStore = nssCertificateStore_Create(rvCC->arena);
+    if (!rvCC->certStore) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+
+    return rvCC;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_Destroy (
+  NSSCryptoContext *cc
+)
+{
+    PRStatus status = PR_SUCCESS;
+    PORT_Assert(cc->certStore);
+    if (cc->certStore) {
+	status = nssCertificateStore_Destroy(cc->certStore);
+	if (status == PR_FAILURE) {
+	    return status;
+	}
+    } else {
+	status = PR_FAILURE;
+    }
+    nssArena_Destroy(cc->arena);
+    return status;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_SetDefaultCallback (
+  NSSCryptoContext *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSCallback *
+NSSCryptoContext_GetDefaultCallback (
+  NSSCryptoContext *td,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSCryptoContext_GetTrustDomain (
+  NSSCryptoContext *td
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindOrImportCertificate (
+  NSSCryptoContext *cc,
+  NSSCertificate *c
+)
+{
+    NSSCertificate *rvCert = NULL;
+
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+	return rvCert;
+    }
+    rvCert = nssCertificateStore_FindOrAdd(cc->certStore, c);
+    if (rvCert == c && c->object.cryptoContext != cc) {
+	PORT_Assert(!c->object.cryptoContext);
+	c->object.cryptoContext = cc;
+    } 
+    if (rvCert) {
+	/* an NSSCertificate cannot be part of two crypto contexts
+	** simultaneously.  If this assertion fails, then there is 
+	** a serious Stan design flaw.
+	*/
+	PORT_Assert(cc == c->object.cryptoContext);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_ImportPKIXCertificate (
+  NSSCryptoContext *cc,
+  struct NSSPKIXCertificateStr *pc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_ImportEncodedCertificate (
+  NSSCryptoContext *cc,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ImportEncodedPKIXCertificateChain (
+  NSSCryptoContext *cc,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptoContext_ImportTrust (
+  NSSCryptoContext *cc,
+  NSSTrust *trust
+)
+{
+    PRStatus nssrv;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return PR_FAILURE;
+    }
+    nssrv = nssCertificateStore_AddTrust(cc->certStore, trust);
+#if 0
+    if (nssrv == PR_SUCCESS) {
+	trust->object.cryptoContext = cc;
+    }
+#endif
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptoContext_ImportSMIMEProfile (
+  NSSCryptoContext *cc,
+  nssSMIMEProfile *profile
+)
+{
+    PRStatus nssrv;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return PR_FAILURE;
+    }
+    nssrv = nssCertificateStore_AddSMIMEProfile(cc->certStore, profile);
+#if 0
+    if (nssrv == PR_SUCCESS) {
+	profile->object.cryptoContext = cc;
+    }
+#endif
+    return nssrv;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNickname (
+  NSSCryptoContext *cc,
+  const NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+)
+{
+    NSSCertificate **certs;
+    NSSCertificate *rvCert = NULL;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    certs = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
+                                                           name,
+                                                           NULL, 0, NULL);
+    if (certs) {
+	rvCert = nssCertificateArray_FindBestCertificate(certs,
+	                                                 timeOpt,
+	                                                 usage,
+	                                                 policiesOpt);
+	nssCertificateArray_Destroy(certs);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByNickname (
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
+                                                             name,
+                                                             rvOpt,
+                                                             maximumOpt,
+                                                             arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByIssuerAndSerialNumber (
+  NSSCryptoContext *cc,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+)
+{
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindCertificateByIssuerAndSerialNumber(
+                                                               cc->certStore,
+                                                               issuer,
+                                                               serialNumber);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateBySubject (
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    NSSCertificate **certs;
+    NSSCertificate *rvCert = NULL;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    certs = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
+                                                          subject,
+                                                          NULL, 0, NULL);
+    if (certs) {
+	rvCert = nssCertificateArray_FindBestCertificate(certs,
+	                                                 timeOpt,
+	                                                 usage,
+	                                                 policiesOpt);
+	nssCertificateArray_Destroy(certs);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssCryptoContext_FindCertificatesBySubject (
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
+                                                            subject,
+                                                            rvOpt,
+                                                            maximumOpt,
+                                                            arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesBySubject (
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    return nssCryptoContext_FindCertificatesBySubject(cc, subject,
+                                                      rvOpt, maximumOpt,
+                                                      arenaOpt);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNameComponents (
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByNameComponents (
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByEncodedCertificate (
+  NSSCryptoContext *cc,
+  NSSBER *encodedCertificate
+)
+{
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindCertificateByEncodedCertificate(
+                                                           cc->certStore,
+                                                           encodedCertificate);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByEmail (
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    NSSCertificate **certs;
+    NSSCertificate *rvCert = NULL;
+
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    certs = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
+                                                        email,
+                                                        NULL, 0, NULL);
+    if (certs) {
+	rvCert = nssCertificateArray_FindBestCertificate(certs,
+	                                                 timeOpt,
+	                                                 usage,
+	                                                 policiesOpt);
+	nssCertificateArray_Destroy(certs);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByEmail (
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
+                                                          email,
+                                                          rvOpt,
+                                                          maximumOpt,
+                                                          arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByOCSPHash (
+  NSSCryptoContext *cc,
+  NSSItem *hash
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificate (
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindUserCertificates (
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForSSLClientAuth (
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindUserCertificatesForSSLClientAuth (
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForEmailSigning (
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindUserCertificatesForEmailSigning (
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssCryptoContext_FindTrustForCertificate (
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+)
+{
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindTrustForCertificate(cc->certStore, cert);
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssCryptoContext_FindSMIMEProfileForCertificate (
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+)
+{
+    PORT_Assert(cc->certStore);
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindSMIMEProfileForCertificate(cc->certStore, 
+                                                              cert);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_GenerateKeyPair (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKey (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKeyFromPassword (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID (
+  NSSCryptoContext *cc,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+struct token_session_str {
+    NSSToken *token;
+    nssSession *session;
+};
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Decrypt (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginDecrypt (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueDecrypt (
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishDecrypt (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Sign (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginSign (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueSign (
+  NSSCryptoContext *cc,
+  NSSItem *data
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishSign (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_SignRecover (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginSignRecover (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueSignRecover (
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishSignRecover (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_UnwrapSymmetricKey (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_DeriveSymmetricKey (
+  NSSCryptoContext *cc,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Encrypt (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginEncrypt (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueEncrypt (
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishEncrypt (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_Verify (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginVerify (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueVerify (
+  NSSCryptoContext *cc,
+  NSSItem *data
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_FinishVerify (
+  NSSCryptoContext *cc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_VerifyRecover (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginVerifyRecover (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueVerifyRecover (
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishVerifyRecover (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_WrapSymmetricKey (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Digest (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    return nssToken_Digest(cc->token, cc->session, apOpt, 
+                           data, rvOpt, arenaOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginDigest (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    return nssToken_BeginDigest(cc->token, cc->session, apOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueDigest (
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *item
+)
+{
+	/*
+    NSSAlgorithmAndParameters *ap;
+    ap = (apOpt) ? apOpt : cc->ap;
+    */
+	/* why apOpt?  can't change it at this point... */
+    return nssToken_ContinueDigest(cc->token, cc->session, item);
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishDigest (
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    return nssToken_FinishDigest(cc->token, cc->session, rvOpt, arenaOpt);
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSCryptoContext_Clone (
+  NSSCryptoContext *cc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/doc/standiag.png b/security/nss/lib/pki/doc/standiag.png
new file mode 100644
index 000000000..fe1aca389
--- /dev/null
+++ b/security/nss/lib/pki/doc/standiag.png
diff --git a/security/nss/lib/pki/doc/standoc.html b/security/nss/lib/pki/doc/standoc.html
new file mode 100644
index 000000000..8cc067588
--- /dev/null
+++ b/security/nss/lib/pki/doc/standoc.html
@@ -0,0 +1,474 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is the Netscape security libraries.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1994-2000
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the GPL or the LGPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+                                                                        
+                              
+  <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
+  <title>Stan Design - Work In Progress</title>
+</head>
+  <body>
+ <br>
+               This is a working document for progress on Stan design/development.<br>
+ <br>
+        Current <a href="#build">build</a>
+       and <a href="#test">test</a>
+        instructions.<br>
+ <br>
+                      The current set of Stan libraries.<br>
+ <a href="#asn1">asn1</a>
+ <br>
+ <a href="#base">base</a>
+ <br>
+ <a href="#ckfw">ckfw</a>
+ <br>
+ <a href="#dev">dev</a>
+ <br>
+ <a href="#pki">pki</a>
+ <br>
+ <a href="#pki1">pki1</a>
+ <br>
+ <a href="#pkix">pkix</a>
+ <br>
+ <br>
+                     "Public" types below (those available to consumers of
+ NSS)   begin    with   "NSS".  &nbsp;"Protected" types (those only available
+ within   NSS)   begin   with  "nss".<br>
+ <br>
+        Open issues appears as numbered indents.<br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="asn1"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/asn1/">
+           ASN.1</a>
+ </h3>
+                          ASN.1 encoder/decoder wrapping around the current 
+ ASN.1    implementation.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASN1EncodingType">  NSSASN1EncodingType</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Item">nssASN1Item</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Template">nssASN1Template</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1ChooseTemplateFunction">
+                     nssASN1ChooseTemplateFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Encoder">nssASN1Encoder</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Decoder">nssASN1Decoder</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncodingPart">  nssASN1EncodingPart</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1NotifyFunction">
+       nssASN1NotifyFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncoderWriteFunction">
+                     nssASN1EncoderWriteFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1DecoderFilterFunction">
+                     nssASN1DecoderFilterFunction</a>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="base"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/base/">
+       Base</a>
+ </h3>
+                          Set of base utilities for Stan implementation.
+&nbsp;These       are   all   fairly straightforward, except for nssPointerTracker.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSError">NSSError</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSArena">NSSArena</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSItem">NSSItem</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBER">NSSBER</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSDER">NSSDER</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBitString">NSSBitString</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUTF8">NSSUTF8</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASCII7">NSSASCII7</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssArenaMark">nssArenaMark</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssPointerTracker">nssPointerTracker</a>
+ <br>
+          This is intended for debug builds only.<br>
+ 
+<ol>
+   <li>Ignored for now.<br>
+   </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssStringType">nssStringType</a>
+ <br>
+ <br>
+          Suggested additions:<br>
+ 
+<ol>
+   <li>nssList - A list that optionally uses a lock. &nbsp;This list  would 
+   manage the currently loaded modules in a trust domain, etc.</li>
+   
+  <ul>
+     <li>SECMODListLock kept track of the number of waiting threads.  &nbsp;Will 
+  this be needed in the trust domain?</li>
+   
+  </ul>
+ 
+</ol>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="ckfw"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/">
+  CKFW</a>
+ </h3>
+                     The cryptoki framework, used for building cryptoki tokens. 
+   &nbsp;This      needs  to be described in a separate document showing how
+   to set up a  token    using  CKFW. &nbsp;This code only relates to tokens,
+   so it is not  relevant    here.<br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="dev"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/dev/"> 
+ Device</a>
+ </h3>
+                          Defines cryptoki devices used in NSS. &nbsp;This
+ is  not   part  of the exposed API. &nbsp;It is a low-level API allowing
+NSS to manage   cryptoki  devices.<br>
+ <br>
+         The relationship is like this:<br>
+ <br>
+         libpki --&gt; libdev --&gt; cryptoki<br>
+ <br>
+         As an example,<br>
+ <br>
+         NSSTrustDomain_FindCertificate --&gt; NSSToken_FindCertificate --&gt;
+   C_FindObjects<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSModule">NSSModule</a>
+ <br>
+                     Replaces the SECMOD API. &nbsp;The module manages a
+PRLibrary       that   holds  a cryptoki implementation via a number of slots.
+&nbsp;The      API should   provide  the ability  to Load and Unload a module,
+Login  and    Logout to the   module (through its slots), and to locate a
+particular   slot/token.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSlot">NSSSlot</a>
+ <br>
+                     This and NSSToken combine to replace the PK11 API parts
+  that   relate    to  slot  and token management. &nbsp;The slot API should
+  provide   the ability   to Login/Logout   to a slot, check the login status,
+  determine    basic configuration    information   about the slot, and modify
+  the password    settings.<br>
+ 
+<ol>
+   <li>Should slots also maintain a default session? &nbsp;This session would 
+ be used for slot management calls (sections 9.5 and9.6 of PKCS#11). &nbsp;Or 
+ is the token session sufficient (this would not work if C_GetTokenInfo and 
+ C_InitToken need to be wrapped in a threadsafe session).<br>
+   </li>
+ 
+</ol>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSToken">NSSToken</a>
+ <br>
+                     Fills in the gaps left by NSSSlot. &nbsp;Much of the 
+cryptoki     API   is  directed   towards slots.  &nbsp;However,   some  functionality
+   clearly belongs with a token type. &nbsp;For  example,   a certificate
+ lives  on a token, not a slot, so one would expect  a function   NSSToken_FindCertificate.
+    &nbsp;Thus functions that deal with  importing/exporting   an object
+and    performing  actual cryptographic operations  belong here.<br>
+ 
+<ol>
+   <li>The   distinction  between a slot and a token is not clear. &nbsp;Most 
+   functions take  a slotID   as an argument,  even though it is obvious that
+     the event   is intended to occur on a token. &nbsp;That leaves various
+   possibilities:</li>
+   
+  <ol>
+     <li>Implement the API entirely as NSSToken. &nbsp;If the token  is not 
+  present, some calls will simply fail.</li>
+     <li>Divide the API between NSSToken and NSSSlot, as described  above. 
+&nbsp;NSSSlot  would handle cryptoki calls specified as "slot management",
+  while NSSToken  handles actual token operations.</li>
+     <li>Others?</li>
+   
+  </ol>
+   <li>Session management. &nbsp;Tokens needs a threadsafe session handle 
+ to perform operations. &nbsp;CryptoContexts are meant to provide such sessions, 
+ but other objects will need access to token functions as well (examples: 
+the TrustDomain_Find functions, _Login, _Logout, and others that do not exist 
+ such as NSSToken_ChangePassword). &nbsp;For those functions, the token could 
+ maintain a default session. &nbsp;Thus all NSSToken API functions would take
+ sessionOpt as an argument. &nbsp;If the caller is going to provide a session,
+ it sends an NSSSession there, otherwise it sends NULL and the default session
+ is utilized.<br>
+   </li>
+ 
+</ol>
+      Proposed:<br>
+    NSSSession<br>
+    Wraps a Cryptoki session. &nbsp;Created from a slot. &nbsp;Used to manage
+  sessions for crypto contexts. &nbsp;Has a lock field, which locks the session
+  if the slot is not threadsafe.<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pki"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/"> 
+   PKI</a>
+ </h3>
+                          The NSS PKI library.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">NSS</a>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">Certificate</a>
+ <br>
+ 
+<ol>
+   <li>The API leaves open the possibility of NSSCertificate meaning  various 
+ certificate types, not just X.509. &nbsp;The way to keep open this  possibility 
+ is to keep only generally useful information in the NSSCertificate  type. 
+&nbsp;Examples would be the certificate encoding, label, trust (obtained
+ from cryptoki calls), an email address, etc. &nbsp;Some type of generic
+reference  should be kept to the decoded certificate, which would then be
+accessed by  a type-specific API (e.g., NSSX509_GetSubjectName).</li>
+ 
+</ol>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUserCertificate">NSSUserCertificate</a>
+ <br>
+ 
+<ol>
+   <li>Should this be a typedef of NSSCertificate?&nbsp; This implies  that 
+ any function that requires an   NSSUserCertificate   would fail when  called 
+ with a certificate lacking a private key. </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPrivateKey">NSSPrivateKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPublicKey">NSSPublicKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSymmetricKey">NSSSymmetricKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTrustDomain">NSSTrustDomain</a>
+ <br>
+                    A trust domain is "the field in which certificates may
+ be  validated."       &nbsp;It  is a collection of modules capable of performing 
+  cryptographic      operations  and storing certs and keys. &nbsp;This collection 
+  is managed     by NSS in a manner opaque to the consumer. &nbsp;The slots 
+  will have various      orderings determining which has preference for a 
+given  operation. &nbsp;For      example, the trust domain may order the storage
+ of user certificates one    way, and the storage of email certificates in
+ another way [is that a good    example?].<br>
+ <br>
+ 
+<ol>
+   <li>           How will ordering work? &nbsp;We already have the  suggestion 
+      that  there be two kinds of ordering: storage and search.  &nbsp;How 
+will     they be  constructed/managed? &nbsp;Do we want to expose  access 
+to a token     that overrides  this ordering (i.e., the download of  updated 
+root certs   may  need to override  storage order)</li>
+   <li>How are certs cached? &nbsp;Nelson wonders what it means   to   Stan 
+    when a cert does not live on a token yet. &nbsp;Bob, Terry, and    I discussed
+    this. &nbsp;My conclusion is that there should be a type,  separate 
+from   NSSCertificate,  that holds the decoded cert parts (e.g.,   NSSX509Certificate,
+    or to avoid confusion, NSSX509DecodedParts). &nbsp;NSSCertificate   would
+  keep  a handle to this type, so that it only needs to decode the  cert
+once.   &nbsp;The  NSSTrustDomain would keep a hash table of cached certs, 
+some of  which may  not live on a token yet (i.e., they are only NSSX509DecodedParts). 
+     &nbsp;This  cache could be accessed in the same way the temp db was, 
+and    when the cert  is ready to be moved onto a token a call to NSSTrustDomain_ImportCertificate 
+       is made. &nbsp;Note    that this is essentially the same as CERT_TempCertToPerm.</li>
+   
+  <ul>
+     <li>The hashtable in lib/base (copied from ckfw/hash.c) uses the identity 
+hash. &nbsp;Therefore, in a hash of certificates, the key is the certificate 
+pointer itself. &nbsp;One possibility is to store the decoded cert (NSSX509DecodedParts 
+above) as the value in the {key, value} pair. &nbsp;When a cert is decoded, 
+the cert pointer and decoding pointer are added to the hash. &nbsp;Subsequent 
+lookups have access to one or both of these pointers. &nbsp;This keeps NSSCertificate 
+separate from its decoding, while providing a way to locate it.</li>
+   
+  </ul>
+   <li>The API is designed to keep token details hidden from the user.  &nbsp;However, 
+ it has already been realized that PSM and CMS may need special  access to 
+tokens. &nbsp;Is this part of the TrustDomain API, or should PSM  and CMS 
+be allowed to use "friend" headers from the Token API?</li>
+   <li>Do we want to allow traversal via NSSTrustDomain_TraverseXXXX?<br>
+   </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCryptoContext"><br>
+                   NSSCryptoContext</a>
+ <br>
+    Analgous to a Cryptoki session. &nbsp;Manages session objects only.<br>
+  <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTime">NSSTime</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUsage">NSSUsage</a>
+ <br>
+ 
+<ol>
+   <li>       See Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#187">
+               comments</a>
+              .</li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPolicies">NSSPolicies</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSAlgorithmAndParameters">
+                      NSSAlgorithmAndParameters</a>
+ <br>
+ 
+<ol>
+   <li>       Again, Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#215">
+               comments</a>
+              . &nbsp;The old NSS code had various types related to  algorithms 
+    running around in it. &nbsp;We had SECOidTag, SECAlgorithmID,   SECItem's
+     for parameters, CK_MECHANISM for cryptoki, etc. &nbsp;This type   should
+    be  able to encapsulate all of those.</li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCallback">NSSCallback</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOperations">NSSOperations</a>
+ <br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2"><br>
+ <br>
+ A diagram to suggest a possible TrustDomain architecture.<br>
+ <br>
+ <img src="./standiag.png" alt="Trust Domain Diagram" width="748" height="367">
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pki1"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki1/">
+    PKI1</a>
+ </h3>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOID">NSSOID</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSATAV">NSSATAV</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDN">NSSRDN</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDNSeq">NSSRDNSeq</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSName">NSSName</a>
+ <br>
+            NSSNameChoice<br>
+            NSSGeneralName<br>
+            NSSGeneralNameChoice<br>
+            NSSOtherName<br>
+            NSSRFC822Name<br>
+            NSSDNSName<br>
+            NSSX400Address<br>
+            NSSEdiParityAddress<br>
+            NSSURI<br>
+            NSSIPAddress<br>
+            NSSRegisteredID<br>
+            NSSGeneralNameSeq<br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssAttributeTypeAliasTable">
+            nssAttributeTypeAliasTable</a>
+ <br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pkix"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pkix/">
+       PKIX&nbsp;</a>
+ </h3>
+           There is a plethora of PKIX related types here.<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="build"></a>
+        Building Stan</h3>
+ <br>
+       From nss/lib, run "make BUILD_STAN=1"<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="test"></a>
+       Testing Stan</h3>
+       A&nbsp;new command line tool, pkiutil, has been created to use only
+ the   Stan API. &nbsp;It depends on a new library, cmdlib, meant to replace
+ the   old secutil library. &nbsp;The old library had code used by products
+ that   needed to be integrated into the main library codebase somehow. &nbsp;The
+   goal of the new cmdlib is to have functionality needed strictly for NSS
+ tools.<br>
+ <br>
+       How to build:<br>
+ 
+<ol>
+   <li>cd nss/cmd/cmdlib; make</li>
+   <li>cd ../pkiutil; make</li>
+ 
+</ol>
+       pkiutil will give detailed help with either "pkiutil -?" or "pkiutil 
+ --help".<br>
+ <br>
+      So far, the only available test is to list certs on the builtins token. 
+  &nbsp;Copy "libnssckbi.so" (or whatever it is) to cmd/pkiutil. &nbsp;Then 
+  run "pkiutil -L" or "pkiutil --list". &nbsp;The list of certificate nicknames 
+  should be displayed.<br>
+ <br>
+ <br>
+ 
+</body>
+</html>
diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn
new file mode 100644
index 000000000..526cdf1a6
--- /dev/null
+++ b/security/nss/lib/pki/manifest.mn
@@ -0,0 +1,78 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	pki.h      \
+	pkit.h     \
+	nsspkit.h  \
+	nsspki.h   \
+	pkistore.h \
+	pki3hack.h \
+	pkitm.h    \
+	pkim.h     \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS =		        \
+	asymmkey.c      \
+	certificate.c   \
+	cryptocontext.c \
+	symmkey.c       \
+	trustdomain.c   \
+	tdcache.c       \
+	certdecode.c    \
+	pkistore.c      \
+	pkibase.c       \
+	pki3hack.c      \
+	$(NULL)
+
+#DEFINES = -DDEBUG_CACHE
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nsspki
+LIBRARY_VERSION = 3
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
new file mode 100644
index 000000000..43996ee94
--- /dev/null
+++ b/security/nss/lib/pki/nsspki.h
@@ -0,0 +1,3204 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSPKI_H
+#define NSSPKI_H
+
+#ifdef DEBUG
+static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nsspki.h
+ *
+ * This file prototypes the methods of the top-level PKI objects.
+ */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSPKI1_H
+#include "nsspki1.h"
+#endif /* NSSPKI1_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A note about interfaces
+ *
+ * Although these APIs are specified in C, a language which does
+ * not have fancy support for abstract interfaces, this library
+ * was designed from an object-oriented perspective.  It may be
+ * useful to consider the standard interfaces which went into
+ * the writing of these APIs.
+ *
+ * Basic operations on all objects:
+ *  Destroy -- free a pointer to an object
+ *  DeleteStoredObject -- delete an object permanently
+ *
+ * Public Key cryptographic operations:
+ *  Encrypt
+ *  Verify
+ *  VerifyRecover
+ *  Wrap
+ *  Derive
+ *
+ * Private Key cryptographic operations:
+ *  IsStillPresent
+ *  Decrypt
+ *  Sign
+ *  SignRecover
+ *  Unwrap
+ *  Derive
+ *
+ * Symmetric Key cryptographic operations:
+ *  IsStillPresent
+ *  Encrypt
+ *  Decrypt
+ *  Sign
+ *  SignRecover
+ *  Verify
+ *  VerifyRecover
+ *  Wrap
+ *  Unwrap
+ *  Derive
+ *
+ */
+
+/*
+ * NSSCertificate
+ *
+ * These things can do crypto ops like public keys, except that the trust, 
+ * usage, and other constraints are checked.  These objects are "high-level,"
+ * so trust, usages, etc. are in the form we throw around (client auth,
+ * email signing, etc.).  Remember that theoretically another implementation
+ * (think PGP) could be beneath this object.
+ */
+
+/*
+ * NSSCertificate_Destroy
+ *
+ * Free a pointer to a certificate object.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Destroy
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_DeleteStoredObject
+ *
+ * Permanently remove this certificate from storage.  If this is the
+ * only (remaining) certificate corresponding to a private key, 
+ * public key, and/or other object; then that object (those objects)
+ * are deleted too.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_DeleteStoredObject
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_Validate
+ *
+ * Verify that this certificate is trusted, for the specified usage(s), 
+ * at the specified time, {word word} the specified policies.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Validate
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSCertificate_ValidateCompletely
+ *
+ * Verify that this certificate is trusted.  The difference between
+ * this and the previous call is that NSSCertificate_Validate merely
+ * returns success or failure with an appropriate error stack.
+ * However, there may be (and often are) multiple problems with a
+ * certificate.  This routine returns an array of errors, specifying
+ * every problem.
+ */
+
+/* 
+ * Return value must be an array of objects, each of which has
+ * an NSSError, and any corresponding certificate (in the chain)
+ * and/or policy.
+ */
+
+NSS_EXTERN void ** /* void *[] */
+NSSCertificate_ValidateCompletely
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt, /* NULL for none */
+  void **rvOpt, /* NULL for allocate */
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt /* NULL for heap */
+);
+
+/*
+ * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
+ *
+ * Returns PR_SUCCESS if the certificate is valid for at least something.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
+(
+  NSSCertificate *c,
+  NSSTime **notBeforeOutOpt,
+  NSSTime **notAfterOutOpt,
+  void *allowedUsages,
+  void *disallowedUsages,
+  void *allowedPolicies,
+  void *disallowedPolicies,
+  /* more args.. work on this fgmr */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_Encode
+ *
+ */
+
+NSS_EXTERN NSSDER *
+NSSCertificate_Encode
+(
+  NSSCertificate *c,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_BuildChain
+ *
+ * This routine returns NSSCertificate *'s for each certificate
+ * in the "chain" starting from the specified one up to and
+ * including the root.  The zeroth element in the array is the
+ * specified ("leaf") certificate.
+ *
+ * If statusOpt is supplied, and is returned as PR_FAILURE, possible
+ * error values are:
+ *
+ * NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND - the chain is incomplete
+ *
+ */
+
+extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
+
+NSS_EXTERN NSSCertificate **
+NSSCertificate_BuildChain
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc 
+);
+
+/*
+ * NSSCertificate_GetTrustDomain
+ *
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSCertificate_GetTrustDomain
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSCertificate_GetToken
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSCertificate_GetSlot
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSCertificate_GetModule
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_Encrypt
+ *
+ * Encrypt a single chunk of data with the public key corresponding to
+ * this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_Encrypt
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Verify
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_VerifyRecover
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_WrapSymmetricKey
+ *
+ * This method tries very hard to to succeed, even in situations 
+ * involving sensitive keys and multiple modules.
+ * { relyea: want to add verbiage? }
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_WrapSymmetricKey
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_CreateCryptoContext
+ *
+ * Create a crypto context, in this certificate's trust domain, with this
+ * as the distinguished certificate.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSCertificate_CreateCryptoContext
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh  
+);
+
+/*
+ * NSSCertificate_GetPublicKey
+ *
+ * Returns the public key corresponding to this certificate.
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSCertificate_GetPublicKey
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_FindPrivateKey
+ *
+ * Finds and returns the private key corresponding to this certificate,
+ * if it is available.
+ *
+ * { Should this hang off of NSSUserCertificate? }
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSCertificate_FindPrivateKey
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_IsPrivateKeyAvailable
+ *
+ * Returns success if the private key corresponding to this certificate
+ * is available to be used.
+ *
+ * { Should *this* hang off of NSSUserCertificate?? }
+ */
+
+NSS_EXTERN PRBool
+NSSCertificate_IsPrivateKeyAvailable
+(
+  NSSCertificate *c,
+  NSSCallback *uhh,
+  PRStatus *statusOpt
+);
+
+/*
+ * If we make NSSUserCertificate not a typedef of NSSCertificate, 
+ * then we'll need implementations of the following:
+ *
+ *  NSSUserCertificate_Destroy
+ *  NSSUserCertificate_DeleteStoredObject
+ *  NSSUserCertificate_Validate
+ *  NSSUserCertificate_ValidateCompletely
+ *  NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
+ *  NSSUserCertificate_Encode
+ *  NSSUserCertificate_BuildChain
+ *  NSSUserCertificate_GetTrustDomain
+ *  NSSUserCertificate_GetToken
+ *  NSSUserCertificate_GetSlot
+ *  NSSUserCertificate_GetModule
+ *  NSSUserCertificate_GetCryptoContext
+ *  NSSUserCertificate_GetPublicKey
+ */
+
+/*
+ * NSSUserCertificate_IsStillPresent
+ *
+ * Verify that if this certificate lives on a token, that the token
+ * is still present and the certificate still exists.  This is a
+ * lightweight call which should be used whenever it should be
+ * verified that the user hasn't perhaps popped out his or her
+ * token and strolled away.
+ */
+
+NSS_EXTERN PRBool
+NSSUserCertificate_IsStillPresent
+(
+  NSSUserCertificate *uc,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSUserCertificate_Decrypt
+ *
+ * Decrypt a single chunk of data with the private key corresponding
+ * to this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_Decrypt
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_Sign
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_SignRecover
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSUserCertificate_UnwrapSymmetricKey
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSUserCertificate_DeriveSymmetricKey
+(
+  NSSUserCertificate *uc, /* provides private key */
+  NSSCertificate *c, /* provides public key */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/* filter-certs function(s) */
+
+/**
+ ** fgmr -- trust objects
+ **/
+
+/*
+ * NSSPrivateKey
+ *
+ */
+
+/*
+ * NSSPrivateKey_Destroy
+ *
+ * Free a pointer to a private key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSPrivateKey_Destroy
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_DeleteStoredObject
+ *
+ * Permanently remove this object, and any related objects (such as the
+ * certificates corresponding to this key).
+ */
+
+NSS_EXTERN PRStatus
+NSSPrivateKey_DeleteStoredObject
+(
+  NSSPrivateKey *vk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_GetSignatureLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSPrivateKey_GetSignatureLength
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetPrivateModulusLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSPrivateKey_GetPrivateModulusLength
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_IsStillPresent
+ *
+ */
+
+NSS_EXTERN PRBool
+NSSPrivateKey_IsStillPresent
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPrivateKey_Encode
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Encode
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSPrivateKey_GetTrustDomain
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPrivateKey_GetToken
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSPrivateKey_GetToken
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetSlot
+ *
+ */
+
+NSS_EXTERN NSSSlot *
+NSSPrivateKey_GetSlot
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetModule
+ *
+ */
+
+NSS_EXTERN NSSModule *
+NSSPrivateKey_GetModule
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Decrypt
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Sign
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_SignRecover
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSPrivateKey_UnwrapSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSPrivateKey_DeriveSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_FindPublicKey
+ *
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSPrivateKey_FindPublicKey
+(
+  NSSPrivateKey *vk
+  /* { don't need the callback here, right? } */
+);
+
+/*
+ * NSSPrivateKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain,
+ * with this as the distinguished private key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSPrivateKey_CreateCryptoContext
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_FindCertificates
+ *
+ * Note that there may be more than one certificate for this
+ * private key.  { FilterCertificates function to further
+ * reduce the list. }
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSPrivateKey_FindCertificates
+(
+  NSSPrivateKey *vk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_FindBestCertificate
+ *
+ * The parameters for this function will depend on what the users
+ * need.  This is just a starting point.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSPrivateKey_FindBestCertificate
+(
+  NSSPrivateKey *vk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSPublicKey
+ *
+ * Once you generate, find, or derive one of these, you can use it
+ * to perform (simple) cryptographic operations.  Though there may
+ * be certificates associated with these public keys, they are not
+ * verified.
+ */
+
+/*
+ * NSSPublicKey_Destroy
+ *
+ * Free a pointer to a public key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_Destroy
+(
+  NSSPublicKey *bk
+);
+
+/*
+ * NSSPublicKey_DeleteStoredObject
+ *
+ * Permanently remove this object, and any related objects (such as the
+ * corresponding private keys and certificates).
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_DeleteStoredObject
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_Encode
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_Encode
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *ap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSPublicKey_GetTrustDomain
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSPublicKey_GetToken
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSPublicKey_GetSlot
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSPublicKey_GetModule
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_Encrypt
+ *
+ * Encrypt a single chunk of data with the public key corresponding to
+ * this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_Encrypt
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_Verify
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_VerifyRecover
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_WrapSymmetricKey
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain, with this
+ * as the distinguished public key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSPublicKey_CreateCryptoContext
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_FindCertificates
+ *
+ * Note that there may be more than one certificate for this
+ * public key.  The current implementation may not find every
+ * last certificate available for this public key: that would
+ * involve trolling e.g. huge ldap databases, which will be
+ * grossly inefficient and not generally useful.
+ * { FilterCertificates function to further reduce the list }
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSPublicKey_FindCertificates
+(
+  NSSPublicKey *bk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_FindBestCertificate
+ *
+ * The parameters for this function will depend on what the users
+ * need.  This is just a starting point.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSPublicKey_FindBestCertificate
+(
+  NSSPublicKey *bk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSPublicKey_FindPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSPublicKey_FindPrivateKey
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey
+ *
+ */
+
+/*
+ * NSSSymmetricKey_Destroy
+ *
+ * Free a pointer to a symmetric key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_Destroy
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_DeleteStoredObject
+ *
+ * Permanently remove this object.
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_DeleteStoredObject
+(
+  NSSSymmetricKey *mk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_GetKeyLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSSymmetricKey_GetKeyLength
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_GetKeyStrength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSSymmetricKey_GetKeyStrength
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_IsStillPresent
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_IsStillPresent
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSSymmetricKey_GetTrustDomain
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSSymmetricKey_GetToken
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSSymmetricKey_GetSlot
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSSymmetricKey_GetModule
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_Encrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Encrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Decrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Sign
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_SignRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_Verify
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_VerifyRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_WrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_WrapPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_WrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPrivateKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSSymmetricKey_UnwrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_UnwrapPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSSymmetricKey_UnwrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSUTF8 *labelOpt,
+  NSSItem *keyIDOpt,
+  PRBool persistant,
+  PRBool sensitive,
+  NSSToken *destinationOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSSymmetricKey_DeriveSymmetricKey
+(
+  NSSSymmetricKey *originalKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain,
+ * with this as the distinguished symmetric key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSSymmetricKey_CreateCryptoContext
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSTrustDomain
+ *
+ */
+
+/*
+ * NSSTrustDomain_Create
+ *
+ * This creates a trust domain, optionally with an initial cryptoki
+ * module.  If the module name is not null, the module is loaded if
+ * needed (using the uriOpt argument), and initialized with the
+ * opaqueOpt argument.  If mumble mumble priority settings, then
+ * module-specification objects in the module can cause the loading
+ * and initialization of further modules.
+ *
+ * The uriOpt is defined to take a URI.  At present, we only
+ * support file: URLs pointing to platform-native shared libraries.
+ * However, by specifying this as a URI, this keeps open the 
+ * possibility of supporting other, possibly remote, resources.
+ *
+ * The "reserved" arguments is held for when we figure out the
+ * module priority stuff.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSTrustDomain_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+);
+
+/*
+ * NSSTrustDomain_Destroy
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Destroy
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * NSSTrustDomain_SetDefaultCallback
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_SetDefaultCallback
+(
+  NSSTrustDomain *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+);
+
+/*
+ * NSSTrustDomain_GetDefaultCallback
+ *
+ */
+
+NSS_EXTERN NSSCallback *
+NSSTrustDomain_GetDefaultCallback
+(
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+);
+
+/*
+ * Default policies?
+ * Default usage?
+ * Default time, for completeness?
+ */
+
+/*
+ * NSSTrustDomain_LoadModule
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_LoadModule
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+);
+
+/*
+ * NSSTrustDomain_AddModule
+ * NSSTrustDomain_AddSlot
+ * NSSTrustDomain_UnloadModule
+ * Managing modules, slots, tokens; priorities;
+ * Traversing all of the above
+ * this needs more work
+ */
+
+/*
+ * NSSTrustDomain_DisableToken
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_DisableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError why
+);
+
+/*
+ * NSSTrustDomain_EnableToken
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_EnableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+/*
+ * NSSTrustDomain_IsTokenEnabled
+ *
+ * If disabled, "why" is always on the error stack.
+ * The optional argument is just for convenience.
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_IsTokenEnabled
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError *whyOpt
+);
+
+/*
+ * NSSTrustDomain_FindSlotByName
+ *
+ */
+
+NSS_EXTERN NSSSlot *
+NSSTrustDomain_FindSlotByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+);
+
+/*
+ * NSSTrustDomain_FindTokenByName
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *tokenName
+);
+
+/*
+ * NSSTrustDomain_FindTokenBySlotName
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenBySlotName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+);
+
+/*
+ * NSSTrustDomain_FindBestTokenForAlgorithm
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+);
+
+/*
+ * NSSTrustDomain_FindBestTokenForAlgorithms
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindBestTokenForAlgorithms
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithms[], /* may be null-terminated */
+  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
+);
+
+/*
+ * NSSTrustDomain_Login
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Login
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_Logout
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Logout
+(
+  NSSTrustDomain *td
+);
+
+/* Importing things */
+
+/*
+ * NSSTrustDomain_ImportCertificate
+ *
+ * The implementation will pull some data out of the certificate
+ * (e.g. e-mail address) for use in pkcs#11 object attributes.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportCertificate
+(
+  NSSTrustDomain *td,
+  NSSCertificate *c
+);
+
+/*
+ * NSSTrustDomain_ImportPKIXCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportPKIXCertificate
+(
+  NSSTrustDomain *td,
+  /* declared as a struct until these "data types" are defined */
+  struct NSSPKIXCertificateStr *pc
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedCertificate
+ *
+ * Imports any type of certificate we support.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedCertificateChain
+ *
+ * If you just want the leaf, pass in a maximum of one.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_ImportEncodedCertificateChain
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSTrustDomain_ImportEncodedPrivateKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSItem *passwordOpt, /* NULL will cause a callback */
+  NSSCallback *uhhOpt,
+  NSSToken *destination
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedPublicKey
+ *
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSTrustDomain_ImportEncodedPublicKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+);
+
+/* Other importations: S/MIME capabilities */
+
+/*
+ * NSSTrustDomain_FindBestCertificateByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNickname
+(
+  NSSTrustDomain *td,
+  const NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
+ *
+ * Theoretically, this should never happen.  However, some companies
+ * we know have issued duplicate certificates with the same issuer
+ * and serial number.  Do we just ignore them?  I'm thinking yes.
+ */
+
+/*
+ * NSSTrustDomain_FindBestCertificateBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestCertificateByNameComponents
+ *
+ * This call does try several tricks, including a pseudo pkcs#11 
+ * attribute for the ldap module to try as a query.  Eventually
+ * this call falls back to a traversal if that's what's required.
+ * It will search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByNameComponents
+ *
+ * This call, too, tries several tricks.  It will stop on the first
+ * attempt that generates results, so it won't e.g. traverse the
+ * entire ldap database.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *encodedCertificate
+);
+
+/*
+ * NSSTrustDomain_FindBestCertificateByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByOCSPHash
+ *
+ * There can be only one.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByOCSPHash
+(
+  NSSTrustDomain *td,
+  NSSItem *hash
+);
+
+/*
+ * NSSTrustDomain_TraverseCertificates
+ *
+ * This function descends from one in older versions of NSS which
+ * traverses the certs in the permanent database.  That function
+ * was used to implement selection routines, but was directly
+ * available too.  Trust domains are going to contain a lot more
+ * certs now (e.g., an ldap server), so we'd really like to
+ * discourage traversal.  Thus for now, this is commented out.
+ * If it's needed, let's look at the situation more closely to
+ * find out what the actual requirements are.
+ */
+ 
+/* For now, adding this function.  This may only be for debugging
+ * purposes.
+ * Perhaps some equivalent function, on a specified token, will be
+ * needed in a "friend" header file?
+ */
+NSS_EXTERN PRStatus *
+NSSTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificate
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificates
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificates
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificatesForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificateForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificatesForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
+ * routines.
+ */
+
+/* Private Keys */
+
+/*
+ * NSSTrustDomain_GenerateKeyPair
+ *
+ * Creates persistant objects.  If you want session objects, use
+ * NSSCryptoContext_GenerateKeyPair.  The destination token is where
+ * the keys are stored.  If that token can do the required math, then
+ * that's where the keys are generated too.  Otherwise, the keys are
+ * generated elsewhere and moved to that token.
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_GenerateKeyPair
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_TraversePrivateKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSTrustDomain_TraversePrivateKeys
+ * (
+ *   NSSTrustDomain *td,
+ *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Symmetric Keys */
+
+/*
+ * NSSTrustDomain_GenerateSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKey
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_GenerateSymmetricKeyFromPassword
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKeyFromPassword
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithm
+ *
+ * Is this still needed?
+ * 
+ * NSS_EXTERN NSSSymmetricKey *
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithm
+ * (
+ *   NSSTrustDomain *td,
+ *   NSSOID *algorithm,
+ *   NSSCallback *uhhOpt
+ * );
+ */
+
+/*
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_TraverseSymmetricKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSTrustDomain_TraverseSymmetricKeys
+ * (
+ *   NSSTrustDomain *td,
+ *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/*
+ * NSSTrustDomain_CreateCryptoContext
+ *
+ * If a callback object is specified, it becomes the for the crypto
+ * context; otherwise, this trust domain's default (if any) is
+ * inherited.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContext
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_CreateCryptoContextForAlgorithm
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+);
+
+/*
+ * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap
+);
+
+/* find/traverse other objects, e.g. s/mime profiles */
+
+/*
+ * NSSCryptoContext
+ *
+ * A crypto context is sort of a short-term snapshot of a trust domain,
+ * used for the life of "one crypto operation."  You can also think of
+ * it as a "temporary database."
+ * 
+ * Just about all of the things you can do with a trust domain -- importing
+ * or creating certs, keys, etc. -- can be done with a crypto context.
+ * The difference is that the objects will be temporary ("session") objects.
+ * 
+ * Also, if the context was created for a key, cert, and/or algorithm; or
+ * if such objects have been "associated" with the context, then the context
+ * can do everything the keys can, like crypto operations.
+ * 
+ * And finally, because it keeps the state of the crypto operations, it
+ * can do streaming crypto ops.
+ */
+
+/*
+ * NSSTrustDomain_Destroy
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_Destroy
+(
+  NSSCryptoContext *cc
+);
+
+/* establishing a default callback */
+
+/*
+ * NSSCryptoContext_SetDefaultCallback
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_SetDefaultCallback
+(
+  NSSCryptoContext *cc,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+);
+
+/*
+ * NSSCryptoContext_GetDefaultCallback
+ *
+ */
+
+NSS_EXTERN NSSCallback *
+NSSCryptoContext_GetDefaultCallback
+(
+  NSSCryptoContext *cc,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCryptoContext_GetTrustDomain
+ *
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSCryptoContext_GetTrustDomain
+(
+  NSSCryptoContext *cc
+);
+
+/* AddModule, etc: should we allow "temporary" changes here? */
+/* DisableToken, etc: ditto */
+/* Ordering of tokens? */
+/* Finding slots+token etc. */
+/* login+logout */
+
+/* Importing things */
+
+/*
+ * NSSCryptoContext_FindOrImportCertificate
+ *
+ * If the certificate store already contains this DER cert, return the 
+ * address of the matching NSSCertificate that is already in the store,
+ * and bump its reference count.
+ *
+ * If this DER cert is NOT already in the store, then add the new
+ * NSSCertificate to the store and bump its reference count, 
+ * then return its address. 
+ *
+ * if this DER cert is not in the store and cannot be added to it, 
+ * return NULL;
+ *
+ * Record the associated crypto context in the certificate.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindOrImportCertificate (
+  NSSCryptoContext *cc,
+  NSSCertificate *c
+);
+
+/*
+ * NSSCryptoContext_ImportPKIXCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_ImportPKIXCertificate
+(
+  NSSCryptoContext *cc,
+  struct NSSPKIXCertificateStr *pc
+);
+
+/*
+ * NSSCryptoContext_ImportEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_ImportEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+);
+
+/*
+ * NSSCryptoContext_ImportEncodedPKIXCertificateChain
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ImportEncodedPKIXCertificateChain
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+);
+
+/* Other importations: S/MIME capabilities
+ */
+
+/*
+ * NSSCryptoContext_FindBestCertificateByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNickname
+(
+  NSSCryptoContext *cc,
+  const NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByNickname
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
+(
+  NSSCryptoContext *cc,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateByNameComponents
+ *
+ * This call does try several tricks, including a pseudo pkcs#11 
+ * attribute for the ldap module to try as a query.  Eventually
+ * this call falls back to a traversal if that's what's required.
+ * It will search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByNameComponents
+ *
+ * This call, too, tries several tricks.  It will stop on the first
+ * attempt that generates results, so it won't e.g. traverse the
+ * entire ldap database.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *encodedCertificate
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByOCSPHash
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByOCSPHash
+(
+  NSSCryptoContext *cc,
+  NSSItem *hash
+);
+
+/*
+ * NSSCryptoContext_TraverseCertificates
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraverseCertificates
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSCertificate *c, void *arg),
+ *   void *arg
+ * );
+ */
+
+/*
+ * NSSCryptoContext_FindBestUserCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificate
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificates
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindUserCertificates
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificatesForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindUserCertificatesForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestUserCertificateForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificatesForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindUserCertificatesForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/* Private Keys */
+
+/*
+ * NSSCryptoContext_GenerateKeyPair
+ *
+ * Creates session objects.  If you want persistant objects, use
+ * NSSTrustDomain_GenerateKeyPair.  The destination token is where
+ * the keys are stored.  If that token can do the required math, then
+ * that's where the keys are generated too.  Otherwise, the keys are
+ * generated elsewhere and moved to that token.
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_GenerateKeyPair
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_TraversePrivateKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraversePrivateKeys
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Symmetric Keys */
+
+/*
+ * NSSCryptoContext_GenerateSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_GenerateSymmetricKeyFromPassword
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKeyFromPassword
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_FindSymmetricKeyByAlgorithm
+ *
+ * 
+ * NSS_EXTERN NSSSymmetricKey *
+ * NSSCryptoContext_FindSymmetricKeyByType
+ * (
+ *   NSSCryptoContext *cc,
+ *   NSSOID *type,
+ *   NSSCallback *uhhOpt
+ * );
+ */
+
+/*
+ * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSCryptoContext *cc,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_TraverseSymmetricKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraverseSymmetricKeys
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Crypto ops on distinguished keys */
+
+/*
+ * NSSCryptoContext_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Decrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginDecrypt
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueDecrypt
+ *
+ */
+
+/*
+ * NSSItem semantics:
+ *
+ *   If rvOpt is NULL, a new NSSItem and buffer are allocated.
+ *   If rvOpt is not null, but the buffer pointer is null,
+ *     then rvOpt is returned but a new buffer is allocated.
+ *     In this case, if the length value is not zero, then
+ *     no more than that much space will be allocated.
+ *   If rvOpt is not null and the buffer pointer is not null,
+ *     then that buffer is re-used.  No more than the buffer
+ *     length value will be used; if it's not enough, an
+ *     error is returned.  If less is used, the number is
+ *     adjusted downwards.
+ *
+ *  Note that although this is short of some ideal "Item"
+ *  definition, we can usually tell how big these buffers
+ *  have to be.
+ *
+ *  Feedback is requested; and earlier is better than later.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishDecrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Sign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginSign
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginSign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueSign
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+);
+
+/*
+ * NSSCryptoContext_FinishSign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_SignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginSignRecover
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueSignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishSignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_UnwrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_DeriveSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_Encrypt
+ *
+ * Encrypt a single chunk of data with the distinguished public key
+ * of this crypto context.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Encrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginEncrypt
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueEncrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishEncrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_Verify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_BeginVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginVerify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueVerify
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+);
+
+/*
+ * NSSCryptoContext_FinishVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_FinishVerify
+(
+  NSSCryptoContext *cc
+);
+
+/*
+ * NSSCryptoContext_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_VerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginVerifyRecover
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueVerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishVerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_WrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Digest
+ *
+ * Digest a single chunk of data with the distinguished digest key
+ * of this crypto context.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Digest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginDigest
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueDigest
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *item
+);
+
+/*
+ * NSSCryptoContext_FinishDigest
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishDigest
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * tbd: Combination ops
+ */
+
+/*
+ * NSSCryptoContext_Clone
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSCryptoContext_Clone
+(
+  NSSCryptoContext *cc
+);
+
+/*
+ * NSSCryptoContext_Save
+ * NSSCryptoContext_Restore
+ *
+ * We need to be able to save and restore the state of contexts.
+ * Perhaps a mark-and-release mechanism would be better?
+ */
+
+/*
+ * ..._SignTBSCertificate
+ *
+ * This requires feedback from the cert server team.
+ */
+
+/*
+ * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
+ * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
+ *
+ * These will be helper functions which get the trust object for a cert,
+ * and then call the corresponding function(s) on it.
+ *
+ * PKIX trust objects will have methods to manipulate the low-level trust
+ * bits (which are based on key usage and extended key usage), and also the
+ * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
+ *
+ * Other types of trust objects (if any) might have different low-level
+ * representations, but hopefully high-level concepts would map.
+ *
+ * Only these high-level general routines would be promoted to the
+ * general certificate level here.  Hence the {xxx} above would be things
+ * like "EmailSigning."
+ *
+ *
+ * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
+ * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
+ *
+ * I want to hold off on any general trust object until we've investigated
+ * other models more thoroughly.
+ */
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKI_H */
diff --git a/security/nss/lib/pki/nsspkit.h b/security/nss/lib/pki/nsspkit.h
new file mode 100644
index 000000000..71c69956d
--- /dev/null
+++ b/security/nss/lib/pki/nsspkit.h
@@ -0,0 +1,274 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSPKIT_H
+#define NSSPKIT_H
+
+#ifdef DEBUG
+static const char NSSPKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nsspkit.h
+ *
+ * This file defines the types of the top-level PKI objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSCertificate
+ *
+ * This is the public representation of a Certificate.  The certificate
+ * may be one found on a smartcard or other token, one decoded from data
+ * received as part of a protocol, one constructed from constituent
+ * parts, etc.  Usually it is associated with ("in") a trust domain; as
+ * it can be verified only within a trust domain.  The underlying type
+ * of certificate may be of any supported standard, e.g. PKIX, PGP, etc.
+ *
+ * People speak of "verifying (with) the server's, or correspondant's, 
+ * certificate"; for simple operations we support that simplification
+ * by implementing public-key crypto operations as methods on this type.
+ */
+
+struct NSSCertificateStr;
+typedef struct NSSCertificateStr NSSCertificate;
+
+/*
+ * NSSUserCertificate
+ *
+ * A ``User'' certificate is one for which the private key is available.
+ * People speak of "using my certificate to sign my email" and "using
+ * my certificate to authenticate to (or login to) the server"; for
+ * simple operations, we support that simplification by implementing
+ * private-key crypto operations as methods on this type.
+ *
+ * The current design only weakly distinguishes between certificates
+ * and user certificates: as far as the compiler goes they're 
+ * interchangable; debug libraries only have one common pointer-tracker;
+ * etc.  However, attempts to do private-key operations on a certificate
+ * for which the private key is not available will fail.
+ *
+ * Open design question: should these types be more firmly separated?
+ */
+
+typedef NSSCertificate NSSUserCertificate;
+
+/*
+ * NSSPrivateKey
+ *
+ * This is the public representation of a Private Key.  In general,
+ * the actual value of the key is not available, but operations may
+ * be performed with it.
+ */
+
+struct NSSPrivateKeyStr;
+typedef struct NSSPrivateKeyStr NSSPrivateKey;
+
+/*
+ * NSSPublicKey
+ *
+ */
+
+struct NSSPublicKeyStr;
+typedef struct NSSPublicKeyStr NSSPublicKey;
+
+/*
+ * NSSSymmetricKey
+ *
+ */
+
+struct NSSSymmetricKeyStr;
+typedef struct NSSSymmetricKeyStr NSSSymmetricKey;
+
+/*
+ * NSSTrustDomain
+ *
+ * A Trust Domain is the field in which certificates may be validated.
+ * A trust domain will generally have one or more cryptographic modules
+ * open; these modules perform the cryptographic operations, and 
+ * provide the basic "root" trust information from which the trust in
+ * a specific certificate or key depends.
+ *
+ * A client program, or a simple server, would typically have one
+ * trust domain.  A server supporting multiple "virtual servers" might
+ * have a separate trust domain for each virtual server.  The separate
+ * trust domains might share some modules (e.g., a hardware crypto
+ * accelerator) but not others (e.g., the tokens storing the different
+ * servers' private keys, or the databases with each server's trusted
+ * root certificates).
+ *
+ * This object descends from the "permananet database" in the old code.
+ */
+
+struct NSSTrustDomainStr;
+typedef struct NSSTrustDomainStr NSSTrustDomain;
+
+/*
+ * NSSCryptoContext
+ *
+ * A Crypto Context is a short-term, "helper" object which is used
+ * for the lifetime of one ongoing "crypto operation."  Such an
+ * operation may be the creation of a signed message, the use of an
+ * TLS socket connection, etc.  Each crypto context is "in" a
+ * specific trust domain, and it may have associated with it a
+ * distinguished certificate, public key, private key, and/or
+ * symmetric key.  It can also temporarily hold and use temporary
+ * data (e.g. intermediate certificates) which is not stored
+ * permanently in the trust domain.
+ *
+ * In OO terms, this interface inherits interfaces from the trust
+ * domain, the certificates, and the keys.  It also provides
+ * streaming crypto operations.
+ *
+ * This object descends from the "temporary database" concept in the
+ * old code, but it has changed a lot as a result of what we've 
+ * learned.
+ */
+
+typedef struct NSSCryptoContextStr NSSCryptoContext;
+
+/*
+ * fgmr others
+ */
+
+/* 
+ * NSSTime
+ *
+ * Unfortunately, we need an "exceptional" value to indicate
+ * an error upon return, or "no value" on input.  Note that zero
+ * is a perfectly valid value for both time_t and PRTime.
+ *
+ * If we were to create a "range" object, with two times for
+ * Not Before and Not After, we would have an obvious place for
+ * the somewhat arbitrary logic involved in comparing them.
+ *
+ * Failing that, let's have an NSSTime_CompareRanges function.
+ */
+
+struct NSSTimeStr;
+typedef struct NSSTimeStr NSSTime;
+
+struct NSSTrustStr;
+typedef struct NSSTrustStr NSSTrust;
+
+/*
+ * NSSUsage
+ *
+ * This is trickier than originally planned; I'll write up a
+ * doc on it.
+ *
+ * We'd still like nsspki.h to have a list of common usages,
+ * e.g.:
+ *
+ *  extern const NSSUsage *NSSUsage_ClientAuth;
+ *  extern const NSSUsage *NSSUsage_ServerAuth;
+ *  extern const NSSUsage *NSSUsage_SignEmail;
+ *  extern const NSSUsage *NSSUsage_EncryptEmail;
+ *  etc.
+ */
+
+struct NSSUsageStr;
+typedef struct NSSUsageStr NSSUsage;
+
+/*
+ * NSSPolicies
+ *
+ * Placeholder, for now.
+ */
+
+struct NSSPoliciesStr;
+typedef struct NSSPoliciesStr NSSPolicies;
+
+/*
+ * NSSAlgorithmAndParameters
+ *
+ * Algorithm is an OID
+ * Parameters depend on the algorithm
+ */
+
+struct NSSAlgorithmAndParametersStr;
+typedef struct NSSAlgorithmAndParametersStr NSSAlgorithmAndParameters;
+
+/*
+ * NSSCallback
+ *
+ * At minimum, a "challenge" method and a closure argument.
+ * Usually the challenge will just be prompting for a password.
+ * How OO do we want to make it?
+ */
+
+typedef struct NSSCallbackStr NSSCallback;
+
+struct NSSCallbackStr {
+    /* Prompt for a password to initialize a slot.  */
+    PRStatus (* getInitPW)(NSSUTF8 *slotName, void *arg, 
+                           NSSUTF8 **ssoPW, NSSUTF8 **userPW); 
+    /* Prompt for oldPW and newPW in order to change the 
+     * password on a slot.  
+     */
+    PRStatus (* getNewPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
+                          NSSUTF8 **oldPW, NSSUTF8 **newPW); 
+    /* Prompt for slot password.  */
+    PRStatus (* getPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
+                       NSSUTF8 **password); 
+    void *arg;
+};
+
+/* set errors - user cancelled, ... */
+
+typedef PRUint32 NSSOperations;
+/* 1) Do we want these to be preprocessor definitions or constants? */
+/* 2) What is the correct and complete list? */
+
+#define NSSOperations_ENCRYPT           0x0001
+#define NSSOperations_DECRYPT           0x0002
+#define NSSOperations_WRAP              0x0004
+#define NSSOperations_UNWRAP            0x0008
+#define NSSOperations_SIGN              0x0010
+#define NSSOperations_SIGN_RECOVER      0x0020
+#define NSSOperations_VERIFY            0x0040
+#define NSSOperations_VERIFY_RECOVER    0x0080
+
+struct NSSPKIXCertificateStr;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKIT_H */
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
new file mode 100644
index 000000000..c705b7206
--- /dev/null
+++ b/security/nss/lib/pki/pki.h
@@ -0,0 +1,248 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKI_H
+#define PKI_H
+
+#ifdef DEBUG
+static const char PKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSCallback *
+nssTrustDomain_GetDefaultCallback
+(
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+);
+
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_FindCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSTrust *
+nssTrustDomain_FindTrustForCertificate
+(
+  NSSTrustDomain *td,
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSCertificate *
+nssCertificate_AddRef
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN PRStatus
+nssCertificate_Destroy
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSDER *
+nssCertificate_GetEncoding
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSDER *
+nssCertificate_GetIssuer
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSDER *
+nssCertificate_GetSerialNumber
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSDER *
+nssCertificate_GetSubject
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSUTF8 *
+nssCertificate_GetNickname
+(
+  NSSCertificate *c,
+  NSSToken *tokenOpt
+);
+
+NSS_EXTERN NSSASCII7 *
+nssCertificate_GetEmailAddress
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN PRBool
+nssCertificate_IssuerAndSerialEqual
+(
+  NSSCertificate *c1,
+  NSSCertificate *c2
+);
+
+NSS_EXTERN NSSPrivateKey *
+nssPrivateKey_AddRef
+(
+  NSSPrivateKey *vk
+);
+
+NSS_EXTERN PRStatus
+nssPrivateKey_Destroy
+(
+  NSSPrivateKey *vk
+);
+
+NSS_EXTERN NSSItem *
+nssPrivateKey_GetID
+(
+  NSSPrivateKey *vk
+);
+
+NSS_EXTERN NSSUTF8 *
+nssPrivateKey_GetNickname
+(
+  NSSPrivateKey *vk,
+  NSSToken *tokenOpt
+);
+
+NSS_EXTERN PRStatus
+nssPublicKey_Destroy
+(
+  NSSPublicKey *bk
+);
+
+NSS_EXTERN NSSItem *
+nssPublicKey_GetID
+(
+  NSSPublicKey *vk
+);
+
+NSS_EXTERN NSSCertificate **
+nssCryptoContext_FindCertificatesBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/* putting here for now, needs more thought */
+NSS_EXTERN PRStatus
+nssCryptoContext_ImportTrust
+(
+  NSSCryptoContext *cc,
+  NSSTrust *trust
+);
+
+NSS_EXTERN NSSTrust *
+nssCryptoContext_FindTrustForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN PRStatus
+nssCryptoContext_ImportSMIMEProfile
+(
+  NSSCryptoContext *cc,
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssCryptoContext_FindSMIMEProfileForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN NSSTrust *
+nssTrust_AddRef
+(
+  NSSTrust *trust
+);
+
+NSS_EXTERN PRStatus
+nssTrust_Destroy
+(
+  NSSTrust *trust
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssSMIMEProfile_AddRef
+(
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN PRStatus
+nssSMIMEProfile_Destroy
+(
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssSMIMEProfile_Create
+(
+  NSSCertificate *cert,
+  NSSItem *profileTime,
+  NSSItem *profileData
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKI_H */
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
new file mode 100644
index 000000000..6171f69bb
--- /dev/null
+++ b/security/nss/lib/pki/pki3hack.c
@@ -0,0 +1,1289 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
+ */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVNSS3HACK_H
+#include "dev3hack.h"
+#endif /* DEVNSS3HACK_H */
+
+#ifndef PKINSS3HACK_H
+#include "pki3hack.h"
+#endif /* PKINSS3HACK_H */
+
+#include "secitem.h"
+#include "certdb.h"
+#include "certt.h"
+#include "cert.h"
+#include "certi.h"
+#include "pk11func.h"
+#include "pkistore.h"
+#include "secmod.h"
+#include "nssrwlk.h"
+
+NSSTrustDomain *g_default_trust_domain = NULL;
+
+NSSCryptoContext *g_default_crypto_context = NULL;
+
+NSSTrustDomain *
+STAN_GetDefaultTrustDomain()
+{
+    return g_default_trust_domain;
+}
+
+NSSCryptoContext *
+STAN_GetDefaultCryptoContext()
+{
+    return g_default_crypto_context;
+}
+
+extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+NSS_IMPLEMENT PRStatus
+STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot)
+{
+    NSSToken *token;
+    if (!td) {
+	td = g_default_trust_domain;
+    }
+    token = nssToken_CreateFromPK11SlotInfo(td, slot);
+    PK11Slot_SetNSSToken(slot, token);
+    /* Don't add non-existent token to TD's token list */
+    if (token) {
+	NSSRWLock_LockWrite(td->tokensLock);
+	nssList_Add(td->tokenList, token);
+	NSSRWLock_UnlockWrite(td->tokensLock);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+STAN_ResetTokenInterator(NSSTrustDomain *td)
+{
+    if (!td) {
+	td = g_default_trust_domain;
+    }
+    NSSRWLock_LockWrite(td->tokensLock);
+    nssListIterator_Destroy(td->tokens);
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    NSSRWLock_UnlockWrite(td->tokensLock);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+STAN_LoadDefaultNSS3TrustDomain (
+  void
+)
+{
+    NSSTrustDomain *td;
+    SECMODModuleList *mlp;
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    int i;
+
+    if (g_default_trust_domain || g_default_crypto_context) {
+	/* Stan is already initialized or a previous shutdown failed. */
+	nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
+	return PR_FAILURE;
+    }
+    td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
+    if (!td) {
+	return PR_FAILURE;
+    }
+    /*
+     * Deadlock warning: we should never acquire the moduleLock while
+     * we hold the tokensLock. We can use the NSSRWLock Rank feature to
+     * guarrentee this. tokensLock have a higher rank than module lock.
+     */
+    td->tokenList = nssList_Create(td->arena, PR_TRUE);
+    if (!td->tokenList) {
+	goto loser;
+    }
+    SECMOD_GetReadLock(moduleLock);
+    NSSRWLock_LockWrite(td->tokensLock);
+    for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
+	}
+    }
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    NSSRWLock_UnlockWrite(td->tokensLock);
+    SECMOD_ReleaseReadLock(moduleLock);
+    if (!td->tokens) {
+	goto loser;
+    }
+    g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
+    if (!g_default_crypto_context) {
+	goto loser;
+    }
+    g_default_trust_domain = td;
+    return PR_SUCCESS;
+
+  loser:
+    NSSTrustDomain_Destroy(td);
+    return PR_FAILURE;
+}
+
+/*
+ * must be called holding the ModuleListLock (either read or write).
+ */
+NSS_IMPLEMENT SECStatus
+STAN_AddModuleToDefaultTrustDomain (
+  SECMODModule *module
+)
+{
+    NSSTrustDomain *td;
+    int i;
+    td = STAN_GetDefaultTrustDomain();
+    for (i=0; i<module->slotCount; i++) {
+	STAN_InitTokenForSlotInfo(td, module->slots[i]);
+    }
+    STAN_ResetTokenInterator(td);
+    return SECSuccess;
+}
+
+/*
+ * must be called holding the ModuleListLock (either read or write).
+ */
+NSS_IMPLEMENT SECStatus
+STAN_RemoveModuleFromDefaultTrustDomain (
+  SECMODModule *module
+)
+{
+    NSSToken *token;
+    NSSTrustDomain *td;
+    int i;
+    td = STAN_GetDefaultTrustDomain();
+    NSSRWLock_LockWrite(td->tokensLock);
+    for (i=0; i<module->slotCount; i++) {
+	token = PK11Slot_GetNSSToken(module->slots[i]);
+	if (token) {
+	    nssToken_NotifyCertsNotVisible(token);
+	    nssList_Remove(td->tokenList, token);
+	    PK11Slot_SetNSSToken(module->slots[i], NULL);
+	    nssToken_Destroy(token);
+ 	}
+    }
+    nssListIterator_Destroy(td->tokens);
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    NSSRWLock_UnlockWrite(td->tokensLock);
+    return SECSuccess;
+}
+
+NSS_IMPLEMENT PRStatus
+STAN_Shutdown()
+{
+    PRStatus status = PR_SUCCESS;
+    if (g_default_trust_domain) {
+	if (NSSTrustDomain_Destroy(g_default_trust_domain) == PR_SUCCESS) {
+	    g_default_trust_domain = NULL;
+	} else {
+	    status = PR_FAILURE;
+	}
+    }
+    if (g_default_crypto_context) {
+	if (NSSCryptoContext_Destroy(g_default_crypto_context) == PR_SUCCESS) {
+	    g_default_crypto_context = NULL;
+	} else {
+	    status = PR_FAILURE;
+	}
+    }
+    return status;
+}
+
+/* this function should not be a hack; it will be needed in 4.0 (rename) */
+NSS_IMPLEMENT NSSItem *
+STAN_GetCertIdentifierFromDER(NSSArena *arenaOpt, NSSDER *der)
+{
+    NSSItem *rvKey;
+    SECItem secDER;
+    SECItem secKey = { 0 };
+    SECStatus secrv;
+    PRArenaPool *arena;
+
+    SECITEM_FROM_NSSITEM(&secDER, der);
+
+    /* nss3 call uses nss3 arena's */
+    arena = PORT_NewArena(256);
+    if (!arena) {
+	return NULL;
+    }
+    secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
+    if (secrv != SECSuccess) {
+	return NULL;
+    }
+    rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
+    PORT_FreeArena(arena,PR_FALSE);
+    return rvKey;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+                                     NSSDER *issuer, NSSDER *serial)
+{
+    SECStatus secrv;
+    SECItem derCert;
+    SECItem derIssuer = { 0 };
+    SECItem derSerial = { 0 };
+    SECITEM_FROM_NSSITEM(&derCert, der);
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    if (secrv != SECSuccess) {
+	PORT_Free(derSerial.data);
+	return PR_FAILURE;
+    }
+    (void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
+    PORT_Free(derSerial.data);
+    PORT_Free(derIssuer.data);
+    return PR_SUCCESS;
+}
+
+static NSSItem *
+nss3certificate_getIdentifier(nssDecodedCert *dc)
+{
+    NSSItem *rvID;
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    rvID = nssItem_Create(NULL, NULL, c->certKey.len, c->certKey.data);
+    return rvID;
+}
+
+static void *
+nss3certificate_getIssuerIdentifier(nssDecodedCert *dc)
+{
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    return (void *)c->authKeyID;
+}
+
+static nssCertIDMatch
+nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
+{
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    CERTAuthKeyID *authKeyID = (CERTAuthKeyID *)id;
+    SECItem skid;
+    nssCertIDMatch match = nssCertIDMatch_Unknown;
+
+    /* keyIdentifier */
+    if (authKeyID->keyID.len > 0 &&
+	CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+	PRBool skiEqual;
+	skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+	PORT_Free(skid.data);
+	if (skiEqual) {
+	    /* change the state to positive match, but keep going */
+	    match = nssCertIDMatch_Yes;
+	} else {
+	    /* exit immediately on failure */
+	    return nssCertIDMatch_No;
+	}
+    }
+
+    /* issuer/serial (treated as pair) */
+    if (authKeyID->authCertIssuer) {
+	SECItem *caName = NULL;
+	SECItem *caSN = &authKeyID->authCertSerialNumber;
+
+	caName = (SECItem *)CERT_GetGeneralNameByType(
+	                                        authKeyID->authCertIssuer,
+						certDirectoryName, PR_TRUE);
+	if (caName != NULL &&
+	    SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+	    SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) 
+	{
+	    match = nssCertIDMatch_Yes;
+	} else {
+	    match = nssCertIDMatch_Unknown;
+	}
+    }
+    return match;
+}
+
+static PRBool
+nss3certificate_isValidIssuer(nssDecodedCert *dc)
+{
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    unsigned int ignore;
+    return CERT_IsCACert(c, &ignore);
+}
+
+static NSSUsage *
+nss3certificate_getUsage(nssDecodedCert *dc)
+{
+    /* CERTCertificate *c = (CERTCertificate *)dc->data; */
+    return NULL;
+}
+
+static PRBool 
+nss3certificate_isValidAtTime(nssDecodedCert *dc, NSSTime *time)
+{
+    SECCertTimeValidity validity;
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
+    if (validity == secCertTimeValid) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+static PRBool 
+nss3certificate_isNewerThan(nssDecodedCert *dc, nssDecodedCert *cmpdc)
+{
+    /* I know this isn't right, but this is glue code anyway */
+    if (cmpdc->type == dc->type) {
+	CERTCertificate *certa = (CERTCertificate *)dc->data;
+	CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
+	return CERT_IsNewer(certa, certb);
+    }
+    return PR_FALSE;
+}
+
+/* CERT_FilterCertListByUsage */
+static PRBool
+nss3certificate_matchUsage(nssDecodedCert *dc, const NSSUsage *usage)
+{
+    CERTCertificate *cc;
+    unsigned int requiredKeyUsage = 0;
+    unsigned int requiredCertType = 0;
+    SECStatus secrv;
+    PRBool match;
+    PRBool ca;
+
+    /* This is for NSS 3.3 functions that do not specify a usage */
+    if (usage->anyUsage) {
+	return PR_TRUE;
+    }
+    ca = usage->nss3lookingForCA;
+    secrv = CERT_KeyUsageAndTypeForCertUsage(usage->nss3usage, ca,
+                                             &requiredKeyUsage,
+                                             &requiredCertType);
+    if (secrv != SECSuccess) {
+	return PR_FALSE;
+    }
+    cc = (CERTCertificate *)dc->data;
+    secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
+    match = (PRBool)(secrv == SECSuccess);
+    if (match) {
+	unsigned int certType = 0;
+	if (ca) {
+	    (void)CERT_IsCACert(cc, &certType);
+	} else {
+	    certType = cc->nsCertType;
+	}
+	if (!(certType & requiredCertType)) {
+	    match = PR_FALSE;
+	}
+    }
+    return match;
+}
+
+static NSSASCII7 *
+nss3certificate_getEmailAddress(nssDecodedCert *dc)
+{
+    CERTCertificate *cc = (CERTCertificate *)dc->data;
+    return (cc && cc->emailAddr && cc->emailAddr[0])
+	    ? (NSSASCII7 *)cc->emailAddr : NULL;
+}
+
+static PRStatus
+nss3certificate_getDERSerialNumber(nssDecodedCert *dc, 
+                                   NSSDER *serial, NSSArena *arena)
+{
+    CERTCertificate *cc = (CERTCertificate *)dc->data;
+    SECItem derSerial = { 0 };
+    SECStatus secrv;
+    secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+    if (secrv == SECSuccess) {
+	(void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+	return PR_SUCCESS;
+    }
+    return PR_FAILURE;
+}
+
+/* Returns NULL if "encoding" cannot be decoded. */
+NSS_IMPLEMENT nssDecodedCert *
+nssDecodedPKIXCertificate_Create (
+  NSSArena *arenaOpt,
+  NSSDER *encoding
+)
+{
+    nssDecodedCert  *rvDC = NULL;
+    CERTCertificate *cert;
+    SECItem          secDER;
+
+    SECITEM_FROM_NSSITEM(&secDER, encoding);
+    cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
+    if (cert) {
+	rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
+	if (rvDC) {
+	    rvDC->type                = NSSCertificateType_PKIX;
+	    rvDC->data                = (void *)cert;
+	    rvDC->getIdentifier       = nss3certificate_getIdentifier;
+	    rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+	    rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
+	    rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
+	    rvDC->getUsage            = nss3certificate_getUsage;
+	    rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
+	    rvDC->isNewerThan         = nss3certificate_isNewerThan;
+	    rvDC->matchUsage          = nss3certificate_matchUsage;
+	    rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
+	    rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
+	} else {
+	    CERT_DestroyCertificate(cert);
+	}
+    }
+    return rvDC;
+}
+
+static nssDecodedCert *
+create_decoded_pkix_cert_from_nss3cert (
+  NSSArena *arenaOpt,
+  CERTCertificate *cc
+)
+{
+    nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
+    if (rvDC) {
+	rvDC->type                = NSSCertificateType_PKIX;
+	rvDC->data                = (void *)cc;
+	rvDC->getIdentifier       = nss3certificate_getIdentifier;
+	rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+	rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
+	rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
+	rvDC->getUsage            = nss3certificate_getUsage;
+	rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
+	rvDC->isNewerThan         = nss3certificate_isNewerThan;
+	rvDC->matchUsage          = nss3certificate_matchUsage;
+	rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
+    }
+    return rvDC;
+}
+
+NSS_IMPLEMENT PRStatus
+nssDecodedPKIXCertificate_Destroy (
+  nssDecodedCert *dc
+)
+{
+    CERTCertificate *cert = (CERTCertificate *)dc->data;
+
+    /* The decoder may only be half initialized (the case where we find we 
+     * could not decode the certificate). In this case, there is not cert to
+     * free, just free the dc structure. */
+    if (cert) {
+	PRBool freeSlot = cert->ownSlot;
+	PK11SlotInfo *slot = cert->slot;
+	PRArenaPool *arena  = cert->arena;
+	/* zero cert before freeing. Any stale references to this cert
+	 * after this point will probably cause an exception.  */
+	PORT_Memset(cert, 0, sizeof *cert);
+	/* free the arena that contains the cert. */
+	PORT_FreeArena(arena, PR_FALSE);
+	if (slot && freeSlot) {
+	    PK11_FreeSlot(slot);
+	}
+    }
+    nss_ZFreeIf(dc);
+    return PR_SUCCESS;
+}
+
+/* see pk11cert.c:pk11_HandleTrustObject */
+static unsigned int
+get_nss3trust_from_nss4trust(CK_TRUST t)
+{
+    unsigned int rt = 0;
+    if (t == nssTrustLevel_Trusted) {
+	rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+    }
+    if (t == nssTrustLevel_TrustedDelegator) {
+	rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
+    }
+    if (t == nssTrustLevel_Valid) {
+	rt |= CERTDB_VALID_PEER;
+    }
+    if (t == nssTrustLevel_ValidDelegator) {
+	rt |= CERTDB_VALID_CA;
+    }
+    return rt;
+}
+
+static CERTCertTrust *
+cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
+{
+    CERTCertTrust *rvTrust;
+    unsigned int client;
+    if (!t) {
+	return NULL;
+    }
+    rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
+    if (!rvTrust) return NULL;
+    rvTrust->sslFlags = get_nss3trust_from_nss4trust(t->serverAuth);
+    client = get_nss3trust_from_nss4trust(t->clientAuth);
+    if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
+	client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
+	rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
+    }
+    rvTrust->sslFlags |= client;
+    rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
+    rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
+    /* The cert is a valid step-up cert (in addition to/lieu of trust above */
+    if (t->stepUpApproved) {
+	rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
+    }
+    return rvTrust;
+}
+
+CERTCertTrust * 
+nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
+{
+    CERTCertTrust *rvTrust = NULL;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSTrust *t;
+    t = nssTrustDomain_FindTrustForCertificate(td, c);
+    if (t) {
+	rvTrust = cert_trust_from_stan_trust(t, cc->arena);
+	if (!rvTrust) {
+	    nssTrust_Destroy(t);
+	    return NULL;
+	}
+	nssTrust_Destroy(t);
+    } else {
+	rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+	if (!rvTrust) {
+	    return NULL;
+	}
+	memset(rvTrust, 0, sizeof(*rvTrust));
+    }
+    if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
+	rvTrust->sslFlags |= CERTDB_USER;
+	rvTrust->emailFlags |= CERTDB_USER;
+	rvTrust->objectSigningFlags |= CERTDB_USER;
+    }
+    return rvTrust;
+}
+
+static nssCryptokiInstance *
+get_cert_instance(NSSCertificate *c)
+{
+    nssCryptokiObject *instance, **ci;
+    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+    if (!instances) {
+	return NULL;
+    }
+    instance = NULL;
+    for (ci = instances; *ci; ci++) {
+	if (!instance) {
+	    instance = nssCryptokiObject_Clone(*ci);
+	} else {
+	    /* This only really works for two instances...  But 3.4 can't
+	     * handle more anyway.  The logic is, if there are multiple
+	     * instances, prefer the one that is not internal (e.g., on
+	     * a hardware device.
+	     */
+	    if (PK11_IsInternal(instance->token->pk11slot)) {
+		nssCryptokiObject_Destroy(instance);
+		instance = nssCryptokiObject_Clone(*ci);
+	    }
+	}
+    }
+    nssCryptokiObjectArray_Destroy(instances);
+    return instance;
+}
+
+char * 
+STAN_GetCERTCertificateNameForInstance (
+  PLArenaPool *arenaOpt,
+  NSSCertificate *c,
+  nssCryptokiInstance *instance
+)
+{
+    NSSCryptoContext *context = c->object.cryptoContext;
+    PRStatus nssrv;
+    int nicklen, tokenlen, len;
+    NSSUTF8 *tokenName = NULL;
+    NSSUTF8 *stanNick = NULL;
+    char *nickname = NULL;
+    char *nick;
+
+    if (instance) {
+	stanNick = instance->label;
+    } else if (context) {
+	stanNick = c->object.tempName;
+    }
+    if (stanNick) {
+	/* fill other fields needed by NSS3 functions using CERTCertificate */
+	if (instance && (!PK11_IsInternal(instance->token->pk11slot) || 
+	                 PORT_Strchr(stanNick, ':') != NULL) ) {
+	    tokenName = nssToken_GetName(instance->token);
+	    tokenlen = nssUTF8_Size(tokenName, &nssrv);
+	} else {
+	/* don't use token name for internal slot; 3.3 didn't */
+	    tokenlen = 0;
+	}
+	nicklen = nssUTF8_Size(stanNick, &nssrv);
+	len = tokenlen + nicklen;
+	if (arenaOpt) {
+	    nickname = PORT_ArenaAlloc(arenaOpt, len);
+	} else {
+	    nickname = PORT_Alloc(len);
+	}
+	nick = nickname;
+	if (tokenName) {
+	    memcpy(nick, tokenName, tokenlen-1);
+	    nick += tokenlen-1;
+	    *nick++ = ':';
+	}
+	memcpy(nick, stanNick, nicklen-1);
+	nickname[len-1] = '\0';
+    }
+    return nickname;
+}
+
+char * 
+STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c)
+{
+    char * result;
+    nssCryptokiInstance *instance = get_cert_instance(c);
+    /* It's OK to call this function, even if instance is NULL */
+    result = STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance);
+    if (instance)
+	nssCryptokiObject_Destroy(instance);
+    return result;
+}
+
+static void
+fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced)
+{
+    CERTCertTrust* trust = NULL;
+    NSSTrust *nssTrust;
+    NSSCryptoContext *context = c->object.cryptoContext;
+    nssCryptokiInstance *instance;
+    NSSUTF8 *stanNick = NULL;
+
+    /* We are holding the base class object's lock on entry of this function
+     * This lock protects writes to fields of the CERTCertificate .
+     * It is also needed by some functions to compute values such as trust.
+     */
+    instance = get_cert_instance(c);
+
+    if (instance) {
+	stanNick = instance->label;
+    } else if (context) {
+	stanNick = c->object.tempName;
+    }
+    /* fill other fields needed by NSS3 functions using CERTCertificate */
+    if ((!cc->nickname && stanNick) || forced) {
+	PRStatus nssrv;
+	int nicklen, tokenlen, len;
+	NSSUTF8 *tokenName = NULL;
+	char *nick;
+	if (instance && 
+	     (!PK11_IsInternal(instance->token->pk11slot) || 
+	      (stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
+	    tokenName = nssToken_GetName(instance->token);
+	    tokenlen = nssUTF8_Size(tokenName, &nssrv);
+	} else {
+	    /* don't use token name for internal slot; 3.3 didn't */
+	    tokenlen = 0;
+	}
+	if (stanNick) {
+	    nicklen = nssUTF8_Size(stanNick, &nssrv);
+	    len = tokenlen + nicklen;
+	    nick = PORT_ArenaAlloc(cc->arena, len);
+	    if (tokenName) {
+		memcpy(nick, tokenName, tokenlen-1);
+		nick[tokenlen-1] = ':';
+		memcpy(nick+tokenlen, stanNick, nicklen-1);
+	    } else {
+		memcpy(nick, stanNick, nicklen-1);
+	    }
+	    nick[len-1] = '\0';
+            cc->nickname = nick;
+	} else {
+	    cc->nickname = NULL;
+	}
+    }
+    if (context) {
+	/* trust */
+	nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
+	if (nssTrust) {
+            trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
+            if (trust) {
+                /* we should destroy cc->trust before replacing it, but it's
+                   allocated in cc->arena, so memory growth will occur on each
+                   refresh */
+                cc->trust = trust;
+            }
+	    nssTrust_Destroy(nssTrust);
+	}
+    } else if (instance) {
+	/* slot */
+	if (cc->slot != instance->token->pk11slot) {
+	    if (cc->slot) {
+		PK11_FreeSlot(cc->slot);
+	    }
+	    cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
+	}
+	cc->ownSlot = PR_TRUE;
+	/* pkcs11ID */
+	cc->pkcs11ID = instance->handle;
+	/* trust */
+	trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+        if (trust) {
+            /* we should destroy cc->trust before replacing it, but it's
+               allocated in cc->arena, so memory growth will occur on each
+               refresh */
+            cc->trust = trust;
+        }
+	nssCryptokiObject_Destroy(instance);
+    } 
+    /* database handle is now the trust domain */
+    cc->dbhandle = c->object.trustDomain;
+    /* subjectList ? */
+    /* istemp and isperm are supported in NSS 3.4 */
+    cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
+    cc->isperm = PR_TRUE;  /* by default */
+    /* pointer back */
+    cc->nssCertificate = c;
+    if (trust) {
+	/* force the cert type to be recomputed to include trust info */
+	PRUint32 nsCertType = cert_ComputeCertType(cc);
+
+	/* Assert that it is safe to cast &cc->nsCertType to "PRInt32 *" */
+	PORT_Assert(sizeof(cc->nsCertType) == sizeof(PRInt32));
+	PR_AtomicSet((PRInt32 *)&cc->nsCertType, nsCertType);
+    }
+}
+
+static CERTCertificate *
+stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
+{
+    nssDecodedCert *dc = NULL;
+    CERTCertificate *cc = NULL;
+
+    nssPKIObject_Lock(&c->object);
+
+    dc = c->decoding;
+    if (!dc) {
+	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
+	if (!dc) {
+            goto loser;
+        }
+	cc = (CERTCertificate *)dc->data;
+	PORT_Assert(cc); /* software error */
+	if (!cc) {
+	    nssDecodedPKIXCertificate_Destroy(dc);
+	    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+	    goto loser;
+	}
+    	PORT_Assert(!c->decoding); 
+	if (!c->decoding) {
+	    c->decoding = dc;
+	} else { 
+            /* this should never happen. Fail. */
+	    nssDecodedPKIXCertificate_Destroy(dc);
+	    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+            goto loser;
+	}
+    }
+    cc = (CERTCertificate *)dc->data;
+    PORT_Assert(cc);
+    if (!cc) {
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        goto loser;
+    }
+    if (!cc->nssCertificate || forceUpdate) {
+        fill_CERTCertificateFields(c, cc, forceUpdate);
+    } else if (!cc->trust && !c->object.cryptoContext) {
+        /* if it's a perm cert, it might have been stored before the
+         * trust, so look for the trust again.  But a temp cert can be
+         * ignored.
+         */
+        CERTCertTrust* trust = NULL;
+        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+        cc->trust = trust;
+    }
+
+  loser:
+    nssPKIObject_Unlock(&c->object);
+    return cc;
+}
+
+NSS_IMPLEMENT CERTCertificate *
+STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
+{
+    if (c->decoding) {
+	return stan_GetCERTCertificate(c, PR_TRUE);
+    }
+    return NULL;
+}
+
+NSS_IMPLEMENT CERTCertificate *
+STAN_GetCERTCertificate(NSSCertificate *c)
+{
+    return stan_GetCERTCertificate(c, PR_FALSE);
+}
+/*
+ * many callers of STAN_GetCERTCertificate() intend that
+ * the CERTCertificate returned inherits the reference to the 
+ * NSSCertificate. For these callers it's convenient to have 
+ * this function 'own' the reference and either return a valid 
+ * CERTCertificate structure which inherits the reference or 
+ * destroy the reference to NSSCertificate and returns NULL.
+ */
+NSS_IMPLEMENT CERTCertificate *
+STAN_GetCERTCertificateOrRelease(NSSCertificate *c)
+{
+    CERTCertificate *nss3cert = stan_GetCERTCertificate(c, PR_FALSE);
+    if (!nss3cert) {
+	nssCertificate_Destroy(c);
+    }
+    return nss3cert;
+}
+
+static nssTrustLevel
+get_stan_trust(unsigned int t, PRBool isClientAuth) 
+{
+    if (isClientAuth) {
+	if (t & CERTDB_TRUSTED_CLIENT_CA) {
+	    return nssTrustLevel_TrustedDelegator;
+	}
+    } else {
+	if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
+	    return nssTrustLevel_TrustedDelegator;
+	}
+    }
+    if (t & CERTDB_TRUSTED) {
+	return nssTrustLevel_Trusted;
+    }
+    if (t & CERTDB_VALID_CA) {
+	return nssTrustLevel_ValidDelegator;
+    }
+    if (t & CERTDB_VALID_PEER) {
+	return nssTrustLevel_Valid;
+    }
+    return nssTrustLevel_NotTrusted;
+}
+
+NSS_EXTERN NSSCertificate *
+STAN_GetNSSCertificate(CERTCertificate *cc)
+{
+    NSSCertificate *c;
+    nssCryptokiInstance *instance;
+    nssPKIObject *pkiob;
+    NSSArena *arena;
+    c = cc->nssCertificate;
+    if (c) {
+    	return c;
+    }
+    /* i don't think this should happen.  but if it can, need to create
+     * NSSCertificate from CERTCertificate values here.  */
+    /* Yup, it can happen. */
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    c = nss_ZNEW(arena, NSSCertificate);
+    if (!c) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
+    c->type = NSSCertificateType_PKIX;
+    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKIMonitor);
+    if (!pkiob) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    c->object = *pkiob;
+    nssItem_Create(arena,
+                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
+    nssItem_Create(arena,
+                   &c->subject, cc->derSubject.len, cc->derSubject.data);
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	SECItem derSerial;
+	SECStatus secrv;
+	secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+	if (secrv == SECFailure) {
+	    nssArena_Destroy(arena);
+	    return NULL;
+	}
+	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+    }
+    if (cc->emailAddr && cc->emailAddr[0]) {
+        c->email = nssUTF8_Create(arena,
+                                  nssStringType_PrintableString,
+                                  (NSSUTF8 *)cc->emailAddr,
+                                  PORT_Strlen(cc->emailAddr));
+    }
+    if (cc->slot) {
+	instance = nss_ZNEW(arena, nssCryptokiInstance);
+	if (!instance) {
+	    nssArena_Destroy(arena);
+	    return NULL;
+	}
+	instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
+	instance->handle = cc->pkcs11ID;
+	instance->isTokenObject = PR_TRUE;
+	if (cc->nickname) {
+	    instance->label = nssUTF8_Create(arena,
+	                                     nssStringType_UTF8String,
+	                                     (NSSUTF8 *)cc->nickname,
+	                                     PORT_Strlen(cc->nickname));
+	}
+	nssPKIObject_AddInstance(&c->object, instance);
+    }
+    c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
+    cc->nssCertificate = c;
+    return c;
+}
+
+static NSSToken*
+stan_GetTrustToken (
+  NSSCertificate *c
+)
+{
+    NSSToken *ttok = NULL;
+    NSSToken *rtok = NULL;
+    NSSToken *tok = NULL;
+    nssCryptokiObject **ip;
+    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+    if (!instances) {
+	return PR_FALSE;
+    }
+    for (ip = instances; *ip; ip++) {
+	nssCryptokiObject *instance = *ip;
+        nssCryptokiObject *to = 
+		nssToken_FindTrustForCertificate(instance->token, NULL,
+		&c->encoding, &c->issuer, &c->serial, 
+		nssTokenSearchType_TokenOnly);
+	NSSToken *ctok = instance->token;
+	PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
+
+	if (to) {
+	    nssCryptokiObject_Destroy(to);
+	    ttok = ctok;
+ 	    if (!ro) {
+		break;
+	    }
+	} else {
+	    if (!rtok && ro) {
+		rtok = ctok;
+	    } 
+	    if (!tok && !ro) {
+		tok = ctok;
+	    }
+	}
+    }
+    nssCryptokiObjectArray_Destroy(instances);
+    return ttok ? ttok : (tok ? tok : rtok);
+}
+
+NSS_EXTERN PRStatus
+STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
+{
+    PRStatus nssrv;
+    NSSCertificate *c = STAN_GetNSSCertificate(cc);
+    NSSToken *tok;
+    NSSTrustDomain *td;
+    NSSTrust *nssTrust;
+    NSSArena *arena;
+    CERTCertTrust *oldTrust;
+    nssListIterator *tokens;
+    PRBool moving_object;
+    nssCryptokiObject *newInstance;
+    nssPKIObject *pkiob;
+
+    if (c == NULL) {
+        return SECFailure;
+    }
+    oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
+    if (oldTrust) {
+	if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
+	    /* ... and the new trust is no different, done) */
+	    return PR_SUCCESS;
+	} else {
+	    /* take over memory already allocated in cc's arena */
+	    cc->trust = oldTrust;
+	}
+    } else {
+	cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+    }
+    memcpy(cc->trust, trust, sizeof(CERTCertTrust));
+    /* Set the NSSCerticate's trust */
+    arena = nssArena_Create();
+    if (!arena) return PR_FAILURE;
+    nssTrust = nss_ZNEW(arena, NSSTrust);
+    if (!nssTrust) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKILock);
+    if (!pkiob) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    nssTrust->object = *pkiob;
+    nssTrust->certificate = c;
+    nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
+    nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
+    nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
+    nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
+    nssTrust->stepUpApproved = 
+                    (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
+    if (c->object.cryptoContext != NULL) {
+	/* The cert is in a context, set the trust there */
+	NSSCryptoContext *cc = c->object.cryptoContext;
+	nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
+	if (nssrv != PR_SUCCESS) {
+	    goto done;
+	}
+	if (c->object.numInstances == 0) {
+	    /* The context is the only instance, finished */
+	    goto done;
+	}
+    }
+    td = STAN_GetDefaultTrustDomain();
+    tok = stan_GetTrustToken(c);
+    moving_object = PR_FALSE;
+    if (tok && PK11_IsReadOnly(tok->pk11slot))  {
+	NSSRWLock_LockRead(td->tokensLock);
+	tokens = nssList_CreateIterator(td->tokenList);
+	if (!tokens) {
+	    nssrv = PR_FAILURE;
+	    NSSRWLock_UnlockRead(td->tokensLock);
+	    goto done;
+	}
+	for (tok  = (NSSToken *)nssListIterator_Start(tokens);
+	     tok != (NSSToken *)NULL;
+	     tok  = (NSSToken *)nssListIterator_Next(tokens))
+	{
+	    if (!PK11_IsReadOnly(tok->pk11slot)) break;
+	}
+	nssListIterator_Finish(tokens);
+	nssListIterator_Destroy(tokens);
+	NSSRWLock_UnlockRead(td->tokensLock);
+	moving_object = PR_TRUE;
+    } 
+    if (tok) {
+	if (moving_object) {
+	    /* this is kind of hacky.  the softoken needs the cert
+	     * object in order to store trust.  forcing it to be perm
+	     */
+	    NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
+	    NSSASCII7 *email = NULL;
+
+	    if (PK11_IsInternal(tok->pk11slot)) {
+		email = c->email;
+	    }
+	    newInstance = nssToken_ImportCertificate(tok, NULL,
+	                                             NSSCertificateType_PKIX,
+	                                             &c->id,
+	                                             nickname,
+	                                             &c->encoding,
+	                                             &c->issuer,
+	                                             &c->subject,
+	                                             &c->serial,
+						     email,
+	                                             PR_TRUE);
+	    if (!newInstance) {
+		nssrv = PR_FAILURE;
+		goto done;
+	    }
+	    nssPKIObject_AddInstance(&c->object, newInstance);
+	}
+	newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
+	                                   &c->issuer, &c->serial,
+	                                   nssTrust->serverAuth,
+	                                   nssTrust->clientAuth,
+	                                   nssTrust->codeSigning,
+	                                   nssTrust->emailProtection,
+	                                   nssTrust->stepUpApproved, PR_TRUE);
+	/* If the selected token can't handle trust, dump the trust on 
+	 * the internal token */
+	if (!newInstance && !PK11_IsInternal(tok->pk11slot)) {
+	    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+	    NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
+	    NSSASCII7 *email = c->email;
+	    tok = PK11Slot_GetNSSToken(slot);
+	    PK11_FreeSlot(slot);
+	
+	    newInstance = nssToken_ImportCertificate(tok, NULL,
+	                                             NSSCertificateType_PKIX,
+	                                             &c->id,
+	                                             nickname,
+	                                             &c->encoding,
+	                                             &c->issuer,
+	                                             &c->subject,
+	                                             &c->serial,
+						     email,
+	                                             PR_TRUE);
+	    if (!newInstance) {
+		nssrv = PR_FAILURE;
+		goto done;
+	    }
+	    nssPKIObject_AddInstance(&c->object, newInstance);
+	    newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
+	                                   &c->issuer, &c->serial,
+	                                   nssTrust->serverAuth,
+	                                   nssTrust->clientAuth,
+	                                   nssTrust->codeSigning,
+	                                   nssTrust->emailProtection,
+	                                   nssTrust->stepUpApproved, PR_TRUE);
+	}
+	if (newInstance) {
+	    nssCryptokiObject_Destroy(newInstance);
+	    nssrv = PR_SUCCESS;
+	} else {
+	    nssrv = PR_FAILURE;
+	}
+    } else {
+	nssrv = PR_FAILURE;
+    }
+done:
+    (void)nssTrust_Destroy(nssTrust);
+    return nssrv;
+}
+
+/* CERT_TraversePermCertsForSubject */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_TraverseCertificatesBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSArena *tmpArena;
+    NSSCertificate **subjectCerts;
+    NSSCertificate *c;
+    PRIntn i;
+    tmpArena = NSSArena_Create();
+    if (!tmpArena) {
+        return PR_FAILURE;
+    }
+    subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
+                                                            0, tmpArena);
+    if (subjectCerts) {
+	for (i=0, c = subjectCerts[i]; c; i++) {
+	    nssrv = callback(c, arg);
+	    if (nssrv != PR_SUCCESS) break;
+	}
+    }
+    nssArena_Destroy(tmpArena);
+    return nssrv;
+}
+
+/* CERT_TraversePermCertsForNickname */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_TraverseCertificatesByNickname (
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSArena *tmpArena;
+    NSSCertificate **nickCerts;
+    NSSCertificate *c;
+    PRIntn i;
+    tmpArena = NSSArena_Create();
+    if (!tmpArena) {
+        return PR_FAILURE;
+    }
+    nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
+                                                          0, tmpArena);
+    if (nickCerts) {
+	for (i=0, c = nickCerts[i]; c; i++) {
+	    nssrv = callback(c, arg);
+	    if (nssrv != PR_SUCCESS) break;
+	}
+    }
+    nssArena_Destroy(tmpArena);
+    return nssrv;
+}
+
+static void cert_dump_iter(const void *k, void *v, void *a)
+{
+    NSSCertificate *c = (NSSCertificate *)k;
+    CERTCertificate *cert = STAN_GetCERTCertificate(c);
+    printf("[%2d] \"%s\"\n", c->object.refCount, cert->subjectName);
+}
+
+void
+nss_DumpCertificateCacheInfo()
+{
+    NSSTrustDomain *td;
+    NSSCryptoContext *cc;
+    td = STAN_GetDefaultTrustDomain();
+    cc = STAN_GetDefaultCryptoContext();
+    printf("\n\nCertificates in the cache:\n");
+    nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
+    printf("\n\nCertificates in the temporary store:\n");
+    if (cc->certStore) {
+	nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
+    }
+}
+
diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h
new file mode 100644
index 000000000..4e28f7dae
--- /dev/null
+++ b/security/nss/lib/pki/pki3hack.h
@@ -0,0 +1,197 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKINSS3HACK_H
+#define PKINSS3HACK_H
+
+#ifdef DEBUG
+static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#include "base.h"
+
+#include "cert.h"
+
+PR_BEGIN_EXTERN_C
+
+#define NSSITEM_FROM_SECITEM(nssit, secit)  \
+    (nssit)->data = (void *)(secit)->data;  \
+    (nssit)->size = (PRUint32)(secit)->len;
+
+#define SECITEM_FROM_NSSITEM(secit, nssit)          \
+    (secit)->data = (unsigned char *)(nssit)->data; \
+    (secit)->len  = (unsigned int)(nssit)->size;
+
+NSS_EXTERN NSSTrustDomain *
+STAN_GetDefaultTrustDomain();
+
+NSS_EXTERN NSSCryptoContext *
+STAN_GetDefaultCryptoContext();
+
+NSS_EXTERN PRStatus
+STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot);
+
+NSS_EXTERN PRStatus
+STAN_ResetTokenInterator(NSSTrustDomain *td);
+
+NSS_EXTERN PRStatus
+STAN_LoadDefaultNSS3TrustDomain(void);
+
+NSS_EXTERN PRStatus
+STAN_Shutdown();
+
+NSS_EXTERN SECStatus
+STAN_AddModuleToDefaultTrustDomain(SECMODModule *module);
+
+NSS_EXTERN SECStatus
+STAN_RemoveModuleFromDefaultTrustDomain(SECMODModule *module);
+
+NSS_EXTERN CERTCertificate *
+STAN_ForceCERTCertificateUpdate(NSSCertificate *c);
+
+NSS_EXTERN CERTCertificate *
+STAN_GetCERTCertificate(NSSCertificate *c);
+
+NSS_EXTERN CERTCertificate *
+STAN_GetCERTCertificateOrRelease(NSSCertificate *c);
+
+NSS_EXTERN NSSCertificate *
+STAN_GetNSSCertificate(CERTCertificate *c);
+
+NSS_EXTERN CERTCertTrust * 
+nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc);
+
+NSS_EXTERN PRStatus
+STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);
+
+NSS_EXTERN PRStatus
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+                                     NSSDER *issuer, NSSDER *serial);
+
+NSS_EXTERN char *
+STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c);
+
+NSS_EXTERN char *
+STAN_GetCERTCertificateNameForInstance(PLArenaPool *arenaOpt,
+                                       NSSCertificate *c,
+                                       nssCryptokiInstance *instance);
+
+/* exposing this */
+NSS_EXTERN NSSCertificate *
+NSSCertificate_Create
+(
+  NSSArena *arenaOpt
+);
+
+/* This function is being put here because it is a hack for 
+ * PK11_FindCertFromNickname.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_FindBestCertificateByNicknameForToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/* This function is being put here because it is a hack for 
+ * PK11_FindCertsFromNickname.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_FindCertificatesByNicknameForToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/* CERT_TraversePermCertsForSubject */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* CERT_TraversePermCertsForNickname */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* SEC_TraversePermCerts */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* CERT_AddTempCertToPerm */
+NSS_EXTERN PRStatus
+nssTrustDomain_AddTempCertToPerm
+(
+  NSSCertificate *c
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKINSS3HACK_H */
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
new file mode 100644
index 000000000..db1672395
--- /dev/null
+++ b/security/nss/lib/pki/pkibase.c
@@ -0,0 +1,1264 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#include "pki3hack.h"
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT void
+nssPKIObject_Lock(nssPKIObject * object)
+{
+    switch (object->lockType) {
+    case nssPKIMonitor:
+        PZ_EnterMonitor(object->sync.mlock);
+        break;
+    case nssPKILock:
+        PZ_Lock(object->sync.lock);
+        break;
+    default:
+        PORT_Assert(0);
+    }
+}
+
+NSS_IMPLEMENT void
+nssPKIObject_Unlock(nssPKIObject * object)
+{
+    switch (object->lockType) {
+    case nssPKIMonitor:
+        PZ_ExitMonitor(object->sync.mlock);
+        break;
+    case nssPKILock:
+        PZ_Unlock(object->sync.lock);
+        break;
+    default:
+        PORT_Assert(0);
+    }
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObject_NewLock(nssPKIObject * object, nssPKILockType lockType)
+{
+    object->lockType = lockType;
+    switch (lockType) {
+    case nssPKIMonitor:
+        object->sync.mlock = PZ_NewMonitor(nssILockSSL);
+        return (object->sync.mlock ? PR_SUCCESS : PR_FAILURE);
+    case nssPKILock:
+        object->sync.lock = PZ_NewLock(nssILockSSL);
+        return (object->sync.lock ? PR_SUCCESS : PR_FAILURE);
+    default:
+        PORT_Assert(0);
+        return PR_FAILURE;
+    }
+}
+
+NSS_IMPLEMENT void
+nssPKIObject_DestroyLock(nssPKIObject * object)
+{
+    switch (object->lockType) {
+    case nssPKIMonitor:
+        PZ_DestroyMonitor(object->sync.mlock);
+        object->sync.mlock = NULL;
+        break;
+    case nssPKILock:
+        PZ_DestroyLock(object->sync.lock);
+        object->sync.lock = NULL;
+        break;
+    default:
+        PORT_Assert(0);
+    }
+}
+
+
+
+NSS_IMPLEMENT nssPKIObject *
+nssPKIObject_Create (
+  NSSArena *arenaOpt,
+  nssCryptokiObject *instanceOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc,
+  nssPKILockType lockType
+)
+{
+    NSSArena *arena;
+    nssArenaMark *mark = NULL;
+    nssPKIObject *object;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	mark = nssArena_Mark(arena);
+    } else {
+	arena = nssArena_Create();
+	if (!arena) {
+	    return (nssPKIObject *)NULL;
+	}
+    }
+    object = nss_ZNEW(arena, nssPKIObject);
+    if (!object) {
+	goto loser;
+    }
+    object->arena = arena;
+    object->trustDomain = td; /* XXX */
+    object->cryptoContext = cc;
+    if (PR_SUCCESS != nssPKIObject_NewLock(object, lockType)) {
+	goto loser;
+    }
+    if (instanceOpt) {
+	if (nssPKIObject_AddInstance(object, instanceOpt) != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+    PR_AtomicIncrement(&object->refCount);
+    if (mark) {
+	nssArena_Unmark(arena, mark);
+    }
+    return object;
+loser:
+    if (mark) {
+	nssArena_Release(arena, mark);
+    } else {
+	nssArena_Destroy(arena);
+    }
+    return (nssPKIObject *)NULL;
+}
+
+NSS_IMPLEMENT PRBool
+nssPKIObject_Destroy (
+  nssPKIObject *object
+)
+{
+    PRUint32 i;
+    PR_ASSERT(object->refCount > 0);
+    if (PR_AtomicDecrement(&object->refCount) == 0) {
+	for (i=0; i<object->numInstances; i++) {
+	    nssCryptokiObject_Destroy(object->instances[i]);
+	}
+	nssPKIObject_DestroyLock(object);
+	nssArena_Destroy(object->arena);
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT nssPKIObject *
+nssPKIObject_AddRef (
+  nssPKIObject *object
+)
+{
+    PR_AtomicIncrement(&object->refCount);
+    return object;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObject_AddInstance (
+  nssPKIObject *object,
+  nssCryptokiObject *instance
+)
+{
+    nssPKIObject_Lock(object);
+    if (object->numInstances == 0) {
+	object->instances = nss_ZNEWARRAY(object->arena,
+	                                  nssCryptokiObject *,
+	                                  object->numInstances + 1);
+    } else {
+	PRUint32 i;
+	for (i=0; i<object->numInstances; i++) {
+	    if (nssCryptokiObject_Equal(object->instances[i], instance)) {
+		nssPKIObject_Unlock(object);
+		if (instance->label) {
+		    if (!object->instances[i]->label ||
+		        !nssUTF8_Equal(instance->label,
+		                       object->instances[i]->label, NULL))
+		    {
+			/* Either the old instance did not have a label,
+			 * or the label has changed.
+			 */
+			nss_ZFreeIf(object->instances[i]->label);
+			object->instances[i]->label = instance->label;
+			instance->label = NULL;
+		    }
+		} else if (object->instances[i]->label) {
+		    /* The old label was removed */
+		    nss_ZFreeIf(object->instances[i]->label);
+		    object->instances[i]->label = NULL;
+		}
+		nssCryptokiObject_Destroy(instance);
+		return PR_SUCCESS;
+	    }
+	}
+	object->instances = nss_ZREALLOCARRAY(object->instances,
+	                                      nssCryptokiObject *,
+	                                      object->numInstances + 1);
+    }
+    if (!object->instances) {
+	nssPKIObject_Unlock(object);
+	return PR_FAILURE;
+    }
+    object->instances[object->numInstances++] = instance;
+    nssPKIObject_Unlock(object);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssPKIObject_HasInstance (
+  nssPKIObject *object,
+  nssCryptokiObject *instance
+)
+{
+    PRUint32 i;
+    PRBool hasIt = PR_FALSE;;
+    nssPKIObject_Lock(object);
+    for (i=0; i<object->numInstances; i++) {
+	if (nssCryptokiObject_Equal(object->instances[i], instance)) {
+	    hasIt = PR_TRUE;
+	    break;
+	}
+    }
+    nssPKIObject_Unlock(object);
+    return hasIt;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObject_RemoveInstanceForToken (
+  nssPKIObject *object,
+  NSSToken *token
+)
+{
+    PRUint32 i;
+    nssCryptokiObject *instanceToRemove = NULL;
+    nssPKIObject_Lock(object);
+    if (object->numInstances == 0) {
+	nssPKIObject_Unlock(object);
+	return PR_SUCCESS;
+    }
+    for (i=0; i<object->numInstances; i++) {
+	if (object->instances[i]->token == token) {
+	    instanceToRemove = object->instances[i];
+	    object->instances[i] = object->instances[object->numInstances-1];
+	    object->instances[object->numInstances-1] = NULL;
+	    break;
+	}
+    }
+    if (--object->numInstances > 0) {
+	nssCryptokiObject **instances = nss_ZREALLOCARRAY(object->instances,
+	                                      nssCryptokiObject *,
+	                                      object->numInstances);
+	if (instances) {
+	    object->instances = instances;
+	}
+    } else {
+	nss_ZFreeIf(object->instances);
+    }
+    nssCryptokiObject_Destroy(instanceToRemove);
+    nssPKIObject_Unlock(object);
+    return PR_SUCCESS;
+}
+
+/* this needs more thought on what will happen when there are multiple
+ * instances
+ */
+NSS_IMPLEMENT PRStatus
+nssPKIObject_DeleteStoredObject (
+  nssPKIObject *object,
+  NSSCallback *uhh,
+  PRBool isFriendly
+)
+{
+    PRUint32 i, numNotDestroyed;
+    PRStatus status = PR_SUCCESS;
+    numNotDestroyed = 0;
+    nssPKIObject_Lock(object);
+    for (i=0; i<object->numInstances; i++) {
+	nssCryptokiObject *instance = object->instances[i];
+	status = nssToken_DeleteStoredObject(instance);
+	object->instances[i] = NULL;
+	if (status == PR_SUCCESS) {
+	    nssCryptokiObject_Destroy(instance);
+	} else {
+	    object->instances[numNotDestroyed++] = instance;
+	}
+    }
+    if (numNotDestroyed == 0) {
+	nss_ZFreeIf(object->instances);
+	object->numInstances = 0;
+    } else {
+	object->numInstances = numNotDestroyed;
+    }
+    nssPKIObject_Unlock(object);
+    return status;
+}
+
+NSS_IMPLEMENT NSSToken **
+nssPKIObject_GetTokens (
+  nssPKIObject *object,
+  PRStatus *statusOpt
+)
+{
+    NSSToken **tokens = NULL;
+    nssPKIObject_Lock(object);
+    if (object->numInstances > 0) {
+	tokens = nss_ZNEWARRAY(NULL, NSSToken *, object->numInstances + 1);
+	if (tokens) {
+	    PRUint32 i;
+	    for (i=0; i<object->numInstances; i++) {
+		tokens[i] = nssToken_AddRef(object->instances[i]->token);
+	    }
+	}
+    }
+    nssPKIObject_Unlock(object);
+    if (statusOpt) *statusOpt = PR_SUCCESS; /* until more logic here */
+    return tokens;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIObject_GetNicknameForToken (
+  nssPKIObject *object,
+  NSSToken *tokenOpt
+)
+{
+    PRUint32 i;
+    NSSUTF8 *nickname = NULL;
+    nssPKIObject_Lock(object);
+    for (i=0; i<object->numInstances; i++) {
+	if ((!tokenOpt && object->instances[i]->label) ||
+	    (object->instances[i]->token == tokenOpt)) 
+	{
+            /* XXX should be copy? safe as long as caller has reference */
+	    nickname = object->instances[i]->label; 
+	    break;
+	}
+    }
+    nssPKIObject_Unlock(object);
+    return nickname;
+}
+
+NSS_IMPLEMENT nssCryptokiObject **
+nssPKIObject_GetInstances (
+  nssPKIObject *object
+)
+{
+    nssCryptokiObject **instances = NULL;
+    PRUint32 i;
+    if (object->numInstances == 0) {
+	return (nssCryptokiObject **)NULL;
+    }
+    nssPKIObject_Lock(object);
+    instances = nss_ZNEWARRAY(NULL, nssCryptokiObject *, 
+                              object->numInstances + 1);
+    if (instances) {
+	for (i=0; i<object->numInstances; i++) {
+	    instances[i] = nssCryptokiObject_Clone(object->instances[i]);
+	}
+    }
+    nssPKIObject_Unlock(object);
+    return instances;
+}
+
+NSS_IMPLEMENT void
+nssCertificateArray_Destroy (
+  NSSCertificate **certs
+)
+{
+    if (certs) {
+	NSSCertificate **certp;
+	for (certp = certs; *certp; certp++) {
+	    if ((*certp)->decoding) {
+		CERTCertificate *cc = STAN_GetCERTCertificate(*certp);
+		if (cc) {
+		    CERT_DestroyCertificate(cc);
+		}
+		continue;
+	    }
+	    nssCertificate_Destroy(*certp);
+	}
+	nss_ZFreeIf(certs);
+    }
+}
+
+NSS_IMPLEMENT void
+NSSCertificateArray_Destroy (
+  NSSCertificate **certs
+)
+{
+    nssCertificateArray_Destroy(certs);
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateArray_Join (
+  NSSCertificate **certs1,
+  NSSCertificate **certs2
+)
+{
+    if (certs1 && certs2) {
+	NSSCertificate **certs, **cp;
+	PRUint32 count = 0;
+	PRUint32 count1 = 0;
+	cp = certs1;
+	while (*cp++) count1++;
+	count = count1;
+	cp = certs2;
+	while (*cp++) count++;
+	certs = nss_ZREALLOCARRAY(certs1, NSSCertificate *, count + 1);
+	if (!certs) {
+	    nss_ZFreeIf(certs1);
+	    nss_ZFreeIf(certs2);
+	    return (NSSCertificate **)NULL;
+	}
+	for (cp = certs2; *cp; cp++, count1++) {
+	    certs[count1] = *cp;
+	}
+	nss_ZFreeIf(certs2);
+	return certs;
+    } else if (certs1) {
+	return certs1;
+    } else {
+	return certs2;
+    }
+}
+
+NSS_IMPLEMENT NSSCertificate * 
+nssCertificateArray_FindBestCertificate (
+  NSSCertificate **certs, 
+  NSSTime *timeOpt,
+  const NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    NSSCertificate *bestCert = NULL;
+    NSSTime *time, sTime;
+    PRBool haveUsageMatch = PR_FALSE;
+    PRBool thisCertMatches;
+
+    if (timeOpt) {
+	time = timeOpt;
+    } else {
+	NSSTime_Now(&sTime);
+	time = &sTime;
+    }
+    if (!certs) {
+	return (NSSCertificate *)NULL;
+    }
+    for (; *certs; certs++) {
+	nssDecodedCert *dc, *bestdc;
+	NSSCertificate *c = *certs;
+	dc = nssCertificate_GetDecoding(c);
+	if (!dc) continue;
+	thisCertMatches = dc->matchUsage(dc, usage);
+	if (!bestCert) {
+	    /* always take the first cert, but remember whether or not
+	     * the usage matched 
+	     */
+	    bestCert = nssCertificate_AddRef(c);
+	    haveUsageMatch = thisCertMatches;
+	    continue;
+	} else {
+	    if (haveUsageMatch && !thisCertMatches) {
+		/* if already have a cert for this usage, and if this cert 
+		 * doesn't have the correct usage, continue
+		 */
+		continue;
+	    } else if (!haveUsageMatch && thisCertMatches) {
+		/* this one does match usage, replace the other */
+		nssCertificate_Destroy(bestCert);
+		bestCert = nssCertificate_AddRef(c);
+		haveUsageMatch = PR_TRUE;
+		continue;
+	    }
+	    /* this cert match as well as any cert we've found so far, 
+	     * defer to time/policies 
+	     * */
+	}
+	bestdc = nssCertificate_GetDecoding(bestCert);
+	/* time */
+	if (bestdc->isValidAtTime(bestdc, time)) {
+	    /* The current best cert is valid at time */
+	    if (!dc->isValidAtTime(dc, time)) {
+		/* If the new cert isn't valid at time, it's not better */
+		continue;
+	    }
+	} else {
+	    /* The current best cert is not valid at time */
+	    if (dc->isValidAtTime(dc, time)) {
+		/* If the new cert is valid at time, it's better */
+		nssCertificate_Destroy(bestCert);
+		bestCert = nssCertificate_AddRef(c);
+	    }
+	}
+	/* either they are both valid at time, or neither valid; 
+	 * take the newer one
+	 */
+	if (!bestdc->isNewerThan(bestdc, dc)) {
+	    nssCertificate_Destroy(bestCert);
+	    bestCert = nssCertificate_AddRef(c);
+	}
+	/* policies */
+	/* XXX later -- defer to policies */
+    }
+    return bestCert;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCertificateArray_Traverse (
+  NSSCertificate **certs,
+  PRStatus (* callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus status = PR_SUCCESS;
+    if (certs) {
+	NSSCertificate **certp;
+	for (certp = certs; *certp; certp++) {
+	    status = (*callback)(*certp, arg);
+	    if (status != PR_SUCCESS) {
+		break;
+	    }
+	}
+    }
+    return status;
+}
+
+
+NSS_IMPLEMENT void
+nssCRLArray_Destroy (
+  NSSCRL **crls
+)
+{
+    if (crls) {
+	NSSCRL **crlp;
+	for (crlp = crls; *crlp; crlp++) {
+	    nssCRL_Destroy(*crlp);
+	}
+	nss_ZFreeIf(crls);
+    }
+}
+
+/*
+ * Object collections
+ */
+
+typedef enum
+{
+  pkiObjectType_Certificate = 0,
+  pkiObjectType_CRL = 1,
+  pkiObjectType_PrivateKey = 2,
+  pkiObjectType_PublicKey = 3
+} pkiObjectType;
+
+/* Each object is defined by a set of items that uniquely identify it.
+ * Here are the uid sets:
+ *
+ * NSSCertificate ==>  { issuer, serial }
+ * NSSPrivateKey
+ *         (RSA) ==> { modulus, public exponent }
+ *
+ */
+#define MAX_ITEMS_FOR_UID 2
+
+/* pkiObjectCollectionNode
+ *
+ * A node in the collection is the set of unique identifiers for a single
+ * object, along with either the actual object or a proto-object.
+ */
+typedef struct
+{
+  PRCList link;
+  PRBool haveObject;
+  nssPKIObject *object;
+  NSSItem uid[MAX_ITEMS_FOR_UID];
+} 
+pkiObjectCollectionNode;
+
+/* nssPKIObjectCollection
+ *
+ * The collection is the set of all objects, plus the interfaces needed
+ * to manage the objects.
+ *
+ */
+struct nssPKIObjectCollectionStr
+{
+  NSSArena *arena;
+  NSSTrustDomain *td;
+  NSSCryptoContext *cc;
+  PRCList head; /* list of pkiObjectCollectionNode's */
+  PRUint32 size;
+  pkiObjectType objectType;
+  void           (*      destroyObject)(nssPKIObject *o);
+  PRStatus       (*   getUIDFromObject)(nssPKIObject *o, NSSItem *uid);
+  PRStatus       (* getUIDFromInstance)(nssCryptokiObject *co, NSSItem *uid, 
+                                        NSSArena *arena);
+  nssPKIObject * (*       createObject)(nssPKIObject *o);
+  nssPKILockType lockType; /* type of lock to use for new proto-objects */
+};
+
+static nssPKIObjectCollection *
+nssPKIObjectCollection_Create (
+  NSSTrustDomain *td,
+  NSSCryptoContext *ccOpt,
+  nssPKILockType lockType
+)
+{
+    NSSArena *arena;
+    nssPKIObjectCollection *rvCollection = NULL;
+    arena = nssArena_Create();
+    if (!arena) {
+	return (nssPKIObjectCollection *)NULL;
+    }
+    rvCollection = nss_ZNEW(arena, nssPKIObjectCollection);
+    if (!rvCollection) {
+	goto loser;
+    }
+    PR_INIT_CLIST(&rvCollection->head);
+    rvCollection->arena = arena;
+    rvCollection->td = td; /* XXX */
+    rvCollection->cc = ccOpt;
+    rvCollection->lockType = lockType;
+    return rvCollection;
+loser:
+    nssArena_Destroy(arena);
+    return (nssPKIObjectCollection *)NULL;
+}
+
+NSS_IMPLEMENT void
+nssPKIObjectCollection_Destroy (
+  nssPKIObjectCollection *collection
+)
+{
+    if (collection) {
+	PRCList *link;
+	pkiObjectCollectionNode *node;
+	/* first destroy any objects in the collection */
+	link = PR_NEXT_LINK(&collection->head);
+	while (link != &collection->head) {
+	    node = (pkiObjectCollectionNode *)link;
+	    if (node->haveObject) {
+		(*collection->destroyObject)(node->object);
+	    } else {
+		nssPKIObject_Destroy(node->object);
+	    }
+	    link = PR_NEXT_LINK(link);
+	}
+	/* then destroy it */
+	nssArena_Destroy(collection->arena);
+    }
+}
+
+NSS_IMPLEMENT PRUint32
+nssPKIObjectCollection_Count (
+  nssPKIObjectCollection *collection
+)
+{
+    return collection->size;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObjectCollection_AddObject (
+  nssPKIObjectCollection *collection,
+  nssPKIObject *object
+)
+{
+    pkiObjectCollectionNode *node;
+    node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
+    if (!node) {
+	return PR_FAILURE;
+    }
+    node->haveObject = PR_TRUE;
+    node->object = nssPKIObject_AddRef(object);
+    (*collection->getUIDFromObject)(object, node->uid);
+    PR_INIT_CLIST(&node->link);
+    PR_INSERT_BEFORE(&node->link, &collection->head);
+    collection->size++;
+    return PR_SUCCESS;
+}
+
+static pkiObjectCollectionNode *
+find_instance_in_collection (
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject *instance
+)
+{
+    PRCList *link;
+    pkiObjectCollectionNode *node;
+    link = PR_NEXT_LINK(&collection->head);
+    while (link != &collection->head) {
+	node = (pkiObjectCollectionNode *)link;
+	if (nssPKIObject_HasInstance(node->object, instance)) {
+	    return node;
+	}
+	link = PR_NEXT_LINK(link);
+    }
+    return (pkiObjectCollectionNode *)NULL;
+}
+
+static pkiObjectCollectionNode *
+find_object_in_collection (
+  nssPKIObjectCollection *collection,
+  NSSItem *uid
+)
+{
+    PRUint32 i;
+    PRStatus status;
+    PRCList *link;
+    pkiObjectCollectionNode *node;
+    link = PR_NEXT_LINK(&collection->head);
+    while (link != &collection->head) {
+	node = (pkiObjectCollectionNode *)link;
+	for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
+	    if (!nssItem_Equal(&node->uid[i], &uid[i], &status)) {
+		break;
+	    }
+	}
+	if (i == MAX_ITEMS_FOR_UID) {
+	    return node;
+	}
+	link = PR_NEXT_LINK(link);
+    }
+    return (pkiObjectCollectionNode *)NULL;
+}
+
+static pkiObjectCollectionNode *
+add_object_instance (
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject *instance,
+  PRBool *foundIt
+)
+{
+    PRUint32 i;
+    PRStatus status;
+    pkiObjectCollectionNode *node;
+    nssArenaMark *mark = NULL;
+    NSSItem uid[MAX_ITEMS_FOR_UID];
+    nsslibc_memset(uid, 0, sizeof uid);
+    /* The list is traversed twice, first (here) looking to match the
+     * { token, handle } tuple, and if that is not found, below a search
+     * for unique identifier is done.  Here, a match means this exact object
+     * instance is already in the collection, and we have nothing to do.
+     */
+    *foundIt = PR_FALSE;
+    node = find_instance_in_collection(collection, instance);
+    if (node) {
+	/* The collection is assumed to take over the instance.  Since we
+	 * are not using it, it must be destroyed.
+	 */
+	nssCryptokiObject_Destroy(instance);
+	*foundIt = PR_TRUE;
+	return node;
+    }
+    mark = nssArena_Mark(collection->arena);
+    if (!mark) {
+	goto loser;
+    }
+    status = (*collection->getUIDFromInstance)(instance, uid, 
+                                               collection->arena);
+    if (status != PR_SUCCESS) {
+	goto loser;
+    }
+    /* Search for unique identifier.  A match here means the object exists 
+     * in the collection, but does not have this instance, so the instance 
+     * needs to be added.
+     */
+    node = find_object_in_collection(collection, uid);
+    if (node) {
+	/* This is an object with multiple instances */
+	status = nssPKIObject_AddInstance(node->object, instance);
+    } else {
+	/* This is a completely new object.  Create a node for it. */
+	node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
+	if (!node) {
+	    goto loser;
+	}
+	node->object = nssPKIObject_Create(NULL, instance, 
+	                                   collection->td, collection->cc,
+                                           collection->lockType);
+	if (!node->object) {
+	    goto loser;
+	}
+	for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
+	    node->uid[i] = uid[i];
+	}
+	node->haveObject = PR_FALSE;
+	PR_INIT_CLIST(&node->link);
+	PR_INSERT_BEFORE(&node->link, &collection->head);
+	collection->size++;
+	status = PR_SUCCESS;
+    }
+    nssArena_Unmark(collection->arena, mark);
+    return node;
+loser:
+    if (mark) {
+	nssArena_Release(collection->arena, mark);
+    }
+    nssCryptokiObject_Destroy(instance);
+    return (pkiObjectCollectionNode *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObjectCollection_AddInstances (
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject **instances,
+  PRUint32 numInstances
+)
+{
+    PRStatus status = PR_SUCCESS;
+    PRUint32 i = 0;
+    PRBool foundIt;
+    pkiObjectCollectionNode *node;
+    if (instances) {
+	while ((!numInstances || i < numInstances) && *instances) {
+	    if (status == PR_SUCCESS) {
+		node = add_object_instance(collection, *instances, &foundIt);
+		if (node == NULL) {
+		    /* add_object_instance freed the current instance */
+		    /* free the remaining instances */
+		    status = PR_FAILURE;
+		}
+	    } else {
+		nssCryptokiObject_Destroy(*instances);
+	    }
+	    instances++;
+	    i++;
+	}
+    }
+    return status;
+}
+
+static void
+nssPKIObjectCollection_RemoveNode (
+   nssPKIObjectCollection *collection,
+   pkiObjectCollectionNode *node
+)
+{
+    PR_REMOVE_LINK(&node->link); 
+    collection->size--;
+}
+
+static PRStatus
+nssPKIObjectCollection_GetObjects (
+  nssPKIObjectCollection *collection,
+  nssPKIObject **rvObjects,
+  PRUint32 rvSize
+)
+{
+    PRUint32 i = 0;
+    PRCList *link = PR_NEXT_LINK(&collection->head);
+    pkiObjectCollectionNode *node;
+    int error=0;
+    while ((i < rvSize) && (link != &collection->head)) {
+	node = (pkiObjectCollectionNode *)link;
+	if (!node->haveObject) {
+	    /* Convert the proto-object to an object */
+	    node->object = (*collection->createObject)(node->object);
+	    if (!node->object) {
+		link = PR_NEXT_LINK(link);
+		/*remove bogus object from list*/
+		nssPKIObjectCollection_RemoveNode(collection,node);
+		error++;
+		continue;
+	    }
+	    node->haveObject = PR_TRUE;
+	}
+	rvObjects[i++] = nssPKIObject_AddRef(node->object);
+	link = PR_NEXT_LINK(link);
+    }
+    if (!error && *rvObjects == NULL) {
+	nss_SetError(NSS_ERROR_NOT_FOUND);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObjectCollection_Traverse (
+  nssPKIObjectCollection *collection,
+  nssPKIObjectCallback *callback
+)
+{
+    PRStatus status;
+    PRCList *link = PR_NEXT_LINK(&collection->head);
+    pkiObjectCollectionNode *node;
+    while (link != &collection->head) {
+	node = (pkiObjectCollectionNode *)link;
+	if (!node->haveObject) {
+	    node->object = (*collection->createObject)(node->object);
+	    if (!node->object) {
+		link = PR_NEXT_LINK(link);
+		/*remove bogus object from list*/
+		nssPKIObjectCollection_RemoveNode(collection,node);
+		continue;
+	    }
+	    node->haveObject = PR_TRUE;
+	}
+	switch (collection->objectType) {
+	case pkiObjectType_Certificate: 
+	    status = (*callback->func.cert)((NSSCertificate *)node->object, 
+	                                    callback->arg);
+	    break;
+	case pkiObjectType_CRL: 
+	    status = (*callback->func.crl)((NSSCRL *)node->object, 
+	                                   callback->arg);
+	    break;
+	case pkiObjectType_PrivateKey: 
+	    status = (*callback->func.pvkey)((NSSPrivateKey *)node->object, 
+	                                     callback->arg);
+	    break;
+	case pkiObjectType_PublicKey: 
+	    status = (*callback->func.pbkey)((NSSPublicKey *)node->object, 
+	                                     callback->arg);
+	    break;
+	}
+	link = PR_NEXT_LINK(link);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssPKIObjectCollection_AddInstanceAsObject (
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject *instance
+)
+{
+    pkiObjectCollectionNode *node;
+    PRBool foundIt;
+    node = add_object_instance(collection, instance, &foundIt);
+    if (node == NULL) {
+	return PR_FAILURE;
+    }
+    if (!node->haveObject) {
+	node->object = (*collection->createObject)(node->object);
+	if (!node->object) {
+	    /*remove bogus object from list*/
+	    nssPKIObjectCollection_RemoveNode(collection,node);
+	    return PR_FAILURE;
+	}
+	node->haveObject = PR_TRUE;
+    } else if (!foundIt) {
+	/* The instance was added to a pre-existing node.  This
+	 * function is *only* being used for certificates, and having
+	 * multiple instances of certs in 3.X requires updating the
+	 * CERTCertificate.
+	 * But only do it if it was a new instance!!!  If the same instance
+	 * is encountered, we set *foundIt to true.  Detect that here and
+	 * ignore it.
+	 */
+	STAN_ForceCERTCertificateUpdate((NSSCertificate *)node->object);
+    }
+    return PR_SUCCESS;
+}
+
+/*
+ * Certificate collections
+ */
+
+static void
+cert_destroyObject(nssPKIObject *o)
+{
+    NSSCertificate *c = (NSSCertificate *)o;
+    if (c->decoding) {
+	CERTCertificate *cc = STAN_GetCERTCertificate(c);
+	if (cc) {
+	    CERT_DestroyCertificate(cc);
+	    return;
+	} /* else destroy it as NSSCertificate below */
+    }
+    nssCertificate_Destroy(c);
+}
+
+static PRStatus
+cert_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
+{
+    NSSCertificate *c = (NSSCertificate *)o;
+    /* The builtins are still returning decoded serial numbers.  Until
+     * this compatibility issue is resolved, use the full DER of the
+     * cert to uniquely identify it.
+     */
+    NSSDER *derCert;
+    derCert = nssCertificate_GetEncoding(c);
+    uid[0].data = NULL; uid[0].size = 0;
+    uid[1].data = NULL; uid[1].size = 0;
+    if (derCert != NULL) {
+	uid[0] = *derCert;
+    }
+    return PR_SUCCESS;
+}
+
+static PRStatus
+cert_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
+                        NSSArena *arena)
+{
+    /* The builtins are still returning decoded serial numbers.  Until
+     * this compatibility issue is resolved, use the full DER of the
+     * cert to uniquely identify it.
+     */
+    uid[1].data = NULL; uid[1].size = 0;
+    return nssCryptokiCertificate_GetAttributes(instance,
+                                                NULL,  /* XXX sessionOpt */
+                                                arena, /* arena    */
+                                                NULL,  /* type     */
+                                                NULL,  /* id       */
+                                                &uid[0], /* encoding */
+                                                NULL,  /* issuer   */
+                                                NULL,  /* serial   */
+                                                NULL);  /* subject  */
+}
+
+static nssPKIObject *
+cert_createObject(nssPKIObject *o)
+{
+    NSSCertificate *cert;
+    cert = nssCertificate_Create(o);
+/*    if (STAN_GetCERTCertificate(cert) == NULL) {
+	nssCertificate_Destroy(cert);
+	return (nssPKIObject *)NULL;
+    } */
+    /* In 3.4, have to maintain uniqueness of cert pointers by caching all
+     * certs.  Cache the cert here, before returning.  If it is already
+     * cached, take the cached entry.
+     */
+    {
+	NSSTrustDomain *td = o->trustDomain;
+	nssTrustDomain_AddCertsToCache(td, &cert, 1);
+    }
+    return (nssPKIObject *)cert;
+}
+
+NSS_IMPLEMENT nssPKIObjectCollection *
+nssCertificateCollection_Create (
+  NSSTrustDomain *td,
+  NSSCertificate **certsOpt
+)
+{
+    PRStatus status;
+    nssPKIObjectCollection *collection;
+    collection = nssPKIObjectCollection_Create(td, NULL, nssPKIMonitor);
+    collection->objectType = pkiObjectType_Certificate;
+    collection->destroyObject = cert_destroyObject;
+    collection->getUIDFromObject = cert_getUIDFromObject;
+    collection->getUIDFromInstance = cert_getUIDFromInstance;
+    collection->createObject = cert_createObject;
+    if (certsOpt) {
+	for (; *certsOpt; certsOpt++) {
+	    nssPKIObject *object = (nssPKIObject *)(*certsOpt);
+	    status = nssPKIObjectCollection_AddObject(collection, object);
+	}
+    }
+    return collection;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssPKIObjectCollection_GetCertificates (
+  nssPKIObjectCollection *collection,
+  NSSCertificate **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    PRStatus status;
+    PRUint32 rvSize;
+    PRBool allocated = PR_FALSE;
+    if (collection->size == 0) {
+	return (NSSCertificate **)NULL;
+    }
+    if (maximumOpt == 0) {
+	rvSize = collection->size;
+    } else {
+	rvSize = PR_MIN(collection->size, maximumOpt);
+    }
+    if (!rvOpt) {
+	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, rvSize + 1);
+	if (!rvOpt) {
+	    return (NSSCertificate **)NULL;
+	}
+	allocated = PR_TRUE;
+    }
+    status = nssPKIObjectCollection_GetObjects(collection, 
+                                               (nssPKIObject **)rvOpt, 
+                                               rvSize);
+    if (status != PR_SUCCESS) {
+	if (allocated) {
+	    nss_ZFreeIf(rvOpt);
+	}
+	return (NSSCertificate **)NULL;
+    }
+    return rvOpt;
+}
+
+/*
+ * CRL/KRL collections
+ */
+
+static void
+crl_destroyObject(nssPKIObject *o)
+{
+    NSSCRL *crl = (NSSCRL *)o;
+    nssCRL_Destroy(crl);
+}
+
+static PRStatus
+crl_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
+{
+    NSSCRL *crl = (NSSCRL *)o;
+    NSSDER *encoding;
+    encoding = nssCRL_GetEncoding(crl);
+    if (!encoding) {
+        nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+        return PR_FALSE;
+    }
+    uid[0] = *encoding;
+    uid[1].data = NULL; uid[1].size = 0;
+    return PR_SUCCESS;
+}
+
+static PRStatus
+crl_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
+                       NSSArena *arena)
+{
+    return nssCryptokiCRL_GetAttributes(instance,
+                                        NULL,    /* XXX sessionOpt */
+                                        arena,   /* arena    */
+                                        &uid[0], /* encoding */
+                                        NULL,    /* subject  */
+                                        NULL,    /* class    */
+                                        NULL,    /* url      */
+                                        NULL);   /* isKRL    */
+}
+
+static nssPKIObject *
+crl_createObject(nssPKIObject *o)
+{
+    return (nssPKIObject *)nssCRL_Create(o);
+}
+
+NSS_IMPLEMENT nssPKIObjectCollection *
+nssCRLCollection_Create (
+  NSSTrustDomain *td,
+  NSSCRL **crlsOpt
+)
+{
+    PRStatus status;
+    nssPKIObjectCollection *collection;
+    collection = nssPKIObjectCollection_Create(td, NULL, nssPKILock);
+    collection->objectType = pkiObjectType_CRL;
+    collection->destroyObject = crl_destroyObject;
+    collection->getUIDFromObject = crl_getUIDFromObject;
+    collection->getUIDFromInstance = crl_getUIDFromInstance;
+    collection->createObject = crl_createObject;
+    if (crlsOpt) {
+	for (; *crlsOpt; crlsOpt++) {
+	    nssPKIObject *object = (nssPKIObject *)(*crlsOpt);
+	    status = nssPKIObjectCollection_AddObject(collection, object);
+	}
+    }
+    return collection;
+}
+
+NSS_IMPLEMENT NSSCRL **
+nssPKIObjectCollection_GetCRLs (
+  nssPKIObjectCollection *collection,
+  NSSCRL **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    PRStatus status;
+    PRUint32 rvSize;
+    PRBool allocated = PR_FALSE;
+    if (collection->size == 0) {
+	return (NSSCRL **)NULL;
+    }
+    if (maximumOpt == 0) {
+	rvSize = collection->size;
+    } else {
+	rvSize = PR_MIN(collection->size, maximumOpt);
+    }
+    if (!rvOpt) {
+	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCRL *, rvSize + 1);
+	if (!rvOpt) {
+	    return (NSSCRL **)NULL;
+	}
+	allocated = PR_TRUE;
+    }
+    status = nssPKIObjectCollection_GetObjects(collection, 
+                                               (nssPKIObject **)rvOpt, 
+                                               rvSize);
+    if (status != PR_SUCCESS) {
+	if (allocated) {
+	    nss_ZFreeIf(rvOpt);
+	}
+	return (NSSCRL **)NULL;
+    }
+    return rvOpt;
+}
+
+/* how bad would it be to have a static now sitting around, updated whenever
+ * this was called?  would avoid repeated allocs...
+ */
+NSS_IMPLEMENT NSSTime *
+NSSTime_Now (
+  NSSTime *timeOpt
+)
+{
+    return NSSTime_SetPRTime(timeOpt, PR_Now());
+}
+
+NSS_IMPLEMENT NSSTime *
+NSSTime_SetPRTime (
+  NSSTime *timeOpt,
+  PRTime prTime
+)
+{
+    NSSTime *rvTime;
+    rvTime = (timeOpt) ? timeOpt : nss_ZNEW(NULL, NSSTime);
+    rvTime->prTime = prTime;
+    return rvTime;
+}
+
+NSS_IMPLEMENT PRTime
+NSSTime_GetPRTime (
+  NSSTime *time
+)
+{
+  return time->prTime;
+}
+
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
new file mode 100644
index 000000000..0b2655f61
--- /dev/null
+++ b/security/nss/lib/pki/pkim.h
@@ -0,0 +1,731 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKIM_H
+#define PKIM_H
+
+#ifdef DEBUG
+static const char PKIM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef PKITM_H
+#include "pkitm.h"
+#endif /* PKITM_H */
+
+PR_BEGIN_EXTERN_C
+
+/* nssPKIObject
+ *
+ * This is the base object class, common to all PKI objects defined in
+ * in this module.  Each object can be safely 'casted' to an nssPKIObject,
+ * then passed to these methods.
+ *
+ * nssPKIObject_Create
+ * nssPKIObject_Destroy
+ * nssPKIObject_AddRef
+ * nssPKIObject_AddInstance
+ * nssPKIObject_HasInstance
+ * nssPKIObject_GetTokens
+ * nssPKIObject_GetNicknameForToken
+ * nssPKIObject_RemoveInstanceForToken
+ * nssPKIObject_DeleteStoredObject
+ */
+
+NSS_EXTERN void     nssPKIObject_Lock       (nssPKIObject * object);
+NSS_EXTERN void     nssPKIObject_Unlock     (nssPKIObject * object);
+NSS_EXTERN PRStatus nssPKIObject_NewLock    (nssPKIObject * object,
+                                             nssPKILockType lockType);
+NSS_EXTERN void     nssPKIObject_DestroyLock(nssPKIObject * object);
+
+/* nssPKIObject_Create
+ *
+ * A generic PKI object.  It must live in a trust domain.  It may be
+ * initialized with a token instance, or alternatively in a crypto context.
+ */
+NSS_EXTERN nssPKIObject *
+nssPKIObject_Create
+(
+  NSSArena *arenaOpt,
+  nssCryptokiObject *instanceOpt,
+  NSSTrustDomain *td,
+  NSSCryptoContext *ccOpt,
+  nssPKILockType lockType
+);
+
+/* nssPKIObject_AddRef
+ */
+NSS_EXTERN nssPKIObject *
+nssPKIObject_AddRef
+(
+  nssPKIObject *object
+);
+
+/* nssPKIObject_Destroy
+ *
+ * Returns true if object was destroyed.  This notifies the subclass that
+ * all references are gone and it should delete any members it owns.
+ */
+NSS_EXTERN PRBool
+nssPKIObject_Destroy
+(
+  nssPKIObject *object
+);
+
+/* nssPKIObject_AddInstance
+ *
+ * Add a token instance to the object, if it does not have it already.
+ */
+NSS_EXTERN PRStatus
+nssPKIObject_AddInstance
+(
+  nssPKIObject *object,
+  nssCryptokiObject *instance
+);
+
+/* nssPKIObject_HasInstance
+ *
+ * Query the object for a token instance.
+ */
+NSS_EXTERN PRBool
+nssPKIObject_HasInstance
+(
+  nssPKIObject *object,
+  nssCryptokiObject *instance
+);
+
+/* nssPKIObject_GetTokens
+ *
+ * Get all tokens which have an instance of the object.
+ */
+NSS_EXTERN NSSToken **
+nssPKIObject_GetTokens
+(
+  nssPKIObject *object,
+  PRStatus *statusOpt
+);
+
+/* nssPKIObject_GetNicknameForToken
+ *
+ * tokenOpt == NULL means take the first available, otherwise return the
+ * nickname for the specified token.
+ */
+NSS_EXTERN NSSUTF8 *
+nssPKIObject_GetNicknameForToken
+(
+  nssPKIObject *object,
+  NSSToken *tokenOpt
+);
+
+/* nssPKIObject_RemoveInstanceForToken
+ *
+ * Remove the instance of the object on the specified token.
+ */
+NSS_EXTERN PRStatus
+nssPKIObject_RemoveInstanceForToken
+(
+  nssPKIObject *object,
+  NSSToken *token
+);
+
+/* nssPKIObject_DeleteStoredObject
+ *
+ * Delete all token instances of the object, as well as any crypto context
+ * instances (TODO).  If any of the instances are read-only, or if the
+ * removal fails, the object will keep those instances.  'isFriendly' refers
+ * to the object -- can this object be removed from a friendly token without
+ * login?  For example, certificates are friendly, private keys are not.
+ * Note that if the token is not friendly, authentication will be required
+ * regardless of the value of 'isFriendly'.
+ */
+NSS_EXTERN PRStatus
+nssPKIObject_DeleteStoredObject
+(
+  nssPKIObject *object,
+  NSSCallback *uhh,
+  PRBool isFriendly
+);
+
+NSS_EXTERN nssCryptokiObject **
+nssPKIObject_GetInstances
+(
+  nssPKIObject *object
+);
+
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_FindCertificatesByID
+(
+  NSSTrustDomain *td,
+  NSSItem *id,
+  NSSCertificate **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCRL **
+nssTrustDomain_FindCRLsBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject
+);
+
+/* module-private nsspki methods */
+
+NSS_EXTERN NSSCryptoContext *
+nssCryptoContext_Create
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+);
+
+/* XXX for the collection */
+NSS_EXTERN NSSCertificate *
+nssCertificate_Create
+(
+  nssPKIObject *object
+);
+
+NSS_EXTERN PRStatus
+nssCertificate_SetCertTrust
+(
+  NSSCertificate *c,
+  NSSTrust *trust
+);
+
+NSS_EXTERN nssDecodedCert *
+nssCertificate_GetDecoding
+(
+  NSSCertificate *c
+);
+
+extern PRIntn
+nssCertificate_SubjectListSort
+(
+  void *v1,
+  void *v2
+);
+
+NSS_EXTERN nssDecodedCert *
+nssDecodedCert_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding,
+  NSSCertificateType type
+);
+
+NSS_EXTERN PRStatus
+nssDecodedCert_Destroy
+(
+  nssDecodedCert *dc
+);
+
+NSS_EXTERN NSSTrust *
+nssTrust_Create
+(
+  nssPKIObject *object,
+  NSSItem *certData
+);
+
+NSS_EXTERN NSSCRL *
+nssCRL_Create
+(
+  nssPKIObject *object
+);
+
+NSS_EXTERN NSSCRL *
+nssCRL_AddRef
+(
+  NSSCRL *crl
+);
+
+NSS_EXTERN PRStatus
+nssCRL_Destroy
+(
+  NSSCRL *crl
+);
+
+NSS_EXTERN PRStatus
+nssCRL_DeleteStoredObject
+(
+  NSSCRL *crl,
+  NSSCallback *uhh
+);
+
+NSS_EXTERN NSSPrivateKey *
+nssPrivateKey_Create
+(
+  nssPKIObject *o
+);
+
+NSS_EXTERN NSSDER *
+nssCRL_GetEncoding
+(
+  NSSCRL *crl
+);
+
+NSS_EXTERN NSSPublicKey *
+nssPublicKey_Create
+(
+  nssPKIObject *object
+);
+
+/* nssCertificateArray
+ *
+ * These are being thrown around a lot, might as well group together some
+ * functionality.
+ *
+ * nssCertificateArray_Destroy
+ * nssCertificateArray_Join
+ * nssCertificateArray_FindBestCertificate
+ * nssCertificateArray_Traverse
+ */
+
+/* nssCertificateArray_Destroy
+ *
+ * Will destroy the array and the certs within it.  If the array was created
+ * in an arena, will *not* (of course) destroy the arena.  However, is safe
+ * to call this method on an arena-allocated array.
+ */
+NSS_EXTERN void
+nssCertificateArray_Destroy
+(
+  NSSCertificate **certs
+);
+
+/* nssCertificateArray_Join
+ *
+ * Join two arrays into one.  The two arrays, certs1 and certs2, should
+ * be considered invalid after a call to this function (they may be destroyed
+ * as part of the join).  certs1 and/or certs2 may be NULL.  Safe to
+ * call with arrays allocated in an arena, the result will also be in the
+ * arena.
+ */
+NSS_EXTERN NSSCertificate **
+nssCertificateArray_Join
+(
+  NSSCertificate **certs1,
+  NSSCertificate **certs2
+);
+
+/* nssCertificateArray_FindBestCertificate
+ *
+ * Use the usual { time, usage, policies } to find the best cert in the
+ * array.
+ */
+NSS_EXTERN NSSCertificate * 
+nssCertificateArray_FindBestCertificate
+(
+  NSSCertificate **certs, 
+  NSSTime *timeOpt,
+  const NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/* nssCertificateArray_Traverse
+ *
+ * Do the callback for each cert, terminate the traversal if the callback
+ * fails.
+ */
+NSS_EXTERN PRStatus
+nssCertificateArray_Traverse
+(
+  NSSCertificate **certs,
+  PRStatus (* callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+NSS_EXTERN void
+nssCRLArray_Destroy
+(
+  NSSCRL **crls
+);
+
+/* nssPKIObjectCollection
+ *
+ * This is a handy way to group objects together and perform operations
+ * on them.  It can also handle "proto-objects"-- references to
+ * objects instances on tokens, where the actual object hasn't 
+ * been formed yet.
+ *
+ * nssCertificateCollection_Create
+ * nssPrivateKeyCollection_Create
+ * nssPublicKeyCollection_Create
+ *
+ * If this was a language that provided for inheritance, each type would
+ * inherit all of the following methods.  Instead, there is only one
+ * type (nssPKIObjectCollection), shared among all.  This may cause
+ * confusion; an alternative would be to define all of the methods
+ * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't
+ * seem worth the code bloat..  It is left up to the caller to remember 
+ * what type of collection he/she is dealing with.
+ *
+ * nssPKIObjectCollection_Destroy
+ * nssPKIObjectCollection_Count
+ * nssPKIObjectCollection_AddObject
+ * nssPKIObjectCollection_AddInstances
+ * nssPKIObjectCollection_Traverse
+ *
+ * Back to type-specific methods.
+ *
+ * nssPKIObjectCollection_GetCertificates
+ * nssPKIObjectCollection_GetCRLs
+ * nssPKIObjectCollection_GetPrivateKeys
+ * nssPKIObjectCollection_GetPublicKeys
+ */
+
+/* nssCertificateCollection_Create
+ *
+ * Create a collection of certificates in the specified trust domain.
+ * Optionally provide a starting set of certs.
+ */
+NSS_EXTERN nssPKIObjectCollection *
+nssCertificateCollection_Create
+(
+  NSSTrustDomain *td,
+  NSSCertificate **certsOpt
+);
+
+/* nssCRLCollection_Create
+ *
+ * Create a collection of CRLs/KRLs in the specified trust domain.
+ * Optionally provide a starting set of CRLs.
+ */
+NSS_EXTERN nssPKIObjectCollection *
+nssCRLCollection_Create
+(
+  NSSTrustDomain *td,
+  NSSCRL **crlsOpt
+);
+
+/* nssPrivateKeyCollection_Create
+ *
+ * Create a collection of private keys in the specified trust domain.
+ * Optionally provide a starting set of keys.
+ */
+NSS_EXTERN nssPKIObjectCollection *
+nssPrivateKeyCollection_Create
+(
+  NSSTrustDomain *td,
+  NSSPrivateKey **pvkOpt
+);
+
+/* nssPublicKeyCollection_Create
+ *
+ * Create a collection of public keys in the specified trust domain.
+ * Optionally provide a starting set of keys.
+ */
+NSS_EXTERN nssPKIObjectCollection *
+nssPublicKeyCollection_Create
+(
+  NSSTrustDomain *td,
+  NSSPublicKey **pvkOpt
+);
+
+/* nssPKIObjectCollection_Destroy
+ */
+NSS_EXTERN void
+nssPKIObjectCollection_Destroy
+(
+  nssPKIObjectCollection *collection
+);
+
+/* nssPKIObjectCollection_Count
+ */
+NSS_EXTERN PRUint32
+nssPKIObjectCollection_Count
+(
+  nssPKIObjectCollection *collection
+);
+
+NSS_EXTERN PRStatus
+nssPKIObjectCollection_AddObject
+(
+  nssPKIObjectCollection *collection,
+  nssPKIObject *object
+);
+
+/* nssPKIObjectCollection_AddInstances
+ *
+ * Add a set of object instances to the collection.  The instances
+ * will be sorted into any existing certs/proto-certs that may be in
+ * the collection.  The instances will be absorbed by the collection,
+ * the array should not be used after this call (except to free it).
+ *
+ * Failure means the collection is in an invalid state.
+ *
+ * numInstances = 0 means the array is NULL-terminated
+ */
+NSS_EXTERN PRStatus
+nssPKIObjectCollection_AddInstances
+(
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject **instances,
+  PRUint32 numInstances
+);
+
+/* nssPKIObjectCollection_Traverse
+ */
+NSS_EXTERN PRStatus
+nssPKIObjectCollection_Traverse
+(
+  nssPKIObjectCollection *collection,
+  nssPKIObjectCallback *callback
+);
+
+/* This function is being added for NSS 3.5.  It corresponds to the function
+ * nssToken_TraverseCertificates.  The idea is to use the collection during
+ * a traversal, creating certs each time a new instance is added for which
+ * a cert does not already exist.
+ */
+NSS_EXTERN PRStatus
+nssPKIObjectCollection_AddInstanceAsObject
+(
+  nssPKIObjectCollection *collection,
+  nssCryptokiObject *instance
+);
+
+/* nssPKIObjectCollection_GetCertificates
+ *
+ * Get all of the certificates in the collection. 
+ */
+NSS_EXTERN NSSCertificate **
+nssPKIObjectCollection_GetCertificates
+(
+  nssPKIObjectCollection *collection,
+  NSSCertificate **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCRL **
+nssPKIObjectCollection_GetCRLs
+(
+  nssPKIObjectCollection *collection,
+  NSSCRL **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSPrivateKey **
+nssPKIObjectCollection_GetPrivateKeys
+(
+  nssPKIObjectCollection *collection,
+  NSSPrivateKey **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSPublicKey **
+nssPKIObjectCollection_GetPublicKeys
+(
+  nssPKIObjectCollection *collection,
+  NSSPublicKey **rvOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSTime *
+NSSTime_Now
+(
+  NSSTime *timeOpt
+);
+
+NSS_EXTERN NSSTime *
+NSSTime_SetPRTime
+(
+  NSSTime *timeOpt,
+  PRTime prTime
+);
+
+NSS_EXTERN PRTime
+NSSTime_GetPRTime
+(
+  NSSTime *time
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateCertificate
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+/* 3.4 Certificate cache routines */
+
+NSS_EXTERN PRStatus
+nssTrustDomain_InitializeCache
+(
+  NSSTrustDomain *td,
+  PRUint32 cacheSize
+);
+
+NSS_EXTERN PRStatus
+nssTrustDomain_AddCertsToCache
+(
+  NSSTrustDomain *td,
+  NSSCertificate **certs,
+  PRUint32 numCerts
+);
+
+NSS_EXTERN void
+nssTrustDomain_RemoveCertFromCacheLOCKED (
+  NSSTrustDomain *td,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN void
+nssTrustDomain_LockCertCache (
+  NSSTrustDomain *td
+);
+
+NSS_EXTERN void
+nssTrustDomain_UnlockCertCache (
+  NSSTrustDomain *td
+);
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_DestroyCache
+(
+  NSSTrustDomain *td
+);
+
+/* 
+ * Remove all certs for the given token from the cache.  This is
+ * needed if the token is removed.
+ */
+NSS_EXTERN PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+NSS_EXTERN PRStatus
+nssTrustDomain_UpdateCachedTokenCerts
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+/*
+ * Find all cached certs with this nickname (label).
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForNicknameFromCache
+(
+  NSSTrustDomain *td,
+  const NSSUTF8 *nickname,
+  nssList *certListOpt
+);
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForEmailAddressFromCache
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  nssList *certListOpt
+);
+
+/*
+ * Find all cached certs with this subject.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForSubjectFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  nssList *certListOpt
+);
+
+/*
+ * Look for a specific cert in the cache.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_GetCertForIssuerAndSNFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serialNum
+);
+
+/*
+ * Look for a specific cert in the cache.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_GetCertByDERFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *der
+);
+
+/* Get all certs from the cache */
+/* XXX this is being included to make some old-style calls word, not to
+ *     say we should keep it
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsFromCache
+(
+  NSSTrustDomain *td,
+  nssList *certListOpt
+);
+
+NSS_EXTERN void
+nssTrustDomain_DumpCacheInfo
+(
+  NSSTrustDomain *td,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+);
+
+NSS_EXTERN void
+nssCertificateList_AddReferences
+(
+  nssList *certList
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKIM_H */
diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c
new file mode 100644
index 000000000..30783762b
--- /dev/null
+++ b/security/nss/lib/pki/pkistore.c
@@ -0,0 +1,766 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKISTORE_H
+#include "pkistore.h"
+#endif /* PKISTORE_H */
+
+#include "cert.h"
+
+#include "prbit.h"
+
+/* 
+ * Certificate Store
+ *
+ * This differs from the cache in that it is a true storage facility.  Items
+ * stay in until they are explicitly removed.  It is only used by crypto
+ * contexts at this time, but may be more generally useful...
+ *
+ */
+
+struct nssCertificateStoreStr 
+{
+    PRBool i_alloced_arena;
+    NSSArena *arena;
+    PZLock *lock;
+    nssHash *subject;
+    nssHash *issuer_and_serial;
+};
+
+typedef struct certificate_hash_entry_str certificate_hash_entry;
+
+struct certificate_hash_entry_str
+{
+    NSSCertificate *cert;
+    NSSTrust *trust;
+    nssSMIMEProfile *profile;
+};
+
+/* forward static declarations */
+static NSSCertificate *
+nssCertStore_FindCertByIssuerAndSerialNumberLocked (
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+);
+
+NSS_IMPLEMENT nssCertificateStore *
+nssCertificateStore_Create (
+  NSSArena *arenaOpt
+)
+{
+    NSSArena *arena;
+    nssCertificateStore *store;
+    PRBool i_alloced_arena;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	i_alloced_arena = PR_FALSE;
+    } else {
+	arena = nssArena_Create();
+	if (!arena) {
+	    return NULL;
+	}
+	i_alloced_arena = PR_TRUE;
+    }
+    store = nss_ZNEW(arena, nssCertificateStore);
+    if (!store) {
+	goto loser;
+    }
+    store->lock = PZ_NewLock(nssILockOther);
+    if (!store->lock) {
+	goto loser;
+    }
+    /* Create the issuer/serial --> {cert, trust, S/MIME profile } hash */
+    store->issuer_and_serial = nssHash_CreateCertificate(arena, 0);
+    if (!store->issuer_and_serial) {
+	goto loser;
+    }
+    /* Create the subject DER --> subject list hash */
+    store->subject = nssHash_CreateItem(arena, 0);
+    if (!store->subject) {
+	goto loser;
+    }
+    store->arena = arena;
+    store->i_alloced_arena = i_alloced_arena;
+    return store;
+loser:
+    if (store) {
+	if (store->lock) {
+	    PZ_DestroyLock(store->lock);
+	}
+	if (store->issuer_and_serial) {
+	    nssHash_Destroy(store->issuer_and_serial);
+	}
+	if (store->subject) {
+	    nssHash_Destroy(store->subject);
+	}
+    }
+    if (i_alloced_arena) {
+	nssArena_Destroy(arena);
+    }
+    return NULL;
+}
+
+extern const NSSError NSS_ERROR_BUSY;
+
+NSS_IMPLEMENT PRStatus
+nssCertificateStore_Destroy (
+  nssCertificateStore *store
+)
+{
+    if (nssHash_Count(store->issuer_and_serial) > 0) {
+	nss_SetError(NSS_ERROR_BUSY);
+	return PR_FAILURE;
+    }
+    PZ_DestroyLock(store->lock);
+    nssHash_Destroy(store->issuer_and_serial);
+    nssHash_Destroy(store->subject);
+    if (store->i_alloced_arena) {
+	nssArena_Destroy(store->arena);
+    } else {
+	nss_ZFreeIf(store);
+    }
+    return PR_SUCCESS;
+}
+
+static PRStatus
+add_certificate_entry (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv;
+    certificate_hash_entry *entry;
+    entry = nss_ZNEW(cert->object.arena, certificate_hash_entry);
+    if (!entry) {
+	return PR_FAILURE;
+    }
+    entry->cert = cert;
+    nssrv = nssHash_Add(store->issuer_and_serial, cert, entry);
+    if (nssrv != PR_SUCCESS) {
+	nss_ZFreeIf(entry);
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_subject_entry (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv;
+    nssList *subjectList;
+    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
+    if (subjectList) {
+	/* The subject is already in, add this cert to the list */
+	nssrv = nssList_AddUnique(subjectList, cert);
+    } else {
+	/* Create a new subject list for the subject */
+	subjectList = nssList_Create(NULL, PR_FALSE);
+	if (!subjectList) {
+	    return PR_FAILURE;
+	}
+	nssList_SetSortFunction(subjectList, nssCertificate_SubjectListSort);
+	/* Add the cert entry to this list of subjects */
+	nssrv = nssList_Add(subjectList, cert);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	/* Add the subject list to the cache */
+	nssrv = nssHash_Add(store->subject, &cert->subject, subjectList);
+    }
+    return nssrv;
+}
+
+/* declared below */
+static void
+remove_certificate_entry (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+/* Caller must hold store->lock */
+static PRStatus
+nssCertificateStore_AddLocked (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv = add_certificate_entry(store, cert);
+    if (nssrv == PR_SUCCESS) {
+	nssrv = add_subject_entry(store, cert);
+	if (nssrv == PR_FAILURE) {
+	    remove_certificate_entry(store, cert);
+	}
+    }
+    return nssrv;
+}
+
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificateStore_FindOrAdd (
+  nssCertificateStore *store,
+  NSSCertificate *c
+)
+{
+    PRStatus nssrv;
+    NSSCertificate *rvCert = NULL;
+
+    PZ_Lock(store->lock);
+    rvCert = nssCertStore_FindCertByIssuerAndSerialNumberLocked(
+					   store, &c->issuer, &c->serial);
+    if (!rvCert) {
+	nssrv = nssCertificateStore_AddLocked(store, c);
+	if (PR_SUCCESS == nssrv) {
+	    rvCert = nssCertificate_AddRef(c);
+	}
+    }
+    PZ_Unlock(store->lock);
+    return rvCert;
+}
+
+static void
+remove_certificate_entry (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    entry = (certificate_hash_entry *)
+                             nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	nssHash_Remove(store->issuer_and_serial, cert);
+	if (entry->trust) {
+	    nssTrust_Destroy(entry->trust);
+	}
+	if (entry->profile) {
+	    nssSMIMEProfile_Destroy(entry->profile);
+	}
+	nss_ZFreeIf(entry);
+    }
+}
+
+static void
+remove_subject_entry (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    nssList *subjectList;
+    /* Get the subject list for the cert's subject */
+    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
+    if (subjectList) {
+	/* Remove the cert from the subject hash */
+	nssList_Remove(subjectList, cert);
+	nssHash_Remove(store->subject, &cert->subject);
+	if (nssList_Count(subjectList) == 0) {
+	    nssList_Destroy(subjectList);
+	} else {
+	    /* The cert being released may have keyed the subject entry.
+	     * Since there are still subject certs around, get another and
+	     * rekey the entry just in case.
+	     */
+	    NSSCertificate *subjectCert;
+	    (void)nssList_GetArray(subjectList, (void **)&subjectCert, 1);
+	    nssHash_Add(store->subject, &subjectCert->subject, subjectList);
+	}
+    }
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_RemoveCertLOCKED (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->cert == cert) {
+	remove_certificate_entry(store, cert);
+	remove_subject_entry(store, cert);
+    }
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_Lock (
+  nssCertificateStore *store, nssCertificateStoreTrace* out
+)
+{
+#ifdef DEBUG
+    PORT_Assert(out);
+    out->store = store;
+    out->lock = store->lock;
+    out->locked = PR_TRUE;
+    PZ_Lock(out->lock);
+#else
+    PZ_Lock(store->lock);
+#endif
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_Unlock (
+  nssCertificateStore *store, const nssCertificateStoreTrace* in,
+  nssCertificateStoreTrace* out
+)
+{
+#ifdef DEBUG
+    PORT_Assert(in);
+    PORT_Assert(out);
+    out->store = store;
+    out->lock = store->lock;
+    PORT_Assert(!out->locked);
+    out->unlocked = PR_TRUE;
+
+    PORT_Assert(in->store == out->store);
+    PORT_Assert(in->lock == out->lock);
+    PORT_Assert(in->locked);
+    PORT_Assert(!in->unlocked);
+
+    PZ_Unlock(out->lock);
+#else
+    PZ_Unlock(store->lock);
+#endif
+}
+
+static NSSCertificate **
+get_array_from_list (
+  nssList *certList,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    PRUint32 count;
+    NSSCertificate **rvArray = NULL;
+    count = nssList_Count(certList);
+    if (count == 0) {
+	return NULL;
+    }
+    if (maximumOpt > 0) {
+	count = PR_MIN(maximumOpt, count);
+    }
+    if (rvOpt) {
+	nssList_GetArray(certList, (void **)rvOpt, count);
+    } else {
+	rvArray = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, count + 1);
+	if (rvArray) {
+	    nssList_GetArray(certList, (void **)rvArray, count);
+	}
+    }
+    return rvArray;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesBySubject (
+  nssCertificateStore *store,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    nssList *subjectList;
+    PZ_Lock(store->lock);
+    subjectList = (nssList *)nssHash_Lookup(store->subject, subject);
+    if (subjectList) {
+	nssCertificateList_AddReferences(subjectList);
+	rvArray = get_array_from_list(subjectList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+    }
+    PZ_Unlock(store->lock);
+    return rvArray;
+}
+
+/* Because only subject indexing is implemented, all other lookups require
+ * full traversal (unfortunately, PLHashTable doesn't allow you to exit
+ * early from the enumeration).  The assumptions are that 1) lookups by 
+ * fields other than subject will be rare, and 2) the hash will not have
+ * a large number of entries.  These assumptions will be tested.
+ *
+ * XXX
+ * For NSS 3.4, it is worth consideration to do all forms of indexing,
+ * because the only crypto context is global and persistent.
+ */
+
+struct nickname_template_str
+{
+    NSSUTF8 *nickname;
+    nssList *subjectList;
+};
+
+static void match_nickname(const void *k, void *v, void *a)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    NSSUTF8 *nickname;
+    nssList *subjectList = (nssList *)v;
+    struct nickname_template_str *nt = (struct nickname_template_str *)a;
+    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
+    nickname = nssCertificate_GetNickname(c, NULL);
+    if (nssrv == PR_SUCCESS && nickname &&
+         nssUTF8_Equal(nickname, nt->nickname, &nssrv)) 
+    {
+	nt->subjectList = subjectList;
+    }
+}
+
+/*
+ * Find all cached certs with this label.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesByNickname (
+  nssCertificateStore *store,
+  const NSSUTF8 *nickname,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    struct nickname_template_str nt;
+    nt.nickname = (char*) nickname;
+    nt.subjectList = NULL;
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->subject, match_nickname, &nt);
+    if (nt.subjectList) {
+	nssCertificateList_AddReferences(nt.subjectList);
+	rvArray = get_array_from_list(nt.subjectList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+    }
+    PZ_Unlock(store->lock);
+    return rvArray;
+}
+
+struct email_template_str
+{
+    NSSASCII7 *email;
+    nssList *emailList;
+};
+
+static void match_email(const void *k, void *v, void *a)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    nssList *subjectList = (nssList *)v;
+    struct email_template_str *et = (struct email_template_str *)a;
+    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
+    if (nssrv == PR_SUCCESS && 
+         nssUTF8_Equal(c->email, et->email, &nssrv)) 
+    {
+	nssListIterator *iter = nssList_CreateIterator(subjectList);
+	if (iter) {
+	    for (c  = (NSSCertificate *)nssListIterator_Start(iter);
+	         c != (NSSCertificate *)NULL;
+	         c  = (NSSCertificate *)nssListIterator_Next(iter))
+	    {
+		nssList_Add(et->emailList, c);
+	    }
+	    nssListIterator_Finish(iter);
+	    nssListIterator_Destroy(iter);
+	}
+    }
+}
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesByEmail (
+  nssCertificateStore *store,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    struct email_template_str et;
+    et.email = email;
+    et.emailList = nssList_Create(NULL, PR_FALSE);
+    if (!et.emailList) {
+	return NULL;
+    }
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->subject, match_email, &et);
+    if (et.emailList) {
+	/* get references before leaving the store's lock protection */
+	nssCertificateList_AddReferences(et.emailList);
+    }
+    PZ_Unlock(store->lock);
+    if (et.emailList) {
+	rvArray = get_array_from_list(et.emailList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+	nssList_Destroy(et.emailList);
+    }
+    return rvArray;
+}
+
+/* Caller holds store->lock */
+static NSSCertificate *
+nssCertStore_FindCertByIssuerAndSerialNumberLocked (
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    certificate_hash_entry *entry;
+    NSSCertificate *rvCert = NULL;
+    NSSCertificate index;
+
+    index.issuer = *issuer;
+    index.serial = *serial;
+    entry = (certificate_hash_entry *)
+                           nssHash_Lookup(store->issuer_and_serial, &index);
+    if (entry) {
+	rvCert = nssCertificate_AddRef(entry->cert);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificateStore_FindCertificateByIssuerAndSerialNumber (
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    NSSCertificate *rvCert = NULL;
+
+    PZ_Lock(store->lock);
+    rvCert = nssCertStore_FindCertByIssuerAndSerialNumberLocked (
+                           store, issuer, serial);
+    PZ_Unlock(store->lock);
+    return rvCert;
+}
+
+static PRStatus
+issuer_and_serial_from_encoding (
+  NSSBER *encoding, 
+  NSSDER *issuer, 
+  NSSDER *serial
+)
+{
+    SECItem derCert, derIssuer, derSerial;
+    SECStatus secrv;
+    derCert.data = (unsigned char *)encoding->data;
+    derCert.len = encoding->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    if (secrv != SECSuccess) {
+	PORT_Free(derIssuer.data);
+	return PR_FAILURE;
+    }
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificateStore_FindCertificateByEncodedCertificate (
+  nssCertificateStore *store,
+  NSSDER *encoding
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    NSSDER issuer, serial;
+    NSSCertificate *rvCert = NULL;
+    nssrv = issuer_and_serial_from_encoding(encoding, &issuer, &serial);
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+    rvCert = nssCertificateStore_FindCertificateByIssuerAndSerialNumber(store, 
+                                                                     &issuer, 
+                                                                     &serial);
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
+    return rvCert;
+}
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddTrust (
+  nssCertificateStore *store,
+  NSSTrust *trust
+)
+{
+    NSSCertificate *cert;
+    certificate_hash_entry *entry;
+    cert = trust->certificate;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	entry->trust = nssTrust_AddRef(trust);
+    }
+    PZ_Unlock(store->lock);
+    return (entry) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssCertificateStore_FindTrustForCertificate (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    NSSTrust *rvTrust = NULL;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->trust) {
+	rvTrust = nssTrust_AddRef(entry->trust);
+    }
+    PZ_Unlock(store->lock);
+    return rvTrust;
+}
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddSMIMEProfile (
+  nssCertificateStore *store,
+  nssSMIMEProfile *profile
+)
+{
+    NSSCertificate *cert;
+    certificate_hash_entry *entry;
+    cert = profile->certificate;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	entry->profile = nssSMIMEProfile_AddRef(profile);
+    }
+    PZ_Unlock(store->lock);
+    return (entry) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssCertificateStore_FindSMIMEProfileForCertificate (
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    nssSMIMEProfile *rvProfile = NULL;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->profile) {
+	rvProfile = nssSMIMEProfile_AddRef(entry->profile);
+    }
+    PZ_Unlock(store->lock);
+    return rvProfile;
+}
+
+/* XXX this is also used by cache and should be somewhere else */
+
+static PLHashNumber
+nss_certificate_hash (
+  const void *key
+)
+{
+    unsigned int i;
+    PLHashNumber h;
+    NSSCertificate *c = (NSSCertificate *)key;
+    h = 0;
+    for (i=0; i<c->issuer.size; i++)
+	h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)c->issuer.data)[i];
+    for (i=0; i<c->serial.size; i++)
+	h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)c->serial.data)[i];
+    return h;
+}
+
+static int
+nss_compare_certs(const void *v1, const void *v2)
+{
+    PRStatus ignore;
+    NSSCertificate *c1 = (NSSCertificate *)v1;
+    NSSCertificate *c2 = (NSSCertificate *)v2;
+    return (int)(nssItem_Equal(&c1->issuer, &c2->issuer, &ignore) &&
+                 nssItem_Equal(&c1->serial, &c2->serial, &ignore));
+}
+
+NSS_IMPLEMENT nssHash *
+nssHash_CreateCertificate (
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+    return nssHash_Create(arenaOpt, 
+                          numBuckets, 
+                          nss_certificate_hash, 
+                          nss_compare_certs, 
+                          PL_CompareValues);
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_DumpStoreInfo (
+  nssCertificateStore *store,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+)
+{
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->issuer_and_serial, cert_dump_iter, arg);
+    PZ_Unlock(store->lock);
+}
+
diff --git a/security/nss/lib/pki/pkistore.h b/security/nss/lib/pki/pkistore.h
new file mode 100644
index 000000000..ac77a4f80
--- /dev/null
+++ b/security/nss/lib/pki/pkistore.h
@@ -0,0 +1,204 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKISTORE_H
+#define PKISTORE_H
+
+#ifdef DEBUG
+static const char PKISTORE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/* 
+ * PKI Stores
+ *
+ * This is a set of routines for managing local stores of PKI objects.
+ * Currently, the only application is in crypto contexts, where the
+ * certificate store is used.  In the future, methods should be added
+ * here for storing local references to keys.
+ */
+
+/* 
+ * nssCertificateStore
+ *
+ * Manages local store of certificate, trust, and S/MIME profile objects.
+ * Within a crypto context, mappings of cert to trust and cert to S/MIME
+ * profile are always 1-1.  Therefore, it is reasonable to store all objects
+ * in a single collection, indexed by the certificate.
+ */
+
+NSS_EXTERN nssCertificateStore *
+nssCertificateStore_Create
+(
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_Destroy
+(
+  nssCertificateStore *store
+);
+
+/* Atomic Find cert in store, or add this cert to the store.
+** Ref counts properly maintained.
+*/
+NSS_EXTERN NSSCertificate *
+nssCertificateStore_FindOrAdd 
+(
+  nssCertificateStore *store,
+  NSSCertificate *c
+);
+
+NSS_EXTERN void
+nssCertificateStore_RemoveCertLOCKED
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+struct nssCertificateStoreTraceStr {
+    nssCertificateStore* store;
+    PZLock* lock;
+    PRBool locked;
+    PRBool unlocked;
+};
+
+typedef struct nssCertificateStoreTraceStr nssCertificateStoreTrace;
+
+NSS_EXTERN void
+nssCertificateStore_Lock (
+  nssCertificateStore *store, nssCertificateStoreTrace* out
+);
+
+NSS_EXTERN void
+nssCertificateStore_Unlock (
+  nssCertificateStore *store, const nssCertificateStoreTrace* in,
+  nssCertificateStoreTrace* out
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesBySubject
+(
+  nssCertificateStore *store,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesByNickname
+(
+  nssCertificateStore *store,
+  const NSSUTF8 *nickname,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesByEmail
+(
+  nssCertificateStore *store,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate *
+nssCertificateStore_FindCertificateByIssuerAndSerialNumber
+(
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+);
+
+NSS_EXTERN NSSCertificate *
+nssCertificateStore_FindCertificateByEncodedCertificate
+(
+  nssCertificateStore *store,
+  NSSDER *encoding
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddTrust
+(
+  nssCertificateStore *store,
+  NSSTrust *trust
+);
+
+NSS_EXTERN NSSTrust *
+nssCertificateStore_FindTrustForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddSMIMEProfile
+(
+  nssCertificateStore *store,
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssCertificateStore_FindSMIMEProfileForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN void
+nssCertificateStore_DumpStoreInfo
+(
+  nssCertificateStore *store,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKISTORE_H */
diff --git a/security/nss/lib/pki/pkit.h b/security/nss/lib/pki/pkit.h
new file mode 100644
index 000000000..29e387b34
--- /dev/null
+++ b/security/nss/lib/pki/pkit.h
@@ -0,0 +1,224 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKIT_H
+#define PKIT_H
+
+#ifdef DEBUG
+static const char PKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * pkit.h
+ *
+ * This file contains definitions for the types of the top-level PKI objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#include "certt.h"
+#include "pkcs11t.h"
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+#ifndef nssrwlkt_h__
+#include "nssrwlkt.h"
+#endif /* nssrwlkt_h__ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A note on ephemeral certs
+ *
+ * The key objects defined here can only be created on tokens, and can only
+ * exist on tokens.  Therefore, any instance of a key object must have
+ * a corresponding cryptoki instance.  OTOH, certificates created in 
+ * crypto contexts need not be stored as session objects on the token.
+ * There are good performance reasons for not doing so.  The certificate
+ * and trust objects have been defined with a cryptoContext field to
+ * allow for ephemeral certs, which may have a single instance in a crypto
+ * context along with any number (including zero) of cryptoki instances.
+ * Since contexts may not share objects, there can be only one context
+ * for each object.
+ */
+
+typedef enum {
+    nssPKILock = 1,
+    nssPKIMonitor = 2
+} nssPKILockType;
+
+/* nssPKIObject
+ *
+ * This is the base object class, common to all PKI objects defined in
+ * nsspkit.h
+ */
+struct nssPKIObjectStr 
+{
+    /* The arena for all object memory */
+    NSSArena *arena;
+    /* Atomically incremented/decremented reference counting */
+    PRInt32 refCount;
+    /* lock protects the array of nssCryptokiInstance's of the object */
+    union {
+        PZLock* lock;
+        PZMonitor *mlock;
+    } sync;
+    nssPKILockType lockType;
+    /* XXX with LRU cache, this cannot be guaranteed up-to-date.  It cannot
+     * be compared against the update level of the trust domain, since it is
+     * also affected by import/export.  Where is this array needed?
+     */
+    nssCryptokiObject **instances;
+    PRUint32 numInstances;
+    /* The object must live in a trust domain */
+    NSSTrustDomain *trustDomain;
+    /* The object may live in a crypto context */
+    NSSCryptoContext *cryptoContext;
+    /* XXX added so temp certs can have nickname, think more ... */
+    NSSUTF8 *tempName;
+};
+
+typedef struct nssDecodedCertStr nssDecodedCert;
+
+typedef struct nssCertificateStoreStr nssCertificateStore;
+
+/* How wide is the scope of this? */
+typedef struct nssSMIMEProfileStr nssSMIMEProfile;
+
+typedef struct nssPKIObjectStr nssPKIObject;
+
+struct NSSTrustStr 
+{
+    nssPKIObject object;
+    NSSCertificate *certificate;
+    nssTrustLevel serverAuth;
+    nssTrustLevel clientAuth;
+    nssTrustLevel emailProtection;
+    nssTrustLevel codeSigning;
+    PRBool stepUpApproved;
+};
+
+struct nssSMIMEProfileStr
+{
+    nssPKIObject object;
+    NSSCertificate *certificate;
+    NSSASCII7 *email;
+    NSSDER *subject;
+    NSSItem *profileTime;
+    NSSItem *profileData;
+};
+
+struct NSSCertificateStr
+{
+    nssPKIObject object;
+    NSSCertificateType type;
+    NSSItem id;
+    NSSBER encoding;
+    NSSDER issuer;
+    NSSDER subject;
+    NSSDER serial;
+    NSSASCII7 *email;
+    nssDecodedCert *decoding;
+};
+
+struct NSSPrivateKeyStr;
+
+struct NSSPublicKeyStr;
+
+struct NSSSymmetricKeyStr;
+
+typedef struct nssTDCertificateCacheStr nssTDCertificateCache;
+
+struct NSSTrustDomainStr {
+    PRInt32 refCount;
+    NSSArena *arena;
+    NSSCallback *defaultCallback;
+    nssList *tokenList;
+    nssListIterator *tokens;
+    nssTDCertificateCache *cache;
+    NSSRWLock *tokensLock;
+    void *spkDigestInfo;
+    CERTStatusConfig *statusConfig;
+};
+
+struct NSSCryptoContextStr
+{
+    PRInt32 refCount;
+    NSSArena *arena;
+    NSSTrustDomain *td;
+    NSSToken *token;
+    nssSession *session;
+    nssCertificateStore *certStore;
+};
+
+struct NSSTimeStr {
+    PRTime prTime;
+};
+
+struct NSSCRLStr {
+  nssPKIObject object;
+  NSSDER encoding;
+  NSSUTF8 *url;
+  PRBool isKRL;
+};
+
+typedef struct NSSCRLStr NSSCRL;
+
+struct NSSPoliciesStr;
+
+struct NSSAlgorithmAndParametersStr;
+
+struct NSSPKIXCertificateStr;
+
+PR_END_EXTERN_C
+
+#endif /* PKIT_H */
diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h
new file mode 100644
index 000000000..ae40e013b
--- /dev/null
+++ b/security/nss/lib/pki/pkitm.h
@@ -0,0 +1,121 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKITM_H
+#define PKITM_H
+
+#ifdef DEBUG
+static const char PKITM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * pkitm.h
+ *
+ * This file contains PKI-module specific types.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+PR_BEGIN_EXTERN_C
+
+typedef enum nssCertIDMatchEnum {
+  nssCertIDMatch_Yes = 0,
+  nssCertIDMatch_No = 1,
+  nssCertIDMatch_Unknown = 2
+} nssCertIDMatch;
+
+/*
+ * nssDecodedCert
+ *
+ * This is an interface to allow the PKI module access to certificate
+ * information that can only be found by decoding.  The interface is
+ * generic, allowing each certificate type its own way of providing
+ * the information
+ */
+struct nssDecodedCertStr {
+    NSSCertificateType type;
+    void *data;
+    /* returns the unique identifier for the cert */
+    NSSItem *  (*getIdentifier)(nssDecodedCert *dc);
+    /* returns the unique identifier for this cert's issuer */
+    void *     (*getIssuerIdentifier)(nssDecodedCert *dc);
+    /* is id the identifier for this cert? */
+    nssCertIDMatch (*matchIdentifier)(nssDecodedCert *dc, void *id);
+    /* is this cert a valid CA cert? */
+    PRBool     (*isValidIssuer)(nssDecodedCert *dc);
+    /* returns the cert usage */
+    NSSUsage * (*getUsage)(nssDecodedCert *dc);
+    /* is time within the validity period of the cert? */
+    PRBool     (*isValidAtTime)(nssDecodedCert *dc, NSSTime *time);
+    /* is the validity period of this cert newer than cmpdc? */
+    PRBool     (*isNewerThan)(nssDecodedCert *dc, nssDecodedCert *cmpdc);
+    /* does the usage for this cert match the requested usage? */
+    PRBool     (*matchUsage)(nssDecodedCert *dc, const NSSUsage *usage);
+    /* extract the email address */
+    NSSASCII7 *(*getEmailAddress)(nssDecodedCert *dc);
+    /* extract the DER-encoded serial number */
+    PRStatus   (*getDERSerialNumber)(nssDecodedCert *dc,
+                                     NSSDER *derSerial, NSSArena *arena);
+};
+
+struct NSSUsageStr {
+    PRBool anyUsage;
+    SECCertUsage nss3usage;
+    PRBool nss3lookingForCA;
+};
+
+typedef struct nssPKIObjectCollectionStr nssPKIObjectCollection;
+
+typedef struct
+{
+  union {
+    PRStatus (*  cert)(NSSCertificate *c, void *arg);
+    PRStatus (*   crl)(NSSCRL       *crl, void *arg);
+    PRStatus (* pvkey)(NSSPrivateKey *vk, void *arg);
+    PRStatus (* pbkey)(NSSPublicKey *bk, void *arg);
+  } func;
+  void *arg;
+} nssPKIObjectCallback;
+
+PR_END_EXTERN_C
+
+#endif /* PKITM_H */
diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symmkey.c
new file mode 100644
index 000000000..0806e588b
--- /dev/null
+++ b/security/nss/lib/pki/symmkey.c
@@ -0,0 +1,300 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_Destroy (
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_DeleteStoredObject (
+  NSSSymmetricKey *mk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSSymmetricKey_GetKeyLength (
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSSymmetricKey_GetKeyStrength (
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_IsStillPresent (
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSSymmetricKey_GetTrustDomain (
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSSymmetricKey_GetToken (
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSSymmetricKey_GetSlot (
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSSymmetricKey_GetModule (
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Encrypt (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Decrypt (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Sign (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_SignRecover (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_Verify (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_VerifyRecover (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_WrapSymmetricKey (
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_WrapPrivateKey (
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPrivateKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSSymmetricKey_UnwrapSymmetricKey (
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSSymmetricKey_UnwrapPrivateKey (
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSUTF8 *labelOpt,
+  NSSItem *keyIDOpt,
+  PRBool persistant,
+  PRBool sensitive,
+  NSSToken *destinationOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSSymmetricKey_DeriveSymmetricKey (
+  NSSSymmetricKey *originalKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSSymmetricKey_CreateCryptoContext (
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c
new file mode 100644
index 000000000..a7dc12ec2
--- /dev/null
+++ b/security/nss/lib/pki/tdcache.c
@@ -0,0 +1,1175 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "cert.h"
+#include "dev.h"
+#include "pki3hack.h"
+
+#ifdef DEBUG_CACHE
+static PRLogModuleInfo *s_log = NULL;
+#endif
+
+#ifdef DEBUG_CACHE
+static void log_item_dump(const char *msg, NSSItem *it)
+{
+    char buf[33];
+    int i, j;
+    for (i=0; i<10 && i<it->size; i++) {
+	sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[i]);
+    }
+    if (it->size>10) {
+	sprintf(&buf[2*i], "..");
+	i += 1;
+	for (j=it->size-1; i<=16 && j>10; i++, j--) {
+	    sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[j]);
+	}
+    }
+    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg, buf));
+}
+#endif
+
+#ifdef DEBUG_CACHE
+static void log_cert_ref(const char *msg, NSSCertificate *c)
+{
+    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg,
+                           (c->nickname) ? c->nickname : c->email));
+    log_item_dump("\tserial", &c->serial);
+    log_item_dump("\tsubject", &c->subject);
+}
+#endif
+
+/* Certificate cache routines */
+
+/* XXX
+ * Locking is not handled well at all.  A single, global lock with sub-locks
+ * in the collection types.  Cleanup needed.
+ */
+
+/* should it live in its own arena? */
+struct nssTDCertificateCacheStr 
+{
+    PZLock *lock;
+    NSSArena *arena;
+    nssHash *issuerAndSN;
+    nssHash *subject;
+    nssHash *nickname;
+    nssHash *email;
+};
+
+struct cache_entry_str 
+{
+    union {
+	NSSCertificate *cert;
+	nssList *list;
+	void *value;
+    } entry;
+    PRUint32 hits;
+    PRTime lastHit;
+    NSSArena *arena;
+    NSSUTF8 *nickname;
+};
+
+typedef struct cache_entry_str cache_entry;
+
+static cache_entry *
+new_cache_entry(NSSArena *arena, void *value, PRBool ownArena)
+{
+    cache_entry *ce = nss_ZNEW(arena, cache_entry);
+    if (ce) {
+	ce->entry.value = value;
+	ce->hits = 1;
+	ce->lastHit = PR_Now();
+	if (ownArena) {
+	    ce->arena = arena;
+	}
+	ce->nickname = NULL;
+    }
+    return ce;
+}
+
+/* this should not be exposed in a header, but is here to keep the above
+ * types/functions static
+ */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_InitializeCache (
+  NSSTrustDomain *td,
+  PRUint32 cacheSize
+)
+{
+    NSSArena *arena;
+    nssTDCertificateCache *cache = td->cache;
+#ifdef DEBUG_CACHE
+    s_log = PR_NewLogModule("nss_cache");
+    PR_ASSERT(s_log);
+#endif
+    PR_ASSERT(!cache);
+    arena = nssArena_Create();
+    if (!arena) {
+	return PR_FAILURE;
+    }
+    cache = nss_ZNEW(arena, nssTDCertificateCache);
+    if (!cache) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    cache->lock = PZ_NewLock(nssILockCache);
+    if (!cache->lock) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    /* Create the issuer and serial DER --> certificate hash */
+    cache->issuerAndSN = nssHash_CreateCertificate(arena, cacheSize);
+    if (!cache->issuerAndSN) {
+	goto loser;
+    }
+    /* Create the subject DER --> subject list hash */
+    cache->subject = nssHash_CreateItem(arena, cacheSize);
+    if (!cache->subject) {
+	goto loser;
+    }
+    /* Create the nickname --> subject list hash */
+    cache->nickname = nssHash_CreateString(arena, cacheSize);
+    if (!cache->nickname) {
+	goto loser;
+    }
+    /* Create the email --> list of subject lists hash */
+    cache->email = nssHash_CreateString(arena, cacheSize);
+    if (!cache->email) {
+	goto loser;
+    }
+    cache->arena = arena;
+    td->cache = cache;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialized."));
+#endif
+    return PR_SUCCESS;
+loser:
+    PZ_DestroyLock(cache->lock);
+    nssArena_Destroy(arena);
+    td->cache = NULL;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialization failed."));
+#endif
+    return PR_FAILURE;
+}
+
+/* The entries of the hashtable are currently dependent on the certificate(s)
+ * that produced them.  That is, the entries will be freed when the cert is
+ * released from the cache.  If there are certs in the cache at any time,
+ * including shutdown, the hash table entries will hold memory.  In order for
+ * clean shutdown, it is necessary for there to be no certs in the cache.
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+extern const NSSError NSS_ERROR_BUSY;
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_DestroyCache (
+  NSSTrustDomain *td
+)
+{
+    if (!td->cache) {
+	nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+	return PR_FAILURE;
+    }
+    if (nssHash_Count(td->cache->issuerAndSN) > 0) {
+	nss_SetError(NSS_ERROR_BUSY);
+	return PR_FAILURE;
+    }
+    PZ_DestroyLock(td->cache->lock);
+    nssHash_Destroy(td->cache->issuerAndSN);
+    nssHash_Destroy(td->cache->subject);
+    nssHash_Destroy(td->cache->nickname);
+    nssHash_Destroy(td->cache->email);
+    nssArena_Destroy(td->cache->arena);
+    td->cache = NULL;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache destroyed."));
+#endif
+    return PR_SUCCESS;
+}
+
+static PRStatus
+remove_issuer_and_serial_entry (
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert
+)
+{
+    /* Remove the cert from the issuer/serial hash */
+    nssHash_Remove(cache->issuerAndSN, cert);
+#ifdef DEBUG_CACHE
+    log_cert_ref("removed issuer/sn", cert);
+#endif
+    return PR_SUCCESS;
+}
+
+static PRStatus
+remove_subject_entry (
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert,
+  nssList **subjectList,
+  NSSUTF8 **nickname,
+  NSSArena **arena
+)
+{
+    PRStatus nssrv;
+    cache_entry *ce;
+    *subjectList = NULL;
+    *arena = NULL;
+    /* Get the subject list for the cert's subject */
+    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
+    if (ce) {
+	/* Remove the cert from the subject hash */
+	nssList_Remove(ce->entry.list, cert);
+	*subjectList = ce->entry.list;
+	*nickname = ce->nickname;
+	*arena = ce->arena;
+	nssrv = PR_SUCCESS;
+#ifdef DEBUG_CACHE
+	log_cert_ref("removed cert", cert);
+	log_item_dump("from subject list", &cert->subject);
+#endif
+    } else {
+	nssrv = PR_FAILURE;
+    }
+    return nssrv;
+}
+
+static PRStatus
+remove_nickname_entry (
+  nssTDCertificateCache *cache,
+  NSSUTF8 *nickname,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv;
+    if (nickname) {
+	nssHash_Remove(cache->nickname, nickname);
+	nssrv = PR_SUCCESS;
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("removed nickname %s", nickname));
+#endif
+    } else {
+	nssrv = PR_FAILURE;
+    }
+    return nssrv;
+}
+
+static PRStatus
+remove_email_entry (
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    cache_entry *ce;
+    /* Find the subject list in the email hash */
+    if (cert->email) {
+	ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
+	if (ce) {
+	    nssList *subjects = ce->entry.list;
+	    /* Remove the subject list from the email hash */
+	    nssList_Remove(subjects, subjectList);
+#ifdef DEBUG_CACHE
+	    log_item_dump("removed subject list", &cert->subject);
+	    PR_LOG(s_log, PR_LOG_DEBUG, ("for email %s", cert->email));
+#endif
+	    if (nssList_Count(subjects) == 0) {
+		/* No more subject lists for email, delete list and
+		* remove hash entry
+		*/
+		(void)nssList_Destroy(subjects);
+		nssHash_Remove(cache->email, cert->email);
+		/* there are no entries left for this address, free space
+		 * used for email entries
+		 */
+		nssArena_Destroy(ce->arena);
+#ifdef DEBUG_CACHE
+		PR_LOG(s_log, PR_LOG_DEBUG, ("removed email %s", cert->email));
+#endif
+	    }
+	    nssrv = PR_SUCCESS;
+	}
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_RemoveCertFromCacheLOCKED (
+  NSSTrustDomain *td,
+  NSSCertificate *cert
+)
+{
+    nssList *subjectList;
+    cache_entry *ce;
+    NSSArena *arena;
+    NSSUTF8 *nickname;
+
+#ifdef DEBUG_CACHE
+    log_cert_ref("attempt to remove cert", cert);
+#endif
+    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
+    if (!ce || ce->entry.cert != cert) {
+	/* If it's not in the cache, or a different cert is (this is really
+	 * for safety reasons, though it shouldn't happen), do nothing 
+	 */
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("but it wasn't in the cache"));
+#endif
+	return;
+    }
+    (void)remove_issuer_and_serial_entry(td->cache, cert);
+    (void)remove_subject_entry(td->cache, cert, &subjectList, 
+                               &nickname, &arena);
+    if (nssList_Count(subjectList) == 0) {
+	(void)remove_nickname_entry(td->cache, nickname, subjectList);
+	(void)remove_email_entry(td->cache, cert, subjectList);
+	(void)nssList_Destroy(subjectList);
+	nssHash_Remove(td->cache->subject, &cert->subject);
+	/* there are no entries left for this subject, free the space used
+	 * for both the nickname and subject entries
+	 */
+	if (arena) {
+	    nssArena_Destroy(arena);
+	}
+    }
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_LockCertCache (
+  NSSTrustDomain *td
+)
+{
+    PZ_Lock(td->cache->lock);
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_UnlockCertCache (
+  NSSTrustDomain *td
+)
+{
+    PZ_Unlock(td->cache->lock);
+}
+
+struct token_cert_dtor {
+    NSSToken *token;
+    nssTDCertificateCache *cache;
+    NSSCertificate **certs;
+    PRUint32 numCerts, arrSize;
+};
+
+static void 
+remove_token_certs(const void *k, void *v, void *a)
+{
+    NSSCertificate *c = (NSSCertificate *)k;
+    nssPKIObject *object = &c->object;
+    struct token_cert_dtor *dtor = a;
+    PRUint32 i;
+    nssPKIObject_Lock(object);
+    for (i=0; i<object->numInstances; i++) {
+	if (object->instances[i]->token == dtor->token) {
+	    nssCryptokiObject_Destroy(object->instances[i]);
+	    object->instances[i] = object->instances[object->numInstances-1];
+	    object->instances[object->numInstances-1] = NULL;
+	    object->numInstances--;
+	    dtor->certs[dtor->numCerts++] = c;
+	    if (dtor->numCerts == dtor->arrSize) {
+		dtor->arrSize *= 2;
+		dtor->certs = nss_ZREALLOCARRAY(dtor->certs, 
+		                                NSSCertificate *,
+		                                dtor->arrSize);
+	    }
+	    break;
+	}
+    }
+    nssPKIObject_Unlock(object);
+    return;
+}
+
+/* 
+ * Remove all certs for the given token from the cache.  This is
+ * needed if the token is removed. 
+ */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache (
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    NSSCertificate **certs;
+    PRUint32 i, arrSize = 10;
+    struct token_cert_dtor dtor;
+    certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
+    if (!certs) {
+	return PR_FAILURE;
+    }
+    dtor.cache = td->cache;
+    dtor.token = token;
+    dtor.certs = certs;
+    dtor.numCerts = 0;
+    dtor.arrSize = arrSize;
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor);
+    for (i=0; i<dtor.numCerts; i++) {
+	if (dtor.certs[i]->object.numInstances == 0) {
+	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
+	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
+	}
+    }
+    PZ_Unlock(td->cache->lock);
+    for (i=0; i<dtor.numCerts; i++) {
+	if (dtor.certs[i]) {
+	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+	}
+    }
+    nss_ZFreeIf(dtor.certs);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_UpdateCachedTokenCerts (
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    NSSCertificate **cp, **cached = NULL;
+    nssList *certList;
+    PRUint32 count;
+    certList = nssList_Create(NULL, PR_FALSE);
+    if (!certList) return PR_FAILURE;
+    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    count = nssList_Count(certList);
+    if (count > 0) {
+	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
+	if (!cached) {
+	    return PR_FAILURE;
+	}
+	nssList_GetArray(certList, (void **)cached, count);
+	nssList_Destroy(certList);
+	for (cp = cached; *cp; cp++) {
+	    nssCryptokiObject *instance;
+	    NSSCertificate *c = *cp;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	    instance = nssToken_FindCertificateByIssuerAndSerialNumber(
+	                                                       token,
+                                                               NULL,
+                                                               &c->issuer,
+                                                               &c->serial,
+                                                               tokenOnly,
+                                                               NULL);
+	    if (instance) {
+		nssPKIObject_AddInstance(&c->object, instance);
+		STAN_ForceCERTCertificateUpdate(c);
+	    }
+	}
+	nssCertificateArray_Destroy(cached);
+    }
+    return PR_SUCCESS;
+}
+
+static PRStatus
+add_issuer_and_serial_entry (
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert
+)
+{
+    cache_entry *ce;
+    ce = new_cache_entry(arena, (void *)cert, PR_FALSE);
+#ifdef DEBUG_CACHE
+    log_cert_ref("added to issuer/sn", cert);
+#endif
+    return nssHash_Add(cache->issuerAndSN, cert, (void *)ce);
+}
+
+static PRStatus
+add_subject_entry (
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert,
+  NSSUTF8 *nickname,
+  nssList **subjectList
+)
+{
+    PRStatus nssrv;
+    nssList *list;
+    cache_entry *ce;
+    *subjectList = NULL;  /* this is only set if a new one is created */
+    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+	/* The subject is already in, add this cert to the list */
+	nssrv = nssList_AddUnique(ce->entry.list, cert);
+#ifdef DEBUG_CACHE
+	log_cert_ref("added to existing subject list", cert);
+#endif
+    } else {
+	NSSDER *subject;
+	/* Create a new subject list for the subject */
+	list = nssList_Create(arena, PR_FALSE);
+	if (!list) {
+	    return PR_FAILURE;
+	}
+	ce = new_cache_entry(arena, (void *)list, PR_TRUE);
+	if (!ce) {
+	    return PR_FAILURE;
+	}
+	if (nickname) {
+	    ce->nickname = nssUTF8_Duplicate(nickname, arena);
+	}
+	nssList_SetSortFunction(list, nssCertificate_SubjectListSort);
+	/* Add the cert entry to this list of subjects */
+	nssrv = nssList_AddUnique(list, cert);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	/* Add the subject list to the cache */
+	subject = nssItem_Duplicate(&cert->subject, arena, NULL);
+	if (!subject) {
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->subject, subject, ce);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	*subjectList = list;
+#ifdef DEBUG_CACHE
+	log_cert_ref("created subject list", cert);
+#endif
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_nickname_entry (
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSUTF8 *certNickname,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    cache_entry *ce;
+    ce = (cache_entry *)nssHash_Lookup(cache->nickname, certNickname);
+    if (ce) {
+	/* This is a collision.  A nickname entry already exists for this
+	 * subject, but a subject entry didn't.  This would imply there are
+	 * two subjects using the same nickname, which is not allowed.
+	 */
+	return PR_FAILURE;
+    } else {
+	NSSUTF8 *nickname;
+	ce = new_cache_entry(arena, subjectList, PR_FALSE);
+	if (!ce) {
+	    return PR_FAILURE;
+	}
+	nickname = nssUTF8_Duplicate(certNickname, arena);
+	if (!nickname) {
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->nickname, nickname, ce);
+#ifdef DEBUG_CACHE
+	log_cert_ref("created nickname for", cert);
+#endif
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_email_entry (
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    nssList *subjects;
+    cache_entry *ce;
+    ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
+    if (ce) {
+	/* Already have an entry for this email address, but not subject */
+	subjects = ce->entry.list;
+	nssrv = nssList_AddUnique(subjects, subjectList);
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	log_cert_ref("added subject to email for", cert);
+#endif
+    } else {
+	NSSASCII7 *email;
+	NSSArena *arena;
+	arena = nssArena_Create();
+	if (!arena) {
+	    return PR_FAILURE;
+	}
+	/* Create a new list of subject lists, add this subject */
+	subjects = nssList_Create(arena, PR_TRUE);
+	if (!subjects) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	/* Add the new subject to the list */
+	nssrv = nssList_AddUnique(subjects, subjectList);
+	if (nssrv != PR_SUCCESS) {
+	    nssArena_Destroy(arena);
+	    return nssrv;
+	}
+	/* Add the new entry to the cache */
+	ce = new_cache_entry(arena, (void *)subjects, PR_TRUE);
+	if (!ce) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	email = nssUTF8_Duplicate(cert->email, arena);
+	if (!email) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->email, email, ce);
+	if (nssrv != PR_SUCCESS) {
+	    nssArena_Destroy(arena);
+	    return nssrv;
+	}
+#ifdef DEBUG_CACHE
+	log_cert_ref("created email for", cert);
+#endif
+    }
+    return nssrv;
+}
+
+extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
+
+static void
+remove_object_instances (
+  nssPKIObject *object,
+  nssCryptokiObject **instances,
+  int numInstances
+)
+{
+    int i;
+
+    for (i = 0; i < numInstances; i++) {
+	nssPKIObject_RemoveInstanceForToken(object, instances[i]->token);
+    }
+}
+
+static SECStatus
+merge_object_instances (
+  nssPKIObject *to,
+  nssPKIObject *from
+)
+{
+    nssCryptokiObject **instances, **ci;
+    int i;
+    SECStatus rv = SECSuccess;
+
+    instances = nssPKIObject_GetInstances(from);
+    if (instances == NULL) {
+	return SECFailure;
+    }
+    for (ci = instances, i = 0; *ci; ci++, i++) {
+	nssCryptokiObject *instance = nssCryptokiObject_Clone(*ci);
+	if (instance) {
+	    if (nssPKIObject_AddInstance(to, instance) == SECSuccess) {
+		continue;
+	    }
+	    nssCryptokiObject_Destroy(instance);
+	}
+	remove_object_instances(to, instances, i);
+	rv = SECFailure;
+	break;
+    }
+    nssCryptokiObjectArray_Destroy(instances);
+    return rv;
+}
+
+static NSSCertificate *
+add_cert_to_cache (
+  NSSTrustDomain *td, 
+  NSSCertificate *cert
+)
+{
+    NSSArena *arena = NULL;
+    nssList *subjectList = NULL;
+    PRStatus nssrv;
+    PRUint32 added = 0;
+    cache_entry *ce;
+    NSSCertificate *rvCert = NULL;
+    NSSUTF8 *certNickname = nssCertificate_GetNickname(cert, NULL);
+
+    PZ_Lock(td->cache->lock);
+    /* If it exists in the issuer/serial hash, it's already in all */
+    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+	rvCert = nssCertificate_AddRef(ce->entry.cert);
+#ifdef DEBUG_CACHE
+	log_cert_ref("attempted to add cert already in cache", cert);
+#endif
+	PZ_Unlock(td->cache->lock);
+	/* collision - somebody else already added the cert
+	 * to the cache before this thread got around to it.
+	 */
+	/* merge the instances of the cert */
+	if (merge_object_instances(&rvCert->object, &cert->object)
+							!= SECSuccess) {
+	    nssCertificate_Destroy(rvCert);
+	    return NULL;
+	}
+	STAN_ForceCERTCertificateUpdate(rvCert);
+	nssCertificate_Destroy(cert);
+	return rvCert;
+    }
+    /* create a new cache entry for this cert within the cert's arena*/
+    nssrv = add_issuer_and_serial_entry(cert->object.arena, td->cache, cert);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    added++;
+    /* create an arena for the nickname and subject entries */
+    arena = nssArena_Create();
+    if (!arena) {
+	goto loser;
+    }
+    /* create a new subject list for this cert, or add to existing */
+    nssrv = add_subject_entry(arena, td->cache, cert, 
+						certNickname, &subjectList);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    added++;
+    /* If a new subject entry was created, also need nickname and/or email */
+    if (subjectList != NULL) {
+	PRBool handle = PR_FALSE;
+	if (certNickname) {
+	    nssrv = add_nickname_entry(arena, td->cache, 
+						certNickname, subjectList);
+	    if (nssrv != PR_SUCCESS) {
+		goto loser;
+	    }
+	    handle = PR_TRUE;
+	    added++;
+	}
+	if (cert->email) {
+	    nssrv = add_email_entry(td->cache, cert, subjectList);
+	    if (nssrv != PR_SUCCESS) {
+		goto loser;
+	    }
+	    handle = PR_TRUE;
+	    added += 2;
+	}
+#ifdef nodef
+	/* I think either a nickname or email address must be associated
+	 * with the cert.  However, certs are passed to NewTemp without
+	 * either.  This worked in the old code, so it must work now.
+	 */
+	if (!handle) {
+	    /* Require either nickname or email handle */
+	    nssrv = PR_FAILURE;
+	    goto loser;
+	}
+#endif
+    }
+    rvCert = cert;
+    PZ_Unlock(td->cache->lock);
+    return rvCert;
+loser:
+    /* Remove any handles that have been created */
+    subjectList = NULL;
+    if (added >= 1) {
+	(void)remove_issuer_and_serial_entry(td->cache, cert);
+    }
+    if (added >= 2) {
+	(void)remove_subject_entry(td->cache, cert, &subjectList, 
+						&certNickname, &arena);
+    }
+    if (added == 3 || added == 5) {
+	(void)remove_nickname_entry(td->cache, certNickname, subjectList);
+    }
+    if (added >= 4) {
+	(void)remove_email_entry(td->cache, cert, subjectList);
+    }
+    if (subjectList) {
+	nssHash_Remove(td->cache->subject, &cert->subject);
+	nssList_Destroy(subjectList);
+    }
+    if (arena) {
+	nssArena_Destroy(arena);
+    }
+    PZ_Unlock(td->cache->lock);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_AddCertsToCache (
+  NSSTrustDomain *td,
+  NSSCertificate **certs,
+  PRUint32 numCerts
+)
+{
+    PRUint32 i;
+    NSSCertificate *c;
+    for (i=0; i<numCerts && certs[i]; i++) {
+	c = add_cert_to_cache(td, certs[i]);
+	if (c == NULL) {
+	    return PR_FAILURE;
+	} else {
+	    certs[i] = c;
+	}
+    }
+    return PR_SUCCESS;
+}
+
+static NSSCertificate **
+collect_subject_certs (
+  nssList *subjectList,
+  nssList *rvCertListOpt
+)
+{
+    NSSCertificate *c;
+    NSSCertificate **rvArray = NULL;
+    PRUint32 count;
+    nssCertificateList_AddReferences(subjectList);
+    if (rvCertListOpt) {
+	nssListIterator *iter = nssList_CreateIterator(subjectList);
+	if (!iter) {
+	    return (NSSCertificate **)NULL;
+	}
+	for (c  = (NSSCertificate *)nssListIterator_Start(iter);
+	     c != (NSSCertificate *)NULL;
+	     c  = (NSSCertificate *)nssListIterator_Next(iter)) {
+	    nssList_Add(rvCertListOpt, c);
+	}
+	nssListIterator_Finish(iter);
+	nssListIterator_Destroy(iter);
+    } else {
+	count = nssList_Count(subjectList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
+	if (!rvArray) {
+	    return (NSSCertificate **)NULL;
+	}
+	nssList_GetArray(subjectList, (void **)rvArray, count);
+    }
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this subject.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForSubjectFromCache (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by subject", subject);
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->subject, subject);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this label.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForNicknameFromCache (
+  NSSTrustDomain *td,
+  const NSSUTF8 *nickname,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by nick %s", nickname));
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->nickname, nickname);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForEmailAddressFromCache (
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+    nssList *collectList = NULL;
+    nssListIterator *iter = NULL;
+    nssList *subjectList;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by email %s", email));
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->email, email);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	/* loop over subject lists and get refs for certs */
+	if (certListOpt) {
+	    collectList = certListOpt;
+	} else {
+	    collectList = nssList_Create(NULL, PR_FALSE);
+	    if (!collectList) {
+		PZ_Unlock(td->cache->lock);
+		return NULL;
+	    }
+	}
+	iter = nssList_CreateIterator(ce->entry.list);
+	if (!iter) {
+	    PZ_Unlock(td->cache->lock);
+	    if (!certListOpt) {
+		nssList_Destroy(collectList);
+	    }
+	    return NULL;
+	}
+	for (subjectList  = (nssList *)nssListIterator_Start(iter);
+	     subjectList != (nssList *)NULL;
+	     subjectList  = (nssList *)nssListIterator_Next(iter)) {
+	    (void)collect_subject_certs(subjectList, collectList);
+	}
+	nssListIterator_Finish(iter);
+	nssListIterator_Destroy(iter);
+    }
+    PZ_Unlock(td->cache->lock);
+    if (!certListOpt && collectList) {
+	PRUint32 count = nssList_Count(collectList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
+	if (rvArray) {
+	    nssList_GetArray(collectList, (void **)rvArray, count);
+	}
+	nssList_Destroy(collectList);
+    }
+    return rvArray;
+}
+
+/*
+ * Look for a specific cert in the cache
+ */
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_GetCertForIssuerAndSNFromCache (
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    NSSCertificate certkey;
+    NSSCertificate *rvCert = NULL;
+    cache_entry *ce;
+    certkey.issuer.data = issuer->data;
+    certkey.issuer.size = issuer->size;
+    certkey.serial.data = serial->data;
+    certkey.serial.size = serial->size;
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by issuer/sn, issuer", issuer);
+    log_item_dump("                               serial", serial);
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, &certkey);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+	rvCert = nssCertificate_AddRef(ce->entry.cert);
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvCert;
+}
+
+static PRStatus
+issuer_and_serial_from_encoding (
+  NSSBER *encoding, 
+  NSSDER *issuer, 
+  NSSDER *serial
+)
+{
+    SECItem derCert, derIssuer, derSerial;
+    SECStatus secrv;
+    derCert.data = (unsigned char *)encoding->data;
+    derCert.len = encoding->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
+    return PR_SUCCESS;
+}
+
+/*
+ * Look for a specific cert in the cache
+ */
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_GetCertByDERFromCache (
+  NSSTrustDomain *td,
+  NSSDER *der
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    NSSDER issuer, serial;
+    NSSCertificate *rvCert;
+    nssrv = issuer_and_serial_from_encoding(der, &issuer, &serial);
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by DER", der);
+#endif
+    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
+                                                           &issuer, &serial);
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
+    return rvCert;
+}
+
+static void cert_iter(const void *k, void *v, void *a)
+{
+    nssList *certList = (nssList *)a;
+    NSSCertificate *c = (NSSCertificate *)k;
+    nssList_Add(certList, nssCertificate_AddRef(c));
+}
+
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsFromCache (
+  NSSTrustDomain *td,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    nssList *certList;
+    if (certListOpt) {
+	certList = certListOpt;
+    } else {
+	certList = nssList_Create(NULL, PR_FALSE);
+	if (!certList) {
+	    return NULL;
+	}
+    }
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
+    PZ_Unlock(td->cache->lock);
+    if (!certListOpt) {
+	PRUint32 count = nssList_Count(certList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
+	nssList_GetArray(certList, (void **)rvArray, count);
+	/* array takes the references */
+	nssList_Destroy(certList);
+    }
+    return rvArray;
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_DumpCacheInfo (
+  NSSTrustDomain *td,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+)
+{
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, cert_dump_iter, arg);
+    PZ_Unlock(td->cache->lock);
+}
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
new file mode 100644
index 000000000..05baab8ba
--- /dev/null
+++ b/security/nss/lib/pki/trustdomain.c
@@ -0,0 +1,1294 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+#include "cert.h"
+#include "pki3hack.h"
+#include "pk11pub.h"
+#include "nssrwlk.h"
+
+#define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+typedef PRUint32 nssUpdateLevel;
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSTrustDomain_Create (
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+)
+{
+    NSSArena *arena;
+    NSSTrustDomain *rvTD;
+    arena = NSSArena_Create();
+    if(!arena) {
+	return (NSSTrustDomain *)NULL;
+    }
+    rvTD = nss_ZNEW(arena, NSSTrustDomain);
+    if (!rvTD) {
+	goto loser;
+    }
+    /* protect the token list and the token iterator */
+    rvTD->tokensLock = NSSRWLock_New(100, "tokens");
+    if (!rvTD->tokensLock) {
+	goto loser;
+    }
+    nssTrustDomain_InitializeCache(rvTD, NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE);
+    rvTD->arena = arena;
+    rvTD->refCount = 1;
+    rvTD->statusConfig = NULL;
+    return rvTD;
+loser:
+    if (rvTD && rvTD->tokensLock) {
+	NSSRWLock_Destroy(rvTD->tokensLock);
+    }
+    nssArena_Destroy(arena);
+    return (NSSTrustDomain *)NULL;
+}
+
+static void
+token_destructor(void *t)
+{
+    NSSToken *tok = (NSSToken *)t;
+    /* The token holds the first/last reference to the slot.
+     * When the token is actually destroyed (ref count == 0), 
+     * the slot will also be destroyed.
+     */
+    nssToken_Destroy(tok);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Destroy (
+  NSSTrustDomain *td
+)
+{
+    PRStatus status = PR_SUCCESS;
+    if (--td->refCount == 0) {
+	/* Destroy each token in the list of tokens */
+	if (td->tokens) {
+	    nssListIterator_Destroy(td->tokens);
+	    td->tokens = NULL;
+	}
+	if (td->tokenList) {
+	    nssList_Clear(td->tokenList, token_destructor);
+	    nssList_Destroy(td->tokenList);
+	    td->tokenList = NULL;
+	}
+	NSSRWLock_Destroy(td->tokensLock);
+	td->tokensLock = NULL;
+	status = nssTrustDomain_DestroyCache(td);
+	if (status == PR_FAILURE) {
+	    return status;
+	}
+	if (td->statusConfig) {
+	    td->statusConfig->statusDestroy(td->statusConfig);
+	    td->statusConfig = NULL;
+	}
+	/* Destroy the trust domain */
+	nssArena_Destroy(td->arena);
+    }
+    return status;
+}
+
+/* XXX uses tokens until slot list is in place */
+static NSSSlot **
+nssTrustDomain_GetActiveSlots (
+  NSSTrustDomain *td,
+  nssUpdateLevel *updateLevel
+)
+{
+    PRUint32 count;
+    NSSSlot **slots = NULL;
+    NSSToken **tp, **tokens;
+    *updateLevel = 1;
+    NSSRWLock_LockRead(td->tokensLock);
+    count = nssList_Count(td->tokenList);
+    tokens = nss_ZNEWARRAY(NULL, NSSToken *, count + 1);
+    if (!tokens) {
+	NSSRWLock_UnlockRead(td->tokensLock);
+	return NULL;
+    }
+    slots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1);
+    if (!slots) {
+	NSSRWLock_UnlockRead(td->tokensLock);
+	nss_ZFreeIf(tokens);
+	return NULL;
+    }
+    nssList_GetArray(td->tokenList, (void **)tokens, count);
+    NSSRWLock_UnlockRead(td->tokensLock);
+    count = 0;
+    for (tp = tokens; *tp; tp++) {
+        NSSSlot * slot = nssToken_GetSlot(*tp);
+        if (!PK11_IsDisabled(slot->pk11slot)) {
+            slots[count++] = slot;
+        } else {
+	    nssSlot_Destroy(slot);
+	}
+    }
+    nss_ZFreeIf(tokens);
+    if (!count) {
+	nss_ZFreeIf(slots);
+    	slots = NULL;
+    }
+    return slots;
+}
+
+/* XXX */
+static nssSession *
+nssTrustDomain_GetSessionForToken (
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    return nssToken_GetDefaultSession(token);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_SetDefaultCallback (
+  NSSTrustDomain *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+)
+{
+    if (oldCallbackOpt) {
+	*oldCallbackOpt = td->defaultCallback;
+    }
+    td->defaultCallback = newCallback;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSCallback *
+nssTrustDomain_GetDefaultCallback (
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+)
+{
+    if (statusOpt) {
+	*statusOpt = PR_SUCCESS;
+    }
+    return td->defaultCallback;
+}
+
+NSS_IMPLEMENT NSSCallback *
+NSSTrustDomain_GetDefaultCallback (
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+)
+{
+    return nssTrustDomain_GetDefaultCallback(td, statusOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_LoadModule (
+  NSSTrustDomain *td,
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+)
+{
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_DisableToken (
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError why
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_EnableToken (
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_IsTokenEnabled (
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError *whyOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSTrustDomain_FindSlotByName (
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenByName (
+  NSSTrustDomain *td,
+  NSSUTF8 *tokenName
+)
+{
+    PRStatus nssrv;
+    NSSUTF8 *myName;
+    NSSToken *tok = NULL;
+    NSSRWLock_LockRead(td->tokensLock);
+    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+         tok != (NSSToken *)NULL;
+         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_IsPresent(tok)) {
+	    myName = nssToken_GetName(tok);
+	    if (nssUTF8_Equal(tokenName, myName, &nssrv)) break;
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    NSSRWLock_UnlockRead(td->tokensLock);
+    return tok;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenBySlotName (
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenForAlgorithm (
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindBestTokenForAlgorithms (
+  NSSTrustDomain *td,
+  NSSOID *algorithms[], /* may be null-terminated */
+  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Login (
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Logout (
+  NSSTrustDomain *td
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportCertificate (
+  NSSTrustDomain *td,
+  NSSCertificate *c
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportPKIXCertificate (
+  NSSTrustDomain *td,
+  /* declared as a struct until these "data types" are defined */
+  struct NSSPKIXCertificateStr *pc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportEncodedCertificate (
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_ImportEncodedCertificateChain (
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSTrustDomain_ImportEncodedPrivateKey (
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSItem *passwordOpt, /* NULL will cause a callback */
+  NSSCallback *uhhOpt,
+  NSSToken *destination
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSTrustDomain_ImportEncodedPublicKey (
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+static NSSCertificate **
+get_certs_from_list(nssList *list)
+{
+    PRUint32 count = nssList_Count(list);
+    NSSCertificate **certs = NULL;
+    if (count > 0) {
+	certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
+	if (certs) {
+	    nssList_GetArray(list, (void **)certs, count);
+	}
+    }
+    return certs;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_FindCertificatesByNickname (
+  NSSTrustDomain *td,
+  const NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSToken *token = NULL;
+    NSSSlot **slots = NULL;
+    NSSSlot **slotp;
+    NSSCertificate **rvCerts = NULL;
+    nssPKIObjectCollection *collection = NULL;
+    nssUpdateLevel updateLevel;
+    nssList *nameList;
+    PRUint32 numRemaining = maximumOpt;
+    PRUint32 collectionCount = 0;
+    PRUint32 errors = 0;
+
+    /* First, grab from the cache */
+    nameList = nssList_Create(NULL, PR_FALSE);
+    if (!nameList) {
+	return NULL;
+    }
+    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, name, nameList);
+    rvCerts = get_certs_from_list(nameList);
+    /* initialize the collection of token certificates with the set of
+     * cached certs (if any).
+     */
+    collection = nssCertificateCollection_Create(td, rvCerts);
+    nssCertificateArray_Destroy(rvCerts);
+    nssList_Destroy(nameList);
+    if (!collection) {
+	return (NSSCertificate **)NULL;
+    }
+    /* obtain the current set of active slots in the trust domain */
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (!slots) {
+	goto loser;
+    }
+    /* iterate over the slots */
+    for (slotp = slots; *slotp; slotp++) {
+	token = nssSlot_GetToken(*slotp);
+	if (token) {
+	    nssSession *session;
+	    nssCryptokiObject **instances = NULL;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	    PRStatus status = PR_FAILURE;
+
+	    session = nssTrustDomain_GetSessionForToken(td, token);
+	    if (session) {
+		instances = nssToken_FindCertificatesByNickname(token,
+								session,
+								name,
+								tokenOnly,
+								numRemaining,
+								&status);
+	    }
+	    nssToken_Destroy(token);
+	    if (status != PR_SUCCESS) {
+		errors++;
+		continue;
+	    }
+	    if (instances) {
+		status = nssPKIObjectCollection_AddInstances(collection, 
+		                                             instances, 0);
+		nss_ZFreeIf(instances);
+		if (status != PR_SUCCESS) {
+		    errors++;
+		    continue;
+		}
+		collectionCount = nssPKIObjectCollection_Count(collection);
+		if (maximumOpt > 0) {
+		    if (collectionCount >= maximumOpt)
+		    	break;
+		    numRemaining = maximumOpt - collectionCount;
+		}
+	    }
+	}
+    }
+    if (!collectionCount && errors)
+    	goto loser;
+    /* Grab the certs collected in the search. */
+    rvCerts = nssPKIObjectCollection_GetCertificates(collection,
+                                                     rvOpt, maximumOpt,
+                                                     arenaOpt);
+    /* clean up */
+    nssPKIObjectCollection_Destroy(collection);
+    nssSlotArray_Destroy(slots);
+    return rvCerts;
+loser:
+    if (slots) {
+	nssSlotArray_Destroy(slots);
+    }
+    if (collection) {
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    return (NSSCertificate **)NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByNickname (
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    return nssTrustDomain_FindCertificatesByNickname(td,
+                                                     name,
+                                                     rvOpt,
+                                                     maximumOpt,
+                                                     arenaOpt);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_FindBestCertificateByNickname (
+  NSSTrustDomain *td,
+  const NSSUTF8 *name,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    NSSCertificate **nicknameCerts;
+    NSSCertificate *rvCert = NULL;
+    nicknameCerts = nssTrustDomain_FindCertificatesByNickname(td, name,
+                                                              NULL,
+                                                              0,
+                                                              NULL);
+    if (nicknameCerts) {
+	rvCert = nssCertificateArray_FindBestCertificate(nicknameCerts,
+                                                         timeOpt,
+                                                         usage,
+                                                         policiesOpt);
+	nssCertificateArray_Destroy(nicknameCerts);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNickname (
+  NSSTrustDomain *td,
+  const NSSUTF8 *name,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    return nssTrustDomain_FindBestCertificateByNickname(td,
+                                                        name,
+                                                        timeOpt,
+                                                        usage,
+                                                        policiesOpt);
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_FindCertificatesBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSToken *token = NULL;
+    NSSSlot **slots = NULL;
+    NSSSlot **slotp;
+    NSSCertificate **rvCerts = NULL;
+    nssPKIObjectCollection *collection = NULL;
+    nssUpdateLevel updateLevel;
+    nssList *subjectList;
+    PRUint32 numRemaining = maximumOpt;
+    PRUint32 collectionCount = 0;
+    PRUint32 errors = 0;
+
+    /* look in cache */
+    subjectList = nssList_Create(NULL, PR_FALSE);
+    if (!subjectList) {
+	return NULL;
+    }
+    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, subject, subjectList);
+    rvCerts = get_certs_from_list(subjectList);
+    collection = nssCertificateCollection_Create(td, rvCerts);
+    nssCertificateArray_Destroy(rvCerts);
+    nssList_Destroy(subjectList);
+    if (!collection) {
+	return (NSSCertificate **)NULL;
+    }
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (!slots) {
+	goto loser;
+    }
+    for (slotp = slots; *slotp; slotp++) {
+	token = nssSlot_GetToken(*slotp);
+	if (token) {
+	    nssSession *session;
+	    nssCryptokiObject **instances = NULL;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	    PRStatus status = PR_FAILURE;
+
+	    session = nssTrustDomain_GetSessionForToken(td, token);
+	    if (session) {
+		instances = nssToken_FindCertificatesBySubject(token,
+							       session,
+							       subject,
+							       tokenOnly,
+							       numRemaining,
+							       &status);
+	    }
+	    nssToken_Destroy(token);
+	    if (status != PR_SUCCESS) {
+		errors++;
+		continue;
+	    }
+	    if (instances) {
+		status = nssPKIObjectCollection_AddInstances(collection, 
+		                                             instances, 0);
+		nss_ZFreeIf(instances);
+		if (status != PR_SUCCESS) {
+		    errors++;
+		    continue;
+		}
+		collectionCount = nssPKIObjectCollection_Count(collection);
+		if (maximumOpt > 0) {
+		    if (collectionCount >= maximumOpt)
+		    	break;
+		    numRemaining = maximumOpt - collectionCount;
+		}
+	    }
+	}
+    }
+    if (!collectionCount && errors)
+    	goto loser;
+    rvCerts = nssPKIObjectCollection_GetCertificates(collection,
+                                                     rvOpt, maximumOpt,
+                                                     arenaOpt);
+    nssPKIObjectCollection_Destroy(collection);
+    nssSlotArray_Destroy(slots);
+    return rvCerts;
+loser:
+    if (slots) {
+	nssSlotArray_Destroy(slots);
+    }
+    if (collection) {
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    return (NSSCertificate **)NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    return nssTrustDomain_FindCertificatesBySubject(td, 
+                                                    subject,
+                                                    rvOpt,
+                                                    maximumOpt,
+                                                    arenaOpt);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_FindBestCertificateBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    NSSCertificate **subjectCerts;
+    NSSCertificate *rvCert = NULL;
+    subjectCerts = nssTrustDomain_FindCertificatesBySubject(td, subject,
+                                                            NULL,
+                                                            0,
+                                                            NULL);
+    if (subjectCerts) {
+	rvCert = nssCertificateArray_FindBestCertificate(subjectCerts,
+                                                         timeOpt,
+                                                         usage,
+                                                         policiesOpt);
+	nssCertificateArray_Destroy(subjectCerts);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    return nssTrustDomain_FindBestCertificateBySubject(td,
+                                                       subject,
+                                                       timeOpt,
+                                                       usage,
+                                                       policiesOpt);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNameComponents (
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByNameComponents (
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+/* This returns at most a single certificate, so it can stop the loop
+ * when one is found.
+ */
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_FindCertificateByIssuerAndSerialNumber (
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    NSSSlot **slots = NULL;
+    NSSSlot **slotp;
+    NSSCertificate *rvCert = NULL;
+    nssPKIObjectCollection *collection = NULL;
+    nssUpdateLevel updateLevel;
+
+    /* see if this search is already cached */
+    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td,
+                                                           issuer, 
+                                                           serial);
+    if (rvCert) {
+	return rvCert;
+    }
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (slots) {
+	for (slotp = slots; *slotp; slotp++) {
+	    NSSToken *token = nssSlot_GetToken(*slotp);
+	    nssSession *session;
+	    nssCryptokiObject *instance;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	    PRStatus status = PR_FAILURE;
+
+	    if (!token) 
+		continue;
+	    session = nssTrustDomain_GetSessionForToken(td, token);
+	    if (session) {
+		instance = nssToken_FindCertificateByIssuerAndSerialNumber(
+								    token,
+								    session,
+								    issuer,
+								    serial,
+								    tokenOnly,
+								    &status);
+	    }
+	    nssToken_Destroy(token);
+	    if (status != PR_SUCCESS) {
+		continue;
+	    }
+	    if (instance) {
+		if (!collection) {
+		    collection = nssCertificateCollection_Create(td, NULL);
+		    if (!collection) {
+			break;  /* don't keep looping if out if memory */
+		    }
+		}
+		status = nssPKIObjectCollection_AddInstances(collection, 
+							     &instance, 1);
+		if (status == PR_SUCCESS) {
+		    (void)nssPKIObjectCollection_GetCertificates(
+					     collection, &rvCert, 1, NULL);
+		}
+		if (rvCert) {
+		    break; /* found one cert, all done */
+		}
+	    }
+	}
+    }
+    if (collection) {
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    if (slots) {
+	nssSlotArray_Destroy(slots);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByIssuerAndSerialNumber (
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    return nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
+                                                                 issuer,
+                                                                 serial);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_FindCertificateByEncodedCertificate (
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    PRStatus status;
+    NSSCertificate *rvCert = NULL;
+    NSSDER issuer = { 0 };
+    NSSDER serial = { 0 };
+    NSSArena *arena = nssArena_Create();
+    if (!arena) {
+	return (NSSCertificate *)NULL;
+    }
+    /* XXX this is not generic...  will any cert crack into issuer/serial? */
+    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, arena, &issuer, &serial);
+    if (status != PR_SUCCESS) {
+	goto finish;
+    }
+    rvCert = nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
+                                                                   &issuer,
+                                                                   &serial);
+finish:
+    nssArena_Destroy(arena);
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByEncodedCertificate (
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    return nssTrustDomain_FindCertificateByEncodedCertificate(td, ber);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateByEmail (
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    return 0;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByEmail (
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByOCSPHash (
+  NSSTrustDomain *td,
+  NSSItem *hash
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificate (
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificates (
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForSSLClientAuth (
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForSSLClientAuth (
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForEmailSigning (
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForEmailSigning (
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+static PRStatus
+collector(nssCryptokiObject *instance, void *arg)
+{
+    nssPKIObjectCollection *collection = (nssPKIObjectCollection *)arg;
+    return nssPKIObjectCollection_AddInstanceAsObject(collection, instance);
+}
+
+NSS_IMPLEMENT PRStatus *
+NSSTrustDomain_TraverseCertificates (
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus status = PR_FAILURE;
+    NSSToken *token = NULL;
+    NSSSlot **slots = NULL;
+    NSSSlot **slotp;
+    nssPKIObjectCollection *collection = NULL;
+    nssPKIObjectCallback pkiCallback;
+    nssUpdateLevel updateLevel;
+    NSSCertificate **cached = NULL;
+    nssList *certList;
+
+    certList = nssList_Create(NULL, PR_FALSE);
+    if (!certList) 
+    	return NULL;
+    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    cached = get_certs_from_list(certList);
+    collection = nssCertificateCollection_Create(td, cached);
+    nssCertificateArray_Destroy(cached);
+    nssList_Destroy(certList);
+    if (!collection) {
+	return (PRStatus *)NULL;
+    }
+    /* obtain the current set of active slots in the trust domain */
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (!slots) {
+	goto loser;
+    }
+    /* iterate over the slots */
+    for (slotp = slots; *slotp; slotp++) {
+	/* get the token for the slot, if present */
+	token = nssSlot_GetToken(*slotp);
+	if (token) {
+	    nssSession *session;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+	    /* get a session for the token */
+	    session = nssTrustDomain_GetSessionForToken(td, token);
+	    if (session) {
+		/* perform the traversal */
+		status = nssToken_TraverseCertificates(token,
+						       session,
+						       tokenOnly,
+						       collector,
+						       collection);
+	    }
+	    nssToken_Destroy(token);
+	}
+    }
+
+    /* Traverse the collection */
+    pkiCallback.func.cert = callback;
+    pkiCallback.arg = arg;
+    status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
+loser:
+    if (slots) {
+	nssSlotArray_Destroy(slots);
+    }
+    if (collection) {
+	nssPKIObjectCollection_Destroy(collection);
+    }
+    return NULL;
+}
+
+
+NSS_IMPLEMENT NSSTrust *
+nssTrustDomain_FindTrustForCertificate (
+  NSSTrustDomain *td,
+  NSSCertificate *c
+)
+{
+    NSSSlot **slots;
+    NSSSlot **slotp;
+    nssCryptokiObject *to = NULL;
+    nssPKIObject *pkio = NULL;
+    NSSTrust *rvt = NULL;
+    nssUpdateLevel updateLevel;
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (!slots) {
+	return (NSSTrust *)NULL;
+    }
+    for (slotp = slots; *slotp; slotp++) {
+	NSSToken *token = nssSlot_GetToken(*slotp);
+
+	if (token) {
+	    to = nssToken_FindTrustForCertificate(token, NULL, 
+	                                          &c->encoding,
+	                                          &c->issuer,
+	                                          &c->serial,
+	                                      nssTokenSearchType_TokenOnly);
+	    if (to) {
+		PRStatus status;
+		if (!pkio) {
+		    pkio = nssPKIObject_Create(NULL, to, td, NULL, nssPKILock);
+		    status = pkio ? PR_SUCCESS : PR_FAILURE;
+		} else {
+		    status = nssPKIObject_AddInstance(pkio, to);
+		}
+		if (status != PR_SUCCESS) {
+		    nssCryptokiObject_Destroy(to);
+		}
+	    }
+	    nssToken_Destroy(token);
+	}
+    }
+    if (pkio) {
+	rvt = nssTrust_Create(pkio, &c->encoding);
+	if (rvt) {
+	    pkio = NULL;  /* rvt object now owns the pkio reference */
+	}
+    }
+    nssSlotArray_Destroy(slots);
+    if (pkio) {
+	nssPKIObject_Destroy(pkio);
+    }
+    return rvt;
+}
+
+NSS_IMPLEMENT NSSCRL **
+nssTrustDomain_FindCRLsBySubject (
+  NSSTrustDomain *td,
+  NSSDER *subject
+)
+{
+    NSSSlot **slots;
+    NSSSlot **slotp;
+    NSSToken *token;
+    nssUpdateLevel updateLevel;
+    nssPKIObjectCollection *collection;
+    NSSCRL **rvCRLs = NULL;
+    collection = nssCRLCollection_Create(td, NULL);
+    if (!collection) {
+	return (NSSCRL **)NULL;
+    }
+    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
+    if (!slots) {
+	goto loser;
+    }
+    for (slotp = slots; *slotp; slotp++) {
+	token = nssSlot_GetToken(*slotp);
+	if (token) {
+	    PRStatus status = PR_FAILURE;
+	    nssSession *session;
+	    nssCryptokiObject **instances = NULL;
+	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+
+	    /* get a session for the token */
+	    session = nssTrustDomain_GetSessionForToken(td, token);
+	    if (session) {
+		/* perform the traversal */
+		instances = nssToken_FindCRLsBySubject(token, session, subject,
+	                                               tokenOnly, 0, &status);
+	    }
+	    nssToken_Destroy(token);
+	    if (status == PR_SUCCESS) {
+		/* add the found CRL's to the collection */
+		status = nssPKIObjectCollection_AddInstances(collection, 
+							     instances, 0);
+	    }
+	    nss_ZFreeIf(instances);
+	}
+    }
+    rvCRLs = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
+loser:
+    nssPKIObjectCollection_Destroy(collection);
+    nssSlotArray_Destroy(slots);
+    return rvCRLs;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_GenerateKeyPair (
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKey (
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKeyFromPassword (
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID (
+  NSSTrustDomain *td,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+nssTrustDomain_CreateCryptoContext (
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    return nssCryptoContext_Create(td, uhhOpt);
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContext (
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    return nssTrustDomain_CreateCryptoContext(td, uhhOpt);
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithm (
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters (
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki1/Makefile b/security/nss/lib/pki1/Makefile
new file mode 100644
index 000000000..04b47dca0
--- /dev/null
+++ b/security/nss/lib/pki1/Makefile
@@ -0,0 +1,50 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate oiddata.h and oiddata.c.
+oidgen: oidgen.perl oids.txt
+	rm -f oiddata.c oiddata.h
+	$(PERL) oidgen.perl oiddata.c oiddata.h oids.txt
+
+export::  private_export 
+
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
new file mode 100644
index 000000000..ca59d764f
--- /dev/null
+++ b/security/nss/lib/pki1/atav.c
@@ -0,0 +1,1824 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * atav.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * AttributeTypeAndValue.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * AttributeTypeAndValue
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type            ATTRIBUTE.&id ({SupportedAttributes}),
+ *          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type})}
+ *  
+ *  -- ATTRIBUTE information object class specification
+ *  --  Note: This has been greatly simplified for PKIX !!
+ *  
+ *  ATTRIBUTE               ::=     CLASS {
+ *          &Type,
+ *          &id                     OBJECT IDENTIFIER UNIQUE }
+ *  WITH SYNTAX {
+ *          WITH SYNTAX &Type ID &id }
+ *  
+ * What this means is that the "type" of the value is determined by
+ * the value of the oid.  If we hide the structure, our accessors
+ * can (at least in debug builds) assert value semantics beyond what
+ * the compiler can provide.  Since these things are only used in
+ * RelativeDistinguishedNames, and since RDNs always contain a SET
+ * of these things, we don't lose anything by hiding the structure
+ * (and its size).
+ */
+
+struct NSSATAVStr {
+  NSSBER ber;
+  const NSSOID *oid;
+  NSSUTF8 *value;
+  nssStringType stringForm;
+};
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromBER(arenaOpt, berATAV);
+}
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromUTF8(arenaOpt, stringATAV);
+}
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Create(arenaOpt, oid, data, length);
+}
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Destroy(atav);
+}
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetDEREncoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetUTF8Encoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetType(atav);
+}
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetValue(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Compare(atav1, atav2, equalp);
+}
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Duplicate(atav, arenaOpt);
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker atav_pointer_tracker;
+
+static PRStatus
+atav_add_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+atav_remove_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ATAV);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+typedef struct {
+  NSSBER oid;
+  NSSBER value;
+} atav_holder;
+
+static const nssASN1Template nss_atav_template[] = {
+  { nssASN1_SEQUENCE, 0, NULL, sizeof(atav_holder) },
+  { nssASN1_OBJECT_ID, nsslibc_offsetof(atav_holder, oid), NULL, 0 },
+  { nssASN1_ANY, nsslibc_offsetof(atav_holder, value), NULL, 0 },
+  { 0, 0, NULL, 0 }
+};
+
+/*
+ * There are several common attributes, with well-known type aliases
+ * and value semantics.  This table lists the ones we recognize.
+ */
+
+struct nss_attribute_data_str {
+  const NSSOID **oid;
+  nssStringType stringType;
+  PRUint32 minStringLength;
+  PRUint32 maxStringLength; /* zero for no limit */
+};
+
+static const struct nss_attribute_data_str nss_attribute_data[] = {
+  { &NSS_OID_X520_NAME,                     
+    nssStringType_DirectoryString, 1, 32768 },
+  { &NSS_OID_X520_COMMON_NAME,              
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_SURNAME,                  
+    nssStringType_DirectoryString, 1,    40 },
+  { &NSS_OID_X520_GIVEN_NAME,               
+    nssStringType_DirectoryString, 1,    16 },
+  { &NSS_OID_X520_INITIALS,                 
+    nssStringType_DirectoryString, 1,     5 },
+  { &NSS_OID_X520_GENERATION_QUALIFIER,     
+    nssStringType_DirectoryString, 1,     3 },
+  { &NSS_OID_X520_DN_QUALIFIER,             
+    nssStringType_PrintableString, 1,     0 },
+  { &NSS_OID_X520_COUNTRY_NAME,             
+    nssStringType_PrintableString, 2,     2 },
+  { &NSS_OID_X520_LOCALITY_NAME,            
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_STATE_OR_PROVINCE_NAME,   
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_ORGANIZATION_NAME,        
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 
+    nssStringType_DirectoryString, 1,
+    /*
+     * Note, draft #11 defines both "32" and "64" for this maximum,
+     * in two separate places.  Until it's settled, "conservative
+     * in what you send."  We're always liberal in what we accept.
+     */
+                                         32 },
+  { &NSS_OID_X520_TITLE,                    
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_RFC1274_EMAIL,                 
+    nssStringType_PHGString,       1,   128 }
+};
+
+PRUint32 nss_attribute_data_quantity = 
+  (sizeof(nss_attribute_data)/sizeof(nss_attribute_data[0]));
+
+static nssStringType
+nss_attr_underlying_string_form
+(
+  nssStringType type,
+  void *data
+)
+{
+  if( nssStringType_DirectoryString == type ) {
+    PRUint8 tag = *(PRUint8 *)data;
+    switch( tag & nssASN1_TAGNUM_MASK ) {
+    case 20:
+      /*
+       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+       * below) but is T61 a suitable value for "Latin-1"?
+       */
+      return nssStringType_TeletexString;
+    case 19:
+      return nssStringType_PrintableString;
+    case 28:
+      return nssStringType_UniversalString;
+    case 30:
+      return nssStringType_BMPString;
+    case 12:
+      return nssStringType_UTF8String;
+    default:
+      return nssStringType_Unknown;
+    }
+  }
+
+  return type;
+}
+    
+
+/*
+ * This routine decodes the attribute value, in a type-specific way.
+ *
+ */
+
+static NSSUTF8 *
+nss_attr_to_utf8
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  NSSItem *item,
+  nssStringType *stringForm
+)
+{
+  NSSUTF8 *rv = (NSSUTF8 *)NULL;
+  PRUint32 i;
+  const struct nss_attribute_data_str *which = 
+    (struct nss_attribute_data_str *)NULL;
+  PRUint32 len = 0;
+
+  for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+    if( *(nss_attribute_data[ i ].oid) == oid ) {
+      which = &nss_attribute_data[i];
+      break;
+    }
+  }
+
+  if( (struct nss_attribute_data_str *)NULL == which ) {
+    /* Unknown OID.  Encode it as hex. */
+    PRUint8 *c;
+    PRUint8 *d = (PRUint8 *)item->data;
+    PRUint32 amt = item->size;
+
+    if( item->size >= 0x7FFFFFFF ) {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSUTF8 *)NULL;
+    }
+
+    len = 1 + (item->size * 2) + 1; /* '#' + hex + '\0' */
+    rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    c = (PRUint8 *)rv;
+    *c++ = '#'; /* XXX fgmr check this */
+    while( amt > 0 ) {
+      static char hex[16] = "0123456789ABCDEF";
+      *c++ = hex[ ((*d) & 0xf0) >> 4 ];
+      *c++ = hex[ ((*d) & 0x0f)      ];
+    }
+
+    /* *c = '\0'; nss_ZAlloc, remember */
+
+    *stringForm = nssStringType_Unknown; /* force exact comparison */
+  } else {
+    PRStatus status;
+    rv = nssUTF8_CreateFromBER(arenaOpt, which->stringType, 
+                               (NSSBER *)item);
+
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    len = nssUTF8_Length(rv, &status);
+    if( PR_SUCCESS != status || len == 0 ) {
+      nss_ZFreeIf(rv);
+      return (NSSUTF8 *)NULL;
+    }
+
+    *stringForm = nss_attr_underlying_string_form(which->stringType,
+                                                  item->data);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+)
+{
+  atav_holder holder;
+  PRStatus status;
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  status = nssASN1_DecodeBER(arenaOpt, &holder, 
+                             nss_atav_template, berATAV);
+  if( PR_SUCCESS != status ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = nssOID_CreateFromBER(&holder.oid);
+  if( (NSSOID *)NULL == rv->oid ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.oid.data);
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, berATAV->size);
+  if( (void *)NULL == rv->ber.data ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = berATAV->size;
+  (void)nsslibc_memcpy(rv->ber.data, berATAV->data, berATAV->size);
+
+  rv->value = nss_attr_to_utf8(arenaOpt, rv->oid, &holder.value,
+                               &rv->stringForm);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.value.data);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_add_pointer(rv) ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv->value);
+    nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+static PRBool
+nss_atav_utf8_string_is_hex
+(
+  const NSSUTF8 *s
+)
+{
+  /* All hex digits are ASCII, so this works */
+  PRUint8 *p = (PRUint8 *)s;
+
+  for( ; (PRUint8)0 != *p; p++ ) {
+    if( (('0' <= *p) && (*p <= '9')) ||
+        (('A' <= *p) && (*p <= 'F')) ||
+        (('a' <= *p) && (*p <= 'f')) ) {
+      continue;
+    } else {
+      return PR_FALSE;
+    }
+  }
+
+  return PR_TRUE;
+}
+
+static NSSUTF8
+nss_atav_fromhex
+(
+  NSSUTF8 *d
+)
+{
+  NSSUTF8 rv;
+
+  if( d[0] <= '9' ) {
+    rv = (d[0] - '0') * 16;
+  } else if( d[0] >= 'a' ) {
+    rv = (d[0] - 'a' + 10) * 16;
+  } else {
+    rv = (d[0] - 'A' + 10);
+  }
+
+  if( d[1] <= '9' ) {
+    rv += (d[1] - '0');
+  } else if( d[1] >= 'a' ) {
+    rv += (d[1] - 'a' + 10);
+  } else {
+    rv += (d[1] - 'A' + 10);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+)
+{
+  char *c;
+  NSSUTF8 *type;
+  NSSUTF8 *value;
+  PRUint32 i;
+  const NSSOID *oid = (NSSOID *)NULL;
+  NSSATAV *rv;
+  NSSItem xitem;
+
+  xitem.data = (void *)NULL;
+
+  for( c = (char *)stringATAV; '\0' != *c; c++ ) {
+    if( '=' == *c ) {
+#ifdef PEDANTIC
+      /*
+       * Theoretically, one could have an '=' in an 
+       * attribute string alias.  We don't, yet, though.
+       */
+      if( (char *)stringATAV == c ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        return (NSSATAV *)NULL;
+      } else {
+        if( '\\' == c[-1] ) {
+          continue;
+        }
+      }
+#endif /* PEDANTIC */
+      break;
+    }
+  }
+
+  if( '\0' == *c ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  } else {
+    c++;
+    value = (NSSUTF8 *)c;
+  }
+
+  i = ((NSSUTF8 *)c - stringATAV);
+  type = (NSSUTF8 *)nss_ZAlloc((NSSArena *)NULL, i);
+  if( (NSSUTF8 *)NULL == type ) {
+    return (NSSATAV *)NULL;
+  }
+
+  (void)nsslibc_memcpy(type, stringATAV, i-1);
+
+  c = (char *)stringATAV;
+  if( (('0' <= *c) && (*c <= '9')) || ('#' == *c) ) {
+    oid = nssOID_CreateFromUTF8(type);
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      return (NSSATAV *)NULL;
+    }
+  } else {
+    for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+      PRStatus status;
+      const nssAttributeTypeAliasTable *e = &nss_attribute_type_aliases[i];
+      PRBool match = nssUTF8_CaseIgnoreMatch(type, e->alias, &status);
+      if( PR_SUCCESS != status ) {
+        nss_ZFreeIf(type);
+        return (NSSATAV *)NULL;
+      }
+      if( PR_TRUE == match ) {
+        oid = *(e->oid);
+        break;
+      }
+    }
+
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      nss_SetError(NSS_ERROR_UNKNOWN_ATTRIBUTE);
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  nss_ZFreeIf(type);
+  type = (NSSUTF8 *)NULL;
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = oid;
+
+  if( '#' == *value ) { /* XXX fgmr.. was it '#'?  or backslash? */
+    PRUint32 size;
+    PRUint32 len;
+    NSSUTF8 *c;
+    NSSUTF8 *d;
+    PRStatus status;
+    /* It's in hex */
+
+    value++;
+    if( PR_TRUE != nss_atav_utf8_string_is_hex(value) ) {
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    size = nssUTF8_Size(value, &status);
+    if( PR_SUCCESS != status ) {
+      /* 
+       * Only returns an error on bad pointer (nope) or string
+       * too long.  The defined limits for known attributes are
+       * small enough to fit in PRUint32, and when undefined we
+       * get to apply our own practical limits.  Ergo, I say the 
+       * string is invalid.
+       */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    if( ((size-1) & 1) ) {
+      /* odd length */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    len = (size-1)/2;
+
+    rv->value = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    xitem.size = len;
+    xitem.data = (void *)rv->value;
+
+    for( c = rv->value, d = value; len--; c++, d += 2 ) {
+      *c = nss_atav_fromhex(d);
+    }
+
+    *c = 0;
+  } else {
+    PRStatus status;
+    PRUint32 i, len;
+    PRUint8 *s;
+
+    /*
+     * XXX fgmr-- okay, this is a little wasteful, and should
+     * probably be abstracted out a bit.  Later.
+     */
+
+    rv->value = nssUTF8_Duplicate(value, arenaOpt);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    len = nssUTF8_Size(rv->value, &status);
+    if( PR_SUCCESS != status ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    s = (PRUint8 *)rv->value;
+    for( i = 0; i < len; i++ ) {
+      if( '\\' == s[i] ) {
+        (void)nsslibc_memcpy(&s[i], &s[i+1], len-i-1);
+      }
+    }
+  }
+
+  /* Now just BER-encode the baby and we're through.. */
+  {
+    const struct nss_attribute_data_str *which = 
+      (struct nss_attribute_data_str *)NULL;
+    PRUint32 i;
+    NSSArena *a;
+    NSSDER *oidder;
+    NSSItem *vitem;
+    atav_holder ah;
+    NSSDER *status;
+
+    for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+      if( *(nss_attribute_data[ i ].oid) == rv->oid ) {
+        which = &nss_attribute_data[i];
+        break;
+      }
+    }
+
+    a = NSSArena_Create();
+    if( (NSSArena *)NULL == a ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    oidder = nssOID_GetDEREncoding(rv->oid, (NSSDER *)NULL, a);
+    if( (NSSDER *)NULL == oidder ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    if( (struct nss_attribute_data_str *)NULL == which ) {
+      /*
+       * We'll just have to take the user data as an octet stream.
+       */
+      if( (void *)NULL == xitem.data ) {
+        /*
+         * This means that an ATTR entry has been added to oids.txt,
+         * but no corresponding entry has been added to the array
+         * ns_attribute_data[] above.
+         */
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssASN1_EncodeItem(a, (NSSDER *)NULL, &xitem, 
+                                 nssASN1Template_OctetString, NSSASN1DER);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      rv->stringForm = nssStringType_Unknown;
+    } else {
+      PRUint32 length = 0;
+      PRStatus stat;
+      
+      length = nssUTF8_Length(rv->value, &stat);
+      if( PR_SUCCESS != stat ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( ((0 != which->minStringLength) && 
+           (length < which->minStringLength)) ||
+          ((0 != which->maxStringLength) &&
+           (length > which->maxStringLength)) ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssUTF8_GetDEREncoding(a, which->stringType, rv->value);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( nssStringType_DirectoryString == which->stringType ) {
+        rv->stringForm = nssStringType_UTF8String;
+      } else {
+        rv->stringForm = which->stringType;
+      }
+    }
+
+    ah.oid = *oidder;
+    ah.value = *vitem;
+
+    status = nssASN1_EncodeItem(arenaOpt, &rv->ber, &ah, 
+                                nss_atav_template, NSSASN1DER);
+
+    if( (NSSDER *)NULL == status ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    (void)NSSArena_Destroy(a);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /* XXX fgmr-- oops, forgot this one */
+  return (NSSATAV *)NULL;
+}
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nss_ZFreeIf(atav->ber.data);
+  (void)nss_ZFreeIf(atav->value);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_remove_pointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSDER *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSDER);
+  if( (NSSDER *)NULL == rv ) {
+    return (NSSDER *)NULL;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = atav->ber.size;
+  if( NULL == nsslibc_memcpy(rv->data, atav->ber.data, rv->size) ) {
+    (void)nss_ZFreeIf(rv->data);
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 i;
+  const NSSUTF8 *alias = (NSSUTF8 *)NULL;
+  NSSUTF8 *oid;
+  NSSUTF8 *value;
+  PRUint32 oidlen;
+  PRUint32 valuelen;
+  PRUint32 totallen;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+    if( *(nss_attribute_type_aliases[i].oid) == atav->oid ) {
+      alias = nss_attribute_type_aliases[i].alias;
+      break;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    oid = nssOID_GetUTF8Encoding(atav->oid, (NSSArena *)NULL);
+    if( (NSSUTF8 *)NULL == oid ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    oidlen = nssUTF8_Size(oid, &status);
+    if( PR_SUCCESS != status ) {
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    oidlen = nssUTF8_Size(alias, &status);
+    if( PR_SUCCESS != status ) {
+      return (NSSUTF8 *)NULL;
+    }
+    oid = (NSSUTF8 *)NULL;
+  }
+
+  value = nssATAV_GetValue(atav, (NSSArena *)NULL);
+  if( (NSSUTF8 *)NULL == value ) {
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  valuelen = nssUTF8_Size(value, &status);
+  if( PR_SUCCESS != status ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  totallen = oidlen + valuelen - 1 + 1;
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, totallen);
+  if( (NSSUTF8 *)NULL == rv ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    if( (void *)NULL == nsslibc_memcpy(rv, oid, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    if( (void *)NULL == nsslibc_memcpy(rv, alias, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  rv[ oidlen-1 ] = '=';
+
+  if( (void *)NULL == nsslibc_memcpy(&rv[oidlen], value, valuelen) ) {
+    (void)nss_ZFreeIf(rv);
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  A valid NSSOID pointer upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return atav->oid;
+}
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a NSSUTF8 string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return nssUTF8_Duplicate(atav->value, arenaOpt);
+}
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nssStringType comparison;
+  PRUint32 len1;
+  PRUint32 len2;
+  PRStatus status;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( atav1->oid != atav2->oid ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  if( atav1->stringForm != atav2->stringForm ) {
+    if( (nssStringType_PrintableString == atav1->stringForm) ||
+        (nssStringType_PrintableString == atav2->stringForm) ) {
+      comparison = nssStringType_PrintableString;
+    } else if( (nssStringType_PHGString == atav1->stringForm) ||
+               (nssStringType_PHGString == atav2->stringForm) ) {
+      comparison = nssStringType_PHGString;
+    } else {
+      comparison = atav1->stringForm;
+    }
+  } else {
+    comparison = atav1->stringForm;
+  }
+
+  switch( comparison ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  case nssStringType_TeletexString:
+    break;
+  case nssStringType_PrintableString:
+    *equalp = nssUTF8_PrintableMatch(atav1->value, atav2->value, &status);
+    return status;
+    /* Case-insensitive, with whitespace reduction */
+    break;
+  case nssStringType_UniversalString:
+    break;
+  case nssStringType_BMPString:
+    break;
+  case nssStringType_GeneralString:
+    /* what to do here? */
+    break;
+  case nssStringType_UTF8String:
+    break;
+  case nssStringType_PHGString:
+    /* Case-insensitive (XXX fgmr, actually see draft-11 pg. 21) */
+    *equalp = nssUTF8_CaseIgnoreMatch(atav1->value, atav2->value, &status);
+    return status;
+  case nssStringType_Unknown:
+    break;
+  }
+  
+  len1 = nssUTF8_Size(atav1->value, &status);
+  if( PR_SUCCESS != status ) {
+    return PR_FAILURE;
+  }
+
+  len2 = nssUTF8_Size(atav2->value, &status);
+  if( PR_SUCCESS != status ) {
+    return PR_FAILURE;
+  }
+
+  if( len1 != len2 ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  *equalp = nsslibc_memequal(atav1->value, atav2->value, len1, &status);
+  return status;
+}
+
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = atav->oid;
+  rv->stringForm = atav->stringForm;
+  rv->value = nssUTF8_Duplicate(atav->value, arenaOpt);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->ber.data ) {
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = atav->ber.size;
+  if( NULL == nsslibc_memcpy(rv->ber.data, atav->ber.data, 
+                                   atav->ber.size) ) {
+    (void)nss_ZFreeIf(rv->ber.data);
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/pki1/config.mk b/security/nss/lib/pki1/config.mk
new file mode 100644
index 000000000..3f8d47e04
--- /dev/null
+++ b/security/nss/lib/pki1/config.mk
@@ -0,0 +1,51 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = 
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
diff --git a/security/nss/lib/pki1/genname.c b/security/nss/lib/pki1/genname.c
new file mode 100644
index 000000000..1ef37a3f0
--- /dev/null
+++ b/security/nss/lib/pki1/genname.c
@@ -0,0 +1,97 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * genname.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralName ::= CHOICE {
+ *          otherName                   [0] INSTANCE OF OTHER-NAME,
+ *          rfc822Name                  [1] IA5String,
+ *          dNSName                     [2] IA5String,
+ *          x400Address                 [3] ORAddress,
+ *          directoryName               [4] Name,
+ *          ediPartyName                [5] EDIPartyName,
+ *          uniformResourceIdentifier   [6] IA5String,
+ *          iPAddress                   [7] OCTET STRING,
+ *          registeredID                [8] OBJECT IDENTIFIER }
+ *  
+ *  OTHER-NAME ::= TYPE-IDENTIFIER
+ *  
+ *  EDIPartyName ::= SEQUENCE {
+ *          nameAssigner        [0] DirectoryString {ub-name} OPTIONAL,
+ *          partyName           [1] DirectoryString {ub-name} }
+ *
+ */
+
+struct nssGeneralNameStr {
+  NSSGeneralNameChoice choice;
+  union {
+    /* OTHER-NAME otherName */
+    NSSUTF8 *rfc822Name;
+    NSSUTF8 *dNSName;
+    /* ORAddress x400Address */
+    NSSName *directoryName;
+    /* EDIPartyName ediPartyName */
+    NSSUTF8 *uniformResourceIdentifier;
+    NSSItem *iPAddress;
+    NSSOID *registeredID;
+  } u;
+};
diff --git a/security/nss/lib/pki1/gnseq.c b/security/nss/lib/pki1/gnseq.c
new file mode 100644
index 000000000..20bfd9c65
--- /dev/null
+++ b/security/nss/lib/pki1/gnseq.c
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * gnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralNames (note the ending 's').
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralNames (or, as we call it, GeneralNameSeq)
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * A GeneralNames is simply an (ordered) sequence of General Names.
+ * The seqSize variable is  "helper" kept for simplicity.
+ */
+
+struct nssGeneralNameSeqStr {
+  PRUint32 seqSize;
+  NSSGeneralName **generalNames;
+};
diff --git a/security/nss/lib/pki1/manifest.mn b/security/nss/lib/pki1/manifest.mn
new file mode 100644
index 000000000..c2eeb32c8
--- /dev/null
+++ b/security/nss/lib/pki1/manifest.mn
@@ -0,0 +1,72 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../..
+
+# In 4.0, move nss*.h back to EXPORTS
+PRIVATE_EXPORTS = \
+	oiddata.h \
+	pki1.h	  \
+	pki1t.h	  \
+	nsspki1.h  \
+	nsspki1t.h \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = nss
+
+CSRCS = $(NULL)
+xCSRCS =	  \
+	atav.c	  \
+	genname.c \
+	gnseq.c	  \
+	name.c	  \
+	oid.c	  \
+	oiddata.c \
+	rdn.c	  \
+	rdnseq.c  \
+	$(NULL)
+
+REQUIRES = nspr
+
+#LIBRARY_NAME = pki1
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/pki1/name.c b/security/nss/lib/pki1/name.c
new file mode 100644
index 000000000..9e255d5d7
--- /dev/null
+++ b/security/nss/lib/pki1/name.c
@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * name.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * Name.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * Name
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  -- naming data types --
+ *  
+ *  Name            ::=     CHOICE { -- only one possibility for now --
+ *                                          rdnSequence  RDNSequence }
+ *
+ * A name is basically a union of the possible names.  At the moment,
+ * there is only one type of name: an RDNSequence.
+ */
+
+struct nssNameStr {
+  PRUint32 tagPlaceHolder;
+  union {
+    NSSRDNSeq *rdnSequence;
+  } n;
+};
+
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
new file mode 100644
index 000000000..117a48dba
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1.h
@@ -0,0 +1,2872 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSPKI1_H
+#define NSSPKI1_H
+
+#ifdef DEBUG
+static const char NSSPKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1.h
+ *
+ * This file contains the prototypes of the public NSS routines 
+ * dealing with the PKIX part-1 definitions.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+#ifndef OIDDATA_H
+#include "oiddata.h"
+#endif /* OIDDATA_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+ */
+
+extern const NSSOID *NSS_OID_UNKNOWN;
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *derATAV
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+);
+
+extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns an NSSItem containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSRDN
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDN_CreateFromBER   -- constructor
+ *  NSSRDN_CreateFromUTF8  -- constructor
+ *  NSSRDN_Create          -- constructor
+ *  NSSRDN_CreateSimple    -- constructor
+ *
+ *  NSSRDN_Destroy
+ *  NSSRDN_GetDEREncoding
+ *  NSSRDN_GetUTF8Encoding
+ *  NSSRDN_AddATAV
+ *  NSSRDN_GetATAVCount
+ *  NSSRDN_GetATAV
+ *  NSSRDN_GetSimpleATAV
+ *  NSSRDN_Compare
+ *  NSSRDN_Duplicate
+ */
+
+/*
+ * NSSRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * NSSRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * NSSRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * NSSRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDNSeq_CreateFromBER   -- constructor
+ *  NSSRDNSeq_CreateFromUTF8  -- constructor
+ *  NSSRDNSeq_Create          -- constructor
+ *
+ *  NSSRDNSeq_Destroy
+ *  NSSRDNSeq_GetDEREncoding
+ *  NSSRDNSeq_GetUTF8Encoding
+ *  NSSRDNSeq_AppendRDN
+ *  NSSRDNSeq_GetRDNCount
+ *  NSSRDNSeq_GetRDN
+ *  NSSRDNSeq_Compare
+ *  NSSRDNSeq_Duplicate
+ */
+
+/*
+ * NSSRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * NSSRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * NSSRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * NSSRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.  Note that the 
+ * usual string representation of RDN Sequences is from last to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSName_CreateFromBER   -- constructor
+ * NSSName_CreateFromUTF8  -- constructor
+ * NSSName_Create          -- constructor
+ *
+ * NSSName_Destroy
+ * NSSName_GetDEREncoding
+ * NSSName_GetUTF8Encoding
+ * NSSName_GetChoice
+ * NSSName_GetRDNSequence
+ * NSSName_GetSpecifiedChoice
+ * NSSName_Compare
+ * NSSName_Duplicate
+ *
+ * NSSName_GetUID
+ * NSSName_GetEmail
+ * NSSName_GetCommonName
+ * NSSName_GetOrganization
+ * NSSName_GetOrganizationalUnits
+ * NSSName_GetStateOrProvince
+ * NSSName_GetLocality
+ * NSSName_GetCountry
+ * NSSName_GetAttribute
+ */
+
+/*
+ * NSSName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have created an error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * NSSName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * NSSName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+NSSName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+NSSName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * NSSName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+NSSName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have created an 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSGeneralName_CreateFromBER   -- constructor
+ * NSSGeneralName_CreateFromUTF8  -- constructor
+ * NSSGeneralName_Create          -- constructor
+ *
+ * NSSGeneralName_Destroy
+ * NSSGeneralName_GetDEREncoding
+ * NSSGeneralName_GetUTF8Encoding
+ * NSSGeneralName_GetChoice
+ * NSSGeneralName_GetOtherName
+ * NSSGeneralName_GetRfc822Name
+ * NSSGeneralName_GetDNSName
+ * NSSGeneralName_GetX400Address
+ * NSSGeneralName_GetDirectoryName
+ * NSSGeneralName_GetEdiPartyName
+ * NSSGeneralName_GetUniformResourceIdentifier
+ * NSSGeneralName_GetIPAddress
+ * NSSGeneralName_GetRegisteredID
+ * NSSGeneralName_GetSpecifiedChoice
+ * NSSGeneralName_Compare
+ * NSSGeneralName_Duplicate
+ *
+ * NSSGeneralName_GetUID
+ * NSSGeneralName_GetEmail
+ * NSSGeneralName_GetCommonName
+ * NSSGeneralName_GetOrganization
+ * NSSGeneralName_GetOrganizationalUnits
+ * NSSGeneralName_GetStateOrProvince
+ * NSSGeneralName_GetLocality
+ * NSSGeneralName_GetCountry
+ * NSSGeneralName_GetAttribute
+ */
+
+/*
+ * NSSGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * NSSGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * NSSGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+NSSGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+NSSGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+NSSGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+NSSGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+NSSGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+NSSGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+NSSGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+NSSGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+NSSGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+NSSGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSGeneralNameSeq_CreateFromBER   -- constructor
+ *  NSSGeneralNameSeq_Create          -- constructor
+ *
+ *  NSSGeneralNameSeq_Destroy
+ *  NSSGeneralNameSeq_GetDEREncoding
+ *  NSSGeneralNameSeq_AppendGeneralName
+ *  NSSGeneralNameSeq_GetGeneralNameCount
+ *  NSSGeneralNameSeq_GetGeneralName
+ *  NSSGeneralNameSeq_Compare
+ *  NSSGeneralnameSeq_Duplicate
+ */
+
+/*
+ * NSSGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * NSSGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will create an error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
new file mode 100644
index 000000000..3ebf1e548
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1t.h
@@ -0,0 +1,205 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NSSPKI1T_H
+#define NSSPKI1T_H
+
+#ifdef DEBUG
+static const char NSSPKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1t.h
+ *
+ * This file contains the public type definitions for the PKIX part-1
+ * objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * OBJECT IDENTIFIER
+ *
+ * This is the basic OID that crops up everywhere.
+ */
+
+struct NSSOIDStr;
+typedef struct NSSOIDStr NSSOID;
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNamess consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ */
+
+struct NSSATAVStr;
+typedef struct NSSATAVStr NSSATAV;
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ */
+
+struct NSSRDNStr;
+typedef struct NSSRDNStr NSSRDN;
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ */
+
+struct NSSRDNSeqStr;
+typedef struct NSSRDNSeqStr NSSRDNSeq;
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ */
+
+struct NSSNameStr;
+typedef struct NSSNameStr NSSName;
+
+/*
+ * NameChoice
+ *
+ * This enumeration is used to specify choice within a name.
+ */
+
+enum NSSNameChoiceEnum {
+  NSSNameChoiceInvalid = -1,
+  NSSNameChoiceRdnSequence
+};
+typedef enum NSSNameChoiceEnum NSSNameChoice;
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ */
+
+struct NSSGeneralNameStr;
+typedef struct NSSGeneralNameStr NSSGeneralName;
+
+/*
+ * GeneralNameChoice
+ *
+ * This enumerates the possible general name types.
+ */
+
+enum NSSGeneralNameChoiceEnum {
+  NSSGeneralNameChoiceInvalid = -1,
+  NSSGeneralNameChoiceOtherName = 0,
+  NSSGeneralNameChoiceRfc822Name = 1,
+  NSSGeneralNameChoiceDNSName = 2,
+  NSSGeneralNameChoiceX400Address = 3,
+  NSSGeneralNameChoiceDirectoryName = 4,
+  NSSGeneralNameChoiceEdiPartyName = 5,
+  NSSGeneralNameChoiceUniformResourceIdentifier = 6,
+  NSSGeneralNameChoiceIPAddress = 7,
+  NSSGeneralNameChoiceRegisteredID = 8
+};
+typedef enum NSSGeneralNameChoiceEnum NSSGeneralNameChoice;
+
+/*
+ * The "other" types of general names.
+ */
+
+struct NSSOtherNameStr;
+typedef struct NSSOtherNameStr NSSOtherName;
+
+struct NSSRFC822NameStr;
+typedef struct NSSRFC822NameStr NSSRFC822Name;
+
+struct NSSDNSNameStr;
+typedef struct NSSDNSNameStr NSSDNSName;
+
+struct NSSX400AddressStr;
+typedef struct NSSX400AddressStr NSSX400Address;
+
+struct NSSEdiPartyNameStr;
+typedef struct NSSEdiPartyNameStr NSSEdiPartyName;
+
+struct NSSURIStr;
+typedef struct NSSURIStr NSSURI;
+
+struct NSSIPAddressStr;
+typedef struct NSSIPAddressStr NSSIPAddress;
+
+struct NSSRegisteredIDStr;
+typedef struct NSSRegisteredIDStr NSSRegisteredID;
+
+/*
+ * GeneralNameSeq
+ *
+ * This structure contains a sequence of GeneralName objects.
+ * Note that the PKIX documents refer to this as "GeneralNames,"
+ * which differs from "GeneralName" by only one letter.  To
+ * try to reduce confusion, we expand the name slightly to
+ * "GeneralNameSeq."
+ */
+
+struct NSSGeneralNameSeqStr;
+typedef struct NSSGeneralNameSeqStr NSSGeneralNameSeq;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKI1T_H */
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
new file mode 100644
index 000000000..d032f1eb2
--- /dev/null
+++ b/security/nss/lib/pki1/oid.c
@@ -0,0 +1,1618 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * oid.c
+ *
+ * This file contains the implementation of the basic OID routines.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+#include "plhash.h"
+#include "plstr.h"
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+const NSSOID *NSS_OID_UNKNOWN = (NSSOID *)NULL;
+
+/*
+ * First, the public "wrappers"
+ */
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berOid ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  if( (void *)NULL == berOid->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+  
+  return nssOID_CreateFromBER(berOid);
+}
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringOid ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssOID_CreateFromUTF8(stringOid);
+}
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
+}
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetUTF8Encoding(oid, arenaOpt);
+}
+
+/*
+ * Next, some internal bookkeeping; including the OID "tag" table 
+ * and the debug-version pointer tracker.
+ */
+
+/*
+ * For implementation reasons (so NSSOIDs can be compared with ==),
+ * we hash all NSSOIDs.  This is the hash table.
+ */
+
+static PLHashTable *oid_hash_table;
+
+/*
+ * And this is its lock.
+ */
+
+static PZLock *oid_hash_lock;
+
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+
+static PLHashNumber PR_CALLBACK
+oid_hash
+(
+  const void *key
+)
+{
+  const NSSItem *item = (const NSSItem *)key;
+  PLHashNumber rv = 0;
+
+  PRUint8 *data = (PRUint8 *)item->data;
+  PRUint32 i;
+  PRUint8 *rvc = (PRUint8 *)&rv;
+
+  for( i = 0; i < item->size; i++ ) {
+    rvc[ i % sizeof(rv) ] ^= *data;
+    data++;
+  }
+
+  return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the encoded OID form.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+
+static PRIntn PR_CALLBACK
+oid_hash_compare
+(
+  const void *k1,
+  const void *k2
+)
+{
+  PRIntn rv;
+
+  const NSSItem *i1 = (const NSSItem *)k1;
+  const NSSItem *i2 = (const NSSItem *)k2;
+
+  PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
+
+  rv = (PRIntn)nsslibc_memequal(i1->data, i2->data, size, (PRStatus *)NULL);
+  if( 0 == rv ) {
+    rv = i1->size - i2->size;
+  }
+
+  return !rv;
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker oid_pointer_tracker;
+
+static PRStatus
+oid_add_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+#if defined(CAN_DELETE_OIDS)
+/*
+ * We actually don't define NSSOID deletion, since we keep OIDs
+ * in a hash table for easy comparison.  Were we to, this is
+ * what the pointer-removal function would look like.
+ */
+
+static PRStatus
+oid_remove_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+#endif /* CAN_DELETE_OIDS */
+
+#endif /* DEBUG */
+
+/*
+ * All dynamically-added OIDs get their memory from one statically-
+ * declared arena here, merely so that any cleanup code will have
+ * an easier time of it.
+ */
+
+static NSSArena *oid_arena;
+
+/*
+ * This is the call-once function which initializes the hashtable.
+ * It creates it, then prepopulates it with all of the builtin OIDs.
+ * It also creates the aforementioned NSSArena.
+ */
+
+static PRStatus PR_CALLBACK
+oid_once_func
+(
+  void
+)
+{
+  PRUint32 i;
+  
+  /* Initialize the arena */
+  oid_arena = nssArena_Create();
+  if( (NSSArena *)NULL == oid_arena ) {
+    goto loser;
+  }
+
+  /* Create the hash table lock */
+  oid_hash_lock = PZ_NewLock(nssILockOID);
+  if( (PZLock *)NULL == oid_hash_lock ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* Create the hash table */
+  oid_hash_table = PL_NewHashTable(0, oid_hash, oid_hash_compare,
+                                   PL_CompareValues, 
+                                   (PLHashAllocOps *)0,
+                                   (void *)0);
+  if( (PLHashTable *)NULL == oid_hash_table ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* And populate it with all the builtins */
+  for( i = 0; i < nss_builtin_oid_count; i++ ) {
+    NSSOID *oid = (NSSOID *)&nss_builtin_oids[i];
+    PLHashEntry *e = PL_HashTableAdd(oid_hash_table, &oid->data, oid);
+    if( (PLHashEntry *)NULL == e ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      goto loser;
+    }
+
+#ifdef DEBUG
+    if( PR_SUCCESS != oid_add_pointer(oid) ) {
+      goto loser;
+    }
+#endif /* DEBUG */
+  }
+
+  return PR_SUCCESS;
+
+ loser:
+  if( (PLHashTable *)NULL != oid_hash_table ) {
+    PL_HashTableDestroy(oid_hash_table);
+    oid_hash_table = (PLHashTable *)NULL;
+  }
+
+  if( (PZLock *)NULL != oid_hash_lock ) {
+    PZ_DestroyLock(oid_hash_lock);
+    oid_hash_lock = (PZLock *)NULL;
+  }
+
+  if( (NSSArena *)NULL != oid_arena ) {
+    (void)nssArena_Destroy(oid_arena);
+    oid_arena = (NSSArena *)NULL;
+  }
+
+  return PR_FAILURE;
+}
+
+/*
+ * This is NSPR's once-block.
+ */
+
+static PRCallOnceType oid_call_once;
+
+/*
+ * And this is our multiply-callable internal init routine, which
+ * will call-once our call-once function.
+ */
+
+static PRStatus
+oid_init
+(
+  void
+)
+{
+  return PR_CallOnce(&oid_call_once, oid_once_func);
+}
+
+#ifdef DEBUG
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = oid_init();
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_NSSOID);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * oid_sanity_check_ber
+ *
+ * This routine merely applies some sanity-checking to the BER-encoded
+ * OID.
+ */
+
+static PRStatus
+oid_sanity_check_ber
+(
+  NSSBER *berOid
+)
+{
+  PRUint32 i;
+  PRUint8 *data = (PRUint8 *)berOid->data;
+
+  /*
+   * The size must be longer than zero bytes.
+   */
+
+  if( berOid->size <= 0 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In general, we can't preclude any number from showing up
+   * someday.  We could probably guess that top-level numbers
+   * won't get very big (beyond the current ccitt(0), iso(1),
+   * or joint-ccitt-iso(2)).  However, keep in mind that the
+   * encoding rules wrap the first two numbers together, as
+   *
+   *     (first * 40) + second
+   *
+   * Also, it is noted in the specs that this implies that the
+   * second number won't go above forty.
+   *
+   * 128 encodes 3.8, which seems pretty safe for now.  Let's
+   * check that the first byte is less than that.
+   *
+   * XXX This is a "soft check" -- we may want to exclude it.
+   */
+
+  if( data[0] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In a normalised format, leading 0x80s will never show up.
+   * This means that no 0x80 will be preceeded by the final
+   * byte of a sequence, which would naturaly be less than 0x80.
+   * Our internal encoding for the single-digit OIDs uses 0x80,
+   * but the only places we use them (loading the builtin table,
+   * and adding a UTF8-encoded OID) bypass this check.
+   */
+
+  for( i = 1; i < berOid->size; i++ ) {
+    if( (0x80 == data[i]) && (data[i-1] < 0x80) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The high bit of each octet indicates that following octets
+   * are included in the current number.  Thus the last byte can't
+   * have the high bit set.
+   */
+
+  if( data[ berOid->size-1 ] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Other than that, any byte sequence is legit.
+   */
+  return PR_SUCCESS;
+}
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  NSSOID *rv;
+  PLHashEntry *e;
+  
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PZ_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, berOid);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Found it! */
+    return rv;
+  }
+
+  /*
+   * Doesn't exist-- create it.
+   */
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
+  if( (void *)NULL == rv->data.data ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.size = berOid->size;
+  nsslibc_memcpy(rv->data.data, berOid->data, berOid->size);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PZ_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_ZFreeIf(rv->data.data);
+    nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSOID *)NULL;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PZ_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PZ_Unlock(oid_hash_lock);
+      (void)nss_ZFreeIf(rv->data.data);
+      (void)nss_ZFreeIf(rv);
+      return (NSSOID *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * oid_sanity_check_utf8
+ *
+ * This routine merely applies some sanity-checking to the 
+ * UTF8-encoded OID.
+ */
+
+static PRStatus
+oid_sanity_check_utf8
+(
+  NSSUTF8 *s
+)
+{
+  /*
+   * It may begin with an octothorpe, which we skip.
+   */
+
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /*
+   * It begins with a number
+   */
+
+  if( (*s < '0') || (*s > '9') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * First number is only one digit long
+   *
+   * XXX This is a "soft check" -- we may want to exclude it
+   */
+
+  if( (s[1] != '.') && (s[1] != '\0') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Every character is either a digit or a period
+   */
+
+  for( ; '\0' != *s; s++ ) {
+    if( ('.' != *s) && ((*s < '0') || (*s > '9')) ) {
+      return PR_FAILURE;
+    }
+
+    /* No two consecutive periods */
+    if( ('.' == *s) && ('.' == s[1]) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The last character isn't a period
+   */
+
+  if( '.' == *--s ) {
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRUint32
+oid_encode_number
+(
+  PRUint32 n,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 a[5];
+  PRUint32 i;
+  PRUint32 rv;
+
+  a[0] = (n >> 28) & 0x7f;
+  a[1] = (n >> 21) & 0x7f;
+  a[2] = (n >> 14) & 0x7f;
+  a[3] = (n >>  7) & 0x7f;
+  a[4] =  n        & 0x7f;
+
+  for( i = 0; i < 5; i++ ) {
+    if( 0 != a[i] ) {
+      break;
+    }
+  }
+
+  if( 5 == i ) {
+    i--;
+  }
+
+  rv = 5-i;
+  if( rv > nb ) {
+    return rv;
+  }
+
+  for( ; i < 4; i++ ) {
+    *dp = 0x80 | a[i];
+    dp++;
+  }
+
+  *dp = a[4];
+
+  return rv;
+}
+
+/*
+ * oid_encode_huge
+ *
+ * This routine will convert a huge decimal number into the DER 
+ * encoding for oid numbers.  It is not limited to numbers that will
+ * fit into some wordsize, like oid_encode_number.  But it's not
+ * necessarily very fast, either.  This is here in case some joker
+ * throws us an ASCII oid like 1.2.3.99999999999999999999999999.
+ */
+
+static PRUint32
+oid_encode_huge
+(
+  NSSUTF8 *s,
+  NSSUTF8 *e,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 slen = (e-s);
+  PRUint32 blen = (slen+1)/2;
+  PRUint8 *st = (PRUint8 *)NULL;
+  PRUint8 *bd = (PRUint8 *)NULL;
+  PRUint32 i;
+  PRUint32 bitno;
+  PRUint8 *last;
+  PRUint8 *first;
+  PRUint32 byteno;
+  PRUint8 mask;
+
+  /* We'll be munging the data, so duplicate it */
+  st = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, slen);
+  if( (PRUint8 *)NULL == st ) {
+    return 0;
+  }
+
+  /* Don't know ahead of time exactly how long we'll need */
+  bd = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, blen);
+  if( (PRUint8 *)NULL == bd ) {
+    (void)nss_ZFreeIf(st);
+    return 0;
+  }
+
+  /* Copy the original, and convert ASCII to numbers */
+  for( i = 0; i < slen; i++ ) {
+    st[i] = (PRUint8)(s[i] - '0');
+  }
+
+  last = &st[slen-1];
+  first = &st[0];
+
+  /*
+   * The way we create the binary version is by looking at it 
+   * bit by bit.  Start with the least significant bit.  If the
+   * number is odd, set that bit.  Halve the number (with integer
+   * division), and go to the next least significant bit.  Keep 
+   * going until the number goes to zero.
+   */
+  for( bitno = 0; ; bitno++ ) {
+    PRUint8 *d;
+
+    byteno = bitno/7;
+    mask = (PRUint8)(1 << (bitno%7));
+
+    /* Skip leading zeroes */
+    for( ; first < last; first ++ ) {
+      if( 0 != *first ) {
+        break;
+      }
+    }
+
+    /* Down to one number and it's a zero?  Done. */
+    if( (first == last) && (0 == *last) ) {
+      break;
+    }
+
+    /* Last digit is odd?  Set the bit */
+    if( *last & 1 ) {
+      bd[ byteno ] |= mask;
+    }
+
+
+    /* 
+     * Divide the number in half.  This is just a matter
+     * of going from the least significant digit upwards,
+     * halving each one.  If any digit is odd (other than
+     * the last, which has already been handled), add five
+     * to the digit to its right.
+     */
+    *last /= 2;
+
+    for( d = &last[-1]; d >= first; d-- ) {
+      if( *d & 1 ) {
+        d[1] += 5;
+      }
+
+      *d /= 2;
+    }
+  }
+
+  /* Is there room to write the encoded data? */
+  if( (byteno+1) > nb ) {
+    return (byteno+1);
+  }
+
+  /* Trim any leading zero that crept in there */
+  for( ; byteno > 0; byteno-- ) {
+    if( 0 != bd[ byteno ] ) {
+      break;
+    }
+  }
+
+  /* Copy all but the last, marking the "continue" bit */
+  for( i = 0; i < byteno; i++ ) {
+    dp[i] = bd[ byteno-i ] | 0x80;
+  }
+  /* And the last with the "continue" bit clear */
+  dp[byteno] = bd[0];
+
+  (void)nss_ZFreeIf(bd);
+  (void)nss_ZFreeIf(st);
+  return (byteno+1);
+}
+
+/*
+ * oid_encode_string
+ *
+ * This routine converts a dotted-number OID into a DER-encoded
+ * one.  It assumes we've already sanity-checked the string.
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static NSSOID *
+oid_encode_string
+(
+  NSSUTF8 *s
+)
+{
+  PRUint32 nn = 0; /* number of numbers */
+  PRUint32 nb = 0; /* number of bytes (estimated) */
+  NSSUTF8 *t;
+  PRUint32 nd = 0; /* number of digits */
+  NSSOID *rv;
+  PRUint8 *dp;
+  PRUint32 a, b;
+  PRUint32 inc;
+
+  /* Dump any octothorpe */
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /* Count up the bytes needed */
+  for( t = s; '\0' != *t; t++ ) {
+    if( '.' == *t ) {
+      nb += (nd+1)/2; /* errs on the big side */
+      nd = 0;
+      nn++;
+    } else {
+      nd++;
+    }
+  }
+  nb += (nd+1)/2;
+  nn++;
+
+  if( 1 == nn ) {
+    /*
+     * We have our own "denormalised" encoding for these,
+     * which is only used internally.
+     */
+    nb++;
+  }
+
+  /* 
+   * Allocate.  Note that we don't use the oid_arena here.. this is
+   * because there really isn't a "free()" for stuff allocated out of
+   * arenas (at least with the current implementation), so this would
+   * keep using up memory each time a UTF8-encoded OID were added.
+   * If need be (if this is the first time this oid has been seen),
+   * we'll copy it.
+   */
+  rv = nss_ZNEW((NSSArena *)NULL, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc((NSSArena *)NULL, nb);
+  if( (void *)NULL == rv->data.data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSOID *)NULL;
+  }
+
+  dp = (PRUint8 *)rv->data.data;
+
+  a = atoi(s);
+
+  if( 1 == nn ) {
+    dp[0] = '\x80';
+    inc = oid_encode_number(a, &dp[1], nb-1);
+    if( inc >= nb ) {
+      goto loser;
+    }
+  } else {
+    for( t = s; '.' != *t; t++ ) {
+      ;
+    }
+
+    t++;
+    b = atoi(t);
+    inc = oid_encode_number(a*40+b, dp, nb);
+    if( inc > nb ) {
+      goto loser;
+    }
+    dp += inc;
+    nb -= inc;
+    nn -= 2;
+
+    while( nn-- > 0 ) {
+      NSSUTF8 *u;
+
+      for( ; '.' != *t; t++ ) {
+        ;
+      }
+
+      t++;
+
+      for( u = t; ('\0' != *u) && ('.' != *u); u++ ) {
+        ;
+      }
+
+      if( (u-t > 9) ) {
+        /* In the billions.  Rats. */
+        inc = oid_encode_huge(t, u, dp, nb);
+      } else {
+        b = atoi(t);
+        inc = oid_encode_number(b, dp, nb);
+      }
+
+      if( inc > nb ) {
+        goto loser;
+      }
+      dp += inc;
+      nb -= inc;
+    }
+  }
+
+  return rv;
+
+ loser:
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  NSSOID *rv = (NSSOID *)NULL;
+  NSSOID *candidate = (NSSOID *)NULL;
+  PLHashEntry *e;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSOID *)NULL;
+  }
+
+  candidate = oid_encode_string(stringOid);
+  if( (NSSOID *)NULL == candidate ) {
+    /* Internal error only */
+    return rv;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PZ_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, &candidate->data);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Already exists.  Delete my copy and return the original. */
+    (void)nss_ZFreeIf(candidate->data.data);
+    (void)nss_ZFreeIf(candidate);
+    return rv;
+  }
+
+  /* 
+   * Nope.  Add it.  Remember to allocate it out of the oid arena.
+   */
+
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, candidate->data.size);
+  if( (void *)NULL == rv->data.data ) {
+    goto loser;
+  }
+
+  rv->data.size = candidate->data.size;
+  nsslibc_memcpy(rv->data.data, candidate->data.data, rv->data.size);
+
+  (void)nss_ZFreeIf(candidate->data.data);
+  (void)nss_ZFreeIf(candidate);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PZ_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PZ_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PZ_Unlock(oid_hash_lock);
+      goto loser;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (NSSOID *)NULL != candidate ) {
+    (void)nss_ZFreeIf(candidate->data.data);
+  }
+  (void)nss_ZFreeIf(candidate);
+
+  if( (NSSOID *)NULL != rv ) {
+    (void)nss_ZFreeIf(rv->data.data);
+  }
+  (void)nss_ZFreeIf(rv);
+
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  const NSSItem *it;
+  NSSDER *rv;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSDER *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  it = &oid->data;
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, it->size);
+  if( (void *)NULL == rv->data ) {
+    if( rv != rvOpt ) {
+      (void)nss_ZFreeIf(rv);
+    }
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = it->size;
+  nsslibc_memcpy(rv->data, it->data, it->size);
+
+  return rv;
+}
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint8 *end;
+  PRUint8 *d;
+  PRUint8 *e;
+  char *a;
+  char *b;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = (char *)NULL;
+
+  /* d will point to the next sequence of bytes to decode */
+  d = (PRUint8 *)oid->data.data;
+  /* end points to one past the legitimate data */
+  end = &d[ oid->data.size ];
+
+#ifdef NSSDEBUG
+  /*
+   * Guarantee that the for(e=d;e<end;e++) loop below will
+   * terminate.  Our BER sanity-checking code above will prevent
+   * such a BER from being registered, so the only other way one
+   * might show up is if our dotted-decimal encoder above screws
+   * up or our generated list is wrong.  So I'll wrap it with
+   * #ifdef NSSDEBUG and #endif.
+   */
+  if( end[-1] & 0x80 ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Check for our pseudo-encoded single-digit OIDs
+   */
+  if( (*d == 0x80) && (2 == oid->data.size) ) {
+    /* Funky encoding.  The second byte is the number */
+    a = PR_smprintf("%lu", (PRUint32)d[1]);
+    if( (char *)NULL == a ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+    goto done;
+  }
+
+  for( ; d < end; d = &e[1] ) {
+    
+    for( e = d; e < end; e++ ) {
+      if( 0 == (*e & 0x80) ) {
+        break;
+      }
+    }
+    
+    if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
+      /* More than a 32-bit number */
+    } else {
+      PRUint32 n = 0;
+      
+      switch( e-d ) {
+      case 4:
+        n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
+      case 3:
+        n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
+      case 2:
+        n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
+      case 1:
+        n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
+      case 0:
+        n |= ((PRUint32)(e[-0] & 0x7f))      ;
+      }
+      
+      if( (char *)NULL == a ) {
+        /* This is the first number.. decompose it */
+        PRUint32 one = (n/40), two = (n%40);
+        
+        a = PR_smprintf("%lu.%lu", one, two);
+        if( (char *)NULL == a ) {
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+      } else {
+        b = PR_smprintf("%s.%lu", a, n);
+        if( (char *)NULL == b ) {
+          PR_smprintf_free(a);
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+        
+        PR_smprintf_free(a);
+        a = b;
+      }
+    }
+  }
+
+ done:
+  /*
+   * Even if arenaOpt is NULL, we have to copy the data so that
+   * it'll be freed with the right version of free: ours, not
+   * PR_smprintf_free's.
+   */
+  len = PL_strlen(a);
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(a);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, a, len);
+  PR_smprintf_free(a);
+
+  return rv;
+}
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const NSSUTF8 *
+nssOID_getExplanation
+(
+  NSSOID *oid
+)
+{
+  if( PR_SUCCESS != oid_init() ) {
+    return (const NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return oid->expl;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  char *raw;
+  char *c;
+  char *a = (char *)NULL;
+  char *b;
+  PRBool done = PR_FALSE;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = PR_smprintf("{");
+  if( (char *)NULL == a ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  /*
+   * What I'm doing here is getting the text version of the OID,
+   * e.g. 1.2.12.92, then looking up each set of leading numbers
+   * as oids.. e.g. "1," then "1.2," then "1.2.12," etc.  Each of
+   * those will have the leaf tag, and I just build up the string.
+   * I never said this was the most efficient way of doing it,
+   * but hey it's a debug-build thing, and I'm getting really tired
+   * of writing this stupid low-level PKI code.
+   */
+
+  /* I know it's all ASCII, so I can use char */
+  raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
+  if( (char *)NULL == raw ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  for( c = raw; !done; c++ ) {
+    NSSOID *lead;
+    char *lastdot;
+
+    for( ; '.' != *c; c++ ) {
+      if( '\0' == *c ) {
+        done = PR_TRUE;
+        break;
+      }
+    }
+
+    *c = '\0';
+    lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
+    if( (NSSOID *)NULL == lead ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    lastdot = PL_strrchr(raw, '.');
+    if( (char *)NULL == lastdot ) {
+      lastdot = raw;
+    }
+
+    b = PR_smprintf("%s %s(%s) ", a, lead->tag, &lastdot[1]);
+    if( (char *)NULL == b ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      /* drop the OID reference on the floor */
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    PR_smprintf_free(a);
+    a = b;
+
+    if( !done ) {
+      *c = '.';
+    }
+  }
+
+  nss_ZFreeIf(raw);
+
+  b = PR_smprintf("%s }", a);
+  if( (char *)NULL == b ) {
+    PR_smprintf_free(a);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  len = PL_strlen(b);
+  
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(b);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, b, len);
+  PR_smprintf_free(b);
+
+  return rv;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
diff --git a/security/nss/lib/pki1/oiddata.c b/security/nss/lib/pki1/oiddata.c
new file mode 100644
index 000000000..c044ad8a8
--- /dev/null
+++ b/security/nss/lib/pki1/oiddata.c
@@ -0,0 +1,2937 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+const NSSOID nss_builtin_oids[] = {
+  {
+#ifdef DEBUG
+    "ccitt",
+    "ITU-T",
+#endif /* DEBUG */
+    { "\x80\x00", 2 }
+  },
+  {
+#ifdef DEBUG
+    "recommendation",
+    "ITU-T Recommendation",
+#endif /* DEBUG */
+    { "\x00", 1 }
+  },
+  {
+#ifdef DEBUG
+    "question",
+    "ITU-T Question",
+#endif /* DEBUG */
+    { "\x01", 1 }
+  },
+  {
+#ifdef DEBUG
+    "administration",
+    "ITU-T Administration",
+#endif /* DEBUG */
+    { "\x02", 1 }
+  },
+  {
+#ifdef DEBUG
+    "network-operator",
+    "ITU-T Network Operator",
+#endif /* DEBUG */
+    { "\x03", 1 }
+  },
+  {
+#ifdef DEBUG
+    "identified-organization",
+    "ITU-T Identified Organization",
+#endif /* DEBUG */
+    { "\x04", 1 }
+  },
+  {
+#ifdef DEBUG
+    "data",
+    "RFC Data",
+#endif /* DEBUG */
+    { "\x09", 1 }
+  },
+  {
+#ifdef DEBUG
+    "pss",
+    "PSS British Telecom X.25 Network",
+#endif /* DEBUG */
+    { "\x09\x92\x26", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ucl",
+    "RFC 1274 UCL Data networks",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pilot",
+    "RFC 1274 pilot",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64", 8 }
+  },
+  {
+#ifdef DEBUG
+    "attributeType",
+    "RFC 1274 Attribute Type",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "uid",
+    "RFC 1274 User Id",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "mail",
+    "RFC 1274 E-mail Addres",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "dc",
+    "RFC 2247 Domain Component",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19", 10 }
+  },
+  {
+#ifdef DEBUG
+    "attributeSyntax",
+    "RFC 1274 Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "iA5StringSyntax",
+    "RFC 1274 IA5 String Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "caseIgnoreIA5StringSyntax",
+    "RFC 1274 Case-Ignore IA5 String Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "objectClass",
+    "RFC 1274 Object Class",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "groups",
+    "RFC 1274 Groups",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ucl",
+    "RFC 1327 ucl",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x86\xe8\xc4\xb5\xbe\x2c", 9 }
+  },
+  {
+#ifdef DEBUG
+    "iso",
+    "ISO",
+#endif /* DEBUG */
+    { "\x80\x01", 2 }
+  },
+  {
+#ifdef DEBUG
+    "standard",
+    "ISO Standard",
+#endif /* DEBUG */
+    { "\x28", 1 }
+  },
+  {
+#ifdef DEBUG
+    "registration-authority",
+    "ISO Registration Authority",
+#endif /* DEBUG */
+    { "\x29", 1 }
+  },
+  {
+#ifdef DEBUG
+    "member-body",
+    "ISO Member Body",
+#endif /* DEBUG */
+    { "\x2a", 1 }
+  },
+  {
+#ifdef DEBUG
+    "australia",
+    "Australia (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x24", 2 }
+  },
+  {
+#ifdef DEBUG
+    "taiwan",
+    "Taiwan (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x81\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ireland",
+    "Ireland (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x82\x74", 3 }
+  },
+  {
+#ifdef DEBUG
+    "norway",
+    "Norway (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x84\x42", 3 }
+  },
+  {
+#ifdef DEBUG
+    "sweden",
+    "Sweden (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x85\x70", 3 }
+  },
+  {
+#ifdef DEBUG
+    "great-britain",
+    "Great Britain (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x86\x3a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us",
+    "United States (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48", 3 }
+  },
+  {
+#ifdef DEBUG
+    "organization",
+    "US (ISO) organization",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "ansi-z30-50",
+    "ANSI Z39.50",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x13", 5 }
+  },
+  {
+#ifdef DEBUG
+    "dicom",
+    "DICOM",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x18", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-1224",
+    "IEEE 1224",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x21", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-802-10",
+    "IEEE 802.10",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x26", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-802-11",
+    "IEEE 802.11",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x34", 5 }
+  },
+  {
+#ifdef DEBUG
+    "x9-57",
+    "ANSI X9.57",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38", 5 }
+  },
+  {
+#ifdef DEBUG
+    "holdInstruction",
+    "ANSI X9.57 Hold Instruction",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-none",
+    "ANSI X9.57 Hold Instruction: None",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-callissuer",
+    "ANSI X9.57 Hold Instruction: Call Issuer",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-reject",
+    "ANSI X9.57 Hold Instruction: Reject",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "x9algorithm",
+    "ANSI X9.57 Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-dsa",
+    "ANSI X9.57 DSA Signature",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-dsa-with-sha1",
+    "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "x942",
+    "ANSI X9.42",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e", 5 }
+  },
+  {
+#ifdef DEBUG
+    "algorithm",
+    "ANSI X9.42 Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "dhpublicnumber",
+    "Diffie-Hellman Public Key Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "entrust",
+    "Entrust Technologies",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf6\x7d", 6 }
+  },
+  {
+#ifdef DEBUG
+    "rsadsi",
+    "RSA Data Security Inc.",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d", 6 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs",
+    "PKCS",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-1",
+    "PKCS #1",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryption",
+    "PKCS #1 RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md2WithRSAEncryption",
+    "PKCS #1 MD2 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md4WithRSAEncryption",
+    "PKCS #1 MD4 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md5WithRSAEncryption",
+    "PKCS #1 MD5 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "sha1WithRSAEncryption",
+    "PKCS #1 SHA-1 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-5",
+    "PKCS #5",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithMD2AndDES-CBC",
+    "PKCS #5 Password Based Encryption With MD2 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithMD5AndDES-CBC",
+    "PKCS #5 Password Based Encryption With MD5 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1AndDES-CBC",
+    "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-7",
+    "PKCS #7",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "data",
+    "PKCS #7 Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signedData",
+    "PKCS #7 Signed Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "envelopedData",
+    "PKCS #7 Enveloped Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signedAndEnvelopedData",
+    "PKCS #7 Signed and Enveloped Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "digestedData",
+    "PKCS #7 Digested Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "encryptedData",
+    "PKCS #7 Encrypted Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-9",
+    "PKCS #9",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "emailAddress",
+    "PKCS #9 Email Address",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "unstructuredName",
+    "PKCS #9 Unstructured Name",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "contentType",
+    "PKCS #9 Content Type",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "messageDigest",
+    "PKCS #9 Message Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signingTime",
+    "PKCS #9 Signing Time",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "counterSignature",
+    "PKCS #9 Counter Signature",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "challengePassword",
+    "PKCS #9 Challenge Password",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "unstructuredAddress",
+    "PKCS #9 Unstructured Address",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x08", 9 }
+  },
+  {
+#ifdef DEBUG
+    "extendedCertificateAttributes",
+    "PKCS #9 Extended Certificate Attributes",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x09", 9 }
+  },
+  {
+#ifdef DEBUG
+    "sMIMECapabilities",
+    "PKCS #9 S/MIME Capabilities",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0f", 9 }
+  },
+  {
+#ifdef DEBUG
+    "friendlyName",
+    "PKCS #9 Friendly Name",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x14", 9 }
+  },
+  {
+#ifdef DEBUG
+    "localKeyID",
+    "PKCS #9 Local Key ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x15", 9 }
+  },
+  {
+#ifdef DEBUG
+    "certTypes",
+    "PKCS #9 Certificate Types",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509Certificate",
+    "PKCS #9 Certificate Type = X.509",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "sdsiCertificate",
+    "PKCS #9 Certificate Type = SDSI",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "crlTypes",
+    "PKCS #9 Certificate Revocation List Types",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509Crl",
+    "PKCS #9 CRL Type = X.509",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12",
+    "PKCS #12",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12PbeIds",
+    "PKCS #12 Password Based Encryption IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And128BitRC4",
+    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And40BitRC4",
+    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And3-KeyTripleDES-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And2-KeyTripleDES-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And128BitRC2-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And40BitRC2-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12EspvkIds",
+    "PKCS #12 ESPVK IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs8-key-shrouding",
+    "PKCS #12 Key Shrouding",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "draft1Pkcs-12Bag-ids",
+    "Draft 1.0 PKCS #12 Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "keyBag",
+    "Draft 1.0 PKCS #12 Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "certAndCRLBagId",
+    "Draft 1.0 PKCS #12 Cert and CRL Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "secretBagId",
+    "Draft 1.0 PKCS #12 Secret Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "safeContentsId",
+    "Draft 1.0 PKCS #12 Safe Contents Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-8ShroudedKeyBagId",
+    "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12CertBagIds",
+    "PKCS #12 Certificate Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509CertCRLBagId",
+    "PKCS #12 X.509 Certificate and CRL Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "SDSICertBagID",
+    "PKCS #12 SDSI Certificate Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12Oids",
+    "PKCS #12 OIDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12PbeIds",
+    "PKCS #12 OIDs PBE IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And128BitRC4",
+    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And40BitRC4",
+    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1AndTripleDES-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And128BitRC2-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x04", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And40BitRC2-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x05", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12EnvelopingIds",
+    "PKCS #12 OIDs Enveloping IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWith128BitRC4",
+    "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWith40BitRC4",
+    "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWithTripleDES",
+    "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12SignatureIds",
+    "PKCS #12 OIDs Signature IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "rsaSignatureWithSHA1Digest",
+    "PKCS #12 OIDs RSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12Version1",
+    "PKCS #12 Version 1",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12BagIds",
+    "PKCS #12 Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "keyBag",
+    "PKCS #12 Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-8ShroudedKeyBag",
+    "PKCS #12 PKCS #8-shrouded Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "certBag",
+    "PKCS #12 Certificate Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "crlBag",
+    "PKCS #12 CRL Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x04", 11 }
+  },
+  {
+#ifdef DEBUG
+    "secretBag",
+    "PKCS #12 Secret Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x05", 11 }
+  },
+  {
+#ifdef DEBUG
+    "safeContentsBag",
+    "PKCS #12 Safe Contents Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x06", 11 }
+  },
+  {
+#ifdef DEBUG
+    "digest",
+    "RSA digest algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "md2",
+    "MD2",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "md4",
+    "MD4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "md5",
+    "MD5",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "cipher",
+    "RSA cipher algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "rc2cbc",
+    "RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rc4",
+    "RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "desede3cbc",
+    "DES-EDE3-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rc5cbcpad",
+    "RC5-CBCPad",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "microsoft",
+    "Microsoft",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x14", 6 }
+  },
+  {
+#ifdef DEBUG
+    "columbia-university",
+    "Columbia University",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x18", 6 }
+  },
+  {
+#ifdef DEBUG
+    "unisys",
+    "Unisys",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x24", 6 }
+  },
+  {
+#ifdef DEBUG
+    "xapia",
+    "XAPIA",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x7a", 6 }
+  },
+  {
+#ifdef DEBUG
+    "wordperfect",
+    "WordPerfect",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf8\x23", 6 }
+  },
+  {
+#ifdef DEBUG
+    "identified-organization",
+    "ISO identified organizations",
+#endif /* DEBUG */
+    { "\x2b", 1 }
+  },
+  {
+#ifdef DEBUG
+    "us-dod",
+    "United States Department of Defense",
+#endif /* DEBUG */
+    { "\x2b\x06", 2 }
+  },
+  {
+#ifdef DEBUG
+    "internet",
+    "The Internet",
+#endif /* DEBUG */
+    { "\x2b\x06\x01", 3 }
+  },
+  {
+#ifdef DEBUG
+    "directory",
+    "Internet: Directory",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "management",
+    "Internet: Management",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x02", 4 }
+  },
+  {
+#ifdef DEBUG
+    "experimental",
+    "Internet: Experimental",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x03", 4 }
+  },
+  {
+#ifdef DEBUG
+    "private",
+    "Internet: Private",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x04", 4 }
+  },
+  {
+#ifdef DEBUG
+    "security",
+    "Internet: Security",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05", 4 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05", 5 }
+  },
+  {
+#ifdef DEBUG
+    "id-pkix",
+    "Public Key Infrastructure",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07", 6 }
+  },
+  {
+#ifdef DEBUG
+    "PKIX1Explicit88",
+    "RFC 2459 Explicitly Tagged Module, 1988 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "PKIXImplicit88",
+    "RFC 2459 Implicitly Tagged Module, 1988 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "PKIXExplicit93",
+    "RFC 2459 Explicitly Tagged Module, 1993 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-pe",
+    "PKIX Private Certificate Extensions",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-pe-authorityInfoAccess",
+    "Certificate Authority Information Access",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt",
+    "PKIX Policy Qualifier Types",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt-cps",
+    "PKIX CPS Pointer Qualifier",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt-unotice",
+    "PKIX User Notice Qualifier",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp",
+    "PKIX Key Purpose",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-serverAuth",
+    "TLS Web Server Authentication Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-clientAuth",
+    "TLS Web Client Authentication Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-codeSigning",
+    "Code Signing Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-emailProtection",
+    "E-Mail Protection Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecEndSystem",
+    "IPSEC End System Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecTunnel",
+    "IPSEC Tunnel Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecUser",
+    "IPSEC User Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-timeStamping",
+    "Time Stamping Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x08", 8 }
+  },
+  {
+#ifdef DEBUG
+    "ocsp-responder",
+    "OCSP Responder Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-pkix",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-pkip",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-regctrl",
+    "CRMF Registration Control",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "regtoken",
+    "CRMF Registration Control, Registration Token",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "authenticator",
+    "CRMF Registration Control, Registration Authenticator",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkipubinfo",
+    "CRMF Registration Control, PKI Publication Info",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pki-arch-options",
+    "CRMF Registration Control, PKI Archive Options",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "old-cert-id",
+    "CRMF Registration Control, Old Certificate ID",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "protocol-encryption-key",
+    "CRMF Registration Control, Protocol Encryption Key",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x06", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-reginfo",
+    "CRMF Registration Info",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "utf8-pairs",
+    "CRMF Registration Info, UTF8 Pairs",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "cert-request",
+    "CRMF Registration Info, Certificate Request",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad",
+    "PKIX Access Descriptors",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad-ocsp",
+    "PKIX Online Certificate Status Protocol",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "basic-response",
+    "OCSP Basic Response",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "nonce-extension",
+    "OCSP Nonce Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "response",
+    "OCSP Response Types Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "crl",
+    "OCSP CRL Reference Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "no-check",
+    "OCSP No Check Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "archive-cutoff",
+    "OCSP Archive Cutoff Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "service-locator",
+    "OCSP Service Locator Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad-caIssuers",
+    "Certificate Authority Issuers",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "snmpv2",
+    "Internet: SNMPv2",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x06", 4 }
+  },
+  {
+#ifdef DEBUG
+    "mail",
+    "Internet: mail",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x07", 4 }
+  },
+  {
+#ifdef DEBUG
+    "mime-mhs",
+    "Internet: mail MIME mhs",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x07\x01", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ecma",
+    "European Computers Manufacturing Association",
+#endif /* DEBUG */
+    { "\x2b\x0c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "oiw",
+    "Open Systems Implementors Workshop",
+#endif /* DEBUG */
+    { "\x2b\x0e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "secsig",
+    "Open Systems Implementors Workshop Security Special Interest Group",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03", 3 }
+  },
+  {
+#ifdef DEBUG
+    "oIWSECSIGAlgorithmObjectIdentifiers",
+    "OIW SECSIG Algorithm OIDs",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "algorithm",
+    "OIW SECSIG Algorithm",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02", 4 }
+  },
+  {
+#ifdef DEBUG
+    "desecb",
+    "DES-ECB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x06", 5 }
+  },
+  {
+#ifdef DEBUG
+    "descbc",
+    "DES-CBC",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x07", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desofb",
+    "DES-OFB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x08", 5 }
+  },
+  {
+#ifdef DEBUG
+    "descfb",
+    "DES-CFB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x09", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desmac",
+    "DES-MAC",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x0a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "isoSHAWithRSASignature",
+    "ISO SHA with RSA Signature",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x0f", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desede",
+    "DES-EDE",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x11", 5 }
+  },
+  {
+#ifdef DEBUG
+    "sha1",
+    "SHA-1",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x1a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "bogusDSASignatureWithSHA1Digest",
+    "Forgezza DSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x1b", 5 }
+  },
+  {
+#ifdef DEBUG
+    "authentication-mechanism",
+    "OIW SECSIG Authentication Mechanisms",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x03", 4 }
+  },
+  {
+#ifdef DEBUG
+    "security-attribute",
+    "OIW SECSIG Security Attributes",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x04", 4 }
+  },
+  {
+#ifdef DEBUG
+    "document-definition",
+    "OIW SECSIG Document Definitions used in security",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x05", 4 }
+  },
+  {
+#ifdef DEBUG
+    "directory-services-sig",
+    "OIW directory services sig",
+#endif /* DEBUG */
+    { "\x2b\x0e\x07", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ewos",
+    "European Workshop on Open Systems",
+#endif /* DEBUG */
+    { "\x2b\x10", 2 }
+  },
+  {
+#ifdef DEBUG
+    "osf",
+    "Open Software Foundation",
+#endif /* DEBUG */
+    { "\x2b\x16", 2 }
+  },
+  {
+#ifdef DEBUG
+    "nordunet",
+    "Nordunet",
+#endif /* DEBUG */
+    { "\x2b\x17", 2 }
+  },
+  {
+#ifdef DEBUG
+    "nato-id-org",
+    "NATO identified organisation",
+#endif /* DEBUG */
+    { "\x2b\x1a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "teletrust",
+    "Teletrust",
+#endif /* DEBUG */
+    { "\x2b\x24", 2 }
+  },
+  {
+#ifdef DEBUG
+    "smpte",
+    "Society of Motion Picture and Television Engineers",
+#endif /* DEBUG */
+    { "\x2b\x34", 2 }
+  },
+  {
+#ifdef DEBUG
+    "sita",
+    "Societe Internationale de Telecommunications Aeronautiques",
+#endif /* DEBUG */
+    { "\x2b\x45", 2 }
+  },
+  {
+#ifdef DEBUG
+    "iana",
+    "Internet Assigned Numbers Authority",
+#endif /* DEBUG */
+    { "\x2b\x5a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "thawte",
+    "Thawte",
+#endif /* DEBUG */
+    { "\x2b\x65", 2 }
+  },
+  {
+#ifdef DEBUG
+    "joint-iso-ccitt",
+    "Joint ISO/ITU-T assignment",
+#endif /* DEBUG */
+    { "\x80\x02", 2 }
+  },
+  {
+#ifdef DEBUG
+    "presentation",
+    "Joint ISO/ITU-T Presentation",
+#endif /* DEBUG */
+    { "\x50", 1 }
+  },
+  {
+#ifdef DEBUG
+    "asn-1",
+    "Abstract Syntax Notation One",
+#endif /* DEBUG */
+    { "\x51", 1 }
+  },
+  {
+#ifdef DEBUG
+    "acse",
+    "Association Control",
+#endif /* DEBUG */
+    { "\x52", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rtse",
+    "Reliable Transfer",
+#endif /* DEBUG */
+    { "\x53", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rose",
+    "Remote Operations",
+#endif /* DEBUG */
+    { "\x54", 1 }
+  },
+  {
+#ifdef DEBUG
+    "x500",
+    "Directory",
+#endif /* DEBUG */
+    { "\x55", 1 }
+  },
+  {
+#ifdef DEBUG
+    "modules",
+    "X.500 modules",
+#endif /* DEBUG */
+    { "\x55\x01", 2 }
+  },
+  {
+#ifdef DEBUG
+    "service-environment",
+    "X.500 service environment",
+#endif /* DEBUG */
+    { "\x55\x02", 2 }
+  },
+  {
+#ifdef DEBUG
+    "application-context",
+    "X.500 application context",
+#endif /* DEBUG */
+    { "\x55\x03", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-at",
+    "X.520 attribute types",
+#endif /* DEBUG */
+    { "\x55\x04", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-commonName",
+    "X.520 Common Name",
+#endif /* DEBUG */
+    { "\x55\x04\x03", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-surname",
+    "X.520 Surname",
+#endif /* DEBUG */
+    { "\x55\x04\x04", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-countryName",
+    "X.520 Country Name",
+#endif /* DEBUG */
+    { "\x55\x04\x06", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-localityName",
+    "X.520 Locality Name",
+#endif /* DEBUG */
+    { "\x55\x04\x07", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-stateOrProvinceName",
+    "X.520 State or Province Name",
+#endif /* DEBUG */
+    { "\x55\x04\x08", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-organizationName",
+    "X.520 Organization Name",
+#endif /* DEBUG */
+    { "\x55\x04\x0a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-organizationalUnitName",
+    "X.520 Organizational Unit Name",
+#endif /* DEBUG */
+    { "\x55\x04\x0b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-title",
+    "X.520 Title",
+#endif /* DEBUG */
+    { "\x55\x04\x0c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-name",
+    "X.520 Name",
+#endif /* DEBUG */
+    { "\x55\x04\x29", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-givenName",
+    "X.520 Given Name",
+#endif /* DEBUG */
+    { "\x55\x04\x2a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-initials",
+    "X.520 Initials",
+#endif /* DEBUG */
+    { "\x55\x04\x2b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-generationQualifier",
+    "X.520 Generation Qualifier",
+#endif /* DEBUG */
+    { "\x55\x04\x2c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-dnQualifier",
+    "X.520 DN Qualifier",
+#endif /* DEBUG */
+    { "\x55\x04\x2e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "attribute-syntax",
+    "X.500 attribute syntaxes",
+#endif /* DEBUG */
+    { "\x55\x05", 2 }
+  },
+  {
+#ifdef DEBUG
+    "object-classes",
+    "X.500 standard object classes",
+#endif /* DEBUG */
+    { "\x55\x06", 2 }
+  },
+  {
+#ifdef DEBUG
+    "attribute-set",
+    "X.500 attribute sets",
+#endif /* DEBUG */
+    { "\x55\x07", 2 }
+  },
+  {
+#ifdef DEBUG
+    "algorithms",
+    "X.500-defined algorithms",
+#endif /* DEBUG */
+    { "\x55\x08", 2 }
+  },
+  {
+#ifdef DEBUG
+    "encryption",
+    "X.500-defined encryption algorithms",
+#endif /* DEBUG */
+    { "\x55\x08\x01", 3 }
+  },
+  {
+#ifdef DEBUG
+    "rsa",
+    "RSA Encryption Algorithm",
+#endif /* DEBUG */
+    { "\x55\x08\x01\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "abstract-syntax",
+    "X.500 abstract syntaxes",
+#endif /* DEBUG */
+    { "\x55\x09", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-attribute",
+    "DSA Operational Attributes",
+#endif /* DEBUG */
+    { "\x55\x0c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "matching-rule",
+    "Matching Rule",
+#endif /* DEBUG */
+    { "\x55\x0d", 2 }
+  },
+  {
+#ifdef DEBUG
+    "knowledge-matching-rule",
+    "X.500 knowledge Matching Rules",
+#endif /* DEBUG */
+    { "\x55\x0e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "name-form",
+    "X.500 name forms",
+#endif /* DEBUG */
+    { "\x55\x0f", 2 }
+  },
+  {
+#ifdef DEBUG
+    "group",
+    "X.500 groups",
+#endif /* DEBUG */
+    { "\x55\x10", 2 }
+  },
+  {
+#ifdef DEBUG
+    "subentry",
+    "X.500 subentry",
+#endif /* DEBUG */
+    { "\x55\x11", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-attribute-type",
+    "X.500 operational attribute type",
+#endif /* DEBUG */
+    { "\x55\x12", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-binding",
+    "X.500 operational binding",
+#endif /* DEBUG */
+    { "\x55\x13", 2 }
+  },
+  {
+#ifdef DEBUG
+    "schema-object-class",
+    "X.500 schema Object class",
+#endif /* DEBUG */
+    { "\x55\x14", 2 }
+  },
+  {
+#ifdef DEBUG
+    "schema-operational-attribute",
+    "X.500 schema operational attributes",
+#endif /* DEBUG */
+    { "\x55\x15", 2 }
+  },
+  {
+#ifdef DEBUG
+    "administrative-role",
+    "X.500 administrative roles",
+#endif /* DEBUG */
+    { "\x55\x17", 2 }
+  },
+  {
+#ifdef DEBUG
+    "access-control-attribute",
+    "X.500 access control attribute",
+#endif /* DEBUG */
+    { "\x55\x18", 2 }
+  },
+  {
+#ifdef DEBUG
+    "ros",
+    "X.500 ros object",
+#endif /* DEBUG */
+    { "\x55\x19", 2 }
+  },
+  {
+#ifdef DEBUG
+    "contract",
+    "X.500 contract",
+#endif /* DEBUG */
+    { "\x55\x1a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "package",
+    "X.500 package",
+#endif /* DEBUG */
+    { "\x55\x1b", 2 }
+  },
+  {
+#ifdef DEBUG
+    "access-control-schema",
+    "X.500 access control schema",
+#endif /* DEBUG */
+    { "\x55\x1c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce",
+    "X.500 Certificate Extension",
+#endif /* DEBUG */
+    { "\x55\x1d", 2 }
+  },
+  {
+#ifdef DEBUG
+    "subject-directory-attributes",
+    "Certificate Subject Directory Attributes",
+#endif /* DEBUG */
+    { "\x55\x1d\x05", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectDirectoryAttributes",
+    "Certificate Subject Directory Attributes",
+#endif /* DEBUG */
+    { "\x55\x1d\x09", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectKeyIdentifier",
+    "Certificate Subject Key ID",
+#endif /* DEBUG */
+    { "\x55\x1d\x0e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-keyUsage",
+    "Certificate Key Usage",
+#endif /* DEBUG */
+    { "\x55\x1d\x0f", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-privateKeyUsagePeriod",
+    "Certificate Private Key Usage Period",
+#endif /* DEBUG */
+    { "\x55\x1d\x10", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectAltName",
+    "Certificate Subject Alternate Name",
+#endif /* DEBUG */
+    { "\x55\x1d\x11", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-issuerAltName",
+    "Certificate Issuer Alternate Name",
+#endif /* DEBUG */
+    { "\x55\x1d\x12", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-basicConstraints",
+    "Certificate Basic Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x13", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLNumber",
+    "CRL Number",
+#endif /* DEBUG */
+    { "\x55\x1d\x14", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLReasons",
+    "CRL Reason Code",
+#endif /* DEBUG */
+    { "\x55\x1d\x15", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-holdInstructionCode",
+    "Hold Instruction Code",
+#endif /* DEBUG */
+    { "\x55\x1d\x17", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-invalidityDate",
+    "Invalidity Date",
+#endif /* DEBUG */
+    { "\x55\x1d\x18", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-deltaCRLIndicator",
+    "Delta CRL Indicator",
+#endif /* DEBUG */
+    { "\x55\x1d\x1b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-issuingDistributionPoint",
+    "Issuing Distribution Point",
+#endif /* DEBUG */
+    { "\x55\x1d\x1c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-certificateIssuer",
+    "Certificate Issuer",
+#endif /* DEBUG */
+    { "\x55\x1d\x1d", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-nameConstraints",
+    "Certificate Name Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLDistributionPoints",
+    "CRL Distribution Points",
+#endif /* DEBUG */
+    { "\x55\x1d\x1f", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-certificatePolicies",
+    "Certificate Policies",
+#endif /* DEBUG */
+    { "\x55\x1d\x20", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-policyMappings",
+    "Certificate Policy Mappings",
+#endif /* DEBUG */
+    { "\x55\x1d\x21", 3 }
+  },
+  {
+#ifdef DEBUG
+    "policy-constraints",
+    "Certificate Policy Constraints (old)",
+#endif /* DEBUG */
+    { "\x55\x1d\x22", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-authorityKeyIdentifier",
+    "Certificate Authority Key Identifier",
+#endif /* DEBUG */
+    { "\x55\x1d\x23", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-policyConstraints",
+    "Certificate Policy Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x24", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-extKeyUsage",
+    "Extended Key Usage",
+#endif /* DEBUG */
+    { "\x55\x1d\x25", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-mgt",
+    "X.500 Management Object",
+#endif /* DEBUG */
+    { "\x55\x1e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "x400",
+    "X.400 MHS",
+#endif /* DEBUG */
+    { "\x56", 1 }
+  },
+  {
+#ifdef DEBUG
+    "ccr",
+    "Committment, Concurrency and Recovery",
+#endif /* DEBUG */
+    { "\x57", 1 }
+  },
+  {
+#ifdef DEBUG
+    "oda",
+    "Office Document Architecture",
+#endif /* DEBUG */
+    { "\x58", 1 }
+  },
+  {
+#ifdef DEBUG
+    "osi-management",
+    "OSI management",
+#endif /* DEBUG */
+    { "\x59", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tp",
+    "Transaction Processing",
+#endif /* DEBUG */
+    { "\x5a", 1 }
+  },
+  {
+#ifdef DEBUG
+    "dor",
+    "Distinguished Object Reference",
+#endif /* DEBUG */
+    { "\x5b", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rdt",
+    "Referenced Data Transfer",
+#endif /* DEBUG */
+    { "\x5c", 1 }
+  },
+  {
+#ifdef DEBUG
+    "nlm",
+    "Network Layer Management",
+#endif /* DEBUG */
+    { "\x5d", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tlm",
+    "Transport Layer Management",
+#endif /* DEBUG */
+    { "\x5e", 1 }
+  },
+  {
+#ifdef DEBUG
+    "llm",
+    "Link Layer Management",
+#endif /* DEBUG */
+    { "\x5f", 1 }
+  },
+  {
+#ifdef DEBUG
+    "country",
+    "Country Assignments",
+#endif /* DEBUG */
+    { "\x60", 1 }
+  },
+  {
+#ifdef DEBUG
+    "canada",
+    "Canada",
+#endif /* DEBUG */
+    { "\x60\x7c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "taiwan",
+    "Taiwan",
+#endif /* DEBUG */
+    { "\x60\x81\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "norway",
+    "Norway",
+#endif /* DEBUG */
+    { "\x60\x84\x42", 3 }
+  },
+  {
+#ifdef DEBUG
+    "switzerland",
+    "Switzerland",
+#endif /* DEBUG */
+    { "\x60\x85\x74", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us",
+    "United States",
+#endif /* DEBUG */
+    { "\x60\x86\x48", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us-company",
+    "United States Company",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "us-government",
+    "United States Government (1.101)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65", 5 }
+  },
+  {
+#ifdef DEBUG
+    "us-dod",
+    "United States Department of Defense",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-infosec",
+    "US DOD Infosec",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-modules",
+    "US DOD Infosec modules",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x00", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-algorithms",
+    "US DOD Infosec algorithms (MISSI)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "old-dss",
+    "MISSI DSS Algorithm (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "skipjack-cbc-64",
+    "Skipjack CBC64",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "kea",
+    "MISSI KEA Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "old-kea-dss",
+    "MISSI KEA and DSS Algorithm (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0c", 9 }
+  },
+  {
+#ifdef DEBUG
+    "dss",
+    "MISSI DSS Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x13", 9 }
+  },
+  {
+#ifdef DEBUG
+    "kea-dss",
+    "MISSI KEA and DSS Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x14", 9 }
+  },
+  {
+#ifdef DEBUG
+    "alt-kea",
+    "MISSI Alternate KEA Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x16", 9 }
+  },
+  {
+#ifdef DEBUG
+    "id-formats",
+    "US DOD Infosec formats",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-policy",
+    "US DOD Infosec policy",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-object-classes",
+    "US DOD Infosec object classes",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-attributes",
+    "US DOD Infosec attributes",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-attribute-syntax",
+    "US DOD Infosec attribute syntax",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "netscape",
+    "Netscape Communications Corp.",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42", 7 }
+  },
+  {
+#ifdef DEBUG
+    "cert-ext",
+    "Netscape Cert Extensions",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "cert-type",
+    "Certificate Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "base-url",
+    "Certificate Extension Base URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "revocation-url",
+    "Certificate Revocation URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-revocation-url",
+    "Certificate Authority Revocation URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-crl-download-url",
+    "Certificate Authority CRL Download URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-cert-url",
+    "Certificate Authority Certificate Download URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "renewal-url",
+    "Certificate Renewal URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-policy-url",
+    "Certificate Authority Policy URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x08", 9 }
+  },
+  {
+#ifdef DEBUG
+    "homepage-url",
+    "Certificate Homepage URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x09", 9 }
+  },
+  {
+#ifdef DEBUG
+    "entity-logo",
+    "Certificate Entity Logo",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "user-picture",
+    "Certificate User Picture",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0b", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ssl-server-name",
+    "Certificate SSL Server Name",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0c", 9 }
+  },
+  {
+#ifdef DEBUG
+    "comment",
+    "Certificate Comment",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0d", 9 }
+  },
+  {
+#ifdef DEBUG
+    "thayes",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0e", 9 }
+  },
+  {
+#ifdef DEBUG
+    "data-type",
+    "Netscape Data Types",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "gif",
+    "image/gif",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "jpeg",
+    "image/jpeg",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "url",
+    "URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "html",
+    "text/html",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "cert-sequence",
+    "Certificate Sequence",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "directory",
+    "Netscape Directory",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "policy",
+    "Netscape Policy Type OIDs",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "export-approved",
+    "Strong Crypto Export Approved",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x04\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "cert-server",
+    "Netscape Certificate Server",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "recovery-request",
+    "Netscape Cert Server Recovery Request",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "algs",
+    "Netscape algorithm OIDs",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "smime-kea",
+    "Netscape S/MIME KEA",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x06\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "name-components",
+    "Netscape Name Components",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "nickname",
+    "Netscape Nickname",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x07\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "verisign",
+    "Verisign",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45", 7 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "verisign-user-notices",
+    "Verisign User Notices",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "us-government",
+    "US Government (101)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x65", 4 }
+  },
+  {
+#ifdef DEBUG
+    "us-government2",
+    "US Government (102)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x66", 4 }
+  },
+  {
+#ifdef DEBUG
+    "old-netscape",
+    "Netscape Communications Corp. (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ns-cert-ext",
+    "Netscape Cert Extensions (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01", 6 }
+  },
+  {
+#ifdef DEBUG
+    "netscape-ok",
+    "Netscape says this cert is ok (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "issuer-logo",
+    "Certificate Issuer Logo (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "subject-logo",
+    "Certificate Subject Logo (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "ns-file-type",
+    "Netscape File Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "ns-image-type",
+    "Netscape Image Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x03", 6 }
+  },
+  {
+#ifdef DEBUG
+    "registration-procedures",
+    "Registration procedures",
+#endif /* DEBUG */
+    { "\x61", 1 }
+  },
+  {
+#ifdef DEBUG
+    "physical-layer-management",
+    "Physical layer Management",
+#endif /* DEBUG */
+    { "\x62", 1 }
+  },
+  {
+#ifdef DEBUG
+    "mheg",
+    "MHEG",
+#endif /* DEBUG */
+    { "\x63", 1 }
+  },
+  {
+#ifdef DEBUG
+    "guls",
+    "Generic Upper Layer Security",
+#endif /* DEBUG */
+    { "\x64", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tls",
+    "Transport Layer Security Protocol",
+#endif /* DEBUG */
+    { "\x65", 1 }
+  },
+  {
+#ifdef DEBUG
+    "nls",
+    "Network Layer Security Protocol",
+#endif /* DEBUG */
+    { "\x66", 1 }
+  },
+  {
+#ifdef DEBUG
+    "organization",
+    "International organizations",
+#endif /* DEBUG */
+    { "\x67", 1 }
+  }
+};
+
+const PRUint32 nss_builtin_oid_count = 379;
+
+const NSSOID *NSS_OID_RFC1274_UID = (NSSOID *)&nss_builtin_oids[11];
+const NSSOID *NSS_OID_RFC1274_EMAIL = (NSSOID *)&nss_builtin_oids[12];
+const NSSOID *NSS_OID_RFC2247_DC = (NSSOID *)&nss_builtin_oids[13];
+const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[43];
+const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[44];
+const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY = (NSSOID *)&nss_builtin_oids[47];
+const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[52];
+const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[53];
+const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[54];
+const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[55];
+const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[56];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[58];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[59];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[60];
+const NSSOID *NSS_OID_PKCS7 = (NSSOID *)&nss_builtin_oids[61];
+const NSSOID *NSS_OID_PKCS7_DATA = (NSSOID *)&nss_builtin_oids[62];
+const NSSOID *NSS_OID_PKCS7_SIGNED_DATA = (NSSOID *)&nss_builtin_oids[63];
+const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[64];
+const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[65];
+const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA = (NSSOID *)&nss_builtin_oids[66];
+const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA = (NSSOID *)&nss_builtin_oids[67];
+const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS = (NSSOID *)&nss_builtin_oids[69];
+const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME = (NSSOID *)&nss_builtin_oids[70];
+const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE = (NSSOID *)&nss_builtin_oids[71];
+const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST = (NSSOID *)&nss_builtin_oids[72];
+const NSSOID *NSS_OID_PKCS9_SIGNING_TIME = (NSSOID *)&nss_builtin_oids[73];
+const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE = (NSSOID *)&nss_builtin_oids[74];
+const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD = (NSSOID *)&nss_builtin_oids[75];
+const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS = (NSSOID *)&nss_builtin_oids[76];
+const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[77];
+const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES = (NSSOID *)&nss_builtin_oids[78];
+const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME = (NSSOID *)&nss_builtin_oids[79];
+const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID = (NSSOID *)&nss_builtin_oids[80];
+const NSSOID *NSS_OID_PKCS9_X509_CERT = (NSSOID *)&nss_builtin_oids[82];
+const NSSOID *NSS_OID_PKCS9_SDSI_CERT = (NSSOID *)&nss_builtin_oids[83];
+const NSSOID *NSS_OID_PKCS9_X509_CRL = (NSSOID *)&nss_builtin_oids[85];
+const NSSOID *NSS_OID_PKCS12 = (NSSOID *)&nss_builtin_oids[86];
+const NSSOID *NSS_OID_PKCS12_PBE_IDS = (NSSOID *)&nss_builtin_oids[87];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = (NSSOID *)&nss_builtin_oids[88];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = (NSSOID *)&nss_builtin_oids[89];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[90];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[91];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[92];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[93];
+const NSSOID *NSS_OID_PKCS12_KEY_BAG = (NSSOID *)&nss_builtin_oids[120];
+const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG = (NSSOID *)&nss_builtin_oids[121];
+const NSSOID *NSS_OID_PKCS12_CERT_BAG = (NSSOID *)&nss_builtin_oids[122];
+const NSSOID *NSS_OID_PKCS12_CRL_BAG = (NSSOID *)&nss_builtin_oids[123];
+const NSSOID *NSS_OID_PKCS12_SECRET_BAG = (NSSOID *)&nss_builtin_oids[124];
+const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG = (NSSOID *)&nss_builtin_oids[125];
+const NSSOID *NSS_OID_MD2 = (NSSOID *)&nss_builtin_oids[127];
+const NSSOID *NSS_OID_MD4 = (NSSOID *)&nss_builtin_oids[128];
+const NSSOID *NSS_OID_MD5 = (NSSOID *)&nss_builtin_oids[129];
+const NSSOID *NSS_OID_RC2_CBC = (NSSOID *)&nss_builtin_oids[131];
+const NSSOID *NSS_OID_RC4 = (NSSOID *)&nss_builtin_oids[132];
+const NSSOID *NSS_OID_DES_EDE3_CBC = (NSSOID *)&nss_builtin_oids[133];
+const NSSOID *NSS_OID_RC5_CBC_PAD = (NSSOID *)&nss_builtin_oids[134];
+const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS = (NSSOID *)&nss_builtin_oids[154];
+const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER = (NSSOID *)&nss_builtin_oids[156];
+const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER = (NSSOID *)&nss_builtin_oids[157];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH = (NSSOID *)&nss_builtin_oids[159];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH = (NSSOID *)&nss_builtin_oids[160];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN = (NSSOID *)&nss_builtin_oids[161];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION = (NSSOID *)&nss_builtin_oids[162];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM = (NSSOID *)&nss_builtin_oids[163];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = (NSSOID *)&nss_builtin_oids[164];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER = (NSSOID *)&nss_builtin_oids[165];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP = (NSSOID *)&nss_builtin_oids[166];
+const NSSOID *NSS_OID_OCSP_RESPONDER = (NSSOID *)&nss_builtin_oids[167];
+const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN = (NSSOID *)&nss_builtin_oids[171];
+const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR = (NSSOID *)&nss_builtin_oids[172];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO = (NSSOID *)&nss_builtin_oids[173];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = (NSSOID *)&nss_builtin_oids[174];
+const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID = (NSSOID *)&nss_builtin_oids[175];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = (NSSOID *)&nss_builtin_oids[176];
+const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS = (NSSOID *)&nss_builtin_oids[178];
+const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST = (NSSOID *)&nss_builtin_oids[179];
+const NSSOID *NSS_OID_OID_PKIX_OCSP = (NSSOID *)&nss_builtin_oids[181];
+const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE = (NSSOID *)&nss_builtin_oids[182];
+const NSSOID *NSS_OID_PKIX_OCSP_NONCE = (NSSOID *)&nss_builtin_oids[183];
+const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE = (NSSOID *)&nss_builtin_oids[184];
+const NSSOID *NSS_OID_PKIX_OCSP_CRL = (NSSOID *)&nss_builtin_oids[185];
+const NSSOID *NSS_OID_X509_OCSP_NO_CHECK = (NSSOID *)&nss_builtin_oids[186];
+const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF = (NSSOID *)&nss_builtin_oids[187];
+const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR = (NSSOID *)&nss_builtin_oids[188];
+const NSSOID *NSS_OID_DES_ECB = (NSSOID *)&nss_builtin_oids[198];
+const NSSOID *NSS_OID_DES_CBC = (NSSOID *)&nss_builtin_oids[199];
+const NSSOID *NSS_OID_DES_OFB = (NSSOID *)&nss_builtin_oids[200];
+const NSSOID *NSS_OID_DES_CFB = (NSSOID *)&nss_builtin_oids[201];
+const NSSOID *NSS_OID_DES_MAC = (NSSOID *)&nss_builtin_oids[202];
+const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[203];
+const NSSOID *NSS_OID_DES_EDE = (NSSOID *)&nss_builtin_oids[204];
+const NSSOID *NSS_OID_SHA1 = (NSSOID *)&nss_builtin_oids[205];
+const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[206];
+const NSSOID *NSS_OID_X520_COMMON_NAME = (NSSOID *)&nss_builtin_oids[231];
+const NSSOID *NSS_OID_X520_SURNAME = (NSSOID *)&nss_builtin_oids[232];
+const NSSOID *NSS_OID_X520_COUNTRY_NAME = (NSSOID *)&nss_builtin_oids[233];
+const NSSOID *NSS_OID_X520_LOCALITY_NAME = (NSSOID *)&nss_builtin_oids[234];
+const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME = (NSSOID *)&nss_builtin_oids[235];
+const NSSOID *NSS_OID_X520_ORGANIZATION_NAME = (NSSOID *)&nss_builtin_oids[236];
+const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME = (NSSOID *)&nss_builtin_oids[237];
+const NSSOID *NSS_OID_X520_TITLE = (NSSOID *)&nss_builtin_oids[238];
+const NSSOID *NSS_OID_X520_NAME = (NSSOID *)&nss_builtin_oids[239];
+const NSSOID *NSS_OID_X520_GIVEN_NAME = (NSSOID *)&nss_builtin_oids[240];
+const NSSOID *NSS_OID_X520_INITIALS = (NSSOID *)&nss_builtin_oids[241];
+const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER = (NSSOID *)&nss_builtin_oids[242];
+const NSSOID *NSS_OID_X520_DN_QUALIFIER = (NSSOID *)&nss_builtin_oids[243];
+const NSSOID *NSS_OID_X500_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[249];
+const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR = (NSSOID *)&nss_builtin_oids[268];
+const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[269];
+const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID = (NSSOID *)&nss_builtin_oids[270];
+const NSSOID *NSS_OID_X509_KEY_USAGE = (NSSOID *)&nss_builtin_oids[271];
+const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD = (NSSOID *)&nss_builtin_oids[272];
+const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME = (NSSOID *)&nss_builtin_oids[273];
+const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME = (NSSOID *)&nss_builtin_oids[274];
+const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[275];
+const NSSOID *NSS_OID_X509_CRL_NUMBER = (NSSOID *)&nss_builtin_oids[276];
+const NSSOID *NSS_OID_X509_REASON_CODE = (NSSOID *)&nss_builtin_oids[277];
+const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE = (NSSOID *)&nss_builtin_oids[278];
+const NSSOID *NSS_OID_X509_INVALID_DATE = (NSSOID *)&nss_builtin_oids[279];
+const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR = (NSSOID *)&nss_builtin_oids[280];
+const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT = (NSSOID *)&nss_builtin_oids[281];
+const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER = (NSSOID *)&nss_builtin_oids[282];
+const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[283];
+const NSSOID *NSS_OID_X509_CRL_DIST_POINTS = (NSSOID *)&nss_builtin_oids[284];
+const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES = (NSSOID *)&nss_builtin_oids[285];
+const NSSOID *NSS_OID_X509_POLICY_MAPPINGS = (NSSOID *)&nss_builtin_oids[286];
+const NSSOID *NSS_OID_X509_AUTH_KEY_ID = (NSSOID *)&nss_builtin_oids[288];
+const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[289];
+const NSSOID *NSS_OID_X509_EXT_KEY_USAGE = (NSSOID *)&nss_builtin_oids[290];
+const NSSOID *NSS_OID_MISSI_DSS_OLD = (NSSOID *)&nss_builtin_oids[314];
+const NSSOID *NSS_OID_FORTEZZA_SKIPJACK = (NSSOID *)&nss_builtin_oids[315];
+const NSSOID *NSS_OID_MISSI_KEA = (NSSOID *)&nss_builtin_oids[316];
+const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD = (NSSOID *)&nss_builtin_oids[317];
+const NSSOID *NSS_OID_MISSI_DSS = (NSSOID *)&nss_builtin_oids[318];
+const NSSOID *NSS_OID_MISSI_KEA_DSS = (NSSOID *)&nss_builtin_oids[319];
+const NSSOID *NSS_OID_MISSI_ALT_KEY = (NSSOID *)&nss_builtin_oids[320];
+const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE = (NSSOID *)&nss_builtin_oids[328];
+const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL = (NSSOID *)&nss_builtin_oids[329];
+const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[330];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[331];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL = (NSSOID *)&nss_builtin_oids[332];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL = (NSSOID *)&nss_builtin_oids[333];
+const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL = (NSSOID *)&nss_builtin_oids[334];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL = (NSSOID *)&nss_builtin_oids[335];
+const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL = (NSSOID *)&nss_builtin_oids[336];
+const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO = (NSSOID *)&nss_builtin_oids[337];
+const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE = (NSSOID *)&nss_builtin_oids[338];
+const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME = (NSSOID *)&nss_builtin_oids[339];
+const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT = (NSSOID *)&nss_builtin_oids[340];
+const NSSOID *NSS_OID_NS_CERT_EXT_THAYES = (NSSOID *)&nss_builtin_oids[341];
+const NSSOID *NSS_OID_NS_TYPE_GIF = (NSSOID *)&nss_builtin_oids[343];
+const NSSOID *NSS_OID_NS_TYPE_JPEG = (NSSOID *)&nss_builtin_oids[344];
+const NSSOID *NSS_OID_NS_TYPE_URL = (NSSOID *)&nss_builtin_oids[345];
+const NSSOID *NSS_OID_NS_TYPE_HTML = (NSSOID *)&nss_builtin_oids[346];
+const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE = (NSSOID *)&nss_builtin_oids[347];
+const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED = (NSSOID *)&nss_builtin_oids[350];
+const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST = (NSSOID *)&nss_builtin_oids[353];
+const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA = (NSSOID *)&nss_builtin_oids[355];
+const NSSOID *NSS_OID_NETSCAPE_NICKNAME = (NSSOID *)&nss_builtin_oids[357];
+const NSSOID *NSS_OID_VERISIGN_USER_NOTICES = (NSSOID *)&nss_builtin_oids[362];
+const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK = (NSSOID *)&nss_builtin_oids[367];
+const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO = (NSSOID *)&nss_builtin_oids[368];
+const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO = (NSSOID *)&nss_builtin_oids[369];
+
+const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {
+  {
+    "uid",
+    &NSS_OID_RFC1274_UID
+  },
+  {
+    "mail",
+    &NSS_OID_RFC1274_EMAIL
+  },
+  {
+    "dc",
+    &NSS_OID_RFC2247_DC
+  },
+  {
+    "cn",
+    &NSS_OID_X520_COMMON_NAME
+  },
+  {
+    "sn",
+    &NSS_OID_X520_SURNAME
+  },
+  {
+    "c",
+    &NSS_OID_X520_COUNTRY_NAME
+  },
+  {
+    "l",
+    &NSS_OID_X520_LOCALITY_NAME
+  },
+  {
+    "s",
+    &NSS_OID_X520_STATE_OR_PROVINCE_NAME
+  },
+  {
+    "o",
+    &NSS_OID_X520_ORGANIZATION_NAME
+  },
+  {
+    "ou",
+    &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
+  },
+  {
+    "title",
+    &NSS_OID_X520_TITLE
+  },
+  {
+    "name",
+    &NSS_OID_X520_NAME
+  },
+  {
+    "givenName",
+    &NSS_OID_X520_GIVEN_NAME
+  },
+  {
+    "initials",
+    &NSS_OID_X520_INITIALS
+  },
+  {
+    "generationQualifier",
+    &NSS_OID_X520_GENERATION_QUALIFIER
+  },
+  {
+    "dnQualifier",
+    &NSS_OID_X520_DN_QUALIFIER
+  }
+};
+
+const PRUint32 nss_attribute_type_alias_count = 16;
+
diff --git a/security/nss/lib/pki1/oiddata.h b/security/nss/lib/pki1/oiddata.h
new file mode 100644
index 000000000..bb48bdfa3
--- /dev/null
+++ b/security/nss/lib/pki1/oiddata.h
@@ -0,0 +1,214 @@
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef OIDDATA_H
+#define OIDDATA_H
+
+#ifdef DEBUG
+static const char OIDDATA_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+extern const NSSOID *NSS_OID_RFC1274_UID;
+extern const NSSOID *NSS_OID_RFC1274_EMAIL;
+extern const NSSOID *NSS_OID_RFC2247_DC;
+extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE;
+extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+extern const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY;
+extern const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS7;
+extern const NSSOID *NSS_OID_PKCS7_DATA;
+extern const NSSOID *NSS_OID_PKCS7_SIGNED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA;
+extern const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS;
+extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME;
+extern const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE;
+extern const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST;
+extern const NSSOID *NSS_OID_PKCS9_SIGNING_TIME;
+extern const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE;
+extern const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD;
+extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS;
+extern const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES;
+extern const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES;
+extern const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME;
+extern const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID;
+extern const NSSOID *NSS_OID_PKCS9_X509_CERT;
+extern const NSSOID *NSS_OID_PKCS9_SDSI_CERT;
+extern const NSSOID *NSS_OID_PKCS9_X509_CRL;
+extern const NSSOID *NSS_OID_PKCS12;
+extern const NSSOID *NSS_OID_PKCS12_PBE_IDS;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+extern const NSSOID *NSS_OID_PKCS12_KEY_BAG;
+extern const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG;
+extern const NSSOID *NSS_OID_PKCS12_CERT_BAG;
+extern const NSSOID *NSS_OID_PKCS12_CRL_BAG;
+extern const NSSOID *NSS_OID_PKCS12_SECRET_BAG;
+extern const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG;
+extern const NSSOID *NSS_OID_MD2;
+extern const NSSOID *NSS_OID_MD4;
+extern const NSSOID *NSS_OID_MD5;
+extern const NSSOID *NSS_OID_RC2_CBC;
+extern const NSSOID *NSS_OID_RC4;
+extern const NSSOID *NSS_OID_DES_EDE3_CBC;
+extern const NSSOID *NSS_OID_RC5_CBC_PAD;
+extern const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS;
+extern const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER;
+extern const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP;
+extern const NSSOID *NSS_OID_OCSP_RESPONDER;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
+extern const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS;
+extern const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST;
+extern const NSSOID *NSS_OID_OID_PKIX_OCSP;
+extern const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_NONCE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_CRL;
+extern const NSSOID *NSS_OID_X509_OCSP_NO_CHECK;
+extern const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF;
+extern const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR;
+extern const NSSOID *NSS_OID_DES_ECB;
+extern const NSSOID *NSS_OID_DES_CBC;
+extern const NSSOID *NSS_OID_DES_OFB;
+extern const NSSOID *NSS_OID_DES_CFB;
+extern const NSSOID *NSS_OID_DES_MAC;
+extern const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE;
+extern const NSSOID *NSS_OID_DES_EDE;
+extern const NSSOID *NSS_OID_SHA1;
+extern const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+extern const NSSOID *NSS_OID_X520_COMMON_NAME;
+extern const NSSOID *NSS_OID_X520_SURNAME;
+extern const NSSOID *NSS_OID_X520_COUNTRY_NAME;
+extern const NSSOID *NSS_OID_X520_LOCALITY_NAME;
+extern const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME;
+extern const NSSOID *NSS_OID_X520_ORGANIZATION_NAME;
+extern const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME;
+extern const NSSOID *NSS_OID_X520_TITLE;
+extern const NSSOID *NSS_OID_X520_NAME;
+extern const NSSOID *NSS_OID_X520_GIVEN_NAME;
+extern const NSSOID *NSS_OID_X520_INITIALS;
+extern const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER;
+extern const NSSOID *NSS_OID_X520_DN_QUALIFIER;
+extern const NSSOID *NSS_OID_X500_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR;
+extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES;
+extern const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID;
+extern const NSSOID *NSS_OID_X509_KEY_USAGE;
+extern const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD;
+extern const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME;
+extern const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME;
+extern const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_CRL_NUMBER;
+extern const NSSOID *NSS_OID_X509_REASON_CODE;
+extern const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE;
+extern const NSSOID *NSS_OID_X509_INVALID_DATE;
+extern const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR;
+extern const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT;
+extern const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER;
+extern const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_CRL_DIST_POINTS;
+extern const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES;
+extern const NSSOID *NSS_OID_X509_POLICY_MAPPINGS;
+extern const NSSOID *NSS_OID_X509_AUTH_KEY_ID;
+extern const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_EXT_KEY_USAGE;
+extern const NSSOID *NSS_OID_MISSI_DSS_OLD;
+extern const NSSOID *NSS_OID_FORTEZZA_SKIPJACK;
+extern const NSSOID *NSS_OID_MISSI_KEA;
+extern const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD;
+extern const NSSOID *NSS_OID_MISSI_DSS;
+extern const NSSOID *NSS_OID_MISSI_KEA_DSS;
+extern const NSSOID *NSS_OID_MISSI_ALT_KEY;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_THAYES;
+extern const NSSOID *NSS_OID_NS_TYPE_GIF;
+extern const NSSOID *NSS_OID_NS_TYPE_JPEG;
+extern const NSSOID *NSS_OID_NS_TYPE_URL;
+extern const NSSOID *NSS_OID_NS_TYPE_HTML;
+extern const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE;
+extern const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED;
+extern const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST;
+extern const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA;
+extern const NSSOID *NSS_OID_NETSCAPE_NICKNAME;
+extern const NSSOID *NSS_OID_VERISIGN_USER_NOTICES;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO;
+
+#endif /* OIDDATA_H */
diff --git a/security/nss/lib/pki1/oidgen.perl b/security/nss/lib/pki1/oidgen.perl
new file mode 100755
index 000000000..3b6abc2ed
--- /dev/null
+++ b/security/nss/lib/pki1/oidgen.perl
@@ -0,0 +1,318 @@
+#!perl
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$';
+$cfile = shift;
+$hfile = shift;
+$count = -1;
+while(<>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+  # This is certainly not the best way to dequote the data.
+  $value =~ s/"//g;
+
+  if( $name =~ "OID" ) {
+    $count++;
+    $x[$count]{$name} = $value;
+    $enc = encodeoid($value);
+    $x[$count]{" encoding"} = escapeoid($enc);
+    $x[$count]{" encoding length"} = length($enc);
+  } else {
+    if( $count < 0 ) {
+      $g{$name} = $value;
+    } else {
+      $x[$count]{$name} = $value;
+    }
+  }
+}
+
+# dodump();
+
+doprint($cfile,$hfile);
+
+sub dodump {
+for( $i = 0; $i <= $count; $i++ ) {
+  print "number $i:\n";
+  %y = %{$x[$i]};
+  while(($n,$v) = each(%y)) {
+    print "\t$n ==> $v\n";
+  }
+}
+}
+
+sub doprint {
+open(CFILE, "> $cfile") || die "Can't open $cfile: $!"; 
+open(HFILE, "> $hfile") || die "Can't open $hfile: $!";
+
+print CFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+const NSSOID nss_builtin_oids[] = {
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  print CFILE "  {\n";
+  print CFILE "#ifdef DEBUG\n";
+  print CFILE "    \"$y{TAG}\",\n";
+  print CFILE "    \"$y{EXPL}\",\n";
+  print CFILE "#endif /* DEBUG */\n";
+  print CFILE "    { \"", $y{" encoding"};
+  print CFILE "\", ", $y{" encoding length"}, " }\n";
+
+  if( $i == $count ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_builtin_oid_count = ", ($count+1), ";\n\n";
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print CFILE "const NSSOID *$y{NAME} = (NSSOID *)&nss_builtin_oids[$i];\n";
+  }
+}
+
+print CFILE "\n";
+
+$attrcount = -1;
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{ATTR}) ) {
+    if( defined($y{NAME}) ) {
+      $attrcount++;
+      $attr[$attrcount]{ATTR} = $y{ATTR};
+      $attr[$attrcount]{NAME} = $y{NAME};
+    } else {
+      warn "Attribute $y{ATTR} has no name, and will be omitted!";
+    }
+  }
+}
+
+print CFILE "const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {\n";
+
+for( $i = 0; $i <= $attrcount; $i++ ) {
+  %y = %{$attr[$i]};
+  print CFILE "  {\n";
+  print CFILE "    \"$y{ATTR}\",\n";
+  print CFILE "    &$y{NAME}\n";
+
+  if( $i == $attrcount ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_attribute_type_alias_count = ", ($attrcount+1), ";\n\n";
+
+print HFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef OIDDATA_H
+#define OIDDATA_H
+
+#ifdef DEBUG
+static const char OIDDATA_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print HFILE "extern const NSSOID *$y{NAME};\n";
+  }
+}
+
+print HFILE <<EOD
+
+#endif /* OIDDATA_H */
+EOD
+    ;
+
+close CFILE;
+close HFILE;
+}
+
+sub encodenum {
+    my $v = $_[0];
+    my @d;
+    my $i;
+    my $rv = "";
+
+    while( $v > 128 ) {
+        push @d, ($v % 128);
+        $v /= 128;
+    };
+    push @d, ($v%128);
+
+    for( $i = @d-1; $i > 0; $i-- ) {
+        $rv = $rv . chr(128 + $d[$i]);
+    }
+
+    $rv = $rv . chr($d[0]);
+
+    return $rv;
+}
+
+sub encodeoid {
+    my @o = split(/\./, $_[0]);
+    my $rv = "";
+    my $i;
+
+    if( @o < 2 ) {
+        # NSS's special "illegal" encoding
+        return chr(128) . encodenum($o[0]);
+    }
+
+    $rv = encodenum($o[0] * 40 + $o[1]);
+    shift @o; shift @o;
+
+    foreach $i (@o) {
+        $rv = $rv . encodenum($i);
+    }
+
+    return $rv;
+}
+
+sub escapeoid {
+  my @v = unpack("C*", $_[0]);
+  my $a;
+  my $rv = "";
+
+  foreach $a (@v) {
+    $rv = $rv . sprintf("\\x%02x", $a);
+  }
+
+  return $rv;
+}
diff --git a/security/nss/lib/pki1/oids.txt b/security/nss/lib/pki1/oids.txt
new file mode 100644
index 000000000..216ca6e99
--- /dev/null
+++ b/security/nss/lib/pki1/oids.txt
@@ -0,0 +1,2119 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$"
+
+# Fields
+#  OID  -- the OID data itself, in dotted-number format
+#  TAG  -- the unofficial but common name.  e.g., when written like
+#          { joint-iso-ccitt(2) country(16) US(840) company(1) netscape(113730) }
+#          those words ("joint-iso-ccitt," "country," etc.) are the tags.
+#  EXPL -- a textual explanation, that should stand by itself
+#  NAME -- the name we use in our code.  If no NAME is given, it won't be included
+#
+# Additionally, some sets of OIDs map to some other spaces.. 
+# additional fields capture that data:
+#
+#  CKM  -- the corresponding Cryptoki Mechanism, if any
+#  CKK  -- the corresponding Cryptoki Key type, if any
+#  ATTR -- the UTF-8 attribute type encoding, if applicable
+#          it should be in the standard presentation style (e.g., lowercase),
+#          already-escaped a la RFC 2253 if necessary (which would only
+#          be necessary if some idiot defined an attribute with, say,
+#          an equals sign in it)
+#  CERT_EXTENSION -- SUPPORTED or UNSUPPORTED certificate extension, if applicable
+
+# Top of the OID tree -- see http://www.alvestrand.no/objectid/top.html
+# 
+OID 0
+TAG ccitt               # ITU-T used to be called CCITT
+EXPL "ITU-T"
+
+# See X.208 Annex C for an explanation of the OIDs below ccitt/itu-t
+
+OID 0.0
+TAG recommendation
+EXPL "ITU-T Recommendation"
+
+OID 0.1
+TAG question
+EXPL "ITU-T Question"
+
+OID 0.2
+TAG administration
+EXPL "ITU-T Administration"
+
+OID 0.3
+TAG network-operator
+EXPL "ITU-T Network Operator"
+
+OID 0.4
+TAG identified-organization
+EXPL "ITU-T Identified Organization"
+
+OID 0.9           # used in some RFCs (unofficial!)
+TAG data
+EXPL "RFC Data"
+
+OID 0.9.2342
+TAG pss
+EXPL "PSS British Telecom X.25 Network"
+
+OID 0.9.2342.19200300
+TAG ucl
+EXPL "RFC 1274 UCL Data networks"
+
+OID 0.9.2342.19200300.100
+TAG pilot
+EXPL "RFC 1274 pilot"
+
+OID 0.9.2342.19200300.100.1
+TAG attributeType
+EXPL "RFC 1274 Attribute Type"
+
+OID 0.9.2342.19200300.100.1.1
+TAG uid
+EXPL "RFC 1274 User Id"
+NAME NSS_OID_RFC1274_UID
+ATTR "uid"
+
+OID 0.9.2342.19200300.100.1.3
+TAG mail
+EXPL "RFC 1274 E-mail Addres"
+NAME NSS_OID_RFC1274_EMAIL
+ATTR "mail" # XXX fgmr
+
+OID 0.9.2342.19200300.100.1.25
+TAG dc
+EXPL "RFC 2247 Domain Component"
+NAME NSS_OID_RFC2247_DC
+ATTR "dc"
+
+OID 0.9.2342.19200300.100.3
+TAG attributeSyntax
+EXPL "RFC 1274 Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.4
+TAG iA5StringSyntax
+EXPL "RFC 1274 IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.5
+TAG caseIgnoreIA5StringSyntax
+EXPL "RFC 1274 Case-Ignore IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.4
+TAG objectClass
+EXPL "RFC 1274 Object Class"
+
+OID 0.9.2342.19200300.100.10
+TAG groups
+EXPL "RFC 1274 Groups"
+
+OID 0.9.2342.234219200300 
+TAG ucl
+EXPL "RFC 1327 ucl"
+
+OID 1
+TAG iso
+EXPL "ISO"
+
+# See X.208 Annex B for an explanation of the OIDs below iso
+
+OID 1.0
+TAG standard
+EXPL "ISO Standard"
+
+OID 1.1
+TAG registration-authority
+EXPL "ISO Registration Authority"
+
+OID 1.2
+TAG member-body
+EXPL "ISO Member Body"
+
+OID 1.2.36
+TAG australia
+EXPL "Australia (ISO)"
+
+OID 1.2.158
+TAG taiwan
+EXPL "Taiwan (ISO)"
+
+OID 1.2.372 
+TAG ireland
+EXPL "Ireland (ISO)"
+
+OID 1.2.578 
+TAG norway
+EXPL "Norway (ISO)"
+
+OID 1.2.752 
+TAG sweden
+EXPL "Sweden (ISO)"
+
+OID 1.2.826 
+TAG great-britain
+EXPL "Great Britain (ISO)"
+
+OID 1.2.840
+TAG us
+EXPL "United States (ISO)"
+
+OID 1.2.840.1 
+TAG organization
+EXPL "US (ISO) organization"
+
+OID 1.2.840.10003
+TAG ansi-z30-50
+EXPL "ANSI Z39.50"
+
+OID 1.2.840.10008
+TAG dicom
+EXPL "DICOM"
+
+OID 1.2.840.10017
+TAG ieee-1224
+EXPL "IEEE 1224"
+
+OID 1.2.840.10022
+TAG ieee-802-10
+EXPL "IEEE 802.10"
+
+OID 1.2.840.10036
+TAG ieee-802-11
+EXPL "IEEE 802.11"
+
+OID 1.2.840.10040
+TAG x9-57
+EXPL "ANSI X9.57"
+
+# RFC 2459:
+#
+# holdInstruction OBJECT IDENTIFIER ::=
+#           {iso(1) member-body(2) us(840) x9cm(10040) 2}
+#
+# Note that the appendices of RFC 2459 define the (wrong) value
+# of 2.2.840.10040.2 for this oid.
+OID 1.2.840.10040.2
+TAG holdInstruction
+EXPL "ANSI X9.57 Hold Instruction"
+
+# RFC 2459:
+#
+# id-holdinstruction-none OBJECT IDENTIFIER  ::=
+#                 {holdInstruction 1} -- deprecated
+OID 1.2.840.10040.2.1
+TAG id-holdinstruction-none
+EXPL "ANSI X9.57 Hold Instruction: None"
+
+# RFC 2459:
+#
+# id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+#                 {holdInstruction 2}
+OID 1.2.840.10040.2.2
+TAG id-holdinstruction-callissuer
+EXPL "ANSI X9.57 Hold Instruction: Call Issuer"
+
+# RFC 2459:
+#
+# id-holdinstruction-reject OBJECT IDENTIFIER ::=
+#                 {holdInstruction 3}
+OID 1.2.840.10040.2.3
+TAG id-holdinstruction-reject
+EXPL "ANSI X9.57 Hold Instruction: Reject"
+
+OID 1.2.840.10040.4
+TAG x9algorithm
+EXPL "ANSI X9.57 Algorithm"
+
+# RFC 2459:
+#
+# id-dsa OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+OID 1.2.840.10040.4.1
+TAG id-dsa
+EXPL "ANSI X9.57 DSA Signature"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE
+CKM CKM_DSA
+CKK CKK_DSA
+
+# RFC 2459:
+#
+# id-dsa-with-sha1 OBJECT IDENTIFIER ::=  {
+#      iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+OID 1.2.840.10040.4.3
+TAG id-dsa-with-sha1
+EXPL "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.2.840.10046
+TAG x942
+EXPL "ANSI X9.42"
+
+OID 1.2.840.10046.2
+TAG algorithm
+EXPL "ANSI X9.42 Algorithm"
+
+# RFC 2459:
+#
+# dhpublicnumber OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
+OID 1.2.840.10046.2.1
+TAG dhpublicnumber
+EXPL "Diffie-Hellman Public Key Algorithm"
+NAME NSS_OID_X942_DIFFIE_HELMAN_KEY
+CKM CKM_DH_PKCS_DERIVE
+CKK CKK_DH
+
+OID 1.2.840.113533
+TAG entrust
+EXPL "Entrust Technologies"
+
+OID 1.2.840.113549 
+TAG rsadsi
+EXPL "RSA Data Security Inc."
+
+OID 1.2.840.113549.1 
+# http://www.rsa.com/rsalabs/pubs/PKCS/
+TAG pkcs
+EXPL "PKCS"
+
+# RFC 2459:
+#
+# pkcs-1 OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
+OID 1.2.840.113549.1.1
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
+TAG pkcs-1
+EXPL "PKCS #1"
+
+# RFC 2459:
+#
+# rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 }
+OID 1.2.840.113549.1.1.1
+TAG rsaEncryption
+EXPL "PKCS #1 RSA Encryption"
+NAME NSS_OID_PKCS1_RSA_ENCRYPTION
+CKM CKM_RSA_PKCS
+CKK CKK_RSA
+
+# RFC 2459:
+#
+# md2WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 2 }
+OID 1.2.840.113549.1.1.2 
+TAG md2WithRSAEncryption
+EXPL "PKCS #1 MD2 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION
+CKM CKM_MD2_RSA_PKCS
+
+OID 1.2.840.113549.1.1.3 
+TAG md4WithRSAEncryption
+EXPL "PKCS #1 MD4 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION
+# No CKM!
+
+# RFC 2459:
+#
+# md5WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 4 }
+OID 1.2.840.113549.1.1.4 
+TAG md5WithRSAEncryption
+EXPL "PKCS #1 MD5 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
+CKM CKM_MD5_RSA_PKCS
+
+# RFC 2459:
+#
+# sha1WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 5 }
+OID 1.2.840.113549.1.1.5 
+TAG sha1WithRSAEncryption
+EXPL "PKCS #1 SHA-1 With RSA Encryption"    
+NAME NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION
+CKM CKM_SHA1_RSA_PKCS
+
+OID 1.2.840.113549.1.5 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
+TAG pkcs-5
+EXPL "PKCS #5"
+
+OID 1.2.840.113549.1.5.1 
+TAG pbeWithMD2AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD2 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC
+CKM CKM_PBE_MD2_DES_CBC
+
+OID 1.2.840.113549.1.5.3 
+TAG pbeWithMD5AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD5 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC
+CKM CKM_PBE_MD5_DES_CBC
+
+OID 1.2.840.113549.1.5.10 
+TAG pbeWithSha1AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC"   
+NAME NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_DES_CBC
+
+OID 1.2.840.113549.1.7 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc
+TAG pkcs-7
+EXPL "PKCS #7"
+NAME NSS_OID_PKCS7
+
+OID 1.2.840.113549.1.7.1
+TAG data
+EXPL "PKCS #7 Data"
+NAME NSS_OID_PKCS7_DATA
+
+OID 1.2.840.113549.1.7.2 
+TAG signedData
+EXPL "PKCS #7 Signed Data"
+NAME NSS_OID_PKCS7_SIGNED_DATA
+
+OID 1.2.840.113549.1.7.3 
+TAG envelopedData
+EXPL "PKCS #7 Enveloped Data"
+NAME NSS_OID_PKCS7_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.4 
+TAG signedAndEnvelopedData
+EXPL "PKCS #7 Signed and Enveloped Data"
+NAME NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.5 
+TAG digestedData
+EXPL "PKCS #7 Digested Data"
+NAME NSS_OID_PKCS7_DIGESTED_DATA
+
+OID 1.2.840.113549.1.7.6 
+TAG encryptedData
+EXPL "PKCS #7 Encrypted Data"
+NAME NSS_OID_PKCS7_ENCRYPTED_DATA
+
+# RFC 2459:
+#
+# pkcs-9 OBJECT IDENTIFIER ::=
+#        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+OID 1.2.840.113549.1.9 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-9.asc
+TAG pkcs-9
+EXPL "PKCS #9"
+
+# RFC 2459:
+#
+# emailAddress AttributeType      ::= { pkcs-9 1 }
+OID 1.2.840.113549.1.9.1
+TAG emailAddress
+EXPL "PKCS #9 Email Address"
+NAME NSS_OID_PKCS9_EMAIL_ADDRESS
+
+OID 1.2.840.113549.1.9.2 
+TAG unstructuredName
+EXPL "PKCS #9 Unstructured Name"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_NAME
+
+OID 1.2.840.113549.1.9.3 
+TAG contentType
+EXPL "PKCS #9 Content Type"
+NAME NSS_OID_PKCS9_CONTENT_TYPE
+
+OID 1.2.840.113549.1.9.4 
+TAG messageDigest
+EXPL "PKCS #9 Message Digest"
+NAME NSS_OID_PKCS9_MESSAGE_DIGEST
+
+OID 1.2.840.113549.1.9.5 
+TAG signingTime
+EXPL "PKCS #9 Signing Time"
+NAME NSS_OID_PKCS9_SIGNING_TIME
+
+OID 1.2.840.113549.1.9.6 
+TAG counterSignature
+EXPL "PKCS #9 Counter Signature"
+NAME NSS_OID_PKCS9_COUNTER_SIGNATURE
+
+OID 1.2.840.113549.1.9.7 
+TAG challengePassword
+EXPL "PKCS #9 Challenge Password"
+NAME NSS_OID_PKCS9_CHALLENGE_PASSWORD
+
+OID 1.2.840.113549.1.9.8 
+TAG unstructuredAddress
+EXPL "PKCS #9 Unstructured Address"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS
+
+OID 1.2.840.113549.1.9.9 
+TAG extendedCertificateAttributes
+EXPL "PKCS #9 Extended Certificate Attributes"
+NAME NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES
+
+OID 1.2.840.113549.1.9.15 
+TAG sMIMECapabilities
+EXPL "PKCS #9 S/MIME Capabilities"
+NAME NSS_OID_PKCS9_SMIME_CAPABILITIES
+
+OID 1.2.840.113549.1.9.20
+TAG friendlyName
+EXPL "PKCS #9 Friendly Name"
+NAME NSS_OID_PKCS9_FRIENDLY_NAME
+
+OID 1.2.840.113549.1.9.21
+TAG localKeyID
+EXPL "PKCS #9 Local Key ID"
+NAME NSS_OID_PKCS9_LOCAL_KEY_ID
+
+OID 1.2.840.113549.1.9.22 
+TAG certTypes
+EXPL "PKCS #9 Certificate Types"
+
+OID 1.2.840.113549.1.9.22.1
+TAG x509Certificate
+EXPL "PKCS #9 Certificate Type = X.509"
+NAME NSS_OID_PKCS9_X509_CERT
+
+OID 1.2.840.113549.1.9.22.2
+TAG sdsiCertificate
+EXPL "PKCS #9 Certificate Type = SDSI"
+NAME NSS_OID_PKCS9_SDSI_CERT
+
+OID 1.2.840.113549.1.9.23 
+TAG crlTypes
+EXPL "PKCS #9 Certificate Revocation List Types"
+
+OID 1.2.840.113549.1.9.23.1
+TAG x509Crl
+EXPL "PKCS #9 CRL Type = X.509"
+NAME NSS_OID_PKCS9_X509_CRL
+
+OID 1.2.840.113549.1.12
+# http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-12.html
+# NOTE -- PKCS #12                          multiple contradictory
+#         documents exist.  Somebody go figure out the canonical
+#         OID list, keeping in mind backwards-compatability..
+TAG pkcs-12
+EXPL "PKCS #12"
+NAME NSS_OID_PKCS12
+
+OID 1.2.840.113549.1.12.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 Password Based Encryption IDs"
+NAME NSS_OID_PKCS12_PBE_IDS
+# We called it SEC_OID_PKCS12_MODE_IDS
+
+OID 1.2.840.113549.1.12.1.1
+TAG pbeWithSHA1And128BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.2
+TAG pbeWithSHA1And40BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.3
+TAG pbeWithSHA1And3-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.4
+TAG pbeWithSHA1And2-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC
+CKM CKM_PBE_SHA1_DES2_EDE_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.5
+TAG pbeWithSHA1And128BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.1.6
+TAG pbeWithSHA1And40BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.2 
+TAG pkcs-12EspvkIds
+EXPL "PKCS #12 ESPVK IDs"
+# We called it SEC_OID_PKCS12_ESPVK_IDS
+
+OID 1.2.840.113549.1.12.2.1
+TAG pkcs8-key-shrouding
+EXPL "PKCS #12 Key Shrouding"
+# We called it SEC_OID_PKCS12_PKCS8_KEY_SHROUDING
+
+OID 1.2.840.113549.1.12.3 
+TAG draft1Pkcs-12Bag-ids
+EXPL "Draft 1.0 PKCS #12 Bag IDs"
+# We called it SEC_OID_PKCS12_BAG_IDS
+
+OID 1.2.840.113549.1.12.3.1
+TAG keyBag
+EXPL "Draft 1.0 PKCS #12 Key Bag"
+# We called it SEC_OID_PKCS12_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.3.2
+TAG certAndCRLBagId
+EXPL "Draft 1.0 PKCS #12 Cert and CRL Bag ID"
+# We called it SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.3.3
+TAG secretBagId
+EXPL "Draft 1.0 PKCS #12 Secret Bag ID"
+# We called it SEC_OID_PKCS12_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.3.4
+TAG safeContentsId
+EXPL "Draft 1.0 PKCS #12 Safe Contents Bag ID"
+# We called it SEC_OID_PKCS12_SAFE_CONTENTS_ID
+
+OID 1.2.840.113549.1.12.3.5
+TAG pkcs-8ShroudedKeyBagId
+EXPL "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID"
+# We called it SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.4 
+TAG pkcs-12CertBagIds
+EXPL "PKCS #12 Certificate Bag IDs"
+# We called it SEC_OID_PKCS12_CERT_BAG_IDS
+
+OID 1.2.840.113549.1.12.4.1
+TAG x509CertCRLBagId
+EXPL "PKCS #12 X.509 Certificate and CRL Bag"
+# We called it SEC_OID_PKCS12_X509_CERT_CRL_BAG
+
+OID 1.2.840.113549.1.12.4.2
+TAG SDSICertBagID
+EXPL "PKCS #12 SDSI Certificate Bag"
+# We called it SEC_OID_PKCS12_SDSI_CERT_BAG
+
+OID 1.2.840.113549.1.12.5 
+TAG pkcs-12Oids
+EXPL "PKCS #12 OIDs (XXX)"
+# We called it SEC_OID_PKCS12_OIDS
+
+OID 1.2.840.113549.1.12.5.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 OIDs PBE IDs (XXX)"
+# We called it SEC_OID_PKCS12_PBE_IDS
+
+OID 1.2.840.113549.1.12.5.1.1
+TAG pbeWithSha1And128BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.2
+TAG pbeWithSha1And40BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.3
+TAG pbeWithSha1AndTripleDES-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.5.1.4
+TAG pbeWithSha1And128BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.1.5
+TAG pbeWithSha1And40BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.2 
+TAG pkcs-12EnvelopingIds
+EXPL "PKCS #12 OIDs Enveloping IDs (XXX)"
+# We called it SEC_OID_PKCS12_ENVELOPING_IDS
+
+OID 1.2.840.113549.1.12.5.2.1
+TAG rsaEncryptionWith128BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.2
+TAG rsaEncryptionWith40BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.3
+TAG rsaEncryptionWithTripleDES
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES
+
+OID 1.2.840.113549.1.12.5.3 
+TAG pkcs-12SignatureIds
+EXPL "PKCS #12 OIDs Signature IDs (XXX)"
+# We called it SEC_OID_PKCS12_SIGNATURE_IDS
+
+OID 1.2.840.113549.1.12.5.3.1
+TAG rsaSignatureWithSHA1Digest
+EXPL "PKCS #12 OIDs RSA Signature with SHA-1 Digest"
+# We called it SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST
+
+OID 1.2.840.113549.1.12.10 
+TAG pkcs-12Version1
+EXPL "PKCS #12 Version 1"
+
+OID 1.2.840.113549.1.12.10.1
+TAG pkcs-12BagIds
+EXPL "PKCS #12 Bag IDs"
+
+OID 1.2.840.113549.1.12.10.1.1
+TAG keyBag
+EXPL "PKCS #12 Key Bag"
+NAME NSS_OID_PKCS12_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.2
+TAG pkcs-8ShroudedKeyBag
+EXPL "PKCS #12 PKCS #8-shrouded Key Bag"
+NAME NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.3
+TAG certBag
+EXPL "PKCS #12 Certificate Bag"
+NAME NSS_OID_PKCS12_CERT_BAG
+# We called it SEC_OID_PKCS12_V1_CERT_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.4
+TAG crlBag
+EXPL "PKCS #12 CRL Bag"
+NAME NSS_OID_PKCS12_CRL_BAG
+# We called it SEC_OID_PKCS12_V1_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.5
+TAG secretBag
+EXPL "PKCS #12 Secret Bag"
+NAME NSS_OID_PKCS12_SECRET_BAG
+# We called it SEC_OID_PKCS12_V1_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.6
+TAG safeContentsBag
+EXPL "PKCS #12 Safe Contents Bag"
+NAME NSS_OID_PKCS12_SAFE_CONTENTS_BAG
+# We called it SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID
+
+OID 1.2.840.113549.2
+TAG digest
+EXPL "RSA digest algorithm"
+
+OID 1.2.840.113549.2.2 
+TAG md2
+EXPL "MD2"
+NAME NSS_OID_MD2
+CKM CKM_MD2
+
+OID 1.2.840.113549.2.4 
+TAG md4
+EXPL "MD4"
+NAME NSS_OID_MD4
+# No CKM
+
+OID 1.2.840.113549.2.5
+TAG md5
+EXPL "MD5"
+NAME NSS_OID_MD5
+CKM CKM_MD5
+
+OID 1.2.840.113549.3 
+TAG cipher
+EXPL "RSA cipher algorithm"
+
+OID 1.2.840.113549.3.2 
+TAG rc2cbc
+EXPL "RC2-CBC"
+NAME NSS_OID_RC2_CBC
+CKM_RC2_CBC
+
+OID 1.2.840.113549.3.4 
+TAG rc4
+EXPL "RC4"
+NAME NSS_OID_RC4
+CKM CKM_RC4
+
+OID 1.2.840.113549.3.7 
+TAG desede3cbc
+EXPL "DES-EDE3-CBC"
+NAME NSS_OID_DES_EDE3_CBC
+CKM CKM_DES3_CBC
+
+OID 1.2.840.113549.3.9 
+TAG rc5cbcpad
+EXPL "RC5-CBCPad"
+NAME NSS_OID_RC5_CBC_PAD
+CKM CKM_RC5_CBC
+
+OID 1.2.840.113556
+TAG microsoft
+EXPL "Microsoft"
+
+OID 1.2.840.113560
+TAG columbia-university
+EXPL "Columbia University"
+
+OID 1.2.840.113572
+TAG unisys
+EXPL "Unisys"
+
+OID 1.2.840.113658
+TAG xapia
+EXPL "XAPIA"
+
+OID 1.2.840.113699
+TAG wordperfect
+EXPL "WordPerfect"
+
+OID 1.3
+TAG identified-organization
+EXPL "ISO identified organizations"
+
+OID 1.3.6
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 1.3.6.1 
+TAG internet  # See RFC 1065
+EXPL "The Internet"
+
+OID 1.3.6.1.1
+TAG directory
+EXPL "Internet: Directory"
+
+OID 1.3.6.1.2
+TAG management
+EXPL "Internet: Management"
+
+OID 1.3.6.1.3
+TAG experimental
+EXPL "Internet: Experimental"
+
+OID 1.3.6.1.4
+TAG private
+EXPL "Internet: Private"
+
+OID 1.3.6.1.5
+TAG security
+EXPL "Internet: Security"
+
+OID 1.3.6.1.5.5
+
+# RFC 2459:
+#
+# id-pkix  OBJECT IDENTIFIER  ::=
+#          { iso(1) identified-organization(3) dod(6) internet(1)
+#                     security(5) mechanisms(5) pkix(7) }
+OID 1.3.6.1.5.5.7 
+TAG id-pkix
+EXPL "Public Key Infrastructure"
+
+# RFC 2459:
+#
+# PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
+OID 1.3.6.1.5.5.7.0.1
+TAG PKIX1Explicit88
+EXPL "RFC 2459 Explicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
+OID 1.3.6.1.5.5.7.0.2
+TAG PKIXImplicit88
+EXPL "RFC 2459 Implicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
+#    security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
+OID 1.3.6.1.5.5.7.0.3
+TAG PKIXExplicit93
+EXPL "RFC 2459 Explicitly Tagged Module, 1993 Syntax"
+
+# RFC 2459:
+#
+# id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
+#         -- arc for private certificate extensions
+OID 1.3.6.1.5.5.7.1 
+TAG id-pe
+EXPL "PKIX Private Certificate Extensions"
+
+# RFC 2459:
+#
+# id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+OID 1.3.6.1.5.5.7.1.1
+TAG id-pe-authorityInfoAccess
+EXPL "Certificate Authority Information Access"
+NAME NSS_OID_X509_AUTH_INFO_ACCESS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+#         -- arc for policy qualifier types
+OID 1.3.6.1.5.5.7.2 
+TAG id-qt
+EXPL "PKIX Policy Qualifier Types"
+
+# RFC 2459:
+#
+# id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
+#         -- OID for CPS qualifier
+OID 1.3.6.1.5.5.7.2.1
+TAG id-qt-cps
+EXPL "PKIX CPS Pointer Qualifier"
+NAME NSS_OID_PKIX_CPS_POINTER_QUALIFIER
+
+# RFC 2459:
+#
+# id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
+#         -- OID for user notice qualifier
+OID 1.3.6.1.5.5.7.2.2
+TAG id-qt-unotice
+EXPL "PKIX User Notice Qualifier"
+NAME NSS_OID_PKIX_USER_NOTICE_QUALIFIER
+
+# RFC 2459:
+#
+# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+#         -- arc for extended key purpose OIDS
+OID 1.3.6.1.5.5.7.3 
+TAG id-kp
+EXPL "PKIX Key Purpose"
+
+# RFC 2459:
+#
+# id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
+OID 1.3.6.1.5.5.7.3.1
+TAG id-kp-serverAuth
+EXPL "TLS Web Server Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_SERVER_AUTH
+
+# RFC 2459:
+#
+# id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
+OID 1.3.6.1.5.5.7.3.2
+TAG id-kp-clientAuth
+EXPL "TLS Web Client Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH
+
+# RFC 2459:
+#
+# id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
+OID 1.3.6.1.5.5.7.3.3
+TAG id-kp-codeSigning
+EXPL "Code Signing Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CODE_SIGN
+
+# RFC 2459:
+#
+# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+OID 1.3.6.1.5.5.7.3.4
+TAG id-kp-emailProtection
+EXPL "E-Mail Protection Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION
+
+# RFC 2459:
+#
+# id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
+OID 1.3.6.1.5.5.7.3.5
+TAG id-kp-ipsecEndSystem
+EXPL "IPSEC End System Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM
+
+# RFC 2459:
+#
+# id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
+OID 1.3.6.1.5.5.7.3.6
+TAG id-kp-ipsecTunnel
+EXPL "IPSEC Tunnel Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL
+
+# RFC 2459:
+#
+# id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
+OID 1.3.6.1.5.5.7.3.7
+TAG id-kp-ipsecUser
+EXPL "IPSEC User Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_USER
+
+# RFC 2459:
+#
+# id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
+OID 1.3.6.1.5.5.7.3.8
+TAG id-kp-timeStamping
+EXPL "Time Stamping Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_TIME_STAMP
+
+OID 1.3.6.1.5.5.7.3.9
+TAG ocsp-responder
+EXPL "OCSP Responder Certificate"
+NAME NSS_OID_OCSP_RESPONDER
+
+OID 1.3.6.1.5.5.7.7 
+TAG pkix-id-pkix
+
+OID 1.3.6.1.5.5.7.7.5 
+TAG pkix-id-pkip
+
+OID 1.3.6.1.5.5.7.7.5.1 
+TAG pkix-id-regctrl
+EXPL "CRMF Registration Control"
+
+OID 1.3.6.1.5.5.7.7.5.1.1
+TAG regtoken
+EXPL "CRMF Registration Control, Registration Token"
+NAME NSS_OID_PKIX_REGCTRL_REGTOKEN
+
+OID 1.3.6.1.5.5.7.7.5.1.2
+TAG authenticator
+EXPL "CRMF Registration Control, Registration Authenticator"
+NAME NSS_OID_PKIX_REGCTRL_AUTHENTICATOR
+
+OID 1.3.6.1.5.5.7.7.5.1.3
+TAG pkipubinfo
+EXPL "CRMF Registration Control, PKI Publication Info"
+NAME NSS_OID_PKIX_REGCTRL_PKIPUBINFO
+
+OID 1.3.6.1.5.5.7.7.5.1.4
+TAG pki-arch-options
+EXPL "CRMF Registration Control, PKI Archive Options"
+NAME NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS
+
+OID 1.3.6.1.5.5.7.7.5.1.5
+TAG old-cert-id
+EXPL "CRMF Registration Control, Old Certificate ID"
+NAME NSS_OID_PKIX_REGCTRL_OLD_CERT_ID
+
+OID 1.3.6.1.5.5.7.7.5.1.6
+TAG protocol-encryption-key
+EXPL "CRMF Registration Control, Protocol Encryption Key"
+NAME NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY
+
+OID 1.3.6.1.5.5.7.7.5.2 
+TAG pkix-id-reginfo
+EXPL "CRMF Registration Info"
+
+OID 1.3.6.1.5.5.7.7.5.2.1
+TAG utf8-pairs
+EXPL "CRMF Registration Info, UTF8 Pairs"
+NAME NSS_OID_PKIX_REGINFO_UTF8_PAIRS
+
+OID 1.3.6.1.5.5.7.7.5.2.2
+TAG cert-request
+EXPL "CRMF Registration Info, Certificate Request"
+NAME NSS_OID_PKIX_REGINFO_CERT_REQUEST
+
+# RFC 2549:
+#
+# id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+#         -- arc for access descriptors
+OID 1.3.6.1.5.5.7.48 
+TAG id-ad
+EXPL "PKIX Access Descriptors"
+
+# RFC 2549:
+#
+# id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
+OID 1.3.6.1.5.5.7.48.1
+TAG id-ad-ocsp
+EXPL "PKIX Online Certificate Status Protocol"
+NAME NSS_OID_OID_PKIX_OCSP
+
+OID 1.3.6.1.5.5.7.48.1.1
+TAG basic-response
+EXPL "OCSP Basic Response"
+NAME NSS_OID_PKIX_OCSP_BASIC_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.2
+TAG nonce-extension
+EXPL "OCSP Nonce Extension"
+NAME NSS_OID_PKIX_OCSP_NONCE
+
+OID 1.3.6.1.5.5.7.48.1.3
+TAG response
+EXPL "OCSP Response Types Extension"
+NAME NSS_OID_PKIX_OCSP_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.4
+TAG crl
+EXPL "OCSP CRL Reference Extension"
+NAME NSS_OID_PKIX_OCSP_CRL
+
+OID 1.3.6.1.5.5.7.48.1.5
+TAG no-check
+EXPL "OCSP No Check Extension"
+NAME NSS_OID_X509_OCSP_NO_CHECK  # X509_... ?
+
+OID 1.3.6.1.5.5.7.48.1.6
+TAG archive-cutoff
+EXPL "OCSP Archive Cutoff Extension"
+NAME NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF
+
+OID 1.3.6.1.5.5.7.48.1.7
+TAG service-locator
+EXPL "OCSP Service Locator Extension"
+NAME NSS_OID_PKIX_OCSP_SERVICE_LOCATOR
+
+# RFC 2549:
+#
+# id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+OID 1.3.6.1.5.5.7.48.2
+TAG id-ad-caIssuers
+EXPL "Certificate Authority Issuers"
+
+OID 1.3.6.1.6
+TAG snmpv2
+EXPL "Internet: SNMPv2"
+
+OID 1.3.6.1.7
+TAG mail
+EXPL "Internet: mail"
+
+OID 1.3.6.1.7.1
+TAG mime-mhs
+EXPL "Internet: mail MIME mhs"
+
+OID 1.3.12 
+TAG ecma
+EXPL "European Computers Manufacturing Association"
+
+OID 1.3.14
+TAG oiw
+EXPL "Open Systems Implementors Workshop"
+
+OID 1.3.14.3 secsig
+TAG secsig
+EXPL "Open Systems Implementors Workshop Security Special Interest Group"
+
+OID 1.3.14.3.1
+TAG oIWSECSIGAlgorithmObjectIdentifiers
+EXPL "OIW SECSIG Algorithm OIDs"
+
+OID 1.3.14.3.2 
+TAG algorithm
+EXPL "OIW SECSIG Algorithm"
+
+OID 1.3.14.3.2.6 
+TAG desecb
+EXPL "DES-ECB"
+NAME NSS_OID_DES_ECB
+CKM CKM_DES_ECB
+
+OID 1.3.14.3.2.7
+TAG descbc
+EXPL "DES-CBC"
+NAME NSS_OID_DES_CBC
+CKM CKM_DES_CBC
+
+OID 1.3.14.3.2.8
+TAG desofb
+EXPL "DES-OFB"
+NAME NSS_OID_DES_OFB
+# No CKM..
+
+OID 1.3.14.3.2.9 
+TAG descfb
+EXPL "DES-CFB"
+NAME NSS_OID_DES_CFB
+# No CKM..
+
+OID 1.3.14.3.2.10
+TAG desmac
+EXPL "DES-MAC"
+NAME NSS_OID_DES_MAC
+CKM CKM_DES_MAC
+
+OID 1.3.14.3.2.15 
+TAG isoSHAWithRSASignature
+EXPL "ISO SHA with RSA Signature"
+NAME NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE
+# No CKM..
+
+OID 1.3.14.3.2.17 
+TAG desede
+EXPL "DES-EDE"
+NAME NSS_OID_DES_EDE
+# No CKM..
+
+OID 1.3.14.3.2.26 
+TAG sha1
+EXPL "SHA-1"
+NAME NSS_OID_SHA1
+CKM CKM_SHA_1
+
+OID 1.3.14.3.2.27
+TAG bogusDSASignatureWithSHA1Digest
+EXPL "Forgezza DSA Signature with SHA-1 Digest"
+NAME NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.3.14.3.3
+TAG authentication-mechanism
+EXPL "OIW SECSIG Authentication Mechanisms"
+
+OID 1.3.14.3.4
+TAG security-attribute
+EXPL "OIW SECSIG Security Attributes"
+
+OID 1.3.14.3.5
+TAG document-definition
+EXPL "OIW SECSIG Document Definitions used in security"
+
+OID 1.3.14.7
+TAG directory-services-sig
+EXPL "OIW directory services sig"
+
+OID 1.3.16
+TAG ewos
+EXPL "European Workshop on Open Systems"
+
+OID 1.3.22
+TAG osf
+EXPL "Open Software Foundation"
+
+OID 1.3.23
+TAG nordunet
+EXPL "Nordunet"
+
+OID 1.3.26
+TAG nato-id-org
+EXPL "NATO identified organisation"
+
+OID 1.3.36
+TAG teletrust
+EXPL "Teletrust"
+
+OID 1.3.52
+TAG smpte
+EXPL "Society of Motion Picture and Television Engineers"
+
+OID 1.3.69
+TAG sita
+EXPL "Societe Internationale de Telecommunications Aeronautiques"
+
+OID 1.3.90
+TAG iana
+EXPL "Internet Assigned Numbers Authority"
+
+OID 1.3.101 
+TAG thawte
+EXPL "Thawte"
+
+OID 2 
+TAG joint-iso-ccitt
+EXPL "Joint ISO/ITU-T assignment"
+
+OID 2.0
+TAG presentation
+EXPL "Joint ISO/ITU-T Presentation"
+
+OID 2.1
+TAG asn-1
+EXPL "Abstract Syntax Notation One"
+
+OID 2.2
+TAG acse
+EXPL "Association Control"
+
+OID 2.3
+TAG rtse
+EXPL "Reliable Transfer"
+
+OID 2.4
+TAG rose
+EXPL "Remote Operations"
+
+OID 2.5
+TAG x500
+EXPL "Directory"
+
+OID 2.5.1
+TAG modules
+EXPL "X.500 modules"
+
+OID 2.5.2
+TAG service-environment
+EXPL "X.500 service environment"
+
+OID 2.5.3
+TAG application-context
+EXPL "X.500 application context"
+
+# RFC 2459:
+#
+# id-at           OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
+OID 2.5.4
+TAG id-at
+EXPL "X.520 attribute types"
+
+# RFC 2459:
+#
+# id-at-commonName        AttributeType   ::=     {id-at 3}
+OID 2.5.4.3
+TAG id-at-commonName
+EXPL "X.520 Common Name"
+NAME NSS_OID_X520_COMMON_NAME
+ATTR "cn"
+
+# RFC 2459:
+#
+# id-at-surname           AttributeType   ::=     {id-at 4}
+OID 2.5.4.4
+TAG id-at-surname
+EXPL "X.520 Surname"
+NAME NSS_OID_X520_SURNAME
+ATTR "sn"
+
+# RFC 2459:
+#
+# id-at-countryName       AttributeType   ::=     {id-at 6}
+OID 2.5.4.6
+TAG id-at-countryName
+EXPL "X.520 Country Name"
+NAME NSS_OID_X520_COUNTRY_NAME
+ATTR "c"
+
+# RFC 2459:
+#
+# id-at-localityName      AttributeType   ::=     {id-at 7}
+OID 2.5.4.7
+TAG id-at-localityName
+EXPL "X.520 Locality Name"
+NAME NSS_OID_X520_LOCALITY_NAME
+ATTR "l"
+
+# RFC 2459:
+#
+# id-at-stateOrProvinceName       AttributeType   ::=     {id-at 8}
+OID 2.5.4.8
+TAG id-at-stateOrProvinceName
+EXPL "X.520 State or Province Name"
+NAME NSS_OID_X520_STATE_OR_PROVINCE_NAME
+ATTR "s"
+
+# RFC 2459:
+#
+# id-at-organizationName          AttributeType   ::=     {id-at 10}
+OID 2.5.4.10
+TAG id-at-organizationName
+EXPL "X.520 Organization Name"
+NAME NSS_OID_X520_ORGANIZATION_NAME
+ATTR "o"
+
+# RFC 2459:
+#
+# id-at-organizationalUnitName    AttributeType   ::=     {id-at 11}
+OID 2.5.4.11
+TAG id-at-organizationalUnitName
+EXPL "X.520 Organizational Unit Name"
+NAME NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
+ATTR "ou"
+
+# RFC 2459:
+#
+# id-at-title     AttributeType   ::=     {id-at 12}
+OID 2.5.4.12
+TAG id-at-title
+EXPL "X.520 Title"
+NAME NSS_OID_X520_TITLE
+ATTR "title"
+
+# RFC 2459:
+#
+# id-at-name              AttributeType   ::=     {id-at 41}
+OID 2.5.4.41
+TAG id-at-name
+EXPL "X.520 Name"
+NAME NSS_OID_X520_NAME
+ATTR "name"
+
+# RFC 2459:
+#
+# id-at-givenName         AttributeType   ::=     {id-at 42}
+OID 2.5.4.42
+TAG id-at-givenName
+EXPL "X.520 Given Name"
+NAME NSS_OID_X520_GIVEN_NAME
+ATTR "givenName"
+
+# RFC 2459:
+#
+# id-at-initials          AttributeType   ::=     {id-at 43}
+OID 2.5.4.43
+TAG id-at-initials
+EXPL "X.520 Initials"
+NAME NSS_OID_X520_INITIALS
+ATTR "initials"
+
+# RFC 2459:
+#
+# id-at-generationQualifier       AttributeType   ::=     {id-at 44}
+OID 2.5.4.44
+TAG id-at-generationQualifier
+EXPL "X.520 Generation Qualifier"
+NAME NSS_OID_X520_GENERATION_QUALIFIER
+ATTR "generationQualifier"
+
+# RFC 2459:
+#
+# id-at-dnQualifier       AttributeType   ::=     {id-at 46}
+OID 2.5.4.46
+TAG id-at-dnQualifier
+EXPL "X.520 DN Qualifier"
+NAME NSS_OID_X520_DN_QUALIFIER
+ATTR "dnQualifier"
+
+OID 2.5.5
+TAG attribute-syntax
+EXPL "X.500 attribute syntaxes"
+
+OID 2.5.6
+TAG object-classes
+EXPL "X.500 standard object classes"
+
+OID 2.5.7
+TAG attribute-set
+EXPL "X.500 attribute sets"
+
+OID 2.5.8
+TAG algorithms
+EXPL "X.500-defined algorithms"
+
+OID 2.5.8.1 
+TAG encryption
+EXPL "X.500-defined encryption algorithms"
+
+OID 2.5.8.1.1 
+TAG rsa
+EXPL "RSA Encryption Algorithm"
+NAME NSS_OID_X500_RSA_ENCRYPTION
+CKM CKM_RSA_X_509
+
+OID 2.5.9
+TAG abstract-syntax
+EXPL "X.500 abstract syntaxes"
+
+OID 2.5.12
+TAG operational-attribute
+EXPL "DSA Operational Attributes"
+
+OID 2.5.13
+TAG matching-rule
+EXPL "Matching Rule"
+
+OID 2.5.14
+TAG knowledge-matching-rule
+EXPL "X.500 knowledge Matching Rules"
+
+OID 2.5.15
+TAG name-form
+EXPL "X.500 name forms"
+
+OID 2.5.16
+TAG group
+EXPL "X.500 groups"
+
+OID 2.5.17
+TAG subentry
+EXPL "X.500 subentry"
+
+OID 2.5.18
+TAG operational-attribute-type
+EXPL "X.500 operational attribute type"
+
+OID 2.5.19
+TAG operational-binding
+EXPL "X.500 operational binding"
+
+OID 2.5.20
+TAG schema-object-class
+EXPL "X.500 schema Object class"
+
+OID 2.5.21
+TAG schema-operational-attribute
+EXPL "X.500 schema operational attributes"
+
+OID 2.5.23
+TAG administrative-role
+EXPL "X.500 administrative roles"
+
+OID 2.5.24
+TAG access-control-attribute
+EXPL "X.500 access control attribute"
+
+OID 2.5.25
+TAG ros
+EXPL "X.500 ros object"
+
+OID 2.5.26
+TAG contract
+EXPL "X.500 contract"
+
+OID 2.5.27
+TAG package
+EXPL "X.500 package"
+
+OID 2.5.28
+TAG access-control-schema
+EXPL "X.500 access control schema"
+
+# RFC 2459:
+#
+# id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29}
+OID 2.5.29
+TAG id-ce
+EXPL "X.500 Certificate Extension"
+
+OID 2.5.29.5
+TAG subject-directory-attributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }
+OID 2.5.29.9
+TAG id-ce-subjectDirectoryAttributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
+OID 2.5.29.14
+TAG id-ce-subjectKeyIdentifier
+EXPL "Certificate Subject Key ID"
+NAME NSS_OID_X509_SUBJECT_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
+OID 2.5.29.15
+TAG id-ce-keyUsage
+EXPL "Certificate Key Usage"
+NAME NSS_OID_X509_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+# We called it PKCS12_KEY_USAGE
+
+# RFC 2459:
+#
+# id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }
+OID 2.5.29.16
+TAG id-ce-privateKeyUsagePeriod
+EXPL "Certificate Private Key Usage Period"
+NAME NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
+OID 2.5.29.17
+TAG id-ce-subjectAltName
+EXPL "Certificate Subject Alternate Name"
+NAME NSS_OID_X509_SUBJECT_ALT_NAME
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
+OID 2.5.29.18
+TAG id-ce-issuerAltName
+EXPL "Certificate Issuer Alternate Name"
+NAME NSS_OID_X509_ISSUER_ALT_NAME
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
+OID 2.5.29.19
+TAG id-ce-basicConstraints
+EXPL "Certificate Basic Constraints"
+NAME NSS_OID_X509_BASIC_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+OID 2.5.29.20
+TAG id-ce-cRLNumber
+EXPL "CRL Number"
+NAME NSS_OID_X509_CRL_NUMBER
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+OID 2.5.29.21
+TAG id-ce-cRLReasons
+EXPL "CRL Reason Code"
+NAME NSS_OID_X509_REASON_CODE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+OID 2.5.29.23
+TAG id-ce-holdInstructionCode
+EXPL "Hold Instruction Code"
+NAME NSS_OID_X509_HOLD_INSTRUCTION_CODE
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+OID 2.5.29.24
+TAG id-ce-invalidityDate
+EXPL "Invalid Date"
+NAME NSS_OID_X509_INVALID_DATE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+OID 2.5.29.27
+TAG id-ce-deltaCRLIndicator
+EXPL "Delta CRL Indicator"
+NAME NSS_OID_X509_DELTA_CRL_INDICATOR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+OID 2.5.29.28
+TAG id-ce-issuingDistributionPoint
+EXPL "Issuing Distribution Point"
+NAME NSS_OID_X509_ISSUING_DISTRIBUTION_POINT
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+OID 2.5.29.29
+TAG id-ce-certificateIssuer
+EXPL "Certificate Issuer"
+NAME NSS_OID_X509_CERTIFICATE_ISSUER
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
+OID 2.5.29.30
+TAG id-ce-nameConstraints
+EXPL "Certificate Name Constraints"
+NAME NSS_OID_X509_NAME_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
+OID 2.5.29.31
+TAG id-ce-cRLDistributionPoints
+EXPL "CRL Distribution Points"
+NAME NSS_OID_X509_CRL_DIST_POINTS
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
+OID 2.5.29.32
+TAG id-ce-certificatePolicies
+EXPL "Certificate Policies"
+NAME NSS_OID_X509_CERTIFICATE_POLICIES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
+OID 2.5.29.33
+TAG id-ce-policyMappings
+EXPL "Certificate Policy Mappings"
+NAME NSS_OID_X509_POLICY_MAPPINGS
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.5.29.34
+TAG policy-constraints
+EXPL "Certificate Policy Constraints (old)"
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
+OID 2.5.29.35
+TAG id-ce-authorityKeyIdentifier
+EXPL "Certificate Authority Key Identifier"
+NAME NSS_OID_X509_AUTH_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
+OID 2.5.29.36
+TAG id-ce-policyConstraints
+EXPL "Certificate Policy Constraints"
+NAME NSS_OID_X509_POLICY_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+OID 2.5.29.37
+TAG id-ce-extKeyUsage
+EXPL "Extended Key Usage"
+NAME NSS_OID_X509_EXT_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+
+OID 2.5.30
+TAG id-mgt
+EXPL "X.500 Management Object"
+
+OID 2.6
+TAG x400
+EXPL "X.400 MHS"
+
+OID 2.7
+TAG ccr
+EXPL "Committment, Concurrency and Recovery"
+
+OID 2.8
+TAG oda
+EXPL "Office Document Architecture"
+
+OID 2.9
+TAG osi-management
+EXPL "OSI management"
+
+OID 2.10
+TAG tp
+EXPL "Transaction Processing"
+
+OID 2.11
+TAG dor
+EXPL "Distinguished Object Reference"
+
+OID 2.12
+TAG rdt
+EXPL "Referenced Data Transfer"
+
+OID 2.13
+TAG nlm
+EXPL "Network Layer Management"
+
+OID 2.14
+TAG tlm
+EXPL "Transport Layer Management"
+
+OID 2.15
+TAG llm
+EXPL "Link Layer Management"
+
+OID 2.16
+TAG country
+EXPL "Country Assignments"
+
+OID 2.16.124 
+TAG canada
+EXPL "Canada"
+
+OID 2.16.158
+TAG taiwan
+EXPL "Taiwan"
+
+OID 2.16.578 
+TAG norway
+EXPL "Norway"
+
+OID 2.16.756 
+TAG switzerland
+EXPL "Switzerland"
+
+OID 2.16.840 
+TAG us
+EXPL "United States"
+
+OID 2.16.840.1 
+TAG us-company
+EXPL "United States Company"
+
+OID 2.16.840.1.101 
+TAG us-government
+EXPL "United States Government (1.101)"
+
+OID 2.16.840.1.101.2 
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 2.16.840.1.101.2.1 
+TAG id-infosec
+EXPL "US DOD Infosec"
+
+OID 2.16.840.1.101.2.1.0 
+TAG id-modules
+EXPL "US DOD Infosec modules"
+
+OID 2.16.840.1.101.2.1.1 
+TAG id-algorithms
+EXPL "US DOD Infosec algorithms (MISSI)"
+
+OID 2.16.840.1.101.2.1.1.2  
+TAG old-dss
+EXPL "MISSI DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_DSS_OLD
+
+# This is labeled as "### mwelch temporary"
+# Is it official?? XXX fgmr
+OID 2.16.840.1.101.2.1.1.4
+TAG skipjack-cbc-64
+EXPL "Skipjack CBC64"
+NAME NSS_OID_FORTEZZA_SKIPJACK
+CKM CKM_SKIPJACK_CBC64
+
+OID 2.16.840.1.101.2.1.1.10
+TAG kea
+EXPL "MISSI KEA Algorithm"
+NAME NSS_OID_MISSI_KEA
+
+OID 2.16.840.1.101.2.1.1.12
+TAG old-kea-dss
+EXPL "MISSI KEA and DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_KEA_DSS_OLD
+
+OID 2.16.840.1.101.2.1.1.19
+TAG dss
+EXPL "MISSI DSS Algorithm"
+NAME NSS_OID_MISSI_DSS
+
+OID 2.16.840.1.101.2.1.1.20
+TAG kea-dss
+EXPL "MISSI KEA and DSS Algorithm"
+NAME NSS_OID_MISSI_KEA_DSS
+
+OID 2.16.840.1.101.2.1.1.22
+TAG alt-kea
+EXPL "MISSI Alternate KEA Algorithm"
+NAME NSS_OID_MISSI_ALT_KEY
+
+OID 2.16.840.1.101.2.1.2 
+TAG id-formats
+EXPL "US DOD Infosec formats"
+
+OID 2.16.840.1.101.2.1.3 
+TAG id-policy
+EXPL "US DOD Infosec policy"
+
+OID 2.16.840.1.101.2.1.4 
+TAG id-object-classes
+EXPL "US DOD Infosec object classes"
+
+OID 2.16.840.1.101.2.1.5 
+TAG id-attributes
+EXPL "US DOD Infosec attributes"
+
+OID 2.16.840.1.101.2.1.6 
+TAG id-attribute-syntax
+EXPL "US DOD Infosec attribute syntax"
+
+OID 2.16.840.1.113730 
+# The Netscape OID space
+TAG netscape
+EXPL "Netscape Communications Corp."
+
+OID 2.16.840.1.113730.1
+TAG cert-ext
+EXPL "Netscape Cert Extensions"
+
+OID 2.16.840.1.113730.1.1
+TAG cert-type
+EXPL "Certificate Type"
+NAME NSS_OID_NS_CERT_EXT_CERT_TYPE
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.2
+TAG base-url
+EXPL "Certificate Extension Base URL"
+NAME NSS_OID_NS_CERT_EXT_BASE_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.3
+TAG revocation-url
+EXPL "Certificate Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.4
+TAG ca-revocation-url
+EXPL "Certificate Authority Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.5
+TAG ca-crl-download-url
+EXPL "Certificate Authority CRL Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CRL_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.6
+TAG ca-cert-url
+EXPL "Certificate Authority Certificate Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CERT_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.7
+TAG renewal-url
+EXPL "Certificate Renewal URL"
+NAME NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.8
+TAG ca-policy-url
+EXPL "Certificate Authority Policy URL"
+NAME NSS_OID_NS_CERT_EXT_CA_POLICY_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.9
+TAG homepage-url
+EXPL "Certificate Homepage URL"
+NAME NSS_OID_NS_CERT_EXT_HOMEPAGE_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.10
+TAG entity-logo
+EXPL "Certificate Entity Logo"
+NAME NSS_OID_NS_CERT_EXT_ENTITY_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.11
+TAG user-picture
+EXPL "Certificate User Picture"
+NAME NSS_OID_NS_CERT_EXT_USER_PICTURE
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.12
+TAG ssl-server-name
+EXPL "Certificate SSL Server Name"
+NAME NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.13
+TAG comment
+EXPL "Certificate Comment"
+NAME NSS_OID_NS_CERT_EXT_COMMENT
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.14
+TAG thayes
+EXPL ""
+NAME NSS_OID_NS_CERT_EXT_THAYES
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.2
+TAG data-type
+EXPL "Netscape Data Types"
+
+OID 2.16.840.1.113730.2.1 
+TAG gif
+EXPL "image/gif"
+NAME NSS_OID_NS_TYPE_GIF
+
+OID 2.16.840.1.113730.2.2 
+TAG jpeg
+EXPL "image/jpeg"
+NAME NSS_OID_NS_TYPE_JPEG
+
+OID 2.16.840.1.113730.2.3 
+TAG url
+EXPL "URL"
+NAME NSS_OID_NS_TYPE_URL
+
+OID 2.16.840.1.113730.2.4 
+TAG html
+EXPL "text/html"
+NAME NSS_OID_NS_TYPE_HTML
+
+OID 2.16.840.1.113730.2.5 
+TAG cert-sequence
+EXPL "Certificate Sequence"
+NAME NSS_OID_NS_TYPE_CERT_SEQUENCE
+
+OID 2.16.840.1.113730.3
+# The Netscape Directory OID space
+TAG directory
+EXPL "Netscape Directory"
+
+OID 2.16.840.1.113730.4
+TAG policy
+EXPL "Netscape Policy Type OIDs"
+
+OID 2.16.840.1.113730.4.1
+TAG export-approved
+EXPL "Strong Crypto Export Approved"
+NAME NSS_OID_NS_KEY_USAGE_GOVT_APPROVED
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.5
+TAG cert-server
+EXPL "Netscape Certificate Server"
+
+OID 2.16.840.1.113730.5.1
+
+OID 2.16.840.1.113730.5.1.1
+TAG recovery-request
+EXPL "Netscape Cert Server Recovery Request"
+NAME NSS_OID_NETSCAPE_RECOVERY_REQUEST
+
+OID 2.16.840.1.113730.6
+TAG algs
+EXPL "Netscape algorithm OIDs"
+
+OID 2.16.840.1.113730.6.1
+TAG smime-kea
+EXPL "Netscape S/MIME KEA"
+NAME NSS_OID_NETSCAPE_SMIME_KEA
+
+OID 2.16.840.1.113730.7
+TAG name-components
+EXPL "Netscape Name Components"
+
+OID 2.16.840.1.113730.7.1
+TAG nickname
+EXPL "Netscape Nickname"
+NAME NSS_OID_NETSCAPE_NICKNAME
+
+OID 2.16.840.1.113733 
+TAG verisign
+EXPL "Verisign"
+
+OID 2.16.840.1.113733.1
+
+OID 2.16.840.1.113733.1.7
+
+OID 2.16.840.1.113733.1.7.1
+
+OID 2.16.840.1.113733.1.7.1.1
+TAG verisign-user-notices
+EXPL "Verisign User Notices"
+NAME NSS_OID_VERISIGN_USER_NOTICES
+
+OID 2.16.840.101 
+TAG us-government
+EXPL "US Government (101)"
+
+OID 2.16.840.102 
+TAG us-government2
+EXPL "US Government (102)"
+ 
+OID 2.16.840.11370 
+TAG old-netscape
+EXPL "Netscape Communications Corp. (Old)"
+
+OID 2.16.840.11370.1 
+TAG ns-cert-ext
+EXPL "Netscape Cert Extensions (Old NS)"
+
+OID 2.16.840.11370.1.1 
+TAG netscape-ok
+EXPL "Netscape says this cert is ok (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_NETSCAPE_OK
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.2
+TAG issuer-logo
+EXPL "Certificate Issuer Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_ISSUER_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.3
+TAG subject-logo
+EXPL "Certificate Subject Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_SUBJECT_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.2 
+TAG ns-file-type
+EXPL "Netscape File Type"
+
+OID 2.16.840.11370.3 
+TAG ns-image-type
+EXPL "Netscape Image Type"
+
+OID 2.17
+TAG registration-procedures
+EXPL "Registration procedures"
+
+OID 2.18
+TAG physical-layer-management
+EXPL "Physical layer Management"
+
+OID 2.19
+TAG mheg
+EXPL "MHEG"
+
+OID 2.20
+TAG guls
+EXPL "Generic Upper Layer Security"
+
+OID 2.21
+TAG tls
+EXPL "Transport Layer Security Protocol"
+
+OID 2.22
+TAG nls
+EXPL "Network Layer Security Protocol"
+
+OID 2.23
+TAG organization
+EXPL "International organizations"
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
new file mode 100644
index 000000000..c0f8b75c0
--- /dev/null
+++ b/security/nss/lib/pki1/pki1.h
@@ -0,0 +1,3037 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKI1_H
+#define PKI1_H
+
+#ifdef DEBUG
+static const char PKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * pki1.h
+ *
+ * This file contains the prototypes to the non-public NSS routines
+ * relating to the PKIX part-1 objects.
+ */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+#ifndef NSSPKI1_H
+#include "nsspki1.h"
+#endif /* NSSPKI1_H */
+
+PR_BEGIN_EXTERN_C
+
+extern const NSSOID nss_builtin_oids[];
+extern const PRUint32 nss_builtin_oid_count;
+
+extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
+extern const PRUint32 nss_attribute_type_alias_count;
+
+/*
+ * NSSOID
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_UTF8;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid poitner to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const NSSUTF8 *
+nssOID_getExplanation
+(
+  NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
+
+/*
+ * NSSATAV
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+);
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+);
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+);
+#endif /* DEBUG */
+
+/*
+ * NSSRDN
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDN_CreateFromBER   -- constructor
+ *  nssRDN_CreateFromUTF8  -- constructor
+ *  nssRDN_Create          -- constructor
+ *  nssRDN_CreateSimple    -- constructor
+ *
+ *  nssRDN_Destroy
+ *  nssRDN_GetDEREncoding
+ *  nssRDN_GetUTF8Encoding
+ *  nssRDN_AddATAV
+ *  nssRDN_GetATAVCount
+ *  nssRDN_GetATAV
+ *  nssRDN_GetSimpleATAV
+ *  nssRDN_Compare
+ *  nssRDN_Duplicate
+ */
+
+/*
+ * nssRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * nssRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * nssRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * nssRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+nssRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDNSeq_CreateFromBER   -- constructor
+ *  nssRDNSeq_CreateFromUTF8  -- constructor
+ *  nssRDNSeq_Create          -- constructor
+ *
+ *  nssRDNSeq_Destroy
+ *  nssRDNSeq_GetDEREncoding
+ *  nssRDNSeq_GetUTF8Encoding
+ *  nssRDNSeq_AppendRDN
+ *  nssRDNSeq_GetRDNCount
+ *  nssRDNSeq_GetRDN
+ *  nssRDNSeq_Compare
+ *  nssRDNSeq_Duplicate
+ *
+ *  nssRDNSeq_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * nssRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * nssRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * nssRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error upon the error stack.  Note
+ * that the usual UTF8 representation of RDN Sequences is from last
+ * to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an RDNSeq.  This 
+ * routine is used by the (directory) Name routines 
+ * nssName_CreateFromUTF8 and nssName_EvaluateUTF8 to determine which
+ * choice of directory name the string may encode.  This routine may 
+ * return PR_FALSE upon error, but it subsumes that condition under the
+ * general "string does not evaluate as an RDNSeq" state, and does not
+ * set an error on the error stack.
+ *
+ * Return value:
+ *  PR_TRUE if the string represents an RDNSeq
+ *  PR_FALSE if otherwise
+ */
+
+NSS_EXTERN PRBool
+nssRDNSeq_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssName_CreateFromBER   -- constructor
+ * nssName_CreateFromUTF8  -- constructor
+ * nssName_Create          -- constructor
+ *
+ * nssName_Destroy
+ * nssName_GetDEREncoding
+ * nssName_GetUTF8Encoding
+ * nssName_GetChoice
+ * nssName_GetRDNSequence
+ * nssName_GetSpecifiedChoice
+ * nssName_Compare
+ * nssName_Duplicate
+ *
+ * nssName_GetUID
+ * nssName_GetEmail
+ * nssName_GetCommonName
+ * nssName_GetOrganization
+ * nssName_GetOrganizationalUnits
+ * nssName_GetStateOrProvince
+ * nssName_GetLocality
+ * nssName_GetCountry
+ * nssName_GetAttribute
+ *
+ * nssName_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * nssName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * nssName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+nssName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+nssName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * nssName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+nssName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an NSSName.  This 
+ * routine is used by the GeneralName routine 
+ * nssGeneralName_CreateFromUTF8 to determine which choice of
+ * general name the string may encode.  This routine may return 
+ * PR_FALSE upon error, but it subsumes that condition under the 
+ * general "string does not evaluate as a Name" state, and does not
+ * set an error on the error stack.
+ * 
+ * Return value:
+ *  PR_TRUE if the string represents a Name
+ *  PR_FALSE otherwise
+ */
+
+NSS_EXTERN PRBool
+nssName_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssGeneralName_CreateFromBER   -- constructor
+ * nssGeneralName_CreateFromUTF8  -- constructor
+ * nssGeneralName_Create          -- constructor
+ *
+ * nssGeneralName_Destroy
+ * nssGeneralName_GetDEREncoding
+ * nssGeneralName_GetUTF8Encoding
+ * nssGeneralName_GetChoice
+ * nssGeneralName_GetOtherName
+ * nssGeneralName_GetRfc822Name
+ * nssGeneralName_GetDNSName
+ * nssGeneralName_GetX400Address
+ * nssGeneralName_GetDirectoryName
+ * nssGeneralName_GetEdiPartyName
+ * nssGeneralName_GetUniformResourceIdentifier
+ * nssGeneralName_GetIPAddress
+ * nssGeneralName_GetRegisteredID
+ * nssGeneralName_GetSpecifiedChoice
+ * nssGeneralName_Compare
+ * nssGeneralName_Duplicate
+ *
+ * nssGeneralName_GetUID
+ * nssGeneralName_GetEmail
+ * nssGeneralName_GetCommonName
+ * nssGeneralName_GetOrganization
+ * nssGeneralName_GetOrganizationalUnits
+ * nssGeneralName_GetStateOrProvince
+ * nssGeneralName_GetLocality
+ * nssGeneralName_GetCountry
+ * nssGeneralName_GetAttribute
+ */
+
+/*
+ * nssGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * nssGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * nssGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+nssGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+nssGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+nssGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+nssGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+nssGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+nssGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+nssGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+nssGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+nssGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+nssGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  nssGeneralNameSeq_CreateFromBER   -- constructor
+ *  nssGeneralNameSeq_Create          -- constructor
+ *
+ *  nssGeneralNameSeq_Destroy
+ *  nssGeneralNameSeq_GetDEREncoding
+ *  nssGeneralNameSeq_AppendGeneralName
+ *  nssGeneralNameSeq_GetGeneralNameCount
+ *  nssGeneralNameSeq_GetGeneralName
+ *  nssGeneralNameSeq_Compare
+ *  nssGeneralnameSeq_Duplicate
+ */
+
+/*
+ * nssGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * nssGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will set an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKI1_H */
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
new file mode 100644
index 000000000..21366a3b2
--- /dev/null
+++ b/security/nss/lib/pki1/pki1t.h
@@ -0,0 +1,107 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef PKI1T_H
+#define PKI1T_H
+
+#ifdef DEBUG
+static const char PKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * pki1t.h
+ *
+ * This file contains definitions for the types used in the PKIX part-1
+ * code, but not available publicly.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * This structure is used to hold our internal table of built-in OID
+ * data.  The fields are as follows:
+ *
+ *  NSSItem     data -- this is the actual DER-encoded multinumber oid
+ *  const char *expl -- this explains the derivation, and is checked
+ *                      in a unit test.  While the field always exists,
+ *                      it is only populated or used in debug builds.
+ *
+ */
+
+struct NSSOIDStr {
+#ifdef DEBUG
+  const NSSUTF8 *tag;
+  const NSSUTF8 *expl;
+#endif /* DEBUG */
+  NSSItem data;
+};
+
+/*
+ * nssAttributeTypeAliasTable
+ *
+ * Attribute types are passed around as oids (at least in the X.500
+ * and PKI worlds, as opposed to ldap).  However, when written as 
+ * strings they usually have well-known aliases, e.g., "ou" or "c."
+ *
+ * This type defines a table, populated in the generated oiddata.c
+ * file, of the aliases we recognize.
+ *
+ * The fields are as follows:
+ *
+ *  NSSUTF8 *alias -- a well-known string alias for an oid
+ *  NSSOID  *oid   -- the oid to which the alias corresponds
+ *
+ */
+
+struct nssAttributeTypeAliasTableStr {
+  const NSSUTF8 *alias;
+  const NSSOID **oid;
+};
+typedef struct nssAttributeTypeAliasTableStr nssAttributeTypeAliasTable;
+
+PR_END_EXTERN_C
+
+#endif /* PKI1T_H */
diff --git a/security/nss/lib/pki1/rdn.c b/security/nss/lib/pki1/rdn.c
new file mode 100644
index 000000000..96fdbfacb
--- /dev/null
+++ b/security/nss/lib/pki1/rdn.c
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * rdn.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RelativeDistinguishedName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RelativeDistinguishedName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RelativeDistinguishedName       ::=
+ *                  SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ * An RDN is merely an (unordered) set of ATAV's.  The setSize (that's
+ * a noun, not a verb) variable is a "helper" variable kept for
+ * convenience.
+ */
+
+struct nssRDNStr {
+  PRUint32 setSize;
+  NSSATAV **atavs;
+};
diff --git a/security/nss/lib/pki1/rdnseq.c b/security/nss/lib/pki1/rdnseq.c
new file mode 100644
index 000000000..af2da2b37
--- /dev/null
+++ b/security/nss/lib/pki1/rdnseq.c
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * rdnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RDNSequence.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RDNSequence
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ * An RDNSequence is simply an (ordered) sequence of RDN's.  The 
+ * seqSize variable is a "helper" kept for simplicity.
+ */
+
+struct nssRDNSeqStr {
+  PRUint32 seqSize;
+  NSSRDN **rdns;
+};
diff --git a/security/nss/lib/smime/Makefile b/security/nss/lib/smime/Makefile
new file mode 100644
index 000000000..3bc1a719a
--- /dev/null
+++ b/security/nss/lib/smime/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
new file mode 100644
index 000000000..7243a2d06
--- /dev/null
+++ b/security/nss/lib/smime/cms.h
@@ -0,0 +1,1134 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Interfaces of the CMS implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _CMS_H_
+#define _CMS_H_
+
+#include "seccomon.h"
+
+#include "secoidt.h"
+#include "certt.h"
+#include "keyt.h"
+#include "hasht.h"
+#include "cmst.h"
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/************************************************************************
+ * cmsdecode.c - CMS decoding
+ ************************************************************************/
+
+/*
+ * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
+ *
+ * "poolp" - pointer to arena for message, or NULL if new pool should be created
+ * "cb", "cb_arg" - callback function and argument for delivery of inner content
+ *                  inner content will be stored in the message if cb is NULL.
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ */
+extern NSSCMSDecoderContext *
+NSS_CMSDecoder_Start(PLArenaPool *poolp,
+		      NSSCMSContentCallback cb, void *cb_arg,
+		      PK11PasswordFunc pwfn, void *pwfn_arg,
+		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
+
+/*
+ * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
+ */
+extern SECStatus
+NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len);
+
+/*
+ * NSS_CMSDecoder_Cancel - cancel a decoding process
+ */
+extern void
+NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx);
+
+/*
+ * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
+ */
+extern NSSCMSMessage *
+NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx);
+
+/*
+ * NSS_CMSMessage_CreateFromDER - decode a CMS message from DER encoded data
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
+		    NSSCMSContentCallback cb, void *cb_arg,
+		    PK11PasswordFunc pwfn, void *pwfn_arg,
+		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
+
+/************************************************************************
+ * cmsencode.c - CMS encoding
+ ************************************************************************/
+
+/*
+ * NSS_CMSEncoder_Start - set up encoding of a CMS message
+ *
+ * "cmsg" - message to encode
+ * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
+ *                           will not be called if NULL.
+ * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
+ * "destpoolp" - pool to allocate DER-encoded output in
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+extern NSSCMSEncoderContext *
+NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
+			NSSCMSContentCallback outputfn, void *outputarg,
+			SECItem *dest, PLArenaPool *destpoolp,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
+
+/*
+ * NSS_CMSEncoder_Update - take content data delivery from the user
+ *
+ * "p7ecx" - encoder context
+ * "data" - content data
+ * "len" - length of content data
+ */
+extern SECStatus
+NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
+
+/*
+ * NSS_CMSEncoder_Cancel - stop all encoding
+ */
+extern SECStatus
+NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx);
+
+/*
+ * NSS_CMSEncoder_Finish - signal the end of data
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+extern SECStatus
+NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx);
+
+/************************************************************************
+ * cmsmessage.c - CMS message object
+ ************************************************************************/
+
+/*
+ * NSS_CMSMessage_Create - create a CMS message object
+ *
+ * "poolp" - arena to allocate memory from, or NULL if new arena should be created
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_Create(PLArenaPool *poolp);
+
+/*
+ * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
+ *
+ * "cmsg" - message object
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ *
+ * used internally.
+ */
+extern void
+NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
+
+/*
+ * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
+ */
+extern void
+NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_Copy - return a copy of the given message. 
+ *
+ * The copy may be virtual or may be real -- either way, the result needs
+ * to be passed to NSS_CMSMessage_Destroy later (as does the original).
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_Copy(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
+ */
+extern PLArenaPool *
+NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg);
+
+/*
+ * Return a pointer to the actual content. 
+ * In the case of those types which are encrypted, this returns the *plain* content.
+ * In case of nested contentInfos, this descends and retrieves the innermost content.
+ */
+extern SECItem *
+NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
+ *
+ * CMS data content objects do not count.
+ */
+extern int
+NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_ContentLevel - find content level #n
+ *
+ * CMS data content objects do not count.
+ */
+extern NSSCMSContentInfo *
+NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n);
+
+/*
+ * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
+ */
+extern PRBool
+NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
+ */
+extern PRBool
+NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
+ *
+ * If the CMS message has a SignedData with a signature (not just a SignedData)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+extern PRBool
+NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsContentEmpty - see if content is empty
+ *
+ * returns PR_TRUE is innermost content length is < minLen
+ * XXX need the encrypted content length (why?)
+ */
+extern PRBool
+NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen);
+
+/************************************************************************
+ * cmscinfo.c - CMS contentInfo methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
+ */
+extern void
+NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
+ */
+extern NSSCMSContentInfo *
+NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_SetContent - set cinfo's content type & content to CMS object
+ */
+extern SECStatus
+NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr);
+
+/*
+ * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetType
+ *   set cinfo's content type & content to CMS object
+ */
+extern SECStatus
+NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSContentInfo_GetContent - get pointer to inner content
+ *
+ * needs to be casted...
+ */
+extern void *
+NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo);
+
+/* 
+ * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
+ *
+ * this is typically only called by NSS_CMSMessage_GetContent()
+ */
+extern SECItem *
+NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
+ * for future reference) and return the inner content type.
+ */
+extern SECOidTag
+NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo);
+
+extern SECItem *
+NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
+ * for future reference) and return the content encryption algorithm tag.
+ */
+extern SECOidTag
+NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
+ */
+extern SECAlgorithmID *
+NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECOidTag bulkalgtag, SECItem *parameters, int keysize);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECAlgorithmID *algid, int keysize);
+
+extern void
+NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey);
+
+extern PK11SymKey *
+NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo);
+
+extern int
+NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo);
+
+/************************************************************************
+ * cmsutil.c - CMS misc utility functions
+ ************************************************************************/
+
+/*
+ * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
+ *
+ * make sure that the order of the objects guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in objs).
+ */
+extern SECStatus
+NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2);
+
+/*
+ * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
+ *  sort arrays of SECItems containing DER
+ */
+extern int
+NSS_CMSUtil_DERCompare(void *a, void *b);
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algid - algorithmid of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+extern int
+NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid);
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algiddata - id of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+extern int
+NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag);
+
+extern const SECHashObject *
+NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid);
+
+extern const SEC_ASN1Template *
+NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type);
+
+extern size_t
+NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type);
+
+extern NSSCMSContentInfo *
+NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type);
+
+extern const char *
+NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs);
+
+/************************************************************************
+ * cmssigdata.c - CMS signedData methods
+ ************************************************************************/
+
+extern NSSCMSSignedData *
+NSS_CMSSignedData_Create(NSSCMSMessage *cmsg);
+
+extern void
+NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
+ *     before start of encoding.
+ *
+ * In detail:
+ *  - find out about the right value to put into sigd->version
+ *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
+ *         in the signerinfos).
+ *         If we happen to have a pre-set list of algorithms (and digest values!), we
+ *         check if we have all the signerinfos' algorithms. If not, this is an error.
+ */
+extern SECStatus
+NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - create the signatures in all the SignerInfos
+ *
+ * Please note that nothing is done to the Certificates and CRLs in the message - this
+ * is entirely the responsibility of our callers.
+ */
+extern SECStatus
+NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the decoder.
+ */
+extern SECStatus
+NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
+ *     after all decoding is finished.
+ */
+extern SECStatus
+NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd);
+
+/* 
+ * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
+ */
+extern NSSCMSSignerInfo **
+NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd);
+
+extern int
+NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd);
+
+extern NSSCMSSignerInfo *
+NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i);
+
+/* 
+ * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
+ */
+extern SECAlgorithmID **
+NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd);
+
+/* 
+ * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
+ */
+extern SECItem **
+NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
+				SECCertUsage certusage, PRBool keepcerts);
+
+/*
+ * NSS_CMSSignedData_HasDigests - see if we have digests in place
+ */
+extern PRBool
+NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_VerifySignerInfo - check a signature.
+ *
+ * The digests were either calculated during decoding (and are stored in the
+ * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
+ *
+ * The verification checks if the signing cert is valid and has a trusted chain
+ * for the purpose specified by "certusage".
+ */
+extern SECStatus
+NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb,
+				    SECCertUsage certusage);
+
+/*
+ * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
+*/
+extern SECStatus
+NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
+                                  CERTCertDBHandle *certdb, 
+                                  SECCertUsage usage);
+
+extern SECStatus
+NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist);
+
+/*
+ * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
+ */
+extern SECStatus
+NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert);
+
+extern SECStatus
+NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
+
+extern PRBool
+NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
+				NSSCMSSignerInfo *signerinfo);
+
+extern SECStatus
+NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
+				SECAlgorithmID **digestalgs,
+				SECItem **digests);
+
+extern SECStatus
+NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digestdata);
+
+extern SECStatus
+NSS_CMSSignedData_AddDigest(PLArenaPool *poolp,
+				NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digest);
+
+extern SECItem *
+NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag);
+
+/*
+ * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
+ *
+ * cert          - base certificates that will be included
+ * include_chain - if true, include the complete cert chain for cert
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ */
+extern NSSCMSSignedData *
+NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain);
+
+/************************************************************************
+ * cmssiginfo.c - signerinfo methods
+ ************************************************************************/
+
+extern NSSCMSSignerInfo *
+NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag);
+extern NSSCMSSignerInfo *
+NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
+
+/*
+ * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
+ */
+extern void
+NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si);
+
+/*
+ * NSS_CMSSignerInfo_Sign - sign something
+ *
+ */
+extern SECStatus
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
+
+extern SECStatus
+NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
+			    SECCertUsage certusage);
+
+/*
+ * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
+ *
+ * Just verifies the signature. The assumption is that verification of the certificate
+ * is done already.
+ */
+extern SECStatus
+NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
+
+extern NSSCMSVerificationStatus
+NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo);
+
+extern SECOidData *
+NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo);
+
+extern SECOidTag
+NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo);
+
+extern int
+NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo);
+
+extern CERTCertificateList *
+NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
+ *				      in UTCTime format, of a CMS signerInfo.
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to XXXX (what?)
+ * A return value of NULL is an error.
+ */
+extern SECStatus
+NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime);
+
+/*
+ * Return the signing cert of a CMS signerInfo.
+ *
+ * the certs in the enclosing SignedData must have been imported already
+ */
+extern CERTCertificate *
+NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb);
+
+/*
+ * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed with PORT_Free.
+ * A return value of NULL is an error.
+ */
+extern char *
+NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo);
+
+/*
+ * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+extern char *
+NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo);
+
+/*
+ * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
+ * unauthenticated attributes of "signerinfo". 
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
+
+/* 
+ * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will do nothing.
+ *
+ * XXX This will probably just shove the current time into "signerinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t);
+
+/*
+ * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo".
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME).
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo".
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
+
+/*
+ * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME),
+ * if compatibility with Microsoft mail clients is wanted.
+ */
+SECStatus
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
+
+/* 
+ * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
+				    SECOidTag digestalg, CERTCertificate signingcert);
+
+/*
+ * XXXX the following needs to be done in the S/MIME layer code
+ * after signature of a signerinfo is verified
+ */
+extern SECStatus
+NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
+ */
+extern SECStatus
+NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage);
+
+/************************************************************************
+ * cmsenvdata.c - CMS envelopedData methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSEnvelopedData_Create - create an enveloped data message
+ */
+extern NSSCMSEnvelopedData *
+NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
+
+/*
+ * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
+ */
+extern void
+NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp);
+
+/*
+ * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
+ *
+ * rip must be created on the same pool as edp - this is not enforced, though.
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
+ *
+ * at this point, we need
+ * - recipientinfos set up with recipient's certificates
+ * - a content encryption algorithm (if none, 3DES will be used)
+ *
+ * this function will generate a random content encryption key (aka bulk key),
+ * initialize the recipientinfos with certificate identification and wrap the bulk key
+ * using the proper algorithm for every certificiate.
+ * it will finally set the bulk algorithm and key so that the encode step can find it.
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
+ * derive bulk key & set up our contentinfo
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd);
+
+
+/************************************************************************
+ * cmsrecinfo.c - CMS recipientInfo methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSRecipientInfo_Create - create a recipientinfo
+ *
+ * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
+ * the certificate is supposed to have been verified by the caller
+ */
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert);
+
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage   *cmsg, 
+                                         SECItem         *subjKeyID,
+                                         SECKEYPublicKey *pubKey);
+
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, 
+                                                 CERTCertificate *cert);
+
+/*
+ * NSS_CMSRecipientInfo_CreateNew - create a blank recipientinfo for 
+ * applications which want to encode their own CMS structures and
+ * key exchange types.
+ */
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg);
+
+/*
+ * NSS_CMSRecipientInfo_CreateFromDER - create a recipientinfo  from partially
+ * decoded DER data for applications which want to encode their own CMS 
+ * structures and key exchange types.
+ */
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg);
+
+extern void
+NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri);
+
+/*
+ * NSS_CMSRecipientInfo_GetCertAndKey - retrieve the cert and key from the
+ * recipientInfo struct. If retcert or retkey are NULL, the cert or 
+ * key (respectively) would not be returned). This function is a no-op if both 
+ * retcert and retkey are NULL. Caller inherits ownership of the cert and key
+ * he requested (and is responsible to free them).
+ */
+SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri,
+   CERTCertificate** retcert, SECKEYPrivateKey** retkey);
+
+extern int
+NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri);
+
+extern SECItem *
+NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex);
+
+/*
+ * NSS_CMSRecipientInfo_Encode - encode an NSS_CMSRecipientInfo as ASN.1
+ */
+SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool* poolp,
+                                      const NSSCMSRecipientInfo *src,
+                                      SECItem* returned);
+
+extern SECOidTag
+NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri);
+
+extern SECStatus
+NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag);
+
+extern PK11SymKey *
+NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
+		CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag);
+
+/************************************************************************
+ * cmsencdata.c - CMS encryptedData methods
+ ************************************************************************/
+/*
+ * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * "keysize" is the key size.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern NSSCMSEncryptedData *
+NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
+
+/*
+ * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
+ */
+extern void
+NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the correct version value.
+ *  - get the encryption key
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd);
+
+/************************************************************************
+ * cmsdigdata.c - CMS encryptedData methods
+ ************************************************************************/
+/*
+ * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
+ *
+ * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
+ * digestAlg is passed as parameter
+ * contentInfo must be filled by the user
+ * digest will be calculated while encoding
+ */
+extern NSSCMSDigestedData *
+NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg);
+
+/*
+ * NSS_CMSDigestedData_Destroy - destroy a digestedData object
+ */
+extern void
+NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the right version number. The contentInfo's content type must be set up already.
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
+ *
+ * In detail:
+ *  - check the digests for equality
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd);
+
+/************************************************************************
+ * cmsdigest.c - digestion routines
+ ************************************************************************/
+
+/*
+ * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
+ *  digest algorithms in "digestalgs" in parallel.
+ */
+extern NSSCMSDigestContext *
+NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs);
+
+/*
+ * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
+ *  only one algorithm.
+ */
+extern NSSCMSDigestContext *
+NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg);
+
+/*
+ * NSS_CMSDigestContext_Update - feed more data into the digest machine
+ */
+extern void
+NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len);
+
+/*
+ * NSS_CMSDigestContext_Cancel - cancel digesting operation
+ */
+extern void
+NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx);
+
+/*
+ * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
+ *  into an array of SECItems (allocated on poolp)
+ */
+extern SECStatus
+NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem ***digestsp);
+
+/*
+ * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
+ *  but for one digest.
+ */
+extern SECStatus
+NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem *digest);
+
+/************************************************************************
+ * 
+ ************************************************************************/
+
+/* shortcuts for basic use */
+
+/*
+ * NSS_CMSDEREncode - DER Encode a CMS message, with input being
+ *                    the plaintext message and derOut being the output,
+ *                    stored in arena's pool.
+ */
+extern SECStatus
+NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
+                 PLArenaPool *arena);
+
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _CMS_H_ */
diff --git a/security/nss/lib/smime/cmsarray.c b/security/nss/lib/smime/cmsarray.c
new file mode 100644
index 000000000..7f331c82a
--- /dev/null
+++ b/security/nss/lib/smime/cmsarray.c
@@ -0,0 +1,219 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS array functions.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secerr.h"
+
+/*
+ * ARRAY FUNCTIONS
+ *
+ * In NSS, arrays are rather primitive arrays of pointers.
+ * Makes it easy to walk the array, but hard to count elements
+ * and manage the storage.
+ *
+ * This is a feeble attempt to encapsulate the functionality
+ * and get rid of hundreds of lines of similar code
+ */
+
+/*
+ * NSS_CMSArray_Alloc - allocate an array in an arena
+ *
+ * This allocates space for the array of pointers
+ */
+void **
+NSS_CMSArray_Alloc(PRArenaPool *poolp, int n)
+{
+    return (void **)PORT_ArenaZAlloc(poolp, n * sizeof(void *));
+}
+
+/*
+ * NSS_CMSArray_Add - add an element to the end of an array
+ *
+ * The array of pointers is either created (if array was empty before) or grown.
+ */
+SECStatus
+NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj)
+{
+    void **p;
+    int n;
+    void **dest;
+
+    PORT_Assert(array != NULL);
+    if (array == NULL)
+	return SECFailure;
+
+    if (*array == NULL) {
+	dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *));
+	n = 0;
+    } else {
+	n = 0; p = *array;
+	while (*p++)
+	    n++;
+	dest = (void **)PORT_ArenaGrow (poolp, 
+			      *array,
+			      (n + 1) * sizeof(void *),
+			      (n + 2) * sizeof(void *));
+    }
+
+    if (dest == NULL)
+	return SECFailure;
+
+    dest[n] = obj;
+    dest[n+1] = NULL;
+    *array = dest;
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSArray_IsEmpty - check if array is empty
+ */
+PRBool
+NSS_CMSArray_IsEmpty(void **array)
+{
+    return (array == NULL || array[0] == NULL);
+}
+
+/*
+ * NSS_CMSArray_Count - count number of elements in array
+ */
+int
+NSS_CMSArray_Count(void **array)
+{
+    int n = 0;
+
+    if (array == NULL)
+	return 0;
+
+    while (*array++ != NULL)
+	n++;
+
+    return n;
+}
+
+/*
+ * NSS_CMSArray_Sort - sort an array in place
+ *
+ * If "secondary" or "tertiary are not NULL, it must be arrays with the same
+ *  number of elements as "primary". The same reordering will get applied to it.
+ *
+ * "compare" is a function that returns 
+ *  < 0 when the first element is less than the second
+ *  = 0 when the first element is equal to the second
+ *  > 0 when the first element is greater than the second
+ * to acheive ascending ordering.
+ */
+void
+NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary)
+{
+    int n, i, limit, lastxchg;
+    void *tmp;
+
+    n = NSS_CMSArray_Count(primary);
+
+    PORT_Assert(secondary == NULL || NSS_CMSArray_Count(secondary) == n);
+    PORT_Assert(tertiary == NULL || NSS_CMSArray_Count(tertiary) == n);
+    
+    if (n <= 1)	/* ordering is fine */
+	return;
+    
+    /* yes, ladies and gentlemen, it's BUBBLE SORT TIME! */
+    limit = n - 1;
+    while (1) {
+	lastxchg = 0;
+	for (i = 0; i < limit; i++) {
+	    if ((*compare)(primary[i], primary[i+1]) > 0) {
+		/* exchange the neighbours */
+		tmp = primary[i+1];
+		primary[i+1] = primary[i];
+		primary[i] = tmp;
+		if (secondary) {		/* secondary array? */
+		    tmp = secondary[i+1];	/* exchange there as well */
+		    secondary[i+1] = secondary[i];
+		    secondary[i] = tmp;
+		}
+		if (tertiary) {			/* tertiary array? */
+		    tmp = tertiary[i+1];	/* exchange there as well */
+		    tertiary[i+1] = tertiary[i];
+		    tertiary[i] = tmp;
+		}
+		lastxchg = i+1;	/* index of the last element bubbled up */
+	    }
+	}
+	if (lastxchg == 0)	/* no exchanges, so array is sorted */
+	    break;		/* we're done */
+	limit = lastxchg;	/* array is sorted up to [limit] */
+    }
+}
+
+#if 0
+
+/* array iterator stuff... not used */
+
+typedef void **NSSCMSArrayIterator;
+
+/* iterator */
+NSSCMSArrayIterator
+NSS_CMSArray_First(void **array)
+{
+    if (array == NULL || array[0] == NULL)
+	return NULL;
+    return (NSSCMSArrayIterator)&(array[0]);
+}
+
+void *
+NSS_CMSArray_Obj(NSSCMSArrayIterator iter)
+{
+    void **p = (void **)iter;
+
+    return *iter;	/* which is NULL if we are at the end of the array */
+}
+
+NSSCMSArrayIterator
+NSS_CMSArray_Next(NSSCMSArrayIterator iter)
+{
+    void **p = (void **)iter;
+
+    return (NSSCMSArrayIterator)(p + 1);
+}
+
+#endif
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
new file mode 100644
index 000000000..93d206e90
--- /dev/null
+++ b/security/nss/lib/smime/cmsasn1.c
@@ -0,0 +1,578 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS ASN.1 templates
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "secerr.h"
+
+
+extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToOctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
+/* -----------------------------------------------------------------------------
+ * MESSAGE
+ * (uses NSSCMSContentInfo)
+ */
+
+/* forward declaration */
+static const SEC_ASN1Template *
+nss_cms_choose_content_template(void *src_or_dest, PRBool encoding);
+
+static const SEC_ASN1TemplateChooserPtr nss_cms_chooser
+	= nss_cms_choose_content_template;
+
+const SEC_ASN1Template NSSCMSMessageTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSMessage) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSMessage,contentInfo.contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSMessage,contentInfo.content),
+	  &nss_cms_chooser },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSS_PointerToCMSMessageTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSMessageTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * ENCAPSULATED & ENCRYPTED CONTENTINFO
+ * (both use a NSSCMSContentInfo)
+ */
+static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSContentInfo,contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSContentInfo,rawContent),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSContentInfo,contentType) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSContentInfo,contentEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSContentInfo,rawContent),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * SIGNED DATA
+ */
+
+const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
+
+const SEC_ASN1Template NSSCMSSignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSSignedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSSignedData,version) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSSignedData,contentInfo),
+	  NSSCMSEncapsulatedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSSignedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSSignedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSSignedData,signerInfos),
+	  NSSCMSSignerInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSSignedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSSignedDataTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * signeridentifier
+ */
+
+static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSSignerIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSSignerIdentifier) },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSSignerIdentifier,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) ,
+	  NSSCMSRecipientID_SubjectKeyID },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSRecipientID_IssuerSN },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * signerinfo
+ */
+
+const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSignerInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSSignerInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSSignerInfo,signerIdentifier),
+	  NSSCMSSignerIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerInfo,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSSignerInfo,authAttr),
+	  nss_cms_set_of_attribute_template },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerInfo,digestEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSignerInfo,encDigest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSSignerInfo,unAuthAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * ENVELOPED DATA
+ */
+
+static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSOriginatorInfo) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSOriginatorInfo,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSOriginatorInfo,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+
+const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSEnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSEnvelopedData,version) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSEnvelopedData,originatorInfo),
+	  NSSCMSOriginatorInfoTemplate },
+    { SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSEnvelopedData,recipientInfos),
+	  NSSCMSRecipientInfoTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSEnvelopedData,contentInfo),
+	  NSSCMSEncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSEnvelopedData,unprotectedAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSEnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSEnvelopedDataTemplate }
+};
+
+/* here come the 15 gazillion templates for all the v3 varieties of RecipientInfo */
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSRecipientIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSRecipientIdentifier) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
+	  NSSCMSRecipientID_SubjectKeyID },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSRecipientID_IssuerSN },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKeyTransRecipientInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier),
+	  NSSCMSRecipientIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKeyTransRecipientInfo,encKey) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSOriginatorPublicKey) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorPublicKey,publicKey),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL,
+	  sizeof(NSSCMSOriginatorIdentifierOrKey) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSOriginatorIDOrKey_IssuerSN },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
+	  NSSCMSOriginatorIDOrKey_SubjectKeyID },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey),
+	  NSSCMSOriginatorPublicKeyTemplate,
+	  NSSCMSOriginatorIDOrKey_OriginatorPublicKey },
+    { 0 }
+};
+
+const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,subjectKeyIdentifier) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,date) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,other) },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSKeyAgreeRecipientIdentifier) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSKeyAgreeRecipientID_IssuerSN },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier),
+	  NSSCMSRecipientKeyIdentifierTemplate,
+	  NSSCMSKeyAgreeRecipientID_RKeyID },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSRecipientEncryptedKey) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier),
+	  NSSCMSKeyAgreeRecipientIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSRecipientEncryptedKey,encKey),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,version) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey),
+	  NSSCMSOriginatorIdentifierOrKeyTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,ukm),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys),
+	  NSSCMSRecipientEncryptedKeyTemplate },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSKEKIdentifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKEKIdentifier) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,keyIdentifier) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,date) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,other) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKEKRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKEKRecipientInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSKEKRecipientInfo,kekIdentifier),
+	  NSSCMSKEKIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKEKRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKRecipientInfo,encKey) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSRecipientInfo,recipientInfoType), NULL,
+	  sizeof(NSSCMSRecipientInfo) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSRecipientInfo,ri.keyAgreeRecipientInfo),
+	  NSSCMSKeyAgreeRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KeyAgree },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(NSSCMSRecipientInfo,ri.kekRecipientInfo),
+	  NSSCMSKEKRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KEK },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSRecipientInfo,ri.keyTransRecipientInfo),
+	  NSSCMSKeyTransRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KeyTrans },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ *
+ */
+
+const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSDigestedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSDigestedData,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSDigestedData,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSDigestedData,contentInfo),
+	  NSSCMSEncapsulatedContentInfoTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSDigestedData,digest) },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSDigestedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSDigestedDataTemplate }
+};
+
+const SEC_ASN1Template NSSCMSEncryptedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSEncryptedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSEncryptedData,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSEncryptedData,contentInfo),
+	  NSSCMSEncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSEncryptedData,unprotectedAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSEncryptedDataTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * FORTEZZA KEA
+ */
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ 0 }
+};
+
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateNoSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
+	{ 0 }
+};
+
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,bulkKeySize) },
+	{ 0 }
+};
+
+const SEC_ASN1Template *
+nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate)
+{
+	const SEC_ASN1Template *returnVal = NULL;
+
+	switch(whichTemplate)
+	{
+	case NSSCMSKEAUsesNonSkipjack:
+		returnVal = NSS_SMIMEKEAParamTemplateNoSkipjack;
+		break;
+	case NSSCMSKEAUsesSkipjack:
+		returnVal = NSS_SMIMEKEAParamTemplateSkipjack;
+		break;
+	case NSSCMSKEAUsesNonSkipjackWithPaddedEncKey:
+	default:
+		returnVal = NSS_SMIMEKEAParamTemplateAllParams;
+		break;
+	}
+	return returnVal;
+}
+
+/* -----------------------------------------------------------------------------
+ *
+ */
+static const SEC_ASN1Template *
+nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    NSSCMSContentInfo *cinfo;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    cinfo = (NSSCMSContentInfo *)src_or_dest;
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    default:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
+	break;
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	theTemplate = NSS_PointerToCMSSignedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	theTemplate = NSS_PointerToCMSEnvelopedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	theTemplate = NSS_PointerToCMSDigestedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	theTemplate = NSS_PointerToCMSEncryptedDataTemplate;
+	break;
+    }
+    return theTemplate;
+}
diff --git a/security/nss/lib/smime/cmsattr.c b/security/nss/lib/smime/cmsattr.c
new file mode 100644
index 000000000..26d9dbb78
--- /dev/null
+++ b/security/nss/lib/smime/cmsattr.c
@@ -0,0 +1,461 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS attributes.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+/*
+ * -------------------------------------------------------------------
+ * XXX The following Attribute stuff really belongs elsewhere.
+ * The Attribute type is *not* part of CMS but rather X.501.
+ * But for now, since CMS is the only customer of attributes,
+ * we define them here.  Once there is a use outside of CMS,
+ * then change the attribute types and functions from internal
+ * to external naming convention, and move them elsewhere!
+ */
+
+
+/*
+ * NSS_CMSAttribute_Create - create an attribute
+ *
+ * if value is NULL, the attribute won't have a value. It can be added later
+ * with NSS_CMSAttribute_AddValue.
+ */
+NSSCMSAttribute *
+NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded)
+{
+    NSSCMSAttribute *attr;
+    SECItem *copiedvalue;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+
+    mark = PORT_ArenaMark (poolp);
+
+    attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute));
+    if (attr == NULL)
+	goto loser;
+
+    attr->typeTag = SECOID_FindOIDByTag(oidtag);
+    if (attr->typeTag == NULL)
+	goto loser;
+
+    if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
+	goto loser;
+
+    if (value != NULL) {
+	if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL)
+	    goto loser;
+
+	if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
+	    goto loser;
+    }
+
+    attr->encoded = encoded;
+
+    PORT_ArenaUnmark (poolp, mark);
+
+    return attr;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSAttribute_AddValue - add another value to an attribute
+ */
+SECStatus
+NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value)
+{
+    SECItem *copiedvalue;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+
+    mark = PORT_ArenaMark(poolp);
+
+    if (value == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto loser;
+    }
+
+    if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL)
+	goto loser;
+
+    if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSAttribute_GetType - return the OID tag
+ */
+SECOidTag
+NSS_CMSAttribute_GetType(NSSCMSAttribute *attr)
+{
+    SECOidData *typetag;
+
+    typetag = SECOID_FindOID(&(attr->type));
+    if (typetag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return typetag->offset;
+}
+
+/*
+ * NSS_CMSAttribute_GetValue - return the first attribute value
+ *
+ * We do some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+SECItem *
+NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr)
+{
+    SECItem *value;
+
+    if (attr == NULL)
+	return NULL;
+
+    value = attr->values[0];
+
+    if (value == NULL || value->data == NULL || value->len == 0)
+	return NULL;
+
+    if (attr->values[1] != NULL)
+	return NULL;
+
+    return value;
+}
+
+/*
+ * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
+ */
+PRBool
+NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av)
+{
+    SECItem *value;
+    
+    if (attr == NULL)
+	return PR_FALSE;
+
+    value = NSS_CMSAttribute_GetValue(attr);
+
+    return (value != NULL && value->len == av->len &&
+	PORT_Memcmp (value->data, av->data, value->len) == 0);
+}
+
+/*
+ * templates and functions for separate ASN.1 encoding of attributes
+ *
+ * used in NSS_CMSAttributeArray_Reorder
+ */
+
+/*
+ * helper function for dynamic template determination of the attribute value
+ */
+static const SEC_ASN1Template *
+cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    NSSCMSAttribute *attribute;
+    SECOidData *oiddata;
+    PRBool encoded;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    attribute = (NSSCMSAttribute *)src_or_dest;
+
+    if (encoding && (!attribute->values || !attribute->values[0] ||
+        attribute->encoded)) {
+        /* we're encoding, and the attribute has no value or the attribute
+         * value is already encoded. */
+        return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    /* get attribute's typeTag */
+    oiddata = attribute->typeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&attribute->type);
+	attribute->typeTag = oiddata;
+    }
+
+    if (oiddata == NULL) {
+	/* still no OID tag? OID is unknown then. en/decode value as ANY. */
+	encoded = PR_TRUE;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+    } else {
+	switch (oiddata->offset) {
+	case SEC_OID_PKCS9_SMIME_CAPABILITIES:
+	case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE:
+	    /* these guys need to stay DER-encoded */
+	default:
+	    /* same goes for OIDs that are not handled here */
+	    encoded = PR_TRUE;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	    /* otherwise choose proper template */
+	case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	case SEC_OID_RFC1274_MAIL:
+	case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+	case SEC_OID_PKCS9_CONTENT_TYPE:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
+	    break;
+	case SEC_OID_PKCS9_MESSAGE_DIGEST:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_SIGNING_TIME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate);
+	    break;
+	  /* XXX Want other types here, too */
+	}
+    }
+
+    if (encoding) {
+	/*
+	 * If we are encoding and we think we have an already-encoded value,
+	 * then the code which initialized this attribute should have set
+	 * the "encoded" property to true (and we would have returned early,
+	 * up above).  No devastating error, but that code should be fixed.
+	 * (It could indicate that the resulting encoded bytes are wrong.)
+	 */
+	PORT_Assert (!encoded);
+    } else {
+	/*
+	 * We are decoding; record whether the resulting value is
+	 * still encoded or not.
+	 */
+	attribute->encoded = encoded;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1TemplateChooserPtr cms_attr_chooser
+	= cms_attr_choose_attr_value_template;
+
+const SEC_ASN1Template nss_cms_attribute_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSAttribute) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSAttribute,type) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSAttribute,values),
+	  &cms_attr_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template nss_cms_set_of_attribute_template[] = {
+    { SEC_ASN1_SET_OF, 0, nss_cms_attribute_template },
+};
+
+/* =============================================================================
+ * Attribute Array methods
+ */
+
+/*
+ * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
+ *
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+SECItem *
+NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template);
+}
+
+/*
+ * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
+ *
+ * make sure that the order of the attributes guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in attrs).
+ */
+SECStatus
+NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs)
+{
+    return NSS_CMSArray_SortByDER((void **)attrs, nss_cms_attribute_template, NULL);
+}
+
+/*
+ * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
+ * find one that matches the specified object ID.
+ *
+ * If "only" is true, then make sure that there is not more than one attribute
+ * of the same type.  Otherwise, just return the first one found. (XXX Does
+ * anybody really want that first-found behavior?  It was like that when I found it...)
+ */
+NSSCMSAttribute *
+NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only)
+{
+    SECOidData *oid;
+    NSSCMSAttribute *attr1, *attr2;
+
+    if (attrs == NULL)
+	return NULL;
+
+    oid = SECOID_FindOIDByTag(oidtag);
+    if (oid == NULL)
+	return NULL;
+
+    while ((attr1 = *attrs++) != NULL) {
+	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr1 == NULL)
+	return NULL;
+
+    if (!only)
+	return attr1;
+
+    while ((attr2 = *attrs++) != NULL) {
+	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr2 != NULL)
+	return NULL;
+
+    return attr1;
+}
+
+/*
+ * NSS_CMSAttributeArray_AddAttr - add an attribute to an
+ * array of attributes. 
+ */
+SECStatus
+NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr)
+{
+    NSSCMSAttribute *oattr;
+    void *mark;
+    SECOidTag type;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* find oidtag of attr */
+    type = NSS_CMSAttribute_GetType(attr);
+
+    /* see if we have one already */
+    oattr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
+    PORT_Assert (oattr == NULL);
+    if (oattr != NULL)
+	goto loser;	/* XXX or would it be better to replace it? */
+
+    /* no, shove it in */
+    if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
+ */
+SECStatus
+NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded)
+{
+    NSSCMSAttribute *attr;
+    void *mark;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* see if we have one already */
+    attr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
+    if (attr == NULL) {
+	/* not found? create one! */
+	attr = NSS_CMSAttribute_Create(poolp, type, value, encoded);
+	if (attr == NULL)
+	    goto loser;
+	/* and add it to the list */
+	if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
+	    goto loser;
+    } else {
+	/* found, shove it in */
+	/* XXX we need a decent memory model @#$#$!#!!! */
+	attr->values[0] = value;
+	attr->encoded = encoded;
+    }
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
new file mode 100644
index 000000000..1129ea33e
--- /dev/null
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -0,0 +1,360 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS contentInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "pk11func.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSContentInfo_Create - create a content info
+ *
+ * version is set in the _Finalize procedures for each content type
+ */
+
+/*
+ * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
+ */
+void
+NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    switch (kind) {
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	NSS_CMSSignedData_Destroy(cinfo->content.signedData);
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData);
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	NSS_CMSDigestedData_Destroy(cinfo->content.digestedData);
+	break;
+      default:
+	/* XXX Anything else that needs to be "manually" freed/destroyed? */
+	break;
+    }
+    if (cinfo->digcx) {
+	/* must destroy digest objects */
+	NSS_CMSDigestContext_Cancel(cinfo->digcx);
+	cinfo->digcx = NULL;
+    }
+    if (cinfo->bulkkey)
+	PK11_FreeSymKey(cinfo->bulkkey);
+
+    if (cinfo->ciphcx) {
+	NSS_CMSCipherContext_Destroy(cinfo->ciphcx);
+	cinfo->ciphcx = NULL;
+    }
+    
+    /* we live in a pool, so no need to worry about storage */
+}
+
+/*
+ * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
+ */
+NSSCMSContentInfo *
+NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
+{
+    void * ptr                  = NULL;
+    NSSCMSContentInfo * ccinfo  = NULL;
+    SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    switch (tag) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	ptr    = (void *)cinfo->content.signedData;
+	ccinfo = &(cinfo->content.signedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	ptr    = (void *)cinfo->content.envelopedData;
+	ccinfo = &(cinfo->content.envelopedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	ptr    = (void *)cinfo->content.digestedData;
+	ccinfo = &(cinfo->content.digestedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	ptr    = (void *)cinfo->content.encryptedData;
+	ccinfo = &(cinfo->content.encryptedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_DATA:
+    default:
+	break;
+    }
+    return (ptr ? ccinfo : NULL);
+}
+
+/*
+ * NSS_CMSContentInfo_SetContent - set content type & content
+ */
+SECStatus
+NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr)
+{
+    SECStatus rv;
+
+    cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
+    if (cinfo->contentTypeTag == NULL)
+	return SECFailure;
+    
+    /* do not copy the oid, just create a reference */
+    rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return SECFailure;
+
+    cinfo->content.pointer = ptr;
+
+    if (type != SEC_OID_PKCS7_DATA) {
+	/* as we always have some inner data,
+	 * we need to set it to something, just to fool the encoder enough to work on it
+	 * and get us into nss_cms_encoder_notify at that point */
+	cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
+	if (cinfo->rawContent == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetContent
+ */
+
+/*
+ * data == NULL -> pass in data via NSS_CMSEncoder_Update
+ * data != NULL -> take this data
+ */
+SECStatus
+NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached)
+{
+    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
+	return SECFailure;
+    cinfo->rawContent = (detached) ? 
+			    NULL : (data) ? 
+				data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_SIGNED_DATA, (void *)sigd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENVELOPED_DATA, (void *)envd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DIGESTED_DATA, (void *)digd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd);
+}
+
+/*
+ * NSS_CMSContentInfo_GetContent - get pointer to inner content
+ *
+ * needs to be casted...
+ */
+void *
+NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
+{
+    SECOidTag tag = (cinfo && cinfo->contentTypeTag) 
+	                ? cinfo->contentTypeTag->offset 
+	                : SEC_OID_UNKNOWN;
+    switch (tag) {
+    case SEC_OID_PKCS7_DATA:
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return cinfo->content.pointer;
+    default:
+	return NULL;
+    }
+}
+
+/* 
+ * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
+ *
+ * this is typically only called by NSS_CMSMessage_GetContent()
+ */
+SECItem *
+NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+{
+    NSSCMSContentInfo *ccinfo;
+    SECOidTag          tag;
+    SECItem           *pItem = NULL;
+
+    tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    switch (tag) {
+    case SEC_OID_PKCS7_DATA:
+	/* end of recursion - every message has to have a data cinfo */
+	pItem = cinfo->content.data; 
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
+	if (ccinfo != NULL)
+	    pItem = NSS_CMSContentInfo_GetContent(ccinfo);
+	break;
+    default:
+	PORT_Assert(0);
+	break;
+    }
+    return pItem;
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
+ * for future reference) and return the inner content type.
+ */
+SECOidTag
+NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return cinfo->contentTypeTag->offset;
+}
+
+SECItem *
+NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return NULL;
+
+    return &(cinfo->contentTypeTag->oid);
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
+ * for future reference) and return the content encryption algorithm tag.
+ */
+SECOidTag
+NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
+	cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
+
+    return cinfo->contentEncAlgTag;
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
+ */
+SECAlgorithmID *
+NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
+{
+    return &(cinfo->contentEncAlg);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECOidTag bulkalgtag, SECItem *parameters, int keysize)
+{
+    SECStatus rv;
+
+    rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
+    if (rv != SECSuccess)
+	return SECFailure;
+    cinfo->keysize = keysize;
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECAlgorithmID *algid, int keysize)
+{
+    SECStatus rv;
+
+    rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
+    if (rv != SECSuccess)
+	return SECFailure;
+    if (keysize >= 0)
+	cinfo->keysize = keysize;
+    return SECSuccess;
+}
+
+void
+NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
+{
+    cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+    cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+}
+
+PK11SymKey *
+NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->bulkkey == NULL)
+	return NULL;
+
+    return PK11_ReferenceSymKey(cinfo->bulkkey);
+}
+
+int
+NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
+{
+    return cinfo->keysize;
+}
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
new file mode 100644
index 000000000..ca9f31d21
--- /dev/null
+++ b/security/nss/lib/smime/cmscipher.c
@@ -0,0 +1,747 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Encryption/decryption routines for CMS implementation, none of which are exported.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * -------------------------------------------------------------------
+ * Cipher stuff.
+ */
+
+typedef SECStatus (*nss_cms_cipher_function) (void *, unsigned char *, unsigned int *,
+					unsigned int, const unsigned char *, unsigned int);
+typedef SECStatus (*nss_cms_cipher_destroy) (void *, PRBool);
+
+#define BLOCK_SIZE 4096
+
+struct NSSCMSCipherContextStr {
+    void *		cx;			/* PK11 cipher context */
+    nss_cms_cipher_function doit;
+    nss_cms_cipher_destroy destroy;
+    PRBool		encrypt;		/* encrypt / decrypt switch */
+    int			block_size;		/* block & pad sizes for cipher */
+    int			pad_size;
+    int			pending_count;		/* pending data (not yet en/decrypted */
+    unsigned char	pending_buf[BLOCK_SIZE];/* because of blocking */
+};
+
+/*
+ * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
+ * based on the given bulk encryption key and algorithm identifier (which 
+ * may include an iv).
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function below (for starting up encryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+NSSCMSCipherContext *
+NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid)
+{
+    NSSCMSCipherContext *cc;
+    void *ciphercx;
+    CK_MECHANISM_TYPE cryptoMechType;
+    SECItem *param;
+    PK11SlotInfo *slot;
+    SECOidTag algtag;
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+
+    /* set param and mechanism */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	SECItem *pwitem;
+
+	pwitem = PK11_GetSymKeyUserData(key);
+	if (!pwitem) 
+	    return NULL;
+
+	cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);
+	if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	    return NULL;
+	}
+
+    } else {
+	cryptoMechType = PK11_AlgtagToMechanism(algtag);
+	if ((param = PK11_ParamFromAlgid(algid)) == NULL)
+	    return NULL;
+    }
+
+    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
+    if (cc == NULL) {
+	SECITEM_FreeItem(param,PR_TRUE);
+	return NULL;
+    }
+
+    /* figure out pad and block sizes */
+    cc->pad_size = PK11_GetBlockSize(cryptoMechType, param);
+    slot = PK11_GetSlotFromKey(key);
+    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
+    PK11_FreeSlot(slot);
+
+    /* create PK11 cipher context */
+    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, 
+					  key, param);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (ciphercx == NULL) {
+	PORT_Free (cc);
+	return NULL;
+    }
+
+    cc->cx = ciphercx;
+    cc->doit =  (nss_cms_cipher_function) PK11_CipherOp;
+    cc->destroy = (nss_cms_cipher_destroy) PK11_DestroyContext;
+    cc->encrypt = PR_FALSE;
+    cc->pending_count = 0;
+
+    return cc;
+}
+
+/*
+ * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
+ * based on the given bulk encryption key and algorithm tag.  Fill in the 
+ * algorithm identifier (which may include an iv) appropriately.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function above (for starting up decryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+NSSCMSCipherContext *
+NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid)
+{
+    NSSCMSCipherContext *cc;
+    void *ciphercx;
+    SECItem *param;
+    SECStatus rv;
+    CK_MECHANISM_TYPE cryptoMechType;
+    PK11SlotInfo *slot;
+    PRBool needToEncodeAlgid = PR_FALSE;
+    SECOidTag algtag = SECOID_GetAlgorithmTag(algid);
+
+    /* set param and mechanism */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	SECItem *pwitem;
+
+	pwitem = PK11_GetSymKeyUserData(key);
+	if (!pwitem) 
+	    return NULL;
+
+	cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);
+	if (cryptoMechType == CKM_INVALID_MECHANISM) {
+	    return NULL;
+	}
+    } else {
+	cryptoMechType = PK11_AlgtagToMechanism(algtag);
+	if ((param = PK11_GenerateNewParam(cryptoMechType, key)) == NULL)
+	    return NULL;
+	needToEncodeAlgid = PR_TRUE;
+    }
+
+    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
+    if (cc == NULL) {
+	goto loser;
+    }
+
+    /* now find pad and block sizes for our mechanism */
+    cc->pad_size = PK11_GetBlockSize(cryptoMechType, param);
+    slot = PK11_GetSlotFromKey(key);
+    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
+    PK11_FreeSlot(slot);
+
+    /* and here we go, creating a PK11 cipher context */
+    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, 
+					  key, param);
+    if (ciphercx == NULL) {
+	PORT_Free(cc);
+	cc = NULL;
+	goto loser;
+    }
+
+    /*
+     * These are placed after the CreateContextBySymKey() because some
+     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
+     * Don't move it from here.
+     * XXX is that right? the purpose of this is to get the correct algid
+     *     containing the IVs etc. for encoding. this means we need to set this up
+     *     BEFORE encoding the algid in the contentInfo, right?
+     */
+    if (needToEncodeAlgid) {
+	rv = PK11_ParamToAlgid(algtag, param, poolp, algid);
+	if(rv != SECSuccess) {
+	    PORT_Free(cc);
+	    cc = NULL;
+	    goto loser;
+	}
+    }
+
+    cc->cx = ciphercx;
+    cc->doit = (nss_cms_cipher_function)PK11_CipherOp;
+    cc->destroy = (nss_cms_cipher_destroy)PK11_DestroyContext;
+    cc->encrypt = PR_TRUE;
+    cc->pending_count = 0;
+
+loser:
+    SECITEM_FreeItem(param, PR_TRUE);
+
+    return cc;
+}
+
+void
+NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc)
+{
+    PORT_Assert(cc != NULL);
+    if (cc == NULL)
+	return;
+    (*cc->destroy)(cc->cx, PR_TRUE);
+    PORT_Free(cc);
+}
+
+/*
+ * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ *
+ * Note that this can return zero, which does not mean that the decrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent decrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
+{
+    int blocks, block_size;
+
+    PORT_Assert (! cc->encrypt);
+
+    block_size = cc->block_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we will always use up all of the pending
+     * bytes plus all of the input bytes, *but*, there will be padding
+     * at the end and we cannot predict how many bytes of padding we
+     * will end up removing.  The amount given here is actually known
+     * to be at least 1 byte too long (because we know we will have
+     * at least 1 byte of padding), but seemed clearer/better to me.
+     */
+    if (final)
+	return cc->pending_count + input_len;
+
+    /*
+     * Okay, this amount is exactly what we will output on the
+     * next cipher operation.  We will always hang onto the last
+     * 1 - block_size bytes for non-final operations.  That is,
+     * we will do as many complete blocks as we can *except* the
+     * last block (complete or partial).  (This is because until
+     * we know we are at the end, we cannot know when to interpret
+     * and removing the padding byte(s), which are guaranteed to
+     * be there.)
+     */
+    blocks = (cc->pending_count + input_len - 1) / block_size;
+    return blocks * block_size;
+}
+
+/*
+ * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.
+ *
+ * Note that this can return zero, which does not mean that the encrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent encrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
+{
+    int blocks, block_size;
+    int pad_size;
+
+    PORT_Assert (cc->encrypt);
+
+    block_size = cc->block_size;
+    pad_size = cc->pad_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we only send out what we need for
+     * remaining bytes plus the padding.  (There is always padding,
+     * so even if we have an exact number of blocks as input, we
+     * will add another full block that is just padding.)
+     */
+    if (final) {
+	if (pad_size == 0) {
+    	    return cc->pending_count + input_len;
+	} else {
+    	    blocks = (cc->pending_count + input_len) / pad_size;
+	    blocks++;
+	    return blocks*pad_size;
+	}
+    }
+
+    /*
+     * Now, count the number of complete blocks of data we have.
+     */
+    blocks = (cc->pending_count + input_len) / block_size;
+
+
+    return blocks * block_size;
+}
+
+
+/*
+ * NSS_CMSCipherContext_Decrypt - do the decryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Decrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
+ * When "final" is true, this is the last of the data to be decrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the decryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "cc".
+ * We also need to determine which bytes are padding, and remove
+ * them from the output.  We can only do this step when we know we
+ * have the final block of data.  PKCS #7 specifies that the padding
+ * used for a block cipher is a string of bytes, each of whose value is
+ * the same as the length of the padding, and that all data is padded.
+ * (Even data that starts out with an exact multiple of blocks gets
+ * added to it another block, all of which is padding.)
+ */ 
+SECStatus
+NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (! cc->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = NSS_CMSCipherContext_DecryptLength(cc, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    /*
+     * hardware encryption does not like small decryption sizes here, so we
+     * allow both blocking and padding.
+     */
+    bsize = cc->block_size;
+    padsize = cc->pad_size;
+
+    /*
+     * When no blocking or padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* cc->doit) (cc->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = cc->pending_count;
+    pbuf = cc->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we have at most a whole block and this is not our last call,
+	 * then we are done for now.  (We do not try to decrypt a lone
+	 * single block because we cannot interpret the padding bytes
+	 * until we know we are handling the very last block of all input.)
+	 */
+	if (input_len == 0 && !final) {
+	    cc->pending_count = pcount;
+	    if (output_len_p)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * Given the logic above, we expect to have a full block by now.
+	 * If we do not, there is something wrong, either with our own
+	 * logic or with (length of) the data given to us.
+	 */
+	if ((padsize != 0) && (pcount % padsize) != 0) {
+	    PORT_Assert (final);	
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	/*
+	 * Decrypt the block.
+	 */
+	rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then NSS_CMSCipherContext_DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert(ofraglen == pcount);
+
+	/*
+	 * Account for the bytes now in output.
+	 */
+	max_output_len -= ofraglen;
+	output_len += ofraglen;
+	output += ofraglen;
+    }
+
+    /*
+     * If this is our last call, we expect to have an exact number of
+     * blocks left to be decrypted; we will decrypt them all.
+     * 
+     * If not our last call, we always save between 1 and bsize bytes
+     * until next time.  (We must do this because we cannot be sure
+     * that none of the decrypted bytes are padding bytes until we
+     * have at least another whole block of data.  You cannot tell by
+     * looking -- the data could be anything -- you can only tell by
+     * context, knowing you are looking at the last block.)  We could
+     * decrypt a whole block now but it is easier if we just treat it
+     * the same way we treat partial block bytes.
+     */
+    if (final) {
+	if (padsize) {
+	    blocks = input_len / padsize;
+	    ifraglen = blocks * padsize;
+	} else ifraglen = input_len;
+	PORT_Assert (ifraglen == input_len);
+
+	if (ifraglen != input_len) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+    } else {
+	blocks = (input_len - 1) / bsize;
+	ifraglen = blocks * bsize;
+	PORT_Assert (ifraglen < input_len);
+
+	pcount = input_len - ifraglen;
+	PORT_Memcpy (pbuf, input + ifraglen, pcount);
+	cc->pending_count = pcount;
+    }
+
+    if (ifraglen) {
+	rv = (* cc->doit)(cc->cx, output, &ofraglen, max_output_len,
+			    input, ifraglen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ifraglen == ofraglen);
+	if (ifraglen != ofraglen) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+
+	output_len += ofraglen;
+    } else {
+	ofraglen = 0;
+    }
+
+    /*
+     * If we just did our very last block, "remove" the padding by
+     * adjusting the output length.
+     */
+    if (final && (padsize != 0)) {
+	unsigned int padlen = *(output + ofraglen - 1);
+
+	if (padlen == 0 || padlen > padsize) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	output_len -= padlen;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSCipherContext_Encrypt - do the encryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Encrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
+ * When "final" is true, this is the last of the data to be encrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the encryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "cc".
+ * We also need to add padding bytes at the end.  PKCS #7 specifies
+ * that the padding used for a block cipher is a string of bytes,
+ * each of whose value is the same as the length of the padding,
+ * and that all data is padded.  (Even data that starts out with
+ * an exact multiple of blocks gets added to it another block,
+ * all of which is padding.)
+ *
+ * XXX I would kind of like to combine this with the function above
+ * which does decryption, since they have a lot in common.  But the
+ * tricky parts about padding and filling blocks would be much
+ * harder to read that way, so I left them separate.  At least for
+ * now until it is clear that they are right.
+ */ 
+SECStatus
+NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, padlen, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (cc->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = NSS_CMSCipherContext_EncryptLength (cc, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    bsize = cc->block_size;
+    padsize = cc->pad_size;
+
+    /*
+     * When no blocking and padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (*cc->doit)(cc->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = cc->pending_count;
+    pbuf = cc->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we do not have a full block and we know we will be
+	 * called again, then we are done for now.
+	 */
+	if (pcount < bsize && !final) {
+	    cc->pending_count = pcount;
+	    if (output_len_p != NULL)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * If we have a whole block available, encrypt it.
+	 */
+	if ((padsize == 0) || (pcount % padsize) == 0) {
+	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+				pbuf, pcount);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ofraglen == pcount);
+
+	    /*
+	     * Account for the bytes now in output.
+	     */
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+
+	    pcount = 0;
+	}
+    }
+
+    if (input_len) {
+	PORT_Assert (pcount == 0);
+
+	blocks = input_len / bsize;
+	ifraglen = blocks * bsize;
+
+	if (ifraglen) {
+	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+				input, ifraglen);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ifraglen == ofraglen);
+
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+	}
+
+	pcount = input_len - ifraglen;
+	PORT_Assert (pcount < bsize);
+	if (pcount)
+	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
+    }
+
+    if (final) {
+	padlen = padsize - (pcount % padsize);
+	PORT_Memset (pbuf + pcount, padlen, padlen);
+	rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount+padlen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7EncryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == (pcount+padlen));
+	output_len += ofraglen;
+    } else {
+	cc->pending_count = pcount;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
new file mode 100644
index 000000000..e238a494f
--- /dev/null
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -0,0 +1,743 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS decoding.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "secerr.h"
+
+struct NSSCMSDecoderContextStr {
+    SEC_ASN1DecoderContext *	dcx;		/* ASN.1 decoder context */
+    NSSCMSMessage *		cmsg;		/* backpointer to the root message */
+    SECOidTag			type;		/* type of message */
+    NSSCMSContent		content;	/* pointer to message */
+    NSSCMSDecoderContext *	childp7dcx;	/* inner CMS decoder context */
+    PRBool			saw_contents;
+    int				error;
+    NSSCMSContentCallback	cb;
+    void *			cb_arg;
+};
+
+struct NSSCMSDecoderDataStr {
+    SECItem data; 	/* must be first */
+    unsigned int totalBufferSize;
+};
+
+typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData;
+
+static void      nss_cms_decoder_update_filter (void *arg, const char *data, 
+                 unsigned long len, int depth, SEC_ASN1EncodingPart data_kind);
+static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
+static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
+static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
+static void      nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
+		 const unsigned char *data, unsigned long len, PRBool final);
+static NSSCMSDecoderData *nss_cms_create_decoder_data(PRArenaPool *poolp);
+
+extern const SEC_ASN1Template NSSCMSMessageTemplate[];
+
+static NSSCMSDecoderData *
+nss_cms_create_decoder_data(PRArenaPool *poolp)
+{
+    NSSCMSDecoderData *decoderData = NULL;
+
+    decoderData = (NSSCMSDecoderData *)
+			PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData));
+    if (!decoderData) {
+	return NULL;
+    }
+    decoderData->data.data = NULL;
+    decoderData->data.len = 0;
+    decoderData->totalBufferSize = 0;
+    return decoderData;
+}
+
+/* 
+ * nss_cms_decoder_notify -
+ *  this is the driver of the decoding process. It gets called by the ASN.1
+ *  decoder before and after an object is decoded.
+ *  at various points in the decoding process, we intercept to set up and do
+ *  further processing.
+ */
+static void
+nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
+{
+    NSSCMSDecoderContext *p7dcx;
+    NSSCMSContentInfo *rootcinfo, *cinfo;
+    PRBool after = !before;
+
+    p7dcx = (NSSCMSDecoderContext *)arg;
+    rootcinfo = &(p7dcx->cmsg->contentInfo);
+
+    /* XXX error handling: need to set p7dcx->error */
+
+#ifdef CMSDEBUG 
+    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
+#endif
+
+    /* so what are we working on right now? */
+    switch (p7dcx->type) {
+    case SEC_OID_UNKNOWN:
+	/*
+	 * right now, we are still decoding the OUTER (root) cinfo
+	 * As soon as we know the inner content type, set up the info,
+	 * but NO inner decoder or filter. The root decoder handles the first
+	 * level children by itself - only for encapsulated contents (which
+	 * are encoded as DER inside of an OCTET STRING) we need to set up a
+	 * child decoder...
+	 */
+	if (after && dest == &(rootcinfo->contentType)) {
+	    p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
+	    p7dcx->content = rootcinfo->content;	
+	    /* is this ready already ? need to alloc? */
+	    /* XXX yes we need to alloc -- continue here */
+	}
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* this can only happen if the outermost cinfo has DATA in it */
+	/* otherwise, we handle this type implicitely in the inner decoders */
+
+	if (before && dest == &(rootcinfo->content)) {
+	    /* cause the filter to put the data in the right place... 
+	    ** We want the ASN.1 decoder to deliver the decoded bytes to us 
+	    ** from now on 
+	    */
+	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
+					  nss_cms_decoder_update_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	if (after && dest == &(rootcinfo->content.data)) {
+	    /* remove the filter */
+	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
+	}
+	break;
+
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+
+	if (before && dest == &(rootcinfo->content))
+	    break;     /* we're not there yet */
+
+	if (p7dcx->content.pointer == NULL)
+	    p7dcx->content = rootcinfo->content;
+
+	/* get this data type's inner contentInfo */
+	cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, 
+	                                      p7dcx->type);
+
+	if (before && dest == &(cinfo->contentType)) {
+	    /* at this point, set up the &%$&$ back pointer */
+	    /* we cannot do it later, because the content itself is optional! */
+	    /* please give me C++ */
+	    switch (p7dcx->type) {
+	    case SEC_OID_PKCS7_SIGNED_DATA:
+		p7dcx->content.signedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_DIGESTED_DATA:
+		p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_ENVELOPED_DATA:
+		p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+		p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
+		break;
+	    default:
+		PORT_Assert(0);
+		break;
+	    }
+	}
+
+	if (before && dest == &(cinfo->rawContent)) {
+	    /* we want the ASN.1 decoder to deliver the decoded bytes to us 
+	    ** from now on 
+	    */
+	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, 
+	                                 nss_cms_decoder_update_filter, 
+					 p7dcx, (PRBool)(p7dcx->cb != NULL));
+
+
+	    /* we're right in front of the data */
+	    if (nss_cms_before_data(p7dcx) != SECSuccess) {
+		SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);	
+		/* stop all processing */
+		p7dcx->error = PORT_GetError();
+	    }
+	}
+	if (after && dest == &(cinfo->rawContent)) {
+	    /* we're right after of the data */
+	    if (nss_cms_after_data(p7dcx) != SECSuccess)
+		p7dcx->error = PORT_GetError();
+
+	    /* we don't need to see the contents anymore */
+	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
+	}
+	break;
+
+#if 0 /* NIH */
+    case SEC_OID_PKCS7_AUTHENTICATED_DATA:
+#endif
+    default:
+	/* unsupported or unknown message type - fail  gracefully */
+	p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
+	break;
+    }
+}
+
+/*
+ * nss_cms_before_data - set up the current encoder to receive data
+ */
+static SECStatus
+nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
+{
+    SECStatus rv;
+    SECOidTag childtype;
+    PLArenaPool *poolp;
+    NSSCMSDecoderContext *childp7dcx;
+    NSSCMSContentInfo *cinfo;
+    const SEC_ASN1Template *template;
+    void *mark = NULL;
+    size_t size;
+    
+    poolp = p7dcx->cmsg->poolp;
+
+    /* call _Decode_BeforeData handlers */
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* we're decoding a signedData, so set up the digests */
+	rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	/* we're encoding a digestedData, so set up the digest */
+	rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Decode_BeforeData(
+	                             p7dcx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Decode_BeforeData(
+	                             p7dcx->content.encryptedData);
+	break;
+    default:
+	return SECFailure;
+    }
+    if (rv != SECSuccess)
+	return SECFailure;
+
+    /* ok, now we have a pointer to cinfo */
+    /* find out what kind of data is encapsulated */
+    
+    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+    if (childtype == SEC_OID_PKCS7_DATA) {
+	cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp);
+	if (cinfo->content.pointer == NULL)
+	    /* set memory error */
+	    return SECFailure;
+
+	p7dcx->childp7dcx = NULL;
+	return SECSuccess;
+    }
+
+    /* set up inner decoder */
+
+    if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
+	return SECFailure;
+
+    childp7dcx = PORT_ZNew(NSSCMSDecoderContext);
+    if (childp7dcx == NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* allocate space for the stuff we're creating */
+    size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
+    childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
+    if (childp7dcx->content.pointer == NULL)
+	goto loser;
+
+    /* start the child decoder */
+    childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, 
+                                           template);
+    if (childp7dcx->dcx == NULL)
+	goto loser;
+
+    /* the new decoder needs to notify, too */
+    SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, 
+                                 childp7dcx);
+
+    /* tell the parent decoder that it needs to feed us the content data */
+    p7dcx->childp7dcx = childp7dcx;
+
+    childp7dcx->type = childtype;	/* our type */
+
+    childp7dcx->cmsg = p7dcx->cmsg;	/* backpointer to root message */
+
+    /* should the child decoder encounter real data, 
+    ** it must give it to the caller 
+    */
+    childp7dcx->cb = p7dcx->cb;
+    childp7dcx->cb_arg = p7dcx->cb_arg;
+
+    /* now set up the parent to hand decoded data to the next level decoder */
+    p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
+    p7dcx->cb_arg = childp7dcx;
+
+    PORT_ArenaUnmark(poolp, mark);
+
+    return SECSuccess;
+
+loser:
+    if (mark)
+	PORT_ArenaRelease(poolp, mark);
+    if (childp7dcx)
+	PORT_Free(childp7dcx);
+    p7dcx->childp7dcx = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
+{
+    NSSCMSDecoderContext *childp7dcx;
+    SECStatus rv = SECFailure;
+
+    /* Handle last block. This is necessary to flush out the last bytes
+     * of a possibly incomplete block */
+    nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);
+
+    /* finish any "inner" decoders - there's no more data coming... */
+    if (p7dcx->childp7dcx != NULL) {
+	childp7dcx = p7dcx->childp7dcx;
+	if (childp7dcx->dcx != NULL) {
+	    if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
+		/* do what? free content? */
+		rv = SECFailure;
+	    } else {
+		rv = nss_cms_after_end(childp7dcx);
+	    }
+	    if (rv != SECSuccess)
+		goto done;
+	}
+	PORT_Free(p7dcx->childp7dcx);
+	p7dcx->childp7dcx = NULL;
+    }
+
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* this will finish the digests and verify */
+	rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Decode_AfterData(
+	                            p7dcx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Decode_AfterData(
+	                           p7dcx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Decode_AfterData(
+	                            p7dcx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* do nothing */
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+done:
+    return rv;
+}
+
+static SECStatus
+nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
+{
+    SECStatus rv = SECSuccess;
+
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	if (p7dcx->content.signedData)
+	    rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	if (p7dcx->content.envelopedData)
+	    rv = NSS_CMSEnvelopedData_Decode_AfterEnd(
+	                               p7dcx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	if (p7dcx->content.digestedData)
+	    rv = NSS_CMSDigestedData_Decode_AfterEnd(
+	                              p7dcx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	if (p7dcx->content.encryptedData)
+	    rv = NSS_CMSEncryptedData_Decode_AfterEnd(
+	                               p7dcx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	break;
+    default:
+	rv = SECFailure;	/* we should not have got that far... */
+	break;
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_decoder_work_data - handle decoded data bytes.
+ *
+ * This function either decrypts the data if needed, and/or calculates digests
+ * on it, then either stores it or passes it on to the next level decoder.
+ */
+static void
+nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    NSSCMSContentInfo *cinfo;
+    unsigned char *buf = NULL;
+    unsigned char *dest;
+    unsigned int offset;
+    SECStatus rv;
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+
+    if (cinfo->ciphcx != NULL) {
+	/*
+	 * we are decrypting.
+	 * 
+	 * XXX If we get an error, we do not want to do the digest or callback,
+	 * but we want to keep decoding.  Or maybe we want to stop decoding
+	 * altogether if there is a callback, because obviously we are not
+	 * sending the data back and they want to know that.
+	 */
+
+	unsigned int outlen = 0;	/* length of decrypted data */
+	unsigned int buflen;		/* length available for decrypted data */
+
+	/* find out about the length of decrypted data */
+	buflen = NSS_CMSCipherContext_DecryptLength(cinfo->ciphcx, len, final);
+
+	/*
+	 * it might happen that we did not provide enough data for a full
+	 * block (decryption unit), and that there is no output available
+	 */
+
+	/* no output available, AND no input? */
+	if (buflen == 0 && len == 0)
+	    goto loser;	/* bail out */
+
+	/*
+	 * have inner decoder: pass the data on (means inner content type is NOT data)
+	 * no inner decoder: we have DATA in here: either call callback or store
+	 */
+	if (buflen != 0) {
+	    /* there will be some output - need to make room for it */
+	    /* allocate buffer from the heap */
+	    buf = (unsigned char *)PORT_Alloc(buflen);
+	    if (buf == NULL) {
+		p7dcx->error = SEC_ERROR_NO_MEMORY;
+		goto loser;
+	    }
+	}
+
+	/*
+	 * decrypt incoming data
+	 * buf can still be NULL here (and buflen == 0) here if we don't expect
+	 * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
+	 * keep track of incoming data
+	 */
+	rv = NSS_CMSCipherContext_Decrypt(cinfo->ciphcx, buf, &outlen, buflen,
+			       data, len, final);
+	if (rv != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    goto loser;
+	}
+
+	PORT_Assert (final || outlen == buflen);
+	
+	/* swap decrypted data in */
+	data = buf;
+	len = outlen;
+    }
+
+    if (len == 0)
+	goto done;		/* nothing more to do */
+
+    /*
+     * Update the running digests with plaintext bytes (if we need to).
+     */
+    if (cinfo->digcx)
+	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
+
+    /* at this point, we have the plain decoded & decrypted data 
+    ** which is either more encoded DER (which we need to hand to the child 
+    ** decoder) or data we need to hand back to our caller 
+    */
+
+    /* pass the content back to our caller or */
+    /* feed our freshly decrypted and decoded data into child decoder */
+    if (p7dcx->cb != NULL) {
+	(*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
+    }
+#if 1
+    else
+#endif
+    if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
+	/* store it in "inner" data item as well */
+	/* find the DATA item in the encapsulated cinfo and store it there */
+	NSSCMSDecoderData *decoderData = 
+				(NSSCMSDecoderData *)cinfo->content.pointer;
+	SECItem *dataItem = &decoderData->data;
+
+	offset = dataItem->len;
+	if (dataItem->len+len > decoderData->totalBufferSize) {
+	    int needLen = (dataItem->len+len) * 2;
+	    dest = (unsigned char *)
+				PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
+	    if (dest == NULL) {
+		p7dcx->error = SEC_ERROR_NO_MEMORY;
+		goto loser;
+	    }
+
+	    if (dataItem->len) {
+		PORT_Memcpy(dest, dataItem->data, dataItem->len);
+	    }
+	    decoderData->totalBufferSize = needLen;
+	    dataItem->data = dest;
+	}
+
+	/* copy it in */
+	PORT_Memcpy(dataItem->data + offset, data, len);
+	dataItem->len += len;
+    }
+
+done:
+loser:
+    if (buf)
+	PORT_Free (buf);
+}
+
+/*
+ * nss_cms_decoder_update_filter - process ASN.1 data
+ *
+ * once we have set up a filter in nss_cms_decoder_notify(),
+ * all data processed by the ASN.1 decoder is also passed through here.
+ * we pass the content bytes (as opposed to length and tag bytes) on to
+ * nss_cms_decoder_work_data().
+ */
+static void
+nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
+			  int depth, SEC_ASN1EncodingPart data_kind)
+{
+    NSSCMSDecoderContext *p7dcx;
+
+    PORT_Assert (len);	/* paranoia */
+    if (len == 0)
+	return;
+
+    p7dcx = (NSSCMSDecoderContext*)arg;
+
+    p7dcx->saw_contents = PR_TRUE;
+
+    /* pass on the content bytes only */
+    if (data_kind == SEC_ASN1_Contents)
+	nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, 
+	                          PR_FALSE);
+}
+
+/*
+ * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
+ *
+ * "poolp" - pointer to arena for message, or NULL if new pool should be created
+ * "cb", "cb_arg" - callback function and argument for delivery of inner content
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ */
+NSSCMSDecoderContext *
+NSS_CMSDecoder_Start(PRArenaPool *poolp,
+		      NSSCMSContentCallback cb, void *cb_arg,
+		      PK11PasswordFunc pwfn, void *pwfn_arg,
+		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, 
+		      void *decrypt_key_cb_arg)
+{
+    NSSCMSDecoderContext *p7dcx;
+    NSSCMSMessage *cmsg;
+
+    cmsg = NSS_CMSMessage_Create(poolp);
+    if (cmsg == NULL)
+	return NULL;
+
+    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, 
+                                     decrypt_key_cb_arg, NULL, NULL);
+
+    p7dcx = PORT_ZNew(NSSCMSDecoderContext);
+    if (p7dcx == NULL) {
+	NSS_CMSMessage_Destroy(cmsg);
+	return NULL;
+    }
+
+    p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
+    if (p7dcx->dcx == NULL) {
+	PORT_Free (p7dcx);
+	NSS_CMSMessage_Destroy(cmsg);
+	return NULL;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx);
+
+    p7dcx->cmsg = cmsg;
+    p7dcx->type = SEC_OID_UNKNOWN;
+
+    p7dcx->cb = cb;
+    p7dcx->cb_arg = cb_arg;
+
+    return p7dcx;
+}
+
+/*
+ * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
+ */
+SECStatus
+NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, 
+                      unsigned long len)
+{
+    SECStatus rv;
+    if (p7dcx->dcx != NULL && p7dcx->error == 0) {	
+    	/* if error is set already, don't bother */
+	rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len);
+	if (rv != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_Assert (p7dcx->error);
+	    if (p7dcx->error == 0)
+		p7dcx->error = -1;
+	}
+    }
+
+    if (p7dcx->error == 0)
+	return SECSuccess;
+
+    /* there has been a problem, let's finish the decoder */
+    if (p7dcx->dcx != NULL) {
+	(void) SEC_ASN1DecoderFinish (p7dcx->dcx);
+	p7dcx->dcx = NULL;
+    }
+    PORT_SetError (p7dcx->error);
+
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSDecoder_Cancel - stop decoding in case of error
+ */
+void
+NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
+{
+    if (p7dcx->dcx != NULL)
+	(void)SEC_ASN1DecoderFinish(p7dcx->dcx);
+    NSS_CMSMessage_Destroy(p7dcx->cmsg);
+    PORT_Free(p7dcx);
+}
+
+/*
+ * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
+ */
+NSSCMSMessage *
+NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
+{
+    NSSCMSMessage *cmsg;
+
+    cmsg = p7dcx->cmsg;
+
+    if (p7dcx->dcx == NULL || 
+        SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
+	nss_cms_after_end(p7dcx) != SECSuccess)
+    {
+	NSS_CMSMessage_Destroy(cmsg);	/* get rid of pool if it's ours */
+	cmsg = NULL;
+    }
+
+    PORT_Free(p7dcx);
+    return cmsg;
+}
+
+NSSCMSMessage *
+NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
+		    NSSCMSContentCallback cb, void *cb_arg,
+		    PK11PasswordFunc pwfn, void *pwfn_arg,
+		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, 
+		    void *decrypt_key_cb_arg)
+{
+    NSSCMSDecoderContext *p7dcx;
+
+    /* first arg(poolp) == NULL => create our own pool */
+    p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, 
+                                 decrypt_key_cb, decrypt_key_cb_arg);
+    if (p7dcx == NULL)
+	return NULL;
+    NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
+    return NSS_CMSDecoder_Finish(p7dcx);
+}
+
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c
new file mode 100644
index 000000000..e3eb4159d
--- /dev/null
+++ b/security/nss/lib/smime/cmsdigdata.c
@@ -0,0 +1,231 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS digestedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secitem.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
+ *
+ * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
+ * digestAlg is passed as parameter
+ * contentInfo must be filled by the user
+ * digest will be calculated while encoding
+ */
+NSSCMSDigestedData *
+NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg)
+{
+    void *mark;
+    NSSCMSDigestedData *digd;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    digd = (NSSCMSDigestedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSDigestedData));
+    if (digd == NULL)
+	goto loser;
+
+    digd->cmsg = cmsg;
+
+    if (SECOID_CopyAlgorithmID (poolp, &(digd->digestAlg), digestalg) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return digd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSDigestedData_Destroy - destroy a digestedData object
+ */
+void
+NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
+{
+    /* everything's in a pool, so don't worry about the storage */
+    NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+    return;
+}
+
+/*
+ * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd)
+{
+    return &(digd->contentInfo);
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the right version number. The contentInfo's content type must be set up already.
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
+{
+    unsigned long version;
+    SECItem *dummy;
+
+    version = NSS_CMS_DIGESTED_DATA_VERSION_DATA;
+    if (NSS_CMSContentInfo_GetContentTypeTag(&(digd->contentInfo)) != SEC_OID_PKCS7_DATA)
+	version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP;
+
+    dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version);
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd)
+{
+    /* set up the digests */
+    if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) {
+	/* if digest is already there, do nothing */
+	digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
+	if (digd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
+{
+    SECStatus rv = SECSuccess;
+    /* did we have digest calculation going on? */
+    if (digd->contentInfo.digcx) {
+	rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
+				               digd->cmsg->poolp, 
+					       &(digd->digest));
+	/* error has been set by NSS_CMSDigestContext_FinishSingle */
+	digd->contentInfo.digcx = NULL;
+    }
+
+    return rv;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd)
+{
+    /* is there a digest algorithm yet? */
+    if (digd->digestAlg.algorithm.len == 0)
+	return SECFailure;
+
+    digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
+    if (digd->contentInfo.digcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd)
+{
+    SECStatus rv = SECSuccess;
+    /* did we have digest calculation going on? */
+    if (digd->contentInfo.digcx) {
+	rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
+				               digd->cmsg->poolp, 
+					       &(digd->cdigest));
+	/* error has been set by NSS_CMSDigestContext_FinishSingle */
+	digd->contentInfo.digcx = NULL;
+    }
+
+    return rv;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
+ *
+ * In detail:
+ *  - check the digests for equality
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd)
+{
+    /* did we have digest calculation going on? */
+    if (digd->cdigest.len != 0) {
+	/* XXX comparision btw digest & cdigest */
+	/* XXX set status */
+	/* TODO!!!! */
+    }
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
new file mode 100644
index 000000000..e0e923a77
--- /dev/null
+++ b/security/nss/lib/smime/cmsdigest.c
@@ -0,0 +1,294 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS digesting.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+/*  #define CMS_FIND_LEAK_MULTIPLE 1 */
+#ifdef CMS_FIND_LEAK_MULTIPLE
+static int stop_on_err = 1;
+static int global_num_digests = 0;
+#endif
+
+struct digestPairStr { 
+    const SECHashObject * digobj;
+    void *                digcx;
+};
+typedef struct digestPairStr digestPair;
+
+struct NSSCMSDigestContextStr {
+    PRBool		saw_contents;
+    PLArenaPool *       pool;
+    int			digcnt;
+    digestPair  *       digPairs;
+};
+
+
+/*
+ * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
+ *  digest algorithms in "digestalgs" in parallel.
+ */
+NSSCMSDigestContext *
+NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
+{
+    PLArenaPool *        pool;
+    NSSCMSDigestContext *cmsdigcx;
+    int digcnt;
+    int i;
+
+#ifdef CMS_FIND_LEAK_MULTIPLE
+    PORT_Assert(global_num_digests == 0 || !stop_on_err);
+#endif
+
+    digcnt = (digestalgs == NULL) ? 0 : NSS_CMSArray_Count((void **)digestalgs);
+    /* It's OK if digcnt is zero.  We have to allow this for "certs only"
+    ** messages.
+    */
+    pool = PORT_NewArena(2048);
+    if (!pool)
+    	return NULL;
+
+    cmsdigcx = PORT_ArenaNew(pool, NSSCMSDigestContext);
+    if (cmsdigcx == NULL)
+	goto loser;
+
+    cmsdigcx->saw_contents = PR_FALSE;
+    cmsdigcx->pool   = pool;
+    cmsdigcx->digcnt = digcnt;
+
+    cmsdigcx->digPairs = PORT_ArenaZNewArray(pool, digestPair, digcnt);
+    if (cmsdigcx->digPairs == NULL) {
+	goto loser;
+    }
+
+    /*
+     * Create a digest object context for each algorithm.
+     */
+    for (i = 0; i < digcnt; i++) {
+	const SECHashObject *digobj;
+	void *digcx;
+
+	digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]);
+	/*
+	 * Skip any algorithm we do not even recognize; obviously,
+	 * this could be a problem, but if it is critical then the
+	 * result will just be that the signature does not verify.
+	 * We do not necessarily want to error out here, because
+	 * the particular algorithm may not actually be important,
+	 * but we cannot know that until later.
+	 */
+	if (digobj == NULL)
+	    continue;
+
+	digcx = (*digobj->create)();
+	if (digcx != NULL) {
+	    (*digobj->begin) (digcx);
+	    cmsdigcx->digPairs[i].digobj = digobj;
+	    cmsdigcx->digPairs[i].digcx  = digcx;
+#ifdef CMS_FIND_LEAK_MULTIPLE
+	    global_num_digests++;
+#endif
+	}
+    }
+    return cmsdigcx;
+
+loser:
+    /* no digest objects have been created, or need to be destroyed. */
+    if (pool) {
+    	PORT_FreeArena(pool, PR_FALSE);
+    }
+    return NULL;
+}
+
+/*
+ * NSS_CMSDigestContext_StartSingle - same as 
+ * NSS_CMSDigestContext_StartMultiple, but only one algorithm.
+ */
+NSSCMSDigestContext *
+NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg)
+{
+    SECAlgorithmID *digestalgs[] = { NULL, NULL };		/* fake array */
+
+    digestalgs[0] = digestalg;
+    return NSS_CMSDigestContext_StartMultiple(digestalgs);
+}
+
+/*
+ * NSS_CMSDigestContext_Update - feed more data into the digest machine
+ */
+void
+NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, 
+                            const unsigned char *data, int len)
+{
+    int i;
+    digestPair *pair = cmsdigcx->digPairs;
+
+    cmsdigcx->saw_contents = PR_TRUE;
+
+    for (i = 0; i < cmsdigcx->digcnt; i++, pair++) {
+	if (pair->digcx) {
+	    (*pair->digobj->update)(pair->digcx, data, len);
+    	}
+    }
+}
+
+/*
+ * NSS_CMSDigestContext_Cancel - cancel digesting operation
+ */
+void
+NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx)
+{
+    int i;
+    digestPair *pair = cmsdigcx->digPairs;
+
+    for (i = 0; i < cmsdigcx->digcnt; i++, pair++) {
+	if (pair->digcx) {
+	    (*pair->digobj->destroy)(pair->digcx, PR_TRUE);
+#ifdef CMS_FIND_LEAK_MULTIPLE
+	    --global_num_digests;
+#endif
+    	}
+    }
+#ifdef CMS_FIND_LEAK_MULTIPLE
+    PORT_Assert(global_num_digests == 0 || !stop_on_err);
+#endif
+    PORT_FreeArena(cmsdigcx->pool, PR_FALSE);
+}
+
+/*
+ * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
+ *  into an array of SECItems (allocated on poolp)
+ */
+SECStatus
+NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, 
+                                    PLArenaPool *poolp,
+			            SECItem ***digestsp)
+{
+    SECItem **  digests = NULL;
+    digestPair *pair;
+    void *      mark;
+    int         i;
+    SECStatus   rv;
+
+    /* no contents? do not finish digests */
+    if (digestsp == NULL || !cmsdigcx->saw_contents) {
+	rv = SECSuccess;
+	goto cleanup;
+    }
+
+    mark = PORT_ArenaMark (poolp);
+
+    /* allocate digest array & SECItems on arena */
+    digests = PORT_ArenaNewArray( poolp, SECItem *, cmsdigcx->digcnt + 1);
+
+    rv = ((digests == NULL) ? SECFailure : SECSuccess);
+    pair = cmsdigcx->digPairs;
+    for (i = 0; rv == SECSuccess && i < cmsdigcx->digcnt; i++, pair++) {
+	SECItem digest;
+	unsigned char hash[HASH_LENGTH_MAX];
+
+	if (!pair->digcx) {
+	    digests[i] = NULL;
+	    continue;
+	}
+
+	digest.type = siBuffer;
+	digest.data = hash;
+	digest.len  = pair->digobj->length;
+	(* pair->digobj->end)(pair->digcx, hash, &digest.len, digest.len);
+	digests[i] = SECITEM_ArenaDupItem(poolp, &digest);
+	if (!digests[i]) {
+	    rv = SECFailure;
+	}
+    }
+    digests[i] = NULL;
+    if (rv == SECSuccess) {
+	PORT_ArenaUnmark(poolp, mark);
+    } else
+	PORT_ArenaRelease(poolp, mark);
+
+cleanup:
+    NSS_CMSDigestContext_Cancel(cmsdigcx);
+    /* Don't change the caller's digests pointer if we have no digests.
+    **  NSS_CMSSignedData_Encode_AfterData depends on this behavior.
+    */
+    if (rv == SECSuccess && digestsp && digests) {
+	*digestsp = digests;
+    }
+    return rv;
+}
+
+/*
+ * NSS_CMSDigestContext_FinishSingle - same as 
+ * NSS_CMSDigestContext_FinishMultiple, but for one digest.
+ */
+SECStatus
+NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, 
+                                  PLArenaPool *poolp,
+			          SECItem *digest)
+{
+    SECStatus rv = SECFailure;
+    SECItem **dp;
+    PLArenaPool *arena = NULL;
+
+    if ((arena = PORT_NewArena(1024)) == NULL)
+	goto loser;
+
+    /* get the digests into arena, then copy the first digest into poolp */
+    rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp);
+    if (rv == SECSuccess) {
+	/* now copy it into poolp */
+	rv = SECITEM_CopyItem(poolp, digest, dp[0]);
+    }
+loser:
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+
+    return rv;
+}
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
new file mode 100644
index 000000000..a14a3b7c7
--- /dev/null
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -0,0 +1,283 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS encryptedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * "keysize" is the key size.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+NSSCMSEncryptedData *
+NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, 
+			    int keysize)
+{
+    void *mark;
+    NSSCMSEncryptedData *encd;
+    PLArenaPool *poolp;
+    SECAlgorithmID *pbe_algid;
+    SECStatus rv;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    encd = PORT_ArenaZNew(poolp, NSSCMSEncryptedData);
+    if (encd == NULL)
+	goto loser;
+
+    encd->cmsg = cmsg;
+
+    /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */
+
+    if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) {
+	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), 
+						 algorithm, NULL, keysize);
+    } else {
+	/* Assume password-based-encryption.  
+	 * Note: we can't generate pkcs5v2 from this interface.
+	 * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting
+	 * non-PBE oids and assuming that they are pkcs5v2 oids, but
+	 * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular
+	 * CMS encrypted data, so we can't tell NSS_CMS_EncryptedData_Create
+	 * to create pkcs5v2 PBEs */
+	pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL);
+	if (pbe_algid == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, 
+				&(encd->contentInfo), pbe_algid, keysize);
+	    SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
+	}
+    }
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return encd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
+ */
+void
+NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
+{
+    /* everything's in a pool, so don't worry about the storage */
+    NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+    return;
+}
+
+/*
+ * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd)
+{
+    return &(encd->contentInfo);
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the correct version value.
+ *  - get the encryption key
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd)
+{
+    int version;
+    PK11SymKey *bulkkey = NULL;
+    SECItem *dummy;
+    NSSCMSContentInfo *cinfo = &(encd->contentInfo);
+
+    if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr))
+	version = NSS_CMS_ENCRYPTED_DATA_VERSION;
+    else
+	version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR;
+    
+    dummy = SEC_ASN1EncodeInteger (encd->cmsg->poolp, &(encd->version), version);
+    if (dummy == NULL)
+	return SECFailure;
+
+    /* now get content encryption key (bulk key) by using our cmsg callback */
+    if (encd->cmsg->decrypt_key_cb)
+	bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, 
+		    NSS_CMSContentInfo_GetContentEncAlg(cinfo));
+    if (bulkkey == NULL)
+	return SECFailure;
+
+    /* store the bulk key in the contentInfo so that the encoder can find it */
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+    PK11_FreeSymKey (bulkkey);
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
+{
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey;
+    SECAlgorithmID *algid;
+
+    cinfo = &(encd->contentInfo);
+
+    /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */
+    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
+    if (bulkkey == NULL)
+	return SECFailure;
+    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+    if (algid == NULL)
+	return SECFailure;
+
+    /* this may modify algid (with IVs generated in a token).
+     * it is therefore essential that algid is a pointer to the "real" contentEncAlg,
+     * not just to a copy */
+    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
+    PK11_FreeSymKey(bulkkey);
+    if (cinfo->ciphcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
+{
+    if (encd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+	encd->contentInfo.ciphcx = NULL;
+    }
+
+    /* nothing to do after data */
+    return SECSuccess;
+}
+
+
+/*
+ * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd)
+{
+    PK11SymKey *bulkkey = NULL;
+    NSSCMSContentInfo *cinfo;
+    SECAlgorithmID *bulkalg;
+    SECStatus rv = SECFailure;
+
+    cinfo = &(encd->contentInfo);
+
+    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+
+    if (encd->cmsg->decrypt_key_cb == NULL)	/* no callback? no key../ */
+	goto loser;
+
+    bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, bulkalg);
+    if (bulkkey == NULL)
+	/* no success finding a bulk key */
+	goto loser;
+
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
+    if (cinfo->ciphcx == NULL)
+	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
+
+
+    /* we are done with (this) bulkkey now. */
+    PK11_FreeSymKey(bulkkey);
+
+    rv = SECSuccess;
+
+loser:
+    return rv;
+}
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
+{
+    if (encd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+	encd->contentInfo.ciphcx = NULL;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd)
+{
+    /* apply final touches */
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
new file mode 100644
index 000000000..7e5d2b514
--- /dev/null
+++ b/security/nss/lib/smime/cmsencode.c
@@ -0,0 +1,747 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS encoding.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+struct nss_cms_encoder_output {
+    NSSCMSContentCallback outputfn;
+    void *outputarg;
+    PLArenaPool *destpoolp;
+    SECItem *dest;
+};
+
+struct NSSCMSEncoderContextStr {
+    SEC_ASN1EncoderContext *	ecx;		/* ASN.1 encoder context */
+    PRBool			ecxupdated;	/* true if data was handed in */
+    NSSCMSMessage *		cmsg;		/* pointer to the root message */
+    SECOidTag			type;		/* type tag of the current content */
+    NSSCMSContent		content;	/* pointer to current content */
+    struct nss_cms_encoder_output output;	/* output function */
+    int				error;		/* error code */
+    NSSCMSEncoderContext *	childp7ecx;	/* link to child encoder context */
+};
+
+static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx);
+static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx);
+static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
+static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final, PRBool innermost);
+
+extern const SEC_ASN1Template NSSCMSMessageTemplate[];
+
+/*
+ * The little output function that the ASN.1 encoder calls to hand
+ * us bytes which we in turn hand back to our caller (via the callback
+ * they gave us).
+ */
+static void
+nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,
+		      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg;
+    unsigned char *dest;
+    unsigned long offset;
+
+#ifdef CMSDEBUG
+    int i;
+
+    fprintf(stderr, "kind = %d, depth = %d, len = %d\n", data_kind, depth, len);
+    for (i=0; i < len; i++) {
+	fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");
+    }
+    if ((i % 16) != 0)
+	fprintf(stderr, "\n");
+#endif
+
+    if (output->outputfn != NULL)
+	/* call output callback with DER data */
+	output->outputfn(output->outputarg, buf, len);
+
+    if (output->dest != NULL) {
+	/* store DER data in SECItem */
+	offset = output->dest->len;
+	if (offset == 0) {
+	    dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len);
+	} else {
+	    dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, 
+				  output->dest->data,
+				  output->dest->len,
+				  output->dest->len + len);
+	}
+	if (dest == NULL)
+	    /* oops */
+	    return;
+
+	output->dest->data = dest;
+	output->dest->len += len;
+
+	/* copy it in */
+	PORT_Memcpy(output->dest->data + offset, buf, len);
+    }
+}
+
+/*
+ * nss_cms_encoder_notify - ASN.1 encoder callback
+ *
+ * this function is called by the ASN.1 encoder before and after the encoding of
+ * every object. here, it is used to keep track of data structures, set up
+ * encryption and/or digesting and possibly set up child encoders.
+ */
+static void
+nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
+{
+    NSSCMSEncoderContext *p7ecx;
+    NSSCMSContentInfo *rootcinfo, *cinfo;
+    PRBool after = !before;
+    PLArenaPool *poolp;
+    SECOidTag childtype;
+    SECItem *item;
+
+    p7ecx = (NSSCMSEncoderContext *)arg;
+    PORT_Assert(p7ecx != NULL);
+
+    rootcinfo = &(p7ecx->cmsg->contentInfo);
+    poolp = p7ecx->cmsg->poolp;
+
+#ifdef CMSDEBUG
+    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
+#endif
+
+    /*
+     * Watch for the content field, at which point we want to instruct
+     * the ASN.1 encoder to start taking bytes from the buffer.
+     */
+    switch (p7ecx->type) {
+    default:
+    case SEC_OID_UNKNOWN:
+	/* we're still in the root message */
+	if (after && dest == &(rootcinfo->contentType)) {
+	    /* got the content type OID now - so find out the type tag */
+	    p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
+	    /* set up a pointer to our current content */
+	    p7ecx->content = rootcinfo->content;
+	}
+	break;
+
+    case SEC_OID_PKCS7_DATA:
+	if (before && dest == &(rootcinfo->rawContent)) {
+	    /* just set up encoder to grab from user - no encryption or digesting */
+	    if ((item = rootcinfo->content.data) != NULL)
+		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
+	    else
+		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
+	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
+	}
+	break;
+
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+
+	/* when we know what the content is, we encode happily until we reach the inner content */
+	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+	if (after && dest == &(cinfo->contentType)) {
+	    /* we're right before encoding the data (if we have some or not) */
+	    /* (for encrypted data, we're right before the contentEncAlg which may change */
+	    /*  in nss_cms_before_data because of IV calculation when setting up encryption) */
+	    if (nss_cms_before_data(p7ecx) != SECSuccess)
+		p7ecx->error = PORT_GetError();
+	}
+	if (before && dest == &(cinfo->rawContent)) {
+	    if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL)
+		/* we have data - feed it in */
+		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
+	    else
+		/* else try to get it from user */
+		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
+	}
+	if (after && dest == &(cinfo->rawContent)) {
+	    if (nss_cms_after_data(p7ecx) != SECSuccess)
+		p7ecx->error = PORT_GetError();
+	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
+	}
+	break;
+    }
+}
+
+/*
+ * nss_cms_before_data - setup the current encoder to receive data
+ */
+static SECStatus
+nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv;
+    SECOidTag childtype;
+    NSSCMSContentInfo *cinfo;
+    PLArenaPool *poolp;
+    NSSCMSEncoderContext *childp7ecx;
+    const SEC_ASN1Template *template;
+
+    poolp = p7ecx->cmsg->poolp;
+
+    /* call _Encode_BeforeData handlers */
+    switch (p7ecx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* we're encoding a signedData, so set up the digests */
+	rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	/* we're encoding a digestedData, so set up the digest */
+	rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);
+	break;
+    default:
+	rv = SECFailure;
+    }
+    if (rv != SECSuccess)
+	return SECFailure;
+
+    /* ok, now we have a pointer to cinfo */
+    /* find out what kind of data is encapsulated */
+    
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+    switch (childtype) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+#if 0
+    case SEC_OID_PKCS7_DATA:		/* XXX here also??? maybe yes! */
+#endif
+	/* in these cases, we need to set up a child encoder! */
+	/* create new encoder context */
+	childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
+	if (childp7ecx == NULL)
+	    return SECFailure;
+
+	/* the CHILD encoder needs to hand its encoded data to the CURRENT encoder
+	 * (which will encrypt and/or digest it)
+	 * this needs to route back into our update function
+	 * which finds the lowest encoding context & encrypts and computes digests */
+	childp7ecx->type = childtype;
+	childp7ecx->content = cinfo->content;
+	/* use the non-recursive update function here, of course */
+	childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update;
+	childp7ecx->output.outputarg = p7ecx;
+	childp7ecx->output.destpoolp = NULL;
+	childp7ecx->output.dest = NULL;
+	childp7ecx->cmsg = p7ecx->cmsg;
+
+	template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);
+	if (template == NULL)
+	    goto loser;		/* cannot happen */
+
+	/* now initialize the data for encoding the first third */
+	switch (childp7ecx->type) {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
+	    break;
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	    rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
+	    break;
+	case SEC_OID_PKCS7_DIGESTED_DATA:
+	    rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
+	    break;
+	case SEC_OID_PKCS7_DATA:
+	    rv = SECSuccess;
+	    break;
+	default:
+	    PORT_Assert(0);
+	    break;
+	}
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/*
+	 * Initialize the BER encoder.
+	 */
+	childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template,
+					   nss_cms_encoder_out, &(childp7ecx->output));
+	if (childp7ecx->ecx == NULL)
+	    goto loser;
+
+	childp7ecx->ecxupdated = PR_FALSE;
+
+	/*
+	 * Indicate that we are streaming.  We will be streaming until we
+	 * get past the contents bytes.
+	 */
+	SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
+
+	/*
+	 * The notify function will watch for the contents field.
+	 */
+	SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);
+
+	/* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */
+	/* encoding process - we'll do that from the update function instead */
+	/* otherwise we'd be encoding data from a call of the notify function of the */
+	/* parent encoder (which would not work) */
+
+	/* this will kick off the encoding process & encode everything up to the content bytes,
+	 * at which point the notify function sets streaming mode (and possibly creates
+	 * another child encoder). */
+	if (SEC_ASN1EncoderUpdate(childp7ecx->ecx, NULL, 0) != SECSuccess)
+	    goto loser;
+
+	p7ecx->childp7ecx = childp7ecx;
+	break;
+
+    case SEC_OID_PKCS7_DATA:
+	p7ecx->childp7ecx = NULL;
+	break;
+    default:
+	/* we do not know this type */
+	p7ecx->error = SEC_ERROR_BAD_DER;
+	break;
+    }
+
+    return SECSuccess;
+
+loser:
+    if (childp7ecx) {
+	if (childp7ecx->ecx)
+	    SEC_ASN1EncoderFinish(childp7ecx->ecx);
+	PORT_Free(childp7ecx);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+nss_cms_after_data(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+
+    switch (p7ecx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* this will finish the digests and sign */
+	rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* do nothing */
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_encoder_work_data - process incoming data
+ *
+ * (from the user or the next encoding layer)
+ * Here, we need to digest and/or encrypt, then pass it on
+ */
+static SECStatus
+nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final, PRBool innermost)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+
+    rv = SECSuccess;		/* may as well be optimistic */
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /* we got data (either from the caller, or from a lower level encoder) */
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+
+    /* Update the running digest. */
+    if (len && cinfo->digcx != NULL)
+	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
+
+    /* Encrypt this chunk. */
+    if (cinfo->ciphcx != NULL) {
+	unsigned int inlen;	/* length of data being encrypted */
+	unsigned int outlen;	/* length of encrypted data */
+	unsigned int buflen;	/* length available for encrypted data */
+
+	inlen = len;
+	buflen = NSS_CMSCipherContext_EncryptLength(cinfo->ciphcx, inlen, final);
+	if (buflen == 0) {
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Encrypt.
+	     */
+	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (final) {
+		len = 0;
+		goto done;
+	    }
+	    return rv;
+	}
+
+	if (dest != NULL)
+	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen);
+	else
+	    buf = (unsigned char*)PORT_Alloc(buflen);
+
+	if (buf == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, buf, &outlen, buflen,
+				   data, inlen, final);
+	    data = buf;
+	    len = outlen;
+	}
+	if (rv != SECSuccess)
+	    /* encryption or malloc failed? */
+	    return rv;
+    }
+
+
+    /*
+     * at this point (data,len) has everything we'd like to give to the CURRENT encoder
+     * (which will encode it, then hand it back to the user or the parent encoder)
+     * We don't encode the data if we're innermost and we're told not to include the data
+     */
+    if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != NULL))
+	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);
+
+done:
+
+    if (cinfo->ciphcx != NULL) {
+	if (dest != NULL) {
+	    dest->data = buf;
+	    dest->len = len;
+	} else if (buf != NULL) {
+	    PORT_Free (buf);
+	}
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_encoder_update - deliver encoded data to the next higher level
+ *
+ * no recursion here because we REALLY want to end up at the next higher encoder!
+ */
+static SECStatus
+nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
+{
+    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
+    return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * NSS_CMSEncoder_Start - set up encoding of a CMS message
+ *
+ * "cmsg" - message to encode
+ * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
+ *                           will not be called if NULL.
+ * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
+ * "destpoolp" - pool to allocate DER-encoded output in
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+NSSCMSEncoderContext *
+NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
+			NSSCMSContentCallback outputfn, void *outputarg,
+			SECItem *dest, PLArenaPool *destpoolp,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+{
+    NSSCMSEncoderContext *p7ecx;
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+
+    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
+					detached_digestalgs, detached_digests);
+
+    p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
+    if (p7ecx == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p7ecx->cmsg = cmsg;
+    p7ecx->output.outputfn = outputfn;
+    p7ecx->output.outputarg = outputarg;
+    p7ecx->output.dest = dest;
+    p7ecx->output.destpoolp = destpoolp;
+    p7ecx->type = SEC_OID_UNKNOWN;
+
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+    if (rv != SECSuccess) {
+	PORT_Free(p7ecx);
+	return NULL;
+    }
+
+    /* Initialize the BER encoder.
+     * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */
+    p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate,
+				       nss_cms_encoder_out, &(p7ecx->output));
+    if (p7ecx->ecx == NULL) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+    p7ecx->ecxupdated = PR_FALSE;
+
+    /*
+     * Indicate that we are streaming.  We will be streaming until we
+     * get past the contents bytes.
+     */
+    SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
+
+    /*
+     * The notify function will watch for the contents field.
+     */
+    SEC_ASN1EncoderSetNotifyProc(p7ecx->ecx, nss_cms_encoder_notify, p7ecx);
+
+    /* this will kick off the encoding process & encode everything up to the content bytes,
+     * at which point the notify function sets streaming mode (and possibly creates
+     * a child encoder). */
+    if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    return p7ecx;
+}
+
+/*
+ * NSS_CMSEncoder_Update - take content data delivery from the user
+ *
+ * "p7ecx" - encoder context
+ * "data" - content data
+ * "len" - length of content data
+ *
+ * need to find the lowest level (and call SEC_ASN1EncoderUpdate on the way down),
+ * then hand the data to the work_data fn
+ */
+SECStatus
+NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
+{
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag childtype;
+
+    if (p7ecx->error)
+	return SECFailure;
+
+    /* hand data to the innermost decoder */
+    if (p7ecx->childp7ecx) {
+	/* recursion here */
+	rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
+    } else {
+	/* we are at innermost decoder */
+	/* find out about our inner content type - must be data */
+	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+	if (childtype != SEC_OID_PKCS7_DATA)
+	    return SECFailure;
+	/* and we must not have preset data */
+	if (cinfo->content.data != NULL)
+	    return SECFailure;
+
+	/*  hand it the data so it can encode it (let DER trickle up the chain) */
+	rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * NSS_CMSEncoder_Cancel - stop all encoding
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+SECStatus
+NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+
+    /* XXX do this right! */
+
+    /*
+     * Finish any inner decoders before us so that all the encoded data is flushed
+     * This basically finishes all the decoders from the innermost to the outermost.
+     * Finishing an inner decoder may result in data being updated to the outer decoder
+     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
+     */
+    if (p7ecx->childp7ecx) {
+	rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
+	/* remember rv for now */
+    }
+
+    /*
+     * On the way back up, there will be no more data (if we had an
+     * inner encoder, it is done now!)
+     * Flush out any remaining data and/or finish digests.
+     */
+    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
+    if (rv != SECSuccess)
+	goto loser;
+
+    p7ecx->childp7ecx = NULL;
+
+    /* kick the encoder back into working mode again.
+     * We turn off streaming stuff (which will cause the encoder to continue
+     * encoding happily, now that we have all the data (like digests) ready for it).
+     */
+    SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
+    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
+
+    /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
+    rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
+
+loser:
+    SEC_ASN1EncoderFinish(p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+/*
+ * NSS_CMSEncoder_Finish - signal the end of data
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+SECStatus
+NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag childtype;
+
+    /*
+     * Finish any inner decoders before us so that all the encoded data is flushed
+     * This basically finishes all the decoders from the innermost to the outermost.
+     * Finishing an inner decoder may result in data being updated to the outer decoder
+     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
+     */
+    if (p7ecx->childp7ecx) {
+	rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /*
+     * On the way back up, there will be no more data (if we had an
+     * inner encoder, it is done now!)
+     * Flush out any remaining data and/or finish digests.
+     */
+    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
+    if (rv != SECSuccess)
+	goto loser;
+
+    p7ecx->childp7ecx = NULL;
+
+    /* find out about our inner content type - must be data */
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
+	SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
+	/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
+	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
+    }
+
+    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
+
+    if (p7ecx->error)
+	rv = SECFailure;
+
+loser:
+    SEC_ASN1EncoderFinish(p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
new file mode 100644
index 000000000..c575a995e
--- /dev/null
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -0,0 +1,421 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS envelopedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * NSS_CMSEnvelopedData_Create - create an enveloped data message
+ */
+NSSCMSEnvelopedData *
+NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
+{
+    void *mark;
+    NSSCMSEnvelopedData *envd;
+    PLArenaPool *poolp;
+    SECStatus rv;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    envd = (NSSCMSEnvelopedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEnvelopedData));
+    if (envd == NULL)
+	goto loser;
+
+    envd->cmsg = cmsg;
+
+    /* version is set in NSS_CMSEnvelopedData_Encode_BeforeStart() */
+
+    rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), algorithm, NULL, keysize);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return envd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
+ */
+void
+NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp)
+{
+    NSSCMSRecipientInfo **recipientinfos;
+    NSSCMSRecipientInfo *ri;
+
+    if (edp == NULL)
+	return;
+
+    recipientinfos = edp->recipientInfos;
+    if (recipientinfos == NULL)
+	return;
+
+    while ((ri = *recipientinfos++) != NULL)
+	NSS_CMSRecipientInfo_Destroy(ri);
+
+   NSS_CMSContentInfo_Destroy(&(edp->contentInfo));
+
+}
+
+/*
+ * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
+ */
+NSSCMSContentInfo *
+NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd)
+{
+    return &(envd->contentInfo);
+}
+
+/*
+ * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
+ *
+ * rip must be created on the same pool as edp - this is not enforced, though.
+ */
+SECStatus
+NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip)
+{
+    void *mark;
+    SECStatus rv;
+
+    /* XXX compare pools, if not same, copy rip into edp's pool */
+
+    PR_ASSERT(edp != NULL);
+    PR_ASSERT(rip != NULL);
+
+    mark = PORT_ArenaMark(edp->cmsg->poolp);
+
+    rv = NSS_CMSArray_Add(edp->cmsg->poolp, (void ***)&(edp->recipientInfos), (void *)rip);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(edp->cmsg->poolp, mark);
+	return SECFailure;
+    }
+
+    PORT_ArenaUnmark (edp->cmsg->poolp, mark);
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
+ *
+ * at this point, we need
+ * - recipientinfos set up with recipient's certificates
+ * - a content encryption algorithm (if none, 3DES will be used)
+ *
+ * this function will generate a random content encryption key (aka bulk key),
+ * initialize the recipientinfos with certificate identification and wrap the bulk key
+ * using the proper algorithm for every certificiate.
+ * it will finally set the bulk algorithm and key so that the encode step can find it.
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
+{
+    int version;
+    NSSCMSRecipientInfo **recipientinfos;
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey = NULL;
+    SECOidTag bulkalgtag;
+    CK_MECHANISM_TYPE type;
+    PK11SlotInfo *slot;
+    SECStatus rv;
+    SECItem *dummy;
+    PLArenaPool *poolp;
+    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+    void *mark = NULL;
+    int i;
+
+    poolp = envd->cmsg->poolp;
+    cinfo = &(envd->contentInfo);
+
+    recipientinfos = envd->recipientInfos;
+    if (recipientinfos == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("Cannot find recipientinfos to encode.");
+#endif
+	goto loser;
+    }
+
+    version = NSS_CMS_ENVELOPED_DATA_VERSION_REG;
+    if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) {
+	version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
+    } else {
+	for (i = 0; recipientinfos[i] != NULL; i++) {
+	    if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) {
+		version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
+		break;
+	    }
+	}
+    }
+    dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version);
+    if (dummy == NULL)
+	goto loser;
+
+    /* now we need to have a proper content encryption algorithm
+     * on the SMIME level, we would figure one out by looking at SMIME capabilities
+     * we cannot do that on our level, so if none is set already, we'll just go
+     * with one of the mandatory algorithms (3DES) */
+    if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) {
+	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168);
+	if (rv != SECSuccess)
+	    goto loser;
+	bulkalgtag = SEC_OID_DES_EDE3_CBC;
+    } 
+
+    /* generate a random bulk key suitable for content encryption alg */
+    type = PK11_AlgtagToMechanism(bulkalgtag);
+    slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg);
+    if (slot == NULL)
+	goto loser;	/* error has been set by PK11_GetBestSlot */
+
+    /* this is expensive... */
+    bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg);
+    PK11_FreeSlot(slot);
+    if (bulkkey == NULL)
+	goto loser;	/* error has been set by PK11_KeyGen */
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* Encrypt the bulk key with the public key of each recipient.  */
+    for (i = 0; recipientinfos[i] != NULL; i++) {
+	rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag);
+	if (rv != SECSuccess)
+	    goto loser;	/* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */
+	    		/* could be: alg not supported etc. */
+    }
+
+    /* the recipientinfos are all finished. now sort them by DER for SET OF encoding */
+    rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL);
+    if (rv != SECSuccess)
+	goto loser;	/* error has been set by NSS_CMSArray_SortByDER */
+
+    /* store the bulk key in the contentInfo so that the encoder can find it */
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    PORT_ArenaUnmark(poolp, mark);
+
+    PK11_FreeSymKey(bulkkey);
+
+    return SECSuccess;
+
+loser:
+    if (mark != NULL)
+	PORT_ArenaRelease (poolp, mark);
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
+ *
+ * it is essential that this is called before the contentEncAlg is encoded, because
+ * setting up the encryption may generate IVs and thus change it!
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
+{
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey;
+    SECAlgorithmID *algid;
+
+    cinfo = &(envd->contentInfo);
+
+    /* find bulkkey and algorithm - must have been set by NSS_CMSEnvelopedData_Encode_BeforeStart */
+    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
+    if (bulkkey == NULL)
+	return SECFailure;
+    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+    if (algid == NULL)
+	return SECFailure;
+
+    /* this may modify algid (with IVs generated in a token).
+     * it is essential that algid is a pointer to the contentEncAlg data, not a
+     * pointer to a copy! */
+    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
+    PK11_FreeSymKey(bulkkey);
+    if (cinfo->ciphcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd)
+{
+    if (envd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
+	envd->contentInfo.ciphcx = NULL;
+    }
+
+    /* nothing else to do after data */
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
+ * derive bulk key & set up our contentinfo
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
+{
+    NSSCMSRecipientInfo *ri;
+    PK11SymKey *bulkkey = NULL;
+    SECOidTag bulkalgtag;
+    SECAlgorithmID *bulkalg;
+    SECStatus rv = SECFailure;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSRecipient **recipient_list = NULL;
+    NSSCMSRecipient *recipient;
+    int rlIndex;
+
+    if (NSS_CMSArray_Count((void **)envd->recipientInfos) == 0) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("No recipient data in envelope.");
+#endif
+	goto loser;
+    }
+
+    /* look if one of OUR cert's issuerSN is on the list of recipients, and if so,  */
+    /* get the cert and private key for it right away */
+    recipient_list = nss_cms_recipient_list_create(envd->recipientInfos);
+    if (recipient_list == NULL)
+	goto loser;
+
+    /* what about multiple recipientInfos that match?
+     * especially if, for some reason, we could not produce a bulk key with the first match?!
+     * we could loop & feed partial recipient_list to PK11_FindCertAndKeyByRecipientList...
+     * maybe later... */
+    rlIndex = PK11_FindCertAndKeyByRecipientListNew(recipient_list, envd->cmsg->pwfn_arg);
+
+    /* if that fails, then we're not an intended recipient and cannot decrypt */
+    if (rlIndex < 0) {
+	PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT);
+#if 0
+	PORT_SetErrorString("Cannot decrypt data because proper key cannot be found.");
+#endif
+	goto loser;
+    }
+
+    recipient = recipient_list[rlIndex];
+    if (!recipient->cert || !recipient->privkey) {
+	/* XXX should set an error code ?!? */
+	goto loser;
+    }
+    /* get a pointer to "our" recipientinfo */
+    ri = envd->recipientInfos[recipient->riIndex];
+
+    cinfo = &(envd->contentInfo);
+    bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
+    if (bulkalgtag == SEC_OID_UNKNOWN) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+    } else 
+	bulkkey = 
+	    NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex,
+						    recipient->cert,
+						    recipient->privkey,
+						    bulkalgtag);
+    if (bulkkey == NULL) {
+	/* no success finding a bulk key */
+	goto loser;
+    }
+
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+
+    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
+    if (cinfo->ciphcx == NULL)
+	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
+
+
+    rv = SECSuccess;
+
+loser:
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+    if (recipient_list != NULL)
+	nss_cms_recipient_list_destroy(recipient_list);
+    return rv;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd)
+{
+    if (envd && envd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
+	envd->contentInfo.ciphcx = NULL;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd)
+{
+    /* apply final touches */
+    return SECSuccess;
+}
+
diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h
new file mode 100644
index 000000000..666eeb033
--- /dev/null
+++ b/security/nss/lib/smime/cmslocal.h
@@ -0,0 +1,346 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support routines for CMS implementation, none of which are exported.
+ *
+ * Do not export this file!  If something in here is really needed outside
+ * of smime code, first try to add a CMS interface which will do it for
+ * you.  If that has a problem, then just move out what you need, changing
+ * its name as appropriate!
+ *
+ * $Id$
+ */
+
+#ifndef _CMSLOCAL_H_
+#define _CMSLOCAL_H_
+
+#include "cms.h"
+#include "cmsreclist.h"
+#include "secasn1t.h"
+
+extern const SEC_ASN1Template NSSCMSContentInfoTemplate[];
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/***********************************************************************
+ * cmscipher.c - en/decryption routines
+ ***********************************************************************/
+
+/*
+ * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
+ * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
+ */
+extern NSSCMSCipherContext *
+NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid);
+
+/*
+ * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
+ * based on the given bulk encryption key and algorithm tag.  Fill in the algorithm
+ * identifier (which may include an iv) appropriately.
+ */
+extern NSSCMSCipherContext *
+NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid);
+
+extern void
+NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc);
+
+/*
+ * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ */
+extern unsigned int
+NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
+
+/*
+ * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.
+ */
+extern unsigned int
+NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
+
+/*
+ * NSS_CMSCipherContext_Decrypt - do the decryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Decrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
+ * When "final" is true, this is the last of the data to be decrypted.
+ */ 
+extern SECStatus
+NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final);
+
+/*
+ * NSS_CMSCipherContext_Encrypt - do the encryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Encrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
+ * When "final" is true, this is the last of the data to be encrypted.
+ */ 
+extern SECStatus
+NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final);
+
+/************************************************************************
+ * cmspubkey.c - public key operations
+ ************************************************************************/
+
+/*
+ * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
+ *
+ * this function takes a symmetric key and encrypts it using an RSA public key
+ * according to PKCS#1 and RFC2633 (S/MIME)
+ */
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert,
+                              PK11SymKey *key,
+                              SECItem *encKey);
+
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp,
+                                    SECKEYPublicKey *publickey,
+                                    PK11SymKey *bulkkey, SECItem *encKey);
+
+/*
+ * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
+ *
+ * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
+ * key handle. Please note that the actual unwrapped key data may not be allowed to leave
+ * a hardware token...
+ */
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
+
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg);
+
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey,
+			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
+
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
+			SECItem *originatorPubKey);
+
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
+			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
+
+/************************************************************************
+ * cmsreclist.c - recipient list stuff
+ ************************************************************************/
+extern NSSCMSRecipient **nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos);
+extern void nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list);
+extern NSSCMSRecipientEncryptedKey *NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp);
+
+/************************************************************************
+ * cmsarray.c - misc array functions
+ ************************************************************************/
+/*
+ * NSS_CMSArray_Alloc - allocate an array in an arena
+ */
+extern void **
+NSS_CMSArray_Alloc(PRArenaPool *poolp, int n);
+
+/*
+ * NSS_CMSArray_Add - add an element to the end of an array
+ */
+extern SECStatus
+NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj);
+
+/*
+ * NSS_CMSArray_IsEmpty - check if array is empty
+ */
+extern PRBool
+NSS_CMSArray_IsEmpty(void **array);
+
+/*
+ * NSS_CMSArray_Count - count number of elements in array
+ */
+extern int
+NSS_CMSArray_Count(void **array);
+
+/*
+ * NSS_CMSArray_Sort - sort an array ascending, in place
+ *
+ * If "secondary" is not NULL, the same reordering gets applied to it.
+ * If "tertiary" is not NULL, the same reordering gets applied to it.
+ * "compare" is a function that returns 
+ *  < 0 when the first element is less than the second
+ *  = 0 when the first element is equal to the second
+ *  > 0 when the first element is greater than the second
+ */
+extern void
+NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary);
+
+/************************************************************************
+ * cmsattr.c - misc attribute functions
+ ************************************************************************/
+/*
+ * NSS_CMSAttribute_Create - create an attribute
+ *
+ * if value is NULL, the attribute won't have a value. It can be added later
+ * with NSS_CMSAttribute_AddValue.
+ */
+extern NSSCMSAttribute *
+NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded);
+
+/*
+ * NSS_CMSAttribute_AddValue - add another value to an attribute
+ */
+extern SECStatus
+NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value);
+
+/*
+ * NSS_CMSAttribute_GetType - return the OID tag
+ */
+extern SECOidTag
+NSS_CMSAttribute_GetType(NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttribute_GetValue - return the first attribute value
+ *
+ * We do some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+extern SECItem *
+NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
+ */
+extern PRBool
+NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av);
+
+/*
+ * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
+ *
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+extern SECItem *
+NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest);
+
+/*
+ * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
+ *
+ * make sure that the order of the attributes guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in attrs).
+ */
+extern SECStatus
+NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs);
+
+/*
+ * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
+ * find one that matches the specified object ID.
+ *
+ * If "only" is true, then make sure that there is not more than one attribute
+ * of the same type.  Otherwise, just return the first one found. (XXX Does
+ * anybody really want that first-found behavior?  It was like that when I found it...)
+ */
+extern NSSCMSAttribute *
+NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only);
+
+/*
+ * NSS_CMSAttributeArray_AddAttr - add an attribute to an
+ * array of attributes. 
+ */
+extern SECStatus
+NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
+ */
+extern SECStatus
+NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded);
+
+/*
+ * NSS_CMSSignedData_AddTempCertificate - add temporary certificate references.
+ * They may be needed for signature verification on the data, for example.
+ */
+extern SECStatus
+NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _CMSLOCAL_H_ */
diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c
new file mode 100644
index 000000000..1b3d69c74
--- /dev/null
+++ b/security/nss/lib/smime/cmsmessage.c
@@ -0,0 +1,321 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS message methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSMessage_Create - create a CMS message object
+ *
+ * "poolp" - arena to allocate memory from, or NULL if new arena should be created
+ */
+NSSCMSMessage *
+NSS_CMSMessage_Create(PLArenaPool *poolp)
+{
+    void *mark = NULL;
+    NSSCMSMessage *cmsg;
+    PRBool poolp_is_ours = PR_FALSE;
+
+    if (poolp == NULL) {
+	poolp = PORT_NewArena (1024);           /* XXX what is right value? */
+	if (poolp == NULL)
+	    return NULL;
+	poolp_is_ours = PR_TRUE;
+    } 
+
+    if (!poolp_is_ours)
+	mark = PORT_ArenaMark(poolp);
+
+    cmsg = (NSSCMSMessage *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSMessage));
+    if (cmsg == NULL) {
+	if (!poolp_is_ours) {
+	    if (mark) {
+		PORT_ArenaRelease(poolp, mark);
+	    }
+	} else
+	    PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cmsg->poolp = poolp;
+    cmsg->poolp_is_ours = poolp_is_ours;
+    cmsg->refCount = 1;
+
+    if (mark)
+	PORT_ArenaUnmark(poolp, mark);
+
+    return cmsg;
+}
+
+/*
+ * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
+ *
+ * "cmsg" - message object
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+void
+NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+{
+    if (pwfn)
+	PK11_SetPasswordFunc(pwfn);
+    cmsg->pwfn_arg = pwfn_arg;
+    cmsg->decrypt_key_cb = decrypt_key_cb;
+    cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
+    cmsg->detached_digestalgs = detached_digestalgs;
+    cmsg->detached_digests = detached_digests;
+}
+
+/*
+ * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
+ */
+void
+NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+{
+    PORT_Assert (cmsg->refCount > 0);
+    if (cmsg->refCount <= 0)	/* oops */
+	return;
+
+    cmsg->refCount--;		/* thread safety? */
+    if (cmsg->refCount > 0)
+	return;
+
+    NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
+
+    /* if poolp is not NULL, cmsg is the owner of its arena */
+    if (cmsg->poolp_is_ours)
+	PORT_FreeArena (cmsg->poolp, PR_FALSE);	/* XXX clear it? */
+}
+
+/*
+ * NSS_CMSMessage_Copy - return a copy of the given message. 
+ *
+ * The copy may be virtual or may be real -- either way, the result needs
+ * to be passed to NSS_CMSMessage_Destroy later (as does the original).
+ */
+NSSCMSMessage *
+NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+{
+    if (cmsg == NULL)
+	return NULL;
+
+    PORT_Assert (cmsg->refCount > 0);
+
+    cmsg->refCount++; /* XXX chrisk thread safety? */
+    return cmsg;
+}
+
+/*
+ * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
+ */
+PLArenaPool *
+NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+{
+    return cmsg->poolp;
+}
+
+/*
+ * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+{
+    return &(cmsg->contentInfo);
+}
+
+/*
+ * Return a pointer to the actual content. 
+ * In the case of those types which are encrypted, this returns the *plain* content.
+ * In case of nested contentInfos, this descends and retrieves the innermost content.
+ */
+SECItem *
+NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
+{
+    /* this is a shortcut */
+    NSSCMSContentInfo * cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+    SECItem           * pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
+    return pItem;
+}
+
+/*
+ * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
+ *
+ * CMS data content objects do not count.
+ */
+int
+NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
+{
+    int count = 0;
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; ) {
+	count++;
+	cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
+    }
+    return count;
+}
+
+/*
+ * NSS_CMSMessage_ContentLevel - find content level #n
+ *
+ * CMS data content objects do not count.
+ */
+NSSCMSContentInfo *
+NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
+{
+    int count = 0;
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+	count++;
+    }
+
+    return cinfo;
+}
+
+/*
+ * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
+ */
+PRBool
+NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* descend into CMS message */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+	if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	    continue;	/* next level */
+	
+	if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
+ */
+PRBool
+NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
+    {
+	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    return PR_TRUE;
+	default:
+	    break;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
+ *
+ * If the CMS message has a SignedData with a signature (not just a SignedData)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+PRBool
+NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
+    {
+	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
+		return PR_TRUE;
+	    break;
+	default:
+	    break;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsContentEmpty - see if content is empty
+ *
+ * returns PR_TRUE is innermost content length is < minLen
+ * XXX need the encrypted content length (why?)
+ */
+PRBool
+NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
+{
+    SECItem *item = NULL;
+
+    if (cmsg == NULL)
+	return PR_TRUE;
+
+    item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
+
+    if (!item) {
+	return PR_TRUE;
+    } else if(item->len <= minLen) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
new file mode 100644
index 000000000..144dd789d
--- /dev/null
+++ b/security/nss/lib/smime/cmspubkey.c
@@ -0,0 +1,565 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS public key crypto
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+/* ====== RSA ======================================================================= */
+
+/*
+ * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
+ *
+ * this function takes a symmetric key and encrypts it using an RSA public key
+ * according to PKCS#1 and RFC2633 (S/MIME)
+ */
+SECStatus
+NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, 
+                              PK11SymKey *bulkkey,
+                              SECItem *encKey)
+{
+    SECStatus rv;
+    SECKEYPublicKey *publickey;
+
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL)
+	return SECFailure;
+
+    rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, publickey, bulkkey, encKey);
+    SECKEY_DestroyPublicKey(publickey);
+    return rv;
+}
+
+SECStatus
+NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, 
+                                    SECKEYPublicKey *publickey, 
+                                    PK11SymKey *bulkkey, SECItem *encKey)
+{
+    SECStatus rv;
+    int data_len;
+    KeyType keyType;
+    void *mark = NULL;
+
+
+    mark = PORT_ArenaMark(poolp);
+    if (!mark)
+	goto loser;
+
+    /* sanity check */
+    keyType = SECKEY_GetPublicKeyType(publickey);
+    PORT_Assert(keyType == rsaKey);
+    if (keyType != rsaKey) {
+	goto loser;
+    }
+    /* allocate memory for the encrypted key */
+    data_len = SECKEY_PublicKeyStrength(publickey);	/* block size (assumed to be > keylen) */
+    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len);
+    encKey->len = data_len;
+    if (encKey->data == NULL)
+	goto loser;
+
+    /* encrypt the key now */
+    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(SEC_OID_PKCS1_RSA_ENCRYPTION),
+				publickey, bulkkey, encKey);
+
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    if (mark) {
+	PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
+ *
+ * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
+ * key handle. Please note that the actual unwrapped key data may not be allowed to leave
+ * a hardware token...
+ */
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag)
+{
+    /* that's easy */
+    CK_MECHANISM_TYPE target;
+    PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN);
+    target = PK11_AlgtagToMechanism(bulkalgtag);
+    if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+    return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0);
+}
+
+/* ====== MISSI (Fortezza) ========================================================== */
+
+extern const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[];
+
+SECStatus
+NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
+			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg)
+{
+    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
+    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
+    SECStatus rv = SECFailure;
+    SECItem *params = NULL;
+    SECStatus err;
+    PK11SymKey *tek;
+    CERTCertificate *ourCert;
+    SECKEYPublicKey *ourPubKey, *publickey = NULL;
+    SECKEYPrivateKey *ourPrivKey = NULL;
+    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
+    NSSCMSSMIMEKEAParameters keaParams;
+    PLArenaPool *arena = NULL;
+    extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);
+
+    /* Clear keaParams, since cleanup code checks the lengths */
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
+		certalgtag == SEC_OID_MISSI_KEA_DSS ||
+		certalgtag == SEC_OID_MISSI_KEA);
+
+#define SMIME_FORTEZZA_RA_LENGTH 128
+#define SMIME_FORTEZZA_IV_LENGTH 24
+#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
+
+    /* We really want to show our KEA tag as the key exchange algorithm tag. */
+    encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
+
+    /* Get the public key of the recipient. */
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL) goto loser;
+
+    /* Find our own cert, and extract its keys. */
+    ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
+    if (ourCert == NULL) goto loser;
+
+    arena = PORT_NewArena(1024);
+    if (arena == NULL)
+	goto loser;
+
+    ourPubKey = CERT_ExtractPublicKey(ourCert);
+    if (ourPubKey == NULL) {
+	CERT_DestroyCertificate(ourCert);
+	goto loser;
+    }
+
+    /* While we're here, copy the public key into the outgoing
+     * KEA parameters. */
+    SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
+    SECKEY_DestroyPublicKey(ourPubKey);
+    ourPubKey = NULL;
+
+    /* Extract our private key in order to derive the KEA key. */
+    ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
+    CERT_DestroyCertificate(ourCert); /* we're done with this */
+    if (!ourPrivKey)
+	goto loser;
+
+    /* Prepare raItem with 128 bytes (filled with zeros). */
+    keaParams.originatorRA.data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
+    keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
+
+    /* Generate the TEK (token exchange key) which we use
+     * to wrap the bulk encryption key. (keaparams.originatorRA) will be
+     * filled with a random seed which we need to send to
+     * the recipient. (user keying material in RFC2630/DSA speak) */
+    tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0,  pwfn_arg);
+
+    SECKEY_DestroyPublicKey(publickey);
+    SECKEY_DestroyPrivateKey(ourPrivKey);
+    publickey = NULL;
+    ourPrivKey = NULL;
+    
+    if (!tek)
+	goto loser;
+
+    /* allocate space for the wrapped key data */
+    encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+    if (encKey->data == NULL) {
+	PK11_FreeSymKey(tek);
+	goto loser;
+    }
+
+    /* Wrap the bulk key. What we do with the resulting data
+       depends on whether we're using Skipjack to wrap the key. */
+    switch (PK11_AlgtagToMechanism(symalgtag)) {
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	/* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
+	err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    default:
+	/* Not SKIPJACK, we encrypt the raw key data */
+	keaParams.nonSkipjackIV.data = 
+	  (unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
+	keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
+	err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
+	if (err != SECSuccess)
+	    goto loser;
+
+	if (encKey->len != PK11_GetKeyLength(bulkkey)) {
+	    /* The size of the encrypted key is not the same as
+	       that of the original bulk key, presumably due to
+	       padding. Encode and store the real size of the
+	       bulk key. */
+	    if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
+		err = (SECStatus)PORT_GetError();
+	    else
+		/* use full template for encoding */
+		whichKEA = NSSCMSKEAUsesNonSkipjackWithPaddedEncKey;
+	}
+	else
+	    /* enc key length == bulk key length */
+	    whichKEA = NSSCMSKEAUsesNonSkipjack; 
+	break;
+    }
+
+    PK11_FreeSymKey(tek);
+
+    if (err != SECSuccess)
+	goto loser;
+
+    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
+    /* Encode the KEA parameters into the recipient info. */
+    params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
+    if (params == NULL)
+	goto loser;
+
+    /* pass back the algorithm params */
+    *pparams = params;
+
+    rv = SECSuccess;
+
+loser:
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+    if (publickey)
+        SECKEY_DestroyPublicKey(publickey);
+    if (ourPrivKey)
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    return rv;
+}
+
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+    /* fortezza: do a key exchange */
+    SECStatus err;
+    CK_MECHANISM_TYPE bulkType;
+    PK11SymKey *tek;
+    SECKEYPublicKey *originatorPubKey;
+    NSSCMSSMIMEKEAParameters keaParams;
+    PK11SymKey *bulkkey;
+    int bulkLength;
+
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
+       All additional KEA parameters are DER-encoded in the encryption algorithm parameters */
+
+    /* Decode the KEA algorithm parameters. */
+    err = SEC_ASN1DecodeItem(NULL, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
+			     &(keyEncAlg->parameters));
+    if (err != SECSuccess)
+	goto loser;
+
+    /* get originator's public key */
+   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+			   keaParams.originatorKEAKey.len);
+   if (originatorPubKey == NULL)
+	  goto loser;
+    
+   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+      The Derive function generates a shared secret and combines it with the originatorRA
+      data to come up with an unique session key */
+   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, pwfn_arg);
+   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
+   if (tek == NULL)
+	goto loser;
+    
+    /* Now that we have the TEK, unwrap the bulk key
+       with which to decrypt the message. We have to
+       do one of two different things depending on 
+       whether Skipjack was used for *bulk* encryption 
+       of the message. */
+    bulkType = PK11_AlgtagToMechanism(bulkalgtag);
+    switch (bulkType) {
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	/* Skipjack is being used as the bulk encryption algorithm.*/
+	/* Unwrap the bulk key. */
+	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+				    encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+	break;
+    default:
+	/* Skipjack was not used for bulk encryption of this
+	   message. Use Skipjack CBC64, with the nonSkipjackIV
+	   part of the KEA key parameters, to decrypt 
+	   the bulk key. If the optional parameter bulkKeySize is present,
+	   bulk key size is different than the encrypted key size */
+	if (keaParams.bulkKeySize.len > 0) {
+	    err = SEC_ASN1DecodeItem(NULL, &bulkLength,
+				     SEC_ASN1_GET(SEC_IntegerTemplate),
+				     &keaParams.bulkKeySize);
+	    if (err != SECSuccess)
+		goto loser;
+	}
+	
+	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, 
+				    encKey, bulkType, CKA_DECRYPT, bulkLength);
+	break;
+    }
+    return bulkkey;
+loser:
+    return NULL;
+}
+
+/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
+
+SECStatus
+NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
+			SECItem *pubKey)
+{
+#if 0 /* not yet done */
+    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
+    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
+    SECStatus rv;
+    SECItem *params = NULL;
+    int data_len;
+    SECStatus err;
+    PK11SymKey *tek;
+    CERTCertificate *ourCert;
+    SECKEYPublicKey *ourPubKey;
+    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
+
+    /* We really want to show our KEA tag as the key exchange algorithm tag. */
+    encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
+
+    /* Get the public key of the recipient. */
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL) goto loser;
+
+    /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
+    /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
+    if (ourCert == NULL) goto loser;
+
+    arena = PORT_NewArena(1024);
+    if (arena == NULL) goto loser;
+
+    /* While we're here, extract the key pair's public key data and copy it into */
+    /* the outgoing parameters. */
+    /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
+    if (ourPubKey == NULL)
+    {
+	goto loser;
+    }
+    SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
+    SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
+    ourPubKey = NULL;
+
+    /* Extract our private key in order to derive the KEA key. */
+    ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
+    CERT_DestroyCertificate(ourCert); /* we're done with this */
+    if (!ourPrivKey) goto loser;
+
+    /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
+    if (ukm) {
+	ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
+	ukm->len = /* XXXX */;
+    }
+
+    /* Generate the KEK (key exchange key) according to RFC2631 which we use
+     * to wrap the bulk encryption key. */
+    kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+			 ukm, NULL,
+			 /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, wincx);
+
+    SECKEY_DestroyPublicKey(publickey);
+    SECKEY_DestroyPrivateKey(ourPrivKey);
+    publickey = NULL;
+    ourPrivKey = NULL;
+    
+    if (!kek)
+	goto loser;
+
+    /* allocate space for the encrypted CEK (bulk key) */
+    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+    if (encKey->data == NULL)
+    {
+	PK11_FreeSymKey(kek);
+	goto loser;
+    }
+
+
+    /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
+    /* bulk encryption algorithm */
+    switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
+    {
+    case /* XXXX */CKM_SKIPJACK_CFB8:
+	err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    case /* XXXX */CKM_SKIPJACK_CFB8:
+	err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    default:
+	/* XXXX what do we do here? Neither RC2 nor 3DES... */
+        err = SECFailure;
+        /* set error */
+	break;
+    }
+
+    PK11_FreeSymKey(kek);	/* we do not need the KEK anymore */
+    if (err != SECSuccess)
+	goto loser;
+
+    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
+    /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
+    /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
+    params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
+    if (params == NULL)
+	goto loser;
+
+    /* now set keyEncAlg */
+    rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* XXXXXXX this is not right yet */
+loser:
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (publickey) {
+        SECKEY_DestroyPublicKey(publickey);
+    }
+    if (ourPrivKey) {
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    }
+#endif
+    return SECFailure;
+}
+
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+#if 0 /* not yet done */
+    SECStatus err;
+    CK_MECHANISM_TYPE bulkType;
+    PK11SymKey *tek;
+    SECKEYPublicKey *originatorPubKey;
+    NSSCMSSMIMEKEAParameters keaParams;
+
+   /* XXXX get originator's public key */
+   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+			   keaParams.originatorKEAKey.len);
+   if (originatorPubKey == NULL)
+      goto loser;
+    
+   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+      The Derive function generates a shared secret and combines it with the originatorRA
+      data to come up with an unique session key */
+   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, pwfn_arg);
+   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
+   if (tek == NULL)
+	goto loser;
+    
+    /* Now that we have the TEK, unwrap the bulk key
+       with which to decrypt the message. */
+    /* Skipjack is being used as the bulk encryption algorithm.*/
+    /* Unwrap the bulk key. */
+    bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+				encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+
+    return bulkkey;
+
+loser:
+#endif
+    return NULL;
+}
+
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
new file mode 100644
index 000000000..cd2ca16d5
--- /dev/null
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -0,0 +1,717 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS recipientInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+PRBool
+nss_cmsrecipientinfo_usessubjectkeyid(NSSCMSRecipientInfo *ri)
+{
+    if (ri->recipientInfoType == NSSCMSRecipientInfoID_KeyTrans) {
+	NSSCMSRecipientIdentifier *rid;
+	rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
+	if (rid->identifierType == NSSCMSRecipientID_SubjectKeyID) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NOTE: fakeContent marks CMSMessage structure which is only used as a carrier
+ * of pwfn_arg and arena pools. In an ideal world, NSSCMSMessage would not have
+ * been exported, and we would have added an ordinary enum to handle this 
+ * check. Unfortunatly wo don't have that luxury so we are overloading the
+ * contentTypeTag field. NO code should every try to interpret this content tag
+ * as a real OID tag, or use any fields other than pwfn_arg or poolp of this 
+ * CMSMessage for that matter */
+static const SECOidData fakeContent;
+NSSCMSRecipientInfo *
+nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, 
+			    NSSCMSRecipientIDSelector type,
+                            CERTCertificate *cert, 
+			    SECKEYPublicKey *pubKey, 
+                            SECItem *subjKeyID, 
+			    void* pwfn_arg, 
+			    SECItem* DERinput)
+{
+    NSSCMSRecipientInfo *ri;
+    void *mark;
+    SECOidTag certalgtag;
+    SECStatus rv = SECSuccess;
+    NSSCMSRecipientEncryptedKey *rek;
+    NSSCMSOriginatorIdentifierOrKey *oiok;
+    unsigned long version;
+    SECItem *dummy;
+    PLArenaPool *poolp;
+    CERTSubjectPublicKeyInfo *spki, *freeSpki = NULL;
+    NSSCMSRecipientIdentifier *rid;
+    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+
+    if (!cmsg) {
+	/* a CMSMessage wasn't supplied, create a fake one to hold the pwfunc
+	 * and a private arena pool */
+	cmsg = NSS_CMSMessage_Create(NULL);
+        cmsg->pwfn_arg = pwfn_arg;
+	/* mark it as a special cms message */
+	cmsg->contentInfo.contentTypeTag = (SECOidData *)&fakeContent;
+    }
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    ri = (NSSCMSRecipientInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientInfo));
+    if (ri == NULL)
+	goto loser;
+
+    ri->cmsg = cmsg;
+
+    if (DERinput) {
+        /* decode everything from DER */
+        SECItem newinput;
+        SECStatus rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
+        if (SECSuccess != rv)
+            goto loser;
+        rv = SEC_QuickDERDecodeItem(poolp, ri, NSSCMSRecipientInfoTemplate, &newinput);
+        if (SECSuccess != rv)
+            goto loser;
+    }
+
+    switch (type) {
+        case NSSCMSRecipientID_IssuerSN:
+        {
+            ri->cert = CERT_DupCertificate(cert);
+            if (NULL == ri->cert)
+                goto loser;
+            spki = &(cert->subjectPublicKeyInfo);
+            break;
+        }
+        
+        case NSSCMSRecipientID_SubjectKeyID:
+        {
+            PORT_Assert(pubKey);
+            spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
+            break;
+        }
+
+	case NSSCMSRecipientID_BrandNew:
+	    goto done;
+	    break;
+
+        default:
+            /* unkown type */
+            goto loser;
+            break;
+    }
+
+    certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
+
+    rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
+    switch (certalgtag) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
+	rid->identifierType = type;
+	if (type == NSSCMSRecipientID_IssuerSN) {
+	    rid->id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
+	    if (rid->id.issuerAndSN == NULL) {
+	      break;
+	    }
+	} else if (type == NSSCMSRecipientID_SubjectKeyID){
+	    NSSCMSKeyTransRecipientInfoEx *riExtra;
+
+	    rid->id.subjectKeyID = PORT_ArenaNew(poolp, SECItem);
+	    if (rid->id.subjectKeyID == NULL) {
+		rv = SECFailure;
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		break;
+	    } 
+	    SECITEM_CopyItem(poolp, rid->id.subjectKeyID, subjKeyID);
+	    if (rid->id.subjectKeyID->data == NULL) {
+		rv = SECFailure;
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		break;
+	    }
+	    riExtra = &ri->ri.keyTransRecipientInfoEx;
+	    riExtra->version = 0;
+	    riExtra->pubKey = SECKEY_CopyPublicKey(pubKey);
+	    if (riExtra->pubKey == NULL) {
+		rv = SECFailure;
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		break;
+	    }
+	} else {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	}
+	break;
+    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
+	PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
+	if (type != NSSCMSRecipientID_IssuerSN) {
+	    rv = SECFailure;
+	    break;
+	}
+	/* a key agreement op */
+	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree;
+
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	/* we do not support the case where multiple recipients 
+	 * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys
+	 * in this case, we would need to walk all the recipientInfos, take the
+	 * ones that do KeyAgreement algorithms and join them, algorithm by algorithm
+	 * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */
+
+	/* only epheremal-static Diffie-Hellman is supported for now
+	 * this is the only form of key agreement that provides potential anonymity
+	 * of the sender, plus we do not have to include certs in the message */
+
+	/* force single recipientEncryptedKey for now */
+	if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	/* hardcoded IssuerSN choice for now */
+	rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN;
+	if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+
+	/* see RFC2630 12.3.1.1 */
+	oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey;
+
+	rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys,
+				    (void *)rek);
+
+	break;
+    default:
+	/* other algorithms not supported yet */
+	/* NOTE that we do not support any KEK algorithm */
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv == SECFailure)
+	goto loser;
+
+    /* set version */
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN)
+	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN;
+	else
+	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY;
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version),
+						NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* NOTE: this cannot happen as long as we do not support any KEK algorithm */
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version),
+						NSS_CMS_KEK_RECIPIENT_INFO_VERSION);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    
+    }
+
+done:
+    PORT_ArenaUnmark (poolp, mark);
+    if (freeSpki)
+      SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
+    return ri;
+
+loser:
+    if (ri && ri->cert) {
+        CERT_DestroyCertificate(ri->cert);
+    }
+    if (freeSpki) {
+      SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
+    }
+    PORT_ArenaRelease (poolp, mark);
+    if (cmsg->contentInfo.contentTypeTag == &fakeContent) {
+	NSS_CMSMessage_Destroy(cmsg);
+    }
+    return NULL;
+}
+
+/*
+ * NSS_CMSRecipientInfo_Create - create a recipientinfo
+ *
+ * we currently do not create KeyAgreement recipientinfos with multiple 
+ * recipientEncryptedKeys the certificate is supposed to have been 
+ * verified by the caller
+ */
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert)
+{
+    return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_IssuerSN, cert, 
+                                       NULL, NULL, NULL, NULL);
+}
+
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg)
+{
+    return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, 
+                                       NULL, NULL, pwfn_arg, NULL);
+}
+
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg)
+{
+    return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, 
+                                       NULL, NULL, pwfn_arg, input);
+}
+
+
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage   *cmsg, 
+                                     SECItem         *subjKeyID,
+                                     SECKEYPublicKey *pubKey)
+{
+    return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_SubjectKeyID, 
+                                       NULL, pubKey, subjKeyID, NULL, NULL);
+}
+
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg,
+                                             CERTCertificate *cert)
+{
+    SECKEYPublicKey *pubKey = NULL;
+    SECItem subjKeyID = {siBuffer, NULL, 0};
+    NSSCMSRecipientInfo *retVal = NULL;
+
+    if (!cmsg || !cert) {
+	return NULL;
+    }
+    pubKey = CERT_ExtractPublicKey(cert);
+    if (!pubKey) {
+	goto done;
+    }
+    if (CERT_FindSubjectKeyIDExtension(cert, &subjKeyID) != SECSuccess ||
+        subjKeyID.data == NULL) {
+	goto done;
+    }
+    retVal = NSS_CMSRecipientInfo_CreateWithSubjKeyID(cmsg, &subjKeyID, pubKey);
+done:
+    if (pubKey)
+	SECKEY_DestroyPublicKey(pubKey);
+
+    if (subjKeyID.data)
+	SECITEM_FreeItem(&subjKeyID, PR_FALSE);
+
+    return retVal;
+}
+
+void
+NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri)
+{
+    if (!ri) {
+        return;
+    }
+    /* version was allocated on the pool, so no need to destroy it */
+    /* issuerAndSN was allocated on the pool, so no need to destroy it */
+    if (ri->cert != NULL)
+	CERT_DestroyCertificate(ri->cert);
+
+    if (nss_cmsrecipientinfo_usessubjectkeyid(ri)) {
+	NSSCMSKeyTransRecipientInfoEx *extra;
+	extra = &ri->ri.keyTransRecipientInfoEx;
+	if (extra->pubKey)
+	    SECKEY_DestroyPublicKey(extra->pubKey);
+    }
+    if (ri->cmsg && ri->cmsg->contentInfo.contentTypeTag == &fakeContent) {
+	NSS_CMSMessage_Destroy(ri->cmsg);
+    }
+
+    /* we're done. */
+}
+
+int
+NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
+{
+    unsigned long version;
+    SECItem *versionitem = NULL;
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	/* ignore subIndex */
+	versionitem = &(ri->ri.keyTransRecipientInfo.version);
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* ignore subIndex */
+	versionitem = &(ri->ri.kekRecipientInfo.version);
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	versionitem = &(ri->ri.keyAgreeRecipientInfo.version);
+	break;
+    }
+
+    PORT_Assert(versionitem);
+    if (versionitem == NULL) 
+	return 0;
+
+    /* always take apart the SECItem */
+    if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess)
+	return 0;
+    else
+	return (int)version;
+}
+
+SECItem *
+NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
+{
+    SECItem *enckey = NULL;
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	/* ignore subIndex */
+	enckey = &(ri->ri.keyTransRecipientInfo.encKey);
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* ignore subIndex */
+	enckey = &(ri->ri.kekRecipientInfo.encKey);
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+	break;
+    }
+    return enckey;
+}
+
+
+SECOidTag
+NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
+{
+    SECOidTag encalgtag = SEC_OID_UNKNOWN; /* an invalid encryption alg */
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
+	break;
+    }
+    return encalgtag;
+}
+
+SECStatus
+NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, 
+                                 SECOidTag bulkalgtag)
+{
+    CERTCertificate *cert;
+    SECOidTag certalgtag;
+    SECStatus rv = SECSuccess;
+    NSSCMSRecipientEncryptedKey *rek;
+    NSSCMSOriginatorIdentifierOrKey *oiok;
+    CERTSubjectPublicKeyInfo *spki, *freeSpki = NULL;
+    PLArenaPool *poolp;
+    NSSCMSKeyTransRecipientInfoEx *extra = NULL;
+    PRBool usesSubjKeyID;
+
+    poolp = ri->cmsg->poolp;
+    cert = ri->cert;
+    usesSubjKeyID = nss_cmsrecipientinfo_usessubjectkeyid(ri);
+    if (cert) {
+	spki = &cert->subjectPublicKeyInfo;
+	certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
+    } else if (usesSubjKeyID) {
+	extra = &ri->ri.keyTransRecipientInfoEx;
+	/* sanity check */
+	PORT_Assert(extra->pubKey);
+	if (!extra->pubKey) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(extra->pubKey);
+	certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    } else {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* XXX set ri->recipientInfoType to the proper value here */
+    /* or should we look if it's been set already ? */
+
+    certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    switch (certalgtag) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	/* wrap the symkey */
+	if (cert) {
+	    rv = NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, 
+	                         &ri->ri.keyTransRecipientInfo.encKey);
+ 	    if (rv != SECSuccess)
+		break;
+	} else if (usesSubjKeyID) {
+	    PORT_Assert(extra != NULL);
+	    rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, extra->pubKey,
+	                         bulkkey, &ri->ri.keyTransRecipientInfo.encKey);
+ 	    if (rv != SECSuccess)
+		break;
+	}
+
+	rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
+	break;
+    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
+	rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
+	if (rek == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+	PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey);
+
+	/* see RFC2630 12.3.1.1 */
+	if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
+				    SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	/* this will generate a key pair, compute the shared secret, */
+	/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
+	/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
+	rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
+					&rek->encKey,
+					&ri->ri.keyAgreeRecipientInfo.ukm,
+					&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
+					&oiok->id.originatorPublicKey.publicKey);
+
+	break;
+    default:
+	/* other algorithms not supported yet */
+	/* NOTE that we do not support any KEK algorithm */
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	rv = SECFailure;
+	break;
+    }
+    if (freeSpki)
+	SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
+
+    return rv;
+}
+
+PK11SymKey *
+NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, 
+	CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag)
+{
+    PK11SymKey *bulkkey = NULL;
+    SECAlgorithmID *encalg;
+    SECOidTag encalgtag;
+    SECItem *enckey;
+    int error;
+
+    ri->cert = CERT_DupCertificate(cert);
+        	/* mark the recipientInfo so we can find it later */
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	encalg = &(ri->ri.keyTransRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */
+	switch (encalgtag) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    /* RSA encryption algorithm: */
+	    /* get the symmetric (bulk) key by unwrapping it using our private key */
+	    bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
+	    break;
+	case SEC_OID_NETSCAPE_SMIME_KEA:
+	    /* FORTEZZA key exchange algorithm */
+	    /* the supplemental data is in the parameters of encalg */
+	    bulkkey = NSS_CMSUtil_DecryptSymKey_MISSI(privkey, enckey, encalg, bulkalgtag, ri->cmsg->pwfn_arg);
+	    break;
+	default:
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    goto loser;
+	}
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	encalg = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+	switch (encalgtag) {
+	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	    /* Diffie-Helman key exchange */
+	    /* XXX not yet implemented */
+	    /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
+	    /* we support ephemeral-static DH only, so if the recipientinfo */
+	    /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
+	    /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
+	    /* content encryption key using a Unwrap op */
+	    /* the derive operation has to generate the key using the algorithm in RFC2631 */
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    break;
+	default:
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    goto loser;
+	}
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	encalg = &(ri->ri.kekRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.kekRecipientInfo.encKey);
+	/* not supported yet */
+	error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	goto loser;
+	break;
+    }
+    /* XXXX continue here */
+    return bulkkey;
+
+loser:
+    return NULL;
+}
+
+SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri,
+                                             CERTCertificate** retcert,
+                                             SECKEYPrivateKey** retkey)
+{
+    CERTCertificate* cert = NULL;
+    NSSCMSRecipient** recipients = NULL;
+    NSSCMSRecipientInfo* recipientInfos[2];
+    SECStatus rv = SECSuccess;
+    SECKEYPrivateKey* key = NULL;
+
+    if (!ri)
+        return SECFailure;
+    
+    if (!retcert && !retkey) {
+        /* nothing requested, nothing found, success */
+        return SECSuccess;
+    }
+
+    if (retcert) {
+        *retcert = NULL;
+    }
+    if (retkey) {
+        *retkey = NULL;
+    }
+
+    if (ri->cert) {
+        cert = CERT_DupCertificate(ri->cert);
+        if (!cert) {
+            rv = SECFailure;
+        }
+    }
+    if (SECSuccess == rv && !cert) {
+        /* we don't have the cert, we have to look for it */
+        /* first build an NSS_CMSRecipient */
+        recipientInfos[0] = ri;
+        recipientInfos[1] = NULL;
+
+        recipients = nss_cms_recipient_list_create(recipientInfos);
+        if (recipients) {
+            /* now look for the cert and key */
+            if (0 == PK11_FindCertAndKeyByRecipientListNew(recipients,
+                ri->cmsg->pwfn_arg)) {
+                cert = CERT_DupCertificate(recipients[0]->cert);
+                key = SECKEY_CopyPrivateKey(recipients[0]->privkey);
+            } else {
+                rv = SECFailure;
+            }
+
+            nss_cms_recipient_list_destroy(recipients);
+        }
+        else {
+            rv = SECFailure;
+        }            
+    } else if (SECSuccess == rv && cert && retkey) {
+        /* we have the cert, we just need the key now */
+        key = PK11_FindPrivateKeyFromCert(cert->slot, cert, ri->cmsg->pwfn_arg);
+    }
+    if (retcert) {
+        *retcert = cert;
+    } else {
+        if (cert) {
+            CERT_DestroyCertificate(cert);
+        }
+    }
+    if (retkey) {
+        *retkey = key;
+    } else {
+        if (key) {
+            SECKEY_DestroyPrivateKey(key);
+        }
+    }
+
+    return rv;
+}
+
+SECStatus NSS_CMSRecipientInfo_Encode(PRArenaPool* poolp,
+                                      const NSSCMSRecipientInfo *src,
+                                      SECItem* returned)
+{
+    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+    SECStatus rv = SECFailure;
+    if (!src || !returned) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    } else if (SEC_ASN1EncodeItem(poolp, returned, src,
+        NSSCMSRecipientInfoTemplate))   {
+        rv = SECSuccess;
+    }
+    return rv;
+}
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
new file mode 100644
index 000000000..61eb260be
--- /dev/null
+++ b/security/nss/lib/smime/cmsreclist.c
@@ -0,0 +1,201 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS recipient list functions
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+static int
+nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipient **recipient_list)
+{
+    int count = 0;
+    int rlindex = 0;
+    int i, j;
+    NSSCMSRecipient *rle;
+    NSSCMSRecipientInfo *ri;
+    NSSCMSRecipientEncryptedKey *rek;
+
+    for (i = 0; recipientinfos[i] != NULL; i++) {
+	ri = recipientinfos[i];
+	switch (ri->recipientInfoType) {
+	case NSSCMSRecipientInfoID_KeyTrans:
+	    if (recipient_list) {
+		NSSCMSRecipientIdentifier *recipId =
+		   &ri->ri.keyTransRecipientInfo.recipientIdentifier;
+
+		if (recipId->identifierType != NSSCMSRecipientID_IssuerSN &&
+                    recipId->identifierType != NSSCMSRecipientID_SubjectKeyID) {
+		    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		    return -1;
+		}                
+		/* alloc one & fill it out */
+		rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
+		if (!rle)
+		    return -1;
+		
+		rle->riIndex = i;
+		rle->subIndex = -1;
+		switch (recipId->identifierType) {
+		case NSSCMSRecipientID_IssuerSN:
+		    rle->kind = RLIssuerSN;
+		    rle->id.issuerAndSN = recipId->id.issuerAndSN;
+		    break;
+		case NSSCMSRecipientID_SubjectKeyID:
+		    rle->kind = RLSubjKeyID;
+		    rle->id.subjectKeyID = recipId->id.subjectKeyID;
+		    break;
+		default: /* we never get here because of identifierType check
+                            we done before. Leaving it to kill compiler warning */
+		    break;
+		}
+		recipient_list[rlindex++] = rle;
+	    } else {
+		count++;
+	    }
+	    break;
+	case NSSCMSRecipientInfoID_KeyAgree:
+	    if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL)
+		break;
+	    for (j=0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) {
+		if (recipient_list) {
+		    rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j];
+		    /* alloc one & fill it out */
+		    rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
+		    if (!rle)
+			return -1;
+		    
+		    rle->riIndex = i;
+		    rle->subIndex = j;
+		    switch (rek->recipientIdentifier.identifierType) {
+		    case NSSCMSKeyAgreeRecipientID_IssuerSN:
+			rle->kind = RLIssuerSN;
+			rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN;
+			break;
+		    case NSSCMSKeyAgreeRecipientID_RKeyID:
+			rle->kind = RLSubjKeyID;
+			rle->id.subjectKeyID = rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier;
+			break;
+		    }
+		    recipient_list[rlindex++] = rle;
+		} else {
+		    count++;
+		}
+	    }
+	    break;
+	case NSSCMSRecipientInfoID_KEK:
+	    /* KEK is not implemented */
+	    break;
+	}
+    }
+    /* if we have a recipient list, we return on success (-1, above, on failure) */
+    /* otherwise, we return the count. */
+    if (recipient_list) {
+	recipient_list[rlindex] = NULL;
+	return 0;
+    } else {
+	return count;
+    }
+}
+
+NSSCMSRecipient **
+nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos)
+{
+    int count, rv;
+    NSSCMSRecipient **recipient_list;
+
+    /* count the number of recipient identifiers */
+    count = nss_cms_recipients_traverse(recipientinfos, NULL);
+    if (count <= 0) {
+	/* no recipients? */
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("Cannot find recipient data in envelope.");
+#endif
+	return NULL;
+    }
+
+    /* allocate an array of pointers */
+    recipient_list = (NSSCMSRecipient **)
+		    PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *));
+    if (recipient_list == NULL)
+	return NULL;
+
+    /* now fill in the recipient_list */
+    rv = nss_cms_recipients_traverse(recipientinfos, recipient_list);
+    if (rv < 0) {
+	nss_cms_recipient_list_destroy(recipient_list);
+	return NULL;
+    }
+    return recipient_list;
+}
+
+void
+nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list)
+{
+    int i;
+    NSSCMSRecipient *recipient;
+
+    for (i=0; recipient_list[i] != NULL; i++) {
+	recipient = recipient_list[i];
+	if (recipient->cert)
+	    CERT_DestroyCertificate(recipient->cert);
+	if (recipient->privkey)
+	    SECKEY_DestroyPrivateKey(recipient->privkey);
+	if (recipient->slot)
+	    PK11_FreeSlot(recipient->slot);
+	PORT_Free(recipient);
+    }
+    PORT_Free(recipient_list);
+}
+
+NSSCMSRecipientEncryptedKey *
+NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp)
+{
+    return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientEncryptedKey));
+}
diff --git a/security/nss/lib/smime/cmsreclist.h b/security/nss/lib/smime/cmsreclist.h
new file mode 100644
index 000000000..ba3f39eda
--- /dev/null
+++ b/security/nss/lib/smime/cmsreclist.h
@@ -0,0 +1,62 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * $Id$
+ */
+
+#ifndef _CMSRECLIST_H
+#define _CMSRECLIST_H
+
+struct NSSCMSRecipientStr {
+    int				riIndex;	/* this recipient's index in recipientInfo array */
+    int				subIndex;	/* index into recipientEncryptedKeys */
+						/* (only in NSSCMSKeyAgreeRecipientInfoStr) */
+    enum {RLIssuerSN=0, RLSubjKeyID=1} kind;	/* for conversion recipientinfos -> recipientlist */
+    union {
+	CERTIssuerAndSN *	issuerAndSN;
+	SECItem *		subjectKeyID;
+    } id;
+
+    /* result data (filled out for each recipient that's us) */
+    CERTCertificate *		cert;
+    SECKEYPrivateKey *		privkey;
+    PK11SlotInfo *		slot;
+};
+
+typedef struct NSSCMSRecipientStr NSSCMSRecipient;
+
+#endif /* _CMSRECLIST_H */
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
new file mode 100644
index 000000000..0ba771d65
--- /dev/null
+++ b/security/nss/lib/smime/cmssigdata.c
@@ -0,0 +1,1146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS signedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+/*#include "cdbhdl.h"*/
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+NSSCMSSignedData *
+NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
+{
+    void *mark;
+    NSSCMSSignedData *sigd;
+    PLArenaPool *poolp;
+
+    if (!cmsg) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
+    if (sigd == NULL)
+	goto loser;
+
+    sigd->cmsg = cmsg;
+
+    /* signerInfos, certs, certlists, crls are all empty */
+    /* version is set in NSS_CMSSignedData_Finalize() */
+
+    PORT_ArenaUnmark(poolp, mark);
+    return sigd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+void
+NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
+{
+    CERTCertificate **certs, **tempCerts, *cert;
+    CERTCertificateList **certlists, *certlist;
+    NSSCMSSignerInfo **signerinfos, *si;
+
+    if (sigd == NULL)
+	return;
+
+    certs = sigd->certs;
+    tempCerts = sigd->tempCerts;
+    certlists = sigd->certLists;
+    signerinfos = sigd->signerInfos;
+
+    if (certs != NULL) {
+	while ((cert = *certs++) != NULL)
+	    CERT_DestroyCertificate (cert);
+    }
+
+    if (tempCerts != NULL) {
+	while ((cert = *tempCerts++) != NULL)
+	    CERT_DestroyCertificate (cert);
+    }
+
+    if (certlists != NULL) {
+	while ((certlist = *certlists++) != NULL)
+	    CERT_DestroyCertificateList (certlist);
+    }
+
+    if (signerinfos != NULL) {
+	while ((si = *signerinfos++) != NULL)
+	    NSS_CMSSignerInfo_Destroy(si);
+    }
+
+    /* everything's in a pool, so don't worry about the storage */
+   NSS_CMSContentInfo_Destroy(&(sigd->contentInfo));
+
+}
+
+/*
+ * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
+ *     before start of encoding.
+ *
+ * In detail:
+ *  - find out about the right value to put into sigd->version
+ *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
+ *         in the signerinfos).
+ *         If we happen to have a pre-set list of algorithms (and digest values!), we
+ *         check if we have all the signerinfos' algorithms. If not, this is an error.
+ */
+SECStatus
+NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo *signerinfo;
+    SECOidTag digestalgtag;
+    SECItem *dummy;
+    int version;
+    SECStatus rv;
+    PRBool haveDigests = PR_FALSE;
+    int n, i;
+    PLArenaPool *poolp;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    poolp = sigd->cmsg->poolp;
+
+    /* we assume that we have precomputed digests if there is a list of algorithms, and */
+    /* a chunk of data for each of those algorithms */
+    if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
+	for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
+	    if (sigd->digests[i] == NULL)
+		break;
+	}
+	if (sigd->digestAlgorithms[i] == NULL)	/* reached the end of the array? */
+	    haveDigests = PR_TRUE;		/* yes: we must have all the digests */
+    }
+	    
+    version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
+
+    /* RFC2630 5.1 "version is the syntax version number..." */
+    if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
+	version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
+
+    /* prepare all the SignerInfos (there may be none) */
+    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
+	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
+
+	/* RFC2630 5.1 "version is the syntax version number..." */
+	if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
+	    version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
+	
+	/* collect digestAlgorithms from SignerInfos */
+	/* (we need to know which algorithms we have when the content comes in) */
+	/* do not overwrite any existing digestAlgorithms (and digest) */
+	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+	if (n < 0 && haveDigests) {
+	    /* oops, there is a digestalg we do not have a digest for */
+	    /* but we were supposed to have all the digests already... */
+	    goto loser;
+	} else if (n < 0) {
+	    /* add the digestAlgorithm & a NULL digest */
+	    rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
+	    if (rv != SECSuccess)
+		goto loser;
+	} else {
+	    /* found it, nothing to do */
+	}
+    }
+
+    dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
+    if (dummy == NULL)
+	return SECFailure;
+
+    /* this is a SET OF, so we need to sort them guys */
+    rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, 
+                                SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+				(void **)sigd->digests);
+    if (rv != SECSuccess)
+	return SECFailure;
+    
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* set up the digests */
+    if (sigd->digests && sigd->digests[0]) {
+	sigd->contentInfo.digcx = NULL; /* don't attempt to make new ones. */
+    } else if (sigd->digestAlgorithms != NULL) {
+	sigd->contentInfo.digcx = 
+	        NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
+	if (sigd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - create the signatures in all the SignerInfos
+ *
+ * Please note that nothing is done to the Certificates and CRLs in the message - this
+ * is entirely the responsibility of our callers.
+ */
+SECStatus
+NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo **signerinfos, *signerinfo;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag digestalgtag;
+    SECStatus ret = SECFailure;
+    SECStatus rv;
+    SECItem *contentType;
+    int certcount;
+    int i, ci, cli, n, rci, si;
+    PLArenaPool *poolp;
+    CERTCertificateList *certlist;
+    extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    poolp = sigd->cmsg->poolp;
+    cinfo = &(sigd->contentInfo);
+
+    /* did we have digest calculation going on? */
+    if (cinfo->digcx) {
+	rv = NSS_CMSDigestContext_FinishMultiple(cinfo->digcx, poolp, 
+	                                         &(sigd->digests));
+	/* error has been set by NSS_CMSDigestContext_FinishMultiple */
+	cinfo->digcx = NULL;
+	if (rv != SECSuccess)
+	    goto loser;		
+    }
+
+    signerinfos = sigd->signerInfos;
+    certcount = 0;
+
+    /* prepare all the SignerInfos (there may be none) */
+    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
+	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
+
+	/* find correct digest for this signerinfo */
+	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+	if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
+	    /* oops - digest not found */
+	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
+	    goto loser;
+	}
+
+	/* XXX if our content is anything else but data, we need to force the
+	 * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
+	 * collection...") */
+
+	/* pass contentType here as we want a contentType attribute */
+	if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
+	    goto loser;
+
+	/* sign the thing */
+	rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/* while we're at it, count number of certs in certLists */
+	certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
+	if (certlist)
+	    certcount += certlist->len;
+    }
+
+    /* this is a SET OF, so we need to sort them guys */
+    rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * now prepare certs & crls
+     */
+
+    /* count the rest of the certs */
+    if (sigd->certs != NULL) {
+	for (ci = 0; sigd->certs[ci] != NULL; ci++)
+	    certcount++;
+    }
+
+    if (sigd->certLists != NULL) {
+	for (cli = 0; sigd->certLists[cli] != NULL; cli++)
+	    certcount += sigd->certLists[cli]->len;
+    }
+
+    if (certcount == 0) {
+	sigd->rawCerts = NULL;
+    } else {
+	/*
+	 * Combine all of the certs and cert chains into rawcerts.
+	 * Note: certcount is an upper bound; we may not need that many slots
+	 * but we will allocate anyway to avoid having to do another pass.
+	 * (The temporary space saving is not worth it.)
+	 *
+	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
+	 *  SetOfDERcertficates implementation
+	 */
+	sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
+	if (sigd->rawCerts == NULL)
+	    return SECFailure;
+
+	/*
+	 * XXX Want to check for duplicates and not add *any* cert that is
+	 * already in the set.  This will be more important when we start
+	 * dealing with larger sets of certs, dual-key certs (signing and
+	 * encryption), etc.  For the time being we can slide by...
+	 *
+	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
+	 *  SetOfDERcertficates implementation
+	 */
+	rci = 0;
+	if (signerinfos != NULL) {
+	    for (si = 0; signerinfos[si] != NULL; si++) {
+		signerinfo = signerinfos[si];
+		for (ci = 0; ci < signerinfo->certList->len; ci++)
+		    sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
+	    }
+	}
+
+	if (sigd->certs != NULL) {
+	    for (ci = 0; sigd->certs[ci] != NULL; ci++)
+		sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
+	}
+
+	if (sigd->certLists != NULL) {
+	    for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
+		for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
+		    sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
+	    }
+	}
+
+	sigd->rawCerts[rci] = NULL;
+
+	/* this is a SET OF, so we need to sort them guys - we have the DER already, though */
+	NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
+    }
+
+    ret = SECSuccess;
+
+loser:
+    return ret;
+}
+
+SECStatus
+NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* set up the digests */
+    if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
+	/* if digests are already there, do nothing */
+	sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
+	if (sigd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a 
+ *   SignedData after all the encapsulated data was passed through the decoder.
+ */
+SECStatus
+NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
+{
+    SECStatus rv = SECSuccess;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* did we have digest calculation going on? */
+    if (sigd->contentInfo.digcx) {
+	rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.digcx, 
+				       sigd->cmsg->poolp, &(sigd->digests));
+	/* error set by NSS_CMSDigestContext_FinishMultiple */
+	sigd->contentInfo.digcx = NULL;
+    }
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
+ *     after all decoding is finished.
+ */
+SECStatus
+NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo **signerinfos = NULL;
+    int i;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* set cmsg for all the signerinfos */
+    signerinfos = sigd->signerInfos;
+
+    /* set cmsg for all the signerinfos */
+    if (signerinfos) {
+	for (i = 0; signerinfos[i] != NULL; i++)
+	    signerinfos[i]->cmsg = sigd->cmsg;
+    }
+
+    return SECSuccess;
+}
+
+/* 
+ * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
+ */
+NSSCMSSignerInfo **
+NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    return sigd->signerInfos;
+}
+
+int
+NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return 0;
+    }
+    return NSS_CMSArray_Count((void **)sigd->signerInfos);
+}
+
+NSSCMSSignerInfo *
+NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    return sigd->signerInfos[i];
+}
+
+/* 
+ * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
+ */
+SECAlgorithmID **
+NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    return sigd->digestAlgorithms;
+}
+
+/*
+ * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
+ */
+NSSCMSContentInfo *
+NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    return &(sigd->contentInfo);
+}
+
+/* 
+ * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
+ */
+SECItem **
+NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+    return sigd->rawCerts;
+}
+
+SECStatus
+NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
+				SECCertUsage certusage, PRBool keepcerts)
+{
+    int certcount;
+    CERTCertificate **certArray = NULL;
+    CERTCertList *certList = NULL;
+    CERTCertListNode *node;
+    SECStatus rv;
+    SECItem **rawArray;
+    int i;
+    PRTime now;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
+
+    /* get the certs in the temp DB */
+    rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, 
+			 &certArray, PR_FALSE, PR_FALSE, NULL);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* save the certs so they don't get destroyed */
+    for (i=0; i < certcount; i++) {
+	CERTCertificate *cert = certArray[i];
+	if (cert)
+            NSS_CMSSignedData_AddTempCertificate(sigd, cert);
+    }
+
+    if (!keepcerts) {
+	goto done;
+    }
+
+    /* build a CertList for filtering */
+    certList = CERT_NewCertList();
+    if (certList == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    for (i=0; i < certcount; i++) {
+	CERTCertificate *cert = certArray[i];
+	if (cert)
+	    cert = CERT_DupCertificate(cert);
+	if (cert)
+	    CERT_AddCertToListTail(certList,cert);
+    }
+
+    /* filter out the certs we don't want */
+    rv = CERT_FilterCertListByUsage(certList,certusage, PR_FALSE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* go down the remaining list of certs and verify that they have
+     * valid chains, then import them.
+     */
+    now = PR_Now();
+    for (node = CERT_LIST_HEAD(certList) ; !CERT_LIST_END(node,certList);
+						node= CERT_LIST_NEXT(node)) {
+	CERTCertificateList *certChain;
+
+	if (CERT_VerifyCert(certdb, node->cert, 
+		PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) {
+	    continue;
+	}
+
+	certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE);
+	if (!certChain) {
+	    continue;
+	}
+
+	/*
+	 * CertChain returns an array of SECItems, import expects an array of
+	 * SECItem pointers. Create the SECItem Pointers from the array of
+	 * SECItems.
+ 	 */
+	rawArray = (SECItem **)PORT_Alloc(certChain->len*sizeof (SECItem *));
+	if (!rawArray) {
+	    CERT_DestroyCertificateList(certChain);
+	    continue;
+	}
+	for (i=0; i < certChain->len; i++) {
+	    rawArray[i] = &certChain->certs[i];
+	}
+	(void )CERT_ImportCerts(certdb, certusage, certChain->len, 
+			rawArray,  NULL, keepcerts, PR_FALSE, NULL);
+	PORT_Free(rawArray);
+	CERT_DestroyCertificateList(certChain);
+    }
+
+    rv = SECSuccess;
+
+    /* XXX CRL handling */
+
+done:
+    if (sigd->signerInfos != NULL) {
+	/* fill in all signerinfo's certs */
+	for (i = 0; sigd->signerInfos[i] != NULL; i++)
+	    (void)NSS_CMSSignerInfo_GetSigningCertificate(
+						sigd->signerInfos[i], certdb);
+    }
+
+loser:
+    /* now free everything */
+    if (certArray) {
+	CERT_DestroyCertArray(certArray,certcount);
+    }
+    if (certList) {
+	CERT_DestroyCertList(certList);
+    }
+
+    return rv;
+}
+
+/*
+ * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
+ *     of external signatures!
+ */
+
+/*
+ * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
+ *
+ * The digests were either calculated during decoding (and are stored in the
+ * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
+ *
+ * The verification checks if the signing cert is valid and has a trusted chain
+ * for the purpose specified by "certusage".
+ */
+SECStatus
+NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, 
+			    CERTCertDBHandle *certdb, SECCertUsage certusage)
+{
+    NSSCMSSignerInfo *signerinfo;
+    NSSCMSContentInfo *cinfo;
+    SECOidData *algiddata;
+    SECItem *contentType, *digest;
+    SECOidTag oidTag;
+    SECStatus rv;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    cinfo = &(sigd->contentInfo);
+
+    signerinfo = sigd->signerInfos[i];
+
+    /* verify certificate */
+    rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage);
+    if (rv != SECSuccess)
+	return rv; /* error is set */
+
+    /* find digest and contentType for signerinfo */
+    algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
+    oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN;
+    digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag);
+    /* NULL digest is acceptable. */
+    contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
+    /* NULL contentType is acceptable. */
+
+    /* now verify signature */
+    rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
+ */
+SECStatus
+NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
+                                  CERTCertDBHandle *certdb, 
+                                  SECCertUsage usage)
+{
+    CERTCertificate *cert;
+    SECStatus rv = SECSuccess;
+    int i;
+    int count;
+    PRTime now;
+
+    if (!sigd || !certdb || !sigd->rawCerts) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    count = NSS_CMSArray_Count((void**)sigd->rawCerts);
+    now = PR_Now();
+    for (i=0; i < count; i++) {
+	if (sigd->certs && sigd->certs[i]) {
+	    cert = CERT_DupCertificate(sigd->certs[i]);
+	} else {
+	    cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
+	    if (!cert) {
+		rv = SECFailure;
+		break;
+	    }
+	}
+	rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, 
+                              NULL, NULL);
+	CERT_DestroyCertificate(cert);
+    }
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_HasDigests - see if we have digests in place
+ */
+PRBool
+NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return PR_FALSE;
+    }
+    return (sigd->digests != NULL);
+}
+
+SECStatus
+NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
+{
+    SECStatus rv;
+
+    if (!sigd || !certlist) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
+    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
+ */
+SECStatus
+NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
+{
+    CERTCertificateList *certlist;
+    SECCertUsage usage;
+    SECStatus rv;
+
+    usage = certUsageEmailSigner;
+
+    if (!sigd || !cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* do not include root */
+    certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
+    if (certlist == NULL)
+	return SECFailure;
+
+    rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
+
+    return rv;
+}
+
+extern SECStatus
+NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
+{
+    CERTCertificate *c;
+    SECStatus rv;
+
+    if (!sigd || !cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    c = CERT_DupCertificate(cert);
+    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c);
+    return rv;
+}
+
+SECStatus
+NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
+{
+    CERTCertificate *c;
+    SECStatus rv;
+
+    if (!sigd || !cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    c = CERT_DupCertificate(cert);
+    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
+    return rv;
+}
+
+PRBool
+NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
+{
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return PR_FALSE;
+    }
+    if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
+	return PR_TRUE;
+    else if (sigd->crls != NULL && sigd->crls[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+SECStatus
+NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
+				NSSCMSSignerInfo *signerinfo)
+{
+    void *mark;
+    SECStatus rv;
+    SECOidTag digestalgtag;
+    PLArenaPool *poolp;
+
+    if (!sigd || !signerinfo) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    poolp = sigd->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* add signerinfo */
+    rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * add empty digest
+     * Empty because we don't have it yet. Either it gets created during encoding
+     * (if the data is present) or has to be set externally.
+     * XXX maybe pass it in optionally?
+     */
+    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+    rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * The last thing to get consistency would be adding the digest.
+     */
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSSignedData_SetDigests - set a signedData's digests member
+ *
+ * "digestalgs" - array of digest algorithm IDs
+ * "digests"    - array of digests corresponding to the digest algorithms
+ */
+SECStatus
+NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
+				SECAlgorithmID **digestalgs,
+				SECItem **digests)
+{
+    int cnt, i, idx;
+
+    if (!sigd || !digestalgs || !digests) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (sigd->digestAlgorithms == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* we assume that the digests array is just not there yet */
+    PORT_Assert(sigd->digests == NULL);
+    if (sigd->digests != NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+
+    /* now allocate one (same size as digestAlgorithms) */
+    cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
+    sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
+    if (sigd->digests == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
+	/* try to find the sigd's i'th digest algorithm in the array we passed in */
+	idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
+	if (idx < 0) {
+	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
+	    return SECFailure;
+	}
+	if (!digests[idx]) {
+	    /* We have no digest for this algorithm, probably because it is 
+	    ** unrecognized or unsupported.  We'll ignore this here.  If this 
+	    ** digest is needed later, an error will be be generated then.
+	    */
+	    continue;
+	}
+
+	/* found it - now set it */
+	if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
+	    SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
+	{
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digestdata)
+{
+    SECItem *digest = NULL;
+    PLArenaPool *poolp;
+    void *mark;
+    int n, cnt;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    poolp = sigd->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+   
+    if (digestdata) {
+        digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem));
+
+	/* copy digestdata item to arena (in case we have it and are not only making room) */
+	if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
+	    goto loser;
+    }
+
+    /* now allocate one (same size as digestAlgorithms) */
+    if (sigd->digests == NULL) {
+        cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
+        sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
+        if (sigd->digests == NULL) {
+	        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	        return SECFailure;
+        }
+    }
+
+    n = -1;
+    if (sigd->digestAlgorithms != NULL)
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+
+    /* if not found, add a digest */
+    if (n < 0) {
+	if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
+	    goto loser;
+    } else {
+	/* replace NULL pointer with digest item (and leak previous value) */
+	sigd->digests[n] = digest;
+    }
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
+				NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digest)
+{
+    SECAlgorithmID *digestalg;
+    void *mark;
+
+    if (!sigd || !poolp) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(poolp);
+
+    digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
+    if (digestalg == NULL)
+	goto loser;
+
+    if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
+	goto loser;
+
+    if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
+	/* even if digest is NULL, add dummy to have same-size array */
+	NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
+    {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+/* XXX This function doesn't set the error code on failure. */
+SECItem *
+NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
+{
+    int n;
+
+    if (!sigd) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) {
+        PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
+	return NULL;
+    }
+
+    n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+
+    return (n < 0) ? NULL : sigd->digests[n];
+}
+
+/* =============================================================================
+ * Misc. utility functions
+ */
+
+/*
+ * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
+ *
+ * cert          - base certificates that will be included
+ * include_chain - if true, include the complete cert chain for cert
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ *
+ * XXXX CRLs
+ */
+NSSCMSSignedData *
+NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
+{
+    NSSCMSSignedData *sigd;
+    void *mark;
+    PLArenaPool *poolp;
+    SECStatus rv;
+
+    if (!cmsg || !cert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+
+    poolp = cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    sigd = NSS_CMSSignedData_Create(cmsg);
+    if (sigd == NULL)
+	goto loser;
+
+    /* no signerinfos, thus no digestAlgorithms */
+
+    /* but certs */
+    if (include_chain) {
+	rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
+    } else {
+	rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
+    }
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* RFC2630 5.2 sez:
+     * In the degenerate case where there are no signers, the
+     * EncapsulatedContentInfo value being "signed" is irrelevant.  In this
+     * case, the content type within the EncapsulatedContentInfo value being
+     * "signed" should be id-data (as defined in section 4), and the content
+     * field of the EncapsulatedContentInfo value should be omitted.
+     */
+    rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return sigd;
+
+loser:
+    if (sigd)
+	NSS_CMSSignedData_Destroy(sigd);
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/* TODO:
+ * NSS_CMSSignerInfo_GetReceiptRequest()
+ * NSS_CMSSignedData_HasReceiptRequest()
+ * easy way to iterate over signers
+ */
+
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
new file mode 100644
index 000000000..306fa47f6
--- /dev/null
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -0,0 +1,1036 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS signerInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secder.h"
+#include "cryptohi.h"
+
+#include "smime.h"
+
+/* =============================================================================
+ * SIGNERINFO
+ */
+NSSCMSSignerInfo *
+nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, 
+	CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, 
+	SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
+
+NSSCMSSignerInfo *
+NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, 
+	SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
+{
+    return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_SubjectKeyID, NULL, subjKeyID, pubKey, signingKey, digestalgtag); 
+}
+
+NSSCMSSignerInfo *
+NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag)
+{
+    return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_IssuerSN, cert, NULL, NULL, NULL, digestalgtag); 
+}
+
+NSSCMSSignerInfo *
+nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, 
+	CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, 
+	SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
+{
+    void *mark;
+    NSSCMSSignerInfo *signerinfo;
+    int version;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    signerinfo = (NSSCMSSignerInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignerInfo));
+    if (signerinfo == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+
+    signerinfo->cmsg = cmsg;
+
+    switch(type) {
+    case NSSCMSSignerID_IssuerSN:
+        signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN;
+        if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL)
+	    goto loser;
+        if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL)
+	    goto loser;
+        break;
+    case NSSCMSSignerID_SubjectKeyID:
+        signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_SubjectKeyID;
+        PORT_Assert(subjKeyID);
+        if (!subjKeyID)
+            goto loser;
+
+        signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SECItem);
+        SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID,
+                         subjKeyID);
+        signerinfo->signingKey = SECKEY_CopyPrivateKey(signingKey);
+        if (!signerinfo->signingKey)
+            goto loser;
+        signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey);
+        if (!signerinfo->pubKey)
+            goto loser;
+        break;
+    default:
+        goto loser;
+    }
+
+    /* set version right now */
+    version = NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN;
+    /* RFC2630 5.3 "version is the syntax version number. If the .... " */
+    if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID)
+	version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY;
+    (void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version);
+
+    if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return signerinfo;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
+ */
+void
+NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
+{
+    if (si->cert != NULL)
+	CERT_DestroyCertificate(si->cert);
+
+    if (si->certList != NULL) 
+	CERT_DestroyCertificateList(si->certList);
+
+    /* XXX storage ??? */
+}
+
+/*
+ * NSS_CMSSignerInfo_Sign - sign something
+ *
+ */
+SECStatus
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
+{
+    CERTCertificate *cert;
+    SECKEYPrivateKey *privkey = NULL;
+    SECOidTag digestalgtag;
+    SECOidTag pubkAlgTag;
+    SECItem signature = { 0 };
+    SECStatus rv;
+    PLArenaPool *poolp, *tmppoolp;
+    SECAlgorithmID *algID, freeAlgID;
+    CERTSubjectPublicKeyInfo *spki;
+
+    PORT_Assert (digest != NULL);
+
+    poolp = signerinfo->cmsg->poolp;
+
+    switch (signerinfo->signerIdentifier.identifierType) {
+    case NSSCMSSignerID_IssuerSN:
+        cert = signerinfo->cert;
+
+        if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
+	    goto loser;
+        algID = &cert->subjectPublicKeyInfo.algorithm;
+        break;
+    case NSSCMSSignerID_SubjectKeyID:
+        privkey = signerinfo->signingKey;
+        signerinfo->signingKey = NULL;
+        spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey);
+        SECKEY_DestroyPublicKey(signerinfo->pubKey);
+        signerinfo->pubKey = NULL;
+        SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm);
+        SECKEY_DestroySubjectPublicKeyInfo(spki); 
+        algID = &freeAlgID;
+        break;
+    default:
+        goto loser;
+    }
+    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+    /*
+     * XXX I think there should be a cert-level interface for this,
+     * so that I do not have to know about subjectPublicKeyInfo...
+     */
+    pubkAlgTag = SECOID_GetAlgorithmTag(algID);
+    if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID) {
+      SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
+    }
+
+    /* Fortezza MISSI have weird signature formats.  
+     * Map them to standard DSA formats 
+     */
+    pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
+
+    if (signerinfo->authAttr != NULL) {
+	SECOidTag signAlgTag;
+	SECItem encoded_attrs;
+
+	/* find and fill in the message digest attribute. */
+	rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), 
+	                       SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	if (contentType != NULL) {
+	    /* if the caller wants us to, find and fill in the content type attribute. */
+	    rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), 
+	                    SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+
+	if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/*
+	 * Before encoding, reorder the attributes so that when they
+	 * are encoded, they will be conforming DER, which is required
+	 * to have a specific order and that is what must be used for
+	 * the hash/signature.  We do this here, rather than building
+	 * it into EncodeAttributes, because we do not want to do
+	 * such reordering on incoming messages (which also uses
+	 * EncodeAttributes) or our old signatures (and other "broken"
+	 * implementations) will not verify.  So, we want to guarantee
+	 * that we send out good DER encodings of attributes, but not
+	 * to expect to receive them.
+	 */
+	if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess)
+	    goto loser;
+
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+	if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), 
+	                &encoded_attrs) == NULL)
+	    goto loser;
+
+	signAlgTag = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, 
+                                                     digestalgtag);
+	if (signAlgTag == SEC_OID_UNKNOWN) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+
+	rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, 
+	                  privkey, signAlgTag);
+	PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
+    } else {
+	rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
+    }
+    SECKEY_DestroyPrivateKey(privkey);
+    privkey = NULL;
+
+    if (rv != SECSuccess)
+	goto loser;
+
+    if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) 
+          != SECSuccess)
+	goto loser;
+
+    SECITEM_FreeItem(&signature, PR_FALSE);
+
+    if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag, 
+                              NULL) != SECSuccess)
+	goto loser;
+
+    return SECSuccess;
+
+loser:
+    if (signature.len != 0)
+	SECITEM_FreeItem (&signature, PR_FALSE);
+    if (privkey)
+	SECKEY_DestroyPrivateKey(privkey);
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
+			    SECCertUsage certusage)
+{
+    CERTCertificate *cert;
+    int64 stime;
+
+    if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb)) == NULL) {
+	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound;
+	return SECFailure;
+    }
+
+    /*
+     * Get and convert the signing time; if available, it will be used
+     * both on the cert verification and for importing the sender
+     * email profile.
+     */
+    if (NSS_CMSSignerInfo_GetSigningTime (signerinfo, &stime) != SECSuccess)
+	stime = PR_Now(); /* not found or conversion failed, so check against now */
+    
+    /*
+     * XXX  This uses the signing time, if available.  Additionally, we
+     * might want to, if there is no signing time, get the message time
+     * from the mail header itself, and use that.  That would require
+     * a change to our interface though, and for S/MIME callers to pass
+     * in a time (and for non-S/MIME callers to pass in nothing, or
+     * maybe make them pass in the current time, always?).
+     */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, 
+                        signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
+ *
+ * Just verifies the signature. The assumption is that verification of 
+ * the certificate is done already.
+ */
+SECStatus
+NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, 
+                         SECItem *digest,               /* may be NULL */
+                         SECItem *contentType)          /* may be NULL */
+{
+    SECKEYPublicKey *publickey = NULL;
+    NSSCMSAttribute *attr;
+    SECItem encoded_attrs;
+    CERTCertificate *cert;
+    NSSCMSVerificationStatus vs = NSSCMSVS_Unverified;
+    PLArenaPool *poolp;
+    SECOidTag    digestalgtag;
+    SECOidTag    pubkAlgTag;
+
+    if (signerinfo == NULL)
+	return SECFailure;
+
+    /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL 
+    ** and cert has not been verified 
+    */
+    cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, NULL);
+    if (cert == NULL) {
+	vs = NSSCMSVS_SigningCertNotFound;
+	goto loser;
+    }
+
+    if ((publickey = CERT_ExtractPublicKey(cert)) == NULL) {
+	vs = NSSCMSVS_ProcessingError;
+	goto loser;
+    }
+
+    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+    pubkAlgTag = SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg));
+    if ((pubkAlgTag == SEC_OID_UNKNOWN) || (digestalgtag == SEC_OID_UNKNOWN)) {
+	vs = NSSCMSVS_SignatureAlgorithmUnknown;
+	goto loser;
+    }
+
+#ifndef NSS_ECC_MORE_THAN_SUITE_B
+    if (pubkAlgTag == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+	vs = NSSCMSVS_SignatureAlgorithmUnknown;
+	goto loser;
+    }
+#endif
+
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
+	if (contentType) {
+	    /*
+	     * Check content type
+	     *
+	     * RFC2630 sez that if there are any authenticated attributes,
+	     * then there must be one for content type which matches the
+	     * content type of the content being signed, and there must
+	     * be one for message digest which matches our message digest.
+	     * So check these things first.
+	     */
+	    attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+					SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
+	    if (attr == NULL) {
+		vs = NSSCMSVS_MalformedSignature;
+		goto loser;
+	    }
+		
+	    if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) {
+		vs = NSSCMSVS_MalformedSignature;
+		goto loser;
+	    }
+	}
+
+	/*
+	 * Check digest
+	 */
+	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, 
+	                              SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
+	if (attr == NULL) {
+	    vs = NSSCMSVS_MalformedSignature;
+	    goto loser;
+	}
+	if (!digest || 
+	    NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) {
+	    vs = NSSCMSVS_DigestMismatch;
+	    goto loser;
+	}
+
+	if ((poolp = PORT_NewArena (1024)) == NULL) {
+	    vs = NSSCMSVS_ProcessingError;
+	    goto loser;
+	}
+
+	/*
+	 * Check signature
+	 *
+	 * The signature is based on a digest of the DER-encoded authenticated
+	 * attributes.  So, first we encode and then we digest/verify.
+	 * we trust the decoder to have the attributes in the right (sorted) 
+	 * order
+	 */
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+
+	if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), 
+	                                 &encoded_attrs) == NULL ||
+		encoded_attrs.data == NULL || encoded_attrs.len == 0) {
+	    vs = NSSCMSVS_ProcessingError;
+	    goto loser;
+	}
+
+	vs = (VFY_VerifyDataDirect(encoded_attrs.data, encoded_attrs.len,
+		publickey, &(signerinfo->encDigest), pubkAlgTag,
+		digestalgtag, NULL, signerinfo->cmsg->pwfn_arg) != SECSuccess) 
+		? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
+
+	PORT_FreeArena(poolp, PR_FALSE);  /* awkward memory management :-( */
+
+    } else {
+	SECItem *sig;
+
+	/* No authenticated attributes. 
+	** The signature is based on the plain message digest. 
+	*/
+	sig = &(signerinfo->encDigest);
+	if (sig->len == 0)
+	    goto loser;
+
+	vs = (!digest || 
+	      VFY_VerifyDigestDirect(digest, publickey, sig, pubkAlgTag,
+		digestalgtag, signerinfo->cmsg->pwfn_arg) != SECSuccess) 
+		? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
+    }
+
+    if (vs == NSSCMSVS_BadSignature) {
+	int error = PORT_GetError();
+	/*
+	 * XXX Change the generic error into our specific one, because
+	 * in that case we get a better explanation out of the Security
+	 * Advisor.  This is really a bug in the PSM error strings (the
+	 * "generic" error has a lousy/wrong message associated with it
+	 * which assumes the signature verification was done for the
+	 * purposes of checking the issuer signature on a certificate)
+	 * but this is at least an easy workaround and/or in the
+	 * Security Advisor, which specifically checks for the error
+	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
+	 * in that case but does not similarly check for
+	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
+	 * probably say the wrong thing in the case that it *was* the
+	 * certificate signature check that failed during the cert
+	 * verification done above.  Our error handling is really a mess.
+	 */
+	if (error == SEC_ERROR_BAD_SIGNATURE)
+	    PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	/*
+	 * map algorithm failures to NSSCMSVS values 
+	 */
+	if ((error == SEC_ERROR_PKCS7_KEYALG_MISMATCH) ||
+	    (error == SEC_ERROR_INVALID_ALGORITHM)) {
+	    /* keep the same error code as 3.11 and before */
+	    PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    vs = NSSCMSVS_SignatureAlgorithmUnsupported;
+	}
+    }
+
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    signerinfo->verificationStatus = vs;
+
+    return (vs == NSSCMSVS_GoodSignature) ? SECSuccess : SECFailure;
+
+loser:
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    signerinfo->verificationStatus = vs;
+
+    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+    return SECFailure;
+}
+
+NSSCMSVerificationStatus
+NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo)
+{
+    return signerinfo->verificationStatus;
+}
+
+SECOidData *
+NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo)
+{
+    return SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
+}
+
+SECOidTag
+NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo)
+{
+    SECOidData *algdata;
+
+    if (!signerinfo) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SEC_OID_UNKNOWN;
+    }
+
+    algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
+    if (algdata != NULL)
+	return algdata->offset;
+    else
+	return SEC_OID_UNKNOWN;
+}
+
+CERTCertificateList *
+NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo)
+{
+    return signerinfo->certList;
+}
+
+int
+NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo)
+{
+    unsigned long version;
+
+    /* always take apart the SECItem */
+    if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess)
+	return 0;
+    else
+	return (int)version;
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
+ *				      in UTCTime or GeneralizedTime format,
+ *                                    of a CMS signerInfo.
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to XXXX (what?)
+ * A return value of NULL is an error.
+ */
+SECStatus
+NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime)
+{
+    NSSCMSAttribute *attr;
+    SECItem *value;
+
+    if (sinfo == NULL)
+	return SECFailure;
+
+    if (sinfo->signingTime != 0) {
+	*stime = sinfo->signingTime;	/* cached copy */
+	return SECSuccess;
+    }
+
+    attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
+    /* XXXX multi-valued attributes NIH */
+    if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL)
+	return SECFailure;
+    if (DER_DecodeTimeChoice(stime, value) != SECSuccess)
+	return SECFailure;
+    sinfo->signingTime = *stime;	/* make cached copy */
+    return SECSuccess;
+}
+
+/*
+ * Return the signing cert of a CMS signerInfo.
+ *
+ * the certs in the enclosing SignedData must have been imported already
+ */
+CERTCertificate *
+NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb)
+{
+    CERTCertificate *cert;
+    NSSCMSSignerIdentifier *sid;
+
+    if (signerinfo->cert != NULL)
+	return signerinfo->cert;
+
+    /* no certdb, and cert hasn't been set yet? */
+    if (certdb == NULL)
+	return NULL;
+
+    /*
+     * This cert will also need to be freed, but since we save it
+     * in signerinfo for later, we do not want to destroy it when
+     * we leave this function -- we let the clean-up of the entire
+     * cinfo structure later do the destroy of this cert.
+     */
+    sid = &signerinfo->signerIdentifier;
+    switch (sid->identifierType) {
+    case NSSCMSSignerID_IssuerSN:
+	cert = CERT_FindCertByIssuerAndSN(certdb, sid->id.issuerAndSN);
+	break;
+    case NSSCMSSignerID_SubjectKeyID:
+	cert = CERT_FindCertBySubjectKeyID(certdb, sid->id.subjectKeyID);
+	break;
+    default:
+	cert = NULL;
+	break;
+    }
+
+    /* cert can be NULL at that point */
+    signerinfo->cert = cert;	/* earmark it */
+
+    return cert;
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed with PORT_Free.
+ * A return value of NULL is an error.
+ */
+char *
+NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo)
+{
+    CERTCertificate *signercert;
+
+    /* will fail if cert is not verified */
+    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
+	return NULL;
+
+    return (CERT_GetCommonName(&signercert->subject));
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+char *
+NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo)
+{
+    CERTCertificate *signercert;
+
+    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
+	return NULL;
+
+    if (!signercert->emailAddr || !signercert->emailAddr[0])
+	return NULL;
+
+    return (PORT_Strdup(signercert->emailAddr));
+}
+
+/*
+ * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ */
+SECStatus
+NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
+{
+    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr);
+}
+
+/*
+ * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
+ * unauthenticated attributes of "signerinfo". 
+ */
+SECStatus
+NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
+{
+    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr);
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will do nothing.
+ *
+ * XXX This will probably just shove the current time into "signerinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t)
+{
+    NSSCMSAttribute *attr;
+    SECItem stime;
+    void *mark;
+    PLArenaPool *poolp;
+
+    poolp = signerinfo->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* create new signing time attribute */
+    if (DER_EncodeTimeChoice(NULL, &stime, t) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) {
+	SECITEM_FreeItem (&stime, PR_FALSE);
+	goto loser;
+    }
+
+    SECITEM_FreeItem (&stime, PR_FALSE);
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimecaps = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    poolp = signerinfo->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimecaps == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps,
+			    PK11_FortezzaHasKEA(signerinfo->cert)) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimeekp = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    /* verify this cert for encryption */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	return SECFailure;
+    }
+
+    poolp = signerinfo->cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimeekp == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME),
+ * if compatibility with Microsoft mail clients is wanted.
+ */
+SECStatus
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimeekp = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    /* verify this cert for encryption */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	return SECFailure;
+    }
+
+    poolp = signerinfo->cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimeekp == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
+ *
+ * 1. digest the DER-encoded signature value of the original signerinfo
+ * 2. create new signerinfo with correct version, sid, digestAlg
+ * 3. add message-digest authAttr, but NO content-type
+ * 4. sign the authAttrs
+ * 5. DER-encode the new signerInfo
+ * 6. add the whole thing to original signerInfo's unAuthAttrs
+ *    as a SEC_OID_PKCS9_COUNTER_SIGNATURE attribute
+ *
+ * XXXX give back the new signerinfo?
+ */
+SECStatus
+NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
+				    SECOidTag digestalg, CERTCertificate signingcert)
+{
+    /* XXXX TBD XXXX */
+    return SECFailure;
+}
+
+/*
+ * XXXX the following needs to be done in the S/MIME layer code
+ * after signature of a signerinfo is verified
+ */
+SECStatus
+NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
+{
+    CERTCertificate *cert = NULL;
+    SECItem *profile = NULL;
+    NSSCMSAttribute *attr;
+    SECItem *stime = NULL;
+    SECItem *ekp;
+    CERTCertDBHandle *certdb;
+    int save_error;
+    SECStatus rv;
+    PRBool must_free_cert = PR_FALSE;
+
+    certdb = CERT_GetDefaultCertDB();
+
+    /* sanity check - see if verification status is ok (unverified does not count...) */
+    if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature)
+	return SECFailure;
+
+    /* find preferred encryption cert */
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) &&
+	(attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+			       SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
+    { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */
+	ekp = NSS_CMSAttribute_GetValue(attr);
+	if (ekp == NULL)
+	    return SECFailure;
+
+	/* we assume that all certs coming with the message have been imported to the */
+	/* temporary database */
+	cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp);
+	if (cert == NULL)
+	    return SECFailure;
+	must_free_cert = PR_TRUE;
+    }
+
+    if (cert == NULL) {
+	/* no preferred cert found?
+	 * find the cert the signerinfo is signed with instead */
+	cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
+	if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0])
+	    return SECFailure;
+    }
+
+    /* verify this cert for encryption (has been verified for signing so far) */
+    /* don't verify this cert for encryption. It may just be a signing cert.
+     * that's OK, we can still save the S/MIME profile. The encryption cert
+     * should have already been saved */
+#ifdef notdef
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	if (must_free_cert)
+	    CERT_DestroyCertificate(cert);
+	return SECFailure;
+    }
+#endif
+
+    /* XXX store encryption cert permanently? */
+
+    /*
+     * Remember the current error set because we do not care about
+     * anything set by the functions we are about to call.
+     */
+    save_error = PORT_GetError();
+
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
+	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+				       SEC_OID_PKCS9_SMIME_CAPABILITIES,
+				       PR_TRUE);
+	profile = NSS_CMSAttribute_GetValue(attr);
+	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+				       SEC_OID_PKCS9_SIGNING_TIME,
+				       PR_TRUE);
+	stime = NSS_CMSAttribute_GetValue(attr);
+    }
+
+    rv = CERT_SaveSMimeProfile (cert, profile, stime);
+    if (must_free_cert)
+	CERT_DestroyCertificate(cert);
+
+    /*
+     * Restore the saved error in case the calls above set a new
+     * one that we do not actually care about.
+     */
+    PORT_SetError (save_error);
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
+ */
+SECStatus
+NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage)
+{
+    if (signerinfo->cert == NULL)
+	return SECFailure;
+
+    /* don't leak if we get called twice */
+    if (signerinfo->certList != NULL) {
+	CERT_DestroyCertificateList(signerinfo->certList);
+	signerinfo->certList = NULL;
+    }
+
+    switch (cm) {
+    case NSSCMSCM_None:
+	signerinfo->certList = NULL;
+	break;
+    case NSSCMSCM_CertOnly:
+	signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
+	break;
+    case NSSCMSCM_CertChain:
+	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
+	break;
+    case NSSCMSCM_CertChainWithRoot:
+	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
+	break;
+    }
+
+    if (cm != NSSCMSCM_None && signerinfo->certList == NULL)
+	return SECFailure;
+    
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
new file mode 100644
index 000000000..82f24da14
--- /dev/null
+++ b/security/nss/lib/smime/cmst.h
@@ -0,0 +1,534 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Header for CMS types.
+ *
+ * $Id$
+ */
+
+#ifndef _CMST_H_
+#define _CMST_H_
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "secmodt.h"
+
+#include "plarena.h"
+
+/* Non-opaque objects.  NOTE, though: I want them to be treated as
+ * opaque as much as possible.  If I could hide them completely,
+ * I would.  (I tried, but ran into trouble that was taking me too
+ * much time to get out of.)  I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * NSSCMSMessage, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ *  For each recipient {
+ *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ *       [which unrolls to... ]
+ *       For each slot {
+ *            Log into slot;
+ *            search slot for cert;
+ *      }
+ *  }
+ *
+ *  the new loop searchs all the recipients at once on a slot. this allows
+ *  PKCS #11 to order slots in such a way that logout slots don't get checked
+ *  if we can find the cert on a logged in slot. This eliminates lots of
+ *  spurious password prompts when smart cards are installed... so why this
+ *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
+ *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ *  function.
+ */
+
+typedef struct NSSCMSMessageStr NSSCMSMessage;
+
+typedef union NSSCMSContentUnion NSSCMSContent;
+typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
+
+typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
+typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
+typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
+
+typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
+typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
+typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
+
+typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
+typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
+
+typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
+
+typedef struct NSSCMSAttributeStr NSSCMSAttribute;
+
+typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
+typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
+
+typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
+typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ * And:
+ * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
+ * This is where the DER-encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with NSSCMSEncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
+ * to retrieve the decryption key.  This function is intended to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
+
+
+/* =============================================================================
+ * ENCAPSULATED CONTENTINFO & CONTENTINFO
+ */
+
+union NSSCMSContentUnion {
+    /* either unstructured */
+    SECItem *			data;
+    /* or structured data */
+    NSSCMSDigestedData *	digestedData;
+    NSSCMSEncryptedData	*	encryptedData;
+    NSSCMSEnvelopedData	*	envelopedData;
+    NSSCMSSignedData *		signedData;
+    /* or anonymous pointer to something */
+    void *			pointer;
+};
+
+struct NSSCMSContentInfoStr {
+    SECItem			contentType;
+    NSSCMSContent		content;
+    /* --------- local; not part of encoding --------- */
+    SECOidData *		contentTypeTag;	
+
+    /* additional info for encryptedData and envelopedData */
+    /* we waste this space for signedData and digestedData. sue me. */
+
+    SECAlgorithmID		contentEncAlg;
+    SECItem *			rawContent;		/* encrypted DER, optional */
+							/* XXXX bytes not encrypted, but encoded? */
+    /* --------- local; not part of encoding --------- */
+    PK11SymKey *		bulkkey;		/* bulk encryption key */
+    int				keysize;		/* size of bulk encryption key
+							 * (only used by creation code) */
+    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
+							 * (only used by creation code) */
+    NSSCMSCipherContext		*ciphcx;		/* context for en/decryption going on */
+    NSSCMSDigestContext		*digcx;			/* context for digesting going on */
+};
+
+/* =============================================================================
+ * MESSAGE
+ */
+
+struct NSSCMSMessageStr {
+    NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
+    /* --------- local; not part of encoding --------- */
+    PLArenaPool *	poolp;
+    PRBool		poolp_is_ours;
+    int			refCount;
+    /* properties of the "inner" data */
+    SECAlgorithmID **	detached_digestalgs;
+    SECItem **		detached_digests;
+    void *		pwfn_arg;
+    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
+    void *		decrypt_key_cb_arg;
+};
+
+/* =============================================================================
+ * SIGNEDDATA
+ */
+
+struct NSSCMSSignedDataStr {
+    SECItem			version;
+    SECAlgorithmID **		digestAlgorithms;
+    NSSCMSContentInfo		contentInfo;
+    SECItem **			rawCerts;
+    CERTSignedCrl **		crls;
+    NSSCMSSignerInfo **		signerInfos;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    SECItem **			digests;
+    CERTCertificate **		certs;
+    CERTCertificateList **	certLists;
+    CERTCertificate **          tempCerts;              /* temporary certs, needed
+                                                         * for example for signature
+                                                         * verification */
+};
+#define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
+#define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */
+
+typedef enum {
+    NSSCMSVS_Unverified = 0,
+    NSSCMSVS_GoodSignature = 1,
+    NSSCMSVS_BadSignature = 2,
+    NSSCMSVS_DigestMismatch = 3,
+    NSSCMSVS_SigningCertNotFound = 4,
+    NSSCMSVS_SigningCertNotTrusted = 5,
+    NSSCMSVS_SignatureAlgorithmUnknown = 6,
+    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
+    NSSCMSVS_MalformedSignature = 8,
+    NSSCMSVS_ProcessingError = 9
+} NSSCMSVerificationStatus;
+
+typedef enum {
+    NSSCMSSignerID_IssuerSN = 0,
+    NSSCMSSignerID_SubjectKeyID = 1
+} NSSCMSSignerIDSelector;
+
+struct NSSCMSSignerIdentifierStr {
+    NSSCMSSignerIDSelector identifierType;
+    union {
+	CERTIssuerAndSN *issuerAndSN;
+	SECItem *subjectKeyID;
+    } id;
+};
+
+struct NSSCMSSignerInfoStr {
+    SECItem			version;
+    NSSCMSSignerIdentifier	signerIdentifier;
+    SECAlgorithmID		digestAlg;
+    NSSCMSAttribute **		authAttr;
+    SECAlgorithmID		digestEncAlg;
+    SECItem			encDigest;
+    NSSCMSAttribute **		unAuthAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    CERTCertificate *		cert;
+    CERTCertificateList *	certList;
+    PRTime			signingTime;
+    NSSCMSVerificationStatus	verificationStatus;
+    SECKEYPrivateKey *          signingKey; /* Used if we're using subjKeyID*/
+    SECKEYPublicKey *           pubKey;
+};
+#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
+#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */
+
+typedef enum {
+    NSSCMSCM_None = 0,
+    NSSCMSCM_CertOnly = 1,
+    NSSCMSCM_CertChain = 2,
+    NSSCMSCM_CertChainWithRoot = 3
+} NSSCMSCertChainMode;
+
+/* =============================================================================
+ * ENVELOPED DATA
+ */
+struct NSSCMSEnvelopedDataStr {
+    SECItem			version;
+    NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
+    NSSCMSRecipientInfo **	recipientInfos;
+    NSSCMSContentInfo		contentInfo;
+    NSSCMSAttribute **		unprotectedAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+};
+#define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
+#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */
+
+struct NSSCMSOriginatorInfoStr {
+    SECItem **			rawCerts;
+    CERTSignedCrl **		crls;
+    /* --------- local; not part of encoding --------- */
+    CERTCertificate **		certs;
+};
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+typedef enum {
+    NSSCMSRecipientID_IssuerSN = 0,
+    NSSCMSRecipientID_SubjectKeyID = 1,
+    NSSCMSRecipientID_BrandNew = 2
+} NSSCMSRecipientIDSelector;
+
+struct NSSCMSRecipientIdentifierStr {
+    NSSCMSRecipientIDSelector	identifierType;
+    union {
+	CERTIssuerAndSN		*issuerAndSN;
+	SECItem 		*subjectKeyID;
+    } id;
+};
+typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
+
+struct NSSCMSKeyTransRecipientInfoStr {
+    SECItem			version;
+    NSSCMSRecipientIdentifier	recipientIdentifier;
+    SECAlgorithmID		keyEncAlg;
+    SECItem			encKey;
+};
+typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
+
+/*
+ * View comments before NSSCMSRecipientInfoStr for purpose of this
+ * structure.
+ */
+struct NSSCMSKeyTransRecipientInfoExStr {
+    NSSCMSKeyTransRecipientInfo recipientInfo;
+    int version;  /* version of this structure (0) */
+    SECKEYPublicKey *pubKey;
+};
+
+typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
+
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+struct NSSCMSOriginatorPublicKeyStr {
+    SECAlgorithmID			algorithmIdentifier;
+    SECItem				publicKey;			/* bit string! */
+};
+typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
+
+typedef enum {
+    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
+    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
+    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
+} NSSCMSOriginatorIDOrKeySelector;
+
+struct NSSCMSOriginatorIdentifierOrKeyStr {
+    NSSCMSOriginatorIDOrKeySelector identifierType;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
+	SECItem				*subjectKeyID;		/* static-static */
+	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
+    } id;
+};
+typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
+
+struct NSSCMSRecipientKeyIdentifierStr {
+    SECItem *				subjectKeyIdentifier;
+    SECItem *				date;			/* optional */
+    SECItem *				other;			/* optional */
+};
+typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
+
+typedef enum {
+    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
+    NSSCMSKeyAgreeRecipientID_RKeyID = 1
+} NSSCMSKeyAgreeRecipientIDSelector;
+
+struct NSSCMSKeyAgreeRecipientIdentifierStr {
+    NSSCMSKeyAgreeRecipientIDSelector	identifierType;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;
+	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
+    } id;
+};
+typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
+
+struct NSSCMSRecipientEncryptedKeyStr {
+    NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
+    SECItem				encKey;
+};
+typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
+
+struct NSSCMSKeyAgreeRecipientInfoStr {
+    SECItem				version;
+    NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
+    SECItem *				ukm;				/* optional */
+    SECAlgorithmID			keyEncAlg;
+    NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
+};
+typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
+
+#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+struct NSSCMSKEKIdentifierStr {
+    SECItem			keyIdentifier;
+    SECItem *			date;			/* optional */
+    SECItem *			other;			/* optional */
+};
+typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
+
+struct NSSCMSKEKRecipientInfoStr {
+    SECItem			version;
+    NSSCMSKEKIdentifier		kekIdentifier;
+    SECAlgorithmID		keyEncAlg;
+    SECItem			encKey;
+};
+typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
+
+#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+
+typedef enum {
+    NSSCMSRecipientInfoID_KeyTrans = 0,
+    NSSCMSRecipientInfoID_KeyAgree = 1,
+    NSSCMSRecipientInfoID_KEK = 2
+} NSSCMSRecipientInfoIDSelector;
+
+/*
+ * In order to preserve backwards binary compatibility when implementing
+ * creation of Recipient Info's that uses subjectKeyID in the 
+ * keyTransRecipientInfo we need to stash a public key pointer in this
+ * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
+ * is the smallest member of the ri union.  We're in luck since that's
+ * the very structure that would need to use the public key. So we created
+ * a new structure NSSCMSKeyTransRecipientInfoEx which has a member 
+ * NSSCMSKeyTransRecipientInfo as the first member followed by a version
+ * and a public key pointer.  This way we can keep backwards compatibility
+ * without changing the size of this structure.
+ *
+ * BTW, size of structure:
+ * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
+ * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
+ * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
+ *
+ * The new structure:
+ * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
+ *                                1 int, 1 pointer
+ */
+
+struct NSSCMSRecipientInfoStr {
+    NSSCMSRecipientInfoIDSelector recipientInfoType;
+    union {
+	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
+	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
+	NSSCMSKEKRecipientInfo kekRecipientInfo;
+	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
+    } ri;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    CERTCertificate *		cert;			/* recipient's certificate */
+};
+
+/* =============================================================================
+ * DIGESTED DATA
+ */
+struct NSSCMSDigestedDataStr {
+    SECItem			version;
+    SECAlgorithmID		digestAlg;
+    NSSCMSContentInfo		contentInfo;
+    SECItem			digest;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;		/* back pointer */
+    SECItem			cdigest;	/* calculated digest */
+};
+#define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
+#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */
+
+/* =============================================================================
+ * ENCRYPTED DATA
+ */
+struct NSSCMSEncryptedDataStr {
+    SECItem			version;
+    NSSCMSContentInfo		contentInfo;
+    NSSCMSAttribute **		unprotectedAttr;	/* optional */
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;		/* back pointer */
+};
+#define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
+#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */
+
+/* =============================================================================
+ * FORTEZZA KEA
+ */
+
+/* An enumerated type used to select templates based on the encryption
+   scenario and data specifics. */
+typedef enum {
+    NSSCMSKEAInvalid = -1,
+    NSSCMSKEAUsesSkipjack = 0,
+    NSSCMSKEAUsesNonSkipjack = 1,
+    NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
+} NSSCMSKEATemplateSelector;
+
+/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
+                but I cannot think of a more appropriate place at this time. */
+struct NSSCMSSMIMEKEAParametersStr {
+    SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
+    SECItem originatorRA;	/* random number generated by sender */
+    SECItem nonSkipjackIV;	/* init'n vector for SkipjackCBC64
+			           decryption of KEA key if Skipjack
+				   is not the bulk algorithm used on
+				   the message */
+    SECItem bulkKeySize;	/* if Skipjack is not the bulk
+			           algorithm used on the message,
+				   and the size of the bulk encryption
+				   key is not the same as that of
+				   originatorKEAKey (due to padding
+				   perhaps), this field will contain
+				   the real size of the bulk encryption
+				   key. */
+};
+
+/*
+ * *****************************************************************************
+ * *****************************************************************************
+ * *****************************************************************************
+ */
+
+/*
+ * See comment above about this type not really belonging to CMS.
+ */
+struct NSSCMSAttributeStr {
+    /* The following fields make up an encoded Attribute: */
+    SECItem			type;
+    SECItem **			values;	/* data may or may not be encoded */
+    /* The following fields are not part of an encoded Attribute: */
+    SECOidData *		typeTag;
+    PRBool			encoded;	/* when true, values are encoded */
+};
+
+#endif /* _CMST_H_ */
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
new file mode 100644
index 000000000..ddd87870a
--- /dev/null
+++ b/security/nss/lib/smime/cmsutil.c
@@ -0,0 +1,351 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * CMS miscellaneous utility functions.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "sechash.h"
+
+/*
+ * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
+ *
+ * make sure that the order of the objects guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in objs).
+ */
+SECStatus
+NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2)
+{
+    PRArenaPool *poolp;
+    int num_objs;
+    SECItem **enc_objs;
+    SECStatus rv = SECFailure;
+    int i;
+
+    if (objs == NULL)					/* already sorted */
+	return SECSuccess;
+
+    num_objs = NSS_CMSArray_Count((void **)objs);
+    if (num_objs == 0 || num_objs == 1)		/* already sorted. */
+	return SECSuccess;
+
+    poolp = PORT_NewArena (1024);	/* arena for temporaries */
+    if (poolp == NULL)
+	return SECFailure;		/* no memory; nothing we can do... */
+
+    /*
+     * Allocate arrays to hold the individual encodings which we will use
+     * for comparisons and the reordered attributes as they are sorted.
+     */
+    enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *));
+    if (enc_objs == NULL)
+	goto loser;
+
+    /* DER encode each individual object. */
+    for (i = 0; i < num_objs; i++) {
+	enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
+	if (enc_objs[i] == NULL)
+	    goto loser;
+    }
+    enc_objs[num_objs] = NULL;
+
+    /* now compare and sort objs by the order of enc_objs */
+    NSS_CMSArray_Sort((void **)enc_objs, NSS_CMSUtil_DERCompare, objs, objs2);
+
+    rv = SECSuccess;
+
+loser:
+    PORT_FreeArena (poolp, PR_FALSE);
+    return rv;
+}
+
+/*
+ * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
+ *  sort arrays of SECItems containing DER
+ */
+int
+NSS_CMSUtil_DERCompare(void *a, void *b)
+{
+    SECItem *der1 = (SECItem *)a;
+    SECItem *der2 = (SECItem *)b;
+    unsigned int j;
+
+    /*
+     * Find the lowest (lexigraphically) encoding.  One that is
+     * shorter than all the rest is known to be "less" because each
+     * attribute is of the same type (a SEQUENCE) and so thus the
+     * first octet of each is the same, and the second octet is
+     * the length (or the length of the length with the high bit
+     * set, followed by the length, which also works out to always
+     * order the shorter first).  Two (or more) that have the
+     * same length need to be compared byte by byte until a mismatch
+     * is found.
+     */
+    if (der1->len != der2->len)
+	return (der1->len < der2->len) ? -1 : 1;
+
+    for (j = 0; j < der1->len; j++) {
+	if (der1->data[j] == der2->data[j])
+	    continue;
+	return (der1->data[j] < der2->data[j]) ? -1 : 1;
+    }
+    return 0;
+}
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algid - algorithmid of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+int
+NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
+{
+    int i;
+
+    if (algorithmArray == NULL || algorithmArray[0] == NULL)
+	return -1;
+
+    for (i = 0; algorithmArray[i] != NULL; i++) {
+	if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
+	    break;	/* bingo */
+    }
+
+    if (algorithmArray[i] == NULL)
+	return -1;	/* not found */
+
+    return i;
+}
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algtag - algorithm tag of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+int
+NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, 
+                                 SECOidTag algtag)
+{
+    SECOidData *algid;
+    int i = -1;
+
+    if (algorithmArray == NULL || algorithmArray[0] == NULL)
+	return i;
+
+#ifdef ORDER_N_SQUARED
+    for (i = 0; algorithmArray[i] != NULL; i++) {
+	algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
+	if (algid->offset == algtag)
+	    break;	/* bingo */
+    }
+#else
+    algid = SECOID_FindOIDByTag(algtag);
+    if (!algid) 
+    	return i;
+    for (i = 0; algorithmArray[i] != NULL; i++) {
+	if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
+	    break;	/* bingo */
+    }
+#endif
+
+    if (algorithmArray[i] == NULL)
+	return -1;	/* not found */
+
+    return i;
+}
+
+const SECHashObject *
+NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
+{
+    SECOidTag oidTag = SECOID_FindOIDTag(&(algid->algorithm));
+    const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
+
+    return digobj;
+}
+
+const SEC_ASN1Template *
+NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type)
+{
+    const SEC_ASN1Template *template;
+    extern const SEC_ASN1Template NSSCMSSignedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSEncryptedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSDigestedDataTemplate[];
+
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	template = NSSCMSSignedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	template = NSSCMSEnvelopedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	template = NSSCMSEncryptedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	template = NSSCMSDigestedDataTemplate;
+	break;
+    default:
+    case SEC_OID_PKCS7_DATA:
+	template = NULL;
+	break;
+    }
+    return template;
+}
+
+size_t
+NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type)
+{
+    size_t size;
+
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	size = sizeof(NSSCMSSignedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	size = sizeof(NSSCMSEnvelopedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	size = sizeof(NSSCMSEncryptedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	size = sizeof(NSSCMSDigestedData);
+	break;
+    default:
+    case SEC_OID_PKCS7_DATA:
+	size = 0;
+	break;
+    }
+    return size;
+}
+
+NSSCMSContentInfo *
+NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type)
+{
+    NSSCMSContent c;
+    NSSCMSContentInfo *cinfo = NULL;
+
+    if (!msg)
+	return cinfo;
+    c.pointer = msg;
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	cinfo = &(c.signedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	cinfo = &(c.envelopedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	cinfo = &(c.encryptedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	cinfo = &(c.digestedData->contentInfo);
+	break;
+    default:
+	cinfo = NULL;
+    }
+    return cinfo;
+}
+
+const char *
+NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs)
+{
+    switch (vs) {
+    case NSSCMSVS_Unverified:			return "Unverified";
+    case NSSCMSVS_GoodSignature:		return "GoodSignature";
+    case NSSCMSVS_BadSignature:			return "BadSignature";
+    case NSSCMSVS_DigestMismatch:		return "DigestMismatch";
+    case NSSCMSVS_SigningCertNotFound:		return "SigningCertNotFound";
+    case NSSCMSVS_SigningCertNotTrusted:	return "SigningCertNotTrusted";
+    case NSSCMSVS_SignatureAlgorithmUnknown:	return "SignatureAlgorithmUnknown";
+    case NSSCMSVS_SignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
+    case NSSCMSVS_MalformedSignature:		return "MalformedSignature";
+    case NSSCMSVS_ProcessingError:		return "ProcessingError";
+    default:					return "Unknown";
+    }
+}
+
+SECStatus
+NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
+                 PLArenaPool *arena)
+{
+    NSSCMSEncoderContext *ecx;
+    SECStatus rv = SECSuccess;
+    if (!cmsg || !derOut || !arena) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ecx = NSS_CMSEncoder_Start(cmsg, 0, 0, derOut, arena, 0, 0, 0, 0, 0, 0);
+    if (!ecx) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    if (input) {
+	rv = NSS_CMSEncoder_Update(ecx, (const char*)input->data, input->len);
+	if (rv) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	}
+    }
+    rv |= NSS_CMSEncoder_Finish(ecx);
+    if (rv) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/smime/config.mk b/security/nss/lib/smime/config.mk
new file mode 100644
index 000000000..b2100bc91
--- /dev/null
+++ b/security/nss/lib/smime/config.mk
@@ -0,0 +1,98 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+RELEASE_LIBS = $(TARGETS)
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/smime.res
+RESNAME = smime.rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nss3.lib \
+	$(DIST)/lib/nssutil3.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../pkcs12 \
+	../pkcs7 \
+	$(NULL)
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn
new file mode 100644
index 000000000..a72b41377
--- /dev/null
+++ b/security/nss/lib/smime/manifest.mn
@@ -0,0 +1,84 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	cms.h \
+	cmst.h \
+	smime.h \
+	cmsreclist.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	cmslocal.h \
+	$(NULL)
+
+MODULE = nss
+MAPFILE = $(OBJDIR)/smime.def
+
+CSRCS = \
+	cmsarray.c \
+	cmsasn1.c \
+	cmsattr.c \
+	cmscinfo.c \
+	cmscipher.c \
+	cmsdecode.c \
+	cmsdigdata.c \
+	cmsdigest.c \
+	cmsencdata.c \
+	cmsencode.c \
+	cmsenvdata.c \
+	cmsmessage.c \
+	cmspubkey.c \
+	cmsrecinfo.c \
+	cmsreclist.c \
+	cmssigdata.c \
+	cmssiginfo.c \
+	cmsutil.c \
+	smimemessage.c \
+	smimeutil.c \
+	smimever.c \
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = smime
+LIBRARY_VERSION = 3
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
new file mode 100644
index 000000000..39ccc45bb
--- /dev/null
+++ b/security/nss/lib/smime/smime.def
@@ -0,0 +1,275 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.2 {               # NSS 3.2 release
+;+    global:
+LIBRARY smime3 ;-
+EXPORTS	;-
+NSS_CMSContentInfo_GetBulkKey;
+NSS_CMSContentInfo_GetBulkKeySize;
+NSS_CMSContentInfo_GetContent;
+NSS_CMSContentInfo_GetContentEncAlgTag;
+NSS_CMSContentInfo_GetContentTypeTag;
+NSS_CMSContentInfo_SetBulkKey;
+NSS_CMSContentInfo_SetContent;
+NSS_CMSContentInfo_SetContentEncAlg;
+NSS_CMSContentInfo_SetContent_Data;
+NSS_CMSContentInfo_SetContent_DigestedData;
+NSS_CMSContentInfo_SetContent_EncryptedData;
+NSS_CMSContentInfo_SetContent_EnvelopedData;
+NSS_CMSContentInfo_SetContent_SignedData;
+NSS_CMSDEREncode;
+NSS_CMSDecoder_Cancel;
+NSS_CMSDecoder_Finish;
+NSS_CMSDecoder_Start;
+NSS_CMSDecoder_Update;
+NSS_CMSDigestContext_Cancel;
+NSS_CMSDigestContext_FinishMultiple;
+NSS_CMSDigestContext_FinishSingle;
+NSS_CMSDigestContext_StartMultiple;
+NSS_CMSDigestContext_StartSingle;
+NSS_CMSDigestContext_Update;
+NSS_CMSDigestedData_Create;
+NSS_CMSDigestedData_Destroy;
+NSS_CMSDigestedData_GetContentInfo;
+NSS_CMSEncoder_Cancel;
+NSS_CMSEncoder_Finish;
+NSS_CMSEncoder_Start;
+NSS_CMSEncoder_Update;
+NSS_CMSEncryptedData_Create;
+NSS_CMSEncryptedData_Destroy;
+NSS_CMSEncryptedData_GetContentInfo;
+NSS_CMSEnvelopedData_AddRecipient;
+NSS_CMSEnvelopedData_Create;
+NSS_CMSEnvelopedData_Destroy;
+NSS_CMSEnvelopedData_GetContentInfo;
+NSS_CMSMessage_ContentLevel;
+NSS_CMSMessage_ContentLevelCount;
+NSS_CMSMessage_Copy;
+NSS_CMSMessage_Create;
+NSS_CMSMessage_CreateFromDER;
+NSS_CMSMessage_Destroy;
+NSS_CMSMessage_GetContent;
+NSS_CMSMessage_GetContentInfo;
+NSS_CMSRecipientInfo_Create;
+NSS_CMSRecipientInfo_Destroy;
+NSS_CMSSignedData_AddCertChain;
+NSS_CMSSignedData_AddCertList;
+NSS_CMSSignedData_AddCertificate;
+NSS_CMSSignedData_AddDigest;
+NSS_CMSSignedData_AddSignerInfo;
+NSS_CMSSignedData_Create;
+NSS_CMSSignedData_CreateCertsOnly;
+NSS_CMSSignedData_Destroy;
+NSS_CMSSignedData_GetContentInfo;
+NSS_CMSSignedData_GetDigestAlgs;
+NSS_CMSSignedData_GetSignerInfo;
+NSS_CMSSignedData_HasDigests;
+NSS_CMSSignedData_ImportCerts;
+NSS_CMSSignedData_SetDigests;
+NSS_CMSSignedData_SignerInfoCount;
+NSS_CMSSignedData_VerifyCertsOnly;
+NSS_CMSSignedData_VerifySignerInfo;
+NSS_CMSSignerInfo_AddSMIMECaps;
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs;
+NSS_CMSSignerInfo_AddSigningTime;
+NSS_CMSSignerInfo_Create;
+NSS_CMSSignerInfo_Destroy;
+NSS_CMSSignerInfo_GetCertList;
+NSS_CMSSignerInfo_GetSignerCommonName;
+NSS_CMSSignerInfo_GetSignerEmailAddress;
+NSS_CMSSignerInfo_GetSigningCertificate;
+NSS_CMSSignerInfo_GetSigningTime;
+NSS_CMSSignerInfo_GetVerificationStatus;
+NSS_CMSSignerInfo_GetVersion;
+NSS_CMSSignerInfo_IncludeCerts;
+NSS_CMSUtil_VerificationStatusToString;
+NSS_SMIMEUtil_FindBulkAlgForRecipients;
+CERT_DecodeCertPackage;
+SEC_PKCS7AddRecipient;
+SEC_PKCS7AddSigningTime;
+SEC_PKCS7ContentType;
+SEC_PKCS7CreateData;
+SEC_PKCS7CreateEncryptedData;
+SEC_PKCS7CreateEnvelopedData;
+SEC_PKCS7CreateSignedData;
+SEC_PKCS7DecodeItem;
+SEC_PKCS7DecoderFinish;
+SEC_PKCS7DecoderStart;
+SEC_PKCS7DecoderUpdate;
+SEC_PKCS7DecryptContents;
+SEC_PKCS7DestroyContentInfo;
+SEC_PKCS7EncoderFinish;
+SEC_PKCS7EncoderStart;
+SEC_PKCS7EncoderUpdate;
+SEC_PKCS7GetCertificateList;
+SEC_PKCS7GetContent;
+SEC_PKCS7GetEncryptionAlgorithm;
+SEC_PKCS7IncludeCertChain;
+SEC_PKCS7IsContentEmpty;
+SEC_PKCS7VerifySignature;
+SEC_PKCS12AddCertAndKey;
+SEC_PKCS12AddPasswordIntegrity;
+SEC_PKCS12CreateExportContext;
+SEC_PKCS12CreatePasswordPrivSafe;
+SEC_PKCS12CreateUnencryptedSafe;
+SEC_PKCS12EnableCipher;
+SEC_PKCS12Encode;
+SEC_PKCS12DecoderImportBags;
+SEC_PKCS12DecoderFinish;
+SEC_PKCS12DecoderStart;
+SEC_PKCS12DecoderUpdate;
+SEC_PKCS12DecoderValidateBags;
+SEC_PKCS12DecoderVerify;
+SEC_PKCS12DestroyExportContext;
+SEC_PKCS12IsEncryptionAllowed;
+SEC_PKCS12SetPreferredCipher;
+;+    local:
+;+        *;
+;+};
+;+NSS_3.2.1 {               # NSS 3.2.1 release
+;+    global:
+NSSSMIME_VersionCheck;
+;+    local:
+;+        *;
+;+};
+;+NSS_3.3 {     # NSS 3.3 release
+;+    global:
+SEC_PKCS7AddCertificate;
+SEC_PKCS7CreateCertsOnly;
+SEC_PKCS7Encode;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.4 {     # NSS 3.4 release
+;+    global:
+CERT_DecodeCertFromPackage;
+NSS_CMSMessage_IsSigned;
+NSS_CMSSignedData_SetDigestValue;
+NSS_SMIMESignerInfo_SaveSMIMEProfile;
+SEC_PKCS12DecoderGetCerts;
+SEC_PKCS7ContainsCertsOrCrls;
+SEC_PKCS7ContentIsEncrypted;
+SEC_PKCS7ContentIsSigned;
+SEC_PKCS7CopyContentInfo;
+SEC_PKCS7GetSignerCommonName;
+SEC_PKCS7GetSignerEmailAddress;
+SEC_PKCS7GetSigningTime;
+SEC_PKCS7SetContent;
+SEC_PKCS7VerifyDetachedSignature;
+SECMIME_DecryptionAllowed;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.4.1 {     # NSS 3.4.1 release
+;+    global:
+NSS_CMSMessage_IsEncrypted;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.6 {     # NSS 3.6 release
+;+    global:
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs;
+NSS_CMSSignerInfo_CreateWithSubjKeyID;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.7 {     # NSS 3.7 release
+;+    global:
+NSS_CMSRecipientInfo_CreateWithSubjKeyID;
+NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.7.2 {   # NSS 3.7.2 release
+;+    global:
+NSS_CMSRecipientInfo_WrapBulkKey;
+NSS_CMSRecipientInfo_UnwrapBulkKey;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.8 {   # NSS 3.8 release
+;+    global:
+NSS_CMSRecipientInfo_CreateNew;
+NSS_CMSRecipientInfo_CreateFromDER;
+NSS_CMSRecipientInfo_Encode;
+NSS_CMSRecipientInfo_GetCertAndKey;
+SEC_PKCS12DecoderSetTargetTokenCAs;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.9 {   # NSS 3.9 release
+;+    global:
+SEC_PKCS7DecoderAbort;
+SEC_PKCS7EncoderAbort;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.9.3 {   # NSS 3.9.3 release
+;+    global:
+CERT_ConvertAndDecodeCertificate;
+SEC_PKCS7EncodeItem;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.10 {   # NSS 3.10 release
+;+    global:
+SEC_PKCS12DecoderIterateInit;
+SEC_PKCS12DecoderIterateNext;
+SEC_PKCS12DecryptionAllowed;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.12.2 {   # NSS 3.12.2 release
+;+    global:
+SEC_PKCS12AddCertOrChainAndKey;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
new file mode 100644
index 000000000..5fc659023
--- /dev/null
+++ b/security/nss/lib/smime/smime.h
@@ -0,0 +1,156 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Header file for routines specific to S/MIME.  Keep things that are pure
+ * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
+ *
+ * $Id$
+ */
+
+#ifndef _SECMIME_H_
+#define _SECMIME_H_ 1
+
+#include "cms.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Initialize the local recording of the user S/MIME cipher preferences.
+ * This function is called once for each cipher, the order being
+ * important (first call records greatest preference, and so on).
+ * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
+ * If the function is called again after that, it is assumed that
+ * the preferences are being reset, and the old preferences are
+ * discarded.
+ *
+ * XXX This is for a particular user, and right now the storage is
+ * XXX local, static.  The preference should be stored elsewhere to allow
+ * XXX for multiple uses of one library?  How does SSL handle this;
+ * XXX it has something similar?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.  (It is not necessary to call the function for
+ *    ciphers that are disabled, however, as that is the default.)
+ *
+ * If the cipher preference is successfully recorded, SECSuccess
+ * is returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to failure allocating memory or bad parameters/calls:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX (function is being called more times than there
+ *		are known/expected ciphers)
+ */
+extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
+
+/*
+ * Initialize the local recording of the S/MIME policy.
+ * This function is called to allow/disallow a particular cipher.
+ *
+ * XXX This is for a the current module, I think, so local, static storage
+ * XXX is okay.  Is that correct, or could multiple uses of the same
+ * XXX library expect to operate under different policies?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.
+ */
+extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on);
+
+/*
+ * Does the current policy allow S/MIME decryption of this particular
+ * algorithm and keysize?
+ */
+extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+extern PRBool NSS_SMIMEUtil_EncryptionPossible(void);
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value
+ *
+ * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
+ * S/MIME capabilities attribute value.
+ */
+extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers);
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
+ */
+extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
+
+/*
+ * NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
+ */
+extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
+
+/*
+ * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
+ *          attribute
+ */
+extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp);
+
+/*
+ * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
+ */
+extern SECStatus
+NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/smime/smime.rc b/security/nss/lib/smime/smime.rc
new file mode 100644
index 000000000..7fd7298d1
--- /dev/null
+++ b/security/nss/lib/smime/smime.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "smime"
+#define MY_FILEDESCRIPTION "NSS S/MIME Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
new file mode 100644
index 000000000..76e709332
--- /dev/null
+++ b/security/nss/lib/smime/smimemessage.c
@@ -0,0 +1,218 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * SMIME message methods
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+#include "smime.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+
+#if 0
+/*
+ * NSS_SMIMEMessage_CreateEncrypted - start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+NSSCMSMessage *
+NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert,
+			CERTCertificate **rcerts,
+			CERTCertDBHandle *certdb,
+			PK11PasswordFunc pwfn,
+			void *pwfn_arg)
+{
+    NSSCMSMessage *cmsg;
+    long cipher;
+    SECOidTag encalg;
+    int keysize;
+    int mapi, rci;
+
+    cipher = smime_choose_cipher (scert, rcerts);
+    if (cipher < 0)
+	return NULL;
+
+    mapi = smime_mapi_by_cipher (cipher);
+    if (mapi < 0)
+	return NULL;
+
+    /*
+     * XXX This is stretching it -- CreateEnvelopedData should probably
+     * take a cipher itself of some sort, because we cannot know what the
+     * future will bring in terms of parameters for each type of algorithm.
+     * For example, just an algorithm and keysize is *not* sufficient to
+     * fully specify the usage of RC5 (which also needs to know rounds and
+     * block size).  Work this out into a better API!
+     */
+    encalg = smime_cipher_map[mapi].algtag;
+    keysize = smime_keysize_by_cipher (cipher);
+    if (keysize < 0)
+	return NULL;
+
+    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
+					  certdb, encalg, keysize,
+					  pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    for (rci = 0; rcerts[rci] != NULL; rci++) {
+	if (rcerts[rci] == scert)
+	    continue;
+	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
+				   NULL) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "ecert" is the signer's encryption cert.  If it is different from
+ * scert, then it will be included in the signed message so that the
+ * recipient can save it for future encryptions.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+
+NSSCMSMessage *
+NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert,
+		      CERTCertificate *ecert,
+		      CERTCertDBHandle *certdb,
+		      SECOidTag digestalgtag,
+		      SECItem *digest,
+		      PK11PasswordFunc pwfn,
+		      void *pwfn_arg)
+{
+    NSSCMSMessage *cmsg;
+    NSSCMSSignedData *sigd;
+    NSSCMSSignerInfo *signerinfo;
+
+    /* See note in header comment above about digestalg. */
+    /* Doesn't explain this.  PORT_Assert (digestalgtag == SEC_OID_SHA1); */
+
+    cmsg = NSS_CMSMessage_Create(NULL);
+    if (cmsg == NULL)
+	return NULL;
+
+    sigd = NSS_CMSSignedData_Create(cmsg);
+    if (sigd == NULL)
+	goto loser;
+
+    /* create just one signerinfo */
+    signerinfo = NSS_CMSSignerInfo_Create(cmsg, scert, digestalgtag);
+    if (signerinfo == NULL)
+	goto loser;
+
+    /* Add the signing time to the signerinfo.  */
+    if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess)
+	goto loser;
+    
+    /* and add the SMIME profile */
+    if (NSS_SMIMESignerInfo_AddSMIMEProfile(signerinfo, scert) != SECSuccess)
+	goto loser;
+
+    /* now add the signerinfo to the signeddata */
+    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess)
+	goto loser;
+
+    /* include the signing cert and its entire chain */
+    /* note that there are no checks for duplicate certs in place, as all the */
+    /* essential data structures (like set of certificate) are not there */
+    if (NSS_CMSSignedData_AddCertChain(sigd, scert) != SECSuccess)
+	goto loser;
+
+    /* If the encryption cert and the signing cert differ, then include
+     * the encryption cert too. */
+    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
+	if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess)
+	    goto loser;
+    }
+
+    return cmsg;
+loser:
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    return NULL;
+}
+#endif
diff --git a/security/nss/lib/smime/smimesym.c b/security/nss/lib/smime/smimesym.c
new file mode 100644
index 000000000..e7bb771e5
--- /dev/null
+++ b/security/nss/lib/smime/smimesym.c
@@ -0,0 +1,8 @@
+extern void SEC_PKCS7DecodeItem();
+extern void SEC_PKCS7DestroyContentInfo();
+
+smime_CMDExports() {
+	SEC_PKCS7DecodeItem();
+	SEC_PKCS7DestroyContentInfo();
+}
+
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
new file mode 100644
index 000000000..b2d848cea
--- /dev/null
+++ b/security/nss/lib/smime/smimeutil.c
@@ -0,0 +1,795 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Stuff specific to S/MIME policy and interoperability.
+ *
+ * $Id$
+ */
+
+#include "secmime.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
+#include "secasn1.h"
+#include "secitem.h"
+#include "cert.h"
+#include "key.h"
+#include "secerr.h"
+#include "cms.h"
+#include "nss.h"
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+
+/* various integer's ASN.1 encoding */
+static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 };
+static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 };
+static unsigned char asn1_int128[] = { SEC_ASN1_INTEGER, 0x02, 0x00, 0x80 };
+
+/* RC2 algorithm parameters (used in smime_cipher_map) */
+static SECItem param_int40 = { siBuffer, asn1_int40, sizeof(asn1_int40) };
+static SECItem param_int64 = { siBuffer, asn1_int64, sizeof(asn1_int64) };
+static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) };
+
+/*
+ * XXX Would like the "parameters" field to be a SECItem *, but the
+ * encoder is having trouble with optional pointers to an ANY.  Maybe
+ * once that is fixed, can change this back...
+ */
+typedef struct {
+    SECItem capabilityID;
+    SECItem parameters;
+    long cipher;		/* optimization */
+} NSSSMIMECapability;
+
+static const SEC_ASN1Template NSSSMIMECapabilityTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSSMIMECapability) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSSMIMECapability,capabilityID), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(NSSSMIMECapability,parameters), },
+    { 0, }
+};
+
+static const SEC_ASN1Template NSSSMIMECapabilitiesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, NSSSMIMECapabilityTemplate }
+};
+
+/*
+ * NSSSMIMEEncryptionKeyPreference - if we find one of these, it needs to prompt us
+ *  to store this and only this certificate permanently for the sender email address.
+ */
+typedef enum {
+    NSSSMIMEEncryptionKeyPref_IssuerSN,
+    NSSSMIMEEncryptionKeyPref_RKeyID,
+    NSSSMIMEEncryptionKeyPref_SubjectKeyID
+} NSSSMIMEEncryptionKeyPrefSelector;
+
+typedef struct {
+    NSSSMIMEEncryptionKeyPrefSelector selector;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;
+	NSSCMSRecipientKeyIdentifier	*recipientKeyID;
+	SECItem				*subjectKeyID;
+    } id;
+} NSSSMIMEEncryptionKeyPreference;
+
+extern const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[];
+
+static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
+	  sizeof(NSSSMIMEEncryptionKeyPreference) },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0
+          | SEC_ASN1_CONSTRUCTED,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSSMIMEEncryptionKeyPref_IssuerSN },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1
+          | SEC_ASN1_CONSTRUCTED,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
+	  NSSCMSRecipientKeyIdentifierTemplate,
+	  NSSSMIMEEncryptionKeyPref_RKeyID },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2
+          | SEC_ASN1_CONSTRUCTED,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate),
+	  NSSSMIMEEncryptionKeyPref_SubjectKeyID },
+    { 0, }
+};
+
+/* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */
+typedef struct {
+    unsigned long cipher;
+    SECOidTag algtag;
+    SECItem *parms;
+    PRBool enabled;	/* in the user's preferences */
+    PRBool allowed;	/* per export policy */
+} smime_cipher_map_entry;
+
+/* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */
+static smime_cipher_map_entry smime_cipher_map[] = {
+/*    cipher			algtag			parms		enabled  allowed */
+/*    ---------------------------------------------------------------------------------- */
+    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&param_int40,	PR_TRUE, PR_TRUE },
+    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL,		PR_TRUE, PR_TRUE },
+    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&param_int64,	PR_TRUE, PR_TRUE },
+    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&param_int128,	PR_TRUE, PR_TRUE },
+    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL,		PR_TRUE, PR_TRUE },
+    { SMIME_AES_CBC_128,	SEC_OID_AES_128_CBC,	NULL,		PR_TRUE, PR_TRUE },
+    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL,	PR_TRUE, PR_TRUE }
+};
+static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry);
+
+/*
+ * smime_mapi_by_cipher - find index into smime_cipher_map by cipher
+ */
+static int
+smime_mapi_by_cipher(unsigned long cipher)
+{
+    int i;
+
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].cipher == cipher)
+	    return i;	/* bingo */
+    }
+    return -1;		/* should not happen if we're consistent, right? */
+}
+
+/*
+ * NSS_SMIME_EnableCipher - this function locally records the user's preference
+ */
+SECStatus 
+NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on)
+{
+    unsigned long mask;
+    int mapi;
+
+    mask = which & CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME)
+	/* XXX set an error! */
+    	return SECFailure;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	/* XXX set an error */
+	return SECFailure;
+
+    /* do we try to turn on a forbidden cipher? */
+    if (!smime_cipher_map[mapi].allowed && on) {
+	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	return SECFailure;
+    }
+
+    if (smime_cipher_map[mapi].enabled != on)
+	smime_cipher_map[mapi].enabled = on;
+
+    return SECSuccess;
+}
+
+
+/*
+ * this function locally records the export policy
+ */
+SECStatus 
+NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on)
+{
+    unsigned long mask;
+    int mapi;
+
+    mask = which & CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME)
+	/* XXX set an error! */
+    	return SECFailure;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	/* XXX set an error */
+	return SECFailure;
+
+    if (smime_cipher_map[mapi].allowed != on)
+	smime_cipher_map[mapi].allowed = on;
+
+    return SECSuccess;
+}
+
+/*
+ * Based on the given algorithm (including its parameters, in some cases!)
+ * and the given key (may or may not be inspected, depending on the
+ * algorithm), find the appropriate policy algorithm specification
+ * and return it.  If no match can be made, -1 is returned.
+ */
+static SECStatus
+nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, unsigned long *cipher)
+{
+    SECOidTag algtag;
+    unsigned int keylen_bits;
+    unsigned long c;
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+    switch (algtag) {
+    case SEC_OID_RC2_CBC:
+	keylen_bits = PK11_GetKeyStrength(key, algid);
+	switch (keylen_bits) {
+	case 40:
+	    c = SMIME_RC2_CBC_40;
+	    break;
+	case 64:
+	    c = SMIME_RC2_CBC_64;
+	    break;
+	case 128:
+	    c = SMIME_RC2_CBC_128;
+	    break;
+	default:
+	    return SECFailure;
+	}
+	break;
+    case SEC_OID_DES_CBC:
+	c = SMIME_DES_CBC_56;
+	break;
+    case SEC_OID_DES_EDE3_CBC:
+	c = SMIME_DES_EDE3_168;
+	break;
+    case SEC_OID_AES_128_CBC:
+	c = SMIME_AES_CBC_128;
+	break;
+    case SEC_OID_FORTEZZA_SKIPJACK:
+	c = SMIME_FORTEZZA;
+	break;
+    default:
+	return SECFailure;
+    }
+    *cipher = c;
+    return SECSuccess;
+}
+
+static PRBool
+nss_smime_cipher_allowed(unsigned long which)
+{
+    int mapi;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	return PR_FALSE;
+    return smime_cipher_map[mapi].allowed;
+}
+
+PRBool
+NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
+{
+    unsigned long which;
+
+    if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess)
+	return PR_FALSE;
+
+    return nss_smime_cipher_allowed(which);
+}
+
+
+/*
+ * NSS_SMIME_EncryptionPossible - check if any encryption is allowed
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+PRBool
+NSS_SMIMEUtil_EncryptionPossible(void)
+{
+    int i;
+
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].allowed)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+
+static int
+nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap)
+{
+    int i;
+    SECOidTag capIDTag;
+
+    /* we need the OIDTag here */
+    capIDTag = SECOID_FindOIDTag(&(cap->capabilityID));
+
+    /* go over all the SMIME ciphers we know and see if we find a match */
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].algtag != capIDTag)
+	    continue;
+	/*
+	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
+	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
+	 * use that here instead of all of the following comparison code.
+	 */
+	if (!smime_cipher_map[i].parms) { 
+	    if (!cap->parameters.data || !cap->parameters.len)
+		break;	/* both empty: bingo */
+	    if (cap->parameters.len     == 2  &&
+	        cap->parameters.data[0] == SEC_ASN1_NULL &&
+		cap->parameters.data[1] == 0) 
+		break;  /* DER NULL == NULL, bingo */
+	} else if (cap->parameters.data != NULL && 
+	    cap->parameters.len == smime_cipher_map[i].parms->len &&
+	    PORT_Memcmp (cap->parameters.data, smime_cipher_map[i].parms->data,
+			     cap->parameters.len) == 0)
+	{
+	    break;	/* both not empty, same length & equal content: bingo */
+	}
+    }
+
+    if (i == smime_cipher_map_count)
+	return 0;				/* no match found */
+    return smime_cipher_map[i].cipher;	/* match found, point to cipher */
+}
+
+/*
+ * smime_choose_cipher - choose a cipher that works for all the recipients
+ *
+ * "scert"  - sender's certificate
+ * "rcerts" - recipient's certificates
+ */
+static long
+smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
+{
+    PRArenaPool *poolp;
+    long cipher;
+    long chosen_cipher;
+    int *cipher_abilities;
+    int *cipher_votes;
+    int weak_mapi;
+    int strong_mapi;
+    int rcount, mapi, max, i;
+    PRBool scert_is_fortezza = (scert == NULL) ? PR_FALSE : PK11_FortezzaHasKEA(scert);
+
+    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
+    weak_mapi = smime_mapi_by_cipher(chosen_cipher);
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	goto done;
+
+    cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
+    cipher_votes     = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
+    if (cipher_votes == NULL || cipher_abilities == NULL)
+	goto done;
+
+    /* If the user has the Fortezza preference turned on, make
+     *  that the strong cipher. Otherwise, use triple-DES. */
+    strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
+    if (scert_is_fortezza) {
+	mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
+	if (mapi >= 0 && smime_cipher_map[mapi].enabled)
+	    strong_mapi = mapi;
+    }
+
+    /* walk all the recipient's certs */
+    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
+	SECItem *profile;
+	NSSSMIMECapability **caps;
+	int pref;
+
+	/* the first cipher that matches in the user's SMIME profile gets
+	 * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1
+	 * and so on. If every cipher matches, the last one gets 1 (one) vote */
+	pref = smime_cipher_map_count;
+
+	/* find recipient's SMIME profile */
+	profile = CERT_FindSMimeProfile(rcerts[rcount]);
+
+	if (profile != NULL && profile->data != NULL && profile->len > 0) {
+	    /* we have a profile (still DER-encoded) */
+	    caps = NULL;
+	    /* decode it */
+	    if (SEC_QuickDERDecodeItem(poolp, &caps,
+                    NSSSMIMECapabilitiesTemplate, profile) == SECSuccess &&
+		    caps != NULL)
+	    {
+		/* walk the SMIME capabilities for this recipient */
+		for (i = 0; caps[i] != NULL; i++) {
+		    cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]);
+		    mapi = smime_mapi_by_cipher(cipher);
+		    if (mapi >= 0) {
+			/* found the cipher */
+			cipher_abilities[mapi]++;
+			cipher_votes[mapi] += pref;
+			--pref;
+		    }
+		}
+	    }
+	} else {
+	    /* no profile found - so we can only assume that the user can do
+	     * the mandatory algorithms which is RC2-40 (weak crypto) and 3DES (strong crypto) */
+	    SECKEYPublicKey *key;
+	    unsigned int pklen_bits;
+
+	    /*
+	     * if recipient's public key length is > 512, vote for a strong cipher
+	     * please not that the side effect of this is that if only one recipient
+	     * has an export-level public key, the strong cipher is disabled.
+	     *
+	     * XXX This is probably only good for RSA keys.  What I would
+	     * really like is a function to just say;  Is the public key in
+	     * this cert an export-length key?  Then I would not have to
+	     * know things like the value 512, or the kind of key, or what
+	     * a subjectPublicKeyInfo is, etc.
+	     */
+	    key = CERT_ExtractPublicKey(rcerts[rcount]);
+	    pklen_bits = 0;
+	    if (key != NULL) {
+		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
+		SECKEY_DestroyPublicKey (key);
+	    }
+
+	    if (pklen_bits > 512) {
+		/* cast votes for the strong algorithm */
+		cipher_abilities[strong_mapi]++;
+		cipher_votes[strong_mapi] += pref;
+		pref--;
+	    } 
+
+	    /* always cast (possibly less) votes for the weak algorithm */
+	    cipher_abilities[weak_mapi]++;
+	    cipher_votes[weak_mapi] += pref;
+	}
+	if (profile != NULL)
+	    SECITEM_FreeItem(profile, PR_TRUE);
+    }
+
+    /* find cipher that is agreeable by all recipients and that has the most votes */
+    max = 0;
+    for (mapi = 0; mapi < smime_cipher_map_count; mapi++) {
+	/* if not all of the recipients can do this, forget it */
+	if (cipher_abilities[mapi] != rcount)
+	    continue;
+	/* if cipher is not enabled or not allowed by policy, forget it */
+	if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed)
+	    continue;
+	/* if we're not doing fortezza, but the cipher is fortezza, forget it */
+	if (!scert_is_fortezza  && (smime_cipher_map[mapi].cipher == SMIME_FORTEZZA))
+	    continue;
+	/* now see if this one has more votes than the last best one */
+	if (cipher_votes[mapi] >= max) {
+	    /* if equal number of votes, prefer the ones further down in the list */
+	    /* with the expectation that these are higher rated ciphers */
+	    chosen_cipher = smime_cipher_map[mapi].cipher;
+	    max = cipher_votes[mapi];
+	}
+    }
+    /* if no common cipher was found, chosen_cipher stays at the default */
+
+done:
+    if (poolp != NULL)
+	PORT_FreeArena (poolp, PR_FALSE);
+
+    return chosen_cipher;
+}
+
+/*
+ * XXX This is a hack for now to satisfy our current interface.
+ * Eventually, with more parameters needing to be specified, just
+ * looking up the keysize is not going to be sufficient.
+ */
+static int
+smime_keysize_by_cipher (unsigned long which)
+{
+    int keysize;
+
+    switch (which) {
+      case SMIME_RC2_CBC_40:
+	keysize = 40;
+	break;
+      case SMIME_RC2_CBC_64:
+	keysize = 64;
+	break;
+      case SMIME_RC2_CBC_128:
+      case SMIME_AES_CBC_128:
+	keysize = 128;
+	break;
+      case SMIME_DES_CBC_56:
+      case SMIME_DES_EDE3_168:
+      case SMIME_FORTEZZA:
+	/*
+	 * These are special; since the key size is fixed, we actually
+	 * want to *avoid* specifying a key size.
+	 */
+	keysize = 0;
+	break;
+      default:
+	keysize = -1;
+	break;
+    }
+
+    return keysize;
+}
+
+/*
+ * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
+ *
+ * it would be great for UI purposes if there would be a way to find out which recipients
+ * prevented a strong cipher from being used...
+ */
+SECStatus
+NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize)
+{
+    unsigned long cipher;
+    int mapi;
+
+    cipher = smime_choose_cipher(NULL, rcerts);
+    mapi = smime_mapi_by_cipher(cipher);
+
+    *bulkalgtag = smime_cipher_map[mapi].algtag;
+    *keysize = smime_keysize_by_cipher(smime_cipher_map[mapi].cipher);
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
+ *
+ * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
+ * S/MIME capabilities attribute value.
+ *
+ * XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
+ * symmetric ciphers, NO signature algorithms or key encipherment algorithms.
+ *
+ * "poolp" - arena pool to create the S/MIME capabilities data on
+ * "dest" - SECItem to put the data in
+ * "includeFortezzaCiphers" - PR_TRUE if fortezza ciphers should be included
+ */
+SECStatus
+NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers)
+{
+    NSSSMIMECapability *cap;
+    NSSSMIMECapability **smime_capabilities;
+    smime_cipher_map_entry *map;
+    SECOidData *oiddata;
+    SECItem *dummy;
+    int i, capIndex;
+
+    /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
+    /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
+    smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
+				      * sizeof(NSSSMIMECapability *));
+    if (smime_capabilities == NULL)
+	return SECFailure;
+
+    capIndex = 0;
+
+    /* Add all the symmetric ciphers
+     * We walk the cipher list backwards, as it is ordered by increasing strength,
+     * we prefer the stronger cipher over a weaker one, and we have to list the
+     * preferred algorithm first */
+    for (i = smime_cipher_map_count - 1; i >= 0; i--) {
+	/* Find the corresponding entry in the cipher map. */
+	map = &(smime_cipher_map[i]);
+	if (!map->enabled)
+	    continue;
+
+	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
+	   capabilities. (We advertise all capabilities if we have a 
+	   Fortezza cert.) */
+	if ((!includeFortezzaCiphers) && (map->cipher == SMIME_FORTEZZA))
+	    continue;
+
+	/* get next SMIME capability */
+	cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
+	if (cap == NULL)
+	    break;
+	smime_capabilities[capIndex++] = cap;
+
+	oiddata = SECOID_FindOIDByTag(map->algtag);
+	if (oiddata == NULL)
+	    break;
+
+	cap->capabilityID.data = oiddata->oid.data;
+	cap->capabilityID.len = oiddata->oid.len;
+	cap->parameters.data = map->parms ? map->parms->data : NULL;
+	cap->parameters.len = map->parms ? map->parms->len : 0;
+	cap->cipher = smime_cipher_map[i].cipher;
+    }
+
+    /* XXX add signature algorithms */
+    /* XXX add key encipherment algorithms */
+
+    smime_capabilities[capIndex] = NULL;	/* last one - now encode */
+    dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
+
+    /* now that we have the proper encoded SMIMECapabilities (or not),
+     * free the work data */
+    for (i = 0; smime_capabilities[i] != NULL; i++)
+	PORT_Free(smime_capabilities[i]);
+    PORT_Free(smime_capabilities);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
+ *
+ * "poolp" - arena pool to create the attr value on
+ * "dest" - SECItem to put the data in
+ * "cert" - certificate that should be marked as preferred encryption key
+ *          cert is expected to have been verified for EmailRecipient usage.
+ */
+SECStatus
+NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
+{
+    NSSSMIMEEncryptionKeyPreference ekp;
+    SECItem *dummy = NULL;
+    PLArenaPool *tmppoolp = NULL;
+
+    if (cert == NULL)
+	goto loser;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	goto loser;
+
+    /* XXX hardcoded IssuerSN choice for now */
+    ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
+    ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
+    if (ekp.id.issuerAndSN == NULL)
+	goto loser;
+
+    dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
+
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
+ *
+ * "poolp" - arena pool to create the attr value on
+ * "dest" - SECItem to put the data in
+ * "cert" - certificate that should be marked as preferred encryption key
+ *          cert is expected to have been verified for EmailRecipient usage.
+ */
+SECStatus
+NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
+{
+    SECItem *dummy = NULL;
+    PLArenaPool *tmppoolp = NULL;
+    CERTIssuerAndSN *isn;
+
+    if (cert == NULL)
+	goto loser;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	goto loser;
+
+    isn = CERT_GetCertIssuerAndSN(tmppoolp, cert);
+    if (isn == NULL)
+	goto loser;
+
+    dummy = SEC_ASN1EncodeItem(poolp, dest, isn, SEC_ASN1_GET(CERT_IssuerAndSNTemplate));
+
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference -
+ *				find cert marked by EncryptionKeyPreference attribute
+ *
+ * "certdb" - handle for the cert database to look in
+ * "DERekp" - DER-encoded value of S/MIME Encryption Key Preference attribute
+ *
+ * if certificate is supposed to be found among the message's included certificates,
+ * they are assumed to have been imported already.
+ */
+CERTCertificate *
+NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp)
+{
+    PLArenaPool *tmppoolp = NULL;
+    CERTCertificate *cert = NULL;
+    NSSSMIMEEncryptionKeyPreference ekp;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	return NULL;
+
+    /* decode DERekp */
+    if (SEC_QuickDERDecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template,
+                               DERekp) != SECSuccess)
+	goto loser;
+
+    /* find cert */
+    switch (ekp.selector) {
+    case NSSSMIMEEncryptionKeyPref_IssuerSN:
+	cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN);
+	break;
+    case NSSSMIMEEncryptionKeyPref_RKeyID:
+    case NSSSMIMEEncryptionKeyPref_SubjectKeyID:
+	/* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */
+	break;
+    default:
+	PORT_Assert(0);
+    }
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return cert;
+}
+
+extern const char __nss_smime_rcsid[];
+extern const char __nss_smime_sccsid[];
+
+PRBool
+NSSSMIME_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_smime_rcsid[0] + __nss_smime_sccsid[0]; 
+
+    return NSS_VersionCheck(importedVersion);
+}
+
diff --git a/security/nss/lib/smime/smimever.c b/security/nss/lib/smime/smimever.c
new file mode 100644
index 000000000..df838e30a
--- /dev/null
+++ b/security/nss/lib/smime/smimever.c
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_smime_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_smime_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
new file mode 100644
index 000000000..d70b909a8
--- /dev/null
+++ b/security/nss/lib/softoken/Makefile
@@ -0,0 +1,98 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pkcs11c.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pkcs11.o: pkcs11.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+$(OBJDIR)/pkcs11c.o: pkcs11c.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
new file mode 100644
index 000000000..c22c2008b
--- /dev/null
+++ b/security/nss/lib/softoken/config.mk
@@ -0,0 +1,110 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-lsqlite3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/sqlite3.lib \
+	$(DIST)/lib/nssutil3.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(DIST)/lib/nssutil3.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-lsqlite3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),AIX)
+OS_LIBS += -lpthread
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+DEFINES += -DDBM_USING_NSPR
+endif
diff --git a/security/nss/lib/softoken/ecdecode.c b/security/nss/lib/softoken/ecdecode.c
new file mode 100644
index 000000000..c037dc519
--- /dev/null
+++ b/security/nss/lib/softoken/ecdecode.c
@@ -0,0 +1,641 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef NSS_ENABLE_ECC
+
+#include "blapi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "ec.h"
+#include "ecl-curve.h"
+
+#define CHECK_OK(func) if (func == NULL) goto cleanup
+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+
+/*
+ * Initializes a SECItem from a hexadecimal string
+ *
+ * Warning: This function ignores leading 00's, so any leading 00's
+ * in the hexadecimal string must be optional.
+ */
+static SECItem *
+hexString2SECItem(PRArenaPool *arena, SECItem *item, const char *str)
+{
+    int i = 0;
+    int byteval = 0;
+    int tmp = PORT_Strlen(str);
+
+    if ((tmp % 2) != 0) return NULL;
+    
+    /* skip leading 00's unless the hex string is "00" */
+    while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) {
+        str += 2;
+        tmp -= 2;
+    }
+
+    item->data = (unsigned char *) PORT_ArenaAlloc(arena, tmp/2);
+    if (item->data == NULL) return NULL;
+    item->len = tmp/2;
+
+    while (str[i]) {
+        if ((str[i] >= '0') && (str[i] <= '9'))
+	    tmp = str[i] - '0';
+	else if ((str[i] >= 'a') && (str[i] <= 'f'))
+	    tmp = str[i] - 'a' + 10;
+	else if ((str[i] >= 'A') && (str[i] <= 'F'))
+	    tmp = str[i] - 'A' + 10;
+	else
+	    return NULL;
+
+	byteval = byteval * 16 + tmp;
+	if ((i % 2) != 0) {
+	    item->data[i/2] = byteval;
+	    byteval = 0;
+	}
+	i++;
+    }
+
+    return item;
+}
+
+/* Copy all of the fields from srcParams into dstParams
+ */
+SECStatus
+EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams)
+{
+    SECStatus rv = SECFailure;
+
+    dstParams->arena = arena;
+    dstParams->type = srcParams->type;
+    dstParams->fieldID.size = srcParams->fieldID.size;
+    dstParams->fieldID.type = srcParams->fieldID.type;
+    if (srcParams->fieldID.type == ec_field_GFp) {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.prime,
+	    &srcParams->fieldID.u.prime));
+    } else {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.poly,
+	    &srcParams->fieldID.u.poly));
+    }
+    dstParams->fieldID.k1 = srcParams->fieldID.k1;
+    dstParams->fieldID.k2 = srcParams->fieldID.k2;
+    dstParams->fieldID.k3 = srcParams->fieldID.k3;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.a,
+	&srcParams->curve.a));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.b,
+	&srcParams->curve.b));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.seed,
+	&srcParams->curve.seed));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->base,
+	&srcParams->base));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->order,
+	&srcParams->order));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->DEREncoding,
+	&srcParams->DEREncoding));
+	dstParams->name = srcParams->name;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curveOID,
+ 	&srcParams->curveOID));
+    dstParams->cofactor = srcParams->cofactor;
+
+    return SECSuccess;
+
+cleanup:
+    return SECFailure;
+}
+
+static SECStatus
+gf_populate_params(ECCurveName name, ECFieldType field_type, ECParams *params)
+{
+    SECStatus rv = SECFailure;
+    const ECCurveParams *curveParams;
+    /* 2 ['0'+'4'] + MAX_ECKEY_LEN * 2 [x,y] * 2 [hex string] + 1 ['\0'] */
+    char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
+
+    if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve)) goto cleanup;
+    params->name = name;
+    curveParams = ecCurve_map[params->name];
+    CHECK_OK(curveParams);
+    params->fieldID.size = curveParams->size;
+    params->fieldID.type = field_type;
+    if (field_type == ec_field_GFp) {
+	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.prime, 
+	    curveParams->irr));
+    } else {
+	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.poly, 
+	    curveParams->irr));
+    }
+    CHECK_OK(hexString2SECItem(params->arena, &params->curve.a, 
+	curveParams->curvea));
+    CHECK_OK(hexString2SECItem(params->arena, &params->curve.b, 
+	curveParams->curveb));
+    genenc[0] = '0';
+    genenc[1] = '4';
+    genenc[2] = '\0';
+    strcat(genenc, curveParams->genx);
+    strcat(genenc, curveParams->geny);
+    CHECK_OK(hexString2SECItem(params->arena, &params->base, genenc));
+    CHECK_OK(hexString2SECItem(params->arena, &params->order, 
+    	curveParams->order));
+    params->cofactor = curveParams->cofactor;
+
+    rv = SECSuccess;
+
+cleanup:
+    return rv;
+}
+
+SECStatus
+EC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params)
+{
+    SECStatus rv = SECFailure;
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+
+#if EC_DEBUG
+    int i;
+
+    printf("Encoded params in EC_DecodeParams: ");
+    for (i = 0; i < encodedParams->len; i++) {
+	    printf("%02x:", encodedParams->data[i]);
+    }
+    printf("\n");
+#endif
+
+    if ((encodedParams->len != ANSI_X962_CURVE_OID_TOTAL_LEN) &&
+	(encodedParams->len != SECG_CURVE_OID_TOTAL_LEN)) {
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    };
+
+    oid.len = encodedParams->len - 2;
+    oid.data = encodedParams->data + 2;
+    if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
+	((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { 
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    }
+
+    params->arena = arena;
+    params->cofactor = 0;
+    params->type = ec_params_named;
+    params->name = ECCurve_noName;
+
+    /* For named curves, fill out curveOID */
+    params->curveOID.len = oid.len;
+    params->curveOID.data = (unsigned char *) PORT_ArenaAlloc(arena, oid.len);
+    if (params->curveOID.data == NULL) goto cleanup;
+    memcpy(params->curveOID.data, oid.data, oid.len);
+
+#if EC_DEBUG
+    printf("Curve: %s\n", SECOID_FindOIDTagDescription(tag));
+#endif
+
+    switch (tag) {
+
+    /* Binary curves */
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V1:
+	/* Populate params for c2pnb163v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V2:
+	/* Populate params for c2pnb163v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V3:
+	/* Populate params for c2pnb163v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB176V1:
+	/* Populate params for c2pnb176v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB176V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V1:
+	/* Populate params for c2tnb191v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V2:
+	/* Populate params for c2tnb191v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V3:
+	/* Populate params for c2tnb191v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB208W1:
+	/* Populate params for c2pnb208w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB208W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V1:
+	/* Populate params for c2tnb239v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V2:
+	/* Populate params for c2tnb239v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V3:
+	/* Populate params for c2tnb239v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB272W1:
+	/* Populate params for c2pnb272w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB272W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB304W1:
+	/* Populate params for c2pnb304w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB304W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB359V1:
+	/* Populate params for c2tnb359v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB359V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB368W1:
+	/* Populate params for c2pnb368w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB368W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB431R1:
+	/* Populate params for c2tnb431r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB431R1, ec_field_GF2m,
+	    params) );
+	break;
+	
+    case SEC_OID_SECG_EC_SECT113R1:
+	/* Populate params for sect113r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT113R2:
+	/* Populate params for sect113r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT131R1:
+	/* Populate params for sect131r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT131R2:
+	/* Populate params for sect131r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163K1:
+	/* Populate params for sect163k1
+	 * (the NIST K-163 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163R1:
+	/* Populate params for sect163r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163R2:
+	/* Populate params for sect163r2
+	 * (the NIST B-163 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT193R1:
+	/* Populate params for sect193r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT193R2:
+	/* Populate params for sect193r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT233K1:
+	/* Populate params for sect233k1
+	 * (the NIST K-233 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT233R1:
+	/* Populate params for sect233r1
+	 * (the NIST B-233 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT239K1:
+	/* Populate params for sect239k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_239K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT283K1:
+        /* Populate params for sect283k1
+	 * (the NIST K-283 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT283R1:
+	/* Populate params for sect283r1
+	 * (the NIST B-283 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT409K1:
+	/* Populate params for sect409k1
+	 * (the NIST K-409 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT409R1:
+	/* Populate params for sect409r1
+	 * (the NIST B-409 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT571K1:
+	/* Populate params for sect571k1
+	 * (the NIST K-571 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT571R1:
+	/* Populate params for sect571r1
+	 * (the NIST B-571 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    /* Prime curves */
+
+    case SEC_OID_ANSIX962_EC_PRIME192V1:
+	/* Populate params for prime192v1 aka secp192r1 
+	 * (the NIST P-192 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME192V2:
+	/* Populate params for prime192v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME192V3:
+	/* Populate params for prime192v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V3, ec_field_GFp,
+	    params) );
+	break;
+	
+    case SEC_OID_ANSIX962_EC_PRIME239V1:
+	/* Populate params for prime239v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME239V2:
+	/* Populate params for prime239v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME239V3:
+	/* Populate params for prime239v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V3, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME256V1:
+	/* Populate params for prime256v1 aka secp256r1
+	 * (the NIST P-256 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_256V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP112R1:
+        /* Populate params for secp112r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP112R2:
+        /* Populate params for secp112r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP128R1:
+        /* Populate params for secp128r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP128R2:
+        /* Populate params for secp128r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R2, ec_field_GFp,
+	    params) );
+	break;
+	
+    case SEC_OID_SECG_EC_SECP160K1:
+        /* Populate params for secp160k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP160R1:
+        /* Populate params for secp160r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP160R2:
+	/* Populate params for secp160r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP192K1:
+	/* Populate params for secp192k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_192K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP224K1:
+	/* Populate params for secp224k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP224R1:
+	/* Populate params for secp224r1 
+	 * (the NIST P-224 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP256K1:
+	/* Populate params for secp256k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_256K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP384R1:
+	/* Populate params for secp384r1
+	 * (the NIST P-384 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_384R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP521R1:
+	/* Populate params for secp521r1 
+	 * (the NIST P-521 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_521R1, ec_field_GFp,
+	    params) );
+	break;
+
+    default:
+	break;
+    };
+
+cleanup:
+    if (!params->cofactor) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+#if EC_DEBUG
+	printf("Unrecognized curve, returning NULL params\n");
+#endif
+    }
+
+    return rv;
+}
+
+SECStatus
+EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams)
+{
+    PRArenaPool *arena;
+    ECParams *params;
+    SECStatus rv = SECFailure;
+
+    /* Initialize an arena for the ECParams structure */
+    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
+	return SECFailure;
+
+    params = (ECParams *)PORT_ArenaZAlloc(arena, sizeof(ECParams));
+    if (!params) {
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+
+    /* Copy the encoded params */
+    SECITEM_AllocItem(arena, &(params->DEREncoding),
+	encodedParams->len);
+    memcpy(params->DEREncoding.data, encodedParams->data, encodedParams->len);
+
+    /* Fill out the rest of the ECParams structure based on 
+     * the encoded params 
+     */
+    rv = EC_FillParams(arena, encodedParams, params);
+    if (rv == SECFailure) {
+	PORT_FreeArena(arena, PR_TRUE);	
+	return SECFailure;
+    } else {
+	*ecparams = params;;
+	return SECSuccess;
+    }
+}
+
+#endif /* NSS_ENABLE_ECC */
diff --git a/security/nss/lib/softoken/fipsaudt.c b/security/nss/lib/softoken/fipsaudt.c
new file mode 100644
index 000000000..d17496deb
--- /dev/null
+++ b/security/nss/lib/softoken/fipsaudt.c
@@ -0,0 +1,351 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Network Security Services (NSS).
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2006
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file implements audit logging required by FIPS 140-2 Security
+ * Level 2.
+ */
+
+#include "prprf.h"
+#include "softoken.h"
+
+/*
+ * Print the value of the returned object handle in the output buffer
+ * on a successful return of the PKCS #11 function.  If the PKCS #11
+ * function failed or the pointer to object handle is NULL (which is
+ * the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
+ * string is stored in the output buffer.
+ *
+ * out: the output buffer
+ * outlen: the length of the output buffer
+ * argName: the name of the "pointer to object handle" argument
+ * phObject: the pointer to object handle
+ * rv: the return value of the PKCS #11 function
+ */
+static void sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
+    const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+    if ((rv == CKR_OK) && phObject) {
+	PR_snprintf(out, outlen,
+	    " *%s=0x%08lX", argName, (PRUint32)*phObject);
+    } else {
+	PORT_Assert(outlen != 0);
+	out[0] = '\0';
+    }
+}
+
+/*
+ * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
+ * which uses <= 49 bytes.
+ */
+#define MECHANISM_BUFSIZE 64
+
+static void sftk_PrintMechanism(char *out, PRUint32 outlen,
+    CK_MECHANISM_PTR pMechanism)
+{
+    if (pMechanism) {
+	/*
+	 * If we change the format string, we need to make sure
+	 * MECHANISM_BUFSIZE is still large enough.  We allow
+	 * 20 bytes for %p on a 64-bit platform.
+	 */
+	PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
+	    pMechanism, (PRUint32)pMechanism->mechanism);
+    } else {
+	PR_snprintf(out, outlen, "%p", pMechanism);
+    }
+}
+
+void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+    CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+    char msg[256];
+    char shObject[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintReturnedObjectHandle(shObject, sizeof shObject,
+	"phObject", phObject, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
+	"phObject=%p)=0x%08lX%s",
+	(PRUint32)hSession, pTemplate, (PRUint32)ulCount,
+	phObject, (PRUint32)rv, shObject);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+    CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
+{
+    char msg[256];
+    char shNewObject[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject,
+	"phNewObject", phNewObject, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+/* WARNING: hObject has been destroyed and can only be printed. */
+void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
+	"pulSize=%p)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pulSize, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    PR_snprintf(msg, sizeof msg,
+	"C_%sInit(hSession=0x%08lX, pMechanism=%s, "
+	"hKey=0x%08lX)=0x%08lX",
+	opName, (PRUint32)hSession, mech,
+	(PRUint32)hKey, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
+	"pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
+	(PRUint32)hSession, mech,
+	pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+    CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
+{
+    char msg[512];
+    char mech[MECHANISM_BUFSIZE];
+    char shPublicKey[32];
+    char shPrivateKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey,
+	"phPublicKey", phPublicKey, rv);
+    sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey,
+	"phPrivateKey", phPrivateKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
+	"pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
+	"pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
+	"phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
+	(PRUint32)hSession, mech,
+	pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
+	pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
+	phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+    CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    PR_snprintf(msg, sizeof msg,
+	"C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
+	"hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
+	(PRUint32)hSession, mech, (PRUint32)hWrappingKey,
+	(PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
+	"hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
+	"pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
+	(PRUint32)hSession, mech,
+	(PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
+	pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[512];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    char sTlsKeys[128];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    if ((rv == CKR_OK) &&
+	(pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
+	CK_SSL3_KEY_MAT_PARAMS *param =
+	    (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
+	CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
+	PR_snprintf(sTlsKeys, sizeof sTlsKeys,
+	    " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
+	    " hClientKey=0x%08lX hServerKey=0x%08lX",
+	    (PRUint32)keymat->hClientMacSecret,
+	    (PRUint32)keymat->hServerMacSecret,
+	    (PRUint32)keymat->hClientKey,
+	    (PRUint32)keymat->hServerKey);
+    } else {
+	sTlsKeys[0] = '\0';
+    }
+    PR_snprintf(msg, sizeof msg,
+	"C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
+	"hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
+	"phKey=%p)=0x%08lX%s%s",
+	(PRUint32)hSession, mech,
+	(PRUint32)hBaseKey, pTemplate,(PRUint32)ulAttributeCount,
+	phKey, (PRUint32)rv, shKey, sTlsKeys);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
new file mode 100644
index 000000000..3a9276ead
--- /dev/null
+++ b/security/nss/lib/softoken/fipstest.c
@@ -0,0 +1,1992 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
+                        /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
+                        /*              and DSA.                         */
+#include "seccomon.h"   /* Required for RSA and DSA. */
+#include "lowkeyi.h"    /* Required for RSA and DSA. */
+#include "pkcs11.h"     /* Required for PKCS #11. */
+#include "secerr.h"
+
+#ifdef NSS_ENABLE_ECC
+#include "ec.h"         /* Required for ECDSA */
+#endif
+
+
+/* FIPS preprocessor directives for RC2-ECB and RC2-CBC.        */
+#define FIPS_RC2_KEY_LENGTH                      5  /*  40-bits */
+#define FIPS_RC2_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_RC2_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for RC4.                        */
+#define FIPS_RC4_KEY_LENGTH                      5  /*  40-bits */
+#define FIPS_RC4_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_RC4_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for DES-ECB and DES-CBC.        */
+#define FIPS_DES_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_DES_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for DES3-CBC and DES3-ECB.      */
+#define FIPS_DES3_ENCRYPT_LENGTH                 8  /*  64-bits */
+#define FIPS_DES3_DECRYPT_LENGTH                 8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for AES-ECB and AES-CBC.        */
+#define FIPS_AES_BLOCK_SIZE                     16  /* 128-bits */
+#define FIPS_AES_ENCRYPT_LENGTH                 16  /* 128-bits */
+#define FIPS_AES_DECRYPT_LENGTH                 16  /* 128-bits */
+#define FIPS_AES_128_KEY_SIZE                   16  /* 128-bits */
+#define FIPS_AES_192_KEY_SIZE                   24  /* 192-bits */
+#define FIPS_AES_256_KEY_SIZE                   32  /* 256-bits */
+
+
+/* FIPS preprocessor directives for message digests             */
+#define FIPS_KNOWN_HASH_MESSAGE_LENGTH          64  /* 512-bits */
+
+
+/* FIPS preprocessor directives for RSA.                         */
+#define FIPS_RSA_TYPE                           siBuffer
+#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH           3 /*   24-bits */
+#define FIPS_RSA_PRIVATE_VERSION_LENGTH           1 /*    8-bits */
+#define FIPS_RSA_MESSAGE_LENGTH                 128 /* 1024-bits */
+#define FIPS_RSA_COEFFICIENT_LENGTH              64 /*  512-bits */
+#define FIPS_RSA_PRIME0_LENGTH                   64 /*  512-bits */
+#define FIPS_RSA_PRIME1_LENGTH                   64 /*  512-bits */
+#define FIPS_RSA_EXPONENT0_LENGTH                64 /*  512-bits */
+#define FIPS_RSA_EXPONENT1_LENGTH                64 /*  512-bits */
+#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH        128 /* 1024-bits */
+#define FIPS_RSA_ENCRYPT_LENGTH                 128 /* 1024-bits */
+#define FIPS_RSA_DECRYPT_LENGTH                 128 /* 1024-bits */
+#define FIPS_RSA_SIGNATURE_LENGTH               128 /* 1024-bits */
+#define FIPS_RSA_MODULUS_LENGTH                 128 /* 1024-bits */
+
+
+/* FIPS preprocessor directives for DSA.                        */
+#define FIPS_DSA_TYPE                           siBuffer
+#define FIPS_DSA_DIGEST_LENGTH                  20 /*  160-bits */
+#define FIPS_DSA_SUBPRIME_LENGTH                20 /*  160-bits */
+#define FIPS_DSA_SIGNATURE_LENGTH               40 /*  320-bits */
+#define FIPS_DSA_PRIME_LENGTH                  128 /* 1024-bits */
+#define FIPS_DSA_BASE_LENGTH                   128 /* 1024-bits */
+
+/* FIPS preprocessor directives for RNG.                        */
+#define FIPS_RNG_XKEY_LENGTH                    32  /* 256-bits */
+
+static CK_RV
+sftk_fips_RC2_PowerUpSelfTest( void )
+{
+    /* RC2 Known Key (40-bits). */
+    static const PRUint8 rc2_known_key[] = { "RSARC" };
+
+    /* RC2-CBC Known Initialization Vector (64-bits). */
+    static const PRUint8 rc2_cbc_known_initialization_vector[] = {"Security"};
+
+    /* RC2 Known Plaintext (64-bits). */
+    static const PRUint8 rc2_ecb_known_plaintext[] = {"Netscape"};
+    static const PRUint8 rc2_cbc_known_plaintext[] = {"Netscape"};
+
+    /* RC2 Known Ciphertext (64-bits). */
+    static const PRUint8 rc2_ecb_known_ciphertext[] = {
+				  0x1a,0x71,0x33,0x54,0x8d,0x5c,0xd2,0x30};
+    static const PRUint8 rc2_cbc_known_ciphertext[] = {
+				  0xff,0x41,0xdb,0x94,0x8a,0x4c,0x33,0xb3};
+
+    /* RC2 variables. */
+    PRUint8        rc2_computed_ciphertext[FIPS_RC2_ENCRYPT_LENGTH];
+    PRUint8        rc2_computed_plaintext[FIPS_RC2_DECRYPT_LENGTH];
+    RC2Context *   rc2_context;
+    unsigned int   rc2_bytes_encrypted;
+    unsigned int   rc2_bytes_decrypted;
+    SECStatus      rc2_status;
+
+
+    /******************************************************/
+    /* RC2-ECB Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     NULL, NSS_RC2,
+                                     FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
+                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
+                              rc2_ecb_known_plaintext,
+                              FIPS_RC2_DECRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_ecb_known_ciphertext,
+                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-ECB Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     NULL, NSS_RC2,
+                                     FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
+                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
+                              rc2_ecb_known_ciphertext,
+                              FIPS_RC2_ENCRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
+                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-CBC Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     rc2_cbc_known_initialization_vector,
+                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
+                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
+                              rc2_cbc_known_plaintext,
+                              FIPS_RC2_DECRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_cbc_known_ciphertext,
+                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-CBC Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     rc2_cbc_known_initialization_vector,
+                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
+                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
+                              rc2_cbc_known_ciphertext,
+                              FIPS_RC2_ENCRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
+                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+sftk_fips_RC4_PowerUpSelfTest( void )
+{
+    /* RC4 Known Key (40-bits). */
+    static const PRUint8 rc4_known_key[] = { "RSARC" };
+
+    /* RC4 Known Plaintext (64-bits). */
+    static const PRUint8 rc4_known_plaintext[] = { "Netscape" };
+
+    /* RC4 Known Ciphertext (64-bits). */
+    static const PRUint8 rc4_known_ciphertext[] = {
+				0x29,0x33,0xc7,0x9a,0x9d,0x6c,0x09,0xdd};
+
+    /* RC4 variables. */
+    PRUint8        rc4_computed_ciphertext[FIPS_RC4_ENCRYPT_LENGTH];
+    PRUint8        rc4_computed_plaintext[FIPS_RC4_DECRYPT_LENGTH];
+    RC4Context *   rc4_context;
+    unsigned int   rc4_bytes_encrypted;
+    unsigned int   rc4_bytes_decrypted;
+    SECStatus      rc4_status;
+
+
+    /**************************************************/
+    /* RC4 Single-Round Known Answer Encryption Test: */
+    /**************************************************/
+
+    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
+
+    if( rc4_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc4_status = RC4_Encrypt( rc4_context, rc4_computed_ciphertext,
+                              &rc4_bytes_encrypted, FIPS_RC4_ENCRYPT_LENGTH,
+                              rc4_known_plaintext, FIPS_RC4_DECRYPT_LENGTH );
+
+    RC4_DestroyContext( rc4_context, PR_TRUE );
+
+    if( ( rc4_status != SECSuccess ) ||
+        ( rc4_bytes_encrypted != FIPS_RC4_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc4_computed_ciphertext, rc4_known_ciphertext,
+                       FIPS_RC4_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /**************************************************/
+    /* RC4 Single-Round Known Answer Decryption Test: */
+    /**************************************************/
+
+    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
+
+    if( rc4_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc4_status = RC4_Decrypt( rc4_context, rc4_computed_plaintext,
+                              &rc4_bytes_decrypted, FIPS_RC4_DECRYPT_LENGTH,
+                              rc4_known_ciphertext, FIPS_RC4_ENCRYPT_LENGTH );
+
+    RC4_DestroyContext( rc4_context, PR_TRUE );
+
+    if( ( rc4_status != SECSuccess ) ||
+        ( rc4_bytes_decrypted != FIPS_RC4_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc4_computed_plaintext, rc4_known_plaintext,
+                       FIPS_RC4_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+sftk_fips_DES_PowerUpSelfTest( void )
+{
+    /* DES Known Key (56-bits). */
+    static const PRUint8 des_known_key[] = { "ANSI DES" };
+
+    /* DES-CBC Known Initialization Vector (64-bits). */
+    static const PRUint8 des_cbc_known_initialization_vector[] = { "Security" };
+
+    /* DES Known Plaintext (64-bits). */
+    static const PRUint8 des_ecb_known_plaintext[] = { "Netscape" };
+    static const PRUint8 des_cbc_known_plaintext[] = { "Netscape" };
+
+    /* DES Known Ciphertext (64-bits). */
+    static const PRUint8 des_ecb_known_ciphertext[] = {
+			       0x26,0x14,0xe9,0xc3,0x28,0x80,0x50,0xb0};
+    static const PRUint8 des_cbc_known_ciphertext[]  = {
+			       0x5e,0x95,0x94,0x5d,0x76,0xa2,0xd3,0x7d};
+
+    /* DES variables. */
+    PRUint8        des_computed_ciphertext[FIPS_DES_ENCRYPT_LENGTH];
+    PRUint8        des_computed_plaintext[FIPS_DES_DECRYPT_LENGTH];
+    DESContext *   des_context;
+    unsigned int   des_bytes_encrypted;
+    unsigned int   des_bytes_decrypted;
+    SECStatus      des_status;
+
+
+    /******************************************************/
+    /* DES-ECB Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_TRUE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
+                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
+                              des_ecb_known_plaintext,
+                              FIPS_DES_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_ciphertext, des_ecb_known_ciphertext,
+                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-ECB Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_FALSE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Decrypt( des_context, des_computed_plaintext,
+                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
+                              des_ecb_known_ciphertext,
+                              FIPS_DES_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_plaintext, des_ecb_known_plaintext,
+                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-CBC Single-Round Known Answer Encryption Test. */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key,
+                                     des_cbc_known_initialization_vector,
+                                     NSS_DES_CBC, PR_TRUE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
+                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
+                              des_cbc_known_plaintext,
+                              FIPS_DES_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_ciphertext, des_cbc_known_ciphertext,
+                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-CBC Single-Round Known Answer Decryption Test. */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key,
+                                     des_cbc_known_initialization_vector,
+                                     NSS_DES_CBC, PR_FALSE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Decrypt( des_context, des_computed_plaintext,
+                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
+                              des_cbc_known_ciphertext,
+                              FIPS_DES_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_plaintext, des_cbc_known_plaintext,
+                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+sftk_fips_DES3_PowerUpSelfTest( void )
+{
+    /* DES3 Known Key (56-bits). */
+    static const PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" };
+
+    /* DES3-CBC Known Initialization Vector (64-bits). */
+    static const PRUint8 des3_cbc_known_initialization_vector[] = { "Security" };
+
+    /* DES3 Known Plaintext (64-bits). */
+    static const PRUint8 des3_ecb_known_plaintext[] = { "Netscape" };
+    static const PRUint8 des3_cbc_known_plaintext[] = { "Netscape" };
+
+    /* DES3 Known Ciphertext (64-bits). */
+    static const PRUint8 des3_ecb_known_ciphertext[] = {
+			   0x55,0x8e,0xad,0x3c,0xee,0x49,0x69,0xbe};
+    static const PRUint8 des3_cbc_known_ciphertext[] = {
+			   0x43,0xdc,0x6a,0xc1,0xaf,0xa6,0x32,0xf5};
+
+    /* DES3 variables. */
+    PRUint8        des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH];
+    PRUint8        des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH];
+    DESContext *   des3_context;
+    unsigned int   des3_bytes_encrypted;
+    unsigned int   des3_bytes_decrypted;
+    SECStatus      des3_status;
+
+
+    /*******************************************************/
+    /* DES3-ECB Single-Round Known Answer Encryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key, NULL,
+                                     NSS_DES_EDE3, PR_TRUE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
+                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
+                               des3_ecb_known_plaintext,
+                               FIPS_DES3_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_ciphertext, des3_ecb_known_ciphertext,
+                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-ECB Single-Round Known Answer Decryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key, NULL,
+                                     NSS_DES_EDE3, PR_FALSE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
+                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
+                               des3_ecb_known_ciphertext,
+                               FIPS_DES3_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_plaintext, des3_ecb_known_plaintext,
+                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-CBC Single-Round Known Answer Encryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key,
+                                      des3_cbc_known_initialization_vector,
+                                      NSS_DES_EDE3_CBC, PR_TRUE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
+                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
+                               des3_cbc_known_plaintext,
+                               FIPS_DES3_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_ciphertext, des3_cbc_known_ciphertext,
+                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-CBC Single-Round Known Answer Decryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key,
+                                      des3_cbc_known_initialization_vector,
+                                      NSS_DES_EDE3_CBC, PR_FALSE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
+                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
+                               des3_cbc_known_ciphertext,
+                               FIPS_DES3_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_plaintext, des3_cbc_known_plaintext,
+                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+/* AES self-test for 128-bit, 192-bit, or 256-bit key sizes*/
+static CK_RV
+sftk_fips_AES_PowerUpSelfTest( int aes_key_size )
+{
+    /* AES Known Key (up to 256-bits). */
+    static const PRUint8 aes_known_key[] = 
+        { "AES-128 RIJNDAELLEADNJIR 821-SEA" };
+
+    /* AES-CBC Known Initialization Vector (128-bits). */
+    static const PRUint8 aes_cbc_known_initialization_vector[] = 
+        { "SecurityytiruceS" };
+
+    /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */
+    static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" };
+
+    /* AES Known Ciphertext (128-bit key). */
+    static const PRUint8 aes_ecb128_known_ciphertext[] = {
+        0x3c,0xa5,0x96,0xf3,0x34,0x6a,0x96,0xc1,
+        0x03,0x88,0x16,0x7b,0x20,0xbf,0x35,0x47 };
+
+    static const PRUint8 aes_cbc128_known_ciphertext[]  = {
+        0xcf,0x15,0x1d,0x4f,0x96,0xe4,0x4f,0x63,
+        0x15,0x54,0x14,0x1d,0x4e,0xd8,0xd5,0xea };
+
+    /* AES Known Ciphertext (192-bit key). */
+    static const PRUint8 aes_ecb192_known_ciphertext[] = { 
+        0xa0,0x18,0x62,0xed,0x88,0x19,0xcb,0x62,
+        0x88,0x1d,0x4d,0xfe,0x84,0x02,0x89,0x0e };
+
+    static const PRUint8 aes_cbc192_known_ciphertext[]  = { 
+        0x83,0xf7,0xa4,0x76,0xd1,0x6f,0x07,0xbe,
+        0x07,0xbc,0x43,0x2f,0x6d,0xad,0x29,0xe1 };
+
+    /* AES Known Ciphertext (256-bit key). */
+    static const PRUint8 aes_ecb256_known_ciphertext[] = { 
+        0xdb,0xa6,0x52,0x01,0x8a,0x70,0xae,0x66,
+        0x3a,0x99,0xd8,0x95,0x7f,0xfb,0x01,0x67 };
+    
+    static const PRUint8 aes_cbc256_known_ciphertext[]  = { 
+        0x37,0xea,0x07,0x06,0x31,0x1c,0x59,0x27,
+        0xc5,0xc5,0x68,0x71,0x6e,0x34,0x40,0x16 };
+
+    const PRUint8 *aes_ecb_known_ciphertext =
+        ( aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext :
+        ( aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext :
+                                aes_ecb256_known_ciphertext;
+
+    const PRUint8 *aes_cbc_known_ciphertext =
+        ( aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext :
+        ( aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext :
+                                aes_cbc256_known_ciphertext;
+
+    /* AES variables. */
+    PRUint8        aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH];
+    PRUint8        aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH];
+    AESContext *   aes_context;
+    unsigned int   aes_bytes_encrypted;
+    unsigned int   aes_bytes_decrypted;
+    SECStatus      aes_status;
+
+    /*check if aes_key_size is 128, 192, or 256 bits */
+    if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && 
+        (aes_key_size != FIPS_AES_192_KEY_SIZE) && 
+        (aes_key_size != FIPS_AES_256_KEY_SIZE)) 
+            return( CKR_DEVICE_ERROR );
+
+    /******************************************************/
+    /* AES-ECB Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    aes_context = AES_CreateContext( aes_known_key, NULL, NSS_AES, PR_TRUE,
+                                     aes_key_size, FIPS_AES_BLOCK_SIZE );
+
+    if( aes_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    aes_status = AES_Encrypt( aes_context, aes_computed_ciphertext,
+                              &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH,
+                              aes_known_plaintext,
+                              FIPS_AES_DECRYPT_LENGTH );
+    
+    AES_DestroyContext( aes_context, PR_TRUE );
+
+    if( ( aes_status != SECSuccess ) ||
+        ( aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( aes_computed_ciphertext, aes_ecb_known_ciphertext,
+                       FIPS_AES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* AES-ECB Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    aes_context = AES_CreateContext( aes_known_key, NULL, NSS_AES, PR_FALSE,
+                                     aes_key_size, FIPS_AES_BLOCK_SIZE );
+
+    if( aes_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    aes_status = AES_Decrypt( aes_context, aes_computed_plaintext,
+                              &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH,
+                              aes_ecb_known_ciphertext,
+                              FIPS_AES_ENCRYPT_LENGTH );
+
+    AES_DestroyContext( aes_context, PR_TRUE );
+
+    if( ( aes_status != SECSuccess ) ||         
+        ( aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( aes_computed_plaintext, aes_known_plaintext,
+                       FIPS_AES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* AES-CBC Single-Round Known Answer Encryption Test. */
+    /******************************************************/
+
+    aes_context = AES_CreateContext( aes_known_key,
+                                     aes_cbc_known_initialization_vector,
+                                     NSS_AES_CBC, PR_TRUE, aes_key_size, 
+                                     FIPS_AES_BLOCK_SIZE );
+
+    if( aes_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    aes_status = AES_Encrypt( aes_context, aes_computed_ciphertext,
+                              &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH,
+                              aes_known_plaintext,
+                              FIPS_AES_DECRYPT_LENGTH );
+
+    AES_DestroyContext( aes_context, PR_TRUE );
+
+    if( ( aes_status != SECSuccess ) ||
+        ( aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( aes_computed_ciphertext, aes_cbc_known_ciphertext,
+                       FIPS_AES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* AES-CBC Single-Round Known Answer Decryption Test. */
+    /******************************************************/
+
+    aes_context = AES_CreateContext( aes_known_key,
+                                     aes_cbc_known_initialization_vector,
+                                     NSS_AES_CBC, PR_FALSE, aes_key_size, 
+                                     FIPS_AES_BLOCK_SIZE );
+
+    if( aes_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    aes_status = AES_Decrypt( aes_context, aes_computed_plaintext,
+                              &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH,
+                              aes_cbc_known_ciphertext,
+                              FIPS_AES_ENCRYPT_LENGTH );
+
+    AES_DestroyContext( aes_context, PR_TRUE );
+
+    if( ( aes_status != SECSuccess ) ||
+        ( aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( aes_computed_plaintext, aes_known_plaintext,
+                       FIPS_AES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+/* Known Hash Message (512-bits).  Used for all hashes (incl. SHA-N [N>1]). */
+static const PRUint8 known_hash_message[] = {
+  "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
+
+
+static CK_RV
+sftk_fips_MD2_PowerUpSelfTest( void )
+{
+    /* MD2 Known Digest Message (128-bits). */
+    static const PRUint8 md2_known_digest[]  = {
+                                   0x41,0x5a,0x12,0xb2,0x3f,0x28,0x97,0x17,
+                                   0x0c,0x71,0x4e,0xcc,0x40,0xc8,0x1d,0x1b};
+
+    /* MD2 variables. */
+    MD2Context * md2_context;
+    unsigned int md2_bytes_hashed;
+    PRUint8      md2_computed_digest[MD2_LENGTH];
+
+
+    /***********************************************/
+    /* MD2 Single-Round Known Answer Hashing Test. */
+    /***********************************************/
+
+    md2_context = MD2_NewContext();
+
+    if( md2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    MD2_Begin( md2_context );
+
+    MD2_Update( md2_context, known_hash_message,
+                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    MD2_End( md2_context, md2_computed_digest, &md2_bytes_hashed, MD2_LENGTH );
+
+    MD2_DestroyContext( md2_context , PR_TRUE );
+    
+    if( ( md2_bytes_hashed != MD2_LENGTH ) ||
+        ( PORT_Memcmp( md2_computed_digest, md2_known_digest,
+                       MD2_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+sftk_fips_MD5_PowerUpSelfTest( void )
+{
+    /* MD5 Known Digest Message (128-bits). */
+    static const PRUint8 md5_known_digest[]  = {
+				   0x25,0xc8,0xc0,0x10,0xc5,0x6e,0x68,0x28,
+				   0x28,0xa4,0xa5,0xd2,0x98,0x9a,0xea,0x2d};
+
+    /* MD5 variables. */
+    PRUint8        md5_computed_digest[MD5_LENGTH];
+    SECStatus      md5_status;
+
+
+    /***********************************************/
+    /* MD5 Single-Round Known Answer Hashing Test. */
+    /***********************************************/
+
+    md5_status = MD5_HashBuf( md5_computed_digest, known_hash_message,
+                              FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( md5_status != SECSuccess ) ||
+        ( PORT_Memcmp( md5_computed_digest, md5_known_digest,
+                       MD5_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+/****************************************************/
+/* Single Round HMAC SHA-X test                     */
+/****************************************************/
+static SECStatus
+sftk_fips_HMAC(unsigned char *hmac_computed,
+               const PRUint8 *secret_key,
+               unsigned int secret_key_length,
+               const PRUint8 *message,
+               unsigned int message_length,
+               HASH_HashType hashAlg )
+{
+    SECStatus hmac_status = SECFailure;
+    HMACContext *cx = NULL;
+    SECHashObject *hashObj = NULL;
+    unsigned int bytes_hashed = 0;
+
+    hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
+ 
+    if (!hashObj) 
+        return( SECFailure );
+
+    cx = HMAC_Create(hashObj, secret_key, 
+                     secret_key_length, 
+                     PR_TRUE);  /* PR_TRUE for in FIPS mode */
+
+    if (cx == NULL) 
+        return( SECFailure );
+
+    HMAC_Begin(cx);
+    HMAC_Update(cx, message, message_length);
+    hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
+                              hashObj->length);
+
+    HMAC_Destroy(cx, PR_TRUE);
+
+    return( hmac_status );
+}
+
+static CK_RV
+sftk_fips_HMAC_PowerUpSelfTest( void )
+{
+    static const PRUint8 HMAC_known_secret_key[] = {
+                         "Firefox and ThunderBird are awesome!"};
+
+    static const PRUint8 HMAC_known_secret_key_length 
+                         = sizeof HMAC_known_secret_key;
+
+    /* known SHA1 hmac (20 bytes) */
+    static const PRUint8 known_SHA1_hmac[] = {
+        0xd5, 0x85, 0xf6, 0x5b, 0x39, 0xfa, 0xb9, 0x05, 
+        0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 
+        0x5d, 0x0e, 0x1e, 0x11};
+
+    /* known SHA256 hmac (32 bytes) */
+    static const PRUint8 known_SHA256_hmac[] = {
+        0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, 
+        0xe2, 0x46, 0x4b, 0x92, 0x22, 0x14, 0x22, 0xe0, 
+        0x1b, 0x92, 0x8a, 0x0c, 0xfe, 0xf5, 0x49, 0xe9, 
+        0xa7, 0x1b, 0x56, 0x7d, 0x1d, 0x29, 0x40, 0x48};        
+
+    /* known SHA384 hmac (48 bytes) */
+    static const PRUint8 known_SHA384_hmac[] = {
+        0xcd, 0x56, 0x14, 0xec, 0x05, 0x53, 0x06, 0x2b,
+        0x7e, 0x9c, 0x8a, 0x18, 0x5e, 0xea, 0xf3, 0x91,
+        0x33, 0xfb, 0x64, 0xf6, 0xe3, 0x9f, 0x89, 0x0b,
+        0xaf, 0xbe, 0x83, 0x4d, 0x3f, 0x3c, 0x43, 0x4d,
+        0x4a, 0x0c, 0x56, 0x98, 0xf8, 0xca, 0xb4, 0xaa,
+        0x9a, 0xf4, 0x0a, 0xaf, 0x4f, 0x69, 0xca, 0x87};
+
+    /* known SHA512 hmac (64 bytes) */
+    static const PRUint8 known_SHA512_hmac[] = {
+        0xf6, 0x0e, 0x97, 0x12, 0x00, 0x67, 0x6e, 0xb9,
+        0x0c, 0xb2, 0x63, 0xf0, 0x60, 0xac, 0x75, 0x62,
+        0x70, 0x95, 0x2a, 0x52, 0x22, 0xee, 0xdd, 0xd2,
+        0x71, 0xb1, 0xe8, 0x26, 0x33, 0xd3, 0x13, 0x27,
+        0xcb, 0xff, 0x44, 0xef, 0x87, 0x97, 0x16, 0xfb,
+        0xd3, 0x0b, 0x48, 0xbe, 0x12, 0x4e, 0xda, 0xb1,
+        0x89, 0x90, 0xfb, 0x06, 0x0c, 0xbe, 0xe5, 0xc4,
+        0xff, 0x24, 0x37, 0x3d, 0xc7, 0xe4, 0xe4, 0x37};
+
+    SECStatus    hmac_status;
+    PRUint8      hmac_computed[HASH_LENGTH_MAX]; 
+
+    /***************************************************/
+    /* HMAC SHA-1 Single-Round Known Answer HMAC Test. */
+    /***************************************************/
+
+    hmac_status = sftk_fips_HMAC(hmac_computed, 
+                                 HMAC_known_secret_key,
+                                 HMAC_known_secret_key_length,
+                                 known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
+                                 HASH_AlgSHA1); 
+
+    if( ( hmac_status != SECSuccess ) || 
+        ( PORT_Memcmp( hmac_computed, known_SHA1_hmac,
+                       SHA1_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* HMAC SHA-256 Single-Round Known Answer Test.    */
+    /***************************************************/
+
+    hmac_status = sftk_fips_HMAC(hmac_computed, 
+                                 HMAC_known_secret_key,
+                                 HMAC_known_secret_key_length,
+                                 known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
+                                 HASH_AlgSHA256); 
+
+    if( ( hmac_status != SECSuccess ) || 
+        ( PORT_Memcmp( hmac_computed, known_SHA256_hmac,
+                       SHA256_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* HMAC SHA-384 Single-Round Known Answer Test.    */
+    /***************************************************/
+
+    hmac_status = sftk_fips_HMAC(hmac_computed,
+                                 HMAC_known_secret_key,
+                                 HMAC_known_secret_key_length,
+                                 known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
+                                 HASH_AlgSHA384);
+
+    if( ( hmac_status != SECSuccess ) ||
+        ( PORT_Memcmp( hmac_computed, known_SHA384_hmac,
+                       SHA384_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* HMAC SHA-512 Single-Round Known Answer Test.    */
+    /***************************************************/
+
+    hmac_status = sftk_fips_HMAC(hmac_computed,
+                                 HMAC_known_secret_key,
+                                 HMAC_known_secret_key_length,
+                                 known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
+                                 HASH_AlgSHA512);
+
+    if( ( hmac_status != SECSuccess ) ||
+        ( PORT_Memcmp( hmac_computed, known_SHA512_hmac,
+                       SHA512_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+static CK_RV
+sftk_fips_SHA_PowerUpSelfTest( void )
+{
+    /* SHA-1 Known Digest Message (160-bits). */
+    static const PRUint8 sha1_known_digest[] = {
+			       0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
+			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
+			       0xe0,0x68,0x47,0x7a};
+
+    /* SHA-256 Known Digest Message (256-bits). */
+    static const PRUint8 sha256_known_digest[] = {
+        0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
+        0x11,0xd4,0x0b,0xdc,0xce,0x35,0x14,0x8d,
+        0xf2,0xdd,0xaf,0xaf,0xcf,0xb7,0x87,0xe9,
+        0x96,0xa5,0xd2,0x83,0x62,0x46,0x56,0x79};
+ 
+    /* SHA-384 Known Digest Message (384-bits). */
+    static const PRUint8 sha384_known_digest[] = {
+        0x11,0xfe,0x1c,0x00,0x89,0x48,0xde,0xb3,
+        0x99,0xee,0x1c,0x18,0xb4,0x10,0xfb,0xfe,
+        0xe3,0xa8,0x2c,0xf3,0x04,0xb0,0x2f,0xc8,
+        0xa3,0xc4,0x5e,0xea,0x7e,0x60,0x48,0x7b,
+        0xce,0x2c,0x62,0xf7,0xbc,0xa7,0xe8,0xa3,
+        0xcf,0x24,0xce,0x9c,0xe2,0x8b,0x09,0x72};
+
+    /* SHA-512 Known Digest Message (512-bits). */
+    static const PRUint8 sha512_known_digest[] = {
+        0xc8,0xb3,0x27,0xf9,0x0b,0x24,0xc8,0xbf,
+        0x4c,0xba,0x33,0x54,0xf2,0x31,0xbf,0xdb,
+        0xab,0xfd,0xb3,0x15,0xd7,0xfa,0x48,0x99,
+        0x07,0x60,0x0f,0x57,0x41,0x1a,0xdd,0x28,
+        0x12,0x55,0x25,0xac,0xba,0x3a,0x99,0x12,
+        0x2c,0x7a,0x8f,0x75,0x3a,0xe1,0x06,0x6f,
+        0x30,0x31,0xc9,0x33,0xc6,0x1b,0x90,0x1a,
+        0x6c,0x98,0x9a,0x87,0xd0,0xb2,0xf8,0x07};
+
+    /* SHA-X variables. */
+    PRUint8        sha_computed_digest[HASH_LENGTH_MAX];
+    SECStatus      sha_status;
+
+    /*************************************************/
+    /* SHA-1 Single-Round Known Answer Hashing Test. */
+    /*************************************************/
+
+    sha_status = SHA1_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+ 
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha1_known_digest,
+                       SHA1_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* SHA-256 Single-Round Known Answer Hashing Test. */
+    /***************************************************/
+
+    sha_status = SHA256_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha256_known_digest,
+                       SHA256_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* SHA-384 Single-Round Known Answer Hashing Test. */
+    /***************************************************/
+
+    sha_status = SHA384_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha384_known_digest,
+                       SHA384_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    /***************************************************/
+    /* SHA-512 Single-Round Known Answer Hashing Test. */
+    /***************************************************/
+
+    sha_status = SHA512_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha512_known_digest,
+                       SHA512_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+/*
+* Single round RSA Signature Known Answer Test
+*/
+static SECStatus
+sftk_fips_RSA_PowerUpSigSelfTest (HASH_HashType  shaAlg,
+                                  NSSLOWKEYPublicKey *rsa_public_key,
+                                  NSSLOWKEYPrivateKey *rsa_private_key,
+                                  const unsigned char *rsa_known_msg,
+                                  const unsigned int rsa_kmsg_length,
+                                  const unsigned char *rsa_known_signature)
+{
+    SECOidTag      shaOid;   /* SHA OID */
+    unsigned char  sha[HASH_LENGTH_MAX];    /* SHA digest */
+    unsigned int   shaLength = 0;           /* length of SHA */
+    unsigned int   rsa_bytes_signed;
+    unsigned char  rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
+    SECStatus      rv;
+
+    if (shaAlg == HASH_AlgSHA1) {
+        if (SHA1_HashBuf(sha, rsa_known_msg, rsa_kmsg_length)
+                            != SECSuccess) {
+             goto loser;
+        }
+        shaLength = SHA1_LENGTH;
+        shaOid = SEC_OID_SHA1;
+    } else if (shaAlg == HASH_AlgSHA256) {
+        if (SHA256_HashBuf(sha, rsa_known_msg, rsa_kmsg_length)
+                            != SECSuccess) {
+             goto loser;
+        }
+        shaLength = SHA256_LENGTH;
+        shaOid = SEC_OID_SHA256;
+    } else if (shaAlg == HASH_AlgSHA384) {
+        if (SHA384_HashBuf(sha, rsa_known_msg, rsa_kmsg_length)
+                            != SECSuccess) {
+             goto loser;
+        }
+        shaLength = SHA384_LENGTH;
+        shaOid = SEC_OID_SHA384;
+    } else if (shaAlg == HASH_AlgSHA512) {
+        if (SHA512_HashBuf(sha, rsa_known_msg, rsa_kmsg_length)
+                            != SECSuccess) {
+             goto loser;
+        }
+        shaLength = SHA512_LENGTH;
+        shaOid = SEC_OID_SHA512;
+    } else {
+        goto loser;
+    }
+
+    /*************************************************/
+    /* RSA Single-Round Known Answer Signature Test. */
+    /*************************************************/
+
+    /* Perform RSA signature with the RSA private key. */
+    rv = RSA_HashSign( shaOid,
+                       rsa_private_key,
+                       rsa_computed_signature,
+                       &rsa_bytes_signed,
+                       FIPS_RSA_SIGNATURE_LENGTH,
+                       sha,
+                       shaLength);
+
+    if( ( rv != SECSuccess ) ||
+        ( rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH ) ||
+        ( PORT_Memcmp( rsa_computed_signature, rsa_known_signature,
+                       FIPS_RSA_SIGNATURE_LENGTH ) != 0 ) ) {
+        goto loser;
+    }
+
+    /****************************************************/
+    /* RSA Single-Round Known Answer Verification Test. */
+    /****************************************************/
+
+    /* Perform RSA verification with the RSA public key. */
+    rv = RSA_HashCheckSign( shaOid,
+                            rsa_public_key,
+                            rsa_computed_signature,
+                            rsa_bytes_signed,
+                            sha,
+                            shaLength);
+
+    if( rv != SECSuccess ) {
+         goto loser;
+    }
+    return( SECSuccess );
+
+loser:
+
+    return( SECFailure );
+
+}
+
+static CK_RV
+sftk_fips_RSA_PowerUpSelfTest( void )
+{
+    /* RSA Known Modulus used in both Public/Private Key Values (1024-bits). */
+    static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
+                               0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82,
+                               0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71,
+                               0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b,
+                               0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13,
+                               0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc,
+                               0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5,
+                               0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94,
+                               0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29,
+                               0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07,
+                               0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1,
+                               0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05,
+                               0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7,
+                               0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78,
+                               0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c,
+                               0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77,
+                               0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97};
+
+    /* RSA Known Public Key Values (24-bits). */
+    static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] 
+                                                       = { 0x01, 0x00, 0x01 };
+    /* RSA Known Private Key Values (version                 is    8-bits), */
+    /*                              (private exponent        is 1024-bits), */
+    /*                              (private prime0          is  512-bits), */
+    /*                              (private prime1          is  512-bits), */
+    /*                              (private prime exponent0 is  512-bits), */
+    /*                              (private prime exponent1 is  512-bits), */
+    /*                          and (private coefficient     is  512-bits). */
+    static const PRUint8 rsa_version[] = { 0x00 };
+
+    static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH]
+                           = { 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2,
+                               0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f,
+                               0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d,
+                               0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48,
+                               0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03,
+                               0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99,
+                               0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7,
+                               0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06,
+                               0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2,
+                               0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d,
+                               0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef,
+                               0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f,
+                               0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44,
+                               0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5,
+                               0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b,
+                               0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21};
+
+    static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH]   = {
+                               0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee,
+                               0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c,
+                               0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d,
+                               0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8,
+                               0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03,
+                               0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd,
+                               0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc,
+                               0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf};
+    static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH]   = {
+                               0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04,
+                               0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e,
+                               0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11,
+                               0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8,
+                               0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8,
+                               0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93,
+                               0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f,
+                               0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29};
+    static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
+                               0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b,
+                               0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc,
+                               0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1,
+                               0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf,
+                               0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91,
+                               0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50,
+                               0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41,
+                               0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03};
+    static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
+                               0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58,
+                               0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20,
+                               0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f,
+                               0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf,
+                               0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57,
+                               0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7,
+                               0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc,
+                               0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51};
+    static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
+                               0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74,
+                               0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6,
+                               0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e,
+                               0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64,
+                               0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba,
+                               0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d,
+                               0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61,
+                               0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1};
+
+    /* RSA Known Plaintext Message (1024-bits). */
+    static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
+                                         "Known plaintext message utilized" 
+                                         "for RSA Encryption &  Decryption"
+                                         "block, SHA1, SHA256, SHA384  and"
+                                         "SHA512 RSA Signature KAT tests."};
+
+    /* RSA Known Ciphertext (1024-bits). */
+    static const PRUint8 rsa_known_ciphertext[] = {
+                               0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23,
+                               0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb,
+                               0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c,
+                               0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e,
+                               0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a,
+                               0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff,
+                               0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e,
+                               0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12,
+                               0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85,
+                               0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf,
+                               0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c,
+                               0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1,
+                               0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94,
+                               0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe,
+                               0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c,
+                               0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc};
+
+    /* RSA Known Signed Hash (1024-bits). */
+    static const PRUint8 rsa_known_sha1_signature[] = {
+                               0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6,
+                               0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf,
+                               0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4,
+                               0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8,
+                               0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56,
+                               0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08,
+                               0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99,
+                               0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d,
+                               0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32,
+                               0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d,
+                               0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09,
+                               0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73,
+                               0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03,
+                               0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76,
+                               0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d,
+                               0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19};
+
+    /* RSA Known Signed Hash (1024-bits). */
+    static const PRUint8 rsa_known_sha256_signature[] = {
+                               0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3,
+                               0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc,
+                               0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29,
+                               0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7,
+                               0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b,
+                               0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79,
+                               0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5,
+                               0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51,
+                               0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53,
+                               0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc,
+                               0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0,
+                               0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e,
+                               0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46,
+                               0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6,
+                               0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e,
+                               0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d};
+
+    /* RSA Known Signed Hash (1024-bits). */
+    static const PRUint8 rsa_known_sha384_signature[] = {
+                               0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96,
+                               0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f,
+                               0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c,
+                               0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57,
+                               0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9,
+                               0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72,
+                               0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc,
+                               0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1,
+                               0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf,
+                               0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19,
+                               0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71,
+                               0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef,
+                               0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7,
+                               0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1,
+                               0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41,
+                               0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21};
+
+    /* RSA Known Signed Hash (1024-bits). */
+    static const PRUint8 rsa_known_sha512_signature[] = {
+                               0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73,
+                               0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6,
+                               0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46,
+                               0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3,
+                               0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69,
+                               0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43,
+                               0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e,
+                               0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d,
+                               0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3,
+                               0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85,
+                               0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd,
+                               0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a,
+                               0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa,
+                               0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d,
+                               0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06,
+                               0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8};
+
+    static const RSAPublicKey    bl_public_key = { NULL,
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,         
+                                        FIPS_RSA_MODULUS_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, 
+                                        FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
+    };
+    static const RSAPrivateKey   bl_private_key = { NULL,
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_version,          
+                                        FIPS_RSA_PRIVATE_VERSION_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,          
+                                        FIPS_RSA_MODULUS_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,  
+                                        FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent, 
+                                        FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0,           
+                                        FIPS_RSA_PRIME0_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1,           
+                                        FIPS_RSA_PRIME1_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0,        
+                                        FIPS_RSA_EXPONENT0_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1,        
+                                        FIPS_RSA_EXPONENT1_LENGTH },
+      { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient,      
+                                        FIPS_RSA_COEFFICIENT_LENGTH }
+    };
+
+    /* RSA variables. */
+#ifdef CREATE_TEMP_ARENAS
+    PLArenaPool *         rsa_public_arena;
+    PLArenaPool *         rsa_private_arena;
+#endif
+    NSSLOWKEYPublicKey *  rsa_public_key;
+    NSSLOWKEYPrivateKey * rsa_private_key;
+    SECStatus             rsa_status;
+
+    NSSLOWKEYPublicKey    low_public_key   = { NULL, NSSLOWKEYRSAKey, };
+    NSSLOWKEYPrivateKey   low_private_key  = { NULL, NSSLOWKEYRSAKey, };
+    PRUint8               rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH];
+    PRUint8               rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH];
+
+    /****************************************/
+    /* Compose RSA Public/Private Key Pair. */
+    /****************************************/
+
+    low_public_key.u.rsa  = bl_public_key;
+    low_private_key.u.rsa = bl_private_key;
+
+    rsa_public_key  = &low_public_key;
+    rsa_private_key = &low_private_key;
+
+#ifdef CREATE_TEMP_ARENAS
+    /* Create some space for the RSA public key. */
+    rsa_public_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
+
+    if( rsa_public_arena == NULL ) {
+        PORT_SetError( SEC_ERROR_NO_MEMORY );
+        return( CKR_HOST_MEMORY );
+    }
+
+    /* Create some space for the RSA private key. */
+    rsa_private_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
+
+    if( rsa_private_arena == NULL ) {
+        PORT_FreeArena( rsa_public_arena, PR_TRUE );
+        PORT_SetError( SEC_ERROR_NO_MEMORY );
+        return( CKR_HOST_MEMORY );
+    }
+
+    rsa_public_key->arena = rsa_public_arena;
+    rsa_private_key->arena = rsa_private_arena;
+#endif
+
+    /**************************************************/
+    /* RSA Single-Round Known Answer Encryption Test. */
+    /**************************************************/
+
+    /* Perform RSA Public Key Encryption. */
+    rsa_status = RSA_PublicKeyOp(&rsa_public_key->u.rsa,
+                                 rsa_computed_ciphertext,
+                                 rsa_known_plaintext_msg);
+
+    if( ( rsa_status != SECSuccess ) ||
+        ( PORT_Memcmp( rsa_computed_ciphertext, rsa_known_ciphertext,
+                       FIPS_RSA_ENCRYPT_LENGTH ) != 0 ) )
+        goto rsa_loser;
+
+    /**************************************************/
+    /* RSA Single-Round Known Answer Decryption Test. */
+    /**************************************************/
+
+    /* Perform RSA Private Key Decryption. */
+    rsa_status = RSA_PrivateKeyOp(&rsa_private_key->u.rsa,
+                                  rsa_computed_plaintext,
+                                  rsa_known_ciphertext);
+
+    if( ( rsa_status != SECSuccess ) ||
+        ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext_msg,
+                       FIPS_RSA_DECRYPT_LENGTH ) != 0 ) )
+        goto rsa_loser;
+
+    rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA1,
+                           rsa_public_key, rsa_private_key,
+                           rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, 
+                           rsa_known_sha1_signature);
+    if( rsa_status != SECSuccess )
+        goto rsa_loser;
+
+    rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA256,
+                           rsa_public_key, rsa_private_key,
+                           rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+                           rsa_known_sha256_signature);
+    if( rsa_status != SECSuccess )
+        goto rsa_loser;
+
+    rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA384,
+                           rsa_public_key, rsa_private_key,
+                           rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+                           rsa_known_sha384_signature);
+    if( rsa_status != SECSuccess )
+        goto rsa_loser;
+
+    rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA512,
+                           rsa_public_key, rsa_private_key,
+                           rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+                           rsa_known_sha512_signature);
+    if( rsa_status != SECSuccess )
+        goto rsa_loser;
+
+    /* Dispose of all RSA key material. */
+    nsslowkey_DestroyPublicKey( rsa_public_key );
+    nsslowkey_DestroyPrivateKey( rsa_private_key );
+
+    return( CKR_OK );
+
+rsa_loser:
+
+    nsslowkey_DestroyPublicKey( rsa_public_key );
+    nsslowkey_DestroyPrivateKey( rsa_private_key );
+
+    return( CKR_DEVICE_ERROR );
+}
+
+#ifdef NSS_ENABLE_ECC
+
+static CK_RV
+sftk_fips_ECDSA_Test(const PRUint8 *encodedParams, 
+                     unsigned int encodedParamsLen,
+                     const PRUint8 *knownSignature, 
+                     unsigned int knownSignatureLen) {
+
+    /* ECDSA Known Seed info for curves nistp256 and nistk283  */
+    static const PRUint8 ecdsa_Known_Seed[] = {
+                            0x6a, 0x9b, 0xf6, 0xf7, 0xce, 0xed, 0x79, 0x11,
+                            0xf0, 0xc7, 0xc8, 0x9a, 0xa5, 0xd1, 0x57, 0xb1,
+                            0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc,
+                            0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f};
+
+    static const PRUint8 msg[] = {
+                            "Firefox and ThunderBird are awesome!"};
+
+    unsigned char sha1[SHA1_LENGTH];  /* SHA-1 hash (160 bits) */
+    unsigned char sig[2*MAX_ECKEY_LEN];
+    SECItem signature, digest;
+    SECItem encodedparams;
+    ECParams *ecparams = NULL;
+    ECPrivateKey *ecdsa_private_key = NULL;
+    ECPublicKey ecdsa_public_key;
+    SECStatus ecdsaStatus = SECSuccess;
+
+    /* construct the ECDSA private/public key pair */
+    encodedparams.type = siBuffer;
+    encodedparams.data = (unsigned char *) encodedParams;
+    encodedparams.len = encodedParamsLen;
+    
+    if (EC_DecodeParams(&encodedparams, &ecparams) != SECSuccess) {
+        return( CKR_DEVICE_ERROR );
+    }
+
+    /* Generates a new EC key pair. The private key is a supplied
+     * random value (in seed) and the public key is the result of 
+     * performing a scalar point multiplication of that value with 
+     * the curve's base point.
+     */
+    ecdsaStatus = EC_NewKeyFromSeed(ecparams, &ecdsa_private_key, 
+                                   ecdsa_Known_Seed, 
+                                   sizeof(ecdsa_Known_Seed));
+    /* free the ecparams they are no longer needed */
+    PORT_FreeArena(ecparams->arena, PR_FALSE);
+    ecparams = NULL;
+    if (ecdsaStatus != SECSuccess) {
+        return ( CKR_DEVICE_ERROR );    
+    }
+
+    /* construct public key from private key. */
+    ecdsaStatus = EC_CopyParams(ecdsa_private_key->ecParams.arena, 
+                                &ecdsa_public_key.ecParams,
+                                &ecdsa_private_key->ecParams);
+    if (ecdsaStatus != SECSuccess) {
+        goto loser;
+    }
+    ecdsa_public_key.publicValue = ecdsa_private_key->publicValue;
+
+    /* validate public key value */
+    ecdsaStatus = EC_ValidatePublicKey(&ecdsa_public_key.ecParams, 
+                                       &ecdsa_public_key.publicValue);
+    if (ecdsaStatus != SECSuccess) {
+        goto loser;
+    }
+
+    /* validate public key value */
+    ecdsaStatus = EC_ValidatePublicKey(&ecdsa_private_key->ecParams, 
+                                       &ecdsa_private_key->publicValue);
+    if (ecdsaStatus != SECSuccess) {
+        goto loser;
+    }
+
+    /***************************************************/
+    /* ECDSA Single-Round Known Answer Signature Test. */
+    /***************************************************/
+    
+    ecdsaStatus = SHA1_HashBuf(sha1, msg, sizeof msg);
+    if (ecdsaStatus != SECSuccess) {
+        goto loser;
+    }
+    digest.type = siBuffer;
+    digest.data = sha1;
+    digest.len = SHA1_LENGTH;
+    
+    memset(sig, 0, sizeof sig);
+    signature.type = siBuffer;
+    signature.data = sig;
+    signature.len = sizeof sig;
+    
+    ecdsaStatus = ECDSA_SignDigestWithSeed(ecdsa_private_key, &signature, 
+                         &digest, ecdsa_Known_Seed, sizeof ecdsa_Known_Seed);
+    if (ecdsaStatus != SECSuccess) {
+        goto loser;
+    }
+
+    if( ( signature.len != knownSignatureLen ) ||
+        ( PORT_Memcmp( signature.data, knownSignature,
+                    knownSignatureLen ) != 0 ) ) {
+        ecdsaStatus = SECFailure;
+        goto loser;
+    }
+    
+    /******************************************************/
+    /* ECDSA Single-Round Known Answer Verification Test. */
+    /******************************************************/
+
+    /* Perform ECDSA verification process. */
+    ecdsaStatus = ECDSA_VerifyDigest(&ecdsa_public_key, &signature, &digest);
+
+loser:
+    /* free the memory for the private key arena*/
+    if (ecdsa_private_key != NULL) {
+        PORT_FreeArena(ecdsa_private_key->ecParams.arena, PR_FALSE);
+    }
+
+    if (ecdsaStatus != SECSuccess) {
+        return CKR_DEVICE_ERROR ;
+    }
+    return( CKR_OK );
+}
+
+static CK_RV
+sftk_fips_ECDSA_PowerUpSelfTest() {
+
+   /* ECDSA Known curve nistp256 == SEC_OID_SECG_EC_SECP256R1 params */
+    static const PRUint8 ecdsa_known_P256_EncodedParams[] = {
+                            0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,
+                            0x01,0x07};
+
+    static const PRUint8 ecdsa_known_P256_signature[] = {
+                            0x07,0xb1,0xcb,0x57,0x20,0xa7,0x10,0xd6, 
+                            0x9d,0x37,0x4b,0x1c,0xdc,0x35,0x90,0xff, 
+                            0x1a,0x2d,0x98,0x95,0x1b,0x2f,0xeb,0x7f, 
+                            0xbb,0x81,0xca,0xc0,0x69,0x75,0xea,0xc5,
+                            0x59,0x6a,0x62,0x49,0x3d,0x50,0xc9,0xe1, 
+                            0x27,0x3b,0xff,0x9b,0x13,0x66,0x67,0xdd, 
+                            0x7d,0xd1,0x0d,0x2d,0x7c,0x44,0x04,0x1b, 
+                            0x16,0x21,0x12,0xc5,0xcb,0xbd,0x9e,0x75};
+
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+    /* ECDSA Known curve nistk283 == SEC_OID_SECG_EC_SECT283K1 params */
+    static const PRUint8 ecdsa_known_K283_EncodedParams[] = {
+                            0x06,0x05,0x2b,0x81,0x04,0x00,0x10};
+                         
+    static const PRUint8 ecdsa_known_K283_signature[] = {
+                            0x00,0x45,0x88,0xc0,0x79,0x09,0x07,0xd1, 
+                            0x4e,0x88,0xe6,0xd5,0x2f,0x22,0x04,0x74, 
+                            0x35,0x24,0x65,0xe8,0x15,0xde,0x90,0x66, 
+                            0x94,0x70,0xdd,0x3a,0x14,0x70,0x02,0xd1,
+                            0xef,0x86,0xbd,0x15,0x00,0xd9,0xdc,0xfc, 
+                            0x87,0x2e,0x7c,0x99,0xe2,0xe3,0x79,0xb8, 
+                            0xd9,0x10,0x49,0x78,0x4b,0x59,0x8b,0x05, 
+                            0x77,0xec,0x6c,0xe8,0x35,0xe6,0x2e,0xa9,
+                            0xf9,0x77,0x1f,0x71,0x86,0xa5,0x4a,0xd0};
+#endif
+
+    CK_RV crv;
+
+    /* ECDSA GF(p) prime field curve test */
+    crv = sftk_fips_ECDSA_Test(ecdsa_known_P256_EncodedParams,
+                               sizeof ecdsa_known_P256_EncodedParams,
+                               ecdsa_known_P256_signature,
+                               sizeof ecdsa_known_P256_signature );
+    if (crv != CKR_OK) {
+        return( CKR_DEVICE_ERROR );
+    }
+
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+    /* ECDSA GF(2m) binary field curve test */
+    crv = sftk_fips_ECDSA_Test(ecdsa_known_K283_EncodedParams,
+                               sizeof ecdsa_known_K283_EncodedParams,
+                               ecdsa_known_K283_signature,
+                               sizeof ecdsa_known_K283_signature );
+    if (crv != CKR_OK) {
+        return( CKR_DEVICE_ERROR );
+    }
+#endif
+
+    return( CKR_OK );
+}
+
+#endif    /* NSS_ENABLE_ECC */
+
+static CK_RV
+sftk_fips_DSA_PowerUpSelfTest( void )
+{
+    /* DSA Known P (1024-bits), Q (160-bits), and G (1024-bits) Values. */
+    static const PRUint8 dsa_P[] = {
+         0x80,0xb0,0xd1,0x9d,0x6e,0xa4,0xf3,0x28, 
+         0x9f,0x24,0xa9,0x8a,0x49,0xd0,0x0c,0x63, 
+         0xe8,0x59,0x04,0xf9,0x89,0x4a,0x5e,0xc0, 
+         0x6d,0xd2,0x67,0x6b,0x37,0x81,0x83,0x0c,
+         0xfe,0x3a,0x8a,0xfd,0xa0,0x3b,0x08,0x91, 
+         0x1c,0xcb,0xb5,0x63,0xb0,0x1c,0x70,0xd0, 
+         0xae,0xe1,0x60,0x2e,0x12,0xeb,0x54,0xc7, 
+         0xcf,0xc6,0xcc,0xae,0x97,0x52,0x32,0x63,
+         0xd3,0xeb,0x55,0xea,0x2f,0x4c,0xd5,0xd7, 
+         0x3f,0xda,0xec,0x49,0x27,0x0b,0x14,0x56, 
+         0xc5,0x09,0xbe,0x4d,0x09,0x15,0x75,0x2b, 
+         0xa3,0x42,0x0d,0x03,0x71,0xdf,0x0f,0xf4,
+         0x0e,0xe9,0x0c,0x46,0x93,0x3d,0x3f,0xa6, 
+         0x6c,0xdb,0xca,0xe5,0xac,0x96,0xc8,0x64, 
+         0x5c,0xec,0x4b,0x35,0x65,0xfc,0xfb,0x5a, 
+         0x1b,0x04,0x1b,0xa1,0x0e,0xfd,0x88,0x15};
+        
+    static const PRUint8 dsa_Q[] = {
+         0xad,0x22,0x59,0xdf,0xe5,0xec,0x4c,0x6e, 
+         0xf9,0x43,0xf0,0x4b,0x2d,0x50,0x51,0xc6, 
+         0x91,0x99,0x8b,0xcf};
+        
+    static const PRUint8 dsa_G[] = {
+         0x78,0x6e,0xa9,0xd8,0xcd,0x4a,0x85,0xa4, 
+         0x45,0xb6,0x6e,0x5d,0x21,0x50,0x61,0xf6, 
+         0x5f,0xdf,0x5c,0x7a,0xde,0x0d,0x19,0xd3, 
+         0xc1,0x3b,0x14,0xcc,0x8e,0xed,0xdb,0x17,
+         0xb6,0xca,0xba,0x86,0xa9,0xea,0x51,0x2d, 
+         0xc1,0xa9,0x16,0xda,0xf8,0x7b,0x59,0x8a, 
+         0xdf,0xcb,0xa4,0x67,0x00,0x44,0xea,0x24, 
+         0x73,0xe5,0xcb,0x4b,0xaf,0x2a,0x31,0x25,
+         0x22,0x28,0x3f,0x16,0x10,0x82,0xf7,0xeb, 
+         0x94,0x0d,0xdd,0x09,0x22,0x14,0x08,0x79, 
+         0xba,0x11,0x0b,0xf1,0xff,0x2d,0x67,0xac, 
+         0xeb,0xb6,0x55,0x51,0x69,0x97,0xa7,0x25,
+         0x6b,0x9c,0xa0,0x9b,0xd5,0x08,0x9b,0x27, 
+         0x42,0x1c,0x7a,0x69,0x57,0xe6,0x2e,0xed, 
+         0xa9,0x5b,0x25,0xe8,0x1f,0xd2,0xed,0x1f, 
+         0xdf,0xe7,0x80,0x17,0xba,0x0d,0x4d,0x38};
+
+    /* DSA Known Random Values (known random key block       is 160-bits)  */
+    /*                     and (known random signature block is 160-bits). */
+    static const PRUint8 dsa_known_random_key_block[] = {
+                                                      "Mozilla Rules World!"};
+    static const PRUint8 dsa_known_random_signature_block[] = {
+                                                      "Random DSA Signature"};
+
+    /* DSA Known Digest (160-bits) */
+    static const PRUint8 dsa_known_digest[] = { "DSA Signature Digest" };
+
+    /* DSA Known Signature (320-bits). */
+    static const PRUint8 dsa_known_signature[] = {
+        0x25,0x7c,0x3a,0x79,0x32,0x45,0xb7,0x32, 
+        0x70,0xca,0x62,0x63,0x2b,0xf6,0x29,0x2c, 
+        0x22,0x2a,0x03,0xce,0x48,0x15,0x11,0x72, 
+        0x7b,0x7e,0xf5,0x7a,0xf3,0x10,0x3b,0xde,
+        0x34,0xc1,0x9e,0xd7,0x27,0x9e,0x77,0x38};
+
+    /* DSA variables. */
+    DSAPrivateKey *        dsa_private_key;
+    SECStatus              dsa_status;
+    SECItem                dsa_signature_item;
+    SECItem                dsa_digest_item;
+    DSAPublicKey           dsa_public_key;
+    PRUint8                dsa_computed_signature[FIPS_DSA_SIGNATURE_LENGTH];
+    static const PQGParams dsa_pqg = { NULL,
+			    { FIPS_DSA_TYPE, (unsigned char *)dsa_P, FIPS_DSA_PRIME_LENGTH },
+			    { FIPS_DSA_TYPE, (unsigned char *)dsa_Q, FIPS_DSA_SUBPRIME_LENGTH },
+			    { FIPS_DSA_TYPE, (unsigned char *)dsa_G, FIPS_DSA_BASE_LENGTH }};
+
+    /*******************************************/
+    /* Generate a DSA public/private key pair. */
+    /*******************************************/
+
+    /* Generate a DSA public/private key pair. */
+    dsa_status = DSA_NewKeyFromSeed(&dsa_pqg, dsa_known_random_key_block,
+                                    &dsa_private_key);
+
+    if( dsa_status != SECSuccess )
+        return( CKR_HOST_MEMORY );
+
+    /* construct public key from private key. */
+    dsa_public_key.params      = dsa_private_key->params;
+    dsa_public_key.publicValue = dsa_private_key->publicValue;
+
+    /*************************************************/
+    /* DSA Single-Round Known Answer Signature Test. */
+    /*************************************************/
+
+    dsa_signature_item.data = dsa_computed_signature;
+    dsa_signature_item.len  = sizeof dsa_computed_signature;
+
+    dsa_digest_item.data    = (unsigned char *)dsa_known_digest;
+    dsa_digest_item.len     = SHA1_LENGTH;
+
+    /* Perform DSA signature process. */
+    dsa_status = DSA_SignDigestWithSeed( dsa_private_key, 
+                                         &dsa_signature_item,
+                                         &dsa_digest_item,
+                                         dsa_known_random_signature_block );
+
+    if( ( dsa_status != SECSuccess ) ||
+        ( dsa_signature_item.len != FIPS_DSA_SIGNATURE_LENGTH ) ||
+        ( PORT_Memcmp( dsa_computed_signature, dsa_known_signature,
+                       FIPS_DSA_SIGNATURE_LENGTH ) != 0 ) ) {
+        dsa_status = SECFailure;
+    } else {
+
+    /****************************************************/
+    /* DSA Single-Round Known Answer Verification Test. */
+    /****************************************************/
+
+    /* Perform DSA verification process. */
+    dsa_status = DSA_VerifyDigest( &dsa_public_key, 
+                                   &dsa_signature_item,
+                                   &dsa_digest_item);
+    }
+
+    PORT_FreeArena(dsa_private_key->params.arena, PR_TRUE);
+    /* Don't free public key, it uses same arena as private key */
+
+    /* Verify DSA signature. */
+    if( dsa_status != SECSuccess )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+
+
+}
+
+static CK_RV
+sftk_fips_RNG_PowerUpSelfTest( void )
+{
+   static const PRUint8 XKeyValue[] = {
+                     0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+                     0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+                     0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+                     0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5};
+   static const PRUint8 XSeed[] = {
+                     0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+                     0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+                     0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+                     0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac};
+   static const PRUint8 Q[] = {   
+                     0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a,
+                     0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c,
+                     0x9d,0xef,0xeb,0xed};
+   static const PRUint8 rng_known_GENX[] = {
+                     0x65,0x48,0xe3,0xca,0xac,0x64,0x2d,0xf7,
+                     0x7b,0xd3,0x4e,0x79,0xc9,0x7d,0xa6,0xa8,
+                     0xa2,0xc2,0x1f,0x8f,0xe9,0xb9,0xd3,0xa1,
+                     0x3f,0xf7,0x0c,0xcd,0xa6,0xca,0xbf,0xce,
+                     0x84,0x0e,0xb6,0xf1,0x0d,0xbe,0xa9,0xa3};
+   static const PRUint8 rng_known_DSAX[] = {
+                     0x7a,0x86,0xf1,0x7f,0xbd,0x4e,0x6e,0xd9,
+                     0x0a,0x26,0x21,0xd0,0x19,0xcb,0x86,0x73,
+                     0x10,0x1f,0x60,0xd7};
+
+   SECStatus rng_status = SECSuccess;
+   PRUint8 GENX[2*SHA1_LENGTH];
+   PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH];
+   PRUint8 XKey[FIPS_RNG_XKEY_LENGTH];
+  
+   PORT_Memcpy (XKey, XKeyValue, FIPS_RNG_XKEY_LENGTH);
+   
+   /*******************************************/
+   /* Generate X with a known seed.           */
+   /*******************************************/
+   rng_status = FIPS186Change_GenerateX(XKey, XSeed, GENX);
+
+   /* Verify GENX to perform the RNG integrity check */
+   if( ( rng_status != SECSuccess ) ||
+       ( PORT_Memcmp( GENX, rng_known_GENX,
+                      (2*SHA1_LENGTH) ) != 0 ) )
+       return( CKR_DEVICE_ERROR );
+
+   /*******************************************/
+   /* Generate DSAX fow given Q.              */
+   /*******************************************/
+
+   rng_status = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
+
+   /* Verify DSAX to perform the RNG integrity check */
+   if( ( rng_status != SECSuccess ) ||
+       ( PORT_Memcmp( DSAX, rng_known_DSAX,
+                      (FIPS_DSA_SUBPRIME_LENGTH) ) != 0 ) )
+       return( CKR_DEVICE_ERROR );
+       
+   return( CKR_OK ); 
+}
+
+static CK_RV
+sftk_fipsSoftwareIntegrityTest(void)
+{
+    CK_RV crv = CKR_OK;
+
+    /* make sure that our check file signatures are OK */
+    if( !BLAPI_VerifySelf( NULL ) || 
+	!BLAPI_SHVerify( SOFTOKEN_LIB_NAME, (PRFuncPtr) sftk_fips_HMAC ) ) {
+	crv = CKR_DEVICE_ERROR; /* better error code? checksum error? */
+    }
+    return crv;
+}
+
+CK_RV
+sftk_fipsPowerUpSelfTest( void )
+{
+    CK_RV rv;
+
+    /* RC2 Power-Up SelfTest(s). */
+    rv = sftk_fips_RC2_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* RC4 Power-Up SelfTest(s). */
+    rv = sftk_fips_RC4_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DES Power-Up SelfTest(s). */
+    rv = sftk_fips_DES_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DES3 Power-Up SelfTest(s). */
+    rv = sftk_fips_DES3_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+ 
+    /* AES Power-Up SelfTest(s) for 128-bit key. */
+    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_128_KEY_SIZE);
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* AES Power-Up SelfTest(s) for 192-bit key. */
+    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_192_KEY_SIZE);
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* AES Power-Up SelfTest(s) for 256-bit key. */
+    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_256_KEY_SIZE);
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* MD2 Power-Up SelfTest(s). */
+    rv = sftk_fips_MD2_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* MD5 Power-Up SelfTest(s). */
+    rv = sftk_fips_MD5_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* SHA-X Power-Up SelfTest(s). */
+    rv = sftk_fips_SHA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* HMAC SHA-X Power-Up SelfTest(s). */
+    rv = sftk_fips_HMAC_PowerUpSelfTest();
+ 
+    if( rv != CKR_OK )
+        return rv;
+
+    /* RSA Power-Up SelfTest(s). */
+    rv = sftk_fips_RSA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DSA Power-Up SelfTest(s). */
+    rv = sftk_fips_DSA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* RNG Power-Up SelfTest(s). */
+    rv = sftk_fips_RNG_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+    
+#ifdef NSS_ENABLE_ECC
+    /* ECDSA Power-Up SelfTest(s). */
+    rv = sftk_fips_ECDSA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+#endif
+
+    /* Software/Firmware Integrity Test. */
+    rv = sftk_fipsSoftwareIntegrityTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* Passed Power-Up SelfTest(s). */
+    return( CKR_OK );
+}
+
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
new file mode 100644
index 000000000..ca6aa34f2
--- /dev/null
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -0,0 +1,1554 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login
+ *   (unless you've enabled FIPS). It supports Public Key ops, and all they
+ *   bulk ciphers and hashes. It can also support Private Key ops for imported
+ *   Private keys. It does not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "prenv.h"
+#include "prprf.h"
+
+#include <ctype.h>
+
+#ifdef XP_UNIX
+#define NSS_AUDIT_WITH_SYSLOG 1
+#include <syslog.h>
+#include <unistd.h>
+#endif
+
+#ifdef SOLARIS
+#include <bsm/libbsm.h>
+#define AUE_FIPS_AUDIT 34444
+#endif
+
+#ifdef LINUX
+#include <pthread.h>
+#include <dlfcn.h>
+#define LIBAUDIT_NAME "libaudit.so.0"
+#ifndef AUDIT_USER
+#define AUDIT_USER 1005  /* message type: message from userspace */
+#endif
+static void *libaudit_handle;
+static int (*audit_open_func)(void);
+static void (*audit_close_func)(int fd);
+static int (*audit_log_user_message_func)(int audit_fd, int type,
+    const char *message, const char *hostname, const char *addr,
+    const char *tty, int result);
+static int (*audit_send_user_message_func)(int fd, int type,
+    const char *message);
+
+static pthread_once_t libaudit_once_control = PTHREAD_ONCE_INIT;
+
+static void
+libaudit_init(void)
+{
+    libaudit_handle = dlopen(LIBAUDIT_NAME, RTLD_LAZY);
+    if (!libaudit_handle) {
+	return;
+    }
+    audit_open_func = dlsym(libaudit_handle, "audit_open");
+    audit_close_func = dlsym(libaudit_handle, "audit_close");
+    /*
+     * audit_send_user_message is the older function.
+     * audit_log_user_message, if available, is preferred.
+     */
+    audit_log_user_message_func = dlsym(libaudit_handle,
+					"audit_log_user_message");
+    if (!audit_log_user_message_func) {
+	audit_send_user_message_func = dlsym(libaudit_handle,
+					     "audit_send_user_message");
+    }
+    if (!audit_open_func || !audit_close_func ||
+	(!audit_log_user_message_func && !audit_send_user_message_func)) {
+	dlclose(libaudit_handle);
+	libaudit_handle = NULL;
+	audit_open_func = NULL;
+	audit_close_func = NULL;
+	audit_log_user_message_func = NULL;
+	audit_send_user_message_func = NULL;
+    }
+}
+#endif /* LINUX */
+
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+static PRBool isLoggedIn = PR_FALSE;
+PRBool sftk_fatalError = PR_FALSE;
+
+/*
+ * This function returns
+ *   - CKR_PIN_INVALID if the password/PIN is not a legal UTF8 string
+ *   - CKR_PIN_LEN_RANGE if the password/PIN is too short or does not
+ *     consist of characters from three or more character classes.
+ *   - CKR_OK otherwise
+ *
+ * The minimum password/PIN length is FIPS_MIN_PIN Unicode characters.
+ * We define five character classes: digits (0-9), ASCII lowercase letters,
+ * ASCII uppercase letters, ASCII non-alphanumeric characters (such as
+ * space and punctuation marks), and non-ASCII characters.  If an ASCII
+ * uppercase letter is the first character of the password/PIN, the
+ * uppercase letter is not counted toward its character class.  Similarly,
+ * if a digit is the last character of the password/PIN, the digit is not
+ * counted toward its character class.
+ *
+ * Although NSC_SetPIN and NSC_InitPIN already do the maximum and minimum
+ * password/PIN length checks, they check the length in bytes as opposed
+ * to characters.  To meet the minimum password/PIN guessing probability
+ * requirements in FIPS 140-2, we need to check the length in characters.
+ */
+static CK_RV sftk_newPinCheck(CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
+    unsigned int i;
+    int nchar = 0;      /* number of characters */
+    int ntrail = 0;     /* number of trailing bytes to follow */
+    int ndigit = 0;     /* number of decimal digits */
+    int nlower = 0;     /* number of ASCII lowercase letters */
+    int nupper = 0;     /* number of ASCII uppercase letters */
+    int nnonalnum = 0;  /* number of ASCII non-alphanumeric characters */
+    int nnonascii = 0;  /* number of non-ASCII characters */
+    int nclass;         /* number of character classes */
+
+    for (i = 0; i < ulPinLen; i++) {
+	unsigned int byte = pPin[i];
+
+	if (ntrail) {
+	    if ((byte & 0xc0) != 0x80) {
+		/* illegal */
+		nchar = -1;
+		break;
+	    }
+	    if (--ntrail == 0) {
+		nchar++;
+		nnonascii++;
+	    }
+	    continue;
+	}
+	if ((byte & 0x80) == 0x00) {
+	    /* single-byte (ASCII) character */
+	    nchar++;
+	    if (isdigit(byte)) {
+		if (i < ulPinLen - 1) {
+		    ndigit++;
+		}
+	    } else if (islower(byte)) {
+		nlower++;
+	    } else if (isupper(byte)) {
+		if (i > 0) {
+		    nupper++;
+		}
+	    } else {
+		nnonalnum++;
+	    }
+	} else if ((byte & 0xe0) == 0xc0) {
+	    /* leading byte of two-byte character */
+	    ntrail = 1;
+	} else if ((byte & 0xf0) == 0xe0) {
+	    /* leading byte of three-byte character */
+	    ntrail = 2;
+	} else if ((byte & 0xf8) == 0xf0) {
+	    /* leading byte of four-byte character */
+	    ntrail = 3;
+	} else {
+	    /* illegal */
+	    nchar = -1;
+	    break;
+	}
+    }
+    if (nchar == -1) {
+	/* illegal UTF8 string */
+	return CKR_PIN_INVALID;
+    }
+    if (nchar < FIPS_MIN_PIN) {
+	return CKR_PIN_LEN_RANGE;
+    }
+    nclass = (ndigit != 0) + (nlower != 0) + (nupper != 0) +
+	     (nnonalnum != 0) + (nnonascii != 0);
+    if (nclass < 3) {
+	return CKR_PIN_LEN_RANGE;
+    }
+    return CKR_OK;
+}
+
+
+/* FIPS required checks before any useful cryptographic services */
+static CK_RV sftk_fipsCheck(void) {
+    if (sftk_fatalError) 
+	return CKR_DEVICE_ERROR;
+    if (!isLoggedIn) 
+	return CKR_USER_NOT_LOGGED_IN;
+    return CKR_OK;
+}
+
+
+#define SFTK_FIPSCHECK() \
+    CK_RV rv; \
+    if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
+
+#define SFTK_FIPSFATALCHECK() \
+    if (sftk_fatalError) return CKR_DEVICE_ERROR;
+
+
+/* grab an attribute out of a raw template */
+void *
+fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate, 
+				CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
+{
+    int i;
+
+    for (i=0; i < (int) ulCount; i++) {
+	if (pTemplate[i].type == type) {
+	    return pTemplate[i].pValue;
+	}
+    }
+    return NULL;
+}
+
+
+#define __PASTE(x,y)	x##y
+
+/* ------------- forward declare all the NSC_ functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS,name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- forward declare all the FIPS functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F,name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
+static CK_FUNCTION_LIST sftk_fipsTable = {
+    { 1, 10 },
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(F,name),
+
+
+#include "pkcs11f.h"
+
+};
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+/* CKO_NOT_A_KEY can be any object class that's not a key object. */
+#define CKO_NOT_A_KEY CKO_DATA
+
+#define SFTK_IS_KEY_OBJECT(objClass) \
+    (((objClass) == CKO_PUBLIC_KEY) || \
+    ((objClass) == CKO_PRIVATE_KEY) || \
+    ((objClass) == CKO_SECRET_KEY))
+
+#define SFTK_IS_NONPUBLIC_KEY_OBJECT(objClass) \
+    (((objClass) == CKO_PRIVATE_KEY) || ((objClass) == CKO_SECRET_KEY))
+
+static CK_RV
+sftk_get_object_class_and_fipsCheck(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_OBJECT_CLASS *pObjClass)
+{
+    CK_RV rv;
+    CK_ATTRIBUTE class; 
+    class.type = CKA_CLASS;
+    class.pValue = pObjClass;
+    class.ulValueLen = sizeof(*pObjClass);
+    rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
+    if ((rv == CKR_OK) && SFTK_IS_NONPUBLIC_KEY_OBJECT(*pObjClass)) {
+	rv = sftk_fipsCheck();
+    }
+    return rv;
+}
+
+/**********************************************************************
+ *
+ *     FIPS 140 auditable event logging
+ *
+ **********************************************************************/
+
+PRBool sftk_audit_enabled = PR_FALSE;
+
+/*
+ * Each audit record must have the following information:
+ * - Date and time of the event
+ * - Type of event
+ * - user (subject) identity
+ * - outcome (success or failure) of the event
+ * - process ID
+ * - name (ID) of the object
+ * - for changes to data (except for authentication data and CSPs), the new
+ *   and old values of the data
+ * - for authentication attempts, the origin of the attempt (e.g., terminal
+ *   identifier)
+ * - for assuming a role, the type of role, and the location of the request
+ */
+void
+sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg)
+{
+#ifdef NSS_AUDIT_WITH_SYSLOG
+    int level;
+
+    switch (severity) {
+    case NSS_AUDIT_ERROR:
+	level = LOG_ERR;
+	break;
+    case NSS_AUDIT_WARNING:
+	level = LOG_WARNING;
+	break;
+    default:
+	level = LOG_INFO;
+	break;
+    }
+    /* timestamp is provided by syslog in the message header */
+    syslog(level | LOG_USER /* facility */,
+	   "NSS " SOFTOKEN_LIB_NAME "[pid=%d uid=%d]: %s",
+	   (int)getpid(), (int)getuid(), msg);
+#ifdef LINUX
+    if (pthread_once(&libaudit_once_control, libaudit_init) != 0) {
+	return;
+    }
+    if (libaudit_handle) {
+	int audit_fd;
+	int result = (severity != NSS_AUDIT_ERROR); /* 1=success; 0=failed */
+	char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+	if (!message) {
+	    return;
+	}
+	audit_fd = audit_open_func();
+	if (audit_fd < 0) {
+	    PR_smprintf_free(message);
+	    return;
+	}
+	if (audit_log_user_message_func) {
+	    audit_log_user_message_func(audit_fd, AUDIT_USER, message,
+					NULL, NULL, NULL, result);
+	} else {
+	    audit_send_user_message_func(audit_fd, AUDIT_USER, message);
+	}
+	audit_close_func(audit_fd);
+	PR_smprintf_free(message);
+    }
+#endif /* LINUX */
+#ifdef SOLARIS
+    {
+        int rd;
+        char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+
+        if (!message) {
+            return;
+        }
+
+        /* open the record descriptor */
+        if ((rd = au_open()) == -1) {
+            PR_smprintf_free(message);
+            return;
+        }
+
+        /* write the audit tokens to the audit record */
+        if (au_write(rd, au_to_text(message))) {
+            (void)au_close(rd, AU_TO_NO_WRITE, AUE_FIPS_AUDIT);
+            PR_smprintf_free(message);
+            return;
+        }
+
+        /* close the record and send it to the audit trail */
+        (void)au_close(rd, AU_TO_WRITE, AUE_FIPS_AUDIT);
+
+        PR_smprintf_free(message);
+    }
+#endif /* SOLARIS */
+#else
+    /* do nothing */
+#endif
+}
+
+
+/**********************************************************************
+ *
+ *     Start of PKCS 11 functions 
+ *
+ **********************************************************************/
+/* return the function list */
+CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
+
+    CHECK_FORK();
+
+    *pFunctionList = &sftk_fipsTable;
+    return CKR_OK;
+}
+
+/* sigh global so pkcs11 can read it */
+PRBool nsf_init = PR_FALSE;
+
+/* FC_Initialize initializes the PKCS #11 library. */
+CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
+    const char *envp;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    if (nsf_init) {
+	return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+    }
+
+    if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
+	sftk_audit_enabled = (atoi(envp) == 1);
+    }
+
+    crv = nsc_CommonInitialize(pReserved, PR_TRUE);
+
+    /* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
+    if (crv != CKR_OK) {
+	sftk_fatalError = PR_TRUE;
+	return crv;
+    }
+
+    sftk_fatalError = PR_FALSE; /* any error has been reset */
+
+    crv = sftk_fipsPowerUpSelfTest();
+    if (crv != CKR_OK) {
+        nsc_CommonFinalize(NULL, PR_TRUE);
+	sftk_fatalError = PR_TRUE;
+	if (sftk_audit_enabled) {
+	    char msg[128];
+	    PR_snprintf(msg,sizeof msg,
+			"C_Initialize()=0x%08lX "
+			"power-up self-tests failed",
+			(PRUint32)crv);
+	    sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg);
+	}
+	return crv;
+    }
+    nsf_init = PR_TRUE;
+
+    return CKR_OK;
+}
+
+/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
+CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
+   CK_RV crv;
+
+   CHECK_FORK();
+
+   if (!nsf_init) {
+      return CKR_OK;
+   }
+   crv = nsc_CommonFinalize (pReserved, PR_TRUE);
+   nsf_init = (PRBool) !(crv == CKR_OK);
+   return crv;
+}
+
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV  FC_GetInfo(CK_INFO_PTR pInfo) {
+    CHECK_FORK();
+
+    return NSC_GetInfo(pInfo);
+}
+
+/* FC_GetSlotList obtains a list of slots in the system. */
+CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
+	 		CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+    CHECK_FORK();
+
+    return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount,
+							 NSC_FIPS_MODULE);
+}
+	
+/* FC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+    CHECK_FORK();
+
+    return NSC_GetSlotInfo(slotID,pInfo);
+}
+
+
+/*FC_GetTokenInfo obtains information about a particular token in the system.*/
+ CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_GetTokenInfo(slotID,pInfo);
+    if (crv == CKR_OK) 
+       pInfo->flags |= CKF_LOGIN_REQUIRED;
+    return crv;
+
+}
+
+
+
+/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
+ CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
+	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
+     CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
+    /* FIPS Slot supports all functions */
+    return NSC_GetMechanismList(slotID,pMechanismList,pusCount);
+}
+
+
+/* FC_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+ CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+    					CK_MECHANISM_INFO_PTR pInfo) {
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
+    /* FIPS Slot supports all functions */
+    return NSC_GetMechanismInfo(slotID,type,pInfo);
+}
+
+
+/* FC_InitToken initializes a token. */
+ CK_RV FC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
+ 				CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_InitToken(slotID,pPin,usPinLen,pLabel);
+    if (sftk_audit_enabled) {
+	char msg[128];
+	NSSAuditSeverity severity = (crv == CKR_OK) ?
+		NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+	/* pLabel points to a 32-byte label, which is not null-terminated */
+	PR_snprintf(msg,sizeof msg,
+		"C_InitToken(slotID=%lu, pLabel=\"%.32s\")=0x%08lX",
+		(PRUint32)slotID,pLabel,(PRUint32)crv);
+	sftk_LogAuditMessage(severity, msg);
+    }
+    return crv;
+}
+
+
+/* FC_InitPIN initializes the normal user's PIN. */
+ CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
+    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
+    CK_RV rv;
+
+    CHECK_FORK();
+
+    if (sftk_fatalError) return CKR_DEVICE_ERROR;
+    if ((rv = sftk_newPinCheck(pPin,ulPinLen)) == CKR_OK) {
+	rv = NSC_InitPIN(hSession,pPin,ulPinLen);
+    }
+    if (sftk_audit_enabled) {
+	char msg[128];
+	NSSAuditSeverity severity = (rv == CKR_OK) ?
+		NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+	PR_snprintf(msg,sizeof msg,
+		"C_InitPIN(hSession=0x%08lX)=0x%08lX",
+		(PRUint32)hSession,(PRUint32)rv);
+	sftk_LogAuditMessage(severity, msg);
+    }
+    return rv;
+}
+
+
+/* FC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+ CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+    CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
+    CK_RV rv;
+
+    CHECK_FORK();
+
+    if ((rv = sftk_fipsCheck()) == CKR_OK &&
+	(rv = sftk_newPinCheck(pNewPin,usNewLen)) == CKR_OK) {
+	rv = NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
+    }
+    if (sftk_audit_enabled) {
+	char msg[128];
+	NSSAuditSeverity severity = (rv == CKR_OK) ?
+		NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+	PR_snprintf(msg,sizeof msg,
+		"C_SetPIN(hSession=0x%08lX)=0x%08lX",
+		(PRUint32)hSession,(PRUint32)rv);
+	sftk_LogAuditMessage(severity, msg);
+    }
+    return rv;
+}
+
+/* FC_OpenSession opens a session between an application and a token. */
+ CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
+    SFTK_FIPSFATALCHECK();
+
+    CHECK_FORK();
+
+    return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
+}
+
+
+/* FC_CloseSession closes a session between an application and a token. */
+ CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
+    CHECK_FORK();
+
+    return NSC_CloseSession(hSession);
+}
+
+
+/* FC_CloseAllSessions closes all sessions with a token. */
+ CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
+
+    CHECK_FORK();
+
+    return NSC_CloseAllSessions (slotID);
+}
+
+
+/* FC_GetSessionInfo obtains information about the session. */
+ CK_RV FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+						CK_SESSION_INFO_PTR pInfo) {
+    CK_RV rv;
+    SFTK_FIPSFATALCHECK();
+
+    CHECK_FORK();
+
+    rv = NSC_GetSessionInfo(hSession,pInfo);
+    if (rv == CKR_OK) {
+	if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
+		pInfo->state = CKS_RO_USER_FUNCTIONS;
+	}
+	if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
+		pInfo->state = CKS_RW_USER_FUNCTIONS;
+	}
+    }
+    return rv;
+}
+
+/* FC_Login logs a user into a token. */
+ CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+				    CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
+    CK_RV rv;
+    PRBool successful;
+    if (sftk_fatalError) return CKR_DEVICE_ERROR;
+    rv = NSC_Login(hSession,userType,pPin,usPinLen);
+    successful = (rv == CKR_OK) || (rv == CKR_USER_ALREADY_LOGGED_IN);
+    if (successful)
+	isLoggedIn = PR_TRUE;
+    if (sftk_audit_enabled) {
+	char msg[128];
+	NSSAuditSeverity severity;
+	severity = successful ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+	PR_snprintf(msg,sizeof msg,
+		    "C_Login(hSession=0x%08lX, userType=%lu)=0x%08lX",
+		    (PRUint32)hSession,(PRUint32)userType,(PRUint32)rv);
+	sftk_LogAuditMessage(severity, msg);
+    }
+    return rv;
+}
+
+/* FC_Logout logs a user out from a token. */
+ CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
+    CK_RV rv;
+
+    CHECK_FORK();
+
+    if ((rv = sftk_fipsCheck()) == CKR_OK) {
+	rv = NSC_Logout(hSession);
+	isLoggedIn = PR_FALSE;
+    }
+    if (sftk_audit_enabled) {
+	char msg[128];
+	NSSAuditSeverity severity = (rv == CKR_OK) ?
+		NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+	PR_snprintf(msg,sizeof msg,
+		    "C_Logout(hSession=0x%08lX)=0x%08lX",
+		    (PRUint32)hSession,(PRUint32)rv);
+	sftk_LogAuditMessage(severity, msg);
+    }
+    return rv;
+}
+
+
+/* FC_CreateObject creates a new object. */
+ CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
+		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
+					CK_OBJECT_HANDLE_PTR phObject) {
+    CK_OBJECT_CLASS * classptr;
+
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
+    if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    /* FIPS can't create keys from raw key material */
+    if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
+	rv = CKR_ATTRIBUTE_VALUE_INVALID;
+    } else {
+	rv = NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
+	sftk_AuditCreateObject(hSession,pTemplate,ulCount,phObject,rv);
+    }
+    return rv;
+}
+
+
+
+
+
+/* FC_CopyObject copies an object, creating a new object for the copy. */
+ CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
+       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+					CK_OBJECT_HANDLE_PTR phNewObject) {
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+    if (rv == CKR_OK) {
+	rv = NSC_CopyObject(hSession,hObject,pTemplate,ulCount,phNewObject);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+	sftk_AuditCopyObject(hSession,
+	    hObject,pTemplate,ulCount,phNewObject,rv);
+    }
+    return rv;
+}
+
+
+/* FC_DestroyObject destroys an object. */
+ CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
+		 				CK_OBJECT_HANDLE hObject) {
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+    if (rv == CKR_OK) {
+	rv = NSC_DestroyObject(hSession,hObject);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+	sftk_AuditDestroyObject(hSession,hObject,rv);
+    }
+    return rv;
+}
+
+
+/* FC_GetObjectSize gets the size of an object in bytes. */
+ CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
+    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+    if (rv == CKR_OK) {
+	rv = NSC_GetObjectSize(hSession, hObject, pulSize);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+	sftk_AuditGetObjectSize(hSession, hObject, pulSize, rv);
+    }
+    return rv;
+}
+
+
+/* FC_GetAttributeValue obtains the value of one or more object attributes. */
+ CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+    if (rv == CKR_OK) {
+	rv = NSC_GetAttributeValue(hSession,hObject,pTemplate,ulCount);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+	sftk_AuditGetAttributeValue(hSession,hObject,pTemplate,ulCount,rv);
+    }
+    return rv;
+}
+
+
+/* FC_SetAttributeValue modifies the value of one or more object attributes */
+ CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+    if (rv == CKR_OK) {
+	rv = NSC_SetAttributeValue(hSession,hObject,pTemplate,ulCount);
+    }
+    if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+	sftk_AuditSetAttributeValue(hSession,hObject,pTemplate,ulCount,rv);
+    }
+    return rv;
+}
+
+
+
+/* FC_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+ CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
+    /* let publically readable object be found */
+    unsigned int i;
+    CK_RV rv;
+    PRBool needLogin = PR_FALSE;
+
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+
+    for (i=0; i < usCount; i++) {
+	CK_OBJECT_CLASS class;
+	if (pTemplate[i].type != CKA_CLASS) {
+	    continue;
+	}
+	if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+	    continue;
+	}
+	if (pTemplate[i].pValue == NULL) {
+	    continue;
+	}
+	class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+	    needLogin = PR_TRUE;
+	    break;
+	}
+    }
+    if (needLogin) {
+	if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
+    }
+    return NSC_FindObjectsInit(hSession,pTemplate,usCount);
+}
+
+
+/* FC_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+ CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
+    					CK_ULONG_PTR pusObjectCount) {
+    CHECK_FORK();
+
+    /* let publically readable object be found */
+    SFTK_FIPSFATALCHECK();
+    return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
+    							pusObjectCount);
+}
+
+
+/*
+ ************** Crypto Functions:     Encrypt ************************
+ */
+
+/* FC_EncryptInit initializes an encryption operation. */
+ CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_EncryptInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("Encrypt",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+/* FC_Encrypt encrypts single-part data. */
+ CK_RV FC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    		CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
+					 CK_ULONG_PTR pusEncryptedDataLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
+							pusEncryptedDataLen);
+}
+
+
+/* FC_EncryptUpdate continues a multiple-part encryption operation. */
+ CK_RV FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,	
+					CK_ULONG_PTR pusEncryptedPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
+						pusEncryptedPartLen);
+}
+
+
+/* FC_EncryptFinal finishes a multiple-part encryption operation. */
+ CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_EncryptFinal(hSession,pLastEncryptedPart,
+						pusLastEncryptedPartLen);
+}
+
+/*
+ ************** Crypto Functions:     Decrypt ************************
+ */
+
+
+/* FC_DecryptInit initializes a decryption operation. */
+ CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_DecryptInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("Decrypt",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+/* FC_Decrypt decrypts encrypted data in a single part. */
+ CK_RV FC_Decrypt(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
+    						CK_ULONG_PTR pusDataLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
+    								pusDataLen);
+}
+
+
+/* FC_DecryptUpdate continues a multiple-part decryption operation. */
+ CK_RV FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
+    				CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
+    							pPart,pusPartLen);
+}
+
+
+/* FC_DecryptFinal finishes a multiple-part decryption operation. */
+ CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
+}
+
+
+/*
+ ************** Crypto Functions:     Digest (HASH)  ************************
+ */
+
+/* FC_DigestInit initializes a message-digesting operation. */
+ CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
+    					CK_MECHANISM_PTR pMechanism) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_DigestInit(hSession, pMechanism);
+}
+
+
+/* FC_Digest digests data in a single part. */
+ CK_RV FC_Digest(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pusDigestLen) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
+}
+
+
+/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
+ CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+					    CK_ULONG usPartLen) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_DigestUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
+ CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pusDigestLen) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
+}
+
+
+/*
+ ************** Crypto Functions:     Sign  ************************
+ */
+
+/* FC_SignInit initializes a signature (private key encryption) operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_SignInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("Sign",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_Sign(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
+    					CK_ULONG_PTR pusSignatureLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
+}
+
+
+/* FC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    							CK_ULONG usPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_SignUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+ CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
+					    CK_ULONG_PTR pusSignatureLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     Sign Recover  ************************
+ */
+/* FC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+ CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_SignRecoverInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("SignRecover",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+ CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+  CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     verify  ************************
+ */
+
+/* FC_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+ CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
+			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_VerifyInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("Verify",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
+    /* make sure we're legal */
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
+}
+
+
+/* FC_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+						CK_ULONG usPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_VerifyUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+ CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
+			CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     Verify  Recover ************************
+ */
+
+/* FC_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+ CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditCryptInit("VerifyRecover",hSession,pMechanism,hKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+ CK_RV FC_VerifyRecover(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
+    				CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
+								pusDataLen);
+}
+
+/*
+ **************************** Key Functions:  ************************
+ */
+
+/* FC_GenerateKey generates a secret key, creating a new key object. */
+ CK_RV FC_GenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
+    						CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+
+    rv = NSC_GenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditGenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+ CK_RV FC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+					CK_OBJECT_HANDLE_PTR phPrivateKey) {
+    CK_BBOOL *boolptr;
+    CK_RV crv;
+
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+
+    /* all private keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pPrivateKeyTemplate, 
+				usPrivateKeyAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    crv = NSC_GenerateKeyPair (hSession,pMechanism,pPublicKeyTemplate,
+    		usPublicKeyAttributeCount,pPrivateKeyTemplate,
+		usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
+    if (crv == CKR_GENERAL_ERROR) {
+	/* pairwise consistency check failed. */
+	sftk_fatalError = PR_TRUE;
+    }
+    if (sftk_audit_enabled) {
+	sftk_AuditGenerateKeyPair(hSession,pMechanism,pPublicKeyTemplate,
+    		usPublicKeyAttributeCount,pPrivateKeyTemplate,
+		usPrivateKeyAttributeCount,phPublicKey,phPrivateKey,crv);
+    }
+    return crv;
+}
+
+
+/* FC_WrapKey wraps (i.e., encrypts) a key. */
+ CK_RV FC_WrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+					 CK_ULONG_PTR pulWrappedKeyLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
+							pulWrappedKeyLen);
+    if (sftk_audit_enabled) {
+	sftk_AuditWrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
+							pulWrappedKeyLen,rv);
+    }
+    return rv;
+}
+
+
+/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+ CK_RV FC_UnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+						 CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
+					ulAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    rv = NSC_UnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
+			ulWrappedKeyLen,pTemplate,ulAttributeCount,phKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditUnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
+			ulWrappedKeyLen,pTemplate,ulAttributeCount,phKey,rv);
+    }
+    return rv;
+}
+
+
+/* FC_DeriveKey derives a key from a base key, creating a new key object. */
+ CK_RV FC_DeriveKey( CK_SESSION_HANDLE hSession,
+	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 
+						CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
+					ulAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    rv = NSC_DeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
+			ulAttributeCount, phKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditDeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
+			ulAttributeCount,phKey,rv);
+    }
+    return rv;
+}
+
+/*
+ **************************** Radom Functions:  ************************
+ */
+
+/* FC_SeedRandom mixes additional seed material into the token's random number 
+ * generator. */
+ CK_RV FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+    CK_ULONG usSeedLen) {
+    CK_RV crv;
+
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
+    if (crv != CKR_OK) {
+	sftk_fatalError = PR_TRUE;
+    }
+    return crv;
+}
+
+
+/* FC_GenerateRandom generates random data. */
+ CK_RV FC_GenerateRandom(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR	pRandomData, CK_ULONG ulRandomLen) {
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    SFTK_FIPSFATALCHECK();
+    crv = NSC_GenerateRandom(hSession,pRandomData,ulRandomLen);
+    if (crv != CKR_OK) {
+	sftk_fatalError = PR_TRUE;
+	if (sftk_audit_enabled) {
+	    char msg[128];
+	    PR_snprintf(msg,sizeof msg,
+			"C_GenerateRandom(hSession=0x%08lX, pRandomData=%p, "
+			"ulRandomLen=%lu)=0x%08lX "
+			"self-test: continuous RNG test failed",
+			(PRUint32)hSession,pRandomData,
+			(PRUint32)ulRandomLen,(PRUint32)crv);
+	    sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg);
+	}
+    }
+    return crv;
+}
+
+
+/* FC_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+ CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_GetFunctionStatus(hSession);
+}
+
+
+/* FC_CancelFunction cancels a function running in parallel */
+ CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_CancelFunction(hSession);
+}
+
+/*
+ ****************************  Version 1.1 Functions:  ************************
+ */
+
+/* FC_GetOperationState saves the state of the cryptographic 
+ *operation in a session. */
+CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
+}
+
+
+/* FC_SetOperationState restores the state of the cryptographic operation 
+ * in a session. */
+CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
+        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
+        				hEncryptionKey,hAuthenticationKey);
+}
+
+/* FC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+    /* let publically readable object be found */
+    SFTK_FIPSFATALCHECK();
+    CHECK_FORK();
+
+    return NSC_FindObjectsFinal(hSession);
+}
+
+
+/* Dual-function cryptographic operations */
+
+/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
+ * operation. */
+CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
+					 pulEncryptedPartLen);
+}
+
+
+/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting 
+ * operation. */
+CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+     CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
+    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
+    				pPart,pulPartLen);
+}
+
+/* FC_SignEncryptUpdate continues a multiple-part signing and encryption 
+ * operation. */
+CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
+					 pulEncryptedPartLen);
+}
+
+/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify 
+ * operation. */
+CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
+				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen, 
+				pData,pulDataLen);
+}
+
+
+/* FC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
+    SFTK_FIPSCHECK();
+    CHECK_FORK();
+
+    rv = NSC_DigestKey(hSession,hKey);
+    if (sftk_audit_enabled) {
+	sftk_AuditDigestKey(hSession,hKey,rv);
+    }
+    return rv;
+}
+
+
+CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+							 CK_VOID_PTR pReserved)
+{
+    CHECK_FORK();
+
+    return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
+}
diff --git a/security/nss/lib/softoken/legacydb/Makefile b/security/nss/lib/softoken/legacydb/Makefile
new file mode 100644
index 000000000..78a7c78c7
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/softoken/legacydb/cdbhdl.h b/security/nss/lib/softoken/legacydb/cdbhdl.h
new file mode 100644
index 000000000..aec617b73
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/cdbhdl.h
@@ -0,0 +1,85 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * cdbhdl.h - certificate database handle
+ *   private to the certdb module
+ *
+ * $Id$
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+#include "prtypes.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+    DB *permCertDB;
+    PZMonitor *dbMon;
+    PRBool dbVerify;
+    PRInt32  ref; /* reference count */
+};
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY	PR_RDONLY
+#define NO_RDWR		PR_RDWR
+#define NO_CREATE	(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY	O_RDONLY
+#define NO_RDWR		O_RDWR
+#define NO_CREATE	(O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+typedef DB * (*rdbfunc)(const char *appName, const char *prefix, 
+				const char *type, int flags);
+typedef int (*rdbstatusfunc)(void);
+
+#define RDB_FAIL 1
+#define RDB_RETRY 2
+
+DB * rdbopen(const char *appName, const char *prefix, 
+				const char *type, int flags, int *status);
+
+DB *dbsopen (const char *dbname , int flags, int mode, DBTYPE type, 
+						const void * appData);
+SECStatus db_Copy(DB *dest,DB *src);
+int db_InitComplete(DB *db);
+
+#endif
diff --git a/security/nss/lib/softoken/legacydb/config.mk b/security/nss/lib/softoken/legacydb/config.mk
new file mode 100644
index 000000000..4f1839426
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -0,0 +1,103 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(DIST)/lib/nssutil3.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+DEFINES += -DDBM_USING_NSPR
+endif
diff --git a/security/nss/lib/softoken/legacydb/dbmshim.c b/security/nss/lib/softoken/legacydb/dbmshim.c
new file mode 100644
index 000000000..9d512ac41
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/dbmshim.c
@@ -0,0 +1,647 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Berkeley DB 1.85 Shim code to handle blobs.
+ *
+ * $Id$
+ */
+#include "mcom_db.h"
+#include "secitem.h"
+#include "nssb64.h"
+#include "blapi.h"
+#include "secerr.h"
+
+#include "lgdb.h"
+
+/*
+ *   Blob block:
+ *   Byte 0   CERTDB Version           -+                       -+
+ *   Byte 1   certDBEntryTypeBlob       |  BLOB_HEAD_LEN         |
+ *   Byte 2   flags (always '0');       |                        |
+ *   Byte 3   reserved (always '0');   -+                        |
+ *   Byte 4   LSB length                | <--BLOB_LENGTH_START   | BLOB_BUF_LEN
+ *   Byte 5       .                     |                        |
+ *   Byte 6       .                     | BLOB_LENGTH_LEN        |
+ *   Byte 7   MSB length                |                        |
+ *   Byte 8   blob_filename   -+       -+  <-- BLOB_NAME_START   |
+ *   Byte 9       .            | BLOB_NAME_LEN                   |
+ *     .          .            |                                 |
+ *   Byte 37      .           -+                                -+
+ */
+#define DBS_BLOCK_SIZE (16*1024) /* 16 k */
+#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */
+#define DBS_CACHE_SIZE	DBS_BLOCK_SIZE*8
+#define ROUNDDIV(x,y) (x+(y-1))/y
+#define BLOB_HEAD_LEN 4
+#define BLOB_LENGTH_START BLOB_HEAD_LEN
+#define BLOB_LENGTH_LEN 4
+#define BLOB_NAME_START BLOB_LENGTH_START+BLOB_LENGTH_LEN
+#define BLOB_NAME_LEN 1+ROUNDDIV(SHA1_LENGTH,3)*4+1
+#define BLOB_BUF_LEN BLOB_HEAD_LEN+BLOB_LENGTH_LEN+BLOB_NAME_LEN
+
+/* a Shim data structure. This data structure has a db built into it. */
+typedef struct DBSStr DBS;
+
+struct DBSStr {
+    DB db;
+    char *blobdir;
+    int mode;
+    PRBool readOnly;
+    PRFileMap *dbs_mapfile;
+    unsigned char *dbs_addr;
+    PRUint32 dbs_len;
+    char staticBlobArea[BLOB_BUF_LEN];
+};
+    
+    
+
+/*
+ * return true if the Datablock contains a blobtype
+ */
+static PRBool
+dbs_IsBlob(DBT *blobData)
+{
+    unsigned char *addr = (unsigned char *)blobData->data;
+    if (blobData->size < BLOB_BUF_LEN) {
+	return PR_FALSE;
+    }
+    return addr && ((certDBEntryType) addr[1] == certDBEntryTypeBlob);
+}
+
+/*
+ * extract the filename in the blob of the real data set.
+ * This value is not malloced (does not need to be freed by the caller.
+ */
+static const char *
+dbs_getBlobFileName(DBT *blobData)
+{
+    char *addr = (char *)blobData->data;
+
+    return &addr[BLOB_NAME_START];
+}
+
+/*
+ * extract the size of the actual blob from the blob record
+ */
+static PRUint32
+dbs_getBlobSize(DBT *blobData)
+{
+    unsigned char *addr = (unsigned char *)blobData->data;
+
+    return (PRUint32)(addr[BLOB_LENGTH_START+3] << 24) | 
+			(addr[BLOB_LENGTH_START+2] << 16) | 
+			(addr[BLOB_LENGTH_START+1] << 8) | 
+			addr[BLOB_LENGTH_START];
+}
+
+
+/* We are using base64 data for the filename, but base64 data can include a
+ * '/' which is interpreted as a path separator on  many platforms. Replace it
+ * with an inocuous '-'. We don't need to convert back because we never actual
+ * decode the filename.
+ */
+
+static void
+dbs_replaceSlash(char *cp, int len)
+{
+   while (len--) {
+	if (*cp == '/') *cp = '-';
+	cp++;
+   }
+}
+
+/*
+ * create a blob record from a key, data and return it in blobData.
+ * NOTE: The data element is static data (keeping with the dbm model).
+ */
+static void
+dbs_mkBlob(DBS *dbsp,const DBT *key, const DBT *data, DBT *blobData)
+{
+   unsigned char sha1_data[SHA1_LENGTH];
+   char *b = dbsp->staticBlobArea;
+   PRUint32 length = data->size;
+   SECItem sha1Item;
+
+   b[0] = CERT_DB_FILE_VERSION; /* certdb version number */
+   b[1] = (char) certDBEntryTypeBlob; /* type */
+   b[2] = 0; /* flags */
+   b[3] = 0; /* reserved */
+   b[BLOB_LENGTH_START] = length & 0xff;
+   b[BLOB_LENGTH_START+1] = (length >> 8) & 0xff;
+   b[BLOB_LENGTH_START+2] = (length >> 16) & 0xff;
+   b[BLOB_LENGTH_START+3] = (length >> 24) & 0xff;
+   sha1Item.data = sha1_data;
+   sha1Item.len = SHA1_LENGTH;
+   SHA1_HashBuf(sha1_data,key->data,key->size);
+   b[BLOB_NAME_START]='b'; /* Make sure we start with a alpha */
+   NSSBase64_EncodeItem(NULL,&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1,&sha1Item);
+   b[BLOB_BUF_LEN-1] = 0;
+   dbs_replaceSlash(&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1);
+   blobData->data = b;
+   blobData->size = BLOB_BUF_LEN;
+   return;
+}
+   
+
+/*
+ * construct a path to the actual blob. The string returned must be
+ * freed by the caller with PR_smprintf_free.
+ *
+ * Note: this file does lots of consistancy checks on the DBT. The
+ * routines that call this depend on these checks, so they don't worry
+ * about them (success of this routine implies a good blobdata record).
+ */ 
+static char *
+dbs_getBlobFilePath(char *blobdir,DBT *blobData)
+{
+    const char *name;
+
+    if (blobdir == NULL) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    if (!dbs_IsBlob(blobData)) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    name = dbs_getBlobFileName(blobData);
+    if (!name || *name == 0) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    return  PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name);
+}
+
+/*
+ * Delete a blob file pointed to by the blob record.
+ */
+static void
+dbs_removeBlob(DBS *dbsp, DBT *blobData)
+{
+    char *file;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+    if (!file) {
+	return;
+    }
+    PR_Delete(file);
+    PR_smprintf_free(file);
+}
+
+/*
+ * Directory modes are slightly different, the 'x' bit needs to be on to
+ * access them. Copy all the read bits to 'x' bits
+ */
+static int
+dbs_DirMode(int mode)
+{
+  int x_bits = (mode >> 2) &  0111;
+  return mode | x_bits;
+}
+
+/*
+ * write a data blob to it's file. blobdData is the blob record that will be
+ * stored in the database. data is the actual data to go out on disk.
+ */
+static int
+dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data)
+{
+    char *file = NULL;
+    PRFileDesc *filed;
+    PRStatus status;
+    int len;
+    int error = 0;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+    if (!file) {
+	goto loser;
+    }
+    if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+	status = PR_MkDir(dbsp->blobdir,dbs_DirMode(mode));
+	if (status != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+    filed = PR_OpenFile(file,PR_CREATE_FILE|PR_TRUNCATE|PR_WRONLY, mode);
+    if (filed == NULL) {
+	error = PR_GetError();
+	goto loser;
+    }
+    len = PR_Write(filed,data->data,data->size);
+    error = PR_GetError();
+    PR_Close(filed);
+    if (len < (int)data->size) {
+	goto loser;
+    }
+    PR_smprintf_free(file);
+    return 0;
+
+loser:
+    if (file) {
+	PR_Delete(file);
+	PR_smprintf_free(file);
+    }
+    /* don't let close or delete reset the error */
+    PR_SetError(error,0);
+    return -1;
+}
+
+
+/*
+ * we need to keep a address map in memory between calls to DBM.
+ * remember what we have mapped can close it when we get another dbm
+ * call. 
+ *
+ * NOTE: Not all platforms support mapped files. This code is designed to
+ * detect this at runtime. If map files aren't supported the OS will indicate
+ * this by failing the PR_Memmap call. In this case we emulate mapped files
+ * by just reading in the file into regular memory. We signal this state by
+ * making dbs_mapfile NULL and dbs_addr non-NULL.
+ */
+
+static void
+dbs_freemap(DBS *dbsp)
+{
+    if (dbsp->dbs_mapfile) {
+	PR_MemUnmap(dbsp->dbs_addr,dbsp->dbs_len);
+	PR_CloseFileMap(dbsp->dbs_mapfile);
+	dbsp->dbs_mapfile = NULL;
+	dbsp->dbs_addr = NULL;
+	dbsp->dbs_len = 0;
+    } else if (dbsp->dbs_addr) {
+	PORT_Free(dbsp->dbs_addr);
+	dbsp->dbs_addr = NULL;
+	dbsp->dbs_len = 0;
+    }
+    return;
+}
+
+static void
+dbs_setmap(DBS *dbsp, PRFileMap *mapfile, unsigned char *addr, PRUint32 len)
+{
+    dbsp->dbs_mapfile = mapfile;
+    dbsp->dbs_addr = addr;
+    dbsp->dbs_len = len;
+}
+
+/*
+ * platforms that cannot map the file need to read it into a temp buffer.
+ */
+static unsigned char *
+dbs_EmulateMap(PRFileDesc *filed, int len)
+{
+    unsigned char *addr;
+    PRInt32 dataRead;
+
+    addr = PORT_Alloc(len);
+    if (addr == NULL) {
+	return NULL;
+    }
+
+    dataRead = PR_Read(filed,addr,len);
+    if (dataRead != len) {
+	PORT_Free(addr);
+	if (dataRead > 0) {
+	    /* PR_Read didn't set an error, we need to */
+	    PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	}
+	return NULL;
+    }
+
+    return addr;
+}
+
+
+/*
+ * pull a database record off the disk
+ * data points to the blob record on input and the real record (if we could
+ * read it) on output. if there is an error data is not modified.
+ */
+static int
+dbs_readBlob(DBS *dbsp, DBT *data)
+{
+    char *file = NULL;
+    PRFileDesc *filed = NULL;
+    PRFileMap *mapfile = NULL;
+    unsigned char *addr = NULL;
+    int error;
+    int len = -1;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, data);
+    if (!file) {
+	goto loser;
+    }
+    filed = PR_OpenFile(file,PR_RDONLY,0);
+    PR_smprintf_free(file); file = NULL;
+    if (filed == NULL) {
+	goto loser;
+    }
+
+    len = dbs_getBlobSize(data);
+    mapfile = PR_CreateFileMap(filed, len, PR_PROT_READONLY);
+    if (mapfile == NULL) {
+	 /* USE PR_GetError instead of PORT_GetError here
+	  * because we are getting the error from PR_xxx
+	  * function */
+	if (PR_GetError() != PR_NOT_IMPLEMENTED_ERROR) {
+	    goto loser;
+	}
+	addr = dbs_EmulateMap(filed, len);
+    } else {
+	addr = PR_MemMap(mapfile, 0, len);
+    }
+    if (addr == NULL) {
+	goto loser;
+    }
+    PR_Close(filed);
+    dbs_setmap(dbsp,mapfile,addr,len);
+
+    data->data = addr;
+    data->size = len;
+    return 0;
+
+loser:
+    /* preserve the error code */
+    error = PR_GetError();
+    if (mapfile) {
+	PR_CloseFileMap(mapfile);
+    }
+    if (filed) {
+	PR_Close(filed);
+    }
+    PR_SetError(error,0);
+    return -1;
+}
+
+/*
+ * actual DBM shims
+ */
+static int
+dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    
+
+    dbs_freemap(dbsp);
+    
+    ret = (* db->get)(db, key, data, flags);
+    if ((ret == 0) && dbs_IsBlob(data)) {
+	ret = dbs_readBlob(dbsp,data);
+    }
+
+    return(ret);
+}
+
+static int
+dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags)
+{
+    DBT blob;
+    int ret = 0;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+
+    dbs_freemap(dbsp);
+
+    /* If the db is readonly, just pass the data down to rdb and let it fail */
+    if (!dbsp->readOnly) {
+	DBT oldData;
+	int ret1;
+
+	/* make sure the current record is deleted if it's a blob */
+	ret1 = (*db->get)(db,key,&oldData,0);
+        if ((ret1 == 0) && flags == R_NOOVERWRITE) {
+	    /* let DBM return the error to maintain consistancy */
+	    return (* db->put)(db, key, data, flags);
+	}
+	if ((ret1 == 0) && dbs_IsBlob(&oldData)) {
+	    dbs_removeBlob(dbsp, &oldData);
+	}
+
+	if (data->size > DBS_MAX_ENTRY_SIZE) {
+	    dbs_mkBlob(dbsp,key,data,&blob);
+	    ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data);
+	    data = &blob;
+	}
+    }
+
+    if (ret == 0) {
+	ret = (* db->put)(db, key, data, flags);
+    }
+    return(ret);
+}
+
+static int
+dbs_sync(const DB *dbs, unsigned int flags)
+{
+    DB *db = (DB *)dbs->internal;
+    DBS *dbsp = (DBS *)dbs;
+
+    dbs_freemap(dbsp);
+
+    return (* db->sync)(db, flags);
+}
+
+static int
+dbs_del(const DB *dbs, const DBT *key, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+
+    dbs_freemap(dbsp);
+
+    if (!dbsp->readOnly) {
+	DBT oldData;
+	ret = (*db->get)(db,key,&oldData,0);
+	if ((ret == 0) && dbs_IsBlob(&oldData)) {
+	    dbs_removeBlob(dbsp,&oldData);
+	}
+    }
+
+    return (* db->del)(db, key, flags);
+}
+
+static int
+dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    
+    dbs_freemap(dbsp);
+    
+    ret = (* db->seq)(db, key, data, flags);
+    if ((ret == 0) && dbs_IsBlob(data)) {
+	/* don't return a blob read as an error so traversals keep going */
+	(void) dbs_readBlob(dbsp,data);
+    }
+
+    return(ret);
+}
+
+static int
+dbs_close(DB *dbs)
+{
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    int ret;
+
+    dbs_freemap(dbsp);
+    ret = (* db->close)(db);
+    PORT_Free(dbsp->blobdir);
+    PORT_Free(dbsp);
+    return ret;
+}
+
+static int
+dbs_fd(const DB *dbs)
+{
+    DB *db = (DB *)dbs->internal;
+
+    return (* db->fd)(db);
+}
+
+/*
+ * the naming convention we use is
+ * change the .xxx into .dir. (for nss it's always .db);
+ * if no .extension exists or is equal to .dir, add a .dir 
+ * the returned data must be freed.
+ */
+#define DIRSUFFIX ".dir"
+static char *
+dbs_mkBlobDirName(const char *dbname)
+{
+    int dbname_len = PORT_Strlen(dbname);
+    int dbname_end = dbname_len;
+    const char *cp;
+    char *blobDir = NULL;
+
+    /* scan back from the end looking for either a directory separator, a '.',
+     * or the end of the string. NOTE: Windows should check for both separators
+     * here. For now this is safe because we know NSS always uses a '.'
+     */
+    for (cp = &dbname[dbname_len]; 
+		(cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR) ;
+			cp--)
+	/* Empty */ ;
+    if (*cp == '.') {
+	dbname_end = cp - dbname;
+	if (PORT_Strcmp(cp,DIRSUFFIX) == 0) {
+	    dbname_end = dbname_len;
+	}
+    }
+    blobDir = PORT_ZAlloc(dbname_end+sizeof(DIRSUFFIX));
+    if (blobDir == NULL) {
+	return NULL;
+    }
+    PORT_Memcpy(blobDir,dbname,dbname_end);
+    PORT_Memcpy(&blobDir[dbname_end],DIRSUFFIX,sizeof(DIRSUFFIX));
+    return blobDir;
+}
+
+#define DBM_DEFAULT 0
+static const HASHINFO dbs_hashInfo = {
+	DBS_BLOCK_SIZE,		/* bucket size, must be greater than = to
+				 * or maximum entry size (+ header)
+				 * we allow before blobing */
+	DBM_DEFAULT,		/* Fill Factor */
+	DBM_DEFAULT,		/* number of elements */
+	DBS_CACHE_SIZE,		/* cache size */
+	DBM_DEFAULT,		/* hash function */
+	DBM_DEFAULT,		/* byte order */
+};
+
+/*
+ * the open function. NOTE: this is the only exposed function in this file.
+ * everything else is called through the function table pointer.
+ */
+DB *
+dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
+							 const void *userData)
+{
+    DB *db = NULL,*dbs = NULL;
+    DBS *dbsp = NULL;
+
+    /* NOTE: we are overriding userData with dbs_hashInfo. since all known
+     * callers pass 0, this is ok, otherwise we should merge the two */
+
+    dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS));
+    if (!dbsp) {
+	return NULL;
+    }
+    dbs = &dbsp->db;
+
+    dbsp->blobdir=dbs_mkBlobDirName(dbname);
+    if (dbsp->blobdir == NULL) {
+	goto loser;
+    }
+    dbsp->mode = mode;
+    dbsp->readOnly = (PRBool)(flags == NO_RDONLY);
+    dbsp->dbs_mapfile = NULL;
+    dbsp->dbs_addr = NULL;
+    dbsp->dbs_len = 0;
+
+    /* the real dbm call */
+    db = dbopen(dbname, flags, mode, type, &dbs_hashInfo);
+    if (db == NULL) {
+	goto loser;
+    }
+    dbs->internal = (void *) db;
+    dbs->type = type;
+    dbs->close = dbs_close;
+    dbs->get = dbs_get;
+    dbs->del = dbs_del;
+    dbs->put = dbs_put;
+    dbs->seq = dbs_seq;
+    dbs->sync = dbs_sync;
+    dbs->fd = dbs_fd;
+
+    return dbs;
+loser:
+    if (db) {
+	(*db->close)(db);
+    }
+    if (dbsp) {
+	if (dbsp->blobdir) {
+	    PORT_Free(dbsp->blobdir);
+	}
+	PORT_Free(dbsp);
+    }
+    return NULL;
+}
diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c
new file mode 100644
index 000000000..89c274aeb
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -0,0 +1,2277 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secoid.h"
+#include "blapi.h"
+#include "secitem.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "secerr.h"
+
+#include "keydbi.h"
+#include "lgdb.h"
+
+/*
+ * Record keys for keydb
+ */
+#define SALT_STRING "global-salt"
+#define VERSION_STRING "Version"
+#define KEYDB_PW_CHECK_STRING	"password-check"
+#define KEYDB_PW_CHECK_LEN	14
+#define KEYDB_FAKE_PW_CHECK_STRING	"fake-password-check"
+#define KEYDB_FAKE_PW_CHECK_LEN	19
+
+/* Size of the global salt for key database */
+#define SALT_LENGTH     16
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,algorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,encryptedData) },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = {
+	{ SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate }
+};
+
+
+/* ====== Default key databse encryption algorithm ====== */
+static void
+sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey)
+{
+    if ( dbkey && dbkey->arena ) {
+	PORT_FreeArena(dbkey->arena, PR_FALSE);
+    }
+}
+
+static void
+free_dbt(DBT *dbt)
+{
+    if ( dbt ) {
+	PORT_Free(dbt->data);
+	PORT_Free(dbt);
+    }
+    
+    return;
+}
+
+static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
+		     unsigned int flags);
+static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
+		     unsigned int flags);
+static int keydb_Sync(NSSLOWKEYDBHandle *db, unsigned int flags);
+static int keydb_Del(NSSLOWKEYDBHandle *db, DBT *key, unsigned int flags);
+static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
+		     unsigned int flags);
+static void keydb_Close(NSSLOWKEYDBHandle *db);
+
+/*
+ * format of key database entries for version 3 of database:
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		salt-len
+ *	2		nn-len
+ *	3..		salt-data
+ *	...		nickname
+ *	...		encrypted-key-data
+ */
+static DBT *
+encode_dbkey(NSSLOWKEYDBKey *dbkey,unsigned char version)
+{
+    DBT *bufitem = NULL;
+    unsigned char *buf;
+    int nnlen;
+    char *nn;
+    
+    bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT));
+    if ( bufitem == NULL ) {
+	goto loser;
+    }
+    
+    if ( dbkey->nickname ) {
+	nn = dbkey->nickname;
+	nnlen = PORT_Strlen(nn) + 1;
+    } else {
+	nn = "";
+	nnlen = 1;
+    }
+    
+    /* compute the length of the record */
+    /* 1 + 1 + 1 == version number header + salt length + nn len */
+    bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1;
+    
+    bufitem->data = (void *)PORT_ZAlloc(bufitem->size);
+    if ( bufitem->data == NULL ) {
+	goto loser;
+    }
+
+    buf = (unsigned char *)bufitem->data;
+    
+    /* set version number */
+    buf[0] = version;
+
+    /* set length of salt */
+    PORT_Assert(dbkey->salt.len < 256);
+    buf[1] = dbkey->salt.len;
+
+    /* set length of nickname */
+    PORT_Assert(nnlen < 256);
+    buf[2] = nnlen;
+
+    /* copy salt */
+    PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len);
+
+    /* copy nickname */
+    PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen);
+
+    /* copy encrypted key */
+    PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data,
+	      dbkey->derPK.len);
+    
+    return(bufitem);
+    
+loser:
+    if ( bufitem ) {
+	free_dbt(bufitem);
+    }
+    
+    return(NULL);
+}
+
+static NSSLOWKEYDBKey *
+decode_dbkey(DBT *bufitem, int expectedVersion)
+{
+    NSSLOWKEYDBKey *dbkey;
+    PLArenaPool *arena = NULL;
+    unsigned char *buf;
+    int version;
+    int keyoff;
+    int nnlen;
+    int saltoff;
+    
+    buf = (unsigned char *)bufitem->data;
+
+    version = buf[0];
+    
+    if ( version != expectedVersion ) {
+	goto loser;
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+    if ( dbkey == NULL ) {
+	goto loser;
+    }
+
+    dbkey->arena = arena;
+    dbkey->salt.data = NULL;
+    dbkey->derPK.data = NULL;
+    
+    dbkey->salt.len = buf[1];
+    dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len);
+    if ( dbkey->salt.data == NULL ) {
+	goto loser;
+    }
+
+    saltoff = 2;
+    keyoff = 2 + dbkey->salt.len;
+    
+    if ( expectedVersion >= 3 ) {
+	nnlen = buf[2];
+	if ( nnlen ) {
+	    dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1);
+	    if ( dbkey->nickname ) {
+		PORT_Memcpy(dbkey->nickname, &buf[keyoff+1], nnlen);
+	    }
+	}
+	keyoff += ( nnlen + 1 );
+	saltoff = 3;
+    }
+
+    PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len);
+    
+    dbkey->derPK.len = bufitem->size - keyoff;
+    dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena,dbkey->derPK.len);
+    if ( dbkey->derPK.data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len);
+    
+    return(dbkey);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+static NSSLOWKEYDBKey *
+get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index)
+{
+    NSSLOWKEYDBKey *dbkey;
+    DBT entry;
+    int ret;
+    
+    /* get it from the database */
+    ret = keydb_Get(handle, index, &entry, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up dbkey struct */
+
+    dbkey = decode_dbkey(&entry, handle->version);
+
+    return(dbkey);
+}
+
+static SECStatus
+put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool update)
+{
+    DBT *keydata = NULL;
+    int status;
+    
+    keydata = encode_dbkey(dbkey, handle->version);
+    if ( keydata == NULL ) {
+	goto loser;
+    }
+    
+    /* put it in the database */
+    if ( update ) {
+	status = keydb_Put(handle, index, keydata, 0);
+    } else {
+	status = keydb_Put(handle, index, keydata, R_NOOVERWRITE);
+    }
+    
+    if ( status ) {
+	goto loser;
+    }
+
+    /* sync the database */
+    status = keydb_Sync(handle, 0);
+    if ( status ) {
+	goto loser;
+    }
+
+    free_dbt(keydata);
+    return(SECSuccess);
+
+loser:
+    if ( keydata ) {
+	free_dbt(keydata);
+    }
+    
+    return(SECFailure);
+}
+
+SECStatus
+nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
+		 SECStatus (* keyfunc)(DBT *k, DBT *d, void *pdata),
+		 void *udata )
+{
+    DBT data;
+    DBT key;
+    SECStatus status;
+    int ret;
+
+    if (handle == NULL) {
+	return(SECFailure);
+    }
+
+    ret = keydb_Seq(handle, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* skip password check */
+	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
+		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
+				 KEYDB_PW_CHECK_LEN) == 0 ) {
+		    continue;
+		}
+	    }
+	    
+	    status = (* keyfunc)(&key, &data, udata);
+	    if (status != SECSuccess) {
+		return(status);
+	    }
+	}
+    } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 );
+
+    return(SECSuccess);
+}
+
+#ifdef notdef
+typedef struct keyNode {
+    struct keyNode *next;
+    DBT key;
+} keyNode;
+
+typedef struct {
+    PLArenaPool *arena;
+    keyNode *head;
+} keyList;
+
+static SECStatus
+sec_add_key_to_list(DBT *key, DBT *data, void *arg)
+{
+    keyList *keylist;
+    keyNode *node;
+    void *keydata;
+    
+    keylist = (keyList *)arg;
+
+    /* allocate the node struct */
+    node = (keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode));
+    if ( node == NULL ) {
+	return(SECFailure);
+    }
+    
+    /* allocate room for key data */
+    keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
+    if ( keydata == NULL ) {
+	return(SECFailure);
+    }
+
+    /* link node into list */
+    node->next = keylist->head;
+    keylist->head = node;
+
+    /* copy key into node */
+    PORT_Memcpy(keydata, key->data, key->size);
+    node->key.size = key->size;
+    node->key.data = keydata;
+    
+    return(SECSuccess);
+}
+#endif
+
+static SECItem *
+decodeKeyDBGlobalSalt(DBT *saltData)
+{
+    SECItem *saltitem;
+    
+    saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if ( saltitem == NULL ) {
+	return(NULL);
+    }
+    
+    saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
+    if ( saltitem->data == NULL ) {
+	PORT_Free(saltitem);
+	return(NULL);
+    }
+    
+    saltitem->len = saltData->size;
+    PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
+    
+    return(saltitem);
+}
+
+static SECItem *
+GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+    DBT saltKey;
+    DBT saltData;
+    int ret;
+    
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    ret = keydb_Get(handle, &saltKey, &saltData, 0);
+    if ( ret ) {
+	return(NULL);
+    }
+
+    return(decodeKeyDBGlobalSalt(&saltData));
+}
+
+static SECStatus
+StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle, SECItem *salt)
+{
+    DBT saltKey;
+    DBT saltData;
+    int status;
+    
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    saltData.data = (void *)salt->data;
+    saltData.size = salt->len;
+
+    /* put global salt into the database now */
+    status = keydb_Put(handle, &saltKey, &saltData, 0);
+    if ( status ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+static SECStatus
+makeGlobalVersion(NSSLOWKEYDBHandle *handle)
+{
+    unsigned char version;
+    DBT versionData;
+    DBT versionKey;
+    int status;
+    
+    version = NSSLOWKEY_DB_FILE_VERSION;
+    versionData.data = &version;
+    versionData.size = 1;
+    versionKey.data = VERSION_STRING;
+    versionKey.size = sizeof(VERSION_STRING)-1;
+		
+    /* put version string into the database now */
+    status = keydb_Put(handle, &versionKey, &versionData, 0);
+    if ( status ) {
+	return(SECFailure);
+    }
+    handle->version = version;
+
+    return(SECSuccess);
+}
+
+
+static SECStatus
+makeGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+    DBT saltKey;
+    DBT saltData;
+    unsigned char saltbuf[16];
+    int status;
+    
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    saltData.data = (void *)saltbuf;
+    saltData.size = sizeof(saltbuf);
+    RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
+
+    /* put global salt into the database now */
+    status = keydb_Put(handle, &saltKey, &saltData, 0);
+    if ( status ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+		   SECItem *encCheck);
+
+static unsigned char
+nsslowkey_version(NSSLOWKEYDBHandle *handle)
+{
+    DBT versionKey;
+    DBT versionData;
+    int ret;
+    versionKey.data = VERSION_STRING;
+    versionKey.size = sizeof(VERSION_STRING)-1;
+
+    if (handle->db == NULL) {
+	return 255;
+    }
+
+    /* lookup version string in database */
+    ret = keydb_Get( handle, &versionKey, &versionData, 0 );
+
+    /* error accessing the database */
+    if ( ret < 0 ) {
+	return 255;
+    }
+
+    if ( ret >= 1 ) {
+	return 0;
+    }
+    return *( (unsigned char *)versionData.data);
+}
+
+static PRBool
+seckey_HasAServerKey(NSSLOWKEYDBHandle *handle)
+{
+    DBT key;
+    DBT data;
+    int ret;
+    PRBool found = PR_FALSE;
+
+    ret = keydb_Seq(handle, &key, &data, R_FIRST);
+    if ( ret ) {
+	return PR_FALSE;
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    /* skip salt */
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    /* skip pw check entry */
+	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
+		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, 
+						KEYDB_PW_CHECK_LEN) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* keys stored by nickname will have 0 as the last byte of the
+	     * db key.  Other keys must be stored by modulus.  We will not
+	     * update those because they are left over from a keygen that
+	     * never resulted in a cert.
+	     */
+	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
+		continue;
+	    }
+
+	    if (PORT_Strcmp(key.data,"Server-Key") == 0) {
+		found = PR_TRUE;
+	        break;
+	    }
+	    
+	}
+    } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 );
+
+    return found;
+}
+
+/* forward declare local create function */
+static NSSLOWKEYDBHandle * nsslowkey_NewHandle(DB *dbHandle);
+
+/*
+ * currently updates key database from v2 to v3
+ */
+static SECStatus
+nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle)
+{
+    SECStatus rv;
+    DBT checkKey;
+    DBT checkData;
+    DBT saltKey;
+    DBT saltData;
+    DBT key;
+    DBT data;
+    unsigned char version;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    NSSLOWKEYDBHandle *update = NULL;
+    SECItem *oldSalt = NULL;
+    int ret;
+    SECItem checkitem;
+
+    if ( handle->updatedb == NULL ) {
+	return SECSuccess;
+    }
+
+    /* create a full DB Handle for our update so we 
+     * can use the correct locks for the db primatives */
+    update = nsslowkey_NewHandle(handle->updatedb);
+    if ( update == NULL) {
+	return SECSuccess;
+    }
+
+    /* update has now inherited the database handle */
+    handle->updatedb = NULL;
+
+    /*
+     * check the version record
+     */
+    version = nsslowkey_version(update);
+    if (version != 2) {
+	goto done;
+    }
+
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    ret = keydb_Get(update, &saltKey, &saltData, 0);
+    if ( ret ) {
+	/* no salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    oldSalt = decodeKeyDBGlobalSalt(&saltData);
+    if ( oldSalt == NULL ) {
+	/* bad salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    /*
+     * look for a pw check entry
+     */
+    checkKey.data = KEYDB_PW_CHECK_STRING;
+    checkKey.size = KEYDB_PW_CHECK_LEN;
+    
+    ret = keydb_Get(update, &checkKey, &checkData, 0 );
+    if (ret) {
+	/*
+	 * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must
+	 * be an old server database, and it does have a password associated
+	 * with it. Put a fake entry in so we can identify this db when we do
+	 * get the password for it.
+	 */
+	if (seckey_HasAServerKey(update)) {
+	    DBT fcheckKey;
+	    DBT fcheckData;
+
+	    /*
+	     * include a fake string
+	     */
+	    fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING;
+	    fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN;
+	    fcheckData.data = "1";
+	    fcheckData.size = 1;
+	    /* put global salt into the new database now */
+	    ret = keydb_Put( handle, &saltKey, &saltData, 0);
+	    if ( ret ) {
+		goto done;
+	    }
+	    ret = keydb_Put( handle, &fcheckKey, &fcheckData, 0);
+	    if ( ret ) {
+		goto done;
+	    }
+	} else {
+	    goto done;
+	}
+    } else {
+	/* put global salt into the new database now */
+	ret = keydb_Put( handle, &saltKey, &saltData, 0);
+	if ( ret ) {
+	    goto done;
+	}
+
+	dbkey = decode_dbkey(&checkData, 2);
+	if ( dbkey == NULL ) {
+	    goto done;
+	}
+	checkitem = dbkey->derPK;
+	dbkey->derPK.data = NULL;
+    
+	/* format the new pw check entry */
+	rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem);
+	if ( rv != SECSuccess ) {
+	    goto done;
+	}
+
+	rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE);
+	if ( rv != SECSuccess ) {
+	    goto done;
+	}
+
+	/* free the dbkey */
+	sec_destroy_dbkey(dbkey);
+	dbkey = NULL;
+    }
+    
+    
+    /* now traverse the database */
+    ret = keydb_Seq(update, &key, &data, R_FIRST);
+    if ( ret ) {
+	goto done;
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    /* skip salt */
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    /* skip pw check entry */
+	    if ( key.size == checkKey.size ) {
+		if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* keys stored by nickname will have 0 as the last byte of the
+	     * db key.  Other keys must be stored by modulus.  We will not
+	     * update those because they are left over from a keygen that
+	     * never resulted in a cert.
+	     */
+	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
+		continue;
+	    }
+	    
+	    dbkey = decode_dbkey(&data, 2);
+	    if ( dbkey == NULL ) {
+		continue;
+	    }
+
+	    /* This puts the key into the new database with the same
+	     * index (nickname) that it had before.  The second pass
+	     * of the update will have the password.  It will decrypt
+	     * and re-encrypt the entries using a new algorithm.
+	     */
+	    dbkey->nickname = (char *)key.data;
+	    rv = put_dbkey(handle, &key, dbkey, PR_FALSE);
+	    dbkey->nickname = NULL;
+
+	    sec_destroy_dbkey(dbkey);
+	}
+    } while ( keydb_Seq(update, &key, &data, R_NEXT) == 0 );
+
+    dbkey = NULL;
+
+done:
+    /* sync the database */
+    ret = keydb_Sync(handle, 0);
+
+    nsslowkey_CloseKeyDB(update);
+    
+    if ( oldSalt ) {
+	SECITEM_FreeItem(oldSalt, PR_TRUE);
+    }
+    
+    if ( dbkey ) {
+	sec_destroy_dbkey(dbkey);
+    }
+
+    return(SECSuccess);
+}
+
+static SECStatus
+openNewDB(const char *appName, const char *prefix, const char *dbname, 
+	NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg)
+{
+    SECStatus rv = SECFailure;
+    int status = RDB_FAIL;
+    char *updname = NULL;
+    DB *updatedb = NULL;
+    PRBool updated = PR_FALSE;
+    int ret;
+
+    if (appName) {
+	handle->db = rdbopen( appName, prefix, "key", NO_CREATE, &status);
+    } else {
+	handle->db = dbopen( dbname, NO_CREATE, 0600, DB_HASH, 0 );
+    }
+    /* if create fails then we lose */
+    if ( handle->db == NULL ) {
+	return (status == RDB_RETRY) ? SECWouldBlock: SECFailure;
+    }
+
+    /* force a transactional read, which will verify that one and only one
+     * process attempts the update. */
+    if (nsslowkey_version(handle) == NSSLOWKEY_DB_FILE_VERSION) {
+	/* someone else has already updated the database for us */
+	db_InitComplete(handle->db);
+	return SECSuccess;
+    }
+
+    /*
+     * if we are creating a multiaccess database, see if there is a
+     * local database we can update from.
+     */
+    if (appName) {
+        NSSLOWKEYDBHandle *updateHandle;
+	updatedb = dbopen( dbname, NO_RDONLY, 0600, DB_HASH, 0 );
+	if (!updatedb) {
+	    goto noupdate;
+	}
+
+	/* nsslowkey_version needs a full handle because it calls
+         * the kdb_Get() function, which needs to lock.
+         */
+        updateHandle = nsslowkey_NewHandle(updatedb);
+	if (!updateHandle) {
+	    updatedb->close(updatedb);
+	    goto noupdate;
+	}
+
+	handle->version = nsslowkey_version(updateHandle);
+	if (handle->version != NSSLOWKEY_DB_FILE_VERSION) {
+	    nsslowkey_CloseKeyDB(updateHandle);
+	    goto noupdate;
+	}
+
+	/* copy the new DB from the old one */
+	db_Copy(handle->db, updatedb);
+	nsslowkey_CloseKeyDB(updateHandle);
+	db_InitComplete(handle->db);
+	return SECSuccess;
+    }
+noupdate:
+
+    /* update the version number */
+    rv = makeGlobalVersion(handle);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /*
+     * try to update from v2 db
+     */
+    updname = (*namecb)(cbarg, 2);
+    if ( updname != NULL ) {
+	handle->updatedb = dbopen( updname, NO_RDONLY, 0600, DB_HASH, 0 );
+        PORT_Free( updname );
+
+	if ( handle->updatedb ) {
+	    /*
+	     * Try to update the db using a null password.  If the db
+	     * doesn't have a password, then this will work.  If it does
+	     * have a password, then this will fail and we will do the
+	     * update later
+	     */
+	    rv = nsslowkey_UpdateKeyDBPass1(handle);
+	    if ( rv == SECSuccess ) {
+		updated = PR_TRUE;
+	    }
+	}
+	    
+    }
+
+    /* we are using the old salt if we updated from an old db */
+    if ( ! updated ) {
+	rv = makeGlobalSalt(handle);
+	if ( rv != SECSuccess ) {
+	   goto loser;
+	}
+    }
+	
+    /* sync the database */
+    ret = keydb_Sync(handle, 0);
+    if ( ret ) {
+	rv = SECFailure;
+	goto loser;
+    }
+    rv = SECSuccess;
+
+loser:
+    db_InitComplete(handle->db);
+    return rv;
+}
+
+
+static DB *
+openOldDB(const char *appName, const char *prefix, const char *dbname, 
+					PRBool openflags) {
+    DB *db = NULL;
+
+    if (appName) {
+	db = rdbopen( appName, prefix, "key", openflags, NULL);
+    } else {
+	db = dbopen( dbname, openflags, 0600, DB_HASH, 0 );
+    }
+
+    return db;
+}
+
+/* check for correct version number */
+static PRBool
+verifyVersion(NSSLOWKEYDBHandle *handle)
+{
+    int version = nsslowkey_version(handle);
+
+    handle->version = version;
+    if (version != NSSLOWKEY_DB_FILE_VERSION ) {
+	if (handle->db) {
+	    keydb_Close(handle);
+	    handle->db = NULL;
+	}
+    }
+    return handle->db != NULL;
+}
+
+static NSSLOWKEYDBHandle *
+nsslowkey_NewHandle(DB *dbHandle)
+{
+    NSSLOWKEYDBHandle *handle;
+    handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc (sizeof(NSSLOWKEYDBHandle));
+    if (handle == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    handle->appname = NULL;
+    handle->dbname = NULL;
+    handle->global_salt = NULL;
+    handle->updatedb = NULL;
+    handle->db = dbHandle;
+    handle->ref = 1;
+    handle->lock = PZ_NewLock(nssILockKeyDB);
+
+    return handle;
+}
+
+NSSLOWKEYDBHandle *
+nsslowkey_OpenKeyDB(PRBool readOnly, const char *appName, const char *prefix,
+				NSSLOWKEYDBNameFunc namecb, void *cbarg)
+{
+    NSSLOWKEYDBHandle *handle = NULL;
+    SECStatus rv;
+    int openflags;
+    char *dbname = NULL;
+
+
+    handle = nsslowkey_NewHandle(NULL);
+
+    openflags = readOnly ? NO_RDONLY : NO_RDWR;
+
+
+    dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION);
+    if ( dbname == NULL ) {
+	goto loser;
+    }
+    handle->appname = appName ? PORT_Strdup(appName) : NULL ;
+    handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : 
+			(prefix ? PORT_Strdup(prefix) : NULL);
+    handle->readOnly = readOnly;
+
+
+
+    handle->db = openOldDB(appName, prefix, dbname, openflags);
+    if (handle->db) {
+	verifyVersion(handle);
+	if (handle->version == 255) {
+	    goto loser;
+	}
+    }
+
+    /* if first open fails, try to create a new DB */
+    if ( handle->db == NULL ) {
+	if ( readOnly ) {
+	    goto loser;
+	}
+
+	rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg);
+	/* two processes started to initialize the database at the same time.
+	 * The multiprocess code blocked the second one, then had it retry to
+	 * see if it can just open the database normally */
+	if (rv == SECWouldBlock) {
+	    handle->db = openOldDB(appName,prefix,dbname, openflags);
+	    verifyVersion(handle);
+	    if (handle->db == NULL) {
+		goto loser;
+	    }
+	} else if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    handle->global_salt = GetKeyDBGlobalSalt(handle);
+    if ( dbname )
+        PORT_Free( dbname );
+    return handle;
+
+loser:
+
+    if ( dbname )
+        PORT_Free( dbname );
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+    nsslowkey_CloseKeyDB(handle);
+    return NULL;
+}
+
+/*
+ * Close the database
+ */
+void
+nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle)
+{
+    if (handle != NULL) {
+	if (handle->db != NULL) {
+	    keydb_Close(handle);
+	}
+	if (handle->updatedb) {
+	    handle->updatedb->close(handle->updatedb);
+        }
+	if (handle->dbname) PORT_Free(handle->dbname);
+	if (handle->appname) PORT_Free(handle->appname);
+	if (handle->global_salt) {
+	    SECITEM_FreeItem(handle->global_salt,PR_TRUE);
+	}
+	if (handle->lock != NULL) {
+	    PZ_DestroyLock(handle->lock);
+	}
+	    
+	PORT_Free(handle);
+    }
+}
+
+/* Get the key database version */
+int
+nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle)
+{
+    PORT_Assert(handle != NULL);
+
+    return handle->version;
+}
+
+/*
+ * Delete a private key that was stored in the database
+ */
+SECStatus
+nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, const SECItem *pubkey)
+{
+    DBT namekey;
+    int ret;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* set up db key and data */
+    namekey.data = pubkey->data;
+    namekey.size = pubkey->len;
+
+    /* delete it from the database */
+    ret = keydb_Del(handle, &namekey, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* sync the database */
+    ret = keydb_Sync(handle, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.(value!)
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
+			   NSSLOWKEYPrivateKey *privkey,
+			   SECItem *pubKeyData,
+			   char *nickname,
+			   SDB *sdb)
+{
+    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
+	     nickname, sdb, PR_FALSE);
+}
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, 
+			   NSSLOWKEYPrivateKey *privkey,
+			   SECItem *pubKeyData,
+			   char *nickname,
+			   SDB *sdb)
+{
+    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
+	     nickname, sdb, PR_TRUE);
+}
+
+/* see if the symetric CKA_ID already Exists.
+ */
+PRBool
+nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id)
+{
+    DBT namekey;
+    DBT dummy;
+    int status;
+
+    namekey.data = (char *)id->data;
+    namekey.size = id->len;
+    status = keydb_Get(handle, &namekey, &dummy, 0);
+    if ( status ) {
+	return PR_FALSE;
+    }
+    
+    return PR_TRUE;
+}
+
+/* see if the public key for this cert is in the database filed
+ * by modulus
+ */
+PRBool
+nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cert)
+{
+    NSSLOWKEYPublicKey *pubkey = NULL;
+    DBT namekey;
+    DBT dummy;
+    int status;
+    
+    /* get cert's public key */
+    pubkey = nsslowcert_ExtractPublicKey(cert);
+    if ( pubkey == NULL ) {
+	return PR_FALSE;
+    }
+
+    /* TNH - make key from NSSLOWKEYPublicKey */
+    switch (pubkey->keyType) {
+      case NSSLOWKEYRSAKey:
+	namekey.data = pubkey->u.rsa.modulus.data;
+	namekey.size = pubkey->u.rsa.modulus.len;
+	break;
+      case NSSLOWKEYDSAKey:
+	namekey.data = pubkey->u.dsa.publicValue.data;
+	namekey.size = pubkey->u.dsa.publicValue.len;
+	break;
+      case NSSLOWKEYDHKey:
+	namekey.data = pubkey->u.dh.publicValue.data;
+	namekey.size = pubkey->u.dh.publicValue.len;
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	namekey.data = pubkey->u.ec.publicValue.data;
+	namekey.size = pubkey->u.ec.publicValue.len;
+	break;
+#endif /* NSS_ENABLE_ECC */
+      default:
+	/* XXX We don't do Fortezza or DH yet. */
+	return PR_FALSE;
+    }
+
+    if (handle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,namekey.data,namekey.size);
+	/* NOTE: don't use pubkey after this! it's now thrashed */
+	PORT_Memcpy(namekey.data,buf,sizeof(buf));
+	namekey.size = sizeof(buf);
+    }
+
+    status = keydb_Get(handle, &namekey, &dummy, 0);
+    /* some databases have the key stored as a signed value */
+    if (status) {
+	unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size+1);
+	if (buf) {
+	    PORT_Memcpy(&buf[1], namekey.data, namekey.size);
+	    buf[0] = 0;
+	    namekey.data = buf;
+	    namekey.size ++;
+    	    status = keydb_Get(handle, &namekey, &dummy, 0);
+	    PORT_Free(buf);
+	}
+    }
+    nsslowkey_DestroyPublicKey(pubkey);
+    if ( status ) {
+	return PR_FALSE;
+    }
+    
+    return PR_TRUE;
+}
+
+typedef struct NSSLowPasswordDataParamStr {
+    SECItem salt;
+    SECItem iter;
+} NSSLowPasswordDataParam;
+
+static const SEC_ASN1Template NSSLOWPasswordParamTemplate[] =
+{
+    {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLowPasswordDataParam) },
+    {SEC_ASN1_OCTET_STRING, offsetof(NSSLowPasswordDataParam, salt) },
+    {SEC_ASN1_INTEGER, offsetof(NSSLowPasswordDataParam, iter) },
+    {0}
+};
+struct LGEncryptedDataInfoStr {
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct LGEncryptedDataInfoStr LGEncryptedDataInfo;
+
+const SEC_ASN1Template lg_EncryptedDataInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(LGEncryptedDataInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(LGEncryptedDataInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(LGEncryptedDataInfo,encryptedData) },
+    { 0 }
+};
+static const unsigned char def_iter_data[] = { SEC_ASN1_INTEGER, 0x01, 0x01 };
+static const SECItem def_iter = { siBuffer , 
+				(unsigned char *)def_iter_data, 
+				sizeof(def_iter_data) };
+
+static SECItem *
+nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
+{
+    NSSLowPasswordDataParam param;
+    LGEncryptedDataInfo edi;
+    PLArenaPool *arena;
+    unsigned char one = 1;
+    SECItem *epw = NULL;
+    SECItem *encParam;
+    SECStatus rv;
+
+    param.salt = *salt;
+    param.iter.data = &one;
+    param.iter.len = 1;
+    edi.encryptedData = *data;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    encParam = SEC_ASN1EncodeItem(arena, NULL, &param,
+				  NSSLOWPasswordParamTemplate);
+    if (encParam == NULL) {
+	goto loser;
+    }
+    rv = SECOID_SetAlgorithmID(arena, &edi.algorithm, alg, encParam);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    epw = SEC_ASN1EncodeItem(NULL, NULL, &edi, lg_EncryptedDataInfoTemplate);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return epw;
+}
+
+static SECItem *
+nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt)
+{
+    NSSLowPasswordDataParam param;
+    LGEncryptedDataInfo edi;
+    PLArenaPool *arena;
+    SECItem *pwe = NULL;
+    SECStatus rv;
+
+    salt->data = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    rv = SEC_QuickDERDecodeItem(arena, &edi, lg_EncryptedDataInfoTemplate, 
+						derData);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    *alg = SECOID_GetAlgorithmTag(&edi.algorithm);
+    rv = SEC_QuickDERDecodeItem(arena, &param, NSSLOWPasswordParamTemplate,
+						&edi.algorithm.parameters);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (SECITEM_ItemsAreEqual(&param.iter, &def_iter) ) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(NULL, salt, &param.salt);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    pwe = SECITEM_DupItem(&edi.encryptedData);
+
+loser:
+    if (!pwe && salt->data) {
+	PORT_Free(salt->data);
+	salt->data = NULL;
+    }
+    PORT_FreeArena(arena, PR_FALSE);
+    return pwe;
+}
+
+
+/*
+ * check to see if the user has a password
+ */
+static SECStatus
+nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entry)
+{
+    DBT checkkey; /*, checkdata; */
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECItem   *global_salt = NULL; 
+    SECItem   *item = NULL; 
+    SECItem   entryData, oid;
+    SECItem   none = { siBuffer, NULL, 0 };
+    SECStatus rv = SECFailure;
+    SECOidTag algorithm;
+
+    if (handle == NULL) {
+	/* PORT_SetError */
+	return(SECFailure);
+    }
+
+    global_salt = GetKeyDBGlobalSalt(handle);
+    if (!global_salt) {
+	global_salt = &none;
+    }
+    if (global_salt->len > sizeof(entry->data)) {
+	/* PORT_SetError */
+	goto loser;
+    }
+	
+    PORT_Memcpy(entry->data, global_salt->data, global_salt->len);
+    entry->salt.data = entry->data;
+    entry->salt.len = global_salt->len;
+    entry->value.data = &entry->data[entry->salt.len];
+
+    checkkey.data = KEYDB_PW_CHECK_STRING;
+    checkkey.size = KEYDB_PW_CHECK_LEN;
+    dbkey = get_dbkey(handle, &checkkey);
+    if (dbkey == NULL) {
+	/* handle 'FAKE' check here */
+	goto loser;
+    }
+
+    oid.len = dbkey->derPK.data[0];
+    oid.data = &dbkey->derPK.data[1];
+
+    if (dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 +oid.len)) {
+	goto loser;
+    }
+    algorithm = SECOID_FindOIDTag(&oid);
+    entryData.type = siBuffer;
+    entryData.len = dbkey->derPK.len - (oid.len+1);
+    entryData.data = &dbkey->derPK.data[oid.len+1];
+
+    item = nsslowkey_EncodePW(algorithm, &dbkey->salt, &entryData);
+    if (!item || (item->len + entry->salt.len) > sizeof(entry->data)) {
+	goto loser;
+    }
+    PORT_Memcpy(entry->value.data, item->data, item->len);
+    entry->value.len = item->len;
+    rv = SECSuccess;
+
+loser:
+    if (item) {
+	SECITEM_FreeItem(item, PR_TRUE);
+    }
+    if (dbkey) {
+ 	sec_destroy_dbkey(dbkey);
+    }
+    if (global_salt && global_salt != &none) {
+	SECITEM_FreeItem(global_salt,PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * check to see if the user has a password
+ */
+static SECStatus
+nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entry)
+{
+    DBT checkkey;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECItem   *item = NULL; 
+    SECItem   salt; 
+    SECOidTag algid;
+    SECStatus rv = SECFailure;
+    PLArenaPool *arena;
+    int ret;
+
+    if (handle == NULL) {
+	/* PORT_SetError */
+	return(SECFailure);
+    }
+
+    checkkey.data = KEYDB_PW_CHECK_STRING;
+    checkkey.size = KEYDB_PW_CHECK_LEN;
+
+    salt.data = NULL;
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return SECFailure;
+    }
+
+    item = nsslowkey_DecodePW(&entry->value, &algid, &salt);
+    if (item == NULL) {
+	goto loser;
+    }
+
+    dbkey = PORT_ArenaZNew(arena, NSSLOWKEYDBKey);
+    if (dbkey == NULL) {
+	goto loser;
+    }
+
+    dbkey->arena = arena;
+
+    rv = SECITEM_CopyItem(arena, &dbkey->salt, &salt);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    rv = encodePWCheckEntry(arena, &dbkey->derPK, algid, item);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    if (handle->global_salt) {
+	SECITEM_FreeItem(handle->global_salt, PR_TRUE);
+	handle->global_salt = NULL;
+    }
+    rv = StoreKeyDBGlobalSalt(handle, &entry->salt);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    ret = keydb_Sync(handle, 0);
+    if ( ret ) {
+	rv = SECFailure;
+	goto loser;
+    }
+    handle->global_salt = GetKeyDBGlobalSalt(handle);
+
+loser:
+    if (item) {
+	SECITEM_FreeItem(item, PR_TRUE);
+    }
+    if (arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+    if (salt.data) {
+	PORT_Free(salt.data);
+    }
+    return rv;
+}
+
+#ifdef EC_DEBUG
+#define SEC_PRINT(str1, str2, num, sitem) \
+    printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
+            str1, str2, num, sitem->len); \
+    for (i = 0; i < sitem->len; i++) { \
+	    printf("%02x:", sitem->data[i]); \
+    } \
+    printf("\n") 
+#else
+#define SEC_PRINT(a, b, c, d) 
+#endif /* EC_DEBUG */
+
+
+SECStatus 
+seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, 
+			    SDB *sdbpw, SECItem *result)
+{
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *temparena = NULL;
+    SECItem *der_item = NULL;
+    SECItem *cipherText = NULL;
+    SECItem *dummy = NULL;
+#ifdef NSS_ENABLE_ECC
+    SECItem *fordebug = NULL;
+    int savelen;
+#endif
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(temparena == NULL)
+	goto loser;
+
+    /* allocate structures */
+    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
+	sizeof(NSSLOWKEYPrivateKeyInfo));
+    der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem));
+    if((pki == NULL) || (der_item == NULL))
+	goto loser;
+
+
+    /* setup private key info */
+    dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), 
+	NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+    if(dummy == NULL)
+	goto loser;
+
+    /* Encode the key, and set the algorithm (with params) */
+    switch (pk->keyType) {
+      case NSSLOWKEYRSAKey:
+        prepare_low_rsa_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, 
+				   nsslowkey_RSAPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), 
+				   SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	
+	break;
+      case NSSLOWKEYDSAKey:
+        prepare_low_dsa_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+				   nsslowkey_DSAPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+        prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+	dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
+				   nsslowkey_PQGParamsTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+				   SEC_OID_ANSIX9_DSA_SIGNATURE, dummy);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	
+	break;
+      case NSSLOWKEYDHKey:
+        prepare_low_dh_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+				   nsslowkey_DHPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+				   SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	prepare_low_ec_priv_key_for_asn1(pk);
+	/* Public value is encoded as a bit string so adjust length
+	 * to be in bits before ASN encoding and readjust 
+	 * immediately after.
+	 *
+	 * Since the SECG specification recommends not including the
+	 * parameters as part of ECPrivateKey, we zero out the curveOID
+	 * length before encoding and restore it later.
+	 */
+	pk->u.ec.publicValue.len <<= 3;
+	savelen = pk->u.ec.ecParams.curveOID.len;
+	pk->u.ec.ecParams.curveOID.len = 0;
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+				   nsslowkey_ECPrivateKeyTemplate);
+	pk->u.ec.ecParams.curveOID.len = savelen;
+	pk->u.ec.publicValue.len >>= 3;
+
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	dummy = &pk->u.ec.ecParams.DEREncoding;
+
+	/* At this point dummy should contain the encoded params */
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+				   SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy);
+
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	
+	fordebug = &(pki->privateKey);
+	SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", 
+		  pk->keyType, fordebug);
+
+	break;
+#endif /* NSS_ENABLE_ECC */
+      default:
+	/* We don't support DH or Fortezza private keys yet */
+	PORT_Assert(PR_FALSE);
+	break;
+    }
+
+    /* setup encrypted private key info */
+    dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, 
+	nsslowkey_PrivateKeyInfoTemplate);
+
+    SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", 
+	      pk->keyType, der_item);
+
+    if(dummy == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = lg_util_encrypt(temparena, sdbpw, dummy, &cipherText);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem ( permarena, result, cipherText);
+
+loser:
+
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+
+    return rv;
+}
+
+static SECStatus 
+seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SDB *sdbpw,
+		       NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update)
+{
+    NSSLOWKEYDBKey *dbkey = NULL;
+    PLArenaPool *arena = NULL;
+    SECStatus rv = SECFailure;
+
+    if((keydb == NULL) || (index == NULL) || (sdbpw == NULL) ||
+	(pk == NULL))
+	return SECFailure;
+	
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(arena == NULL)
+	return SECFailure;
+
+    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+    if(dbkey == NULL)
+	goto loser;
+    dbkey->arena = arena;
+    dbkey->nickname = nickname;
+
+    rv = seckey_encrypt_private_key(arena, pk, sdbpw, &dbkey->derPK);
+    if(rv != SECSuccess)
+	goto loser;
+
+    rv = put_dbkey(keydb, index, dbkey, update);
+
+    /* let success fall through */
+loser:
+    if(arena != NULL)
+	PORT_FreeArena(arena, PR_TRUE);
+
+    return rv;
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.
+ * Note that the nickname is optional.  It was only used by keyutil.
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
+			      NSSLOWKEYPrivateKey *privkey,
+			      SECItem *pubKeyData,
+			      char *nickname,
+			      SDB *sdbpw,
+                              PRBool update)
+{
+    DBT namekey;
+    SECStatus rv;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* set up db key and data */
+    namekey.data = pubKeyData->data;
+    namekey.size = pubKeyData->len;
+
+    /* encrypt the private key */
+    rv = seckey_put_private_key(handle, &namekey, sdbpw, privkey, nickname,
+				update);
+    
+    return(rv);
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_decrypt_private_key(SECItem*epki,
+			   SDB *sdbpw)
+{
+    NSSLOWKEYPrivateKey *pk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *temparena = NULL, *permarena = NULL;
+    SECItem *dest = NULL;
+#ifdef NSS_ENABLE_ECC
+    SECItem *fordebug = NULL;
+#endif
+
+    if((epki == NULL) || (sdbpw == NULL))
+	goto loser;
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if((temparena == NULL) || (permarena == NULL))
+	goto loser;
+
+    /* allocate temporary items */
+    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
+	sizeof(NSSLOWKEYPrivateKeyInfo));
+
+    /* allocate permanent arena items */
+    pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena,
+	sizeof(NSSLOWKEYPrivateKey));
+
+    if((pk == NULL) || (pki == NULL))
+	goto loser;
+
+    pk->arena = permarena;
+
+    rv = lg_util_decrypt(sdbpw, epki, &dest);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+	
+    if(dest != NULL)
+    {
+        SECItem newPrivateKey;
+        SECItem newAlgParms;
+
+        SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1,
+		  dest);
+
+	rv = SEC_QuickDERDecodeItem(temparena, pki, 
+	    nsslowkey_PrivateKeyInfoTemplate, dest);
+	if(rv == SECSuccess)
+	{
+	    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	      case SEC_OID_X500_RSA_ENCRYPTION:
+	      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+		pk->keyType = NSSLOWKEYRSAKey;
+		prepare_low_rsa_priv_key_for_asn1(pk);
+                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+                    &pki->privateKey) ) break;
+		rv = SEC_QuickDERDecodeItem(permarena, pk,
+					nsslowkey_RSAPrivateKeyTemplate,
+					&newPrivateKey);
+		break;
+	      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+		pk->keyType = NSSLOWKEYDSAKey;
+		prepare_low_dsa_priv_key_for_asn1(pk);
+                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+                    &pki->privateKey) ) break;
+		rv = SEC_QuickDERDecodeItem(permarena, pk,
+					nsslowkey_DSAPrivateKeyTemplate,
+					&newPrivateKey);
+		if (rv != SECSuccess)
+		    goto loser;
+		prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+                if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms,
+                    &pki->algorithm.parameters) ) break;
+		rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params,
+					nsslowkey_PQGParamsTemplate,
+					&newAlgParms);
+		break;
+	      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+		pk->keyType = NSSLOWKEYDHKey;
+		prepare_low_dh_priv_key_for_asn1(pk);
+                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+                    &pki->privateKey) ) break;
+		rv = SEC_QuickDERDecodeItem(permarena, pk,
+					nsslowkey_DHPrivateKeyTemplate,
+					&newPrivateKey);
+		break;
+#ifdef NSS_ENABLE_ECC
+	      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+		pk->keyType = NSSLOWKEYECKey;
+		prepare_low_ec_priv_key_for_asn1(pk);
+
+		fordebug = &pki->privateKey;
+		SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", 
+			  pk->keyType, fordebug);
+                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+                    &pki->privateKey) ) break;
+		rv = SEC_QuickDERDecodeItem(permarena, pk,
+					nsslowkey_ECPrivateKeyTemplate,
+					&newPrivateKey);
+		if (rv != SECSuccess)
+		    goto loser;
+
+		prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams);
+
+		rv = SECITEM_CopyItem(permarena, 
+		    &pk->u.ec.ecParams.DEREncoding, 
+		    &pki->algorithm.parameters);
+
+		if (rv != SECSuccess)
+		    goto loser;
+
+		/* Fill out the rest of EC params */
+		rv = LGEC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding,
+				   &pk->u.ec.ecParams);
+
+		if (rv != SECSuccess)
+		    goto loser;
+
+		if (pk->u.ec.publicValue.len != 0) {
+		    pk->u.ec.publicValue.len >>= 3;
+		}
+
+		break;
+#endif /* NSS_ENABLE_ECC */
+	      default:
+		rv = SECFailure;
+		break;
+	    }
+	}
+	else if(PORT_GetError() == SEC_ERROR_BAD_DER)
+	{
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    goto loser;
+	}
+    }
+
+    /* let success fall through */
+loser:
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+    if(dest != NULL)
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+
+    if(rv != SECSuccess)
+    {
+	if(permarena != NULL)
+	    PORT_FreeArena(permarena, PR_TRUE);
+	pk = NULL;
+    }
+
+    return pk;
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SDB *sdbpw)
+{
+    if( ( dbkey == NULL ) || ( sdbpw == NULL ) ) {
+	return NULL;
+    }
+
+    return seckey_decrypt_private_key(&(dbkey->derPK), sdbpw);
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname,
+		       SDB *sdbpw)
+{
+    NSSLOWKEYDBKey *dbkey = NULL;
+    NSSLOWKEYPrivateKey *pk = NULL;
+
+    if( ( keydb == NULL ) || ( index == NULL ) || ( sdbpw == NULL ) ) {
+	return NULL;
+    }
+
+    dbkey = get_dbkey(keydb, index);
+    if(dbkey == NULL) {
+	goto loser;
+    }
+    
+    if ( nickname ) {
+	if ( dbkey->nickname && ( dbkey->nickname[0] != 0 ) ) {
+	    *nickname = PORT_Strdup(dbkey->nickname);
+	} else {
+	    *nickname = NULL;
+	}
+    }
+    
+    pk = seckey_decode_encrypted_private_key(dbkey, sdbpw);
+    
+    /* let success fall through */
+loser:
+
+    if ( dbkey != NULL ) {
+	sec_destroy_dbkey(dbkey);
+    }
+
+    return pk;
+}
+
+/*
+ * Find a key in the database, indexed by its public key modulus
+ * This is used to find keys that have been stored before their
+ * certificate arrives.  Once the certificate arrives the key
+ * is looked up by the public modulus in the certificate, and the
+ * re-stored by its nickname.
+ */
+NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
+			  				 SDB *sdbpw)
+{
+    DBT namekey;
+    NSSLOWKEYPrivateKey *pk = NULL;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up db key */
+    namekey.data = modulus->data;
+    namekey.size = modulus->len;
+
+    pk = seckey_get_private_key(handle, &namekey, NULL, sdbpw);
+    
+    /* no need to free dbkey, since its on the stack, and the data it
+     * points to is owned by the database
+     */
+    return(pk);
+}
+
+char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, 
+					SECItem *modulus, SDB *sdbpw)
+{
+    DBT namekey;
+    NSSLOWKEYPrivateKey *pk = NULL;
+    char *nickname = NULL;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up db key */
+    namekey.data = modulus->data;
+    namekey.size = modulus->len;
+
+    pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw);
+    if (pk) {
+	nsslowkey_DestroyPrivateKey(pk);
+    }
+    
+    /* no need to free dbkey, since its on the stack, and the data it
+     * points to is owned by the database
+     */
+    return(nickname);
+}
+/* ===== ENCODING ROUTINES ===== */
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+		   SECItem *encCheck)
+{
+    SECOidData *oidData;
+    SECStatus rv;
+    
+    oidData = SECOID_FindOIDByTag(alg);
+    if ( oidData == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    entry->len = 1 + oidData->oid.len + encCheck->len;
+    if ( arena ) {
+	entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
+    } else {
+	entry->data = (unsigned char *)PORT_Alloc(entry->len);
+    }
+    
+    if ( entry->data == NULL ) {
+	goto loser;
+    }
+	
+    /* first length of oid */
+    entry->data[0] = (unsigned char)oidData->oid.len;
+    /* next oid itself */
+    PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
+    /* finally the encrypted check string */
+    PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data,
+		encCheck->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+    
+
+#define MAX_DB_SIZE 0xffff 
+/*
+ * Clear out all the keys in the existing database
+ */
+static SECStatus
+nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle)
+{
+    SECStatus rv;
+    int ret;
+    int errors = 0;
+
+    if ( handle->db == NULL ) {
+	return(SECSuccess);
+    }
+
+    if (handle->readOnly) {
+	/* set an error code */
+	return SECFailure;
+     }
+
+    if (handle->appname == NULL && handle->dbname == NULL) {
+	return SECFailure;
+    }
+
+    keydb_Close(handle);
+    if (handle->appname) {
+	handle->db= 
+	    rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL);
+    } else {
+	handle->db = dbopen( handle->dbname, NO_CREATE, 0600, DB_HASH, 0 );
+    }
+    if (handle->db == NULL) {
+	/* set an error code */
+	return SECFailure;
+    }
+    
+    rv = makeGlobalVersion(handle);
+    if ( rv != SECSuccess ) {
+	errors++;
+	goto done;
+    }
+
+    if (handle->global_salt) {
+	rv = StoreKeyDBGlobalSalt(handle, handle->global_salt);
+    } else {
+	rv = makeGlobalSalt(handle);
+	if ( rv == SECSuccess ) {
+	    handle->global_salt = GetKeyDBGlobalSalt(handle);
+	}
+    }
+    if ( rv != SECSuccess ) {
+	errors++;
+    }
+
+done:
+    /* sync the database */
+    ret = keydb_Sync(handle, 0);
+    db_InitComplete(handle->db);
+
+    return (errors == 0 ? SECSuccess : SECFailure);
+}
+
+static int
+keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+    
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+
+    ret = (* db->get)(db, key, data, flags);
+
+    prstat = PZ_Unlock(kdbLock);
+
+    return(ret);
+}
+
+static int
+keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret = 0;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+
+    ret = (* db->put)(db, key, data, flags);
+    
+    prstat = PZ_Unlock(kdbLock);
+
+    return(ret);
+}
+
+static int
+keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+
+    ret = (* db->sync)(db, flags);
+    
+    prstat = PZ_Unlock(kdbLock);
+
+    return(ret);
+}
+
+static int
+keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+
+    ret = (* db->del)(db, key, flags);
+    
+    prstat = PZ_Unlock(kdbLock);
+
+    return(ret);
+}
+
+static int
+keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+    
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+    
+    ret = (* db->seq)(db, key, data, flags);
+
+    prstat = PZ_Unlock(kdbLock);
+
+    return(ret);
+}
+
+static void
+keydb_Close(NSSLOWKEYDBHandle *kdb)
+{
+    PRStatus prstat;
+    PRLock *kdbLock = kdb->lock;
+    DB *db = kdb->db;
+
+    PORT_Assert(kdbLock != NULL);
+    PZ_Lock(kdbLock);
+
+    (* db->close)(db);
+    
+    prstat = PZ_Unlock(kdbLock);
+
+    return;
+}
+
+/*
+ * SDB Entry Points for the Key DB 
+ */
+
+CK_RV
+lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
+{
+    NSSLOWKEYDBHandle *keydb;
+    NSSLOWKEYPasswordEntry entry;
+    SECStatus rv;
+
+    keydb = lg_getKeyDB(sdb);
+    if (keydb == NULL) {
+        return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (PORT_Strcmp(id,"password") != 0) {
+	/* shouldn't happen */
+	return CKR_GENERAL_ERROR; /* no extra data stored */
+    }
+    rv = nsslowkey_GetPWCheckEntry(keydb, &entry);
+    if (rv != SECSuccess) {
+        return CKR_GENERAL_ERROR;
+    }
+    item1->len = entry.salt.len;
+    PORT_Memcpy(item1->data, entry.salt.data, item1->len);
+    item2->len = entry.value.len;
+    PORT_Memcpy(item2->data, entry.value.data, item2->len);
+    return CKR_OK;
+}
+
+CK_RV
+lg_PutMetaData(SDB *sdb, const char *id, 
+	       const SECItem *item1, const SECItem *item2)
+{
+    NSSLOWKEYDBHandle *keydb;
+    NSSLOWKEYPasswordEntry entry;
+    SECStatus rv;
+
+    keydb = lg_getKeyDB(sdb);
+    if (keydb == NULL) {
+        return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (PORT_Strcmp(id,"password") != 0) {
+	/* shouldn't happen */
+	return CKR_GENERAL_ERROR; /* no extra data stored */
+    }
+    entry.salt = *item1;
+    entry.value = *item2;
+    rv = nsslowkey_PutPWCheckEntry(keydb, &entry);
+    if (rv != SECSuccess) {
+        return CKR_GENERAL_ERROR;
+    }
+    return CKR_OK;
+}
+
+CK_RV
+lg_Reset(SDB *sdb)
+{
+    NSSLOWKEYDBHandle *keydb;
+    SECStatus rv;
+
+    keydb = lg_getKeyDB(sdb);
+    if (keydb == NULL) {
+        return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    rv = nsslowkey_ResetKeyDB(keydb);
+    if (rv != SECSuccess) {
+        return CKR_GENERAL_ERROR;
+    }
+    return CKR_OK;
+}
+
diff --git a/security/nss/lib/softoken/legacydb/keydbi.h b/security/nss/lib/softoken/legacydb/keydbi.h
new file mode 100644
index 000000000..f7f427266
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/keydbi.h
@@ -0,0 +1,86 @@
+/*
+ * private.h - Private data structures for the software token library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _KEYDBI_H_
+#define _KEYDBI_H_
+
+#include "nspr.h"
+#include "seccomon.h"
+#include "mcom_db.h"
+
+/*
+ * Handle structure for open key databases
+ */
+struct NSSLOWKEYDBHandleStr {
+    DB *db;
+    DB *updatedb;		/* used when updating an old version */
+    SECItem *global_salt;	/* password hashing salt for this db */
+    int version;		/* version of the database */
+    char *appname;		/* multiaccess app name */
+    char *dbname;		/* name of the openned DB */
+    PRBool readOnly;		/* is the DB read only */
+    PRLock *lock;
+    PRInt32 ref;		/* reference count */
+};
+
+/*
+** Typedef for callback for traversing key database.
+**      "key" is the key used to index the data in the database (nickname)
+**      "data" is the key data
+**      "pdata" is the user's data 
+*/
+typedef SECStatus (* NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
+
+
+SEC_BEGIN_PROTOS
+
+/*
+** Traverse the entire key database, and pass the nicknames and keys to a 
+** user supplied function.
+**      "f" is the user function to call for each key
+**      "udata" is the user's data, which is passed through to "f"
+*/
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
+				NSSLOWKEYTraverseKeysFunc f,
+				void *udata);
+
+SEC_END_PROTOS
+
+#endif /* _KEYDBI_H_ */
diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c
new file mode 100644
index 000000000..15cfc63ec
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -0,0 +1,1808 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+
+#include "pcertt.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "blapi.h"
+#include "secerr.h"
+
+/*
+ * Cache the object we are working on during Set's and Get's
+ */
+typedef struct LGObjectCacheStr {
+    CK_OBJECT_CLASS  objclass;
+    CK_OBJECT_HANDLE handle;
+    SDB              *sdb;
+    void             *objectInfo;
+    LGFreeFunc       infoFree;
+    SECItem          dbKey;
+} LGObjectCache;
+
+static const CK_OBJECT_HANDLE lg_classArray[] = {
+    0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
+    CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME,
+     CKO_CERTIFICATE };
+
+#define handleToClass(handle) \
+    lg_classArray[((handle & LG_TOKEN_TYPE_MASK))>>LG_TOKEN_TYPE_SHIFT]
+
+
+static void lg_DestroyObjectCache(LGObjectCache *obj);
+
+static LGObjectCache *
+lg_NewObjectCache(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+    LGObjectCache *obj = NULL;
+    SECStatus rv;
+
+    obj = PORT_New(LGObjectCache);
+    if (obj == NULL) {
+	return NULL;
+    }
+
+    obj->objclass = handleToClass(handle);
+    obj->handle = handle;
+    obj->sdb = sdb;
+    obj->objectInfo = NULL;
+    obj->infoFree = NULL;
+    obj->dbKey.data = NULL;
+    obj->dbKey.len = 0;
+    lg_DBLock(sdb);
+    if (dbKey == NULL) {
+	dbKey = lg_lookupTokenKeyByHandle(sdb,handle);
+    }
+    if (dbKey == NULL) {
+	lg_DBUnlock(sdb);
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(NULL,&obj->dbKey,dbKey);
+    lg_DBUnlock(sdb);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    return obj;
+loser:
+    if (obj) {
+	(void) lg_DestroyObjectCache(obj);
+    }
+    return NULL;
+
+}
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static void
+lg_DestroyObjectCache(LGObjectCache *obj)
+{
+    if (obj->dbKey.data) {
+	PORT_Free(obj->dbKey.data);
+	obj->dbKey.data = NULL;
+    } 
+    if (obj->objectInfo) {
+	(*obj->infoFree)(obj->objectInfo);
+	obj->objectInfo = NULL;
+	obj->infoFree = NULL;
+    }
+    PORT_Free(obj);
+}
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+static CK_RV
+lg_ULongAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, CK_ULONG value)
+{
+    unsigned char *data;
+    int i;
+
+    if (attr->pValue == NULL) {
+	attr->ulValueLen = 4;
+	return CKR_OK;
+    }
+    if (attr->ulValueLen < 4) {
+	attr->ulValueLen = (CK_ULONG) -1;
+	return CKR_BUFFER_TOO_SMALL;
+    }
+
+    data = (unsigned char *)attr->pValue;
+    for (i=0; i < 4; i++) {
+	data[i] = (value >> ((3-i)*8)) & 0xff;
+    }
+    attr->ulValueLen = 4;
+    return CKR_OK;
+}
+
+static CK_RV
+lg_CopyAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, 
+				CK_VOID_PTR value, CK_ULONG len)
+{
+
+    if (attr->pValue == NULL) {
+	attr->ulValueLen = len;
+	return CKR_OK;
+    }
+    if (attr->ulValueLen < len) {
+	attr->ulValueLen = (CK_ULONG) -1;
+	return CKR_BUFFER_TOO_SMALL;
+    }
+    PORT_Memcpy(attr->pValue,value,len);
+    attr->ulValueLen = len;
+    return CKR_OK;
+}
+
+static CK_RV
+lg_CopyAttributeSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, 
+				void  *value, CK_ULONG len)
+{
+    unsigned char * dval = (unsigned char *)value;
+    if (*dval == 0) {
+	dval++;
+	len--;
+    }
+    return lg_CopyAttribute(attribute,type,dval,len);
+}
+
+static CK_RV
+lg_CopyPrivAttribute(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, 
+				void  *value, CK_ULONG len, SDB *sdbpw)
+{
+    SECItem plainText, *cipherText = NULL;
+    CK_RV crv = CKR_USER_NOT_LOGGED_IN;
+    SECStatus rv;
+
+    plainText.data = value;
+    plainText.len = len;
+    rv = lg_util_encrypt(NULL, sdbpw, &plainText, &cipherText);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    crv = lg_CopyAttribute(attribute,type,cipherText->data,cipherText->len);
+loser:
+    if (cipherText) {
+	SECITEM_FreeItem(cipherText,PR_TRUE);
+    }
+    return crv;
+}
+
+static CK_RV
+lg_CopyPrivAttrSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, 
+				void  *value, CK_ULONG len, SDB *sdbpw)
+{
+    unsigned char * dval = (unsigned char *)value;
+
+    if (*dval == 0) {
+	dval++;
+	len--;
+    }
+    return lg_CopyPrivAttribute(attribute,type,dval,len,sdbpw);
+}
+
+static CK_RV
+lg_invalidAttribute(CK_ATTRIBUTE *attr)
+{
+    attr->ulValueLen = (CK_ULONG) -1;
+    return CKR_ATTRIBUTE_TYPE_INVALID;
+}
+
+
+#define LG_DEF_ATTRIBUTE(value,len) \
+   { 0, value, len }
+
+#define LG_CLONE_ATTR(attribute, type, staticAttr) \
+    lg_CopyAttribute(attribute, type, staticAttr.pValue, staticAttr.ulValueLen)
+
+CK_BBOOL lg_staticTrueValue = CK_TRUE;
+CK_BBOOL lg_staticFalseValue = CK_FALSE;
+static const CK_ATTRIBUTE lg_StaticTrueAttr = 
+  LG_DEF_ATTRIBUTE(&lg_staticTrueValue,sizeof(lg_staticTrueValue));
+static const CK_ATTRIBUTE lg_StaticFalseAttr = 
+  LG_DEF_ATTRIBUTE(&lg_staticFalseValue,sizeof(lg_staticFalseValue));
+static const CK_ATTRIBUTE lg_StaticNullAttr = LG_DEF_ATTRIBUTE(NULL,0);
+char lg_StaticOneValue = 1;
+static const CK_ATTRIBUTE lg_StaticOneAttr = 
+  LG_DEF_ATTRIBUTE(&lg_StaticOneValue,sizeof(lg_StaticOneValue));
+
+/*
+ * helper functions which get the database and call the underlying 
+ * low level database function.
+ */
+static char *
+lg_FindKeyNicknameByPublicKey(SDB *sdb, SECItem *dbKey)
+{
+    NSSLOWKEYDBHandle *keyHandle;
+    char * label;
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (!keyHandle) {
+	return NULL;
+    }
+
+    label = nsslowkey_FindKeyNicknameByPublicKey(keyHandle, dbKey, 
+						 sdb);
+    return label;
+}
+
+
+NSSLOWKEYPrivateKey *
+lg_FindKeyByPublicKey(SDB *sdb, SECItem *dbKey)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    NSSLOWKEYDBHandle   *keyHandle;
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle == NULL) {
+	return NULL;
+    }
+    privKey = nsslowkey_FindKeyByPublicKey(keyHandle, dbKey, sdb);
+    if (privKey == NULL) {
+	return NULL;
+    }
+    return privKey;
+}
+
+static certDBEntrySMime *
+lg_getSMime(LGObjectCache *obj)
+{
+    certDBEntrySMime *entry;
+    NSSLOWCERTCertDBHandle *certHandle;
+
+    if (obj->objclass != CKO_NETSCAPE_SMIME) {
+	return NULL;
+    }
+    if (obj->objectInfo) {
+	return (certDBEntrySMime *)obj->objectInfo;
+    }
+
+    certHandle = lg_getCertDB(obj->sdb);
+    if (!certHandle) {
+	return NULL;
+    }
+    entry = nsslowcert_ReadDBSMimeEntry(certHandle, (char *)obj->dbKey.data);
+    obj->objectInfo = (void *)entry;
+    obj->infoFree = (LGFreeFunc) nsslowcert_DestroyDBEntry;
+    return entry;
+}
+
+static certDBEntryRevocation *
+lg_getCrl(LGObjectCache *obj)
+{
+    certDBEntryRevocation *crl;
+    PRBool isKrl;
+    NSSLOWCERTCertDBHandle *certHandle;
+
+    if (obj->objclass != CKO_NETSCAPE_CRL) {
+	return NULL;
+    }
+    if (obj->objectInfo) {
+	return (certDBEntryRevocation *)obj->objectInfo;
+    }
+
+    isKrl = (PRBool) (obj->handle == LG_TOKEN_KRL_HANDLE);
+    certHandle = lg_getCertDB(obj->sdb);
+    if (!certHandle) {
+	return NULL;
+    }
+
+    crl = nsslowcert_FindCrlByKey(certHandle, &obj->dbKey, isKrl);
+    obj->objectInfo = (void *)crl;
+    obj->infoFree = (LGFreeFunc) nsslowcert_DestroyDBEntry;
+    return crl;
+}
+
+static NSSLOWCERTCertificate *
+lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
+{
+    NSSLOWCERTCertificate *cert;
+    CK_OBJECT_CLASS objClass = obj->objclass;
+
+    if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) {
+	return NULL;
+    }
+    if (objClass == CKO_CERTIFICATE && obj->objectInfo) {
+	return (NSSLOWCERTCertificate *)obj->objectInfo;
+    }
+    cert = nsslowcert_FindCertByKey(certHandle, &obj->dbKey);
+    if (objClass == CKO_CERTIFICATE) {
+	obj->objectInfo = (void *)cert;
+	obj->infoFree = (LGFreeFunc) nsslowcert_DestroyCertificate ;
+    }
+    return cert;
+}
+
+static NSSLOWCERTTrust *
+lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
+{
+    NSSLOWCERTTrust *trust;
+
+    if (obj->objclass != CKO_NETSCAPE_TRUST) {
+	return NULL;
+    }
+    if (obj->objectInfo) {
+	return (NSSLOWCERTTrust *)obj->objectInfo;
+    }
+    trust = nsslowcert_FindTrustByKey(certHandle, &obj->dbKey);
+    obj->objectInfo = (void *)trust;
+    obj->infoFree = (LGFreeFunc) nsslowcert_DestroyTrust ;
+    return trust;
+}
+
+static NSSLOWKEYPublicKey *
+lg_GetPublicKey(LGObjectCache *obj)
+{
+    NSSLOWKEYPublicKey *pubKey;
+    NSSLOWKEYPrivateKey *privKey;
+
+    if (obj->objclass != CKO_PUBLIC_KEY) {
+	return NULL;
+    }
+    if (obj->objectInfo) {
+	return (NSSLOWKEYPublicKey *)obj->objectInfo;
+    }
+    privKey = lg_FindKeyByPublicKey(obj->sdb, &obj->dbKey);
+    if (privKey == NULL) {
+	return NULL;
+    }
+    pubKey = nsslowkey_ConvertToPublicKey(privKey);
+    nsslowkey_DestroyPrivateKey(privKey);
+    obj->objectInfo = (void *) pubKey;
+    obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPublicKey ;
+    return pubKey;
+}
+
+/*
+ * we need two versions of lg_GetPrivateKey. One version that takes the 
+ * DB handle so we can pass the handle we have already acquired in,
+ *  rather than going through the 'getKeyDB' code again, 
+ *  which may fail the second time and another which just aquires
+ *  the key handle from the sdb (where we don't already have a key handle.
+ * This version does the former.
+ */
+static NSSLOWKEYPrivateKey *
+lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle)
+{
+    NSSLOWKEYPrivateKey *privKey;
+
+    if ((obj->objclass != CKO_PRIVATE_KEY) && 
+			(obj->objclass != CKO_SECRET_KEY)) {
+	return NULL;
+    }
+    if (obj->objectInfo) {
+	return (NSSLOWKEYPrivateKey *)obj->objectInfo;
+    }
+    privKey = nsslowkey_FindKeyByPublicKey(keyHandle, &obj->dbKey, obj->sdb);
+    if (privKey == NULL) {
+	return NULL;
+    }
+    obj->objectInfo = (void *) privKey;
+    obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPrivateKey ;
+    return privKey;
+}
+
+/* this version does the latter */
+static NSSLOWKEYPrivateKey *
+lg_GetPrivateKey(LGObjectCache *obj)
+{
+    NSSLOWKEYDBHandle *keyHandle;
+    NSSLOWKEYPrivateKey *privKey;
+
+    keyHandle = lg_getKeyDB(obj->sdb);
+    if (!keyHandle) {
+	return NULL;
+    }
+    privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
+    return privKey;
+}
+
+/* lg_GetPubItem returns data associated with the public key.
+ * one only needs to free the public key. This comment is here
+ * because this sematic would be non-obvious otherwise. All callers
+ * should include this comment.
+ */
+static SECItem *
+lg_GetPubItem(NSSLOWKEYPublicKey *pubKey) {
+    SECItem *pubItem = NULL;
+    /* get value to compare from the cert's public key */
+    switch ( pubKey->keyType ) {
+    case NSSLOWKEYRSAKey:
+	    pubItem = &pubKey->u.rsa.modulus;
+	    break;
+    case NSSLOWKEYDSAKey:
+	    pubItem = &pubKey->u.dsa.publicValue;
+	    break;
+    case NSSLOWKEYDHKey:
+	    pubItem = &pubKey->u.dh.publicValue;
+	    break;
+#ifdef NSS_ENABLE_ECC
+    case NSSLOWKEYECKey:
+	    pubItem = &pubKey->u.ec.publicValue;
+	    break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	    break;
+    }
+    return pubItem;
+}
+
+static const SEC_ASN1Template lg_SerialTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
+    { 0 }
+};
+
+static CK_RV
+lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_RSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_ENCRYPT:
+    case CKA_VERIFY:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_MODULUS:
+	return lg_CopyAttributeSigned(attribute,type,key->u.rsa.modulus.data,
+					key->u.rsa.modulus.len);
+    case CKA_PUBLIC_EXPONENT:
+	return lg_CopyAttributeSigned(attribute, type,
+				key->u.rsa.publicExponent.data,
+				key->u.rsa.publicExponent.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
+						key->u.dsa.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_VERIFY:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_VALUE:
+	return lg_CopyAttributeSigned(attribute,type,
+					key->u.dsa.publicValue.data,
+					key->u.dsa.publicValue.len);
+    case CKA_PRIME:
+	return lg_CopyAttributeSigned(attribute,type,
+					key->u.dsa.params.prime.data,
+					key->u.dsa.params.prime.len);
+    case CKA_SUBPRIME:
+	return lg_CopyAttributeSigned(attribute,type,
+				key->u.dsa.params.subPrime.data,
+				key->u.dsa.params.subPrime.len);
+    case CKA_BASE:
+	return lg_CopyAttributeSigned(attribute,type,
+					key->u.dsa.params.base.data,
+					key->u.dsa.params.base.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DH;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_ENCRYPT:
+    case CKA_VERIFY:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_VALUE:
+	return lg_CopyAttributeSigned(attribute,type,
+					key->u.dh.publicValue.data,
+					key->u.dh.publicValue.len);
+    case CKA_PRIME:
+	return lg_CopyAttributeSigned(attribute,type,key->u.dh.prime.data,
+					key->u.dh.prime.len);
+    case CKA_BASE:
+	return lg_CopyAttributeSigned(attribute,type,key->u.dh.base.data,
+					key->u.dh.base.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+#ifdef NSS_ENABLE_ECC
+static CK_RV
+lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_EC;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash, key->u.ec.publicValue.data,
+		     key->u.ec.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+    case CKA_VERIFY:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_ENCRYPT:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_EC_PARAMS:
+	return lg_CopyAttributeSigned(attribute,type,
+					key->u.ec.ecParams.DEREncoding.data,
+					key->u.ec.ecParams.DEREncoding.len);
+    case CKA_EC_POINT:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.ec.publicValue.data,
+					key->u.ec.publicValue.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+#endif /* NSS_ENABLE_ECC */
+
+
+static CK_RV
+lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    NSSLOWKEYPublicKey   *key;
+    CK_RV crv;
+    char *label;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_NEVER_EXTRACTABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_MODIFIABLE:
+    case CKA_EXTRACTABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_SUBJECT:
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_LABEL:
+        label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+	if (label == NULL) {
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
+	PORT_Free(label);
+	return crv;
+    default:
+	break;
+    }
+
+    key = lg_GetPublicKey(obj);
+    if (key == NULL) {
+	if (type == CKA_ID) {
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    switch (key->keyType) {
+    case NSSLOWKEYRSAKey:
+	return lg_FindRSAPublicKeyAttribute(key,type,attribute);
+    case NSSLOWKEYDSAKey:
+	return lg_FindDSAPublicKeyAttribute(key,type,attribute);
+    case NSSLOWKEYDHKey:
+	return lg_FindDHPublicKeyAttribute(key,type,attribute);
+#ifdef NSS_ENABLE_ECC
+    case NSSLOWKEYECKey:
+	return lg_FindECPublicKeyAttribute(key,type,attribute);
+#endif /* NSS_ENABLE_ECC */
+    default:
+	break;
+    }
+
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindSecretKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    NSSLOWKEYPrivateKey  *key;
+    char *label;
+    unsigned char *keyString;
+    CK_RV crv;
+    int keyTypeLen;
+    CK_ULONG keyLen;
+    CK_KEY_TYPE keyType;
+    PRUint32 keyTypeStorage;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_EXTRACTABLE:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_VERIFY:
+    case CKA_WRAP:
+    case CKA_UNWRAP:
+    case CKA_MODIFIABLE:
+    case CKA_LOCAL:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_NEVER_EXTRACTABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_LABEL:
+        label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+	if (label == NULL) {
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
+	PORT_Free(label);
+	return crv;
+    case CKA_ID:
+	return lg_CopyAttribute(attribute,type,obj->dbKey.data,
+						obj->dbKey.len);
+    case CKA_KEY_TYPE:
+    case CKA_VALUE_LEN:
+    case CKA_VALUE:
+	break;
+    default:
+	return lg_invalidAttribute(attribute);
+    }
+
+    key = lg_GetPrivateKey(obj);
+    if (key == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (type) {
+    case CKA_KEY_TYPE:
+	/* handle legacy databases. In legacy databases key_type was stored
+	 * in host order, with any leading zeros stripped off. Only key types
+	 * under 0x1f (AES) were stored. We assume that any values which are
+	 * either 1 byte long (big endian), or have byte[0] between 0 and 
+	 * 0x7f and bytes[1]-bytes[3] equal to '0' (little endian). All other
+	 * values are assumed to be from the new database, which is always 4
+	 * bytes in network order */
+	keyType=0;
+	keyString = key->u.rsa.coefficient.data;
+	keyTypeLen = key->u.rsa.coefficient.len;
+
+
+	/*
+ 	 * Because of various endian and word lengths The database may have
+	 * stored the keyType value in one of the following formats:
+	 *   (kt) <= 0x1f 
+	 *                                   length data
+	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
+	 * Little Endian,  pre-3.9, 32 bits:     4  (kt) 0  0  0
+	 * Little Endian,  pre-3.9, 64 bits:     8  (kt) 0  0  0   0  0  0  0
+	 * All platforms,      3.9, 32 bits:     4    0  0  0 (kt)
+	 * Big Endian,         3.9, 64 bits:     8    0  0  0 (kt) 0  0  0  0
+	 * Little  Endian,     3.9, 64 bits:     8    0  0  0  0   0  0  0 (kt)
+	 * All platforms, >= 3.9.1, all lengths: 4   (a) k1 k2 k3
+	 * where (a) is 0 or >= 0x80. currently (a) can only be 0.
+	 */
+	/*
+ 	 * this key was written on a 64 bit platform with a using NSS 3.9
+	 * or earlier. Reduce the 64 bit possibilities above. When we are
+	 * through, we will only have:
+	 * 
+	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
+	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
+	 * All platforms,      3.9, all lengths: 4    0  0  0 (kt)
+	 * All platforms, => 3.9.1, all lengths: 4   (a) k1 k2 k3
+	 */
+	if (keyTypeLen == 8) {
+	    keyTypeStorage = *(PRUint32 *) keyString;
+	    if (keyTypeStorage == 0) {
+		keyString += sizeof(PRUint32);
+	    }
+	    keyTypeLen = 4;
+	}
+	/*
+	 * Now Handle:
+	 *
+	 * All platforms,      3.9, all lengths: 4    0  0  0 (kt)
+	 * All platforms, => 3.9.1, all lengths: 4   (a) k1 k2 k3
+	 *
+	 * NOTE: if  kt == 0 or ak1k2k3 == 0, the test fails and
+	 * we handle it as:
+	 *
+	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
+	 */
+	if (keyTypeLen == sizeof(keyTypeStorage) &&
+	     (((keyString[0] & 0x80) == 0x80) ||
+		!((keyString[1] == 0) && (keyString[2] == 0)
+	   				    && (keyString[3] == 0))) ) {
+	    PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage));
+	    keyType = (CK_KEY_TYPE) PR_ntohl(keyTypeStorage);
+	} else {
+	/*
+	 * Now Handle:
+	 *
+	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
+	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
+	 *  -- KeyType == 0 all other cases ---: 4    0  0  0  0
+	 */
+	    keyType = (CK_KEY_TYPE) keyString[0] ;
+        }
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_VALUE:
+	return lg_CopyPrivAttribute(attribute,type,key->u.rsa.privateExponent.data,
+				key->u.rsa.privateExponent.len, obj->sdb);
+    case CKA_VALUE_LEN:
+	keyLen=key->u.rsa.privateExponent.len;
+	return lg_ULongAttribute(attribute,type, keyLen);
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_RSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return LG_CLONE_ATTR(attribute, type,lg_StaticTrueAttr);
+    case CKA_MODULUS:
+	return lg_CopyAttributeSigned(attribute,type,key->u.rsa.modulus.data,
+					key->u.rsa.modulus.len);
+    case CKA_PUBLIC_EXPONENT:
+	return lg_CopyAttributeSigned(attribute, type,
+				key->u.rsa.publicExponent.data,
+				key->u.rsa.publicExponent.len);
+    case CKA_PRIVATE_EXPONENT:
+	return lg_CopyPrivAttrSigned(attribute,type,
+				key->u.rsa.privateExponent.data,
+				key->u.rsa.privateExponent.len, sdbpw);
+    case CKA_PRIME_1:
+	return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime1.data,
+				key->u.rsa.prime1.len, sdbpw);
+    case CKA_PRIME_2:
+	return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime2.data,
+				key->u.rsa.prime2.len, sdbpw);
+    case CKA_EXPONENT_1:
+	return lg_CopyPrivAttrSigned(attribute, type, 
+				key->u.rsa.exponent1.data,
+				key->u.rsa.exponent1.len, sdbpw);
+    case CKA_EXPONENT_2:
+	return lg_CopyPrivAttrSigned(attribute, type, 
+				key->u.rsa.exponent2.data,
+				key->u.rsa.exponent2.len, sdbpw);
+    case CKA_COEFFICIENT:
+	return lg_CopyPrivAttrSigned(attribute, type, 
+				key->u.rsa.coefficient.data,
+				key->u.rsa.coefficient.len, sdbpw);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
+			  key->u.dsa.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+    case CKA_DECRYPT:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_SIGN:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_VALUE:
+	return lg_CopyPrivAttrSigned(attribute, type,
+				key->u.dsa.privateValue.data,
+				key->u.dsa.privateValue.len, sdbpw);
+    case CKA_PRIME:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.dsa.params.prime.data,
+					key->u.dsa.params.prime.len);
+    case CKA_SUBPRIME:
+	return lg_CopyAttributeSigned(attribute, type,
+				key->u.dsa.params.subPrime.data,
+				key->u.dsa.params.subPrime.len);
+    case CKA_BASE:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.dsa.params.base.data,
+					key->u.dsa.params.base.len);
+    case CKA_NETSCAPE_DB:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.dsa.publicValue.data,
+					key->u.dsa.publicValue.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DH;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_VALUE:
+	return lg_CopyPrivAttrSigned(attribute, type,
+					key->u.dh.privateValue.data,
+					key->u.dh.privateValue.len, sdbpw);
+    case CKA_PRIME:
+	return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data,
+					key->u.dh.prime.len);
+    case CKA_BASE:
+	return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
+					key->u.dh.base.len);
+    case CKA_NETSCAPE_DB:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.dh.publicValue.data,
+					key->u.dh.publicValue.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+#ifdef NSS_ENABLE_ECC
+static CK_RV
+lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_EC;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return lg_ULongAttribute(attribute, type, keyType);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.ec.publicValue.data,key->u.ec.publicValue.len);
+	return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
+    case CKA_DERIVE:
+    case CKA_SIGN:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_DECRYPT:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_VALUE:
+	return lg_CopyPrivAttrSigned(attribute, type,
+					key->u.ec.privateValue.data,
+					key->u.ec.privateValue.len, sdbpw);
+    case CKA_EC_PARAMS:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.ec.ecParams.DEREncoding.data,
+					key->u.ec.ecParams.DEREncoding.len);
+    case CKA_NETSCAPE_DB:
+	return lg_CopyAttributeSigned(attribute, type,
+					key->u.ec.publicValue.data,
+					key->u.ec.publicValue.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+#endif /* NSS_ENABLE_ECC */
+
+static CK_RV
+lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    NSSLOWKEYPrivateKey  *key;
+    char *label;
+    CK_RV crv;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_EXTRACTABLE:
+    case CKA_MODIFIABLE:
+    case CKA_LOCAL:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_NEVER_EXTRACTABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_SUBJECT:
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_LABEL:
+        label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+	if (label == NULL) {
+	   return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
+	PORT_Free(label);
+	return crv;
+    default:
+	break;
+    }
+    key = lg_GetPrivateKey(obj);
+    if (key == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (key->keyType) {
+    case NSSLOWKEYRSAKey:
+	return lg_FindRSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
+    case NSSLOWKEYDSAKey:
+	return lg_FindDSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
+    case NSSLOWKEYDHKey:
+	return lg_FindDHPrivateKeyAttribute(key,type,attribute,obj->sdb);
+#ifdef NSS_ENABLE_ECC
+    case NSSLOWKEYECKey:
+	return lg_FindECPrivateKeyAttribute(key,type,attribute,obj->sdb);
+#endif /* NSS_ENABLE_ECC */
+    default:
+	break;
+    }
+
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    certDBEntrySMime *entry;
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_NETSCAPE_EMAIL:
+	return lg_CopyAttribute(attribute,type,obj->dbKey.data,
+						obj->dbKey.len-1);
+    case CKA_NETSCAPE_SMIME_TIMESTAMP:
+    case CKA_SUBJECT:
+    case CKA_VALUE:
+	break;
+    default:
+	return lg_invalidAttribute(attribute);
+    }
+    entry = lg_getSMime(obj);
+    if (entry == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (type) {
+    case CKA_NETSCAPE_SMIME_TIMESTAMP:
+	return lg_CopyAttribute(attribute,type,entry->optionsDate.data,
+					entry->optionsDate.len);
+    case CKA_SUBJECT:
+	return lg_CopyAttribute(attribute,type,entry->subjectName.data,
+					entry->subjectName.len);
+    case CKA_VALUE:
+	return lg_CopyAttribute(attribute,type,entry->smimeOptions.data,
+					entry->smimeOptions.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    NSSLOWCERTTrust *trust;
+    NSSLOWCERTCertDBHandle *certHandle;
+    NSSLOWCERTCertificate *cert;
+    unsigned char hash[SHA1_LENGTH];
+    unsigned int trustFlags;
+    CK_RV crv;
+
+    switch (type) {
+    case CKA_PRIVATE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_MODIFIABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_CERT_SHA1_HASH:
+    case CKA_CERT_MD5_HASH:
+    case CKA_TRUST_CLIENT_AUTH:
+    case CKA_TRUST_SERVER_AUTH:
+    case CKA_TRUST_EMAIL_PROTECTION:
+    case CKA_TRUST_CODE_SIGNING:
+    case CKA_TRUST_STEP_UP_APPROVED:
+    case CKA_ISSUER:
+    case CKA_SERIAL_NUMBER:
+	break;
+    default:
+        return lg_invalidAttribute(attribute);
+    }
+    certHandle = lg_getCertDB(obj->sdb);
+    if (!certHandle) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    trust = lg_getTrust(obj, certHandle);
+    if (trust == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (type) {
+    case CKA_CERT_SHA1_HASH:
+	SHA1_HashBuf(hash,trust->derCert->data,trust->derCert->len);
+	return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+    case CKA_CERT_MD5_HASH:
+	MD5_HashBuf(hash,trust->derCert->data,trust->derCert->len);
+	return lg_CopyAttribute(attribute, type, hash, MD5_LENGTH);
+    case CKA_TRUST_CLIENT_AUTH:
+	trustFlags = trust->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
+		trust->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
+	goto trust;
+    case CKA_TRUST_SERVER_AUTH:
+	trustFlags = trust->trust->sslFlags;
+	goto trust;
+    case CKA_TRUST_EMAIL_PROTECTION:
+	trustFlags = trust->trust->emailFlags;
+	goto trust;
+    case CKA_TRUST_CODE_SIGNING:
+	trustFlags = trust->trust->objectSigningFlags;
+trust:
+	if (trustFlags & CERTDB_TRUSTED_CA ) {
+	    return lg_ULongAttribute(attribute, type,
+				     CKT_NETSCAPE_TRUSTED_DELEGATOR);
+	}
+	if (trustFlags & CERTDB_TRUSTED) {
+	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_TRUSTED);
+	}
+	if (trustFlags & CERTDB_NOT_TRUSTED) {
+	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_UNTRUSTED);
+	}
+	if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
+	    return lg_ULongAttribute(attribute, type,
+				     CKT_NETSCAPE_TRUST_UNKNOWN);
+	}
+	if (trustFlags & CERTDB_VALID_CA) {
+	    return lg_ULongAttribute(attribute, type,
+				     CKT_NETSCAPE_VALID_DELEGATOR);
+	}
+	if (trustFlags & CERTDB_VALID_PEER) {
+	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_VALID);
+	}
+	return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_MUST_VERIFY);
+    case CKA_TRUST_STEP_UP_APPROVED:
+	if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
+	    return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+	} else {
+	    return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+	}
+    default:
+	break;
+    }
+
+
+    switch (type) {
+    case CKA_ISSUER:
+	cert = lg_getCert(obj, certHandle);
+	if (cert == NULL) break;
+	crv = lg_CopyAttribute(attribute,type,cert->derIssuer.data,
+						cert->derIssuer.len);
+	break;
+    case CKA_SERIAL_NUMBER:
+	cert = lg_getCert(obj, certHandle);
+	if (cert == NULL) break;
+	crv =  lg_CopyAttribute(attribute,type,cert->derSN.data,
+						cert->derSN.len);
+	break;
+    default:
+	cert = NULL;
+	break;
+    }
+    if (cert) {
+	nsslowcert_DestroyCertificate(cert);
+	return crv;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    certDBEntryRevocation *crl;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_NETSCAPE_KRL:
+	return ((obj->handle == LG_TOKEN_KRL_HANDLE) 
+		? LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr)
+		: LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr));
+    case CKA_SUBJECT:
+	return lg_CopyAttribute(attribute,type,obj->dbKey.data,
+						obj->dbKey.len);
+    case CKA_NETSCAPE_URL:
+    case CKA_VALUE:
+	break;
+    default:
+	return lg_invalidAttribute(attribute);
+    }
+    crl =  lg_getCrl(obj);
+    if (!crl) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (type) {
+    case CKA_NETSCAPE_URL:
+	if (crl->url == NULL) {
+	    return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	return lg_CopyAttribute(attribute, type, crl->url, 
+					PORT_Strlen(crl->url)+1);
+    case CKA_VALUE:
+	return lg_CopyAttribute(attribute, type, crl->derCrl.data, 
+						crl->derCrl.len);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+				CK_ATTRIBUTE *attribute)
+{
+    NSSLOWCERTCertificate  *cert;
+    NSSLOWCERTCertDBHandle *certHandle;
+    NSSLOWKEYPublicKey     *pubKey;
+    unsigned char hash[SHA1_LENGTH];
+    SECItem *item;
+
+    switch (type) {
+    case CKA_PRIVATE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
+    case CKA_MODIFIABLE:
+	return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
+    case CKA_CERTIFICATE_TYPE:
+        /* hardcoding X.509 into here */
+        return lg_ULongAttribute(attribute, type, CKC_X_509);
+    case CKA_VALUE:
+    case CKA_ID:
+    case CKA_LABEL:
+    case CKA_SUBJECT:
+    case CKA_ISSUER:
+    case CKA_SERIAL_NUMBER:
+    case CKA_NETSCAPE_EMAIL:
+	break;
+    default:
+	return lg_invalidAttribute(attribute);
+    }
+
+    certHandle = lg_getCertDB(obj->sdb);
+    if (certHandle == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    cert = lg_getCert(obj, certHandle);
+    if (cert == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    switch (type) {
+    case CKA_VALUE:
+	return lg_CopyAttribute(attribute,type,cert->derCert.data,
+						cert->derCert.len);
+    case CKA_ID:
+	if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+		((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+		((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+	    return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+	}
+	pubKey = nsslowcert_ExtractPublicKey(cert);
+	if (pubKey == NULL) break;
+	item = lg_GetPubItem(pubKey);
+	if (item == NULL) {
+	    nsslowkey_DestroyPublicKey(pubKey);
+	    break;
+	}
+	SHA1_HashBuf(hash,item->data,item->len);
+	/* item is imbedded in pubKey, just free the key */
+	nsslowkey_DestroyPublicKey(pubKey);
+	return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+    case CKA_LABEL:
+	return cert->nickname 
+	       ? lg_CopyAttribute(attribute, type, cert->nickname,
+				        PORT_Strlen(cert->nickname))
+	       : LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    case CKA_SUBJECT:
+	return lg_CopyAttribute(attribute,type,cert->derSubject.data,
+						cert->derSubject.len);
+    case CKA_ISSUER:
+	return lg_CopyAttribute(attribute,type,cert->derIssuer.data,
+						cert->derIssuer.len);
+    case CKA_SERIAL_NUMBER:
+	return lg_CopyAttribute(attribute,type,cert->derSN.data,
+						cert->derSN.len);
+    case CKA_NETSCAPE_EMAIL:
+	return (cert->emailAddr && cert->emailAddr[0])
+	    ? lg_CopyAttribute(attribute, type, cert->emailAddr,
+	                             PORT_Strlen(cert->emailAddr))
+	    : LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+}
+
+CK_RV
+lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute)
+{
+    /* handle the common ones */
+    CK_ATTRIBUTE_TYPE type = attribute->type;
+    switch (type) {
+    case CKA_CLASS:
+	return lg_ULongAttribute(attribute,type,obj->objclass);
+    case CKA_TOKEN:
+	return LG_CLONE_ATTR(attribute, type,lg_StaticTrueAttr);
+    case CKA_LABEL:
+	if (  (obj->objclass == CKO_CERTIFICATE) 
+	   || (obj->objclass == CKO_PRIVATE_KEY)
+	   || (obj->objclass == CKO_PUBLIC_KEY)
+	   || (obj->objclass == CKO_SECRET_KEY)) {
+	    break;
+	}
+	return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
+    default:
+	break;
+    }
+    switch (obj->objclass) {
+    case CKO_CERTIFICATE:
+	return lg_FindCertAttribute(obj,type,attribute);
+    case CKO_NETSCAPE_CRL:
+	return lg_FindCrlAttribute(obj,type,attribute);
+    case CKO_NETSCAPE_TRUST:
+	return lg_FindTrustAttribute(obj,type,attribute);
+    case CKO_NETSCAPE_SMIME:
+	return lg_FindSMIMEAttribute(obj,type,attribute);
+    case CKO_PUBLIC_KEY:
+	return lg_FindPublicKeyAttribute(obj,type,attribute);
+    case CKO_PRIVATE_KEY:
+	return lg_FindPrivateKeyAttribute(obj,type,attribute);
+    case CKO_SECRET_KEY:
+	return lg_FindSecretKeyAttribute(obj,type,attribute);
+    default:
+	break;
+    }
+    return lg_invalidAttribute(attribute);
+} 
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */    
+CK_RV
+lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ, 
+		CK_ULONG count)
+{
+    LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+    CK_RV crv, crvCollect = CKR_OK;
+    int i;
+
+    if (obj == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    for (i=0; i < count; i++) {
+	crv = lg_GetSingleAttribute(obj, &templ[i]);
+	if (crvCollect == CKR_OK) crvCollect = crv;
+    }
+
+    lg_DestroyObjectCache(obj);
+    return crvCollect;
+}
+
+PRBool
+lg_cmpAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attribute)
+{
+    unsigned char buf[LG_BUF_SPACE];
+    CK_ATTRIBUTE testAttr;
+    unsigned char *tempBuf = NULL;
+    PRBool match = PR_TRUE;
+    CK_RV crv;
+
+    /* we're going to compare 'attribute' with the actual attribute from
+     * the object. We'll use the length of 'attribute' to decide how much
+     * space we need to read the test attribute. If 'attribute' doesn't give
+     * enough space, then we know the values don't match and that will
+     * show up as ckr != CKR_OK */
+    testAttr = *attribute;
+    testAttr.pValue = buf;
+
+    /* if we don't have enough space, malloc it */
+    if (attribute->ulValueLen > LG_BUF_SPACE) {
+	tempBuf = PORT_Alloc(attribute->ulValueLen);
+	if (!tempBuf) {
+	    return PR_FALSE;
+	}
+	testAttr.pValue = tempBuf;
+    }
+
+    /* get the attribute */
+    crv = lg_GetSingleAttribute(obj, &testAttr);
+    /* if the attribute was read OK, compare it */
+    if ((crv != CKR_OK) || (attribute->ulValueLen != testAttr.ulValueLen) ||
+     (PORT_Memcmp(attribute->pValue,testAttr.pValue,testAttr.ulValueLen)!= 0)){
+	/* something didn't match, this isn't the object we are looking for */
+	match = PR_FALSE;
+    }
+    /* free the buffer we may have allocated */
+    if (tempBuf) {
+	PORT_Free(tempBuf);
+    }
+    return match;
+}
+
+PRBool
+lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+		const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    PRBool match = PR_TRUE;
+    LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class);
+    int i;
+
+    if (obj == NULL) {
+	return PR_FALSE;
+    }
+
+    for (i=0; i < count; i++) {
+	match = lg_cmpAttribute(obj, &templ[i]);
+	if (!match) {
+	   break;
+	}
+    }
+
+    /* done looking, free up our cache */
+    lg_DestroyObjectCache(obj);
+
+    /* if we get through the whole list without finding a mismatched attribute,
+     * then this object fits the criteria we are matching */
+    return match;
+}
+
+static CK_RV
+lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, 
+					const void *value, unsigned int len)
+{
+    NSSLOWCERTCertificate  *cert;
+    NSSLOWCERTCertDBHandle *certHandle;
+    char *nickname = NULL;
+    SECStatus rv;
+    CK_RV crv;
+
+    /* we can't change  the EMAIL values, but let the
+     * upper layers feel better about the fact we tried to set these */
+    if (type == CKA_NETSCAPE_EMAIL) {
+	return CKR_OK;
+    }
+
+    certHandle = lg_getCertDB(obj->sdb);
+    if (certHandle == NULL) {
+	crv = CKR_TOKEN_WRITE_PROTECTED;
+	goto done;
+    }
+
+    if ((type != CKA_LABEL)  && (type != CKA_ID)) {
+	crv = CKR_ATTRIBUTE_READ_ONLY;
+	goto done;
+    }
+
+    cert = lg_getCert(obj, certHandle);
+    if (cert == NULL) {
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	goto done;
+    }
+
+    /* if the app is trying to set CKA_ID, it's probably because it just
+     * imported the key. Look to see if we need to set the CERTDB_USER bits.
+     */
+    if (type == CKA_ID) {
+	if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+		((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+		((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+	    NSSLOWKEYDBHandle      *keyHandle;
+
+	    keyHandle = lg_getKeyDB(obj->sdb);
+	    if (keyHandle) {
+		if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
+		    NSSLOWCERTCertTrust trust = *cert->trust;
+		    trust.sslFlags |= CERTDB_USER;
+		    trust.emailFlags |= CERTDB_USER;
+		    trust.objectSigningFlags |= CERTDB_USER;
+		    nsslowcert_ChangeCertTrust(certHandle,cert,&trust);
+		}
+	    }
+	}
+	crv = CKR_OK;
+	goto done;
+    }
+
+    /* must be CKA_LABEL */
+    if (value != NULL) {
+	nickname = PORT_ZAlloc(len+1);
+	if (nickname == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    goto done;
+	}
+	PORT_Memcpy(nickname,value,len);
+	nickname[len] = 0;
+    }
+    rv = nsslowcert_AddPermNickname(certHandle, cert, nickname);
+    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+
+done:
+    if (nickname) {
+	PORT_Free(nickname);
+    }
+    return crv;
+}
+
+static CK_RV
+lg_SetPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, 
+			const void *value, unsigned int len, 
+			PRBool *writePrivate)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    NSSLOWKEYDBHandle   *keyHandle;
+    char *nickname = NULL;
+    SECStatus rv;
+    CK_RV crv;
+
+    /* we can't change the ID and we don't store the subject, but let the
+     * upper layers feel better about the fact we tried to set these */
+    if ((type == CKA_ID) || (type == CKA_SUBJECT) ||
+	(type == CKA_LOCAL) || (type == CKA_NEVER_EXTRACTABLE) ||
+	(type == CKA_ALWAYS_SENSITIVE)) {
+	return CKR_OK;
+    }
+
+    keyHandle = lg_getKeyDB(obj->sdb);
+    if (keyHandle == NULL) {
+	crv = CKR_TOKEN_WRITE_PROTECTED;
+	goto done;
+    }
+
+    privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
+    if (privKey == NULL) {
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	goto done;
+    }
+
+    crv = CKR_ATTRIBUTE_READ_ONLY;
+    switch(type) {
+    case CKA_LABEL:
+	if (value != NULL) {
+	    nickname = PORT_ZAlloc(len+1);
+	    if (nickname == NULL) {
+		crv = CKR_HOST_MEMORY;
+		goto done;
+	    }
+	    PORT_Memcpy(nickname,value,len);
+	    nickname[len] = 0;
+	}
+	rv = nsslowkey_UpdateNickname(keyHandle, privKey, &obj->dbKey, 
+					nickname, obj->sdb);
+	crv = (rv == SECSuccess) ? CKR_OK :  CKR_DEVICE_ERROR;
+	break;
+    case CKA_UNWRAP:
+    case CKA_SIGN:
+    case CKA_DERIVE:
+    case CKA_SIGN_RECOVER:
+    case CKA_DECRYPT:
+	/* ignore attempts to change restrict these.
+	 * legacyDB ignore these flags and always presents all of them 
+	 * that are valid as true. 
+	 * NOTE: We only get here if the current value and the new value do
+	 * not match. */
+	if (*(char *)value == 0) {
+	    crv = CKR_OK;
+	}
+	break;
+    case CKA_VALUE:
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	/* We aren't really changing these values, we are just triggering
+	 * the database to update it's entry */
+	*writePrivate = PR_TRUE;
+	crv = CKR_OK;
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_READ_ONLY;
+	break;
+    }
+done:
+    if (nickname) {
+	PORT_Free(nickname);
+    }
+    return crv;
+}
+
+static CK_RV
+lg_SetPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, 
+			const void *value, unsigned int len, 
+			PRBool *writePrivate)
+{
+    /* we can't change the ID and we don't store the subject, but let the
+     * upper layers feel better about the fact we tried to set these */
+    if ((type == CKA_ID) || (type == CKA_SUBJECT) || (type == CKA_LABEL)) {
+	return CKR_OK;
+    }
+    return  CKR_ATTRIBUTE_READ_ONLY;
+}
+
+static CK_RV
+lg_SetTrustAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr)
+{
+    unsigned int flags;
+    CK_TRUST  trust;
+    NSSLOWCERTCertificate  *cert;
+    NSSLOWCERTCertDBHandle *certHandle;
+    NSSLOWCERTCertTrust    dbTrust;
+    SECStatus rv;
+    CK_RV crv;
+
+    if (attr->type == CKA_LABEL) {
+	return CKR_OK;
+    }
+
+    crv = lg_GetULongAttribute(attr->type, attr, 1, &trust);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+    flags = lg_MapTrust(trust, (PRBool) (attr->type == CKA_TRUST_CLIENT_AUTH));
+
+    certHandle = lg_getCertDB(obj->sdb);
+
+    if (certHandle == NULL) {
+	crv = CKR_TOKEN_WRITE_PROTECTED;
+	goto done;
+    }
+
+    cert = lg_getCert(obj, certHandle);
+    if (cert == NULL) {
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	goto done;
+    }
+    dbTrust = *cert->trust;
+
+    switch (attr->type) {
+    case CKA_TRUST_EMAIL_PROTECTION:
+	dbTrust.emailFlags = flags |
+		(cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
+	break;
+    case CKA_TRUST_CODE_SIGNING:
+	dbTrust.objectSigningFlags = flags |
+		(cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
+	break;
+    case CKA_TRUST_CLIENT_AUTH:
+	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
+				(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA));
+	break;
+    case CKA_TRUST_SERVER_AUTH:
+	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
+			(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA));
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_READ_ONLY;
+	goto done;
+    }
+
+    rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
+    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+done:
+    return crv;
+}
+
+static CK_RV
+lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr, 
+		      PRBool *writePrivate)
+{
+    CK_ATTRIBUTE attribLocal;
+    CK_RV crv;
+
+    if ((attr->type == CKA_NETSCAPE_DB) && (obj->objclass == CKO_PRIVATE_KEY)) {
+	*writePrivate = PR_TRUE;
+	return CKR_OK;
+    }
+
+    /* Make sure the attribute exists first */
+    attribLocal.type = attr->type;
+    attribLocal.pValue = NULL;
+    attribLocal.ulValueLen = 0;
+    crv = lg_GetSingleAttribute(obj, &attribLocal);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* if we are just setting it to the value we already have,
+     * allow it to happen. Let label setting go through so
+     * we have the opportunity to repair any database corruption. */
+    if (attr->type != CKA_LABEL) {
+	if (lg_cmpAttribute(obj,attr)) {
+	    return CKR_OK;
+	}
+    }
+
+    crv = CKR_ATTRIBUTE_READ_ONLY;
+    switch (obj->objclass) {
+    case CKO_CERTIFICATE:
+	/* change NICKNAME, EMAIL,  */
+	crv = lg_SetCertAttribute(obj,attr->type,
+				  attr->pValue,attr->ulValueLen);
+	break;
+    case CKO_NETSCAPE_CRL:
+	/* change URL */
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = lg_SetTrustAttribute(obj,attr);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_SECRET_KEY:
+	crv = lg_SetPrivateKeyAttribute(obj,attr->type,
+			attr->pValue,attr->ulValueLen, writePrivate);
+	break;
+    case CKO_PUBLIC_KEY:
+	crv = lg_SetPublicKeyAttribute(obj,attr->type,
+			attr->pValue,attr->ulValueLen, writePrivate);
+	break;
+    }
+    return crv;
+}
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */    
+CK_RV
+lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, 
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+    CK_RV crv, crvCollect = CKR_OK;
+    PRBool writePrivate = PR_FALSE;
+    int i;
+
+    if (obj == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    for (i=0; i < count; i++) {
+	crv = lg_SetSingleAttribute(obj, &templ[i], &writePrivate);
+	if (crvCollect == CKR_OK) crvCollect = crv;
+    }
+
+    /* Write any collected changes out for private and secret keys.
+     *  don't do the write for just the label */
+    if (writePrivate) {
+	NSSLOWKEYPrivateKey *privKey = lg_GetPrivateKey(obj);
+	SECStatus rv = SECFailure;
+	char * label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+
+	if (privKey) {
+	    rv = nsslowkey_StoreKeyByPublicKeyAlg(lg_getKeyDB(sdb), privKey, 
+		&obj->dbKey, label, sdb, PR_TRUE );
+	}
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	}
+    }
+
+    lg_DestroyObjectCache(obj);
+    return crvCollect;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
new file mode 100644
index 000000000..1dd1b2709
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -0,0 +1,957 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h" 
+#include "pcert.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+
+#include "keydbi.h" 
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/*
+ * check the consistancy and initialize a Certificate Object 
+ */
+static CK_RV
+lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    SECItem derCert;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust *trust = NULL;
+    NSSLOWCERTCertTrust userTrust = 
+		{ CERTDB_USER, CERTDB_USER, CERTDB_USER };
+    NSSLOWCERTCertTrust defTrust = 
+		{ CERTDB_TRUSTED_UNKNOWN, 
+			CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
+    char *label = NULL;
+    char *email = NULL;
+    SECStatus rv;
+    CK_RV crv;
+    PRBool inDB = PR_TRUE;
+    NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+    CK_CERTIFICATE_TYPE type;
+    const CK_ATTRIBUTE *attribute;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    /* We only support X.509 Certs for now */
+    crv = lg_GetULongAttribute(CKA_CERTIFICATE_TYPE, templ, count, &type);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    if (type != CKC_X_509) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* X.509 Certificate */
+    
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* get the der cert */ 
+    attribute = lg_FindAttribute(CKA_VALUE, templ, count);
+    if (!attribute) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    derCert.type = 0;
+    derCert.data = (unsigned char *)attribute->pValue;
+    derCert.len = attribute->ulValueLen ;
+
+    label = lg_getString(CKA_LABEL, templ, count);
+
+    cert =  nsslowcert_FindCertByDERCert(certHandle, &derCert);
+    if (cert == NULL) {
+	cert = nsslowcert_DecodeDERCertificate(&derCert, label);
+	inDB = PR_FALSE;
+    }
+    if (cert == NULL) {
+	if (label) PORT_Free(label);
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle) {
+	if (nsslowkey_KeyForCertExists(keyHandle,cert)) {
+	    trust = &userTrust;
+	}
+    }
+
+    if (!inDB) {
+	if (!trust) trust = &defTrust;
+	rv = nsslowcert_AddPermCert(certHandle, cert, label, trust);
+    } else {
+	rv = trust ? nsslowcert_ChangeCertTrust(certHandle,cert,trust) :
+				SECSuccess;
+    }
+
+    if (label) PORT_Free(label);
+
+    if (rv != SECSuccess) {
+	nsslowcert_DestroyCertificate(cert);
+	return CKR_DEVICE_ERROR;
+    }
+
+    /*
+     * Add a NULL S/MIME profile if necessary.
+     */
+    email = lg_getString(CKA_NETSCAPE_EMAIL, templ, count);
+    if (email) {
+	certDBEntrySMime *entry;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,email);
+	if (!entry) {
+	    nsslowcert_SaveSMimeProfile(certHandle, email, 
+						&cert->derSubject, NULL, NULL);
+	} else {
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(email);
+    }
+    *handle=lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_CERT);
+    nsslowcert_DestroyCertificate(cert);
+
+    return CKR_OK;
+}
+
+unsigned int
+lg_MapTrust(CK_TRUST trust, PRBool clientAuth)
+{
+    unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA :
+							CERTDB_TRUSTED_CA;
+    switch (trust) {
+    case CKT_NETSCAPE_TRUSTED:
+	return CERTDB_VALID_PEER|CERTDB_TRUSTED;
+    case CKT_NETSCAPE_TRUSTED_DELEGATOR:
+	return CERTDB_VALID_CA|trustCA;
+    case CKT_NETSCAPE_UNTRUSTED:
+	return CERTDB_NOT_TRUSTED;
+    case CKT_NETSCAPE_MUST_VERIFY:
+	return 0;
+    case CKT_NETSCAPE_VALID: /* implies must verify */
+	return CERTDB_VALID_PEER;
+    case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */
+	return CERTDB_VALID_CA;
+    default:
+	break;
+    }
+    return CERTDB_TRUSTED_UNKNOWN;
+}
+    
+	
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *issuer = NULL;
+    const CK_ATTRIBUTE *serial = NULL;
+    NSSLOWCERTCertificate *cert = NULL;
+    const CK_ATTRIBUTE *trust;
+    CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_BBOOL stepUp;
+    NSSLOWCERTCertTrust dbTrust = { 0 };
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+    NSSLOWCERTIssuerAndSN issuerSN;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    issuer = lg_FindAttribute(CKA_ISSUER, templ, count);
+    serial = lg_FindAttribute(CKA_SERIAL_NUMBER, templ, count);
+
+    if (issuer && serial) {
+	issuerSN.derIssuer.data = (unsigned char *)issuer->pValue;
+	issuerSN.derIssuer.len = issuer->ulValueLen ;
+
+	issuerSN.serialNumber.data = (unsigned char *)serial->pValue;
+	issuerSN.serialNumber.len = serial->ulValueLen ;
+
+	cert = nsslowcert_FindCertByIssuerAndSN(certHandle,&issuerSN);
+    }
+
+    if (cert == NULL) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    lg_GetULongAttribute(CKA_TRUST_SERVER_AUTH, templ, count, &sslTrust);
+    lg_GetULongAttribute(CKA_TRUST_CLIENT_AUTH, templ, count, &clientTrust);
+    lg_GetULongAttribute(CKA_TRUST_EMAIL_PROTECTION, templ, count, &emailTrust);
+    lg_GetULongAttribute(CKA_TRUST_CODE_SIGNING, templ, count, &signTrust);
+    stepUp = CK_FALSE;
+    trust = lg_FindAttribute(CKA_TRUST_STEP_UP_APPROVED, templ, count);
+    if (trust) {
+	if (trust->ulValueLen == sizeof(CK_BBOOL)) {
+	    stepUp = *(CK_BBOOL*)trust->pValue;
+	}
+    }
+
+    /* preserve certain old fields */
+    if (cert->trust) {
+	dbTrust.sslFlags = cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
+	dbTrust.emailFlags=
+			cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
+	dbTrust.objectSigningFlags = 
+		cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
+    }
+
+    dbTrust.sslFlags |= lg_MapTrust(sslTrust,PR_FALSE);
+    dbTrust.sslFlags |= lg_MapTrust(clientTrust,PR_TRUE);
+    dbTrust.emailFlags |= lg_MapTrust(emailTrust,PR_FALSE);
+    dbTrust.objectSigningFlags |= lg_MapTrust(signTrust,PR_FALSE);
+    if (stepUp) {
+	dbTrust.sslFlags |= CERTDB_GOVT_APPROVED_CA;
+    }
+
+    rv = nsslowcert_ChangeCertTrust(certHandle,cert,&dbTrust);
+    *handle=lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_TRUST);
+    nsslowcert_DestroyCertificate(cert);
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    SECItem derSubj,rawProfile,rawTime,emailKey;
+    SECItem *pRawProfile = NULL;
+    SECItem *pRawTime = NULL;
+    char *email = NULL;
+    const CK_ATTRIBUTE *subject = NULL,
+		 *profile = NULL,
+		 *time    = NULL;
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle;
+    CK_RV ck_rv = CKR_OK;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE,templ,count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* lookup SUBJECT */
+    subject = lg_FindAttribute(CKA_SUBJECT,templ,count);
+    PORT_Assert(subject);
+    if (!subject) {
+	ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    derSubj.data = (unsigned char *)subject->pValue;
+    derSubj.len = subject->ulValueLen ;
+    derSubj.type = 0;
+
+    /* lookup VALUE */
+    profile = lg_FindAttribute(CKA_VALUE,templ,count);
+    if (profile) {
+	rawProfile.data = (unsigned char *)profile->pValue;
+	rawProfile.len = profile->ulValueLen ;
+	rawProfile.type = siBuffer;
+	pRawProfile = &rawProfile;
+    }
+
+    /* lookup Time */
+    time = lg_FindAttribute(CKA_NETSCAPE_SMIME_TIMESTAMP,templ,count);
+    if (time) {
+	rawTime.data = (unsigned char *)time->pValue;
+	rawTime.len = time->ulValueLen ;
+	rawTime.type = siBuffer;
+	pRawTime = &rawTime;
+    }
+
+
+    email = lg_getString(CKA_NETSCAPE_EMAIL,templ,count);
+    if (!email) {
+	ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    /* Store S/MIME Profile by SUBJECT */
+    rv = nsslowcert_SaveSMimeProfile(certHandle, email, &derSubj, 
+				pRawProfile,pRawTime);
+    if (rv != SECSuccess) {
+	ck_rv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+    emailKey.data = (unsigned char *)email;
+    emailKey.len = PORT_Strlen(email)+1;
+
+    *handle = lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME);
+
+loser:
+    if (email)   PORT_Free(email);
+
+    return ck_rv;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    PRBool isKRL = PR_FALSE;
+    SECItem derSubj,derCrl;
+    char *url = NULL;
+    const CK_ATTRIBUTE *subject,*crl;
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle;
+
+    certHandle = lg_getCertDB(sdb);
+
+    /* we can't store any private crls */
+    if (lg_isTrue(CKA_PRIVATE,templ,count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* lookup SUBJECT */
+    subject = lg_FindAttribute(CKA_SUBJECT,templ,count);
+    if (!subject) {
+	 return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    derSubj.data = (unsigned char *)subject->pValue;
+    derSubj.len = subject->ulValueLen ;
+
+    /* lookup VALUE */
+    crl = lg_FindAttribute(CKA_VALUE,templ,count);
+    PORT_Assert(crl);
+    if (!crl) {
+	 return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    derCrl.data = (unsigned char *)crl->pValue;
+    derCrl.len = crl->ulValueLen ;
+
+    url = lg_getString(CKA_NETSCAPE_URL,templ,count);
+    isKRL = lg_isTrue(CKA_NETSCAPE_KRL,templ,count);
+
+    /* Store CRL by SUBJECT */
+    rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
+
+    if (url) {
+	PORT_Free(url);
+    }
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    /* if we overwrote the existing CRL, poison the handle entry so we get
+     * a new object handle */
+    (void) lg_poisonHandle(sdb, &derSubj,
+			isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+    *handle = lg_mkHandle(sdb, &derSubj,
+			isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object 
+ */
+static CK_RV
+lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+    CK_RV crv;
+    NSSLOWKEYPrivateKey *priv;
+    SECItem pubKey;
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+
+    switch (key_type) {
+    case CKK_RSA:
+	pubKeyAttr = CKA_MODULUS;
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	pubKeyAttr = CKA_EC_POINT;
+	break;
+#endif /* NSS_ENABLE_ECC */
+    case CKK_DSA:
+    case CKK_DH:
+	break;
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+
+    crv = lg_Attribute2SSecItem(NULL,pubKeyAttr,templ,count,&pubKey);
+    if (crv != CKR_OK) return crv;
+
+    PORT_Assert(pubKey.data);
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle == NULL) {
+	PORT_Free(pubKey.data);
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (keyHandle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	pubKey.len = sizeof(buf);
+    }
+    /* make sure the associated private key already exists */
+    /* only works if we are logged in */
+    priv = nsslowkey_FindKeyByPublicKey(keyHandle, &pubKey, sdb /*password*/);
+    if (priv == NULL) {
+	PORT_Free(pubKey.data);
+	return crv;
+    }
+    nsslowkey_DestroyPrivateKey(priv);
+
+    *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_PUB);
+    PORT_Free(pubKey.data);
+
+    return CKR_OK;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
+	     CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    PLArenaPool *arena;
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL)  {
+	PORT_FreeArena(arena,PR_FALSE);
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    /* in future this would be a switch on key_type */
+    privKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	privKey->keyType = NSSLOWKEYRSAKey;
+	crv=lg_Attribute2SSecItem(arena,CKA_MODULUS,templ,count,
+					&privKey->u.rsa.modulus);
+	if (crv != CKR_OK) break;
+	crv=lg_Attribute2SSecItem(arena,CKA_PUBLIC_EXPONENT,templ,count,
+					&privKey->u.rsa.publicExponent);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIVATE_EXPONENT,templ,count,
+				&privKey->u.rsa.privateExponent, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIME_1,templ,count,
+					&privKey->u.rsa.prime1, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIME_2,templ,count,
+					&privKey->u.rsa.prime2, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_EXPONENT_1,templ,count,
+					&privKey->u.rsa.exponent1, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_EXPONENT_2,templ,count,
+					&privKey->u.rsa.exponent2, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_COEFFICIENT,templ,count,
+					&privKey->u.rsa.coefficient, sdb);
+	if (crv != CKR_OK) break;
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+                          NSSLOWKEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+
+    case CKK_DSA:
+	privKey->keyType = NSSLOWKEYDSAKey;
+	crv = lg_Attribute2SSecItem(arena,CKA_PRIME,templ,count,
+					&privKey->u.dsa.params.prime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_SUBPRIME,templ,count,
+					&privKey->u.dsa.params.subPrime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_BASE,templ,count,
+					&privKey->u.dsa.params.base);
+    	if (crv != CKR_OK) break;
+    	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.dsa.privateValue, sdb);
+    	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB, templ,count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+						&privKey->u.dsa.publicValue);
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+	break;
+
+    case CKK_DH:
+	privKey->keyType = NSSLOWKEYDHKey;
+	crv = lg_Attribute2SSecItem(arena,CKA_PRIME,templ,count,
+					&privKey->u.dh.prime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_BASE,templ,count,
+					&privKey->u.dh.base);
+    	if (crv != CKR_OK) break;
+    	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.dh.privateValue, sdb);
+    	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+					&privKey->u.dh.publicValue);
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	privKey->keyType = NSSLOWKEYECKey;
+	crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS,templ,count,
+	                              &privKey->u.ec.ecParams.DEREncoding);
+    	if (crv != CKR_OK) break;
+
+	/* Fill out the rest of the ecParams structure
+	 * based on the encoded params
+	 */
+	if (LGEC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
+		    &privKey->u.ec.ecParams) != SECSuccess) {
+	    crv = CKR_DOMAIN_PARAMS_INVALID;
+	    break;
+	}
+	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.ec.privateValue, sdb);
+	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB,templ,count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+					&privKey->u.ec.publicValue);
+	    if (crv != CKR_OK) break;
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
+                          NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    *crvp = crv;
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Private Key Object 
+ */
+static CK_RV
+lg_createPrivateKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    char *label;
+    SECStatus rv = SECSuccess;
+    CK_RV crv = CKR_DEVICE_ERROR;
+    SECItem pubKey;
+    NSSLOWKEYDBHandle *keyHandle = lg_getKeyDB(sdb);
+
+    if (keyHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    privKey=lg_mkPrivKey(sdb, templ,count,key_type,&crv);
+    if (privKey == NULL) return crv;
+    label = lg_getString(CKA_LABEL,templ,count);
+
+    crv = lg_Attribute2SSecItem(NULL,CKA_NETSCAPE_DB,templ,count,&pubKey);
+    if (crv != CKR_OK) {
+	crv = CKR_TEMPLATE_INCOMPLETE;
+	rv = SECFailure;
+	goto fail;
+    }
+#ifdef notdef
+    if (keyHandle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	pubKey.len = sizeof(buf);
+    }
+#endif
+    /* get the key type */
+    if (key_type == CKK_RSA) {
+	rv = RSA_PrivateKeyCheck(&privKey->u.rsa);
+	if (rv == SECFailure) {
+	    goto fail;
+	}
+    }
+    rv = nsslowkey_StoreKeyByPublicKey(keyHandle, privKey, &pubKey, 
+					   label, sdb /*->password*/);
+
+fail:
+    if (label) PORT_Free(label);
+    *handle = lg_mkHandle(sdb,&pubKey,LG_TOKEN_TYPE_PRIV);
+    if (pubKey.data) PORT_Free(pubKey.data);
+    nsslowkey_DestroyPrivateKey(privKey);
+    if (rv != SECSuccess) return crv;
+
+    return CKR_OK;
+}
+
+
+#define LG_KEY_MAX_RETRIES 10 /* don't hang if we are having problems with the rng */
+#define LG_KEY_ID_SIZE 18 /* don't use either SHA1 or MD5 sizes */
+/*
+ * Secret keys must have a CKA_ID value to be stored in the database. This code
+ * will generate one if there wasn't one already. 
+ */
+static CK_RV
+lg_GenerateSecretCKA_ID(NSSLOWKEYDBHandle *handle, SECItem *id, char *label)
+{
+    unsigned int retries;
+    SECStatus rv = SECSuccess;
+    CK_RV crv = CKR_OK;
+
+    id->data = NULL;
+    if (label) {
+	id->data = (unsigned char *)PORT_Strdup(label);
+	if (id->data == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	id->len = PORT_Strlen(label)+1;
+	if (!nsslowkey_KeyForIDExists(handle,id)) { 
+	    return CKR_OK;
+	}
+	PORT_Free(id->data);
+	id->data = NULL;
+	id->len = 0;
+    }
+    id->data = (unsigned char *)PORT_Alloc(LG_KEY_ID_SIZE);
+    if (id->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    id->len = LG_KEY_ID_SIZE;
+
+    retries = 0;
+    do {
+	rv = RNG_GenerateGlobalRandomBytes(id->data,id->len);
+    } while (rv == SECSuccess && nsslowkey_KeyForIDExists(handle,id) && 
+				(++retries <= LG_KEY_MAX_RETRIES));
+
+    if ((rv != SECSuccess) || (retries > LG_KEY_MAX_RETRIES)) {
+	crv = CKR_DEVICE_ERROR; /* random number generator is bad */
+	PORT_Free(id->data);
+	id->data = NULL;
+	id->len = 0;
+    }
+    return crv;
+}
+
+
+static NSSLOWKEYPrivateKey *lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ,
+		 CK_ULONG count, CK_KEY_TYPE key_type, 
+		 SECItem *pubkey, SDB *sdbpw)
+{
+    NSSLOWKEYPrivateKey *privKey = 0;
+    PLArenaPool *arena = 0;
+    CK_KEY_TYPE keyType;
+    PRUint32 keyTypeStorage;
+    SECItem keyTypeItem;
+    CK_RV crv;
+    SECStatus rv;
+    static unsigned char derZero[1] = { 0 };
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey->arena = arena;
+
+    /* Secret keys are represented in the database as "fake" RSA keys.  
+     * The RSA key is marked as a secret key representation by setting the 
+     * public exponent field to 0, which is an invalid RSA exponent.  
+     * The other fields are set as follows:
+     *   modulus - CKA_ID value for the secret key
+     *   private exponent - CKA_VALUE (the key itself)
+     *   coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
+     *      is used for the key.
+     *   all others - set to integer 0
+     */
+    privKey->keyType = NSSLOWKEYRSAKey;
+
+    /* The modulus is set to the key id of the symmetric key */
+    crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count, 
+				&privKey->u.rsa.modulus);
+    if (crv != CKR_OK) goto loser;
+
+    /* The public exponent is set to 0 length to indicate a special key */
+    privKey->u.rsa.publicExponent.len = sizeof derZero;
+    privKey->u.rsa.publicExponent.data = derZero;
+
+    /* The private exponent is the actual key value */
+    crv = lg_PrivAttr2SecItem(arena, CKA_VALUE, templ, count,
+				&privKey->u.rsa.privateExponent, sdbpw);
+    if (crv != CKR_OK) goto loser;
+
+    /* All other fields empty - needs testing */
+    privKey->u.rsa.prime1.len = sizeof derZero;
+    privKey->u.rsa.prime1.data = derZero;
+
+    privKey->u.rsa.prime2.len = sizeof derZero;
+    privKey->u.rsa.prime2.data = derZero;
+
+    privKey->u.rsa.exponent1.len = sizeof derZero;
+    privKey->u.rsa.exponent1.data = derZero;
+
+    privKey->u.rsa.exponent2.len = sizeof derZero;
+    privKey->u.rsa.exponent2.data = derZero;
+
+    /* Coeficient set to KEY_TYPE */
+    crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &keyType);
+    if (crv != CKR_OK) goto loser; 
+    /* on 64 bit platforms, we still want to store 32 bits of keyType (This is
+     * safe since the PKCS #11 defines for all types are 32 bits or less). */
+    keyTypeStorage = (PRUint32) keyType;
+    keyTypeStorage = PR_htonl(keyTypeStorage);
+    keyTypeItem.data = (unsigned char *)&keyTypeStorage;
+    keyTypeItem.len = sizeof (keyTypeStorage);
+    rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem);
+    if (rv != SECSuccess) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    
+    /* Private key version field set normally for compatibility */
+    rv = DER_SetUInteger(privKey->arena, 
+			&privKey->u.rsa.version, NSSLOWKEY_VERSION);
+    if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }
+
+loser:
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	privKey = 0;
+    }
+
+    return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Secret Key Object 
+ */
+static CK_RV
+lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    NSSLOWKEYPrivateKey *privKey   = NULL;
+    NSSLOWKEYDBHandle   *keyHandle = NULL;
+    SECItem pubKey;
+    char *label = NULL;
+    SECStatus rv = SECSuccess;
+
+    pubKey.data = 0;
+
+    /* If the object is a TOKEN object, store in the database */
+    keyHandle = lg_getKeyDB(sdb);
+
+    if (keyHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    label = lg_getString(CKA_LABEL,templ,count);
+
+    crv = lg_Attribute2SecItem(NULL,CKA_ID,templ,count,&pubKey);
+						/* Should this be ID? */
+    if (crv != CKR_OK) goto loser;
+
+    /* if we don't have an ID, generate one */
+    if (pubKey.len == 0) {
+	if (pubKey.data) { 
+	    PORT_Free(pubKey.data);
+	    pubKey.data = NULL;
+	}
+	crv = lg_GenerateSecretCKA_ID(keyHandle, &pubKey, label);
+	if (crv != CKR_OK) goto loser;
+    }
+
+    privKey = lg_mkSecretKeyRep(templ, count, key_type, &pubKey, sdb);
+    if (privKey == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    rv = nsslowkey_StoreKeyByPublicKey(keyHandle,
+			privKey, &pubKey, label, sdb /*->password*/);
+    if (rv != SECSuccess) {
+	crv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+
+    *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_KEY);
+
+loser:
+    if (label) PORT_Free(label);
+    if (privKey) nsslowkey_DestroyPrivateKey(privKey);
+    if (pubKey.data) PORT_Free(pubKey.data);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object 
+ */
+static CK_RV
+lg_createKeyObject(SDB *sdb, CK_OBJECT_CLASS objclass, 
+	CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    CK_KEY_TYPE key_type;
+
+    /* get the key type */
+    crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &key_type);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    switch (objclass) {
+    case CKO_PUBLIC_KEY:
+	return lg_createPublicKeyObject(sdb,key_type,handle,templ,count);
+    case CKO_PRIVATE_KEY:
+	return lg_createPrivateKeyObject(sdb,key_type,handle,templ,count);
+    case CKO_SECRET_KEY:
+	return lg_createSecretKeyObject(sdb,key_type,handle,templ,count);
+    default:
+	break;
+    }
+    return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/* 
+ * Parse the template and create an object stored in the DB that reflects.
+ * the object specified in the database.
+ */
+CK_RV
+lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    CK_OBJECT_CLASS objclass;
+
+    /* get the object class */
+    crv = lg_GetULongAttribute(CKA_CLASS, templ, count, &objclass);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* Now handle the specific object class. 
+     */
+    switch (objclass) {
+    case CKO_CERTIFICATE:
+	crv = lg_createCertObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = lg_createTrustObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_CRL:
+	crv = lg_createCrlObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_SMIME:
+	crv = lg_createSMimeObject(sdb,handle,templ,count);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_PUBLIC_KEY:
+    case CKO_SECRET_KEY:
+	crv = lg_createKeyObject(sdb,objclass,handle,templ,count);
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	break;
+    }
+
+    return crv;
+}
+
diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h
new file mode 100644
index 000000000..207b7aecf
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgdb.h
@@ -0,0 +1,198 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _LGDB_H_
+#define _LGDB_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+#include "sdb.h"
+#include "cdbhdl.h" 
+
+
+#define MULTIACCESS "multiaccess:"
+
+
+/* machine dependent path stuff used by dbinit.c and pk11db.c */
+#ifdef macintosh
+#define PATH_SEPARATOR ":"
+#define SECMOD_DB "Security Modules"
+#define CERT_DB_FMT "%sCertificates%s"
+#define KEY_DB_FMT "%sKey Database%s"
+#else
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+#endif
+
+SEC_BEGIN_PROTOS
+
+
+/* internal utility functions used by pkcs11.c */
+extern const CK_ATTRIBUTE *lg_FindAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern CK_RV lg_Attribute2SecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item);
+extern CK_RV lg_Attribute2SSecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item);
+extern CK_RV lg_PrivAttr2SecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw);
+extern CK_RV lg_PrivAttr2SSecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw);
+extern CK_RV lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count, 
+			CK_ULONG *out);
+extern PRBool lg_hasAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isTrue(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *lg_getString(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern unsigned int lg_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV lg_ClearTokenKeyHashTable(SDB *sdb);
+
+
+extern void lg_FreeSearch(SDBFind *search);
+
+NSSLOWCERTCertDBHandle *lg_getCertDB(SDB *sdb);
+NSSLOWKEYDBHandle *lg_getKeyDB(SDB *sdb);
+
+const char *lg_EvaluateConfigDir(const char *configdir, char **domain);
+
+
+/*
+ * object handle modifiers
+ */
+#define LG_TOKEN_MASK		0xc0000000L
+#define LG_TOKEN_TYPE_MASK	0x38000000L
+#define LG_TOKEN_TYPE_SHIFT	27
+/* keydb (high bit == 0) */
+#define LG_TOKEN_TYPE_PRIV	0x08000000L
+#define LG_TOKEN_TYPE_PUB	0x10000000L
+#define LG_TOKEN_TYPE_KEY	0x18000000L
+/* certdb (high bit == 1) */
+#define LG_TOKEN_TYPE_TRUST	0x20000000L
+#define LG_TOKEN_TYPE_CRL	0x28000000L
+#define LG_TOKEN_TYPE_SMIME	0x30000000L
+#define LG_TOKEN_TYPE_CERT	0x38000000L
+
+#define LG_TOKEN_KRL_HANDLE	(LG_TOKEN_TYPE_CRL|1)
+
+#define LG_SEARCH_BLOCK_SIZE   10
+#define LG_BUF_SPACE	  50
+#define LG_STRICT   PR_FALSE
+
+/*
+ * token object utilities
+ */
+void lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle);
+PRBool lg_poisonHandle(SDB *sdb, SECItem *dbkey, CK_OBJECT_HANDLE handle);
+PRBool lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+				const CK_ATTRIBUTE *templ, CK_ULONG count);
+const SECItem *lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+CK_OBJECT_HANDLE lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class);
+SECStatus lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdbpw, 
+			  SECItem *plainText, SECItem **cipherText);
+SECStatus lg_util_decrypt(SDB *sdbpw, 
+			  SECItem *cipherText, SECItem **plainText);
+PLHashTable *lg_GetHashTable(SDB *sdb);
+void lg_DBLock(SDB *sdb);
+void lg_DBUnlock(SDB *sdb);
+
+typedef void (*LGFreeFunc)(void *);
+
+
+/*
+ * database functions
+ */
+
+/* lg_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate, 
+			 CK_ULONG ulCount, SDBFind **search);
+/* lg_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search, 
+    CK_OBJECT_HANDLE *phObject,CK_ULONG ulMaxObjectCount,
+    CK_ULONG *pulObjectCount);
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB* lgdb, SDBFind *search);
+
+/* lg_CreateObject parses the template and create an object stored in the 
+ * DB that reflects the object specified in the template.  */
+CK_RV lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+
+CK_RV lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+				CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+			const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id);
+
+CK_RV lg_Close(SDB *sdb);
+CK_RV lg_Reset(SDB *sdb);
+
+/*
+ * The old database doesn't share and doesn't support
+ * transactions.
+ */
+CK_RV lg_Begin(SDB *sdb);
+CK_RV lg_Commit(SDB *sdb);
+CK_RV lg_Abort(SDB *sdb);
+CK_RV lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2);
+CK_RV lg_PutMetaData(SDB *sdb, const char *id, 
+			const SECItem *item1, const SECItem *item2);
+
+SEC_END_PROTOS
+
+#endif /* _LGDB_H_ */
diff --git a/security/nss/lib/softoken/legacydb/lgdestroy.c b/security/nss/lib/softoken/legacydb/lgdestroy.c
new file mode 100644
index 000000000..37db2e50e
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgdestroy.c
@@ -0,0 +1,144 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+
+/*
+ * remove an object.
+ */
+CK_RV
+lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust tmptrust;
+    PRBool isKrl;
+    NSSLOWKEYDBHandle *keyHandle;
+    NSSLOWCERTCertDBHandle *certHandle;
+    const SECItem *dbKey;
+
+    object_id &= ~LG_TOKEN_MASK;
+    dbKey = lg_lookupTokenKeyByHandle(sdb,object_id);
+    if (dbKey == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* remove the objects from the real data base */
+    switch (object_id & LG_TOKEN_TYPE_MASK) {
+    case LG_TOKEN_TYPE_PRIV:
+    case LG_TOKEN_TYPE_KEY:
+	/* KEYID is the public KEY for DSA and DH, and the MODULUS for
+	 *  RSA */
+	keyHandle = lg_getKeyDB(sdb);
+	if (!keyHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	rv = nsslowkey_DeleteKey(keyHandle, dbKey);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	}
+	break;
+    case LG_TOKEN_TYPE_PUB:
+	break; /* public keys only exist at the behest of the priv key */
+    case LG_TOKEN_TYPE_CERT:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	cert = nsslowcert_FindCertByKey(certHandle,dbKey);
+	if (cert == NULL) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+	rv = nsslowcert_DeletePermCertificate(cert);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	}
+	nsslowcert_DestroyCertificate(cert);
+	break;
+    case LG_TOKEN_TYPE_CRL:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	isKrl = (PRBool) (object_id == LG_TOKEN_KRL_HANDLE);
+	rv = nsslowcert_DeletePermCRL(certHandle, dbKey, isKrl);
+	if (rv == SECFailure) crv = CKR_DEVICE_ERROR;
+	break;
+    case LG_TOKEN_TYPE_TRUST:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+	if (cert == NULL) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+	tmptrust = *cert->trust;
+	tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
+	tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
+	tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
+	rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
+	if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
+	nsslowcert_DestroyCertificate(cert);
+	break;
+    default:
+	break;
+    }
+    lg_DBLock(sdb);
+    lg_deleteTokenKeyByHandle(sdb,object_id);
+    lg_DBUnlock(sdb);
+
+    return crv;
+}
+
+
+
diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c
new file mode 100644
index 000000000..b45f0096c
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgfind.c
@@ -0,0 +1,940 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "blapi.h"
+
+#include "keydbi.h" 
+
+/*
+ * This code maps PKCS #11 Finds to legacy database searches. This code
+ * was orginally in pkcs11.c in previous versions of NSS.
+ */
+
+struct SDBFindStr {
+    CK_OBJECT_HANDLE    *handles;
+    int                 size;
+    int                 index;
+    int                 array_size;
+};
+
+
+/*
+ * free a search structure
+ */
+void
+lg_FreeSearch(SDBFind *search)
+{
+    if (search->handles) {
+	PORT_Free(search->handles);
+    }
+    PORT_Free(search);
+}
+
+void
+lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle)
+{
+    if (search->handles == NULL) {
+	return;
+    }
+    if (search->size >= search->array_size) {
+	search->array_size += LG_SEARCH_BLOCK_SIZE;
+	search->handles = (CK_OBJECT_HANDLE *) PORT_Realloc(search->handles,
+				 sizeof(CK_OBJECT_HANDLE)* search->array_size);
+	if (search->handles == NULL) {
+	   return;
+	}
+    }
+    search->handles[search->size] = handle;
+    search->size++;
+}
+
+/*
+ * find any certs that may match the template and load them.
+ */
+#define LG_CERT 	0x00000001
+#define LG_TRUST	0x00000002
+#define LG_CRL		0x00000004
+#define LG_SMIME	0x00000008
+#define LG_PRIVATE	0x00000010
+#define LG_PUBLIC	0x00000020
+#define LG_KEY		0x00000040
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgEntryDataStr {
+    SDB *sdb;
+    SDBFind *searchHandles;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+} lgEntryData;
+
+
+static SECStatus
+lg_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+    lgEntryData *crlData;
+    CK_OBJECT_HANDLE class_handle;
+    SDB *sdb;
+    
+    crlData = (lgEntryData *)arg;
+    sdb = crlData->sdb;
+
+    class_handle = (type == certDBEntryTypeRevocation) ? LG_TOKEN_TYPE_CRL :
+							LG_TOKEN_KRL_HANDLE;
+    if (lg_tokenMatch(sdb, key, class_handle,
+			crlData->template, crlData->templ_count)) {
+	lg_addHandle(crlData->searchHandles,
+				 lg_mkHandle(sdb,key,class_handle));
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchCrls(SDB *sdb, SECItem *derSubject, PRBool isKrl, 
+		unsigned long classFlags, SDBFind *search,
+		const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) {
+	return;
+    }
+    if (derSubject->data != NULL)  {
+	certDBEntryRevocation *crl = 
+	    nsslowcert_FindCrlByKey(certHandle, derSubject, isKrl);
+
+	if (crl != NULL) {
+	    lg_addHandle(search, lg_mkHandle(sdb, derSubject,
+		isKrl ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL));
+	    nsslowcert_DestroyDBEntry((certDBEntry *)crl);
+	}
+    } else {
+	lgEntryData crlData;
+
+	/* traverse */
+	crlData.sdb = sdb;
+	crlData.searchHandles = search;
+	crlData.template = pTemplate;
+	crlData.templ_count = ulCount;
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation,
+		lg_crl_collect, (void *)&crlData);
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation,
+		lg_crl_collect, (void *)&crlData);
+    } 
+}
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgKeyDataStr {
+    SDB *sdb;
+    NSSLOWKEYDBHandle *keyHandle;
+    SDBFind *searchHandles;
+    SECItem *id;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+    unsigned long classFlags;
+    PRBool strict;
+} lgKeyData;
+
+static PRBool
+isSecretKey(NSSLOWKEYPrivateKey *privKey)
+{
+  if (privKey->keyType == NSSLOWKEYRSAKey &&
+                privKey->u.rsa.publicExponent.len == 1 &&
+                                privKey->u.rsa.publicExponent.data[0] == 0)
+    return PR_TRUE;
+
+  return PR_FALSE;
+}
+
+
+
+static SECStatus
+lg_key_collect(DBT *key, DBT *data, void *arg)
+{
+    lgKeyData *keyData;
+    NSSLOWKEYPrivateKey *privKey = NULL;
+    SECItem tmpDBKey;
+    SDB *sdb;
+    unsigned long classFlags;
+    
+    keyData = (lgKeyData *)arg;
+    sdb = keyData->sdb;
+    classFlags = keyData->classFlags;
+
+    tmpDBKey.data = key->data;
+    tmpDBKey.len = key->size;
+    tmpDBKey.type = siBuffer;
+
+    PORT_Assert(keyData->keyHandle);
+    if (!keyData->strict && keyData->id && keyData->id->data) {
+	SECItem result;
+	PRBool haveMatch= PR_FALSE;
+	unsigned char hashKey[SHA1_LENGTH];
+	result.data = hashKey;
+	result.len = sizeof(hashKey);
+
+	if (keyData->id->len == 0) {
+	    /* Make sure this isn't a LG_KEY */
+	    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, 
+					&tmpDBKey, keyData->sdb/*->password*/);
+	    if (privKey) {
+		/* turn off the unneeded class flags */
+		classFlags &= isSecretKey(privKey) ?  ~(LG_PRIVATE|LG_PUBLIC) :
+							~LG_KEY;
+		haveMatch = (PRBool)
+			((classFlags & (LG_KEY|LG_PRIVATE|LG_PUBLIC)) != 0);
+		nsslowkey_DestroyPrivateKey(privKey);
+	    }
+	} else {
+	    SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */
+	    haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    if (!haveMatch && ((unsigned char *)key->data)[0] == 0) {
+		/* This is a fix for backwards compatibility.  The key
+		 * database indexes private keys by the public key, and
+		 * versions of NSS prior to 3.4 stored the public key as
+		 * a signed integer.  The public key is now treated as an
+		 * unsigned integer, with no leading zero.  In order to
+		 * correctly compute the hash of an old key, it is necessary
+		 * to fallback and detect the leading zero.
+		 */
+		SHA1_HashBuf(hashKey, 
+		             (unsigned char *)key->data + 1, key->size - 1);
+		haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    }
+	}
+	if (haveMatch) {
+	    if (classFlags & LG_PRIVATE)  {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_PRIV));
+	    }
+	    if (classFlags & LG_PUBLIC) {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_PUB));
+	    }
+	    if (classFlags & LG_KEY) {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_KEY));
+	    }
+	}
+	return SECSuccess;
+    }
+
+    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, &tmpDBKey, 
+						 keyData->sdb/*->password*/);
+    if ( privKey == NULL ) {
+	goto loser;
+    }
+
+    if (isSecretKey(privKey)) {
+	if ((classFlags & LG_KEY) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY));
+	}
+    } else {
+	if ((classFlags & LG_PRIVATE) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb,&tmpDBKey,LG_TOKEN_TYPE_PRIV));
+	}
+	if ((classFlags & LG_PUBLIC) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb, &tmpDBKey,LG_TOKEN_TYPE_PUB));
+	}
+    }
+
+loser:
+    if ( privKey ) {
+	nsslowkey_DestroyPrivateKey(privKey);
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchKeys(SDB *sdb, SECItem *key_id,
+	unsigned long classFlags, SDBFind *search, PRBool mustStrict,
+	const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+    NSSLOWKEYPrivateKey *privKey;
+    lgKeyData keyData;
+    PRBool found = PR_FALSE;
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle == NULL) {
+	return;
+    }
+
+    if (key_id->data) {
+	privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, sdb);
+	if (privKey) {
+	    if ((classFlags & LG_KEY) && isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_KEY));
+		found = PR_TRUE;
+	    }
+	    if ((classFlags & LG_PRIVATE) && !isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PRIV));
+		found = PR_TRUE;
+	    }
+	    if ((classFlags & LG_PUBLIC) && !isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PUB));
+		found = PR_TRUE;
+	    }
+    	    nsslowkey_DestroyPrivateKey(privKey);
+	}
+	/* don't do the traversal if we have an up to date db */
+	if (keyHandle->version != 3) {
+	    goto loser;
+	}
+	/* don't do the traversal if it can't possibly be the correct id */
+	/* all soft token id's are SHA1_HASH_LEN's */
+	if (key_id->len != SHA1_LENGTH) {
+	    goto loser;
+	}
+	if (found) {
+	   /* if we already found some keys, don't do the traversal */
+	   goto loser;
+	}
+    }
+    keyData.sdb = sdb;
+    keyData.keyHandle = keyHandle;
+    keyData.searchHandles = search;
+    keyData.id = key_id;
+    keyData.template = pTemplate;
+    keyData.templ_count = ulCount;
+    keyData.classFlags = classFlags;
+    keyData.strict = mustStrict ? mustStrict : LG_STRICT;
+
+    nsslowkey_TraverseKeys(keyHandle, lg_key_collect, &keyData);
+
+loser:
+    return;
+}
+
+/*
+ * structure to collect certs into
+ */
+typedef struct lgCertDataStr {
+    SDB *sdb;
+    int cert_count;
+    int max_cert_count;
+    NSSLOWCERTCertificate **certs;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG	templ_count;
+    unsigned long classFlags;
+    PRBool	strict;
+} lgCertData;
+
+/*
+ * collect all the certs from the traverse call.
+ */	
+static SECStatus
+lg_cert_collect(NSSLOWCERTCertificate *cert,void *arg)
+{
+    lgCertData *cd = (lgCertData *)arg;
+
+    if (cert == NULL) {
+	return SECSuccess;
+    }
+
+    if (cd->certs == NULL) {
+	return SECFailure;
+    }
+
+    if (cd->strict) {
+	if ((cd->classFlags & LG_CERT) && !lg_tokenMatch(cd->sdb,
+	  &cert->certKey, LG_TOKEN_TYPE_CERT, cd->template,cd->templ_count)) {
+	    return SECSuccess;
+	}
+	if ((cd->classFlags & LG_TRUST) && !lg_tokenMatch(cd->sdb,
+	  &cert->certKey, LG_TOKEN_TYPE_TRUST, 
+					     cd->template, cd->templ_count)) {
+	    return SECSuccess;
+	}
+    }
+
+    /* allocate more space if we need it. This should only happen in
+     * the general traversal case */
+    if (cd->cert_count >= cd->max_cert_count) {
+	int size;
+	cd->max_cert_count += LG_SEARCH_BLOCK_SIZE;
+	size = cd->max_cert_count * sizeof (NSSLOWCERTCertificate *);
+	cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs,size);
+	if (cd->certs == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert);
+    return SECSuccess;
+}
+
+/* provide impedence matching ... */
+static SECStatus
+lg_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg)
+{
+    return lg_cert_collect(cert, arg);
+}
+
+static void
+lg_searchSingleCert(lgCertData *certData,NSSLOWCERTCertificate *cert)
+{
+    if (cert == NULL) {
+	    return;
+    }
+    if (certData->strict && 
+	!lg_tokenMatch(certData->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT, 
+				certData->template,certData->templ_count)) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **) 
+				PORT_Alloc(sizeof (NSSLOWCERTCertificate *));
+    if (certData->certs == NULL) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs[0] = cert;
+    certData->cert_count = 1;
+}
+
+static void
+lg_CertSetupData(lgCertData *certData,int count)
+{
+    certData->max_cert_count = count;
+
+    if (certData->max_cert_count <= 0) {
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **)
+			 PORT_Alloc( count * sizeof(NSSLOWCERTCertificate *));
+    return;
+}
+
+static void
+lg_searchCertsAndTrust(SDB *sdb, SECItem *derCert, SECItem *name, 
+			SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN, 
+			SECItem *email,
+			unsigned long classFlags, SDBFind *handles, 
+			const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    lgCertData certData;
+    int i;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) return;
+
+    certData.sdb = sdb;
+    certData.max_cert_count = 0;
+    certData.certs = NULL;
+    certData.cert_count = 0;
+    certData.template = pTemplate;
+    certData.templ_count = ulCount;
+    certData.classFlags = classFlags; 
+    certData.strict = LG_STRICT; 
+
+
+    /*
+     * Find the Cert.
+     */
+    if (derCert->data != NULL) {
+	NSSLOWCERTCertificate *cert = 
+			nsslowcert_FindCertByDERCert(certHandle,derCert);
+	lg_searchSingleCert(&certData,cert);
+    } else if (name->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(name->len+1);
+	int count;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,name->data,name->len);
+	tmp_name[name->len] = 0;
+
+	count= nsslowcert_NumPermCertsForNickname(certHandle,tmp_name);
+	lg_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForNickname(certHandle,tmp_name,
+				lg_cert_collect, &certData);
+	PORT_Free(tmp_name);
+    } else if (derSubject->data != NULL) {
+	int count;
+
+	count = nsslowcert_NumPermCertsForSubject(certHandle,derSubject);
+	lg_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForSubject(certHandle,derSubject,
+				lg_cert_collect, &certData);
+    } else if ((issuerSN->derIssuer.data != NULL) && 
+			(issuerSN->serialNumber.data != NULL)) {
+        if (classFlags & LG_CERT) {
+	    NSSLOWCERTCertificate *cert = 
+		nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN);
+
+	    lg_searchSingleCert(&certData,cert);
+	}
+	if (classFlags & LG_TRUST) {
+	    NSSLOWCERTTrust *trust = 
+		nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN);
+
+	    if (trust) {
+		lg_addHandle(handles,
+		    lg_mkHandle(sdb,&trust->dbKey,LG_TOKEN_TYPE_TRUST));
+		nsslowcert_DestroyTrust(trust);
+	    }
+	}
+    } else if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+	certDBEntrySMime *entry = NULL;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    int count;
+	    SECItem *subjectName = &entry->subjectName;
+
+	    count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName);
+	    lg_CertSetupData(&certData,count);
+	    nsslowcert_TraversePermCertsForSubject(certHandle, subjectName, 
+						lg_cert_collect, &certData);
+
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    } else {
+	/* we aren't filtering the certs, we are working on all, so turn
+	 * on the strict filters. */
+	certData.strict = PR_TRUE;
+	lg_CertSetupData(&certData,LG_SEARCH_BLOCK_SIZE);
+	nsslowcert_TraversePermCerts(certHandle, lg_cert_collect2, &certData);
+    }
+
+    /*
+     * build the handles
+     */	
+    for (i=0 ; i < certData.cert_count ; i++) {
+	NSSLOWCERTCertificate *cert = certData.certs[i];
+
+	/* if we filtered it would have been on the stuff above */
+	if (classFlags & LG_CERT) {
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_CERT));
+	}
+	if ((classFlags & LG_TRUST) && nsslowcert_hasTrust(cert->trust)) {
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_TRUST));
+	}
+	nsslowcert_DestroyCertificate(cert);
+    }
+
+    if (certData.certs) PORT_Free(certData.certs);
+    return;
+}
+
+static SECStatus
+lg_smime_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+    lgEntryData *smimeData;
+    SDB *sdb;
+    
+    smimeData = (lgEntryData *)arg;
+    sdb = smimeData->sdb;
+
+    if (lg_tokenMatch(sdb, key, LG_TOKEN_TYPE_SMIME,
+			smimeData->template, smimeData->templ_count)) {
+	lg_addHandle(smimeData->searchHandles,
+				 lg_mkHandle(sdb,key,LG_TOKEN_TYPE_SMIME));
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchSMime(SDB *sdb, SECItem *email, SDBFind *handles, 
+			const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    certDBEntrySMime *entry;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) return;
+
+    if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    SECItem emailKey;
+
+	    emailKey.data = (unsigned char *)tmp_name;
+	    emailKey.len = PORT_Strlen(tmp_name)+1;
+	    emailKey.type = 0;
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&emailKey,LG_TOKEN_TYPE_SMIME));
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    } else {
+	/* traverse */
+	lgEntryData smimeData;
+
+	/* traverse */
+	smimeData.sdb = sdb;
+	smimeData.searchHandles = handles;
+	smimeData.template = pTemplate;
+	smimeData.templ_count = ulCount;
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeSMimeProfile,
+		lg_smime_collect, (void *)&smimeData);
+    }
+    return;
+}
+
+static CK_RV
+lg_searchTokenList(SDB *sdb, SDBFind *search,
+	 		const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    int i;
+    PRBool isKrl = PR_FALSE;
+    SECItem derCert = { siBuffer, NULL, 0 };
+    SECItem derSubject = { siBuffer, NULL, 0 };
+    SECItem name = { siBuffer, NULL, 0 };
+    SECItem email = { siBuffer, NULL, 0 };
+    SECItem key_id = { siBuffer, NULL, 0 };
+    SECItem cert_sha1_hash = { siBuffer, NULL, 0 };
+    SECItem cert_md5_hash  = { siBuffer, NULL, 0 };
+    NSSLOWCERTIssuerAndSN issuerSN = {
+	{ siBuffer, NULL, 0 },
+	{ siBuffer, NULL, 0 }
+    };
+    SECItem *copy = NULL;
+    CK_CERTIFICATE_TYPE certType;
+    CK_OBJECT_CLASS objectClass;
+    CK_RV crv;
+    unsigned long classFlags;
+
+    if (lg_getCertDB(sdb) == NULL) {
+	classFlags = LG_PRIVATE|LG_KEY;
+    } else {
+	classFlags = LG_CERT|LG_TRUST|LG_PUBLIC|LG_SMIME|LG_CRL;
+    }
+
+    /*
+     * look for things to search on token objects for. If the right options
+     * are specified, we can use them as direct indeces into the database
+     * (rather than using linear searches. We can also use the attributes to
+     * limit the kinds of objects we are searching for. Later we can use this
+     * array to filter the remaining objects more finely.
+     */
+    for (i=0 ;classFlags && i < (int)ulCount; i++) {
+
+	switch (pTemplate[i].type) {
+	case CKA_SUBJECT:
+	    copy = &derSubject;
+	    classFlags &= (LG_CERT|LG_PRIVATE|LG_PUBLIC|LG_SMIME|LG_CRL);
+	    break;
+	case CKA_ISSUER: 
+	    copy = &issuerSN.derIssuer;
+	    classFlags &= (LG_CERT|LG_TRUST);
+	    break;
+	case CKA_SERIAL_NUMBER: 
+	    copy = &issuerSN.serialNumber;
+	    classFlags &= (LG_CERT|LG_TRUST);
+	    break;
+	case CKA_VALUE:
+	    copy = &derCert;
+	    classFlags &= (LG_CERT|LG_CRL|LG_SMIME);
+	    break;
+	case CKA_LABEL:
+	    copy = &name;
+	    break;
+	case CKA_NETSCAPE_EMAIL:
+	    copy = &email;
+	    classFlags &= LG_SMIME|LG_CERT;
+	    break;
+	case CKA_NETSCAPE_SMIME_TIMESTAMP:
+	    classFlags &= LG_SMIME;
+	    break;
+	case CKA_CLASS:
+	    crv = lg_GetULongAttribute(CKA_CLASS,&pTemplate[i],1, &objectClass);
+	    if (crv != CKR_OK) {
+		classFlags = 0;
+		break;;
+	    }
+	    switch (objectClass) {
+	    case CKO_CERTIFICATE:
+		classFlags &= LG_CERT;
+		break;
+	    case CKO_NETSCAPE_TRUST:
+		classFlags &= LG_TRUST;
+		break;
+	    case CKO_NETSCAPE_CRL:
+		classFlags &= LG_CRL;
+		break;
+	    case CKO_NETSCAPE_SMIME:
+		classFlags &= LG_SMIME;
+		break;
+	    case CKO_PRIVATE_KEY:
+		classFlags &= LG_PRIVATE;
+		break;
+	    case CKO_PUBLIC_KEY:
+		classFlags &= LG_PUBLIC;
+		break;
+	    case CKO_SECRET_KEY:
+		classFlags &= LG_KEY;
+		break;
+	    default:
+		classFlags = 0;
+		break;
+	    }
+	    break;
+	case CKA_PRIVATE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (LG_PRIVATE|LG_KEY);
+	    } else {
+		classFlags &= ~(LG_PRIVATE|LG_KEY);
+	    }
+	    break;
+	case CKA_SENSITIVE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (LG_PRIVATE|LG_KEY);
+	    } else {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_TOKEN:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_TRUE) {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_CERT_SHA1_HASH:
+	    classFlags &= LG_TRUST;
+	    copy = &cert_sha1_hash; break;
+	case CKA_CERT_MD5_HASH:
+	    classFlags &= LG_TRUST;
+	    copy = &cert_md5_hash; break;
+	case CKA_CERTIFICATE_TYPE:
+	    crv = lg_GetULongAttribute(CKA_CLASS,&pTemplate[i],1,&certType);
+	    if (crv != CKR_OK) {
+		classFlags = 0;
+	    }
+	    classFlags &= LG_CERT;
+	    if (certType != CKC_X_509) {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_ID:
+	    copy = &key_id;
+	    classFlags &= (LG_CERT|LG_PRIVATE|LG_KEY|LG_PUBLIC);
+	    break;
+	case CKA_NETSCAPE_KRL:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    classFlags &= LG_CRL;
+	    isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE);
+	    break;
+	case CKA_MODIFIABLE:
+	     break;
+	case CKA_KEY_TYPE:
+	case CKA_DERIVE:
+	    classFlags &= LG_PUBLIC|LG_PRIVATE|LG_KEY;
+	    break;
+	case CKA_VERIFY_RECOVER:
+	    classFlags &= LG_PUBLIC;
+	    break;
+	case CKA_SIGN_RECOVER:
+	    classFlags &= LG_PRIVATE;
+	    break;
+	case CKA_ENCRYPT:
+	case CKA_VERIFY:
+	case CKA_WRAP:
+	    classFlags &= LG_PUBLIC|LG_KEY;
+	    break;
+	case CKA_DECRYPT:
+	case CKA_SIGN:
+	case CKA_UNWRAP:
+	case CKA_ALWAYS_SENSITIVE:
+	case CKA_EXTRACTABLE:
+	case CKA_NEVER_EXTRACTABLE:
+	    classFlags &= LG_PRIVATE|LG_KEY;
+	    break;
+	/* can't be a certificate if it doesn't match one of the above 
+	 * attributes */
+	default: 
+	     classFlags  = 0;
+	     break;
+	}
+ 	if (copy) {
+	    copy->data = (unsigned char*)pTemplate[i].pValue;
+	    copy->len = pTemplate[i].ulValueLen;
+	}
+	copy = NULL;
+    }
+
+    /* certs */
+    if (classFlags & (LG_CERT|LG_TRUST)) {
+	lg_searchCertsAndTrust(sdb,&derCert,&name,&derSubject,
+				 &issuerSN, &email,classFlags,search, 
+				pTemplate, ulCount);
+    }
+
+    /* keys */
+    if (classFlags & (LG_PRIVATE|LG_PUBLIC|LG_KEY)) {
+	PRBool mustStrict = (name.len != 0);
+	lg_searchKeys(sdb, &key_id, classFlags, search,
+			 mustStrict, pTemplate, ulCount);
+    }
+
+    /* crl's */
+    if (classFlags & LG_CRL) {
+	lg_searchCrls(sdb, &derSubject, isKrl, classFlags, search,
+			pTemplate, ulCount);
+    }
+    /* Add S/MIME entry stuff */
+    if (classFlags & LG_SMIME) {
+	lg_searchSMime(sdb, &email, search, pTemplate, ulCount);
+    }
+    return CKR_OK;
+}
+	
+
+/* lg_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate,
+			 CK_ULONG ulCount, SDBFind **retSearch)
+{
+    SDBFind *search;
+    CK_RV crv = CKR_OK;
+  
+    *retSearch = NULL; 
+
+    search = (SDBFind *)PORT_Alloc(sizeof(SDBFind));
+    if (search == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->handles = (CK_OBJECT_HANDLE *)
+		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * LG_SEARCH_BLOCK_SIZE);
+    if (search->handles == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->index = 0;
+    search->size = 0;
+    search->array_size = LG_SEARCH_BLOCK_SIZE;
+    /* FIXME - do we still need to get Login state? */
+
+    crv = lg_searchTokenList(sdb, search, pTemplate, ulCount);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    *retSearch = search;
+    return CKR_OK;
+
+loser:
+    if (search) {
+	lg_FreeSearch(search);
+    }
+    return crv;
+}
+
+
+/* lg_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search, 
+    CK_OBJECT_HANDLE *phObject,CK_ULONG ulMaxObjectCount,
+    					CK_ULONG *pulObjectCount)
+{
+    int	transfer;
+    int left;
+
+    *pulObjectCount = 0;
+    left = search->size - search->index;
+    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+    if (transfer > 0) {
+	PORT_Memcpy(phObject,&search->handles[search->index],
+                                        transfer*sizeof(CK_OBJECT_HANDLE));
+    } else {
+       *phObject = CK_INVALID_HANDLE;
+    }
+
+    search->index += transfer;
+    *pulObjectCount = transfer;
+    return CKR_OK;
+}
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB* lgdb, SDBFind *search)
+{
+
+    if (search != NULL) {
+	lg_FreeSearch(search);
+    }
+    return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c
new file mode 100644
index 000000000..e77836939
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lginit.c
@@ -0,0 +1,663 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "keydbi.h"
+#include "lgdb.h"
+#include "secoid.h"
+#include "prenv.h"
+
+typedef struct LGPrivateStr {
+    NSSLOWCERTCertDBHandle *certDB;
+    NSSLOWKEYDBHandle *keyDB;
+    PRLock *dbLock;
+    PLHashTable *hashTable;
+} LGPrivate;
+
+static char *
+lg_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+
+    switch (dbVersion) {
+      case 8:
+	dbver = "8";
+	break;
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    /* make sure we return something allocated with PORT_ so we have properly
+     * matched frees at the end */
+    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+    
+static char *
+lg_keydb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+    
+    switch (dbVersion) {
+      case 4:
+	dbver = "4";
+	break;
+      case 3:
+	dbver = "3";
+	break;
+      case 1:
+	dbver = "1";
+	break;
+      case 2:
+      default:
+	dbver = "";
+	break;
+    }
+
+    smpname = PR_smprintf(KEY_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+
+const char *
+lg_EvaluateConfigDir(const char *configdir,char **appName)
+{
+    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
+	char *cdir;
+
+	*appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
+	if (*appName == NULL) {
+	    return configdir;
+	}
+	cdir = *appName;
+	while (*cdir && *cdir != ':') {
+	    cdir++;
+	}
+	if (*cdir == ':') {
+	   *cdir = 0;
+	   cdir++;
+	}
+	configdir = cdir;
+    }
+    return configdir;
+}
+
+static int rdbmapflags(int flags);
+static rdbfunc lg_rdbfunc = NULL;
+static rdbstatusfunc lg_rdbstatusfunc = NULL;
+
+/* NOTE: SHLIB_SUFFIX is defined on the command line */
+#define RDBLIB SHLIB_PREFIX"rdb."SHLIB_SUFFIX
+
+DB * rdbopen(const char *appName, const char *prefix, 
+			const char *type, int flags, int *status)
+{
+    PRLibrary *lib;
+    DB *db;
+    char *disableUnload = NULL;
+
+    if (lg_rdbfunc) {
+	db = (*lg_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
+	if (!db && status && lg_rdbstatusfunc) {
+	    *status = (*lg_rdbstatusfunc)();
+	}
+	return db;
+    }
+
+    /*
+     * try to open the library.
+     */
+    lib = PR_LoadLibrary(RDBLIB);
+
+    if (!lib) {
+	return NULL;
+    }
+
+    /* get the entry points */
+    lg_rdbstatusfunc = (rdbstatusfunc) PR_FindSymbol(lib,"rdbstatus");
+    lg_rdbfunc = (rdbfunc) PR_FindSymbol(lib,"rdbopen");
+    if (lg_rdbfunc) {
+	db = (*lg_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
+	if (!db && status && lg_rdbstatusfunc) {
+	    *status = (*lg_rdbstatusfunc)();
+	}
+	return db;
+    }
+
+    /* couldn't find the entry point, unload the library and fail */
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    if (!disableUnload) {
+        PR_UnloadLibrary(lib);
+    }
+    return NULL;
+}
+
+/*
+ * the following data structures are from rdb.h.
+ */
+struct RDBStr {
+    DB	db;
+    int (*xactstart)(DB *db);
+    int (*xactdone)(DB *db, PRBool abort);
+    int version;
+    int (*dbinitcomplete)(DB *db);
+};
+
+#define DB_RDB ((DBTYPE) 0xff)
+#define RDB_RDONLY	1
+#define RDB_RDWR 	2
+#define RDB_CREATE      4
+
+static int
+rdbmapflags(int flags) {
+   switch (flags) {
+   case NO_RDONLY:
+	return RDB_RDONLY;
+   case NO_RDWR:
+	return RDB_RDWR;
+   case NO_CREATE:
+	return RDB_CREATE;
+   default:
+	break;
+   }
+   return 0;
+}
+
+PRBool
+db_IsRDB(DB *db)
+{
+    return (PRBool) db->type == DB_RDB;
+}
+
+int
+db_BeginTransaction(DB *db)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+
+    return rdb->xactstart(db);
+}
+
+int
+db_FinishTransaction(DB *db, PRBool abort)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+
+    return rdb->xactdone(db, abort);
+}
+
+static DB *
+lg_getRawDB(SDB *sdb)
+{
+    NSSLOWCERTCertDBHandle *certDB;
+    NSSLOWKEYDBHandle *keyDB;
+
+    certDB = lg_getCertDB(sdb);
+    if (certDB) {
+	return certDB->permCertDB;
+    }
+    keyDB = lg_getKeyDB(sdb);
+    if (keyDB) {
+	return keyDB->db;
+    }
+    return NULL;
+}
+
+CK_RV
+lg_Begin(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_BeginTransaction(db);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+CK_RV
+lg_Commit(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_FinishTransaction(db, PR_FALSE);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+CK_RV
+lg_Abort(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_FinishTransaction(db, PR_TRUE);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+int
+db_InitComplete(DB *db)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+    /* we should have added a version number to the RDBS structure. Since we
+     * didn't, we detect that we have and 'extended' structure if the rdbstatus
+     * func exists */
+    if (!lg_rdbstatusfunc) {
+	return 0;
+    }
+
+    return rdb->dbinitcomplete(db);
+}
+
+
+
+SECStatus
+db_Copy(DB *dest,DB *src)
+{
+    int ret;
+    DBT key,data;
+    ret = (*src->seq)(src, &key, &data, R_FIRST);
+    if (ret)  {
+	return SECSuccess;
+    }
+
+    do {
+	(void)(*dest->put)(dest,&key,&data, R_NOOVERWRITE);
+    } while ( (*src->seq)(src, &key, &data, R_NEXT) == 0);
+    (void)(*dest->sync)(dest,0);
+
+    return SECSuccess;
+}
+
+
+static CK_RV
+lg_OpenCertDB(const char * configdir, const char *prefix, PRBool readOnly,
+    					    NSSLOWCERTCertDBHandle **certdbPtr)
+{
+    NSSLOWCERTCertDBHandle *certdb = NULL;
+    CK_RV        crv = CKR_NETSCAPE_CERTDB_FAILED;
+    SECStatus    rv;
+    char * name = NULL;
+    char * appName = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+
+    configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);
+    if (name == NULL) goto loser;
+
+    certdb = (NSSLOWCERTCertDBHandle*)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle));
+    if (certdb == NULL) 
+    	goto loser;
+
+    certdb->ref = 1;
+/* fix when we get the DB in */
+    rv = nsslowcert_OpenCertDB(certdb, readOnly, appName, prefix,
+				lg_certdb_name_cb, (void *)name, PR_FALSE);
+    if (rv == SECSuccess) {
+	crv = CKR_OK;
+	*certdbPtr = certdb;
+	certdb = NULL;
+    }
+loser: 
+    if (certdb) PR_Free(certdb);
+    if (name) PR_smprintf_free(name);
+    if (appName) PORT_Free(appName);
+    return crv;
+}
+
+static CK_RV
+lg_OpenKeyDB(const char * configdir, const char *prefix, PRBool readOnly,
+    						NSSLOWKEYDBHandle **keydbPtr)
+{
+    NSSLOWKEYDBHandle *keydb;
+    char * name = NULL;
+    char * appName = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+    configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);	
+    if (name == NULL) 
+	return CKR_HOST_MEMORY;
+    keydb = nsslowkey_OpenKeyDB(readOnly, appName, prefix, 
+					lg_keydb_name_cb, (void *)name);
+    PR_smprintf_free(name);
+    if (appName) PORT_Free(appName);
+    if (keydb == NULL)
+	return CKR_NETSCAPE_KEYDB_FAILED;
+    *keydbPtr = keydb;
+
+    return CKR_OK;
+}
+
+/*
+ * Accessors for the private parts of the sdb structure.
+ */
+void
+lg_DBLock(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    PR_Lock(lgdb_p->dbLock);
+}
+
+void
+lg_DBUnlock(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    PR_Unlock(lgdb_p->dbLock);
+}
+
+PLHashTable *
+lg_GetHashTable(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    return lgdb_p->hashTable;
+}
+
+NSSLOWCERTCertDBHandle *
+lg_getCertDB(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+    return lgdb_p->certDB;
+}
+
+NSSLOWKEYDBHandle *
+lg_getKeyDB(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+    return lgdb_p->keyDB;
+}
+
+CK_RV
+lg_Close(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    lg_ClearTokenKeyHashTable(sdb);
+    if (lgdb_p) {
+    	if (lgdb_p->certDB) {
+	    nsslowcert_ClosePermCertDB(lgdb_p->certDB);
+	} else if (lgdb_p->keyDB) {
+	    nsslowkey_CloseKeyDB(lgdb_p->keyDB);
+	}
+	if (lgdb_p->dbLock) {
+	    PR_DestroyLock(lgdb_p->dbLock);
+	}
+	if (lgdb_p->hashTable) {
+	    PL_HashTableDestroy(lgdb_p->hashTable);
+	}
+	PORT_Free(lgdb_p);
+    }
+    PORT_Free(sdb);
+    return CKR_OK;
+}
+
+static PLHashNumber
+lg_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+PRIntn
+lg_CompareValues(const void *v1, const void *v2)
+{
+    PLHashNumber value1 = (PLHashNumber) v1;
+    PLHashNumber value2 = (PLHashNumber) v2;
+    return (value1 == value2);
+}
+
+
+/*
+ * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle
+ * with and sdb structure.
+ */
+CK_RV 
+lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr,
+	 NSSLOWKEYDBHandle *keydbPtr)
+{
+    SDB *sdb = NULL;
+    LGPrivate *lgdb_p = NULL;
+    CK_RV error = CKR_HOST_MEMORY;
+
+    *pSdb = NULL;
+    sdb = (SDB *) PORT_Alloc(sizeof(SDB));
+    if (sdb == NULL) {
+	goto loser;
+    }
+    lgdb_p = (LGPrivate *) PORT_Alloc(sizeof(LGPrivate));
+    if (lgdb_p == NULL) {
+	goto loser;
+    }
+    /* invariant fields */
+    lgdb_p->certDB = certdbPtr;
+    lgdb_p->keyDB = keydbPtr;
+    lgdb_p->dbLock = PR_NewLock();
+    if (lgdb_p->dbLock == NULL) {
+	goto loser;
+    }
+    lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, lg_CompareValues,
+			SECITEM_HashCompare, NULL, 0);
+    if (lgdb_p->hashTable == NULL) {
+	goto loser;
+    }
+
+    sdb->sdb_type = SDB_LEGACY;
+    sdb->sdb_flags = flags;
+    sdb->private = lgdb_p;
+    sdb->sdb_FindObjectsInit = lg_FindObjectsInit;
+    sdb->sdb_FindObjects = lg_FindObjects;
+    sdb->sdb_FindObjectsFinal = lg_FindObjectsFinal;
+    sdb->sdb_GetAttributeValue = lg_GetAttributeValue;
+    sdb->sdb_SetAttributeValue = lg_SetAttributeValue;
+    sdb->sdb_CreateObject = lg_CreateObject;
+    sdb->sdb_DestroyObject = lg_DestroyObject;
+    sdb->sdb_GetMetaData = lg_GetMetaData;
+    sdb->sdb_PutMetaData = lg_PutMetaData;
+    sdb->sdb_Begin = lg_Begin;
+    sdb->sdb_Commit = lg_Commit;
+    sdb->sdb_Abort = lg_Abort;
+    sdb->sdb_Reset = lg_Reset;
+    sdb->sdb_Close = lg_Close;
+
+
+    *pSdb = sdb;
+    return CKR_OK;
+
+loser:
+    if (sdb) {
+	PORT_Free(sdb);
+    }
+    if (lgdb_p) {
+	if (lgdb_p->dbLock) {
+	    PR_DestroyLock(lgdb_p->dbLock);
+	}
+	if (lgdb_p->hashTable) {
+	    PL_HashTableDestroy(lgdb_p->hashTable);
+	}
+	PORT_Free(lgdb_p);
+    }
+    return error;
+
+}
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the 
+ *			Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the 
+ *			PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * 			be opened.
+ */
+CK_RV
+legacy_Open(const char *configdir, const char *certPrefix, 
+	    const char *keyPrefix, int certVersion, int keyVersion,
+	    int flags, SDB **certDB, SDB **keyDB)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE;
+
+    rv = SECOID_Init();
+    if (SECSuccess != rv) {
+        return CKR_DEVICE_ERROR;
+    }
+    nsslowcert_InitLocks();
+
+    if (keyDB) *keyDB = NULL;
+    if (certDB) *certDB = NULL;
+
+    if (certDB) {
+	NSSLOWCERTCertDBHandle *certdbPtr;
+
+	crv = lg_OpenCertDB(configdir, certPrefix, readOnly, &certdbPtr);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+	crv = lg_init(certDB, flags, certdbPtr, NULL);
+	if (crv != CKR_OK) {
+	    nsslowcert_ClosePermCertDB(certdbPtr);
+	    goto loser;
+	}
+    }
+    if (keyDB) {
+	NSSLOWKEYDBHandle *keydbPtr;
+
+	crv = lg_OpenKeyDB(configdir, keyPrefix, readOnly, &keydbPtr);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+	crv = lg_init(keyDB, flags, NULL, keydbPtr);
+	if (crv != CKR_OK) {
+	    nsslowkey_CloseKeyDB(keydbPtr);
+	    goto loser;
+	}
+	if (certDB && *certDB) {
+	    LGPrivate *lgdb_p = (LGPrivate *)(*certDB)->private;
+	    lgdb_p->keyDB = keydbPtr;
+	}
+    }
+
+loser:
+    if (crv != CKR_OK) {
+	if (keyDB && *keyDB) {
+	    lg_Close(*keyDB);
+	    *keyDB = NULL;
+	}
+	if (certDB && *certDB) {
+	    lg_Close(*certDB);
+	    *certDB = NULL;
+	}
+    }
+    return crv;
+}
+
+CK_RV
+legacy_Shutdown(void)
+{
+    nsslowcert_DestroyFreeLists();
+    nsslowcert_DestroyGlobalLocks();
+    SECOID_Shutdown();
+    return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgutil.c b/security/nss/lib/softoken/legacydb/lgutil.c
new file mode 100644
index 000000000..f474b5fea
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgutil.c
@@ -0,0 +1,424 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lgdb.h"
+#include "secerr.h"
+#include "lgglue.h"
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when 
+ * it is no longer needed.
+ */
+const CK_ATTRIBUTE *
+lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+		 CK_ULONG count )
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (templ[i].type == type) {
+	    return &templ[i];
+	}
+    }
+    return NULL;
+}
+
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+lg_hasAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+		 CK_ULONG count )
+{
+   if (lg_FindAttribute(type, templ, count) == NULL) {
+	return PR_FALSE;
+   }
+   return PR_TRUE;
+}
+
+/* 
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+lg_Attribute2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item)
+{
+    int len;
+    const CK_ATTRIBUTE *attribute;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    len = attribute->ulValueLen;
+
+    if (arena) {
+    	item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
+    } else {
+    	item->data = (unsigned char *) PORT_Alloc(len);
+    }
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    item->len = len;
+    PORT_Memcpy(item->data, attribute->pValue, len);
+    return CKR_OK;
+}
+
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_Attribute2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item)
+{
+    const CK_ATTRIBUTE *attribute;
+    item->data = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    (void)SECITEM_AllocItem(arena, item, attribute->ulValueLen);
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    PORT_Memcpy(item->data, attribute->pValue, item->len);
+    return CKR_OK;
+}
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_PrivAttr2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw)
+{
+    const CK_ATTRIBUTE *attribute;
+    SECItem epki, *dest = NULL;
+    SECStatus rv;
+
+    item->data = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    epki.data = attribute->pValue;
+    epki.len = attribute->ulValueLen;
+
+    rv = lg_util_decrypt(sdbpw, &epki, &dest);
+    if (rv != SECSuccess) {
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+    (void)SECITEM_AllocItem(arena, item, dest->len);
+    if (item->data == NULL) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+    
+    PORT_Memcpy(item->data, dest->data, item->len);
+    SECITEM_FreeItem(dest, PR_TRUE);
+    return CKR_OK;
+}
+
+CK_RV
+lg_PrivAttr2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw)
+{
+    return lg_PrivAttr2SSecItem(arena, type, templ, count, item, sdbpw);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+lg_isTrue(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *attribute;
+    PRBool tok = PR_FALSE;
+
+    attribute=lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) { return PR_FALSE; }
+    tok = (PRBool)(*(CK_BBOOL *)attribute->pValue);
+
+    return tok;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+lg_getString(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *attribute;
+    char *label = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return NULL;
+
+    if (attribute->pValue != NULL) {
+	label = (char *) PORT_Alloc(attribute->ulValueLen+1);
+	if (label == NULL) {
+	    return NULL;
+	}
+
+	PORT_Memcpy(label,attribute->pValue, attribute->ulValueLen);
+	label[attribute->ulValueLen] = 0;
+    }
+    return label;
+}
+
+CK_RV
+lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+				 CK_ULONG count, CK_ULONG *longData)
+{
+    const CK_ATTRIBUTE *attribute;
+    CK_ULONG value = 0;
+    const unsigned char *data;
+    int i;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    if (attribute->ulValueLen != 4) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    data = (const unsigned char *)attribute->pValue;
+    for (i=0; i < 4; i++) {
+	value |= (CK_ULONG)(data[i]) << ((3-i)*8);
+    }
+
+    *longData = value;
+    return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+SECStatus
+lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+    SECItem *item;
+    PRBool rem;
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+
+    item = (SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+    rem = PL_HashTableRemove(hashTable,(void *)handle) ;
+    if (rem && item) {
+	SECITEM_FreeItem(item,PR_TRUE);
+    }
+    return rem ? SECSuccess : SECFailure;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+static SECStatus
+lg_addTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle, SECItem *key)
+{
+    PLHashEntry *entry;
+    SECItem *item;
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+
+    item = SECITEM_DupItem(key);
+    if (item == NULL) {
+	return SECFailure;
+    }
+    entry = PL_HashTableAdd(hashTable,(void *)handle,item);
+    if (entry == NULL) {
+	SECITEM_FreeItem(item,PR_TRUE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+const SECItem *
+lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+    return (const SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+}
+
+
+static PRIntn
+lg_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
+{
+    SECItem *item = (SECItem *)entry->value;
+
+    SECITEM_FreeItem(item, PR_TRUE);
+    return HT_ENUMERATE_NEXT;
+}
+
+CK_RV
+lg_ClearTokenKeyHashTable(SDB *sdb)
+{
+    PLHashTable *hashTable;
+    lg_DBLock(sdb);
+    hashTable= lg_GetHashTable(sdb);
+    PL_HashTableEnumerateEntries(hashTable, lg_freeHashItem, NULL);
+    lg_DBUnlock(sdb);
+    return CKR_OK;
+}
+
+/*
+ * handle Token Object stuff
+ */
+static void
+lg_XORHash(unsigned char *key, unsigned char *dbkey, int len)
+{
+   int i;
+
+   PORT_Memset(key, 0, 4);
+
+   for (i=0; i < len-4; i += 4) {
+	key[0] ^= dbkey[i];
+	key[1] ^= dbkey[i+1];
+	key[2] ^= dbkey[i+2];
+	key[3] ^= dbkey[i+3];
+   }
+}
+
+/* Make a token handle for an object and record it so we can find it again */
+CK_OBJECT_HANDLE
+lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+    unsigned char hashBuf[4];
+    CK_OBJECT_HANDLE handle;
+    const SECItem *key;
+
+    handle = class;
+    /* there is only one KRL, use a fixed handle for it */
+    if (handle != LG_TOKEN_KRL_HANDLE) {
+	lg_XORHash(hashBuf,dbKey->data,dbKey->len);
+	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
+					(hashBuf[2] << 8)  | hashBuf[3];
+	handle =  class | (handle & ~(LG_TOKEN_TYPE_MASK|LG_TOKEN_MASK));
+	/* we have a CRL who's handle has randomly matched the reserved KRL
+	 * handle, increment it */
+	if (handle == LG_TOKEN_KRL_HANDLE) {
+	    handle++;
+	}
+    }
+
+    lg_DBLock(sdb);
+    while ((key = lg_lookupTokenKeyByHandle(sdb,handle)) != NULL) {
+	if (SECITEM_ItemsAreEqual(key,dbKey)) {
+    	   lg_DBUnlock(sdb);
+	   return handle;
+	}
+	handle++;
+    }
+    lg_addTokenKeyByHandle(sdb,handle,dbKey);
+    lg_DBUnlock(sdb);
+    return handle;
+}
+
+PRBool
+lg_poisonHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+    unsigned char hashBuf[4];
+    CK_OBJECT_HANDLE handle;
+    const SECItem *key;
+
+    handle = class;
+    /* there is only one KRL, use a fixed handle for it */
+    if (handle != LG_TOKEN_KRL_HANDLE) {
+	lg_XORHash(hashBuf,dbKey->data,dbKey->len);
+	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
+					(hashBuf[2] << 8)  | hashBuf[3];
+	handle = class | (handle & ~(LG_TOKEN_TYPE_MASK|LG_TOKEN_MASK));
+	/* we have a CRL who's handle has randomly matched the reserved KRL
+	 * handle, increment it */
+	if (handle == LG_TOKEN_KRL_HANDLE) {
+	    handle++;
+	}
+    }
+    lg_DBLock(sdb);
+    while ((key = lg_lookupTokenKeyByHandle(sdb,handle)) != NULL) {
+	if (SECITEM_ItemsAreEqual(key,dbKey)) {
+	   key->data[0] ^= 0x80;
+    	   lg_DBUnlock(sdb);
+	   return PR_TRUE;
+	}
+	handle++;
+    }
+    lg_DBUnlock(sdb);
+    return PR_FALSE;
+}
+
+static LGEncryptFunc lg_encrypt_stub = NULL;
+static LGDecryptFunc lg_decrypt_stub = NULL;
+
+void
+legacy_SetCryptFunctions(LGEncryptFunc enc, LGDecryptFunc dec)
+{
+   lg_encrypt_stub = enc;
+   lg_decrypt_stub = dec;
+}
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdb, 
+			  SECItem *plainText, SECItem **cipherText)
+{
+    if (lg_encrypt_stub == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*lg_encrypt_stub)(arena, sdb, plainText, cipherText);
+}
+
+SECStatus lg_util_decrypt(SDB *sdb, SECItem *cipherText, SECItem **plainText)
+{
+    if (lg_decrypt_stub == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*lg_decrypt_stub)(sdb, cipherText, plainText);
+}
+
+
diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c
new file mode 100644
index 000000000..143999045
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -0,0 +1,827 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Certificate handling code
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secder.h"
+#include "nssilock.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "pcert.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(NSSLOWCERTSubjectPublicKeyInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING,
+          offsetof(NSSLOWCERTSubjectPublicKeyInfo,subjectPublicKey), },
+    { 0, }
+};
+
+static const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.modulus), },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.publicExponent), },
+    { 0, }
+};
+static const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dsa.publicValue), },
+    { 0, }
+};
+static const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dh.publicValue), },
+    { 0, }
+};
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.rsa.modulus.type = siUnsignedInteger;
+    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dsa.publicValue.type = siUnsignedInteger;
+    pubk->u.dsa.params.prime.type = siUnsignedInteger;
+    pubk->u.dsa.params.subPrime.type = siUnsignedInteger;
+    pubk->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dh.prime.type = siUnsignedInteger;
+    pubk->u.dh.base.type = siUnsignedInteger;
+    pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+/*
+ * simple cert decoder to avoid the cost of asn1 engine
+ */ 
+static unsigned char *
+nsslowcert_dataStart(unsigned char *buf, unsigned int length, 
+			unsigned int *data_length, PRBool includeTag,
+                        unsigned char* rettag) {
+    unsigned char tag;
+    unsigned int used_length= 0;
+
+    tag = buf[used_length++];
+
+    if (rettag) {
+        *rettag = tag;
+    }
+
+    /* blow out when we come to the end */
+    if (tag == 0) {
+	return NULL;
+    }
+
+    *data_length = buf[used_length++];
+
+    if (*data_length&0x80) {
+	int  len_count = *data_length & 0x7f;
+
+	*data_length = 0;
+
+	while (len_count-- > 0) {
+	    *data_length = (*data_length << 8) | buf[used_length++];
+	} 
+    }
+
+    if (*data_length > (length-used_length) ) {
+	*data_length = length-used_length;
+	return NULL;
+    }
+    if (includeTag) *data_length += used_length;
+
+    return (buf + (includeTag ? 0 : used_length));	
+}
+
+static void SetTimeType(SECItem* item, unsigned char tagtype)
+{
+    switch (tagtype) {
+        case SEC_ASN1_UTC_TIME:
+            item->type = siUTCTime;
+            break;
+
+        case SEC_ASN1_GENERALIZED_TIME:
+            item->type = siGeneralizedTime;
+            break;
+
+        default:
+            PORT_Assert(0);
+            break;
+    }
+}
+
+static int
+nsslowcert_GetValidityFields(unsigned char *buf,int buf_length,
+	SECItem *notBefore, SECItem *notAfter)
+{
+    unsigned char tagtype;
+    notBefore->data = nsslowcert_dataStart(buf,buf_length,
+						&notBefore->len,PR_FALSE, &tagtype);
+    if (notBefore->data == NULL) return SECFailure;
+    SetTimeType(notBefore, tagtype);
+    buf_length -= (notBefore->data-buf) + notBefore->len;
+    buf = notBefore->data + notBefore->len;
+    notAfter->data = nsslowcert_dataStart(buf,buf_length,
+						&notAfter->len,PR_FALSE, &tagtype);
+    if (notAfter->data == NULL) return SECFailure;
+    SetTimeType(notAfter, tagtype);
+    return SECSuccess;
+}
+
+static int
+nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
+	SECItem *issuer, SECItem *serial, SECItem *derSN, SECItem *subject,
+	SECItem *valid, SECItem *subjkey, SECItem *extensions)
+{
+    unsigned char *buf;
+    unsigned int buf_length;
+    unsigned char *dummy;
+    unsigned int dummylen;
+
+    /* get past the signature wrap */
+    buf = nsslowcert_dataStart(cert,cert_length,&buf_length,PR_FALSE, NULL);
+    if (buf == NULL) return SECFailure;
+    /* get into the raw cert data */
+    buf = nsslowcert_dataStart(buf,buf_length,&buf_length,PR_FALSE, NULL);
+    if (buf == NULL) return SECFailure;
+    /* skip past any optional version number */
+    if ((buf[0] & 0xa0) == 0xa0) {
+	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
+	if (dummy == NULL) return SECFailure;
+	buf_length -= (dummy-buf) + dummylen;
+	buf = dummy + dummylen;
+    }
+    /* serial number */
+    if (derSN) {
+	derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL);
+    }
+    serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL);
+    if (serial->data == NULL) return SECFailure;
+    buf_length -= (serial->data-buf) + serial->len;
+    buf = serial->data + serial->len;
+    /* skip the OID */
+    dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
+    if (dummy == NULL) return SECFailure;
+    buf_length -= (dummy-buf) + dummylen;
+    buf = dummy + dummylen;
+    /* issuer */
+    issuer->data = nsslowcert_dataStart(buf,buf_length,&issuer->len,PR_TRUE, NULL);
+    if (issuer->data == NULL) return SECFailure;
+    buf_length -= (issuer->data-buf) + issuer->len;
+    buf = issuer->data + issuer->len;
+
+    /* only wanted issuer/SN */
+    if (valid == NULL) {
+	return SECSuccess;
+    }
+    /* validity */
+    valid->data = nsslowcert_dataStart(buf,buf_length,&valid->len,PR_FALSE, NULL);
+    if (valid->data == NULL) return SECFailure;
+    buf_length -= (valid->data-buf) + valid->len;
+    buf = valid->data + valid->len;
+    /*subject */
+    subject->data=nsslowcert_dataStart(buf,buf_length,&subject->len,PR_TRUE, NULL);
+    if (subject->data == NULL) return SECFailure;
+    buf_length -= (subject->data-buf) + subject->len;
+    buf = subject->data + subject->len;
+    /* subject  key info */
+    subjkey->data=nsslowcert_dataStart(buf,buf_length,&subjkey->len,PR_TRUE, NULL);
+    if (subjkey->data == NULL) return SECFailure;
+    buf_length -= (subjkey->data-buf) + subjkey->len;
+    buf = subjkey->data + subjkey->len;
+
+    extensions->data = NULL;
+    extensions->len = 0;
+    while (buf_length > 0) {
+	/* EXTENSIONS */
+	if (buf[0] == 0xa3) {
+	    extensions->data = nsslowcert_dataStart(buf,buf_length, 
+					&extensions->len, PR_FALSE, NULL);
+	    break;
+	}
+	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL);
+	if (dummy == NULL) return SECFailure;
+	buf_length -= (dummy - buf) + dummylen;
+	buf = dummy + dummylen;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    NSSLOWCERTValidity validity;
+
+    rv = nsslowcert_GetValidityFields(c->validity.data,c->validity.len,
+				&validity.notBefore,&validity.notAfter);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    
+    /* convert DER not-before time */
+    rv = DER_DecodeTimeChoice(notBefore, &validity.notBefore);
+    if (rv) {
+        return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_DecodeTimeChoice(notAfter, &validity.notAfter);
+    if (rv) {
+        return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+#define SOFT_DEFAULT_CHUNKSIZE 2048
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, 
+			      SECItem *issuer, SECItem *sn, SECItem *key)
+{
+    unsigned int len = sn->len + issuer->len;
+
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto loser;
+    }
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    key->len = len;
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space,
+	int spaceLen, SECItem *issuer, SECItem *sn, SECItem *key)
+{
+    unsigned int len = sn->len + issuer->len;
+
+    key->data = pkcs11_allocStaticData(len, space, spaceLen);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    key->len = len;
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+static char *
+nsslowcert_EmailName(SECItem *derDN, char *space, unsigned int len)
+{
+    unsigned char *buf;
+    unsigned int buf_length;
+
+    /* unwrap outer sequence */
+    buf=nsslowcert_dataStart(derDN->data,derDN->len,&buf_length,PR_FALSE,NULL);
+    if (buf == NULL) return NULL;
+
+    /* Walk each RDN */
+    while (buf_length > 0) {
+	unsigned char *rdn;
+	unsigned int rdn_length;
+
+	/* grab next rdn */
+	rdn=nsslowcert_dataStart(buf, buf_length, &rdn_length, PR_FALSE, NULL);
+	if (rdn == NULL) { return NULL; }
+	buf_length -= (rdn - buf) + rdn_length;
+	buf = rdn+rdn_length;
+
+	while (rdn_length > 0) {
+	    unsigned char *ava;
+	    unsigned int ava_length;
+	    unsigned char *oid;
+	    unsigned int oid_length;
+	    unsigned char *name;
+	    unsigned int name_length;
+	    SECItem oidItem;
+	    SECOidTag type;
+
+	    /* unwrap the ava */
+	    ava=nsslowcert_dataStart(rdn, rdn_length, &ava_length, PR_FALSE, 
+					NULL);
+	    if (ava == NULL) return NULL;
+	    rdn_length -= (ava-rdn)+ava_length;
+	    rdn = ava + ava_length;
+
+	    oid=nsslowcert_dataStart(ava, ava_length, &oid_length, PR_FALSE, 
+					NULL);
+	    if (oid == NULL) { return NULL; }
+	    ava_length -= (oid-ava)+oid_length;
+	    ava = oid+oid_length;
+
+	    name=nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE, 
+					NULL);
+	    if (oid == NULL) { return NULL; }
+	    ava_length -= (name-ava)+name_length;
+	    ava = name+name_length;
+
+	    oidItem.data = oid;
+	    oidItem.len = oid_length;
+	    type = SECOID_FindOIDTag(&oidItem);
+	    if ((type == SEC_OID_PKCS9_EMAIL_ADDRESS) || 
+					(type == SEC_OID_RFC1274_MAIL)) {
+		/* Email is supposed to be IA5String, so no 
+		 * translation necessary */
+		char *emailAddr;
+		emailAddr = (char *)pkcs11_copyStaticData(name,name_length+1,
+					(unsigned char *)space,len);
+		if (emailAddr) {
+		    emailAddr[name_length] = 0;
+		}
+		return emailAddr;
+	    }
+	}
+    }
+    return NULL;
+}
+
+static char *
+nsslowcert_EmailAltName(NSSLOWCERTCertificate *cert, char *space, 
+			unsigned int len)
+{
+    unsigned char *exts;
+    unsigned int exts_length;
+
+    /* unwrap the sequence */
+    exts = nsslowcert_dataStart(cert->extensions.data, cert->extensions.len,
+				 &exts_length, PR_FALSE, NULL);
+    /* loop through extension */
+    while (exts && exts_length > 0) {
+	unsigned char * ext;
+	unsigned int ext_length;
+	unsigned char *oid;	
+	unsigned int oid_length;
+	unsigned char *nameList;
+	unsigned int nameList_length;
+	SECItem oidItem;
+	SECOidTag type;
+
+	ext = nsslowcert_dataStart(exts, exts_length, &ext_length, 
+					PR_FALSE, NULL);
+	if (ext == NULL) { break; }
+	exts_length -= (ext - exts) + ext_length;
+	exts = ext+ext_length;
+
+	oid=nsslowcert_dataStart(ext, ext_length, &oid_length, PR_FALSE, NULL);
+	if (oid == NULL) { break; }
+	ext_length -= (oid - ext) + oid_length;
+	ext = oid+oid_length;
+	oidItem.data = oid;
+	oidItem.len = oid_length;
+	type = SECOID_FindOIDTag(&oidItem);
+
+	/* get Alt Extension */
+	if (type != SEC_OID_X509_SUBJECT_ALT_NAME) {
+		continue;
+	}
+
+	/* skip passed the critical flag */
+	if (ext[0] == 0x01) { /* BOOLEAN */
+	    unsigned char *dummy;
+	    unsigned int dummy_length;
+	    dummy = nsslowcert_dataStart(ext, ext_length, &dummy_length, 
+					PR_FALSE, NULL);
+	    if (dummy == NULL) { break; } 
+	    ext_length -= (dummy - ext) + dummy_length;
+	    ext = dummy+dummy_length;
+	}
+
+	   
+	/* unwrap the name list */ 
+	nameList = nsslowcert_dataStart(ext, ext_length, &nameList_length, 
+					PR_FALSE, NULL);
+	if (nameList == NULL) { break; }
+	ext_length -= (nameList - ext) + nameList_length;
+	ext = nameList+nameList_length;
+	nameList = nsslowcert_dataStart(nameList, nameList_length,
+					&nameList_length, PR_FALSE, NULL);
+	/* loop through the name list */
+	while (nameList && nameList_length > 0) {
+	    unsigned char *thisName;
+	    unsigned int thisName_length;
+
+	    thisName = nsslowcert_dataStart(nameList, nameList_length,
+					&thisName_length, PR_FALSE, NULL);
+	    if (thisName == NULL) { break; }
+	    if (nameList[0] == 0xa2) { /* DNS Name */
+		SECItem dn;
+	        char *emailAddr;
+
+		dn.data = thisName;
+		dn.len = thisName_length;
+		emailAddr = nsslowcert_EmailName(&dn, space, len);
+		if (emailAddr) {
+		    return emailAddr;
+		}
+	    }
+	    if (nameList[0] == 0x81) { /* RFC 822name */
+		char *emailAddr;
+		emailAddr = (char *)pkcs11_copyStaticData(thisName,
+			thisName_length+1, (unsigned char *)space,len);
+		if (emailAddr) {
+		    emailAddr[thisName_length] = 0;
+		}
+		return emailAddr;
+	    }
+	    nameList_length -= (thisName-nameList) + thisName_length;
+	    nameList = thisName + thisName_length;
+	}
+	break;
+    }
+    return NULL;
+}
+
+static char *
+nsslowcert_GetCertificateEmailAddress(NSSLOWCERTCertificate *cert)
+{
+    char *emailAddr = NULL;
+    char *str;
+
+    emailAddr = nsslowcert_EmailName(&cert->derSubject,cert->emailAddrSpace,
+					sizeof(cert->emailAddrSpace));
+    /* couldn't find the email address in the DN, check the subject Alt name */
+    if (!emailAddr && cert->extensions.data) {
+	emailAddr = nsslowcert_EmailAltName(cert, cert->emailAddrSpace,
+					sizeof(cert->emailAddrSpace));
+    }
+
+
+    /* make it lower case */
+    str = emailAddr;
+    while ( str && *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    return emailAddr;
+
+}
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname)
+{
+    NSSLOWCERTCertificate *cert;
+    int rv;
+
+    /* allocate the certificate structure */
+    cert = nsslowcert_CreateCert();
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+	/* point to passed in DER data */
+    cert->derCert = *derSignedCert;
+    cert->nickname = NULL;
+    cert->certKey.data = NULL;
+    cert->referenceCount = 1;
+
+    /* decode the certificate info */
+    rv = nsslowcert_GetCertFields(cert->derCert.data, cert->derCert.len,
+	&cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject,
+	&cert->validity, &cert->derSubjKeyInfo, &cert->extensions);
+
+    /* cert->subjectKeyID;	 x509v3 subject key identifier */
+    cert->subjectKeyID.data = NULL;
+    cert->subjectKeyID.len = 0;
+    cert->dbEntry = NULL;
+    cert ->trust = NULL;
+    cert ->dbhandle = NULL;
+
+    /* generate and save the database key for the cert */
+    rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace,
+		sizeof(cert->certKeySpace), &cert->derIssuer, 
+		&cert->serialNumber, &cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	cert->nickname = pkcs11_copyNickname(nickname,cert->nicknameSpace,
+				sizeof(cert->nicknameSpace));
+    }
+
+#ifdef FIXME
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+#endif
+
+    /* set the email address */
+    cert->emailAddr = nsslowcert_GetCertificateEmailAddress(cert);
+    
+    
+    cert->referenceCount = 1;
+    
+    return(cert);
+    
+loser:
+    if (cert) {
+	nsslowcert_DestroyCertificate(cert);
+    }
+    
+    return(0);
+}
+
+char *
+nsslowcert_FixupEmailAddr(char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    NSSLOWCERTCertKey certkey;
+
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));    
+
+    rv = nsslowcert_GetCertFields(derCert->data, derCert->len,
+	&certkey.derIssuer, &certkey.serialNumber, NULL, NULL, 
+	NULL, NULL, NULL);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
+
+NSSLOWKEYPublicKey *
+nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
+{
+    NSSLOWCERTSubjectPublicKeyInfo spki;
+    NSSLOWKEYPublicKey *pubk;
+    SECItem os;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag tag;
+    SECItem newDerSubjKeyInfo;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+        return NULL;
+
+    pubk = (NSSLOWKEYPublicKey *) 
+		PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey));
+    if (pubk == NULL) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return NULL;
+    }
+
+    pubk->arena = arena;
+    PORT_Memset(&spki,0,sizeof(spki));
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newDerSubjKeyInfo, &cert->derSubjKeyInfo);
+    if ( rv != SECSuccess ) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return NULL;
+    }
+
+    /* we haven't bothered decoding the spki struct yet, do it now */
+    rv = SEC_QuickDERDecodeItem(arena, &spki, 
+		nsslowcert_SubjectPublicKeyInfoTemplate, &newDerSubjKeyInfo);
+    if (rv != SECSuccess) {
+ 	PORT_FreeArena (arena, PR_FALSE);
+ 	return NULL;
+    }
+
+    /* Convert bit string length from bits to bytes */
+    os = spki.subjectPublicKey;
+    DER_ConvertBitString (&os);
+
+    tag = SECOID_GetAlgorithmTag(&spki.algorithm);
+    switch ( tag ) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        pubk->keyType = NSSLOWKEYRSAKey;
+        prepare_low_rsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk, 
+				nsslowcert_RSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess)
+            return pubk;
+        break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+        pubk->keyType = NSSLOWKEYDSAKey;
+        prepare_low_dsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk,
+				 nsslowcert_DSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+        pubk->keyType = NSSLOWKEYDHKey;
+        prepare_low_dh_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk,
+				 nsslowcert_DHPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+#ifdef NSS_ENABLE_ECC
+      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+        pubk->keyType = NSSLOWKEYECKey;
+	/* Since PKCS#11 directly takes the DER encoding of EC params
+	 * and public value, we don't need any decoding here.
+	 */
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding, 
+	    &spki.algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;	
+
+	/* Fill out the rest of the ecParams structure 
+	 * based on the encoded params
+	 */
+	if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
+	    &pubk->u.ec.ecParams) != SECSuccess) 
+	    break;
+
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
+	if (rv == SECSuccess) return pubk;
+        break;
+#endif /* NSS_ENABLE_ECC */
+      default:
+        rv = SECFailure;
+        break;
+    }
+
+    nsslowkey_DestroyPublicKey (pubk);
+    return NULL;
+}
+
diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c
new file mode 100644
index 000000000..5ee64d1f2
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkey.c
@@ -0,0 +1,468 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lowkeyi.h" 
+#include "secoid.h" 
+#include "secitem.h"
+#include "secder.h" 
+#include "secasn1.h"
+#include "secerr.h" 
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+static const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSLOWKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue), 
+	SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+	nsslowkey_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+    { 0 }                                                                     
+};                                                                            
+
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
+    { 0, }
+};
+
+#ifdef NSS_ENABLE_ECC
+
+/* XXX This is just a placeholder for later when we support
+ * generic curves and need full-blown support for parsing EC
+ * parameters. For now, we only support named curves in which
+ * EC params are simply encoded as an object ID and we don't
+ * use nsslowkey_ECParamsTemplate.
+ */
+const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
+    { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
+    { 0, }
+};
+
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
+    { SEC_ASN1_OCTET_STRING, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.privateValue) },
+    /* XXX The following template works for now since we only
+     * support named curves for which the parameters are
+     * encoded as an object ID. When we support generic curves,
+     * we'll need to define nsslowkey_ECParamsTemplate
+     */
+#if 1
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams.curveOID), 
+      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }, 
+#else
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
+      nsslowkey_ECParamsTemplate }, 
+#endif
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
+      SEC_ASN1_SUB(SEC_BitStringTemplate) }, 
+    { 0, }
+};
+
+
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus
+LGEC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params)
+{
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+
+#if EC_DEBUG
+    int i;
+
+    printf("Encoded params in EC_DecodeParams: ");
+    for (i = 0; i < encodedParams->len; i++) {
+	    printf("%02x:", encodedParams->data[i]);
+    }
+    printf("\n");
+#endif
+
+    oid.len = encodedParams->len - 2;
+    oid.data = encodedParams->data + 2;
+    if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
+	((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { 
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    }
+
+    params->arena = arena;
+
+    /* For named curves, fill out curveOID */
+    params->curveOID.len = oid.len;
+    params->curveOID.data = (unsigned char *) PORT_ArenaAlloc(arena, oid.len);
+    if (params->curveOID.data == NULL)  {
+	return SECFailure;
+    }
+    memcpy(params->curveOID.data, oid.data, oid.len);
+
+    return SECSuccess;
+}
+
+/* Copy all of the fields from srcParams into dstParams
+ */
+SECStatus
+LGEC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams)
+{
+    SECStatus rv = SECFailure;
+
+    dstParams->arena = arena;
+    rv = SECITEM_CopyItem(arena, &dstParams->DEREncoding,
+				 &srcParams->DEREncoding);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv =SECITEM_CopyItem(arena, &dstParams->curveOID,
+				&srcParams->curveOID);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+#endif /* NSS_ENABLE_ECC */
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.publicValue.type = siUnsignedInteger;
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+    key->u.dh.publicValue.type = siUnsignedInteger;
+    key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+#ifdef NSS_ENABLE_ECC
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+    params->DEREncoding.type = siUnsignedInteger;
+    params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.ec.version.type = siUnsignedInteger;
+    key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+    key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+    key->u.ec.privateValue.type = siUnsignedInteger;
+    key->u.ec.publicValue.type = siUnsignedInteger;
+}
+#endif /* NSS_ENABLE_ECC */
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+    if (privk && privk->arena) {
+	PORT_FreeArena(privk->arena, PR_TRUE);
+    }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+    if (pubk && pubk->arena) {
+	PORT_FreeArena(pubk->arena, PR_FALSE);
+    }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case NSSLOWKEYRSAKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+
+    unsigned char b0;
+
+    switch (privk->keyType) {
+    case NSSLOWKEYRSAKey:
+	b0 = privk->u.rsa.modulus.data[0];
+	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+    NSSLOWKEYPublicKey *pubk;
+    PLArenaPool *arena;
+
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    switch(privk->keyType) {
+      case NSSLOWKEYRSAKey:
+      case NSSLOWKEYNullKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						sizeof (NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+				  &privk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
+				       &privk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return pubk;
+	    }
+	} else {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	}
+	break;
+      case NSSLOWKEYDSAKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+				  &privk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+				  &privk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+				  &privk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+				  &privk->u.dsa.params.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+      case NSSLOWKEYDHKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+				  &privk->u.dh.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+				  &privk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+				  &privk->u.dh.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+				  &privk->u.ec.publicValue);
+	    if (rv != SECSuccess) break;
+	    pubk->u.ec.ecParams.arena = arena;
+	    /* Copy the rest of the params */
+	    rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
+			       &(privk->u.ec.ecParams));
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#endif /* NSS_ENABLE_ECC */
+	/* No Fortezza in Low Key implementations (Fortezza keys aren't
+	 * stored in our data base */
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h
new file mode 100644
index 000000000..45359d4ef
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkeyi.h
@@ -0,0 +1,198 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "pcertt.h"
+#include "lowkeyti.h"
+#include "sdb.h" 
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifdef NSS_ENABLE_ECC
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_ENABLE_ECC */
+
+typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
+    
+/*
+** Open a key database.
+*/
+extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
+					   const char *domain,
+					   const char *prefix,
+					   NSSLOWKEYDBNameFunc namecb,
+					   void *cbarg);
+
+/*
+** Close the specified key database.
+*/
+extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle);
+
+/*
+ * Get the version number of the database
+ */
+extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle);
+
+/*
+** Delete a key from the database
+*/
+extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, 
+				  const SECItem *pubkey);
+
+/*
+** Store a key in the database, indexed by its public key modulus.
+**	"pk" is the private key to store
+**	"f" is a the callback function for getting the password
+**	"arg" is the argument for the callback
+*/
+extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
+					    NSSLOWKEYPrivateKey *pk,
+					    SECItem *pubKeyData,
+					    char *nickname,
+					    SDB *sdb);
+
+/* does the key for this cert exist in the database filed by modulus */
+extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle,
+					 NSSLOWCERTCertificate *cert);
+/* does a key with this ID already exist? */
+extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id);
+
+/*
+** Destroy a private key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey 
+		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
+                           NSSLOWKEYPrivateKey *privkey,
+                           SECItem *pubKeyData,
+                           char *nickname,
+                           SDB *sdb);
+
+/* Store key by modulus and specify an encryption algorithm to use.
+ *   handle is the pointer to the key database,
+ *   privkey is the private key to be stored,
+ *   f and arg are the function and arguments to the callback
+ *       to get a password,
+ *   algorithm is the algorithm which the privKey is to be stored.
+ * A return of anything but SECSuccess indicates failure.
+ */
+extern SECStatus 
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
+			      NSSLOWKEYPrivateKey *privkey, 
+			      SECItem *pubKeyData,
+			      char *nickname,
+			      SDB *sdb,
+                              PRBool update); 
+
+/* Find key by modulus.  This function is the inverse of store key
+ * by modulus.  An attempt to locate the key with "modulus" is 
+ * performed.  If the key is found, the private key is returned,
+ * else NULL is returned.
+ *   modulus is the modulus to locate
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, 
+			  SDB *sdb);
+
+extern char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
+                                        SECItem *modulus, SDB *sdb);
+
+#ifdef NSS_ENABLE_ECC
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus LGEC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params);
+
+/* Copy all of the fields from srcParams into dstParams */
+SECStatus LGEC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams);
+#endif
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h
new file mode 100644
index 000000000..7fa74da72
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkeyti.h
@@ -0,0 +1,170 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+
+/*
+ * a key in/for the data base
+ */
+struct NSSLOWKEYDBKeyStr {
+    PLArenaPool *arena;
+    int version;
+    char *nickname;
+    SECItem salt;
+    SECItem derPK;
+};
+typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey;
+
+typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
+
+#ifdef NSS_USE_KEY4_DB
+#define NSSLOWKEY_DB_FILE_VERSION 4
+#else
+#define NSSLOWKEY_DB_FILE_VERSION 3
+#endif
+
+#define NSSLOWKEY_VERSION	    0	/* what we *create* */
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#ifdef NSS_ENABLE_ECC
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_ENABLE_ECC */
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+    SECItem attrType;
+    SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYEncryptedPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo;
+
+
+typedef enum { 
+    NSSLOWKEYNullKey = 0, 
+    NSSLOWKEYRSAKey = 1, 
+    NSSLOWKEYDSAKey = 2, 
+    NSSLOWKEYDHKey = 4,
+    NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType ;
+    union {
+        RSAPublicKey rsa;
+	DSAPublicKey dsa;
+	DHPublicKey  dh;
+	ECPublicKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType;
+    union {
+        RSAPrivateKey rsa;
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+	ECPrivateKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+
+typedef struct NSSLOWKEYPasswordEntryStr NSSLOWKEYPasswordEntry;
+struct NSSLOWKEYPasswordEntryStr {
+    SECItem salt;
+    SECItem value;
+    unsigned char data[128];
+};
+
+
+#endif	/* _LOWKEYTI_H_ */
diff --git a/security/nss/lib/softoken/legacydb/manifest.mn b/security/nss/lib/softoken/legacydb/manifest.mn
new file mode 100644
index 000000000..c3048646e
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/manifest.mn
@@ -0,0 +1,67 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+
+REQUIRES = dbm 
+
+LIBRARY_NAME = nssdbm
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/nssdbm.def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
+
+ifdef MOZILLA_CLIENT
+INCLUDES += -I$(DIST)/include/sqlite3
+endif
+
+CSRCS = \
+	dbmshim.c \
+	keydb.c \
+	lgattr.c \
+	lgcreate.c \
+	lgdestroy.c \
+	lgfind.c \
+	lginit.c \
+	lgutil.c \
+	lowcert.c \
+	lowkey.c \
+	pcertdb.c \
+	pk11db.c \
+	$(NULL)
+
diff --git a/security/nss/lib/softoken/legacydb/nssdbm.def b/security/nss/lib/softoken/legacydb/nssdbm.def
new file mode 100644
index 000000000..bf7f7a5a1
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/nssdbm.def
@@ -0,0 +1,64 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSSDBM_3.12 {       # NSS 3.12 release
+;+    global:
+LIBRARY nssdbm3 ;-
+EXPORTS ;-
+legacy_Open;
+legacy_Shutdown;
+legacy_ReadSecmodDB;
+legacy_ReleaseSecmodDBData;
+legacy_AddSecmodDB;
+legacy_DeleteSecmodDB;
+legacy_SetCryptFunctions;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/softoken/legacydb/nssdbm.rc b/security/nss/lib/softoken/legacydb/nssdbm.rc
new file mode 100644
index 000000000..d89126a37
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/nssdbm.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "../softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nssdbm"
+#define MY_FILEDESCRIPTION "Legacy Database Driver"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/softoken/legacydb/pcert.h b/security/nss/lib/softoken/legacydb/pcert.h
new file mode 100644
index 000000000..68956abd6
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcert.h
@@ -0,0 +1,261 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PCERTDB_H_
+#define _PCERTDB_H_
+
+#include "plarena.h"
+#include "prlong.h"
+#include "pcertt.h"
+
+#include "lowkeyti.h" 	/* for struct NSSLOWKEYPublicKeyStr */
+
+SEC_BEGIN_PROTOS
+
+/*
+ * initialize any global certificate locks
+ */
+SECStatus nsslowcert_InitLocks(void);
+
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, 
+			NSSLOWCERTCertificate *cert,
+				char *nickname, NSSLOWCERTCertTrust *trust);
+SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname);
+
+SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
+
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
+					 SECItem *crlKey, PRBool isKRL);
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle,const SECItem *derName,
+								PRBool isKRL);
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl ,
+				SECItem *derKey, char *url, PRBool isKRL);
+
+NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
+NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
+
+NSSLOWCERTCertificate *
+nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+                        char *nickname, PRBool isperm, PRBool copyDER);
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust);
+
+/*
+ * Lookup a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+ * Lookup trust for a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/* convert an email address to lower case */
+char *nsslowcert_FixupEmailAddr(char *emailAddr);
+
+/*
+** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
+**      "derSignedCert" is the DER encoded signed certificate
+**      "copyDER" is true if the DER should be copied, false if the
+**              existing copy should be referenced
+**      "nickname" is the nickname to use in the database.  If it is NULL
+**              then a temporary nickname is generated.
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, char *nickname);
+
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
+
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle,
+							 char *emailAddr);
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry);
+
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+		const char *domain, const char *prefix,
+                NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
+
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
+
+
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+		      certDBEntryType type,
+		      SECStatus (* callback)(SECItem *data, SECItem *key,
+					    certDBEntryType type, void *pdata),
+		      void *udata );
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+				 SECItem *derSubject,
+				 NSSLOWCERTCertCallback cb, void *cbarg);
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+							 SECItem *derSubject);
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+	 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
+							char *nickname);
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
+					 NSSLOWCERTCertTrust *trust);
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
+	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
+	  	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle);
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value);
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust);
+
+void
+nsslowcert_DestroyFreeLists(void);
+
+void
+nsslowcert_DestroyGlobalLocks(void);
+
+void
+pkcs11_freeNickname(char *nickname, char *space);
+
+char *
+pkcs11_copyNickname(char *nickname, char *space, int spaceLen);
+
+void
+pkcs11_freeStaticData(unsigned char *data, unsigned char *space);
+
+unsigned char *
+pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen);
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space,
+						int spaceLen);
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void);
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey, 
+                            certDBEntryType entryType, void *pdata);
+
+SEC_END_PROTOS
+
+ #endif /* _PCERTDB_H_ */
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
new file mode 100644
index 000000000..966164db1
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -0,0 +1,5366 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Permanent Certificate database handling code 
+ *
+ * $Id$
+ */
+#include "lowkeyti.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "pcert.h"
+#include "secitem.h"
+#include "secder.h"
+
+#include "secerr.h"
+#include "lgdb.h"
+
+/* forward declaration */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCertNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, 
+	char *emailAddr, SECItem *derSubject, SECItem *emailProfile, 
+							SECItem *profileTime);
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust);
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
+			SECItem *crlKey, char *url, PRBool isKRL);
+
+static NSSLOWCERTCertificate *certListHead = NULL;
+static NSSLOWCERTTrust *trustListHead = NULL;
+static certDBEntryCert *entryListHead = NULL;
+static int certListCount = 0;
+static int trustListCount = 0;
+static int entryListCount = 0;
+#define MAX_CERT_LIST_COUNT 10
+#define MAX_TRUST_LIST_COUNT 10
+#define MAX_ENTRY_LIST_COUNT 10
+
+/*
+ * the following functions are wrappers for the db library that implement
+ * a global lock to make the database thread safe.
+ */
+static PZLock *dbLock = NULL;
+static PZLock *certRefCountLock = NULL;
+static PZLock *certTrustLock = NULL;
+static PZLock *freeListLock = NULL;
+
+void
+certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
+{
+    if (dbLock == NULL) {
+	dbLock = PZ_NewLock(nssILockCertDB);
+	PORT_Assert(dbLock != NULL);
+    }
+}
+
+SECStatus
+nsslowcert_InitLocks(void)
+{
+    if (freeListLock == NULL) {
+	freeListLock = PZ_NewLock(nssILockRefLock);
+	if (freeListLock == NULL) {
+	    return SECFailure;
+	}
+    }
+    if (certRefCountLock == NULL) {
+	certRefCountLock = PZ_NewLock(nssILockRefLock);
+	if (certRefCountLock == NULL) {
+	    return SECFailure;
+	}
+    }
+    if (certTrustLock == NULL ) {
+	certTrustLock = PZ_NewLock(nssILockCertDB);
+	if (certTrustLock == NULL) {
+	    return SECFailure;
+	}
+    }
+    
+    return SECSuccess;
+}
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ *	adding or deleting a cert to either the temp or perm databases
+ *	converting a temp to perm or perm to temp
+ *	changing (maybe just adding!?) the trust of a cert
+ *      chaning the DB status checking Configuration
+ */
+static void
+nsslowcert_LockDB(NSSLOWCERTCertDBHandle *handle)
+{
+    PZ_EnterMonitor(handle->dbMon);
+    return;
+}
+
+/*
+ * Free the global cert database lock.
+ */
+static void
+nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
+{
+    PRStatus prstat;
+    
+    prstat = PZ_ExitMonitor(handle->dbMon);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+    
+    return;
+}
+
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    PORT_Assert(certRefCountLock != NULL);
+    
+    PZ_Lock(certRefCountLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certRefCountLock != NULL);
+    
+    prstat = PZ_Unlock(certRefCountLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertTrust(NSSLOWCERTCertificate *cert)
+{
+    PORT_Assert(certTrustLock != NULL);
+
+    PZ_Lock(certTrustLock);
+    return;
+}
+
+/*
+ * Free the cert trust lock
+ */
+static void
+nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certTrustLock != NULL);
+    
+    prstat = PZ_Unlock(certTrustLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockFreeList(void)
+{
+    PORT_Assert(freeListLock != NULL);
+    
+    PZ_Lock(freeListLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockFreeList(void)
+{
+    PRStatus prstat;
+
+    PORT_Assert(freeListLock != NULL);
+    
+    prstat = PZ_Unlock(freeListLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+    if (c) {
+	nsslowcert_LockCertRefCount(c);
+	++c->referenceCount;
+	nsslowcert_UnlockCertRefCount(c);
+    }
+    return c;
+}
+
+static int
+certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->get)(db, key, data, flags);
+
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret = 0;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->put)(db, key, data, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Sync(DB *db, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->sync)(db, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+#define DB_NOT_FOUND -30991  /* from DBM 3.2 */
+static int
+certdb_Del(DB *db, DBT *key, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->del)(db, key, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    /* don't fail if the record is already deleted */
+    if (ret == DB_NOT_FOUND) {
+	ret = 0;
+    }
+
+    return(ret);
+}
+
+static int
+certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+    
+    ret = (* db->seq)(db, key, data, flags);
+
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static void
+certdb_Close(DB *db)
+{
+    PRStatus prstat;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    (* db->close)(db);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return;
+}
+
+void
+pkcs11_freeNickname(char *nickname, char *space)
+{
+    if (nickname && nickname != space) {
+	PORT_Free(nickname);
+    }
+}
+
+char *
+pkcs11_copyNickname(char *nickname,char *space, int spaceLen)
+{
+    int len;
+    char *copy = NULL;
+
+    len = PORT_Strlen(nickname)+1;
+    if (len <= spaceLen) {
+	copy = space;
+	PORT_Memcpy(copy,nickname,len);
+    } else {
+	copy = PORT_Strdup(nickname);
+    }
+
+    return copy;
+}
+
+void
+pkcs11_freeStaticData (unsigned char *data, unsigned char *space)
+{
+    if (data && data != space) {
+	PORT_Free(data);
+    }
+}
+
+unsigned char *
+pkcs11_allocStaticData(int len, unsigned char *space, int spaceLen)
+{
+    unsigned char *data = NULL;
+
+    if (len <= spaceLen) {
+	data = space;
+    } else {
+	data = (unsigned char *) PORT_Alloc(len);
+    }
+
+    return data;
+}
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int len, 
+					unsigned char *space, int spaceLen)
+{
+    unsigned char *copy = pkcs11_allocStaticData(len, space, spaceLen);
+    if (copy) {
+	PORT_Memcpy(copy,data,len);
+    }
+
+    return copy;
+}
+
+/*
+ * destroy a database entry
+ */
+static void
+DestroyDBEntry(certDBEntry *entry)
+{
+    PRArenaPool *arena = entry->common.arena;
+
+    /* must be one of our certDBEntry from the free list */
+    if (arena == NULL) {
+	certDBEntryCert *certEntry;
+	if ( entry->common.type != certDBEntryTypeCert) {
+	    return;
+	}
+	certEntry = (certDBEntryCert *)entry;
+
+	pkcs11_freeStaticData(certEntry->derCert.data, certEntry->derCertSpace);
+	pkcs11_freeNickname(certEntry->nickname, certEntry->nicknameSpace);
+
+	nsslowcert_LockFreeList();
+	if (entryListCount > MAX_ENTRY_LIST_COUNT) {
+	    PORT_Free(certEntry);
+	} else {
+	    entryListCount++;
+	    PORT_Memset(certEntry, 0, sizeof( *certEntry));
+	    certEntry->next = entryListHead;
+	    entryListHead = certEntry;
+	}
+	nsslowcert_UnlockFreeList();
+	return;
+    }
+
+
+    /* Zero out the entry struct, so that any further attempts to use it
+     * will cause an exception (e.g. null pointer reference). */
+    PORT_Memset(&entry->common, 0, sizeof entry->common);
+    PORT_FreeArena(arena, PR_FALSE);
+
+    return;
+}
+
+/* forward references */
+static void nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert);
+
+static SECStatus
+DeleteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
+{
+    DBT key;
+    int ret;
+
+    /* init the database key */
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)type;
+
+    /* delete entry from database */
+    ret = certdb_Del(handle->permCertDB, &key, 0 );
+    if ( ret != 0 ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+ReadDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+	    SECItem *dbkey, SECItem *dbentry, PRArenaPool *arena)
+{
+    DBT data, key;
+    int ret;
+    unsigned char *buf;
+    
+    /* init the database key */
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)entry->type;
+
+    /* read entry from database */
+    ret = certdb_Get(handle->permCertDB, &key, &data, 0 );
+    if ( ret != 0 ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* validate the entry */
+    if ( data.size < SEC_DB_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    buf = (unsigned char *)data.data;
+    /* version 7 has the same schema, we may be using a v7 db if we openned
+     * the databases readonly. */
+    if (!((buf[0] == (unsigned char)CERT_DB_FILE_VERSION) 
+		|| (buf[0] == (unsigned char) CERT_DB_V7_FILE_VERSION))) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    if ( buf[1] != (unsigned char)entry->type ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    /* copy out header information */
+    entry->version = (unsigned int)buf[0];
+    entry->type = (certDBEntryType)buf[1];
+    entry->flags = (unsigned int)buf[2];
+    
+    /* format body of entry for return to caller */
+    dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+    if ( dbentry->len ) {
+	if (arena) {
+	    dbentry->data = (unsigned char *)
+				PORT_ArenaAlloc(arena, dbentry->len);
+	    if ( dbentry->data == NULL ) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+    
+	    PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
+		  dbentry->len);
+	} else {
+	    dbentry->data = &buf[SEC_DB_ENTRY_HEADER_LEN];
+	}
+    } else {
+	dbentry->data = NULL;
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/**
+ ** Implement low level database access
+ **/
+static SECStatus
+WriteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+	     SECItem *dbkey, SECItem *dbentry)
+{
+    int ret;
+    DBT data, key;
+    unsigned char *buf;
+    
+    data.data = dbentry->data;
+    data.size = dbentry->len;
+    
+    buf = (unsigned char*)data.data;
+    
+    buf[0] = (unsigned char)entry->version;
+    buf[1] = (unsigned char)entry->type;
+    buf[2] = (unsigned char)entry->flags;
+    
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)entry->type;
+
+    /* put the record into the database now */
+    ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+
+    if ( ret != 0 ) {
+	goto loser;
+    }
+
+    ret = certdb_Sync( handle->permCertDB, 0 );
+    
+    if ( ret ) {
+	goto loser;
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem)
+{
+    unsigned int nnlen;
+    unsigned char *buf;
+    char *nn;
+    char zbuf = 0;
+    
+    if ( entry->nickname ) {
+	nn = entry->nickname;
+    } else {
+	nn = &zbuf;
+    }
+    nnlen = PORT_Strlen(nn) + 1;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
+	SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
+    buf[1] = entry->trust.sslFlags & 0xff;
+    buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
+    buf[3] = entry->trust.emailFlags & 0xff;
+    buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
+    buf[5] = entry->trust.objectSigningFlags & 0xff;
+    buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
+    buf[7] = entry->derCert.len & 0xff;
+    buf[8] = ( nnlen >> 8 ) & 0xff;
+    buf[9] = nnlen & 0xff;
+    
+    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
+	      entry->derCert.len);
+
+    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
+	      nn, nnlen);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * encode a database key for a cert record
+ */
+static SECStatus
+EncodeDBCertKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
+{
+    unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    if (arena) {
+	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+    } else {
+	if (dbkey->len < len) {
+	    dbkey->data = (unsigned char *)PORT_Alloc(len);
+	}
+    }
+    dbkey->len = len;
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+	      certKey->data, certKey->len);
+    dbkey->data[0] = certDBEntryTypeCert;
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+EncodeDBGenericKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey, 
+				certDBEntryType entryType)
+{
+    /*
+     * we only allow _one_ KRL key!
+     */
+    if (entryType == certDBEntryTypeKeyRevocation) {
+	dbkey->len = SEC_DB_KEY_HEADER_LEN;
+ 	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+	if ( dbkey->data == NULL ) {
+	    goto loser;
+	}
+        dbkey->data[0] = (unsigned char) entryType;
+        return(SECSuccess);
+    }
+    
+
+    dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+	      certKey->data, certKey->len);
+    dbkey->data[0] = (unsigned char) entryType;
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
+{
+    unsigned int nnlen;
+    unsigned int headerlen;
+    int lenoff;
+
+    /* allow updates of old versions of the database */
+    switch ( entry->common.version ) {
+      case 5:
+	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+      case 6:
+	/* should not get here */
+	PORT_Assert(0);
+	headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+      case 7:
+      case 8:
+	headerlen = DB_CERT_ENTRY_HEADER_LEN;
+	lenoff = 6;
+	break;
+      default:
+	/* better not get here */
+	PORT_Assert(0);
+	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+    }
+    
+    /* is record long enough for header? */
+    if ( dbentry->len < headerlen ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->derCert.len = ( ( dbentry->data[lenoff] << 8 ) |
+			  dbentry->data[lenoff+1] );
+    nnlen = ( ( dbentry->data[lenoff+2] << 8 ) | dbentry->data[lenoff+3] );
+    if ( ( entry->derCert.len + nnlen + headerlen )
+	!= dbentry->len) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the dercert */
+
+    entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
+	entry->derCert.len,entry->derCertSpace,sizeof(entry->derCertSpace));
+    if ( entry->derCert.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* copy the nickname */
+    if ( nnlen > 1 ) {
+	entry->nickname = (char *)pkcs11_copyStaticData(
+			&dbentry->data[headerlen+entry->derCert.len], nnlen,
+			(unsigned char *)entry->nicknameSpace, 
+			sizeof(entry->nicknameSpace));
+	if ( entry->nickname == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    } else {
+	entry->nickname = NULL;
+    }
+    
+    if ( entry->common.version < 7 ) {
+	/* allow updates of v5 db */
+	entry->trust.sslFlags = dbentry->data[0];
+	entry->trust.emailFlags = dbentry->data[1];
+	entry->trust.objectSigningFlags = dbentry->data[2];
+    } else {
+	entry->trust.sslFlags = ( dbentry->data[0] << 8 ) | dbentry->data[1];
+	entry->trust.emailFlags = ( dbentry->data[2] << 8 ) | dbentry->data[3];
+	entry->trust.objectSigningFlags =
+	    ( dbentry->data[4] << 8 ) | dbentry->data[5];
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+
+/*
+ * Create a new certDBEntryCert from existing data
+ */
+static certDBEntryCert *
+NewDBCertEntry(SECItem *derCert, char *nickname,
+	       NSSLOWCERTCertTrust *trust, int flags)
+{
+    certDBEntryCert *entry;
+    PRArenaPool *arena = NULL;
+    int nnlen;
+    
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	goto loser;
+    }
+	
+    entry = PORT_ArenaZNew(arena, certDBEntryCert);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    /* fill in the dbCert */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeCert;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+    
+    if ( trust ) {
+	entry->trust = *trust;
+    }
+
+    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
+    if ( !entry->derCert.data ) {
+	goto loser;
+    }
+    entry->derCert.len = derCert->len;
+    PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
+    
+    nnlen = ( nickname ? strlen(nickname) + 1 : 0 );
+    
+    if ( nnlen ) {
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( !entry->nickname ) {
+	    goto loser;
+	}
+	PORT_Memcpy(entry->nickname, nickname, nnlen);
+	
+    } else {
+	entry->nickname = 0;
+    }
+
+    return(entry);
+
+loser:
+    
+    /* allocation error, free arena and return */
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+/*
+ * Decode a version 4 DBCert from the byte stream database format
+ * and construct a current database entry struct
+ */
+static certDBEntryCert *
+DecodeV4DBCertEntry(unsigned char *buf, int len)
+{
+    certDBEntryCert *entry;
+    int certlen;
+    int nnlen;
+    PRArenaPool *arena;
+    
+    /* make sure length is at least long enough for the header */
+    if ( len < DBCERT_V4_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(0);
+    }
+
+    /* get other lengths */
+    certlen = buf[3] << 8 | buf[4];
+    nnlen = buf[5] << 8 | buf[6];
+    
+    /* make sure DB entry is the right size */
+    if ( ( certlen + nnlen + DBCERT_V4_HEADER_LEN ) != len ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(0);
+    }
+
+    /* allocate arena */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(0);
+    }
+	
+    /* allocate structure and members */
+    entry = (certDBEntryCert *)  PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+
+    if ( !entry ) {
+	goto loser;
+    }
+
+    entry->common.arena = arena;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.type = certDBEntryTypeCert;
+    entry->common.flags = 0;
+    entry->trust.sslFlags = buf[0];
+    entry->trust.emailFlags = buf[1];
+    entry->trust.objectSigningFlags = buf[2];
+
+    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
+    if ( !entry->derCert.data ) {
+	goto loser;
+    }
+    entry->derCert.len = certlen;
+    PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
+
+    if ( nnlen ) {
+        entry->nickname = (char *) PORT_ArenaAlloc(arena, nnlen);
+        if ( !entry->nickname ) {
+            goto loser;
+        }
+        PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
+        
+        if (PORT_Strcmp(entry->nickname, "Server-Cert") == 0) {
+            entry->trust.sslFlags |= CERTDB_USER;
+        }
+    } else {
+        entry->nickname = 0;
+    }
+
+    return(entry);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+/*
+ * Encode a Certificate database entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBCertEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECItem tmpitem;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* get the database key and format it */
+    rv = nsslowcert_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+
+/*
+ * delete a certificate entry
+ */
+static SECStatus
+DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+    SECItem dbkey;
+    SECStatus rv;
+
+    dbkey.data= NULL;
+    dbkey.len = 0;
+
+    rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    if (dbkey.data) {
+	PORT_Free(dbkey.data);
+    }
+    return(SECSuccess);
+
+loser:
+    if (dbkey.data) {
+	PORT_Free(dbkey.data);
+    }
+    return(SECFailure);
+}
+
+static certDBEntryCert *
+CreateCertEntry(void)
+{
+    certDBEntryCert *entry;
+
+    nsslowcert_LockFreeList();
+    entry = entryListHead;
+    if (entry) {
+	entryListCount--;
+	entryListHead = entry->next;
+    }
+    PORT_Assert(entryListCount >= 0);
+    nsslowcert_UnlockFreeList();
+    if (entry) {
+	return entry;
+    }
+
+    return PORT_ZNew(certDBEntryCert);
+}
+
+static void
+DestroyCertEntryFreeList(void)
+{
+    certDBEntryCert *entry;
+
+    nsslowcert_LockFreeList();
+    while (NULL != (entry = entryListHead)) {
+	entryListCount--;
+	entryListHead = entry->next;
+	PORT_Free(entry);
+    }
+    PORT_Assert(!entryListCount);
+    entryListCount = 0;
+    nsslowcert_UnlockFreeList();
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryCert *
+ReadDBCertEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+    certDBEntryCert *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    unsigned char buf[512];
+
+    dbkey.data = buf;
+    dbkey.len = sizeof(buf);
+
+    entry = CreateCertEntry();
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = NULL;
+    entry->common.type = certDBEntryTypeCert;
+
+    rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBCertEntry(entry, &dbentry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    pkcs11_freeStaticData(dbkey.data,buf);    
+    dbkey.data = NULL;
+    return(entry);
+    
+loser:
+    pkcs11_freeStaticData(dbkey.data,buf);    
+    dbkey.data = NULL;
+    if ( entry ) {
+        DestroyDBEntry((certDBEntry *)entry);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbitem)
+{
+    unsigned int nnlen = 0;
+    unsigned char *buf;
+  
+    if (entry->url) {  
+	nnlen = PORT_Strlen(entry->url) + 1;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->derCrl.len + nnlen 
+		+ SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
+    buf[1] = entry->derCrl.len & 0xff;
+    buf[2] = ( nnlen >> 8 ) & 0xff;
+    buf[3] = nnlen & 0xff;
+    
+    PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
+	      entry->derCrl.len);
+
+    if (nnlen != 0) {
+	PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+	      entry->url, nnlen);
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
+{
+    unsigned int nnlen;
+    
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_CRL_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN )
+	!= dbentry->len) {
+      /* CRL entry is greater than 64 K. Hack to make this continue to work */
+      if (dbentry->len >= (0xffff - DB_CRL_ENTRY_HEADER_LEN) - nnlen) {
+          entry->derCrl.len = 
+                      (dbentry->len - DB_CRL_ENTRY_HEADER_LEN) - nnlen;
+      } else {
+          PORT_SetError(SEC_ERROR_BAD_DATABASE);
+          goto loser;
+      }    
+    }
+    
+    /* copy the dercert */
+    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+							 entry->derCrl.len);
+    if ( entry->derCrl.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
+	      entry->derCrl.len);
+
+    /* copy the url */
+    entry->url = NULL;
+    if (nnlen != 0) {
+	entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
+	if ( entry->url == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->url,
+	      &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+	      nnlen);
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Create a new certDBEntryRevocation from existing data
+ */
+static certDBEntryRevocation *
+NewDBCrlEntry(SECItem *derCrl, char * url, certDBEntryType crlType, int flags)
+{
+    certDBEntryRevocation *entry;
+    PRArenaPool *arena = NULL;
+    int nnlen;
+    
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	goto loser;
+    }
+	
+    entry = PORT_ArenaZNew(arena, certDBEntryRevocation);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    /* fill in the dbRevolcation */
+    entry->common.arena = arena;
+    entry->common.type = crlType;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+    
+
+    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
+    if ( !entry->derCrl.data ) {
+	goto loser;
+    }
+
+    if (url) {
+	nnlen = PORT_Strlen(url) + 1;
+	entry->url  = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( !entry->url ) {
+	    goto loser;
+	}
+	PORT_Memcpy(entry->url, url, nnlen);
+    } else {
+	entry->url = NULL;
+    }
+
+	
+    entry->derCrl.len = derCrl->len;
+    PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
+
+    return(entry);
+
+loser:
+    
+    /* allocation error, free arena and return */
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+
+static SECStatus
+WriteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry,
+				SECItem *crlKey )
+{
+    SECItem dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECItem encodedEntry;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = EncodeDBGenericKey(crlKey, tmparena, &dbkey, entry->common.type);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+/*
+ * delete a crl entry
+ */
+static SECStatus
+DeleteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *crlKey, 
+						certDBEntryType crlType)
+{
+    SECItem dbkey;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, crlType, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryRevocation *
+ReadDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey,
+						certDBEntryType crlType)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryRevocation *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryRevocation *)
+			PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = crlType;
+
+    rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBCrlEntry(entry, &dbentry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry)
+{
+    DestroyDBEntry(entry);
+    return;
+}
+
+/*
+ * Encode a database nickname record
+ */
+static SECStatus
+EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
+		      SECItem *dbitem)
+{
+    unsigned char *buf;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
+	SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
+    buf[1] = entry->subjectName.len & 0xff;
+    
+    PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
+	      entry->subjectName.len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a nickname record
+ */
+static SECStatus
+EncodeDBNicknameKey(char *nickname, PRArenaPool *arena,
+		    SECItem *dbkey)
+{
+    unsigned int nnlen;
+    
+    nnlen = PORT_Strlen(nickname) + 1; /* includes null */
+
+    /* now get the database key and format it */
+    dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
+    dbkey->data[0] = certDBEntryTypeNickname;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
+                      char *nickname)
+{
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    if (( entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN ) !=
+	dbentry->len ){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the certkey */
+    entry->subjectName.data =
+	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					 entry->subjectName.len);
+    if ( entry->subjectName.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->subjectName.data,
+	      &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN],
+	      entry->subjectName.len);
+    entry->subjectName.type = siBuffer;
+    
+    entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, 
+                                              PORT_Strlen(nickname)+1);
+    if ( entry->nickname ) {
+	PORT_Strcpy(entry->nickname, nickname);
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new nickname entry
+ */
+static certDBEntryNickname *
+NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntryNickname *entry;
+    int nnlen;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+						 sizeof(certDBEntryNickname));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeNickname;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the nickname */
+    nnlen = PORT_Strlen(nickname) + 1;
+    
+    entry->nickname = (char*)PORT_ArenaAlloc(arena, nnlen);
+    if ( entry->nickname == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(entry->nickname, nickname, nnlen);
+    
+    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a nickname entry
+ */
+static SECStatus
+DeleteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    SECItem dbkey;
+    
+    if ( nickname == NULL ) {
+	return(SECSuccess);
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a nickname entry
+ */
+static certDBEntryNickname *
+ReadDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryNickname *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+						 sizeof(certDBEntryNickname));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeNickname;
+
+    rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    rv = DecodeDBNicknameEntry(entry, &dbentry, nickname);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a nickname entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryNickname *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+static SECStatus
+EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena,
+		   SECItem *dbitem)
+{
+    unsigned char *buf;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->subjectName.len + entry->smimeOptions.len +
+	entry->optionsDate.len +
+	DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
+    buf[1] = entry->subjectName.len & 0xff;
+    buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
+    buf[3] = entry->smimeOptions.len & 0xff;
+    buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
+    buf[5] = entry->optionsDate.len & 0xff;
+
+    /* if no smime options, then there should not be an options date either */
+    PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
+		    ( entry->optionsDate.len != 0 ) ) );
+    
+    PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
+	      entry->subjectName.len);
+    if ( entry->smimeOptions.len ) {
+	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN+entry->subjectName.len],
+		    entry->smimeOptions.data,
+		    entry->smimeOptions.len);
+	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len +
+			 entry->smimeOptions.len],
+		    entry->optionsDate.data,
+		    entry->optionsDate.len);
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a SMIME record
+ */
+static SECStatus
+EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena,
+		 SECItem *dbkey)
+{
+    unsigned int addrlen;
+    
+    addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
+
+    /* now get the database key and format it */
+    dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
+    dbkey->data[0] = certDBEntryTypeSMimeProfile;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Decode a database SMIME record
+ */
+static SECStatus
+DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
+{
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_SMIME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    entry->smimeOptions.len = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    entry->optionsDate.len = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    if (( entry->subjectName.len + entry->smimeOptions.len +
+	 entry->optionsDate.len + DB_SMIME_ENTRY_HEADER_LEN ) != dbentry->len){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the subject name */
+    entry->subjectName.data =
+	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					 entry->subjectName.len);
+    if ( entry->subjectName.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->subjectName.data,
+	      &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN],
+	      entry->subjectName.len);
+
+    /* copy the smime options */
+    if ( entry->smimeOptions.len ) {
+	entry->smimeOptions.data =
+	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					     entry->smimeOptions.len);
+	if ( entry->smimeOptions.data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->smimeOptions.data,
+		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+				   entry->subjectName.len],
+		    entry->smimeOptions.len);
+    }
+    if ( entry->optionsDate.len ) {
+	entry->optionsDate.data =
+	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					     entry->optionsDate.len);
+	if ( entry->optionsDate.data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->optionsDate.data,
+		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+				   entry->subjectName.len +
+				   entry->smimeOptions.len],
+		    entry->optionsDate.len);
+    }
+
+    /* both options and options date must either exist or not exist */
+    if ( ( ( entry->optionsDate.len == 0 ) ||
+	  ( entry->smimeOptions.len == 0 ) ) &&
+	entry->smimeOptions.len != entry->optionsDate.len ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena,
+						PORT_Strlen(emailAddr)+1);
+    if ( entry->emailAddr ) {
+	PORT_Strcpy(entry->emailAddr, emailAddr);
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new SMIME entry
+ */
+static certDBEntrySMime *
+NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions,
+		SECItem *optionsDate, unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntrySMime *entry;
+    int addrlen;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySMime));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSMimeProfile;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the email addr */
+    addrlen = PORT_Strlen(emailAddr) + 1;
+    
+    entry->emailAddr = (char*)PORT_ArenaAlloc(arena, addrlen);
+    if ( entry->emailAddr == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(entry->emailAddr, emailAddr, addrlen);
+    
+    /* copy the subject name */
+    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* copy the smime options */
+    if ( smimeOptions ) {
+	rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(optionsDate == NULL);
+	entry->smimeOptions.data = NULL;
+	entry->smimeOptions.len = 0;
+    }
+
+    /* copy the options date */
+    if ( optionsDate ) {
+	rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(smimeOptions == NULL);
+	entry->optionsDate.data = NULL;
+	entry->optionsDate.len = 0;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a SMIME entry
+ */
+static SECStatus
+DeleteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    SECItem dbkey;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a SMIME entry
+ */
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntrySMime *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySMime));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSMimeProfile;
+
+    rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry.len < DB_SMIME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a SMIME entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySMime *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+/*
+ * Encode a database subject record
+ */
+static SECStatus
+EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
+		     SECItem *dbitem)
+{
+    unsigned char *buf;
+    int len;
+    unsigned int ncerts;
+    unsigned int i;
+    unsigned char *tmpbuf;
+    unsigned int nnlen = 0;
+    unsigned int eaddrslen = 0;
+    int keyidoff;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+    
+    if ( entry->nickname ) {
+	nnlen = PORT_Strlen(entry->nickname) + 1;
+    }
+    if ( entry->emailAddrs ) {
+	eaddrslen = 2;
+	for (i=0; i < entry->nemailAddrs; i++) {
+	    eaddrslen += PORT_Strlen(entry->emailAddrs[i]) + 1 + 2;
+	}
+    }
+
+    ncerts = entry->ncerts;
+    
+    /* compute the length of the entry */
+    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen ;
+    len = keyidoff + 4 * ncerts + eaddrslen;
+    for ( i = 0; i < ncerts; i++ ) {
+	len += entry->certKeys[i].len;
+	len += entry->keyIDs[i].len;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( ncerts >> 8 ) & 0xff;
+    buf[1] = ncerts & 0xff;
+    buf[2] = ( nnlen >> 8 ) & 0xff;
+    buf[3] = nnlen & 0xff;
+    /* v7 email field is NULL in v8 */
+    buf[4] = 0;
+    buf[5] = 0;
+
+    PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
+    
+    for ( i = 0; i < ncerts; i++ ) {
+
+	certKeys = entry->certKeys;
+	keyIDs = entry->keyIDs;
+
+	buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
+	buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
+	buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
+	buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
+    }
+    
+    /* temp pointer used to stuff certkeys and keyids into the buffer */
+    tmpbuf = &buf[keyidoff+ncerts*4];
+
+    for ( i = 0; i < ncerts; i++ ) {
+	certKeys = entry->certKeys;
+	PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
+	tmpbuf = tmpbuf + certKeys[i].len;
+    }
+    
+    for ( i = 0; i < ncerts; i++ ) {
+	keyIDs = entry->keyIDs;
+	PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
+	tmpbuf = tmpbuf + keyIDs[i].len;
+    }
+
+    if (entry->emailAddrs) {
+	tmpbuf[0] =  (entry->nemailAddrs >> 8) & 0xff;
+	tmpbuf[1] =  entry->nemailAddrs  & 0xff;
+	tmpbuf += 2;
+	for (i=0; i < entry->nemailAddrs; i++) {
+	    int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1;
+	    tmpbuf[0] =  (nameLen >> 8) & 0xff;
+	    tmpbuf[1] =  nameLen & 0xff;
+	    tmpbuf += 2;
+	    PORT_Memcpy(tmpbuf,entry->emailAddrs[i],nameLen);
+	    tmpbuf +=nameLen;
+	}
+    }
+
+    PORT_Assert(tmpbuf == &buf[len]);
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a subject record
+ */
+static SECStatus
+EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
+		   SECItem *dbkey)
+{
+    dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
+	      derSubject->len);
+    dbkey->data[0] = certDBEntryTypeSubject;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
+		     const SECItem *derSubject)
+{
+    unsigned int ncerts;
+    PRArenaPool *arena;
+    unsigned int len, itemlen;
+    unsigned char *tmpbuf;
+    unsigned char *end;
+    unsigned int i;
+    SECStatus rv;
+    unsigned int keyidoff;
+    unsigned int nnlen, eaddrlen;
+    unsigned int stdlen;
+    
+    arena = entry->common.arena;
+
+    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    stdlen = ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+    if ( dbentry->len < stdlen) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
+						 sizeof(SECItem) * ncerts);
+    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
+					       sizeof(SECItem) * ncerts);
+
+    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    if ( nnlen > 1 ) { /* null terminator is stored */
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( entry->nickname == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->nickname,
+		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN],
+		    nnlen);
+    } else {
+	entry->nickname = NULL;
+    }
+
+    /* if we have an old style email entry, there is only one */    
+    entry->nemailAddrs = 0;
+    if ( eaddrlen > 1 ) { /* null terminator is stored */
+	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
+	if ( entry->emailAddrs == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	entry->emailAddrs[0] = (char *)PORT_ArenaAlloc(arena, eaddrlen);
+	if ( entry->emailAddrs[0] == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->emailAddrs[0],
+		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen],
+		    eaddrlen);
+	 entry->nemailAddrs = 1;
+    } else {
+	entry->emailAddrs = NULL;
+    }
+    
+    /* collect the lengths of the certKeys and keyIDs, and total the
+     * overall length.
+     */
+    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+    len = keyidoff + 4 * ncerts;
+
+    tmpbuf = &dbentry->data[0];
+    
+    for ( i = 0; i < ncerts; i++ ) {
+
+	itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
+	len += itemlen;
+	entry->certKeys[i].len = itemlen;
+
+	itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
+	    tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
+	len += itemlen;
+	entry->keyIDs[i].len = itemlen;
+    }
+    
+    /* is database entry correct length? */
+    if ( len > dbentry->len ){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
+    for ( i = 0; i < ncerts; i++ ) {
+	entry->certKeys[i].data =
+	    (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
+	if ( entry->certKeys[i].data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
+	tmpbuf = &tmpbuf[entry->certKeys[i].len];
+    }
+
+    for ( i = 0; i < ncerts; i++ ) {
+	entry->keyIDs[i].data =
+	    (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
+	if ( entry->keyIDs[i].data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
+	tmpbuf = &tmpbuf[entry->keyIDs[i].len];
+    }
+
+    end = &dbentry->data[dbentry->len];
+    if ((eaddrlen == 0) && (tmpbuf+1 < end)) {
+	/* read in the additional email addresses */
+	entry->nemailAddrs = tmpbuf[0] << 8 | tmpbuf[1];
+	tmpbuf += 2;
+	entry->emailAddrs = (char **)
+		PORT_ArenaAlloc(arena, entry->nemailAddrs * sizeof(char *));
+	if (entry->emailAddrs == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	for (i=0; i < entry->nemailAddrs; i++) {
+	    int nameLen;
+	    if (tmpbuf + 2 > end) {
+		goto loser;
+	    }
+
+	    nameLen = tmpbuf[0] << 8 | tmpbuf[1];
+	    entry->emailAddrs[i] = PORT_ArenaAlloc(arena,nameLen);
+	    if (entry->emailAddrs == NULL) {
+	        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	        goto loser;
+	    }
+	    if (tmpbuf + (nameLen+2) > end) {
+		goto loser;
+	    }
+	    PORT_Memcpy(entry->emailAddrs[i],&tmpbuf[2],nameLen);
+	    tmpbuf += 2 + nameLen;
+	}
+    }
+    
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new subject entry with a single cert
+ */
+static certDBEntrySubject *
+NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
+		  SECItem *keyID, char *nickname, char *emailAddr,
+		  unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntrySubject *entry;
+    SECStatus rv;
+    unsigned int nnlen;
+    unsigned int eaddrlen;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+						  sizeof(certDBEntrySubject));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSubject;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the subject */
+    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    entry->ncerts = 1;
+    entry->nemailAddrs = 0;
+    /* copy nickname */
+    if ( nickname && ( *nickname != '\0' ) ) {
+	nnlen = PORT_Strlen(nickname) + 1;
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( entry->nickname == NULL ) {
+	    goto loser;
+	}
+						  
+	PORT_Memcpy(entry->nickname, nickname, nnlen);
+    } else {
+	entry->nickname = NULL;
+    }
+    
+    /* copy email addr */
+    if ( emailAddr && ( *emailAddr != '\0' ) ) {
+	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+	if ( emailAddr == NULL ) {
+	    entry->emailAddrs = NULL;
+	    goto loser;
+	}
+	
+	eaddrlen = PORT_Strlen(emailAddr) + 1;
+	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
+	if ( entry->emailAddrs == NULL ) {
+	    PORT_Free(emailAddr);
+	    goto loser;
+	}
+	entry->emailAddrs[0] = PORT_ArenaStrdup(arena,emailAddr);
+	if (entry->emailAddrs[0]) {
+	    entry->nemailAddrs = 1;
+	} 
+	
+	PORT_Free(emailAddr);
+    } else {
+	entry->emailAddrs = NULL;
+    }
+    
+    /* allocate space for certKeys and keyIDs */
+    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
+	goto loser;
+    }
+
+    /* copy the certKey and keyID */
+    rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a subject entry
+ */
+static SECStatus
+DeleteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+    SECItem dbkey;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectKey(derSubject, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read the subject entry
+ */
+static certDBEntrySubject *
+ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntrySubject *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySubject));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSubject;
+
+    rv = EncodeDBSubjectKey(derSubject, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a subject name entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySubject *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+typedef enum { nsslowcert_remove, nsslowcert_add } nsslowcertUpdateType;
+
+static SECStatus
+nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle, 
+	SECItem *derSubject, char *emailAddr, nsslowcertUpdateType updateType)
+{
+    certDBEntrySubject *entry = NULL;
+    int index = -1, i;
+    SECStatus rv;
+   
+    if (emailAddr) { 
+	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+	if (emailAddr == NULL) {
+	    return SECFailure;
+	}
+    } else {
+	return SECSuccess;
+    }
+
+    entry = ReadDBSubjectEntry(dbhandle,derSubject);    
+    if (entry == NULL) {
+	rv = SECFailure;
+	goto done;
+    } 
+
+    for (i=0; i < (int)(entry->nemailAddrs); i++) {
+        if (PORT_Strcmp(entry->emailAddrs[i],emailAddr) == 0) {
+	    index = i;
+	}
+    }
+
+    if (updateType == nsslowcert_remove) {
+	if (index == -1) {
+	    rv = SECSuccess;
+	    goto done;
+	}
+	entry->nemailAddrs--;
+	for (i=index; i < (int)(entry->nemailAddrs); i++) {
+	   entry->emailAddrs[i] = entry->emailAddrs[i+1];
+	}
+    } else {
+	char **newAddrs = NULL;
+
+	if (index != -1) {
+	    rv = SECSuccess;
+	    goto done;
+	}
+	newAddrs = (char **)PORT_ArenaAlloc(entry->common.arena,
+		(entry->nemailAddrs+1)* sizeof(char *));
+	if (!newAddrs) {
+	    rv = SECFailure;
+	    goto done;
+	}
+	for (i=0; i < (int)(entry->nemailAddrs); i++) {
+	   newAddrs[i] = entry->emailAddrs[i];
+	}
+	newAddrs[entry->nemailAddrs] = 
+			PORT_ArenaStrdup(entry->common.arena,emailAddr);
+	if (!newAddrs[entry->nemailAddrs]) {
+	   rv = SECFailure;
+	   goto done;
+	}
+	entry->emailAddrs = newAddrs;
+	entry->nemailAddrs++;
+    }
+	
+    /* delete the subject entry */
+    DeleteDBSubjectEntry(dbhandle, derSubject);
+
+    /* write the new one */
+    rv = WriteDBSubjectEntry(dbhandle, entry);
+
+  done:
+    if (entry) DestroyDBEntry((certDBEntry *)entry);
+    if (emailAddr) PORT_Free(emailAddr);
+    return rv;
+}
+
+/*
+ * writes a nickname to an existing subject entry that does not currently
+ * have one
+ */
+static SECStatus
+AddNicknameToSubject(NSSLOWCERTCertDBHandle *dbhandle,
+			NSSLOWCERTCertificate *cert, char *nickname)
+{
+    certDBEntrySubject *entry;
+    SECStatus rv;
+    
+    if ( nickname == NULL ) {
+	return(SECFailure);
+    }
+    
+    entry = ReadDBSubjectEntry(dbhandle,&cert->derSubject);
+    PORT_Assert(entry != NULL);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Assert(entry->nickname == NULL);
+    if ( entry->nickname != NULL ) {
+	goto loser;
+    }
+    
+    entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+    
+    if ( entry->nickname == NULL ) {
+	goto loser;
+    }
+	
+    /* delete the subject entry */
+    DeleteDBSubjectEntry(dbhandle, &cert->derSubject);
+
+    /* write the new one */
+    rv = WriteDBSubjectEntry(dbhandle, entry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new version entry
+ */
+static certDBEntryVersion *
+NewDBVersionEntry(unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntryVersion *entry;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
+					       sizeof(certDBEntryVersion));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeVersion;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Read the version entry
+ */
+static certDBEntryVersion *
+ReadDBVersionEntry(NSSLOWCERTCertDBHandle *handle)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryVersion *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = PORT_ArenaZNew(arena, certDBEntryVersion);
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeVersion;
+
+    /* now get the database key and format it */
+    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+    if ( dbkey.data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+	      SEC_DB_VERSION_KEY_LEN);
+
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+
+/*
+ * Encode a version entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBVersionEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryVersion *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
+    if ( dbitem.data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* now get the database key and format it */
+    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+    if ( dbkey.data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+	      SEC_DB_VERSION_KEY_LEN);
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+/*
+ * cert is no longer a perm cert, but will remain a temp cert
+ */
+static SECStatus
+RemovePermSubjectNode(NSSLOWCERTCertificate *cert)
+{
+    certDBEntrySubject *entry;
+    unsigned int i;
+    SECStatus rv;
+    
+    entry = ReadDBSubjectEntry(cert->dbhandle,&cert->derSubject);
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+
+    PORT_Assert(entry->ncerts);
+    rv = SECFailure;
+    
+    if ( entry->ncerts > 1 ) {
+	for ( i = 0; i < entry->ncerts; i++ ) {
+	    if ( SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) ==
+		SECEqual ) {
+		/* copy rest of list forward one entry */
+		for ( i = i + 1; i < entry->ncerts; i++ ) {
+		    entry->certKeys[i-1] = entry->certKeys[i];
+		    entry->keyIDs[i-1] = entry->keyIDs[i];
+		}
+		entry->ncerts--;
+		DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+		rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+		break;
+	    }
+	}
+    } else {
+	/* no entries left, delete the perm entry in the DB */
+	if ( entry->emailAddrs ) {
+	    /* if the subject had an email record, then delete it too */
+	    for (i=0; i < entry->nemailAddrs; i++) {
+		DeleteDBSMimeEntry(cert->dbhandle, entry->emailAddrs[i]);
+	    }
+	}
+	if ( entry->nickname ) {
+	    DeleteDBNicknameEntry(cert->dbhandle, entry->nickname);
+	}
+	
+	DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+    }
+    DestroyDBEntry((certDBEntry *)entry);
+
+    return(rv);
+}
+
+/*
+ * add a cert to the perm subject list
+ */
+static SECStatus
+AddPermSubjectNode(certDBEntrySubject *entry, NSSLOWCERTCertificate *cert, 
+								char *nickname)
+{
+    SECItem *newCertKeys, *newKeyIDs;
+    unsigned int i, new_i;
+    SECStatus rv;
+    unsigned int ncerts;
+
+    PORT_Assert(entry);    
+    ncerts = entry->ncerts;
+	
+    if ( nickname && entry->nickname ) {
+	/* nicknames must be the same */
+	PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 0);
+    }
+
+    if ( ( entry->nickname == NULL ) && ( nickname != NULL ) ) {
+	/* copy nickname into the entry */
+	entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+	if ( entry->nickname == NULL ) {
+	    return(SECFailure);
+	}
+    }
+	
+    /* a DB entry already exists, so add this cert */
+    newCertKeys = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1);
+    newKeyIDs   = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1);
+
+    if ( ( newCertKeys == NULL ) || ( newKeyIDs == NULL ) ) {
+	    return(SECFailure);
+    }
+
+    /* Step 1: copy certs older than "cert" into new entry. */
+    for ( i = 0, new_i=0; i < ncerts; i++ ) {
+	NSSLOWCERTCertificate *cmpcert;
+	PRBool isNewer;
+	cmpcert = nsslowcert_FindCertByKey(cert->dbhandle,
+						  &entry->certKeys[i]);
+	/* The entry has been corrupted, remove it from the list */
+	if (!cmpcert) {
+	    continue;
+	}
+
+	isNewer = nsslowcert_IsNewer(cert, cmpcert);
+	nsslowcert_DestroyCertificate(cmpcert);
+	if ( isNewer ) 
+	    break;
+	/* copy this cert entry */
+	newCertKeys[new_i] = entry->certKeys[i];
+	newKeyIDs[new_i]   = entry->keyIDs[i];
+	new_i++; 
+    }
+
+    /* Step 2: Add "cert" to the entry. */
+    rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[new_i],
+			      &cert->certKey);
+    if ( rv != SECSuccess ) {
+	return(SECFailure);
+    }
+    rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[new_i],
+			      &cert->subjectKeyID);
+    if ( rv != SECSuccess ) {
+	return(SECFailure);
+    }
+    new_i++;
+
+    /* Step 3: copy remaining certs (if any) from old entry to new. */
+    for ( ; i < ncerts; i++ ,new_i++) {
+	newCertKeys[new_i] = entry->certKeys[i];
+	newKeyIDs[new_i]   = entry->keyIDs[i];
+    }
+
+    /* update certKeys and keyIDs */
+    entry->certKeys = newCertKeys;
+    entry->keyIDs   = newKeyIDs;
+
+    /* set new count value */
+    entry->ncerts = new_i;
+
+    DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+    rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+    return(rv);
+}
+
+
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+				 SECItem *derSubject,
+				 NSSLOWCERTCertCallback cb, void *cbarg)
+{
+    certDBEntrySubject *entry;
+    unsigned int i;
+    NSSLOWCERTCertificate *cert;
+    SECStatus rv = SECSuccess;
+    
+    entry = ReadDBSubjectEntry(handle, derSubject);
+
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+    
+    for( i = 0; i < entry->ncerts; i++ ) {
+	cert = nsslowcert_FindCertByKey(handle, &entry->certKeys[i]);
+	if (!cert) {
+	    continue;
+	}
+	rv = (* cb)(cert, cbarg);
+	nsslowcert_DestroyCertificate(cert);
+	if ( rv == SECFailure ) {
+	    break;
+	}
+    }
+
+    DestroyDBEntry((certDBEntry *)entry);
+
+    return(rv);
+}
+
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+							 SECItem *derSubject)
+{
+    certDBEntrySubject *entry;
+    int ret;
+    
+    entry = ReadDBSubjectEntry(handle, derSubject);
+
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+
+    ret = entry->ncerts;
+    
+    DestroyDBEntry((certDBEntry *)entry);
+    
+    return(ret);
+}
+
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+		 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg)
+{
+    certDBEntryNickname *nnentry = NULL;
+    certDBEntrySMime *smentry = NULL;
+    SECStatus rv;
+    SECItem *derSubject = NULL;
+    
+    nnentry = ReadDBNicknameEntry(handle, nickname);
+    if ( nnentry ) {
+	derSubject = &nnentry->subjectName;
+    } else {
+	smentry = nsslowcert_ReadDBSMimeEntry(handle, nickname);
+	if ( smentry ) {
+	    derSubject = &smentry->subjectName;
+	}
+    }
+    
+    if ( derSubject ) {
+	rv = nsslowcert_TraversePermCertsForSubject(handle, derSubject,
+					      cb, cbarg);
+    } else {
+	rv = SECFailure;
+    }
+
+    if ( nnentry ) {
+	DestroyDBEntry((certDBEntry *)nnentry);
+    }
+    if ( smentry ) {
+	DestroyDBEntry((certDBEntry *)smentry);
+    }
+    
+    return(rv);
+}
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
+								char *nickname)
+{
+    certDBEntryNickname *entry;
+    int ret;
+    
+    entry = ReadDBNicknameEntry(handle, nickname);
+    
+    if ( entry ) {
+	ret = nsslowcert_NumPermCertsForSubject(handle, &entry->subjectName);
+	DestroyDBEntry((certDBEntry *)entry);
+    } else {
+	ret = 0;
+    }
+    return(ret);
+}
+
+/*
+ * add a nickname to a cert that doesn't have one
+ */
+static SECStatus
+AddNicknameToPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname)
+{
+    certDBEntryCert *entry;
+    int rv;
+
+    entry = cert->dbEntry;
+    PORT_Assert(entry != NULL);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+
+    pkcs11_freeNickname(entry->nickname,entry->nicknameSpace);
+    entry->nickname = NULL;
+    entry->nickname = pkcs11_copyNickname(nickname,entry->nicknameSpace,
+					sizeof(entry->nicknameSpace));
+
+    rv = WriteDBCertEntry(dbhandle, entry);
+    if ( rv ) {
+	goto loser;
+    }
+
+    pkcs11_freeNickname(cert->nickname,cert->nicknameSpace);
+    cert->nickname = NULL;
+    cert->nickname = pkcs11_copyNickname(nickname,cert->nicknameSpace,
+					sizeof(cert->nicknameSpace));
+
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+/*
+ * add a nickname to a cert that is already in the perm database, but doesn't
+ * have one yet (it is probably an e-mail cert).
+ */
+SECStatus
+nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname)
+{
+    SECStatus rv = SECFailure;
+    certDBEntrySubject *entry = NULL;
+    certDBEntryNickname *nicknameEntry = NULL;
+    
+    nsslowcert_LockDB(dbhandle);
+
+    entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
+    if (entry == NULL) goto loser;
+
+    if ( entry->nickname == NULL ) {
+
+	/* no nickname for subject */
+	rv = AddNicknameToSubject(dbhandle, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	rv = AddNicknameToPermCert(dbhandle, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
+	if ( nicknameEntry == NULL ) {
+	    goto loser;
+	}
+    
+	rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	/* subject already has a nickname */
+	rv = AddNicknameToPermCert(dbhandle, cert, entry->nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	/* make sure nickname entry exists. If the database was corrupted,
+	 * we may have lost the nickname entry. Add it back now  */
+	nicknameEntry = ReadDBNicknameEntry(dbhandle, entry->nickname);
+	if (nicknameEntry == NULL ) {
+	    nicknameEntry = NewDBNicknameEntry(entry->nickname, 
+							&cert->derSubject, 0);
+	    if ( nicknameEntry == NULL ) {
+		goto loser;
+	    }
+    
+	    rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (entry) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    if (nicknameEntry) {
+	DestroyDBEntry((certDBEntry *)nicknameEntry);
+    }
+    nsslowcert_UnlockDB(dbhandle);
+    return(rv);
+}
+
+static certDBEntryCert *
+AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
+		char *nickname, NSSLOWCERTCertTrust *trust)
+{
+    certDBEntryCert *certEntry = NULL;
+    certDBEntryNickname *nicknameEntry = NULL;
+    certDBEntrySubject *subjectEntry = NULL;
+    int state = 0;
+    SECStatus rv;
+    PRBool donnentry = PR_FALSE;
+
+    if ( nickname ) {
+	donnentry = PR_TRUE;
+    }
+
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+	
+    if ( subjectEntry && subjectEntry->nickname ) {
+	donnentry = PR_FALSE;
+	nickname = subjectEntry->nickname;
+    }
+    
+    certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0);
+    if ( certEntry == NULL ) {
+	goto loser;
+    }
+    
+    if ( donnentry ) {
+	nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
+	if ( nicknameEntry == NULL ) {
+	    goto loser;
+	}
+    }
+    
+    rv = WriteDBCertEntry(handle, certEntry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    state = 1;
+    
+    if ( nicknameEntry ) {
+	rv = WriteDBNicknameEntry(handle, nicknameEntry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    state = 2;
+
+    /* "Change" handles if necessary */
+    cert->dbhandle = handle;
+    
+    /* add to or create new subject entry */
+    if ( subjectEntry ) {
+	/* REWRITE BASED ON SUBJECT ENTRY */
+	rv = AddPermSubjectNode(subjectEntry, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	/* make a new subject entry - this case is only used when updating
+	 * an old version of the database.  This is OK because the oldnickname
+	 * db format didn't allow multiple certs with the same subject.
+	 */
+	/* where does subjectKeyID and certKey come from? */
+	subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
+					 &cert->subjectKeyID, nickname,
+					 NULL, 0);
+	if ( subjectEntry == NULL ) {
+	    goto loser;
+	}
+	rv = WriteDBSubjectEntry(handle, subjectEntry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    state = 3;
+    
+    if ( nicknameEntry ) {
+	DestroyDBEntry((certDBEntry *)nicknameEntry);
+    }
+    
+    if ( subjectEntry ) {
+	DestroyDBEntry((certDBEntry *)subjectEntry);
+    }
+
+    return(certEntry);
+
+loser:
+    /* don't leave partial entry in the database */
+    if ( state > 0 ) {
+	rv = DeleteDBCertEntry(handle, &cert->certKey);
+    }
+    if ( ( state > 1 ) && donnentry ) {
+	rv = DeleteDBNicknameEntry(handle, nickname);
+    }
+    if ( state > 2 ) {
+	rv = DeleteDBSubjectEntry(handle, &cert->derSubject);
+    }
+    if ( certEntry ) {
+	DestroyDBEntry((certDBEntry *)certEntry);
+    }
+    if ( nicknameEntry ) {
+	DestroyDBEntry((certDBEntry *)nicknameEntry);
+    }
+    if ( subjectEntry ) {
+	DestroyDBEntry((certDBEntry *)subjectEntry);
+    }
+
+    return(NULL);
+}
+
+/* forward declaration */
+static SECStatus
+UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb);
+
+/*
+ * version 8 uses the same schema as version 7. The only differences are
+ * 1) version 8 db uses the blob shim to store data entries > 32k.
+ * 2) version 8 db sets the db block size to 32k.
+ * both of these are dealt with by the handle.
+ */
+
+static SECStatus
+UpdateV8DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    return UpdateV7DB(handle,updatedb);
+}
+
+
+/*
+ * we could just blindly sequence through reading key data pairs and writing
+ * them back out, but some cert.db's have gotten quite large and may have some
+ * subtle corruption problems, so instead we cycle through the certs and
+ * CRL's and S/MIME profiles and rebuild our subject lists from those records.
+ */
+static SECStatus
+UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    DBT key, data;
+    int ret;
+    NSSLOWCERTCertificate *cert;
+    PRBool isKRL = PR_FALSE;
+    certDBEntryType entryType;
+    SECItem dbEntry, dbKey;
+    certDBEntryRevocation crlEntry;
+    certDBEntryCert certEntry;
+    certDBEntrySMime smimeEntry;
+    SECStatus rv;
+
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	unsigned char *dataBuf = (unsigned char *)data.data;
+	unsigned char *keyBuf = (unsigned char *)key.data;
+	dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
+	dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ 	entryType = (certDBEntryType) keyBuf[0];
+	dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
+	dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
+	if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
+	    continue;
+	}
+
+	switch (entryType) {
+	/* these entries will get regenerated as we read the 
+	 * rest of the data from the database */
+	case certDBEntryTypeVersion:
+	case certDBEntryTypeSubject:
+	case certDBEntryTypeContentVersion:
+	case certDBEntryTypeNickname:
+	/* smime profiles need entries created after the certs have
+         * been imported, loop over them in a second run */
+	case certDBEntryTypeSMimeProfile:
+	    break;
+
+	case certDBEntryTypeCert:
+	    /* decode Entry */
+    	    certEntry.common.version = (unsigned int)dataBuf[0];
+	    certEntry.common.type = entryType;
+	    certEntry.common.flags = (unsigned int)dataBuf[2];
+	    rv = DecodeDBCertEntry(&certEntry,&dbEntry);
+	    if (rv != SECSuccess) {
+		break;
+	    }
+	    /* should we check for existing duplicates? */
+	    cert = nsslowcert_DecodeDERCertificate(&certEntry.derCert, 
+						certEntry.nickname);
+	    if (cert) {
+		nsslowcert_UpdatePermCert(handle, cert, certEntry.nickname,
+					 		&certEntry.trust);
+		nsslowcert_DestroyCertificate(cert);
+	    }
+	    /* free any data the decode may have allocated. */
+	    pkcs11_freeStaticData(certEntry.derCert.data, 
+						certEntry.derCertSpace);
+	    pkcs11_freeNickname(certEntry.nickname, certEntry.nicknameSpace);
+	    break;
+
+	case certDBEntryTypeKeyRevocation:
+	    isKRL = PR_TRUE;
+	    /* fall through */
+	case certDBEntryTypeRevocation:
+    	    crlEntry.common.version = (unsigned int)dataBuf[0];
+	    crlEntry.common.type = entryType;
+	    crlEntry.common.flags = (unsigned int)dataBuf[2];
+	    crlEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	    if (crlEntry.common.arena == NULL) {
+		break;
+	    }
+	    rv = DecodeDBCrlEntry(&crlEntry,&dbEntry);
+	    if (rv != SECSuccess) {
+		break;
+	    }
+	    nsslowcert_UpdateCrl(handle, &crlEntry.derCrl, &dbKey, 
+						crlEntry.url, isKRL);
+	    /* free data allocated by the decode */
+	    PORT_FreeArena(crlEntry.common.arena, PR_FALSE);
+	    crlEntry.common.arena = NULL;
+	    break;
+
+	default:
+	    break;
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    /* now loop again updating just the SMimeProfile. */
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	unsigned char *dataBuf = (unsigned char *)data.data;
+	unsigned char *keyBuf = (unsigned char *)key.data;
+	dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
+	dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ 	entryType = (certDBEntryType) keyBuf[0];
+	if (entryType != certDBEntryTypeSMimeProfile) {
+	    continue;
+	}
+	dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
+	dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
+	if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
+	    continue;
+	}
+        smimeEntry.common.version = (unsigned int)dataBuf[0];
+	smimeEntry.common.type = entryType;
+	smimeEntry.common.flags = (unsigned int)dataBuf[2];
+	smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	/* decode entry */
+	rv = DecodeDBSMimeEntry(&smimeEntry,&dbEntry,(char *)dbKey.data);
+	if (rv == SECSuccess) {
+	    nsslowcert_UpdateSMimeProfile(handle, smimeEntry.emailAddr,
+		&smimeEntry.subjectName, &smimeEntry.smimeOptions,
+						 &smimeEntry.optionsDate);
+	}
+	PORT_FreeArena(smimeEntry.common.arena, PR_FALSE);
+	smimeEntry.common.arena = NULL;
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    (* updatedb->close)(updatedb);
+
+    /* a database update is a good time to go back and verify the integrity of
+     * the keys and certs */
+    handle->dbVerify = PR_TRUE; 
+    return(SECSuccess);
+}
+
+/*
+ * NOTE - Version 6 DB did not go out to the real world in a release,
+ * so we can remove this function in a later release.
+ */
+static SECStatus
+UpdateV6DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    int ret;
+    DBT key, data;
+    unsigned char *buf, *tmpbuf = NULL;
+    certDBEntryType type;
+    certDBEntryNickname *nnEntry = NULL;
+    certDBEntrySubject *subjectEntry = NULL;
+    certDBEntrySMime *emailEntry = NULL;
+    char *nickname;
+    char *emailAddr;
+    SECStatus rv;
+    
+    /*
+     * Sequence through the old database and copy all of the entries
+     * to the new database.  Subject name entries will have the new
+     * fields inserted into them (with zero length).
+     */
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( data.size >= 3 ) {
+	    if ( buf[0] == 6 ) { /* version number */
+		type = (certDBEntryType)buf[1];
+		if ( type == certDBEntryTypeSubject ) {
+		    /* expando subjecto entrieo */
+		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4);
+		    if ( tmpbuf ) {
+			/* copy header stuff */
+			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2);
+			/* insert 4 more bytes of zero'd header */
+			PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2],
+				    0, 4);
+			/* copy rest of the data */
+			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+				    &buf[SEC_DB_ENTRY_HEADER_LEN + 2],
+				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 2));
+
+			data.data = (void *)tmpbuf;
+			data.size += 4;
+			buf = tmpbuf;
+		    }
+		} else if ( type == certDBEntryTypeCert ) {
+		    /* expando certo entrieo */
+		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3);
+		    if ( tmpbuf ) {
+			/* copy header stuff */
+			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN);
+
+			/* copy trust flage, setting msb's to 0 */
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+1] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN];
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+2] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+3] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN+1];
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+4] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+5] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN+2];
+			
+			/* copy rest of the data */
+			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+				    &buf[SEC_DB_ENTRY_HEADER_LEN + 3],
+				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 3));
+
+			data.data = (void *)tmpbuf;
+			data.size += 3;
+			buf = tmpbuf;
+		    }
+
+		}
+
+		/* update the record version number */
+		buf[0] = CERT_DB_FILE_VERSION;
+
+		/* copy to the new database */
+		ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+		if ( tmpbuf ) {
+		    PORT_Free(tmpbuf);
+		    tmpbuf = NULL;
+		}
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( data.size >= 3 ) {
+	    if ( buf[0] == CERT_DB_FILE_VERSION ) { /* version number */
+		type = (certDBEntryType)buf[1];
+		if ( type == certDBEntryTypeNickname ) {
+		    nickname = &((char *)key.data)[1];
+
+		    /* get the matching nickname entry in the new DB */
+		    nnEntry = ReadDBNicknameEntry(handle, nickname);
+		    if ( nnEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    /* find the subject entry pointed to by nickname */
+		    subjectEntry = ReadDBSubjectEntry(handle,
+						      &nnEntry->subjectName);
+		    if ( subjectEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    subjectEntry->nickname =
+			(char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+						key.size - 1);
+		    if ( subjectEntry->nickname ) {
+			PORT_Memcpy(subjectEntry->nickname, nickname,
+				    key.size - 1);
+			rv = WriteDBSubjectEntry(handle, subjectEntry);
+		    }
+		} else if ( type == certDBEntryTypeSMimeProfile ) {
+		    emailAddr = &((char *)key.data)[1];
+
+		    /* get the matching smime entry in the new DB */
+		    emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr);
+		    if ( emailEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    /* find the subject entry pointed to by nickname */
+		    subjectEntry = ReadDBSubjectEntry(handle,
+						      &emailEntry->subjectName);
+		    if ( subjectEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    subjectEntry->emailAddrs = (char **)
+				PORT_ArenaAlloc(subjectEntry->common.arena,
+						sizeof(char *));
+		    if ( subjectEntry->emailAddrs ) {
+			subjectEntry->emailAddrs[0] =
+			     (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+						key.size - 1);
+			if ( subjectEntry->emailAddrs[0] ) {
+			    PORT_Memcpy(subjectEntry->emailAddrs[0], emailAddr,
+				    key.size - 1);
+			    subjectEntry->nemailAddrs = 1;
+			    rv = WriteDBSubjectEntry(handle, subjectEntry);
+			}
+		    }
+		}
+		
+endloop:
+		if ( subjectEntry ) {
+		    DestroyDBEntry((certDBEntry *)subjectEntry);
+		    subjectEntry = NULL;
+		}
+		if ( nnEntry ) {
+		    DestroyDBEntry((certDBEntry *)nnEntry);
+		    nnEntry = NULL;
+		}
+		if ( emailEntry ) {
+		    DestroyDBEntry((certDBEntry *)emailEntry);
+		    emailEntry = NULL;
+		}
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+
+static SECStatus
+updateV5Callback(NSSLOWCERTCertificate *cert, SECItem *k, void *pdata)
+{
+    NSSLOWCERTCertDBHandle *handle;
+    certDBEntryCert *entry;
+    NSSLOWCERTCertTrust *trust;
+    
+    handle = (NSSLOWCERTCertDBHandle *)pdata;
+    trust = &cert->dbEntry->trust;
+
+    /* SSL user certs can be used for email if they have an email addr */
+    if ( cert->emailAddr && ( trust->sslFlags & CERTDB_USER ) &&
+	( trust->emailFlags == 0 ) ) {
+	trust->emailFlags = CERTDB_USER;
+    }
+    /* servers didn't set the user flags on the server cert.. */
+    if (PORT_Strcmp(cert->dbEntry->nickname,"Server-Cert") == 0) {
+	trust->sslFlags |= CERTDB_USER;
+    }
+    
+    entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname,
+			    &cert->dbEntry->trust);
+    if ( entry ) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    
+    return(SECSuccess);
+}
+
+static SECStatus
+UpdateV5DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    NSSLOWCERTCertDBHandle updatehandle;
+    SECStatus rv;
+    
+    updatehandle.permCertDB = updatedb;
+    updatehandle.dbMon = PZ_NewMonitor(nssILockCertDB);
+    updatehandle.dbVerify = 0;
+    updatehandle.ref      = 1; /* prevent premature close */
+    
+    rv = nsslowcert_TraversePermCerts(&updatehandle, updateV5Callback,
+			       (void *)handle);
+    
+    PZ_DestroyMonitor(updatehandle.dbMon);
+
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+static PRBool
+isV4DB(DB *db) {
+    DBT key,data;
+    int ret;
+
+    key.data = "Version";
+    key.size = 7;
+
+    ret = (*db->get)(db, &key, &data, 0);
+    if (ret) {
+	return PR_FALSE;
+    }
+
+    if ((data.size == 1) && (*(unsigned char *)data.data <= 4))  {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+static SECStatus
+UpdateV4DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    DBT key, data;
+    certDBEntryCert *entry, *entry2;
+    int ret;
+    PRArenaPool *arena = NULL;
+    NSSLOWCERTCertificate *cert;
+
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return(SECFailure);
+    }
+    
+    do {
+	if ( data.size != 1 ) { /* skip version number */
+
+	    /* decode the old DB entry */
+	    entry = (certDBEntryCert *)
+		DecodeV4DBCertEntry((unsigned char*)data.data, data.size);
+	    
+	    if ( entry ) {
+		cert = nsslowcert_DecodeDERCertificate(&entry->derCert, 
+						 entry->nickname);
+
+		if ( cert != NULL ) {
+		    /* add to new database */
+		    entry2 = AddCertToPermDB(handle, cert, entry->nickname,
+					     &entry->trust);
+		    
+		    nsslowcert_DestroyCertificate(cert);
+		    if ( entry2 ) {
+			DestroyDBEntry((certDBEntry *)entry2);
+		    }
+		}
+		DestroyDBEntry((certDBEntry *)entry);
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    PORT_FreeArena(arena, PR_FALSE);
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+
+/*
+ * return true if a database key conflict exists
+ */
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle)
+{
+    SECStatus rv;
+    DBT tmpdata;
+    DBT namekey;
+    int ret;
+    SECItem keyitem;
+    PRArenaPool *arena = NULL;
+    SECItem derKey;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    /* get the db key of the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, derCert, &derKey);
+    if ( rv != SECSuccess ) {
+        goto loser;
+    }
+
+    rv = EncodeDBCertKey(&derKey, arena, &keyitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    namekey.data = keyitem.data;
+    namekey.size = keyitem.len;
+    
+    ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
+    if ( ret == 0 ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    
+    return(PR_FALSE);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(PR_TRUE);
+}
+
+/*
+ * return true if a nickname conflict exists
+ * NOTE: caller must have already made sure that this exact cert
+ * doesn't exist in the DB
+ */
+static PRBool
+nsslowcert_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 NSSLOWCERTCertDBHandle *handle)
+{
+    PRBool rv;
+    certDBEntryNickname *entry;
+    
+    if ( nickname == NULL ) {
+	return(PR_FALSE);
+    }
+    
+    entry = ReadDBNicknameEntry(handle, nickname);
+
+    if ( entry == NULL ) {
+	/* no entry for this nickname, so no conflict */
+	return(PR_FALSE);
+    }
+
+    rv = PR_TRUE;
+    if ( SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual ) {
+	/* if subject names are the same, then no conflict */
+	rv = PR_FALSE;
+    }
+
+    DestroyDBEntry((certDBEntry *)entry);
+    return(rv);
+}
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY	PR_RDONLY
+#define NO_RDWR		PR_RDWR
+#define NO_CREATE	(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY	O_RDONLY
+#define NO_RDWR		O_RDWR
+#define NO_CREATE	(O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+/*
+ * open an old database that needs to be updated
+ */
+static DB *
+nsslowcert_openolddb(NSSLOWCERTDBNameFunc namecb, void *cbarg, int version)
+{
+    char * tmpname;
+    DB *updatedb = NULL;
+
+    tmpname = (* namecb)(cbarg, version);	/* get v6 db name */
+    if ( tmpname ) {
+	updatedb = dbopen( tmpname, NO_RDONLY, 0600, DB_HASH, 0 );
+	PORT_Free(tmpname);
+    }
+    return updatedb;
+}
+
+static SECStatus
+openNewCertDB(const char *appName, const char *prefix, const char *certdbname, 
+    NSSLOWCERTCertDBHandle *handle, NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+    SECStatus rv;
+    certDBEntryVersion *versionEntry = NULL;
+    DB *updatedb = NULL;
+    int status = RDB_FAIL;
+
+    if (appName) {
+	handle->permCertDB=rdbopen( appName, prefix, "cert", NO_CREATE, &status);
+    } else {
+	handle->permCertDB=dbsopen(certdbname, NO_CREATE, 0600, DB_HASH, 0);
+    }
+
+    /* if create fails then we lose */
+    if ( handle->permCertDB == 0 ) {
+	return status == RDB_RETRY ? SECWouldBlock : SECFailure;
+    }
+
+    /* Verify version number; */
+    versionEntry = NewDBVersionEntry(0);
+    if ( versionEntry == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+	
+    rv = WriteDBVersionEntry(handle, versionEntry);
+
+    DestroyDBEntry((certDBEntry *)versionEntry);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* rv must already be Success here because of previous if statement */
+    /* try to upgrade old db here */
+    if (appName &&
+       (updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0)) != NULL) {
+	rv = UpdateV8DB(handle, updatedb);
+    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,7)) != NULL) {
+	rv = UpdateV7DB(handle, updatedb);
+    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,6)) != NULL) {
+	rv = UpdateV6DB(handle, updatedb);
+    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,5)) != NULL) {
+	rv = UpdateV5DB(handle, updatedb);
+    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,4)) != NULL) {
+	/* NES has v5 format db's with v4 db names! */
+	if (isV4DB(updatedb)) {
+	    rv = UpdateV4DB(handle,updatedb);
+	} else {
+	    rv = UpdateV5DB(handle,updatedb);
+	}
+    }
+
+
+loser:
+    db_InitComplete(handle->permCertDB);
+    return rv;
+}
+
+static int
+nsslowcert_GetVersionNumber( NSSLOWCERTCertDBHandle *handle)
+{
+    certDBEntryVersion *versionEntry = NULL;
+    int version = 0;
+
+    versionEntry = ReadDBVersionEntry(handle); 
+    if ( versionEntry == NULL ) {
+	return 0;
+    }
+    version = versionEntry->common.version;
+    DestroyDBEntry((certDBEntry *)versionEntry);
+    return version;
+}
+
+/*
+ * Open the certificate database and index databases.  Create them if
+ * they are not there or bad.
+ */
+static SECStatus
+nsslowcert_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+		   		const char *appName, const char *prefix,
+				NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+    SECStatus rv;
+    int openflags;
+    char *certdbname;
+    int version = 0;
+    
+    certdbname = (* namecb)(cbarg, CERT_DB_FILE_VERSION);
+    if ( certdbname == NULL ) {
+	return(SECFailure);
+    }
+
+    openflags = readOnly ? NO_RDONLY : NO_RDWR;
+
+    /*
+     * first open the permanent file based database.
+     */
+    if (appName) {
+	handle->permCertDB = rdbopen( appName, prefix, "cert", openflags, NULL);
+    } else {
+	handle->permCertDB = dbsopen( certdbname, openflags, 0600, DB_HASH, 0 );
+    }
+
+    /* check for correct version number */
+    if ( handle->permCertDB ) {
+	version = nsslowcert_GetVersionNumber(handle);
+	if ((version != CERT_DB_FILE_VERSION) &&
+		!(appName && version == CERT_DB_V7_FILE_VERSION)) {
+	    goto loser;
+	}
+    } else if ( readOnly ) {
+	/* don't create if readonly */
+	    /* Try openning a version 7 database */
+	    handle->permCertDB = nsslowcert_openolddb(namecb,cbarg, 7);
+	    if (!handle->permCertDB) {
+		goto loser;
+	    }
+	    if (nsslowcert_GetVersionNumber(handle) != 7) {
+		goto loser;
+	    }
+    } else {
+        /* if first open fails, try to create a new DB */
+	rv = openNewCertDB(appName,prefix,certdbname,handle,namecb,cbarg);
+	if (rv == SECWouldBlock) {
+	    /* only the rdb version can fail with wouldblock */
+	    handle->permCertDB = 
+			rdbopen( appName, prefix, "cert", openflags, NULL);
+
+	    /* check for correct version number */
+	    if ( !handle->permCertDB ) {
+		goto loser;
+	    }
+	    version = nsslowcert_GetVersionNumber(handle);
+	    if ((version != CERT_DB_FILE_VERSION) &&
+		!(appName && version == CERT_DB_V7_FILE_VERSION)) {
+		goto loser;
+	    }
+	} else if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    PORT_Free(certdbname);
+    
+    return (SECSuccess);
+    
+loser:
+
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+    
+    if ( handle->permCertDB ) {
+	certdb_Close(handle->permCertDB);
+	handle->permCertDB = 0;
+    }
+
+    PORT_Free(certdbname);
+
+    return(SECFailure);
+}
+
+/*
+ * delete all DB records associated with a particular certificate
+ */
+static SECStatus
+DeletePermCert(NSSLOWCERTCertificate *cert)
+{
+    SECStatus rv;
+    SECStatus ret;
+
+    ret = SECSuccess;
+    
+    rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
+    if ( rv != SECSuccess ) {
+	ret = SECFailure;
+    }
+    
+    rv = RemovePermSubjectNode(cert);
+
+
+    return(ret);
+}
+
+/*
+ * Delete a certificate from the permanent database.
+ */
+SECStatus
+nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
+{
+    SECStatus rv;
+    
+    nsslowcert_LockDB(cert->dbhandle);
+
+    /* delete the records from the permanent database */
+    rv = DeletePermCert(cert);
+
+    /* get rid of dbcert and stuff pointing to it */
+    DestroyDBEntry((certDBEntry *)cert->dbEntry);
+    cert->dbEntry = NULL;
+    cert->trust = NULL;
+	
+    nsslowcert_UnlockDB(cert->dbhandle);
+    return(rv);
+}
+
+/*
+ * Traverse all of the entries in the database of a particular type
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+		      certDBEntryType type,
+		      SECStatus (* callback)(SECItem *data, SECItem *key,
+					    certDBEntryType type, void *pdata),
+		      void *udata )
+{
+    DBT data;
+    DBT key;
+    SECStatus rv;
+    int ret;
+    SECItem dataitem;
+    SECItem keyitem;
+    unsigned char *buf;
+    unsigned char *keybuf;
+    
+    ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( buf[1] == (unsigned char)type ) {
+	    dataitem.len = data.size;
+	    dataitem.data = buf;
+            dataitem.type = siBuffer;
+	    keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
+	    keybuf = (unsigned char *)key.data;
+	    keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
+            keyitem.type = siBuffer;
+	    /* type should equal keybuf[0].  */
+
+	    rv = (* callback)(&dataitem, &keyitem, type, udata);
+	    if ( rv != SECSuccess ) {
+		return(rv);
+	    }
+	}
+    } while ( certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0 );
+
+    return(SECSuccess);
+}
+/*
+ * Decode a certificate and enter it into the temporary certificate database.
+ * Deal with nicknames correctly
+ *
+ * This is the private entry point.
+ */
+static NSSLOWCERTCertificate *
+DecodeACert(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+    NSSLOWCERTCertificate *cert = NULL;
+    
+    cert = nsslowcert_DecodeDERCertificate(&entry->derCert, entry->nickname );
+    
+    if ( cert == NULL ) {
+	goto loser;
+    }
+
+    cert->dbhandle = handle;
+    cert->dbEntry = entry;
+    cert->trust = &entry->trust;
+
+    return(cert);
+
+loser:
+    return(0);
+}
+
+static NSSLOWCERTTrust *
+CreateTrust(void)
+{
+    NSSLOWCERTTrust *trust = NULL;
+
+    nsslowcert_LockFreeList();
+    trust = trustListHead;
+    if (trust) {
+	trustListCount--;
+	trustListHead = trust->next;
+    }
+    PORT_Assert(trustListCount >= 0);
+    nsslowcert_UnlockFreeList();
+    if (trust) {
+	return trust;
+    }
+
+    return PORT_ZNew(NSSLOWCERTTrust);
+}
+
+static void
+DestroyTrustFreeList(void)
+{
+    NSSLOWCERTTrust *trust;
+
+    nsslowcert_LockFreeList();
+    while (NULL != (trust = trustListHead)) {
+	trustListCount--;
+	trustListHead = trust->next;
+	PORT_Free(trust);
+    }
+    PORT_Assert(!trustListCount);
+    trustListCount = 0;
+    nsslowcert_UnlockFreeList();
+}
+
+static NSSLOWCERTTrust * 
+DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry, 
+                 const SECItem *dbKey)
+{
+    NSSLOWCERTTrust *trust = CreateTrust();
+    if (trust == NULL) {
+	return trust;
+    }
+    trust->dbhandle = handle;
+    trust->dbEntry = entry;
+    trust->dbKey.data = pkcs11_copyStaticData(dbKey->data,dbKey->len,
+				trust->dbKeySpace, sizeof(trust->dbKeySpace));
+    if (!trust->dbKey.data) {
+	PORT_Free(trust);
+	return NULL;
+    }
+    trust->dbKey.len = dbKey->len;
+ 
+    trust->trust = &entry->trust;
+    trust->derCert = &entry->derCert;
+
+    return(trust);
+}
+
+typedef struct {
+    PermCertCallback certfunc;
+    NSSLOWCERTCertDBHandle *handle;
+    void *data;
+} PermCertCallbackState;
+
+/*
+ * traversal callback to decode certs and call callers callback
+ */
+static SECStatus
+certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
+{
+    PermCertCallbackState *mystate;
+    SECStatus rv;
+    certDBEntryCert *entry;
+    SECItem entryitem;
+    NSSLOWCERTCertificate *cert;
+    PRArenaPool *arena = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+    mystate = (PermCertCallbackState *)data;
+    entry->common.version = (unsigned int)dbdata->data[0];
+    entry->common.type = (certDBEntryType)dbdata->data[1];
+    entry->common.flags = (unsigned int)dbdata->data[2];
+    entry->common.arena = arena;
+    
+    entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
+    entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    rv = DecodeDBCertEntry(entry, &entryitem);
+    if (rv != SECSuccess ) {
+	goto loser;
+    }
+    entry->derCert.type = siBuffer;
+   
+    /* note: Entry is 'inheritted'.  */
+    cert = DecodeACert(mystate->handle, entry);
+
+    rv = (* mystate->certfunc)(cert, dbkey, mystate->data);
+
+    /* arena stored in entry destroyed by nsslowcert_DestroyCertificate */
+    nsslowcert_DestroyCertificateNoLocking(cert);
+
+    return(rv);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one; expect the caller to have lock.
+ */
+static SECStatus
+TraversePermCertsNoLocking(NSSLOWCERTCertDBHandle *handle,
+			   SECStatus (* certfunc)(NSSLOWCERTCertificate *cert,
+						  SECItem *k,
+						  void *pdata),
+			   void *udata )
+{
+    SECStatus rv;
+    PermCertCallbackState mystate;
+
+    mystate.certfunc = certfunc;
+    mystate.handle = handle;
+    mystate.data = udata;
+    rv = nsslowcert_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
+			       (void *)&mystate);
+    
+    return(rv);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      SECStatus (* certfunc)(NSSLOWCERTCertificate *cert, SECItem *k,
+					    void *pdata),
+		      void *udata )
+{
+    SECStatus rv;
+
+    nsslowcert_LockDB(handle);
+    rv = TraversePermCertsNoLocking(handle, certfunc, udata);
+    nsslowcert_UnlockDB(handle);
+    
+    return(rv);
+}
+
+
+
+/*
+ * Close the database
+ */
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+    if ( handle ) {
+	if ( handle->permCertDB ) {
+	    certdb_Close( handle->permCertDB );
+	    handle->permCertDB = NULL;
+	}
+	if (handle->dbMon) {
+    	    PZ_DestroyMonitor(handle->dbMon);
+	    handle->dbMon = NULL;
+	}
+	PORT_Free(handle);
+    }
+    return;
+}
+
+/*
+ * Get the trust attributes from a certificate
+ */
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+    SECStatus rv;
+    
+    nsslowcert_LockCertTrust(cert);
+    
+    if ( cert->trust == NULL ) {
+	rv = SECFailure;
+    } else {
+	*trust = *cert->trust;
+	rv = SECSuccess;
+    }
+    
+    nsslowcert_UnlockCertTrust(cert);
+    return(rv);
+}
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
+	 	 	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+    certDBEntryCert *entry;
+    int rv;
+    SECStatus ret;
+    
+    nsslowcert_LockDB(handle);
+    nsslowcert_LockCertTrust(cert);
+    /* only set the trust on permanent certs */
+    if ( cert->trust == NULL ) {
+	ret = SECFailure;
+	goto done;
+    }
+
+    *cert->trust = *trust;
+    if ( cert->dbEntry == NULL ) {
+	ret = SECSuccess; /* not in permanent database */
+	goto done;
+    }
+    
+    entry = cert->dbEntry;
+    entry->trust = *trust;
+    
+    rv = WriteDBCertEntry(handle, entry);
+    if ( rv ) {
+	ret = SECFailure;
+	goto done;
+    }
+
+    ret = SECSuccess;
+    
+done:
+    nsslowcert_UnlockCertTrust(cert);
+    nsslowcert_UnlockDB(handle);
+    return(ret);
+}
+
+
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+    char *oldnn;
+    certDBEntryCert *entry;
+    PRBool conflict;
+    SECStatus ret;
+
+    PORT_Assert(!cert->dbEntry);
+
+    /* don't add a conflicting nickname */
+    conflict = nsslowcert_CertNicknameConflict(nickname, &cert->derSubject,
+					dbhandle);
+    if ( conflict ) {
+	ret = SECFailure;
+	goto done;
+    }
+    
+    /* save old nickname so that we can delete it */
+    oldnn = cert->nickname;
+
+    entry = AddCertToPermDB(dbhandle, cert, nickname, trust);
+    
+    if ( entry == NULL ) {
+	ret = SECFailure;
+	goto done;
+    }
+
+    pkcs11_freeNickname(oldnn,cert->nicknameSpace);
+    
+    cert->nickname = (entry->nickname) ? pkcs11_copyNickname(entry->nickname,
+		cert->nicknameSpace, sizeof(cert->nicknameSpace)) : NULL;
+    cert->trust = &entry->trust;
+    cert->dbEntry = entry;
+    
+    ret = SECSuccess;
+done:
+    return(ret);
+}
+
+SECStatus
+nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+    SECStatus ret;
+
+    nsslowcert_LockDB(dbhandle);
+
+    ret = nsslowcert_UpdatePermCert(dbhandle, cert, nickname, trust);
+    
+    nsslowcert_UnlockDB(dbhandle);
+    return(ret);
+}
+
+/*
+ * Open the certificate database and index databases.  Create them if
+ * they are not there or bad.
+ */
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+	        const char *appName, const char *prefix,
+		NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile)
+{
+    int rv;
+
+    certdb_InitDBLock(handle);
+    
+    handle->dbMon = PZ_NewMonitor(nssILockCertDB);
+    PORT_Assert(handle->dbMon != NULL);
+    handle->dbVerify = PR_FALSE;
+
+    rv = nsslowcert_OpenPermCertDB(handle, readOnly, appName, prefix, 
+							namecb, cbarg);
+    if ( rv ) {
+	goto loser;
+    }
+
+    return (SECSuccess);
+    
+loser:
+
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+    return(SECFailure);
+}
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle)
+{
+    if (!handle) return PR_FALSE;
+    return handle->dbVerify;
+}
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value)
+{
+    handle->dbVerify = value;
+}
+
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTCertificate *
+FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+    NSSLOWCERTCertificate *cert = NULL;
+    certDBEntryCert *entry;
+    PRBool locked = PR_FALSE;
+    
+    if ( lockdb ) {
+	locked = PR_TRUE;
+	nsslowcert_LockDB(handle);
+    }
+	
+    /* find in perm database */
+    entry = ReadDBCertEntry(handle, certKey);
+	
+    if ( entry == NULL ) {
+ 	goto loser;
+    }
+  
+    /* inherit entry */  
+    cert = DecodeACert(handle, entry);
+
+loser:
+    if (cert == NULL) {
+	if (entry) {
+	    DestroyDBEntry((certDBEntry *)entry);
+	}
+    }
+
+    if ( locked ) {
+	nsslowcert_UnlockDB(handle);
+    }
+    
+    return(cert);
+}
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTTrust *
+FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+    NSSLOWCERTTrust *trust = NULL;
+    certDBEntryCert *entry;
+    PRBool locked = PR_FALSE;
+    
+    if ( lockdb ) {
+	locked = PR_TRUE;
+	nsslowcert_LockDB(handle);
+    }
+	
+    /* find in perm database */
+    entry = ReadDBCertEntry(handle, certKey);
+	
+    if ( entry == NULL ) {
+ 	goto loser;
+    }
+
+    if (!nsslowcert_hasTrust(&entry->trust)) {
+	goto loser;
+    }
+  
+    /* inherit entry */  
+    trust = DecodeTrustEntry(handle, entry, certKey);
+
+loser:
+    if (trust == NULL) {
+	if (entry) {
+	    DestroyDBEntry((certDBEntry *)entry);
+	}
+    }
+
+    if ( locked ) {
+	nsslowcert_UnlockDB(handle);
+    }
+    
+    return(trust);
+}
+
+/*
+ * Lookup a certificate in the databases without locking
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+    return(FindCertByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Lookup a trust object in the databases without locking
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+    return(FindTrustByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+    SECItem certKey;
+    SECItem *sn = &issuerAndSN->serialNumber;
+    SECItem *issuer = &issuerAndSN->derIssuer;
+    NSSLOWCERTCertificate *cert;
+    int data_left = sn->len-1;
+    int data_len = sn->len;
+    int index = 0;
+
+    /* automatically detect DER encoded serial numbers and remove the der
+     * encoding since the database expects unencoded data. 
+     * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+    if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+	/* remove the der encoding of the serial number before generating the
+	 * key.. */
+	data_left = sn->len-2;
+	data_len = sn->data[1];
+	index = 2;
+
+	/* extended length ? (not very likely for a serial number) */
+	if (data_len & 0x80) {
+	    int len_count = data_len & 0x7f;
+
+	    data_len = 0;
+	    data_left -= len_count;
+	    if (data_left > 0) {
+		while (len_count --) {
+		    data_len = (data_len << 8) | sn->data[index++];
+		}
+	    } 
+	}
+	/* XXX leaving any leading zeros on the serial number for backwards
+	 * compatibility
+	 */
+	/* not a valid der, must be just an unlucky serial number value */
+	if (data_len != data_left) {
+	    data_len = sn->len;
+	    index = 0;
+	}
+    }
+
+    certKey.type = 0;
+    certKey.data = (unsigned char*)PORT_Alloc(sn->len + issuer->len);
+    certKey.len = data_len + issuer->len;
+    
+    if ( certKey.data == NULL ) {
+	return(0);
+    }
+
+    /* first try the serial number as hand-decoded above*/
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
+
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    if (cert) {
+	PORT_Free(certKey.data);
+	return (cert);
+    }
+
+    /* didn't find it, try by der encoded serial number */
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
+    certKey.len = sn->len + issuer->len;
+
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    
+    PORT_Free(certKey.data);
+    
+    return(cert);
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, 
+					NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+    SECItem certKey;
+    SECItem *sn = &issuerAndSN->serialNumber;
+    SECItem *issuer = &issuerAndSN->derIssuer;
+    NSSLOWCERTTrust *trust;
+    unsigned char keyBuf[512];
+    int data_left = sn->len-1;
+    int data_len = sn->len;
+    int index = 0;
+    int len;
+
+    /* automatically detect DER encoded serial numbers and remove the der
+     * encoding since the database expects unencoded data. 
+     * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+    if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+	/* remove the der encoding of the serial number before generating the
+	 * key.. */
+	data_left = sn->len-2;
+	data_len = sn->data[1];
+	index = 2;
+
+	/* extended length ? (not very likely for a serial number) */
+	if (data_len & 0x80) {
+	    int len_count = data_len & 0x7f;
+
+	    data_len = 0;
+	    data_left -= len_count;
+	    if (data_left > 0) {
+		while (len_count --) {
+		    data_len = (data_len << 8) | sn->data[index++];
+		}
+	    } 
+	}
+	/* XXX leaving any leading zeros on the serial number for backwards
+	 * compatibility
+	 */
+	/* not a valid der, must be just an unlucky serial number value */
+	if (data_len != data_left) {
+	    data_len = sn->len;
+	    index = 0;
+	}
+    }
+
+    certKey.type = 0;
+    certKey.len = data_len + issuer->len;
+    len = sn->len + issuer->len;
+    if (len > sizeof (keyBuf)) {
+	certKey.data = (unsigned char*)PORT_Alloc(len);
+    } else {
+	certKey.data = keyBuf;
+    }
+    
+    if ( certKey.data == NULL ) {
+	return(0);
+    }
+
+    /* first try the serial number as hand-decoded above*/
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
+
+    trust = nsslowcert_FindTrustByKey(handle, &certKey);
+    if (trust) {
+	pkcs11_freeStaticData(certKey.data, keyBuf);
+	return (trust);
+    }
+
+    if (index == 0) {
+	pkcs11_freeStaticData(certKey.data, keyBuf);
+	return NULL;
+    }
+
+    /* didn't find it, try by der encoded serial number */
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
+    certKey.len = sn->len + issuer->len;
+
+    trust = nsslowcert_FindTrustByKey(handle, &certKey);
+    
+    pkcs11_freeStaticData(certKey.data, keyBuf);
+    
+    return(trust);
+}
+
+/*
+ * look for the given DER certificate in the database
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert)
+{
+    PRArenaPool *arena;
+    SECItem certKey;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert = NULL;
+    
+    /* create a scratch arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* extract the database key from the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, derCert, &certKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* find the certificate */
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(cert);
+}
+
+static void
+DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
+{
+    int refCount;
+    NSSLOWCERTCertDBHandle *handle;
+    
+    if ( cert ) {
+
+	handle = cert->dbhandle;
+
+	/*
+	 * handle may be NULL, for example if the cert was created with
+	 * nsslowcert_DecodeDERCertificate.
+	 */
+	if ( lockdb && handle ) {
+	    nsslowcert_LockDB(handle);
+	}
+
+        nsslowcert_LockCertRefCount(cert);
+	PORT_Assert(cert->referenceCount > 0);
+	refCount = --cert->referenceCount;
+        nsslowcert_UnlockCertRefCount(cert);
+
+	if ( ( refCount == 0 ) ) {
+	    certDBEntryCert *entry  = cert->dbEntry;
+
+	    if ( entry ) {
+		DestroyDBEntry((certDBEntry *)entry);
+            }
+
+	    pkcs11_freeNickname(cert->nickname,cert->nicknameSpace);
+	    pkcs11_freeNickname(cert->emailAddr,cert->emailAddrSpace);
+	    pkcs11_freeStaticData(cert->certKey.data,cert->certKeySpace);
+	    cert->certKey.data = NULL;
+	    cert->nickname = NULL;
+
+	    /* zero cert before freeing. Any stale references to this cert
+	     * after this point will probably cause an exception.  */
+	    PORT_Memset(cert, 0, sizeof *cert);
+
+	    /* use reflock to protect the free list */
+	    nsslowcert_LockFreeList();
+	    if (certListCount > MAX_CERT_LIST_COUNT) {
+		PORT_Free(cert);
+	    } else {
+		certListCount++;
+		cert->next = certListHead;
+		certListHead = cert;
+	    }
+	    nsslowcert_UnlockFreeList();
+	    cert = NULL;
+        }
+	if ( lockdb && handle ) {
+	    nsslowcert_UnlockDB(handle);
+	}
+    }
+
+    return;
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void)
+{
+    NSSLOWCERTCertificate *cert;
+    nsslowcert_LockFreeList();
+    cert = certListHead;
+    if (cert) {
+	certListHead = cert->next;
+	certListCount--;
+    }
+    PORT_Assert(certListCount >= 0);
+    nsslowcert_UnlockFreeList();
+    if (cert) {
+	return cert;
+    }
+    return PORT_ZNew(NSSLOWCERTCertificate);
+}
+
+static void
+DestroyCertFreeList(void)
+{
+    NSSLOWCERTCertificate *cert;
+
+    nsslowcert_LockFreeList();
+    while (NULL != (cert = certListHead)) {
+	certListCount--;
+	certListHead = cert->next;
+	PORT_Free(cert);
+    }
+    PORT_Assert(!certListCount);
+    certListCount = 0;
+    nsslowcert_UnlockFreeList();
+}
+
+void
+nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust)
+{
+    certDBEntryCert *entry  = trust->dbEntry;
+
+    if ( entry ) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    pkcs11_freeStaticData(trust->dbKey.data,trust->dbKeySpace);
+    PORT_Memset(trust, 0, sizeof(*trust));
+
+    nsslowcert_LockFreeList();
+    if (trustListCount > MAX_TRUST_LIST_COUNT) {
+	PORT_Free(trust);
+    } else {
+	trustListCount++;
+	trust->next = trustListHead;
+	trustListHead = trust;
+    }
+    nsslowcert_UnlockFreeList();
+
+    return;
+}
+
+void
+nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
+{
+    DestroyCertificate(cert, PR_TRUE);
+    return;
+}
+
+static void
+nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert)
+{
+    DestroyCertificate(cert, PR_FALSE);
+    return;
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ *  caching stuff used by certificates....?
+ */
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, 
+						SECItem *crlKey, PRBool isKRL)
+{
+    SECItem keyitem;
+    DBT key;
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    certDBEntryRevocation *entry = NULL;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    key.data = keyitem.data;
+    key.size = keyitem.len;
+
+    /* find in perm database */
+    entry = ReadDBCrlEntry(handle, crlKey, crlType);
+	
+    if ( entry == NULL ) {
+	goto loser;
+    }
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return entry;
+}
+
+/*
+ * replace the existing URL in the data base with a new one
+ */
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
+			SECItem *crlKey, char *url, PRBool isKRL)
+{
+    SECStatus rv = SECFailure;
+    certDBEntryRevocation *entry = NULL;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    DeleteDBCrlEntry(handle, crlKey, crlType);
+
+    /* Write the new entry into the data base */
+    entry = NewDBCrlEntry(derCrl, url, crlType, 0);
+    if (entry == NULL) goto done;
+
+    rv = WriteDBCrlEntry(handle, entry, crlKey);
+    if (rv != SECSuccess) goto done;
+
+done:
+    if (entry) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    return rv;
+}
+
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
+			SECItem *crlKey, char *url, PRBool isKRL)
+{
+    SECStatus rv;
+
+    rv = nsslowcert_UpdateCrl(handle, derCrl, crlKey, url, isKRL);
+
+    return rv;
+}
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, const SECItem *derName,
+								 PRBool isKRL)
+{
+    SECStatus rv;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    
+    rv = DeleteDBCrlEntry(handle, derName, crlType);
+    if (rv != SECSuccess) goto done;
+  
+done:
+    return rv;
+}
+
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
+{
+    if (trust == NULL) {
+	return PR_FALSE;
+    }
+    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) && 
+		(trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) && 
+			(trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
+}
+
+/*
+ * This function has the logic that decides if another person's cert and
+ * email profile from an S/MIME message should be saved.  It can deal with
+ * the case when there is no profile.
+ */
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, 
+	char *emailAddr, SECItem *derSubject, SECItem *emailProfile, 
+							SECItem *profileTime)
+{
+    certDBEntrySMime *entry = NULL;
+    SECStatus rv = SECFailure;;
+
+
+    /* find our existing entry */
+    entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
+
+    if ( entry ) {
+	/* keep our old db entry consistant for old applications. */
+	if (!SECITEM_ItemsAreEqual(derSubject, &entry->subjectName)) {
+	    nsslowcert_UpdateSubjectEmailAddr(dbhandle, &entry->subjectName, 
+				emailAddr, nsslowcert_remove);
+	} 
+	DestroyDBEntry((certDBEntry *)entry);
+	entry = NULL;
+    }
+
+    /* now save the entry */
+    entry = NewDBSMimeEntry(emailAddr, derSubject, emailProfile,
+				profileTime, 0);
+    if ( entry == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    nsslowcert_LockDB(dbhandle);
+
+    rv = DeleteDBSMimeEntry(dbhandle, emailAddr);
+    /* if delete fails, try to write new entry anyway... */
+
+    /* link subject entry back here */
+    rv = nsslowcert_UpdateSubjectEmailAddr(dbhandle, derSubject, emailAddr,
+					nsslowcert_add);
+    if ( rv != SECSuccess ) {
+	    nsslowcert_UnlockDB(dbhandle);
+	    goto loser;
+    }
+	
+    rv = WriteDBSMimeEntry(dbhandle, entry);
+    if ( rv != SECSuccess ) {
+	    nsslowcert_UnlockDB(dbhandle);
+	    goto loser;
+    }
+
+    nsslowcert_UnlockDB(dbhandle);
+
+    rv = SECSuccess;
+    
+loser:
+    if ( entry ) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    return(rv);
+}
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
+	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
+{
+    SECStatus rv = SECFailure;;
+
+
+    rv = nsslowcert_UpdateSMimeProfile(dbhandle, emailAddr, 
+	 derSubject, emailProfile, profileTime);
+    
+    return(rv);
+}
+
+void
+nsslowcert_DestroyFreeLists(void)
+{
+    if (freeListLock == NULL) {
+	return;
+    }
+    DestroyCertEntryFreeList();
+    DestroyTrustFreeList();
+    DestroyCertFreeList();
+    PZ_DestroyLock(freeListLock);
+    freeListLock = NULL;
+}
+
+void
+nsslowcert_DestroyGlobalLocks(void)
+{
+    if (dbLock) {
+	PZ_DestroyLock(dbLock);
+	dbLock = NULL;
+    }
+    if (certRefCountLock) {
+	PZ_DestroyLock(certRefCountLock);
+	certRefCountLock = NULL;
+    }
+    if (certTrustLock) {
+	PZ_DestroyLock(certTrustLock);
+	certTrustLock = NULL;
+    }
+}
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey, 
+                 certDBEntryType entryType, void *pdata)
+{
+    PLArenaPool *arena = NULL;
+    certDBEntry *entry;
+    SECStatus rv;
+    SECItem dbEntry;
+
+
+    if ((dbData->len < SEC_DB_ENTRY_HEADER_LEN) || (dbKey->len == 0)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto loser;
+    }
+    dbEntry.data = &dbData->data[SEC_DB_ENTRY_HEADER_LEN];
+    dbEntry.len  = dbData->len - SEC_DB_ENTRY_HEADER_LEN;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    entry = PORT_ArenaZNew(arena, certDBEntry);
+    if (!entry)
+    	goto loser;
+
+    entry->common.version = (unsigned int)dbData->data[0];
+    entry->common.flags   = (unsigned int)dbData->data[2];
+    entry->common.type    = entryType;
+    entry->common.arena   = arena;
+
+    switch (entryType) {
+    case certDBEntryTypeContentVersion: /* This type appears to be unused */
+    case certDBEntryTypeVersion:        /* This type has only the common hdr */
+	rv = SECSuccess;
+    	break;
+
+    case certDBEntryTypeSubject:
+	rv = DecodeDBSubjectEntry(&entry->subject, &dbEntry, dbKey);
+    	break;
+
+    case certDBEntryTypeNickname:
+	rv = DecodeDBNicknameEntry(&entry->nickname, &dbEntry,
+                                   (char *)dbKey->data);
+    	break;
+
+    /* smime profiles need entries created after the certs have
+     * been imported, loop over them in a second run */
+    case certDBEntryTypeSMimeProfile:
+	rv = DecodeDBSMimeEntry(&entry->smime, &dbEntry, (char *)dbKey->data);
+	break;
+
+    case certDBEntryTypeCert:
+	rv = DecodeDBCertEntry(&entry->cert, &dbEntry);
+	break;
+
+    case certDBEntryTypeKeyRevocation:
+    case certDBEntryTypeRevocation:
+	rv = DecodeDBCrlEntry(&entry->revocation, &dbEntry);
+	break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    if (rv == SECSuccess)
+	return entry;
+
+loser:
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h
new file mode 100644
index 000000000..476a2d079
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -0,0 +1,450 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
+typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+    NSSLOWCERTTrust *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+    SECItem dbKey;			/* database key for this cert */
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    NSSLOWCERTCertTrust *trust;
+    SECItem *derCert;			/* original DER for the cert */
+    unsigned char dbKeySpace[512];
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    NSSLOWCERTCertificate *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSN;
+    SECItem serialNumber;
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derSubjKeyInfo;
+    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
+    SECItem certKey;			/* database key for this cert */
+    SECItem validity;
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    SECItem extensions;
+    char *nickname;
+    char *emailAddr;
+    NSSLOWCERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    char nicknameSpace[200];
+    char emailAddrSpace[200];
+    unsigned char certKeySpace[512];
+};
+
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+struct NSSLOWCERTIssuerAndSNStr {
+    SECItem derIssuer;
+    SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION		8
+#define CERT_DB_V7_FILE_VERSION		7
+#define CERT_DB_CONTENT_VERSION		2
+
+#define SEC_DB_ENTRY_HEADER_LEN		3
+#define SEC_DB_KEY_HEADER_LEN		1
+
+/* All database entries have this form:
+ * 	
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		type
+ *	2		flags
+ */
+
+/* database entry types */
+typedef enum {
+    certDBEntryTypeVersion = 0,
+    certDBEntryTypeCert = 1,
+    certDBEntryTypeNickname = 2,
+    certDBEntryTypeSubject = 3,
+    certDBEntryTypeRevocation = 4,
+    certDBEntryTypeKeyRevocation = 5,
+    certDBEntryTypeSMimeProfile = 6,
+    certDBEntryTypeContentVersion = 7,
+    certDBEntryTypeBlob = 8
+} certDBEntryType;
+
+typedef struct {
+    certDBEntryType type;
+    unsigned int version;
+    unsigned int flags;
+    PRArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		sslFlags-msb
+ *	1		sslFlags-lsb
+ *	2		emailFlags-msb
+ *	3		emailFlags-lsb
+ *	4		objectSigningFlags-msb
+ *	5		objectSigningFlags-lsb
+ *	6		derCert-len-msb
+ *	7		derCert-len-lsb
+ *	8		nickname-len-msb
+ *	9		nickname-len-lsb
+ *	...		derCert
+ *	...		nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ *		nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+    certDBEntryCommon common;
+    certDBEntryCert *next;
+    NSSLOWCERTCertTrust trust;
+    SECItem derCert;
+    char *nickname;
+    char nicknameSpace[200];
+    unsigned char derCertSpace[2048];
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2...		subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *nickname;
+    SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		ncerts-msb
+ *	1		ncerts-lsb
+ *	2		nickname-msb
+ *	3		nickname-lsb
+ *	4		emailAddr-msb
+ *	5		emailAddr-lsb
+ *	...		nickname
+ *	...		emailAddr
+ *	...+2*i		certkey-len-msb
+ *	...+1+2*i       certkey-len-lsb
+ *	...+2*ncerts+2*i keyid-len-msb
+ *	...+1+2*ncerts+2*i keyid-len-lsb
+ *	...		certkeys
+ *	...		keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of  certificate database lookup keys that
+ *   points to the database entries for the certificates that matche
+ *   this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+    certDBEntryCommon common;
+    SECItem derSubject;
+    unsigned int ncerts;
+    char *nickname;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+    char **emailAddrs;
+    unsigned int nemailAddrs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2		smimeoptions-len-msb
+ *	3		smimeoptions-len-lsb
+ *	4		options-date-len-msb
+ *	5		options-date-len-lsb
+ *	6...		subjectname
+ *	...		smimeoptions
+ *	...		options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ *   capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ *   This is generally the signing time of the signed message that contained
+ *   the options.  It is a UTCTime value.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *emailAddr;
+    SECItem subjectName;
+    SECItem smimeOptions;
+    SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		derCert-len-msb
+ *	1		derCert-len-lsb
+ *	2		url-len-msb
+ *	3		url-len-lsb
+ *	...		derCert
+ *	...		url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present. 
+ * NOTE: if url is not present, then url-len-msb and
+ *		url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN	4
+struct _certDBEntryRevocation {
+    certDBEntryCommon common;
+    SECItem	derCrl;
+    char	*url;	/* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+    certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+    certDBEntryCommon         common;
+    certDBEntryCert           cert;
+    certDBEntryContentVersion content;
+    certDBEntryNickname       nickname;
+    certDBEntryRevocation     revocation;
+    certDBEntrySMime          smime;
+    certDBEntrySubject        subject;
+    certDBEntryVersion        version;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN	7
+#define DB_CERT_V5_ENTRY_HEADER_LEN	7
+#define DB_CERT_V6_ENTRY_HEADER_LEN	7
+#define DB_CERT_ENTRY_HEADER_LEN	10
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+#define CERTDB_NOT_TRUSTED	(1<<10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
+
+/* bits not affected by the CKO_NETSCAPE_TRUST object */
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
+        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
+                                        CERTDB_GOVT_APPROVED_CA)
+
+#endif /* _PCERTT_H_ */
diff --git a/security/nss/lib/softoken/legacydb/pk11db.c b/security/nss/lib/softoken/legacydb/pk11db.c
new file mode 100644
index 000000000..f85a0a6c3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pk11db.c
@@ -0,0 +1,773 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+
+#include "pk11pars.h"
+#include "lgdb.h"
+#include "mcom_db.h"
+#include "secerr.h"
+
+#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
+
+/* Construct a database key for a given module */
+static SECStatus secmod_MakeKey(DBT *key, char * module) {
+    int len = 0;
+    char *commonName;
+
+    commonName = secmod_argGetParamValue("name",module);
+    if (commonName == NULL) {
+	commonName = secmod_argGetParamValue("library",module);
+    }
+    if (commonName == NULL) return SECFailure;
+    len = PORT_Strlen(commonName);
+    key->data = commonName;
+    key->size = len;
+    return SECSuccess;
+}
+
+/* free out constructed database key */
+static void 
+secmod_FreeKey(DBT *key) 
+{
+    if (key->data) {
+	PORT_Free(key->data);
+    }
+    key->data = NULL;
+    key->size = 0;
+}
+
+typedef struct secmodDataStr secmodData;
+typedef struct secmodSlotDataStr secmodSlotData;
+struct secmodDataStr {
+    unsigned char major;
+    unsigned char minor;
+    unsigned char nameStart[2];
+    unsigned char slotOffset[2];
+    unsigned char internal;
+    unsigned char fips;
+    unsigned char ssl[8];
+    unsigned char trustOrder[4];
+    unsigned char cipherOrder[4];
+    unsigned char reserved1;
+    unsigned char isModuleDB;
+    unsigned char isModuleDBOnly;
+    unsigned char isCritical;
+    unsigned char reserved[4];
+    unsigned char names[6];	/* enough space for the length fields */
+};
+
+struct secmodSlotDataStr {
+    unsigned char slotID[4];
+    unsigned char defaultFlags[4];
+    unsigned char timeout[4];
+    unsigned char askpw;
+    unsigned char hasRootCerts;
+    unsigned char reserved[18]; /* this makes it a round 32 bytes */
+};
+
+#define SECMOD_DB_VERSION_MAJOR 0
+#define SECMOD_DB_VERSION_MINOR 6
+#define SECMOD_DB_EXT1_VERSION_MAJOR 0
+#define SECMOD_DB_EXT1_VERSION_MINOR 6
+#define SECMOD_DB_NOUI_VERSION_MAJOR 0
+#define SECMOD_DB_NOUI_VERSION_MINOR 4
+
+#define SECMOD_PUTSHORT(dest,src) \
+	(dest)[1] = (unsigned char) ((src)&0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 8) & 0xff);
+#define SECMOD_PUTLONG(dest,src) \
+	(dest)[3] = (unsigned char) ((src)&0xff); \
+	(dest)[2] = (unsigned char) (((src) >> 8) & 0xff); \
+	(dest)[1] = (unsigned char) (((src) >> 16) & 0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 24) & 0xff);
+#define SECMOD_GETSHORT(src) \
+	((unsigned short) (((src)[0] << 8) | (src)[1]))
+#define SECMOD_GETLONG(src) \
+	((unsigned long) (( (unsigned long) (src)[0] << 24) | \
+			( (unsigned long) (src)[1] << 16)  | \
+			( (unsigned long) (src)[2] << 8) | \
+			(unsigned long) (src)[3]))
+
+/*
+ * build a data base entry from a module 
+ */
+static SECStatus 
+secmod_EncodeData(DBT *data, char * module) 
+{
+    secmodData *encoded = NULL;
+    secmodSlotData *slot;
+    unsigned char *dataPtr;
+    unsigned short len, len2 = 0, len3 = 0;
+    int count = 0;
+    unsigned short offset;
+    int dataLen, i;
+    unsigned long order;
+    unsigned long  ssl[2];
+    char *commonName = NULL , *dllName = NULL, *param = NULL, *nss = NULL;
+    char *slotParams, *ciphers;
+    PK11PreSlotInfo *slotInfo = NULL;
+    SECStatus rv = SECFailure;
+
+    rv = secmod_argParseModuleSpec(module,&dllName,&commonName,&param,&nss);
+    if (rv != SECSuccess) return rv;
+    rv = SECFailure;
+
+    if (commonName == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    len = PORT_Strlen(commonName);
+    if (dllName) {
+    	len2 = PORT_Strlen(dllName);
+    }
+    if (param) {
+	len3 = PORT_Strlen(param);
+    }
+
+    slotParams = secmod_argGetParamValue("slotParams",nss); 
+    slotInfo = secmod_argParseSlotInfo(NULL,slotParams,&count);
+    if (slotParams) PORT_Free(slotParams);
+
+    if (count && slotInfo == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    dataLen = sizeof(secmodData) + len + len2 + len3 + sizeof(unsigned short) +
+				 count*sizeof(secmodSlotData);
+
+    data->data = (unsigned char *) PORT_ZAlloc(dataLen);
+    encoded = (secmodData *)data->data;
+    dataPtr = (unsigned char *) data->data;
+    data->size = dataLen;
+
+    if (encoded == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    encoded->major = SECMOD_DB_VERSION_MAJOR;
+    encoded->minor = SECMOD_DB_VERSION_MINOR;
+    encoded->internal = (unsigned char) 
+			(secmod_argHasFlag("flags","internal",nss) ? 1 : 0);
+    encoded->fips = (unsigned char) 
+			(secmod_argHasFlag("flags","FIPS",nss) ? 1 : 0);
+    encoded->isModuleDB = (unsigned char) 
+			(secmod_argHasFlag("flags","isModuleDB",nss) ? 1 : 0);
+    encoded->isModuleDBOnly = (unsigned char) 
+		    (secmod_argHasFlag("flags","isModuleDBOnly",nss) ? 1 : 0);
+    encoded->isCritical = (unsigned char) 
+			(secmod_argHasFlag("flags","critical",nss) ? 1 : 0);
+
+    order = secmod_argReadLong("trustOrder", nss, SECMOD_DEFAULT_TRUST_ORDER, 
+                               NULL);
+    SECMOD_PUTLONG(encoded->trustOrder,order);
+    order = secmod_argReadLong("cipherOrder", nss, SECMOD_DEFAULT_CIPHER_ORDER, 
+                               NULL);
+    SECMOD_PUTLONG(encoded->cipherOrder,order);
+
+   
+    ciphers = secmod_argGetParamValue("ciphers",nss); 
+    secmod_argSetNewCipherFlags(&ssl[0], ciphers);
+    SECMOD_PUTLONG(encoded->ssl,ssl[0]);
+    SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]);
+    if (ciphers) PORT_Free(ciphers);
+
+    offset = (unsigned short) &(((secmodData *)0)->names[0]);
+    SECMOD_PUTSHORT(encoded->nameStart,offset);
+    offset = offset + len + len2 + len3 + 3*sizeof(unsigned short);
+    SECMOD_PUTSHORT(encoded->slotOffset,offset);
+
+
+    SECMOD_PUTSHORT(&dataPtr[offset],((unsigned short)count));
+    slot = (secmodSlotData *)(dataPtr+offset+sizeof(unsigned short));
+
+    offset = 0;
+    SECMOD_PUTSHORT(encoded->names,len);
+    offset += sizeof(unsigned short);
+    PORT_Memcpy(&encoded->names[offset],commonName,len);
+    offset += len;
+
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len2);
+    offset += sizeof(unsigned short);
+    if (len2) PORT_Memcpy(&encoded->names[offset],dllName,len2);
+    offset += len2;
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len3);
+    offset += sizeof(unsigned short);
+    if (len3) PORT_Memcpy(&encoded->names[offset],param,len3);
+    offset += len3;
+
+    if (count) {
+	for (i=0; i < count; i++) {
+	    SECMOD_PUTLONG(slot[i].slotID, slotInfo[i].slotID);
+	    SECMOD_PUTLONG(slot[i].defaultFlags,
+					slotInfo[i].defaultFlags);
+	    SECMOD_PUTLONG(slot[i].timeout,slotInfo[i].timeout);
+	    slot[i].askpw = slotInfo[i].askpw;
+	    slot[i].hasRootCerts = slotInfo[i].hasRootCerts;
+	    PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (commonName) PORT_Free(commonName);
+    if (dllName) PORT_Free(dllName);
+    if (param) PORT_Free(param);
+    if (slotInfo) PORT_Free(slotInfo);
+    if (nss) PORT_Free(nss);
+    return rv;
+
+}
+
+static void 
+secmod_FreeData(DBT *data)
+{
+    if (data->data) {
+	PORT_Free(data->data);
+    }
+}
+
+static void
+secmod_FreeSlotStrings(char **slotStrings, int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (slotStrings[i]) {
+	    PR_smprintf_free(slotStrings[i]);
+	    slotStrings[i] = NULL;
+	}
+    }
+}
+
+/*
+ * build a module from the data base entry.
+ */
+static char *
+secmod_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
+{
+    secmodData *encoded;
+    secmodSlotData *slots;
+    PLArenaPool *arena;
+    char *commonName 		= NULL;
+    char *dllName    		= NULL;
+    char *parameters 		= NULL;
+    char *nss;
+    char *moduleSpec;
+    char **slotStrings 		= NULL;
+    unsigned char *names;
+    unsigned long slotCount;
+    unsigned long ssl0		=0;
+    unsigned long ssl1		=0;
+    unsigned long slotID;
+    unsigned long defaultFlags;
+    unsigned long timeout;
+    unsigned long trustOrder	=SECMOD_DEFAULT_TRUST_ORDER;
+    unsigned long cipherOrder	=SECMOD_DEFAULT_CIPHER_ORDER;
+    unsigned short len;
+    unsigned short namesOffset  = 0;	/* start of the names block */
+    unsigned long namesRunningOffset;	/* offset to name we are 
+					 * currently processing */
+    unsigned short slotOffset;
+    PRBool isOldVersion  	= PR_FALSE;
+    PRBool internal;
+    PRBool isFIPS;
+    PRBool isModuleDB    	=PR_FALSE;
+    PRBool isModuleDBOnly	=PR_FALSE;
+    PRBool extended      	=PR_FALSE;
+    int i;
+
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) 
+    	return NULL;
+
+#define CHECK_SIZE(x) \
+    if ((unsigned int) data->size < (unsigned int)(x)) goto db_loser
+
+    /* -------------------------------------------------------------
+    ** Process the buffer header, which is the secmodData struct. 
+    ** It may be an old or new version.  Check the length for each. 
+    */
+
+    CHECK_SIZE( offsetof(secmodData, trustOrder[0]) );
+
+    encoded = (secmodData *)data->data;
+
+    internal = (encoded->internal != 0) ? PR_TRUE: PR_FALSE;
+    isFIPS   = (encoded->fips     != 0) ? PR_TRUE: PR_FALSE;
+
+    if (retInternal)
+	*retInternal = internal;
+    if (internal) {
+	parameters = PORT_ArenaStrdup(arena,defParams);
+	if (parameters == NULL) 
+	    goto loser;
+    }
+    if (internal && (encoded->major == SECMOD_DB_NOUI_VERSION_MAJOR) &&
+ 	(encoded->minor <= SECMOD_DB_NOUI_VERSION_MINOR)) {
+	isOldVersion = PR_TRUE;
+    }
+    if ((encoded->major == SECMOD_DB_EXT1_VERSION_MAJOR) &&
+	(encoded->minor >= SECMOD_DB_EXT1_VERSION_MINOR)) {
+	CHECK_SIZE( sizeof(secmodData));
+	trustOrder     = SECMOD_GETLONG(encoded->trustOrder);
+	cipherOrder    = SECMOD_GETLONG(encoded->cipherOrder);
+	isModuleDB     = (encoded->isModuleDB != 0) ? PR_TRUE: PR_FALSE;
+	isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE: PR_FALSE;
+	extended       = PR_TRUE;
+    } 
+    if (internal && !extended) {
+	trustOrder = 0;
+	cipherOrder = 100;
+    }
+    /* decode SSL cipher enable flags */
+    ssl0 = SECMOD_GETLONG(encoded->ssl);
+    ssl1 = SECMOD_GETLONG(encoded->ssl + 4);
+
+    slotOffset  = SECMOD_GETSHORT(encoded->slotOffset);
+    namesOffset = SECMOD_GETSHORT(encoded->nameStart);
+
+
+    /*--------------------------------------------------------------
+    ** Now process the variable length set of names.                
+    ** The names have this structure:
+    ** struct {
+    **     BYTE  commonNameLen[ 2 ];
+    **     BYTE  commonName   [ commonNameLen ];
+    **     BTTE  libNameLen   [ 2 ];
+    **     BYTE  libName      [ libNameLen ];
+    ** If it is "extended" it also has these members:
+    **     BYTE  initStringLen[ 2 ];
+    **     BYTE  initString   [ initStringLen ];
+    ** }
+    */
+
+    namesRunningOffset = namesOffset;
+    /* copy the module's common name */
+    CHECK_SIZE( namesRunningOffset + 2);
+    names = (unsigned char *)data->data;
+    len   = SECMOD_GETSHORT(names+namesRunningOffset);
+
+    CHECK_SIZE( namesRunningOffset + 2 + len);
+    commonName = (char*)PORT_ArenaAlloc(arena,len+1);
+    if (commonName == NULL) 
+	goto loser;
+    PORT_Memcpy(commonName, names + namesRunningOffset + 2, len);
+    commonName[len] = 0;
+    namesRunningOffset += len + 2;
+
+    /* copy the module's shared library file name. */
+    CHECK_SIZE( namesRunningOffset + 2);
+    len = SECMOD_GETSHORT(names + namesRunningOffset);
+    if (len) {
+	CHECK_SIZE( namesRunningOffset + 2 + len);
+	dllName = (char*)PORT_ArenaAlloc(arena,len + 1);
+	if (dllName == NULL) 
+	    goto loser;
+	PORT_Memcpy(dllName, names + namesRunningOffset + 2, len);
+	dllName[len] = 0;
+    }
+    namesRunningOffset += len + 2;
+
+    /* copy the module's initialization string, if present. */
+    if (!internal && extended) {
+	CHECK_SIZE( namesRunningOffset + 2);
+	len = SECMOD_GETSHORT(names+namesRunningOffset);
+	if (len) {
+	    CHECK_SIZE( namesRunningOffset + 2 + len );
+	    parameters = (char*)PORT_ArenaAlloc(arena,len + 1);
+	    if (parameters == NULL) 
+		goto loser;
+	    PORT_Memcpy(parameters,names + namesRunningOffset + 2, len);
+	    parameters[len] = 0;
+	}
+	namesRunningOffset += len + 2;
+    }
+
+    /* 
+     * Consistency check: Make sure the slot and names blocks don't
+     * overlap. These blocks can occur in any order, so this check is made 
+     * in 2 parts. First we check the case where the slot block starts 
+     * after the name block. Later, when we have the slot block length,
+     * we check the case where slot block starts before the name block.
+     * NOTE: in most cases any overlap will likely be detected by invalid 
+     * data read from the blocks, but it's better to find out sooner 
+     * than later.
+     */
+    if (slotOffset >= namesOffset) { /* slot block starts after name block */
+	if (slotOffset < namesRunningOffset) {
+	    goto db_loser;
+	}
+    }
+
+    /* ------------------------------------------------------------------
+    ** Part 3, process the slot table.
+    ** This part has this structure:
+    ** struct {
+    **     BYTE slotCount [ 2 ];
+    **     secmodSlotData [ slotCount ];
+    ** {
+    */
+
+    CHECK_SIZE( slotOffset + 2 );
+    slotCount = SECMOD_GETSHORT((unsigned char *)data->data + slotOffset);
+
+    /* 
+     * Consistency check: Part 2. We now have the slot block length, we can 
+     * check the case where the slotblock procedes the name block.
+     */
+    if (slotOffset < namesOffset) { /* slot block starts before name block */
+	if (namesOffset < slotOffset + 2 + slotCount*sizeof(secmodSlotData)) {
+	    goto db_loser;
+	}
+    }
+
+    CHECK_SIZE( (slotOffset + 2 + slotCount * sizeof(secmodSlotData)));
+    slots = (secmodSlotData *) ((unsigned char *)data->data + slotOffset + 2);
+
+    /*  slotCount; */
+    slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));
+    if (slotStrings == NULL)
+	goto loser;
+    for (i=0; i < (int) slotCount; i++, slots++) {
+	PRBool hasRootCerts	=PR_FALSE;
+	PRBool hasRootTrust	=PR_FALSE;
+	slotID       = SECMOD_GETLONG(slots->slotID);
+	defaultFlags = SECMOD_GETLONG(slots->defaultFlags);
+	timeout      = SECMOD_GETLONG(slots->timeout);
+	hasRootCerts = slots->hasRootCerts;
+	if (isOldVersion && internal && (slotID != 2)) {
+		unsigned long internalFlags=
+			secmod_argSlotFlags("slotFlags",SECMOD_SLOT_FLAGS);
+		defaultFlags |= internalFlags;
+	}
+	if (hasRootCerts && !extended) {
+	    trustOrder = 100;
+	}
+
+	slotStrings[i] = secmod_mkSlotString(slotID, defaultFlags, timeout, 
+	                                   (unsigned char)slots->askpw, 
+	                                   hasRootCerts, hasRootTrust);
+	if (slotStrings[i] == NULL) {
+	    secmod_FreeSlotStrings(slotStrings,i);
+	    goto loser;
+	}
+    }
+
+    nss = secmod_mkNSS(slotStrings, slotCount, internal, isFIPS, isModuleDB, 
+		     isModuleDBOnly, internal, trustOrder, cipherOrder, 
+		     ssl0, ssl1);
+    secmod_FreeSlotStrings(slotStrings,slotCount);
+    /* it's permissible (and normal) for nss to be NULL. it simply means
+     * there are no NSS specific parameters in the database */
+    moduleSpec = secmod_mkNewModuleSpec(dllName,commonName,parameters,nss);
+    PR_smprintf_free(nss);
+    PORT_FreeArena(arena,PR_TRUE);
+    return moduleSpec;
+
+db_loser:
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+loser:
+    PORT_FreeArena(arena,PR_TRUE);
+    return NULL;
+}
+
+static DB *
+secmod_OpenDB(const char *appName, const char *filename, const char *dbName, 
+				PRBool readOnly, PRBool update)
+{
+    DB *pkcs11db = NULL;
+
+
+    if (appName) {
+	char *secname = PORT_Strdup(filename);
+	int len = strlen(secname);
+	int status = RDB_FAIL;
+
+	if (len >= 3 && PORT_Strcmp(&secname[len-3],".db") == 0) {
+	   secname[len-3] = 0;
+	}
+    	pkcs11db=
+	   rdbopen(appName, "", secname, readOnly ? NO_RDONLY:NO_RDWR, NULL);
+	if (update && !pkcs11db) {
+	    DB *updatedb;
+
+    	    pkcs11db = rdbopen(appName, "", secname, NO_CREATE, &status);
+	    if (!pkcs11db) {
+		if (status == RDB_RETRY) {
+ 		    pkcs11db= rdbopen(appName, "", secname, 
+					readOnly ? NO_RDONLY:NO_RDWR, NULL);
+		}
+		PORT_Free(secname);
+		return pkcs11db;
+	    }
+	    updatedb = dbopen(dbName, NO_RDONLY, 0600, DB_HASH, 0);
+	    if (updatedb) {
+		db_Copy(pkcs11db,updatedb);
+		(*updatedb->close)(updatedb);
+	    } else {
+		(*pkcs11db->close)(pkcs11db);
+		PORT_Free(secname);
+		return NULL;
+	   }
+	}
+	PORT_Free(secname);
+	return pkcs11db;
+    }
+  
+    /* I'm sure we should do more checks here sometime... */
+    pkcs11db = dbopen(dbName, readOnly ? NO_RDONLY : NO_RDWR, 0600, DB_HASH, 0);
+
+    /* didn't exist? create it */
+    if (pkcs11db == NULL) {
+	 if (readOnly) 
+	     return NULL;
+
+	 pkcs11db = dbopen( dbName, NO_CREATE, 0600, DB_HASH, 0 );
+	 if (pkcs11db) 
+	     (* pkcs11db->sync)(pkcs11db, 0);
+    }
+    return pkcs11db;
+}
+
+static void 
+secmod_CloseDB(DB *pkcs11db) 
+{
+     (*pkcs11db->close)(pkcs11db);
+}
+
+static char *
+secmod_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+
+    return newString;
+}
+
+SECStatus legacy_AddSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *module, PRBool rw);
+
+#define SECMOD_STEP 10
+#define SFTK_DEFAULT_INTERNAL_INIT "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"%s\" NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})\""
+/*
+ * Read all the existing modules in
+ */
+char **
+legacy_ReadSecmodDB(const char *appName, const char *filename,
+				const char *dbname, char *params, PRBool rw)
+{
+    DBT key,data;
+    int ret;
+    DB *pkcs11db = NULL;
+    char **moduleList = NULL, **newModuleList = NULL;
+    int moduleCount = 1;
+    int useCount = SECMOD_STEP;
+
+    moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+    if (moduleList == NULL) return NULL;
+
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_TRUE,rw);
+    if (pkcs11db == NULL) goto done;
+
+    /* read and parse the file or data base */
+    ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
+    if (ret)  goto done;
+
+
+    do {
+	char *moduleString;
+	PRBool internal = PR_FALSE;
+	if ((moduleCount+1) >= useCount) {
+	    useCount += SECMOD_STEP;
+	    newModuleList =
+		(char **)PORT_Realloc(moduleList,useCount*sizeof(char *));
+	    if (newModuleList == NULL) goto done;
+	    moduleList = newModuleList;
+	    PORT_Memset(&moduleList[moduleCount+1],0,
+						sizeof(char *)*SECMOD_STEP);
+	}
+	moduleString = secmod_DecodeData(params,&data,&internal);
+	if (internal) {
+	    moduleList[0] = moduleString;
+	} else {
+	    moduleList[moduleCount] = moduleString;
+	    moduleCount++;
+	}
+    } while ( (*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
+
+done:
+    if (!moduleList[0]) {
+	char * newparams = secmod_addEscape(params,'"');
+	if (newparams) {
+	    moduleList[0] = PR_smprintf(SFTK_DEFAULT_INTERNAL_INIT,newparams,
+						SECMOD_SLOT_FLAGS);
+	    PORT_Free(newparams);
+	}
+    }
+    /* deal with trust cert db here */
+
+    if (pkcs11db) {
+	secmod_CloseDB(pkcs11db);
+    } else if (moduleList[0] && rw) {
+	legacy_AddSecmodDB(appName,filename,dbname,moduleList[0], rw) ;
+    }
+    if (!moduleList[0]) {
+	PORT_Free(moduleList);
+	moduleList = NULL;
+    }
+    return moduleList;
+}
+
+SECStatus
+legacy_ReleaseSecmodDBData(const char *appName, const char *filename, 
+			const char *dbname, char **moduleSpecList, PRBool rw)
+{
+    if (moduleSpecList) {
+	char **index;
+	for(index = moduleSpecList; *index; index++) {
+	    PR_smprintf_free(*index);
+	}
+	PORT_Free(moduleSpecList);
+    }
+    return SECSuccess;
+}
+
+/*
+ * Delete a module from the Data Base
+ */
+SECStatus
+legacy_DeleteSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *args, PRBool rw)
+{
+    DBT key;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,args);
+    if (rv != SECSuccess) goto done;
+    rv = SECFailure;
+    ret = (*pkcs11db->del)(pkcs11db, &key, 0);
+    secmod_FreeKey(&key);
+    if (ret != 0) goto done;
+
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}
+
+/*
+ * Add a module to the Data base 
+ */
+SECStatus
+legacy_AddSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *module, PRBool rw)
+{
+    DBT key,data;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,module);
+    if (rv != SECSuccess) goto done;
+    rv = secmod_EncodeData(&data,module);
+    if (rv != SECSuccess) {
+	secmod_FreeKey(&key);
+	goto done;
+    }
+    rv = SECFailure;
+    ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
+    secmod_FreeKey(&key);
+    secmod_FreeData(&data);
+    if (ret != 0) goto done;
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}
diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c
new file mode 100644
index 000000000..d541fb722
--- /dev/null
+++ b/security/nss/lib/softoken/lgglue.c
@@ -0,0 +1,429 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "sdb.h"
+#include "prsystem.h"
+#include "prprf.h"
+#include "prenv.h"
+#include "lgglue.h"
+#include "secerr.h"
+
+static LGOpenFunc legacy_glue_open = NULL;
+static LGReadSecmodFunc legacy_glue_readSecmod = NULL;
+static LGReleaseSecmodFunc legacy_glue_releaseSecmod = NULL;
+static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
+static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
+static LGShutdownFunc legacy_glue_shutdown = NULL;
+
+/*
+ * The following 3 functions duplicate the work done by bl_LoadLibrary.
+ * We should make bl_LoadLibrary a global and replace the call to
+ * sftkdb_LoadLibrary(const char *libname) with it.
+ */
+#ifdef XP_UNIX
+#include <unistd.h>
+#define LG_MAX_LINKS 20
+static char *
+sftkdb_resolvePath(const char *orig)
+{
+    int count = 0;
+    int len =0;
+    int ret = -1;
+    char *resolved = NULL;
+    char *source = NULL;
+
+    len = 1025; /* MAX PATH +1*/
+    if (strlen(orig)+1 > len) {
+	/* PATH TOO LONG */
+	return NULL;
+    }
+    resolved = PORT_Alloc(len);
+    if (!resolved) {
+	return NULL;
+    }
+    source = PORT_Alloc(len);
+    if (!source) {
+	goto loser;
+    }
+    PORT_Strcpy(source, orig);
+    /* Walk down all the links */
+    while ( count++ < LG_MAX_LINKS) {
+	char *tmp;
+	/* swap our previous sorce out with resolved */
+	/* read it */
+	ret = readlink(source, resolved, len-1);
+	if (ret  < 0) {
+	    break;
+ 	}
+	resolved[ret] = 0;
+	tmp = source; source = resolved; resolved = tmp;
+    }
+    if (count > 1) {
+	ret = 0;
+    }
+loser:
+    if (resolved) {
+	PORT_Free(resolved);
+    }
+    if (ret < 0) {
+	if (source) {
+	    PORT_Free(source);
+	    source = NULL;
+	}
+    }
+    return source;
+}
+
+#endif
+
+static PRLibrary *
+sftkdb_LoadFromPath(const char *path, const char *libname)
+{
+    char *c;
+    int pathLen, nameLen, fullPathLen;
+    char *fullPathName = NULL;
+    PRLibSpec libSpec;
+    PRLibrary *lib = NULL;
+
+
+    /* strip of our parent's library name */ 
+    c = strrchr(path, PR_GetDirectorySeparator());
+    if (!c) {
+	return NULL; /* invalid path */
+    }
+    pathLen = (c-path)+1;
+    nameLen = strlen(libname);
+    fullPathLen = pathLen + nameLen +1;
+    fullPathName = (char *)PORT_Alloc(fullPathLen);
+    if (fullPathName == NULL) {
+	return NULL; /* memory allocation error */
+    }
+    PORT_Memcpy(fullPathName, path, pathLen);
+    PORT_Memcpy(fullPathName+pathLen, libname, nameLen);
+    fullPathName[fullPathLen-1] = 0;
+
+    libSpec.type = PR_LibSpec_Pathname;
+    libSpec.value.pathname = fullPathName;
+    lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+    PORT_Free(fullPathName);
+    return lib;
+}
+
+static PRLibrary *
+sftkdb_LoadLibrary(const char *libname)
+{
+    PRLibrary *lib = NULL;
+    PRFuncPtr fn_addr;
+    char *parentLibPath = NULL;
+
+    fn_addr  = (PRFuncPtr) &sftkdb_LoadLibrary;
+    parentLibPath = PR_GetLibraryFilePathname(SOFTOKEN_LIB_NAME, fn_addr);
+
+    if (!parentLibPath) {
+	goto done;
+    }
+
+    lib = sftkdb_LoadFromPath(parentLibPath, libname);
+#ifdef XP_UNIX
+    /* handle symbolic link case */
+    if (!lib) {
+	char *trueParentLibPath = sftkdb_resolvePath(parentLibPath);
+	if (!trueParentLibPath) {
+	    goto done;
+	}
+    	lib = sftkdb_LoadFromPath(trueParentLibPath, libname);
+	PORT_Free(trueParentLibPath);
+    }
+#endif
+
+done:
+    if (parentLibPath) {
+	PORT_Free(parentLibPath);
+    }
+
+    /* still couldn't load it, try the generic path */
+    if (!lib) {
+	PRLibSpec libSpec;
+	libSpec.type = PR_LibSpec_Pathname;
+	libSpec.value.pathname = libname;
+	lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+    }
+    return lib;
+}
+
+/*
+ * stub files for legacy db's to be able to encrypt and decrypt
+ * various keys and attributes.
+ */
+static SECStatus
+sftkdb_encrypt_stub(PRArenaPool *arena, SDB *sdb, SECItem *plainText,
+		    SECItem **cipherText)
+{
+    SFTKDBHandle *handle = sdb->app_private;
+    SECStatus rv;
+
+    if (handle == NULL) {
+	return SECFailure;
+    }
+
+    /* if we aren't the key handle, try the other handle */
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	handle = handle->peerDB;
+    }
+
+    /* not a key handle */
+    if (handle == NULL || handle->passwordLock == NULL) {
+	return SECFailure;
+    }
+
+    PZ_Lock(handle->passwordLock);
+    if (handle->passwordKey.data == NULL) {
+	PZ_Unlock(handle->passwordLock);
+	/* PORT_SetError */
+	return SECFailure;
+    }
+
+    rv = sftkdb_EncryptAttribute(arena, 
+	handle->newKey?handle->newKey:&handle->passwordKey, 
+	plainText, cipherText);
+    PZ_Unlock(handle->passwordLock);
+
+    return rv;
+}
+
+/*
+ * stub files for legacy db's to be able to encrypt and decrypt
+ * various keys and attributes.
+ */
+static SECStatus
+sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText) 
+{
+    SFTKDBHandle *handle = sdb->app_private;
+    SECStatus rv;
+    SECItem *oldKey = NULL;
+
+    if (handle == NULL) {
+	return SECFailure;
+    }
+
+    /* if we aren't th handle, try the other handle */
+    oldKey = handle->oldKey;
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	handle = handle->peerDB;
+    }
+
+    /* not a key handle */
+    if (handle == NULL || handle->passwordLock == NULL) {
+	return SECFailure;
+    }
+
+    PZ_Lock(handle->passwordLock);
+    if (handle->passwordKey.data == NULL) {
+	PZ_Unlock(handle->passwordLock);
+	/* PORT_SetError */
+	return SECFailure;
+    }
+    rv = sftkdb_DecryptAttribute( oldKey ? oldKey : &handle->passwordKey,
+		cipherText, plainText);
+    PZ_Unlock(handle->passwordLock);
+
+    return rv;
+}
+
+static PRLibrary *legacy_glue_lib = NULL;
+static SECStatus 
+sftkdbLoad_Legacy()
+{
+    PRLibrary *lib = NULL;
+    LGSetCryptFunc setCryptFunction = NULL;
+
+    if (legacy_glue_lib) {
+	return SECSuccess;
+    }
+
+    lib = sftkdb_LoadLibrary(SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX);
+    if (lib == NULL) {
+	return SECFailure;
+    }
+    
+    legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
+    legacy_glue_readSecmod = (LGReadSecmodFunc) PR_FindFunctionSymbol(lib,
+						 "legacy_ReadSecmodDB");
+    legacy_glue_releaseSecmod = (LGReleaseSecmodFunc) PR_FindFunctionSymbol(lib,
+					 	 "legacy_ReleaseSecmodDBData");
+    legacy_glue_deleteSecmod = (LGDeleteSecmodFunc) PR_FindFunctionSymbol(lib,
+						 "legacy_DeleteSecmodDB");
+    legacy_glue_addSecmod = (LGAddSecmodFunc)PR_FindFunctionSymbol(lib, 
+						 "legacy_AddSecmodDB");
+    legacy_glue_shutdown = (LGShutdownFunc) PR_FindFunctionSymbol(lib, 
+						"legacy_Shutdown");
+    setCryptFunction = (LGSetCryptFunc) PR_FindFunctionSymbol(lib, 
+						"legacy_SetCryptFunctions");
+
+    if (!legacy_glue_open || !legacy_glue_readSecmod || 
+	    !legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod || 
+	    !legacy_glue_addSecmod || !setCryptFunction) {
+	PR_UnloadLibrary(lib);
+	return SECFailure;
+    }
+    setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub);
+    legacy_glue_lib = lib;
+    return SECSuccess;
+}
+
+CK_RV
+sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (!legacy_glue_open) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_open)(dir, certPrefix, keyPrefix, 
+				certVersion, keyVersion,
+				flags, certDB, keyDB);
+}
+
+char **
+sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *params, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    if (!legacy_glue_readSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+    return (*legacy_glue_readSecmod)(appName, filename, dbname, params, rw);
+}
+
+SECStatus
+sftkdbCall_ReleaseSecmodDBData(const char *appName, 
+			const char *filename, const char *dbname, 
+			char **moduleSpecList, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_releaseSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_releaseSecmod)(appName, filename, dbname, 
+					  moduleSpecList, rw);
+}
+
+SECStatus
+sftkdbCall_DeleteSecmodDB(const char *appName, 
+		      const char *filename, const char *dbname, 
+		      char *args, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_deleteSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_deleteSecmod)(appName, filename, dbname, args, rw);
+}
+
+SECStatus
+sftkdbCall_AddSecmodDB(const char *appName, 
+		   const char *filename, const char *dbname, 
+		   char *module, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_addSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_addSecmod)(appName, filename, dbname, module, rw);
+}
+
+CK_RV
+sftkdbCall_Shutdown(void)
+{
+    CK_RV crv = CKR_OK;
+    char *disableUnload = NULL;
+    if (!legacy_glue_lib) {
+	return CKR_OK;
+    }
+    if (legacy_glue_shutdown) {
+	crv = (*legacy_glue_shutdown)();
+    }
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+    if (!disableUnload) {
+        PR_UnloadLibrary(legacy_glue_lib);
+    }
+    legacy_glue_lib = NULL;
+    legacy_glue_open = NULL;
+    legacy_glue_readSecmod = NULL;
+    legacy_glue_releaseSecmod = NULL;
+    legacy_glue_deleteSecmod = NULL;
+    legacy_glue_addSecmod = NULL;
+    return crv;
+}
+    
+
diff --git a/security/nss/lib/softoken/lgglue.h b/security/nss/lib/softoken/lgglue.h
new file mode 100644
index 000000000..8ced909d3
--- /dev/null
+++ b/security/nss/lib/softoken/lgglue.h
@@ -0,0 +1,92 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ * This code defines the glue layer between softoken and the legacy DB library
+ */
+#include "sdb.h"
+
+/*
+ * function prototypes for the callbacks into softoken from the legacyDB
+ */
+
+typedef SECStatus (*LGEncryptFunc)(PRArenaPool *arena, SDB *sdb, 
+				  SECItem *plainText, SECItem **cipherText);
+typedef SECStatus (*LGDecryptFunc)(SDB *sdb, SECItem *cipherText, 
+				   SECItem **plainText);
+
+/*
+ * function prototypes for the exported functions.
+ */
+typedef CK_RV (*LGOpenFunc) (const char *dir, const char *certPrefix, 
+		const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB);
+typedef char ** (*LGReadSecmodFunc)(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGReleaseSecmodFunc)(const char *appName,
+			const char *filename, 
+			const char *dbname, char **params, PRBool rw);
+typedef SECStatus (*LGDeleteSecmodFunc)(const char *appName,
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGAddSecmodFunc)(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGShutdownFunc)(void);
+typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+
+
+/*
+ * Softoken Glue Functions
+ */
+CK_RV sftkdbCall_open(const char *dir, const char *certPrefix, 
+		const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB);
+char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+SECStatus sftkdbCall_ReleaseSecmodDBData(const char *appName, 
+			const char *filename, const char *dbname, 
+			char **moduleSpecList, PRBool rw);
+SECStatus sftkdbCall_DeleteSecmodDB(const char *appName, 
+		      const char *filename, const char *dbname, 
+		      char *args, PRBool rw);
+SECStatus sftkdbCall_AddSecmodDB(const char *appName, 
+		   const char *filename, const char *dbname, 
+		   char *module, PRBool rw);
+CK_RV sftkdbCall_Shutdown(void);
+
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
new file mode 100644
index 000000000..4174cef63
--- /dev/null
+++ b/security/nss/lib/softoken/lowkey.c
@@ -0,0 +1,525 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#ifdef NSS_ENABLE_ECC
+#include "softoken.h"
+#endif
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSLOWKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN ,
+        offsetof(NSSLOWKEYAttribute, attrValue),
+	SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+	SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+	nsslowkey_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+    { 0 }                                                                     
+};                                                                            
+
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
+    { 0, }
+};
+
+#ifdef NSS_ENABLE_ECC
+
+/* XXX This is just a placeholder for later when we support
+ * generic curves and need full-blown support for parsing EC
+ * parameters. For now, we only support named curves in which
+ * EC params are simply encoded as an object ID and we don't
+ * use nsslowkey_ECParamsTemplate.
+ */
+const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
+    { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
+    { 0, }
+};
+
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
+    { SEC_ASN1_OCTET_STRING, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.privateValue) },
+    /* XXX The following template works for now since we only
+     * support named curves for which the parameters are
+     * encoded as an object ID. When we support generic curves,
+     * we'll need to define nsslowkey_ECParamsTemplate
+     */
+#if 1
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams.curveOID), 
+      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }, 
+#else
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
+      nsslowkey_ECParamsTemplate }, 
+#endif
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
+      SEC_ASN1_SUB(SEC_BitStringTemplate) }, 
+    { 0, }
+};
+#endif /* NSS_ENABLE_ECC */
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.publicValue.type = siUnsignedInteger;
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+    key->u.dh.publicValue.type = siUnsignedInteger;
+    key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+#ifdef NSS_ENABLE_ECC
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+    params->DEREncoding.type = siUnsignedInteger;
+    params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.ec.version.type = siUnsignedInteger;
+    key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+    key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+    key->u.ec.privateValue.type = siUnsignedInteger;
+    key->u.ec.publicValue.type = siUnsignedInteger;
+}
+#endif /* NSS_ENABLE_ECC */
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+    if (privk && privk->arena) {
+	PORT_FreeArena(privk->arena, PR_TRUE);
+    }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+    if (pubk && pubk->arena) {
+	PORT_FreeArena(pubk->arena, PR_FALSE);
+    }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case NSSLOWKEYRSAKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+
+    unsigned char b0;
+
+    switch (privk->keyType) {
+    case NSSLOWKEYRSAKey:
+	b0 = privk->u.rsa.modulus.data[0];
+	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+    NSSLOWKEYPublicKey *pubk;
+    PLArenaPool *arena;
+
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    switch(privk->keyType) {
+      case NSSLOWKEYRSAKey:
+      case NSSLOWKEYNullKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						sizeof (NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+				  &privk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
+				       &privk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return pubk;
+	    }
+	} else {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	}
+	break;
+      case NSSLOWKEYDSAKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+				  &privk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+				  &privk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+				  &privk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+				  &privk->u.dsa.params.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+      case NSSLOWKEYDHKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+				  &privk->u.dh.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+				  &privk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+				  &privk->u.dh.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+				  &privk->u.ec.publicValue);
+	    if (rv != SECSuccess) break;
+	    pubk->u.ec.ecParams.arena = arena;
+	    /* Copy the rest of the params */
+	    rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
+			       &(privk->u.ec.ecParams));
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#endif /* NSS_ENABLE_ECC */
+	/* No Fortezza in Low Key implementations (Fortezza keys aren't
+	 * stored in our data base */
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
+{
+    NSSLOWKEYPrivateKey *returnKey = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *poolp;
+
+    if(!privKey) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(!poolp) {
+	return NULL;
+    }
+
+    returnKey = (NSSLOWKEYPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
+    if(!returnKey) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    returnKey->keyType = privKey->keyType;
+    returnKey->arena = poolp;
+
+    switch(privKey->keyType) {
+	case NSSLOWKEYRSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus), 
+	    				&(privKey->u.rsa.modulus));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version), 
+	    				&(privKey->u.rsa.version));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent), 
+	    				&(privKey->u.rsa.publicExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent), 
+	    				&(privKey->u.rsa.privateExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1), 
+	    				&(privKey->u.rsa.prime1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2), 
+	    				&(privKey->u.rsa.prime2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1), 
+	    				&(privKey->u.rsa.exponent1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2), 
+	    				&(privKey->u.rsa.exponent2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient), 
+	    				&(privKey->u.rsa.coefficient));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
+	    				&(privKey->u.dsa.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
+	    				&(privKey->u.dsa.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
+					&(privKey->u.dsa.params.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
+					&(privKey->u.dsa.params.subPrime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
+					&(privKey->u.dsa.params.base));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDHKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
+	    				&(privKey->u.dh.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
+	    				&(privKey->u.dh.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
+					&(privKey->u.dh.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
+					&(privKey->u.dh.base));
+	    if(rv != SECSuccess) break;
+	    break;
+#ifdef NSS_ENABLE_ECC
+	case NSSLOWKEYECKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
+	    				&(privKey->u.ec.version));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
+	    				&(privKey->u.ec.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
+	    				&(privKey->u.ec.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.ec.ecParams.arena = poolp;
+	    /* Copy the rest of the params */
+	    rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
+			       &(privKey->u.ec.ecParams));
+	    if (rv != SECSuccess) break;
+	    break;
+#endif /* NSS_ENABLE_ECC */
+	default:
+	    rv = SECFailure;
+    }
+
+loser:
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	returnKey = NULL;
+    }
+
+    return returnKey;
+}
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
new file mode 100644
index 000000000..9c13bfa10
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifdef NSS_ENABLE_ECC
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_ENABLE_ECC */
+
+/*
+** Destroy a private key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey 
+		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+/* Make a copy of a low private key in it's own arena.
+ * a return of NULL indicates an error.
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
+
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
new file mode 100644
index 000000000..15bb9730a
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -0,0 +1,127 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#ifdef NSS_ENABLE_ECC
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_ENABLE_ECC */
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+    SECItem attrType;
+    SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
+
+typedef enum { 
+    NSSLOWKEYNullKey = 0, 
+    NSSLOWKEYRSAKey = 1, 
+    NSSLOWKEYDSAKey = 2, 
+    NSSLOWKEYDHKey = 4,
+    NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType ;
+    union {
+        RSAPublicKey rsa;
+	DSAPublicKey dsa;
+	DHPublicKey  dh;
+	ECPublicKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType;
+    union {
+        RSAPrivateKey rsa;
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+	ECPrivateKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif	/* _LOWKEYTI_H_ */
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
new file mode 100644
index 000000000..f91839836
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -0,0 +1,1410 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "hasht.h"
+#include "pkcs11t.h"
+#include "blapi.h"
+#include "hasht.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "lowpbe.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+/* template for PKCS 5 PBE Parameter.  This template has been expanded
+ * based upon the additions in PKCS 12.  This should eventually be moved
+ * if RSA updates PKCS 5.
+ */
+static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSPKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, 
+	offsetof(NSSPKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSPKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+
+/* PKCS5 v2 */
+
+struct nsspkcs5V2PBEParameterStr {
+    SECAlgorithmID keyParams;  /* parameters of the key generation */
+    SECAlgorithmID algParams;  /* paramters for the encryption or mac op */
+};
+
+typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter;
+#define PBKDF2
+
+#ifdef PBKDF2
+static const SEC_ASN1Template NSSPKCS5V2PBES2ParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(nsspkcs5V2PBEParameter) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(nsspkcs5V2PBEParameter, keyParams), 
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(nsspkcs5V2PBEParameter, algParams),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSPKCS5V2PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+    /* this is really a choice, but since we don't understand any other
+     *choice, just inline it. */
+    { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
+    { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, keyLength) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+        offsetof(NSSPKCS5PBEParameter, prfAlg),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
+#endif
+
+SECStatus
+nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest,
+					 unsigned char *src, int len)
+{
+    void *ctx;
+    unsigned int retLen;
+
+    ctx = hashObj->create();
+    if(ctx == NULL) {
+	return SECFailure;
+    }
+    hashObj->begin(ctx);
+    hashObj->update(ctx, src, len);
+    hashObj->end(ctx, dest, &retLen, hashObj->length);
+    hashObj->destroy(ctx, PR_TRUE);
+    return SECSuccess;
+}
+
+/* generate bits using any hash
+ */
+static SECItem *
+nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd, 
+						int iter, PRBool faulty3DES) 
+{
+    SECItem *hash = NULL, *pre_hash = NULL;
+    SECStatus rv = SECFailure;
+
+    if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
+	return NULL;
+    }
+	
+    hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+
+    if((hash != NULL) && (pre_hash != NULL)) {
+	int i, ph_len;
+
+	ph_len = hashObj->length;
+	if((salt->len + pwd->len) > hashObj->length) {
+	    ph_len = salt->len + pwd->len;
+	}
+
+	rv = SECFailure;
+
+	/* allocate buffers */
+	hash->len = hashObj->length;
+	hash->data = (unsigned char *)PORT_ZAlloc(hash->len);
+	pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
+
+	/* in pbeSHA1TripleDESCBC there was an allocation error that made
+	 * it into the caller.  We do not want to propagate those errors
+	 * further, so we are doing it correctly, but reading the old method.
+	 */
+	if (faulty3DES) {
+	    pre_hash->len = ph_len;
+	} else {
+	    pre_hash->len = salt->len + pwd->len;
+	}
+
+	/* preform hash */
+	if ((hash->data != NULL) && (pre_hash->data != NULL)) {
+	    rv = SECSuccess;
+	    /* check for 0 length password */
+	    if(pwd->len > 0) {
+		PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
+	    }
+	    if(salt->len > 0) {
+		PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
+	    }
+	    for(i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
+		rv = nsspkcs5_HashBuf(hashObj, hash->data, 
+					pre_hash->data, pre_hash->len);
+		if(rv != SECFailure) {
+		    pre_hash->len = hashObj->length;
+		    PORT_Memcpy(pre_hash->data, hash->data, hashObj->length);
+		}
+	    }
+	}
+    }
+
+    if(pre_hash != NULL) {
+	SECITEM_FreeItem(pre_hash, PR_TRUE);
+    }
+
+    if((rv != SECSuccess) && (hash != NULL)) {
+	SECITEM_FreeItem(hash, PR_TRUE);
+	hash = NULL;
+    }
+
+    return hash;
+}
+
+/* this bit generation routine is described in PKCS 12 and the proposed
+ * extensions to PKCS 5.  an initial hash is generated following the
+ * instructions laid out in PKCS 5.  If the number of bits generated is
+ * insufficient, then the method discussed in the proposed extensions to
+ * PKCS 5 in PKCS 12 are used.  This extension makes use of the HMAC
+ * function.  And the P_Hash function from the TLS standard.
+ */
+static SECItem *
+nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param,
+				SECItem *init_hash, unsigned int bytes_needed)
+{
+    SECItem *ret_bits = NULL;
+    int hash_size = 0;
+    unsigned int i;
+    unsigned int hash_iter;
+    unsigned int dig_len;
+    SECStatus rv = SECFailure;
+    unsigned char *state = NULL;
+    unsigned int state_len;
+    HMACContext *cx = NULL;
+
+    hash_size = hashObj->length;
+    hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size;
+
+    /* allocate return buffer */
+    ret_bits = (SECItem  *)PORT_ZAlloc(sizeof(SECItem));
+    if(ret_bits == NULL)
+	return NULL;
+    ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
+    ret_bits->len = (hash_iter * hash_size);
+    if(ret_bits->data == NULL) {
+	PORT_Free(ret_bits);
+	return NULL;
+    }
+
+    /* allocate intermediate hash buffer.  8 is for the 8 bytes of
+     * data which are added based on iteration number 
+     */
+
+    if ((unsigned int)hash_size > pbe_param->salt.len) {
+	state_len = hash_size;
+    } else {
+	state_len = pbe_param->salt.len;
+    }
+    state = (unsigned char *)PORT_ZAlloc(state_len);
+    if(state == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    if(pbe_param->salt.len > 0) {
+	PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
+    }
+
+    cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE);
+    if (cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    for(i = 0; i < hash_iter; i++) { 
+
+	/* generate output bits */
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
+	rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
+			 &dig_len, hash_size);
+	if (rv != SECSuccess)
+	    goto loser;
+	PORT_Assert((unsigned int)hash_size == dig_len);
+
+	/* generate new state */
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	rv = HMAC_Finish(cx, state, &state_len, state_len);
+	if (rv != SECSuccess)
+	    goto loser;
+	PORT_Assert(state_len == dig_len);
+    }
+
+loser:
+    if (state != NULL)
+	PORT_ZFree(state, state_len);
+    HMAC_Destroy(cx, PR_TRUE);
+
+    if(rv != SECSuccess) {
+	SECITEM_ZfreeItem(ret_bits, PR_TRUE);
+	ret_bits = NULL;
+    }
+
+    return ret_bits;
+}
+
+/* generate bits for the key and iv determination.  if enough bits
+ * are not generated using PKCS 5, then we need to generate more bits
+ * based on the extension proposed in PKCS 12
+ */
+static SECItem *
+nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj,
+	 NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES)
+{
+    SECItem * hash 		= NULL;
+    SECItem * newHash 		= NULL;
+    int       bytes_needed;
+    int       bytes_available;
+    
+    bytes_needed = pbe_param->ivLen + pbe_param->keyLen;
+    bytes_available = hashObj->length;
+    
+    hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem, 
+						pbe_param->iter, faulty3DES);
+
+    if(hash == NULL) {
+	return NULL;
+    }
+
+    if(bytes_needed <= bytes_available) {
+	return hash;
+    } 
+
+    newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed);
+    if (hash != newHash)
+	SECITEM_FreeItem(hash, PR_TRUE);
+    return newHash;
+}
+
+#ifdef PBKDF2
+
+/*
+ * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS
+ */
+static void
+do_xor(unsigned char *dest, unsigned char *src, int len)
+{
+   /* use byt xor, not all platforms are happy about inaligned 
+    * integer fetches */
+    while (len--) {
+    	*dest = *dest ^ *src;
+	dest++;
+	src++;
+    }
+}
+
+static SECStatus
+nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
+			int iterations, unsigned int i, unsigned char *T)
+{
+    int j;
+    HMACContext *cx = NULL;
+    unsigned int hLen = hashobj->length;
+    SECStatus rv = SECFailure;
+    unsigned char *last = NULL;
+    unsigned int lastLength = salt->len + 4;
+    unsigned int lastBufLength;
+
+    cx=HMAC_Create(hashobj,pwitem->data,pwitem->len,PR_FALSE);
+    if (cx == NULL) {
+	goto loser;
+    }
+    PORT_Memset(T,0,hLen);
+    lastBufLength = PR_MAX(lastLength, hLen);
+    last = PORT_Alloc(lastBufLength);
+    if (last == NULL) {
+	goto loser;
+    }
+    PORT_Memcpy(last,salt->data,salt->len);
+    last[salt->len  ] = (i >> 24) & 0xff;
+    last[salt->len+1] = (i >> 16) & 0xff;
+    last[salt->len+2] = (i >> 8) & 0xff;
+    last[salt->len+3] =    i  & 0xff;
+
+    /* NOTE: we need at least one iteration to return success! */
+    for (j=0; j < iterations; j++) {
+	HMAC_Begin(cx);
+	HMAC_Update(cx,last,lastLength);
+	rv =HMAC_Finish(cx,last,&lastLength,hLen);
+	if (rv !=SECSuccess) {
+	   break;
+	}
+	do_xor(T,last,hLen);
+    }
+loser:
+    if (cx) {
+	HMAC_Destroy(cx, PR_TRUE);
+    }
+    if (last) {
+	PORT_ZFree(last,lastBufLength);
+    }
+    return rv;
+}
+
+static SECItem *
+nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param, 
+							SECItem *pwitem)
+{
+    int iterations = pbe_param->iter;
+    int bytesNeeded = pbe_param->keyLen;
+    unsigned int dkLen = bytesNeeded;
+    unsigned int hLen = hashobj->length;
+    unsigned int nblocks = (dkLen+hLen-1) / hLen;
+    unsigned int i;
+    unsigned char *rp;
+    unsigned char *T = NULL;
+    SECItem *result = NULL;
+    SECItem *salt = &pbe_param->salt;
+    SECStatus rv = SECFailure;
+
+    result = SECITEM_AllocItem(NULL,NULL,nblocks*hLen);
+    if (result == NULL) {
+	return NULL;
+    }
+
+    T = PORT_Alloc(hLen);
+    if (T == NULL) {
+	goto loser;
+    }
+
+    for (i=1,rp=result->data; i <= nblocks ; i++, rp +=hLen) {
+	rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	PORT_Memcpy(rp,T,hLen);
+    }
+
+loser:
+    if (T) {
+	PORT_ZFree(T,hLen);
+    }
+    if (rv != SECSuccess) {
+	SECITEM_FreeItem(result,PR_TRUE);
+	result = NULL;
+    } else {
+	result->len = dkLen;
+    }
+	
+    return result;
+}
+#endif
+
+#define HMAC_BUFFER 64
+#define NSSPBE_ROUNDUP(x,y) ((((x)+((y)-1))/(y))*(y))
+#define NSSPBE_MIN(x,y) ((x) < (y) ? (x) : (y))
+/*
+ * This is the extended PBE function defined by the final PKCS #12 spec.
+ */
+static SECItem *
+nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, 
+		   NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
+		   PBEBitGenID bitGenPurpose, unsigned int bytesNeeded)
+{
+    PRArenaPool *arena = NULL;
+    unsigned int SLen,PLen;
+    unsigned int hashLength = hashObject->length;
+    unsigned char *S, *P;
+    SECItem *A = NULL, B, D, I;
+    SECItem *salt = &pbe_param->salt;
+    unsigned int c,i = 0;
+    unsigned int hashLen;
+    int iter;
+    unsigned char *iterBuf;
+    void *hash = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(!arena) {
+	return NULL;
+    }
+
+    /* how many hash object lengths are needed */
+    c = (bytesNeeded + (hashLength-1))/hashLength;
+
+    /* initialize our buffers */
+    D.len = HMAC_BUFFER;
+    /* B and D are the same length, use one alloc go get both */
+    D.data = (unsigned char*)PORT_ArenaZAlloc(arena, D.len*2);
+    B.len = D.len;
+    B.data = D.data + D.len;
+
+    /* if all goes well, A will be returned, so don't use our temp arena */
+    A = SECITEM_AllocItem(NULL,NULL,c*hashLength);
+    if (A == NULL) {
+	goto loser;
+    }
+    
+    SLen = NSSPBE_ROUNDUP(salt->len,HMAC_BUFFER);
+    PLen = NSSPBE_ROUNDUP(pwitem->len,HMAC_BUFFER);
+    I.len = SLen+PLen;
+    I.data = (unsigned char*)PORT_ArenaZAlloc(arena, I.len);
+    if (I.data == NULL) {
+	goto loser;
+    }
+
+    /* S & P are only used to initialize I */
+    S = I.data;
+    P = S + SLen;
+
+    PORT_Memset(D.data, (char)bitGenPurpose, D.len);
+    if (SLen) {
+	for (i=0; i < SLen; i += salt->len) {
+	    PORT_Memcpy(S+i, salt->data, NSSPBE_MIN(SLen-i,salt->len));
+	}
+    } 
+    if (PLen) {
+	for (i=0; i < PLen; i += pwitem->len) {
+	    PORT_Memcpy(P+i, pwitem->data, NSSPBE_MIN(PLen-i,pwitem->len));
+	}
+    } 
+
+    iterBuf = (unsigned char*)PORT_ArenaZAlloc(arena,hashLength);
+    if (iterBuf == NULL) {
+	goto loser;
+    }
+
+    hash = hashObject->create();
+    if(!hash) {
+	goto loser;
+    }
+    /* calculate the PBE now */
+    for(i = 0; i < c; i++) {
+	int Bidx;	/* must be signed or the for loop won't terminate */
+	unsigned int k, j;
+	unsigned char *Ai = A->data+i*hashLength;
+
+
+	for(iter = 0; iter < pbe_param->iter; iter++) {
+	    hashObject->begin(hash);
+
+	    if (iter) {
+		hashObject->update(hash, iterBuf, hashLen);
+	    } else {
+		hashObject->update(hash, D.data, D.len);
+		hashObject->update(hash, I.data, I.len); 
+	    }
+
+	    hashObject->end(hash, iterBuf, &hashLen, hashObject->length);
+	    if(hashLen != hashObject->length) {
+		break;
+	    }
+	}
+
+	PORT_Memcpy(Ai, iterBuf, hashLength);
+	for (Bidx = 0; Bidx < B.len; Bidx += hashLength) {
+	    PORT_Memcpy(B.data+Bidx,iterBuf,NSSPBE_MIN(B.len-Bidx,hashLength));
+	}
+
+	k = I.len/B.len;
+	for(j = 0; j < k; j++) {
+	    unsigned int q, carryBit;
+	    unsigned char *Ij = I.data + j*B.len;
+
+	    /* (Ij = Ij+B+1) */
+	    for (Bidx = (B.len-1), q=1, carryBit=0; Bidx >= 0; Bidx--,q=0) {
+		q += (unsigned int)Ij[Bidx];
+		q += (unsigned int)B.data[Bidx];
+		q += carryBit;
+
+		carryBit = (q > 0xff);
+		Ij[Bidx] = (unsigned char)(q & 0xff);
+	    }
+	}
+    }
+loser:
+    if (hash) {
+    	hashObject->destroy(hash, PR_TRUE);
+    }
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    if (A) {
+        /* if i != c, then we didn't complete the loop above and must of failed
+         * somwhere along the way */
+        if (i != c) {
+	    SECITEM_ZfreeItem(A,PR_TRUE);
+	    A = NULL;
+        } else {
+    	    A->len = bytesNeeded;
+        }
+    }
+    
+    return A;
+}
+
+/*
+ * generate key as per PKCS 5
+ */
+SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
+		      SECItem *iv, PRBool faulty3DES)
+{
+    SECItem *hash = NULL, *key = NULL;
+    const SECHashObject *hashObj;
+    PRBool getIV = PR_FALSE;
+
+    if((pbe_param == NULL) || (pwitem == NULL)) {
+	return NULL;
+    }
+
+    key = SECITEM_AllocItem(NULL,NULL,pbe_param->keyLen);
+    if (key == NULL) {
+	return NULL;
+    }
+
+    if (iv && (pbe_param->ivLen) && (iv->data == NULL)) {
+	getIV = PR_TRUE;
+    	iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen);
+    	if (iv->data == NULL) {
+	    goto loser;
+	}
+	iv->len = pbe_param->ivLen;
+    }
+
+    hashObj = HASH_GetRawHashObject(pbe_param->hashType);
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	hash = nsspkcs5_PBKDF1Extended(hashObj,pbe_param,pwitem,faulty3DES);
+	if (hash == NULL) {
+	    goto loser;
+	}
+	PORT_Assert(hash->len >= key->len+(getIV ? iv->len : 0));
+	if (getIV) {
+	    PORT_Memcpy(iv->data, hash->data+(hash->len - iv->len),iv->len);
+	} 
+	
+    	break;
+#ifdef PBKDF2
+    case NSSPKCS5_PBKDF2:
+	hash = nsspkcs5_PBKDF2(hashObj,pbe_param,pwitem);
+	if (getIV) {
+	    PORT_Memcpy(iv->data, pbe_param->ivData, iv->len);
+	}
+    	break;
+#endif
+    case NSSPKCS5_PKCS12_V2:
+	if (getIV) {
+	    hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
+						pbeBitGenCipherIV,iv->len);
+	    if (hash == NULL) {
+		goto loser;
+	    }
+	    PORT_Memcpy(iv->data,hash->data,iv->len);
+	    SECITEM_ZfreeItem(hash,PR_TRUE);
+	    hash = NULL;
+	}
+	hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
+						pbe_param->keyID,key->len);
+    default:
+	break;
+    }
+
+    if (hash == NULL) {
+	goto loser;
+    }
+
+    if (pbe_param->is2KeyDES) {
+	PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
+	PORT_Memcpy(&(key->data[(key->len  * 2) / 3]), key->data,
+		    key->len / 3);
+    } else {
+	PORT_Memcpy(key->data, hash->data, key->len);
+    }
+
+    SECITEM_ZfreeItem(hash, PR_TRUE);
+    return key;
+
+loser:
+    if (getIV && iv->data) {
+	PORT_ZFree(iv->data,iv->len);
+	iv->data = NULL;
+    }
+
+    SECITEM_ZfreeItem(key, PR_TRUE);
+    return NULL;
+}
+
+static SECStatus
+nsspkcs5_FillInParam(SECOidTag algorithm, NSSPKCS5PBEParameter *pbe_param)
+{
+    PRBool skipType = PR_FALSE;
+
+    pbe_param->keyLen = 5;
+    pbe_param->ivLen = 8;
+    pbe_param->hashType = HASH_AlgSHA1;
+    pbe_param->pbeType = NSSPKCS5_PBKDF1;
+    pbe_param->encAlg = SEC_OID_RC2_CBC;
+    pbe_param->is2KeyDES = PR_FALSE;
+    switch(algorithm) {
+    /* DES3 Algorithms */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	pbe_param->is2KeyDES = PR_TRUE;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	pbe_param->keyLen = 24;
+	pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
+	break;
+
+    /* DES Algorithms */
+    case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+    	pbe_param->hashType = HASH_AlgMD2;
+	goto finish_des;
+    case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+    	pbe_param->hashType = HASH_AlgMD5;
+	/* fall through */
+    case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+finish_des:
+	pbe_param->keyLen = 8;
+	pbe_param->encAlg =  SEC_OID_DES_CBC;
+	break;
+
+    /* RC2 Algorithms */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	break;
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	break;
+
+    /* RC4 algorithms */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	skipType = PR_TRUE;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	if (!skipType) {
+    	    pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	}
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+        pbe_param->ivLen = 0;
+        pbe_param->encAlg =  SEC_OID_RC4;
+        break;
+
+#ifdef PBKDF2
+    case SEC_OID_PKCS5_PBKDF2:
+    case SEC_OID_PKCS5_PBES2:
+    case SEC_OID_PKCS5_PBMAC1:
+	/* everything else will be filled in by the template */
+        pbe_param->ivLen = 0;
+	pbe_param->pbeType = NSSPKCS5_PBKDF2;
+        pbe_param->encAlg =  SEC_OID_PKCS5_PBKDF2;
+	pbe_param->keyLen = 0; /* needs to be set by caller after return */
+	break;
+#endif
+
+    default:
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator)
+{
+    PRArenaPool *arena = NULL;
+    NSSPKCS5PBEParameter *pbe_param = NULL;
+    SECStatus rv = SECFailure;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL)
+	return NULL;
+
+    /* allocate memory for the parameter */
+    pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena, 
+	sizeof(NSSPKCS5PBEParameter));
+
+    if (pbe_param == NULL) {
+	goto loser;
+    }
+
+    pbe_param->poolp = arena;
+
+    rv = nsspkcs5_FillInParam(alg, pbe_param);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    pbe_param->iter = iterator;
+    if (salt) {
+	rv = SECITEM_CopyItem(arena,&pbe_param->salt,salt);
+    }
+
+    /* default key gen */
+    pbe_param->keyID = pbeBitGenCipherKey;
+
+loser:
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    return pbe_param;
+}
+
+/*
+ * find the hash type needed to implement a specific HMAC.
+ * OID definitions are from pkcs 5 v2.0 and 2.1
+ */
+HASH_HashType
+HASH_FromHMACOid(SECOidTag hmac)
+{
+    switch (hmac) {
+    case SEC_OID_HMAC_SHA1:
+    	return HASH_AlgSHA1;
+    case SEC_OID_HMAC_SHA256:
+    	return HASH_AlgSHA256;
+    case SEC_OID_HMAC_SHA384:
+    	return HASH_AlgSHA384;
+    case SEC_OID_HMAC_SHA512:
+    	return HASH_AlgSHA512;
+    case SEC_OID_HMAC_SHA224:
+    default:
+	break;
+    }
+    return HASH_AlgNULL;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid)
+{
+    NSSPKCS5PBEParameter *pbe_param = NULL;
+    nsspkcs5V2PBEParameter pbev2_param;
+    SECOidTag algorithm;
+    SECStatus rv = SECFailure;
+
+    if (algid == NULL) {
+	return NULL;
+    }
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+    if (algorithm == SEC_OID_UNKNOWN) {
+	goto loser;
+    }
+
+    pbe_param = nsspkcs5_NewParam(algorithm, NULL, 1);
+    if (pbe_param == NULL) {
+	goto loser;
+    }
+
+    /* decode parameter */
+    rv = SECFailure;
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
+	    NSSPKCS5PBEParameterTemplate, &algid->parameters);
+	break;
+    case NSSPKCS5_PKCS12_V2:
+	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
+		NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters);
+	break;
+#ifdef PBKDF2
+    case NSSPKCS5_PBKDF2:
+	PORT_Memset(&pbev2_param,0, sizeof(pbev2_param));
+	/* just the PBE */
+	if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+	    rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+		NSSPKCS5V2PBEParameterTemplate, &algid->parameters);
+	} else {
+	    /* PBE data an others */
+	    rv = SEC_ASN1DecodeItem(pbe_param->poolp, &pbev2_param, 
+		NSSPKCS5V2PBES2ParameterTemplate, &algid->parameters);
+	    if (rv != SECSuccess) {
+		break;
+	    }
+            pbe_param->encAlg = SECOID_GetAlgorithmTag(&pbev2_param.algParams);
+	    rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+		NSSPKCS5V2PBEParameterTemplate, 
+		&pbev2_param.keyParams.parameters);
+	    if (rv != SECSuccess) {
+		break;
+	    }
+    	    pbe_param->keyLen = DER_GetInteger(&pbe_param->keyLength);
+	}
+	/* we we are encrypting, save any iv's */
+	if (algorithm == SEC_OID_PKCS5_PBES2) {
+	    pbe_param->ivLen = pbev2_param.algParams.parameters.len;
+	    pbe_param->ivData = pbev2_param.algParams.parameters.data;
+	}
+	pbe_param->hashType = 
+	    HASH_FromHMACOid(SECOID_GetAlgorithmTag(&pbe_param->prfAlg));
+	if (pbe_param->hashType == HASH_AlgNULL) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    rv = SECFailure;
+	}
+	break;
+#endif
+    }
+
+loser:
+    if (rv == SECSuccess) {
+    	pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
+    } else {
+	nsspkcs5_DestroyPBEParameter(pbe_param);
+	pbe_param = NULL;
+    }
+
+    return pbe_param;
+}
+
+/* destroy a pbe parameter.  it assumes that the parameter was 
+ * generated using the appropriate create function and therefor
+ * contains an arena pool.
+ */
+void 
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param)
+{
+    if (pbe_param != NULL) {
+	PORT_FreeArena(pbe_param->poolp, PR_FALSE);
+    }
+}
+
+
+/* crypto routines */
+/* perform DES encryption and decryption.  these routines are called
+ * by nsspkcs5_CipherData.  In the case of an error, NULL is returned.
+ */
+static SECItem *
+sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, 
+								PRBool encrypt)
+{
+    SECItem *dest;
+    SECItem *dup_src;
+    SECStatus rv = SECFailure;
+    int pad;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL))
+	return NULL;
+
+    dup_src = SECITEM_DupItem(src);
+    if(dup_src == NULL) {
+	return NULL;
+    }
+
+    if(encrypt != PR_FALSE) {
+	void *dummy;
+
+	dummy = CBC_PadBuffer(NULL, dup_src->data, 
+	    dup_src->len, &dup_src->len, 8 /* DES_BLOCK_SIZE */);
+	if(dummy == NULL) {
+	    SECITEM_FreeItem(dup_src, PR_TRUE);
+	    return NULL;
+	}
+	dup_src->data = (unsigned char*)dummy;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	/* allocate with over flow */
+	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+	if(dest->data != NULL) {
+	    DESContext *ctxt;
+	    ctxt = DES_CreateContext(key->data, iv->data, 
+			(triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC), 
+			encrypt);
+	
+	    if(ctxt != NULL) {
+		rv = (encrypt ? DES_Encrypt : DES_Decrypt)(
+			ctxt, dest->data, &dest->len,
+			dup_src->len + 64, dup_src->data, dup_src->len);
+
+		/* remove padding -- assumes 64 bit blocks */
+		if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+		    pad = dest->data[dest->len-1];
+		    if((pad > 0) && (pad <= 8)) {
+			if(dest->data[dest->len-pad] != pad) {
+			    rv = SECFailure;
+			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			} else {
+			    dest->len -= pad;
+			}
+		    } else {
+			rv = SECFailure;
+			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+		    }
+		}
+		DES_DestroyContext(ctxt, PR_TRUE);
+	    }
+	}
+    }
+
+    if(rv == SECFailure) {
+	if(dest != NULL) {
+	    SECITEM_FreeItem(dest, PR_TRUE);
+	}
+	dest = NULL;
+    }
+
+    if(dup_src != NULL) {
+	SECITEM_FreeItem(dup_src, PR_TRUE);
+    }
+
+    return dest;
+}
+
+/* perform aes encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_aes(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, 
+								PRBool encrypt)
+{
+    SECItem *dest;
+    SECItem *dup_src;
+    SECStatus rv = SECFailure;
+    int pad;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL))
+	return NULL;
+
+    dup_src = SECITEM_DupItem(src);
+    if(dup_src == NULL) {
+	return NULL;
+    }
+
+    if(encrypt != PR_FALSE) {
+	void *dummy;
+
+	dummy = CBC_PadBuffer(NULL, dup_src->data, 
+	    dup_src->len, &dup_src->len,AES_BLOCK_SIZE);
+	if(dummy == NULL) {
+	    SECITEM_FreeItem(dup_src, PR_TRUE);
+	    return NULL;
+	}
+	dup_src->data = (unsigned char*)dummy;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	/* allocate with over flow */
+	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+	if(dest->data != NULL) {
+	    AESContext *ctxt;
+	    ctxt = AES_CreateContext(key->data, iv->data, 
+			NSS_AES_CBC, encrypt, key->len, 16);
+	
+	    if(ctxt != NULL) {
+		rv = (encrypt ? AES_Encrypt : AES_Decrypt)(
+			ctxt, dest->data, &dest->len,
+			dup_src->len + 64, dup_src->data, dup_src->len);
+
+		/* remove padding -- assumes 64 bit blocks */
+		if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+		    pad = dest->data[dest->len-1];
+		    if((pad > 0) && (pad <= 16)) {
+			if(dest->data[dest->len-pad] != pad) {
+			    rv = SECFailure;
+			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			} else {
+			    dest->len -= pad;
+			}
+		    } else {
+			rv = SECFailure;
+			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+		    }
+		}
+		AES_DestroyContext(ctxt, PR_TRUE);
+	    }
+	}
+    }
+
+    if(rv == SECFailure) {
+	if(dest != NULL) {
+	    SECITEM_FreeItem(dest, PR_TRUE);
+	}
+	dest = NULL;
+    }
+
+    if(dup_src != NULL) {
+	SECITEM_FreeItem(dup_src, PR_TRUE);
+    }
+
+    return dest;
+}
+
+/* perform rc2 encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy, 
+								PRBool encrypt)
+{
+    SECItem *dest;
+    SECItem *dup_src;
+    SECStatus rv = SECFailure;
+    int pad;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL)) {
+	return NULL;
+    }
+
+    dup_src = SECITEM_DupItem(src);
+    if(dup_src == NULL) {
+	return NULL;
+    }
+
+    if(encrypt != PR_FALSE) {
+	void *dummy;
+
+	dummy = CBC_PadBuffer(NULL, dup_src->data, 
+		      dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
+	if(dummy == NULL) {
+	    SECITEM_FreeItem(dup_src, PR_TRUE);
+	    return NULL;
+	}
+	dup_src->data = (unsigned char*)dummy;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+	if(dest->data != NULL) {
+	    RC2Context *ctxt;
+
+	    ctxt = RC2_CreateContext(key->data, key->len, iv->data,
+					 	NSS_RC2_CBC, key->len);
+
+	    if(ctxt != NULL) {
+		rv = (encrypt ? RC2_Encrypt: RC2_Decrypt)(
+			ctxt, dest->data, &dest->len,
+			dup_src->len + 64, dup_src->data, dup_src->len);
+
+		/* assumes 8 byte blocks  -- remove padding */	
+		if((rv == SECSuccess) && (encrypt != PR_TRUE)) {
+		    pad = dest->data[dest->len-1];
+		    if((pad > 0) && (pad <= 8)) {
+			if(dest->data[dest->len-pad] != pad) {
+			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			    rv = SECFailure;
+			} else {
+			    dest->len -= pad;
+			}
+		    } else {
+			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			rv = SECFailure;
+		    }
+		}
+
+	    }
+	}
+    }
+
+    if((rv != SECSuccess) && (dest != NULL)) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    if(dup_src != NULL) {
+	SECITEM_FreeItem(dup_src, PR_TRUE);
+    }
+
+    return dest;
+}
+
+/* perform rc4 encryption and decryption */
+static SECItem *
+sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op,
+								 PRBool encrypt)
+{
+    SECItem *dest;
+    SECStatus rv = SECFailure;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL)) {
+	return NULL;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+	    (src->len + 64));
+	if(dest->data != NULL) {
+	    RC4Context *ctxt;
+
+	    ctxt = RC4_CreateContext(key->data, key->len);
+	    if(ctxt) { 
+		rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)(
+				ctxt, dest->data, &dest->len,
+				src->len + 64, src->data, src->len);
+		RC4_DestroyContext(ctxt, PR_TRUE);
+	    }
+	}
+    }
+
+    if((rv != SECSuccess) && (dest)) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    return dest;
+}
+/* function pointer template for crypto functions */
+typedef SECItem *(* pkcs5_crypto_func)(SECItem *key, SECItem *iv,
+                                         SECItem *src, PRBool op1, PRBool op2);
+
+/* performs the cipher operation on the src and returns the result.
+ * if an error occurs, NULL is returned. 
+ *
+ * a null length password is allowed.  this corresponds to encrypting
+ * the data with ust the salt.
+ */
+/* change this to use PKCS 11? */
+SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
+		    SECItem *src, PRBool encrypt, PRBool *update)
+{
+    SECItem *key = NULL, iv;
+    SECItem *dest = NULL;
+    PRBool tripleDES = PR_TRUE;
+    pkcs5_crypto_func cryptof;
+
+    iv.data = NULL;
+
+    if (update) { 
+        *update = PR_FALSE;
+    }
+
+    if ((pwitem == NULL) || (src == NULL)) {
+	return NULL;
+    }
+
+    /* get key, and iv */
+    key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE);
+    if(key == NULL) {
+	return NULL;
+    }
+
+    switch(pbe_param->encAlg) {
+    /* PKCS 5 v2 only */
+    case SEC_OID_AES_128_CBC:
+    case SEC_OID_AES_192_CBC:
+    case SEC_OID_AES_256_CBC:
+	cryptof = sec_pkcs5_aes;
+	break;
+    case SEC_OID_DES_EDE3_CBC:
+	cryptof = sec_pkcs5_des;
+	tripleDES = PR_TRUE;
+	break;
+    case SEC_OID_DES_CBC:
+	cryptof = sec_pkcs5_des;
+	tripleDES = PR_FALSE;
+	break;
+    case SEC_OID_RC2_CBC:
+	cryptof = sec_pkcs5_rc2;
+	break;
+    case SEC_OID_RC4:
+	cryptof = sec_pkcs5_rc4;
+	break;
+    default:
+	cryptof = NULL;
+	break;
+    }
+
+    if (cryptof == NULL) {
+	goto loser;
+    }
+
+    dest = (*cryptof)(key, &iv, src, tripleDES, encrypt);
+    /* 
+     * it's possible for some keys and keydb's to claim to
+     * be triple des when they're really des. In this case
+     * we simply try des. If des works we set the update flag
+     * so the key db knows it needs to update all it's entries.
+     *  The case can only happen on decrypted of a 
+     *  SEC_OID_DES_EDE3_CBD.
+     */
+    if ((dest == NULL) && (encrypt == PR_FALSE) && 
+				(pbe_param->encAlg == SEC_OID_DES_EDE3_CBC)) {
+	dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt);
+	if (update && (dest != NULL)) *update = PR_TRUE;
+    }
+
+loser:
+    if (key != NULL) {
+	SECITEM_ZfreeItem(key, PR_TRUE);
+    }
+    if (iv.data != NULL) {
+	SECITEM_ZfreeItem(&iv, PR_FALSE);
+    }
+
+    return dest;
+}
+
+/* creates a algorithm ID containing the PBE algorithm and appropriate
+ * parameters.  the required parameter is the algorithm.  if salt is
+ * not specified, it is generated randomly.  if IV is specified, it overrides
+ * the PKCS 5 generation of the IV.  
+ *
+ * the returned SECAlgorithmID should be destroyed using 
+ * SECOID_DestroyAlgorithmID
+ */
+SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
+					NSSPKCS5PBEParameter *pbe_param)
+{
+    SECAlgorithmID *algid, *ret_algid = NULL;
+    SECItem der_param;
+    nsspkcs5V2PBEParameter pkcs5v2_param;
+
+    SECStatus rv = SECFailure;
+    void *dummy = NULL;
+
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    der_param.data = NULL;
+    der_param.len = 0;
+
+    /* generate the algorithm id */
+    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
+    if (algid == NULL) {
+	goto loser;
+    }
+
+    if (pbe_param->iteration.data == NULL) {
+	dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,&pbe_param->iteration,
+								pbe_param->iter);
+	if (dummy == NULL) {
+	    goto loser;
+	}
+    }
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+					NSSPKCS5PBEParameterTemplate);
+	break;
+    case NSSPKCS5_PKCS12_V2:
+	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+	    				NSSPKCS5PKCS12V2PBEParameterTemplate);
+	break;
+#ifdef PBKDF2
+    case NSSPKCS5_PBKDF2:
+        if (pbe_param->keyLength.data == NULL) {
+	    dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,
+				&pbe_param->keyLength, pbe_param->keyLen);
+	    if (dummy == NULL) {
+		goto loser;
+	    }
+	}
+	PORT_Memset(&pkcs5v2_param, 0, sizeof(pkcs5v2_param));
+	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+	    				NSSPKCS5V2PBEParameterTemplate);
+	if (dummy == NULL) {
+	    break;
+	}
+	dummy = NULL;
+	rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.keyParams, 
+				  SEC_OID_PKCS5_PBKDF2, &der_param);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	der_param.data = pbe_param->ivData;
+	der_param.len = pbe_param->ivLen;
+	rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.algParams, 
+		pbe_param->encAlg, pbe_param->ivLen ? &der_param : NULL);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	dummy = SEC_ASN1EncodeItem(arena,  &der_param, &pkcs5v2_param,
+	    				NSSPKCS5V2PBES2ParameterTemplate);
+	break;
+#endif
+    default:
+	break;
+    }
+
+    if (dummy == NULL) {
+	goto loser;
+    }
+	
+    rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
+    if (ret_algid == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
+    if (rv != SECSuccess) {
+	SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
+	ret_algid = NULL;
+    }
+
+loser:	
+
+    return ret_algid;
+}
diff --git a/security/nss/lib/softoken/lowpbe.h b/security/nss/lib/softoken/lowpbe.h
new file mode 100644
index 000000000..974b2fa4f
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.h
@@ -0,0 +1,140 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+
+#include "plarena.h"
+#include "secitem.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "hasht.h"
+
+typedef SECItem * (* SEC_PKCS5GetPBEPassword)(void *arg);
+
+/* used for V2 PKCS 12 Draft Spec */ 
+typedef enum {
+    pbeBitGenIDNull = 0,
+    pbeBitGenCipherKey = 0x01,
+    pbeBitGenCipherIV = 0x02,
+    pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef enum {
+    NSSPKCS5_PBKDF1 = 0,
+    NSSPKCS5_PBKDF2 = 1,
+    NSSPKCS5_PKCS12_V2 = 2
+} NSSPKCS5PBEType;
+
+typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
+
+struct NSSPKCS5PBEParameterStr {
+    PRArenaPool *poolp;
+    SECItem	salt;		/* octet string */
+    SECItem	iteration;	/* integer */
+    SECItem	keyLength;	/* integer */
+
+    /* used locally */
+    int		iter;
+    int 	keyLen;
+    int		ivLen;
+    unsigned char *ivData;
+    HASH_HashType hashType;
+    NSSPKCS5PBEType pbeType;
+    SECAlgorithmID  prfAlg;	
+    PBEBitGenID	keyID;
+    SECOidTag	encAlg;
+    PRBool	is2KeyDES;
+};
+
+
+SEC_BEGIN_PROTOS
+/* Create a PKCS5 Algorithm ID
+ * The algorithm ID is set up using the PKCS #5 parameter structure
+ *  algorithm is the PBE algorithm ID for the desired algorithm
+ *  pbe is a pbe param block with all the info needed to create the 
+ *   algorithm id.
+ * If an error occurs or the algorithm specified is not supported 
+ * or is not a password based encryption algorithm, NULL is returned.
+ * Otherwise, a pointer to the algorithm id is returned.
+ */
+extern SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
+						NSSPKCS5PBEParameter *pbe);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator);
+
+
+/* Encrypt/Decrypt data using password based encryption.  
+ *  algid is the PBE algorithm identifier,
+ *  pwitem is the password,
+ *  src is the source for encryption/decryption,
+ *  encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
+ * The key and iv are generated based upon PKCS #5 then the src
+ * is either encrypted or decrypted.  If an error occurs, NULL
+ * is returned, otherwise the ciphered contents is returned.
+ */
+extern SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    SECItem *src, PRBool encrypt, PRBool *update);
+
+extern SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    			SECItem *iv, PRBool faulty3DES);
+
+/* Destroys PBE parameter */
+extern void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
+
+HASH_HashType HASH_FromHMACOid(SECOidTag oid);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
new file mode 100644
index 000000000..24f026624
--- /dev/null
+++ b/security/nss/lib/softoken/manifest.mn
@@ -0,0 +1,103 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+DIRS = legacydb
+
+REQUIRES = dbm
+
+LIBRARY_NAME = softokn
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/softokn.def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+
+ifdef MOZILLA_CLIENT
+INCLUDES += -I$(DIST)/include/sqlite3
+endif
+
+EXPORTS = \
+	pkcs11.h \
+	pkcs11f.h \
+	pkcs11p.h \
+	pkcs11t.h \
+	pkcs11n.h \
+	pkcs11u.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	lgglue.h  \
+	lowkeyi.h \
+	lowkeyti.h \
+	pk11pars.h \
+	pkcs11ni.h \
+	softoken.h \
+	softoknt.h \
+	softkver.h \
+	sdb.h \
+	sftkdbt.h \
+	$(NULL)
+
+CSRCS = \
+	ecdecode.c \
+	fipsaudt.c \
+	fipstest.c \
+	fipstokn.c \
+	lgglue.c   \
+	lowkey.c   \
+	lowpbe.c   \
+	padbuf.c   \
+	pkcs11.c   \
+	pkcs11c.c  \
+	pkcs11u.c  \
+	rsawrapr.c  \
+	sdb.c  \
+	sftkdb.c  \
+	sftkmod.c  \
+	sftkpars.c  \
+	sftkpwd.c  \
+	softkver.c  \
+	tlsprf.c   \
+	$(NULL)
+
+ifdef SQLITE_UNSAFE_THREADS
+DEFINES += -DSQLITE_UNSAFE_THREADS
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
new file mode 100644
index 000000000..8c43fa287
--- /dev/null
+++ b/security/nss/lib/softoken/padbuf.c
@@ -0,0 +1,81 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "blapit.h"
+#include "secport.h"
+#include "secerr.h"
+
+/*
+ * Prepare a buffer for any padded CBC encryption algorithm, growing to the 
+ * appropriate boundary and filling with the appropriate padding.
+ * blockSize must be a power of 2.
+ *
+ * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+ * we assume (and use) XP memory (re)allocation.
+ */
+unsigned char *
+CBC_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
+	      unsigned int *outlen, int blockSize)
+{
+    unsigned char *outbuf;
+    unsigned int   des_len;
+    unsigned int   i;
+    unsigned char  des_pad_len;
+
+    /*
+     * We need from 1 to blockSize bytes -- we *always* grow.
+     * The extra bytes contain the value of the length of the padding:
+     * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+     */
+    des_len = (inlen + blockSize) & ~(blockSize - 1);
+
+    if (arena != NULL) {
+	outbuf = (unsigned char*)PORT_ArenaGrow (arena, inbuf, inlen, des_len);
+    } else {
+	outbuf = (unsigned char*)PORT_Realloc (inbuf, des_len);
+    }
+
+    if (outbuf == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    des_pad_len = des_len - inlen;
+    for (i = inlen; i < des_len; i++)
+	outbuf[i] = des_pad_len;
+
+    *outlen = des_len;
+    return outbuf;
+}
diff --git a/security/nss/lib/softoken/pk11pars.h b/security/nss/lib/softoken/pk11pars.h
new file mode 100644
index 000000000..b745c93e9
--- /dev/null
+++ b/security/nss/lib/softoken/pk11pars.h
@@ -0,0 +1,871 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+
+
+/*
+ * this header file contains routines for parsing PKCS #11 module spec
+ * strings. It contains 'C' code and should only be included in one module.
+ * Currently it is included in both softoken and the wrapper.
+ */
+#include <ctype.h>
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "prprf.h"
+#include "secmodt.h"
+#include "pk11init.h"
+
+#define SECMOD_ARG_LIBRARY_PARAMETER "library="
+#define SECMOD_ARG_NAME_PARAMETER "name="
+#define SECMOD_ARG_MODULE_PARAMETER "parameters="
+#define SECMOD_ARG_NSS_PARAMETER "NSS="
+#define SECMOD_ARG_FORTEZZA_FLAG "FORTEZZA"
+#define SECMOD_ARG_ESCAPE '\\'
+
+struct secmodargSlotFlagTable {
+    char *name;
+    int len;
+    unsigned long value;
+};
+
+#define SECMOD_DEFAULT_CIPHER_ORDER 0
+#define SECMOD_DEFAULT_TRUST_ORDER 50
+
+
+#define SECMOD_ARG_ENTRY(arg,flag) \
+{ #arg , sizeof(#arg)-1, flag }
+static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = {
+	SECMOD_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
+	SECMOD_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
+	SECMOD_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
+	SECMOD_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
+	SECMOD_ARG_ENTRY(DES,SECMOD_DES_FLAG),
+	SECMOD_ARG_ENTRY(DH,SECMOD_DH_FLAG),
+	SECMOD_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
+	SECMOD_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
+	SECMOD_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
+	SECMOD_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
+	SECMOD_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
+	SECMOD_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
+	SECMOD_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
+	SECMOD_ARG_ENTRY(AES,SECMOD_AES_FLAG),
+	SECMOD_ARG_ENTRY(Camellia,SECMOD_CAMELLIA_FLAG),
+	SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
+	SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
+};
+
+#define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \
+    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
+	param += sizeof(value)-1; \
+	if (target) PORT_Free(target); \
+	target = secmod_argFetchValue(param,&next); \
+	param += next; \
+	command ;\
+    } else  
+
+#define SECMOD_HANDLE_FINAL_ARG(param) \
+    { param = secmod_argSkipParameter(param); } param = secmod_argStrip(param);
+	
+
+static int secmod_argSlotFlagTableSize = 
+	sizeof(secmod_argSlotFlagTable)/sizeof(secmod_argSlotFlagTable[0]);
+
+
+static PRBool secmod_argGetPair(char c) {
+    switch (c) {
+    case '\'': return c;
+    case '\"': return c;
+    case '<': return '>';
+    case '{': return '}';
+    case '[': return ']';
+    case '(': return ')';
+    default: break;
+    }
+    return ' ';
+}
+
+static PRBool secmod_argIsBlank(char c) {
+   return isspace(c);
+}
+
+static PRBool secmod_argIsEscape(char c) {
+    return c == '\\';
+}
+
+static PRBool secmod_argIsQuote(char c) {
+    switch (c) {
+    case '\'':
+    case '\"':
+    case '<':
+    case '{': /* } end curly to keep vi bracket matching working */
+    case '(': /* ) */
+    case '[': /* ] */ return PR_TRUE;
+    default: break;
+    }
+    return PR_FALSE;
+}
+
+static PRBool secmod_argHasChar(char *v, char c)
+{
+   for ( ;*v; v++) {
+	if (*v == c) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static PRBool secmod_argHasBlanks(char *v)
+{
+   for ( ;*v; v++) {
+	if (secmod_argIsBlank(*v)) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static char *secmod_argStrip(char *c) {
+   while (*c && secmod_argIsBlank(*c)) c++;
+   return c;
+}
+
+static char *
+secmod_argFindEnd(char *string) {
+    char endChar = ' ';
+    PRBool lastEscape = PR_FALSE;
+
+    if (secmod_argIsQuote(*string)) {
+	endChar = secmod_argGetPair(*string);
+	string++;
+    }
+
+    for (;*string; string++) {
+	if (lastEscape) {
+	    lastEscape = PR_FALSE;
+	    continue;
+	}
+	if (secmod_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	} 
+	if ((endChar == ' ') && secmod_argIsBlank(*string)) break;
+	if (*string == endChar) {
+	    break;
+	}
+    }
+
+    return string;
+}
+
+static char *
+secmod_argFetchValue(char *string, int *pcount)
+{
+    char *end = secmod_argFindEnd(string);
+    char *retString, *copyString;
+    PRBool lastEscape = PR_FALSE;
+    int len;
+
+    len = end - string;
+    if (len == 0) {
+	*pcount = 0;
+	return NULL;
+    }
+
+    copyString = retString = (char *)PORT_Alloc(len+1);
+
+    if (*end) len++;
+    *pcount = len;
+    if (retString == NULL) return NULL;
+
+
+    if (secmod_argIsQuote(*string)) string++;
+    for (; string < end; string++) {
+	if (secmod_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	}
+	lastEscape = PR_FALSE;
+	*copyString++ = *string;
+    }
+    *copyString = 0;
+    return retString;
+}
+
+static char *
+secmod_argSkipParameter(char *string) 
+{
+     char *end;
+     /* look for the end of the <name>= */
+     for (;*string; string++) {
+	if (*string == '=') { string++; break; }
+	if (secmod_argIsBlank(*string)) return(string); 
+     }
+
+     end = secmod_argFindEnd(string);
+     if (*end) end++;
+     return end;
+}
+
+
+static SECStatus
+secmod_argParseModuleSpec(char *modulespec, char **lib, char **mod, 
+					char **parameters, char **nss)
+{
+    int next;
+    modulespec = secmod_argStrip(modulespec);
+
+    *lib = *mod = *parameters = *nss = 0;
+
+    while (*modulespec) {
+	SECMOD_HANDLE_STRING_ARG(modulespec,*lib,SECMOD_ARG_LIBRARY_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*mod,SECMOD_ARG_NAME_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*parameters,
+						SECMOD_ARG_MODULE_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*nss,SECMOD_ARG_NSS_PARAMETER,;)
+	SECMOD_HANDLE_FINAL_ARG(modulespec)
+   }
+   return SECSuccess;
+}
+
+
+static char *
+secmod_argGetParamValue(char *paramName,char *parameters)
+{
+    char searchValue[256];
+    int paramLen = strlen(paramName);
+    char *returnValue = NULL;
+    int next;
+
+    if ((parameters == NULL) || (*parameters == 0)) return NULL;
+
+    PORT_Assert(paramLen+2 < sizeof(searchValue));
+
+    PORT_Strcpy(searchValue,paramName);
+    PORT_Strcat(searchValue,"=");
+    while (*parameters) {
+	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
+	    parameters += paramLen+1;
+	    returnValue = secmod_argFetchValue(parameters,&next);
+	    break;
+	} else {
+	    parameters = secmod_argSkipParameter(parameters);
+	}
+	parameters = secmod_argStrip(parameters);
+   }
+   return returnValue;
+}
+    
+
+static char *
+secmod_argNextFlag(char *flags)
+{
+    for (; *flags ; flags++) {
+	if (*flags == ',') {
+	    flags++;
+	    break;
+	}
+    }
+    return flags;
+}
+
+static PRBool
+secmod_argHasFlag(char *label, char *flag, char *parameters)
+{
+    char *flags,*index;
+    int len = strlen(flag);
+    PRBool found = PR_FALSE;
+
+    flags = secmod_argGetParamValue(label,parameters);
+    if (flags == NULL) return PR_FALSE;
+
+    for (index=flags; *index; index=secmod_argNextFlag(index)) {
+	if (PORT_Strncasecmp(index,flag,len) == 0) {
+	    found=PR_TRUE;
+	    break;
+	}
+    }
+    PORT_Free(flags);
+    return found;
+}
+
+static void
+secmod_argSetNewCipherFlags(unsigned long *newCiphers,char *cipherList)
+{
+    newCiphers[0] = newCiphers[1] = 0;
+    if ((cipherList == NULL) || (*cipherList == 0)) return;
+
+    for (;*cipherList; cipherList=secmod_argNextFlag(cipherList)) {
+	if (PORT_Strncasecmp(cipherList,SECMOD_ARG_FORTEZZA_FLAG,
+				sizeof(SECMOD_ARG_FORTEZZA_FLAG)-1) == 0) {
+	    newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
+	} 
+
+	/* add additional flags here as necessary */
+	/* direct bit mapping escape */
+	if (*cipherList == 0) {
+	   if (cipherList[1] == 'l') {
+		newCiphers[1] |= atoi(&cipherList[2]);
+	   } else {
+		newCiphers[0] |= atoi(&cipherList[2]);
+	   }
+	}
+    }
+}
+
+
+/*
+ * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
+ */
+static long
+secmod_argDecodeNumber(char *num)
+{
+    int	radix = 10;
+    unsigned long value = 0;
+    long retValue = 0;
+    int sign = 1;
+    int digit;
+
+    if (num == NULL) return retValue;
+
+    num = secmod_argStrip(num);
+
+    if (*num == '-') {
+	sign = -1;
+	num++;
+    }
+
+    if (*num == '0') {
+	radix = 8;
+	num++;
+	if ((*num == 'x') || (*num == 'X')) {
+	    radix = 16;
+	    num++;
+	}
+    }
+
+   
+    for ( ;*num; num++ ) {
+	if (isdigit(*num)) {
+	    digit = *num - '0';
+	} else if ((*num >= 'a') && (*num <= 'f'))  {
+	    digit = *num - 'a' + 10;
+	} else if ((*num >= 'A') && (*num <= 'F'))  {
+	    digit = *num - 'A' + 10;
+	} else {
+	    break;
+	}
+	if (digit >= radix) break;
+	value = value*radix + digit;
+    }
+
+    retValue = ((int) value) * sign;
+    return retValue;
+}
+
+static long
+secmod_argReadLong(char *label,char *params, long defValue, PRBool *isdefault)
+{
+    char *value;
+    long retValue;
+    if (isdefault) *isdefault = PR_FALSE; 
+
+    value = secmod_argGetParamValue(label,params);
+    if (value == NULL) {
+	if (isdefault) *isdefault = PR_TRUE;
+	return defValue;
+    }
+    retValue = secmod_argDecodeNumber(value);
+    if (value) PORT_Free(value);
+
+    return retValue;
+}
+
+
+static unsigned long
+secmod_argSlotFlags(char *label,char *params)
+{
+    char *flags,*index;
+    unsigned long retValue = 0;
+    int i;
+    PRBool all = PR_FALSE;
+
+    flags = secmod_argGetParamValue(label,params);
+    if (flags == NULL) return 0;
+
+    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
+
+    for (index=flags; *index; index=secmod_argNextFlag(index)) {
+	for (i=0; i < secmod_argSlotFlagTableSize; i++) {
+	    if (all || (PORT_Strncasecmp(index, secmod_argSlotFlagTable[i].name,
+				secmod_argSlotFlagTable[i].len) == 0)) {
+		retValue |= secmod_argSlotFlagTable[i].value;
+	    }
+	}
+    }
+    PORT_Free(flags);
+    return retValue;
+}
+
+
+static void
+secmod_argDecodeSingleSlotInfo(char *name, char *params, 
+                               PK11PreSlotInfo *slotInfo)
+{
+    char *askpw;
+
+    slotInfo->slotID=secmod_argDecodeNumber(name);
+    slotInfo->defaultFlags=secmod_argSlotFlags("slotFlags",params);
+    slotInfo->timeout=secmod_argReadLong("timeout",params, 0, NULL);
+
+    askpw = secmod_argGetParamValue("askpw",params);
+    slotInfo->askpw = 0;
+
+    if (askpw) {
+	if (PORT_Strcasecmp(askpw,"every") == 0) {
+    	    slotInfo->askpw = -1;
+	} else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
+    	    slotInfo->askpw = 1;
+	} 
+	PORT_Free(askpw);
+	slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+    }
+    slotInfo->hasRootCerts = secmod_argHasFlag("rootFlags", "hasRootCerts", 
+                                               params);
+    slotInfo->hasRootTrust = secmod_argHasFlag("rootFlags", "hasRootTrust", 
+                                               params);
+}
+
+static char *
+secmod_argGetName(char *inString, int *next) 
+{
+    char *name=NULL;
+    char *string;
+    int len;
+
+    /* look for the end of the <name>= */
+    for (string = inString;*string; string++) {
+	if (*string == '=') { break; }
+	if (secmod_argIsBlank(*string)) break;
+    }
+
+    len = string - inString;
+
+    *next = len; 
+    if (*string == '=') (*next) += 1;
+    if (len > 0) {
+	name = PORT_Alloc(len+1);
+	PORT_Strncpy(name,inString,len);
+	name[len] = 0;
+    }
+    return name;
+}
+
+static PK11PreSlotInfo *
+secmod_argParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
+{
+    char *slotIndex;
+    PK11PreSlotInfo *slotInfo = NULL;
+    int i=0,count = 0,next;
+
+    *retCount = 0;
+    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
+
+    /* first count the number of slots */
+    for (slotIndex = secmod_argStrip(slotParams); *slotIndex; 
+	 slotIndex = secmod_argStrip(secmod_argSkipParameter(slotIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    if (arena) {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ArenaAlloc(arena,count*sizeof(PK11PreSlotInfo));
+	PORT_Memset(slotInfo,0,count*sizeof(PK11PreSlotInfo));
+    } else {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ZAlloc(count*sizeof(PK11PreSlotInfo));
+    }
+    if (slotInfo == NULL) return NULL;
+
+    for (slotIndex = secmod_argStrip(slotParams), i = 0; 
+					*slotIndex && i < count ; ) {
+	char *name;
+	name = secmod_argGetName(slotIndex,&next);
+	slotIndex += next;
+
+	if (!secmod_argIsBlank(*slotIndex)) {
+	    char *args = secmod_argFetchValue(slotIndex,&next);
+	    slotIndex += next;
+	    if (args) {
+		secmod_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
+		i++;
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	slotIndex = secmod_argStrip(slotIndex);
+    }
+    *retCount = i;
+    return slotInfo;
+}
+
+static char *secmod_nullString = "";
+
+static char *
+secmod_formatValue(PRArenaPool *arena, char *value, char quote)
+{
+    char *vp,*vp2,*retval;
+    int size = 0, escapes = 0;
+
+    for (vp=value; *vp ;vp++) {
+	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) escapes++;
+	size++;
+    }
+    if (arena) {
+	retval = PORT_ArenaZAlloc(arena,size+escapes+1);
+    } else {
+	retval = PORT_ZAlloc(size+escapes+1);
+    }
+    if (retval == NULL) return NULL;
+    vp2 = retval;
+    for (vp=value; *vp; vp++) {
+	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) 
+				*vp2++ = SECMOD_ARG_ESCAPE;
+	*vp2++ = *vp;
+    }
+    return retval;
+}
+    
+static char *secmod_formatPair(char *name,char *value, char quote)
+{
+    char openQuote = quote;
+    char closeQuote = secmod_argGetPair(quote);
+    char *newValue = NULL;
+    char *returnValue;
+    PRBool need_quote = PR_FALSE;
+
+    if (!value || (*value == 0)) return secmod_nullString;
+
+    if (secmod_argHasBlanks(value) || secmod_argIsQuote(value[0]))
+							 need_quote=PR_TRUE;
+
+    if ((need_quote && secmod_argHasChar(value,closeQuote))
+				 || secmod_argHasChar(value,SECMOD_ARG_ESCAPE)) {
+	value = newValue = secmod_formatValue(NULL, value,quote);
+	if (newValue == NULL) return secmod_nullString;
+    }
+    if (need_quote) {
+    	returnValue = PR_smprintf("%s=%c%s%c",name,openQuote,value,closeQuote);
+    } else {
+    	returnValue = PR_smprintf("%s=%s",name,value);
+    }
+    if (returnValue == NULL) returnValue = secmod_nullString;
+
+    if (newValue) PORT_Free(newValue);
+
+    return returnValue;
+}
+
+static char *secmod_formatIntPair(char *name, unsigned long value, 
+                                  unsigned long def)
+{
+    char *returnValue;
+
+    if (value == def) return secmod_nullString;
+
+    returnValue = PR_smprintf("%s=%d",name,value);
+
+    return returnValue;
+}
+
+static void
+secmod_freePair(char *pair)
+{
+    if (pair && pair != secmod_nullString) {
+	PR_smprintf_free(pair);
+    }
+}
+
+#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
+				sizeof("moduleDBOnly")+sizeof("critical")
+static char *
+secmod_mkNSSFlags(PRBool internal, PRBool isFIPS,
+		PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
+{
+    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,MAX_FLAG_SIZE);
+    if (internal) {
+	PORT_Strcat(flags,"internal");
+	first = PR_FALSE;
+    }
+    if (isFIPS) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"FIPS");
+	first = PR_FALSE;
+    }
+    if (isModuleDB) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDB");
+	first = PR_FALSE;
+    }
+    if (isModuleDBOnly) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDBOnly");
+	first = PR_FALSE;
+    }
+    if (isCritical) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"critical");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+secmod_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
+{
+    char *cipher = NULL;
+    int i;
+
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl0 & (1<<i)) {
+	    char *string;
+	    if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
+		string = PR_smprintf("%s","FORTEZZA");
+	    } else {
+		string = PR_smprintf("0h0x%08x",1<<i);
+	    }
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,%s",cipher,string);
+		PR_smprintf_free(cipher);
+		PR_smprintf_free(string);
+		cipher = tmp;
+	    } else {
+		cipher = string;
+	    }
+	}
+    }
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl1 & (1<<i)) {
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,0l0x%08x",cipher,1<<i);
+		PR_smprintf_free(cipher);
+		cipher = tmp;
+	    } else {
+		cipher = PR_smprintf("0l0x%08x",1<<i);
+	    }
+	}
+    }
+
+    return cipher;
+}
+
+static char *
+secmod_mkSlotFlags(unsigned long defaultFlags)
+{
+    char *flags=NULL;
+    int i,j;
+
+    for (i=0; i < sizeof(defaultFlags)*8; i++) {
+	if (defaultFlags & (1<<i)) {
+	    char *string = NULL;
+
+	    for (j=0; j < secmod_argSlotFlagTableSize; j++) {
+		if (secmod_argSlotFlagTable[j].value == ( 1UL << i )) {
+		    string = secmod_argSlotFlagTable[j].name;
+		    break;
+		}
+	    }
+	    if (string) {
+		if (flags) {
+		    char *tmp;
+		    tmp = PR_smprintf("%s,%s",flags,string);
+		    PR_smprintf_free(flags);
+		    flags = tmp;
+		} else {
+		    flags = PR_smprintf("%s",string);
+		}
+	    }
+	}
+    }
+
+    return flags;
+}
+
+#define SECMOD_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
+
+static char *
+secmod_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
+{
+    char *flags= (char *)PORT_ZAlloc(SECMOD_MAX_ROOT_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,SECMOD_MAX_ROOT_FLAG_SIZE);
+    if (hasRootCerts) {
+	PORT_Strcat(flags,"hasRootCerts");
+	first = PR_FALSE;
+    }
+    if (hasRootTrust) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"hasRootTrust");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+secmod_mkSlotString(unsigned long slotID, unsigned long defaultFlags,
+		  unsigned long timeout, unsigned char askpw_in,
+		  PRBool hasRootCerts, PRBool hasRootTrust) {
+    char *askpw,*flags,*rootFlags,*slotString;
+    char *flagPair,*rootFlagsPair;
+	
+    switch (askpw_in) {
+    case 0xff:
+	askpw = "every";
+	break;
+    case 1:
+	askpw = "timeout";
+	break;
+    default:
+	askpw = "any";
+	break;
+    }
+    flags = secmod_mkSlotFlags(defaultFlags);
+    rootFlags = secmod_mkRootFlags(hasRootCerts,hasRootTrust);
+    flagPair=secmod_formatPair("slotFlags",flags,'\'');
+    rootFlagsPair=secmod_formatPair("rootFlags",rootFlags,'\'');
+    if (flags) PR_smprintf_free(flags);
+    if (rootFlags) PORT_Free(rootFlags);
+    if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
+    	slotString = PR_smprintf("0x%08lx=[%s askpw=%s timeout=%d %s]",
+				(PRUint32)slotID,flagPair,askpw,timeout,
+				rootFlagsPair);
+    } else {
+    	slotString = PR_smprintf("0x%08lx=[%s %s]",
+				(PRUint32)slotID,flagPair,rootFlagsPair);
+    }
+    secmod_freePair(flagPair);
+    secmod_freePair(rootFlagsPair);
+    return slotString;
+}
+
+static char *
+secmod_mkNSS(char **slotStrings, int slotCount, PRBool internal, PRBool isFIPS,
+	  PRBool isModuleDB,  PRBool isModuleDBOnly, PRBool isCritical, 
+	  unsigned long trustOrder, unsigned long cipherOrder,
+				unsigned long ssl0, unsigned long ssl1) {
+    int slotLen, i;
+    char *slotParams, *ciphers, *nss, *nssFlags, *tmp;
+    char *trustOrderPair,*cipherOrderPair,*slotPair,*cipherPair,*flagPair;
+
+
+    /* now let's build up the string
+     * first the slot infos
+     */
+    slotLen=0;
+    for (i=0; i < (int)slotCount; i++) {
+	slotLen += PORT_Strlen(slotStrings[i])+1;
+    }
+    slotLen += 1; /* space for the final NULL */
+
+    slotParams = (char *)PORT_ZAlloc(slotLen);
+    PORT_Memset(slotParams,0,slotLen);
+    for (i=0; i < (int)slotCount; i++) {
+	PORT_Strcat(slotParams,slotStrings[i]);
+	PORT_Strcat(slotParams," ");
+	PR_smprintf_free(slotStrings[i]);
+	slotStrings[i]=NULL;
+    }
+    
+    /*
+     * now the NSS structure
+     */
+    nssFlags = secmod_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
+							isCritical); 
+	/* for now only the internal module is critical */
+    ciphers = secmod_mkCipherFlags(ssl0, ssl1);
+
+    trustOrderPair=secmod_formatIntPair("trustOrder",trustOrder,
+					SECMOD_DEFAULT_TRUST_ORDER);
+    cipherOrderPair=secmod_formatIntPair("cipherOrder",cipherOrder,
+					SECMOD_DEFAULT_CIPHER_ORDER);
+    slotPair=secmod_formatPair("slotParams",slotParams,'{'); /* } */
+    if (slotParams) PORT_Free(slotParams);
+    cipherPair=secmod_formatPair("ciphers",ciphers,'\'');
+    if (ciphers) PR_smprintf_free(ciphers);
+    flagPair=secmod_formatPair("Flags",nssFlags,'\'');
+    if (nssFlags) PORT_Free(nssFlags);
+    nss = PR_smprintf("%s %s %s %s %s",trustOrderPair,
+			cipherOrderPair,slotPair,cipherPair,flagPair);
+    secmod_freePair(trustOrderPair);
+    secmod_freePair(cipherOrderPair);
+    secmod_freePair(slotPair);
+    secmod_freePair(cipherPair);
+    secmod_freePair(flagPair);
+    tmp = secmod_argStrip(nss);
+    if (*tmp == '\0') {
+	PR_smprintf_free(nss);
+	nss = NULL;
+    }
+    return nss;
+}
+
+static char *
+secmod_mkNewModuleSpec(char *dllName, char *commonName, char *parameters, 
+								char *NSS) {
+    char *moduleSpec;
+    char *lib,*name,*param,*nss;
+
+    /*
+     * now the final spec
+     */
+    lib = secmod_formatPair("library",dllName,'\"');
+    name = secmod_formatPair("name",commonName,'\"');
+    param = secmod_formatPair("parameters",parameters,'\"');
+    nss = secmod_formatPair("NSS",NSS,'\"');
+    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
+    secmod_freePair(lib);
+    secmod_freePair(name);
+    secmod_freePair(param);
+    secmod_freePair(nss);
+    return (moduleSpec);
+}
+
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
new file mode 100644
index 000000000..3f0771b33
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -0,0 +1,4218 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secport.h"
+#include "secrng.h"
+#include "nss.h"
+#include "prtypes.h"
+#include "nspr.h"
+#include "softkver.h"
+#include "secoid.h"
+#include "sftkdb.h"
+#include "sftkpars.h"
+
+/*
+ * ******************** Static data *******************************
+ */
+
+/* The next three strings must be exactly 32 characters long */
+static char *manufacturerID      = "Mozilla Foundation              ";
+static char manufacturerID_space[33];
+static char *libraryDescription  = "NSS Internal Crypto Services    ";
+static char libraryDescription_space[33];
+
+/*
+ * In FIPS mode, we disallow login attempts for 1 second after a login
+ * failure so that there are at most 60 login attempts per minute.
+ */
+static PRIntervalTime loginWaitTime;
+static PRUint32	      minSessionObjectHandle = 1U;
+
+#define __PASTE(x,y)    x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+		CK_RV __PASTE(NS,func)
+#define CK_NEED_ARG_LIST	1
+ 
+#include "pkcs11f.h"
+ 
+ 
+ 
+/* build the crypto module table */
+static const CK_FUNCTION_LIST sftk_funcList = {
+    { 1, 10 },
+ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+ 
+#define CK_PKCS11_FUNCTION_INFO(func) \
+				__PASTE(NS,func),
+#include "pkcs11f.h"
+ 
+};
+ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+ 
+ 
+#undef __PASTE
+
+/* List of DES Weak Keys */ 
+typedef unsigned char desKey[8];
+static const desKey  sftk_desWeakTable[] = {
+#ifdef noParity
+    /* weak */
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e },
+    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 },
+    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+    /* semi-weak */
+    { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe },
+    { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe },
+
+    { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 },
+    { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
+
+    { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f },
+    { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
+
+    { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+    { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
+
+    { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e },
+    { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 },
+
+    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe },
+    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
+#else
+    /* weak */
+    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+    { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e },
+    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 },
+    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+
+    /* semi-weak */
+    { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe },
+    { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 },
+
+    { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 },
+    { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e },
+
+    { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 },
+    { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 },
+
+    { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+    { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e },
+
+    { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e },
+    { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 },
+
+    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe }, 
+    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
+#endif
+};
+
+    
+static const int sftk_desWeakTableSize = sizeof(sftk_desWeakTable)/
+						sizeof(sftk_desWeakTable[0]);
+
+/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
+ * that byte with the proper parity bit set */
+static const unsigned char parityTable[256] = {
+/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
+/* E */   0x01,0x02,0x04,0x07,0x08,0x0b,0x0d,0x0e,
+/* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
+/* O */   0x10,0x13,0x15,0x16,0x19,0x1a,0x1c,0x1f,
+/* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
+/* O */   0x20,0x23,0x25,0x26,0x29,0x2a,0x2c,0x2f,
+/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
+/* E */   0x31,0x32,0x34,0x37,0x38,0x3b,0x3d,0x3e,
+/* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
+/* O */   0x40,0x43,0x45,0x46,0x49,0x4a,0x4c,0x4f,
+/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
+/* E */   0x51,0x52,0x54,0x57,0x58,0x5b,0x5d,0x5e,
+/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
+/* E */   0x61,0x62,0x64,0x67,0x68,0x6b,0x6d,0x6e,
+/* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
+/* O */   0x70,0x73,0x75,0x76,0x79,0x7a,0x7c,0x7f,
+/* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
+/* O */   0x80,0x83,0x85,0x86,0x89,0x8a,0x8c,0x8f,
+/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
+/* E */   0x91,0x92,0x94,0x97,0x98,0x9b,0x9d,0x9e,
+/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
+/* E */   0xa1,0xa2,0xa4,0xa7,0xa8,0xab,0xad,0xae,
+/* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
+/* O */   0xb0,0xb3,0xb5,0xb6,0xb9,0xba,0xbc,0xbf,
+/* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
+/* E */   0xc1,0xc2,0xc4,0xc7,0xc8,0xcb,0xcd,0xce,
+/* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
+/* O */   0xd0,0xd3,0xd5,0xd6,0xd9,0xda,0xdc,0xdf,
+/* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
+/* O */   0xe0,0xe3,0xe5,0xe6,0xe9,0xea,0xec,0xef,
+/* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
+/* E */   0xf1,0xf2,0xf4,0xf7,0xf8,0xfb,0xfd,0xfe,
+};
+
+/* Mechanisms */
+struct mechanismList {
+    CK_MECHANISM_TYPE	type;
+    CK_MECHANISM_INFO	info;
+    PRBool		privkey;
+};
+
+/*
+ * the following table includes a complete list of mechanism defined by
+ * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
+ * module are ifdef'ed out.
+ */
+#define CKF_EN_DE		CKF_ENCRYPT      | CKF_DECRYPT
+#define CKF_WR_UN		CKF_WRAP         | CKF_UNWRAP
+#define CKF_SN_VR		CKF_SIGN         | CKF_VERIFY
+#define CKF_SN_RE		CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
+
+#define CKF_EN_DE_WR_UN 	CKF_EN_DE       | CKF_WR_UN
+#define CKF_SN_VR_RE		CKF_SN_VR       | CKF_SN_RE
+#define CKF_DUZ_IT_ALL		CKF_EN_DE_WR_UN | CKF_SN_VR_RE
+
+#define CKF_EC_PNU		CKF_EC_FP | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS
+
+#define CKF_EC_BPNU		CKF_EC_F_2M | CKF_EC_PNU
+
+#define CK_MAX 0xffffffff
+
+static const struct mechanismList mechanisms[] = {
+
+     /*
+      * PKCS #11 Mechanism List.
+      *
+      * The first argument is the PKCS #11 Mechanism we support.
+      * The second argument is Mechanism info structure. It includes:
+      *    The minimum key size,
+      *       in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+      *       in bytes for RC5, AES, Camellia, and CAST*
+      *       ignored for DES*, IDEA and FORTEZZA based
+      *    The maximum key size,
+      *       in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+      *       in bytes for RC5, AES, Camellia, and CAST*
+      *       ignored for DES*, IDEA and FORTEZZA based
+      *     Flags
+      *	      What operations are supported by this mechanism.
+      *  The third argument is a bool which tells if this mechanism is 
+      *    supported in the database token.
+      *
+      */
+
+     /* ------------------------- RSA Operations ---------------------------*/
+     {CKM_RSA_PKCS_KEY_PAIR_GEN,{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_GENERATE_KEY_PAIR},PR_TRUE},
+     {CKM_RSA_PKCS,             {RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_DUZ_IT_ALL},       PR_TRUE},
+#ifdef SFTK_RSA9796_SUPPORTED
+     {CKM_RSA_9796,		{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_DUZ_IT_ALL},       PR_TRUE},
+#endif
+     {CKM_RSA_X_509,		{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_DUZ_IT_ALL},       PR_TRUE},
+     /* -------------- RSA Multipart Signing Operations -------------------- */
+     {CKM_MD2_RSA_PKCS,		{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_MD5_RSA_PKCS,		{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA1_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA256_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA384_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA512_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
+     /* ------------------------- DSA Operations --------------------------- */
+     {CKM_DSA_KEY_PAIR_GEN,	{DSA_MIN_P_BITS, DSA_MAX_P_BITS,
+				 CKF_GENERATE_KEY_PAIR}, PR_TRUE},
+     {CKM_DSA,			{DSA_MIN_P_BITS, DSA_MAX_P_BITS, 
+				 CKF_SN_VR},              PR_TRUE},
+     {CKM_DSA_SHA1,		{DSA_MIN_P_BITS, DSA_MAX_P_BITS,
+				 CKF_SN_VR},              PR_TRUE},
+     /* -------------------- Diffie Hellman Operations --------------------- */
+     /* no diffie hellman yet */
+     {CKM_DH_PKCS_KEY_PAIR_GEN,	{DH_MIN_P_BITS, DH_MAX_P_BITS, 
+				 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, 
+     {CKM_DH_PKCS_DERIVE,	{DH_MIN_P_BITS, DH_MAX_P_BITS,
+				 CKF_DERIVE}, 	PR_TRUE}, 
+#ifdef NSS_ENABLE_ECC
+     /* -------------------- Elliptic Curve Operations --------------------- */
+     {CKM_EC_KEY_PAIR_GEN,      {112, 571, CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDH1_DERIVE,         {112, 571, CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDSA,                {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
+     {CKM_ECDSA_SHA1,           {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
+#endif /* NSS_ENABLE_ECC */
+     /* ------------------------- RC2 Operations --------------------------- */
+     {CKM_RC2_KEY_GEN,		{1, 128, CKF_GENERATE},		PR_TRUE},
+     {CKM_RC2_ECB,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_RC2_CBC,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_RC2_MAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_RC2_MAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_RC2_CBC_PAD,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
+     /* ------------------------- RC4 Operations --------------------------- */
+     {CKM_RC4_KEY_GEN,		{1, 256, CKF_GENERATE},		PR_FALSE},
+     {CKM_RC4,			{1, 256, CKF_EN_DE_WR_UN},	PR_FALSE},
+     /* ------------------------- DES Operations --------------------------- */
+     {CKM_DES_KEY_GEN,		{ 8,  8, CKF_GENERATE},		PR_TRUE},
+     {CKM_DES_ECB,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_DES_CBC,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_DES_MAC,		{ 8,  8, CKF_SN_VR},		PR_TRUE},
+     {CKM_DES_MAC_GENERAL,	{ 8,  8, CKF_SN_VR},		PR_TRUE},
+     {CKM_DES_CBC_PAD,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_DES2_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_TRUE},
+     {CKM_DES3_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_TRUE },
+     {CKM_DES3_ECB,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     {CKM_DES3_CBC,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     {CKM_DES3_MAC,		{24, 24, CKF_SN_VR},		PR_TRUE },
+     {CKM_DES3_MAC_GENERAL,	{24, 24, CKF_SN_VR},		PR_TRUE },
+     {CKM_DES3_CBC_PAD,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     /* ------------------------- CDMF Operations --------------------------- */
+     {CKM_CDMF_KEY_GEN,		{8,  8, CKF_GENERATE},		PR_TRUE},
+     {CKM_CDMF_ECB,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_CDMF_CBC,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_CDMF_MAC,		{8,  8, CKF_SN_VR},		PR_TRUE},
+     {CKM_CDMF_MAC_GENERAL,	{8,  8, CKF_SN_VR},		PR_TRUE},
+     {CKM_CDMF_CBC_PAD,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
+     /* ------------------------- AES Operations --------------------------- */
+     {CKM_AES_KEY_GEN,		{16, 32, CKF_GENERATE},		PR_TRUE},
+     {CKM_AES_ECB,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_AES_CBC,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_AES_MAC,		{16, 32, CKF_SN_VR},		PR_TRUE},
+     {CKM_AES_MAC_GENERAL,	{16, 32, CKF_SN_VR},		PR_TRUE},
+     {CKM_AES_CBC_PAD,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
+     /* ------------------------- Camellia Operations --------------------- */
+     {CKM_CAMELLIA_KEY_GEN,	{16, 32, CKF_GENERATE},         PR_TRUE},
+     {CKM_CAMELLIA_ECB,  	{16, 32, CKF_EN_DE_WR_UN},      PR_TRUE},
+     {CKM_CAMELLIA_CBC, 	{16, 32, CKF_EN_DE_WR_UN},      PR_TRUE},
+     {CKM_CAMELLIA_MAC, 	{16, 32, CKF_SN_VR},            PR_TRUE},
+     {CKM_CAMELLIA_MAC_GENERAL,	{16, 32, CKF_SN_VR},            PR_TRUE},
+     {CKM_CAMELLIA_CBC_PAD,	{16, 32, CKF_EN_DE_WR_UN},      PR_TRUE},
+     /* ------------------------- Hashing Operations ----------------------- */
+     {CKM_MD2,			{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_MD2_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_MD2_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_MD5,			{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_MD5_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_MD5_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA_1,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA_1_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA_1_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA256,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA256_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA256_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA384,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA384_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA384_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA512,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA512_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA512_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_TLS_PRF_GENERAL,	{0, 512, CKF_SN_VR},		PR_FALSE},
+     /* ------------------------- CAST Operations --------------------------- */
+#ifdef NSS_SOFTOKEN_DOES_CAST
+     /* Cast operations are not supported ( yet? ) */
+     {CKM_CAST_KEY_GEN,		{1,  8, CKF_GENERATE},		PR_TRUE}, 
+     {CKM_CAST_ECB,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST_CBC,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST_MAC,		{1,  8, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST_MAC_GENERAL,	{1,  8, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST_CBC_PAD,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST3_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_TRUE}, 
+     {CKM_CAST3_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST3_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST3_MAC,		{1, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST3_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST3_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST5_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_TRUE}, 
+     {CKM_CAST5_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST5_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_CAST5_MAC,		{1, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST5_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_CAST5_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+     /* ------------------------- RC5 Operations --------------------------- */
+     {CKM_RC5_KEY_GEN,		{1, 32, CKF_GENERATE},          PR_TRUE},
+     {CKM_RC5_ECB,		{1, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_RC5_CBC,		{1, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
+     {CKM_RC5_MAC,		{1, 32, CKF_SN_VR},  		PR_TRUE},
+     {CKM_RC5_MAC_GENERAL,	{1, 32, CKF_SN_VR},  		PR_TRUE},
+     {CKM_RC5_CBC_PAD,		{1, 32, CKF_EN_DE_WR_UN}, 	PR_TRUE},
+#endif
+#ifdef NSS_SOFTOKEN_DOES_IDEA
+     /* ------------------------- IDEA Operations -------------------------- */
+     {CKM_IDEA_KEY_GEN,		{16, 16, CKF_GENERATE}, 	PR_TRUE}, 
+     {CKM_IDEA_ECB,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_IDEA_CBC,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
+     {CKM_IDEA_MAC,		{16, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_IDEA_MAC_GENERAL,	{16, 16, CKF_SN_VR},		PR_TRUE}, 
+     {CKM_IDEA_CBC_PAD,		{16, 16, CKF_EN_DE_WR_UN}, 	PR_TRUE}, 
+#endif
+     /* --------------------- Secret Key Operations ------------------------ */
+     {CKM_GENERIC_SECRET_KEY_GEN,	{1, 32, CKF_GENERATE}, PR_TRUE}, 
+     {CKM_CONCATENATE_BASE_AND_KEY,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_CONCATENATE_BASE_AND_DATA,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_CONCATENATE_DATA_AND_BASE,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_XOR_BASE_AND_DATA,		{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_EXTRACT_KEY_FROM_KEY,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
+     /* ---------------------- SSL Key Derivations ------------------------- */
+     {CKM_SSL3_PRE_MASTER_KEY_GEN,	{48, 48, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_SSL3_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_MD5_MAC,			{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_SHA1_MAC,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_MD5_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_MD2_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SHA1_KEY_DERIVATION,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     /* ---------------------- PBE Key Derivations  ------------------------ */
+     {CKM_PBE_MD2_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
+     {CKM_PBE_MD5_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
+     /* ------------------ NETSCAPE PBE Key Derivations  ------------------- */
+     {CKM_NETSCAPE_PBE_SHA1_DES_CBC,	     { 8, 8, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_DES3_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_DES2_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC2_40_CBC,		     {40,40, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC2_128_CBC,		     {128,128, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC4_40,		     {40,40, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC4_128,		     {128,128, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBA_SHA1_WITH_SHA1_HMAC,	     {20,20, CKF_GENERATE}, PR_TRUE},
+     {CKM_PKCS5_PBKD2,   		     {1,256, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN,    {20,20, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
+     /* ------------------ AES Key Wrap (also encrypt)  ------------------- */
+     {CKM_NETSCAPE_AES_KEY_WRAP,	{16, 32, CKF_EN_DE_WR_UN},  PR_TRUE},
+     {CKM_NETSCAPE_AES_KEY_WRAP_PAD,	{16, 32, CKF_EN_DE_WR_UN},  PR_TRUE},
+};
+static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
+
+static PRBool nsc_init = PR_FALSE;
+
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+
+#include <pthread.h>
+
+PRBool forked = PR_FALSE;
+
+void ForkedChild(void)
+{
+    if (nsc_init || nsf_init) {
+        forked = PR_TRUE;
+    }
+}
+
+#endif
+
+static char *
+sftk_setStringName(const char *inString, char *buffer, int buffer_length, 		PRBool nullTerminate)
+{
+    int full_length, string_length;
+
+    full_length = nullTerminate ? buffer_length -1 : buffer_length;
+    string_length = PORT_Strlen(inString);
+    /* 
+     *  shorten the string, respecting utf8 encoding
+     *  to do so, we work backward from the end 
+     *  bytes looking from the end are either:
+     *    - ascii [0x00,0x7f]
+     *    - the [2-n]th byte of a multibyte sequence 
+     *        [0x3F,0xBF], i.e, most significant 2 bits are '10'
+     *    - the first byte of a multibyte sequence [0xC0,0xFD],
+     *        i.e, most significant 2 bits are '11'
+     *
+     *    When the string is too long, we lop off any trailing '10' bytes,
+     *  if any. When these are all eliminated we lop off
+     *  one additional byte. Thus if we lopped any '10'
+     *  we'll be lopping a '11' byte (the first byte of the multibyte sequence),
+     *  otherwise we're lopping off an ascii character.
+     *
+     *    To test for '10' bytes, we first AND it with 
+     *  11000000 (0xc0) so that we get 10000000 (0x80) if and only if
+     *  the byte starts with 10. We test for equality.
+     */
+    while ( string_length > full_length ) {
+	/* need to shorten */
+	while ( string_length > 0 && 
+	      ((inString[string_length-1]&(char)0xc0) == (char)0x80)) {
+	    /* lop off '10' byte */
+	    string_length--;
+	}
+	/* 
+	 * test string_length in case bad data is received
+	 * and string consisted of all '10' bytes,
+	 * avoiding any infinite loop
+         */
+	if ( string_length ) {
+	    /* remove either '11' byte or an asci byte */
+	    string_length--;
+	}
+    }
+    PORT_Memset(buffer,' ',full_length);
+    if (nullTerminate) {
+	buffer[full_length] = 0;
+    }
+    PORT_Memcpy(buffer,inString,string_length);
+    return buffer;
+}
+/*
+ * Configuration utils
+ */
+static CK_RV
+sftk_configure(const char *man, const char *libdes)
+{
+
+    /* make sure the internationalization was done correctly... */
+    if (man) {
+	manufacturerID = sftk_setStringName(man,manufacturerID_space,
+					sizeof(manufacturerID_space), PR_TRUE);
+    }
+    if (libdes) {
+	libraryDescription = sftk_setStringName(libdes,
+		libraryDescription_space, sizeof(libraryDescription_space), 
+		PR_TRUE);
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+
+/*
+ * see if the key DB password is enabled
+ */
+static PRBool
+sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb)
+{
+    PRBool pwenabled;
+   
+    pwenabled = PR_FALSE;
+    if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+	PRBool tokenRemoved = PR_FALSE;
+    	SECStatus rv = sftkdb_CheckPassword(keydb, "", &tokenRemoved);
+	if (tokenRemoved) {
+	    sftk_CloseAllSessions(slot);
+	}
+	return (rv  == SECSuccess);
+    }
+
+    return pwenabled;
+}
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+
+/* Make sure a given attribute exists. If it doesn't, initialize it to
+ * value and len
+ */
+CK_RV
+sftk_defaultAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type,void *value,
+							unsigned int len)
+{
+    if ( !sftk_hasAttribute(object, type)) {
+	return sftk_AddAttributeType(object,type,value,len);
+    }
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Data Object 
+ */
+static CK_RV
+sftk_handleDataObject(SFTKSession *session,SFTKObject *object)
+{
+    CK_RV crv;
+
+    /* first reject private and token data objects */
+    if (sftk_isTrue(object,CKA_PRIVATE) || sftk_isTrue(object,CKA_TOKEN)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* now just verify the required date fields */
+    crv = sftk_defaultAttribute(object,CKA_APPLICATION,NULL,0);
+    if (crv != CKR_OK) return crv;
+    crv = sftk_defaultAttribute(object,CKA_VALUE,NULL,0);
+    if (crv != CKR_OK) return crv;
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Certificate Object 
+ */
+static CK_RV
+sftk_handleCertObject(SFTKSession *session,SFTKObject *object)
+{
+    CK_CERTIFICATE_TYPE type;
+    SFTKAttribute *attribute;
+    CK_RV crv;
+
+    /* certificates must have a type */
+    if ( !sftk_hasAttribute(object,CKA_CERTIFICATE_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* we can't store any certs private */
+    if (sftk_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    /* We only support X.509 Certs for now */
+    attribute = sftk_FindAttribute(object,CKA_CERTIFICATE_TYPE);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+
+    if (type != CKC_X_509) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* X.509 Certificate */
+
+    /* make sure we have a cert */
+    if ( !sftk_hasAttribute(object,CKA_VALUE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Subject is a required field */
+    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Issuer is a required field */
+    if ( !sftk_hasAttribute(object,CKA_ISSUER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Serial is a required field */
+    if ( !sftk_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* add it to the object */
+    object->objectInfo = NULL;
+    object->infoFree = (SFTKFree) NULL;
+    
+    /* now just verify the required date fields */
+    crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0);
+    if (crv != CKR_OK) { return crv; }
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+	if (certHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(certHandle, object, &object->handle);
+	sftk_freeDB(certHandle);
+	return crv;
+    }
+
+    return CKR_OK;
+}
+	
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+sftk_handleTrustObject(SFTKSession *session,SFTKObject *object)
+{
+    /* we can't store any certs private */
+    if (sftk_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !sftk_hasAttribute(object,CKA_ISSUER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !sftk_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !sftk_hasAttribute(object,CKA_CERT_SHA1_HASH) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !sftk_hasAttribute(object,CKA_CERT_MD5_HASH) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+	CK_RV crv;
+
+	if (certHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(certHandle, object, &object->handle);
+	sftk_freeDB(certHandle);
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+sftk_handleSMimeObject(SFTKSession *session,SFTKObject *object)
+{
+
+    /* we can't store any certs private */
+    if (sftk_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !sftk_hasAttribute(object,CKA_NETSCAPE_EMAIL) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *certHandle;
+	CK_RV crv;
+
+	PORT_Assert(slot);
+	if (slot == NULL) {
+	    return CKR_SESSION_HANDLE_INVALID;
+	}
+
+	certHandle = sftk_getCertDB(slot);
+	if (certHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(certHandle, object, &object->handle);
+	sftk_freeDB(certHandle);
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+sftk_handleCrlObject(SFTKSession *session,SFTKObject *object)
+{
+
+    /* we can't store any certs private */
+    if (sftk_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !sftk_hasAttribute(object,CKA_VALUE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+	CK_RV crv;
+
+	if (certHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(certHandle, object, &object->handle);
+	sftk_freeDB(certHandle);
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object 
+ */
+static CK_RV
+sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
+							 CK_KEY_TYPE key_type)
+{
+    CK_BBOOL encrypt = CK_TRUE;
+    CK_BBOOL recover = CK_TRUE;
+    CK_BBOOL wrap = CK_TRUE;
+    CK_BBOOL derive = CK_FALSE;
+    CK_BBOOL verify = CK_TRUE;
+    CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+    CK_RV crv;
+
+    switch (key_type) {
+    case CKK_RSA:
+	crv = sftk_ConstrainAttribute(object, CKA_MODULUS,
+						 RSA_MIN_MODULUS_BITS, 0, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	pubKeyAttr = CKA_MODULUS;
+	break;
+    case CKK_DSA:
+	crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME, 
+						DSA_Q_BITS, DSA_Q_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_PRIME, 
+					DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DSA_MAX_P_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DSA_MAX_P_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+    case CKK_DH:
+	crv = sftk_ConstrainAttribute(object, CKA_PRIME, 
+					DH_MIN_P_BITS, DH_MAX_P_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DH_MAX_P_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DH_MAX_P_BITS, 0);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	verify = CK_FALSE;
+	derive = CK_TRUE;
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_EC_POINT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	pubKeyAttr = CKA_EC_POINT;
+	derive = CK_TRUE;    /* for ECDH */
+	verify = CK_TRUE;    /* for ECDSA */
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* make sure the required fields exist */
+    crv = sftk_defaultAttribute(object,CKA_SUBJECT,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_ENCRYPT,&encrypt,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_VERIFY,&verify,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_VERIFY_RECOVER,
+						&recover,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_WRAP,&wrap,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_DERIVE,&derive,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    object->objectInfo = sftk_GetPubKey(object,key_type, &crv);
+    if (object->objectInfo == NULL) {
+	return crv;
+    }
+    object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey;
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+	if (certHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(certHandle, object, &object->handle);
+	sftk_freeDB(certHandle);
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+static NSSLOWKEYPrivateKey * 
+sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp);
+
+/*
+ * check the consistancy and initialize a Private Key Object 
+ */
+static CK_RV
+sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE key_type)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL encrypt = CK_TRUE;
+    CK_BBOOL sign = CK_FALSE;
+    CK_BBOOL recover = CK_TRUE;
+    CK_BBOOL wrap = CK_TRUE;
+    CK_BBOOL derive = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    SECItem mod;
+    CK_RV crv;
+
+    switch (key_type) {
+    case CKK_RSA:
+	if ( !sftk_hasAttribute(object, CKA_MODULUS)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_PRIME_1)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_PRIME_2)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_EXPONENT_1)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_EXPONENT_2)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_COEFFICIENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	/* make sure Netscape DB attribute is set correctly */
+	crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
+	if (crv != CKR_OK) return crv;
+	crv = sftk_forceAttribute(object, CKA_NETSCAPE_DB, 
+						sftk_item_expand(&mod));
+	if (mod.data) PORT_Free(mod.data);
+	if (crv != CKR_OK) return crv;
+
+	sign = CK_TRUE;
+	derive = CK_FALSE;
+	break;
+    case CKK_DSA:
+	if ( !sftk_hasAttribute(object, CKA_SUBPRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	sign = CK_TRUE;
+	derive = CK_FALSE;
+	/* fall through */
+    case CKK_DH:
+	if ( !sftk_hasAttribute(object, CKA_PRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_BASE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	encrypt = CK_FALSE;
+	sign = CK_TRUE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    crv = sftk_defaultAttribute(object,CKA_SUBJECT,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_DECRYPT,&encrypt,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_SIGN,&sign,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_SIGN_RECOVER,&recover,
+							     sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_UNWRAP,&wrap,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_DERIVE,&derive,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    /* the next two bits get modified only in the key gen and token cases */
+    crv = sftk_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* should we check the non-token RSA private keys? */
+
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+	CK_RV crv;
+
+	if (keyHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(keyHandle, object, &object->handle);
+	sftk_freeDB(keyHandle);
+	return crv;
+    } else {
+	object->objectInfo = sftk_mkPrivKey(object,key_type,&crv);
+	if (object->objectInfo == NULL) return crv;
+	object->infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey;
+    }
+    return CKR_OK;
+}
+
+/* forward declare the DES formating function for handleSecretKey */
+void sftk_FormatDESKey(unsigned char *key, int length);
+
+/* Validate secret key data, and set defaults */
+static CK_RV
+validateSecretKey(SFTKSession *session, SFTKObject *object, 
+					CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+    CK_RV crv;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    SFTKAttribute *attribute = NULL;
+    unsigned long requiredLen;
+
+    crv = sftk_defaultAttribute(object,CKA_SENSITIVE,
+				isFIPS?&cktrue:&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_ENCRYPT,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_DECRYPT,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_SIGN,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_VERIFY,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_WRAP,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_UNWRAP,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    if ( !sftk_hasAttribute(object, CKA_VALUE)) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    /* the next two bits get modified only in the key gen and token cases */
+    crv = sftk_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* some types of keys have a value length */
+    crv = CKR_OK;
+    switch (key_type) {
+    /* force CKA_VALUE_LEN to be set */
+    case CKK_GENERIC_SECRET:
+    case CKK_RC2:
+    case CKK_RC4:
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKK_RC5:
+#endif
+#ifdef NSS_SOFTOKEN_DOES_CAST
+    case CKK_CAST:
+    case CKK_CAST3:
+    case CKK_CAST5:
+#endif
+#if NSS_SOFTOKEN_DOES_IDEA
+    case CKK_IDEA:
+#endif
+	attribute = sftk_FindAttribute(object,CKA_VALUE);
+	/* shouldn't happen */
+	if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+	crv = sftk_forceAttribute(object, CKA_VALUE_LEN, 
+			&attribute->attrib.ulValueLen, sizeof(CK_ULONG));
+	sftk_FreeAttribute(attribute);
+	break;
+    /* force the value to have the correct parity */
+    case CKK_DES:
+    case CKK_DES2:
+    case CKK_DES3:
+    case CKK_CDMF:
+	attribute = sftk_FindAttribute(object,CKA_VALUE);
+	/* shouldn't happen */
+	if (attribute == NULL) 
+	    return CKR_TEMPLATE_INCOMPLETE;
+	requiredLen = sftk_MapKeySize(key_type);
+	if (attribute->attrib.ulValueLen != requiredLen) {
+	    sftk_FreeAttribute(attribute);
+	    return CKR_KEY_SIZE_RANGE;
+	}
+	sftk_FormatDESKey((unsigned char*)attribute->attrib.pValue,
+						 attribute->attrib.ulValueLen);
+	sftk_FreeAttribute(attribute);
+	break;
+    default:
+	break;
+    }
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Secret Key Object 
+ */
+static CK_RV
+sftk_handleSecretKeyObject(SFTKSession *session,SFTKObject *object,
+					CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+    CK_RV crv;
+
+    /* First validate and set defaults */
+    crv = validateSecretKey(session, object, key_type, isFIPS);
+    if (crv != CKR_OK) goto loser;
+
+    /* If the object is a TOKEN object, store in the database */
+    if (sftk_isTrue(object,CKA_TOKEN)) {
+	SFTKSlot *slot = session->slot;
+	SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+	CK_RV crv;
+
+	if (keyHandle == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	crv = sftkdb_write(keyHandle, object, &object->handle);
+	sftk_freeDB(keyHandle);
+	return crv;
+    }
+
+loser:
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object 
+ */
+static CK_RV
+sftk_handleKeyObject(SFTKSession *session, SFTKObject *object)
+{
+    SFTKAttribute *attribute;
+    CK_KEY_TYPE key_type;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv;
+
+    /* verify the required fields */
+    if ( !sftk_hasAttribute(object,CKA_KEY_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* now verify the common fields */
+    crv = sftk_defaultAttribute(object,CKA_ID,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_START_DATE,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = sftk_defaultAttribute(object,CKA_END_DATE,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    /* CKA_DERIVE is common to all keys, but it's default value is
+     * key dependent */
+    crv = sftk_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* get the key type */
+    attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
+    if (!attribute) {
+        return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+
+    switch (object->objclass) {
+    case CKO_PUBLIC_KEY:
+	return sftk_handlePublicKeyObject(session,object,key_type);
+    case CKO_PRIVATE_KEY:
+	return sftk_handlePrivateKeyObject(session,object,key_type);
+    case CKO_SECRET_KEY:
+	/* make sure the required fields exist */
+	return sftk_handleSecretKeyObject(session,object,key_type,
+			     (PRBool)(session->slot->slotID == FIPS_SLOT_ID));
+    default:
+	break;
+    }
+    return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/*
+ * check the consistancy and Verify a DSA Parameter Object 
+ */
+static CK_RV
+sftk_handleDSAParameterObject(SFTKSession *session, SFTKObject *object)
+{
+    SFTKAttribute *primeAttr = NULL;
+    SFTKAttribute *subPrimeAttr = NULL;
+    SFTKAttribute *baseAttr = NULL;
+    SFTKAttribute *seedAttr = NULL;
+    SFTKAttribute *hAttr = NULL;
+    SFTKAttribute *attribute;
+    CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
+    PQGParams params;
+    PQGVerify vfy, *verify = NULL;
+    SECStatus result,rv;
+
+    primeAttr = sftk_FindAttribute(object,CKA_PRIME);
+    if (primeAttr == NULL) goto loser;
+    params.prime.data = primeAttr->attrib.pValue;
+    params.prime.len = primeAttr->attrib.ulValueLen;
+
+    subPrimeAttr = sftk_FindAttribute(object,CKA_SUBPRIME);
+    if (subPrimeAttr == NULL) goto loser;
+    params.subPrime.data = subPrimeAttr->attrib.pValue;
+    params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
+
+    baseAttr = sftk_FindAttribute(object,CKA_BASE);
+    if (baseAttr == NULL) goto loser;
+    params.base.data = baseAttr->attrib.pValue;
+    params.base.len = baseAttr->attrib.ulValueLen;
+
+    attribute = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER);
+    if (attribute != NULL) {
+	vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;
+	sftk_FreeAttribute(attribute);
+
+	seedAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_SEED);
+	if (seedAttr == NULL) goto loser;
+	vfy.seed.data = seedAttr->attrib.pValue;
+	vfy.seed.len = seedAttr->attrib.ulValueLen;
+
+	hAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_H);
+	if (hAttr == NULL) goto loser;
+	vfy.h.data = hAttr->attrib.pValue;
+	vfy.h.len = hAttr->attrib.ulValueLen;
+
+	verify = &vfy;
+    }
+
+    crv = CKR_FUNCTION_FAILED;
+    rv = PQG_VerifyParams(&params,verify,&result);
+    if (rv == SECSuccess) {
+	crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+loser:
+    if (hAttr) sftk_FreeAttribute(hAttr);
+    if (seedAttr) sftk_FreeAttribute(seedAttr);
+    if (baseAttr) sftk_FreeAttribute(baseAttr);
+    if (subPrimeAttr) sftk_FreeAttribute(subPrimeAttr);
+    if (primeAttr) sftk_FreeAttribute(primeAttr);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Parameter Object 
+ */
+static CK_RV
+sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object)
+{
+    SFTKAttribute *attribute;
+    CK_KEY_TYPE key_type;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv;
+
+    /* verify the required fields */
+    if ( !sftk_hasAttribute(object,CKA_KEY_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* now verify the common fields */
+    crv = sftk_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* get the key type */
+    attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
+    if (!attribute) {
+        return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+
+    switch (key_type) {
+    case CKK_DSA:
+	return sftk_handleDSAParameterObject(session,object);
+	
+    default:
+	break;
+    }
+    return CKR_KEY_TYPE_INCONSISTENT;
+}
+
+/* 
+ * Handle Object does all the object consistancy checks, automatic attribute
+ * generation, attribute defaulting, etc. If handleObject succeeds, the object
+ * will be assigned an object handle, and the object installed in the session
+ * or stored in the DB.
+ */
+CK_RV
+sftk_handleObject(SFTKObject *object, SFTKSession *session)
+{
+    SFTKSlot *slot = session->slot;
+    SFTKAttribute *attribute;
+    SFTKObject *duplicateObject = NULL;
+    CK_OBJECT_HANDLE handle;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_RV crv;
+
+    /* make sure all the base object types are defined. If not set the
+     * defaults */
+    crv = sftk_defaultAttribute(object,CKA_TOKEN,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+    crv = sftk_defaultAttribute(object,CKA_PRIVATE,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+    crv = sftk_defaultAttribute(object,CKA_LABEL,NULL,0);
+    if (crv != CKR_OK) return crv;
+    crv = sftk_defaultAttribute(object,CKA_MODIFIABLE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+
+    /* don't create a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(sftk_isTrue(object,CKA_PRIVATE))) {
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+
+    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+				(sftk_isTrue(object,CKA_TOKEN))) {
+	return CKR_SESSION_READ_ONLY;
+    }
+	
+    /* Assign a unique SESSION object handle to every new object,
+     * whether it is a session object or a token object.  
+     * At this point, all new objects are structured as session objects.
+     * Objects with the CKA_TOKEN attribute true will be turned into 
+     * token objects and will have a token object handle assigned to 
+     * them by a call to sftk_mkHandle in the handler for each object 
+     * class, invoked below.
+     *
+     * It may be helpful to note/remember that 
+     * sftk_narrowToXxxObject uses sftk_isToken,
+     * sftk_isToken examines the sign bit of the object's handle, but
+     * sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute.
+     */
+    do {
+	PRUint32 wrappedAround;
+
+	duplicateObject = NULL;
+	PZ_Lock(slot->objectLock);
+	wrappedAround = slot->sessionObjectHandleCount &  SFTK_TOKEN_MASK;
+	handle        = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+	if (!handle) /* don't allow zero handle */
+	    handle = minSessionObjectHandle;  
+	slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+	/* Is there already a session object with this handle? */
+	if (wrappedAround) {
+	    sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable, \
+	                   slot->sessObjHashSize);
+	}
+	PZ_Unlock(slot->objectLock);
+    } while (duplicateObject != NULL);
+    object->handle = handle;
+
+    /* get the object class */
+    attribute = sftk_FindAttribute(object,CKA_CLASS);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+
+    /* Now handle the specific object class. 
+     * At this point, all objects are session objects, and the session
+     * number must be passed to the object class handlers.
+     */
+    switch (object->objclass) {
+    case CKO_DATA:
+	crv = sftk_handleDataObject(session,object);
+	break;
+    case CKO_CERTIFICATE:
+	crv = sftk_handleCertObject(session,object);
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = sftk_handleTrustObject(session,object);
+	break;
+    case CKO_NETSCAPE_CRL:
+	crv = sftk_handleCrlObject(session,object);
+	break;
+    case CKO_NETSCAPE_SMIME:
+	crv = sftk_handleSMimeObject(session,object);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_PUBLIC_KEY:
+    case CKO_SECRET_KEY:
+	crv = sftk_handleKeyObject(session,object);
+	break;
+    case CKO_KG_PARAMETERS:
+	crv = sftk_handleKeyParameterObject(session,object);
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	break;
+    }
+
+    /* can't fail from here on out unless the pk_handlXXX functions have
+     * failed the request */
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* Now link the object into the slot and session structures.
+     * If the object has a true CKA_TOKEN attribute, the above object
+     * class handlers will have set the sign bit in the object handle,
+     * causing the following test to be true.
+     */
+    if (sftk_isToken(object->handle)) {
+	sftk_convertSessionToToken(object);
+    } else {
+	object->slot = slot;
+	sftk_AddObject(session,object);
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * ******************** Public Key Utilities ***************************
+ */
+/* Generate a low public key structure from an object */
+NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type, 
+								CK_RV *crvp)
+{
+    NSSLOWKEYPublicKey *pubKey;
+    PLArenaPool *arena;
+    CK_RV crv;
+
+    if (object->objclass != CKO_PUBLIC_KEY) {
+	*crvp = CKR_KEY_TYPE_INCONSISTENT;
+	return NULL;
+    }
+
+    if (sftk_isToken(object->handle)) {
+/* ferret out the token object handle */
+    }
+
+    /* If we already have a key, use it */
+    if (object->objectInfo) {
+	*crvp = CKR_OK;
+	return (NSSLOWKEYPublicKey *)object->objectInfo;
+    }
+
+    /* allocate the structure */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    pubKey = (NSSLOWKEYPublicKey *)
+			PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPublicKey));
+    if (pubKey == NULL) {
+    	PORT_FreeArena(arena,PR_FALSE);
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    /* fill in the structure */
+    pubKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	pubKey->keyType = NSSLOWKEYRSAKey;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus,
+							object,CKA_MODULUS);
+    	if (crv != CKR_OK) break;
+    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent,
+						object,CKA_PUBLIC_EXPONENT);
+	break;
+    case CKK_DSA:
+	pubKey->keyType = NSSLOWKEYDSAKey;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.subPrime,
+							object,CKA_SUBPRIME);
+    	if (crv != CKR_OK) break;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.publicValue,
+							object,CKA_VALUE);
+	break;
+    case CKK_DH:
+	pubKey->keyType = NSSLOWKEYDHKey;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.publicValue,
+							object,CKA_VALUE);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	pubKey->keyType = NSSLOWKEYECKey;
+	crv = sftk_Attribute2SSecItem(arena,
+	                              &pubKey->u.ec.ecParams.DEREncoding,
+	                              object,CKA_EC_PARAMS);
+	if (crv != CKR_OK) break;
+
+	/* Fill out the rest of the ecParams structure 
+	 * based on the encoded params
+	 */
+	if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding,
+		    &pubKey->u.ec.ecParams) != SECSuccess) {
+	    crv = CKR_DOMAIN_PARAMS_INVALID;
+	    break;
+	}
+	    
+	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.ec.publicValue,
+	                              object,CKA_EC_POINT);
+	break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    *crvp = crv;
+    if (crv != CKR_OK) {
+    	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    object->objectInfo = pubKey;
+    object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey;
+    return pubKey;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    SFTKItemTemplate itemTemplate[SFTK_MAX_ITEM_TEMPLATE];
+    int itemTemplateCount = 0;
+    PLArenaPool *arena;
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL)  {
+	PORT_FreeArena(arena,PR_FALSE);
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    /* in future this would be a switch on key_type */
+    privKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	privKey->keyType = NSSLOWKEYRSAKey;
+
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.modulus,CKA_MODULUS);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.publicExponent, CKA_PUBLIC_EXPONENT);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.privateExponent, CKA_PRIVATE_EXPONENT);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.prime1, CKA_PRIME_1);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.prime2, CKA_PRIME_2);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.exponent1, CKA_EXPONENT_1);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.exponent2, CKA_EXPONENT_2);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.rsa.coefficient, CKA_COEFFICIENT);
+	itemTemplateCount++;
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+                          NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+
+    case CKK_DSA:
+	privKey->keyType = NSSLOWKEYDSAKey;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dsa.params.prime, CKA_PRIME);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dsa.params.subPrime, CKA_SUBPRIME);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dsa.params.base, CKA_BASE);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dsa.privateValue, CKA_VALUE);
+	itemTemplateCount++;
+	/* privKey was zero'd so public value is already set to NULL, 0
+	 * if we don't set it explicitly */
+	break;
+
+    case CKK_DH:
+	privKey->keyType = NSSLOWKEYDHKey;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dh.prime, CKA_PRIME);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dh.base, CKA_BASE);
+	itemTemplateCount++;
+	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+		&privKey->u.dh.privateValue, CKA_VALUE);
+	itemTemplateCount++;
+	/* privKey was zero'd so public value is already set to NULL, 0
+	 * if we don't set it explicitly */
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	privKey->keyType = NSSLOWKEYECKey;
+	crv = sftk_Attribute2SSecItem(arena, 
+				      &privKey->u.ec.ecParams.DEREncoding,
+				      object,CKA_EC_PARAMS);
+    	if (crv != CKR_OK) break;
+
+	/* Fill out the rest of the ecParams structure
+	 * based on the encoded params
+	 */
+	if (EC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
+		    &privKey->u.ec.ecParams) != SECSuccess) {
+	    crv = CKR_DOMAIN_PARAMS_INVALID;
+	    break;
+	}
+	crv = sftk_Attribute2SSecItem(arena,&privKey->u.ec.privateValue,
+							object,CKA_VALUE);
+	if (crv != CKR_OK) break;
+
+	if (sftk_hasAttribute(object, CKA_NETSCAPE_DB)) {
+	    crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.publicValue,
+ 				object, CKA_NETSCAPE_DB);
+	    if (crv != CKR_OK) break;
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
+                          NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    if (crv == CKR_OK && itemTemplateCount != 0) {
+	PORT_Assert(itemTemplateCount > 0);
+	PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE);
+	crv = sftk_MultipleAttribute2SecItem(arena, object, itemTemplate, 
+						itemTemplateCount);
+    }
+    *crvp = crv;
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    return privKey;
+}
+
+
+/* Generate a low private key structure from an object */
+NSSLOWKEYPrivateKey *
+sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+    NSSLOWKEYPrivateKey *priv = NULL;
+
+    if (object->objclass != CKO_PRIVATE_KEY) {
+	*crvp = CKR_KEY_TYPE_INCONSISTENT;
+	return NULL;
+    }
+    if (object->objectInfo) {
+	*crvp = CKR_OK;
+	return (NSSLOWKEYPrivateKey *)object->objectInfo;
+    }
+
+    priv = sftk_mkPrivKey(object, key_type, crvp);
+    object->objectInfo = priv;
+    object->infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey;
+    return priv;
+}
+
+/*
+ **************************** Symetric Key utils ************************
+ */
+/*
+ * set the DES key with parity bits correctly
+ */
+void
+sftk_FormatDESKey(unsigned char *key, int length)
+{
+    int i;
+
+    /* format the des key */
+    for (i=0; i < length; i++) {
+	key[i] = parityTable[key[i]>>1];
+    }
+}
+
+/*
+ * check a des key (des2 or des3 subkey) for weak keys.
+ */
+PRBool
+sftk_CheckDESKey(unsigned char *key)
+{
+    int i;
+
+    /* format the des key with parity  */
+    sftk_FormatDESKey(key, 8);
+
+    for (i=0; i < sftk_desWeakTableSize; i++) {
+	if (PORT_Memcmp(key,sftk_desWeakTable[i],8) == 0) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * check if a des or triple des key is weak.
+ */
+PRBool
+sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type)
+{
+
+    switch(key_type) {
+    case CKK_DES:
+	return sftk_CheckDESKey(key);
+    case CKM_DES2_KEY_GEN:
+	if (sftk_CheckDESKey(key)) return PR_TRUE;
+	return sftk_CheckDESKey(&key[8]);
+    case CKM_DES3_KEY_GEN:
+	if (sftk_CheckDESKey(key)) return PR_TRUE;
+	if (sftk_CheckDESKey(&key[8])) return PR_TRUE;
+	return sftk_CheckDESKey(&key[16]);
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+
+/**********************************************************************
+ *
+ *     Start of PKCS 11 functions 
+ *
+ **********************************************************************/
+
+
+/* return the function list */
+CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+    CHECK_FORK();
+
+    *pFunctionList = (CK_FUNCTION_LIST_PTR) &sftk_funcList;
+    return CKR_OK;
+}
+
+/* return the function list */
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+    CHECK_FORK();
+
+    return NSC_GetFunctionList(pFunctionList);
+}
+
+static PLHashNumber
+sftk_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+/*
+ * eventually I'd like to expunge all occurances of XXX_SLOT_ID and
+ * just go with the info in the slot. This is one place, however,
+ * where it might be a little difficult.
+ */
+const char *
+sftk_getDefTokName(CK_SLOT_ID slotID)
+{
+    static char buf[33];
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	return "NSS Generic Crypto Services     ";
+    case PRIVATE_KEY_SLOT_ID:
+	return "NSS Certificate DB              ";
+    case FIPS_SLOT_ID:
+        return "NSS FIPS 140-2 Certificate DB   ";
+    default:
+	break;
+    }
+    sprintf(buf,"NSS Application Token %08x  ",(unsigned int) slotID);
+    return buf;
+}
+
+const char *
+sftk_getDefSlotName(CK_SLOT_ID slotID)
+{
+    static char buf[65];
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	return 
+	 "NSS Internal Cryptographic Services                             ";
+    case PRIVATE_KEY_SLOT_ID:
+	return 
+	 "NSS User Private Key and Certificate Services                   ";
+    case FIPS_SLOT_ID:
+        return 
+         "NSS FIPS 140-2 User Private Key Services                        ";
+    default:
+	break;
+    }
+    sprintf(buf,
+     "NSS Application Slot %08x                                   ",
+							(unsigned int) slotID);
+    return buf;
+}
+
+static CK_ULONG nscSlotCount[2] = {0 , 0};
+static CK_SLOT_ID_PTR nscSlotList[2] = {NULL, NULL};
+static CK_ULONG nscSlotListSize[2] = {0, 0};
+static PLHashTable *nscSlotHashTable[2] = {NULL, NULL};
+
+static int
+sftk_GetModuleIndex(CK_SLOT_ID slotID)
+{
+    if ((slotID == FIPS_SLOT_ID) || (slotID >= SFTK_MIN_FIPS_USER_SLOT_ID)) {
+	return NSC_FIPS_MODULE;
+    }
+    return NSC_NON_FIPS_MODULE;
+}
+
+/* look up a slot structure from the ID (used to be a macro when we only
+ * had two slots) */
+/* if all is true, return the slot even if it has been 'unloaded' */
+/* if all is false, only return the slots which are present */
+SFTKSlot *
+sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
+{
+    SFTKSlot *slot;
+    int index = sftk_GetModuleIndex(slotID);
+    
+    if (nscSlotHashTable[index] == NULL) return NULL;
+    slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], 
+							(void *)slotID);
+    /* cleared slots shouldn't 'show up' */
+    if (slot && !all && !slot->present) slot = NULL;
+    return slot;
+}
+
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+    CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
+    CK_ULONG moduleIndex = (handle >> 31) & 1;
+
+    if (slotIDIndex >= nscSlotCount[moduleIndex]) {
+	return NULL;
+    }
+
+    return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
+}
+ 
+static CK_RV
+sftk_RegisterSlot(SFTKSlot *slot, int moduleIndex)
+{
+    PLHashEntry *entry;
+    int index;
+
+    index = sftk_GetModuleIndex(slot->slotID);
+
+    /* make sure the slotID for this module is valid */
+    if (moduleIndex != index) {
+	return CKR_SLOT_ID_INVALID;
+    }
+
+    if (nscSlotList[index] == NULL) {
+	nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE;
+	nscSlotList[index] = (CK_SLOT_ID *)
+		PORT_ZAlloc(nscSlotListSize[index]*sizeof(CK_SLOT_ID));
+	if (nscSlotList[index] == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+    }
+    if (nscSlotCount[index] >= nscSlotListSize[index]) {
+	CK_SLOT_ID* oldNscSlotList = nscSlotList[index];
+	CK_ULONG oldNscSlotListSize = nscSlotListSize[index];
+	nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE;
+	nscSlotList[index] = (CK_SLOT_ID *) PORT_Realloc(oldNscSlotList,
+				nscSlotListSize[index]*sizeof(CK_SLOT_ID));
+	if (nscSlotList[index] == NULL) {
+            nscSlotList[index] = oldNscSlotList;
+            nscSlotListSize[index] = oldNscSlotListSize;
+            return CKR_HOST_MEMORY;
+	}
+    }
+
+    if (nscSlotHashTable[index] == NULL) {
+	nscSlotHashTable[index] = PL_NewHashTable(64,sftk_HashNumber,
+				PL_CompareValues, PL_CompareValues, NULL, 0);
+	if (nscSlotHashTable[index] == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+    }
+
+    entry = PL_HashTableAdd(nscSlotHashTable[index],(void *)slot->slotID,slot);
+    if (entry == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80);
+    nscSlotList[index][nscSlotCount[index]++] = slot->slotID;
+
+    return CKR_OK;
+}
+
+
+/*
+ * ths function has all the common initialization that happens whenever we
+ * create a new slot or repurpose an old slot (only valid for slotID's 4 
+ * and greater).
+ *
+ * things that are not reinitialized are:
+ *   slotID (can't change)
+ *   slotDescription (can't change once defined) 
+ *   the locks and hash tables (difficult to change in running code, and
+ *     unnecessary. hash tables and list are cleared on shutdown, but they
+ *     are cleared in a 'friendly' way).
+ *   session and object ID counters -- so any old sessions and objects in the
+ *     application will get properly notified that the world has changed.
+ * 
+ * things that are reinitialized:
+ *   database (otherwise what would the point be;).
+ *   state variables related to databases.
+ *   session count stat info.
+ *   tokenDescription.
+ *
+ * NOTE: slotID's 4 and greater show up as removable devices.
+ *
+ */
+CK_RV
+SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir, 
+	char *updateID, sftk_token_parameters *params, int moduleIndex)
+{
+    PRBool needLogin = !params->noKeyDB;
+    CK_RV crv;
+
+    slot->hasTokens = PR_FALSE;
+    slot->sessionIDConflict = 0;
+    slot->sessionCount = 0;
+    slot->rwSessionCount = 0;
+    slot->needLogin = PR_FALSE;
+    slot->isLoggedIn = PR_FALSE;
+    slot->ssoLoggedIn = PR_FALSE;
+    slot->DB_loaded = PR_FALSE;
+    slot->certDB = NULL;
+    slot->keyDB = NULL;
+    slot->minimumPinLen = 0;
+    slot->readOnly = params->readOnly;
+    sftk_setStringName(params->tokdes ? params->tokdes : 
+	sftk_getDefTokName(slot->slotID), slot->tokDescription, 
+					sizeof(slot->tokDescription),PR_TRUE);
+    sftk_setStringName(params->updtokdes ? params->updtokdes : " ", 
+				slot->updateTokDescription, 
+				sizeof(slot->updateTokDescription),PR_TRUE);
+
+    if ((!params->noCertDB) || (!params->noKeyDB)) {
+	SFTKDBHandle * certHandle = NULL;
+	SFTKDBHandle *keyHandle = NULL;
+	crv = sftk_DBInit(params->configdir ? params->configdir : configdir,
+		params->certPrefix, params->keyPrefix, 
+		params->updatedir ? params->updatedir : updatedir,
+		params->updCertPrefix, params->updKeyPrefix,
+		params->updateID  ? params->updateID : updateID, 
+		params->readOnly, params->noCertDB, params->noKeyDB,
+		params->forceOpen, &certHandle, &keyHandle);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+
+	slot->certDB = certHandle;
+	slot->keyDB = keyHandle;
+    }
+    if (needLogin) {
+	/* if the data base is initialized with a null password,remember that */
+	slot->needLogin = 
+		(PRBool)!sftk_hasNullPassword(slot, slot->keyDB);
+	if ((params->minPW >= 0) && (params->minPW <= SFTK_MAX_PIN)) {
+	    slot->minimumPinLen = params->minPW;
+	}
+	if ((slot->minimumPinLen == 0) && (params->pwRequired)) {
+	    slot->minimumPinLen = 1;
+	}
+	if ((moduleIndex == NSC_FIPS_MODULE) &&
+		(slot->minimumPinLen < FIPS_MIN_PIN)) {
+	    slot->minimumPinLen = FIPS_MIN_PIN;
+	}
+    }
+
+    slot->present = PR_TRUE;
+    return CKR_OK;
+
+loser:
+    SFTK_ShutdownSlot(slot);
+    return crv;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+		sftk_token_parameters *params, int moduleIndex)
+{
+    unsigned int i;
+    CK_SLOT_ID slotID = params->slotID;
+    SFTKSlot *slot;
+    CK_RV crv = CKR_HOST_MEMORY;
+
+    /*
+     * first we initialize everything that is 'permanent' with this slot.
+     * that is everything we aren't going to shutdown if we close this slot
+     * and open it up again with different databases */
+
+    slot = PORT_ZNew(SFTKSlot);
+
+    if (slot == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    slot->optimizeSpace = params->optimizeSpace;
+    if (slot->optimizeSpace) {
+	slot->sessObjHashSize = SPACE_SESSION_OBJECT_HASH_SIZE;
+	slot->sessHashSize = SPACE_SESSION_HASH_SIZE;
+	slot->numSessionLocks = 1;
+    } else {
+	slot->sessObjHashSize = TIME_SESSION_OBJECT_HASH_SIZE;
+	slot->sessHashSize = TIME_SESSION_HASH_SIZE;
+	slot->numSessionLocks = slot->sessHashSize/BUCKETS_PER_SESSION_LOCK;
+    }
+    slot->sessionLockMask = slot->numSessionLocks-1;
+
+    slot->slotLock = PZ_NewLock(nssILockSession);
+    if (slot->slotLock == NULL)
+	goto mem_loser;
+    slot->sessionLock = PORT_ZNewArray(PZLock *, slot->numSessionLocks);
+    if (slot->sessionLock == NULL)
+	goto mem_loser;
+    for (i=0; i < slot->numSessionLocks; i++) {
+        slot->sessionLock[i] = PZ_NewLock(nssILockSession);
+        if (slot->sessionLock[i] == NULL) 
+	    goto mem_loser;
+    }
+    slot->objectLock = PZ_NewLock(nssILockObject);
+    if (slot->objectLock == NULL) 
+    	goto mem_loser;
+    slot->pwCheckLock = PR_NewLock();
+    if (slot->pwCheckLock == NULL) 
+    	goto mem_loser;
+    slot->head = PORT_ZNewArray(SFTKSession *, slot->sessHashSize);
+    if (slot->head == NULL) 
+	goto mem_loser;
+    slot->sessObjHashTable = PORT_ZNewArray(SFTKObject *, slot->sessObjHashSize);
+    if (slot->sessObjHashTable == NULL) 
+	goto mem_loser;
+    slot->tokObjHashTable = PL_NewHashTable(64,sftk_HashNumber,PL_CompareValues,
+					SECITEM_HashCompare, NULL, 0);
+    if (slot->tokObjHashTable == NULL) 
+	goto mem_loser;
+
+    slot->sessionIDCount = 0;
+    slot->sessionObjectHandleCount = minSessionObjectHandle;
+    slot->slotID = slotID;
+    sftk_setStringName(params->slotdes ? params->slotdes : 
+	      sftk_getDefSlotName(slotID), slot->slotDescription, 
+					sizeof(slot->slotDescription), PR_TRUE);
+
+    /* call the reinit code to set everything that changes between token
+     * init calls */
+    crv = SFTK_SlotReInit(slot, configdir, updatedir, updateID,
+			   params, moduleIndex);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = sftk_RegisterSlot(slot, moduleIndex);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    return CKR_OK;
+
+mem_loser:
+    crv = CKR_HOST_MEMORY;
+loser:
+   SFTK_DestroySlotData(slot);
+    return crv;
+}
+
+
+CK_RV sftk_CloseAllSessions(SFTKSlot *slot)
+{
+    SFTKSession *session;
+    unsigned int i;
+    SFTKDBHandle *handle;
+
+    /* first log out the card */
+    handle = sftk_getKeyDB(slot);
+    PZ_Lock(slot->slotLock);
+    slot->isLoggedIn = PR_FALSE;
+    if (handle) {
+	sftkdb_ClearPassword(handle);
+    }
+    PZ_Unlock(slot->slotLock);
+    if (handle) {
+        sftk_freeDB(handle);
+    }
+
+    /* now close all the current sessions */
+    /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
+     * completes, some of those new sessions may or may not be closed by
+     * NSC_CloseAllSessions... but any session running when this code starts
+     * will guarrenteed be close, and no session will be partially closed */
+    for (i=0; i < slot->sessHashSize; i++) {
+	PZLock *lock = SFTK_SESSION_LOCK(slot,i);
+	do {
+	    PZ_Lock(lock);
+	    session = slot->head[i];
+	    /* hand deque */
+	    /* this duplicates function of NSC_close session functions, but 
+	     * because we know that we are freeing all the sessions, we can
+	     * do more efficient processing */
+	    if (session) {
+		slot->head[i] = session->next;
+		if (session->next) session->next->prev = NULL;
+		session->next = session->prev = NULL;
+		PZ_Unlock(lock);
+		PZ_Lock(slot->slotLock);
+		--slot->sessionCount;
+		PZ_Unlock(slot->slotLock);
+		if (session->info.flags & CKF_RW_SESSION) {
+		    PR_AtomicDecrement(&slot->rwSessionCount);
+		}
+	    } else {
+		PZ_Unlock(lock);
+	    }
+	    if (session) sftk_FreeSession(session);
+	} while (session != NULL);
+    }
+    return CKR_OK;
+}
+
+/*
+ * shut down the databases.
+ * we get the slot lock (which also protects slot->certDB and slot->keyDB)
+ * and clear the values so the new users will not find the databases.
+ * once things are clear, we can release our references to the databases.
+ * The databases will close when the last reference is released.
+ *
+ * We use reference counts so that we don't crash if someone shuts down
+ * a token that another thread is actively using.
+ */
+static void
+sftk_DBShutdown(SFTKSlot *slot)
+{
+    SFTKDBHandle *certHandle;
+    SFTKDBHandle      *keyHandle;
+    PZ_Lock(slot->slotLock);
+    certHandle = slot->certDB;
+    slot->certDB = NULL;
+    keyHandle = slot->keyDB;
+    slot->keyDB = NULL;
+    PZ_Unlock(slot->slotLock);
+    if (certHandle) {
+	sftk_freeDB(certHandle);
+    }
+    if (keyHandle) {
+	sftk_freeDB(keyHandle);
+    }
+}
+
+CK_RV
+SFTK_ShutdownSlot(SFTKSlot *slot)
+{
+    /* make sure no new PK11 calls work except C_GetSlotInfo */
+    slot->present = PR_FALSE;
+
+    /* close all outstanding sessions
+     * the sessHashSize variable guarentees we have all the session
+     * mechanism set up */
+    if (slot->head) {
+	sftk_CloseAllSessions(slot);
+     }
+
+    /* clear all objects.. session objects are cleared as a result of
+     * closing all the sessions. We just need to clear the token object
+     * cache. slot->tokObjHashTable guarentees we have the token 
+     * infrastructure set up. */
+    if (slot->tokObjHashTable) {
+	SFTK_ClearTokenKeyHashTable(slot);
+    }
+
+    /* clear the slot description for the next guy */
+    PORT_Memset(slot->tokDescription, 0, sizeof(slot->tokDescription));
+
+    /* now shut down the databases. */
+    sftk_DBShutdown(slot);
+    return CKR_OK;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_DestroySlotData(SFTKSlot *slot)
+{
+    unsigned int i;
+
+    SFTK_ShutdownSlot(slot);
+
+    if (slot->tokObjHashTable) {
+	PL_HashTableDestroy(slot->tokObjHashTable);
+	slot->tokObjHashTable = NULL;
+    }
+
+    if (slot->sessObjHashTable) {
+	PORT_Free(slot->sessObjHashTable);
+	slot->sessObjHashTable = NULL;
+    }
+    slot->sessObjHashSize = 0;
+
+    if (slot->head) {
+	PORT_Free(slot->head);
+	slot->head = NULL;
+    }
+    slot->sessHashSize = 0;
+
+    /* OK everything has been disassembled, now we can finally get rid
+     * of the locks */
+    PZ_DestroyLock(slot->slotLock);
+    slot->slotLock = NULL;
+    if (slot->sessionLock) {
+	for (i=0; i < slot->numSessionLocks; i++) {
+	    if (slot->sessionLock[i]) {
+		PZ_DestroyLock(slot->sessionLock[i]);
+		slot->sessionLock[i] = NULL;
+	    }
+	}
+	PORT_Free(slot->sessionLock);
+	slot->sessionLock = NULL;
+    }
+    if (slot->objectLock) {
+	PZ_DestroyLock(slot->objectLock);
+	slot->objectLock = NULL;
+    }
+    if (slot->pwCheckLock) {
+	PR_DestroyLock(slot->pwCheckLock);
+	slot->pwCheckLock = NULL;
+    }
+    PORT_Free(slot);
+    return CKR_OK;
+}
+
+/*
+ * handle the SECMOD.db
+ */
+char **
+NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args)
+{
+    char *secmod = NULL;
+    char *appName = NULL;
+    char *filename = NULL;
+    SDBType dbType = SDB_LEGACY;
+    PRBool rw;
+    static char *success="Success";
+    char **rvstr = NULL;
+
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+    if (forked) return NULL;
+#endif
+
+    secmod = sftk_getSecmodName(parameters, &dbType, &appName,&filename, &rw);
+
+    switch (function) {
+    case SECMOD_MODULE_DB_FUNCTION_FIND:
+	rvstr = sftkdb_ReadSecmodDB(dbType,appName,filename,secmod,(char *)parameters,rw);
+	break;
+    case SECMOD_MODULE_DB_FUNCTION_ADD:
+	rvstr = (sftkdb_AddSecmodDB(dbType,appName,filename,secmod,(char *)args,rw) 
+				== SECSuccess) ? &success: NULL;
+	break;
+    case SECMOD_MODULE_DB_FUNCTION_DEL:
+	rvstr = (sftkdb_DeleteSecmodDB(dbType,appName,filename,secmod,(char *)args,rw)
+				 == SECSuccess) ? &success: NULL;
+	break;
+    case SECMOD_MODULE_DB_FUNCTION_RELEASE:
+	rvstr = (sftkdb_ReleaseSecmodDBData(dbType, appName,filename,secmod,
+			(char **)args,rw) == SECSuccess) ? &success: NULL;
+	break;
+    }
+    if (secmod) PR_smprintf_free(secmod);
+    if (appName) PORT_Free(appName);
+    if (filename) PORT_Free(filename);
+    return rvstr;
+}
+
+static void nscFreeAllSlots(int moduleIndex)
+{
+    /* free all the slots */
+    SFTKSlot *slot = NULL;
+    CK_SLOT_ID slotID;
+    int i;
+
+    if (nscSlotList[moduleIndex]) {
+	CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex];
+	CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex];
+	PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+	/* first close all the session */
+	for (i=0; i < (int) tmpSlotCount; i++) {
+	    slotID = tmpSlotList[i];
+	    (void) NSC_CloseAllSessions(slotID);
+	}
+
+	/* now clear out the statics */
+	nscSlotList[moduleIndex] = NULL;
+	nscSlotCount[moduleIndex] = 0;
+	nscSlotHashTable[moduleIndex] = NULL;
+	nscSlotListSize[moduleIndex] = 0;
+
+	for (i=0; i < (int) tmpSlotCount; i++) {
+	    slotID = tmpSlotList[i];
+	    slot = (SFTKSlot *)
+			PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
+	    PORT_Assert(slot);
+	    if (!slot) continue;
+	    SFTK_DestroySlotData(slot);
+	    PL_HashTableRemove(tmpSlotHashTable, (void *)slotID);
+	}
+	PORT_Free(tmpSlotList);
+	PL_HashTableDestroy(tmpSlotHashTable);
+    }
+}
+
+static void
+sftk_closePeer(PRBool isFIPS)
+{
+    CK_SLOT_ID slotID = isFIPS ? PRIVATE_KEY_SLOT_ID: FIPS_SLOT_ID;
+    SFTKSlot *slot;
+    int moduleIndex = isFIPS? NSC_NON_FIPS_MODULE : NSC_FIPS_MODULE;
+    PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+    slot = (SFTKSlot *) PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
+    if (slot == NULL) {
+	return;
+    }
+    sftk_DBShutdown(slot);
+    return;
+}
+
+/* NSC_Initialize initializes the Cryptoki library. */
+CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved;
+    int i;
+    int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
+
+    if (isFIPS) {
+	loginWaitTime = PR_SecondsToInterval(1);
+    }
+
+    rv = SECOID_Init();
+    if (rv != SECSuccess) {
+	crv = CKR_DEVICE_ERROR;
+	return crv;
+    }
+
+    rv = RNG_RNGInit();         /* initialize random number generator */
+    if (rv != SECSuccess) {
+	crv = CKR_DEVICE_ERROR;
+	return crv;
+    }
+    RNG_SystemInfoForRNG();
+
+
+    /* NOTE:
+     * we should be getting out mutexes from this list, not statically binding
+     * them from NSPR. This should happen before we allow the internal to split
+     * off from the rest on NSS.
+     */
+
+    /* initialize the key and cert db's */
+    if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK))) {
+        if (init_args->CreateMutex && init_args->DestroyMutex &&
+            init_args->LockMutex && init_args->UnlockMutex) {
+            /* softoken always uses NSPR (ie. OS locking), and doesn't know how
+             * to use the lock functions provided by the application.
+             */
+            crv = CKR_CANT_LOCK;
+            return crv;
+        }
+        if (init_args->CreateMutex || init_args->DestroyMutex ||
+            init_args->LockMutex || init_args->UnlockMutex) {
+            /* only some of the lock functions were provided by the
+             * application. This is invalid per PKCS#11 spec.
+             */
+            crv = CKR_ARGUMENTS_BAD;
+            return crv;
+        }
+    }
+    crv = CKR_ARGUMENTS_BAD;
+    if ((init_args && init_args->LibraryParameters)) {
+	sftk_parameters paramStrings;
+       
+	crv = sftk_parseParameters
+		((char *)init_args->LibraryParameters, &paramStrings, isFIPS);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = sftk_configure(paramStrings.man, paramStrings.libdes);
+        if (crv != CKR_OK) {
+	    goto loser;
+	}
+
+	/* if we have a peer already open, have him close his DB's so we
+	 * don't clobber each other. */
+	if ((isFIPS && nsc_init) || (!isFIPS && nsf_init)) {
+	    sftk_closePeer(isFIPS);
+	    if (sftk_audit_enabled) {
+		if (isFIPS && nsc_init) {
+		    sftk_LogAuditMessage(NSS_AUDIT_INFO, "enabled FIPS mode");
+		} else {
+		    sftk_LogAuditMessage(NSS_AUDIT_INFO, "disabled FIPS mode");
+		}
+	    }
+	}
+
+	for (i=0; i < paramStrings.token_count; i++) {
+	    crv = SFTK_SlotInit(paramStrings.configdir, 
+			paramStrings.updatedir, paramStrings.updateID,
+			&paramStrings.tokens[i], moduleIndex);
+	    if (crv != CKR_OK) {
+                nscFreeAllSlots(moduleIndex);
+                break;
+            }
+	}
+loser:
+	sftk_freeParams(&paramStrings);
+    }
+    if (CKR_OK == crv) {
+        sftk_InitFreeLists();
+    }
+
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+    if (CKR_OK == crv) {
+        pthread_atfork(NULL, NULL, ForkedChild);
+    }
+#endif
+    return crv;
+}
+
+CK_RV NSC_Initialize(CK_VOID_PTR pReserved)
+{
+    CK_RV crv;
+    
+    CHECK_FORK();
+
+    if (nsc_init) {
+	return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+    }
+    crv = nsc_CommonInitialize(pReserved,PR_FALSE);
+    nsc_init = (PRBool) (crv == CKR_OK);
+    return crv;
+}
+
+
+/* NSC_Finalize indicates that an application is done with the 
+ * Cryptoki library.*/
+CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+    nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE);
+
+    /* don't muck with the globals is our peer is still initialized */
+    if (isFIPS && nsc_init) {
+	return CKR_OK;
+    }
+    if (!isFIPS && nsf_init) {
+	return CKR_OK;
+    }
+
+    sftk_CleanupFreeLists();
+    sftkdb_Shutdown();
+
+    /* This function does not discard all our previously aquired entropy. */
+    RNG_RNGShutdown();
+
+    /* tell freeBL to clean up after itself */
+    BL_Cleanup();
+    /* unload freeBL shared library from memory */
+    BL_Unload();
+    /* clean up the default OID table */
+    SECOID_Shutdown();
+    nsc_init = PR_FALSE;
+
+    return CKR_OK;
+}
+
+/* NSC_Finalize indicates that an application is done with the 
+ * Cryptoki library.*/
+CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
+{
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    if (!nsc_init) {
+	return CKR_OK;
+    }
+
+    crv = nsc_CommonFinalize (pReserved, PR_FALSE);
+
+    nsc_init = (PRBool) !(crv == CKR_OK);
+
+    return crv;
+}
+
+extern const char __nss_softokn_rcsid[];
+extern const char __nss_softokn_sccsid[];
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV  NSC_GetInfo(CK_INFO_PTR pInfo)
+{
+    volatile char c; /* force a reference that won't get optimized away */
+
+    CHECK_FORK();
+    
+    c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; 
+    pInfo->cryptokiVersion.major = 2;
+    pInfo->cryptokiVersion.minor = 20;
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    pInfo->libraryVersion.major = SOFTOKEN_VMAJOR;
+    pInfo->libraryVersion.minor = SOFTOKEN_VMINOR;
+    PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
+    pInfo->flags = 0;
+    return CKR_OK;
+}
+
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV nsc_CommonGetSlotList(CK_BBOOL tokenPresent, 
+	CK_SLOT_ID_PTR	pSlotList, CK_ULONG_PTR pulCount, int moduleIndex)
+{
+    *pulCount = nscSlotCount[moduleIndex];
+    if (pSlotList != NULL) {
+	PORT_Memcpy(pSlotList,nscSlotList[moduleIndex],
+				nscSlotCount[moduleIndex]*sizeof(CK_SLOT_ID));
+    }
+    return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
+	 		CK_SLOT_ID_PTR	pSlotList, CK_ULONG_PTR pulCount)
+{
+    CHECK_FORK();
+    return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount, 
+							NSC_NON_FIPS_MODULE);
+}
+	
+/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE);
+
+    CHECK_FORK();
+
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    pInfo->firmwareVersion.major = 0;
+    pInfo->firmwareVersion.minor = 0;
+
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,
+		sizeof(pInfo->manufacturerID));
+    PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,
+		sizeof(pInfo->slotDescription));
+    pInfo->flags = (slot->present) ? CKF_TOKEN_PRESENT : 0;
+
+    /* all user defined slots are defined as removable */
+    if (slotID >= SFTK_MIN_USER_SLOT_ID) {
+	pInfo->flags |= CKF_REMOVABLE_DEVICE;
+    } else {
+	/* In the case where we are doing a merge update, we need
+	 * the DB slot to be removable so the token name can change
+	 * appropriately. */
+	SFTKDBHandle *handle = sftk_getKeyDB(slot);
+	if (handle) { 
+	    if (sftkdb_InUpdateMerge(handle)) {
+		pInfo->flags |= CKF_REMOVABLE_DEVICE;
+	    }
+            sftk_freeDB(handle);
+	}
+    }
+
+    /* ok we really should read it out of the keydb file. */
+    /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
+    pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
+    pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR;
+    return CKR_OK;
+}
+
+/*
+ * check the current state of the 'needLogin' flag in case the database has
+ * been changed underneath us.
+ */
+static PRBool
+sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle)
+{
+    if (sftkdb_PWCached(keyHandle) == SECSuccess) {
+	return slot->needLogin;
+    }
+    slot->needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
+    return (slot->needLogin);
+}
+
+static PRBool
+sftk_isBlank(const char *s, int len)
+{
+    int i;
+    for (i=0; i < len; i++) {
+	if (s[i] != ' ') {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+/* NSC_GetTokenInfo obtains information about a particular token in 
+ * the system. */
+CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo)
+{
+    SFTKSlot *slot;
+    SFTKDBHandle *handle;
+
+    CHECK_FORK();
+    
+    if (!nsc_init && !nsf_init) return CKR_CRYPTOKI_NOT_INITIALIZED;
+    slot = sftk_SlotFromID(slotID, PR_FALSE);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    PORT_Memcpy(pInfo->model,"NSS 3           ",16);
+    PORT_Memcpy(pInfo->serialNumber,"0000000000000000",16);
+    PORT_Memcpy(pInfo->utcTime,"0000000000000000",16);
+    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+    pInfo->ulSessionCount = slot->sessionCount;
+    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+    pInfo->ulRwSessionCount = slot->rwSessionCount;
+    pInfo->firmwareVersion.major = 0;
+    pInfo->firmwareVersion.minor = 0;
+    PORT_Memcpy(pInfo->label,slot->tokDescription,sizeof(pInfo->label));
+    handle = sftk_getKeyDB(slot);
+    pInfo->flags = CKF_RNG | CKF_DUAL_CRYPTO_OPERATIONS;
+    if (handle == NULL) {
+	pInfo->flags |= CKF_WRITE_PROTECTED;
+	pInfo->ulMaxPinLen = 0;
+	pInfo->ulMinPinLen = 0;
+	pInfo->ulTotalPublicMemory = 0;
+	pInfo->ulFreePublicMemory = 0;
+	pInfo->ulTotalPrivateMemory = 0;
+	pInfo->ulFreePrivateMemory = 0;
+	pInfo->hardwareVersion.major = 4;
+	pInfo->hardwareVersion.minor = 0;
+    } else {
+	/*
+	 * we have three possible states which we may be in:
+	 *   (1) No DB password has been initialized. This also means we
+	 *   have no keys in the key db.
+	 *   (2) Password initialized to NULL. This means we have keys, but
+	 *   the user has chosen not use a password.
+	 *   (3) Finally we have an initialized password whicn is not NULL, and
+	 *   we will need to prompt for it.
+	 */
+	if (sftkdb_HasPasswordSet(handle) == SECFailure) {
+	    pInfo->flags |= CKF_LOGIN_REQUIRED;
+	} else if (!sftk_checkNeedLogin(slot,handle)) {
+	    pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+	} else {
+	    pInfo->flags |= CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
+	/* 
+         * if we are doing a merge style update, and we need to get the password
+	 * of our source database (the database we are updating from), make sure we
+         * return a token name that will match the database we are prompting for.
+	 */
+	if (sftkdb_NeedUpdateDBPassword(handle)) {
+	    /* if we have an update tok description, use it. otherwise
+             * use the updateID for this database */
+	    if (!sftk_isBlank(slot->updateTokDescription,
+						sizeof(pInfo->label))) {
+		PORT_Memcpy(pInfo->label,slot->updateTokDescription,
+				sizeof(pInfo->label));
+	    } else {
+		/* build from updateID */
+		const char *updateID = sftkdb_GetUpdateID(handle);
+		if (updateID) {
+		    sftk_setStringName(updateID, (char *)pInfo->label,
+				 sizeof(pInfo->label), PR_FALSE);
+		}
+	    }
+	}
+	}
+	pInfo->ulMaxPinLen = SFTK_MAX_PIN;
+	pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen;
+	pInfo->ulTotalPublicMemory = 1;
+	pInfo->ulFreePublicMemory = 1;
+	pInfo->ulTotalPrivateMemory = 1;
+	pInfo->ulFreePrivateMemory = 1;
+#ifdef SHDB_FIXME
+	pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION;
+	pInfo->hardwareVersion.minor = handle->version;
+#else
+	pInfo->hardwareVersion.major = 0;
+	pInfo->hardwareVersion.minor = 0;
+#endif
+        sftk_freeDB(handle);
+    }
+    /*
+     * CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED  how CKF_TOKEN_INITIALIZED
+     *                                              should be set
+     *         0                   0                           1
+     *         1                   0                           0
+     *         0                   1                           1
+     *         1                   1                           1
+     */
+    if (!(pInfo->flags & CKF_LOGIN_REQUIRED) ||
+	(pInfo->flags & CKF_USER_PIN_INITIALIZED)) {
+	pInfo->flags |= CKF_TOKEN_INITIALIZED;
+    }
+    return CKR_OK;
+}
+
+/* NSC_GetMechanismList obtains a list of mechanism types 
+ * supported by a token. */
+CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID,
+	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
+{
+    CK_ULONG i;
+
+    CHECK_FORK();
+
+    switch (slotID) {
+    /* default: */
+    case NETSCAPE_SLOT_ID:
+	*pulCount = mechanismCount;
+	if (pMechanismList != NULL) {
+	    for (i=0; i < mechanismCount; i++) {
+		pMechanismList[i] = mechanisms[i].type;
+	    }
+	}
+	break;
+     default:
+	*pulCount = 0;
+	for (i=0; i < mechanismCount; i++) {
+	    if (mechanisms[i].privkey) {
+		(*pulCount)++;
+		if (pMechanismList != NULL) {
+		    *pMechanismList++ = mechanisms[i].type;
+		}
+	    }
+	}
+	break;
+    }
+    return CKR_OK;
+}
+
+
+/* NSC_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+    					CK_MECHANISM_INFO_PTR pInfo)
+{
+    PRBool isPrivateKey;
+    CK_ULONG i;
+
+    CHECK_FORK();
+    
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	isPrivateKey = PR_FALSE;
+	break;
+    default:
+	isPrivateKey = PR_TRUE;
+	break;
+    }
+    for (i=0; i < mechanismCount; i++) {
+        if (type == mechanisms[i].type) {
+	    if (isPrivateKey && !mechanisms[i].privkey) {
+    		return CKR_MECHANISM_INVALID;
+	    }
+	    PORT_Memcpy(pInfo,&mechanisms[i].info, sizeof(CK_MECHANISM_INFO));
+	    return CKR_OK;
+	}
+    }
+    return CKR_MECHANISM_INVALID;
+}
+
+CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op)
+{
+    CK_ULONG i;
+    CK_FLAGS flags;
+
+    switch (op) {
+    case CKA_ENCRYPT:         flags = CKF_ENCRYPT;         break;
+    case CKA_DECRYPT:         flags = CKF_DECRYPT;         break;
+    case CKA_WRAP:            flags = CKF_WRAP;            break;
+    case CKA_UNWRAP:          flags = CKF_UNWRAP;          break;
+    case CKA_SIGN:            flags = CKF_SIGN;            break;
+    case CKA_SIGN_RECOVER:    flags = CKF_SIGN_RECOVER;    break;
+    case CKA_VERIFY:          flags = CKF_VERIFY;          break;
+    case CKA_VERIFY_RECOVER:  flags = CKF_VERIFY_RECOVER;  break;
+    case CKA_DERIVE:          flags = CKF_DERIVE;          break;
+    default:
+    	return CKR_ARGUMENTS_BAD;
+    }
+    for (i=0; i < mechanismCount; i++) {
+        if (type == mechanisms[i].type) {
+	    return (flags & mechanisms[i].info.flags) ? CKR_OK 
+	                                              : CKR_MECHANISM_INVALID;
+	}
+    }
+    return CKR_MECHANISM_INVALID;
+}
+
+/* NSC_InitToken initializes a token. */
+CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
+ 				CK_ULONG ulPinLen,CK_CHAR_PTR pLabel) {
+    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+    SFTKDBHandle *handle;
+    SFTKDBHandle *certHandle;
+    SECStatus rv;
+    unsigned int i;
+    SFTKObject *object;
+
+    CHECK_FORK();
+
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    /* don't initialize the database if we aren't talking to a token
+     * that uses the key database.
+     */
+    if (slotID == NETSCAPE_SLOT_ID) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* first, delete all our loaded key and cert objects from our 
+     * internal list. */
+    PZ_Lock(slot->objectLock);
+    for (i=0; i < slot->sessObjHashSize; i++) {
+	do {
+	    object = slot->sessObjHashTable[i];
+	    /* hand deque */
+	    /* this duplicates function of NSC_close session functions, but 
+	     * because we know that we are freeing all the sessions, we can
+	     * do more efficient processing */
+	    if (object) {
+		slot->sessObjHashTable[i] = object->next;
+
+		if (object->next) object->next->prev = NULL;
+		object->next = object->prev = NULL;
+	    }
+	    if (object) sftk_FreeObject(object);
+	} while (object != NULL);
+    }
+    slot->DB_loaded = PR_FALSE;
+    PZ_Unlock(slot->objectLock);
+
+    /* then clear out the key database */
+    handle = sftk_getKeyDB(slot);
+    if (handle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    rv = sftkdb_ResetKeyDB(handle);
+    sftk_freeDB(handle);
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    /* finally  mark all the user certs as non-user certs */
+    certHandle = sftk_getCertDB(slot);
+    if (certHandle == NULL) return CKR_OK;
+
+    sftk_freeDB(certHandle);
+
+    return CKR_OK; /*is this the right function for not implemented*/
+}
+
+
+/* NSC_InitPIN initializes the normal user's PIN. */
+CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession,
+    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+    SFTKSession *sp = NULL;
+    SFTKSlot *slot;
+    SFTKDBHandle *handle = NULL;
+    char newPinStr[SFTK_MAX_PIN+1];
+    SECStatus rv;
+    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+    PRBool tokenRemoved = PR_FALSE;
+
+    CHECK_FORK();
+    
+    sp = sftk_SessionFromHandle(hSession);
+    if (sp == NULL) {
+	goto loser;
+    }
+
+    slot = sftk_SlotFromSession(sp);
+    if (slot == NULL) {
+	goto loser;
+    }
+
+    handle = sftk_getKeyDB(slot);
+    if (handle == NULL) {
+	crv = CKR_PIN_LEN_RANGE;
+	goto loser;
+    }
+
+
+    if (sp->info.state != CKS_RW_SO_FUNCTIONS) {
+	crv = CKR_USER_NOT_LOGGED_IN;
+	goto loser;
+    }
+
+    sftk_FreeSession(sp);
+    sp = NULL;
+
+    /* make sure the pins aren't too long */
+    if (ulPinLen > SFTK_MAX_PIN) {
+	crv = CKR_PIN_LEN_RANGE;
+	goto loser;
+    }
+    if (ulPinLen < (CK_ULONG)slot->minimumPinLen) {
+	crv = CKR_PIN_LEN_RANGE;
+	goto loser;
+    }
+
+    if (sftkdb_HasPasswordSet(handle) != SECFailure) {
+	crv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+
+    /* convert to null terminated string */
+    PORT_Memcpy(newPinStr, pPin, ulPinLen);
+    newPinStr[ulPinLen] = 0; 
+
+    /* build the hashed pins which we pass around */
+
+    /* change the data base */
+    rv = sftkdb_ChangePassword(handle, NULL, newPinStr, &tokenRemoved);
+    if (tokenRemoved) {
+	sftk_CloseAllSessions(slot);
+    }
+    sftk_freeDB(handle);
+    handle = NULL;
+
+    /* Now update our local copy of the pin */
+    if (rv == SECSuccess) {
+	if (ulPinLen == 0) slot->needLogin = PR_FALSE;
+	return CKR_OK;
+    }
+    crv = CKR_PIN_INCORRECT;
+
+loser:
+    if (sp) {
+	sftk_FreeSession(sp);
+    }
+    if (handle) {
+	sftk_freeDB(handle);
+    }
+    return crv;
+}
+
+
+/* NSC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+    CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen)
+{
+    SFTKSession *sp = NULL;
+    SFTKSlot *slot;
+    SFTKDBHandle *handle = NULL;
+    char newPinStr[SFTK_MAX_PIN+1],oldPinStr[SFTK_MAX_PIN+1];
+    SECStatus rv;
+    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+    PRBool tokenRemoved = PR_FALSE;
+
+    CHECK_FORK();
+    
+    sp = sftk_SessionFromHandle(hSession);
+    if (sp == NULL) {
+	goto loser;
+    }
+
+    slot = sftk_SlotFromSession(sp);
+    if (!slot) {
+	goto loser;
+    }
+
+    handle = sftk_getKeyDB(slot);
+    if (handle == NULL) {
+	sftk_FreeSession(sp);
+	return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */
+    }
+
+    if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
+	crv = CKR_USER_NOT_LOGGED_IN;
+	goto loser;
+    }
+
+    sftk_FreeSession(sp);
+    sp = NULL;
+
+    /* make sure the pins aren't too long */
+    if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) {
+	crv = CKR_PIN_LEN_RANGE;
+	goto loser;
+    }
+    if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
+	crv = CKR_PIN_LEN_RANGE;
+	goto loser;
+    }
+
+
+    /* convert to null terminated string */
+    PORT_Memcpy(newPinStr,pNewPin,ulNewLen);
+    newPinStr[ulNewLen] = 0; 
+    PORT_Memcpy(oldPinStr,pOldPin,ulOldLen);
+    oldPinStr[ulOldLen] = 0; 
+
+    /* change the data base password */
+    PR_Lock(slot->pwCheckLock);
+    rv = sftkdb_ChangePassword(handle, oldPinStr, newPinStr, &tokenRemoved);
+    if (tokenRemoved) {
+	sftk_CloseAllSessions(slot);
+    }
+    sftk_freeDB(handle);
+    handle = NULL;
+    if ((rv != SECSuccess) && (slot->slotID == FIPS_SLOT_ID)) {
+	PR_Sleep(loginWaitTime);
+    }
+    PR_Unlock(slot->pwCheckLock);
+
+    /* Now update our local copy of the pin */
+    if (rv == SECSuccess) {
+	slot->needLogin = (PRBool)(ulNewLen != 0);
+	return CKR_OK;
+    }
+    crv = CKR_PIN_INCORRECT;
+loser:
+    if (sp) {
+	sftk_FreeSession(sp);
+    }
+    if (handle) {
+	sftk_freeDB(handle);
+    }
+    return crv;
+}
+
+/* NSC_OpenSession opens a session between an application and a token. */
+CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession)
+{
+    SFTKSlot *slot;
+    CK_SESSION_HANDLE sessionID;
+    SFTKSession *session;
+    SFTKSession *sameID;
+
+    CHECK_FORK();
+    
+    slot = sftk_SlotFromID(slotID, PR_FALSE);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    /* new session (we only have serial sessions) */
+    session = sftk_NewSession(slotID, Notify, pApplication,
+						 flags | CKF_SERIAL_SESSION);
+    if (session == NULL) return CKR_HOST_MEMORY;
+
+    if (slot->readOnly && (flags & CKF_RW_SESSION)) {
+	/* NETSCAPE_SLOT_ID is Read ONLY */
+	session->info.flags &= ~CKF_RW_SESSION;
+    }
+    PZ_Lock(slot->slotLock);
+    ++slot->sessionCount;
+    PZ_Unlock(slot->slotLock);
+    if (session->info.flags & CKF_RW_SESSION) {
+	PR_AtomicIncrement(&slot->rwSessionCount);
+    }
+
+    do {
+        PZLock *lock;
+        do {
+            sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff)
+                        | (slot->index << 24);
+        } while (sessionID == CK_INVALID_HANDLE);
+        lock = SFTK_SESSION_LOCK(slot,sessionID);
+        PZ_Lock(lock);
+        sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize);
+        if (sameID == NULL) {
+            session->handle = sessionID;
+            sftk_update_state(slot, session);
+            sftkqueue_add(session, sessionID, slot->head,slot->sessHashSize);
+        } else {
+            slot->sessionIDConflict++;  /* for debugging */
+        }
+        PZ_Unlock(lock);
+    } while (sameID != NULL);
+
+    *phSession = sessionID;
+    return CKR_OK;
+}
+
+
+/* NSC_CloseSession closes a session between an application and a token. */
+CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
+{
+    SFTKSlot *slot;
+    SFTKSession *session;
+    PRBool sessionFound;
+    PZLock *lock;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    slot = sftk_SlotFromSession(session);
+    sessionFound = PR_FALSE;
+
+    /* lock */
+    lock = SFTK_SESSION_LOCK(slot,hSession);
+    PZ_Lock(lock);
+    if (sftkqueue_is_queued(session,hSession,slot->head,slot->sessHashSize)) {
+	sessionFound = PR_TRUE;
+	sftkqueue_delete(session,hSession,slot->head,slot->sessHashSize);
+	session->refCount--; /* can't go to zero while we hold the reference */
+	PORT_Assert(session->refCount > 0);
+    }
+    PZ_Unlock(lock);
+
+    if (sessionFound) {
+	SFTKDBHandle *handle;
+	handle = sftk_getKeyDB(slot);
+	PZ_Lock(slot->slotLock);
+	if (--slot->sessionCount == 0) {
+	    slot->isLoggedIn = PR_FALSE;
+	    if (handle) {
+		sftkdb_ClearPassword(handle);
+	    }
+	}
+	PZ_Unlock(slot->slotLock);
+	if (handle) {
+	    sftk_freeDB(handle);
+	}
+	if (session->info.flags & CKF_RW_SESSION) {
+	    PR_AtomicDecrement(&slot->rwSessionCount);
+	}
+    }
+
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_CloseAllSessions closes all sessions with a token. */
+CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
+{
+    SFTKSlot *slot;
+
+    CHECK_FORK();
+
+    slot = sftk_SlotFromID(slotID, PR_FALSE);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    return sftk_CloseAllSessions(slot);
+}
+
+
+
+/* NSC_GetSessionInfo obtains information about the session. */
+CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+    						CK_SESSION_INFO_PTR pInfo)
+{
+    SFTKSession *session;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    PORT_Memcpy(pInfo,&session->info,sizeof(CK_SESSION_INFO));
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_Login logs a user into a token. */
+CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+				    CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+    SFTKSlot *slot;
+    SFTKSession *session;
+    SFTKDBHandle *handle;
+    CK_FLAGS sessionFlags;
+    SECStatus rv;
+    CK_RV crv;
+    char pinStr[SFTK_MAX_PIN+1];
+    PRBool tokenRemoved = PR_FALSE;
+
+    CHECK_FORK();
+
+    /* get the slot */
+    slot = sftk_SlotFromSessionHandle(hSession);
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /* make sure the session is valid */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    sessionFlags = session->info.flags;
+    sftk_FreeSession(session);
+    session = NULL;
+
+    /* can't log into the Netscape Slot */
+    if (slot->slotID == NETSCAPE_SLOT_ID) {
+	 return CKR_USER_TYPE_INVALID;
+    }
+
+    if (slot->isLoggedIn) return CKR_USER_ALREADY_LOGGED_IN;
+    slot->ssoLoggedIn = PR_FALSE;
+
+    if (ulPinLen > SFTK_MAX_PIN) return CKR_PIN_LEN_RANGE;
+
+    /* convert to null terminated string */
+    PORT_Memcpy(pinStr,pPin,ulPinLen);
+    pinStr[ulPinLen] = 0; 
+
+    handle = sftk_getKeyDB(slot);
+    if (handle == NULL) {
+	 return CKR_USER_TYPE_INVALID;
+    }
+
+    /*
+     * Deal with bootstrap. We allow the SSO to login in with a NULL
+     * password if and only if we haven't initialized the KEY DB yet.
+     * We only allow this on a RW session.
+     */
+    rv = sftkdb_HasPasswordSet(handle);
+    if (rv == SECFailure) {
+	/* allow SSO's to log in only if there is not password on the
+	 * key database */
+	if (((userType == CKU_SO) && (sessionFlags & CKF_RW_SESSION))
+	    /* fips always needs to authenticate, even if there isn't a db */
+					|| (slot->slotID == FIPS_SLOT_ID)) {
+	    /* should this be a fixed password? */
+	    if (ulPinLen == 0) {
+		sftkdb_ClearPassword(handle);
+    		PZ_Lock(slot->slotLock);
+		slot->isLoggedIn = PR_TRUE;
+		slot->ssoLoggedIn = (PRBool)(userType == CKU_SO);
+		PZ_Unlock(slot->slotLock);
+		sftk_update_all_states(slot);
+		crv = CKR_OK;
+		goto done;
+	    }
+	    crv = CKR_PIN_INCORRECT;
+	    goto done;
+	} 
+	crv = CKR_USER_TYPE_INVALID;
+	goto done;
+    } 
+
+    /* don't allow the SSO to log in if the user is already initialized */
+    if (userType != CKU_USER) { 
+	crv = CKR_USER_TYPE_INVALID; 
+	goto done;
+    }
+
+
+    /* build the hashed pins which we pass around */
+    PR_Lock(slot->pwCheckLock);
+    rv = sftkdb_CheckPassword(handle,pinStr, &tokenRemoved);
+    if (tokenRemoved) {
+	sftk_CloseAllSessions(slot);
+    }
+    if ((rv != SECSuccess) && (slot->slotID == FIPS_SLOT_ID)) {
+	PR_Sleep(loginWaitTime);
+    }
+    PR_Unlock(slot->pwCheckLock);
+    if (rv == SECSuccess) {
+	PZ_Lock(slot->slotLock);
+	/* make sure the login state matches the underlying
+	 * database state */
+	slot->isLoggedIn = sftkdb_PWCached(handle) == SECSuccess ?
+		PR_TRUE : PR_FALSE;
+	PZ_Unlock(slot->slotLock);
+
+ 	sftk_freeDB(handle);
+	handle = NULL;
+
+	/* update all sessions */
+	sftk_update_all_states(slot);
+	return CKR_OK;
+    }
+
+    crv = CKR_PIN_INCORRECT;
+done:
+    if (handle) {
+	sftk_freeDB(handle);
+    }
+    return crv;
+}
+
+/* NSC_Logout logs a user out from a token. */
+CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
+{
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SFTKSession *session;
+    SFTKDBHandle *handle;
+
+    CHECK_FORK();
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    sftk_FreeSession(session);
+    session = NULL;
+
+    if (!slot->isLoggedIn) return CKR_USER_NOT_LOGGED_IN;
+
+    handle = sftk_getKeyDB(slot);
+    PZ_Lock(slot->slotLock);
+    slot->isLoggedIn = PR_FALSE;
+    slot->ssoLoggedIn = PR_FALSE;
+    if (handle) {
+	sftkdb_ClearPassword(handle);
+    }
+    PZ_Unlock(slot->slotLock);
+    if (handle) {
+	sftk_freeDB(handle);
+    }
+
+    sftk_update_all_states(slot);
+    return CKR_OK;
+}
+
+/*
+ * Create a new slot on the fly. The slot that is passed in is the
+ * slot the request came from. Only the crypto or FIPS slots can
+ * be used. The resulting slot will live in the same module as
+ * the slot the request was passed to. object is the creation object
+ * that specifies the module spec for the new slot.
+ */
+static CK_RV sftk_CreateNewSlot(SFTKSlot *slot, CK_OBJECT_CLASS class,
+                                SFTKObject *object)
+{
+    CK_SLOT_ID idMin, idMax;
+    PRBool isFIPS = PR_FALSE;
+    unsigned long moduleIndex;
+    SFTKAttribute *attribute;
+    sftk_parameters paramStrings;
+    char *paramString;
+    CK_SLOT_ID slotID = 0;
+    SFTKSlot *newSlot = NULL;
+    CK_RV crv = CKR_OK;
+
+    /* only the crypto or FIPS slots can create new slot objects */
+    if (slot->slotID == NETSCAPE_SLOT_ID) {
+	idMin = SFTK_MIN_USER_SLOT_ID;
+	idMax = SFTK_MAX_USER_SLOT_ID;
+	moduleIndex = NSC_NON_FIPS_MODULE;
+	isFIPS = PR_FALSE;
+    } else if (slot->slotID == FIPS_SLOT_ID) {
+	idMin = SFTK_MIN_FIPS_USER_SLOT_ID;
+	idMax = SFTK_MAX_FIPS_USER_SLOT_ID;
+	moduleIndex = NSC_FIPS_MODULE;
+	isFIPS = PR_TRUE;
+    } else {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    attribute = sftk_FindAttribute(object,CKA_NETSCAPE_MODULE_SPEC);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    paramString = (char *)attribute->attrib.pValue;
+    crv = sftk_parseParameters(paramString, &paramStrings, isFIPS);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    /* enforce only one at a time */
+    if (paramStrings.token_count != 1) {
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    slotID = paramStrings.tokens[0].slotID;
+
+    /* stay within the valid ID space */
+    if ((slotID < idMin) || (slotID > idMax)) {
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    /* unload any existing slot at this id */
+    newSlot = sftk_SlotFromID(slotID, PR_TRUE);
+    if (newSlot && newSlot->present) {
+	crv = SFTK_ShutdownSlot(newSlot);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+    }
+
+    /* if we were just planning on deleting the slot, then do so now */
+    if (class == CKO_NETSCAPE_DELSLOT) {
+	/* sort of a unconventional use of this error code, be we are
+         * overusing CKR_ATTRIBUTE_VALUE_INVALID, and it does apply */
+	crv = newSlot ? CKR_OK : CKR_SLOT_ID_INVALID;
+	goto loser; /* really exit */
+    }
+
+    if (newSlot) {
+	crv = SFTK_SlotReInit(newSlot, paramStrings.configdir, 
+			paramStrings.updatedir, paramStrings.updateID,
+			&paramStrings.tokens[0], moduleIndex);
+    } else {
+	crv = SFTK_SlotInit(paramStrings.configdir, 
+			paramStrings.updatedir, paramStrings.updateID,
+			&paramStrings.tokens[0], moduleIndex);
+    }
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+loser:
+    sftk_freeParams(&paramStrings);
+    sftk_FreeAttribute(attribute);
+
+    return crv;
+}
+
+
+/* NSC_CreateObject creates a new object. */
+CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
+		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
+					CK_OBJECT_HANDLE_PTR phObject)
+{
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SFTKSession *session;
+    SFTKObject *object;
+    /* make sure class isn't randomly CKO_NETSCAPE_NEWSLOT or
+     * CKO_NETSCPE_DELSLOT. */
+    CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED;
+    CK_RV crv;
+    int i;
+
+    CHECK_FORK();
+
+    *phObject = CK_INVALID_HANDLE;
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    object = sftk_NewObject(slot); /* fill in the handle later */
+    if (object == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	crv = sftk_AddAttributeType(object,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) {
+	    sftk_FreeObject(object);
+	    return crv;
+	}
+	if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) {
+	    class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	}
+    }
+
+    /* get the session */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	sftk_FreeObject(object);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle pseudo objects (CKO_NEWSLOT)
+     */
+    if ((class == CKO_NETSCAPE_NEWSLOT)  || (class == CKO_NETSCAPE_DELSLOT)) {
+	crv = sftk_CreateNewSlot(slot, class, object);
+	goto done;
+    } 
+
+    /*
+     * handle the base object stuff
+     */
+    crv = sftk_handleObject(object,session);
+    *phObject = object->handle;
+done:
+    sftk_FreeSession(session);
+    sftk_FreeObject(object);
+
+    return crv;
+}
+
+
+
+/* NSC_CopyObject copies an object, creating a new object for the copy. */
+CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
+       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+					CK_OBJECT_HANDLE_PTR phNewObject) 
+{
+    SFTKObject *destObject,*srcObject;
+    SFTKSession *session;
+    CK_RV crv = CKR_OK;
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    int i;
+
+    CHECK_FORK();
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    /* Get srcObject so we can find the class */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    srcObject = sftk_ObjectFromHandle(hObject,session);
+    if (srcObject == NULL) {
+	sftk_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    /*
+     * create an object to hang the attributes off of
+     */
+    destObject = sftk_NewObject(slot); /* fill in the handle later */
+    if (destObject == NULL) {
+	sftk_FreeSession(session);
+        sftk_FreeObject(srcObject);
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	if (sftk_modifyType(pTemplate[i].type,srcObject->objclass) == SFTK_NEVER) {
+	    crv = CKR_ATTRIBUTE_READ_ONLY;
+	    break;
+	}
+	crv = sftk_AddAttributeType(destObject,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) { break; }
+    }
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+        sftk_FreeObject(srcObject);
+	sftk_FreeObject(destObject);
+	return crv;
+    }
+
+    /* sensitive can only be changed to CK_TRUE */
+    if (sftk_hasAttribute(destObject,CKA_SENSITIVE)) {
+	if (!sftk_isTrue(destObject,CKA_SENSITIVE)) {
+	    sftk_FreeSession(session);
+            sftk_FreeObject(srcObject);
+	    sftk_FreeObject(destObject);
+	    return CKR_ATTRIBUTE_READ_ONLY;
+	}
+    }
+
+    /*
+     * now copy the old attributes from the new attributes
+     */
+    /* don't create a token object if we aren't in a rw session */
+    /* we need to hold the lock to copy a consistant version of
+     * the object. */
+    crv = sftk_CopyObject(destObject,srcObject);
+
+    destObject->objclass = srcObject->objclass;
+    sftk_FreeObject(srcObject);
+    if (crv != CKR_OK) {
+	sftk_FreeObject(destObject);
+	sftk_FreeSession(session);
+        return crv;
+    }
+
+    crv = sftk_handleObject(destObject,session);
+    *phNewObject = destObject->handle;
+    sftk_FreeSession(session);
+    sftk_FreeObject(destObject);
+    
+    return crv;
+}
+
+
+/* NSC_GetObjectSize gets the size of an object in bytes. */
+CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
+    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
+{
+    CHECK_FORK();
+
+    *pulSize = 0;
+    return CKR_OK;
+}
+
+
+/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
+CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SFTKSession *session;
+    SFTKObject *object;
+    SFTKAttribute *attribute;
+    PRBool sensitive;
+    CK_RV crv;
+    int i;
+
+    CHECK_FORK();
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * make sure we're allowed
+     */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /* short circuit everything for token objects */
+    if (sftk_isToken(hObject)) {
+	SFTKSlot *slot = sftk_SlotFromSession(session);
+	SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
+	SFTKDBHandle *keydb = NULL;
+
+	if (dbHandle == NULL) {
+	    sftk_FreeSession(session);
+	    return CKR_OBJECT_HANDLE_INVALID;
+	}
+
+	crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
+
+	/* make sure we don't export any sensitive information */
+	keydb = sftk_getKeyDB(slot);
+	if (dbHandle == keydb) {
+	    for (i=0; i < (int) ulCount; i++) {
+		if (sftk_isSensitive(pTemplate[i].type,CKO_PRIVATE_KEY)) {
+		    crv = CKR_ATTRIBUTE_SENSITIVE;
+		    if (pTemplate[i].pValue && (pTemplate[i].ulValueLen!= -1)){
+			PORT_Memset(pTemplate[i].pValue, 0, 
+					pTemplate[i].ulValueLen);
+		    }
+		    pTemplate[i].ulValueLen = -1;
+		}
+	    }
+	}
+
+	sftk_FreeSession(session);
+	sftk_freeDB(dbHandle);
+	if (keydb) {
+	    sftk_freeDB(keydb);
+	}
+	return crv;
+    }
+
+    /* handle the session object */
+    object = sftk_ObjectFromHandle(hObject,session);
+    sftk_FreeSession(session);
+    if (object == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't read a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(sftk_isTrue(object,CKA_PRIVATE))) {
+	sftk_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    crv = CKR_OK;
+    sensitive = sftk_isTrue(object,CKA_SENSITIVE);
+    for (i=0; i < (int) ulCount; i++) {
+	/* Make sure that this attribute is retrievable */
+	if (sensitive && sftk_isSensitive(pTemplate[i].type,object->objclass)) {
+	    crv = CKR_ATTRIBUTE_SENSITIVE;
+	    pTemplate[i].ulValueLen = -1;
+	    continue;
+	}
+	attribute = sftk_FindAttribute(object,pTemplate[i].type);
+	if (attribute == NULL) {
+	    crv = CKR_ATTRIBUTE_TYPE_INVALID;
+	    pTemplate[i].ulValueLen = -1;
+	    continue;
+	}
+	if (pTemplate[i].pValue != NULL) {
+	    PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
+						attribute->attrib.ulValueLen);
+	}
+	pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
+	sftk_FreeAttribute(attribute);
+    }
+
+    sftk_FreeObject(object);
+    return crv;
+}
+
+/* NSC_SetAttributeValue modifies the value of one or more object attributes */
+CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SFTKSession *session;
+    SFTKAttribute *attribute;
+    SFTKObject *object;
+    PRBool isToken;
+    CK_RV crv = CKR_OK;
+    CK_BBOOL legal;
+    int i;
+
+    CHECK_FORK();
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * make sure we're allowed
+     */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    object = sftk_ObjectFromHandle(hObject,session);
+    if (object == NULL) {
+        sftk_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't modify a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(sftk_isTrue(object,CKA_PRIVATE))) {
+	sftk_FreeSession(session);
+	sftk_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    /* don't modify a token object if we aren't in a rw session */
+    isToken = sftk_isTrue(object,CKA_TOKEN);
+    if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) {
+	sftk_FreeSession(session);
+	sftk_FreeObject(object);
+	return CKR_SESSION_READ_ONLY;
+    }
+    sftk_FreeSession(session);
+
+    /* only change modifiable objects */
+    if (!sftk_isTrue(object,CKA_MODIFIABLE)) {
+	sftk_FreeObject(object);
+	return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    for (i=0; i < (int) ulCount; i++) {
+	/* Make sure that this attribute is changeable */
+	switch (sftk_modifyType(pTemplate[i].type,object->objclass)) {
+	case SFTK_NEVER:
+	case SFTK_ONCOPY:
+        default:
+	    crv = CKR_ATTRIBUTE_READ_ONLY;
+	    break;
+
+        case SFTK_SENSITIVE:
+	    legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? CK_FALSE : CK_TRUE;
+	    if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) {
+	        crv = CKR_ATTRIBUTE_READ_ONLY;
+	    }
+	    break;
+        case SFTK_ALWAYS:
+	    break;
+	}
+	if (crv != CKR_OK) break;
+
+	/* find the old attribute */
+	attribute = sftk_FindAttribute(object,pTemplate[i].type);
+	if (attribute == NULL) {
+	    crv =CKR_ATTRIBUTE_TYPE_INVALID;
+	    break;
+	}
+    	sftk_FreeAttribute(attribute);
+	crv = sftk_forceAttribute(object,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+
+    }
+
+    sftk_FreeObject(object);
+    return crv;
+}
+
+static CK_RV
+sftk_expandSearchList(SFTKSearchResults *search, int count)
+{
+    search->array_size += count;
+    search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles,
+			sizeof(CK_OBJECT_HANDLE)*search->array_size);
+    return search->handles ? CKR_OK : CKR_HOST_MEMORY;
+}
+
+
+
+static CK_RV
+sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search,
+                        const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    CK_RV crv;
+    int objectListSize = search->array_size-search->size;
+    CK_OBJECT_HANDLE *array = &search->handles[search->size];
+    SDBFind *find;
+    CK_ULONG count;
+
+    crv = sftkdb_FindObjectsInit(handle, pTemplate, ulCount, &find);
+    if (crv != CKR_OK)
+	return crv;
+    do {
+	crv = sftkdb_FindObjects(handle, find, array, objectListSize, &count);
+	if ((crv != CKR_OK) || (count == 0))
+	    break;
+	search->size += count;
+	objectListSize -= count;
+	if (objectListSize > 0)
+	    break;
+	crv = sftk_expandSearchList(search,NSC_SEARCH_BLOCK_SIZE);
+	objectListSize = NSC_SEARCH_BLOCK_SIZE;
+	array = &search->handles[search->size];
+    } while (crv == CKR_OK);
+    sftkdb_FindObjectsFinal(handle, find);
+
+    return crv;
+}
+
+/* softoken used to search the SMimeEntries automatically instead of
+ * doing this in pk11wrap. This code should really be up in
+ * pk11wrap so that it will work with other tokens other than softoken.
+ */
+CK_RV
+sftk_emailhack(SFTKSlot *slot, SFTKDBHandle *handle, 
+    SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    PRBool isCert = PR_FALSE;
+    int emailIndex = -1;
+    int i;
+    SFTKSearchResults smime_search;
+    CK_ATTRIBUTE smime_template[2];
+    CK_OBJECT_CLASS smime_class = CKO_NETSCAPE_SMIME;
+    SFTKAttribute *attribute = NULL;
+    SFTKObject *object = NULL;
+    CK_RV crv = CKR_OK;
+
+
+    smime_search.handles = NULL; /* paranoia, some one is bound to add a goto
+				  * loser before this gets initialized */
+
+    /* see if we are looking for email certs */
+    for (i=0; i < ulCount; i++) {
+	if (pTemplate[i].type == CKA_CLASS) {
+	   if ((pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS) ||
+	       (*(CK_OBJECT_CLASS *)pTemplate[i].pValue) != CKO_CERTIFICATE)) {
+		/* not a cert, skip out */
+		break;
+	   }
+	   isCert = PR_TRUE;
+	} else if (pTemplate[i].type == CKA_NETSCAPE_EMAIL) {
+	   emailIndex = i;
+	 
+	}
+	if (isCert && (emailIndex != -1)) break;
+    }
+
+    if (!isCert || (emailIndex == -1)) {
+	return CKR_OK;
+    }
+
+    /* we are doing a cert and email search, find the SMimeEntry */
+    smime_template[0].type = CKA_CLASS;
+    smime_template[0].pValue = &smime_class;
+    smime_template[0].ulValueLen = sizeof(smime_class);
+    smime_template[1] = pTemplate[emailIndex];
+
+    smime_search.handles = (CK_OBJECT_HANDLE *)
+		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
+    if (smime_search.handles == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    smime_search.index = 0;
+    smime_search.size = 0;
+    smime_search.array_size = NSC_SEARCH_BLOCK_SIZE;
+	
+    crv = sftk_searchDatabase(handle, &smime_search, smime_template, 2);
+    if (crv != CKR_OK || smime_search.size == 0) {
+	goto loser;
+    }
+
+    /* get the SMime subject */
+    object = sftk_NewTokenObject(slot, NULL, smime_search.handles[0]);
+    if (object == NULL) {
+	crv = CKR_HOST_MEMORY; /* is there any other reason for this failure? */
+	goto loser;
+    }
+    attribute = sftk_FindAttribute(object,CKA_SUBJECT);
+    if (attribute == NULL) {
+	crv = CKR_ATTRIBUTE_TYPE_INVALID;
+	goto loser;
+    }
+
+    /* now find the certs with that subject */
+    pTemplate[emailIndex] = attribute->attrib;
+    /* now add the appropriate certs to the search list */
+    crv = sftk_searchDatabase(handle, search, pTemplate, ulCount);
+    pTemplate[emailIndex] = smime_template[1]; /* restore the user's template*/
+
+loser:
+    if (attribute) {
+	sftk_FreeAttribute(attribute);
+    }
+    if (object) {
+	sftk_FreeObject(object);
+    }
+    if (smime_search.handles) {
+	PORT_Free(smime_search.handles);
+    }
+
+    return crv;
+}
+	
+
+static CK_RV
+sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search,
+                        CK_ATTRIBUTE *pTemplate, CK_LONG ulCount,
+                        PRBool *tokenOnly, PRBool isLoggedIn)
+{
+    CK_RV crv;
+    CK_RV crv2;
+    SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+    crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount);
+    crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount);
+    if (crv == CKR_OK) crv2 = crv;
+    sftk_freeDB(certHandle);
+
+    if (crv == CKR_OK && isLoggedIn) {
+	SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+    	crv = sftk_searchDatabase(keyHandle, search, pTemplate, ulCount);
+    	sftk_freeDB(keyHandle);
+    }
+    return crv;
+}
+
+/* NSC_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
+    SFTKSearchResults *search = NULL, *freeSearch = NULL;
+    SFTKSession *session = NULL;
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    PRBool tokenOnly = PR_FALSE;
+    CK_RV crv = CKR_OK;
+    PRBool isLoggedIn;
+
+    CHECK_FORK();
+    
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	crv = CKR_SESSION_HANDLE_INVALID;
+	goto loser;
+    }
+   
+    search = (SFTKSearchResults *)PORT_Alloc(sizeof(SFTKSearchResults));
+    if (search == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->handles = (CK_OBJECT_HANDLE *)
+		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
+    if (search->handles == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->index = 0;
+    search->size = 0;
+    search->array_size = NSC_SEARCH_BLOCK_SIZE;
+    isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
+
+    crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, &tokenOnly,
+								isLoggedIn);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    
+    /* build list of found objects in the session */
+    if (!tokenOnly) {
+	crv = sftk_searchObjectList(search, slot->sessObjHashTable, 
+				slot->sessObjHashSize, slot->objectLock, 
+					pTemplate, ulCount, isLoggedIn);
+    }
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    if ((freeSearch = session->search) != NULL) {
+	session->search = NULL;
+	sftk_FreeSearch(freeSearch);
+    }
+    session->search = search;
+    sftk_FreeSession(session);
+    return CKR_OK;
+
+loser:
+    if (search) {
+	sftk_FreeSearch(search);
+    }
+    if (session) {
+	sftk_FreeSession(session);
+    }
+    return crv;
+}
+
+
+/* NSC_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG ulMaxObjectCount,
+    					CK_ULONG_PTR pulObjectCount)
+{
+    SFTKSession *session;
+    SFTKSearchResults *search;
+    int	transfer;
+    int left;
+
+    CHECK_FORK();
+
+    *pulObjectCount = 0;
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    if (session->search == NULL) {
+	sftk_FreeSession(session);
+	return CKR_OK;
+    }
+    search = session->search;
+    left = session->search->size - session->search->index;
+    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+    if (transfer > 0) {
+	PORT_Memcpy(phObject,&search->handles[search->index],
+                                        transfer*sizeof(CK_OBJECT_HANDLE));
+    } else {
+       *phObject = CK_INVALID_HANDLE;
+    }
+
+    search->index += transfer;
+    if (search->index == search->size) {
+	session->search = NULL;
+	sftk_FreeSearch(search);
+    }
+    *pulObjectCount = transfer;
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+    SFTKSession *session;
+    SFTKSearchResults *search;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    search = session->search;
+    session->search = NULL;
+    sftk_FreeSession(session);
+    if (search != NULL) {
+	sftk_FreeSearch(search);
+    }
+    return CKR_OK;
+}
+
+
+
+CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+							 CK_VOID_PTR pReserved)
+{
+    CHECK_FORK();
+
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
diff --git a/security/nss/lib/softoken/pkcs11.h b/security/nss/lib/softoken/pkcs11.h
new file mode 100644
index 000000000..9352fc1c6
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.h
@@ -0,0 +1,323 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   RSA Labs
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ *
+ * The latest version of this header can be found at:
+ *    http://www.rsalabs.com/pkcs/pkcs-11/index.html
+ */
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a PKCS #11 library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for PKCS #11 structures should be set.  The PKCS #11
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * In a Win32 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * In a Win16 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own here.  You might
+ * not need to do anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_PTR far *
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable PKCS #11 library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed PKCS #11 functions in
+ * a PKCS #11 library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * For defining a function in a Win32 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * For defining a function in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable PKCS #11 library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * For declaring a function in a Win32 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * For declaring a function in a Win16 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a PKCS #11 API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a PKCS #11 API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // PKCS #11 API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * For accessing functions in a Win32 PKCS #11 .dll, in might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * For accessing functions in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various PKCS #11 types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* packing defines */
+#include "pkcs11p.h"
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each PKCS #11 function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's PKCS #11 version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* PKCS #11 version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h" 
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+/* unpack */
+#include "pkcs11u.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
new file mode 100644
index 000000000..76d648f95
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -0,0 +1,6124 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "lowkeyi.h"
+#include "sechash.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h"	/* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#include "prprf.h"
+
+#define __PASTE(x,y)    x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+		CK_RV __PASTE(NS,func)
+#define CK_NEED_ARG_LIST	1
+ 
+#include "pkcs11f.h"
+
+typedef struct {
+    uint8 client_version[2];
+    uint8 random[46];
+} SSL3RSAPreMasterSecret;
+
+static void sftk_Null(void *data, PRBool freeit)
+{
+    return;
+} 
+
+#ifdef NSS_ENABLE_ECC
+#ifdef EC_DEBUG
+#define SEC_PRINT(str1, str2, num, sitem) \
+    printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
+            str1, str2, num, sitem->len); \
+    for (i = 0; i < sitem->len; i++) { \
+	    printf("%02x:", sitem->data[i]); \
+    } \
+    printf("\n") 
+#else
+#define SEC_PRINT(a, b, c, d) 
+#endif
+#endif /* NSS_ENABLE_ECC */
+
+/*
+ * free routines.... Free local type  allocated data, and convert
+ * other free routines to the destroy signature.
+ */
+static void
+sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
+{
+    nsslowkey_DestroyPrivateKey(key);
+}
+
+static void
+sftk_Space(void *data, PRBool freeit)
+{
+    PORT_Free(data);
+} 
+
+
+/*
+ * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
+ * Deprecating a full des key to 40 bit key strenth.
+ */
+static CK_RV
+sftk_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
+{
+    unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
+    unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
+    unsigned char enc_src[8];
+    unsigned char enc_dest[8];
+    unsigned int leng,i;
+    DESContext *descx;
+    SECStatus rv;
+    
+    
+    /* zero the parity bits */
+    for (i=0; i < 8; i++) {
+	enc_src[i] = cdmfkey[i] & 0xfe;
+    }
+
+    /* encrypt with key 1 */
+    descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
+    if (descx == NULL) return CKR_HOST_MEMORY;
+    rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
+    DES_DestroyContext(descx,PR_TRUE);
+    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+
+    /* xor source with des, zero the parity bits and deprecate the key*/
+    for (i=0; i < 8; i++) {
+	if (i & 1) {
+	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
+	} else {
+	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
+	}
+    }
+
+    /* encrypt with key 2 */
+    descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
+    if (descx == NULL) return CKR_HOST_MEMORY;
+    rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
+    DES_DestroyContext(descx,PR_TRUE);
+    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+
+    /* set the corret parity on our new des key */	
+    sftk_FormatDESKey(deskey, 8);
+    return CKR_OK;
+}
+
+
+/* NSC_DestroyObject destroys an object. */
+CK_RV
+NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SFTKSession *session;
+    SFTKObject *object;
+    SFTKFreeStatus status;
+
+    CHECK_FORK();
+
+    if (slot == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * This whole block just makes sure we really can destroy the
+     * requested object.
+     */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    object = sftk_ObjectFromHandle(hObject,session);
+    if (object == NULL) {
+	sftk_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't destroy a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(sftk_isTrue(object,CKA_PRIVATE))) {
+	sftk_FreeSession(session);
+	sftk_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    /* don't destroy a token object if we aren't in a rw session */
+
+    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+				(sftk_isTrue(object,CKA_TOKEN))) {
+	sftk_FreeSession(session);
+	sftk_FreeObject(object);
+	return CKR_SESSION_READ_ONLY;
+    }
+
+    sftk_DeleteObject(session,object);
+
+    sftk_FreeSession(session);
+
+    /*
+     * get some indication if the object is destroyed. Note: this is not
+     * 100%. Someone may have an object reference outstanding (though that
+     * should not be the case by here. Also note that the object is "half"
+     * destroyed. Our internal representation is destroyed, but it may still
+     * be in the data base.
+     */
+    status = sftk_FreeObject(object);
+
+    return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/*
+ ************** Crypto Functions:     Utilities ************************
+ */
+
+
+/*
+ * map SEC_ERROR_xxx to CKR_xxx.
+ */
+static CK_RV
+sftk_MapCryptError(int error)
+{
+    switch (error) {
+	case SEC_ERROR_INVALID_ARGS:
+	    return CKR_ARGUMENTS_BAD;
+	case SEC_ERROR_INPUT_LEN:
+	    return CKR_DATA_LEN_RANGE;
+	case SEC_ERROR_OUTPUT_LEN:
+	    return CKR_BUFFER_TOO_SMALL;
+    }
+    return CKR_DEVICE_ERROR;
+}
+ 
+/* 
+ * return a context based on the SFTKContext type.
+ */
+SFTKSessionContext *
+sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)
+{
+    switch (type) {
+	case SFTK_ENCRYPT:
+	case SFTK_DECRYPT:
+	    return session->enc_context;
+	case SFTK_HASH:
+	    return session->hash_context;
+	case SFTK_SIGN:
+	case SFTK_SIGN_RECOVER:
+	case SFTK_VERIFY:
+	case SFTK_VERIFY_RECOVER:
+	    return session->hash_context;
+    }
+    return NULL;
+}
+
+/* 
+ * change a context based on the SFTKContext type.
+ */
+void
+sftk_SetContextByType(SFTKSession *session, SFTKContextType type, 
+						SFTKSessionContext *context)
+{
+    switch (type) {
+	case SFTK_ENCRYPT:
+	case SFTK_DECRYPT:
+	    session->enc_context = context;
+	    break;
+	case SFTK_HASH:
+	    session->hash_context = context;
+	    break;
+	case SFTK_SIGN:
+	case SFTK_SIGN_RECOVER:
+	case SFTK_VERIFY:
+	case SFTK_VERIFY_RECOVER:
+	    session->hash_context = context;
+	    break;
+    }
+    return;
+}
+
+/*
+ * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
+ * and C_XXX function. The function takes a session handle, the context type,
+ * and wether or not the session needs to be multipart. It returns the context,
+ * and optionally returns the session pointer (if sessionPtr != NULL) if session
+ * pointer is returned, the caller is responsible for freeing it.
+ */
+static CK_RV
+sftk_GetContext(CK_SESSION_HANDLE handle,SFTKSessionContext **contextPtr,
+	SFTKContextType type, PRBool needMulti, SFTKSession **sessionPtr)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+
+    session = sftk_SessionFromHandle(handle);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    context = sftk_ReturnContextByType(session,type);
+    /* make sure the context is valid */
+    if((context==NULL)||(context->type!=type)||(needMulti&&!(context->multi))){
+        sftk_FreeSession(session);
+	return CKR_OPERATION_NOT_INITIALIZED;
+    }
+    *contextPtr = context;
+    if (sessionPtr != NULL) {
+	*sessionPtr = session;
+    } else {
+	sftk_FreeSession(session);
+    }
+    return CKR_OK;
+}
+
+/*
+ ************** Crypto Functions:     Encrypt ************************
+ */
+
+/*
+ * All the NSC_InitXXX functions have a set of common checks and processing they
+ * all need to do at the beginning. This is done here.
+ */
+static CK_RV
+sftk_InitGeneric(SFTKSession *session,SFTKSessionContext **contextPtr,
+		 SFTKContextType ctype,SFTKObject **keyPtr,
+		 CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
+		 CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)
+{
+    SFTKObject *key = NULL;
+    SFTKAttribute *att;
+    SFTKSessionContext *context;
+
+    /* We can only init if there is not current context active */
+    if (sftk_ReturnContextByType(session,ctype) != NULL) {
+	return CKR_OPERATION_ACTIVE;
+    }
+
+    /* find the key */
+    if (keyPtr) {
+        key = sftk_ObjectFromHandle(hKey,session);
+        if (key == NULL) {
+	    return CKR_KEY_HANDLE_INVALID;
+    	}
+
+	/* make sure it's a valid  key for this operation */
+	if (((key->objclass != CKO_SECRET_KEY) && (key->objclass != pubKeyType))
+					|| !sftk_isTrue(key,operation)) {
+	    sftk_FreeObject(key);
+	    return CKR_KEY_TYPE_INCONSISTENT;
+	}
+	/* get the key type */
+	att = sftk_FindAttribute(key,CKA_KEY_TYPE);
+	if (att == NULL) {
+	    sftk_FreeObject(key);
+	    return CKR_KEY_TYPE_INCONSISTENT;
+	}
+	PORT_Assert(att->attrib.ulValueLen == sizeof(CK_KEY_TYPE));
+	if (att->attrib.ulValueLen != sizeof(CK_KEY_TYPE)) {
+	    sftk_FreeAttribute(att);
+	    sftk_FreeObject(key);
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+	PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE));
+	sftk_FreeAttribute(att);
+	*keyPtr = key;
+    }
+
+    /* allocate the context structure */
+    context = (SFTKSessionContext *)PORT_Alloc(sizeof(SFTKSessionContext));
+    if (context == NULL) {
+	if (key) sftk_FreeObject(key);
+	return CKR_HOST_MEMORY;
+    }
+    context->type = ctype;
+    context->multi = PR_TRUE;
+    context->cipherInfo = NULL;
+    context->hashInfo = NULL;
+    context->doPad = PR_FALSE;
+    context->padDataLength = 0;
+    context->key = key;
+    context->blockSize = 0;
+
+    *contextPtr = context;
+    return CKR_OK;
+}
+
+/* NSC_CryptInit initializes an encryption/Decryption operation. */
+/* This function is used by NSC_EncryptInit, NSC_DecryptInit, 
+ *                          NSC_WrapKey, NSC_UnwrapKey, 
+ *                          NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac),
+ * The only difference in their uses is the value of etype.
+ */
+static CK_RV
+sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
+		 SFTKContextType contextType, PRBool isEncrypt)
+{
+    SFTKSession *session;
+    SFTKObject *key;
+    SFTKSessionContext *context;
+    SFTKAttribute *att;
+    CK_RC2_CBC_PARAMS *rc2_param;
+#if NSS_SOFTOKEN_DOES_RC5
+    CK_RC5_CBC_PARAMS *rc5_param;
+    SECItem rc5Key;
+#endif
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    unsigned effectiveKeyLength;
+    unsigned char newdeskey[24];
+    PRBool useNewKey=PR_FALSE;
+    int t;
+
+    crv = sftk_MechAllowsOperation(pMechanism->mechanism, etype);
+    if (crv != CKR_OK) 
+    	return crv;
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    crv = sftk_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
+    			isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, etype);
+						
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+	return crv;
+    }
+
+    context->doPad = PR_FALSE;
+    switch(pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	if (isEncrypt) {
+	    NSSLOWKEYPublicKey *pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
+	    if (pubKey == NULL) {
+		break;
+	    }
+	    context->maxLen = nsslowkey_PublicModulusLen(pubKey);
+	    context->cipherInfo =  (void *)pubKey;
+	    context->update = (SFTKCipher) 
+		(pMechanism->mechanism == CKM_RSA_X_509
+					? RSA_EncryptRaw : RSA_EncryptBlock);
+	} else {
+	    NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
+	    if (privKey == NULL) {
+		break;
+	    }
+	    context->maxLen = nsslowkey_PrivateModulusLen(privKey);
+	    context->cipherInfo =  (void *)privKey;
+	    context->update = (SFTKCipher) 
+		(pMechanism->mechanism == CKM_RSA_X_509
+					? RSA_DecryptRaw : RSA_DecryptBlock);
+	}
+	context->destroy = sftk_Null;
+	break;
+    case CKM_RC2_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+	context->blockSize = 8;
+	if (key_type != CKK_RC2) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
+	effectiveKeyLength = (rc2_param->ulEffectiveBits+7)/8;
+	context->cipherInfo = 
+	    RC2_CreateContext((unsigned char*)att->attrib.pValue,
+			      att->attrib.ulValueLen, rc2_param->iv,
+			      pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 :
+			      NSS_RC2_CBC,effectiveKeyLength);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? RC2_Encrypt : RC2_Decrypt);
+	context->destroy = (SFTKDestroy) RC2_DestroyContext;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+	if (key_type != CKK_RC5) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
+	context->blockSize = rc5_param->ulWordsize*2;
+	rc5Key.data = (unsigned char*)att->attrib.pValue;
+	rc5Key.len = att->attrib.ulValueLen;
+	context->cipherInfo = RC5_CreateContext(&rc5Key,rc5_param->ulRounds,
+	   rc5_param->ulWordsize,rc5_param->pIv,
+		 pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? RC5_Encrypt : RC5_Decrypt);
+	context->destroy = (SFTKDestroy) RC5_DestroyContext;
+	break;
+#endif
+    case CKM_RC4:
+	if (key_type != CKK_RC4) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = 
+	    RC4_CreateContext((unsigned char*)att->attrib.pValue,
+			      att->attrib.ulValueLen);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;  /* WRONG !!! */
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? RC4_Encrypt : RC4_Decrypt);
+	context->destroy = (SFTKDestroy) RC4_DestroyContext;
+	break;
+    case CKM_CDMF_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+	if (key_type != CKK_CDMF) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
+	if (crv != CKR_OK) break;
+	goto finish_des;
+    case CKM_DES_ECB:
+	if (key_type != CKK_DES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES;
+	goto finish_des;
+    case CKM_DES_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_DES_CBC:
+	if (key_type != CKK_DES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_CBC;
+	goto finish_des;
+    case CKM_DES3_ECB:
+	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_EDE3;
+	goto finish_des;
+    case CKM_DES3_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_DES3_CBC:
+	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_EDE3_CBC;
+finish_des:
+	context->blockSize = 8;
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	if (key_type == CKK_DES2 && 
+            (t == NSS_DES_EDE3_CBC || t == NSS_DES_EDE3)) {
+	    /* extend DES2 key to DES3 key. */
+	    memcpy(newdeskey, att->attrib.pValue, 16);
+	    memcpy(newdeskey + 16, newdeskey, 8);
+	    useNewKey=PR_TRUE;
+	} else if (key_type == CKK_CDMF) {
+	    crv = sftk_cdmf2des((unsigned char*)att->attrib.pValue,newdeskey);
+	    if (crv != CKR_OK) {
+		sftk_FreeAttribute(att);
+		break;
+	    }
+	    useNewKey=PR_TRUE;
+	}
+	context->cipherInfo = DES_CreateContext(
+		useNewKey ? newdeskey : (unsigned char*)att->attrib.pValue,
+		(unsigned char*)pMechanism->pParameter,t, isEncrypt);
+	if (useNewKey) 
+	    memset(newdeskey, 0, sizeof newdeskey);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? DES_Encrypt : DES_Decrypt);
+	context->destroy = (SFTKDestroy) DES_DestroyContext;
+	break;
+
+    case CKM_CAMELLIA_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_CAMELLIA_CBC:
+	if (!pMechanism->pParameter ||
+		 pMechanism->ulParameterLen != 16) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	/* fall thru */
+    case CKM_CAMELLIA_ECB:
+	context->blockSize = 16;
+	if (key_type != CKK_CAMELLIA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = Camellia_CreateContext(
+	    (unsigned char*)att->attrib.pValue,
+	    (unsigned char*)pMechanism->pParameter,
+	    pMechanism->mechanism ==
+	    CKM_CAMELLIA_ECB ? NSS_CAMELLIA : NSS_CAMELLIA_CBC,
+	    isEncrypt, att->attrib.ulValueLen);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ?
+					Camellia_Encrypt : Camellia_Decrypt);
+	context->destroy = (SFTKDestroy) Camellia_DestroyContext;
+	break;
+
+    case CKM_AES_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+	context->blockSize = 16;
+	if (key_type != CKK_AES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = AES_CreateContext(
+	    (unsigned char*)att->attrib.pValue,
+	    (unsigned char*)pMechanism->pParameter,
+	    pMechanism->mechanism == CKM_AES_ECB ? NSS_AES : NSS_AES_CBC,
+	    isEncrypt, att->attrib.ulValueLen, 16);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? AES_Encrypt : AES_Decrypt);
+	context->destroy = (SFTKDestroy) AES_DestroyContext;
+	break;
+
+    case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
+    	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_NETSCAPE_AES_KEY_WRAP:
+	context->multi = PR_FALSE;
+	context->blockSize = 8;
+	if (key_type != CKK_AES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = sftk_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = AESKeyWrap_CreateContext(
+	    (unsigned char*)att->attrib.pValue,
+	    (unsigned char*)pMechanism->pParameter,
+	    isEncrypt, att->attrib.ulValueLen);
+	sftk_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (SFTKCipher) (isEncrypt ? AESKeyWrap_Encrypt 
+	                                          : AESKeyWrap_Decrypt);
+	context->destroy = (SFTKDestroy) AESKeyWrap_DestroyContext;
+	break;
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        sftk_FreeContext(context);
+	sftk_FreeSession(session);
+	return crv;
+    }
+    sftk_SetContextByType(session, contextType, context);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_EncryptInit initializes an encryption operation. */
+CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    CHECK_FORK();
+    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, 
+						SFTK_ENCRYPT, PR_TRUE);
+}
+
+/* NSC_EncryptUpdate continues a multiple-part encryption operation. */
+CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,	
+					CK_ULONG_PTR pulEncryptedPartLen)
+{
+    SFTKSessionContext *context;
+    unsigned int outlen,i;
+    unsigned int padoutlen = 0;
+    unsigned int maxout = *pulEncryptedPartLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    if (!pEncryptedPart) {
+	if (context->doPad) {
+	    CK_ULONG totalDataAvailable = ulPartLen + context->padDataLength;
+	    CK_ULONG blocksToSend = totalDataAvailable/context->blockSize;
+
+	    *pulEncryptedPartLen = blocksToSend * context->blockSize;
+	    return CKR_OK;
+	}
+	*pulEncryptedPartLen = ulPartLen;
+	return CKR_OK;
+    }
+
+    /* do padding */
+    if (context->doPad) {
+	/* deal with previous buffered data */
+	if (context->padDataLength != 0) {
+	    /* fill in the padded to a full block size */
+	    for (i=context->padDataLength; 
+			(ulPartLen != 0) && i < context->blockSize; i++) {
+		context->padBuf[i] = *pPart++;
+		ulPartLen--;
+		context->padDataLength++;
+	    }
+
+	    /* not enough data to encrypt yet? then return */
+	    if (context->padDataLength != context->blockSize) {
+		*pulEncryptedPartLen = 0;
+		return CKR_OK;
+	    }
+	    /* encrypt the current padded data */
+    	    rv = (*context->update)(context->cipherInfo, pEncryptedPart, 
+		&padoutlen, context->blockSize, context->padBuf,
+							context->blockSize);
+	    if (rv != SECSuccess) {
+		return sftk_MapCryptError(PORT_GetError());
+	    }
+	    pEncryptedPart += padoutlen;
+	    maxout -= padoutlen;
+	}
+	/* save the residual */
+	context->padDataLength = ulPartLen % context->blockSize;
+	if (context->padDataLength) {
+	    PORT_Memcpy(context->padBuf,
+			&pPart[ulPartLen-context->padDataLength],
+							context->padDataLength);
+	    ulPartLen -= context->padDataLength;
+	}
+	/* if we've exhausted our new buffer, we're done */
+	if (ulPartLen == 0) {
+	    *pulEncryptedPartLen = padoutlen;
+	    return CKR_OK;
+	}
+    }
+
+
+    /* do it: NOTE: this assumes buf size in is >= buf size out! */
+    rv = (*context->update)(context->cipherInfo,pEncryptedPart, 
+					&outlen, maxout, pPart, ulPartLen);
+    *pulEncryptedPartLen = (CK_ULONG) (outlen + padoutlen);
+    if (rv != SECSuccess) {
+	return sftk_MapCryptError(PORT_GetError());
+    }
+    return CKR_OK;
+}
+
+
+/* NSC_EncryptFinal finishes a multiple-part encryption operation. */
+CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen,i;
+    unsigned int maxout = *pulLastEncryptedPartLen;
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+    PRBool contextFinished = PR_TRUE;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    *pulLastEncryptedPartLen = 0;
+    if (!pLastEncryptedPart) {
+	/* caller is checking the amount of remaining data */
+	if (context->blockSize > 0 && context->doPad) {
+	    *pulLastEncryptedPartLen = context->blockSize;
+	    contextFinished = PR_FALSE; /* still have padding to go */
+	}
+	goto finish;
+    }
+
+    /* do padding */
+    if (context->doPad) {
+	unsigned char  padbyte = (unsigned char) 
+				(context->blockSize - context->padDataLength); 
+	/* fill out rest of pad buffer with pad magic*/
+	for (i=context->padDataLength; i < context->blockSize; i++) {
+	    context->padBuf[i] = padbyte;
+	}
+	rv = (*context->update)(context->cipherInfo,pLastEncryptedPart, 
+			&outlen, maxout, context->padBuf, context->blockSize);
+	if (rv == SECSuccess) *pulLastEncryptedPartLen = (CK_ULONG) outlen;
+    }
+
+finish:
+    if (contextFinished) {
+	sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+	sftk_FreeContext(context);
+    }
+    sftk_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Encrypt encrypts single-part data. */
+CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    		   CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+		   CK_ULONG_PTR pulEncryptedDataLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulEncryptedDataLen;
+    CK_RV crv;
+    CK_RV crv2;
+    SECStatus rv = SECSuccess;
+    SECItem   pText;
+
+    pText.type = siBuffer;
+    pText.data = pData;
+    pText.len  = ulDataLen;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (!pEncryptedData) {
+	*pulEncryptedDataLen = context->multi ? 
+		ulDataLen + 2 * context->blockSize : context->maxLen;
+	goto finish;
+    }
+
+    if (context->doPad) {
+	if (context->multi) {
+	    CK_ULONG finalLen;
+	    /* padding is fairly complicated, have the update and final 
+	     * code deal with it */
+	    sftk_FreeSession(session);
+	    crv = NSC_EncryptUpdate(hSession, pData, ulDataLen, pEncryptedData, 
+	                            pulEncryptedDataLen);
+	    if (crv != CKR_OK) 
+	    	*pulEncryptedDataLen = 0;
+	    maxoutlen      -= *pulEncryptedDataLen;
+	    pEncryptedData += *pulEncryptedDataLen;
+	    finalLen = maxoutlen;
+	    crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen);
+	    if (crv2 == CKR_OK) 
+	    	*pulEncryptedDataLen += finalLen;
+	    return crv == CKR_OK ? crv2 : crv;
+	}
+	/* doPad without multi means that padding must be done on the first
+	** and only update.  There will be no final.
+	*/
+	PORT_Assert(context->blockSize > 1);
+	if (context->blockSize > 1) {
+	    CK_ULONG remainder = ulDataLen % context->blockSize;
+	    CK_ULONG padding   = context->blockSize - remainder;
+	    pText.len += padding;
+	    pText.data = PORT_ZAlloc(pText.len);
+	    if (pText.data) {
+		memcpy(pText.data, pData, ulDataLen);
+		memset(pText.data + ulDataLen, padding, padding);
+	    } else {
+		crv = CKR_HOST_MEMORY;
+		goto fail;
+	    }
+	}
+    }
+
+    /* do it: NOTE: this assumes buf size is big enough. */
+    rv = (*context->update)(context->cipherInfo, pEncryptedData, 
+			    &outlen, maxoutlen, pText.data, pText.len);
+    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+    *pulEncryptedDataLen = (CK_ULONG) outlen;
+    if (pText.data != pData)
+    	PORT_ZFree(pText.data, pText.len);
+fail:
+    sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+    sftk_FreeContext(context);
+finish:
+    sftk_FreeSession(session);
+
+    return crv;
+}
+
+
+/*
+ ************** Crypto Functions:     Decrypt ************************
+ */
+
+/* NSC_DecryptInit initializes a decryption operation. */
+CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    CHECK_FORK();
+
+    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT,
+						SFTK_DECRYPT, PR_FALSE);
+}
+
+/* NSC_DecryptUpdate continues a multiple-part decryption operation. */
+CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+    				CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+    SFTKSessionContext *context;
+    unsigned int padoutlen = 0;
+    unsigned int outlen;
+    unsigned int maxout = *pulPartLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    /* this can only happen on an NSS programming error */
+    PORT_Assert((context->padDataLength == 0) 
+		|| context->padDataLength == context->blockSize);
+
+
+    if (!pPart) {
+	if (context->doPad) {
+	    /* we can check the data length here because if we are padding,
+	     * then we must be using a block cipher. In the non-padding case
+	     * the error will be returned by the underlying decryption
+	     * function when do do the actual decrypt. We need to do the
+	     * check here to avoid returning a negative length to the caller.
+ 	     */
+	    if ((ulEncryptedPartLen == 0) ||
+		(ulEncryptedPartLen % context->blockSize) != 0) {
+		return CKR_ENCRYPTED_DATA_LEN_RANGE;
+	    }
+	    *pulPartLen = 
+		ulEncryptedPartLen + context->padDataLength - context->blockSize;
+	    return CKR_OK;
+	}
+	/* for stream ciphers there is are no constraints on ulEncryptedPartLen.
+	 * for block ciphers, it must be a multiple of blockSize. The error is
+	 * detected when this function is called again do decrypt the output.
+	 */
+	*pulPartLen = ulEncryptedPartLen;
+	return CKR_OK;
+    }
+
+    if (context->doPad) {
+	/* first decrypt our saved buffer */
+	if (context->padDataLength != 0) {
+    	    rv = (*context->update)(context->cipherInfo, pPart, &padoutlen,
+		 maxout, context->padBuf, context->blockSize);
+    	    if (rv != SECSuccess)  return CKR_DEVICE_ERROR;
+	    pPart += padoutlen;
+	    maxout -= padoutlen;
+	}
+	/* now save the final block for the next decrypt or the final */
+	PORT_Memcpy(context->padBuf,&pEncryptedPart[ulEncryptedPartLen -
+				context->blockSize], context->blockSize);
+	context->padDataLength = context->blockSize;
+	ulEncryptedPartLen -= context->padDataLength;
+    }
+
+    /* do it: NOTE: this assumes buf size in is >= buf size out! */
+    rv = (*context->update)(context->cipherInfo,pPart, &outlen,
+		 maxout, pEncryptedPart, ulEncryptedPartLen);
+    *pulPartLen = (CK_ULONG) (outlen + padoutlen);
+    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
+CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int maxout = *pulLastPartLen;
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    *pulLastPartLen = 0;
+    if (!pLastPart) {
+	/* caller is checking the amount of remaining data */
+	if (context->padDataLength > 0) {
+	    *pulLastPartLen = context->padDataLength;
+	}
+	rv = SECSuccess;
+	goto finish;
+    }
+
+    if (context->doPad) {
+	/* decrypt our saved buffer */
+	if (context->padDataLength != 0) {
+	    /* this assumes that pLastPart is big enough to hold the *whole*
+	     * buffer!!! */
+    	    rv = (*context->update)(context->cipherInfo, pLastPart, &outlen,
+		 maxout, context->padBuf, context->blockSize);
+    	    if (rv == SECSuccess) {
+		unsigned int padSize = 
+			    (unsigned int) pLastPart[context->blockSize-1];
+		if ((padSize > context->blockSize) || (padSize == 0)) {
+		    rv = SECFailure;
+		} else {
+		    *pulLastPartLen = outlen - padSize;
+		}
+	    }
+	}
+    }
+
+    sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
+    sftk_FreeContext(context);
+finish:
+    sftk_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Decrypt decrypts encrypted data in a single part. */
+CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,
+    						CK_ULONG_PTR pulDataLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulDataLen;
+    CK_RV crv;
+    CK_RV crv2;
+    SECStatus rv = SECSuccess;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (!pData) {
+	*pulDataLen = ulEncryptedDataLen + context->blockSize;
+	goto finish;
+    }
+
+    if (context->doPad && context->multi) {
+	CK_ULONG finalLen;
+	/* padding is fairly complicated, have the update and final 
+	 * code deal with it */
+	sftk_FreeSession(session);
+	crv = NSC_DecryptUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
+							pData, pulDataLen);
+	if (crv != CKR_OK) 
+	    *pulDataLen = 0;
+	maxoutlen -= *pulDataLen;
+	pData     += *pulDataLen;
+	finalLen = maxoutlen;
+	crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
+	if (crv2 == CKR_OK) 
+	    *pulDataLen += finalLen;
+	return crv == CKR_OK ? crv2 : crv;
+    }
+
+    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
+					pEncryptedData, ulEncryptedDataLen);
+    /* XXX need to do MUCH better error mapping than this. */
+    crv = (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
+    if (rv == SECSuccess && context->doPad) {
+    	CK_ULONG padding = pData[outlen - 1];
+	if (padding > context->blockSize || !padding) {
+	    crv = CKR_ENCRYPTED_DATA_INVALID;
+	} else
+	    outlen -= padding;
+    }
+    *pulDataLen = (CK_ULONG) outlen;
+    sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
+    sftk_FreeContext(context);
+finish:
+    sftk_FreeSession(session);
+    return crv;
+}
+
+
+
+/*
+ ************** Crypto Functions:     Digest (HASH)  ************************
+ */
+
+/* NSC_DigestInit initializes a message-digesting operation. */
+CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
+    					CK_MECHANISM_PTR pMechanism)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    CK_RV crv = CKR_OK;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) 
+    	return CKR_SESSION_HANDLE_INVALID;
+    crv = sftk_InitGeneric(session,&context,SFTK_HASH,NULL,0,NULL, 0, 0);
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+	return crv;
+    }
+
+
+#define INIT_MECH(mech,mmm) \
+    case mech: { \
+	mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
+	context->cipherInfo    = (void *)mmm ## _ctx; \
+	context->cipherInfoLen = mmm ## _FlattenSize(mmm ## _ctx); \
+	context->currentMech   = mech; \
+	context->hashUpdate    = (SFTKHash)    mmm ## _Update; \
+	context->end           = (SFTKEnd)     mmm ## _End; \
+	context->destroy       = (SFTKDestroy) mmm ## _DestroyContext; \
+	context->maxLen        = mmm ## _LENGTH; \
+        if (mmm ## _ctx) \
+	    mmm ## _Begin(mmm ## _ctx); \
+	else  \
+	    crv = CKR_HOST_MEMORY; \
+	break; \
+    }
+
+    switch(pMechanism->mechanism) {
+    INIT_MECH(CKM_MD2,    MD2)
+    INIT_MECH(CKM_MD5,    MD5)
+    INIT_MECH(CKM_SHA_1,  SHA1)
+    INIT_MECH(CKM_SHA256, SHA256)
+    INIT_MECH(CKM_SHA384, SHA384)
+    INIT_MECH(CKM_SHA512, SHA512)
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        sftk_FreeContext(context);
+	sftk_FreeSession(session);
+	return crv;
+    }
+    sftk_SetContextByType(session, SFTK_HASH, context);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_Digest digests data in a single part. */
+CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pulDigestLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int digestLen;
+    unsigned int maxout = *pulDigestLen;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (pDigest == NULL) {
+	*pulDigestLen = context->maxLen;
+	goto finish;
+    }
+
+    /* do it: */
+    (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
+    /*  NOTE: this assumes buf size is bigenough for the algorithm */
+    (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout);
+    *pulDigestLen = digestLen;
+
+    sftk_SetContextByType(session, SFTK_HASH, NULL);
+    sftk_FreeContext(context);
+finish:
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */
+CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+					    CK_ULONG ulPartLen)
+{
+    SFTKSessionContext *context;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+    /* do it: */
+    (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
+    return CKR_OK;
+}
+
+
+/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
+CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pulDigestLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int maxout = *pulDigestLen;
+    unsigned int digestLen;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
+    if (crv != CKR_OK) return crv;
+
+    if (pDigest != NULL) {
+        (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
+        *pulDigestLen = digestLen;
+	sftk_SetContextByType(session, SFTK_HASH, NULL);
+	sftk_FreeContext(context);
+    } else {
+	*pulDigestLen = context->maxLen;
+    }
+
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+/*
+ * these helper functions are used by Generic Macing and Signing functions
+ * that use hashes as part of their operations. 
+ */
+#define DOSUB(mmm) \
+static CK_RV \
+sftk_doSub ## mmm(SFTKSessionContext *context) { \
+    mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
+    context->hashInfo    = (void *)      mmm ## _ctx; \
+    context->hashUpdate  = (SFTKHash)    mmm ## _Update; \
+    context->end         = (SFTKEnd)     mmm ## _End; \
+    context->hashdestroy = (SFTKDestroy) mmm ## _DestroyContext; \
+    if (!context->hashInfo) { \
+	return CKR_HOST_MEMORY; \
+    } \
+    mmm ## _Begin( mmm ## _ctx ); \
+    return CKR_OK; \
+}
+
+DOSUB(MD2)
+DOSUB(MD5)
+DOSUB(SHA1)
+DOSUB(SHA256)
+DOSUB(SHA384)
+DOSUB(SHA512)
+
+/*
+ * HMAC General copies only a portion of the result. This update routine likes
+ * the final HMAC output with the signature.
+ */
+static SECStatus
+sftk_HMACCopy(CK_ULONG *copyLen,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    if (maxLen < *copyLen) return SECFailure;
+    PORT_Memcpy(sig,hash,*copyLen);
+    *sigLen = *copyLen;
+    return SECSuccess;
+}
+
+/* Verify is just a compare for HMAC */
+static SECStatus
+sftk_HMACCmp(CK_ULONG *copyLen,unsigned char *sig,unsigned int sigLen,
+				unsigned char *hash, unsigned int hashLen)
+{
+    return (PORT_Memcmp(sig,hash,*copyLen) == 0) ? SECSuccess : SECFailure ; 
+}
+
+/*
+ * common HMAC initalization routine
+ */
+static CK_RV
+sftk_doHMACInit(SFTKSessionContext *context,HASH_HashType hash,
+					SFTKObject *key, CK_ULONG mac_size)
+{
+    SFTKAttribute *keyval;
+    HMACContext *HMACcontext;
+    CK_ULONG *intpointer;
+    const SECHashObject *hashObj = HASH_GetRawHashObject(hash);
+    PRBool isFIPS = (key->slot->slotID == FIPS_SLOT_ID);
+
+    /* required by FIPS 198 Section 4 */
+    if (isFIPS && (mac_size < 4 || mac_size < hashObj->length/2)) {
+	return CKR_BUFFER_TOO_SMALL;
+    }
+
+    keyval = sftk_FindAttribute(key,CKA_VALUE);
+    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
+
+    HMACcontext = HMAC_Create(hashObj, 
+		(const unsigned char*)keyval->attrib.pValue,
+		keyval->attrib.ulValueLen, isFIPS);
+    context->hashInfo = HMACcontext;
+    context->multi = PR_TRUE;
+    sftk_FreeAttribute(keyval);
+    if (context->hashInfo == NULL) {
+	if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+	    return CKR_KEY_SIZE_RANGE;
+	}
+	return CKR_HOST_MEMORY;
+    }
+    context->hashUpdate = (SFTKHash) HMAC_Update;
+    context->end = (SFTKEnd) HMAC_Finish;
+
+    context->hashdestroy = (SFTKDestroy) HMAC_Destroy;
+    intpointer = (CK_ULONG *) PORT_Alloc(sizeof(CK_ULONG));
+    if (intpointer == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    *intpointer = mac_size;
+    context->cipherInfo = (void *) intpointer;
+    context->destroy = (SFTKDestroy) sftk_Space;
+    context->update = (SFTKCipher) sftk_HMACCopy;
+    context->verify = (SFTKVerify) sftk_HMACCmp;
+    context->maxLen = hashObj->length;
+    HMAC_Begin(HMACcontext);
+    return CKR_OK;
+}
+
+/*
+ *  SSL Macing support. SSL Macs are inited, then update with the base
+ * hashing algorithm, then finalized in sign and verify
+ */
+
+/*
+ * FROM SSL:
+ * 60 bytes is 3 times the maximum length MAC size that is supported.
+ * We probably should have one copy of this table. We still need this table
+ * in ssl to 'sign' the handshake hashes.
+ */
+static unsigned char ssl_pad_1 [60] = {
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36
+};
+static unsigned char ssl_pad_2 [60] = {
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c
+};
+
+static SECStatus
+sftk_SSLMACSign(SFTKSSLMACInfo *info,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
+    unsigned int out;
+
+    info->begin(info->hashContext);
+    info->update(info->hashContext,info->key,info->keySize);
+    info->update(info->hashContext,ssl_pad_2,info->padSize);
+    info->update(info->hashContext,hash,hashLen);
+    info->end(info->hashContext,tmpBuf,&out,SFTK_MAX_MAC_LENGTH);
+    PORT_Memcpy(sig,tmpBuf,info->macSize);
+    *sigLen = info->macSize;
+    return SECSuccess;
+}
+
+static SECStatus
+sftk_SSLMACVerify(SFTKSSLMACInfo *info,unsigned char *sig,unsigned int sigLen,
+		unsigned char *hash, unsigned int hashLen)
+{
+    unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
+    unsigned int out;
+
+    info->begin(info->hashContext);
+    info->update(info->hashContext,info->key,info->keySize);
+    info->update(info->hashContext,ssl_pad_2,info->padSize);
+    info->update(info->hashContext,hash,hashLen);
+    info->end(info->hashContext,tmpBuf,&out,SFTK_MAX_MAC_LENGTH);
+    return (PORT_Memcmp(sig,tmpBuf,info->macSize) == 0) ? 
+						SECSuccess : SECFailure;
+}
+
+/*
+ * common HMAC initalization routine
+ */
+static CK_RV
+sftk_doSSLMACInit(SFTKSessionContext *context,SECOidTag oid,
+					SFTKObject *key, CK_ULONG mac_size)
+{
+    SFTKAttribute *keyval;
+    SFTKBegin begin;
+    int padSize;
+    SFTKSSLMACInfo *sslmacinfo;
+    CK_RV crv = CKR_MECHANISM_INVALID;
+
+    if (oid == SEC_OID_SHA1) {
+	crv = sftk_doSubSHA1(context);
+	if (crv != CKR_OK) return crv;
+	begin = (SFTKBegin) SHA1_Begin;
+	padSize = 40;
+    } else {
+	crv = sftk_doSubMD5(context);
+	if (crv != CKR_OK) return crv;
+	begin = (SFTKBegin) MD5_Begin;
+	padSize = 48;
+    }
+    context->multi = PR_TRUE;
+
+    keyval = sftk_FindAttribute(key,CKA_VALUE);
+    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
+
+    context->hashUpdate(context->hashInfo,keyval->attrib.pValue,
+						 keyval->attrib.ulValueLen);
+    context->hashUpdate(context->hashInfo,ssl_pad_1,padSize);
+    sslmacinfo = (SFTKSSLMACInfo *) PORT_Alloc(sizeof(SFTKSSLMACInfo));
+    if (sslmacinfo == NULL) {
+        sftk_FreeAttribute(keyval);
+	return CKR_HOST_MEMORY;
+    }
+    sslmacinfo->macSize = mac_size;
+    sslmacinfo->hashContext = context->hashInfo;
+    PORT_Memcpy(sslmacinfo->key,keyval->attrib.pValue,
+					keyval->attrib.ulValueLen);
+    sslmacinfo->keySize = keyval->attrib.ulValueLen;
+    sslmacinfo->begin = begin;
+    sslmacinfo->end = context->end;
+    sslmacinfo->update = context->hashUpdate;
+    sslmacinfo->padSize = padSize;
+    sftk_FreeAttribute(keyval);
+    context->cipherInfo = (void *) sslmacinfo;
+    context->destroy = (SFTKDestroy) sftk_Space;
+    context->update = (SFTKCipher) sftk_SSLMACSign;
+    context->verify = (SFTKVerify) sftk_SSLMACVerify;
+    context->maxLen = mac_size;
+    return CKR_OK;
+}
+
+/*
+ ************** Crypto Functions:     Sign  ************************
+ */
+
+/*
+ * Check if We're using CBCMacing and initialize the session context if we are.
+ */
+static CK_RV
+sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ 	CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage,
+						 SFTKContextType contextType)
+	
+{
+    CK_MECHANISM cbc_mechanism;
+    CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE;
+    CK_RC2_CBC_PARAMS rc2_params;
+#if NSS_SOFTOKEN_DOES_RC5
+    CK_RC5_CBC_PARAMS rc5_params;
+    CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
+#endif
+    unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE];
+    SFTKSessionContext *context;
+    CK_RV crv;
+    int blockSize;
+
+    switch (pMechanism->mechanism) {
+    case CKM_RC2_MAC_GENERAL:
+	mac_bytes = 
+	    ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+	/* fall through */
+    case CKM_RC2_MAC:
+	/* this works because ulEffectiveBits is in the same place in both the
+	 * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */
+	rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *)
+				pMechanism->pParameter)->ulEffectiveBits;
+	PORT_Memset(rc2_params.iv,0,sizeof(rc2_params.iv));
+	cbc_mechanism.mechanism = CKM_RC2_CBC;
+	cbc_mechanism.pParameter = &rc2_params;
+	cbc_mechanism.ulParameterLen = sizeof(rc2_params);
+	blockSize = 8;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_MAC_GENERAL:
+	mac_bytes = 
+	    ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+	/* fall through */
+    case CKM_RC5_MAC:
+	/* this works because ulEffectiveBits is in the same place in both the
+	 * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */
+	rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
+	rc5_params.ulWordsize = rc5_mac->ulWordsize;
+	rc5_params.ulRounds = rc5_mac->ulRounds;
+	rc5_params.pIv = ivBlock;
+	blockSize = rc5_mac->ulWordsize*2;
+	rc5_params.ulIvLen = blockSize;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_RC5_CBC;
+	cbc_mechanism.pParameter = &rc5_params;
+	cbc_mechanism.ulParameterLen = sizeof(rc5_params);
+	break;
+#endif
+    /* add cast and idea later */
+    case CKM_DES_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_DES_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_DES_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_DES3_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_DES3_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_DES3_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_CDMF_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_CDMF_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_CDMF_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_CAMELLIA_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_CAMELLIA_MAC:
+	blockSize = 16;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_CAMELLIA_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_AES_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_AES_MAC:
+	blockSize = 16;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_AES_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    default:
+	return CKR_FUNCTION_NOT_SUPPORTED;
+    }
+
+    crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, keyUsage,
+							contextType, PR_TRUE);
+    if (crv != CKR_OK) return crv;
+    crv = sftk_GetContext(hSession,&context,contextType,PR_TRUE,NULL);
+
+    /* this shouldn't happen! */
+    PORT_Assert(crv == CKR_OK);
+    if (crv != CKR_OK) return crv;
+    context->blockSize = blockSize;
+    if (mac_bytes == SFTK_INVALID_MAC_SIZE) mac_bytes = blockSize/2;
+    context->macSize = mac_bytes;
+    return CKR_OK;
+}
+
+/*
+ * encode RSA PKCS #1 Signature data before signing... 
+ */
+static SECStatus
+sftk_HashSign(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    return RSA_HashSign(info->hashOid,info->key,sig,sigLen,maxLen,
+							hash,hashLen);
+}
+
+/* XXX Old template; want to expunge it eventually. */
+static DERTemplate SECAlgorithmIDTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { DER_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { DER_OPTIONAL | DER_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+/*
+ * XXX OLD Template.  Once all uses have been switched over to new one,
+ * remove this.
+ */
+static DERTemplate SGNDigestInfoTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SGNDigestInfo) },
+    { DER_INLINE,
+	  offsetof(SGNDigestInfo,digestAlgorithm),
+	  SECAlgorithmIDTemplate, },
+    { DER_OCTET_STRING,
+	  offsetof(SGNDigestInfo,digest), },
+    { 0, }
+};
+
+SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+		unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+		unsigned char *hash, unsigned int hashLen)
+{
+    
+    SECStatus rv = SECFailure;
+    SECItem digder;
+    PLArenaPool *arena = NULL;
+    SGNDigestInfo *di = NULL;
+
+    digder.data = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) { goto loser; }
+    
+    /* Construct digest info */
+    di = SGN_CreateDigestInfo(hashOid, hash, hashLen);
+    if (!di) { goto loser; }
+
+    /* Der encode the digest as a DigestInfo */
+    rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    rv = RSA_Sign(key,sig,sigLen,maxLen,digder.data,digder.len);
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+static SECStatus
+nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
+                               void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature, digest;
+    NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+    signature.data = (unsigned char *)sigBuf;
+    signature.len = sigLen;
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
+}
+
+static SECStatus
+nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
+                  unsigned int *sigLen, unsigned int maxSigLen,
+                  void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature, digest;
+    SECStatus rv;
+    NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+    signature.data = (unsigned char *)sigBuf;
+    signature.len = maxSigLen;
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *sigLen = signature.len;
+    return rv;
+}
+
+#ifdef NSS_ENABLE_ECC
+static SECStatus
+nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
+                    void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature, digest;
+    NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+    signature.data = (unsigned char *)sigBuf;
+    signature.len = sigLen;
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    return ECDSA_VerifyDigest(&(key->u.ec), &signature, &digest);
+}
+
+static SECStatus
+nsc_ECDSASignStub(void *ctx, void *sigBuf,
+                  unsigned int *sigLen, unsigned int maxSigLen,
+                  void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature, digest;
+    SECStatus rv;
+    NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+    signature.data = (unsigned char *)sigBuf;
+    signature.len = maxSigLen;
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *sigLen = signature.len;
+    return rv;
+}
+#endif /* NSS_ENABLE_ECC */
+
+/* NSC_SignInit setups up the signing operations. There are three basic
+ * types of signing:
+ *	(1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
+ *  to data in a single Sign operation (which often looks a lot like an
+ *  encrypt, with data coming in and data going out).
+ *	(2) Hash based signing, where we continually hash the data, then apply
+ *  some sort of signature to the end.
+ *	(3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
+ *  and only the final block is part of the mac.
+ *
+ *  For case number 3, we initialize a context much like the Encryption Context
+ *  (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and 
+ *  C_Final by the following method... if it's not multi-part, and it's doesn't
+ *  have a hash context, it must be a block Encryption CBC MAC.
+ *
+ *  For case number 2, we initialize a hash structure, as well as make it 
+ *  multi-part. Updates are simple calls to the hash update function. Final
+ *  calls the hashend, then passes the result to the 'update' function (which
+ *  operates as a final signature function). In some hash based MAC'ing (as
+ *  opposed to hash base signatures), the update function is can be simply a 
+ *  copy (as is the case with HMAC).
+ */
+CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    SFTKSession *session;
+    SFTKObject *key;
+    SFTKSessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPrivateKey *privKey;
+    SFTKHashSignInfo *info = NULL;
+
+    CHECK_FORK();
+
+    /* Block Cipher MACing Algorithms use a different Context init method..*/
+    crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN);
+    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
+
+    /* we're not using a block cipher mac */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = sftk_InitGeneric(session,&context,SFTK_SIGN,&key,hKey,&key_type,
+						CKO_PRIVATE_KEY,CKA_SIGN);
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_FALSE;
+
+#define INIT_RSA_SIGN_MECH(mmm) \
+    case CKM_ ## mmm ## _RSA_PKCS: \
+        context->multi = PR_TRUE; \
+	crv = sftk_doSub ## mmm (context); \
+	if (crv != CKR_OK) break; \
+	context->update = (SFTKCipher) sftk_HashSign; \
+	info = PORT_New(SFTKHashSignInfo); \
+	if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
+	info->hashOid = SEC_OID_ ## mmm ; \
+	goto finish_rsa; 
+
+    switch(pMechanism->mechanism) {
+    INIT_RSA_SIGN_MECH(MD5)
+    INIT_RSA_SIGN_MECH(MD2)
+    INIT_RSA_SIGN_MECH(SHA1)
+    INIT_RSA_SIGN_MECH(SHA256)
+    INIT_RSA_SIGN_MECH(SHA384)
+    INIT_RSA_SIGN_MECH(SHA512)
+
+    case CKM_RSA_PKCS:
+	context->update = (SFTKCipher) RSA_Sign;
+	goto finish_rsa;
+    case CKM_RSA_X_509:
+	context->update = (SFTKCipher)  RSA_SignRaw;
+finish_rsa:
+	if (key_type != CKK_RSA) {
+	    if (info) PORT_Free(info);
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
+	if (privKey == NULL) {
+	    if (info) PORT_Free(info);
+	    break;
+	}
+	/* OK, info is allocated only if we're doing hash and sign mechanism.
+	 * It's necessary to be able to set the correct OID in the final 
+	 * signature.
+	 */
+	if (info) {
+	    info->key = privKey;
+	    context->cipherInfo = info;
+	    context->destroy = (SFTKDestroy)sftk_Space;
+	} else {
+	    context->cipherInfo = privKey;
+	    context->destroy = (SFTKDestroy)sftk_Null;
+	}
+	context->maxLen = nsslowkey_PrivateModulusLen(privKey);
+	break;
+
+    case CKM_DSA_SHA1:
+        context->multi = PR_TRUE;
+	crv = sftk_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_DSA:
+	if (key_type != CKK_DSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	privKey = sftk_GetPrivKey(key,CKK_DSA,&crv);
+	if (privKey == NULL) {
+	    break;
+	}
+	context->cipherInfo = privKey;
+	context->update     = (SFTKCipher) nsc_DSA_Sign_Stub;
+	context->destroy    = (privKey == key->objectInfo) ?
+		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
+	context->maxLen     = DSA_SIGNATURE_LEN;
+
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case CKM_ECDSA_SHA1:
+	context->multi = PR_TRUE;
+	crv = sftk_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_ECDSA:
+	if (key_type != CKK_EC) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	privKey = sftk_GetPrivKey(key,CKK_EC,&crv);
+	if (privKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->cipherInfo = privKey;
+	context->update     = (SFTKCipher) nsc_ECDSASignStub;
+	context->destroy    = (privKey == key->objectInfo) ?
+		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
+	context->maxLen     = MAX_ECKEY_LEN * 2;
+
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+#define INIT_HMAC_MECH(mmm) \
+    case CKM_ ## mmm ## _HMAC_GENERAL: \
+	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, \
+				*(CK_ULONG *)pMechanism->pParameter); \
+	break; \
+    case CKM_ ## mmm ## _HMAC: \
+	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, mmm ## _LENGTH); \
+	break; 
+
+    INIT_HMAC_MECH(MD2)
+    INIT_HMAC_MECH(MD5)
+    INIT_HMAC_MECH(SHA256)
+    INIT_HMAC_MECH(SHA384)
+    INIT_HMAC_MECH(SHA512)
+
+    case CKM_SHA_1_HMAC_GENERAL:
+	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SHA_1_HMAC:
+	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
+	break;
+
+    case CKM_SSL3_MD5_MAC:
+	crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SSL3_SHA1_MAC:
+	crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_TLS_PRF_GENERAL:
+	crv = sftk_TLSPRFInit(context, key, key_type);
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        sftk_FreeContext(context);
+	sftk_FreeSession(session);
+	return crv;
+    }
+    sftk_SetContextByType(session, SFTK_SIGN, context);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate.
+ * (sign and verify only very in their setup and final operations) */
+static CK_RV 
+sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    					CK_ULONG ulPartLen,SFTKContextType type)
+{
+    unsigned int outlen;
+    SFTKSessionContext *context;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,type,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    if (context->hashInfo) {
+	(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
+	return CKR_OK;
+    }
+
+    /* must be block cipher macing */
+
+    /* deal with previous buffered data */
+    if (context->padDataLength != 0) {
+	int i;
+	/* fill in the padded to a full block size */
+	for (i=context->padDataLength; (ulPartLen != 0) && 
+					i < (int)context->blockSize; i++) {
+	    context->padBuf[i] = *pPart++;
+	    ulPartLen--;
+	    context->padDataLength++;
+	}
+
+	/* not enough data to encrypt yet? then return */
+	if (context->padDataLength != context->blockSize)  return CKR_OK;
+	/* encrypt the current padded data */
+    	rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen,
+			SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+    	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+    }
+
+    /* save the residual */
+    context->padDataLength = ulPartLen % context->blockSize;
+    if (context->padDataLength) {
+	PORT_Memcpy(context->padBuf,
+		    &pPart[ulPartLen-context->padDataLength],
+		    context->padDataLength);
+	ulPartLen -= context->padDataLength;
+    }
+
+    /* if we've exhausted our new buffer, we're done */
+    if (ulPartLen == 0) { return CKR_OK; }
+
+    /* run the data through out encrypter */	
+    while (ulPartLen) {
+    	rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen, 
+			SFTK_MAX_BLOCK_SIZE, pPart, context->blockSize);
+	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+	/* paranoia.. make sure we exit the loop */
+	PORT_Assert(ulPartLen >= context->blockSize);
+	if (ulPartLen < context->blockSize) break;
+	ulPartLen -= context->blockSize;
+    }
+
+    return CKR_OK;
+	
+}
+
+/* NSC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    							CK_ULONG ulPartLen)
+{
+    CHECK_FORK();
+
+    return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
+}
+
+
+/* NSC_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
+					    CK_ULONG_PTR pulSignatureLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int digestLen;
+    unsigned int maxoutlen = *pulSignatureLen;
+    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    *pulSignatureLen = 0;
+    crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (!pSignature) {
+	*pulSignatureLen = context->maxLen;
+	goto finish;
+    } else if (context->hashInfo) {
+        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+	rv = (*context->update)(context->cipherInfo, pSignature,
+					&outlen, maxoutlen, tmpbuf, digestLen);
+        *pulSignatureLen = (CK_ULONG) outlen;
+    } else {
+	/* deal with the last block if any residual */
+	if (context->padDataLength) {
+	    /* fill out rest of pad buffer with pad magic*/
+	    int i;
+	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
+		context->padBuf[i] = 0;
+	    }
+	    rv = (*context->update)(context->cipherInfo,context->macBuf,
+		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+	}
+	if (rv == SECSuccess) {
+	    PORT_Memcpy(pSignature,context->macBuf,context->macSize);
+	    *pulSignatureLen = context->macSize;
+	}
+    }
+
+    sftk_FreeContext(context);
+    sftk_SetContextByType(session, SFTK_SIGN, NULL);
+
+finish:
+    sftk_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,
+    					CK_ULONG_PTR pulSignatureLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulSignatureLen;
+    CK_RV crv,crv2;
+    SECStatus rv = SECSuccess;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (!pSignature) {
+	*pulSignatureLen = context->maxLen;
+	goto finish;
+    }
+
+    /* multi part Signing are completely implemented by SignUpdate and
+     * sign Final */
+    if (context->multi) {
+        sftk_FreeSession(session);
+	crv = NSC_SignUpdate(hSession,pData,ulDataLen);
+	if (crv != CKR_OK) *pulSignatureLen = 0;
+	crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
+	return crv == CKR_OK ? crv2 :crv;
+    }
+
+    rv = (*context->update)(context->cipherInfo, pSignature,
+					&outlen, maxoutlen, pData, ulDataLen);
+    *pulSignatureLen = (CK_ULONG) outlen;
+    sftk_FreeContext(context);
+    sftk_SetContextByType(session, SFTK_SIGN, NULL);
+
+finish:
+    sftk_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/*
+ ************** Crypto Functions:     Sign Recover  ************************
+ */
+/* NSC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
+{
+    CHECK_FORK();
+
+    switch (pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	return NSC_SignInit(hSession,pMechanism,hKey);
+    default:
+	break;
+    }
+    return CKR_MECHANISM_INVALID;
+}
+
+
+/* NSC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+    CHECK_FORK();
+
+    return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     verify  ************************
+ */
+
+/* Handle RSA Signature formatting */
+static SECStatus
+sftk_hashCheckSign(SFTKHashVerifyInfo *info, unsigned char *sig, 
+	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
+{
+    return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen,
+						digest, digestLen);
+}
+
+SECStatus
+RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+	unsigned char *sig, unsigned int sigLen,
+	unsigned char *digest, unsigned int digestLen)
+{
+
+    SECItem it;
+    SGNDigestInfo *di = NULL;
+    SECStatus rv = SECSuccess;
+    
+    it.data = NULL;
+
+    if (key == NULL) goto loser;
+
+    it.len = nsslowkey_PublicModulusLen(key); 
+    if (!it.len) goto loser;
+
+    it.data = (unsigned char *) PORT_Alloc(it.len);
+    if (it.data == NULL) goto loser;
+
+    /* decrypt the block */
+    rv = RSA_CheckSignRecover(key, it.data, &it.len, it.len, sig, sigLen);
+    if (rv != SECSuccess) goto loser;
+
+    di = SGN_DecodeDigestInfo(&it);
+    if (di == NULL) goto loser;
+    if (di->digest.len != digestLen)  goto loser; 
+
+    /* make sure the tag is OK */
+    if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) {
+	goto loser;
+    }
+    /* make sure the "parameters" are not too bogus. */
+    if (di->digestAlgorithm.parameters.len > 2) {
+	goto loser;
+    }
+    /* Now check the signature */
+    if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
+	goto done;
+    }
+
+  loser:
+    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+    rv = SECFailure;
+
+  done:
+    if (it.data != NULL) PORT_Free(it.data);
+    if (di != NULL) SGN_DestroyDigestInfo(di);
+    
+    return rv;
+}
+
+/* NSC_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
+			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) 
+{
+    SFTKSession *session;
+    SFTKObject *key;
+    SFTKSessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPublicKey *pubKey;
+    SFTKHashVerifyInfo *info = NULL;
+
+    CHECK_FORK();
+
+    /* Block Cipher MACing Algorithms use a different Context init method..*/
+    crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY);
+    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = sftk_InitGeneric(session,&context,SFTK_VERIFY,&key,hKey,&key_type,
+						CKO_PUBLIC_KEY,CKA_VERIFY);
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_FALSE;
+
+#define INIT_RSA_VFY_MECH(mmm) \
+    case CKM_ ## mmm ## _RSA_PKCS: \
+        context->multi = PR_TRUE; \
+	crv = sftk_doSub ## mmm (context); \
+	if (crv != CKR_OK) break; \
+	context->verify = (SFTKVerify) sftk_hashCheckSign; \
+	info = PORT_New(SFTKHashVerifyInfo); \
+	if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
+	info->hashOid = SEC_OID_ ## mmm ; \
+	goto finish_rsa; 
+
+    switch(pMechanism->mechanism) {
+    INIT_RSA_VFY_MECH(MD5) 
+    INIT_RSA_VFY_MECH(MD2) 
+    INIT_RSA_VFY_MECH(SHA1) 
+    INIT_RSA_VFY_MECH(SHA256) 
+    INIT_RSA_VFY_MECH(SHA384) 
+    INIT_RSA_VFY_MECH(SHA512) 
+
+    case CKM_RSA_PKCS:
+	context->verify = (SFTKVerify) RSA_CheckSign;
+	goto finish_rsa;
+    case CKM_RSA_X_509:
+	context->verify = (SFTKVerify) RSA_CheckSignRaw;
+finish_rsa:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
+	if (pubKey == NULL) {
+	    break;
+	}
+	if (info) {
+	    info->key = pubKey;
+	    context->cipherInfo = info;
+	    context->destroy = sftk_Space;
+	} else {
+	    context->cipherInfo = pubKey;
+	    context->destroy = sftk_Null;
+	}
+	break;
+    case CKM_DSA_SHA1:
+        context->multi = PR_TRUE;
+	crv = sftk_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_DSA:
+	if (key_type != CKK_DSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	pubKey = sftk_GetPubKey(key,CKK_DSA,&crv);
+	if (pubKey == NULL) {
+	    break;
+	}
+	context->cipherInfo = pubKey;
+	context->verify     = (SFTKVerify) nsc_DSA_Verify_Stub;
+	context->destroy    = sftk_Null;
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKM_ECDSA_SHA1:
+	context->multi = PR_TRUE;
+	crv = sftk_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_ECDSA:
+	if (key_type != CKK_EC) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	pubKey = sftk_GetPubKey(key,CKK_EC,&crv);
+	if (pubKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->cipherInfo = pubKey;
+	context->verify     = (SFTKVerify) nsc_ECDSAVerifyStub;
+	context->destroy    = sftk_Null;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    INIT_HMAC_MECH(MD2)
+    INIT_HMAC_MECH(MD5)
+    INIT_HMAC_MECH(SHA256)
+    INIT_HMAC_MECH(SHA384)
+    INIT_HMAC_MECH(SHA512)
+
+    case CKM_SHA_1_HMAC_GENERAL:
+	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SHA_1_HMAC:
+	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
+	break;
+
+    case CKM_SSL3_MD5_MAC:
+	crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SSL3_SHA1_MAC:
+	crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_TLS_PRF_GENERAL:
+	crv = sftk_TLSPRFInit(context, key, key_type);
+	break;
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+	if (info) PORT_Free(info);
+        PORT_Free(context);
+	sftk_FreeSession(session);
+	return crv;
+    }
+    sftk_SetContextByType(session, SFTK_VERIFY, context);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    CK_RV crv, crv2;
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    /* multi part Verifying are completely implemented by VerifyUpdate and
+     * VerifyFinal */
+    if (context->multi) {
+	sftk_FreeSession(session);
+	crv = NSC_VerifyUpdate(hSession, pData, ulDataLen);
+	crv2 = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen);
+	return crv == CKR_OK ? crv2 :crv;
+    }
+
+    rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen,
+							 pData, ulDataLen);
+    sftk_FreeContext(context);
+    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
+    sftk_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
+
+}
+
+
+/* NSC_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+						CK_ULONG ulPartLen)
+{
+    CHECK_FORK();
+
+    return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
+}
+
+
+/* NSC_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
+			CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int digestLen;
+    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (context->hashInfo) {
+        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+	rv = (*context->verify)(context->cipherInfo, pSignature, 
+					ulSignatureLen, tmpbuf, digestLen);
+    } else {
+	if (context->padDataLength) {
+	    /* fill out rest of pad buffer with pad magic*/
+	    int i;
+	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
+		context->padBuf[i] = 0;
+	    }
+	    rv = (*context->update)(context->cipherInfo,context->macBuf, 
+		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+	}
+	if (rv == SECSuccess) {
+	    rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0)
+				 ? SECSuccess : SECFailure;
+	}
+    }
+
+    sftk_FreeContext(context);
+    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
+    sftk_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
+
+}
+
+/*
+ ************** Crypto Functions:     Verify  Recover ************************
+ */
+
+/* NSC_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
+{
+    SFTKSession *session;
+    SFTKObject *key;
+    SFTKSessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPublicKey *pubKey;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = sftk_InitGeneric(session,&context,SFTK_VERIFY_RECOVER,
+			&key,hKey,&key_type,CKO_PUBLIC_KEY,CKA_VERIFY_RECOVER);
+    if (crv != CKR_OK) {
+	sftk_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_TRUE;
+
+    switch(pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
+	if (pubKey == NULL) {
+	    break;
+	}
+	context->cipherInfo = pubKey;
+	context->update = (SFTKCipher) (pMechanism->mechanism == CKM_RSA_X_509
+			? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
+	context->destroy = sftk_Null;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_Free(context);
+	sftk_FreeSession(session);
+	return crv;
+    }
+    sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, context);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen,
+    				CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)
+{
+    SFTKSession *session;
+    SFTKSessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulDataLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY_RECOVER,
+							PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+    if (pData == NULL) {
+	/* to return the actual size, we need  to do the decrypt, just return
+	 * the max size, which is the size of the input signature. */
+	*pulDataLen = ulSignatureLen;
+	rv = SECSuccess;
+	goto finish;
+    }
+
+    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
+						pSignature, ulSignatureLen);
+    *pulDataLen = (CK_ULONG) outlen;
+
+    sftk_FreeContext(context);
+    sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, NULL);
+finish:
+    sftk_FreeSession(session);
+    return (rv == SECSuccess)  ? CKR_OK : CKR_SIGNATURE_INVALID;
+}
+
+/*
+ **************************** Random Functions:  ************************
+ */
+
+/* NSC_SeedRandom mixes additional seed material into the token's random number 
+ * generator. */
+CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+    CK_ULONG ulSeedLen) 
+{
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    rv = RNG_RandomUpdate(pSeed, ulSeedLen);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_GenerateRandom generates random data. */
+CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR	pRandomData, CK_ULONG ulRandomLen)
+{
+    SECStatus rv;
+
+    CHECK_FORK();
+
+    rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ **************************** Key Functions:  ************************
+ */
+
+
+/*
+ * generate a password based encryption key. This code uses
+ * PKCS5 to do the work.
+ */
+static CK_RV
+nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
+			void *buf, CK_ULONG *key_length, PRBool faulty3DES)
+{
+    SECItem *pbe_key = NULL, iv, pwitem;
+    CK_PBE_PARAMS *pbe_params = NULL;
+    CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+
+    *key_length = 0;
+    iv.data = NULL; iv.len = 0;
+
+    if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+	pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+	pwitem.data = (unsigned char *)pbkd2_params->pPassword;
+	/* was this a typo in the PKCS #11 spec? */
+	pwitem.len = *pbkd2_params->ulPasswordLen;
+    } else {
+	pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+	pwitem.data = (unsigned char *)pbe_params->pPassword;
+	pwitem.len = pbe_params->ulPasswordLen;
+    }
+    pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
+    if (pbe_key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
+    *key_length = pbe_key->len;
+    SECITEM_ZfreeItem(pbe_key, PR_TRUE);
+    pbe_key = NULL;
+
+    if (iv.data) {
+        if (pbe_params && pbe_params->pInitVector != NULL) {
+	    PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
+        }
+        PORT_Free(iv.data);
+    }
+
+    return CKR_OK;
+}
+static CK_RV
+nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
+{
+    SFTKAttribute *attribute;
+    CK_ULONG counter;
+    unsigned int seedBits = 0;
+    unsigned int primeBits;
+    unsigned int j;
+    CK_RV crv = CKR_OK;
+    PQGParams *params = NULL;
+    PQGVerify *vfy = NULL;
+    SECStatus rv;
+
+    attribute = sftk_FindAttribute(key, CKA_PRIME_BITS);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+    j = PQG_PBITS_TO_INDEX(primeBits);
+    if (j == (unsigned int)-1) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    attribute = sftk_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
+    if (attribute != NULL) {
+	seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+	sftk_FreeAttribute(attribute);
+    }
+
+    sftk_DeleteAttributeType(key,CKA_PRIME_BITS);
+    sftk_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
+
+    if (seedBits == 0) {
+	rv = PQG_ParamGen(j, &params, &vfy);
+    } else {
+	rv = PQG_ParamGenSeedLen(j,seedBits/8, &params, &vfy);
+    }
+
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	    sftk_fatalError = PR_TRUE;
+	}
+	return CKR_DEVICE_ERROR;
+    }
+    crv = sftk_AddAttributeType(key,CKA_PRIME,
+				 params->prime.data, params->prime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = sftk_AddAttributeType(key,CKA_SUBPRIME,
+				 params->subPrime.data, params->subPrime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = sftk_AddAttributeType(key,CKA_BASE,
+				 params->base.data, params->base.len);
+    if (crv != CKR_OK) goto loser;
+    counter = vfy->counter;
+    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER,
+				 &counter, sizeof(counter));
+    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED,
+				 vfy->seed.data, vfy->seed.len);
+    if (crv != CKR_OK) goto loser;
+    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_H,
+				 vfy->h.data, vfy->h.len);
+    if (crv != CKR_OK) goto loser;
+
+loser:
+    if (params) {
+	PQG_DestroyParams(params);
+    }
+    if (vfy) {
+	PQG_DestroyVerify(vfy);
+    }
+    return crv;
+}
+
+
+static CK_RV
+nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
+							CK_ULONG *key_length)
+{
+    CK_RV crv = CKR_OK;
+
+    switch (mechanism) {
+    case CKM_RC2_KEY_GEN:
+	*key_type = CKK_RC2;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_KEY_GEN:
+	*key_type = CKK_RC5;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+#endif
+    case CKM_RC4_KEY_GEN:
+	*key_type = CKK_RC4;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    case CKM_GENERIC_SECRET_KEY_GEN:
+	*key_type = CKK_GENERIC_SECRET;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    case CKM_CDMF_KEY_GEN:
+	*key_type = CKK_CDMF;
+	*key_length = 8;
+	break;
+    case CKM_DES_KEY_GEN:
+	*key_type = CKK_DES;
+	*key_length = 8;
+	break;
+    case CKM_DES2_KEY_GEN:
+	*key_type = CKK_DES2;
+	*key_length = 16;
+	break;
+    case CKM_DES3_KEY_GEN:
+	*key_type = CKK_DES3;
+	*key_length = 24;
+	break;
+    case CKM_CAMELLIA_KEY_GEN:
+	*key_type = CKK_CAMELLIA;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    case CKM_AES_KEY_GEN:
+	*key_type = CKK_AES;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    default:
+	PORT_Assert(0);
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    return crv;
+}
+
+CK_RV
+nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
+{
+    SECItem  salt;
+    CK_PBE_PARAMS *pbe_params = NULL;
+    NSSPKCS5PBEParameter *params;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    *pbe = NULL;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    params = (NSSPKCS5PBEParameter *) PORT_ArenaZAlloc(arena,
+				sizeof(NSSPKCS5PBEParameter));
+    if (params == NULL) {
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+
+    params->poolp = arena;
+    params->ivLen = 0;
+    params->pbeType = NSSPKCS5_PKCS12_V2;
+    params->hashType = HASH_AlgSHA1;
+    params->encAlg = SEC_OID_SHA1; /* any invalid value */
+    params->is2KeyDES = PR_FALSE;
+    params->keyID = pbeBitGenIntegrityKey;
+    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+    params->iter = pbe_params->ulIteration;
+
+    salt.data = (unsigned char *)pbe_params->pSalt;
+    salt.len = (unsigned int)pbe_params->ulSaltLen;
+    rv = SECITEM_CopyItem(arena,&params->salt,&salt);
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+    switch (pMechanism->mechanism) {
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+	params->hashType = HASH_AlgSHA1; 
+	params->keyLen = 20;
+	break;
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+	params->hashType = HASH_AlgMD5; 
+	params->keyLen = 16;
+	break;
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+	params->hashType = HASH_AlgMD2; 
+	params->keyLen = 16;
+	break;
+    default:
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_MECHANISM_INVALID;
+    }
+    *pbe = params;
+    return CKR_OK;
+}
+
+/* maybe this should be table driven? */
+static CK_RV
+nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter  **pbe,
+				CK_KEY_TYPE *key_type, CK_ULONG *key_length)
+{
+    CK_RV crv = CKR_OK;
+    SECOidData *oid;
+    CK_PBE_PARAMS *pbe_params = NULL;
+    NSSPKCS5PBEParameter *params = NULL;
+    CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+    SECItem salt;
+    CK_ULONG iteration = 0;
+
+    *pbe = NULL;
+
+    oid = SECOID_FindOIDByMechanism(pMechanism->mechanism);
+    if (oid == NULL) {
+	return CKR_MECHANISM_INVALID;
+    }
+
+    if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+	pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+	if (pbkd2_params->saltSource != CKZ_SALT_SPECIFIED) {
+	    return CKR_MECHANISM_PARAM_INVALID;
+	}
+	salt.data = (unsigned char *)pbkd2_params->pSaltSourceData;
+	salt.len = (unsigned int)pbkd2_params->ulSaltSourceDataLen;
+	iteration = pbkd2_params->iterations;
+    } else {
+	pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+	salt.data = (unsigned char *)pbe_params->pSalt;
+	salt.len = (unsigned int)pbe_params->ulSaltLen;
+	iteration = pbe_params->ulIteration;
+    }
+    params=nsspkcs5_NewParam(oid->offset, &salt, iteration);
+    if (params == NULL) {
+	return CKR_MECHANISM_INVALID;
+    }
+
+    switch (params->encAlg) {
+    case SEC_OID_DES_CBC:
+	*key_type = CKK_DES;
+	*key_length = params->keyLen;
+	break;
+    case SEC_OID_DES_EDE3_CBC:
+	*key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
+	*key_length = params->keyLen;
+	break;
+    case SEC_OID_RC2_CBC:
+	*key_type = CKK_RC2;
+	*key_length = params->keyLen;
+	break;
+    case SEC_OID_RC4:
+	*key_type = CKK_RC4;
+	*key_length = params->keyLen;
+	break;
+    case SEC_OID_PKCS5_PBKDF2:
+	/* sigh, PKCS #11 currently only defines SHA1 for the KDF hash type. 
+	 * we do the check here because this where we would handle multiple
+	 * hash types in the future */
+	if (pbkd2_params == NULL || 
+		pbkd2_params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	/* key type must already be set */
+	if (*key_type == CKK_INVALID_KEY_TYPE) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+	/* PBKDF2 needs to calculate the key length from the other parameters
+	 */
+	if (*key_length == 0) {
+	    *key_length = sftk_MapKeySize(*key_type);
+	}
+	if (*key_length == 0) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+	params->keyLen = *key_length;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	nsspkcs5_DestroyPBEParameter(params);
+	break;
+    }
+    if (crv == CKR_OK) {
+    	*pbe = params;
+    }
+    return crv;
+}
+
+/* NSC_GenerateKey generates a secret key, creating a new key object. */
+CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
+    						CK_OBJECT_HANDLE_PTR phKey)
+{
+    SFTKObject *key;
+    SFTKSession *session;
+    PRBool checkWeak = PR_FALSE;
+    CK_ULONG key_length = 0;
+    CK_KEY_TYPE key_type = CKK_INVALID_KEY_TYPE;
+    CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
+    CK_RV crv = CKR_OK;
+    CK_BBOOL cktrue = CK_TRUE;
+    int i;
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    unsigned char buf[MAX_KEY_LEN];
+    enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type;
+    NSSPKCS5PBEParameter *pbe_param;
+    SSL3RSAPreMasterSecret *rsa_pms;
+    CK_VERSION *version;
+    /* in very old versions of NSS, there were implementation errors with key 
+     * generation methods.  We want to beable to read these, but not 
+     * produce them any more.  The affected algorithm was 3DES.
+     */
+    PRBool faultyPBE3DES = PR_FALSE;
+
+    CHECK_FORK();
+
+    if (!slot) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    key = sftk_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+	/* some algorithms need keytype specified */
+	if (pTemplate[i].type == CKA_KEY_TYPE) {
+	    key_type = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+    if (crv != CKR_OK) {
+	sftk_FreeObject(key);
+	return crv;
+    }
+
+    /* make sure we don't have any class, key_type, or value fields */
+    sftk_DeleteAttributeType(key,CKA_CLASS);
+    sftk_DeleteAttributeType(key,CKA_KEY_TYPE);
+    sftk_DeleteAttributeType(key,CKA_VALUE);
+
+    /* Now Set up the parameters to generate the key (based on mechanism) */
+    key_gen_type = nsc_bulk; /* bulk key by default */
+    switch (pMechanism->mechanism) {
+    case CKM_CDMF_KEY_GEN:
+    case CKM_DES_KEY_GEN:
+    case CKM_DES2_KEY_GEN:
+    case CKM_DES3_KEY_GEN:
+	checkWeak = PR_TRUE;
+    case CKM_RC2_KEY_GEN:
+    case CKM_RC4_KEY_GEN:
+    case CKM_GENERIC_SECRET_KEY_GEN:
+    case CKM_CAMELLIA_KEY_GEN:
+    case CKM_AES_KEY_GEN:
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_KEY_GEN:
+#endif
+	crv = nsc_SetupBulkKeyGen(pMechanism->mechanism,&key_type,&key_length);
+	break;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+	key_type = CKK_GENERIC_SECRET;
+	key_length = 48;
+	key_gen_type = nsc_ssl;
+	break;
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+	key_gen_type = nsc_pbe;
+	key_type = CKK_GENERIC_SECRET;
+	crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
+	break;
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+	faultyPBE3DES = PR_TRUE;
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC4_128:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PKCS5_PBKD2:
+	key_gen_type = nsc_pbe;
+	crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type, &key_length);
+	break;
+    case CKM_DSA_PARAMETER_GEN:
+	key_gen_type = nsc_param;
+	key_type = CKK_DSA;
+	objclass = CKO_KG_PARAMETERS;
+	crv = CKR_OK;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    /* make sure we aren't going to overflow the buffer */
+    if (sizeof(buf) < key_length) {
+	/* someone is getting pretty optimistic about how big their key can
+	 * be... */
+        crv = CKR_TEMPLATE_INCONSISTENT;
+    }
+
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+
+    /* if there was no error,
+     * key_type *MUST* be set in the switch statement above */
+    PORT_Assert( key_type != CKK_INVALID_KEY_TYPE );
+
+    /*
+     * now to the actual key gen.
+     */
+    switch (key_gen_type) {
+    case nsc_pbe:
+	crv = nsc_pbe_key_gen(pbe_param, pMechanism, buf, &key_length,
+			       faultyPBE3DES);
+	nsspkcs5_DestroyPBEParameter(pbe_param);
+	break;
+    case nsc_ssl:
+	rsa_pms = (SSL3RSAPreMasterSecret *)buf;
+	version = (CK_VERSION *)pMechanism->pParameter;
+	rsa_pms->client_version[0] = version->major;
+        rsa_pms->client_version[1] = version->minor;
+        crv = 
+	    NSC_GenerateRandom(0,&rsa_pms->random[0], sizeof(rsa_pms->random));
+	break;
+    case nsc_bulk:
+	/* get the key, check for weak keys and repeat if found */
+	do {
+            crv = NSC_GenerateRandom(0, buf, key_length);
+	} while (crv == CKR_OK && checkWeak && sftk_IsWeakKey(buf,key_type));
+	break;
+    case nsc_param:
+	/* generate parameters */
+	*buf = 0;
+	crv = nsc_parameter_gen(key_type,key);
+	break;
+    }
+
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+
+    /* Add the class, key_type, and value */
+    crv = sftk_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+    crv = sftk_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+    if (key_length != 0) {
+	crv = sftk_AddAttributeType(key,CKA_VALUE,buf,key_length);
+	if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+    }
+
+    /* get the session */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	sftk_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle the base object stuff
+     */
+    crv = sftk_handleObject(key,session);
+    sftk_FreeSession(session);
+    if (sftk_isTrue(key,CKA_SENSITIVE)) {
+	sftk_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!sftk_isTrue(key,CKA_EXTRACTABLE)) {
+	sftk_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
+    }
+
+    *phKey = key->handle;
+    sftk_FreeObject(key);
+    return crv;
+}
+
+#define PAIRWISE_DIGEST_LENGTH			SHA1_LENGTH /* 160-bits */
+#define PAIRWISE_MESSAGE_LENGTH			20          /* 160-bits */
+
+/*
+ * FIPS 140-2 pairwise consistency check utilized to validate key pair.
+ *
+ * This function returns
+ *   CKR_OK               if pairwise consistency check passed
+ *   CKR_GENERAL_ERROR    if pairwise consistency check failed
+ *   other error codes    if paiswise consistency check could not be
+ *                        performed, for example, CKR_HOST_MEMORY.
+ */
+static CK_RV
+sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
+    SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType)
+{
+    /*
+     *                      Key type    Mechanism type
+     *                      --------------------------------
+     * For encrypt/decrypt: CKK_RSA  => CKM_RSA_PKCS
+     *                      others   => CKM_INVALID_MECHANISM
+     *
+     * For sign/verify:     CKK_RSA  => CKM_RSA_PKCS
+     *                      CKK_DSA  => CKM_DSA
+     *                      CKK_EC   => CKM_ECDSA
+     *                      others   => CKM_INVALID_MECHANISM
+     *
+     * None of these mechanisms has a parameter.
+     */
+    CK_MECHANISM mech = {0, NULL, 0};
+
+    CK_ULONG modulusLen;
+    PRBool isEncryptable = PR_FALSE;
+    PRBool canSignVerify = PR_FALSE;
+    PRBool isDerivable = PR_FALSE;
+    CK_RV crv;
+
+    /* Variables used for Encrypt/Decrypt functions. */
+    unsigned char *known_message = (unsigned char *)"Known Crypto Message";
+    unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
+    CK_ULONG bytes_decrypted;
+    unsigned char *ciphertext;
+    unsigned char *text_compared;
+    CK_ULONG bytes_encrypted;
+    CK_ULONG bytes_compared;
+
+    /* Variables used for Signature/Verification functions. */
+    /* always uses SHA-1 digest */
+    unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
+    unsigned char *signature;
+    CK_ULONG signature_length;
+
+    if (keyType == CKK_RSA) {
+	SFTKAttribute *attribute;
+
+	/* Get modulus length of private key. */
+	attribute = sftk_FindAttribute(privateKey, CKA_MODULUS);
+	if (attribute == NULL) {
+	    return CKR_DEVICE_ERROR;
+	}
+	modulusLen = attribute->attrib.ulValueLen;
+	if (*(unsigned char *)attribute->attrib.pValue == 0) {
+	    modulusLen--;
+	}
+	sftk_FreeAttribute(attribute);
+    }
+
+    /**************************************************/
+    /* Pairwise Consistency Check of Encrypt/Decrypt. */
+    /**************************************************/
+
+    isEncryptable = sftk_isTrue(privateKey, CKA_DECRYPT); 
+
+    /*
+     * If the decryption attribute is set, attempt to encrypt
+     * with the public key and decrypt with the private key.
+     */
+    if (isEncryptable) {
+	if (keyType != CKK_RSA) {
+	    return CKR_DEVICE_ERROR;
+	}
+	bytes_encrypted = modulusLen;
+	mech.mechanism = CKM_RSA_PKCS;
+
+	/* Allocate space for ciphertext. */
+	ciphertext = (unsigned char *) PORT_ZAlloc(bytes_encrypted);
+	if (ciphertext == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+
+	/* Prepare for encryption using the public key. */
+	crv = NSC_EncryptInit(hSession, &mech, publicKey->handle);
+	if (crv != CKR_OK) {
+	    PORT_Free(ciphertext);
+	    return crv;
+	}
+
+	/* Encrypt using the public key. */
+	crv = NSC_Encrypt(hSession,
+			  known_message,
+			  PAIRWISE_MESSAGE_LENGTH,
+			  ciphertext,
+			  &bytes_encrypted);
+	if (crv != CKR_OK) {
+	    PORT_Free(ciphertext);
+	    return crv;
+	}
+
+	/* Always use the smaller of these two values . . . */
+	bytes_compared = PR_MIN(bytes_encrypted, PAIRWISE_MESSAGE_LENGTH);
+
+	/*
+	 * If there was a failure, the plaintext
+	 * goes at the end, therefore . . .
+	 */
+	text_compared = ciphertext + bytes_encrypted - bytes_compared;
+
+	/*
+	 * Check to ensure that ciphertext does
+	 * NOT EQUAL known input message text
+	 * per FIPS PUB 140-2 directive.
+	 */
+	if (PORT_Memcmp(text_compared, known_message,
+			bytes_compared) == 0) {
+	    /* Set error to Invalid PRIVATE Key. */
+	    PORT_SetError(SEC_ERROR_INVALID_KEY);
+	    PORT_Free(ciphertext);
+	    return CKR_GENERAL_ERROR;
+	}
+
+	/* Prepare for decryption using the private key. */
+	crv = NSC_DecryptInit(hSession, &mech, privateKey->handle);
+	if (crv != CKR_OK) {
+	    PORT_Free(ciphertext);
+	    return crv;
+	}
+
+	memset(plaintext, 0, PAIRWISE_MESSAGE_LENGTH);
+
+	/*
+	 * Initialize bytes decrypted to be the
+	 * expected PAIRWISE_MESSAGE_LENGTH.
+	 */
+	bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
+
+	/*
+	 * Decrypt using the private key.
+	 * NOTE:  No need to reset the
+	 *        value of bytes_encrypted.
+	 */
+	crv = NSC_Decrypt(hSession,
+			  ciphertext,
+			  bytes_encrypted,
+			  plaintext,
+			  &bytes_decrypted);
+
+	/* Finished with ciphertext; free it. */
+	PORT_Free(ciphertext);
+
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+
+	/*
+	 * Check to ensure that the output plaintext
+	 * does EQUAL known input message text.
+	 */
+	if ((bytes_decrypted != PAIRWISE_MESSAGE_LENGTH) ||
+	    (PORT_Memcmp(plaintext, known_message,
+			 PAIRWISE_MESSAGE_LENGTH) != 0)) {
+	    /* Set error to Bad PUBLIC Key. */
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	    return CKR_GENERAL_ERROR;
+	}
+    }
+
+    /**********************************************/
+    /* Pairwise Consistency Check of Sign/Verify. */
+    /**********************************************/
+
+    canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
+    
+    if (canSignVerify) {
+	/* Determine length of signature. */
+	switch (keyType) {
+	case CKK_RSA:
+	    signature_length = modulusLen;
+	    mech.mechanism = CKM_RSA_PKCS;
+	    break;
+	case CKK_DSA:
+	    signature_length = DSA_SIGNATURE_LEN;
+	    mech.mechanism = CKM_DSA;
+	    break;
+#ifdef NSS_ENABLE_ECC
+	case CKK_EC:
+	    signature_length = MAX_ECKEY_LEN * 2;
+	    mech.mechanism = CKM_ECDSA;
+	    break;
+#endif
+	default:
+	    return CKR_DEVICE_ERROR;
+	}
+	
+	/* Allocate space for signature data. */
+	signature = (unsigned char *) PORT_ZAlloc(signature_length);
+	if (signature == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	
+	/* Sign the known hash using the private key. */
+	crv = NSC_SignInit(hSession, &mech, privateKey->handle);
+	if (crv != CKR_OK) {
+	    PORT_Free(signature);
+	    return crv;
+	}
+
+	crv = NSC_Sign(hSession,
+		       known_digest,
+		       PAIRWISE_DIGEST_LENGTH,
+		       signature,
+		       &signature_length);
+	if (crv != CKR_OK) {
+	    PORT_Free(signature);
+	    return crv;
+	}
+	
+	/* Verify the known hash using the public key. */
+	crv = NSC_VerifyInit(hSession, &mech, publicKey->handle);
+	if (crv != CKR_OK) {
+	    PORT_Free(signature);
+	    return crv;
+	}
+
+	crv = NSC_Verify(hSession,
+			 known_digest,
+			 PAIRWISE_DIGEST_LENGTH,
+			 signature,
+			 signature_length);
+
+	/* Free signature data. */
+	PORT_Free(signature);
+
+	if ((crv == CKR_SIGNATURE_LEN_RANGE) ||
+		(crv == CKR_SIGNATURE_INVALID)) {
+	    return CKR_GENERAL_ERROR;
+	}
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+    }
+
+    /**********************************************/
+    /* Pairwise Consistency Check for Derivation  */
+    /**********************************************/
+
+    isDerivable = sftk_isTrue(privateKey, CKA_DERIVE);
+    
+    if (isDerivable) {
+	/* 
+	 * We are not doing consistency check for Diffie-Hellman Key - 
+	 * otherwise it would be here
+	 * This is also true for Elliptic Curve Diffie-Hellman keys
+	 * NOTE: EC keys are currently subjected to pairwise
+	 * consistency check for signing/verification.
+	 */
+	/*
+	 * FIPS 140-2 had the following pairwise consistency test for
+	 * public and private keys used for key agreement:
+	 *   If the keys are used to perform key agreement, then the
+	 *   cryptographic module shall create a second, compatible
+	 *   key pair.  The cryptographic module shall perform both
+	 *   sides of the key agreement algorithm and shall compare
+	 *   the resulting shared values.  If the shared values are
+	 *   not equal, the test shall fail.
+	 * This test was removed in Change Notice 3.
+	 */
+
+    }
+
+    return CKR_OK;
+}
+
+/* NSC_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+    					CK_OBJECT_HANDLE_PTR phPrivateKey)
+{
+    SFTKObject *	publicKey,*privateKey;
+    SFTKSession *	session;
+    CK_KEY_TYPE 	key_type;
+    CK_RV 		crv 	= CKR_OK;
+    CK_BBOOL 		cktrue 	= CK_TRUE;
+    SECStatus 		rv;
+    CK_OBJECT_CLASS 	pubClass = CKO_PUBLIC_KEY;
+    CK_OBJECT_CLASS 	privClass = CKO_PRIVATE_KEY;
+    int 		i;
+    SFTKSlot *		slot 	= sftk_SlotFromSessionHandle(hSession);
+    unsigned int bitSize;
+
+    /* RSA */
+    int 		public_modulus_bits = 0;
+    SECItem 		pubExp;
+    RSAPrivateKey *	rsaPriv;
+
+    /* DSA */
+    PQGParams 		pqgParam;
+    DHParams  		dhParam;
+    DSAPrivateKey *	dsaPriv;
+
+    /* Diffie Hellman */
+    int 		private_value_bits = 0;
+    DHPrivateKey *	dhPriv;
+
+#ifdef NSS_ENABLE_ECC
+    /* Elliptic Curve Cryptography */
+    SECItem  		ecEncodedParams;  /* DER Encoded parameters */
+    ECPrivateKey *	ecPriv;
+    ECParams *          ecParams;
+#endif /* NSS_ENABLE_ECC */
+
+    CHECK_FORK();
+
+    if (!slot) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    publicKey = sftk_NewObject(slot); /* fill in the handle later */
+    if (publicKey == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the publicKey
+     */
+    for (i=0; i < (int) ulPublicKeyAttributeCount; i++) {
+	if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) {
+	    public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = sftk_AddAttributeType(publicKey,
+				    sftk_attr_expand(&pPublicKeyTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+
+    if (crv != CKR_OK) {
+	sftk_FreeObject(publicKey);
+	return CKR_HOST_MEMORY;
+    }
+
+    privateKey = sftk_NewObject(slot); /* fill in the handle later */
+    if (privateKey == NULL) {
+	sftk_FreeObject(publicKey);
+	return CKR_HOST_MEMORY;
+    }
+    /*
+     * now load the private key template
+     */
+    for (i=0; i < (int) ulPrivateKeyAttributeCount; i++) {
+	if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
+	    private_value_bits = *(CK_ULONG *)pPrivateKeyTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = sftk_AddAttributeType(privateKey,
+				    sftk_attr_expand(&pPrivateKeyTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+
+    if (crv != CKR_OK) {
+	sftk_FreeObject(publicKey);
+	sftk_FreeObject(privateKey);
+	return CKR_HOST_MEMORY;
+    }
+    sftk_DeleteAttributeType(privateKey,CKA_CLASS);
+    sftk_DeleteAttributeType(privateKey,CKA_KEY_TYPE);
+    sftk_DeleteAttributeType(privateKey,CKA_VALUE);
+    sftk_DeleteAttributeType(publicKey,CKA_CLASS);
+    sftk_DeleteAttributeType(publicKey,CKA_KEY_TYPE);
+    sftk_DeleteAttributeType(publicKey,CKA_VALUE);
+
+    /* Now Set up the parameters to generate the key (based on mechanism) */
+    switch (pMechanism->mechanism) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	/* format the keys */
+    	sftk_DeleteAttributeType(publicKey,CKA_MODULUS);
+    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+    	sftk_DeleteAttributeType(privateKey,CKA_MODULUS);
+    	sftk_DeleteAttributeType(privateKey,CKA_PRIVATE_EXPONENT);
+    	sftk_DeleteAttributeType(privateKey,CKA_PUBLIC_EXPONENT);
+    	sftk_DeleteAttributeType(privateKey,CKA_PRIME_1);
+    	sftk_DeleteAttributeType(privateKey,CKA_PRIME_2);
+    	sftk_DeleteAttributeType(privateKey,CKA_EXPONENT_1);
+    	sftk_DeleteAttributeType(privateKey,CKA_EXPONENT_2);
+    	sftk_DeleteAttributeType(privateKey,CKA_COEFFICIENT);
+	key_type = CKK_RSA;
+	if (public_modulus_bits == 0) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+	if (public_modulus_bits < RSA_MIN_MODULUS_BITS) {
+	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	    break;
+	}
+	if (public_modulus_bits % 2 != 0) {
+	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	    break;
+	}
+
+	/* extract the exponent */
+	crv=sftk_Attribute2SSecItem(NULL,&pubExp,publicKey,CKA_PUBLIC_EXPONENT);
+	if (crv != CKR_OK) break;
+        bitSize = sftk_GetLengthInBits(pubExp.data, pubExp.len);
+	if (bitSize < 2) {
+	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	    break;
+	}
+        crv = sftk_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
+				    		    sftk_item_expand(&pubExp));
+	if (crv != CKR_OK) {
+	    PORT_Free(pubExp.data);
+	    break;
+	}
+
+	rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
+	PORT_Free(pubExp.data);
+	if (rsaPriv == NULL) {
+	    if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+		sftk_fatalError = PR_TRUE;
+	    }
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+        /* now fill in the RSA dependent paramenters in the public key */
+        crv = sftk_AddAttributeType(publicKey,CKA_MODULUS,
+			   sftk_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        /* now fill in the RSA dependent paramenters in the private key */
+        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   sftk_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_MODULUS,
+			   sftk_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,
+			   sftk_item_expand(&rsaPriv->privateExponent));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_PRIME_1,
+			   sftk_item_expand(&rsaPriv->prime1));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_PRIME_2,
+			   sftk_item_expand(&rsaPriv->prime2));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_EXPONENT_1,
+			   sftk_item_expand(&rsaPriv->exponent1));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_EXPONENT_2,
+			   sftk_item_expand(&rsaPriv->exponent2));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_COEFFICIENT,
+			   sftk_item_expand(&rsaPriv->coefficient));
+kpg_done:
+	/* Should zeroize the contents first, since this func doesn't. */
+	PORT_FreeArena(rsaPriv->arena, PR_TRUE);
+	break;
+    case CKM_DSA_KEY_PAIR_GEN:
+    	sftk_DeleteAttributeType(publicKey,CKA_VALUE);
+    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+	sftk_DeleteAttributeType(privateKey,CKA_PRIME);
+	sftk_DeleteAttributeType(privateKey,CKA_SUBPRIME);
+	sftk_DeleteAttributeType(privateKey,CKA_BASE);
+	key_type = CKK_DSA;
+
+	/* extract the necessary paramters and copy them to the private key */
+	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME);
+	if (crv != CKR_OK) break;
+	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey,
+	                            CKA_SUBPRIME);
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    break;
+	}
+	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.base,publicKey,CKA_BASE);
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    break;
+	}
+        crv = sftk_AddAttributeType(privateKey,CKA_PRIME,
+				    sftk_item_expand(&pqgParam.prime));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        crv = sftk_AddAttributeType(privateKey,CKA_SUBPRIME,
+			    	    sftk_item_expand(&pqgParam.subPrime));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        crv = sftk_AddAttributeType(privateKey,CKA_BASE,
+			    	    sftk_item_expand(&pqgParam.base));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+
+        bitSize = sftk_GetLengthInBits(pqgParam.subPrime.data, 
+							pqgParam.subPrime.len);
+        if (bitSize != DSA_Q_BITS)  {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        bitSize = sftk_GetLengthInBits(pqgParam.prime.data,pqgParam.prime.len);
+        if ((bitSize <  DSA_MIN_P_BITS) || (bitSize > DSA_MAX_P_BITS)) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        bitSize = sftk_GetLengthInBits(pqgParam.base.data,pqgParam.base.len);
+        if ((bitSize <  1) || (bitSize > DSA_MAX_P_BITS)) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+	    
+	/* Generate the key */
+	rv = DSA_NewKey(&pqgParam, &dsaPriv);
+
+	PORT_Free(pqgParam.prime.data);
+	PORT_Free(pqgParam.subPrime.data);
+	PORT_Free(pqgParam.base.data);
+
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+		sftk_fatalError = PR_TRUE;
+	    }
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+
+	/* store the generated key into the attributes */
+        crv = sftk_AddAttributeType(publicKey,CKA_VALUE,
+			   sftk_item_expand(&dsaPriv->publicValue));
+	if (crv != CKR_OK) goto dsagn_done;
+
+        /* now fill in the RSA dependent paramenters in the private key */
+        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   sftk_item_expand(&dsaPriv->publicValue));
+	if (crv != CKR_OK) goto dsagn_done;
+        crv = sftk_AddAttributeType(privateKey,CKA_VALUE,
+			   sftk_item_expand(&dsaPriv->privateValue));
+
+dsagn_done:
+	/* should zeroize, since this function doesn't. */
+	PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
+	break;
+
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+	sftk_DeleteAttributeType(privateKey,CKA_PRIME);
+	sftk_DeleteAttributeType(privateKey,CKA_BASE);
+	sftk_DeleteAttributeType(privateKey,CKA_VALUE);
+    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+	key_type = CKK_DH;
+
+	/* extract the necessary parameters and copy them to private keys */
+        crv = sftk_Attribute2SSecItem(NULL, &dhParam.prime, publicKey, 
+				      CKA_PRIME);
+	if (crv != CKR_OK) break;
+	crv = sftk_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE);
+	if (crv != CKR_OK) {
+	    PORT_Free(dhParam.prime.data);
+	    break;
+	}
+	crv = sftk_AddAttributeType(privateKey, CKA_PRIME, 
+				    sftk_item_expand(&dhParam.prime));
+	if (crv != CKR_OK) {
+	    PORT_Free(dhParam.prime.data);
+	    PORT_Free(dhParam.base.data);
+	    break;
+	}
+	crv = sftk_AddAttributeType(privateKey, CKA_BASE, 
+				    sftk_item_expand(&dhParam.base));
+	if (crv != CKR_OK) {
+	    PORT_Free(dhParam.prime.data);
+	    PORT_Free(dhParam.base.data);
+	    break;
+	}
+        bitSize = sftk_GetLengthInBits(dhParam.prime.data,dhParam.prime.len);
+        if ((bitSize <  DH_MIN_P_BITS) || (bitSize > DH_MAX_P_BITS)) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    PORT_Free(dhParam.prime.data);
+	    PORT_Free(dhParam.base.data);
+	    break;
+	}
+        bitSize = sftk_GetLengthInBits(dhParam.base.data,dhParam.base.len);
+        if ((bitSize <  1) || (bitSize > DH_MAX_P_BITS)) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    PORT_Free(dhParam.prime.data);
+	    PORT_Free(dhParam.base.data);
+	    break;
+	}
+
+	rv = DH_NewKey(&dhParam, &dhPriv);
+	PORT_Free(dhParam.prime.data);
+	PORT_Free(dhParam.base.data);
+	if (rv != SECSuccess) { 
+	    if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+		sftk_fatalError = PR_TRUE;
+	    }
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+
+	crv=sftk_AddAttributeType(publicKey, CKA_VALUE, 
+				sftk_item_expand(&dhPriv->publicValue));
+	if (crv != CKR_OK) goto dhgn_done;
+
+        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   sftk_item_expand(&dhPriv->publicValue));
+	if (crv != CKR_OK) goto dhgn_done;
+
+	crv=sftk_AddAttributeType(privateKey, CKA_VALUE, 
+			      sftk_item_expand(&dhPriv->privateValue));
+
+dhgn_done:
+	/* should zeroize, since this function doesn't. */
+	PORT_FreeArena(dhPriv->arena, PR_TRUE);
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case CKM_EC_KEY_PAIR_GEN:
+	sftk_DeleteAttributeType(privateKey,CKA_EC_PARAMS);
+	sftk_DeleteAttributeType(privateKey,CKA_VALUE);
+    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+	key_type = CKK_EC;
+
+	/* extract the necessary parameters and copy them to private keys */
+	crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey, 
+				      CKA_EC_PARAMS);
+	if (crv != CKR_OK) break;
+
+	crv = sftk_AddAttributeType(privateKey, CKA_EC_PARAMS, 
+				    sftk_item_expand(&ecEncodedParams));
+	if (crv != CKR_OK) {
+	  PORT_Free(ecEncodedParams.data);
+	  break;
+	}
+
+	/* Decode ec params before calling EC_NewKey */
+	rv = EC_DecodeParams(&ecEncodedParams, &ecParams);
+	PORT_Free(ecEncodedParams.data);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+	rv = EC_NewKey(ecParams, &ecPriv);
+	PORT_FreeArena(ecParams->arena, PR_TRUE);
+	if (rv != SECSuccess) { 
+	    if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+		sftk_fatalError = PR_TRUE;
+	    }
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+
+	crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, 
+				sftk_item_expand(&ecPriv->publicValue));
+	if (crv != CKR_OK) goto ecgn_done;
+
+	crv = sftk_AddAttributeType(privateKey, CKA_VALUE, 
+			      sftk_item_expand(&ecPriv->privateValue));
+	if (crv != CKR_OK) goto ecgn_done;
+
+        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   sftk_item_expand(&ecPriv->publicValue));
+ecgn_done:
+	/* should zeroize, since this function doesn't. */
+	PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+    }
+
+    if (crv != CKR_OK) {
+	sftk_FreeObject(privateKey);
+	sftk_FreeObject(publicKey);
+	return crv;
+    }
+
+
+    /* Add the class, key_type The loop lets us check errors blow out
+     *  on errors and clean up at the bottom */
+    session = NULL; /* make pedtantic happy... session cannot leave the*/
+		    /* loop below NULL unless an error is set... */
+    do {
+	crv = sftk_AddAttributeType(privateKey,CKA_CLASS,&privClass,
+						sizeof(CK_OBJECT_CLASS));
+        if (crv != CKR_OK) break;
+	crv = sftk_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
+						sizeof(CK_OBJECT_CLASS));
+        if (crv != CKR_OK) break;
+	crv = sftk_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
+						sizeof(CK_KEY_TYPE));
+        if (crv != CKR_OK) break;
+	crv = sftk_AddAttributeType(publicKey,CKA_KEY_TYPE,&key_type,
+						sizeof(CK_KEY_TYPE));
+        if (crv != CKR_OK) break;
+        session = sftk_SessionFromHandle(hSession);
+        if (session == NULL) crv = CKR_SESSION_HANDLE_INVALID;
+    } while (0);
+
+    if (crv != CKR_OK) {
+	 sftk_FreeObject(privateKey);
+	 sftk_FreeObject(publicKey);
+	 return crv;
+    }
+
+    /*
+     * handle the base object cleanup for the public Key
+     */
+    crv = sftk_handleObject(privateKey,session);
+    if (crv != CKR_OK) {
+        sftk_FreeSession(session);
+	sftk_FreeObject(privateKey);
+	sftk_FreeObject(publicKey);
+	return crv;
+    }
+
+    /*
+     * handle the base object cleanup for the private Key
+     * If we have any problems, we destroy the public Key we've
+     * created and linked.
+     */
+    crv = sftk_handleObject(publicKey,session);
+    sftk_FreeSession(session);
+    if (crv != CKR_OK) {
+	sftk_FreeObject(publicKey);
+	NSC_DestroyObject(hSession,privateKey->handle);
+	sftk_FreeObject(privateKey);
+	return crv;
+    }
+    if (sftk_isTrue(privateKey,CKA_SENSITIVE)) {
+	sftk_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (sftk_isTrue(publicKey,CKA_SENSITIVE)) {
+	sftk_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!sftk_isTrue(privateKey,CKA_EXTRACTABLE)) {
+	sftk_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!sftk_isTrue(publicKey,CKA_EXTRACTABLE)) {
+	sftk_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+
+    /* Perform FIPS 140-2 pairwise consistency check. */
+    crv = sftk_PairwiseConsistencyCheck(hSession,
+					publicKey, privateKey, key_type);
+    if (crv != CKR_OK) {
+	NSC_DestroyObject(hSession,publicKey->handle);
+	sftk_FreeObject(publicKey);
+	NSC_DestroyObject(hSession,privateKey->handle);
+	sftk_FreeObject(privateKey);
+	if (sftk_audit_enabled) {
+	    char msg[128];
+	    PR_snprintf(msg,sizeof msg,
+			"C_GenerateKeyPair(hSession=0x%08lX, "
+			"pMechanism->mechanism=0x%08lX)=0x%08lX "
+			"self-test: pair-wise consistency test failed",
+			(PRUint32)hSession,(PRUint32)pMechanism->mechanism,
+			(PRUint32)crv);
+	    sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg);
+	}
+	return crv;
+    }
+
+    *phPrivateKey = privateKey->handle;
+    *phPublicKey = publicKey->handle;
+    sftk_FreeObject(publicKey);
+    sftk_FreeObject(privateKey);
+
+    return CKR_OK;
+}
+
+static SECItem *sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
+{
+    NSSLOWKEYPrivateKey *lk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SFTKAttribute *attribute = NULL;
+    PLArenaPool *arena = NULL;
+    SECOidTag algorithm = SEC_OID_UNKNOWN;
+    void *dummy, *param = NULL;
+    SECStatus rv = SECSuccess;
+    SECItem *encodedKey = NULL;
+#ifdef NSS_ENABLE_ECC
+    SECItem *fordebug;
+    int savelen;
+#endif
+
+    if(!key) {
+	*crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
+	return NULL;
+    }
+
+    attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
+    if(!attribute) {
+	*crvp = CKR_KEY_TYPE_INCONSISTENT;
+	return NULL;
+    }
+
+    lk = sftk_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue, crvp);
+    sftk_FreeAttribute(attribute);
+    if(!lk) {
+	return NULL;
+    }
+
+    arena = PORT_NewArena(2048); 	/* XXX different size? */
+    if(!arena) {
+	*crvp = CKR_HOST_MEMORY;
+	rv = SECFailure;
+	goto loser;
+    }
+
+    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
+					sizeof(NSSLOWKEYPrivateKeyInfo));
+    if(!pki) {
+	*crvp = CKR_HOST_MEMORY;
+	rv = SECFailure;
+	goto loser;
+    }
+    pki->arena = arena;
+
+    param = NULL;
+    switch(lk->keyType) {
+	case NSSLOWKEYRSAKey:
+	    prepare_low_rsa_priv_key_for_asn1(lk);
+	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+				       nsslowkey_RSAPrivateKeyTemplate);
+	    algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	    break;
+	case NSSLOWKEYDSAKey:
+            prepare_low_dsa_priv_key_export_for_asn1(lk);
+	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+				       nsslowkey_DSAPrivateKeyExportTemplate);
+	    prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
+	    param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
+				       nsslowkey_PQGParamsTemplate);
+	    algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
+	    break;
+#ifdef NSS_ENABLE_ECC	    
+        case NSSLOWKEYECKey:
+            prepare_low_ec_priv_key_for_asn1(lk);
+	    /* Public value is encoded as a bit string so adjust length
+	     * to be in bits before ASN encoding and readjust 
+	     * immediately after.
+	     *
+	     * Since the SECG specification recommends not including the
+	     * parameters as part of ECPrivateKey, we zero out the curveOID
+	     * length before encoding and restore it later.
+	     */
+	    lk->u.ec.publicValue.len <<= 3;
+	    savelen = lk->u.ec.ecParams.curveOID.len;
+	    lk->u.ec.ecParams.curveOID.len = 0;
+	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+				       nsslowkey_ECPrivateKeyTemplate);
+	    lk->u.ec.ecParams.curveOID.len = savelen;
+	    lk->u.ec.publicValue.len >>= 3;
+
+	    fordebug = &pki->privateKey;
+	    SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
+		      fordebug);
+
+	    param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
+
+	    algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+	    break;
+#endif /* NSS_ENABLE_ECC */
+	case NSSLOWKEYDHKey:
+	default:
+	    dummy = NULL;
+	    break;
+    }
+ 
+    if(!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
+	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, 
+			       (SECItem*)param);
+    if(rv != SECSuccess) {
+	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+	rv = SECFailure;
+	goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
+				  NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+    if(!dummy) {
+	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+	rv = SECFailure;
+	goto loser;
+    }
+
+    encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
+				    nsslowkey_PrivateKeyInfoTemplate);
+    *crvp = encodedKey ? CKR_OK : CKR_DEVICE_ERROR;
+
+#ifdef NSS_ENABLE_ECC
+    fordebug = encodedKey;
+    SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
+	      fordebug);
+#endif
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    if(lk && (lk != key->objectInfo)) {
+	nsslowkey_DestroyPrivateKey(lk);
+    }
+ 
+    if(param) {
+	SECITEM_ZfreeItem((SECItem*)param, PR_TRUE);
+    }
+
+    if(rv != SECSuccess) {
+	return NULL;
+    }
+
+    return encodedKey;
+}
+    
+/* it doesn't matter yet, since we colapse error conditions in the
+ * level above, but we really should map those few key error differences */
+static CK_RV 
+sftk_mapWrap(CK_RV crv) 
+{ 
+    switch (crv) {
+    case CKR_ENCRYPTED_DATA_INVALID:  crv = CKR_WRAPPED_KEY_INVALID; break;
+    }
+    return crv; 
+}
+
+/* NSC_WrapKey wraps (i.e., encrypts) a key. */
+CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+					 CK_ULONG_PTR pulWrappedKeyLen)
+{
+    SFTKSession *session;
+    SFTKAttribute *attribute;
+    SFTKObject *key;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+    	return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    key = sftk_ObjectFromHandle(hKey,session);
+    sftk_FreeSession(session);
+    if (key == NULL) {
+	return CKR_KEY_HANDLE_INVALID;
+    }
+
+    switch(key->objclass) {
+	case CKO_SECRET_KEY:
+	  {
+	    SFTKSessionContext *context = NULL;
+	    SECItem pText;
+
+	    attribute = sftk_FindAttribute(key,CKA_VALUE);
+
+	    if (attribute == NULL) {
+		crv = CKR_KEY_TYPE_INCONSISTENT;
+		break;
+	    }
+	    crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey, 
+					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+	    if (crv != CKR_OK) {
+		sftk_FreeAttribute(attribute);
+		break;
+	    }
+
+	    pText.type = siBuffer;
+	    pText.data = (unsigned char *)attribute->attrib.pValue;
+	    pText.len  = attribute->attrib.ulValueLen;
+
+	    /* Find out if this is a block cipher. */
+	    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,NULL);
+	    if (crv != CKR_OK || !context) 
+	        break;
+	    if (context->blockSize > 1) {
+		unsigned int remainder = pText.len % context->blockSize;
+	        if (!context->doPad && remainder) {
+		    /* When wrapping secret keys with unpadded block ciphers, 
+		    ** the keys are zero padded, if necessary, to fill out 
+		    ** a full block.
+		    */
+		    pText.len += context->blockSize - remainder;
+		    pText.data = PORT_ZAlloc(pText.len);
+		    if (pText.data)
+			memcpy(pText.data, attribute->attrib.pValue,
+			                   attribute->attrib.ulValueLen);
+		    else {
+			crv = CKR_HOST_MEMORY;
+			break;
+		    }
+		}
+	    }
+
+	    crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)pText.data, 
+		              pText.len, pWrappedKey, pulWrappedKeyLen);
+	    /* always force a finalize, both on errors and when
+	     * we are just getting the size */
+	    if (crv != CKR_OK || pWrappedKey == NULL) {
+	    	CK_RV lcrv ;
+		lcrv = sftk_GetContext(hSession,&context,
+				       SFTK_ENCRYPT,PR_FALSE,NULL);
+		sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+	    	if (lcrv == CKR_OK && context) {
+		    sftk_FreeContext(context);
+		}
+    	    }
+
+	    if (pText.data != (unsigned char *)attribute->attrib.pValue) 
+	    	PORT_ZFree(pText.data, pText.len);
+	    sftk_FreeAttribute(attribute);
+	    break;
+	  }
+
+	case CKO_PRIVATE_KEY:
+	    {
+		SECItem *bpki = sftk_PackagePrivateKey(key, &crv);
+		SFTKSessionContext *context = NULL;
+
+		if(!bpki) {
+		    break;
+		}
+
+		crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
+					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+		if(crv != CKR_OK) {
+		    SECITEM_ZfreeItem(bpki, PR_TRUE);
+		    crv = CKR_KEY_TYPE_INCONSISTENT;
+		    break;
+		}
+
+		crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
+					pWrappedKey, pulWrappedKeyLen);
+		/* always force a finalize */
+		if (crv != CKR_OK || pWrappedKey == NULL) {
+	    	    CK_RV lcrv ;
+		    lcrv = sftk_GetContext(hSession,&context,
+					   SFTK_ENCRYPT,PR_FALSE,NULL);
+		    sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+	    	    if (lcrv == CKR_OK && context)  {
+			sftk_FreeContext(context);
+		    }
+		}
+		SECITEM_ZfreeItem(bpki, PR_TRUE);
+		break;
+	    }
+
+	default:
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+    }
+    sftk_FreeObject(key);
+
+    return sftk_mapWrap(crv);
+}
+
+/*
+ * import a pprivate key info into the desired slot
+ */
+static SECStatus
+sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
+{
+    CK_BBOOL cktrue = CK_TRUE; 
+    CK_KEY_TYPE keyType = CKK_RSA;
+    SECStatus rv = SECFailure;
+    const SEC_ASN1Template *keyTemplate, *paramTemplate;
+    void *paramDest = NULL;
+    PLArenaPool *arena;
+    NSSLOWKEYPrivateKey *lpk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
+					sizeof(NSSLOWKEYPrivateKeyInfo));
+    if(!pki) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return SECFailure;
+    }
+
+    if(SEC_ASN1DecodeItem(arena, pki, nsslowkey_PrivateKeyInfoTemplate, bpki) 
+				!= SECSuccess) {
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+
+    lpk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(arena,
+						  sizeof(NSSLOWKEYPrivateKey));
+    if(lpk == NULL) {
+	goto loser;
+    }
+    lpk->arena = arena;
+
+    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = NSSLOWKEYRSAKey;
+	    prepare_low_rsa_priv_key_for_asn1(lpk);
+	    break;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	    keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
+	    paramTemplate = nsslowkey_PQGParamsTemplate;
+	    paramDest = &(lpk->u.dsa.params);
+	    lpk->keyType = NSSLOWKEYDSAKey;
+	    prepare_low_dsa_priv_key_export_for_asn1(lpk);
+	    prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
+	    break;
+	/* case NSSLOWKEYDHKey: */
+#ifdef NSS_ENABLE_ECC
+        case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+	    keyTemplate = nsslowkey_ECPrivateKeyTemplate;
+	    paramTemplate = NULL;
+	    paramDest = &(lpk->u.ec.ecParams.DEREncoding);
+	    lpk->keyType = NSSLOWKEYECKey;
+	    prepare_low_ec_priv_key_for_asn1(lpk);
+	    prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
+	    break;
+#endif /* NSS_ENABLE_ECC */
+	default:
+	    keyTemplate = NULL;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    break;
+    }
+
+    if(!keyTemplate) {
+	goto loser;
+    }
+
+    /* decode the private key and any algorithm parameters */
+    rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+
+#ifdef NSS_ENABLE_ECC
+    if (lpk->keyType == NSSLOWKEYECKey) {
+        /* convert length in bits to length in bytes */
+	lpk->u.ec.publicValue.len >>= 3;
+        rv = SECITEM_CopyItem(arena, 
+			      &(lpk->u.ec.ecParams.DEREncoding),
+	                      &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+#endif /* NSS_ENABLE_ECC */
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+    if(paramDest && paramTemplate) {
+	rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate, 
+				 &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    rv = SECFailure;
+
+    switch (lpk->keyType) {
+        case NSSLOWKEYRSAKey:
+	    keyType = CKK_RSA;
+	    if(sftk_hasAttribute(key, CKA_NETSCAPE_DB)) {
+		sftk_DeleteAttributeType(key, CKA_NETSCAPE_DB);
+	    }
+	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
+					sizeof(keyType));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_UNWRAP, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_DECRYPT, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
+				    sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_MODULUS, 
+				sftk_item_expand(&lpk->u.rsa.modulus));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_PUBLIC_EXPONENT, 
+	     			sftk_item_expand(&lpk->u.rsa.publicExponent));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_PRIVATE_EXPONENT, 
+	     			sftk_item_expand(&lpk->u.rsa.privateExponent));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_PRIME_1, 
+				sftk_item_expand(&lpk->u.rsa.prime1));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_PRIME_2, 
+	     			sftk_item_expand(&lpk->u.rsa.prime2));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_EXPONENT_1, 
+	     			sftk_item_expand(&lpk->u.rsa.exponent1));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_EXPONENT_2, 
+	     			sftk_item_expand(&lpk->u.rsa.exponent2));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_COEFFICIENT, 
+	     			sftk_item_expand(&lpk->u.rsa.coefficient));
+	    break;
+        case NSSLOWKEYDSAKey:
+	    keyType = CKK_DSA;
+	    crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
+						CKR_KEY_TYPE_INCONSISTENT;
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
+						sizeof(keyType));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
+						sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
+						sizeof(CK_BBOOL)); 
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_PRIME,    
+				    sftk_item_expand(&lpk->u.dsa.params.prime));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
+				 sftk_item_expand(&lpk->u.dsa.params.subPrime));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_BASE,  
+				    sftk_item_expand(&lpk->u.dsa.params.base));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_VALUE, 
+			sftk_item_expand(&lpk->u.dsa.privateValue));
+	    if(crv != CKR_OK) break;
+	    break;
+#ifdef notdef
+        case NSSLOWKEYDHKey:
+	    template = dhTemplate;
+	    templateCount = sizeof(dhTemplate)/sizeof(CK_ATTRIBUTE);
+	    keyType = CKK_DH;
+	    break;
+#endif
+	/* what about fortezza??? */
+#ifdef NSS_ENABLE_ECC
+        case NSSLOWKEYECKey:
+	    keyType = CKK_EC;
+	    crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
+						CKR_KEY_TYPE_INCONSISTENT;
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
+						sizeof(keyType));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
+						sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
+						sizeof(CK_BBOOL)); 
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_DERIVE, &cktrue, 
+						sizeof(CK_BBOOL)); 
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_EC_PARAMS,
+				 sftk_item_expand(&lpk->u.ec.ecParams.DEREncoding));
+	    if(crv != CKR_OK) break;
+	    crv = sftk_AddAttributeType(key, CKA_VALUE, 
+			sftk_item_expand(&lpk->u.ec.privateValue));
+	    if(crv != CKR_OK) break;
+	    /* XXX Do we need to decode the EC Params here ?? */
+	    break;
+#endif /* NSS_ENABLE_ECC */
+	default:
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+    }
+
+loser:
+    if(lpk) {
+	nsslowkey_DestroyPrivateKey(lpk);
+    }
+
+    if(crv != CKR_OK) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+						 CK_OBJECT_HANDLE_PTR phKey)
+{
+    SFTKObject *key = NULL;
+    SFTKSession *session;
+    CK_ULONG key_length = 0;
+    unsigned char * buf = NULL;
+    CK_RV crv = CKR_OK;
+    int i;
+    CK_ULONG bsize = ulWrappedKeyLen;
+    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+    SECItem bpki;
+    CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
+
+    CHECK_FORK();
+
+    if (!slot) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    key = sftk_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulAttributeCount; i++) {
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+        if (pTemplate[i].type == CKA_CLASS) {
+	    target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	}
+	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+    if (crv != CKR_OK) {
+	sftk_FreeObject(key);
+	return crv;
+    }
+
+    crv = sftk_CryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP,
+							SFTK_DECRYPT, PR_FALSE);
+    if (crv != CKR_OK) {
+	sftk_FreeObject(key);
+	return sftk_mapWrap(crv);
+    }
+
+    /* allocate the buffer to decrypt into 
+     * this assumes the unwrapped key is never larger than the
+     * wrapped key. For all the mechanisms we support this is true */
+    buf = (unsigned char *)PORT_Alloc( ulWrappedKeyLen);
+    bsize = ulWrappedKeyLen;
+
+    crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
+    if (crv != CKR_OK) {
+	sftk_FreeObject(key);
+	PORT_Free(buf);
+	return sftk_mapWrap(crv);
+    }
+
+    switch(target_type) {
+	case CKO_SECRET_KEY:
+	    if (!sftk_hasAttribute(key,CKA_KEY_TYPE)) {
+		crv = CKR_TEMPLATE_INCOMPLETE;
+		break;
+	    }
+
+	    if (key_length == 0 || key_length > bsize) {
+		key_length = bsize;
+	    }
+	    if (key_length > MAX_KEY_LEN) {
+		crv = CKR_TEMPLATE_INCONSISTENT;
+		break;
+	    }
+    
+	    /* add the value */
+	    crv = sftk_AddAttributeType(key,CKA_VALUE,buf,key_length);
+	    break;
+	case CKO_PRIVATE_KEY:
+	    bpki.data = (unsigned char *)buf;
+	    bpki.len = bsize;
+	    crv = CKR_OK;
+	    if(sftk_unwrapPrivateKey(key, &bpki) != SECSuccess) {
+		crv = CKR_TEMPLATE_INCOMPLETE;
+	    }
+	    break;
+	default:
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+    }
+
+    PORT_ZFree(buf, bsize);
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+
+    /* get the session */
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	sftk_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle the base object stuff
+     */
+    crv = sftk_handleObject(key,session);
+    *phKey = key->handle;
+    sftk_FreeSession(session);
+    sftk_FreeObject(key);
+
+    return crv;
+
+}
+
+/*
+ * The SSL key gen mechanism create's lots of keys. This function handles the
+ * details of each of these key creation.
+ */
+static CK_RV
+sftk_buildSSLKey(CK_SESSION_HANDLE hSession, SFTKObject *baseKey, 
+    PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
+						 CK_OBJECT_HANDLE *keyHandle)
+{
+    SFTKObject *key;
+    SFTKSession *session;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv = CKR_HOST_MEMORY;
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    *keyHandle = CK_INVALID_HANDLE;
+    key = sftk_NewObject(baseKey->slot); 
+    if (key == NULL) return CKR_HOST_MEMORY;
+    sftk_narrowToSessionObject(key)->wasDerived = PR_TRUE;
+
+    crv = sftk_CopyObject(key,baseKey);
+    if (crv != CKR_OK) goto loser;
+    if (isMacKey) {
+	crv = sftk_forceAttribute(key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_ENCRYPT,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_DECRYPT,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_WRAP,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = sftk_forceAttribute(key,CKA_UNWRAP,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+    }
+    crv = sftk_forceAttribute(key,CKA_VALUE,keyBlock,keySize);
+    if (crv != CKR_OK) goto loser;
+
+    /* get the session */
+    crv = CKR_HOST_MEMORY;
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) { goto loser; }
+
+    crv = sftk_handleObject(key,session);
+    sftk_FreeSession(session);
+    *keyHandle = key->handle;
+loser:
+    if (key) sftk_FreeObject(key);
+    return crv;
+}
+
+/*
+ * if there is an error, we need to free the keys we already created in SSL
+ * This is the routine that will do it..
+ */
+static void
+sftk_freeSSLKeys(CK_SESSION_HANDLE session,
+				CK_SSL3_KEY_MAT_OUT *returnedMaterial ) 
+{
+	if (returnedMaterial->hClientMacSecret != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session,returnedMaterial->hClientMacSecret);
+	}
+	if (returnedMaterial->hServerMacSecret != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
+	}
+	if (returnedMaterial->hClientKey != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hClientKey);
+	}
+	if (returnedMaterial->hServerKey != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hServerKey);
+	}
+}
+
+/*
+ * when deriving from sensitive and extractable keys, we need to preserve some
+ * of the semantics in the derived key. This helper routine maintains these
+ * semantics.
+ */
+static CK_RV
+sftk_DeriveSensitiveCheck(SFTKObject *baseKey,SFTKObject *destKey) 
+{
+    PRBool hasSensitive;
+    PRBool sensitive = PR_FALSE;
+    PRBool hasExtractable;
+    PRBool extractable = PR_TRUE;
+    CK_RV crv = CKR_OK;
+    SFTKAttribute *att;
+
+    hasSensitive = PR_FALSE;
+    att = sftk_FindAttribute(destKey,CKA_SENSITIVE);
+    if (att) {
+        hasSensitive = PR_TRUE;
+	sensitive = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
+	sftk_FreeAttribute(att);
+    }
+
+    hasExtractable = PR_FALSE;
+    att = sftk_FindAttribute(destKey,CKA_EXTRACTABLE);
+    if (att) {
+        hasExtractable = PR_TRUE;
+	extractable = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
+	sftk_FreeAttribute(att);
+    }
+
+
+    /* don't make a key more accessible */
+    if (sftk_isTrue(baseKey,CKA_SENSITIVE) && hasSensitive && 
+						(sensitive == PR_FALSE)) {
+	return CKR_KEY_FUNCTION_NOT_PERMITTED;
+    }
+    if (!sftk_isTrue(baseKey,CKA_EXTRACTABLE) && hasExtractable && 
+						(extractable == PR_TRUE)) {
+	return CKR_KEY_FUNCTION_NOT_PERMITTED;
+    }
+
+    /* inherit parent's sensitivity */
+    if (!hasSensitive) {
+        att = sftk_FindAttribute(baseKey,CKA_SENSITIVE);
+	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
+	crv = sftk_defaultAttribute(destKey,sftk_attr_expand(&att->attrib));
+	sftk_FreeAttribute(att);
+	if (crv != CKR_OK) return crv;
+    }
+    if (!hasExtractable) {
+        att = sftk_FindAttribute(baseKey,CKA_EXTRACTABLE);
+	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
+	crv = sftk_defaultAttribute(destKey,sftk_attr_expand(&att->attrib));
+	sftk_FreeAttribute(att);
+	if (crv != CKR_OK) return crv;
+    }
+
+    /* we should inherit the parent's always extractable/ never sensitive info,
+     * but handleObject always forces this attributes, so we would need to do
+     * something special. */
+    return CKR_OK;
+}
+
+/*
+ * make known fixed PKCS #11 key types to their sizes in bytes
+ */	
+unsigned long
+sftk_MapKeySize(CK_KEY_TYPE keyType) 
+{
+    switch (keyType) {
+    case CKK_CDMF:
+	return 8;
+    case CKK_DES:
+	return 8;
+    case CKK_DES2:
+	return 16;
+    case CKK_DES3:
+	return 24;
+    /* IDEA and CAST need to be added */
+    default:
+	break;
+    }
+    return 0;
+}
+
+/*
+ * SSL Key generation given pre master secret
+ */
+#define NUM_MIXERS 9
+static const char * const mixers[NUM_MIXERS] = { 
+    "A", 
+    "BB", 
+    "CCC", 
+    "DDDD", 
+    "EEEEE", 
+    "FFFFFF", 
+    "GGGGGGG",
+    "HHHHHHHH",
+    "IIIIIIIII" };
+#define SSL3_PMS_LENGTH 48
+#define SSL3_MASTER_SECRET_LENGTH 48
+#define SSL3_RANDOM_LENGTH 32
+
+
+/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
+CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession,
+	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 
+						CK_OBJECT_HANDLE_PTR phKey)
+{
+    SFTKSession *   session;
+    SFTKSlot    *   slot	= sftk_SlotFromSessionHandle(hSession);
+    SFTKObject  *   key;
+    SFTKObject  *   sourceKey;
+    SFTKAttribute * att;
+    SFTKAttribute * att2;
+    unsigned char * buf;
+    SHA1Context *   sha;
+    MD5Context *    md5;
+    MD2Context *    md2;
+    CK_ULONG        macSize;
+    CK_ULONG        tmpKeySize;
+    CK_ULONG        IVSize;
+    CK_ULONG        keySize	= 0;
+    CK_RV           crv 	= CKR_OK;
+    CK_BBOOL        cktrue	= CK_TRUE;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_OBJECT_CLASS classType	= CKO_SECRET_KEY;
+    CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+    PRBool          isTLS = PR_FALSE;
+    PRBool          isDH = PR_FALSE;
+    SECStatus       rv;
+    int             i;
+    unsigned int    outLen;
+    unsigned char   sha_out[SHA1_LENGTH];
+    unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
+    unsigned char   key_block2[MD5_LENGTH];
+    PRBool          isFIPS;		
+
+    CHECK_FORK();
+
+    if (!slot) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    if (phKey) *phKey = CK_INVALID_HANDLE;
+
+    key = sftk_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    isFIPS = (slot->slotID == FIPS_SLOT_ID);
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulAttributeCount; i++) {
+	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+
+	if (pTemplate[i].type == CKA_KEY_TYPE) {
+	    keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
+	}
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    keySize = *(CK_ULONG *)pTemplate[i].pValue;
+	}
+    }
+    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
+
+    if (keySize == 0) {
+	keySize = sftk_MapKeySize(keyType);
+    }
+
+    /* Derive can only create SECRET KEY's currently... */
+    classType = CKO_SECRET_KEY;
+    crv = sftk_forceAttribute (key,CKA_CLASS,&classType,sizeof(classType));
+    if (crv != CKR_OK) {
+	sftk_FreeObject(key);
+	return crv;
+    }
+
+    /* look up the base key we're deriving with */ 
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) {
+	sftk_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    sourceKey = sftk_ObjectFromHandle(hBaseKey,session);
+    sftk_FreeSession(session);
+    if (sourceKey == NULL) {
+	sftk_FreeObject(key);
+        return CKR_KEY_HANDLE_INVALID;
+    }
+
+    /* get the value of the base key */
+    att = sftk_FindAttribute(sourceKey,CKA_VALUE);
+    if (att == NULL) {
+	sftk_FreeObject(key);
+	sftk_FreeObject(sourceKey);
+        return CKR_KEY_HANDLE_INVALID;
+    }
+
+    switch (pMechanism->mechanism) {
+    /*
+     * generate the master secret 
+     */
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_MASTER_KEY_DERIVE_DH:
+	isTLS = PR_TRUE;
+	/* fall thru */
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+      {
+	CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
+	SSL3RSAPreMasterSecret *          rsa_pms;
+	unsigned char                     crsrdata[SSL3_RANDOM_LENGTH * 2];
+
+        if ((pMechanism->mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
+            (pMechanism->mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH))
+		isDH = PR_TRUE;
+
+	/* first do the consistancy checks */
+	if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
+	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+					CKK_GENERIC_SECRET)) {
+	    if (att2) sftk_FreeAttribute(att2);
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	sftk_FreeAttribute(att2);
+	if (keyType != CKK_GENERIC_SECRET) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+
+	/* finally do the key gen */
+	ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)
+					pMechanism->pParameter;
+
+	PORT_Memcpy(crsrdata, 
+	            ssl3_master->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH);
+	PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
+	            ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+
+	if (ssl3_master->pVersion) {
+	    SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+	    rsa_pms = (SSL3RSAPreMasterSecret *) att->attrib.pValue;
+	    /* don't leak more key material then necessary for SSL to work */
+	    if ((sessKey == NULL) || sessKey->wasDerived) {
+		ssl3_master->pVersion->major = 0xff;
+		ssl3_master->pVersion->minor = 0xff;
+	    } else {
+		ssl3_master->pVersion->major = rsa_pms->client_version[0];
+		ssl3_master->pVersion->minor = rsa_pms->client_version[1];
+	    }
+	}
+	if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) {
+	   crv = CKR_MECHANISM_PARAM_INVALID;
+	   break;
+	}
+	if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) {
+	   crv = CKR_MECHANISM_PARAM_INVALID;
+	   break;
+	}
+
+        if (isTLS) {
+	    SECStatus status;
+ 	    SECItem crsr   = { siBuffer, NULL, 0 };
+ 	    SECItem master = { siBuffer, NULL, 0 };
+ 	    SECItem pms    = { siBuffer, NULL, 0 };
+
+ 	    crsr.data   = crsrdata;
+	    crsr.len    = sizeof crsrdata;
+ 	    master.data = key_block;
+	    master.len  = SSL3_MASTER_SECRET_LENGTH;
+ 	    pms.data    = (unsigned char*)att->attrib.pValue;
+	    pms.len     =                 att->attrib.ulValueLen;
+
+	    status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS);
+	    if (status != SECSuccess) {
+	    	crv = CKR_FUNCTION_FAILED;
+		break;
+	    }
+	} else {
+	    /* now allocate the hash contexts */
+	    md5 = MD5_NewContext();
+	    if (md5 == NULL) { 
+		crv = CKR_HOST_MEMORY;
+		break;
+	    }
+	    sha = SHA1_NewContext();
+	    if (sha == NULL) { 
+		PORT_Free(md5);
+		crv = CKR_HOST_MEMORY;
+		break;
+	    }
+            for (i = 0; i < 3; i++) {
+              SHA1_Begin(sha);
+              SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
+              SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
+			  att->attrib.ulValueLen);
+              SHA1_Update(sha, crsrdata, sizeof crsrdata);
+              SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+              PORT_Assert(outLen == SHA1_LENGTH);
+
+              MD5_Begin(md5);
+              MD5_Update(md5, (const unsigned char*)att->attrib.pValue, 
+			 att->attrib.ulValueLen);
+              MD5_Update(md5, sha_out, outLen);
+              MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
+              PORT_Assert(outLen == MD5_LENGTH);
+            }
+	    PORT_Free(md5);
+	    PORT_Free(sha);
+	}
+
+	/* store the results */
+	crv = sftk_forceAttribute
+			(key,CKA_VALUE,key_block,SSL3_MASTER_SECRET_LENGTH);
+	if (crv != CKR_OK) break;
+	keyType = CKK_GENERIC_SECRET;
+	crv = sftk_forceAttribute (key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
+	if (isTLS) {
+	    /* TLS's master secret is used to "sign" finished msgs with PRF. */
+	    /* XXX This seems like a hack.   But SFTK_Derive only accepts 
+	     * one "operation" argument. */
+	    crv = sftk_forceAttribute(key,CKA_SIGN,  &cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	    crv = sftk_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	    /* While we're here, we might as well force this, too. */
+	    crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	}
+	break;
+      }
+
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	isTLS = PR_TRUE;
+	/* fall thru */
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+      {
+	CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
+	CK_SSL3_KEY_MAT_OUT *   ssl3_keys_out;
+	CK_ULONG                effKeySize;
+	unsigned int            block_needed;
+	unsigned char           srcrdata[SSL3_RANDOM_LENGTH * 2];
+	unsigned char           crsrdata[SSL3_RANDOM_LENGTH * 2];
+
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
+	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+					CKK_GENERIC_SECRET)) {
+	    if (att2) sftk_FreeAttribute(att2);
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	sftk_FreeAttribute(att2);
+	md5 = MD5_NewContext();
+	if (md5 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	sha = SHA1_NewContext();
+	if (sha == NULL) { 
+	    PORT_Free(md5);
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *) pMechanism->pParameter;
+
+	PORT_Memcpy(srcrdata, 
+	            ssl3_keys->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+	PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, 
+		    ssl3_keys->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH);
+
+	PORT_Memcpy(crsrdata, 
+		    ssl3_keys->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH);
+	PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
+		    ssl3_keys->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+
+	/*
+	 * clear out our returned keys so we can recover on failure
+	 */
+	ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial;
+	ssl3_keys_out->hClientMacSecret = CK_INVALID_HANDLE;
+	ssl3_keys_out->hServerMacSecret = CK_INVALID_HANDLE;
+	ssl3_keys_out->hClientKey       = CK_INVALID_HANDLE;
+	ssl3_keys_out->hServerKey       = CK_INVALID_HANDLE;
+
+	/*
+	 * How much key material do we need?
+	 */
+	macSize    = ssl3_keys->ulMacSizeInBits/8;
+	effKeySize = ssl3_keys->ulKeySizeInBits/8;
+	IVSize     = ssl3_keys->ulIVSizeInBits/8;
+	if (keySize == 0) {
+	    effKeySize = keySize;
+	}
+	block_needed = 2 * (macSize + effKeySize + 
+	                    ((!ssl3_keys->bIsExport) * IVSize));
+	PORT_Assert(block_needed <= sizeof key_block);
+	if (block_needed > sizeof key_block)
+	    block_needed = sizeof key_block;
+
+	/*
+	 * generate the key material: This looks amazingly similar to the
+	 * PMS code, and is clearly crying out for a function to provide it.
+	 */
+	if (isTLS) {
+	    SECStatus     status;
+	    SECItem       srcr   = { siBuffer, NULL, 0 };
+	    SECItem       keyblk = { siBuffer, NULL, 0 };
+	    SECItem       master = { siBuffer, NULL, 0 }; 
+
+	    srcr.data   = srcrdata;
+	    srcr.len    = sizeof srcrdata;
+	    keyblk.data = key_block;
+	    keyblk.len  = block_needed;
+	    master.data = (unsigned char*)att->attrib.pValue;
+	    master.len  =                 att->attrib.ulValueLen;
+
+	    status = TLS_PRF(&master, "key expansion", &srcr, &keyblk,
+			      isFIPS);
+	    if (status != SECSuccess) {
+		goto key_and_mac_derive_fail;
+	    }
+	} else {
+	    unsigned int block_bytes = 0;
+	    /* key_block = 
+	     *     MD5(master_secret + SHA('A' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     MD5(master_secret + SHA('BB' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     MD5(master_secret + SHA('CCC' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     [...];
+	     */
+	    for (i = 0; i < NUM_MIXERS && block_bytes < block_needed; i++) {
+	      SHA1_Begin(sha);
+	      SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
+	      SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
+			  att->attrib.ulValueLen);
+	      SHA1_Update(sha, srcrdata, sizeof srcrdata);
+	      SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+	      PORT_Assert(outLen == SHA1_LENGTH);
+	      MD5_Begin(md5);
+	      MD5_Update(md5, (const unsigned char*)att->attrib.pValue,
+			 att->attrib.ulValueLen);
+	      MD5_Update(md5, sha_out, outLen);
+	      MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
+	      PORT_Assert(outLen == MD5_LENGTH);
+	      block_bytes += outLen;
+	    }
+	}
+
+	/*
+	 * Put the key material where it goes.
+	 */
+	i = 0;			/* now shows how much consumed */
+
+	/* 
+	 * The key_block is partitioned as follows:
+	 * client_write_MAC_secret[CipherSpec.hash_size]
+	 */
+	crv = sftk_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
+					 &ssl3_keys_out->hClientMacSecret);
+	if (crv != CKR_OK)
+	    goto key_and_mac_derive_fail;
+
+	i += macSize;
+
+	/* 
+	 * server_write_MAC_secret[CipherSpec.hash_size]
+	 */
+	crv = sftk_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
+					    &ssl3_keys_out->hServerMacSecret);
+	if (crv != CKR_OK) {
+	    goto key_and_mac_derive_fail;
+	}
+	i += macSize;
+
+	if (keySize) {
+	    if (!ssl3_keys->bIsExport) {
+		/* 
+		** Generate Domestic write keys and IVs.
+		** client_write_key[CipherSpec.key_material]
+		*/
+		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
+					keySize, &ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+		i += keySize;
+
+		/* 
+		** server_write_key[CipherSpec.key_material]
+		*/
+		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
+					keySize, &ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+		i += keySize;
+
+		/* 
+		** client_write_IV[CipherSpec.IV_size]
+		*/
+		if (IVSize > 0) {
+		    PORT_Memcpy(ssl3_keys_out->pIVClient, 
+		                &key_block[i], IVSize);
+		    i += IVSize;
+		}
+
+		/* 
+		** server_write_IV[CipherSpec.IV_size]
+		*/
+		if (IVSize > 0) {
+		    PORT_Memcpy(ssl3_keys_out->pIVServer, 
+		                &key_block[i], IVSize);
+		    i += IVSize;
+		}
+		PORT_Assert(i <= sizeof key_block);
+
+	    } else if (!isTLS) {
+
+		/*
+		** Generate SSL3 Export write keys and IVs.
+		** client_write_key[CipherSpec.key_material]
+		** final_client_write_key = MD5(client_write_key +
+		**                   ClientHello.random + ServerHello.random);
+		*/
+		MD5_Begin(md5);
+		MD5_Update(md5, &key_block[i], effKeySize);
+            	MD5_Update(md5, crsrdata, sizeof crsrdata);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		i += effKeySize;
+		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,key_block2,
+				 	keySize,&ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** server_write_key[CipherSpec.key_material]
+		** final_server_write_key = MD5(server_write_key +
+		**                    ServerHello.random + ClientHello.random);
+		*/
+		MD5_Begin(md5);
+		MD5_Update(md5, &key_block[i], effKeySize);
+            	MD5_Update(md5, srcrdata, sizeof srcrdata);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		i += effKeySize;
+		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,key_block2,
+					 keySize,&ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** client_write_IV = 
+		**	MD5(ClientHello.random + ServerHello.random);
+		*/
+		MD5_Begin(md5);
+            	MD5_Update(md5, crsrdata, sizeof crsrdata);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		PORT_Memcpy(ssl3_keys_out->pIVClient, key_block2, IVSize);
+
+		/*
+		** server_write_IV = 
+		**	MD5(ServerHello.random + ClientHello.random);
+		*/
+		MD5_Begin(md5);
+            	MD5_Update(md5, srcrdata, sizeof srcrdata);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		PORT_Memcpy(ssl3_keys_out->pIVServer, key_block2, IVSize);
+
+	    } else {
+
+		/*
+		** Generate TLS Export write keys and IVs.
+		*/
+		SECStatus     status;
+		SECItem       secret = { siBuffer, NULL, 0 };
+		SECItem       crsr   = { siBuffer, NULL, 0 };
+		SECItem       keyblk = { siBuffer, NULL, 0 };
+
+		/*
+		** client_write_key[CipherSpec.key_material]
+		** final_client_write_key = PRF(client_write_key, 
+		**                              "client write key",
+		**                              client_random + server_random);
+		*/
+		secret.data = &key_block[i];
+		secret.len  = effKeySize;
+		i          += effKeySize;
+		crsr.data   = crsrdata;
+		crsr.len    = sizeof crsrdata;
+		keyblk.data = key_block2;
+		keyblk.len  = sizeof key_block2;
+		status = TLS_PRF(&secret, "client write key", &crsr, &keyblk,
+				  isFIPS);
+		if (status != SECSuccess) {
+		    goto key_and_mac_derive_fail;
+		}
+		crv = sftk_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
+				       keySize, &ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** server_write_key[CipherSpec.key_material]
+		** final_server_write_key = PRF(server_write_key,
+		**                              "server write key",
+		**                              client_random + server_random);
+		*/
+		secret.data = &key_block[i];
+		secret.len  = effKeySize;
+		i          += effKeySize;
+		keyblk.data = key_block2;
+		keyblk.len  = sizeof key_block2;
+		status = TLS_PRF(&secret, "server write key", &crsr, &keyblk,
+				  isFIPS);
+		if (status != SECSuccess) {
+		    goto key_and_mac_derive_fail;
+		}
+		crv = sftk_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
+				       keySize, &ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** iv_block = PRF("", "IV block", 
+		**                    client_random + server_random);
+		** client_write_IV[SecurityParameters.IV_size]
+		** server_write_IV[SecurityParameters.IV_size]
+		*/
+		if (IVSize) {
+		    secret.data = NULL;
+		    secret.len  = 0;
+		    keyblk.data = &key_block[i];
+		    keyblk.len  = 2 * IVSize;
+		    status = TLS_PRF(&secret, "IV block", &crsr, &keyblk,
+				      isFIPS);
+		    if (status != SECSuccess) {
+			goto key_and_mac_derive_fail;
+		    }
+		    PORT_Memcpy(ssl3_keys_out->pIVClient, keyblk.data, IVSize);
+		    PORT_Memcpy(ssl3_keys_out->pIVServer, keyblk.data + IVSize,
+                                IVSize);
+		}
+	    }
+	}
+
+	crv = CKR_OK;
+
+	if (0) {
+key_and_mac_derive_fail:
+	    if (crv == CKR_OK)
+	    	crv = CKR_FUNCTION_FAILED;
+	    sftk_freeSSLKeys(hSession, ssl3_keys_out);
+	}
+	MD5_DestroyContext(md5, PR_TRUE);
+	SHA1_DestroyContext(sha, PR_TRUE);
+	sftk_FreeObject(key);
+	key = NULL;
+	break;
+      }
+
+    case CKM_CONCATENATE_BASE_AND_KEY:
+      {
+	SFTKObject *newKey;
+
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	session = sftk_SessionFromHandle(hSession);
+	if (session == NULL) {
+            crv = CKR_SESSION_HANDLE_INVALID;
+	    break;
+    	}
+
+	newKey = sftk_ObjectFromHandle(*(CK_OBJECT_HANDLE *)
+					pMechanism->pParameter,session);
+	sftk_FreeSession(session);
+	if ( newKey == NULL) {
+            crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+
+	if (sftk_isTrue(newKey,CKA_SENSITIVE)) {
+	    crv = sftk_forceAttribute(newKey,CKA_SENSITIVE,&cktrue,
+							sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) {
+		sftk_FreeObject(newKey);
+		break;
+	    }
+	}
+
+	att2 = sftk_FindAttribute(newKey,CKA_VALUE);
+	if (att2 == NULL) {
+	    sftk_FreeObject(newKey);
+            crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	tmpKeySize = att->attrib.ulValueLen+att2->attrib.ulValueLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    sftk_FreeObject(newKey);
+	    sftk_FreeAttribute(att2);
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    sftk_FreeAttribute(att2);
+	    sftk_FreeObject(newKey);
+	    crv = CKR_HOST_MEMORY;	
+	    break;
+	}
+
+	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
+	PORT_Memcpy(buf+att->attrib.ulValueLen,
+				att2->attrib.pValue,att2->attrib.ulValueLen);
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	sftk_FreeAttribute(att2);
+	sftk_FreeObject(newKey);
+	break;
+      }
+
+    case CKM_CONCATENATE_BASE_AND_DATA:
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
+	PORT_Memcpy(buf+att->attrib.ulValueLen,stringPtr->pData,
+							stringPtr->ulLen);
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	break;
+    case CKM_CONCATENATE_DATA_AND_BASE:
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	PORT_Memcpy(buf,stringPtr->pData,stringPtr->ulLen);
+	PORT_Memcpy(buf+stringPtr->ulLen,att->attrib.pValue,
+							att->attrib.ulValueLen);
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	break;
+    case CKM_XOR_BASE_AND_DATA:
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+	tmpKeySize = PR_MIN(att->attrib.ulValueLen,stringPtr->ulLen);
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(keySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	
+	PORT_Memcpy(buf,att->attrib.pValue,keySize);
+	for (i=0; i < (int)keySize; i++) {
+	    buf[i] ^= stringPtr->pData[i];
+	}
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,keySize);
+	break;
+
+    case CKM_EXTRACT_KEY_FROM_KEY:
+      {
+	/* the following assumes 8 bits per byte */
+	CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter;
+	CK_ULONG shift   = extract & 0x7;      /* extract mod 8 the fast way */
+	CK_ULONG offset  = extract >> 3;       /* extract div 8 the fast way */
+
+	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	if (keySize == 0)  {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+	/* make sure we have enough bits in the original key */
+	if (att->attrib.ulValueLen < 
+			(offset + keySize + ((shift != 0)? 1 :0)) ) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(keySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	/* copy the bits we need into the new key */	
+	for (i=0; i < (int)keySize; i++) {
+	    unsigned char *value =
+			 ((unsigned char *)att->attrib.pValue)+offset+i;
+	    if (shift) {
+	        buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift));
+	    } else {
+		buf[i] = value[0];
+	    }
+	}
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,keySize);
+	break;
+      }
+    case CKM_MD2_KEY_DERIVATION:
+	if (keySize == 0) keySize = MD2_LENGTH;
+	if (keySize > MD2_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	md2 = MD2_NewContext();
+	if (md2 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	MD2_Begin(md2);
+	MD2_Update(md2,(const unsigned char*)att->attrib.pValue,
+		   att->attrib.ulValueLen);
+	MD2_End(md2,key_block,&outLen,MD2_LENGTH);
+	MD2_DestroyContext(md2, PR_TRUE);
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,key_block,keySize);
+	break;
+    case CKM_MD5_KEY_DERIVATION:
+	if (keySize == 0) keySize = MD5_LENGTH;
+	if (keySize > MD5_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	md5 = MD5_NewContext();
+	if (md5 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	MD5_Begin(md5);
+	MD5_Update(md5,(const unsigned char*)att->attrib.pValue,
+		   att->attrib.ulValueLen);
+	MD5_End(md5,key_block,&outLen,MD5_LENGTH);
+	MD5_DestroyContext(md5, PR_TRUE);
+
+	crv = sftk_forceAttribute (key,CKA_VALUE,key_block,keySize);
+	break;
+     case CKM_SHA1_KEY_DERIVATION:
+	if (keySize == 0) keySize = SHA1_LENGTH;
+	if (keySize > SHA1_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	sha = SHA1_NewContext();
+	if (sha == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	SHA1_Begin(sha);
+	SHA1_Update(sha,(const unsigned char*)att->attrib.pValue,
+		    att->attrib.ulValueLen);
+	SHA1_End(sha,key_block,&outLen,SHA1_LENGTH);
+	SHA1_DestroyContext(sha, PR_TRUE);
+
+	crv = sftk_forceAttribute(key,CKA_VALUE,key_block,keySize);
+	break;
+
+    case CKM_DH_PKCS_DERIVE:
+      {
+	SECItem  derived,  dhPublic;
+	SECItem  dhPrime,  dhValue;
+	/* sourceKey - values for the local existing low key */
+	/* get prime and value attributes */
+	crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME); 
+	if (crv != SECSuccess) break;
+	crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE); 
+	if (crv != SECSuccess) {
+ 	    PORT_Free(dhPrime.data);
+	    break;
+	}
+
+	dhPublic.data = pMechanism->pParameter;
+	dhPublic.len  = pMechanism->ulParameterLen;
+
+	/* calculate private value - oct */
+	rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize); 
+
+	PORT_Free(dhPrime.data);
+	PORT_Free(dhValue.data);
+     
+	if (rv == SECSuccess) {
+	    sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
+	    PORT_ZFree(derived.data, derived.len);
+	} else
+	    crv = CKR_HOST_MEMORY;
+	    
+	break;
+      }
+
+#ifdef NSS_ENABLE_ECC
+    case CKM_ECDH1_DERIVE:
+    case CKM_ECDH1_COFACTOR_DERIVE:
+      {
+	SECItem  ecScalar, ecPoint;
+	SECItem  tmp;
+	PRBool   withCofactor = PR_FALSE;
+	unsigned char secret_hash[20];
+	unsigned char *secret;
+	unsigned char *keyData = NULL;
+	int secretlen;
+	CK_ECDH1_DERIVE_PARAMS *mechParams;
+	NSSLOWKEYPrivateKey *privKey;
+
+	/* Check mechanism parameters */
+	mechParams = (CK_ECDH1_DERIVE_PARAMS *) pMechanism->pParameter;
+	if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
+	    ((mechParams->kdf == CKD_NULL) &&
+		((mechParams->ulSharedDataLen != 0) || 
+		    (mechParams->pSharedData != NULL)))) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+
+	privKey = sftk_GetPrivKey(sourceKey, CKK_EC, &crv);
+	if (privKey == NULL) {
+	    break;
+	}
+
+	/* Now we are working with a non-NULL private key */
+	SECITEM_CopyItem(NULL, &ecScalar, &privKey->u.ec.privateValue);
+
+	ecPoint.data = mechParams->pPublicData;
+	ecPoint.len  = mechParams->ulPublicDataLen;
+
+	if (pMechanism->mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
+	    withCofactor = PR_TRUE;
+	} else {
+	    /* When not using cofactor derivation, one should
+	     * validate the public key to avoid small subgroup
+	     * attacks.
+	     */
+	    if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) 
+		!= SECSuccess) {
+		crv = CKR_ARGUMENTS_BAD;
+		PORT_Free(ecScalar.data);
+		if (privKey != sourceKey->objectInfo)
+		    nsslowkey_DestroyPrivateKey(privKey);
+		break;
+	    }
+	}
+
+	rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
+	                 withCofactor, &tmp); 
+	PORT_Free(ecScalar.data);
+	if (privKey != sourceKey->objectInfo)
+	   nsslowkey_DestroyPrivateKey(privKey);
+
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+
+	/*
+	 * tmp is the raw data created by ECDH_Derive,
+	 * secret and secretlen are the values we will eventually pass as our
+	 * generated key.
+	 */
+	secret = tmp.data;
+	secretlen = tmp.len;
+
+	/*
+	 * apply the kdf function.
+	 */
+	if (mechParams->kdf == CKD_SHA1_KDF) {
+	    /* Compute SHA1 hash */
+	    PORT_Memset(secret_hash, 0, 20);
+	    rv = SHA1_HashBuf(secret_hash, tmp.data, tmp.len);
+	    if (rv != SECSuccess) {
+		PORT_ZFree(tmp.data, tmp.len);
+		crv = CKR_HOST_MEMORY;
+		break;
+	    } 
+	    secret = secret_hash;
+	    secretlen = 20;
+	}
+
+	/*
+	 * if keySize is supplied, then we are generating a key of a specific 
+	 * length. This is done by taking the least significant 'keySize' 
+	 * bytes from the unsigned value calculated by ECDH. Note: this may 
+	 * mean padding temp with extra leading zeros from what ECDH_Derive 
+	 * already returned (which itself may contain leading zeros).
+ 	 */
+	if (keySize) {
+	    if (secretlen < keySize) {
+	        keyData = PORT_ZAlloc(keySize);
+		if (!keyData) {
+		    PORT_ZFree(tmp.data, tmp.len);
+		    crv = CKR_HOST_MEMORY;
+		    break;
+		}
+		PORT_Memcpy(&keyData[keySize-secretlen],secret,secretlen);
+		secret = keyData;
+	    } else {
+		secret += (secretlen - keySize);
+	    }
+	    secretlen = keySize;
+	}
+
+	sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
+	PORT_ZFree(tmp.data, tmp.len);
+	if (keyData) {
+	    PORT_ZFree(keyData, keySize);
+	}
+	PORT_Memset(secret_hash, 0, 20);
+	    
+	break;
+      }
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+    }
+    sftk_FreeAttribute(att);
+    sftk_FreeObject(sourceKey);
+    if (crv != CKR_OK) { 
+	if (key) sftk_FreeObject(key);
+	return crv;
+    }
+
+    /* link the key object into the list */
+    if (key) {
+	SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+	PORT_Assert(sessKey);
+	/* get the session */
+	sessKey->wasDerived = PR_TRUE;
+	session = sftk_SessionFromHandle(hSession);
+	if (session == NULL) {
+	    sftk_FreeObject(key);
+	    return CKR_HOST_MEMORY;
+	}
+
+	crv = sftk_handleObject(key,session);
+	sftk_FreeSession(session);
+	*phKey = key->handle;
+	sftk_FreeObject(key);
+    }
+    return crv;
+}
+
+
+/* NSC_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
+{
+    CHECK_FORK();
+
+    return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_CancelFunction cancels a function running in parallel */
+CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession)
+{
+    CHECK_FORK();
+
+    return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_GetOperationState saves the state of the cryptographic 
+ *operation in a session.
+ * NOTE: This code only works for digest functions for now. eventually need
+ * to add full flatten/resurect to our state stuff so that all types of state
+ * can be saved */
+CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen)
+{
+    SFTKSessionContext *context;
+    SFTKSession *session;
+    CK_RV crv;
+    CK_ULONG pOSLen = *pulOperationStateLen;
+
+    CHECK_FORK();
+
+    /* make sure we're legal */
+    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
+    if (crv != CKR_OK) return crv;
+
+    *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE)
+				+ sizeof(SFTKContextType);
+    if (pOperationState == NULL) {
+        sftk_FreeSession(session);
+	return CKR_OK;
+    } else {
+	if (pOSLen < *pulOperationStateLen) {
+	    return CKR_BUFFER_TOO_SMALL;
+	}
+    }
+    PORT_Memcpy(pOperationState,&context->type,sizeof(SFTKContextType));
+    pOperationState += sizeof(SFTKContextType);
+    PORT_Memcpy(pOperationState,&context->currentMech,
+						sizeof(CK_MECHANISM_TYPE));
+    pOperationState += sizeof(CK_MECHANISM_TYPE);
+    PORT_Memcpy(pOperationState,context->cipherInfo,context->cipherInfoLen);
+    sftk_FreeSession(session);
+    return CKR_OK;
+}
+
+
+#define sftk_Decrement(stateSize,len) \
+	stateSize = ((stateSize) > (CK_ULONG)(len)) ? \
+				((stateSize) - (CK_ULONG)(len)) : 0;
+
+/* NSC_SetOperationState restores the state of the cryptographic 
+ * operation in a session. This is coded like it can restore lots of
+ * states, but it only works for truly flat cipher structures. */
+CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
+        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
+{
+    SFTKSessionContext *context;
+    SFTKSession *session;
+    SFTKContextType type;
+    CK_MECHANISM mech;
+    CK_RV crv = CKR_OK;
+
+    CHECK_FORK();
+
+    while (ulOperationStateLen != 0) {
+	/* get what type of state we're dealing with... */
+	PORT_Memcpy(&type,pOperationState, sizeof(SFTKContextType));
+
+	/* fix up session contexts based on type */
+	session = sftk_SessionFromHandle(hSession);
+	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+	context = sftk_ReturnContextByType(session, type);
+	sftk_SetContextByType(session, type, NULL);
+	if (context) { 
+	     sftk_FreeContext(context);
+	}
+	pOperationState += sizeof(SFTKContextType);
+	sftk_Decrement(ulOperationStateLen,sizeof(SFTKContextType));
+
+
+	/* get the mechanism structure */
+	PORT_Memcpy(&mech.mechanism,pOperationState,sizeof(CK_MECHANISM_TYPE));
+	pOperationState += sizeof(CK_MECHANISM_TYPE);
+	sftk_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
+	/* should be filled in... but not necessary for hash */
+	mech.pParameter = NULL;
+	mech.ulParameterLen = 0;
+	switch (type) {
+	case SFTK_HASH:
+	    crv = NSC_DigestInit(hSession,&mech);
+	    if (crv != CKR_OK) break;
+	    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, 
+								NULL);
+	    if (crv != CKR_OK) break;
+	    PORT_Memcpy(context->cipherInfo,pOperationState,
+						context->cipherInfoLen);
+	    pOperationState += context->cipherInfoLen;
+	    sftk_Decrement(ulOperationStateLen,context->cipherInfoLen);
+	    break;
+	default:
+	    /* do sign/encrypt/decrypt later */
+	    crv = CKR_SAVED_STATE_INVALID;
+         }
+         sftk_FreeSession(session);
+	 if (crv != CKR_OK) break;
+    }
+    return crv;
+}
+
+/* Dual-function cryptographic operations */
+
+/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
+ * operation. */
+CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen)
+{
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
+						      pulEncryptedPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_DigestUpdate(hSession,pPart,ulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_DecryptDigestUpdate continues a multiple-part decryption and 
+ * digesting operation. */
+CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
+    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen)
+{
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen, 
+							pPart,	pulPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_DigestUpdate(hSession,pPart,*pulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_SignEncryptUpdate continues a multiple-part signing and 
+ * encryption operation. */
+CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen)
+{
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
+						      pulEncryptedPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_SignUpdate(hSession,pPart,ulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_DecryptVerifyUpdate continues a multiple-part decryption 
+ * and verify operation. */
+CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
+				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen)
+{
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen, 
+							pData,	pulDataLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
+
+    return crv;
+}
+
+/* NSC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) 
+{
+    SFTKSession *session = NULL;
+    SFTKObject *key = NULL;
+    SFTKAttribute *att;
+    CK_RV crv;
+
+    CHECK_FORK();
+
+    session = sftk_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    key = sftk_ObjectFromHandle(hKey,session);
+    sftk_FreeSession(session);
+    if (key == NULL)  return CKR_KEY_HANDLE_INVALID;
+
+    /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
+
+    /* make sure it's a valid  key for this operation */
+    if (key->objclass != CKO_SECRET_KEY) {
+	sftk_FreeObject(key);
+	return CKR_KEY_TYPE_INCONSISTENT;
+    }
+    /* get the key value */
+    att = sftk_FindAttribute(key,CKA_VALUE);
+    sftk_FreeObject(key);
+    if (!att) {
+        return CKR_KEY_HANDLE_INVALID;        
+    }
+    crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
+			   att->attrib.ulValueLen);
+    sftk_FreeAttribute(att);
+    return crv;
+}
diff --git a/security/nss/lib/softoken/pkcs11f.h b/security/nss/lib/softoken/pkcs11f.h
new file mode 100644
index 000000000..a6bc91f46
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11f.h
@@ -0,0 +1,937 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * RSA Security INC.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* This function contains pretty much everything about all the */
+/* PKCS #11  function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+
+
+/* General-purpose */
+
+/* C_Initialize initializes the PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about PKCS #11. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+  CK_SLOT_ID         slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR    pPin,      /* the SO's initial PIN */
+  CK_ULONG           ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for PKCS #11 Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
new file mode 100644
index 000000000..3ab201562
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -0,0 +1,715 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _PKCS11I_H_
+#define _PKCS11I_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+
+#include "sftkdbt.h"
+
+
+/* 
+ * Configuration Defines 
+ *
+ * The following defines affect the space verse speed trade offs of
+ * the PKCS #11 module. For the most part the current settings are optimized
+ * for web servers, where we want faster speed and lower lock contention at
+ * the expense of space.
+ */
+
+/* 
+ * The attribute allocation strategy is static allocation:
+ *   Attributes are pre-allocated as part of the session object and used from
+ *   the object array.
+ */
+#define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
+				 * the object (must me the absolute max) */
+#define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
+				 * data needs to be allocated. This is set to
+				 * enough space to hold an SSL MASTER secret */
+
+#define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
+				   * matching when doing C_FindObject on token
+				   * objects. This will slow down search in
+				   * NSS. */
+/* default search block allocations and increments */
+#define NSC_CERT_BLOCK_SIZE     50
+#define NSC_SEARCH_BLOCK_SIZE   5 
+#define NSC_SLOT_LIST_BLOCK_SIZE 10
+
+#define NSC_FIPS_MODULE 1
+#define NSC_NON_FIPS_MODULE 0
+
+/* these are data base storage hashes, not cryptographic hashes.. The define
+ * the effective size of the various object hash tables */
+/* clients care more about memory usage than lookup performance on
+ * cyrptographic objects. Clients also have less objects around to play with 
+ *
+ * we eventually should make this configurable at runtime! Especially now that
+ * NSS is a shared library.
+ */
+#define SPACE_ATTRIBUTE_HASH_SIZE 32 
+#define SPACE_SESSION_OBJECT_HASH_SIZE 32
+#define SPACE_SESSION_HASH_SIZE 32
+#define TIME_ATTRIBUTE_HASH_SIZE 32
+#define TIME_SESSION_OBJECT_HASH_SIZE 1024
+#define TIME_SESSION_HASH_SIZE 1024
+#define MAX_OBJECT_LIST_SIZE 800  
+				  /* how many objects to keep on the free list
+				   * before we start freeing them */
+#define MAX_KEY_LEN 256 	  /* maximum symmetric key length in bytes */
+
+#define MULTIACCESS "multiaccess:"
+
+/*
+ * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
+ * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
+ * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
+ *
+ * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
+ * 1024        9                  512               2
+ * 1024        5                  32                32
+ * 1024        1                  2                 512
+ * 1024        0                  1                 1024
+ * 4096        11                 2048              2
+ * 4096        9                  512               8
+ * 4096        5                  32                128
+ * 4096        1                  2                 2048
+ * 4096        0                  1                 4096
+ */
+#define LOG2_BUCKETS_PER_SESSION_LOCK 1
+#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
+/* NOSPREAD sessionID to hash table index macro has been slower. */
+
+/* define typedefs, double as forward declarations as well */
+typedef struct SFTKAttributeStr SFTKAttribute;
+typedef struct SFTKObjectListStr SFTKObjectList;
+typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
+typedef struct SFTKObjectListElementStr SFTKObjectListElement;
+typedef struct SFTKObjectStr SFTKObject;
+typedef struct SFTKSessionObjectStr SFTKSessionObject;
+typedef struct SFTKTokenObjectStr SFTKTokenObject;
+typedef struct SFTKSessionStr SFTKSession;
+typedef struct SFTKSlotStr SFTKSlot;
+typedef struct SFTKSessionContextStr SFTKSessionContext;
+typedef struct SFTKSearchResultsStr SFTKSearchResults;
+typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
+typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
+typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+typedef struct SFTKItemTemplateStr SFTKItemTemplate;
+
+/* define function pointer typdefs for pointer tables */
+typedef void (*SFTKDestroy)(void *, PRBool);
+typedef void (*SFTKBegin)(void *);
+typedef SECStatus (*SFTKCipher)(void *,void *,unsigned int *,unsigned int,
+					void *, unsigned int);
+typedef SECStatus (*SFTKVerify)(void *,void *,unsigned int,void *,unsigned int);
+typedef void (*SFTKHash)(void *,void *,unsigned int);
+typedef void (*SFTKEnd)(void *,void *,unsigned int *,unsigned int);
+typedef void (*SFTKFree)(void *);
+
+/* Value to tell if an attribute is modifiable or not.
+ *    NEVER: attribute is only set on creation.
+ *    ONCOPY: attribute is set on creation and can only be changed on copy.
+ *    SENSITIVE: attribute can only be changed to TRUE.
+ *    ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+	SFTK_NEVER = 0,
+	SFTK_ONCOPY = 1,
+	SFTK_SENSITIVE = 2,
+	SFTK_ALWAYS = 3
+} SFTKModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+	SFTK_DestroyFailure,
+	SFTK_Destroyed,
+	SFTK_Busy
+} SFTKFreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct SFTKAttributeStr {
+    SFTKAttribute  	*next;
+    SFTKAttribute  	*prev;
+    PRBool		freeAttr;
+    PRBool		freeData;
+    /*must be called handle to make sftkqueue_find work */
+    CK_ATTRIBUTE_TYPE	handle;
+    CK_ATTRIBUTE 	attrib;
+    unsigned char space[ATTR_SPACE];
+};
+
+
+/*
+ * doubly link list of objects
+ */
+struct SFTKObjectListStr {
+    SFTKObjectList *next;
+    SFTKObjectList *prev;
+    SFTKObject	   *parent;
+};
+
+struct SFTKObjectFreeListStr {
+    SFTKObject	*head;
+    PZLock	*lock;
+    int		count;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct SFTKObjectStr {
+    SFTKObject *next;
+    SFTKObject	*prev;
+    CK_OBJECT_CLASS 	objclass;
+    CK_OBJECT_HANDLE	handle;
+    int 		refCount;
+    PZLock 		*refLock;
+    SFTKSlot	   	*slot;
+    void 		*objectInfo;
+    SFTKFree 		infoFree;
+};
+
+struct SFTKTokenObjectStr {
+    SFTKObject  obj;
+    SECItem	dbKey;
+};
+
+struct SFTKSessionObjectStr {
+    SFTKObject	   obj;
+    SFTKObjectList sessionList;
+    PZLock		*attributeLock;
+    SFTKSession   	*session;
+    PRBool		wasDerived;
+    int nextAttr;
+    SFTKAttribute	attrList[MAX_OBJS_ATTRS];
+    PRBool		optimizeSpace;
+    unsigned int	hashSize;
+    SFTKAttribute 	*head[1];
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct SFTKObjectListElementStr {
+    SFTKObjectListElement	*next;
+    SFTKObject 			*object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct SFTKSearchResultsStr {
+    CK_OBJECT_HANDLE	*handles;
+    int			size;
+    int			index;
+    int			array_size;
+};
+
+
+/* 
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+    SFTK_ENCRYPT,
+    SFTK_DECRYPT,
+    SFTK_HASH,
+    SFTK_SIGN,
+    SFTK_SIGN_RECOVER,
+    SFTK_VERIFY,
+    SFTK_VERIFY_RECOVER
+} SFTKContextType;
+
+
+#define SFTK_MAX_BLOCK_SIZE 16
+/* currently SHA512 is the biggest hash length */
+#define SFTK_MAX_MAC_LENGTH 64
+#define SFTK_INVALID_MAC_SIZE 0xffffffff
+
+struct SFTKSessionContextStr {
+    SFTKContextType	type;
+    PRBool		multi; 		/* is multipart */
+    PRBool		doPad; 		/* use PKCS padding for block ciphers */
+    unsigned int	blockSize; 	/* blocksize for padding */
+    unsigned int	padDataLength; 	/* length of the valid data in padbuf */
+    unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
+    unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
+    CK_ULONG		macSize;	/* size of a general block cipher mac*/
+    void		*cipherInfo;
+    void		*hashInfo;
+    unsigned int	cipherInfoLen;
+    CK_MECHANISM_TYPE	currentMech;
+    SFTKCipher		update;
+    SFTKHash		hashUpdate;
+    SFTKEnd		end;
+    SFTKDestroy		destroy;
+    SFTKDestroy		hashdestroy;
+    SFTKVerify		verify;
+    unsigned int	maxLen;
+    SFTKObject		*key;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct SFTKSessionStr {
+    SFTKSession        *next;
+    SFTKSession        *prev;
+    CK_SESSION_HANDLE	handle;
+    int			refCount;
+    PZLock		*objectLock;
+    int			objectIDCount;
+    CK_SESSION_INFO	info;
+    CK_NOTIFY		notify;
+    CK_VOID_PTR		appData;
+    SFTKSlot		*slot;
+    SFTKSearchResults	*search;
+    SFTKSessionContext	*enc_context;
+    SFTKSessionContext	*hash_context;
+    SFTKSessionContext	*sign_context;
+    SFTKObjectList	*objects[1];
+};
+
+/*
+ * slots (have sessions and objects)
+ *
+ * The array of sessionLock's protect the session hash table (head[])
+ * as well as the reference count of session objects in that bucket
+ * (head[]->refCount),  objectLock protects all elements of the slot's
+ * object hash tables (sessObjHashTable[] and tokObjHashTable), and
+ * sessionObjectHandleCount.
+ * slotLock protects the remaining protected elements:
+ * password, isLoggedIn, ssoLoggedIn, and sessionCount,
+ * and pwCheckLock serializes the key database password checks in
+ * NSC_SetPIN and NSC_Login.
+ *
+ * Each of the fields below has the following lifetime as commented
+ * next to the fields:
+ *   invariant  - This value is set when the slot is first created and
+ * never changed until it is destroyed.
+ *   per load   - This value is set when the slot is first created, or 
+ * when the slot is used to open another directory. Between open and close
+ * this field does not change.
+ *   variable - This value changes through the normal process of slot operation.
+ *      - reset. The value of this variable is cleared during an open/close 
+ *   cycles.
+ *      - preserved. The value of this variable is preserved over open/close
+ *   cycles.
+ */
+struct SFTKSlotStr {
+    CK_SLOT_ID		slotID;			/* invariant */
+    PZLock		*slotLock;		/* invariant */
+    PZLock		**sessionLock;		/* invariant */
+    unsigned int	numSessionLocks;	/* invariant */
+    unsigned long	sessionLockMask;	/* invariant */
+    PZLock		*objectLock;		/* invariant */
+    PRLock		*pwCheckLock;		/* invariant */
+    PRBool		present;		/* variable -set */
+    PRBool		hasTokens;		/* per load */
+    PRBool		isLoggedIn;		/* variable - reset */
+    PRBool		ssoLoggedIn;		/* variable - reset */
+    PRBool		needLogin;		/* per load */
+    PRBool		DB_loaded;		/* per load */
+    PRBool		readOnly;		/* per load */
+    PRBool		optimizeSpace;		/* invariant */
+    SFTKDBHandle	*certDB;		/* per load */
+    SFTKDBHandle	*keyDB;			/* per load */
+    int			minimumPinLen;		/* per load */
+    PRInt32		sessionIDCount;		/* atomically incremented */
+                                        	/* (preserved) */
+    int			sessionIDConflict; 	/* not protected by a lock */
+                                            	/* (preserved) */
+    int			sessionCount;           /* variable - reset */
+    PRInt32             rwSessionCount;    	/* set by atomic operations */
+                                          	/* (reset) */
+    int			sessionObjectHandleCount;/* variable - perserved */
+    int			index;			/* invariant */
+    PLHashTable		*tokObjHashTable;	/* invariant */
+    SFTKObject		**sessObjHashTable;	/* variable - reset */
+    unsigned int	sessObjHashSize;	/* invariant */
+    SFTKSession		**head;			/* variable -reset */
+    unsigned int	sessHashSize;		/* invariant */
+    char		tokDescription[33];	/* per load */
+    char		updateTokDescription[33]; /* per load */
+    char		slotDescription[65];	/* invariant */
+};
+
+/*
+ * special joint operations Contexts
+ */
+struct SFTKHashVerifyInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPublicKey	*key;
+};
+
+struct SFTKHashSignInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPrivateKey	*key;
+};
+
+/* context for the Final SSLMAC message */
+struct SFTKSSLMACInfoStr {
+    void 		*hashContext;
+    SFTKBegin		begin;
+    SFTKHash		update;
+    SFTKEnd		end;
+    CK_ULONG		macSize;
+    int			padSize;
+    unsigned char	key[MAX_KEY_LEN];
+    unsigned int	keySize;
+};
+
+/*
+ * Template based on SECItems, suitable for passing as arrays
+ */
+struct SFTKItemTemplateStr {
+    CK_ATTRIBUTE_TYPE	type;
+    SECItem		*item;
+};
+
+/* macro for setting SFTKTemplates. */
+#define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \
+   templ[count].type = attr; \
+   templ[count].item = itemPtr
+
+#define SFTK_MAX_ITEM_TEMPLATE 10
+
+/*
+ * session handle modifiers
+ */
+#define SFTK_SESSION_SLOT_MASK	0xff000000L
+
+/*
+ * object handle modifiers
+ */
+#define SFTK_TOKEN_MASK		0x80000000L
+#define SFTK_TOKEN_MAGIC	0x80000000L
+#define SFTK_TOKEN_TYPE_MASK	0x70000000L
+/* keydb (high bit == 0) */
+#define SFTK_TOKEN_TYPE_PRIV	0x10000000L
+#define SFTK_TOKEN_TYPE_PUB	0x20000000L
+#define SFTK_TOKEN_TYPE_KEY	0x30000000L
+/* certdb (high bit == 1) */
+#define SFTK_TOKEN_TYPE_TRUST	0x40000000L
+#define SFTK_TOKEN_TYPE_CRL	0x50000000L
+#define SFTK_TOKEN_TYPE_SMIME	0x60000000L
+#define SFTK_TOKEN_TYPE_CERT	0x70000000L
+
+#define SFTK_TOKEN_KRL_HANDLE	(SFTK_TOKEN_MAGIC|SFTK_TOKEN_TYPE_CRL|1)
+/* how big (in bytes) a password/pin we can deal with */
+#define SFTK_MAX_PIN	255
+/* minimum password/pin length (in Unicode characters) in FIPS mode */
+#define FIPS_MIN_PIN	7
+
+/* slot ID's */
+#define NETSCAPE_SLOT_ID 1
+#define PRIVATE_KEY_SLOT_ID 2
+#define FIPS_SLOT_ID 3
+
+/* slot helper macros */
+#define sftk_SlotFromSession(sp) ((sp)->slot)
+#define sftk_isToken(id) (((id) & SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
+
+/* the session hash multiplier (see bug 201081) */
+#define SHMULTIPLIER 1791398085
+
+/* queueing helper macros */
+#define sftk_hash(value,size) \
+	((PRUint32)((value) * SHMULTIPLIER) & (size-1))
+#define sftkqueue_add(element,id,head,hash_size) \
+	{ int tmp = sftk_hash(id,hash_size); \
+	(element)->next = (head)[tmp]; \
+	(element)->prev = NULL; \
+	if ((head)[tmp]) (head)[tmp]->prev = (element); \
+	(head)[tmp] = (element); }
+#define sftkqueue_find(element,id,head,hash_size) \
+	for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
+					 (element) = (element)->next) { \
+	    if ((element)->handle == (id)) { break; } }
+#define sftkqueue_is_queued(element,id,head,hash_size) \
+	( ((element)->next) || ((element)->prev) || \
+	 ((head)[sftk_hash(id,hash_size)] == (element)) )
+#define sftkqueue_delete(element,id,head,hash_size) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+#define sftkqueue_init_element(element) \
+    (element)->prev = NULL;
+
+#define sftkqueue_add2(element, id, index, head) \
+    {                                            \
+	(element)->next = (head)[index];         \
+	if ((head)[index])                       \
+	    (head)[index]->prev = (element);     \
+	(head)[index] = (element);               \
+    }
+
+#define sftkqueue_find2(element, id, index, head) \
+    for ( (element) = (head)[index];              \
+          (element) != NULL;                      \
+          (element) = (element)->next) {          \
+	if ((element)->handle == (id)) { break; } \
+    }
+
+#define sftkqueue_delete2(element, id, index, head) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[index] = ((element)->next);
+
+#define sftkqueue_clear_deleted_element(element) \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+
+/* sessionID (handle) is used to determine session lock bucket */
+#ifdef NOSPREAD
+/* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
+        & (slot)->sessionLockMask])
+#else
+/* SPREAD:	ID & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
+#endif
+
+/* expand an attribute & secitem structures out */
+#define sftk_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
+#define sftk_item_expand(ip) (ip)->data,(ip)->len
+
+typedef struct sftk_token_parametersStr {
+    CK_SLOT_ID slotID;
+    char *configdir;
+    char *certPrefix;
+    char *keyPrefix;
+    char *updatedir;
+    char *updCertPrefix;
+    char *updKeyPrefix;
+    char *updateID;
+    char *tokdes;
+    char *slotdes;
+    char *updtokdes;
+    int minPW; 
+    PRBool readOnly;
+    PRBool noCertDB;
+    PRBool noKeyDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+    PRBool optimizeSpace;
+} sftk_token_parameters;
+
+typedef struct sftk_parametersStr {
+    char *configdir;
+    char *updatedir;
+    char *updateID;
+    char *secmodName;
+    char *man;
+    char *libdes; 
+    PRBool readOnly;
+    PRBool noModDB;
+    PRBool noCertDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+    PRBool optimizeSpace;
+    sftk_token_parameters *tokens;
+    int token_count;
+} sftk_parameters;
+
+
+/* machine dependent path stuff used by dbinit.c and pk11db.c */
+#ifdef macintosh
+#define PATH_SEPARATOR ":"
+#define SECMOD_DB "Security Modules"
+#define CERT_DB_FMT "%sCertificates%s"
+#define KEY_DB_FMT "%sKey Database%s"
+#else
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+#endif
+
+SEC_BEGIN_PROTOS
+
+/* shared functions between pkcs11.c and fipstokn.c */
+extern PRBool nsf_init;
+extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
+	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
+
+/* slot initialization, reinit, shutdown and destruction */
+extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+			sftk_token_parameters *params, int moduleIndex);
+extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
+			char *updatedir, char *updateID,
+			sftk_token_parameters *params, int moduleIndex);
+extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
+extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
+extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot);
+
+
+/* internal utility functions used by pkcs11.c */
+extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
+					 CK_ATTRIBUTE_TYPE type);
+extern void sftk_FreeAttribute(SFTKAttribute *attribute);
+extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				   void *valPtr,
+				  CK_ULONG length);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena, 
+		SFTKObject *object, SFTKItemTemplate *templ, int count);
+extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
+							 unsigned int bufLen);
+extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 
+	CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
+extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_DeleteAttributeType(SFTKObject *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
+				     SFTKObject *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
+				      CK_OBJECT_CLASS inClass);
+extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+                                                         CK_ULONG *longData);
+extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				 void *value, unsigned int len);
+extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				   void *value, unsigned int len);
+extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
+extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
+extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
+extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
+extern void sftk_ReferenceObject(SFTKObject *object);
+extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
+					 SFTKSession *session);
+extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
+extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
+
+extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
+				   SFTKObject **head, unsigned int size,
+				   PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
+				   int count, PRBool isLoggedIn);
+extern SFTKObjectListElement *sftk_FreeObjectListElement(
+					     SFTKObjectListElement *objectList);
+extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
+extern void sftk_FreeSearch(SFTKSearchResults *search);
+extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
+
+extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
+extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
+extern void sftk_FreeSession(SFTKSession *session);
+extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
+				    CK_VOID_PTR pApplication, CK_FLAGS flags);
+extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
+extern void sftk_update_all_states(SFTKSlot *slot);
+extern void sftk_FreeContext(SFTKSessionContext *context);
+extern void sftk_InitFreeLists(void);
+extern void sftk_CleanupFreeLists(void);
+
+extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
+					  CK_KEY_TYPE key_type, CK_RV *crvp);
+extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
+					    CK_KEY_TYPE key_type, CK_RV *crvp);
+extern void sftk_FormatDESKey(unsigned char *key, int length);
+extern PRBool sftk_CheckDESKey(unsigned char *key);
+extern PRBool sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
+
+/* mechanism allows this operation */
+extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
+
+/* helper function which calls nsslowkey_FindKeyByPublicKey after safely
+ * acquiring a reference to the keydb from the slot */
+NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
+
+/*
+ * narrow objects
+ */
+SFTKSessionObject * sftk_narrowToSessionObject(SFTKObject *);
+SFTKTokenObject * sftk_narrowToTokenObject(SFTKObject *);
+
+/*
+ * token object utilities
+ */
+void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
+PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 
+						CK_OBJECT_HANDLE handle);
+SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 
+						CK_OBJECT_HANDLE handle);
+SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
+
+/****************************************
+ * implement TLS Pseudo Random Function (PRF)
+ */
+
+extern CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context, 
+		  SFTKObject *        key, 
+		  CK_KEY_TYPE         key_type);
+
+SEC_END_PROTOS
+
+#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h
new file mode 100644
index 000000000..345e5cb94
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11n.h
@@ -0,0 +1,289 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PKCS11N_H_
+#define _PKCS11N_H_
+
+#ifdef DEBUG
+static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * pkcs11n.h
+ *
+ * This file contains the NSS-specific type definitions for Cryptoki
+ * (PKCS#11).
+ */
+
+/*
+ * NSSCK_VENDOR_NSS
+ *
+ * Cryptoki reserves the high half of all the number spaces for
+ * vendor-defined use.  I'd like to keep all of our NSS-
+ * specific values together, but not in the oh-so-obvious
+ * 0x80000001, 0x80000002, etc. area.  So I've picked an offset,
+ * and constructed values for the beginnings of our spaces.
+ *
+ * Note that some "historical" Netscape values don't fall within
+ * this range.
+ */
+#define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
+
+/*
+ * NSS-defined object classes
+ * 
+ */
+#define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKO_NSS_CRL                (CKO_NSS + 1)
+#define CKO_NSS_SMIME              (CKO_NSS + 2)
+#define CKO_NSS_TRUST              (CKO_NSS + 3)
+#define CKO_NSS_BUILTIN_ROOT_LIST  (CKO_NSS + 4)
+#define CKO_NSS_NEWSLOT            (CKO_NSS + 5)
+#define CKO_NSS_DELSLOT            (CKO_NSS + 6)
+
+
+/*
+ * NSS-defined key types
+ *
+ */
+#define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKK_NSS_PKCS8              (CKK_NSS + 1)
+/*
+ * NSS-defined certificate types
+ *
+ */
+#define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/* FAKE PKCS #11 defines */
+#define CKA_DIGEST            0x81000000L
+#define CKA_FLAGS_ONLY        0 /* CKA_CLASS */
+
+/*
+ * NSS-defined object attributes
+ *
+ */
+#define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKA_NSS_URL                (CKA_NSS +  1)
+#define CKA_NSS_EMAIL              (CKA_NSS +  2)
+#define CKA_NSS_SMIME_INFO         (CKA_NSS +  3)
+#define CKA_NSS_SMIME_TIMESTAMP    (CKA_NSS +  4)
+#define CKA_NSS_PKCS8_SALT         (CKA_NSS +  5)
+#define CKA_NSS_PASSWORD_CHECK     (CKA_NSS +  6)
+#define CKA_NSS_EXPIRES            (CKA_NSS +  7)
+#define CKA_NSS_KRL                (CKA_NSS +  8)
+
+#define CKA_NSS_PQG_COUNTER        (CKA_NSS +  20)
+#define CKA_NSS_PQG_SEED           (CKA_NSS +  21)
+#define CKA_NSS_PQG_H              (CKA_NSS +  22)
+#define CKA_NSS_PQG_SEED_BITS      (CKA_NSS +  23)
+#define CKA_NSS_MODULE_SPEC        (CKA_NSS +  24)
+#define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS +  25)
+
+/*
+ * Trust attributes:
+ *
+ * If trust goes standard, these probably will too.  So I'll
+ * put them all in one place.
+ */
+
+#define CKA_TRUST (CKA_NSS + 0x2000)
+
+/* "Usage" key information */
+#define CKA_TRUST_DIGITAL_SIGNATURE     (CKA_TRUST +  1)
+#define CKA_TRUST_NON_REPUDIATION       (CKA_TRUST +  2)
+#define CKA_TRUST_KEY_ENCIPHERMENT      (CKA_TRUST +  3)
+#define CKA_TRUST_DATA_ENCIPHERMENT     (CKA_TRUST +  4)
+#define CKA_TRUST_KEY_AGREEMENT         (CKA_TRUST +  5)
+#define CKA_TRUST_KEY_CERT_SIGN         (CKA_TRUST +  6)
+#define CKA_TRUST_CRL_SIGN              (CKA_TRUST +  7)
+
+/* "Purpose" trust information */
+#define CKA_TRUST_SERVER_AUTH           (CKA_TRUST +  8)
+#define CKA_TRUST_CLIENT_AUTH           (CKA_TRUST +  9)
+#define CKA_TRUST_CODE_SIGNING          (CKA_TRUST + 10)
+#define CKA_TRUST_EMAIL_PROTECTION      (CKA_TRUST + 11)
+#define CKA_TRUST_IPSEC_END_SYSTEM      (CKA_TRUST + 12)
+#define CKA_TRUST_IPSEC_TUNNEL          (CKA_TRUST + 13)
+#define CKA_TRUST_IPSEC_USER            (CKA_TRUST + 14)
+#define CKA_TRUST_TIME_STAMPING         (CKA_TRUST + 15)
+#define CKA_TRUST_STEP_UP_APPROVED      (CKA_TRUST + 16)
+
+#define CKA_CERT_SHA1_HASH	        (CKA_TRUST + 100)
+#define CKA_CERT_MD5_HASH		(CKA_TRUST + 101)
+
+/* NSS trust stuff */
+/* XXX fgmr new ones here-- step-up, etc. */
+
+/* HISTORICAL: define used to pass in the database key for DSA private keys */
+#define CKA_NETSCAPE_DB                 0xD5A0DB00L
+#define CKA_NETSCAPE_TRUST              0x80000001L
+
+/* FAKE PKCS #11 defines */
+#define CKM_FAKE_RANDOM       0x80000efeUL
+#define CKM_INVALID_MECHANISM 0xffffffffUL
+
+/*
+ * NSS-defined crypto mechanisms
+ *
+ */
+#define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKM_NSS_AES_KEY_WRAP      (CKM_NSS + 1)
+#define CKM_NSS_AES_KEY_WRAP_PAD  (CKM_NSS + 2)
+
+/*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+ * PKCS #11 interface. Most of these are place holders for other mechanism
+ * and will change in the future.
+ */
+#define CKM_NETSCAPE_PBE_SHA1_DES_CBC           0x80000002UL
+#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC    0x80000003UL
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC    0x80000004UL
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC   0x80000005UL
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4        0x80000006UL
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4       0x80000007UL
+#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC   0x80000008UL
+#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN      0x80000009UL
+#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN       0x8000000aUL
+#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN       0x8000000bUL
+
+#define CKM_TLS_PRF_GENERAL                     0x80000373UL
+
+/*
+ * NSS-defined return values
+ *
+ */
+#define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKR_NSS_CERTDB_FAILED      (CKR_NSS + 1)
+#define CKR_NSS_KEYDB_FAILED       (CKR_NSS + 2)
+
+/*
+ * Trust info
+ *
+ * This isn't part of the Cryptoki standard (yet), so I'm putting
+ * all the definitions here.  Some of this would move to nssckt.h
+ * if trust info were made part of the standard.  In view of this
+ * possibility, I'm putting my (NSS) values in the NSS
+ * vendor space, like everything else.
+ */
+
+typedef CK_ULONG          CK_TRUST;
+
+/* The following trust types are defined: */
+#define CKT_VENDOR_DEFINED     0x80000000
+
+#define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/* If trust goes standard, these'll probably drop out of vendor space. */
+#define CKT_NSS_TRUSTED            (CKT_NSS + 1)
+#define CKT_NSS_TRUSTED_DELEGATOR  (CKT_NSS + 2)
+#define CKT_NSS_UNTRUSTED          (CKT_NSS + 3)
+#define CKT_NSS_MUST_VERIFY        (CKT_NSS + 4)
+#define CKT_NSS_TRUST_UNKNOWN      (CKT_NSS + 5) /* default */
+
+/* 
+ * These may well remain NSS-specific; I'm only using them
+ * to cache resolution data.
+ */
+#define CKT_NSS_VALID              (CKT_NSS + 10)
+#define CKT_NSS_VALID_DELEGATOR    (CKT_NSS + 11)
+
+/* don't leave old programs in a lurch just yet, give them the old NETSCAPE
+ * synonym */
+#define CKO_NETSCAPE_CRL                CKO_NSS_CRL
+#define CKO_NETSCAPE_SMIME              CKO_NSS_SMIME
+#define CKO_NETSCAPE_TRUST              CKO_NSS_TRUST
+#define CKO_NETSCAPE_BUILTIN_ROOT_LIST  CKO_NSS_BUILTIN_ROOT_LIST
+#define CKO_NETSCAPE_NEWSLOT            CKO_NSS_NEWSLOT
+#define CKO_NETSCAPE_DELSLOT            CKO_NSS_DELSLOT
+#define CKK_NETSCAPE_PKCS8              CKK_NSS_PKCS8
+#define CKA_NETSCAPE_URL                CKA_NSS_URL
+#define CKA_NETSCAPE_EMAIL              CKA_NSS_EMAIL
+#define CKA_NETSCAPE_SMIME_INFO         CKA_NSS_SMIME_INFO
+#define CKA_NETSCAPE_SMIME_TIMESTAMP    CKA_NSS_SMIME_TIMESTAMP
+#define CKA_NETSCAPE_PKCS8_SALT         CKA_NSS_PKCS8_SALT
+#define CKA_NETSCAPE_PASSWORD_CHECK     CKA_NSS_PASSWORD_CHECK
+#define CKA_NETSCAPE_EXPIRES            CKA_NSS_EXPIRES
+#define CKA_NETSCAPE_KRL                CKA_NSS_KRL
+#define CKA_NETSCAPE_PQG_COUNTER        CKA_NSS_PQG_COUNTER
+#define CKA_NETSCAPE_PQG_SEED           CKA_NSS_PQG_SEED
+#define CKA_NETSCAPE_PQG_H              CKA_NSS_PQG_H
+#define CKA_NETSCAPE_PQG_SEED_BITS      CKA_NSS_PQG_SEED_BITS
+#define CKA_NETSCAPE_MODULE_SPEC        CKA_NSS_MODULE_SPEC
+#define CKM_NETSCAPE_AES_KEY_WRAP	CKM_NSS_AES_KEY_WRAP
+#define CKM_NETSCAPE_AES_KEY_WRAP_PAD	CKM_NSS_AES_KEY_WRAP_PAD
+#define CKR_NETSCAPE_CERTDB_FAILED      CKR_NSS_CERTDB_FAILED
+#define CKR_NETSCAPE_KEYDB_FAILED       CKR_NSS_KEYDB_FAILED
+#define CKT_NETSCAPE_TRUSTED            CKT_NSS_TRUSTED
+#define CKT_NETSCAPE_TRUSTED_DELEGATOR  CKT_NSS_TRUSTED_DELEGATOR
+#define CKT_NETSCAPE_UNTRUSTED          CKT_NSS_UNTRUSTED
+#define CKT_NETSCAPE_MUST_VERIFY        CKT_NSS_MUST_VERIFY
+#define CKT_NETSCAPE_TRUST_UNKNOWN      CKT_NSS_TRUST_UNKNOWN
+#define CKT_NETSCAPE_VALID              CKT_NSS_VALID
+#define CKT_NETSCAPE_VALID_DELEGATOR    CKT_NSS_VALID_DELEGATOR
+
+/*
+ * These are not really PKCS #11 values specifically. They are the 'loadable'
+ * module spec NSS uses. The are available for others to use as well, but not
+ * part of the formal PKCS #11 spec.
+ *
+ * The function 'FIND' returns an array of PKCS #11 initialization strings
+ * The function 'ADD' takes a PKCS #11 initialization string and stores it.
+ * The function 'DEL' takes a 'name= library=' value and deletes the associated
+ *  string.
+ * The function 'RELEASE' frees the array returned by 'FIND'
+ */
+#define SECMOD_MODULE_DB_FUNCTION_FIND  0
+#define SECMOD_MODULE_DB_FUNCTION_ADD   1
+#define SECMOD_MODULE_DB_FUNCTION_DEL   2
+#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 
+typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
+                                        char *parameters, void *moduleSpec);
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+
+#endif /* _PKCS11N_H_ */
diff --git a/security/nss/lib/softoken/pkcs11ni.h b/security/nss/lib/softoken/pkcs11ni.h
new file mode 100644
index 000000000..9e584a9f0
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11ni.h
@@ -0,0 +1,52 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PKCS11NI_H_
+#define _PKCS11NI_H_
+
+/*
+ * pkcs11ni.h
+ *
+ * This file contains softoken private exports for NSS
+ */
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+
+#endif /* _PKCS11NI_H_ */
diff --git a/security/nss/lib/softoken/pkcs11p.h b/security/nss/lib/softoken/pkcs11p.h
new file mode 100644
index 000000000..f1ea25805
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11p.h
@@ -0,0 +1,54 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* these data types are platform/implementation dependent. */
+/*
+ * Packing was removed from the shipped RSA header files, even
+ * though it's still needed. put in a central file to help merging..
+ */
+
+#if defined(_WIN32)
+#ifdef _MSC_VER
+#pragma warning(disable:4103)
+#endif
+#pragma pack(push, cryptoki, 1)
+#endif
+
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
new file mode 100644
index 000000000..104fa698a
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11t.h
@@ -0,0 +1,1774 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * RSA Security, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#include "prtypes.h"
+
+#define CK_PTR *
+#define CK_NULL_PTR 0
+#define CK_CALLBACK_FUNCTION(rtype,func) rtype (PR_CALLBACK * func)
+#define CK_DECLARE_FUNCTION(rtype,func) extern rtype func
+#define CK_DECLARE_FUNCTION_POINTER(rtype,func) rtype (PR_CALLBACK * func)
+
+#define CK_INVALID_SESSION    0
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+/* pack */
+#include "pkcs11p.h"
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  /* manufacturerID and libraryDecription have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_VERSION    cryptokiVersion;     /* PKCS #11 interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * PKCS #11 provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  /* slotDescription and manufacturerID have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  /* label, manufacturerID, and model have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the PKCS #11 library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED       0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+   onwards. */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED          0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a PKCS #11-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of PKCS #11 users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC   2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that PKCS #11 recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM         0x00000007
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER  0x00000001
+#define CKH_CLOCK           0x00000002
+#define CKH_USER_INTERFACE  0x00000003
+#define CKH_VENDOR_DEFINED  0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA           0x00000003
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH        0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5           0x00000018
+#define CKK_CAST128         0x00000018
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+#define CKK_AES             0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH        0x00000020
+#define CKK_TWOFISH         0x00000021
+
+/* Camellia is proposed for v2.20 Amendment 3 */
+#define CKK_CAMELLIA        0x00000025
+
+#define CKK_VENDOR_DEFINED  0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509           0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS            0x00000002
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+   consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE    0x40000000
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID          0x00000012
+
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED            0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY        0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
+#define CKA_URL                         0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
+#define CKA_CHECK_VALUE                 0x00000090
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUBPRIME_BITS      0x00000134
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+
+#define CKA_MODIFIABLE         0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_EC_PARAMS          0x00000180
+
+#define CKA_EC_POINT           0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH     0x00000200
+#define CKA_AUTH_PIN_FLAGS     0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X                     0x00000400
+#define CKA_PIXEL_Y                     0x00000401
+#define CKA_RESOLUTION                  0x00000402
+#define CKA_CHAR_ROWS                   0x00000403
+#define CKA_CHAR_COLUMNS                0x00000404
+#define CKA_COLOR                       0x00000405
+#define CKA_BITS_PER_PIXEL              0x00000406
+#define CKA_CHAR_SETS                   0x00000480
+#define CKA_ENCODING_METHODS            0x00000481
+#define CKA_MIME_TYPES                  0x00000482
+#define CKA_MECHANISM_TYPE              0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+#define CKM_RSA_PKCS_PSS               0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS            0x00000040
+#define CKM_SHA384_RSA_PKCS            0x00000041
+#define CKM_SHA512_RSA_PKCS            0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+
+/* CKM_SHA224 new for v2.20 amendment 3 */
+#define CKM_SHA224_RSA_PKCS            0x00000046
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64                  0x00000150
+#define CKM_DES_OFB8                   0x00000151
+#define CKM_DES_CFB64                  0x00000152
+#define CKM_DES_CFB8                   0x00000153
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256                     0x00000250
+#define CKM_SHA256_HMAC                0x00000251
+#define CKM_SHA256_HMAC_GENERAL        0x00000252
+#define CKM_SHA384                     0x00000260
+#define CKM_SHA384_HMAC                0x00000261
+#define CKM_SHA384_HMAC_GENERAL        0x00000262
+#define CKM_SHA512                     0x00000270
+#define CKM_SHA512_HMAC                0x00000271
+#define CKM_SHA512_HMAC_GENERAL        0x00000272
+
+/* CKM_SHA224 new for v2.20 amendment 3 */
+#define CKM_SHA224                     0x00000255
+#define CKM_SHA224_HMAC                0x00000256
+#define CKM_SHA224_HMAC_GENERAL        0x00000257
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF                    0x00000378
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION      0x00000393
+#define CKM_SHA384_KEY_DERIVATION      0x00000394
+#define CKM_SHA512_KEY_DERIVATION      0x00000395
+
+/* CKM_SHA224 new for v2.20 amendment 3 */
+#define CKM_SHA224_KEY_DERIVATION      0x00000396
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
+#define CKM_WTLS_PRF                        0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG                    0x00000500
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE               0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
+#define CKM_ECMQV_DERIVE               0x00001052
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN           0x00001090
+#define CKM_BLOWFISH_CBC               0x00001091
+#define CKM_TWOFISH_KEY_GEN            0x00001092
+#define CKM_TWOFISH_CBC                0x00001093
+
+/* Camellia is proposed for v2.20 Amendment 3 */
+#define CKM_CAMELLIA_KEY_GEN           0x00000550
+#define CKM_CAMELLIA_ECB               0x00000551
+#define CKM_CAMELLIA_CBC               0x00000552
+#define CKM_CAMELLIA_MAC               0x00000553
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
+#define CKM_CAMELLIA_CBC_PAD           0x00000555
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P             0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * PKCS #11 function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED                 0x00000200
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a PKCS #11 spec
+ * version and pointers of appropriate types to all the
+ * PKCS #11 functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  /* The official PKCS #11 spec does not have a 'LibraryParameters' field, but
+   * a reserved field. NSS needs a way to pass instance-specific information
+   * to the library (like where to find its config files, etc). This
+   * information is usually provided by the installer and passed uninterpreted
+   * by NSS to the library, though NSS does know the specifics of the softoken
+   * version of this parameter. Most compliant PKCS#11 modules expect this 
+   * parameter to be NULL, and will return CKR_ARGUMENTS_BAD from
+   * C_Initialize if Library parameters is supplied. */
+  CK_CHAR_PTR *LibraryParameters;
+  /* This field is only present if the LibraryParameters is not NULL. It must
+   * be NULL in all cases */
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1         0x00000001
+#define CKG_MGF1_SHA256       0x00000002
+#define CKG_MGF1_SHA384       0x00000003
+#define CKG_MGF1_SHA512       0x00000004
+
+/* v2.20 amendment 3 */
+#define CKG_MGF1_SHA224	      0x00000005
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001
+#define CKD_SHA1_KDF             0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+   (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1        0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* NSS Specific defines */
+
+/* defines that have been deprecated in 2.20, but maintained in our
+ * header file for backward compatibility */
+#define CKO_KG_PARAMETERS     CKO_DOMAIN_PARAMETERS
+#define CKF_EC_FP             CKF_EC_F_P
+/* new in v2.11 deprecated by 2.20 */
+#define CKR_KEY_PARAMS_INVALID                0x0000006B
+
+/* stuff that for historic reasons is in this header file but should have
+ * been in pkcs11n.h */
+#define CKK_INVALID_KEY_TYPE  0xffffffff
+
+#include "pkcs11n.h"
+
+/* undo packing */
+#include "pkcs11u.h"
+
+#endif
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
new file mode 100644
index 000000000..0d649e26e
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -0,0 +1,2012 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "prnetdb.h" /* for PR_ntohl */
+#include "sftkdb.h"
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * create a new attribute with type, value, and length. Space is allocated
+ * to hold value.
+ */
+static SFTKAttribute *
+sftk_NewAttribute(SFTKObject *object,
+	CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len)
+{
+    SFTKAttribute *attribute;
+
+    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+    int index;
+
+    if (so == NULL)  {
+	/* allocate new attribute in a buffer */
+	PORT_Assert(0);
+	return NULL;
+    }
+    /* 
+     * We attempt to keep down contention on Malloc and Arena locks by
+     * limiting the number of these calls on high traversed paths. This
+     * is done for attributes by 'allocating' them from a pool already
+     * allocated by the parent object.
+     */
+    PZ_Lock(so->attributeLock);
+    index = so->nextAttr++;
+    PZ_Unlock(so->attributeLock);
+    PORT_Assert(index < MAX_OBJS_ATTRS);
+    if (index >= MAX_OBJS_ATTRS) return NULL;
+
+    attribute = &so->attrList[index];
+    attribute->attrib.type = type;
+    attribute->freeAttr = PR_FALSE;
+    attribute->freeData = PR_FALSE;
+    if (value) {
+        if (len <= ATTR_SPACE) {
+	    attribute->attrib.pValue = attribute->space;
+	} else {
+	    attribute->attrib.pValue = PORT_Alloc(len);
+    	    attribute->freeData = PR_TRUE;
+	}
+	if (attribute->attrib.pValue == NULL) {
+	    return NULL;
+	}
+	PORT_Memcpy(attribute->attrib.pValue,value,len);
+	attribute->attrib.ulValueLen = len;
+    } else {
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    attribute->attrib.type = type;
+    attribute->handle = type;
+    attribute->next = attribute->prev = NULL;
+    return attribute;
+}
+
+/*
+ * Free up all the memory associated with an attribute. Reference count
+ * must be zero to call this.
+ */
+static void
+sftk_DestroyAttribute(SFTKAttribute *attribute)
+{
+    if (attribute->freeData) {
+	if (attribute->attrib.pValue) {
+	    /* clear out the data in the attribute value... it may have been
+	     * sensitive data */
+	    PORT_Memset(attribute->attrib.pValue, 0,
+						attribute->attrib.ulValueLen);
+	}
+	PORT_Free(attribute->attrib.pValue);
+    }
+    PORT_Free(attribute);
+}
+
+/*
+ * release a reference to an attribute structure
+ */
+void
+sftk_FreeAttribute(SFTKAttribute *attribute)
+{
+    if (attribute->freeAttr) {
+	sftk_DestroyAttribute(attribute);
+	return;
+    }
+}
+
+static SFTKAttribute *    
+sftk_FindTokenAttribute(SFTKTokenObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *myattribute = NULL;
+    SFTKDBHandle *dbHandle = NULL;
+    CK_RV crv;
+
+    myattribute = (SFTKAttribute*)PORT_Alloc(sizeof(SFTKAttribute));
+    if (myattribute == NULL) {
+	goto loser;
+    }
+
+    dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
+
+    myattribute->handle = type;
+    myattribute->attrib.type = type;
+    myattribute->attrib.pValue = myattribute->space;
+    myattribute->attrib.ulValueLen = ATTR_SPACE;
+    myattribute->next = myattribute->prev = NULL;
+    myattribute->freeAttr = PR_TRUE;
+    myattribute->freeData = PR_FALSE;
+
+    crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+		&myattribute->attrib, 1);
+
+    /* attribute is bigger than our attribute space buffer, malloc it */
+    if (crv == CKR_BUFFER_TOO_SMALL) {
+    	myattribute->attrib.pValue = NULL;
+    	crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+		&myattribute->attrib, 1);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+	myattribute->attrib.pValue = PORT_Alloc(myattribute->attrib.ulValueLen);
+	if (myattribute->attrib.pValue == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	myattribute->freeData = PR_TRUE;
+    	crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+		 &myattribute->attrib, 1);
+    } 
+loser:
+    if (dbHandle) {
+	sftk_freeDB(dbHandle);
+    }
+    if (crv != CKR_OK) {
+	if (myattribute) {
+	    myattribute->attrib.ulValueLen = 0;
+	    sftk_FreeAttribute(myattribute);
+	    myattribute = NULL;
+	}
+    }
+    return myattribute;
+} 
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when 
+ * it is no longer needed.
+ */
+SFTKAttribute *
+sftk_FindAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return sftk_FindTokenAttribute(sftk_narrowToTokenObject(object),type);
+    }
+
+    PZ_Lock(sessObject->attributeLock);
+    sftkqueue_find(attribute,type,sessObject->head, sessObject->hashSize);
+    PZ_Unlock(sessObject->attributeLock);
+
+    return(attribute);
+}
+
+/*
+ * Take a buffer and it's length and return it's true size in bits;
+ */
+unsigned int
+sftk_GetLengthInBits(unsigned char *buf, unsigned int bufLen)
+{
+    unsigned int size = bufLen * 8;
+    unsigned int i;
+
+    /* Get the real length in bytes */
+    for (i=0; i < bufLen; i++) {
+	unsigned char  c = *buf++;
+	if (c != 0) {
+	    unsigned char m;
+	    for (m=0x80; m > 0 ;  m = m >> 1) {
+		if ((c & m) != 0) {
+		    break;
+		} 
+		size--;
+	    }
+	    break;
+	}
+	size-=8;
+    }
+    return size;
+}
+
+/*
+ * Constrain a big num attribute. to size and padding
+ * minLength means length of the object must be greater than equal to minLength
+ * maxLength means length of the object must be less than equal to maxLength
+ * minMultiple means that object length mod minMultiple must equal 0.
+ * all input sizes are in bits.
+ * if any constraint is '0' that constraint is not checked.
+ */
+CK_RV
+sftk_ConstrainAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 
+			int minLength, int maxLength, int minMultiple)
+{
+    SFTKAttribute *attribute;
+    int size;
+    unsigned char *ptr;
+
+    attribute = sftk_FindAttribute(object, type);
+    if (!attribute) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    ptr = (unsigned char *) attribute->attrib.pValue;
+    if (ptr == NULL) {
+	sftk_FreeAttribute(attribute);
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    size = sftk_GetLengthInBits(ptr, attribute->attrib.ulValueLen);
+    sftk_FreeAttribute(attribute);
+
+    if ((minLength != 0) && (size <  minLength)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    if ((maxLength != 0) && (size >  maxLength)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    if ((minMultiple != 0) && ((size % minMultiple) != 0)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    return CKR_OK;
+}
+
+PRBool
+sftk_hasAttributeToken(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    CK_ATTRIBUTE template;
+    CK_RV crv;
+    SFTKDBHandle *dbHandle;
+
+    dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
+    template.type = type;
+    template.pValue = NULL;
+    template.ulValueLen = 0;
+
+    crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, &template, 1);
+    sftk_freeDB(dbHandle);
+
+    /* attribute is bigger than our attribute space buffer, malloc it */
+    return (crv == CKR_OK) ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+sftk_hasAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return sftk_hasAttributeToken(sftk_narrowToTokenObject(object), type);
+    }
+
+    PZ_Lock(sessObject->attributeLock);
+    sftkqueue_find(attribute,type,sessObject->head, sessObject->hashSize);
+    PZ_Unlock(sessObject->attributeLock);
+
+    return (PRBool)(attribute != NULL);
+}
+
+/*
+ * add an attribute to an object
+ */
+static void
+sftk_AddAttribute(SFTKObject *object,SFTKAttribute *attribute)
+{
+    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+    if (sessObject == NULL) return;
+    PZ_Lock(sessObject->attributeLock);
+    sftkqueue_add(attribute,attribute->handle,
+				sessObject->head, sessObject->hashSize);
+    PZ_Unlock(sessObject->attributeLock);
+}
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+sftk_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,SFTKObject *object,
+                                      CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+
+    item->data = NULL;
+
+    attribute = sftk_FindAttribute(object, type);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    (void)SECITEM_AllocItem(arena, item, attribute->attrib.ulValueLen);
+    if (item->data == NULL) {
+	sftk_FreeAttribute(attribute);
+	return CKR_HOST_MEMORY;
+    }
+    PORT_Memcpy(item->data, attribute->attrib.pValue, item->len);
+    sftk_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+/* 
+ * fetch multiple attributes into  SECItems. Secitem data is allocated in
+ * the specified arena.
+ */
+CK_RV
+sftk_MultipleAttribute2SecItem(PLArenaPool *arena, SFTKObject *object,
+	 SFTKItemTemplate *itemTemplate, int itemTemplateCount)
+{
+
+    CK_RV crv = CKR_OK;
+    CK_ATTRIBUTE templateSpace[SFTK_MAX_ITEM_TEMPLATE];
+    CK_ATTRIBUTE *template;
+    SFTKTokenObject *tokObject;
+    SFTKDBHandle *dbHandle = NULL;
+    int i;
+
+    tokObject = sftk_narrowToTokenObject(object);
+
+    /* session objects, just loop through the list */
+    if (tokObject == NULL) {
+	for (i=0; i < itemTemplateCount; i++) {
+	    crv = sftk_Attribute2SecItem(arena,itemTemplate[i].item, object,
+					 itemTemplate[i].type);
+	    if (crv != CKR_OK) {
+		return crv;
+	    }
+	}
+	return CKR_OK;
+    }
+
+    /* don't do any work if none is required */
+    if (itemTemplateCount == 0) {
+	return CKR_OK;
+    }
+
+    /* don't allocate the template unless we need it */
+    if (itemTemplateCount > SFTK_MAX_ITEM_TEMPLATE) {
+	template = PORT_NewArray(CK_ATTRIBUTE, itemTemplateCount);
+    } else {
+	template = templateSpace;
+    }
+
+    if (template == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    dbHandle = sftk_getDBForTokenObject(object->slot, object->handle);
+    if (dbHandle == NULL) {
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	goto loser;
+    }
+
+    /* set up the PKCS #11 template */
+    for (i=0; i < itemTemplateCount; i++) {
+	template[i].type = itemTemplate[i].type;
+	template[i].pValue = NULL;
+	template[i].ulValueLen = 0;
+    }
+
+    /* fetch the attribute lengths */
+    crv = sftkdb_GetAttributeValue(dbHandle, object->handle,
+				   template, itemTemplateCount);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    /* allocate space for the attributes */
+    for (i=0; i < itemTemplateCount ; i++) {
+	template[i].pValue = PORT_ArenaAlloc(arena, template[i].ulValueLen);
+	if (template[i].pValue == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+    }
+
+    /* fetch the attributes */
+    crv = sftkdb_GetAttributeValue(dbHandle, object->handle,
+				   template, itemTemplateCount);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    /* Fill in the items */	
+    for (i=0; i < itemTemplateCount; i++) {
+	itemTemplate[i].item->data = template[i].pValue;
+	itemTemplate[i].item->len = template[i].ulValueLen;
+    }
+
+loser:
+    if (template != templateSpace) {
+	PORT_Free(template);
+    }
+    if (dbHandle) {
+	sftk_freeDB(dbHandle);
+    }
+	     
+    return crv;
+}
+
+
+/*
+ * delete an attribute from an object
+ */
+static void
+sftk_DeleteAttribute(SFTKObject *object, SFTKAttribute *attribute)
+{
+    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return ;
+    }
+    PZ_Lock(sessObject->attributeLock);
+    if (sftkqueue_is_queued(attribute,attribute->handle,
+				sessObject->head, sessObject->hashSize)) {
+	sftkqueue_delete(attribute,attribute->handle,
+				sessObject->head, sessObject->hashSize);
+    }
+    PZ_Unlock(sessObject->attributeLock);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+sftk_isTrue(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+    PRBool tok = PR_FALSE;
+
+    attribute=sftk_FindAttribute(object,type);
+    if (attribute == NULL) { return PR_FALSE; }
+    tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
+    sftk_FreeAttribute(attribute);
+
+    return tok;
+}
+
+/*
+ * force an attribute to null.
+ * this is for sensitive keys which are stored in the database, we don't
+ * want to keep this info around in memory in the clear.
+ */
+void
+sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+
+    attribute=sftk_FindAttribute(object,type);
+    if (attribute == NULL) return;
+
+    if (attribute->attrib.pValue != NULL) {
+	PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
+	if (attribute->freeData) {
+	    PORT_Free(attribute->attrib.pValue);
+	}
+	attribute->freeData = PR_FALSE;
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    sftk_FreeAttribute(attribute);
+}
+
+
+static CK_RV
+sftk_forceTokenAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type, 
+						void *value, unsigned int len)
+{
+    CK_ATTRIBUTE attribute;
+    SFTKDBHandle *dbHandle = NULL;
+    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+    CK_RV crv;
+
+    PORT_Assert(to);
+    if (to == NULL) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    dbHandle = sftk_getDBForTokenObject(object->slot, object->handle);
+
+    attribute.type = type;
+    attribute.pValue = value;
+    attribute.ulValueLen = len;
+
+    crv = sftkdb_SetAttributeValue(dbHandle, object->handle,
+		&attribute, 1);
+    sftk_freeDB(dbHandle);
+    return crv;
+}
+	
+/*
+ * force an attribute to a specifc value.
+ */
+CK_RV
+sftk_forceAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type, void *value,
+						unsigned int len)
+{
+    SFTKAttribute *attribute;
+    void *att_val = NULL;
+    PRBool freeData = PR_FALSE;
+
+    PORT_Assert(object);
+    PORT_Assert(object->refCount);
+    PORT_Assert(object->slot);
+    if (!object ||
+        !object->refCount ||
+        !object->slot) {
+        return CKR_DEVICE_ERROR;
+    }
+    if (sftk_isToken(object->handle)) {
+	return sftk_forceTokenAttribute(object,type,value,len);
+    }
+    attribute=sftk_FindAttribute(object,type);
+    if (attribute == NULL) return sftk_AddAttributeType(object,type,value,len);
+
+
+    if (value) {
+        if (len <= ATTR_SPACE) {
+	    att_val = attribute->space;
+	} else {
+	    att_val = PORT_Alloc(len);
+	    freeData = PR_TRUE;
+	}
+	if (att_val == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	if (attribute->attrib.pValue == att_val) {
+	    PORT_Memset(attribute->attrib.pValue,0,
+					attribute->attrib.ulValueLen);
+	}
+	PORT_Memcpy(att_val,value,len);
+    }
+    if (attribute->attrib.pValue != NULL) {
+	if (attribute->attrib.pValue != att_val) {
+	    PORT_Memset(attribute->attrib.pValue,0,
+					attribute->attrib.ulValueLen);
+	}
+	if (attribute->freeData) {
+	    PORT_Free(attribute->attrib.pValue);
+	}
+	attribute->freeData = PR_FALSE;
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    if (att_val) {
+	attribute->attrib.pValue = att_val;
+	attribute->attrib.ulValueLen = len;
+	attribute->freeData = freeData;
+    }
+    sftk_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+sftk_getString(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+    char *label = NULL;
+
+    attribute=sftk_FindAttribute(object,type);
+    if (attribute == NULL) return NULL;
+
+    if (attribute->attrib.pValue != NULL) {
+	label = (char *) PORT_Alloc(attribute->attrib.ulValueLen+1);
+	if (label == NULL) {
+    	    sftk_FreeAttribute(attribute);
+	    return NULL;
+	}
+
+	PORT_Memcpy(label,attribute->attrib.pValue,
+						attribute->attrib.ulValueLen);
+	label[attribute->attrib.ulValueLen] = 0;
+    }
+    sftk_FreeAttribute(attribute);
+    return label;
+}
+
+/*
+ * decode when a particular attribute may be modified
+ * 	SFTK_NEVER: This attribute must be set at object creation time and
+ *  can never be modified.
+ *	SFTK_ONCOPY: This attribute may be modified only when you copy the
+ *  object.
+ *	SFTK_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
+ *  CK_FALSE to CK_TRUE.
+ *	SFTK_ALWAYS: This attribute can always be modified.
+ * Some attributes vary their modification type based on the class of the 
+ *   object.
+ */
+SFTKModifyType
+sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+    /* if we don't know about it, user user defined, always allow modify */
+    SFTKModifyType mtype = SFTK_ALWAYS; 
+
+    switch(type) {
+    /* NEVER */
+    case CKA_CLASS:
+    case CKA_CERTIFICATE_TYPE:
+    case CKA_KEY_TYPE:
+    case CKA_MODULUS:
+    case CKA_MODULUS_BITS:
+    case CKA_PUBLIC_EXPONENT:
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME:
+    case CKA_SUBPRIME:
+    case CKA_BASE:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+    case CKA_VALUE_LEN:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_NEVER_EXTRACTABLE:
+    case CKA_NETSCAPE_DB:
+	mtype = SFTK_NEVER;
+	break;
+
+    /* ONCOPY */
+    case CKA_TOKEN:
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	mtype = SFTK_ONCOPY;
+	break;
+
+    /* SENSITIVE */
+    case CKA_SENSITIVE:
+    case CKA_EXTRACTABLE:
+	mtype = SFTK_SENSITIVE;
+	break;
+
+    /* ALWAYS */
+    case CKA_LABEL:
+    case CKA_APPLICATION:
+    case CKA_ID:
+    case CKA_SERIAL_NUMBER:
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_VERIFY:
+    case CKA_SIGN_RECOVER:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+    case CKA_UNWRAP:
+	mtype = SFTK_ALWAYS;
+	break;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	mtype = (inClass == CKO_DATA) ? SFTK_ALWAYS : SFTK_NEVER;
+	break;
+
+    case CKA_SUBJECT:
+	mtype = (inClass == CKO_CERTIFICATE) ? SFTK_NEVER : SFTK_ALWAYS;
+	break;
+    default:
+	break;
+    }
+    return mtype;
+}
+
+/* decode if a particular attribute is sensitive (cannot be read
+ * back to the user of if the object is set to SENSITIVE) */
+PRBool
+sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+    switch(type) {
+    /* ALWAYS */
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	return PR_TRUE;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	/* PRIVATE and SECRET KEYS have SENSITIVE values */
+	return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY));
+
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+/* 
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+sftk_Attribute2SecItem(PLArenaPool *arena,SECItem *item,SFTKObject *object,
+					CK_ATTRIBUTE_TYPE type)
+{
+    int len;
+    SFTKAttribute *attribute;
+
+    attribute = sftk_FindAttribute(object, type);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    len = attribute->attrib.ulValueLen;
+
+    if (arena) {
+    	item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
+    } else {
+    	item->data = (unsigned char *) PORT_Alloc(len);
+    }
+    if (item->data == NULL) {
+	sftk_FreeAttribute(attribute);
+	return CKR_HOST_MEMORY;
+    }
+    item->len = len;
+    PORT_Memcpy(item->data,attribute->attrib.pValue, len);
+    sftk_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+CK_RV
+sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+							 CK_ULONG *longData)
+{
+    SFTKAttribute *attribute;
+
+    attribute = sftk_FindAttribute(object, type);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    if (attribute->attrib.ulValueLen != sizeof(CK_ULONG)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    *longData = *(CK_ULONG *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+void
+sftk_DeleteAttributeType(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    SFTKAttribute *attribute;
+    attribute = sftk_FindAttribute(object, type);
+    if (attribute == NULL) return ;
+    sftk_DeleteAttribute(object,attribute);
+    sftk_FreeAttribute(attribute);
+}
+
+CK_RV
+sftk_AddAttributeType(SFTKObject *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
+							CK_ULONG length)
+{
+    SFTKAttribute *attribute;
+    attribute = sftk_NewAttribute(object,type,valPtr,length);
+    if (attribute == NULL) { return CKR_HOST_MEMORY; }
+    sftk_AddAttribute(object,attribute);
+    return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+/* must be called holding sftk_tokenKeyLock(slot) */
+static SECItem *
+sftk_lookupTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle)
+{
+    return (SECItem *)PL_HashTableLookup(slot->tokObjHashTable, (void *)handle);
+}
+
+/*
+ * use the refLock. This operations should be very rare, so the added
+ * contention on the ref lock should be lower than the overhead of adding
+ * a new lock. We use separate functions for this just in case I'm wrong.
+ */
+static void
+sftk_tokenKeyLock(SFTKSlot *slot) {
+    PZ_Lock(slot->objectLock);
+}
+
+static void
+sftk_tokenKeyUnlock(SFTKSlot *slot) {
+    PZ_Unlock(slot->objectLock);
+}
+
+static PRIntn
+sftk_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
+{
+    SECItem *item = (SECItem *)entry->value;
+
+    SECITEM_FreeItem(item, PR_TRUE);
+    return HT_ENUMERATE_NEXT;
+}
+
+CK_RV
+SFTK_ClearTokenKeyHashTable(SFTKSlot *slot)
+{
+    sftk_tokenKeyLock(slot);
+    PORT_Assert(!slot->present);
+    PL_HashTableEnumerateEntries(slot->tokObjHashTable, sftk_freeHashItem, NULL);
+    sftk_tokenKeyUnlock(slot);
+    return CKR_OK;
+}
+
+
+/* allocation hooks that allow us to recycle old object structures */
+static SFTKObjectFreeList sessionObjectList = { NULL, NULL, 0 };
+static SFTKObjectFreeList tokenObjectList = { NULL, NULL, 0 };
+
+SFTKObject *
+sftk_GetObjectFromList(PRBool *hasLocks, PRBool optimizeSpace, 
+     SFTKObjectFreeList *list, unsigned int hashSize, PRBool isSessionObject)
+{
+    SFTKObject *object;
+    int size = 0;
+
+    if (!optimizeSpace) {
+	PZ_Lock(list->lock);
+	object = list->head;
+	if (object) {
+	    list->head = object->next;
+	    list->count--;
+	}    	
+	PZ_Unlock(list->lock);
+	if (object) {
+	    object->next = object->prev = NULL;
+            *hasLocks = PR_TRUE;
+	    return object;
+	}
+    }
+    size = isSessionObject ? sizeof(SFTKSessionObject) 
+		+ hashSize *sizeof(SFTKAttribute *) : sizeof(SFTKTokenObject);
+
+    object  = (SFTKObject*)PORT_ZAlloc(size);
+    if (isSessionObject && object) {
+	((SFTKSessionObject *)object)->hashSize = hashSize;
+    }
+    *hasLocks = PR_FALSE;
+    return object;
+}
+
+static void
+sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list,
+						PRBool isSessionObject) {
+
+    /* the code below is equivalent to :
+     *     optimizeSpace = isSessionObject ? object->optimizeSpace : PR_FALSE;
+     * just faster.
+     */
+    PRBool optimizeSpace = isSessionObject && 
+				((SFTKSessionObject *)object)->optimizeSpace; 
+    if (object->refLock && !optimizeSpace 
+	               && (list->count < MAX_OBJECT_LIST_SIZE)) {
+	PZ_Lock(list->lock);
+	object->next = list->head;
+	list->head = object;
+	list->count++;
+	PZ_Unlock(list->lock);
+	return;
+    }
+    if (isSessionObject) {
+	SFTKSessionObject *so = (SFTKSessionObject *)object;
+	PZ_DestroyLock(so->attributeLock);
+	so->attributeLock = NULL;
+    }
+    if (object->refLock) {
+	PZ_DestroyLock(object->refLock);
+	object->refLock = NULL;
+    }
+    PORT_Free(object);
+}
+
+static SFTKObject *
+sftk_freeObjectData(SFTKObject *object) {
+   SFTKObject *next = object->next;
+
+   PORT_Free(object);
+   return next;
+}
+
+static void
+sftk_InitFreeList(SFTKObjectFreeList *list)
+{
+    list->lock = PZ_NewLock(nssILockObject);
+}
+
+void sftk_InitFreeLists(void)
+{
+    sftk_InitFreeList(&sessionObjectList);
+    sftk_InitFreeList(&tokenObjectList);
+}
+   
+static void
+sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList)
+{
+    SFTKObject *object;
+
+    if (!list->lock) {
+	return;
+    }
+    PZ_Lock(list->lock);
+    for (object= list->head; object != NULL; 
+					object = sftk_freeObjectData(object)) {
+	PZ_DestroyLock(object->refLock);
+	if (isSessionList) {
+	    PZ_DestroyLock(((SFTKSessionObject *)object)->attributeLock);
+	}
+    }
+    list->count = 0;
+    list->head = NULL;
+    PZ_Unlock(list->lock);
+    PZ_DestroyLock(list->lock);
+    list->lock = NULL;
+}
+
+void
+sftk_CleanupFreeLists(void)
+{
+    sftk_CleanupFreeList(&sessionObjectList, PR_TRUE);
+    sftk_CleanupFreeList(&tokenObjectList, PR_FALSE);
+}
+
+
+/*
+ * Create a new object
+ */
+SFTKObject *
+sftk_NewObject(SFTKSlot *slot)
+{
+    SFTKObject *object;
+    SFTKSessionObject *sessObject;
+    PRBool hasLocks = PR_FALSE;
+    unsigned int i;
+    unsigned int hashSize = 0;
+
+    hashSize = (slot->optimizeSpace) ? SPACE_ATTRIBUTE_HASH_SIZE :
+				TIME_ATTRIBUTE_HASH_SIZE;
+
+    object = sftk_GetObjectFromList(&hasLocks, slot->optimizeSpace,
+				&sessionObjectList,  hashSize, PR_TRUE);
+    if (object == NULL) {
+	return NULL;
+    }
+    sessObject = (SFTKSessionObject *)object;
+    sessObject->nextAttr = 0;
+
+    for (i=0; i < MAX_OBJS_ATTRS; i++) {
+	sessObject->attrList[i].attrib.pValue = NULL;
+	sessObject->attrList[i].freeData = PR_FALSE;
+    }
+    sessObject->optimizeSpace = slot->optimizeSpace;
+
+    object->handle = 0;
+    object->next = object->prev = NULL;
+    object->slot = slot;
+    
+    object->refCount = 1;
+    sessObject->sessionList.next = NULL;
+    sessObject->sessionList.prev = NULL;
+    sessObject->sessionList.parent = object;
+    sessObject->session = NULL;
+    sessObject->wasDerived = PR_FALSE;
+    if (!hasLocks) object->refLock = PZ_NewLock(nssILockRefLock);
+    if (object->refLock == NULL) {
+	PORT_Free(object);
+	return NULL;
+    }
+    if (!hasLocks) sessObject->attributeLock = PZ_NewLock(nssILockAttribute);
+    if (sessObject->attributeLock == NULL) {
+	PZ_DestroyLock(object->refLock);
+	PORT_Free(object);
+	return NULL;
+    }
+    for (i=0; i < sessObject->hashSize; i++) {
+	sessObject->head[i] = NULL;
+    }
+    object->objectInfo = NULL;
+    object->infoFree = NULL;
+    return object;
+}
+
+static CK_RV
+sftk_DestroySessionObjectData(SFTKSessionObject *so)
+{
+	int i;
+
+	for (i=0; i < MAX_OBJS_ATTRS; i++) {
+	    unsigned char *value = so->attrList[i].attrib.pValue;
+	    if (value) {
+		PORT_Memset(value,0,so->attrList[i].attrib.ulValueLen);
+		if (so->attrList[i].freeData) {
+		    PORT_Free(value);
+		}
+		so->attrList[i].attrib.pValue = NULL;
+		so->attrList[i].freeData = PR_FALSE;
+	    }
+	}
+/*	PZ_DestroyLock(so->attributeLock);*/
+	return CKR_OK;
+}
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static CK_RV
+sftk_DestroyObject(SFTKObject *object)
+{
+    CK_RV crv = CKR_OK;
+    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+
+    PORT_Assert(object->refCount == 0);
+
+    /* delete the database value */
+    if (to) {
+	if (to->dbKey.data) {
+	   PORT_Free(to->dbKey.data);
+	   to->dbKey.data = NULL;
+	}
+    } 
+    if (so) {
+	sftk_DestroySessionObjectData(so);
+    }
+    if (object->objectInfo) {
+	(*object->infoFree)(object->objectInfo);
+	object->objectInfo = NULL;
+	object->infoFree = NULL;
+    }
+    if (so) {
+	sftk_PutObjectToList(object,&sessionObjectList,PR_TRUE);
+    } else {
+	sftk_PutObjectToList(object,&tokenObjectList,PR_FALSE);
+    }
+    return crv;
+}
+
+void
+sftk_ReferenceObject(SFTKObject *object)
+{
+    PZ_Lock(object->refLock);
+    object->refCount++;
+    PZ_Unlock(object->refLock);
+}
+
+static SFTKObject *
+sftk_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, SFTKSlot *slot)
+{
+    SFTKObject *object;
+    PRUint32 index = sftk_hash(handle, slot->sessObjHashSize);
+
+    if (sftk_isToken(handle)) {
+	return sftk_NewTokenObject(slot, NULL, handle);
+    }
+
+    PZ_Lock(slot->objectLock);
+    sftkqueue_find2(object, handle, index, slot->sessObjHashTable);
+    if (object) {
+	sftk_ReferenceObject(object);
+    }
+    PZ_Unlock(slot->objectLock);
+
+    return(object);
+}
+/*
+ * look up and object structure from a handle. OBJECT_Handles only make
+ * sense in terms of a given session.  make a reference to that object
+ * structure returned.
+ */
+SFTKObject *
+sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, SFTKSession *session)
+{
+    SFTKSlot *slot = sftk_SlotFromSession(session);
+
+    return sftk_ObjectFromHandleOnSlot(handle,slot);
+}
+
+
+/*
+ * release a reference to an object handle
+ */
+SFTKFreeStatus
+sftk_FreeObject(SFTKObject *object)
+{
+    PRBool destroy = PR_FALSE;
+    CK_RV crv;
+
+    PZ_Lock(object->refLock);
+    if (object->refCount == 1) destroy = PR_TRUE;
+    object->refCount--;
+    PZ_Unlock(object->refLock);
+
+    if (destroy) {
+	crv = sftk_DestroyObject(object);
+	if (crv != CKR_OK) {
+	   return SFTK_DestroyFailure;
+	} 
+	return SFTK_Destroyed;
+    }
+    return SFTK_Busy;
+}
+ 
+/*
+ * add an object to a slot and session queue. These two functions
+ * adopt the object.
+ */
+void
+sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object)
+{
+    PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+    sftkqueue_init_element(object);
+    PZ_Lock(slot->objectLock);
+    sftkqueue_add2(object, object->handle, index, slot->sessObjHashTable);
+    PZ_Unlock(slot->objectLock);
+}
+
+void
+sftk_AddObject(SFTKSession *session, SFTKObject *object)
+{
+    SFTKSlot *slot = sftk_SlotFromSession(session);
+    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+
+    if (so) {
+	PZ_Lock(session->objectLock);
+	sftkqueue_add(&so->sessionList,0,session->objects,0);
+	so->session = session;
+	PZ_Unlock(session->objectLock);
+    }
+    sftk_AddSlotObject(slot,object);
+    sftk_ReferenceObject(object);
+} 
+
+/*
+ * delete an object from a slot and session queue
+ */
+CK_RV
+sftk_DeleteObject(SFTKSession *session, SFTKObject *object)
+{
+    SFTKSlot *slot = sftk_SlotFromSession(session);
+    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+    CK_RV crv = CKR_OK;
+    PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+
+    /* Handle Token case */
+    if (so && so->session) {
+	SFTKSession *session = so->session;
+	PZ_Lock(session->objectLock);
+	sftkqueue_delete(&so->sessionList,0,session->objects,0);
+	PZ_Unlock(session->objectLock);
+	PZ_Lock(slot->objectLock);
+	sftkqueue_delete2(object, object->handle, index, slot->sessObjHashTable);
+	PZ_Unlock(slot->objectLock);
+	sftkqueue_clear_deleted_element(object);
+	sftk_FreeObject(object); /* free the reference owned by the queue */
+    } else {
+	SFTKDBHandle *handle = sftk_getDBForTokenObject(slot, object->handle);
+
+	PORT_Assert(to);
+	crv = sftkdb_DestroyObject(handle, object->handle);
+	sftk_freeDB(handle);
+    } 
+    return crv;
+}
+
+/*
+ * Token objects don't explicitly store their attributes, so we need to know
+ * what attributes make up a particular token object before we can copy it.
+ * below are the tables by object type.
+ */
+static const CK_ATTRIBUTE_TYPE commonAttrs[] = {
+    CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_MODIFIABLE
+};
+static const CK_ULONG commonAttrsCount = 
+			sizeof(commonAttrs)/sizeof(commonAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE commonKeyAttrs[] = {
+    CKA_ID, CKA_START_DATE, CKA_END_DATE, CKA_DERIVE, CKA_LOCAL, CKA_KEY_TYPE
+};
+static const CK_ULONG commonKeyAttrsCount = 
+			sizeof(commonKeyAttrs)/sizeof(commonKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE secretKeyAttrs[] = {
+    CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN,
+    CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_VALUE
+};
+static const CK_ULONG secretKeyAttrsCount = 
+			sizeof(secretKeyAttrs)/sizeof(secretKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE commonPubKeyAttrs[] = {
+    CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_WRAP, CKA_SUBJECT
+};
+static const CK_ULONG commonPubKeyAttrsCount = 
+			sizeof(commonPubKeyAttrs)/sizeof(commonPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE rsaPubKeyAttrs[] = {
+    CKA_MODULUS, CKA_PUBLIC_EXPONENT
+};
+static const CK_ULONG rsaPubKeyAttrsCount = 
+			sizeof(rsaPubKeyAttrs)/sizeof(rsaPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dsaPubKeyAttrs[] = {
+    CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dsaPubKeyAttrsCount = 
+			sizeof(dsaPubKeyAttrs)/sizeof(dsaPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
+    CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dhPubKeyAttrsCount = 
+			sizeof(dhPubKeyAttrs)/sizeof(dhPubKeyAttrs[0]);
+#ifdef NSS_ENABLE_ECC
+static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
+    CKA_EC_PARAMS, CKA_EC_POINT
+};
+static const CK_ULONG ecPubKeyAttrsCount = 
+			sizeof(ecPubKeyAttrs)/sizeof(ecPubKeyAttrs[0]);
+#endif
+
+static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
+    CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
+    CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB
+};
+static const CK_ULONG commonPrivKeyAttrsCount = 
+		sizeof(commonPrivKeyAttrs)/sizeof(commonPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE rsaPrivKeyAttrs[] = {
+    CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, 
+    CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT
+};
+static const CK_ULONG rsaPrivKeyAttrsCount = 
+			sizeof(rsaPrivKeyAttrs)/sizeof(rsaPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dsaPrivKeyAttrs[] = {
+    CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dsaPrivKeyAttrsCount = 
+			sizeof(dsaPrivKeyAttrs)/sizeof(dsaPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
+    CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dhPrivKeyAttrsCount = 
+			sizeof(dhPrivKeyAttrs)/sizeof(dhPrivKeyAttrs[0]);
+#ifdef NSS_ENABLE_ECC
+static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
+    CKA_EC_PARAMS, CKA_VALUE
+};
+static const CK_ULONG ecPrivKeyAttrsCount = 
+			sizeof(ecPrivKeyAttrs)/sizeof(ecPrivKeyAttrs[0]);
+#endif
+
+static const CK_ATTRIBUTE_TYPE certAttrs[] = {
+    CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
+};
+static const CK_ULONG certAttrsCount = 
+		sizeof(certAttrs)/sizeof(certAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE trustAttrs[] = {
+    CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+    CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_EMAIL_PROTECTION,
+    CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ULONG trustAttrsCount = 
+		sizeof(trustAttrs)/sizeof(trustAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE smimeAttrs[] = {
+    CKA_SUBJECT, CKA_NETSCAPE_EMAIL, CKA_NETSCAPE_SMIME_TIMESTAMP, CKA_VALUE
+};
+static const CK_ULONG smimeAttrsCount = 
+		sizeof(smimeAttrs)/sizeof(smimeAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE crlAttrs[] = {
+    CKA_SUBJECT, CKA_VALUE, CKA_NETSCAPE_URL, CKA_NETSCAPE_KRL
+};
+static const CK_ULONG crlAttrsCount = 
+		sizeof(crlAttrs)/sizeof(crlAttrs[0]);
+
+/* copy an object based on it's table */
+CK_RV
+stfk_CopyTokenAttributes(SFTKObject *destObject,SFTKTokenObject *src_to,
+	const CK_ATTRIBUTE_TYPE *attrArray, CK_ULONG attrCount)
+{
+    SFTKAttribute *attribute;
+    SFTKAttribute *newAttribute;
+    CK_RV crv = CKR_OK;
+    unsigned int i;
+
+    for (i=0; i < attrCount; i++) {
+	if (!sftk_hasAttribute(destObject,attrArray[i])) {
+	    attribute =sftk_FindAttribute(&src_to->obj, attrArray[i]);
+	    if (!attribute) {
+		continue; /* return CKR_ATTRIBUTE_VALUE_INVALID; */
+	    }
+	    /* we need to copy the attribute since each attribute
+	     * only has one set of link list pointers */
+	    newAttribute = sftk_NewAttribute( destObject,
+				sftk_attr_expand(&attribute->attrib));
+	    sftk_FreeAttribute(attribute); /* free the old attribute */
+	    if (!newAttribute) {
+		return CKR_HOST_MEMORY;
+	    }
+	    sftk_AddAttribute(destObject,newAttribute);
+	}
+    }
+    return crv;
+}
+
+CK_RV
+stfk_CopyTokenPrivateKey(SFTKObject *destObject,SFTKTokenObject *src_to)
+{
+    CK_RV crv;
+    CK_KEY_TYPE key_type;
+    SFTKAttribute *attribute;
+
+    /* copy the common attributes for all keys first */
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+							commonKeyAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+    /* copy the common attributes for all private keys next */
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonPrivKeyAttrs,
+						commonPrivKeyAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+    attribute =sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
+    PORT_Assert(attribute); /* if it wasn't here, ww should have failed
+			     * copying the common attributes */
+    if (!attribute) {
+	/* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
+	 * the fact is, the only reason we couldn't get the attribute would
+	 * be a memory error or database error (an error in the 'device').
+	 * if we have a database error code, we could return it here */
+	crv = CKR_DEVICE_ERROR;
+	goto fail;
+    }
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+    
+    /* finally copy the attributes for various private key types */
+    switch (key_type) {
+    case CKK_RSA:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPrivKeyAttrs,
+							rsaPrivKeyAttrsCount);
+	break;
+    case CKK_DSA:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
+							dsaPrivKeyAttrsCount);
+	break;
+    case CKK_DH:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
+							dhPrivKeyAttrsCount);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
+							ecPrivKeyAttrsCount);
+	break;
+#endif
+     default:
+	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+				* of token keys into our database. */
+    }
+fail:
+    return crv;
+}
+
+CK_RV
+stfk_CopyTokenPublicKey(SFTKObject *destObject,SFTKTokenObject *src_to)
+{
+    CK_RV crv;
+    CK_KEY_TYPE key_type;
+    SFTKAttribute *attribute;
+
+    /* copy the common attributes for all keys first */
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+							commonKeyAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+
+    /* copy the common attributes for all public keys next */
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonPubKeyAttrs,
+							commonPubKeyAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+    attribute =sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
+    PORT_Assert(attribute); /* if it wasn't here, ww should have failed
+			     * copying the common attributes */
+    if (!attribute) {
+	/* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
+	 * the fact is, the only reason we couldn't get the attribute would
+	 * be a memory error or database error (an error in the 'device').
+	 * if we have a database error code, we could return it here */
+	crv = CKR_DEVICE_ERROR;
+	goto fail;
+    }
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    sftk_FreeAttribute(attribute);
+    
+    /* finally copy the attributes for various public key types */
+    switch (key_type) {
+    case CKK_RSA:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPubKeyAttrs,
+							rsaPubKeyAttrsCount);
+	break;
+    case CKK_DSA:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
+							dsaPubKeyAttrsCount);
+	break;
+    case CKK_DH:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
+							dhPubKeyAttrsCount);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
+							ecPubKeyAttrsCount);
+	break;
+#endif
+     default:
+	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+				* of token keys into our database. */
+    }
+fail:
+    return crv;
+}
+CK_RV
+stfk_CopyTokenSecretKey(SFTKObject *destObject,SFTKTokenObject *src_to)
+{
+    CK_RV crv;
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+							commonKeyAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+    crv = stfk_CopyTokenAttributes(destObject, src_to, secretKeyAttrs,
+							secretKeyAttrsCount);
+fail:
+    return crv;
+}
+
+/*
+ * Copy a token object. We need to explicitly copy the relevant
+ * attributes since token objects don't store those attributes in
+ * the token itself.
+ */
+CK_RV
+sftk_CopyTokenObject(SFTKObject *destObject,SFTKObject *srcObject)
+{
+    SFTKTokenObject *src_to = sftk_narrowToTokenObject(srcObject);
+    CK_RV crv;
+
+    PORT_Assert(src_to);
+    if (src_to == NULL) {
+	return CKR_DEVICE_ERROR; /* internal state inconsistant */
+    }
+
+    crv = stfk_CopyTokenAttributes(destObject, src_to, commonAttrs,
+							commonAttrsCount);
+    if (crv != CKR_OK) {
+	goto fail;
+    }
+    switch (src_to->obj.objclass) {
+    case CKO_CERTIFICATE:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, certAttrs,
+							certAttrsCount);
+ 	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, trustAttrs,
+							trustAttrsCount);
+	break;
+    case CKO_NETSCAPE_SMIME:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, smimeAttrs,
+							smimeAttrsCount);
+	break;
+    case CKO_NETSCAPE_CRL:
+	crv = stfk_CopyTokenAttributes(destObject, src_to, crlAttrs,
+							crlAttrsCount);
+	break;
+    case CKO_PRIVATE_KEY:
+	crv = stfk_CopyTokenPrivateKey(destObject,src_to);
+	break;
+    case CKO_PUBLIC_KEY:
+	crv = stfk_CopyTokenPublicKey(destObject,src_to);
+	break;
+    case CKO_SECRET_KEY:
+	crv = stfk_CopyTokenSecretKey(destObject,src_to);
+	break;
+    default:
+	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+				* of token keys into our database. */
+    }
+fail:
+    return crv;
+}
+
+/*
+ * copy the attributes from one object to another. Don't overwrite existing
+ * attributes. NOTE: This is a pretty expensive operation since it
+ * grabs the attribute locks for the src object for a *long* time.
+ */
+CK_RV
+sftk_CopyObject(SFTKObject *destObject,SFTKObject *srcObject)
+{
+    SFTKAttribute *attribute;
+    SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
+    unsigned int i;
+
+    if (src_so == NULL) {
+	return sftk_CopyTokenObject(destObject,srcObject); 
+    }
+
+    PZ_Lock(src_so->attributeLock);
+    for(i=0; i < src_so->hashSize; i++) {
+	attribute = src_so->head[i];
+	do {
+	    if (attribute) {
+		if (!sftk_hasAttribute(destObject,attribute->handle)) {
+		    /* we need to copy the attribute since each attribute
+		     * only has one set of link list pointers */
+		    SFTKAttribute *newAttribute = sftk_NewAttribute(
+			  destObject,sftk_attr_expand(&attribute->attrib));
+		    if (newAttribute == NULL) {
+			PZ_Unlock(src_so->attributeLock);
+			return CKR_HOST_MEMORY;
+		    }
+		    sftk_AddAttribute(destObject,newAttribute);
+		}
+		attribute=attribute->next;
+	    }
+	} while (attribute != NULL);
+    }
+    PZ_Unlock(src_so->attributeLock);
+
+    return CKR_OK;
+}
+
+/*
+ * ******************** Search Utilities *******************************
+ */
+
+/* add an object to a search list */
+CK_RV
+AddToList(SFTKObjectListElement **list,SFTKObject *object)
+{
+     SFTKObjectListElement *newElem = 
+	(SFTKObjectListElement *)PORT_Alloc(sizeof(SFTKObjectListElement));
+
+     if (newElem == NULL) return CKR_HOST_MEMORY;
+
+     newElem->next = *list;
+     newElem->object = object;
+     sftk_ReferenceObject(object);
+
+    *list = newElem;
+    return CKR_OK;
+}
+
+
+/* return true if the object matches the template */
+PRBool
+sftk_objectMatch(SFTKObject *object,CK_ATTRIBUTE_PTR theTemplate,int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	SFTKAttribute *attribute = sftk_FindAttribute(object,theTemplate[i].type);
+	if (attribute == NULL) {
+	    return PR_FALSE;
+	}
+	if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
+	    if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
+					theTemplate[i].ulValueLen) == 0) {
+        	sftk_FreeAttribute(attribute);
+		continue;
+	    }
+	}
+        sftk_FreeAttribute(attribute);
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/* search through all the objects in the queue and return the template matches
+ * in the object list.
+ */
+CK_RV
+sftk_searchObjectList(SFTKSearchResults *search,SFTKObject **head, 
+	unsigned int size, PZLock *lock, CK_ATTRIBUTE_PTR theTemplate, 
+						int count, PRBool isLoggedIn)
+{
+    unsigned int i;
+    SFTKObject *object;
+    CK_RV crv = CKR_OK;
+
+    for(i=0; i < size; i++) {
+        /* We need to hold the lock to copy a consistant version of
+         * the linked list. */
+        PZ_Lock(lock);
+	for (object = head[i]; object != NULL; object= object->next) {
+	    if (sftk_objectMatch(object,theTemplate,count)) {
+		/* don't return objects that aren't yet visible */
+		if ((!isLoggedIn) && sftk_isTrue(object,CKA_PRIVATE)) continue;
+		sftk_addHandle(search,object->handle);
+	    }
+	}
+        PZ_Unlock(lock);
+    }
+    return crv;
+}
+
+/*
+ * free a single list element. Return the Next object in the list.
+ */
+SFTKObjectListElement *
+sftk_FreeObjectListElement(SFTKObjectListElement *objectList)
+{
+    SFTKObjectListElement *ol = objectList->next;
+
+    sftk_FreeObject(objectList->object);
+    PORT_Free(objectList);
+    return ol;
+}
+
+/* free an entire object list */
+void
+sftk_FreeObjectList(SFTKObjectListElement *objectList)
+{
+    SFTKObjectListElement *ol;
+
+    for (ol= objectList; ol != NULL; ol = sftk_FreeObjectListElement(ol)) {}
+}
+
+/*
+ * free a search structure
+ */
+void
+sftk_FreeSearch(SFTKSearchResults *search)
+{
+    if (search->handles) {
+	PORT_Free(search->handles);
+    }
+    PORT_Free(search);
+}
+
+/*
+ * ******************** Session Utilities *******************************
+ */
+
+/* update the sessions state based in it's flags and wether or not it's
+ * logged in */
+void
+sftk_update_state(SFTKSlot *slot,SFTKSession *session)
+{
+    if (slot->isLoggedIn) {
+	if (slot->ssoLoggedIn) {
+    	    session->info.state = CKS_RW_SO_FUNCTIONS;
+	} else if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_USER_FUNCTIONS;
+	} else {
+    	    session->info.state = CKS_RO_USER_FUNCTIONS;
+	}
+    } else {
+	if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_PUBLIC_SESSION;
+	} else {
+    	    session->info.state = CKS_RO_PUBLIC_SESSION;
+	}
+    }
+}
+
+/* update the state of all the sessions on a slot */
+void
+sftk_update_all_states(SFTKSlot *slot)
+{
+    unsigned int i;
+    SFTKSession *session;
+
+    for (i=0; i < slot->sessHashSize; i++) {
+	PZLock *lock = SFTK_SESSION_LOCK(slot,i);
+	PZ_Lock(lock);
+	for (session = slot->head[i]; session; session = session->next) {
+	    sftk_update_state(slot,session);
+	}
+	PZ_Unlock(lock);
+    }
+}
+
+/*
+ * context are cipher and digest contexts that are associated with a session
+ */
+void
+sftk_FreeContext(SFTKSessionContext *context)
+{
+    if (context->cipherInfo) {
+	(*context->destroy)(context->cipherInfo,PR_TRUE);
+    }
+    if (context->hashInfo) {
+	(*context->hashdestroy)(context->hashInfo,PR_TRUE);
+    }
+    if (context->key) {
+	sftk_FreeObject(context->key);
+	context->key = NULL;
+    }
+    PORT_Free(context);
+}
+
+/*
+ * create a new nession. NOTE: The session handle is not set, and the
+ * session is not added to the slot's session queue.
+ */
+SFTKSession *
+sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+							     CK_FLAGS flags)
+{
+    SFTKSession *session;
+    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+
+    if (slot == NULL) return NULL;
+
+    session = (SFTKSession*)PORT_Alloc(sizeof(SFTKSession));
+    if (session == NULL) return NULL;
+
+    session->next = session->prev = NULL;
+    session->refCount = 1;
+    session->enc_context = NULL;
+    session->hash_context = NULL;
+    session->sign_context = NULL;
+    session->search = NULL;
+    session->objectIDCount = 1;
+    session->objectLock = PZ_NewLock(nssILockObject);
+    if (session->objectLock == NULL) {
+	PORT_Free(session);
+	return NULL;
+    }
+    session->objects[0] = NULL;
+
+    session->slot = slot;
+    session->notify = notify;
+    session->appData = pApplication;
+    session->info.flags = flags;
+    session->info.slotID = slotID;
+    session->info.ulDeviceError = 0;
+    sftk_update_state(slot,session);
+    return session;
+}
+
+
+/* free all the data associated with a session. */
+static void
+sftk_DestroySession(SFTKSession *session)
+{
+    SFTKObjectList *op,*next;
+    PORT_Assert(session->refCount == 0);
+
+    /* clean out the attributes */
+    /* since no one is referencing us, it's safe to walk the chain
+     * without a lock */
+    for (op = session->objects[0]; op != NULL; op = next) {
+        next = op->next;
+        /* paranoia */
+	op->next = op->prev = NULL;
+	sftk_DeleteObject(session,op->parent);
+    }
+    PZ_DestroyLock(session->objectLock);
+    if (session->enc_context) {
+	sftk_FreeContext(session->enc_context);
+    }
+    if (session->hash_context) {
+	sftk_FreeContext(session->hash_context);
+    }
+    if (session->sign_context) {
+	sftk_FreeContext(session->sign_context);
+    }
+    if (session->search) {
+	sftk_FreeSearch(session->search);
+    }
+    PORT_Free(session);
+}
+
+
+/*
+ * look up a session structure from a session handle
+ * generate a reference to it.
+ */
+SFTKSession *
+sftk_SessionFromHandle(CK_SESSION_HANDLE handle)
+{
+    SFTKSlot	*slot = sftk_SlotFromSessionHandle(handle);
+    SFTKSession *session;
+    PZLock	*lock;
+    
+    if (!slot) return NULL;
+    lock = SFTK_SESSION_LOCK(slot,handle);
+
+    PZ_Lock(lock);
+    sftkqueue_find(session,handle,slot->head,slot->sessHashSize);
+    if (session) session->refCount++;
+    PZ_Unlock(lock);
+
+    return (session);
+}
+
+/*
+ * release a reference to a session handle
+ */
+void
+sftk_FreeSession(SFTKSession *session)
+{
+    PRBool destroy = PR_FALSE;
+    SFTKSlot *slot = sftk_SlotFromSession(session);
+    PZLock *lock = SFTK_SESSION_LOCK(slot,session->handle);
+
+    PZ_Lock(lock);
+    if (session->refCount == 1) destroy = PR_TRUE;
+    session->refCount--;
+    PZ_Unlock(lock);
+
+    if (destroy) sftk_DestroySession(session);
+}
+
+void
+sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle)
+{
+    if (search->handles == NULL) {
+	return;
+    }
+    if (search->size >= search->array_size) {
+	search->array_size += NSC_SEARCH_BLOCK_SIZE;
+	search->handles = (CK_OBJECT_HANDLE *) PORT_Realloc(search->handles,
+				 sizeof(CK_OBJECT_HANDLE)* search->array_size);
+	if (search->handles == NULL) {
+	   return;
+	}
+    }
+    search->handles[search->size] = handle;
+    search->size++;
+}
+
+static  CK_RV
+handleToClass(SFTKSlot *slot, CK_OBJECT_HANDLE handle, 
+	      CK_OBJECT_CLASS *objClass)
+{
+    SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, handle);
+    CK_ATTRIBUTE objClassTemplate;
+    CK_RV crv;
+
+    *objClass = CKO_DATA;
+    objClassTemplate.type = CKA_CLASS;
+    objClassTemplate.pValue = objClass;
+    objClassTemplate.ulValueLen = sizeof(*objClass);
+    crv = sftkdb_GetAttributeValue(dbHandle, handle, &objClassTemplate, 1);
+    sftk_freeDB(dbHandle);
+    return crv;
+}
+
+SFTKObject *
+sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+    SFTKObject *object = NULL;
+    SFTKTokenObject *tokObject = NULL;
+    PRBool hasLocks = PR_FALSE;
+    CK_RV crv;
+
+    object = sftk_GetObjectFromList(&hasLocks, PR_FALSE, &tokenObjectList,  0,
+							PR_FALSE);
+    if (object == NULL) {
+	return NULL;
+    }
+    tokObject = (SFTKTokenObject *) object;
+
+    object->handle = handle;
+    /* every object must have a class, if we can't get it, the object
+     * doesn't exist */
+    crv = handleToClass(slot, handle, &object->objclass);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    object->slot = slot;
+    object->objectInfo = NULL;
+    object->infoFree = NULL;
+    if (!hasLocks) {
+	object->refLock = PZ_NewLock(nssILockRefLock);
+    }
+    if (object->refLock == NULL) {
+	goto loser;
+    }
+    object->refCount = 1;
+
+    return object;
+loser:
+    if (object) {
+	(void) sftk_DestroyObject(object);
+    }
+    return NULL;
+
+}
+
+SFTKTokenObject *
+sftk_convertSessionToToken(SFTKObject *obj)
+{
+    SECItem *key;
+    SFTKSessionObject *so = (SFTKSessionObject *)obj;
+    SFTKTokenObject *to = sftk_narrowToTokenObject(obj);
+    SECStatus rv;
+
+    sftk_DestroySessionObjectData(so);
+    PZ_DestroyLock(so->attributeLock);
+    if (to == NULL) {
+	return NULL;
+    }
+    sftk_tokenKeyLock(so->obj.slot);
+    key = sftk_lookupTokenKeyByHandle(so->obj.slot,so->obj.handle);
+    if (key == NULL) {
+    	sftk_tokenKeyUnlock(so->obj.slot);
+	return NULL;
+    }
+    rv = SECITEM_CopyItem(NULL,&to->dbKey,key);
+    sftk_tokenKeyUnlock(so->obj.slot);
+    if (rv == SECFailure) {
+	return NULL;
+    }
+
+    return to;
+}
+
+SFTKSessionObject *
+sftk_narrowToSessionObject(SFTKObject *obj)
+{
+    return !sftk_isToken(obj->handle) ? (SFTKSessionObject *)obj : NULL;
+}
+
+SFTKTokenObject *
+sftk_narrowToTokenObject(SFTKObject *obj)
+{
+    return sftk_isToken(obj->handle) ? (SFTKTokenObject *)obj : NULL;
+}
+
diff --git a/security/nss/lib/softoken/pkcs11u.h b/security/nss/lib/softoken/pkcs11u.h
new file mode 100644
index 000000000..8383b471d
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.h
@@ -0,0 +1,52 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/*
+ * reset any packing set by pkcs11p.h
+ */
+
+#if defined (_WIN32)
+#ifdef _MSC_VER
+#pragma warning(disable:4103)
+#endif
+#pragma pack(pop, cryptoki)
+#endif
+
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
new file mode 100644
index 000000000..6c7fa0f30
--- /dev/null
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -0,0 +1,917 @@
+/*
+ * PKCS#1 encoding and decoding functions.
+ * This file is believed to contain no code licensed from other parties.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "blapi.h"
+#include "softoken.h"
+#include "sechash.h"
+
+#include "lowkeyi.h"
+#include "secerr.h"
+
+#define RSA_BLOCK_MIN_PAD_LEN		8
+#define RSA_BLOCK_FIRST_OCTET		0x00
+#define RSA_BLOCK_PRIVATE0_PAD_OCTET	0x00
+#define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
+#define RSA_BLOCK_AFTER_PAD_OCTET	0x00
+
+#define OAEP_SALT_LEN		8
+#define OAEP_PAD_LEN		8
+#define OAEP_PAD_OCTET		0x00
+
+#define FLAT_BUFSIZE 512	/* bytes to hold flattened SHA1Context. */
+
+static SHA1Context *
+SHA1_CloneContext(SHA1Context *original)
+{
+    SHA1Context *  clone	= NULL;
+    unsigned char *pBuf;
+    int            sha1ContextSize = SHA1_FlattenSize(original);
+    SECStatus      frv;
+    unsigned char  buf[FLAT_BUFSIZE];
+
+    PORT_Assert(sizeof buf >= sha1ContextSize);
+    if (sizeof buf >= sha1ContextSize) {
+    	pBuf = buf;
+    } else {
+        pBuf = PORT_Alloc(sha1ContextSize);
+	if (!pBuf)
+	    goto done;
+    }
+
+    frv = SHA1_Flatten(original, pBuf);
+    if (frv == SECSuccess) {
+	clone = SHA1_Resurrect(pBuf, NULL);
+	memset(pBuf, 0, sha1ContextSize);
+    }
+done:
+    if (pBuf != buf)
+    	PORT_Free(pBuf);
+    return clone;
+}
+
+/*
+ * Modify data by XORing it with a special hash of salt.
+ */
+static SECStatus
+oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+		 unsigned char *salt, unsigned int saltlen)
+{
+    SHA1Context *sha1cx;
+    unsigned char *dp, *dataend;
+    unsigned char end_octet;
+
+    sha1cx = SHA1_NewContext();
+    if (sha1cx == NULL) {
+	return SECFailure;
+    }
+
+    /*
+     * Get a hash of salt started; we will use it several times,
+     * adding in a different end octet (x00, x01, x02, ...).
+     */
+    SHA1_Begin (sha1cx);
+    SHA1_Update (sha1cx, salt, saltlen);
+    end_octet = 0;
+
+    dp = data;
+    dataend = data + datalen;
+
+    while (dp < dataend) {
+	SHA1Context *sha1cx_h1;
+	unsigned int sha1len, sha1off;
+	unsigned char sha1[SHA1_LENGTH];
+
+	/*
+	 * Create hash of (salt || end_octet)
+	 */
+	sha1cx_h1 = SHA1_CloneContext (sha1cx);
+	SHA1_Update (sha1cx_h1, &end_octet, 1);
+	SHA1_End (sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+	SHA1_DestroyContext (sha1cx_h1, PR_TRUE);
+	PORT_Assert (sha1len == SHA1_LENGTH);
+
+	/*
+	 * XOR that hash with the data.
+	 * When we have fewer than SHA1_LENGTH octets of data
+	 * left to xor, use just the low-order ones of the hash.
+	 */
+	sha1off = 0;
+	if ((dataend - dp) < SHA1_LENGTH)
+	    sha1off = SHA1_LENGTH - (dataend - dp);
+	while (sha1off < SHA1_LENGTH)
+	    *dp++ ^= sha1[sha1off++];
+
+	/*
+	 * Bump for next hash chunk.
+	 */
+	end_octet++;
+    }
+
+    SHA1_DestroyContext (sha1cx, PR_TRUE);
+    return SECSuccess;
+}
+
+/*
+ * Modify salt by XORing it with a special hash of data.
+ */
+static SECStatus
+oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+		 unsigned char *data, unsigned int datalen)
+{
+    unsigned char sha1[SHA1_LENGTH];
+    unsigned char *psalt, *psha1, *saltend;
+    SECStatus rv;
+
+    /*
+     * Create a hash of data.
+     */
+    rv = SHA1_HashBuf (sha1, data, datalen);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    /*
+     * XOR the low-order octets of that hash with salt.
+     */
+    PORT_Assert (saltlen <= SHA1_LENGTH);
+    saltend = salt + saltlen;
+    psalt = salt;
+    psha1 = sha1 + SHA1_LENGTH - saltlen;
+    while (psalt < saltend) {
+	*psalt++ ^= *psha1++;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1.
+ */
+static unsigned char *
+rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
+		   SECItem *data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    int i;
+    SECStatus rv;
+
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+	return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = (unsigned char) blockType;
+
+    switch (blockType) {
+
+      /*
+       * Blocks intended for private-key operation.
+       */
+      case RSA_BlockPrivate0: /* essentially unused */
+      case RSA_BlockPrivate:	 /* preferred method */
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+	PORT_Memset (bp,
+		   blockType == RSA_BlockPrivate0
+			? RSA_BLOCK_PRIVATE0_PAD_OCTET
+			: RSA_BLOCK_PRIVATE_PAD_OCTET,
+		   padLen);
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+	break;
+
+      /*
+       * Blocks intended for public-key operation.
+       */
+      case RSA_BlockPublic:
+
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is all non-zero random bytes.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+	for (i = 0; i < padLen; i++) {
+	    /* Pad with non-zero random data. */
+	    do {
+		rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+	    } while (rv == SECSuccess && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+	    if (rv != SECSuccess) {
+		sftk_fatalError = PR_TRUE;
+		PORT_Free (block);
+		return NULL;
+	    }
+	}
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+
+	break;
+
+      /*
+       * Blocks intended for public-key operation, using
+       * Optimal Asymmetric Encryption Padding (OAEP).
+       */
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+	 *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
+	 *
+	 * where:
+	 *   PaddedData is "Pad1 || ActualData [|| Pad2]"
+	 *   Salt is random data.
+	 *   Pad1 is all zeros.
+	 *   Pad2, if present, is random data.
+	 *   (The "modified" fields are all the same length as the original
+	 * unmodified values; they are just xor'd with other values.)
+	 *
+	 *   Modified1 is an XOR of PaddedData with a special octet
+	 * string constructed of iterated hashing of Salt (see below).
+	 *   Modified2 is an XOR of Salt with the low-order octets of
+	 * the hash of Modified1 (see farther below ;-).
+	 *
+	 * Whew!
+	 */
+
+
+	/*
+	 * Salt
+	 */
+	rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+	if (rv != SECSuccess) {
+	    sftk_fatalError = PR_TRUE;
+	    PORT_Free (block);
+	    return NULL;
+	}
+	bp += OAEP_SALT_LEN;
+
+	/*
+	 * Pad1
+	 */
+	PORT_Memset (bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+	bp += OAEP_PAD_LEN;
+
+	/*
+	 * Data
+	 */
+	PORT_Memcpy (bp, data->data, data->len);
+	bp += data->len;
+
+	/*
+	 * Pad2
+	 */
+	if (bp < (block + modulusLen)) {
+	    rv = RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
+	    if (rv != SECSuccess) {
+		sftk_fatalError = PR_TRUE;
+		PORT_Free (block);
+		return NULL;
+	    }
+	}
+
+	/*
+	 * Now we have the following:
+	 * 0x00 || BT || Salt || PaddedData
+	 * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+	 * as the one entity PaddedData.)
+	 *
+	 * We need to turn PaddedData into Modified1.
+	 */
+	if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN,
+			     block + 2, OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	/*
+	 * Now we have:
+	 * 0x00 || BT || Salt || Modified1(PaddedData)
+	 *
+	 * The remaining task is to turn Salt into Modified2.
+	 */
+	if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+			     block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	break;
+
+      default:
+	PORT_Assert (0);
+	PORT_Free (block);
+	return NULL;
+    }
+
+    return block;
+}
+
+static SECStatus
+rsa_FormatBlock(SECItem *result, unsigned modulusLen,
+		RSA_BlockType blockType, SECItem *data)
+{
+    /*
+     * XXX For now assume that the data length fits in a single
+     * XXX encryption block; the ASSERTs below force this.
+     * XXX To fix it, each case will have to loop over chunks whose
+     * XXX lengths satisfy the assertions, until all data is handled.
+     * XXX (Unless RSA has more to say about how to handle data
+     * XXX which does not fit in a single encryption block?)
+     * XXX And I do not know what the result is supposed to be,
+     * XXX so the interface to this function may need to change
+     * XXX to allow for returning multiple blocks, if they are
+     * XXX not wanted simply concatenated one after the other.
+     */
+
+    switch (blockType) {
+      case RSA_BlockPrivate0:
+      case RSA_BlockPrivate:
+      case RSA_BlockPublic:
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *
+	 * The "3" below is the first octet + the second octet + the 0x00
+	 * octet that always comes just before the ActualData.
+	 */
+	PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+	 *
+	 * The "2" below is the first octet + the second octet.
+	 * (The other fields do not contain the clear values, but are
+	 * the same length as the clear values.)
+	 */
+	PORT_Assert (data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+						 + OAEP_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockRaw:
+	/*
+	 * Pad || ActualData
+	 * Pad is zeros. The application is responsible for recovering
+	 * the actual data.
+	 */
+	if (data->len > modulusLen ) {
+	    return SECFailure;
+	}
+	result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+	result->len = modulusLen;
+	PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
+	break;
+
+      default:
+	PORT_Assert (0);
+	result->data = NULL;
+	result->len = 0;
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_Sign(NSSLOWKEYPrivateKey *key, 
+         unsigned char *      output, 
+	 unsigned int *       output_len,
+         unsigned int         maxOutputLen, 
+	 unsigned char *      input, 
+	 unsigned int         input_len)
+{
+    SECStatus     rv          = SECSuccess;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
+			 &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *output_len = modulus_len;
+
+    goto done;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSign(NSSLOWKEYPublicKey *key,
+              unsigned char *     sign, 
+	      unsigned int        sign_len, 
+	      unsigned char *     hash, 
+	      unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    modulus_len = nsslowkey_PublicModulusLen(key);
+    if (sign_len != modulus_len) 
+    	goto failure;
+    /*
+     * 0x00 || BT || Pad || 0x00 || ActualData
+     *
+     * The "3" below is the first octet + the second octet + the 0x00
+     * octet that always comes just before the ActualData.
+     */
+    if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN)) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len - hash_len - 1; i++) {
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+    if (buffer[i] != 0) 
+	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
+                     unsigned char *     data,
+                     unsigned int *      data_len, 
+		     unsigned int        max_output_len, 
+		     unsigned char *     sign,
+		     unsigned int        sign_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+    	goto loser;
+    *data_len = 0;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *data_len = modulus_len - i - 1;
+	    break;
+	}
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+    if (*data_len == 0) 
+    	goto loser;
+    if (*data_len > max_output_len) 
+    	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptBlock(NSSLOWKEYPublicKey *key, 
+                 unsigned char *     output, 
+		 unsigned int *      output_len,
+                 unsigned int        max_output_len, 
+		 unsigned char *     input, 
+		 unsigned int        input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
+			 &unformatted);
+    if (rv != SECSuccess) 
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, 
+                 unsigned char *      output, 
+		 unsigned int *       output_len,
+                 unsigned int         max_output_len, 
+		 unsigned char *      input, 
+		 unsigned int         input_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PrivateModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	    sftk_fatalError = PR_TRUE;
+	}
+    	goto loser;
+    }
+
+    if (buffer[0] != 0 || buffer[1] != 2) 
+    	goto loser;
+    *output_len = 0;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *output_len = modulus_len - i - 1;
+	    break;
+	}
+    }
+    if (*output_len == 0) 
+    	goto loser;
+    if (*output_len > max_output_len) 
+    	goto loser;
+
+    PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+SECStatus
+RSA_SignRaw(NSSLOWKEYPrivateKey *key, 
+            unsigned char *      output, 
+	    unsigned int *       output_len,
+            unsigned int         maxOutputLen, 
+	    unsigned char *      input, 
+	    unsigned int         input_len)
+{
+    SECStatus    rv          = SECSuccess;
+    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem      formatted;
+    SECItem      unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *output_len = modulus_len;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
+                 unsigned char *     sign, 
+		 unsigned int        sign_len, 
+		 unsigned char *     hash, 
+		 unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (hash_len > modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    /* NOTE: should we verify the leading zeros? */
+    if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
+                        unsigned char *     data,
+                        unsigned int *      data_len, 
+			unsigned int        max_output_len, 
+			unsigned char *     sign,
+			unsigned int        sign_len)
+{
+    SECStatus      rv;
+    unsigned int   modulus_len = nsslowkey_PublicModulusLen(key);
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
+    if (rv != SECSuccess)
+	goto failure;
+
+    *data_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
+
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptRaw(NSSLOWKEYPublicKey *key, 
+	       unsigned char *     output, 
+	       unsigned int *      output_len,
+               unsigned int        max_output_len, 
+	       unsigned char *     input, 
+	       unsigned int        input_len)
+{
+    SECStatus rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess)
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, 
+               unsigned char *      output, 
+	       unsigned int *       output_len,
+               unsigned int         max_output_len, 
+	       unsigned char *      input, 
+	       unsigned int         input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+
+    if (modulus_len <= 0) 
+    	goto failure;
+    if (modulus_len > max_output_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len) 
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	    sftk_fatalError = PR_TRUE;
+	}
+    	goto failure;
+    }
+
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
new file mode 100644
index 000000000..f492e8e97
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.c
@@ -0,0 +1,2028 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Red Hat, Inc.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+
+#include "sdb.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include <sqlite3.h>
+#include "prthread.h"
+#include "prio.h"
+#include "stdio.h"
+#include "secport.h"
+#include "prmon.h"
+#include "prenv.h"
+
+#ifdef SQLITE_UNSAFE_THREADS
+#include "prlock.h"
+/*
+ * SQLite can be compiled to be thread safe or not.
+ * turn on SQLITE_UNSAFE_THREADS if the OS does not support
+ * a thread safe version of sqlite.
+ */
+static PRLock *sqlite_lock = NULL;
+
+#define LOCK_SQLITE()  PR_Lock(sqlite_lock);
+#define UNLOCK_SQLITE()  PR_Unlock(sqlite_lock);
+#else
+#define LOCK_SQLITE()  
+#define UNLOCK_SQLITE()  
+#endif
+
+typedef enum {
+	SDB_CERT = 1,
+	SDB_KEY = 2
+} sdbDataType;
+
+/*
+ * defines controlling how long we wait to acquire locks.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT specifies how long (in milliseconds)
+ *  sqlite will wait on lock. If that timeout expires, sqlite will
+ *  return SQLITE_BUSY.
+ * SDB_BUSY_RETRY_TIME specifies how many seconds the sdb_ code waits
+ *  after receiving a busy before retrying.
+ * SDB_MAX_BUSY_RETRIES specifies how many times the sdb_ will retry on
+ *  a busy condition.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT affects all opertions, both manual 
+ *   (prepare/step/reset/finalize) and automatic (sqlite3_exec()).
+ * SDB_BUSY_RETRY_TIME and SDB_MAX_BUSY_RETRIES only affect manual operations
+ * 
+ * total wait time for automatic operations: 
+ *   1 second (SDB_SQLITE_BUSY_TIMEOUT/1000).
+ * total wait time for manual operations: 
+ *   (1 second + 5 seconds) * 10 = 60 seconds.
+ * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES
+ */
+#define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */
+#define SDB_BUSY_RETRY_TIME        5 /* seconds */
+#define SDB_MAX_BUSY_RETRIES      10
+
+/*
+ * Note on use of sqlReadDB: Only one thread at a time may have an actual
+ * operation going on given sqlite3 * database. An operation is defined as
+ * the time from a sqlite3_prepare() until the sqlite3_finalize().
+ * Multiple sqlite3 * databases can be open and have simultaneous operations
+ * going. We use the sqlXactDB for all write operations. This database
+ * is only opened when we first create a transaction and closed when the
+ * transaction is complete. sqlReadDB is open when we first opened the database
+ * and is used for all read operation. It's use is protected by a monitor. This
+ * is because an operation can span the use of FindObjectsInit() through the
+ * call to FindObjectsFinal(). In the intermediate time it is possible to call
+ * other operations like NSC_GetAttributeValue */
+
+struct SDBPrivateStr {
+    char *sqlDBName;		/* invariant, path to this database */
+    sqlite3 *sqlXactDB;		/* access protected by dbMon, use protected
+                                 * by the transaction. Current transaction db*/
+    PRThread *sqlXactThread;	/* protected by dbMon,
+			         * current transaction thread */
+    sqlite3 *sqlReadDB;		/* use protected by dbMon, value invariant */
+    PRIntervalTime lastUpdateTime;  /* last time the cache was updated */
+    PRIntervalTime updateInterval;  /* how long the cache can go before it 
+                                     * must be updated again */
+    sdbDataType type;		/* invariant, database type */
+    char *table;	        /* invariant, SQL table which contains the db */
+    char *cacheTable;	        /* invariant, SQL table cache of db */
+    PRMonitor *dbMon;		/* invariant, monitor to protect 
+				 * sqlXact* fields, and use of the sqlReadDB */
+};
+
+typedef struct SDBPrivateStr SDBPrivate;
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+    CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+    CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+    CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+    CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+    CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+    CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+    CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+    CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+    CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+    CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+    CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, 
+    CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+    CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+    CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+    CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+    CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE,
+    CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT,
+    CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS,
+    CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS,
+    CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE,
+    CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES,
+    CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NETSCAPE_URL, CKA_NETSCAPE_EMAIL,
+    CKA_NETSCAPE_SMIME_INFO, CKA_NETSCAPE_SMIME_TIMESTAMP,
+    CKA_NETSCAPE_PKCS8_SALT, CKA_NETSCAPE_PASSWORD_CHECK, CKA_NETSCAPE_EXPIRES,
+    CKA_NETSCAPE_KRL, CKA_NETSCAPE_PQG_COUNTER, CKA_NETSCAPE_PQG_SEED,
+    CKA_NETSCAPE_PQG_H, CKA_NETSCAPE_PQG_SEED_BITS, CKA_NETSCAPE_MODULE_SPEC,
+    CKA_TRUST_DIGITAL_SIGNATURE, CKA_TRUST_NON_REPUDIATION,
+    CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT,
+    CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN,
+    CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING,
+    CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
+    CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
+    CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+    CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS
+};
+
+static int known_attributes_size= sizeof(known_attributes)/
+			   sizeof(known_attributes[0]);
+
+/* Magic for an explicit NULL. NOTE: ideally this should be
+ * out of band data. Since it's not completely out of band, pick
+ * a value that has no meaning to any existing PKCS #11 attributes.
+ * This value is 1) not a valid string (imbedded '\0'). 2) not a U_LONG
+ * or a normal key (too short). 3) not a bool (too long). 4) not an RSA
+ * public exponent (too many bits).
+ */
+const unsigned char SQLITE_EXPLICIT_NULL[] = { 0xa5, 0x0, 0x5a };
+#define SQLITE_EXPLICIT_NULL_LEN 3
+
+/*
+ * determine when we've completed our tasks
+ */
+static int 
+sdb_done(int err, int *count)
+{
+    /* allow as many rows as the database wants to give */
+    if (err == SQLITE_ROW) {
+	*count = 0;
+	return 0;
+    }
+    if (err != SQLITE_BUSY) {
+	return 1;
+    }
+    /* err == SQLITE_BUSY, Dont' retry forever in this case */
+    if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
+	return 1;
+    }
+    return 0;
+}
+
+/*
+ * 
+ * strdup limited to 'n' bytes. (Note: len of file is assumed to be >= len)
+ *
+ * We don't have a PORT_ version of this function,
+ * I suspect it's only normally available in glib,
+ */
+static char *
+sdb_strndup(const char *file, int len)
+{
+   char *result = PORT_Alloc(len+1);
+
+   if (result == NULL) {
+	return result;
+   }
+
+   PORT_Memcpy(result, file, len);
+   result[len] = 0;
+   return result;
+}
+
+/*
+ * call back from  sqlite3_exec("Pragma database_list"). Looks for the
+ * temp directory, then return the file the temp directory is stored
+ * at. */
+static int 
+sdb_getTempDirCallback(void *arg, int columnCount, char **cval, char **cname)
+{
+    int i;
+    int found = 0;
+    char *file = NULL;
+    char *end, *dir;
+
+    /* we've already found the temp directory, don't look at any more records*/
+    if (*(char **)arg) {
+	return SQLITE_OK;
+    }
+
+    /* look at the columns to see if this record is the temp database,
+     * and does it say where it is stored */
+    for (i=0; i < columnCount; i++) {
+	if (PORT_Strcmp(cname[i],"name") == 0) {
+	    if (PORT_Strcmp(cval[i], "temp") == 0) {
+		found++;
+		continue;
+	    }
+	}
+	if (PORT_Strcmp(cname[i],"file") == 0) {
+	    if (cval[i] && (*cval[i] != 0)) {
+		file = cval[i];
+	    }
+	}
+    }
+
+    /* if we couldn't find it, ask for the next record */
+    if (!found || !file) {
+	return SQLITE_OK;
+    }
+
+    /* drop of the database file name and just return the directory */
+    end = PORT_Strrchr(file, '/');
+    if (!end) {
+	return SQLITE_OK;
+    }
+    dir = sdb_strndup(file, end-file);
+
+    *(char **)arg = dir;
+    return SQLITE_OK;
+}
+
+/*
+ * find out where sqlite stores the temp tables. We do this by creating
+ * a temp table, then looking for the database name that sqlite3 creates.
+ */
+static char *
+sdb_getTempDir(sqlite3 *sqlDB)
+{
+    char *tempDir = NULL;
+    int sqlerr;
+
+    /* create a temporary table */
+    sqlerr = sqlite3_exec(sqlDB, "CREATE TEMPORARY TABLE myTemp (id)",
+			  NULL, 0, NULL);
+    if (sqlerr != SQLITE_OK) {
+	return NULL;
+    }
+    /* look for through the database list for the temp directory */
+    sqlerr = sqlite3_exec(sqlDB, "PRAGMA database_list", 
+		sdb_getTempDirCallback, &tempDir, NULL);
+
+    /* drop the temp table we created */
+    sqlite3_exec(sqlDB, "DROP TABLE myTemp", NULL, 0, NULL);
+
+    if (sqlerr != SQLITE_OK) {
+	return NULL;
+    }
+    return tempDir;
+}
+
+
+/*
+ * Map SQL_LITE errors to PKCS #11 errors as best we can.
+ */
+static int 
+sdb_mapSQLError(sdbDataType type, int sqlerr)
+{
+    switch (sqlerr) {
+    /* good matches */
+    case SQLITE_OK:
+    case SQLITE_DONE:
+	return CKR_OK;
+    case SQLITE_NOMEM:
+	return CKR_HOST_MEMORY;
+    case SQLITE_READONLY:
+	return CKR_TOKEN_WRITE_PROTECTED;
+    /* close matches */
+    case SQLITE_AUTH:
+    case SQLITE_PERM:
+	/*return CKR_USER_NOT_LOGGED_IN; */
+    case SQLITE_CANTOPEN:
+    case SQLITE_NOTFOUND:
+	/* NSS distiguishes between failure to open the cert and the key db */
+	return type == SDB_CERT ? 
+		CKR_NETSCAPE_CERTDB_FAILED : CKR_NETSCAPE_KEYDB_FAILED;
+    case SQLITE_IOERR:
+	return CKR_DEVICE_ERROR;
+    default:
+	break;
+    }
+    return CKR_GENERAL_ERROR;
+}
+
+
+/*
+ * build up database name from a directory, prefix, name, version and flags.
+ */
+static char *sdb_BuildFileName(const char * directory, 
+			const char *prefix, const char *type, 
+			int version, int flags)
+{
+    char *dbname = NULL;
+    /* build the full dbname */
+    dbname = sqlite3_mprintf("%s/%s%s%d.db",directory, prefix, type, version);
+    return dbname;
+}
+
+
+/*
+ * find out how expensive the access system call is for non-existant files
+ * in the given directory.
+ */
+PRIntervalTime
+sdb_measureAccess(const char *directory)
+{
+    char *temp;
+    PRIntervalTime time;
+    PRIntervalTime delta;
+    PRIntervalTime next;
+    int i;
+
+    /* no directory, just return one */
+    if (directory == NULL) {
+	return 1;
+    }
+
+    /* measure 200 iterations so we have some resolution in the timer
+     * to work with. This code tries to open 200 unique files so that
+     * any caching code is defeated and we can get a reasonable idea about
+     * how well the underlying file system works */
+    time =  PR_IntervalNow();
+    for (i=0; i < 200; i++) { 
+        temp  = sdb_BuildFileName(directory,"","._dOeSnotExist_", time+i, 0);
+	PR_Access(temp,PR_ACCESS_EXISTS);
+        sqlite3_free(temp);
+    } 
+    next = PR_IntervalNow();
+    delta = next - time;
+
+    /* always return 1 or greater */
+    if (delta == 0) delta = 1;
+    return delta;
+}
+
+/*
+ * some file sytems are very slow to run sqlite3 on, particularly if the
+ * access count is pretty high. On these filesystems is faster to create
+ * a temporary database on the local filesystem and access that. This
+ * code uses a temporary table to create that cache. Temp tables are
+ * automatically cleared when the database handle it was created on
+ * Is freed.
+ */
+static const char DROP_CACHE_CMD[] = "DROP TABLE %s";
+static const char CREATE_CACHE_CMD[] =
+  "CREATE TEMPORARY TABLE %s AS SELECT * FROM %s";
+static const char CREATE_ISSUER_INDEX_CMD[] = 
+  "CREATE INDEX issuer ON %s (a81)";
+static const char CREATE_SUBJECT_INDEX_CMD[] = 
+  "CREATE INDEX subject ON %s (a101)";
+static const char CREATE_LABEL_INDEX_CMD[] = "CREATE INDEX label ON %s (a3)";
+static const char CREATE_ID_INDEX_CMD[] = "CREATE INDEX ckaid ON %s (a102)";
+
+static CK_RV
+sdb_buildCache(sqlite3 *sqlDB, sdbDataType type, 
+		const char *cacheTable, const char *table)
+{
+    char *newStr;
+    int sqlerr = SQLITE_OK;
+
+    newStr = sqlite3_mprintf(CREATE_CACHE_CMD, cacheTable, table);
+    if (newStr == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    if (sqlerr != SQLITE_OK) {
+	return sdb_mapSQLError(type, sqlerr); 
+    }
+    /* failure to create the indexes is not an issue */
+    newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, cacheTable);
+    if (newStr == NULL) {
+	return CKR_OK;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, cacheTable);
+    if (newStr == NULL) {
+	return CKR_OK;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, cacheTable);
+    if (newStr == NULL) {
+	return CKR_OK;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, cacheTable);
+    if (newStr == NULL) {
+	return CKR_OK;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    return CKR_OK;
+}
+
+/*
+ * update the cache and the data records describing it.
+ *  The cache is updated by dropping the temp database and recreating it.
+ */
+static CK_RV
+sdb_updateCache(SDBPrivate *sdb_p)
+{
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    char *newStr;
+
+    /* drop the old table */
+    newStr = sqlite3_mprintf(DROP_CACHE_CMD, sdb_p->cacheTable);
+    if (newStr == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    sqlerr = sqlite3_exec(sdb_p->sqlReadDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+    if ((sqlerr != SQLITE_OK) && (sqlerr != SQLITE_ERROR )) {
+        /* something went wrong with the drop, don't try to refresh...
+         * NOTE: SQLITE_ERROR is returned if the table doesn't exist. In
+         * that case, we just continue on and try to reload it */
+	return sdb_mapSQLError(sdb_p->type, sqlerr); 
+    }
+	
+
+    /* set up the new table */
+    error = sdb_buildCache(sdb_p->sqlReadDB,sdb_p->type,
+				sdb_p->cacheTable,sdb_p->table );
+    if (error == CKR_OK) {
+	/* we have a new cache! */
+	sdb_p->lastUpdateTime = PR_IntervalNow();
+    }
+    return error;
+}
+
+/*
+ *  The sharing of sqlite3 handles across threads is tricky. Older versions
+ *  couldn't at all, but newer ones can under strict conditions. Basically
+ *  no 2 threads can use the same handle while another thread has an open
+ *  stmt running. Once the sqlite3_stmt is finalized, another thread can then
+ *  use the database handle.
+ *
+ *  We use monitors to protect against trying to use a database before
+ *  it's sqlite3_stmt is finalized. This is preferable to the opening and
+ *  closing the database each operation because there is significant overhead
+ *  in the open and close. Also continually opening and closing the database
+ *  defeats the cache code as the cache table is lost on close (thus
+ *  requiring us to have to reinitialize the cache every operation).
+ * 
+ *  An execption to the shared handle is transations. All writes happen
+ *  through a transaction. When we are in  a transaction, we must use the 
+ *  same database pointer for that entire transation. In this case we save 
+ *  the transaction database and use it for all accesses on the transaction 
+ *  thread. Other threads use the common database.  
+ *
+ *  There can only be once active transaction on the database at a time.
+ *
+ *  sdb_openDBLocal() provides us with a valid database handle for whatever
+ *  state we are in (reading or in a transaction), and acquires any locks
+ *  appropriate to that state. It also decides when it's time to refresh
+ *  the cache before we start an operation. Any database handle returned
+ *  just eventually be closed with sdb_closeDBLocal().
+ *
+ *  The table returned either points to the database's physical table, or
+ *  to the cached shadow. Tranactions always return the physical table
+ *  and read operations return either the physical table or the cache
+ *  depending on whether or not the cache exists.
+ */
+static CK_RV 
+sdb_openDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB, const char **table)
+{
+    *sqlDB = NULL;
+
+    PR_EnterMonitor(sdb_p->dbMon);
+
+    if (table) {
+	*table = sdb_p->table;
+    }
+
+    /* We're in a transaction, use the transaction DB */
+    if ((sdb_p->sqlXactDB) && (sdb_p->sqlXactThread == PR_GetCurrentThread())) {
+	*sqlDB =sdb_p->sqlXactDB;
+	/* only one thread can get here, safe to unlock */
+        PR_ExitMonitor(sdb_p->dbMon);
+	return CKR_OK;
+    }
+
+    /*
+     * if we are just reading from the table, we may have the table
+     * cached in a temporary table (especially if it's on a shared FS).
+     * In that case we want to see updates to the table, the the granularity
+     * is on order of human scale, not computer scale.
+     */
+    if (table && sdb_p->cacheTable) {
+	PRIntervalTime now = PR_IntervalNow();
+	if ((now - sdb_p->lastUpdateTime) > sdb_p->updateInterval) {
+	       sdb_updateCache(sdb_p);
+        }
+	*table = sdb_p->cacheTable;
+    }
+
+    *sqlDB = sdb_p->sqlReadDB;
+
+    /* leave holding the lock. only one thread can actually use a given
+     * database connection at once */
+	
+    return CKR_OK;
+}
+
+/* closing the local database currenly means unlocking the monitor */
+static CK_RV 
+sdb_closeDBLocal(SDBPrivate *sdb_p, sqlite3 *sqlDB) 
+{
+   if (sdb_p->sqlXactDB != sqlDB) {
+	/* if we weren't in a transaction, we got a lock */
+        PR_ExitMonitor(sdb_p->dbMon);
+   }
+   return CKR_OK;
+}
+
+
+/*
+ * wrapper to sqlite3_open which also sets the busy_timeout
+ */
+static int
+sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
+{
+    int sqlerr;
+    /*
+     * in sqlite3 3.5.0, there is a new open call that allows us
+     * to specify read only. Most new OS's are still on 3.3.x (including
+     * NSS's internal version and the version shipped with Firefox).
+     */
+    *sqlDB = NULL;
+    sqlerr = sqlite3_open(name, sqlDB);
+    if (sqlerr != SQLITE_OK) {
+	return sqlerr;
+    }
+
+    sqlerr = sqlite3_busy_timeout(*sqlDB, SDB_SQLITE_BUSY_TIMEOUT);
+    if (sqlerr != SQLITE_OK) {
+	sqlite3_close(*sqlDB);
+	*sqlDB = NULL;
+	return sqlerr;
+    }
+    return SQLITE_OK;
+}
+
+/* Sigh, if we created a new table since we opened the database,
+ * the database handle will not see the new table, we need to close this
+ * database and reopen it. Caller must be in a transaction or holding
+ * the dbMon. sqlDB is changed on success. */
+static int 
+sdb_reopenDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB) {
+    sqlite3 *newDB;
+    int sqlerr;
+
+    /* open a new database */
+    sqlerr = sdb_openDB(sdb_p->sqlDBName, &newDB, SDB_RDONLY);
+    if (sqlerr != SQLITE_OK) {
+	return sqlerr;
+    }
+
+    /* if we are in a transaction, we may not be holding the monitor.
+     * grab it before we update the transaction database. This is
+     * safe since are using monitors. */
+    PR_EnterMonitor(sdb_p->dbMon);
+    /* update our view of the database */
+    if (sdb_p->sqlReadDB == *sqlDB) {
+	sdb_p->sqlReadDB = newDB;
+    } else if (sdb_p->sqlXactDB == *sqlDB) {
+	sdb_p->sqlXactDB = newDB;
+    }
+    PR_ExitMonitor(sdb_p->dbMon);
+
+    /* close the old one */
+    sqlite3_close(*sqlDB);
+
+    *sqlDB = newDB;
+    return SQLITE_OK;
+}
+
+struct SDBFindStr {
+    sqlite3 *sqlDB;
+    sqlite3_stmt *findstmt;
+};
+
+
+static const char FIND_OBJECTS_CMD[] =  "SELECT ALL * FROM %s WHERE %s;";
+static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL * FROM %s;";
+CK_RV
+sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count, 
+				SDBFind **find)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    const char *table;
+    char *newStr, *findStr = NULL;
+    sqlite3_stmt *findstmt = NULL;
+    char *join="";
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int i;
+
+    LOCK_SQLITE()
+    *find = NULL;
+    error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+
+    findStr = sqlite3_mprintf("");
+    for (i=0; findStr && i < count; i++) {
+	newStr = sqlite3_mprintf("%s%sa%x=$DATA%d", findStr, join,
+				template[i].type, i);
+        join=" AND ";
+	sqlite3_free(findStr);
+	findStr = newStr;
+    }
+
+    if (findStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    if (count == 0) {
+	newStr = sqlite3_mprintf(FIND_OBJECTS_ALL_CMD, table);
+    } else {
+	newStr = sqlite3_mprintf(FIND_OBJECTS_CMD, table, findStr);
+    }
+    sqlite3_free(findStr);
+    if (newStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &findstmt, NULL);
+    sqlite3_free(newStr);
+    for (i=0; sqlerr == SQLITE_OK && i < count; i++) {
+	const void *blobData = template[i].pValue;
+	unsigned int blobSize = template[i].ulValueLen;
+	if (blobSize == 0) {
+	    blobSize = SQLITE_EXPLICIT_NULL_LEN;
+	    blobData = SQLITE_EXPLICIT_NULL;
+	}
+	sqlerr = sqlite3_bind_blob(findstmt, i+1, blobData, blobSize,
+				   SQLITE_TRANSIENT);
+    }
+    if (sqlerr == SQLITE_OK) {
+	*find = PORT_New(SDBFind);
+	if (*find == NULL) {
+	    error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	(*find)->findstmt = findstmt;
+	(*find)->sqlDB = sqlDB;
+	UNLOCK_SQLITE()  
+	return CKR_OK;
+    } 
+    error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+loser: 
+    if (findstmt) {
+	sqlite3_finalize(findstmt);
+    }
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    UNLOCK_SQLITE()  
+    return error;
+}
+
+
+CK_RV
+sdb_FindObjects(SDB *sdb, SDBFind *sdbFind, CK_OBJECT_HANDLE *object, 
+		CK_ULONG arraySize, CK_ULONG *count)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3_stmt *stmt = sdbFind->findstmt;
+    int sqlerr = SQLITE_OK;
+    int retry = 0;
+
+    *count = 0;
+
+    if (arraySize == 0) {
+	return CKR_OK;
+    }
+    LOCK_SQLITE()  
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+	if (sqlerr == SQLITE_ROW) {
+	    /* only care about the id */
+	    *object++= sqlite3_column_int(stmt, 0);
+	    arraySize--;
+	    (*count)++;
+	}
+    } while (!sdb_done(sqlerr,&retry) && (arraySize > 0));
+
+    /* we only have some of the objects, there is probably more,
+     * set the sqlerr to an OK value so we return CKR_OK */
+    if (sqlerr == SQLITE_ROW && arraySize == 0) {
+	sqlerr = SQLITE_DONE;
+    }
+    UNLOCK_SQLITE()  
+
+    return sdb_mapSQLError(sdb_p->type, sqlerr);
+}
+
+CK_RV
+sdb_FindObjectsFinal(SDB *sdb, SDBFind *sdbFind)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3_stmt *stmt = sdbFind->findstmt;
+    sqlite3 *sqlDB = sdbFind->sqlDB;
+    int sqlerr = SQLITE_OK;
+
+    LOCK_SQLITE()  
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlerr = sqlite3_finalize(stmt);
+    }
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    PORT_Free(sdbFind);
+
+    UNLOCK_SQLITE()  
+    return sdb_mapSQLError(sdb_p->type, sqlerr);
+}
+
+static const char GET_ATTRIBUTE_CMD[] = "SELECT ALL %s FROM %s WHERE id=$ID;";
+CK_RV
+sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+				CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    char *getStr = NULL;
+    char *newStr = NULL;
+    const char *table = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int found = 0;
+    int retry = 0;
+    int i;
+
+
+    /* open a new db if necessary */
+    error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+
+    getStr = sqlite3_mprintf("");
+    for (i=0; getStr && i < count; i++) {
+	if (i==0) {
+	    newStr = sqlite3_mprintf("a%x", template[i].type);
+	} else {
+	    newStr = sqlite3_mprintf("%s, a%x", getStr, template[i].type);
+	}
+	sqlite3_free(getStr);
+	getStr = newStr;
+    }
+
+    if (getStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    newStr = sqlite3_mprintf(GET_ATTRIBUTE_CMD, getStr, table);
+    sqlite3_free(getStr);
+    getStr = NULL;
+    if (newStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+    if (sqlerr != SQLITE_OK) { goto loser; }
+    sqlerr = sqlite3_bind_int(stmt, 1, object_id);
+    if (sqlerr != SQLITE_OK) { goto loser; }
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+	if (sqlerr == SQLITE_ROW) {
+	    for (i=0; i < count; i++) {
+		int column = i;
+	    	int blobSize;
+	    	const char *blobData;
+
+	    	blobSize = sqlite3_column_bytes(stmt, column);
+		blobData = sqlite3_column_blob(stmt, column);
+		if (blobData == NULL) {
+		    template[i].ulValueLen = -1;
+		    error = CKR_ATTRIBUTE_TYPE_INVALID; 
+		    continue;
+		}
+		/* If the blob equals our explicit NULL value, then the 
+		 * attribute is a NULL. */
+		if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
+		   	(PORT_Memcmp(blobData, SQLITE_EXPLICIT_NULL, 
+			      SQLITE_EXPLICIT_NULL_LEN) == 0)) {
+		    blobSize = 0;
+		}
+		if (template[i].pValue) {
+		    if (template[i].ulValueLen < blobSize) {
+			template[i].ulValueLen = -1;
+		    	error = CKR_BUFFER_TOO_SMALL;
+			continue;
+		    }
+	    	    PORT_Memcpy(template[i].pValue, blobData, blobSize);
+		}
+		template[i].ulValueLen = blobSize;
+	    }
+	    found = 1;
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    /* fix up the error if necessary */
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+	if (!found && error == CKR_OK) {
+	    error = CKR_OBJECT_HANDLE_INVALID;
+	}
+    }
+    if (newStr) {
+	sqlite3_free(newStr);
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    /* if we had to open a new database, free it now */
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    return error;
+}
+
+CK_RV
+sdb_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+				CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    CK_RV crv;
+
+    if (count == 0) {
+	return CKR_OK;
+    }
+
+    LOCK_SQLITE()  
+    crv = sdb_GetAttributeValueNoLock(sdb, object_id, template, count);
+    UNLOCK_SQLITE()  
+    return crv;
+}
+   
+static const char SET_ATTRIBUTE_CMD[] = "UPDATE %s SET %s WHERE id=$ID;";
+CK_RV
+sdb_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+			const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    char *setStr = NULL;
+    char *newStr = NULL;
+    int sqlerr = SQLITE_OK;
+    int retry = 0;
+    CK_RV error = CKR_OK;
+    int i;
+
+    if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    if (count == 0) {
+	return CKR_OK;
+    }
+
+    LOCK_SQLITE()  
+    setStr = sqlite3_mprintf("");
+    for (i=0; setStr && i < count; i++) {
+	if (i==0) {
+	    sqlite3_free(setStr);
+   	    setStr = sqlite3_mprintf("a%x=$VALUE%d", 
+				template[i].type, i);
+	    continue;
+	}
+	newStr = sqlite3_mprintf("%s,a%x=$VALUE%d", setStr, 
+				template[i].type, i);
+	sqlite3_free(setStr);
+	setStr = newStr;
+    }
+    newStr = NULL;
+
+    if (setStr == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    newStr =  sqlite3_mprintf(SET_ATTRIBUTE_CMD, sdb_p->table, setStr);
+    sqlite3_free(setStr);
+    if (newStr == NULL) {
+	UNLOCK_SQLITE()  
+	return CKR_HOST_MEMORY;
+    }
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+    sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+    if (sqlerr != SQLITE_OK) goto loser;
+    for (i=0; i < count; i++) {
+	if (template[i].ulValueLen != 0) {
+	    sqlerr = sqlite3_bind_blob(stmt, i+1, template[i].pValue, 
+				template[i].ulValueLen, SQLITE_STATIC);
+	} else {
+	    sqlerr = sqlite3_bind_blob(stmt, i+2, SQLITE_EXPLICIT_NULL, 
+			SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
+	}
+        if (sqlerr != SQLITE_OK) goto loser;
+    }
+    sqlerr = sqlite3_bind_int(stmt, i+1, object_id);
+    if (sqlerr != SQLITE_OK) goto loser;
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    if (newStr) {
+	sqlite3_free(newStr);
+    }
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+
+    UNLOCK_SQLITE()  
+    return error;
+}
+
+/*
+ * check to see if a candidate object handle already exists.
+ */
+static PRBool
+sdb_objectExists(SDB *sdb, CK_OBJECT_HANDLE candidate)
+{
+    CK_RV crv;
+    CK_ATTRIBUTE template = { CKA_LABEL, NULL, 0 };
+
+    crv = sdb_GetAttributeValueNoLock(sdb,candidate,&template, 1);
+    if (crv == CKR_OBJECT_HANDLE_INVALID) {
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/*
+ * if we're here, we are in a transaction, so it's safe
+ * to examine the current state of the database
+ */
+static CK_OBJECT_HANDLE
+sdb_getObjectId(SDB *sdb)
+{
+    CK_OBJECT_HANDLE candidate;
+    static CK_OBJECT_HANDLE next_obj = CK_INVALID_HANDLE;
+    int count;
+    /*
+     * get an initial object handle to use
+     */
+    if (next_obj == CK_INVALID_HANDLE) {
+        PRTime time;
+	time = PR_Now();
+
+	next_obj = (CK_OBJECT_HANDLE)(time & 0x3fffffffL);
+    }
+    candidate = next_obj++;
+    /* detect that we've looped through all the handles... */
+    for (count = 0; count < 0x40000000; count++, candidate = next_obj++) {
+	/* mask off excess bits */
+	candidate &= 0x3fffffff;
+	/* if we hit zero, go to the next entry */
+	if (candidate == CK_INVALID_HANDLE) {
+	    continue;
+	}
+	/* make sure we aren't already using */
+	if (!sdb_objectExists(sdb, candidate)) {
+	    /* this one is free */
+	    return candidate;
+	}
+    }
+
+    /* no handle is free, fail */
+    return CK_INVALID_HANDLE;
+}
+
+static const char CREATE_CMD[] = "INSERT INTO %s (id%s) VALUES($ID%s);";
+CK_RV
+sdb_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *object_id, 
+		 const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    char *columnStr = NULL;
+    char *valueStr = NULL;
+    char *newStr = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    CK_OBJECT_HANDLE this_object = CK_INVALID_HANDLE;
+    int retry = 0;
+    int i;
+
+    if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    LOCK_SQLITE()  
+    if ((*object_id != CK_INVALID_HANDLE) && 
+		!sdb_objectExists(sdb, *object_id)) {
+	this_object = *object_id;
+    } else {
+	this_object = sdb_getObjectId(sdb);
+    }
+    if (this_object == CK_INVALID_HANDLE) {
+	UNLOCK_SQLITE();
+	return CKR_HOST_MEMORY;
+    }
+    columnStr = sqlite3_mprintf("");
+    valueStr = sqlite3_mprintf("");
+    *object_id = this_object;
+    for (i=0; columnStr && valueStr && i < count; i++) {
+   	newStr = sqlite3_mprintf("%s,a%x", columnStr, template[i].type);
+	sqlite3_free(columnStr);
+	columnStr = newStr;
+   	newStr = sqlite3_mprintf("%s,$VALUE%d", valueStr, i);
+	sqlite3_free(valueStr);
+	valueStr = newStr;
+    }
+    newStr = NULL;
+    if ((columnStr == NULL) || (valueStr == NULL)) {
+	if (columnStr) {
+	    sqlite3_free(columnStr);
+	}
+	if (valueStr) {
+	    sqlite3_free(valueStr);
+	}
+	UNLOCK_SQLITE()  
+	return CKR_HOST_MEMORY;
+    }
+    newStr =  sqlite3_mprintf(CREATE_CMD, sdb_p->table, columnStr, valueStr);
+    sqlite3_free(columnStr);
+    sqlite3_free(valueStr);
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+    sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+    if (sqlerr != SQLITE_OK) goto loser;
+    sqlerr = sqlite3_bind_int(stmt, 1, *object_id);
+    if (sqlerr != SQLITE_OK) goto loser;
+    for (i=0; i < count; i++) {
+	if (template[i].ulValueLen) {
+	    sqlerr = sqlite3_bind_blob(stmt, i+2, template[i].pValue, 
+			template[i].ulValueLen, SQLITE_STATIC);
+	} else {
+	    sqlerr = sqlite3_bind_blob(stmt, i+2, SQLITE_EXPLICIT_NULL, 
+			SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
+	}
+        if (sqlerr != SQLITE_OK) goto loser;
+    }
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    if (newStr) {
+	sqlite3_free(newStr);
+    }
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    UNLOCK_SQLITE()  
+
+    return error;
+}
+
+static const char DESTROY_CMD[] = "DELETE FROM %s WHERE (id=$ID);";
+CK_RV
+sdb_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    char *newStr = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int retry = 0;
+
+    if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    LOCK_SQLITE()  
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+    newStr =  sqlite3_mprintf(DESTROY_CMD, sdb_p->table);
+    if (newStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    sqlerr =sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+    sqlite3_free(newStr);
+    if (sqlerr != SQLITE_OK) goto loser;
+    sqlerr =sqlite3_bind_int(stmt, 1, object_id);
+    if (sqlerr != SQLITE_OK) goto loser;
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+
+    UNLOCK_SQLITE()  
+    return error;
+}
+   
+static const char BEGIN_CMD[] = "BEGIN IMMEDIATE TRANSACTION;";
+/*
+ * start a transaction.
+ *
+ * We need to open a new database, then store that new database into
+ * the private data structure. We open the database first, then use locks
+ * to protect storing the data to prevent deadlocks.
+ */
+CK_RV
+sdb_Begin(SDB *sdb)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int retry = 0;
+
+
+    if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+
+    LOCK_SQLITE()  
+
+    /* get a new version that we will use for the entire transaction */
+    sqlerr = sdb_openDB(sdb_p->sqlDBName, &sqlDB, SDB_RDWR);
+    if (sqlerr != SQLITE_OK) {
+	goto loser;
+    }
+
+    sqlerr =sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+loser:
+    error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+    /* we are starting a new transaction, 
+     * and if we succeeded, then save this database for the rest of
+     * our transaction */
+    if (error == CKR_OK) {
+	/* we hold a 'BEGIN TRANSACTION' and a sdb_p->lock. At this point
+	 * sdb_p->sqlXactDB MUST be null */
+	PR_EnterMonitor(sdb_p->dbMon);
+	PORT_Assert(sdb_p->sqlXactDB == NULL);
+	sdb_p->sqlXactDB = sqlDB;
+	sdb_p->sqlXactThread = PR_GetCurrentThread();
+        PR_ExitMonitor(sdb_p->dbMon);
+    } else {
+	/* we failed to start our transaction,
+	 * free any databases we opened. */
+	if (sqlDB) {
+	    sqlite3_close(sqlDB);
+	}
+    }
+
+    UNLOCK_SQLITE()  
+    return error;
+}
+
+/*
+ * Complete a transaction. Basically undo everything we did in begin.
+ * There are 2 flavors Abort and Commit. Basically the only differerence between
+ * these 2 are what the database will show. (no change in to former, change in
+ * the latter).
+ */
+static CK_RV 
+sdb_complete(SDB *sdb, const char *cmd)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    sqlite3_stmt *stmt = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int retry = 0;
+
+
+    if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* We must have a transation database, or we shouldn't have arrived here */
+    PR_EnterMonitor(sdb_p->dbMon);
+    PORT_Assert(sdb_p->sqlXactDB);
+    if (sdb_p->sqlXactDB == NULL) {
+        PR_ExitMonitor(sdb_p->dbMon);
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    PORT_Assert( sdb_p->sqlXactThread == PR_GetCurrentThread());
+    if ( sdb_p->sqlXactThread != PR_GetCurrentThread()) {
+        PR_ExitMonitor(sdb_p->dbMon);
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    sqlDB = sdb_p->sqlXactDB;
+    sdb_p->sqlXactDB = NULL; /* no one else can get to this DB, 
+			      * safe to unlock */
+    sdb_p->sqlXactThread = NULL; 
+    PR_ExitMonitor(sdb_p->dbMon);
+
+    sqlerr =sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL);
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+    /* Pending BEGIN TRANSACTIONS Can move forward at this point. */
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    /* we we have a cached DB image, update it as well */
+    if (sdb_p->cacheTable) {
+	PR_EnterMonitor(sdb_p->dbMon);
+	sdb_updateCache(sdb_p);
+	PR_ExitMonitor(sdb_p->dbMon);
+    }
+
+    error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+    /* We just finished a transaction.
+     * Free the database, and remove it from the list */
+    sqlite3_close(sqlDB);
+
+    return error;
+}
+
+static const char COMMIT_CMD[] = "COMMIT TRANSACTION;";
+CK_RV
+sdb_Commit(SDB *sdb)
+{
+    CK_RV crv;
+    LOCK_SQLITE()  
+    crv = sdb_complete(sdb,COMMIT_CMD);
+    UNLOCK_SQLITE()  
+    return crv;
+}
+
+static const char ROLLBACK_CMD[] = "ROLLBACK TRANSACTION;";
+CK_RV
+sdb_Abort(SDB *sdb)
+{
+    CK_RV crv;
+    LOCK_SQLITE()  
+    crv = sdb_complete(sdb,ROLLBACK_CMD);
+    UNLOCK_SQLITE()  
+    return crv;
+}
+
+static int tableExists(sqlite3 *sqlDB, const char *tableName);
+
+static const char GET_PW_CMD[] = "SELECT ALL * FROM metaData WHERE id=$ID;";
+CK_RV
+sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = sdb_p->sqlXactDB;
+    sqlite3_stmt *stmt = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int found = 0;
+    int retry = 0;
+
+    LOCK_SQLITE()  
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+
+    /* handle 'test' versions of the sqlite db */
+    sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
+    /* Sigh, if we created a new table since we opened the database,
+     * the database handle will not see the new table, we need to close this
+     * database and reopen it. This is safe because we are holding the lock
+     * still. */
+    if (sqlerr == SQLITE_SCHEMA) {
+	sqlerr = sdb_reopenDBLocal(sdb_p, &sqlDB);
+	if (sqlerr != SQLITE_OK) {
+	    goto loser;
+	}
+	sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
+    }
+    if (sqlerr != SQLITE_OK) goto loser;
+    sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+	if (sqlerr == SQLITE_ROW) {
+	    const char *blobData;
+	    unsigned int len = item1->len;
+	    item1->len = sqlite3_column_bytes(stmt, 1);
+	    if (item1->len > len) {
+		error = CKR_BUFFER_TOO_SMALL;
+		continue;
+	    }
+	    blobData = sqlite3_column_blob(stmt, 1);
+	    PORT_Memcpy(item1->data,blobData, item1->len);
+	    if (item2) {
+		len = item2->len;
+		item2->len = sqlite3_column_bytes(stmt, 2);
+		if (item2->len > len) {
+		    error = CKR_BUFFER_TOO_SMALL;
+		    continue;
+		}
+		blobData = sqlite3_column_blob(stmt, 2);
+		PORT_Memcpy(item2->data,blobData, item2->len);
+	    }
+	    found = 1;
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    /* fix up the error if necessary */
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+	if (!found && error == CKR_OK) {
+	    error = CKR_OBJECT_HANDLE_INVALID;
+	}
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    UNLOCK_SQLITE()  
+
+    return error;
+}
+
+static const char PW_CREATE_TABLE_CMD[] =
+ "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);";
+static const char PW_CREATE_CMD[] =
+ "INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);";
+static const char MD_CREATE_CMD[]  =
+ "INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);";
+CK_RV
+sdb_PutMetaData(SDB *sdb, const char *id, const SECItem *item1, 
+					   const SECItem *item2)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = sdb_p->sqlXactDB;
+    sqlite3_stmt *stmt = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    int retry = 0;
+    const char *cmd = PW_CREATE_CMD;
+
+    LOCK_SQLITE()  
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+
+    if (!tableExists(sqlDB, "metaData")) {
+    	sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);
+        if (sqlerr != SQLITE_OK) goto loser;
+    }
+    if (item2 == NULL) {
+	cmd = MD_CREATE_CMD;
+    }
+    sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL);
+    if (sqlerr != SQLITE_OK) goto loser;
+    sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
+    if (sqlerr != SQLITE_OK) goto loser;
+    sqlerr = sqlite3_bind_blob(stmt, 2, item1->data, item1->len, SQLITE_STATIC);
+    if (sqlerr != SQLITE_OK) goto loser;
+    if (item2) {
+    	sqlerr = sqlite3_bind_blob(stmt, 3, item2->data, 
+				   item2->len, SQLITE_STATIC);
+        if (sqlerr != SQLITE_OK) goto loser;
+    }
+
+    do {
+	sqlerr = sqlite3_step(stmt);
+	if (sqlerr == SQLITE_BUSY) {
+	    PR_Sleep(SDB_BUSY_RETRY_TIME);
+	}
+    } while (!sdb_done(sqlerr,&retry));
+
+loser:
+    /* fix up the error if necessary */
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+    }
+
+    if (stmt) {
+	sqlite3_reset(stmt);
+	sqlite3_finalize(stmt);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+    UNLOCK_SQLITE()  
+
+    return error;
+}
+
+static const char RESET_CMD[] = "DROP TABLE IF EXISTS %s;";
+CK_RV
+sdb_Reset(SDB *sdb)
+{
+    SDBPrivate *sdb_p = sdb->private;
+    sqlite3  *sqlDB = NULL;
+    char *newStr;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+
+    /* only Key databases can be reset */
+    if (sdb_p->type != SDB_KEY) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    LOCK_SQLITE()  
+    error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+    if (error != CKR_OK) {
+	goto loser;
+    }
+
+    /* delete the key table */
+    newStr =  sqlite3_mprintf(RESET_CMD, sdb_p->table);
+    if (newStr == NULL) {
+	error = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+    sqlite3_free(newStr);
+
+    if (sqlerr != SQLITE_OK) goto loser;
+
+    /* delete the password entry table */
+    sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;", 
+                          NULL, 0, NULL);
+
+loser:
+    /* fix up the error if necessary */
+    if (error == CKR_OK) {
+	error = sdb_mapSQLError(sdb_p->type, sqlerr);
+    }
+
+    if (sqlDB) {
+	sdb_closeDBLocal(sdb_p, sqlDB) ;
+    }
+
+    UNLOCK_SQLITE()  
+    return error;
+}
+
+
+CK_RV 
+sdb_Close(SDB *sdb) 
+{
+    SDBPrivate *sdb_p = sdb->private;
+    int sqlerr = SQLITE_OK;
+    sdbDataType type = sdb_p->type;
+
+    sqlerr = sqlite3_close(sdb_p->sqlReadDB);
+    PORT_Free(sdb_p->sqlDBName);
+    if (sdb_p->cacheTable) {
+	sqlite3_free(sdb_p->cacheTable);
+    }
+    if (sdb_p->dbMon) {
+	PR_DestroyMonitor(sdb_p->dbMon);
+    }
+    free(sdb_p);
+    free(sdb);
+    return sdb_mapSQLError(type, sqlerr);
+}
+
+
+/*
+ * functions to support open
+ */
+
+static const char CHECK_TABLE_CMD[] = "SELECT ALL * FROM %s LIMIT 0;";
+/* return 1 if sqlDB contains table 'tableName */
+static int tableExists(sqlite3 *sqlDB, const char *tableName)
+{
+    char * cmd = sqlite3_mprintf(CHECK_TABLE_CMD, tableName);
+    int sqlerr = SQLITE_OK;
+
+    if (cmd == NULL) {
+	return 0;
+    }
+
+    sqlerr = sqlite3_exec(sqlDB, cmd, NULL, 0, 0);
+    sqlite3_free(cmd);
+
+    return (sqlerr == SQLITE_OK) ? 1 : 0;
+}
+
+/*
+ * initialize a single database
+ */
+static const char INIT_CMD[] =
+ "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)";
+static const char ALTER_CMD[] = 
+ "ALTER TABLE %s ADD COLUMN a%x";
+
+CK_RV 
+sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
+	 int *newInit, int flags, PRIntervalTime accessTime, SDB **pSdb)
+{
+    int i;
+    char *initStr = NULL;
+    char *newStr;
+    int inTransaction = 0;
+    SDB *sdb = NULL;
+    SDBPrivate *sdb_p = NULL;
+    sqlite3 *sqlDB = NULL;
+    int sqlerr = SQLITE_OK;
+    CK_RV error = CKR_OK;
+    char *cacheTable = NULL;
+    PRIntervalTime now = 0;
+    PRIntervalTime tempAccess = 0;
+    char *tempDir = NULL;
+    char *env;
+    PRBool enableCache = PR_FALSE;
+
+    *pSdb = NULL;
+    *inUpdate = 0;
+
+    /* sqlite3 doesn't have a flag to specify that we want to 
+     * open the database read only. If the db doesn't exist,
+     * sqlite3 will always create it.
+     */
+    LOCK_SQLITE();
+    if ((flags == SDB_RDONLY) && PR_Access(dbname, PR_ACCESS_EXISTS)) {
+	error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
+	goto loser;
+    }
+    sqlerr = sdb_openDB(dbname, &sqlDB, flags);
+    if (sqlerr != SQLITE_OK) {
+	error = sdb_mapSQLError(type, sqlerr); 
+	goto loser;
+    }
+
+    if (flags != SDB_RDONLY) {
+	sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
+	if (sqlerr != SQLITE_OK) {
+	    error = sdb_mapSQLError(type, sqlerr);
+	    goto loser;
+	}
+	inTransaction = 1;
+    }
+    if (!tableExists(sqlDB,table)) {
+	*newInit = 1;
+	if (flags != SDB_CREATE) {
+	    error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
+	    goto loser;
+	}
+	initStr = sqlite3_mprintf("");
+	for (i=0; initStr && i < known_attributes_size; i++) {
+	    newStr = sqlite3_mprintf("%s, a%x",initStr, known_attributes[i]);
+	    sqlite3_free(initStr);
+	    initStr = newStr;
+	}
+	if (initStr == NULL) {
+	    error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+
+	newStr = sqlite3_mprintf(INIT_CMD, table, initStr);
+	sqlite3_free(initStr);
+	if (newStr == NULL) {
+            error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+	sqlite3_free(newStr);
+	if (sqlerr != SQLITE_OK) {
+            error = sdb_mapSQLError(type, sqlerr); 
+	    goto loser;
+	}
+
+	newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, table);
+	if (newStr == NULL) {
+            error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+	sqlite3_free(newStr);
+	if (sqlerr != SQLITE_OK) {
+            error = sdb_mapSQLError(type, sqlerr); 
+	    goto loser;
+	}
+
+	newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, table);
+	if (newStr == NULL) {
+            error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+	sqlite3_free(newStr);
+	if (sqlerr != SQLITE_OK) {
+            error = sdb_mapSQLError(type, sqlerr); 
+	    goto loser;
+	}
+
+	newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, table);
+	if (newStr == NULL) {
+            error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+	sqlite3_free(newStr);
+	if (sqlerr != SQLITE_OK) {
+            error = sdb_mapSQLError(type, sqlerr); 
+	    goto loser;
+	}
+
+	newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, table);
+	if (newStr == NULL) {
+            error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+	sqlite3_free(newStr);
+	if (sqlerr != SQLITE_OK) {
+            error = sdb_mapSQLError(type, sqlerr); 
+	    goto loser;
+	}
+    }
+    /*
+     * detect the case where we have created the database, but have
+     * not yet updated it.
+     *
+     * We only check the Key database because only the key database has
+     * a metaData table. The metaData table is created when a password
+     * is set, or in the case of update, when a password is supplied.
+     * If no key database exists, then the update would have happened immediately
+     * on noticing that the cert database didn't exist (see newInit set above).
+     */
+    if (type == SDB_KEY && !tableExists(sqlDB, "metaData")) {
+	*newInit = 1;
+    }
+    
+    /* access to network filesystems are significantly slower than local ones
+     * for database operations. In those cases we need to create a cached copy
+     * of the database in a temporary location on the local disk. SQLITE
+     * already provides a way to create a temporary table and initialize it,
+     * so we use it for the cache (see sdb_buildCache for how it's done).*/
+
+     /* 
+      * we decide whether or not to use the cache based on the following input.
+      *
+      * NSS_SDB_USE_CACHE environment variable is non-existant or set to 
+      *   anything other than "no" or "yes" ("auto", for instance).
+      *   This is the normal case. NSS will measure the performance of access
+      *   to the temp database versus the access to the users passed in 
+      *   database location. If the temp database location is "significantly"
+      *   faster we will use the cache.
+      *
+      * NSS_SDB_USE_CACHE environment variable is set to "no": cache will not
+      *   be used.
+      *
+      * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
+      *   always be used.
+      *
+      * It is expected that most applications would use the "auto" selection,
+      * the environment variable is primarily to simplify testing, and to 
+      * correct potential corner cases where  */
+
+     env = PR_GetEnv("NSS_SDB_USE_CACHE");
+
+     if (env && PORT_Strcasecmp(env,"no") == 0) {
+	enableCache = PR_FALSE;
+     } else if (env && PORT_Strcasecmp(env,"yes") == 0) {
+	enableCache = PR_TRUE;
+     } else {
+	/*
+	 *  Use PR_Access to determine how expensive it
+	 * is to check for the existance of a local file compared to the same
+	 * check in the temp directory. If the temp directory is faster, cache
+	 * the database there. */
+	tempDir = sdb_getTempDir(sqlDB);
+	tempAccess = sdb_measureAccess(tempDir);
+	PORT_Free(tempDir);
+	tempDir = NULL;
+
+	/* there is a cost to continually copying the database, account for
+	 * that cost in the temp access time with the arbitrary factor of 4 */
+	tempAccess = tempAccess*4;
+	enableCache = (tempAccess < accessTime) ? PR_TRUE : PR_FALSE;
+    }
+
+    if (enableCache) {
+	/* try to set the temp store to memory.*/
+	sqlite3_exec(sqlDB, "PRAGMA temp_store=MEMORY", NULL, 0, NULL);
+	/* Failure to set the temp store to memory is not fatal,
+         * ignore the error */
+
+	cacheTable = sqlite3_mprintf("%sCache",table);
+	if (cacheTable == NULL) {
+	    error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+	/* build the cache table */
+	error = sdb_buildCache(sqlDB, type, cacheTable, table);
+	if (error != CKR_OK) {
+	    goto loser;
+	}
+	/* initialize the last cache build time */
+	now = PR_IntervalNow();
+    }
+
+    sdb = (SDB *) malloc(sizeof(SDB));
+    sdb_p = (SDBPrivate *) malloc(sizeof(SDBPrivate));
+
+    /* invariant fields */
+    sdb_p->sqlDBName = PORT_Strdup(dbname);
+    sdb_p->type = type;
+    sdb_p->table = table;
+    sdb_p->cacheTable = cacheTable;
+    sdb_p->lastUpdateTime = now;
+    /* set the cache delay time. This is how long we will wait before we
+     * decide the existing cache is stale. Currently set to 10 sec */
+    sdb_p->updateInterval = PR_SecondsToInterval(10); 
+    sdb_p->dbMon = PR_NewMonitor();
+    /* these fields are protected by the lock */
+    sdb_p->sqlXactDB = NULL;
+    sdb_p->sqlXactThread = NULL;
+    sdb->private = sdb_p;
+    sdb->sdb_type = SDB_SQL;
+    sdb->sdb_flags = flags | SDB_HAS_META;
+    sdb->sdb_FindObjectsInit = sdb_FindObjectsInit;
+    sdb->sdb_FindObjects = sdb_FindObjects;
+    sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal;
+    sdb->sdb_GetAttributeValue = sdb_GetAttributeValue;
+    sdb->sdb_SetAttributeValue = sdb_SetAttributeValue;
+    sdb->sdb_CreateObject = sdb_CreateObject;
+    sdb->sdb_DestroyObject = sdb_DestroyObject;
+    sdb->sdb_GetMetaData = sdb_GetMetaData;
+    sdb->sdb_PutMetaData = sdb_PutMetaData;
+    sdb->sdb_Begin = sdb_Begin;
+    sdb->sdb_Commit = sdb_Commit;
+    sdb->sdb_Abort = sdb_Abort;
+    sdb->sdb_Close = sdb_Close;
+
+    if (inTransaction) {
+	sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL);
+	if (sqlerr != SQLITE_OK) {
+	    error = sdb_mapSQLError(sdb_p->type, sqlerr);
+	    goto loser;
+	}
+	inTransaction = 0;
+    }
+
+    sdb_p->sqlReadDB = sqlDB;
+
+    *pSdb = sdb;
+    UNLOCK_SQLITE();
+    return CKR_OK;
+
+loser:
+    /* lots of stuff to do */
+    if (inTransaction) {
+	sqlite3_exec(sqlDB, ROLLBACK_CMD, NULL, 0, NULL);
+    }
+    if (sdb) {
+	free(sdb);
+    }
+    if (sdb_p) {
+	free(sdb_p);
+    }
+    if (sqlDB) {
+	sqlite3_close(sqlDB);
+    }
+    UNLOCK_SQLITE();
+    return error;
+
+}
+
+
+/* sdbopen */
+CK_RV
+s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
+	int cert_version, int key_version, int flags, 
+	SDB **certdb, SDB **keydb, int *newInit)
+{
+    char *cert = sdb_BuildFileName(directory, certPrefix,
+				   "cert", cert_version, flags);
+    char *key = sdb_BuildFileName(directory, keyPrefix,
+				   "key", key_version, flags);
+    CK_RV error = CKR_OK;
+    int inUpdate;
+    PRIntervalTime accessTime;
+
+    *certdb = NULL;
+    *keydb = NULL;
+    *newInit = 0;
+
+#ifdef SQLITE_UNSAFE_THREADS
+    if (sqlite_lock == NULL) {
+	sqlite_lock = PR_NewLock();
+	if (sqlite_lock == NULL) {
+	    error = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+    }
+#endif
+
+    /* how long does it take to test for a non-existant file in our working
+     * directory? Allows us to test if we may be on a network file system */
+    accessTime = sdb_measureAccess(directory);
+
+    /*
+     * open the cert data base
+     */
+    if (certdb) {
+	/* initialize Certificate database */
+	error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate,
+			 newInit, flags, accessTime, certdb);
+	if (error != CKR_OK) {
+	    goto loser;
+	}
+    }
+
+    /*
+     * open the key data base: 
+     *  NOTE:if we want to implement a single database, we open
+     *  the same database file as the certificate here.
+     *
+     *  cert an key db's have different tables, so they will not
+     *  conflict.
+     */
+    if (keydb) {
+	/* initialize the Key database */
+	error = sdb_init(key, "nssPrivate", SDB_KEY, &inUpdate, 
+			newInit, flags, accessTime, keydb);
+	if (error != CKR_OK) {
+	    goto loser;
+	} 
+    }
+
+
+loser:
+    if (cert) {
+	sqlite3_free(cert);
+    }
+    if (key) {
+	sqlite3_free(key);
+    }
+
+    if (error != CKR_OK) {
+	/* currently redundant, but could be necessary if more code is added
+	 * just before loser */
+	if (keydb && *keydb) {
+	    sdb_Close(*keydb);
+	}
+	if (certdb && *certdb) {
+	    sdb_Close(*certdb);
+	}
+    }
+
+    return error;
+}
+
+CK_RV
+s_shutdown()
+{
+#ifdef SQLITE_UNSAFE_THREADS
+    if (sqlite_lock) {
+	PR_DestroyLock(sqlite_lock);
+	sqlite_lock = NULL;
+    }
+#endif
+    return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h
new file mode 100644
index 000000000..9e041f476
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.h
@@ -0,0 +1,111 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Red Hat, Inc.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+
+/*
+ * the following data structures should be moved to a 'rdb.h'.
+ */
+
+#ifndef _SDB_H
+#define _SDB_H 1
+#include "pkcs11t.h"
+#include "secitem.h"
+#include "sftkdbt.h"
+#include <sqlite3.h>
+
+#define STATIC_CMD_SIZE 2048
+
+typedef struct SDBFindStr SDBFind;
+typedef struct SDBStr SDB;
+
+struct SDBStr {
+    void *private;
+    int  version;
+    SDBType sdb_type;
+    int  sdb_flags;
+    void *app_private;
+    CK_RV (*sdb_FindObjectsInit)(SDB *sdb, const CK_ATTRIBUTE *template, 
+				 CK_ULONG count, SDBFind **find);
+    CK_RV (*sdb_FindObjects)(SDB *sdb, SDBFind *find, CK_OBJECT_HANDLE *ids, 
+				CK_ULONG arraySize, CK_ULONG *count);
+    CK_RV (*sdb_FindObjectsFinal)(SDB *sdb, SDBFind *find);
+    CK_RV (*sdb_GetAttributeValue)(SDB *sdb, CK_OBJECT_HANDLE object, 
+				CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_SetAttributeValue)(SDB *sdb, CK_OBJECT_HANDLE object, 
+				const CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_CreateObject)(SDB *sdb, CK_OBJECT_HANDLE *object, 
+				const CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_DestroyObject)(SDB *sdb, CK_OBJECT_HANDLE object);
+    CK_RV (*sdb_GetMetaData)(SDB *sdb, const char *id, 
+				SECItem *item1, SECItem *item2);
+    CK_RV (*sdb_PutMetaData)(SDB *sdb, const char *id,
+				const SECItem *item1, const SECItem *item2);
+    CK_RV (*sdb_Begin)(SDB *sdb);
+    CK_RV (*sdb_Commit)(SDB *sdb);
+    CK_RV (*sdb_Abort)(SDB *sdb);
+    CK_RV (*sdb_Reset)(SDB *sdb);
+    CK_RV (*sdb_Close)(SDB *sdb);
+};
+
+CK_RV s_open(const char *directory, const char *certPrefix, 
+	     const char *keyPrefix,
+	     int cert_version, int key_version, 
+	     int flags, SDB **certdb, SDB **keydb, int *newInit);
+CK_RV s_shutdown();
+
+/* flags */
+#define SDB_RDONLY      1
+#define SDB_RDWR        2
+#define SDB_CREATE      4
+#define SDB_HAS_META    8
+
+#endif
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
new file mode 100644
index 000000000..149ee9fa1
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -0,0 +1,2410 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ *     SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert 
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not 
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *  
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "pkcs11t.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h" 
+#include "secmodt.h"
+#include "pratom.h"
+#include "lgglue.h"
+#include "sftkpars.h"
+#include "secerr.h"
+
+/*
+ * We want all databases to have the same binary representation independent of
+ * endianness or length of the host architecture. In general PKCS #11 attributes
+ * are endian/length independent except those attributes that pass CK_ULONG.
+ *
+ * The following functions fixes up the CK_ULONG type attributes so that the data
+ * base sees a machine independent view. CK_ULONGs are stored as 4 byte network
+ * byte order values (big endian).
+ */
+#define BBP 8
+
+static PRBool
+sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type) 
+{
+    switch(type) {
+    case CKA_CLASS:
+    case CKA_CERTIFICATE_TYPE:
+    case CKA_CERTIFICATE_CATEGORY:
+    case CKA_KEY_TYPE:
+    case CKA_JAVA_MIDP_SECURITY_DOMAIN:
+
+    case CKA_TRUST_DIGITAL_SIGNATURE:
+    case CKA_TRUST_NON_REPUDIATION:
+    case CKA_TRUST_KEY_ENCIPHERMENT:
+    case CKA_TRUST_DATA_ENCIPHERMENT:
+    case CKA_TRUST_KEY_AGREEMENT:
+    case CKA_TRUST_KEY_CERT_SIGN:
+    case CKA_TRUST_CRL_SIGN:
+
+    case CKA_TRUST_SERVER_AUTH:
+    case CKA_TRUST_CLIENT_AUTH:
+    case CKA_TRUST_CODE_SIGNING:
+    case CKA_TRUST_EMAIL_PROTECTION:
+    case CKA_TRUST_IPSEC_END_SYSTEM:
+    case CKA_TRUST_IPSEC_TUNNEL:
+    case CKA_TRUST_IPSEC_USER:
+    case CKA_TRUST_TIME_STAMPING:
+    case CKA_TRUST_STEP_UP_APPROVED:
+	return PR_TRUE;
+    default:
+	break;
+    }
+    return PR_FALSE;
+    
+}
+
+/* are the attributes private? */
+static PRBool
+sftkdb_isPrivateAttribute(CK_ATTRIBUTE_TYPE type) 
+{
+    switch(type) {
+    case CKA_VALUE:
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	return PR_TRUE;
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+/* These attributes must be authenticated with an hmac. */
+static PRBool
+sftkdb_isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type) 
+{
+    switch(type) {
+    case CKA_MODULUS:
+    case CKA_PUBLIC_EXPONENT:
+    case CKA_CERT_SHA1_HASH:
+    case CKA_CERT_MD5_HASH:
+    case CKA_TRUST_SERVER_AUTH:
+    case CKA_TRUST_CLIENT_AUTH:
+    case CKA_TRUST_EMAIL_PROTECTION:
+    case CKA_TRUST_CODE_SIGNING:
+    case CKA_TRUST_STEP_UP_APPROVED:
+    case CKA_NSS_OVERRIDE_EXTENSIONS:
+	return PR_TRUE;
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * convert a native ULONG to a database ulong. Database ulong's
+ * are all 4 byte big endian values.
+ */
+void
+sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
+{ 
+    int i;
+
+    for (i=0; i < SDB_ULONG_SIZE; i++) {
+	data[i] = (value >> (SDB_ULONG_SIZE-1-i)*BBP) & 0xff;
+    }
+}
+
+/*
+ * convert a database ulong back to a native ULONG. (reverse of the above
+ * function.
+ */
+static CK_ULONG
+sftk_SDBULong2ULong(unsigned char *data)
+{
+    int i;
+    CK_ULONG value = 0;
+
+    for (i=0; i < SDB_ULONG_SIZE; i++) {
+	value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE-1-i)*BBP);
+    }
+    return value;
+}
+
+/*
+ * fix up the input templates. Our fixed up ints are stored in data and must
+ * be freed by the caller. The new template must also be freed. If there are no
+ * CK_ULONG attributes, the orignal template is passed in as is.
+ */
+static CK_ATTRIBUTE *
+sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count, 
+			unsigned char **dataOut)
+{
+    int i;
+    int ulongCount = 0;
+    unsigned char *data;
+    CK_ATTRIBUTE *ntemplate;
+
+    *dataOut = NULL;
+
+    /* first count the number of CK_ULONG attributes */
+    for (i=0; i < count; i++) {
+	/* Don't 'fixup' NULL values */
+	if (!template[i].pValue) {
+	    continue;
+	}
+	if (template[i].ulValueLen == sizeof (CK_ULONG)) {
+	    if ( sftkdb_isULONGAttribute(template[i].type)) {
+		ulongCount++;
+	    }
+	}
+    }
+    /* no attributes to fixup, just call on through */
+    if (ulongCount == 0) {
+	return (CK_ATTRIBUTE *)template;
+    }
+
+    /* allocate space for new ULONGS */
+    data = (unsigned char *)PORT_Alloc(SDB_ULONG_SIZE*ulongCount);
+    if (!data) {
+	return NULL;
+    }
+
+    /* allocate new template */
+    ntemplate = PORT_NewArray(CK_ATTRIBUTE,count);
+    if (!ntemplate) {
+	PORT_Free(data);
+	return NULL;
+    }
+    *dataOut = data;
+    /* copy the old template, fixup the actual ulongs */
+    for (i=0; i < count; i++) {
+	ntemplate[i] = template[i];
+	/* Don't 'fixup' NULL values */
+	if (!template[i].pValue) {
+	    continue;
+	}
+	if (template[i].ulValueLen == sizeof (CK_ULONG)) {
+	    if ( sftkdb_isULONGAttribute(template[i].type) ) {
+		CK_ULONG value = *(CK_ULONG *) template[i].pValue;
+		sftk_ULong2SDBULong(data, value);
+		ntemplate[i].pValue = data;
+		ntemplate[i].ulValueLen = SDB_ULONG_SIZE;
+		data += SDB_ULONG_SIZE;
+	    }
+	}
+    }
+    return ntemplate;
+}
+
+
+static const char SFTKDB_META_SIG_TEMPLATE[] = "sig_%s_%08x_%08x";
+
+/*
+ * return a string describing the database type (key or cert)
+ */
+const char *
+sftkdb_TypeString(SFTKDBHandle *handle)
+{
+   return (handle->type == SFTK_KEYDB_TYPE) ? "key" : "cert";
+}
+
+/*
+ * Some attributes are signed with an Hmac and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ * attribute type in the meta data table in the key database.
+ *
+ * Signature entries are indexed by the string
+ * sig_[cert/key]_{ObjectID}_{Attribute}
+ *
+ * This function fetches that pkcs5 signature. Caller supplies a SECItem
+ * pre-allocated to the appropriate size if the SECItem is too small the
+ * function will fail with CKR_BUFFER_TOO_SMALL.
+ */
+static CK_RV
+sftkdb_getAttributeSignature(SFTKDBHandle *handle, SFTKDBHandle *keyHandle, 
+		CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type,
+		SECItem *signText)
+{
+    SDB *db;
+    char id[30];
+    CK_RV crv;
+
+    db = SFTK_GET_SDB(keyHandle);
+
+    sprintf(id, SFTKDB_META_SIG_TEMPLATE,
+	sftkdb_TypeString(handle),
+	(unsigned int)objectID, (unsigned int)type);
+
+    crv = (*db->sdb_GetMetaData)(db, id, signText, NULL);
+    return crv;
+}
+
+/*
+ * Some attributes are signed with an Hmac and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ * attribute type in the meta data table in the key database.
+ *
+ * Signature entries are indexed by the string
+ * sig_[cert/key]_{ObjectID}_{Attribute}
+ *
+ * This function stores that pkcs5 signature.
+ */
+CK_RV
+sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget, 
+		CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type,
+		SECItem *signText)
+{
+    char id[30];
+    CK_RV crv;
+
+    sprintf(id, SFTKDB_META_SIG_TEMPLATE,
+	sftkdb_TypeString(handle),
+	(unsigned int)objectID, (unsigned int)type);
+
+    crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL);
+    return crv;
+}
+
+/*
+ * fix up returned data. NOTE: sftkdb_fixupTemplateIn has already allocated
+ * separate data sections for the database ULONG values.
+ */
+static CK_RV
+sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID,
+		CK_ATTRIBUTE *ntemplate, int count, SFTKDBHandle *handle)
+{
+    int i;
+    CK_RV crv = CKR_OK;
+    SFTKDBHandle *keyHandle;
+    PRBool checkSig = PR_TRUE;
+    PRBool checkEnc = PR_TRUE;
+
+    PORT_Assert(handle);
+
+    /* find the key handle */
+    keyHandle = handle;
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	checkEnc = PR_FALSE;
+	keyHandle = handle->peerDB;
+    }
+
+    if ((keyHandle == NULL) || 
+	((SFTK_GET_SDB(keyHandle)->sdb_flags & SDB_HAS_META) == 0)  ||
+	(keyHandle->passwordKey.data == NULL)) {
+	checkSig = PR_FALSE;
+    }
+
+    for (i=0; i < count; i++) {
+	CK_ULONG length = template[i].ulValueLen;
+	template[i].ulValueLen = ntemplate[i].ulValueLen;
+	/* fixup ulongs */
+	if (ntemplate[i].ulValueLen == SDB_ULONG_SIZE) {
+	    if (sftkdb_isULONGAttribute(template[i].type)) {
+		if (template[i].pValue) {
+		    CK_ULONG value;
+		    unsigned char *data;
+
+		    data = (unsigned char *)ntemplate[i].pValue;
+		    value = sftk_SDBULong2ULong(ntemplate[i].pValue);
+		    if (length < sizeof(CK_ULONG)) {
+			template[i].ulValueLen = -1;
+			crv = CKR_BUFFER_TOO_SMALL;
+			continue;
+		    } 
+		    PORT_Memcpy(template[i].pValue,&value,sizeof(CK_ULONG));
+		}
+		template[i].ulValueLen = sizeof(CK_ULONG);
+	    }
+	}
+
+	/* if no data was retrieved, no need to process encrypted or signed
+	 * attributes */
+	if ((template[i].pValue == NULL) || (template[i].ulValueLen == -1)) {
+	    continue;
+	}
+
+	/* fixup private attributes */
+	if (checkEnc && sftkdb_isPrivateAttribute(ntemplate[i].type)) {
+	    /* we have a private attribute */
+	    /* This code depends on the fact that the cipherText is bigger
+	     * than the plain text */
+	    SECItem cipherText;
+	    SECItem *plainText;
+	    SECStatus rv;
+
+	    cipherText.data = ntemplate[i].pValue;
+	    cipherText.len = ntemplate[i].ulValueLen;
+    	    PZ_Lock(handle->passwordLock);
+	    if (handle->passwordKey.data == NULL) {
+		PZ_Unlock(handle->passwordLock);
+		template[i].ulValueLen = -1;
+		crv = CKR_USER_NOT_LOGGED_IN;
+		continue;
+	    }
+	    rv = sftkdb_DecryptAttribute(&handle->passwordKey, 
+					&cipherText, &plainText);
+	    PZ_Unlock(handle->passwordLock);
+	    if (rv != SECSuccess) {
+		PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+		template[i].ulValueLen = -1;
+		crv = CKR_GENERAL_ERROR;
+		continue;
+	    }
+	    PORT_Assert(template[i].ulValueLen >= plainText->len);
+	    if (template[i].ulValueLen < plainText->len) {
+		SECITEM_FreeItem(plainText,PR_TRUE);
+		PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+		template[i].ulValueLen = -1;
+		crv = CKR_GENERAL_ERROR;
+		continue;
+	    }
+		
+	    /* copy the plain text back into the template */
+	    PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
+	    template[i].ulValueLen = plainText->len;
+	    SECITEM_FreeItem(plainText,PR_TRUE);
+	}
+	/* make sure signed attributes are valid */
+	if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
+	    SECStatus rv;
+	    SECItem signText;
+	    SECItem plainText;
+	    unsigned char signData[SDB_MAX_META_DATA_LEN];
+
+	    signText.data = signData;
+	    signText.len = sizeof(signData);
+
+	    rv = sftkdb_getAttributeSignature(handle, keyHandle, 
+				objectID, ntemplate[i].type, &signText);
+	    if (rv != SECSuccess) {
+		PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+		template[i].ulValueLen = -1;
+		crv = CKR_DATA_INVALID; /* better error code? */
+		continue;
+	    }
+
+	    plainText.data = ntemplate[i].pValue;
+	    plainText.len = ntemplate[i].ulValueLen;
+
+	    /*
+	     * we do a second check holding the lock just in case the user
+	     * loggout while we were trying to get the signature.
+	     */
+    	    PZ_Lock(keyHandle->passwordLock);
+	    if (keyHandle->passwordKey.data == NULL) {
+		/* if we are no longer logged in, no use checking the other
+		 * Signatures either. */
+		checkSig = PR_FALSE; 
+		PZ_Unlock(keyHandle->passwordLock);
+		continue;
+	    }
+
+	    rv = sftkdb_VerifyAttribute(&keyHandle->passwordKey, 
+				objectID, ntemplate[i].type,
+				&plainText, &signText);
+	    PZ_Unlock(keyHandle->passwordLock);
+	    if (rv != SECSuccess) {
+		PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+		template[i].ulValueLen = -1;
+		crv = CKR_SIGNATURE_INVALID; /* better error code? */
+	    }
+	    /* This Attribute is fine */
+	}
+    }
+    return crv;
+}
+
+/*
+ * Some attributes are signed with an HMAC and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ *
+ * Those attributes are:
+ * 1) Trust object hashes and trust values.
+ * 2) public key values.
+ *
+ * Certs themselves are considered properly authenticated by virtue of their
+ * signature, or their matching hash with the trust object.
+ *
+ * These signature is only checked for objects coming from shared databases. 
+ * Older dbm style databases have such no signature checks. HMACs are also 
+ * only checked when the token is logged in, as it requires a pbe generated 
+ * from the password.
+ *
+ * Tokens which have no key database (and therefore no master password) do not
+ * have any stored signature values. Signature values are stored in the key
+ * database, since the signature data is tightly coupled to the key database
+ * password. 
+ *
+ * This function takes a template of attributes that were either created or
+ * modified. These attributes are checked to see if the need to be signed.
+ * If they do, then this function signs the attributes and writes them
+ * to the meta data store.
+ *
+ * This function can fail if there are attributes that must be signed, but
+ * the token is not logged in.
+ *
+ * The caller is expected to abort any transaction he was in in the
+ * event of a failure of this function.
+ */
+static CK_RV
+sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle, 
+		  PRBool mayBeUpdateDB,
+		  CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template,
+		  CK_ULONG count)
+{
+    int i;
+    SFTKDBHandle *keyHandle = handle;
+    SDB *keyTarget = NULL;
+
+    PORT_Assert(handle);
+
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	keyHandle = handle->peerDB;
+    }
+
+    /* no key DB defined? then no need to sign anything */
+    if (keyHandle == NULL) {
+	return CKR_OK;
+    }
+
+    /* When we are in a middle of an update, we have an update database set, 
+     * but we want to write to the real database. The bool mayBeUpdateDB is
+     * set to TRUE if it's possible that we want to write an update database
+     * rather than a primary */
+    keyTarget = (mayBeUpdateDB && keyHandle->update) ? 
+		keyHandle->update : keyHandle->db;
+
+    /* skip the the database does not support meta data */
+    if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
+	return CKR_OK;
+    }
+
+    for (i=0; i < count; i ++) {
+	if (sftkdb_isAuthenticatedAttribute(template[i].type)) {
+	    SECStatus rv;
+	    SECItem *signText;
+	    SECItem plainText;
+
+	    plainText.data = template[i].pValue;
+	    plainText.len = template[i].ulValueLen;
+	    PZ_Lock(keyHandle->passwordLock);
+	    if (keyHandle->passwordKey.data == NULL) {
+		PZ_Unlock(keyHandle->passwordLock);
+		return CKR_USER_NOT_LOGGED_IN;
+	    }
+	    rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey, 
+				objectID, template[i].type,
+				&plainText, &signText);
+	    PZ_Unlock(keyHandle->passwordLock);
+	    if (rv != SECSuccess) {
+		return CKR_GENERAL_ERROR; /* better error code here? */
+	    }
+	    rv = sftkdb_PutAttributeSignature(handle, keyTarget, 
+				objectID, template[i].type, signText);
+	    if (rv != SECSuccess) {
+		return CKR_GENERAL_ERROR; /* better error code here? */
+	    }
+	}
+    }
+    return CKR_OK;
+}
+
+static CK_RV
+sftkdb_CreateObject(PRArenaPool *arena, SFTKDBHandle *handle, 
+	SDB *db, CK_OBJECT_HANDLE *objectID,
+        CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    PRBool inTransaction = PR_FALSE;
+    CK_RV crv;
+
+    inTransaction = PR_TRUE;
+    
+    crv = (*db->sdb_CreateObject)(db, objectID, template, count);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = sftk_signTemplate(arena, handle, (db == handle->update),
+					*objectID, template, count);
+loser:
+
+    return crv;
+}
+
+
+CK_ATTRIBUTE * 
+sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object, 
+		     SFTKDBHandle *handle,CK_ULONG *pcount, 
+		     CK_RV *crv)
+{
+    int count;
+    CK_ATTRIBUTE *template;
+    int i, templateIndex;
+    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+    PRBool doEnc = PR_TRUE;
+
+    *crv = CKR_OK;
+
+    if (sessObject == NULL) {
+	*crv = CKR_GENERAL_ERROR; /* internal programming error */
+	return NULL;
+    }
+
+    PORT_Assert(handle);
+    /* find the key handle */
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	doEnc = PR_FALSE;
+    }
+
+    PZ_Lock(sessObject->attributeLock);
+    count = 0;
+    for (i=0; i < sessObject->hashSize; i++) {
+	SFTKAttribute *attr;
+   	for (attr=sessObject->head[i]; attr; attr=attr->next) {
+	    count++;
+	}
+    }
+    template = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, count);
+    if (template == NULL) {
+        PZ_Unlock(sessObject->attributeLock);
+	*crv = CKR_HOST_MEMORY;
+	return NULL;
+    }
+    templateIndex = 0;
+    for (i=0; i < sessObject->hashSize; i++) {
+	SFTKAttribute *attr;
+   	for (attr=sessObject->head[i]; attr; attr=attr->next) {
+	    CK_ATTRIBUTE *tp = &template[templateIndex++];
+	    /* copy the attribute */
+	    *tp = attr->attrib;
+
+	    /* fixup  ULONG s */
+	    if ((tp->ulValueLen == sizeof (CK_ULONG)) &&
+		(sftkdb_isULONGAttribute(tp->type)) ) {
+		CK_ULONG value = *(CK_ULONG *) tp->pValue;
+		unsigned char *data;
+
+		tp->pValue = PORT_ArenaAlloc(arena, SDB_ULONG_SIZE);
+		data = (unsigned char *)tp->pValue;
+		if (data == NULL) {
+		    *crv = CKR_HOST_MEMORY;
+		    break;
+		}
+		sftk_ULong2SDBULong(data, value);
+		tp->ulValueLen = SDB_ULONG_SIZE;
+	    }
+
+	    /* encrypt private attributes */
+	    if (doEnc && sftkdb_isPrivateAttribute(tp->type)) {
+		/* we have a private attribute */
+		SECItem *cipherText;
+		SECItem plainText;
+		SECStatus rv;
+
+		plainText.data = tp->pValue;
+		plainText.len = tp->ulValueLen;
+		PZ_Lock(handle->passwordLock);
+		if (handle->passwordKey.data == NULL) {
+		    PZ_Unlock(handle->passwordLock);
+		    *crv = CKR_USER_NOT_LOGGED_IN;
+		    break;
+		}
+		rv = sftkdb_EncryptAttribute(arena, &handle->passwordKey, 
+						&plainText, &cipherText);
+		PZ_Unlock(handle->passwordLock);
+		if (rv == SECSuccess) {
+		    tp->pValue = cipherText->data;
+		    tp->ulValueLen = cipherText->len;
+		} else {
+		    *crv = CKR_GENERAL_ERROR; /* better error code here? */
+		    break;
+		}
+		PORT_Memset(plainText.data, 0, plainText.len);
+	    }
+	}
+    }
+    PORT_Assert(templateIndex <= count);
+    PZ_Unlock(sessObject->attributeLock);
+
+    if (*crv != CKR_OK) {
+	return NULL;
+    }
+    if (pcount) {
+	*pcount = count;
+    }
+    return template;
+
+}
+
+/*
+ * return a pointer to the attribute in the give template.
+ * The return value is not const, as the caller may modify
+ * the given attribute value, but such modifications will
+ * modify the actual value in the template.
+ */
+static CK_ATTRIBUTE *
+sftkdb_getAttributeFromTemplate(CK_ATTRIBUTE_TYPE attribute, 
+			    CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+    CK_ULONG i;
+
+    for (i=0; i < len; i++) {
+	if (attribute == ptemplate[i].type) {
+	    return &ptemplate[i];
+	}
+    }
+    return NULL;
+}
+
+
+/*
+ * fetch a template which identifies 'unique' entries based on object type
+ */
+static CK_RV
+sftkdb_getFindTemplate(CK_OBJECT_CLASS objectType, unsigned char *objTypeData,
+			CK_ATTRIBUTE *findTemplate, CK_ULONG *findCount,
+			CK_ATTRIBUTE *ptemplate, int len)
+{
+    CK_ATTRIBUTE *attr;
+    CK_ULONG count = 1;
+
+    sftk_ULong2SDBULong(objTypeData, objectType);
+    findTemplate[0].type = CKA_CLASS;
+    findTemplate[0].pValue = objTypeData;
+    findTemplate[0].ulValueLen = SDB_ULONG_SIZE;
+
+    switch (objectType) {
+    case CKO_CERTIFICATE:
+    case CKO_NSS_TRUST:
+	attr = sftkdb_getAttributeFromTemplate(CKA_ISSUER, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[1] = *attr;
+	attr = sftkdb_getAttributeFromTemplate(CKA_SERIAL_NUMBER, 
+					ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[2] = *attr;
+	count = 3;
+	break;
+	
+    case CKO_PRIVATE_KEY:
+    case CKO_PUBLIC_KEY:
+    case CKO_SECRET_KEY:
+	attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[1] = *attr;
+	count = 2;
+	break;
+
+    case CKO_NSS_CRL:
+	attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[1] = *attr;
+	count = 2;
+	break;
+
+    case CKO_NSS_SMIME:
+	attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[1] = *attr;
+	attr = sftkdb_getAttributeFromTemplate(CKA_NSS_EMAIL, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[2] = *attr;
+	count = 3;
+	break;
+    default:
+	attr = sftkdb_getAttributeFromTemplate(CKA_VALUE, ptemplate, len);
+	if (attr == NULL) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	findTemplate[1] = *attr;
+	count = 2;
+	break;
+    }
+    *findCount = count;
+
+    return CKR_OK;
+}
+
+/*
+ * look to see if this object already exists and return it's object ID if
+ * it does.
+ */
+static CK_RV
+sftkdb_lookupObject(SDB *db, CK_OBJECT_CLASS objectType, 
+		 CK_OBJECT_HANDLE *id, CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+    CK_ATTRIBUTE findTemplate[3];
+    CK_ULONG count = 1;
+    CK_ULONG objCount = 0;
+    SDBFind *find = NULL;
+    unsigned char objTypeData[SDB_ULONG_SIZE];
+    CK_RV crv;
+
+    *id = CK_INVALID_HANDLE;
+    if (objectType == CKO_NSS_CRL) {
+	return CKR_OK;
+    }
+    crv = sftkdb_getFindTemplate(objectType, objTypeData,
+			findTemplate, &count, ptemplate, len);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* use the raw find, so we get the correct database */
+    crv = (*db->sdb_FindObjectsInit)(db, findTemplate, count, &find);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+    (*db->sdb_FindObjects)(db, find, id, 1, &objCount);
+    (*db->sdb_FindObjectsFinal)(db, find);
+
+    if (objCount == 0) {
+	*id = CK_INVALID_HANDLE;
+    }
+    return CKR_OK;
+}
+
+/*
+ * set an attribute and sign it if necessary
+ */
+static CK_RV
+sftkdb_setAttributeValue(PRArenaPool *arena, SFTKDBHandle *handle, 
+	SDB *db, CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template, 
+	CK_ULONG count)
+{
+    CK_RV crv;
+    crv = (*db->sdb_SetAttributeValue)(db, objectID, template, count);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+    crv = sftk_signTemplate(arena, handle, db == handle->update, 
+				objectID, template, count);
+    return crv;
+}
+
+/*
+ * write a softoken object out to the database.
+ */
+CK_RV
+sftkdb_write(SFTKDBHandle *handle, SFTKObject *object, 
+	     CK_OBJECT_HANDLE *objectID)
+{
+    CK_ATTRIBUTE *template;
+    PLArenaPool *arena;
+    CK_ULONG count;
+    CK_RV crv;
+    SDB *db;
+    PRBool inTransaction = PR_FALSE;
+    CK_OBJECT_HANDLE id;
+
+    *objectID = CK_INVALID_HANDLE;
+
+    if (handle == NULL) {
+	return  CKR_TOKEN_WRITE_PROTECTED;
+    }
+    db = SFTK_GET_SDB(handle);
+
+    arena = PORT_NewArena(256);
+    if (arena ==  NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    template = sftk_ExtractTemplate(arena, object, handle, &count, &crv);
+    if (!template) {
+	goto loser;
+    }
+
+    crv = (*db->sdb_Begin)(db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    inTransaction = PR_TRUE;
+
+    crv = sftkdb_lookupObject(db, object->objclass, &id, template, count);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    if (id == CK_INVALID_HANDLE) {
+        crv = sftkdb_CreateObject(arena, handle, db, objectID, template, count);
+    } else {
+	/* object already exists, modify it's attributes */
+	*objectID = id;
+        crv = sftkdb_setAttributeValue(arena, handle, db, id, template, count);
+    }
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    crv = (*db->sdb_Commit)(db);
+    inTransaction = PR_FALSE;
+
+loser:
+    if (inTransaction) {
+	(*handle->db->sdb_Abort)(handle->db);
+	/* It is trivial to show the following code cannot
+	 * happen unless something is horribly wrong with our compilier or
+	 * hardware */
+	PORT_Assert(crv != CKR_OK);
+	if (crv == CKR_OK) crv = CKR_GENERAL_ERROR;
+    }
+
+    if (arena) {
+	PORT_FreeArena(arena,PR_FALSE);
+    }
+    if (crv == CKR_OK) {
+	*objectID |= (handle->type | SFTK_TOKEN_TYPE);
+    } 
+    return crv;
+}
+
+
+CK_RV 
+sftkdb_FindObjectsInit(SFTKDBHandle *handle, const CK_ATTRIBUTE *template,
+				 CK_ULONG count, SDBFind **find) 
+{
+    unsigned char *data = NULL;
+    CK_ATTRIBUTE *ntemplate = NULL;
+    CK_RV crv;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+
+    if (count !=  0) {
+	ntemplate = sftkdb_fixupTemplateIn(template, count, &data);
+	if (ntemplate == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+    }
+	
+    crv = (*db->sdb_FindObjectsInit)(db, ntemplate, 
+					     count, find);
+    if (data) {
+	PORT_Free(ntemplate);
+	PORT_Free(data);
+    }
+    return crv;
+}
+
+CK_RV 
+sftkdb_FindObjects(SFTKDBHandle *handle, SDBFind *find, 
+			CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count)
+{
+    CK_RV crv;
+    SDB *db;
+
+    if (handle == NULL) {
+	*count = 0;
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+
+    crv = (*db->sdb_FindObjects)(db, find, ids, 
+					    arraySize, count);
+    if (crv == CKR_OK) {
+	int i;
+	for (i=0; i < *count; i++) {
+	    ids[i] |= (handle->type | SFTK_TOKEN_TYPE);
+	}
+    }
+    return crv;
+}
+
+CK_RV sftkdb_FindObjectsFinal(SFTKDBHandle *handle, SDBFind *find)
+{
+    SDB *db;
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+    return (*db->sdb_FindObjectsFinal)(db, find);
+}
+
+CK_RV
+sftkdb_GetAttributeValue(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+                                CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    CK_RV crv,crv2;
+    CK_ATTRIBUTE *ntemplate;
+    unsigned char *data = NULL;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    /* short circuit common attributes */
+    if (count == 1 && 
+	  (template[0].type == CKA_TOKEN || 
+	   template[0].type == CKA_PRIVATE ||
+	   template[0].type == CKA_SENSITIVE)) {
+	CK_BBOOL boolVal = CK_TRUE;
+
+	if (template[0].pValue == NULL) {
+	    template[0].ulValueLen = sizeof(CK_BBOOL);
+	    return CKR_OK;
+	}
+	if (template[0].ulValueLen < sizeof(CK_BBOOL)) {
+	    template[0].ulValueLen = -1;
+	    return CKR_BUFFER_TOO_SMALL;
+	}
+
+	if ((template[0].type == CKA_PRIVATE) &&
+    				(handle->type != SFTK_KEYDB_TYPE)) {
+	    boolVal = CK_FALSE;
+	}
+	if ((template[0].type == CKA_SENSITIVE) &&
+    				(handle->type != SFTK_KEYDB_TYPE)) {
+	    boolVal = CK_FALSE;
+	}
+	*(CK_BBOOL *)template[0].pValue = boolVal;
+	template[0].ulValueLen = sizeof(CK_BBOOL);
+	return CKR_OK;
+    }
+
+    db = SFTK_GET_SDB(handle);
+    /* nothing to do */
+    if (count == 0) {
+	return CKR_OK;
+    }
+    ntemplate = sftkdb_fixupTemplateIn(template, count, &data);
+    if (ntemplate == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    objectID &= SFTK_OBJ_ID_MASK;
+    crv = (*db->sdb_GetAttributeValue)(db, objectID, 
+						ntemplate, count);
+    crv2 = sftkdb_fixupTemplateOut(template, objectID, ntemplate, 
+						count, handle);
+    if (crv == CKR_OK) crv = crv2;
+    if (data) {
+	PORT_Free(ntemplate);
+	PORT_Free(data);
+    }
+    return crv;
+
+}
+
+CK_RV
+sftkdb_SetAttributeValue(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+                                const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+    CK_RV crv = CKR_OK;
+    CK_ATTRIBUTE *ntemplate;
+    unsigned char *data = NULL;
+    PLArenaPool *arena = NULL;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    db = SFTK_GET_SDB(handle);
+    /* nothing to do */
+    if (count == 0) {
+	return CKR_OK;
+    }
+
+    ntemplate = sftkdb_fixupTemplateIn(template, count, &data);
+    if (ntemplate == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    arena = PORT_NewArena(256);
+    if (arena ==  NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    objectID &= SFTK_OBJ_ID_MASK;
+    crv = (*db->sdb_Begin)(db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = sftkdb_setAttributeValue(arena, handle, db, 
+				   objectID, template, count);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = (*db->sdb_Commit)(db);
+loser:
+    if (crv != CKR_OK) {
+	(*db->sdb_Abort)(db);
+    }
+    if (data) {
+	PORT_Free(ntemplate);
+	PORT_Free(data);
+    }
+    PORT_FreeArena(arena, PR_FALSE);
+    return crv;
+}
+
+CK_RV
+sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID)
+{
+    CK_RV crv = CKR_OK;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    db = SFTK_GET_SDB(handle);
+    objectID &= SFTK_OBJ_ID_MASK;
+    crv = (*db->sdb_Begin)(db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = (*db->sdb_DestroyObject)(db, objectID);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = (*db->sdb_Commit)(db);
+loser:
+    if (crv != CKR_OK) {
+	(*db->sdb_Abort)(db);
+    }
+    return crv;
+}
+
+CK_RV
+sftkdb_CloseDB(SFTKDBHandle *handle)
+{
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    if (handle->update) {
+	(*handle->update->sdb_Close)(handle->update);
+    }
+    if (handle->db) {
+	(*handle->db->sdb_Close)(handle->db);
+    }
+    if (handle->passwordLock) {
+	PZ_DestroyLock(handle->passwordLock);
+    }
+    if (handle->updatePasswordKey) {
+	SECITEM_FreeItem(handle->updatePasswordKey, PR_TRUE);
+    }
+    if (handle->updateID) {
+	PORT_Free(handle->updateID);
+    }
+    PORT_Free(handle);
+    return CKR_OK;
+}
+
+/*
+ * reset a database to it's uninitialized state. 
+ */
+static CK_RV
+sftkdb_ResetDB(SFTKDBHandle *handle)
+{
+    CK_RV crv = CKR_OK;
+    SDB *db;
+    if (handle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    db = SFTK_GET_SDB(handle);
+    crv = (*db->sdb_Begin)(db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = (*db->sdb_Reset)(db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    crv = (*db->sdb_Commit)(db);
+loser:
+    if (crv != CKR_OK) {
+	(*db->sdb_Abort)(db);
+    }
+    return crv;
+}
+
+
+CK_RV
+sftkdb_Begin(SFTKDBHandle *handle)
+{
+    CK_RV crv = CKR_OK;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+    if (db) {
+	crv = (*db->sdb_Begin)(db);
+    }
+    return crv;
+}
+
+CK_RV
+sftkdb_Commit(SFTKDBHandle *handle)
+{
+    CK_RV crv = CKR_OK;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+    if (db) {
+	(*db->sdb_Commit)(db);
+    }
+    return crv;
+}
+
+CK_RV
+sftkdb_Abort(SFTKDBHandle *handle)
+{
+    CK_RV crv = CKR_OK;
+    SDB *db;
+
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    db = SFTK_GET_SDB(handle);
+    if (db) {
+	crv = (db->sdb_Abort)(db);
+    }
+    return crv;
+}
+
+
+/*
+ * functions to update the database from an old database
+ */
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+    CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+    CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+    CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+    CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+    CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+    CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+    CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+    CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+    CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+    CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+    CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, 
+    CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+    CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+    CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+    CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+    CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE,
+    CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT,
+    CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS,
+    CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS,
+    CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE,
+    CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES,
+    CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NSS_URL, CKA_NSS_EMAIL,
+    CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP,
+    CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES,
+    CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED,
+    CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC,
+    CKA_TRUST_DIGITAL_SIGNATURE, CKA_TRUST_NON_REPUDIATION,
+    CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT,
+    CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN,
+    CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING,
+    CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
+    CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
+    CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+    CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS
+};
+
+static int known_attributes_size= sizeof(known_attributes)/
+			   sizeof(known_attributes[0]);
+
+static CK_RV
+sftkdb_GetObjectTemplate(SDB *source, CK_OBJECT_HANDLE id,
+		CK_ATTRIBUTE *ptemplate, CK_ULONG *max)
+{
+    int i,j;
+    CK_RV crv;
+
+    if (*max < known_attributes_size) {
+	*max = known_attributes_size;
+	return CKR_BUFFER_TOO_SMALL;
+    }
+    for (i=0; i < known_attributes_size; i++) {
+	ptemplate[i].type = known_attributes[i];
+	ptemplate[i].pValue = NULL;
+	ptemplate[i].ulValueLen = 0;
+    }
+
+    crv = (*source->sdb_GetAttributeValue)(source, id, 
+					ptemplate, known_attributes_size);
+
+    if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+	return crv;
+    }
+
+    for (i=0, j=0; i < known_attributes_size; i++, j++) {
+	while (i < known_attributes_size && (ptemplate[i].ulValueLen == -1)) {
+	    i++;
+	}
+	if (i >= known_attributes_size) {
+	    break;
+	}
+	/* cheap optimization */
+	if (i == j) {
+	   continue;
+	}
+	ptemplate[j] = ptemplate[i];
+    }
+    *max = j;
+    return CKR_OK;
+}
+
+static const char SFTKDB_META_UPDATE_TEMPLATE[] = "upd_%s_%s";
+
+/*
+ * check to see if we have already updated this database.
+ * a NULL updateID means we are trying to do an in place 
+ * single database update. In that case we have already
+ * determined that an update was necessary.
+ */
+static PRBool 
+sftkdb_hasUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+    char *id;
+    CK_RV crv;
+    SECItem dummy = { 0, NULL, 0 };
+    unsigned char dummyData[SDB_MAX_META_DATA_LEN];
+
+    if (!updateID) {
+	return PR_FALSE;
+    }
+    id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+    if (id == NULL) {
+	return PR_FALSE;
+    }
+    dummy.data = dummyData;
+    dummy.len = sizeof(dummyData);
+
+    crv = (*db->sdb_GetMetaData)(db, id, &dummy, NULL);
+    PR_smprintf_free(id);
+    return crv == CKR_OK ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * we just completed an update, store the update id
+ * so we don't need to do it again. If non was given,
+ * there is nothing to do.
+ */
+static CK_RV
+sftkdb_putUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+    char *id;
+    CK_RV crv;
+    SECItem dummy = { 0, NULL, 0 };
+
+    /* if no id was given, nothing to do */
+    if (updateID == NULL) {
+	return CKR_OK;
+    }
+
+    dummy.data = (unsigned char *)updateID;
+    dummy.len = PORT_Strlen(updateID);
+
+    id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+    if (id == NULL) {
+	return PR_FALSE;
+    }
+
+    crv = (*db->sdb_PutMetaData)(db, id, &dummy, NULL);
+    PR_smprintf_free(id);
+    return crv;
+}
+
+/*
+ * get a ULong attribute from a template:
+ * NOTE: this is a raw templated stored in database order!
+ */
+static CK_ULONG
+sftkdb_getULongFromTemplate(CK_ATTRIBUTE_TYPE type, 
+			CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+    CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(type,
+					ptemplate, len);
+
+    if (attr && attr->pValue && attr->ulValueLen == SDB_ULONG_SIZE) {
+	return sftk_SDBULong2ULong(attr->pValue);
+    }
+    return (CK_ULONG)-1;
+}
+
+/*
+ * we need to find a unique CKA_ID.
+ *  The basic idea is to just increment the lowest byte.
+ *  This code also handles the following corner cases:
+ *   1) the single byte overflows. On overflow we increment the next byte up 
+ *    and so forth until we have overflowed the entire CKA_ID.
+ *   2) If we overflow the entire CKA_ID we expand it by one byte.
+ *   3) the CKA_ID is non-existant, we create a new one with one byte.
+ *    This means no matter what CKA_ID is passed, the result of this function 
+ *    is always a new CKA_ID, and this function will never return the same 
+ *    CKA_ID the it has returned in the passed.
+ */
+static CK_RV
+sftkdb_incrementCKAID(PRArenaPool *arena, CK_ATTRIBUTE *ptemplate)
+{
+    unsigned char *buf = ptemplate->pValue;
+    CK_ULONG len = ptemplate->ulValueLen;
+
+    if (buf == NULL || len == (CK_ULONG)-1) {
+	/* we have no valid CKAID, we'll create a basic one byte CKA_ID below */
+	len = 0;
+    } else {
+	CK_ULONG i;
+
+	/* walk from the back to front, incrementing
+	 * the CKA_ID until we no longer have a carry,
+	 * or have hit the front of the id. */
+	for (i=len; i != 0; i--) {
+	    buf[i-1]++;
+	    if (buf[i-1] != 0) {
+		/* no more carries, the increment is complete */
+		return CKR_OK;
+	     }
+	}
+	/* we've now overflowed, fall through and expand the CKA_ID by 
+	 * one byte */
+    } 
+    buf = PORT_ArenaAlloc(arena, len+1);
+    if (!buf) {
+	return CKR_HOST_MEMORY;
+    }
+    if (len > 0) {
+	 PORT_Memcpy(buf, ptemplate->pValue, len);
+    }
+    buf[len] = 0;
+    ptemplate->pValue = buf;
+    ptemplate->ulValueLen = len+1;
+    return CKR_OK;
+}
+
+/*
+ * drop an attribute from a template.
+ */
+void
+sftkdb_dropAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE *ptemplate, 
+			CK_ULONG *plen)
+{
+   CK_ULONG count = *plen;
+   CK_ULONG i;
+
+   for (i=0; i < count; i++) {
+	if (attr->type == ptemplate[i].type) {
+	    break;
+	}
+   }
+
+   if (i == count) {
+	/* attribute not found */
+	return;
+   }
+
+   /* copy the remaining attributes up */
+   for ( i++; i < count; i++) {
+	ptemplate[i-1] = ptemplate[i];
+   }
+
+   /* decrement the template size */
+   *plen = count -1;
+}
+
+/*
+ * create some defines for the following functions to document the meaning
+ * of true/false. (make's it easier to remember what means what.
+ */
+typedef enum {
+	SFTKDB_DO_NOTHING = 0,
+	SFTKDB_ADD_OBJECT,
+	SFTKDB_MODIFY_OBJECT,
+	SFTKDB_DROP_ATTRIBUTE
+} sftkdbUpdateStatus;
+
+/*
+ * helper function to reconsile a single trust entry.
+ *   Identify which trust entry we want to keep.
+ *   If we don't need to do anything (the records are already equal).
+ *       return SFTKDB_DO_NOTHING.
+ *   If we want to use the source version,
+ *       return SFTKDB_MODIFY_OBJECT
+ *   If we want to use the target version,
+ *       return SFTKDB_DROP_ATTRIBUTE
+ *
+ *   In the end the caller will remove any attributes in the source
+ *   template when SFTKDB_DROP_ATTRIBUTE is specified, then use do a 
+ *   set attributes with that template on the target if we received 
+ *   any SFTKDB_MODIFY_OBJECT returns.
+ */
+sftkdbUpdateStatus
+sftkdb_reconsileTrustEntry(PRArenaPool *arena, CK_ATTRIBUTE *target, 
+			   CK_ATTRIBUTE *source)
+{
+    CK_ULONG targetTrust = sftkdb_getULongFromTemplate(target->type,
+			target, 1);
+    CK_ULONG sourceTrust = sftkdb_getULongFromTemplate(target->type,
+			source, 1);
+
+    /*
+     * try to pick the best solution between the source and the
+     * target. Update the source template if we want the target value
+     * to win out. Prefer cases where we don't actually update the
+     * trust entry.
+     */
+
+    /* they are the same, everything is already kosher */
+    if (targetTrust == sourceTrust) {
+	return SFTKDB_DO_NOTHING;
+    }
+
+    /* handle the case where the source Trust attribute may be a bit
+     * flakey */
+    if (sourceTrust == (CK_ULONG)-1) {
+	/*
+	 * The source Trust is invalid. We know that the target Trust
+	 * must be valid here, otherwise the above 
+	 * targetTrust == sourceTrust check would have succeeded.
+	 */
+	return SFTKDB_DROP_ATTRIBUTE;
+    }
+
+    /* target is invalid, use the source's idea of the trust value */
+    if (targetTrust == (CK_ULONG)-1) {
+	/* overwriting the target in this case is OK */
+	return SFTKDB_MODIFY_OBJECT;
+    }
+
+    /* at this point we know that both attributes exist and have the
+     * appropriate length (SDB_ULONG_SIZE). We no longer need to check
+     * ulValueLen for either attribute.
+     */
+    if (sourceTrust == CKT_NSS_TRUST_UNKNOWN) {
+	return SFTKDB_DROP_ATTRIBUTE;
+    }
+
+    /* target has no idea, use the source's idea of the trust value */
+    if (targetTrust == CKT_NSS_TRUST_UNKNOWN) {
+	/* overwriting the target in this case is OK */
+	return SFTKDB_MODIFY_OBJECT;
+    }
+
+    /* so both the target and the source have some idea of what this 
+     * trust attribute should be, and neither agree exactly. 
+     * At this point, we prefer 'hard' attributes over 'soft' ones. 
+     * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and
+     * CKT_NSS_UNTRUTED. Soft ones are ones which don't change the
+     * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID,
+     * CKT_NSS_VALID_DELEGATOR).
+     */
+    if ((sourceTrust == CKT_NSS_MUST_VERIFY) 
+	|| (sourceTrust == CKT_NSS_VALID)
+	|| (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
+	return SFTKDB_DROP_ATTRIBUTE;
+    }
+    if ((targetTrust == CKT_NSS_MUST_VERIFY) 
+	|| (targetTrust == CKT_NSS_VALID)
+	|| (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
+	/* again, overwriting the target in this case is OK */
+	return SFTKDB_MODIFY_OBJECT;
+    }
+
+    /* both have hard attributes, we have a conflict, let the target win. */
+    return SFTKDB_DROP_ATTRIBUTE;
+}
+
+const CK_ATTRIBUTE_TYPE sftkdb_trustList[] =
+	{ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH,
+	  CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION,
+	  CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER,
+	  CKA_TRUST_TIME_STAMPING };
+
+#define SFTK_TRUST_TEMPLATE_COUNT \
+		(sizeof(sftkdb_trustList)/sizeof(sftkdb_trustList[0]))
+/*
+ * Run through the list of known trust types, and reconsile each trust
+ * entry one by one. Keep track of we really need to write out the source
+ * trust object (overwriting the existing one).
+ */
+static sftkdbUpdateStatus
+sftkdb_reconsileTrust(PRArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id, 
+		      CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+    CK_ATTRIBUTE trustTemplate[SFTK_TRUST_TEMPLATE_COUNT];
+    unsigned char trustData[SFTK_TRUST_TEMPLATE_COUNT*SDB_ULONG_SIZE];
+    sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+    CK_ULONG i;
+    CK_RV crv;
+
+
+    for (i=0; i < SFTK_TRUST_TEMPLATE_COUNT;  i++) {
+	trustTemplate[i].type = sftkdb_trustList[i];
+	trustTemplate[i].pValue = &trustData[i*SDB_ULONG_SIZE];
+	trustTemplate[i].ulValueLen = SDB_ULONG_SIZE;
+    }
+    crv = (*db->sdb_GetAttributeValue)(db, id, 
+				trustTemplate, SFTK_TRUST_TEMPLATE_COUNT);
+    if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+	/* target trust has some problems, update it */
+	update = SFTKDB_MODIFY_OBJECT;
+	goto done;
+    }
+
+    for (i=0; i < SFTK_TRUST_TEMPLATE_COUNT; i++) {
+	CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(
+			trustTemplate[i].type, ptemplate, *plen);
+	sftkdbUpdateStatus status;
+
+
+	/* if target trust value doesn't exist, nothing to merge */
+	if (trustTemplate[i].ulValueLen == (CK_ULONG)-1) {
+	    /* if the source exists, then we want the source entry,
+	     * go ahead and update */
+	    if (attr && attr->ulValueLen != (CK_ULONG)-1) {
+		update = SFTKDB_MODIFY_OBJECT;
+	    }
+	    continue;
+	}
+
+	/*
+	 * the source doesn't have the attribute, go to the next attribute
+	 */
+	if (attr == NULL) {
+	    continue;
+		
+	}
+	status = sftkdb_reconsileTrustEntry(arena, &trustTemplate[i], attr);
+	if (status == SFTKDB_MODIFY_OBJECT) {
+	    update = SFTKDB_MODIFY_OBJECT;
+	} else if (status == SFTKDB_DROP_ATTRIBUTE) {
+	    /* drop the source copy of the attribute, we are going with
+	     * the target's version */
+	    sftkdb_dropAttribute(attr, ptemplate, plen);
+	}
+    }
+
+    /* finally manage stepup */
+    if (update == SFTKDB_MODIFY_OBJECT) {
+	CK_BBOOL stepUpBool = CK_FALSE;
+	/* if we are going to write from the source, make sure we don't
+	 * overwrite the stepup bit if it's on*/
+	trustTemplate[0].type = CKA_TRUST_STEP_UP_APPROVED;
+	trustTemplate[0].pValue = &stepUpBool;
+	trustTemplate[0].ulValueLen = sizeof(stepUpBool);
+    	crv = (*db->sdb_GetAttributeValue)(db, id, trustTemplate, 1);
+	if ((crv == CKR_OK) && (stepUpBool == CK_TRUE)) {
+	    sftkdb_dropAttribute(trustTemplate, ptemplate, plen);
+	}
+    } else {
+	/* we currently aren't going to update. If the source stepup bit is
+	 * on however, do an update so the target gets it as well */
+	CK_ATTRIBUTE *attr;
+
+	attr = sftkdb_getAttributeFromTemplate(CKA_TRUST_STEP_UP_APPROVED,
+			ptemplate, *plen);
+	if (attr && (attr->ulValueLen == sizeof(CK_BBOOL)) &&  
+			(*(CK_BBOOL *)(attr->pValue) == CK_TRUE)) {
+		update = SFTKDB_MODIFY_OBJECT;
+	}
+    }
+    
+done:
+    return update;
+}
+
+static sftkdbUpdateStatus
+sftkdb_handleIDAndName(PRArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id, 
+		      CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+    sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+    CK_ATTRIBUTE *attr1, *attr2;
+    CK_ATTRIBUTE ttemplate[2] = {
+	{CKA_ID, NULL, 0},
+	{CKA_LABEL, NULL, 0}
+    };
+    CK_RV crv;
+
+    attr1 = sftkdb_getAttributeFromTemplate(CKA_LABEL, ptemplate, *plen);
+    attr2 = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, *plen);
+
+    /* if the source has neither an id nor label, don't bother updating */
+    if ( (!attr1 || attr1->ulValueLen == 0) &&
+	 (! attr2 ||  attr2->ulValueLen == 0) ) {
+	return SFTKDB_DO_NOTHING;
+    }
+
+    /* the source has either an id or a label, see what the target has */
+    crv = (*db->sdb_GetAttributeValue)(db, id, ttemplate, 2);
+
+    /* if the target has neither, update from the source */
+    if ( ((ttemplate[0].ulValueLen == 0) || 
+	  (ttemplate[0].ulValueLen == (CK_ULONG)-1))  &&
+         ((ttemplate[1].ulValueLen == 0) || 
+	  (ttemplate[1].ulValueLen == (CK_ULONG)-1)) ) {
+	return SFTKDB_MODIFY_OBJECT;
+    }
+
+    /* check the CKA_ID */
+    if ((ttemplate[0].ulValueLen != 0) && 
+	(ttemplate[0].ulValueLen != (CK_ULONG)-1)) {
+	/* we have a CKA_ID in the target, don't overwrite
+	 * the target with an empty CKA_ID from the source*/
+	if (attr1 && attr1->ulValueLen == 0) {
+	    sftkdb_dropAttribute(attr1, ptemplate, plen);
+	}
+    } else if (attr1 && attr1->ulValueLen != 0) {
+	/* source has a CKA_ID, but the target doesn't, update the target */
+	update = SFTKDB_MODIFY_OBJECT;
+    }
+
+
+    /* check the nickname */
+    if ((ttemplate[1].ulValueLen != 0) && 
+	(ttemplate[1].ulValueLen != (CK_ULONG)-1)) {
+
+	/* we have a nickname in the target, and we don't have to update
+	 * the CKA_ID. We are done. NOTE: if we add addition attributes
+	 * in this check, this shortcut can only go on the last of them. */
+	if (update == SFTKDB_DO_NOTHING) {
+	    return update;
+	}
+	/* we have a nickname in the target, don't overwrite
+	 * the target with an empty nickname from the source */
+	if (attr2 && attr2->ulValueLen == 0) {
+	    sftkdb_dropAttribute(attr2, ptemplate, plen);
+	}
+    } else if (attr2 && attr2->ulValueLen != 0) {
+	/* source has a nickname, but the target doesn't, update the target */
+	update = SFTKDB_MODIFY_OBJECT;
+    }
+
+    return update;
+}
+
+
+		
+/*
+ * This function updates the template before we write the object out.
+ *
+ * If we are going to skip updating this object, return PR_FALSE.
+ * If it should be updated we return PR_TRUE.
+ * To help readability, these have been defined 
+ * as SFTK_DONT_UPDATE and SFTK_UPDATE respectively.
+ */
+static PRBool
+sftkdb_updateObjectTemplate(PRArenaPool *arena, SDB *db, 
+		    CK_OBJECT_CLASS objectType, 
+		    CK_ATTRIBUTE *ptemplate, CK_ULONG *plen,
+		    CK_OBJECT_HANDLE *targetID)
+{
+    CK_ATTRIBUTE findTemplate[3];
+    CK_ULONG count = 1;
+    CK_ULONG objCount = 0;
+    CK_OBJECT_HANDLE id;
+    SDBFind *find = NULL;
+    unsigned char objTypeData[SDB_ULONG_SIZE];
+    CK_RV crv;
+
+    crv = sftkdb_getFindTemplate(objectType, objTypeData,
+			findTemplate, &count, ptemplate, *plen);
+    if (crv != CKR_OK) {
+	return SFTKDB_DO_NOTHING;
+    }
+
+    do {
+	/* use the raw find, so we get the correct database */
+	crv = (*db->sdb_FindObjectsInit)(db, findTemplate, count, &find);
+	if (crv != CKR_OK) {
+	    return SFTKDB_DO_NOTHING;
+	}
+	(*db->sdb_FindObjects)(db, find, &id, 1, &objCount);
+	(*db->sdb_FindObjectsFinal)(db, find);
+
+	/* This object already exists, don't update */
+	if (objCount == 1) {
+    	    CK_ATTRIBUTE *attr = NULL;
+	    /* special post processing for attributes */
+	    switch (objectType) {
+	    case CKO_CERTIFICATE:
+	    case CKO_PUBLIC_KEY:
+	    case CKO_PRIVATE_KEY:
+		/* update target's CKA_ID and labels if they don't already 
+		 * exist */
+		*targetID = id;
+		return sftkdb_handleIDAndName(arena, db, id, ptemplate, plen);
+	    case CKO_NSS_TRUST:
+		/* if we have conflicting trust object types,
+		 * we need to reconsile them */
+		*targetID = id;
+		return sftkdb_reconsileTrust(arena, db, id, ptemplate, plen);
+	    case CKO_SECRET_KEY:
+		/* secret keys in the old database are all sdr keys, 
+		 * unfortunately they all appear to have the same CKA_ID, 
+		 * even though they are truly different keys, so we always 
+		 * want to update these keys, but we need to 
+		 * give them a new CKA_ID */
+		/* NOTE: this changes ptemplate */
+		attr = sftkdb_getAttributeFromTemplate(CKA_ID,ptemplate,*plen);
+		crv = sftkdb_incrementCKAID(arena, attr); 
+		/* in the extremely rare event that we needed memory and
+		 * couldn't get it, don't have, just drop the key */
+		if (crv != CKR_OK) {
+		    return SFTKDB_DO_NOTHING;
+		}
+		findTemplate[1] = *attr;
+		objCount = 0; /* repeat this find loop */
+		break;
+	    default:
+		/* for all other objects, if we found the equivalent object,
+		 * don't update it */
+	        return SFTKDB_DO_NOTHING;
+	    }
+	}
+    } while (objCount == 1);
+
+    /* this object doesn't exist, update it */
+    return SFTKDB_ADD_OBJECT;
+}
+
+
+#define MAX_ATTRIBUTES 500
+static CK_RV
+sftkdb_mergeObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE id, 
+		   SECItem *key)
+{
+    CK_ATTRIBUTE template[MAX_ATTRIBUTES];
+    CK_ATTRIBUTE *ptemplate;
+    CK_ULONG max_attributes = MAX_ATTRIBUTES;
+    CK_OBJECT_CLASS objectType;
+    SDB *source = handle->update;
+    SDB *target = handle->db;
+    int i;
+    CK_RV crv;
+    PLArenaPool *arena = NULL;
+
+    arena = PORT_NewArena(256);
+    if (arena ==  NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    ptemplate = &template[0];
+    id &= SFTK_OBJ_ID_MASK;
+    crv = sftkdb_GetObjectTemplate(source, id, ptemplate, &max_attributes);
+    if (crv == CKR_BUFFER_TOO_SMALL) {
+	ptemplate = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, max_attributes);
+	if (ptemplate == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	} else {
+            crv = sftkdb_GetObjectTemplate(source, id, 
+					   ptemplate, &max_attributes);
+	}
+    }
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    for (i=0; i < max_attributes; i++) {
+	ptemplate[i].pValue = PORT_ArenaAlloc(arena,ptemplate[i].ulValueLen);
+	if (ptemplate[i].pValue == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    goto loser;
+	}
+    }
+    crv = (*source->sdb_GetAttributeValue)(source, id, 
+					   ptemplate, max_attributes);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
+							 max_attributes);
+
+    /*
+     * Update Object updates the object template if necessary then returns 
+     * whether or not we need to actually write the object out to our target 
+     * database.
+     */
+    if (!handle->updateID) {
+	    crv = sftkdb_CreateObject(arena, handle, target, &id, 
+				ptemplate, max_attributes);
+    } else {
+	sftkdbUpdateStatus update_status;
+	update_status  = sftkdb_updateObjectTemplate(arena, target, 
+			objectType, ptemplate, &max_attributes, &id);
+	switch (update_status) {
+	case SFTKDB_ADD_OBJECT:
+	    crv = sftkdb_CreateObject(arena, handle, target, &id, 
+				ptemplate, max_attributes);
+	    break;
+	case SFTKDB_MODIFY_OBJECT:
+    	    crv = sftkdb_setAttributeValue(arena, handle, target, 
+				   id, ptemplate, max_attributes);
+	    break;
+	case SFTKDB_DO_NOTHING:
+	case SFTKDB_DROP_ATTRIBUTE:
+	    break;
+	}
+    } 
+
+loser:
+    if (arena) {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+    return crv;
+}
+	
+
+#define MAX_IDS 10
+/*
+ * update a new database from an old one, now that we have the key
+ */
+CK_RV
+sftkdb_Update(SFTKDBHandle *handle, SECItem *key)
+{
+    SDBFind *find = NULL;
+    CK_ULONG idCount = MAX_IDS;
+    CK_OBJECT_HANDLE ids[MAX_IDS];
+    SECItem *updatePasswordKey = NULL;
+    CK_RV crv, crv2;
+    PRBool inTransaction = PR_FALSE;
+    int i;
+
+    if (handle == NULL) {
+	return CKR_OK;
+    }
+    if (handle->update == NULL) {
+	return CKR_OK;
+    }
+
+    /*
+     * put the whole update under a transaction. This allows us to handle
+     * any possible race conditions between with the updateID check.
+     */
+    crv = (*handle->db->sdb_Begin)(handle->db);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    inTransaction = PR_TRUE;
+    
+    /* some one else has already updated this db */
+    if (sftkdb_hasUpdate(sftkdb_TypeString(handle), 
+			 handle->db, handle->updateID)) {
+	crv = CKR_OK;
+	goto done;
+    }
+
+    updatePasswordKey = sftkdb_GetUpdatePasswordKey(handle);
+    if (updatePasswordKey) {
+	/* pass the source DB key to the legacy code, 
+	 * so it can decrypt things */
+	handle->oldKey = updatePasswordKey;
+    }
+    
+    /* find all the objects */
+    crv = sftkdb_FindObjectsInit(handle, NULL, 0, &find);
+
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    while ((crv == CKR_OK) && (idCount == MAX_IDS)) {
+	crv = sftkdb_FindObjects(handle, find, ids, MAX_IDS, &idCount);
+	for (i=0; (crv == CKR_OK) && (i < idCount); i++) {
+	    crv = sftkdb_mergeObject(handle, ids[i], key);
+	}
+    }
+    crv2 = sftkdb_FindObjectsFinal(handle, find);
+    if (crv == CKR_OK) crv = crv2;
+
+loser:
+    /* no longer need the old key value */
+    handle->oldKey = NULL;
+
+    /* update the password - even if we didn't update objects */
+    if (handle->type == SFTK_KEYDB_TYPE) {
+	SECItem item1, item2;
+	unsigned char data1[SDB_MAX_META_DATA_LEN];
+	unsigned char data2[SDB_MAX_META_DATA_LEN];
+
+	item1.data = data1;
+ 	item1.len = sizeof(data1);
+	item2.data = data2;
+ 	item2.len = sizeof(data2);
+
+	/* if the target db already has a password, skip this. */
+	crv = (*handle->db->sdb_GetMetaData)(handle->db, "password",
+			&item1, &item2);
+	if (crv == CKR_OK) {
+	    goto done;
+	}
+
+
+	/* nope, update it from the source */
+	crv = (*handle->update->sdb_GetMetaData)(handle->update, "password",
+			&item1, &item2);
+	if (crv != CKR_OK) {
+	    goto done;
+	}
+	crv = (*handle->db->sdb_PutMetaData)(handle->db, "password", &item1,
+						&item2);
+	if (crv != CKR_OK) {
+	    goto done;
+	}
+    }
+
+done:
+    /* finally mark this up to date db up to date */
+    /* some one else has already updated this db */
+    if (crv == CKR_OK) {
+	crv = sftkdb_putUpdate(sftkdb_TypeString(handle), 
+				handle->db, handle->updateID);
+    }
+
+    if (inTransaction) {
+	if (crv == CKR_OK) {
+	    crv = (*handle->db->sdb_Commit)(handle->db);
+	} else {
+	    (*handle->db->sdb_Abort)(handle->db);
+	}
+    }
+    if (handle->update) {
+	(*handle->update->sdb_Close)(handle->update);
+	handle->update = NULL;
+    }
+    if (handle->updateID) {
+	PORT_Free(handle->updateID);
+	handle->updateID = NULL;
+    }
+    sftkdb_FreeUpdatePasswordKey(handle);
+    if (updatePasswordKey) {
+	SECITEM_ZfreeItem(updatePasswordKey, PR_TRUE);
+    }
+    handle->updateDBIsInit = PR_FALSE;
+    return crv;
+}
+
+/******************************************************************
+ * DB handle managing functions.
+ * 
+ * These functions are called by softoken to initialize, acquire,
+ * and release database handles.
+ */
+
+const char *
+sftkdb_GetUpdateID(SFTKDBHandle *handle)
+{
+    return handle->updateID;
+}
+
+/* release a database handle */
+void
+sftk_freeDB(SFTKDBHandle *handle)
+{
+    PRInt32 ref;
+
+    if (!handle) return;
+    ref = PR_AtomicDecrement(&handle->ref);
+    if (ref == 0) {
+	sftkdb_CloseDB(handle);
+    }
+    return;
+}
+
+
+/*
+ * acquire a database handle for a certificate db  
+ * (database for public objects) 
+ */
+SFTKDBHandle *
+sftk_getCertDB(SFTKSlot *slot)
+{
+    SFTKDBHandle *dbHandle;
+
+    PZ_Lock(slot->slotLock);
+    dbHandle = slot->certDB;
+    if (dbHandle) {
+        PR_AtomicIncrement(&dbHandle->ref);
+    }
+    PZ_Unlock(slot->slotLock);
+    return dbHandle;
+}
+
+/*
+ * acquire a database handle for a key database 
+ * (database for private objects)
+ */
+SFTKDBHandle *
+sftk_getKeyDB(SFTKSlot *slot)
+{
+    SFTKDBHandle *dbHandle;
+
+    PZ_Lock(slot->slotLock);
+    dbHandle = slot->keyDB;
+    if (dbHandle) {
+        PR_AtomicIncrement(&dbHandle->ref);
+    }
+    PZ_Unlock(slot->slotLock);
+    return dbHandle;
+}
+
+/*
+ * acquire the database for a specific object. NOTE: objectID must point
+ * to a Token object!
+ */
+SFTKDBHandle *
+sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
+{
+    SFTKDBHandle *dbHandle;
+
+    PZ_Lock(slot->slotLock);
+    dbHandle = objectID & SFTK_KEYDB_TYPE ? slot->keyDB : slot->certDB;
+    if (dbHandle) {
+        PR_AtomicIncrement(&dbHandle->ref);
+    }
+    PZ_Unlock(slot->slotLock);
+    return dbHandle;
+}
+
+/*
+ * initialize a new database handle
+ */
+static SFTKDBHandle *
+sftk_NewDBHandle(SDB *sdb, int type)
+{
+   SFTKDBHandle *handle = PORT_New(SFTKDBHandle);
+   handle->ref = 1;
+   handle->db = sdb;
+   handle->update = NULL;
+   handle->peerDB = NULL;
+   handle->newKey = NULL;
+   handle->oldKey = NULL;
+   handle->updatePasswordKey = NULL;
+   handle->updateID = NULL;
+   handle->type = type;
+   handle->passwordKey.data = NULL;
+   handle->passwordKey.len = 0;
+   handle->passwordLock = NULL;
+   if (type == SFTK_KEYDB_TYPE) {
+	handle->passwordLock = PZ_NewLock();
+   }
+   sdb->app_private = handle;
+   return handle;
+}
+
+/*
+ * reset the key database to it's uninitialized state. This call
+ * will clear all the key entried.
+ */
+SECStatus
+sftkdb_ResetKeyDB(SFTKDBHandle *handle)
+{
+    CK_RV crv;
+
+    /* only rest the key db */
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	return SECFailure;
+    }
+    crv = sftkdb_ResetDB(handle);
+    if (crv != CKR_OK) {
+	/* set error */
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static PRBool
+sftk_oldVersionExists(const char *dir, int version)
+{
+    int i;
+    PRStatus exists = PR_FAILURE;
+    char *file = NULL;
+
+    for (i=version; i > 1 ; i--) {
+	file = PR_smprintf("%s%d.db",dir,i);
+	if (file == NULL) {
+	    continue;
+	}
+	exists = PR_Access(file, PR_ACCESS_EXISTS);
+	PR_smprintf_free(file);
+	if (exists == PR_SUCCESS) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
+static PRBool
+sftk_hasLegacyDB(const char *confdir, const char *certPrefix, 
+		 const char *keyPrefix, int certVersion, int keyVersion)
+{
+    char *dir;
+    PRBool exists;
+
+    if (certPrefix == NULL) {
+	certPrefix = "";
+    }
+
+    if (keyPrefix == NULL) {
+	keyPrefix = "";
+    }
+
+    dir= PR_smprintf("%s/%scert", confdir, certPrefix);
+    if (dir == NULL) {
+	return PR_FALSE;
+    }
+
+    exists = sftk_oldVersionExists(dir, certVersion);
+    PR_smprintf_free(dir);
+    if (exists) {
+	return PR_TRUE;
+    }
+
+    dir= PR_smprintf("%s/%skey", confdir, keyPrefix);
+    if (dir == NULL) {
+	return PR_FALSE;
+    }
+
+    exists = sftk_oldVersionExists(dir, keyVersion);
+    PR_smprintf_free(dir);
+    return exists;
+}
+
+/*
+ * initialize certificate and key database handles as a pair.
+ *
+ * This function figures out what type of database we are opening and
+ * calls the appropriate low level function to open the database.
+ * It also figures out whether or not to setup up automatic update.
+ */
+CK_RV 
+sftk_DBInit(const char *configdir, const char *certPrefix,
+                const char *keyPrefix, const char *updatedir,
+		const char *updCertPrefix, const char *updKeyPrefix, 
+		const char *updateID, PRBool readOnly, PRBool noCertDB,
+                PRBool noKeyDB, PRBool forceOpen,
+                SFTKDBHandle **certDB, SFTKDBHandle **keyDB)
+{
+    const char *confdir;
+    SDBType dbType;
+    char *appName = NULL;
+    SDB *keySDB, *certSDB;
+    CK_RV crv = CKR_OK;
+    int flags = SDB_RDONLY;
+    PRBool newInit = PR_FALSE;
+    PRBool needUpdate = PR_FALSE;
+
+    if (!readOnly) {
+	flags = SDB_CREATE;
+    }
+
+    *certDB = NULL;
+    *keyDB = NULL;
+
+    if (noKeyDB && noCertDB) {
+	return CKR_OK;
+    }
+    confdir = sftk_EvaluateConfigDir(configdir, &dbType, &appName);
+
+    /*
+     * now initialize the appropriate database
+     */
+    switch (dbType) {
+    case SDB_LEGACY:
+	crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
+		noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
+	break;
+    case SDB_MULTIACCESS:
+	crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags,
+		noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
+	break;
+    case SDB_SQL:
+    case SDB_EXTERN: /* SHOULD open a loadable db */
+	crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags, 
+		noCertDB? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
+
+        /*
+	 * if we failed to open the DB's read only, use the old ones if
+	 * the exists.
+	 */
+	if (crv != CKR_OK) {
+	    if ((flags == SDB_RDONLY)  &&
+	         sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+	    /* we have legacy databases, if we failed to open the new format 
+	     * DB's read only, just use the legacy ones */
+		crv = sftkdbCall_open(confdir, certPrefix, 
+			keyPrefix, 8, 3, flags, noCertDB? NULL : &certSDB,
+			noKeyDB ? NULL : &keySDB);
+	    }
+	/* Handle the database merge case.
+         *
+         * For the merge case, we need help from the application. Only
+         * the application knows where the old database is, and what unique
+         * identifier it has associated with it.
+         *
+         * If the client supplies these values, we use them to determine
+         * if we need to update.
+         */
+	} else if (
+	      /* both update params have been supplied */
+	      updatedir  && *updatedir && updateID  && *updateID
+	      /* old dbs exist? */
+	      && sftk_hasLegacyDB(updatedir, updCertPrefix, updKeyPrefix, 8, 3) 
+	      /* and they have not yet been updated? */
+	      && ((noKeyDB || !sftkdb_hasUpdate("key", keySDB, updateID)) 
+	      || (noCertDB || !sftkdb_hasUpdate("cert", certSDB, updateID)))) {
+	    /* we need to update */
+	    confdir = updatedir;
+	    certPrefix = updCertPrefix;
+	    keyPrefix = updKeyPrefix;
+	    needUpdate = PR_TRUE;
+	} else if (newInit) {
+	    /* if the new format DB was also a newly created DB, and we
+	     * succeeded, then need to update that new database with data
+	     * from the existing legacy DB */
+	    if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+		needUpdate = PR_TRUE;
+	    }
+	}
+	break;
+    default:
+	crv = CKR_GENERAL_ERROR; /* can't happen, EvaluationConfigDir MUST 
+				  * return one of the types we already 
+				  * specified. */
+    }
+    if (crv != CKR_OK) {
+	goto done;
+    }
+    if (!noCertDB) {
+	*certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE);
+    } else {
+	*certDB = NULL;
+    }
+    if (!noKeyDB) {
+	*keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE);
+    } else {
+	*keyDB = NULL;
+    }
+
+    /* link them together */
+    if (*certDB) {
+	(*certDB)->peerDB = *keyDB;
+    }
+    if (*keyDB) {
+	(*keyDB)->peerDB = *certDB;
+    }
+
+    /*
+     * if we need to update, open the legacy database and
+     * mark the handle as needing update.
+     */
+    if (needUpdate) {
+	SDB *updateCert = NULL;
+	SDB *updateKey = NULL;
+	CK_RV crv2;
+
+	crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
+		noCertDB ? NULL : &updateCert, noKeyDB ? NULL : &updateKey);
+	if (crv2 == CKR_OK) {
+	    if (*certDB) {
+		(*certDB)->update = updateCert;
+		(*certDB)->updateID = updateID && *updateID 
+				? PORT_Strdup(updateID) : NULL;
+		updateCert->app_private = (*certDB);
+	    }
+	    if (*keyDB) {
+		PRBool tokenRemoved = PR_FALSE;
+		(*keyDB)->update = updateKey;
+		(*keyDB)->updateID = updateID && *updateID ? 
+					PORT_Strdup(updateID) : NULL;
+		updateKey->app_private = (*keyDB);
+		(*keyDB)->updateDBIsInit = PR_TRUE;
+		(*keyDB)->updateDBIsInit = 
+			(sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ?
+			 PR_TRUE : PR_FALSE;
+		/* if the password on the key db is NULL, kick off our update
+		 * chain of events */
+		sftkdb_CheckPassword((*keyDB), "", &tokenRemoved);
+	    } else {
+		/* we don't have a key DB, update the certificate DB now */
+		sftkdb_Update(*certDB, NULL);
+	    }
+	}
+    }
+done:
+    if (appName) {
+	PORT_Free(appName);
+    }
+   return forceOpen ? CKR_OK : crv;
+}
+
+CK_RV 
+sftkdb_Shutdown(void)
+{
+  s_shutdown();
+  sftkdbCall_Shutdown();
+  return CKR_OK;
+}
+
diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h
new file mode 100644
index 000000000..14113fb3d
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.h
@@ -0,0 +1,119 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "sftkdbt.h"
+#include "sdb.h"
+#include "pkcs11i.h"
+#include "pkcs11t.h"
+
+/* raw database stuff */
+CK_RV sftkdb_write(SFTKDBHandle *handle, SFTKObject *,CK_OBJECT_HANDLE *);
+CK_RV sftkdb_FindObjectsInit(SFTKDBHandle *sdb, const CK_ATTRIBUTE *template,
+				 CK_ULONG count, SDBFind **find);
+CK_RV sftkdb_FindObjects(SFTKDBHandle *sdb, SDBFind *find, 
+			CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count);
+CK_RV sftkdb_FindObjectsFinal(SFTKDBHandle *sdb, SDBFind *find);
+CK_RV sftkdb_GetAttributeValue(SFTKDBHandle *handle,
+	 CK_OBJECT_HANDLE object_id, CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_SetAttributeValue(SFTKDBHandle *handle, 
+	 CK_OBJECT_HANDLE object_id, const CK_ATTRIBUTE *template, 
+	 CK_ULONG count);
+CK_RV sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE object_id);
+CK_RV sftkdb_closeDB(SFTKDBHandle *handle);
+
+
+/* secmod.db functions */
+char ** sftkdb_ReadSecmodDB(SDBType dbType, const char *appName, 
+			    const char *filename, const char *dbname, 
+			    char *params, PRBool rw);
+SECStatus sftkdb_ReleaseSecmodDBData(SDBType dbType, const char *appName, 
+				     const char *filename, const char *dbname, 
+				     char **moduleSpecList, PRBool rw);
+SECStatus sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName, 
+				const char *filename, const char *dbname, 
+				char *args, PRBool rw);
+SECStatus sftkdb_AddSecmodDB(SDBType dbType, const char *appName, 
+			     const char *filename, const char *dbname, 
+			     char *module, PRBool rw);
+
+/* keydb functions */
+
+SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb);
+SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw,
+			       PRBool *tokenRemoved);
+SECStatus sftkdb_PWCached(SFTKDBHandle *keydb);
+SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb);
+SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb);
+SECStatus sftkdb_ChangePassword(SFTKDBHandle *keydb, 
+				char *oldPin, char *newPin,
+				PRBool *tokenRemoved);
+SECStatus sftkdb_ClearPassword(SFTKDBHandle *keydb);
+PRBool sftkdb_InUpdateMerge(SFTKDBHandle *keydb);
+PRBool sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb);
+const char *sftkdb_GetUpdateID(SFTKDBHandle *keydb);
+SECItem *sftkdb_GetUpdatePasswordKey(SFTKDBHandle *keydb);
+void sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *keydb);
+
+/* Utility functions */
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ *                      "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ *                      "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ *                      Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ *                      PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ *                      be opened.
+ */
+CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
+	 	const char *keyPrefix, const char *updatedir, 
+		const char *updCertPrefix, const char *updKeyPrefix,
+		const char *updateID, PRBool readOnly, PRBool noCertDB, 
+		PRBool noKeyDB, PRBool forceOpen, 
+		SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
+CK_RV sftkdb_Shutdown(void);
+
+SFTKDBHandle *sftk_getCertDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot, 
+                                       CK_OBJECT_HANDLE objectID);
+void sftk_freeDB(SFTKDBHandle *certHandle);
diff --git a/security/nss/lib/softoken/sftkdbt.h b/security/nss/lib/softoken/sftkdbt.h
new file mode 100644
index 000000000..f8cdb0639
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbt.h
@@ -0,0 +1,51 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef SFTKDBT_H
+#define SFTKDBT_H 1
+typedef struct SFTKDBHandleStr SFTKDBHandle;
+
+#define SDB_MAX_META_DATA_LEN	256
+#define SDB_ULONG_SIZE 4
+
+typedef enum {
+   SDB_SQL,
+   SDB_EXTERN,
+   SDB_LEGACY,
+   SDB_MULTIACCESS
+} SDBType;
+
+#endif
diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h
new file mode 100644
index 000000000..efaf842cb
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbti.h
@@ -0,0 +1,92 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef SFTKDBTI_H
+#define SFTKDBTI_H 1
+
+/*
+ * private defines
+ */
+struct SFTKDBHandleStr {
+    SDB   *db;
+    PRInt32 ref;
+    CK_OBJECT_HANDLE  type;
+    SECItem passwordKey;
+    SECItem *newKey;
+    SECItem *oldKey;
+    SECItem *updatePasswordKey;
+    PZLock *passwordLock;
+    SFTKDBHandle *peerDB;
+    SDB   *update;
+    char  *updateID;
+    PRBool updateDBIsInit;
+};
+
+#define SFTK_KEYDB_TYPE 0x40000000
+#define SFTK_CERTDB_TYPE 0x00000000
+#define SFTK_OBJ_TYPE_MASK 0xc0000000
+#define SFTK_OBJ_ID_MASK (~SFTK_OBJ_TYPE_MASK)
+#define SFTK_TOKEN_TYPE 0x80000000
+
+/* the following is the number of id's to handle on the stack at a time,
+ * it's not an upper limit of IDS that can be stored in the database */
+#define SFTK_MAX_IDS 10
+
+#define SFTK_GET_SDB(handle) \
+	((handle)->update ? (handle)->update : (handle)->db)
+
+SECStatus sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText,
+			SECItem **plainText);
+SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
+			SECItem *plainText, SECItem **cipherText);
+SECStatus sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
+			CK_OBJECT_HANDLE objectID,
+			CK_ATTRIBUTE_TYPE attrType,
+			SECItem *plainText, SECItem **sigText);
+SECStatus sftkdb_VerifyAttribute(SECItem *passKey,
+			CK_OBJECT_HANDLE objectID,
+			CK_ATTRIBUTE_TYPE attrType,
+			SECItem *plainText, SECItem *sigText);
+
+void sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value);
+CK_RV sftkdb_Update(SFTKDBHandle *handle, SECItem *key);
+CK_RV sftkdb_PutAttributeSignature(SFTKDBHandle *handle, 
+		SDB *keyTarget, CK_OBJECT_HANDLE objectID, 
+		CK_ATTRIBUTE_TYPE type, SECItem *signText);
+
+
+
+#endif
diff --git a/security/nss/lib/softoken/sftkmod.c b/security/nss/lib/softoken/sftkmod.c
new file mode 100644
index 000000000..408270bdd
--- /dev/null
+++ b/security/nss/lib/softoken/sftkmod.c
@@ -0,0 +1,695 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ *     SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert 
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not 
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *  
+ */
+#include "sftkdb.h"
+#include "sftkpars.h"
+#include "prprf.h" 
+#include "prsystem.h"
+#include "lgglue.h"
+#include "secmodt.h"
+
+/****************************************************************
+ *
+ * Secmod database.
+ *
+ * The new secmod database is simply a text file with each of the module
+ * entries. in the following form:
+ *
+ * #
+ * # This is a comment The next line is the library to load
+ * library=libmypkcs11.so
+ * name="My PKCS#11 module"
+ * params="my library's param string"
+ * nss="NSS parameters"
+ * other="parameters for other libraries and applications"
+ * 
+ * library=libmynextpk11.so
+ * name="My other PKCS#11 module"
+ */
+
+static char *
+sftkdb_quote(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    size=2;
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    dest = newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    *dest++=quote;
+    for (src=string; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+    *dest=quote;
+
+    return newString;
+}
+
+/*
+ * Smart string cat functions. Automatically manage the memory.
+ * The first parameter is the source string. If it's null, we 
+ * allocate memory for it. If it's not, we reallocate memory
+ * so the the concanenated string fits.
+ */
+static char *
+sftkdb_DupnCat(char *baseString, const char *str, int str_len)
+{
+    int len = (baseString ? PORT_Strlen(baseString) : 0) + 1;
+    char *newString;
+
+    len += str_len;
+    newString = (char *) PORT_Realloc(baseString,len);
+    if (newString == NULL) {
+	PORT_Free(baseString);
+	return NULL;
+    }
+    if (baseString == NULL) *newString = 0;
+    return PORT_Strncat(newString,str, str_len);
+}
+
+/* Same as sftkdb_DupnCat except it concatenates the full string, not a
+ * partial one */
+static char *
+sftkdb_DupCat(char *baseString, const char *str)
+{
+    return sftkdb_DupnCat(baseString, str, PORT_Strlen(str));
+}
+
+/* function to free up all the memory associated with a null terminated
+ * array of module specs */
+static SECStatus
+sftkdb_releaseSpecList(char **moduleSpecList)
+{
+    if (moduleSpecList) {
+	char **index;
+	for(index = moduleSpecList; *index; index++) {
+	    PORT_Free(*index);
+	}
+	PORT_Free(moduleSpecList);
+    }
+    return SECSuccess;
+}
+
+#define SECMOD_STEP 10
+static SECStatus
+sftkdb_growList(char ***pModuleList, int *useCount, int last)
+{
+    char **newModuleList;
+
+    *useCount += SECMOD_STEP;
+    newModuleList = (char **)PORT_Realloc(*pModuleList,
+					  *useCount*sizeof(char *));
+    if (newModuleList == NULL) {
+	return SECFailure;
+    }
+    PORT_Memset(&newModuleList[last],0, sizeof(char *)*SECMOD_STEP);
+    *pModuleList = newModuleList;
+    return SECSuccess;
+}
+
+static 
+char *sftk_getOldSecmodName(const char *dbname,const char *filename)
+{
+    char *file = NULL;
+    char *dirPath = PORT_Strdup(dbname);
+    char *sep;
+
+    sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
+#ifdef WINDOWS
+    if (!sep) {
+	sep = PORT_Strrchr(dirPath,'/');
+    }
+#endif
+    if (sep) {
+	*(sep)=0;
+    }
+    file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+    PORT_Free(dirPath);
+    return file;
+}
+
+#define MAX_LINE_LENGTH 2048
+#define SFTK_DEFAULT_INTERNAL_INIT1 "library= name=\"NSS Internal PKCS #11 Module\" parameters="
+#define SFTK_DEFAULT_INTERNAL_INIT2 " NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={"
+#define SFTK_DEFAULT_INTERNAL_INIT3 " askpw=any timeout=30})\""
+
+#ifdef XP_UNIX
+#include <unistd.h>
+#endif
+/*
+ * Read all the existing modules in out of the file.
+ */
+char **
+sftkdb_ReadSecmodDB(SDBType dbType, const char *appName, 
+		    const char *filename, const char *dbname, 
+		    char *params, PRBool rw)
+{
+    FILE *fd = NULL;
+    char **moduleList = NULL;
+    int moduleCount = 1;
+    int useCount = SECMOD_STEP;
+    char line[MAX_LINE_LENGTH];
+    PRBool internal = PR_FALSE;
+    PRBool skipParams = PR_FALSE;
+    char *moduleString = NULL;
+    char *paramsValue=NULL;
+    PRBool failed = PR_TRUE;
+
+    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+	return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
+    }
+
+    moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+    if (moduleList == NULL) return NULL;
+
+    /* do we really want to use streams here */
+    fd = fopen(dbname, "r");
+    if (fd == NULL) goto done;
+
+    /*
+     * the following loop takes line separated config lines and colapses
+     * the lines to a single string, escaping and quoting as necessary.
+     */
+    /* loop state variables */
+    moduleString = NULL;  /* current concatenated string */
+    internal = PR_FALSE;	     /* is this an internal module */
+    skipParams = PR_FALSE;	   /* did we find an override parameter block*/
+    paramsValue = NULL;		   /* the current parameter block value */
+    while (fgets(line, sizeof(line), fd) != NULL) { 
+	int len = PORT_Strlen(line);
+
+	/* remove the ending newline */
+	if (len && line[len-1] == '\n') {
+	    len--;
+	    line[len] = 0;
+	}
+	if (*line == '#') {
+	    continue;
+	}
+	if (*line != 0) {
+	    /*
+	     * The PKCS #11 group standard assumes blocks of strings
+	     * separated by new lines, clumped by new lines. Internally
+	     * we take strings separated by spaces, so we may need to escape
+	     * certain spaces.
+	     */
+	    char *value = PORT_Strchr(line,'=');
+
+	    /* there is no value, write out the stanza as is */
+	    if (value == NULL || value[1] == 0) {
+		if (moduleString) {
+		    moduleString = sftkdb_DupnCat(moduleString," ", 1);
+		    if (moduleString == NULL) goto loser;
+		}
+	        moduleString = sftkdb_DupCat(moduleString, line);
+		if (moduleString == NULL) goto loser;
+	    /* value is already quoted, just write it out */
+	    } else if (value[1] == '"') {
+		if (moduleString) {
+		    moduleString = sftkdb_DupnCat(moduleString," ", 1);
+		    if (moduleString == NULL) goto loser;
+		}
+	        moduleString = sftkdb_DupCat(moduleString, line);
+		if (moduleString == NULL) goto loser;
+		/* we have an override parameter section, remember that
+		 * we found this (see following comment about why this
+		 * is necessary). */
+	        if (PORT_Strncasecmp(line, "parameters", 10) == 0) {
+			skipParams = PR_TRUE;
+		}
+	    /*
+	     * The internal token always overrides it's parameter block
+	     * from the passed in parameters, so wait until then end
+	     * before we include the parameter block in case we need to 
+	     * override it. NOTE: if the parameter block is quoted with ("),
+	     * this override does not happen. This allows you to override
+	     * the application's parameter configuration.
+	     *
+	     * parameter block state is controlled by the following variables:
+	     *  skipParams - Bool : set to true of we have an override param
+	     *    block (all other blocks, either implicit or explicit are
+	     *    ignored).
+	     *  paramsValue - char * : pointer to the current param block. In
+	     *    the absence of overrides, paramsValue is set to the first
+	     *    parameter block we find. All subsequent blocks are ignored.
+	     *    When we find an internal token, the application passed
+	     *    parameters take precident.
+	     */
+	    } else if (PORT_Strncasecmp(line, "parameters", 10) == 0) {
+		/* already have parameters */
+		if (paramsValue) {
+			continue;
+		}
+		paramsValue = sftkdb_quote(&value[1], '"');
+		if (paramsValue == NULL) goto loser;
+		continue;
+	    } else {
+	    /* may need to quote */
+	        char *newLine;
+		if (moduleString) {
+		    moduleString = sftkdb_DupnCat(moduleString," ", 1);
+		    if (moduleString == NULL) goto loser;
+		}
+		moduleString = sftkdb_DupnCat(moduleString,line,value-line+1);
+		if (moduleString == NULL)  goto loser;
+	        newLine = sftkdb_quote(&value[1],'"');
+		if (newLine == NULL) goto loser;
+		moduleString = sftkdb_DupCat(moduleString,newLine);
+	        PORT_Free(newLine);
+		if (moduleString == NULL) goto loser;
+	    }
+
+	    /* check to see if it's internal? */
+	    if (PORT_Strncasecmp(line, "NSS=", 4) == 0) {
+		/* This should be case insensitive! reviewers make
+		 * me fix it if it's not */
+		if (PORT_Strstr(line,"internal")) {
+		    internal = PR_TRUE;
+		    /* override the parameters */
+		    if (paramsValue) {
+			PORT_Free(paramsValue);
+		    }
+		    paramsValue = sftkdb_quote(params, '"');
+		}
+	    }
+	    continue;
+	}
+	if ((moduleString == NULL) || (*moduleString == 0)) {
+	    continue;
+	}
+
+	/* 
+	 * if we are here, we have found a complete stanza. Now write out
+	 * any param section we may have found.
+	 */
+	if (paramsValue) {
+	    /* we had an override */
+	    if (!skipParams) {
+		moduleString = sftkdb_DupnCat(moduleString," parameters=", 12);
+		if (moduleString == NULL) goto loser;
+		moduleString = sftkdb_DupCat(moduleString, paramsValue);
+		if (moduleString == NULL) goto loser;
+	    }
+	    PORT_Free(paramsValue);
+	    paramsValue = NULL;
+	}
+
+	if ((moduleCount+1) >= useCount) {
+	    SECStatus rv;
+	    rv = sftkdb_growList(&moduleList, &useCount,  moduleCount+1);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+
+	if (internal) {
+	    moduleList[0] = moduleString;
+	} else {
+	    moduleList[moduleCount] = moduleString;
+	    moduleCount++;
+	}
+	moduleString = NULL;
+	internal = PR_FALSE;
+	skipParams = PR_FALSE;
+    } 
+
+    if (moduleString) {
+	PORT_Free(moduleString);
+	moduleString = NULL;
+    }
+done:
+    /* if we couldn't open a pkcs11 database, look for the old one */
+    if (fd == NULL) {
+	char *olddbname = sftk_getOldSecmodName(dbname,filename);
+	PRStatus status;
+	char **oldModuleList;
+	int i;
+
+	/* couldn't get the old name */
+	if (!olddbname) {
+	    goto bail;
+	}
+
+	/* old one doesn't exist */
+	status = PR_Access(olddbname, PR_ACCESS_EXISTS);
+	if (status != PR_SUCCESS) {
+	    goto bail;
+	}
+
+	oldModuleList = sftkdbCall_ReadSecmodDB(appName, filename, 
+					olddbname, params, rw);
+	/* old one had no modules */
+	if (!oldModuleList) {
+	    goto bail;
+	}
+
+	/* count the modules */
+	for (i=0; oldModuleList[i]; i++) { }
+
+	/* grow the moduleList if necessary */
+	if (i >= useCount) {
+	    SECStatus rv;
+	    rv = sftkdb_growList(&moduleList,&useCount,moduleCount+1);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+	
+	/* write each module out, and copy it */
+	for (i=0; oldModuleList[i]; i++) {
+	    if (rw) {
+		sftkdb_AddSecmodDB(dbType,appName,filename,dbname,
+				oldModuleList[i],rw);
+	    }
+	    if (moduleList[i]) {
+		PORT_Free(moduleList[i]);
+	    }
+	    moduleList[i] = PORT_Strdup(oldModuleList[i]);
+	}
+
+	/* done with the old module list */
+	sftkdbCall_ReleaseSecmodDBData(appName, filename, olddbname, 
+				  oldModuleList, rw);
+bail:
+	if (olddbname) {
+	    PR_smprintf_free(olddbname);
+	}
+    }
+	
+    if (!moduleList[0]) {
+	char * newParams;
+	moduleString = PORT_Strdup(SFTK_DEFAULT_INTERNAL_INIT1);
+	newParams = sftkdb_quote(params,'"');
+	if (newParams == NULL) goto loser;
+	moduleString = sftkdb_DupCat(moduleString, newParams);
+	PORT_Free(newParams);
+	if (moduleString == NULL) goto loser;
+	moduleString = sftkdb_DupCat(moduleString, SFTK_DEFAULT_INTERNAL_INIT2);
+	if (moduleString == NULL) goto loser;
+	moduleString = sftkdb_DupCat(moduleString, SECMOD_SLOT_FLAGS);
+	if (moduleString == NULL) goto loser;
+	moduleString = sftkdb_DupCat(moduleString, SFTK_DEFAULT_INTERNAL_INIT3);
+	if (moduleString == NULL) goto loser;
+	moduleList[0] = moduleString;
+	moduleString = NULL;
+    }
+    failed = PR_FALSE;
+
+loser:
+    /*
+     * cleanup
+     */
+    /* deal with trust cert db here */
+    if (moduleString) {
+	PORT_Free(moduleString);
+	moduleString = NULL;
+    }
+    if (paramsValue) {
+	PORT_Free(paramsValue);
+	paramsValue = NULL;
+    }
+    if (failed || (moduleList[0] == NULL)) {
+	/* This is wrong! FIXME */
+	sftkdb_releaseSpecList(moduleList);
+	moduleList = NULL;
+	failed = PR_TRUE;
+    }
+    if (fd != NULL) {
+	fclose(fd);
+    } else if (!failed && rw) {
+	/* update our internal module */
+	sftkdb_AddSecmodDB(dbType,appName,filename,dbname,moduleList[0],rw);
+    }
+    return moduleList;
+}
+
+SECStatus
+sftkdb_ReleaseSecmodDBData(SDBType dbType, const char *appName, 
+			const char *filename, const char *dbname, 
+			char **moduleSpecList, PRBool rw)
+{
+    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+	return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, 
+					  moduleSpecList, rw);
+    }
+    if (moduleSpecList) {
+	sftkdb_releaseSpecList(moduleSpecList);
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * Delete a module from the Data Base
+ */
+SECStatus
+sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName, 
+		      const char *filename, const char *dbname, 
+		      char *args, PRBool rw)
+{
+    /* SHDB_FIXME implement */
+    FILE *fd = NULL;
+    FILE *fd2 = NULL;
+    char line[MAX_LINE_LENGTH];
+    char *dbname2 = NULL;
+    char *block = NULL;
+    char *name = NULL;
+    char *lib = NULL;
+    int name_len, lib_len;
+    PRBool skip = PR_FALSE;
+    PRBool found = PR_FALSE;
+
+    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+	return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
+    }
+
+    if (!rw) {
+	return SECFailure;
+    }
+
+    dbname2 = strdup(dbname);
+    if (dbname2 == NULL) goto loser;
+    dbname2[strlen(dbname)-1]++;
+
+    /* do we really want to use streams here */
+    fd = fopen(dbname, "r");
+    if (fd == NULL) goto loser;
+    fd2 = fopen(dbname2, "w+");
+    if (fd2 == NULL) goto loser;
+
+    name = sftk_argGetParamValue("name",args);
+    if (name) {
+	name_len = PORT_Strlen(name);
+    }
+    lib = sftk_argGetParamValue("library",args);
+    if (lib) {
+	lib_len = PORT_Strlen(lib);
+    }
+
+
+    /*
+     * the following loop takes line separated config files and colapses
+     * the lines to a single string, escaping and quoting as necessary.
+     */
+    /* loop state variables */
+    block = NULL;
+    skip = PR_FALSE;
+    while (fgets(line, sizeof(line), fd) != NULL) { 
+	/* If we are processing a block (we haven't hit a blank line yet */
+	if (*line != '\n') {
+	    /* skip means we are in the middle of a block we are deleting */
+	    if (skip) {
+		continue;
+	    }
+	    /* if we haven't found the block yet, check to see if this block
+	     * matches our requirements */
+	    if (!found && ((name && (PORT_Strncasecmp(line,"name=",5) == 0) &&
+		 (PORT_Strncmp(line+5,name,name_len) == 0))  ||
+	        (lib && (PORT_Strncasecmp(line,"library=",8) == 0) &&
+		 (PORT_Strncmp(line+8,lib,lib_len) == 0)))) {
+
+		/* yup, we don't need to save any more data, */
+		PORT_Free(block);
+		block=NULL;
+		/* we don't need to collect more of this block */
+		skip = PR_TRUE;
+		/* we don't need to continue searching for the block */
+		found =PR_TRUE;
+		continue;
+	    }
+	    /* not our match, continue to collect data in this block */
+	    block = sftkdb_DupCat(block,line);
+	    continue;
+	}
+	/* we've collected a block of data that wasn't the module we were
+	 * looking for, write it out */
+	if (block) {
+	    fwrite(block, PORT_Strlen(block), 1, fd2);
+	    PORT_Free(block);
+	    block = NULL;
+	}
+	/* If we didn't just delete the this block, keep the blank line */
+	if (!skip) {
+	    fputs(line,fd2);
+	}
+	/* we are definately not in a deleted block anymore */
+	skip = PR_FALSE;
+    } 
+    fclose(fd);
+    fclose(fd2);
+    /* rename dbname2 to dbname */
+    if (found) {
+	PR_Delete(dbname);
+	PR_Rename(dbname2,dbname);
+    }
+    PORT_Free(dbname2);
+    return SECSuccess;
+
+loser:
+    if (fd != NULL) {
+	fclose(fd);
+    }
+    if (fd2 != NULL) {
+	fclose(fd2);
+    }
+    if (dbname2) {
+	PR_Delete(dbname2);
+	PORT_Free(dbname2);
+    }
+    return SECFailure;
+}
+
+/*
+ * Add a module to the Data base 
+ */
+SECStatus
+sftkdb_AddSecmodDB(SDBType dbType, const char *appName, 
+		   const char *filename, const char *dbname, 
+		   char *module, PRBool rw)
+{
+    FILE *fd = NULL;
+    char *block = NULL;
+    PRBool libFound = PR_FALSE;
+
+    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+	return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
+    }
+
+    /* can't write to a read only module */
+    if (!rw) {
+	return SECFailure;
+    }
+
+    /* remove the previous version if it exists */
+    (void) sftkdb_DeleteSecmodDB(dbType, appName, filename, dbname, module, rw);
+
+    /* do we really want to use streams here */
+    fd = fopen(dbname, "a+");
+    if (fd == NULL) {
+	return SECFailure;
+    }
+    module = sftk_argStrip(module);
+    while (*module) {
+	int count;
+	char *keyEnd = PORT_Strchr(module,'=');
+	char *value;
+
+	if (PORT_Strncmp(module, "library=", 8) == 0) {
+	   libFound=PR_TRUE;
+	}
+	if (keyEnd == NULL) {
+	    block = sftkdb_DupCat(block, module);
+	    break;
+	}
+	value = sftk_argFetchValue(&keyEnd[1], &count);
+	block = sftkdb_DupnCat(block, module, keyEnd-module+1);
+	if (block == NULL) { goto loser; }
+	if (value) {
+	    block = sftkdb_DupCat(block, sftk_argStrip(value));
+	    PORT_Free(value);
+	}
+	if (block == NULL) { goto loser; }
+	block = sftkdb_DupnCat(block, "\n", 1);
+	module = keyEnd + 1 + count;
+	module = sftk_argStrip(module);
+    }
+    if (block) {
+	if (!libFound) {
+	    fprintf(fd,"library=\n");
+	}
+	fwrite(block, PORT_Strlen(block), 1, fd);
+	fprintf(fd,"\n");
+	PORT_Free(block);
+	block = NULL;
+    }
+    fclose(fd);
+    return SECSuccess;
+
+loser:
+    PORT_Free(block);
+    fclose(fd);
+    return SECFailure;
+}
+  
+
diff --git a/security/nss/lib/softoken/sftkpars.c b/security/nss/lib/softoken/sftkpars.c
new file mode 100644
index 000000000..c170eb3b3
--- /dev/null
+++ b/security/nss/lib/softoken/sftkpars.c
@@ -0,0 +1,644 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "sftkpars.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h" 
+#include "prenv.h"
+
+/*
+ * this file contains routines for parsing PKCS #11 module spec
+ * strings.
+ */
+
+#define SFTK_HANDLE_STRING_ARG(param,target,value,command) \
+    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
+	param += sizeof(value)-1; \
+	target = sftk_argFetchValue(param,&next); \
+	param += next; \
+	command ;\
+    } else  
+
+#define SFTK_HANDLE_FINAL_ARG(param) \
+    { param = sftk_argSkipParameter(param); } param = sftk_argStrip(param);
+
+static PRBool sftk_argGetPair(char c) {
+    switch (c) {
+    case '\'': return c;
+    case '\"': return c;
+    case '<': return '>';
+    case '{': return '}';
+    case '[': return ']';
+    case '(': return ')';
+    default: break;
+    }
+    return ' ';
+}
+
+static PRBool sftk_argIsBlank(char c) {
+   return isspace(c);
+}
+
+static PRBool sftk_argIsEscape(char c) {
+    return c == '\\';
+}
+
+static PRBool sftk_argIsQuote(char c) {
+    switch (c) {
+    case '\'':
+    case '\"':
+    case '<':
+    case '{': /* } end curly to keep vi bracket matching working */
+    case '(': /* ) */
+    case '[': /* ] */ return PR_TRUE;
+    default: break;
+    }
+    return PR_FALSE;
+}
+
+char *sftk_argStrip(char *c) {
+   while (*c && sftk_argIsBlank(*c)) c++;
+   return c;
+}
+
+static char *
+sftk_argFindEnd(char *string) {
+    char endChar = ' ';
+    PRBool lastEscape = PR_FALSE;
+
+    if (sftk_argIsQuote(*string)) {
+	endChar = sftk_argGetPair(*string);
+	string++;
+    }
+
+    for (;*string; string++) {
+	if (lastEscape) {
+	    lastEscape = PR_FALSE;
+	    continue;
+	}
+	if (sftk_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	} 
+	if ((endChar == ' ') && sftk_argIsBlank(*string)) break;
+	if (*string == endChar) {
+	    break;
+	}
+    }
+
+    return string;
+}
+
+char *
+sftk_argFetchValue(char *string, int *pcount)
+{
+    char *end = sftk_argFindEnd(string);
+    char *retString, *copyString;
+    PRBool lastEscape = PR_FALSE;
+    int len;
+
+    len = end - string;
+    if (len == 0) {
+	*pcount = 0;
+	return NULL;
+    }
+
+    copyString = retString = (char *)PORT_Alloc(len+1);
+
+    if (*end) len++;
+    *pcount = len;
+    if (retString == NULL) return NULL;
+
+
+    if (sftk_argIsQuote(*string)) string++;
+    for (; string < end; string++) {
+	if (sftk_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	}
+	lastEscape = PR_FALSE;
+	*copyString++ = *string;
+    }
+    *copyString = 0;
+    return retString;
+}
+
+static char *
+sftk_argSkipParameter(char *string) 
+{
+     char *end;
+     /* look for the end of the <name>= */
+     for (;*string; string++) {
+	if (*string == '=') { string++; break; }
+	if (sftk_argIsBlank(*string)) return(string); 
+     }
+
+     end = sftk_argFindEnd(string);
+     if (*end) end++;
+     return end;
+}
+
+char *
+sftk_argGetParamValue(char *paramName,char *parameters)
+{
+    char searchValue[256];
+    int paramLen = strlen(paramName);
+    char *returnValue = NULL;
+    int next;
+
+    if ((parameters == NULL) || (*parameters == 0)) return NULL;
+
+    PORT_Assert(paramLen+2 < sizeof(searchValue));
+
+    PORT_Strcpy(searchValue,paramName);
+    PORT_Strcat(searchValue,"=");
+    while (*parameters) {
+	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
+	    parameters += paramLen+1;
+	    returnValue = sftk_argFetchValue(parameters,&next);
+	    break;
+	} else {
+	    parameters = sftk_argSkipParameter(parameters);
+	}
+	parameters = sftk_argStrip(parameters);
+   }
+   return returnValue;
+}
+    
+static char *
+sftk_argNextFlag(char *flags)
+{
+    for (; *flags ; flags++) {
+	if (*flags == ',') {
+	    flags++;
+	    break;
+	}
+    }
+    return flags;
+}
+
+static PRBool
+sftk_argHasFlag(char *label, char *flag, char *parameters)
+{
+    char *flags,*index;
+    int len = strlen(flag);
+    PRBool found = PR_FALSE;
+
+    flags = sftk_argGetParamValue(label,parameters);
+    if (flags == NULL) return PR_FALSE;
+
+    for (index=flags; *index; index=sftk_argNextFlag(index)) {
+	if (PORT_Strncasecmp(index,flag,len) == 0) {
+	    found=PR_TRUE;
+	    break;
+	}
+    }
+    PORT_Free(flags);
+    return found;
+}
+
+/*
+ * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
+ */
+static long
+sftk_argDecodeNumber(char *num)
+{
+    int	radix = 10;
+    unsigned long value = 0;
+    long retValue = 0;
+    int sign = 1;
+    int digit;
+
+    if (num == NULL) return retValue;
+
+    num = sftk_argStrip(num);
+
+    if (*num == '-') {
+	sign = -1;
+	num++;
+    }
+
+    if (*num == '0') {
+	radix = 8;
+	num++;
+	if ((*num == 'x') || (*num == 'X')) {
+	    radix = 16;
+	    num++;
+	}
+    }
+
+   
+    for ( ;*num; num++ ) {
+	if (isdigit(*num)) {
+	    digit = *num - '0';
+	} else if ((*num >= 'a') && (*num <= 'f'))  {
+	    digit = *num - 'a' + 10;
+	} else if ((*num >= 'A') && (*num <= 'F'))  {
+	    digit = *num - 'A' + 10;
+	} else {
+	    break;
+	}
+	if (digit >= radix) break;
+	value = value*radix + digit;
+    }
+
+    retValue = ((int) value) * sign;
+    return retValue;
+}
+
+static char *
+sftk_argGetName(char *inString, int *next) 
+{
+    char *name=NULL;
+    char *string;
+    int len;
+
+    /* look for the end of the <name>= */
+    for (string = inString;*string; string++) {
+	if (*string == '=') { break; }
+	if (sftk_argIsBlank(*string)) break;
+    }
+
+    len = string - inString;
+
+    *next = len; 
+    if (*string == '=') (*next) += 1;
+    if (len > 0) {
+	name = PORT_Alloc(len+1);
+	PORT_Strncpy(name,inString,len);
+	name[len] = 0;
+    }
+    return name;
+}
+
+#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
+
+static void
+sftk_parseTokenFlags(char *tmp, sftk_token_parameters *parsed) { 
+    parsed->readOnly = sftk_argHasFlag("flags","readOnly",tmp);
+    parsed->noCertDB = sftk_argHasFlag("flags","noCertDB",tmp);
+    parsed->noKeyDB = sftk_argHasFlag("flags","noKeyDB",tmp);
+    parsed->forceOpen = sftk_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = sftk_argHasFlag("flags","passwordRequired",tmp);
+    parsed->optimizeSpace = sftk_argHasFlag("flags","optimizeSpace",tmp);
+    return;
+}
+
+static void
+sftk_parseFlags(char *tmp, sftk_parameters *parsed) { 
+    parsed->noModDB = sftk_argHasFlag("flags","noModDB",tmp);
+    parsed->readOnly = sftk_argHasFlag("flags","readOnly",tmp);
+    /* keep legacy interface working */
+    parsed->noCertDB = sftk_argHasFlag("flags","noCertDB",tmp);
+    parsed->forceOpen = sftk_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = sftk_argHasFlag("flags","passwordRequired",tmp);
+    parsed->optimizeSpace = sftk_argHasFlag("flags","optimizeSpace",tmp);
+    return;
+}
+
+static CK_RV
+sftk_parseTokenParameters(char *param, sftk_token_parameters *parsed) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    index = sftk_argStrip(param);
+
+    while (*index) {
+	SFTK_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updatedir,"updateDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updCertPrefix,"updateCertPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updKeyPrefix,"updateKeyPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updateID,"updateID=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->certPrefix,"certPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->keyPrefix,"keyPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->tokdes,"tokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updtokdes,
+						"updateTokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->slotdes,"slotDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,tmp,"minPWLen=", 
+			if(tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); })
+	SFTK_HANDLE_STRING_ARG(index,tmp,"flags=", 
+	   if(tmp) { sftk_parseTokenFlags(param,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_FINAL_ARG(index)
+   }
+   return CKR_OK;
+}
+
+static void
+sftk_parseTokens(char *tokenParams, sftk_parameters *parsed)
+{
+    char *tokenIndex;
+    sftk_token_parameters *tokens = NULL;
+    int i=0,count = 0,next;
+
+    if ((tokenParams == NULL) || (*tokenParams == 0))  return;
+
+    /* first count the number of slots */
+    for (tokenIndex = sftk_argStrip(tokenParams); *tokenIndex;
+	 tokenIndex = sftk_argStrip(sftk_argSkipParameter(tokenIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    tokens = (sftk_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
+    if (tokens == NULL) return;
+
+    for (tokenIndex = sftk_argStrip(tokenParams), i = 0;
+					*tokenIndex && i < count ; i++ ) {
+	char *name;
+	name = sftk_argGetName(tokenIndex,&next);
+	tokenIndex += next;
+
+	tokens[i].slotID = sftk_argDecodeNumber(name);
+        tokens[i].readOnly = PR_FALSE;
+	tokens[i].noCertDB = PR_FALSE;
+	tokens[i].noKeyDB = PR_FALSE;
+	if (!sftk_argIsBlank(*tokenIndex)) {
+	    char *args = sftk_argFetchValue(tokenIndex,&next);
+	    tokenIndex += next;
+	    if (args) {
+		sftk_parseTokenParameters(args,&tokens[i]);
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	tokenIndex = sftk_argStrip(tokenIndex);
+    }
+    parsed->token_count = i;
+    parsed->tokens = tokens;
+    return; 
+}
+
+CK_RV
+sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    char *certPrefix = NULL, *keyPrefix = NULL;
+    char *tokdes = NULL, *ptokdes = NULL, *pupdtokdes = NULL;
+    char *slotdes = NULL, *pslotdes = NULL;
+    char *fslotdes = NULL, *ftokdes = NULL;
+    char *minPW = NULL;
+    index = sftk_argStrip(param);
+
+    PORT_Memset(parsed, 0, sizeof(sftk_parameters));
+
+    while (*index) {
+	SFTK_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updatedir,"updateDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->updateID,"updateID=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->secmodName,"secmod=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->man,"manufacturerID=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->libdes,"libraryDescription=",;)
+	/* constructed values, used so legacy interfaces still work */
+	SFTK_HANDLE_STRING_ARG(index,certPrefix,"certPrefix=",;)
+        SFTK_HANDLE_STRING_ARG(index,keyPrefix,"keyPrefix=",;)
+        SFTK_HANDLE_STRING_ARG(index,tokdes,"cryptoTokenDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,ptokdes,"dbTokenDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,slotdes,"cryptoSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,pslotdes,"dbSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,fslotdes,"FIPSSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,ftokdes,"FIPSTokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,pupdtokdes, "updateTokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,minPW,"minPWLen=",;)
+
+	SFTK_HANDLE_STRING_ARG(index,tmp,"flags=", 
+		if(tmp) { sftk_parseFlags(param,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_STRING_ARG(index,tmp,"tokens=", 
+		if(tmp) { sftk_parseTokens(tmp,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_FINAL_ARG(index)
+    }
+    if (parsed->tokens == NULL) {
+	int  count = isFIPS ? 1 : 2;
+	int  index = count-1;
+	sftk_token_parameters *tokens = NULL;
+
+	tokens = (sftk_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
+	if (tokens == NULL) {
+	    goto loser;
+	}
+	parsed->tokens = tokens;
+    	parsed->token_count = count;
+	tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+	tokens[index].certPrefix = certPrefix;
+	tokens[index].keyPrefix = keyPrefix;
+	tokens[index].minPW = minPW ? atoi(minPW) : 0;
+	tokens[index].readOnly = parsed->readOnly;
+	tokens[index].noCertDB = parsed->noCertDB;
+	tokens[index].noKeyDB = parsed->noCertDB;
+	tokens[index].forceOpen = parsed->forceOpen;
+	tokens[index].pwRequired = parsed->pwRequired;
+	tokens[index].optimizeSpace = parsed->optimizeSpace;
+	tokens[0].optimizeSpace = parsed->optimizeSpace;
+	certPrefix = NULL;
+	keyPrefix = NULL;
+	if (isFIPS) {
+	    tokens[index].tokdes = ftokdes;
+	    tokens[index].updtokdes = pupdtokdes;
+	    tokens[index].slotdes = fslotdes;
+	    fslotdes = NULL;
+	    ftokdes = NULL;
+	    pupdtokdes = NULL;
+	} else {
+	    tokens[index].tokdes = ptokdes;
+	    tokens[index].updtokdes = pupdtokdes;
+	    tokens[index].slotdes = pslotdes;
+	    tokens[0].slotID = NETSCAPE_SLOT_ID;
+	    tokens[0].tokdes = tokdes;
+	    tokens[0].slotdes = slotdes;
+	    tokens[0].noCertDB = PR_TRUE;
+	    tokens[0].noKeyDB = PR_TRUE;
+	    pupdtokdes = NULL;
+	    ptokdes = NULL;
+	    pslotdes = NULL;
+	    tokdes = NULL;
+	    slotdes = NULL;
+	}
+    }
+
+loser:
+    FREE_CLEAR(certPrefix);
+    FREE_CLEAR(keyPrefix);
+    FREE_CLEAR(tokdes);
+    FREE_CLEAR(ptokdes);
+    FREE_CLEAR(pupdtokdes);
+    FREE_CLEAR(slotdes);
+    FREE_CLEAR(pslotdes);
+    FREE_CLEAR(fslotdes);
+    FREE_CLEAR(ftokdes);
+    FREE_CLEAR(minPW);
+    return CKR_OK;
+}
+
+void
+sftk_freeParams(sftk_parameters *params)
+{
+    int i;
+
+    for (i=0; i < params->token_count; i++) {
+	FREE_CLEAR(params->tokens[i].configdir);
+	FREE_CLEAR(params->tokens[i].certPrefix);
+	FREE_CLEAR(params->tokens[i].keyPrefix);
+	FREE_CLEAR(params->tokens[i].tokdes);
+	FREE_CLEAR(params->tokens[i].slotdes);
+	FREE_CLEAR(params->tokens[i].updatedir);
+	FREE_CLEAR(params->tokens[i].updCertPrefix);
+	FREE_CLEAR(params->tokens[i].updKeyPrefix);
+	FREE_CLEAR(params->tokens[i].updateID);
+	FREE_CLEAR(params->tokens[i].updtokdes);
+    }
+
+    FREE_CLEAR(params->configdir);
+    FREE_CLEAR(params->secmodName);
+    FREE_CLEAR(params->man);
+    FREE_CLEAR(params->libdes); 
+    FREE_CLEAR(params->tokens);
+    FREE_CLEAR(params->updatedir);
+    FREE_CLEAR(params->updateID);
+}
+
+#define SQLDB "sql:"
+#define EXTERNDB "extern:"
+#define LEGACY "dbm:"
+const char *
+sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **appName)
+{
+    *appName = NULL;
+    *dbType = SDB_LEGACY;
+    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
+	char *cdir;
+	*dbType = SDB_MULTIACCESS;
+
+	*appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
+	if (*appName == NULL) {
+	    return configdir;
+	}
+	cdir = *appName;
+	while (*cdir && *cdir != ':') {
+	    cdir++;
+	}
+	if (*cdir == ':') {
+	   *cdir = 0;
+	   cdir++;
+	}
+	configdir = cdir;
+    } else if (PORT_Strncmp(configdir, SQLDB, sizeof(SQLDB)-1) == 0) {
+	*dbType = SDB_SQL;
+	configdir = configdir + sizeof(SQLDB) -1;
+    } else if (PORT_Strncmp(configdir, EXTERNDB, sizeof(EXTERNDB)-1) == 0) {
+	*dbType = SDB_EXTERN;
+	configdir = configdir + sizeof(EXTERNDB) -1;
+    } else if (PORT_Strncmp(configdir, LEGACY, sizeof(LEGACY)-1) == 0) {
+	*dbType = SDB_LEGACY;
+	configdir = configdir + sizeof(LEGACY) -1;
+    } else {
+	/* look up the default from the environment */
+	char *defaultType = PR_GetEnv("NSS_DEFAULT_DB_TYPE");
+	if (defaultType == NULL) {
+	    /* none specified, go with the legacy */
+	    return configdir;
+	}
+	if (PORT_Strncmp(defaultType, SQLDB, sizeof(SQLDB)-2) == 0) {
+	    *dbType = SDB_SQL;
+	} else if (PORT_Strncmp(defaultType,EXTERNDB,sizeof(EXTERNDB)-2)==0) {
+	    *dbType = SDB_EXTERN;
+	} else if (PORT_Strncmp(defaultType, LEGACY, sizeof(LEGACY)-2) == 0) {
+	    *dbType = SDB_LEGACY;
+	}
+    }
+    return configdir;
+}
+
+char *
+sftk_getSecmodName(char *param, SDBType *dbType, char **appName,
+		   char **filename, PRBool *rw)
+{
+    int next;
+    char *configdir = NULL;
+    char *secmodName = NULL;
+    char *value = NULL;
+    char *save_params = param;
+    const char *lconfigdir;
+    param = sftk_argStrip(param);
+	
+
+    while (*param) {
+	SFTK_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
+	SFTK_HANDLE_FINAL_ARG(param)
+   }
+
+   *rw = PR_TRUE;
+   if (sftk_argHasFlag("flags","readOnly",save_params)) {
+	*rw = PR_FALSE;
+   }
+
+   if (!secmodName || *secmodName == '\0') {
+	if (secmodName) PORT_Free(secmodName);
+	secmodName = PORT_Strdup(SECMOD_DB);
+   }
+
+   *filename = secmodName;
+   lconfigdir = sftk_EvaluateConfigDir(configdir, dbType, appName);
+
+   if (sftk_argHasFlag("flags","noModDB",save_params)) {
+	/* there isn't a module db, don't load the legacy support */
+	*dbType = SDB_SQL;
+        *rw = PR_FALSE;
+   }
+
+   /* only use the renamed secmod for legacy databases */
+   if ((*dbType != SDB_LEGACY) && (*dbType != SDB_MULTIACCESS)) {
+	secmodName="pkcs11.txt";
+   }
+
+   if (lconfigdir) {
+	value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+   } else {
+	value = PR_smprintf("%s",secmodName);
+   }
+   if (configdir) PORT_Free(configdir);
+   return value;
+}
diff --git a/security/nss/lib/softoken/sftkpars.h b/security/nss/lib/softoken/sftkpars.h
new file mode 100644
index 000000000..0086edfba
--- /dev/null
+++ b/security/nss/lib/softoken/sftkpars.h
@@ -0,0 +1,49 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "pkcs11i.h"
+#include "sftkdbt.h"
+
+/* parsing functions */
+char * sftk_argFetchValue(char *string, int *pcount);
+char * sftk_getSecmodName(char *param, SDBType *dbType, char **appName, char **filename,PRBool *rw);
+char *sftk_argStrip(char *c);
+CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
+void sftk_freeParams(sftk_parameters *params);
+const char *sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **app);
+char * sftk_argGetParamValue(char *paramName,char *parameters);
+
+
+
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
new file mode 100644
index 000000000..7198596a6
--- /dev/null
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -0,0 +1,1299 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ *     SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert 
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not 
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *  
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "pkcs11t.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h" 
+#include "secmodt.h"
+#include "sftkpars.h"
+#include "pratom.h"
+#include "blapi.h"
+#include "secoid.h"
+#include "sechash.h"
+#include "lowpbe.h"
+#include "secdert.h"
+#include "prsystem.h"
+#include "lgglue.h"
+#include "secerr.h"
+
+  
+/******************************************************************
+ * 
+ * Key DB password handling functions
+ *
+ * These functions manage the key db password (set, reset, initialize, use).
+ *
+ * The key is managed on 'this side' of the database. All private data is
+ * encrypted before it is sent to the database itself. Besides PBE's, the
+ * database management code can also mix in various fixed keys so the data
+ * in the database is no longer considered 'plain text'.
+ */
+
+
+/* take string password and turn it into a key. The key is dependent
+ * on a global salt entry acquired from the database. This salted
+ * value will be based to a pkcs5 pbe function before it is used
+ * in an actual encryption */
+static SECStatus
+sftkdb_passwordToKey(SFTKDBHandle *keydb, SECItem *salt,
+			const char *pw, SECItem *key)
+{
+    SHA1Context *cx = NULL;
+    SECStatus rv = SECFailure;
+
+    key->data = PORT_Alloc(SHA1_LENGTH);
+    if (key->data == NULL) {
+	goto loser;
+    }
+    key->len = SHA1_LENGTH;
+
+    cx = SHA1_NewContext();
+    if ( cx == NULL) {
+	goto loser;
+    }
+    SHA1_Begin(cx);
+    if (salt  && salt->data ) {
+	SHA1_Update(cx, salt->data, salt->len);
+    }
+    SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw));
+    SHA1_End(cx, key->data, &key->len, key->len);
+    rv = SECSuccess;
+    
+loser:
+    if (cx) {
+	SHA1_DestroyContext(cx, PR_TRUE);
+    }
+    if (rv != SECSuccess) {
+	if (key->data != NULL) {
+	    PORT_ZFree(key->data,key->len);
+	}
+	key->data = NULL;
+    }
+    return rv;
+}
+
+/*
+ * Cipher text stored in the database contains 3 elements:
+ * 1) an identifier describing the encryption algorithm.
+ * 2) an entry specific salt value.
+ * 3) the encrypted value.
+ *
+ * The following data structure represents the encrypted data in a decoded
+ * (but still encrypted) form.
+ */
+typedef struct sftkCipherValueStr sftkCipherValue;
+struct sftkCipherValueStr {
+    PLArenaPool *arena;
+    SECOidTag  alg;
+    NSSPKCS5PBEParameter *param;
+    SECItem    salt;
+    SECItem    value;
+};
+
+#define SFTK_CIPHERTEXT_VERSION 3
+
+struct SFTKDBEncryptedDataInfoStr {
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct SFTKDBEncryptedDataInfoStr SFTKDBEncryptedDataInfo;
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(SFTKDBEncryptedDataInfo) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN ,
+        offsetof(SFTKDBEncryptedDataInfo,algorithm),
+        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(SFTKDBEncryptedDataInfo,encryptedData) },
+    { 0 }
+};
+
+/*
+ * This parses the cipherText into cipher value. NOTE: cipherValue will point
+ * to data in cipherText, if cipherText is freed, cipherValue will be invalid.
+ */
+static SECStatus
+sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue)
+{
+    PLArenaPool *arena = NULL;
+    SFTKDBEncryptedDataInfo edi;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return SECFailure;
+    }
+    cipherValue->arena = NULL;
+    cipherValue->param = NULL;
+
+    rv = SEC_QuickDERDecodeItem(arena, &edi, sftkdb_EncryptedDataInfoTemplate,
+                            cipherText);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    cipherValue->alg = SECOID_GetAlgorithmTag(&edi.algorithm);
+    cipherValue->param = nsspkcs5_AlgidToParam(&edi.algorithm);
+    if (cipherValue->param == NULL) {
+	goto loser;
+    }
+    cipherValue->value = edi.encryptedData;
+    cipherValue->arena = arena;
+
+    return SECSuccess;
+loser:
+    if (cipherValue->param) {
+	nsspkcs5_DestroyPBEParameter(cipherValue->param);
+	cipherValue->param = NULL;
+    }
+    if (arena) {
+	PORT_FreeArena(arena,PR_FALSE);
+    }
+    return SECFailure;
+}
+
+
+
+/* 
+ * unlike decode, Encode actually allocates a SECItem the caller must free
+ * The caller can pass an optional arena to to indicate where to place
+ * the resultant cipherText.
+ */
+static SECStatus
+sftkdb_encodeCipherText(PLArenaPool *arena, sftkCipherValue *cipherValue, 
+                        SECItem **cipherText)
+{
+    SFTKDBEncryptedDataInfo edi;
+    SECAlgorithmID *algid;
+    SECStatus rv;
+    PLArenaPool *localArena = NULL;
+
+
+    localArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (localArena == NULL) {
+	return SECFailure;
+    }
+
+    algid = nsspkcs5_CreateAlgorithmID(localArena, cipherValue->alg, 
+					cipherValue->param);
+    if (algid == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(localArena, &edi.algorithm, algid);
+    SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    edi.encryptedData = cipherValue->value;
+
+    *cipherText = SEC_ASN1EncodeItem(arena, NULL, &edi, 
+				    sftkdb_EncryptedDataInfoTemplate);
+    if (*cipherText == NULL) {
+	rv = SECFailure;
+    }
+
+loser:
+    if (localArena) {
+	PORT_FreeArena(localArena,PR_FALSE);
+    }
+
+    return rv;
+}
+
+
+/*
+ * Use our key to decode a cipherText block from the database.
+ *
+ * plain text is allocated by nsspkcs5_CipherData and must be freed
+ * with SECITEM_FreeItem by the caller.
+ */
+SECStatus
+sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain) 
+{
+    SECStatus rv;
+    sftkCipherValue cipherValue;
+
+    /* First get the cipher type */
+    rv = sftkdb_decodeCipherText(cipherText, &cipherValue);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value, 
+				    PR_FALSE, NULL);
+    if (*plain == NULL) {
+	rv = SECFailure;
+	goto loser;
+    } 
+
+loser:
+    if (cipherValue.param) {
+	nsspkcs5_DestroyPBEParameter(cipherValue.param);
+    }
+    if (cipherValue.arena) {
+	PORT_FreeArena(cipherValue.arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*
+ * encrypt a block. This function returned the encrypted ciphertext which
+ * the caller must free. If the caller provides an arena, cipherText will
+ * be allocated out of that arena. This also generated the per entry
+ * salt automatically.
+ */
+SECStatus
+sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, 
+		SECItem *plainText, SECItem **cipherText) 
+{
+    SECStatus rv;
+    sftkCipherValue cipherValue;
+    SECItem *cipher = NULL;
+    NSSPKCS5PBEParameter *param = NULL;
+    unsigned char saltData[HASH_LENGTH_MAX];
+
+    cipherValue.alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
+    cipherValue.salt.len = SHA1_LENGTH;
+    cipherValue.salt.data = saltData;
+    RNG_GenerateGlobalRandomBytes(saltData,cipherValue.salt.len);
+
+    param = nsspkcs5_NewParam(cipherValue.alg, &cipherValue.salt, 1);
+    if (param == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    cipher = nsspkcs5_CipherData(param, passKey, plainText, PR_TRUE, NULL);
+    if (cipher == NULL) {
+	rv = SECFailure;
+	goto loser;
+    } 
+    cipherValue.value = *cipher;
+    cipherValue.param = param;
+
+    rv = sftkdb_encodeCipherText(arena, &cipherValue, cipherText);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+loser:
+    if (cipher) {
+	SECITEM_FreeItem(cipher, PR_TRUE);
+    }
+    if (param) {
+	nsspkcs5_DestroyPBEParameter(param);
+    }
+    return rv;
+}
+
+/*
+ * use the password and the pbe parameters to generate an HMAC for the
+ * given plain text data. This is used by sftkdb_VerifyAttribute and
+ * sftkdb_SignAttribute. Signature is returned in signData. The caller
+ * must preallocate the space in the secitem.
+ */
+static SECStatus
+sftkdb_pbehash(SECOidTag sigOid, SECItem *passKey, 
+	       NSSPKCS5PBEParameter *param,
+	       CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
+	       SECItem *plainText, SECItem *signData)
+{
+    SECStatus rv = SECFailure;
+    SECItem *key = NULL;
+    HMACContext *hashCx = NULL;
+    HASH_HashType hashType = HASH_AlgNULL;
+    const SECHashObject *hashObj;
+    unsigned char addressData[SDB_ULONG_SIZE];
+
+    hashType = HASH_FromHMACOid(param->encAlg);
+    if (hashType == HASH_AlgNULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    hashObj = HASH_GetRawHashObject(hashType);
+    if (hashObj == NULL) {
+	goto loser;
+    }
+
+    key = nsspkcs5_ComputeKeyAndIV(param, passKey, NULL, PR_FALSE);
+    if (!key) {
+	goto loser;
+    }
+
+    hashCx = HMAC_Create(hashObj, key->data, key->len, PR_TRUE);
+    if (!hashCx) {
+	goto loser;
+    }
+    HMAC_Begin(hashCx);
+    /* Tie this value to a particular object. This is most important for
+     * the trust attributes, where and attacker could copy a value for
+     * 'validCA' from another cert in the database */
+    sftk_ULong2SDBULong(addressData, objectID);
+    HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+    sftk_ULong2SDBULong(addressData, attrType);
+    HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+
+    HMAC_Update(hashCx, plainText->data, plainText->len);
+    rv = HMAC_Finish(hashCx, signData->data, &signData->len, signData->len);
+
+loser:
+    if (hashCx) {
+	HMAC_Destroy(hashCx, PR_TRUE);
+    }
+    if (key) {
+	SECITEM_FreeItem(key,PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * Use our key to verify a signText block from the database matches
+ * the plainText from the database. The signText is a PKCS 5 v2 pbe.
+ * plainText is the plainText of the attribute.
+ */
+SECStatus
+sftkdb_VerifyAttribute(SECItem *passKey, CK_OBJECT_HANDLE objectID, 
+	     CK_ATTRIBUTE_TYPE attrType, 
+	     SECItem *plainText, SECItem *signText) 
+{
+    SECStatus rv;
+    sftkCipherValue signValue;
+    SECItem signature;
+    unsigned char signData[HASH_LENGTH_MAX];
+    
+
+    /* First get the cipher type */
+    rv = sftkdb_decodeCipherText(signText, &signValue);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    signature.data = signData;
+    signature.len = sizeof(signData);
+
+    rv = sftkdb_pbehash(signValue.alg, passKey, signValue.param, 
+			objectID, attrType, plainText, &signature);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (SECITEM_CompareItem(&signValue.value,&signature) != 0) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	rv = SECFailure;
+    }
+
+loser:
+    if (signValue.param) {
+	nsspkcs5_DestroyPBEParameter(signValue.param);
+    }
+    if (signValue.arena) {
+	PORT_FreeArena(signValue.arena,PR_FALSE);
+    }
+    return rv;
+}
+
+/*
+ * Use our key to create a signText block the plain text of an
+ * attribute. The signText is a PKCS 5 v2 pbe.
+ */
+SECStatus
+sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, 
+	 CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType, 
+	 SECItem *plainText, SECItem **signature) 
+{
+    SECStatus rv;
+    sftkCipherValue signValue;
+    NSSPKCS5PBEParameter *param = NULL;
+    unsigned char saltData[HASH_LENGTH_MAX];
+    unsigned char signData[HASH_LENGTH_MAX];
+    SECOidTag hmacAlg = SEC_OID_HMAC_SHA256; /* hash for authentication */
+    SECOidTag prfAlg = SEC_OID_HMAC_SHA256;  /* hash for pb key generation */
+    HASH_HashType prfType;
+    unsigned int hmacLength;
+    unsigned int prfLength;
+
+    /* this code allows us to fetch the lengths and hashes on the fly
+     * by simply changing the OID above */
+    prfType = HASH_FromHMACOid(prfAlg);
+    PORT_Assert(prfType != HASH_AlgNULL);
+    prfLength = HASH_GetRawHashObject(prfType)->length;
+    PORT_Assert(prfLength <= HASH_LENGTH_MAX);
+
+    hmacLength = HASH_GetRawHashObject(HASH_FromHMACOid(hmacAlg))->length;
+    PORT_Assert(hmacLength <= HASH_LENGTH_MAX);
+
+    /* initialize our CipherValue structure */
+    signValue.alg = SEC_OID_PKCS5_PBMAC1;
+    signValue.salt.len = prfLength;
+    signValue.salt.data = saltData;
+    signValue.value.data = signData;
+    signValue.value.len = hmacLength;
+    RNG_GenerateGlobalRandomBytes(saltData,prfLength);
+
+    /* initialize our pkcs5 paramter */
+    param = nsspkcs5_NewParam(signValue.alg, &signValue.salt, 1);
+    if (param == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    param->keyID = pbeBitGenIntegrityKey;
+    /* set the PKCS 5 v2 parameters, not extractable from the
+     * data passed into nsspkcs5_NewParam */
+    param->encAlg = hmacAlg;
+    param->hashType = prfType;
+    param->keyLen = hmacLength;
+    rv = SECOID_SetAlgorithmID(param->poolp, &param->prfAlg, prfAlg, NULL);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+
+    /* calculate the mac */
+    rv = sftkdb_pbehash(signValue.alg, passKey, param, objectID, attrType,
+			plainText, &signValue.value);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    signValue.param = param;
+
+    /* write it out */
+    rv = sftkdb_encodeCipherText(arena, &signValue, signature);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+loser:
+    if (param) {
+	nsspkcs5_DestroyPBEParameter(param);
+    }
+    return rv;
+}
+
+/*
+ * safely swith the passed in key for the one caches in the keydb handle
+ * 
+ * A key attached to the handle tells us the the token is logged in.
+ * We can used the key attached to the handle in sftkdb_EncryptAttribute 
+ *  and sftkdb_DecryptAttribute calls.
+ */  
+static void 
+sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
+{
+    unsigned char *data;
+    int len;
+
+    if (keydb->passwordLock == NULL) {
+	PORT_Assert(keydb->type != SFTK_KEYDB_TYPE);
+	return;
+    }
+
+    /* an atomic pointer set would be nice */
+    PZ_Lock(keydb->passwordLock);
+    data = keydb->passwordKey.data;
+    len = keydb->passwordKey.len;
+    keydb->passwordKey.data = passKey->data;
+    keydb->passwordKey.len = passKey->len;
+    passKey->data = data;
+    passKey->len = len;
+    PZ_Unlock(keydb->passwordLock);
+}
+
+/*
+ * returns true if we are in a middle of a merge style update.
+ */
+PRBool
+sftkdb_InUpdateMerge(SFTKDBHandle *keydb)
+{
+    return keydb->updateID ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * returns true if we are looking for the password for the user's old source
+ * database as part of a merge style update.
+ */
+PRBool
+sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb)
+{
+    if (!sftkdb_InUpdateMerge(keydb)) {
+	return PR_FALSE;
+    }
+    if (keydb->updateDBIsInit && !keydb->updatePasswordKey) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * fetch an update password key from a handle.
+ */
+SECItem *
+sftkdb_GetUpdatePasswordKey(SFTKDBHandle *handle)
+{
+    SECItem *key = NULL;
+
+    /* if we're a cert db, fetch it from our peer key db */
+    if (handle->type == SFTK_CERTDB_TYPE) {
+	handle = handle->peerDB;
+    }
+
+    /* don't have one */
+    if (!handle) {
+	return NULL;
+    }
+
+    PZ_Lock(handle->passwordLock);
+    if (handle->updatePasswordKey) {
+	key = SECITEM_DupItem(handle->updatePasswordKey);
+    }
+    PZ_Unlock(handle->passwordLock);
+
+    return key;
+}
+
+/*
+ * free the update password key from a handle.
+ */
+void
+sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *handle)
+{
+    SECItem *key = NULL;
+
+    /* if we're a cert db, we don't have one */
+    if (handle->type == SFTK_CERTDB_TYPE) {
+	return;
+    }
+
+    /* don't have one */
+    if (!handle) {
+	return;
+    }
+
+    PZ_Lock(handle->passwordLock);
+    if (handle->updatePasswordKey) {
+	key = handle->updatePasswordKey;
+	handle->updatePasswordKey = NULL;
+    }
+    PZ_Unlock(handle->passwordLock);
+
+    if (key) {
+	SECITEM_ZfreeItem(key, PR_TRUE);
+    }
+
+    return;
+}
+
+/*
+ * what password db we use depends heavily on the update state machine
+ * 
+ *  1) no update db, return the normal database.
+ *  2) update db and no merge return the update db.
+ *  3) update db and in merge: 
+ *      return the update db if we need the update db's password, 
+ *      otherwise return our normal datbase.
+ */
+static SDB *
+sftk_getPWSDB(SFTKDBHandle *keydb)
+{
+    if (!keydb->update) {
+	return keydb->db;
+    }
+    if (!sftkdb_InUpdateMerge(keydb)) {
+	return keydb->update;
+    }
+    if (sftkdb_NeedUpdateDBPassword(keydb)) {
+	return keydb->update;
+    }
+    return keydb->db;
+}
+
+/*
+ * return success if we have a valid password entry.
+ * This is will show up outside of PKCS #11 as CKF_USER_PIN_INIT
+ * in the token flags.
+ */
+SECStatus 
+sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
+{
+    SECItem salt, value;
+    unsigned char saltData[SDB_MAX_META_DATA_LEN];
+    unsigned char valueData[SDB_MAX_META_DATA_LEN];
+    CK_RV crv;
+    SDB *db;
+
+    if (keydb == NULL) {
+	return SECFailure;
+    }
+
+    db = sftk_getPWSDB(keydb);
+    if (db == NULL) {
+	return SECFailure;
+    }
+
+    salt.data = saltData;
+    salt.len = sizeof(saltData);
+    value.data = valueData;
+    value.len = sizeof(valueData);
+    crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+    return (crv == CKR_OK) ? SECSuccess : SECFailure;
+}
+
+#define SFTK_PW_CHECK_STRING "password-check"
+#define SFTK_PW_CHECK_LEN 14
+
+/*
+ * check if the supplied password is valid
+ */
+SECStatus  
+sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
+{
+    SECStatus rv;
+    SECItem salt, value;
+    unsigned char saltData[SDB_MAX_META_DATA_LEN];
+    unsigned char valueData[SDB_MAX_META_DATA_LEN];
+    SECItem key;
+    SECItem *result = NULL;
+    SDB *db;
+    CK_RV crv;
+
+    if (keydb == NULL) {
+	return SECFailure;
+    }
+
+    db = sftk_getPWSDB(keydb);
+    if (db == NULL) {
+	return SECFailure;
+    }
+
+    key.data = NULL;
+    key.len = 0;
+
+    if (pw == NULL) pw="";
+
+    /* get the entry from the database */
+    salt.data = saltData;
+    salt.len = sizeof(saltData);
+    value.data = valueData;
+    value.len = sizeof(valueData);
+    crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    /* get our intermediate key based on the entry salt value */
+    rv = sftkdb_passwordToKey(keydb, &salt, pw, &key);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* decrypt the entry value */
+    rv = sftkdb_DecryptAttribute(&key, &value, &result);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    /* if it's what we expect, update our key in the database handle and
+     * return Success */
+    if ((result->len == SFTK_PW_CHECK_LEN) &&
+      PORT_Memcmp(result->data, SFTK_PW_CHECK_STRING, SFTK_PW_CHECK_LEN) == 0){
+	/*
+	 * We have a password, now lets handle any potential update cases..
+	 * 
+	 * First, the normal case: no update. In this case we only need the
+	 *  the password for our only DB, which we now have, we switch 
+	 *  the keys and fall through.
+	 * Second regular (non-merge) update: The target DB does not yet have
+	 *  a password initialized, we now have the password for the source DB,
+	 *  so we can switch the keys and simply update the target database.
+	 * Merge update case: This one is trickier.
+	 *   1) If we need the source DB password, then we just got it here.
+	 *       We need to save that password,
+	 *       then we need to check to see if we need or have the target 
+	 *         database password.
+	 *       If we have it (it's the same as the source), or don't need 
+	 *         it (it's not set or is ""), we can start the update now.
+	 *       If we don't have it, we need the application to get it from 
+	 *         the user. Clear our sessions out to simulate a token 
+	 *         removal. C_GetTokenInfo will change the token description 
+	 *         and the token will still appear to be logged out.
+	 *   2) If we already have the source DB  password, this password is 
+	 *         for the target database. We can now move forward with the 
+	 *         update, as we now have both required passwords.
+	 *
+	 */
+        PZ_Lock(keydb->passwordLock);
+	if (sftkdb_NeedUpdateDBPassword(keydb)) {
+	    /* Squirrel this special key away.
+	     * This has the side effect of turning sftkdb_NeedLegacyPW off,
+	     * as well as changing which database is returned from 
+	     * SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
+	     * and sftkdb_HasPasswordSet()) */
+	    keydb->updatePasswordKey = SECITEM_DupItem(&key);
+	    PZ_Unlock(keydb->passwordLock);
+	    if (keydb->updatePasswordKey == NULL) {
+		/* PORT_Error set by SECITEM_DupItem */
+		rv = SECFailure;
+		goto done;
+	    }
+
+	    /* Simulate a token removal -- we need to do this any
+             * any case at this point so the token name is correct. */
+	    *tokenRemoved = PR_TRUE;
+
+	    /* 
+	     * OK, we got the update DB password, see if we need a password
+	     * for the target...
+	     */
+	    if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+		/* We have a password, do we know what the password is?
+		 *  check 1) for the password the user supplied for the 
+		 *           update DB,
+		 *    and 2) for the null password.
+		 *
+		 * RECURSION NOTE: we are calling ourselves here. This means
+		 *  any updates, switchKeys, etc will have been completed
+		 *  if these functions return successfully, in those cases
+		 *  just exit returning Success. We don't recurse infinitely
+		 *  because we are making this call from a NeedUpdateDBPassword
+		 *  block and we've already set that update password at this
+		 *  point.  */
+		rv = sftkdb_CheckPassword(keydb, pw, tokenRemoved);
+		if (rv == SECSuccess) {
+		    /* source and target databases have the same password, we 
+		     * are good to go */
+		    goto done;
+		}
+		sftkdb_CheckPassword(keydb, "", tokenRemoved);
+
+		/*
+		 * Important 'NULL' code here. At this point either we 
+		 * succeeded in logging in with "" or we didn't.
+                 *
+                 *  If we did succeed at login, our machine state will be set
+		 * to logged in appropriately. The application will find that 
+		 * it's logged in as soon as it opens a new session. We have 
+		 * also completed the update. Life is good.
+		 * 
+		 *  If we did not succeed, well the user still successfully
+		 * logged into the update database, since we faked the token 
+		 * removal it's just like the user logged into his smart card 
+		 * then removed it. the actual login work, so we report that 
+		 * success back to the user, but we won't actually be
+		 * logged in. The application will find this out when it
+		 * checks it's login state, thus triggering another password
+		 * prompt so we can get the real target DB password.
+		 *
+		 * summary, we exit from here with SECSuccess no matter what.
+		 */
+		rv = SECSuccess;
+		goto done;
+	    } else {
+		/* there is no password, just fall through to update.
+		 * update will write the source DB's password record
+		 * into the target DB just like it would in a non-merge
+		 * update case. */
+	    }
+	} else {
+	    PZ_Unlock(keydb->passwordLock);
+	}
+	/* load the keys, so the keydb can parse it's key set */
+	sftkdb_switchKeys(keydb, &key);
+
+	/* we need to update, do it now */
+	if (keydb->update) {
+	    /* update the peer certdb if it exists */
+	    if (keydb->peerDB) {
+		sftkdb_Update(keydb->peerDB, &key);
+	    }
+	    sftkdb_Update(keydb, &key);
+	}
+    } else {
+        rv = SECFailure;
+	/*PORT_SetError( bad password); */
+    }
+
+done:
+    if (key.data) {
+	PORT_ZFree(key.data,key.len);
+    }
+    if (result) {
+	SECITEM_FreeItem(result,PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * return Success if the there is a cached password key.
+ */
+SECStatus
+sftkdb_PWCached(SFTKDBHandle *keydb)
+{
+    return keydb->passwordKey.data ? SECSuccess : SECFailure;
+}
+
+
+static CK_RV
+sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
+		       CK_OBJECT_HANDLE id, SECItem *newKey)
+{
+    CK_RV crv = CKR_OK;
+    CK_RV crv2;
+    CK_ATTRIBUTE authAttrs[] = {
+	{CKA_MODULUS, NULL, 0},
+	{CKA_PUBLIC_EXPONENT, NULL, 0},
+	{CKA_CERT_SHA1_HASH, NULL, 0},
+	{CKA_CERT_MD5_HASH, NULL, 0},
+	{CKA_TRUST_SERVER_AUTH, NULL, 0},
+	{CKA_TRUST_CLIENT_AUTH, NULL, 0},
+	{CKA_TRUST_EMAIL_PROTECTION, NULL, 0},
+	{CKA_TRUST_CODE_SIGNING, NULL, 0},
+	{CKA_TRUST_STEP_UP_APPROVED, NULL, 0},
+	{CKA_NSS_OVERRIDE_EXTENSIONS, NULL, 0},
+    };
+    CK_ULONG authAttrCount = sizeof(authAttrs)/sizeof(CK_ATTRIBUTE);
+    int i, count;
+    SFTKDBHandle *keyHandle = handle;
+    SDB *keyTarget = NULL;
+
+    id &= SFTK_OBJ_ID_MASK;
+
+    if (handle->type != SFTK_KEYDB_TYPE) {
+	keyHandle = handle->peerDB;
+    }
+
+    if (keyHandle == NULL) {
+	return CKR_OK;
+    }
+
+    /* old DB's don't have meta data, finished with MACs */
+    keyTarget = SFTK_GET_SDB(keyHandle);
+    if ((keyTarget->sdb_flags &SDB_HAS_META) == 0) {
+	return CKR_OK;
+    }
+
+    /*
+     * STEP 1: find the MACed attributes of this object 
+     */
+    crv2 = sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
+    count = 0;
+    /* allocate space for the attributes */
+    for (i=0; i < authAttrCount; i++) {
+	if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)){
+	    continue;
+	}
+	count++;
+        authAttrs[i].pValue = PORT_ArenaAlloc(arena,authAttrs[i].ulValueLen);
+	if (authAttrs[i].pValue == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+    }
+
+    /* if count was zero, none were found, finished with MACs */
+    if (count == 0) {
+	return CKR_OK;
+    }
+
+    crv = sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
+    /* ignore error code, we expect some possible errors */
+
+    /* GetAttributeValue just verified the old macs, safe to write
+     * them out then... */
+    for (i=0; i < authAttrCount; i++) {
+	SECItem *signText;
+	SECItem plainText;
+	SECStatus rv;
+
+	if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)){
+	    continue;
+	}
+
+	plainText.data = authAttrs[i].pValue;
+	plainText.len = authAttrs[i].ulValueLen;
+	rv = sftkdb_SignAttribute(arena, newKey, id, 
+			authAttrs[i].type, &plainText, &signText);
+	if (rv != SECSuccess) {
+	    return CKR_GENERAL_ERROR;
+	}
+	rv = sftkdb_PutAttributeSignature(handle, keyTarget, id, 
+				authAttrs[i].type, signText);
+	if (rv != SECSuccess) {
+	    return CKR_GENERAL_ERROR;
+	}
+    }
+
+    return CKR_OK;
+}
+	
+static CK_RV
+sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
+		       CK_OBJECT_HANDLE id, SECItem *newKey)
+{
+    CK_RV crv = CKR_OK;
+    CK_RV crv2;
+    CK_ATTRIBUTE *first, *last;
+    CK_ATTRIBUTE privAttrs[] = {
+	{CKA_VALUE, NULL, 0},
+	{CKA_PRIVATE_EXPONENT, NULL, 0},
+	{CKA_PRIME_1, NULL, 0},
+	{CKA_PRIME_2, NULL, 0},
+	{CKA_EXPONENT_1, NULL, 0},
+	{CKA_EXPONENT_2, NULL, 0},
+	{CKA_COEFFICIENT, NULL, 0} };
+    CK_ULONG privAttrCount = sizeof(privAttrs)/sizeof(CK_ATTRIBUTE);
+    int i, count;
+
+    /*
+     * STEP 1. Read the old attributes in the clear.
+     */
+
+    /* Get the attribute sizes.
+     *  ignore the error code, we will have unknown attributes here */
+    crv2 = sftkdb_GetAttributeValue(keydb, id, privAttrs, privAttrCount);
+
+    /*
+     * find the valid block of attributes and fill allocate space for
+     * their data */
+    first = last = NULL;
+    for (i=0; i < privAttrCount; i++) {
+         /* find the block of attributes that are appropriate for this 
+          * objects. There should only be once contiguous block, if not 
+          * there's an error.
+          *
+          * find the first and last good entry.
+          */
+	if ((privAttrs[i].ulValueLen == -1) || (privAttrs[i].ulValueLen == 0)){
+	    if (!first) continue;
+	    if (!last) {
+		/* previous entry was last good entry */
+		last= &privAttrs[i-1];
+	    }
+	    continue;
+	}
+	if (!first) {
+	    first = &privAttrs[i];
+	}
+	if (last) {
+	   /* OOPS, we've found another good entry beyond the end of the
+	    * last good entry, we need to fail here. */
+	   crv = CKR_GENERAL_ERROR;
+	   break;
+	}
+        privAttrs[i].pValue = PORT_ArenaAlloc(arena,privAttrs[i].ulValueLen);
+	if (privAttrs[i].pValue == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+    }
+    if (first == NULL) {
+	/* no valid entries found, return error based on crv2 */
+	return crv2;
+    }
+    if (last == NULL) {
+	last = &privAttrs[privAttrCount-1];
+    }
+    if (crv != CKR_OK) {
+	return crv;
+    }
+    /* read the attributes */
+    count = (last-first)+1;
+    crv = sftkdb_GetAttributeValue(keydb, id, first, count);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /*
+     * STEP 2: read the encrypt the attributes with the new key.
+     */
+    for (i=0; i < count; i++) {
+	SECItem plainText;
+	SECItem *result;
+	SECStatus rv;
+
+	plainText.data = first[i].pValue;
+	plainText.len = first[i].ulValueLen;
+    	rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result);
+	if (rv != SECSuccess) {
+	   return CKR_GENERAL_ERROR;
+	}
+	first[i].pValue = result->data;
+	first[i].ulValueLen = result->len;
+	/* clear our sensitive data out */
+	PORT_Memset(plainText.data, 0, plainText.len);
+    }
+
+
+    /*
+     * STEP 3: write the newly encrypted attributes out directly
+     */
+    id &= SFTK_OBJ_ID_MASK;
+    keydb->newKey = newKey;
+    crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count);
+    keydb->newKey = NULL;
+
+    return crv;
+}
+	
+static CK_RV
+sftk_convertAttributes(SFTKDBHandle *handle, 
+			CK_OBJECT_HANDLE id, SECItem *newKey)
+{
+    CK_RV crv = CKR_OK;
+    PLArenaPool *arena = NULL;
+
+    /* get a new arena to simplify cleanup */
+    arena = PORT_NewArena(1024);
+    if (!arena) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * first handle the MACS
+     */
+    crv = sftk_updateMacs(arena, handle, id, newKey);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    if (handle->type == SFTK_KEYDB_TYPE) {
+	crv = sftk_updateEncrypted(arena, handle, id, newKey);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+    }
+
+    /* free up our mess */
+    /* NOTE: at this point we know we've cleared out any unencrypted data */
+    PORT_FreeArena(arena, PR_FALSE);
+    return CKR_OK;
+
+loser:
+    /* there may be unencrypted data, clear it out down */
+    PORT_FreeArena(arena, PR_TRUE);
+    return crv;
+}
+
+
+/*
+ * must be called with the old key active.
+ */
+CK_RV
+sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template, 
+			CK_ULONG count, SECItem *newKey)
+{
+    SDBFind *find = NULL;
+    CK_ULONG idCount = SFTK_MAX_IDS;
+    CK_OBJECT_HANDLE ids[SFTK_MAX_IDS];
+    CK_RV crv, crv2;
+    int i;
+
+    crv = sftkdb_FindObjectsInit(handle, template, count, &find);
+
+    if (crv != CKR_OK) {
+	return crv;
+    }
+    while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
+	crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
+	for (i=0; (crv == CKR_OK) && (i < idCount); i++) {
+	    crv = sftk_convertAttributes(handle, ids[i], newKey);
+	}
+    }
+    crv2 = sftkdb_FindObjectsFinal(handle, find);
+    if (crv == CKR_OK) crv = crv2;
+
+    return crv;
+}
+
+
+/*
+ * change the database password.
+ */
+SECStatus
+sftkdb_ChangePassword(SFTKDBHandle *keydb, 
+                      char *oldPin, char *newPin, PRBool *tokenRemoved)
+{
+    SECStatus rv = SECSuccess;
+    SECItem plainText;
+    SECItem newKey;
+    SECItem *result = NULL;
+    SECItem salt, value;
+    SFTKDBHandle *certdb;
+    unsigned char saltData[SDB_MAX_META_DATA_LEN];
+    unsigned char valueData[SDB_MAX_META_DATA_LEN];
+    CK_RV crv;
+    SDB *db;
+
+    if (keydb == NULL) {
+	return SECFailure;
+    }
+
+    db = SFTK_GET_SDB(keydb);
+    if (db == NULL) {
+	return SECFailure;
+    }
+
+    newKey.data = NULL;
+
+    /* make sure we have a valid old pin */
+    crv = (*keydb->db->sdb_Begin)(keydb->db);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    salt.data = saltData;
+    salt.len = sizeof(saltData);
+    value.data = valueData;
+    value.len = sizeof(valueData);
+    crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+    if (crv == CKR_OK) {
+	rv = sftkdb_CheckPassword(keydb, oldPin, tokenRemoved);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+    } else {
+	salt.len = SHA1_LENGTH;
+    	RNG_GenerateGlobalRandomBytes(salt.data,salt.len);
+    }
+
+    rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+
+    /*
+     * convert encrypted entries here.
+     */
+    crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    /* fix up certdb macs */
+    certdb = keydb->peerDB;
+    if (certdb) {
+	CK_ATTRIBUTE objectType = { CKA_CLASS, 0, sizeof(CK_OBJECT_CLASS) };
+	CK_OBJECT_CLASS myClass = CKO_NETSCAPE_TRUST;
+
+	objectType.pValue = &myClass;
+	crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
+	if (crv != CKR_OK) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	myClass = CKO_PUBLIC_KEY;
+	crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
+	if (crv != CKR_OK) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    }
+
+
+    plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
+    plainText.len = SFTK_PW_CHECK_LEN;
+
+    rv = sftkdb_EncryptAttribute(NULL, &newKey, &plainText, &result);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    value.data = result->data;
+    value.len = result->len;
+    crv = (*keydb->db->sdb_PutMetaData)(keydb->db, "password", &salt, &value);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    crv = (*keydb->db->sdb_Commit)(keydb->db);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    keydb->newKey = NULL;
+
+    sftkdb_switchKeys(keydb, &newKey);
+
+loser:
+    if (newKey.data) {
+	PORT_ZFree(newKey.data,newKey.len);
+    }
+    if (result) {
+	SECITEM_FreeItem(result, PR_FALSE);
+    }
+    if (rv != SECSuccess) {
+        (*keydb->db->sdb_Abort)(keydb->db);
+    }
+    
+    return rv;
+}
+
+/*
+ * loose our cached password
+ */
+SECStatus
+sftkdb_ClearPassword(SFTKDBHandle *keydb)
+{
+    SECItem oldKey;
+    oldKey.data = NULL;
+    oldKey.len = 0;
+    sftkdb_switchKeys(keydb, &oldKey);
+    if (oldKey.data) {
+	PORT_ZFree(oldKey.data, oldKey.len);
+    }
+    return SECSuccess;
+}
+
+
diff --git a/security/nss/lib/softoken/softkver.c b/security/nss/lib/softoken/softkver.c
new file mode 100644
index 000000000..931d620e1
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.c
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2002
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "softkver.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_softokn_rcsid[] = "$Header: NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_softokn_sccsid[] = "@(#)NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
new file mode 100644
index 000000000..26bf9775a
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.h
@@ -0,0 +1,66 @@
+/*
+ * Softoken version numbers
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SOFTKVER_H_
+#define _SOFTKVER_H_
+
+#ifdef NSS_ENABLE_ECC
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+#define SOFTOKEN_ECC_STRING " Extended ECC"
+#else
+#define SOFTOKEN_ECC_STRING " Basic ECC"
+#endif
+#else
+#define SOFTOKEN_ECC_STRING ""
+#endif
+
+/*
+ * Softoken's major version, minor version, patch level, and whether
+ * this is a beta release.
+ *
+ * The format of the version string should be
+ *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
+ */
+#define SOFTOKEN_VERSION  "3.12.1.0" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VMAJOR   3
+#define SOFTOKEN_VMINOR   12
+#define SOFTOKEN_VPATCH   1
+#define SOFTOKEN_BETA     PR_FALSE
+
+#endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
new file mode 100644
index 000000000..35dabffaa
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.h
@@ -0,0 +1,284 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"     /* CK_RV Required for sftk_fipsPowerUpSelfTest(). */
+
+SEC_BEGIN_PROTOS
+
+/*
+** RSA encryption/decryption. When encrypting/decrypting the output
+** buffer must be at least the size of the public key modulus.
+*/
+
+/*
+** Format some data into a PKCS#1 encryption block, preparing the
+** data for RSA encryption.
+**	"result" where the formatted block is stored (memory is allocated)
+**	"modulusLen" the size of the formatted block
+**	"blockType" what block type to use (SEC_RSABlock*)
+**	"data" the data to format
+*/
+extern SECStatus RSA_FormatBlock(SECItem *result,
+				 unsigned int modulusLen,
+				 RSA_BlockType blockType,
+				 SECItem *data);
+/*
+** Similar, but just returns a pointer to the allocated memory, *and*
+** will *only* format one block, even if we (in the future) modify
+** RSA_FormatBlock() to loop over multiples of modulusLen.
+*/
+extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
+					 RSA_BlockType blockType,
+					 SECItem *data);
+
+
+
+/*
+ * convenience wrappers for doing single RSA operations. They create the
+ * RSA context internally and take care of the formatting
+ * requirements. Blinding happens automagically within RSA_Sign and
+ * RSA_DecryptBlock.
+ */
+extern
+SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+		       unsigned int *outputLen, unsigned int maxOutputLen,
+		       unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_HashSign(SECOidTag hashOid,
+			NSSLOWKEYPrivateKey *key, unsigned char *sig,
+			unsigned int *sigLen, unsigned int maxLen,
+			unsigned char *hash, unsigned int hashLen);
+extern
+SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
+			    unsigned int signLength, unsigned char *hash,
+			    unsigned int hashLength);
+extern
+SECStatus RSA_HashCheckSign(SECOidTag hashOid,
+			    NSSLOWKEYPublicKey *key, unsigned char *sig,
+			    unsigned int sigLen, unsigned char *digest,
+			    unsigned int digestLen);
+extern
+SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+    			    unsigned int *data_len,unsigned int max_output_len, 
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+extern
+SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
+			 unsigned int *output_len, unsigned int maxOutputLen,
+			 unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign, 
+			    unsigned int sign_len, unsigned char *hash, 
+			    unsigned int hash_len);
+extern
+SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
+			    unsigned int *data_len, unsigned int max_output_len,
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
+			    unsigned int *output_len,
+			    unsigned int max_output_len, 
+			    unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			     unsigned int *output_len,
+    			     unsigned int max_output_len,
+			     unsigned char *input, unsigned int input_len);
+#ifdef NSS_ENABLE_ECC
+/*
+** pepare an ECParam structure from DEREncoded params
+ */
+extern SECStatus EC_FillParams(PRArenaPool *arena,
+                               const SECItem *encodedParams, ECParams *params);
+extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 
+				ECParams **ecparams);
+extern SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+              			const ECParams *srcParams);
+#endif
+
+
+/*
+** Prepare a buffer for padded CBC encryption, growing to the appropriate 
+** boundary, filling with the appropriate padding.
+**
+** blockSize must be a power of 2.
+**
+** We add from 1 to blockSize bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+*/
+extern unsigned char * CBC_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, 
+                                     unsigned int inlen, unsigned int *outlen,
+				     int blockSize);
+
+
+/****************************************/
+/*
+** Power-Up selftests required for FIPS and invoked only
+** under PKCS #11 FIPS mode.
+*/
+extern CK_RV sftk_fipsPowerUpSelfTest( void ); 
+
+/*
+** make known fixed PKCS #11 key types to their sizes in bytes
+*/	
+unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+
+/*
+** FIPS 140-2 auditing
+*/
+extern PRBool sftk_audit_enabled;
+
+extern void sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg);
+
+extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
+
+extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
+
+extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_RV rv);
+
+extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
+			CK_RV rv);
+
+extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+			CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+			CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditCryptInit(const char *opName,
+			CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+			CK_ULONG ulPublicKeyAttributeCount,
+			CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+			CK_ULONG ulPrivateKeyAttributeCount,
+			CK_OBJECT_HANDLE_PTR phPublicKey,
+			CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
+
+extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+			CK_BYTE_PTR pWrappedKey,
+			CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
+
+extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hUnwrappingKey,
+			CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hBaseKey,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
+/*
+** macros to check for forked child after C_Initialize
+*/
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+
+extern PRBool forked;
+
+extern void ForkedChild(void);
+
+#define CHECK_FORK() \
+    do { if (forked) return CKR_DEVICE_ERROR; } while (0)
+
+#else
+
+#define CHECK_FORK()
+
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */
diff --git a/security/nss/lib/softoken/softokn.def b/security/nss/lib/softoken/softokn.def
new file mode 100644
index 000000000..2544d1b92
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.def
@@ -0,0 +1,61 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.4 {       # NSS 3.4 release
+;+    global:
+LIBRARY softokn3 ;-
+EXPORTS ;-
+C_GetFunctionList; Make this function like a real PKCS #11 module as well
+FC_GetFunctionList;
+NSC_GetFunctionList;
+NSC_ModuleDBFunc;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/softoken/softokn.rc b/security/nss/lib/softoken/softokn.rc
new file mode 100644
index 000000000..860155318
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "softokn"
+#define MY_FILEDESCRIPTION "NSS PKCS #11 Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
new file mode 100644
index 000000000..3af94e286
--- /dev/null
+++ b/security/nss/lib/softoken/softoknt.h
@@ -0,0 +1,73 @@
+/*
+ * softoknt.h - public data structures for the software token library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _SOFTOKNT_H_
+#define _SOFTOKNT_H_
+
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+    RSA_BlockPrivate0 = 0,	/* unused, really */
+    RSA_BlockPrivate = 1,	/* pad for a private-key operation */
+    RSA_BlockPublic = 2,	/* pad for a public-key operation */
+    RSA_BlockOAEP = 3,		/* use OAEP padding */
+				/* XXX is this only for a public-key
+				   operation? If so, add "Public" */
+    RSA_BlockRaw = 4,		/* simply justify the block appropriately */
+    RSA_BlockTotal
+} RSA_BlockType;
+
+#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE   2048
+
+/*
+ * FIPS 140-2 auditing
+ */
+typedef enum {
+    NSS_AUDIT_ERROR = 3,    /* errors */
+    NSS_AUDIT_WARNING = 2,  /* warning messages */
+    NSS_AUDIT_INFO = 1      /* informational messages */
+} NSSAuditSeverity;
+
+#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/softoken/tlsprf.c b/security/nss/lib/softoken/tlsprf.c
new file mode 100644
index 000000000..23e996d5f
--- /dev/null
+++ b/security/nss/lib/softoken/tlsprf.c
@@ -0,0 +1,215 @@
+/* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "pkcs11i.h"
+#include "blapi.h"
+
+#define SFTK_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
+
+static void sftk_TLSPRFNull(void *data, PRBool freeit)
+{
+    return;
+} 
+
+typedef struct {
+    PRUint32	   cxSize;	/* size of allocated block, in bytes.        */
+    PRUint32       cxBufSize;   /* sizeof buffer at cxBufPtr.                */
+    unsigned char *cxBufPtr;	/* points to real buffer, may be cxBuf.      */
+    PRUint32	   cxKeyLen;	/* bytes of cxBufPtr containing key.         */
+    PRUint32	   cxDataLen;	/* bytes of cxBufPtr containing data.        */
+    SECStatus	   cxRv;	/* records failure of void functions.        */
+    PRBool	   cxIsFIPS;	/* true if conforming to FIPS 198.           */
+    unsigned char  cxBuf[512];	/* actual size may be larger than 512.       */
+} TLSPRFContext;
+
+static void
+sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, 
+                        unsigned int data_len)
+{
+    PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
+
+    if (cx->cxRv != SECSuccess)	/* function has previously failed. */
+    	return;
+    if (bytesUsed + data_len > cx->cxBufSize) {
+	/* We don't use realloc here because 
+	** (a) realloc doesn't zero out the old block, and 
+	** (b) if realloc fails, we lose the old block.
+	*/
+	PRUint32 newBufSize = bytesUsed + data_len + 512;
+    	unsigned char * newBuf = (unsigned char *)PORT_Alloc(newBufSize);
+	if (!newBuf) {
+	   cx->cxRv = SECFailure;
+	   return;
+	}
+	PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
+	if (cx->cxBufPtr != cx->cxBuf) {
+	    PORT_ZFree(cx->cxBufPtr, bytesUsed);
+	}
+	cx->cxBufPtr  = newBuf;
+	cx->cxBufSize = newBufSize;
+    }
+    PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
+    cx->cxDataLen += data_len;
+}
+
+static void 
+sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
+	 unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+    *pDigestLen = 0; /* tells Verify that no data has been input yet. */
+}
+
+/* Compute the PRF values from the data previously input. */
+static SECStatus
+sftk_TLSPRFUpdate(TLSPRFContext *cx, 
+                  unsigned char *sig,		/* output goes here. */
+		  unsigned int * sigLen, 	/* how much output.  */
+		  unsigned int   maxLen, 	/* output buffer size */
+		  unsigned char *hash, 		/* unused. */
+		  unsigned int   hashLen)	/* unused. */
+{
+    SECStatus rv;
+    SECItem sigItem;
+    SECItem seedItem;
+    SECItem secretItem;
+
+    if (cx->cxRv != SECSuccess)
+    	return cx->cxRv;
+
+    secretItem.data = cx->cxBufPtr;
+    secretItem.len  = cx->cxKeyLen;
+
+    seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
+    seedItem.len  = cx->cxDataLen;
+
+    sigItem.data = sig;
+    sigItem.len  = maxLen;
+
+    rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
+    if (rv == SECSuccess && sigLen != NULL)
+    	*sigLen = sigItem.len;
+    return rv;
+
+}
+
+static SECStatus
+sftk_TLSPRFVerify(TLSPRFContext *cx, 
+                  unsigned char *sig, 		/* input, for comparison. */
+		  unsigned int   sigLen,	/* length of sig.         */
+		  unsigned char *hash, 		/* data to be verified.   */
+		  unsigned int   hashLen)	/* size of hash data.     */
+{
+    unsigned char * tmp    = (unsigned char *)PORT_Alloc(sigLen);
+    unsigned int    tmpLen = sigLen;
+    SECStatus       rv;
+
+    if (!tmp)
+    	return SECFailure;
+    if (hashLen) {
+    	/* hashLen is non-zero when the user does a one-step verify.
+	** In this case, none of the data has been input yet.
+	*/
+    	sftk_TLSPRFHashUpdate(cx, hash, hashLen);
+    }
+    rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
+    if (rv == SECSuccess) {
+    	rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
+    }
+    PORT_ZFree(tmp, sigLen);
+    return rv;
+}
+
+static void
+sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
+{
+    if (freeit) {
+	if (cx->cxBufPtr != cx->cxBuf) 
+	    PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
+	PORT_ZFree(cx, cx->cxSize);
+    }
+}
+
+CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context, 
+		  SFTKObject *        key, 
+		  CK_KEY_TYPE         key_type)
+{
+    SFTKAttribute * keyVal;
+    TLSPRFContext * prf_cx;
+    CK_RV           crv = CKR_HOST_MEMORY;
+    PRUint32        keySize;
+    PRUint32        blockSize;
+
+    if (key_type != CKK_GENERIC_SECRET)
+    	return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
+
+    context->multi = PR_TRUE;
+
+    keyVal = sftk_FindAttribute(key, CKA_VALUE);
+    keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
+    blockSize = keySize + sizeof(TLSPRFContext);
+    prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+    if (!prf_cx) 
+    	goto done;
+    prf_cx->cxSize    = blockSize;
+    prf_cx->cxKeyLen  = keySize;
+    prf_cx->cxDataLen = 0;
+    prf_cx->cxBufSize = blockSize - SFTK_OFFSETOF(TLSPRFContext, cxBuf);
+    prf_cx->cxRv      = SECSuccess;
+    prf_cx->cxIsFIPS  = (key->slot->slotID == FIPS_SLOT_ID);
+    prf_cx->cxBufPtr  = prf_cx->cxBuf;
+    if (keySize)
+	PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
+
+    context->hashInfo    = (void *) prf_cx;
+    context->cipherInfo  = (void *) prf_cx;
+    context->hashUpdate  = (SFTKHash)    sftk_TLSPRFHashUpdate;
+    context->end         = (SFTKEnd)     sftk_TLSPRFEnd;
+    context->update      = (SFTKCipher)  sftk_TLSPRFUpdate;
+    context->verify      = (SFTKVerify)  sftk_TLSPRFVerify;
+    context->destroy     = (SFTKDestroy) sftk_TLSPRFNull;
+    context->hashdestroy = (SFTKDestroy) sftk_TLSPRFHashDestroy;
+    crv = CKR_OK;
+
+done:
+    if (keyVal) 
+	sftk_FreeAttribute(keyVal);
+    return crv;
+}
+
diff --git a/security/nss/lib/sqlite/Makefile b/security/nss/lib/sqlite/Makefile
new file mode 100644
index 000000000..7e0b30282
--- /dev/null
+++ b/security/nss/lib/sqlite/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/sqlite/config.mk b/security/nss/lib/sqlite/config.mk
new file mode 100644
index 000000000..c6ca93fe4
--- /dev/null
+++ b/security/nss/lib/sqlite/config.mk
@@ -0,0 +1,63 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+#RES = $(OBJDIR)/$(LIBRARY_NAME).res
+#RESNAME = $(LIBRARY_NAME).rc
+endif
+
+ifeq ($(OS_TARGET),AIX)
+EXTRA_LIBS += -lpthreads
+ifdef BUILD_OPT
+OPTIMIZER=
+endif
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+
diff --git a/security/nss/lib/sqlite/manifest.mn b/security/nss/lib/sqlite/manifest.mn
new file mode 100644
index 000000000..023ae7c66
--- /dev/null
+++ b/security/nss/lib/sqlite/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+LIBRARY_NAME = sqlite
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/sqlite.def
+DEFINES += -DTHREADSAFE=1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	sqlite3.h \
+	$(NULL)
+
+
+CSRCS = \
+	sqlite3.c \
+	$(NULL)
+
+
+
+# only add module debugging in opt builds if DEBUG_PKCS11 is set
+ifdef DEBUG_PKCS11
+  DEFINES += -DDEBUG_MODULE
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/sqlite/sqlite.def b/security/nss/lib/sqlite/sqlite.def
new file mode 100644
index 000000000..76ec47c51
--- /dev/null
+++ b/security/nss/lib/sqlite/sqlite.def
@@ -0,0 +1,141 @@
+;+#
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+SQLITE_3 {       
+;+    global:
+LIBRARY sqlite3 ;-
+EXPORTS ;-
+sqlite3_aggregate_context;
+sqlite3_aggregate_count;
+sqlite3_apis;
+sqlite3_auto_extension;
+sqlite3_bind_blob;
+sqlite3_bind_double;
+sqlite3_bind_int;
+sqlite3_bind_int64;
+sqlite3_bind_null;
+sqlite3_bind_parameter_count;
+sqlite3_bind_parameter_index;
+sqlite3_bind_parameter_name;
+sqlite3_bind_text;
+sqlite3_bind_text16;
+sqlite3_bind_value;
+sqlite3_busy_handler;
+sqlite3_busy_timeout;
+sqlite3_changes;
+sqlite3_clear_bindings;
+sqlite3_close;
+sqlite3_collation_needed;
+sqlite3_collation_needed16;
+sqlite3_column_blob;
+sqlite3_column_bytes;
+sqlite3_column_bytes16;
+sqlite3_column_count;
+sqlite3_column_decltype;
+sqlite3_column_decltype16;
+sqlite3_column_double;
+sqlite3_column_int;
+sqlite3_column_int64;
+sqlite3_column_name;
+sqlite3_column_name16;
+sqlite3_column_text;
+sqlite3_column_text16;
+sqlite3_column_type;
+sqlite3_column_value;
+sqlite3_commit_hook;
+sqlite3_complete;
+sqlite3_complete16;
+sqlite3_create_collation;
+sqlite3_create_collation16;
+sqlite3_create_function;
+sqlite3_create_function16;
+sqlite3_create_module;
+sqlite3_data_count;
+sqlite3_db_handle;
+sqlite3_declare_vtab;
+sqlite3_enable_load_extension;
+sqlite3_enable_shared_cache;
+sqlite3_errcode;
+sqlite3_errmsg;
+sqlite3_errmsg16;
+sqlite3_exec;
+sqlite3_expired;
+sqlite3_extended_result_codes;
+sqlite3_finalize;
+sqlite3_free;
+sqlite3_free_table;
+sqlite3_get_autocommit;
+sqlite3_get_auxdata;
+sqlite3_get_table;
+sqlite3_global_recover;
+sqlite3_interrupt;
+sqlite3_last_insert_rowid;
+sqlite3_libversion;
+sqlite3_libversion_number;
+sqlite3_load_extension;
+sqlite3_malloc;
+sqlite3_mprintf;
+sqlite3_open;
+sqlite3_open16;
+sqlite3_overload_function;
+sqlite3_prepare;
+sqlite3_prepare16;
+sqlite3_prepare16_v2;
+sqlite3_prepare_v2;
+sqlite3_profile;
+sqlite3_progress_handler;
+sqlite3_realloc;
+sqlite3_reset;
+sqlite3_reset_auto_extension;
+sqlite3_result_blob;
+sqlite3_result_double;
+sqlite3_result_error;
+sqlite3_result_error16;
+sqlite3_result_int;
+sqlite3_result_int64;
+sqlite3_result_null;
+sqlite3_result_text;
+sqlite3_result_text16;
+sqlite3_result_text16be;
+sqlite3_result_text16le;
+sqlite3_result_value;
+sqlite3_rollback_hook;
+sqlite3_set_authorizer;
+sqlite3_set_auxdata;
+sqlite3_sleep;
+sqlite3_snprintf;
+sqlite3_step;
+sqlite3_thread_cleanup;
+sqlite3_total_changes;
+sqlite3_trace;
+sqlite3_transfer_bindings;
+sqlite3_update_hook;
+sqlite3_user_data;
+sqlite3_value_blob;
+sqlite3_value_bytes;
+sqlite3_value_bytes16;
+sqlite3_value_double;
+sqlite3_value_int;
+sqlite3_value_int64;
+sqlite3_value_numeric_type;
+sqlite3_value_text;
+sqlite3_value_text16;
+sqlite3_value_text16be;
+sqlite3_value_text16le;
+sqlite3_value_type;
+sqlite3_version;
+sqlite3_vmprintf;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/sqlite/sqlite3.c b/security/nss/lib/sqlite/sqlite3.c
new file mode 100644
index 000000000..8de8cbbfc
--- /dev/null
+++ b/security/nss/lib/sqlite/sqlite3.c
@@ -0,0 +1,64897 @@
+/******************************************************************************
+** This file is an amalgamation of many separate C source files from SQLite
+** version 3.3.17.  By combining all the individual C code files into this 
+** single large file, the entire code can be compiled as a one translation
+** unit.  This allows many compilers to do optimizations that would not be
+** possible if the files were compiled separately.  Performance improvements
+** of 5% are more are commonly seen when SQLite is compiled as a single
+** translation unit.
+**
+** This file is all you need to compile SQLite.  To use SQLite in other
+** programs, you need this file and the "sqlite3.h" header file that defines
+** the programming interface to the SQLite library.  (If you do not have 
+** the "sqlite3.h" header file at hand, you will find a copy in the first
+** 1885 lines past this header comment.)  Additional code files may be
+** needed if you want a wrapper to interface SQLite with your choice of
+** programming language.  The code for the "sqlite3" command-line shell
+** is also in a separate file.  This file contains only code for the core
+** SQLite library.
+**
+** This amalgamation was generated on 2007-04-25 12:08:23 UTC.
+*/
+#define SQLITE_AMALGAMATION 1
+/************** Begin file sqlite3.h *****************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This header file defines the interface that the SQLite library
+** presents to client programs.
+**
+** @(#) $Id$
+*/
+#ifndef _SQLITE3_H_
+#define _SQLITE3_H_
+#include <stdarg.h>     /* Needed for the definition of va_list */
+
+/*
+** Make sure we can call this stuff from C++.
+*/
+#if 0
+extern "C" {
+#endif
+
+/*
+** The version of the SQLite library.
+*/
+#ifdef SQLITE_VERSION
+# undef SQLITE_VERSION
+#endif
+#define SQLITE_VERSION         "3.3.17"
+
+/*
+** The format of the version string is "X.Y.Z<trailing string>", where
+** X is the major version number, Y is the minor version number and Z
+** is the release number. The trailing string is often "alpha" or "beta".
+** For example "3.1.1beta".
+**
+** The SQLITE_VERSION_NUMBER is an integer with the value 
+** (X*100000 + Y*1000 + Z). For example, for version "3.1.1beta", 
+** SQLITE_VERSION_NUMBER is set to 3001001. To detect if they are using 
+** version 3.1.1 or greater at compile time, programs may use the test 
+** (SQLITE_VERSION_NUMBER>=3001001).
+*/
+#ifdef SQLITE_VERSION_NUMBER
+# undef SQLITE_VERSION_NUMBER
+#endif
+#define SQLITE_VERSION_NUMBER 3003017
+
+/*
+** The version string is also compiled into the library so that a program
+** can check to make sure that the lib*.a file and the *.h file are from
+** the same version.  The sqlite3_libversion() function returns a pointer
+** to the sqlite3_version variable - useful in DLLs which cannot access
+** global variables.
+*/
+extern const char sqlite3_version[];
+const char *sqlite3_libversion(void);
+
+/*
+** Return the value of the SQLITE_VERSION_NUMBER macro when the
+** library was compiled.
+*/
+int sqlite3_libversion_number(void);
+
+/*
+** Each open sqlite database is represented by an instance of the
+** following opaque structure.
+*/
+typedef struct sqlite3 sqlite3;
+
+
+/*
+** Some compilers do not support the "long long" datatype.  So we have
+** to do a typedef that for 64-bit integers that depends on what compiler
+** is being used.
+*/
+#ifdef SQLITE_INT64_TYPE
+  typedef SQLITE_INT64_TYPE sqlite_int64;
+  typedef unsigned SQLITE_INT64_TYPE sqlite_uint64;
+#elif defined(_MSC_VER) || defined(__BORLANDC__)
+  typedef __int64 sqlite_int64;
+  typedef unsigned __int64 sqlite_uint64;
+#else
+  typedef long long int sqlite_int64;
+  typedef unsigned long long int sqlite_uint64;
+#endif
+
+/*
+** If compiling for a processor that lacks floating point support,
+** substitute integer for floating-point
+*/
+#ifdef SQLITE_OMIT_FLOATING_POINT
+# define double sqlite_int64
+#endif
+
+/*
+** A function to close the database.
+**
+** Call this function with a pointer to a structure that was previously
+** returned from sqlite3_open() and the corresponding database will by closed.
+**
+** All SQL statements prepared using sqlite3_prepare() or
+** sqlite3_prepare16() must be deallocated using sqlite3_finalize() before
+** this routine is called. Otherwise, SQLITE_BUSY is returned and the
+** database connection remains open.
+*/
+int sqlite3_close(sqlite3 *);
+
+/*
+** The type for a callback function.
+*/
+typedef int (*sqlite3_callback)(void*,int,char**, char**);
+
+/*
+** A function to executes one or more statements of SQL.
+**
+** If one or more of the SQL statements are queries, then
+** the callback function specified by the 3rd parameter is
+** invoked once for each row of the query result.  This callback
+** should normally return 0.  If the callback returns a non-zero
+** value then the query is aborted, all subsequent SQL statements
+** are skipped and the sqlite3_exec() function returns the SQLITE_ABORT.
+**
+** The 1st parameter is an arbitrary pointer that is passed
+** to the callback function as its first parameter.
+**
+** The 2nd parameter to the callback function is the number of
+** columns in the query result.  The 3rd parameter to the callback
+** is an array of strings holding the values for each column.
+** The 4th parameter to the callback is an array of strings holding
+** the names of each column.
+**
+** The callback function may be NULL, even for queries.  A NULL
+** callback is not an error.  It just means that no callback
+** will be invoked.
+**
+** If an error occurs while parsing or evaluating the SQL (but
+** not while executing the callback) then an appropriate error
+** message is written into memory obtained from malloc() and
+** *errmsg is made to point to that message.  The calling function
+** is responsible for freeing the memory that holds the error
+** message.   Use sqlite3_free() for this.  If errmsg==NULL,
+** then no error message is ever written.
+**
+** The return value is is SQLITE_OK if there are no errors and
+** some other return code if there is an error.  The particular
+** return value depends on the type of error. 
+**
+** If the query could not be executed because a database file is
+** locked or busy, then this function returns SQLITE_BUSY.  (This
+** behavior can be modified somewhat using the sqlite3_busy_handler()
+** and sqlite3_busy_timeout() functions below.)
+*/
+int sqlite3_exec(
+  sqlite3*,                     /* An open database */
+  const char *sql,              /* SQL to be executed */
+  sqlite3_callback,             /* Callback function */
+  void *,                       /* 1st argument to callback function */
+  char **errmsg                 /* Error msg written here */
+);
+
+/*
+** Return values for sqlite3_exec() and sqlite3_step()
+*/
+#define SQLITE_OK           0   /* Successful result */
+/* beginning-of-error-codes */
+#define SQLITE_ERROR        1   /* SQL error or missing database */
+#define SQLITE_INTERNAL     2   /* NOT USED. Internal logic error in SQLite */
+#define SQLITE_PERM         3   /* Access permission denied */
+#define SQLITE_ABORT        4   /* Callback routine requested an abort */
+#define SQLITE_BUSY         5   /* The database file is locked */
+#define SQLITE_LOCKED       6   /* A table in the database is locked */
+#define SQLITE_NOMEM        7   /* A malloc() failed */
+#define SQLITE_READONLY     8   /* Attempt to write a readonly database */
+#define SQLITE_INTERRUPT    9   /* Operation terminated by sqlite3_interrupt()*/
+#define SQLITE_IOERR       10   /* Some kind of disk I/O error occurred */
+#define SQLITE_CORRUPT     11   /* The database disk image is malformed */
+#define SQLITE_NOTFOUND    12   /* NOT USED. Table or record not found */
+#define SQLITE_FULL        13   /* Insertion failed because database is full */
+#define SQLITE_CANTOPEN    14   /* Unable to open the database file */
+#define SQLITE_PROTOCOL    15   /* NOT USED. Database lock protocol error */
+#define SQLITE_EMPTY       16   /* Database is empty */
+#define SQLITE_SCHEMA      17   /* The database schema changed */
+#define SQLITE_TOOBIG      18   /* NOT USED. Too much data for one row */
+#define SQLITE_CONSTRAINT  19   /* Abort due to contraint violation */
+#define SQLITE_MISMATCH    20   /* Data type mismatch */
+#define SQLITE_MISUSE      21   /* Library used incorrectly */
+#define SQLITE_NOLFS       22   /* Uses OS features not supported on host */
+#define SQLITE_AUTH        23   /* Authorization denied */
+#define SQLITE_FORMAT      24   /* Auxiliary database format error */
+#define SQLITE_RANGE       25   /* 2nd parameter to sqlite3_bind out of range */
+#define SQLITE_NOTADB      26   /* File opened that is not a database file */
+#define SQLITE_ROW         100  /* sqlite3_step() has another row ready */
+#define SQLITE_DONE        101  /* sqlite3_step() has finished executing */
+/* end-of-error-codes */
+
+/*
+** Using the sqlite3_extended_result_codes() API, you can cause
+** SQLite to return result codes with additional information in
+** their upper bits.  The lower 8 bits will be the same as the
+** primary result codes above.  But the upper bits might contain
+** more specific error information.
+**
+** To extract the primary result code from an extended result code,
+** simply mask off the lower 8 bits.
+**
+**        primary = extended & 0xff;
+**
+** New result error codes may be added from time to time.  Software
+** that uses the extended result codes should plan accordingly and be
+** sure to always handle new unknown codes gracefully.
+**
+** The SQLITE_OK result code will never be extended.  It will always
+** be exactly zero.
+**
+** The extended result codes always have the primary result code
+** as a prefix.  Primary result codes only contain a single "_"
+** character.  Extended result codes contain two or more "_" characters.
+*/
+#define SQLITE_IOERR_READ          (SQLITE_IOERR | (1<<8))
+#define SQLITE_IOERR_SHORT_READ    (SQLITE_IOERR | (2<<8))
+#define SQLITE_IOERR_WRITE         (SQLITE_IOERR | (3<<8))
+#define SQLITE_IOERR_FSYNC         (SQLITE_IOERR | (4<<8))
+#define SQLITE_IOERR_DIR_FSYNC     (SQLITE_IOERR | (5<<8))
+#define SQLITE_IOERR_TRUNCATE      (SQLITE_IOERR | (6<<8))
+#define SQLITE_IOERR_FSTAT         (SQLITE_IOERR | (7<<8))
+#define SQLITE_IOERR_UNLOCK        (SQLITE_IOERR | (8<<8))
+#define SQLITE_IOERR_RDLOCK        (SQLITE_IOERR | (9<<8))
+#define SQLITE_IOERR_DELETE        (SQLITE_IOERR | (10<<8))
+
+/*
+** Enable or disable the extended result codes.
+*/
+int sqlite3_extended_result_codes(sqlite3*, int onoff);
+
+/*
+** Each entry in an SQLite table has a unique integer key.  (The key is
+** the value of the INTEGER PRIMARY KEY column if there is such a column,
+** otherwise the key is generated automatically.  The unique key is always
+** available as the ROWID, OID, or _ROWID_ column.)  The following routine
+** returns the integer key of the most recent insert in the database.
+*/
+sqlite_int64 sqlite3_last_insert_rowid(sqlite3*);
+
+/*
+** This function returns the number of database rows that were changed
+** (or inserted or deleted) by the most recent SQL statement.  Only
+** changes that are directly specified by the INSERT, UPDATE, or
+** DELETE statement are counted.  Auxiliary changes caused by
+** triggers are not counted.   Within the body of a trigger, however,
+** the sqlite3_changes() API can be called to find the number of
+** changes in the most recently completed INSERT, UPDATE, or DELETE
+** statement within the body of the trigger.
+**
+** All changes are counted, even if they were later undone by a
+** ROLLBACK or ABORT.  Except, changes associated with creating and
+** dropping tables are not counted.
+**
+** If a callback invokes sqlite3_exec() or sqlite3_step() recursively,
+** then the changes in the inner, recursive call are counted together
+** with the changes in the outer call.
+**
+** SQLite implements the command "DELETE FROM table" without a WHERE clause
+** by dropping and recreating the table.  (This is much faster than going
+** through and deleting individual elements form the table.)  Because of
+** this optimization, the change count for "DELETE FROM table" will be
+** zero regardless of the number of elements that were originally in the
+** table. To get an accurate count of the number of rows deleted, use
+** "DELETE FROM table WHERE 1" instead.
+*/
+int sqlite3_changes(sqlite3*);
+
+/*
+** This function returns the number of database rows that have been
+** modified by INSERT, UPDATE or DELETE statements since the database handle
+** was opened. This includes UPDATE, INSERT and DELETE statements executed
+** as part of trigger programs. All changes are counted as soon as the
+** statement that makes them is completed (when the statement handle is
+** passed to sqlite3_reset() or sqlite_finalise()).
+**
+** SQLite implements the command "DELETE FROM table" without a WHERE clause
+** by dropping and recreating the table.  (This is much faster than going
+** through and deleting individual elements form the table.)  Because of
+** this optimization, the change count for "DELETE FROM table" will be
+** zero regardless of the number of elements that were originally in the
+** table. To get an accurate count of the number of rows deleted, use
+** "DELETE FROM table WHERE 1" instead.
+*/
+int sqlite3_total_changes(sqlite3*);
+
+/* This function causes any pending database operation to abort and
+** return at its earliest opportunity.  This routine is typically
+** called in response to a user action such as pressing "Cancel"
+** or Ctrl-C where the user wants a long query operation to halt
+** immediately.
+**
+** It is safe to call this routine from a different thread that the
+** thread that is currently running the database operation. 
+*/
+void sqlite3_interrupt(sqlite3*);
+
+
+/* These functions return true if the given input string comprises
+** one or more complete SQL statements. For the sqlite3_complete() call,
+** the parameter must be a nul-terminated UTF-8 string. For
+** sqlite3_complete16(), a nul-terminated machine byte order UTF-16 string
+** is required.
+**
+** This routine is useful for command-line input to see of the user has
+** entered a complete statement of SQL or if the current statement needs
+** to be continued on the next line.  The algorithm is simple.  If the 
+** last token other than spaces and comments is a semicolon, then return 
+** true.  Actually, the algorithm is a little more complicated than that
+** in order to deal with triggers, but the basic idea is the same:  the
+** statement is not complete unless it ends in a semicolon.
+*/
+int sqlite3_complete(const char *sql);
+int sqlite3_complete16(const void *sql);
+
+/*
+** This routine identifies a callback function that is invoked
+** whenever an attempt is made to open a database table that is
+** currently locked by another process or thread.  If the busy callback
+** is NULL, then sqlite3_exec() returns SQLITE_BUSY immediately if
+** it finds a locked table.  If the busy callback is not NULL, then
+** sqlite3_exec() invokes the callback with two arguments.  The
+** first argument to the handler is a copy of the void* pointer which
+** is the third argument to this routine.  The second argument to
+** the handler is the number of times that the busy handler has
+** been invoked for this locking event.  If the
+** busy callback returns 0, then sqlite3_exec() immediately returns
+** SQLITE_BUSY.  If the callback returns non-zero, then sqlite3_exec()
+** tries to open the table again and the cycle repeats.
+**
+** The presence of a busy handler does not guarantee that
+** it will be invoked when there is lock contention.
+** If SQLite determines that invoking the busy handler could result in
+** a deadlock, it will return SQLITE_BUSY instead.
+** Consider a scenario where one process is holding a read lock that
+** it is trying to promote to a reserved lock and
+** a second process is holding a reserved lock that it is trying
+** to promote to an exclusive lock.  The first process cannot proceed
+** because it is blocked by the second and the second process cannot
+** proceed because it is blocked by the first.  If both processes
+** invoke the busy handlers, neither will make any progress.  Therefore,
+** SQLite returns SQLITE_BUSY for the first process, hoping that this
+** will induce the first process to release its read lock and allow
+** the second process to proceed.
+**
+** The default busy callback is NULL.
+**
+** Sqlite is re-entrant, so the busy handler may start a new query. 
+** (It is not clear why anyone would every want to do this, but it
+** is allowed, in theory.)  But the busy handler may not close the
+** database.  Closing the database from a busy handler will delete 
+** data structures out from under the executing query and will 
+** probably result in a coredump.
+*/
+int sqlite3_busy_handler(sqlite3*, int(*)(void*,int), void*);
+
+/*
+** This routine sets a busy handler that sleeps for a while when a
+** table is locked.  The handler will sleep multiple times until 
+** at least "ms" milleseconds of sleeping have been done.  After
+** "ms" milleseconds of sleeping, the handler returns 0 which
+** causes sqlite3_exec() to return SQLITE_BUSY.
+**
+** Calling this routine with an argument less than or equal to zero
+** turns off all busy handlers.
+*/
+int sqlite3_busy_timeout(sqlite3*, int ms);
+
+/*
+** This next routine is really just a wrapper around sqlite3_exec().
+** Instead of invoking a user-supplied callback for each row of the
+** result, this routine remembers each row of the result in memory
+** obtained from malloc(), then returns all of the result after the
+** query has finished. 
+**
+** As an example, suppose the query result where this table:
+**
+**        Name        | Age
+**        -----------------------
+**        Alice       | 43
+**        Bob         | 28
+**        Cindy       | 21
+**
+** If the 3rd argument were &azResult then after the function returns
+** azResult will contain the following data:
+**
+**        azResult[0] = "Name";
+**        azResult[1] = "Age";
+**        azResult[2] = "Alice";
+**        azResult[3] = "43";
+**        azResult[4] = "Bob";
+**        azResult[5] = "28";
+**        azResult[6] = "Cindy";
+**        azResult[7] = "21";
+**
+** Notice that there is an extra row of data containing the column
+** headers.  But the *nrow return value is still 3.  *ncolumn is
+** set to 2.  In general, the number of values inserted into azResult
+** will be ((*nrow) + 1)*(*ncolumn).
+**
+** After the calling function has finished using the result, it should 
+** pass the result data pointer to sqlite3_free_table() in order to 
+** release the memory that was malloc-ed.  Because of the way the 
+** malloc() happens, the calling function must not try to call 
+** free() directly.  Only sqlite3_free_table() is able to release 
+** the memory properly and safely.
+**
+** The return value of this routine is the same as from sqlite3_exec().
+*/
+int sqlite3_get_table(
+  sqlite3*,               /* An open database */
+  const char *sql,       /* SQL to be executed */
+  char ***resultp,       /* Result written to a char *[]  that this points to */
+  int *nrow,             /* Number of result rows written here */
+  int *ncolumn,          /* Number of result columns written here */
+  char **errmsg          /* Error msg written here */
+);
+
+/*
+** Call this routine to free the memory that sqlite3_get_table() allocated.
+*/
+void sqlite3_free_table(char **result);
+
+/*
+** The following routines are variants of the "sprintf()" from the
+** standard C library.  The resulting string is written into memory
+** obtained from malloc() so that there is never a possiblity of buffer
+** overflow.  These routines also implement some additional formatting
+** options that are useful for constructing SQL statements.
+**
+** The strings returned by these routines should be freed by calling
+** sqlite3_free().
+**
+** All of the usual printf formatting options apply.  In addition, there
+** is a "%q" option.  %q works like %s in that it substitutes a null-terminated
+** string from the argument list.  But %q also doubles every '\'' character.
+** %q is designed for use inside a string literal.  By doubling each '\''
+** character it escapes that character and allows it to be inserted into
+** the string.
+**
+** For example, so some string variable contains text as follows:
+**
+**      char *zText = "It's a happy day!";
+**
+** We can use this text in an SQL statement as follows:
+**
+**      char *z = sqlite3_mprintf("INSERT INTO TABLES('%q')", zText);
+**      sqlite3_exec(db, z, callback1, 0, 0);
+**      sqlite3_free(z);
+**
+** Because the %q format string is used, the '\'' character in zText
+** is escaped and the SQL generated is as follows:
+**
+**      INSERT INTO table1 VALUES('It''s a happy day!')
+**
+** This is correct.  Had we used %s instead of %q, the generated SQL
+** would have looked like this:
+**
+**      INSERT INTO table1 VALUES('It's a happy day!');
+**
+** This second example is an SQL syntax error.  As a general rule you
+** should always use %q instead of %s when inserting text into a string 
+** literal.
+*/
+char *sqlite3_mprintf(const char*,...);
+char *sqlite3_vmprintf(const char*, va_list);
+char *sqlite3_snprintf(int,char*,const char*, ...);
+
+/*
+** SQLite uses its own memory allocator.  On many installations, this
+** memory allocator is identical to the standard malloc()/realloc()/free()
+** and can be used interchangable.  On others, the implementations are
+** different.  For maximum portability, it is best not to mix calls
+** to the standard malloc/realloc/free with the sqlite versions.
+*/
+void *sqlite3_malloc(int);
+void *sqlite3_realloc(void*, int);
+void sqlite3_free(void*);
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+/*
+** This routine registers a callback with the SQLite library.  The
+** callback is invoked (at compile-time, not at run-time) for each
+** attempt to access a column of a table in the database.  The callback
+** returns SQLITE_OK if access is allowed, SQLITE_DENY if the entire
+** SQL statement should be aborted with an error and SQLITE_IGNORE
+** if the column should be treated as a NULL value.
+*/
+int sqlite3_set_authorizer(
+  sqlite3*,
+  int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
+  void *pUserData
+);
+#endif
+
+/*
+** The second parameter to the access authorization function above will
+** be one of the values below.  These values signify what kind of operation
+** is to be authorized.  The 3rd and 4th parameters to the authorization
+** function will be parameters or NULL depending on which of the following
+** codes is used as the second parameter.  The 5th parameter is the name
+** of the database ("main", "temp", etc.) if applicable.  The 6th parameter
+** is the name of the inner-most trigger or view that is responsible for
+** the access attempt or NULL if this access attempt is directly from 
+** input SQL code.
+**
+**                                          Arg-3           Arg-4
+*/
+#define SQLITE_COPY                  0   /* Table Name      File Name       */
+#define SQLITE_CREATE_INDEX          1   /* Index Name      Table Name      */
+#define SQLITE_CREATE_TABLE          2   /* Table Name      NULL            */
+#define SQLITE_CREATE_TEMP_INDEX     3   /* Index Name      Table Name      */
+#define SQLITE_CREATE_TEMP_TABLE     4   /* Table Name      NULL            */
+#define SQLITE_CREATE_TEMP_TRIGGER   5   /* Trigger Name    Table Name      */
+#define SQLITE_CREATE_TEMP_VIEW      6   /* View Name       NULL            */
+#define SQLITE_CREATE_TRIGGER        7   /* Trigger Name    Table Name      */
+#define SQLITE_CREATE_VIEW           8   /* View Name       NULL            */
+#define SQLITE_DELETE                9   /* Table Name      NULL            */
+#define SQLITE_DROP_INDEX           10   /* Index Name      Table Name      */
+#define SQLITE_DROP_TABLE           11   /* Table Name      NULL            */
+#define SQLITE_DROP_TEMP_INDEX      12   /* Index Name      Table Name      */
+#define SQLITE_DROP_TEMP_TABLE      13   /* Table Name      NULL            */
+#define SQLITE_DROP_TEMP_TRIGGER    14   /* Trigger Name    Table Name      */
+#define SQLITE_DROP_TEMP_VIEW       15   /* View Name       NULL            */
+#define SQLITE_DROP_TRIGGER         16   /* Trigger Name    Table Name      */
+#define SQLITE_DROP_VIEW            17   /* View Name       NULL            */
+#define SQLITE_INSERT               18   /* Table Name      NULL            */
+#define SQLITE_PRAGMA               19   /* Pragma Name     1st arg or NULL */
+#define SQLITE_READ                 20   /* Table Name      Column Name     */
+#define SQLITE_SELECT               21   /* NULL            NULL            */
+#define SQLITE_TRANSACTION          22   /* NULL            NULL            */
+#define SQLITE_UPDATE               23   /* Table Name      Column Name     */
+#define SQLITE_ATTACH               24   /* Filename        NULL            */
+#define SQLITE_DETACH               25   /* Database Name   NULL            */
+#define SQLITE_ALTER_TABLE          26   /* Database Name   Table Name      */
+#define SQLITE_REINDEX              27   /* Index Name      NULL            */
+#define SQLITE_ANALYZE              28   /* Table Name      NULL            */
+#define SQLITE_CREATE_VTABLE        29   /* Table Name      Module Name     */
+#define SQLITE_DROP_VTABLE          30   /* Table Name      Module Name     */
+#define SQLITE_FUNCTION             31   /* Function Name   NULL            */
+
+/*
+** The return value of the authorization function should be one of the
+** following constants:
+*/
+/* #define SQLITE_OK  0   // Allow access (This is actually defined above) */
+#define SQLITE_DENY   1   /* Abort the SQL statement with an error */
+#define SQLITE_IGNORE 2   /* Don't allow access, but don't generate an error */
+
+/*
+** Register a function for tracing SQL command evaluation.  The function
+** registered by sqlite3_trace() is invoked at the first sqlite3_step()
+** for the evaluation of an SQL statement.  The function registered by
+** sqlite3_profile() runs at the end of each SQL statement and includes
+** information on how long that statement ran.
+**
+** The sqlite3_profile() API is currently considered experimental and
+** is subject to change.
+*/
+void *sqlite3_trace(sqlite3*, void(*xTrace)(void*,const char*), void*);
+void *sqlite3_profile(sqlite3*,
+   void(*xProfile)(void*,const char*,sqlite_uint64), void*);
+
+/*
+** This routine configures a callback function - the progress callback - that
+** is invoked periodically during long running calls to sqlite3_exec(),
+** sqlite3_step() and sqlite3_get_table(). An example use for this API is to 
+** keep a GUI updated during a large query.
+**
+** The progress callback is invoked once for every N virtual machine opcodes,
+** where N is the second argument to this function. The progress callback
+** itself is identified by the third argument to this function. The fourth
+** argument to this function is a void pointer passed to the progress callback
+** function each time it is invoked.
+**
+** If a call to sqlite3_exec(), sqlite3_step() or sqlite3_get_table() results 
+** in less than N opcodes being executed, then the progress callback is not
+** invoked.
+** 
+** To remove the progress callback altogether, pass NULL as the third
+** argument to this function.
+**
+** If the progress callback returns a result other than 0, then the current 
+** query is immediately terminated and any database changes rolled back. If the
+** query was part of a larger transaction, then the transaction is not rolled
+** back and remains active. The sqlite3_exec() call returns SQLITE_ABORT. 
+**
+******* THIS IS AN EXPERIMENTAL API AND IS SUBJECT TO CHANGE ******
+*/
+void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
+
+/*
+** Register a callback function to be invoked whenever a new transaction
+** is committed.  The pArg argument is passed through to the callback.
+** callback.  If the callback function returns non-zero, then the commit
+** is converted into a rollback.
+**
+** If another function was previously registered, its pArg value is returned.
+** Otherwise NULL is returned.
+**
+** Registering a NULL function disables the callback.
+**
+******* THIS IS AN EXPERIMENTAL API AND IS SUBJECT TO CHANGE ******
+*/
+void *sqlite3_commit_hook(sqlite3*, int(*)(void*), void*);
+
+/*
+** Open the sqlite database file "filename".  The "filename" is UTF-8
+** encoded for sqlite3_open() and UTF-16 encoded in the native byte order
+** for sqlite3_open16().  An sqlite3* handle is returned in *ppDb, even
+** if an error occurs. If the database is opened (or created) successfully,
+** then SQLITE_OK is returned. Otherwise an error code is returned. The
+** sqlite3_errmsg() or sqlite3_errmsg16()  routines can be used to obtain
+** an English language description of the error.
+**
+** If the database file does not exist, then a new database is created.
+** The encoding for the database is UTF-8 if sqlite3_open() is called and
+** UTF-16 if sqlite3_open16 is used.
+**
+** Whether or not an error occurs when it is opened, resources associated
+** with the sqlite3* handle should be released by passing it to
+** sqlite3_close() when it is no longer required.
+*/
+int sqlite3_open(
+  const char *filename,   /* Database filename (UTF-8) */
+  sqlite3 **ppDb          /* OUT: SQLite db handle */
+);
+int sqlite3_open16(
+  const void *filename,   /* Database filename (UTF-16) */
+  sqlite3 **ppDb          /* OUT: SQLite db handle */
+);
+
+/*
+** Return the error code for the most recent sqlite3_* API call associated
+** with sqlite3 handle 'db'. SQLITE_OK is returned if the most recent 
+** API call was successful.
+**
+** Calls to many sqlite3_* functions set the error code and string returned
+** by sqlite3_errcode(), sqlite3_errmsg() and sqlite3_errmsg16()
+** (overwriting the previous values). Note that calls to sqlite3_errcode(),
+** sqlite3_errmsg() and sqlite3_errmsg16() themselves do not affect the
+** results of future invocations.
+**
+** Assuming no other intervening sqlite3_* API calls are made, the error
+** code returned by this function is associated with the same error as
+** the strings  returned by sqlite3_errmsg() and sqlite3_errmsg16().
+*/
+int sqlite3_errcode(sqlite3 *db);
+
+/*
+** Return a pointer to a UTF-8 encoded string describing in english the
+** error condition for the most recent sqlite3_* API call. The returned
+** string is always terminated by an 0x00 byte.
+**
+** The string "not an error" is returned when the most recent API call was
+** successful.
+*/
+const char *sqlite3_errmsg(sqlite3*);
+
+/*
+** Return a pointer to a UTF-16 native byte order encoded string describing
+** in english the error condition for the most recent sqlite3_* API call.
+** The returned string is always terminated by a pair of 0x00 bytes.
+**
+** The string "not an error" is returned when the most recent API call was
+** successful.
+*/
+const void *sqlite3_errmsg16(sqlite3*);
+
+/*
+** An instance of the following opaque structure is used to represent
+** a compiled SQL statment.
+*/
+typedef struct sqlite3_stmt sqlite3_stmt;
+
+/*
+** To execute an SQL query, it must first be compiled into a byte-code
+** program using one of the following routines. The only difference between
+** them is that the second argument, specifying the SQL statement to
+** compile, is assumed to be encoded in UTF-8 for the sqlite3_prepare()
+** function and UTF-16 for sqlite3_prepare16().
+**
+** The first parameter "db" is an SQLite database handle. The second
+** parameter "zSql" is the statement to be compiled, encoded as either
+** UTF-8 or UTF-16 (see above). If the next parameter, "nBytes", is less
+** than zero, then zSql is read up to the first nul terminator.  If
+** "nBytes" is not less than zero, then it is the length of the string zSql
+** in bytes (not characters).
+**
+** *pzTail is made to point to the first byte past the end of the first
+** SQL statement in zSql.  This routine only compiles the first statement
+** in zSql, so *pzTail is left pointing to what remains uncompiled.
+**
+** *ppStmt is left pointing to a compiled SQL statement that can be
+** executed using sqlite3_step().  Or if there is an error, *ppStmt may be
+** set to NULL.  If the input text contained no SQL (if the input is and
+** empty string or a comment) then *ppStmt is set to NULL.
+**
+** On success, SQLITE_OK is returned.  Otherwise an error code is returned.
+*/
+int sqlite3_prepare(
+  sqlite3 *db,            /* Database handle */
+  const char *zSql,       /* SQL statement, UTF-8 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const char **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+int sqlite3_prepare16(
+  sqlite3 *db,            /* Database handle */
+  const void *zSql,       /* SQL statement, UTF-16 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const void **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+
+/*
+** Newer versions of the prepare API work just like the legacy versions
+** but with one exception:  The a copy of the SQL text is saved in the
+** sqlite3_stmt structure that is returned.  If this copy exists, it
+** modifieds the behavior of sqlite3_step() slightly.  First, sqlite3_step()
+** will no longer return an SQLITE_SCHEMA error but will instead automatically
+** rerun the compiler to rebuild the prepared statement.  Secondly, 
+** sqlite3_step() now turns a full result code - the result code that
+** use used to have to call sqlite3_reset() to get.
+*/
+int sqlite3_prepare_v2(
+  sqlite3 *db,            /* Database handle */
+  const char *zSql,       /* SQL statement, UTF-8 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const char **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+int sqlite3_prepare16_v2(
+  sqlite3 *db,            /* Database handle */
+  const void *zSql,       /* SQL statement, UTF-16 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const void **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+
+/*
+** Pointers to the following two opaque structures are used to communicate
+** with the implementations of user-defined functions.
+*/
+typedef struct sqlite3_context sqlite3_context;
+typedef struct Mem sqlite3_value;
+
+/*
+** In the SQL strings input to sqlite3_prepare() and sqlite3_prepare16(),
+** one or more literals can be replace by parameters "?" or "?NNN" or 
+** ":AAA" or "@AAA" or "$VVV" where NNN is a integer, AAA is an identifer,
+** and VVV is a variable name according  to the syntax rules of the
+** TCL programming language.  The value of these parameters (also called
+** "host parameter names") can be set using the routines listed below.
+**
+** In every case, the first argument is a pointer to the sqlite3_stmt
+** structure returned from sqlite3_prepare().  The second argument is the
+** index of the host parameter name.  The first host parameter as an index 
+** of 1.  For named host parameters (":AAA" or "$VVV") you can use 
+** sqlite3_bind_parameter_index() to get the correct index value given
+** the parameter name.  If the same named parameter occurs more than
+** once, it is assigned the same index each time.
+**
+** The fifth argument to sqlite3_bind_blob(), sqlite3_bind_text(), and
+** sqlite3_bind_text16() is a destructor used to dispose of the BLOB or
+** text after SQLite has finished with it.  If the fifth argument is the
+** special value SQLITE_STATIC, then the library assumes that the information
+** is in static, unmanaged space and does not need to be freed.  If the
+** fifth argument has the value SQLITE_TRANSIENT, then SQLite makes its
+** own private copy of the data before the sqlite3_bind_* routine returns.
+**
+** The sqlite3_bind_* routine must be called before sqlite3_step() and after
+** an sqlite3_prepare() or sqlite3_reset().  Bindings persist across
+** multiple calls to sqlite3_reset() and sqlite3_step().  Unbound parameters 
+** are interpreted as NULL.
+*/
+int sqlite3_bind_blob(sqlite3_stmt*, int, const void*, int n, void(*)(void*));
+int sqlite3_bind_double(sqlite3_stmt*, int, double);
+int sqlite3_bind_int(sqlite3_stmt*, int, int);
+int sqlite3_bind_int64(sqlite3_stmt*, int, sqlite_int64);
+int sqlite3_bind_null(sqlite3_stmt*, int);
+int sqlite3_bind_text(sqlite3_stmt*, int, const char*, int n, void(*)(void*));
+int sqlite3_bind_text16(sqlite3_stmt*, int, const void*, int, void(*)(void*));
+int sqlite3_bind_value(sqlite3_stmt*, int, const sqlite3_value*);
+
+/*
+** Return the number of host parameters in a compiled SQL statement.  This
+** routine was added to support DBD::SQLite.
+*/
+int sqlite3_bind_parameter_count(sqlite3_stmt*);
+
+/*
+** Return the name of the i-th name parameter.  Ordinary parameters "?" are
+** nameless and a NULL is returned.  For parameters of the form :AAA or
+** $VVV the complete text of the parameter name is returned, including
+** the initial ":" or "$".  NULL is returned if the index is out of range.
+*/
+const char *sqlite3_bind_parameter_name(sqlite3_stmt*, int);
+
+/*
+** Return the index of a parameter with the given name.  The name
+** must match exactly.  If no parameter with the given name is found,
+** return 0.
+*/
+int sqlite3_bind_parameter_index(sqlite3_stmt*, const char *zName);
+
+/*
+** Set all the parameters in the compiled SQL statement to NULL.
+*/
+int sqlite3_clear_bindings(sqlite3_stmt*);
+
+/*
+** Return the number of columns in the result set returned by the compiled
+** SQL statement. This routine returns 0 if pStmt is an SQL statement
+** that does not return data (for example an UPDATE).
+*/
+int sqlite3_column_count(sqlite3_stmt *pStmt);
+
+/*
+** The first parameter is a compiled SQL statement. This function returns
+** the column heading for the Nth column of that statement, where N is the
+** second function parameter.  The string returned is UTF-8 for
+** sqlite3_column_name() and UTF-16 for sqlite3_column_name16().
+*/
+const char *sqlite3_column_name(sqlite3_stmt*,int);
+const void *sqlite3_column_name16(sqlite3_stmt*,int);
+
+/*
+** The first argument to the following calls is a compiled SQL statement.
+** These functions return information about the Nth column returned by 
+** the statement, where N is the second function argument.
+**
+** If the Nth column returned by the statement is not a column value,
+** then all of the functions return NULL. Otherwise, the return the 
+** name of the attached database, table and column that the expression
+** extracts a value from.
+**
+** As with all other SQLite APIs, those postfixed with "16" return UTF-16
+** encoded strings, the other functions return UTF-8. The memory containing
+** the returned strings is valid until the statement handle is finalized().
+**
+** These APIs are only available if the library was compiled with the 
+** SQLITE_ENABLE_COLUMN_METADATA preprocessor symbol defined.
+*/
+const char *sqlite3_column_database_name(sqlite3_stmt*,int);
+const void *sqlite3_column_database_name16(sqlite3_stmt*,int);
+const char *sqlite3_column_table_name(sqlite3_stmt*,int);
+const void *sqlite3_column_table_name16(sqlite3_stmt*,int);
+const char *sqlite3_column_origin_name(sqlite3_stmt*,int);
+const void *sqlite3_column_origin_name16(sqlite3_stmt*,int);
+
+/*
+** The first parameter is a compiled SQL statement. If this statement
+** is a SELECT statement, the Nth column of the returned result set 
+** of the SELECT is a table column then the declared type of the table
+** column is returned. If the Nth column of the result set is not at table
+** column, then a NULL pointer is returned. The returned string is always
+** UTF-8 encoded. For example, in the database schema:
+**
+** CREATE TABLE t1(c1 VARIANT);
+**
+** And the following statement compiled:
+**
+** SELECT c1 + 1, c1 FROM t1;
+**
+** Then this routine would return the string "VARIANT" for the second
+** result column (i==1), and a NULL pointer for the first result column
+** (i==0).
+*/
+const char *sqlite3_column_decltype(sqlite3_stmt *, int i);
+
+/*
+** The first parameter is a compiled SQL statement. If this statement
+** is a SELECT statement, the Nth column of the returned result set 
+** of the SELECT is a table column then the declared type of the table
+** column is returned. If the Nth column of the result set is not at table
+** column, then a NULL pointer is returned. The returned string is always
+** UTF-16 encoded. For example, in the database schema:
+**
+** CREATE TABLE t1(c1 INTEGER);
+**
+** And the following statement compiled:
+**
+** SELECT c1 + 1, c1 FROM t1;
+**
+** Then this routine would return the string "INTEGER" for the second
+** result column (i==1), and a NULL pointer for the first result column
+** (i==0).
+*/
+const void *sqlite3_column_decltype16(sqlite3_stmt*,int);
+
+/* 
+** After an SQL query has been compiled with a call to either
+** sqlite3_prepare() or sqlite3_prepare16(), then this function must be
+** called one or more times to execute the statement.
+**
+** The return value will be either SQLITE_BUSY, SQLITE_DONE, 
+** SQLITE_ROW, SQLITE_ERROR, or SQLITE_MISUSE.
+**
+** SQLITE_BUSY means that the database engine attempted to open
+** a locked database and there is no busy callback registered.
+** Call sqlite3_step() again to retry the open.
+**
+** SQLITE_DONE means that the statement has finished executing
+** successfully.  sqlite3_step() should not be called again on this virtual
+** machine.
+**
+** If the SQL statement being executed returns any data, then 
+** SQLITE_ROW is returned each time a new row of data is ready
+** for processing by the caller. The values may be accessed using
+** the sqlite3_column_*() functions described below. sqlite3_step()
+** is called again to retrieve the next row of data.
+** 
+** SQLITE_ERROR means that a run-time error (such as a constraint
+** violation) has occurred.  sqlite3_step() should not be called again on
+** the VM. More information may be found by calling sqlite3_errmsg().
+**
+** SQLITE_MISUSE means that the this routine was called inappropriately.
+** Perhaps it was called on a virtual machine that had already been
+** finalized or on one that had previously returned SQLITE_ERROR or
+** SQLITE_DONE.  Or it could be the case the the same database connection
+** is being used simulataneously by two or more threads.
+*/
+int sqlite3_step(sqlite3_stmt*);
+
+/*
+** Return the number of values in the current row of the result set.
+**
+** After a call to sqlite3_step() that returns SQLITE_ROW, this routine
+** will return the same value as the sqlite3_column_count() function.
+** After sqlite3_step() has returned an SQLITE_DONE, SQLITE_BUSY or
+** error code, or before sqlite3_step() has been called on a 
+** compiled SQL statement, this routine returns zero.
+*/
+int sqlite3_data_count(sqlite3_stmt *pStmt);
+
+/*
+** Values are stored in the database in one of the following fundamental
+** types.
+*/
+#define SQLITE_INTEGER  1
+#define SQLITE_FLOAT    2
+/* #define SQLITE_TEXT  3  // See below */
+#define SQLITE_BLOB     4
+#define SQLITE_NULL     5
+
+/*
+** SQLite version 2 defines SQLITE_TEXT differently.  To allow both
+** version 2 and version 3 to be included, undefine them both if a
+** conflict is seen.  Define SQLITE3_TEXT to be the version 3 value.
+*/
+#ifdef SQLITE_TEXT
+# undef SQLITE_TEXT
+#else
+# define SQLITE_TEXT     3
+#endif
+#define SQLITE3_TEXT     3
+
+/*
+** The next group of routines returns information about the information
+** in a single column of the current result row of a query.  In every
+** case the first parameter is a pointer to the SQL statement that is being
+** executed (the sqlite_stmt* that was returned from sqlite3_prepare()) and
+** the second argument is the index of the column for which information 
+** should be returned.  iCol is zero-indexed.  The left-most column as an
+** index of 0.
+**
+** If the SQL statement is not currently point to a valid row, or if the
+** the colulmn index is out of range, the result is undefined.
+**
+** These routines attempt to convert the value where appropriate.  For
+** example, if the internal representation is FLOAT and a text result
+** is requested, sprintf() is used internally to do the conversion
+** automatically.  The following table details the conversions that
+** are applied:
+**
+**    Internal Type    Requested Type     Conversion
+**    -------------    --------------    --------------------------
+**       NULL             INTEGER         Result is 0
+**       NULL             FLOAT           Result is 0.0
+**       NULL             TEXT            Result is an empty string
+**       NULL             BLOB            Result is a zero-length BLOB
+**       INTEGER          FLOAT           Convert from integer to float
+**       INTEGER          TEXT            ASCII rendering of the integer
+**       INTEGER          BLOB            Same as for INTEGER->TEXT
+**       FLOAT            INTEGER         Convert from float to integer
+**       FLOAT            TEXT            ASCII rendering of the float
+**       FLOAT            BLOB            Same as FLOAT->TEXT
+**       TEXT             INTEGER         Use atoi()
+**       TEXT             FLOAT           Use atof()
+**       TEXT             BLOB            No change
+**       BLOB             INTEGER         Convert to TEXT then use atoi()
+**       BLOB             FLOAT           Convert to TEXT then use atof()
+**       BLOB             TEXT            Add a \000 terminator if needed
+**
+** The following access routines are provided:
+**
+** _type()     Return the datatype of the result.  This is one of
+**             SQLITE_INTEGER, SQLITE_FLOAT, SQLITE_TEXT, SQLITE_BLOB,
+**             or SQLITE_NULL.
+** _blob()     Return the value of a BLOB.
+** _bytes()    Return the number of bytes in a BLOB value or the number
+**             of bytes in a TEXT value represented as UTF-8.  The \000
+**             terminator is included in the byte count for TEXT values.
+** _bytes16()  Return the number of bytes in a BLOB value or the number
+**             of bytes in a TEXT value represented as UTF-16.  The \u0000
+**             terminator is included in the byte count for TEXT values.
+** _double()   Return a FLOAT value.
+** _int()      Return an INTEGER value in the host computer's native
+**             integer representation.  This might be either a 32- or 64-bit
+**             integer depending on the host.
+** _int64()    Return an INTEGER value as a 64-bit signed integer.
+** _text()     Return the value as UTF-8 text.
+** _text16()   Return the value as UTF-16 text.
+*/
+const void *sqlite3_column_blob(sqlite3_stmt*, int iCol);
+int sqlite3_column_bytes(sqlite3_stmt*, int iCol);
+int sqlite3_column_bytes16(sqlite3_stmt*, int iCol);
+double sqlite3_column_double(sqlite3_stmt*, int iCol);
+int sqlite3_column_int(sqlite3_stmt*, int iCol);
+sqlite_int64 sqlite3_column_int64(sqlite3_stmt*, int iCol);
+const unsigned char *sqlite3_column_text(sqlite3_stmt*, int iCol);
+const void *sqlite3_column_text16(sqlite3_stmt*, int iCol);
+int sqlite3_column_type(sqlite3_stmt*, int iCol);
+int sqlite3_column_numeric_type(sqlite3_stmt*, int iCol);
+sqlite3_value *sqlite3_column_value(sqlite3_stmt*, int iCol);
+
+/*
+** The sqlite3_finalize() function is called to delete a compiled
+** SQL statement obtained by a previous call to sqlite3_prepare()
+** or sqlite3_prepare16(). If the statement was executed successfully, or
+** not executed at all, then SQLITE_OK is returned. If execution of the
+** statement failed then an error code is returned. 
+**
+** This routine can be called at any point during the execution of the
+** virtual machine.  If the virtual machine has not completed execution
+** when this routine is called, that is like encountering an error or
+** an interrupt.  (See sqlite3_interrupt().)  Incomplete updates may be
+** rolled back and transactions cancelled,  depending on the circumstances,
+** and the result code returned will be SQLITE_ABORT.
+*/
+int sqlite3_finalize(sqlite3_stmt *pStmt);
+
+/*
+** The sqlite3_reset() function is called to reset a compiled SQL
+** statement obtained by a previous call to sqlite3_prepare() or
+** sqlite3_prepare16() back to it's initial state, ready to be re-executed.
+** Any SQL statement variables that had values bound to them using
+** the sqlite3_bind_*() API retain their values.
+*/
+int sqlite3_reset(sqlite3_stmt *pStmt);
+
+/*
+** The following two functions are used to add user functions or aggregates
+** implemented in C to the SQL langauge interpreted by SQLite. The
+** difference only between the two is that the second parameter, the
+** name of the (scalar) function or aggregate, is encoded in UTF-8 for
+** sqlite3_create_function() and UTF-16 for sqlite3_create_function16().
+**
+** The first argument is the database handle that the new function or
+** aggregate is to be added to. If a single program uses more than one
+** database handle internally, then user functions or aggregates must 
+** be added individually to each database handle with which they will be
+** used.
+**
+** The third parameter is the number of arguments that the function or
+** aggregate takes. If this parameter is negative, then the function or
+** aggregate may take any number of arguments.
+**
+** The fourth parameter is one of SQLITE_UTF* values defined below,
+** indicating the encoding that the function is most likely to handle
+** values in.  This does not change the behaviour of the programming
+** interface. However, if two versions of the same function are registered
+** with different encoding values, SQLite invokes the version likely to
+** minimize conversions between text encodings.
+**
+** The seventh, eighth and ninth parameters, xFunc, xStep and xFinal, are
+** pointers to user implemented C functions that implement the user
+** function or aggregate. A scalar function requires an implementation of
+** the xFunc callback only, NULL pointers should be passed as the xStep
+** and xFinal parameters. An aggregate function requires an implementation
+** of xStep and xFinal, but NULL should be passed for xFunc. To delete an
+** existing user function or aggregate, pass NULL for all three function
+** callback. Specifying an inconstent set of callback values, such as an
+** xFunc and an xFinal, or an xStep but no xFinal, SQLITE_ERROR is
+** returned.
+*/
+int sqlite3_create_function(
+  sqlite3 *,
+  const char *zFunctionName,
+  int nArg,
+  int eTextRep,
+  void*,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+  void (*xFinal)(sqlite3_context*)
+);
+int sqlite3_create_function16(
+  sqlite3*,
+  const void *zFunctionName,
+  int nArg,
+  int eTextRep,
+  void*,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+  void (*xFinal)(sqlite3_context*)
+);
+
+/*
+** This function is deprecated.  Do not use it.  It continues to exist
+** so as not to break legacy code.  But new code should avoid using it.
+*/
+int sqlite3_aggregate_count(sqlite3_context*);
+
+/*
+** The next group of routines returns information about parameters to
+** a user-defined function.  Function implementations use these routines
+** to access their parameters.  These routines are the same as the
+** sqlite3_column_* routines except that these routines take a single
+** sqlite3_value* pointer instead of an sqlite3_stmt* and an integer
+** column number.
+*/
+const void *sqlite3_value_blob(sqlite3_value*);
+int sqlite3_value_bytes(sqlite3_value*);
+int sqlite3_value_bytes16(sqlite3_value*);
+double sqlite3_value_double(sqlite3_value*);
+int sqlite3_value_int(sqlite3_value*);
+sqlite_int64 sqlite3_value_int64(sqlite3_value*);
+const unsigned char *sqlite3_value_text(sqlite3_value*);
+const void *sqlite3_value_text16(sqlite3_value*);
+const void *sqlite3_value_text16le(sqlite3_value*);
+const void *sqlite3_value_text16be(sqlite3_value*);
+int sqlite3_value_type(sqlite3_value*);
+int sqlite3_value_numeric_type(sqlite3_value*);
+
+/*
+** Aggregate functions use the following routine to allocate
+** a structure for storing their state.  The first time this routine
+** is called for a particular aggregate, a new structure of size nBytes
+** is allocated, zeroed, and returned.  On subsequent calls (for the
+** same aggregate instance) the same buffer is returned.  The implementation
+** of the aggregate can use the returned buffer to accumulate data.
+**
+** The buffer allocated is freed automatically by SQLite.
+*/
+void *sqlite3_aggregate_context(sqlite3_context*, int nBytes);
+
+/*
+** The pUserData parameter to the sqlite3_create_function()
+** routine used to register user functions is available to
+** the implementation of the function using this call.
+*/
+void *sqlite3_user_data(sqlite3_context*);
+
+/*
+** The following two functions may be used by scalar user functions to
+** associate meta-data with argument values. If the same value is passed to
+** multiple invocations of the user-function during query execution, under
+** some circumstances the associated meta-data may be preserved. This may
+** be used, for example, to add a regular-expression matching scalar
+** function. The compiled version of the regular expression is stored as
+** meta-data associated with the SQL value passed as the regular expression
+** pattern.
+**
+** Calling sqlite3_get_auxdata() returns a pointer to the meta data
+** associated with the Nth argument value to the current user function
+** call, where N is the second parameter. If no meta-data has been set for
+** that value, then a NULL pointer is returned.
+**
+** The sqlite3_set_auxdata() is used to associate meta data with a user
+** function argument. The third parameter is a pointer to the meta data
+** to be associated with the Nth user function argument value. The fourth
+** parameter specifies a 'delete function' that will be called on the meta
+** data pointer to release it when it is no longer required. If the delete
+** function pointer is NULL, it is not invoked.
+**
+** In practice, meta-data is preserved between function calls for
+** expressions that are constant at compile time. This includes literal
+** values and SQL variables.
+*/
+void *sqlite3_get_auxdata(sqlite3_context*, int);
+void sqlite3_set_auxdata(sqlite3_context*, int, void*, void (*)(void*));
+
+
+/*
+** These are special value for the destructor that is passed in as the
+** final argument to routines like sqlite3_result_blob().  If the destructor
+** argument is SQLITE_STATIC, it means that the content pointer is constant
+** and will never change.  It does not need to be destroyed.  The 
+** SQLITE_TRANSIENT value means that the content will likely change in
+** the near future and that SQLite should make its own private copy of
+** the content before returning.
+**
+** The typedef is necessary to work around problems in certain
+** C++ compilers.  See ticket #2191.
+*/
+typedef void (*sqlite3_destructor_type)(void*);
+#define SQLITE_STATIC      ((sqlite3_destructor_type)0)
+#define SQLITE_TRANSIENT   ((sqlite3_destructor_type)-1)
+
+/*
+** User-defined functions invoke the following routines in order to
+** set their return value.
+*/
+void sqlite3_result_blob(sqlite3_context*, const void*, int, void(*)(void*));
+void sqlite3_result_double(sqlite3_context*, double);
+void sqlite3_result_error(sqlite3_context*, const char*, int);
+void sqlite3_result_error16(sqlite3_context*, const void*, int);
+void sqlite3_result_int(sqlite3_context*, int);
+void sqlite3_result_int64(sqlite3_context*, sqlite_int64);
+void sqlite3_result_null(sqlite3_context*);
+void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
+void sqlite3_result_text16(sqlite3_context*, const void*, int, void(*)(void*));
+void sqlite3_result_text16le(sqlite3_context*, const void*, int,void(*)(void*));
+void sqlite3_result_text16be(sqlite3_context*, const void*, int,void(*)(void*));
+void sqlite3_result_value(sqlite3_context*, sqlite3_value*);
+
+/*
+** These are the allowed values for the eTextRep argument to
+** sqlite3_create_collation and sqlite3_create_function.
+*/
+#define SQLITE_UTF8           1
+#define SQLITE_UTF16LE        2
+#define SQLITE_UTF16BE        3
+#define SQLITE_UTF16          4    /* Use native byte order */
+#define SQLITE_ANY            5    /* sqlite3_create_function only */
+#define SQLITE_UTF16_ALIGNED  8    /* sqlite3_create_collation only */
+
+/*
+** These two functions are used to add new collation sequences to the
+** sqlite3 handle specified as the first argument. 
+**
+** The name of the new collation sequence is specified as a UTF-8 string
+** for sqlite3_create_collation() and a UTF-16 string for
+** sqlite3_create_collation16(). In both cases the name is passed as the
+** second function argument.
+**
+** The third argument must be one of the constants SQLITE_UTF8,
+** SQLITE_UTF16LE or SQLITE_UTF16BE, indicating that the user-supplied
+** routine expects to be passed pointers to strings encoded using UTF-8,
+** UTF-16 little-endian or UTF-16 big-endian respectively.
+**
+** A pointer to the user supplied routine must be passed as the fifth
+** argument. If it is NULL, this is the same as deleting the collation
+** sequence (so that SQLite cannot call it anymore). Each time the user
+** supplied function is invoked, it is passed a copy of the void* passed as
+** the fourth argument to sqlite3_create_collation() or
+** sqlite3_create_collation16() as its first parameter.
+**
+** The remaining arguments to the user-supplied routine are two strings,
+** each represented by a [length, data] pair and encoded in the encoding
+** that was passed as the third argument when the collation sequence was
+** registered. The user routine should return negative, zero or positive if
+** the first string is less than, equal to, or greater than the second
+** string. i.e. (STRING1 - STRING2).
+*/
+int sqlite3_create_collation(
+  sqlite3*, 
+  const char *zName, 
+  int eTextRep, 
+  void*,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+);
+int sqlite3_create_collation16(
+  sqlite3*, 
+  const char *zName, 
+  int eTextRep, 
+  void*,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+);
+
+/*
+** To avoid having to register all collation sequences before a database
+** can be used, a single callback function may be registered with the
+** database handle to be called whenever an undefined collation sequence is
+** required.
+**
+** If the function is registered using the sqlite3_collation_needed() API,
+** then it is passed the names of undefined collation sequences as strings
+** encoded in UTF-8. If sqlite3_collation_needed16() is used, the names
+** are passed as UTF-16 in machine native byte order. A call to either
+** function replaces any existing callback.
+**
+** When the user-function is invoked, the first argument passed is a copy
+** of the second argument to sqlite3_collation_needed() or
+** sqlite3_collation_needed16(). The second argument is the database
+** handle. The third argument is one of SQLITE_UTF8, SQLITE_UTF16BE or
+** SQLITE_UTF16LE, indicating the most desirable form of the collation
+** sequence function required. The fourth parameter is the name of the
+** required collation sequence.
+**
+** The collation sequence is returned to SQLite by a collation-needed
+** callback using the sqlite3_create_collation() or
+** sqlite3_create_collation16() APIs, described above.
+*/
+int sqlite3_collation_needed(
+  sqlite3*, 
+  void*, 
+  void(*)(void*,sqlite3*,int eTextRep,const char*)
+);
+int sqlite3_collation_needed16(
+  sqlite3*, 
+  void*,
+  void(*)(void*,sqlite3*,int eTextRep,const void*)
+);
+
+/*
+** Specify the key for an encrypted database.  This routine should be
+** called right after sqlite3_open().
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+int sqlite3_key(
+  sqlite3 *db,                   /* Database to be rekeyed */
+  const void *pKey, int nKey     /* The key */
+);
+
+/*
+** Change the key on an open database.  If the current database is not
+** encrypted, this routine will encrypt it.  If pNew==0 or nNew==0, the
+** database is decrypted.
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+int sqlite3_rekey(
+  sqlite3 *db,                   /* Database to be rekeyed */
+  const void *pKey, int nKey     /* The new key */
+);
+
+/*
+** Sleep for a little while. The second parameter is the number of
+** miliseconds to sleep for. 
+**
+** If the operating system does not support sleep requests with 
+** milisecond time resolution, then the time will be rounded up to 
+** the nearest second. The number of miliseconds of sleep actually 
+** requested from the operating system is returned.
+*/
+int sqlite3_sleep(int);
+
+/*
+** Return TRUE (non-zero) if the statement supplied as an argument needs
+** to be recompiled.  A statement needs to be recompiled whenever the
+** execution environment changes in a way that would alter the program
+** that sqlite3_prepare() generates.  For example, if new functions or
+** collating sequences are registered or if an authorizer function is
+** added or changed.
+**
+*/
+int sqlite3_expired(sqlite3_stmt*);
+
+/*
+** Move all bindings from the first prepared statement over to the second.
+** This routine is useful, for example, if the first prepared statement
+** fails with an SQLITE_SCHEMA error.  The same SQL can be prepared into
+** the second prepared statement then all of the bindings transfered over
+** to the second statement before the first statement is finalized.
+*/
+int sqlite3_transfer_bindings(sqlite3_stmt*, sqlite3_stmt*);
+
+/*
+** If the following global variable is made to point to a
+** string which is the name of a directory, then all temporary files
+** created by SQLite will be placed in that directory.  If this variable
+** is NULL pointer, then SQLite does a search for an appropriate temporary
+** file directory.
+**
+** Once sqlite3_open() has been called, changing this variable will invalidate
+** the current temporary database, if any.
+*/
+extern char *sqlite3_temp_directory;
+
+/*
+** This function is called to recover from a malloc() failure that occured
+** within the SQLite library. Normally, after a single malloc() fails the 
+** library refuses to function (all major calls return SQLITE_NOMEM).
+** This function restores the library state so that it can be used again.
+**
+** All existing statements (sqlite3_stmt pointers) must be finalized or
+** reset before this call is made. Otherwise, SQLITE_BUSY is returned.
+** If any in-memory databases are in use, either as a main or TEMP
+** database, SQLITE_ERROR is returned. In either of these cases, the 
+** library is not reset and remains unusable.
+**
+** This function is *not* threadsafe. Calling this from within a threaded
+** application when threads other than the caller have used SQLite is
+** dangerous and will almost certainly result in malfunctions.
+**
+** This functionality can be omitted from a build by defining the 
+** SQLITE_OMIT_GLOBALRECOVER at compile time.
+*/
+int sqlite3_global_recover(void);
+
+/*
+** Test to see whether or not the database connection is in autocommit
+** mode.  Return TRUE if it is and FALSE if not.  Autocommit mode is on
+** by default.  Autocommit is disabled by a BEGIN statement and reenabled
+** by the next COMMIT or ROLLBACK.
+*/
+int sqlite3_get_autocommit(sqlite3*);
+
+/*
+** Return the sqlite3* database handle to which the prepared statement given
+** in the argument belongs.  This is the same database handle that was
+** the first argument to the sqlite3_prepare() that was used to create
+** the statement in the first place.
+*/
+sqlite3 *sqlite3_db_handle(sqlite3_stmt*);
+
+/*
+** Register a callback function with the database connection identified by the 
+** first argument to be invoked whenever a row is updated, inserted or deleted.
+** Any callback set by a previous call to this function for the same 
+** database connection is overridden.
+**
+** The second argument is a pointer to the function to invoke when a 
+** row is updated, inserted or deleted. The first argument to the callback is
+** a copy of the third argument to sqlite3_update_hook. The second callback 
+** argument is one of SQLITE_INSERT, SQLITE_DELETE or SQLITE_UPDATE, depending
+** on the operation that caused the callback to be invoked. The third and 
+** fourth arguments to the callback contain pointers to the database and 
+** table name containing the affected row. The final callback parameter is 
+** the rowid of the row. In the case of an update, this is the rowid after 
+** the update takes place.
+**
+** The update hook is not invoked when internal system tables are
+** modified (i.e. sqlite_master and sqlite_sequence).
+**
+** If another function was previously registered, its pArg value is returned.
+** Otherwise NULL is returned.
+*/
+void *sqlite3_update_hook(
+  sqlite3*, 
+  void(*)(void *,int ,char const *,char const *,sqlite_int64),
+  void*
+);
+
+/*
+** Register a callback to be invoked whenever a transaction is rolled
+** back. 
+**
+** The new callback function overrides any existing rollback-hook
+** callback. If there was an existing callback, then it's pArg value 
+** (the third argument to sqlite3_rollback_hook() when it was registered) 
+** is returned. Otherwise, NULL is returned.
+**
+** For the purposes of this API, a transaction is said to have been 
+** rolled back if an explicit "ROLLBACK" statement is executed, or
+** an error or constraint causes an implicit rollback to occur. The 
+** callback is not invoked if a transaction is automatically rolled
+** back because the database connection is closed.
+*/
+void *sqlite3_rollback_hook(sqlite3*, void(*)(void *), void*);
+
+/*
+** This function is only available if the library is compiled without
+** the SQLITE_OMIT_SHARED_CACHE macro defined. It is used to enable or
+** disable (if the argument is true or false, respectively) the 
+** "shared pager" feature.
+*/
+int sqlite3_enable_shared_cache(int);
+
+/*
+** Attempt to free N bytes of heap memory by deallocating non-essential
+** memory allocations held by the database library (example: memory 
+** used to cache database pages to improve performance).
+**
+** This function is not a part of standard builds.  It is only created
+** if SQLite is compiled with the SQLITE_ENABLE_MEMORY_MANAGEMENT macro.
+*/
+int sqlite3_release_memory(int);
+
+/*
+** Place a "soft" limit on the amount of heap memory that may be allocated by
+** SQLite within the current thread. If an internal allocation is requested 
+** that would exceed the specified limit, sqlite3_release_memory() is invoked
+** one or more times to free up some space before the allocation is made.
+**
+** The limit is called "soft", because if sqlite3_release_memory() cannot free
+** sufficient memory to prevent the limit from being exceeded, the memory is
+** allocated anyway and the current operation proceeds.
+**
+** This function is only available if the library was compiled with the 
+** SQLITE_ENABLE_MEMORY_MANAGEMENT option set.
+** memory-management has been enabled.
+*/
+void sqlite3_soft_heap_limit(int);
+
+/*
+** This routine makes sure that all thread-local storage has been
+** deallocated for the current thread.
+**
+** This routine is not technically necessary.  All thread-local storage
+** will be automatically deallocated once memory-management and
+** shared-cache are disabled and the soft heap limit has been set
+** to zero.  This routine is provided as a convenience for users who
+** want to make absolutely sure they have not forgotten something
+** prior to killing off a thread.
+*/
+void sqlite3_thread_cleanup(void);
+
+/*
+** Return meta information about a specific column of a specific database
+** table accessible using the connection handle passed as the first function 
+** argument.
+**
+** The column is identified by the second, third and fourth parameters to 
+** this function. The second parameter is either the name of the database
+** (i.e. "main", "temp" or an attached database) containing the specified
+** table or NULL. If it is NULL, then all attached databases are searched
+** for the table using the same algorithm as the database engine uses to 
+** resolve unqualified table references.
+**
+** The third and fourth parameters to this function are the table and column 
+** name of the desired column, respectively. Neither of these parameters 
+** may be NULL.
+**
+** Meta information is returned by writing to the memory locations passed as
+** the 5th and subsequent parameters to this function. Any of these 
+** arguments may be NULL, in which case the corresponding element of meta 
+** information is ommitted.
+**
+** Parameter     Output Type      Description
+** -----------------------------------
+**
+**   5th         const char*      Data type
+**   6th         const char*      Name of the default collation sequence 
+**   7th         int              True if the column has a NOT NULL constraint
+**   8th         int              True if the column is part of the PRIMARY KEY
+**   9th         int              True if the column is AUTOINCREMENT
+**
+**
+** The memory pointed to by the character pointers returned for the 
+** declaration type and collation sequence is valid only until the next 
+** call to any sqlite API function.
+**
+** If the specified table is actually a view, then an error is returned.
+**
+** If the specified column is "rowid", "oid" or "_rowid_" and an 
+** INTEGER PRIMARY KEY column has been explicitly declared, then the output 
+** parameters are set for the explicitly declared column. If there is no
+** explicitly declared IPK column, then the output parameters are set as 
+** follows:
+**
+**     data type: "INTEGER"
+**     collation sequence: "BINARY"
+**     not null: 0
+**     primary key: 1
+**     auto increment: 0
+**
+** This function may load one or more schemas from database files. If an
+** error occurs during this process, or if the requested table or column
+** cannot be found, an SQLITE error code is returned and an error message
+** left in the database handle (to be retrieved using sqlite3_errmsg()).
+**
+** This API is only available if the library was compiled with the
+** SQLITE_ENABLE_COLUMN_METADATA preprocessor symbol defined.
+*/
+int sqlite3_table_column_metadata(
+  sqlite3 *db,                /* Connection handle */
+  const char *zDbName,        /* Database name or NULL */
+  const char *zTableName,     /* Table name */
+  const char *zColumnName,    /* Column name */
+  char const **pzDataType,    /* OUTPUT: Declared data type */
+  char const **pzCollSeq,     /* OUTPUT: Collation sequence name */
+  int *pNotNull,              /* OUTPUT: True if NOT NULL constraint exists */
+  int *pPrimaryKey,           /* OUTPUT: True if column part of PK */
+  int *pAutoinc               /* OUTPUT: True if colums is auto-increment */
+);
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Attempt to load an SQLite extension library contained in the file
+** zFile.  The entry point is zProc.  zProc may be 0 in which case the
+** name of the entry point defaults to "sqlite3_extension_init".
+**
+** Return SQLITE_OK on success and SQLITE_ERROR if something goes wrong.
+**
+** If an error occurs and pzErrMsg is not 0, then fill *pzErrMsg with 
+** error message text.  The calling function should free this memory
+** by calling sqlite3_free().
+**
+** Extension loading must be enabled using sqlite3_enable_load_extension()
+** prior to calling this API or an error will be returned.
+**
+****** EXPERIMENTAL - subject to change without notice **************
+*/
+int sqlite3_load_extension(
+  sqlite3 *db,          /* Load the extension into this database connection */
+  const char *zFile,    /* Name of the shared library containing extension */
+  const char *zProc,    /* Entry point.  Derived from zFile if 0 */
+  char **pzErrMsg       /* Put error message here if not 0 */
+);
+
+/*
+** So as not to open security holes in older applications that are
+** unprepared to deal with extension load, and as a means of disabling
+** extension loading while executing user-entered SQL, the following
+** API is provided to turn the extension loading mechanism on and
+** off.  It is off by default.  See ticket #1863.
+**
+** Call this routine with onoff==1 to turn extension loading on
+** and call it with onoff==0 to turn it back off again.
+*/
+int sqlite3_enable_load_extension(sqlite3 *db, int onoff);
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Register an extension entry point that is automatically invoked
+** whenever a new database connection is opened.
+**
+** This API can be invoked at program startup in order to register
+** one or more statically linked extensions that will be available
+** to all new database connections.
+**
+** Duplicate extensions are detected so calling this routine multiple
+** times with the same extension is harmless.
+**
+** This routine stores a pointer to the extension in an array
+** that is obtained from malloc().  If you run a memory leak
+** checker on your program and it reports a leak because of this
+** array, then invoke sqlite3_automatic_extension_reset() prior
+** to shutdown to free the memory.
+**
+** Automatic extensions apply across all threads.
+*/
+int sqlite3_auto_extension(void *xEntryPoint);
+
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Disable all previously registered automatic extensions.  This
+** routine undoes the effect of all prior sqlite3_automatic_extension()
+** calls.
+**
+** This call disabled automatic extensions in all threads.
+*/
+void sqlite3_reset_auto_extension(void);
+
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** The interface to the virtual-table mechanism is currently considered
+** to be experimental.  The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stablizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+*/
+
+/*
+** Structures used by the virtual table interface
+*/
+typedef struct sqlite3_vtab sqlite3_vtab;
+typedef struct sqlite3_index_info sqlite3_index_info;
+typedef struct sqlite3_vtab_cursor sqlite3_vtab_cursor;
+typedef struct sqlite3_module sqlite3_module;
+
+/*
+** A module is a class of virtual tables.  Each module is defined
+** by an instance of the following structure.  This structure consists
+** mostly of methods for the module.
+*/
+struct sqlite3_module {
+  int iVersion;
+  int (*xCreate)(sqlite3*, void *pAux,
+               int argc, const char *const*argv,
+               sqlite3_vtab **ppVTab, char**);
+  int (*xConnect)(sqlite3*, void *pAux,
+               int argc, const char *const*argv,
+               sqlite3_vtab **ppVTab, char**);
+  int (*xBestIndex)(sqlite3_vtab *pVTab, sqlite3_index_info*);
+  int (*xDisconnect)(sqlite3_vtab *pVTab);
+  int (*xDestroy)(sqlite3_vtab *pVTab);
+  int (*xOpen)(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor);
+  int (*xClose)(sqlite3_vtab_cursor*);
+  int (*xFilter)(sqlite3_vtab_cursor*, int idxNum, const char *idxStr,
+                int argc, sqlite3_value **argv);
+  int (*xNext)(sqlite3_vtab_cursor*);
+  int (*xEof)(sqlite3_vtab_cursor*);
+  int (*xColumn)(sqlite3_vtab_cursor*, sqlite3_context*, int);
+  int (*xRowid)(sqlite3_vtab_cursor*, sqlite_int64 *pRowid);
+  int (*xUpdate)(sqlite3_vtab *, int, sqlite3_value **, sqlite_int64 *);
+  int (*xBegin)(sqlite3_vtab *pVTab);
+  int (*xSync)(sqlite3_vtab *pVTab);
+  int (*xCommit)(sqlite3_vtab *pVTab);
+  int (*xRollback)(sqlite3_vtab *pVTab);
+  int (*xFindFunction)(sqlite3_vtab *pVtab, int nArg, const char *zName,
+                       void (**pxFunc)(sqlite3_context*,int,sqlite3_value**),
+                       void **ppArg);
+};
+
+/*
+** The sqlite3_index_info structure and its substructures is used to
+** pass information into and receive the reply from the xBestIndex
+** method of an sqlite3_module.  The fields under **Inputs** are the
+** inputs to xBestIndex and are read-only.  xBestIndex inserts its
+** results into the **Outputs** fields.
+**
+** The aConstraint[] array records WHERE clause constraints of the
+** form:
+**
+**         column OP expr
+**
+** Where OP is =, <, <=, >, or >=.  The particular operator is stored
+** in aConstraint[].op.  The index of the column is stored in 
+** aConstraint[].iColumn.  aConstraint[].usable is TRUE if the
+** expr on the right-hand side can be evaluated (and thus the constraint
+** is usable) and false if it cannot.
+**
+** The optimizer automatically inverts terms of the form "expr OP column"
+** and makes other simplificatinos to the WHERE clause in an attempt to
+** get as many WHERE clause terms into the form shown above as possible.
+** The aConstraint[] array only reports WHERE clause terms in the correct
+** form that refer to the particular virtual table being queried.
+**
+** Information about the ORDER BY clause is stored in aOrderBy[].
+** Each term of aOrderBy records a column of the ORDER BY clause.
+**
+** The xBestIndex method must fill aConstraintUsage[] with information
+** about what parameters to pass to xFilter.  If argvIndex>0 then
+** the right-hand side of the corresponding aConstraint[] is evaluated
+** and becomes the argvIndex-th entry in argv.  If aConstraintUsage[].omit
+** is true, then the constraint is assumed to be fully handled by the
+** virtual table and is not checked again by SQLite.
+**
+** The idxNum and idxPtr values are recorded and passed into xFilter.
+** sqlite3_free() is used to free idxPtr if needToFreeIdxPtr is true.
+**
+** The orderByConsumed means that output from xFilter will occur in
+** the correct order to satisfy the ORDER BY clause so that no separate
+** sorting step is required.
+**
+** The estimatedCost value is an estimate of the cost of doing the
+** particular lookup.  A full scan of a table with N entries should have
+** a cost of N.  A binary search of a table of N entries should have a
+** cost of approximately log(N).
+*/
+struct sqlite3_index_info {
+  /* Inputs */
+  const int nConstraint;     /* Number of entries in aConstraint */
+  const struct sqlite3_index_constraint {
+     int iColumn;              /* Column on left-hand side of constraint */
+     unsigned char op;         /* Constraint operator */
+     unsigned char usable;     /* True if this constraint is usable */
+     int iTermOffset;          /* Used internally - xBestIndex should ignore */
+  } *const aConstraint;      /* Table of WHERE clause constraints */
+  const int nOrderBy;        /* Number of terms in the ORDER BY clause */
+  const struct sqlite3_index_orderby {
+     int iColumn;              /* Column number */
+     unsigned char desc;       /* True for DESC.  False for ASC. */
+  } *const aOrderBy;         /* The ORDER BY clause */
+
+  /* Outputs */
+  struct sqlite3_index_constraint_usage {
+    int argvIndex;           /* if >0, constraint is part of argv to xFilter */
+    unsigned char omit;      /* Do not code a test for this constraint */
+  } *const aConstraintUsage;
+  int idxNum;                /* Number used to identify the index */
+  char *idxStr;              /* String, possibly obtained from sqlite3_malloc */
+  int needToFreeIdxStr;      /* Free idxStr using sqlite3_free() if true */
+  int orderByConsumed;       /* True if output is already ordered */
+  double estimatedCost;      /* Estimated cost of using this index */
+};
+#define SQLITE_INDEX_CONSTRAINT_EQ    2
+#define SQLITE_INDEX_CONSTRAINT_GT    4
+#define SQLITE_INDEX_CONSTRAINT_LE    8
+#define SQLITE_INDEX_CONSTRAINT_LT    16
+#define SQLITE_INDEX_CONSTRAINT_GE    32
+#define SQLITE_INDEX_CONSTRAINT_MATCH 64
+
+/*
+** This routine is used to register a new module name with an SQLite
+** connection.  Module names must be registered before creating new
+** virtual tables on the module, or before using preexisting virtual
+** tables of the module.
+*/
+int sqlite3_create_module(
+  sqlite3 *db,               /* SQLite connection to register module with */
+  const char *zName,         /* Name of the module */
+  const sqlite3_module *,    /* Methods for the module */
+  void *                     /* Client data for xCreate/xConnect */
+);
+
+/*
+** Every module implementation uses a subclass of the following structure
+** to describe a particular instance of the module.  Each subclass will
+** be taylored to the specific needs of the module implementation.   The
+** purpose of this superclass is to define certain fields that are common
+** to all module implementations.
+**
+** Virtual tables methods can set an error message by assigning a
+** string obtained from sqlite3_mprintf() to zErrMsg.  The method should
+** take care that any prior string is freed by a call to sqlite3_free()
+** prior to assigning a new string to zErrMsg.  After the error message
+** is delivered up to the client application, the string will be automatically
+** freed by sqlite3_free() and the zErrMsg field will be zeroed.  Note
+** that sqlite3_mprintf() and sqlite3_free() are used on the zErrMsg field
+** since virtual tables are commonly implemented in loadable extensions which
+** do not have access to sqlite3MPrintf() or sqlite3Free().
+*/
+struct sqlite3_vtab {
+  const sqlite3_module *pModule;  /* The module for this virtual table */
+  int nRef;                       /* Used internally */
+  char *zErrMsg;                  /* Error message from sqlite3_mprintf() */
+  /* Virtual table implementations will typically add additional fields */
+};
+
+/* Every module implementation uses a subclass of the following structure
+** to describe cursors that point into the virtual table and are used
+** to loop through the virtual table.  Cursors are created using the
+** xOpen method of the module.  Each module implementation will define
+** the content of a cursor structure to suit its own needs.
+**
+** This superclass exists in order to define fields of the cursor that
+** are common to all implementations.
+*/
+struct sqlite3_vtab_cursor {
+  sqlite3_vtab *pVtab;      /* Virtual table of this cursor */
+  /* Virtual table implementations will typically add additional fields */
+};
+
+/*
+** The xCreate and xConnect methods of a module use the following API
+** to declare the format (the names and datatypes of the columns) of
+** the virtual tables they implement.
+*/
+int sqlite3_declare_vtab(sqlite3*, const char *zCreateTable);
+
+/*
+** Virtual tables can provide alternative implementations of functions
+** using the xFindFunction method.  But global versions of those functions
+** must exist in order to be overloaded.
+**
+** This API makes sure a global version of a function with a particular
+** name and number of parameters exists.  If no such function exists
+** before this API is called, a new function is created.  The implementation
+** of the new function always causes an exception to be thrown.  So
+** the new function is not good for anything by itself.  Its only
+** purpose is to be a place-holder function that can be overloaded
+** by virtual tables.
+**
+** This API should be considered part of the virtual table interface,
+** which is experimental and subject to change.
+*/
+int sqlite3_overload_function(sqlite3*, const char *zFuncName, int nArg);
+
+/*
+** The interface to the virtual-table mechanism defined above (back up
+** to a comment remarkably similar to this one) is currently considered
+** to be experimental.  The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stablizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+**
+****** EXPERIMENTAL - subject to change without notice **************
+*/
+
+/*
+** Undo the hack that converts floating point types to integer for
+** builds on processors without floating point support.
+*/
+#ifdef SQLITE_OMIT_FLOATING_POINT
+# undef double
+#endif
+
+#if 0
+}  /* End of the 'extern "C"' block */
+#endif
+#endif
+
+/************** End of sqlite3.h *********************************************/
+/************** Begin file date.c ********************************************/
+/*
+** 2003 October 31
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains the C functions that implement date and time
+** functions for SQLite.  
+**
+** There is only one exported symbol in this file - the function
+** sqlite3RegisterDateTimeFunctions() found at the bottom of the file.
+** All other code has file scope.
+**
+** $Id$
+**
+** NOTES:
+**
+** SQLite processes all times and dates as Julian Day numbers.  The
+** dates and times are stored as the number of days since noon
+** in Greenwich on November 24, 4714 B.C. according to the Gregorian
+** calendar system. 
+**
+** 1970-01-01 00:00:00 is JD 2440587.5
+** 2000-01-01 00:00:00 is JD 2451544.5
+**
+** This implemention requires years to be expressed as a 4-digit number
+** which means that only dates between 0000-01-01 and 9999-12-31 can
+** be represented, even though julian day numbers allow a much wider
+** range of dates.
+**
+** The Gregorian calendar system is used for all dates and times,
+** even those that predate the Gregorian calendar.  Historians usually
+** use the Julian calendar for dates prior to 1582-10-15 and for some
+** dates afterwards, depending on locale.  Beware of this difference.
+**
+** The conversion algorithms are implemented based on descriptions
+** in the following text:
+**
+**      Jean Meeus
+**      Astronomical Algorithms, 2nd Edition, 1998
+**      ISBM 0-943396-61-1
+**      Willmann-Bell, Inc
+**      Richmond, Virginia (USA)
+*/
+/************** Include sqliteInt.h in the middle of date.c ******************/
+/************** Begin file sqliteInt.h ***************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** Internal interface definitions for SQLite.
+**
+** @(#) $Id$
+*/
+#ifndef _SQLITEINT_H_
+#define _SQLITEINT_H_
+
+#if defined(SQLITE_TCL) || defined(TCLSH)
+# include <tcl.h>
+#endif
+
+/*
+** Many people are failing to set -DNDEBUG=1 when compiling SQLite.
+** Setting NDEBUG makes the code smaller and run faster.  So the following
+** lines are added to automatically set NDEBUG unless the -DSQLITE_DEBUG=1
+** option is set.  Thus NDEBUG becomes an opt-in rather than an opt-out
+** feature.
+*/
+#if !defined(NDEBUG) && !defined(SQLITE_DEBUG) 
+# define NDEBUG 1
+#endif
+
+/*
+** These #defines should enable >2GB file support on Posix if the
+** underlying operating system supports it.  If the OS lacks
+** large file support, or if the OS is windows, these should be no-ops.
+**
+** Large file support can be disabled using the -DSQLITE_DISABLE_LFS switch
+** on the compiler command line.  This is necessary if you are compiling
+** on a recent machine (ex: RedHat 7.2) but you want your code to work
+** on an older machine (ex: RedHat 6.0).  If you compile on RedHat 7.2
+** without this option, LFS is enable.  But LFS does not exist in the kernel
+** in RedHat 6.0, so the code won't work.  Hence, for maximum binary
+** portability you should omit LFS.
+**
+** Similar is true for MacOS.  LFS is only supported on MacOS 9 and later.
+*/
+#ifndef SQLITE_DISABLE_LFS
+# define _LARGE_FILE       1
+# ifndef _FILE_OFFSET_BITS
+#   define _FILE_OFFSET_BITS 64
+# endif
+# define _LARGEFILE_SOURCE 1
+#endif
+
+/************** Include hash.h in the middle of sqliteInt.h ******************/
+/************** Begin file hash.h ********************************************/
+/*
+** 2001 September 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This is the header file for the generic hash-table implemenation
+** used in SQLite.
+**
+** $Id$
+*/
+#ifndef _SQLITE_HASH_H_
+#define _SQLITE_HASH_H_
+
+/* Forward declarations of structures. */
+typedef struct Hash Hash;
+typedef struct HashElem HashElem;
+
+/* A complete hash table is an instance of the following structure.
+** The internals of this structure are intended to be opaque -- client
+** code should not attempt to access or modify the fields of this structure
+** directly.  Change this structure only by using the routines below.
+** However, many of the "procedures" and "functions" for modifying and
+** accessing this structure are really macros, so we can't really make
+** this structure opaque.
+*/
+struct Hash {
+  char keyClass;          /* SQLITE_HASH_INT, _POINTER, _STRING, _BINARY */
+  char copyKey;           /* True if copy of key made on insert */
+  int count;              /* Number of entries in this table */
+  HashElem *first;        /* The first element of the array */
+  void *(*xMalloc)(int);  /* malloc() function to use */
+  void (*xFree)(void *);  /* free() function to use */
+  int htsize;             /* Number of buckets in the hash table */
+  struct _ht {            /* the hash table */
+    int count;               /* Number of entries with this hash */
+    HashElem *chain;         /* Pointer to first entry with this hash */
+  } *ht;
+};
+
+/* Each element in the hash table is an instance of the following 
+** structure.  All elements are stored on a single doubly-linked list.
+**
+** Again, this structure is intended to be opaque, but it can't really
+** be opaque because it is used by macros.
+*/
+struct HashElem {
+  HashElem *next, *prev;   /* Next and previous elements in the table */
+  void *data;              /* Data associated with this element */
+  void *pKey; int nKey;    /* Key associated with this element */
+};
+
+/*
+** There are 4 different modes of operation for a hash table:
+**
+**   SQLITE_HASH_INT         nKey is used as the key and pKey is ignored.
+**
+**   SQLITE_HASH_POINTER     pKey is used as the key and nKey is ignored.
+**
+**   SQLITE_HASH_STRING      pKey points to a string that is nKey bytes long
+**                           (including the null-terminator, if any).  Case
+**                           is ignored in comparisons.
+**
+**   SQLITE_HASH_BINARY      pKey points to binary data nKey bytes long. 
+**                           memcmp() is used to compare keys.
+**
+** A copy of the key is made for SQLITE_HASH_STRING and SQLITE_HASH_BINARY
+** if the copyKey parameter to HashInit is 1.  
+*/
+/* #define SQLITE_HASH_INT       1 // NOT USED */
+/* #define SQLITE_HASH_POINTER   2 // NOT USED */
+#define SQLITE_HASH_STRING    3
+#define SQLITE_HASH_BINARY    4
+
+/*
+** Access routines.  To delete, insert a NULL pointer.
+*/
+void sqlite3HashInit(Hash*, int keytype, int copyKey);
+void *sqlite3HashInsert(Hash*, const void *pKey, int nKey, void *pData);
+void *sqlite3HashFind(const Hash*, const void *pKey, int nKey);
+void sqlite3HashClear(Hash*);
+
+/*
+** Macros for looping over all elements of a hash table.  The idiom is
+** like this:
+**
+**   Hash h;
+**   HashElem *p;
+**   ...
+**   for(p=sqliteHashFirst(&h); p; p=sqliteHashNext(p)){
+**     SomeStructure *pData = sqliteHashData(p);
+**     // do something with pData
+**   }
+*/
+#define sqliteHashFirst(H)  ((H)->first)
+#define sqliteHashNext(E)   ((E)->next)
+#define sqliteHashData(E)   ((E)->data)
+#define sqliteHashKey(E)    ((E)->pKey)
+#define sqliteHashKeysize(E) ((E)->nKey)
+
+/*
+** Number of entries in a hash table
+*/
+#define sqliteHashCount(H)  ((H)->count)
+
+#endif /* _SQLITE_HASH_H_ */
+
+/************** End of hash.h ************************************************/
+/************** Continuing where we left off in sqliteInt.h ******************/
+/************** Include parse.h in the middle of sqliteInt.h *****************/
+/************** Begin file parse.h *******************************************/
+#define TK_SEMI                            1
+#define TK_EXPLAIN                         2
+#define TK_QUERY                           3
+#define TK_PLAN                            4
+#define TK_BEGIN                           5
+#define TK_TRANSACTION                     6
+#define TK_DEFERRED                        7
+#define TK_IMMEDIATE                       8
+#define TK_EXCLUSIVE                       9
+#define TK_COMMIT                         10
+#define TK_END                            11
+#define TK_ROLLBACK                       12
+#define TK_CREATE                         13
+#define TK_TABLE                          14
+#define TK_IF                             15
+#define TK_NOT                            16
+#define TK_EXISTS                         17
+#define TK_TEMP                           18
+#define TK_LP                             19
+#define TK_RP                             20
+#define TK_AS                             21
+#define TK_COMMA                          22
+#define TK_ID                             23
+#define TK_ABORT                          24
+#define TK_AFTER                          25
+#define TK_ANALYZE                        26
+#define TK_ASC                            27
+#define TK_ATTACH                         28
+#define TK_BEFORE                         29
+#define TK_CASCADE                        30
+#define TK_CAST                           31
+#define TK_CONFLICT                       32
+#define TK_DATABASE                       33
+#define TK_DESC                           34
+#define TK_DETACH                         35
+#define TK_EACH                           36
+#define TK_FAIL                           37
+#define TK_FOR                            38
+#define TK_IGNORE                         39
+#define TK_INITIALLY                      40
+#define TK_INSTEAD                        41
+#define TK_LIKE_KW                        42
+#define TK_MATCH                          43
+#define TK_KEY                            44
+#define TK_OF                             45
+#define TK_OFFSET                         46
+#define TK_PRAGMA                         47
+#define TK_RAISE                          48
+#define TK_REPLACE                        49
+#define TK_RESTRICT                       50
+#define TK_ROW                            51
+#define TK_TRIGGER                        52
+#define TK_VACUUM                         53
+#define TK_VIEW                           54
+#define TK_VIRTUAL                        55
+#define TK_REINDEX                        56
+#define TK_RENAME                         57
+#define TK_CTIME_KW                       58
+#define TK_ANY                            59
+#define TK_OR                             60
+#define TK_AND                            61
+#define TK_IS                             62
+#define TK_BETWEEN                        63
+#define TK_IN                             64
+#define TK_ISNULL                         65
+#define TK_NOTNULL                        66
+#define TK_NE                             67
+#define TK_EQ                             68
+#define TK_GT                             69
+#define TK_LE                             70
+#define TK_LT                             71
+#define TK_GE                             72
+#define TK_ESCAPE                         73
+#define TK_BITAND                         74
+#define TK_BITOR                          75
+#define TK_LSHIFT                         76
+#define TK_RSHIFT                         77
+#define TK_PLUS                           78
+#define TK_MINUS                          79
+#define TK_STAR                           80
+#define TK_SLASH                          81
+#define TK_REM                            82
+#define TK_CONCAT                         83
+#define TK_COLLATE                        84
+#define TK_UMINUS                         85
+#define TK_UPLUS                          86
+#define TK_BITNOT                         87
+#define TK_STRING                         88
+#define TK_JOIN_KW                        89
+#define TK_CONSTRAINT                     90
+#define TK_DEFAULT                        91
+#define TK_NULL                           92
+#define TK_PRIMARY                        93
+#define TK_UNIQUE                         94
+#define TK_CHECK                          95
+#define TK_REFERENCES                     96
+#define TK_AUTOINCR                       97
+#define TK_ON                             98
+#define TK_DELETE                         99
+#define TK_UPDATE                         100
+#define TK_INSERT                         101
+#define TK_SET                            102
+#define TK_DEFERRABLE                     103
+#define TK_FOREIGN                        104
+#define TK_DROP                           105
+#define TK_UNION                          106
+#define TK_ALL                            107
+#define TK_EXCEPT                         108
+#define TK_INTERSECT                      109
+#define TK_SELECT                         110
+#define TK_DISTINCT                       111
+#define TK_DOT                            112
+#define TK_FROM                           113
+#define TK_JOIN                           114
+#define TK_USING                          115
+#define TK_ORDER                          116
+#define TK_BY                             117
+#define TK_GROUP                          118
+#define TK_HAVING                         119
+#define TK_LIMIT                          120
+#define TK_WHERE                          121
+#define TK_INTO                           122
+#define TK_VALUES                         123
+#define TK_INTEGER                        124
+#define TK_FLOAT                          125
+#define TK_BLOB                           126
+#define TK_REGISTER                       127
+#define TK_VARIABLE                       128
+#define TK_CASE                           129
+#define TK_WHEN                           130
+#define TK_THEN                           131
+#define TK_ELSE                           132
+#define TK_INDEX                          133
+#define TK_ALTER                          134
+#define TK_TO                             135
+#define TK_ADD                            136
+#define TK_COLUMNKW                       137
+#define TK_TO_TEXT                        138
+#define TK_TO_BLOB                        139
+#define TK_TO_NUMERIC                     140
+#define TK_TO_INT                         141
+#define TK_TO_REAL                        142
+#define TK_END_OF_FILE                    143
+#define TK_ILLEGAL                        144
+#define TK_SPACE                          145
+#define TK_UNCLOSED_STRING                146
+#define TK_COMMENT                        147
+#define TK_FUNCTION                       148
+#define TK_COLUMN                         149
+#define TK_AGG_FUNCTION                   150
+#define TK_AGG_COLUMN                     151
+#define TK_CONST_FUNC                     152
+
+/************** End of parse.h ***********************************************/
+/************** Continuing where we left off in sqliteInt.h ******************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <stddef.h>
+
+/*
+** If compiling for a processor that lacks floating point support,
+** substitute integer for floating-point
+*/
+#ifdef SQLITE_OMIT_FLOATING_POINT
+# define double sqlite_int64
+# define LONGDOUBLE_TYPE sqlite_int64
+# ifndef SQLITE_BIG_DBL
+#   define SQLITE_BIG_DBL (0x7fffffffffffffff)
+# endif
+# define SQLITE_OMIT_DATETIME_FUNCS 1
+# define SQLITE_OMIT_TRACE 1
+#endif
+#ifndef SQLITE_BIG_DBL
+# define SQLITE_BIG_DBL (1e99)
+#endif
+
+/*
+** The maximum number of in-memory pages to use for the main database
+** table and for temporary tables. Internally, the MAX_PAGES and 
+** TEMP_PAGES macros are used. To override the default values at
+** compilation time, the SQLITE_DEFAULT_CACHE_SIZE and 
+** SQLITE_DEFAULT_TEMP_CACHE_SIZE macros should be set.
+*/
+#ifdef SQLITE_DEFAULT_CACHE_SIZE
+# define MAX_PAGES SQLITE_DEFAULT_CACHE_SIZE
+#else
+# define MAX_PAGES   2000
+#endif
+#ifdef SQLITE_DEFAULT_TEMP_CACHE_SIZE
+# define TEMP_PAGES SQLITE_DEFAULT_TEMP_CACHE_SIZE
+#else
+# define TEMP_PAGES   500
+#endif
+
+/*
+** OMIT_TEMPDB is set to 1 if SQLITE_OMIT_TEMPDB is defined, or 0
+** afterward. Having this macro allows us to cause the C compiler 
+** to omit code used by TEMP tables without messy #ifndef statements.
+*/
+#ifdef SQLITE_OMIT_TEMPDB
+#define OMIT_TEMPDB 1
+#else
+#define OMIT_TEMPDB 0
+#endif
+
+/*
+** If the following macro is set to 1, then NULL values are considered
+** distinct when determining whether or not two entries are the same
+** in a UNIQUE index.  This is the way PostgreSQL, Oracle, DB2, MySQL,
+** OCELOT, and Firebird all work.  The SQL92 spec explicitly says this
+** is the way things are suppose to work.
+**
+** If the following macro is set to 0, the NULLs are indistinct for
+** a UNIQUE index.  In this mode, you can only have a single NULL entry
+** for a column declared UNIQUE.  This is the way Informix and SQL Server
+** work.
+*/
+#define NULL_DISTINCT_FOR_UNIQUE 1
+
+/*
+** The maximum number of attached databases.  This must be at least 2
+** in order to support the main database file (0) and the file used to
+** hold temporary tables (1).  And it must be less than 32 because
+** we use a bitmask of databases with a u32 in places (for example
+** the Parse.cookieMask field).
+*/
+#define MAX_ATTACHED 10
+
+/*
+** The maximum value of a ?nnn wildcard that the parser will accept.
+*/
+#define SQLITE_MAX_VARIABLE_NUMBER 999
+
+/*
+** The "file format" number is an integer that is incremented whenever
+** the VDBE-level file format changes.  The following macros define the
+** the default file format for new databases and the maximum file format
+** that the library can read.
+*/
+#define SQLITE_MAX_FILE_FORMAT 4
+#ifndef SQLITE_DEFAULT_FILE_FORMAT
+# define SQLITE_DEFAULT_FILE_FORMAT 1
+#endif
+
+/*
+** Provide a default value for TEMP_STORE in case it is not specified
+** on the command-line
+*/
+#ifndef TEMP_STORE
+# define TEMP_STORE 1
+#endif
+
+/*
+** GCC does not define the offsetof() macro so we'll have to do it
+** ourselves.
+*/
+#ifndef offsetof
+#define offsetof(STRUCTURE,FIELD) ((int)((char*)&((STRUCTURE*)0)->FIELD))
+#endif
+
+/*
+** Check to see if this machine uses EBCDIC.  (Yes, believe it or
+** not, there are still machines out there that use EBCDIC.)
+*/
+#if 'A' == '\301'
+# define SQLITE_EBCDIC 1
+#else
+# define SQLITE_ASCII 1
+#endif
+
+/*
+** Integers of known sizes.  These typedefs might change for architectures
+** where the sizes very.  Preprocessor macros are available so that the
+** types can be conveniently redefined at compile-type.  Like this:
+**
+**         cc '-DUINTPTR_TYPE=long long int' ...
+*/
+#ifndef UINT32_TYPE
+# define UINT32_TYPE unsigned int
+#endif
+#ifndef UINT16_TYPE
+# define UINT16_TYPE unsigned short int
+#endif
+#ifndef INT16_TYPE
+# define INT16_TYPE short int
+#endif
+#ifndef UINT8_TYPE
+# define UINT8_TYPE unsigned char
+#endif
+#ifndef INT8_TYPE
+# define INT8_TYPE signed char
+#endif
+#ifndef LONGDOUBLE_TYPE
+# define LONGDOUBLE_TYPE long double
+#endif
+typedef sqlite_int64 i64;          /* 8-byte signed integer */
+typedef sqlite_uint64 u64;         /* 8-byte unsigned integer */
+typedef UINT32_TYPE u32;           /* 4-byte unsigned integer */
+typedef UINT16_TYPE u16;           /* 2-byte unsigned integer */
+typedef INT16_TYPE i16;            /* 2-byte signed integer */
+typedef UINT8_TYPE u8;             /* 1-byte unsigned integer */
+typedef UINT8_TYPE i8;             /* 1-byte signed integer */
+
+/*
+** Macros to determine whether the machine is big or little endian,
+** evaluated at runtime.
+*/
+extern const int sqlite3one;
+#if defined(i386) || defined(__i386__) || defined(_M_IX86)
+# define SQLITE_BIGENDIAN    0
+# define SQLITE_LITTLEENDIAN 1
+# define SQLITE_UTF16NATIVE  SQLITE_UTF16LE
+#else
+# define SQLITE_BIGENDIAN    (*(char *)(&sqlite3one)==0)
+# define SQLITE_LITTLEENDIAN (*(char *)(&sqlite3one)==1)
+# define SQLITE_UTF16NATIVE (SQLITE_BIGENDIAN?SQLITE_UTF16BE:SQLITE_UTF16LE)
+#endif
+
+/*
+** An instance of the following structure is used to store the busy-handler
+** callback for a given sqlite handle. 
+**
+** The sqlite.busyHandler member of the sqlite struct contains the busy
+** callback for the database handle. Each pager opened via the sqlite
+** handle is passed a pointer to sqlite.busyHandler. The busy-handler
+** callback is currently invoked only from within pager.c.
+*/
+typedef struct BusyHandler BusyHandler;
+struct BusyHandler {
+  int (*xFunc)(void *,int);  /* The busy callback */
+  void *pArg;                /* First arg to busy callback */
+  int nBusy;                 /* Incremented with each busy call */
+};
+
+/*
+** Defer sourcing vdbe.h and btree.h until after the "u8" and 
+** "BusyHandler typedefs.
+*/
+/************** Include vdbe.h in the middle of sqliteInt.h ******************/
+/************** Begin file vdbe.h ********************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** Header file for the Virtual DataBase Engine (VDBE)
+**
+** This header defines the interface to the virtual database engine
+** or VDBE.  The VDBE implements an abstract machine that runs a
+** simple program to access and modify the underlying database.
+**
+** $Id$
+*/
+#ifndef _SQLITE_VDBE_H_
+#define _SQLITE_VDBE_H_
+
+/*
+** A single VDBE is an opaque structure named "Vdbe".  Only routines
+** in the source file sqliteVdbe.c are allowed to see the insides
+** of this structure.
+*/
+typedef struct Vdbe Vdbe;
+
+/*
+** A single instruction of the virtual machine has an opcode
+** and as many as three operands.  The instruction is recorded
+** as an instance of the following structure:
+*/
+struct VdbeOp {
+  u8 opcode;          /* What operation to perform */
+  int p1;             /* First operand */
+  int p2;             /* Second parameter (often the jump destination) */
+  char *p3;           /* Third parameter */
+  int p3type;         /* One of the P3_xxx constants defined below */
+#ifdef VDBE_PROFILE
+  int cnt;            /* Number of times this instruction was executed */
+  long long cycles;   /* Total time spend executing this instruction */
+#endif
+};
+typedef struct VdbeOp VdbeOp;
+
+/*
+** A smaller version of VdbeOp used for the VdbeAddOpList() function because
+** it takes up less space.
+*/
+struct VdbeOpList {
+  u8 opcode;          /* What operation to perform */
+  signed char p1;     /* First operand */
+  short int p2;       /* Second parameter (often the jump destination) */
+  char *p3;           /* Third parameter */
+};
+typedef struct VdbeOpList VdbeOpList;
+
+/*
+** Allowed values of VdbeOp.p3type
+*/
+#define P3_NOTUSED    0   /* The P3 parameter is not used */
+#define P3_DYNAMIC  (-1)  /* Pointer to a string obtained from sqliteMalloc() */
+#define P3_STATIC   (-2)  /* Pointer to a static string */
+#define P3_COLLSEQ  (-4)  /* P3 is a pointer to a CollSeq structure */
+#define P3_FUNCDEF  (-5)  /* P3 is a pointer to a FuncDef structure */
+#define P3_KEYINFO  (-6)  /* P3 is a pointer to a KeyInfo structure */
+#define P3_VDBEFUNC (-7)  /* P3 is a pointer to a VdbeFunc structure */
+#define P3_MEM      (-8)  /* P3 is a pointer to a Mem*    structure */
+#define P3_TRANSIENT (-9) /* P3 is a pointer to a transient string */
+#define P3_VTAB     (-10) /* P3 is a pointer to an sqlite3_vtab structure */
+#define P3_MPRINTF  (-11) /* P3 is a string obtained from sqlite3_mprintf() */
+
+/* When adding a P3 argument using P3_KEYINFO, a copy of the KeyInfo structure
+** is made.  That copy is freed when the Vdbe is finalized.  But if the
+** argument is P3_KEYINFO_HANDOFF, the passed in pointer is used.  It still
+** gets freed when the Vdbe is finalized so it still should be obtained
+** from a single sqliteMalloc().  But no copy is made and the calling
+** function should *not* try to free the KeyInfo.
+*/
+#define P3_KEYINFO_HANDOFF (-9)
+
+/*
+** The Vdbe.aColName array contains 5n Mem structures, where n is the 
+** number of columns of data returned by the statement.
+*/
+#define COLNAME_NAME     0
+#define COLNAME_DECLTYPE 1
+#define COLNAME_DATABASE 2
+#define COLNAME_TABLE    3
+#define COLNAME_COLUMN   4
+#define COLNAME_N        5      /* Number of COLNAME_xxx symbols */
+
+/*
+** The following macro converts a relative address in the p2 field
+** of a VdbeOp structure into a negative number so that 
+** sqlite3VdbeAddOpList() knows that the address is relative.  Calling
+** the macro again restores the address.
+*/
+#define ADDR(X)  (-1-(X))
+
+/*
+** The makefile scans the vdbe.c source file and creates the "opcodes.h"
+** header file that defines a number for each opcode used by the VDBE.
+*/
+/************** Include opcodes.h in the middle of vdbe.h ********************/
+/************** Begin file opcodes.h *****************************************/
+/* Automatically generated.  Do not edit */
+/* See the mkopcodeh.awk script for details */
+#define OP_MemLoad                              1
+#define OP_VNext                                2
+#define OP_HexBlob                            126   /* same as TK_BLOB     */
+#define OP_Column                               3
+#define OP_SetCookie                            4
+#define OP_IfMemPos                             5
+#define OP_Real                               125   /* same as TK_FLOAT    */
+#define OP_Sequence                             6
+#define OP_MoveGt                               7
+#define OP_Ge                                  72   /* same as TK_GE       */
+#define OP_RowKey                               8
+#define OP_Eq                                  68   /* same as TK_EQ       */
+#define OP_OpenWrite                            9
+#define OP_NotNull                             66   /* same as TK_NOTNULL  */
+#define OP_If                                  10
+#define OP_ToInt                              141   /* same as TK_TO_INT   */
+#define OP_String8                             88   /* same as TK_STRING   */
+#define OP_Pop                                 11
+#define OP_VRowid                              12
+#define OP_CollSeq                             13
+#define OP_OpenRead                            14
+#define OP_Expire                              15
+#define OP_AutoCommit                          17
+#define OP_Gt                                  69   /* same as TK_GT       */
+#define OP_IntegrityCk                         18
+#define OP_Sort                                19
+#define OP_Function                            20
+#define OP_And                                 61   /* same as TK_AND      */
+#define OP_Subtract                            79   /* same as TK_MINUS    */
+#define OP_Noop                                21
+#define OP_Return                              22
+#define OP_Remainder                           82   /* same as TK_REM      */
+#define OP_NewRowid                            23
+#define OP_Multiply                            80   /* same as TK_STAR     */
+#define OP_IfMemNeg                            24
+#define OP_Variable                            25
+#define OP_String                              26
+#define OP_RealAffinity                        27
+#define OP_ParseSchema                         28
+#define OP_VOpen                               29
+#define OP_Close                               30
+#define OP_CreateIndex                         31
+#define OP_IsUnique                            32
+#define OP_NotFound                            33
+#define OP_Int64                               34
+#define OP_MustBeInt                           35
+#define OP_Halt                                36
+#define OP_Rowid                               37
+#define OP_IdxLT                               38
+#define OP_AddImm                              39
+#define OP_Statement                           40
+#define OP_RowData                             41
+#define OP_MemMax                              42
+#define OP_Push                                43
+#define OP_Or                                  60   /* same as TK_OR       */
+#define OP_NotExists                           44
+#define OP_MemIncr                             45
+#define OP_Gosub                               46
+#define OP_Divide                              81   /* same as TK_SLASH    */
+#define OP_Integer                             47
+#define OP_ToNumeric                          140   /* same as TK_TO_NUMERIC*/
+#define OP_MemInt                              48
+#define OP_Prev                                49
+#define OP_Concat                              83   /* same as TK_CONCAT   */
+#define OP_BitAnd                              74   /* same as TK_BITAND   */
+#define OP_VColumn                             50
+#define OP_CreateTable                         51
+#define OP_Last                                52
+#define OP_IsNull                              65   /* same as TK_ISNULL   */
+#define OP_IdxRowid                            53
+#define OP_MakeIdxRec                          54
+#define OP_ShiftRight                          77   /* same as TK_RSHIFT   */
+#define OP_ResetCount                          55
+#define OP_FifoWrite                           56
+#define OP_Callback                            57
+#define OP_ContextPush                         58
+#define OP_DropTrigger                         59
+#define OP_DropIndex                           62
+#define OP_IdxGE                               63
+#define OP_IdxDelete                           64
+#define OP_Vacuum                              73
+#define OP_MoveLe                              84
+#define OP_IfNot                               86
+#define OP_DropTable                           89
+#define OP_MakeRecord                          90
+#define OP_ToBlob                             139   /* same as TK_TO_BLOB  */
+#define OP_Delete                              91
+#define OP_AggFinal                            92
+#define OP_ShiftLeft                           76   /* same as TK_LSHIFT   */
+#define OP_Dup                                 93
+#define OP_Goto                                94
+#define OP_TableLock                           95
+#define OP_FifoRead                            96
+#define OP_Clear                               97
+#define OP_IdxGT                               98
+#define OP_MoveLt                              99
+#define OP_Le                                  70   /* same as TK_LE       */
+#define OP_VerifyCookie                       100
+#define OP_AggStep                            101
+#define OP_Pull                               102
+#define OP_ToText                             138   /* same as TK_TO_TEXT  */
+#define OP_Not                                 16   /* same as TK_NOT      */
+#define OP_ToReal                             142   /* same as TK_TO_REAL  */
+#define OP_SetNumColumns                      103
+#define OP_AbsValue                           104
+#define OP_Transaction                        105
+#define OP_VFilter                            106
+#define OP_Negative                            85   /* same as TK_UMINUS   */
+#define OP_Ne                                  67   /* same as TK_NE       */
+#define OP_VDestroy                           107
+#define OP_ContextPop                         108
+#define OP_BitOr                               75   /* same as TK_BITOR    */
+#define OP_Next                               109
+#define OP_IdxInsert                          110
+#define OP_Distinct                           111
+#define OP_Lt                                  71   /* same as TK_LT       */
+#define OP_Insert                             112
+#define OP_Destroy                            113
+#define OP_ReadCookie                         114
+#define OP_ForceInt                           115
+#define OP_LoadAnalysis                       116
+#define OP_Explain                            117
+#define OP_IfMemZero                          118
+#define OP_OpenPseudo                         119
+#define OP_OpenEphemeral                      120
+#define OP_Null                               121
+#define OP_Blob                               122
+#define OP_Add                                 78   /* same as TK_PLUS     */
+#define OP_MemStore                           123
+#define OP_Rewind                             124
+#define OP_MoveGe                             127
+#define OP_VBegin                             128
+#define OP_VUpdate                            129
+#define OP_BitNot                              87   /* same as TK_BITNOT   */
+#define OP_VCreate                            130
+#define OP_MemMove                            131
+#define OP_MemNull                            132
+#define OP_Found                              133
+#define OP_NullRow                            134
+
+/* The following opcode values are never used */
+#define OP_NotUsed_135                        135
+#define OP_NotUsed_136                        136
+#define OP_NotUsed_137                        137
+
+/* Opcodes that are guaranteed to never push a value onto the stack
+** contain a 1 their corresponding position of the following mask
+** set.  See the opcodeNoPush() function in vdbeaux.c  */
+#define NOPUSH_MASK_0 0xeeb4
+#define NOPUSH_MASK_1 0x796b
+#define NOPUSH_MASK_2 0x7ddb
+#define NOPUSH_MASK_3 0xff92
+#define NOPUSH_MASK_4 0xffff
+#define NOPUSH_MASK_5 0xdaf7
+#define NOPUSH_MASK_6 0xfefe
+#define NOPUSH_MASK_7 0x99d9
+#define NOPUSH_MASK_8 0x7c67
+#define NOPUSH_MASK_9 0x0000
+
+/************** End of opcodes.h *********************************************/
+/************** Continuing where we left off in vdbe.h ***********************/
+
+/*
+** Prototypes for the VDBE interface.  See comments on the implementation
+** for a description of what each of these routines does.
+*/
+Vdbe *sqlite3VdbeCreate(sqlite3*);
+void sqlite3VdbeCreateCallback(Vdbe*, int*);
+int sqlite3VdbeAddOp(Vdbe*,int,int,int);
+int sqlite3VdbeOp3(Vdbe*,int,int,int,const char *zP3,int);
+int sqlite3VdbeAddOpList(Vdbe*, int nOp, VdbeOpList const *aOp);
+void sqlite3VdbeChangeP1(Vdbe*, int addr, int P1);
+void sqlite3VdbeChangeP2(Vdbe*, int addr, int P2);
+void sqlite3VdbeJumpHere(Vdbe*, int addr);
+void sqlite3VdbeChangeToNoop(Vdbe*, int addr, int N);
+void sqlite3VdbeChangeP3(Vdbe*, int addr, const char *zP1, int N);
+VdbeOp *sqlite3VdbeGetOp(Vdbe*, int);
+int sqlite3VdbeMakeLabel(Vdbe*);
+void sqlite3VdbeDelete(Vdbe*);
+void sqlite3VdbeMakeReady(Vdbe*,int,int,int,int);
+int sqlite3VdbeFinalize(Vdbe*);
+void sqlite3VdbeResolveLabel(Vdbe*, int);
+int sqlite3VdbeCurrentAddr(Vdbe*);
+void sqlite3VdbeTrace(Vdbe*,FILE*);
+void sqlite3VdbeResetStepResult(Vdbe*);
+int sqlite3VdbeReset(Vdbe*);
+int sqliteVdbeSetVariables(Vdbe*,int,const char**);
+void sqlite3VdbeSetNumCols(Vdbe*,int);
+int sqlite3VdbeSetColName(Vdbe*, int, int, const char *, int);
+void sqlite3VdbeCountChanges(Vdbe*);
+sqlite3 *sqlite3VdbeDb(Vdbe*);
+void sqlite3VdbeSetSql(Vdbe*, const char *z, int n);
+const char *sqlite3VdbeGetSql(Vdbe*);
+void sqlite3VdbeSwap(Vdbe*,Vdbe*);
+
+#ifndef NDEBUG
+  void sqlite3VdbeComment(Vdbe*, const char*, ...);
+# define VdbeComment(X)  sqlite3VdbeComment X
+#else
+# define VdbeComment(X)
+#endif
+
+#endif
+
+/************** End of vdbe.h ************************************************/
+/************** Continuing where we left off in sqliteInt.h ******************/
+/************** Include btree.h in the middle of sqliteInt.h *****************/
+/************** Begin file btree.h *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This header file defines the interface that the sqlite B-Tree file
+** subsystem.  See comments in the source code for a detailed description
+** of what each interface routine does.
+**
+** @(#) $Id$
+*/
+#ifndef _BTREE_H_
+#define _BTREE_H_
+
+/* TODO: This definition is just included so other modules compile. It
+** needs to be revisited.
+*/
+#define SQLITE_N_BTREE_META 10
+
+/*
+** If defined as non-zero, auto-vacuum is enabled by default. Otherwise
+** it must be turned on for each database using "PRAGMA auto_vacuum = 1".
+*/
+#ifndef SQLITE_DEFAULT_AUTOVACUUM
+  #define SQLITE_DEFAULT_AUTOVACUUM 0
+#endif
+
+/*
+** Forward declarations of structure
+*/
+typedef struct Btree Btree;
+typedef struct BtCursor BtCursor;
+typedef struct BtShared BtShared;
+
+
+int sqlite3BtreeOpen(
+  const char *zFilename,   /* Name of database file to open */
+  sqlite3 *db,             /* Associated database connection */
+  Btree **,                /* Return open Btree* here */
+  int flags                /* Flags */
+);
+
+/* The flags parameter to sqlite3BtreeOpen can be the bitwise or of the
+** following values.
+**
+** NOTE:  These values must match the corresponding PAGER_ values in
+** pager.h.
+*/
+#define BTREE_OMIT_JOURNAL  1  /* Do not use journal.  No argument */
+#define BTREE_NO_READLOCK   2  /* Omit readlocks on readonly files */
+#define BTREE_MEMORY        4  /* In-memory DB.  No argument */
+
+int sqlite3BtreeClose(Btree*);
+int sqlite3BtreeSetBusyHandler(Btree*,BusyHandler*);
+int sqlite3BtreeSetCacheSize(Btree*,int);
+int sqlite3BtreeSetSafetyLevel(Btree*,int,int);
+int sqlite3BtreeSyncDisabled(Btree*);
+int sqlite3BtreeSetPageSize(Btree*,int,int);
+int sqlite3BtreeGetPageSize(Btree*);
+int sqlite3BtreeGetReserve(Btree*);
+int sqlite3BtreeSetAutoVacuum(Btree *, int);
+int sqlite3BtreeGetAutoVacuum(Btree *);
+int sqlite3BtreeBeginTrans(Btree*,int);
+int sqlite3BtreeCommitPhaseOne(Btree*, const char *zMaster);
+int sqlite3BtreeCommitPhaseTwo(Btree*);
+int sqlite3BtreeCommit(Btree*);
+int sqlite3BtreeRollback(Btree*);
+int sqlite3BtreeBeginStmt(Btree*);
+int sqlite3BtreeCommitStmt(Btree*);
+int sqlite3BtreeRollbackStmt(Btree*);
+int sqlite3BtreeCreateTable(Btree*, int*, int flags);
+int sqlite3BtreeIsInTrans(Btree*);
+int sqlite3BtreeIsInStmt(Btree*);
+int sqlite3BtreeIsInReadTrans(Btree*);
+void *sqlite3BtreeSchema(Btree *, int, void(*)(void *));
+int sqlite3BtreeSchemaLocked(Btree *);
+int sqlite3BtreeLockTable(Btree *, int, u8);
+
+const char *sqlite3BtreeGetFilename(Btree *);
+const char *sqlite3BtreeGetDirname(Btree *);
+const char *sqlite3BtreeGetJournalname(Btree *);
+int sqlite3BtreeCopyFile(Btree *, Btree *);
+
+/* The flags parameter to sqlite3BtreeCreateTable can be the bitwise OR
+** of the following flags:
+*/
+#define BTREE_INTKEY     1    /* Table has only 64-bit signed integer keys */
+#define BTREE_ZERODATA   2    /* Table has keys only - no data */
+#define BTREE_LEAFDATA   4    /* Data stored in leaves only.  Implies INTKEY */
+
+int sqlite3BtreeDropTable(Btree*, int, int*);
+int sqlite3BtreeClearTable(Btree*, int);
+int sqlite3BtreeGetMeta(Btree*, int idx, u32 *pValue);
+int sqlite3BtreeUpdateMeta(Btree*, int idx, u32 value);
+
+int sqlite3BtreeCursor(
+  Btree*,                              /* BTree containing table to open */
+  int iTable,                          /* Index of root page */
+  int wrFlag,                          /* 1 for writing.  0 for read-only */
+  int(*)(void*,int,const void*,int,const void*),  /* Key comparison function */
+  void*,                               /* First argument to compare function */
+  BtCursor **ppCursor                  /* Returned cursor */
+);
+
+void sqlite3BtreeSetCompare(
+  BtCursor *,
+  int(*)(void*,int,const void*,int,const void*),
+  void*
+);
+
+int sqlite3BtreeCloseCursor(BtCursor*);
+int sqlite3BtreeMoveto(BtCursor*,const void *pKey,i64 nKey,int bias,int *pRes);
+int sqlite3BtreeDelete(BtCursor*);
+int sqlite3BtreeInsert(BtCursor*, const void *pKey, i64 nKey,
+                                  const void *pData, int nData, int bias);
+int sqlite3BtreeFirst(BtCursor*, int *pRes);
+int sqlite3BtreeLast(BtCursor*, int *pRes);
+int sqlite3BtreeNext(BtCursor*, int *pRes);
+int sqlite3BtreeEof(BtCursor*);
+int sqlite3BtreeFlags(BtCursor*);
+int sqlite3BtreePrevious(BtCursor*, int *pRes);
+int sqlite3BtreeKeySize(BtCursor*, i64 *pSize);
+int sqlite3BtreeKey(BtCursor*, u32 offset, u32 amt, void*);
+const void *sqlite3BtreeKeyFetch(BtCursor*, int *pAmt);
+const void *sqlite3BtreeDataFetch(BtCursor*, int *pAmt);
+int sqlite3BtreeDataSize(BtCursor*, u32 *pSize);
+int sqlite3BtreeData(BtCursor*, u32 offset, u32 amt, void*);
+
+char *sqlite3BtreeIntegrityCheck(Btree*, int *aRoot, int nRoot, int, int*);
+struct Pager *sqlite3BtreePager(Btree*);
+
+
+#ifdef SQLITE_TEST
+int sqlite3BtreeCursorInfo(BtCursor*, int*, int);
+void sqlite3BtreeCursorList(Btree*);
+#endif
+
+#ifdef SQLITE_DEBUG
+int sqlite3BtreePageDump(Btree*, int, int recursive);
+#else
+#define sqlite3BtreePageDump(X,Y,Z) SQLITE_OK
+#endif
+
+#endif /* _BTREE_H_ */
+
+/************** End of btree.h ***********************************************/
+/************** Continuing where we left off in sqliteInt.h ******************/
+/************** Include pager.h in the middle of sqliteInt.h *****************/
+/************** Begin file pager.h *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This header file defines the interface that the sqlite page cache
+** subsystem.  The page cache subsystem reads and writes a file a page
+** at a time and provides a journal for rollback.
+**
+** @(#) $Id$
+*/
+
+#ifndef _PAGER_H_
+#define _PAGER_H_
+
+/*
+** The default size of a database page.
+*/
+#ifndef SQLITE_DEFAULT_PAGE_SIZE
+# define SQLITE_DEFAULT_PAGE_SIZE 1024
+#endif
+
+/* Maximum page size.  The upper bound on this value is 32768.  This a limit
+** imposed by necessity of storing the value in a 2-byte unsigned integer
+** and the fact that the page size must be a power of 2.
+**
+** This value is used to initialize certain arrays on the stack at
+** various places in the code.  On embedded machines where stack space
+** is limited and the flexibility of having large pages is not needed,
+** it makes good sense to reduce the maximum page size to something more
+** reasonable, like 1024.
+*/
+#ifndef SQLITE_MAX_PAGE_SIZE
+# define SQLITE_MAX_PAGE_SIZE 32768
+#endif
+
+/*
+** Maximum number of pages in one database.
+*/
+#define SQLITE_MAX_PAGE 1073741823
+
+/*
+** The type used to represent a page number.  The first page in a file
+** is called page 1.  0 is used to represent "not a page".
+*/
+typedef unsigned int Pgno;
+
+/*
+** Each open file is managed by a separate instance of the "Pager" structure.
+*/
+typedef struct Pager Pager;
+
+/*
+** Handle type for pages.
+*/
+typedef struct PgHdr DbPage;
+
+/*
+** Allowed values for the flags parameter to sqlite3PagerOpen().
+**
+** NOTE: This values must match the corresponding BTREE_ values in btree.h.
+*/
+#define PAGER_OMIT_JOURNAL  0x0001    /* Do not use a rollback journal */
+#define PAGER_NO_READLOCK   0x0002    /* Omit readlocks on readonly files */
+
+/*
+** Valid values for the second argument to sqlite3PagerLockingMode().
+*/
+#define PAGER_LOCKINGMODE_QUERY      -1
+#define PAGER_LOCKINGMODE_NORMAL      0
+#define PAGER_LOCKINGMODE_EXCLUSIVE   1
+
+/*
+** See source code comments for a detailed description of the following
+** routines:
+*/
+int sqlite3PagerOpen(Pager **ppPager, const char *zFilename,
+                     int nExtra, int flags);
+void sqlite3PagerSetBusyhandler(Pager*, BusyHandler *pBusyHandler);
+void sqlite3PagerSetDestructor(Pager*, void(*)(DbPage*,int));
+void sqlite3PagerSetReiniter(Pager*, void(*)(DbPage*,int));
+int sqlite3PagerSetPagesize(Pager*, int);
+int sqlite3PagerReadFileheader(Pager*, int, unsigned char*);
+void sqlite3PagerSetCachesize(Pager*, int);
+int sqlite3PagerClose(Pager *pPager);
+int sqlite3PagerAcquire(Pager *pPager, Pgno pgno, DbPage **ppPage, int clrFlag);
+#define sqlite3PagerGet(A,B,C) sqlite3PagerAcquire(A,B,C,0)
+DbPage *sqlite3PagerLookup(Pager *pPager, Pgno pgno);
+int sqlite3PagerRef(DbPage*);
+int sqlite3PagerUnref(DbPage*);
+Pgno sqlite3PagerPagenumber(DbPage*);
+int sqlite3PagerWrite(DbPage*);
+int sqlite3PagerIswriteable(DbPage*);
+int sqlite3PagerOverwrite(Pager *pPager, Pgno pgno, void*);
+int sqlite3PagerPagecount(Pager*);
+int sqlite3PagerTruncate(Pager*,Pgno);
+int sqlite3PagerBegin(DbPage*, int exFlag);
+int sqlite3PagerCommitPhaseOne(Pager*,const char *zMaster, Pgno);
+int sqlite3PagerCommitPhaseTwo(Pager*);
+int sqlite3PagerRollback(Pager*);
+int sqlite3PagerIsreadonly(Pager*);
+int sqlite3PagerStmtBegin(Pager*);
+int sqlite3PagerStmtCommit(Pager*);
+int sqlite3PagerStmtRollback(Pager*);
+void sqlite3PagerDontRollback(DbPage*);
+void sqlite3PagerDontWrite(DbPage*);
+int sqlite3PagerRefcount(Pager*);
+int *sqlite3PagerStats(Pager*);
+void sqlite3PagerSetSafetyLevel(Pager*,int,int);
+const char *sqlite3PagerFilename(Pager*);
+const char *sqlite3PagerDirname(Pager*);
+const char *sqlite3PagerJournalname(Pager*);
+int sqlite3PagerNosync(Pager*);
+int sqlite3PagerRename(Pager*, const char *zNewName);
+void sqlite3PagerSetCodec(Pager*,void*(*)(void*,void*,Pgno,int),void*);
+int sqlite3PagerMovepage(Pager*,DbPage*,Pgno);
+int sqlite3PagerReset(Pager*);
+int sqlite3PagerReleaseMemory(int);
+
+void *sqlite3PagerGetData(DbPage *); 
+void *sqlite3PagerGetExtra(DbPage *); 
+int sqlite3PagerLockingMode(Pager *, int);
+
+#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST)
+int sqlite3PagerLockstate(Pager*);
+#endif
+
+#ifdef SQLITE_TEST
+void sqlite3PagerRefdump(Pager*);
+int pager3_refinfo_enable;
+#endif
+
+#ifdef SQLITE_TEST
+void disable_simulated_io_errors(void);
+void enable_simulated_io_errors(void);
+#else
+# define disable_simulated_io_errors()
+# define enable_simulated_io_errors()
+#endif
+
+#endif /* _PAGER_H_ */
+
+/************** End of pager.h ***********************************************/
+/************** Continuing where we left off in sqliteInt.h ******************/
+
+#ifdef SQLITE_MEMDEBUG
+/*
+** The following global variables are used for testing and debugging
+** only.  They only work if SQLITE_MEMDEBUG is defined.
+*/
+extern int sqlite3_nMalloc;      /* Number of sqliteMalloc() calls */
+extern int sqlite3_nFree;        /* Number of sqliteFree() calls */
+extern int sqlite3_iMallocFail;  /* Fail sqliteMalloc() after this many calls */
+extern int sqlite3_iMallocReset; /* Set iMallocFail to this when it reaches 0 */
+
+extern void *sqlite3_pFirst;         /* Pointer to linked list of allocations */
+extern int sqlite3_nMaxAlloc;        /* High water mark of ThreadData.nAlloc */
+extern int sqlite3_mallocDisallowed; /* assert() in sqlite3Malloc() if set */
+extern int sqlite3_isFail;           /* True if all malloc calls should fail */
+extern const char *sqlite3_zFile;    /* Filename to associate debug info with */
+extern int sqlite3_iLine;            /* Line number for debug info */
+
+#define ENTER_MALLOC (sqlite3_zFile = __FILE__, sqlite3_iLine = __LINE__)
+#define sqliteMalloc(x)          (ENTER_MALLOC, sqlite3Malloc(x,1))
+#define sqliteMallocRaw(x)       (ENTER_MALLOC, sqlite3MallocRaw(x,1))
+#define sqliteRealloc(x,y)       (ENTER_MALLOC, sqlite3Realloc(x,y))
+#define sqliteStrDup(x)          (ENTER_MALLOC, sqlite3StrDup(x))
+#define sqliteStrNDup(x,y)       (ENTER_MALLOC, sqlite3StrNDup(x,y))
+#define sqliteReallocOrFree(x,y) (ENTER_MALLOC, sqlite3ReallocOrFree(x,y))
+
+#else
+
+#define ENTER_MALLOC 0
+#define sqliteMalloc(x)          sqlite3Malloc(x,1)
+#define sqliteMallocRaw(x)       sqlite3MallocRaw(x,1)
+#define sqliteRealloc(x,y)       sqlite3Realloc(x,y)
+#define sqliteStrDup(x)          sqlite3StrDup(x)
+#define sqliteStrNDup(x,y)       sqlite3StrNDup(x,y)
+#define sqliteReallocOrFree(x,y) sqlite3ReallocOrFree(x,y)
+
+#endif
+
+#define sqliteFree(x)          sqlite3FreeX(x)
+#define sqliteAllocSize(x)     sqlite3AllocSize(x)
+
+
+/*
+** An instance of this structure might be allocated to store information
+** specific to a single thread.
+*/
+struct ThreadData {
+  int dummy;               /* So that this structure is never empty */
+
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  int nSoftHeapLimit;      /* Suggested max mem allocation.  No limit if <0 */
+  int nAlloc;              /* Number of bytes currently allocated */
+  Pager *pPager;           /* Linked list of all pagers in this thread */
+#endif
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  u8 useSharedData;        /* True if shared pagers and schemas are enabled */
+  BtShared *pBtree;        /* Linked list of all currently open BTrees */
+#endif
+};
+
+/*
+** Name of the master database table.  The master database table
+** is a special table that holds the names and attributes of all
+** user tables and indices.
+*/
+#define MASTER_NAME       "sqlite_master"
+#define TEMP_MASTER_NAME  "sqlite_temp_master"
+
+/*
+** The root-page of the master database table.
+*/
+#define MASTER_ROOT       1
+
+/*
+** The name of the schema table.
+*/
+#define SCHEMA_TABLE(x)  ((!OMIT_TEMPDB)&&(x==1)?TEMP_MASTER_NAME:MASTER_NAME)
+
+/*
+** A convenience macro that returns the number of elements in
+** an array.
+*/
+#define ArraySize(X)    (sizeof(X)/sizeof(X[0]))
+
+/*
+** Forward references to structures
+*/
+typedef struct AggInfo AggInfo;
+typedef struct AuthContext AuthContext;
+typedef struct CollSeq CollSeq;
+typedef struct Column Column;
+typedef struct Db Db;
+typedef struct Schema Schema;
+typedef struct Expr Expr;
+typedef struct ExprList ExprList;
+typedef struct FKey FKey;
+typedef struct FuncDef FuncDef;
+typedef struct IdList IdList;
+typedef struct Index Index;
+typedef struct KeyClass KeyClass;
+typedef struct KeyInfo KeyInfo;
+typedef struct Module Module;
+typedef struct NameContext NameContext;
+typedef struct Parse Parse;
+typedef struct Select Select;
+typedef struct SrcList SrcList;
+typedef struct ThreadData ThreadData;
+typedef struct Table Table;
+typedef struct TableLock TableLock;
+typedef struct Token Token;
+typedef struct TriggerStack TriggerStack;
+typedef struct TriggerStep TriggerStep;
+typedef struct Trigger Trigger;
+typedef struct WhereInfo WhereInfo;
+typedef struct WhereLevel WhereLevel;
+
+/*
+** Each database file to be accessed by the system is an instance
+** of the following structure.  There are normally two of these structures
+** in the sqlite.aDb[] array.  aDb[0] is the main database file and
+** aDb[1] is the database file used to hold temporary tables.  Additional
+** databases may be attached.
+*/
+struct Db {
+  char *zName;         /* Name of this database */
+  Btree *pBt;          /* The B*Tree structure for this database file */
+  u8 inTrans;          /* 0: not writable.  1: Transaction.  2: Checkpoint */
+  u8 safety_level;     /* How aggressive at synching data to disk */
+  void *pAux;               /* Auxiliary data.  Usually NULL */
+  void (*xFreeAux)(void*);  /* Routine to free pAux */
+  Schema *pSchema;     /* Pointer to database schema (possibly shared) */
+};
+
+/*
+** An instance of the following structure stores a database schema.
+**
+** If there are no virtual tables configured in this schema, the
+** Schema.db variable is set to NULL. After the first virtual table
+** has been added, it is set to point to the database connection 
+** used to create the connection. Once a virtual table has been
+** added to the Schema structure and the Schema.db variable populated, 
+** only that database connection may use the Schema to prepare 
+** statements.
+*/
+struct Schema {
+  int schema_cookie;   /* Database schema version number for this file */
+  Hash tblHash;        /* All tables indexed by name */
+  Hash idxHash;        /* All (named) indices indexed by name */
+  Hash trigHash;       /* All triggers indexed by name */
+  Hash aFKey;          /* Foreign keys indexed by to-table */
+  Table *pSeqTab;      /* The sqlite_sequence table used by AUTOINCREMENT */
+  u8 file_format;      /* Schema format version for this file */
+  u8 enc;              /* Text encoding used by this database */
+  u16 flags;           /* Flags associated with this schema */
+  int cache_size;      /* Number of pages to use in the cache */
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  sqlite3 *db;         /* "Owner" connection. See comment above */
+#endif
+};
+
+/*
+** These macros can be used to test, set, or clear bits in the 
+** Db.flags field.
+*/
+#define DbHasProperty(D,I,P)     (((D)->aDb[I].pSchema->flags&(P))==(P))
+#define DbHasAnyProperty(D,I,P)  (((D)->aDb[I].pSchema->flags&(P))!=0)
+#define DbSetProperty(D,I,P)     (D)->aDb[I].pSchema->flags|=(P)
+#define DbClearProperty(D,I,P)   (D)->aDb[I].pSchema->flags&=~(P)
+
+/*
+** Allowed values for the DB.flags field.
+**
+** The DB_SchemaLoaded flag is set after the database schema has been
+** read into internal hash tables.
+**
+** DB_UnresetViews means that one or more views have column names that
+** have been filled out.  If the schema changes, these column names might
+** changes and so the view will need to be reset.
+*/
+#define DB_SchemaLoaded    0x0001  /* The schema has been loaded */
+#define DB_UnresetViews    0x0002  /* Some views have defined column names */
+#define DB_Empty           0x0004  /* The file is empty (length 0 bytes) */
+
+
+/*
+** Each database is an instance of the following structure.
+**
+** The sqlite.lastRowid records the last insert rowid generated by an
+** insert statement.  Inserts on views do not affect its value.  Each
+** trigger has its own context, so that lastRowid can be updated inside
+** triggers as usual.  The previous value will be restored once the trigger
+** exits.  Upon entering a before or instead of trigger, lastRowid is no
+** longer (since after version 2.8.12) reset to -1.
+**
+** The sqlite.nChange does not count changes within triggers and keeps no
+** context.  It is reset at start of sqlite3_exec.
+** The sqlite.lsChange represents the number of changes made by the last
+** insert, update, or delete statement.  It remains constant throughout the
+** length of a statement and is then updated by OP_SetCounts.  It keeps a
+** context stack just like lastRowid so that the count of changes
+** within a trigger is not seen outside the trigger.  Changes to views do not
+** affect the value of lsChange.
+** The sqlite.csChange keeps track of the number of current changes (since
+** the last statement) and is used to update sqlite_lsChange.
+**
+** The member variables sqlite.errCode, sqlite.zErrMsg and sqlite.zErrMsg16
+** store the most recent error code and, if applicable, string. The
+** internal function sqlite3Error() is used to set these variables
+** consistently.
+*/
+struct sqlite3 {
+  int nDb;                      /* Number of backends currently in use */
+  Db *aDb;                      /* All backends */
+  int flags;                    /* Miscellanous flags. See below */
+  int errCode;                  /* Most recent error code (SQLITE_*) */
+  int errMask;                  /* & result codes with this before returning */
+  u8 autoCommit;                /* The auto-commit flag. */
+  u8 temp_store;                /* 1: file 2: memory 0: default */
+  int nTable;                   /* Number of tables in the database */
+  CollSeq *pDfltColl;           /* The default collating sequence (BINARY) */
+  i64 lastRowid;                /* ROWID of most recent insert (see above) */
+  i64 priorNewRowid;            /* Last randomly generated ROWID */
+  int magic;                    /* Magic number for detect library misuse */
+  int nChange;                  /* Value returned by sqlite3_changes() */
+  int nTotalChange;             /* Value returned by sqlite3_total_changes() */
+  struct sqlite3InitInfo {      /* Information used during initialization */
+    int iDb;                    /* When back is being initialized */
+    int newTnum;                /* Rootpage of table being initialized */
+    u8 busy;                    /* TRUE if currently initializing */
+  } init;
+  int nExtension;               /* Number of loaded extensions */
+  void **aExtension;            /* Array of shared libraray handles */
+  struct Vdbe *pVdbe;           /* List of active virtual machines */
+  int activeVdbeCnt;            /* Number of vdbes currently executing */
+  void (*xTrace)(void*,const char*);        /* Trace function */
+  void *pTraceArg;                          /* Argument to the trace function */
+  void (*xProfile)(void*,const char*,u64);  /* Profiling function */
+  void *pProfileArg;                        /* Argument to profile function */
+  void *pCommitArg;                 /* Argument to xCommitCallback() */   
+  int (*xCommitCallback)(void*);    /* Invoked at every commit. */
+  void *pRollbackArg;               /* Argument to xRollbackCallback() */   
+  void (*xRollbackCallback)(void*); /* Invoked at every commit. */
+  void *pUpdateArg;
+  void (*xUpdateCallback)(void*,int, const char*,const char*,sqlite_int64);
+  void(*xCollNeeded)(void*,sqlite3*,int eTextRep,const char*);
+  void(*xCollNeeded16)(void*,sqlite3*,int eTextRep,const void*);
+  void *pCollNeededArg;
+  sqlite3_value *pErr;          /* Most recent error message */
+  char *zErrMsg;                /* Most recent error message (UTF-8 encoded) */
+  char *zErrMsg16;              /* Most recent error message (UTF-16 encoded) */
+  union {
+    int isInterrupted;          /* True if sqlite3_interrupt has been called */
+    double notUsed1;            /* Spacer */
+  } u1;
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  int (*xAuth)(void*,int,const char*,const char*,const char*,const char*);
+                                /* Access authorization function */
+  void *pAuthArg;               /* 1st argument to the access auth function */
+#endif
+#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
+  int (*xProgress)(void *);     /* The progress callback */
+  void *pProgressArg;           /* Argument to the progress callback */
+  int nProgressOps;             /* Number of opcodes for progress callback */
+#endif
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  Hash aModule;                 /* populated by sqlite3_create_module() */
+  Table *pVTab;                 /* vtab with active Connect/Create method */
+  sqlite3_vtab **aVTrans;       /* Virtual tables with open transactions */
+  int nVTrans;                  /* Allocated size of aVTrans */
+#endif
+  Hash aFunc;                   /* All functions that can be in SQL exprs */
+  Hash aCollSeq;                /* All collating sequences */
+  BusyHandler busyHandler;      /* Busy callback */
+  int busyTimeout;              /* Busy handler timeout, in msec */
+  Db aDbStatic[2];              /* Static space for the 2 default backends */
+#ifdef SQLITE_SSE
+  sqlite3_stmt *pFetch;         /* Used by SSE to fetch stored statements */
+#endif
+  u8 dfltLockMode;              /* Default locking-mode for attached dbs */
+};
+
+/*
+** A macro to discover the encoding of a database.
+*/
+#define ENC(db) ((db)->aDb[0].pSchema->enc)
+
+/*
+** Possible values for the sqlite.flags and or Db.flags fields.
+**
+** On sqlite.flags, the SQLITE_InTrans value means that we have
+** executed a BEGIN.  On Db.flags, SQLITE_InTrans means a statement
+** transaction is active on that particular database file.
+*/
+#define SQLITE_VdbeTrace      0x00000001  /* True to trace VDBE execution */
+#define SQLITE_InTrans        0x00000008  /* True if in a transaction */
+#define SQLITE_InternChanges  0x00000010  /* Uncommitted Hash table changes */
+#define SQLITE_FullColNames   0x00000020  /* Show full column names on SELECT */
+#define SQLITE_ShortColNames  0x00000040  /* Show short columns names */
+#define SQLITE_CountRows      0x00000080  /* Count rows changed by INSERT, */
+                                          /*   DELETE, or UPDATE and return */
+                                          /*   the count using a callback. */
+#define SQLITE_NullCallback   0x00000100  /* Invoke the callback once if the */
+                                          /*   result set is empty */
+#define SQLITE_SqlTrace       0x00000200  /* Debug print SQL as it executes */
+#define SQLITE_VdbeListing    0x00000400  /* Debug listings of VDBE programs */
+#define SQLITE_WriteSchema    0x00000800  /* OK to update SQLITE_MASTER */
+#define SQLITE_NoReadlock     0x00001000  /* Readlocks are omitted when 
+                                          ** accessing read-only databases */
+#define SQLITE_IgnoreChecks   0x00002000  /* Do not enforce check constraints */
+#define SQLITE_ReadUncommitted 0x00004000 /* For shared-cache mode */
+#define SQLITE_LegacyFileFmt  0x00008000  /* Create new databases in format 1 */
+#define SQLITE_FullFSync      0x00010000  /* Use full fsync on the backend */
+#define SQLITE_LoadExtension  0x00020000  /* Enable load_extension */
+
+#define SQLITE_RecoveryMode   0x00040000  /* Ignore schema errors */
+
+/*
+** Possible values for the sqlite.magic field.
+** The numbers are obtained at random and have no special meaning, other
+** than being distinct from one another.
+*/
+#define SQLITE_MAGIC_OPEN     0xa029a697  /* Database is open */
+#define SQLITE_MAGIC_CLOSED   0x9f3c2d33  /* Database is closed */
+#define SQLITE_MAGIC_BUSY     0xf03b7906  /* Database currently in use */
+#define SQLITE_MAGIC_ERROR    0xb5357930  /* An SQLITE_MISUSE error occurred */
+
+/*
+** Each SQL function is defined by an instance of the following
+** structure.  A pointer to this structure is stored in the sqlite.aFunc
+** hash table.  When multiple functions have the same name, the hash table
+** points to a linked list of these structures.
+*/
+struct FuncDef {
+  i16 nArg;            /* Number of arguments.  -1 means unlimited */
+  u8 iPrefEnc;         /* Preferred text encoding (SQLITE_UTF8, 16LE, 16BE) */
+  u8 needCollSeq;      /* True if sqlite3GetFuncCollSeq() might be called */
+  u8 flags;            /* Some combination of SQLITE_FUNC_* */
+  void *pUserData;     /* User data parameter */
+  FuncDef *pNext;      /* Next function with same name */
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**); /* Regular function */
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**); /* Aggregate step */
+  void (*xFinalize)(sqlite3_context*);                /* Aggregate finializer */
+  char zName[1];       /* SQL name of the function.  MUST BE LAST */
+};
+
+/*
+** Each SQLite module (virtual table definition) is defined by an
+** instance of the following structure, stored in the sqlite3.aModule
+** hash table.
+*/
+struct Module {
+  const sqlite3_module *pModule;       /* Callback pointers */
+  const char *zName;                   /* Name passed to create_module() */
+  void *pAux;                          /* pAux passed to create_module() */
+};
+
+/*
+** Possible values for FuncDef.flags
+*/
+#define SQLITE_FUNC_LIKE   0x01  /* Candidate for the LIKE optimization */
+#define SQLITE_FUNC_CASE   0x02  /* Case-sensitive LIKE-type function */
+#define SQLITE_FUNC_EPHEM  0x04  /* Ephermeral.  Delete with VDBE */
+
+/*
+** information about each column of an SQL table is held in an instance
+** of this structure.
+*/
+struct Column {
+  char *zName;     /* Name of this column */
+  Expr *pDflt;     /* Default value of this column */
+  char *zType;     /* Data type for this column */
+  char *zColl;     /* Collating sequence.  If NULL, use the default */
+  u8 notNull;      /* True if there is a NOT NULL constraint */
+  u8 isPrimKey;    /* True if this column is part of the PRIMARY KEY */
+  char affinity;   /* One of the SQLITE_AFF_... values */
+};
+
+/*
+** A "Collating Sequence" is defined by an instance of the following
+** structure. Conceptually, a collating sequence consists of a name and
+** a comparison routine that defines the order of that sequence.
+**
+** There may two seperate implementations of the collation function, one
+** that processes text in UTF-8 encoding (CollSeq.xCmp) and another that
+** processes text encoded in UTF-16 (CollSeq.xCmp16), using the machine
+** native byte order. When a collation sequence is invoked, SQLite selects
+** the version that will require the least expensive encoding
+** translations, if any.
+**
+** The CollSeq.pUser member variable is an extra parameter that passed in
+** as the first argument to the UTF-8 comparison function, xCmp.
+** CollSeq.pUser16 is the equivalent for the UTF-16 comparison function,
+** xCmp16.
+**
+** If both CollSeq.xCmp and CollSeq.xCmp16 are NULL, it means that the
+** collating sequence is undefined.  Indices built on an undefined
+** collating sequence may not be read or written.
+*/
+struct CollSeq {
+  char *zName;         /* Name of the collating sequence, UTF-8 encoded */
+  u8 enc;              /* Text encoding handled by xCmp() */
+  u8 type;             /* One of the SQLITE_COLL_... values below */
+  void *pUser;         /* First argument to xCmp() */
+  int (*xCmp)(void*,int, const void*, int, const void*);
+};
+
+/*
+** Allowed values of CollSeq flags:
+*/
+#define SQLITE_COLL_BINARY  1  /* The default memcmp() collating sequence */
+#define SQLITE_COLL_NOCASE  2  /* The built-in NOCASE collating sequence */
+#define SQLITE_COLL_REVERSE 3  /* The built-in REVERSE collating sequence */
+#define SQLITE_COLL_USER    0  /* Any other user-defined collating sequence */
+
+/*
+** A sort order can be either ASC or DESC.
+*/
+#define SQLITE_SO_ASC       0  /* Sort in ascending order */
+#define SQLITE_SO_DESC      1  /* Sort in ascending order */
+
+/*
+** Column affinity types.
+**
+** These used to have mnemonic name like 'i' for SQLITE_AFF_INTEGER and
+** 't' for SQLITE_AFF_TEXT.  But we can save a little space and improve
+** the speed a little by number the values consecutively.  
+**
+** But rather than start with 0 or 1, we begin with 'a'.  That way,
+** when multiple affinity types are concatenated into a string and
+** used as the P3 operand, they will be more readable.
+**
+** Note also that the numeric types are grouped together so that testing
+** for a numeric type is a single comparison.
+*/
+#define SQLITE_AFF_TEXT     'a'
+#define SQLITE_AFF_NONE     'b'
+#define SQLITE_AFF_NUMERIC  'c'
+#define SQLITE_AFF_INTEGER  'd'
+#define SQLITE_AFF_REAL     'e'
+
+#define sqlite3IsNumericAffinity(X)  ((X)>=SQLITE_AFF_NUMERIC)
+
+/*
+** Each SQL table is represented in memory by an instance of the
+** following structure.
+**
+** Table.zName is the name of the table.  The case of the original
+** CREATE TABLE statement is stored, but case is not significant for
+** comparisons.
+**
+** Table.nCol is the number of columns in this table.  Table.aCol is a
+** pointer to an array of Column structures, one for each column.
+**
+** If the table has an INTEGER PRIMARY KEY, then Table.iPKey is the index of
+** the column that is that key.   Otherwise Table.iPKey is negative.  Note
+** that the datatype of the PRIMARY KEY must be INTEGER for this field to
+** be set.  An INTEGER PRIMARY KEY is used as the rowid for each row of
+** the table.  If a table has no INTEGER PRIMARY KEY, then a random rowid
+** is generated for each row of the table.  Table.hasPrimKey is true if
+** the table has any PRIMARY KEY, INTEGER or otherwise.
+**
+** Table.tnum is the page number for the root BTree page of the table in the
+** database file.  If Table.iDb is the index of the database table backend
+** in sqlite.aDb[].  0 is for the main database and 1 is for the file that
+** holds temporary tables and indices.  If Table.isEphem
+** is true, then the table is stored in a file that is automatically deleted
+** when the VDBE cursor to the table is closed.  In this case Table.tnum 
+** refers VDBE cursor number that holds the table open, not to the root
+** page number.  Transient tables are used to hold the results of a
+** sub-query that appears instead of a real table name in the FROM clause 
+** of a SELECT statement.
+*/
+struct Table {
+  char *zName;     /* Name of the table */
+  int nCol;        /* Number of columns in this table */
+  Column *aCol;    /* Information about each column */
+  int iPKey;       /* If not less then 0, use aCol[iPKey] as the primary key */
+  Index *pIndex;   /* List of SQL indexes on this table. */
+  int tnum;        /* Root BTree node for this table (see note above) */
+  Select *pSelect; /* NULL for tables.  Points to definition if a view. */
+  int nRef;          /* Number of pointers to this Table */
+  Trigger *pTrigger; /* List of SQL triggers on this table */
+  FKey *pFKey;       /* Linked list of all foreign keys in this table */
+  char *zColAff;     /* String defining the affinity of each column */
+#ifndef SQLITE_OMIT_CHECK
+  Expr *pCheck;      /* The AND of all CHECK constraints */
+#endif
+#ifndef SQLITE_OMIT_ALTERTABLE
+  int addColOffset;  /* Offset in CREATE TABLE statement to add a new column */
+#endif
+  u8 readOnly;     /* True if this table should not be written by the user */
+  u8 isEphem;      /* True if created using OP_OpenEphermeral */
+  u8 hasPrimKey;   /* True if there exists a primary key */
+  u8 keyConf;      /* What to do in case of uniqueness conflict on iPKey */
+  u8 autoInc;      /* True if the integer primary key is autoincrement */
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  u8 isVirtual;             /* True if this is a virtual table */
+  u8 isCommit;              /* True once the CREATE TABLE has been committed */
+  Module *pMod;             /* Pointer to the implementation of the module */
+  sqlite3_vtab *pVtab;      /* Pointer to the module instance */
+  int nModuleArg;           /* Number of arguments to the module */
+  char **azModuleArg;       /* Text of all module args. [0] is module name */
+#endif
+  Schema *pSchema;
+};
+
+/*
+** Test to see whether or not a table is a virtual table.  This is
+** done as a macro so that it will be optimized out when virtual
+** table support is omitted from the build.
+*/
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+#  define IsVirtual(X) ((X)->isVirtual)
+#else
+#  define IsVirtual(X) 0
+#endif
+
+/*
+** Each foreign key constraint is an instance of the following structure.
+**
+** A foreign key is associated with two tables.  The "from" table is
+** the table that contains the REFERENCES clause that creates the foreign
+** key.  The "to" table is the table that is named in the REFERENCES clause.
+** Consider this example:
+**
+**     CREATE TABLE ex1(
+**       a INTEGER PRIMARY KEY,
+**       b INTEGER CONSTRAINT fk1 REFERENCES ex2(x)
+**     );
+**
+** For foreign key "fk1", the from-table is "ex1" and the to-table is "ex2".
+**
+** Each REFERENCES clause generates an instance of the following structure
+** which is attached to the from-table.  The to-table need not exist when
+** the from-table is created.  The existance of the to-table is not checked
+** until an attempt is made to insert data into the from-table.
+**
+** The sqlite.aFKey hash table stores pointers to this structure
+** given the name of a to-table.  For each to-table, all foreign keys
+** associated with that table are on a linked list using the FKey.pNextTo
+** field.
+*/
+struct FKey {
+  Table *pFrom;     /* The table that constains the REFERENCES clause */
+  FKey *pNextFrom;  /* Next foreign key in pFrom */
+  char *zTo;        /* Name of table that the key points to */
+  FKey *pNextTo;    /* Next foreign key that points to zTo */
+  int nCol;         /* Number of columns in this key */
+  struct sColMap {  /* Mapping of columns in pFrom to columns in zTo */
+    int iFrom;         /* Index of column in pFrom */
+    char *zCol;        /* Name of column in zTo.  If 0 use PRIMARY KEY */
+  } *aCol;          /* One entry for each of nCol column s */
+  u8 isDeferred;    /* True if constraint checking is deferred till COMMIT */
+  u8 updateConf;    /* How to resolve conflicts that occur on UPDATE */
+  u8 deleteConf;    /* How to resolve conflicts that occur on DELETE */
+  u8 insertConf;    /* How to resolve conflicts that occur on INSERT */
+};
+
+/*
+** SQLite supports many different ways to resolve a contraint
+** error.  ROLLBACK processing means that a constraint violation
+** causes the operation in process to fail and for the current transaction
+** to be rolled back.  ABORT processing means the operation in process
+** fails and any prior changes from that one operation are backed out,
+** but the transaction is not rolled back.  FAIL processing means that
+** the operation in progress stops and returns an error code.  But prior
+** changes due to the same operation are not backed out and no rollback
+** occurs.  IGNORE means that the particular row that caused the constraint
+** error is not inserted or updated.  Processing continues and no error
+** is returned.  REPLACE means that preexisting database rows that caused
+** a UNIQUE constraint violation are removed so that the new insert or
+** update can proceed.  Processing continues and no error is reported.
+**
+** RESTRICT, SETNULL, and CASCADE actions apply only to foreign keys.
+** RESTRICT is the same as ABORT for IMMEDIATE foreign keys and the
+** same as ROLLBACK for DEFERRED keys.  SETNULL means that the foreign
+** key is set to NULL.  CASCADE means that a DELETE or UPDATE of the
+** referenced table row is propagated into the row that holds the
+** foreign key.
+** 
+** The following symbolic values are used to record which type
+** of action to take.
+*/
+#define OE_None     0   /* There is no constraint to check */
+#define OE_Rollback 1   /* Fail the operation and rollback the transaction */
+#define OE_Abort    2   /* Back out changes but do no rollback transaction */
+#define OE_Fail     3   /* Stop the operation but leave all prior changes */
+#define OE_Ignore   4   /* Ignore the error. Do not do the INSERT or UPDATE */
+#define OE_Replace  5   /* Delete existing record, then do INSERT or UPDATE */
+
+#define OE_Restrict 6   /* OE_Abort for IMMEDIATE, OE_Rollback for DEFERRED */
+#define OE_SetNull  7   /* Set the foreign key value to NULL */
+#define OE_SetDflt  8   /* Set the foreign key value to its default */
+#define OE_Cascade  9   /* Cascade the changes */
+
+#define OE_Default  99  /* Do whatever the default action is */
+
+
+/*
+** An instance of the following structure is passed as the first
+** argument to sqlite3VdbeKeyCompare and is used to control the 
+** comparison of the two index keys.
+**
+** If the KeyInfo.incrKey value is true and the comparison would
+** otherwise be equal, then return a result as if the second key
+** were larger.
+*/
+struct KeyInfo {
+  u8 enc;             /* Text encoding - one of the TEXT_Utf* values */
+  u8 incrKey;         /* Increase 2nd key by epsilon before comparison */
+  int nField;         /* Number of entries in aColl[] */
+  u8 *aSortOrder;     /* If defined an aSortOrder[i] is true, sort DESC */
+  CollSeq *aColl[1];  /* Collating sequence for each term of the key */
+};
+
+/*
+** Each SQL index is represented in memory by an
+** instance of the following structure.
+**
+** The columns of the table that are to be indexed are described
+** by the aiColumn[] field of this structure.  For example, suppose
+** we have the following table and index:
+**
+**     CREATE TABLE Ex1(c1 int, c2 int, c3 text);
+**     CREATE INDEX Ex2 ON Ex1(c3,c1);
+**
+** In the Table structure describing Ex1, nCol==3 because there are
+** three columns in the table.  In the Index structure describing
+** Ex2, nColumn==2 since 2 of the 3 columns of Ex1 are indexed.
+** The value of aiColumn is {2, 0}.  aiColumn[0]==2 because the 
+** first column to be indexed (c3) has an index of 2 in Ex1.aCol[].
+** The second column to be indexed (c1) has an index of 0 in
+** Ex1.aCol[], hence Ex2.aiColumn[1]==0.
+**
+** The Index.onError field determines whether or not the indexed columns
+** must be unique and what to do if they are not.  When Index.onError=OE_None,
+** it means this is not a unique index.  Otherwise it is a unique index
+** and the value of Index.onError indicate the which conflict resolution 
+** algorithm to employ whenever an attempt is made to insert a non-unique
+** element.
+*/
+struct Index {
+  char *zName;     /* Name of this index */
+  int nColumn;     /* Number of columns in the table used by this index */
+  int *aiColumn;   /* Which columns are used by this index.  1st is 0 */
+  unsigned *aiRowEst; /* Result of ANALYZE: Est. rows selected by each column */
+  Table *pTable;   /* The SQL table being indexed */
+  int tnum;        /* Page containing root of this index in database file */
+  u8 onError;      /* OE_Abort, OE_Ignore, OE_Replace, or OE_None */
+  u8 autoIndex;    /* True if is automatically created (ex: by UNIQUE) */
+  char *zColAff;   /* String defining the affinity of each column */
+  Index *pNext;    /* The next index associated with the same table */
+  Schema *pSchema; /* Schema containing this index */
+  u8 *aSortOrder;  /* Array of size Index.nColumn. True==DESC, False==ASC */
+  char **azColl;   /* Array of collation sequence names for index */
+};
+
+/*
+** Each token coming out of the lexer is an instance of
+** this structure.  Tokens are also used as part of an expression.
+**
+** Note if Token.z==0 then Token.dyn and Token.n are undefined and
+** may contain random values.  Do not make any assuptions about Token.dyn
+** and Token.n when Token.z==0.
+*/
+struct Token {
+  const unsigned char *z; /* Text of the token.  Not NULL-terminated! */
+  unsigned dyn  : 1;      /* True for malloced memory, false for static */
+  unsigned n    : 31;     /* Number of characters in this token */
+};
+
+/*
+** An instance of this structure contains information needed to generate
+** code for a SELECT that contains aggregate functions.
+**
+** If Expr.op==TK_AGG_COLUMN or TK_AGG_FUNCTION then Expr.pAggInfo is a
+** pointer to this structure.  The Expr.iColumn field is the index in
+** AggInfo.aCol[] or AggInfo.aFunc[] of information needed to generate
+** code for that node.
+**
+** AggInfo.pGroupBy and AggInfo.aFunc.pExpr point to fields within the
+** original Select structure that describes the SELECT statement.  These
+** fields do not need to be freed when deallocating the AggInfo structure.
+*/
+struct AggInfo {
+  u8 directMode;          /* Direct rendering mode means take data directly
+                          ** from source tables rather than from accumulators */
+  u8 useSortingIdx;       /* In direct mode, reference the sorting index rather
+                          ** than the source table */
+  int sortingIdx;         /* Cursor number of the sorting index */
+  ExprList *pGroupBy;     /* The group by clause */
+  int nSortingColumn;     /* Number of columns in the sorting index */
+  struct AggInfo_col {    /* For each column used in source tables */
+    Table *pTab;             /* Source table */
+    int iTable;              /* Cursor number of the source table */
+    int iColumn;             /* Column number within the source table */
+    int iSorterColumn;       /* Column number in the sorting index */
+    int iMem;                /* Memory location that acts as accumulator */
+    Expr *pExpr;             /* The original expression */
+  } *aCol;
+  int nColumn;            /* Number of used entries in aCol[] */
+  int nColumnAlloc;       /* Number of slots allocated for aCol[] */
+  int nAccumulator;       /* Number of columns that show through to the output.
+                          ** Additional columns are used only as parameters to
+                          ** aggregate functions */
+  struct AggInfo_func {   /* For each aggregate function */
+    Expr *pExpr;             /* Expression encoding the function */
+    FuncDef *pFunc;          /* The aggregate function implementation */
+    int iMem;                /* Memory location that acts as accumulator */
+    int iDistinct;           /* Ephermeral table used to enforce DISTINCT */
+  } *aFunc;
+  int nFunc;              /* Number of entries in aFunc[] */
+  int nFuncAlloc;         /* Number of slots allocated for aFunc[] */
+};
+
+/*
+** Each node of an expression in the parse tree is an instance
+** of this structure.
+**
+** Expr.op is the opcode.  The integer parser token codes are reused
+** as opcodes here.  For example, the parser defines TK_GE to be an integer
+** code representing the ">=" operator.  This same integer code is reused
+** to represent the greater-than-or-equal-to operator in the expression
+** tree.
+**
+** Expr.pRight and Expr.pLeft are subexpressions.  Expr.pList is a list
+** of argument if the expression is a function.
+**
+** Expr.token is the operator token for this node.  For some expressions
+** that have subexpressions, Expr.token can be the complete text that gave
+** rise to the Expr.  In the latter case, the token is marked as being
+** a compound token.
+**
+** An expression of the form ID or ID.ID refers to a column in a table.
+** For such expressions, Expr.op is set to TK_COLUMN and Expr.iTable is
+** the integer cursor number of a VDBE cursor pointing to that table and
+** Expr.iColumn is the column number for the specific column.  If the
+** expression is used as a result in an aggregate SELECT, then the
+** value is also stored in the Expr.iAgg column in the aggregate so that
+** it can be accessed after all aggregates are computed.
+**
+** If the expression is a function, the Expr.iTable is an integer code
+** representing which function.  If the expression is an unbound variable
+** marker (a question mark character '?' in the original SQL) then the
+** Expr.iTable holds the index number for that variable.
+**
+** If the expression is a subquery then Expr.iColumn holds an integer
+** register number containing the result of the subquery.  If the
+** subquery gives a constant result, then iTable is -1.  If the subquery
+** gives a different answer at different times during statement processing
+** then iTable is the address of a subroutine that computes the subquery.
+**
+** The Expr.pSelect field points to a SELECT statement.  The SELECT might
+** be the right operand of an IN operator.  Or, if a scalar SELECT appears
+** in an expression the opcode is TK_SELECT and Expr.pSelect is the only
+** operand.
+**
+** If the Expr is of type OP_Column, and the table it is selecting from
+** is a disk table or the "old.*" pseudo-table, then pTab points to the
+** corresponding table definition.
+*/
+struct Expr {
+  u8 op;                 /* Operation performed by this node */
+  char affinity;         /* The affinity of the column or 0 if not a column */
+  u16 flags;             /* Various flags.  See below */
+  CollSeq *pColl;        /* The collation type of the column or 0 */
+  Expr *pLeft, *pRight;  /* Left and right subnodes */
+  ExprList *pList;       /* A list of expressions used as function arguments
+                         ** or in "<expr> IN (<expr-list)" */
+  Token token;           /* An operand token */
+  Token span;            /* Complete text of the expression */
+  int iTable, iColumn;   /* When op==TK_COLUMN, then this expr node means the
+                         ** iColumn-th field of the iTable-th table. */
+  AggInfo *pAggInfo;     /* Used by TK_AGG_COLUMN and TK_AGG_FUNCTION */
+  int iAgg;              /* Which entry in pAggInfo->aCol[] or ->aFunc[] */
+  int iRightJoinTable;   /* If EP_FromJoin, the right table of the join */
+  Select *pSelect;       /* When the expression is a sub-select.  Also the
+                         ** right side of "<expr> IN (<select>)" */
+  Table *pTab;           /* Table for OP_Column expressions. */
+  Schema *pSchema;
+};
+
+/*
+** The following are the meanings of bits in the Expr.flags field.
+*/
+#define EP_FromJoin     0x01  /* Originated in ON or USING clause of a join */
+#define EP_Agg          0x02  /* Contains one or more aggregate functions */
+#define EP_Resolved     0x04  /* IDs have been resolved to COLUMNs */
+#define EP_Error        0x08  /* Expression contains one or more errors */
+#define EP_Distinct     0x10  /* Aggregate function with DISTINCT keyword */
+#define EP_VarSelect    0x20  /* pSelect is correlated, not constant */
+#define EP_Dequoted     0x40  /* True if the string has been dequoted */
+#define EP_InfixFunc    0x80  /* True for an infix function: LIKE, GLOB, etc */
+#define EP_ExpCollate  0x100  /* Collating sequence specified explicitly */
+
+/*
+** These macros can be used to test, set, or clear bits in the 
+** Expr.flags field.
+*/
+#define ExprHasProperty(E,P)     (((E)->flags&(P))==(P))
+#define ExprHasAnyProperty(E,P)  (((E)->flags&(P))!=0)
+#define ExprSetProperty(E,P)     (E)->flags|=(P)
+#define ExprClearProperty(E,P)   (E)->flags&=~(P)
+
+/*
+** A list of expressions.  Each expression may optionally have a
+** name.  An expr/name combination can be used in several ways, such
+** as the list of "expr AS ID" fields following a "SELECT" or in the
+** list of "ID = expr" items in an UPDATE.  A list of expressions can
+** also be used as the argument to a function, in which case the a.zName
+** field is not used.
+*/
+struct ExprList {
+  int nExpr;             /* Number of expressions on the list */
+  int nAlloc;            /* Number of entries allocated below */
+  int iECursor;          /* VDBE Cursor associated with this ExprList */
+  struct ExprList_item {
+    Expr *pExpr;           /* The list of expressions */
+    char *zName;           /* Token associated with this expression */
+    u8 sortOrder;          /* 1 for DESC or 0 for ASC */
+    u8 isAgg;              /* True if this is an aggregate like count(*) */
+    u8 done;               /* A flag to indicate when processing is finished */
+  } *a;                  /* One entry for each expression */
+};
+
+/*
+** An instance of this structure can hold a simple list of identifiers,
+** such as the list "a,b,c" in the following statements:
+**
+**      INSERT INTO t(a,b,c) VALUES ...;
+**      CREATE INDEX idx ON t(a,b,c);
+**      CREATE TRIGGER trig BEFORE UPDATE ON t(a,b,c) ...;
+**
+** The IdList.a.idx field is used when the IdList represents the list of
+** column names after a table name in an INSERT statement.  In the statement
+**
+**     INSERT INTO t(a,b,c) ...
+**
+** If "a" is the k-th column of table "t", then IdList.a[0].idx==k.
+*/
+struct IdList {
+  struct IdList_item {
+    char *zName;      /* Name of the identifier */
+    int idx;          /* Index in some Table.aCol[] of a column named zName */
+  } *a;
+  int nId;         /* Number of identifiers on the list */
+  int nAlloc;      /* Number of entries allocated for a[] below */
+};
+
+/*
+** The bitmask datatype defined below is used for various optimizations.
+**
+** Changing this from a 64-bit to a 32-bit type limits the number of
+** tables in a join to 32 instead of 64.  But it also reduces the size
+** of the library by 738 bytes on ix86.
+*/
+typedef u64 Bitmask;
+
+/*
+** The following structure describes the FROM clause of a SELECT statement.
+** Each table or subquery in the FROM clause is a separate element of
+** the SrcList.a[] array.
+**
+** With the addition of multiple database support, the following structure
+** can also be used to describe a particular table such as the table that
+** is modified by an INSERT, DELETE, or UPDATE statement.  In standard SQL,
+** such a table must be a simple name: ID.  But in SQLite, the table can
+** now be identified by a database name, a dot, then the table name: ID.ID.
+**
+** The jointype starts out showing the join type between the current table
+** and the next table on the list.  The parser builds the list this way.
+** But sqlite3SrcListShiftJoinType() later shifts the jointypes so that each
+** jointype expresses the join between the table and the previous table.
+*/
+struct SrcList {
+  i16 nSrc;        /* Number of tables or subqueries in the FROM clause */
+  i16 nAlloc;      /* Number of entries allocated in a[] below */
+  struct SrcList_item {
+    char *zDatabase;  /* Name of database holding this table */
+    char *zName;      /* Name of the table */
+    char *zAlias;     /* The "B" part of a "A AS B" phrase.  zName is the "A" */
+    Table *pTab;      /* An SQL table corresponding to zName */
+    Select *pSelect;  /* A SELECT statement used in place of a table name */
+    u8 isPopulated;   /* Temporary table associated with SELECT is populated */
+    u8 jointype;      /* Type of join between this able and the previous */
+    int iCursor;      /* The VDBE cursor number used to access this table */
+    Expr *pOn;        /* The ON clause of a join */
+    IdList *pUsing;   /* The USING clause of a join */
+    Bitmask colUsed;  /* Bit N (1<<N) set if column N or pTab is used */
+  } a[1];             /* One entry for each identifier on the list */
+};
+
+/*
+** Permitted values of the SrcList.a.jointype field
+*/
+#define JT_INNER     0x0001    /* Any kind of inner or cross join */
+#define JT_CROSS     0x0002    /* Explicit use of the CROSS keyword */
+#define JT_NATURAL   0x0004    /* True for a "natural" join */
+#define JT_LEFT      0x0008    /* Left outer join */
+#define JT_RIGHT     0x0010    /* Right outer join */
+#define JT_OUTER     0x0020    /* The "OUTER" keyword is present */
+#define JT_ERROR     0x0040    /* unknown or unsupported join type */
+
+/*
+** For each nested loop in a WHERE clause implementation, the WhereInfo
+** structure contains a single instance of this structure.  This structure
+** is intended to be private the the where.c module and should not be
+** access or modified by other modules.
+**
+** The pIdxInfo and pBestIdx fields are used to help pick the best
+** index on a virtual table.  The pIdxInfo pointer contains indexing
+** information for the i-th table in the FROM clause before reordering.
+** All the pIdxInfo pointers are freed by whereInfoFree() in where.c.
+** The pBestIdx pointer is a copy of pIdxInfo for the i-th table after
+** FROM clause ordering.  This is a little confusing so I will repeat
+** it in different words.  WhereInfo.a[i].pIdxInfo is index information 
+** for WhereInfo.pTabList.a[i].  WhereInfo.a[i].pBestInfo is the
+** index information for the i-th loop of the join.  pBestInfo is always
+** either NULL or a copy of some pIdxInfo.  So for cleanup it is 
+** sufficient to free all of the pIdxInfo pointers.
+** 
+*/
+struct WhereLevel {
+  int iFrom;            /* Which entry in the FROM clause */
+  int flags;            /* Flags associated with this level */
+  int iMem;             /* First memory cell used by this level */
+  int iLeftJoin;        /* Memory cell used to implement LEFT OUTER JOIN */
+  Index *pIdx;          /* Index used.  NULL if no index */
+  int iTabCur;          /* The VDBE cursor used to access the table */
+  int iIdxCur;          /* The VDBE cursor used to acesss pIdx */
+  int brk;              /* Jump here to break out of the loop */
+  int nxt;              /* Jump here to start the next IN combination */
+  int cont;             /* Jump here to continue with the next loop cycle */
+  int top;              /* First instruction of interior of the loop */
+  int op, p1, p2;       /* Opcode used to terminate the loop */
+  int nEq;              /* Number of == or IN constraints on this loop */
+  int nIn;              /* Number of IN operators constraining this loop */
+  struct InLoop {
+    int iCur;              /* The VDBE cursor used by this IN operator */
+    int topAddr;           /* Top of the IN loop */
+  } *aInLoop;           /* Information about each nested IN operator */
+  sqlite3_index_info *pBestIdx;  /* Index information for this level */
+
+  /* The following field is really not part of the current level.  But
+  ** we need a place to cache index information for each table in the
+  ** FROM clause and the WhereLevel structure is a convenient place.
+  */
+  sqlite3_index_info *pIdxInfo;  /* Index info for n-th source table */
+};
+
+/*
+** The WHERE clause processing routine has two halves.  The
+** first part does the start of the WHERE loop and the second
+** half does the tail of the WHERE loop.  An instance of
+** this structure is returned by the first half and passed
+** into the second half to give some continuity.
+*/
+struct WhereInfo {
+  Parse *pParse;
+  SrcList *pTabList;   /* List of tables in the join */
+  int iTop;            /* The very beginning of the WHERE loop */
+  int iContinue;       /* Jump here to continue with next record */
+  int iBreak;          /* Jump here to break out of the loop */
+  int nLevel;          /* Number of nested loop */
+  sqlite3_index_info **apInfo;  /* Array of pointers to index info structures */
+  WhereLevel a[1];     /* Information about each nest loop in the WHERE */
+};
+
+/*
+** A NameContext defines a context in which to resolve table and column
+** names.  The context consists of a list of tables (the pSrcList) field and
+** a list of named expression (pEList).  The named expression list may
+** be NULL.  The pSrc corresponds to the FROM clause of a SELECT or
+** to the table being operated on by INSERT, UPDATE, or DELETE.  The
+** pEList corresponds to the result set of a SELECT and is NULL for
+** other statements.
+**
+** NameContexts can be nested.  When resolving names, the inner-most 
+** context is searched first.  If no match is found, the next outer
+** context is checked.  If there is still no match, the next context
+** is checked.  This process continues until either a match is found
+** or all contexts are check.  When a match is found, the nRef member of
+** the context containing the match is incremented. 
+**
+** Each subquery gets a new NameContext.  The pNext field points to the
+** NameContext in the parent query.  Thus the process of scanning the
+** NameContext list corresponds to searching through successively outer
+** subqueries looking for a match.
+*/
+struct NameContext {
+  Parse *pParse;       /* The parser */
+  SrcList *pSrcList;   /* One or more tables used to resolve names */
+  ExprList *pEList;    /* Optional list of named expressions */
+  int nRef;            /* Number of names resolved by this context */
+  int nErr;            /* Number of errors encountered while resolving names */
+  u8 allowAgg;         /* Aggregate functions allowed here */
+  u8 hasAgg;           /* True if aggregates are seen */
+  u8 isCheck;          /* True if resolving names in a CHECK constraint */
+  int nDepth;          /* Depth of subquery recursion. 1 for no recursion */
+  AggInfo *pAggInfo;   /* Information about aggregates at this level */
+  NameContext *pNext;  /* Next outer name context.  NULL for outermost */
+};
+
+/*
+** An instance of the following structure contains all information
+** needed to generate code for a single SELECT statement.
+**
+** nLimit is set to -1 if there is no LIMIT clause.  nOffset is set to 0.
+** If there is a LIMIT clause, the parser sets nLimit to the value of the
+** limit and nOffset to the value of the offset (or 0 if there is not
+** offset).  But later on, nLimit and nOffset become the memory locations
+** in the VDBE that record the limit and offset counters.
+**
+** addrOpenEphm[] entries contain the address of OP_OpenEphemeral opcodes.
+** These addresses must be stored so that we can go back and fill in
+** the P3_KEYINFO and P2 parameters later.  Neither the KeyInfo nor
+** the number of columns in P2 can be computed at the same time
+** as the OP_OpenEphm instruction is coded because not
+** enough information about the compound query is known at that point.
+** The KeyInfo for addrOpenTran[0] and [1] contains collating sequences
+** for the result set.  The KeyInfo for addrOpenTran[2] contains collating
+** sequences for the ORDER BY clause.
+*/
+struct Select {
+  ExprList *pEList;      /* The fields of the result */
+  u8 op;                 /* One of: TK_UNION TK_ALL TK_INTERSECT TK_EXCEPT */
+  u8 isDistinct;         /* True if the DISTINCT keyword is present */
+  u8 isResolved;         /* True once sqlite3SelectResolve() has run. */
+  u8 isAgg;              /* True if this is an aggregate query */
+  u8 usesEphm;           /* True if uses an OpenEphemeral opcode */
+  u8 disallowOrderBy;    /* Do not allow an ORDER BY to be attached if TRUE */
+  char affinity;         /* MakeRecord with this affinity for SRT_Set */
+  SrcList *pSrc;         /* The FROM clause */
+  Expr *pWhere;          /* The WHERE clause */
+  ExprList *pGroupBy;    /* The GROUP BY clause */
+  Expr *pHaving;         /* The HAVING clause */
+  ExprList *pOrderBy;    /* The ORDER BY clause */
+  Select *pPrior;        /* Prior select in a compound select statement */
+  Select *pRightmost;    /* Right-most select in a compound select statement */
+  Expr *pLimit;          /* LIMIT expression. NULL means not used. */
+  Expr *pOffset;         /* OFFSET expression. NULL means not used. */
+  int iLimit, iOffset;   /* Memory registers holding LIMIT & OFFSET counters */
+  int addrOpenEphm[3];   /* OP_OpenEphem opcodes related to this select */
+};
+
+/*
+** The results of a select can be distributed in several ways.
+*/
+#define SRT_Union        1  /* Store result as keys in an index */
+#define SRT_Except       2  /* Remove result from a UNION index */
+#define SRT_Discard      3  /* Do not save the results anywhere */
+
+/* The ORDER BY clause is ignored for all of the above */
+#define IgnorableOrderby(X) (X<=SRT_Discard)
+
+#define SRT_Callback     4  /* Invoke a callback with each row of result */
+#define SRT_Mem          5  /* Store result in a memory cell */
+#define SRT_Set          6  /* Store non-null results as keys in an index */
+#define SRT_Table        7  /* Store result as data with an automatic rowid */
+#define SRT_EphemTab     8  /* Create transient tab and store like SRT_Table */
+#define SRT_Subroutine   9  /* Call a subroutine to handle results */
+#define SRT_Exists      10  /* Store 1 if the result is not empty */
+
+/*
+** An SQL parser context.  A copy of this structure is passed through
+** the parser and down into all the parser action routine in order to
+** carry around information that is global to the entire parse.
+**
+** The structure is divided into two parts.  When the parser and code
+** generate call themselves recursively, the first part of the structure
+** is constant but the second part is reset at the beginning and end of
+** each recursion.
+**
+** The nTableLock and aTableLock variables are only used if the shared-cache 
+** feature is enabled (if sqlite3Tsd()->useSharedData is true). They are
+** used to store the set of table-locks required by the statement being
+** compiled. Function sqlite3TableLock() is used to add entries to the
+** list.
+*/
+struct Parse {
+  sqlite3 *db;         /* The main database structure */
+  int rc;              /* Return code from execution */
+  char *zErrMsg;       /* An error message */
+  Vdbe *pVdbe;         /* An engine for executing database bytecode */
+  u8 colNamesSet;      /* TRUE after OP_ColumnName has been issued to pVdbe */
+  u8 nameClash;        /* A permanent table name clashes with temp table name */
+  u8 checkSchema;      /* Causes schema cookie check after an error */
+  u8 nested;           /* Number of nested calls to the parser/code generator */
+  u8 parseError;       /* True if a parsing error has been seen */
+  int nErr;            /* Number of errors seen */
+  int nTab;            /* Number of previously allocated VDBE cursors */
+  int nMem;            /* Number of memory cells used so far */
+  int nSet;            /* Number of sets used so far */
+  int ckOffset;        /* Stack offset to data used by CHECK constraints */
+  u32 writeMask;       /* Start a write transaction on these databases */
+  u32 cookieMask;      /* Bitmask of schema verified databases */
+  int cookieGoto;      /* Address of OP_Goto to cookie verifier subroutine */
+  int cookieValue[MAX_ATTACHED+2];  /* Values of cookies to verify */
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  int nTableLock;        /* Number of locks in aTableLock */
+  TableLock *aTableLock; /* Required table locks for shared-cache mode */
+#endif
+
+  /* Above is constant between recursions.  Below is reset before and after
+  ** each recursion */
+
+  int nVar;            /* Number of '?' variables seen in the SQL so far */
+  int nVarExpr;        /* Number of used slots in apVarExpr[] */
+  int nVarExprAlloc;   /* Number of allocated slots in apVarExpr[] */
+  Expr **apVarExpr;    /* Pointers to :aaa and $aaaa wildcard expressions */
+  u8 explain;          /* True if the EXPLAIN flag is found on the query */
+  Token sErrToken;     /* The token at which the error occurred */
+  Token sNameToken;    /* Token with unqualified schema object name */
+  Token sLastToken;    /* The last token parsed */
+  const char *zSql;    /* All SQL text */
+  const char *zTail;   /* All SQL text past the last semicolon parsed */
+  Table *pNewTable;    /* A table being constructed by CREATE TABLE */
+  Trigger *pNewTrigger;     /* Trigger under construct by a CREATE TRIGGER */
+  TriggerStack *trigStack;  /* Trigger actions being coded */
+  const char *zAuthContext; /* The 6th parameter to db->xAuth callbacks */
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  Token sArg;                /* Complete text of a module argument */
+  u8 declareVtab;            /* True if inside sqlite3_declare_vtab() */
+  Table *pVirtualLock;       /* Require virtual table lock on this table */
+#endif
+};
+
+#ifdef SQLITE_OMIT_VIRTUALTABLE
+  #define IN_DECLARE_VTAB 0
+#else
+  #define IN_DECLARE_VTAB (pParse->declareVtab)
+#endif
+
+/*
+** An instance of the following structure can be declared on a stack and used
+** to save the Parse.zAuthContext value so that it can be restored later.
+*/
+struct AuthContext {
+  const char *zAuthContext;   /* Put saved Parse.zAuthContext here */
+  Parse *pParse;              /* The Parse structure */
+};
+
+/*
+** Bitfield flags for P2 value in OP_Insert and OP_Delete
+*/
+#define OPFLAG_NCHANGE   1    /* Set to update db->nChange */
+#define OPFLAG_LASTROWID 2    /* Set to update db->lastRowid */
+#define OPFLAG_ISUPDATE  4    /* This OP_Insert is an sql UPDATE */
+#define OPFLAG_APPEND    8    /* This is likely to be an append */
+
+/*
+ * Each trigger present in the database schema is stored as an instance of
+ * struct Trigger. 
+ *
+ * Pointers to instances of struct Trigger are stored in two ways.
+ * 1. In the "trigHash" hash table (part of the sqlite3* that represents the 
+ *    database). This allows Trigger structures to be retrieved by name.
+ * 2. All triggers associated with a single table form a linked list, using the
+ *    pNext member of struct Trigger. A pointer to the first element of the
+ *    linked list is stored as the "pTrigger" member of the associated
+ *    struct Table.
+ *
+ * The "step_list" member points to the first element of a linked list
+ * containing the SQL statements specified as the trigger program.
+ */
+struct Trigger {
+  char *name;             /* The name of the trigger                        */
+  char *table;            /* The table or view to which the trigger applies */
+  u8 op;                  /* One of TK_DELETE, TK_UPDATE, TK_INSERT         */
+  u8 tr_tm;               /* One of TRIGGER_BEFORE, TRIGGER_AFTER */
+  Expr *pWhen;            /* The WHEN clause of the expresion (may be NULL) */
+  IdList *pColumns;       /* If this is an UPDATE OF <column-list> trigger,
+                             the <column-list> is stored here */
+  Token nameToken;        /* Token containing zName. Use during parsing only */
+  Schema *pSchema;        /* Schema containing the trigger */
+  Schema *pTabSchema;     /* Schema containing the table */
+  TriggerStep *step_list; /* Link list of trigger program steps             */
+  Trigger *pNext;         /* Next trigger associated with the table */
+};
+
+/*
+** A trigger is either a BEFORE or an AFTER trigger.  The following constants
+** determine which. 
+**
+** If there are multiple triggers, you might of some BEFORE and some AFTER.
+** In that cases, the constants below can be ORed together.
+*/
+#define TRIGGER_BEFORE  1
+#define TRIGGER_AFTER   2
+
+/*
+ * An instance of struct TriggerStep is used to store a single SQL statement
+ * that is a part of a trigger-program. 
+ *
+ * Instances of struct TriggerStep are stored in a singly linked list (linked
+ * using the "pNext" member) referenced by the "step_list" member of the 
+ * associated struct Trigger instance. The first element of the linked list is
+ * the first step of the trigger-program.
+ * 
+ * The "op" member indicates whether this is a "DELETE", "INSERT", "UPDATE" or
+ * "SELECT" statement. The meanings of the other members is determined by the 
+ * value of "op" as follows:
+ *
+ * (op == TK_INSERT)
+ * orconf    -> stores the ON CONFLICT algorithm
+ * pSelect   -> If this is an INSERT INTO ... SELECT ... statement, then
+ *              this stores a pointer to the SELECT statement. Otherwise NULL.
+ * target    -> A token holding the name of the table to insert into.
+ * pExprList -> If this is an INSERT INTO ... VALUES ... statement, then
+ *              this stores values to be inserted. Otherwise NULL.
+ * pIdList   -> If this is an INSERT INTO ... (<column-names>) VALUES ... 
+ *              statement, then this stores the column-names to be
+ *              inserted into.
+ *
+ * (op == TK_DELETE)
+ * target    -> A token holding the name of the table to delete from.
+ * pWhere    -> The WHERE clause of the DELETE statement if one is specified.
+ *              Otherwise NULL.
+ * 
+ * (op == TK_UPDATE)
+ * target    -> A token holding the name of the table to update rows of.
+ * pWhere    -> The WHERE clause of the UPDATE statement if one is specified.
+ *              Otherwise NULL.
+ * pExprList -> A list of the columns to update and the expressions to update
+ *              them to. See sqlite3Update() documentation of "pChanges"
+ *              argument.
+ * 
+ */
+struct TriggerStep {
+  int op;              /* One of TK_DELETE, TK_UPDATE, TK_INSERT, TK_SELECT */
+  int orconf;          /* OE_Rollback etc. */
+  Trigger *pTrig;      /* The trigger that this step is a part of */
+
+  Select *pSelect;     /* Valid for SELECT and sometimes 
+			  INSERT steps (when pExprList == 0) */
+  Token target;        /* Valid for DELETE, UPDATE, INSERT steps */
+  Expr *pWhere;        /* Valid for DELETE, UPDATE steps */
+  ExprList *pExprList; /* Valid for UPDATE statements and sometimes 
+			   INSERT steps (when pSelect == 0)         */
+  IdList *pIdList;     /* Valid for INSERT statements only */
+  TriggerStep *pNext;  /* Next in the link-list */
+  TriggerStep *pLast;  /* Last element in link-list. Valid for 1st elem only */
+};
+
+/*
+ * An instance of struct TriggerStack stores information required during code
+ * generation of a single trigger program. While the trigger program is being
+ * coded, its associated TriggerStack instance is pointed to by the
+ * "pTriggerStack" member of the Parse structure.
+ *
+ * The pTab member points to the table that triggers are being coded on. The 
+ * newIdx member contains the index of the vdbe cursor that points at the temp
+ * table that stores the new.* references. If new.* references are not valid
+ * for the trigger being coded (for example an ON DELETE trigger), then newIdx
+ * is set to -1. The oldIdx member is analogous to newIdx, for old.* references.
+ *
+ * The ON CONFLICT policy to be used for the trigger program steps is stored 
+ * as the orconf member. If this is OE_Default, then the ON CONFLICT clause 
+ * specified for individual triggers steps is used.
+ *
+ * struct TriggerStack has a "pNext" member, to allow linked lists to be
+ * constructed. When coding nested triggers (triggers fired by other triggers)
+ * each nested trigger stores its parent trigger's TriggerStack as the "pNext" 
+ * pointer. Once the nested trigger has been coded, the pNext value is restored
+ * to the pTriggerStack member of the Parse stucture and coding of the parent
+ * trigger continues.
+ *
+ * Before a nested trigger is coded, the linked list pointed to by the 
+ * pTriggerStack is scanned to ensure that the trigger is not about to be coded
+ * recursively. If this condition is detected, the nested trigger is not coded.
+ */
+struct TriggerStack {
+  Table *pTab;         /* Table that triggers are currently being coded on */
+  int newIdx;          /* Index of vdbe cursor to "new" temp table */
+  int oldIdx;          /* Index of vdbe cursor to "old" temp table */
+  int orconf;          /* Current orconf policy */
+  int ignoreJump;      /* where to jump to for a RAISE(IGNORE) */
+  Trigger *pTrigger;   /* The trigger currently being coded */
+  TriggerStack *pNext; /* Next trigger down on the trigger stack */
+};
+
+/*
+** The following structure contains information used by the sqliteFix...
+** routines as they walk the parse tree to make database references
+** explicit.  
+*/
+typedef struct DbFixer DbFixer;
+struct DbFixer {
+  Parse *pParse;      /* The parsing context.  Error messages written here */
+  const char *zDb;    /* Make sure all objects are contained in this database */
+  const char *zType;  /* Type of the container - used for error messages */
+  const Token *pName; /* Name of the container - used for error messages */
+};
+
+/*
+** A pointer to this structure is used to communicate information
+** from sqlite3Init and OP_ParseSchema into the sqlite3InitCallback.
+*/
+typedef struct {
+  sqlite3 *db;        /* The database being initialized */
+  int iDb;            /* 0 for main database.  1 for TEMP, 2.. for ATTACHed */
+  char **pzErrMsg;    /* Error message stored here */
+  int rc;             /* Result code stored here */
+} InitData;
+
+/*
+ * This global flag is set for performance testing of triggers. When it is set
+ * SQLite will perform the overhead of building new and old trigger references 
+ * even when no triggers exist
+ */
+extern int sqlite3_always_code_trigger_setup;
+
+/*
+** The SQLITE_CORRUPT_BKPT macro can be either a constant (for production
+** builds) or a function call (for debugging).  If it is a function call,
+** it allows the operator to set a breakpoint at the spot where database
+** corruption is first detected.
+*/
+#ifdef SQLITE_DEBUG
+  extern int sqlite3Corrupt(void);
+# define SQLITE_CORRUPT_BKPT sqlite3Corrupt()
+#else
+# define SQLITE_CORRUPT_BKPT SQLITE_CORRUPT
+#endif
+
+/*
+** Internal function prototypes
+*/
+int sqlite3StrICmp(const char *, const char *);
+int sqlite3StrNICmp(const char *, const char *, int);
+int sqlite3HashNoCase(const char *, int);
+int sqlite3IsNumber(const char*, int*, u8);
+int sqlite3Compare(const char *, const char *);
+int sqlite3SortCompare(const char *, const char *);
+void sqlite3RealToSortable(double r, char *);
+
+void *sqlite3Malloc(int,int);
+void *sqlite3MallocRaw(int,int);
+void sqlite3Free(void*);
+void *sqlite3Realloc(void*,int);
+char *sqlite3StrDup(const char*);
+char *sqlite3StrNDup(const char*, int);
+# define sqlite3CheckMemory(a,b)
+void *sqlite3ReallocOrFree(void*,int);
+void sqlite3FreeX(void*);
+void *sqlite3MallocX(int);
+int sqlite3AllocSize(void *);
+
+char *sqlite3MPrintf(const char*, ...);
+char *sqlite3VMPrintf(const char*, va_list);
+void sqlite3DebugPrintf(const char*, ...);
+void *sqlite3TextToPtr(const char*);
+void sqlite3SetString(char **, ...);
+void sqlite3ErrorMsg(Parse*, const char*, ...);
+void sqlite3ErrorClear(Parse*);
+void sqlite3Dequote(char*);
+void sqlite3DequoteExpr(Expr*);
+int sqlite3KeywordCode(const unsigned char*, int);
+int sqlite3RunParser(Parse*, const char*, char **);
+void sqlite3FinishCoding(Parse*);
+Expr *sqlite3Expr(int, Expr*, Expr*, const Token*);
+Expr *sqlite3ExprOrFree(int, Expr*, Expr*, const Token*);
+Expr *sqlite3RegisterExpr(Parse*,Token*);
+Expr *sqlite3ExprAnd(Expr*, Expr*);
+void sqlite3ExprSpan(Expr*,Token*,Token*);
+Expr *sqlite3ExprFunction(ExprList*, Token*);
+void sqlite3ExprAssignVarNumber(Parse*, Expr*);
+void sqlite3ExprDelete(Expr*);
+ExprList *sqlite3ExprListAppend(ExprList*,Expr*,Token*);
+void sqlite3ExprListDelete(ExprList*);
+int sqlite3Init(sqlite3*, char**);
+int sqlite3InitCallback(void*, int, char**, char**);
+void sqlite3Pragma(Parse*,Token*,Token*,Token*,int);
+void sqlite3ResetInternalSchema(sqlite3*, int);
+void sqlite3BeginParse(Parse*,int);
+void sqlite3CommitInternalChanges(sqlite3*);
+Table *sqlite3ResultSetOfSelect(Parse*,char*,Select*);
+void sqlite3OpenMasterTable(Parse *, int);
+void sqlite3StartTable(Parse*,Token*,Token*,int,int,int,int);
+void sqlite3AddColumn(Parse*,Token*);
+void sqlite3AddNotNull(Parse*, int);
+void sqlite3AddPrimaryKey(Parse*, ExprList*, int, int, int);
+void sqlite3AddCheckConstraint(Parse*, Expr*);
+void sqlite3AddColumnType(Parse*,Token*);
+void sqlite3AddDefaultValue(Parse*,Expr*);
+void sqlite3AddCollateType(Parse*, const char*, int);
+void sqlite3EndTable(Parse*,Token*,Token*,Select*);
+
+void sqlite3CreateView(Parse*,Token*,Token*,Token*,Select*,int,int);
+
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE)
+  int sqlite3ViewGetColumnNames(Parse*,Table*);
+#else
+# define sqlite3ViewGetColumnNames(A,B) 0
+#endif
+
+void sqlite3DropTable(Parse*, SrcList*, int, int);
+void sqlite3DeleteTable(Table*);
+void sqlite3Insert(Parse*, SrcList*, ExprList*, Select*, IdList*, int);
+void *sqlite3ArrayAllocate(void*,int,int,int*,int*,int*);
+IdList *sqlite3IdListAppend(IdList*, Token*);
+int sqlite3IdListIndex(IdList*,const char*);
+SrcList *sqlite3SrcListAppend(SrcList*, Token*, Token*);
+SrcList *sqlite3SrcListAppendFromTerm(SrcList*, Token*, Token*, Token*,
+                                      Select*, Expr*, IdList*);
+void sqlite3SrcListShiftJoinType(SrcList*);
+void sqlite3SrcListAssignCursors(Parse*, SrcList*);
+void sqlite3IdListDelete(IdList*);
+void sqlite3SrcListDelete(SrcList*);
+void sqlite3CreateIndex(Parse*,Token*,Token*,SrcList*,ExprList*,int,Token*,
+                        Token*, int, int);
+void sqlite3DropIndex(Parse*, SrcList*, int);
+void sqlite3AddKeyType(Vdbe*, ExprList*);
+void sqlite3AddIdxKeyType(Vdbe*, Index*);
+int sqlite3Select(Parse*, Select*, int, int, Select*, int, int*, char *aff);
+Select *sqlite3SelectNew(ExprList*,SrcList*,Expr*,ExprList*,Expr*,ExprList*,
+                        int,Expr*,Expr*);
+void sqlite3SelectDelete(Select*);
+void sqlite3SelectUnbind(Select*);
+Table *sqlite3SrcListLookup(Parse*, SrcList*);
+int sqlite3IsReadOnly(Parse*, Table*, int);
+void sqlite3OpenTable(Parse*, int iCur, int iDb, Table*, int);
+void sqlite3DeleteFrom(Parse*, SrcList*, Expr*);
+void sqlite3Update(Parse*, SrcList*, ExprList*, Expr*, int);
+WhereInfo *sqlite3WhereBegin(Parse*, SrcList*, Expr*, ExprList**);
+void sqlite3WhereEnd(WhereInfo*);
+void sqlite3ExprCodeGetColumn(Vdbe*, Table*, int, int);
+void sqlite3ExprCode(Parse*, Expr*);
+void sqlite3ExprCodeAndCache(Parse*, Expr*);
+int sqlite3ExprCodeExprList(Parse*, ExprList*);
+void sqlite3ExprIfTrue(Parse*, Expr*, int, int);
+void sqlite3ExprIfFalse(Parse*, Expr*, int, int);
+void sqlite3NextedParse(Parse*, const char*, ...);
+Table *sqlite3FindTable(sqlite3*,const char*, const char*);
+Table *sqlite3LocateTable(Parse*,const char*, const char*);
+Index *sqlite3FindIndex(sqlite3*,const char*, const char*);
+void sqlite3UnlinkAndDeleteTable(sqlite3*,int,const char*);
+void sqlite3UnlinkAndDeleteIndex(sqlite3*,int,const char*);
+void sqlite3Vacuum(Parse*);
+int sqlite3RunVacuum(char**, sqlite3*);
+char *sqlite3NameFromToken(Token*);
+int sqlite3ExprCheck(Parse*, Expr*, int, int*);
+int sqlite3ExprCompare(Expr*, Expr*);
+int sqliteFuncId(Token*);
+int sqlite3ExprResolveNames(NameContext *, Expr *);
+int sqlite3ExprAnalyzeAggregates(NameContext*, Expr*);
+int sqlite3ExprAnalyzeAggList(NameContext*,ExprList*);
+Vdbe *sqlite3GetVdbe(Parse*);
+Expr *sqlite3CreateIdExpr(const char*);
+void sqlite3Randomness(int, void*);
+void sqlite3RollbackAll(sqlite3*);
+void sqlite3CodeVerifySchema(Parse*, int);
+void sqlite3BeginTransaction(Parse*, int);
+void sqlite3CommitTransaction(Parse*);
+void sqlite3RollbackTransaction(Parse*);
+int sqlite3ExprIsConstant(Expr*);
+int sqlite3ExprIsConstantOrFunction(Expr*);
+int sqlite3ExprIsInteger(Expr*, int*);
+int sqlite3IsRowid(const char*);
+void sqlite3GenerateRowDelete(sqlite3*, Vdbe*, Table*, int, int);
+void sqlite3GenerateRowIndexDelete(Vdbe*, Table*, int, char*);
+void sqlite3GenerateIndexKey(Vdbe*, Index*, int);
+void sqlite3GenerateConstraintChecks(Parse*,Table*,int,char*,int,int,int,int);
+void sqlite3CompleteInsertion(Parse*, Table*, int, char*, int, int, int, int);
+void sqlite3OpenTableAndIndices(Parse*, Table*, int, int);
+void sqlite3BeginWriteOperation(Parse*, int, int);
+Expr *sqlite3ExprDup(Expr*);
+void sqlite3TokenCopy(Token*, Token*);
+ExprList *sqlite3ExprListDup(ExprList*);
+SrcList *sqlite3SrcListDup(SrcList*);
+IdList *sqlite3IdListDup(IdList*);
+Select *sqlite3SelectDup(Select*);
+FuncDef *sqlite3FindFunction(sqlite3*,const char*,int,int,u8,int);
+void sqlite3RegisterBuiltinFunctions(sqlite3*);
+void sqlite3RegisterDateTimeFunctions(sqlite3*);
+int sqlite3SafetyOn(sqlite3*);
+int sqlite3SafetyOff(sqlite3*);
+int sqlite3SafetyCheck(sqlite3*);
+void sqlite3ChangeCookie(sqlite3*, Vdbe*, int);
+
+#ifndef SQLITE_OMIT_TRIGGER
+  void sqlite3BeginTrigger(Parse*, Token*,Token*,int,int,IdList*,SrcList*,
+                           Expr*,int, int);
+  void sqlite3FinishTrigger(Parse*, TriggerStep*, Token*);
+  void sqlite3DropTrigger(Parse*, SrcList*, int);
+  void sqlite3DropTriggerPtr(Parse*, Trigger*);
+  int sqlite3TriggersExist(Parse*, Table*, int, ExprList*);
+  int sqlite3CodeRowTrigger(Parse*, int, ExprList*, int, Table *, int, int, 
+                           int, int);
+  void sqliteViewTriggers(Parse*, Table*, Expr*, int, ExprList*);
+  void sqlite3DeleteTriggerStep(TriggerStep*);
+  TriggerStep *sqlite3TriggerSelectStep(Select*);
+  TriggerStep *sqlite3TriggerInsertStep(Token*, IdList*, ExprList*,Select*,int);
+  TriggerStep *sqlite3TriggerUpdateStep(Token*, ExprList*, Expr*, int);
+  TriggerStep *sqlite3TriggerDeleteStep(Token*, Expr*);
+  void sqlite3DeleteTrigger(Trigger*);
+  void sqlite3UnlinkAndDeleteTrigger(sqlite3*,int,const char*);
+#else
+# define sqlite3TriggersExist(A,B,C,D,E,F) 0
+# define sqlite3DeleteTrigger(A)
+# define sqlite3DropTriggerPtr(A,B)
+# define sqlite3UnlinkAndDeleteTrigger(A,B,C)
+# define sqlite3CodeRowTrigger(A,B,C,D,E,F,G,H,I) 0
+#endif
+
+int sqlite3JoinType(Parse*, Token*, Token*, Token*);
+void sqlite3CreateForeignKey(Parse*, ExprList*, Token*, ExprList*, int);
+void sqlite3DeferForeignKey(Parse*, int);
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  void sqlite3AuthRead(Parse*,Expr*,SrcList*);
+  int sqlite3AuthCheck(Parse*,int, const char*, const char*, const char*);
+  void sqlite3AuthContextPush(Parse*, AuthContext*, const char*);
+  void sqlite3AuthContextPop(AuthContext*);
+#else
+# define sqlite3AuthRead(a,b,c)
+# define sqlite3AuthCheck(a,b,c,d,e)    SQLITE_OK
+# define sqlite3AuthContextPush(a,b,c)
+# define sqlite3AuthContextPop(a)  ((void)(a))
+#endif
+void sqlite3Attach(Parse*, Expr*, Expr*, Expr*);
+void sqlite3Detach(Parse*, Expr*);
+int sqlite3BtreeFactory(const sqlite3 *db, const char *zFilename,
+                       int omitJournal, int nCache, Btree **ppBtree);
+int sqlite3FixInit(DbFixer*, Parse*, int, const char*, const Token*);
+int sqlite3FixSrcList(DbFixer*, SrcList*);
+int sqlite3FixSelect(DbFixer*, Select*);
+int sqlite3FixExpr(DbFixer*, Expr*);
+int sqlite3FixExprList(DbFixer*, ExprList*);
+int sqlite3FixTriggerStep(DbFixer*, TriggerStep*);
+int sqlite3AtoF(const char *z, double*);
+char *sqlite3_snprintf(int,char*,const char*,...);
+int sqlite3GetInt32(const char *, int*);
+int sqlite3FitsIn64Bits(const char *);
+int sqlite3utf16ByteLen(const void *pData, int nChar);
+int sqlite3utf8CharLen(const char *pData, int nByte);
+int sqlite3ReadUtf8(const unsigned char *);
+int sqlite3PutVarint(unsigned char *, u64);
+int sqlite3GetVarint(const unsigned char *, u64 *);
+int sqlite3GetVarint32(const unsigned char *, u32 *);
+int sqlite3VarintLen(u64 v);
+void sqlite3IndexAffinityStr(Vdbe *, Index *);
+void sqlite3TableAffinityStr(Vdbe *, Table *);
+char sqlite3CompareAffinity(Expr *pExpr, char aff2);
+int sqlite3IndexAffinityOk(Expr *pExpr, char idx_affinity);
+char sqlite3ExprAffinity(Expr *pExpr);
+int sqlite3atoi64(const char*, i64*);
+void sqlite3Error(sqlite3*, int, const char*,...);
+void *sqlite3HexToBlob(const char *z);
+int sqlite3TwoPartName(Parse *, Token *, Token *, Token **);
+const char *sqlite3ErrStr(int);
+int sqlite3ReadUniChar(const char *zStr, int *pOffset, u8 *pEnc, int fold);
+int sqlite3ReadSchema(Parse *pParse);
+CollSeq *sqlite3FindCollSeq(sqlite3*,u8 enc, const char *,int,int);
+CollSeq *sqlite3LocateCollSeq(Parse *pParse, const char *zName, int nName);
+CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr);
+Expr *sqlite3ExprSetColl(Parse *pParse, Expr *, Token *);
+int sqlite3CheckCollSeq(Parse *, CollSeq *);
+int sqlite3CheckIndexCollSeq(Parse *, Index *);
+int sqlite3CheckObjectName(Parse *, const char *);
+void sqlite3VdbeSetChanges(sqlite3 *, int);
+void sqlite3utf16Substr(sqlite3_context *,int,sqlite3_value **);
+
+const void *sqlite3ValueText(sqlite3_value*, u8);
+int sqlite3ValueBytes(sqlite3_value*, u8);
+void sqlite3ValueSetStr(sqlite3_value*, int, const void *,u8, void(*)(void*));
+void sqlite3ValueFree(sqlite3_value*);
+sqlite3_value *sqlite3ValueNew(void);
+char *sqlite3utf16to8(const void*, int);
+int sqlite3ValueFromExpr(Expr *, u8, u8, sqlite3_value **);
+void sqlite3ValueApplyAffinity(sqlite3_value *, u8, u8);
+extern const unsigned char sqlite3UpperToLower[];
+void sqlite3RootPageMoved(Db*, int, int);
+void sqlite3Reindex(Parse*, Token*, Token*);
+void sqlite3AlterFunctions(sqlite3*);
+void sqlite3AlterRenameTable(Parse*, SrcList*, Token*);
+int sqlite3GetToken(const unsigned char *, int *);
+void sqlite3NestedParse(Parse*, const char*, ...);
+void sqlite3ExpirePreparedStatements(sqlite3*);
+void sqlite3CodeSubselect(Parse *, Expr *);
+int sqlite3SelectResolve(Parse *, Select *, NameContext *);
+void sqlite3ColumnDefault(Vdbe *, Table *, int);
+void sqlite3AlterFinishAddColumn(Parse *, Token *);
+void sqlite3AlterBeginAddColumn(Parse *, SrcList *);
+const char *sqlite3TestErrorName(int);
+CollSeq *sqlite3GetCollSeq(sqlite3*, CollSeq *, const char *, int);
+char sqlite3AffinityType(const Token*);
+void sqlite3Analyze(Parse*, Token*, Token*);
+int sqlite3InvokeBusyHandler(BusyHandler*);
+int sqlite3FindDb(sqlite3*, Token*);
+void sqlite3AnalysisLoad(sqlite3*,int iDB);
+void sqlite3DefaultRowEst(Index*);
+void sqlite3RegisterLikeFunctions(sqlite3*, int);
+int sqlite3IsLikeFunction(sqlite3*,Expr*,int*,char*);
+ThreadData *sqlite3ThreadData(void);
+const ThreadData *sqlite3ThreadDataReadOnly(void);
+void sqlite3ReleaseThreadData(void);
+void sqlite3AttachFunctions(sqlite3 *);
+void sqlite3MinimumFileFormat(Parse*, int, int);
+void sqlite3SchemaFree(void *);
+Schema *sqlite3SchemaGet(Btree *);
+int sqlite3SchemaToIndex(sqlite3 *db, Schema *);
+KeyInfo *sqlite3IndexKeyinfo(Parse *, Index *);
+int sqlite3CreateFunc(sqlite3 *, const char *, int, int, void *, 
+  void (*)(sqlite3_context*,int,sqlite3_value **),
+  void (*)(sqlite3_context*,int,sqlite3_value **), void (*)(sqlite3_context*));
+int sqlite3ApiExit(sqlite3 *db, int);
+int sqlite3MallocFailed(void);
+void sqlite3FailedMalloc(void);
+void sqlite3AbortOtherActiveVdbes(sqlite3 *, Vdbe *);
+int sqlite3OpenTempDatabase(Parse *);
+
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+  void sqlite3CloseExtensions(sqlite3*);
+  int sqlite3AutoLoadExtensions(sqlite3*);
+#else
+# define sqlite3CloseExtensions(X)
+# define sqlite3AutoLoadExtensions(X)  SQLITE_OK
+#endif
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  void sqlite3TableLock(Parse *, int, int, u8, const char *);
+#else
+  #define sqlite3TableLock(v,w,x,y,z)
+#endif
+
+#ifdef SQLITE_MEMDEBUG
+  void sqlite3MallocDisallow(void);
+  void sqlite3MallocAllow(void);
+  int sqlite3TestMallocFail(void);
+#else
+  #define sqlite3TestMallocFail() 0
+  #define sqlite3MallocDisallow()
+  #define sqlite3MallocAllow()
+#endif
+
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  void *sqlite3ThreadSafeMalloc(int);
+  void sqlite3ThreadSafeFree(void *);
+#else
+  #define sqlite3ThreadSafeMalloc sqlite3MallocX
+  #define sqlite3ThreadSafeFree sqlite3FreeX
+#endif
+
+#ifdef SQLITE_OMIT_VIRTUALTABLE
+#  define sqlite3VtabClear(X)
+#  define sqlite3VtabSync(X,Y) (Y)
+#  define sqlite3VtabRollback(X)
+#  define sqlite3VtabCommit(X)
+#else
+   void sqlite3VtabClear(Table*);
+   int sqlite3VtabSync(sqlite3 *db, int rc);
+   int sqlite3VtabRollback(sqlite3 *db);
+   int sqlite3VtabCommit(sqlite3 *db);
+#endif
+void sqlite3VtabLock(sqlite3_vtab*);
+void sqlite3VtabUnlock(sqlite3*, sqlite3_vtab*);
+void sqlite3VtabBeginParse(Parse*, Token*, Token*, Token*);
+void sqlite3VtabFinishParse(Parse*, Token*);
+void sqlite3VtabArgInit(Parse*);
+void sqlite3VtabArgExtend(Parse*, Token*);
+int sqlite3VtabCallCreate(sqlite3*, int, const char *, char **);
+int sqlite3VtabCallConnect(Parse*, Table*);
+int sqlite3VtabCallDestroy(sqlite3*, int, const char *);
+int sqlite3VtabBegin(sqlite3 *, sqlite3_vtab *);
+FuncDef *sqlite3VtabOverloadFunction(FuncDef*, int nArg, Expr*);
+void sqlite3InvalidFunction(sqlite3_context*,int,sqlite3_value**);
+int sqlite3Reprepare(Vdbe*);
+
+#ifdef SQLITE_SSE
+#include "sseInt.h"
+#endif
+
+/*
+** If the SQLITE_ENABLE IOTRACE exists then the global variable
+** sqlite3_io_trace is a pointer to a printf-like routine used to
+** print I/O tracing messages. 
+*/
+#ifdef SQLITE_ENABLE_IOTRACE
+# define IOTRACE(A)  if( sqlite3_io_trace ){ sqlite3_io_trace A; }
+  void sqlite3VdbeIOTraceSql(Vdbe*);
+#else
+# define IOTRACE(A)
+# define sqlite3VdbeIOTraceSql(X)
+#endif
+extern void (*sqlite3_io_trace)(const char*,...);
+
+#endif
+
+/************** End of sqliteInt.h *******************************************/
+/************** Continuing where we left off in date.c ***********************/
+/************** Include os.h in the middle of date.c *************************/
+/************** Begin file os.h **********************************************/
+/*
+** 2001 September 16
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This header file (together with is companion C source-code file
+** "os.c") attempt to abstract the underlying operating system so that
+** the SQLite library will work on both POSIX and windows systems.
+*/
+#ifndef _SQLITE_OS_H_
+#define _SQLITE_OS_H_
+
+/*
+** Figure out if we are dealing with Unix, Windows, or some other
+** operating system.
+*/
+#if defined(OS_OTHER)
+# if OS_OTHER==1
+#   undef OS_UNIX
+#   define OS_UNIX 0
+#   undef OS_WIN
+#   define OS_WIN 0
+#   undef OS_OS2
+#   define OS_OS2 0
+# else
+#   undef OS_OTHER
+# endif
+#endif
+#if !defined(OS_UNIX) && !defined(OS_OTHER)
+# define OS_OTHER 0
+# ifndef OS_WIN
+#   if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || defined(__MINGW32__) || defined(__BORLANDC__)
+#     define OS_WIN 1
+#     define OS_UNIX 0
+#     define OS_OS2 0
+#   elif defined(_EMX_) || defined(_OS2) || defined(OS2) || defined(_OS2_) || defined(__OS2__)
+#     define OS_WIN 0
+#     define OS_UNIX 0
+#     define OS_OS2 1
+#   else
+#     define OS_WIN 0
+#     define OS_UNIX 1
+#     define OS_OS2 0
+#  endif
+# else
+#  define OS_UNIX 0
+#  define OS_OS2 0
+# endif
+#else
+# ifndef OS_WIN
+#  define OS_WIN 0
+# endif
+#endif
+
+
+/*
+** Define the maximum size of a temporary filename
+*/
+#if OS_WIN
+# include <windows.h>
+# define SQLITE_TEMPNAME_SIZE (MAX_PATH+50)
+#elif OS_OS2
+# define INCL_DOSDATETIME
+# define INCL_DOSFILEMGR
+# define INCL_DOSERRORS
+# define INCL_DOSMISC
+# define INCL_DOSPROCESS
+# define INCL_DOSMODULEMGR
+# include <os2.h>
+# define SQLITE_TEMPNAME_SIZE (CCHMAXPATHCOMP)
+#else
+# define SQLITE_TEMPNAME_SIZE 200
+#endif
+
+/* If the SET_FULLSYNC macro is not defined above, then make it
+** a no-op
+*/
+#ifndef SET_FULLSYNC
+# define SET_FULLSYNC(x,y)
+#endif
+
+/*
+** The default size of a disk sector
+*/
+#ifndef SQLITE_DEFAULT_SECTOR_SIZE
+# define SQLITE_DEFAULT_SECTOR_SIZE 512
+#endif
+
+/*
+** Temporary files are named starting with this prefix followed by 16 random
+** alphanumeric characters, and no file extension. They are stored in the
+** OS's standard temporary file directory, and are deleted prior to exit.
+** If sqlite is being embedded in another program, you may wish to change the
+** prefix to reflect your program's name, so that if your program exits
+** prematurely, old temporary files can be easily identified. This can be done
+** using -DTEMP_FILE_PREFIX=myprefix_ on the compiler command line.
+**
+** 2006-10-31:  The default prefix used to be "sqlite_".  But then
+** Mcafee started using SQLite in their anti-virus product and it
+** started putting files with the "sqlite" name in the c:/temp folder.
+** This annoyed many windows users.  Those users would then do a 
+** Google search for "sqlite", find the telephone numbers of the
+** developers and call to wake them up at night and complain.
+** For this reason, the default name prefix is changed to be "sqlite" 
+** spelled backwards.  So the temp files are still identified, but
+** anybody smart enough to figure out the code is also likely smart
+** enough to know that calling the developer will not help get rid
+** of the file.
+*/
+#ifndef TEMP_FILE_PREFIX
+# define TEMP_FILE_PREFIX "etilqs_"
+#endif
+
+/*
+** Define the interfaces for Unix, Windows, and OS/2.
+*/
+#if OS_UNIX
+#define sqlite3OsOpenReadWrite      sqlite3UnixOpenReadWrite
+#define sqlite3OsOpenExclusive      sqlite3UnixOpenExclusive
+#define sqlite3OsOpenReadOnly       sqlite3UnixOpenReadOnly
+#define sqlite3OsDelete             sqlite3UnixDelete
+#define sqlite3OsFileExists         sqlite3UnixFileExists
+#define sqlite3OsFullPathname       sqlite3UnixFullPathname
+#define sqlite3OsIsDirWritable      sqlite3UnixIsDirWritable
+#define sqlite3OsSyncDirectory      sqlite3UnixSyncDirectory
+#define sqlite3OsTempFileName       sqlite3UnixTempFileName
+#define sqlite3OsRandomSeed         sqlite3UnixRandomSeed
+#define sqlite3OsSleep              sqlite3UnixSleep
+#define sqlite3OsCurrentTime        sqlite3UnixCurrentTime
+#define sqlite3OsEnterMutex         sqlite3UnixEnterMutex
+#define sqlite3OsLeaveMutex         sqlite3UnixLeaveMutex
+#define sqlite3OsInMutex            sqlite3UnixInMutex
+#define sqlite3OsThreadSpecificData sqlite3UnixThreadSpecificData
+#define sqlite3OsMalloc             sqlite3GenericMalloc
+#define sqlite3OsRealloc            sqlite3GenericRealloc
+#define sqlite3OsFree               sqlite3GenericFree
+#define sqlite3OsAllocationSize     sqlite3GenericAllocationSize
+#define sqlite3OsDlopen             sqlite3UnixDlopen
+#define sqlite3OsDlsym              sqlite3UnixDlsym
+#define sqlite3OsDlclose            sqlite3UnixDlclose
+#endif
+#if OS_WIN
+#define sqlite3OsOpenReadWrite      sqlite3WinOpenReadWrite
+#define sqlite3OsOpenExclusive      sqlite3WinOpenExclusive
+#define sqlite3OsOpenReadOnly       sqlite3WinOpenReadOnly
+#define sqlite3OsDelete             sqlite3WinDelete
+#define sqlite3OsFileExists         sqlite3WinFileExists
+#define sqlite3OsFullPathname       sqlite3WinFullPathname
+#define sqlite3OsIsDirWritable      sqlite3WinIsDirWritable
+#define sqlite3OsSyncDirectory      sqlite3WinSyncDirectory
+#define sqlite3OsTempFileName       sqlite3WinTempFileName
+#define sqlite3OsRandomSeed         sqlite3WinRandomSeed
+#define sqlite3OsSleep              sqlite3WinSleep
+#define sqlite3OsCurrentTime        sqlite3WinCurrentTime
+#define sqlite3OsEnterMutex         sqlite3WinEnterMutex
+#define sqlite3OsLeaveMutex         sqlite3WinLeaveMutex
+#define sqlite3OsInMutex            sqlite3WinInMutex
+#define sqlite3OsThreadSpecificData sqlite3WinThreadSpecificData
+#define sqlite3OsMalloc             sqlite3GenericMalloc
+#define sqlite3OsRealloc            sqlite3GenericRealloc
+#define sqlite3OsFree               sqlite3GenericFree
+#define sqlite3OsAllocationSize     sqlite3GenericAllocationSize
+#define sqlite3OsDlopen             sqlite3WinDlopen
+#define sqlite3OsDlsym              sqlite3WinDlsym
+#define sqlite3OsDlclose            sqlite3WinDlclose
+#endif
+#if OS_OS2
+#define sqlite3OsOpenReadWrite      sqlite3Os2OpenReadWrite
+#define sqlite3OsOpenExclusive      sqlite3Os2OpenExclusive
+#define sqlite3OsOpenReadOnly       sqlite3Os2OpenReadOnly
+#define sqlite3OsDelete             sqlite3Os2Delete
+#define sqlite3OsFileExists         sqlite3Os2FileExists
+#define sqlite3OsFullPathname       sqlite3Os2FullPathname
+#define sqlite3OsIsDirWritable      sqlite3Os2IsDirWritable
+#define sqlite3OsSyncDirectory      sqlite3Os2SyncDirectory
+#define sqlite3OsTempFileName       sqlite3Os2TempFileName
+#define sqlite3OsRandomSeed         sqlite3Os2RandomSeed
+#define sqlite3OsSleep              sqlite3Os2Sleep
+#define sqlite3OsCurrentTime        sqlite3Os2CurrentTime
+#define sqlite3OsEnterMutex         sqlite3Os2EnterMutex
+#define sqlite3OsLeaveMutex         sqlite3Os2LeaveMutex
+#define sqlite3OsInMutex            sqlite3Os2InMutex
+#define sqlite3OsThreadSpecificData sqlite3Os2ThreadSpecificData
+#define sqlite3OsMalloc             sqlite3GenericMalloc
+#define sqlite3OsRealloc            sqlite3GenericRealloc
+#define sqlite3OsFree               sqlite3GenericFree
+#define sqlite3OsAllocationSize     sqlite3GenericAllocationSize
+#define sqlite3OsDlopen             sqlite3Os2Dlopen
+#define sqlite3OsDlsym              sqlite3Os2Dlsym
+#define sqlite3OsDlclose            sqlite3Os2Dlclose
+#endif
+
+
+
+
+/*
+** If using an alternative OS interface, then we must have an "os_other.h"
+** header file available for that interface.  Presumably the "os_other.h"
+** header file contains #defines similar to those above.
+*/
+#if OS_OTHER
+# include "os_other.h"
+#endif
+
+
+
+/*
+** Forward declarations
+*/
+typedef struct OsFile OsFile;
+typedef struct IoMethod IoMethod;
+
+/*
+** An instance of the following structure contains pointers to all
+** methods on an OsFile object.
+*/
+struct IoMethod {
+  int (*xClose)(OsFile**);
+  int (*xOpenDirectory)(OsFile*, const char*);
+  int (*xRead)(OsFile*, void*, int amt);
+  int (*xWrite)(OsFile*, const void*, int amt);
+  int (*xSeek)(OsFile*, i64 offset);
+  int (*xTruncate)(OsFile*, i64 size);
+  int (*xSync)(OsFile*, int);
+  void (*xSetFullSync)(OsFile *id, int setting);
+  int (*xFileHandle)(OsFile *id);
+  int (*xFileSize)(OsFile*, i64 *pSize);
+  int (*xLock)(OsFile*, int);
+  int (*xUnlock)(OsFile*, int);
+  int (*xLockState)(OsFile *id);
+  int (*xCheckReservedLock)(OsFile *id);
+  int (*xSectorSize)(OsFile *id);
+};
+
+/*
+** The OsFile object describes an open disk file in an OS-dependent way.
+** The version of OsFile defined here is a generic version.  Each OS
+** implementation defines its own subclass of this structure that contains
+** additional information needed to handle file I/O.  But the pMethod
+** entry (pointing to the virtual function table) always occurs first
+** so that we can always find the appropriate methods.
+*/
+struct OsFile {
+  IoMethod const *pMethod;
+};
+
+/*
+** The following values may be passed as the second argument to
+** sqlite3OsLock(). The various locks exhibit the following semantics:
+**
+** SHARED:    Any number of processes may hold a SHARED lock simultaneously.
+** RESERVED:  A single process may hold a RESERVED lock on a file at
+**            any time. Other processes may hold and obtain new SHARED locks.
+** PENDING:   A single process may hold a PENDING lock on a file at
+**            any one time. Existing SHARED locks may persist, but no new
+**            SHARED locks may be obtained by other processes.
+** EXCLUSIVE: An EXCLUSIVE lock precludes all other locks.
+**
+** PENDING_LOCK may not be passed directly to sqlite3OsLock(). Instead, a
+** process that requests an EXCLUSIVE lock may actually obtain a PENDING
+** lock. This can be upgraded to an EXCLUSIVE lock by a subsequent call to
+** sqlite3OsLock().
+*/
+#define NO_LOCK         0
+#define SHARED_LOCK     1
+#define RESERVED_LOCK   2
+#define PENDING_LOCK    3
+#define EXCLUSIVE_LOCK  4
+
+/*
+** File Locking Notes:  (Mostly about windows but also some info for Unix)
+**
+** We cannot use LockFileEx() or UnlockFileEx() on Win95/98/ME because
+** those functions are not available.  So we use only LockFile() and
+** UnlockFile().
+**
+** LockFile() prevents not just writing but also reading by other processes.
+** A SHARED_LOCK is obtained by locking a single randomly-chosen 
+** byte out of a specific range of bytes. The lock byte is obtained at 
+** random so two separate readers can probably access the file at the 
+** same time, unless they are unlucky and choose the same lock byte.
+** An EXCLUSIVE_LOCK is obtained by locking all bytes in the range.
+** There can only be one writer.  A RESERVED_LOCK is obtained by locking
+** a single byte of the file that is designated as the reserved lock byte.
+** A PENDING_LOCK is obtained by locking a designated byte different from
+** the RESERVED_LOCK byte.
+**
+** On WinNT/2K/XP systems, LockFileEx() and UnlockFileEx() are available,
+** which means we can use reader/writer locks.  When reader/writer locks
+** are used, the lock is placed on the same range of bytes that is used
+** for probabilistic locking in Win95/98/ME.  Hence, the locking scheme
+** will support two or more Win95 readers or two or more WinNT readers.
+** But a single Win95 reader will lock out all WinNT readers and a single
+** WinNT reader will lock out all other Win95 readers.
+**
+** The following #defines specify the range of bytes used for locking.
+** SHARED_SIZE is the number of bytes available in the pool from which
+** a random byte is selected for a shared lock.  The pool of bytes for
+** shared locks begins at SHARED_FIRST. 
+**
+** These #defines are available in sqlite_aux.h so that adaptors for
+** connecting SQLite to other operating systems can use the same byte
+** ranges for locking.  In particular, the same locking strategy and
+** byte ranges are used for Unix.  This leaves open the possiblity of having
+** clients on win95, winNT, and unix all talking to the same shared file
+** and all locking correctly.  To do so would require that samba (or whatever
+** tool is being used for file sharing) implements locks correctly between
+** windows and unix.  I'm guessing that isn't likely to happen, but by
+** using the same locking range we are at least open to the possibility.
+**
+** Locking in windows is manditory.  For this reason, we cannot store
+** actual data in the bytes used for locking.  The pager never allocates
+** the pages involved in locking therefore.  SHARED_SIZE is selected so
+** that all locks will fit on a single page even at the minimum page size.
+** PENDING_BYTE defines the beginning of the locks.  By default PENDING_BYTE
+** is set high so that we don't have to allocate an unused page except
+** for very large databases.  But one should test the page skipping logic 
+** by setting PENDING_BYTE low and running the entire regression suite.
+**
+** Changing the value of PENDING_BYTE results in a subtly incompatible
+** file format.  Depending on how it is changed, you might not notice
+** the incompatibility right away, even running a full regression test.
+** The default location of PENDING_BYTE is the first byte past the
+** 1GB boundary.
+**
+*/
+#ifndef SQLITE_TEST
+#define PENDING_BYTE      0x40000000  /* First byte past the 1GB boundary */
+#else
+extern unsigned int sqlite3_pending_byte;
+#define PENDING_BYTE sqlite3_pending_byte
+#endif
+
+#define RESERVED_BYTE     (PENDING_BYTE+1)
+#define SHARED_FIRST      (PENDING_BYTE+2)
+#define SHARED_SIZE       510
+
+/*
+** Prototypes for operating system interface routines.
+*/
+int sqlite3OsClose(OsFile**);
+int sqlite3OsOpenDirectory(OsFile*, const char*);
+int sqlite3OsRead(OsFile*, void*, int amt);
+int sqlite3OsWrite(OsFile*, const void*, int amt);
+int sqlite3OsSeek(OsFile*, i64 offset);
+int sqlite3OsTruncate(OsFile*, i64 size);
+int sqlite3OsSync(OsFile*, int);
+void sqlite3OsSetFullSync(OsFile *id, int setting);
+int sqlite3OsFileHandle(OsFile *id);
+int sqlite3OsFileSize(OsFile*, i64 *pSize);
+int sqlite3OsLock(OsFile*, int);
+int sqlite3OsUnlock(OsFile*, int);
+int sqlite3OsLockState(OsFile *id);
+int sqlite3OsCheckReservedLock(OsFile *id);
+int sqlite3OsOpenReadWrite(const char*, OsFile**, int*);
+int sqlite3OsOpenExclusive(const char*, OsFile**, int);
+int sqlite3OsOpenReadOnly(const char*, OsFile**);
+int sqlite3OsDelete(const char*);
+int sqlite3OsFileExists(const char*);
+char *sqlite3OsFullPathname(const char*);
+int sqlite3OsIsDirWritable(char*);
+int sqlite3OsSyncDirectory(const char*);
+int sqlite3OsSectorSize(OsFile *id);
+int sqlite3OsTempFileName(char*);
+int sqlite3OsRandomSeed(char*);
+int sqlite3OsSleep(int ms);
+int sqlite3OsCurrentTime(double*);
+void sqlite3OsEnterMutex(void);
+void sqlite3OsLeaveMutex(void);
+int sqlite3OsInMutex(int);
+ThreadData *sqlite3OsThreadSpecificData(int);
+void *sqlite3OsMalloc(int);
+void *sqlite3OsRealloc(void *, int);
+void sqlite3OsFree(void *);
+int sqlite3OsAllocationSize(void *);
+void *sqlite3OsDlopen(const char*);
+void *sqlite3OsDlsym(void*, const char*);
+int sqlite3OsDlclose(void*);
+
+/*
+** If the SQLITE_ENABLE_REDEF_IO macro is defined, then the OS-layer
+** interface routines are not called directly but are invoked using
+** pointers to functions.  This allows the implementation of various
+** OS-layer interface routines to be modified at run-time.  There are
+** obscure but legitimate reasons for wanting to do this.  But for
+** most users, a direct call to the underlying interface is preferable
+** so the the redefinable I/O interface is turned off by default.
+*/
+#ifdef SQLITE_ENABLE_REDEF_IO
+
+/*
+** When redefinable I/O is enabled, a single global instance of the
+** following structure holds pointers to the routines that SQLite 
+** uses to talk with the underlying operating system.  Modify this
+** structure (before using any SQLite API!) to accomodate perculiar
+** operating system interfaces or behaviors.
+*/
+struct sqlite3OsVtbl {
+  int (*xOpenReadWrite)(const char*, OsFile**, int*);
+  int (*xOpenExclusive)(const char*, OsFile**, int);
+  int (*xOpenReadOnly)(const char*, OsFile**);
+
+  int (*xDelete)(const char*);
+  int (*xFileExists)(const char*);
+  char *(*xFullPathname)(const char*);
+  int (*xIsDirWritable)(char*);
+  int (*xSyncDirectory)(const char*);
+  int (*xTempFileName)(char*);
+
+  int (*xRandomSeed)(char*);
+  int (*xSleep)(int ms);
+  int (*xCurrentTime)(double*);
+
+  void (*xEnterMutex)(void);
+  void (*xLeaveMutex)(void);
+  int (*xInMutex)(int);
+  ThreadData *(*xThreadSpecificData)(int);
+
+  void *(*xMalloc)(int);
+  void *(*xRealloc)(void *, int);
+  void (*xFree)(void *);
+  int (*xAllocationSize)(void *);
+
+  void *(*xDlopen)(const char*);
+  void *(*xDlsym)(void*, const char*);
+  int (*xDlclose)(void*);
+};
+
+/* Macro used to comment out routines that do not exists when there is
+** no disk I/O or extension loading
+*/
+#ifdef SQLITE_OMIT_DISKIO
+# define IF_DISKIO(X)  0
+#else
+# define IF_DISKIO(X)  X
+#endif
+#ifdef SQLITE_OMIT_LOAD_EXTENSION
+# define IF_DLOPEN(X)  0
+#else
+# define IF_DLOPEN(X)  X
+#endif
+
+
+#if defined(_SQLITE_OS_C_) || defined(SQLITE_AMALGAMATION)
+  /*
+  ** The os.c file implements the global virtual function table.
+  ** We have to put this file here because the initializers
+  ** (ex: sqlite3OsRandomSeed) are macros that are about to be
+  ** redefined.
+  */
+  struct sqlite3OsVtbl sqlite3Os = {
+    IF_DISKIO( sqlite3OsOpenReadWrite ),
+    IF_DISKIO( sqlite3OsOpenExclusive ),
+    IF_DISKIO( sqlite3OsOpenReadOnly ),
+    IF_DISKIO( sqlite3OsDelete ),
+    IF_DISKIO( sqlite3OsFileExists ),
+    IF_DISKIO( sqlite3OsFullPathname ),
+    IF_DISKIO( sqlite3OsIsDirWritable ),
+    IF_DISKIO( sqlite3OsSyncDirectory ),
+    IF_DISKIO( sqlite3OsTempFileName ),
+    sqlite3OsRandomSeed,
+    sqlite3OsSleep,
+    sqlite3OsCurrentTime,
+    sqlite3OsEnterMutex,
+    sqlite3OsLeaveMutex,
+    sqlite3OsInMutex,
+    sqlite3OsThreadSpecificData,
+    sqlite3OsMalloc,
+    sqlite3OsRealloc,
+    sqlite3OsFree,
+    sqlite3OsAllocationSize,
+    IF_DLOPEN( sqlite3OsDlopen ),
+    IF_DLOPEN( sqlite3OsDlsym ),
+    IF_DLOPEN( sqlite3OsDlclose ),
+  };
+#else
+  /*
+  ** Files other than os.c just reference the global virtual function table. 
+  */
+  extern struct sqlite3OsVtbl sqlite3Os;
+#endif /* _SQLITE_OS_C_ */
+
+
+/* This additional API routine is available with redefinable I/O */
+struct sqlite3OsVtbl *sqlite3_os_switch(void);
+
+
+/*
+** Redefine the OS interface to go through the virtual function table
+** rather than calling routines directly.
+*/
+#undef sqlite3OsOpenReadWrite
+#undef sqlite3OsOpenExclusive
+#undef sqlite3OsOpenReadOnly
+#undef sqlite3OsDelete
+#undef sqlite3OsFileExists
+#undef sqlite3OsFullPathname
+#undef sqlite3OsIsDirWritable
+#undef sqlite3OsSyncDirectory
+#undef sqlite3OsTempFileName
+#undef sqlite3OsRandomSeed
+#undef sqlite3OsSleep
+#undef sqlite3OsCurrentTime
+#undef sqlite3OsEnterMutex
+#undef sqlite3OsLeaveMutex
+#undef sqlite3OsInMutex
+#undef sqlite3OsThreadSpecificData
+#undef sqlite3OsMalloc
+#undef sqlite3OsRealloc
+#undef sqlite3OsFree
+#undef sqlite3OsAllocationSize
+#define sqlite3OsOpenReadWrite      sqlite3Os.xOpenReadWrite
+#define sqlite3OsOpenExclusive      sqlite3Os.xOpenExclusive
+#define sqlite3OsOpenReadOnly       sqlite3Os.xOpenReadOnly
+#define sqlite3OsDelete             sqlite3Os.xDelete
+#define sqlite3OsFileExists         sqlite3Os.xFileExists
+#define sqlite3OsFullPathname       sqlite3Os.xFullPathname
+#define sqlite3OsIsDirWritable      sqlite3Os.xIsDirWritable
+#define sqlite3OsSyncDirectory      sqlite3Os.xSyncDirectory
+#define sqlite3OsTempFileName       sqlite3Os.xTempFileName
+#define sqlite3OsRandomSeed         sqlite3Os.xRandomSeed
+#define sqlite3OsSleep              sqlite3Os.xSleep
+#define sqlite3OsCurrentTime        sqlite3Os.xCurrentTime
+#define sqlite3OsEnterMutex         sqlite3Os.xEnterMutex
+#define sqlite3OsLeaveMutex         sqlite3Os.xLeaveMutex
+#define sqlite3OsInMutex            sqlite3Os.xInMutex
+#define sqlite3OsThreadSpecificData sqlite3Os.xThreadSpecificData
+#define sqlite3OsMalloc             sqlite3Os.xMalloc
+#define sqlite3OsRealloc            sqlite3Os.xRealloc
+#define sqlite3OsFree               sqlite3Os.xFree
+#define sqlite3OsAllocationSize     sqlite3Os.xAllocationSize
+
+#endif /* SQLITE_ENABLE_REDEF_IO */
+
+#endif /* _SQLITE_OS_H_ */
+
+/************** End of os.h **************************************************/
+/************** Continuing where we left off in date.c ***********************/
+#include <ctype.h>
+#include <time.h>
+
+#ifndef SQLITE_OMIT_DATETIME_FUNCS
+
+/*
+** A structure for holding a single date and time.
+*/
+typedef struct DateTime DateTime;
+struct DateTime {
+  double rJD;      /* The julian day number */
+  int Y, M, D;     /* Year, month, and day */
+  int h, m;        /* Hour and minutes */
+  int tz;          /* Timezone offset in minutes */
+  double s;        /* Seconds */
+  char validYMD;   /* True if Y,M,D are valid */
+  char validHMS;   /* True if h,m,s are valid */
+  char validJD;    /* True if rJD is valid */
+  char validTZ;    /* True if tz is valid */
+};
+
+
+/*
+** Convert zDate into one or more integers.  Additional arguments
+** come in groups of 5 as follows:
+**
+**       N       number of digits in the integer
+**       min     minimum allowed value of the integer
+**       max     maximum allowed value of the integer
+**       nextC   first character after the integer
+**       pVal    where to write the integers value.
+**
+** Conversions continue until one with nextC==0 is encountered.
+** The function returns the number of successful conversions.
+*/
+static int getDigits(const char *zDate, ...){
+  va_list ap;
+  int val;
+  int N;
+  int min;
+  int max;
+  int nextC;
+  int *pVal;
+  int cnt = 0;
+  va_start(ap, zDate);
+  do{
+    N = va_arg(ap, int);
+    min = va_arg(ap, int);
+    max = va_arg(ap, int);
+    nextC = va_arg(ap, int);
+    pVal = va_arg(ap, int*);
+    val = 0;
+    while( N-- ){
+      if( !isdigit(*(u8*)zDate) ){
+        goto end_getDigits;
+      }
+      val = val*10 + *zDate - '0';
+      zDate++;
+    }
+    if( val<min || val>max || (nextC!=0 && nextC!=*zDate) ){
+      goto end_getDigits;
+    }
+    *pVal = val;
+    zDate++;
+    cnt++;
+  }while( nextC );
+end_getDigits:
+  va_end(ap);
+  return cnt;
+}
+
+/*
+** Read text from z[] and convert into a floating point number.  Return
+** the number of digits converted.
+*/
+#define getValue sqlite3AtoF
+
+/*
+** Parse a timezone extension on the end of a date-time.
+** The extension is of the form:
+**
+**        (+/-)HH:MM
+**
+** If the parse is successful, write the number of minutes
+** of change in *pnMin and return 0.  If a parser error occurs,
+** return 0.
+**
+** A missing specifier is not considered an error.
+*/
+static int parseTimezone(const char *zDate, DateTime *p){
+  int sgn = 0;
+  int nHr, nMn;
+  while( isspace(*(u8*)zDate) ){ zDate++; }
+  p->tz = 0;
+  if( *zDate=='-' ){
+    sgn = -1;
+  }else if( *zDate=='+' ){
+    sgn = +1;
+  }else{
+    return *zDate!=0;
+  }
+  zDate++;
+  if( getDigits(zDate, 2, 0, 14, ':', &nHr, 2, 0, 59, 0, &nMn)!=2 ){
+    return 1;
+  }
+  zDate += 5;
+  p->tz = sgn*(nMn + nHr*60);
+  while( isspace(*(u8*)zDate) ){ zDate++; }
+  return *zDate!=0;
+}
+
+/*
+** Parse times of the form HH:MM or HH:MM:SS or HH:MM:SS.FFFF.
+** The HH, MM, and SS must each be exactly 2 digits.  The
+** fractional seconds FFFF can be one or more digits.
+**
+** Return 1 if there is a parsing error and 0 on success.
+*/
+static int parseHhMmSs(const char *zDate, DateTime *p){
+  int h, m, s;
+  double ms = 0.0;
+  if( getDigits(zDate, 2, 0, 24, ':', &h, 2, 0, 59, 0, &m)!=2 ){
+    return 1;
+  }
+  zDate += 5;
+  if( *zDate==':' ){
+    zDate++;
+    if( getDigits(zDate, 2, 0, 59, 0, &s)!=1 ){
+      return 1;
+    }
+    zDate += 2;
+    if( *zDate=='.' && isdigit((u8)zDate[1]) ){
+      double rScale = 1.0;
+      zDate++;
+      while( isdigit(*(u8*)zDate) ){
+        ms = ms*10.0 + *zDate - '0';
+        rScale *= 10.0;
+        zDate++;
+      }
+      ms /= rScale;
+    }
+  }else{
+    s = 0;
+  }
+  p->validJD = 0;
+  p->validHMS = 1;
+  p->h = h;
+  p->m = m;
+  p->s = s + ms;
+  if( parseTimezone(zDate, p) ) return 1;
+  p->validTZ = p->tz!=0;
+  return 0;
+}
+
+/*
+** Convert from YYYY-MM-DD HH:MM:SS to julian day.  We always assume
+** that the YYYY-MM-DD is according to the Gregorian calendar.
+**
+** Reference:  Meeus page 61
+*/
+static void computeJD(DateTime *p){
+  int Y, M, D, A, B, X1, X2;
+
+  if( p->validJD ) return;
+  if( p->validYMD ){
+    Y = p->Y;
+    M = p->M;
+    D = p->D;
+  }else{
+    Y = 2000;  /* If no YMD specified, assume 2000-Jan-01 */
+    M = 1;
+    D = 1;
+  }
+  if( M<=2 ){
+    Y--;
+    M += 12;
+  }
+  A = Y/100;
+  B = 2 - A + (A/4);
+  X1 = 365.25*(Y+4716);
+  X2 = 30.6001*(M+1);
+  p->rJD = X1 + X2 + D + B - 1524.5;
+  p->validJD = 1;
+  if( p->validHMS ){
+    p->rJD += (p->h*3600.0 + p->m*60.0 + p->s)/86400.0;
+    if( p->validTZ ){
+      p->rJD -= p->tz*60/86400.0;
+      p->validYMD = 0;
+      p->validHMS = 0;
+      p->validTZ = 0;
+    }
+  }
+}
+
+/*
+** Parse dates of the form
+**
+**     YYYY-MM-DD HH:MM:SS.FFF
+**     YYYY-MM-DD HH:MM:SS
+**     YYYY-MM-DD HH:MM
+**     YYYY-MM-DD
+**
+** Write the result into the DateTime structure and return 0
+** on success and 1 if the input string is not a well-formed
+** date.
+*/
+static int parseYyyyMmDd(const char *zDate, DateTime *p){
+  int Y, M, D, neg;
+
+  if( zDate[0]=='-' ){
+    zDate++;
+    neg = 1;
+  }else{
+    neg = 0;
+  }
+  if( getDigits(zDate,4,0,9999,'-',&Y,2,1,12,'-',&M,2,1,31,0,&D)!=3 ){
+    return 1;
+  }
+  zDate += 10;
+  while( isspace(*(u8*)zDate) || 'T'==*(u8*)zDate ){ zDate++; }
+  if( parseHhMmSs(zDate, p)==0 ){
+    /* We got the time */
+  }else if( *zDate==0 ){
+    p->validHMS = 0;
+  }else{
+    return 1;
+  }
+  p->validJD = 0;
+  p->validYMD = 1;
+  p->Y = neg ? -Y : Y;
+  p->M = M;
+  p->D = D;
+  if( p->validTZ ){
+    computeJD(p);
+  }
+  return 0;
+}
+
+/*
+** Attempt to parse the given string into a Julian Day Number.  Return
+** the number of errors.
+**
+** The following are acceptable forms for the input string:
+**
+**      YYYY-MM-DD HH:MM:SS.FFF  +/-HH:MM
+**      DDDD.DD 
+**      now
+**
+** In the first form, the +/-HH:MM is always optional.  The fractional
+** seconds extension (the ".FFF") is optional.  The seconds portion
+** (":SS.FFF") is option.  The year and date can be omitted as long
+** as there is a time string.  The time string can be omitted as long
+** as there is a year and date.
+*/
+static int parseDateOrTime(const char *zDate, DateTime *p){
+  memset(p, 0, sizeof(*p));
+  if( parseYyyyMmDd(zDate,p)==0 ){
+    return 0;
+  }else if( parseHhMmSs(zDate, p)==0 ){
+    return 0;
+  }else if( sqlite3StrICmp(zDate,"now")==0){
+    double r;
+    sqlite3OsCurrentTime(&r);
+    p->rJD = r;
+    p->validJD = 1;
+    return 0;
+  }else if( sqlite3IsNumber(zDate, 0, SQLITE_UTF8) ){
+    getValue(zDate, &p->rJD);
+    p->validJD = 1;
+    return 0;
+  }
+  return 1;
+}
+
+/*
+** Compute the Year, Month, and Day from the julian day number.
+*/
+static void computeYMD(DateTime *p){
+  int Z, A, B, C, D, E, X1;
+  if( p->validYMD ) return;
+  if( !p->validJD ){
+    p->Y = 2000;
+    p->M = 1;
+    p->D = 1;
+  }else{
+    Z = p->rJD + 0.5;
+    A = (Z - 1867216.25)/36524.25;
+    A = Z + 1 + A - (A/4);
+    B = A + 1524;
+    C = (B - 122.1)/365.25;
+    D = 365.25*C;
+    E = (B-D)/30.6001;
+    X1 = 30.6001*E;
+    p->D = B - D - X1;
+    p->M = E<14 ? E-1 : E-13;
+    p->Y = p->M>2 ? C - 4716 : C - 4715;
+  }
+  p->validYMD = 1;
+}
+
+/*
+** Compute the Hour, Minute, and Seconds from the julian day number.
+*/
+static void computeHMS(DateTime *p){
+  int Z, s;
+  if( p->validHMS ) return;
+  computeJD(p);
+  Z = p->rJD + 0.5;
+  s = (p->rJD + 0.5 - Z)*86400000.0 + 0.5;
+  p->s = 0.001*s;
+  s = p->s;
+  p->s -= s;
+  p->h = s/3600;
+  s -= p->h*3600;
+  p->m = s/60;
+  p->s += s - p->m*60;
+  p->validHMS = 1;
+}
+
+/*
+** Compute both YMD and HMS
+*/
+static void computeYMD_HMS(DateTime *p){
+  computeYMD(p);
+  computeHMS(p);
+}
+
+/*
+** Clear the YMD and HMS and the TZ
+*/
+static void clearYMD_HMS_TZ(DateTime *p){
+  p->validYMD = 0;
+  p->validHMS = 0;
+  p->validTZ = 0;
+}
+
+/*
+** Compute the difference (in days) between localtime and UTC (a.k.a. GMT)
+** for the time value p where p is in UTC.
+*/
+static double localtimeOffset(DateTime *p){
+  DateTime x, y;
+  time_t t;
+  x = *p;
+  computeYMD_HMS(&x);
+  if( x.Y<1971 || x.Y>=2038 ){
+    x.Y = 2000;
+    x.M = 1;
+    x.D = 1;
+    x.h = 0;
+    x.m = 0;
+    x.s = 0.0;
+  } else {
+    int s = x.s + 0.5;
+    x.s = s;
+  }
+  x.tz = 0;
+  x.validJD = 0;
+  computeJD(&x);
+  t = (x.rJD-2440587.5)*86400.0 + 0.5;
+#ifdef HAVE_LOCALTIME_R
+  {
+    struct tm sLocal;
+    localtime_r(&t, &sLocal);
+    y.Y = sLocal.tm_year + 1900;
+    y.M = sLocal.tm_mon + 1;
+    y.D = sLocal.tm_mday;
+    y.h = sLocal.tm_hour;
+    y.m = sLocal.tm_min;
+    y.s = sLocal.tm_sec;
+  }
+#else
+  {
+    struct tm *pTm;
+    sqlite3OsEnterMutex();
+    pTm = localtime(&t);
+    y.Y = pTm->tm_year + 1900;
+    y.M = pTm->tm_mon + 1;
+    y.D = pTm->tm_mday;
+    y.h = pTm->tm_hour;
+    y.m = pTm->tm_min;
+    y.s = pTm->tm_sec;
+    sqlite3OsLeaveMutex();
+  }
+#endif
+  y.validYMD = 1;
+  y.validHMS = 1;
+  y.validJD = 0;
+  y.validTZ = 0;
+  computeJD(&y);
+  return y.rJD - x.rJD;
+}
+
+/*
+** Process a modifier to a date-time stamp.  The modifiers are
+** as follows:
+**
+**     NNN days
+**     NNN hours
+**     NNN minutes
+**     NNN.NNNN seconds
+**     NNN months
+**     NNN years
+**     start of month
+**     start of year
+**     start of week
+**     start of day
+**     weekday N
+**     unixepoch
+**     localtime
+**     utc
+**
+** Return 0 on success and 1 if there is any kind of error.
+*/
+static int parseModifier(const char *zMod, DateTime *p){
+  int rc = 1;
+  int n;
+  double r;
+  char *z, zBuf[30];
+  z = zBuf;
+  for(n=0; n<sizeof(zBuf)-1 && zMod[n]; n++){
+    z[n] = tolower(zMod[n]);
+  }
+  z[n] = 0;
+  switch( z[0] ){
+    case 'l': {
+      /*    localtime
+      **
+      ** Assuming the current time value is UTC (a.k.a. GMT), shift it to
+      ** show local time.
+      */
+      if( strcmp(z, "localtime")==0 ){
+        computeJD(p);
+        p->rJD += localtimeOffset(p);
+        clearYMD_HMS_TZ(p);
+        rc = 0;
+      }
+      break;
+    }
+    case 'u': {
+      /*
+      **    unixepoch
+      **
+      ** Treat the current value of p->rJD as the number of
+      ** seconds since 1970.  Convert to a real julian day number.
+      */
+      if( strcmp(z, "unixepoch")==0 && p->validJD ){
+        p->rJD = p->rJD/86400.0 + 2440587.5;
+        clearYMD_HMS_TZ(p);
+        rc = 0;
+      }else if( strcmp(z, "utc")==0 ){
+        double c1;
+        computeJD(p);
+        c1 = localtimeOffset(p);
+        p->rJD -= c1;
+        clearYMD_HMS_TZ(p);
+        p->rJD += c1 - localtimeOffset(p);
+        rc = 0;
+      }
+      break;
+    }
+    case 'w': {
+      /*
+      **    weekday N
+      **
+      ** Move the date to the same time on the next occurrence of
+      ** weekday N where 0==Sunday, 1==Monday, and so forth.  If the
+      ** date is already on the appropriate weekday, this is a no-op.
+      */
+      if( strncmp(z, "weekday ", 8)==0 && getValue(&z[8],&r)>0
+                 && (n=r)==r && n>=0 && r<7 ){
+        int Z;
+        computeYMD_HMS(p);
+        p->validTZ = 0;
+        p->validJD = 0;
+        computeJD(p);
+        Z = p->rJD + 1.5;
+        Z %= 7;
+        if( Z>n ) Z -= 7;
+        p->rJD += n - Z;
+        clearYMD_HMS_TZ(p);
+        rc = 0;
+      }
+      break;
+    }
+    case 's': {
+      /*
+      **    start of TTTTT
+      **
+      ** Move the date backwards to the beginning of the current day,
+      ** or month or year.
+      */
+      if( strncmp(z, "start of ", 9)!=0 ) break;
+      z += 9;
+      computeYMD(p);
+      p->validHMS = 1;
+      p->h = p->m = 0;
+      p->s = 0.0;
+      p->validTZ = 0;
+      p->validJD = 0;
+      if( strcmp(z,"month")==0 ){
+        p->D = 1;
+        rc = 0;
+      }else if( strcmp(z,"year")==0 ){
+        computeYMD(p);
+        p->M = 1;
+        p->D = 1;
+        rc = 0;
+      }else if( strcmp(z,"day")==0 ){
+        rc = 0;
+      }
+      break;
+    }
+    case '+':
+    case '-':
+    case '0':
+    case '1':
+    case '2':
+    case '3':
+    case '4':
+    case '5':
+    case '6':
+    case '7':
+    case '8':
+    case '9': {
+      n = getValue(z, &r);
+      assert( n>=1 );
+      if( z[n]==':' ){
+        /* A modifier of the form (+|-)HH:MM:SS.FFF adds (or subtracts) the
+        ** specified number of hours, minutes, seconds, and fractional seconds
+        ** to the time.  The ".FFF" may be omitted.  The ":SS.FFF" may be
+        ** omitted.
+        */
+        const char *z2 = z;
+        DateTime tx;
+        int day;
+        if( !isdigit(*(u8*)z2) ) z2++;
+        memset(&tx, 0, sizeof(tx));
+        if( parseHhMmSs(z2, &tx) ) break;
+        computeJD(&tx);
+        tx.rJD -= 0.5;
+        day = (int)tx.rJD;
+        tx.rJD -= day;
+        if( z[0]=='-' ) tx.rJD = -tx.rJD;
+        computeJD(p);
+        clearYMD_HMS_TZ(p);
+        p->rJD += tx.rJD;
+        rc = 0;
+        break;
+      }
+      z += n;
+      while( isspace(*(u8*)z) ) z++;
+      n = strlen(z);
+      if( n>10 || n<3 ) break;
+      if( z[n-1]=='s' ){ z[n-1] = 0; n--; }
+      computeJD(p);
+      rc = 0;
+      if( n==3 && strcmp(z,"day")==0 ){
+        p->rJD += r;
+      }else if( n==4 && strcmp(z,"hour")==0 ){
+        p->rJD += r/24.0;
+      }else if( n==6 && strcmp(z,"minute")==0 ){
+        p->rJD += r/(24.0*60.0);
+      }else if( n==6 && strcmp(z,"second")==0 ){
+        p->rJD += r/(24.0*60.0*60.0);
+      }else if( n==5 && strcmp(z,"month")==0 ){
+        int x, y;
+        computeYMD_HMS(p);
+        p->M += r;
+        x = p->M>0 ? (p->M-1)/12 : (p->M-12)/12;
+        p->Y += x;
+        p->M -= x*12;
+        p->validJD = 0;
+        computeJD(p);
+        y = r;
+        if( y!=r ){
+          p->rJD += (r - y)*30.0;
+        }
+      }else if( n==4 && strcmp(z,"year")==0 ){
+        computeYMD_HMS(p);
+        p->Y += r;
+        p->validJD = 0;
+        computeJD(p);
+      }else{
+        rc = 1;
+      }
+      clearYMD_HMS_TZ(p);
+      break;
+    }
+    default: {
+      break;
+    }
+  }
+  return rc;
+}
+
+/*
+** Process time function arguments.  argv[0] is a date-time stamp.
+** argv[1] and following are modifiers.  Parse them all and write
+** the resulting time into the DateTime structure p.  Return 0
+** on success and 1 if there are any errors.
+*/
+static int isDate(int argc, sqlite3_value **argv, DateTime *p){
+  int i;
+  if( argc==0 ) return 1;
+  if( SQLITE_NULL==sqlite3_value_type(argv[0]) || 
+      parseDateOrTime((char*)sqlite3_value_text(argv[0]), p) ) return 1;
+  for(i=1; i<argc; i++){
+    if( SQLITE_NULL==sqlite3_value_type(argv[i]) || 
+        parseModifier((char*)sqlite3_value_text(argv[i]), p) ) return 1;
+  }
+  return 0;
+}
+
+
+/*
+** The following routines implement the various date and time functions
+** of SQLite.
+*/
+
+/*
+**    julianday( TIMESTRING, MOD, MOD, ...)
+**
+** Return the julian day number of the date specified in the arguments
+*/
+static void juliandayFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  DateTime x;
+  if( isDate(argc, argv, &x)==0 ){
+    computeJD(&x);
+    sqlite3_result_double(context, x.rJD);
+  }
+}
+
+/*
+**    datetime( TIMESTRING, MOD, MOD, ...)
+**
+** Return YYYY-MM-DD HH:MM:SS
+*/
+static void datetimeFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  DateTime x;
+  if( isDate(argc, argv, &x)==0 ){
+    char zBuf[100];
+    computeYMD_HMS(&x);
+    sprintf(zBuf, "%04d-%02d-%02d %02d:%02d:%02d",x.Y, x.M, x.D, x.h, x.m,
+           (int)(x.s));
+    sqlite3_result_text(context, zBuf, -1, SQLITE_TRANSIENT);
+  }
+}
+
+/*
+**    time( TIMESTRING, MOD, MOD, ...)
+**
+** Return HH:MM:SS
+*/
+static void timeFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  DateTime x;
+  if( isDate(argc, argv, &x)==0 ){
+    char zBuf[100];
+    computeHMS(&x);
+    sprintf(zBuf, "%02d:%02d:%02d", x.h, x.m, (int)x.s);
+    sqlite3_result_text(context, zBuf, -1, SQLITE_TRANSIENT);
+  }
+}
+
+/*
+**    date( TIMESTRING, MOD, MOD, ...)
+**
+** Return YYYY-MM-DD
+*/
+static void dateFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  DateTime x;
+  if( isDate(argc, argv, &x)==0 ){
+    char zBuf[100];
+    computeYMD(&x);
+    sprintf(zBuf, "%04d-%02d-%02d", x.Y, x.M, x.D);
+    sqlite3_result_text(context, zBuf, -1, SQLITE_TRANSIENT);
+  }
+}
+
+/*
+**    strftime( FORMAT, TIMESTRING, MOD, MOD, ...)
+**
+** Return a string described by FORMAT.  Conversions as follows:
+**
+**   %d  day of month
+**   %f  ** fractional seconds  SS.SSS
+**   %H  hour 00-24
+**   %j  day of year 000-366
+**   %J  ** Julian day number
+**   %m  month 01-12
+**   %M  minute 00-59
+**   %s  seconds since 1970-01-01
+**   %S  seconds 00-59
+**   %w  day of week 0-6  sunday==0
+**   %W  week of year 00-53
+**   %Y  year 0000-9999
+**   %%  %
+*/
+static void strftimeFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  DateTime x;
+  int n, i, j;
+  char *z;
+  const char *zFmt = (const char*)sqlite3_value_text(argv[0]);
+  char zBuf[100];
+  if( zFmt==0 || isDate(argc-1, argv+1, &x) ) return;
+  for(i=0, n=1; zFmt[i]; i++, n++){
+    if( zFmt[i]=='%' ){
+      switch( zFmt[i+1] ){
+        case 'd':
+        case 'H':
+        case 'm':
+        case 'M':
+        case 'S':
+        case 'W':
+          n++;
+          /* fall thru */
+        case 'w':
+        case '%':
+          break;
+        case 'f':
+          n += 8;
+          break;
+        case 'j':
+          n += 3;
+          break;
+        case 'Y':
+          n += 8;
+          break;
+        case 's':
+        case 'J':
+          n += 50;
+          break;
+        default:
+          return;  /* ERROR.  return a NULL */
+      }
+      i++;
+    }
+  }
+  if( n<sizeof(zBuf) ){
+    z = zBuf;
+  }else{
+    z = sqliteMalloc( n );
+    if( z==0 ) return;
+  }
+  computeJD(&x);
+  computeYMD_HMS(&x);
+  for(i=j=0; zFmt[i]; i++){
+    if( zFmt[i]!='%' ){
+      z[j++] = zFmt[i];
+    }else{
+      i++;
+      switch( zFmt[i] ){
+        case 'd':  sprintf(&z[j],"%02d",x.D); j+=2; break;
+        case 'f': {
+          double s = x.s;
+          if( s>59.999 ) s = 59.999;
+          sqlite3_snprintf(7, &z[j],"%06.3f", s);
+          j += strlen(&z[j]);
+          break;
+        }
+        case 'H':  sprintf(&z[j],"%02d",x.h); j+=2; break;
+        case 'W': /* Fall thru */
+        case 'j': {
+          int nDay;             /* Number of days since 1st day of year */
+          DateTime y = x;
+          y.validJD = 0;
+          y.M = 1;
+          y.D = 1;
+          computeJD(&y);
+          nDay = x.rJD - y.rJD + 0.5;
+          if( zFmt[i]=='W' ){
+            int wd;   /* 0=Monday, 1=Tuesday, ... 6=Sunday */
+            wd = ((int)(x.rJD+0.5)) % 7;
+            sprintf(&z[j],"%02d",(nDay+7-wd)/7);
+            j += 2;
+          }else{
+            sprintf(&z[j],"%03d",nDay+1);
+            j += 3;
+          }
+          break;
+        }
+        case 'J':  sprintf(&z[j],"%.16g",x.rJD); j+=strlen(&z[j]); break;
+        case 'm':  sprintf(&z[j],"%02d",x.M); j+=2; break;
+        case 'M':  sprintf(&z[j],"%02d",x.m); j+=2; break;
+        case 's': {
+          sprintf(&z[j],"%d",(int)((x.rJD-2440587.5)*86400.0 + 0.5));
+          j += strlen(&z[j]);
+          break;
+        }
+        case 'S':  sprintf(&z[j],"%02d",(int)x.s); j+=2; break;
+        case 'w':  z[j++] = (((int)(x.rJD+1.5)) % 7) + '0'; break;
+        case 'Y':  sprintf(&z[j],"%04d",x.Y); j+=strlen(&z[j]); break;
+        case '%':  z[j++] = '%'; break;
+      }
+    }
+  }
+  z[j] = 0;
+  sqlite3_result_text(context, z, -1, SQLITE_TRANSIENT);
+  if( z!=zBuf ){
+    sqliteFree(z);
+  }
+}
+
+/*
+** current_time()
+**
+** This function returns the same value as time('now').
+*/
+static void ctimeFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  sqlite3_value *pVal = sqlite3ValueNew();
+  if( pVal ){
+    sqlite3ValueSetStr(pVal, -1, "now", SQLITE_UTF8, SQLITE_STATIC);
+    timeFunc(context, 1, &pVal);
+    sqlite3ValueFree(pVal);
+  }
+}
+
+/*
+** current_date()
+**
+** This function returns the same value as date('now').
+*/
+static void cdateFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  sqlite3_value *pVal = sqlite3ValueNew();
+  if( pVal ){
+    sqlite3ValueSetStr(pVal, -1, "now", SQLITE_UTF8, SQLITE_STATIC);
+    dateFunc(context, 1, &pVal);
+    sqlite3ValueFree(pVal);
+  }
+}
+
+/*
+** current_timestamp()
+**
+** This function returns the same value as datetime('now').
+*/
+static void ctimestampFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  sqlite3_value *pVal = sqlite3ValueNew();
+  if( pVal ){
+    sqlite3ValueSetStr(pVal, -1, "now", SQLITE_UTF8, SQLITE_STATIC);
+    datetimeFunc(context, 1, &pVal);
+    sqlite3ValueFree(pVal);
+  }
+}
+#endif /* !defined(SQLITE_OMIT_DATETIME_FUNCS) */
+
+#ifdef SQLITE_OMIT_DATETIME_FUNCS
+/*
+** If the library is compiled to omit the full-scale date and time
+** handling (to get a smaller binary), the following minimal version
+** of the functions current_time(), current_date() and current_timestamp()
+** are included instead. This is to support column declarations that
+** include "DEFAULT CURRENT_TIME" etc.
+**
+** This function uses the C-library functions time(), gmtime()
+** and strftime(). The format string to pass to strftime() is supplied
+** as the user-data for the function.
+*/
+static void currentTimeFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  time_t t;
+  char *zFormat = (char *)sqlite3_user_data(context);
+  char zBuf[20];
+
+  time(&t);
+#ifdef SQLITE_TEST
+  {
+    extern int sqlite3_current_time;  /* See os_XXX.c */
+    if( sqlite3_current_time ){
+      t = sqlite3_current_time;
+    }
+  }
+#endif
+
+#ifdef HAVE_GMTIME_R
+  {
+    struct tm sNow;
+    gmtime_r(&t, &sNow);
+    strftime(zBuf, 20, zFormat, &sNow);
+  }
+#else
+  {
+    struct tm *pTm;
+    sqlite3OsEnterMutex();
+    pTm = gmtime(&t);
+    strftime(zBuf, 20, zFormat, pTm);
+    sqlite3OsLeaveMutex();
+  }
+#endif
+
+  sqlite3_result_text(context, zBuf, -1, SQLITE_TRANSIENT);
+}
+#endif
+
+/*
+** This function registered all of the above C functions as SQL
+** functions.  This should be the only routine in this file with
+** external linkage.
+*/
+void sqlite3RegisterDateTimeFunctions(sqlite3 *db){
+#ifndef SQLITE_OMIT_DATETIME_FUNCS
+  static const struct {
+     char *zName;
+     int nArg;
+     void (*xFunc)(sqlite3_context*,int,sqlite3_value**);
+  } aFuncs[] = {
+    { "julianday", -1, juliandayFunc   },
+    { "date",      -1, dateFunc        },
+    { "time",      -1, timeFunc        },
+    { "datetime",  -1, datetimeFunc    },
+    { "strftime",  -1, strftimeFunc    },
+    { "current_time",       0, ctimeFunc      },
+    { "current_timestamp",  0, ctimestampFunc },
+    { "current_date",       0, cdateFunc      },
+  };
+  int i;
+
+  for(i=0; i<sizeof(aFuncs)/sizeof(aFuncs[0]); i++){
+    sqlite3CreateFunc(db, aFuncs[i].zName, aFuncs[i].nArg,
+        SQLITE_UTF8, 0, aFuncs[i].xFunc, 0, 0);
+  }
+#else
+  static const struct {
+     char *zName;
+     char *zFormat;
+  } aFuncs[] = {
+    { "current_time", "%H:%M:%S" },
+    { "current_date", "%Y-%m-%d" },
+    { "current_timestamp", "%Y-%m-%d %H:%M:%S" }
+  };
+  int i;
+
+  for(i=0; i<sizeof(aFuncs)/sizeof(aFuncs[0]); i++){
+    sqlite3CreateFunc(db, aFuncs[i].zName, 0, SQLITE_UTF8, 
+        aFuncs[i].zFormat, currentTimeFunc, 0, 0);
+  }
+#endif
+}
+
+/************** End of date.c ************************************************/
+/************** Begin file os.c **********************************************/
+/*
+** 2005 November 29
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains OS interface code that is common to all
+** architectures.
+*/
+#define _SQLITE_OS_C_ 1
+#undef _SQLITE_OS_C_
+
+/*
+** The following routines are convenience wrappers around methods
+** of the OsFile object.  This is mostly just syntactic sugar.  All
+** of this would be completely automatic if SQLite were coded using
+** C++ instead of plain old C.
+*/
+int sqlite3OsClose(OsFile **pId){
+  OsFile *id;
+  if( pId!=0 && (id = *pId)!=0 ){
+    return id->pMethod->xClose(pId);
+  }else{
+    return SQLITE_OK;
+  }
+}
+int sqlite3OsOpenDirectory(OsFile *id, const char *zName){
+  return id->pMethod->xOpenDirectory(id, zName);
+}
+int sqlite3OsRead(OsFile *id, void *pBuf, int amt){
+  return id->pMethod->xRead(id, pBuf, amt);
+}
+int sqlite3OsWrite(OsFile *id, const void *pBuf, int amt){
+  return id->pMethod->xWrite(id, pBuf, amt);
+}
+int sqlite3OsSeek(OsFile *id, i64 offset){
+  return id->pMethod->xSeek(id, offset);
+}
+int sqlite3OsTruncate(OsFile *id, i64 size){
+  return id->pMethod->xTruncate(id, size);
+}
+int sqlite3OsSync(OsFile *id, int fullsync){
+  return id->pMethod->xSync(id, fullsync);
+}
+void sqlite3OsSetFullSync(OsFile *id, int value){
+  id->pMethod->xSetFullSync(id, value);
+}
+#if defined(SQLITE_TEST) || defined(SQLITE_DEBUG)
+/* This method is currently only used while interactively debugging the 
+** pager. More specificly, it can only be used when sqlite3DebugPrintf() is
+** included in the build. */
+int sqlite3OsFileHandle(OsFile *id){
+  return id->pMethod->xFileHandle(id);
+}
+#endif
+int sqlite3OsFileSize(OsFile *id, i64 *pSize){
+  return id->pMethod->xFileSize(id, pSize);
+}
+int sqlite3OsLock(OsFile *id, int lockType){
+  return id->pMethod->xLock(id, lockType);
+}
+int sqlite3OsUnlock(OsFile *id, int lockType){
+  return id->pMethod->xUnlock(id, lockType);
+}
+int sqlite3OsLockState(OsFile *id){
+  return id->pMethod->xLockState(id);
+}
+int sqlite3OsCheckReservedLock(OsFile *id){
+  return id->pMethod->xCheckReservedLock(id);
+}
+int sqlite3OsSectorSize(OsFile *id){
+  int (*xSectorSize)(OsFile*) = id->pMethod->xSectorSize;
+  return xSectorSize ? xSectorSize(id) : SQLITE_DEFAULT_SECTOR_SIZE;
+}
+
+#ifdef SQLITE_ENABLE_REDEF_IO
+/*
+** A function to return a pointer to the virtual function table.
+** This routine really does not accomplish very much since the
+** virtual function table is a global variable and anybody who
+** can call this function can just as easily access the variable
+** for themselves.  Nevertheless, we include this routine for
+** backwards compatibility with an earlier redefinable I/O
+** interface design.
+*/
+struct sqlite3OsVtbl *sqlite3_os_switch(void){
+  return &sqlite3Os;
+}
+#endif
+
+/************** End of os.c **************************************************/
+/************** Begin file printf.c ******************************************/
+/*
+** The "printf" code that follows dates from the 1980's.  It is in
+** the public domain.  The original comments are included here for
+** completeness.  They are very out-of-date but might be useful as
+** an historical reference.  Most of the "enhancements" have been backed
+** out so that the functionality is now the same as standard printf().
+**
+**************************************************************************
+**
+** The following modules is an enhanced replacement for the "printf" subroutines
+** found in the standard C library.  The following enhancements are
+** supported:
+**
+**      +  Additional functions.  The standard set of "printf" functions
+**         includes printf, fprintf, sprintf, vprintf, vfprintf, and
+**         vsprintf.  This module adds the following:
+**
+**           *  snprintf -- Works like sprintf, but has an extra argument
+**                          which is the size of the buffer written to.
+**
+**           *  mprintf --  Similar to sprintf.  Writes output to memory
+**                          obtained from malloc.
+**
+**           *  xprintf --  Calls a function to dispose of output.
+**
+**           *  nprintf --  No output, but returns the number of characters
+**                          that would have been output by printf.
+**
+**           *  A v- version (ex: vsnprintf) of every function is also
+**              supplied.
+**
+**      +  A few extensions to the formatting notation are supported:
+**
+**           *  The "=" flag (similar to "-") causes the output to be
+**              be centered in the appropriately sized field.
+**
+**           *  The %b field outputs an integer in binary notation.
+**
+**           *  The %c field now accepts a precision.  The character output
+**              is repeated by the number of times the precision specifies.
+**
+**           *  The %' field works like %c, but takes as its character the
+**              next character of the format string, instead of the next
+**              argument.  For example,  printf("%.78'-")  prints 78 minus
+**              signs, the same as  printf("%.78c",'-').
+**
+**      +  When compiled using GCC on a SPARC, this version of printf is
+**         faster than the library printf for SUN OS 4.1.
+**
+**      +  All functions are fully reentrant.
+**
+*/
+
+/*
+** Conversion types fall into various categories as defined by the
+** following enumeration.
+*/
+#define etRADIX       1 /* Integer types.  %d, %x, %o, and so forth */
+#define etFLOAT       2 /* Floating point.  %f */
+#define etEXP         3 /* Exponentional notation. %e and %E */
+#define etGENERIC     4 /* Floating or exponential, depending on exponent. %g */
+#define etSIZE        5 /* Return number of characters processed so far. %n */
+#define etSTRING      6 /* Strings. %s */
+#define etDYNSTRING   7 /* Dynamically allocated strings. %z */
+#define etPERCENT     8 /* Percent symbol. %% */
+#define etCHARX       9 /* Characters. %c */
+/* The rest are extensions, not normally found in printf() */
+#define etCHARLIT    10 /* Literal characters.  %' */
+#define etSQLESCAPE  11 /* Strings with '\'' doubled.  %q */
+#define etSQLESCAPE2 12 /* Strings with '\'' doubled and enclosed in '',
+                          NULL pointers replaced by SQL NULL.  %Q */
+#define etTOKEN      13 /* a pointer to a Token structure */
+#define etSRCLIST    14 /* a pointer to a SrcList */
+#define etPOINTER    15 /* The %p conversion */
+
+
+/*
+** An "etByte" is an 8-bit unsigned value.
+*/
+typedef unsigned char etByte;
+
+/*
+** Each builtin conversion character (ex: the 'd' in "%d") is described
+** by an instance of the following structure
+*/
+typedef struct et_info {   /* Information about each format field */
+  char fmttype;            /* The format field code letter */
+  etByte base;             /* The base for radix conversion */
+  etByte flags;            /* One or more of FLAG_ constants below */
+  etByte type;             /* Conversion paradigm */
+  etByte charset;          /* Offset into aDigits[] of the digits string */
+  etByte prefix;           /* Offset into aPrefix[] of the prefix string */
+} et_info;
+
+/*
+** Allowed values for et_info.flags
+*/
+#define FLAG_SIGNED  1     /* True if the value to convert is signed */
+#define FLAG_INTERN  2     /* True if for internal use only */
+#define FLAG_STRING  4     /* Allow infinity precision */
+
+
+/*
+** The following table is searched linearly, so it is good to put the
+** most frequently used conversion types first.
+*/
+static const char aDigits[] = "0123456789ABCDEF0123456789abcdef";
+static const char aPrefix[] = "-x0\000X0";
+static const et_info fmtinfo[] = {
+  {  'd', 10, 1, etRADIX,      0,  0 },
+  {  's',  0, 4, etSTRING,     0,  0 },
+  {  'g',  0, 1, etGENERIC,    30, 0 },
+  {  'z',  0, 6, etDYNSTRING,  0,  0 },
+  {  'q',  0, 4, etSQLESCAPE,  0,  0 },
+  {  'Q',  0, 4, etSQLESCAPE2, 0,  0 },
+  {  'c',  0, 0, etCHARX,      0,  0 },
+  {  'o',  8, 0, etRADIX,      0,  2 },
+  {  'u', 10, 0, etRADIX,      0,  0 },
+  {  'x', 16, 0, etRADIX,      16, 1 },
+  {  'X', 16, 0, etRADIX,      0,  4 },
+#ifndef SQLITE_OMIT_FLOATING_POINT
+  {  'f',  0, 1, etFLOAT,      0,  0 },
+  {  'e',  0, 1, etEXP,        30, 0 },
+  {  'E',  0, 1, etEXP,        14, 0 },
+  {  'G',  0, 1, etGENERIC,    14, 0 },
+#endif
+  {  'i', 10, 1, etRADIX,      0,  0 },
+  {  'n',  0, 0, etSIZE,       0,  0 },
+  {  '%',  0, 0, etPERCENT,    0,  0 },
+  {  'p', 16, 0, etPOINTER,    0,  1 },
+  {  'T',  0, 2, etTOKEN,      0,  0 },
+  {  'S',  0, 2, etSRCLIST,    0,  0 },
+};
+#define etNINFO  (sizeof(fmtinfo)/sizeof(fmtinfo[0]))
+
+/*
+** If SQLITE_OMIT_FLOATING_POINT is defined, then none of the floating point
+** conversions will work.
+*/
+#ifndef SQLITE_OMIT_FLOATING_POINT
+/*
+** "*val" is a double such that 0.1 <= *val < 10.0
+** Return the ascii code for the leading digit of *val, then
+** multiply "*val" by 10.0 to renormalize.
+**
+** Example:
+**     input:     *val = 3.14159
+**     output:    *val = 1.4159    function return = '3'
+**
+** The counter *cnt is incremented each time.  After counter exceeds
+** 16 (the number of significant digits in a 64-bit float) '0' is
+** always returned.
+*/
+static int et_getdigit(LONGDOUBLE_TYPE *val, int *cnt){
+  int digit;
+  LONGDOUBLE_TYPE d;
+  if( (*cnt)++ >= 16 ) return '0';
+  digit = (int)*val;
+  d = digit;
+  digit += '0';
+  *val = (*val - d)*10.0;
+  return digit;
+}
+#endif /* SQLITE_OMIT_FLOATING_POINT */
+
+/*
+** On machines with a small stack size, you can redefine the
+** SQLITE_PRINT_BUF_SIZE to be less than 350.  But beware - for
+** smaller values some %f conversions may go into an infinite loop.
+*/
+#ifndef SQLITE_PRINT_BUF_SIZE
+# define SQLITE_PRINT_BUF_SIZE 350
+#endif
+#define etBUFSIZE SQLITE_PRINT_BUF_SIZE  /* Size of the output buffer */
+
+/*
+** The root program.  All variations call this core.
+**
+** INPUTS:
+**   func   This is a pointer to a function taking three arguments
+**            1. A pointer to anything.  Same as the "arg" parameter.
+**            2. A pointer to the list of characters to be output
+**               (Note, this list is NOT null terminated.)
+**            3. An integer number of characters to be output.
+**               (Note: This number might be zero.)
+**
+**   arg    This is the pointer to anything which will be passed as the
+**          first argument to "func".  Use it for whatever you like.
+**
+**   fmt    This is the format string, as in the usual print.
+**
+**   ap     This is a pointer to a list of arguments.  Same as in
+**          vfprint.
+**
+** OUTPUTS:
+**          The return value is the total number of characters sent to
+**          the function "func".  Returns -1 on a error.
+**
+** Note that the order in which automatic variables are declared below
+** seems to make a big difference in determining how fast this beast
+** will run.
+*/
+static int vxprintf(
+  void (*func)(void*,const char*,int),     /* Consumer of text */
+  void *arg,                         /* First argument to the consumer */
+  int useExtended,                   /* Allow extended %-conversions */
+  const char *fmt,                   /* Format string */
+  va_list ap                         /* arguments */
+){
+  int c;                     /* Next character in the format string */
+  char *bufpt;               /* Pointer to the conversion buffer */
+  int precision;             /* Precision of the current field */
+  int length;                /* Length of the field */
+  int idx;                   /* A general purpose loop counter */
+  int count;                 /* Total number of characters output */
+  int width;                 /* Width of the current field */
+  etByte flag_leftjustify;   /* True if "-" flag is present */
+  etByte flag_plussign;      /* True if "+" flag is present */
+  etByte flag_blanksign;     /* True if " " flag is present */
+  etByte flag_alternateform; /* True if "#" flag is present */
+  etByte flag_altform2;      /* True if "!" flag is present */
+  etByte flag_zeropad;       /* True if field width constant starts with zero */
+  etByte flag_long;          /* True if "l" flag is present */
+  etByte flag_longlong;      /* True if the "ll" flag is present */
+  etByte done;               /* Loop termination flag */
+  sqlite_uint64 longvalue;   /* Value for integer types */
+  LONGDOUBLE_TYPE realvalue; /* Value for real types */
+  const et_info *infop;      /* Pointer to the appropriate info structure */
+  char buf[etBUFSIZE];       /* Conversion buffer */
+  char prefix;               /* Prefix character.  "+" or "-" or " " or '\0'. */
+  etByte errorflag = 0;      /* True if an error is encountered */
+  etByte xtype;              /* Conversion paradigm */
+  char *zExtra;              /* Extra memory used for etTCLESCAPE conversions */
+  static const char spaces[] =
+   "                                                                         ";
+#define etSPACESIZE (sizeof(spaces)-1)
+#ifndef SQLITE_OMIT_FLOATING_POINT
+  int  exp, e2;              /* exponent of real numbers */
+  double rounder;            /* Used for rounding floating point values */
+  etByte flag_dp;            /* True if decimal point should be shown */
+  etByte flag_rtz;           /* True if trailing zeros should be removed */
+  etByte flag_exp;           /* True to force display of the exponent */
+  int nsd;                   /* Number of significant digits returned */
+#endif
+
+  func(arg,"",0);
+  count = length = 0;
+  bufpt = 0;
+  for(; (c=(*fmt))!=0; ++fmt){
+    if( c!='%' ){
+      int amt;
+      bufpt = (char *)fmt;
+      amt = 1;
+      while( (c=(*++fmt))!='%' && c!=0 ) amt++;
+      (*func)(arg,bufpt,amt);
+      count += amt;
+      if( c==0 ) break;
+    }
+    if( (c=(*++fmt))==0 ){
+      errorflag = 1;
+      (*func)(arg,"%",1);
+      count++;
+      break;
+    }
+    /* Find out what flags are present */
+    flag_leftjustify = flag_plussign = flag_blanksign = 
+     flag_alternateform = flag_altform2 = flag_zeropad = 0;
+    done = 0;
+    do{
+      switch( c ){
+        case '-':   flag_leftjustify = 1;     break;
+        case '+':   flag_plussign = 1;        break;
+        case ' ':   flag_blanksign = 1;       break;
+        case '#':   flag_alternateform = 1;   break;
+        case '!':   flag_altform2 = 1;        break;
+        case '0':   flag_zeropad = 1;         break;
+        default:    done = 1;                 break;
+      }
+    }while( !done && (c=(*++fmt))!=0 );
+    /* Get the field width */
+    width = 0;
+    if( c=='*' ){
+      width = va_arg(ap,int);
+      if( width<0 ){
+        flag_leftjustify = 1;
+        width = -width;
+      }
+      c = *++fmt;
+    }else{
+      while( c>='0' && c<='9' ){
+        width = width*10 + c - '0';
+        c = *++fmt;
+      }
+    }
+    if( width > etBUFSIZE-10 ){
+      width = etBUFSIZE-10;
+    }
+    /* Get the precision */
+    if( c=='.' ){
+      precision = 0;
+      c = *++fmt;
+      if( c=='*' ){
+        precision = va_arg(ap,int);
+        if( precision<0 ) precision = -precision;
+        c = *++fmt;
+      }else{
+        while( c>='0' && c<='9' ){
+          precision = precision*10 + c - '0';
+          c = *++fmt;
+        }
+      }
+    }else{
+      precision = -1;
+    }
+    /* Get the conversion type modifier */
+    if( c=='l' ){
+      flag_long = 1;
+      c = *++fmt;
+      if( c=='l' ){
+        flag_longlong = 1;
+        c = *++fmt;
+      }else{
+        flag_longlong = 0;
+      }
+    }else{
+      flag_long = flag_longlong = 0;
+    }
+    /* Fetch the info entry for the field */
+    infop = 0;
+    for(idx=0; idx<etNINFO; idx++){
+      if( c==fmtinfo[idx].fmttype ){
+        infop = &fmtinfo[idx];
+        if( useExtended || (infop->flags & FLAG_INTERN)==0 ){
+          xtype = infop->type;
+        }else{
+          return -1;
+        }
+        break;
+      }
+    }
+    zExtra = 0;
+    if( infop==0 ){
+      return -1;
+    }
+
+
+    /* Limit the precision to prevent overflowing buf[] during conversion */
+    if( precision>etBUFSIZE-40 && (infop->flags & FLAG_STRING)==0 ){
+      precision = etBUFSIZE-40;
+    }
+
+    /*
+    ** At this point, variables are initialized as follows:
+    **
+    **   flag_alternateform          TRUE if a '#' is present.
+    **   flag_altform2               TRUE if a '!' is present.
+    **   flag_plussign               TRUE if a '+' is present.
+    **   flag_leftjustify            TRUE if a '-' is present or if the
+    **                               field width was negative.
+    **   flag_zeropad                TRUE if the width began with 0.
+    **   flag_long                   TRUE if the letter 'l' (ell) prefixed
+    **                               the conversion character.
+    **   flag_longlong               TRUE if the letter 'll' (ell ell) prefixed
+    **                               the conversion character.
+    **   flag_blanksign              TRUE if a ' ' is present.
+    **   width                       The specified field width.  This is
+    **                               always non-negative.  Zero is the default.
+    **   precision                   The specified precision.  The default
+    **                               is -1.
+    **   xtype                       The class of the conversion.
+    **   infop                       Pointer to the appropriate info struct.
+    */
+    switch( xtype ){
+      case etPOINTER:
+        flag_longlong = sizeof(char*)==sizeof(i64);
+        flag_long = sizeof(char*)==sizeof(long int);
+        /* Fall through into the next case */
+      case etRADIX:
+        if( infop->flags & FLAG_SIGNED ){
+          i64 v;
+          if( flag_longlong )   v = va_arg(ap,i64);
+          else if( flag_long )  v = va_arg(ap,long int);
+          else                  v = va_arg(ap,int);
+          if( v<0 ){
+            longvalue = -v;
+            prefix = '-';
+          }else{
+            longvalue = v;
+            if( flag_plussign )        prefix = '+';
+            else if( flag_blanksign )  prefix = ' ';
+            else                       prefix = 0;
+          }
+        }else{
+          if( flag_longlong )   longvalue = va_arg(ap,u64);
+          else if( flag_long )  longvalue = va_arg(ap,unsigned long int);
+          else                  longvalue = va_arg(ap,unsigned int);
+          prefix = 0;
+        }
+        if( longvalue==0 ) flag_alternateform = 0;
+        if( flag_zeropad && precision<width-(prefix!=0) ){
+          precision = width-(prefix!=0);
+        }
+        bufpt = &buf[etBUFSIZE-1];
+        {
+          register const char *cset;      /* Use registers for speed */
+          register int base;
+          cset = &aDigits[infop->charset];
+          base = infop->base;
+          do{                                           /* Convert to ascii */
+            *(--bufpt) = cset[longvalue%base];
+            longvalue = longvalue/base;
+          }while( longvalue>0 );
+        }
+        length = &buf[etBUFSIZE-1]-bufpt;
+        for(idx=precision-length; idx>0; idx--){
+          *(--bufpt) = '0';                             /* Zero pad */
+        }
+        if( prefix ) *(--bufpt) = prefix;               /* Add sign */
+        if( flag_alternateform && infop->prefix ){      /* Add "0" or "0x" */
+          const char *pre;
+          char x;
+          pre = &aPrefix[infop->prefix];
+          if( *bufpt!=pre[0] ){
+            for(; (x=(*pre))!=0; pre++) *(--bufpt) = x;
+          }
+        }
+        length = &buf[etBUFSIZE-1]-bufpt;
+        break;
+      case etFLOAT:
+      case etEXP:
+      case etGENERIC:
+        realvalue = va_arg(ap,double);
+#ifndef SQLITE_OMIT_FLOATING_POINT
+        if( precision<0 ) precision = 6;         /* Set default precision */
+        if( precision>etBUFSIZE/2-10 ) precision = etBUFSIZE/2-10;
+        if( realvalue<0.0 ){
+          realvalue = -realvalue;
+          prefix = '-';
+        }else{
+          if( flag_plussign )          prefix = '+';
+          else if( flag_blanksign )    prefix = ' ';
+          else                         prefix = 0;
+        }
+        if( xtype==etGENERIC && precision>0 ) precision--;
+#if 0
+        /* Rounding works like BSD when the constant 0.4999 is used.  Wierd! */
+        for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1);
+#else
+        /* It makes more sense to use 0.5 */
+        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+#endif
+        if( xtype==etFLOAT ) realvalue += rounder;
+        /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
+        exp = 0;
+        if( realvalue>0.0 ){
+          while( realvalue>=1e32 && exp<=350 ){ realvalue *= 1e-32; exp+=32; }
+          while( realvalue>=1e8 && exp<=350 ){ realvalue *= 1e-8; exp+=8; }
+          while( realvalue>=10.0 && exp<=350 ){ realvalue *= 0.1; exp++; }
+          while( realvalue<1e-8 && exp>=-350 ){ realvalue *= 1e8; exp-=8; }
+          while( realvalue<1.0 && exp>=-350 ){ realvalue *= 10.0; exp--; }
+          if( exp>350 || exp<-350 ){
+            bufpt = "NaN";
+            length = 3;
+            break;
+          }
+        }
+        bufpt = buf;
+        /*
+        ** If the field type is etGENERIC, then convert to either etEXP
+        ** or etFLOAT, as appropriate.
+        */
+        flag_exp = xtype==etEXP;
+        if( xtype!=etFLOAT ){
+          realvalue += rounder;
+          if( realvalue>=10.0 ){ realvalue *= 0.1; exp++; }
+        }
+        if( xtype==etGENERIC ){
+          flag_rtz = !flag_alternateform;
+          if( exp<-4 || exp>precision ){
+            xtype = etEXP;
+          }else{
+            precision = precision - exp;
+            xtype = etFLOAT;
+          }
+        }else{
+          flag_rtz = 0;
+        }
+        if( xtype==etEXP ){
+          e2 = 0;
+        }else{
+          e2 = exp;
+        }
+        nsd = 0;
+        flag_dp = (precision>0) | flag_alternateform | flag_altform2;
+        /* The sign in front of the number */
+        if( prefix ){
+          *(bufpt++) = prefix;
+        }
+        /* Digits prior to the decimal point */
+        if( e2<0 ){
+          *(bufpt++) = '0';
+        }else{
+          for(; e2>=0; e2--){
+            *(bufpt++) = et_getdigit(&realvalue,&nsd);
+          }
+        }
+        /* The decimal point */
+        if( flag_dp ){
+          *(bufpt++) = '.';
+        }
+        /* "0" digits after the decimal point but before the first
+        ** significant digit of the number */
+        for(e2++; e2<0 && precision>0; precision--, e2++){
+          *(bufpt++) = '0';
+        }
+        /* Significant digits after the decimal point */
+        while( (precision--)>0 ){
+          *(bufpt++) = et_getdigit(&realvalue,&nsd);
+        }
+        /* Remove trailing zeros and the "." if no digits follow the "." */
+        if( flag_rtz && flag_dp ){
+          while( bufpt[-1]=='0' ) *(--bufpt) = 0;
+          assert( bufpt>buf );
+          if( bufpt[-1]=='.' ){
+            if( flag_altform2 ){
+              *(bufpt++) = '0';
+            }else{
+              *(--bufpt) = 0;
+            }
+          }
+        }
+        /* Add the "eNNN" suffix */
+        if( flag_exp || (xtype==etEXP && exp) ){
+          *(bufpt++) = aDigits[infop->charset];
+          if( exp<0 ){
+            *(bufpt++) = '-'; exp = -exp;
+          }else{
+            *(bufpt++) = '+';
+          }
+          if( exp>=100 ){
+            *(bufpt++) = (exp/100)+'0';                /* 100's digit */
+            exp %= 100;
+          }
+          *(bufpt++) = exp/10+'0';                     /* 10's digit */
+          *(bufpt++) = exp%10+'0';                     /* 1's digit */
+        }
+        *bufpt = 0;
+
+        /* The converted number is in buf[] and zero terminated. Output it.
+        ** Note that the number is in the usual order, not reversed as with
+        ** integer conversions. */
+        length = bufpt-buf;
+        bufpt = buf;
+
+        /* Special case:  Add leading zeros if the flag_zeropad flag is
+        ** set and we are not left justified */
+        if( flag_zeropad && !flag_leftjustify && length < width){
+          int i;
+          int nPad = width - length;
+          for(i=width; i>=nPad; i--){
+            bufpt[i] = bufpt[i-nPad];
+          }
+          i = prefix!=0;
+          while( nPad-- ) bufpt[i++] = '0';
+          length = width;
+        }
+#endif
+        break;
+      case etSIZE:
+        *(va_arg(ap,int*)) = count;
+        length = width = 0;
+        break;
+      case etPERCENT:
+        buf[0] = '%';
+        bufpt = buf;
+        length = 1;
+        break;
+      case etCHARLIT:
+      case etCHARX:
+        c = buf[0] = (xtype==etCHARX ? va_arg(ap,int) : *++fmt);
+        if( precision>=0 ){
+          for(idx=1; idx<precision; idx++) buf[idx] = c;
+          length = precision;
+        }else{
+          length =1;
+        }
+        bufpt = buf;
+        break;
+      case etSTRING:
+      case etDYNSTRING:
+        bufpt = va_arg(ap,char*);
+        if( bufpt==0 ){
+          bufpt = "";
+        }else if( xtype==etDYNSTRING ){
+          zExtra = bufpt;
+        }
+        length = strlen(bufpt);
+        if( precision>=0 && precision<length ) length = precision;
+        break;
+      case etSQLESCAPE:
+      case etSQLESCAPE2: {
+        int i, j, n, ch, isnull;
+        int needQuote;
+        char *escarg = va_arg(ap,char*);
+        isnull = escarg==0;
+        if( isnull ) escarg = (xtype==etSQLESCAPE2 ? "NULL" : "(NULL)");
+        for(i=n=0; (ch=escarg[i])!=0; i++){
+          if( ch=='\'' )  n++;
+        }
+        needQuote = !isnull && xtype==etSQLESCAPE2;
+        n += i + 1 + needQuote*2;
+        if( n>etBUFSIZE ){
+          bufpt = zExtra = sqliteMalloc( n );
+          if( bufpt==0 ) return -1;
+        }else{
+          bufpt = buf;
+        }
+        j = 0;
+        if( needQuote ) bufpt[j++] = '\'';
+        for(i=0; (ch=escarg[i])!=0; i++){
+          bufpt[j++] = ch;
+          if( ch=='\'' ) bufpt[j++] = ch;
+        }
+        if( needQuote ) bufpt[j++] = '\'';
+        bufpt[j] = 0;
+        length = j;
+        /* The precision is ignored on %q and %Q */
+        /* if( precision>=0 && precision<length ) length = precision; */
+        break;
+      }
+      case etTOKEN: {
+        Token *pToken = va_arg(ap, Token*);
+        if( pToken && pToken->z ){
+          (*func)(arg, (char*)pToken->z, pToken->n);
+        }
+        length = width = 0;
+        break;
+      }
+      case etSRCLIST: {
+        SrcList *pSrc = va_arg(ap, SrcList*);
+        int k = va_arg(ap, int);
+        struct SrcList_item *pItem = &pSrc->a[k];
+        assert( k>=0 && k<pSrc->nSrc );
+        if( pItem->zDatabase && pItem->zDatabase[0] ){
+          (*func)(arg, pItem->zDatabase, strlen(pItem->zDatabase));
+          (*func)(arg, ".", 1);
+        }
+        (*func)(arg, pItem->zName, strlen(pItem->zName));
+        length = width = 0;
+        break;
+      }
+    }/* End switch over the format type */
+    /*
+    ** The text of the conversion is pointed to by "bufpt" and is
+    ** "length" characters long.  The field width is "width".  Do
+    ** the output.
+    */
+    if( !flag_leftjustify ){
+      register int nspace;
+      nspace = width-length;
+      if( nspace>0 ){
+        count += nspace;
+        while( nspace>=etSPACESIZE ){
+          (*func)(arg,spaces,etSPACESIZE);
+          nspace -= etSPACESIZE;
+        }
+        if( nspace>0 ) (*func)(arg,spaces,nspace);
+      }
+    }
+    if( length>0 ){
+      (*func)(arg,bufpt,length);
+      count += length;
+    }
+    if( flag_leftjustify ){
+      register int nspace;
+      nspace = width-length;
+      if( nspace>0 ){
+        count += nspace;
+        while( nspace>=etSPACESIZE ){
+          (*func)(arg,spaces,etSPACESIZE);
+          nspace -= etSPACESIZE;
+        }
+        if( nspace>0 ) (*func)(arg,spaces,nspace);
+      }
+    }
+    if( zExtra ){
+      sqliteFree(zExtra);
+    }
+  }/* End for loop over the format string */
+  return errorflag ? -1 : count;
+} /* End of function */
+
+
+/* This structure is used to store state information about the
+** write to memory that is currently in progress.
+*/
+struct sgMprintf {
+  char *zBase;     /* A base allocation */
+  char *zText;     /* The string collected so far */
+  int  nChar;      /* Length of the string so far */
+  int  nTotal;     /* Output size if unconstrained */
+  int  nAlloc;     /* Amount of space allocated in zText */
+  void *(*xRealloc)(void*,int);  /* Function used to realloc memory */
+};
+
+/* 
+** This function implements the callback from vxprintf. 
+**
+** This routine add nNewChar characters of text in zNewText to
+** the sgMprintf structure pointed to by "arg".
+*/
+static void mout(void *arg, const char *zNewText, int nNewChar){
+  struct sgMprintf *pM = (struct sgMprintf*)arg;
+  pM->nTotal += nNewChar;
+  if( pM->nChar + nNewChar + 1 > pM->nAlloc ){
+    if( pM->xRealloc==0 ){
+      nNewChar =  pM->nAlloc - pM->nChar - 1;
+    }else{
+      pM->nAlloc = pM->nChar + nNewChar*2 + 1;
+      if( pM->zText==pM->zBase ){
+        pM->zText = pM->xRealloc(0, pM->nAlloc);
+        if( pM->zText && pM->nChar ){
+          memcpy(pM->zText, pM->zBase, pM->nChar);
+        }
+      }else{
+        char *zNew;
+        zNew = pM->xRealloc(pM->zText, pM->nAlloc);
+        if( zNew ){
+          pM->zText = zNew;
+        }
+      }
+    }
+  }
+  if( pM->zText ){
+    if( nNewChar>0 ){
+      memcpy(&pM->zText[pM->nChar], zNewText, nNewChar);
+      pM->nChar += nNewChar;
+    }
+    pM->zText[pM->nChar] = 0;
+  }
+}
+
+/*
+** This routine is a wrapper around xprintf() that invokes mout() as
+** the consumer.  
+*/
+static char *base_vprintf(
+  void *(*xRealloc)(void*,int),   /* Routine to realloc memory. May be NULL */
+  int useInternal,                /* Use internal %-conversions if true */
+  char *zInitBuf,                 /* Initially write here, before mallocing */
+  int nInitBuf,                   /* Size of zInitBuf[] */
+  const char *zFormat,            /* format string */
+  va_list ap                      /* arguments */
+){
+  struct sgMprintf sM;
+  sM.zBase = sM.zText = zInitBuf;
+  sM.nChar = sM.nTotal = 0;
+  sM.nAlloc = nInitBuf;
+  sM.xRealloc = xRealloc;
+  vxprintf(mout, &sM, useInternal, zFormat, ap);
+  if( xRealloc ){
+    if( sM.zText==sM.zBase ){
+      sM.zText = xRealloc(0, sM.nChar+1);
+      if( sM.zText ){
+        memcpy(sM.zText, sM.zBase, sM.nChar+1);
+      }
+    }else if( sM.nAlloc>sM.nChar+10 ){
+      char *zNew = xRealloc(sM.zText, sM.nChar+1);
+      if( zNew ){
+        sM.zText = zNew;
+      }
+    }
+  }
+  return sM.zText;
+}
+
+/*
+** Realloc that is a real function, not a macro.
+*/
+static void *printf_realloc(void *old, int size){
+  return sqliteRealloc(old,size);
+}
+
+/*
+** Print into memory obtained from sqliteMalloc().  Use the internal
+** %-conversion extensions.
+*/
+char *sqlite3VMPrintf(const char *zFormat, va_list ap){
+  char zBase[SQLITE_PRINT_BUF_SIZE];
+  return base_vprintf(printf_realloc, 1, zBase, sizeof(zBase), zFormat, ap);
+}
+
+/*
+** Print into memory obtained from sqliteMalloc().  Use the internal
+** %-conversion extensions.
+*/
+char *sqlite3MPrintf(const char *zFormat, ...){
+  va_list ap;
+  char *z;
+  char zBase[SQLITE_PRINT_BUF_SIZE];
+  va_start(ap, zFormat);
+  z = base_vprintf(printf_realloc, 1, zBase, sizeof(zBase), zFormat, ap);
+  va_end(ap);
+  return z;
+}
+
+/*
+** Print into memory obtained from sqlite3_malloc().  Omit the internal
+** %-conversion extensions.
+*/
+char *sqlite3_vmprintf(const char *zFormat, va_list ap){
+  char zBase[SQLITE_PRINT_BUF_SIZE];
+  return base_vprintf(sqlite3_realloc, 0, zBase, sizeof(zBase), zFormat, ap);
+}
+
+/*
+** Print into memory obtained from sqlite3_malloc()().  Omit the internal
+** %-conversion extensions.
+*/
+char *sqlite3_mprintf(const char *zFormat, ...){
+  va_list ap;
+  char *z;
+  va_start(ap, zFormat);
+  z = sqlite3_vmprintf(zFormat, ap);
+  va_end(ap);
+  return z;
+}
+
+/*
+** sqlite3_snprintf() works like snprintf() except that it ignores the
+** current locale settings.  This is important for SQLite because we
+** are not able to use a "," as the decimal point in place of "." as
+** specified by some locales.
+*/
+char *sqlite3_snprintf(int n, char *zBuf, const char *zFormat, ...){
+  char *z;
+  va_list ap;
+
+  va_start(ap,zFormat);
+  z = base_vprintf(0, 0, zBuf, n, zFormat, ap);
+  va_end(ap);
+  return z;
+}
+
+#if defined(SQLITE_TEST) || defined(SQLITE_DEBUG)
+/*
+** A version of printf() that understands %lld.  Used for debugging.
+** The printf() built into some versions of windows does not understand %lld
+** and segfaults if you give it a long long int.
+*/
+void sqlite3DebugPrintf(const char *zFormat, ...){
+  extern int getpid(void);
+  va_list ap;
+  char zBuf[500];
+  va_start(ap, zFormat);
+  base_vprintf(0, 0, zBuf, sizeof(zBuf), zFormat, ap);
+  va_end(ap);
+  fprintf(stdout,"%s", zBuf);
+  fflush(stdout);
+}
+#endif
+
+/************** End of printf.c **********************************************/
+/************** Begin file random.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code to implement a pseudo-random number
+** generator (PRNG) for SQLite.
+**
+** Random numbers are used by some of the database backends in order
+** to generate random integer keys for tables or random filenames.
+**
+** $Id$
+*/
+
+
+/*
+** Get a single 8-bit random value from the RC4 PRNG.  The Mutex
+** must be held while executing this routine.
+**
+** Why not just use a library random generator like lrand48() for this?
+** Because the OP_NewRowid opcode in the VDBE depends on having a very
+** good source of random numbers.  The lrand48() library function may
+** well be good enough.  But maybe not.  Or maybe lrand48() has some
+** subtle problems on some systems that could cause problems.  It is hard
+** to know.  To minimize the risk of problems due to bad lrand48()
+** implementations, SQLite uses this random number generator based
+** on RC4, which we know works very well.
+**
+** (Later):  Actually, OP_NewRowid does not depend on a good source of
+** randomness any more.  But we will leave this code in all the same.
+*/
+static int randomByte(void){
+  unsigned char t;
+
+  /* All threads share a single random number generator.
+  ** This structure is the current state of the generator.
+  */
+  static struct {
+    unsigned char isInit;          /* True if initialized */
+    unsigned char i, j;            /* State variables */
+    unsigned char s[256];          /* State variables */
+  } prng;
+
+  /* Initialize the state of the random number generator once,
+  ** the first time this routine is called.  The seed value does
+  ** not need to contain a lot of randomness since we are not
+  ** trying to do secure encryption or anything like that...
+  **
+  ** Nothing in this file or anywhere else in SQLite does any kind of
+  ** encryption.  The RC4 algorithm is being used as a PRNG (pseudo-random
+  ** number generator) not as an encryption device.
+  */
+  if( !prng.isInit ){
+    int i;
+    char k[256];
+    prng.j = 0;
+    prng.i = 0;
+    sqlite3OsRandomSeed(k);
+    for(i=0; i<256; i++){
+      prng.s[i] = i;
+    }
+    for(i=0; i<256; i++){
+      prng.j += prng.s[i] + k[i];
+      t = prng.s[prng.j];
+      prng.s[prng.j] = prng.s[i];
+      prng.s[i] = t;
+    }
+    prng.isInit = 1;
+  }
+
+  /* Generate and return single random byte
+  */
+  prng.i++;
+  t = prng.s[prng.i];
+  prng.j += t;
+  prng.s[prng.i] = prng.s[prng.j];
+  prng.s[prng.j] = t;
+  t += prng.s[prng.i];
+  return prng.s[t];
+}
+
+/*
+** Return N random bytes.
+*/
+void sqlite3Randomness(int N, void *pBuf){
+  unsigned char *zBuf = pBuf;
+  sqlite3OsEnterMutex();
+  while( N-- ){
+    *(zBuf++) = randomByte();
+  }
+  sqlite3OsLeaveMutex();
+}
+
+/************** End of random.c **********************************************/
+/************** Begin file utf.c *********************************************/
+/*
+** 2004 April 13
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains routines used to translate between UTF-8, 
+** UTF-16, UTF-16BE, and UTF-16LE.
+**
+** $Id$
+**
+** Notes on UTF-8:
+**
+**   Byte-0    Byte-1    Byte-2    Byte-3    Value
+**  0xxxxxxx                                 00000000 00000000 0xxxxxxx
+**  110yyyyy  10xxxxxx                       00000000 00000yyy yyxxxxxx
+**  1110zzzz  10yyyyyy  10xxxxxx             00000000 zzzzyyyy yyxxxxxx
+**  11110uuu  10uuzzzz  10yyyyyy  10xxxxxx   000uuuuu zzzzyyyy yyxxxxxx
+**
+**
+** Notes on UTF-16:  (with wwww+1==uuuuu)
+**
+**      Word-0               Word-1          Value
+**  110110ww wwzzzzyy   110111yy yyxxxxxx    000uuuuu zzzzyyyy yyxxxxxx
+**  zzzzyyyy yyxxxxxx                        00000000 zzzzyyyy yyxxxxxx
+**
+**
+** BOM or Byte Order Mark:
+**     0xff 0xfe   little-endian utf-16 follows
+**     0xfe 0xff   big-endian utf-16 follows
+**
+**
+** Handling of malformed strings:
+**
+** SQLite accepts and processes malformed strings without an error wherever
+** possible. However this is not possible when converting between UTF-8 and
+** UTF-16.
+**
+** When converting malformed UTF-8 strings to UTF-16, one instance of the
+** replacement character U+FFFD for each byte that cannot be interpeted as
+** part of a valid unicode character.
+**
+** When converting malformed UTF-16 strings to UTF-8, one instance of the
+** replacement character U+FFFD for each pair of bytes that cannot be
+** interpeted as part of a valid unicode character.
+**
+** This file contains the following public routines:
+**
+** sqlite3VdbeMemTranslate() - Translate the encoding used by a Mem* string.
+** sqlite3VdbeMemHandleBom() - Handle byte-order-marks in UTF16 Mem* strings.
+** sqlite3utf16ByteLen()     - Calculate byte-length of a void* UTF16 string.
+** sqlite3utf8CharLen()      - Calculate char-length of a char* UTF8 string.
+** sqlite3utf8LikeCompare()  - Do a LIKE match given two UTF8 char* strings.
+**
+*/
+/************** Include vdbeInt.h in the middle of utf.c *********************/
+/************** Begin file vdbeInt.h *****************************************/
+/*
+** 2003 September 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This is the header file for information that is private to the
+** VDBE.  This information used to all be at the top of the single
+** source code file "vdbe.c".  When that file became too big (over
+** 6000 lines long) it was split up into several smaller files and
+** this header information was factored out.
+*/
+#ifndef _VDBEINT_H_
+#define _VDBEINT_H_
+
+/*
+** intToKey() and keyToInt() used to transform the rowid.  But with
+** the latest versions of the design they are no-ops.
+*/
+#define keyToInt(X)   (X)
+#define intToKey(X)   (X)
+
+/*
+** The makefile scans the vdbe.c source file and creates the following
+** array of string constants which are the names of all VDBE opcodes.  This
+** array is defined in a separate source code file named opcode.c which is
+** automatically generated by the makefile.
+*/
+extern const char *const sqlite3OpcodeNames[];
+
+/*
+** SQL is translated into a sequence of instructions to be
+** executed by a virtual machine.  Each instruction is an instance
+** of the following structure.
+*/
+typedef struct VdbeOp Op;
+
+/*
+** Boolean values
+*/
+typedef unsigned char Bool;
+
+/*
+** A cursor is a pointer into a single BTree within a database file.
+** The cursor can seek to a BTree entry with a particular key, or
+** loop over all entries of the Btree.  You can also insert new BTree
+** entries or retrieve the key or data from the entry that the cursor
+** is currently pointing to.
+** 
+** Every cursor that the virtual machine has open is represented by an
+** instance of the following structure.
+**
+** If the Cursor.isTriggerRow flag is set it means that this cursor is
+** really a single row that represents the NEW or OLD pseudo-table of
+** a row trigger.  The data for the row is stored in Cursor.pData and
+** the rowid is in Cursor.iKey.
+*/
+struct Cursor {
+  BtCursor *pCursor;    /* The cursor structure of the backend */
+  int iDb;              /* Index of cursor database in db->aDb[] (or -1) */
+  i64 lastRowid;        /* Last rowid from a Next or NextIdx operation */
+  i64 nextRowid;        /* Next rowid returned by OP_NewRowid */
+  Bool zeroed;          /* True if zeroed out and ready for reuse */
+  Bool rowidIsValid;    /* True if lastRowid is valid */
+  Bool atFirst;         /* True if pointing to first entry */
+  Bool useRandomRowid;  /* Generate new record numbers semi-randomly */
+  Bool nullRow;         /* True if pointing to a row with no data */
+  Bool nextRowidValid;  /* True if the nextRowid field is valid */
+  Bool pseudoTable;     /* This is a NEW or OLD pseudo-tables of a trigger */
+  Bool deferredMoveto;  /* A call to sqlite3BtreeMoveto() is needed */
+  Bool isTable;         /* True if a table requiring integer keys */
+  Bool isIndex;         /* True if an index containing keys only - no data */
+  u8 bogusIncrKey;      /* Something for pIncrKey to point to if pKeyInfo==0 */
+  i64 movetoTarget;     /* Argument to the deferred sqlite3BtreeMoveto() */
+  Btree *pBt;           /* Separate file holding temporary table */
+  int nData;            /* Number of bytes in pData */
+  char *pData;          /* Data for a NEW or OLD pseudo-table */
+  i64 iKey;             /* Key for the NEW or OLD pseudo-table row */
+  u8 *pIncrKey;         /* Pointer to pKeyInfo->incrKey */
+  KeyInfo *pKeyInfo;    /* Info about index keys needed by index cursors */
+  int nField;           /* Number of fields in the header */
+  i64 seqCount;         /* Sequence counter */
+  sqlite3_vtab_cursor *pVtabCursor;  /* The cursor for a virtual table */
+  const sqlite3_module *pModule;     /* Module for cursor pVtabCursor */
+
+  /* Cached information about the header for the data record that the
+  ** cursor is currently pointing to.  Only valid if cacheValid is true.
+  ** aRow might point to (ephemeral) data for the current row, or it might
+  ** be NULL.
+  */
+  int cacheStatus;      /* Cache is valid if this matches Vdbe.cacheCtr */
+  int payloadSize;      /* Total number of bytes in the record */
+  u32 *aType;           /* Type values for all entries in the record */
+  u32 *aOffset;         /* Cached offsets to the start of each columns data */
+  u8 *aRow;             /* Data for the current row, if all on one page */
+};
+typedef struct Cursor Cursor;
+
+/*
+** Number of bytes of string storage space available to each stack
+** layer without having to malloc.  NBFS is short for Number of Bytes
+** For Strings.
+*/
+#define NBFS 32
+
+/*
+** A value for Cursor.cacheValid that means the cache is always invalid.
+*/
+#define CACHE_STALE 0
+
+/*
+** Internally, the vdbe manipulates nearly all SQL values as Mem
+** structures. Each Mem struct may cache multiple representations (string,
+** integer etc.) of the same value.  A value (and therefore Mem structure)
+** has the following properties:
+**
+** Each value has a manifest type. The manifest type of the value stored
+** in a Mem struct is returned by the MemType(Mem*) macro. The type is
+** one of SQLITE_NULL, SQLITE_INTEGER, SQLITE_REAL, SQLITE_TEXT or
+** SQLITE_BLOB.
+*/
+struct Mem {
+  union {
+    i64 i;              /* Integer value. Or FuncDef* when flags==MEM_Agg */
+    FuncDef *pDef;      /* Used only when flags==MEM_Agg */
+  } u;
+  double r;           /* Real value */
+  char *z;            /* String or BLOB value */
+  int n;              /* Number of characters in string value, including '\0' */
+  u16 flags;          /* Some combination of MEM_Null, MEM_Str, MEM_Dyn, etc. */
+  u8  type;           /* One of MEM_Null, MEM_Str, etc. */
+  u8  enc;            /* TEXT_Utf8, TEXT_Utf16le, or TEXT_Utf16be */
+  void (*xDel)(void *);  /* If not null, call this function to delete Mem.z */
+  char zShort[NBFS];  /* Space for short strings */
+};
+typedef struct Mem Mem;
+
+/* One or more of the following flags are set to indicate the validOK
+** representations of the value stored in the Mem struct.
+**
+** If the MEM_Null flag is set, then the value is an SQL NULL value.
+** No other flags may be set in this case.
+**
+** If the MEM_Str flag is set then Mem.z points at a string representation.
+** Usually this is encoded in the same unicode encoding as the main
+** database (see below for exceptions). If the MEM_Term flag is also
+** set, then the string is nul terminated. The MEM_Int and MEM_Real 
+** flags may coexist with the MEM_Str flag.
+**
+** Multiple of these values can appear in Mem.flags.  But only one
+** at a time can appear in Mem.type.
+*/
+#define MEM_Null      0x0001   /* Value is NULL */
+#define MEM_Str       0x0002   /* Value is a string */
+#define MEM_Int       0x0004   /* Value is an integer */
+#define MEM_Real      0x0008   /* Value is a real number */
+#define MEM_Blob      0x0010   /* Value is a BLOB */
+
+/* Whenever Mem contains a valid string or blob representation, one of
+** the following flags must be set to determine the memory management
+** policy for Mem.z.  The MEM_Term flag tells us whether or not the
+** string is \000 or \u0000 terminated
+*/
+#define MEM_Term      0x0020   /* String rep is nul terminated */
+#define MEM_Dyn       0x0040   /* Need to call sqliteFree() on Mem.z */
+#define MEM_Static    0x0080   /* Mem.z points to a static string */
+#define MEM_Ephem     0x0100   /* Mem.z points to an ephemeral string */
+#define MEM_Short     0x0200   /* Mem.z points to Mem.zShort */
+#define MEM_Agg       0x0400   /* Mem.z points to an agg function context */
+
+
+/* A VdbeFunc is just a FuncDef (defined in sqliteInt.h) that contains
+** additional information about auxiliary information bound to arguments
+** of the function.  This is used to implement the sqlite3_get_auxdata()
+** and sqlite3_set_auxdata() APIs.  The "auxdata" is some auxiliary data
+** that can be associated with a constant argument to a function.  This
+** allows functions such as "regexp" to compile their constant regular
+** expression argument once and reused the compiled code for multiple
+** invocations.
+*/
+struct VdbeFunc {
+  FuncDef *pFunc;               /* The definition of the function */
+  int nAux;                     /* Number of entries allocated for apAux[] */
+  struct AuxData {
+    void *pAux;                   /* Aux data for the i-th argument */
+    void (*xDelete)(void *);      /* Destructor for the aux data */
+  } apAux[1];                   /* One slot for each function argument */
+};
+typedef struct VdbeFunc VdbeFunc;
+
+/*
+** The "context" argument for a installable function.  A pointer to an
+** instance of this structure is the first argument to the routines used
+** implement the SQL functions.
+**
+** There is a typedef for this structure in sqlite.h.  So all routines,
+** even the public interface to SQLite, can use a pointer to this structure.
+** But this file is the only place where the internal details of this
+** structure are known.
+**
+** This structure is defined inside of vdbeInt.h because it uses substructures
+** (Mem) which are only defined there.
+*/
+struct sqlite3_context {
+  FuncDef *pFunc;       /* Pointer to function information.  MUST BE FIRST */
+  VdbeFunc *pVdbeFunc;  /* Auxilary data, if created. */
+  Mem s;                /* The return value is stored here */
+  Mem *pMem;            /* Memory cell used to store aggregate context */
+  u8 isError;           /* Set to true for an error */
+  CollSeq *pColl;       /* Collating sequence */
+};
+
+/*
+** A Set structure is used for quick testing to see if a value
+** is part of a small set.  Sets are used to implement code like
+** this:
+**            x.y IN ('hi','hoo','hum')
+*/
+typedef struct Set Set;
+struct Set {
+  Hash hash;             /* A set is just a hash table */
+  HashElem *prev;        /* Previously accessed hash elemen */
+};
+
+/*
+** A FifoPage structure holds a single page of valves.  Pages are arranged
+** in a list.
+*/
+typedef struct FifoPage FifoPage;
+struct FifoPage {
+  int nSlot;         /* Number of entries aSlot[] */
+  int iWrite;        /* Push the next value into this entry in aSlot[] */
+  int iRead;         /* Read the next value from this entry in aSlot[] */
+  FifoPage *pNext;   /* Next page in the fifo */
+  i64 aSlot[1];      /* One or more slots for rowid values */
+};
+
+/*
+** The Fifo structure is typedef-ed in vdbeInt.h.  But the implementation
+** of that structure is private to this file.
+**
+** The Fifo structure describes the entire fifo.  
+*/
+typedef struct Fifo Fifo;
+struct Fifo {
+  int nEntry;         /* Total number of entries */
+  FifoPage *pFirst;   /* First page on the list */
+  FifoPage *pLast;    /* Last page on the list */
+};
+
+/*
+** A Context stores the last insert rowid, the last statement change count,
+** and the current statement change count (i.e. changes since last statement).
+** The current keylist is also stored in the context.
+** Elements of Context structure type make up the ContextStack, which is
+** updated by the ContextPush and ContextPop opcodes (used by triggers).
+** The context is pushed before executing a trigger a popped when the
+** trigger finishes.
+*/
+typedef struct Context Context;
+struct Context {
+  i64 lastRowid;    /* Last insert rowid (sqlite3.lastRowid) */
+  int nChange;      /* Statement changes (Vdbe.nChanges)     */
+  Fifo sFifo;       /* Records that will participate in a DELETE or UPDATE */
+};
+
+/*
+** An instance of the virtual machine.  This structure contains the complete
+** state of the virtual machine.
+**
+** The "sqlite3_stmt" structure pointer that is returned by sqlite3_compile()
+** is really a pointer to an instance of this structure.
+**
+** The Vdbe.inVtabMethod variable is set to non-zero for the duration of
+** any virtual table method invocations made by the vdbe program. It is
+** set to 2 for xDestroy method calls and 1 for all other methods. This
+** variable is used for two purposes: to allow xDestroy methods to execute
+** "DROP TABLE" statements and to prevent some nasty side effects of
+** malloc failure when SQLite is invoked recursively by a virtual table 
+** method function.
+*/
+struct Vdbe {
+  sqlite3 *db;        /* The whole database */
+  Vdbe *pPrev,*pNext; /* Linked list of VDBEs with the same Vdbe.db */
+  FILE *trace;        /* Write an execution trace here, if not NULL */
+  int nOp;            /* Number of instructions in the program */
+  int nOpAlloc;       /* Number of slots allocated for aOp[] */
+  Op *aOp;            /* Space to hold the virtual machine's program */
+  int nLabel;         /* Number of labels used */
+  int nLabelAlloc;    /* Number of slots allocated in aLabel[] */
+  int *aLabel;        /* Space to hold the labels */
+  Mem *aStack;        /* The operand stack, except string values */
+  Mem *pTos;          /* Top entry in the operand stack */
+  Mem **apArg;        /* Arguments to currently executing user function */
+  Mem *aColName;      /* Column names to return */
+  int nCursor;        /* Number of slots in apCsr[] */
+  Cursor **apCsr;     /* One element of this array for each open cursor */
+  int nVar;           /* Number of entries in aVar[] */
+  Mem *aVar;          /* Values for the OP_Variable opcode. */
+  char **azVar;       /* Name of variables */
+  int okVar;          /* True if azVar[] has been initialized */
+  int magic;              /* Magic number for sanity checking */
+  int nMem;               /* Number of memory locations currently allocated */
+  Mem *aMem;              /* The memory locations */
+  int nCallback;          /* Number of callbacks invoked so far */
+  int cacheCtr;           /* Cursor row cache generation counter */
+  Fifo sFifo;             /* A list of ROWIDs */
+  int contextStackTop;    /* Index of top element in the context stack */
+  int contextStackDepth;  /* The size of the "context" stack */
+  Context *contextStack;  /* Stack used by opcodes ContextPush & ContextPop*/
+  int pc;                 /* The program counter */
+  int rc;                 /* Value to return */
+  unsigned uniqueCnt;     /* Used by OP_MakeRecord when P2!=0 */
+  int errorAction;        /* Recovery action to do in case of an error */
+  int inTempTrans;        /* True if temp database is transactioned */
+  int returnStack[100];   /* Return address stack for OP_Gosub & OP_Return */
+  int returnDepth;        /* Next unused element in returnStack[] */
+  int nResColumn;         /* Number of columns in one row of the result set */
+  char **azResColumn;     /* Values for one row of result */ 
+  int popStack;           /* Pop the stack this much on entry to VdbeExec() */
+  char *zErrMsg;          /* Error message written here */
+  u8 resOnStack;          /* True if there are result values on the stack */
+  u8 explain;             /* True if EXPLAIN present on SQL command */
+  u8 changeCntOn;         /* True to update the change-counter */
+  u8 aborted;             /* True if ROLLBACK in another VM causes an abort */
+  u8 expired;             /* True if the VM needs to be recompiled */
+  u8 minWriteFileFormat;  /* Minimum file format for writable database files */
+  u8 inVtabMethod;        /* See comments above */
+  int nChange;            /* Number of db changes made since last reset */
+  i64 startTime;          /* Time when query started - used for profiling */
+  int nSql;             /* Number of bytes in zSql */
+  char *zSql;           /* Text of the SQL statement that generated this */
+#ifdef SQLITE_SSE
+  int fetchId;          /* Statement number used by sqlite3_fetch_statement */
+  int lru;              /* Counter used for LRU cache replacement */
+#endif
+};
+
+/*
+** The following are allowed values for Vdbe.magic
+*/
+#define VDBE_MAGIC_INIT     0x26bceaa5    /* Building a VDBE program */
+#define VDBE_MAGIC_RUN      0xbdf20da3    /* VDBE is ready to execute */
+#define VDBE_MAGIC_HALT     0x519c2973    /* VDBE has completed execution */
+#define VDBE_MAGIC_DEAD     0xb606c3c8    /* The VDBE has been deallocated */
+
+/*
+** Function prototypes
+*/
+void sqlite3VdbeFreeCursor(Vdbe *, Cursor*);
+void sqliteVdbePopStack(Vdbe*,int);
+int sqlite3VdbeCursorMoveto(Cursor*);
+#if defined(SQLITE_DEBUG) || defined(VDBE_PROFILE)
+void sqlite3VdbePrintOp(FILE*, int, Op*);
+#endif
+#ifdef SQLITE_DEBUG
+void sqlite3VdbePrintSql(Vdbe*);
+#endif
+int sqlite3VdbeSerialTypeLen(u32);
+u32 sqlite3VdbeSerialType(Mem*, int);
+int sqlite3VdbeSerialPut(unsigned char*, Mem*, int);
+int sqlite3VdbeSerialGet(const unsigned char*, u32, Mem*);
+void sqlite3VdbeDeleteAuxData(VdbeFunc*, int);
+
+int sqlite2BtreeKeyCompare(BtCursor *, const void *, int, int, int *);
+int sqlite3VdbeIdxKeyCompare(Cursor*, int , const unsigned char*, int*);
+int sqlite3VdbeIdxRowid(BtCursor *, i64 *);
+int sqlite3MemCompare(const Mem*, const Mem*, const CollSeq*);
+int sqlite3VdbeRecordCompare(void*,int,const void*,int, const void*);
+int sqlite3VdbeIdxRowidLen(const u8*);
+int sqlite3VdbeExec(Vdbe*);
+int sqlite3VdbeList(Vdbe*);
+int sqlite3VdbeHalt(Vdbe*);
+int sqlite3VdbeChangeEncoding(Mem *, int);
+int sqlite3VdbeMemCopy(Mem*, const Mem*);
+void sqlite3VdbeMemShallowCopy(Mem*, const Mem*, int);
+int sqlite3VdbeMemMove(Mem*, Mem*);
+int sqlite3VdbeMemNulTerminate(Mem*);
+int sqlite3VdbeMemSetStr(Mem*, const char*, int, u8, void(*)(void*));
+void sqlite3VdbeMemSetInt64(Mem*, i64);
+void sqlite3VdbeMemSetDouble(Mem*, double);
+void sqlite3VdbeMemSetNull(Mem*);
+int sqlite3VdbeMemMakeWriteable(Mem*);
+int sqlite3VdbeMemDynamicify(Mem*);
+int sqlite3VdbeMemStringify(Mem*, int);
+i64 sqlite3VdbeIntValue(Mem*);
+int sqlite3VdbeMemIntegerify(Mem*);
+double sqlite3VdbeRealValue(Mem*);
+void sqlite3VdbeIntegerAffinity(Mem*);
+int sqlite3VdbeMemRealify(Mem*);
+int sqlite3VdbeMemNumerify(Mem*);
+int sqlite3VdbeMemFromBtree(BtCursor*,int,int,int,Mem*);
+void sqlite3VdbeMemRelease(Mem *p);
+int sqlite3VdbeMemFinalize(Mem*, FuncDef*);
+#ifndef NDEBUG
+void sqlite3VdbeMemSanity(Mem*);
+int sqlite3VdbeOpcodeNoPush(u8);
+#endif
+int sqlite3VdbeMemTranslate(Mem*, u8);
+void sqlite3VdbeMemPrettyPrint(Mem *pMem, char *zBuf);
+int sqlite3VdbeMemHandleBom(Mem *pMem);
+void sqlite3VdbeFifoInit(Fifo*);
+int sqlite3VdbeFifoPush(Fifo*, i64);
+int sqlite3VdbeFifoPop(Fifo*, i64*);
+void sqlite3VdbeFifoClear(Fifo*);
+
+#endif /* !defined(_VDBEINT_H_) */
+
+/************** End of vdbeInt.h *********************************************/
+/************** Continuing where we left off in utf.c ************************/
+
+/*
+** The following constant value is used by the SQLITE_BIGENDIAN and
+** SQLITE_LITTLEENDIAN macros.
+*/
+const int sqlite3one = 1;
+
+/*
+** This table maps from the first byte of a UTF-8 character to the number
+** of trailing bytes expected. A value '4' indicates that the table key
+** is not a legal first byte for a UTF-8 character.
+*/
+static const u8 xtra_utf8_bytes[256]  = {
+/* 0xxxxxxx */
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+0, 0, 0, 0, 0, 0, 0, 0,     0, 0, 0, 0, 0, 0, 0, 0,
+
+/* 10wwwwww */
+4, 4, 4, 4, 4, 4, 4, 4,     4, 4, 4, 4, 4, 4, 4, 4,
+4, 4, 4, 4, 4, 4, 4, 4,     4, 4, 4, 4, 4, 4, 4, 4,
+4, 4, 4, 4, 4, 4, 4, 4,     4, 4, 4, 4, 4, 4, 4, 4,
+4, 4, 4, 4, 4, 4, 4, 4,     4, 4, 4, 4, 4, 4, 4, 4,
+
+/* 110yyyyy */
+1, 1, 1, 1, 1, 1, 1, 1,     1, 1, 1, 1, 1, 1, 1, 1,
+1, 1, 1, 1, 1, 1, 1, 1,     1, 1, 1, 1, 1, 1, 1, 1,
+
+/* 1110zzzz */
+2, 2, 2, 2, 2, 2, 2, 2,     2, 2, 2, 2, 2, 2, 2, 2,
+
+/* 11110yyy */
+3, 3, 3, 3, 3, 3, 3, 3,     4, 4, 4, 4, 4, 4, 4, 4,
+};
+
+/*
+** This table maps from the number of trailing bytes in a UTF-8 character
+** to an integer constant that is effectively calculated for each character
+** read by a naive implementation of a UTF-8 character reader. The code
+** in the READ_UTF8 macro explains things best.
+*/
+static const int xtra_utf8_bits[] =  {
+  0,
+  12416,          /* (0xC0 << 6) + (0x80) */
+  925824,         /* (0xE0 << 12) + (0x80 << 6) + (0x80) */
+  63447168        /* (0xF0 << 18) + (0x80 << 12) + (0x80 << 6) + 0x80 */
+};
+
+/*
+** If a UTF-8 character contains N bytes extra bytes (N bytes follow
+** the initial byte so that the total character length is N+1) then
+** masking the character with utf8_mask[N] must produce a non-zero
+** result.  Otherwise, we have an (illegal) overlong encoding.
+*/
+static const int utf_mask[] = {
+  0x00000000,
+  0xffffff80,
+  0xfffff800,
+  0xffff0000,
+};
+
+#define READ_UTF8(zIn, c) { \
+  int xtra;                                            \
+  c = *(zIn)++;                                        \
+  xtra = xtra_utf8_bytes[c];                           \
+  switch( xtra ){                                      \
+    case 4: c = (int)0xFFFD; break;                    \
+    case 3: c = (c<<6) + *(zIn)++;                     \
+    case 2: c = (c<<6) + *(zIn)++;                     \
+    case 1: c = (c<<6) + *(zIn)++;                     \
+    c -= xtra_utf8_bits[xtra];                         \
+    if( (utf_mask[xtra]&c)==0                          \
+        || (c&0xFFFFF800)==0xD800                      \
+        || (c&0xFFFFFFFE)==0xFFFE ){  c = 0xFFFD; }    \
+  }                                                    \
+}
+int sqlite3ReadUtf8(const unsigned char *z){
+  int c;
+  READ_UTF8(z, c);
+  return c;
+}
+
+#define SKIP_UTF8(zIn) {                               \
+  zIn += (xtra_utf8_bytes[*(u8 *)zIn] + 1);            \
+}
+
+#define WRITE_UTF8(zOut, c) {                          \
+  if( c<0x00080 ){                                     \
+    *zOut++ = (c&0xFF);                                \
+  }                                                    \
+  else if( c<0x00800 ){                                \
+    *zOut++ = 0xC0 + ((c>>6)&0x1F);                    \
+    *zOut++ = 0x80 + (c & 0x3F);                       \
+  }                                                    \
+  else if( c<0x10000 ){                                \
+    *zOut++ = 0xE0 + ((c>>12)&0x0F);                   \
+    *zOut++ = 0x80 + ((c>>6) & 0x3F);                  \
+    *zOut++ = 0x80 + (c & 0x3F);                       \
+  }else{                                               \
+    *zOut++ = 0xF0 + ((c>>18) & 0x07);                 \
+    *zOut++ = 0x80 + ((c>>12) & 0x3F);                 \
+    *zOut++ = 0x80 + ((c>>6) & 0x3F);                  \
+    *zOut++ = 0x80 + (c & 0x3F);                       \
+  }                                                    \
+}
+
+#define WRITE_UTF16LE(zOut, c) {                                \
+  if( c<=0xFFFF ){                                              \
+    *zOut++ = (c&0x00FF);                                       \
+    *zOut++ = ((c>>8)&0x00FF);                                  \
+  }else{                                                        \
+    *zOut++ = (((c>>10)&0x003F) + (((c-0x10000)>>10)&0x00C0));  \
+    *zOut++ = (0x00D8 + (((c-0x10000)>>18)&0x03));              \
+    *zOut++ = (c&0x00FF);                                       \
+    *zOut++ = (0x00DC + ((c>>8)&0x03));                         \
+  }                                                             \
+}
+
+#define WRITE_UTF16BE(zOut, c) {                                \
+  if( c<=0xFFFF ){                                              \
+    *zOut++ = ((c>>8)&0x00FF);                                  \
+    *zOut++ = (c&0x00FF);                                       \
+  }else{                                                        \
+    *zOut++ = (0x00D8 + (((c-0x10000)>>18)&0x03));              \
+    *zOut++ = (((c>>10)&0x003F) + (((c-0x10000)>>10)&0x00C0));  \
+    *zOut++ = (0x00DC + ((c>>8)&0x03));                         \
+    *zOut++ = (c&0x00FF);                                       \
+  }                                                             \
+}
+
+#define READ_UTF16LE(zIn, c){                                         \
+  c = (*zIn++);                                                       \
+  c += ((*zIn++)<<8);                                                 \
+  if( c>=0xD800 && c<=0xE000 ){                                       \
+    int c2 = (*zIn++);                                                \
+    c2 += ((*zIn++)<<8);                                              \
+    c = (c2&0x03FF) + ((c&0x003F)<<10) + (((c&0x03C0)+0x0040)<<10);   \
+    if( (c & 0xFFFF0000)==0 ) c = 0xFFFD;                             \
+  }                                                                   \
+}
+
+#define READ_UTF16BE(zIn, c){                                         \
+  c = ((*zIn++)<<8);                                                  \
+  c += (*zIn++);                                                      \
+  if( c>=0xD800 && c<=0xE000 ){                                       \
+    int c2 = ((*zIn++)<<8);                                           \
+    c2 += (*zIn++);                                                   \
+    c = (c2&0x03FF) + ((c&0x003F)<<10) + (((c&0x03C0)+0x0040)<<10);   \
+    if( (c & 0xFFFF0000)==0 ) c = 0xFFFD;                             \
+  }                                                                   \
+}
+
+#define SKIP_UTF16BE(zIn){                                            \
+  if( *zIn>=0xD8 && (*zIn<0xE0 || (*zIn==0xE0 && *(zIn+1)==0x00)) ){  \
+    zIn += 4;                                                         \
+  }else{                                                              \
+    zIn += 2;                                                         \
+  }                                                                   \
+}
+#define SKIP_UTF16LE(zIn){                                            \
+  zIn++;                                                              \
+  if( *zIn>=0xD8 && (*zIn<0xE0 || (*zIn==0xE0 && *(zIn-1)==0x00)) ){  \
+    zIn += 3;                                                         \
+  }else{                                                              \
+    zIn += 1;                                                         \
+  }                                                                   \
+}
+
+#define RSKIP_UTF16LE(zIn){                                            \
+  if( *zIn>=0xD8 && (*zIn<0xE0 || (*zIn==0xE0 && *(zIn-1)==0x00)) ){  \
+    zIn -= 4;                                                         \
+  }else{                                                              \
+    zIn -= 2;                                                         \
+  }                                                                   \
+}
+#define RSKIP_UTF16BE(zIn){                                            \
+  zIn--;                                                              \
+  if( *zIn>=0xD8 && (*zIn<0xE0 || (*zIn==0xE0 && *(zIn+1)==0x00)) ){  \
+    zIn -= 3;                                                         \
+  }else{                                                              \
+    zIn -= 1;                                                         \
+  }                                                                   \
+}
+
+/*
+** If the TRANSLATE_TRACE macro is defined, the value of each Mem is
+** printed on stderr on the way into and out of sqlite3VdbeMemTranslate().
+*/ 
+/* #define TRANSLATE_TRACE 1 */
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** This routine transforms the internal text encoding used by pMem to
+** desiredEnc. It is an error if the string is already of the desired
+** encoding, or if *pMem does not contain a string value.
+*/
+int sqlite3VdbeMemTranslate(Mem *pMem, u8 desiredEnc){
+  unsigned char zShort[NBFS]; /* Temporary short output buffer */
+  int len;                    /* Maximum length of output string in bytes */
+  unsigned char *zOut;                  /* Output buffer */
+  unsigned char *zIn;                   /* Input iterator */
+  unsigned char *zTerm;                 /* End of input */
+  unsigned char *z;                     /* Output iterator */
+  unsigned int c;
+
+  assert( pMem->flags&MEM_Str );
+  assert( pMem->enc!=desiredEnc );
+  assert( pMem->enc!=0 );
+  assert( pMem->n>=0 );
+
+#if defined(TRANSLATE_TRACE) && defined(SQLITE_DEBUG)
+  {
+    char zBuf[100];
+    sqlite3VdbeMemPrettyPrint(pMem, zBuf);
+    fprintf(stderr, "INPUT:  %s\n", zBuf);
+  }
+#endif
+
+  /* If the translation is between UTF-16 little and big endian, then 
+  ** all that is required is to swap the byte order. This case is handled
+  ** differently from the others.
+  */
+  if( pMem->enc!=SQLITE_UTF8 && desiredEnc!=SQLITE_UTF8 ){
+    u8 temp;
+    int rc;
+    rc = sqlite3VdbeMemMakeWriteable(pMem);
+    if( rc!=SQLITE_OK ){
+      assert( rc==SQLITE_NOMEM );
+      return SQLITE_NOMEM;
+    }
+    zIn = (u8*)pMem->z;
+    zTerm = &zIn[pMem->n];
+    while( zIn<zTerm ){
+      temp = *zIn;
+      *zIn = *(zIn+1);
+      zIn++;
+      *zIn++ = temp;
+    }
+    pMem->enc = desiredEnc;
+    goto translate_out;
+  }
+
+  /* Set len to the maximum number of bytes required in the output buffer. */
+  if( desiredEnc==SQLITE_UTF8 ){
+    /* When converting from UTF-16, the maximum growth results from
+    ** translating a 2-byte character to a 4-byte UTF-8 character.
+    ** A single byte is required for the output string
+    ** nul-terminator.
+    */
+    len = pMem->n * 2 + 1;
+  }else{
+    /* When converting from UTF-8 to UTF-16 the maximum growth is caused
+    ** when a 1-byte UTF-8 character is translated into a 2-byte UTF-16
+    ** character. Two bytes are required in the output buffer for the
+    ** nul-terminator.
+    */
+    len = pMem->n * 2 + 2;
+  }
+
+  /* Set zIn to point at the start of the input buffer and zTerm to point 1
+  ** byte past the end.
+  **
+  ** Variable zOut is set to point at the output buffer. This may be space
+  ** obtained from malloc(), or Mem.zShort, if it large enough and not in
+  ** use, or the zShort array on the stack (see above).
+  */
+  zIn = (u8*)pMem->z;
+  zTerm = &zIn[pMem->n];
+  if( len>NBFS ){
+    zOut = sqliteMallocRaw(len);
+    if( !zOut ) return SQLITE_NOMEM;
+  }else{
+    zOut = zShort;
+  }
+  z = zOut;
+
+  if( pMem->enc==SQLITE_UTF8 ){
+    if( desiredEnc==SQLITE_UTF16LE ){
+      /* UTF-8 -> UTF-16 Little-endian */
+      while( zIn<zTerm ){
+        READ_UTF8(zIn, c); 
+        WRITE_UTF16LE(z, c);
+      }
+    }else{
+      assert( desiredEnc==SQLITE_UTF16BE );
+      /* UTF-8 -> UTF-16 Big-endian */
+      while( zIn<zTerm ){
+        READ_UTF8(zIn, c); 
+        WRITE_UTF16BE(z, c);
+      }
+    }
+    pMem->n = z - zOut;
+    *z++ = 0;
+  }else{
+    assert( desiredEnc==SQLITE_UTF8 );
+    if( pMem->enc==SQLITE_UTF16LE ){
+      /* UTF-16 Little-endian -> UTF-8 */
+      while( zIn<zTerm ){
+        READ_UTF16LE(zIn, c); 
+        WRITE_UTF8(z, c);
+      }
+    }else{
+      /* UTF-16 Little-endian -> UTF-8 */
+      while( zIn<zTerm ){
+        READ_UTF16BE(zIn, c); 
+        WRITE_UTF8(z, c);
+      }
+    }
+    pMem->n = z - zOut;
+  }
+  *z = 0;
+  assert( (pMem->n+(desiredEnc==SQLITE_UTF8?1:2))<=len );
+
+  sqlite3VdbeMemRelease(pMem);
+  pMem->flags &= ~(MEM_Static|MEM_Dyn|MEM_Ephem|MEM_Short);
+  pMem->enc = desiredEnc;
+  if( zOut==zShort ){
+    memcpy(pMem->zShort, zOut, len);
+    zOut = (u8*)pMem->zShort;
+    pMem->flags |= (MEM_Term|MEM_Short);
+  }else{
+    pMem->flags |= (MEM_Term|MEM_Dyn);
+  }
+  pMem->z = (char*)zOut;
+
+translate_out:
+#if defined(TRANSLATE_TRACE) && defined(SQLITE_DEBUG)
+  {
+    char zBuf[100];
+    sqlite3VdbeMemPrettyPrint(pMem, zBuf);
+    fprintf(stderr, "OUTPUT: %s\n", zBuf);
+  }
+#endif
+  return SQLITE_OK;
+}
+
+/*
+** This routine checks for a byte-order mark at the beginning of the 
+** UTF-16 string stored in *pMem. If one is present, it is removed and
+** the encoding of the Mem adjusted. This routine does not do any
+** byte-swapping, it just sets Mem.enc appropriately.
+**
+** The allocation (static, dynamic etc.) and encoding of the Mem may be
+** changed by this function.
+*/
+int sqlite3VdbeMemHandleBom(Mem *pMem){
+  int rc = SQLITE_OK;
+  u8 bom = 0;
+
+  if( pMem->n<0 || pMem->n>1 ){
+    u8 b1 = *(u8 *)pMem->z;
+    u8 b2 = *(((u8 *)pMem->z) + 1);
+    if( b1==0xFE && b2==0xFF ){
+      bom = SQLITE_UTF16BE;
+    }
+    if( b1==0xFF && b2==0xFE ){
+      bom = SQLITE_UTF16LE;
+    }
+  }
+  
+  if( bom ){
+    /* This function is called as soon as a string is stored in a Mem*,
+    ** from within sqlite3VdbeMemSetStr(). At that point it is not possible
+    ** for the string to be stored in Mem.zShort, or for it to be stored
+    ** in dynamic memory with no destructor.
+    */
+    assert( !(pMem->flags&MEM_Short) );
+    assert( !(pMem->flags&MEM_Dyn) || pMem->xDel );
+    if( pMem->flags & MEM_Dyn ){
+      void (*xDel)(void*) = pMem->xDel;
+      char *z = pMem->z;
+      pMem->z = 0;
+      pMem->xDel = 0;
+      rc = sqlite3VdbeMemSetStr(pMem, &z[2], pMem->n-2, bom, SQLITE_TRANSIENT);
+      xDel(z);
+    }else{
+      rc = sqlite3VdbeMemSetStr(pMem, &pMem->z[2], pMem->n-2, bom, 
+          SQLITE_TRANSIENT);
+    }
+  }
+  return rc;
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** pZ is a UTF-8 encoded unicode string. If nByte is less than zero,
+** return the number of unicode characters in pZ up to (but not including)
+** the first 0x00 byte. If nByte is not less than zero, return the
+** number of unicode characters in the first nByte of pZ (or up to 
+** the first 0x00, whichever comes first).
+*/
+int sqlite3utf8CharLen(const char *z, int nByte){
+  int r = 0;
+  const char *zTerm;
+  if( nByte>=0 ){
+    zTerm = &z[nByte];
+  }else{
+    zTerm = (const char *)(-1);
+  }
+  assert( z<=zTerm );
+  while( *z!=0 && z<zTerm ){
+    SKIP_UTF8(z);
+    r++;
+  }
+  return r;
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Convert a UTF-16 string in the native encoding into a UTF-8 string.
+** Memory to hold the UTF-8 string is obtained from malloc and must be
+** freed by the calling function.
+**
+** NULL is returned if there is an allocation error.
+*/
+char *sqlite3utf16to8(const void *z, int nByte){
+  Mem m;
+  memset(&m, 0, sizeof(m));
+  sqlite3VdbeMemSetStr(&m, z, nByte, SQLITE_UTF16NATIVE, SQLITE_STATIC);
+  sqlite3VdbeChangeEncoding(&m, SQLITE_UTF8);
+  assert( (m.flags & MEM_Term)!=0 || sqlite3MallocFailed() );
+  assert( (m.flags & MEM_Str)!=0 || sqlite3MallocFailed() );
+  return (m.flags & MEM_Dyn)!=0 ? m.z : sqliteStrDup(m.z);
+}
+
+/*
+** pZ is a UTF-16 encoded unicode string. If nChar is less than zero,
+** return the number of bytes up to (but not including), the first pair
+** of consecutive 0x00 bytes in pZ. If nChar is not less than zero,
+** then return the number of bytes in the first nChar unicode characters
+** in pZ (or up until the first pair of 0x00 bytes, whichever comes first).
+*/
+int sqlite3utf16ByteLen(const void *zIn, int nChar){
+  unsigned int c = 1;
+  char const *z = zIn;
+  int n = 0;
+  if( SQLITE_UTF16NATIVE==SQLITE_UTF16BE ){
+    /* Using an "if (SQLITE_UTF16NATIVE==SQLITE_UTF16BE)" construct here
+    ** and in other parts of this file means that at one branch will
+    ** not be covered by coverage testing on any single host. But coverage
+    ** will be complete if the tests are run on both a little-endian and 
+    ** big-endian host. Because both the UTF16NATIVE and SQLITE_UTF16BE
+    ** macros are constant at compile time the compiler can determine
+    ** which branch will be followed. It is therefore assumed that no runtime
+    ** penalty is paid for this "if" statement.
+    */
+    while( c && ((nChar<0) || n<nChar) ){
+      READ_UTF16BE(z, c);
+      n++;
+    }
+  }else{
+    while( c && ((nChar<0) || n<nChar) ){
+      READ_UTF16LE(z, c);
+      n++;
+    }
+  }
+  return (z-(char const *)zIn)-((c==0)?2:0);
+}
+
+/*
+** UTF-16 implementation of the substr()
+*/
+void sqlite3utf16Substr(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int y, z;
+  unsigned char const *zStr;
+  unsigned char const *zStrEnd;
+  unsigned char const *zStart;
+  unsigned char const *zEnd;
+  int i;
+
+  zStr = (unsigned char const *)sqlite3_value_text16(argv[0]);
+  zStrEnd = &zStr[sqlite3_value_bytes16(argv[0])];
+  y = sqlite3_value_int(argv[1]);
+  z = sqlite3_value_int(argv[2]);
+
+  if( y>0 ){
+    y = y-1;
+    zStart = zStr;
+    if( SQLITE_UTF16BE==SQLITE_UTF16NATIVE ){
+      for(i=0; i<y && zStart<zStrEnd; i++) SKIP_UTF16BE(zStart);
+    }else{
+      for(i=0; i<y && zStart<zStrEnd; i++) SKIP_UTF16LE(zStart);
+    }
+  }else{
+    zStart = zStrEnd;
+    if( SQLITE_UTF16BE==SQLITE_UTF16NATIVE ){
+      for(i=y; i<0 && zStart>zStr; i++) RSKIP_UTF16BE(zStart);
+    }else{
+      for(i=y; i<0 && zStart>zStr; i++) RSKIP_UTF16LE(zStart);
+    }
+    for(; i<0; i++) z -= 1;
+  }
+
+  zEnd = zStart;
+  if( SQLITE_UTF16BE==SQLITE_UTF16NATIVE ){
+    for(i=0; i<z && zEnd<zStrEnd; i++) SKIP_UTF16BE(zEnd);
+  }else{
+    for(i=0; i<z && zEnd<zStrEnd; i++) SKIP_UTF16LE(zEnd);
+  }
+
+  sqlite3_result_text16(context, zStart, zEnd-zStart, SQLITE_TRANSIENT);
+}
+
+#if defined(SQLITE_TEST)
+/*
+** This routine is called from the TCL test function "translate_selftest".
+** It checks that the primitives for serializing and deserializing
+** characters in each encoding are inverses of each other.
+*/
+void sqlite3utfSelfTest(){
+  unsigned int i, t;
+  unsigned char zBuf[20];
+  unsigned char *z;
+  int n;
+  unsigned int c;
+
+  for(i=0; i<0x00110000; i++){
+    z = zBuf;
+    WRITE_UTF8(z, i);
+    n = z-zBuf;
+    z = zBuf;
+    READ_UTF8(z, c);
+    t = i;
+    if( i>=0xD800 && i<=0xDFFF ) t = 0xFFFD;
+    if( (i&0xFFFFFFFE)==0xFFFE ) t = 0xFFFD;
+    assert( c==t );
+    assert( (z-zBuf)==n );
+  }
+  for(i=0; i<0x00110000; i++){
+    if( i>=0xD800 && i<=0xE000 ) continue;
+    z = zBuf;
+    WRITE_UTF16LE(z, i);
+    n = z-zBuf;
+    z = zBuf;
+    READ_UTF16LE(z, c);
+    assert( c==i );
+    assert( (z-zBuf)==n );
+  }
+  for(i=0; i<0x00110000; i++){
+    if( i>=0xD800 && i<=0xE000 ) continue;
+    z = zBuf;
+    WRITE_UTF16BE(z, i);
+    n = z-zBuf;
+    z = zBuf;
+    READ_UTF16BE(z, c);
+    assert( c==i );
+    assert( (z-zBuf)==n );
+  }
+}
+#endif /* SQLITE_TEST */
+#endif /* SQLITE_OMIT_UTF16 */
+
+/************** End of utf.c *************************************************/
+/************** Begin file util.c ********************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** Utility functions used throughout sqlite.
+**
+** This file contains functions for allocating memory, comparing
+** strings, and stuff like that.
+**
+** $Id$
+*/
+
+/*
+** MALLOC WRAPPER ARCHITECTURE
+**
+** The sqlite code accesses dynamic memory allocation/deallocation by invoking
+** the following six APIs (which may be implemented as macros).
+**
+**     sqlite3Malloc()
+**     sqlite3MallocRaw()
+**     sqlite3Realloc()
+**     sqlite3ReallocOrFree()
+**     sqlite3Free()
+**     sqlite3AllocSize()
+**
+** The function sqlite3FreeX performs the same task as sqlite3Free and is
+** guaranteed to be a real function. The same holds for sqlite3MallocX
+**
+** The above APIs are implemented in terms of the functions provided in the
+** operating-system interface. The OS interface is never accessed directly
+** by code outside of this file.
+**
+**     sqlite3OsMalloc()
+**     sqlite3OsRealloc()
+**     sqlite3OsFree()
+**     sqlite3OsAllocationSize()
+**
+** Functions sqlite3MallocRaw() and sqlite3Realloc() may invoke 
+** sqlite3_release_memory() if a call to sqlite3OsMalloc() or
+** sqlite3OsRealloc() fails (or if the soft-heap-limit for the thread is
+** exceeded). Function sqlite3Malloc() usually invokes
+** sqlite3MallocRaw().
+**
+** MALLOC TEST WRAPPER ARCHITECTURE
+**
+** The test wrapper provides extra test facilities to ensure the library 
+** does not leak memory and handles the failure of the underlying OS level
+** allocation system correctly. It is only present if the library is 
+** compiled with the SQLITE_MEMDEBUG macro set.
+**
+**     * Guardposts to detect overwrites.
+**     * Ability to cause a specific Malloc() or Realloc() to fail.
+**     * Audit outstanding memory allocations (i.e check for leaks).
+*/
+
+#define MAX(x,y) ((x)>(y)?(x):(y))
+
+#if defined(SQLITE_ENABLE_MEMORY_MANAGEMENT) && !defined(SQLITE_OMIT_DISKIO)
+/*
+** Set the soft heap-size limit for the current thread. Passing a negative
+** value indicates no limit.
+*/
+void sqlite3_soft_heap_limit(int n){
+  ThreadData *pTd = sqlite3ThreadData();
+  if( pTd ){
+    pTd->nSoftHeapLimit = n;
+  }
+  sqlite3ReleaseThreadData();
+}
+
+/*
+** Release memory held by SQLite instances created by the current thread.
+*/
+int sqlite3_release_memory(int n){
+  return sqlite3PagerReleaseMemory(n);
+}
+#else
+/* If SQLITE_ENABLE_MEMORY_MANAGEMENT is not defined, then define a version
+** of sqlite3_release_memory() to be used by other code in this file.
+** This is done for no better reason than to reduce the number of 
+** pre-processor #ifndef statements.
+*/
+#define sqlite3_release_memory(x) 0    /* 0 == no memory freed */
+#endif
+
+#ifdef SQLITE_MEMDEBUG
+/*--------------------------------------------------------------------------
+** Begin code for memory allocation system test layer.
+**
+** Memory debugging is turned on by defining the SQLITE_MEMDEBUG macro.
+**
+** SQLITE_MEMDEBUG==1    -> Fence-posting only (thread safe) 
+** SQLITE_MEMDEBUG==2    -> Fence-posting + linked list of allocations (not ts)
+** SQLITE_MEMDEBUG==3    -> Above + backtraces (not thread safe, req. glibc)
+*/
+
+/* Figure out whether or not to store backtrace() information for each malloc.
+** The backtrace() function is only used if SQLITE_MEMDEBUG is set to 2 or 
+** greater and glibc is in use. If we don't want to use backtrace(), then just
+** define it as an empty macro and set the amount of space reserved to 0.
+*/
+#if defined(__GLIBC__) && SQLITE_MEMDEBUG>2
+  extern int backtrace(void **, int);
+  #define TESTALLOC_STACKSIZE 128
+  #define TESTALLOC_STACKFRAMES ((TESTALLOC_STACKSIZE-8)/sizeof(void*))
+#else
+  #define backtrace(x, y)
+  #define TESTALLOC_STACKSIZE 0
+  #define TESTALLOC_STACKFRAMES 0
+#endif
+
+/*
+** Number of 32-bit guard words.  This should probably be a multiple of
+** 2 since on 64-bit machines we want the value returned by sqliteMalloc()
+** to be 8-byte aligned.
+*/
+#ifndef TESTALLOC_NGUARD
+# define TESTALLOC_NGUARD 2
+#endif
+
+/*
+** Size reserved for storing file-name along with each malloc()ed blob.
+*/
+#define TESTALLOC_FILESIZE 64
+
+/*
+** Size reserved for storing the user string. Each time a Malloc() or Realloc()
+** call succeeds, up to TESTALLOC_USERSIZE bytes of the string pointed to by
+** sqlite3_malloc_id are stored along with the other test system metadata.
+*/
+#define TESTALLOC_USERSIZE 64
+const char *sqlite3_malloc_id = 0;
+
+/*
+** Blocks used by the test layer have the following format:
+**
+**        <sizeof(void *) pNext pointer>
+**        <sizeof(void *) pPrev pointer>
+**        <TESTALLOC_NGUARD 32-bit guard words>
+**            <The application level allocation>
+**        <TESTALLOC_NGUARD 32-bit guard words>
+**        <32-bit line number>
+**        <TESTALLOC_FILESIZE bytes containing null-terminated file name>
+**        <TESTALLOC_STACKSIZE bytes of backtrace() output>
+*/ 
+
+#define TESTALLOC_OFFSET_GUARD1(p)    (sizeof(void *) * 2)
+#define TESTALLOC_OFFSET_DATA(p) ( \
+  TESTALLOC_OFFSET_GUARD1(p) + sizeof(u32) * TESTALLOC_NGUARD \
+)
+#define TESTALLOC_OFFSET_GUARD2(p) ( \
+  TESTALLOC_OFFSET_DATA(p) + sqlite3OsAllocationSize(p) - TESTALLOC_OVERHEAD \
+)
+#define TESTALLOC_OFFSET_LINENUMBER(p) ( \
+  TESTALLOC_OFFSET_GUARD2(p) + sizeof(u32) * TESTALLOC_NGUARD \
+)
+#define TESTALLOC_OFFSET_FILENAME(p) ( \
+  TESTALLOC_OFFSET_LINENUMBER(p) + sizeof(u32) \
+)
+#define TESTALLOC_OFFSET_USER(p) ( \
+  TESTALLOC_OFFSET_FILENAME(p) + TESTALLOC_FILESIZE \
+)
+#define TESTALLOC_OFFSET_STACK(p) ( \
+  TESTALLOC_OFFSET_USER(p) + TESTALLOC_USERSIZE + 8 - \
+  (TESTALLOC_OFFSET_USER(p) % 8) \
+)
+
+#define TESTALLOC_OVERHEAD ( \
+  sizeof(void *)*2 +                   /* pPrev and pNext pointers */   \
+  TESTALLOC_NGUARD*sizeof(u32)*2 +              /* Guard words */       \
+  sizeof(u32) + TESTALLOC_FILESIZE +   /* File and line number */       \
+  TESTALLOC_USERSIZE +                 /* User string */                \
+  TESTALLOC_STACKSIZE                  /* backtrace() stack */          \
+)
+
+
+/*
+** For keeping track of the number of mallocs and frees.   This
+** is used to check for memory leaks.  The iMallocFail and iMallocReset
+** values are used to simulate malloc() failures during testing in 
+** order to verify that the library correctly handles an out-of-memory
+** condition.
+*/
+int sqlite3_nMalloc;         /* Number of sqliteMalloc() calls */
+int sqlite3_nFree;           /* Number of sqliteFree() calls */
+int sqlite3_memUsed;         /* TODO Total memory obtained from malloc */
+int sqlite3_memMax;          /* TODO Mem usage high-water mark */
+int sqlite3_iMallocFail;     /* Fail sqliteMalloc() after this many calls */
+int sqlite3_iMallocReset = -1; /* When iMallocFail reaches 0, set to this */
+
+void *sqlite3_pFirst = 0;         /* Pointer to linked list of allocations */
+int sqlite3_nMaxAlloc = 0;        /* High water mark of ThreadData.nAlloc */
+int sqlite3_mallocDisallowed = 0; /* assert() in sqlite3Malloc() if set */
+int sqlite3_isFail = 0;           /* True if all malloc calls should fail */
+const char *sqlite3_zFile = 0;    /* Filename to associate debug info with */
+int sqlite3_iLine = 0;            /* Line number for debug info */
+
+/*
+** Check for a simulated memory allocation failure.  Return true if
+** the failure should be simulated.  Return false to proceed as normal.
+*/
+int sqlite3TestMallocFail(){
+  if( sqlite3_isFail ){
+    return 1;
+  }
+  if( sqlite3_iMallocFail>=0 ){
+    sqlite3_iMallocFail--;
+    if( sqlite3_iMallocFail==0 ){
+      sqlite3_iMallocFail = sqlite3_iMallocReset;
+      sqlite3_isFail = 1;
+      return 1;
+    }
+  }
+  return 0;
+}
+
+/*
+** The argument is a pointer returned by sqlite3OsMalloc() or xRealloc().
+** assert() that the first and last (TESTALLOC_NGUARD*4) bytes are set to the
+** values set by the applyGuards() function.
+*/
+static void checkGuards(u32 *p)
+{
+  int i;
+  char *zAlloc = (char *)p;
+  char *z;
+
+  /* First set of guard words */
+  z = &zAlloc[TESTALLOC_OFFSET_GUARD1(p)];
+  for(i=0; i<TESTALLOC_NGUARD; i++){
+    assert(((u32 *)z)[i]==0xdead1122);
+  }
+
+  /* Second set of guard words */
+  z = &zAlloc[TESTALLOC_OFFSET_GUARD2(p)];
+  for(i=0; i<TESTALLOC_NGUARD; i++){
+    u32 guard = 0;
+    memcpy(&guard, &z[i*sizeof(u32)], sizeof(u32));
+    assert(guard==0xdead3344);
+  }
+}
+
+/*
+** The argument is a pointer returned by sqlite3OsMalloc() or Realloc(). The
+** first and last (TESTALLOC_NGUARD*4) bytes are set to known values for use as 
+** guard-posts.
+*/
+static void applyGuards(u32 *p)
+{
+  int i;
+  char *z;
+  char *zAlloc = (char *)p;
+
+  /* First set of guard words */
+  z = &zAlloc[TESTALLOC_OFFSET_GUARD1(p)];
+  for(i=0; i<TESTALLOC_NGUARD; i++){
+    ((u32 *)z)[i] = 0xdead1122;
+  }
+
+  /* Second set of guard words */
+  z = &zAlloc[TESTALLOC_OFFSET_GUARD2(p)];
+  for(i=0; i<TESTALLOC_NGUARD; i++){
+    static const int guard = 0xdead3344;
+    memcpy(&z[i*sizeof(u32)], &guard, sizeof(u32));
+  }
+
+  /* Line number */
+  z = &((char *)z)[TESTALLOC_NGUARD*sizeof(u32)];             /* Guard words */
+  z = &zAlloc[TESTALLOC_OFFSET_LINENUMBER(p)];
+  memcpy(z, &sqlite3_iLine, sizeof(u32));
+
+  /* File name */
+  z = &zAlloc[TESTALLOC_OFFSET_FILENAME(p)];
+  strncpy(z, sqlite3_zFile, TESTALLOC_FILESIZE);
+  z[TESTALLOC_FILESIZE - 1] = '\0';
+
+  /* User string */
+  z = &zAlloc[TESTALLOC_OFFSET_USER(p)];
+  z[0] = 0;
+  if( sqlite3_malloc_id ){
+    strncpy(z, sqlite3_malloc_id, TESTALLOC_USERSIZE);
+    z[TESTALLOC_USERSIZE-1] = 0;
+  }
+
+  /* backtrace() stack */
+  z = &zAlloc[TESTALLOC_OFFSET_STACK(p)];
+  backtrace((void **)z, TESTALLOC_STACKFRAMES);
+
+  /* Sanity check to make sure checkGuards() is working */
+  checkGuards(p);
+}
+
+/*
+** The argument is a malloc()ed pointer as returned by the test-wrapper.
+** Return a pointer to the Os level allocation.
+*/
+static void *getOsPointer(void *p)
+{
+  char *z = (char *)p;
+  return (void *)(&z[-1 * TESTALLOC_OFFSET_DATA(p)]);
+}
+
+
+#if SQLITE_MEMDEBUG>1
+/*
+** The argument points to an Os level allocation. Link it into the threads list
+** of allocations.
+*/
+static void linkAlloc(void *p){
+  void **pp = (void **)p;
+  pp[0] = 0;
+  pp[1] = sqlite3_pFirst;
+  if( sqlite3_pFirst ){
+    ((void **)sqlite3_pFirst)[0] = p;
+  }
+  sqlite3_pFirst = p;
+}
+
+/*
+** The argument points to an Os level allocation. Unlinke it from the threads
+** list of allocations.
+*/
+static void unlinkAlloc(void *p)
+{
+  void **pp = (void **)p;
+  if( p==sqlite3_pFirst ){
+    assert(!pp[0]);
+    assert(!pp[1] || ((void **)(pp[1]))[0]==p);
+    sqlite3_pFirst = pp[1];
+    if( sqlite3_pFirst ){
+      ((void **)sqlite3_pFirst)[0] = 0;
+    }
+  }else{
+    void **pprev = pp[0];
+    void **pnext = pp[1];
+    assert(pprev);
+    assert(pprev[1]==p);
+    pprev[1] = (void *)pnext;
+    if( pnext ){
+      assert(pnext[0]==p);
+      pnext[0] = (void *)pprev;
+    }
+  }
+}
+
+/*
+** Pointer p is a pointer to an OS level allocation that has just been
+** realloc()ed. Set the list pointers that point to this entry to it's new
+** location.
+*/
+static void relinkAlloc(void *p)
+{
+  void **pp = (void **)p;
+  if( pp[0] ){
+    ((void **)(pp[0]))[1] = p;
+  }else{
+    sqlite3_pFirst = p;
+  }
+  if( pp[1] ){
+    ((void **)(pp[1]))[0] = p;
+  }
+}
+#else
+#define linkAlloc(x)
+#define relinkAlloc(x)
+#define unlinkAlloc(x)
+#endif
+
+/*
+** This function sets the result of the Tcl interpreter passed as an argument
+** to a list containing an entry for each currently outstanding call made to 
+** sqliteMalloc and friends by the current thread. Each list entry is itself a
+** list, consisting of the following (in order):
+**
+**     * The number of bytes allocated
+**     * The __FILE__ macro at the time of the sqliteMalloc() call.
+**     * The __LINE__ macro ...
+**     * The value of the sqlite3_malloc_id variable ...
+**     * The output of backtrace() (if available) ...
+**
+** Todo: We could have a version of this function that outputs to stdout, 
+** to debug memory leaks when Tcl is not available.
+*/
+#if defined(TCLSH) && defined(SQLITE_DEBUG) && SQLITE_MEMDEBUG>1
+int sqlite3OutstandingMallocs(Tcl_Interp *interp){
+  void *p;
+  Tcl_Obj *pRes = Tcl_NewObj();
+  Tcl_IncrRefCount(pRes);
+
+
+  for(p=sqlite3_pFirst; p; p=((void **)p)[1]){
+    Tcl_Obj *pEntry = Tcl_NewObj();
+    Tcl_Obj *pStack = Tcl_NewObj();
+    char *z;
+    u32 iLine;
+    int nBytes = sqlite3OsAllocationSize(p) - TESTALLOC_OVERHEAD;
+    char *zAlloc = (char *)p;
+    int i;
+
+    Tcl_ListObjAppendElement(0, pEntry, Tcl_NewIntObj(nBytes));
+
+    z = &zAlloc[TESTALLOC_OFFSET_FILENAME(p)];
+    Tcl_ListObjAppendElement(0, pEntry, Tcl_NewStringObj(z, -1));
+
+    z = &zAlloc[TESTALLOC_OFFSET_LINENUMBER(p)];
+    memcpy(&iLine, z, sizeof(u32));
+    Tcl_ListObjAppendElement(0, pEntry, Tcl_NewIntObj(iLine));
+
+    z = &zAlloc[TESTALLOC_OFFSET_USER(p)];
+    Tcl_ListObjAppendElement(0, pEntry, Tcl_NewStringObj(z, -1));
+
+    z = &zAlloc[TESTALLOC_OFFSET_STACK(p)];
+    for(i=0; i<TESTALLOC_STACKFRAMES; i++){
+      char zHex[128];
+      sprintf(zHex, "%p", ((void **)z)[i]);
+      Tcl_ListObjAppendElement(0, pStack, Tcl_NewStringObj(zHex, -1));
+    }
+
+    Tcl_ListObjAppendElement(0, pEntry, pStack);
+    Tcl_ListObjAppendElement(0, pRes, pEntry);
+  }
+
+  Tcl_ResetResult(interp);
+  Tcl_SetObjResult(interp, pRes);
+  Tcl_DecrRefCount(pRes);
+  return TCL_OK;
+}
+#endif
+
+/*
+** This is the test layer's wrapper around sqlite3OsMalloc().
+*/
+static void * OSMALLOC(int n){
+  sqlite3OsEnterMutex();
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  sqlite3_nMaxAlloc = 
+      MAX(sqlite3_nMaxAlloc, sqlite3ThreadDataReadOnly()->nAlloc);
+#endif
+  assert( !sqlite3_mallocDisallowed );
+  if( !sqlite3TestMallocFail() ){
+    u32 *p;
+    p = (u32 *)sqlite3OsMalloc(n + TESTALLOC_OVERHEAD);
+    assert(p);
+    sqlite3_nMalloc++;
+    applyGuards(p);
+    linkAlloc(p);
+    sqlite3OsLeaveMutex();
+    return (void *)(&p[TESTALLOC_NGUARD + 2*sizeof(void *)/sizeof(u32)]);
+  }
+  sqlite3OsLeaveMutex();
+  return 0;
+}
+
+static int OSSIZEOF(void *p){
+  if( p ){
+    u32 *pOs = (u32 *)getOsPointer(p);
+    return sqlite3OsAllocationSize(pOs) - TESTALLOC_OVERHEAD;
+  }
+  return 0;
+}
+
+/*
+** This is the test layer's wrapper around sqlite3OsFree(). The argument is a
+** pointer to the space allocated for the application to use.
+*/
+static void OSFREE(void *pFree){
+  u32 *p;         /* Pointer to the OS-layer allocation */
+  sqlite3OsEnterMutex();
+  p = (u32 *)getOsPointer(pFree);
+  checkGuards(p);
+  unlinkAlloc(p);
+  memset(pFree, 0x55, OSSIZEOF(pFree));
+  sqlite3OsFree(p);
+  sqlite3_nFree++;
+  sqlite3OsLeaveMutex();
+}
+
+/*
+** This is the test layer's wrapper around sqlite3OsRealloc().
+*/
+static void * OSREALLOC(void *pRealloc, int n){
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  sqlite3_nMaxAlloc = 
+      MAX(sqlite3_nMaxAlloc, sqlite3ThreadDataReadOnly()->nAlloc);
+#endif
+  assert( !sqlite3_mallocDisallowed );
+  if( !sqlite3TestMallocFail() ){
+    u32 *p = (u32 *)getOsPointer(pRealloc);
+    checkGuards(p);
+    p = sqlite3OsRealloc(p, n + TESTALLOC_OVERHEAD);
+    applyGuards(p);
+    relinkAlloc(p);
+    return (void *)(&p[TESTALLOC_NGUARD + 2*sizeof(void *)/sizeof(u32)]);
+  }
+  return 0;
+}
+
+static void OSMALLOC_FAILED(){
+  sqlite3_isFail = 0;
+}
+
+#else
+/* Define macros to call the sqlite3OsXXX interface directly if 
+** the SQLITE_MEMDEBUG macro is not defined.
+*/
+#define OSMALLOC(x)        sqlite3OsMalloc(x)
+#define OSREALLOC(x,y)     sqlite3OsRealloc(x,y)
+#define OSFREE(x)          sqlite3OsFree(x)
+#define OSSIZEOF(x)        sqlite3OsAllocationSize(x)
+#define OSMALLOC_FAILED()
+
+#endif  /* SQLITE_MEMDEBUG */
+/*
+** End code for memory allocation system test layer.
+**--------------------------------------------------------------------------*/
+
+/*
+** This routine is called when we are about to allocate n additional bytes
+** of memory.  If the new allocation will put is over the soft allocation
+** limit, then invoke sqlite3_release_memory() to try to release some
+** memory before continuing with the allocation.
+**
+** This routine also makes sure that the thread-specific-data (TSD) has
+** be allocated.  If it has not and can not be allocated, then return
+** false.  The updateMemoryUsedCount() routine below will deallocate
+** the TSD if it ought to be.
+**
+** If SQLITE_ENABLE_MEMORY_MANAGEMENT is not defined, this routine is
+** a no-op
+*/ 
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+static int enforceSoftLimit(int n){
+  ThreadData *pTsd = sqlite3ThreadData();
+  if( pTsd==0 ){
+    return 0;
+  }
+  assert( pTsd->nAlloc>=0 );
+  if( n>0 && pTsd->nSoftHeapLimit>0 ){
+    while( pTsd->nAlloc+n>pTsd->nSoftHeapLimit && sqlite3_release_memory(n) ){}
+  }
+  return 1;
+}
+#else
+# define enforceSoftLimit(X)  1
+#endif
+
+/*
+** Update the count of total outstanding memory that is held in
+** thread-specific-data (TSD).  If after this update the TSD is
+** no longer being used, then deallocate it.
+**
+** If SQLITE_ENABLE_MEMORY_MANAGEMENT is not defined, this routine is
+** a no-op
+*/
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+static void updateMemoryUsedCount(int n){
+  ThreadData *pTsd = sqlite3ThreadData();
+  if( pTsd ){
+    pTsd->nAlloc += n;
+    assert( pTsd->nAlloc>=0 );
+    if( pTsd->nAlloc==0 && pTsd->nSoftHeapLimit==0 ){
+      sqlite3ReleaseThreadData();
+    }
+  }
+}
+#else
+#define updateMemoryUsedCount(x)  /* no-op */
+#endif
+
+/*
+** Allocate and return N bytes of uninitialised memory by calling
+** sqlite3OsMalloc(). If the Malloc() call fails, attempt to free memory 
+** by calling sqlite3_release_memory().
+*/
+void *sqlite3MallocRaw(int n, int doMemManage){
+  void *p = 0;
+  if( n>0 && !sqlite3MallocFailed() && (!doMemManage || enforceSoftLimit(n)) ){
+    while( (p = OSMALLOC(n))==0 && sqlite3_release_memory(n) ){}
+    if( !p ){
+      sqlite3FailedMalloc();
+      OSMALLOC_FAILED();
+    }else if( doMemManage ){
+      updateMemoryUsedCount(OSSIZEOF(p));
+    }
+  }
+  return p;
+}
+
+/*
+** Resize the allocation at p to n bytes by calling sqlite3OsRealloc(). The
+** pointer to the new allocation is returned.  If the Realloc() call fails,
+** attempt to free memory by calling sqlite3_release_memory().
+*/
+void *sqlite3Realloc(void *p, int n){
+  if( sqlite3MallocFailed() ){
+    return 0;
+  }
+
+  if( !p ){
+    return sqlite3Malloc(n, 1);
+  }else{
+    void *np = 0;
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+    int origSize = OSSIZEOF(p);
+#endif
+    if( enforceSoftLimit(n - origSize) ){
+      while( (np = OSREALLOC(p, n))==0 && sqlite3_release_memory(n) ){}
+      if( !np ){
+        sqlite3FailedMalloc();
+        OSMALLOC_FAILED();
+      }else{
+        updateMemoryUsedCount(OSSIZEOF(np) - origSize);
+      }
+    }
+    return np;
+  }
+}
+
+/*
+** Free the memory pointed to by p. p must be either a NULL pointer or a 
+** value returned by a previous call to sqlite3Malloc() or sqlite3Realloc().
+*/
+void sqlite3FreeX(void *p){
+  if( p ){
+    updateMemoryUsedCount(0 - OSSIZEOF(p));
+    OSFREE(p);
+  }
+}
+
+/*
+** A version of sqliteMalloc() that is always a function, not a macro.
+** Currently, this is used only to alloc to allocate the parser engine.
+*/
+void *sqlite3MallocX(int n){
+  return sqliteMalloc(n);
+}
+
+/*
+** sqlite3Malloc
+** sqlite3ReallocOrFree
+**
+** These two are implemented as wrappers around sqlite3MallocRaw(), 
+** sqlite3Realloc() and sqlite3Free().
+*/ 
+void *sqlite3Malloc(int n, int doMemManage){
+  void *p = sqlite3MallocRaw(n, doMemManage);
+  if( p ){
+    memset(p, 0, n);
+  }
+  return p;
+}
+void *sqlite3ReallocOrFree(void *p, int n){
+  void *pNew;
+  pNew = sqlite3Realloc(p, n);
+  if( !pNew ){
+    sqlite3FreeX(p);
+  }
+  return pNew;
+}
+
+/*
+** sqlite3ThreadSafeMalloc() and sqlite3ThreadSafeFree() are used in those
+** rare scenarios where sqlite may allocate memory in one thread and free
+** it in another. They are exactly the same as sqlite3Malloc() and 
+** sqlite3Free() except that:
+**
+**   * The allocated memory is not included in any calculations with 
+**     respect to the soft-heap-limit, and
+**
+**   * sqlite3ThreadSafeMalloc() must be matched with ThreadSafeFree(),
+**     not sqlite3Free(). Calling sqlite3Free() on memory obtained from
+**     ThreadSafeMalloc() will cause an error somewhere down the line.
+*/
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+void *sqlite3ThreadSafeMalloc(int n){
+  (void)ENTER_MALLOC;
+  return sqlite3Malloc(n, 0);
+}
+void sqlite3ThreadSafeFree(void *p){
+  (void)ENTER_MALLOC;
+  if( p ){
+    OSFREE(p);
+  }
+}
+#endif
+
+
+/*
+** Return the number of bytes allocated at location p. p must be either 
+** a NULL pointer (in which case 0 is returned) or a pointer returned by 
+** sqlite3Malloc(), sqlite3Realloc() or sqlite3ReallocOrFree().
+**
+** The number of bytes allocated does not include any overhead inserted by 
+** any malloc() wrapper functions that may be called. So the value returned
+** is the number of bytes that were available to SQLite using pointer p, 
+** regardless of how much memory was actually allocated.
+*/
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+int sqlite3AllocSize(void *p){
+  return OSSIZEOF(p);
+}
+#endif
+
+/*
+** Make a copy of a string in memory obtained from sqliteMalloc(). These 
+** functions call sqlite3MallocRaw() directly instead of sqliteMalloc(). This
+** is because when memory debugging is turned on, these two functions are 
+** called via macros that record the current file and line number in the
+** ThreadData structure.
+*/
+char *sqlite3StrDup(const char *z){
+  char *zNew;
+  if( z==0 ) return 0;
+  zNew = sqlite3MallocRaw(strlen(z)+1, 1);
+  if( zNew ) strcpy(zNew, z);
+  return zNew;
+}
+char *sqlite3StrNDup(const char *z, int n){
+  char *zNew;
+  if( z==0 ) return 0;
+  zNew = sqlite3MallocRaw(n+1, 1);
+  if( zNew ){
+    memcpy(zNew, z, n);
+    zNew[n] = 0;
+  }
+  return zNew;
+}
+
+/*
+** Create a string from the 2nd and subsequent arguments (up to the
+** first NULL argument), store the string in memory obtained from
+** sqliteMalloc() and make the pointer indicated by the 1st argument
+** point to that string.  The 1st argument must either be NULL or 
+** point to memory obtained from sqliteMalloc().
+*/
+void sqlite3SetString(char **pz, ...){
+  va_list ap;
+  int nByte;
+  const char *z;
+  char *zResult;
+
+  assert( pz!=0 );
+  nByte = 1;
+  va_start(ap, pz);
+  while( (z = va_arg(ap, const char*))!=0 ){
+    nByte += strlen(z);
+  }
+  va_end(ap);
+  sqliteFree(*pz);
+  *pz = zResult = sqliteMallocRaw( nByte );
+  if( zResult==0 ){
+    return;
+  }
+  *zResult = 0;
+  va_start(ap, pz);
+  while( (z = va_arg(ap, const char*))!=0 ){
+    strcpy(zResult, z);
+    zResult += strlen(zResult);
+  }
+  va_end(ap);
+}
+
+/*
+** Set the most recent error code and error string for the sqlite
+** handle "db". The error code is set to "err_code".
+**
+** If it is not NULL, string zFormat specifies the format of the
+** error string in the style of the printf functions: The following
+** format characters are allowed:
+**
+**      %s      Insert a string
+**      %z      A string that should be freed after use
+**      %d      Insert an integer
+**      %T      Insert a token
+**      %S      Insert the first element of a SrcList
+**
+** zFormat and any string tokens that follow it are assumed to be
+** encoded in UTF-8.
+**
+** To clear the most recent error for sqlite handle "db", sqlite3Error
+** should be called with err_code set to SQLITE_OK and zFormat set
+** to NULL.
+*/
+void sqlite3Error(sqlite3 *db, int err_code, const char *zFormat, ...){
+  if( db && (db->pErr || (db->pErr = sqlite3ValueNew())!=0) ){
+    db->errCode = err_code;
+    if( zFormat ){
+      char *z;
+      va_list ap;
+      va_start(ap, zFormat);
+      z = sqlite3VMPrintf(zFormat, ap);
+      va_end(ap);
+      sqlite3ValueSetStr(db->pErr, -1, z, SQLITE_UTF8, sqlite3FreeX);
+    }else{
+      sqlite3ValueSetStr(db->pErr, 0, 0, SQLITE_UTF8, SQLITE_STATIC);
+    }
+  }
+}
+
+/*
+** Add an error message to pParse->zErrMsg and increment pParse->nErr.
+** The following formatting characters are allowed:
+**
+**      %s      Insert a string
+**      %z      A string that should be freed after use
+**      %d      Insert an integer
+**      %T      Insert a token
+**      %S      Insert the first element of a SrcList
+**
+** This function should be used to report any error that occurs whilst
+** compiling an SQL statement (i.e. within sqlite3_prepare()). The
+** last thing the sqlite3_prepare() function does is copy the error
+** stored by this function into the database handle using sqlite3Error().
+** Function sqlite3Error() should be used during statement execution
+** (sqlite3_step() etc.).
+*/
+void sqlite3ErrorMsg(Parse *pParse, const char *zFormat, ...){
+  va_list ap;
+  pParse->nErr++;
+  sqliteFree(pParse->zErrMsg);
+  va_start(ap, zFormat);
+  pParse->zErrMsg = sqlite3VMPrintf(zFormat, ap);
+  va_end(ap);
+}
+
+/*
+** Clear the error message in pParse, if any
+*/
+void sqlite3ErrorClear(Parse *pParse){
+  sqliteFree(pParse->zErrMsg);
+  pParse->zErrMsg = 0;
+  pParse->nErr = 0;
+}
+
+/*
+** Convert an SQL-style quoted string into a normal string by removing
+** the quote characters.  The conversion is done in-place.  If the
+** input does not begin with a quote character, then this routine
+** is a no-op.
+**
+** 2002-Feb-14: This routine is extended to remove MS-Access style
+** brackets from around identifers.  For example:  "[a-b-c]" becomes
+** "a-b-c".
+*/
+void sqlite3Dequote(char *z){
+  int quote;
+  int i, j;
+  if( z==0 ) return;
+  quote = z[0];
+  switch( quote ){
+    case '\'':  break;
+    case '"':   break;
+    case '`':   break;                /* For MySQL compatibility */
+    case '[':   quote = ']';  break;  /* For MS SqlServer compatibility */
+    default:    return;
+  }
+  for(i=1, j=0; z[i]; i++){
+    if( z[i]==quote ){
+      if( z[i+1]==quote ){
+        z[j++] = quote;
+        i++;
+      }else{
+        z[j++] = 0;
+        break;
+      }
+    }else{
+      z[j++] = z[i];
+    }
+  }
+}
+
+/* An array to map all upper-case characters into their corresponding
+** lower-case character. 
+*/
+const unsigned char sqlite3UpperToLower[] = {
+#ifdef SQLITE_ASCII
+      0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17,
+     18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35,
+     36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53,
+     54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 97, 98, 99,100,101,102,103,
+    104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,
+    122, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,
+    108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,
+    126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,
+    144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,
+    162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,
+    180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,
+    198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,
+    216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,
+    234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,
+    252,253,254,255
+#endif
+#ifdef SQLITE_EBCDIC
+      0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, /* 0x */
+     16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, /* 1x */
+     32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, /* 2x */
+     48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, /* 3x */
+     64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, /* 4x */
+     80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, /* 5x */
+     96, 97, 66, 67, 68, 69, 70, 71, 72, 73,106,107,108,109,110,111, /* 6x */
+    112, 81, 82, 83, 84, 85, 86, 87, 88, 89,122,123,124,125,126,127, /* 7x */
+    128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143, /* 8x */
+    144,145,146,147,148,149,150,151,152,153,154,155,156,157,156,159, /* 9x */
+    160,161,162,163,164,165,166,167,168,169,170,171,140,141,142,175, /* Ax */
+    176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191, /* Bx */
+    192,129,130,131,132,133,134,135,136,137,202,203,204,205,206,207, /* Cx */
+    208,145,146,147,148,149,150,151,152,153,218,219,220,221,222,223, /* Dx */
+    224,225,162,163,164,165,166,167,168,169,232,203,204,205,206,207, /* Ex */
+    239,240,241,242,243,244,245,246,247,248,249,219,220,221,222,255, /* Fx */
+#endif
+};
+#define UpperToLower sqlite3UpperToLower
+
+/*
+** Some systems have stricmp().  Others have strcasecmp().  Because
+** there is no consistency, we will define our own.
+*/
+int sqlite3StrICmp(const char *zLeft, const char *zRight){
+  register unsigned char *a, *b;
+  a = (unsigned char *)zLeft;
+  b = (unsigned char *)zRight;
+  while( *a!=0 && UpperToLower[*a]==UpperToLower[*b]){ a++; b++; }
+  return UpperToLower[*a] - UpperToLower[*b];
+}
+int sqlite3StrNICmp(const char *zLeft, const char *zRight, int N){
+  register unsigned char *a, *b;
+  a = (unsigned char *)zLeft;
+  b = (unsigned char *)zRight;
+  while( N-- > 0 && *a!=0 && UpperToLower[*a]==UpperToLower[*b]){ a++; b++; }
+  return N<0 ? 0 : UpperToLower[*a] - UpperToLower[*b];
+}
+
+/*
+** Return TRUE if z is a pure numeric string.  Return FALSE if the
+** string contains any character which is not part of a number. If
+** the string is numeric and contains the '.' character, set *realnum
+** to TRUE (otherwise FALSE).
+**
+** An empty string is considered non-numeric.
+*/
+int sqlite3IsNumber(const char *z, int *realnum, u8 enc){
+  int incr = (enc==SQLITE_UTF8?1:2);
+  if( enc==SQLITE_UTF16BE ) z++;
+  if( *z=='-' || *z=='+' ) z += incr;
+  if( !isdigit(*(u8*)z) ){
+    return 0;
+  }
+  z += incr;
+  if( realnum ) *realnum = 0;
+  while( isdigit(*(u8*)z) ){ z += incr; }
+  if( *z=='.' ){
+    z += incr;
+    if( !isdigit(*(u8*)z) ) return 0;
+    while( isdigit(*(u8*)z) ){ z += incr; }
+    if( realnum ) *realnum = 1;
+  }
+  if( *z=='e' || *z=='E' ){
+    z += incr;
+    if( *z=='+' || *z=='-' ) z += incr;
+    if( !isdigit(*(u8*)z) ) return 0;
+    while( isdigit(*(u8*)z) ){ z += incr; }
+    if( realnum ) *realnum = 1;
+  }
+  return *z==0;
+}
+
+/*
+** The string z[] is an ascii representation of a real number.
+** Convert this string to a double.
+**
+** This routine assumes that z[] really is a valid number.  If it
+** is not, the result is undefined.
+**
+** This routine is used instead of the library atof() function because
+** the library atof() might want to use "," as the decimal point instead
+** of "." depending on how locale is set.  But that would cause problems
+** for SQL.  So this routine always uses "." regardless of locale.
+*/
+int sqlite3AtoF(const char *z, double *pResult){
+#ifndef SQLITE_OMIT_FLOATING_POINT
+  int sign = 1;
+  const char *zBegin = z;
+  LONGDOUBLE_TYPE v1 = 0.0;
+  while( isspace(*z) ) z++;
+  if( *z=='-' ){
+    sign = -1;
+    z++;
+  }else if( *z=='+' ){
+    z++;
+  }
+  while( isdigit(*(u8*)z) ){
+    v1 = v1*10.0 + (*z - '0');
+    z++;
+  }
+  if( *z=='.' ){
+    LONGDOUBLE_TYPE divisor = 1.0;
+    z++;
+    while( isdigit(*(u8*)z) ){
+      v1 = v1*10.0 + (*z - '0');
+      divisor *= 10.0;
+      z++;
+    }
+    v1 /= divisor;
+  }
+  if( *z=='e' || *z=='E' ){
+    int esign = 1;
+    int eval = 0;
+    LONGDOUBLE_TYPE scale = 1.0;
+    z++;
+    if( *z=='-' ){
+      esign = -1;
+      z++;
+    }else if( *z=='+' ){
+      z++;
+    }
+    while( isdigit(*(u8*)z) ){
+      eval = eval*10 + *z - '0';
+      z++;
+    }
+    while( eval>=64 ){ scale *= 1.0e+64; eval -= 64; }
+    while( eval>=16 ){ scale *= 1.0e+16; eval -= 16; }
+    while( eval>=4 ){ scale *= 1.0e+4; eval -= 4; }
+    while( eval>=1 ){ scale *= 1.0e+1; eval -= 1; }
+    if( esign<0 ){
+      v1 /= scale;
+    }else{
+      v1 *= scale;
+    }
+  }
+  *pResult = sign<0 ? -v1 : v1;
+  return z - zBegin;
+#else
+  return sqlite3atoi64(z, pResult);
+#endif /* SQLITE_OMIT_FLOATING_POINT */
+}
+
+/*
+** Return TRUE if zNum is a 64-bit signed integer and write
+** the value of the integer into *pNum.  If zNum is not an integer
+** or is an integer that is too large to be expressed with 64 bits,
+** then return false.  If n>0 and the integer is string is not
+** exactly n bytes long, return false.
+**
+** When this routine was originally written it dealt with only
+** 32-bit numbers.  At that time, it was much faster than the
+** atoi() library routine in RedHat 7.2.
+*/
+int sqlite3atoi64(const char *zNum, i64 *pNum){
+  i64 v = 0;
+  int neg;
+  int i, c;
+  while( isspace(*zNum) ) zNum++;
+  if( *zNum=='-' ){
+    neg = 1;
+    zNum++;
+  }else if( *zNum=='+' ){
+    neg = 0;
+    zNum++;
+  }else{
+    neg = 0;
+  }
+  for(i=0; (c=zNum[i])>='0' && c<='9'; i++){
+    v = v*10 + c - '0';
+  }
+  *pNum = neg ? -v : v;
+  return c==0 && i>0 && 
+      (i<19 || (i==19 && memcmp(zNum,"9223372036854775807",19)<=0));
+}
+
+/*
+** The string zNum represents an integer.  There might be some other
+** information following the integer too, but that part is ignored.
+** If the integer that the prefix of zNum represents will fit in a
+** 32-bit signed integer, return TRUE.  Otherwise return FALSE.
+**
+** This routine returns FALSE for the string -2147483648 even that
+** that number will in fact fit in a 32-bit integer.  But positive
+** 2147483648 will not fit in 32 bits.  So it seems safer to return
+** false.
+*/
+static int sqlite3FitsIn32Bits(const char *zNum){
+  int i, c;
+  if( *zNum=='-' || *zNum=='+' ) zNum++;
+  for(i=0; (c=zNum[i])>='0' && c<='9'; i++){}
+  return i<10 || (i==10 && memcmp(zNum,"2147483647",10)<=0);
+}
+
+/*
+** If zNum represents an integer that will fit in 32-bits, then set
+** *pValue to that integer and return true.  Otherwise return false.
+*/
+int sqlite3GetInt32(const char *zNum, int *pValue){
+  if( sqlite3FitsIn32Bits(zNum) ){
+    *pValue = atoi(zNum);
+    return 1;
+  }
+  return 0;
+}
+
+/*
+** The string zNum represents an integer.  There might be some other
+** information following the integer too, but that part is ignored.
+** If the integer that the prefix of zNum represents will fit in a
+** 64-bit signed integer, return TRUE.  Otherwise return FALSE.
+**
+** This routine returns FALSE for the string -9223372036854775808 even that
+** that number will, in theory fit in a 64-bit integer.  Positive
+** 9223373036854775808 will not fit in 64 bits.  So it seems safer to return
+** false.
+*/
+int sqlite3FitsIn64Bits(const char *zNum){
+  int i, c;
+  if( *zNum=='-' || *zNum=='+' ) zNum++;
+  for(i=0; (c=zNum[i])>='0' && c<='9'; i++){}
+  return i<19 || (i==19 && memcmp(zNum,"9223372036854775807",19)<=0);
+}
+
+
+/*
+** Change the sqlite.magic from SQLITE_MAGIC_OPEN to SQLITE_MAGIC_BUSY.
+** Return an error (non-zero) if the magic was not SQLITE_MAGIC_OPEN
+** when this routine is called.
+**
+** This routine is called when entering an SQLite API.  The SQLITE_MAGIC_OPEN
+** value indicates that the database connection passed into the API is
+** open and is not being used by another thread.  By changing the value
+** to SQLITE_MAGIC_BUSY we indicate that the connection is in use.
+** sqlite3SafetyOff() below will change the value back to SQLITE_MAGIC_OPEN
+** when the API exits. 
+**
+** This routine is a attempt to detect if two threads use the
+** same sqlite* pointer at the same time.  There is a race 
+** condition so it is possible that the error is not detected.
+** But usually the problem will be seen.  The result will be an
+** error which can be used to debug the application that is
+** using SQLite incorrectly.
+**
+** Ticket #202:  If db->magic is not a valid open value, take care not
+** to modify the db structure at all.  It could be that db is a stale
+** pointer.  In other words, it could be that there has been a prior
+** call to sqlite3_close(db) and db has been deallocated.  And we do
+** not want to write into deallocated memory.
+*/
+int sqlite3SafetyOn(sqlite3 *db){
+  if( db->magic==SQLITE_MAGIC_OPEN ){
+    db->magic = SQLITE_MAGIC_BUSY;
+    return 0;
+  }else if( db->magic==SQLITE_MAGIC_BUSY ){
+    db->magic = SQLITE_MAGIC_ERROR;
+    db->u1.isInterrupted = 1;
+  }
+  return 1;
+}
+
+/*
+** Change the magic from SQLITE_MAGIC_BUSY to SQLITE_MAGIC_OPEN.
+** Return an error (non-zero) if the magic was not SQLITE_MAGIC_BUSY
+** when this routine is called.
+*/
+int sqlite3SafetyOff(sqlite3 *db){
+  if( db->magic==SQLITE_MAGIC_BUSY ){
+    db->magic = SQLITE_MAGIC_OPEN;
+    return 0;
+  }else {
+    db->magic = SQLITE_MAGIC_ERROR;
+    db->u1.isInterrupted = 1;
+    return 1;
+  }
+}
+
+/*
+** Check to make sure we have a valid db pointer.  This test is not
+** foolproof but it does provide some measure of protection against
+** misuse of the interface such as passing in db pointers that are
+** NULL or which have been previously closed.  If this routine returns
+** TRUE it means that the db pointer is invalid and should not be
+** dereferenced for any reason.  The calling function should invoke
+** SQLITE_MISUSE immediately.
+*/
+int sqlite3SafetyCheck(sqlite3 *db){
+  int magic;
+  if( db==0 ) return 1;
+  magic = db->magic;
+  if( magic!=SQLITE_MAGIC_CLOSED &&
+         magic!=SQLITE_MAGIC_OPEN &&
+         magic!=SQLITE_MAGIC_BUSY ) return 1;
+  return 0;
+}
+
+/*
+** The variable-length integer encoding is as follows:
+**
+** KEY:
+**         A = 0xxxxxxx    7 bits of data and one flag bit
+**         B = 1xxxxxxx    7 bits of data and one flag bit
+**         C = xxxxxxxx    8 bits of data
+**
+**  7 bits - A
+** 14 bits - BA
+** 21 bits - BBA
+** 28 bits - BBBA
+** 35 bits - BBBBA
+** 42 bits - BBBBBA
+** 49 bits - BBBBBBA
+** 56 bits - BBBBBBBA
+** 64 bits - BBBBBBBBC
+*/
+
+/*
+** Write a 64-bit variable-length integer to memory starting at p[0].
+** The length of data write will be between 1 and 9 bytes.  The number
+** of bytes written is returned.
+**
+** A variable-length integer consists of the lower 7 bits of each byte
+** for all bytes that have the 8th bit set and one byte with the 8th
+** bit clear.  Except, if we get to the 9th byte, it stores the full
+** 8 bits and is the last byte.
+*/
+int sqlite3PutVarint(unsigned char *p, u64 v){
+  int i, j, n;
+  u8 buf[10];
+  if( v & (((u64)0xff000000)<<32) ){
+    p[8] = v;
+    v >>= 8;
+    for(i=7; i>=0; i--){
+      p[i] = (v & 0x7f) | 0x80;
+      v >>= 7;
+    }
+    return 9;
+  }    
+  n = 0;
+  do{
+    buf[n++] = (v & 0x7f) | 0x80;
+    v >>= 7;
+  }while( v!=0 );
+  buf[0] &= 0x7f;
+  assert( n<=9 );
+  for(i=0, j=n-1; j>=0; j--, i++){
+    p[i] = buf[j];
+  }
+  return n;
+}
+
+/*
+** Read a 64-bit variable-length integer from memory starting at p[0].
+** Return the number of bytes read.  The value is stored in *v.
+*/
+int sqlite3GetVarint(const unsigned char *p, u64 *v){
+  u32 x;
+  u64 x64;
+  int n;
+  unsigned char c;
+  if( ((c = p[0]) & 0x80)==0 ){
+    *v = c;
+    return 1;
+  }
+  x = c & 0x7f;
+  if( ((c = p[1]) & 0x80)==0 ){
+    *v = (x<<7) | c;
+    return 2;
+  }
+  x = (x<<7) | (c&0x7f);
+  if( ((c = p[2]) & 0x80)==0 ){
+    *v = (x<<7) | c;
+    return 3;
+  }
+  x = (x<<7) | (c&0x7f);
+  if( ((c = p[3]) & 0x80)==0 ){
+    *v = (x<<7) | c;
+    return 4;
+  }
+  x64 = (x<<7) | (c&0x7f);
+  n = 4;
+  do{
+    c = p[n++];
+    if( n==9 ){
+      x64 = (x64<<8) | c;
+      break;
+    }
+    x64 = (x64<<7) | (c&0x7f);
+  }while( (c & 0x80)!=0 );
+  *v = x64;
+  return n;
+}
+
+/*
+** Read a 32-bit variable-length integer from memory starting at p[0].
+** Return the number of bytes read.  The value is stored in *v.
+*/
+int sqlite3GetVarint32(const unsigned char *p, u32 *v){
+  u32 x;
+  int n;
+  unsigned char c;
+  if( ((signed char*)p)[0]>=0 ){
+    *v = p[0];
+    return 1;
+  }
+  x = p[0] & 0x7f;
+  if( ((signed char*)p)[1]>=0 ){
+    *v = (x<<7) | p[1];
+    return 2;
+  }
+  x = (x<<7) | (p[1] & 0x7f);
+  n = 2;
+  do{
+    x = (x<<7) | ((c = p[n++])&0x7f);
+  }while( (c & 0x80)!=0 && n<9 );
+  *v = x;
+  return n;
+}
+
+/*
+** Return the number of bytes that will be needed to store the given
+** 64-bit integer.
+*/
+int sqlite3VarintLen(u64 v){
+  int i = 0;
+  do{
+    i++;
+    v >>= 7;
+  }while( v!=0 && i<9 );
+  return i;
+}
+
+#if !defined(SQLITE_OMIT_BLOB_LITERAL) || defined(SQLITE_HAS_CODEC) \
+    || defined(SQLITE_TEST)
+/*
+** Translate a single byte of Hex into an integer.
+*/
+static int hexToInt(int h){
+  if( h>='0' && h<='9' ){
+    return h - '0';
+  }else if( h>='a' && h<='f' ){
+    return h - 'a' + 10;
+  }else{
+    assert( h>='A' && h<='F' );
+    return h - 'A' + 10;
+  }
+}
+#endif /* !SQLITE_OMIT_BLOB_LITERAL || SQLITE_HAS_CODEC || SQLITE_TEST */
+
+#if !defined(SQLITE_OMIT_BLOB_LITERAL) || defined(SQLITE_HAS_CODEC)
+/*
+** Convert a BLOB literal of the form "x'hhhhhh'" into its binary
+** value.  Return a pointer to its binary value.  Space to hold the
+** binary value has been obtained from malloc and must be freed by
+** the calling routine.
+*/
+void *sqlite3HexToBlob(const char *z){
+  char *zBlob;
+  int i;
+  int n = strlen(z);
+  if( n%2 ) return 0;
+
+  zBlob = (char *)sqliteMalloc(n/2);
+  if( zBlob ){
+    for(i=0; i<n; i+=2){
+      zBlob[i/2] = (hexToInt(z[i])<<4) | hexToInt(z[i+1]);
+    }
+  }
+  return zBlob;
+}
+#endif /* !SQLITE_OMIT_BLOB_LITERAL || SQLITE_HAS_CODEC */
+
+#if defined(SQLITE_TEST)
+/*
+** Convert text generated by the "%p" conversion format back into
+** a pointer.
+*/
+void *sqlite3TextToPtr(const char *z){
+  void *p;
+  u64 v;
+  u32 v2;
+  if( z[0]=='0' && z[1]=='x' ){
+    z += 2;
+  }
+  v = 0;
+  while( *z ){
+    v = (v<<4) + hexToInt(*z);
+    z++;
+  }
+  if( sizeof(p)==sizeof(v) ){
+    memcpy(&p, &v, sizeof(p));
+  }else{
+    assert( sizeof(p)==sizeof(v2) );
+    v2 = (u32)v;
+    memcpy(&p, &v2, sizeof(p));
+  }
+  return p;
+}
+#endif
+
+/*
+** Return a pointer to the ThreadData associated with the calling thread.
+*/
+ThreadData *sqlite3ThreadData(){
+  ThreadData *p = (ThreadData*)sqlite3OsThreadSpecificData(1);
+  if( !p ){
+    sqlite3FailedMalloc();
+  }
+  return p;
+}
+
+/*
+** Return a pointer to the ThreadData associated with the calling thread.
+** If no ThreadData has been allocated to this thread yet, return a pointer
+** to a substitute ThreadData structure that is all zeros. 
+*/
+const ThreadData *sqlite3ThreadDataReadOnly(){
+  static const ThreadData zeroData = {0};  /* Initializer to silence warnings
+                                           ** from broken compilers */
+  const ThreadData *pTd = sqlite3OsThreadSpecificData(0);
+  return pTd ? pTd : &zeroData;
+}
+
+/*
+** Check to see if the ThreadData for this thread is all zero.  If it
+** is, then deallocate it. 
+*/
+void sqlite3ReleaseThreadData(){
+  sqlite3OsThreadSpecificData(-1);
+}
+
+/*
+** This function must be called before exiting any API function (i.e. 
+** returning control to the user) that has called sqlite3Malloc or
+** sqlite3Realloc.
+**
+** The returned value is normally a copy of the second argument to this
+** function. However, if a malloc() failure has occured since the previous
+** invocation SQLITE_NOMEM is returned instead. 
+**
+** If the first argument, db, is not NULL and a malloc() error has occured,
+** then the connection error-code (the value returned by sqlite3_errcode())
+** is set to SQLITE_NOMEM.
+*/
+static int mallocHasFailed = 0;
+int sqlite3ApiExit(sqlite3* db, int rc){
+  if( sqlite3MallocFailed() ){
+    mallocHasFailed = 0;
+    sqlite3OsLeaveMutex();
+    sqlite3Error(db, SQLITE_NOMEM, 0);
+    rc = SQLITE_NOMEM;
+  }
+  return rc & (db ? db->errMask : 0xff);
+}
+
+/* 
+** Return true is a malloc has failed in this thread since the last call
+** to sqlite3ApiExit(), or false otherwise.
+*/
+int sqlite3MallocFailed(){
+  return (mallocHasFailed && sqlite3OsInMutex(1));
+}
+
+/* 
+** Set the "malloc has failed" condition to true for this thread.
+*/
+void sqlite3FailedMalloc(){
+  if( !sqlite3MallocFailed() ){
+    sqlite3OsEnterMutex();
+    assert( mallocHasFailed==0 );
+    mallocHasFailed = 1;
+  }
+}
+
+#ifdef SQLITE_MEMDEBUG
+/*
+** This function sets a flag in the thread-specific-data structure that will
+** cause an assert to fail if sqliteMalloc() or sqliteRealloc() is called.
+*/
+void sqlite3MallocDisallow(){
+  assert( sqlite3_mallocDisallowed>=0 );
+  sqlite3_mallocDisallowed++;
+}
+
+/*
+** This function clears the flag set in the thread-specific-data structure set
+** by sqlite3MallocDisallow().
+*/
+void sqlite3MallocAllow(){
+  assert( sqlite3_mallocDisallowed>0 );
+  sqlite3_mallocDisallowed--;
+}
+#endif
+
+/************** End of util.c ************************************************/
+/************** Begin file hash.c ********************************************/
+/*
+** 2001 September 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This is the implementation of generic hash-tables
+** used in SQLite.
+**
+** $Id$
+*/
+
+/* Turn bulk memory into a hash table object by initializing the
+** fields of the Hash structure.
+**
+** "pNew" is a pointer to the hash table that is to be initialized.
+** keyClass is one of the constants SQLITE_HASH_INT, SQLITE_HASH_POINTER,
+** SQLITE_HASH_BINARY, or SQLITE_HASH_STRING.  The value of keyClass 
+** determines what kind of key the hash table will use.  "copyKey" is
+** true if the hash table should make its own private copy of keys and
+** false if it should just use the supplied pointer.  CopyKey only makes
+** sense for SQLITE_HASH_STRING and SQLITE_HASH_BINARY and is ignored
+** for other key classes.
+*/
+void sqlite3HashInit(Hash *pNew, int keyClass, int copyKey){
+  assert( pNew!=0 );
+  assert( keyClass>=SQLITE_HASH_STRING && keyClass<=SQLITE_HASH_BINARY );
+  pNew->keyClass = keyClass;
+#if 0
+  if( keyClass==SQLITE_HASH_POINTER || keyClass==SQLITE_HASH_INT ) copyKey = 0;
+#endif
+  pNew->copyKey = copyKey;
+  pNew->first = 0;
+  pNew->count = 0;
+  pNew->htsize = 0;
+  pNew->ht = 0;
+  pNew->xMalloc = sqlite3MallocX;
+  pNew->xFree = sqlite3FreeX;
+}
+
+/* Remove all entries from a hash table.  Reclaim all memory.
+** Call this routine to delete a hash table or to reset a hash table
+** to the empty state.
+*/
+void sqlite3HashClear(Hash *pH){
+  HashElem *elem;         /* For looping over all elements of the table */
+
+  assert( pH!=0 );
+  elem = pH->first;
+  pH->first = 0;
+  if( pH->ht ) pH->xFree(pH->ht);
+  pH->ht = 0;
+  pH->htsize = 0;
+  while( elem ){
+    HashElem *next_elem = elem->next;
+    if( pH->copyKey && elem->pKey ){
+      pH->xFree(elem->pKey);
+    }
+    pH->xFree(elem);
+    elem = next_elem;
+  }
+  pH->count = 0;
+}
+
+#if 0 /* NOT USED */
+/*
+** Hash and comparison functions when the mode is SQLITE_HASH_INT
+*/
+static int intHash(const void *pKey, int nKey){
+  return nKey ^ (nKey<<8) ^ (nKey>>8);
+}
+static int intCompare(const void *pKey1, int n1, const void *pKey2, int n2){
+  return n2 - n1;
+}
+#endif
+
+#if 0 /* NOT USED */
+/*
+** Hash and comparison functions when the mode is SQLITE_HASH_POINTER
+*/
+static int ptrHash(const void *pKey, int nKey){
+  uptr x = Addr(pKey);
+  return x ^ (x<<8) ^ (x>>8);
+}
+static int ptrCompare(const void *pKey1, int n1, const void *pKey2, int n2){
+  if( pKey1==pKey2 ) return 0;
+  if( pKey1<pKey2 ) return -1;
+  return 1;
+}
+#endif
+
+/*
+** Hash and comparison functions when the mode is SQLITE_HASH_STRING
+*/
+static int strHash(const void *pKey, int nKey){
+  const char *z = (const char *)pKey;
+  int h = 0;
+  if( nKey<=0 ) nKey = strlen(z);
+  while( nKey > 0  ){
+    h = (h<<3) ^ h ^ sqlite3UpperToLower[(unsigned char)*z++];
+    nKey--;
+  }
+  return h & 0x7fffffff;
+}
+static int strCompare(const void *pKey1, int n1, const void *pKey2, int n2){
+  if( n1!=n2 ) return 1;
+  return sqlite3StrNICmp((const char*)pKey1,(const char*)pKey2,n1);
+}
+
+/*
+** Hash and comparison functions when the mode is SQLITE_HASH_BINARY
+*/
+static int binHash(const void *pKey, int nKey){
+  int h = 0;
+  const char *z = (const char *)pKey;
+  while( nKey-- > 0 ){
+    h = (h<<3) ^ h ^ *(z++);
+  }
+  return h & 0x7fffffff;
+}
+static int binCompare(const void *pKey1, int n1, const void *pKey2, int n2){
+  if( n1!=n2 ) return 1;
+  return memcmp(pKey1,pKey2,n1);
+}
+
+/*
+** Return a pointer to the appropriate hash function given the key class.
+**
+** The C syntax in this function definition may be unfamilar to some 
+** programmers, so we provide the following additional explanation:
+**
+** The name of the function is "hashFunction".  The function takes a
+** single parameter "keyClass".  The return value of hashFunction()
+** is a pointer to another function.  Specifically, the return value
+** of hashFunction() is a pointer to a function that takes two parameters
+** with types "const void*" and "int" and returns an "int".
+*/
+static int (*hashFunction(int keyClass))(const void*,int){
+#if 0  /* HASH_INT and HASH_POINTER are never used */
+  switch( keyClass ){
+    case SQLITE_HASH_INT:     return &intHash;
+    case SQLITE_HASH_POINTER: return &ptrHash;
+    case SQLITE_HASH_STRING:  return &strHash;
+    case SQLITE_HASH_BINARY:  return &binHash;;
+    default: break;
+  }
+  return 0;
+#else
+  if( keyClass==SQLITE_HASH_STRING ){
+    return &strHash;
+  }else{
+    assert( keyClass==SQLITE_HASH_BINARY );
+    return &binHash;
+  }
+#endif
+}
+
+/*
+** Return a pointer to the appropriate hash function given the key class.
+**
+** For help in interpreted the obscure C code in the function definition,
+** see the header comment on the previous function.
+*/
+static int (*compareFunction(int keyClass))(const void*,int,const void*,int){
+#if 0 /* HASH_INT and HASH_POINTER are never used */
+  switch( keyClass ){
+    case SQLITE_HASH_INT:     return &intCompare;
+    case SQLITE_HASH_POINTER: return &ptrCompare;
+    case SQLITE_HASH_STRING:  return &strCompare;
+    case SQLITE_HASH_BINARY:  return &binCompare;
+    default: break;
+  }
+  return 0;
+#else
+  if( keyClass==SQLITE_HASH_STRING ){
+    return &strCompare;
+  }else{
+    assert( keyClass==SQLITE_HASH_BINARY );
+    return &binCompare;
+  }
+#endif
+}
+
+/* Link an element into the hash table
+*/
+static void insertElement(
+  Hash *pH,              /* The complete hash table */
+  struct _ht *pEntry,    /* The entry into which pNew is inserted */
+  HashElem *pNew         /* The element to be inserted */
+){
+  HashElem *pHead;       /* First element already in pEntry */
+  pHead = pEntry->chain;
+  if( pHead ){
+    pNew->next = pHead;
+    pNew->prev = pHead->prev;
+    if( pHead->prev ){ pHead->prev->next = pNew; }
+    else             { pH->first = pNew; }
+    pHead->prev = pNew;
+  }else{
+    pNew->next = pH->first;
+    if( pH->first ){ pH->first->prev = pNew; }
+    pNew->prev = 0;
+    pH->first = pNew;
+  }
+  pEntry->count++;
+  pEntry->chain = pNew;
+}
+
+
+/* Resize the hash table so that it cantains "new_size" buckets.
+** "new_size" must be a power of 2.  The hash table might fail 
+** to resize if sqliteMalloc() fails.
+*/
+static void rehash(Hash *pH, int new_size){
+  struct _ht *new_ht;            /* The new hash table */
+  HashElem *elem, *next_elem;    /* For looping over existing elements */
+  int (*xHash)(const void*,int); /* The hash function */
+
+  assert( (new_size & (new_size-1))==0 );
+  new_ht = (struct _ht *)pH->xMalloc( new_size*sizeof(struct _ht) );
+  if( new_ht==0 ) return;
+  if( pH->ht ) pH->xFree(pH->ht);
+  pH->ht = new_ht;
+  pH->htsize = new_size;
+  xHash = hashFunction(pH->keyClass);
+  for(elem=pH->first, pH->first=0; elem; elem = next_elem){
+    int h = (*xHash)(elem->pKey, elem->nKey) & (new_size-1);
+    next_elem = elem->next;
+    insertElement(pH, &new_ht[h], elem);
+  }
+}
+
+/* This function (for internal use only) locates an element in an
+** hash table that matches the given key.  The hash for this key has
+** already been computed and is passed as the 4th parameter.
+*/
+static HashElem *findElementGivenHash(
+  const Hash *pH,     /* The pH to be searched */
+  const void *pKey,   /* The key we are searching for */
+  int nKey,
+  int h               /* The hash for this key. */
+){
+  HashElem *elem;                /* Used to loop thru the element list */
+  int count;                     /* Number of elements left to test */
+  int (*xCompare)(const void*,int,const void*,int);  /* comparison function */
+
+  if( pH->ht ){
+    struct _ht *pEntry = &pH->ht[h];
+    elem = pEntry->chain;
+    count = pEntry->count;
+    xCompare = compareFunction(pH->keyClass);
+    while( count-- && elem ){
+      if( (*xCompare)(elem->pKey,elem->nKey,pKey,nKey)==0 ){ 
+        return elem;
+      }
+      elem = elem->next;
+    }
+  }
+  return 0;
+}
+
+/* Remove a single entry from the hash table given a pointer to that
+** element and a hash on the element's key.
+*/
+static void removeElementGivenHash(
+  Hash *pH,         /* The pH containing "elem" */
+  HashElem* elem,   /* The element to be removed from the pH */
+  int h             /* Hash value for the element */
+){
+  struct _ht *pEntry;
+  if( elem->prev ){
+    elem->prev->next = elem->next; 
+  }else{
+    pH->first = elem->next;
+  }
+  if( elem->next ){
+    elem->next->prev = elem->prev;
+  }
+  pEntry = &pH->ht[h];
+  if( pEntry->chain==elem ){
+    pEntry->chain = elem->next;
+  }
+  pEntry->count--;
+  if( pEntry->count<=0 ){
+    pEntry->chain = 0;
+  }
+  if( pH->copyKey ){
+    pH->xFree(elem->pKey);
+  }
+  pH->xFree( elem );
+  pH->count--;
+  if( pH->count<=0 ){
+    assert( pH->first==0 );
+    assert( pH->count==0 );
+    sqlite3HashClear(pH);
+  }
+}
+
+/* Attempt to locate an element of the hash table pH with a key
+** that matches pKey,nKey.  Return the data for this element if it is
+** found, or NULL if there is no match.
+*/
+void *sqlite3HashFind(const Hash *pH, const void *pKey, int nKey){
+  int h;             /* A hash on key */
+  HashElem *elem;    /* The element that matches key */
+  int (*xHash)(const void*,int);  /* The hash function */
+
+  if( pH==0 || pH->ht==0 ) return 0;
+  xHash = hashFunction(pH->keyClass);
+  assert( xHash!=0 );
+  h = (*xHash)(pKey,nKey);
+  assert( (pH->htsize & (pH->htsize-1))==0 );
+  elem = findElementGivenHash(pH,pKey,nKey, h & (pH->htsize-1));
+  return elem ? elem->data : 0;
+}
+
+/* Insert an element into the hash table pH.  The key is pKey,nKey
+** and the data is "data".
+**
+** If no element exists with a matching key, then a new
+** element is created.  A copy of the key is made if the copyKey
+** flag is set.  NULL is returned.
+**
+** If another element already exists with the same key, then the
+** new data replaces the old data and the old data is returned.
+** The key is not copied in this instance.  If a malloc fails, then
+** the new data is returned and the hash table is unchanged.
+**
+** If the "data" parameter to this function is NULL, then the
+** element corresponding to "key" is removed from the hash table.
+*/
+void *sqlite3HashInsert(Hash *pH, const void *pKey, int nKey, void *data){
+  int hraw;             /* Raw hash value of the key */
+  int h;                /* the hash of the key modulo hash table size */
+  HashElem *elem;       /* Used to loop thru the element list */
+  HashElem *new_elem;   /* New element added to the pH */
+  int (*xHash)(const void*,int);  /* The hash function */
+
+  assert( pH!=0 );
+  xHash = hashFunction(pH->keyClass);
+  assert( xHash!=0 );
+  hraw = (*xHash)(pKey, nKey);
+  assert( (pH->htsize & (pH->htsize-1))==0 );
+  h = hraw & (pH->htsize-1);
+  elem = findElementGivenHash(pH,pKey,nKey,h);
+  if( elem ){
+    void *old_data = elem->data;
+    if( data==0 ){
+      removeElementGivenHash(pH,elem,h);
+    }else{
+      elem->data = data;
+    }
+    return old_data;
+  }
+  if( data==0 ) return 0;
+  new_elem = (HashElem*)pH->xMalloc( sizeof(HashElem) );
+  if( new_elem==0 ) return data;
+  if( pH->copyKey && pKey!=0 ){
+    new_elem->pKey = pH->xMalloc( nKey );
+    if( new_elem->pKey==0 ){
+      pH->xFree(new_elem);
+      return data;
+    }
+    memcpy((void*)new_elem->pKey, pKey, nKey);
+  }else{
+    new_elem->pKey = (void*)pKey;
+  }
+  new_elem->nKey = nKey;
+  pH->count++;
+  if( pH->htsize==0 ){
+    rehash(pH,8);
+    if( pH->htsize==0 ){
+      pH->count = 0;
+      if( pH->copyKey ){
+        pH->xFree(new_elem->pKey);
+      }
+      pH->xFree(new_elem);
+      return data;
+    }
+  }
+  if( pH->count > pH->htsize ){
+    rehash(pH,pH->htsize*2);
+  }
+  assert( pH->htsize>0 );
+  assert( (pH->htsize & (pH->htsize-1))==0 );
+  h = hraw & (pH->htsize-1);
+  insertElement(pH, &pH->ht[h], new_elem);
+  new_elem->data = data;
+  return 0;
+}
+
+/************** End of hash.c ************************************************/
+/************** Begin file opcodes.c *****************************************/
+/* Automatically generated.  Do not edit */
+/* See the mkopcodec.awk script for details. */
+#if !defined(SQLITE_OMIT_EXPLAIN) || !defined(NDEBUG) || defined(VDBE_PROFILE) || defined(SQLITE_DEBUG)
+const char *const sqlite3OpcodeNames[] = { "?",
+ /*   1 */ "MemLoad",
+ /*   2 */ "VNext",
+ /*   3 */ "Column",
+ /*   4 */ "SetCookie",
+ /*   5 */ "IfMemPos",
+ /*   6 */ "Sequence",
+ /*   7 */ "MoveGt",
+ /*   8 */ "RowKey",
+ /*   9 */ "OpenWrite",
+ /*  10 */ "If",
+ /*  11 */ "Pop",
+ /*  12 */ "VRowid",
+ /*  13 */ "CollSeq",
+ /*  14 */ "OpenRead",
+ /*  15 */ "Expire",
+ /*  16 */ "Not",
+ /*  17 */ "AutoCommit",
+ /*  18 */ "IntegrityCk",
+ /*  19 */ "Sort",
+ /*  20 */ "Function",
+ /*  21 */ "Noop",
+ /*  22 */ "Return",
+ /*  23 */ "NewRowid",
+ /*  24 */ "IfMemNeg",
+ /*  25 */ "Variable",
+ /*  26 */ "String",
+ /*  27 */ "RealAffinity",
+ /*  28 */ "ParseSchema",
+ /*  29 */ "VOpen",
+ /*  30 */ "Close",
+ /*  31 */ "CreateIndex",
+ /*  32 */ "IsUnique",
+ /*  33 */ "NotFound",
+ /*  34 */ "Int64",
+ /*  35 */ "MustBeInt",
+ /*  36 */ "Halt",
+ /*  37 */ "Rowid",
+ /*  38 */ "IdxLT",
+ /*  39 */ "AddImm",
+ /*  40 */ "Statement",
+ /*  41 */ "RowData",
+ /*  42 */ "MemMax",
+ /*  43 */ "Push",
+ /*  44 */ "NotExists",
+ /*  45 */ "MemIncr",
+ /*  46 */ "Gosub",
+ /*  47 */ "Integer",
+ /*  48 */ "MemInt",
+ /*  49 */ "Prev",
+ /*  50 */ "VColumn",
+ /*  51 */ "CreateTable",
+ /*  52 */ "Last",
+ /*  53 */ "IdxRowid",
+ /*  54 */ "MakeIdxRec",
+ /*  55 */ "ResetCount",
+ /*  56 */ "FifoWrite",
+ /*  57 */ "Callback",
+ /*  58 */ "ContextPush",
+ /*  59 */ "DropTrigger",
+ /*  60 */ "Or",
+ /*  61 */ "And",
+ /*  62 */ "DropIndex",
+ /*  63 */ "IdxGE",
+ /*  64 */ "IdxDelete",
+ /*  65 */ "IsNull",
+ /*  66 */ "NotNull",
+ /*  67 */ "Ne",
+ /*  68 */ "Eq",
+ /*  69 */ "Gt",
+ /*  70 */ "Le",
+ /*  71 */ "Lt",
+ /*  72 */ "Ge",
+ /*  73 */ "Vacuum",
+ /*  74 */ "BitAnd",
+ /*  75 */ "BitOr",
+ /*  76 */ "ShiftLeft",
+ /*  77 */ "ShiftRight",
+ /*  78 */ "Add",
+ /*  79 */ "Subtract",
+ /*  80 */ "Multiply",
+ /*  81 */ "Divide",
+ /*  82 */ "Remainder",
+ /*  83 */ "Concat",
+ /*  84 */ "MoveLe",
+ /*  85 */ "Negative",
+ /*  86 */ "IfNot",
+ /*  87 */ "BitNot",
+ /*  88 */ "String8",
+ /*  89 */ "DropTable",
+ /*  90 */ "MakeRecord",
+ /*  91 */ "Delete",
+ /*  92 */ "AggFinal",
+ /*  93 */ "Dup",
+ /*  94 */ "Goto",
+ /*  95 */ "TableLock",
+ /*  96 */ "FifoRead",
+ /*  97 */ "Clear",
+ /*  98 */ "IdxGT",
+ /*  99 */ "MoveLt",
+ /* 100 */ "VerifyCookie",
+ /* 101 */ "AggStep",
+ /* 102 */ "Pull",
+ /* 103 */ "SetNumColumns",
+ /* 104 */ "AbsValue",
+ /* 105 */ "Transaction",
+ /* 106 */ "VFilter",
+ /* 107 */ "VDestroy",
+ /* 108 */ "ContextPop",
+ /* 109 */ "Next",
+ /* 110 */ "IdxInsert",
+ /* 111 */ "Distinct",
+ /* 112 */ "Insert",
+ /* 113 */ "Destroy",
+ /* 114 */ "ReadCookie",
+ /* 115 */ "ForceInt",
+ /* 116 */ "LoadAnalysis",
+ /* 117 */ "Explain",
+ /* 118 */ "IfMemZero",
+ /* 119 */ "OpenPseudo",
+ /* 120 */ "OpenEphemeral",
+ /* 121 */ "Null",
+ /* 122 */ "Blob",
+ /* 123 */ "MemStore",
+ /* 124 */ "Rewind",
+ /* 125 */ "Real",
+ /* 126 */ "HexBlob",
+ /* 127 */ "MoveGe",
+ /* 128 */ "VBegin",
+ /* 129 */ "VUpdate",
+ /* 130 */ "VCreate",
+ /* 131 */ "MemMove",
+ /* 132 */ "MemNull",
+ /* 133 */ "Found",
+ /* 134 */ "NullRow",
+ /* 135 */ "NotUsed_135",
+ /* 136 */ "NotUsed_136",
+ /* 137 */ "NotUsed_137",
+ /* 138 */ "ToText",
+ /* 139 */ "ToBlob",
+ /* 140 */ "ToNumeric",
+ /* 141 */ "ToInt",
+ /* 142 */ "ToReal",
+};
+#endif
+
+/************** End of opcodes.c *********************************************/
+/************** Begin file os_os2.c ******************************************/
+/*
+** 2006 Feb 14
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains code that is specific to OS/2.
+*/
+
+#if (__GNUC__ > 3 || __GNUC__ == 3 && __GNUC_MINOR__ >= 3) && defined(OS2_HIGH_MEMORY)
+/* os2safe.h has to be included before os2.h, needed for high mem */
+#include <os2safe.h>
+#endif
+
+
+#if OS_OS2
+
+/*
+** Macros used to determine whether or not to use threads.
+*/
+#if defined(THREADSAFE) && THREADSAFE
+# define SQLITE_OS2_THREADS 1
+#endif
+
+/*
+** Include code that is common to all os_*.c files
+*/
+/************** Include os_common.h in the middle of os_os2.c ****************/
+/************** Begin file os_common.h ***************************************/
+/*
+** 2004 May 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains macros and a little bit of code that is common to
+** all of the platform-specific files (os_*.c) and is #included into those
+** files.
+**
+** This file should be #included by the os_*.c files only.  It is not a
+** general purpose header file.
+*/
+
+/*
+** At least two bugs have slipped in because we changed the MEMORY_DEBUG
+** macro to SQLITE_DEBUG and some older makefiles have not yet made the
+** switch.  The following code should catch this problem at compile-time.
+*/
+#ifdef MEMORY_DEBUG
+# error "The MEMORY_DEBUG macro is obsolete.  Use SQLITE_DEBUG instead."
+#endif
+
+
+/*
+ * When testing, this global variable stores the location of the
+ * pending-byte in the database file.
+ */
+#ifdef SQLITE_TEST
+unsigned int sqlite3_pending_byte = 0x40000000;
+#endif
+
+int sqlite3_os_trace = 0;
+#ifdef SQLITE_DEBUG
+#define OSTRACE1(X)         if( sqlite3_os_trace ) sqlite3DebugPrintf(X)
+#define OSTRACE2(X,Y)       if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y)
+#define OSTRACE3(X,Y,Z)     if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)   if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B) if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C,D)
+#else
+#define OSTRACE1(X)
+#define OSTRACE2(X,Y)
+#define OSTRACE3(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D)
+#endif
+
+/*
+** Macros for performance tracing.  Normally turned off.  Only works
+** on i486 hardware.
+*/
+#ifdef SQLITE_PERFORMANCE_TRACE
+__inline__ unsigned long long int hwtime(void){
+  unsigned long long int x;
+  __asm__("rdtsc\n\t"
+          "mov %%edx, %%ecx\n\t"
+          :"=A" (x));
+  return x;
+}
+static unsigned long long int g_start;
+static unsigned int elapse;
+#define TIMER_START       g_start=hwtime()
+#define TIMER_END         elapse=hwtime()-g_start
+#define TIMER_ELAPSED     elapse
+#else
+#define TIMER_START
+#define TIMER_END
+#define TIMER_ELAPSED     0
+#endif
+
+/*
+** If we compile with the SQLITE_TEST macro set, then the following block
+** of code will give us the ability to simulate a disk I/O error.  This
+** is used for testing the I/O recovery logic.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_io_error_hit = 0;
+int sqlite3_io_error_pending = 0;
+int sqlite3_io_error_persist = 0;
+int sqlite3_diskfull_pending = 0;
+int sqlite3_diskfull = 0;
+#define SimulateIOError(CODE)  \
+  if( sqlite3_io_error_pending || sqlite3_io_error_hit ) \
+     if( sqlite3_io_error_pending-- == 1 \
+         || (sqlite3_io_error_persist && sqlite3_io_error_hit) ) \
+                { local_ioerr(); CODE; }
+static void local_ioerr(){
+  IOTRACE(("IOERR\n"));
+  sqlite3_io_error_hit = 1;
+}
+#define SimulateDiskfullError(CODE) \
+   if( sqlite3_diskfull_pending ){ \
+     if( sqlite3_diskfull_pending == 1 ){ \
+       local_ioerr(); \
+       sqlite3_diskfull = 1; \
+       sqlite3_io_error_hit = 1; \
+       CODE; \
+     }else{ \
+       sqlite3_diskfull_pending--; \
+     } \
+   }
+#else
+#define SimulateIOError(A)
+#define SimulateDiskfullError(A)
+#endif
+
+/*
+** When testing, keep a count of the number of open files.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_open_file_count = 0;
+#define OpenCounter(X)  sqlite3_open_file_count+=(X)
+#else
+#define OpenCounter(X)
+#endif
+
+/*
+** sqlite3GenericMalloc
+** sqlite3GenericRealloc
+** sqlite3GenericOsFree
+** sqlite3GenericAllocationSize
+**
+** Implementation of the os level dynamic memory allocation interface in terms
+** of the standard malloc(), realloc() and free() found in many operating
+** systems. No rocket science here.
+**
+** There are two versions of these four functions here. The version
+** implemented here is only used if memory-management or memory-debugging is
+** enabled. This version allocates an extra 8-bytes at the beginning of each
+** block and stores the size of the allocation there.
+**
+** If neither memory-management or debugging is enabled, the second
+** set of implementations is used instead.
+*/
+#if defined(SQLITE_ENABLE_MEMORY_MANAGEMENT) || defined (SQLITE_MEMDEBUG)
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n+8);
+  assert(n>0);
+  assert(sizeof(int)<=8);
+  if( p ){
+    *(int *)p = n;
+    p += 8;
+  }
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  char *p2 = ((char *)p - 8);
+  assert(n>0);
+  p2 = (char*)realloc(p2, n+8);
+  if( p2 ){
+    *(int *)p2 = n;
+    p2 += 8;
+  }
+  return (void *)p2;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free((void *)((char *)p - 8));
+}
+int sqlite3GenericAllocationSize(void *p){
+  return p ? *(int *)((char *)p - 8) : 0;
+}
+#else
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n);
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  assert(n>0);
+  p = realloc(p, n);
+  return p;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free(p);
+}
+/* Never actually used, but needed for the linker */
+int sqlite3GenericAllocationSize(void *p){ return 0; }
+#endif
+
+/*
+** The default size of a disk sector
+*/
+#ifndef PAGER_SECTOR_SIZE
+# define PAGER_SECTOR_SIZE 512
+#endif
+
+/************** End of os_common.h *******************************************/
+/************** Continuing where we left off in os_os2.c *********************/
+
+/*
+** The os2File structure is subclass of OsFile specific for the OS/2
+** protability layer.
+*/
+typedef struct os2File os2File;
+struct os2File {
+  IoMethod const *pMethod;  /* Always the first entry */
+  HFILE h;                  /* Handle for accessing the file */
+  int delOnClose;           /* True if file is to be deleted on close */
+  char* pathToDel;          /* Name of file to delete on close */
+  unsigned char locktype;   /* Type of lock currently held on this file */
+};
+
+/*
+** Do not include any of the File I/O interface procedures if the
+** SQLITE_OMIT_DISKIO macro is defined (indicating that there database
+** will be in-memory only)
+*/
+#ifndef SQLITE_OMIT_DISKIO
+
+/*
+** Delete the named file
+*/
+int sqlite3Os2Delete( const char *zFilename ){
+  APIRET rc = NO_ERROR;
+
+  rc = DosDelete( (PSZ)zFilename );
+  OSTRACE2( "DELETE \"%s\"\n", zFilename );
+  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Return TRUE if the named file exists.
+*/
+int sqlite3Os2FileExists( const char *zFilename ){
+  FILESTATUS3 fsts3ConfigInfo;
+  memset(&fsts3ConfigInfo, 0, sizeof(fsts3ConfigInfo));
+  return DosQueryPathInfo( (PSZ)zFilename, FIL_STANDARD,
+        &fsts3ConfigInfo, sizeof(FILESTATUS3) ) == NO_ERROR;
+}
+
+/* Forward declaration */
+int allocateOs2File( os2File *pInit, OsFile **pld );
+
+/*
+** Attempt to open a file for both reading and writing.  If that
+** fails, try opening it read-only.  If the file does not exist,
+** try to create it.
+**
+** On success, a handle for the open file is written to *id
+** and *pReadonly is set to 0 if the file was opened for reading and
+** writing or 1 if the file was opened read-only.  The function returns
+** SQLITE_OK.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id and *pReadonly unchanged.
+*/
+int sqlite3Os2OpenReadWrite(
+  const char *zFilename,
+  OsFile **pld,
+  int *pReadonly
+){
+  os2File  f;
+  HFILE    hf;
+  ULONG    ulAction;
+  APIRET   rc = NO_ERROR;
+
+  assert( *pld == 0 );
+  rc = DosOpen( (PSZ)zFilename, &hf, &ulAction, 0L,
+            FILE_ARCHIVED | FILE_NORMAL,
+                OPEN_ACTION_CREATE_IF_NEW | OPEN_ACTION_OPEN_IF_EXISTS,
+                OPEN_FLAGS_FAIL_ON_ERROR | OPEN_FLAGS_RANDOM |
+                    OPEN_SHARE_DENYNONE | OPEN_ACCESS_READWRITE, (PEAOP2)NULL );
+  if( rc != NO_ERROR ){
+    rc = DosOpen( (PSZ)zFilename, &hf, &ulAction, 0L,
+            FILE_ARCHIVED | FILE_NORMAL,
+                OPEN_ACTION_CREATE_IF_NEW | OPEN_ACTION_OPEN_IF_EXISTS,
+                OPEN_FLAGS_FAIL_ON_ERROR | OPEN_FLAGS_RANDOM |
+                        OPEN_SHARE_DENYWRITE | OPEN_ACCESS_READONLY, (PEAOP2)NULL );
+    if( rc != NO_ERROR ){
+        return SQLITE_CANTOPEN;
+    }
+    *pReadonly = 1;
+  }
+  else{
+    *pReadonly = 0;
+  }
+  f.h = hf;
+  f.locktype = NO_LOCK;
+  f.delOnClose = 0;
+  f.pathToDel = NULL;
+  OpenCounter(+1);
+  OSTRACE3( "OPEN R/W %d \"%s\"\n", hf, zFilename );
+  return allocateOs2File( &f, pld );
+}
+
+
+/*
+** Attempt to open a new file for exclusive access by this process.
+** The file will be opened for both reading and writing.  To avoid
+** a potential security problem, we do not allow the file to have
+** previously existed.  Nor do we allow the file to be a symbolic
+** link.
+**
+** If delFlag is true, then make arrangements to automatically delete
+** the file when it is closed.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+*/
+int sqlite3Os2OpenExclusive( const char *zFilename, OsFile **pld, int delFlag ){
+  os2File  f;
+  HFILE    hf;
+  ULONG    ulAction;
+  APIRET   rc = NO_ERROR;
+
+  assert( *pld == 0 );
+  rc = DosOpen( (PSZ)zFilename, &hf, &ulAction, 0L, FILE_NORMAL,
+            OPEN_ACTION_CREATE_IF_NEW | OPEN_ACTION_REPLACE_IF_EXISTS,
+            OPEN_FLAGS_FAIL_ON_ERROR | OPEN_FLAGS_RANDOM |
+                OPEN_SHARE_DENYREADWRITE | OPEN_ACCESS_READWRITE, (PEAOP2)NULL );
+  if( rc != NO_ERROR ){
+    return SQLITE_CANTOPEN;
+  }
+
+  f.h = hf;
+  f.locktype = NO_LOCK;
+  f.delOnClose = delFlag ? 1 : 0;
+  f.pathToDel = delFlag ? sqlite3OsFullPathname( zFilename ) : NULL;
+  OpenCounter( +1 );
+  if( delFlag ) DosForceDelete( sqlite3OsFullPathname( zFilename ) );
+  OSTRACE3( "OPEN EX %d \"%s\"\n", hf, sqlite3OsFullPathname ( zFilename ) );
+  return allocateOs2File( &f, pld );
+}
+
+/*
+** Attempt to open a new file for read-only access.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+*/
+int sqlite3Os2OpenReadOnly( const char *zFilename, OsFile **pld ){
+  os2File  f;
+  HFILE    hf;
+  ULONG    ulAction;
+  APIRET   rc = NO_ERROR;
+
+  assert( *pld == 0 );
+  rc = DosOpen( (PSZ)zFilename, &hf, &ulAction, 0L,
+            FILE_NORMAL, OPEN_ACTION_OPEN_IF_EXISTS,
+            OPEN_FLAGS_FAIL_ON_ERROR | OPEN_FLAGS_RANDOM |
+                OPEN_SHARE_DENYWRITE | OPEN_ACCESS_READONLY, (PEAOP2)NULL );
+  if( rc != NO_ERROR ){
+    return SQLITE_CANTOPEN;
+  }
+  f.h = hf;
+  f.locktype = NO_LOCK;
+  f.delOnClose = 0;
+  f.pathToDel = NULL;
+  OpenCounter( +1 );
+  OSTRACE3( "OPEN RO %d \"%s\"\n", hf, zFilename );
+  return allocateOs2File( &f, pld );
+}
+
+/*
+** Attempt to open a file descriptor for the directory that contains a
+** file.  This file descriptor can be used to fsync() the directory
+** in order to make sure the creation of a new file is actually written
+** to disk.
+**
+** This routine is only meaningful for Unix.  It is a no-op under
+** OS/2 since OS/2 does not support hard links.
+**
+** On success, a handle for a previously open file is at *id is
+** updated with the new directory file descriptor and SQLITE_OK is
+** returned.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id unchanged.
+*/
+int os2OpenDirectory(
+  OsFile *id,
+  const char *zDirname
+){
+  return SQLITE_OK;
+}
+
+/*
+** Create a temporary file name in zBuf.  zBuf must be big enough to
+** hold at least SQLITE_TEMPNAME_SIZE characters.
+*/
+int sqlite3Os2TempFileName( char *zBuf ){
+  static const unsigned char zChars[] =
+    "abcdefghijklmnopqrstuvwxyz"
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    "0123456789";
+  int i, j;
+  PSZ zTempPath = 0;
+  if( DosScanEnv( "TEMP", &zTempPath ) ){
+    if( DosScanEnv( "TMP", &zTempPath ) ){
+      if( DosScanEnv( "TMPDIR", &zTempPath ) ){
+           ULONG ulDriveNum = 0, ulDriveMap = 0;
+           DosQueryCurrentDisk( &ulDriveNum, &ulDriveMap );
+           sprintf( zTempPath, "%c:", (char)( 'A' + ulDriveNum - 1 ) );
+      }
+    }
+  }
+  for(;;){
+      sprintf( zBuf, "%s\\"TEMP_FILE_PREFIX, zTempPath );
+      j = strlen( zBuf );
+      sqlite3Randomness( 15, &zBuf[j] );
+      for( i = 0; i < 15; i++, j++ ){
+        zBuf[j] = (char)zChars[ ((unsigned char)zBuf[j])%(sizeof(zChars)-1) ];
+      }
+      zBuf[j] = 0;
+      if( !sqlite3OsFileExists( zBuf ) ) break;
+  }
+  OSTRACE2( "TEMP FILENAME: %s\n", zBuf );
+  return SQLITE_OK;
+}
+
+/*
+** Close a file.
+*/
+int os2Close( OsFile **pld ){
+  os2File *pFile;
+  APIRET rc = NO_ERROR;
+  if( pld && (pFile = (os2File*)*pld) != 0 ){
+    OSTRACE2( "CLOSE %d\n", pFile->h );
+    rc = DosClose( pFile->h );
+    pFile->locktype = NO_LOCK;
+    if( pFile->delOnClose != 0 ){
+        rc = DosForceDelete( pFile->pathToDel );
+    }
+    *pld = 0;
+    OpenCounter( -1 );
+  }
+
+  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Read data from a file into a buffer.  Return SQLITE_OK if all
+** bytes were read successfully and SQLITE_IOERR if anything goes
+** wrong.
+*/
+int os2Read( OsFile *id, void *pBuf, int amt ){
+  ULONG got;
+  assert( id!=0 );
+  SimulateIOError( return SQLITE_IOERR );
+  OSTRACE3( "READ %d lock=%d\n", ((os2File*)id)->h, ((os2File*)id)->locktype );
+  DosRead( ((os2File*)id)->h, pBuf, amt, &got );
+  if (got == (ULONG)amt)
+    return SQLITE_OK;
+  else if (got < 0)
+    return SQLITE_IOERR_READ;
+  else {
+    memset(&((char*)pBuf)[got], 0, amt-got);
+    return SQLITE_IOERR_SHORT_READ;
+  }
+}
+
+/*
+** Write data from a buffer into a file.  Return SQLITE_OK on success
+** or some other error code on failure.
+*/
+int os2Write( OsFile *id, const void *pBuf, int amt ){
+  APIRET rc = NO_ERROR;
+  ULONG wrote;
+  assert( id!=0 );
+  SimulateIOError( return SQLITE_IOERR );
+  SimulateDiskfullError( return SQLITE_FULL );
+  OSTRACE3( "WRITE %d lock=%d\n", ((os2File*)id)->h, ((os2File*)id)->locktype );
+  while( amt > 0 &&
+      (rc = DosWrite( ((os2File*)id)->h, (PVOID)pBuf, amt, &wrote )) && wrote > 0 ){
+      amt -= wrote;
+      pBuf = &((char*)pBuf)[wrote];
+  }
+
+  return ( rc != NO_ERROR || amt > (int)wrote ) ? SQLITE_FULL : SQLITE_OK;
+}
+
+/*
+** Move the read/write pointer in a file.
+*/
+int os2Seek( OsFile *id, i64 offset ){
+  APIRET rc = NO_ERROR;
+  ULONG filePointer = 0L;
+  assert( id!=0 );
+  rc = DosSetFilePtr( ((os2File*)id)->h, offset, FILE_BEGIN, &filePointer );
+  OSTRACE3( "SEEK %d %lld\n", ((os2File*)id)->h, offset );
+  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Make sure all writes to a particular file are committed to disk.
+*/
+int os2Sync( OsFile *id, int dataOnly ){
+  assert( id!=0 );
+  OSTRACE3( "SYNC %d lock=%d\n", ((os2File*)id)->h, ((os2File*)id)->locktype );
+  return DosResetBuffer( ((os2File*)id)->h ) == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Sync the directory zDirname. This is a no-op on operating systems other
+** than UNIX.
+*/
+int sqlite3Os2SyncDirectory( const char *zDirname ){
+  SimulateIOError( return SQLITE_IOERR );
+  return SQLITE_OK;
+}
+
+/*
+** Truncate an open file to a specified size
+*/
+int os2Truncate( OsFile *id, i64 nByte ){
+  APIRET rc = NO_ERROR;
+  ULONG upperBits = nByte>>32;
+  assert( id!=0 );
+  OSTRACE3( "TRUNCATE %d %lld\n", ((os2File*)id)->h, nByte );
+  SimulateIOError( return SQLITE_IOERR );
+  rc = DosSetFilePtr( ((os2File*)id)->h, nByte, FILE_BEGIN, &upperBits );
+  if( rc != NO_ERROR ){
+    return SQLITE_IOERR;
+  }
+  rc = DosSetFilePtr( ((os2File*)id)->h, 0L, FILE_END, &upperBits );
+  return rc == NO_ERROR ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Determine the current size of a file in bytes
+*/
+int os2FileSize( OsFile *id, i64 *pSize ){
+  APIRET rc = NO_ERROR;
+  FILESTATUS3 fsts3FileInfo;
+  memset(&fsts3FileInfo, 0, sizeof(fsts3FileInfo));
+  assert( id!=0 );
+  SimulateIOError( return SQLITE_IOERR );
+  rc = DosQueryFileInfo( ((os2File*)id)->h, FIL_STANDARD, &fsts3FileInfo, sizeof(FILESTATUS3) );
+  if( rc == NO_ERROR ){
+    *pSize = fsts3FileInfo.cbFile;
+    return SQLITE_OK;
+  }
+  else{
+    return SQLITE_IOERR;
+  }
+}
+
+/*
+** Acquire a reader lock.
+*/
+static int getReadLock( os2File *id ){
+  FILELOCK  LockArea,
+            UnlockArea;
+  memset(&LockArea, 0, sizeof(LockArea));
+  memset(&UnlockArea, 0, sizeof(UnlockArea));
+  LockArea.lOffset = SHARED_FIRST;
+  LockArea.lRange = SHARED_SIZE;
+  UnlockArea.lOffset = 0L;
+  UnlockArea.lRange = 0L;
+  return DosSetFileLocks( id->h, &UnlockArea, &LockArea, 2000L, 1L );
+}
+
+/*
+** Undo a readlock
+*/
+static int unlockReadLock( os2File *id ){
+  FILELOCK  LockArea,
+            UnlockArea;
+  memset(&LockArea, 0, sizeof(LockArea));
+  memset(&UnlockArea, 0, sizeof(UnlockArea));
+  LockArea.lOffset = 0L;
+  LockArea.lRange = 0L;
+  UnlockArea.lOffset = SHARED_FIRST;
+  UnlockArea.lRange = SHARED_SIZE;
+  return DosSetFileLocks( id->h, &UnlockArea, &LockArea, 2000L, 1L );
+}
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+/*
+** Check that a given pathname is a directory and is writable
+**
+*/
+int sqlite3Os2IsDirWritable( char *zDirname ){
+  FILESTATUS3 fsts3ConfigInfo;
+  APIRET rc = NO_ERROR;
+  memset(&fsts3ConfigInfo, 0, sizeof(fsts3ConfigInfo));
+  if( zDirname==0 ) return 0;
+  if( strlen(zDirname)>CCHMAXPATH ) return 0;
+  rc = DosQueryPathInfo( (PSZ)zDirname, FIL_STANDARD, &fsts3ConfigInfo, sizeof(FILESTATUS3) );
+  if( rc != NO_ERROR ) return 0;
+  if( (fsts3ConfigInfo.attrFile & FILE_DIRECTORY) != FILE_DIRECTORY ) return 0;
+
+  return 1;
+}
+#endif /* SQLITE_OMIT_PAGER_PRAGMAS */
+
+/*
+** Lock the file with the lock specified by parameter locktype - one
+** of the following:
+**
+**     (1) SHARED_LOCK
+**     (2) RESERVED_LOCK
+**     (3) PENDING_LOCK
+**     (4) EXCLUSIVE_LOCK
+**
+** Sometimes when requesting one lock state, additional lock states
+** are inserted in between.  The locking might fail on one of the later
+** transitions leaving the lock state different from what it started but
+** still short of its goal.  The following chart shows the allowed
+** transitions and the inserted intermediate states:
+**
+**    UNLOCKED -> SHARED
+**    SHARED -> RESERVED
+**    SHARED -> (PENDING) -> EXCLUSIVE
+**    RESERVED -> (PENDING) -> EXCLUSIVE
+**    PENDING -> EXCLUSIVE
+**
+** This routine will only increase a lock.  The os2Unlock() routine
+** erases all locks at once and returns us immediately to locking level 0.
+** It is not possible to lower the locking level one step at a time.  You
+** must go straight to locking level 0.
+*/
+int os2Lock( OsFile *id, int locktype ){
+  APIRET rc = SQLITE_OK;    /* Return code from subroutines */
+  APIRET res = NO_ERROR;    /* Result of an OS/2 lock call */
+  int newLocktype;       /* Set id->locktype to this value before exiting */
+  int gotPendingLock = 0;/* True if we acquired a PENDING lock this time */
+  FILELOCK  LockArea,
+            UnlockArea;
+  os2File *pFile = (os2File*)id;
+  memset(&LockArea, 0, sizeof(LockArea));
+  memset(&UnlockArea, 0, sizeof(UnlockArea));
+  assert( pFile!=0 );
+  OSTRACE4( "LOCK %d %d was %d\n", pFile->h, locktype, pFile->locktype );
+
+  /* If there is already a lock of this type or more restrictive on the
+  ** OsFile, do nothing. Don't use the end_lock: exit path, as
+  ** sqlite3OsEnterMutex() hasn't been called yet.
+  */
+  if( pFile->locktype>=locktype ){
+    return SQLITE_OK;
+  }
+
+  /* Make sure the locking sequence is correct
+  */
+  assert( pFile->locktype!=NO_LOCK || locktype==SHARED_LOCK );
+  assert( locktype!=PENDING_LOCK );
+  assert( locktype!=RESERVED_LOCK || pFile->locktype==SHARED_LOCK );
+
+  /* Lock the PENDING_LOCK byte if we need to acquire a PENDING lock or
+  ** a SHARED lock.  If we are acquiring a SHARED lock, the acquisition of
+  ** the PENDING_LOCK byte is temporary.
+  */
+  newLocktype = pFile->locktype;
+  if( pFile->locktype==NO_LOCK
+   || (locktype==EXCLUSIVE_LOCK && pFile->locktype==RESERVED_LOCK)
+  ){
+    int cnt = 3;
+
+    LockArea.lOffset = PENDING_BYTE;
+    LockArea.lRange = 1L;
+    UnlockArea.lOffset = 0L;
+    UnlockArea.lRange = 0L;
+
+    while( cnt-->0 && (res = DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L) )!=NO_ERROR ){
+      /* Try 3 times to get the pending lock.  The pending lock might be
+      ** held by another reader process who will release it momentarily.
+      */
+      OSTRACE2( "could not get a PENDING lock. cnt=%d\n", cnt );
+      DosSleep(1);
+    }
+    gotPendingLock = res;
+  }
+
+  /* Acquire a shared lock
+  */
+  if( locktype==SHARED_LOCK && res ){
+    assert( pFile->locktype==NO_LOCK );
+    res = getReadLock(pFile);
+    if( res == NO_ERROR ){
+      newLocktype = SHARED_LOCK;
+    }
+  }
+
+  /* Acquire a RESERVED lock
+  */
+  if( locktype==RESERVED_LOCK && res ){
+    assert( pFile->locktype==SHARED_LOCK );
+    LockArea.lOffset = RESERVED_BYTE;
+    LockArea.lRange = 1L;
+    UnlockArea.lOffset = 0L;
+    UnlockArea.lRange = 0L;
+    res = DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+    if( res == NO_ERROR ){
+      newLocktype = RESERVED_LOCK;
+    }
+  }
+
+  /* Acquire a PENDING lock
+  */
+  if( locktype==EXCLUSIVE_LOCK && res ){
+    newLocktype = PENDING_LOCK;
+    gotPendingLock = 0;
+  }
+
+  /* Acquire an EXCLUSIVE lock
+  */
+  if( locktype==EXCLUSIVE_LOCK && res ){
+    assert( pFile->locktype>=SHARED_LOCK );
+    res = unlockReadLock(pFile);
+    OSTRACE2( "unreadlock = %d\n", res );
+    LockArea.lOffset = SHARED_FIRST;
+    LockArea.lRange = SHARED_SIZE;
+    UnlockArea.lOffset = 0L;
+    UnlockArea.lRange = 0L;
+    res = DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+    if( res == NO_ERROR ){
+      newLocktype = EXCLUSIVE_LOCK;
+    }else{
+      OSTRACE2( "error-code = %d\n", res );
+    }
+  }
+
+  /* If we are holding a PENDING lock that ought to be released, then
+  ** release it now.
+  */
+  if( gotPendingLock && locktype==SHARED_LOCK ){
+    LockArea.lOffset = 0L;
+    LockArea.lRange = 0L;
+    UnlockArea.lOffset = PENDING_BYTE;
+    UnlockArea.lRange = 1L;
+    DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+  }
+
+  /* Update the state of the lock has held in the file descriptor then
+  ** return the appropriate result code.
+  */
+  if( res == NO_ERROR ){
+    rc = SQLITE_OK;
+  }else{
+    OSTRACE4( "LOCK FAILED %d trying for %d but got %d\n", pFile->h,
+           locktype, newLocktype );
+    rc = SQLITE_BUSY;
+  }
+  pFile->locktype = newLocktype;
+  return rc;
+}
+
+/*
+** This routine checks if there is a RESERVED lock held on the specified
+** file by this or any other process. If such a lock is held, return
+** non-zero, otherwise zero.
+*/
+int os2CheckReservedLock( OsFile *id ){
+  APIRET rc = NO_ERROR;
+  os2File *pFile = (os2File*)id;
+  assert( pFile!=0 );
+  if( pFile->locktype>=RESERVED_LOCK ){
+    rc = 1;
+    OSTRACE3( "TEST WR-LOCK %d %d (local)\n", pFile->h, rc );
+  }else{
+    FILELOCK  LockArea,
+              UnlockArea;
+    memset(&LockArea, 0, sizeof(LockArea));
+    memset(&UnlockArea, 0, sizeof(UnlockArea));
+    LockArea.lOffset = RESERVED_BYTE;
+    LockArea.lRange = 1L;
+    UnlockArea.lOffset = 0L;
+    UnlockArea.lRange = 0L;
+    rc = DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+    if( rc == NO_ERROR ){
+      LockArea.lOffset = 0L;
+      LockArea.lRange = 0L;
+      UnlockArea.lOffset = RESERVED_BYTE;
+      UnlockArea.lRange = 1L;
+      rc = DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+    }
+    OSTRACE3( "TEST WR-LOCK %d %d (remote)\n", pFile->h, rc );
+  }
+  return rc;
+}
+
+/*
+** Lower the locking level on file descriptor id to locktype.  locktype
+** must be either NO_LOCK or SHARED_LOCK.
+**
+** If the locking level of the file descriptor is already at or below
+** the requested locking level, this routine is a no-op.
+**
+** It is not possible for this routine to fail if the second argument
+** is NO_LOCK.  If the second argument is SHARED_LOCK then this routine
+** might return SQLITE_IOERR;
+*/
+int os2Unlock( OsFile *id, int locktype ){
+  int type;
+  APIRET rc = SQLITE_OK;
+  os2File *pFile = (os2File*)id;
+  FILELOCK  LockArea,
+            UnlockArea;
+  memset(&LockArea, 0, sizeof(LockArea));
+  memset(&UnlockArea, 0, sizeof(UnlockArea));
+  assert( pFile!=0 );
+  assert( locktype<=SHARED_LOCK );
+  OSTRACE4( "UNLOCK %d to %d was %d\n", pFile->h, locktype, pFile->locktype );
+  type = pFile->locktype;
+  if( type>=EXCLUSIVE_LOCK ){
+    LockArea.lOffset = 0L;
+    LockArea.lRange = 0L;
+    UnlockArea.lOffset = SHARED_FIRST;
+    UnlockArea.lRange = SHARED_SIZE;
+    DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+    if( locktype==SHARED_LOCK && getReadLock(pFile) != NO_ERROR ){
+      /* This should never happen.  We should always be able to
+      ** reacquire the read lock */
+      rc = SQLITE_IOERR;
+    }
+  }
+  if( type>=RESERVED_LOCK ){
+    LockArea.lOffset = 0L;
+    LockArea.lRange = 0L;
+    UnlockArea.lOffset = RESERVED_BYTE;
+    UnlockArea.lRange = 1L;
+    DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+  }
+  if( locktype==NO_LOCK && type>=SHARED_LOCK ){
+    unlockReadLock(pFile);
+  }
+  if( type>=PENDING_LOCK ){
+    LockArea.lOffset = 0L;
+    LockArea.lRange = 0L;
+    UnlockArea.lOffset = PENDING_BYTE;
+    UnlockArea.lRange = 1L;
+    DosSetFileLocks( pFile->h, &UnlockArea, &LockArea, 2000L, 1L );
+  }
+  pFile->locktype = locktype;
+  return rc;
+}
+
+/*
+** Turn a relative pathname into a full pathname.  Return a pointer
+** to the full pathname stored in space obtained from sqliteMalloc().
+** The calling function is responsible for freeing this space once it
+** is no longer needed.
+*/
+char *sqlite3Os2FullPathname( const char *zRelative ){
+  char *zFull = 0;
+  if( strchr(zRelative, ':') ){
+    sqlite3SetString( &zFull, zRelative, (char*)0 );
+  }else{
+    char zBuff[SQLITE_TEMPNAME_SIZE - 2] = {0};
+    char zDrive[1] = {0};
+    ULONG cbzFullLen = SQLITE_TEMPNAME_SIZE;
+    ULONG ulDriveNum = 0;
+    ULONG ulDriveMap = 0;
+    DosQueryCurrentDisk( &ulDriveNum, &ulDriveMap );
+    DosQueryCurrentDir( 0L, zBuff, &cbzFullLen );
+    zFull = sqliteMalloc( cbzFullLen );
+    sprintf( zDrive, "%c", (char)('A' + ulDriveNum - 1) );
+    sqlite3SetString( &zFull, zDrive, ":\\", zBuff, "\\", zRelative, (char*)0 );
+  }
+  return zFull;
+}
+
+/*
+** The fullSync option is meaningless on os2, or correct me if I'm wrong.  This is a no-op.
+** From os_unix.c: Change the value of the fullsync flag in the given file descriptor.
+** From os_unix.c: ((unixFile*)id)->fullSync = v;
+*/
+static void os2SetFullSync( OsFile *id, int v ){
+  return;
+}
+
+/*
+** Return the underlying file handle for an OsFile
+*/
+static int os2FileHandle( OsFile *id ){
+  return (int)((os2File*)id)->h;
+}
+
+/*
+** Return an integer that indices the type of lock currently held
+** by this handle.  (Used for testing and analysis only.)
+*/
+static int os2LockState( OsFile *id ){
+  return ((os2File*)id)->locktype;
+}
+
+/*
+** Return the sector size in bytes of the underlying block device for
+** the specified file. This is almost always 512 bytes, but may be
+** larger for some devices.
+**
+** SQLite code assumes this function cannot fail. It also assumes that
+** if two files are created in the same file-system directory (i.e.
+** a database and it's journal file) that the sector size will be the
+** same for both.
+*/
+static int os2SectorSize(OsFile *id){
+  return SQLITE_DEFAULT_SECTOR_SIZE;
+}
+
+/*
+** This vector defines all the methods that can operate on an OsFile
+** for os2.
+*/
+static const IoMethod sqlite3Os2IoMethod = {
+  os2Close,
+  os2OpenDirectory,
+  os2Read,
+  os2Write,
+  os2Seek,
+  os2Truncate,
+  os2Sync,
+  os2SetFullSync,
+  os2FileHandle,
+  os2FileSize,
+  os2Lock,
+  os2Unlock,
+  os2LockState,
+  os2CheckReservedLock,
+  os2SectorSize,
+};
+
+/*
+** Allocate memory for an OsFile.  Initialize the new OsFile
+** to the value given in pInit and return a pointer to the new
+** OsFile.  If we run out of memory, close the file and return NULL.
+*/
+int allocateOs2File( os2File *pInit, OsFile **pld ){
+  os2File *pNew;
+  pNew = sqliteMalloc( sizeof(*pNew) );
+  if( pNew==0 ){
+    DosClose( pInit->h );
+    *pld = 0;
+    return SQLITE_NOMEM;
+  }else{
+    *pNew = *pInit;
+    pNew->pMethod = &sqlite3Os2IoMethod;
+    pNew->locktype = NO_LOCK;
+    *pld = (OsFile*)pNew;
+    OpenCounter(+1);
+    return SQLITE_OK;
+  }
+}
+
+#endif /* SQLITE_OMIT_DISKIO */
+/***************************************************************************
+** Everything above deals with file I/O.  Everything that follows deals
+** with other miscellanous aspects of the operating system interface
+****************************************************************************/
+
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+/*
+** Interfaces for opening a shared library, finding entry points
+** within the shared library, and closing the shared library.
+*/
+void *sqlite3Os2Dlopen(const char *zFilename){
+  UCHAR loadErr[256];
+  HMODULE hmod;
+  APIRET rc;
+  rc = DosLoadModule(loadErr, sizeof(loadErr), zFilename, &hmod);
+  if (rc != NO_ERROR) return 0;
+  return (void*)hmod;
+}
+void *sqlite3Os2Dlsym(void *pHandle, const char *zSymbol){
+  PFN pfn;
+  APIRET rc;
+  rc = DosQueryProcAddr((HMODULE)pHandle, 0L, zSymbol, &pfn);
+  if (rc != NO_ERROR) {
+    /* if the symbol itself was not found, search again for the same
+     * symbol with an extra underscore, that might be needed depending
+     * on the calling convention */
+    char _zSymbol[256] = "_";
+    strncat(_zSymbol, zSymbol, 255);
+    rc = DosQueryProcAddr((HMODULE)pHandle, 0L, _zSymbol, &pfn);
+  }
+  if (rc != NO_ERROR) return 0;
+  return pfn;
+}
+int sqlite3Os2Dlclose(void *pHandle){
+  return DosFreeModule((HMODULE)pHandle);
+}
+#endif /* SQLITE_OMIT_LOAD_EXTENSION */
+
+
+/*
+** Get information to seed the random number generator.  The seed
+** is written into the buffer zBuf[256].  The calling function must
+** supply a sufficiently large buffer.
+*/
+int sqlite3Os2RandomSeed( char *zBuf ){
+  /* We have to initialize zBuf to prevent valgrind from reporting
+  ** errors.  The reports issued by valgrind are incorrect - we would
+  ** prefer that the randomness be increased by making use of the
+  ** uninitialized space in zBuf - but valgrind errors tend to worry
+  ** some users.  Rather than argue, it seems easier just to initialize
+  ** the whole array and silence valgrind, even if that means less randomness
+  ** in the random seed.
+  **
+  ** When testing, initializing zBuf[] to zero is all we do.  That means
+  ** that we always use the same random number sequence. This makes the
+  ** tests repeatable.
+  */
+  memset( zBuf, 0, 256 );
+  DosGetDateTime( (PDATETIME)zBuf );
+  return SQLITE_OK;
+}
+
+/*
+** Sleep for a little while.  Return the amount of time slept.
+*/
+int sqlite3Os2Sleep( int ms ){
+  DosSleep( ms );
+  return ms;
+}
+
+/*
+** Static variables used for thread synchronization
+*/
+static int inMutex = 0;
+#ifdef SQLITE_OS2_THREADS
+static ULONG mutexOwner;
+#endif
+
+/*
+** The following pair of routines implement mutual exclusion for
+** multi-threaded processes.  Only a single thread is allowed to
+** executed code that is surrounded by EnterMutex() and LeaveMutex().
+**
+** SQLite uses only a single Mutex.  There is not much critical
+** code and what little there is executes quickly and without blocking.
+*/
+void sqlite3Os2EnterMutex(){
+  PTIB ptib;
+#ifdef SQLITE_OS2_THREADS
+  DosEnterCritSec();
+  DosGetInfoBlocks( &ptib, NULL );
+  mutexOwner = ptib->tib_ptib2->tib2_ultid;
+#endif
+  assert( !inMutex );
+  inMutex = 1;
+}
+void sqlite3Os2LeaveMutex(){
+  PTIB ptib;
+  assert( inMutex );
+  inMutex = 0;
+#ifdef SQLITE_OS2_THREADS
+  DosGetInfoBlocks( &ptib, NULL );
+  assert( mutexOwner == ptib->tib_ptib2->tib2_ultid );
+  DosExitCritSec();
+#endif
+}
+
+/*
+** Return TRUE if the mutex is currently held.
+**
+** If the thisThreadOnly parameter is true, return true if and only if the
+** calling thread holds the mutex.  If the parameter is false, return
+** true if any thread holds the mutex.
+*/
+int sqlite3Os2InMutex( int thisThreadOnly ){
+#ifdef SQLITE_OS2_THREADS
+  PTIB ptib;
+  DosGetInfoBlocks( &ptib, NULL );
+  return inMutex>0 && (thisThreadOnly==0 || mutexOwner==ptib->tib_ptib2->tib2_ultid);
+#else
+  return inMutex>0;
+#endif
+}
+
+/*
+** The following variable, if set to a non-zero value, becomes the result
+** returned from sqlite3OsCurrentTime().  This is used for testing.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_current_time = 0;
+#endif
+
+/*
+** Find the current time (in Universal Coordinated Time).  Write the
+** current time and date as a Julian Day number into *prNow and
+** return 0.  Return 1 if the time and date cannot be found.
+*/
+int sqlite3Os2CurrentTime( double *prNow ){
+  double now;
+  USHORT second, minute, hour,
+         day, month, year;
+  DATETIME dt;
+  DosGetDateTime( &dt );
+  second = (USHORT)dt.seconds;
+  minute = (USHORT)dt.minutes + dt.timezone;
+  hour = (USHORT)dt.hours;
+  day = (USHORT)dt.day;
+  month = (USHORT)dt.month;
+  year = (USHORT)dt.year;
+
+  /* Calculations from http://www.astro.keele.ac.uk/~rno/Astronomy/hjd.html
+     http://www.astro.keele.ac.uk/~rno/Astronomy/hjd-0.1.c */
+  /* Calculate the Julian days */
+  now = day - 32076 +
+    1461*(year + 4800 + (month - 14)/12)/4 +
+    367*(month - 2 - (month - 14)/12*12)/12 -
+    3*((year + 4900 + (month - 14)/12)/100)/4;
+
+  /* Add the fractional hours, mins and seconds */
+  now += (hour + 12.0)/24.0;
+  now += minute/1440.0;
+  now += second/86400.0;
+  *prNow = now;
+#ifdef SQLITE_TEST
+  if( sqlite3_current_time ){
+    *prNow = sqlite3_current_time/86400.0 + 2440587.5;
+  }
+#endif
+  return 0;
+}
+
+/*
+** Remember the number of thread-specific-data blocks allocated.
+** Use this to verify that we are not leaking thread-specific-data.
+** Ticket #1601
+*/
+#ifdef SQLITE_TEST
+int sqlite3_tsd_count = 0;
+# define TSD_COUNTER_INCR InterlockedIncrement( &sqlite3_tsd_count )
+# define TSD_COUNTER_DECR InterlockedDecrement( &sqlite3_tsd_count )
+#else
+# define TSD_COUNTER_INCR  /* no-op */
+# define TSD_COUNTER_DECR  /* no-op */
+#endif
+
+/*
+** If called with allocateFlag>1, then return a pointer to thread
+** specific data for the current thread.  Allocate and zero the
+** thread-specific data if it does not already exist necessary.
+**
+** If called with allocateFlag==0, then check the current thread
+** specific data.  Return it if it exists.  If it does not exist,
+** then return NULL.
+**
+** If called with allocateFlag<0, check to see if the thread specific
+** data is allocated and is all zero.  If it is then deallocate it.
+** Return a pointer to the thread specific data or NULL if it is
+** unallocated or gets deallocated.
+*/
+ThreadData *sqlite3Os2ThreadSpecificData( int allocateFlag ){
+  static ThreadData **s_ppTsd = NULL;
+  static const ThreadData zeroData = {0, 0, 0};
+  ThreadData *pTsd;
+
+  if( !s_ppTsd ){
+    sqlite3OsEnterMutex();
+    if( !s_ppTsd ){
+      PULONG pul;
+      APIRET rc = DosAllocThreadLocalMemory(1, &pul);
+      if( rc != NO_ERROR ){
+        sqlite3OsLeaveMutex();
+        return 0;
+      }
+      s_ppTsd = (ThreadData **)pul;
+    }
+    sqlite3OsLeaveMutex();
+  }
+  pTsd = *s_ppTsd;
+  if( allocateFlag>0 ){
+    if( !pTsd ){
+      pTsd = sqlite3OsMalloc( sizeof(zeroData) );
+      if( pTsd ){
+        *pTsd = zeroData;
+        *s_ppTsd = pTsd;
+        TSD_COUNTER_INCR;
+      }
+    }
+  }else if( pTsd!=0 && allocateFlag<0
+              && memcmp( pTsd, &zeroData, sizeof(ThreadData) )==0 ){
+    sqlite3OsFree(pTsd);
+    *s_ppTsd = NULL;
+    TSD_COUNTER_DECR;
+    pTsd = 0;
+  }
+  return pTsd;
+}
+#endif /* OS_OS2 */
+
+/************** End of os_os2.c **********************************************/
+/************** Begin file os_unix.c *****************************************/
+/*
+** 2004 May 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains code that is specific to Unix systems.
+*/
+#if OS_UNIX              /* This file is used on unix only */
+
+/* #define SQLITE_ENABLE_LOCKING_STYLE 0 */
+
+/*
+** These #defines should enable >2GB file support on Posix if the
+** underlying operating system supports it.  If the OS lacks
+** large file support, these should be no-ops.
+**
+** Large file support can be disabled using the -DSQLITE_DISABLE_LFS switch
+** on the compiler command line.  This is necessary if you are compiling
+** on a recent machine (ex: RedHat 7.2) but you want your code to work
+** on an older machine (ex: RedHat 6.0).  If you compile on RedHat 7.2
+** without this option, LFS is enable.  But LFS does not exist in the kernel
+** in RedHat 6.0, so the code won't work.  Hence, for maximum binary
+** portability you should omit LFS.
+*/
+#ifndef SQLITE_DISABLE_LFS
+# define _LARGE_FILE       1
+# ifndef _FILE_OFFSET_BITS
+#   define _FILE_OFFSET_BITS 64
+# endif
+# define _LARGEFILE_SOURCE 1
+#endif
+
+/*
+** standard include files.
+*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <errno.h>
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+#include <sys/ioctl.h>
+#include <sys/param.h>
+#include <sys/mount.h>
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+/*
+** If we are to be thread-safe, include the pthreads header and define
+** the SQLITE_UNIX_THREADS macro.
+*/
+#ifndef THREADSAFE
+# define THREADSAFE 1
+#endif
+#if THREADSAFE
+# include <pthread.h>
+# define SQLITE_UNIX_THREADS 1
+#endif
+
+/*
+** Default permissions when creating a new file
+*/
+#ifndef SQLITE_DEFAULT_FILE_PERMISSIONS
+# define SQLITE_DEFAULT_FILE_PERMISSIONS 0644
+#endif
+
+
+
+/*
+** The unixFile structure is subclass of OsFile specific for the unix
+** protability layer.
+*/
+typedef struct unixFile unixFile;
+struct unixFile {
+  IoMethod const *pMethod;  /* Always the first entry */
+  struct openCnt *pOpen;    /* Info about all open fd's on this inode */
+  struct lockInfo *pLock;   /* Info about locks on this inode */
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+  void *lockingContext;     /* Locking style specific state */
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+  int h;                    /* The file descriptor */
+  unsigned char locktype;   /* The type of lock held on this fd */
+  unsigned char isOpen;     /* True if needs to be closed */
+  unsigned char fullSync;   /* Use F_FULLSYNC if available */
+  int dirfd;                /* File descriptor for the directory */
+  i64 offset;               /* Seek offset */
+#ifdef SQLITE_UNIX_THREADS
+  pthread_t tid;            /* The thread that "owns" this OsFile */
+#endif
+};
+
+/*
+** Provide the ability to override some OS-layer functions during
+** testing.  This is used to simulate OS crashes to verify that 
+** commits are atomic even in the event of an OS crash.
+*/
+#ifdef SQLITE_CRASH_TEST
+  extern int sqlite3CrashTestEnable;
+  extern int sqlite3CrashOpenReadWrite(const char*, OsFile**, int*);
+  extern int sqlite3CrashOpenExclusive(const char*, OsFile**, int);
+  extern int sqlite3CrashOpenReadOnly(const char*, OsFile**, int);
+# define CRASH_TEST_OVERRIDE(X,A,B,C) \
+    if(sqlite3CrashTestEnable){ return X(A,B,C); }
+#else
+# define CRASH_TEST_OVERRIDE(X,A,B,C)  /* no-op */
+#endif
+
+
+/*
+** Include code that is common to all os_*.c files
+*/
+/************** Include os_common.h in the middle of os_unix.c ***************/
+/************** Begin file os_common.h ***************************************/
+/*
+** 2004 May 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains macros and a little bit of code that is common to
+** all of the platform-specific files (os_*.c) and is #included into those
+** files.
+**
+** This file should be #included by the os_*.c files only.  It is not a
+** general purpose header file.
+*/
+
+/*
+** At least two bugs have slipped in because we changed the MEMORY_DEBUG
+** macro to SQLITE_DEBUG and some older makefiles have not yet made the
+** switch.  The following code should catch this problem at compile-time.
+*/
+#ifdef MEMORY_DEBUG
+# error "The MEMORY_DEBUG macro is obsolete.  Use SQLITE_DEBUG instead."
+#endif
+
+
+/*
+ * When testing, this global variable stores the location of the
+ * pending-byte in the database file.
+ */
+#ifdef SQLITE_TEST
+unsigned int sqlite3_pending_byte = 0x40000000;
+#endif
+
+int sqlite3_os_trace = 0;
+#ifdef SQLITE_DEBUG
+#define OSTRACE1(X)         if( sqlite3_os_trace ) sqlite3DebugPrintf(X)
+#define OSTRACE2(X,Y)       if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y)
+#define OSTRACE3(X,Y,Z)     if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)   if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B) if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C,D)
+#else
+#define OSTRACE1(X)
+#define OSTRACE2(X,Y)
+#define OSTRACE3(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D)
+#endif
+
+/*
+** Macros for performance tracing.  Normally turned off.  Only works
+** on i486 hardware.
+*/
+#ifdef SQLITE_PERFORMANCE_TRACE
+__inline__ unsigned long long int hwtime(void){
+  unsigned long long int x;
+  __asm__("rdtsc\n\t"
+          "mov %%edx, %%ecx\n\t"
+          :"=A" (x));
+  return x;
+}
+static unsigned long long int g_start;
+static unsigned int elapse;
+#define TIMER_START       g_start=hwtime()
+#define TIMER_END         elapse=hwtime()-g_start
+#define TIMER_ELAPSED     elapse
+#else
+#define TIMER_START
+#define TIMER_END
+#define TIMER_ELAPSED     0
+#endif
+
+/*
+** If we compile with the SQLITE_TEST macro set, then the following block
+** of code will give us the ability to simulate a disk I/O error.  This
+** is used for testing the I/O recovery logic.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_io_error_hit = 0;
+int sqlite3_io_error_pending = 0;
+int sqlite3_io_error_persist = 0;
+int sqlite3_diskfull_pending = 0;
+int sqlite3_diskfull = 0;
+#define SimulateIOError(CODE)  \
+  if( sqlite3_io_error_pending || sqlite3_io_error_hit ) \
+     if( sqlite3_io_error_pending-- == 1 \
+         || (sqlite3_io_error_persist && sqlite3_io_error_hit) ) \
+                { local_ioerr(); CODE; }
+static void local_ioerr(){
+  IOTRACE(("IOERR\n"));
+  sqlite3_io_error_hit = 1;
+}
+#define SimulateDiskfullError(CODE) \
+   if( sqlite3_diskfull_pending ){ \
+     if( sqlite3_diskfull_pending == 1 ){ \
+       local_ioerr(); \
+       sqlite3_diskfull = 1; \
+       sqlite3_io_error_hit = 1; \
+       CODE; \
+     }else{ \
+       sqlite3_diskfull_pending--; \
+     } \
+   }
+#else
+#define SimulateIOError(A)
+#define SimulateDiskfullError(A)
+#endif
+
+/*
+** When testing, keep a count of the number of open files.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_open_file_count = 0;
+#define OpenCounter(X)  sqlite3_open_file_count+=(X)
+#else
+#define OpenCounter(X)
+#endif
+
+/*
+** sqlite3GenericMalloc
+** sqlite3GenericRealloc
+** sqlite3GenericOsFree
+** sqlite3GenericAllocationSize
+**
+** Implementation of the os level dynamic memory allocation interface in terms
+** of the standard malloc(), realloc() and free() found in many operating
+** systems. No rocket science here.
+**
+** There are two versions of these four functions here. The version
+** implemented here is only used if memory-management or memory-debugging is
+** enabled. This version allocates an extra 8-bytes at the beginning of each
+** block and stores the size of the allocation there.
+**
+** If neither memory-management or debugging is enabled, the second
+** set of implementations is used instead.
+*/
+#if defined(SQLITE_ENABLE_MEMORY_MANAGEMENT) || defined (SQLITE_MEMDEBUG)
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n+8);
+  assert(n>0);
+  assert(sizeof(int)<=8);
+  if( p ){
+    *(int *)p = n;
+    p += 8;
+  }
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  char *p2 = ((char *)p - 8);
+  assert(n>0);
+  p2 = (char*)realloc(p2, n+8);
+  if( p2 ){
+    *(int *)p2 = n;
+    p2 += 8;
+  }
+  return (void *)p2;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free((void *)((char *)p - 8));
+}
+int sqlite3GenericAllocationSize(void *p){
+  return p ? *(int *)((char *)p - 8) : 0;
+}
+#else
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n);
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  assert(n>0);
+  p = realloc(p, n);
+  return p;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free(p);
+}
+/* Never actually used, but needed for the linker */
+int sqlite3GenericAllocationSize(void *p){ return 0; }
+#endif
+
+/*
+** The default size of a disk sector
+*/
+#ifndef PAGER_SECTOR_SIZE
+# define PAGER_SECTOR_SIZE 512
+#endif
+
+/************** End of os_common.h *******************************************/
+/************** Continuing where we left off in os_unix.c ********************/
+
+/*
+** Do not include any of the File I/O interface procedures if the
+** SQLITE_OMIT_DISKIO macro is defined (indicating that the database
+** will be in-memory only)
+*/
+#ifndef SQLITE_OMIT_DISKIO
+
+
+/*
+** Define various macros that are missing from some systems.
+*/
+#ifndef O_LARGEFILE
+# define O_LARGEFILE 0
+#endif
+#ifdef SQLITE_DISABLE_LFS
+# undef O_LARGEFILE
+# define O_LARGEFILE 0
+#endif
+#ifndef O_NOFOLLOW
+# define O_NOFOLLOW 0
+#endif
+#ifndef O_BINARY
+# define O_BINARY 0
+#endif
+
+/*
+** The DJGPP compiler environment looks mostly like Unix, but it
+** lacks the fcntl() system call.  So redefine fcntl() to be something
+** that always succeeds.  This means that locking does not occur under
+** DJGPP.  But it's DOS - what did you expect?
+*/
+#ifdef __DJGPP__
+# define fcntl(A,B,C) 0
+#endif
+
+/*
+** The threadid macro resolves to the thread-id or to 0.  Used for
+** testing and debugging only.
+*/
+#ifdef SQLITE_UNIX_THREADS
+#define threadid pthread_self()
+#else
+#define threadid 0
+#endif
+
+/*
+** Set or check the OsFile.tid field.  This field is set when an OsFile
+** is first opened.  All subsequent uses of the OsFile verify that the
+** same thread is operating on the OsFile.  Some operating systems do
+** not allow locks to be overridden by other threads and that restriction
+** means that sqlite3* database handles cannot be moved from one thread
+** to another.  This logic makes sure a user does not try to do that
+** by mistake.
+**
+** Version 3.3.1 (2006-01-15):  OsFiles can be moved from one thread to
+** another as long as we are running on a system that supports threads
+** overriding each others locks (which now the most common behavior)
+** or if no locks are held.  But the OsFile.pLock field needs to be
+** recomputed because its key includes the thread-id.  See the 
+** transferOwnership() function below for additional information
+*/
+#if defined(SQLITE_UNIX_THREADS)
+# define SET_THREADID(X)   (X)->tid = pthread_self()
+# define CHECK_THREADID(X) (threadsOverrideEachOthersLocks==0 && \
+                            !pthread_equal((X)->tid, pthread_self()))
+#else
+# define SET_THREADID(X)
+# define CHECK_THREADID(X) 0
+#endif
+
+/*
+** Here is the dirt on POSIX advisory locks:  ANSI STD 1003.1 (1996)
+** section 6.5.2.2 lines 483 through 490 specify that when a process
+** sets or clears a lock, that operation overrides any prior locks set
+** by the same process.  It does not explicitly say so, but this implies
+** that it overrides locks set by the same process using a different
+** file descriptor.  Consider this test case:
+**
+**       int fd1 = open("./file1", O_RDWR|O_CREAT, 0644);
+**       int fd2 = open("./file2", O_RDWR|O_CREAT, 0644);
+**
+** Suppose ./file1 and ./file2 are really the same file (because
+** one is a hard or symbolic link to the other) then if you set
+** an exclusive lock on fd1, then try to get an exclusive lock
+** on fd2, it works.  I would have expected the second lock to
+** fail since there was already a lock on the file due to fd1.
+** But not so.  Since both locks came from the same process, the
+** second overrides the first, even though they were on different
+** file descriptors opened on different file names.
+**
+** Bummer.  If you ask me, this is broken.  Badly broken.  It means
+** that we cannot use POSIX locks to synchronize file access among
+** competing threads of the same process.  POSIX locks will work fine
+** to synchronize access for threads in separate processes, but not
+** threads within the same process.
+**
+** To work around the problem, SQLite has to manage file locks internally
+** on its own.  Whenever a new database is opened, we have to find the
+** specific inode of the database file (the inode is determined by the
+** st_dev and st_ino fields of the stat structure that fstat() fills in)
+** and check for locks already existing on that inode.  When locks are
+** created or removed, we have to look at our own internal record of the
+** locks to see if another thread has previously set a lock on that same
+** inode.
+**
+** The OsFile structure for POSIX is no longer just an integer file
+** descriptor.  It is now a structure that holds the integer file
+** descriptor and a pointer to a structure that describes the internal
+** locks on the corresponding inode.  There is one locking structure
+** per inode, so if the same inode is opened twice, both OsFile structures
+** point to the same locking structure.  The locking structure keeps
+** a reference count (so we will know when to delete it) and a "cnt"
+** field that tells us its internal lock status.  cnt==0 means the
+** file is unlocked.  cnt==-1 means the file has an exclusive lock.
+** cnt>0 means there are cnt shared locks on the file.
+**
+** Any attempt to lock or unlock a file first checks the locking
+** structure.  The fcntl() system call is only invoked to set a 
+** POSIX lock if the internal lock structure transitions between
+** a locked and an unlocked state.
+**
+** 2004-Jan-11:
+** More recent discoveries about POSIX advisory locks.  (The more
+** I discover, the more I realize the a POSIX advisory locks are
+** an abomination.)
+**
+** If you close a file descriptor that points to a file that has locks,
+** all locks on that file that are owned by the current process are
+** released.  To work around this problem, each OsFile structure contains
+** a pointer to an openCnt structure.  There is one openCnt structure
+** per open inode, which means that multiple OsFiles can point to a single
+** openCnt.  When an attempt is made to close an OsFile, if there are
+** other OsFiles open on the same inode that are holding locks, the call
+** to close() the file descriptor is deferred until all of the locks clear.
+** The openCnt structure keeps a list of file descriptors that need to
+** be closed and that list is walked (and cleared) when the last lock
+** clears.
+**
+** First, under Linux threads, because each thread has a separate
+** process ID, lock operations in one thread do not override locks
+** to the same file in other threads.  Linux threads behave like
+** separate processes in this respect.  But, if you close a file
+** descriptor in linux threads, all locks are cleared, even locks
+** on other threads and even though the other threads have different
+** process IDs.  Linux threads is inconsistent in this respect.
+** (I'm beginning to think that linux threads is an abomination too.)
+** The consequence of this all is that the hash table for the lockInfo
+** structure has to include the process id as part of its key because
+** locks in different threads are treated as distinct.  But the 
+** openCnt structure should not include the process id in its
+** key because close() clears lock on all threads, not just the current
+** thread.  Were it not for this goofiness in linux threads, we could
+** combine the lockInfo and openCnt structures into a single structure.
+**
+** 2004-Jun-28:
+** On some versions of linux, threads can override each others locks.
+** On others not.  Sometimes you can change the behavior on the same
+** system by setting the LD_ASSUME_KERNEL environment variable.  The
+** POSIX standard is silent as to which behavior is correct, as far
+** as I can tell, so other versions of unix might show the same
+** inconsistency.  There is no little doubt in my mind that posix
+** advisory locks and linux threads are profoundly broken.
+**
+** To work around the inconsistencies, we have to test at runtime 
+** whether or not threads can override each others locks.  This test
+** is run once, the first time any lock is attempted.  A static 
+** variable is set to record the results of this test for future
+** use.
+*/
+
+/*
+** An instance of the following structure serves as the key used
+** to locate a particular lockInfo structure given its inode.
+**
+** If threads cannot override each others locks, then we set the
+** lockKey.tid field to the thread ID.  If threads can override
+** each others locks then tid is always set to zero.  tid is omitted
+** if we compile without threading support.
+*/
+struct lockKey {
+  dev_t dev;       /* Device number */
+  ino_t ino;       /* Inode number */
+#ifdef SQLITE_UNIX_THREADS
+  pthread_t tid;   /* Thread ID or zero if threads can override each other */
+#endif
+};
+
+/*
+** An instance of the following structure is allocated for each open
+** inode on each thread with a different process ID.  (Threads have
+** different process IDs on linux, but not on most other unixes.)
+**
+** A single inode can have multiple file descriptors, so each OsFile
+** structure contains a pointer to an instance of this object and this
+** object keeps a count of the number of OsFiles pointing to it.
+*/
+struct lockInfo {
+  struct lockKey key;  /* The lookup key */
+  int cnt;             /* Number of SHARED locks held */
+  int locktype;        /* One of SHARED_LOCK, RESERVED_LOCK etc. */
+  int nRef;            /* Number of pointers to this structure */
+};
+
+/*
+** An instance of the following structure serves as the key used
+** to locate a particular openCnt structure given its inode.  This
+** is the same as the lockKey except that the thread ID is omitted.
+*/
+struct openKey {
+  dev_t dev;   /* Device number */
+  ino_t ino;   /* Inode number */
+};
+
+/*
+** An instance of the following structure is allocated for each open
+** inode.  This structure keeps track of the number of locks on that
+** inode.  If a close is attempted against an inode that is holding
+** locks, the close is deferred until all locks clear by adding the
+** file descriptor to be closed to the pending list.
+*/
+struct openCnt {
+  struct openKey key;   /* The lookup key */
+  int nRef;             /* Number of pointers to this structure */
+  int nLock;            /* Number of outstanding locks */
+  int nPending;         /* Number of pending close() operations */
+  int *aPending;        /* Malloced space holding fd's awaiting a close() */
+};
+
+/* 
+** These hash tables map inodes and file descriptors (really, lockKey and
+** openKey structures) into lockInfo and openCnt structures.  Access to 
+** these hash tables must be protected by a mutex.
+*/
+static Hash lockHash = {SQLITE_HASH_BINARY, 0, 0, 0, 
+    sqlite3ThreadSafeMalloc, sqlite3ThreadSafeFree, 0, 0};
+static Hash openHash = {SQLITE_HASH_BINARY, 0, 0, 0, 
+    sqlite3ThreadSafeMalloc, sqlite3ThreadSafeFree, 0, 0};
+
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+/*
+** The locking styles are associated with the different file locking
+** capabilities supported by different file systems.  
+**
+** POSIX locking style fully supports shared and exclusive byte-range locks 
+** ADP locking only supports exclusive byte-range locks
+** FLOCK only supports a single file-global exclusive lock
+** DOTLOCK isn't a true locking style, it refers to the use of a special
+**   file named the same as the database file with a '.lock' extension, this
+**   can be used on file systems that do not offer any reliable file locking
+** NO locking means that no locking will be attempted, this is only used for
+**   read-only file systems currently
+** UNSUPPORTED means that no locking will be attempted, this is only used for
+**   file systems that are known to be unsupported
+*/
+typedef enum {
+	posixLockingStyle = 0,       /* standard posix-advisory locks */
+	afpLockingStyle,             /* use afp locks */
+	flockLockingStyle,           /* use flock() */
+	dotlockLockingStyle,         /* use <file>.lock files */
+	noLockingStyle,              /* useful for read-only file system */
+	unsupportedLockingStyle      /* indicates unsupported file system */
+} sqlite3LockingStyle;
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+#ifdef SQLITE_UNIX_THREADS
+/*
+** This variable records whether or not threads can override each others
+** locks.
+**
+**    0:  No.  Threads cannot override each others locks.
+**    1:  Yes.  Threads can override each others locks.
+**   -1:  We don't know yet.
+**
+** On some systems, we know at compile-time if threads can override each
+** others locks.  On those systems, the SQLITE_THREAD_OVERRIDE_LOCK macro
+** will be set appropriately.  On other systems, we have to check at
+** runtime.  On these latter systems, SQLTIE_THREAD_OVERRIDE_LOCK is
+** undefined.
+**
+** This variable normally has file scope only.  But during testing, we make
+** it a global so that the test code can change its value in order to verify
+** that the right stuff happens in either case.
+*/
+#ifndef SQLITE_THREAD_OVERRIDE_LOCK
+# define SQLITE_THREAD_OVERRIDE_LOCK -1
+#endif
+#ifdef SQLITE_TEST
+int threadsOverrideEachOthersLocks = SQLITE_THREAD_OVERRIDE_LOCK;
+#else
+static int threadsOverrideEachOthersLocks = SQLITE_THREAD_OVERRIDE_LOCK;
+#endif
+
+/*
+** This structure holds information passed into individual test
+** threads by the testThreadLockingBehavior() routine.
+*/
+struct threadTestData {
+  int fd;                /* File to be locked */
+  struct flock lock;     /* The locking operation */
+  int result;            /* Result of the locking operation */
+};
+
+#ifdef SQLITE_LOCK_TRACE
+/*
+** Print out information about all locking operations.
+**
+** This routine is used for troubleshooting locks on multithreaded
+** platforms.  Enable by compiling with the -DSQLITE_LOCK_TRACE
+** command-line option on the compiler.  This code is normally
+** turned off.
+*/
+static int lockTrace(int fd, int op, struct flock *p){
+  char *zOpName, *zType;
+  int s;
+  int savedErrno;
+  if( op==F_GETLK ){
+    zOpName = "GETLK";
+  }else if( op==F_SETLK ){
+    zOpName = "SETLK";
+  }else{
+    s = fcntl(fd, op, p);
+    sqlite3DebugPrintf("fcntl unknown %d %d %d\n", fd, op, s);
+    return s;
+  }
+  if( p->l_type==F_RDLCK ){
+    zType = "RDLCK";
+  }else if( p->l_type==F_WRLCK ){
+    zType = "WRLCK";
+  }else if( p->l_type==F_UNLCK ){
+    zType = "UNLCK";
+  }else{
+    assert( 0 );
+  }
+  assert( p->l_whence==SEEK_SET );
+  s = fcntl(fd, op, p);
+  savedErrno = errno;
+  sqlite3DebugPrintf("fcntl %d %d %s %s %d %d %d %d\n",
+     threadid, fd, zOpName, zType, (int)p->l_start, (int)p->l_len,
+     (int)p->l_pid, s);
+  if( s==(-1) && op==F_SETLK && (p->l_type==F_RDLCK || p->l_type==F_WRLCK) ){
+    struct flock l2;
+    l2 = *p;
+    fcntl(fd, F_GETLK, &l2);
+    if( l2.l_type==F_RDLCK ){
+      zType = "RDLCK";
+    }else if( l2.l_type==F_WRLCK ){
+      zType = "WRLCK";
+    }else if( l2.l_type==F_UNLCK ){
+      zType = "UNLCK";
+    }else{
+      assert( 0 );
+    }
+    sqlite3DebugPrintf("fcntl-failure-reason: %s %d %d %d\n",
+       zType, (int)l2.l_start, (int)l2.l_len, (int)l2.l_pid);
+  }
+  errno = savedErrno;
+  return s;
+}
+#define fcntl lockTrace
+#endif /* SQLITE_LOCK_TRACE */
+
+/*
+** The testThreadLockingBehavior() routine launches two separate
+** threads on this routine.  This routine attempts to lock a file
+** descriptor then returns.  The success or failure of that attempt
+** allows the testThreadLockingBehavior() procedure to determine
+** whether or not threads can override each others locks.
+*/
+static void *threadLockingTest(void *pArg){
+  struct threadTestData *pData = (struct threadTestData*)pArg;
+  pData->result = fcntl(pData->fd, F_SETLK, &pData->lock);
+  return pArg;
+}
+
+/*
+** This procedure attempts to determine whether or not threads
+** can override each others locks then sets the 
+** threadsOverrideEachOthersLocks variable appropriately.
+*/
+static void testThreadLockingBehavior(int fd_orig){
+  int fd;
+  struct threadTestData d[2];
+  pthread_t t[2];
+
+  fd = dup(fd_orig);
+  if( fd<0 ) return;
+  memset(d, 0, sizeof(d));
+  d[0].fd = fd;
+  d[0].lock.l_type = F_RDLCK;
+  d[0].lock.l_len = 1;
+  d[0].lock.l_start = 0;
+  d[0].lock.l_whence = SEEK_SET;
+  d[1] = d[0];
+  d[1].lock.l_type = F_WRLCK;
+  pthread_create(&t[0], 0, threadLockingTest, &d[0]);
+  pthread_create(&t[1], 0, threadLockingTest, &d[1]);
+  pthread_join(t[0], 0);
+  pthread_join(t[1], 0);
+  close(fd);
+  threadsOverrideEachOthersLocks =  d[0].result==0 && d[1].result==0;
+}
+#endif /* SQLITE_UNIX_THREADS */
+
+/*
+** Release a lockInfo structure previously allocated by findLockInfo().
+*/
+static void releaseLockInfo(struct lockInfo *pLock){
+  assert( sqlite3OsInMutex(1) );
+  if (pLock == NULL)
+    return;
+  pLock->nRef--;
+  if( pLock->nRef==0 ){
+    sqlite3HashInsert(&lockHash, &pLock->key, sizeof(pLock->key), 0);
+    sqlite3ThreadSafeFree(pLock);
+  }
+}
+
+/*
+** Release a openCnt structure previously allocated by findLockInfo().
+*/
+static void releaseOpenCnt(struct openCnt *pOpen){
+  assert( sqlite3OsInMutex(1) );
+  if (pOpen == NULL)
+    return;
+  pOpen->nRef--;
+  if( pOpen->nRef==0 ){
+    sqlite3HashInsert(&openHash, &pOpen->key, sizeof(pOpen->key), 0);
+    free(pOpen->aPending);
+    sqlite3ThreadSafeFree(pOpen);
+  }
+}
+
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+/*
+** Tests a byte-range locking query to see if byte range locks are 
+** supported, if not we fall back to dotlockLockingStyle.
+*/
+static sqlite3LockingStyle sqlite3TestLockingStyle(const char *filePath, 
+  int fd) {
+  /* test byte-range lock using fcntl */
+  struct flock lockInfo;
+  
+  lockInfo.l_len = 1;
+  lockInfo.l_start = 0;
+  lockInfo.l_whence = SEEK_SET;
+  lockInfo.l_type = F_RDLCK;
+  
+  if (fcntl(fd, F_GETLK, &lockInfo) != -1) {
+    return posixLockingStyle;
+  } 
+  
+  /* testing for flock can give false positives.  So if if the above test
+  ** fails, then we fall back to using dot-lock style locking.
+  */  
+  return dotlockLockingStyle;
+}
+
+/* 
+** Examines the f_fstypename entry in the statfs structure as returned by 
+** stat() for the file system hosting the database file, assigns the 
+** appropriate locking style based on it's value.  These values and 
+** assignments are based on Darwin/OSX behavior and have not been tested on 
+** other systems.
+*/
+static sqlite3LockingStyle sqlite3DetectLockingStyle(const char *filePath, 
+  int fd) {
+
+#ifdef SQLITE_FIXED_LOCKING_STYLE
+  return (sqlite3LockingStyle)SQLITE_FIXED_LOCKING_STYLE;
+#else
+  struct statfs fsInfo;
+
+  if (statfs(filePath, &fsInfo) == -1)
+    return sqlite3TestLockingStyle(filePath, fd);
+  
+  if (fsInfo.f_flags & MNT_RDONLY)
+    return noLockingStyle;
+  
+  if( (!strcmp(fsInfo.f_fstypename, "hfs")) ||
+    (!strcmp(fsInfo.f_fstypename, "ufs")) )
+		return posixLockingStyle;
+  
+  if(!strcmp(fsInfo.f_fstypename, "afpfs"))
+    return afpLockingStyle;
+  
+  if(!strcmp(fsInfo.f_fstypename, "nfs")) 
+    return sqlite3TestLockingStyle(filePath, fd);
+  
+  if(!strcmp(fsInfo.f_fstypename, "smbfs"))
+    return flockLockingStyle;
+  
+  if(!strcmp(fsInfo.f_fstypename, "msdos"))
+    return dotlockLockingStyle;
+  
+  if(!strcmp(fsInfo.f_fstypename, "webdav"))
+    return unsupportedLockingStyle;
+  
+  return sqlite3TestLockingStyle(filePath, fd);  
+#endif // SQLITE_FIXED_LOCKING_STYLE
+}
+
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+/*
+** Given a file descriptor, locate lockInfo and openCnt structures that
+** describes that file descriptor.  Create new ones if necessary.  The
+** return values might be uninitialized if an error occurs.
+**
+** Return the number of errors.
+*/
+static int findLockInfo(
+  int fd,                      /* The file descriptor used in the key */
+  struct lockInfo **ppLock,    /* Return the lockInfo structure here */
+  struct openCnt **ppOpen      /* Return the openCnt structure here */
+){
+  int rc;
+  struct lockKey key1;
+  struct openKey key2;
+  struct stat statbuf;
+  struct lockInfo *pLock;
+  struct openCnt *pOpen;
+  rc = fstat(fd, &statbuf);
+  if( rc!=0 ) return 1;
+
+  assert( sqlite3OsInMutex(1) );
+  memset(&key1, 0, sizeof(key1));
+  key1.dev = statbuf.st_dev;
+  key1.ino = statbuf.st_ino;
+#ifdef SQLITE_UNIX_THREADS
+  if( threadsOverrideEachOthersLocks<0 ){
+    testThreadLockingBehavior(fd);
+  }
+  key1.tid = threadsOverrideEachOthersLocks ? 0 : pthread_self();
+#endif
+  memset(&key2, 0, sizeof(key2));
+  key2.dev = statbuf.st_dev;
+  key2.ino = statbuf.st_ino;
+  pLock = (struct lockInfo*)sqlite3HashFind(&lockHash, &key1, sizeof(key1));
+  if( pLock==0 ){
+    struct lockInfo *pOld;
+    pLock = sqlite3ThreadSafeMalloc( sizeof(*pLock) );
+    if( pLock==0 ){
+      rc = 1;
+      goto exit_findlockinfo;
+    }
+    pLock->key = key1;
+    pLock->nRef = 1;
+    pLock->cnt = 0;
+    pLock->locktype = 0;
+    pOld = sqlite3HashInsert(&lockHash, &pLock->key, sizeof(key1), pLock);
+    if( pOld!=0 ){
+      assert( pOld==pLock );
+      sqlite3ThreadSafeFree(pLock);
+      rc = 1;
+      goto exit_findlockinfo;
+    }
+  }else{
+    pLock->nRef++;
+  }
+  *ppLock = pLock;
+  if( ppOpen!=0 ){
+    pOpen = (struct openCnt*)sqlite3HashFind(&openHash, &key2, sizeof(key2));
+    if( pOpen==0 ){
+      struct openCnt *pOld;
+      pOpen = sqlite3ThreadSafeMalloc( sizeof(*pOpen) );
+      if( pOpen==0 ){
+        releaseLockInfo(pLock);
+        rc = 1;
+        goto exit_findlockinfo;
+      }
+      pOpen->key = key2;
+      pOpen->nRef = 1;
+      pOpen->nLock = 0;
+      pOpen->nPending = 0;
+      pOpen->aPending = 0;
+      pOld = sqlite3HashInsert(&openHash, &pOpen->key, sizeof(key2), pOpen);
+      if( pOld!=0 ){
+        assert( pOld==pOpen );
+        sqlite3ThreadSafeFree(pOpen);
+        releaseLockInfo(pLock);
+        rc = 1;
+        goto exit_findlockinfo;
+      }
+    }else{
+      pOpen->nRef++;
+    }
+    *ppOpen = pOpen;
+  }
+
+exit_findlockinfo:
+  return rc;
+}
+
+#ifdef SQLITE_DEBUG
+/*
+** Helper function for printing out trace information from debugging
+** binaries. This returns the string represetation of the supplied
+** integer lock-type.
+*/
+static const char *locktypeName(int locktype){
+  switch( locktype ){
+  case NO_LOCK: return "NONE";
+  case SHARED_LOCK: return "SHARED";
+  case RESERVED_LOCK: return "RESERVED";
+  case PENDING_LOCK: return "PENDING";
+  case EXCLUSIVE_LOCK: return "EXCLUSIVE";
+  }
+  return "ERROR";
+}
+#endif
+
+/*
+** If we are currently in a different thread than the thread that the
+** unixFile argument belongs to, then transfer ownership of the unixFile
+** over to the current thread.
+**
+** A unixFile is only owned by a thread on systems where one thread is
+** unable to override locks created by a different thread.  RedHat9 is
+** an example of such a system.
+**
+** Ownership transfer is only allowed if the unixFile is currently unlocked.
+** If the unixFile is locked and an ownership is wrong, then return
+** SQLITE_MISUSE.  SQLITE_OK is returned if everything works.
+*/
+#ifdef SQLITE_UNIX_THREADS
+static int transferOwnership(unixFile *pFile){
+  int rc;
+  pthread_t hSelf;
+  if( threadsOverrideEachOthersLocks ){
+    /* Ownership transfers not needed on this system */
+    return SQLITE_OK;
+  }
+  hSelf = pthread_self();
+  if( pthread_equal(pFile->tid, hSelf) ){
+    /* We are still in the same thread */
+    OSTRACE1("No-transfer, same thread\n");
+    return SQLITE_OK;
+  }
+  if( pFile->locktype!=NO_LOCK ){
+    /* We cannot change ownership while we are holding a lock! */
+    return SQLITE_MISUSE;
+  }
+  OSTRACE4("Transfer ownership of %d from %d to %d\n",
+            pFile->h, pFile->tid, hSelf);
+  pFile->tid = hSelf;
+  if (pFile->pLock != NULL) {
+    releaseLockInfo(pFile->pLock);
+    rc = findLockInfo(pFile->h, &pFile->pLock, 0);
+    OSTRACE5("LOCK    %d is now %s(%s,%d)\n", pFile->h,
+           locktypeName(pFile->locktype),
+           locktypeName(pFile->pLock->locktype), pFile->pLock->cnt);
+    return rc;
+  } else {
+    return SQLITE_OK;
+  }
+}
+#else
+  /* On single-threaded builds, ownership transfer is a no-op */
+# define transferOwnership(X) SQLITE_OK
+#endif
+
+/*
+** Delete the named file
+*/
+int sqlite3UnixDelete(const char *zFilename){
+  SimulateIOError(return SQLITE_IOERR_DELETE);
+  unlink(zFilename);
+  return SQLITE_OK;
+}
+
+/*
+** Return TRUE if the named file exists.
+*/
+int sqlite3UnixFileExists(const char *zFilename){
+  return access(zFilename, 0)==0;
+}
+
+/* Forward declaration */
+static int allocateUnixFile(
+  int h,                    /* File descriptor of the open file */
+  OsFile **pId,             /* Write the real file descriptor here */
+  const char *zFilename,    /* Name of the file being opened */
+  int delFlag               /* If true, make sure the file deletes on close */
+);
+
+/*
+** Attempt to open a file for both reading and writing.  If that
+** fails, try opening it read-only.  If the file does not exist,
+** try to create it.
+**
+** On success, a handle for the open file is written to *id
+** and *pReadonly is set to 0 if the file was opened for reading and
+** writing or 1 if the file was opened read-only.  The function returns
+** SQLITE_OK.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id and *pReadonly unchanged.
+*/
+int sqlite3UnixOpenReadWrite(
+  const char *zFilename,
+  OsFile **pId,
+  int *pReadonly
+){
+  int h;
+  
+  CRASH_TEST_OVERRIDE(sqlite3CrashOpenReadWrite, zFilename, pId, pReadonly);
+  assert( 0==*pId );
+  h = open(zFilename, O_RDWR|O_CREAT|O_LARGEFILE|O_BINARY,
+                        SQLITE_DEFAULT_FILE_PERMISSIONS);
+  if( h<0 ){
+#ifdef EISDIR
+    if( errno==EISDIR ){
+      return SQLITE_CANTOPEN;
+    }
+#endif
+    h = open(zFilename, O_RDONLY|O_LARGEFILE|O_BINARY);
+    if( h<0 ){
+      return SQLITE_CANTOPEN; 
+    }
+    *pReadonly = 1;
+  }else{
+    *pReadonly = 0;
+  }
+  return allocateUnixFile(h, pId, zFilename, 0);
+}
+
+
+/*
+** Attempt to open a new file for exclusive access by this process.
+** The file will be opened for both reading and writing.  To avoid
+** a potential security problem, we do not allow the file to have
+** previously existed.  Nor do we allow the file to be a symbolic
+** link.
+**
+** If delFlag is true, then make arrangements to automatically delete
+** the file when it is closed.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+*/
+int sqlite3UnixOpenExclusive(const char *zFilename, OsFile **pId, int delFlag){
+  int h;
+
+  CRASH_TEST_OVERRIDE(sqlite3CrashOpenExclusive, zFilename, pId, delFlag);
+  assert( 0==*pId );
+  h = open(zFilename,
+                O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW|O_LARGEFILE|O_BINARY,
+                delFlag ? 0600 : SQLITE_DEFAULT_FILE_PERMISSIONS);
+  if( h<0 ){
+    return SQLITE_CANTOPEN;
+  }
+  return allocateUnixFile(h, pId, zFilename, delFlag);
+}
+
+/*
+** Attempt to open a new file for read-only access.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+*/
+int sqlite3UnixOpenReadOnly(const char *zFilename, OsFile **pId){
+  int h;
+  
+  CRASH_TEST_OVERRIDE(sqlite3CrashOpenReadOnly, zFilename, pId, 0);
+  assert( 0==*pId );
+  h = open(zFilename, O_RDONLY|O_LARGEFILE|O_BINARY);
+  if( h<0 ){
+    return SQLITE_CANTOPEN;
+  }
+  return allocateUnixFile(h, pId, zFilename, 0);
+}
+
+/*
+** Attempt to open a file descriptor for the directory that contains a
+** file.  This file descriptor can be used to fsync() the directory
+** in order to make sure the creation of a new file is actually written
+** to disk.
+**
+** This routine is only meaningful for Unix.  It is a no-op under
+** windows since windows does not support hard links.
+**
+** If FULL_FSYNC is enabled, this function is not longer useful, 
+** a FULL_FSYNC sync applies to all pending disk operations.
+**
+** On success, a handle for a previously open file at *id is
+** updated with the new directory file descriptor and SQLITE_OK is
+** returned.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id unchanged.
+*/
+static int unixOpenDirectory(
+  OsFile *id,
+  const char *zDirname
+){
+  unixFile *pFile = (unixFile*)id;
+  assert( pFile!=0 );
+  SET_THREADID(pFile);
+  assert( pFile->dirfd<0 );
+  pFile->dirfd = open(zDirname, O_RDONLY|O_BINARY, 0);
+  if( pFile->dirfd<0 ){
+    return SQLITE_CANTOPEN; 
+  }
+  OSTRACE3("OPENDIR %-3d %s\n", pFile->dirfd, zDirname);
+  return SQLITE_OK;
+}
+
+/*
+** Create a temporary file name in zBuf.  zBuf must be big enough to
+** hold at least SQLITE_TEMPNAME_SIZE characters.
+*/
+int sqlite3UnixTempFileName(char *zBuf){
+  static const char *azDirs[] = {
+     0,
+     "/var/tmp",
+     "/usr/tmp",
+     "/tmp",
+     ".",
+  };
+  static const unsigned char zChars[] =
+    "abcdefghijklmnopqrstuvwxyz"
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    "0123456789";
+  int i, j;
+  struct stat buf;
+  const char *zDir = ".";
+  azDirs[0] = sqlite3_temp_directory;
+  for(i=0; i<sizeof(azDirs)/sizeof(azDirs[0]); i++){
+    if( azDirs[i]==0 ) continue;
+    if( stat(azDirs[i], &buf) ) continue;
+    if( !S_ISDIR(buf.st_mode) ) continue;
+    if( access(azDirs[i], 07) ) continue;
+    zDir = azDirs[i];
+    break;
+  }
+  do{
+    sprintf(zBuf, "%s/"TEMP_FILE_PREFIX, zDir);
+    j = strlen(zBuf);
+    sqlite3Randomness(15, &zBuf[j]);
+    for(i=0; i<15; i++, j++){
+      zBuf[j] = (char)zChars[ ((unsigned char)zBuf[j])%(sizeof(zChars)-1) ];
+    }
+    zBuf[j] = 0;
+  }while( access(zBuf,0)==0 );
+  return SQLITE_OK; 
+}
+
+/*
+** Check that a given pathname is a directory and is writable 
+**
+*/
+int sqlite3UnixIsDirWritable(char *zBuf){
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+  struct stat buf;
+  if( zBuf==0 ) return 0;
+  if( zBuf[0]==0 ) return 0;
+  if( stat(zBuf, &buf) ) return 0;
+  if( !S_ISDIR(buf.st_mode) ) return 0;
+  if( access(zBuf, 07) ) return 0;
+#endif /* SQLITE_OMIT_PAGER_PRAGMAS */
+  return 1;
+}
+
+/*
+** Seek to the offset in id->offset then read cnt bytes into pBuf.
+** Return the number of bytes actually read.  Update the offset.
+*/
+static int seekAndRead(unixFile *id, void *pBuf, int cnt){
+  int got;
+  i64 newOffset;
+  TIMER_START;
+#if defined(USE_PREAD)
+  got = pread(id->h, pBuf, cnt, id->offset);
+  SimulateIOError( got = -1 );
+#elif defined(USE_PREAD64)
+  got = pread64(id->h, pBuf, cnt, id->offset);
+  SimulateIOError( got = -1 );
+#else
+  newOffset = lseek(id->h, id->offset, SEEK_SET);
+  SimulateIOError( newOffset-- );
+  if( newOffset!=id->offset ){
+    return -1;
+  }
+  got = read(id->h, pBuf, cnt);
+#endif
+  TIMER_END;
+  OSTRACE5("READ    %-3d %5d %7lld %d\n", id->h, got, id->offset, TIMER_ELAPSED);
+  if( got>0 ){
+    id->offset += got;
+  }
+  return got;
+}
+
+/*
+** Read data from a file into a buffer.  Return SQLITE_OK if all
+** bytes were read successfully and SQLITE_IOERR if anything goes
+** wrong.
+*/
+static int unixRead(OsFile *id, void *pBuf, int amt){
+  int got;
+  assert( id );
+  got = seekAndRead((unixFile*)id, pBuf, amt);
+  if( got==amt ){
+    return SQLITE_OK;
+  }else if( got<0 ){
+    return SQLITE_IOERR_READ;
+  }else{
+    memset(&((char*)pBuf)[got], 0, amt-got);
+    return SQLITE_IOERR_SHORT_READ;
+  }
+}
+
+/*
+** Seek to the offset in id->offset then read cnt bytes into pBuf.
+** Return the number of bytes actually read.  Update the offset.
+*/
+static int seekAndWrite(unixFile *id, const void *pBuf, int cnt){
+  int got;
+  i64 newOffset;
+  TIMER_START;
+#if defined(USE_PREAD)
+  got = pwrite(id->h, pBuf, cnt, id->offset);
+#elif defined(USE_PREAD64)
+  got = pwrite64(id->h, pBuf, cnt, id->offset);
+#else
+  newOffset = lseek(id->h, id->offset, SEEK_SET);
+  if( newOffset!=id->offset ){
+    return -1;
+  }
+  got = write(id->h, pBuf, cnt);
+#endif
+  TIMER_END;
+  OSTRACE5("WRITE   %-3d %5d %7lld %d\n", id->h, got, id->offset, TIMER_ELAPSED);
+  if( got>0 ){
+    id->offset += got;
+  }
+  return got;
+}
+
+
+/*
+** Write data from a buffer into a file.  Return SQLITE_OK on success
+** or some other error code on failure.
+*/
+static int unixWrite(OsFile *id, const void *pBuf, int amt){
+  int wrote = 0;
+  assert( id );
+  assert( amt>0 );
+  while( amt>0 && (wrote = seekAndWrite((unixFile*)id, pBuf, amt))>0 ){
+    amt -= wrote;
+    pBuf = &((char*)pBuf)[wrote];
+  }
+  SimulateIOError(( wrote=(-1), amt=1 ));
+  SimulateDiskfullError(( wrote=0, amt=1 ));
+  if( amt>0 ){
+    if( wrote<0 ){
+      return SQLITE_IOERR_WRITE;
+    }else{
+      return SQLITE_FULL;
+    }
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Move the read/write pointer in a file.
+*/
+static int unixSeek(OsFile *id, i64 offset){
+  assert( id );
+#ifdef SQLITE_TEST
+  if( offset ) SimulateDiskfullError(return SQLITE_FULL);
+#endif
+  ((unixFile*)id)->offset = offset;
+  return SQLITE_OK;
+}
+
+#ifdef SQLITE_TEST
+/*
+** Count the number of fullsyncs and normal syncs.  This is used to test
+** that syncs and fullsyncs are occuring at the right times.
+*/
+int sqlite3_sync_count = 0;
+int sqlite3_fullsync_count = 0;
+#endif
+
+/*
+** Use the fdatasync() API only if the HAVE_FDATASYNC macro is defined.
+** Otherwise use fsync() in its place.
+*/
+#ifndef HAVE_FDATASYNC
+# define fdatasync fsync
+#endif
+
+/*
+** Define HAVE_FULLFSYNC to 0 or 1 depending on whether or not
+** the F_FULLFSYNC macro is defined.  F_FULLFSYNC is currently
+** only available on Mac OS X.  But that could change.
+*/
+#ifdef F_FULLFSYNC
+# define HAVE_FULLFSYNC 1
+#else
+# define HAVE_FULLFSYNC 0
+#endif
+
+
+/*
+** The fsync() system call does not work as advertised on many
+** unix systems.  The following procedure is an attempt to make
+** it work better.
+**
+** The SQLITE_NO_SYNC macro disables all fsync()s.  This is useful
+** for testing when we want to run through the test suite quickly.
+** You are strongly advised *not* to deploy with SQLITE_NO_SYNC
+** enabled, however, since with SQLITE_NO_SYNC enabled, an OS crash
+** or power failure will likely corrupt the database file.
+*/
+static int full_fsync(int fd, int fullSync, int dataOnly){
+  int rc;
+
+  /* Record the number of times that we do a normal fsync() and 
+  ** FULLSYNC.  This is used during testing to verify that this procedure
+  ** gets called with the correct arguments.
+  */
+#ifdef SQLITE_TEST
+  if( fullSync ) sqlite3_fullsync_count++;
+  sqlite3_sync_count++;
+#endif
+
+  /* If we compiled with the SQLITE_NO_SYNC flag, then syncing is a
+  ** no-op
+  */
+#ifdef SQLITE_NO_SYNC
+  rc = SQLITE_OK;
+#else
+
+#if HAVE_FULLFSYNC
+  if( fullSync ){
+    rc = fcntl(fd, F_FULLFSYNC, 0);
+  }else{
+    rc = 1;
+  }
+  /* If the FULLFSYNC failed, fall back to attempting an fsync().
+   * It shouldn't be possible for fullfsync to fail on the local 
+   * file system (on OSX), so failure indicates that FULLFSYNC
+   * isn't supported for this file system. So, attempt an fsync 
+   * and (for now) ignore the overhead of a superfluous fcntl call.  
+   * It'd be better to detect fullfsync support once and avoid 
+   * the fcntl call every time sync is called.
+   */
+  if( rc ) rc = fsync(fd);
+
+#else 
+  if( dataOnly ){
+    rc = fdatasync(fd);
+  }else{
+    rc = fsync(fd);
+  }
+#endif /* HAVE_FULLFSYNC */
+#endif /* defined(SQLITE_NO_SYNC) */
+
+  return rc;
+}
+
+/*
+** Make sure all writes to a particular file are committed to disk.
+**
+** If dataOnly==0 then both the file itself and its metadata (file
+** size, access time, etc) are synced.  If dataOnly!=0 then only the
+** file data is synced.
+**
+** Under Unix, also make sure that the directory entry for the file
+** has been created by fsync-ing the directory that contains the file.
+** If we do not do this and we encounter a power failure, the directory
+** entry for the journal might not exist after we reboot.  The next
+** SQLite to access the file will not know that the journal exists (because
+** the directory entry for the journal was never created) and the transaction
+** will not roll back - possibly leading to database corruption.
+*/
+static int unixSync(OsFile *id, int dataOnly){
+  int rc;
+  unixFile *pFile = (unixFile*)id;
+  assert( pFile );
+  OSTRACE2("SYNC    %-3d\n", pFile->h);
+  rc = full_fsync(pFile->h, pFile->fullSync, dataOnly);
+  SimulateIOError( rc=1 );
+  if( rc ){
+    return SQLITE_IOERR_FSYNC;
+  }
+  if( pFile->dirfd>=0 ){
+    OSTRACE4("DIRSYNC %-3d (have_fullfsync=%d fullsync=%d)\n", pFile->dirfd,
+            HAVE_FULLFSYNC, pFile->fullSync);
+#ifndef SQLITE_DISABLE_DIRSYNC
+    /* The directory sync is only attempted if full_fsync is
+    ** turned off or unavailable.  If a full_fsync occurred above,
+    ** then the directory sync is superfluous.
+    */
+    if( (!HAVE_FULLFSYNC || !pFile->fullSync) && full_fsync(pFile->dirfd,0,0) ){
+       /*
+       ** We have received multiple reports of fsync() returning
+       ** errors when applied to directories on certain file systems.
+       ** A failed directory sync is not a big deal.  So it seems
+       ** better to ignore the error.  Ticket #1657
+       */
+       /* return SQLITE_IOERR; */
+    }
+#endif
+    close(pFile->dirfd);  /* Only need to sync once, so close the directory */
+    pFile->dirfd = -1;    /* when we are done. */
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Sync the directory zDirname. This is a no-op on operating systems other
+** than UNIX.
+**
+** This is used to make sure the master journal file has truely been deleted
+** before making changes to individual journals on a multi-database commit.
+** The F_FULLFSYNC option is not needed here.
+*/
+int sqlite3UnixSyncDirectory(const char *zDirname){
+#ifdef SQLITE_DISABLE_DIRSYNC
+  return SQLITE_OK;
+#else
+  int fd;
+  int r;
+  fd = open(zDirname, O_RDONLY|O_BINARY, 0);
+  OSTRACE3("DIRSYNC %-3d (%s)\n", fd, zDirname);
+  if( fd<0 ){
+    return SQLITE_CANTOPEN; 
+  }
+  r = fsync(fd);
+  close(fd);
+  SimulateIOError( r=1 );
+  if( r ){
+    return SQLITE_IOERR_DIR_FSYNC;
+  }else{
+    return SQLITE_OK;
+  }
+#endif
+}
+
+/*
+** Truncate an open file to a specified size
+*/
+static int unixTruncate(OsFile *id, i64 nByte){
+  int rc;
+  assert( id );
+  rc = ftruncate(((unixFile*)id)->h, nByte);
+  SimulateIOError( rc=1 );
+  if( rc ){
+    return SQLITE_IOERR_TRUNCATE;
+  }else{
+    return SQLITE_OK;
+  }
+}
+
+/*
+** Determine the current size of a file in bytes
+*/
+static int unixFileSize(OsFile *id, i64 *pSize){
+  int rc;
+  struct stat buf;
+  assert( id );
+  rc = fstat(((unixFile*)id)->h, &buf);
+  SimulateIOError( rc=1 );
+  if( rc!=0 ){
+    return SQLITE_IOERR_FSTAT;
+  }
+  *pSize = buf.st_size;
+  return SQLITE_OK;
+}
+
+/*
+** This routine checks if there is a RESERVED lock held on the specified
+** file by this or any other process. If such a lock is held, return
+** non-zero.  If the file is unlocked or holds only SHARED locks, then
+** return zero.
+*/
+static int unixCheckReservedLock(OsFile *id){
+  int r = 0;
+  unixFile *pFile = (unixFile*)id;
+
+  assert( pFile );
+  sqlite3OsEnterMutex(); /* Because pFile->pLock is shared across threads */
+
+  /* Check if a thread in this process holds such a lock */
+  if( pFile->pLock->locktype>SHARED_LOCK ){
+    r = 1;
+  }
+
+  /* Otherwise see if some other process holds it.
+  */
+  if( !r ){
+    struct flock lock;
+    lock.l_whence = SEEK_SET;
+    lock.l_start = RESERVED_BYTE;
+    lock.l_len = 1;
+    lock.l_type = F_WRLCK;
+    fcntl(pFile->h, F_GETLK, &lock);
+    if( lock.l_type!=F_UNLCK ){
+      r = 1;
+    }
+  }
+  
+  sqlite3OsLeaveMutex();
+  OSTRACE3("TEST WR-LOCK %d %d\n", pFile->h, r);
+
+  return r;
+}
+
+/*
+** Lock the file with the lock specified by parameter locktype - one
+** of the following:
+**
+**     (1) SHARED_LOCK
+**     (2) RESERVED_LOCK
+**     (3) PENDING_LOCK
+**     (4) EXCLUSIVE_LOCK
+**
+** Sometimes when requesting one lock state, additional lock states
+** are inserted in between.  The locking might fail on one of the later
+** transitions leaving the lock state different from what it started but
+** still short of its goal.  The following chart shows the allowed
+** transitions and the inserted intermediate states:
+**
+**    UNLOCKED -> SHARED
+**    SHARED -> RESERVED
+**    SHARED -> (PENDING) -> EXCLUSIVE
+**    RESERVED -> (PENDING) -> EXCLUSIVE
+**    PENDING -> EXCLUSIVE
+**
+** This routine will only increase a lock.  Use the sqlite3OsUnlock()
+** routine to lower a locking level.
+*/
+static int unixLock(OsFile *id, int locktype){
+  /* The following describes the implementation of the various locks and
+  ** lock transitions in terms of the POSIX advisory shared and exclusive
+  ** lock primitives (called read-locks and write-locks below, to avoid
+  ** confusion with SQLite lock names). The algorithms are complicated
+  ** slightly in order to be compatible with windows systems simultaneously
+  ** accessing the same database file, in case that is ever required.
+  **
+  ** Symbols defined in os.h indentify the 'pending byte' and the 'reserved
+  ** byte', each single bytes at well known offsets, and the 'shared byte
+  ** range', a range of 510 bytes at a well known offset.
+  **
+  ** To obtain a SHARED lock, a read-lock is obtained on the 'pending
+  ** byte'.  If this is successful, a random byte from the 'shared byte
+  ** range' is read-locked and the lock on the 'pending byte' released.
+  **
+  ** A process may only obtain a RESERVED lock after it has a SHARED lock.
+  ** A RESERVED lock is implemented by grabbing a write-lock on the
+  ** 'reserved byte'. 
+  **
+  ** A process may only obtain a PENDING lock after it has obtained a
+  ** SHARED lock. A PENDING lock is implemented by obtaining a write-lock
+  ** on the 'pending byte'. This ensures that no new SHARED locks can be
+  ** obtained, but existing SHARED locks are allowed to persist. A process
+  ** does not have to obtain a RESERVED lock on the way to a PENDING lock.
+  ** This property is used by the algorithm for rolling back a journal file
+  ** after a crash.
+  **
+  ** An EXCLUSIVE lock, obtained after a PENDING lock is held, is
+  ** implemented by obtaining a write-lock on the entire 'shared byte
+  ** range'. Since all other locks require a read-lock on one of the bytes
+  ** within this range, this ensures that no other locks are held on the
+  ** database. 
+  **
+  ** The reason a single byte cannot be used instead of the 'shared byte
+  ** range' is that some versions of windows do not support read-locks. By
+  ** locking a random byte from a range, concurrent SHARED locks may exist
+  ** even if the locking primitive used is always a write-lock.
+  */
+  int rc = SQLITE_OK;
+  unixFile *pFile = (unixFile*)id;
+  struct lockInfo *pLock = pFile->pLock;
+  struct flock lock;
+  int s;
+
+  assert( pFile );
+  OSTRACE7("LOCK    %d %s was %s(%s,%d) pid=%d\n", pFile->h,
+      locktypeName(locktype), locktypeName(pFile->locktype),
+      locktypeName(pLock->locktype), pLock->cnt , getpid());
+
+  /* If there is already a lock of this type or more restrictive on the
+  ** OsFile, do nothing. Don't use the end_lock: exit path, as
+  ** sqlite3OsEnterMutex() hasn't been called yet.
+  */
+  if( pFile->locktype>=locktype ){
+    OSTRACE3("LOCK    %d %s ok (already held)\n", pFile->h,
+            locktypeName(locktype));
+    return SQLITE_OK;
+  }
+
+  /* Make sure the locking sequence is correct
+  */
+  assert( pFile->locktype!=NO_LOCK || locktype==SHARED_LOCK );
+  assert( locktype!=PENDING_LOCK );
+  assert( locktype!=RESERVED_LOCK || pFile->locktype==SHARED_LOCK );
+
+  /* This mutex is needed because pFile->pLock is shared across threads
+  */
+  sqlite3OsEnterMutex();
+
+  /* Make sure the current thread owns the pFile.
+  */
+  rc = transferOwnership(pFile);
+  if( rc!=SQLITE_OK ){
+    sqlite3OsLeaveMutex();
+    return rc;
+  }
+  pLock = pFile->pLock;
+
+  /* If some thread using this PID has a lock via a different OsFile*
+  ** handle that precludes the requested lock, return BUSY.
+  */
+  if( (pFile->locktype!=pLock->locktype && 
+          (pLock->locktype>=PENDING_LOCK || locktype>SHARED_LOCK))
+  ){
+    rc = SQLITE_BUSY;
+    goto end_lock;
+  }
+
+  /* If a SHARED lock is requested, and some thread using this PID already
+  ** has a SHARED or RESERVED lock, then increment reference counts and
+  ** return SQLITE_OK.
+  */
+  if( locktype==SHARED_LOCK && 
+      (pLock->locktype==SHARED_LOCK || pLock->locktype==RESERVED_LOCK) ){
+    assert( locktype==SHARED_LOCK );
+    assert( pFile->locktype==0 );
+    assert( pLock->cnt>0 );
+    pFile->locktype = SHARED_LOCK;
+    pLock->cnt++;
+    pFile->pOpen->nLock++;
+    goto end_lock;
+  }
+
+  lock.l_len = 1L;
+
+  lock.l_whence = SEEK_SET;
+
+  /* A PENDING lock is needed before acquiring a SHARED lock and before
+  ** acquiring an EXCLUSIVE lock.  For the SHARED lock, the PENDING will
+  ** be released.
+  */
+  if( locktype==SHARED_LOCK 
+      || (locktype==EXCLUSIVE_LOCK && pFile->locktype<PENDING_LOCK)
+  ){
+    lock.l_type = (locktype==SHARED_LOCK?F_RDLCK:F_WRLCK);
+    lock.l_start = PENDING_BYTE;
+    s = fcntl(pFile->h, F_SETLK, &lock);
+    if( s==(-1) ){
+      rc = (errno==EINVAL) ? SQLITE_NOLFS : SQLITE_BUSY;
+      goto end_lock;
+    }
+  }
+
+
+  /* If control gets to this point, then actually go ahead and make
+  ** operating system calls for the specified lock.
+  */
+  if( locktype==SHARED_LOCK ){
+    assert( pLock->cnt==0 );
+    assert( pLock->locktype==0 );
+
+    /* Now get the read-lock */
+    lock.l_start = SHARED_FIRST;
+    lock.l_len = SHARED_SIZE;
+    s = fcntl(pFile->h, F_SETLK, &lock);
+
+    /* Drop the temporary PENDING lock */
+    lock.l_start = PENDING_BYTE;
+    lock.l_len = 1L;
+    lock.l_type = F_UNLCK;
+    if( fcntl(pFile->h, F_SETLK, &lock)!=0 ){
+      rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+      goto end_lock;
+    }
+    if( s==(-1) ){
+      rc = (errno==EINVAL) ? SQLITE_NOLFS : SQLITE_BUSY;
+    }else{
+      pFile->locktype = SHARED_LOCK;
+      pFile->pOpen->nLock++;
+      pLock->cnt = 1;
+    }
+  }else if( locktype==EXCLUSIVE_LOCK && pLock->cnt>1 ){
+    /* We are trying for an exclusive lock but another thread in this
+    ** same process is still holding a shared lock. */
+    rc = SQLITE_BUSY;
+  }else{
+    /* The request was for a RESERVED or EXCLUSIVE lock.  It is
+    ** assumed that there is a SHARED or greater lock on the file
+    ** already.
+    */
+    assert( 0!=pFile->locktype );
+    lock.l_type = F_WRLCK;
+    switch( locktype ){
+      case RESERVED_LOCK:
+        lock.l_start = RESERVED_BYTE;
+        break;
+      case EXCLUSIVE_LOCK:
+        lock.l_start = SHARED_FIRST;
+        lock.l_len = SHARED_SIZE;
+        break;
+      default:
+        assert(0);
+    }
+    s = fcntl(pFile->h, F_SETLK, &lock);
+    if( s==(-1) ){
+      rc = (errno==EINVAL) ? SQLITE_NOLFS : SQLITE_BUSY;
+    }
+  }
+  
+  if( rc==SQLITE_OK ){
+    pFile->locktype = locktype;
+    pLock->locktype = locktype;
+  }else if( locktype==EXCLUSIVE_LOCK ){
+    pFile->locktype = PENDING_LOCK;
+    pLock->locktype = PENDING_LOCK;
+  }
+
+end_lock:
+  sqlite3OsLeaveMutex();
+  OSTRACE4("LOCK    %d %s %s\n", pFile->h, locktypeName(locktype), 
+      rc==SQLITE_OK ? "ok" : "failed");
+  return rc;
+}
+
+/*
+** Lower the locking level on file descriptor pFile to locktype.  locktype
+** must be either NO_LOCK or SHARED_LOCK.
+**
+** If the locking level of the file descriptor is already at or below
+** the requested locking level, this routine is a no-op.
+*/
+static int unixUnlock(OsFile *id, int locktype){
+  struct lockInfo *pLock;
+  struct flock lock;
+  int rc = SQLITE_OK;
+  unixFile *pFile = (unixFile*)id;
+
+  assert( pFile );
+  OSTRACE7("UNLOCK  %d %d was %d(%d,%d) pid=%d\n", pFile->h, locktype,
+      pFile->locktype, pFile->pLock->locktype, pFile->pLock->cnt, getpid());
+
+  assert( locktype<=SHARED_LOCK );
+  if( pFile->locktype<=locktype ){
+    return SQLITE_OK;
+  }
+  if( CHECK_THREADID(pFile) ){
+    return SQLITE_MISUSE;
+  }
+  sqlite3OsEnterMutex();
+  pLock = pFile->pLock;
+  assert( pLock->cnt!=0 );
+  if( pFile->locktype>SHARED_LOCK ){
+    assert( pLock->locktype==pFile->locktype );
+    if( locktype==SHARED_LOCK ){
+      lock.l_type = F_RDLCK;
+      lock.l_whence = SEEK_SET;
+      lock.l_start = SHARED_FIRST;
+      lock.l_len = SHARED_SIZE;
+      if( fcntl(pFile->h, F_SETLK, &lock)==(-1) ){
+        /* This should never happen */
+        rc = SQLITE_IOERR_RDLOCK;
+      }
+    }
+    lock.l_type = F_UNLCK;
+    lock.l_whence = SEEK_SET;
+    lock.l_start = PENDING_BYTE;
+    lock.l_len = 2L;  assert( PENDING_BYTE+1==RESERVED_BYTE );
+    if( fcntl(pFile->h, F_SETLK, &lock)!=(-1) ){
+      pLock->locktype = SHARED_LOCK;
+    }else{
+      rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+    }
+  }
+  if( locktype==NO_LOCK ){
+    struct openCnt *pOpen;
+
+    /* Decrement the shared lock counter.  Release the lock using an
+    ** OS call only when all threads in this same process have released
+    ** the lock.
+    */
+    pLock->cnt--;
+    if( pLock->cnt==0 ){
+      lock.l_type = F_UNLCK;
+      lock.l_whence = SEEK_SET;
+      lock.l_start = lock.l_len = 0L;
+      if( fcntl(pFile->h, F_SETLK, &lock)!=(-1) ){
+        pLock->locktype = NO_LOCK;
+      }else{
+        rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+      }
+    }
+
+    /* Decrement the count of locks against this same file.  When the
+    ** count reaches zero, close any other file descriptors whose close
+    ** was deferred because of outstanding locks.
+    */
+    pOpen = pFile->pOpen;
+    pOpen->nLock--;
+    assert( pOpen->nLock>=0 );
+    if( pOpen->nLock==0 && pOpen->nPending>0 ){
+      int i;
+      for(i=0; i<pOpen->nPending; i++){
+        close(pOpen->aPending[i]);
+      }
+      free(pOpen->aPending);
+      pOpen->nPending = 0;
+      pOpen->aPending = 0;
+    }
+  }
+  sqlite3OsLeaveMutex();
+  pFile->locktype = locktype;
+  return rc;
+}
+
+/*
+** Close a file.
+*/
+static int unixClose(OsFile **pId){
+  unixFile *id = (unixFile*)*pId;
+
+  if( !id ) return SQLITE_OK;
+  unixUnlock(*pId, NO_LOCK);
+  if( id->dirfd>=0 ) close(id->dirfd);
+  id->dirfd = -1;
+  sqlite3OsEnterMutex();
+
+  if( id->pOpen->nLock ){
+    /* If there are outstanding locks, do not actually close the file just
+    ** yet because that would clear those locks.  Instead, add the file
+    ** descriptor to pOpen->aPending.  It will be automatically closed when
+    ** the last lock is cleared.
+    */
+    int *aNew;
+    struct openCnt *pOpen = id->pOpen;
+    aNew = realloc( pOpen->aPending, (pOpen->nPending+1)*sizeof(int) );
+    if( aNew==0 ){
+      /* If a malloc fails, just leak the file descriptor */
+    }else{
+      pOpen->aPending = aNew;
+      pOpen->aPending[pOpen->nPending] = id->h;
+      pOpen->nPending++;
+    }
+  }else{
+    /* There are no outstanding locks so we can close the file immediately */
+    close(id->h);
+  }
+  releaseLockInfo(id->pLock);
+  releaseOpenCnt(id->pOpen);
+
+  sqlite3OsLeaveMutex();
+  id->isOpen = 0;
+  OSTRACE2("CLOSE   %-3d\n", id->h);
+  OpenCounter(-1);
+  sqlite3ThreadSafeFree(id);
+  *pId = 0;
+  return SQLITE_OK;
+}
+
+
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+#pragma mark AFP Support
+
+/*
+ ** The afpLockingContext structure contains all afp lock specific state
+ */
+typedef struct afpLockingContext afpLockingContext;
+struct afpLockingContext {
+  unsigned long long sharedLockByte;
+  char *filePath;
+};
+
+struct ByteRangeLockPB2
+{
+  unsigned long long offset;        /* offset to first byte to lock */
+  unsigned long long length;        /* nbr of bytes to lock */
+  unsigned long long retRangeStart; /* nbr of 1st byte locked if successful */
+  unsigned char unLockFlag;         /* 1 = unlock, 0 = lock */
+  unsigned char startEndFlag;       /* 1=rel to end of fork, 0=rel to start */
+  int fd;                           /* file desc to assoc this lock with */
+};
+
+#define afpfsByteRangeLock2FSCTL	_IOWR('z', 23, struct ByteRangeLockPB2)
+
+/* return 0 on success, 1 on failure.  To match the behavior of the 
+  normal posix file locking (used in unixLock for example), we should 
+  provide 'richer' return codes - specifically to differentiate between
+  'file busy' and 'file system error' results */
+static int _AFPFSSetLock(const char *path, int fd, unsigned long long offset, 
+                         unsigned long long length, int setLockFlag)
+{
+  struct ByteRangeLockPB2	pb;
+  int                     err;
+  
+  pb.unLockFlag = setLockFlag ? 0 : 1;
+  pb.startEndFlag = 0;
+  pb.offset = offset;
+  pb.length = length; 
+  pb.fd = fd;
+  OSTRACE5("AFPLOCK setting lock %s for %d in range %llx:%llx\n", 
+    (setLockFlag?"ON":"OFF"), fd, offset, length);
+  err = fsctl(path, afpfsByteRangeLock2FSCTL, &pb, 0);
+  if ( err==-1 ) {
+    OSTRACE4("AFPLOCK failed to fsctl() '%s' %d %s\n", path, errno, 
+      strerror(errno));
+    return 1; /* error */
+  } else {
+    return 0;
+  }
+}
+
+/*
+ ** This routine checks if there is a RESERVED lock held on the specified
+ ** file by this or any other process. If such a lock is held, return
+ ** non-zero.  If the file is unlocked or holds only SHARED locks, then
+ ** return zero.
+ */
+static int afpUnixCheckReservedLock(OsFile *id){
+  int r = 0;
+  unixFile *pFile = (unixFile*)id;
+  
+  assert( pFile ); 
+  afpLockingContext *context = (afpLockingContext *) pFile->lockingContext;
+  
+  /* Check if a thread in this process holds such a lock */
+  if( pFile->locktype>SHARED_LOCK ){
+    r = 1;
+  }
+  
+  /* Otherwise see if some other process holds it.
+   */
+  if ( !r ) {
+    /* lock the byte */
+    int failed = _AFPFSSetLock(context->filePath, pFile->h, RESERVED_BYTE, 1,1);  
+    if (failed) {
+      /* if we failed to get the lock then someone else must have it */
+      r = 1;
+    } else {
+      /* if we succeeded in taking the reserved lock, unlock it to restore
+      ** the original state */
+      _AFPFSSetLock(context->filePath, pFile->h, RESERVED_BYTE, 1, 0);
+    }
+  }
+  OSTRACE3("TEST WR-LOCK %d %d\n", pFile->h, r);
+  
+  return r;
+}
+
+/* AFP-style locking following the behavior of unixLock, see the unixLock 
+** function comments for details of lock management. */
+static int afpUnixLock(OsFile *id, int locktype)
+{
+  int rc = SQLITE_OK;
+  unixFile *pFile = (unixFile*)id;
+  afpLockingContext *context = (afpLockingContext *) pFile->lockingContext;
+  int gotPendingLock = 0;
+  
+  assert( pFile );
+  OSTRACE5("LOCK    %d %s was %s pid=%d\n", pFile->h,
+         locktypeName(locktype), locktypeName(pFile->locktype), getpid());  
+  /* If there is already a lock of this type or more restrictive on the
+    ** OsFile, do nothing. Don't use the afp_end_lock: exit path, as
+    ** sqlite3OsEnterMutex() hasn't been called yet.
+    */
+  if( pFile->locktype>=locktype ){
+    OSTRACE3("LOCK    %d %s ok (already held)\n", pFile->h,
+           locktypeName(locktype));
+    return SQLITE_OK;
+  }
+
+  /* Make sure the locking sequence is correct
+    */
+  assert( pFile->locktype!=NO_LOCK || locktype==SHARED_LOCK );
+  assert( locktype!=PENDING_LOCK );
+  assert( locktype!=RESERVED_LOCK || pFile->locktype==SHARED_LOCK );
+  
+  /* This mutex is needed because pFile->pLock is shared across threads
+    */
+  sqlite3OsEnterMutex();
+
+  /* Make sure the current thread owns the pFile.
+    */
+  rc = transferOwnership(pFile);
+  if( rc!=SQLITE_OK ){
+    sqlite3OsLeaveMutex();
+    return rc;
+  }
+    
+  /* A PENDING lock is needed before acquiring a SHARED lock and before
+    ** acquiring an EXCLUSIVE lock.  For the SHARED lock, the PENDING will
+    ** be released.
+    */
+  if( locktype==SHARED_LOCK 
+      || (locktype==EXCLUSIVE_LOCK && pFile->locktype<PENDING_LOCK)
+      ){
+    int failed = _AFPFSSetLock(context->filePath, pFile->h, 
+      PENDING_BYTE, 1, 1);
+    if (failed) {
+      rc = SQLITE_BUSY;
+      goto afp_end_lock;
+    }
+  }
+  
+  /* If control gets to this point, then actually go ahead and make
+    ** operating system calls for the specified lock.
+    */
+  if( locktype==SHARED_LOCK ){
+    int lk, failed;
+    int tries = 0;
+    
+    /* Now get the read-lock */
+    /* note that the quality of the randomness doesn't matter that much */
+    lk = random(); 
+    context->sharedLockByte = (lk & 0x7fffffff)%(SHARED_SIZE - 1);
+    failed = _AFPFSSetLock(context->filePath, pFile->h, 
+      SHARED_FIRST+context->sharedLockByte, 1, 1);
+    
+    /* Drop the temporary PENDING lock */
+    if (_AFPFSSetLock(context->filePath, pFile->h, PENDING_BYTE, 1, 0)) {
+      rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+      goto afp_end_lock;
+    }
+    
+    if( failed ){
+      rc = SQLITE_BUSY;
+    } else {
+      pFile->locktype = SHARED_LOCK;
+    }
+  }else{
+    /* The request was for a RESERVED or EXCLUSIVE lock.  It is
+    ** assumed that there is a SHARED or greater lock on the file
+    ** already.
+    */
+    int failed = 0;
+    assert( 0!=pFile->locktype );
+    if (locktype >= RESERVED_LOCK && pFile->locktype < RESERVED_LOCK) {
+        /* Acquire a RESERVED lock */
+        failed = _AFPFSSetLock(context->filePath, pFile->h, RESERVED_BYTE, 1,1);
+    }
+    if (!failed && locktype == EXCLUSIVE_LOCK) {
+      /* Acquire an EXCLUSIVE lock */
+        
+      /* Remove the shared lock before trying the range.  we'll need to 
+      ** reestablish the shared lock if we can't get the  afpUnixUnlock
+      */
+      if (!_AFPFSSetLock(context->filePath, pFile->h, SHARED_FIRST +
+                         context->sharedLockByte, 1, 0)) {
+        /* now attemmpt to get the exclusive lock range */
+        failed = _AFPFSSetLock(context->filePath, pFile->h, SHARED_FIRST, 
+                               SHARED_SIZE, 1);
+        if (failed && _AFPFSSetLock(context->filePath, pFile->h, SHARED_FIRST +
+                                    context->sharedLockByte, 1, 1)) {
+          rc = SQLITE_IOERR_RDLOCK; /* this should never happen */
+        }
+      } else {
+        /* */
+        rc = SQLITE_IOERR_UNLOCK; /* this should never happen */
+      }
+    }
+    if( failed && rc == SQLITE_OK){
+      rc = SQLITE_BUSY;
+    }
+  }
+  
+  if( rc==SQLITE_OK ){
+    pFile->locktype = locktype;
+  }else if( locktype==EXCLUSIVE_LOCK ){
+    pFile->locktype = PENDING_LOCK;
+  }
+  
+afp_end_lock:
+    sqlite3OsLeaveMutex();
+  OSTRACE4("LOCK    %d %s %s\n", pFile->h, locktypeName(locktype), 
+         rc==SQLITE_OK ? "ok" : "failed");
+  return rc;
+}
+
+/*
+ ** Lower the locking level on file descriptor pFile to locktype.  locktype
+ ** must be either NO_LOCK or SHARED_LOCK.
+ **
+ ** If the locking level of the file descriptor is already at or below
+ ** the requested locking level, this routine is a no-op.
+ */
+static int afpUnixUnlock(OsFile *id, int locktype) {
+  struct flock lock;
+  int rc = SQLITE_OK;
+  unixFile *pFile = (unixFile*)id;
+  afpLockingContext *context = (afpLockingContext *) pFile->lockingContext;
+
+  assert( pFile );
+  OSTRACE5("UNLOCK  %d %d was %d pid=%d\n", pFile->h, locktype,
+         pFile->locktype, getpid());
+  
+  assert( locktype<=SHARED_LOCK );
+  if( pFile->locktype<=locktype ){
+    return SQLITE_OK;
+  }
+  if( CHECK_THREADID(pFile) ){
+    return SQLITE_MISUSE;
+  }
+  sqlite3OsEnterMutex();
+  if( pFile->locktype>SHARED_LOCK ){
+    if( locktype==SHARED_LOCK ){
+      int failed = 0;
+
+      /* unlock the exclusive range - then re-establish the shared lock */
+      if (pFile->locktype==EXCLUSIVE_LOCK) {
+        failed = _AFPFSSetLock(context->filePath, pFile->h, SHARED_FIRST, 
+                                 SHARED_SIZE, 0);
+        if (!failed) {
+          /* successfully removed the exclusive lock */
+          if (_AFPFSSetLock(context->filePath, pFile->h, SHARED_FIRST+
+                            context->sharedLockByte, 1, 1)) {
+            /* failed to re-establish our shared lock */
+            rc = SQLITE_IOERR_RDLOCK; /* This should never happen */
+          }
+        } else {
+          /* This should never happen - failed to unlock the exclusive range */
+          rc = SQLITE_IOERR_UNLOCK;
+        } 
+      }
+    }
+    if (rc == SQLITE_OK && pFile->locktype>=PENDING_LOCK) {
+      if (_AFPFSSetLock(context->filePath, pFile->h, PENDING_BYTE, 1, 0)){
+        /* failed to release the pending lock */
+        rc = SQLITE_IOERR_UNLOCK; /* This should never happen */
+      }
+    } 
+    if (rc == SQLITE_OK && pFile->locktype>=RESERVED_LOCK) {
+      if (_AFPFSSetLock(context->filePath, pFile->h, RESERVED_BYTE, 1, 0)) {
+        /* failed to release the reserved lock */
+        rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+      }
+    } 
+  }
+  if( locktype==NO_LOCK ){
+    int failed = _AFPFSSetLock(context->filePath, pFile->h, 
+                               SHARED_FIRST + context->sharedLockByte, 1, 0);
+    if (failed) {
+      rc = SQLITE_IOERR_UNLOCK;  /* This should never happen */
+    }
+  }
+  if (rc == SQLITE_OK)
+    pFile->locktype = locktype;
+  sqlite3OsLeaveMutex();
+  return rc;
+}
+
+/*
+ ** Close a file & cleanup AFP specific locking context 
+ */
+static int afpUnixClose(OsFile **pId) {
+  unixFile *id = (unixFile*)*pId;
+  
+  if( !id ) return SQLITE_OK;
+  afpUnixUnlock(*pId, NO_LOCK);
+  /* free the AFP locking structure */
+  if (id->lockingContext != NULL) {
+    if (((afpLockingContext *)id->lockingContext)->filePath != NULL)
+      sqlite3ThreadSafeFree(((afpLockingContext*)id->lockingContext)->filePath);
+    sqlite3ThreadSafeFree(id->lockingContext);
+  }
+  
+  if( id->dirfd>=0 ) close(id->dirfd);
+  id->dirfd = -1;
+  close(id->h);
+  id->isOpen = 0;
+  OSTRACE2("CLOSE   %-3d\n", id->h);
+  OpenCounter(-1);
+  sqlite3ThreadSafeFree(id);
+  *pId = 0;
+  return SQLITE_OK;
+}
+
+
+#pragma mark flock() style locking
+
+/*
+ ** The flockLockingContext is not used
+ */
+typedef void flockLockingContext;
+
+static int flockUnixCheckReservedLock(OsFile *id) {
+  unixFile *pFile = (unixFile*)id;
+  
+  if (pFile->locktype == RESERVED_LOCK) {
+    return 1; /* already have a reserved lock */
+  } else {
+    /* attempt to get the lock */
+    int rc = flock(pFile->h, LOCK_EX | LOCK_NB);
+    if (!rc) {
+      /* got the lock, unlock it */
+      flock(pFile->h, LOCK_UN);
+      return 0;  /* no one has it reserved */
+    }
+    return 1; /* someone else might have it reserved */
+  }
+}
+
+static int flockUnixLock(OsFile *id, int locktype) {
+  unixFile *pFile = (unixFile*)id;
+  
+  /* if we already have a lock, it is exclusive.  
+  // Just adjust level and punt on outta here. */
+  if (pFile->locktype > NO_LOCK) {
+    pFile->locktype = locktype;
+    return SQLITE_OK;
+  }
+  
+  /* grab an exclusive lock */
+  int rc = flock(pFile->h, LOCK_EX | LOCK_NB);
+  if (rc) {
+    /* didn't get, must be busy */
+    return SQLITE_BUSY;
+  } else {
+    /* got it, set the type and return ok */
+    pFile->locktype = locktype;
+    return SQLITE_OK;
+  }
+}
+
+static int flockUnixUnlock(OsFile *id, int locktype) {
+  unixFile *pFile = (unixFile*)id;
+  
+  assert( locktype<=SHARED_LOCK );
+  
+  /* no-op if possible */
+  if( pFile->locktype==locktype ){
+    return SQLITE_OK;
+  }
+  
+  /* shared can just be set because we always have an exclusive */
+  if (locktype==SHARED_LOCK) {
+    pFile->locktype = locktype;
+    return SQLITE_OK;
+  }
+  
+  /* no, really, unlock. */
+  int rc = flock(pFile->h, LOCK_UN);
+  if (rc)
+    return SQLITE_IOERR_UNLOCK;
+  else {
+    pFile->locktype = NO_LOCK;
+    return SQLITE_OK;
+  }
+}
+
+/*
+ ** Close a file.
+ */
+static int flockUnixClose(OsFile **pId) {
+  unixFile *id = (unixFile*)*pId;
+  
+  if( !id ) return SQLITE_OK;
+  flockUnixUnlock(*pId, NO_LOCK);
+  
+  if( id->dirfd>=0 ) close(id->dirfd);
+  id->dirfd = -1;
+  sqlite3OsEnterMutex();
+  
+  close(id->h);  
+  sqlite3OsLeaveMutex();
+  id->isOpen = 0;
+  OSTRACE2("CLOSE   %-3d\n", id->h);
+  OpenCounter(-1);
+  sqlite3ThreadSafeFree(id);
+  *pId = 0;
+  return SQLITE_OK;
+}
+
+#pragma mark Old-School .lock file based locking
+
+/*
+ ** The dotlockLockingContext structure contains all dotlock (.lock) lock
+ ** specific state
+ */
+typedef struct dotlockLockingContext dotlockLockingContext;
+struct dotlockLockingContext {
+  char *lockPath;
+};
+
+
+static int dotlockUnixCheckReservedLock(OsFile *id) {
+  unixFile *pFile = (unixFile*)id;
+  dotlockLockingContext *context = 
+    (dotlockLockingContext *) pFile->lockingContext;
+  
+  if (pFile->locktype == RESERVED_LOCK) {
+    return 1; /* already have a reserved lock */
+  } else {
+    struct stat statBuf;
+    if (lstat(context->lockPath,&statBuf) == 0)
+      /* file exists, someone else has the lock */
+      return 1;
+    else
+      /* file does not exist, we could have it if we want it */
+      return 0;
+  }
+}
+
+static int dotlockUnixLock(OsFile *id, int locktype) {
+  unixFile *pFile = (unixFile*)id;
+  dotlockLockingContext *context = 
+    (dotlockLockingContext *) pFile->lockingContext;
+  
+  /* if we already have a lock, it is exclusive.  
+  // Just adjust level and punt on outta here. */
+  if (pFile->locktype > NO_LOCK) {
+    pFile->locktype = locktype;
+    
+    /* Always update the timestamp on the old file */
+    utimes(context->lockPath,NULL);
+    return SQLITE_OK;
+  }
+  
+  /* check to see if lock file already exists */
+  struct stat statBuf;
+  if (lstat(context->lockPath,&statBuf) == 0){
+    return SQLITE_BUSY; // it does, busy
+  }
+  
+  /* grab an exclusive lock */
+  int fd = open(context->lockPath,O_RDONLY|O_CREAT|O_EXCL,0600);
+  if (fd < 0) {
+    /* failed to open/create the file, someone else may have stolen the lock */
+    return SQLITE_BUSY; 
+  }
+  close(fd);
+  
+  /* got it, set the type and return ok */
+  pFile->locktype = locktype;
+  return SQLITE_OK;
+}
+
+static int dotlockUnixUnlock(OsFile *id, int locktype) {
+  unixFile *pFile = (unixFile*)id;
+  dotlockLockingContext *context = 
+    (dotlockLockingContext *) pFile->lockingContext;
+  
+  assert( locktype<=SHARED_LOCK );
+  
+  /* no-op if possible */
+  if( pFile->locktype==locktype ){
+    return SQLITE_OK;
+  }
+  
+  /* shared can just be set because we always have an exclusive */
+  if (locktype==SHARED_LOCK) {
+    pFile->locktype = locktype;
+    return SQLITE_OK;
+  }
+  
+  /* no, really, unlock. */
+  unlink(context->lockPath);
+  pFile->locktype = NO_LOCK;
+  return SQLITE_OK;
+}
+
+/*
+ ** Close a file.
+ */
+static int dotlockUnixClose(OsFile **pId) {
+  unixFile *id = (unixFile*)*pId;
+  
+  if( !id ) return SQLITE_OK;
+  dotlockUnixUnlock(*pId, NO_LOCK);
+  /* free the dotlock locking structure */
+  if (id->lockingContext != NULL) {
+    if (((dotlockLockingContext *)id->lockingContext)->lockPath != NULL)
+      sqlite3ThreadSafeFree( ( (dotlockLockingContext *)
+        id->lockingContext)->lockPath);
+    sqlite3ThreadSafeFree(id->lockingContext);
+  }
+  
+  if( id->dirfd>=0 ) close(id->dirfd);
+  id->dirfd = -1;
+  sqlite3OsEnterMutex();
+  
+  close(id->h);
+  
+  sqlite3OsLeaveMutex();
+  id->isOpen = 0;
+  OSTRACE2("CLOSE   %-3d\n", id->h);
+  OpenCounter(-1);
+  sqlite3ThreadSafeFree(id);
+  *pId = 0;
+  return SQLITE_OK;
+}
+
+
+#pragma mark No locking
+
+/*
+ ** The nolockLockingContext is void
+ */
+typedef void nolockLockingContext;
+
+static int nolockUnixCheckReservedLock(OsFile *id) {
+  return 0;
+}
+
+static int nolockUnixLock(OsFile *id, int locktype) {
+  return SQLITE_OK;
+}
+
+static int nolockUnixUnlock(OsFile *id, int locktype) {
+  return SQLITE_OK;
+}
+
+/*
+ ** Close a file.
+ */
+static int nolockUnixClose(OsFile **pId) {
+  unixFile *id = (unixFile*)*pId;
+  
+  if( !id ) return SQLITE_OK;
+  if( id->dirfd>=0 ) close(id->dirfd);
+  id->dirfd = -1;
+  sqlite3OsEnterMutex();
+  
+  close(id->h);
+  
+  sqlite3OsLeaveMutex();
+  id->isOpen = 0;
+  OSTRACE2("CLOSE   %-3d\n", id->h);
+  OpenCounter(-1);
+  sqlite3ThreadSafeFree(id);
+  *pId = 0;
+  return SQLITE_OK;
+}
+
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+/*
+** Turn a relative pathname into a full pathname.  Return a pointer
+** to the full pathname stored in space obtained from sqliteMalloc().
+** The calling function is responsible for freeing this space once it
+** is no longer needed.
+*/
+char *sqlite3UnixFullPathname(const char *zRelative){
+  char *zFull = 0;
+  if( zRelative[0]=='/' ){
+    sqlite3SetString(&zFull, zRelative, (char*)0);
+  }else{
+    char *zBuf = sqliteMalloc(5000);
+    if( zBuf==0 ){
+      return 0;
+    }
+    zBuf[0] = 0;
+    sqlite3SetString(&zFull, getcwd(zBuf, 5000), "/", zRelative,
+                    (char*)0);
+    sqliteFree(zBuf);
+  }
+
+#if 0
+  /*
+  ** Remove "/./" path elements and convert "/A/./" path elements
+  ** to just "/".
+  */
+  if( zFull ){
+    int i, j;
+    for(i=j=0; zFull[i]; i++){
+      if( zFull[i]=='/' ){
+        if( zFull[i+1]=='/' ) continue;
+        if( zFull[i+1]=='.' && zFull[i+2]=='/' ){
+          i += 1;
+          continue;
+        }
+        if( zFull[i+1]=='.' && zFull[i+2]=='.' && zFull[i+3]=='/' ){
+          while( j>0 && zFull[j-1]!='/' ){ j--; }
+          i += 3;
+          continue;
+        }
+      }
+      zFull[j++] = zFull[i];
+    }
+    zFull[j] = 0;
+  }
+#endif
+
+  return zFull;
+}
+
+/*
+** Change the value of the fullsync flag in the given file descriptor.
+*/
+static void unixSetFullSync(OsFile *id, int v){
+  ((unixFile*)id)->fullSync = v;
+}
+
+/*
+** Return the underlying file handle for an OsFile
+*/
+static int unixFileHandle(OsFile *id){
+  return ((unixFile*)id)->h;
+}
+
+/*
+** Return an integer that indices the type of lock currently held
+** by this handle.  (Used for testing and analysis only.)
+*/
+static int unixLockState(OsFile *id){
+  return ((unixFile*)id)->locktype;
+}
+
+/*
+** Return the sector size in bytes of the underlying block device for
+** the specified file. This is almost always 512 bytes, but may be
+** larger for some devices.
+**
+** SQLite code assumes this function cannot fail. It also assumes that
+** if two files are created in the same file-system directory (i.e.
+** a database and it's journal file) that the sector size will be the
+** same for both.
+*/
+static int unixSectorSize(OsFile *id){
+  return SQLITE_DEFAULT_SECTOR_SIZE;
+}
+
+/*
+** This vector defines all the methods that can operate on an OsFile
+** for unix.
+*/
+static const IoMethod sqlite3UnixIoMethod = {
+  unixClose,
+  unixOpenDirectory,
+  unixRead,
+  unixWrite,
+  unixSeek,
+  unixTruncate,
+  unixSync,
+  unixSetFullSync,
+  unixFileHandle,
+  unixFileSize,
+  unixLock,
+  unixUnlock,
+  unixLockState,
+  unixCheckReservedLock,
+  unixSectorSize,
+};
+
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+/*
+ ** This vector defines all the methods that can operate on an OsFile
+ ** for unix with AFP style file locking.
+ */
+static const IoMethod sqlite3AFPLockingUnixIoMethod = {
+    afpUnixClose,
+    unixOpenDirectory,
+    unixRead,
+    unixWrite,
+    unixSeek,
+    unixTruncate,
+    unixSync,
+    unixSetFullSync,
+    unixFileHandle,
+    unixFileSize,
+    afpUnixLock,
+    afpUnixUnlock,
+    unixLockState,
+    afpUnixCheckReservedLock,
+    unixSectorSize,
+};
+
+/*
+ ** This vector defines all the methods that can operate on an OsFile
+ ** for unix with flock() style file locking.
+ */
+static const IoMethod sqlite3FlockLockingUnixIoMethod = {
+    flockUnixClose,
+    unixOpenDirectory,
+    unixRead,
+    unixWrite,
+    unixSeek,
+    unixTruncate,
+    unixSync,
+    unixSetFullSync,
+    unixFileHandle,
+    unixFileSize,
+    flockUnixLock,
+    flockUnixUnlock,
+    unixLockState,
+    flockUnixCheckReservedLock,
+    unixSectorSize,
+};
+
+/*
+ ** This vector defines all the methods that can operate on an OsFile
+ ** for unix with dotlock style file locking.
+ */
+static const IoMethod sqlite3DotlockLockingUnixIoMethod = {
+    dotlockUnixClose,
+    unixOpenDirectory,
+    unixRead,
+    unixWrite,
+    unixSeek,
+    unixTruncate,
+    unixSync,
+    unixSetFullSync,
+    unixFileHandle,
+    unixFileSize,
+    dotlockUnixLock,
+    dotlockUnixUnlock,
+    unixLockState,
+    dotlockUnixCheckReservedLock,
+    unixSectorSize,
+};
+
+/*
+ ** This vector defines all the methods that can operate on an OsFile
+ ** for unix with dotlock style file locking.
+ */
+static const IoMethod sqlite3NolockLockingUnixIoMethod = {
+  nolockUnixClose,
+  unixOpenDirectory,
+  unixRead,
+  unixWrite,
+  unixSeek,
+  unixTruncate,
+  unixSync,
+  unixSetFullSync,
+  unixFileHandle,
+  unixFileSize,
+  nolockUnixLock,
+  nolockUnixUnlock,
+  unixLockState,
+  nolockUnixCheckReservedLock,
+  unixSectorSize,
+};
+
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+/*
+** Allocate memory for a new unixFile and initialize that unixFile.
+** Write a pointer to the new unixFile into *pId.
+** If we run out of memory, close the file and return an error.
+*/
+#ifdef SQLITE_ENABLE_LOCKING_STYLE
+/* 
+ ** When locking extensions are enabled, the filepath and locking style 
+ ** are needed to determine the unixFile pMethod to use for locking operations.
+ ** The locking-style specific lockingContext data structure is created 
+ ** and assigned here also.
+ */
+static int allocateUnixFile(
+  int h,                  /* Open file descriptor of file being opened */
+  OsFile **pId,           /* Write completed initialization here */
+  const char *zFilename,  /* Name of the file being opened */
+  int delFlag             /* Delete-on-or-before-close flag */
+){
+  sqlite3LockingStyle lockingStyle;
+  unixFile *pNew;
+  unixFile f;
+  int rc;
+
+  memset(&f, 0, sizeof(f));
+  lockingStyle = sqlite3DetectLockingStyle(zFilename, h);
+  if ( lockingStyle == posixLockingStyle ) {
+    sqlite3OsEnterMutex();
+    rc = findLockInfo(h, &f.pLock, &f.pOpen);
+    sqlite3OsLeaveMutex();
+    if( rc ){
+      close(h);
+      unlink(zFilename);
+      return SQLITE_NOMEM;
+    }
+  } else {
+    /*  pLock and pOpen are only used for posix advisory locking  */
+    f.pLock = NULL;
+    f.pOpen = NULL;
+  }
+  if( delFlag ){
+    unlink(zFilename);
+  }
+  f.dirfd = -1;
+  f.h = h;
+  SET_THREADID(&f);
+  pNew = sqlite3ThreadSafeMalloc( sizeof(unixFile) );
+  if( pNew==0 ){
+    close(h);
+    sqlite3OsEnterMutex();
+    releaseLockInfo(f.pLock);
+    releaseOpenCnt(f.pOpen);
+    sqlite3OsLeaveMutex();
+    *pId = 0;
+    return SQLITE_NOMEM;
+  }else{
+    *pNew = f;
+    switch(lockingStyle) {
+      case afpLockingStyle:
+        /* afp locking uses the file path so it needs to be included in
+        ** the afpLockingContext */
+        pNew->pMethod = &sqlite3AFPLockingUnixIoMethod;
+        pNew->lockingContext = 
+          sqlite3ThreadSafeMalloc(sizeof(afpLockingContext));
+        ((afpLockingContext *)pNew->lockingContext)->filePath = 
+          sqlite3ThreadSafeMalloc(strlen(zFilename) + 1);
+        strcpy(((afpLockingContext *)pNew->lockingContext)->filePath, 
+               zFilename);
+        srandomdev();
+        break;
+      case flockLockingStyle:
+        /* flock locking doesn't need additional lockingContext information */
+        pNew->pMethod = &sqlite3FlockLockingUnixIoMethod;
+        break;
+      case dotlockLockingStyle:
+        /* dotlock locking uses the file path so it needs to be included in
+         ** the dotlockLockingContext */
+        pNew->pMethod = &sqlite3DotlockLockingUnixIoMethod;
+        pNew->lockingContext = sqlite3ThreadSafeMalloc(
+          sizeof(dotlockLockingContext));
+        ((dotlockLockingContext *)pNew->lockingContext)->lockPath = 
+            sqlite3ThreadSafeMalloc(strlen(zFilename) + strlen(".lock") + 1);
+        sprintf(((dotlockLockingContext *)pNew->lockingContext)->lockPath, 
+                "%s.lock", zFilename);
+        break;
+      case posixLockingStyle:
+        /* posix locking doesn't need additional lockingContext information */
+        pNew->pMethod = &sqlite3UnixIoMethod;
+        break;
+      case noLockingStyle:
+      case unsupportedLockingStyle:
+      default: 
+        pNew->pMethod = &sqlite3NolockLockingUnixIoMethod;
+    }
+    *pId = (OsFile*)pNew;
+    OpenCounter(+1);
+    return SQLITE_OK;
+  }
+}
+#else /* SQLITE_ENABLE_LOCKING_STYLE */
+static int allocateUnixFile(
+  int h,                 /* Open file descriptor on file being opened */
+  OsFile **pId,          /* Write the resul unixFile structure here */
+  const char *zFilename, /* Name of the file being opened */
+  int delFlag            /* If true, delete the file on or before closing */
+){
+  unixFile *pNew;
+  unixFile f;
+  int rc;
+
+  memset(&f, 0, sizeof(f));
+  sqlite3OsEnterMutex();
+  rc = findLockInfo(h, &f.pLock, &f.pOpen);
+  sqlite3OsLeaveMutex();
+  if( delFlag ){
+    unlink(zFilename);
+  }
+  if( rc ){
+    close(h);
+    return SQLITE_NOMEM;
+  }
+  OSTRACE3("OPEN    %-3d %s\n", h, zFilename);
+  f.dirfd = -1;
+  f.h = h;
+  SET_THREADID(&f);
+  pNew = sqlite3ThreadSafeMalloc( sizeof(unixFile) );
+  if( pNew==0 ){
+    close(h);
+    sqlite3OsEnterMutex();
+    releaseLockInfo(f.pLock);
+    releaseOpenCnt(f.pOpen);
+    sqlite3OsLeaveMutex();
+    *pId = 0;
+    return SQLITE_NOMEM;
+  }else{
+    *pNew = f;
+    pNew->pMethod = &sqlite3UnixIoMethod;
+    *pId = (OsFile*)pNew;
+    OpenCounter(+1);
+    return SQLITE_OK;
+  }
+}
+#endif /* SQLITE_ENABLE_LOCKING_STYLE */
+
+#endif /* SQLITE_OMIT_DISKIO */
+/***************************************************************************
+** Everything above deals with file I/O.  Everything that follows deals
+** with other miscellanous aspects of the operating system interface
+****************************************************************************/
+
+
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+/*
+** Interfaces for opening a shared library, finding entry points
+** within the shared library, and closing the shared library.
+*/
+#include <dlfcn.h>
+void *sqlite3UnixDlopen(const char *zFilename){
+  return dlopen(zFilename, RTLD_NOW | RTLD_GLOBAL);
+}
+void *sqlite3UnixDlsym(void *pHandle, const char *zSymbol){
+  return dlsym(pHandle, zSymbol);
+}
+int sqlite3UnixDlclose(void *pHandle){
+  return dlclose(pHandle);
+}
+#endif /* SQLITE_OMIT_LOAD_EXTENSION */
+
+/*
+** Get information to seed the random number generator.  The seed
+** is written into the buffer zBuf[256].  The calling function must
+** supply a sufficiently large buffer.
+*/
+int sqlite3UnixRandomSeed(char *zBuf){
+  /* We have to initialize zBuf to prevent valgrind from reporting
+  ** errors.  The reports issued by valgrind are incorrect - we would
+  ** prefer that the randomness be increased by making use of the
+  ** uninitialized space in zBuf - but valgrind errors tend to worry
+  ** some users.  Rather than argue, it seems easier just to initialize
+  ** the whole array and silence valgrind, even if that means less randomness
+  ** in the random seed.
+  **
+  ** When testing, initializing zBuf[] to zero is all we do.  That means
+  ** that we always use the same random number sequence.  This makes the
+  ** tests repeatable.
+  */
+  memset(zBuf, 0, 256);
+#if !defined(SQLITE_TEST)
+  {
+    int pid, fd;
+    fd = open("/dev/urandom", O_RDONLY);
+    if( fd<0 ){
+      time_t t;
+      time(&t);
+      memcpy(zBuf, &t, sizeof(t));
+      pid = getpid();
+      memcpy(&zBuf[sizeof(time_t)], &pid, sizeof(pid));
+    }else{
+      read(fd, zBuf, 256);
+      close(fd);
+    }
+  }
+#endif
+  return SQLITE_OK;
+}
+
+/*
+** Sleep for a little while.  Return the amount of time slept.
+** The argument is the number of milliseconds we want to sleep.
+*/
+int sqlite3UnixSleep(int ms){
+#if defined(HAVE_USLEEP) && HAVE_USLEEP
+  usleep(ms*1000);
+  return ms;
+#else
+  sleep((ms+999)/1000);
+  return 1000*((ms+999)/1000);
+#endif
+}
+
+/*
+** Static variables used for thread synchronization.
+**
+** inMutex      the nesting depth of the recursive mutex.  The thread
+**              holding mutexMain can read this variable at any time.
+**              But is must hold mutexAux to change this variable.  Other
+**              threads must hold mutexAux to read the variable and can
+**              never write.
+**
+** mutexOwner   The thread id of the thread holding mutexMain.  Same
+**              access rules as for inMutex.
+**
+** mutexOwnerValid   True if the value in mutexOwner is valid.  The same
+**                   access rules apply as for inMutex.
+**
+** mutexMain    The main mutex.  Hold this mutex in order to get exclusive
+**              access to SQLite data structures.
+**
+** mutexAux     An auxiliary mutex needed to access variables defined above.
+**
+** Mutexes are always acquired in this order: mutexMain mutexAux.   It
+** is not necessary to acquire mutexMain in order to get mutexAux - just
+** do not attempt to acquire them in the reverse order: mutexAux mutexMain.
+** Either get the mutexes with mutexMain first or get mutexAux only.
+**
+** When running on a platform where the three variables inMutex, mutexOwner,
+** and mutexOwnerValid can be set atomically, the mutexAux is not required.
+** On many systems, all three are 32-bit integers and writing to a 32-bit
+** integer is atomic.  I think.  But there are no guarantees.  So it seems
+** safer to protect them using mutexAux.
+*/
+static int inMutex = 0;
+#ifdef SQLITE_UNIX_THREADS
+static pthread_t mutexOwner;          /* Thread holding mutexMain */
+static int mutexOwnerValid = 0;       /* True if mutexOwner is valid */
+static pthread_mutex_t mutexMain = PTHREAD_MUTEX_INITIALIZER; /* The mutex */
+static pthread_mutex_t mutexAux = PTHREAD_MUTEX_INITIALIZER;  /* Aux mutex */
+#endif
+
+/*
+** The following pair of routine implement mutual exclusion for
+** multi-threaded processes.  Only a single thread is allowed to
+** executed code that is surrounded by EnterMutex() and LeaveMutex().
+**
+** SQLite uses only a single Mutex.  There is not much critical
+** code and what little there is executes quickly and without blocking.
+**
+** As of version 3.3.2, this mutex must be recursive.
+*/
+void sqlite3UnixEnterMutex(){
+#ifdef SQLITE_UNIX_THREADS
+  pthread_mutex_lock(&mutexAux);
+  if( !mutexOwnerValid || !pthread_equal(mutexOwner, pthread_self()) ){
+    pthread_mutex_unlock(&mutexAux);
+    pthread_mutex_lock(&mutexMain);
+    assert( inMutex==0 );
+    assert( !mutexOwnerValid );
+    pthread_mutex_lock(&mutexAux);
+    mutexOwner = pthread_self();
+    mutexOwnerValid = 1;
+  }
+  inMutex++;
+  pthread_mutex_unlock(&mutexAux);
+#else
+  inMutex++;
+#endif
+}
+void sqlite3UnixLeaveMutex(){
+  assert( inMutex>0 );
+#ifdef SQLITE_UNIX_THREADS
+  pthread_mutex_lock(&mutexAux);
+  inMutex--;
+  assert( pthread_equal(mutexOwner, pthread_self()) );
+  if( inMutex==0 ){
+    assert( mutexOwnerValid );
+    mutexOwnerValid = 0;
+    pthread_mutex_unlock(&mutexMain);
+  }
+  pthread_mutex_unlock(&mutexAux);
+#else
+  inMutex--;
+#endif
+}
+
+/*
+** Return TRUE if the mutex is currently held.
+**
+** If the thisThrd parameter is true, return true only if the
+** calling thread holds the mutex.  If the parameter is false, return
+** true if any thread holds the mutex.
+*/
+int sqlite3UnixInMutex(int thisThrd){
+#ifdef SQLITE_UNIX_THREADS
+  int rc;
+  pthread_mutex_lock(&mutexAux);
+  rc = inMutex>0 && (thisThrd==0 || pthread_equal(mutexOwner,pthread_self()));
+  pthread_mutex_unlock(&mutexAux);
+  return rc;
+#else
+  return inMutex>0;
+#endif
+}
+
+/*
+** Remember the number of thread-specific-data blocks allocated.
+** Use this to verify that we are not leaking thread-specific-data.
+** Ticket #1601
+*/
+#ifdef SQLITE_TEST
+int sqlite3_tsd_count = 0;
+# ifdef SQLITE_UNIX_THREADS
+    static pthread_mutex_t tsd_counter_mutex = PTHREAD_MUTEX_INITIALIZER;
+#   define TSD_COUNTER(N) \
+             pthread_mutex_lock(&tsd_counter_mutex); \
+             sqlite3_tsd_count += N; \
+             pthread_mutex_unlock(&tsd_counter_mutex);
+# else
+#   define TSD_COUNTER(N)  sqlite3_tsd_count += N
+# endif
+#else
+# define TSD_COUNTER(N)  /* no-op */
+#endif
+
+/*
+** If called with allocateFlag>0, then return a pointer to thread
+** specific data for the current thread.  Allocate and zero the
+** thread-specific data if it does not already exist.
+**
+** If called with allocateFlag==0, then check the current thread
+** specific data.  Return it if it exists.  If it does not exist,
+** then return NULL.
+**
+** If called with allocateFlag<0, check to see if the thread specific
+** data is allocated and is all zero.  If it is then deallocate it.
+** Return a pointer to the thread specific data or NULL if it is
+** unallocated or gets deallocated.
+*/
+ThreadData *sqlite3UnixThreadSpecificData(int allocateFlag){
+  static const ThreadData zeroData = {0};  /* Initializer to silence warnings
+                                           ** from broken compilers */
+#ifdef SQLITE_UNIX_THREADS
+  static pthread_key_t key;
+  static int keyInit = 0;
+  ThreadData *pTsd;
+
+  if( !keyInit ){
+    sqlite3OsEnterMutex();
+    if( !keyInit ){
+      int rc;
+      rc = pthread_key_create(&key, 0);
+      if( rc ){
+        sqlite3OsLeaveMutex();
+        return 0;
+      }
+      keyInit = 1;
+    }
+    sqlite3OsLeaveMutex();
+  }
+
+  pTsd = pthread_getspecific(key);
+  if( allocateFlag>0 ){
+    if( pTsd==0 ){
+      if( !sqlite3TestMallocFail() ){
+        pTsd = sqlite3OsMalloc(sizeof(zeroData));
+      }
+#ifdef SQLITE_MEMDEBUG
+      sqlite3_isFail = 0;
+#endif
+      if( pTsd ){
+        *pTsd = zeroData;
+        pthread_setspecific(key, pTsd);
+        TSD_COUNTER(+1);
+      }
+    }
+  }else if( pTsd!=0 && allocateFlag<0 
+            && memcmp(pTsd, &zeroData, sizeof(ThreadData))==0 ){
+    sqlite3OsFree(pTsd);
+    pthread_setspecific(key, 0);
+    TSD_COUNTER(-1);
+    pTsd = 0;
+  }
+  return pTsd;
+#else
+  static ThreadData *pTsd = 0;
+  if( allocateFlag>0 ){
+    if( pTsd==0 ){
+      if( !sqlite3TestMallocFail() ){
+        pTsd = sqlite3OsMalloc( sizeof(zeroData) );
+      }
+#ifdef SQLITE_MEMDEBUG
+      sqlite3_isFail = 0;
+#endif
+      if( pTsd ){
+        *pTsd = zeroData;
+        TSD_COUNTER(+1);
+      }
+    }
+  }else if( pTsd!=0 && allocateFlag<0
+            && memcmp(pTsd, &zeroData, sizeof(ThreadData))==0 ){
+    sqlite3OsFree(pTsd);
+    TSD_COUNTER(-1);
+    pTsd = 0;
+  }
+  return pTsd;
+#endif
+}
+
+/*
+** The following variable, if set to a non-zero value, becomes the result
+** returned from sqlite3OsCurrentTime().  This is used for testing.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_current_time = 0;
+#endif
+
+/*
+** Find the current time (in Universal Coordinated Time).  Write the
+** current time and date as a Julian Day number into *prNow and
+** return 0.  Return 1 if the time and date cannot be found.
+*/
+int sqlite3UnixCurrentTime(double *prNow){
+#ifdef NO_GETTOD
+  time_t t;
+  time(&t);
+  *prNow = t/86400.0 + 2440587.5;
+#else
+  struct timeval sNow;
+#ifdef _SVID_GETTOD
+  gettimeofday(&sNow);
+#else
+  gettimeofday(&sNow, 0);
+#endif
+  *prNow = 2440587.5 + sNow.tv_sec/86400.0 + sNow.tv_usec/86400000000.0;
+#endif
+#ifdef SQLITE_TEST
+  if( sqlite3_current_time ){
+    *prNow = sqlite3_current_time/86400.0 + 2440587.5;
+  }
+#endif
+  return 0;
+}
+
+#endif /* OS_UNIX */
+
+/************** End of os_unix.c *********************************************/
+/************** Begin file os_win.c ******************************************/
+/*
+** 2004 May 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains code that is specific to windows.
+*/
+#if OS_WIN               /* This file is used for windows only */
+
+#include <winbase.h>
+
+#ifdef __CYGWIN__
+# include <sys/cygwin.h>
+#endif
+
+/*
+** Macros used to determine whether or not to use threads.
+*/
+#if defined(THREADSAFE) && THREADSAFE
+# define SQLITE_W32_THREADS 1
+#endif
+
+/*
+** Include code that is common to all os_*.c files
+*/
+/************** Include os_common.h in the middle of os_win.c ****************/
+/************** Begin file os_common.h ***************************************/
+/*
+** 2004 May 22
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+******************************************************************************
+**
+** This file contains macros and a little bit of code that is common to
+** all of the platform-specific files (os_*.c) and is #included into those
+** files.
+**
+** This file should be #included by the os_*.c files only.  It is not a
+** general purpose header file.
+*/
+
+/*
+** At least two bugs have slipped in because we changed the MEMORY_DEBUG
+** macro to SQLITE_DEBUG and some older makefiles have not yet made the
+** switch.  The following code should catch this problem at compile-time.
+*/
+#ifdef MEMORY_DEBUG
+# error "The MEMORY_DEBUG macro is obsolete.  Use SQLITE_DEBUG instead."
+#endif
+
+
+/*
+ * When testing, this global variable stores the location of the
+ * pending-byte in the database file.
+ */
+#ifdef SQLITE_TEST
+unsigned int sqlite3_pending_byte = 0x40000000;
+#endif
+
+int sqlite3_os_trace = 0;
+#ifdef SQLITE_DEBUG
+#define OSTRACE1(X)         if( sqlite3_os_trace ) sqlite3DebugPrintf(X)
+#define OSTRACE2(X,Y)       if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y)
+#define OSTRACE3(X,Y,Z)     if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)   if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B) if( sqlite3_os_trace ) sqlite3DebugPrintf(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D) \
+    if(sqlite3_os_trace) sqlite3DebugPrintf(X,Y,Z,A,B,C,D)
+#else
+#define OSTRACE1(X)
+#define OSTRACE2(X,Y)
+#define OSTRACE3(X,Y,Z)
+#define OSTRACE4(X,Y,Z,A)
+#define OSTRACE5(X,Y,Z,A,B)
+#define OSTRACE6(X,Y,Z,A,B,C)
+#define OSTRACE7(X,Y,Z,A,B,C,D)
+#endif
+
+/*
+** Macros for performance tracing.  Normally turned off.  Only works
+** on i486 hardware.
+*/
+#ifdef SQLITE_PERFORMANCE_TRACE
+__inline__ unsigned long long int hwtime(void){
+  unsigned long long int x;
+  __asm__("rdtsc\n\t"
+          "mov %%edx, %%ecx\n\t"
+          :"=A" (x));
+  return x;
+}
+static unsigned long long int g_start;
+static unsigned int elapse;
+#define TIMER_START       g_start=hwtime()
+#define TIMER_END         elapse=hwtime()-g_start
+#define TIMER_ELAPSED     elapse
+#else
+#define TIMER_START
+#define TIMER_END
+#define TIMER_ELAPSED     0
+#endif
+
+/*
+** If we compile with the SQLITE_TEST macro set, then the following block
+** of code will give us the ability to simulate a disk I/O error.  This
+** is used for testing the I/O recovery logic.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_io_error_hit = 0;
+int sqlite3_io_error_pending = 0;
+int sqlite3_io_error_persist = 0;
+int sqlite3_diskfull_pending = 0;
+int sqlite3_diskfull = 0;
+#define SimulateIOError(CODE)  \
+  if( sqlite3_io_error_pending || sqlite3_io_error_hit ) \
+     if( sqlite3_io_error_pending-- == 1 \
+         || (sqlite3_io_error_persist && sqlite3_io_error_hit) ) \
+                { local_ioerr(); CODE; }
+static void local_ioerr(){
+  IOTRACE(("IOERR\n"));
+  sqlite3_io_error_hit = 1;
+}
+#define SimulateDiskfullError(CODE) \
+   if( sqlite3_diskfull_pending ){ \
+     if( sqlite3_diskfull_pending == 1 ){ \
+       local_ioerr(); \
+       sqlite3_diskfull = 1; \
+       sqlite3_io_error_hit = 1; \
+       CODE; \
+     }else{ \
+       sqlite3_diskfull_pending--; \
+     } \
+   }
+#else
+#define SimulateIOError(A)
+#define SimulateDiskfullError(A)
+#endif
+
+/*
+** When testing, keep a count of the number of open files.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_open_file_count = 0;
+#define OpenCounter(X)  sqlite3_open_file_count+=(X)
+#else
+#define OpenCounter(X)
+#endif
+
+/*
+** sqlite3GenericMalloc
+** sqlite3GenericRealloc
+** sqlite3GenericOsFree
+** sqlite3GenericAllocationSize
+**
+** Implementation of the os level dynamic memory allocation interface in terms
+** of the standard malloc(), realloc() and free() found in many operating
+** systems. No rocket science here.
+**
+** There are two versions of these four functions here. The version
+** implemented here is only used if memory-management or memory-debugging is
+** enabled. This version allocates an extra 8-bytes at the beginning of each
+** block and stores the size of the allocation there.
+**
+** If neither memory-management or debugging is enabled, the second
+** set of implementations is used instead.
+*/
+#if defined(SQLITE_ENABLE_MEMORY_MANAGEMENT) || defined (SQLITE_MEMDEBUG)
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n+8);
+  assert(n>0);
+  assert(sizeof(int)<=8);
+  if( p ){
+    *(int *)p = n;
+    p += 8;
+  }
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  char *p2 = ((char *)p - 8);
+  assert(n>0);
+  p2 = (char*)realloc(p2, n+8);
+  if( p2 ){
+    *(int *)p2 = n;
+    p2 += 8;
+  }
+  return (void *)p2;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free((void *)((char *)p - 8));
+}
+int sqlite3GenericAllocationSize(void *p){
+  return p ? *(int *)((char *)p - 8) : 0;
+}
+#else
+void *sqlite3GenericMalloc(int n){
+  char *p = (char *)malloc(n);
+  return (void *)p;
+}
+void *sqlite3GenericRealloc(void *p, int n){
+  assert(n>0);
+  p = realloc(p, n);
+  return p;
+}
+void sqlite3GenericFree(void *p){
+  assert(p);
+  free(p);
+}
+/* Never actually used, but needed for the linker */
+int sqlite3GenericAllocationSize(void *p){ return 0; }
+#endif
+
+/*
+** The default size of a disk sector
+*/
+#ifndef PAGER_SECTOR_SIZE
+# define PAGER_SECTOR_SIZE 512
+#endif
+
+/************** End of os_common.h *******************************************/
+/************** Continuing where we left off in os_win.c *********************/
+
+/*
+** Determine if we are dealing with WindowsCE - which has a much
+** reduced API.
+*/
+#if defined(_WIN32_WCE)
+# define OS_WINCE 1
+# define AreFileApisANSI() 1
+#else
+# define OS_WINCE 0
+#endif
+
+/*
+** WinCE lacks native support for file locking so we have to fake it
+** with some code of our own.
+*/
+#if OS_WINCE
+typedef struct winceLock {
+  int nReaders;       /* Number of reader locks obtained */
+  BOOL bPending;      /* Indicates a pending lock has been obtained */
+  BOOL bReserved;     /* Indicates a reserved lock has been obtained */
+  BOOL bExclusive;    /* Indicates an exclusive lock has been obtained */
+} winceLock;
+#endif
+
+/*
+** The winFile structure is a subclass of OsFile specific to the win32
+** portability layer.
+*/
+typedef struct winFile winFile;
+struct winFile {
+  IoMethod const *pMethod;/* Must be first */
+  HANDLE h;               /* Handle for accessing the file */
+  unsigned char locktype; /* Type of lock currently held on this file */
+  short sharedLockByte;   /* Randomly chosen byte used as a shared lock */
+#if OS_WINCE
+  WCHAR *zDeleteOnClose;  /* Name of file to delete when closing */
+  HANDLE hMutex;          /* Mutex used to control access to shared lock */  
+  HANDLE hShared;         /* Shared memory segment used for locking */
+  winceLock local;        /* Locks obtained by this instance of winFile */
+  winceLock *shared;      /* Global shared lock memory for the file  */
+#endif
+};
+
+
+/*
+** Do not include any of the File I/O interface procedures if the
+** SQLITE_OMIT_DISKIO macro is defined (indicating that there database
+** will be in-memory only)
+*/
+#ifndef SQLITE_OMIT_DISKIO
+
+/*
+** The following variable is (normally) set once and never changes
+** thereafter.  It records whether the operating system is Win95
+** or WinNT.
+**
+** 0:   Operating system unknown.
+** 1:   Operating system is Win95.
+** 2:   Operating system is WinNT.
+**
+** In order to facilitate testing on a WinNT system, the test fixture
+** can manually set this value to 1 to emulate Win98 behavior.
+*/
+int sqlite3_os_type = 0;
+
+/*
+** Return true (non-zero) if we are running under WinNT, Win2K, WinXP,
+** or WinCE.  Return false (zero) for Win95, Win98, or WinME.
+**
+** Here is an interesting observation:  Win95, Win98, and WinME lack
+** the LockFileEx() API.  But we can still statically link against that
+** API as long as we don't call it win running Win95/98/ME.  A call to
+** this routine is used to determine if the host is Win95/98/ME or
+** WinNT/2K/XP so that we will know whether or not we can safely call
+** the LockFileEx() API.
+*/
+#if OS_WINCE
+# define isNT()  (1)
+#else
+  static int isNT(void){
+    if( sqlite3_os_type==0 ){
+      OSVERSIONINFO sInfo;
+      sInfo.dwOSVersionInfoSize = sizeof(sInfo);
+      GetVersionEx(&sInfo);
+      sqlite3_os_type = sInfo.dwPlatformId==VER_PLATFORM_WIN32_NT ? 2 : 1;
+    }
+    return sqlite3_os_type==2;
+  }
+#endif /* OS_WINCE */
+
+/*
+** Convert a UTF-8 string to microsoft unicode (UTF-16?). 
+**
+** Space to hold the returned string is obtained from sqliteMalloc.
+*/
+static WCHAR *utf8ToUnicode(const char *zFilename){
+  int nChar;
+  WCHAR *zWideFilename;
+
+  nChar = MultiByteToWideChar(CP_UTF8, 0, zFilename, -1, NULL, 0);
+  zWideFilename = sqliteMalloc( nChar*sizeof(zWideFilename[0]) );
+  if( zWideFilename==0 ){
+    return 0;
+  }
+  nChar = MultiByteToWideChar(CP_UTF8, 0, zFilename, -1, zWideFilename, nChar);
+  if( nChar==0 ){
+    sqliteFree(zWideFilename);
+    zWideFilename = 0;
+  }
+  return zWideFilename;
+}
+
+/*
+** Convert microsoft unicode to UTF-8.  Space to hold the returned string is
+** obtained from sqliteMalloc().
+*/
+static char *unicodeToUtf8(const WCHAR *zWideFilename){
+  int nByte;
+  char *zFilename;
+
+  nByte = WideCharToMultiByte(CP_UTF8, 0, zWideFilename, -1, 0, 0, 0, 0);
+  zFilename = sqliteMalloc( nByte );
+  if( zFilename==0 ){
+    return 0;
+  }
+  nByte = WideCharToMultiByte(CP_UTF8, 0, zWideFilename, -1, zFilename, nByte,
+                              0, 0);
+  if( nByte == 0 ){
+    sqliteFree(zFilename);
+    zFilename = 0;
+  }
+  return zFilename;
+}
+
+/*
+** Convert an ansi string to microsoft unicode, based on the
+** current codepage settings for file apis.
+** 
+** Space to hold the returned string is obtained
+** from sqliteMalloc.
+*/
+static WCHAR *mbcsToUnicode(const char *zFilename){
+  int nByte;
+  WCHAR *zMbcsFilename;
+  int codepage = AreFileApisANSI() ? CP_ACP : CP_OEMCP;
+
+  nByte = MultiByteToWideChar(codepage, 0, zFilename, -1, NULL,0)*sizeof(WCHAR);
+  zMbcsFilename = sqliteMalloc( nByte*sizeof(zMbcsFilename[0]) );
+  if( zMbcsFilename==0 ){
+    return 0;
+  }
+  nByte = MultiByteToWideChar(codepage, 0, zFilename, -1, zMbcsFilename, nByte);
+  if( nByte==0 ){
+    sqliteFree(zMbcsFilename);
+    zMbcsFilename = 0;
+  }
+  return zMbcsFilename;
+}
+
+/*
+** Convert microsoft unicode to multibyte character string, based on the
+** user's Ansi codepage.
+**
+** Space to hold the returned string is obtained from
+** sqliteMalloc().
+*/
+static char *unicodeToMbcs(const WCHAR *zWideFilename){
+  int nByte;
+  char *zFilename;
+  int codepage = AreFileApisANSI() ? CP_ACP : CP_OEMCP;
+
+  nByte = WideCharToMultiByte(codepage, 0, zWideFilename, -1, 0, 0, 0, 0);
+  zFilename = sqliteMalloc( nByte );
+  if( zFilename==0 ){
+    return 0;
+  }
+  nByte = WideCharToMultiByte(codepage, 0, zWideFilename, -1, zFilename, nByte,
+                              0, 0);
+  if( nByte == 0 ){
+    sqliteFree(zFilename);
+    zFilename = 0;
+  }
+  return zFilename;
+}
+
+/*
+** Convert multibyte character string to UTF-8.  Space to hold the
+** returned string is obtained from sqliteMalloc().
+*/
+static char *mbcsToUtf8(const char *zFilename){
+  char *zFilenameUtf8;
+  WCHAR *zTmpWide;
+
+  zTmpWide = mbcsToUnicode(zFilename);
+  if( zTmpWide==0 ){
+    return 0;
+  }
+  zFilenameUtf8 = unicodeToUtf8(zTmpWide);
+  sqliteFree(zTmpWide);
+  return zFilenameUtf8;
+}
+
+/*
+** Convert UTF-8 to multibyte character string.  Space to hold the 
+** returned string is obtained from sqliteMalloc().
+*/
+static char *utf8ToMbcs(const char *zFilename){
+  char *zFilenameMbcs;
+  WCHAR *zTmpWide;
+
+  zTmpWide = utf8ToUnicode(zFilename);
+  if( zTmpWide==0 ){
+    return 0;
+  }
+  zFilenameMbcs = unicodeToMbcs(zTmpWide);
+  sqliteFree(zTmpWide);
+  return zFilenameMbcs;
+}
+
+#if OS_WINCE
+/*************************************************************************
+** This section contains code for WinCE only.
+*/
+/*
+** WindowsCE does not have a localtime() function.  So create a
+** substitute.
+*/
+struct tm *__cdecl localtime(const time_t *t)
+{
+  static struct tm y;
+  FILETIME uTm, lTm;
+  SYSTEMTIME pTm;
+  i64 t64;
+  t64 = *t;
+  t64 = (t64 + 11644473600)*10000000;
+  uTm.dwLowDateTime = t64 & 0xFFFFFFFF;
+  uTm.dwHighDateTime= t64 >> 32;
+  FileTimeToLocalFileTime(&uTm,&lTm);
+  FileTimeToSystemTime(&lTm,&pTm);
+  y.tm_year = pTm.wYear - 1900;
+  y.tm_mon = pTm.wMonth - 1;
+  y.tm_wday = pTm.wDayOfWeek;
+  y.tm_mday = pTm.wDay;
+  y.tm_hour = pTm.wHour;
+  y.tm_min = pTm.wMinute;
+  y.tm_sec = pTm.wSecond;
+  return &y;
+}
+
+/* This will never be called, but defined to make the code compile */
+#define GetTempPathA(a,b)
+
+#define LockFile(a,b,c,d,e)       winceLockFile(&a, b, c, d, e)
+#define UnlockFile(a,b,c,d,e)     winceUnlockFile(&a, b, c, d, e)
+#define LockFileEx(a,b,c,d,e,f)   winceLockFileEx(&a, b, c, d, e, f)
+
+#define HANDLE_TO_WINFILE(a) (winFile*)&((char*)a)[-offsetof(winFile,h)]
+
+/*
+** Acquire a lock on the handle h
+*/
+static void winceMutexAcquire(HANDLE h){
+   DWORD dwErr;
+   do {
+     dwErr = WaitForSingleObject(h, INFINITE);
+   } while (dwErr != WAIT_OBJECT_0 && dwErr != WAIT_ABANDONED);
+}
+/*
+** Release a lock acquired by winceMutexAcquire()
+*/
+#define winceMutexRelease(h) ReleaseMutex(h)
+
+/*
+** Create the mutex and shared memory used for locking in the file
+** descriptor pFile
+*/
+static BOOL winceCreateLock(const char *zFilename, winFile *pFile){
+  WCHAR *zTok;
+  WCHAR *zName = utf8ToUnicode(zFilename);
+  BOOL bInit = TRUE;
+
+  /* Initialize the local lockdata */
+  ZeroMemory(&pFile->local, sizeof(pFile->local));
+
+  /* Replace the backslashes from the filename and lowercase it
+  ** to derive a mutex name. */
+  zTok = CharLowerW(zName);
+  for (;*zTok;zTok++){
+    if (*zTok == '\\') *zTok = '_';
+  }
+
+  /* Create/open the named mutex */
+  pFile->hMutex = CreateMutexW(NULL, FALSE, zName);
+  if (!pFile->hMutex){
+    sqliteFree(zName);
+    return FALSE;
+  }
+
+  /* Acquire the mutex before continuing */
+  winceMutexAcquire(pFile->hMutex);
+  
+  /* Since the names of named mutexes, semaphores, file mappings etc are 
+  ** case-sensitive, take advantage of that by uppercasing the mutex name
+  ** and using that as the shared filemapping name.
+  */
+  CharUpperW(zName);
+  pFile->hShared = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL,
+                                       PAGE_READWRITE, 0, sizeof(winceLock),
+                                       zName);  
+
+  /* Set a flag that indicates we're the first to create the memory so it 
+  ** must be zero-initialized */
+  if (GetLastError() == ERROR_ALREADY_EXISTS){
+    bInit = FALSE;
+  }
+
+  sqliteFree(zName);
+
+  /* If we succeeded in making the shared memory handle, map it. */
+  if (pFile->hShared){
+    pFile->shared = (winceLock*)MapViewOfFile(pFile->hShared, 
+             FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, sizeof(winceLock));
+    /* If mapping failed, close the shared memory handle and erase it */
+    if (!pFile->shared){
+      CloseHandle(pFile->hShared);
+      pFile->hShared = NULL;
+    }
+  }
+
+  /* If shared memory could not be created, then close the mutex and fail */
+  if (pFile->hShared == NULL){
+    winceMutexRelease(pFile->hMutex);
+    CloseHandle(pFile->hMutex);
+    pFile->hMutex = NULL;
+    return FALSE;
+  }
+  
+  /* Initialize the shared memory if we're supposed to */
+  if (bInit) {
+    ZeroMemory(pFile->shared, sizeof(winceLock));
+  }
+
+  winceMutexRelease(pFile->hMutex);
+  return TRUE;
+}
+
+/*
+** Destroy the part of winFile that deals with wince locks
+*/
+static void winceDestroyLock(winFile *pFile){
+  if (pFile->hMutex){
+    /* Acquire the mutex */
+    winceMutexAcquire(pFile->hMutex);
+
+    /* The following blocks should probably assert in debug mode, but they
+       are to cleanup in case any locks remained open */
+    if (pFile->local.nReaders){
+      pFile->shared->nReaders --;
+    }
+    if (pFile->local.bReserved){
+      pFile->shared->bReserved = FALSE;
+    }
+    if (pFile->local.bPending){
+      pFile->shared->bPending = FALSE;
+    }
+    if (pFile->local.bExclusive){
+      pFile->shared->bExclusive = FALSE;
+    }
+
+    /* De-reference and close our copy of the shared memory handle */
+    UnmapViewOfFile(pFile->shared);
+    CloseHandle(pFile->hShared);
+
+    if( pFile->zDeleteOnClose ){
+      DeleteFileW(pFile->zDeleteOnClose);
+      sqliteFree(pFile->zDeleteOnClose);
+      pFile->zDeleteOnClose = 0;
+    }
+
+    /* Done with the mutex */
+    winceMutexRelease(pFile->hMutex);    
+    CloseHandle(pFile->hMutex);
+    pFile->hMutex = NULL;
+  }
+}
+
+/* 
+** An implementation of the LockFile() API of windows for wince
+*/
+static BOOL winceLockFile(
+  HANDLE *phFile,
+  DWORD dwFileOffsetLow,
+  DWORD dwFileOffsetHigh,
+  DWORD nNumberOfBytesToLockLow,
+  DWORD nNumberOfBytesToLockHigh
+){
+  winFile *pFile = HANDLE_TO_WINFILE(phFile);
+  BOOL bReturn = FALSE;
+
+  if (!pFile->hMutex) return TRUE;
+  winceMutexAcquire(pFile->hMutex);
+
+  /* Wanting an exclusive lock? */
+  if (dwFileOffsetLow == SHARED_FIRST
+       && nNumberOfBytesToLockLow == SHARED_SIZE){
+    if (pFile->shared->nReaders == 0 && pFile->shared->bExclusive == 0){
+       pFile->shared->bExclusive = TRUE;
+       pFile->local.bExclusive = TRUE;
+       bReturn = TRUE;
+    }
+  }
+
+  /* Want a read-only lock? */
+  else if ((dwFileOffsetLow >= SHARED_FIRST &&
+            dwFileOffsetLow < SHARED_FIRST + SHARED_SIZE) &&
+            nNumberOfBytesToLockLow == 1){
+    if (pFile->shared->bExclusive == 0){
+      pFile->local.nReaders ++;
+      if (pFile->local.nReaders == 1){
+        pFile->shared->nReaders ++;
+      }
+      bReturn = TRUE;
+    }
+  }
+
+  /* Want a pending lock? */
+  else if (dwFileOffsetLow == PENDING_BYTE && nNumberOfBytesToLockLow == 1){
+    /* If no pending lock has been acquired, then acquire it */
+    if (pFile->shared->bPending == 0) {
+      pFile->shared->bPending = TRUE;
+      pFile->local.bPending = TRUE;
+      bReturn = TRUE;
+    }
+  }
+  /* Want a reserved lock? */
+  else if (dwFileOffsetLow == RESERVED_BYTE && nNumberOfBytesToLockLow == 1){
+    if (pFile->shared->bReserved == 0) {
+      pFile->shared->bReserved = TRUE;
+      pFile->local.bReserved = TRUE;
+      bReturn = TRUE;
+    }
+  }
+
+  winceMutexRelease(pFile->hMutex);
+  return bReturn;
+}
+
+/*
+** An implementation of the UnlockFile API of windows for wince
+*/
+static BOOL winceUnlockFile(
+  HANDLE *phFile,
+  DWORD dwFileOffsetLow,
+  DWORD dwFileOffsetHigh,
+  DWORD nNumberOfBytesToUnlockLow,
+  DWORD nNumberOfBytesToUnlockHigh
+){
+  winFile *pFile = HANDLE_TO_WINFILE(phFile);
+  BOOL bReturn = FALSE;
+
+  if (!pFile->hMutex) return TRUE;
+  winceMutexAcquire(pFile->hMutex);
+
+  /* Releasing a reader lock or an exclusive lock */
+  if (dwFileOffsetLow >= SHARED_FIRST &&
+       dwFileOffsetLow < SHARED_FIRST + SHARED_SIZE){
+    /* Did we have an exclusive lock? */
+    if (pFile->local.bExclusive){
+      pFile->local.bExclusive = FALSE;
+      pFile->shared->bExclusive = FALSE;
+      bReturn = TRUE;
+    }
+
+    /* Did we just have a reader lock? */
+    else if (pFile->local.nReaders){
+      pFile->local.nReaders --;
+      if (pFile->local.nReaders == 0)
+      {
+        pFile->shared->nReaders --;
+      }
+      bReturn = TRUE;
+    }
+  }
+
+  /* Releasing a pending lock */
+  else if (dwFileOffsetLow == PENDING_BYTE && nNumberOfBytesToUnlockLow == 1){
+    if (pFile->local.bPending){
+      pFile->local.bPending = FALSE;
+      pFile->shared->bPending = FALSE;
+      bReturn = TRUE;
+    }
+  }
+  /* Releasing a reserved lock */
+  else if (dwFileOffsetLow == RESERVED_BYTE && nNumberOfBytesToUnlockLow == 1){
+    if (pFile->local.bReserved) {
+      pFile->local.bReserved = FALSE;
+      pFile->shared->bReserved = FALSE;
+      bReturn = TRUE;
+    }
+  }
+
+  winceMutexRelease(pFile->hMutex);
+  return bReturn;
+}
+
+/*
+** An implementation of the LockFileEx() API of windows for wince
+*/
+static BOOL winceLockFileEx(
+  HANDLE *phFile,
+  DWORD dwFlags,
+  DWORD dwReserved,
+  DWORD nNumberOfBytesToLockLow,
+  DWORD nNumberOfBytesToLockHigh,
+  LPOVERLAPPED lpOverlapped
+){
+  /* If the caller wants a shared read lock, forward this call
+  ** to winceLockFile */
+  if (lpOverlapped->Offset == SHARED_FIRST &&
+      dwFlags == 1 &&
+      nNumberOfBytesToLockLow == SHARED_SIZE){
+    return winceLockFile(phFile, SHARED_FIRST, 0, 1, 0);
+  }
+  return FALSE;
+}
+/*
+** End of the special code for wince
+*****************************************************************************/
+#endif /* OS_WINCE */
+
+/*
+** Convert a UTF-8 filename into whatever form the underlying
+** operating system wants filenames in.  Space to hold the result
+** is obtained from sqliteMalloc and must be freed by the calling
+** function.
+*/
+static void *convertUtf8Filename(const char *zFilename){
+  void *zConverted = 0;
+  if( isNT() ){
+    zConverted = utf8ToUnicode(zFilename);
+  }else{
+    zConverted = utf8ToMbcs(zFilename);
+  }
+  /* caller will handle out of memory */
+  return zConverted;
+}
+
+/*
+** Delete the named file.
+**
+** Note that windows does not allow a file to be deleted if some other
+** process has it open.  Sometimes a virus scanner or indexing program
+** will open a journal file shortly after it is created in order to do
+** whatever it is it does.  While this other process is holding the
+** file open, we will be unable to delete it.  To work around this
+** problem, we delay 100 milliseconds and try to delete again.  Up
+** to MX_DELETION_ATTEMPTs deletion attempts are run before giving
+** up and returning an error.
+*/
+#define MX_DELETION_ATTEMPTS 3
+int sqlite3WinDelete(const char *zFilename){
+  int cnt = 0;
+  int rc;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  SimulateIOError(return SQLITE_IOERR_DELETE);
+  if( isNT() ){
+    do{
+      rc = DeleteFileW(zConverted);
+    }while( rc==0 && GetFileAttributesW(zConverted)!=0xffffffff 
+            && cnt++ < MX_DELETION_ATTEMPTS && (Sleep(100), 1) );
+  }else{
+#if OS_WINCE
+    return SQLITE_NOMEM;
+#else
+    do{
+      rc = DeleteFileA(zConverted);
+    }while( rc==0 && GetFileAttributesA(zConverted)!=0xffffffff
+            && cnt++ < MX_DELETION_ATTEMPTS && (Sleep(100), 1) );
+#endif
+  }
+  sqliteFree(zConverted);
+  OSTRACE2("DELETE \"%s\"\n", zFilename);
+  return rc!=0 ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Return TRUE if the named file exists.
+*/
+int sqlite3WinFileExists(const char *zFilename){
+  int exists = 0;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  if( isNT() ){
+    exists = GetFileAttributesW((WCHAR*)zConverted) != 0xffffffff;
+  }else{
+#if OS_WINCE
+    return SQLITE_NOMEM;
+#else
+    exists = GetFileAttributesA((char*)zConverted) != 0xffffffff;
+#endif
+  }
+  sqliteFree(zConverted);
+  return exists;
+}
+
+/* Forward declaration */
+static int allocateWinFile(winFile *pInit, OsFile **pId);
+
+/*
+** Attempt to open a file for both reading and writing.  If that
+** fails, try opening it read-only.  If the file does not exist,
+** try to create it.
+**
+** On success, a handle for the open file is written to *id
+** and *pReadonly is set to 0 if the file was opened for reading and
+** writing or 1 if the file was opened read-only.  The function returns
+** SQLITE_OK.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id and *pReadonly unchanged.
+*/
+int sqlite3WinOpenReadWrite(
+  const char *zFilename,
+  OsFile **pId,
+  int *pReadonly
+){
+  winFile f;
+  HANDLE h;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  assert( *pId==0 );
+
+  if( isNT() ){
+    h = CreateFileW((WCHAR*)zConverted,
+       GENERIC_READ | GENERIC_WRITE,
+       FILE_SHARE_READ | FILE_SHARE_WRITE,
+       NULL,
+       OPEN_ALWAYS,
+       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+       NULL
+    );
+    if( h==INVALID_HANDLE_VALUE ){
+      h = CreateFileW((WCHAR*)zConverted,
+         GENERIC_READ,
+         FILE_SHARE_READ | FILE_SHARE_WRITE,
+         NULL,
+         OPEN_ALWAYS,
+         FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+         NULL
+      );
+      if( h==INVALID_HANDLE_VALUE ){
+        sqliteFree(zConverted);
+        return SQLITE_CANTOPEN;
+      }
+      *pReadonly = 1;
+    }else{
+      *pReadonly = 0;
+    }
+#if OS_WINCE
+    if (!winceCreateLock(zFilename, &f)){
+      CloseHandle(h);
+      sqliteFree(zConverted);
+      return SQLITE_CANTOPEN;
+    }
+#endif
+  }else{
+#if OS_WINCE
+    return SQLITE_NOMEM;
+#else
+    h = CreateFileA((char*)zConverted,
+       GENERIC_READ | GENERIC_WRITE,
+       FILE_SHARE_READ | FILE_SHARE_WRITE,
+       NULL,
+       OPEN_ALWAYS,
+       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+       NULL
+    );
+    if( h==INVALID_HANDLE_VALUE ){
+      h = CreateFileA((char*)zConverted,
+         GENERIC_READ,
+         FILE_SHARE_READ | FILE_SHARE_WRITE,
+         NULL,
+         OPEN_ALWAYS,
+         FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+         NULL
+      );
+      if( h==INVALID_HANDLE_VALUE ){
+        sqliteFree(zConverted);
+        return SQLITE_CANTOPEN;
+      }
+      *pReadonly = 1;
+    }else{
+      *pReadonly = 0;
+    }
+#endif /* OS_WINCE */
+  }
+
+  sqliteFree(zConverted);
+
+  f.h = h;
+#if OS_WINCE
+  f.zDeleteOnClose = 0;
+#endif
+  OSTRACE3("OPEN R/W %d \"%s\"\n", h, zFilename);
+  return allocateWinFile(&f, pId);
+}
+
+
+/*
+** Attempt to open a new file for exclusive access by this process.
+** The file will be opened for both reading and writing.  To avoid
+** a potential security problem, we do not allow the file to have
+** previously existed.  Nor do we allow the file to be a symbolic
+** link.
+**
+** If delFlag is true, then make arrangements to automatically delete
+** the file when it is closed.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+**
+** Sometimes if we have just deleted a prior journal file, windows
+** will fail to open a new one because there is a "pending delete".
+** To work around this bug, we pause for 100 milliseconds and attempt
+** a second open after the first one fails.  The whole operation only
+** fails if both open attempts are unsuccessful.
+*/
+int sqlite3WinOpenExclusive(const char *zFilename, OsFile **pId, int delFlag){
+  winFile f;
+  HANDLE h;
+  DWORD fileflags;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  assert( *pId == 0 );
+  fileflags = FILE_FLAG_RANDOM_ACCESS;
+#if !OS_WINCE
+  if( delFlag ){
+    fileflags |= FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE;
+  }
+#endif
+  if( isNT() ){
+    int cnt = 0;
+    do{
+      h = CreateFileW((WCHAR*)zConverted,
+         GENERIC_READ | GENERIC_WRITE,
+         0,
+         NULL,
+         CREATE_ALWAYS,
+         fileflags,
+         NULL
+      );
+    }while( h==INVALID_HANDLE_VALUE && cnt++ < 2 && (Sleep(100), 1) );
+  }else{
+#if OS_WINCE
+    return SQLITE_NOMEM;
+#else
+    int cnt = 0;
+    do{
+      h = CreateFileA((char*)zConverted,
+        GENERIC_READ | GENERIC_WRITE,
+        0,
+        NULL,
+        CREATE_ALWAYS,
+        fileflags,
+        NULL
+      );
+    }while( h==INVALID_HANDLE_VALUE && cnt++ < 2 && (Sleep(100), 1) );
+#endif /* OS_WINCE */
+  }
+#if OS_WINCE
+  if( delFlag && h!=INVALID_HANDLE_VALUE ){
+    f.zDeleteOnClose = zConverted;
+    zConverted = 0;
+  }
+  f.hMutex = NULL;
+#endif
+  sqliteFree(zConverted);
+  if( h==INVALID_HANDLE_VALUE ){
+    return SQLITE_CANTOPEN;
+  }
+  f.h = h;
+  OSTRACE3("OPEN EX %d \"%s\"\n", h, zFilename);
+  return allocateWinFile(&f, pId);
+}
+
+/*
+** Attempt to open a new file for read-only access.
+**
+** On success, write the file handle into *id and return SQLITE_OK.
+**
+** On failure, return SQLITE_CANTOPEN.
+*/
+int sqlite3WinOpenReadOnly(const char *zFilename, OsFile **pId){
+  winFile f;
+  HANDLE h;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  assert( *pId==0 );
+  if( isNT() ){
+    h = CreateFileW((WCHAR*)zConverted,
+       GENERIC_READ,
+       0,
+       NULL,
+       OPEN_EXISTING,
+       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+       NULL
+    );
+  }else{
+#if OS_WINCE
+    return SQLITE_NOMEM;
+#else
+    h = CreateFileA((char*)zConverted,
+       GENERIC_READ,
+       0,
+       NULL,
+       OPEN_EXISTING,
+       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_RANDOM_ACCESS,
+       NULL
+    );
+#endif
+  }
+  sqliteFree(zConverted);
+  if( h==INVALID_HANDLE_VALUE ){
+    return SQLITE_CANTOPEN;
+  }
+  f.h = h;
+#if OS_WINCE
+  f.zDeleteOnClose = 0;
+  f.hMutex = NULL;
+#endif
+  OSTRACE3("OPEN RO %d \"%s\"\n", h, zFilename);
+  return allocateWinFile(&f, pId);
+}
+
+/*
+** Attempt to open a file descriptor for the directory that contains a
+** file.  This file descriptor can be used to fsync() the directory
+** in order to make sure the creation of a new file is actually written
+** to disk.
+**
+** This routine is only meaningful for Unix.  It is a no-op under
+** windows since windows does not support hard links.
+**
+** On success, a handle for a previously open file is at *id is
+** updated with the new directory file descriptor and SQLITE_OK is
+** returned.
+**
+** On failure, the function returns SQLITE_CANTOPEN and leaves
+** *id unchanged.
+*/
+static int winOpenDirectory(
+  OsFile *id,
+  const char *zDirname
+){
+  return SQLITE_OK;
+}
+
+/*
+** Create a temporary file name in zBuf.  zBuf must be big enough to
+** hold at least SQLITE_TEMPNAME_SIZE characters.
+*/
+int sqlite3WinTempFileName(char *zBuf){
+  static char zChars[] =
+    "abcdefghijklmnopqrstuvwxyz"
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    "0123456789";
+  int i, j;
+  char zTempPath[SQLITE_TEMPNAME_SIZE];
+  if( sqlite3_temp_directory ){
+    strncpy(zTempPath, sqlite3_temp_directory, SQLITE_TEMPNAME_SIZE-30);
+    zTempPath[SQLITE_TEMPNAME_SIZE-30] = 0;
+  }else if( isNT() ){
+    char *zMulti;
+    WCHAR zWidePath[SQLITE_TEMPNAME_SIZE];
+    GetTempPathW(SQLITE_TEMPNAME_SIZE-30, zWidePath);
+    zMulti = unicodeToUtf8(zWidePath);
+    if( zMulti ){
+      strncpy(zTempPath, zMulti, SQLITE_TEMPNAME_SIZE-30);
+      zTempPath[SQLITE_TEMPNAME_SIZE-30] = 0;
+      sqliteFree(zMulti);
+    }else{
+      return SQLITE_NOMEM;
+    }
+  }else{
+    char *zUtf8;
+    char zMbcsPath[SQLITE_TEMPNAME_SIZE];
+    GetTempPathA(SQLITE_TEMPNAME_SIZE-30, zMbcsPath);
+    zUtf8 = mbcsToUtf8(zMbcsPath);
+    if( zUtf8 ){
+      strncpy(zTempPath, zUtf8, SQLITE_TEMPNAME_SIZE-30);
+      zTempPath[SQLITE_TEMPNAME_SIZE-30] = 0;
+      sqliteFree(zUtf8);
+    }else{
+      return SQLITE_NOMEM;
+    }
+  }
+  for(i=strlen(zTempPath); i>0 && zTempPath[i-1]=='\\'; i--){}
+  zTempPath[i] = 0;
+  for(;;){
+    sprintf(zBuf, "%s\\"TEMP_FILE_PREFIX, zTempPath);
+    j = strlen(zBuf);
+    sqlite3Randomness(15, &zBuf[j]);
+    for(i=0; i<15; i++, j++){
+      zBuf[j] = (char)zChars[ ((unsigned char)zBuf[j])%(sizeof(zChars)-1) ];
+    }
+    zBuf[j] = 0;
+    if( !sqlite3OsFileExists(zBuf) ) break;
+  }
+  OSTRACE2("TEMP FILENAME: %s\n", zBuf);
+  return SQLITE_OK; 
+}
+
+/*
+** Close a file.
+**
+** It is reported that an attempt to close a handle might sometimes
+** fail.  This is a very unreasonable result, but windows is notorious
+** for being unreasonable so I do not doubt that it might happen.  If
+** the close fails, we pause for 100 milliseconds and try again.  As
+** many as MX_CLOSE_ATTEMPT attempts to close the handle are made before
+** giving up and returning an error.
+*/
+#define MX_CLOSE_ATTEMPT 3
+static int winClose(OsFile **pId){
+  winFile *pFile;
+  int rc = 1;
+  if( pId && (pFile = (winFile*)*pId)!=0 ){
+    int rc, cnt = 0;
+    OSTRACE2("CLOSE %d\n", pFile->h);
+    do{
+      rc = CloseHandle(pFile->h);
+    }while( rc==0 && cnt++ < MX_CLOSE_ATTEMPT && (Sleep(100), 1) );
+#if OS_WINCE
+    winceDestroyLock(pFile);
+#endif
+    OpenCounter(-1);
+    sqliteFree(pFile);
+    *pId = 0;
+  }
+  return rc ? SQLITE_OK : SQLITE_IOERR;
+}
+
+/*
+** Read data from a file into a buffer.  Return SQLITE_OK if all
+** bytes were read successfully and SQLITE_IOERR if anything goes
+** wrong.
+*/
+static int winRead(OsFile *id, void *pBuf, int amt){
+  DWORD got;
+  assert( id!=0 );
+  SimulateIOError(return SQLITE_IOERR_READ);
+  OSTRACE3("READ %d lock=%d\n", ((winFile*)id)->h, ((winFile*)id)->locktype);
+  if( !ReadFile(((winFile*)id)->h, pBuf, amt, &got, 0) ){
+    return SQLITE_IOERR_READ;
+  }
+  if( got==(DWORD)amt ){
+    return SQLITE_OK;
+  }else{
+    memset(&((char*)pBuf)[got], 0, amt-got);
+    return SQLITE_IOERR_SHORT_READ;
+  }
+}
+
+/*
+** Write data from a buffer into a file.  Return SQLITE_OK on success
+** or some other error code on failure.
+*/
+static int winWrite(OsFile *id, const void *pBuf, int amt){
+  int rc = 0;
+  DWORD wrote;
+  assert( id!=0 );
+  SimulateIOError(return SQLITE_IOERR_READ);
+  SimulateDiskfullError(return SQLITE_FULL);
+  OSTRACE3("WRITE %d lock=%d\n", ((winFile*)id)->h, ((winFile*)id)->locktype);
+  assert( amt>0 );
+  while( amt>0 && (rc = WriteFile(((winFile*)id)->h, pBuf, amt, &wrote, 0))!=0
+         && wrote>0 ){
+    amt -= wrote;
+    pBuf = &((char*)pBuf)[wrote];
+  }
+  if( !rc || amt>(int)wrote ){
+    return SQLITE_FULL;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Some microsoft compilers lack this definition.
+*/
+#ifndef INVALID_SET_FILE_POINTER
+# define INVALID_SET_FILE_POINTER ((DWORD)-1)
+#endif
+
+/*
+** Move the read/write pointer in a file.
+*/
+static int winSeek(OsFile *id, i64 offset){
+  LONG upperBits = offset>>32;
+  LONG lowerBits = offset & 0xffffffff;
+  DWORD rc;
+  assert( id!=0 );
+#ifdef SQLITE_TEST
+  if( offset ) SimulateDiskfullError(return SQLITE_FULL);
+#endif
+  rc = SetFilePointer(((winFile*)id)->h, lowerBits, &upperBits, FILE_BEGIN);
+  OSTRACE3("SEEK %d %lld\n", ((winFile*)id)->h, offset);
+  if( rc==INVALID_SET_FILE_POINTER && GetLastError()!=NO_ERROR ){
+    return SQLITE_FULL;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Make sure all writes to a particular file are committed to disk.
+*/
+static int winSync(OsFile *id, int dataOnly){
+  assert( id!=0 );
+  OSTRACE3("SYNC %d lock=%d\n", ((winFile*)id)->h, ((winFile*)id)->locktype);
+  if( FlushFileBuffers(((winFile*)id)->h) ){
+    return SQLITE_OK;
+  }else{
+    return SQLITE_IOERR;
+  }
+}
+
+/*
+** Sync the directory zDirname. This is a no-op on operating systems other
+** than UNIX.
+*/
+int sqlite3WinSyncDirectory(const char *zDirname){
+  SimulateIOError(return SQLITE_IOERR_READ);
+  return SQLITE_OK;
+}
+
+/*
+** Truncate an open file to a specified size
+*/
+static int winTruncate(OsFile *id, i64 nByte){
+  LONG upperBits = nByte>>32;
+  assert( id!=0 );
+  OSTRACE3("TRUNCATE %d %lld\n", ((winFile*)id)->h, nByte);
+  SimulateIOError(return SQLITE_IOERR_TRUNCATE);
+  SetFilePointer(((winFile*)id)->h, nByte, &upperBits, FILE_BEGIN);
+  SetEndOfFile(((winFile*)id)->h);
+  return SQLITE_OK;
+}
+
+/*
+** Determine the current size of a file in bytes
+*/
+static int winFileSize(OsFile *id, i64 *pSize){
+  DWORD upperBits, lowerBits;
+  assert( id!=0 );
+  SimulateIOError(return SQLITE_IOERR_FSTAT);
+  lowerBits = GetFileSize(((winFile*)id)->h, &upperBits);
+  *pSize = (((i64)upperBits)<<32) + lowerBits;
+  return SQLITE_OK;
+}
+
+/*
+** LOCKFILE_FAIL_IMMEDIATELY is undefined on some Windows systems.
+*/
+#ifndef LOCKFILE_FAIL_IMMEDIATELY
+# define LOCKFILE_FAIL_IMMEDIATELY 1
+#endif
+
+/*
+** Acquire a reader lock.
+** Different API routines are called depending on whether or not this
+** is Win95 or WinNT.
+*/
+static int getReadLock(winFile *id){
+  int res;
+  if( isNT() ){
+    OVERLAPPED ovlp;
+    ovlp.Offset = SHARED_FIRST;
+    ovlp.OffsetHigh = 0;
+    ovlp.hEvent = 0;
+    res = LockFileEx(id->h, LOCKFILE_FAIL_IMMEDIATELY, 0, SHARED_SIZE,0,&ovlp);
+  }else{
+    int lk;
+    sqlite3Randomness(sizeof(lk), &lk);
+    id->sharedLockByte = (lk & 0x7fffffff)%(SHARED_SIZE - 1);
+    res = LockFile(id->h, SHARED_FIRST+id->sharedLockByte, 0, 1, 0);
+  }
+  return res;
+}
+
+/*
+** Undo a readlock
+*/
+static int unlockReadLock(winFile *pFile){
+  int res;
+  if( isNT() ){
+    res = UnlockFile(pFile->h, SHARED_FIRST, 0, SHARED_SIZE, 0);
+  }else{
+    res = UnlockFile(pFile->h, SHARED_FIRST + pFile->sharedLockByte, 0, 1, 0);
+  }
+  return res;
+}
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+/*
+** Check that a given pathname is a directory and is writable 
+**
+*/
+int sqlite3WinIsDirWritable(char *zDirname){
+  int fileAttr;
+  void *zConverted;
+  if( zDirname==0 ) return 0;
+  if( !isNT() && strlen(zDirname)>MAX_PATH ) return 0;
+
+  zConverted = convertUtf8Filename(zDirname);
+  if( zConverted==0 ){
+    return SQLITE_NOMEM;
+  }
+  if( isNT() ){
+    fileAttr = GetFileAttributesW((WCHAR*)zConverted);
+  }else{
+#if OS_WINCE
+    return 0;
+#else
+    fileAttr = GetFileAttributesA((char*)zConverted);
+#endif
+  }
+  sqliteFree(zConverted);
+  if( fileAttr == 0xffffffff ) return 0;
+  if( (fileAttr & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY ){
+    return 0;
+  }
+  return 1;
+}
+#endif /* SQLITE_OMIT_PAGER_PRAGMAS */
+
+/*
+** Lock the file with the lock specified by parameter locktype - one
+** of the following:
+**
+**     (1) SHARED_LOCK
+**     (2) RESERVED_LOCK
+**     (3) PENDING_LOCK
+**     (4) EXCLUSIVE_LOCK
+**
+** Sometimes when requesting one lock state, additional lock states
+** are inserted in between.  The locking might fail on one of the later
+** transitions leaving the lock state different from what it started but
+** still short of its goal.  The following chart shows the allowed
+** transitions and the inserted intermediate states:
+**
+**    UNLOCKED -> SHARED
+**    SHARED -> RESERVED
+**    SHARED -> (PENDING) -> EXCLUSIVE
+**    RESERVED -> (PENDING) -> EXCLUSIVE
+**    PENDING -> EXCLUSIVE
+**
+** This routine will only increase a lock.  The winUnlock() routine
+** erases all locks at once and returns us immediately to locking level 0.
+** It is not possible to lower the locking level one step at a time.  You
+** must go straight to locking level 0.
+*/
+static int winLock(OsFile *id, int locktype){
+  int rc = SQLITE_OK;    /* Return code from subroutines */
+  int res = 1;           /* Result of a windows lock call */
+  int newLocktype;       /* Set id->locktype to this value before exiting */
+  int gotPendingLock = 0;/* True if we acquired a PENDING lock this time */
+  winFile *pFile = (winFile*)id;
+
+  assert( pFile!=0 );
+  OSTRACE5("LOCK %d %d was %d(%d)\n",
+          pFile->h, locktype, pFile->locktype, pFile->sharedLockByte);
+
+  /* If there is already a lock of this type or more restrictive on the
+  ** OsFile, do nothing. Don't use the end_lock: exit path, as
+  ** sqlite3OsEnterMutex() hasn't been called yet.
+  */
+  if( pFile->locktype>=locktype ){
+    return SQLITE_OK;
+  }
+
+  /* Make sure the locking sequence is correct
+  */
+  assert( pFile->locktype!=NO_LOCK || locktype==SHARED_LOCK );
+  assert( locktype!=PENDING_LOCK );
+  assert( locktype!=RESERVED_LOCK || pFile->locktype==SHARED_LOCK );
+
+  /* Lock the PENDING_LOCK byte if we need to acquire a PENDING lock or
+  ** a SHARED lock.  If we are acquiring a SHARED lock, the acquisition of
+  ** the PENDING_LOCK byte is temporary.
+  */
+  newLocktype = pFile->locktype;
+  if( pFile->locktype==NO_LOCK
+   || (locktype==EXCLUSIVE_LOCK && pFile->locktype==RESERVED_LOCK)
+  ){
+    int cnt = 3;
+    while( cnt-->0 && (res = LockFile(pFile->h, PENDING_BYTE, 0, 1, 0))==0 ){
+      /* Try 3 times to get the pending lock.  The pending lock might be
+      ** held by another reader process who will release it momentarily.
+      */
+      OSTRACE2("could not get a PENDING lock. cnt=%d\n", cnt);
+      Sleep(1);
+    }
+    gotPendingLock = res;
+  }
+
+  /* Acquire a shared lock
+  */
+  if( locktype==SHARED_LOCK && res ){
+    assert( pFile->locktype==NO_LOCK );
+    res = getReadLock(pFile);
+    if( res ){
+      newLocktype = SHARED_LOCK;
+    }
+  }
+
+  /* Acquire a RESERVED lock
+  */
+  if( locktype==RESERVED_LOCK && res ){
+    assert( pFile->locktype==SHARED_LOCK );
+    res = LockFile(pFile->h, RESERVED_BYTE, 0, 1, 0);
+    if( res ){
+      newLocktype = RESERVED_LOCK;
+    }
+  }
+
+  /* Acquire a PENDING lock
+  */
+  if( locktype==EXCLUSIVE_LOCK && res ){
+    newLocktype = PENDING_LOCK;
+    gotPendingLock = 0;
+  }
+
+  /* Acquire an EXCLUSIVE lock
+  */
+  if( locktype==EXCLUSIVE_LOCK && res ){
+    assert( pFile->locktype>=SHARED_LOCK );
+    res = unlockReadLock(pFile);
+    OSTRACE2("unreadlock = %d\n", res);
+    res = LockFile(pFile->h, SHARED_FIRST, 0, SHARED_SIZE, 0);
+    if( res ){
+      newLocktype = EXCLUSIVE_LOCK;
+    }else{
+      OSTRACE2("error-code = %d\n", GetLastError());
+    }
+  }
+
+  /* If we are holding a PENDING lock that ought to be released, then
+  ** release it now.
+  */
+  if( gotPendingLock && locktype==SHARED_LOCK ){
+    UnlockFile(pFile->h, PENDING_BYTE, 0, 1, 0);
+  }
+
+  /* Update the state of the lock has held in the file descriptor then
+  ** return the appropriate result code.
+  */
+  if( res ){
+    rc = SQLITE_OK;
+  }else{
+    OSTRACE4("LOCK FAILED %d trying for %d but got %d\n", pFile->h,
+           locktype, newLocktype);
+    rc = SQLITE_BUSY;
+  }
+  pFile->locktype = newLocktype;
+  return rc;
+}
+
+/*
+** This routine checks if there is a RESERVED lock held on the specified
+** file by this or any other process. If such a lock is held, return
+** non-zero, otherwise zero.
+*/
+static int winCheckReservedLock(OsFile *id){
+  int rc;
+  winFile *pFile = (winFile*)id;
+  assert( pFile!=0 );
+  if( pFile->locktype>=RESERVED_LOCK ){
+    rc = 1;
+    OSTRACE3("TEST WR-LOCK %d %d (local)\n", pFile->h, rc);
+  }else{
+    rc = LockFile(pFile->h, RESERVED_BYTE, 0, 1, 0);
+    if( rc ){
+      UnlockFile(pFile->h, RESERVED_BYTE, 0, 1, 0);
+    }
+    rc = !rc;
+    OSTRACE3("TEST WR-LOCK %d %d (remote)\n", pFile->h, rc);
+  }
+  return rc;
+}
+
+/*
+** Lower the locking level on file descriptor id to locktype.  locktype
+** must be either NO_LOCK or SHARED_LOCK.
+**
+** If the locking level of the file descriptor is already at or below
+** the requested locking level, this routine is a no-op.
+**
+** It is not possible for this routine to fail if the second argument
+** is NO_LOCK.  If the second argument is SHARED_LOCK then this routine
+** might return SQLITE_IOERR;
+*/
+static int winUnlock(OsFile *id, int locktype){
+  int type;
+  int rc = SQLITE_OK;
+  winFile *pFile = (winFile*)id;
+  assert( pFile!=0 );
+  assert( locktype<=SHARED_LOCK );
+  OSTRACE5("UNLOCK %d to %d was %d(%d)\n", pFile->h, locktype,
+          pFile->locktype, pFile->sharedLockByte);
+  type = pFile->locktype;
+  if( type>=EXCLUSIVE_LOCK ){
+    UnlockFile(pFile->h, SHARED_FIRST, 0, SHARED_SIZE, 0);
+    if( locktype==SHARED_LOCK && !getReadLock(pFile) ){
+      /* This should never happen.  We should always be able to
+      ** reacquire the read lock */
+      rc = SQLITE_IOERR_UNLOCK;
+    }
+  }
+  if( type>=RESERVED_LOCK ){
+    UnlockFile(pFile->h, RESERVED_BYTE, 0, 1, 0);
+  }
+  if( locktype==NO_LOCK && type>=SHARED_LOCK ){
+    unlockReadLock(pFile);
+  }
+  if( type>=PENDING_LOCK ){
+    UnlockFile(pFile->h, PENDING_BYTE, 0, 1, 0);
+  }
+  pFile->locktype = locktype;
+  return rc;
+}
+
+/*
+** Turn a relative pathname into a full pathname.  Return a pointer
+** to the full pathname stored in space obtained from sqliteMalloc().
+** The calling function is responsible for freeing this space once it
+** is no longer needed.
+*/
+char *sqlite3WinFullPathname(const char *zRelative){
+  char *zFull;
+#if defined(__CYGWIN__)
+  int nByte;
+  nByte = strlen(zRelative) + MAX_PATH + 1001;
+  zFull = sqliteMalloc( nByte );
+  if( zFull==0 ) return 0;
+  if( cygwin_conv_to_full_win32_path(zRelative, zFull) ) return 0;
+#elif OS_WINCE
+  /* WinCE has no concept of a relative pathname, or so I am told. */
+  zFull = sqliteStrDup(zRelative);
+#else
+  int nByte;
+  void *zConverted;
+  zConverted = convertUtf8Filename(zRelative);
+  if( isNT() ){
+    WCHAR *zTemp;
+    nByte = GetFullPathNameW((WCHAR*)zConverted, 0, 0, 0) + 3;
+    zTemp = sqliteMalloc( nByte*sizeof(zTemp[0]) );
+    if( zTemp==0 ){
+      sqliteFree(zConverted);
+      return 0;
+    }
+    GetFullPathNameW((WCHAR*)zConverted, nByte, zTemp, 0);
+    sqliteFree(zConverted);
+    zFull = unicodeToUtf8(zTemp);
+    sqliteFree(zTemp);
+  }else{
+    char *zTemp;
+    nByte = GetFullPathNameA((char*)zConverted, 0, 0, 0) + 3;
+    zTemp = sqliteMalloc( nByte*sizeof(zTemp[0]) );
+    if( zTemp==0 ){
+      sqliteFree(zConverted);
+      return 0;
+    }
+    GetFullPathNameA((char*)zConverted, nByte, zTemp, 0);
+    sqliteFree(zConverted);
+    zFull = mbcsToUtf8(zTemp);
+    sqliteFree(zTemp);
+  }
+#endif
+  return zFull;
+}
+
+/*
+** The fullSync option is meaningless on windows.   This is a no-op.
+*/
+static void winSetFullSync(OsFile *id, int v){
+  return;
+}
+
+/*
+** Return the underlying file handle for an OsFile
+*/
+static int winFileHandle(OsFile *id){
+  return (int)((winFile*)id)->h;
+}
+
+/*
+** Return an integer that indices the type of lock currently held
+** by this handle.  (Used for testing and analysis only.)
+*/
+static int winLockState(OsFile *id){
+  return ((winFile*)id)->locktype;
+}
+
+/*
+** Return the sector size in bytes of the underlying block device for
+** the specified file. This is almost always 512 bytes, but may be
+** larger for some devices.
+**
+** SQLite code assumes this function cannot fail. It also assumes that
+** if two files are created in the same file-system directory (i.e.
+** a database and it's journal file) that the sector size will be the
+** same for both.
+*/
+static int winSectorSize(OsFile *id){
+  return SQLITE_DEFAULT_SECTOR_SIZE;
+}
+
+/*
+** This vector defines all the methods that can operate on an OsFile
+** for win32.
+*/
+static const IoMethod sqlite3WinIoMethod = {
+  winClose,
+  winOpenDirectory,
+  winRead,
+  winWrite,
+  winSeek,
+  winTruncate,
+  winSync,
+  winSetFullSync,
+  winFileHandle,
+  winFileSize,
+  winLock,
+  winUnlock,
+  winLockState,
+  winCheckReservedLock,
+  winSectorSize,
+};
+
+/*
+** Allocate memory for an OsFile.  Initialize the new OsFile
+** to the value given in pInit and return a pointer to the new
+** OsFile.  If we run out of memory, close the file and return NULL.
+*/
+static int allocateWinFile(winFile *pInit, OsFile **pId){
+  winFile *pNew;
+  pNew = sqliteMalloc( sizeof(*pNew) );
+  if( pNew==0 ){
+    CloseHandle(pInit->h);
+#if OS_WINCE
+    sqliteFree(pInit->zDeleteOnClose);
+#endif
+    *pId = 0;
+    return SQLITE_NOMEM;
+  }else{
+    *pNew = *pInit;
+    pNew->pMethod = &sqlite3WinIoMethod;
+    pNew->locktype = NO_LOCK;
+    pNew->sharedLockByte = 0;
+    *pId = (OsFile*)pNew;
+    OpenCounter(+1);
+    return SQLITE_OK;
+  }
+}
+
+
+#endif /* SQLITE_OMIT_DISKIO */
+/***************************************************************************
+** Everything above deals with file I/O.  Everything that follows deals
+** with other miscellanous aspects of the operating system interface
+****************************************************************************/
+
+#if !defined(SQLITE_OMIT_LOAD_EXTENSION)
+/*
+** Interfaces for opening a shared library, finding entry points
+** within the shared library, and closing the shared library.
+*/
+void *sqlite3WinDlopen(const char *zFilename){
+  HANDLE h;
+  void *zConverted = convertUtf8Filename(zFilename);
+  if( zConverted==0 ){
+    return 0;
+  }
+  if( isNT() ){
+    h = LoadLibraryW((WCHAR*)zConverted);
+  }else{
+#if OS_WINCE
+    return 0;
+#else
+    h = LoadLibraryA((char*)zConverted);
+#endif
+  }
+  sqliteFree(zConverted);
+  return (void*)h;
+  
+}
+void *sqlite3WinDlsym(void *pHandle, const char *zSymbol){
+#if OS_WINCE
+  /* The GetProcAddressA() routine is only available on wince. */
+  return GetProcAddressA((HANDLE)pHandle, zSymbol);
+#else
+  /* All other windows platforms expect GetProcAddress() to take
+  ** an Ansi string regardless of the _UNICODE setting */
+  return GetProcAddress((HANDLE)pHandle, zSymbol);
+#endif
+}
+int sqlite3WinDlclose(void *pHandle){
+  return FreeLibrary((HANDLE)pHandle);
+}
+#endif /* !SQLITE_OMIT_LOAD_EXTENSION */
+
+/*
+** Get information to seed the random number generator.  The seed
+** is written into the buffer zBuf[256].  The calling function must
+** supply a sufficiently large buffer.
+*/
+int sqlite3WinRandomSeed(char *zBuf){
+  /* We have to initialize zBuf to prevent valgrind from reporting
+  ** errors.  The reports issued by valgrind are incorrect - we would
+  ** prefer that the randomness be increased by making use of the
+  ** uninitialized space in zBuf - but valgrind errors tend to worry
+  ** some users.  Rather than argue, it seems easier just to initialize
+  ** the whole array and silence valgrind, even if that means less randomness
+  ** in the random seed.
+  **
+  ** When testing, initializing zBuf[] to zero is all we do.  That means
+  ** that we always use the same random number sequence.* This makes the
+  ** tests repeatable.
+  */
+  memset(zBuf, 0, 256);
+  GetSystemTime((LPSYSTEMTIME)zBuf);
+  return SQLITE_OK;
+}
+
+/*
+** Sleep for a little while.  Return the amount of time slept.
+*/
+int sqlite3WinSleep(int ms){
+  Sleep(ms);
+  return ms;
+}
+
+/*
+** Static variables used for thread synchronization
+*/
+static int inMutex = 0;
+#ifdef SQLITE_W32_THREADS
+  static DWORD mutexOwner;
+  static CRITICAL_SECTION cs;
+#endif
+
+/*
+** The following pair of routines implement mutual exclusion for
+** multi-threaded processes.  Only a single thread is allowed to
+** executed code that is surrounded by EnterMutex() and LeaveMutex().
+**
+** SQLite uses only a single Mutex.  There is not much critical
+** code and what little there is executes quickly and without blocking.
+**
+** Version 3.3.1 and earlier used a simple mutex.  Beginning with
+** version 3.3.2, a recursive mutex is required.
+*/
+void sqlite3WinEnterMutex(){
+#ifdef SQLITE_W32_THREADS
+  static int isInit = 0;
+  while( !isInit ){
+    static long lock = 0;
+    if( InterlockedIncrement(&lock)==1 ){
+      InitializeCriticalSection(&cs);
+      isInit = 1;
+    }else{
+      Sleep(1);
+    }
+  }
+  EnterCriticalSection(&cs);
+  mutexOwner = GetCurrentThreadId();
+#endif
+  inMutex++;
+}
+void sqlite3WinLeaveMutex(){
+  assert( inMutex );
+  inMutex--;
+#ifdef SQLITE_W32_THREADS
+  assert( mutexOwner==GetCurrentThreadId() );
+  LeaveCriticalSection(&cs);
+#endif
+}
+
+/*
+** Return TRUE if the mutex is currently held.
+**
+** If the thisThreadOnly parameter is true, return true if and only if the
+** calling thread holds the mutex.  If the parameter is false, return
+** true if any thread holds the mutex.
+*/
+int sqlite3WinInMutex(int thisThreadOnly){
+#ifdef SQLITE_W32_THREADS
+  return inMutex>0 && (thisThreadOnly==0 || mutexOwner==GetCurrentThreadId());
+#else
+  return inMutex>0;
+#endif
+}
+
+
+/*
+** The following variable, if set to a non-zero value, becomes the result
+** returned from sqlite3OsCurrentTime().  This is used for testing.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_current_time = 0;
+#endif
+
+/*
+** Find the current time (in Universal Coordinated Time).  Write the
+** current time and date as a Julian Day number into *prNow and
+** return 0.  Return 1 if the time and date cannot be found.
+*/
+int sqlite3WinCurrentTime(double *prNow){
+  FILETIME ft;
+  /* FILETIME structure is a 64-bit value representing the number of 
+     100-nanosecond intervals since January 1, 1601 (= JD 2305813.5). 
+  */
+  double now;
+#if OS_WINCE
+  SYSTEMTIME time;
+  GetSystemTime(&time);
+  SystemTimeToFileTime(&time,&ft);
+#else
+  GetSystemTimeAsFileTime( &ft );
+#endif
+  now = ((double)ft.dwHighDateTime) * 4294967296.0; 
+  *prNow = (now + ft.dwLowDateTime)/864000000000.0 + 2305813.5;
+#ifdef SQLITE_TEST
+  if( sqlite3_current_time ){
+    *prNow = sqlite3_current_time/86400.0 + 2440587.5;
+  }
+#endif
+  return 0;
+}
+
+/*
+** Remember the number of thread-specific-data blocks allocated.
+** Use this to verify that we are not leaking thread-specific-data.
+** Ticket #1601
+*/
+#ifdef SQLITE_TEST
+int sqlite3_tsd_count = 0;
+# define TSD_COUNTER_INCR InterlockedIncrement(&sqlite3_tsd_count)
+# define TSD_COUNTER_DECR InterlockedDecrement(&sqlite3_tsd_count)
+#else
+# define TSD_COUNTER_INCR  /* no-op */
+# define TSD_COUNTER_DECR  /* no-op */
+#endif
+
+
+
+/*
+** If called with allocateFlag>1, then return a pointer to thread
+** specific data for the current thread.  Allocate and zero the
+** thread-specific data if it does not already exist necessary.
+**
+** If called with allocateFlag==0, then check the current thread
+** specific data.  Return it if it exists.  If it does not exist,
+** then return NULL.
+**
+** If called with allocateFlag<0, check to see if the thread specific
+** data is allocated and is all zero.  If it is then deallocate it.
+** Return a pointer to the thread specific data or NULL if it is
+** unallocated or gets deallocated.
+*/
+ThreadData *sqlite3WinThreadSpecificData(int allocateFlag){
+  static int key;
+  static int keyInit = 0;
+  static const ThreadData zeroData = {0};
+  ThreadData *pTsd;
+
+  if( !keyInit ){
+    sqlite3OsEnterMutex();
+    if( !keyInit ){
+      key = TlsAlloc();
+      if( key==0xffffffff ){
+        sqlite3OsLeaveMutex();
+        return 0;
+      }
+      keyInit = 1;
+    }
+    sqlite3OsLeaveMutex();
+  }
+  pTsd = TlsGetValue(key);
+  if( allocateFlag>0 ){
+    if( !pTsd ){
+      pTsd = sqlite3OsMalloc( sizeof(zeroData) );
+      if( pTsd ){
+        *pTsd = zeroData;
+        TlsSetValue(key, pTsd);
+        TSD_COUNTER_INCR;
+      }
+    }
+  }else if( pTsd!=0 && allocateFlag<0 
+              && memcmp(pTsd, &zeroData, sizeof(ThreadData))==0 ){
+    sqlite3OsFree(pTsd);
+    TlsSetValue(key, 0);
+    TSD_COUNTER_DECR;
+    pTsd = 0;
+  }
+  return pTsd;
+}
+#endif /* OS_WIN */
+
+/************** End of os_win.c **********************************************/
+/************** Begin file pager.c *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This is the implementation of the page cache subsystem or "pager".
+** 
+** The pager is used to access a database disk file.  It implements
+** atomic commit and rollback through the use of a journal file that
+** is separate from the database file.  The pager also implements file
+** locking to prevent two processes from writing the same database
+** file simultaneously, or one process from reading the database while
+** another is writing.
+**
+** @(#) $Id$
+*/
+#ifndef SQLITE_OMIT_DISKIO
+
+/*
+** Macros for troubleshooting.  Normally turned off
+*/
+#if 0
+#define sqlite3DebugPrintf printf
+#define PAGERTRACE1(X)       sqlite3DebugPrintf(X)
+#define PAGERTRACE2(X,Y)     sqlite3DebugPrintf(X,Y)
+#define PAGERTRACE3(X,Y,Z)   sqlite3DebugPrintf(X,Y,Z)
+#define PAGERTRACE4(X,Y,Z,W) sqlite3DebugPrintf(X,Y,Z,W)
+#define PAGERTRACE5(X,Y,Z,W,V) sqlite3DebugPrintf(X,Y,Z,W,V)
+#else
+#define PAGERTRACE1(X)
+#define PAGERTRACE2(X,Y)
+#define PAGERTRACE3(X,Y,Z)
+#define PAGERTRACE4(X,Y,Z,W)
+#define PAGERTRACE5(X,Y,Z,W,V)
+#endif
+
+/*
+** The following two macros are used within the PAGERTRACEX() macros above
+** to print out file-descriptors. 
+**
+** PAGERID() takes a pointer to a Pager struct as it's argument. The
+** associated file-descriptor is returned. FILEHANDLEID() takes an OsFile
+** struct as it's argument.
+*/
+#define PAGERID(p) ((int)(p->fd))
+#define FILEHANDLEID(fd) ((int)fd)
+
+/*
+** The page cache as a whole is always in one of the following
+** states:
+**
+**   PAGER_UNLOCK        The page cache is not currently reading or 
+**                       writing the database file.  There is no
+**                       data held in memory.  This is the initial
+**                       state.
+**
+**   PAGER_SHARED        The page cache is reading the database.
+**                       Writing is not permitted.  There can be
+**                       multiple readers accessing the same database
+**                       file at the same time.
+**
+**   PAGER_RESERVED      This process has reserved the database for writing
+**                       but has not yet made any changes.  Only one process
+**                       at a time can reserve the database.  The original
+**                       database file has not been modified so other
+**                       processes may still be reading the on-disk
+**                       database file.
+**
+**   PAGER_EXCLUSIVE     The page cache is writing the database.
+**                       Access is exclusive.  No other processes or
+**                       threads can be reading or writing while one
+**                       process is writing.
+**
+**   PAGER_SYNCED        The pager moves to this state from PAGER_EXCLUSIVE
+**                       after all dirty pages have been written to the
+**                       database file and the file has been synced to
+**                       disk. All that remains to do is to remove or
+**                       truncate the journal file and the transaction 
+**                       will be committed.
+**
+** The page cache comes up in PAGER_UNLOCK.  The first time a
+** sqlite3PagerGet() occurs, the state transitions to PAGER_SHARED.
+** After all pages have been released using sqlite_page_unref(),
+** the state transitions back to PAGER_UNLOCK.  The first time
+** that sqlite3PagerWrite() is called, the state transitions to
+** PAGER_RESERVED.  (Note that sqlite3PagerWrite() can only be
+** called on an outstanding page which means that the pager must
+** be in PAGER_SHARED before it transitions to PAGER_RESERVED.)
+** PAGER_RESERVED means that there is an open rollback journal.
+** The transition to PAGER_EXCLUSIVE occurs before any changes
+** are made to the database file, though writes to the rollback
+** journal occurs with just PAGER_RESERVED.  After an sqlite3PagerRollback()
+** or sqlite3PagerCommitPhaseTwo(), the state can go back to PAGER_SHARED,
+** or it can stay at PAGER_EXCLUSIVE if we are in exclusive access mode.
+*/
+#define PAGER_UNLOCK      0
+#define PAGER_SHARED      1   /* same as SHARED_LOCK */
+#define PAGER_RESERVED    2   /* same as RESERVED_LOCK */
+#define PAGER_EXCLUSIVE   4   /* same as EXCLUSIVE_LOCK */
+#define PAGER_SYNCED      5
+
+/*
+** If the SQLITE_BUSY_RESERVED_LOCK macro is set to true at compile-time,
+** then failed attempts to get a reserved lock will invoke the busy callback.
+** This is off by default.  To see why, consider the following scenario:
+** 
+** Suppose thread A already has a shared lock and wants a reserved lock.
+** Thread B already has a reserved lock and wants an exclusive lock.  If
+** both threads are using their busy callbacks, it might be a long time
+** be for one of the threads give up and allows the other to proceed.
+** But if the thread trying to get the reserved lock gives up quickly
+** (if it never invokes its busy callback) then the contention will be
+** resolved quickly.
+*/
+#ifndef SQLITE_BUSY_RESERVED_LOCK
+# define SQLITE_BUSY_RESERVED_LOCK 0
+#endif
+
+/*
+** This macro rounds values up so that if the value is an address it
+** is guaranteed to be an address that is aligned to an 8-byte boundary.
+*/
+#define FORCE_ALIGNMENT(X)   (((X)+7)&~7)
+
+/*
+** Each in-memory image of a page begins with the following header.
+** This header is only visible to this pager module.  The client
+** code that calls pager sees only the data that follows the header.
+**
+** Client code should call sqlite3PagerWrite() on a page prior to making
+** any modifications to that page.  The first time sqlite3PagerWrite()
+** is called, the original page contents are written into the rollback
+** journal and PgHdr.inJournal and PgHdr.needSync are set.  Later, once
+** the journal page has made it onto the disk surface, PgHdr.needSync
+** is cleared.  The modified page cannot be written back into the original
+** database file until the journal pages has been synced to disk and the
+** PgHdr.needSync has been cleared.
+**
+** The PgHdr.dirty flag is set when sqlite3PagerWrite() is called and
+** is cleared again when the page content is written back to the original
+** database file.
+*/
+typedef struct PgHdr PgHdr;
+struct PgHdr {
+  Pager *pPager;                 /* The pager to which this page belongs */
+  Pgno pgno;                     /* The page number for this page */
+  PgHdr *pNextHash, *pPrevHash;  /* Hash collision chain for PgHdr.pgno */
+  PgHdr *pNextFree, *pPrevFree;  /* Freelist of pages where nRef==0 */
+  PgHdr *pNextAll;               /* A list of all pages */
+  u8 inJournal;                  /* TRUE if has been written to journal */
+  u8 dirty;                      /* TRUE if we need to write back changes */
+  u8 needSync;                   /* Sync journal before writing this page */
+  u8 alwaysRollback;             /* Disable DontRollback() for this page */
+  u8 needRead;                   /* Read content if PagerWrite() is called */
+  short int nRef;                /* Number of users of this page */
+  PgHdr *pDirty, *pPrevDirty;    /* Dirty pages */
+  u32 notUsed;                   /* Buffer space */
+#ifdef SQLITE_CHECK_PAGES
+  u32 pageHash;
+#endif
+  /* pPager->pageSize bytes of page data follow this header */
+  /* Pager.nExtra bytes of local data follow the page data */
+};
+
+/*
+** For an in-memory only database, some extra information is recorded about
+** each page so that changes can be rolled back.  (Journal files are not
+** used for in-memory databases.)  The following information is added to
+** the end of every EXTRA block for in-memory databases.
+**
+** This information could have been added directly to the PgHdr structure.
+** But then it would take up an extra 8 bytes of storage on every PgHdr
+** even for disk-based databases.  Splitting it out saves 8 bytes.  This
+** is only a savings of 0.8% but those percentages add up.
+*/
+typedef struct PgHistory PgHistory;
+struct PgHistory {
+  u8 *pOrig;     /* Original page text.  Restore to this on a full rollback */
+  u8 *pStmt;     /* Text as it was at the beginning of the current statement */
+  PgHdr *pNextStmt, *pPrevStmt;  /* List of pages in the statement journal */
+  u8 inStmt;                     /* TRUE if in the statement subjournal */
+};
+
+/*
+** A macro used for invoking the codec if there is one
+*/
+#ifdef SQLITE_HAS_CODEC
+# define CODEC1(P,D,N,X) if( P->xCodec!=0 ){ P->xCodec(P->pCodecArg,D,N,X); }
+# define CODEC2(P,D,N,X) ((char*)(P->xCodec!=0?P->xCodec(P->pCodecArg,D,N,X):D))
+#else
+# define CODEC1(P,D,N,X) /* NO-OP */
+# define CODEC2(P,D,N,X) ((char*)D)
+#endif
+
+/*
+** Convert a pointer to a PgHdr into a pointer to its data
+** and back again.
+*/
+#define PGHDR_TO_DATA(P)  ((void*)(&(P)[1]))
+#define DATA_TO_PGHDR(D)  (&((PgHdr*)(D))[-1])
+#define PGHDR_TO_EXTRA(G,P) ((void*)&((char*)(&(G)[1]))[(P)->pageSize])
+#define PGHDR_TO_HIST(P,PGR)  \
+            ((PgHistory*)&((char*)(&(P)[1]))[(PGR)->pageSize+(PGR)->nExtra])
+
+/*
+** A open page cache is an instance of the following structure.
+**
+** Pager.errCode may be set to SQLITE_IOERR, SQLITE_CORRUPT, or
+** or SQLITE_FULL. Once one of the first three errors occurs, it persists
+** and is returned as the result of every major pager API call.  The
+** SQLITE_FULL return code is slightly different. It persists only until the
+** next successful rollback is performed on the pager cache. Also,
+** SQLITE_FULL does not affect the sqlite3PagerGet() and sqlite3PagerLookup()
+** APIs, they may still be used successfully.
+*/
+struct Pager {
+  u8 journalOpen;             /* True if journal file descriptors is valid */
+  u8 journalStarted;          /* True if header of journal is synced */
+  u8 useJournal;              /* Use a rollback journal on this file */
+  u8 noReadlock;              /* Do not bother to obtain readlocks */
+  u8 stmtOpen;                /* True if the statement subjournal is open */
+  u8 stmtInUse;               /* True we are in a statement subtransaction */
+  u8 stmtAutoopen;            /* Open stmt journal when main journal is opened*/
+  u8 noSync;                  /* Do not sync the journal if true */
+  u8 fullSync;                /* Do extra syncs of the journal for robustness */
+  u8 full_fsync;              /* Use F_FULLFSYNC when available */
+  u8 state;                   /* PAGER_UNLOCK, _SHARED, _RESERVED, etc. */
+  u8 tempFile;                /* zFilename is a temporary file */
+  u8 readOnly;                /* True for a read-only database */
+  u8 needSync;                /* True if an fsync() is needed on the journal */
+  u8 dirtyCache;              /* True if cached pages have changed */
+  u8 alwaysRollback;          /* Disable DontRollback() for all pages */
+  u8 memDb;                   /* True to inhibit all file I/O */
+  u8 setMaster;               /* True if a m-j name has been written to jrnl */
+  u8 doNotSync;               /* Boolean. While true, do not spill the cache */
+  u8 exclusiveMode;           /* Boolean. True if locking_mode==EXCLUSIVE */
+  u8 changeCountDone;         /* Set after incrementing the change-counter */
+  int errCode;                /* One of several kinds of errors */
+  int dbSize;                 /* Number of pages in the file */
+  int origDbSize;             /* dbSize before the current change */
+  int stmtSize;               /* Size of database (in pages) at stmt_begin() */
+  int nRec;                   /* Number of pages written to the journal */
+  u32 cksumInit;              /* Quasi-random value added to every checksum */
+  int stmtNRec;               /* Number of records in stmt subjournal */
+  int nExtra;                 /* Add this many bytes to each in-memory page */
+  int pageSize;               /* Number of bytes in a page */
+  int nPage;                  /* Total number of in-memory pages */
+  int nMaxPage;               /* High water mark of nPage */
+  int nRef;                   /* Number of in-memory pages with PgHdr.nRef>0 */
+  int mxPage;                 /* Maximum number of pages to hold in cache */
+  u8 *aInJournal;             /* One bit for each page in the database file */
+  u8 *aInStmt;                /* One bit for each page in the database */
+  char *zFilename;            /* Name of the database file */
+  char *zJournal;             /* Name of the journal file */
+  char *zDirectory;           /* Directory hold database and journal files */
+  OsFile *fd, *jfd;           /* File descriptors for database and journal */
+  OsFile *stfd;               /* File descriptor for the statement subjournal*/
+  BusyHandler *pBusyHandler;  /* Pointer to sqlite.busyHandler */
+  PgHdr *pFirst, *pLast;      /* List of free pages */
+  PgHdr *pFirstSynced;        /* First free page with PgHdr.needSync==0 */
+  PgHdr *pAll;                /* List of all pages */
+  PgHdr *pStmt;               /* List of pages in the statement subjournal */
+  PgHdr *pDirty;              /* List of all dirty pages */
+  i64 journalOff;             /* Current byte offset in the journal file */
+  i64 journalHdr;             /* Byte offset to previous journal header */
+  i64 stmtHdrOff;             /* First journal header written this statement */
+  i64 stmtCksum;              /* cksumInit when statement was started */
+  i64 stmtJSize;              /* Size of journal at stmt_begin() */
+  int sectorSize;             /* Assumed sector size during rollback */
+#ifdef SQLITE_TEST
+  int nHit, nMiss;            /* Cache hits and missing */
+  int nRead, nWrite;          /* Database pages read/written */
+#endif
+  void (*xDestructor)(DbPage*,int); /* Call this routine when freeing pages */
+  void (*xReiniter)(DbPage*,int);   /* Call this routine when reloading pages */
+#ifdef SQLITE_HAS_CODEC
+  void *(*xCodec)(void*,void*,Pgno,int); /* Routine for en/decoding data */
+  void *pCodecArg;            /* First argument to xCodec() */
+#endif
+  int nHash;                  /* Size of the pager hash table */
+  PgHdr **aHash;              /* Hash table to map page number to PgHdr */
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  Pager *pNext;               /* Linked list of pagers in this thread */
+#endif
+  char *pTmpSpace;            /* Pager.pageSize bytes of space for tmp use */
+  char dbFileVers[16];        /* Changes whenever database file changes */
+};
+
+/*
+** The following global variables hold counters used for
+** testing purposes only.  These variables do not exist in
+** a non-testing build.  These variables are not thread-safe.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_pager_readdb_count = 0;    /* Number of full pages read from DB */
+int sqlite3_pager_writedb_count = 0;   /* Number of full pages written to DB */
+int sqlite3_pager_writej_count = 0;    /* Number of pages written to journal */
+int sqlite3_pager_pgfree_count = 0;    /* Number of cache pages freed */
+# define PAGER_INCR(v)  v++
+#else
+# define PAGER_INCR(v)
+#endif
+
+
+
+/*
+** Journal files begin with the following magic string.  The data
+** was obtained from /dev/random.  It is used only as a sanity check.
+**
+** Since version 2.8.0, the journal format contains additional sanity
+** checking information.  If the power fails while the journal is begin
+** written, semi-random garbage data might appear in the journal
+** file after power is restored.  If an attempt is then made
+** to roll the journal back, the database could be corrupted.  The additional
+** sanity checking data is an attempt to discover the garbage in the
+** journal and ignore it.
+**
+** The sanity checking information for the new journal format consists
+** of a 32-bit checksum on each page of data.  The checksum covers both
+** the page number and the pPager->pageSize bytes of data for the page.
+** This cksum is initialized to a 32-bit random value that appears in the
+** journal file right after the header.  The random initializer is important,
+** because garbage data that appears at the end of a journal is likely
+** data that was once in other files that have now been deleted.  If the
+** garbage data came from an obsolete journal file, the checksums might
+** be correct.  But by initializing the checksum to random value which
+** is different for every journal, we minimize that risk.
+*/
+static const unsigned char aJournalMagic[] = {
+  0xd9, 0xd5, 0x05, 0xf9, 0x20, 0xa1, 0x63, 0xd7,
+};
+
+/*
+** The size of the header and of each page in the journal is determined
+** by the following macros.
+*/
+#define JOURNAL_PG_SZ(pPager)  ((pPager->pageSize) + 8)
+
+/*
+** The journal header size for this pager. In the future, this could be
+** set to some value read from the disk controller. The important
+** characteristic is that it is the same size as a disk sector.
+*/
+#define JOURNAL_HDR_SZ(pPager) (pPager->sectorSize)
+
+/*
+** The macro MEMDB is true if we are dealing with an in-memory database.
+** We do this as a macro so that if the SQLITE_OMIT_MEMORYDB macro is set,
+** the value of MEMDB will be a constant and the compiler will optimize
+** out code that would never execute.
+*/
+#ifdef SQLITE_OMIT_MEMORYDB
+# define MEMDB 0
+#else
+# define MEMDB pPager->memDb
+#endif
+
+/*
+** Page number PAGER_MJ_PGNO is never used in an SQLite database (it is
+** reserved for working around a windows/posix incompatibility). It is
+** used in the journal to signify that the remainder of the journal file 
+** is devoted to storing a master journal name - there are no more pages to
+** roll back. See comments for function writeMasterJournal() for details.
+*/
+/* #define PAGER_MJ_PGNO(x) (PENDING_BYTE/((x)->pageSize)) */
+#define PAGER_MJ_PGNO(x) ((PENDING_BYTE/((x)->pageSize))+1)
+
+/*
+** The maximum legal page number is (2^31 - 1).
+*/
+#define PAGER_MAX_PGNO 2147483647
+
+/*
+** Enable reference count tracking (for debugging) here:
+*/
+#ifdef SQLITE_DEBUG
+  int pager3_refinfo_enable = 0;
+  static void pager_refinfo(PgHdr *p){
+    static int cnt = 0;
+    if( !pager3_refinfo_enable ) return;
+    sqlite3DebugPrintf(
+       "REFCNT: %4d addr=%p nRef=%-3d total=%d\n",
+       p->pgno, PGHDR_TO_DATA(p), p->nRef, p->pPager->nRef
+    );
+    cnt++;   /* Something to set a breakpoint on */
+  }
+# define REFINFO(X)  pager_refinfo(X)
+#else
+# define REFINFO(X)
+#endif
+
+/*
+** Return true if page *pPg has already been written to the statement
+** journal (or statement snapshot has been created, if *pPg is part
+** of an in-memory database).
+*/
+static int pageInStatement(PgHdr *pPg){
+  Pager *pPager = pPg->pPager;
+  if( MEMDB ){
+    return PGHDR_TO_HIST(pPg, pPager)->inStmt;
+  }else{
+    Pgno pgno = pPg->pgno;
+    u8 *a = pPager->aInStmt;
+    return (a && (int)pgno<=pPager->stmtSize && (a[pgno/8] & (1<<(pgno&7))));
+  }
+}
+
+/*
+** Change the size of the pager hash table to N.  N must be a power
+** of two.
+*/
+static void pager_resize_hash_table(Pager *pPager, int N){
+  PgHdr **aHash, *pPg;
+  assert( N>0 && (N&(N-1))==0 );
+  aHash = sqliteMalloc( sizeof(aHash[0])*N );
+  if( aHash==0 ){
+    /* Failure to rehash is not an error.  It is only a performance hit. */
+    return;
+  }
+  sqliteFree(pPager->aHash);
+  pPager->nHash = N;
+  pPager->aHash = aHash;
+  for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+    int h;
+    if( pPg->pgno==0 ){
+      assert( pPg->pNextHash==0 && pPg->pPrevHash==0 );
+      continue;
+    }
+    h = pPg->pgno & (N-1);
+    pPg->pNextHash = aHash[h];
+    if( aHash[h] ){
+      aHash[h]->pPrevHash = pPg;
+    }
+    aHash[h] = pPg;
+    pPg->pPrevHash = 0;
+  }
+}
+
+/*
+** Read a 32-bit integer from the given file descriptor.  Store the integer
+** that is read in *pRes.  Return SQLITE_OK if everything worked, or an
+** error code is something goes wrong.
+**
+** All values are stored on disk as big-endian.
+*/
+static int read32bits(OsFile *fd, u32 *pRes){
+  unsigned char ac[4];
+  int rc = sqlite3OsRead(fd, ac, sizeof(ac));
+  if( rc==SQLITE_OK ){
+    *pRes = (ac[0]<<24) | (ac[1]<<16) | (ac[2]<<8) | ac[3];
+  }
+  return rc;
+}
+
+/*
+** Write a 32-bit integer into a string buffer in big-endian byte order.
+*/
+static void put32bits(char *ac, u32 val){
+  ac[0] = (val>>24) & 0xff;
+  ac[1] = (val>>16) & 0xff;
+  ac[2] = (val>>8) & 0xff;
+  ac[3] = val & 0xff;
+}
+
+/*
+** Write a 32-bit integer into the given file descriptor.  Return SQLITE_OK
+** on success or an error code is something goes wrong.
+*/
+static int write32bits(OsFile *fd, u32 val){
+  char ac[4];
+  put32bits(ac, val);
+  return sqlite3OsWrite(fd, ac, 4);
+}
+
+/*
+** Read a 32-bit integer at offset 'offset' from the page identified by
+** page header 'p'.
+*/
+static u32 retrieve32bits(PgHdr *p, int offset){
+  unsigned char *ac;
+  ac = &((unsigned char*)PGHDR_TO_DATA(p))[offset];
+  return (ac[0]<<24) | (ac[1]<<16) | (ac[2]<<8) | ac[3];
+}
+
+
+/*
+** This function should be called when an error occurs within the pager
+** code. The first argument is a pointer to the pager structure, the
+** second the error-code about to be returned by a pager API function. 
+** The value returned is a copy of the second argument to this function. 
+**
+** If the second argument is SQLITE_IOERR, SQLITE_CORRUPT, or SQLITE_FULL
+** the error becomes persistent. All subsequent API calls on this Pager
+** will immediately return the same error code.
+*/
+static int pager_error(Pager *pPager, int rc){
+  int rc2 = rc & 0xff;
+  assert( pPager->errCode==SQLITE_FULL || pPager->errCode==SQLITE_OK );
+  if(
+    rc2==SQLITE_FULL ||
+    rc2==SQLITE_IOERR ||
+    rc2==SQLITE_CORRUPT
+  ){
+    pPager->errCode = rc;
+  }
+  return rc;
+}
+
+#ifdef SQLITE_CHECK_PAGES
+/*
+** Return a 32-bit hash of the page data for pPage.
+*/
+static u32 pager_pagehash(PgHdr *pPage){
+  u32 hash = 0;
+  int i;
+  unsigned char *pData = (unsigned char *)PGHDR_TO_DATA(pPage);
+  for(i=0; i<pPage->pPager->pageSize; i++){
+    hash = (hash+i)^pData[i];
+  }
+  return hash;
+}
+
+/*
+** The CHECK_PAGE macro takes a PgHdr* as an argument. If SQLITE_CHECK_PAGES
+** is defined, and NDEBUG is not defined, an assert() statement checks
+** that the page is either dirty or still matches the calculated page-hash.
+*/
+#define CHECK_PAGE(x) checkPage(x)
+static void checkPage(PgHdr *pPg){
+  Pager *pPager = pPg->pPager;
+  assert( !pPg->pageHash || pPager->errCode || MEMDB || pPg->dirty || 
+      pPg->pageHash==pager_pagehash(pPg) );
+}
+
+#else
+#define CHECK_PAGE(x)
+#endif
+
+/*
+** When this is called the journal file for pager pPager must be open.
+** The master journal file name is read from the end of the file and 
+** written into memory obtained from sqliteMalloc(). *pzMaster is
+** set to point at the memory and SQLITE_OK returned. The caller must
+** sqliteFree() *pzMaster.
+**
+** If no master journal file name is present *pzMaster is set to 0 and
+** SQLITE_OK returned.
+*/
+static int readMasterJournal(OsFile *pJrnl, char **pzMaster){
+  int rc;
+  u32 len;
+  i64 szJ;
+  u32 cksum;
+  int i;
+  unsigned char aMagic[8]; /* A buffer to hold the magic header */
+
+  *pzMaster = 0;
+
+  rc = sqlite3OsFileSize(pJrnl, &szJ);
+  if( rc!=SQLITE_OK || szJ<16 ) return rc;
+
+  rc = sqlite3OsSeek(pJrnl, szJ-16);
+  if( rc!=SQLITE_OK ) return rc;
+ 
+  rc = read32bits(pJrnl, &len);
+  if( rc!=SQLITE_OK ) return rc;
+
+  rc = read32bits(pJrnl, &cksum);
+  if( rc!=SQLITE_OK ) return rc;
+
+  rc = sqlite3OsRead(pJrnl, aMagic, 8);
+  if( rc!=SQLITE_OK || memcmp(aMagic, aJournalMagic, 8) ) return rc;
+
+  rc = sqlite3OsSeek(pJrnl, szJ-16-len);
+  if( rc!=SQLITE_OK ) return rc;
+
+  *pzMaster = (char *)sqliteMalloc(len+1);
+  if( !*pzMaster ){
+    return SQLITE_NOMEM;
+  }
+  rc = sqlite3OsRead(pJrnl, *pzMaster, len);
+  if( rc!=SQLITE_OK ){
+    sqliteFree(*pzMaster);
+    *pzMaster = 0;
+    return rc;
+  }
+
+  /* See if the checksum matches the master journal name */
+  for(i=0; i<len; i++){
+    cksum -= (*pzMaster)[i];
+  }
+  if( cksum ){
+    /* If the checksum doesn't add up, then one or more of the disk sectors
+    ** containing the master journal filename is corrupted. This means
+    ** definitely roll back, so just return SQLITE_OK and report a (nul)
+    ** master-journal filename.
+    */
+    sqliteFree(*pzMaster);
+    *pzMaster = 0;
+  }else{
+    (*pzMaster)[len] = '\0';
+  }
+   
+  return SQLITE_OK;
+}
+
+/*
+** Seek the journal file descriptor to the next sector boundary where a
+** journal header may be read or written. Pager.journalOff is updated with
+** the new seek offset.
+**
+** i.e for a sector size of 512:
+**
+** Input Offset              Output Offset
+** ---------------------------------------
+** 0                         0
+** 512                       512
+** 100                       512
+** 2000                      2048
+** 
+*/
+static int seekJournalHdr(Pager *pPager){
+  i64 offset = 0;
+  i64 c = pPager->journalOff;
+  if( c ){
+    offset = ((c-1)/JOURNAL_HDR_SZ(pPager) + 1) * JOURNAL_HDR_SZ(pPager);
+  }
+  assert( offset%JOURNAL_HDR_SZ(pPager)==0 );
+  assert( offset>=c );
+  assert( (offset-c)<JOURNAL_HDR_SZ(pPager) );
+  pPager->journalOff = offset;
+  return sqlite3OsSeek(pPager->jfd, pPager->journalOff);
+}
+
+/*
+** The journal file must be open when this routine is called. A journal
+** header (JOURNAL_HDR_SZ bytes) is written into the journal file at the
+** current location.
+**
+** The format for the journal header is as follows:
+** - 8 bytes: Magic identifying journal format.
+** - 4 bytes: Number of records in journal, or -1 no-sync mode is on.
+** - 4 bytes: Random number used for page hash.
+** - 4 bytes: Initial database page count.
+** - 4 bytes: Sector size used by the process that wrote this journal.
+** 
+** Followed by (JOURNAL_HDR_SZ - 24) bytes of unused space.
+*/
+static int writeJournalHdr(Pager *pPager){
+  char zHeader[sizeof(aJournalMagic)+16];
+  int rc;
+
+  if( pPager->stmtHdrOff==0 ){
+    pPager->stmtHdrOff = pPager->journalOff;
+  }
+
+  rc = seekJournalHdr(pPager);
+  if( rc ) return rc;
+
+  pPager->journalHdr = pPager->journalOff;
+  pPager->journalOff += JOURNAL_HDR_SZ(pPager);
+
+  /* FIX ME: 
+  **
+  ** Possibly for a pager not in no-sync mode, the journal magic should not
+  ** be written until nRec is filled in as part of next syncJournal(). 
+  **
+  ** Actually maybe the whole journal header should be delayed until that
+  ** point. Think about this.
+  */
+  memcpy(zHeader, aJournalMagic, sizeof(aJournalMagic));
+  /* The nRec Field. 0xFFFFFFFF for no-sync journals. */
+  put32bits(&zHeader[sizeof(aJournalMagic)], pPager->noSync ? 0xffffffff : 0);
+  /* The random check-hash initialiser */ 
+  sqlite3Randomness(sizeof(pPager->cksumInit), &pPager->cksumInit);
+  put32bits(&zHeader[sizeof(aJournalMagic)+4], pPager->cksumInit);
+  /* The initial database size */
+  put32bits(&zHeader[sizeof(aJournalMagic)+8], pPager->dbSize);
+  /* The assumed sector size for this process */
+  put32bits(&zHeader[sizeof(aJournalMagic)+12], pPager->sectorSize);
+  IOTRACE(("JHDR %p %lld %d\n", pPager, pPager->journalHdr, sizeof(zHeader)))
+  rc = sqlite3OsWrite(pPager->jfd, zHeader, sizeof(zHeader));
+
+  /* The journal header has been written successfully. Seek the journal
+  ** file descriptor to the end of the journal header sector.
+  */
+  if( rc==SQLITE_OK ){
+    IOTRACE(("JTAIL %p %lld\n", pPager, pPager->journalOff-1))
+    rc = sqlite3OsSeek(pPager->jfd, pPager->journalOff-1);
+    if( rc==SQLITE_OK ){
+      rc = sqlite3OsWrite(pPager->jfd, "\000", 1);
+    }
+  }
+  return rc;
+}
+
+/*
+** The journal file must be open when this is called. A journal header file
+** (JOURNAL_HDR_SZ bytes) is read from the current location in the journal
+** file. See comments above function writeJournalHdr() for a description of
+** the journal header format.
+**
+** If the header is read successfully, *nRec is set to the number of
+** page records following this header and *dbSize is set to the size of the
+** database before the transaction began, in pages. Also, pPager->cksumInit
+** is set to the value read from the journal header. SQLITE_OK is returned
+** in this case.
+**
+** If the journal header file appears to be corrupted, SQLITE_DONE is
+** returned and *nRec and *dbSize are not set.  If JOURNAL_HDR_SZ bytes
+** cannot be read from the journal file an error code is returned.
+*/
+static int readJournalHdr(
+  Pager *pPager, 
+  i64 journalSize,
+  u32 *pNRec, 
+  u32 *pDbSize
+){
+  int rc;
+  unsigned char aMagic[8]; /* A buffer to hold the magic header */
+
+  rc = seekJournalHdr(pPager);
+  if( rc ) return rc;
+
+  if( pPager->journalOff+JOURNAL_HDR_SZ(pPager) > journalSize ){
+    return SQLITE_DONE;
+  }
+
+  rc = sqlite3OsRead(pPager->jfd, aMagic, sizeof(aMagic));
+  if( rc ) return rc;
+
+  if( memcmp(aMagic, aJournalMagic, sizeof(aMagic))!=0 ){
+    return SQLITE_DONE;
+  }
+
+  rc = read32bits(pPager->jfd, pNRec);
+  if( rc ) return rc;
+
+  rc = read32bits(pPager->jfd, &pPager->cksumInit);
+  if( rc ) return rc;
+
+  rc = read32bits(pPager->jfd, pDbSize);
+  if( rc ) return rc;
+
+  /* Update the assumed sector-size to match the value used by 
+  ** the process that created this journal. If this journal was
+  ** created by a process other than this one, then this routine
+  ** is being called from within pager_playback(). The local value
+  ** of Pager.sectorSize is restored at the end of that routine.
+  */
+  rc = read32bits(pPager->jfd, (u32 *)&pPager->sectorSize);
+  if( rc ) return rc;
+
+  pPager->journalOff += JOURNAL_HDR_SZ(pPager);
+  rc = sqlite3OsSeek(pPager->jfd, pPager->journalOff);
+  return rc;
+}
+
+
+/*
+** Write the supplied master journal name into the journal file for pager
+** pPager at the current location. The master journal name must be the last
+** thing written to a journal file. If the pager is in full-sync mode, the
+** journal file descriptor is advanced to the next sector boundary before
+** anything is written. The format is:
+**
+** + 4 bytes: PAGER_MJ_PGNO.
+** + N bytes: length of master journal name.
+** + 4 bytes: N
+** + 4 bytes: Master journal name checksum.
+** + 8 bytes: aJournalMagic[].
+**
+** The master journal page checksum is the sum of the bytes in the master
+** journal name.
+**
+** If zMaster is a NULL pointer (occurs for a single database transaction), 
+** this call is a no-op.
+*/
+static int writeMasterJournal(Pager *pPager, const char *zMaster){
+  int rc;
+  int len; 
+  int i; 
+  u32 cksum = 0;
+  char zBuf[sizeof(aJournalMagic)+2*4];
+
+  if( !zMaster || pPager->setMaster) return SQLITE_OK;
+  pPager->setMaster = 1;
+
+  len = strlen(zMaster);
+  for(i=0; i<len; i++){
+    cksum += zMaster[i];
+  }
+
+  /* If in full-sync mode, advance to the next disk sector before writing
+  ** the master journal name. This is in case the previous page written to
+  ** the journal has already been synced.
+  */
+  if( pPager->fullSync ){
+    rc = seekJournalHdr(pPager);
+    if( rc!=SQLITE_OK ) return rc;
+  }
+  pPager->journalOff += (len+20);
+
+  rc = write32bits(pPager->jfd, PAGER_MJ_PGNO(pPager));
+  if( rc!=SQLITE_OK ) return rc;
+
+  rc = sqlite3OsWrite(pPager->jfd, zMaster, len);
+  if( rc!=SQLITE_OK ) return rc;
+
+  put32bits(zBuf, len);
+  put32bits(&zBuf[4], cksum);
+  memcpy(&zBuf[8], aJournalMagic, sizeof(aJournalMagic));
+  rc = sqlite3OsWrite(pPager->jfd, zBuf, 8+sizeof(aJournalMagic));
+  pPager->needSync = !pPager->noSync;
+  return rc;
+}
+
+/*
+** Add or remove a page from the list of all pages that are in the
+** statement journal.
+**
+** The Pager keeps a separate list of pages that are currently in
+** the statement journal.  This helps the sqlite3PagerStmtCommit()
+** routine run MUCH faster for the common case where there are many
+** pages in memory but only a few are in the statement journal.
+*/
+static void page_add_to_stmt_list(PgHdr *pPg){
+  Pager *pPager = pPg->pPager;
+  PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+  assert( MEMDB );
+  if( !pHist->inStmt ){
+    assert( pHist->pPrevStmt==0 && pHist->pNextStmt==0 );
+    if( pPager->pStmt ){
+      PGHDR_TO_HIST(pPager->pStmt, pPager)->pPrevStmt = pPg;
+    }
+    pHist->pNextStmt = pPager->pStmt;
+    pPager->pStmt = pPg;
+    pHist->inStmt = 1;
+  }
+}
+
+/*
+** Find a page in the hash table given its page number.  Return
+** a pointer to the page or NULL if not found.
+*/
+static PgHdr *pager_lookup(Pager *pPager, Pgno pgno){
+  PgHdr *p;
+  if( pPager->aHash==0 ) return 0;
+  p = pPager->aHash[pgno & (pPager->nHash-1)];
+  while( p && p->pgno!=pgno ){
+    p = p->pNextHash;
+  }
+  return p;
+}
+
+/*
+** Unlock the database file.
+*/
+static void pager_unlock(Pager *pPager){
+  if( !pPager->exclusiveMode ){
+    if( !MEMDB ){
+      sqlite3OsUnlock(pPager->fd, NO_LOCK);
+      pPager->dbSize = -1;
+      IOTRACE(("UNLOCK %p\n", pPager))
+    }
+    pPager->state = PAGER_UNLOCK;
+    pPager->changeCountDone = 0;
+  }
+}
+
+/*
+** Execute a rollback if a transaction is active and unlock the 
+** database file. This is a no-op if the pager has already entered
+** the error-state.
+*/
+static void pagerUnlockAndRollback(Pager *p){
+  if( p->errCode ) return;
+  assert( p->state>=PAGER_RESERVED || p->journalOpen==0 );
+  if( p->state>=PAGER_RESERVED ){
+    sqlite3PagerRollback(p);
+  }
+  pager_unlock(p);
+  assert( p->errCode || !p->journalOpen || (p->exclusiveMode&&!p->journalOff) );
+  assert( p->errCode || !p->stmtOpen || p->exclusiveMode );
+}
+
+
+/*
+** Clear the in-memory cache.  This routine
+** sets the state of the pager back to what it was when it was first
+** opened.  Any outstanding pages are invalidated and subsequent attempts
+** to access those pages will likely result in a coredump.
+*/
+static void pager_reset(Pager *pPager){
+  PgHdr *pPg, *pNext;
+  if( pPager->errCode ) return;
+  for(pPg=pPager->pAll; pPg; pPg=pNext){
+    IOTRACE(("PGFREE %p %d\n", pPager, pPg->pgno));
+    PAGER_INCR(sqlite3_pager_pgfree_count);
+    pNext = pPg->pNextAll;
+    sqliteFree(pPg);
+  }
+  pPager->pStmt = 0;
+  pPager->pFirst = 0;
+  pPager->pFirstSynced = 0;
+  pPager->pLast = 0;
+  pPager->pAll = 0;
+  pPager->nHash = 0;
+  sqliteFree(pPager->aHash);
+  pPager->nPage = 0;
+  pPager->aHash = 0;
+  pPager->nRef = 0;
+}
+
+/*
+** This routine ends a transaction.  A transaction is ended by either
+** a COMMIT or a ROLLBACK.
+**
+** When this routine is called, the pager has the journal file open and
+** a RESERVED or EXCLUSIVE lock on the database.  This routine will release
+** the database lock and acquires a SHARED lock in its place if that is
+** the appropriate thing to do.  Release locks usually is appropriate,
+** unless we are in exclusive access mode or unless this is a 
+** COMMIT AND BEGIN or ROLLBACK AND BEGIN operation.
+**
+** The journal file is either deleted or truncated.
+**
+** TODO: Consider keeping the journal file open for temporary databases.
+** This might give a performance improvement on windows where opening
+** a file is an expensive operation.
+*/
+static int pager_end_transaction(Pager *pPager){
+  PgHdr *pPg;
+  int rc = SQLITE_OK;
+  int rc2 = SQLITE_OK;
+  assert( !MEMDB );
+  if( pPager->state<PAGER_RESERVED ){
+    return SQLITE_OK;
+  }
+  sqlite3PagerStmtCommit(pPager);
+  if( pPager->stmtOpen && !pPager->exclusiveMode ){
+    sqlite3OsClose(&pPager->stfd);
+    pPager->stmtOpen = 0;
+  }
+  if( pPager->journalOpen ){
+    if( pPager->exclusiveMode 
+          && (rc = sqlite3OsTruncate(pPager->jfd, 0))==SQLITE_OK ){;
+      sqlite3OsSeek(pPager->jfd, 0);
+      pPager->journalOff = 0;
+      pPager->journalStarted = 0;
+    }else{
+      sqlite3OsClose(&pPager->jfd);
+      pPager->journalOpen = 0;
+      if( rc==SQLITE_OK ){
+        rc = sqlite3OsDelete(pPager->zJournal);
+      }
+    }
+    sqliteFree( pPager->aInJournal );
+    pPager->aInJournal = 0;
+    for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+      pPg->inJournal = 0;
+      pPg->dirty = 0;
+      pPg->needSync = 0;
+      pPg->alwaysRollback = 0;
+#ifdef SQLITE_CHECK_PAGES
+      pPg->pageHash = pager_pagehash(pPg);
+#endif
+    }
+    pPager->pDirty = 0;
+    pPager->dirtyCache = 0;
+    pPager->nRec = 0;
+  }else{
+    assert( pPager->aInJournal==0 );
+    assert( pPager->dirtyCache==0 || pPager->useJournal==0 );
+  }
+
+  if( !pPager->exclusiveMode ){
+    rc2 = sqlite3OsUnlock(pPager->fd, SHARED_LOCK);
+    pPager->state = PAGER_SHARED;
+  }else if( pPager->state==PAGER_SYNCED ){
+    pPager->state = PAGER_EXCLUSIVE;
+  }
+  pPager->origDbSize = 0;
+  pPager->setMaster = 0;
+  pPager->needSync = 0;
+  pPager->pFirstSynced = pPager->pFirst;
+  pPager->dbSize = -1;
+
+  return (rc==SQLITE_OK?rc2:rc);
+}
+
+/*
+** Compute and return a checksum for the page of data.
+**
+** This is not a real checksum.  It is really just the sum of the 
+** random initial value and the page number.  We experimented with
+** a checksum of the entire data, but that was found to be too slow.
+**
+** Note that the page number is stored at the beginning of data and
+** the checksum is stored at the end.  This is important.  If journal
+** corruption occurs due to a power failure, the most likely scenario
+** is that one end or the other of the record will be changed.  It is
+** much less likely that the two ends of the journal record will be
+** correct and the middle be corrupt.  Thus, this "checksum" scheme,
+** though fast and simple, catches the mostly likely kind of corruption.
+**
+** FIX ME:  Consider adding every 200th (or so) byte of the data to the
+** checksum.  That way if a single page spans 3 or more disk sectors and
+** only the middle sector is corrupt, we will still have a reasonable
+** chance of failing the checksum and thus detecting the problem.
+*/
+static u32 pager_cksum(Pager *pPager, const u8 *aData){
+  u32 cksum = pPager->cksumInit;
+  int i = pPager->pageSize-200;
+  while( i>0 ){
+    cksum += aData[i];
+    i -= 200;
+  }
+  return cksum;
+}
+
+/* Forward declaration */
+static void makeClean(PgHdr*);
+
+/*
+** Read a single page from the journal file opened on file descriptor
+** jfd.  Playback this one page.
+**
+** If useCksum==0 it means this journal does not use checksums.  Checksums
+** are not used in statement journals because statement journals do not
+** need to survive power failures.
+*/
+static int pager_playback_one_page(Pager *pPager, OsFile *jfd, int useCksum){
+  int rc;
+  PgHdr *pPg;                   /* An existing page in the cache */
+  Pgno pgno;                    /* The page number of a page in journal */
+  u32 cksum;                    /* Checksum used for sanity checking */
+  u8 *aData = (u8 *)pPager->pTmpSpace;   /* Temp storage for a page */
+
+  /* useCksum should be true for the main journal and false for
+  ** statement journals.  Verify that this is always the case
+  */
+  assert( jfd == (useCksum ? pPager->jfd : pPager->stfd) );
+  assert( aData );
+
+  rc = read32bits(jfd, &pgno);
+  if( rc!=SQLITE_OK ) return rc;
+  rc = sqlite3OsRead(jfd, aData, pPager->pageSize);
+  if( rc!=SQLITE_OK ) return rc;
+  pPager->journalOff += pPager->pageSize + 4;
+
+  /* Sanity checking on the page.  This is more important that I originally
+  ** thought.  If a power failure occurs while the journal is being written,
+  ** it could cause invalid data to be written into the journal.  We need to
+  ** detect this invalid data (with high probability) and ignore it.
+  */
+  if( pgno==0 || pgno==PAGER_MJ_PGNO(pPager) ){
+    return SQLITE_DONE;
+  }
+  if( pgno>(unsigned)pPager->dbSize ){
+    return SQLITE_OK;
+  }
+  if( useCksum ){
+    rc = read32bits(jfd, &cksum);
+    if( rc ) return rc;
+    pPager->journalOff += 4;
+    if( pager_cksum(pPager, aData)!=cksum ){
+      return SQLITE_DONE;
+    }
+  }
+
+  assert( pPager->state==PAGER_RESERVED || pPager->state>=PAGER_EXCLUSIVE );
+
+  /* If the pager is in RESERVED state, then there must be a copy of this
+  ** page in the pager cache. In this case just update the pager cache,
+  ** not the database file. The page is left marked dirty in this case.
+  **
+  ** If in EXCLUSIVE state, then we update the pager cache if it exists
+  ** and the main file. The page is then marked not dirty.
+  **
+  ** Ticket #1171:  The statement journal might contain page content that is
+  ** different from the page content at the start of the transaction.
+  ** This occurs when a page is changed prior to the start of a statement
+  ** then changed again within the statement.  When rolling back such a
+  ** statement we must not write to the original database unless we know
+  ** for certain that original page contents are in the main rollback
+  ** journal.  Otherwise, if a full ROLLBACK occurs after the statement
+  ** rollback the full ROLLBACK will not restore the page to its original
+  ** content.  Two conditions must be met before writing to the database
+  ** files. (1) the database must be locked.  (2) we know that the original
+  ** page content is in the main journal either because the page is not in
+  ** cache or else it is marked as needSync==0.
+  */
+  pPg = pager_lookup(pPager, pgno);
+  assert( pPager->state>=PAGER_EXCLUSIVE || pPg!=0 );
+  PAGERTRACE3("PLAYBACK %d page %d\n", PAGERID(pPager), pgno);
+  if( pPager->state>=PAGER_EXCLUSIVE && (pPg==0 || pPg->needSync==0) ){
+    rc = sqlite3OsSeek(pPager->fd, (pgno-1)*(i64)pPager->pageSize);
+    if( rc==SQLITE_OK ){
+      rc = sqlite3OsWrite(pPager->fd, aData, pPager->pageSize);
+    }
+    if( pPg ){
+      makeClean(pPg);
+    }
+  }
+  if( pPg ){
+    /* No page should ever be explicitly rolled back that is in use, except
+    ** for page 1 which is held in use in order to keep the lock on the
+    ** database active. However such a page may be rolled back as a result
+    ** of an internal error resulting in an automatic call to
+    ** sqlite3PagerRollback().
+    */
+    void *pData;
+    /* assert( pPg->nRef==0 || pPg->pgno==1 ); */
+    pData = PGHDR_TO_DATA(pPg);
+    memcpy(pData, aData, pPager->pageSize);
+    if( pPager->xReiniter ){
+      pPager->xReiniter(pPg, pPager->pageSize);
+    }
+#ifdef SQLITE_CHECK_PAGES
+    pPg->pageHash = pager_pagehash(pPg);
+#endif
+    /* If this was page 1, then restore the value of Pager.dbFileVers.
+    ** Do this before any decoding. */
+    if( pgno==1 ){
+      memcpy(&pPager->dbFileVers, &((u8*)pData)[24],sizeof(pPager->dbFileVers));
+    }
+
+    /* Decode the page just read from disk */
+    CODEC1(pPager, pData, pPg->pgno, 3);
+  }
+  return rc;
+}
+
+/*
+** Parameter zMaster is the name of a master journal file. A single journal
+** file that referred to the master journal file has just been rolled back.
+** This routine checks if it is possible to delete the master journal file,
+** and does so if it is.
+**
+** The master journal file contains the names of all child journals.
+** To tell if a master journal can be deleted, check to each of the
+** children.  If all children are either missing or do not refer to
+** a different master journal, then this master journal can be deleted.
+*/
+static int pager_delmaster(const char *zMaster){
+  int rc;
+  int master_open = 0;
+  OsFile *master = 0;
+  char *zMasterJournal = 0; /* Contents of master journal file */
+  i64 nMasterJournal;       /* Size of master journal file */
+
+  /* Open the master journal file exclusively in case some other process
+  ** is running this routine also. Not that it makes too much difference.
+  */
+  rc = sqlite3OsOpenReadOnly(zMaster, &master);
+  assert( rc!=SQLITE_OK || master );
+  if( rc!=SQLITE_OK ) goto delmaster_out;
+  master_open = 1;
+  rc = sqlite3OsFileSize(master, &nMasterJournal);
+  if( rc!=SQLITE_OK ) goto delmaster_out;
+
+  if( nMasterJournal>0 ){
+    char *zJournal;
+    char *zMasterPtr = 0;
+
+    /* Load the entire master journal file into space obtained from
+    ** sqliteMalloc() and pointed to by zMasterJournal. 
+    */
+    zMasterJournal = (char *)sqliteMalloc(nMasterJournal);
+    if( !zMasterJournal ){
+      rc = SQLITE_NOMEM;
+      goto delmaster_out;
+    }
+    rc = sqlite3OsRead(master, zMasterJournal, nMasterJournal);
+    if( rc!=SQLITE_OK ) goto delmaster_out;
+
+    zJournal = zMasterJournal;
+    while( (zJournal-zMasterJournal)<nMasterJournal ){
+      if( sqlite3OsFileExists(zJournal) ){
+        /* One of the journals pointed to by the master journal exists.
+        ** Open it and check if it points at the master journal. If
+        ** so, return without deleting the master journal file.
+        */
+        OsFile *journal = 0;
+        int c;
+
+        rc = sqlite3OsOpenReadOnly(zJournal, &journal);
+        assert( rc!=SQLITE_OK || journal );
+        if( rc!=SQLITE_OK ){
+          goto delmaster_out;
+        }
+
+        rc = readMasterJournal(journal, &zMasterPtr);
+        sqlite3OsClose(&journal);
+        if( rc!=SQLITE_OK ){
+          goto delmaster_out;
+        }
+
+        c = zMasterPtr!=0 && strcmp(zMasterPtr, zMaster)==0;
+        sqliteFree(zMasterPtr);
+        if( c ){
+          /* We have a match. Do not delete the master journal file. */
+          goto delmaster_out;
+        }
+      }
+      zJournal += (strlen(zJournal)+1);
+    }
+  }
+  
+  rc = sqlite3OsDelete(zMaster);
+
+delmaster_out:
+  if( zMasterJournal ){
+    sqliteFree(zMasterJournal);
+  }  
+  if( master_open ){
+    sqlite3OsClose(&master);
+  }
+  return rc;
+}
+
+
+static void pager_truncate_cache(Pager *pPager);
+
+/*
+** Truncate the main file of the given pager to the number of pages
+** indicated. Also truncate the cached representation of the file.
+*/
+static int pager_truncate(Pager *pPager, int nPage){
+  int rc = SQLITE_OK;
+  if( pPager->state>=PAGER_EXCLUSIVE ){
+    rc = sqlite3OsTruncate(pPager->fd, pPager->pageSize*(i64)nPage);
+  }
+  if( rc==SQLITE_OK ){
+    pPager->dbSize = nPage;
+    pager_truncate_cache(pPager);
+  }
+  return rc;
+}
+
+/*
+** Playback the journal and thus restore the database file to
+** the state it was in before we started making changes.  
+**
+** The journal file format is as follows: 
+**
+**  (1)  8 byte prefix.  A copy of aJournalMagic[].
+**  (2)  4 byte big-endian integer which is the number of valid page records
+**       in the journal.  If this value is 0xffffffff, then compute the
+**       number of page records from the journal size.
+**  (3)  4 byte big-endian integer which is the initial value for the 
+**       sanity checksum.
+**  (4)  4 byte integer which is the number of pages to truncate the
+**       database to during a rollback.
+**  (5)  4 byte integer which is the number of bytes in the master journal
+**       name.  The value may be zero (indicate that there is no master
+**       journal.)
+**  (6)  N bytes of the master journal name.  The name will be nul-terminated
+**       and might be shorter than the value read from (5).  If the first byte
+**       of the name is \000 then there is no master journal.  The master
+**       journal name is stored in UTF-8.
+**  (7)  Zero or more pages instances, each as follows:
+**        +  4 byte page number.
+**        +  pPager->pageSize bytes of data.
+**        +  4 byte checksum
+**
+** When we speak of the journal header, we mean the first 6 items above.
+** Each entry in the journal is an instance of the 7th item.
+**
+** Call the value from the second bullet "nRec".  nRec is the number of
+** valid page entries in the journal.  In most cases, you can compute the
+** value of nRec from the size of the journal file.  But if a power
+** failure occurred while the journal was being written, it could be the
+** case that the size of the journal file had already been increased but
+** the extra entries had not yet made it safely to disk.  In such a case,
+** the value of nRec computed from the file size would be too large.  For
+** that reason, we always use the nRec value in the header.
+**
+** If the nRec value is 0xffffffff it means that nRec should be computed
+** from the file size.  This value is used when the user selects the
+** no-sync option for the journal.  A power failure could lead to corruption
+** in this case.  But for things like temporary table (which will be
+** deleted when the power is restored) we don't care.  
+**
+** If the file opened as the journal file is not a well-formed
+** journal file then all pages up to the first corrupted page are rolled
+** back (or no pages if the journal header is corrupted). The journal file
+** is then deleted and SQLITE_OK returned, just as if no corruption had
+** been encountered.
+**
+** If an I/O or malloc() error occurs, the journal-file is not deleted
+** and an error code is returned.
+*/
+static int pager_playback(Pager *pPager, int isHot){
+  i64 szJ;                 /* Size of the journal file in bytes */
+  u32 nRec;                /* Number of Records in the journal */
+  int i;                   /* Loop counter */
+  Pgno mxPg = 0;           /* Size of the original file in pages */
+  int rc;                  /* Result code of a subroutine */
+  char *zMaster = 0;       /* Name of master journal file if any */
+
+  /* Figure out how many records are in the journal.  Abort early if
+  ** the journal is empty.
+  */
+  assert( pPager->journalOpen );
+  rc = sqlite3OsFileSize(pPager->jfd, &szJ);
+  if( rc!=SQLITE_OK || szJ==0 ){
+    goto end_playback;
+  }
+
+  /* Read the master journal name from the journal, if it is present.
+  ** If a master journal file name is specified, but the file is not
+  ** present on disk, then the journal is not hot and does not need to be
+  ** played back.
+  */
+  rc = readMasterJournal(pPager->jfd, &zMaster);
+  assert( rc!=SQLITE_DONE );
+  if( rc!=SQLITE_OK || (zMaster && !sqlite3OsFileExists(zMaster)) ){
+    sqliteFree(zMaster);
+    zMaster = 0;
+    if( rc==SQLITE_DONE ) rc = SQLITE_OK;
+    goto end_playback;
+  }
+  sqlite3OsSeek(pPager->jfd, 0);
+  pPager->journalOff = 0;
+
+  /* This loop terminates either when the readJournalHdr() call returns
+  ** SQLITE_DONE or an IO error occurs. */
+  while( 1 ){
+
+    /* Read the next journal header from the journal file.  If there are
+    ** not enough bytes left in the journal file for a complete header, or
+    ** it is corrupted, then a process must of failed while writing it.
+    ** This indicates nothing more needs to be rolled back.
+    */
+    rc = readJournalHdr(pPager, szJ, &nRec, &mxPg);
+    if( rc!=SQLITE_OK ){ 
+      if( rc==SQLITE_DONE ){
+        rc = SQLITE_OK;
+      }
+      goto end_playback;
+    }
+
+    /* If nRec is 0xffffffff, then this journal was created by a process
+    ** working in no-sync mode. This means that the rest of the journal
+    ** file consists of pages, there are no more journal headers. Compute
+    ** the value of nRec based on this assumption.
+    */
+    if( nRec==0xffffffff ){
+      assert( pPager->journalOff==JOURNAL_HDR_SZ(pPager) );
+      nRec = (szJ - JOURNAL_HDR_SZ(pPager))/JOURNAL_PG_SZ(pPager);
+    }
+
+    /* If nRec is 0 and this rollback is of a transaction created by this
+    ** process. In this case the rest of the journal file consists of
+    ** journalled copies of pages that need to be read back into the cache.
+    */
+    if( nRec==0 && !isHot ){
+      nRec = (szJ - pPager->journalOff) / JOURNAL_PG_SZ(pPager);
+    }
+
+    /* If this is the first header read from the journal, truncate the
+    ** database file back to it's original size.
+    */
+    if( pPager->journalOff==JOURNAL_HDR_SZ(pPager) ){
+      rc = pager_truncate(pPager, mxPg);
+      if( rc!=SQLITE_OK ){
+        goto end_playback;
+      }
+    }
+
+    /* Copy original pages out of the journal and back into the database file.
+    */
+    for(i=0; i<nRec; i++){
+      rc = pager_playback_one_page(pPager, pPager->jfd, 1);
+      if( rc!=SQLITE_OK ){
+        if( rc==SQLITE_DONE ){
+          rc = SQLITE_OK;
+          pPager->journalOff = szJ;
+          break;
+        }else{
+          goto end_playback;
+        }
+      }
+    }
+  }
+  /*NOTREACHED*/
+  assert( 0 );
+
+end_playback:
+  if( rc==SQLITE_OK ){
+    rc = pager_end_transaction(pPager);
+  }
+  if( zMaster ){
+    /* If there was a master journal and this routine will return success,
+    ** see if it is possible to delete the master journal.
+    */
+    if( rc==SQLITE_OK ){
+      rc = pager_delmaster(zMaster);
+    }
+    sqliteFree(zMaster);
+  }
+
+  /* The Pager.sectorSize variable may have been updated while rolling
+  ** back a journal created by a process with a different sector size
+  ** value. Reset it to the correct value for this process.
+  */
+  pPager->sectorSize = sqlite3OsSectorSize(pPager->fd);
+  return rc;
+}
+
+/*
+** Playback the statement journal.
+**
+** This is similar to playing back the transaction journal but with
+** a few extra twists.
+**
+**    (1)  The number of pages in the database file at the start of
+**         the statement is stored in pPager->stmtSize, not in the
+**         journal file itself.
+**
+**    (2)  In addition to playing back the statement journal, also
+**         playback all pages of the transaction journal beginning
+**         at offset pPager->stmtJSize.
+*/
+static int pager_stmt_playback(Pager *pPager){
+  i64 szJ;                 /* Size of the full journal */
+  i64 hdrOff;
+  int nRec;                /* Number of Records */
+  int i;                   /* Loop counter */
+  int rc;
+
+  szJ = pPager->journalOff;
+#ifndef NDEBUG 
+  {
+    i64 os_szJ;
+    rc = sqlite3OsFileSize(pPager->jfd, &os_szJ);
+    if( rc!=SQLITE_OK ) return rc;
+    assert( szJ==os_szJ );
+  }
+#endif
+
+  /* Set hdrOff to be the offset just after the end of the last journal
+  ** page written before the first journal-header for this statement
+  ** transaction was written, or the end of the file if no journal
+  ** header was written.
+  */
+  hdrOff = pPager->stmtHdrOff;
+  assert( pPager->fullSync || !hdrOff );
+  if( !hdrOff ){
+    hdrOff = szJ;
+  }
+  
+  /* Truncate the database back to its original size.
+  */
+  rc = pager_truncate(pPager, pPager->stmtSize);
+  assert( pPager->state>=PAGER_SHARED );
+
+  /* Figure out how many records are in the statement journal.
+  */
+  assert( pPager->stmtInUse && pPager->journalOpen );
+  sqlite3OsSeek(pPager->stfd, 0);
+  nRec = pPager->stmtNRec;
+  
+  /* Copy original pages out of the statement journal and back into the
+  ** database file.  Note that the statement journal omits checksums from
+  ** each record since power-failure recovery is not important to statement
+  ** journals.
+  */
+  for(i=nRec-1; i>=0; i--){
+    rc = pager_playback_one_page(pPager, pPager->stfd, 0);
+    assert( rc!=SQLITE_DONE );
+    if( rc!=SQLITE_OK ) goto end_stmt_playback;
+  }
+
+  /* Now roll some pages back from the transaction journal. Pager.stmtJSize
+  ** was the size of the journal file when this statement was started, so
+  ** everything after that needs to be rolled back, either into the
+  ** database, the memory cache, or both.
+  **
+  ** If it is not zero, then Pager.stmtHdrOff is the offset to the start
+  ** of the first journal header written during this statement transaction.
+  */
+  rc = sqlite3OsSeek(pPager->jfd, pPager->stmtJSize);
+  if( rc!=SQLITE_OK ){
+    goto end_stmt_playback;
+  }
+  pPager->journalOff = pPager->stmtJSize;
+  pPager->cksumInit = pPager->stmtCksum;
+  while( pPager->journalOff < hdrOff ){
+    rc = pager_playback_one_page(pPager, pPager->jfd, 1);
+    assert( rc!=SQLITE_DONE );
+    if( rc!=SQLITE_OK ) goto end_stmt_playback;
+  }
+
+  while( pPager->journalOff < szJ ){
+    u32 nJRec;         /* Number of Journal Records */
+    u32 dummy;
+    rc = readJournalHdr(pPager, szJ, &nJRec, &dummy);
+    if( rc!=SQLITE_OK ){
+      assert( rc!=SQLITE_DONE );
+      goto end_stmt_playback;
+    }
+    if( nJRec==0 ){
+      nJRec = (szJ - pPager->journalOff) / (pPager->pageSize+8);
+    }
+    for(i=nJRec-1; i>=0 && pPager->journalOff < szJ; i--){
+      rc = pager_playback_one_page(pPager, pPager->jfd, 1);
+      assert( rc!=SQLITE_DONE );
+      if( rc!=SQLITE_OK ) goto end_stmt_playback;
+    }
+  }
+
+  pPager->journalOff = szJ;
+  
+end_stmt_playback:
+  if( rc==SQLITE_OK) {
+    pPager->journalOff = szJ;
+    /* pager_reload_cache(pPager); */
+  }
+  return rc;
+}
+
+/*
+** Change the maximum number of in-memory pages that are allowed.
+*/
+void sqlite3PagerSetCachesize(Pager *pPager, int mxPage){
+  if( mxPage>10 ){
+    pPager->mxPage = mxPage;
+  }else{
+    pPager->mxPage = 10;
+  }
+}
+
+/*
+** Adjust the robustness of the database to damage due to OS crashes
+** or power failures by changing the number of syncs()s when writing
+** the rollback journal.  There are three levels:
+**
+**    OFF       sqlite3OsSync() is never called.  This is the default
+**              for temporary and transient files.
+**
+**    NORMAL    The journal is synced once before writes begin on the
+**              database.  This is normally adequate protection, but
+**              it is theoretically possible, though very unlikely,
+**              that an inopertune power failure could leave the journal
+**              in a state which would cause damage to the database
+**              when it is rolled back.
+**
+**    FULL      The journal is synced twice before writes begin on the
+**              database (with some additional information - the nRec field
+**              of the journal header - being written in between the two
+**              syncs).  If we assume that writing a
+**              single disk sector is atomic, then this mode provides
+**              assurance that the journal will not be corrupted to the
+**              point of causing damage to the database during rollback.
+**
+** Numeric values associated with these states are OFF==1, NORMAL=2,
+** and FULL=3.
+*/
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+void sqlite3PagerSetSafetyLevel(Pager *pPager, int level, int full_fsync){
+  pPager->noSync =  level==1 || pPager->tempFile;
+  pPager->fullSync = level==3 && !pPager->tempFile;
+  pPager->full_fsync = full_fsync;
+  if( pPager->noSync ) pPager->needSync = 0;
+}
+#endif
+
+/*
+** The following global variable is incremented whenever the library
+** attempts to open a temporary file.  This information is used for
+** testing and analysis only.  
+*/
+#ifdef SQLITE_TEST
+int sqlite3_opentemp_count = 0;
+#endif
+
+/*
+** Open a temporary file. 
+**
+** Write the file descriptor into *fd.  Return SQLITE_OK on success or some
+** other error code if we fail.
+**
+** The OS will automatically delete the temporary file when it is
+** closed.
+*/
+static int sqlite3PagerOpentemp(OsFile **pFd){
+  int cnt = 8;
+  int rc;
+  char zFile[SQLITE_TEMPNAME_SIZE];
+
+#ifdef SQLITE_TEST
+  sqlite3_opentemp_count++;  /* Used for testing and analysis only */
+#endif
+  do{
+    cnt--;
+    sqlite3OsTempFileName(zFile);
+    rc = sqlite3OsOpenExclusive(zFile, pFd, 1);
+    assert( rc!=SQLITE_OK || *pFd );
+  }while( cnt>0 && rc!=SQLITE_OK && rc!=SQLITE_NOMEM );
+  return rc;
+}
+
+/*
+** Create a new page cache and put a pointer to the page cache in *ppPager.
+** The file to be cached need not exist.  The file is not locked until
+** the first call to sqlite3PagerGet() and is only held open until the
+** last page is released using sqlite3PagerUnref().
+**
+** If zFilename is NULL then a randomly-named temporary file is created
+** and used as the file to be cached.  The file will be deleted
+** automatically when it is closed.
+**
+** If zFilename is ":memory:" then all information is held in cache.
+** It is never written to disk.  This can be used to implement an
+** in-memory database.
+*/
+int sqlite3PagerOpen(
+  Pager **ppPager,         /* Return the Pager structure here */
+  const char *zFilename,   /* Name of the database file to open */
+  int nExtra,              /* Extra bytes append to each in-memory page */
+  int flags                /* flags controlling this file */
+){
+  Pager *pPager = 0;
+  char *zFullPathname = 0;
+  int nameLen;  /* Compiler is wrong. This is always initialized before use */
+  OsFile *fd = 0;
+  int rc = SQLITE_OK;
+  int i;
+  int tempFile = 0;
+  int memDb = 0;
+  int readOnly = 0;
+  int useJournal = (flags & PAGER_OMIT_JOURNAL)==0;
+  int noReadlock = (flags & PAGER_NO_READLOCK)!=0;
+  char zTemp[SQLITE_TEMPNAME_SIZE];
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  /* A malloc() cannot fail in sqlite3ThreadData() as one or more calls to 
+  ** malloc() must have already been made by this thread before it gets
+  ** to this point. This means the ThreadData must have been allocated already
+  ** so that ThreadData.nAlloc can be set. It would be nice to assert
+  ** that ThreadData.nAlloc is non-zero, but alas this breaks test cases 
+  ** written to invoke the pager directly.
+  */
+  ThreadData *pTsd = sqlite3ThreadData();
+  assert( pTsd );
+#endif
+
+  /* We used to test if malloc() had already failed before proceeding. 
+  ** But the way this function is used in SQLite means that can never
+  ** happen. Furthermore, if the malloc-failed flag is already set, 
+  ** either the call to sqliteStrDup() or sqliteMalloc() below will
+  ** fail shortly and SQLITE_NOMEM returned anyway.
+  */
+  *ppPager = 0;
+
+  /* Open the pager file and set zFullPathname to point at malloc()ed 
+  ** memory containing the complete filename (i.e. including the directory).
+  */
+  if( zFilename && zFilename[0] ){
+#ifndef SQLITE_OMIT_MEMORYDB
+    if( strcmp(zFilename,":memory:")==0 ){
+      memDb = 1;
+      zFullPathname = sqliteStrDup("");
+    }else
+#endif
+    {
+      zFullPathname = sqlite3OsFullPathname(zFilename);
+      if( zFullPathname ){
+        rc = sqlite3OsOpenReadWrite(zFullPathname, &fd, &readOnly);
+        assert( rc!=SQLITE_OK || fd );
+      }
+    }
+  }else{
+    rc = sqlite3PagerOpentemp(&fd);
+    sqlite3OsTempFileName(zTemp);
+    zFilename = zTemp;
+    zFullPathname = sqlite3OsFullPathname(zFilename);
+    if( rc==SQLITE_OK ){
+      tempFile = 1;
+    }
+  }
+
+  /* Allocate the Pager structure. As part of the same allocation, allocate
+  ** space for the full paths of the file, directory and journal 
+  ** (Pager.zFilename, Pager.zDirectory and Pager.zJournal).
+  */
+  if( zFullPathname ){
+    nameLen = strlen(zFullPathname);
+    pPager = sqliteMalloc( sizeof(*pPager) + nameLen*3 + 30 );
+    if( pPager && rc==SQLITE_OK ){
+      pPager->pTmpSpace = (char *)sqliteMallocRaw(SQLITE_DEFAULT_PAGE_SIZE);
+    }
+  }
+
+
+  /* If an error occured in either of the blocks above, free the memory 
+  ** pointed to by zFullPathname, free the Pager structure and close the 
+  ** file. Since the pager is not allocated there is no need to set 
+  ** any Pager.errMask variables.
+  */
+  if( !pPager || !zFullPathname || !pPager->pTmpSpace || rc!=SQLITE_OK ){
+    sqlite3OsClose(&fd);
+    sqliteFree(zFullPathname);
+    sqliteFree(pPager);
+    return ((rc==SQLITE_OK)?SQLITE_NOMEM:rc);
+  }
+
+  PAGERTRACE3("OPEN %d %s\n", FILEHANDLEID(fd), zFullPathname);
+  IOTRACE(("OPEN %p %s\n", pPager, zFullPathname))
+  pPager->zFilename = (char*)&pPager[1];
+  pPager->zDirectory = &pPager->zFilename[nameLen+1];
+  pPager->zJournal = &pPager->zDirectory[nameLen+1];
+  strcpy(pPager->zFilename, zFullPathname);
+  strcpy(pPager->zDirectory, zFullPathname);
+
+  for(i=nameLen; i>0 && pPager->zDirectory[i-1]!='/'; i--){}
+  if( i>0 ) pPager->zDirectory[i-1] = 0;
+  strcpy(pPager->zJournal, zFullPathname);
+  sqliteFree(zFullPathname);
+  strcpy(&pPager->zJournal[nameLen], "-journal");
+  pPager->fd = fd;
+  /* pPager->journalOpen = 0; */
+  pPager->useJournal = useJournal && !memDb;
+  pPager->noReadlock = noReadlock && readOnly;
+  /* pPager->stmtOpen = 0; */
+  /* pPager->stmtInUse = 0; */
+  /* pPager->nRef = 0; */
+  pPager->dbSize = memDb-1;
+  pPager->pageSize = SQLITE_DEFAULT_PAGE_SIZE;
+  /* pPager->stmtSize = 0; */
+  /* pPager->stmtJSize = 0; */
+  /* pPager->nPage = 0; */
+  /* pPager->nMaxPage = 0; */
+  pPager->mxPage = 100;
+  assert( PAGER_UNLOCK==0 );
+  /* pPager->state = PAGER_UNLOCK; */
+  /* pPager->errMask = 0; */
+  pPager->tempFile = tempFile;
+  assert( tempFile==PAGER_LOCKINGMODE_NORMAL 
+          || tempFile==PAGER_LOCKINGMODE_EXCLUSIVE );
+  assert( PAGER_LOCKINGMODE_EXCLUSIVE==1 );
+  pPager->exclusiveMode = tempFile; 
+  pPager->memDb = memDb;
+  pPager->readOnly = readOnly;
+  /* pPager->needSync = 0; */
+  pPager->noSync = pPager->tempFile || !useJournal;
+  pPager->fullSync = (pPager->noSync?0:1);
+  /* pPager->pFirst = 0; */
+  /* pPager->pFirstSynced = 0; */
+  /* pPager->pLast = 0; */
+  pPager->nExtra = FORCE_ALIGNMENT(nExtra);
+  assert(fd||memDb);
+  if( !memDb ){
+    pPager->sectorSize = sqlite3OsSectorSize(fd);
+  }
+  /* pPager->pBusyHandler = 0; */
+  /* memset(pPager->aHash, 0, sizeof(pPager->aHash)); */
+  *ppPager = pPager;
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  pPager->pNext = pTsd->pPager;
+  pTsd->pPager = pPager;
+#endif
+  return SQLITE_OK;
+}
+
+/*
+** Set the busy handler function.
+*/
+void sqlite3PagerSetBusyhandler(Pager *pPager, BusyHandler *pBusyHandler){
+  pPager->pBusyHandler = pBusyHandler;
+}
+
+/*
+** Set the destructor for this pager.  If not NULL, the destructor is called
+** when the reference count on each page reaches zero.  The destructor can
+** be used to clean up information in the extra segment appended to each page.
+**
+** The destructor is not called as a result sqlite3PagerClose().  
+** Destructors are only called by sqlite3PagerUnref().
+*/
+void sqlite3PagerSetDestructor(Pager *pPager, void (*xDesc)(DbPage*,int)){
+  pPager->xDestructor = xDesc;
+}
+
+/*
+** Set the reinitializer for this pager.  If not NULL, the reinitializer
+** is called when the content of a page in cache is restored to its original
+** value as a result of a rollback.  The callback gives higher-level code
+** an opportunity to restore the EXTRA section to agree with the restored
+** page data.
+*/
+void sqlite3PagerSetReiniter(Pager *pPager, void (*xReinit)(DbPage*,int)){
+  pPager->xReiniter = xReinit;
+}
+
+/*
+** Set the page size.  Return the new size.  If the suggest new page
+** size is inappropriate, then an alternative page size is selected
+** and returned.
+*/
+int sqlite3PagerSetPagesize(Pager *pPager, int pageSize){
+  assert( pageSize>=512 && pageSize<=SQLITE_MAX_PAGE_SIZE );
+  if( !pPager->memDb && pPager->nRef==0 ){
+    pager_reset(pPager);
+    pPager->pageSize = pageSize;
+    pPager->pTmpSpace = sqlite3ReallocOrFree(pPager->pTmpSpace, pageSize);
+  }
+  return pPager->pageSize;
+}
+
+/*
+** The following set of routines are used to disable the simulated
+** I/O error mechanism.  These routines are used to avoid simulated
+** errors in places where we do not care about errors.
+**
+** Unless -DSQLITE_TEST=1 is used, these routines are all no-ops
+** and generate no code.
+*/
+#ifdef SQLITE_TEST
+extern int sqlite3_io_error_pending;
+extern int sqlite3_io_error_hit;
+static int saved_cnt;
+void disable_simulated_io_errors(void){
+  saved_cnt = sqlite3_io_error_pending;
+  sqlite3_io_error_pending = -1;
+}
+void enable_simulated_io_errors(void){
+  sqlite3_io_error_pending = saved_cnt;
+}
+#else
+# define disable_simulated_io_errors()
+# define enable_simulated_io_errors()
+#endif
+
+/*
+** Read the first N bytes from the beginning of the file into memory
+** that pDest points to. 
+**
+** No error checking is done. The rational for this is that this function 
+** may be called even if the file does not exist or contain a header. In 
+** these cases sqlite3OsRead() will return an error, to which the correct 
+** response is to zero the memory at pDest and continue.  A real IO error 
+** will presumably recur and be picked up later (Todo: Think about this).
+*/
+int sqlite3PagerReadFileheader(Pager *pPager, int N, unsigned char *pDest){
+  int rc = SQLITE_OK;
+  memset(pDest, 0, N);
+  if( MEMDB==0 ){
+    disable_simulated_io_errors();
+    sqlite3OsSeek(pPager->fd, 0);
+    enable_simulated_io_errors();
+    IOTRACE(("DBHDR %p 0 %d\n", pPager, N))
+    rc = sqlite3OsRead(pPager->fd, pDest, N);
+    if( rc==SQLITE_IOERR_SHORT_READ ){
+      rc = SQLITE_OK;
+    }
+  }
+  return rc;
+}
+
+/*
+** Return the total number of pages in the disk file associated with
+** pPager. 
+**
+** If the PENDING_BYTE lies on the page directly after the end of the
+** file, then consider this page part of the file too. For example, if
+** PENDING_BYTE is byte 4096 (the first byte of page 5) and the size of the
+** file is 4096 bytes, 5 is returned instead of 4.
+*/
+int sqlite3PagerPagecount(Pager *pPager){
+  i64 n;
+  int rc;
+  assert( pPager!=0 );
+  if( pPager->errCode ){
+    return 0;
+  }
+  if( pPager->dbSize>=0 ){
+    n = pPager->dbSize;
+  } else {
+    if( (rc = sqlite3OsFileSize(pPager->fd, &n))!=SQLITE_OK ){
+      pager_error(pPager, rc);
+      return 0;
+    }
+    if( n>0 && n<pPager->pageSize ){
+      n = 1;
+    }else{
+      n /= pPager->pageSize;
+    }
+    if( pPager->state!=PAGER_UNLOCK ){
+      pPager->dbSize = n;
+    }
+  }
+  if( n==(PENDING_BYTE/pPager->pageSize) ){
+    n++;
+  }
+  return n;
+}
+
+
+#ifndef SQLITE_OMIT_MEMORYDB
+/*
+** Clear a PgHistory block
+*/
+static void clearHistory(PgHistory *pHist){
+  sqliteFree(pHist->pOrig);
+  sqliteFree(pHist->pStmt);
+  pHist->pOrig = 0;
+  pHist->pStmt = 0;
+}
+#else
+#define clearHistory(x)
+#endif
+
+/*
+** Forward declaration
+*/
+static int syncJournal(Pager*);
+
+/*
+** Unlink pPg from it's hash chain. Also set the page number to 0 to indicate
+** that the page is not part of any hash chain. This is required because the
+** sqlite3PagerMovepage() routine can leave a page in the 
+** pNextFree/pPrevFree list that is not a part of any hash-chain.
+*/
+static void unlinkHashChain(Pager *pPager, PgHdr *pPg){
+  if( pPg->pgno==0 ){
+    assert( pPg->pNextHash==0 && pPg->pPrevHash==0 );
+    return;
+  }
+  if( pPg->pNextHash ){
+    pPg->pNextHash->pPrevHash = pPg->pPrevHash;
+  }
+  if( pPg->pPrevHash ){
+    assert( pPager->aHash[pPg->pgno & (pPager->nHash-1)]!=pPg );
+    pPg->pPrevHash->pNextHash = pPg->pNextHash;
+  }else{
+    int h = pPg->pgno & (pPager->nHash-1);
+    pPager->aHash[h] = pPg->pNextHash;
+  }
+  if( MEMDB ){
+    clearHistory(PGHDR_TO_HIST(pPg, pPager));
+  }
+  pPg->pgno = 0;
+  pPg->pNextHash = pPg->pPrevHash = 0;
+}
+
+/*
+** Unlink a page from the free list (the list of all pages where nRef==0)
+** and from its hash collision chain.
+*/
+static void unlinkPage(PgHdr *pPg){
+  Pager *pPager = pPg->pPager;
+
+  /* Keep the pFirstSynced pointer pointing at the first synchronized page */
+  if( pPg==pPager->pFirstSynced ){
+    PgHdr *p = pPg->pNextFree;
+    while( p && p->needSync ){ p = p->pNextFree; }
+    pPager->pFirstSynced = p;
+  }
+
+  /* Unlink from the freelist */
+  if( pPg->pPrevFree ){
+    pPg->pPrevFree->pNextFree = pPg->pNextFree;
+  }else{
+    assert( pPager->pFirst==pPg );
+    pPager->pFirst = pPg->pNextFree;
+  }
+  if( pPg->pNextFree ){
+    pPg->pNextFree->pPrevFree = pPg->pPrevFree;
+  }else{
+    assert( pPager->pLast==pPg );
+    pPager->pLast = pPg->pPrevFree;
+  }
+  pPg->pNextFree = pPg->pPrevFree = 0;
+
+  /* Unlink from the pgno hash table */
+  unlinkHashChain(pPager, pPg);
+}
+
+/*
+** This routine is used to truncate the cache when a database
+** is truncated.  Drop from the cache all pages whose pgno is
+** larger than pPager->dbSize and is unreferenced.
+**
+** Referenced pages larger than pPager->dbSize are zeroed.
+**
+** Actually, at the point this routine is called, it would be
+** an error to have a referenced page.  But rather than delete
+** that page and guarantee a subsequent segfault, it seems better
+** to zero it and hope that we error out sanely.
+*/
+static void pager_truncate_cache(Pager *pPager){
+  PgHdr *pPg;
+  PgHdr **ppPg;
+  int dbSize = pPager->dbSize;
+
+  ppPg = &pPager->pAll;
+  while( (pPg = *ppPg)!=0 ){
+    if( pPg->pgno<=dbSize ){
+      ppPg = &pPg->pNextAll;
+    }else if( pPg->nRef>0 ){
+      memset(PGHDR_TO_DATA(pPg), 0, pPager->pageSize);
+      ppPg = &pPg->pNextAll;
+    }else{
+      *ppPg = pPg->pNextAll;
+      IOTRACE(("PGFREE %p %d\n", pPager, pPg->pgno));
+      PAGER_INCR(sqlite3_pager_pgfree_count);
+      unlinkPage(pPg);
+      makeClean(pPg);
+      sqliteFree(pPg);
+      pPager->nPage--;
+    }
+  }
+}
+
+/*
+** Try to obtain a lock on a file.  Invoke the busy callback if the lock
+** is currently not available.  Repeat until the busy callback returns
+** false or until the lock succeeds.
+**
+** Return SQLITE_OK on success and an error code if we cannot obtain
+** the lock.
+*/
+static int pager_wait_on_lock(Pager *pPager, int locktype){
+  int rc;
+
+  /* The OS lock values must be the same as the Pager lock values */
+  assert( PAGER_SHARED==SHARED_LOCK );
+  assert( PAGER_RESERVED==RESERVED_LOCK );
+  assert( PAGER_EXCLUSIVE==EXCLUSIVE_LOCK );
+
+  /* If the file is currently unlocked then the size must be unknown */
+  assert( pPager->state>=PAGER_SHARED || pPager->dbSize<0 || MEMDB );
+
+  if( pPager->state>=locktype ){
+    rc = SQLITE_OK;
+  }else{
+    do {
+      rc = sqlite3OsLock(pPager->fd, locktype);
+    }while( rc==SQLITE_BUSY && sqlite3InvokeBusyHandler(pPager->pBusyHandler) );
+    if( rc==SQLITE_OK ){
+      pPager->state = locktype;
+      IOTRACE(("LOCK %p %d\n", pPager, locktype))
+    }
+  }
+  return rc;
+}
+
+/*
+** Truncate the file to the number of pages specified.
+*/
+int sqlite3PagerTruncate(Pager *pPager, Pgno nPage){
+  int rc;
+  assert( pPager->state>=PAGER_SHARED || MEMDB );
+  sqlite3PagerPagecount(pPager);
+  if( pPager->errCode ){
+    rc = pPager->errCode;
+    return rc;
+  }
+  if( nPage>=(unsigned)pPager->dbSize ){
+    return SQLITE_OK;
+  }
+  if( MEMDB ){
+    pPager->dbSize = nPage;
+    pager_truncate_cache(pPager);
+    return SQLITE_OK;
+  }
+  rc = syncJournal(pPager);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  /* Get an exclusive lock on the database before truncating. */
+  rc = pager_wait_on_lock(pPager, EXCLUSIVE_LOCK);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  rc = pager_truncate(pPager, nPage);
+  return rc;
+}
+
+/*
+** Shutdown the page cache.  Free all memory and close all files.
+**
+** If a transaction was in progress when this routine is called, that
+** transaction is rolled back.  All outstanding pages are invalidated
+** and their memory is freed.  Any attempt to use a page associated
+** with this page cache after this function returns will likely
+** result in a coredump.
+**
+** This function always succeeds. If a transaction is active an attempt
+** is made to roll it back. If an error occurs during the rollback 
+** a hot journal may be left in the filesystem but no error is returned
+** to the caller.
+*/
+int sqlite3PagerClose(Pager *pPager){
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  /* A malloc() cannot fail in sqlite3ThreadData() as one or more calls to 
+  ** malloc() must have already been made by this thread before it gets
+  ** to this point. This means the ThreadData must have been allocated already
+  ** so that ThreadData.nAlloc can be set.
+  */
+  ThreadData *pTsd = sqlite3ThreadData();
+  assert( pPager );
+  assert( pTsd && pTsd->nAlloc );
+#endif
+
+  disable_simulated_io_errors();
+  pPager->errCode = 0;
+  pPager->exclusiveMode = 0;
+  pager_reset(pPager);
+  pagerUnlockAndRollback(pPager);
+  enable_simulated_io_errors();
+  PAGERTRACE2("CLOSE %d\n", PAGERID(pPager));
+  IOTRACE(("CLOSE %p\n", pPager))
+  assert( pPager->errCode || (pPager->journalOpen==0 && pPager->stmtOpen==0) );
+  if( pPager->journalOpen ){
+    sqlite3OsClose(&pPager->jfd);
+  }
+  sqliteFree(pPager->aInJournal);
+  if( pPager->stmtOpen ){
+    sqlite3OsClose(&pPager->stfd);
+  }
+  sqlite3OsClose(&pPager->fd);
+  /* Temp files are automatically deleted by the OS
+  ** if( pPager->tempFile ){
+  **   sqlite3OsDelete(pPager->zFilename);
+  ** }
+  */
+
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+  /* Remove the pager from the linked list of pagers starting at 
+  ** ThreadData.pPager if memory-management is enabled.
+  */
+  if( pPager==pTsd->pPager ){
+    pTsd->pPager = pPager->pNext;
+  }else{
+    Pager *pTmp;
+    for(pTmp = pTsd->pPager; pTmp->pNext!=pPager; pTmp=pTmp->pNext){}
+    pTmp->pNext = pPager->pNext;
+  }
+#endif
+  sqliteFree(pPager->aHash);
+  sqliteFree(pPager->pTmpSpace);
+  sqliteFree(pPager);
+  return SQLITE_OK;
+}
+
+/*
+** Return the page number for the given page data.
+*/
+Pgno sqlite3PagerPagenumber(DbPage *p){
+  return p->pgno;
+}
+
+/*
+** The page_ref() function increments the reference count for a page.
+** If the page is currently on the freelist (the reference count is zero) then
+** remove it from the freelist.
+**
+** For non-test systems, page_ref() is a macro that calls _page_ref()
+** online of the reference count is zero.  For test systems, page_ref()
+** is a real function so that we can set breakpoints and trace it.
+*/
+static void _page_ref(PgHdr *pPg){
+  if( pPg->nRef==0 ){
+    /* The page is currently on the freelist.  Remove it. */
+    if( pPg==pPg->pPager->pFirstSynced ){
+      PgHdr *p = pPg->pNextFree;
+      while( p && p->needSync ){ p = p->pNextFree; }
+      pPg->pPager->pFirstSynced = p;
+    }
+    if( pPg->pPrevFree ){
+      pPg->pPrevFree->pNextFree = pPg->pNextFree;
+    }else{
+      pPg->pPager->pFirst = pPg->pNextFree;
+    }
+    if( pPg->pNextFree ){
+      pPg->pNextFree->pPrevFree = pPg->pPrevFree;
+    }else{
+      pPg->pPager->pLast = pPg->pPrevFree;
+    }
+    pPg->pPager->nRef++;
+  }
+  pPg->nRef++;
+  REFINFO(pPg);
+}
+#ifdef SQLITE_DEBUG
+  static void page_ref(PgHdr *pPg){
+    if( pPg->nRef==0 ){
+      _page_ref(pPg);
+    }else{
+      pPg->nRef++;
+      REFINFO(pPg);
+    }
+  }
+#else
+# define page_ref(P)   ((P)->nRef==0?_page_ref(P):(void)(P)->nRef++)
+#endif
+
+/*
+** Increment the reference count for a page.  The input pointer is
+** a reference to the page data.
+*/
+int sqlite3PagerRef(DbPage *pPg){
+  page_ref(pPg);
+  return SQLITE_OK;
+}
+
+/*
+** Sync the journal.  In other words, make sure all the pages that have
+** been written to the journal have actually reached the surface of the
+** disk.  It is not safe to modify the original database file until after
+** the journal has been synced.  If the original database is modified before
+** the journal is synced and a power failure occurs, the unsynced journal
+** data would be lost and we would be unable to completely rollback the
+** database changes.  Database corruption would occur.
+** 
+** This routine also updates the nRec field in the header of the journal.
+** (See comments on the pager_playback() routine for additional information.)
+** If the sync mode is FULL, two syncs will occur.  First the whole journal
+** is synced, then the nRec field is updated, then a second sync occurs.
+**
+** For temporary databases, we do not care if we are able to rollback
+** after a power failure, so sync occurs.
+**
+** This routine clears the needSync field of every page current held in
+** memory.
+*/
+static int syncJournal(Pager *pPager){
+  PgHdr *pPg;
+  int rc = SQLITE_OK;
+
+  /* Sync the journal before modifying the main database
+  ** (assuming there is a journal and it needs to be synced.)
+  */
+  if( pPager->needSync ){
+    if( !pPager->tempFile ){
+      assert( pPager->journalOpen );
+      /* assert( !pPager->noSync ); // noSync might be set if synchronous
+      ** was turned off after the transaction was started.  Ticket #615 */
+#ifndef NDEBUG
+      {
+        /* Make sure the pPager->nRec counter we are keeping agrees
+        ** with the nRec computed from the size of the journal file.
+        */
+        i64 jSz;
+        rc = sqlite3OsFileSize(pPager->jfd, &jSz);
+        if( rc!=0 ) return rc;
+        assert( pPager->journalOff==jSz );
+      }
+#endif
+      {
+        /* Write the nRec value into the journal file header. If in
+        ** full-synchronous mode, sync the journal first. This ensures that
+        ** all data has really hit the disk before nRec is updated to mark
+        ** it as a candidate for rollback. 
+        */
+        if( pPager->fullSync ){
+          PAGERTRACE2("SYNC journal of %d\n", PAGERID(pPager));
+          IOTRACE(("JSYNC %p\n", pPager))
+          rc = sqlite3OsSync(pPager->jfd, 0);
+          if( rc!=0 ) return rc;
+        }
+        rc = sqlite3OsSeek(pPager->jfd,
+                           pPager->journalHdr + sizeof(aJournalMagic));
+        if( rc ) return rc;
+        IOTRACE(("JHDR %p %lld %d\n", pPager,
+                  pPager->journalHdr + sizeof(aJournalMagic), 4))
+        rc = write32bits(pPager->jfd, pPager->nRec);
+        if( rc ) return rc;
+
+        rc = sqlite3OsSeek(pPager->jfd, pPager->journalOff);
+        if( rc ) return rc;
+      }
+      PAGERTRACE2("SYNC journal of %d\n", PAGERID(pPager));
+      IOTRACE(("JSYNC %d\n", pPager))
+      rc = sqlite3OsSync(pPager->jfd, pPager->full_fsync);
+      if( rc!=0 ) return rc;
+      pPager->journalStarted = 1;
+    }
+    pPager->needSync = 0;
+
+    /* Erase the needSync flag from every page.
+    */
+    for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+      pPg->needSync = 0;
+    }
+    pPager->pFirstSynced = pPager->pFirst;
+  }
+
+#ifndef NDEBUG
+  /* If the Pager.needSync flag is clear then the PgHdr.needSync
+  ** flag must also be clear for all pages.  Verify that this
+  ** invariant is true.
+  */
+  else{
+    for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+      assert( pPg->needSync==0 );
+    }
+    assert( pPager->pFirstSynced==pPager->pFirst );
+  }
+#endif
+
+  return rc;
+}
+
+/*
+** Merge two lists of pages connected by pDirty and in pgno order.
+** Do not both fixing the pPrevDirty pointers.
+*/
+static PgHdr *merge_pagelist(PgHdr *pA, PgHdr *pB){
+  PgHdr result, *pTail;
+  pTail = &result;
+  while( pA && pB ){
+    if( pA->pgno<pB->pgno ){
+      pTail->pDirty = pA;
+      pTail = pA;
+      pA = pA->pDirty;
+    }else{
+      pTail->pDirty = pB;
+      pTail = pB;
+      pB = pB->pDirty;
+    }
+  }
+  if( pA ){
+    pTail->pDirty = pA;
+  }else if( pB ){
+    pTail->pDirty = pB;
+  }else{
+    pTail->pDirty = 0;
+  }
+  return result.pDirty;
+}
+
+/*
+** Sort the list of pages in accending order by pgno.  Pages are
+** connected by pDirty pointers.  The pPrevDirty pointers are
+** corrupted by this sort.
+*/
+#define N_SORT_BUCKET_ALLOC 25
+#define N_SORT_BUCKET       25
+#ifdef SQLITE_TEST
+  int sqlite3_pager_n_sort_bucket = 0;
+  #undef N_SORT_BUCKET
+  #define N_SORT_BUCKET \
+   (sqlite3_pager_n_sort_bucket?sqlite3_pager_n_sort_bucket:N_SORT_BUCKET_ALLOC)
+#endif
+static PgHdr *sort_pagelist(PgHdr *pIn){
+  PgHdr *a[N_SORT_BUCKET_ALLOC], *p;
+  int i;
+  memset(a, 0, sizeof(a));
+  while( pIn ){
+    p = pIn;
+    pIn = p->pDirty;
+    p->pDirty = 0;
+    for(i=0; i<N_SORT_BUCKET-1; i++){
+      if( a[i]==0 ){
+        a[i] = p;
+        break;
+      }else{
+        p = merge_pagelist(a[i], p);
+        a[i] = 0;
+      }
+    }
+    if( i==N_SORT_BUCKET-1 ){
+      /* Coverage: To get here, there need to be 2^(N_SORT_BUCKET) 
+      ** elements in the input list. This is possible, but impractical.
+      ** Testing this line is the point of global variable
+      ** sqlite3_pager_n_sort_bucket.
+      */
+      a[i] = merge_pagelist(a[i], p);
+    }
+  }
+  p = a[0];
+  for(i=1; i<N_SORT_BUCKET; i++){
+    p = merge_pagelist(p, a[i]);
+  }
+  return p;
+}
+
+/*
+** Given a list of pages (connected by the PgHdr.pDirty pointer) write
+** every one of those pages out to the database file and mark them all
+** as clean.
+*/
+static int pager_write_pagelist(PgHdr *pList){
+  Pager *pPager;
+  int rc;
+
+  if( pList==0 ) return SQLITE_OK;
+  pPager = pList->pPager;
+
+  /* At this point there may be either a RESERVED or EXCLUSIVE lock on the
+  ** database file. If there is already an EXCLUSIVE lock, the following
+  ** calls to sqlite3OsLock() are no-ops.
+  **
+  ** Moving the lock from RESERVED to EXCLUSIVE actually involves going
+  ** through an intermediate state PENDING.   A PENDING lock prevents new
+  ** readers from attaching to the database but is unsufficient for us to
+  ** write.  The idea of a PENDING lock is to prevent new readers from
+  ** coming in while we wait for existing readers to clear.
+  **
+  ** While the pager is in the RESERVED state, the original database file
+  ** is unchanged and we can rollback without having to playback the
+  ** journal into the original database file.  Once we transition to
+  ** EXCLUSIVE, it means the database file has been changed and any rollback
+  ** will require a journal playback.
+  */
+  rc = pager_wait_on_lock(pPager, EXCLUSIVE_LOCK);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  pList = sort_pagelist(pList);
+  while( pList ){
+    assert( pList->dirty );
+    rc = sqlite3OsSeek(pPager->fd, (pList->pgno-1)*(i64)pPager->pageSize);
+    if( rc ) return rc;
+    /* If there are dirty pages in the page cache with page numbers greater
+    ** than Pager.dbSize, this means sqlite3PagerTruncate() was called to
+    ** make the file smaller (presumably by auto-vacuum code). Do not write
+    ** any such pages to the file.
+    */
+    if( pList->pgno<=pPager->dbSize ){
+      char *pData = CODEC2(pPager, PGHDR_TO_DATA(pList), pList->pgno, 6);
+      PAGERTRACE3("STORE %d page %d\n", PAGERID(pPager), pList->pgno);
+      IOTRACE(("PGOUT %p %d\n", pPager, pList->pgno));
+      rc = sqlite3OsWrite(pPager->fd, pData, pPager->pageSize);
+      PAGER_INCR(sqlite3_pager_writedb_count);
+      PAGER_INCR(pPager->nWrite);
+      if( pList->pgno==1 ){
+        memcpy(&pPager->dbFileVers, &pData[24], sizeof(pPager->dbFileVers));
+      }
+    }
+#ifndef NDEBUG
+    else{
+      PAGERTRACE3("NOSTORE %d page %d\n", PAGERID(pPager), pList->pgno);
+    }
+#endif
+    if( rc ) return rc;
+    pList->dirty = 0;
+#ifdef SQLITE_CHECK_PAGES
+    pList->pageHash = pager_pagehash(pList);
+#endif
+    pList = pList->pDirty;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Collect every dirty page into a dirty list and
+** return a pointer to the head of that list.  All pages are
+** collected even if they are still in use.
+*/
+static PgHdr *pager_get_all_dirty_pages(Pager *pPager){
+  return pPager->pDirty;
+}
+
+/*
+** Return TRUE if there is a hot journal on the given pager.
+** A hot journal is one that needs to be played back.
+**
+** If the current size of the database file is 0 but a journal file
+** exists, that is probably an old journal left over from a prior
+** database with the same name.  Just delete the journal.
+*/
+static int hasHotJournal(Pager *pPager){
+  if( !pPager->useJournal ) return 0;
+  if( !sqlite3OsFileExists(pPager->zJournal) ){
+    return 0;
+  }
+  if( sqlite3OsCheckReservedLock(pPager->fd) ){
+    return 0;
+  }
+  if( sqlite3PagerPagecount(pPager)==0 ){
+    sqlite3OsDelete(pPager->zJournal);
+    return 0;
+  }else{
+    return 1;
+  }
+}
+
+/*
+** Try to find a page in the cache that can be recycled. 
+**
+** This routine may return SQLITE_IOERR, SQLITE_FULL or SQLITE_OK. It 
+** does not set the pPager->errCode variable.
+*/
+static int pager_recycle(Pager *pPager, int syncOk, PgHdr **ppPg){
+  PgHdr *pPg;
+  *ppPg = 0;
+
+  assert(!MEMDB);
+
+  /* Find a page to recycle.  Try to locate a page that does not
+  ** require us to do an fsync() on the journal.
+  */
+  pPg = pPager->pFirstSynced;
+
+  /* If we could not find a page that does not require an fsync()
+  ** on the journal file then fsync the journal file.  This is a
+  ** very slow operation, so we work hard to avoid it.  But sometimes
+  ** it can't be helped.
+  */
+  if( pPg==0 && pPager->pFirst && syncOk && !MEMDB){
+    int rc = syncJournal(pPager);
+    if( rc!=0 ){
+      return rc;
+    }
+    if( pPager->fullSync ){
+      /* If in full-sync mode, write a new journal header into the
+      ** journal file. This is done to avoid ever modifying a journal
+      ** header that is involved in the rollback of pages that have
+      ** already been written to the database (in case the header is
+      ** trashed when the nRec field is updated).
+      */
+      pPager->nRec = 0;
+      assert( pPager->journalOff > 0 );
+      assert( pPager->doNotSync==0 );
+      rc = writeJournalHdr(pPager);
+      if( rc!=0 ){
+        return rc;
+      }
+    }
+    pPg = pPager->pFirst;
+  }
+  if( pPg==0 ){
+    return SQLITE_OK;
+  }
+
+  assert( pPg->nRef==0 );
+
+  /* Write the page to the database file if it is dirty.
+  */
+  if( pPg->dirty ){
+    int rc;
+    assert( pPg->needSync==0 );
+    makeClean(pPg);
+    pPg->dirty = 1;
+    pPg->pDirty = 0;
+    rc = pager_write_pagelist( pPg );
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+  }
+  assert( pPg->dirty==0 );
+
+  /* If the page we are recycling is marked as alwaysRollback, then
+  ** set the global alwaysRollback flag, thus disabling the
+  ** sqlite3PagerDontRollback() optimization for the rest of this transaction.
+  ** It is necessary to do this because the page marked alwaysRollback
+  ** might be reloaded at a later time but at that point we won't remember
+  ** that is was marked alwaysRollback.  This means that all pages must
+  ** be marked as alwaysRollback from here on out.
+  */
+  if( pPg->alwaysRollback ){
+    IOTRACE(("ALWAYS_ROLLBACK %p\n", pPager))
+    pPager->alwaysRollback = 1;
+  }
+
+  /* Unlink the old page from the free list and the hash table
+  */
+  unlinkPage(pPg);
+  assert( pPg->pgno==0 );
+
+  *ppPg = pPg;
+  return SQLITE_OK;
+}
+
+/*
+** This function is called to free superfluous dynamically allocated memory
+** held by the pager system. Memory in use by any SQLite pager allocated
+** by the current thread may be sqliteFree()ed.
+**
+** nReq is the number of bytes of memory required. Once this much has
+** been released, the function returns. A negative value for nReq means
+** free as much memory as possible. The return value is the total number 
+** of bytes of memory released.
+*/
+#ifdef SQLITE_ENABLE_MEMORY_MANAGEMENT
+int sqlite3PagerReleaseMemory(int nReq){
+  const ThreadData *pTsdro = sqlite3ThreadDataReadOnly();
+  int nReleased = 0;
+  int i;
+
+  /* If the the global mutex is held, this subroutine becomes a
+  ** o-op; zero bytes of memory are freed.  This is because
+  ** some of the code invoked by this function may also
+  ** try to obtain the mutex, resulting in a deadlock.
+  */
+  if( sqlite3OsInMutex(0) ){
+    return 0;
+  }
+
+  /* Outermost loop runs for at most two iterations. First iteration we
+  ** try to find memory that can be released without calling fsync(). Second
+  ** iteration (which only runs if the first failed to free nReq bytes of
+  ** memory) is permitted to call fsync(). This is of course much more 
+  ** expensive.
+  */
+  for(i=0; i<=1; i++){
+
+    /* Loop through all the SQLite pagers opened by the current thread. */
+    Pager *pPager = pTsdro->pPager;
+    for( ; pPager && (nReq<0 || nReleased<nReq); pPager=pPager->pNext){
+      PgHdr *pPg;
+      int rc;
+
+      if( MEMDB ){
+        continue;
+      }
+
+      /* For each pager, try to free as many pages as possible (without 
+      ** calling fsync() if this is the first iteration of the outermost 
+      ** loop).
+      */
+      while( SQLITE_OK==(rc = pager_recycle(pPager, i, &pPg)) && pPg) {
+        /* We've found a page to free. At this point the page has been 
+        ** removed from the page hash-table, free-list and synced-list 
+        ** (pFirstSynced). It is still in the all pages (pAll) list. 
+        ** Remove it from this list before freeing.
+        **
+        ** Todo: Check the Pager.pStmt list to make sure this is Ok. It 
+        ** probably is though.
+        */
+        PgHdr *pTmp;
+        assert( pPg );
+        if( pPg==pPager->pAll ){
+           pPager->pAll = pPg->pNextAll;
+        }else{
+          for( pTmp=pPager->pAll; pTmp->pNextAll!=pPg; pTmp=pTmp->pNextAll ){}
+          pTmp->pNextAll = pPg->pNextAll;
+        }
+        nReleased += sqliteAllocSize(pPg);
+        IOTRACE(("PGFREE %p %d\n", pPager, pPg->pgno));
+        PAGER_INCR(sqlite3_pager_pgfree_count);
+        sqliteFree(pPg);
+      }
+
+      if( rc!=SQLITE_OK ){
+        /* An error occured whilst writing to the database file or 
+        ** journal in pager_recycle(). The error is not returned to the 
+        ** caller of this function. Instead, set the Pager.errCode variable.
+        ** The error will be returned to the user (or users, in the case 
+        ** of a shared pager cache) of the pager for which the error occured.
+        */
+        assert( (rc&0xff)==SQLITE_IOERR || rc==SQLITE_FULL );
+        assert( pPager->state>=PAGER_RESERVED );
+        pager_error(pPager, rc);
+      }
+    }
+  }
+
+  return nReleased;
+}
+#endif /* SQLITE_ENABLE_MEMORY_MANAGEMENT */
+
+/*
+** Read the content of page pPg out of the database file.
+*/
+static int readDbPage(Pager *pPager, PgHdr *pPg, Pgno pgno){
+  int rc;
+  assert( MEMDB==0 );
+  rc = sqlite3OsSeek(pPager->fd, (pgno-1)*(i64)pPager->pageSize);
+  if( rc==SQLITE_OK ){
+    rc = sqlite3OsRead(pPager->fd, PGHDR_TO_DATA(pPg),
+                          pPager->pageSize);
+  }
+  PAGER_INCR(sqlite3_pager_readdb_count);
+  PAGER_INCR(pPager->nRead);
+  IOTRACE(("PGIN %p %d\n", pPager, pgno));
+  PAGERTRACE3("FETCH %d page %d\n", PAGERID(pPager), pPg->pgno);
+  if( pgno==1 ){
+    memcpy(&pPager->dbFileVers, &((u8*)PGHDR_TO_DATA(pPg))[24],
+                                              sizeof(pPager->dbFileVers));
+  }
+  CODEC1(pPager, PGHDR_TO_DATA(pPg), pPg->pgno, 3);
+  return rc;
+}
+
+
+/*
+** This function is called to obtain the shared lock required before
+** data may be read from the pager cache. If the shared lock has already
+** been obtained, this function is a no-op.
+**
+** Immediately after obtaining the shared lock (if required), this function
+** checks for a hot-journal file. If one is found, an emergency rollback
+** is performed immediately.
+*/
+static int pagerSharedLock(Pager *pPager){
+  int rc = SQLITE_OK;
+
+  if( pPager->state==PAGER_UNLOCK ){
+    if( !MEMDB ){
+      assert( pPager->nRef==0 );
+      if( !pPager->noReadlock ){
+        rc = pager_wait_on_lock(pPager, SHARED_LOCK);
+        if( rc!=SQLITE_OK ){
+          return pager_error(pPager, rc);
+        }
+        assert( pPager->state>=SHARED_LOCK );
+      }
+  
+      /* If a journal file exists, and there is no RESERVED lock on the
+      ** database file, then it either needs to be played back or deleted.
+      */
+      if( hasHotJournal(pPager) ){
+        /* Get an EXCLUSIVE lock on the database file. At this point it is
+        ** important that a RESERVED lock is not obtained on the way to the
+        ** EXCLUSIVE lock. If it were, another process might open the
+        ** database file, detect the RESERVED lock, and conclude that the
+        ** database is safe to read while this process is still rolling it 
+        ** back.
+        ** 
+        ** Because the intermediate RESERVED lock is not requested, the
+        ** second process will get to this point in the code and fail to
+        ** obtain it's own EXCLUSIVE lock on the database file.
+        */
+        rc = sqlite3OsLock(pPager->fd, EXCLUSIVE_LOCK);
+        if( rc!=SQLITE_OK ){
+          pager_unlock(pPager);
+          return pager_error(pPager, rc);
+        }
+        pPager->state = PAGER_EXCLUSIVE;
+ 
+        /* Open the journal for reading only.  Return SQLITE_BUSY if
+        ** we are unable to open the journal file. 
+        **
+        ** The journal file does not need to be locked itself.  The
+        ** journal file is never open unless the main database file holds
+        ** a write lock, so there is never any chance of two or more
+        ** processes opening the journal at the same time.
+        **
+	** Open the journal for read/write access. This is because in 
+	** exclusive-access mode the file descriptor will be kept open and
+        ** possibly used for a transaction later on. On some systems, the
+        ** OsTruncate() call used in exclusive-access mode also requires
+        ** a read/write file handle.
+        */
+        rc = SQLITE_BUSY;
+        if( sqlite3OsFileExists(pPager->zJournal) ){
+          int ro;
+          assert( !pPager->tempFile );
+          rc = sqlite3OsOpenReadWrite(pPager->zJournal, &pPager->jfd, &ro);
+          assert( rc!=SQLITE_OK || pPager->jfd );
+          if( ro ){
+            rc = SQLITE_BUSY;
+            sqlite3OsClose(&pPager->jfd);
+          }
+        }
+        if( rc!=SQLITE_OK ){
+          pager_unlock(pPager);
+          return SQLITE_BUSY;
+        }
+        pPager->journalOpen = 1;
+        pPager->journalStarted = 0;
+        pPager->journalOff = 0;
+        pPager->setMaster = 0;
+        pPager->journalHdr = 0;
+ 
+        /* Playback and delete the journal.  Drop the database write
+        ** lock and reacquire the read lock.
+        */
+        rc = pager_playback(pPager, 1);
+        if( rc!=SQLITE_OK ){
+          return pager_error(pPager, rc);
+        }
+        assert(pPager->state==PAGER_SHARED || 
+            (pPager->exclusiveMode && pPager->state>PAGER_SHARED)
+        );
+      }
+
+      if( pPager->pAll ){
+        /* The shared-lock has just been acquired on the database file
+        ** and there are already pages in the cache (from a previous
+        ** read or write transaction).  Check to see if the database
+        ** has been modified.  If the database has changed, flush the
+        ** cache.
+        **
+        ** Database changes is detected by looking at 15 bytes beginning
+        ** at offset 24 into the file.  The first 4 of these 16 bytes are
+        ** a 32-bit counter that is incremented with each change.  The
+        ** other bytes change randomly with each file change when
+        ** a codec is in use.
+        ** 
+        ** There is a vanishingly small chance that a change will not be 
+        ** deteched.  The chance of an undetected change is so small that
+        ** it can be neglected.
+        */
+        char dbFileVers[sizeof(pPager->dbFileVers)];
+        sqlite3PagerPagecount(pPager);
+
+        if( pPager->errCode ){
+          return pPager->errCode;
+        }
+
+        if( pPager->dbSize>0 ){
+          rc = sqlite3OsSeek(pPager->fd, 24);
+          if( rc!=SQLITE_OK ){
+            return rc;
+          }
+          rc = sqlite3OsRead(pPager->fd, &dbFileVers, sizeof(dbFileVers));
+          if( rc!=SQLITE_OK ){
+            return rc;
+          }
+        }else{
+          memset(dbFileVers, 0, sizeof(dbFileVers));
+        }
+
+        if( memcmp(pPager->dbFileVers, dbFileVers, sizeof(dbFileVers))!=0 ){
+          pager_reset(pPager);
+        }
+      }
+    }
+    assert( pPager->exclusiveMode || pPager->state<=PAGER_SHARED );
+    if( pPager->state==PAGER_UNLOCK ){
+      pPager->state = PAGER_SHARED;
+    }
+  }
+
+  return rc;
+}
+
+/*
+** Allocate a PgHdr object.   Either create a new one or reuse
+** an existing one that is not otherwise in use.
+**
+** A new PgHdr structure is created if any of the following are
+** true:
+**
+**     (1)  We have not exceeded our maximum allocated cache size
+**          as set by the "PRAGMA cache_size" command.
+**
+**     (2)  There are no unused PgHdr objects available at this time.
+**
+**     (3)  This is an in-memory database.
+**
+**     (4)  There are no PgHdr objects that do not require a journal
+**          file sync and a sync of the journal file is currently
+**          prohibited.
+**
+** Otherwise, reuse an existing PgHdr.  In other words, reuse an
+** existing PgHdr if all of the following are true:
+**
+**     (1)  We have reached or exceeded the maximum cache size
+**          allowed by "PRAGMA cache_size".
+**
+**     (2)  There is a PgHdr available with PgHdr->nRef==0
+**
+**     (3)  We are not in an in-memory database
+**
+**     (4)  Either there is an available PgHdr that does not need
+**          to be synced to disk or else disk syncing is currently
+**          allowed.
+*/
+static int pagerAllocatePage(Pager *pPager, PgHdr **ppPg){
+  int rc = SQLITE_OK;
+  PgHdr *pPg;
+
+  /* Create a new PgHdr if any of the four conditions defined 
+  ** above is met: */
+  if( pPager->nPage<pPager->mxPage
+   || pPager->pFirst==0 
+   || MEMDB
+   || (pPager->pFirstSynced==0 && pPager->doNotSync)
+  ){
+    if( pPager->nPage>=pPager->nHash ){
+      pager_resize_hash_table(pPager,
+         pPager->nHash<256 ? 256 : pPager->nHash*2);
+      if( pPager->nHash==0 ){
+        rc = SQLITE_NOMEM;
+        goto pager_allocate_out;
+      }
+    }
+    pPg = sqliteMallocRaw( sizeof(*pPg) + pPager->pageSize
+                            + sizeof(u32) + pPager->nExtra
+                            + MEMDB*sizeof(PgHistory) );
+    if( pPg==0 ){
+      rc = SQLITE_NOMEM;
+      goto pager_allocate_out;
+    }
+    memset(pPg, 0, sizeof(*pPg));
+    if( MEMDB ){
+      memset(PGHDR_TO_HIST(pPg, pPager), 0, sizeof(PgHistory));
+    }
+    pPg->pPager = pPager;
+    pPg->pNextAll = pPager->pAll;
+    pPager->pAll = pPg;
+    pPager->nPage++;
+    if( pPager->nPage>pPager->nMaxPage ){
+      assert( pPager->nMaxPage==(pPager->nPage-1) );
+      pPager->nMaxPage++;
+    }
+  }else{
+    /* Recycle an existing page with a zero ref-count. */
+    rc = pager_recycle(pPager, 1, &pPg);
+    if( rc!=SQLITE_OK ){
+      goto pager_allocate_out;
+    }
+    assert( pPager->state>=SHARED_LOCK );
+    assert(pPg);
+  }
+  *ppPg = pPg;
+
+pager_allocate_out:
+  return rc;
+}
+
+/*
+** Acquire a page.
+**
+** A read lock on the disk file is obtained when the first page is acquired. 
+** This read lock is dropped when the last page is released.
+**
+** A _get works for any page number greater than 0.  If the database
+** file is smaller than the requested page, then no actual disk
+** read occurs and the memory image of the page is initialized to
+** all zeros.  The extra data appended to a page is always initialized
+** to zeros the first time a page is loaded into memory.
+**
+** The acquisition might fail for several reasons.  In all cases,
+** an appropriate error code is returned and *ppPage is set to NULL.
+**
+** See also sqlite3PagerLookup().  Both this routine and _lookup() attempt
+** to find a page in the in-memory cache first.  If the page is not already
+** in memory, this routine goes to disk to read it in whereas _lookup()
+** just returns 0.  This routine acquires a read-lock the first time it
+** has to go to disk, and could also playback an old journal if necessary.
+** Since _lookup() never goes to disk, it never has to deal with locks
+** or journal files.
+**
+** If noContent is false, the page contents are actually read from disk.
+** If noContent is true, it means that we do not care about the contents
+** of the page at this time, so do not do a disk read.  Just fill in the
+** page content with zeros.  But mark the fact that we have not read the
+** content by setting the PgHdr.needRead flag.  Later on, if 
+** sqlite3PagerWrite() is called on this page, that means that the
+** content is needed and the disk read should occur at that point.
+*/
+int sqlite3PagerAcquire(
+  Pager *pPager,      /* The pager open on the database file */
+  Pgno pgno,          /* Page number to fetch */
+  DbPage **ppPage,    /* Write a pointer to the page here */
+  int noContent       /* Do not bother reading content from disk if true */
+){
+  PgHdr *pPg;
+  int rc;
+
+  assert( pPager->state==PAGER_UNLOCK || pPager->nRef>0 || pgno==1 );
+
+  /* The maximum page number is 2^31. Return SQLITE_CORRUPT if a page
+  ** number greater than this, or zero, is requested.
+  */
+  if( pgno>PAGER_MAX_PGNO || pgno==0 || pgno==PAGER_MJ_PGNO(pPager) ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+
+  /* Make sure we have not hit any critical errors.
+  */ 
+  assert( pPager!=0 );
+  *ppPage = 0;
+  if( pPager->errCode && pPager->errCode!=SQLITE_FULL ){
+    return pPager->errCode;
+  }
+
+  /* If this is the first page accessed, then get a SHARED lock
+  ** on the database file. pagerSharedLock() is a no-op if 
+  ** a database lock is already held.
+  */
+  rc = pagerSharedLock(pPager);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  assert( pPager->state!=PAGER_UNLOCK );
+
+  pPg = pager_lookup(pPager, pgno);
+  if( pPg==0 ){
+    /* The requested page is not in the page cache. */
+    int nMax;
+    int h;
+    PAGER_INCR(pPager->nMiss);
+    rc = pagerAllocatePage(pPager, &pPg);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+
+    pPg->pgno = pgno;
+    assert( !MEMDB || pgno>pPager->stmtSize );
+    if( pPager->aInJournal && (int)pgno<=pPager->origDbSize ){
+      sqlite3CheckMemory(pPager->aInJournal, pgno/8);
+      assert( pPager->journalOpen );
+      pPg->inJournal = (pPager->aInJournal[pgno/8] & (1<<(pgno&7)))!=0;
+      pPg->needSync = 0;
+    }else{
+      pPg->inJournal = 0;
+      pPg->needSync = 0;
+    }
+
+    makeClean(pPg);
+    pPg->nRef = 1;
+    REFINFO(pPg);
+
+    pPager->nRef++;
+    if( pPager->nExtra>0 ){
+      memset(PGHDR_TO_EXTRA(pPg, pPager), 0, pPager->nExtra);
+    }
+    nMax = sqlite3PagerPagecount(pPager);
+    if( pPager->errCode ){
+      sqlite3PagerUnref(pPg);
+      rc = pPager->errCode;
+      return rc;
+    }
+
+    /* Populate the page with data, either by reading from the database
+    ** file, or by setting the entire page to zero.
+    */
+    if( nMax<(int)pgno || MEMDB || (noContent && !pPager->alwaysRollback) ){
+      memset(PGHDR_TO_DATA(pPg), 0, pPager->pageSize);
+      pPg->needRead = noContent && !pPager->alwaysRollback;
+      IOTRACE(("ZERO %p %d\n", pPager, pgno));
+    }else{
+      rc = readDbPage(pPager, pPg, pgno);
+      if( rc!=SQLITE_OK && rc!=SQLITE_IOERR_SHORT_READ ){
+        pPg->pgno = 0;
+        sqlite3PagerUnref(pPg);
+        return rc;
+      }
+    }
+
+    /* Link the page into the page hash table */
+    h = pgno & (pPager->nHash-1);
+    assert( pgno!=0 );
+    pPg->pNextHash = pPager->aHash[h];
+    pPager->aHash[h] = pPg;
+    if( pPg->pNextHash ){
+      assert( pPg->pNextHash->pPrevHash==0 );
+      pPg->pNextHash->pPrevHash = pPg;
+    }
+
+#ifdef SQLITE_CHECK_PAGES
+    pPg->pageHash = pager_pagehash(pPg);
+#endif
+  }else{
+    /* The requested page is in the page cache. */
+    assert(pPager->nRef>0 || pgno==1);
+    PAGER_INCR(pPager->nHit);
+    page_ref(pPg);
+  }
+  *ppPage = pPg;
+  return SQLITE_OK;
+}
+
+/*
+** Acquire a page if it is already in the in-memory cache.  Do
+** not read the page from disk.  Return a pointer to the page,
+** or 0 if the page is not in cache.
+**
+** See also sqlite3PagerGet().  The difference between this routine
+** and sqlite3PagerGet() is that _get() will go to the disk and read
+** in the page if the page is not already in cache.  This routine
+** returns NULL if the page is not in cache or if a disk I/O error 
+** has ever happened.
+*/
+DbPage *sqlite3PagerLookup(Pager *pPager, Pgno pgno){
+  PgHdr *pPg;
+
+  assert( pPager!=0 );
+  assert( pgno!=0 );
+
+  if( pPager->state==PAGER_UNLOCK ){
+    assert( !pPager->pAll || pPager->exclusiveMode );
+    return 0;
+  }
+  if( pPager->errCode && pPager->errCode!=SQLITE_FULL ){
+    return 0;
+  }
+  pPg = pager_lookup(pPager, pgno);
+  if( pPg==0 ) return 0;
+  page_ref(pPg);
+  return pPg;
+}
+
+/*
+** Release a page.
+**
+** If the number of references to the page drop to zero, then the
+** page is added to the LRU list.  When all references to all pages
+** are released, a rollback occurs and the lock on the database is
+** removed.
+*/
+int sqlite3PagerUnref(DbPage *pPg){
+
+  /* Decrement the reference count for this page
+  */
+  assert( pPg->nRef>0 );
+  pPg->nRef--;
+  REFINFO(pPg);
+
+  CHECK_PAGE(pPg);
+
+  /* When the number of references to a page reach 0, call the
+  ** destructor and add the page to the freelist.
+  */
+  if( pPg->nRef==0 ){
+    Pager *pPager;
+    pPager = pPg->pPager;
+    pPg->pNextFree = 0;
+    pPg->pPrevFree = pPager->pLast;
+    pPager->pLast = pPg;
+    if( pPg->pPrevFree ){
+      pPg->pPrevFree->pNextFree = pPg;
+    }else{
+      pPager->pFirst = pPg;
+    }
+    if( pPg->needSync==0 && pPager->pFirstSynced==0 ){
+      pPager->pFirstSynced = pPg;
+    }
+    if( pPager->xDestructor ){
+      pPager->xDestructor(pPg, pPager->pageSize);
+    }
+  
+    /* When all pages reach the freelist, drop the read lock from
+    ** the database file.
+    */
+    pPager->nRef--;
+    assert( pPager->nRef>=0 );
+    if( pPager->nRef==0 && (!pPager->exclusiveMode || pPager->journalOff>0) ){
+      pagerUnlockAndRollback(pPager);
+    }
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Create a journal file for pPager.  There should already be a RESERVED
+** or EXCLUSIVE lock on the database file when this routine is called.
+**
+** Return SQLITE_OK if everything.  Return an error code and release the
+** write lock if anything goes wrong.
+*/
+static int pager_open_journal(Pager *pPager){
+  int rc;
+  assert( !MEMDB );
+  assert( pPager->state>=PAGER_RESERVED );
+  assert( pPager->journalOpen==0 );
+  assert( pPager->useJournal );
+  assert( pPager->aInJournal==0 );
+  sqlite3PagerPagecount(pPager);
+  pPager->aInJournal = sqliteMalloc( pPager->dbSize/8 + 1 );
+  if( pPager->aInJournal==0 ){
+    rc = SQLITE_NOMEM;
+    goto failed_to_open_journal;
+  }
+  rc = sqlite3OsOpenExclusive(pPager->zJournal, &pPager->jfd,
+                                 pPager->tempFile);
+  assert( rc!=SQLITE_OK || pPager->jfd );
+  pPager->journalOff = 0;
+  pPager->setMaster = 0;
+  pPager->journalHdr = 0;
+  if( rc!=SQLITE_OK ){
+    if( rc==SQLITE_NOMEM ){
+      sqlite3OsDelete(pPager->zJournal);
+    }
+    goto failed_to_open_journal;
+  }
+  sqlite3OsSetFullSync(pPager->jfd, pPager->full_fsync);
+  sqlite3OsSetFullSync(pPager->fd, pPager->full_fsync);
+  sqlite3OsOpenDirectory(pPager->jfd, pPager->zDirectory);
+  pPager->journalOpen = 1;
+  pPager->journalStarted = 0;
+  pPager->needSync = 0;
+  pPager->alwaysRollback = 0;
+  pPager->nRec = 0;
+  if( pPager->errCode ){
+    rc = pPager->errCode;
+    goto failed_to_open_journal;
+  }
+  pPager->origDbSize = pPager->dbSize;
+
+  rc = writeJournalHdr(pPager);
+
+  if( pPager->stmtAutoopen && rc==SQLITE_OK ){
+    rc = sqlite3PagerStmtBegin(pPager);
+  }
+  if( rc!=SQLITE_OK && rc!=SQLITE_NOMEM ){
+    rc = pager_end_transaction(pPager);
+    if( rc==SQLITE_OK ){
+      rc = SQLITE_FULL;
+    }
+  }
+  return rc;
+
+failed_to_open_journal:
+  sqliteFree(pPager->aInJournal);
+  pPager->aInJournal = 0;
+  return rc;
+}
+
+/*
+** Acquire a write-lock on the database.  The lock is removed when
+** the any of the following happen:
+**
+**   *  sqlite3PagerCommitPhaseTwo() is called.
+**   *  sqlite3PagerRollback() is called.
+**   *  sqlite3PagerClose() is called.
+**   *  sqlite3PagerUnref() is called to on every outstanding page.
+**
+** The first parameter to this routine is a pointer to any open page of the
+** database file.  Nothing changes about the page - it is used merely to
+** acquire a pointer to the Pager structure and as proof that there is
+** already a read-lock on the database.
+**
+** The second parameter indicates how much space in bytes to reserve for a
+** master journal file-name at the start of the journal when it is created.
+**
+** A journal file is opened if this is not a temporary file.  For temporary
+** files, the opening of the journal file is deferred until there is an
+** actual need to write to the journal.
+**
+** If the database is already reserved for writing, this routine is a no-op.
+**
+** If exFlag is true, go ahead and get an EXCLUSIVE lock on the file
+** immediately instead of waiting until we try to flush the cache.  The
+** exFlag is ignored if a transaction is already active.
+*/
+int sqlite3PagerBegin(DbPage *pPg, int exFlag){
+  Pager *pPager = pPg->pPager;
+  int rc = SQLITE_OK;
+  assert( pPg->nRef>0 );
+  assert( pPager->state!=PAGER_UNLOCK );
+  if( pPager->state==PAGER_SHARED ){
+    assert( pPager->aInJournal==0 );
+    if( MEMDB ){
+      pPager->state = PAGER_EXCLUSIVE;
+      pPager->origDbSize = pPager->dbSize;
+    }else{
+      rc = sqlite3OsLock(pPager->fd, RESERVED_LOCK);
+      if( rc==SQLITE_OK ){
+        pPager->state = PAGER_RESERVED;
+        if( exFlag ){
+          rc = pager_wait_on_lock(pPager, EXCLUSIVE_LOCK);
+        }
+      }
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+      pPager->dirtyCache = 0;
+      PAGERTRACE2("TRANSACTION %d\n", PAGERID(pPager));
+      if( pPager->useJournal && !pPager->tempFile ){
+        rc = pager_open_journal(pPager);
+      }
+    }
+  }else if( pPager->journalOpen && pPager->journalOff==0 ){
+    /* This happens when the pager was in exclusive-access mode last
+    ** time a (read or write) transaction was successfully concluded
+    ** by this connection. Instead of deleting the journal file it was 
+    ** kept open and truncated to 0 bytes.
+    */
+    assert( pPager->nRec==0 );
+    assert( pPager->origDbSize==0 );
+    assert( pPager->aInJournal==0 );
+    sqlite3PagerPagecount(pPager);
+    pPager->aInJournal = sqliteMalloc( pPager->dbSize/8 + 1 );
+    if( !pPager->aInJournal ){
+      rc = SQLITE_NOMEM;
+    }else{
+      pPager->origDbSize = pPager->dbSize;
+      rc = writeJournalHdr(pPager);
+    }
+  }
+  assert( !pPager->journalOpen || pPager->journalOff>0 || rc!=SQLITE_OK );
+  return rc;
+}
+
+/*
+** Make a page dirty.  Set its dirty flag and add it to the dirty
+** page list.
+*/
+static void makeDirty(PgHdr *pPg){
+  if( pPg->dirty==0 ){
+    Pager *pPager = pPg->pPager;
+    pPg->dirty = 1;
+    pPg->pDirty = pPager->pDirty;
+    if( pPager->pDirty ){
+      pPager->pDirty->pPrevDirty = pPg;
+    }
+    pPg->pPrevDirty = 0;
+    pPager->pDirty = pPg;
+  }
+}
+
+/*
+** Make a page clean.  Clear its dirty bit and remove it from the
+** dirty page list.
+*/
+static void makeClean(PgHdr *pPg){
+  if( pPg->dirty ){
+    pPg->dirty = 0;
+    if( pPg->pDirty ){
+      pPg->pDirty->pPrevDirty = pPg->pPrevDirty;
+    }
+    if( pPg->pPrevDirty ){
+      pPg->pPrevDirty->pDirty = pPg->pDirty;
+    }else{
+      pPg->pPager->pDirty = pPg->pDirty;
+    }
+  }
+}
+
+
+/*
+** Mark a data page as writeable.  The page is written into the journal 
+** if it is not there already.  This routine must be called before making
+** changes to a page.
+**
+** The first time this routine is called, the pager creates a new
+** journal and acquires a RESERVED lock on the database.  If the RESERVED
+** lock could not be acquired, this routine returns SQLITE_BUSY.  The
+** calling routine must check for that return value and be careful not to
+** change any page data until this routine returns SQLITE_OK.
+**
+** If the journal file could not be written because the disk is full,
+** then this routine returns SQLITE_FULL and does an immediate rollback.
+** All subsequent write attempts also return SQLITE_FULL until there
+** is a call to sqlite3PagerCommit() or sqlite3PagerRollback() to
+** reset.
+*/
+static int pager_write(PgHdr *pPg){
+  void *pData = PGHDR_TO_DATA(pPg);
+  Pager *pPager = pPg->pPager;
+  int rc = SQLITE_OK;
+
+  /* Check for errors
+  */
+  if( pPager->errCode ){ 
+    return pPager->errCode;
+  }
+  if( pPager->readOnly ){
+    return SQLITE_PERM;
+  }
+
+  assert( !pPager->setMaster );
+
+  CHECK_PAGE(pPg);
+
+  /* If this page was previously acquired with noContent==1, that means
+  ** we didn't really read in the content of the page.  This can happen
+  ** (for example) when the page is being moved to the freelist.  But
+  ** now we are (perhaps) moving the page off of the freelist for
+  ** reuse and we need to know its original content so that content
+  ** can be stored in the rollback journal.  So do the read at this
+  ** time.
+  */
+  if( pPg->needRead ){
+    rc = readDbPage(pPager, pPg, pPg->pgno);
+    if( rc==SQLITE_OK ){
+      pPg->needRead = 0;
+    }else{
+      return rc;
+    }
+  }
+
+  /* Mark the page as dirty.  If the page has already been written
+  ** to the journal then we can return right away.
+  */
+  makeDirty(pPg);
+  if( pPg->inJournal && (pageInStatement(pPg) || pPager->stmtInUse==0) ){
+    pPager->dirtyCache = 1;
+  }else{
+
+    /* If we get this far, it means that the page needs to be
+    ** written to the transaction journal or the ckeckpoint journal
+    ** or both.
+    **
+    ** First check to see that the transaction journal exists and
+    ** create it if it does not.
+    */
+    assert( pPager->state!=PAGER_UNLOCK );
+    rc = sqlite3PagerBegin(pPg, 0);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+    assert( pPager->state>=PAGER_RESERVED );
+    if( !pPager->journalOpen && pPager->useJournal ){
+      rc = pager_open_journal(pPager);
+      if( rc!=SQLITE_OK ) return rc;
+    }
+    assert( pPager->journalOpen || !pPager->useJournal );
+    pPager->dirtyCache = 1;
+  
+    /* The transaction journal now exists and we have a RESERVED or an
+    ** EXCLUSIVE lock on the main database file.  Write the current page to
+    ** the transaction journal if it is not there already.
+    */
+    if( !pPg->inJournal && (pPager->useJournal || MEMDB) ){
+      if( (int)pPg->pgno <= pPager->origDbSize ){
+        int szPg;
+        if( MEMDB ){
+          PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+          PAGERTRACE3("JOURNAL %d page %d\n", PAGERID(pPager), pPg->pgno);
+          assert( pHist->pOrig==0 );
+          pHist->pOrig = sqliteMallocRaw( pPager->pageSize );
+          if( pHist->pOrig ){
+            memcpy(pHist->pOrig, PGHDR_TO_DATA(pPg), pPager->pageSize);
+          }
+        }else{
+          u32 cksum, saved;
+          char *pData2, *pEnd;
+          /* We should never write to the journal file the page that
+          ** contains the database locks.  The following assert verifies
+          ** that we do not. */
+          assert( pPg->pgno!=PAGER_MJ_PGNO(pPager) );
+          pData2 = CODEC2(pPager, pData, pPg->pgno, 7);
+          cksum = pager_cksum(pPager, (u8*)pData2);
+          pEnd = pData2 + pPager->pageSize;
+          pData2 -= 4;
+          saved = *(u32*)pEnd;
+          put32bits(pEnd, cksum);
+          szPg = pPager->pageSize+8;
+          put32bits(pData2, pPg->pgno);
+          rc = sqlite3OsWrite(pPager->jfd, pData2, szPg);
+          IOTRACE(("JOUT %p %d %lld %d\n", pPager, pPg->pgno,
+                   pPager->journalOff, szPg));
+          PAGER_INCR(sqlite3_pager_writej_count);
+          pPager->journalOff += szPg;
+          PAGERTRACE4("JOURNAL %d page %d needSync=%d\n",
+                  PAGERID(pPager), pPg->pgno, pPg->needSync);
+          *(u32*)pEnd = saved;
+
+	  /* An error has occured writing to the journal file. The 
+          ** transaction will be rolled back by the layer above.
+          */
+          if( rc!=SQLITE_OK ){
+            return rc;
+          }
+
+          pPager->nRec++;
+          assert( pPager->aInJournal!=0 );
+          pPager->aInJournal[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+          pPg->needSync = !pPager->noSync;
+          if( pPager->stmtInUse ){
+            pPager->aInStmt[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+          }
+        }
+      }else{
+        pPg->needSync = !pPager->journalStarted && !pPager->noSync;
+        PAGERTRACE4("APPEND %d page %d needSync=%d\n",
+                PAGERID(pPager), pPg->pgno, pPg->needSync);
+      }
+      if( pPg->needSync ){
+        pPager->needSync = 1;
+      }
+      pPg->inJournal = 1;
+    }
+  
+    /* If the statement journal is open and the page is not in it,
+    ** then write the current page to the statement journal.  Note that
+    ** the statement journal format differs from the standard journal format
+    ** in that it omits the checksums and the header.
+    */
+    if( pPager->stmtInUse 
+     && !pageInStatement(pPg) 
+     && (int)pPg->pgno<=pPager->stmtSize 
+    ){
+      assert( pPg->inJournal || (int)pPg->pgno>pPager->origDbSize );
+      if( MEMDB ){
+        PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+        assert( pHist->pStmt==0 );
+        pHist->pStmt = sqliteMallocRaw( pPager->pageSize );
+        if( pHist->pStmt ){
+          memcpy(pHist->pStmt, PGHDR_TO_DATA(pPg), pPager->pageSize);
+        }
+        PAGERTRACE3("STMT-JOURNAL %d page %d\n", PAGERID(pPager), pPg->pgno);
+        page_add_to_stmt_list(pPg);
+      }else{
+        char *pData2 = CODEC2(pPager, pData, pPg->pgno, 7)-4;
+        put32bits(pData2, pPg->pgno);
+        rc = sqlite3OsWrite(pPager->stfd, pData2, pPager->pageSize+4);
+        PAGERTRACE3("STMT-JOURNAL %d page %d\n", PAGERID(pPager), pPg->pgno);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+        pPager->stmtNRec++;
+        assert( pPager->aInStmt!=0 );
+        pPager->aInStmt[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+      }
+    }
+  }
+
+  /* Update the database size and return.
+  */
+  assert( pPager->state>=PAGER_SHARED );
+  if( pPager->dbSize<(int)pPg->pgno ){
+    pPager->dbSize = pPg->pgno;
+    if( !MEMDB && pPager->dbSize==PENDING_BYTE/pPager->pageSize ){
+      pPager->dbSize++;
+    }
+  }
+  return rc;
+}
+
+/*
+** This function is used to mark a data-page as writable. It uses 
+** pager_write() to open a journal file (if it is not already open)
+** and write the page *pData to the journal.
+**
+** The difference between this function and pager_write() is that this
+** function also deals with the special case where 2 or more pages
+** fit on a single disk sector. In this case all co-resident pages
+** must have been written to the journal file before returning.
+*/
+int sqlite3PagerWrite(DbPage *pDbPage){
+  int rc = SQLITE_OK;
+
+  PgHdr *pPg = pDbPage;
+  Pager *pPager = pPg->pPager;
+  Pgno nPagePerSector = (pPager->sectorSize/pPager->pageSize);
+
+  if( !MEMDB && nPagePerSector>1 ){
+    Pgno nPageCount;          /* Total number of pages in database file */
+    Pgno pg1;                 /* First page of the sector pPg is located on. */
+    int nPage;                /* Number of pages starting at pg1 to journal */
+    int ii;
+
+    /* Set the doNotSync flag to 1. This is because we cannot allow a journal
+    ** header to be written between the pages journaled by this function.
+    */
+    assert( pPager->doNotSync==0 );
+    pPager->doNotSync = 1;
+
+    /* This trick assumes that both the page-size and sector-size are
+    ** an integer power of 2. It sets variable pg1 to the identifier
+    ** of the first page of the sector pPg is located on.
+    */
+    pg1 = ((pPg->pgno-1) & ~(nPagePerSector-1)) + 1;
+
+    nPageCount = sqlite3PagerPagecount(pPager);
+    if( pPg->pgno>nPageCount ){
+      nPage = (pPg->pgno - pg1)+1;
+    }else if( (pg1+nPagePerSector-1)>nPageCount ){
+      nPage = nPageCount+1-pg1;
+    }else{
+      nPage = nPagePerSector;
+    }
+    assert(nPage>0);
+    assert(pg1<=pPg->pgno);
+    assert((pg1+nPage)>pPg->pgno);
+
+    for(ii=0; ii<nPage && rc==SQLITE_OK; ii++){
+      Pgno pg = pg1+ii;
+      if( !pPager->aInJournal || pg==pPg->pgno || 
+          pg>pPager->origDbSize || !(pPager->aInJournal[pg/8]&(1<<(pg&7)))
+      ) {
+        if( pg!=PAGER_MJ_PGNO(pPager) ){
+          PgHdr *pPage;
+          rc = sqlite3PagerGet(pPager, pg, &pPage);
+          if( rc==SQLITE_OK ){
+            rc = pager_write(pPage);
+            sqlite3PagerUnref(pPage);
+          }
+        }
+      }
+    }
+
+    assert( pPager->doNotSync==1 );
+    pPager->doNotSync = 0;
+  }else{
+    rc = pager_write(pDbPage);
+  }
+  return rc;
+}
+
+/*
+** Return TRUE if the page given in the argument was previously passed
+** to sqlite3PagerWrite().  In other words, return TRUE if it is ok
+** to change the content of the page.
+*/
+#ifndef NDEBUG
+int sqlite3PagerIswriteable(DbPage *pPg){
+  return pPg->dirty;
+}
+#endif
+
+#ifndef SQLITE_OMIT_VACUUM
+/*
+** Replace the content of a single page with the information in the third
+** argument.
+*/
+int sqlite3PagerOverwrite(Pager *pPager, Pgno pgno, void *pData){
+  PgHdr *pPg;
+  int rc;
+
+  rc = sqlite3PagerGet(pPager, pgno, &pPg);
+  if( rc==SQLITE_OK ){
+    rc = sqlite3PagerWrite(pPg);
+    if( rc==SQLITE_OK ){
+      memcpy(sqlite3PagerGetData(pPg), pData, pPager->pageSize);
+    }
+    sqlite3PagerUnref(pPg);
+  }
+  return rc;
+}
+#endif
+
+/*
+** A call to this routine tells the pager that it is not necessary to
+** write the information on page pPg back to the disk, even though
+** that page might be marked as dirty.
+**
+** The overlying software layer calls this routine when all of the data
+** on the given page is unused.  The pager marks the page as clean so
+** that it does not get written to disk.
+**
+** Tests show that this optimization, together with the
+** sqlite3PagerDontRollback() below, more than double the speed
+** of large INSERT operations and quadruple the speed of large DELETEs.
+**
+** When this routine is called, set the alwaysRollback flag to true.
+** Subsequent calls to sqlite3PagerDontRollback() for the same page
+** will thereafter be ignored.  This is necessary to avoid a problem
+** where a page with data is added to the freelist during one part of
+** a transaction then removed from the freelist during a later part
+** of the same transaction and reused for some other purpose.  When it
+** is first added to the freelist, this routine is called.  When reused,
+** the sqlite3PagerDontRollback() routine is called.  But because the
+** page contains critical data, we still need to be sure it gets
+** rolled back in spite of the sqlite3PagerDontRollback() call.
+*/
+void sqlite3PagerDontWrite(DbPage *pDbPage){
+  PgHdr *pPg = pDbPage;
+  Pager *pPager = pPg->pPager;
+
+  if( MEMDB ) return;
+  pPg->alwaysRollback = 1;
+  if( pPg->dirty && !pPager->stmtInUse ){
+    assert( pPager->state>=PAGER_SHARED );
+    if( pPager->dbSize==(int)pPg->pgno && pPager->origDbSize<pPager->dbSize ){
+      /* If this pages is the last page in the file and the file has grown
+      ** during the current transaction, then do NOT mark the page as clean.
+      ** When the database file grows, we must make sure that the last page
+      ** gets written at least once so that the disk file will be the correct
+      ** size. If you do not write this page and the size of the file
+      ** on the disk ends up being too small, that can lead to database
+      ** corruption during the next transaction.
+      */
+    }else{
+      PAGERTRACE3("DONT_WRITE page %d of %d\n", pPg->pgno, PAGERID(pPager));
+      IOTRACE(("CLEAN %p %d\n", pPager, pPg->pgno))
+      makeClean(pPg);
+#ifdef SQLITE_CHECK_PAGES
+      pPg->pageHash = pager_pagehash(pPg);
+#endif
+    }
+  }
+}
+
+/*
+** A call to this routine tells the pager that if a rollback occurs,
+** it is not necessary to restore the data on the given page.  This
+** means that the pager does not have to record the given page in the
+** rollback journal.
+**
+** If we have not yet actually read the content of this page (if
+** the PgHdr.needRead flag is set) then this routine acts as a promise
+** that we will never need to read the page content in the future.
+** so the needRead flag can be cleared at this point.
+*/
+void sqlite3PagerDontRollback(DbPage *pPg){
+  Pager *pPager = pPg->pPager;
+
+  assert( pPager->state>=PAGER_RESERVED );
+  if( pPager->journalOpen==0 ) return;
+  if( pPg->alwaysRollback || pPager->alwaysRollback || MEMDB ) return;
+  if( !pPg->inJournal && (int)pPg->pgno <= pPager->origDbSize ){
+    assert( pPager->aInJournal!=0 );
+    pPager->aInJournal[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+    pPg->inJournal = 1;
+    pPg->needRead = 0;
+    if( pPager->stmtInUse ){
+      pPager->aInStmt[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+    }
+    PAGERTRACE3("DONT_ROLLBACK page %d of %d\n", pPg->pgno, PAGERID(pPager));
+    IOTRACE(("GARBAGE %p %d\n", pPager, pPg->pgno))
+  }
+  if( pPager->stmtInUse 
+   && !pageInStatement(pPg) 
+   && (int)pPg->pgno<=pPager->stmtSize 
+  ){
+    assert( pPg->inJournal || (int)pPg->pgno>pPager->origDbSize );
+    assert( pPager->aInStmt!=0 );
+    pPager->aInStmt[pPg->pgno/8] |= 1<<(pPg->pgno&7);
+  }
+}
+
+
+/*
+** This routine is called to increment the database file change-counter,
+** stored at byte 24 of the pager file.
+*/
+static int pager_incr_changecounter(Pager *pPager){
+  PgHdr *pPgHdr;
+  u32 change_counter;
+  int rc;
+
+  if( !pPager->changeCountDone ){
+    /* Open page 1 of the file for writing. */
+    rc = sqlite3PagerGet(pPager, 1, &pPgHdr);
+    if( rc!=SQLITE_OK ) return rc;
+    rc = sqlite3PagerWrite(pPgHdr);
+    if( rc!=SQLITE_OK ) return rc;
+  
+    /* Read the current value at byte 24. */
+    change_counter = retrieve32bits(pPgHdr, 24);
+  
+    /* Increment the value just read and write it back to byte 24. */
+    change_counter++;
+    put32bits(((char*)PGHDR_TO_DATA(pPgHdr))+24, change_counter);
+  
+    /* Release the page reference. */
+    sqlite3PagerUnref(pPgHdr);
+    pPager->changeCountDone = 1;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Sync the database file for the pager pPager. zMaster points to the name
+** of a master journal file that should be written into the individual
+** journal file. zMaster may be NULL, which is interpreted as no master
+** journal (a single database transaction).
+**
+** This routine ensures that the journal is synced, all dirty pages written
+** to the database file and the database file synced. The only thing that
+** remains to commit the transaction is to delete the journal file (or
+** master journal file if specified).
+**
+** Note that if zMaster==NULL, this does not overwrite a previous value
+** passed to an sqlite3PagerCommitPhaseOne() call.
+**
+** If parameter nTrunc is non-zero, then the pager file is truncated to
+** nTrunc pages (this is used by auto-vacuum databases).
+*/
+int sqlite3PagerCommitPhaseOne(Pager *pPager, const char *zMaster, Pgno nTrunc){
+  int rc = SQLITE_OK;
+
+  PAGERTRACE4("DATABASE SYNC: File=%s zMaster=%s nTrunc=%d\n", 
+      pPager->zFilename, zMaster, nTrunc);
+
+  /* If this is an in-memory db, or no pages have been written to, or this
+  ** function has already been called, it is a no-op.
+  */
+  if( pPager->state!=PAGER_SYNCED && !MEMDB && pPager->dirtyCache ){
+    PgHdr *pPg;
+    assert( pPager->journalOpen );
+
+    /* If a master journal file name has already been written to the
+    ** journal file, then no sync is required. This happens when it is
+    ** written, then the process fails to upgrade from a RESERVED to an
+    ** EXCLUSIVE lock. The next time the process tries to commit the
+    ** transaction the m-j name will have already been written.
+    */
+    if( !pPager->setMaster ){
+      rc = pager_incr_changecounter(pPager);
+      if( rc!=SQLITE_OK ) goto sync_exit;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      if( nTrunc!=0 ){
+        /* If this transaction has made the database smaller, then all pages
+        ** being discarded by the truncation must be written to the journal
+        ** file.
+        */
+        Pgno i;
+        int iSkip = PAGER_MJ_PGNO(pPager);
+        for( i=nTrunc+1; i<=pPager->origDbSize; i++ ){
+          if( !(pPager->aInJournal[i/8] & (1<<(i&7))) && i!=iSkip ){
+            rc = sqlite3PagerGet(pPager, i, &pPg);
+            if( rc!=SQLITE_OK ) goto sync_exit;
+            rc = sqlite3PagerWrite(pPg);
+            sqlite3PagerUnref(pPg);
+            if( rc!=SQLITE_OK ) goto sync_exit;
+          }
+        } 
+      }
+#endif
+      rc = writeMasterJournal(pPager, zMaster);
+      if( rc!=SQLITE_OK ) goto sync_exit;
+      rc = syncJournal(pPager);
+      if( rc!=SQLITE_OK ) goto sync_exit;
+    }
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( nTrunc!=0 ){
+      rc = sqlite3PagerTruncate(pPager, nTrunc);
+      if( rc!=SQLITE_OK ) goto sync_exit;
+    }
+#endif
+
+    /* Write all dirty pages to the database file */
+    pPg = pager_get_all_dirty_pages(pPager);
+    rc = pager_write_pagelist(pPg);
+    if( rc!=SQLITE_OK ) goto sync_exit;
+    pPager->pDirty = 0;
+
+    /* Sync the database file. */
+    if( !pPager->noSync ){
+      rc = sqlite3OsSync(pPager->fd, 0);
+    }
+    IOTRACE(("DBSYNC %p\n", pPager))
+
+    pPager->state = PAGER_SYNCED;
+  }else if( MEMDB && nTrunc!=0 ){
+    rc = sqlite3PagerTruncate(pPager, nTrunc);
+  }
+
+sync_exit:
+  return rc;
+}
+
+
+/*
+** Commit all changes to the database and release the write lock.
+**
+** If the commit fails for any reason, a rollback attempt is made
+** and an error code is returned.  If the commit worked, SQLITE_OK
+** is returned.
+*/
+int sqlite3PagerCommitPhaseTwo(Pager *pPager){
+  int rc;
+  PgHdr *pPg;
+
+  if( pPager->errCode ){
+    return pPager->errCode;
+  }
+  if( pPager->state<PAGER_RESERVED ){
+    return SQLITE_ERROR;
+  }
+  PAGERTRACE2("COMMIT %d\n", PAGERID(pPager));
+  if( MEMDB ){
+    pPg = pager_get_all_dirty_pages(pPager);
+    while( pPg ){
+      PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+      clearHistory(pHist);
+      pPg->dirty = 0;
+      pPg->inJournal = 0;
+      pHist->inStmt = 0;
+      pPg->needSync = 0;
+      pHist->pPrevStmt = pHist->pNextStmt = 0;
+      pPg = pPg->pDirty;
+    }
+    pPager->pDirty = 0;
+#ifndef NDEBUG
+    for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+      PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+      assert( !pPg->alwaysRollback );
+      assert( !pHist->pOrig );
+      assert( !pHist->pStmt );
+    }
+#endif
+    pPager->pStmt = 0;
+    pPager->state = PAGER_SHARED;
+    return SQLITE_OK;
+  }
+  assert( pPager->journalOpen || !pPager->dirtyCache );
+  assert( pPager->state==PAGER_SYNCED || !pPager->dirtyCache );
+  rc = pager_end_transaction(pPager);
+  return pager_error(pPager, rc);
+}
+
+/*
+** Rollback all changes.  The database falls back to PAGER_SHARED mode.
+** All in-memory cache pages revert to their original data contents.
+** The journal is deleted.
+**
+** This routine cannot fail unless some other process is not following
+** the correct locking protocol or unless some other
+** process is writing trash into the journal file (SQLITE_CORRUPT) or
+** unless a prior malloc() failed (SQLITE_NOMEM).  Appropriate error
+** codes are returned for all these occasions.  Otherwise,
+** SQLITE_OK is returned.
+*/
+int sqlite3PagerRollback(Pager *pPager){
+  int rc;
+  PAGERTRACE2("ROLLBACK %d\n", PAGERID(pPager));
+  if( MEMDB ){
+    PgHdr *p;
+    for(p=pPager->pAll; p; p=p->pNextAll){
+      PgHistory *pHist;
+      assert( !p->alwaysRollback );
+      if( !p->dirty ){
+        assert( !((PgHistory *)PGHDR_TO_HIST(p, pPager))->pOrig );
+        assert( !((PgHistory *)PGHDR_TO_HIST(p, pPager))->pStmt );
+        continue;
+      }
+
+      pHist = PGHDR_TO_HIST(p, pPager);
+      if( pHist->pOrig ){
+        memcpy(PGHDR_TO_DATA(p), pHist->pOrig, pPager->pageSize);
+        PAGERTRACE3("ROLLBACK-PAGE %d of %d\n", p->pgno, PAGERID(pPager));
+      }else{
+        PAGERTRACE3("PAGE %d is clean on %d\n", p->pgno, PAGERID(pPager));
+      }
+      clearHistory(pHist);
+      p->dirty = 0;
+      p->inJournal = 0;
+      pHist->inStmt = 0;
+      pHist->pPrevStmt = pHist->pNextStmt = 0;
+      if( pPager->xReiniter ){
+        pPager->xReiniter(p, pPager->pageSize);
+      }
+    }
+    pPager->pDirty = 0;
+    pPager->pStmt = 0;
+    pPager->dbSize = pPager->origDbSize;
+    pager_truncate_cache(pPager);
+    pPager->stmtInUse = 0;
+    pPager->state = PAGER_SHARED;
+    return SQLITE_OK;
+  }
+
+  if( !pPager->dirtyCache || !pPager->journalOpen ){
+    rc = pager_end_transaction(pPager);
+    return rc;
+  }
+
+  if( pPager->errCode && pPager->errCode!=SQLITE_FULL ){
+    if( pPager->state>=PAGER_EXCLUSIVE ){
+      pager_playback(pPager, 0);
+    }
+    return pPager->errCode;
+  }
+  if( pPager->state==PAGER_RESERVED ){
+    int rc2;
+    rc = pager_playback(pPager, 0);
+    rc2 = pager_end_transaction(pPager);
+    if( rc==SQLITE_OK ){
+      rc = rc2;
+    }
+  }else{
+    rc = pager_playback(pPager, 0);
+  }
+  /* pager_reset(pPager); */
+  pPager->dbSize = -1;
+
+  /* If an error occurs during a ROLLBACK, we can no longer trust the pager
+  ** cache. So call pager_error() on the way out to make any error 
+  ** persistent.
+  */
+  return pager_error(pPager, rc);
+}
+
+/*
+** Return TRUE if the database file is opened read-only.  Return FALSE
+** if the database is (in theory) writable.
+*/
+int sqlite3PagerIsreadonly(Pager *pPager){
+  return pPager->readOnly;
+}
+
+/*
+** Return the number of references to the pager.
+*/
+int sqlite3PagerRefcount(Pager *pPager){
+  return pPager->nRef;
+}
+
+#ifdef SQLITE_TEST
+/*
+** This routine is used for testing and analysis only.
+*/
+int *sqlite3PagerStats(Pager *pPager){
+  static int a[11];
+  a[0] = pPager->nRef;
+  a[1] = pPager->nPage;
+  a[2] = pPager->mxPage;
+  a[3] = pPager->dbSize;
+  a[4] = pPager->state;
+  a[5] = pPager->errCode;
+  a[6] = pPager->nHit;
+  a[7] = pPager->nMiss;
+  a[8] = 0;  /* Used to be pPager->nOvfl */
+  a[9] = pPager->nRead;
+  a[10] = pPager->nWrite;
+  return a;
+}
+#endif
+
+/*
+** Set the statement rollback point.
+**
+** This routine should be called with the transaction journal already
+** open.  A new statement journal is created that can be used to rollback
+** changes of a single SQL command within a larger transaction.
+*/
+int sqlite3PagerStmtBegin(Pager *pPager){
+  int rc;
+  assert( !pPager->stmtInUse );
+  assert( pPager->state>=PAGER_SHARED );
+  assert( pPager->dbSize>=0 );
+  PAGERTRACE2("STMT-BEGIN %d\n", PAGERID(pPager));
+  if( MEMDB ){
+    pPager->stmtInUse = 1;
+    pPager->stmtSize = pPager->dbSize;
+    return SQLITE_OK;
+  }
+  if( !pPager->journalOpen ){
+    pPager->stmtAutoopen = 1;
+    return SQLITE_OK;
+  }
+  assert( pPager->journalOpen );
+  pPager->aInStmt = sqliteMalloc( pPager->dbSize/8 + 1 );
+  if( pPager->aInStmt==0 ){
+    /* sqlite3OsLock(pPager->fd, SHARED_LOCK); */
+    return SQLITE_NOMEM;
+  }
+#ifndef NDEBUG
+  rc = sqlite3OsFileSize(pPager->jfd, &pPager->stmtJSize);
+  if( rc ) goto stmt_begin_failed;
+  assert( pPager->stmtJSize == pPager->journalOff );
+#endif
+  pPager->stmtJSize = pPager->journalOff;
+  pPager->stmtSize = pPager->dbSize;
+  pPager->stmtHdrOff = 0;
+  pPager->stmtCksum = pPager->cksumInit;
+  if( !pPager->stmtOpen ){
+    rc = sqlite3PagerOpentemp(&pPager->stfd);
+    if( rc ) goto stmt_begin_failed;
+    pPager->stmtOpen = 1;
+    pPager->stmtNRec = 0;
+  }
+  pPager->stmtInUse = 1;
+  return SQLITE_OK;
+ 
+stmt_begin_failed:
+  if( pPager->aInStmt ){
+    sqliteFree(pPager->aInStmt);
+    pPager->aInStmt = 0;
+  }
+  return rc;
+}
+
+/*
+** Commit a statement.
+*/
+int sqlite3PagerStmtCommit(Pager *pPager){
+  if( pPager->stmtInUse ){
+    PgHdr *pPg, *pNext;
+    PAGERTRACE2("STMT-COMMIT %d\n", PAGERID(pPager));
+    if( !MEMDB ){
+      sqlite3OsSeek(pPager->stfd, 0);
+      /* sqlite3OsTruncate(pPager->stfd, 0); */
+      sqliteFree( pPager->aInStmt );
+      pPager->aInStmt = 0;
+    }else{
+      for(pPg=pPager->pStmt; pPg; pPg=pNext){
+        PgHistory *pHist = PGHDR_TO_HIST(pPg, pPager);
+        pNext = pHist->pNextStmt;
+        assert( pHist->inStmt );
+        pHist->inStmt = 0;
+        pHist->pPrevStmt = pHist->pNextStmt = 0;
+        sqliteFree(pHist->pStmt);
+        pHist->pStmt = 0;
+      }
+    }
+    pPager->stmtNRec = 0;
+    pPager->stmtInUse = 0;
+    pPager->pStmt = 0;
+  }
+  pPager->stmtAutoopen = 0;
+  return SQLITE_OK;
+}
+
+/*
+** Rollback a statement.
+*/
+int sqlite3PagerStmtRollback(Pager *pPager){
+  int rc;
+  if( pPager->stmtInUse ){
+    PAGERTRACE2("STMT-ROLLBACK %d\n", PAGERID(pPager));
+    if( MEMDB ){
+      PgHdr *pPg;
+      PgHistory *pHist;
+      for(pPg=pPager->pStmt; pPg; pPg=pHist->pNextStmt){
+        pHist = PGHDR_TO_HIST(pPg, pPager);
+        if( pHist->pStmt ){
+          memcpy(PGHDR_TO_DATA(pPg), pHist->pStmt, pPager->pageSize);
+          sqliteFree(pHist->pStmt);
+          pHist->pStmt = 0;
+        }
+      }
+      pPager->dbSize = pPager->stmtSize;
+      pager_truncate_cache(pPager);
+      rc = SQLITE_OK;
+    }else{
+      rc = pager_stmt_playback(pPager);
+    }
+    sqlite3PagerStmtCommit(pPager);
+  }else{
+    rc = SQLITE_OK;
+  }
+  pPager->stmtAutoopen = 0;
+  return rc;
+}
+
+/*
+** Return the full pathname of the database file.
+*/
+const char *sqlite3PagerFilename(Pager *pPager){
+  return pPager->zFilename;
+}
+
+/*
+** Return the directory of the database file.
+*/
+const char *sqlite3PagerDirname(Pager *pPager){
+  return pPager->zDirectory;
+}
+
+/*
+** Return the full pathname of the journal file.
+*/
+const char *sqlite3PagerJournalname(Pager *pPager){
+  return pPager->zJournal;
+}
+
+/*
+** Return true if fsync() calls are disabled for this pager.  Return FALSE
+** if fsync()s are executed normally.
+*/
+int sqlite3PagerNosync(Pager *pPager){
+  return pPager->noSync;
+}
+
+#ifdef SQLITE_HAS_CODEC
+/*
+** Set the codec for this pager
+*/
+void sqlite3PagerSetCodec(
+  Pager *pPager,
+  void *(*xCodec)(void*,void*,Pgno,int),
+  void *pCodecArg
+){
+  pPager->xCodec = xCodec;
+  pPager->pCodecArg = pCodecArg;
+}
+#endif
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+/*
+** Move the page identified by pData to location pgno in the file. 
+**
+** There must be no references to the current page pgno. If current page
+** pgno is not already in the rollback journal, it is not written there by
+** by this routine. The same applies to the page pData refers to on entry to
+** this routine.
+**
+** References to the page refered to by pData remain valid. Updating any
+** meta-data associated with page pData (i.e. data stored in the nExtra bytes
+** allocated along with the page) is the responsibility of the caller.
+**
+** A transaction must be active when this routine is called. It used to be
+** required that a statement transaction was not active, but this restriction
+** has been removed (CREATE INDEX needs to move a page when a statement
+** transaction is active).
+*/
+int sqlite3PagerMovepage(Pager *pPager, DbPage *pPg, Pgno pgno){
+  PgHdr *pPgOld; 
+  int h;
+  Pgno needSyncPgno = 0;
+
+  assert( pPg->nRef>0 );
+
+  PAGERTRACE5("MOVE %d page %d (needSync=%d) moves to %d\n", 
+      PAGERID(pPager), pPg->pgno, pPg->needSync, pgno);
+  IOTRACE(("MOVE %p %d %d\n", pPager, pPg->pgno, pgno))
+
+  if( pPg->needSync ){
+    needSyncPgno = pPg->pgno;
+    assert( pPg->inJournal );
+    assert( pPg->dirty );
+    assert( pPager->needSync );
+  }
+
+  /* Unlink pPg from it's hash-chain */
+  unlinkHashChain(pPager, pPg);
+
+  /* If the cache contains a page with page-number pgno, remove it
+  ** from it's hash chain. Also, if the PgHdr.needSync was set for 
+  ** page pgno before the 'move' operation, it needs to be retained 
+  ** for the page moved there.
+  */
+  pPgOld = pager_lookup(pPager, pgno);
+  if( pPgOld ){
+    assert( pPgOld->nRef==0 );
+    unlinkHashChain(pPager, pPgOld);
+    makeClean(pPgOld);
+    if( pPgOld->needSync ){
+      assert( pPgOld->inJournal );
+      pPg->inJournal = 1;
+      pPg->needSync = 1;
+      assert( pPager->needSync );
+    }
+  }
+
+  /* Change the page number for pPg and insert it into the new hash-chain. */
+  assert( pgno!=0 );
+  pPg->pgno = pgno;
+  h = pgno & (pPager->nHash-1);
+  if( pPager->aHash[h] ){
+    assert( pPager->aHash[h]->pPrevHash==0 );
+    pPager->aHash[h]->pPrevHash = pPg;
+  }
+  pPg->pNextHash = pPager->aHash[h];
+  pPager->aHash[h] = pPg;
+  pPg->pPrevHash = 0;
+
+  makeDirty(pPg);
+  pPager->dirtyCache = 1;
+
+  if( needSyncPgno ){
+    /* If needSyncPgno is non-zero, then the journal file needs to be 
+    ** sync()ed before any data is written to database file page needSyncPgno.
+    ** Currently, no such page exists in the page-cache and the 
+    ** Pager.aInJournal bit has been set. This needs to be remedied by loading
+    ** the page into the pager-cache and setting the PgHdr.needSync flag.
+    **
+    ** The sqlite3PagerGet() call may cause the journal to sync. So make
+    ** sure the Pager.needSync flag is set too.
+    */
+    int rc;
+    PgHdr *pPgHdr;
+    assert( pPager->needSync );
+    rc = sqlite3PagerGet(pPager, needSyncPgno, &pPgHdr);
+    if( rc!=SQLITE_OK ) return rc;
+    pPager->needSync = 1;
+    pPgHdr->needSync = 1;
+    pPgHdr->inJournal = 1;
+    makeDirty(pPgHdr);
+    sqlite3PagerUnref(pPgHdr);
+  }
+
+  return SQLITE_OK;
+}
+#endif
+
+/*
+** Return a pointer to the data for the specified page.
+*/
+void *sqlite3PagerGetData(DbPage *pPg){
+  return PGHDR_TO_DATA(pPg);
+}
+
+/*
+** Return a pointer to the Pager.nExtra bytes of "extra" space 
+** allocated along with the specified page.
+*/
+void *sqlite3PagerGetExtra(DbPage *pPg){
+  Pager *pPager = pPg->pPager;
+  return (pPager?PGHDR_TO_EXTRA(pPg, pPager):0);
+}
+
+/*
+** Get/set the locking-mode for this pager. Parameter eMode must be one
+** of PAGER_LOCKINGMODE_QUERY, PAGER_LOCKINGMODE_NORMAL or 
+** PAGER_LOCKINGMODE_EXCLUSIVE. If the parameter is not _QUERY, then
+** the locking-mode is set to the value specified.
+**
+** The returned value is either PAGER_LOCKINGMODE_NORMAL or
+** PAGER_LOCKINGMODE_EXCLUSIVE, indicating the current (possibly updated)
+** locking-mode.
+*/
+int sqlite3PagerLockingMode(Pager *pPager, int eMode){
+  assert( eMode==PAGER_LOCKINGMODE_QUERY
+            || eMode==PAGER_LOCKINGMODE_NORMAL
+            || eMode==PAGER_LOCKINGMODE_EXCLUSIVE );
+  assert( PAGER_LOCKINGMODE_QUERY<0 );
+  assert( PAGER_LOCKINGMODE_NORMAL>=0 && PAGER_LOCKINGMODE_EXCLUSIVE>=0 );
+  if( eMode>=0 && !pPager->tempFile ){
+    pPager->exclusiveMode = eMode;
+  }
+  return (int)pPager->exclusiveMode;
+}
+
+#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST)
+/*
+** Return the current state of the file lock for the given pager.
+** The return value is one of NO_LOCK, SHARED_LOCK, RESERVED_LOCK,
+** PENDING_LOCK, or EXCLUSIVE_LOCK.
+*/
+int sqlite3PagerLockstate(Pager *pPager){
+  return sqlite3OsLockState(pPager->fd);
+}
+#endif
+
+#ifdef SQLITE_DEBUG
+/*
+** Print a listing of all referenced pages and their ref count.
+*/
+void sqlite3PagerRefdump(Pager *pPager){
+  PgHdr *pPg;
+  for(pPg=pPager->pAll; pPg; pPg=pPg->pNextAll){
+    if( pPg->nRef<=0 ) continue;
+    sqlite3DebugPrintf("PAGE %3d addr=%p nRef=%d\n", 
+       pPg->pgno, PGHDR_TO_DATA(pPg), pPg->nRef);
+  }
+}
+#endif
+
+#endif /* SQLITE_OMIT_DISKIO */
+
+/************** End of pager.c ***********************************************/
+/************** Begin file btree.c *******************************************/
+/*
+** 2004 April 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** $Id$
+**
+** This file implements a external (disk-based) database using BTrees.
+** For a detailed discussion of BTrees, refer to
+**
+**     Donald E. Knuth, THE ART OF COMPUTER PROGRAMMING, Volume 3:
+**     "Sorting And Searching", pages 473-480. Addison-Wesley
+**     Publishing Company, Reading, Massachusetts.
+**
+** The basic idea is that each page of the file contains N database
+** entries and N+1 pointers to subpages.
+**
+**   ----------------------------------------------------------------
+**   |  Ptr(0) | Key(0) | Ptr(1) | Key(1) | ... | Key(N-1) | Ptr(N) |
+**   ----------------------------------------------------------------
+**
+** All of the keys on the page that Ptr(0) points to have values less
+** than Key(0).  All of the keys on page Ptr(1) and its subpages have
+** values greater than Key(0) and less than Key(1).  All of the keys
+** on Ptr(N) and its subpages have values greater than Key(N-1).  And
+** so forth.
+**
+** Finding a particular key requires reading O(log(M)) pages from the 
+** disk where M is the number of entries in the tree.
+**
+** In this implementation, a single file can hold one or more separate 
+** BTrees.  Each BTree is identified by the index of its root page.  The
+** key and data for any entry are combined to form the "payload".  A
+** fixed amount of payload can be carried directly on the database
+** page.  If the payload is larger than the preset amount then surplus
+** bytes are stored on overflow pages.  The payload for an entry
+** and the preceding pointer are combined to form a "Cell".  Each 
+** page has a small header which contains the Ptr(N) pointer and other
+** information such as the size of key and data.
+**
+** FORMAT DETAILS
+**
+** The file is divided into pages.  The first page is called page 1,
+** the second is page 2, and so forth.  A page number of zero indicates
+** "no such page".  The page size can be anything between 512 and 65536.
+** Each page can be either a btree page, a freelist page or an overflow
+** page.
+**
+** The first page is always a btree page.  The first 100 bytes of the first
+** page contain a special header (the "file header") that describes the file.
+** The format of the file header is as follows:
+**
+**   OFFSET   SIZE    DESCRIPTION
+**      0      16     Header string: "SQLite format 3\000"
+**     16       2     Page size in bytes.  
+**     18       1     File format write version
+**     19       1     File format read version
+**     20       1     Bytes of unused space at the end of each page
+**     21       1     Max embedded payload fraction
+**     22       1     Min embedded payload fraction
+**     23       1     Min leaf payload fraction
+**     24       4     File change counter
+**     28       4     Reserved for future use
+**     32       4     First freelist page
+**     36       4     Number of freelist pages in the file
+**     40      60     15 4-byte meta values passed to higher layers
+**
+** All of the integer values are big-endian (most significant byte first).
+**
+** The file change counter is incremented when the database is changed more
+** than once within the same second.  This counter, together with the
+** modification time of the file, allows other processes to know
+** when the file has changed and thus when they need to flush their
+** cache.
+**
+** The max embedded payload fraction is the amount of the total usable
+** space in a page that can be consumed by a single cell for standard
+** B-tree (non-LEAFDATA) tables.  A value of 255 means 100%.  The default
+** is to limit the maximum cell size so that at least 4 cells will fit
+** on one page.  Thus the default max embedded payload fraction is 64.
+**
+** If the payload for a cell is larger than the max payload, then extra
+** payload is spilled to overflow pages.  Once an overflow page is allocated,
+** as many bytes as possible are moved into the overflow pages without letting
+** the cell size drop below the min embedded payload fraction.
+**
+** The min leaf payload fraction is like the min embedded payload fraction
+** except that it applies to leaf nodes in a LEAFDATA tree.  The maximum
+** payload fraction for a LEAFDATA tree is always 100% (or 255) and it
+** not specified in the header.
+**
+** Each btree pages is divided into three sections:  The header, the
+** cell pointer array, and the cell area area.  Page 1 also has a 100-byte
+** file header that occurs before the page header.
+**
+**      |----------------|
+**      | file header    |   100 bytes.  Page 1 only.
+**      |----------------|
+**      | page header    |   8 bytes for leaves.  12 bytes for interior nodes
+**      |----------------|
+**      | cell pointer   |   |  2 bytes per cell.  Sorted order.
+**      | array          |   |  Grows downward
+**      |                |   v
+**      |----------------|
+**      | unallocated    |
+**      | space          |
+**      |----------------|   ^  Grows upwards
+**      | cell content   |   |  Arbitrary order interspersed with freeblocks.
+**      | area           |   |  and free space fragments.
+**      |----------------|
+**
+** The page headers looks like this:
+**
+**   OFFSET   SIZE     DESCRIPTION
+**      0       1      Flags. 1: intkey, 2: zerodata, 4: leafdata, 8: leaf
+**      1       2      byte offset to the first freeblock
+**      3       2      number of cells on this page
+**      5       2      first byte of the cell content area
+**      7       1      number of fragmented free bytes
+**      8       4      Right child (the Ptr(N) value).  Omitted on leaves.
+**
+** The flags define the format of this btree page.  The leaf flag means that
+** this page has no children.  The zerodata flag means that this page carries
+** only keys and no data.  The intkey flag means that the key is a integer
+** which is stored in the key size entry of the cell header rather than in
+** the payload area.
+**
+** The cell pointer array begins on the first byte after the page header.
+** The cell pointer array contains zero or more 2-byte numbers which are
+** offsets from the beginning of the page to the cell content in the cell
+** content area.  The cell pointers occur in sorted order.  The system strives
+** to keep free space after the last cell pointer so that new cells can
+** be easily added without having to defragment the page.
+**
+** Cell content is stored at the very end of the page and grows toward the
+** beginning of the page.
+**
+** Unused space within the cell content area is collected into a linked list of
+** freeblocks.  Each freeblock is at least 4 bytes in size.  The byte offset
+** to the first freeblock is given in the header.  Freeblocks occur in
+** increasing order.  Because a freeblock must be at least 4 bytes in size,
+** any group of 3 or fewer unused bytes in the cell content area cannot
+** exist on the freeblock chain.  A group of 3 or fewer free bytes is called
+** a fragment.  The total number of bytes in all fragments is recorded.
+** in the page header at offset 7.
+**
+**    SIZE    DESCRIPTION
+**      2     Byte offset of the next freeblock
+**      2     Bytes in this freeblock
+**
+** Cells are of variable length.  Cells are stored in the cell content area at
+** the end of the page.  Pointers to the cells are in the cell pointer array
+** that immediately follows the page header.  Cells is not necessarily
+** contiguous or in order, but cell pointers are contiguous and in order.
+**
+** Cell content makes use of variable length integers.  A variable
+** length integer is 1 to 9 bytes where the lower 7 bits of each 
+** byte are used.  The integer consists of all bytes that have bit 8 set and
+** the first byte with bit 8 clear.  The most significant byte of the integer
+** appears first.  A variable-length integer may not be more than 9 bytes long.
+** As a special case, all 8 bytes of the 9th byte are used as data.  This
+** allows a 64-bit integer to be encoded in 9 bytes.
+**
+**    0x00                      becomes  0x00000000
+**    0x7f                      becomes  0x0000007f
+**    0x81 0x00                 becomes  0x00000080
+**    0x82 0x00                 becomes  0x00000100
+**    0x80 0x7f                 becomes  0x0000007f
+**    0x8a 0x91 0xd1 0xac 0x78  becomes  0x12345678
+**    0x81 0x81 0x81 0x81 0x01  becomes  0x10204081
+**
+** Variable length integers are used for rowids and to hold the number of
+** bytes of key and data in a btree cell.
+**
+** The content of a cell looks like this:
+**
+**    SIZE    DESCRIPTION
+**      4     Page number of the left child. Omitted if leaf flag is set.
+**     var    Number of bytes of data. Omitted if the zerodata flag is set.
+**     var    Number of bytes of key. Or the key itself if intkey flag is set.
+**      *     Payload
+**      4     First page of the overflow chain.  Omitted if no overflow
+**
+** Overflow pages form a linked list.  Each page except the last is completely
+** filled with data (pagesize - 4 bytes).  The last page can have as little
+** as 1 byte of data.
+**
+**    SIZE    DESCRIPTION
+**      4     Page number of next overflow page
+**      *     Data
+**
+** Freelist pages come in two subtypes: trunk pages and leaf pages.  The
+** file header points to first in a linked list of trunk page.  Each trunk
+** page points to multiple leaf pages.  The content of a leaf page is
+** unspecified.  A trunk page looks like this:
+**
+**    SIZE    DESCRIPTION
+**      4     Page number of next trunk page
+**      4     Number of leaf pointers on this page
+**      *     zero or more pages numbers of leaves
+*/
+
+/* Round up a number to the next larger multiple of 8.  This is used
+** to force 8-byte alignment on 64-bit architectures.
+*/
+#define ROUND8(x)   ((x+7)&~7)
+
+
+/* The following value is the maximum cell size assuming a maximum page
+** size give above.
+*/
+#define MX_CELL_SIZE(pBt)  (pBt->pageSize-8)
+
+/* The maximum number of cells on a single page of the database.  This
+** assumes a minimum cell size of 3 bytes.  Such small cells will be
+** exceedingly rare, but they are possible.
+*/
+#define MX_CELL(pBt) ((pBt->pageSize-8)/3)
+
+/* Forward declarations */
+typedef struct MemPage MemPage;
+typedef struct BtLock BtLock;
+
+/*
+** This is a magic string that appears at the beginning of every
+** SQLite database in order to identify the file as a real database.
+**
+** You can change this value at compile-time by specifying a
+** -DSQLITE_FILE_HEADER="..." on the compiler command-line.  The
+** header must be exactly 16 bytes including the zero-terminator so
+** the string itself should be 15 characters long.  If you change
+** the header, then your custom library will not be able to read 
+** databases generated by the standard tools and the standard tools
+** will not be able to read databases created by your custom library.
+*/
+#ifndef SQLITE_FILE_HEADER /* 123456789 123456 */
+#  define SQLITE_FILE_HEADER "SQLite format 3"
+#endif
+static const char zMagicHeader[] = SQLITE_FILE_HEADER;
+
+/*
+** Page type flags.  An ORed combination of these flags appear as the
+** first byte of every BTree page.
+*/
+#define PTF_INTKEY    0x01
+#define PTF_ZERODATA  0x02
+#define PTF_LEAFDATA  0x04
+#define PTF_LEAF      0x08
+
+/*
+** As each page of the file is loaded into memory, an instance of the following
+** structure is appended and initialized to zero.  This structure stores
+** information about the page that is decoded from the raw file page.
+**
+** The pParent field points back to the parent page.  This allows us to
+** walk up the BTree from any leaf to the root.  Care must be taken to
+** unref() the parent page pointer when this page is no longer referenced.
+** The pageDestructor() routine handles that chore.
+*/
+struct MemPage {
+  u8 isInit;           /* True if previously initialized. MUST BE FIRST! */
+  u8 idxShift;         /* True if Cell indices have changed */
+  u8 nOverflow;        /* Number of overflow cell bodies in aCell[] */
+  u8 intKey;           /* True if intkey flag is set */
+  u8 leaf;             /* True if leaf flag is set */
+  u8 zeroData;         /* True if table stores keys only */
+  u8 leafData;         /* True if tables stores data on leaves only */
+  u8 hasData;          /* True if this page stores data */
+  u8 hdrOffset;        /* 100 for page 1.  0 otherwise */
+  u8 childPtrSize;     /* 0 if leaf==1.  4 if leaf==0 */
+  u16 maxLocal;        /* Copy of Btree.maxLocal or Btree.maxLeaf */
+  u16 minLocal;        /* Copy of Btree.minLocal or Btree.minLeaf */
+  u16 cellOffset;      /* Index in aData of first cell pointer */
+  u16 idxParent;       /* Index in parent of this node */
+  u16 nFree;           /* Number of free bytes on the page */
+  u16 nCell;           /* Number of cells on this page, local and ovfl */
+  struct _OvflCell {   /* Cells that will not fit on aData[] */
+    u8 *pCell;          /* Pointers to the body of the overflow cell */
+    u16 idx;            /* Insert this cell before idx-th non-overflow cell */
+  } aOvfl[5];
+  BtShared *pBt;       /* Pointer back to BTree structure */
+  u8 *aData;           /* Pointer back to the start of the page */
+  DbPage *pDbPage;     /* Pager page handle */
+  Pgno pgno;           /* Page number for this page */
+  MemPage *pParent;    /* The parent of this page.  NULL for root */
+};
+
+/*
+** The in-memory image of a disk page has the auxiliary information appended
+** to the end.  EXTRA_SIZE is the number of bytes of space needed to hold
+** that extra information.
+*/
+#define EXTRA_SIZE sizeof(MemPage)
+
+/* Btree handle */
+struct Btree {
+  sqlite3 *pSqlite;
+  BtShared *pBt;
+  u8 inTrans;            /* TRANS_NONE, TRANS_READ or TRANS_WRITE */
+};
+
+/*
+** Btree.inTrans may take one of the following values.
+**
+** If the shared-data extension is enabled, there may be multiple users
+** of the Btree structure. At most one of these may open a write transaction,
+** but any number may have active read transactions. Variable Btree.pDb 
+** points to the handle that owns any current write-transaction.
+*/
+#define TRANS_NONE  0
+#define TRANS_READ  1
+#define TRANS_WRITE 2
+
+/*
+** Everything we need to know about an open database
+*/
+struct BtShared {
+  Pager *pPager;        /* The page cache */
+  BtCursor *pCursor;    /* A list of all open cursors */
+  MemPage *pPage1;      /* First page of the database */
+  u8 inStmt;            /* True if we are in a statement subtransaction */
+  u8 readOnly;          /* True if the underlying file is readonly */
+  u8 maxEmbedFrac;      /* Maximum payload as % of total page size */
+  u8 minEmbedFrac;      /* Minimum payload as % of total page size */
+  u8 minLeafFrac;       /* Minimum leaf payload as % of total page size */
+  u8 pageSizeFixed;     /* True if the page size can no longer be changed */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  u8 autoVacuum;        /* True if database supports auto-vacuum */
+#endif
+  u16 pageSize;         /* Total number of bytes on a page */
+  u16 usableSize;       /* Number of usable bytes on each page */
+  int maxLocal;         /* Maximum local payload in non-LEAFDATA tables */
+  int minLocal;         /* Minimum local payload in non-LEAFDATA tables */
+  int maxLeaf;          /* Maximum local payload in a LEAFDATA table */
+  int minLeaf;          /* Minimum local payload in a LEAFDATA table */
+  BusyHandler *pBusyHandler;   /* Callback for when there is lock contention */
+  u8 inTransaction;     /* Transaction state */
+  int nRef;             /* Number of references to this structure */
+  int nTransaction;     /* Number of open transactions (read + write) */
+  void *pSchema;        /* Pointer to space allocated by sqlite3BtreeSchema() */
+  void (*xFreeSchema)(void*);  /* Destructor for BtShared.pSchema */
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  BtLock *pLock;        /* List of locks held on this shared-btree struct */
+  BtShared *pNext;      /* Next in ThreadData.pBtree linked list */
+#endif
+};
+
+/*
+** An instance of the following structure is used to hold information
+** about a cell.  The parseCellPtr() function fills in this structure
+** based on information extract from the raw disk page.
+*/
+typedef struct CellInfo CellInfo;
+struct CellInfo {
+  u8 *pCell;     /* Pointer to the start of cell content */
+  i64 nKey;      /* The key for INTKEY tables, or number of bytes in key */
+  u32 nData;     /* Number of bytes of data */
+  u32 nPayload;  /* Total amount of payload */
+  u16 nHeader;   /* Size of the cell content header in bytes */
+  u16 nLocal;    /* Amount of payload held locally */
+  u16 iOverflow; /* Offset to overflow page number.  Zero if no overflow */
+  u16 nSize;     /* Size of the cell content on the main b-tree page */
+};
+
+/*
+** A cursor is a pointer to a particular entry in the BTree.
+** The entry is identified by its MemPage and the index in
+** MemPage.aCell[] of the entry.
+*/
+struct BtCursor {
+  Btree *pBtree;            /* The Btree to which this cursor belongs */
+  BtCursor *pNext, *pPrev;  /* Forms a linked list of all cursors */
+  int (*xCompare)(void*,int,const void*,int,const void*); /* Key comp func */
+  void *pArg;               /* First arg to xCompare() */
+  Pgno pgnoRoot;            /* The root page of this tree */
+  MemPage *pPage;           /* Page that contains the entry */
+  int idx;                  /* Index of the entry in pPage->aCell[] */
+  CellInfo info;            /* A parse of the cell we are pointing at */
+  u8 wrFlag;                /* True if writable */
+  u8 eState;                /* One of the CURSOR_XXX constants (see below) */
+  void *pKey;      /* Saved key that was cursor's last known position */
+  i64 nKey;        /* Size of pKey, or last integer key */
+  int skip;        /* (skip<0) -> Prev() is a no-op. (skip>0) -> Next() is */
+};
+
+/*
+** Potential values for BtCursor.eState.
+**
+** CURSOR_VALID:
+**   Cursor points to a valid entry. getPayload() etc. may be called.
+**
+** CURSOR_INVALID:
+**   Cursor does not point to a valid entry. This can happen (for example) 
+**   because the table is empty or because BtreeCursorFirst() has not been
+**   called.
+**
+** CURSOR_REQUIRESEEK:
+**   The table that this cursor was opened on still exists, but has been 
+**   modified since the cursor was last used. The cursor position is saved
+**   in variables BtCursor.pKey and BtCursor.nKey. When a cursor is in 
+**   this state, restoreOrClearCursorPosition() can be called to attempt to
+**   seek the cursor to the saved position.
+*/
+#define CURSOR_INVALID           0
+#define CURSOR_VALID             1
+#define CURSOR_REQUIRESEEK       2
+
+/*
+** The TRACE macro will print high-level status information about the
+** btree operation when the global variable sqlite3_btree_trace is
+** enabled.
+*/
+#if SQLITE_TEST
+# define TRACE(X)   if( sqlite3_btree_trace )\
+/*                        { sqlite3DebugPrintf X; fflush(stdout); } */ \
+{ printf X; fflush(stdout); }
+int sqlite3_btree_trace=0;  /* True to enable tracing */
+#else
+# define TRACE(X)
+#endif
+
+/*
+** Forward declaration
+*/
+static int checkReadLocks(Btree*,Pgno,BtCursor*);
+
+/*
+** Read or write a two- and four-byte big-endian integer values.
+*/
+static u32 get2byte(unsigned char *p){
+  return (p[0]<<8) | p[1];
+}
+static u32 get4byte(unsigned char *p){
+  return (p[0]<<24) | (p[1]<<16) | (p[2]<<8) | p[3];
+}
+static void put2byte(unsigned char *p, u32 v){
+  p[0] = v>>8;
+  p[1] = v;
+}
+static void put4byte(unsigned char *p, u32 v){
+  p[0] = v>>24;
+  p[1] = v>>16;
+  p[2] = v>>8;
+  p[3] = v;
+}
+
+/*
+** Routines to read and write variable-length integers.  These used to
+** be defined locally, but now we use the varint routines in the util.c
+** file.
+*/
+#define getVarint    sqlite3GetVarint
+/* #define getVarint32  sqlite3GetVarint32 */
+#define getVarint32(A,B)  ((*B=*(A))<=0x7f?1:sqlite3GetVarint32(A,B))
+#define putVarint    sqlite3PutVarint
+
+/* The database page the PENDING_BYTE occupies. This page is never used.
+** TODO: This macro is very similary to PAGER_MJ_PGNO() in pager.c. They
+** should possibly be consolidated (presumably in pager.h).
+**
+** If disk I/O is omitted (meaning that the database is stored purely
+** in memory) then there is no pending byte.
+*/
+#ifdef SQLITE_OMIT_DISKIO
+# define PENDING_BYTE_PAGE(pBt)  0x7fffffff
+#else
+# define PENDING_BYTE_PAGE(pBt) ((PENDING_BYTE/(pBt)->pageSize)+1)
+#endif
+
+/*
+** A linked list of the following structures is stored at BtShared.pLock.
+** Locks are added (or upgraded from READ_LOCK to WRITE_LOCK) when a cursor 
+** is opened on the table with root page BtShared.iTable. Locks are removed
+** from this list when a transaction is committed or rolled back, or when
+** a btree handle is closed.
+*/
+struct BtLock {
+  Btree *pBtree;        /* Btree handle holding this lock */
+  Pgno iTable;          /* Root page of table */
+  u8 eLock;             /* READ_LOCK or WRITE_LOCK */
+  BtLock *pNext;        /* Next in BtShared.pLock list */
+};
+
+/* Candidate values for BtLock.eLock */
+#define READ_LOCK     1
+#define WRITE_LOCK    2
+
+#ifdef SQLITE_OMIT_SHARED_CACHE
+  /*
+  ** The functions queryTableLock(), lockTable() and unlockAllTables()
+  ** manipulate entries in the BtShared.pLock linked list used to store
+  ** shared-cache table level locks. If the library is compiled with the
+  ** shared-cache feature disabled, then there is only ever one user
+  ** of each BtShared structure and so this locking is not necessary. 
+  ** So define the lock related functions as no-ops.
+  */
+  #define queryTableLock(a,b,c) SQLITE_OK
+  #define lockTable(a,b,c) SQLITE_OK
+  #define unlockAllTables(a)
+#else
+
+
+/*
+** Query to see if btree handle p may obtain a lock of type eLock 
+** (READ_LOCK or WRITE_LOCK) on the table with root-page iTab. Return
+** SQLITE_OK if the lock may be obtained (by calling lockTable()), or
+** SQLITE_LOCKED if not.
+*/
+static int queryTableLock(Btree *p, Pgno iTab, u8 eLock){
+  BtShared *pBt = p->pBt;
+  BtLock *pIter;
+
+  /* This is a no-op if the shared-cache is not enabled */
+  if( 0==sqlite3ThreadDataReadOnly()->useSharedData ){
+    return SQLITE_OK;
+  }
+
+  /* This (along with lockTable()) is where the ReadUncommitted flag is
+  ** dealt with. If the caller is querying for a read-lock and the flag is
+  ** set, it is unconditionally granted - even if there are write-locks
+  ** on the table. If a write-lock is requested, the ReadUncommitted flag
+  ** is not considered.
+  **
+  ** In function lockTable(), if a read-lock is demanded and the 
+  ** ReadUncommitted flag is set, no entry is added to the locks list 
+  ** (BtShared.pLock).
+  **
+  ** To summarize: If the ReadUncommitted flag is set, then read cursors do
+  ** not create or respect table locks. The locking procedure for a 
+  ** write-cursor does not change.
+  */
+  if( 
+    !p->pSqlite || 
+    0==(p->pSqlite->flags&SQLITE_ReadUncommitted) || 
+    eLock==WRITE_LOCK ||
+    iTab==MASTER_ROOT
+  ){
+    for(pIter=pBt->pLock; pIter; pIter=pIter->pNext){
+      if( pIter->pBtree!=p && pIter->iTable==iTab && 
+          (pIter->eLock!=eLock || eLock!=READ_LOCK) ){
+        return SQLITE_LOCKED;
+      }
+    }
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Add a lock on the table with root-page iTable to the shared-btree used
+** by Btree handle p. Parameter eLock must be either READ_LOCK or 
+** WRITE_LOCK.
+**
+** SQLITE_OK is returned if the lock is added successfully. SQLITE_BUSY and
+** SQLITE_NOMEM may also be returned.
+*/
+static int lockTable(Btree *p, Pgno iTable, u8 eLock){
+  BtShared *pBt = p->pBt;
+  BtLock *pLock = 0;
+  BtLock *pIter;
+
+  /* This is a no-op if the shared-cache is not enabled */
+  if( 0==sqlite3ThreadDataReadOnly()->useSharedData ){
+    return SQLITE_OK;
+  }
+
+  assert( SQLITE_OK==queryTableLock(p, iTable, eLock) );
+
+  /* If the read-uncommitted flag is set and a read-lock is requested,
+  ** return early without adding an entry to the BtShared.pLock list. See
+  ** comment in function queryTableLock() for more info on handling 
+  ** the ReadUncommitted flag.
+  */
+  if( 
+    (p->pSqlite) && 
+    (p->pSqlite->flags&SQLITE_ReadUncommitted) && 
+    (eLock==READ_LOCK) &&
+    iTable!=MASTER_ROOT
+  ){
+    return SQLITE_OK;
+  }
+
+  /* First search the list for an existing lock on this table. */
+  for(pIter=pBt->pLock; pIter; pIter=pIter->pNext){
+    if( pIter->iTable==iTable && pIter->pBtree==p ){
+      pLock = pIter;
+      break;
+    }
+  }
+
+  /* If the above search did not find a BtLock struct associating Btree p
+  ** with table iTable, allocate one and link it into the list.
+  */
+  if( !pLock ){
+    pLock = (BtLock *)sqliteMalloc(sizeof(BtLock));
+    if( !pLock ){
+      return SQLITE_NOMEM;
+    }
+    pLock->iTable = iTable;
+    pLock->pBtree = p;
+    pLock->pNext = pBt->pLock;
+    pBt->pLock = pLock;
+  }
+
+  /* Set the BtLock.eLock variable to the maximum of the current lock
+  ** and the requested lock. This means if a write-lock was already held
+  ** and a read-lock requested, we don't incorrectly downgrade the lock.
+  */
+  assert( WRITE_LOCK>READ_LOCK );
+  if( eLock>pLock->eLock ){
+    pLock->eLock = eLock;
+  }
+
+  return SQLITE_OK;
+}
+
+/*
+** Release all the table locks (locks obtained via calls to the lockTable()
+** procedure) held by Btree handle p.
+*/
+static void unlockAllTables(Btree *p){
+  BtLock **ppIter = &p->pBt->pLock;
+
+  /* If the shared-cache extension is not enabled, there should be no
+  ** locks in the BtShared.pLock list, making this procedure a no-op. Assert
+  ** that this is the case.
+  */
+  assert( sqlite3ThreadDataReadOnly()->useSharedData || 0==*ppIter );
+
+  while( *ppIter ){
+    BtLock *pLock = *ppIter;
+    if( pLock->pBtree==p ){
+      *ppIter = pLock->pNext;
+      sqliteFree(pLock);
+    }else{
+      ppIter = &pLock->pNext;
+    }
+  }
+}
+#endif /* SQLITE_OMIT_SHARED_CACHE */
+
+static void releasePage(MemPage *pPage);  /* Forward reference */
+
+/*
+** Save the current cursor position in the variables BtCursor.nKey 
+** and BtCursor.pKey. The cursor's state is set to CURSOR_REQUIRESEEK.
+*/
+static int saveCursorPosition(BtCursor *pCur){
+  int rc;
+
+  assert( CURSOR_VALID==pCur->eState );
+  assert( 0==pCur->pKey );
+
+  rc = sqlite3BtreeKeySize(pCur, &pCur->nKey);
+
+  /* If this is an intKey table, then the above call to BtreeKeySize()
+  ** stores the integer key in pCur->nKey. In this case this value is
+  ** all that is required. Otherwise, if pCur is not open on an intKey
+  ** table, then malloc space for and store the pCur->nKey bytes of key 
+  ** data.
+  */
+  if( rc==SQLITE_OK && 0==pCur->pPage->intKey){
+    void *pKey = sqliteMalloc(pCur->nKey);
+    if( pKey ){
+      rc = sqlite3BtreeKey(pCur, 0, pCur->nKey, pKey);
+      if( rc==SQLITE_OK ){
+        pCur->pKey = pKey;
+      }else{
+        sqliteFree(pKey);
+      }
+    }else{
+      rc = SQLITE_NOMEM;
+    }
+  }
+  assert( !pCur->pPage->intKey || !pCur->pKey );
+
+  if( rc==SQLITE_OK ){
+    releasePage(pCur->pPage);
+    pCur->pPage = 0;
+    pCur->eState = CURSOR_REQUIRESEEK;
+  }
+
+  return rc;
+}
+
+/*
+** Save the positions of all cursors except pExcept open on the table 
+** with root-page iRoot. Usually, this is called just before cursor
+** pExcept is used to modify the table (BtreeDelete() or BtreeInsert()).
+*/
+static int saveAllCursors(BtShared *pBt, Pgno iRoot, BtCursor *pExcept){
+  BtCursor *p;
+  for(p=pBt->pCursor; p; p=p->pNext){
+    if( p!=pExcept && (0==iRoot || p->pgnoRoot==iRoot) && 
+        p->eState==CURSOR_VALID ){
+      int rc = saveCursorPosition(p);
+      if( SQLITE_OK!=rc ){
+        return rc;
+      }
+    }
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Clear the current cursor position.
+*/
+static void clearCursorPosition(BtCursor *pCur){
+  sqliteFree(pCur->pKey);
+  pCur->pKey = 0;
+  pCur->eState = CURSOR_INVALID;
+}
+
+/*
+** Restore the cursor to the position it was in (or as close to as possible)
+** when saveCursorPosition() was called. Note that this call deletes the 
+** saved position info stored by saveCursorPosition(), so there can be
+** at most one effective restoreOrClearCursorPosition() call after each 
+** saveCursorPosition().
+**
+** If the second argument argument - doSeek - is false, then instead of 
+** returning the cursor to it's saved position, any saved position is deleted
+** and the cursor state set to CURSOR_INVALID.
+*/
+static int restoreOrClearCursorPositionX(BtCursor *pCur){
+  int rc;
+  assert( pCur->eState==CURSOR_REQUIRESEEK );
+  pCur->eState = CURSOR_INVALID;
+  rc = sqlite3BtreeMoveto(pCur, pCur->pKey, pCur->nKey, 0, &pCur->skip);
+  if( rc==SQLITE_OK ){
+    sqliteFree(pCur->pKey);
+    pCur->pKey = 0;
+    assert( pCur->eState==CURSOR_VALID || pCur->eState==CURSOR_INVALID );
+  }
+  return rc;
+}
+
+#define restoreOrClearCursorPosition(p) \
+  (p->eState==CURSOR_REQUIRESEEK?restoreOrClearCursorPositionX(p):SQLITE_OK)
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+/*
+** These macros define the location of the pointer-map entry for a 
+** database page. The first argument to each is the number of usable
+** bytes on each page of the database (often 1024). The second is the
+** page number to look up in the pointer map.
+**
+** PTRMAP_PAGENO returns the database page number of the pointer-map
+** page that stores the required pointer. PTRMAP_PTROFFSET returns
+** the offset of the requested map entry.
+**
+** If the pgno argument passed to PTRMAP_PAGENO is a pointer-map page,
+** then pgno is returned. So (pgno==PTRMAP_PAGENO(pgsz, pgno)) can be
+** used to test if pgno is a pointer-map page. PTRMAP_ISPAGE implements
+** this test.
+*/
+#define PTRMAP_PAGENO(pBt, pgno) ptrmapPageno(pBt, pgno)
+#define PTRMAP_PTROFFSET(pBt, pgno) (5*(pgno-ptrmapPageno(pBt, pgno)-1))
+#define PTRMAP_ISPAGE(pBt, pgno) (PTRMAP_PAGENO((pBt),(pgno))==(pgno))
+
+static Pgno ptrmapPageno(BtShared *pBt, Pgno pgno){
+  int nPagesPerMapPage = (pBt->usableSize/5)+1;
+  int iPtrMap = (pgno-2)/nPagesPerMapPage;
+  int ret = (iPtrMap*nPagesPerMapPage) + 2; 
+  if( ret==PENDING_BYTE_PAGE(pBt) ){
+    ret++;
+  }
+  return ret;
+}
+
+/*
+** The pointer map is a lookup table that identifies the parent page for
+** each child page in the database file.  The parent page is the page that
+** contains a pointer to the child.  Every page in the database contains
+** 0 or 1 parent pages.  (In this context 'database page' refers
+** to any page that is not part of the pointer map itself.)  Each pointer map
+** entry consists of a single byte 'type' and a 4 byte parent page number.
+** The PTRMAP_XXX identifiers below are the valid types.
+**
+** The purpose of the pointer map is to facility moving pages from one
+** position in the file to another as part of autovacuum.  When a page
+** is moved, the pointer in its parent must be updated to point to the
+** new location.  The pointer map is used to locate the parent page quickly.
+**
+** PTRMAP_ROOTPAGE: The database page is a root-page. The page-number is not
+**                  used in this case.
+**
+** PTRMAP_FREEPAGE: The database page is an unused (free) page. The page-number 
+**                  is not used in this case.
+**
+** PTRMAP_OVERFLOW1: The database page is the first page in a list of 
+**                   overflow pages. The page number identifies the page that
+**                   contains the cell with a pointer to this overflow page.
+**
+** PTRMAP_OVERFLOW2: The database page is the second or later page in a list of
+**                   overflow pages. The page-number identifies the previous
+**                   page in the overflow page list.
+**
+** PTRMAP_BTREE: The database page is a non-root btree page. The page number
+**               identifies the parent page in the btree.
+*/
+#define PTRMAP_ROOTPAGE 1
+#define PTRMAP_FREEPAGE 2
+#define PTRMAP_OVERFLOW1 3
+#define PTRMAP_OVERFLOW2 4
+#define PTRMAP_BTREE 5
+
+/*
+** Write an entry into the pointer map.
+**
+** This routine updates the pointer map entry for page number 'key'
+** so that it maps to type 'eType' and parent page number 'pgno'.
+** An error code is returned if something goes wrong, otherwise SQLITE_OK.
+*/
+static int ptrmapPut(BtShared *pBt, Pgno key, u8 eType, Pgno parent){
+  DbPage *pDbPage;  /* The pointer map page */
+  u8 *pPtrmap;      /* The pointer map data */
+  Pgno iPtrmap;     /* The pointer map page number */
+  int offset;       /* Offset in pointer map page */
+  int rc;
+
+  /* The master-journal page number must never be used as a pointer map page */
+  assert( 0==PTRMAP_ISPAGE(pBt, PENDING_BYTE_PAGE(pBt)) );
+
+  assert( pBt->autoVacuum );
+  if( key==0 ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+  iPtrmap = PTRMAP_PAGENO(pBt, key);
+  rc = sqlite3PagerGet(pBt->pPager, iPtrmap, &pDbPage);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  offset = PTRMAP_PTROFFSET(pBt, key);
+  pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
+
+  if( eType!=pPtrmap[offset] || get4byte(&pPtrmap[offset+1])!=parent ){
+    TRACE(("PTRMAP_UPDATE: %d->(%d,%d)\n", key, eType, parent));
+    rc = sqlite3PagerWrite(pDbPage);
+    if( rc==SQLITE_OK ){
+      pPtrmap[offset] = eType;
+      put4byte(&pPtrmap[offset+1], parent);
+    }
+  }
+
+  sqlite3PagerUnref(pDbPage);
+  return rc;
+}
+
+/*
+** Read an entry from the pointer map.
+**
+** This routine retrieves the pointer map entry for page 'key', writing
+** the type and parent page number to *pEType and *pPgno respectively.
+** An error code is returned if something goes wrong, otherwise SQLITE_OK.
+*/
+static int ptrmapGet(BtShared *pBt, Pgno key, u8 *pEType, Pgno *pPgno){
+  DbPage *pDbPage;   /* The pointer map page */
+  int iPtrmap;       /* Pointer map page index */
+  u8 *pPtrmap;       /* Pointer map page data */
+  int offset;        /* Offset of entry in pointer map */
+  int rc;
+
+  iPtrmap = PTRMAP_PAGENO(pBt, key);
+  rc = sqlite3PagerGet(pBt->pPager, iPtrmap, &pDbPage);
+  if( rc!=0 ){
+    return rc;
+  }
+  pPtrmap = (u8 *)sqlite3PagerGetData(pDbPage);
+
+  offset = PTRMAP_PTROFFSET(pBt, key);
+  assert( pEType!=0 );
+  *pEType = pPtrmap[offset];
+  if( pPgno ) *pPgno = get4byte(&pPtrmap[offset+1]);
+
+  sqlite3PagerUnref(pDbPage);
+  if( *pEType<1 || *pEType>5 ) return SQLITE_CORRUPT_BKPT;
+  return SQLITE_OK;
+}
+
+#endif /* SQLITE_OMIT_AUTOVACUUM */
+
+/*
+** Given a btree page and a cell index (0 means the first cell on
+** the page, 1 means the second cell, and so forth) return a pointer
+** to the cell content.
+**
+** This routine works only for pages that do not contain overflow cells.
+*/
+static u8 *findCell(MemPage *pPage, int iCell){
+  u8 *data = pPage->aData;
+  assert( iCell>=0 );
+  assert( iCell<get2byte(&data[pPage->hdrOffset+3]) );
+  return data + get2byte(&data[pPage->cellOffset+2*iCell]);
+}
+
+/*
+** This a more complex version of findCell() that works for
+** pages that do contain overflow cells.  See insert
+*/
+static u8 *findOverflowCell(MemPage *pPage, int iCell){
+  int i;
+  for(i=pPage->nOverflow-1; i>=0; i--){
+    int k;
+    struct _OvflCell *pOvfl;
+    pOvfl = &pPage->aOvfl[i];
+    k = pOvfl->idx;
+    if( k<=iCell ){
+      if( k==iCell ){
+        return pOvfl->pCell;
+      }
+      iCell--;
+    }
+  }
+  return findCell(pPage, iCell);
+}
+
+/*
+** Parse a cell content block and fill in the CellInfo structure.  There
+** are two versions of this function.  parseCell() takes a cell index
+** as the second argument and parseCellPtr() takes a pointer to the
+** body of the cell as its second argument.
+*/
+static void parseCellPtr(
+  MemPage *pPage,         /* Page containing the cell */
+  u8 *pCell,              /* Pointer to the cell text. */
+  CellInfo *pInfo         /* Fill in this structure */
+){
+  int n;                  /* Number bytes in cell content header */
+  u32 nPayload;           /* Number of bytes of cell payload */
+
+  pInfo->pCell = pCell;
+  assert( pPage->leaf==0 || pPage->leaf==1 );
+  n = pPage->childPtrSize;
+  assert( n==4-4*pPage->leaf );
+  if( pPage->hasData ){
+    n += getVarint32(&pCell[n], &nPayload);
+  }else{
+    nPayload = 0;
+  }
+  pInfo->nData = nPayload;
+  if( pPage->intKey ){
+    n += getVarint(&pCell[n], (u64 *)&pInfo->nKey);
+  }else{
+    u32 x;
+    n += getVarint32(&pCell[n], &x);
+    pInfo->nKey = x;
+    nPayload += x;
+  }
+  pInfo->nPayload = nPayload;
+  pInfo->nHeader = n;
+  if( nPayload<=pPage->maxLocal ){
+    /* This is the (easy) common case where the entire payload fits
+    ** on the local page.  No overflow is required.
+    */
+    int nSize;          /* Total size of cell content in bytes */
+    pInfo->nLocal = nPayload;
+    pInfo->iOverflow = 0;
+    nSize = nPayload + n;
+    if( nSize<4 ){
+      nSize = 4;        /* Minimum cell size is 4 */
+    }
+    pInfo->nSize = nSize;
+  }else{
+    /* If the payload will not fit completely on the local page, we have
+    ** to decide how much to store locally and how much to spill onto
+    ** overflow pages.  The strategy is to minimize the amount of unused
+    ** space on overflow pages while keeping the amount of local storage
+    ** in between minLocal and maxLocal.
+    **
+    ** Warning:  changing the way overflow payload is distributed in any
+    ** way will result in an incompatible file format.
+    */
+    int minLocal;  /* Minimum amount of payload held locally */
+    int maxLocal;  /* Maximum amount of payload held locally */
+    int surplus;   /* Overflow payload available for local storage */
+
+    minLocal = pPage->minLocal;
+    maxLocal = pPage->maxLocal;
+    surplus = minLocal + (nPayload - minLocal)%(pPage->pBt->usableSize - 4);
+    if( surplus <= maxLocal ){
+      pInfo->nLocal = surplus;
+    }else{
+      pInfo->nLocal = minLocal;
+    }
+    pInfo->iOverflow = pInfo->nLocal + n;
+    pInfo->nSize = pInfo->iOverflow + 4;
+  }
+}
+static void parseCell(
+  MemPage *pPage,         /* Page containing the cell */
+  int iCell,              /* The cell index.  First cell is 0 */
+  CellInfo *pInfo         /* Fill in this structure */
+){
+  parseCellPtr(pPage, findCell(pPage, iCell), pInfo);
+}
+
+/*
+** Compute the total number of bytes that a Cell needs in the cell
+** data area of the btree-page.  The return number includes the cell
+** data header and the local payload, but not any overflow page or
+** the space used by the cell pointer.
+*/
+#ifndef NDEBUG
+static int cellSize(MemPage *pPage, int iCell){
+  CellInfo info;
+  parseCell(pPage, iCell, &info);
+  return info.nSize;
+}
+#endif
+static int cellSizePtr(MemPage *pPage, u8 *pCell){
+  CellInfo info;
+  parseCellPtr(pPage, pCell, &info);
+  return info.nSize;
+}
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+/*
+** If the cell pCell, part of page pPage contains a pointer
+** to an overflow page, insert an entry into the pointer-map
+** for the overflow page.
+*/
+static int ptrmapPutOvflPtr(MemPage *pPage, u8 *pCell){
+  if( pCell ){
+    CellInfo info;
+    parseCellPtr(pPage, pCell, &info);
+    assert( (info.nData+(pPage->intKey?0:info.nKey))==info.nPayload );
+    if( (info.nData+(pPage->intKey?0:info.nKey))>info.nLocal ){
+      Pgno ovfl = get4byte(&pCell[info.iOverflow]);
+      return ptrmapPut(pPage->pBt, ovfl, PTRMAP_OVERFLOW1, pPage->pgno);
+    }
+  }
+  return SQLITE_OK;
+}
+/*
+** If the cell with index iCell on page pPage contains a pointer
+** to an overflow page, insert an entry into the pointer-map
+** for the overflow page.
+*/
+static int ptrmapPutOvfl(MemPage *pPage, int iCell){
+  u8 *pCell;
+  pCell = findOverflowCell(pPage, iCell);
+  return ptrmapPutOvflPtr(pPage, pCell);
+}
+#endif
+
+
+/* A bunch of assert() statements to check the transaction state variables
+** of handle p (type Btree*) are internally consistent.
+*/
+#define btreeIntegrity(p) \
+  assert( p->inTrans!=TRANS_NONE || p->pBt->nTransaction<p->pBt->nRef ); \
+  assert( p->pBt->nTransaction<=p->pBt->nRef ); \
+  assert( p->pBt->inTransaction!=TRANS_NONE || p->pBt->nTransaction==0 ); \
+  assert( p->pBt->inTransaction>=p->inTrans ); 
+
+/*
+** Defragment the page given.  All Cells are moved to the
+** end of the page and all free space is collected into one
+** big FreeBlk that occurs in between the header and cell
+** pointer array and the cell content area.
+*/
+static int defragmentPage(MemPage *pPage){
+  int i;                     /* Loop counter */
+  int pc;                    /* Address of a i-th cell */
+  int addr;                  /* Offset of first byte after cell pointer array */
+  int hdr;                   /* Offset to the page header */
+  int size;                  /* Size of a cell */
+  int usableSize;            /* Number of usable bytes on a page */
+  int cellOffset;            /* Offset to the cell pointer array */
+  int brk;                   /* Offset to the cell content area */
+  int nCell;                 /* Number of cells on the page */
+  unsigned char *data;       /* The page data */
+  unsigned char *temp;       /* Temp area for cell content */
+
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  assert( pPage->pBt!=0 );
+  assert( pPage->pBt->usableSize <= SQLITE_MAX_PAGE_SIZE );
+  assert( pPage->nOverflow==0 );
+  temp = sqliteMalloc( pPage->pBt->pageSize );
+  if( temp==0 ) return SQLITE_NOMEM;
+  data = pPage->aData;
+  hdr = pPage->hdrOffset;
+  cellOffset = pPage->cellOffset;
+  nCell = pPage->nCell;
+  assert( nCell==get2byte(&data[hdr+3]) );
+  usableSize = pPage->pBt->usableSize;
+  brk = get2byte(&data[hdr+5]);
+  memcpy(&temp[brk], &data[brk], usableSize - brk);
+  brk = usableSize;
+  for(i=0; i<nCell; i++){
+    u8 *pAddr;     /* The i-th cell pointer */
+    pAddr = &data[cellOffset + i*2];
+    pc = get2byte(pAddr);
+    assert( pc<pPage->pBt->usableSize );
+    size = cellSizePtr(pPage, &temp[pc]);
+    brk -= size;
+    memcpy(&data[brk], &temp[pc], size);
+    put2byte(pAddr, brk);
+  }
+  assert( brk>=cellOffset+2*nCell );
+  put2byte(&data[hdr+5], brk);
+  data[hdr+1] = 0;
+  data[hdr+2] = 0;
+  data[hdr+7] = 0;
+  addr = cellOffset+2*nCell;
+  memset(&data[addr], 0, brk-addr);
+  sqliteFree(temp);
+  return SQLITE_OK;
+}
+
+/*
+** Allocate nByte bytes of space on a page.
+**
+** Return the index into pPage->aData[] of the first byte of
+** the new allocation. Or return 0 if there is not enough free
+** space on the page to satisfy the allocation request.
+**
+** If the page contains nBytes of free space but does not contain
+** nBytes of contiguous free space, then this routine automatically
+** calls defragementPage() to consolidate all free space before 
+** allocating the new chunk.
+*/
+static int allocateSpace(MemPage *pPage, int nByte){
+  int addr, pc, hdr;
+  int size;
+  int nFrag;
+  int top;
+  int nCell;
+  int cellOffset;
+  unsigned char *data;
+  
+  data = pPage->aData;
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  assert( pPage->pBt );
+  if( nByte<4 ) nByte = 4;
+  if( pPage->nFree<nByte || pPage->nOverflow>0 ) return 0;
+  pPage->nFree -= nByte;
+  hdr = pPage->hdrOffset;
+
+  nFrag = data[hdr+7];
+  if( nFrag<60 ){
+    /* Search the freelist looking for a slot big enough to satisfy the
+    ** space request. */
+    addr = hdr+1;
+    while( (pc = get2byte(&data[addr]))>0 ){
+      size = get2byte(&data[pc+2]);
+      if( size>=nByte ){
+        if( size<nByte+4 ){
+          memcpy(&data[addr], &data[pc], 2);
+          data[hdr+7] = nFrag + size - nByte;
+          return pc;
+        }else{
+          put2byte(&data[pc+2], size-nByte);
+          return pc + size - nByte;
+        }
+      }
+      addr = pc;
+    }
+  }
+
+  /* Allocate memory from the gap in between the cell pointer array
+  ** and the cell content area.
+  */
+  top = get2byte(&data[hdr+5]);
+  nCell = get2byte(&data[hdr+3]);
+  cellOffset = pPage->cellOffset;
+  if( nFrag>=60 || cellOffset + 2*nCell > top - nByte ){
+    if( defragmentPage(pPage) ) return 0;
+    top = get2byte(&data[hdr+5]);
+  }
+  top -= nByte;
+  assert( cellOffset + 2*nCell <= top );
+  put2byte(&data[hdr+5], top);
+  return top;
+}
+
+/*
+** Return a section of the pPage->aData to the freelist.
+** The first byte of the new free block is pPage->aDisk[start]
+** and the size of the block is "size" bytes.
+**
+** Most of the effort here is involved in coalesing adjacent
+** free blocks into a single big free block.
+*/
+static void freeSpace(MemPage *pPage, int start, int size){
+  int addr, pbegin, hdr;
+  unsigned char *data = pPage->aData;
+
+  assert( pPage->pBt!=0 );
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  assert( start>=pPage->hdrOffset+6+(pPage->leaf?0:4) );
+  assert( (start + size)<=pPage->pBt->usableSize );
+  if( size<4 ) size = 4;
+
+#ifdef SQLITE_SECURE_DELETE
+  /* Overwrite deleted information with zeros when the SECURE_DELETE 
+  ** option is enabled at compile-time */
+  memset(&data[start], 0, size);
+#endif
+
+  /* Add the space back into the linked list of freeblocks */
+  hdr = pPage->hdrOffset;
+  addr = hdr + 1;
+  while( (pbegin = get2byte(&data[addr]))<start && pbegin>0 ){
+    assert( pbegin<=pPage->pBt->usableSize-4 );
+    assert( pbegin>addr );
+    addr = pbegin;
+  }
+  assert( pbegin<=pPage->pBt->usableSize-4 );
+  assert( pbegin>addr || pbegin==0 );
+  put2byte(&data[addr], start);
+  put2byte(&data[start], pbegin);
+  put2byte(&data[start+2], size);
+  pPage->nFree += size;
+
+  /* Coalesce adjacent free blocks */
+  addr = pPage->hdrOffset + 1;
+  while( (pbegin = get2byte(&data[addr]))>0 ){
+    int pnext, psize;
+    assert( pbegin>addr );
+    assert( pbegin<=pPage->pBt->usableSize-4 );
+    pnext = get2byte(&data[pbegin]);
+    psize = get2byte(&data[pbegin+2]);
+    if( pbegin + psize + 3 >= pnext && pnext>0 ){
+      int frag = pnext - (pbegin+psize);
+      assert( frag<=data[pPage->hdrOffset+7] );
+      data[pPage->hdrOffset+7] -= frag;
+      put2byte(&data[pbegin], get2byte(&data[pnext]));
+      put2byte(&data[pbegin+2], pnext+get2byte(&data[pnext+2])-pbegin);
+    }else{
+      addr = pbegin;
+    }
+  }
+
+  /* If the cell content area begins with a freeblock, remove it. */
+  if( data[hdr+1]==data[hdr+5] && data[hdr+2]==data[hdr+6] ){
+    int top;
+    pbegin = get2byte(&data[hdr+1]);
+    memcpy(&data[hdr+1], &data[pbegin], 2);
+    top = get2byte(&data[hdr+5]);
+    put2byte(&data[hdr+5], top + get2byte(&data[pbegin+2]));
+  }
+}
+
+/*
+** Decode the flags byte (the first byte of the header) for a page
+** and initialize fields of the MemPage structure accordingly.
+*/
+static void decodeFlags(MemPage *pPage, int flagByte){
+  BtShared *pBt;     /* A copy of pPage->pBt */
+
+  assert( pPage->hdrOffset==(pPage->pgno==1 ? 100 : 0) );
+  pPage->intKey = (flagByte & (PTF_INTKEY|PTF_LEAFDATA))!=0;
+  pPage->zeroData = (flagByte & PTF_ZERODATA)!=0;
+  pPage->leaf = (flagByte & PTF_LEAF)!=0;
+  pPage->childPtrSize = 4*(pPage->leaf==0);
+  pBt = pPage->pBt;
+  if( flagByte & PTF_LEAFDATA ){
+    pPage->leafData = 1;
+    pPage->maxLocal = pBt->maxLeaf;
+    pPage->minLocal = pBt->minLeaf;
+  }else{
+    pPage->leafData = 0;
+    pPage->maxLocal = pBt->maxLocal;
+    pPage->minLocal = pBt->minLocal;
+  }
+  pPage->hasData = !(pPage->zeroData || (!pPage->leaf && pPage->leafData));
+}
+
+/*
+** Initialize the auxiliary information for a disk block.
+**
+** The pParent parameter must be a pointer to the MemPage which
+** is the parent of the page being initialized.  The root of a
+** BTree has no parent and so for that page, pParent==NULL.
+**
+** Return SQLITE_OK on success.  If we see that the page does
+** not contain a well-formed database page, then return 
+** SQLITE_CORRUPT.  Note that a return of SQLITE_OK does not
+** guarantee that the page is well-formed.  It only shows that
+** we failed to detect any corruption.
+*/
+static int initPage(
+  MemPage *pPage,        /* The page to be initialized */
+  MemPage *pParent       /* The parent.  Might be NULL */
+){
+  int pc;            /* Address of a freeblock within pPage->aData[] */
+  int hdr;           /* Offset to beginning of page header */
+  u8 *data;          /* Equal to pPage->aData */
+  BtShared *pBt;        /* The main btree structure */
+  int usableSize;    /* Amount of usable space on each page */
+  int cellOffset;    /* Offset from start of page to first cell pointer */
+  int nFree;         /* Number of unused bytes on the page */
+  int top;           /* First byte of the cell content area */
+
+  pBt = pPage->pBt;
+  assert( pBt!=0 );
+  assert( pParent==0 || pParent->pBt==pBt );
+  assert( pPage->pgno==sqlite3PagerPagenumber(pPage->pDbPage) );
+  assert( pPage->aData == &((unsigned char*)pPage)[-pBt->pageSize] );
+  if( pPage->pParent!=pParent && (pPage->pParent!=0 || pPage->isInit) ){
+    /* The parent page should never change unless the file is corrupt */
+    return SQLITE_CORRUPT_BKPT;
+  }
+  if( pPage->isInit ) return SQLITE_OK;
+  if( pPage->pParent==0 && pParent!=0 ){
+    pPage->pParent = pParent;
+    sqlite3PagerRef(pParent->pDbPage);
+  }
+  hdr = pPage->hdrOffset;
+  data = pPage->aData;
+  decodeFlags(pPage, data[hdr]);
+  pPage->nOverflow = 0;
+  pPage->idxShift = 0;
+  usableSize = pBt->usableSize;
+  pPage->cellOffset = cellOffset = hdr + 12 - 4*pPage->leaf;
+  top = get2byte(&data[hdr+5]);
+  pPage->nCell = get2byte(&data[hdr+3]);
+  if( pPage->nCell>MX_CELL(pBt) ){
+    /* To many cells for a single page.  The page must be corrupt */
+    return SQLITE_CORRUPT_BKPT;
+  }
+  if( pPage->nCell==0 && pParent!=0 && pParent->pgno!=1 ){
+    /* All pages must have at least one cell, except for root pages */
+    return SQLITE_CORRUPT_BKPT;
+  }
+
+  /* Compute the total free space on the page */
+  pc = get2byte(&data[hdr+1]);
+  nFree = data[hdr+7] + top - (cellOffset + 2*pPage->nCell);
+  while( pc>0 ){
+    int next, size;
+    if( pc>usableSize-4 ){
+      /* Free block is off the page */
+      return SQLITE_CORRUPT_BKPT; 
+    }
+    next = get2byte(&data[pc]);
+    size = get2byte(&data[pc+2]);
+    if( next>0 && next<=pc+size+3 ){
+      /* Free blocks must be in accending order */
+      return SQLITE_CORRUPT_BKPT; 
+    }
+    nFree += size;
+    pc = next;
+  }
+  pPage->nFree = nFree;
+  if( nFree>=usableSize ){
+    /* Free space cannot exceed total page size */
+    return SQLITE_CORRUPT_BKPT; 
+  }
+
+  pPage->isInit = 1;
+  return SQLITE_OK;
+}
+
+/*
+** Set up a raw page so that it looks like a database page holding
+** no entries.
+*/
+static void zeroPage(MemPage *pPage, int flags){
+  unsigned char *data = pPage->aData;
+  BtShared *pBt = pPage->pBt;
+  int hdr = pPage->hdrOffset;
+  int first;
+
+  assert( sqlite3PagerPagenumber(pPage->pDbPage)==pPage->pgno );
+  assert( &data[pBt->pageSize] == (unsigned char*)pPage );
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  memset(&data[hdr], 0, pBt->usableSize - hdr);
+  data[hdr] = flags;
+  first = hdr + 8 + 4*((flags&PTF_LEAF)==0);
+  memset(&data[hdr+1], 0, 4);
+  data[hdr+7] = 0;
+  put2byte(&data[hdr+5], pBt->usableSize);
+  pPage->nFree = pBt->usableSize - first;
+  decodeFlags(pPage, flags);
+  pPage->hdrOffset = hdr;
+  pPage->cellOffset = first;
+  pPage->nOverflow = 0;
+  pPage->idxShift = 0;
+  pPage->nCell = 0;
+  pPage->isInit = 1;
+}
+
+/*
+** Get a page from the pager.  Initialize the MemPage.pBt and
+** MemPage.aData elements if needed.
+**
+** If the noContent flag is set, it means that we do not care about
+** the content of the page at this time.  So do not go to the disk
+** to fetch the content.  Just fill in the content with zeros for now.
+** If in the future we call sqlite3PagerWrite() on this page, that
+** means we have started to be concerned about content and the disk
+** read should occur at that point.
+*/
+static int getPage(BtShared *pBt, Pgno pgno, MemPage **ppPage, int noContent){
+  int rc;
+  MemPage *pPage;
+  DbPage *pDbPage;
+
+  rc = sqlite3PagerAcquire(pBt->pPager, pgno, (DbPage**)&pDbPage, noContent);
+  if( rc ) return rc;
+  pPage = (MemPage *)sqlite3PagerGetExtra(pDbPage);
+  pPage->aData = sqlite3PagerGetData(pDbPage);
+  pPage->pDbPage = pDbPage;
+  pPage->pBt = pBt;
+  pPage->pgno = pgno;
+  pPage->hdrOffset = pPage->pgno==1 ? 100 : 0;
+  *ppPage = pPage;
+  return SQLITE_OK;
+}
+
+/*
+** Get a page from the pager and initialize it.  This routine
+** is just a convenience wrapper around separate calls to
+** getPage() and initPage().
+*/
+static int getAndInitPage(
+  BtShared *pBt,          /* The database file */
+  Pgno pgno,           /* Number of the page to get */
+  MemPage **ppPage,    /* Write the page pointer here */
+  MemPage *pParent     /* Parent of the page */
+){
+  int rc;
+  if( pgno==0 ){
+    return SQLITE_CORRUPT_BKPT; 
+  }
+  rc = getPage(pBt, pgno, ppPage, 0);
+  if( rc==SQLITE_OK && (*ppPage)->isInit==0 ){
+    rc = initPage(*ppPage, pParent);
+  }
+  return rc;
+}
+
+/*
+** Release a MemPage.  This should be called once for each prior
+** call to getPage.
+*/
+static void releasePage(MemPage *pPage){
+  if( pPage ){
+    assert( pPage->aData );
+    assert( pPage->pBt );
+    assert( &pPage->aData[pPage->pBt->pageSize]==(unsigned char*)pPage );
+    sqlite3PagerUnref(pPage->pDbPage);
+  }
+}
+
+/*
+** This routine is called when the reference count for a page
+** reaches zero.  We need to unref the pParent pointer when that
+** happens.
+*/
+static void pageDestructor(DbPage *pData, int pageSize){
+  MemPage *pPage;
+  assert( (pageSize & 7)==0 );
+  pPage = (MemPage *)sqlite3PagerGetExtra(pData);
+  if( pPage->pParent ){
+    MemPage *pParent = pPage->pParent;
+    pPage->pParent = 0;
+    releasePage(pParent);
+  }
+  pPage->isInit = 0;
+}
+
+/*
+** During a rollback, when the pager reloads information into the cache
+** so that the cache is restored to its original state at the start of
+** the transaction, for each page restored this routine is called.
+**
+** This routine needs to reset the extra data section at the end of the
+** page to agree with the restored data.
+*/
+static void pageReinit(DbPage *pData, int pageSize){
+  MemPage *pPage;
+  assert( (pageSize & 7)==0 );
+  pPage = (MemPage *)sqlite3PagerGetExtra(pData);
+  if( pPage->isInit ){
+    pPage->isInit = 0;
+    initPage(pPage, pPage->pParent);
+  }
+}
+
+/*
+** Open a database file.
+** 
+** zFilename is the name of the database file.  If zFilename is NULL
+** a new database with a random name is created.  This randomly named
+** database file will be deleted when sqlite3BtreeClose() is called.
+*/
+int sqlite3BtreeOpen(
+  const char *zFilename,  /* Name of the file containing the BTree database */
+  sqlite3 *pSqlite,       /* Associated database handle */
+  Btree **ppBtree,        /* Pointer to new Btree object written here */
+  int flags               /* Options */
+){
+  BtShared *pBt;          /* Shared part of btree structure */
+  Btree *p;               /* Handle to return */
+  int rc;
+  int nReserve;
+  unsigned char zDbHeader[100];
+#if !defined(SQLITE_OMIT_SHARED_CACHE) && !defined(SQLITE_OMIT_DISKIO)
+  const ThreadData *pTsdro;
+#endif
+
+  /* Set the variable isMemdb to true for an in-memory database, or 
+  ** false for a file-based database. This symbol is only required if
+  ** either of the shared-data or autovacuum features are compiled 
+  ** into the library.
+  */
+#if !defined(SQLITE_OMIT_SHARED_CACHE) || !defined(SQLITE_OMIT_AUTOVACUUM)
+  #ifdef SQLITE_OMIT_MEMORYDB
+    const int isMemdb = 0;
+  #else
+    const int isMemdb = zFilename && !strcmp(zFilename, ":memory:");
+  #endif
+#endif
+
+  p = sqliteMalloc(sizeof(Btree));
+  if( !p ){
+    return SQLITE_NOMEM;
+  }
+  p->inTrans = TRANS_NONE;
+  p->pSqlite = pSqlite;
+
+  /* Try to find an existing Btree structure opened on zFilename. */
+#if !defined(SQLITE_OMIT_SHARED_CACHE) && !defined(SQLITE_OMIT_DISKIO)
+  pTsdro = sqlite3ThreadDataReadOnly();
+  if( pTsdro->useSharedData && zFilename && !isMemdb ){
+    char *zFullPathname = sqlite3OsFullPathname(zFilename);
+    if( !zFullPathname ){
+      sqliteFree(p);
+      return SQLITE_NOMEM;
+    }
+    for(pBt=pTsdro->pBtree; pBt; pBt=pBt->pNext){
+      assert( pBt->nRef>0 );
+      if( 0==strcmp(zFullPathname, sqlite3PagerFilename(pBt->pPager)) ){
+        p->pBt = pBt;
+        *ppBtree = p;
+        pBt->nRef++;
+        sqliteFree(zFullPathname);
+        return SQLITE_OK;
+      }
+    }
+    sqliteFree(zFullPathname);
+  }
+#endif
+
+  /*
+  ** The following asserts make sure that structures used by the btree are
+  ** the right size.  This is to guard against size changes that result
+  ** when compiling on a different architecture.
+  */
+  assert( sizeof(i64)==8 || sizeof(i64)==4 );
+  assert( sizeof(u64)==8 || sizeof(u64)==4 );
+  assert( sizeof(u32)==4 );
+  assert( sizeof(u16)==2 );
+  assert( sizeof(Pgno)==4 );
+
+  pBt = sqliteMalloc( sizeof(*pBt) );
+  if( pBt==0 ){
+    *ppBtree = 0;
+    sqliteFree(p);
+    return SQLITE_NOMEM;
+  }
+  rc = sqlite3PagerOpen(&pBt->pPager, zFilename, EXTRA_SIZE, flags);
+  if( rc==SQLITE_OK ){
+    rc = sqlite3PagerReadFileheader(pBt->pPager,sizeof(zDbHeader),zDbHeader);
+  }
+  if( rc!=SQLITE_OK ){
+    if( pBt->pPager ){
+      sqlite3PagerClose(pBt->pPager);
+    }
+    sqliteFree(pBt);
+    sqliteFree(p);
+    *ppBtree = 0;
+    return rc;
+  }
+  p->pBt = pBt;
+
+  sqlite3PagerSetDestructor(pBt->pPager, pageDestructor);
+  sqlite3PagerSetReiniter(pBt->pPager, pageReinit);
+  pBt->pCursor = 0;
+  pBt->pPage1 = 0;
+  pBt->readOnly = sqlite3PagerIsreadonly(pBt->pPager);
+  pBt->pageSize = get2byte(&zDbHeader[16]);
+  if( pBt->pageSize<512 || pBt->pageSize>SQLITE_MAX_PAGE_SIZE
+       || ((pBt->pageSize-1)&pBt->pageSize)!=0 ){
+    pBt->pageSize = SQLITE_DEFAULT_PAGE_SIZE;
+    pBt->maxEmbedFrac = 64;   /* 25% */
+    pBt->minEmbedFrac = 32;   /* 12.5% */
+    pBt->minLeafFrac = 32;    /* 12.5% */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    /* If the magic name ":memory:" will create an in-memory database, then
+    ** do not set the auto-vacuum flag, even if SQLITE_DEFAULT_AUTOVACUUM
+    ** is true. On the other hand, if SQLITE_OMIT_MEMORYDB has been defined,
+    ** then ":memory:" is just a regular file-name. Respect the auto-vacuum
+    ** default in this case.
+    */
+    if( zFilename && !isMemdb ){
+      pBt->autoVacuum = SQLITE_DEFAULT_AUTOVACUUM;
+    }
+#endif
+    nReserve = 0;
+  }else{
+    nReserve = zDbHeader[20];
+    pBt->maxEmbedFrac = zDbHeader[21];
+    pBt->minEmbedFrac = zDbHeader[22];
+    pBt->minLeafFrac = zDbHeader[23];
+    pBt->pageSizeFixed = 1;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    pBt->autoVacuum = (get4byte(&zDbHeader[36 + 4*4])?1:0);
+#endif
+  }
+  pBt->usableSize = pBt->pageSize - nReserve;
+  assert( (pBt->pageSize & 7)==0 );  /* 8-byte alignment of pageSize */
+  sqlite3PagerSetPagesize(pBt->pPager, pBt->pageSize);
+
+#if !defined(SQLITE_OMIT_SHARED_CACHE) && !defined(SQLITE_OMIT_DISKIO)
+  /* Add the new btree to the linked list starting at ThreadData.pBtree.
+  ** There is no chance that a malloc() may fail inside of the 
+  ** sqlite3ThreadData() call, as the ThreadData structure must have already
+  ** been allocated for pTsdro->useSharedData to be non-zero.
+  */
+  if( pTsdro->useSharedData && zFilename && !isMemdb ){
+    pBt->pNext = pTsdro->pBtree;
+    sqlite3ThreadData()->pBtree = pBt;
+  }
+#endif
+  pBt->nRef = 1;
+  *ppBtree = p;
+  return SQLITE_OK;
+}
+
+/*
+** Close an open database and invalidate all cursors.
+*/
+int sqlite3BtreeClose(Btree *p){
+  BtShared *pBt = p->pBt;
+  BtCursor *pCur;
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  ThreadData *pTsd;
+#endif
+
+  /* Close all cursors opened via this handle.  */
+  pCur = pBt->pCursor;
+  while( pCur ){
+    BtCursor *pTmp = pCur;
+    pCur = pCur->pNext;
+    if( pTmp->pBtree==p ){
+      sqlite3BtreeCloseCursor(pTmp);
+    }
+  }
+
+  /* Rollback any active transaction and free the handle structure.
+  ** The call to sqlite3BtreeRollback() drops any table-locks held by
+  ** this handle.
+  */
+  sqlite3BtreeRollback(p);
+  sqliteFree(p);
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  /* If there are still other outstanding references to the shared-btree
+  ** structure, return now. The remainder of this procedure cleans 
+  ** up the shared-btree.
+  */
+  assert( pBt->nRef>0 );
+  pBt->nRef--;
+  if( pBt->nRef ){
+    return SQLITE_OK;
+  }
+
+  /* Remove the shared-btree from the thread wide list. Call 
+  ** ThreadDataReadOnly() and then cast away the const property of the 
+  ** pointer to avoid allocating thread data if it is not really required.
+  */
+  pTsd = (ThreadData *)sqlite3ThreadDataReadOnly();
+  if( pTsd->pBtree==pBt ){
+    assert( pTsd==sqlite3ThreadData() );
+    pTsd->pBtree = pBt->pNext;
+  }else{
+    BtShared *pPrev;
+    for(pPrev=pTsd->pBtree; pPrev && pPrev->pNext!=pBt; pPrev=pPrev->pNext){}
+    if( pPrev ){
+      assert( pTsd==sqlite3ThreadData() );
+      pPrev->pNext = pBt->pNext;
+    }
+  }
+#endif
+
+  /* Close the pager and free the shared-btree structure */
+  assert( !pBt->pCursor );
+  sqlite3PagerClose(pBt->pPager);
+  if( pBt->xFreeSchema && pBt->pSchema ){
+    pBt->xFreeSchema(pBt->pSchema);
+  }
+  sqliteFree(pBt->pSchema);
+  sqliteFree(pBt);
+  return SQLITE_OK;
+}
+
+/*
+** Change the busy handler callback function.
+*/
+int sqlite3BtreeSetBusyHandler(Btree *p, BusyHandler *pHandler){
+  BtShared *pBt = p->pBt;
+  pBt->pBusyHandler = pHandler;
+  sqlite3PagerSetBusyhandler(pBt->pPager, pHandler);
+  return SQLITE_OK;
+}
+
+/*
+** Change the limit on the number of pages allowed in the cache.
+**
+** The maximum number of cache pages is set to the absolute
+** value of mxPage.  If mxPage is negative, the pager will
+** operate asynchronously - it will not stop to do fsync()s
+** to insure data is written to the disk surface before
+** continuing.  Transactions still work if synchronous is off,
+** and the database cannot be corrupted if this program
+** crashes.  But if the operating system crashes or there is
+** an abrupt power failure when synchronous is off, the database
+** could be left in an inconsistent and unrecoverable state.
+** Synchronous is on by default so database corruption is not
+** normally a worry.
+*/
+int sqlite3BtreeSetCacheSize(Btree *p, int mxPage){
+  BtShared *pBt = p->pBt;
+  sqlite3PagerSetCachesize(pBt->pPager, mxPage);
+  return SQLITE_OK;
+}
+
+/*
+** Change the way data is synced to disk in order to increase or decrease
+** how well the database resists damage due to OS crashes and power
+** failures.  Level 1 is the same as asynchronous (no syncs() occur and
+** there is a high probability of damage)  Level 2 is the default.  There
+** is a very low but non-zero probability of damage.  Level 3 reduces the
+** probability of damage to near zero but with a write performance reduction.
+*/
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+int sqlite3BtreeSetSafetyLevel(Btree *p, int level, int fullSync){
+  BtShared *pBt = p->pBt;
+  sqlite3PagerSetSafetyLevel(pBt->pPager, level, fullSync);
+  return SQLITE_OK;
+}
+#endif
+
+/*
+** Return TRUE if the given btree is set to safety level 1.  In other
+** words, return TRUE if no sync() occurs on the disk files.
+*/
+int sqlite3BtreeSyncDisabled(Btree *p){
+  BtShared *pBt = p->pBt;
+  assert( pBt && pBt->pPager );
+  return sqlite3PagerNosync(pBt->pPager);
+}
+
+#if !defined(SQLITE_OMIT_PAGER_PRAGMAS) || !defined(SQLITE_OMIT_VACUUM)
+/*
+** Change the default pages size and the number of reserved bytes per page.
+**
+** The page size must be a power of 2 between 512 and 65536.  If the page
+** size supplied does not meet this constraint then the page size is not
+** changed.
+**
+** Page sizes are constrained to be a power of two so that the region
+** of the database file used for locking (beginning at PENDING_BYTE,
+** the first byte past the 1GB boundary, 0x40000000) needs to occur
+** at the beginning of a page.
+**
+** If parameter nReserve is less than zero, then the number of reserved
+** bytes per page is left unchanged.
+*/
+int sqlite3BtreeSetPageSize(Btree *p, int pageSize, int nReserve){
+  BtShared *pBt = p->pBt;
+  if( pBt->pageSizeFixed ){
+    return SQLITE_READONLY;
+  }
+  if( nReserve<0 ){
+    nReserve = pBt->pageSize - pBt->usableSize;
+  }
+  if( pageSize>=512 && pageSize<=SQLITE_MAX_PAGE_SIZE &&
+        ((pageSize-1)&pageSize)==0 ){
+    assert( (pageSize & 7)==0 );
+    assert( !pBt->pPage1 && !pBt->pCursor );
+    pBt->pageSize = sqlite3PagerSetPagesize(pBt->pPager, pageSize);
+  }
+  pBt->usableSize = pBt->pageSize - nReserve;
+  return SQLITE_OK;
+}
+
+/*
+** Return the currently defined page size
+*/
+int sqlite3BtreeGetPageSize(Btree *p){
+  return p->pBt->pageSize;
+}
+int sqlite3BtreeGetReserve(Btree *p){
+  return p->pBt->pageSize - p->pBt->usableSize;
+}
+#endif /* !defined(SQLITE_OMIT_PAGER_PRAGMAS) || !defined(SQLITE_OMIT_VACUUM) */
+
+/*
+** Change the 'auto-vacuum' property of the database. If the 'autoVacuum'
+** parameter is non-zero, then auto-vacuum mode is enabled. If zero, it
+** is disabled. The default value for the auto-vacuum property is 
+** determined by the SQLITE_DEFAULT_AUTOVACUUM macro.
+*/
+int sqlite3BtreeSetAutoVacuum(Btree *p, int autoVacuum){
+  BtShared *pBt = p->pBt;;
+#ifdef SQLITE_OMIT_AUTOVACUUM
+  return SQLITE_READONLY;
+#else
+  if( pBt->pageSizeFixed ){
+    return SQLITE_READONLY;
+  }
+  pBt->autoVacuum = (autoVacuum?1:0);
+  return SQLITE_OK;
+#endif
+}
+
+/*
+** Return the value of the 'auto-vacuum' property. If auto-vacuum is 
+** enabled 1 is returned. Otherwise 0.
+*/
+int sqlite3BtreeGetAutoVacuum(Btree *p){
+#ifdef SQLITE_OMIT_AUTOVACUUM
+  return 0;
+#else
+  return p->pBt->autoVacuum;
+#endif
+}
+
+
+/*
+** Get a reference to pPage1 of the database file.  This will
+** also acquire a readlock on that file.
+**
+** SQLITE_OK is returned on success.  If the file is not a
+** well-formed database file, then SQLITE_CORRUPT is returned.
+** SQLITE_BUSY is returned if the database is locked.  SQLITE_NOMEM
+** is returned if we run out of memory. 
+*/
+static int lockBtree(BtShared *pBt){
+  int rc, pageSize;
+  MemPage *pPage1;
+  if( pBt->pPage1 ) return SQLITE_OK;
+  rc = getPage(pBt, 1, &pPage1, 0);
+  if( rc!=SQLITE_OK ) return rc;
+  
+
+  /* Do some checking to help insure the file we opened really is
+  ** a valid database file. 
+  */
+  rc = SQLITE_NOTADB;
+  if( sqlite3PagerPagecount(pBt->pPager)>0 ){
+    u8 *page1 = pPage1->aData;
+    if( memcmp(page1, zMagicHeader, 16)!=0 ){
+      goto page1_init_failed;
+    }
+    if( page1[18]>1 ){
+      pBt->readOnly = 1;
+    }
+    if( page1[19]>1 ){
+      goto page1_init_failed;
+    }
+    pageSize = get2byte(&page1[16]);
+    if( ((pageSize-1)&pageSize)!=0 || pageSize<512 ){
+      goto page1_init_failed;
+    }
+    assert( (pageSize & 7)==0 );
+    pBt->pageSize = pageSize;
+    pBt->usableSize = pageSize - page1[20];
+    if( pBt->usableSize<500 ){
+      goto page1_init_failed;
+    }
+    pBt->maxEmbedFrac = page1[21];
+    pBt->minEmbedFrac = page1[22];
+    pBt->minLeafFrac = page1[23];
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    pBt->autoVacuum = (get4byte(&page1[36 + 4*4])?1:0);
+#endif
+  }
+
+  /* maxLocal is the maximum amount of payload to store locally for
+  ** a cell.  Make sure it is small enough so that at least minFanout
+  ** cells can will fit on one page.  We assume a 10-byte page header.
+  ** Besides the payload, the cell must store:
+  **     2-byte pointer to the cell
+  **     4-byte child pointer
+  **     9-byte nKey value
+  **     4-byte nData value
+  **     4-byte overflow page pointer
+  ** So a cell consists of a 2-byte poiner, a header which is as much as
+  ** 17 bytes long, 0 to N bytes of payload, and an optional 4 byte overflow
+  ** page pointer.
+  */
+  pBt->maxLocal = (pBt->usableSize-12)*pBt->maxEmbedFrac/255 - 23;
+  pBt->minLocal = (pBt->usableSize-12)*pBt->minEmbedFrac/255 - 23;
+  pBt->maxLeaf = pBt->usableSize - 35;
+  pBt->minLeaf = (pBt->usableSize-12)*pBt->minLeafFrac/255 - 23;
+  if( pBt->minLocal>pBt->maxLocal || pBt->maxLocal<0 ){
+    goto page1_init_failed;
+  }
+  assert( pBt->maxLeaf + 23 <= MX_CELL_SIZE(pBt) );
+  pBt->pPage1 = pPage1;
+  return SQLITE_OK;
+
+page1_init_failed:
+  releasePage(pPage1);
+  pBt->pPage1 = 0;
+  return rc;
+}
+
+/*
+** This routine works like lockBtree() except that it also invokes the
+** busy callback if there is lock contention.
+*/
+static int lockBtreeWithRetry(Btree *pRef){
+  int rc = SQLITE_OK;
+  if( pRef->inTrans==TRANS_NONE ){
+    u8 inTransaction = pRef->pBt->inTransaction;
+    btreeIntegrity(pRef);
+    rc = sqlite3BtreeBeginTrans(pRef, 0);
+    pRef->pBt->inTransaction = inTransaction;
+    pRef->inTrans = TRANS_NONE;
+    if( rc==SQLITE_OK ){
+      pRef->pBt->nTransaction--;
+    }
+    btreeIntegrity(pRef);
+  }
+  return rc;
+}
+       
+
+/*
+** If there are no outstanding cursors and we are not in the middle
+** of a transaction but there is a read lock on the database, then
+** this routine unrefs the first page of the database file which 
+** has the effect of releasing the read lock.
+**
+** If there are any outstanding cursors, this routine is a no-op.
+**
+** If there is a transaction in progress, this routine is a no-op.
+*/
+static void unlockBtreeIfUnused(BtShared *pBt){
+  if( pBt->inTransaction==TRANS_NONE && pBt->pCursor==0 && pBt->pPage1!=0 ){
+    if( sqlite3PagerRefcount(pBt->pPager)>=1 ){
+      if( pBt->pPage1->aData==0 ){
+        MemPage *pPage = pBt->pPage1;
+        pPage->aData = &((u8*)pPage)[-pBt->pageSize];
+        pPage->pBt = pBt;
+        pPage->pgno = 1;
+      }
+      releasePage(pBt->pPage1);
+    }
+    pBt->pPage1 = 0;
+    pBt->inStmt = 0;
+  }
+}
+
+/*
+** Create a new database by initializing the first page of the
+** file.
+*/
+static int newDatabase(BtShared *pBt){
+  MemPage *pP1;
+  unsigned char *data;
+  int rc;
+  if( sqlite3PagerPagecount(pBt->pPager)>0 ) return SQLITE_OK;
+  pP1 = pBt->pPage1;
+  assert( pP1!=0 );
+  data = pP1->aData;
+  rc = sqlite3PagerWrite(pP1->pDbPage);
+  if( rc ) return rc;
+  memcpy(data, zMagicHeader, sizeof(zMagicHeader));
+  assert( sizeof(zMagicHeader)==16 );
+  put2byte(&data[16], pBt->pageSize);
+  data[18] = 1;
+  data[19] = 1;
+  data[20] = pBt->pageSize - pBt->usableSize;
+  data[21] = pBt->maxEmbedFrac;
+  data[22] = pBt->minEmbedFrac;
+  data[23] = pBt->minLeafFrac;
+  memset(&data[24], 0, 100-24);
+  zeroPage(pP1, PTF_INTKEY|PTF_LEAF|PTF_LEAFDATA );
+  pBt->pageSizeFixed = 1;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  if( pBt->autoVacuum ){
+    put4byte(&data[36 + 4*4], 1);
+  }
+#endif
+  return SQLITE_OK;
+}
+
+/*
+** Attempt to start a new transaction. A write-transaction
+** is started if the second argument is nonzero, otherwise a read-
+** transaction.  If the second argument is 2 or more and exclusive
+** transaction is started, meaning that no other process is allowed
+** to access the database.  A preexisting transaction may not be
+** upgraded to exclusive by calling this routine a second time - the
+** exclusivity flag only works for a new transaction.
+**
+** A write-transaction must be started before attempting any 
+** changes to the database.  None of the following routines 
+** will work unless a transaction is started first:
+**
+**      sqlite3BtreeCreateTable()
+**      sqlite3BtreeCreateIndex()
+**      sqlite3BtreeClearTable()
+**      sqlite3BtreeDropTable()
+**      sqlite3BtreeInsert()
+**      sqlite3BtreeDelete()
+**      sqlite3BtreeUpdateMeta()
+**
+** If an initial attempt to acquire the lock fails because of lock contention
+** and the database was previously unlocked, then invoke the busy handler
+** if there is one.  But if there was previously a read-lock, do not
+** invoke the busy handler - just return SQLITE_BUSY.  SQLITE_BUSY is 
+** returned when there is already a read-lock in order to avoid a deadlock.
+**
+** Suppose there are two processes A and B.  A has a read lock and B has
+** a reserved lock.  B tries to promote to exclusive but is blocked because
+** of A's read lock.  A tries to promote to reserved but is blocked by B.
+** One or the other of the two processes must give way or there can be
+** no progress.  By returning SQLITE_BUSY and not invoking the busy callback
+** when A already has a read lock, we encourage A to give up and let B
+** proceed.
+*/
+int sqlite3BtreeBeginTrans(Btree *p, int wrflag){
+  BtShared *pBt = p->pBt;
+  int rc = SQLITE_OK;
+
+  btreeIntegrity(p);
+
+  /* If the btree is already in a write-transaction, or it
+  ** is already in a read-transaction and a read-transaction
+  ** is requested, this is a no-op.
+  */
+  if( p->inTrans==TRANS_WRITE || (p->inTrans==TRANS_READ && !wrflag) ){
+    return SQLITE_OK;
+  }
+
+  /* Write transactions are not possible on a read-only database */
+  if( pBt->readOnly && wrflag ){
+    return SQLITE_READONLY;
+  }
+
+  /* If another database handle has already opened a write transaction 
+  ** on this shared-btree structure and a second write transaction is
+  ** requested, return SQLITE_BUSY.
+  */
+  if( pBt->inTransaction==TRANS_WRITE && wrflag ){
+    return SQLITE_BUSY;
+  }
+
+  do {
+    if( pBt->pPage1==0 ){
+      rc = lockBtree(pBt);
+    }
+
+    if( rc==SQLITE_OK && wrflag ){
+      if( pBt->readOnly ){
+        rc = SQLITE_READONLY;
+      }else{
+        rc = sqlite3PagerBegin(pBt->pPage1->pDbPage, wrflag>1);
+        if( rc==SQLITE_OK ){
+          rc = newDatabase(pBt);
+        }
+      }
+    }
+  
+    if( rc==SQLITE_OK ){
+      if( wrflag ) pBt->inStmt = 0;
+    }else{
+      unlockBtreeIfUnused(pBt);
+    }
+  }while( rc==SQLITE_BUSY && pBt->inTransaction==TRANS_NONE &&
+          sqlite3InvokeBusyHandler(pBt->pBusyHandler) );
+
+  if( rc==SQLITE_OK ){
+    if( p->inTrans==TRANS_NONE ){
+      pBt->nTransaction++;
+    }
+    p->inTrans = (wrflag?TRANS_WRITE:TRANS_READ);
+    if( p->inTrans>pBt->inTransaction ){
+      pBt->inTransaction = p->inTrans;
+    }
+  }
+
+  btreeIntegrity(p);
+  return rc;
+}
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+
+/*
+** Set the pointer-map entries for all children of page pPage. Also, if
+** pPage contains cells that point to overflow pages, set the pointer
+** map entries for the overflow pages as well.
+*/
+static int setChildPtrmaps(MemPage *pPage){
+  int i;                             /* Counter variable */
+  int nCell;                         /* Number of cells in page pPage */
+  int rc = SQLITE_OK;                /* Return code */
+  BtShared *pBt = pPage->pBt;
+  int isInitOrig = pPage->isInit;
+  Pgno pgno = pPage->pgno;
+
+  initPage(pPage, 0);
+  nCell = pPage->nCell;
+
+  for(i=0; i<nCell; i++){
+    u8 *pCell = findCell(pPage, i);
+
+    rc = ptrmapPutOvflPtr(pPage, pCell);
+    if( rc!=SQLITE_OK ){
+      goto set_child_ptrmaps_out;
+    }
+
+    if( !pPage->leaf ){
+      Pgno childPgno = get4byte(pCell);
+      rc = ptrmapPut(pBt, childPgno, PTRMAP_BTREE, pgno);
+      if( rc!=SQLITE_OK ) goto set_child_ptrmaps_out;
+    }
+  }
+
+  if( !pPage->leaf ){
+    Pgno childPgno = get4byte(&pPage->aData[pPage->hdrOffset+8]);
+    rc = ptrmapPut(pBt, childPgno, PTRMAP_BTREE, pgno);
+  }
+
+set_child_ptrmaps_out:
+  pPage->isInit = isInitOrig;
+  return rc;
+}
+
+/*
+** Somewhere on pPage, which is guarenteed to be a btree page, not an overflow
+** page, is a pointer to page iFrom. Modify this pointer so that it points to
+** iTo. Parameter eType describes the type of pointer to be modified, as 
+** follows:
+**
+** PTRMAP_BTREE:     pPage is a btree-page. The pointer points at a child 
+**                   page of pPage.
+**
+** PTRMAP_OVERFLOW1: pPage is a btree-page. The pointer points at an overflow
+**                   page pointed to by one of the cells on pPage.
+**
+** PTRMAP_OVERFLOW2: pPage is an overflow-page. The pointer points at the next
+**                   overflow page in the list.
+*/
+static int modifyPagePointer(MemPage *pPage, Pgno iFrom, Pgno iTo, u8 eType){
+  if( eType==PTRMAP_OVERFLOW2 ){
+    /* The pointer is always the first 4 bytes of the page in this case.  */
+    if( get4byte(pPage->aData)!=iFrom ){
+      return SQLITE_CORRUPT_BKPT;
+    }
+    put4byte(pPage->aData, iTo);
+  }else{
+    int isInitOrig = pPage->isInit;
+    int i;
+    int nCell;
+
+    initPage(pPage, 0);
+    nCell = pPage->nCell;
+
+    for(i=0; i<nCell; i++){
+      u8 *pCell = findCell(pPage, i);
+      if( eType==PTRMAP_OVERFLOW1 ){
+        CellInfo info;
+        parseCellPtr(pPage, pCell, &info);
+        if( info.iOverflow ){
+          if( iFrom==get4byte(&pCell[info.iOverflow]) ){
+            put4byte(&pCell[info.iOverflow], iTo);
+            break;
+          }
+        }
+      }else{
+        if( get4byte(pCell)==iFrom ){
+          put4byte(pCell, iTo);
+          break;
+        }
+      }
+    }
+  
+    if( i==nCell ){
+      if( eType!=PTRMAP_BTREE || 
+          get4byte(&pPage->aData[pPage->hdrOffset+8])!=iFrom ){
+        return SQLITE_CORRUPT_BKPT;
+      }
+      put4byte(&pPage->aData[pPage->hdrOffset+8], iTo);
+    }
+
+    pPage->isInit = isInitOrig;
+  }
+  return SQLITE_OK;
+}
+
+
+/*
+** Move the open database page pDbPage to location iFreePage in the 
+** database. The pDbPage reference remains valid.
+*/
+static int relocatePage(
+  BtShared *pBt,           /* Btree */
+  MemPage *pDbPage,        /* Open page to move */
+  u8 eType,                /* Pointer map 'type' entry for pDbPage */
+  Pgno iPtrPage,           /* Pointer map 'page-no' entry for pDbPage */
+  Pgno iFreePage           /* The location to move pDbPage to */
+){
+  MemPage *pPtrPage;   /* The page that contains a pointer to pDbPage */
+  Pgno iDbPage = pDbPage->pgno;
+  Pager *pPager = pBt->pPager;
+  int rc;
+
+  assert( eType==PTRMAP_OVERFLOW2 || eType==PTRMAP_OVERFLOW1 || 
+      eType==PTRMAP_BTREE || eType==PTRMAP_ROOTPAGE );
+
+  /* Move page iDbPage from it's current location to page number iFreePage */
+  TRACE(("AUTOVACUUM: Moving %d to free page %d (ptr page %d type %d)\n", 
+      iDbPage, iFreePage, iPtrPage, eType));
+  rc = sqlite3PagerMovepage(pPager, pDbPage->pDbPage, iFreePage);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  pDbPage->pgno = iFreePage;
+
+  /* If pDbPage was a btree-page, then it may have child pages and/or cells
+  ** that point to overflow pages. The pointer map entries for all these
+  ** pages need to be changed.
+  **
+  ** If pDbPage is an overflow page, then the first 4 bytes may store a
+  ** pointer to a subsequent overflow page. If this is the case, then
+  ** the pointer map needs to be updated for the subsequent overflow page.
+  */
+  if( eType==PTRMAP_BTREE || eType==PTRMAP_ROOTPAGE ){
+    rc = setChildPtrmaps(pDbPage);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+  }else{
+    Pgno nextOvfl = get4byte(pDbPage->aData);
+    if( nextOvfl!=0 ){
+      rc = ptrmapPut(pBt, nextOvfl, PTRMAP_OVERFLOW2, iFreePage);
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+    }
+  }
+
+  /* Fix the database pointer on page iPtrPage that pointed at iDbPage so
+  ** that it points at iFreePage. Also fix the pointer map entry for
+  ** iPtrPage.
+  */
+  if( eType!=PTRMAP_ROOTPAGE ){
+    rc = getPage(pBt, iPtrPage, &pPtrPage, 0);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+    rc = sqlite3PagerWrite(pPtrPage->pDbPage);
+    if( rc!=SQLITE_OK ){
+      releasePage(pPtrPage);
+      return rc;
+    }
+    rc = modifyPagePointer(pPtrPage, iDbPage, iFreePage, eType);
+    releasePage(pPtrPage);
+    if( rc==SQLITE_OK ){
+      rc = ptrmapPut(pBt, iFreePage, eType, iPtrPage);
+    }
+  }
+  return rc;
+}
+
+/* Forward declaration required by autoVacuumCommit(). */
+static int allocateBtreePage(BtShared *, MemPage **, Pgno *, Pgno, u8);
+
+/*
+** This routine is called prior to sqlite3PagerCommit when a transaction
+** is commited for an auto-vacuum database.
+**
+** If SQLITE_OK is returned, then *pnTrunc is set to the number of pages
+** the database file should be truncated to during the commit process. 
+** i.e. the database has been reorganized so that only the first *pnTrunc
+** pages are in use.
+*/
+static int autoVacuumCommit(BtShared *pBt, Pgno *pnTrunc){
+  Pager *pPager = pBt->pPager;
+  Pgno nFreeList;            /* Number of pages remaining on the free-list. */
+  int nPtrMap;               /* Number of pointer-map pages deallocated */
+  Pgno origSize;             /* Pages in the database file */
+  Pgno finSize;              /* Pages in the database file after truncation */
+  int rc;                    /* Return code */
+  u8 eType;
+  int pgsz = pBt->pageSize;  /* Page size for this database */
+  Pgno iDbPage;              /* The database page to move */
+  MemPage *pDbMemPage = 0;   /* "" */
+  Pgno iPtrPage;             /* The page that contains a pointer to iDbPage */
+  Pgno iFreePage;            /* The free-list page to move iDbPage to */
+  MemPage *pFreeMemPage = 0; /* "" */
+
+#ifndef NDEBUG
+  int nRef = sqlite3PagerRefcount(pPager);
+#endif
+
+  assert( pBt->autoVacuum );
+  if( PTRMAP_ISPAGE(pBt, sqlite3PagerPagecount(pPager)) ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+
+  /* Figure out how many free-pages are in the database. If there are no
+  ** free pages, then auto-vacuum is a no-op.
+  */
+  nFreeList = get4byte(&pBt->pPage1->aData[36]);
+  if( nFreeList==0 ){
+    *pnTrunc = 0;
+    return SQLITE_OK;
+  }
+
+  /* This block figures out how many pages there are in the database
+  ** now (variable origSize), and how many there will be after the
+  ** truncation (variable finSize).
+  **
+  ** The final size is the original size, less the number of free pages
+  ** in the database, less any pointer-map pages that will no longer
+  ** be required, less 1 if the pending-byte page was part of the database
+  ** but is not after the truncation.
+  **/
+  origSize = sqlite3PagerPagecount(pPager);
+  if( origSize==PENDING_BYTE_PAGE(pBt) ){
+    origSize--;
+  }
+  nPtrMap = (nFreeList-origSize+PTRMAP_PAGENO(pBt, origSize)+pgsz/5)/(pgsz/5);
+  finSize = origSize - nFreeList - nPtrMap;
+  if( origSize>PENDING_BYTE_PAGE(pBt) && finSize<=PENDING_BYTE_PAGE(pBt) ){
+    finSize--;
+  }
+  while( PTRMAP_ISPAGE(pBt, finSize) || finSize==PENDING_BYTE_PAGE(pBt) ){
+    finSize--;
+  }
+  TRACE(("AUTOVACUUM: Begin (db size %d->%d)\n", origSize, finSize));
+
+  /* Variable 'finSize' will be the size of the file in pages after
+  ** the auto-vacuum has completed (the current file size minus the number
+  ** of pages on the free list). Loop through the pages that lie beyond
+  ** this mark, and if they are not already on the free list, move them
+  ** to a free page earlier in the file (somewhere before finSize).
+  */
+  for( iDbPage=finSize+1; iDbPage<=origSize; iDbPage++ ){
+    /* If iDbPage is a pointer map page, or the pending-byte page, skip it. */
+    if( PTRMAP_ISPAGE(pBt, iDbPage) || iDbPage==PENDING_BYTE_PAGE(pBt) ){
+      continue;
+    }
+
+    rc = ptrmapGet(pBt, iDbPage, &eType, &iPtrPage);
+    if( rc!=SQLITE_OK ) goto autovacuum_out;
+    if( eType==PTRMAP_ROOTPAGE ){
+      rc = SQLITE_CORRUPT_BKPT;
+      goto autovacuum_out;
+    }
+
+    /* If iDbPage is free, do not swap it.  */
+    if( eType==PTRMAP_FREEPAGE ){
+      continue;
+    }
+    rc = getPage(pBt, iDbPage, &pDbMemPage, 0);
+    if( rc!=SQLITE_OK ) goto autovacuum_out;
+
+    /* Find the next page in the free-list that is not already at the end 
+    ** of the file. A page can be pulled off the free list using the 
+    ** allocateBtreePage() routine.
+    */
+    do{
+      if( pFreeMemPage ){
+        releasePage(pFreeMemPage);
+        pFreeMemPage = 0;
+      }
+      rc = allocateBtreePage(pBt, &pFreeMemPage, &iFreePage, 0, 0);
+      if( rc!=SQLITE_OK ){
+        releasePage(pDbMemPage);
+        goto autovacuum_out;
+      }
+      assert( iFreePage<=origSize );
+    }while( iFreePage>finSize );
+    releasePage(pFreeMemPage);
+    pFreeMemPage = 0;
+
+    /* Relocate the page into the body of the file. Note that although the 
+    ** page has moved within the database file, the pDbMemPage pointer 
+    ** remains valid. This means that this function can run without
+    ** invalidating cursors open on the btree. This is important in 
+    ** shared-cache mode.
+    */
+    rc = relocatePage(pBt, pDbMemPage, eType, iPtrPage, iFreePage);
+    releasePage(pDbMemPage);
+    if( rc!=SQLITE_OK ) goto autovacuum_out;
+  }
+
+  /* The entire free-list has been swapped to the end of the file. So
+  ** truncate the database file to finSize pages and consider the
+  ** free-list empty.
+  */
+  rc = sqlite3PagerWrite(pBt->pPage1->pDbPage);
+  if( rc!=SQLITE_OK ) goto autovacuum_out;
+  put4byte(&pBt->pPage1->aData[32], 0);
+  put4byte(&pBt->pPage1->aData[36], 0);
+  *pnTrunc = finSize;
+  assert( finSize!=PENDING_BYTE_PAGE(pBt) );
+
+autovacuum_out:
+  assert( nRef==sqlite3PagerRefcount(pPager) );
+  if( rc!=SQLITE_OK ){
+    sqlite3PagerRollback(pPager);
+  }
+  return rc;
+}
+#endif
+
+/*
+** This routine does the first phase of a two-phase commit.  This routine
+** causes a rollback journal to be created (if it does not already exist)
+** and populated with enough information so that if a power loss occurs
+** the database can be restored to its original state by playing back
+** the journal.  Then the contents of the journal are flushed out to
+** the disk.  After the journal is safely on oxide, the changes to the
+** database are written into the database file and flushed to oxide.
+** At the end of this call, the rollback journal still exists on the
+** disk and we are still holding all locks, so the transaction has not
+** committed.  See sqlite3BtreeCommit() for the second phase of the
+** commit process.
+**
+** This call is a no-op if no write-transaction is currently active on pBt.
+**
+** Otherwise, sync the database file for the btree pBt. zMaster points to
+** the name of a master journal file that should be written into the
+** individual journal file, or is NULL, indicating no master journal file 
+** (single database transaction).
+**
+** When this is called, the master journal should already have been
+** created, populated with this journal pointer and synced to disk.
+**
+** Once this is routine has returned, the only thing required to commit
+** the write-transaction for this database file is to delete the journal.
+*/
+int sqlite3BtreeCommitPhaseOne(Btree *p, const char *zMaster){
+  int rc = SQLITE_OK;
+  if( p->inTrans==TRANS_WRITE ){
+    BtShared *pBt = p->pBt;
+    Pgno nTrunc = 0;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pBt->autoVacuum ){
+      rc = autoVacuumCommit(pBt, &nTrunc); 
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+    }
+#endif
+    rc = sqlite3PagerCommitPhaseOne(pBt->pPager, zMaster, nTrunc);
+  }
+  return rc;
+}
+
+/*
+** Commit the transaction currently in progress.
+**
+** This routine implements the second phase of a 2-phase commit.  The
+** sqlite3BtreeSync() routine does the first phase and should be invoked
+** prior to calling this routine.  The sqlite3BtreeSync() routine did
+** all the work of writing information out to disk and flushing the
+** contents so that they are written onto the disk platter.  All this
+** routine has to do is delete or truncate the rollback journal
+** (which causes the transaction to commit) and drop locks.
+**
+** This will release the write lock on the database file.  If there
+** are no active cursors, it also releases the read lock.
+*/
+int sqlite3BtreeCommitPhaseTwo(Btree *p){
+  BtShared *pBt = p->pBt;
+
+  btreeIntegrity(p);
+
+  /* If the handle has a write-transaction open, commit the shared-btrees 
+  ** transaction and set the shared state to TRANS_READ.
+  */
+  if( p->inTrans==TRANS_WRITE ){
+    int rc;
+    assert( pBt->inTransaction==TRANS_WRITE );
+    assert( pBt->nTransaction>0 );
+    rc = sqlite3PagerCommitPhaseTwo(pBt->pPager);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+    pBt->inTransaction = TRANS_READ;
+    pBt->inStmt = 0;
+  }
+  unlockAllTables(p);
+
+  /* If the handle has any kind of transaction open, decrement the transaction
+  ** count of the shared btree. If the transaction count reaches 0, set
+  ** the shared state to TRANS_NONE. The unlockBtreeIfUnused() call below
+  ** will unlock the pager.
+  */
+  if( p->inTrans!=TRANS_NONE ){
+    pBt->nTransaction--;
+    if( 0==pBt->nTransaction ){
+      pBt->inTransaction = TRANS_NONE;
+    }
+  }
+
+  /* Set the handles current transaction state to TRANS_NONE and unlock
+  ** the pager if this call closed the only read or write transaction.
+  */
+  p->inTrans = TRANS_NONE;
+  unlockBtreeIfUnused(pBt);
+
+  btreeIntegrity(p);
+  return SQLITE_OK;
+}
+
+/*
+** Do both phases of a commit.
+*/
+int sqlite3BtreeCommit(Btree *p){
+  int rc;
+  rc = sqlite3BtreeCommitPhaseOne(p, 0);
+  if( rc==SQLITE_OK ){
+    rc = sqlite3BtreeCommitPhaseTwo(p);
+  }
+  return rc;
+}
+
+#ifndef NDEBUG
+/*
+** Return the number of write-cursors open on this handle. This is for use
+** in assert() expressions, so it is only compiled if NDEBUG is not
+** defined.
+*/
+static int countWriteCursors(BtShared *pBt){
+  BtCursor *pCur;
+  int r = 0;
+  for(pCur=pBt->pCursor; pCur; pCur=pCur->pNext){
+    if( pCur->wrFlag ) r++; 
+  }
+  return r;
+}
+#endif
+
+#if defined(SQLITE_TEST) || defined(SQLITE_DEBUG)
+/*
+** Print debugging information about all cursors to standard output.
+*/
+void sqlite3BtreeCursorList(Btree *p){
+  BtCursor *pCur;
+  BtShared *pBt = p->pBt;
+  for(pCur=pBt->pCursor; pCur; pCur=pCur->pNext){
+    MemPage *pPage = pCur->pPage;
+    char *zMode = pCur->wrFlag ? "rw" : "ro";
+    sqlite3DebugPrintf("CURSOR %p rooted at %4d(%s) currently at %d.%d%s\n",
+       pCur, pCur->pgnoRoot, zMode,
+       pPage ? pPage->pgno : 0, pCur->idx,
+       (pCur->eState==CURSOR_VALID) ? "" : " eof"
+    );
+  }
+}
+#endif
+
+/*
+** Rollback the transaction in progress.  All cursors will be
+** invalided by this operation.  Any attempt to use a cursor
+** that was open at the beginning of this operation will result
+** in an error.
+**
+** This will release the write lock on the database file.  If there
+** are no active cursors, it also releases the read lock.
+*/
+int sqlite3BtreeRollback(Btree *p){
+  int rc;
+  BtShared *pBt = p->pBt;
+  MemPage *pPage1;
+
+  rc = saveAllCursors(pBt, 0, 0);
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  if( rc!=SQLITE_OK ){
+    /* This is a horrible situation. An IO or malloc() error occured whilst
+    ** trying to save cursor positions. If this is an automatic rollback (as
+    ** the result of a constraint, malloc() failure or IO error) then 
+    ** the cache may be internally inconsistent (not contain valid trees) so
+    ** we cannot simply return the error to the caller. Instead, abort 
+    ** all queries that may be using any of the cursors that failed to save.
+    */
+    while( pBt->pCursor ){
+      sqlite3 *db = pBt->pCursor->pBtree->pSqlite;
+      if( db ){
+        sqlite3AbortOtherActiveVdbes(db, 0);
+      }
+    }
+  }
+#endif
+  btreeIntegrity(p);
+  unlockAllTables(p);
+
+  if( p->inTrans==TRANS_WRITE ){
+    int rc2;
+
+    assert( TRANS_WRITE==pBt->inTransaction );
+    rc2 = sqlite3PagerRollback(pBt->pPager);
+    if( rc2!=SQLITE_OK ){
+      rc = rc2;
+    }
+
+    /* The rollback may have destroyed the pPage1->aData value.  So
+    ** call getPage() on page 1 again to make sure pPage1->aData is
+    ** set correctly. */
+    if( getPage(pBt, 1, &pPage1, 0)==SQLITE_OK ){
+      releasePage(pPage1);
+    }
+    assert( countWriteCursors(pBt)==0 );
+    pBt->inTransaction = TRANS_READ;
+  }
+
+  if( p->inTrans!=TRANS_NONE ){
+    assert( pBt->nTransaction>0 );
+    pBt->nTransaction--;
+    if( 0==pBt->nTransaction ){
+      pBt->inTransaction = TRANS_NONE;
+    }
+  }
+
+  p->inTrans = TRANS_NONE;
+  pBt->inStmt = 0;
+  unlockBtreeIfUnused(pBt);
+
+  btreeIntegrity(p);
+  return rc;
+}
+
+/*
+** Start a statement subtransaction.  The subtransaction can
+** can be rolled back independently of the main transaction.
+** You must start a transaction before starting a subtransaction.
+** The subtransaction is ended automatically if the main transaction
+** commits or rolls back.
+**
+** Only one subtransaction may be active at a time.  It is an error to try
+** to start a new subtransaction if another subtransaction is already active.
+**
+** Statement subtransactions are used around individual SQL statements
+** that are contained within a BEGIN...COMMIT block.  If a constraint
+** error occurs within the statement, the effect of that one statement
+** can be rolled back without having to rollback the entire transaction.
+*/
+int sqlite3BtreeBeginStmt(Btree *p){
+  int rc;
+  BtShared *pBt = p->pBt;
+  if( (p->inTrans!=TRANS_WRITE) || pBt->inStmt ){
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  assert( pBt->inTransaction==TRANS_WRITE );
+  rc = pBt->readOnly ? SQLITE_OK : sqlite3PagerStmtBegin(pBt->pPager);
+  pBt->inStmt = 1;
+  return rc;
+}
+
+
+/*
+** Commit the statment subtransaction currently in progress.  If no
+** subtransaction is active, this is a no-op.
+*/
+int sqlite3BtreeCommitStmt(Btree *p){
+  int rc;
+  BtShared *pBt = p->pBt;
+  if( pBt->inStmt && !pBt->readOnly ){
+    rc = sqlite3PagerStmtCommit(pBt->pPager);
+  }else{
+    rc = SQLITE_OK;
+  }
+  pBt->inStmt = 0;
+  return rc;
+}
+
+/*
+** Rollback the active statement subtransaction.  If no subtransaction
+** is active this routine is a no-op.
+**
+** All cursors will be invalidated by this operation.  Any attempt
+** to use a cursor that was open at the beginning of this operation
+** will result in an error.
+*/
+int sqlite3BtreeRollbackStmt(Btree *p){
+  int rc = SQLITE_OK;
+  BtShared *pBt = p->pBt;
+  sqlite3MallocDisallow();
+  if( pBt->inStmt && !pBt->readOnly ){
+    rc = sqlite3PagerStmtRollback(pBt->pPager);
+    assert( countWriteCursors(pBt)==0 );
+    pBt->inStmt = 0;
+  }
+  sqlite3MallocAllow();
+  return rc;
+}
+
+/*
+** Default key comparison function to be used if no comparison function
+** is specified on the sqlite3BtreeCursor() call.
+*/
+static int dfltCompare(
+  void *NotUsed,             /* User data is not used */
+  int n1, const void *p1,    /* First key to compare */
+  int n2, const void *p2     /* Second key to compare */
+){
+  int c;
+  c = memcmp(p1, p2, n1<n2 ? n1 : n2);
+  if( c==0 ){
+    c = n1 - n2;
+  }
+  return c;
+}
+
+/*
+** Create a new cursor for the BTree whose root is on the page
+** iTable.  The act of acquiring a cursor gets a read lock on 
+** the database file.
+**
+** If wrFlag==0, then the cursor can only be used for reading.
+** If wrFlag==1, then the cursor can be used for reading or for
+** writing if other conditions for writing are also met.  These
+** are the conditions that must be met in order for writing to
+** be allowed:
+**
+** 1:  The cursor must have been opened with wrFlag==1
+**
+** 2:  Other database connections that share the same pager cache
+**     but which are not in the READ_UNCOMMITTED state may not have
+**     cursors open with wrFlag==0 on the same table.  Otherwise
+**     the changes made by this write cursor would be visible to
+**     the read cursors in the other database connection.
+**
+** 3:  The database must be writable (not on read-only media)
+**
+** 4:  There must be an active transaction.
+**
+** No checking is done to make sure that page iTable really is the
+** root page of a b-tree.  If it is not, then the cursor acquired
+** will not work correctly.
+**
+** The comparison function must be logically the same for every cursor
+** on a particular table.  Changing the comparison function will result
+** in incorrect operations.  If the comparison function is NULL, a
+** default comparison function is used.  The comparison function is
+** always ignored for INTKEY tables.
+*/
+int sqlite3BtreeCursor(
+  Btree *p,                                   /* The btree */
+  int iTable,                                 /* Root page of table to open */
+  int wrFlag,                                 /* 1 to write. 0 read-only */
+  int (*xCmp)(void*,int,const void*,int,const void*), /* Key Comparison func */
+  void *pArg,                                 /* First arg to xCompare() */
+  BtCursor **ppCur                            /* Write new cursor here */
+){
+  int rc;
+  BtCursor *pCur;
+  BtShared *pBt = p->pBt;
+
+  *ppCur = 0;
+  if( wrFlag ){
+    if( pBt->readOnly ){
+      return SQLITE_READONLY;
+    }
+    if( checkReadLocks(p, iTable, 0) ){
+      return SQLITE_LOCKED;
+    }
+  }
+
+  if( pBt->pPage1==0 ){
+    rc = lockBtreeWithRetry(p);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+    if( pBt->readOnly && wrFlag ){
+      return SQLITE_READONLY;
+    }
+  }
+  pCur = sqliteMalloc( sizeof(*pCur) );
+  if( pCur==0 ){
+    rc = SQLITE_NOMEM;
+    goto create_cursor_exception;
+  }
+  pCur->pgnoRoot = (Pgno)iTable;
+  if( iTable==1 && sqlite3PagerPagecount(pBt->pPager)==0 ){
+    rc = SQLITE_EMPTY;
+    goto create_cursor_exception;
+  }
+  rc = getAndInitPage(pBt, pCur->pgnoRoot, &pCur->pPage, 0);
+  if( rc!=SQLITE_OK ){
+    goto create_cursor_exception;
+  }
+
+  /* Now that no other errors can occur, finish filling in the BtCursor
+  ** variables, link the cursor into the BtShared list and set *ppCur (the
+  ** output argument to this function).
+  */
+  pCur->xCompare = xCmp ? xCmp : dfltCompare;
+  pCur->pArg = pArg;
+  pCur->pBtree = p;
+  pCur->wrFlag = wrFlag;
+  pCur->pNext = pBt->pCursor;
+  if( pCur->pNext ){
+    pCur->pNext->pPrev = pCur;
+  }
+  pBt->pCursor = pCur;
+  pCur->eState = CURSOR_INVALID;
+  *ppCur = pCur;
+
+  return SQLITE_OK;
+create_cursor_exception:
+  if( pCur ){
+    releasePage(pCur->pPage);
+    sqliteFree(pCur);
+  }
+  unlockBtreeIfUnused(pBt);
+  return rc;
+}
+
+#if 0  /* Not Used */
+/*
+** Change the value of the comparison function used by a cursor.
+*/
+void sqlite3BtreeSetCompare(
+  BtCursor *pCur,     /* The cursor to whose comparison function is changed */
+  int(*xCmp)(void*,int,const void*,int,const void*), /* New comparison func */
+  void *pArg          /* First argument to xCmp() */
+){
+  pCur->xCompare = xCmp ? xCmp : dfltCompare;
+  pCur->pArg = pArg;
+}
+#endif
+
+/*
+** Close a cursor.  The read lock on the database file is released
+** when the last cursor is closed.
+*/
+int sqlite3BtreeCloseCursor(BtCursor *pCur){
+  BtShared *pBt = pCur->pBtree->pBt;
+  clearCursorPosition(pCur);
+  if( pCur->pPrev ){
+    pCur->pPrev->pNext = pCur->pNext;
+  }else{
+    pBt->pCursor = pCur->pNext;
+  }
+  if( pCur->pNext ){
+    pCur->pNext->pPrev = pCur->pPrev;
+  }
+  releasePage(pCur->pPage);
+  unlockBtreeIfUnused(pBt);
+  sqliteFree(pCur);
+  return SQLITE_OK;
+}
+
+/*
+** Make a temporary cursor by filling in the fields of pTempCur.
+** The temporary cursor is not on the cursor list for the Btree.
+*/
+static void getTempCursor(BtCursor *pCur, BtCursor *pTempCur){
+  memcpy(pTempCur, pCur, sizeof(*pCur));
+  pTempCur->pNext = 0;
+  pTempCur->pPrev = 0;
+  if( pTempCur->pPage ){
+    sqlite3PagerRef(pTempCur->pPage->pDbPage);
+  }
+}
+
+/*
+** Delete a temporary cursor such as was made by the CreateTemporaryCursor()
+** function above.
+*/
+static void releaseTempCursor(BtCursor *pCur){
+  if( pCur->pPage ){
+    sqlite3PagerUnref(pCur->pPage->pDbPage);
+  }
+}
+
+/*
+** Make sure the BtCursor.info field of the given cursor is valid.
+** If it is not already valid, call parseCell() to fill it in.
+**
+** BtCursor.info is a cache of the information in the current cell.
+** Using this cache reduces the number of calls to parseCell().
+*/
+static void getCellInfo(BtCursor *pCur){
+  if( pCur->info.nSize==0 ){
+    parseCell(pCur->pPage, pCur->idx, &pCur->info);
+  }else{
+#ifndef NDEBUG
+    CellInfo info;
+    memset(&info, 0, sizeof(info));
+    parseCell(pCur->pPage, pCur->idx, &info);
+    assert( memcmp(&info, &pCur->info, sizeof(info))==0 );
+#endif
+  }
+}
+
+/*
+** Set *pSize to the size of the buffer needed to hold the value of
+** the key for the current entry.  If the cursor is not pointing
+** to a valid entry, *pSize is set to 0. 
+**
+** For a table with the INTKEY flag set, this routine returns the key
+** itself, not the number of bytes in the key.
+*/
+int sqlite3BtreeKeySize(BtCursor *pCur, i64 *pSize){
+  int rc = restoreOrClearCursorPosition(pCur);
+  if( rc==SQLITE_OK ){
+    assert( pCur->eState==CURSOR_INVALID || pCur->eState==CURSOR_VALID );
+    if( pCur->eState==CURSOR_INVALID ){
+      *pSize = 0;
+    }else{
+      getCellInfo(pCur);
+      *pSize = pCur->info.nKey;
+    }
+  }
+  return rc;
+}
+
+/*
+** Set *pSize to the number of bytes of data in the entry the
+** cursor currently points to.  Always return SQLITE_OK.
+** Failure is not possible.  If the cursor is not currently
+** pointing to an entry (which can happen, for example, if
+** the database is empty) then *pSize is set to 0.
+*/
+int sqlite3BtreeDataSize(BtCursor *pCur, u32 *pSize){
+  int rc = restoreOrClearCursorPosition(pCur);
+  if( rc==SQLITE_OK ){
+    assert( pCur->eState==CURSOR_INVALID || pCur->eState==CURSOR_VALID );
+    if( pCur->eState==CURSOR_INVALID ){
+      /* Not pointing at a valid entry - set *pSize to 0. */
+      *pSize = 0;
+    }else{
+      getCellInfo(pCur);
+      *pSize = pCur->info.nData;
+    }
+  }
+  return rc;
+}
+
+/*
+** Read payload information from the entry that the pCur cursor is
+** pointing to.  Begin reading the payload at "offset" and read
+** a total of "amt" bytes.  Put the result in zBuf.
+**
+** This routine does not make a distinction between key and data.
+** It just reads bytes from the payload area.  Data might appear
+** on the main page or be scattered out on multiple overflow pages.
+*/
+static int getPayload(
+  BtCursor *pCur,      /* Cursor pointing to entry to read from */
+  int offset,          /* Begin reading this far into payload */
+  int amt,             /* Read this many bytes */
+  unsigned char *pBuf, /* Write the bytes into this buffer */ 
+  int skipKey          /* offset begins at data if this is true */
+){
+  unsigned char *aPayload;
+  Pgno nextPage;
+  int rc;
+  MemPage *pPage;
+  BtShared *pBt;
+  int ovflSize;
+  u32 nKey;
+
+  assert( pCur!=0 && pCur->pPage!=0 );
+  assert( pCur->eState==CURSOR_VALID );
+  pBt = pCur->pBtree->pBt;
+  pPage = pCur->pPage;
+  assert( pCur->idx>=0 && pCur->idx<pPage->nCell );
+  getCellInfo(pCur);
+  aPayload = pCur->info.pCell + pCur->info.nHeader;
+  if( pPage->intKey ){
+    nKey = 0;
+  }else{
+    nKey = pCur->info.nKey;
+  }
+  assert( offset>=0 );
+  if( skipKey ){
+    offset += nKey;
+  }
+  if( offset+amt > nKey+pCur->info.nData ){
+    return SQLITE_ERROR;
+  }
+  if( offset<pCur->info.nLocal ){
+    int a = amt;
+    if( a+offset>pCur->info.nLocal ){
+      a = pCur->info.nLocal - offset;
+    }
+    memcpy(pBuf, &aPayload[offset], a);
+    if( a==amt ){
+      return SQLITE_OK;
+    }
+    offset = 0;
+    pBuf += a;
+    amt -= a;
+  }else{
+    offset -= pCur->info.nLocal;
+  }
+  ovflSize = pBt->usableSize - 4;
+  if( amt>0 ){
+    nextPage = get4byte(&aPayload[pCur->info.nLocal]);
+    while( amt>0 && nextPage ){
+      DbPage *pDbPage;
+      rc = sqlite3PagerGet(pBt->pPager, nextPage, &pDbPage);
+      if( rc!=0 ){
+        return rc;
+      }
+      aPayload = sqlite3PagerGetData(pDbPage);
+      nextPage = get4byte(aPayload);
+      if( offset<ovflSize ){
+        int a = amt;
+        if( a + offset > ovflSize ){
+          a = ovflSize - offset;
+        }
+        memcpy(pBuf, &aPayload[offset+4], a);
+        offset = 0;
+        amt -= a;
+        pBuf += a;
+      }else{
+        offset -= ovflSize;
+      }
+      sqlite3PagerUnref(pDbPage);
+    }
+  }
+
+  if( amt>0 ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Read part of the key associated with cursor pCur.  Exactly
+** "amt" bytes will be transfered into pBuf[].  The transfer
+** begins at "offset".
+**
+** Return SQLITE_OK on success or an error code if anything goes
+** wrong.  An error is returned if "offset+amt" is larger than
+** the available payload.
+*/
+int sqlite3BtreeKey(BtCursor *pCur, u32 offset, u32 amt, void *pBuf){
+  int rc = restoreOrClearCursorPosition(pCur);
+  if( rc==SQLITE_OK ){
+    assert( pCur->eState==CURSOR_VALID );
+    assert( pCur->pPage!=0 );
+    if( pCur->pPage->intKey ){
+      return SQLITE_CORRUPT_BKPT;
+    }
+    assert( pCur->pPage->intKey==0 );
+    assert( pCur->idx>=0 && pCur->idx<pCur->pPage->nCell );
+    rc = getPayload(pCur, offset, amt, (unsigned char*)pBuf, 0);
+  }
+  return rc;
+}
+
+/*
+** Read part of the data associated with cursor pCur.  Exactly
+** "amt" bytes will be transfered into pBuf[].  The transfer
+** begins at "offset".
+**
+** Return SQLITE_OK on success or an error code if anything goes
+** wrong.  An error is returned if "offset+amt" is larger than
+** the available payload.
+*/
+int sqlite3BtreeData(BtCursor *pCur, u32 offset, u32 amt, void *pBuf){
+  int rc = restoreOrClearCursorPosition(pCur);
+  if( rc==SQLITE_OK ){
+    assert( pCur->eState==CURSOR_VALID );
+    assert( pCur->pPage!=0 );
+    assert( pCur->idx>=0 && pCur->idx<pCur->pPage->nCell );
+    rc = getPayload(pCur, offset, amt, pBuf, 1);
+  }
+  return rc;
+}
+
+/*
+** Return a pointer to payload information from the entry that the 
+** pCur cursor is pointing to.  The pointer is to the beginning of
+** the key if skipKey==0 and it points to the beginning of data if
+** skipKey==1.  The number of bytes of available key/data is written
+** into *pAmt.  If *pAmt==0, then the value returned will not be
+** a valid pointer.
+**
+** This routine is an optimization.  It is common for the entire key
+** and data to fit on the local page and for there to be no overflow
+** pages.  When that is so, this routine can be used to access the
+** key and data without making a copy.  If the key and/or data spills
+** onto overflow pages, then getPayload() must be used to reassembly
+** the key/data and copy it into a preallocated buffer.
+**
+** The pointer returned by this routine looks directly into the cached
+** page of the database.  The data might change or move the next time
+** any btree routine is called.
+*/
+static const unsigned char *fetchPayload(
+  BtCursor *pCur,      /* Cursor pointing to entry to read from */
+  int *pAmt,           /* Write the number of available bytes here */
+  int skipKey          /* read beginning at data if this is true */
+){
+  unsigned char *aPayload;
+  MemPage *pPage;
+  u32 nKey;
+  int nLocal;
+
+  assert( pCur!=0 && pCur->pPage!=0 );
+  assert( pCur->eState==CURSOR_VALID );
+  pPage = pCur->pPage;
+  assert( pCur->idx>=0 && pCur->idx<pPage->nCell );
+  getCellInfo(pCur);
+  aPayload = pCur->info.pCell;
+  aPayload += pCur->info.nHeader;
+  if( pPage->intKey ){
+    nKey = 0;
+  }else{
+    nKey = pCur->info.nKey;
+  }
+  if( skipKey ){
+    aPayload += nKey;
+    nLocal = pCur->info.nLocal - nKey;
+  }else{
+    nLocal = pCur->info.nLocal;
+    if( nLocal>nKey ){
+      nLocal = nKey;
+    }
+  }
+  *pAmt = nLocal;
+  return aPayload;
+}
+
+
+/*
+** For the entry that cursor pCur is point to, return as
+** many bytes of the key or data as are available on the local
+** b-tree page.  Write the number of available bytes into *pAmt.
+**
+** The pointer returned is ephemeral.  The key/data may move
+** or be destroyed on the next call to any Btree routine.
+**
+** These routines is used to get quick access to key and data
+** in the common case where no overflow pages are used.
+*/
+const void *sqlite3BtreeKeyFetch(BtCursor *pCur, int *pAmt){
+  if( pCur->eState==CURSOR_VALID ){
+    return (const void*)fetchPayload(pCur, pAmt, 0);
+  }
+  return 0;
+}
+const void *sqlite3BtreeDataFetch(BtCursor *pCur, int *pAmt){
+  if( pCur->eState==CURSOR_VALID ){
+    return (const void*)fetchPayload(pCur, pAmt, 1);
+  }
+  return 0;
+}
+
+
+/*
+** Move the cursor down to a new child page.  The newPgno argument is the
+** page number of the child page to move to.
+*/
+static int moveToChild(BtCursor *pCur, u32 newPgno){
+  int rc;
+  MemPage *pNewPage;
+  MemPage *pOldPage;
+  BtShared *pBt = pCur->pBtree->pBt;
+
+  assert( pCur->eState==CURSOR_VALID );
+  rc = getAndInitPage(pBt, newPgno, &pNewPage, pCur->pPage);
+  if( rc ) return rc;
+  pNewPage->idxParent = pCur->idx;
+  pOldPage = pCur->pPage;
+  pOldPage->idxShift = 0;
+  releasePage(pOldPage);
+  pCur->pPage = pNewPage;
+  pCur->idx = 0;
+  pCur->info.nSize = 0;
+  if( pNewPage->nCell<1 ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Return true if the page is the virtual root of its table.
+**
+** The virtual root page is the root page for most tables.  But
+** for the table rooted on page 1, sometime the real root page
+** is empty except for the right-pointer.  In such cases the
+** virtual root page is the page that the right-pointer of page
+** 1 is pointing to.
+*/
+static int isRootPage(MemPage *pPage){
+  MemPage *pParent = pPage->pParent;
+  if( pParent==0 ) return 1;
+  if( pParent->pgno>1 ) return 0;
+  if( get2byte(&pParent->aData[pParent->hdrOffset+3])==0 ) return 1;
+  return 0;
+}
+
+/*
+** Move the cursor up to the parent page.
+**
+** pCur->idx is set to the cell index that contains the pointer
+** to the page we are coming from.  If we are coming from the
+** right-most child page then pCur->idx is set to one more than
+** the largest cell index.
+*/
+static void moveToParent(BtCursor *pCur){
+  MemPage *pParent;
+  MemPage *pPage;
+  int idxParent;
+
+  assert( pCur->eState==CURSOR_VALID );
+  pPage = pCur->pPage;
+  assert( pPage!=0 );
+  assert( !isRootPage(pPage) );
+  pParent = pPage->pParent;
+  assert( pParent!=0 );
+  idxParent = pPage->idxParent;
+  sqlite3PagerRef(pParent->pDbPage);
+  releasePage(pPage);
+  pCur->pPage = pParent;
+  pCur->info.nSize = 0;
+  assert( pParent->idxShift==0 );
+  pCur->idx = idxParent;
+}
+
+/*
+** Move the cursor to the root page
+*/
+static int moveToRoot(BtCursor *pCur){
+  MemPage *pRoot;
+  int rc = SQLITE_OK;
+  BtShared *pBt = pCur->pBtree->pBt;
+
+  if( pCur->eState==CURSOR_REQUIRESEEK ){
+    clearCursorPosition(pCur);
+  }
+  pRoot = pCur->pPage;
+  if( pRoot && pRoot->pgno==pCur->pgnoRoot ){
+    assert( pRoot->isInit );
+  }else{
+    if( 
+      SQLITE_OK!=(rc = getAndInitPage(pBt, pCur->pgnoRoot, &pRoot, 0))
+    ){
+      pCur->eState = CURSOR_INVALID;
+      return rc;
+    }
+    releasePage(pCur->pPage);
+    pCur->pPage = pRoot;
+  }
+  pCur->idx = 0;
+  pCur->info.nSize = 0;
+  if( pRoot->nCell==0 && !pRoot->leaf ){
+    Pgno subpage;
+    assert( pRoot->pgno==1 );
+    subpage = get4byte(&pRoot->aData[pRoot->hdrOffset+8]);
+    assert( subpage>0 );
+    pCur->eState = CURSOR_VALID;
+    rc = moveToChild(pCur, subpage);
+  }
+  pCur->eState = ((pCur->pPage->nCell>0)?CURSOR_VALID:CURSOR_INVALID);
+  return rc;
+}
+
+/*
+** Move the cursor down to the left-most leaf entry beneath the
+** entry to which it is currently pointing.
+**
+** The left-most leaf is the one with the smallest key - the first
+** in ascending order.
+*/
+static int moveToLeftmost(BtCursor *pCur){
+  Pgno pgno;
+  int rc;
+  MemPage *pPage;
+
+  assert( pCur->eState==CURSOR_VALID );
+  while( !(pPage = pCur->pPage)->leaf ){
+    assert( pCur->idx>=0 && pCur->idx<pPage->nCell );
+    pgno = get4byte(findCell(pPage, pCur->idx));
+    rc = moveToChild(pCur, pgno);
+    if( rc ) return rc;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Move the cursor down to the right-most leaf entry beneath the
+** page to which it is currently pointing.  Notice the difference
+** between moveToLeftmost() and moveToRightmost().  moveToLeftmost()
+** finds the left-most entry beneath the *entry* whereas moveToRightmost()
+** finds the right-most entry beneath the *page*.
+**
+** The right-most entry is the one with the largest key - the last
+** key in ascending order.
+*/
+static int moveToRightmost(BtCursor *pCur){
+  Pgno pgno;
+  int rc;
+  MemPage *pPage;
+
+  assert( pCur->eState==CURSOR_VALID );
+  while( !(pPage = pCur->pPage)->leaf ){
+    pgno = get4byte(&pPage->aData[pPage->hdrOffset+8]);
+    pCur->idx = pPage->nCell;
+    rc = moveToChild(pCur, pgno);
+    if( rc ) return rc;
+  }
+  pCur->idx = pPage->nCell - 1;
+  pCur->info.nSize = 0;
+  return SQLITE_OK;
+}
+
+/* Move the cursor to the first entry in the table.  Return SQLITE_OK
+** on success.  Set *pRes to 0 if the cursor actually points to something
+** or set *pRes to 1 if the table is empty.
+*/
+int sqlite3BtreeFirst(BtCursor *pCur, int *pRes){
+  int rc;
+  rc = moveToRoot(pCur);
+  if( rc ) return rc;
+  if( pCur->eState==CURSOR_INVALID ){
+    assert( pCur->pPage->nCell==0 );
+    *pRes = 1;
+    return SQLITE_OK;
+  }
+  assert( pCur->pPage->nCell>0 );
+  *pRes = 0;
+  rc = moveToLeftmost(pCur);
+  return rc;
+}
+
+/* Move the cursor to the last entry in the table.  Return SQLITE_OK
+** on success.  Set *pRes to 0 if the cursor actually points to something
+** or set *pRes to 1 if the table is empty.
+*/
+int sqlite3BtreeLast(BtCursor *pCur, int *pRes){
+  int rc;
+  rc = moveToRoot(pCur);
+  if( rc ) return rc;
+  if( CURSOR_INVALID==pCur->eState ){
+    assert( pCur->pPage->nCell==0 );
+    *pRes = 1;
+    return SQLITE_OK;
+  }
+  assert( pCur->eState==CURSOR_VALID );
+  *pRes = 0;
+  rc = moveToRightmost(pCur);
+  return rc;
+}
+
+/* Move the cursor so that it points to an entry near pKey/nKey.
+** Return a success code.
+**
+** For INTKEY tables, only the nKey parameter is used.  pKey is
+** ignored.  For other tables, nKey is the number of bytes of data
+** in pKey.  The comparison function specified when the cursor was
+** created is used to compare keys.
+**
+** If an exact match is not found, then the cursor is always
+** left pointing at a leaf page which would hold the entry if it
+** were present.  The cursor might point to an entry that comes
+** before or after the key.
+**
+** The result of comparing the key with the entry to which the
+** cursor is written to *pRes if pRes!=NULL.  The meaning of
+** this value is as follows:
+**
+**     *pRes<0      The cursor is left pointing at an entry that
+**                  is smaller than pKey or if the table is empty
+**                  and the cursor is therefore left point to nothing.
+**
+**     *pRes==0     The cursor is left pointing at an entry that
+**                  exactly matches pKey.
+**
+**     *pRes>0      The cursor is left pointing at an entry that
+**                  is larger than pKey.
+*/
+int sqlite3BtreeMoveto(
+  BtCursor *pCur,        /* The cursor to be moved */
+  const void *pKey,      /* The key content for indices.  Not used by tables */
+  i64 nKey,              /* Size of pKey.  Or the key for tables */
+  int biasRight,         /* If true, bias the search to the high end */
+  int *pRes              /* Search result flag */
+){
+  int rc;
+  rc = moveToRoot(pCur);
+  if( rc ) return rc;
+  assert( pCur->pPage );
+  assert( pCur->pPage->isInit );
+  if( pCur->eState==CURSOR_INVALID ){
+    *pRes = -1;
+    assert( pCur->pPage->nCell==0 );
+    return SQLITE_OK;
+  }
+  for(;;){
+    int lwr, upr;
+    Pgno chldPg;
+    MemPage *pPage = pCur->pPage;
+    int c = -1;  /* pRes return if table is empty must be -1 */
+    lwr = 0;
+    upr = pPage->nCell-1;
+    if( !pPage->intKey && pKey==0 ){
+      return SQLITE_CORRUPT_BKPT;
+    }
+    if( biasRight ){
+      pCur->idx = upr;
+    }else{
+      pCur->idx = (upr+lwr)/2;
+    }
+    if( lwr<=upr ) for(;;){
+      void *pCellKey;
+      i64 nCellKey;
+      pCur->info.nSize = 0;
+      if( pPage->intKey ){
+        u8 *pCell;
+        pCell = findCell(pPage, pCur->idx) + pPage->childPtrSize;
+        if( pPage->hasData ){
+          u32 dummy;
+          pCell += getVarint32(pCell, &dummy);
+        }
+        getVarint(pCell, (u64 *)&nCellKey);
+        if( nCellKey<nKey ){
+          c = -1;
+        }else if( nCellKey>nKey ){
+          c = +1;
+        }else{
+          c = 0;
+        }
+      }else{
+        int available;
+        pCellKey = (void *)fetchPayload(pCur, &available, 0);
+        nCellKey = pCur->info.nKey;
+        if( available>=nCellKey ){
+          c = pCur->xCompare(pCur->pArg, nCellKey, pCellKey, nKey, pKey);
+        }else{
+          pCellKey = sqliteMallocRaw( nCellKey );
+          if( pCellKey==0 ) return SQLITE_NOMEM;
+          rc = sqlite3BtreeKey(pCur, 0, nCellKey, (void *)pCellKey);
+          c = pCur->xCompare(pCur->pArg, nCellKey, pCellKey, nKey, pKey);
+          sqliteFree(pCellKey);
+          if( rc ) return rc;
+        }
+      }
+      if( c==0 ){
+        if( pPage->leafData && !pPage->leaf ){
+          lwr = pCur->idx;
+          upr = lwr - 1;
+          break;
+        }else{
+          if( pRes ) *pRes = 0;
+          return SQLITE_OK;
+        }
+      }
+      if( c<0 ){
+        lwr = pCur->idx+1;
+      }else{
+        upr = pCur->idx-1;
+      }
+      if( lwr>upr ){
+        break;
+      }
+      pCur->idx = (lwr+upr)/2;
+    }
+    assert( lwr==upr+1 );
+    assert( pPage->isInit );
+    if( pPage->leaf ){
+      chldPg = 0;
+    }else if( lwr>=pPage->nCell ){
+      chldPg = get4byte(&pPage->aData[pPage->hdrOffset+8]);
+    }else{
+      chldPg = get4byte(findCell(pPage, lwr));
+    }
+    if( chldPg==0 ){
+      assert( pCur->idx>=0 && pCur->idx<pCur->pPage->nCell );
+      if( pRes ) *pRes = c;
+      return SQLITE_OK;
+    }
+    pCur->idx = lwr;
+    pCur->info.nSize = 0;
+    rc = moveToChild(pCur, chldPg);
+    if( rc ){
+      return rc;
+    }
+  }
+  /* NOT REACHED */
+}
+
+/*
+** Return TRUE if the cursor is not pointing at an entry of the table.
+**
+** TRUE will be returned after a call to sqlite3BtreeNext() moves
+** past the last entry in the table or sqlite3BtreePrev() moves past
+** the first entry.  TRUE is also returned if the table is empty.
+*/
+int sqlite3BtreeEof(BtCursor *pCur){
+  /* TODO: What if the cursor is in CURSOR_REQUIRESEEK but all table entries
+  ** have been deleted? This API will need to change to return an error code
+  ** as well as the boolean result value.
+  */
+  return (CURSOR_VALID!=pCur->eState);
+}
+
+/*
+** Advance the cursor to the next entry in the database.  If
+** successful then set *pRes=0.  If the cursor
+** was already pointing to the last entry in the database before
+** this routine was called, then set *pRes=1.
+*/
+int sqlite3BtreeNext(BtCursor *pCur, int *pRes){
+  int rc;
+  MemPage *pPage;
+
+  rc = restoreOrClearCursorPosition(pCur);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  assert( pRes!=0 );
+  pPage = pCur->pPage;
+  if( CURSOR_INVALID==pCur->eState ){
+    *pRes = 1;
+    return SQLITE_OK;
+  }
+  if( pCur->skip>0 ){
+    pCur->skip = 0;
+    *pRes = 0;
+    return SQLITE_OK;
+  }
+  pCur->skip = 0;
+
+  assert( pPage->isInit );
+  assert( pCur->idx<pPage->nCell );
+
+  pCur->idx++;
+  pCur->info.nSize = 0;
+  if( pCur->idx>=pPage->nCell ){
+    if( !pPage->leaf ){
+      rc = moveToChild(pCur, get4byte(&pPage->aData[pPage->hdrOffset+8]));
+      if( rc ) return rc;
+      rc = moveToLeftmost(pCur);
+      *pRes = 0;
+      return rc;
+    }
+    do{
+      if( isRootPage(pPage) ){
+        *pRes = 1;
+        pCur->eState = CURSOR_INVALID;
+        return SQLITE_OK;
+      }
+      moveToParent(pCur);
+      pPage = pCur->pPage;
+    }while( pCur->idx>=pPage->nCell );
+    *pRes = 0;
+    if( pPage->leafData ){
+      rc = sqlite3BtreeNext(pCur, pRes);
+    }else{
+      rc = SQLITE_OK;
+    }
+    return rc;
+  }
+  *pRes = 0;
+  if( pPage->leaf ){
+    return SQLITE_OK;
+  }
+  rc = moveToLeftmost(pCur);
+  return rc;
+}
+
+/*
+** Step the cursor to the back to the previous entry in the database.  If
+** successful then set *pRes=0.  If the cursor
+** was already pointing to the first entry in the database before
+** this routine was called, then set *pRes=1.
+*/
+int sqlite3BtreePrevious(BtCursor *pCur, int *pRes){
+  int rc;
+  Pgno pgno;
+  MemPage *pPage;
+
+  rc = restoreOrClearCursorPosition(pCur);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  if( CURSOR_INVALID==pCur->eState ){
+    *pRes = 1;
+    return SQLITE_OK;
+  }
+  if( pCur->skip<0 ){
+    pCur->skip = 0;
+    *pRes = 0;
+    return SQLITE_OK;
+  }
+  pCur->skip = 0;
+
+  pPage = pCur->pPage;
+  assert( pPage->isInit );
+  assert( pCur->idx>=0 );
+  if( !pPage->leaf ){
+    pgno = get4byte( findCell(pPage, pCur->idx) );
+    rc = moveToChild(pCur, pgno);
+    if( rc ) return rc;
+    rc = moveToRightmost(pCur);
+  }else{
+    while( pCur->idx==0 ){
+      if( isRootPage(pPage) ){
+        pCur->eState = CURSOR_INVALID;
+        *pRes = 1;
+        return SQLITE_OK;
+      }
+      moveToParent(pCur);
+      pPage = pCur->pPage;
+    }
+    pCur->idx--;
+    pCur->info.nSize = 0;
+    if( pPage->leafData && !pPage->leaf ){
+      rc = sqlite3BtreePrevious(pCur, pRes);
+    }else{
+      rc = SQLITE_OK;
+    }
+  }
+  *pRes = 0;
+  return rc;
+}
+
+/*
+** Allocate a new page from the database file.
+**
+** The new page is marked as dirty.  (In other words, sqlite3PagerWrite()
+** has already been called on the new page.)  The new page has also
+** been referenced and the calling routine is responsible for calling
+** sqlite3PagerUnref() on the new page when it is done.
+**
+** SQLITE_OK is returned on success.  Any other return value indicates
+** an error.  *ppPage and *pPgno are undefined in the event of an error.
+** Do not invoke sqlite3PagerUnref() on *ppPage if an error is returned.
+**
+** If the "nearby" parameter is not 0, then a (feeble) effort is made to 
+** locate a page close to the page number "nearby".  This can be used in an
+** attempt to keep related pages close to each other in the database file,
+** which in turn can make database access faster.
+**
+** If the "exact" parameter is not 0, and the page-number nearby exists 
+** anywhere on the free-list, then it is guarenteed to be returned. This
+** is only used by auto-vacuum databases when allocating a new table.
+*/
+static int allocateBtreePage(
+  BtShared *pBt, 
+  MemPage **ppPage, 
+  Pgno *pPgno, 
+  Pgno nearby,
+  u8 exact
+){
+  MemPage *pPage1;
+  int rc;
+  int n;     /* Number of pages on the freelist */
+  int k;     /* Number of leaves on the trunk of the freelist */
+  MemPage *pTrunk = 0;
+  MemPage *pPrevTrunk = 0;
+
+  pPage1 = pBt->pPage1;
+  n = get4byte(&pPage1->aData[36]);
+  if( n>0 ){
+    /* There are pages on the freelist.  Reuse one of those pages. */
+    Pgno iTrunk;
+    u8 searchList = 0; /* If the free-list must be searched for 'nearby' */
+    
+    /* If the 'exact' parameter was true and a query of the pointer-map
+    ** shows that the page 'nearby' is somewhere on the free-list, then
+    ** the entire-list will be searched for that page.
+    */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( exact ){
+      u8 eType;
+      assert( nearby>0 );
+      assert( pBt->autoVacuum );
+      rc = ptrmapGet(pBt, nearby, &eType, 0);
+      if( rc ) return rc;
+      if( eType==PTRMAP_FREEPAGE ){
+        searchList = 1;
+      }
+      *pPgno = nearby;
+    }
+#endif
+
+    /* Decrement the free-list count by 1. Set iTrunk to the index of the
+    ** first free-list trunk page. iPrevTrunk is initially 1.
+    */
+    rc = sqlite3PagerWrite(pPage1->pDbPage);
+    if( rc ) return rc;
+    put4byte(&pPage1->aData[36], n-1);
+
+    /* The code within this loop is run only once if the 'searchList' variable
+    ** is not true. Otherwise, it runs once for each trunk-page on the
+    ** free-list until the page 'nearby' is located.
+    */
+    do {
+      pPrevTrunk = pTrunk;
+      if( pPrevTrunk ){
+        iTrunk = get4byte(&pPrevTrunk->aData[0]);
+      }else{
+        iTrunk = get4byte(&pPage1->aData[32]);
+      }
+      rc = getPage(pBt, iTrunk, &pTrunk, 0);
+      if( rc ){
+        pTrunk = 0;
+        goto end_allocate_page;
+      }
+
+      k = get4byte(&pTrunk->aData[4]);
+      if( k==0 && !searchList ){
+        /* The trunk has no leaves and the list is not being searched. 
+        ** So extract the trunk page itself and use it as the newly 
+        ** allocated page */
+        assert( pPrevTrunk==0 );
+        rc = sqlite3PagerWrite(pTrunk->pDbPage);
+        if( rc ){
+          goto end_allocate_page;
+        }
+        *pPgno = iTrunk;
+        memcpy(&pPage1->aData[32], &pTrunk->aData[0], 4);
+        *ppPage = pTrunk;
+        pTrunk = 0;
+        TRACE(("ALLOCATE: %d trunk - %d free pages left\n", *pPgno, n-1));
+      }else if( k>pBt->usableSize/4 - 8 ){
+        /* Value of k is out of range.  Database corruption */
+        rc = SQLITE_CORRUPT_BKPT;
+        goto end_allocate_page;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      }else if( searchList && nearby==iTrunk ){
+        /* The list is being searched and this trunk page is the page
+        ** to allocate, regardless of whether it has leaves.
+        */
+        assert( *pPgno==iTrunk );
+        *ppPage = pTrunk;
+        searchList = 0;
+        rc = sqlite3PagerWrite(pTrunk->pDbPage);
+        if( rc ){
+          goto end_allocate_page;
+        }
+        if( k==0 ){
+          if( !pPrevTrunk ){
+            memcpy(&pPage1->aData[32], &pTrunk->aData[0], 4);
+          }else{
+            memcpy(&pPrevTrunk->aData[0], &pTrunk->aData[0], 4);
+          }
+        }else{
+          /* The trunk page is required by the caller but it contains 
+          ** pointers to free-list leaves. The first leaf becomes a trunk
+          ** page in this case.
+          */
+          MemPage *pNewTrunk;
+          Pgno iNewTrunk = get4byte(&pTrunk->aData[8]);
+          rc = getPage(pBt, iNewTrunk, &pNewTrunk, 0);
+          if( rc!=SQLITE_OK ){
+            goto end_allocate_page;
+          }
+          rc = sqlite3PagerWrite(pNewTrunk->pDbPage);
+          if( rc!=SQLITE_OK ){
+            releasePage(pNewTrunk);
+            goto end_allocate_page;
+          }
+          memcpy(&pNewTrunk->aData[0], &pTrunk->aData[0], 4);
+          put4byte(&pNewTrunk->aData[4], k-1);
+          memcpy(&pNewTrunk->aData[8], &pTrunk->aData[12], (k-1)*4);
+          releasePage(pNewTrunk);
+          if( !pPrevTrunk ){
+            put4byte(&pPage1->aData[32], iNewTrunk);
+          }else{
+            rc = sqlite3PagerWrite(pPrevTrunk->pDbPage);
+            if( rc ){
+              goto end_allocate_page;
+            }
+            put4byte(&pPrevTrunk->aData[0], iNewTrunk);
+          }
+        }
+        pTrunk = 0;
+        TRACE(("ALLOCATE: %d trunk - %d free pages left\n", *pPgno, n-1));
+#endif
+      }else{
+        /* Extract a leaf from the trunk */
+        int closest;
+        Pgno iPage;
+        unsigned char *aData = pTrunk->aData;
+        rc = sqlite3PagerWrite(pTrunk->pDbPage);
+        if( rc ){
+          goto end_allocate_page;
+        }
+        if( nearby>0 ){
+          int i, dist;
+          closest = 0;
+          dist = get4byte(&aData[8]) - nearby;
+          if( dist<0 ) dist = -dist;
+          for(i=1; i<k; i++){
+            int d2 = get4byte(&aData[8+i*4]) - nearby;
+            if( d2<0 ) d2 = -d2;
+            if( d2<dist ){
+              closest = i;
+              dist = d2;
+            }
+          }
+        }else{
+          closest = 0;
+        }
+
+        iPage = get4byte(&aData[8+closest*4]);
+        if( !searchList || iPage==nearby ){
+          *pPgno = iPage;
+          if( *pPgno>sqlite3PagerPagecount(pBt->pPager) ){
+            /* Free page off the end of the file */
+            return SQLITE_CORRUPT_BKPT;
+          }
+          TRACE(("ALLOCATE: %d was leaf %d of %d on trunk %d"
+                 ": %d more free pages\n",
+                 *pPgno, closest+1, k, pTrunk->pgno, n-1));
+          if( closest<k-1 ){
+            memcpy(&aData[8+closest*4], &aData[4+k*4], 4);
+          }
+          put4byte(&aData[4], k-1);
+          rc = getPage(pBt, *pPgno, ppPage, 1);
+          if( rc==SQLITE_OK ){
+            sqlite3PagerDontRollback((*ppPage)->pDbPage);
+            rc = sqlite3PagerWrite((*ppPage)->pDbPage);
+            if( rc!=SQLITE_OK ){
+              releasePage(*ppPage);
+            }
+          }
+          searchList = 0;
+        }
+      }
+      releasePage(pPrevTrunk);
+      pPrevTrunk = 0;
+    }while( searchList );
+  }else{
+    /* There are no pages on the freelist, so create a new page at the
+    ** end of the file */
+    *pPgno = sqlite3PagerPagecount(pBt->pPager) + 1;
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pBt->autoVacuum && PTRMAP_ISPAGE(pBt, *pPgno) ){
+      /* If *pPgno refers to a pointer-map page, allocate two new pages
+      ** at the end of the file instead of one. The first allocated page
+      ** becomes a new pointer-map page, the second is used by the caller.
+      */
+      TRACE(("ALLOCATE: %d from end of file (pointer-map page)\n", *pPgno));
+      assert( *pPgno!=PENDING_BYTE_PAGE(pBt) );
+      (*pPgno)++;
+    }
+#endif
+
+    assert( *pPgno!=PENDING_BYTE_PAGE(pBt) );
+    rc = getPage(pBt, *pPgno, ppPage, 0);
+    if( rc ) return rc;
+    rc = sqlite3PagerWrite((*ppPage)->pDbPage);
+    if( rc!=SQLITE_OK ){
+      releasePage(*ppPage);
+    }
+    TRACE(("ALLOCATE: %d from end of file\n", *pPgno));
+  }
+
+  assert( *pPgno!=PENDING_BYTE_PAGE(pBt) );
+
+end_allocate_page:
+  releasePage(pTrunk);
+  releasePage(pPrevTrunk);
+  return rc;
+}
+
+/*
+** Add a page of the database file to the freelist.
+**
+** sqlite3PagerUnref() is NOT called for pPage.
+*/
+static int freePage(MemPage *pPage){
+  BtShared *pBt = pPage->pBt;
+  MemPage *pPage1 = pBt->pPage1;
+  int rc, n, k;
+
+  /* Prepare the page for freeing */
+  assert( pPage->pgno>1 );
+  pPage->isInit = 0;
+  releasePage(pPage->pParent);
+  pPage->pParent = 0;
+
+  /* Increment the free page count on pPage1 */
+  rc = sqlite3PagerWrite(pPage1->pDbPage);
+  if( rc ) return rc;
+  n = get4byte(&pPage1->aData[36]);
+  put4byte(&pPage1->aData[36], n+1);
+
+#ifdef SQLITE_SECURE_DELETE
+  /* If the SQLITE_SECURE_DELETE compile-time option is enabled, then
+  ** always fully overwrite deleted information with zeros.
+  */
+  rc = sqlite3PagerWrite(pPage->pDbPage);
+  if( rc ) return rc;
+  memset(pPage->aData, 0, pPage->pBt->pageSize);
+#endif
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  /* If the database supports auto-vacuum, write an entry in the pointer-map
+  ** to indicate that the page is free.
+  */
+  if( pBt->autoVacuum ){
+    rc = ptrmapPut(pBt, pPage->pgno, PTRMAP_FREEPAGE, 0);
+    if( rc ) return rc;
+  }
+#endif
+
+  if( n==0 ){
+    /* This is the first free page */
+    rc = sqlite3PagerWrite(pPage->pDbPage);
+    if( rc ) return rc;
+    memset(pPage->aData, 0, 8);
+    put4byte(&pPage1->aData[32], pPage->pgno);
+    TRACE(("FREE-PAGE: %d first\n", pPage->pgno));
+  }else{
+    /* Other free pages already exist.  Retrive the first trunk page
+    ** of the freelist and find out how many leaves it has. */
+    MemPage *pTrunk;
+    rc = getPage(pBt, get4byte(&pPage1->aData[32]), &pTrunk, 0);
+    if( rc ) return rc;
+    k = get4byte(&pTrunk->aData[4]);
+    if( k>=pBt->usableSize/4 - 8 ){
+      /* The trunk is full.  Turn the page being freed into a new
+      ** trunk page with no leaves. */
+      rc = sqlite3PagerWrite(pPage->pDbPage);
+      if( rc ) return rc;
+      put4byte(pPage->aData, pTrunk->pgno);
+      put4byte(&pPage->aData[4], 0);
+      put4byte(&pPage1->aData[32], pPage->pgno);
+      TRACE(("FREE-PAGE: %d new trunk page replacing %d\n",
+              pPage->pgno, pTrunk->pgno));
+    }else{
+      /* Add the newly freed page as a leaf on the current trunk */
+      rc = sqlite3PagerWrite(pTrunk->pDbPage);
+      if( rc==SQLITE_OK ){
+        put4byte(&pTrunk->aData[4], k+1);
+        put4byte(&pTrunk->aData[8+k*4], pPage->pgno);
+#ifndef SQLITE_SECURE_DELETE
+        sqlite3PagerDontWrite(pPage->pDbPage);
+#endif
+      }
+      TRACE(("FREE-PAGE: %d leaf on trunk page %d\n",pPage->pgno,pTrunk->pgno));
+    }
+    releasePage(pTrunk);
+  }
+  return rc;
+}
+
+/*
+** Free any overflow pages associated with the given Cell.
+*/
+static int clearCell(MemPage *pPage, unsigned char *pCell){
+  BtShared *pBt = pPage->pBt;
+  CellInfo info;
+  Pgno ovflPgno;
+  int rc;
+  int nOvfl;
+  int ovflPageSize;
+
+  parseCellPtr(pPage, pCell, &info);
+  if( info.iOverflow==0 ){
+    return SQLITE_OK;  /* No overflow pages. Return without doing anything */
+  }
+  ovflPgno = get4byte(&pCell[info.iOverflow]);
+  ovflPageSize = pBt->usableSize - 4;
+  nOvfl = (info.nPayload - info.nLocal + ovflPageSize - 1)/ovflPageSize;
+  assert( ovflPgno==0 || nOvfl>0 );
+  while( nOvfl-- ){
+    MemPage *pOvfl;
+    if( ovflPgno==0 || ovflPgno>sqlite3PagerPagecount(pBt->pPager) ){
+      return SQLITE_CORRUPT_BKPT;
+    }
+    rc = getPage(pBt, ovflPgno, &pOvfl, nOvfl==0);
+    if( rc ) return rc;
+    if( nOvfl ){
+      ovflPgno = get4byte(pOvfl->aData);
+    }
+    rc = freePage(pOvfl);
+    sqlite3PagerUnref(pOvfl->pDbPage);
+    if( rc ) return rc;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Create the byte sequence used to represent a cell on page pPage
+** and write that byte sequence into pCell[].  Overflow pages are
+** allocated and filled in as necessary.  The calling procedure
+** is responsible for making sure sufficient space has been allocated
+** for pCell[].
+**
+** Note that pCell does not necessary need to point to the pPage->aData
+** area.  pCell might point to some temporary storage.  The cell will
+** be constructed in this temporary area then copied into pPage->aData
+** later.
+*/
+static int fillInCell(
+  MemPage *pPage,                /* The page that contains the cell */
+  unsigned char *pCell,          /* Complete text of the cell */
+  const void *pKey, i64 nKey,    /* The key */
+  const void *pData,int nData,   /* The data */
+  int *pnSize                    /* Write cell size here */
+){
+  int nPayload;
+  const u8 *pSrc;
+  int nSrc, n, rc;
+  int spaceLeft;
+  MemPage *pOvfl = 0;
+  MemPage *pToRelease = 0;
+  unsigned char *pPrior;
+  unsigned char *pPayload;
+  BtShared *pBt = pPage->pBt;
+  Pgno pgnoOvfl = 0;
+  int nHeader;
+  CellInfo info;
+
+  /* Fill in the header. */
+  nHeader = 0;
+  if( !pPage->leaf ){
+    nHeader += 4;
+  }
+  if( pPage->hasData ){
+    nHeader += putVarint(&pCell[nHeader], nData);
+  }else{
+    nData = 0;
+  }
+  nHeader += putVarint(&pCell[nHeader], *(u64*)&nKey);
+  parseCellPtr(pPage, pCell, &info);
+  assert( info.nHeader==nHeader );
+  assert( info.nKey==nKey );
+  assert( info.nData==nData );
+  
+  /* Fill in the payload */
+  nPayload = nData;
+  if( pPage->intKey ){
+    pSrc = pData;
+    nSrc = nData;
+    nData = 0;
+  }else{
+    nPayload += nKey;
+    pSrc = pKey;
+    nSrc = nKey;
+  }
+  *pnSize = info.nSize;
+  spaceLeft = info.nLocal;
+  pPayload = &pCell[nHeader];
+  pPrior = &pCell[info.iOverflow];
+
+  while( nPayload>0 ){
+    if( spaceLeft==0 ){
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      Pgno pgnoPtrmap = pgnoOvfl; /* Overflow page pointer-map entry page */
+#endif
+      rc = allocateBtreePage(pBt, &pOvfl, &pgnoOvfl, pgnoOvfl, 0);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      /* If the database supports auto-vacuum, and the second or subsequent
+      ** overflow page is being allocated, add an entry to the pointer-map
+      ** for that page now. The entry for the first overflow page will be
+      ** added later, by the insertCell() routine.
+      */
+      if( pBt->autoVacuum && pgnoPtrmap!=0 && rc==SQLITE_OK ){
+        rc = ptrmapPut(pBt, pgnoOvfl, PTRMAP_OVERFLOW2, pgnoPtrmap);
+      }
+#endif
+      if( rc ){
+        releasePage(pToRelease);
+        return rc;
+      }
+      put4byte(pPrior, pgnoOvfl);
+      releasePage(pToRelease);
+      pToRelease = pOvfl;
+      pPrior = pOvfl->aData;
+      put4byte(pPrior, 0);
+      pPayload = &pOvfl->aData[4];
+      spaceLeft = pBt->usableSize - 4;
+    }
+    n = nPayload;
+    if( n>spaceLeft ) n = spaceLeft;
+    if( n>nSrc ) n = nSrc;
+    assert( pSrc );
+    memcpy(pPayload, pSrc, n);
+    nPayload -= n;
+    pPayload += n;
+    pSrc += n;
+    nSrc -= n;
+    spaceLeft -= n;
+    if( nSrc==0 ){
+      nSrc = nData;
+      pSrc = pData;
+    }
+  }
+  releasePage(pToRelease);
+  return SQLITE_OK;
+}
+
+/*
+** Change the MemPage.pParent pointer on the page whose number is
+** given in the second argument so that MemPage.pParent holds the
+** pointer in the third argument.
+*/
+static int reparentPage(BtShared *pBt, Pgno pgno, MemPage *pNewParent, int idx){
+  MemPage *pThis;
+  DbPage *pDbPage;
+
+  assert( pNewParent!=0 );
+  if( pgno==0 ) return SQLITE_OK;
+  assert( pBt->pPager!=0 );
+  pDbPage = sqlite3PagerLookup(pBt->pPager, pgno);
+  if( pDbPage ){
+    pThis = (MemPage *)sqlite3PagerGetExtra(pDbPage);
+    if( pThis->isInit ){
+      assert( pThis->aData==(sqlite3PagerGetData(pDbPage)) );
+      if( pThis->pParent!=pNewParent ){
+        if( pThis->pParent ) sqlite3PagerUnref(pThis->pParent->pDbPage);
+        pThis->pParent = pNewParent;
+        sqlite3PagerRef(pNewParent->pDbPage);
+      }
+      pThis->idxParent = idx;
+    }
+    sqlite3PagerUnref(pDbPage);
+  }
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  if( pBt->autoVacuum ){
+    return ptrmapPut(pBt, pgno, PTRMAP_BTREE, pNewParent->pgno);
+  }
+#endif
+  return SQLITE_OK;
+}
+
+
+
+/*
+** Change the pParent pointer of all children of pPage to point back
+** to pPage.
+**
+** In other words, for every child of pPage, invoke reparentPage()
+** to make sure that each child knows that pPage is its parent.
+**
+** This routine gets called after you memcpy() one page into
+** another.
+*/
+static int reparentChildPages(MemPage *pPage){
+  int i;
+  BtShared *pBt = pPage->pBt;
+  int rc = SQLITE_OK;
+
+  if( pPage->leaf ) return SQLITE_OK;
+
+  for(i=0; i<pPage->nCell; i++){
+    u8 *pCell = findCell(pPage, i);
+    if( !pPage->leaf ){
+      rc = reparentPage(pBt, get4byte(pCell), pPage, i);
+      if( rc!=SQLITE_OK ) return rc;
+    }
+  }
+  if( !pPage->leaf ){
+    rc = reparentPage(pBt, get4byte(&pPage->aData[pPage->hdrOffset+8]), 
+       pPage, i);
+    pPage->idxShift = 0;
+  }
+  return rc;
+}
+
+/*
+** Remove the i-th cell from pPage.  This routine effects pPage only.
+** The cell content is not freed or deallocated.  It is assumed that
+** the cell content has been copied someplace else.  This routine just
+** removes the reference to the cell from pPage.
+**
+** "sz" must be the number of bytes in the cell.
+*/
+static void dropCell(MemPage *pPage, int idx, int sz){
+  int i;          /* Loop counter */
+  int pc;         /* Offset to cell content of cell being deleted */
+  u8 *data;       /* pPage->aData */
+  u8 *ptr;        /* Used to move bytes around within data[] */
+
+  assert( idx>=0 && idx<pPage->nCell );
+  assert( sz==cellSize(pPage, idx) );
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  data = pPage->aData;
+  ptr = &data[pPage->cellOffset + 2*idx];
+  pc = get2byte(ptr);
+  assert( pc>10 && pc+sz<=pPage->pBt->usableSize );
+  freeSpace(pPage, pc, sz);
+  for(i=idx+1; i<pPage->nCell; i++, ptr+=2){
+    ptr[0] = ptr[2];
+    ptr[1] = ptr[3];
+  }
+  pPage->nCell--;
+  put2byte(&data[pPage->hdrOffset+3], pPage->nCell);
+  pPage->nFree += 2;
+  pPage->idxShift = 1;
+}
+
+/*
+** Insert a new cell on pPage at cell index "i".  pCell points to the
+** content of the cell.
+**
+** If the cell content will fit on the page, then put it there.  If it
+** will not fit, then make a copy of the cell content into pTemp if
+** pTemp is not null.  Regardless of pTemp, allocate a new entry
+** in pPage->aOvfl[] and make it point to the cell content (either
+** in pTemp or the original pCell) and also record its index. 
+** Allocating a new entry in pPage->aCell[] implies that 
+** pPage->nOverflow is incremented.
+**
+** If nSkip is non-zero, then do not copy the first nSkip bytes of the
+** cell. The caller will overwrite them after this function returns. If
+** nSkip is non-zero, then pCell may not point to an invalid memory location 
+** (but pCell+nSkip is always valid).
+*/
+static int insertCell(
+  MemPage *pPage,   /* Page into which we are copying */
+  int i,            /* New cell becomes the i-th cell of the page */
+  u8 *pCell,        /* Content of the new cell */
+  int sz,           /* Bytes of content in pCell */
+  u8 *pTemp,        /* Temp storage space for pCell, if needed */
+  u8 nSkip          /* Do not write the first nSkip bytes of the cell */
+){
+  int idx;          /* Where to write new cell content in data[] */
+  int j;            /* Loop counter */
+  int top;          /* First byte of content for any cell in data[] */
+  int end;          /* First byte past the last cell pointer in data[] */
+  int ins;          /* Index in data[] where new cell pointer is inserted */
+  int hdr;          /* Offset into data[] of the page header */
+  int cellOffset;   /* Address of first cell pointer in data[] */
+  u8 *data;         /* The content of the whole page */
+  u8 *ptr;          /* Used for moving information around in data[] */
+
+  assert( i>=0 && i<=pPage->nCell+pPage->nOverflow );
+  assert( sz==cellSizePtr(pPage, pCell) );
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  if( pPage->nOverflow || sz+2>pPage->nFree ){
+    if( pTemp ){
+      memcpy(pTemp+nSkip, pCell+nSkip, sz-nSkip);
+      pCell = pTemp;
+    }
+    j = pPage->nOverflow++;
+    assert( j<sizeof(pPage->aOvfl)/sizeof(pPage->aOvfl[0]) );
+    pPage->aOvfl[j].pCell = pCell;
+    pPage->aOvfl[j].idx = i;
+    pPage->nFree = 0;
+  }else{
+    data = pPage->aData;
+    hdr = pPage->hdrOffset;
+    top = get2byte(&data[hdr+5]);
+    cellOffset = pPage->cellOffset;
+    end = cellOffset + 2*pPage->nCell + 2;
+    ins = cellOffset + 2*i;
+    if( end > top - sz ){
+      int rc = defragmentPage(pPage);
+      if( rc!=SQLITE_OK ) return rc;
+      top = get2byte(&data[hdr+5]);
+      assert( end + sz <= top );
+    }
+    idx = allocateSpace(pPage, sz);
+    assert( idx>0 );
+    assert( end <= get2byte(&data[hdr+5]) );
+    pPage->nCell++;
+    pPage->nFree -= 2;
+    memcpy(&data[idx+nSkip], pCell+nSkip, sz-nSkip);
+    for(j=end-2, ptr=&data[j]; j>ins; j-=2, ptr-=2){
+      ptr[0] = ptr[-2];
+      ptr[1] = ptr[-1];
+    }
+    put2byte(&data[ins], idx);
+    put2byte(&data[hdr+3], pPage->nCell);
+    pPage->idxShift = 1;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pPage->pBt->autoVacuum ){
+      /* The cell may contain a pointer to an overflow page. If so, write
+      ** the entry for the overflow page into the pointer map.
+      */
+      CellInfo info;
+      parseCellPtr(pPage, pCell, &info);
+      assert( (info.nData+(pPage->intKey?0:info.nKey))==info.nPayload );
+      if( (info.nData+(pPage->intKey?0:info.nKey))>info.nLocal ){
+        Pgno pgnoOvfl = get4byte(&pCell[info.iOverflow]);
+        int rc = ptrmapPut(pPage->pBt, pgnoOvfl, PTRMAP_OVERFLOW1, pPage->pgno);
+        if( rc!=SQLITE_OK ) return rc;
+      }
+    }
+#endif
+  }
+
+  return SQLITE_OK;
+}
+
+/*
+** Add a list of cells to a page.  The page should be initially empty.
+** The cells are guaranteed to fit on the page.
+*/
+static void assemblePage(
+  MemPage *pPage,   /* The page to be assemblied */
+  int nCell,        /* The number of cells to add to this page */
+  u8 **apCell,      /* Pointers to cell bodies */
+  int *aSize        /* Sizes of the cells */
+){
+  int i;            /* Loop counter */
+  int totalSize;    /* Total size of all cells */
+  int hdr;          /* Index of page header */
+  int cellptr;      /* Address of next cell pointer */
+  int cellbody;     /* Address of next cell body */
+  u8 *data;         /* Data for the page */
+
+  assert( pPage->nOverflow==0 );
+  totalSize = 0;
+  for(i=0; i<nCell; i++){
+    totalSize += aSize[i];
+  }
+  assert( totalSize+2*nCell<=pPage->nFree );
+  assert( pPage->nCell==0 );
+  cellptr = pPage->cellOffset;
+  data = pPage->aData;
+  hdr = pPage->hdrOffset;
+  put2byte(&data[hdr+3], nCell);
+  if( nCell ){
+    cellbody = allocateSpace(pPage, totalSize);
+    assert( cellbody>0 );
+    assert( pPage->nFree >= 2*nCell );
+    pPage->nFree -= 2*nCell;
+    for(i=0; i<nCell; i++){
+      put2byte(&data[cellptr], cellbody);
+      memcpy(&data[cellbody], apCell[i], aSize[i]);
+      cellptr += 2;
+      cellbody += aSize[i];
+    }
+    assert( cellbody==pPage->pBt->usableSize );
+  }
+  pPage->nCell = nCell;
+}
+
+/*
+** The following parameters determine how many adjacent pages get involved
+** in a balancing operation.  NN is the number of neighbors on either side
+** of the page that participate in the balancing operation.  NB is the
+** total number of pages that participate, including the target page and
+** NN neighbors on either side.
+**
+** The minimum value of NN is 1 (of course).  Increasing NN above 1
+** (to 2 or 3) gives a modest improvement in SELECT and DELETE performance
+** in exchange for a larger degradation in INSERT and UPDATE performance.
+** The value of NN appears to give the best results overall.
+*/
+#define NN 1             /* Number of neighbors on either side of pPage */
+#define NB (NN*2+1)      /* Total pages involved in the balance */
+
+/* Forward reference */
+static int balance(MemPage*, int);
+
+#ifndef SQLITE_OMIT_QUICKBALANCE
+/*
+** This version of balance() handles the common special case where
+** a new entry is being inserted on the extreme right-end of the
+** tree, in other words, when the new entry will become the largest
+** entry in the tree.
+**
+** Instead of trying balance the 3 right-most leaf pages, just add
+** a new page to the right-hand side and put the one new entry in
+** that page.  This leaves the right side of the tree somewhat
+** unbalanced.  But odds are that we will be inserting new entries
+** at the end soon afterwards so the nearly empty page will quickly
+** fill up.  On average.
+**
+** pPage is the leaf page which is the right-most page in the tree.
+** pParent is its parent.  pPage must have a single overflow entry
+** which is also the right-most entry on the page.
+*/
+static int balance_quick(MemPage *pPage, MemPage *pParent){
+  int rc;
+  MemPage *pNew;
+  Pgno pgnoNew;
+  u8 *pCell;
+  int szCell;
+  CellInfo info;
+  BtShared *pBt = pPage->pBt;
+  int parentIdx = pParent->nCell;   /* pParent new divider cell index */
+  int parentSize;                   /* Size of new divider cell */
+  u8 parentCell[64];                /* Space for the new divider cell */
+
+  /* Allocate a new page. Insert the overflow cell from pPage
+  ** into it. Then remove the overflow cell from pPage.
+  */
+  rc = allocateBtreePage(pBt, &pNew, &pgnoNew, 0, 0);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  pCell = pPage->aOvfl[0].pCell;
+  szCell = cellSizePtr(pPage, pCell);
+  zeroPage(pNew, pPage->aData[0]);
+  assemblePage(pNew, 1, &pCell, &szCell);
+  pPage->nOverflow = 0;
+
+  /* Set the parent of the newly allocated page to pParent. */
+  pNew->pParent = pParent;
+  sqlite3PagerRef(pParent->pDbPage);
+
+  /* pPage is currently the right-child of pParent. Change this
+  ** so that the right-child is the new page allocated above and
+  ** pPage is the next-to-right child. 
+  */
+  assert( pPage->nCell>0 );
+  parseCellPtr(pPage, findCell(pPage, pPage->nCell-1), &info);
+  rc = fillInCell(pParent, parentCell, 0, info.nKey, 0, 0, &parentSize);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  assert( parentSize<64 );
+  rc = insertCell(pParent, parentIdx, parentCell, parentSize, 0, 4);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+  put4byte(findOverflowCell(pParent,parentIdx), pPage->pgno);
+  put4byte(&pParent->aData[pParent->hdrOffset+8], pgnoNew);
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  /* If this is an auto-vacuum database, update the pointer map
+  ** with entries for the new page, and any pointer from the 
+  ** cell on the page to an overflow page.
+  */
+  if( pBt->autoVacuum ){
+    rc = ptrmapPut(pBt, pgnoNew, PTRMAP_BTREE, pParent->pgno);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+    rc = ptrmapPutOvfl(pNew, 0);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+  }
+#endif
+
+  /* Release the reference to the new page and balance the parent page,
+  ** in case the divider cell inserted caused it to become overfull.
+  */
+  releasePage(pNew);
+  return balance(pParent, 0);
+}
+#endif /* SQLITE_OMIT_QUICKBALANCE */
+
+/*
+** The ISAUTOVACUUM macro is used within balance_nonroot() to determine
+** if the database supports auto-vacuum or not. Because it is used
+** within an expression that is an argument to another macro 
+** (sqliteMallocRaw), it is not possible to use conditional compilation.
+** So, this macro is defined instead.
+*/
+#ifndef SQLITE_OMIT_AUTOVACUUM
+#define ISAUTOVACUUM (pBt->autoVacuum)
+#else
+#define ISAUTOVACUUM 0
+#endif
+
+/*
+** This routine redistributes Cells on pPage and up to NN*2 siblings
+** of pPage so that all pages have about the same amount of free space.
+** Usually NN siblings on either side of pPage is used in the balancing,
+** though more siblings might come from one side if pPage is the first
+** or last child of its parent.  If pPage has fewer than 2*NN siblings
+** (something which can only happen if pPage is the root page or a 
+** child of root) then all available siblings participate in the balancing.
+**
+** The number of siblings of pPage might be increased or decreased by one or
+** two in an effort to keep pages nearly full but not over full. The root page
+** is special and is allowed to be nearly empty. If pPage is 
+** the root page, then the depth of the tree might be increased
+** or decreased by one, as necessary, to keep the root page from being
+** overfull or completely empty.
+**
+** Note that when this routine is called, some of the Cells on pPage
+** might not actually be stored in pPage->aData[].  This can happen
+** if the page is overfull.  Part of the job of this routine is to
+** make sure all Cells for pPage once again fit in pPage->aData[].
+**
+** In the course of balancing the siblings of pPage, the parent of pPage
+** might become overfull or underfull.  If that happens, then this routine
+** is called recursively on the parent.
+**
+** If this routine fails for any reason, it might leave the database
+** in a corrupted state.  So if this routine fails, the database should
+** be rolled back.
+*/
+static int balance_nonroot(MemPage *pPage){
+  MemPage *pParent;            /* The parent of pPage */
+  BtShared *pBt;                  /* The whole database */
+  int nCell = 0;               /* Number of cells in apCell[] */
+  int nMaxCells = 0;           /* Allocated size of apCell, szCell, aFrom. */
+  int nOld;                    /* Number of pages in apOld[] */
+  int nNew;                    /* Number of pages in apNew[] */
+  int nDiv;                    /* Number of cells in apDiv[] */
+  int i, j, k;                 /* Loop counters */
+  int idx;                     /* Index of pPage in pParent->aCell[] */
+  int nxDiv;                   /* Next divider slot in pParent->aCell[] */
+  int rc;                      /* The return code */
+  int leafCorrection;          /* 4 if pPage is a leaf.  0 if not */
+  int leafData;                /* True if pPage is a leaf of a LEAFDATA tree */
+  int usableSpace;             /* Bytes in pPage beyond the header */
+  int pageFlags;               /* Value of pPage->aData[0] */
+  int subtotal;                /* Subtotal of bytes in cells on one page */
+  int iSpace = 0;              /* First unused byte of aSpace[] */
+  MemPage *apOld[NB];          /* pPage and up to two siblings */
+  Pgno pgnoOld[NB];            /* Page numbers for each page in apOld[] */
+  MemPage *apCopy[NB];         /* Private copies of apOld[] pages */
+  MemPage *apNew[NB+2];        /* pPage and up to NB siblings after balancing */
+  Pgno pgnoNew[NB+2];          /* Page numbers for each page in apNew[] */
+  u8 *apDiv[NB];               /* Divider cells in pParent */
+  int cntNew[NB+2];            /* Index in aCell[] of cell after i-th page */
+  int szNew[NB+2];             /* Combined size of cells place on i-th page */
+  u8 **apCell = 0;             /* All cells begin balanced */
+  int *szCell;                 /* Local size of all cells in apCell[] */
+  u8 *aCopy[NB];               /* Space for holding data of apCopy[] */
+  u8 *aSpace;                  /* Space to hold copies of dividers cells */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  u8 *aFrom = 0;
+#endif
+
+  /* 
+  ** Find the parent page.
+  */
+  assert( pPage->isInit );
+  assert( sqlite3PagerIswriteable(pPage->pDbPage) );
+  pBt = pPage->pBt;
+  pParent = pPage->pParent;
+  assert( pParent );
+  if( SQLITE_OK!=(rc = sqlite3PagerWrite(pParent->pDbPage)) ){
+    return rc;
+  }
+  TRACE(("BALANCE: begin page %d child of %d\n", pPage->pgno, pParent->pgno));
+
+#ifndef SQLITE_OMIT_QUICKBALANCE
+  /*
+  ** A special case:  If a new entry has just been inserted into a
+  ** table (that is, a btree with integer keys and all data at the leaves)
+  ** and the new entry is the right-most entry in the tree (it has the
+  ** largest key) then use the special balance_quick() routine for
+  ** balancing.  balance_quick() is much faster and results in a tighter
+  ** packing of data in the common case.
+  */
+  if( pPage->leaf &&
+      pPage->intKey &&
+      pPage->leafData &&
+      pPage->nOverflow==1 &&
+      pPage->aOvfl[0].idx==pPage->nCell &&
+      pPage->pParent->pgno!=1 &&
+      get4byte(&pParent->aData[pParent->hdrOffset+8])==pPage->pgno
+  ){
+    /*
+    ** TODO: Check the siblings to the left of pPage. It may be that
+    ** they are not full and no new page is required.
+    */
+    return balance_quick(pPage, pParent);
+  }
+#endif
+
+  /*
+  ** Find the cell in the parent page whose left child points back
+  ** to pPage.  The "idx" variable is the index of that cell.  If pPage
+  ** is the rightmost child of pParent then set idx to pParent->nCell 
+  */
+  if( pParent->idxShift ){
+    Pgno pgno;
+    pgno = pPage->pgno;
+    assert( pgno==sqlite3PagerPagenumber(pPage->pDbPage) );
+    for(idx=0; idx<pParent->nCell; idx++){
+      if( get4byte(findCell(pParent, idx))==pgno ){
+        break;
+      }
+    }
+    assert( idx<pParent->nCell
+             || get4byte(&pParent->aData[pParent->hdrOffset+8])==pgno );
+  }else{
+    idx = pPage->idxParent;
+  }
+
+  /*
+  ** Initialize variables so that it will be safe to jump
+  ** directly to balance_cleanup at any moment.
+  */
+  nOld = nNew = 0;
+  sqlite3PagerRef(pParent->pDbPage);
+
+  /*
+  ** Find sibling pages to pPage and the cells in pParent that divide
+  ** the siblings.  An attempt is made to find NN siblings on either
+  ** side of pPage.  More siblings are taken from one side, however, if
+  ** pPage there are fewer than NN siblings on the other side.  If pParent
+  ** has NB or fewer children then all children of pParent are taken.
+  */
+  nxDiv = idx - NN;
+  if( nxDiv + NB > pParent->nCell ){
+    nxDiv = pParent->nCell - NB + 1;
+  }
+  if( nxDiv<0 ){
+    nxDiv = 0;
+  }
+  nDiv = 0;
+  for(i=0, k=nxDiv; i<NB; i++, k++){
+    if( k<pParent->nCell ){
+      apDiv[i] = findCell(pParent, k);
+      nDiv++;
+      assert( !pParent->leaf );
+      pgnoOld[i] = get4byte(apDiv[i]);
+    }else if( k==pParent->nCell ){
+      pgnoOld[i] = get4byte(&pParent->aData[pParent->hdrOffset+8]);
+    }else{
+      break;
+    }
+    rc = getAndInitPage(pBt, pgnoOld[i], &apOld[i], pParent);
+    if( rc ) goto balance_cleanup;
+    apOld[i]->idxParent = k;
+    apCopy[i] = 0;
+    assert( i==nOld );
+    nOld++;
+    nMaxCells += 1+apOld[i]->nCell+apOld[i]->nOverflow;
+  }
+
+  /* Make nMaxCells a multiple of 2 in order to preserve 8-byte
+  ** alignment */
+  nMaxCells = (nMaxCells + 1)&~1;
+
+  /*
+  ** Allocate space for memory structures
+  */
+  apCell = sqliteMallocRaw( 
+       nMaxCells*sizeof(u8*)                           /* apCell */
+     + nMaxCells*sizeof(int)                           /* szCell */
+     + ROUND8(sizeof(MemPage))*NB                      /* aCopy */
+     + pBt->pageSize*(5+NB)                            /* aSpace */
+     + (ISAUTOVACUUM ? nMaxCells : 0)                  /* aFrom */
+  );
+  if( apCell==0 ){
+    rc = SQLITE_NOMEM;
+    goto balance_cleanup;
+  }
+  szCell = (int*)&apCell[nMaxCells];
+  aCopy[0] = (u8*)&szCell[nMaxCells];
+  assert( ((aCopy[0] - (u8*)apCell) & 7)==0 ); /* 8-byte alignment required */
+  for(i=1; i<NB; i++){
+    aCopy[i] = &aCopy[i-1][pBt->pageSize+ROUND8(sizeof(MemPage))];
+    assert( ((aCopy[i] - (u8*)apCell) & 7)==0 ); /* 8-byte alignment required */
+  }
+  aSpace = &aCopy[NB-1][pBt->pageSize+ROUND8(sizeof(MemPage))];
+  assert( ((aSpace - (u8*)apCell) & 7)==0 ); /* 8-byte alignment required */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  if( pBt->autoVacuum ){
+    aFrom = &aSpace[5*pBt->pageSize];
+  }
+#endif
+  
+  /*
+  ** Make copies of the content of pPage and its siblings into aOld[].
+  ** The rest of this function will use data from the copies rather
+  ** that the original pages since the original pages will be in the
+  ** process of being overwritten.
+  */
+  for(i=0; i<nOld; i++){
+    MemPage *p = apCopy[i] = (MemPage*)&aCopy[i][pBt->pageSize];
+    p->aData = &((u8*)p)[-pBt->pageSize];
+    memcpy(p->aData, apOld[i]->aData, pBt->pageSize + sizeof(MemPage));
+    /* The memcpy() above changes the value of p->aData so we have to
+    ** set it again. */
+    p->aData = &((u8*)p)[-pBt->pageSize];
+  }
+
+  /*
+  ** Load pointers to all cells on sibling pages and the divider cells
+  ** into the local apCell[] array.  Make copies of the divider cells
+  ** into space obtained form aSpace[] and remove the the divider Cells
+  ** from pParent.
+  **
+  ** If the siblings are on leaf pages, then the child pointers of the
+  ** divider cells are stripped from the cells before they are copied
+  ** into aSpace[].  In this way, all cells in apCell[] are without
+  ** child pointers.  If siblings are not leaves, then all cell in
+  ** apCell[] include child pointers.  Either way, all cells in apCell[]
+  ** are alike.
+  **
+  ** leafCorrection:  4 if pPage is a leaf.  0 if pPage is not a leaf.
+  **       leafData:  1 if pPage holds key+data and pParent holds only keys.
+  */
+  nCell = 0;
+  leafCorrection = pPage->leaf*4;
+  leafData = pPage->leafData && pPage->leaf;
+  for(i=0; i<nOld; i++){
+    MemPage *pOld = apCopy[i];
+    int limit = pOld->nCell+pOld->nOverflow;
+    for(j=0; j<limit; j++){
+      assert( nCell<nMaxCells );
+      apCell[nCell] = findOverflowCell(pOld, j);
+      szCell[nCell] = cellSizePtr(pOld, apCell[nCell]);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      if( pBt->autoVacuum ){
+        int a;
+        aFrom[nCell] = i;
+        for(a=0; a<pOld->nOverflow; a++){
+          if( pOld->aOvfl[a].pCell==apCell[nCell] ){
+            aFrom[nCell] = 0xFF;
+            break;
+          }
+        }
+      }
+#endif
+      nCell++;
+    }
+    if( i<nOld-1 ){
+      int sz = cellSizePtr(pParent, apDiv[i]);
+      if( leafData ){
+        /* With the LEAFDATA flag, pParent cells hold only INTKEYs that
+        ** are duplicates of keys on the child pages.  We need to remove
+        ** the divider cells from pParent, but the dividers cells are not
+        ** added to apCell[] because they are duplicates of child cells.
+        */
+        dropCell(pParent, nxDiv, sz);
+      }else{
+        u8 *pTemp;
+        assert( nCell<nMaxCells );
+        szCell[nCell] = sz;
+        pTemp = &aSpace[iSpace];
+        iSpace += sz;
+        assert( iSpace<=pBt->pageSize*5 );
+        memcpy(pTemp, apDiv[i], sz);
+        apCell[nCell] = pTemp+leafCorrection;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+        if( pBt->autoVacuum ){
+          aFrom[nCell] = 0xFF;
+        }
+#endif
+        dropCell(pParent, nxDiv, sz);
+        szCell[nCell] -= leafCorrection;
+        assert( get4byte(pTemp)==pgnoOld[i] );
+        if( !pOld->leaf ){
+          assert( leafCorrection==0 );
+          /* The right pointer of the child page pOld becomes the left
+          ** pointer of the divider cell */
+          memcpy(apCell[nCell], &pOld->aData[pOld->hdrOffset+8], 4);
+        }else{
+          assert( leafCorrection==4 );
+        }
+        nCell++;
+      }
+    }
+  }
+
+  /*
+  ** Figure out the number of pages needed to hold all nCell cells.
+  ** Store this number in "k".  Also compute szNew[] which is the total
+  ** size of all cells on the i-th page and cntNew[] which is the index
+  ** in apCell[] of the cell that divides page i from page i+1.  
+  ** cntNew[k] should equal nCell.
+  **
+  ** Values computed by this block:
+  **
+  **           k: The total number of sibling pages
+  **    szNew[i]: Spaced used on the i-th sibling page.
+  **   cntNew[i]: Index in apCell[] and szCell[] for the first cell to
+  **              the right of the i-th sibling page.
+  ** usableSpace: Number of bytes of space available on each sibling.
+  ** 
+  */
+  usableSpace = pBt->usableSize - 12 + leafCorrection;
+  for(subtotal=k=i=0; i<nCell; i++){
+    assert( i<nMaxCells );
+    subtotal += szCell[i] + 2;
+    if( subtotal > usableSpace ){
+      szNew[k] = subtotal - szCell[i];
+      cntNew[k] = i;
+      if( leafData ){ i--; }
+      subtotal = 0;
+      k++;
+    }
+  }
+  szNew[k] = subtotal;
+  cntNew[k] = nCell;
+  k++;
+
+  /*
+  ** The packing computed by the previous block is biased toward the siblings
+  ** on the left side.  The left siblings are always nearly full, while the
+  ** right-most sibling might be nearly empty.  This block of code attempts
+  ** to adjust the packing of siblings to get a better balance.
+  **
+  ** This adjustment is more than an optimization.  The packing above might
+  ** be so out of balance as to be illegal.  For example, the right-most
+  ** sibling might be completely empty.  This adjustment is not optional.
+  */
+  for(i=k-1; i>0; i--){
+    int szRight = szNew[i];  /* Size of sibling on the right */
+    int szLeft = szNew[i-1]; /* Size of sibling on the left */
+    int r;              /* Index of right-most cell in left sibling */
+    int d;              /* Index of first cell to the left of right sibling */
+
+    r = cntNew[i-1] - 1;
+    d = r + 1 - leafData;
+    assert( d<nMaxCells );
+    assert( r<nMaxCells );
+    while( szRight==0 || szRight+szCell[d]+2<=szLeft-(szCell[r]+2) ){
+      szRight += szCell[d] + 2;
+      szLeft -= szCell[r] + 2;
+      cntNew[i-1]--;
+      r = cntNew[i-1] - 1;
+      d = r + 1 - leafData;
+    }
+    szNew[i] = szRight;
+    szNew[i-1] = szLeft;
+  }
+
+  /* Either we found one or more cells (cntnew[0])>0) or we are the
+  ** a virtual root page.  A virtual root page is when the real root
+  ** page is page 1 and we are the only child of that page.
+  */
+  assert( cntNew[0]>0 || (pParent->pgno==1 && pParent->nCell==0) );
+
+  /*
+  ** Allocate k new pages.  Reuse old pages where possible.
+  */
+  assert( pPage->pgno>1 );
+  pageFlags = pPage->aData[0];
+  for(i=0; i<k; i++){
+    MemPage *pNew;
+    if( i<nOld ){
+      pNew = apNew[i] = apOld[i];
+      pgnoNew[i] = pgnoOld[i];
+      apOld[i] = 0;
+      rc = sqlite3PagerWrite(pNew->pDbPage);
+      nNew++;
+      if( rc ) goto balance_cleanup;
+    }else{
+      assert( i>0 );
+      rc = allocateBtreePage(pBt, &pNew, &pgnoNew[i], pgnoNew[i-1], 0);
+      if( rc ) goto balance_cleanup;
+      apNew[i] = pNew;
+      nNew++;
+    }
+    zeroPage(pNew, pageFlags);
+  }
+
+  /* Free any old pages that were not reused as new pages.
+  */
+  while( i<nOld ){
+    rc = freePage(apOld[i]);
+    if( rc ) goto balance_cleanup;
+    releasePage(apOld[i]);
+    apOld[i] = 0;
+    i++;
+  }
+
+  /*
+  ** Put the new pages in accending order.  This helps to
+  ** keep entries in the disk file in order so that a scan
+  ** of the table is a linear scan through the file.  That
+  ** in turn helps the operating system to deliver pages
+  ** from the disk more rapidly.
+  **
+  ** An O(n^2) insertion sort algorithm is used, but since
+  ** n is never more than NB (a small constant), that should
+  ** not be a problem.
+  **
+  ** When NB==3, this one optimization makes the database
+  ** about 25% faster for large insertions and deletions.
+  */
+  for(i=0; i<k-1; i++){
+    int minV = pgnoNew[i];
+    int minI = i;
+    for(j=i+1; j<k; j++){
+      if( pgnoNew[j]<(unsigned)minV ){
+        minI = j;
+        minV = pgnoNew[j];
+      }
+    }
+    if( minI>i ){
+      int t;
+      MemPage *pT;
+      t = pgnoNew[i];
+      pT = apNew[i];
+      pgnoNew[i] = pgnoNew[minI];
+      apNew[i] = apNew[minI];
+      pgnoNew[minI] = t;
+      apNew[minI] = pT;
+    }
+  }
+  TRACE(("BALANCE: old: %d %d %d  new: %d(%d) %d(%d) %d(%d) %d(%d) %d(%d)\n",
+    pgnoOld[0], 
+    nOld>=2 ? pgnoOld[1] : 0,
+    nOld>=3 ? pgnoOld[2] : 0,
+    pgnoNew[0], szNew[0],
+    nNew>=2 ? pgnoNew[1] : 0, nNew>=2 ? szNew[1] : 0,
+    nNew>=3 ? pgnoNew[2] : 0, nNew>=3 ? szNew[2] : 0,
+    nNew>=4 ? pgnoNew[3] : 0, nNew>=4 ? szNew[3] : 0,
+    nNew>=5 ? pgnoNew[4] : 0, nNew>=5 ? szNew[4] : 0));
+
+  /*
+  ** Evenly distribute the data in apCell[] across the new pages.
+  ** Insert divider cells into pParent as necessary.
+  */
+  j = 0;
+  for(i=0; i<nNew; i++){
+    /* Assemble the new sibling page. */
+    MemPage *pNew = apNew[i];
+    assert( j<nMaxCells );
+    assert( pNew->pgno==pgnoNew[i] );
+    assemblePage(pNew, cntNew[i]-j, &apCell[j], &szCell[j]);
+    assert( pNew->nCell>0 || (nNew==1 && cntNew[0]==0) );
+    assert( pNew->nOverflow==0 );
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    /* If this is an auto-vacuum database, update the pointer map entries
+    ** that point to the siblings that were rearranged. These can be: left
+    ** children of cells, the right-child of the page, or overflow pages
+    ** pointed to by cells.
+    */
+    if( pBt->autoVacuum ){
+      for(k=j; k<cntNew[i]; k++){
+        assert( k<nMaxCells );
+        if( aFrom[k]==0xFF || apCopy[aFrom[k]]->pgno!=pNew->pgno ){
+          rc = ptrmapPutOvfl(pNew, k-j);
+          if( rc!=SQLITE_OK ){
+            goto balance_cleanup;
+          }
+        }
+      }
+    }
+#endif
+
+    j = cntNew[i];
+
+    /* If the sibling page assembled above was not the right-most sibling,
+    ** insert a divider cell into the parent page.
+    */
+    if( i<nNew-1 && j<nCell ){
+      u8 *pCell;
+      u8 *pTemp;
+      int sz;
+
+      assert( j<nMaxCells );
+      pCell = apCell[j];
+      sz = szCell[j] + leafCorrection;
+      if( !pNew->leaf ){
+        memcpy(&pNew->aData[8], pCell, 4);
+        pTemp = 0;
+      }else if( leafData ){
+	/* If the tree is a leaf-data tree, and the siblings are leaves, 
+        ** then there is no divider cell in apCell[]. Instead, the divider 
+        ** cell consists of the integer key for the right-most cell of 
+        ** the sibling-page assembled above only.
+        */
+        CellInfo info;
+        j--;
+        parseCellPtr(pNew, apCell[j], &info);
+        pCell = &aSpace[iSpace];
+        fillInCell(pParent, pCell, 0, info.nKey, 0, 0, &sz);
+        iSpace += sz;
+        assert( iSpace<=pBt->pageSize*5 );
+        pTemp = 0;
+      }else{
+        pCell -= 4;
+        pTemp = &aSpace[iSpace];
+        iSpace += sz;
+        assert( iSpace<=pBt->pageSize*5 );
+      }
+      rc = insertCell(pParent, nxDiv, pCell, sz, pTemp, 4);
+      if( rc!=SQLITE_OK ) goto balance_cleanup;
+      put4byte(findOverflowCell(pParent,nxDiv), pNew->pgno);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      /* If this is an auto-vacuum database, and not a leaf-data tree,
+      ** then update the pointer map with an entry for the overflow page
+      ** that the cell just inserted points to (if any).
+      */
+      if( pBt->autoVacuum && !leafData ){
+        rc = ptrmapPutOvfl(pParent, nxDiv);
+        if( rc!=SQLITE_OK ){
+          goto balance_cleanup;
+        }
+      }
+#endif
+      j++;
+      nxDiv++;
+    }
+  }
+  assert( j==nCell );
+  assert( nOld>0 );
+  assert( nNew>0 );
+  if( (pageFlags & PTF_LEAF)==0 ){
+    memcpy(&apNew[nNew-1]->aData[8], &apCopy[nOld-1]->aData[8], 4);
+  }
+  if( nxDiv==pParent->nCell+pParent->nOverflow ){
+    /* Right-most sibling is the right-most child of pParent */
+    put4byte(&pParent->aData[pParent->hdrOffset+8], pgnoNew[nNew-1]);
+  }else{
+    /* Right-most sibling is the left child of the first entry in pParent
+    ** past the right-most divider entry */
+    put4byte(findOverflowCell(pParent, nxDiv), pgnoNew[nNew-1]);
+  }
+
+  /*
+  ** Reparent children of all cells.
+  */
+  for(i=0; i<nNew; i++){
+    rc = reparentChildPages(apNew[i]);
+    if( rc!=SQLITE_OK ) goto balance_cleanup;
+  }
+  rc = reparentChildPages(pParent);
+  if( rc!=SQLITE_OK ) goto balance_cleanup;
+
+  /*
+  ** Balance the parent page.  Note that the current page (pPage) might
+  ** have been added to the freelist so it might no longer be initialized.
+  ** But the parent page will always be initialized.
+  */
+  assert( pParent->isInit );
+  rc = balance(pParent, 0);
+  
+  /*
+  ** Cleanup before returning.
+  */
+balance_cleanup:
+  sqliteFree(apCell);
+  for(i=0; i<nOld; i++){
+    releasePage(apOld[i]);
+  }
+  for(i=0; i<nNew; i++){
+    releasePage(apNew[i]);
+  }
+  releasePage(pParent);
+  TRACE(("BALANCE: finished with %d: old=%d new=%d cells=%d\n",
+          pPage->pgno, nOld, nNew, nCell));
+  return rc;
+}
+
+/*
+** This routine is called for the root page of a btree when the root
+** page contains no cells.  This is an opportunity to make the tree
+** shallower by one level.
+*/
+static int balance_shallower(MemPage *pPage){
+  MemPage *pChild;             /* The only child page of pPage */
+  Pgno pgnoChild;              /* Page number for pChild */
+  int rc = SQLITE_OK;          /* Return code from subprocedures */
+  BtShared *pBt;                  /* The main BTree structure */
+  int mxCellPerPage;           /* Maximum number of cells per page */
+  u8 **apCell;                 /* All cells from pages being balanced */
+  int *szCell;                 /* Local size of all cells */
+
+  assert( pPage->pParent==0 );
+  assert( pPage->nCell==0 );
+  pBt = pPage->pBt;
+  mxCellPerPage = MX_CELL(pBt);
+  apCell = sqliteMallocRaw( mxCellPerPage*(sizeof(u8*)+sizeof(int)) );
+  if( apCell==0 ) return SQLITE_NOMEM;
+  szCell = (int*)&apCell[mxCellPerPage];
+  if( pPage->leaf ){
+    /* The table is completely empty */
+    TRACE(("BALANCE: empty table %d\n", pPage->pgno));
+  }else{
+    /* The root page is empty but has one child.  Transfer the
+    ** information from that one child into the root page if it 
+    ** will fit.  This reduces the depth of the tree by one.
+    **
+    ** If the root page is page 1, it has less space available than
+    ** its child (due to the 100 byte header that occurs at the beginning
+    ** of the database fle), so it might not be able to hold all of the 
+    ** information currently contained in the child.  If this is the 
+    ** case, then do not do the transfer.  Leave page 1 empty except
+    ** for the right-pointer to the child page.  The child page becomes
+    ** the virtual root of the tree.
+    */
+    pgnoChild = get4byte(&pPage->aData[pPage->hdrOffset+8]);
+    assert( pgnoChild>0 );
+    assert( pgnoChild<=sqlite3PagerPagecount(pPage->pBt->pPager) );
+    rc = getPage(pPage->pBt, pgnoChild, &pChild, 0);
+    if( rc ) goto end_shallow_balance;
+    if( pPage->pgno==1 ){
+      rc = initPage(pChild, pPage);
+      if( rc ) goto end_shallow_balance;
+      assert( pChild->nOverflow==0 );
+      if( pChild->nFree>=100 ){
+        /* The child information will fit on the root page, so do the
+        ** copy */
+        int i;
+        zeroPage(pPage, pChild->aData[0]);
+        for(i=0; i<pChild->nCell; i++){
+          apCell[i] = findCell(pChild,i);
+          szCell[i] = cellSizePtr(pChild, apCell[i]);
+        }
+        assemblePage(pPage, pChild->nCell, apCell, szCell);
+        /* Copy the right-pointer of the child to the parent. */
+        put4byte(&pPage->aData[pPage->hdrOffset+8], 
+            get4byte(&pChild->aData[pChild->hdrOffset+8]));
+        freePage(pChild);
+        TRACE(("BALANCE: child %d transfer to page 1\n", pChild->pgno));
+      }else{
+        /* The child has more information that will fit on the root.
+        ** The tree is already balanced.  Do nothing. */
+        TRACE(("BALANCE: child %d will not fit on page 1\n", pChild->pgno));
+      }
+    }else{
+      memcpy(pPage->aData, pChild->aData, pPage->pBt->usableSize);
+      pPage->isInit = 0;
+      pPage->pParent = 0;
+      rc = initPage(pPage, 0);
+      assert( rc==SQLITE_OK );
+      freePage(pChild);
+      TRACE(("BALANCE: transfer child %d into root %d\n",
+              pChild->pgno, pPage->pgno));
+    }
+    rc = reparentChildPages(pPage);
+    assert( pPage->nOverflow==0 );
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pBt->autoVacuum ){
+      int i;
+      for(i=0; i<pPage->nCell; i++){ 
+        rc = ptrmapPutOvfl(pPage, i);
+        if( rc!=SQLITE_OK ){
+          goto end_shallow_balance;
+        }
+      }
+    }
+#endif
+    if( rc!=SQLITE_OK ) goto end_shallow_balance;
+    releasePage(pChild);
+  }
+end_shallow_balance:
+  sqliteFree(apCell);
+  return rc;
+}
+
+
+/*
+** The root page is overfull
+**
+** When this happens, Create a new child page and copy the
+** contents of the root into the child.  Then make the root
+** page an empty page with rightChild pointing to the new
+** child.   Finally, call balance_internal() on the new child
+** to cause it to split.
+*/
+static int balance_deeper(MemPage *pPage){
+  int rc;             /* Return value from subprocedures */
+  MemPage *pChild;    /* Pointer to a new child page */
+  Pgno pgnoChild;     /* Page number of the new child page */
+  BtShared *pBt;         /* The BTree */
+  int usableSize;     /* Total usable size of a page */
+  u8 *data;           /* Content of the parent page */
+  u8 *cdata;          /* Content of the child page */
+  int hdr;            /* Offset to page header in parent */
+  int brk;            /* Offset to content of first cell in parent */
+
+  assert( pPage->pParent==0 );
+  assert( pPage->nOverflow>0 );
+  pBt = pPage->pBt;
+  rc = allocateBtreePage(pBt, &pChild, &pgnoChild, pPage->pgno, 0);
+  if( rc ) return rc;
+  assert( sqlite3PagerIswriteable(pChild->pDbPage) );
+  usableSize = pBt->usableSize;
+  data = pPage->aData;
+  hdr = pPage->hdrOffset;
+  brk = get2byte(&data[hdr+5]);
+  cdata = pChild->aData;
+  memcpy(cdata, &data[hdr], pPage->cellOffset+2*pPage->nCell-hdr);
+  memcpy(&cdata[brk], &data[brk], usableSize-brk);
+  assert( pChild->isInit==0 );
+  rc = initPage(pChild, pPage);
+  if( rc ) goto balancedeeper_out;
+  memcpy(pChild->aOvfl, pPage->aOvfl, pPage->nOverflow*sizeof(pPage->aOvfl[0]));
+  pChild->nOverflow = pPage->nOverflow;
+  if( pChild->nOverflow ){
+    pChild->nFree = 0;
+  }
+  assert( pChild->nCell==pPage->nCell );
+  zeroPage(pPage, pChild->aData[0] & ~PTF_LEAF);
+  put4byte(&pPage->aData[pPage->hdrOffset+8], pgnoChild);
+  TRACE(("BALANCE: copy root %d into %d\n", pPage->pgno, pChild->pgno));
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  if( pBt->autoVacuum ){
+    int i;
+    rc = ptrmapPut(pBt, pChild->pgno, PTRMAP_BTREE, pPage->pgno);
+    if( rc ) goto balancedeeper_out;
+    for(i=0; i<pChild->nCell; i++){
+      rc = ptrmapPutOvfl(pChild, i);
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+    }
+  }
+#endif
+  rc = balance_nonroot(pChild);
+
+balancedeeper_out:
+  releasePage(pChild);
+  return rc;
+}
+
+/*
+** Decide if the page pPage needs to be balanced.  If balancing is
+** required, call the appropriate balancing routine.
+*/
+static int balance(MemPage *pPage, int insert){
+  int rc = SQLITE_OK;
+  if( pPage->pParent==0 ){
+    if( pPage->nOverflow>0 ){
+      rc = balance_deeper(pPage);
+    }
+    if( rc==SQLITE_OK && pPage->nCell==0 ){
+      rc = balance_shallower(pPage);
+    }
+  }else{
+    if( pPage->nOverflow>0 || 
+        (!insert && pPage->nFree>pPage->pBt->usableSize*2/3) ){
+      rc = balance_nonroot(pPage);
+    }
+  }
+  return rc;
+}
+
+/*
+** This routine checks all cursors that point to table pgnoRoot.
+** If any of those cursors were opened with wrFlag==0 in a different
+** database connection (a database connection that shares the pager
+** cache with the current connection) and that other connection 
+** is not in the ReadUncommmitted state, then this routine returns 
+** SQLITE_LOCKED.
+**
+** In addition to checking for read-locks (where a read-lock 
+** means a cursor opened with wrFlag==0) this routine also moves
+** all cursors write cursors so that they are pointing to the 
+** first Cell on the root page.  This is necessary because an insert 
+** or delete might change the number of cells on a page or delete
+** a page entirely and we do not want to leave any cursors 
+** pointing to non-existant pages or cells.
+*/
+static int checkReadLocks(Btree *pBtree, Pgno pgnoRoot, BtCursor *pExclude){
+  BtCursor *p;
+  BtShared *pBt = pBtree->pBt;
+  sqlite3 *db = pBtree->pSqlite;
+  for(p=pBt->pCursor; p; p=p->pNext){
+    if( p==pExclude ) continue;
+    if( p->eState!=CURSOR_VALID ) continue;
+    if( p->pgnoRoot!=pgnoRoot ) continue;
+    if( p->wrFlag==0 ){
+      sqlite3 *dbOther = p->pBtree->pSqlite;
+      if( dbOther==0 ||
+         (dbOther!=db && (dbOther->flags & SQLITE_ReadUncommitted)==0) ){
+        return SQLITE_LOCKED;
+      }
+    }else if( p->pPage->pgno!=p->pgnoRoot ){
+      moveToRoot(p);
+    }
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Insert a new record into the BTree.  The key is given by (pKey,nKey)
+** and the data is given by (pData,nData).  The cursor is used only to
+** define what table the record should be inserted into.  The cursor
+** is left pointing at a random location.
+**
+** For an INTKEY table, only the nKey value of the key is used.  pKey is
+** ignored.  For a ZERODATA table, the pData and nData are both ignored.
+*/
+int sqlite3BtreeInsert(
+  BtCursor *pCur,                /* Insert data into the table of this cursor */
+  const void *pKey, i64 nKey,    /* The key of the new record */
+  const void *pData, int nData,  /* The data of the new record */
+  int appendBias                 /* True if this is likely an append */
+){
+  int rc;
+  int loc;
+  int szNew;
+  MemPage *pPage;
+  BtShared *pBt = pCur->pBtree->pBt;
+  unsigned char *oldCell;
+  unsigned char *newCell = 0;
+
+  if( pBt->inTransaction!=TRANS_WRITE ){
+    /* Must start a transaction before doing an insert */
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  assert( !pBt->readOnly );
+  if( !pCur->wrFlag ){
+    return SQLITE_PERM;   /* Cursor not open for writing */
+  }
+  if( checkReadLocks(pCur->pBtree, pCur->pgnoRoot, pCur) ){
+    return SQLITE_LOCKED; /* The table pCur points to has a read lock */
+  }
+
+  /* Save the positions of any other cursors open on this table */
+  clearCursorPosition(pCur);
+  if( 
+    SQLITE_OK!=(rc = saveAllCursors(pBt, pCur->pgnoRoot, pCur)) ||
+    SQLITE_OK!=(rc = sqlite3BtreeMoveto(pCur, pKey, nKey, appendBias, &loc))
+  ){
+    return rc;
+  }
+
+  pPage = pCur->pPage;
+  assert( pPage->intKey || nKey>=0 );
+  assert( pPage->leaf || !pPage->leafData );
+  TRACE(("INSERT: table=%d nkey=%lld ndata=%d page=%d %s\n",
+          pCur->pgnoRoot, nKey, nData, pPage->pgno,
+          loc==0 ? "overwrite" : "new entry"));
+  assert( pPage->isInit );
+  rc = sqlite3PagerWrite(pPage->pDbPage);
+  if( rc ) return rc;
+  newCell = sqliteMallocRaw( MX_CELL_SIZE(pBt) );
+  if( newCell==0 ) return SQLITE_NOMEM;
+  rc = fillInCell(pPage, newCell, pKey, nKey, pData, nData, &szNew);
+  if( rc ) goto end_insert;
+  assert( szNew==cellSizePtr(pPage, newCell) );
+  assert( szNew<=MX_CELL_SIZE(pBt) );
+  if( loc==0 && CURSOR_VALID==pCur->eState ){
+    int szOld;
+    assert( pCur->idx>=0 && pCur->idx<pPage->nCell );
+    oldCell = findCell(pPage, pCur->idx);
+    if( !pPage->leaf ){
+      memcpy(newCell, oldCell, 4);
+    }
+    szOld = cellSizePtr(pPage, oldCell);
+    rc = clearCell(pPage, oldCell);
+    if( rc ) goto end_insert;
+    dropCell(pPage, pCur->idx, szOld);
+  }else if( loc<0 && pPage->nCell>0 ){
+    assert( pPage->leaf );
+    pCur->idx++;
+    pCur->info.nSize = 0;
+  }else{
+    assert( pPage->leaf );
+  }
+  rc = insertCell(pPage, pCur->idx, newCell, szNew, 0, 0);
+  if( rc!=SQLITE_OK ) goto end_insert;
+  rc = balance(pPage, 1);
+  /* sqlite3BtreePageDump(pCur->pBt, pCur->pgnoRoot, 1); */
+  /* fflush(stdout); */
+  if( rc==SQLITE_OK ){
+    moveToRoot(pCur);
+  }
+end_insert:
+  sqliteFree(newCell);
+  return rc;
+}
+
+/*
+** Delete the entry that the cursor is pointing to.  The cursor
+** is left pointing at a random location.
+*/
+int sqlite3BtreeDelete(BtCursor *pCur){
+  MemPage *pPage = pCur->pPage;
+  unsigned char *pCell;
+  int rc;
+  Pgno pgnoChild = 0;
+  BtShared *pBt = pCur->pBtree->pBt;
+
+  assert( pPage->isInit );
+  if( pBt->inTransaction!=TRANS_WRITE ){
+    /* Must start a transaction before doing a delete */
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  assert( !pBt->readOnly );
+  if( pCur->idx >= pPage->nCell ){
+    return SQLITE_ERROR;  /* The cursor is not pointing to anything */
+  }
+  if( !pCur->wrFlag ){
+    return SQLITE_PERM;   /* Did not open this cursor for writing */
+  }
+  if( checkReadLocks(pCur->pBtree, pCur->pgnoRoot, pCur) ){
+    return SQLITE_LOCKED; /* The table pCur points to has a read lock */
+  }
+
+  /* Restore the current cursor position (a no-op if the cursor is not in 
+  ** CURSOR_REQUIRESEEK state) and save the positions of any other cursors 
+  ** open on the same table. Then call sqlite3PagerWrite() on the page
+  ** that the entry will be deleted from.
+  */
+  if( 
+    (rc = restoreOrClearCursorPosition(pCur))!=0 ||
+    (rc = saveAllCursors(pBt, pCur->pgnoRoot, pCur))!=0 ||
+    (rc = sqlite3PagerWrite(pPage->pDbPage))!=0
+  ){
+    return rc;
+  }
+
+  /* Locate the cell within it's page and leave pCell pointing to the
+  ** data. The clearCell() call frees any overflow pages associated with the
+  ** cell. The cell itself is still intact.
+  */
+  pCell = findCell(pPage, pCur->idx);
+  if( !pPage->leaf ){
+    pgnoChild = get4byte(pCell);
+  }
+  rc = clearCell(pPage, pCell);
+  if( rc ) return rc;
+
+  if( !pPage->leaf ){
+    /*
+    ** The entry we are about to delete is not a leaf so if we do not
+    ** do something we will leave a hole on an internal page.
+    ** We have to fill the hole by moving in a cell from a leaf.  The
+    ** next Cell after the one to be deleted is guaranteed to exist and
+    ** to be a leaf so we can use it.
+    */
+    BtCursor leafCur;
+    unsigned char *pNext;
+    int szNext;  /* The compiler warning is wrong: szNext is always 
+                 ** initialized before use.  Adding an extra initialization
+                 ** to silence the compiler slows down the code. */
+    int notUsed;
+    unsigned char *tempCell = 0;
+    assert( !pPage->leafData );
+    getTempCursor(pCur, &leafCur);
+    rc = sqlite3BtreeNext(&leafCur, &notUsed);
+    if( rc==SQLITE_OK ){
+      rc = sqlite3PagerWrite(leafCur.pPage->pDbPage);
+    }
+    if( rc==SQLITE_OK ){
+      TRACE(("DELETE: table=%d delete internal from %d replace from leaf %d\n",
+         pCur->pgnoRoot, pPage->pgno, leafCur.pPage->pgno));
+      dropCell(pPage, pCur->idx, cellSizePtr(pPage, pCell));
+      pNext = findCell(leafCur.pPage, leafCur.idx);
+      szNext = cellSizePtr(leafCur.pPage, pNext);
+      assert( MX_CELL_SIZE(pBt)>=szNext+4 );
+      tempCell = sqliteMallocRaw( MX_CELL_SIZE(pBt) );
+      if( tempCell==0 ){
+        rc = SQLITE_NOMEM;
+      }
+    }
+    if( rc==SQLITE_OK ){
+      rc = insertCell(pPage, pCur->idx, pNext-4, szNext+4, tempCell, 0);
+    }
+    if( rc==SQLITE_OK ){
+      put4byte(findOverflowCell(pPage, pCur->idx), pgnoChild);
+      rc = balance(pPage, 0);
+    }
+    if( rc==SQLITE_OK ){
+      dropCell(leafCur.pPage, leafCur.idx, szNext);
+      rc = balance(leafCur.pPage, 0);
+    }
+    sqliteFree(tempCell);
+    releaseTempCursor(&leafCur);
+  }else{
+    TRACE(("DELETE: table=%d delete from leaf %d\n",
+       pCur->pgnoRoot, pPage->pgno));
+    dropCell(pPage, pCur->idx, cellSizePtr(pPage, pCell));
+    rc = balance(pPage, 0);
+  }
+  if( rc==SQLITE_OK ){
+    moveToRoot(pCur);
+  }
+  return rc;
+}
+
+/*
+** Create a new BTree table.  Write into *piTable the page
+** number for the root page of the new table.
+**
+** The type of type is determined by the flags parameter.  Only the
+** following values of flags are currently in use.  Other values for
+** flags might not work:
+**
+**     BTREE_INTKEY|BTREE_LEAFDATA     Used for SQL tables with rowid keys
+**     BTREE_ZERODATA                  Used for SQL indices
+*/
+int sqlite3BtreeCreateTable(Btree *p, int *piTable, int flags){
+  BtShared *pBt = p->pBt;
+  MemPage *pRoot;
+  Pgno pgnoRoot;
+  int rc;
+  if( pBt->inTransaction!=TRANS_WRITE ){
+    /* Must start a transaction first */
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  assert( !pBt->readOnly );
+
+  /* It is illegal to create a table if any cursors are open on the
+  ** database. This is because in auto-vacuum mode the backend may
+  ** need to move a database page to make room for the new root-page.
+  ** If an open cursor was using the page a problem would occur.
+  */
+  if( pBt->pCursor ){
+    return SQLITE_LOCKED;
+  }
+
+#ifdef SQLITE_OMIT_AUTOVACUUM
+  rc = allocateBtreePage(pBt, &pRoot, &pgnoRoot, 1, 0);
+  if( rc ) return rc;
+#else
+  if( pBt->autoVacuum ){
+    Pgno pgnoMove;      /* Move a page here to make room for the root-page */
+    MemPage *pPageMove; /* The page to move to. */
+
+    /* Read the value of meta[3] from the database to determine where the
+    ** root page of the new table should go. meta[3] is the largest root-page
+    ** created so far, so the new root-page is (meta[3]+1).
+    */
+    rc = sqlite3BtreeGetMeta(p, 4, &pgnoRoot);
+    if( rc!=SQLITE_OK ) return rc;
+    pgnoRoot++;
+
+    /* The new root-page may not be allocated on a pointer-map page, or the
+    ** PENDING_BYTE page.
+    */
+    if( pgnoRoot==PTRMAP_PAGENO(pBt, pgnoRoot) ||
+        pgnoRoot==PENDING_BYTE_PAGE(pBt) ){
+      pgnoRoot++;
+    }
+    assert( pgnoRoot>=3 );
+
+    /* Allocate a page. The page that currently resides at pgnoRoot will
+    ** be moved to the allocated page (unless the allocated page happens
+    ** to reside at pgnoRoot).
+    */
+    rc = allocateBtreePage(pBt, &pPageMove, &pgnoMove, pgnoRoot, 1);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+
+    if( pgnoMove!=pgnoRoot ){
+      /* pgnoRoot is the page that will be used for the root-page of
+      ** the new table (assuming an error did not occur). But we were
+      ** allocated pgnoMove. If required (i.e. if it was not allocated
+      ** by extending the file), the current page at position pgnoMove
+      ** is already journaled.
+      */
+      u8 eType;
+      Pgno iPtrPage;
+
+      releasePage(pPageMove);
+
+      /* Move the page currently at pgnoRoot to pgnoMove. */
+      rc = getPage(pBt, pgnoRoot, &pRoot, 0);
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+      rc = ptrmapGet(pBt, pgnoRoot, &eType, &iPtrPage);
+      if( rc!=SQLITE_OK || eType==PTRMAP_ROOTPAGE || eType==PTRMAP_FREEPAGE ){
+        releasePage(pRoot);
+        return rc;
+      }
+      assert( eType!=PTRMAP_ROOTPAGE );
+      assert( eType!=PTRMAP_FREEPAGE );
+      rc = sqlite3PagerWrite(pRoot->pDbPage);
+      if( rc!=SQLITE_OK ){
+        releasePage(pRoot);
+        return rc;
+      }
+      rc = relocatePage(pBt, pRoot, eType, iPtrPage, pgnoMove);
+      releasePage(pRoot);
+
+      /* Obtain the page at pgnoRoot */
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+      rc = getPage(pBt, pgnoRoot, &pRoot, 0);
+      if( rc!=SQLITE_OK ){
+        return rc;
+      }
+      rc = sqlite3PagerWrite(pRoot->pDbPage);
+      if( rc!=SQLITE_OK ){
+        releasePage(pRoot);
+        return rc;
+      }
+    }else{
+      pRoot = pPageMove;
+    } 
+
+    /* Update the pointer-map and meta-data with the new root-page number. */
+    rc = ptrmapPut(pBt, pgnoRoot, PTRMAP_ROOTPAGE, 0);
+    if( rc ){
+      releasePage(pRoot);
+      return rc;
+    }
+    rc = sqlite3BtreeUpdateMeta(p, 4, pgnoRoot);
+    if( rc ){
+      releasePage(pRoot);
+      return rc;
+    }
+
+  }else{
+    rc = allocateBtreePage(pBt, &pRoot, &pgnoRoot, 1, 0);
+    if( rc ) return rc;
+  }
+#endif
+  assert( sqlite3PagerIswriteable(pRoot->pDbPage) );
+  zeroPage(pRoot, flags | PTF_LEAF);
+  sqlite3PagerUnref(pRoot->pDbPage);
+  *piTable = (int)pgnoRoot;
+  return SQLITE_OK;
+}
+
+/*
+** Erase the given database page and all its children.  Return
+** the page to the freelist.
+*/
+static int clearDatabasePage(
+  BtShared *pBt,           /* The BTree that contains the table */
+  Pgno pgno,            /* Page number to clear */
+  MemPage *pParent,     /* Parent page.  NULL for the root */
+  int freePageFlag      /* Deallocate page if true */
+){
+  MemPage *pPage = 0;
+  int rc;
+  unsigned char *pCell;
+  int i;
+
+  if( pgno>sqlite3PagerPagecount(pBt->pPager) ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+
+  rc = getAndInitPage(pBt, pgno, &pPage, pParent);
+  if( rc ) goto cleardatabasepage_out;
+  for(i=0; i<pPage->nCell; i++){
+    pCell = findCell(pPage, i);
+    if( !pPage->leaf ){
+      rc = clearDatabasePage(pBt, get4byte(pCell), pPage->pParent, 1);
+      if( rc ) goto cleardatabasepage_out;
+    }
+    rc = clearCell(pPage, pCell);
+    if( rc ) goto cleardatabasepage_out;
+  }
+  if( !pPage->leaf ){
+    rc = clearDatabasePage(pBt, get4byte(&pPage->aData[8]), pPage->pParent, 1);
+    if( rc ) goto cleardatabasepage_out;
+  }
+  if( freePageFlag ){
+    rc = freePage(pPage);
+  }else if( (rc = sqlite3PagerWrite(pPage->pDbPage))==0 ){
+    zeroPage(pPage, pPage->aData[0] | PTF_LEAF);
+  }
+
+cleardatabasepage_out:
+  releasePage(pPage);
+  return rc;
+}
+
+/*
+** Delete all information from a single table in the database.  iTable is
+** the page number of the root of the table.  After this routine returns,
+** the root page is empty, but still exists.
+**
+** This routine will fail with SQLITE_LOCKED if there are any open
+** read cursors on the table.  Open write cursors are moved to the
+** root of the table.
+*/
+int sqlite3BtreeClearTable(Btree *p, int iTable){
+  int rc;
+  BtShared *pBt = p->pBt;
+  if( p->inTrans!=TRANS_WRITE ){
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  rc = checkReadLocks(p, iTable, 0);
+  if( rc ){
+    return rc;
+  }
+
+  /* Save the position of all cursors open on this table */
+  if( SQLITE_OK!=(rc = saveAllCursors(pBt, iTable, 0)) ){
+    return rc;
+  }
+
+  return clearDatabasePage(pBt, (Pgno)iTable, 0, 0);
+}
+
+/*
+** Erase all information in a table and add the root of the table to
+** the freelist.  Except, the root of the principle table (the one on
+** page 1) is never added to the freelist.
+**
+** This routine will fail with SQLITE_LOCKED if there are any open
+** cursors on the table.
+**
+** If AUTOVACUUM is enabled and the page at iTable is not the last
+** root page in the database file, then the last root page 
+** in the database file is moved into the slot formerly occupied by
+** iTable and that last slot formerly occupied by the last root page
+** is added to the freelist instead of iTable.  In this say, all
+** root pages are kept at the beginning of the database file, which
+** is necessary for AUTOVACUUM to work right.  *piMoved is set to the 
+** page number that used to be the last root page in the file before
+** the move.  If no page gets moved, *piMoved is set to 0.
+** The last root page is recorded in meta[3] and the value of
+** meta[3] is updated by this procedure.
+*/
+int sqlite3BtreeDropTable(Btree *p, int iTable, int *piMoved){
+  int rc;
+  MemPage *pPage = 0;
+  BtShared *pBt = p->pBt;
+
+  if( p->inTrans!=TRANS_WRITE ){
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+
+  /* It is illegal to drop a table if any cursors are open on the
+  ** database. This is because in auto-vacuum mode the backend may
+  ** need to move another root-page to fill a gap left by the deleted
+  ** root page. If an open cursor was using this page a problem would 
+  ** occur.
+  */
+  if( pBt->pCursor ){
+    return SQLITE_LOCKED;
+  }
+
+  rc = getPage(pBt, (Pgno)iTable, &pPage, 0);
+  if( rc ) return rc;
+  rc = sqlite3BtreeClearTable(p, iTable);
+  if( rc ){
+    releasePage(pPage);
+    return rc;
+  }
+
+  *piMoved = 0;
+
+  if( iTable>1 ){
+#ifdef SQLITE_OMIT_AUTOVACUUM
+    rc = freePage(pPage);
+    releasePage(pPage);
+#else
+    if( pBt->autoVacuum ){
+      Pgno maxRootPgno;
+      rc = sqlite3BtreeGetMeta(p, 4, &maxRootPgno);
+      if( rc!=SQLITE_OK ){
+        releasePage(pPage);
+        return rc;
+      }
+
+      if( iTable==maxRootPgno ){
+        /* If the table being dropped is the table with the largest root-page
+        ** number in the database, put the root page on the free list. 
+        */
+        rc = freePage(pPage);
+        releasePage(pPage);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+      }else{
+        /* The table being dropped does not have the largest root-page
+        ** number in the database. So move the page that does into the 
+        ** gap left by the deleted root-page.
+        */
+        MemPage *pMove;
+        releasePage(pPage);
+        rc = getPage(pBt, maxRootPgno, &pMove, 0);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+        rc = relocatePage(pBt, pMove, PTRMAP_ROOTPAGE, 0, iTable);
+        releasePage(pMove);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+        rc = getPage(pBt, maxRootPgno, &pMove, 0);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+        rc = freePage(pMove);
+        releasePage(pMove);
+        if( rc!=SQLITE_OK ){
+          return rc;
+        }
+        *piMoved = maxRootPgno;
+      }
+
+      /* Set the new 'max-root-page' value in the database header. This
+      ** is the old value less one, less one more if that happens to
+      ** be a root-page number, less one again if that is the
+      ** PENDING_BYTE_PAGE.
+      */
+      maxRootPgno--;
+      if( maxRootPgno==PENDING_BYTE_PAGE(pBt) ){
+        maxRootPgno--;
+      }
+      if( maxRootPgno==PTRMAP_PAGENO(pBt, maxRootPgno) ){
+        maxRootPgno--;
+      }
+      assert( maxRootPgno!=PENDING_BYTE_PAGE(pBt) );
+
+      rc = sqlite3BtreeUpdateMeta(p, 4, maxRootPgno);
+    }else{
+      rc = freePage(pPage);
+      releasePage(pPage);
+    }
+#endif
+  }else{
+    /* If sqlite3BtreeDropTable was called on page 1. */
+    zeroPage(pPage, PTF_INTKEY|PTF_LEAF );
+    releasePage(pPage);
+  }
+  return rc;  
+}
+
+
+/*
+** Read the meta-information out of a database file.  Meta[0]
+** is the number of free pages currently in the database.  Meta[1]
+** through meta[15] are available for use by higher layers.  Meta[0]
+** is read-only, the others are read/write.
+** 
+** The schema layer numbers meta values differently.  At the schema
+** layer (and the SetCookie and ReadCookie opcodes) the number of
+** free pages is not visible.  So Cookie[0] is the same as Meta[1].
+*/
+int sqlite3BtreeGetMeta(Btree *p, int idx, u32 *pMeta){
+  DbPage *pDbPage;
+  int rc;
+  unsigned char *pP1;
+  BtShared *pBt = p->pBt;
+
+  /* Reading a meta-data value requires a read-lock on page 1 (and hence
+  ** the sqlite_master table. We grab this lock regardless of whether or
+  ** not the SQLITE_ReadUncommitted flag is set (the table rooted at page
+  ** 1 is treated as a special case by queryTableLock() and lockTable()).
+  */
+  rc = queryTableLock(p, 1, READ_LOCK);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  assert( idx>=0 && idx<=15 );
+  rc = sqlite3PagerGet(pBt->pPager, 1, &pDbPage);
+  if( rc ) return rc;
+  pP1 = (unsigned char *)sqlite3PagerGetData(pDbPage);
+  *pMeta = get4byte(&pP1[36 + idx*4]);
+  sqlite3PagerUnref(pDbPage);
+
+  /* If autovacuumed is disabled in this build but we are trying to 
+  ** access an autovacuumed database, then make the database readonly. 
+  */
+#ifdef SQLITE_OMIT_AUTOVACUUM
+  if( idx==4 && *pMeta>0 ) pBt->readOnly = 1;
+#endif
+
+  /* Grab the read-lock on page 1. */
+  rc = lockTable(p, 1, READ_LOCK);
+  return rc;
+}
+
+/*
+** Write meta-information back into the database.  Meta[0] is
+** read-only and may not be written.
+*/
+int sqlite3BtreeUpdateMeta(Btree *p, int idx, u32 iMeta){
+  BtShared *pBt = p->pBt;
+  unsigned char *pP1;
+  int rc;
+  assert( idx>=1 && idx<=15 );
+  if( p->inTrans!=TRANS_WRITE ){
+    return pBt->readOnly ? SQLITE_READONLY : SQLITE_ERROR;
+  }
+  assert( pBt->pPage1!=0 );
+  pP1 = pBt->pPage1->aData;
+  rc = sqlite3PagerWrite(pBt->pPage1->pDbPage);
+  if( rc ) return rc;
+  put4byte(&pP1[36 + idx*4], iMeta);
+  return SQLITE_OK;
+}
+
+/*
+** Return the flag byte at the beginning of the page that the cursor
+** is currently pointing to.
+*/
+int sqlite3BtreeFlags(BtCursor *pCur){
+  /* TODO: What about CURSOR_REQUIRESEEK state? Probably need to call
+  ** restoreOrClearCursorPosition() here.
+  */
+  MemPage *pPage = pCur->pPage;
+  return pPage ? pPage->aData[pPage->hdrOffset] : 0;
+}
+
+#ifdef SQLITE_DEBUG
+/*
+** Print a disassembly of the given page on standard output.  This routine
+** is used for debugging and testing only.
+*/
+static int btreePageDump(BtShared *pBt, int pgno, int recursive, MemPage *pParent){
+  int rc;
+  MemPage *pPage;
+  int i, j, c;
+  int nFree;
+  u16 idx;
+  int hdr;
+  int nCell;
+  int isInit;
+  unsigned char *data;
+  char range[20];
+  unsigned char payload[20];
+
+  rc = getPage(pBt, (Pgno)pgno, &pPage, 0);
+  isInit = pPage->isInit;
+  if( pPage->isInit==0 ){
+    initPage(pPage, pParent);
+  }
+  if( rc ){
+    return rc;
+  }
+  hdr = pPage->hdrOffset;
+  data = pPage->aData;
+  c = data[hdr];
+  pPage->intKey = (c & (PTF_INTKEY|PTF_LEAFDATA))!=0;
+  pPage->zeroData = (c & PTF_ZERODATA)!=0;
+  pPage->leafData = (c & PTF_LEAFDATA)!=0;
+  pPage->leaf = (c & PTF_LEAF)!=0;
+  pPage->hasData = !(pPage->zeroData || (!pPage->leaf && pPage->leafData));
+  nCell = get2byte(&data[hdr+3]);
+  sqlite3DebugPrintf("PAGE %d:  flags=0x%02x  frag=%d   parent=%d\n", pgno,
+    data[hdr], data[hdr+7], 
+    (pPage->isInit && pPage->pParent) ? pPage->pParent->pgno : 0);
+  assert( hdr == (pgno==1 ? 100 : 0) );
+  idx = hdr + 12 - pPage->leaf*4;
+  for(i=0; i<nCell; i++){
+    CellInfo info;
+    Pgno child;
+    unsigned char *pCell;
+    int sz;
+    int addr;
+
+    addr = get2byte(&data[idx + 2*i]);
+    pCell = &data[addr];
+    parseCellPtr(pPage, pCell, &info);
+    sz = info.nSize;
+    sprintf(range,"%d..%d", addr, addr+sz-1);
+    if( pPage->leaf ){
+      child = 0;
+    }else{
+      child = get4byte(pCell);
+    }
+    sz = info.nData;
+    if( !pPage->intKey ) sz += info.nKey;
+    if( sz>sizeof(payload)-1 ) sz = sizeof(payload)-1;
+    memcpy(payload, &pCell[info.nHeader], sz);
+    for(j=0; j<sz; j++){
+      if( payload[j]<0x20 || payload[j]>0x7f ) payload[j] = '.';
+    }
+    payload[sz] = 0;
+    sqlite3DebugPrintf(
+      "cell %2d: i=%-10s chld=%-4d nk=%-4lld nd=%-4d payload=%s\n",
+      i, range, child, info.nKey, info.nData, payload
+    );
+  }
+  if( !pPage->leaf ){
+    sqlite3DebugPrintf("right_child: %d\n", get4byte(&data[hdr+8]));
+  }
+  nFree = 0;
+  i = 0;
+  idx = get2byte(&data[hdr+1]);
+  while( idx>0 && idx<pPage->pBt->usableSize ){
+    int sz = get2byte(&data[idx+2]);
+    sprintf(range,"%d..%d", idx, idx+sz-1);
+    nFree += sz;
+    sqlite3DebugPrintf("freeblock %2d: i=%-10s size=%-4d total=%d\n",
+       i, range, sz, nFree);
+    idx = get2byte(&data[idx]);
+    i++;
+  }
+  if( idx!=0 ){
+    sqlite3DebugPrintf("ERROR: next freeblock index out of range: %d\n", idx);
+  }
+  if( recursive && !pPage->leaf ){
+    for(i=0; i<nCell; i++){
+      unsigned char *pCell = findCell(pPage, i);
+      btreePageDump(pBt, get4byte(pCell), 1, pPage);
+      idx = get2byte(pCell);
+    }
+    btreePageDump(pBt, get4byte(&data[hdr+8]), 1, pPage);
+  }
+  pPage->isInit = isInit;
+  sqlite3PagerUnref(pPage->pDbPage);
+  fflush(stdout);
+  return SQLITE_OK;
+}
+int sqlite3BtreePageDump(Btree *p, int pgno, int recursive){
+  return btreePageDump(p->pBt, pgno, recursive, 0);
+}
+#endif
+
+#if defined(SQLITE_TEST) || defined(SQLITE_DEBUG)
+/*
+** Fill aResult[] with information about the entry and page that the
+** cursor is pointing to.
+** 
+**   aResult[0] =  The page number
+**   aResult[1] =  The entry number
+**   aResult[2] =  Total number of entries on this page
+**   aResult[3] =  Cell size (local payload + header)
+**   aResult[4] =  Number of free bytes on this page
+**   aResult[5] =  Number of free blocks on the page
+**   aResult[6] =  Total payload size (local + overflow)
+**   aResult[7] =  Header size in bytes
+**   aResult[8] =  Local payload size
+**   aResult[9] =  Parent page number
+**   aResult[10]=  Page number of the first overflow page
+**
+** This routine is used for testing and debugging only.
+*/
+int sqlite3BtreeCursorInfo(BtCursor *pCur, int *aResult, int upCnt){
+  int cnt, idx;
+  MemPage *pPage = pCur->pPage;
+  BtCursor tmpCur;
+
+  int rc = restoreOrClearCursorPosition(pCur);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  assert( pPage->isInit );
+  getTempCursor(pCur, &tmpCur);
+  while( upCnt-- ){
+    moveToParent(&tmpCur);
+  }
+  pPage = tmpCur.pPage;
+  aResult[0] = sqlite3PagerPagenumber(pPage->pDbPage);
+  assert( aResult[0]==pPage->pgno );
+  aResult[1] = tmpCur.idx;
+  aResult[2] = pPage->nCell;
+  if( tmpCur.idx>=0 && tmpCur.idx<pPage->nCell ){
+    getCellInfo(&tmpCur);
+    aResult[3] = tmpCur.info.nSize;
+    aResult[6] = tmpCur.info.nData;
+    aResult[7] = tmpCur.info.nHeader;
+    aResult[8] = tmpCur.info.nLocal;
+  }else{
+    aResult[3] = 0;
+    aResult[6] = 0;
+    aResult[7] = 0;
+    aResult[8] = 0;
+  }
+  aResult[4] = pPage->nFree;
+  cnt = 0;
+  idx = get2byte(&pPage->aData[pPage->hdrOffset+1]);
+  while( idx>0 && idx<pPage->pBt->usableSize ){
+    cnt++;
+    idx = get2byte(&pPage->aData[idx]);
+  }
+  aResult[5] = cnt;
+  if( pPage->pParent==0 || isRootPage(pPage) ){
+    aResult[9] = 0;
+  }else{
+    aResult[9] = pPage->pParent->pgno;
+  }
+  if( tmpCur.info.iOverflow ){
+    aResult[10] = get4byte(&tmpCur.info.pCell[tmpCur.info.iOverflow]);
+  }else{
+    aResult[10] = 0;
+  }
+  releaseTempCursor(&tmpCur);
+  return SQLITE_OK;
+}
+#endif
+
+/*
+** Return the pager associated with a BTree.  This routine is used for
+** testing and debugging only.
+*/
+Pager *sqlite3BtreePager(Btree *p){
+  return p->pBt->pPager;
+}
+
+/*
+** This structure is passed around through all the sanity checking routines
+** in order to keep track of some global state information.
+*/
+typedef struct IntegrityCk IntegrityCk;
+struct IntegrityCk {
+  BtShared *pBt;    /* The tree being checked out */
+  Pager *pPager;    /* The associated pager.  Also accessible by pBt->pPager */
+  int nPage;        /* Number of pages in the database */
+  int *anRef;       /* Number of times each page is referenced */
+  int mxErr;        /* Stop accumulating errors when this reaches zero */
+  char *zErrMsg;    /* An error message.  NULL if no errors seen. */
+  int nErr;         /* Number of messages written to zErrMsg so far */
+};
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+/*
+** Append a message to the error message string.
+*/
+static void checkAppendMsg(
+  IntegrityCk *pCheck,
+  char *zMsg1,
+  const char *zFormat,
+  ...
+){
+  va_list ap;
+  char *zMsg2;
+  if( !pCheck->mxErr ) return;
+  pCheck->mxErr--;
+  pCheck->nErr++;
+  va_start(ap, zFormat);
+  zMsg2 = sqlite3VMPrintf(zFormat, ap);
+  va_end(ap);
+  if( zMsg1==0 ) zMsg1 = "";
+  if( pCheck->zErrMsg ){
+    char *zOld = pCheck->zErrMsg;
+    pCheck->zErrMsg = 0;
+    sqlite3SetString(&pCheck->zErrMsg, zOld, "\n", zMsg1, zMsg2, (char*)0);
+    sqliteFree(zOld);
+  }else{
+    sqlite3SetString(&pCheck->zErrMsg, zMsg1, zMsg2, (char*)0);
+  }
+  sqliteFree(zMsg2);
+}
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+/*
+** Add 1 to the reference count for page iPage.  If this is the second
+** reference to the page, add an error message to pCheck->zErrMsg.
+** Return 1 if there are 2 ore more references to the page and 0 if
+** if this is the first reference to the page.
+**
+** Also check that the page number is in bounds.
+*/
+static int checkRef(IntegrityCk *pCheck, int iPage, char *zContext){
+  if( iPage==0 ) return 1;
+  if( iPage>pCheck->nPage || iPage<0 ){
+    checkAppendMsg(pCheck, zContext, "invalid page number %d", iPage);
+    return 1;
+  }
+  if( pCheck->anRef[iPage]==1 ){
+    checkAppendMsg(pCheck, zContext, "2nd reference to page %d", iPage);
+    return 1;
+  }
+  return  (pCheck->anRef[iPage]++)>1;
+}
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+/*
+** Check that the entry in the pointer-map for page iChild maps to 
+** page iParent, pointer type ptrType. If not, append an error message
+** to pCheck.
+*/
+static void checkPtrmap(
+  IntegrityCk *pCheck,   /* Integrity check context */
+  Pgno iChild,           /* Child page number */
+  u8 eType,              /* Expected pointer map type */
+  Pgno iParent,          /* Expected pointer map parent page number */
+  char *zContext         /* Context description (used for error msg) */
+){
+  int rc;
+  u8 ePtrmapType;
+  Pgno iPtrmapParent;
+
+  rc = ptrmapGet(pCheck->pBt, iChild, &ePtrmapType, &iPtrmapParent);
+  if( rc!=SQLITE_OK ){
+    checkAppendMsg(pCheck, zContext, "Failed to read ptrmap key=%d", iChild);
+    return;
+  }
+
+  if( ePtrmapType!=eType || iPtrmapParent!=iParent ){
+    checkAppendMsg(pCheck, zContext, 
+      "Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)", 
+      iChild, eType, iParent, ePtrmapType, iPtrmapParent);
+  }
+}
+#endif
+
+/*
+** Check the integrity of the freelist or of an overflow page list.
+** Verify that the number of pages on the list is N.
+*/
+static void checkList(
+  IntegrityCk *pCheck,  /* Integrity checking context */
+  int isFreeList,       /* True for a freelist.  False for overflow page list */
+  int iPage,            /* Page number for first page in the list */
+  int N,                /* Expected number of pages in the list */
+  char *zContext        /* Context for error messages */
+){
+  int i;
+  int expected = N;
+  int iFirst = iPage;
+  while( N-- > 0 && pCheck->mxErr ){
+    DbPage *pOvflPage;
+    unsigned char *pOvflData;
+    if( iPage<1 ){
+      checkAppendMsg(pCheck, zContext,
+         "%d of %d pages missing from overflow list starting at %d",
+          N+1, expected, iFirst);
+      break;
+    }
+    if( checkRef(pCheck, iPage, zContext) ) break;
+    if( sqlite3PagerGet(pCheck->pPager, (Pgno)iPage, &pOvflPage) ){
+      checkAppendMsg(pCheck, zContext, "failed to get page %d", iPage);
+      break;
+    }
+    pOvflData = (unsigned char *)sqlite3PagerGetData(pOvflPage);
+    if( isFreeList ){
+      int n = get4byte(&pOvflData[4]);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      if( pCheck->pBt->autoVacuum ){
+        checkPtrmap(pCheck, iPage, PTRMAP_FREEPAGE, 0, zContext);
+      }
+#endif
+      if( n>pCheck->pBt->usableSize/4-8 ){
+        checkAppendMsg(pCheck, zContext,
+           "freelist leaf count too big on page %d", iPage);
+        N--;
+      }else{
+        for(i=0; i<n; i++){
+          Pgno iFreePage = get4byte(&pOvflData[8+i*4]);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+          if( pCheck->pBt->autoVacuum ){
+            checkPtrmap(pCheck, iFreePage, PTRMAP_FREEPAGE, 0, zContext);
+          }
+#endif
+          checkRef(pCheck, iFreePage, zContext);
+        }
+        N -= n;
+      }
+    }
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    else{
+      /* If this database supports auto-vacuum and iPage is not the last
+      ** page in this overflow list, check that the pointer-map entry for
+      ** the following page matches iPage.
+      */
+      if( pCheck->pBt->autoVacuum && N>0 ){
+        i = get4byte(pOvflData);
+        checkPtrmap(pCheck, i, PTRMAP_OVERFLOW2, iPage, zContext);
+      }
+    }
+#endif
+    iPage = get4byte(pOvflData);
+    sqlite3PagerUnref(pOvflPage);
+  }
+}
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+/*
+** Do various sanity checks on a single page of a tree.  Return
+** the tree depth.  Root pages return 0.  Parents of root pages
+** return 1, and so forth.
+** 
+** These checks are done:
+**
+**      1.  Make sure that cells and freeblocks do not overlap
+**          but combine to completely cover the page.
+**  NO  2.  Make sure cell keys are in order.
+**  NO  3.  Make sure no key is less than or equal to zLowerBound.
+**  NO  4.  Make sure no key is greater than or equal to zUpperBound.
+**      5.  Check the integrity of overflow pages.
+**      6.  Recursively call checkTreePage on all children.
+**      7.  Verify that the depth of all children is the same.
+**      8.  Make sure this page is at least 33% full or else it is
+**          the root of the tree.
+*/
+static int checkTreePage(
+  IntegrityCk *pCheck,  /* Context for the sanity check */
+  int iPage,            /* Page number of the page to check */
+  MemPage *pParent,     /* Parent page */
+  char *zParentContext  /* Parent context */
+){
+  MemPage *pPage;
+  int i, rc, depth, d2, pgno, cnt;
+  int hdr, cellStart;
+  int nCell;
+  u8 *data;
+  BtShared *pBt;
+  int usableSize;
+  char zContext[100];
+  char *hit;
+
+  sprintf(zContext, "Page %d: ", iPage);
+
+  /* Check that the page exists
+  */
+  pBt = pCheck->pBt;
+  usableSize = pBt->usableSize;
+  if( iPage==0 ) return 0;
+  if( checkRef(pCheck, iPage, zParentContext) ) return 0;
+  if( (rc = getPage(pBt, (Pgno)iPage, &pPage, 0))!=0 ){
+    checkAppendMsg(pCheck, zContext,
+       "unable to get the page. error code=%d", rc);
+    return 0;
+  }
+  if( (rc = initPage(pPage, pParent))!=0 ){
+    checkAppendMsg(pCheck, zContext, "initPage() returns error code %d", rc);
+    releasePage(pPage);
+    return 0;
+  }
+
+  /* Check out all the cells.
+  */
+  depth = 0;
+  for(i=0; i<pPage->nCell && pCheck->mxErr; i++){
+    u8 *pCell;
+    int sz;
+    CellInfo info;
+
+    /* Check payload overflow pages
+    */
+    sprintf(zContext, "On tree page %d cell %d: ", iPage, i);
+    pCell = findCell(pPage,i);
+    parseCellPtr(pPage, pCell, &info);
+    sz = info.nData;
+    if( !pPage->intKey ) sz += info.nKey;
+    assert( sz==info.nPayload );
+    if( sz>info.nLocal ){
+      int nPage = (sz - info.nLocal + usableSize - 5)/(usableSize - 4);
+      Pgno pgnoOvfl = get4byte(&pCell[info.iOverflow]);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      if( pBt->autoVacuum ){
+        checkPtrmap(pCheck, pgnoOvfl, PTRMAP_OVERFLOW1, iPage, zContext);
+      }
+#endif
+      checkList(pCheck, 0, pgnoOvfl, nPage, zContext);
+    }
+
+    /* Check sanity of left child page.
+    */
+    if( !pPage->leaf ){
+      pgno = get4byte(pCell);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+      if( pBt->autoVacuum ){
+        checkPtrmap(pCheck, pgno, PTRMAP_BTREE, iPage, zContext);
+      }
+#endif
+      d2 = checkTreePage(pCheck,pgno,pPage,zContext);
+      if( i>0 && d2!=depth ){
+        checkAppendMsg(pCheck, zContext, "Child page depth differs");
+      }
+      depth = d2;
+    }
+  }
+  if( !pPage->leaf ){
+    pgno = get4byte(&pPage->aData[pPage->hdrOffset+8]);
+    sprintf(zContext, "On page %d at right child: ", iPage);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pBt->autoVacuum ){
+      checkPtrmap(pCheck, pgno, PTRMAP_BTREE, iPage, 0);
+    }
+#endif
+    checkTreePage(pCheck, pgno, pPage, zContext);
+  }
+ 
+  /* Check for complete coverage of the page
+  */
+  data = pPage->aData;
+  hdr = pPage->hdrOffset;
+  hit = sqliteMalloc( usableSize );
+  if( hit ){
+    memset(hit, 1, get2byte(&data[hdr+5]));
+    nCell = get2byte(&data[hdr+3]);
+    cellStart = hdr + 12 - 4*pPage->leaf;
+    for(i=0; i<nCell; i++){
+      int pc = get2byte(&data[cellStart+i*2]);
+      int size = cellSizePtr(pPage, &data[pc]);
+      int j;
+      if( (pc+size-1)>=usableSize || pc<0 ){
+        checkAppendMsg(pCheck, 0, 
+            "Corruption detected in cell %d on page %d",i,iPage,0);
+      }else{
+        for(j=pc+size-1; j>=pc; j--) hit[j]++;
+      }
+    }
+    for(cnt=0, i=get2byte(&data[hdr+1]); i>0 && i<usableSize && cnt<10000; 
+           cnt++){
+      int size = get2byte(&data[i+2]);
+      int j;
+      if( (i+size-1)>=usableSize || i<0 ){
+        checkAppendMsg(pCheck, 0,  
+            "Corruption detected in cell %d on page %d",i,iPage,0);
+      }else{
+        for(j=i+size-1; j>=i; j--) hit[j]++;
+      }
+      i = get2byte(&data[i]);
+    }
+    for(i=cnt=0; i<usableSize; i++){
+      if( hit[i]==0 ){
+        cnt++;
+      }else if( hit[i]>1 ){
+        checkAppendMsg(pCheck, 0,
+          "Multiple uses for byte %d of page %d", i, iPage);
+        break;
+      }
+    }
+    if( cnt!=data[hdr+7] ){
+      checkAppendMsg(pCheck, 0, 
+          "Fragmented space is %d byte reported as %d on page %d",
+          cnt, data[hdr+7], iPage);
+    }
+  }
+  sqliteFree(hit);
+
+  releasePage(pPage);
+  return depth+1;
+}
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+/*
+** This routine does a complete check of the given BTree file.  aRoot[] is
+** an array of pages numbers were each page number is the root page of
+** a table.  nRoot is the number of entries in aRoot.
+**
+** If everything checks out, this routine returns NULL.  If something is
+** amiss, an error message is written into memory obtained from malloc()
+** and a pointer to that error message is returned.  The calling function
+** is responsible for freeing the error message when it is done.
+*/
+char *sqlite3BtreeIntegrityCheck(
+  Btree *p,     /* The btree to be checked */
+  int *aRoot,   /* An array of root pages numbers for individual trees */
+  int nRoot,    /* Number of entries in aRoot[] */
+  int mxErr,    /* Stop reporting errors after this many */
+  int *pnErr    /* Write number of errors seen to this variable */
+){
+  int i;
+  int nRef;
+  IntegrityCk sCheck;
+  BtShared *pBt = p->pBt;
+
+  nRef = sqlite3PagerRefcount(pBt->pPager);
+  if( lockBtreeWithRetry(p)!=SQLITE_OK ){
+    return sqliteStrDup("Unable to acquire a read lock on the database");
+  }
+  sCheck.pBt = pBt;
+  sCheck.pPager = pBt->pPager;
+  sCheck.nPage = sqlite3PagerPagecount(sCheck.pPager);
+  sCheck.mxErr = mxErr;
+  sCheck.nErr = 0;
+  *pnErr = 0;
+  if( sCheck.nPage==0 ){
+    unlockBtreeIfUnused(pBt);
+    return 0;
+  }
+  sCheck.anRef = sqliteMallocRaw( (sCheck.nPage+1)*sizeof(sCheck.anRef[0]) );
+  if( !sCheck.anRef ){
+    unlockBtreeIfUnused(pBt);
+    *pnErr = 1;
+    return sqlite3MPrintf("Unable to malloc %d bytes", 
+        (sCheck.nPage+1)*sizeof(sCheck.anRef[0]));
+  }
+  for(i=0; i<=sCheck.nPage; i++){ sCheck.anRef[i] = 0; }
+  i = PENDING_BYTE_PAGE(pBt);
+  if( i<=sCheck.nPage ){
+    sCheck.anRef[i] = 1;
+  }
+  sCheck.zErrMsg = 0;
+
+  /* Check the integrity of the freelist
+  */
+  checkList(&sCheck, 1, get4byte(&pBt->pPage1->aData[32]),
+            get4byte(&pBt->pPage1->aData[36]), "Main freelist: ");
+
+  /* Check all the tables.
+  */
+  for(i=0; i<nRoot && sCheck.mxErr; i++){
+    if( aRoot[i]==0 ) continue;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( pBt->autoVacuum && aRoot[i]>1 ){
+      checkPtrmap(&sCheck, aRoot[i], PTRMAP_ROOTPAGE, 0, 0);
+    }
+#endif
+    checkTreePage(&sCheck, aRoot[i], 0, "List of tree roots: ");
+  }
+
+  /* Make sure every page in the file is referenced
+  */
+  for(i=1; i<=sCheck.nPage && sCheck.mxErr; i++){
+#ifdef SQLITE_OMIT_AUTOVACUUM
+    if( sCheck.anRef[i]==0 ){
+      checkAppendMsg(&sCheck, 0, "Page %d is never used", i);
+    }
+#else
+    /* If the database supports auto-vacuum, make sure no tables contain
+    ** references to pointer-map pages.
+    */
+    if( sCheck.anRef[i]==0 && 
+       (PTRMAP_PAGENO(pBt, i)!=i || !pBt->autoVacuum) ){
+      checkAppendMsg(&sCheck, 0, "Page %d is never used", i);
+    }
+    if( sCheck.anRef[i]!=0 && 
+       (PTRMAP_PAGENO(pBt, i)==i && pBt->autoVacuum) ){
+      checkAppendMsg(&sCheck, 0, "Pointer map page %d is referenced", i);
+    }
+#endif
+  }
+
+  /* Make sure this analysis did not leave any unref() pages
+  */
+  unlockBtreeIfUnused(pBt);
+  if( nRef != sqlite3PagerRefcount(pBt->pPager) ){
+    checkAppendMsg(&sCheck, 0, 
+      "Outstanding page count goes from %d to %d during this analysis",
+      nRef, sqlite3PagerRefcount(pBt->pPager)
+    );
+  }
+
+  /* Clean  up and report errors.
+  */
+  sqliteFree(sCheck.anRef);
+  *pnErr = sCheck.nErr;
+  return sCheck.zErrMsg;
+}
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+/*
+** Return the full pathname of the underlying database file.
+*/
+const char *sqlite3BtreeGetFilename(Btree *p){
+  assert( p->pBt->pPager!=0 );
+  return sqlite3PagerFilename(p->pBt->pPager);
+}
+
+/*
+** Return the pathname of the directory that contains the database file.
+*/
+const char *sqlite3BtreeGetDirname(Btree *p){
+  assert( p->pBt->pPager!=0 );
+  return sqlite3PagerDirname(p->pBt->pPager);
+}
+
+/*
+** Return the pathname of the journal file for this database. The return
+** value of this routine is the same regardless of whether the journal file
+** has been created or not.
+*/
+const char *sqlite3BtreeGetJournalname(Btree *p){
+  assert( p->pBt->pPager!=0 );
+  return sqlite3PagerJournalname(p->pBt->pPager);
+}
+
+#ifndef SQLITE_OMIT_VACUUM
+/*
+** Copy the complete content of pBtFrom into pBtTo.  A transaction
+** must be active for both files.
+**
+** The size of file pBtFrom may be reduced by this operation.
+** If anything goes wrong, the transaction on pBtFrom is rolled back.
+*/
+int sqlite3BtreeCopyFile(Btree *pTo, Btree *pFrom){
+  int rc = SQLITE_OK;
+  Pgno i, nPage, nToPage, iSkip;
+
+  BtShared *pBtTo = pTo->pBt;
+  BtShared *pBtFrom = pFrom->pBt;
+
+  if( pTo->inTrans!=TRANS_WRITE || pFrom->inTrans!=TRANS_WRITE ){
+    return SQLITE_ERROR;
+  }
+  if( pBtTo->pCursor ) return SQLITE_BUSY;
+  nToPage = sqlite3PagerPagecount(pBtTo->pPager);
+  nPage = sqlite3PagerPagecount(pBtFrom->pPager);
+  iSkip = PENDING_BYTE_PAGE(pBtTo);
+  for(i=1; rc==SQLITE_OK && i<=nPage; i++){
+    DbPage *pDbPage;
+    if( i==iSkip ) continue;
+    rc = sqlite3PagerGet(pBtFrom->pPager, i, &pDbPage);
+    if( rc ) break;
+    rc = sqlite3PagerOverwrite(pBtTo->pPager, i, sqlite3PagerGetData(pDbPage));
+    sqlite3PagerUnref(pDbPage);
+  }
+
+  /* If the file is shrinking, journal the pages that are being truncated
+  ** so that they can be rolled back if the commit fails.
+  */
+  for(i=nPage+1; rc==SQLITE_OK && i<=nToPage; i++){
+    DbPage *pDbPage;
+    if( i==iSkip ) continue;
+    rc = sqlite3PagerGet(pBtTo->pPager, i, &pDbPage);
+    if( rc ) break;
+    rc = sqlite3PagerWrite(pDbPage);
+    sqlite3PagerDontWrite(pDbPage);
+    /* Yeah.  It seems wierd to call DontWrite() right after Write().  But
+    ** that is because the names of those procedures do not exactly 
+    ** represent what they do.  Write() really means "put this page in the
+    ** rollback journal and mark it as dirty so that it will be written
+    ** to the database file later."  DontWrite() undoes the second part of
+    ** that and prevents the page from being written to the database.  The
+    ** page is still on the rollback journal, though.  And that is the whole
+    ** point of this loop: to put pages on the rollback journal. */
+    sqlite3PagerUnref(pDbPage);
+  }
+  if( !rc && nPage<nToPage ){
+    rc = sqlite3PagerTruncate(pBtTo->pPager, nPage);
+  }
+
+  if( rc ){
+    sqlite3BtreeRollback(pTo);
+  }
+  return rc;  
+}
+#endif /* SQLITE_OMIT_VACUUM */
+
+/*
+** Return non-zero if a transaction is active.
+*/
+int sqlite3BtreeIsInTrans(Btree *p){
+  return (p && (p->inTrans==TRANS_WRITE));
+}
+
+/*
+** Return non-zero if a statement transaction is active.
+*/
+int sqlite3BtreeIsInStmt(Btree *p){
+  return (p->pBt && p->pBt->inStmt);
+}
+
+/*
+** Return non-zero if a read (or write) transaction is active.
+*/
+int sqlite3BtreeIsInReadTrans(Btree *p){
+  return (p && (p->inTrans!=TRANS_NONE));
+}
+
+/*
+** This function returns a pointer to a blob of memory associated with
+** a single shared-btree. The memory is used by client code for it's own
+** purposes (for example, to store a high-level schema associated with 
+** the shared-btree). The btree layer manages reference counting issues.
+**
+** The first time this is called on a shared-btree, nBytes bytes of memory
+** are allocated, zeroed, and returned to the caller. For each subsequent 
+** call the nBytes parameter is ignored and a pointer to the same blob
+** of memory returned. 
+**
+** Just before the shared-btree is closed, the function passed as the 
+** xFree argument when the memory allocation was made is invoked on the 
+** blob of allocated memory. This function should not call sqliteFree()
+** on the memory, the btree layer does that.
+*/
+void *sqlite3BtreeSchema(Btree *p, int nBytes, void(*xFree)(void *)){
+  BtShared *pBt = p->pBt;
+  if( !pBt->pSchema ){
+    pBt->pSchema = sqliteMalloc(nBytes);
+    pBt->xFreeSchema = xFree;
+  }
+  return pBt->pSchema;
+}
+
+/*
+** Return true if another user of the same shared btree as the argument
+** handle holds an exclusive lock on the sqlite_master table.
+*/
+int sqlite3BtreeSchemaLocked(Btree *p){
+  return (queryTableLock(p, MASTER_ROOT, READ_LOCK)!=SQLITE_OK);
+}
+
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+/*
+** Obtain a lock on the table whose root page is iTab.  The
+** lock is a write lock if isWritelock is true or a read lock
+** if it is false.
+*/
+int sqlite3BtreeLockTable(Btree *p, int iTab, u8 isWriteLock){
+  int rc = SQLITE_OK;
+  u8 lockType = (isWriteLock?WRITE_LOCK:READ_LOCK);
+  rc = queryTableLock(p, iTab, lockType);
+  if( rc==SQLITE_OK ){
+    rc = lockTable(p, iTab, lockType);
+  }
+  return rc;
+}
+#endif
+
+/*
+** The following debugging interface has to be in this file (rather
+** than in, for example, test1.c) so that it can get access to
+** the definition of BtShared.
+*/
+#if defined(SQLITE_DEBUG) && defined(TCLSH)
+int sqlite3_shared_cache_report(
+  void * clientData,
+  Tcl_Interp *interp,
+  int objc,
+  Tcl_Obj *CONST objv[]
+){
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  const ThreadData *pTd = sqlite3ThreadDataReadOnly();
+  if( pTd->useSharedData ){
+    BtShared *pBt;
+    Tcl_Obj *pRet = Tcl_NewObj();
+    for(pBt=pTd->pBtree; pBt; pBt=pBt->pNext){
+      const char *zFile = sqlite3PagerFilename(pBt->pPager);
+      Tcl_ListObjAppendElement(interp, pRet, Tcl_NewStringObj(zFile, -1));
+      Tcl_ListObjAppendElement(interp, pRet, Tcl_NewIntObj(pBt->nRef));
+    }
+    Tcl_SetObjResult(interp, pRet);
+  }
+#endif
+  return TCL_OK;
+}
+#endif
+
+/************** End of btree.c ***********************************************/
+/************** Begin file vdbefifo.c ****************************************/
+/*
+** 2005 June 16
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file implements a FIFO queue of rowids used for processing
+** UPDATE and DELETE statements.
+*/
+
+/*
+** Allocate a new FifoPage and return a pointer to it.  Return NULL if
+** we run out of memory.  Leave space on the page for nEntry entries.
+*/
+static FifoPage *allocateFifoPage(int nEntry){
+  FifoPage *pPage;
+  if( nEntry>32767 ){
+    nEntry = 32767;
+  }
+  pPage = sqliteMallocRaw( sizeof(FifoPage) + sizeof(i64)*(nEntry-1) );
+  if( pPage ){
+    pPage->nSlot = nEntry;
+    pPage->iWrite = 0;
+    pPage->iRead = 0;
+    pPage->pNext = 0;
+  }
+  return pPage;
+}
+
+/*
+** Initialize a Fifo structure.
+*/
+void sqlite3VdbeFifoInit(Fifo *pFifo){
+  memset(pFifo, 0, sizeof(*pFifo));
+}
+
+/*
+** Push a single 64-bit integer value into the Fifo.  Return SQLITE_OK
+** normally.   SQLITE_NOMEM is returned if we are unable to allocate
+** memory.
+*/
+int sqlite3VdbeFifoPush(Fifo *pFifo, i64 val){
+  FifoPage *pPage;
+  pPage = pFifo->pLast;
+  if( pPage==0 ){
+    pPage = pFifo->pLast = pFifo->pFirst = allocateFifoPage(20);
+    if( pPage==0 ){
+      return SQLITE_NOMEM;
+    }
+  }else if( pPage->iWrite>=pPage->nSlot ){
+    pPage->pNext = allocateFifoPage(pFifo->nEntry);
+    if( pPage->pNext==0 ){
+      return SQLITE_NOMEM;
+    }
+    pPage = pFifo->pLast = pPage->pNext;
+  }
+  pPage->aSlot[pPage->iWrite++] = val;
+  pFifo->nEntry++;
+  return SQLITE_OK;
+}
+
+/*
+** Extract a single 64-bit integer value from the Fifo.  The integer
+** extracted is the one least recently inserted.  If the Fifo is empty
+** return SQLITE_DONE.
+*/
+int sqlite3VdbeFifoPop(Fifo *pFifo, i64 *pVal){
+  FifoPage *pPage;
+  if( pFifo->nEntry==0 ){
+    return SQLITE_DONE;
+  }
+  assert( pFifo->nEntry>0 );
+  pPage = pFifo->pFirst;
+  assert( pPage!=0 );
+  assert( pPage->iWrite>pPage->iRead );
+  assert( pPage->iWrite<=pPage->nSlot );
+  assert( pPage->iRead<pPage->nSlot );
+  assert( pPage->iRead>=0 );
+  *pVal = pPage->aSlot[pPage->iRead++];
+  pFifo->nEntry--;
+  if( pPage->iRead>=pPage->iWrite ){
+    pFifo->pFirst = pPage->pNext;
+    sqliteFree(pPage);
+    if( pFifo->nEntry==0 ){
+      assert( pFifo->pLast==pPage );
+      pFifo->pLast = 0;
+    }else{
+      assert( pFifo->pFirst!=0 );
+    }
+  }else{
+    assert( pFifo->nEntry>0 );
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Delete all information from a Fifo object.   Free all memory held
+** by the Fifo.
+*/
+void sqlite3VdbeFifoClear(Fifo *pFifo){
+  FifoPage *pPage, *pNextPage;
+  for(pPage=pFifo->pFirst; pPage; pPage=pNextPage){
+    pNextPage = pPage->pNext;
+    sqliteFree(pPage);
+  }
+  sqlite3VdbeFifoInit(pFifo);
+}
+
+/************** End of vdbefifo.c ********************************************/
+/************** Begin file vdbemem.c *****************************************/
+/*
+** 2004 May 26
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+**
+** This file contains code use to manipulate "Mem" structure.  A "Mem"
+** stores a single value in the VDBE.  Mem is an opaque structure visible
+** only within the VDBE.  Interface routines refer to a Mem using the
+** name sqlite_value
+*/
+
+/*
+** If pMem is an object with a valid string representation, this routine
+** ensures the internal encoding for the string representation is
+** 'desiredEnc', one of SQLITE_UTF8, SQLITE_UTF16LE or SQLITE_UTF16BE.
+**
+** If pMem is not a string object, or the encoding of the string
+** representation is already stored using the requested encoding, then this
+** routine is a no-op.
+**
+** SQLITE_OK is returned if the conversion is successful (or not required).
+** SQLITE_NOMEM may be returned if a malloc() fails during conversion
+** between formats.
+*/
+int sqlite3VdbeChangeEncoding(Mem *pMem, int desiredEnc){
+  int rc;
+  if( !(pMem->flags&MEM_Str) || pMem->enc==desiredEnc ){
+    return SQLITE_OK;
+  }
+#ifdef SQLITE_OMIT_UTF16
+  return SQLITE_ERROR;
+#else
+
+
+  /* MemTranslate() may return SQLITE_OK or SQLITE_NOMEM. If NOMEM is returned,
+  ** then the encoding of the value may not have changed.
+  */
+  rc = sqlite3VdbeMemTranslate(pMem, desiredEnc);
+  assert(rc==SQLITE_OK    || rc==SQLITE_NOMEM);
+  assert(rc==SQLITE_OK    || pMem->enc!=desiredEnc);
+  assert(rc==SQLITE_NOMEM || pMem->enc==desiredEnc);
+  return rc;
+#endif
+}
+
+/*
+** Make the given Mem object MEM_Dyn.
+**
+** Return SQLITE_OK on success or SQLITE_NOMEM if malloc fails.
+*/
+int sqlite3VdbeMemDynamicify(Mem *pMem){
+  int n = pMem->n;
+  u8 *z;
+  if( (pMem->flags & (MEM_Ephem|MEM_Static|MEM_Short))==0 ){
+    return SQLITE_OK;
+  }
+  assert( (pMem->flags & MEM_Dyn)==0 );
+  assert( pMem->flags & (MEM_Str|MEM_Blob) );
+  z = sqliteMallocRaw( n+2 );
+  if( z==0 ){
+    return SQLITE_NOMEM;
+  }
+  pMem->flags |= MEM_Dyn|MEM_Term;
+  pMem->xDel = 0;
+  memcpy(z, pMem->z, n );
+  z[n] = 0;
+  z[n+1] = 0;
+  pMem->z = (char*)z;
+  pMem->flags &= ~(MEM_Ephem|MEM_Static|MEM_Short);
+  return SQLITE_OK;
+}
+
+/*
+** Make the given Mem object either MEM_Short or MEM_Dyn so that bytes
+** of the Mem.z[] array can be modified.
+**
+** Return SQLITE_OK on success or SQLITE_NOMEM if malloc fails.
+*/
+int sqlite3VdbeMemMakeWriteable(Mem *pMem){
+  int n;
+  u8 *z;
+  if( (pMem->flags & (MEM_Ephem|MEM_Static))==0 ){
+    return SQLITE_OK;
+  }
+  assert( (pMem->flags & MEM_Dyn)==0 );
+  assert( pMem->flags & (MEM_Str|MEM_Blob) );
+  if( (n = pMem->n)+2<sizeof(pMem->zShort) ){
+    z = (u8*)pMem->zShort;
+    pMem->flags |= MEM_Short|MEM_Term;
+  }else{
+    z = sqliteMallocRaw( n+2 );
+    if( z==0 ){
+      return SQLITE_NOMEM;
+    }
+    pMem->flags |= MEM_Dyn|MEM_Term;
+    pMem->xDel = 0;
+  }
+  memcpy(z, pMem->z, n );
+  z[n] = 0;
+  z[n+1] = 0;
+  pMem->z = (char*)z;
+  pMem->flags &= ~(MEM_Ephem|MEM_Static);
+  assert(0==(1&(int)pMem->z));
+  return SQLITE_OK;
+}
+
+/*
+** Make sure the given Mem is \u0000 terminated.
+*/
+int sqlite3VdbeMemNulTerminate(Mem *pMem){
+  if( (pMem->flags & MEM_Term)!=0 || (pMem->flags & MEM_Str)==0 ){
+    return SQLITE_OK;   /* Nothing to do */
+  }
+  if( pMem->flags & (MEM_Static|MEM_Ephem) ){
+    return sqlite3VdbeMemMakeWriteable(pMem);
+  }else{
+    char *z = sqliteMalloc(pMem->n+2);
+    if( !z ) return SQLITE_NOMEM;
+    memcpy(z, pMem->z, pMem->n);
+    z[pMem->n] = 0;
+    z[pMem->n+1] = 0;
+    if( pMem->xDel ){
+      pMem->xDel(pMem->z);
+    }else{
+      sqliteFree(pMem->z);
+    }
+    pMem->xDel = 0;
+    pMem->z = z;
+    pMem->flags |= MEM_Term;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Add MEM_Str to the set of representations for the given Mem.  Numbers
+** are converted using sqlite3_snprintf().  Converting a BLOB to a string
+** is a no-op.
+**
+** Existing representations MEM_Int and MEM_Real are *not* invalidated.
+**
+** A MEM_Null value will never be passed to this function. This function is
+** used for converting values to text for returning to the user (i.e. via
+** sqlite3_value_text()), or for ensuring that values to be used as btree
+** keys are strings. In the former case a NULL pointer is returned the
+** user and the later is an internal programming error.
+*/
+int sqlite3VdbeMemStringify(Mem *pMem, int enc){
+  int rc = SQLITE_OK;
+  int fg = pMem->flags;
+  char *z = pMem->zShort;
+
+  assert( !(fg&(MEM_Str|MEM_Blob)) );
+  assert( fg&(MEM_Int|MEM_Real) );
+
+  /* For a Real or Integer, use sqlite3_snprintf() to produce the UTF-8
+  ** string representation of the value. Then, if the required encoding
+  ** is UTF-16le or UTF-16be do a translation.
+  ** 
+  ** FIX ME: It would be better if sqlite3_snprintf() could do UTF-16.
+  */
+  if( fg & MEM_Int ){
+    sqlite3_snprintf(NBFS, z, "%lld", pMem->u.i);
+  }else{
+    assert( fg & MEM_Real );
+    sqlite3_snprintf(NBFS, z, "%!.15g", pMem->r);
+  }
+  pMem->n = strlen(z);
+  pMem->z = z;
+  pMem->enc = SQLITE_UTF8;
+  pMem->flags |= MEM_Str | MEM_Short | MEM_Term;
+  sqlite3VdbeChangeEncoding(pMem, enc);
+  return rc;
+}
+
+/*
+** Memory cell pMem contains the context of an aggregate function.
+** This routine calls the finalize method for that function.  The
+** result of the aggregate is stored back into pMem.
+**
+** Return SQLITE_ERROR if the finalizer reports an error.  SQLITE_OK
+** otherwise.
+*/
+int sqlite3VdbeMemFinalize(Mem *pMem, FuncDef *pFunc){
+  int rc = SQLITE_OK;
+  if( pFunc && pFunc->xFinalize ){
+    sqlite3_context ctx;
+    assert( (pMem->flags & MEM_Null)!=0 || pFunc==pMem->u.pDef );
+    ctx.s.flags = MEM_Null;
+    ctx.s.z = pMem->zShort;
+    ctx.pMem = pMem;
+    ctx.pFunc = pFunc;
+    ctx.isError = 0;
+    pFunc->xFinalize(&ctx);
+    if( pMem->z && pMem->z!=pMem->zShort ){
+      sqliteFree( pMem->z );
+    }
+    *pMem = ctx.s;
+    if( pMem->flags & MEM_Short ){
+      pMem->z = pMem->zShort;
+    }
+    if( ctx.isError ){
+      rc = SQLITE_ERROR;
+    }
+  }
+  return rc;
+}
+
+/*
+** Release any memory held by the Mem. This may leave the Mem in an
+** inconsistent state, for example with (Mem.z==0) and
+** (Mem.type==SQLITE_TEXT).
+*/
+void sqlite3VdbeMemRelease(Mem *p){
+  if( p->flags & (MEM_Dyn|MEM_Agg) ){
+    if( p->xDel ){
+      if( p->flags & MEM_Agg ){
+        sqlite3VdbeMemFinalize(p, p->u.pDef);
+        assert( (p->flags & MEM_Agg)==0 );
+        sqlite3VdbeMemRelease(p);
+      }else{
+        p->xDel((void *)p->z);
+      }
+    }else{
+      sqliteFree(p->z);
+    }
+    p->z = 0;
+    p->xDel = 0;
+  }
+}
+
+/*
+** Return some kind of integer value which is the best we can do
+** at representing the value that *pMem describes as an integer.
+** If pMem is an integer, then the value is exact.  If pMem is
+** a floating-point then the value returned is the integer part.
+** If pMem is a string or blob, then we make an attempt to convert
+** it into a integer and return that.  If pMem is NULL, return 0.
+**
+** If pMem is a string, its encoding might be changed.
+*/
+i64 sqlite3VdbeIntValue(Mem *pMem){
+  int flags = pMem->flags;
+  if( flags & MEM_Int ){
+    return pMem->u.i;
+  }else if( flags & MEM_Real ){
+    return (i64)pMem->r;
+  }else if( flags & (MEM_Str|MEM_Blob) ){
+    i64 value;
+    if( sqlite3VdbeChangeEncoding(pMem, SQLITE_UTF8)
+       || sqlite3VdbeMemNulTerminate(pMem) ){
+      return 0;
+    }
+    assert( pMem->z );
+    sqlite3atoi64(pMem->z, &value);
+    return value;
+  }else{
+    return 0;
+  }
+}
+
+/*
+** Return the best representation of pMem that we can get into a
+** double.  If pMem is already a double or an integer, return its
+** value.  If it is a string or blob, try to convert it to a double.
+** If it is a NULL, return 0.0.
+*/
+double sqlite3VdbeRealValue(Mem *pMem){
+  if( pMem->flags & MEM_Real ){
+    return pMem->r;
+  }else if( pMem->flags & MEM_Int ){
+    return (double)pMem->u.i;
+  }else if( pMem->flags & (MEM_Str|MEM_Blob) ){
+    double val = 0.0;
+    if( sqlite3VdbeChangeEncoding(pMem, SQLITE_UTF8)
+       || sqlite3VdbeMemNulTerminate(pMem) ){
+      return 0.0;
+    }
+    assert( pMem->z );
+    sqlite3AtoF(pMem->z, &val);
+    return val;
+  }else{
+    return 0.0;
+  }
+}
+
+/*
+** The MEM structure is already a MEM_Real.  Try to also make it a
+** MEM_Int if we can.
+*/
+void sqlite3VdbeIntegerAffinity(Mem *pMem){
+  assert( pMem->flags & MEM_Real );
+  pMem->u.i = pMem->r;
+  if( ((double)pMem->u.i)==pMem->r ){
+    pMem->flags |= MEM_Int;
+  }
+}
+
+/*
+** Convert pMem to type integer.  Invalidate any prior representations.
+*/
+int sqlite3VdbeMemIntegerify(Mem *pMem){
+  pMem->u.i = sqlite3VdbeIntValue(pMem);
+  sqlite3VdbeMemRelease(pMem);
+  pMem->flags = MEM_Int;
+  return SQLITE_OK;
+}
+
+/*
+** Convert pMem so that it is of type MEM_Real.
+** Invalidate any prior representations.
+*/
+int sqlite3VdbeMemRealify(Mem *pMem){
+  pMem->r = sqlite3VdbeRealValue(pMem);
+  sqlite3VdbeMemRelease(pMem);
+  pMem->flags = MEM_Real;
+  return SQLITE_OK;
+}
+
+/*
+** Convert pMem so that it has types MEM_Real or MEM_Int or both.
+** Invalidate any prior representations.
+*/
+int sqlite3VdbeMemNumerify(Mem *pMem){
+  sqlite3VdbeMemRealify(pMem);
+  sqlite3VdbeIntegerAffinity(pMem);
+  return SQLITE_OK;
+}
+
+/*
+** Delete any previous value and set the value stored in *pMem to NULL.
+*/
+void sqlite3VdbeMemSetNull(Mem *pMem){
+  sqlite3VdbeMemRelease(pMem);
+  pMem->flags = MEM_Null;
+  pMem->type = SQLITE_NULL;
+  pMem->n = 0;
+}
+
+/*
+** Delete any previous value and set the value stored in *pMem to val,
+** manifest type INTEGER.
+*/
+void sqlite3VdbeMemSetInt64(Mem *pMem, i64 val){
+  sqlite3VdbeMemRelease(pMem);
+  pMem->u.i = val;
+  pMem->flags = MEM_Int;
+  pMem->type = SQLITE_INTEGER;
+}
+
+/*
+** Delete any previous value and set the value stored in *pMem to val,
+** manifest type REAL.
+*/
+void sqlite3VdbeMemSetDouble(Mem *pMem, double val){
+  sqlite3VdbeMemRelease(pMem);
+  pMem->r = val;
+  pMem->flags = MEM_Real;
+  pMem->type = SQLITE_FLOAT;
+}
+
+/*
+** Make an shallow copy of pFrom into pTo.  Prior contents of
+** pTo are overwritten.  The pFrom->z field is not duplicated.  If
+** pFrom->z is used, then pTo->z points to the same thing as pFrom->z
+** and flags gets srcType (either MEM_Ephem or MEM_Static).
+*/
+void sqlite3VdbeMemShallowCopy(Mem *pTo, const Mem *pFrom, int srcType){
+  memcpy(pTo, pFrom, sizeof(*pFrom)-sizeof(pFrom->zShort));
+  pTo->xDel = 0;
+  if( pTo->flags & (MEM_Str|MEM_Blob) ){
+    pTo->flags &= ~(MEM_Dyn|MEM_Static|MEM_Short|MEM_Ephem);
+    assert( srcType==MEM_Ephem || srcType==MEM_Static );
+    pTo->flags |= srcType;
+  }
+}
+
+/*
+** Make a full copy of pFrom into pTo.  Prior contents of pTo are
+** freed before the copy is made.
+*/
+int sqlite3VdbeMemCopy(Mem *pTo, const Mem *pFrom){
+  int rc;
+  if( pTo->flags & MEM_Dyn ){
+    sqlite3VdbeMemRelease(pTo);
+  }
+  sqlite3VdbeMemShallowCopy(pTo, pFrom, MEM_Ephem);
+  if( pTo->flags & MEM_Ephem ){
+    rc = sqlite3VdbeMemMakeWriteable(pTo);
+  }else{
+    rc = SQLITE_OK;
+  }
+  return rc;
+}
+
+/*
+** Transfer the contents of pFrom to pTo. Any existing value in pTo is
+** freed. If pFrom contains ephemeral data, a copy is made.
+**
+** pFrom contains an SQL NULL when this routine returns.  SQLITE_NOMEM
+** might be returned if pFrom held ephemeral data and we were unable
+** to allocate enough space to make a copy.
+*/
+int sqlite3VdbeMemMove(Mem *pTo, Mem *pFrom){
+  int rc;
+  if( pTo->flags & MEM_Dyn ){
+    sqlite3VdbeMemRelease(pTo);
+  }
+  memcpy(pTo, pFrom, sizeof(Mem));
+  if( pFrom->flags & MEM_Short ){
+    pTo->z = pTo->zShort;
+  }
+  pFrom->flags = MEM_Null;
+  pFrom->xDel = 0;
+  if( pTo->flags & MEM_Ephem ){
+    rc = sqlite3VdbeMemMakeWriteable(pTo);
+  }else{
+    rc = SQLITE_OK;
+  }
+  return rc;
+}
+
+/*
+** Change the value of a Mem to be a string or a BLOB.
+*/
+int sqlite3VdbeMemSetStr(
+  Mem *pMem,          /* Memory cell to set to string value */
+  const char *z,      /* String pointer */
+  int n,              /* Bytes in string, or negative */
+  u8 enc,             /* Encoding of z.  0 for BLOBs */
+  void (*xDel)(void*) /* Destructor function */
+){
+  sqlite3VdbeMemRelease(pMem);
+  if( !z ){
+    pMem->flags = MEM_Null;
+    pMem->type = SQLITE_NULL;
+    return SQLITE_OK;
+  }
+
+  pMem->z = (char *)z;
+  if( xDel==SQLITE_STATIC ){
+    pMem->flags = MEM_Static;
+  }else if( xDel==SQLITE_TRANSIENT ){
+    pMem->flags = MEM_Ephem;
+  }else{
+    pMem->flags = MEM_Dyn;
+    pMem->xDel = xDel;
+  }
+
+  pMem->enc = enc;
+  pMem->type = enc==0 ? SQLITE_BLOB : SQLITE_TEXT;
+  pMem->n = n;
+
+  assert( enc==0 || enc==SQLITE_UTF8 || enc==SQLITE_UTF16LE 
+      || enc==SQLITE_UTF16BE );
+  switch( enc ){
+    case 0:
+      pMem->flags |= MEM_Blob;
+      pMem->enc = SQLITE_UTF8;
+      break;
+
+    case SQLITE_UTF8:
+      pMem->flags |= MEM_Str;
+      if( n<0 ){
+        pMem->n = strlen(z);
+        pMem->flags |= MEM_Term;
+      }
+      break;
+
+#ifndef SQLITE_OMIT_UTF16
+    case SQLITE_UTF16LE:
+    case SQLITE_UTF16BE:
+      pMem->flags |= MEM_Str;
+      if( pMem->n<0 ){
+        pMem->n = sqlite3utf16ByteLen(pMem->z,-1);
+        pMem->flags |= MEM_Term;
+      }
+      if( sqlite3VdbeMemHandleBom(pMem) ){
+        return SQLITE_NOMEM;
+      }
+#endif /* SQLITE_OMIT_UTF16 */
+  }
+  if( pMem->flags&MEM_Ephem ){
+    return sqlite3VdbeMemMakeWriteable(pMem);
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Compare the values contained by the two memory cells, returning
+** negative, zero or positive if pMem1 is less than, equal to, or greater
+** than pMem2. Sorting order is NULL's first, followed by numbers (integers
+** and reals) sorted numerically, followed by text ordered by the collating
+** sequence pColl and finally blob's ordered by memcmp().
+**
+** Two NULL values are considered equal by this function.
+*/
+int sqlite3MemCompare(const Mem *pMem1, const Mem *pMem2, const CollSeq *pColl){
+  int rc;
+  int f1, f2;
+  int combined_flags;
+
+  /* Interchange pMem1 and pMem2 if the collating sequence specifies
+  ** DESC order.
+  */
+  f1 = pMem1->flags;
+  f2 = pMem2->flags;
+  combined_flags = f1|f2;
+ 
+  /* If one value is NULL, it is less than the other. If both values
+  ** are NULL, return 0.
+  */
+  if( combined_flags&MEM_Null ){
+    return (f2&MEM_Null) - (f1&MEM_Null);
+  }
+
+  /* If one value is a number and the other is not, the number is less.
+  ** If both are numbers, compare as reals if one is a real, or as integers
+  ** if both values are integers.
+  */
+  if( combined_flags&(MEM_Int|MEM_Real) ){
+    if( !(f1&(MEM_Int|MEM_Real)) ){
+      return 1;
+    }
+    if( !(f2&(MEM_Int|MEM_Real)) ){
+      return -1;
+    }
+    if( (f1 & f2 & MEM_Int)==0 ){
+      double r1, r2;
+      if( (f1&MEM_Real)==0 ){
+        r1 = pMem1->u.i;
+      }else{
+        r1 = pMem1->r;
+      }
+      if( (f2&MEM_Real)==0 ){
+        r2 = pMem2->u.i;
+      }else{
+        r2 = pMem2->r;
+      }
+      if( r1<r2 ) return -1;
+      if( r1>r2 ) return 1;
+      return 0;
+    }else{
+      assert( f1&MEM_Int );
+      assert( f2&MEM_Int );
+      if( pMem1->u.i < pMem2->u.i ) return -1;
+      if( pMem1->u.i > pMem2->u.i ) return 1;
+      return 0;
+    }
+  }
+
+  /* If one value is a string and the other is a blob, the string is less.
+  ** If both are strings, compare using the collating functions.
+  */
+  if( combined_flags&MEM_Str ){
+    if( (f1 & MEM_Str)==0 ){
+      return 1;
+    }
+    if( (f2 & MEM_Str)==0 ){
+      return -1;
+    }
+
+    assert( pMem1->enc==pMem2->enc );
+    assert( pMem1->enc==SQLITE_UTF8 || 
+            pMem1->enc==SQLITE_UTF16LE || pMem1->enc==SQLITE_UTF16BE );
+
+    /* The collation sequence must be defined at this point, even if
+    ** the user deletes the collation sequence after the vdbe program is
+    ** compiled (this was not always the case).
+    */
+    assert( !pColl || pColl->xCmp );
+
+    if( pColl ){
+      if( pMem1->enc==pColl->enc ){
+        /* The strings are already in the correct encoding.  Call the
+        ** comparison function directly */
+        return pColl->xCmp(pColl->pUser,pMem1->n,pMem1->z,pMem2->n,pMem2->z);
+      }else{
+        u8 origEnc = pMem1->enc;
+        const void *v1, *v2;
+        int n1, n2;
+        /* Convert the strings into the encoding that the comparison
+        ** function expects */
+        v1 = sqlite3ValueText((sqlite3_value*)pMem1, pColl->enc);
+        n1 = v1==0 ? 0 : pMem1->n;
+        assert( n1==sqlite3ValueBytes((sqlite3_value*)pMem1, pColl->enc) );
+        v2 = sqlite3ValueText((sqlite3_value*)pMem2, pColl->enc);
+        n2 = v2==0 ? 0 : pMem2->n;
+        assert( n2==sqlite3ValueBytes((sqlite3_value*)pMem2, pColl->enc) );
+        /* Do the comparison */
+        rc = pColl->xCmp(pColl->pUser, n1, v1, n2, v2);
+        /* Convert the strings back into the database encoding */
+        sqlite3ValueText((sqlite3_value*)pMem1, origEnc);
+        sqlite3ValueText((sqlite3_value*)pMem2, origEnc);
+        return rc;
+      }
+    }
+    /* If a NULL pointer was passed as the collate function, fall through
+    ** to the blob case and use memcmp().  */
+  }
+ 
+  /* Both values must be blobs.  Compare using memcmp().  */
+  rc = memcmp(pMem1->z, pMem2->z, (pMem1->n>pMem2->n)?pMem2->n:pMem1->n);
+  if( rc==0 ){
+    rc = pMem1->n - pMem2->n;
+  }
+  return rc;
+}
+
+/*
+** Move data out of a btree key or data field and into a Mem structure.
+** The data or key is taken from the entry that pCur is currently pointing
+** to.  offset and amt determine what portion of the data or key to retrieve.
+** key is true to get the key or false to get data.  The result is written
+** into the pMem element.
+**
+** The pMem structure is assumed to be uninitialized.  Any prior content
+** is overwritten without being freed.
+**
+** If this routine fails for any reason (malloc returns NULL or unable
+** to read from the disk) then the pMem is left in an inconsistent state.
+*/
+int sqlite3VdbeMemFromBtree(
+  BtCursor *pCur,   /* Cursor pointing at record to retrieve. */
+  int offset,       /* Offset from the start of data to return bytes from. */
+  int amt,          /* Number of bytes to return. */
+  int key,          /* If true, retrieve from the btree key, not data. */
+  Mem *pMem         /* OUT: Return data in this Mem structure. */
+){
+  char *zData;       /* Data from the btree layer */
+  int available = 0; /* Number of bytes available on the local btree page */
+
+  if( key ){
+    zData = (char *)sqlite3BtreeKeyFetch(pCur, &available);
+  }else{
+    zData = (char *)sqlite3BtreeDataFetch(pCur, &available);
+  }
+  assert( zData!=0 );
+
+  pMem->n = amt;
+  if( offset+amt<=available ){
+    pMem->z = &zData[offset];
+    pMem->flags = MEM_Blob|MEM_Ephem;
+  }else{
+    int rc;
+    if( amt>NBFS-2 ){
+      zData = (char *)sqliteMallocRaw(amt+2);
+      if( !zData ){
+        return SQLITE_NOMEM;
+      }
+      pMem->flags = MEM_Blob|MEM_Dyn|MEM_Term;
+      pMem->xDel = 0;
+    }else{
+      zData = &(pMem->zShort[0]);
+      pMem->flags = MEM_Blob|MEM_Short|MEM_Term;
+    }
+    pMem->z = zData;
+    pMem->enc = 0;
+    pMem->type = SQLITE_BLOB;
+
+    if( key ){
+      rc = sqlite3BtreeKey(pCur, offset, amt, zData);
+    }else{
+      rc = sqlite3BtreeData(pCur, offset, amt, zData);
+    }
+    zData[amt] = 0;
+    zData[amt+1] = 0;
+    if( rc!=SQLITE_OK ){
+      if( amt>NBFS-2 ){
+        assert( zData!=pMem->zShort );
+        assert( pMem->flags & MEM_Dyn );
+        sqliteFree(zData);
+      } else {
+        assert( zData==pMem->zShort );
+        assert( pMem->flags & MEM_Short );
+      }
+      return rc;
+    }
+  }
+
+  return SQLITE_OK;
+}
+
+#ifndef NDEBUG
+/*
+** Perform various checks on the memory cell pMem. An assert() will
+** fail if pMem is internally inconsistent.
+*/
+void sqlite3VdbeMemSanity(Mem *pMem){
+  int flags = pMem->flags;
+  assert( flags!=0 );  /* Must define some type */
+  if( pMem->flags & (MEM_Str|MEM_Blob) ){
+    int x = pMem->flags & (MEM_Static|MEM_Dyn|MEM_Ephem|MEM_Short);
+    assert( x!=0 );            /* Strings must define a string subtype */
+    assert( (x & (x-1))==0 );  /* Only one string subtype can be defined */
+    assert( pMem->z!=0 );      /* Strings must have a value */
+    /* Mem.z points to Mem.zShort iff the subtype is MEM_Short */
+    assert( (pMem->flags & MEM_Short)==0 || pMem->z==pMem->zShort );
+    assert( (pMem->flags & MEM_Short)!=0 || pMem->z!=pMem->zShort );
+    /* No destructor unless there is MEM_Dyn */
+    assert( pMem->xDel==0 || (pMem->flags & MEM_Dyn)!=0 );
+
+    if( (flags & MEM_Str) ){
+      assert( pMem->enc==SQLITE_UTF8 || 
+              pMem->enc==SQLITE_UTF16BE ||
+              pMem->enc==SQLITE_UTF16LE 
+      );
+      /* If the string is UTF-8 encoded and nul terminated, then pMem->n
+      ** must be the length of the string.  (Later:)  If the database file
+      ** has been corrupted, '\000' characters might have been inserted
+      ** into the middle of the string.  In that case, the strlen() might
+      ** be less.
+      */
+      if( pMem->enc==SQLITE_UTF8 && (flags & MEM_Term) ){ 
+        assert( strlen(pMem->z)<=pMem->n );
+        assert( pMem->z[pMem->n]==0 );
+      }
+    }
+  }else{
+    /* Cannot define a string subtype for non-string objects */
+    assert( (pMem->flags & (MEM_Static|MEM_Dyn|MEM_Ephem|MEM_Short))==0 );
+    assert( pMem->xDel==0 );
+  }
+  /* MEM_Null excludes all other types */
+  assert( (pMem->flags&(MEM_Str|MEM_Int|MEM_Real|MEM_Blob))==0
+          || (pMem->flags&MEM_Null)==0 );
+  /* If the MEM is both real and integer, the values are equal */
+  assert( (pMem->flags & (MEM_Int|MEM_Real))!=(MEM_Int|MEM_Real) 
+          || pMem->r==pMem->u.i );
+}
+#endif
+
+/* This function is only available internally, it is not part of the
+** external API. It works in a similar way to sqlite3_value_text(),
+** except the data returned is in the encoding specified by the second
+** parameter, which must be one of SQLITE_UTF16BE, SQLITE_UTF16LE or
+** SQLITE_UTF8.
+**
+** (2006-02-16:)  The enc value can be or-ed with SQLITE_UTF16_ALIGNED.
+** If that is the case, then the result must be aligned on an even byte
+** boundary.
+*/
+const void *sqlite3ValueText(sqlite3_value* pVal, u8 enc){
+  if( !pVal ) return 0;
+  assert( (enc&3)==(enc&~SQLITE_UTF16_ALIGNED) );
+
+  if( pVal->flags&MEM_Null ){
+    return 0;
+  }
+  assert( (MEM_Blob>>3) == MEM_Str );
+  pVal->flags |= (pVal->flags & MEM_Blob)>>3;
+  if( pVal->flags&MEM_Str ){
+    sqlite3VdbeChangeEncoding(pVal, enc & ~SQLITE_UTF16_ALIGNED);
+    if( (enc & SQLITE_UTF16_ALIGNED)!=0 && 1==(1&(int)pVal->z) ){
+      assert( (pVal->flags & (MEM_Ephem|MEM_Static))!=0 );
+      if( sqlite3VdbeMemMakeWriteable(pVal)!=SQLITE_OK ){
+        return 0;
+      }
+    }
+    sqlite3VdbeMemNulTerminate(pVal);
+  }else{
+    assert( (pVal->flags&MEM_Blob)==0 );
+    sqlite3VdbeMemStringify(pVal, enc);
+    assert( 0==(1&(int)pVal->z) );
+  }
+  assert(pVal->enc==(enc & ~SQLITE_UTF16_ALIGNED) || sqlite3MallocFailed() );
+  if( pVal->enc==(enc & ~SQLITE_UTF16_ALIGNED) ){
+    return pVal->z;
+  }else{
+    return 0;
+  }
+}
+
+/*
+** Create a new sqlite3_value object.
+*/
+sqlite3_value* sqlite3ValueNew(void){
+  Mem *p = sqliteMalloc(sizeof(*p));
+  if( p ){
+    p->flags = MEM_Null;
+    p->type = SQLITE_NULL;
+  }
+  return p;
+}
+
+/*
+** Create a new sqlite3_value object, containing the value of pExpr.
+**
+** This only works for very simple expressions that consist of one constant
+** token (i.e. "5", "5.1", "NULL", "'a string'"). If the expression can
+** be converted directly into a value, then the value is allocated and
+** a pointer written to *ppVal. The caller is responsible for deallocating
+** the value by passing it to sqlite3ValueFree() later on. If the expression
+** cannot be converted to a value, then *ppVal is set to NULL.
+*/
+int sqlite3ValueFromExpr(
+  Expr *pExpr, 
+  u8 enc, 
+  u8 affinity,
+  sqlite3_value **ppVal
+){
+  int op;
+  char *zVal = 0;
+  sqlite3_value *pVal = 0;
+
+  if( !pExpr ){
+    *ppVal = 0;
+    return SQLITE_OK;
+  }
+  op = pExpr->op;
+
+  if( op==TK_STRING || op==TK_FLOAT || op==TK_INTEGER ){
+    zVal = sqliteStrNDup((char*)pExpr->token.z, pExpr->token.n);
+    pVal = sqlite3ValueNew();
+    if( !zVal || !pVal ) goto no_mem;
+    sqlite3Dequote(zVal);
+    sqlite3ValueSetStr(pVal, -1, zVal, SQLITE_UTF8, sqlite3FreeX);
+    if( (op==TK_INTEGER || op==TK_FLOAT ) && affinity==SQLITE_AFF_NONE ){
+      sqlite3ValueApplyAffinity(pVal, SQLITE_AFF_NUMERIC, enc);
+    }else{
+      sqlite3ValueApplyAffinity(pVal, affinity, enc);
+    }
+  }else if( op==TK_UMINUS ) {
+    if( SQLITE_OK==sqlite3ValueFromExpr(pExpr->pLeft, enc, affinity, &pVal) ){
+      pVal->u.i = -1 * pVal->u.i;
+      pVal->r = -1.0 * pVal->r;
+    }
+  }
+#ifndef SQLITE_OMIT_BLOB_LITERAL
+  else if( op==TK_BLOB ){
+    int nVal;
+    pVal = sqlite3ValueNew();
+    zVal = sqliteStrNDup((char*)pExpr->token.z+1, pExpr->token.n-1);
+    if( !zVal || !pVal ) goto no_mem;
+    sqlite3Dequote(zVal);
+    nVal = strlen(zVal)/2;
+    sqlite3VdbeMemSetStr(pVal, sqlite3HexToBlob(zVal), nVal, 0, sqlite3FreeX);
+    sqliteFree(zVal);
+  }
+#endif
+
+  *ppVal = pVal;
+  return SQLITE_OK;
+
+no_mem:
+  sqliteFree(zVal);
+  sqlite3ValueFree(pVal);
+  *ppVal = 0;
+  return SQLITE_NOMEM;
+}
+
+/*
+** Change the string value of an sqlite3_value object
+*/
+void sqlite3ValueSetStr(
+  sqlite3_value *v, 
+  int n, 
+  const void *z, 
+  u8 enc,
+  void (*xDel)(void*)
+){
+  if( v ) sqlite3VdbeMemSetStr((Mem *)v, z, n, enc, xDel);
+}
+
+/*
+** Free an sqlite3_value object
+*/
+void sqlite3ValueFree(sqlite3_value *v){
+  if( !v ) return;
+  sqlite3ValueSetStr(v, 0, 0, SQLITE_UTF8, SQLITE_STATIC);
+  sqliteFree(v);
+}
+
+/*
+** Return the number of bytes in the sqlite3_value object assuming
+** that it uses the encoding "enc"
+*/
+int sqlite3ValueBytes(sqlite3_value *pVal, u8 enc){
+  Mem *p = (Mem*)pVal;
+  if( (p->flags & MEM_Blob)!=0 || sqlite3ValueText(pVal, enc) ){
+    return p->n;
+  }
+  return 0;
+}
+
+/************** End of vdbemem.c *********************************************/
+/************** Begin file vdbeaux.c *****************************************/
+/*
+** 2003 September 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used for creating, destroying, and populating
+** a VDBE (or an "sqlite3_stmt" as it is known to the outside world.)  Prior
+** to version 2.8.7, all this code was combined into the vdbe.c source file.
+** But that file was getting too big so this subroutines were split out.
+*/
+
+
+/*
+** When debugging the code generator in a symbolic debugger, one can
+** set the sqlite3_vdbe_addop_trace to 1 and all opcodes will be printed
+** as they are added to the instruction stream.
+*/
+#ifdef SQLITE_DEBUG
+int sqlite3_vdbe_addop_trace = 0;
+#endif
+
+
+/*
+** Create a new virtual database engine.
+*/
+Vdbe *sqlite3VdbeCreate(sqlite3 *db){
+  Vdbe *p;
+  p = sqliteMalloc( sizeof(Vdbe) );
+  if( p==0 ) return 0;
+  p->db = db;
+  if( db->pVdbe ){
+    db->pVdbe->pPrev = p;
+  }
+  p->pNext = db->pVdbe;
+  p->pPrev = 0;
+  db->pVdbe = p;
+  p->magic = VDBE_MAGIC_INIT;
+  return p;
+}
+
+/*
+** Remember the SQL string for a prepared statement.
+*/
+void sqlite3VdbeSetSql(Vdbe *p, const char *z, int n){
+  if( p==0 ) return;
+  assert( p->zSql==0 );
+  p->zSql = sqlite3StrNDup(z, n);
+}
+
+/*
+** Return the SQL associated with a prepared statement
+*/
+const char *sqlite3VdbeGetSql(Vdbe *p){
+  return p->zSql;
+}
+
+/*
+** Swap all content between two VDBE structures.
+*/
+void sqlite3VdbeSwap(Vdbe *pA, Vdbe *pB){
+  Vdbe tmp, *pTmp;
+  char *zTmp;
+  int nTmp;
+  tmp = *pA;
+  *pA = *pB;
+  *pB = tmp;
+  pTmp = pA->pNext;
+  pA->pNext = pB->pNext;
+  pB->pNext = pTmp;
+  pTmp = pA->pPrev;
+  pA->pPrev = pB->pPrev;
+  pB->pPrev = pTmp;
+  zTmp = pA->zSql;
+  pA->zSql = pB->zSql;
+  pB->zSql = zTmp;
+  nTmp = pA->nSql;
+  pA->nSql = pB->nSql;
+  pB->nSql = nTmp;
+}
+
+/*
+** Turn tracing on or off
+*/
+void sqlite3VdbeTrace(Vdbe *p, FILE *trace){
+  p->trace = trace;
+}
+
+/*
+** Resize the Vdbe.aOp array so that it contains at least N
+** elements. If the Vdbe is in VDBE_MAGIC_RUN state, then
+** the Vdbe.aOp array will be sized to contain exactly N
+** elements. Vdbe.nOpAlloc is set to reflect the new size of
+** the array.
+**
+** If an out-of-memory error occurs while resizing the array,
+** Vdbe.aOp and Vdbe.nOpAlloc remain unchanged (this is so that
+** any opcodes already allocated can be correctly deallocated
+** along with the rest of the Vdbe).
+*/
+static void resizeOpArray(Vdbe *p, int N){
+  int runMode = p->magic==VDBE_MAGIC_RUN;
+  if( runMode || p->nOpAlloc<N ){
+    VdbeOp *pNew;
+    int nNew = N + 100*(!runMode);
+    int oldSize = p->nOpAlloc;
+    pNew = sqliteRealloc(p->aOp, nNew*sizeof(Op));
+    if( pNew ){
+      p->nOpAlloc = nNew;
+      p->aOp = pNew;
+      if( nNew>oldSize ){
+        memset(&p->aOp[oldSize], 0, (nNew-oldSize)*sizeof(Op));
+      }
+    }
+  }
+}
+
+/*
+** Add a new instruction to the list of instructions current in the
+** VDBE.  Return the address of the new instruction.
+**
+** Parameters:
+**
+**    p               Pointer to the VDBE
+**
+**    op              The opcode for this instruction
+**
+**    p1, p2          First two of the three possible operands.
+**
+** Use the sqlite3VdbeResolveLabel() function to fix an address and
+** the sqlite3VdbeChangeP3() function to change the value of the P3
+** operand.
+*/
+int sqlite3VdbeAddOp(Vdbe *p, int op, int p1, int p2){
+  int i;
+  VdbeOp *pOp;
+
+  i = p->nOp;
+  assert( p->magic==VDBE_MAGIC_INIT );
+  if( p->nOpAlloc<=i ){
+    resizeOpArray(p, i+1);
+    if( sqlite3MallocFailed() ){
+      return 0;
+    }
+  }
+  p->nOp++;
+  pOp = &p->aOp[i];
+  pOp->opcode = op;
+  pOp->p1 = p1;
+  pOp->p2 = p2;
+  pOp->p3 = 0;
+  pOp->p3type = P3_NOTUSED;
+  p->expired = 0;
+#ifdef SQLITE_DEBUG
+  if( sqlite3_vdbe_addop_trace ) sqlite3VdbePrintOp(0, i, &p->aOp[i]);
+#endif
+  return i;
+}
+
+/*
+** Add an opcode that includes the p3 value.
+*/
+int sqlite3VdbeOp3(Vdbe *p, int op, int p1, int p2, const char *zP3,int p3type){
+  int addr = sqlite3VdbeAddOp(p, op, p1, p2);
+  sqlite3VdbeChangeP3(p, addr, zP3, p3type);
+  return addr;
+}
+
+/*
+** Create a new symbolic label for an instruction that has yet to be
+** coded.  The symbolic label is really just a negative number.  The
+** label can be used as the P2 value of an operation.  Later, when
+** the label is resolved to a specific address, the VDBE will scan
+** through its operation list and change all values of P2 which match
+** the label into the resolved address.
+**
+** The VDBE knows that a P2 value is a label because labels are
+** always negative and P2 values are suppose to be non-negative.
+** Hence, a negative P2 value is a label that has yet to be resolved.
+**
+** Zero is returned if a malloc() fails.
+*/
+int sqlite3VdbeMakeLabel(Vdbe *p){
+  int i;
+  i = p->nLabel++;
+  assert( p->magic==VDBE_MAGIC_INIT );
+  if( i>=p->nLabelAlloc ){
+    p->nLabelAlloc = p->nLabelAlloc*2 + 10;
+    p->aLabel = sqliteReallocOrFree(p->aLabel,
+                                    p->nLabelAlloc*sizeof(p->aLabel[0]));
+  }
+  if( p->aLabel ){
+    p->aLabel[i] = -1;
+  }
+  return -1-i;
+}
+
+/*
+** Resolve label "x" to be the address of the next instruction to
+** be inserted.  The parameter "x" must have been obtained from
+** a prior call to sqlite3VdbeMakeLabel().
+*/
+void sqlite3VdbeResolveLabel(Vdbe *p, int x){
+  int j = -1-x;
+  assert( p->magic==VDBE_MAGIC_INIT );
+  assert( j>=0 && j<p->nLabel );
+  if( p->aLabel ){
+    p->aLabel[j] = p->nOp;
+  }
+}
+
+/*
+** Return non-zero if opcode 'op' is guarenteed not to push more values
+** onto the VDBE stack than it pops off.
+*/
+static int opcodeNoPush(u8 op){
+  /* The 10 NOPUSH_MASK_n constants are defined in the automatically
+  ** generated header file opcodes.h. Each is a 16-bit bitmask, one
+  ** bit corresponding to each opcode implemented by the virtual
+  ** machine in vdbe.c. The bit is true if the word "no-push" appears
+  ** in a comment on the same line as the "case OP_XXX:" in 
+  ** sqlite3VdbeExec() in vdbe.c.
+  **
+  ** If the bit is true, then the corresponding opcode is guarenteed not
+  ** to grow the stack when it is executed. Otherwise, it may grow the
+  ** stack by at most one entry.
+  **
+  ** NOPUSH_MASK_0 corresponds to opcodes 0 to 15. NOPUSH_MASK_1 contains
+  ** one bit for opcodes 16 to 31, and so on.
+  **
+  ** 16-bit bitmasks (rather than 32-bit) are specified in opcodes.h 
+  ** because the file is generated by an awk program. Awk manipulates
+  ** all numbers as floating-point and we don't want to risk a rounding
+  ** error if someone builds with an awk that uses (for example) 32-bit 
+  ** IEEE floats.
+  */ 
+  static const u32 masks[5] = {
+    NOPUSH_MASK_0 + (((unsigned)NOPUSH_MASK_1)<<16),
+    NOPUSH_MASK_2 + (((unsigned)NOPUSH_MASK_3)<<16),
+    NOPUSH_MASK_4 + (((unsigned)NOPUSH_MASK_5)<<16),
+    NOPUSH_MASK_6 + (((unsigned)NOPUSH_MASK_7)<<16),
+    NOPUSH_MASK_8 + (((unsigned)NOPUSH_MASK_9)<<16)
+  };
+  assert( op<32*5 );
+  return (masks[op>>5] & (1<<(op&0x1F)));
+}
+
+#ifndef NDEBUG
+int sqlite3VdbeOpcodeNoPush(u8 op){
+  return opcodeNoPush(op);
+}
+#endif
+
+/*
+** Loop through the program looking for P2 values that are negative.
+** Each such value is a label.  Resolve the label by setting the P2
+** value to its correct non-zero value.
+**
+** This routine is called once after all opcodes have been inserted.
+**
+** Variable *pMaxFuncArgs is set to the maximum value of any P2 argument 
+** to an OP_Function, OP_AggStep or OP_VFilter opcode. This is used by 
+** sqlite3VdbeMakeReady() to size the Vdbe.apArg[] array.
+**
+** The integer *pMaxStack is set to the maximum number of vdbe stack
+** entries that static analysis reveals this program might need.
+**
+** This routine also does the following optimization:  It scans for
+** Halt instructions where P1==SQLITE_CONSTRAINT or P2==OE_Abort or for
+** IdxInsert instructions where P2!=0.  If no such instruction is
+** found, then every Statement instruction is changed to a Noop.  In
+** this way, we avoid creating the statement journal file unnecessarily.
+*/
+static void resolveP2Values(Vdbe *p, int *pMaxFuncArgs, int *pMaxStack){
+  int i;
+  int nMaxArgs = 0;
+  int nMaxStack = p->nOp;
+  Op *pOp;
+  int *aLabel = p->aLabel;
+  int doesStatementRollback = 0;
+  int hasStatementBegin = 0;
+  for(pOp=p->aOp, i=p->nOp-1; i>=0; i--, pOp++){
+    u8 opcode = pOp->opcode;
+
+    if( opcode==OP_Function || opcode==OP_AggStep 
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+        || opcode==OP_VUpdate
+#endif
+    ){
+      if( pOp->p2>nMaxArgs ) nMaxArgs = pOp->p2;
+    }else if( opcode==OP_Halt ){
+      if( pOp->p1==SQLITE_CONSTRAINT && pOp->p2==OE_Abort ){
+        doesStatementRollback = 1;
+      }
+    }else if( opcode==OP_Statement ){
+      hasStatementBegin = 1;
+    }else if( opcode==OP_VFilter ){
+      int n;
+      assert( p->nOp - i >= 3 );
+      assert( pOp[-2].opcode==OP_Integer );
+      n = pOp[-2].p1;
+      if( n>nMaxArgs ) nMaxArgs = n;
+    }
+    if( opcodeNoPush(opcode) ){
+      nMaxStack--;
+    }
+
+    if( pOp->p2>=0 ) continue;
+    assert( -1-pOp->p2<p->nLabel );
+    pOp->p2 = aLabel[-1-pOp->p2];
+  }
+  sqliteFree(p->aLabel);
+  p->aLabel = 0;
+
+  *pMaxFuncArgs = nMaxArgs;
+  *pMaxStack = nMaxStack;
+
+  /* If we never rollback a statement transaction, then statement
+  ** transactions are not needed.  So change every OP_Statement
+  ** opcode into an OP_Noop.  This avoid a call to sqlite3OsOpenExclusive()
+  ** which can be expensive on some platforms.
+  */
+  if( hasStatementBegin && !doesStatementRollback ){
+    for(pOp=p->aOp, i=p->nOp-1; i>=0; i--, pOp++){
+      if( pOp->opcode==OP_Statement ){
+        pOp->opcode = OP_Noop;
+      }
+    }
+  }
+}
+
+/*
+** Return the address of the next instruction to be inserted.
+*/
+int sqlite3VdbeCurrentAddr(Vdbe *p){
+  assert( p->magic==VDBE_MAGIC_INIT );
+  return p->nOp;
+}
+
+/*
+** Add a whole list of operations to the operation stack.  Return the
+** address of the first operation added.
+*/
+int sqlite3VdbeAddOpList(Vdbe *p, int nOp, VdbeOpList const *aOp){
+  int addr;
+  assert( p->magic==VDBE_MAGIC_INIT );
+  resizeOpArray(p, p->nOp + nOp);
+  if( sqlite3MallocFailed() ){
+    return 0;
+  }
+  addr = p->nOp;
+  if( nOp>0 ){
+    int i;
+    VdbeOpList const *pIn = aOp;
+    for(i=0; i<nOp; i++, pIn++){
+      int p2 = pIn->p2;
+      VdbeOp *pOut = &p->aOp[i+addr];
+      pOut->opcode = pIn->opcode;
+      pOut->p1 = pIn->p1;
+      pOut->p2 = p2<0 ? addr + ADDR(p2) : p2;
+      pOut->p3 = pIn->p3;
+      pOut->p3type = pIn->p3 ? P3_STATIC : P3_NOTUSED;
+#ifdef SQLITE_DEBUG
+      if( sqlite3_vdbe_addop_trace ){
+        sqlite3VdbePrintOp(0, i+addr, &p->aOp[i+addr]);
+      }
+#endif
+    }
+    p->nOp += nOp;
+  }
+  return addr;
+}
+
+/*
+** Change the value of the P1 operand for a specific instruction.
+** This routine is useful when a large program is loaded from a
+** static array using sqlite3VdbeAddOpList but we want to make a
+** few minor changes to the program.
+*/
+void sqlite3VdbeChangeP1(Vdbe *p, int addr, int val){
+  assert( p==0 || p->magic==VDBE_MAGIC_INIT );
+  if( p && addr>=0 && p->nOp>addr && p->aOp ){
+    p->aOp[addr].p1 = val;
+  }
+}
+
+/*
+** Change the value of the P2 operand for a specific instruction.
+** This routine is useful for setting a jump destination.
+*/
+void sqlite3VdbeChangeP2(Vdbe *p, int addr, int val){
+  assert( val>=0 );
+  assert( p==0 || p->magic==VDBE_MAGIC_INIT );
+  if( p && addr>=0 && p->nOp>addr && p->aOp ){
+    p->aOp[addr].p2 = val;
+  }
+}
+
+/*
+** Change the P2 operand of instruction addr so that it points to
+** the address of the next instruction to be coded.
+*/
+void sqlite3VdbeJumpHere(Vdbe *p, int addr){
+  sqlite3VdbeChangeP2(p, addr, p->nOp);
+}
+
+
+/*
+** If the input FuncDef structure is ephemeral, then free it.  If
+** the FuncDef is not ephermal, then do nothing.
+*/
+static void freeEphemeralFunction(FuncDef *pDef){
+  if( pDef && (pDef->flags & SQLITE_FUNC_EPHEM)!=0 ){
+    sqliteFree(pDef);
+  }
+}
+
+/*
+** Delete a P3 value if necessary.
+*/
+static void freeP3(int p3type, void *p3){
+  if( p3 ){
+    switch( p3type ){
+      case P3_DYNAMIC:
+      case P3_KEYINFO:
+      case P3_KEYINFO_HANDOFF: {
+        sqliteFree(p3);
+        break;
+      }
+      case P3_MPRINTF: {
+        sqlite3_free(p3);
+        break;
+      }
+      case P3_VDBEFUNC: {
+        VdbeFunc *pVdbeFunc = (VdbeFunc *)p3;
+        freeEphemeralFunction(pVdbeFunc->pFunc);
+        sqlite3VdbeDeleteAuxData(pVdbeFunc, 0);
+        sqliteFree(pVdbeFunc);
+        break;
+      }
+      case P3_FUNCDEF: {
+        freeEphemeralFunction((FuncDef*)p3);
+        break;
+      }
+      case P3_MEM: {
+        sqlite3ValueFree((sqlite3_value*)p3);
+        break;
+      }
+    }
+  }
+}
+
+
+/*
+** Change N opcodes starting at addr to No-ops.
+*/
+void sqlite3VdbeChangeToNoop(Vdbe *p, int addr, int N){
+  VdbeOp *pOp = &p->aOp[addr];
+  while( N-- ){
+    freeP3(pOp->p3type, pOp->p3);
+    memset(pOp, 0, sizeof(pOp[0]));
+    pOp->opcode = OP_Noop;
+    pOp++;
+  }
+}
+
+/*
+** Change the value of the P3 operand for a specific instruction.
+** This routine is useful when a large program is loaded from a
+** static array using sqlite3VdbeAddOpList but we want to make a
+** few minor changes to the program.
+**
+** If n>=0 then the P3 operand is dynamic, meaning that a copy of
+** the string is made into memory obtained from sqliteMalloc().
+** A value of n==0 means copy bytes of zP3 up to and including the
+** first null byte.  If n>0 then copy n+1 bytes of zP3.
+**
+** If n==P3_KEYINFO it means that zP3 is a pointer to a KeyInfo structure.
+** A copy is made of the KeyInfo structure into memory obtained from
+** sqliteMalloc, to be freed when the Vdbe is finalized.
+** n==P3_KEYINFO_HANDOFF indicates that zP3 points to a KeyInfo structure
+** stored in memory that the caller has obtained from sqliteMalloc. The 
+** caller should not free the allocation, it will be freed when the Vdbe is
+** finalized.
+** 
+** Other values of n (P3_STATIC, P3_COLLSEQ etc.) indicate that zP3 points
+** to a string or structure that is guaranteed to exist for the lifetime of
+** the Vdbe. In these cases we can just copy the pointer.
+**
+** If addr<0 then change P3 on the most recently inserted instruction.
+*/
+void sqlite3VdbeChangeP3(Vdbe *p, int addr, const char *zP3, int n){
+  Op *pOp;
+  assert( p==0 || p->magic==VDBE_MAGIC_INIT );
+  if( p==0 || p->aOp==0 || sqlite3MallocFailed() ){
+    if (n != P3_KEYINFO) {
+      freeP3(n, (void*)*(char**)&zP3);
+    }
+    return;
+  }
+  if( addr<0 || addr>=p->nOp ){
+    addr = p->nOp - 1;
+    if( addr<0 ) return;
+  }
+  pOp = &p->aOp[addr];
+  freeP3(pOp->p3type, pOp->p3);
+  pOp->p3 = 0;
+  if( zP3==0 ){
+    pOp->p3 = 0;
+    pOp->p3type = P3_NOTUSED;
+  }else if( n==P3_KEYINFO ){
+    KeyInfo *pKeyInfo;
+    int nField, nByte;
+
+    nField = ((KeyInfo*)zP3)->nField;
+    nByte = sizeof(*pKeyInfo) + (nField-1)*sizeof(pKeyInfo->aColl[0]) + nField;
+    pKeyInfo = sqliteMallocRaw( nByte );
+    pOp->p3 = (char*)pKeyInfo;
+    if( pKeyInfo ){
+      unsigned char *aSortOrder;
+      memcpy(pKeyInfo, zP3, nByte);
+      aSortOrder = pKeyInfo->aSortOrder;
+      if( aSortOrder ){
+        pKeyInfo->aSortOrder = (unsigned char*)&pKeyInfo->aColl[nField];
+        memcpy(pKeyInfo->aSortOrder, aSortOrder, nField);
+      }
+      pOp->p3type = P3_KEYINFO;
+    }else{
+      pOp->p3type = P3_NOTUSED;
+    }
+  }else if( n==P3_KEYINFO_HANDOFF ){
+    pOp->p3 = (char*)zP3;
+    pOp->p3type = P3_KEYINFO;
+  }else if( n<0 ){
+    pOp->p3 = (char*)zP3;
+    pOp->p3type = n;
+  }else{
+    if( n==0 ) n = strlen(zP3);
+    pOp->p3 = sqliteStrNDup(zP3, n);
+    pOp->p3type = P3_DYNAMIC;
+  }
+}
+
+#ifndef NDEBUG
+/*
+** Replace the P3 field of the most recently coded instruction with
+** comment text.
+*/
+void sqlite3VdbeComment(Vdbe *p, const char *zFormat, ...){
+  va_list ap;
+  assert( p->nOp>0 || p->aOp==0 );
+  assert( p->aOp==0 || p->aOp[p->nOp-1].p3==0 || sqlite3MallocFailed() );
+  va_start(ap, zFormat);
+  sqlite3VdbeChangeP3(p, -1, sqlite3VMPrintf(zFormat, ap), P3_DYNAMIC);
+  va_end(ap);
+}
+#endif
+
+/*
+** Return the opcode for a given address.
+*/
+VdbeOp *sqlite3VdbeGetOp(Vdbe *p, int addr){
+  assert( p->magic==VDBE_MAGIC_INIT );
+  assert( (addr>=0 && addr<p->nOp) || sqlite3MallocFailed() );
+  return ((addr>=0 && addr<p->nOp)?(&p->aOp[addr]):0);
+}
+
+#if !defined(SQLITE_OMIT_EXPLAIN) || !defined(NDEBUG) \
+     || defined(VDBE_PROFILE) || defined(SQLITE_DEBUG)
+/*
+** Compute a string that describes the P3 parameter for an opcode.
+** Use zTemp for any required temporary buffer space.
+*/
+static char *displayP3(Op *pOp, char *zTemp, int nTemp){
+  char *zP3;
+  assert( nTemp>=20 );
+  switch( pOp->p3type ){
+    case P3_KEYINFO: {
+      int i, j;
+      KeyInfo *pKeyInfo = (KeyInfo*)pOp->p3;
+      sprintf(zTemp, "keyinfo(%d", pKeyInfo->nField);
+      i = strlen(zTemp);
+      for(j=0; j<pKeyInfo->nField; j++){
+        CollSeq *pColl = pKeyInfo->aColl[j];
+        if( pColl ){
+          int n = strlen(pColl->zName);
+          if( i+n>nTemp-6 ){
+            strcpy(&zTemp[i],",...");
+            break;
+          }
+          zTemp[i++] = ',';
+          if( pKeyInfo->aSortOrder && pKeyInfo->aSortOrder[j] ){
+            zTemp[i++] = '-';
+          }
+          strcpy(&zTemp[i], pColl->zName);
+          i += n;
+        }else if( i+4<nTemp-6 ){
+          strcpy(&zTemp[i],",nil");
+          i += 4;
+        }
+      }
+      zTemp[i++] = ')';
+      zTemp[i] = 0;
+      assert( i<nTemp );
+      zP3 = zTemp;
+      break;
+    }
+    case P3_COLLSEQ: {
+      CollSeq *pColl = (CollSeq*)pOp->p3;
+      sprintf(zTemp, "collseq(%.20s)", pColl->zName);
+      zP3 = zTemp;
+      break;
+    }
+    case P3_FUNCDEF: {
+      FuncDef *pDef = (FuncDef*)pOp->p3;
+      sqlite3_snprintf(nTemp, zTemp, "%s(%d)", pDef->zName, pDef->nArg);
+      zP3 = zTemp;
+      break;
+    }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    case P3_VTAB: {
+      sqlite3_vtab *pVtab = (sqlite3_vtab*)pOp->p3;
+      sqlite3_snprintf(nTemp, zTemp, "vtab:%p:%p", pVtab, pVtab->pModule);
+      zP3 = zTemp;
+      break;
+    }
+#endif
+    default: {
+      zP3 = pOp->p3;
+      if( zP3==0 || pOp->opcode==OP_Noop ){
+        zP3 = "";
+      }
+    }
+  }
+  assert( zP3!=0 );
+  return zP3;
+}
+#endif
+
+
+#if defined(VDBE_PROFILE) || defined(SQLITE_DEBUG)
+/*
+** Print a single opcode.  This routine is used for debugging only.
+*/
+void sqlite3VdbePrintOp(FILE *pOut, int pc, Op *pOp){
+  char *zP3;
+  char zPtr[50];
+  static const char *zFormat1 = "%4d %-13s %4d %4d %s\n";
+  if( pOut==0 ) pOut = stdout;
+  zP3 = displayP3(pOp, zPtr, sizeof(zPtr));
+  fprintf(pOut, zFormat1,
+      pc, sqlite3OpcodeNames[pOp->opcode], pOp->p1, pOp->p2, zP3);
+  fflush(pOut);
+}
+#endif
+
+/*
+** Release an array of N Mem elements
+*/
+static void releaseMemArray(Mem *p, int N){
+  if( p ){
+    while( N-->0 ){
+      sqlite3VdbeMemRelease(p++);
+    }
+  }
+}
+
+#ifndef SQLITE_OMIT_EXPLAIN
+/*
+** Give a listing of the program in the virtual machine.
+**
+** The interface is the same as sqlite3VdbeExec().  But instead of
+** running the code, it invokes the callback once for each instruction.
+** This feature is used to implement "EXPLAIN".
+*/
+int sqlite3VdbeList(
+  Vdbe *p                   /* The VDBE */
+){
+  sqlite3 *db = p->db;
+  int i;
+  int rc = SQLITE_OK;
+
+  assert( p->explain );
+  if( p->magic!=VDBE_MAGIC_RUN ) return SQLITE_MISUSE;
+  assert( db->magic==SQLITE_MAGIC_BUSY );
+  assert( p->rc==SQLITE_OK || p->rc==SQLITE_BUSY );
+
+  /* Even though this opcode does not put dynamic strings onto the
+  ** the stack, they may become dynamic if the user calls
+  ** sqlite3_column_text16(), causing a translation to UTF-16 encoding.
+  */
+  if( p->pTos==&p->aStack[4] ){
+    releaseMemArray(p->aStack, 5);
+  }
+  p->resOnStack = 0;
+
+  do{
+    i = p->pc++;
+  }while( i<p->nOp && p->explain==2 && p->aOp[i].opcode!=OP_Explain );
+  if( i>=p->nOp ){
+    p->rc = SQLITE_OK;
+    rc = SQLITE_DONE;
+  }else if( db->u1.isInterrupted ){
+    p->rc = SQLITE_INTERRUPT;
+    rc = SQLITE_ERROR;
+    sqlite3SetString(&p->zErrMsg, sqlite3ErrStr(p->rc), (char*)0);
+  }else{
+    Op *pOp = &p->aOp[i];
+    Mem *pMem = p->aStack;
+    pMem->flags = MEM_Int;
+    pMem->type = SQLITE_INTEGER;
+    pMem->u.i = i;                                /* Program counter */
+    pMem++;
+
+    pMem->flags = MEM_Static|MEM_Str|MEM_Term;
+    pMem->z = (char*)sqlite3OpcodeNames[pOp->opcode];  /* Opcode */
+    assert( pMem->z!=0 );
+    pMem->n = strlen(pMem->z);
+    pMem->type = SQLITE_TEXT;
+    pMem->enc = SQLITE_UTF8;
+    pMem++;
+
+    pMem->flags = MEM_Int;
+    pMem->u.i = pOp->p1;                          /* P1 */
+    pMem->type = SQLITE_INTEGER;
+    pMem++;
+
+    pMem->flags = MEM_Int;
+    pMem->u.i = pOp->p2;                          /* P2 */
+    pMem->type = SQLITE_INTEGER;
+    pMem++;
+
+    pMem->flags = MEM_Ephem|MEM_Str|MEM_Term;   /* P3 */
+    pMem->z = displayP3(pOp, pMem->zShort, sizeof(pMem->zShort));
+    assert( pMem->z!=0 );
+    pMem->n = strlen(pMem->z);
+    pMem->type = SQLITE_TEXT;
+    pMem->enc = SQLITE_UTF8;
+
+    p->nResColumn = 5 - 2*(p->explain-1);
+    p->pTos = pMem;
+    p->rc = SQLITE_OK;
+    p->resOnStack = 1;
+    rc = SQLITE_ROW;
+  }
+  return rc;
+}
+#endif /* SQLITE_OMIT_EXPLAIN */
+
+#ifdef SQLITE_DEBUG
+/*
+** Print the SQL that was used to generate a VDBE program.
+*/
+void sqlite3VdbePrintSql(Vdbe *p){
+  int nOp = p->nOp;
+  VdbeOp *pOp;
+  if( nOp<1 ) return;
+  pOp = &p->aOp[nOp-1];
+  if( pOp->opcode==OP_Noop && pOp->p3!=0 ){
+    const char *z = pOp->p3;
+    while( isspace(*(u8*)z) ) z++;
+    printf("SQL: [%s]\n", z);
+  }
+}
+#endif
+
+#if !defined(SQLITE_OMIT_TRACE) && defined(SQLITE_ENABLE_IOTRACE)
+/*
+** Print an IOTRACE message showing SQL content.
+*/
+void sqlite3VdbeIOTraceSql(Vdbe *p){
+  int nOp = p->nOp;
+  VdbeOp *pOp;
+  if( sqlite3_io_trace==0 ) return;
+  if( nOp<1 ) return;
+  pOp = &p->aOp[nOp-1];
+  if( pOp->opcode==OP_Noop && pOp->p3!=0 ){
+    char *z = sqlite3StrDup(pOp->p3);
+    int i, j;
+    for(i=0; isspace(z[i]); i++){}
+    for(j=0; z[i]; i++){
+      if( isspace(z[i]) ){
+        if( z[i-1]!=' ' ){
+          z[j++] = ' ';
+        }
+      }else{
+        z[j++] = z[i];
+      }
+    }
+    z[j] = 0;
+    sqlite3_io_trace("SQL %s\n", z);
+    sqliteFree(z);
+  }
+}
+#endif /* !SQLITE_OMIT_TRACE && SQLITE_ENABLE_IOTRACE */
+
+
+/*
+** Prepare a virtual machine for execution.  This involves things such
+** as allocating stack space and initializing the program counter.
+** After the VDBE has be prepped, it can be executed by one or more
+** calls to sqlite3VdbeExec().  
+**
+** This is the only way to move a VDBE from VDBE_MAGIC_INIT to
+** VDBE_MAGIC_RUN.
+*/
+void sqlite3VdbeMakeReady(
+  Vdbe *p,                       /* The VDBE */
+  int nVar,                      /* Number of '?' see in the SQL statement */
+  int nMem,                      /* Number of memory cells to allocate */
+  int nCursor,                   /* Number of cursors to allocate */
+  int isExplain                  /* True if the EXPLAIN keywords is present */
+){
+  int n;
+
+  assert( p!=0 );
+  assert( p->magic==VDBE_MAGIC_INIT );
+
+  /* There should be at least one opcode.
+  */
+  assert( p->nOp>0 );
+
+  /* Set the magic to VDBE_MAGIC_RUN sooner rather than later. This
+   * is because the call to resizeOpArray() below may shrink the
+   * p->aOp[] array to save memory if called when in VDBE_MAGIC_RUN 
+   * state.
+   */
+  p->magic = VDBE_MAGIC_RUN;
+
+  /* No instruction ever pushes more than a single element onto the
+  ** stack.  And the stack never grows on successive executions of the
+  ** same loop.  So the total number of instructions is an upper bound
+  ** on the maximum stack depth required.  (Added later:)  The
+  ** resolveP2Values() call computes a tighter upper bound on the
+  ** stack size.
+  **
+  ** Allocation all the stack space we will ever need.
+  */
+  if( p->aStack==0 ){
+    int nArg;       /* Maximum number of args passed to a user function. */
+    int nStack;     /* Maximum number of stack entries required */
+    resolveP2Values(p, &nArg, &nStack);
+    resizeOpArray(p, p->nOp);
+    assert( nVar>=0 );
+    assert( nStack<p->nOp );
+    if( isExplain ){
+      nStack = 10;
+    }
+    p->aStack = sqliteMalloc(
+        nStack*sizeof(p->aStack[0])    /* aStack */
+      + nArg*sizeof(Mem*)              /* apArg */
+      + nVar*sizeof(Mem)               /* aVar */
+      + nVar*sizeof(char*)             /* azVar */
+      + nMem*sizeof(Mem)               /* aMem */
+      + nCursor*sizeof(Cursor*)        /* apCsr */
+    );
+    if( !sqlite3MallocFailed() ){
+      p->aMem = &p->aStack[nStack];
+      p->nMem = nMem;
+      p->aVar = &p->aMem[nMem];
+      p->nVar = nVar;
+      p->okVar = 0;
+      p->apArg = (Mem**)&p->aVar[nVar];
+      p->azVar = (char**)&p->apArg[nArg];
+      p->apCsr = (Cursor**)&p->azVar[nVar];
+      p->nCursor = nCursor;
+      for(n=0; n<nVar; n++){
+        p->aVar[n].flags = MEM_Null;
+      }
+    }
+  }
+  for(n=0; n<p->nMem; n++){
+    p->aMem[n].flags = MEM_Null;
+  }
+
+  p->pTos = &p->aStack[-1];
+  p->pc = -1;
+  p->rc = SQLITE_OK;
+  p->uniqueCnt = 0;
+  p->returnDepth = 0;
+  p->errorAction = OE_Abort;
+  p->popStack =  0;
+  p->explain |= isExplain;
+  p->magic = VDBE_MAGIC_RUN;
+  p->nChange = 0;
+  p->cacheCtr = 1;
+  p->minWriteFileFormat = 255;
+#ifdef VDBE_PROFILE
+  {
+    int i;
+    for(i=0; i<p->nOp; i++){
+      p->aOp[i].cnt = 0;
+      p->aOp[i].cycles = 0;
+    }
+  }
+#endif
+}
+
+/*
+** Close a cursor and release all the resources that cursor happens
+** to hold.
+*/
+void sqlite3VdbeFreeCursor(Vdbe *p, Cursor *pCx){
+  if( pCx==0 ){
+    return;
+  }
+  if( pCx->pCursor ){
+    sqlite3BtreeCloseCursor(pCx->pCursor);
+  }
+  if( pCx->pBt ){
+    sqlite3BtreeClose(pCx->pBt);
+  }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( pCx->pVtabCursor ){
+    sqlite3_vtab_cursor *pVtabCursor = pCx->pVtabCursor;
+    const sqlite3_module *pModule = pCx->pModule;
+    p->inVtabMethod = 1;
+    sqlite3SafetyOff(p->db);
+    pModule->xClose(pVtabCursor);
+    sqlite3SafetyOn(p->db);
+    p->inVtabMethod = 0;
+  }
+#endif
+  sqliteFree(pCx->pData);
+  sqliteFree(pCx->aType);
+  sqliteFree(pCx);
+}
+
+/*
+** Close all cursors
+*/
+static void closeAllCursors(Vdbe *p){
+  int i;
+  if( p->apCsr==0 ) return;
+  for(i=0; i<p->nCursor; i++){
+    if( !p->inVtabMethod || (p->apCsr[i] && !p->apCsr[i]->pVtabCursor) ){
+      sqlite3VdbeFreeCursor(p, p->apCsr[i]);
+      p->apCsr[i] = 0;
+    }
+  }
+}
+
+/*
+** Clean up the VM after execution.
+**
+** This routine will automatically close any cursors, lists, and/or
+** sorters that were left open.  It also deletes the values of
+** variables in the aVar[] array.
+*/
+static void Cleanup(Vdbe *p){
+  int i;
+  if( p->aStack ){
+    releaseMemArray(p->aStack, 1 + (p->pTos - p->aStack));
+    p->pTos = &p->aStack[-1];
+  }
+  closeAllCursors(p);
+  releaseMemArray(p->aMem, p->nMem);
+  sqlite3VdbeFifoClear(&p->sFifo);
+  if( p->contextStack ){
+    for(i=0; i<p->contextStackTop; i++){
+      sqlite3VdbeFifoClear(&p->contextStack[i].sFifo);
+    }
+    sqliteFree(p->contextStack);
+  }
+  p->contextStack = 0;
+  p->contextStackDepth = 0;
+  p->contextStackTop = 0;
+  sqliteFree(p->zErrMsg);
+  p->zErrMsg = 0;
+}
+
+/*
+** Set the number of result columns that will be returned by this SQL
+** statement. This is now set at compile time, rather than during
+** execution of the vdbe program so that sqlite3_column_count() can
+** be called on an SQL statement before sqlite3_step().
+*/
+void sqlite3VdbeSetNumCols(Vdbe *p, int nResColumn){
+  Mem *pColName;
+  int n;
+  releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);
+  sqliteFree(p->aColName);
+  n = nResColumn*COLNAME_N;
+  p->nResColumn = nResColumn;
+  p->aColName = pColName = (Mem*)sqliteMalloc( sizeof(Mem)*n );
+  if( p->aColName==0 ) return;
+  while( n-- > 0 ){
+    (pColName++)->flags = MEM_Null;
+  }
+}
+
+/*
+** Set the name of the idx'th column to be returned by the SQL statement.
+** zName must be a pointer to a nul terminated string.
+**
+** This call must be made after a call to sqlite3VdbeSetNumCols().
+**
+** If N==P3_STATIC  it means that zName is a pointer to a constant static
+** string and we can just copy the pointer. If it is P3_DYNAMIC, then 
+** the string is freed using sqliteFree() when the vdbe is finished with
+** it. Otherwise, N bytes of zName are copied.
+*/
+int sqlite3VdbeSetColName(Vdbe *p, int idx, int var, const char *zName, int N){
+  int rc;
+  Mem *pColName;
+  assert( idx<p->nResColumn );
+  assert( var<COLNAME_N );
+  if( sqlite3MallocFailed() ) return SQLITE_NOMEM;
+  assert( p->aColName!=0 );
+  pColName = &(p->aColName[idx+var*p->nResColumn]);
+  if( N==P3_DYNAMIC || N==P3_STATIC ){
+    rc = sqlite3VdbeMemSetStr(pColName, zName, -1, SQLITE_UTF8, SQLITE_STATIC);
+  }else{
+    rc = sqlite3VdbeMemSetStr(pColName, zName, N, SQLITE_UTF8,SQLITE_TRANSIENT);
+  }
+  if( rc==SQLITE_OK && N==P3_DYNAMIC ){
+    pColName->flags = (pColName->flags&(~MEM_Static))|MEM_Dyn;
+    pColName->xDel = 0;
+  }
+  return rc;
+}
+
+/*
+** A read or write transaction may or may not be active on database handle
+** db. If a transaction is active, commit it. If there is a
+** write-transaction spanning more than one database file, this routine
+** takes care of the master journal trickery.
+*/
+static int vdbeCommit(sqlite3 *db){
+  int i;
+  int nTrans = 0;  /* Number of databases with an active write-transaction */
+  int rc = SQLITE_OK;
+  int needXcommit = 0;
+
+  /* Before doing anything else, call the xSync() callback for any
+  ** virtual module tables written in this transaction. This has to
+  ** be done before determining whether a master journal file is 
+  ** required, as an xSync() callback may add an attached database
+  ** to the transaction.
+  */
+  rc = sqlite3VtabSync(db, rc);
+  if( rc!=SQLITE_OK ){
+    return rc;
+  }
+
+  /* This loop determines (a) if the commit hook should be invoked and
+  ** (b) how many database files have open write transactions, not 
+  ** including the temp database. (b) is important because if more than 
+  ** one database file has an open write transaction, a master journal
+  ** file is required for an atomic commit.
+  */ 
+  for(i=0; i<db->nDb; i++){ 
+    Btree *pBt = db->aDb[i].pBt;
+    if( pBt && sqlite3BtreeIsInTrans(pBt) ){
+      needXcommit = 1;
+      if( i!=1 ) nTrans++;
+    }
+  }
+
+  /* If there are any write-transactions at all, invoke the commit hook */
+  if( needXcommit && db->xCommitCallback ){
+    sqlite3SafetyOff(db);
+    rc = db->xCommitCallback(db->pCommitArg);
+    sqlite3SafetyOn(db);
+    if( rc ){
+      return SQLITE_CONSTRAINT;
+    }
+  }
+
+  /* The simple case - no more than one database file (not counting the
+  ** TEMP database) has a transaction active.   There is no need for the
+  ** master-journal.
+  **
+  ** If the return value of sqlite3BtreeGetFilename() is a zero length
+  ** string, it means the main database is :memory:.  In that case we do
+  ** not support atomic multi-file commits, so use the simple case then
+  ** too.
+  */
+  if( 0==strlen(sqlite3BtreeGetFilename(db->aDb[0].pBt)) || nTrans<=1 ){
+    for(i=0; rc==SQLITE_OK && i<db->nDb; i++){ 
+      Btree *pBt = db->aDb[i].pBt;
+      if( pBt ){
+        rc = sqlite3BtreeCommitPhaseOne(pBt, 0);
+      }
+    }
+
+    /* Do the commit only if all databases successfully complete phase 1. 
+    ** If one of the BtreeCommitPhaseOne() calls fails, this indicates an
+    ** IO error while deleting or truncating a journal file. It is unlikely,
+    ** but could happen. In this case abandon processing and return the error.
+    */
+    for(i=0; rc==SQLITE_OK && i<db->nDb; i++){
+      Btree *pBt = db->aDb[i].pBt;
+      if( pBt ){
+        rc = sqlite3BtreeCommitPhaseTwo(pBt);
+      }
+    }
+    if( rc==SQLITE_OK ){
+      sqlite3VtabCommit(db);
+    }
+  }
+
+  /* The complex case - There is a multi-file write-transaction active.
+  ** This requires a master journal file to ensure the transaction is
+  ** committed atomicly.
+  */
+#ifndef SQLITE_OMIT_DISKIO
+  else{
+    int needSync = 0;
+    char *zMaster = 0;   /* File-name for the master journal */
+    char const *zMainFile = sqlite3BtreeGetFilename(db->aDb[0].pBt);
+    OsFile *master = 0;
+
+    /* Select a master journal file name */
+    do {
+      u32 random;
+      sqliteFree(zMaster);
+      sqlite3Randomness(sizeof(random), &random);
+      zMaster = sqlite3MPrintf("%s-mj%08X", zMainFile, random&0x7fffffff);
+      if( !zMaster ){
+        return SQLITE_NOMEM;
+      }
+    }while( sqlite3OsFileExists(zMaster) );
+
+    /* Open the master journal. */
+    rc = sqlite3OsOpenExclusive(zMaster, &master, 0);
+    if( rc!=SQLITE_OK ){
+      sqliteFree(zMaster);
+      return rc;
+    }
+ 
+    /* Write the name of each database file in the transaction into the new
+    ** master journal file. If an error occurs at this point close
+    ** and delete the master journal file. All the individual journal files
+    ** still have 'null' as the master journal pointer, so they will roll
+    ** back independently if a failure occurs.
+    */
+    for(i=0; i<db->nDb; i++){ 
+      Btree *pBt = db->aDb[i].pBt;
+      if( i==1 ) continue;   /* Ignore the TEMP database */
+      if( pBt && sqlite3BtreeIsInTrans(pBt) ){
+        char const *zFile = sqlite3BtreeGetJournalname(pBt);
+        if( zFile[0]==0 ) continue;  /* Ignore :memory: databases */
+        if( !needSync && !sqlite3BtreeSyncDisabled(pBt) ){
+          needSync = 1;
+        }
+        rc = sqlite3OsWrite(master, zFile, strlen(zFile)+1);
+        if( rc!=SQLITE_OK ){
+          sqlite3OsClose(&master);
+          sqlite3OsDelete(zMaster);
+          sqliteFree(zMaster);
+          return rc;
+        }
+      }
+    }
+
+
+    /* Sync the master journal file. Before doing this, open the directory
+    ** the master journal file is store in so that it gets synced too.
+    */
+    zMainFile = sqlite3BtreeGetDirname(db->aDb[0].pBt);
+    rc = sqlite3OsOpenDirectory(master, zMainFile);
+    if( rc!=SQLITE_OK ||
+          (needSync && (rc=sqlite3OsSync(master,0))!=SQLITE_OK) ){
+      sqlite3OsClose(&master);
+      sqlite3OsDelete(zMaster);
+      sqliteFree(zMaster);
+      return rc;
+    }
+
+    /* Sync all the db files involved in the transaction. The same call
+    ** sets the master journal pointer in each individual journal. If
+    ** an error occurs here, do not delete the master journal file.
+    **
+    ** If the error occurs during the first call to
+    ** sqlite3BtreeCommitPhaseOne(), then there is a chance that the
+    ** master journal file will be orphaned. But we cannot delete it,
+    ** in case the master journal file name was written into the journal
+    ** file before the failure occured.
+    */
+    for(i=0; rc==SQLITE_OK && i<db->nDb; i++){ 
+      Btree *pBt = db->aDb[i].pBt;
+      if( pBt && sqlite3BtreeIsInTrans(pBt) ){
+        rc = sqlite3BtreeCommitPhaseOne(pBt, zMaster);
+      }
+    }
+    sqlite3OsClose(&master);
+    if( rc!=SQLITE_OK ){
+      sqliteFree(zMaster);
+      return rc;
+    }
+
+    /* Delete the master journal file. This commits the transaction. After
+    ** doing this the directory is synced again before any individual
+    ** transaction files are deleted.
+    */
+    rc = sqlite3OsDelete(zMaster);
+    sqliteFree(zMaster);
+    zMaster = 0;
+    if( rc ){
+      return rc;
+    }
+    rc = sqlite3OsSyncDirectory(zMainFile);
+    if( rc!=SQLITE_OK ){
+      /* This is not good. The master journal file has been deleted, but
+      ** the directory sync failed. There is no completely safe course of
+      ** action from here. The individual journals contain the name of the
+      ** master journal file, but there is no way of knowing if that
+      ** master journal exists now or if it will exist after the operating
+      ** system crash that may follow the fsync() failure.
+      */
+      return rc;
+    }
+
+    /* All files and directories have already been synced, so the following
+    ** calls to sqlite3BtreeCommitPhaseTwo() are only closing files and
+    ** deleting or truncating journals. If something goes wrong while
+    ** this is happening we don't really care. The integrity of the
+    ** transaction is already guaranteed, but some stray 'cold' journals
+    ** may be lying around. Returning an error code won't help matters.
+    */
+    disable_simulated_io_errors();
+    for(i=0; i<db->nDb; i++){ 
+      Btree *pBt = db->aDb[i].pBt;
+      if( pBt ){
+        sqlite3BtreeCommitPhaseTwo(pBt);
+      }
+    }
+    enable_simulated_io_errors();
+
+    sqlite3VtabCommit(db);
+  }
+#endif
+
+  return rc;
+}
+
+/* 
+** This routine checks that the sqlite3.activeVdbeCnt count variable
+** matches the number of vdbe's in the list sqlite3.pVdbe that are
+** currently active. An assertion fails if the two counts do not match.
+** This is an internal self-check only - it is not an essential processing
+** step.
+**
+** This is a no-op if NDEBUG is defined.
+*/
+#ifndef NDEBUG
+static void checkActiveVdbeCnt(sqlite3 *db){
+  Vdbe *p;
+  int cnt = 0;
+  p = db->pVdbe;
+  while( p ){
+    if( p->magic==VDBE_MAGIC_RUN && p->pc>=0 ){
+      cnt++;
+    }
+    p = p->pNext;
+  }
+  assert( cnt==db->activeVdbeCnt );
+}
+#else
+#define checkActiveVdbeCnt(x)
+#endif
+
+/*
+** Find every active VM other than pVdbe and change its status to
+** aborted.  This happens when one VM causes a rollback due to an
+** ON CONFLICT ROLLBACK clause (for example).  The other VMs must be
+** aborted so that they do not have data rolled out from underneath
+** them leading to a segfault.
+*/
+void sqlite3AbortOtherActiveVdbes(sqlite3 *db, Vdbe *pExcept){
+  Vdbe *pOther;
+  for(pOther=db->pVdbe; pOther; pOther=pOther->pNext){
+    if( pOther==pExcept ) continue;
+    if( pOther->magic!=VDBE_MAGIC_RUN || pOther->pc<0 ) continue;
+    checkActiveVdbeCnt(db);
+    closeAllCursors(pOther);
+    checkActiveVdbeCnt(db);
+    pOther->aborted = 1;
+  }
+}
+
+/*
+** This routine is called the when a VDBE tries to halt.  If the VDBE
+** has made changes and is in autocommit mode, then commit those
+** changes.  If a rollback is needed, then do the rollback.
+**
+** This routine is the only way to move the state of a VM from
+** SQLITE_MAGIC_RUN to SQLITE_MAGIC_HALT.
+**
+** Return an error code.  If the commit could not complete because of
+** lock contention, return SQLITE_BUSY.  If SQLITE_BUSY is returned, it
+** means the close did not happen and needs to be repeated.
+*/
+int sqlite3VdbeHalt(Vdbe *p){
+  sqlite3 *db = p->db;
+  int i;
+  int (*xFunc)(Btree *pBt) = 0;  /* Function to call on each btree backend */
+  int isSpecialError;            /* Set to true if SQLITE_NOMEM or IOERR */
+
+  /* This function contains the logic that determines if a statement or
+  ** transaction will be committed or rolled back as a result of the
+  ** execution of this virtual machine. 
+  **
+  ** Special errors:
+  **
+  **     If an SQLITE_NOMEM error has occured in a statement that writes to
+  **     the database, then either a statement or transaction must be rolled
+  **     back to ensure the tree-structures are in a consistent state. A
+  **     statement transaction is rolled back if one is open, otherwise the
+  **     entire transaction must be rolled back.
+  **
+  **     If an SQLITE_IOERR error has occured in a statement that writes to
+  **     the database, then the entire transaction must be rolled back. The
+  **     I/O error may have caused garbage to be written to the journal 
+  **     file. Were the transaction to continue and eventually be rolled 
+  **     back that garbage might end up in the database file.
+  **     
+  **     In both of the above cases, the Vdbe.errorAction variable is 
+  **     ignored. If the sqlite3.autoCommit flag is false and a transaction
+  **     is rolled back, it will be set to true.
+  **
+  ** Other errors:
+  **
+  ** No error:
+  **
+  */
+
+  if( sqlite3MallocFailed() ){
+    p->rc = SQLITE_NOMEM;
+  }
+  if( p->magic!=VDBE_MAGIC_RUN ){
+    /* Already halted.  Nothing to do. */
+    assert( p->magic==VDBE_MAGIC_HALT );
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    closeAllCursors(p);
+#endif
+    return SQLITE_OK;
+  }
+  closeAllCursors(p);
+  checkActiveVdbeCnt(db);
+
+  /* No commit or rollback needed if the program never started */
+  if( p->pc>=0 ){
+    int mrc;   /* Primary error code from p->rc */
+    /* Check for one of the special errors - SQLITE_NOMEM or SQLITE_IOERR */
+    mrc = p->rc & 0xff;
+    isSpecialError = ((mrc==SQLITE_NOMEM || mrc==SQLITE_IOERR)?1:0);
+    if( isSpecialError ){
+      /* This loop does static analysis of the query to see which of the
+      ** following three categories it falls into:
+      **
+      **     Read-only
+      **     Query with statement journal
+      **     Query without statement journal
+      **
+      ** We could do something more elegant than this static analysis (i.e.
+      ** store the type of query as part of the compliation phase), but 
+      ** handling malloc() or IO failure is a fairly obscure edge case so 
+      ** this is probably easier. Todo: Might be an opportunity to reduce 
+      ** code size a very small amount though...
+      */
+      int isReadOnly = 1;
+      int isStatement = 0;
+      assert(p->aOp || p->nOp==0);
+      for(i=0; i<p->nOp; i++){ 
+        switch( p->aOp[i].opcode ){
+          case OP_Transaction:
+            isReadOnly = 0;
+            break;
+          case OP_Statement:
+            isStatement = 1;
+            break;
+        }
+      }
+  
+      /* If the query was read-only, we need do no rollback at all. Otherwise,
+      ** proceed with the special handling.
+      */
+      if( !isReadOnly ){
+        if( p->rc==SQLITE_NOMEM && isStatement ){
+          xFunc = sqlite3BtreeRollbackStmt;
+        }else{
+          /* We are forced to roll back the active transaction. Before doing
+          ** so, abort any other statements this handle currently has active.
+          */
+          sqlite3AbortOtherActiveVdbes(db, p);
+          sqlite3RollbackAll(db);
+          db->autoCommit = 1;
+        }
+      }
+    }
+  
+    /* If the auto-commit flag is set and this is the only active vdbe, then
+    ** we do either a commit or rollback of the current transaction. 
+    **
+    ** Note: This block also runs if one of the special errors handled 
+    ** above has occured. 
+    */
+    if( db->autoCommit && db->activeVdbeCnt==1 ){
+      if( p->rc==SQLITE_OK || (p->errorAction==OE_Fail && !isSpecialError) ){
+	/* The auto-commit flag is true, and the vdbe program was 
+        ** successful or hit an 'OR FAIL' constraint. This means a commit 
+        ** is required.
+        */
+        int rc = vdbeCommit(db);
+        if( rc==SQLITE_BUSY ){
+          return SQLITE_BUSY;
+        }else if( rc!=SQLITE_OK ){
+          p->rc = rc;
+          sqlite3RollbackAll(db);
+        }else{
+          sqlite3CommitInternalChanges(db);
+        }
+      }else{
+        sqlite3RollbackAll(db);
+      }
+    }else if( !xFunc ){
+      if( p->rc==SQLITE_OK || p->errorAction==OE_Fail ){
+        xFunc = sqlite3BtreeCommitStmt;
+      }else if( p->errorAction==OE_Abort ){
+        xFunc = sqlite3BtreeRollbackStmt;
+      }else{
+        sqlite3AbortOtherActiveVdbes(db, p);
+        sqlite3RollbackAll(db);
+        db->autoCommit = 1;
+      }
+    }
+  
+    /* If xFunc is not NULL, then it is one of sqlite3BtreeRollbackStmt or
+    ** sqlite3BtreeCommitStmt. Call it once on each backend. If an error occurs
+    ** and the return code is still SQLITE_OK, set the return code to the new
+    ** error value.
+    */
+    assert(!xFunc ||
+      xFunc==sqlite3BtreeCommitStmt ||
+      xFunc==sqlite3BtreeRollbackStmt
+    );
+    for(i=0; xFunc && i<db->nDb; i++){ 
+      int rc;
+      Btree *pBt = db->aDb[i].pBt;
+      if( pBt ){
+        rc = xFunc(pBt);
+        if( rc && (p->rc==SQLITE_OK || p->rc==SQLITE_CONSTRAINT) ){
+          p->rc = rc;
+          sqlite3SetString(&p->zErrMsg, 0);
+        }
+      }
+    }
+  
+    /* If this was an INSERT, UPDATE or DELETE and the statement was committed, 
+    ** set the change counter. 
+    */
+    if( p->changeCntOn && p->pc>=0 ){
+      if( !xFunc || xFunc==sqlite3BtreeCommitStmt ){
+        sqlite3VdbeSetChanges(db, p->nChange);
+      }else{
+        sqlite3VdbeSetChanges(db, 0);
+      }
+      p->nChange = 0;
+    }
+  
+    /* Rollback or commit any schema changes that occurred. */
+    if( p->rc!=SQLITE_OK && db->flags&SQLITE_InternChanges ){
+      sqlite3ResetInternalSchema(db, 0);
+      db->flags = (db->flags | SQLITE_InternChanges);
+    }
+  }
+
+  /* We have successfully halted and closed the VM.  Record this fact. */
+  if( p->pc>=0 ){
+    db->activeVdbeCnt--;
+  }
+  p->magic = VDBE_MAGIC_HALT;
+  checkActiveVdbeCnt(db);
+
+  return SQLITE_OK;
+}
+
+/*
+** Each VDBE holds the result of the most recent sqlite3_step() call
+** in p->rc.  This routine sets that result back to SQLITE_OK.
+*/
+void sqlite3VdbeResetStepResult(Vdbe *p){
+  p->rc = SQLITE_OK;
+}
+
+/*
+** Clean up a VDBE after execution but do not delete the VDBE just yet.
+** Write any error messages into *pzErrMsg.  Return the result code.
+**
+** After this routine is run, the VDBE should be ready to be executed
+** again.
+**
+** To look at it another way, this routine resets the state of the
+** virtual machine from VDBE_MAGIC_RUN or VDBE_MAGIC_HALT back to
+** VDBE_MAGIC_INIT.
+*/
+int sqlite3VdbeReset(Vdbe *p){
+  sqlite3 *db;
+  db = p->db;
+
+  /* If the VM did not run to completion or if it encountered an
+  ** error, then it might not have been halted properly.  So halt
+  ** it now.
+  */
+  sqlite3SafetyOn(db);
+  sqlite3VdbeHalt(p);
+  sqlite3SafetyOff(db);
+
+  /* If the VDBE has be run even partially, then transfer the error code
+  ** and error message from the VDBE into the main database structure.  But
+  ** if the VDBE has just been set to run but has not actually executed any
+  ** instructions yet, leave the main database error information unchanged.
+  */
+  if( p->pc>=0 ){
+    if( p->zErrMsg ){
+      sqlite3ValueSetStr(db->pErr, -1, p->zErrMsg, SQLITE_UTF8, sqlite3FreeX);
+      db->errCode = p->rc;
+      p->zErrMsg = 0;
+    }else if( p->rc ){
+      sqlite3Error(db, p->rc, 0);
+    }else{
+      sqlite3Error(db, SQLITE_OK, 0);
+    }
+  }else if( p->rc && p->expired ){
+    /* The expired flag was set on the VDBE before the first call
+    ** to sqlite3_step(). For consistency (since sqlite3_step() was
+    ** called), set the database error in this case as well.
+    */
+    sqlite3Error(db, p->rc, 0);
+  }
+
+  /* Reclaim all memory used by the VDBE
+  */
+  Cleanup(p);
+
+  /* Save profiling information from this VDBE run.
+  */
+  assert( p->pTos<&p->aStack[p->pc<0?0:p->pc] || !p->aStack );
+#ifdef VDBE_PROFILE
+  {
+    FILE *out = fopen("vdbe_profile.out", "a");
+    if( out ){
+      int i;
+      fprintf(out, "---- ");
+      for(i=0; i<p->nOp; i++){
+        fprintf(out, "%02x", p->aOp[i].opcode);
+      }
+      fprintf(out, "\n");
+      for(i=0; i<p->nOp; i++){
+        fprintf(out, "%6d %10lld %8lld ",
+           p->aOp[i].cnt,
+           p->aOp[i].cycles,
+           p->aOp[i].cnt>0 ? p->aOp[i].cycles/p->aOp[i].cnt : 0
+        );
+        sqlite3VdbePrintOp(out, i, &p->aOp[i]);
+      }
+      fclose(out);
+    }
+  }
+#endif
+  p->magic = VDBE_MAGIC_INIT;
+  p->aborted = 0;
+  if( p->rc==SQLITE_SCHEMA ){
+    sqlite3ResetInternalSchema(db, 0);
+  }
+  return p->rc & db->errMask;
+}
+ 
+/*
+** Clean up and delete a VDBE after execution.  Return an integer which is
+** the result code.  Write any error message text into *pzErrMsg.
+*/
+int sqlite3VdbeFinalize(Vdbe *p){
+  int rc = SQLITE_OK;
+  if( p->magic==VDBE_MAGIC_RUN || p->magic==VDBE_MAGIC_HALT ){
+    rc = sqlite3VdbeReset(p);
+    assert( (rc & p->db->errMask)==rc );
+  }else if( p->magic!=VDBE_MAGIC_INIT ){
+    return SQLITE_MISUSE;
+  }
+  sqlite3VdbeDelete(p);
+  return rc;
+}
+
+/*
+** Call the destructor for each auxdata entry in pVdbeFunc for which
+** the corresponding bit in mask is clear.  Auxdata entries beyond 31
+** are always destroyed.  To destroy all auxdata entries, call this
+** routine with mask==0.
+*/
+void sqlite3VdbeDeleteAuxData(VdbeFunc *pVdbeFunc, int mask){
+  int i;
+  for(i=0; i<pVdbeFunc->nAux; i++){
+    struct AuxData *pAux = &pVdbeFunc->apAux[i];
+    if( (i>31 || !(mask&(1<<i))) && pAux->pAux ){
+      if( pAux->xDelete ){
+        pAux->xDelete(pAux->pAux);
+      }
+      pAux->pAux = 0;
+    }
+  }
+}
+
+/*
+** Delete an entire VDBE.
+*/
+void sqlite3VdbeDelete(Vdbe *p){
+  int i;
+  if( p==0 ) return;
+  Cleanup(p);
+  if( p->pPrev ){
+    p->pPrev->pNext = p->pNext;
+  }else{
+    assert( p->db->pVdbe==p );
+    p->db->pVdbe = p->pNext;
+  }
+  if( p->pNext ){
+    p->pNext->pPrev = p->pPrev;
+  }
+  if( p->aOp ){
+    for(i=0; i<p->nOp; i++){
+      Op *pOp = &p->aOp[i];
+      freeP3(pOp->p3type, pOp->p3);
+    }
+    sqliteFree(p->aOp);
+  }
+  releaseMemArray(p->aVar, p->nVar);
+  sqliteFree(p->aLabel);
+  sqliteFree(p->aStack);
+  releaseMemArray(p->aColName, p->nResColumn*COLNAME_N);
+  sqliteFree(p->aColName);
+  sqliteFree(p->zSql);
+  p->magic = VDBE_MAGIC_DEAD;
+  sqliteFree(p);
+}
+
+/*
+** If a MoveTo operation is pending on the given cursor, then do that
+** MoveTo now.  Return an error code.  If no MoveTo is pending, this
+** routine does nothing and returns SQLITE_OK.
+*/
+int sqlite3VdbeCursorMoveto(Cursor *p){
+  if( p->deferredMoveto ){
+    int res, rc;
+#ifdef SQLITE_TEST
+    extern int sqlite3_search_count;
+#endif
+    assert( p->isTable );
+    rc = sqlite3BtreeMoveto(p->pCursor, 0, p->movetoTarget, 0, &res);
+    if( rc ) return rc;
+    *p->pIncrKey = 0;
+    p->lastRowid = keyToInt(p->movetoTarget);
+    p->rowidIsValid = res==0;
+    if( res<0 ){
+      rc = sqlite3BtreeNext(p->pCursor, &res);
+      if( rc ) return rc;
+    }
+#ifdef SQLITE_TEST
+    sqlite3_search_count++;
+#endif
+    p->deferredMoveto = 0;
+    p->cacheStatus = CACHE_STALE;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** The following functions:
+**
+** sqlite3VdbeSerialType()
+** sqlite3VdbeSerialTypeLen()
+** sqlite3VdbeSerialRead()
+** sqlite3VdbeSerialLen()
+** sqlite3VdbeSerialWrite()
+**
+** encapsulate the code that serializes values for storage in SQLite
+** data and index records. Each serialized value consists of a
+** 'serial-type' and a blob of data. The serial type is an 8-byte unsigned
+** integer, stored as a varint.
+**
+** In an SQLite index record, the serial type is stored directly before
+** the blob of data that it corresponds to. In a table record, all serial
+** types are stored at the start of the record, and the blobs of data at
+** the end. Hence these functions allow the caller to handle the
+** serial-type and data blob seperately.
+**
+** The following table describes the various storage classes for data:
+**
+**   serial type        bytes of data      type
+**   --------------     ---------------    ---------------
+**      0                     0            NULL
+**      1                     1            signed integer
+**      2                     2            signed integer
+**      3                     3            signed integer
+**      4                     4            signed integer
+**      5                     6            signed integer
+**      6                     8            signed integer
+**      7                     8            IEEE float
+**      8                     0            Integer constant 0
+**      9                     0            Integer constant 1
+**     10,11                               reserved for expansion
+**    N>=12 and even       (N-12)/2        BLOB
+**    N>=13 and odd        (N-13)/2        text
+**
+** The 8 and 9 types were added in 3.3.0, file format 4.  Prior versions
+** of SQLite will not understand those serial types.
+*/
+
+/*
+** Return the serial-type for the value stored in pMem.
+*/
+u32 sqlite3VdbeSerialType(Mem *pMem, int file_format){
+  int flags = pMem->flags;
+
+  if( flags&MEM_Null ){
+    return 0;
+  }
+  if( flags&MEM_Int ){
+    /* Figure out whether to use 1, 2, 4, 6 or 8 bytes. */
+#   define MAX_6BYTE ((((i64)0x00001000)<<32)-1)
+    i64 i = pMem->u.i;
+    u64 u;
+    if( file_format>=4 && (i&1)==i ){
+      return 8+i;
+    }
+    u = i<0 ? -i : i;
+    if( u<=127 ) return 1;
+    if( u<=32767 ) return 2;
+    if( u<=8388607 ) return 3;
+    if( u<=2147483647 ) return 4;
+    if( u<=MAX_6BYTE ) return 5;
+    return 6;
+  }
+  if( flags&MEM_Real ){
+    return 7;
+  }
+  if( flags&MEM_Str ){
+    int n = pMem->n;
+    assert( n>=0 );
+    return ((n*2) + 13);
+  }
+  assert( (flags & MEM_Blob)!=0 );
+  return (pMem->n*2 + 12);
+}
+
+/*
+** Return the length of the data corresponding to the supplied serial-type.
+*/
+int sqlite3VdbeSerialTypeLen(u32 serial_type){
+  if( serial_type>=12 ){
+    return (serial_type-12)/2;
+  }else{
+    static const u8 aSize[] = { 0, 1, 2, 3, 4, 6, 8, 8, 0, 0, 0, 0 };
+    return aSize[serial_type];
+  }
+}
+
+/*
+** Write the serialized data blob for the value stored in pMem into 
+** buf. It is assumed that the caller has allocated sufficient space.
+** Return the number of bytes written.
+*/ 
+int sqlite3VdbeSerialPut(unsigned char *buf, Mem *pMem, int file_format){
+  u32 serial_type = sqlite3VdbeSerialType(pMem, file_format);
+  int len;
+
+  /* Integer and Real */
+  if( serial_type<=7 && serial_type>0 ){
+    u64 v;
+    int i;
+    if( serial_type==7 ){
+      assert( sizeof(v)==sizeof(pMem->r) );
+      memcpy(&v, &pMem->r, sizeof(v));
+    }else{
+      v = pMem->u.i;
+    }
+    len = i = sqlite3VdbeSerialTypeLen(serial_type);
+    while( i-- ){
+      buf[i] = (v&0xFF);
+      v >>= 8;
+    }
+    return len;
+  }
+
+  /* String or blob */
+  if( serial_type>=12 ){
+    len = sqlite3VdbeSerialTypeLen(serial_type);
+    memcpy(buf, pMem->z, len);
+    return len;
+  }
+
+  /* NULL or constants 0 or 1 */
+  return 0;
+}
+
+/*
+** Deserialize the data blob pointed to by buf as serial type serial_type
+** and store the result in pMem.  Return the number of bytes read.
+*/ 
+int sqlite3VdbeSerialGet(
+  const unsigned char *buf,     /* Buffer to deserialize from */
+  u32 serial_type,              /* Serial type to deserialize */
+  Mem *pMem                     /* Memory cell to write value into */
+){
+  switch( serial_type ){
+    case 10:   /* Reserved for future use */
+    case 11:   /* Reserved for future use */
+    case 0: {  /* NULL */
+      pMem->flags = MEM_Null;
+      break;
+    }
+    case 1: { /* 1-byte signed integer */
+      pMem->u.i = (signed char)buf[0];
+      pMem->flags = MEM_Int;
+      return 1;
+    }
+    case 2: { /* 2-byte signed integer */
+      pMem->u.i = (((signed char)buf[0])<<8) | buf[1];
+      pMem->flags = MEM_Int;
+      return 2;
+    }
+    case 3: { /* 3-byte signed integer */
+      pMem->u.i = (((signed char)buf[0])<<16) | (buf[1]<<8) | buf[2];
+      pMem->flags = MEM_Int;
+      return 3;
+    }
+    case 4: { /* 4-byte signed integer */
+      pMem->u.i = (buf[0]<<24) | (buf[1]<<16) | (buf[2]<<8) | buf[3];
+      pMem->flags = MEM_Int;
+      return 4;
+    }
+    case 5: { /* 6-byte signed integer */
+      u64 x = (((signed char)buf[0])<<8) | buf[1];
+      u32 y = (buf[2]<<24) | (buf[3]<<16) | (buf[4]<<8) | buf[5];
+      x = (x<<32) | y;
+      pMem->u.i = *(i64*)&x;
+      pMem->flags = MEM_Int;
+      return 6;
+    }
+    case 6:   /* 8-byte signed integer */
+    case 7: { /* IEEE floating point */
+      u64 x;
+      u32 y;
+#if !defined(NDEBUG) && !defined(SQLITE_OMIT_FLOATING_POINT)
+      /* Verify that integers and floating point values use the same
+      ** byte order.  The byte order differs on some (broken) architectures.
+      */
+      static const u64 t1 = ((u64)0x3ff00000)<<32;
+      static const double r1 = 1.0;
+      assert( sizeof(r1)==sizeof(t1) && memcmp(&r1, &t1, sizeof(r1))==0 );
+#endif
+
+      x = (buf[0]<<24) | (buf[1]<<16) | (buf[2]<<8) | buf[3];
+      y = (buf[4]<<24) | (buf[5]<<16) | (buf[6]<<8) | buf[7];
+      x = (x<<32) | y;
+      if( serial_type==6 ){
+        pMem->u.i = *(i64*)&x;
+        pMem->flags = MEM_Int;
+      }else{
+        assert( sizeof(x)==8 && sizeof(pMem->r)==8 );
+        memcpy(&pMem->r, &x, sizeof(x));
+        /* pMem->r = *(double*)&x; */
+        pMem->flags = MEM_Real;
+      }
+      return 8;
+    }
+    case 8:    /* Integer 0 */
+    case 9: {  /* Integer 1 */
+      pMem->u.i = serial_type-8;
+      pMem->flags = MEM_Int;
+      return 0;
+    }
+    default: {
+      int len = (serial_type-12)/2;
+      pMem->z = (char *)buf;
+      pMem->n = len;
+      pMem->xDel = 0;
+      if( serial_type&0x01 ){
+        pMem->flags = MEM_Str | MEM_Ephem;
+      }else{
+        pMem->flags = MEM_Blob | MEM_Ephem;
+      }
+      return len;
+    }
+  }
+  return 0;
+}
+
+/*
+** The header of a record consists of a sequence variable-length integers.
+** These integers are almost always small and are encoded as a single byte.
+** The following macro takes advantage this fact to provide a fast decode
+** of the integers in a record header.  It is faster for the common case
+** where the integer is a single byte.  It is a little slower when the
+** integer is two or more bytes.  But overall it is faster.
+**
+** The following expressions are equivalent:
+**
+**     x = sqlite3GetVarint32( A, &B );
+**
+**     x = GetVarint( A, B );
+**
+*/
+#define GetVarint(A,B)  ((B = *(A))<=0x7f ? 1 : sqlite3GetVarint32(A, &B))
+
+/*
+** This function compares the two table rows or index records specified by 
+** {nKey1, pKey1} and {nKey2, pKey2}, returning a negative, zero
+** or positive integer if {nKey1, pKey1} is less than, equal to or 
+** greater than {nKey2, pKey2}.  Both Key1 and Key2 must be byte strings
+** composed by the OP_MakeRecord opcode of the VDBE.
+*/
+int sqlite3VdbeRecordCompare(
+  void *userData,
+  int nKey1, const void *pKey1, 
+  int nKey2, const void *pKey2
+){
+  KeyInfo *pKeyInfo = (KeyInfo*)userData;
+  u32 d1, d2;          /* Offset into aKey[] of next data element */
+  u32 idx1, idx2;      /* Offset into aKey[] of next header element */
+  u32 szHdr1, szHdr2;  /* Number of bytes in header */
+  int i = 0;
+  int nField;
+  int rc = 0;
+  const unsigned char *aKey1 = (const unsigned char *)pKey1;
+  const unsigned char *aKey2 = (const unsigned char *)pKey2;
+
+  Mem mem1;
+  Mem mem2;
+  mem1.enc = pKeyInfo->enc;
+  mem2.enc = pKeyInfo->enc;
+  
+  idx1 = GetVarint(aKey1, szHdr1);
+  d1 = szHdr1;
+  idx2 = GetVarint(aKey2, szHdr2);
+  d2 = szHdr2;
+  nField = pKeyInfo->nField;
+  while( idx1<szHdr1 && idx2<szHdr2 ){
+    u32 serial_type1;
+    u32 serial_type2;
+
+    /* Read the serial types for the next element in each key. */
+    idx1 += GetVarint( aKey1+idx1, serial_type1 );
+    if( d1>=nKey1 && sqlite3VdbeSerialTypeLen(serial_type1)>0 ) break;
+    idx2 += GetVarint( aKey2+idx2, serial_type2 );
+    if( d2>=nKey2 && sqlite3VdbeSerialTypeLen(serial_type2)>0 ) break;
+
+    /* Extract the values to be compared.
+    */
+    d1 += sqlite3VdbeSerialGet(&aKey1[d1], serial_type1, &mem1);
+    d2 += sqlite3VdbeSerialGet(&aKey2[d2], serial_type2, &mem2);
+
+    /* Do the comparison
+    */
+    rc = sqlite3MemCompare(&mem1, &mem2, i<nField ? pKeyInfo->aColl[i] : 0);
+    if( mem1.flags & MEM_Dyn ) sqlite3VdbeMemRelease(&mem1);
+    if( mem2.flags & MEM_Dyn ) sqlite3VdbeMemRelease(&mem2);
+    if( rc!=0 ){
+      break;
+    }
+    i++;
+  }
+
+  /* One of the keys ran out of fields, but all the fields up to that point
+  ** were equal. If the incrKey flag is true, then the second key is
+  ** treated as larger.
+  */
+  if( rc==0 ){
+    if( pKeyInfo->incrKey ){
+      rc = -1;
+    }else if( d1<nKey1 ){
+      rc = 1;
+    }else if( d2<nKey2 ){
+      rc = -1;
+    }
+  }else if( pKeyInfo->aSortOrder && i<pKeyInfo->nField
+               && pKeyInfo->aSortOrder[i] ){
+    rc = -rc;
+  }
+
+  return rc;
+}
+
+/*
+** The argument is an index entry composed using the OP_MakeRecord opcode.
+** The last entry in this record should be an integer (specifically
+** an integer rowid).  This routine returns the number of bytes in
+** that integer.
+*/
+int sqlite3VdbeIdxRowidLen(const u8 *aKey){
+  u32 szHdr;        /* Size of the header */
+  u32 typeRowid;    /* Serial type of the rowid */
+
+  sqlite3GetVarint32(aKey, &szHdr);
+  sqlite3GetVarint32(&aKey[szHdr-1], &typeRowid);
+  return sqlite3VdbeSerialTypeLen(typeRowid);
+}
+  
+
+/*
+** pCur points at an index entry created using the OP_MakeRecord opcode.
+** Read the rowid (the last field in the record) and store it in *rowid.
+** Return SQLITE_OK if everything works, or an error code otherwise.
+*/
+int sqlite3VdbeIdxRowid(BtCursor *pCur, i64 *rowid){
+  i64 nCellKey = 0;
+  int rc;
+  u32 szHdr;        /* Size of the header */
+  u32 typeRowid;    /* Serial type of the rowid */
+  u32 lenRowid;     /* Size of the rowid */
+  Mem m, v;
+
+  sqlite3BtreeKeySize(pCur, &nCellKey);
+  if( nCellKey<=0 ){
+    return SQLITE_CORRUPT_BKPT;
+  }
+  rc = sqlite3VdbeMemFromBtree(pCur, 0, nCellKey, 1, &m);
+  if( rc ){
+    return rc;
+  }
+  sqlite3GetVarint32((u8*)m.z, &szHdr);
+  sqlite3GetVarint32((u8*)&m.z[szHdr-1], &typeRowid);
+  lenRowid = sqlite3VdbeSerialTypeLen(typeRowid);
+  sqlite3VdbeSerialGet((u8*)&m.z[m.n-lenRowid], typeRowid, &v);
+  *rowid = v.u.i;
+  sqlite3VdbeMemRelease(&m);
+  return SQLITE_OK;
+}
+
+/*
+** Compare the key of the index entry that cursor pC is point to against
+** the key string in pKey (of length nKey).  Write into *pRes a number
+** that is negative, zero, or positive if pC is less than, equal to,
+** or greater than pKey.  Return SQLITE_OK on success.
+**
+** pKey is either created without a rowid or is truncated so that it
+** omits the rowid at the end.  The rowid at the end of the index entry
+** is ignored as well.
+*/
+int sqlite3VdbeIdxKeyCompare(
+  Cursor *pC,                 /* The cursor to compare against */
+  int nKey, const u8 *pKey,   /* The key to compare */
+  int *res                    /* Write the comparison result here */
+){
+  i64 nCellKey = 0;
+  int rc;
+  BtCursor *pCur = pC->pCursor;
+  int lenRowid;
+  Mem m;
+
+  sqlite3BtreeKeySize(pCur, &nCellKey);
+  if( nCellKey<=0 ){
+    *res = 0;
+    return SQLITE_OK;
+  }
+  rc = sqlite3VdbeMemFromBtree(pC->pCursor, 0, nCellKey, 1, &m);
+  if( rc ){
+    return rc;
+  }
+  lenRowid = sqlite3VdbeIdxRowidLen((u8*)m.z);
+  *res = sqlite3VdbeRecordCompare(pC->pKeyInfo, m.n-lenRowid, m.z, nKey, pKey);
+  sqlite3VdbeMemRelease(&m);
+  return SQLITE_OK;
+}
+
+/*
+** This routine sets the value to be returned by subsequent calls to
+** sqlite3_changes() on the database handle 'db'. 
+*/
+void sqlite3VdbeSetChanges(sqlite3 *db, int nChange){
+  db->nChange = nChange;
+  db->nTotalChange += nChange;
+}
+
+/*
+** Set a flag in the vdbe to update the change counter when it is finalised
+** or reset.
+*/
+void sqlite3VdbeCountChanges(Vdbe *v){
+  v->changeCntOn = 1;
+}
+
+/*
+** Mark every prepared statement associated with a database connection
+** as expired.
+**
+** An expired statement means that recompilation of the statement is
+** recommend.  Statements expire when things happen that make their
+** programs obsolete.  Removing user-defined functions or collating
+** sequences, or changing an authorization function are the types of
+** things that make prepared statements obsolete.
+*/
+void sqlite3ExpirePreparedStatements(sqlite3 *db){
+  Vdbe *p;
+  for(p = db->pVdbe; p; p=p->pNext){
+    p->expired = 1;
+  }
+}
+
+/*
+** Return the database associated with the Vdbe.
+*/
+sqlite3 *sqlite3VdbeDb(Vdbe *v){
+  return v->db;
+}
+
+/************** End of vdbeaux.c *********************************************/
+/************** Begin file vdbeapi.c *****************************************/
+/*
+** 2004 May 26
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+**
+** This file contains code use to implement APIs that are part of the
+** VDBE.
+*/
+
+/*
+** Return TRUE (non-zero) of the statement supplied as an argument needs
+** to be recompiled.  A statement needs to be recompiled whenever the
+** execution environment changes in a way that would alter the program
+** that sqlite3_prepare() generates.  For example, if new functions or
+** collating sequences are registered or if an authorizer function is
+** added or changed.
+*/
+int sqlite3_expired(sqlite3_stmt *pStmt){
+  Vdbe *p = (Vdbe*)pStmt;
+  return p==0 || p->expired;
+}
+
+/**************************** sqlite3_value_  *******************************
+** The following routines extract information from a Mem or sqlite3_value
+** structure.
+*/
+const void *sqlite3_value_blob(sqlite3_value *pVal){
+  Mem *p = (Mem*)pVal;
+  if( p->flags & (MEM_Blob|MEM_Str) ){
+    return p->z;
+  }else{
+    return sqlite3_value_text(pVal);
+  }
+}
+int sqlite3_value_bytes(sqlite3_value *pVal){
+  return sqlite3ValueBytes(pVal, SQLITE_UTF8);
+}
+int sqlite3_value_bytes16(sqlite3_value *pVal){
+  return sqlite3ValueBytes(pVal, SQLITE_UTF16NATIVE);
+}
+double sqlite3_value_double(sqlite3_value *pVal){
+  return sqlite3VdbeRealValue((Mem*)pVal);
+}
+int sqlite3_value_int(sqlite3_value *pVal){
+  return sqlite3VdbeIntValue((Mem*)pVal);
+}
+sqlite_int64 sqlite3_value_int64(sqlite3_value *pVal){
+  return sqlite3VdbeIntValue((Mem*)pVal);
+}
+const unsigned char *sqlite3_value_text(sqlite3_value *pVal){
+  return (const unsigned char *)sqlite3ValueText(pVal, SQLITE_UTF8);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_value_text16(sqlite3_value* pVal){
+  return sqlite3ValueText(pVal, SQLITE_UTF16NATIVE);
+}
+const void *sqlite3_value_text16be(sqlite3_value *pVal){
+  return sqlite3ValueText(pVal, SQLITE_UTF16BE);
+}
+const void *sqlite3_value_text16le(sqlite3_value *pVal){
+  return sqlite3ValueText(pVal, SQLITE_UTF16LE);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+int sqlite3_value_type(sqlite3_value* pVal){
+  return pVal->type;
+}
+/* sqlite3_value_numeric_type() defined in vdbe.c */
+
+/**************************** sqlite3_result_  *******************************
+** The following routines are used by user-defined functions to specify
+** the function result.
+*/
+void sqlite3_result_blob(
+  sqlite3_context *pCtx, 
+  const void *z, 
+  int n, 
+  void (*xDel)(void *)
+){
+  assert( n>=0 );
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, 0, xDel);
+}
+void sqlite3_result_double(sqlite3_context *pCtx, double rVal){
+  sqlite3VdbeMemSetDouble(&pCtx->s, rVal);
+}
+void sqlite3_result_error(sqlite3_context *pCtx, const char *z, int n){
+  pCtx->isError = 1;
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF8, SQLITE_TRANSIENT);
+}
+#ifndef SQLITE_OMIT_UTF16
+void sqlite3_result_error16(sqlite3_context *pCtx, const void *z, int n){
+  pCtx->isError = 1;
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF16NATIVE, SQLITE_TRANSIENT);
+}
+#endif
+void sqlite3_result_int(sqlite3_context *pCtx, int iVal){
+  sqlite3VdbeMemSetInt64(&pCtx->s, (i64)iVal);
+}
+void sqlite3_result_int64(sqlite3_context *pCtx, i64 iVal){
+  sqlite3VdbeMemSetInt64(&pCtx->s, iVal);
+}
+void sqlite3_result_null(sqlite3_context *pCtx){
+  sqlite3VdbeMemSetNull(&pCtx->s);
+}
+void sqlite3_result_text(
+  sqlite3_context *pCtx, 
+  const char *z, 
+  int n,
+  void (*xDel)(void *)
+){
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF8, xDel);
+}
+#ifndef SQLITE_OMIT_UTF16
+void sqlite3_result_text16(
+  sqlite3_context *pCtx, 
+  const void *z, 
+  int n, 
+  void (*xDel)(void *)
+){
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF16NATIVE, xDel);
+}
+void sqlite3_result_text16be(
+  sqlite3_context *pCtx, 
+  const void *z, 
+  int n, 
+  void (*xDel)(void *)
+){
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF16BE, xDel);
+}
+void sqlite3_result_text16le(
+  sqlite3_context *pCtx, 
+  const void *z, 
+  int n, 
+  void (*xDel)(void *)
+){
+  sqlite3VdbeMemSetStr(&pCtx->s, z, n, SQLITE_UTF16LE, xDel);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+void sqlite3_result_value(sqlite3_context *pCtx, sqlite3_value *pValue){
+  sqlite3VdbeMemCopy(&pCtx->s, pValue);
+}
+
+
+/*
+** Execute the statement pStmt, either until a row of data is ready, the
+** statement is completely executed or an error occurs.
+**
+** This routine implements the bulk of the logic behind the sqlite_step()
+** API.  The only thing omitted is the automatic recompile if a 
+** schema change has occurred.  That detail is handled by the
+** outer sqlite3_step() wrapper procedure.
+*/
+static int sqlite3Step(Vdbe *p){
+  sqlite3 *db;
+  int rc;
+
+  /* Assert that malloc() has not failed */
+  assert( !sqlite3MallocFailed() );
+
+  if( p==0 || p->magic!=VDBE_MAGIC_RUN ){
+    return SQLITE_MISUSE;
+  }
+  if( p->aborted ){
+    return SQLITE_ABORT;
+  }
+  if( p->pc<=0 && p->expired ){
+    if( p->rc==SQLITE_OK ){
+      p->rc = SQLITE_SCHEMA;
+    }
+    rc = SQLITE_ERROR;
+    goto end_of_step;
+  }
+  db = p->db;
+  if( sqlite3SafetyOn(db) ){
+    p->rc = SQLITE_MISUSE;
+    return SQLITE_MISUSE;
+  }
+  if( p->pc<0 ){
+    /* If there are no other statements currently running, then
+    ** reset the interrupt flag.  This prevents a call to sqlite3_interrupt
+    ** from interrupting a statement that has not yet started.
+    */
+    if( db->activeVdbeCnt==0 ){
+      db->u1.isInterrupted = 0;
+    }
+
+#ifndef SQLITE_OMIT_TRACE
+    /* Invoke the trace callback if there is one
+    */
+    if( db->xTrace && !db->init.busy ){
+      assert( p->nOp>0 );
+      assert( p->aOp[p->nOp-1].opcode==OP_Noop );
+      assert( p->aOp[p->nOp-1].p3!=0 );
+      assert( p->aOp[p->nOp-1].p3type==P3_DYNAMIC );
+      sqlite3SafetyOff(db);
+      db->xTrace(db->pTraceArg, p->aOp[p->nOp-1].p3);
+      if( sqlite3SafetyOn(db) ){
+        p->rc = SQLITE_MISUSE;
+        return SQLITE_MISUSE;
+      }
+    }
+    if( db->xProfile && !db->init.busy ){
+      double rNow;
+      sqlite3OsCurrentTime(&rNow);
+      p->startTime = (rNow - (int)rNow)*3600.0*24.0*1000000000.0;
+    }
+#endif
+
+    /* Print a copy of SQL as it is executed if the SQL_TRACE pragma is turned
+    ** on in debugging mode.
+    */
+#ifdef SQLITE_DEBUG
+    if( (db->flags & SQLITE_SqlTrace)!=0 ){
+      sqlite3DebugPrintf("SQL-trace: %s\n", p->aOp[p->nOp-1].p3);
+    }
+#endif /* SQLITE_DEBUG */
+
+    db->activeVdbeCnt++;
+    p->pc = 0;
+  }
+#ifndef SQLITE_OMIT_EXPLAIN
+  if( p->explain ){
+    rc = sqlite3VdbeList(p);
+  }else
+#endif /* SQLITE_OMIT_EXPLAIN */
+  {
+    rc = sqlite3VdbeExec(p);
+  }
+
+  if( sqlite3SafetyOff(db) ){
+    rc = SQLITE_MISUSE;
+  }
+
+#ifndef SQLITE_OMIT_TRACE
+  /* Invoke the profile callback if there is one
+  */
+  if( rc!=SQLITE_ROW && db->xProfile && !db->init.busy ){
+    double rNow;
+    u64 elapseTime;
+
+    sqlite3OsCurrentTime(&rNow);
+    elapseTime = (rNow - (int)rNow)*3600.0*24.0*1000000000.0 - p->startTime;
+    assert( p->nOp>0 );
+    assert( p->aOp[p->nOp-1].opcode==OP_Noop );
+    assert( p->aOp[p->nOp-1].p3!=0 );
+    assert( p->aOp[p->nOp-1].p3type==P3_DYNAMIC );
+    db->xProfile(db->pProfileArg, p->aOp[p->nOp-1].p3, elapseTime);
+  }
+#endif
+
+  sqlite3Error(p->db, rc, 0);
+  p->rc = sqlite3ApiExit(p->db, p->rc);
+end_of_step:
+  assert( (rc&0xff)==rc );
+  if( p->zSql && (rc&0xff)<SQLITE_ROW ){
+    /* This behavior occurs if sqlite3_prepare_v2() was used to build
+    ** the prepared statement.  Return error codes directly */
+    return p->rc;
+  }else{
+    /* This is for legacy sqlite3_prepare() builds and when the code
+    ** is SQLITE_ROW or SQLITE_DONE */
+    return rc;
+  }
+}
+
+/*
+** This is the top-level implementation of sqlite3_step().  Call
+** sqlite3Step() to do most of the work.  If a schema error occurs,
+** call sqlite3Reprepare() and try again.
+*/
+#ifdef SQLITE_OMIT_PARSER
+int sqlite3_step(sqlite3_stmt *pStmt){
+  return sqlite3Step((Vdbe*)pStmt);
+}
+#else
+int sqlite3_step(sqlite3_stmt *pStmt){
+  int cnt = 0;
+  int rc;
+  Vdbe *v = (Vdbe*)pStmt;
+  while( (rc = sqlite3Step(v))==SQLITE_SCHEMA
+         && cnt++ < 5
+         && sqlite3Reprepare(v) ){
+    sqlite3_reset(pStmt);
+    v->expired = 0;
+  }
+  return rc;
+}
+#endif
+
+/*
+** Extract the user data from a sqlite3_context structure and return a
+** pointer to it.
+*/
+void *sqlite3_user_data(sqlite3_context *p){
+  assert( p && p->pFunc );
+  return p->pFunc->pUserData;
+}
+
+/*
+** The following is the implementation of an SQL function that always
+** fails with an error message stating that the function is used in the
+** wrong context.  The sqlite3_overload_function() API might construct
+** SQL function that use this routine so that the functions will exist
+** for name resolution but are actually overloaded by the xFindFunction
+** method of virtual tables.
+*/
+void sqlite3InvalidFunction(
+  sqlite3_context *context,  /* The function calling context */
+  int argc,                  /* Number of arguments to the function */
+  sqlite3_value **argv       /* Value of each argument */
+){
+  const char *zName = context->pFunc->zName;
+  char *zErr;
+  zErr = sqlite3MPrintf(
+      "unable to use function %s in the requested context", zName);
+  sqlite3_result_error(context, zErr, -1);
+  sqliteFree(zErr);
+}
+
+/*
+** Allocate or return the aggregate context for a user function.  A new
+** context is allocated on the first call.  Subsequent calls return the
+** same context that was returned on prior calls.
+*/
+void *sqlite3_aggregate_context(sqlite3_context *p, int nByte){
+  Mem *pMem = p->pMem;
+  assert( p && p->pFunc && p->pFunc->xStep );
+  if( (pMem->flags & MEM_Agg)==0 ){
+    if( nByte==0 ){
+      assert( pMem->flags==MEM_Null );
+      pMem->z = 0;
+    }else{
+      pMem->flags = MEM_Agg;
+      pMem->xDel = sqlite3FreeX;
+      pMem->u.pDef = p->pFunc;
+      if( nByte<=NBFS ){
+        pMem->z = pMem->zShort;
+        memset(pMem->z, 0, nByte);
+      }else{
+        pMem->z = sqliteMalloc( nByte );
+      }
+    }
+  }
+  return (void*)pMem->z;
+}
+
+/*
+** Return the auxilary data pointer, if any, for the iArg'th argument to
+** the user-function defined by pCtx.
+*/
+void *sqlite3_get_auxdata(sqlite3_context *pCtx, int iArg){
+  VdbeFunc *pVdbeFunc = pCtx->pVdbeFunc;
+  if( !pVdbeFunc || iArg>=pVdbeFunc->nAux || iArg<0 ){
+    return 0;
+  }
+  return pVdbeFunc->apAux[iArg].pAux;
+}
+
+/*
+** Set the auxilary data pointer and delete function, for the iArg'th
+** argument to the user-function defined by pCtx. Any previous value is
+** deleted by calling the delete function specified when it was set.
+*/
+void sqlite3_set_auxdata(
+  sqlite3_context *pCtx, 
+  int iArg, 
+  void *pAux, 
+  void (*xDelete)(void*)
+){
+  struct AuxData *pAuxData;
+  VdbeFunc *pVdbeFunc;
+  if( iArg<0 ) return;
+
+  pVdbeFunc = pCtx->pVdbeFunc;
+  if( !pVdbeFunc || pVdbeFunc->nAux<=iArg ){
+    int nMalloc = sizeof(VdbeFunc) + sizeof(struct AuxData)*iArg;
+    pVdbeFunc = sqliteRealloc(pVdbeFunc, nMalloc);
+    if( !pVdbeFunc ) return;
+    pCtx->pVdbeFunc = pVdbeFunc;
+    memset(&pVdbeFunc->apAux[pVdbeFunc->nAux], 0, 
+             sizeof(struct AuxData)*(iArg+1-pVdbeFunc->nAux));
+    pVdbeFunc->nAux = iArg+1;
+    pVdbeFunc->pFunc = pCtx->pFunc;
+  }
+
+  pAuxData = &pVdbeFunc->apAux[iArg];
+  if( pAuxData->pAux && pAuxData->xDelete ){
+    pAuxData->xDelete(pAuxData->pAux);
+  }
+  pAuxData->pAux = pAux;
+  pAuxData->xDelete = xDelete;
+}
+
+/*
+** Return the number of times the Step function of a aggregate has been 
+** called.
+**
+** This function is deprecated.  Do not use it for new code.  It is
+** provide only to avoid breaking legacy code.  New aggregate function
+** implementations should keep their own counts within their aggregate
+** context.
+*/
+int sqlite3_aggregate_count(sqlite3_context *p){
+  assert( p && p->pFunc && p->pFunc->xStep );
+  return p->pMem->n;
+}
+
+/*
+** Return the number of columns in the result set for the statement pStmt.
+*/
+int sqlite3_column_count(sqlite3_stmt *pStmt){
+  Vdbe *pVm = (Vdbe *)pStmt;
+  return pVm ? pVm->nResColumn : 0;
+}
+
+/*
+** Return the number of values available from the current row of the
+** currently executing statement pStmt.
+*/
+int sqlite3_data_count(sqlite3_stmt *pStmt){
+  Vdbe *pVm = (Vdbe *)pStmt;
+  if( pVm==0 || !pVm->resOnStack ) return 0;
+  return pVm->nResColumn;
+}
+
+
+/*
+** Check to see if column iCol of the given statement is valid.  If
+** it is, return a pointer to the Mem for the value of that column.
+** If iCol is not valid, return a pointer to a Mem which has a value
+** of NULL.
+*/
+static Mem *columnMem(sqlite3_stmt *pStmt, int i){
+  Vdbe *pVm = (Vdbe *)pStmt;
+  int vals = sqlite3_data_count(pStmt);
+  if( i>=vals || i<0 ){
+    static const Mem nullMem = {{0}, 0.0, "", 0, MEM_Null, MEM_Null };
+    sqlite3Error(pVm->db, SQLITE_RANGE, 0);
+    return (Mem*)&nullMem;
+  }
+  return &pVm->pTos[(1-vals)+i];
+}
+
+/*
+** This function is called after invoking an sqlite3_value_XXX function on a 
+** column value (i.e. a value returned by evaluating an SQL expression in the
+** select list of a SELECT statement) that may cause a malloc() failure. If 
+** malloc() has failed, the threads mallocFailed flag is cleared and the result
+** code of statement pStmt set to SQLITE_NOMEM.
+**
+** Specificly, this is called from within:
+**
+**     sqlite3_column_int()
+**     sqlite3_column_int64()
+**     sqlite3_column_text()
+**     sqlite3_column_text16()
+**     sqlite3_column_real()
+**     sqlite3_column_bytes()
+**     sqlite3_column_bytes16()
+**
+** But not for sqlite3_column_blob(), which never calls malloc().
+*/
+static void columnMallocFailure(sqlite3_stmt *pStmt)
+{
+  /* If malloc() failed during an encoding conversion within an
+  ** sqlite3_column_XXX API, then set the return code of the statement to
+  ** SQLITE_NOMEM. The next call to _step() (if any) will return SQLITE_ERROR
+  ** and _finalize() will return NOMEM.
+  */
+  Vdbe *p = (Vdbe *)pStmt;
+  p->rc = sqlite3ApiExit(0, p->rc);
+}
+
+/**************************** sqlite3_column_  *******************************
+** The following routines are used to access elements of the current row
+** in the result set.
+*/
+const void *sqlite3_column_blob(sqlite3_stmt *pStmt, int i){
+  const void *val;
+  sqlite3MallocDisallow();
+  val = sqlite3_value_blob( columnMem(pStmt,i) );
+  sqlite3MallocAllow();
+  return val;
+}
+int sqlite3_column_bytes(sqlite3_stmt *pStmt, int i){
+  int val = sqlite3_value_bytes( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+int sqlite3_column_bytes16(sqlite3_stmt *pStmt, int i){
+  int val = sqlite3_value_bytes16( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+double sqlite3_column_double(sqlite3_stmt *pStmt, int i){
+  double val = sqlite3_value_double( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+int sqlite3_column_int(sqlite3_stmt *pStmt, int i){
+  int val = sqlite3_value_int( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+sqlite_int64 sqlite3_column_int64(sqlite3_stmt *pStmt, int i){
+  sqlite_int64 val = sqlite3_value_int64( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+const unsigned char *sqlite3_column_text(sqlite3_stmt *pStmt, int i){
+  const unsigned char *val = sqlite3_value_text( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+sqlite3_value *sqlite3_column_value(sqlite3_stmt *pStmt, int i){
+  return columnMem(pStmt, i);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_text16(sqlite3_stmt *pStmt, int i){
+  const void *val = sqlite3_value_text16( columnMem(pStmt,i) );
+  columnMallocFailure(pStmt);
+  return val;
+}
+#endif /* SQLITE_OMIT_UTF16 */
+int sqlite3_column_type(sqlite3_stmt *pStmt, int i){
+  return sqlite3_value_type( columnMem(pStmt,i) );
+}
+
+/* The following function is experimental and subject to change or
+** removal */
+/*int sqlite3_column_numeric_type(sqlite3_stmt *pStmt, int i){
+**  return sqlite3_value_numeric_type( columnMem(pStmt,i) );
+**}
+*/
+
+/*
+** Convert the N-th element of pStmt->pColName[] into a string using
+** xFunc() then return that string.  If N is out of range, return 0.
+**
+** There are up to 5 names for each column.  useType determines which
+** name is returned.  Here are the names:
+**
+**    0      The column name as it should be displayed for output
+**    1      The datatype name for the column
+**    2      The name of the database that the column derives from
+**    3      The name of the table that the column derives from
+**    4      The name of the table column that the result column derives from
+**
+** If the result is not a simple column reference (if it is an expression
+** or a constant) then useTypes 2, 3, and 4 return NULL.
+*/
+static const void *columnName(
+  sqlite3_stmt *pStmt,
+  int N,
+  const void *(*xFunc)(Mem*),
+  int useType
+){
+  const void *ret;
+  Vdbe *p = (Vdbe *)pStmt;
+  int n = sqlite3_column_count(pStmt);
+
+  if( p==0 || N>=n || N<0 ){
+    return 0;
+  }
+  N += useType*n;
+  ret = xFunc(&p->aColName[N]);
+
+  /* A malloc may have failed inside of the xFunc() call. If this is the case,
+  ** clear the mallocFailed flag and return NULL.
+  */
+  sqlite3ApiExit(0, 0);
+  return ret;
+}
+
+/*
+** Return the name of the Nth column of the result set returned by SQL
+** statement pStmt.
+*/
+const char *sqlite3_column_name(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text, COLNAME_NAME);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_name16(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text16, COLNAME_NAME);
+}
+#endif
+
+/*
+** Return the column declaration type (if applicable) of the 'i'th column
+** of the result set of SQL statement pStmt.
+*/
+const char *sqlite3_column_decltype(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text, COLNAME_DECLTYPE);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_decltype16(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text16, COLNAME_DECLTYPE);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+#ifdef SQLITE_ENABLE_COLUMN_METADATA
+/*
+** Return the name of the database from which a result column derives.
+** NULL is returned if the result column is an expression or constant or
+** anything else which is not an unabiguous reference to a database column.
+*/
+const char *sqlite3_column_database_name(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text, COLNAME_DATABASE);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_database_name16(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text16, COLNAME_DATABASE);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** Return the name of the table from which a result column derives.
+** NULL is returned if the result column is an expression or constant or
+** anything else which is not an unabiguous reference to a database column.
+*/
+const char *sqlite3_column_table_name(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text, COLNAME_TABLE);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_table_name16(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text16, COLNAME_TABLE);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** Return the name of the table column from which a result column derives.
+** NULL is returned if the result column is an expression or constant or
+** anything else which is not an unabiguous reference to a database column.
+*/
+const char *sqlite3_column_origin_name(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text, COLNAME_COLUMN);
+}
+#ifndef SQLITE_OMIT_UTF16
+const void *sqlite3_column_origin_name16(sqlite3_stmt *pStmt, int N){
+  return columnName(
+      pStmt, N, (const void*(*)(Mem*))sqlite3_value_text16, COLNAME_COLUMN);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+#endif /* SQLITE_ENABLE_COLUMN_METADATA */
+
+
+/******************************* sqlite3_bind_  ***************************
+** 
+** Routines used to attach values to wildcards in a compiled SQL statement.
+*/
+/*
+** Unbind the value bound to variable i in virtual machine p. This is the 
+** the same as binding a NULL value to the column. If the "i" parameter is
+** out of range, then SQLITE_RANGE is returned. Othewise SQLITE_OK.
+**
+** The error code stored in database p->db is overwritten with the return
+** value in any case.
+*/
+static int vdbeUnbind(Vdbe *p, int i){
+  Mem *pVar;
+  if( p==0 || p->magic!=VDBE_MAGIC_RUN || p->pc>=0 ){
+    if( p ) sqlite3Error(p->db, SQLITE_MISUSE, 0);
+    return SQLITE_MISUSE;
+  }
+  if( i<1 || i>p->nVar ){
+    sqlite3Error(p->db, SQLITE_RANGE, 0);
+    return SQLITE_RANGE;
+  }
+  i--;
+  pVar = &p->aVar[i];
+  sqlite3VdbeMemRelease(pVar);
+  pVar->flags = MEM_Null;
+  sqlite3Error(p->db, SQLITE_OK, 0);
+  return SQLITE_OK;
+}
+
+/*
+** Bind a text or BLOB value.
+*/
+static int bindText(
+  sqlite3_stmt *pStmt, 
+  int i, 
+  const void *zData, 
+  int nData, 
+  void (*xDel)(void*),
+  int encoding
+){
+  Vdbe *p = (Vdbe *)pStmt;
+  Mem *pVar;
+  int rc;
+
+  rc = vdbeUnbind(p, i);
+  if( rc || zData==0 ){
+    return rc;
+  }
+  pVar = &p->aVar[i-1];
+  rc = sqlite3VdbeMemSetStr(pVar, zData, nData, encoding, xDel);
+  if( rc==SQLITE_OK && encoding!=0 ){
+    rc = sqlite3VdbeChangeEncoding(pVar, ENC(p->db));
+  }
+
+  sqlite3Error(((Vdbe *)pStmt)->db, rc, 0);
+  return sqlite3ApiExit(((Vdbe *)pStmt)->db, rc);
+}
+
+
+/*
+** Bind a blob value to an SQL statement variable.
+*/
+int sqlite3_bind_blob(
+  sqlite3_stmt *pStmt, 
+  int i, 
+  const void *zData, 
+  int nData, 
+  void (*xDel)(void*)
+){
+  return bindText(pStmt, i, zData, nData, xDel, 0);
+}
+int sqlite3_bind_double(sqlite3_stmt *pStmt, int i, double rValue){
+  int rc;
+  Vdbe *p = (Vdbe *)pStmt;
+  rc = vdbeUnbind(p, i);
+  if( rc==SQLITE_OK ){
+    sqlite3VdbeMemSetDouble(&p->aVar[i-1], rValue);
+  }
+  return rc;
+}
+int sqlite3_bind_int(sqlite3_stmt *p, int i, int iValue){
+  return sqlite3_bind_int64(p, i, (i64)iValue);
+}
+int sqlite3_bind_int64(sqlite3_stmt *pStmt, int i, sqlite_int64 iValue){
+  int rc;
+  Vdbe *p = (Vdbe *)pStmt;
+  rc = vdbeUnbind(p, i);
+  if( rc==SQLITE_OK ){
+    sqlite3VdbeMemSetInt64(&p->aVar[i-1], iValue);
+  }
+  return rc;
+}
+int sqlite3_bind_null(sqlite3_stmt* p, int i){
+  return vdbeUnbind((Vdbe *)p, i);
+}
+int sqlite3_bind_text( 
+  sqlite3_stmt *pStmt, 
+  int i, 
+  const char *zData, 
+  int nData, 
+  void (*xDel)(void*)
+){
+  return bindText(pStmt, i, zData, nData, xDel, SQLITE_UTF8);
+}
+#ifndef SQLITE_OMIT_UTF16
+int sqlite3_bind_text16(
+  sqlite3_stmt *pStmt, 
+  int i, 
+  const void *zData, 
+  int nData, 
+  void (*xDel)(void*)
+){
+  return bindText(pStmt, i, zData, nData, xDel, SQLITE_UTF16NATIVE);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+int sqlite3_bind_value(sqlite3_stmt *pStmt, int i, const sqlite3_value *pValue){
+  int rc;
+  Vdbe *p = (Vdbe *)pStmt;
+  rc = vdbeUnbind(p, i);
+  if( rc==SQLITE_OK ){
+    sqlite3VdbeMemCopy(&p->aVar[i-1], pValue);
+  }
+  return rc;
+}
+
+/*
+** Return the number of wildcards that can be potentially bound to.
+** This routine is added to support DBD::SQLite.  
+*/
+int sqlite3_bind_parameter_count(sqlite3_stmt *pStmt){
+  Vdbe *p = (Vdbe*)pStmt;
+  return p ? p->nVar : 0;
+}
+
+/*
+** Create a mapping from variable numbers to variable names
+** in the Vdbe.azVar[] array, if such a mapping does not already
+** exist.
+*/
+static void createVarMap(Vdbe *p){
+  if( !p->okVar ){
+    int j;
+    Op *pOp;
+    for(j=0, pOp=p->aOp; j<p->nOp; j++, pOp++){
+      if( pOp->opcode==OP_Variable ){
+        assert( pOp->p1>0 && pOp->p1<=p->nVar );
+        p->azVar[pOp->p1-1] = pOp->p3;
+      }
+    }
+    p->okVar = 1;
+  }
+}
+
+/*
+** Return the name of a wildcard parameter.  Return NULL if the index
+** is out of range or if the wildcard is unnamed.
+**
+** The result is always UTF-8.
+*/
+const char *sqlite3_bind_parameter_name(sqlite3_stmt *pStmt, int i){
+  Vdbe *p = (Vdbe*)pStmt;
+  if( p==0 || i<1 || i>p->nVar ){
+    return 0;
+  }
+  createVarMap(p);
+  return p->azVar[i-1];
+}
+
+/*
+** Given a wildcard parameter name, return the index of the variable
+** with that name.  If there is no variable with the given name,
+** return 0.
+*/
+int sqlite3_bind_parameter_index(sqlite3_stmt *pStmt, const char *zName){
+  Vdbe *p = (Vdbe*)pStmt;
+  int i;
+  if( p==0 ){
+    return 0;
+  }
+  createVarMap(p); 
+  if( zName ){
+    for(i=0; i<p->nVar; i++){
+      const char *z = p->azVar[i];
+      if( z && strcmp(z,zName)==0 ){
+        return i+1;
+      }
+    }
+  }
+  return 0;
+}
+
+/*
+** Transfer all bindings from the first statement over to the second.
+** If the two statements contain a different number of bindings, then
+** an SQLITE_ERROR is returned.
+*/
+int sqlite3_transfer_bindings(sqlite3_stmt *pFromStmt, sqlite3_stmt *pToStmt){
+  Vdbe *pFrom = (Vdbe*)pFromStmt;
+  Vdbe *pTo = (Vdbe*)pToStmt;
+  int i, rc = SQLITE_OK;
+  if( (pFrom->magic!=VDBE_MAGIC_RUN && pFrom->magic!=VDBE_MAGIC_HALT)
+    || (pTo->magic!=VDBE_MAGIC_RUN && pTo->magic!=VDBE_MAGIC_HALT) ){
+    return SQLITE_MISUSE;
+  }
+  if( pFrom->nVar!=pTo->nVar ){
+    return SQLITE_ERROR;
+  }
+  for(i=0; rc==SQLITE_OK && i<pFrom->nVar; i++){
+    sqlite3MallocDisallow();
+    rc = sqlite3VdbeMemMove(&pTo->aVar[i], &pFrom->aVar[i]);
+    sqlite3MallocAllow();
+  }
+  assert( rc==SQLITE_OK || rc==SQLITE_NOMEM );
+  return rc;
+}
+
+/*
+** Return the sqlite3* database handle to which the prepared statement given
+** in the argument belongs.  This is the same database handle that was
+** the first argument to the sqlite3_prepare() that was used to create
+** the statement in the first place.
+*/
+sqlite3 *sqlite3_db_handle(sqlite3_stmt *pStmt){
+  return pStmt ? ((Vdbe*)pStmt)->db : 0;
+}
+
+/************** End of vdbeapi.c *********************************************/
+/************** Begin file vdbe.c ********************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** The code in this file implements execution method of the 
+** Virtual Database Engine (VDBE).  A separate file ("vdbeaux.c")
+** handles housekeeping details such as creating and deleting
+** VDBE instances.  This file is solely interested in executing
+** the VDBE program.
+**
+** In the external interface, an "sqlite3_stmt*" is an opaque pointer
+** to a VDBE.
+**
+** The SQL parser generates a program which is then executed by
+** the VDBE to do the work of the SQL statement.  VDBE programs are 
+** similar in form to assembly language.  The program consists of
+** a linear sequence of operations.  Each operation has an opcode 
+** and 3 operands.  Operands P1 and P2 are integers.  Operand P3 
+** is a null-terminated string.   The P2 operand must be non-negative.
+** Opcodes will typically ignore one or more operands.  Many opcodes
+** ignore all three operands.
+**
+** Computation results are stored on a stack.  Each entry on the
+** stack is either an integer, a null-terminated string, a floating point
+** number, or the SQL "NULL" value.  An inplicit conversion from one
+** type to the other occurs as necessary.
+** 
+** Most of the code in this file is taken up by the sqlite3VdbeExec()
+** function which does the work of interpreting a VDBE program.
+** But other routines are also provided to help in building up
+** a program instruction by instruction.
+**
+** Various scripts scan this source file in order to generate HTML
+** documentation, headers files, or other derived files.  The formatting
+** of the code in this file is, therefore, important.  See other comments
+** in this file for details.  If in doubt, do not deviate from existing
+** commenting and indentation practices when changing or adding code.
+**
+** $Id$
+*/
+
+/*
+** The following global variable is incremented every time a cursor
+** moves, either by the OP_MoveXX, OP_Next, or OP_Prev opcodes.  The test
+** procedures use this information to make sure that indices are
+** working correctly.  This variable has no function other than to
+** help verify the correct operation of the library.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_search_count = 0;
+#endif
+
+/*
+** When this global variable is positive, it gets decremented once before
+** each instruction in the VDBE.  When reaches zero, the u1.isInterrupted
+** field of the sqlite3 structure is set in order to simulate and interrupt.
+**
+** This facility is used for testing purposes only.  It does not function
+** in an ordinary build.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_interrupt_count = 0;
+#endif
+
+/*
+** The next global variable is incremented each type the OP_Sort opcode
+** is executed.  The test procedures use this information to make sure that
+** sorting is occurring or not occuring at appropriate times.   This variable
+** has no function other than to help verify the correct operation of the
+** library.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_sort_count = 0;
+#endif
+
+/*
+** Release the memory associated with the given stack level.  This
+** leaves the Mem.flags field in an inconsistent state.
+*/
+#define Release(P) if((P)->flags&MEM_Dyn){ sqlite3VdbeMemRelease(P); }
+
+/*
+** Convert the given stack entity into a string if it isn't one
+** already. Return non-zero if a malloc() fails.
+*/
+#define Stringify(P, enc) \
+   if(((P)->flags&(MEM_Str|MEM_Blob))==0 && sqlite3VdbeMemStringify(P,enc)) \
+     { goto no_mem; }
+
+/*
+** Convert the given stack entity into a string that has been obtained
+** from sqliteMalloc().  This is different from Stringify() above in that
+** Stringify() will use the NBFS bytes of static string space if the string
+** will fit but this routine always mallocs for space.
+** Return non-zero if we run out of memory.
+*/
+#define Dynamicify(P,enc) sqlite3VdbeMemDynamicify(P)
+
+/*
+** The header of a record consists of a sequence variable-length integers.
+** These integers are almost always small and are encoded as a single byte.
+** The following macro takes advantage this fact to provide a fast decode
+** of the integers in a record header.  It is faster for the common case
+** where the integer is a single byte.  It is a little slower when the
+** integer is two or more bytes.  But overall it is faster.
+**
+** The following expressions are equivalent:
+**
+**     x = sqlite3GetVarint32( A, &B );
+**
+**     x = GetVarint( A, B );
+**
+*/
+#define GetVarint(A,B)  ((B = *(A))<=0x7f ? 1 : sqlite3GetVarint32(A, &B))
+
+/*
+** An ephemeral string value (signified by the MEM_Ephem flag) contains
+** a pointer to a dynamically allocated string where some other entity
+** is responsible for deallocating that string.  Because the stack entry
+** does not control the string, it might be deleted without the stack
+** entry knowing it.
+**
+** This routine converts an ephemeral string into a dynamically allocated
+** string that the stack entry itself controls.  In other words, it
+** converts an MEM_Ephem string into an MEM_Dyn string.
+*/
+#define Deephemeralize(P) \
+   if( ((P)->flags&MEM_Ephem)!=0 \
+       && sqlite3VdbeMemMakeWriteable(P) ){ goto no_mem;}
+
+/*
+** Argument pMem points at a memory cell that will be passed to a
+** user-defined function or returned to the user as the result of a query.
+** The second argument, 'db_enc' is the text encoding used by the vdbe for
+** stack variables.  This routine sets the pMem->enc and pMem->type
+** variables used by the sqlite3_value_*() routines.
+*/
+#define storeTypeInfo(A,B) _storeTypeInfo(A)
+static void _storeTypeInfo(Mem *pMem){
+  int flags = pMem->flags;
+  if( flags & MEM_Null ){
+    pMem->type = SQLITE_NULL;
+  }
+  else if( flags & MEM_Int ){
+    pMem->type = SQLITE_INTEGER;
+  }
+  else if( flags & MEM_Real ){
+    pMem->type = SQLITE_FLOAT;
+  }
+  else if( flags & MEM_Str ){
+    pMem->type = SQLITE_TEXT;
+  }else{
+    pMem->type = SQLITE_BLOB;
+  }
+}
+
+/*
+** Pop the stack N times.
+*/
+static void popStack(Mem **ppTos, int N){
+  Mem *pTos = *ppTos;
+  while( N>0 ){
+    N--;
+    Release(pTos);
+    pTos--;
+  }
+  *ppTos = pTos;
+}
+
+/*
+** Allocate cursor number iCur.  Return a pointer to it.  Return NULL
+** if we run out of memory.
+*/
+static Cursor *allocateCursor(Vdbe *p, int iCur, int iDb){
+  Cursor *pCx;
+  assert( iCur<p->nCursor );
+  if( p->apCsr[iCur] ){
+    sqlite3VdbeFreeCursor(p, p->apCsr[iCur]);
+  }
+  p->apCsr[iCur] = pCx = sqliteMalloc( sizeof(Cursor) );
+  if( pCx ){
+    pCx->iDb = iDb;
+  }
+  return pCx;
+}
+
+/*
+** Try to convert a value into a numeric representation if we can
+** do so without loss of information.  In other words, if the string
+** looks like a number, convert it into a number.  If it does not
+** look like a number, leave it alone.
+*/
+static void applyNumericAffinity(Mem *pRec){
+  if( (pRec->flags & (MEM_Real|MEM_Int))==0 ){
+    int realnum;
+    sqlite3VdbeMemNulTerminate(pRec);
+    if( (pRec->flags&MEM_Str)
+         && sqlite3IsNumber(pRec->z, &realnum, pRec->enc) ){
+      i64 value;
+      sqlite3VdbeChangeEncoding(pRec, SQLITE_UTF8);
+      if( !realnum && sqlite3atoi64(pRec->z, &value) ){
+        sqlite3VdbeMemRelease(pRec);
+        pRec->u.i = value;
+        pRec->flags = MEM_Int;
+      }else{
+        sqlite3VdbeMemRealify(pRec);
+      }
+    }
+  }
+}
+
+/*
+** Processing is determine by the affinity parameter:
+**
+** SQLITE_AFF_INTEGER:
+** SQLITE_AFF_REAL:
+** SQLITE_AFF_NUMERIC:
+**    Try to convert pRec to an integer representation or a 
+**    floating-point representation if an integer representation
+**    is not possible.  Note that the integer representation is
+**    always preferred, even if the affinity is REAL, because
+**    an integer representation is more space efficient on disk.
+**
+** SQLITE_AFF_TEXT:
+**    Convert pRec to a text representation.
+**
+** SQLITE_AFF_NONE:
+**    No-op.  pRec is unchanged.
+*/
+static void applyAffinity(Mem *pRec, char affinity, u8 enc){
+  if( affinity==SQLITE_AFF_TEXT ){
+    /* Only attempt the conversion to TEXT if there is an integer or real
+    ** representation (blob and NULL do not get converted) but no string
+    ** representation.
+    */
+    if( 0==(pRec->flags&MEM_Str) && (pRec->flags&(MEM_Real|MEM_Int)) ){
+      sqlite3VdbeMemStringify(pRec, enc);
+    }
+    pRec->flags &= ~(MEM_Real|MEM_Int);
+  }else if( affinity!=SQLITE_AFF_NONE ){
+    assert( affinity==SQLITE_AFF_INTEGER || affinity==SQLITE_AFF_REAL
+             || affinity==SQLITE_AFF_NUMERIC );
+    applyNumericAffinity(pRec);
+    if( pRec->flags & MEM_Real ){
+      sqlite3VdbeIntegerAffinity(pRec);
+    }
+  }
+}
+
+/*
+** Try to convert the type of a function argument or a result column
+** into a numeric representation.  Use either INTEGER or REAL whichever
+** is appropriate.  But only do the conversion if it is possible without
+** loss of information and return the revised type of the argument.
+**
+** This is an EXPERIMENTAL api and is subject to change or removal.
+*/
+int sqlite3_value_numeric_type(sqlite3_value *pVal){
+  Mem *pMem = (Mem*)pVal;
+  applyNumericAffinity(pMem);
+  storeTypeInfo(pMem, 0);
+  return pMem->type;
+}
+
+/*
+** Exported version of applyAffinity(). This one works on sqlite3_value*, 
+** not the internal Mem* type.
+*/
+void sqlite3ValueApplyAffinity(sqlite3_value *pVal, u8 affinity, u8 enc){
+  applyAffinity((Mem *)pVal, affinity, enc);
+}
+
+#ifdef SQLITE_DEBUG
+/*
+** Write a nice string representation of the contents of cell pMem
+** into buffer zBuf, length nBuf.
+*/
+void sqlite3VdbeMemPrettyPrint(Mem *pMem, char *zBuf){
+  char *zCsr = zBuf;
+  int f = pMem->flags;
+
+  static const char *const encnames[] = {"(X)", "(8)", "(16LE)", "(16BE)"};
+
+  if( f&MEM_Blob ){
+    int i;
+    char c;
+    if( f & MEM_Dyn ){
+      c = 'z';
+      assert( (f & (MEM_Static|MEM_Ephem))==0 );
+    }else if( f & MEM_Static ){
+      c = 't';
+      assert( (f & (MEM_Dyn|MEM_Ephem))==0 );
+    }else if( f & MEM_Ephem ){
+      c = 'e';
+      assert( (f & (MEM_Static|MEM_Dyn))==0 );
+    }else{
+      c = 's';
+    }
+
+    zCsr += sprintf(zCsr, "%c", c);
+    zCsr += sprintf(zCsr, "%d[", pMem->n);
+    for(i=0; i<16 && i<pMem->n; i++){
+      zCsr += sprintf(zCsr, "%02X ", ((int)pMem->z[i] & 0xFF));
+    }
+    for(i=0; i<16 && i<pMem->n; i++){
+      char z = pMem->z[i];
+      if( z<32 || z>126 ) *zCsr++ = '.';
+      else *zCsr++ = z;
+    }
+
+    zCsr += sprintf(zCsr, "]");
+    *zCsr = '\0';
+  }else if( f & MEM_Str ){
+    int j, k;
+    zBuf[0] = ' ';
+    if( f & MEM_Dyn ){
+      zBuf[1] = 'z';
+      assert( (f & (MEM_Static|MEM_Ephem))==0 );
+    }else if( f & MEM_Static ){
+      zBuf[1] = 't';
+      assert( (f & (MEM_Dyn|MEM_Ephem))==0 );
+    }else if( f & MEM_Ephem ){
+      zBuf[1] = 'e';
+      assert( (f & (MEM_Static|MEM_Dyn))==0 );
+    }else{
+      zBuf[1] = 's';
+    }
+    k = 2;
+    k += sprintf(&zBuf[k], "%d", pMem->n);
+    zBuf[k++] = '[';
+    for(j=0; j<15 && j<pMem->n; j++){
+      u8 c = pMem->z[j];
+      if( c>=0x20 && c<0x7f ){
+        zBuf[k++] = c;
+      }else{
+        zBuf[k++] = '.';
+      }
+    }
+    zBuf[k++] = ']';
+    k += sprintf(&zBuf[k], encnames[pMem->enc]);
+    zBuf[k++] = 0;
+  }
+}
+#endif
+
+
+#ifdef VDBE_PROFILE
+/*
+** The following routine only works on pentium-class processors.
+** It uses the RDTSC opcode to read the cycle count value out of the
+** processor and returns that value.  This can be used for high-res
+** profiling.
+*/
+__inline__ unsigned long long int hwtime(void){
+  unsigned long long int x;
+  __asm__("rdtsc\n\t"
+          "mov %%edx, %%ecx\n\t"
+          :"=A" (x));
+  return x;
+}
+#endif
+
+/*
+** The CHECK_FOR_INTERRUPT macro defined here looks to see if the
+** sqlite3_interrupt() routine has been called.  If it has been, then
+** processing of the VDBE program is interrupted.
+**
+** This macro added to every instruction that does a jump in order to
+** implement a loop.  This test used to be on every single instruction,
+** but that meant we more testing that we needed.  By only testing the
+** flag on jump instructions, we get a (small) speed improvement.
+*/
+#define CHECK_FOR_INTERRUPT \
+   if( db->u1.isInterrupted ) goto abort_due_to_interrupt;
+
+
+/*
+** Execute as much of a VDBE program as we can then return.
+**
+** sqlite3VdbeMakeReady() must be called before this routine in order to
+** close the program with a final OP_Halt and to set up the callbacks
+** and the error message pointer.
+**
+** Whenever a row or result data is available, this routine will either
+** invoke the result callback (if there is one) or return with
+** SQLITE_ROW.
+**
+** If an attempt is made to open a locked database, then this routine
+** will either invoke the busy callback (if there is one) or it will
+** return SQLITE_BUSY.
+**
+** If an error occurs, an error message is written to memory obtained
+** from sqliteMalloc() and p->zErrMsg is made to point to that memory.
+** The error code is stored in p->rc and this routine returns SQLITE_ERROR.
+**
+** If the callback ever returns non-zero, then the program exits
+** immediately.  There will be no error message but the p->rc field is
+** set to SQLITE_ABORT and this routine will return SQLITE_ERROR.
+**
+** A memory allocation error causes p->rc to be set to SQLITE_NOMEM and this
+** routine to return SQLITE_ERROR.
+**
+** Other fatal errors return SQLITE_ERROR.
+**
+** After this routine has finished, sqlite3VdbeFinalize() should be
+** used to clean up the mess that was left behind.
+*/
+int sqlite3VdbeExec(
+  Vdbe *p                    /* The VDBE */
+){
+  int pc;                    /* The program counter */
+  Op *pOp;                   /* Current operation */
+  int rc = SQLITE_OK;        /* Value to return */
+  sqlite3 *db = p->db;       /* The database */
+  u8 encoding = ENC(db);     /* The database encoding */
+  Mem *pTos;                 /* Top entry in the operand stack */
+#ifdef VDBE_PROFILE
+  unsigned long long start;  /* CPU clock count at start of opcode */
+  int origPc;                /* Program counter at start of opcode */
+#endif
+#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
+  int nProgressOps = 0;      /* Opcodes executed since progress callback. */
+#endif
+#ifndef NDEBUG
+  Mem *pStackLimit;
+#endif
+
+  if( p->magic!=VDBE_MAGIC_RUN ) return SQLITE_MISUSE;
+  assert( db->magic==SQLITE_MAGIC_BUSY );
+  pTos = p->pTos;
+  if( p->rc==SQLITE_NOMEM ){
+    /* This happens if a malloc() inside a call to sqlite3_column_text() or
+    ** sqlite3_column_text16() failed.  */
+    goto no_mem;
+  }
+  assert( p->rc==SQLITE_OK || p->rc==SQLITE_BUSY );
+  p->rc = SQLITE_OK;
+  assert( p->explain==0 );
+  if( p->popStack ){
+    popStack(&pTos, p->popStack);
+    p->popStack = 0;
+  }
+  p->resOnStack = 0;
+  db->busyHandler.nBusy = 0;
+  CHECK_FOR_INTERRUPT;
+  sqlite3VdbeIOTraceSql(p);
+#ifdef SQLITE_DEBUG
+  if( (p->db->flags & SQLITE_VdbeListing)!=0
+    || sqlite3OsFileExists("vdbe_explain")
+  ){
+    int i;
+    printf("VDBE Program Listing:\n");
+    sqlite3VdbePrintSql(p);
+    for(i=0; i<p->nOp; i++){
+      sqlite3VdbePrintOp(stdout, i, &p->aOp[i]);
+    }
+  }
+  if( sqlite3OsFileExists("vdbe_trace") ){
+    p->trace = stdout;
+  }
+#endif
+  for(pc=p->pc; rc==SQLITE_OK; pc++){
+    assert( pc>=0 && pc<p->nOp );
+    assert( pTos<=&p->aStack[pc] );
+    if( sqlite3MallocFailed() ) goto no_mem;
+#ifdef VDBE_PROFILE
+    origPc = pc;
+    start = hwtime();
+#endif
+    pOp = &p->aOp[pc];
+
+    /* Only allow tracing if SQLITE_DEBUG is defined.
+    */
+#ifdef SQLITE_DEBUG
+    if( p->trace ){
+      if( pc==0 ){
+        printf("VDBE Execution Trace:\n");
+        sqlite3VdbePrintSql(p);
+      }
+      sqlite3VdbePrintOp(p->trace, pc, pOp);
+    }
+    if( p->trace==0 && pc==0 && sqlite3OsFileExists("vdbe_sqltrace") ){
+      sqlite3VdbePrintSql(p);
+    }
+#endif
+      
+
+    /* Check to see if we need to simulate an interrupt.  This only happens
+    ** if we have a special test build.
+    */
+#ifdef SQLITE_TEST
+    if( sqlite3_interrupt_count>0 ){
+      sqlite3_interrupt_count--;
+      if( sqlite3_interrupt_count==0 ){
+        sqlite3_interrupt(db);
+      }
+    }
+#endif
+
+#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
+    /* Call the progress callback if it is configured and the required number
+    ** of VDBE ops have been executed (either since this invocation of
+    ** sqlite3VdbeExec() or since last time the progress callback was called).
+    ** If the progress callback returns non-zero, exit the virtual machine with
+    ** a return code SQLITE_ABORT.
+    */
+    if( db->xProgress ){
+      if( db->nProgressOps==nProgressOps ){
+        if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+        if( db->xProgress(db->pProgressArg)!=0 ){
+          sqlite3SafetyOn(db);
+          rc = SQLITE_ABORT;
+          continue; /* skip to the next iteration of the for loop */
+        }
+        nProgressOps = 0;
+        if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+      }
+      nProgressOps++;
+    }
+#endif
+
+#ifndef NDEBUG
+    /* This is to check that the return value of static function
+    ** opcodeNoPush() (see vdbeaux.c) returns values that match the
+    ** implementation of the virtual machine in this file. If
+    ** opcodeNoPush() returns non-zero, then the stack is guarenteed
+    ** not to grow when the opcode is executed. If it returns zero, then
+    ** the stack may grow by at most 1.
+    **
+    ** The global wrapper function sqlite3VdbeOpcodeUsesStack() is not 
+    ** available if NDEBUG is defined at build time.
+    */ 
+    pStackLimit = pTos;
+    if( !sqlite3VdbeOpcodeNoPush(pOp->opcode) ){
+      pStackLimit++;
+    }
+#endif
+
+    switch( pOp->opcode ){
+
+/*****************************************************************************
+** What follows is a massive switch statement where each case implements a
+** separate instruction in the virtual machine.  If we follow the usual
+** indentation conventions, each case should be indented by 6 spaces.  But
+** that is a lot of wasted space on the left margin.  So the code within
+** the switch statement will break with convention and be flush-left. Another
+** big comment (similar to this one) will mark the point in the code where
+** we transition back to normal indentation.
+**
+** The formatting of each case is important.  The makefile for SQLite
+** generates two C files "opcodes.h" and "opcodes.c" by scanning this
+** file looking for lines that begin with "case OP_".  The opcodes.h files
+** will be filled with #defines that give unique integer values to each
+** opcode and the opcodes.c file is filled with an array of strings where
+** each string is the symbolic name for the corresponding opcode.  If the
+** case statement is followed by a comment of the form "/# same as ... #/"
+** that comment is used to determine the particular value of the opcode.
+**
+** If a comment on the same line as the "case OP_" construction contains
+** the word "no-push", then the opcode is guarenteed not to grow the 
+** vdbe stack when it is executed. See function opcode() in
+** vdbeaux.c for details.
+**
+** Documentation about VDBE opcodes is generated by scanning this file
+** for lines of that contain "Opcode:".  That line and all subsequent
+** comment lines are used in the generation of the opcode.html documentation
+** file.
+**
+** SUMMARY:
+**
+**     Formatting is important to scripts that scan this file.
+**     Do not deviate from the formatting style currently in use.
+**
+*****************************************************************************/
+
+/* Opcode:  Goto * P2 *
+**
+** An unconditional jump to address P2.
+** The next instruction executed will be 
+** the one at index P2 from the beginning of
+** the program.
+*/
+case OP_Goto: {             /* no-push */
+  CHECK_FOR_INTERRUPT;
+  pc = pOp->p2 - 1;
+  break;
+}
+
+/* Opcode:  Gosub * P2 *
+**
+** Push the current address plus 1 onto the return address stack
+** and then jump to address P2.
+**
+** The return address stack is of limited depth.  If too many
+** OP_Gosub operations occur without intervening OP_Returns, then
+** the return address stack will fill up and processing will abort
+** with a fatal error.
+*/
+case OP_Gosub: {            /* no-push */
+  assert( p->returnDepth<sizeof(p->returnStack)/sizeof(p->returnStack[0]) );
+  p->returnStack[p->returnDepth++] = pc+1;
+  pc = pOp->p2 - 1;
+  break;
+}
+
+/* Opcode:  Return * * *
+**
+** Jump immediately to the next instruction after the last unreturned
+** OP_Gosub.  If an OP_Return has occurred for all OP_Gosubs, then
+** processing aborts with a fatal error.
+*/
+case OP_Return: {           /* no-push */
+  assert( p->returnDepth>0 );
+  p->returnDepth--;
+  pc = p->returnStack[p->returnDepth] - 1;
+  break;
+}
+
+/* Opcode:  Halt P1 P2 P3
+**
+** Exit immediately.  All open cursors, Fifos, etc are closed
+** automatically.
+**
+** P1 is the result code returned by sqlite3_exec(), sqlite3_reset(),
+** or sqlite3_finalize().  For a normal halt, this should be SQLITE_OK (0).
+** For errors, it can be some other value.  If P1!=0 then P2 will determine
+** whether or not to rollback the current transaction.  Do not rollback
+** if P2==OE_Fail. Do the rollback if P2==OE_Rollback.  If P2==OE_Abort,
+** then back out all changes that have occurred during this execution of the
+** VDBE, but do not rollback the transaction. 
+**
+** If P3 is not null then it is an error message string.
+**
+** There is an implied "Halt 0 0 0" instruction inserted at the very end of
+** every program.  So a jump past the last instruction of the program
+** is the same as executing Halt.
+*/
+case OP_Halt: {            /* no-push */
+  p->pTos = pTos;
+  p->rc = pOp->p1;
+  p->pc = pc;
+  p->errorAction = pOp->p2;
+  if( pOp->p3 ){
+    sqlite3SetString(&p->zErrMsg, pOp->p3, (char*)0);
+  }
+  rc = sqlite3VdbeHalt(p);
+  assert( rc==SQLITE_BUSY || rc==SQLITE_OK );
+  if( rc==SQLITE_BUSY ){
+    p->rc = SQLITE_BUSY;
+    return SQLITE_BUSY;
+  }
+  return p->rc ? SQLITE_ERROR : SQLITE_DONE;
+}
+
+/* Opcode: Integer P1 * *
+**
+** The 32-bit integer value P1 is pushed onto the stack.
+*/
+case OP_Integer: {
+  pTos++;
+  pTos->flags = MEM_Int;
+  pTos->u.i = pOp->p1;
+  break;
+}
+
+/* Opcode: Int64 * * P3
+**
+** P3 is a string representation of an integer.  Convert that integer
+** to a 64-bit value and push it onto the stack.
+*/
+case OP_Int64: {
+  pTos++;
+  assert( pOp->p3!=0 );
+  pTos->flags = MEM_Str|MEM_Static|MEM_Term;
+  pTos->z = pOp->p3;
+  pTos->n = strlen(pTos->z);
+  pTos->enc = SQLITE_UTF8;
+  pTos->u.i = sqlite3VdbeIntValue(pTos);
+  pTos->flags |= MEM_Int;
+  break;
+}
+
+/* Opcode: Real * * P3
+**
+** The string value P3 is converted to a real and pushed on to the stack.
+*/
+case OP_Real: {            /* same as TK_FLOAT, */
+  pTos++;
+  pTos->flags = MEM_Str|MEM_Static|MEM_Term;
+  pTos->z = pOp->p3;
+  pTos->n = strlen(pTos->z);
+  pTos->enc = SQLITE_UTF8;
+  pTos->r = sqlite3VdbeRealValue(pTos);
+  pTos->flags |= MEM_Real;
+  sqlite3VdbeChangeEncoding(pTos, encoding);
+  break;
+}
+
+/* Opcode: String8 * * P3
+**
+** P3 points to a nul terminated UTF-8 string. This opcode is transformed 
+** into an OP_String before it is executed for the first time.
+*/
+case OP_String8: {         /* same as TK_STRING */
+  assert( pOp->p3!=0 );
+  pOp->opcode = OP_String;
+  pOp->p1 = strlen(pOp->p3);
+
+#ifndef SQLITE_OMIT_UTF16
+  if( encoding!=SQLITE_UTF8 ){
+    pTos++;
+    sqlite3VdbeMemSetStr(pTos, pOp->p3, -1, SQLITE_UTF8, SQLITE_STATIC);
+    if( SQLITE_OK!=sqlite3VdbeChangeEncoding(pTos, encoding) ) goto no_mem;
+    if( SQLITE_OK!=sqlite3VdbeMemDynamicify(pTos) ) goto no_mem;
+    pTos->flags &= ~(MEM_Dyn);
+    pTos->flags |= MEM_Static;
+    if( pOp->p3type==P3_DYNAMIC ){
+      sqliteFree(pOp->p3);
+    }
+    pOp->p3type = P3_DYNAMIC;
+    pOp->p3 = pTos->z;
+    pOp->p1 = pTos->n;
+    break;
+  }
+#endif
+  /* Otherwise fall through to the next case, OP_String */
+}
+  
+/* Opcode: String P1 * P3
+**
+** The string value P3 of length P1 (bytes) is pushed onto the stack.
+*/
+case OP_String: {
+  pTos++;
+  assert( pOp->p3!=0 );
+  pTos->flags = MEM_Str|MEM_Static|MEM_Term;
+  pTos->z = pOp->p3;
+  pTos->n = pOp->p1;
+  pTos->enc = encoding;
+  break;
+}
+
+/* Opcode: Null * * *
+**
+** Push a NULL onto the stack.
+*/
+case OP_Null: {
+  pTos++;
+  pTos->flags = MEM_Null;
+  pTos->n = 0;
+  break;
+}
+
+
+#ifndef SQLITE_OMIT_BLOB_LITERAL
+/* Opcode: HexBlob * * P3
+**
+** P3 is an UTF-8 SQL hex encoding of a blob. The blob is pushed onto the
+** vdbe stack.
+**
+** The first time this instruction executes, in transforms itself into a
+** 'Blob' opcode with a binary blob as P3.
+*/
+case OP_HexBlob: {            /* same as TK_BLOB */
+  pOp->opcode = OP_Blob;
+  pOp->p1 = strlen(pOp->p3)/2;
+  if( pOp->p1 ){
+    char *zBlob = sqlite3HexToBlob(pOp->p3);
+    if( !zBlob ) goto no_mem;
+    if( pOp->p3type==P3_DYNAMIC ){
+      sqliteFree(pOp->p3);
+    }
+    pOp->p3 = zBlob;
+    pOp->p3type = P3_DYNAMIC;
+  }else{
+    if( pOp->p3type==P3_DYNAMIC ){
+      sqliteFree(pOp->p3);
+    }
+    pOp->p3type = P3_STATIC;
+    pOp->p3 = "";
+  }
+
+  /* Fall through to the next case, OP_Blob. */
+}
+
+/* Opcode: Blob P1 * P3
+**
+** P3 points to a blob of data P1 bytes long. Push this
+** value onto the stack. This instruction is not coded directly
+** by the compiler. Instead, the compiler layer specifies
+** an OP_HexBlob opcode, with the hex string representation of
+** the blob as P3. This opcode is transformed to an OP_Blob
+** the first time it is executed.
+*/
+case OP_Blob: {
+  pTos++;
+  sqlite3VdbeMemSetStr(pTos, pOp->p3, pOp->p1, 0, 0);
+  break;
+}
+#endif /* SQLITE_OMIT_BLOB_LITERAL */
+
+/* Opcode: Variable P1 * *
+**
+** Push the value of variable P1 onto the stack.  A variable is
+** an unknown in the original SQL string as handed to sqlite3_compile().
+** Any occurance of the '?' character in the original SQL is considered
+** a variable.  Variables in the SQL string are number from left to
+** right beginning with 1.  The values of variables are set using the
+** sqlite3_bind() API.
+*/
+case OP_Variable: {
+  int j = pOp->p1 - 1;
+  assert( j>=0 && j<p->nVar );
+
+  pTos++;
+  sqlite3VdbeMemShallowCopy(pTos, &p->aVar[j], MEM_Static);
+  break;
+}
+
+/* Opcode: Pop P1 * *
+**
+** P1 elements are popped off of the top of stack and discarded.
+*/
+case OP_Pop: {            /* no-push */
+  assert( pOp->p1>=0 );
+  popStack(&pTos, pOp->p1);
+  assert( pTos>=&p->aStack[-1] );
+  break;
+}
+
+/* Opcode: Dup P1 P2 *
+**
+** A copy of the P1-th element of the stack 
+** is made and pushed onto the top of the stack.
+** The top of the stack is element 0.  So the
+** instruction "Dup 0 0 0" will make a copy of the
+** top of the stack.
+**
+** If the content of the P1-th element is a dynamically
+** allocated string, then a new copy of that string
+** is made if P2==0.  If P2!=0, then just a pointer
+** to the string is copied.
+**
+** Also see the Pull instruction.
+*/
+case OP_Dup: {
+  Mem *pFrom = &pTos[-pOp->p1];
+  assert( pFrom<=pTos && pFrom>=p->aStack );
+  pTos++;
+  sqlite3VdbeMemShallowCopy(pTos, pFrom, MEM_Ephem);
+  if( pOp->p2 ){
+    Deephemeralize(pTos);
+  }
+  break;
+}
+
+/* Opcode: Pull P1 * *
+**
+** The P1-th element is removed from its current location on 
+** the stack and pushed back on top of the stack.  The
+** top of the stack is element 0, so "Pull 0 0 0" is
+** a no-op.  "Pull 1 0 0" swaps the top two elements of
+** the stack.
+**
+** See also the Dup instruction.
+*/
+case OP_Pull: {            /* no-push */
+  Mem *pFrom = &pTos[-pOp->p1];
+  int i;
+  Mem ts;
+
+  ts = *pFrom;
+  Deephemeralize(pTos);
+  for(i=0; i<pOp->p1; i++, pFrom++){
+    Deephemeralize(&pFrom[1]);
+    assert( (pFrom->flags & MEM_Ephem)==0 );
+    *pFrom = pFrom[1];
+    if( pFrom->flags & MEM_Short ){
+      assert( pFrom->flags & (MEM_Str|MEM_Blob) );
+      assert( pFrom->z==pFrom[1].zShort );
+      pFrom->z = pFrom->zShort;
+    }
+  }
+  *pTos = ts;
+  if( pTos->flags & MEM_Short ){
+    assert( pTos->flags & (MEM_Str|MEM_Blob) );
+    assert( pTos->z==pTos[-pOp->p1].zShort );
+    pTos->z = pTos->zShort;
+  }
+  break;
+}
+
+/* Opcode: Push P1 * *
+**
+** Overwrite the value of the P1-th element down on the
+** stack (P1==0 is the top of the stack) with the value
+** of the top of the stack.  Then pop the top of the stack.
+*/
+case OP_Push: {            /* no-push */
+  Mem *pTo = &pTos[-pOp->p1];
+
+  assert( pTo>=p->aStack );
+  sqlite3VdbeMemMove(pTo, pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: Callback P1 * *
+**
+** The top P1 values on the stack represent a single result row from
+** a query.  This opcode causes the sqlite3_step() call to terminate
+** with an SQLITE_ROW return code and it sets up the sqlite3_stmt
+** structure to provide access to the top P1 values as the result
+** row.  When the sqlite3_step() function is run again, the top P1
+** values will be automatically popped from the stack before the next
+** instruction executes.
+*/
+case OP_Callback: {            /* no-push */
+  Mem *pMem;
+  Mem *pFirstColumn;
+  assert( p->nResColumn==pOp->p1 );
+
+  /* Data in the pager might be moved or changed out from under us
+  ** in between the return from this sqlite3_step() call and the
+  ** next call to sqlite3_step().  So deephermeralize everything on 
+  ** the stack.  Note that ephemeral data is never stored in memory 
+  ** cells so we do not have to worry about them.
+  */
+  pFirstColumn = &pTos[0-pOp->p1];
+  for(pMem = p->aStack; pMem<pFirstColumn; pMem++){
+    Deephemeralize(pMem);
+  }
+
+  /* Invalidate all ephemeral cursor row caches */
+  p->cacheCtr = (p->cacheCtr + 2)|1;
+
+  /* Make sure the results of the current row are \000 terminated
+  ** and have an assigned type.  The results are deephemeralized as
+  ** as side effect.
+  */
+  for(; pMem<=pTos; pMem++ ){
+    sqlite3VdbeMemNulTerminate(pMem);
+    storeTypeInfo(pMem, encoding);
+  }
+
+  /* Set up the statement structure so that it will pop the current
+  ** results from the stack when the statement returns.
+  */
+  p->resOnStack = 1;
+  p->nCallback++;
+  p->popStack = pOp->p1;
+  p->pc = pc + 1;
+  p->pTos = pTos;
+  return SQLITE_ROW;
+}
+
+/* Opcode: Concat P1 P2 *
+**
+** Look at the first P1+2 elements of the stack.  Append them all 
+** together with the lowest element first.  The original P1+2 elements
+** are popped from the stack if P2==0 and retained if P2==1.  If
+** any element of the stack is NULL, then the result is NULL.
+**
+** When P1==1, this routine makes a copy of the top stack element
+** into memory obtained from sqliteMalloc().
+*/
+case OP_Concat: {           /* same as TK_CONCAT */
+  char *zNew;
+  int nByte;
+  int nField;
+  int i, j;
+  Mem *pTerm;
+
+  /* Loop through the stack elements to see how long the result will be. */
+  nField = pOp->p1 + 2;
+  pTerm = &pTos[1-nField];
+  nByte = 0;
+  for(i=0; i<nField; i++, pTerm++){
+    assert( pOp->p2==0 || (pTerm->flags&MEM_Str) );
+    if( pTerm->flags&MEM_Null ){
+      nByte = -1;
+      break;
+    }
+    Stringify(pTerm, encoding);
+    nByte += pTerm->n;
+  }
+
+  if( nByte<0 ){
+    /* If nByte is less than zero, then there is a NULL value on the stack.
+    ** In this case just pop the values off the stack (if required) and
+    ** push on a NULL.
+    */
+    if( pOp->p2==0 ){
+      popStack(&pTos, nField);
+    }
+    pTos++;
+    pTos->flags = MEM_Null;
+  }else{
+    /* Otherwise malloc() space for the result and concatenate all the
+    ** stack values.
+    */
+    zNew = sqliteMallocRaw( nByte+2 );
+    if( zNew==0 ) goto no_mem;
+    j = 0;
+    pTerm = &pTos[1-nField];
+    for(i=j=0; i<nField; i++, pTerm++){
+      int n = pTerm->n;
+      assert( pTerm->flags & (MEM_Str|MEM_Blob) );
+      memcpy(&zNew[j], pTerm->z, n);
+      j += n;
+    }
+    zNew[j] = 0;
+    zNew[j+1] = 0;
+    assert( j==nByte );
+
+    if( pOp->p2==0 ){
+      popStack(&pTos, nField);
+    }
+    pTos++;
+    pTos->n = j;
+    pTos->flags = MEM_Str|MEM_Dyn|MEM_Term;
+    pTos->xDel = 0;
+    pTos->enc = encoding;
+    pTos->z = zNew;
+  }
+  break;
+}
+
+/* Opcode: Add * * *
+**
+** Pop the top two elements from the stack, add them together,
+** and push the result back onto the stack.  If either element
+** is a string then it is converted to a double using the atof()
+** function before the addition.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: Multiply * * *
+**
+** Pop the top two elements from the stack, multiply them together,
+** and push the result back onto the stack.  If either element
+** is a string then it is converted to a double using the atof()
+** function before the multiplication.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: Subtract * * *
+**
+** Pop the top two elements from the stack, subtract the
+** first (what was on top of the stack) from the second (the
+** next on stack)
+** and push the result back onto the stack.  If either element
+** is a string then it is converted to a double using the atof()
+** function before the subtraction.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: Divide * * *
+**
+** Pop the top two elements from the stack, divide the
+** first (what was on top of the stack) from the second (the
+** next on stack)
+** and push the result back onto the stack.  If either element
+** is a string then it is converted to a double using the atof()
+** function before the division.  Division by zero returns NULL.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: Remainder * * *
+**
+** Pop the top two elements from the stack, divide the
+** first (what was on top of the stack) from the second (the
+** next on stack)
+** and push the remainder after division onto the stack.  If either element
+** is a string then it is converted to a double using the atof()
+** function before the division.  Division by zero returns NULL.
+** If either operand is NULL, the result is NULL.
+*/
+case OP_Add:                   /* same as TK_PLUS, no-push */
+case OP_Subtract:              /* same as TK_MINUS, no-push */
+case OP_Multiply:              /* same as TK_STAR, no-push */
+case OP_Divide:                /* same as TK_SLASH, no-push */
+case OP_Remainder: {           /* same as TK_REM, no-push */
+  Mem *pNos = &pTos[-1];
+  int flags;
+  assert( pNos>=p->aStack );
+  flags = pTos->flags | pNos->flags;
+  if( (flags & MEM_Null)!=0 ){
+    Release(pTos);
+    pTos--;
+    Release(pTos);
+    pTos->flags = MEM_Null;
+  }else if( (pTos->flags & pNos->flags & MEM_Int)==MEM_Int ){
+    i64 a, b;
+    a = pTos->u.i;
+    b = pNos->u.i;
+    switch( pOp->opcode ){
+      case OP_Add:         b += a;       break;
+      case OP_Subtract:    b -= a;       break;
+      case OP_Multiply:    b *= a;       break;
+      case OP_Divide: {
+        if( a==0 ) goto divide_by_zero;
+        b /= a;
+        break;
+      }
+      default: {
+        if( a==0 ) goto divide_by_zero;
+        b %= a;
+        break;
+      }
+    }
+    Release(pTos);
+    pTos--;
+    Release(pTos);
+    pTos->u.i = b;
+    pTos->flags = MEM_Int;
+  }else{
+    double a, b;
+    a = sqlite3VdbeRealValue(pTos);
+    b = sqlite3VdbeRealValue(pNos);
+    switch( pOp->opcode ){
+      case OP_Add:         b += a;       break;
+      case OP_Subtract:    b -= a;       break;
+      case OP_Multiply:    b *= a;       break;
+      case OP_Divide: {
+        if( a==0.0 ) goto divide_by_zero;
+        b /= a;
+        break;
+      }
+      default: {
+        int ia = (int)a;
+        int ib = (int)b;
+        if( ia==0.0 ) goto divide_by_zero;
+        b = ib % ia;
+        break;
+      }
+    }
+    Release(pTos);
+    pTos--;
+    Release(pTos);
+    pTos->r = b;
+    pTos->flags = MEM_Real;
+    if( (flags & MEM_Real)==0 ){
+      sqlite3VdbeIntegerAffinity(pTos);
+    }
+  }
+  break;
+
+divide_by_zero:
+  Release(pTos);
+  pTos--;
+  Release(pTos);
+  pTos->flags = MEM_Null;
+  break;
+}
+
+/* Opcode: CollSeq * * P3
+**
+** P3 is a pointer to a CollSeq struct. If the next call to a user function
+** or aggregate calls sqlite3GetFuncCollSeq(), this collation sequence will
+** be returned. This is used by the built-in min(), max() and nullif()
+** functions.
+**
+** The interface used by the implementation of the aforementioned functions
+** to retrieve the collation sequence set by this opcode is not available
+** publicly, only to user functions defined in func.c.
+*/
+case OP_CollSeq: {             /* no-push */
+  assert( pOp->p3type==P3_COLLSEQ );
+  break;
+}
+
+/* Opcode: Function P1 P2 P3
+**
+** Invoke a user function (P3 is a pointer to a Function structure that
+** defines the function) with P2 arguments taken from the stack.  Pop all
+** arguments from the stack and push back the result.
+**
+** P1 is a 32-bit bitmask indicating whether or not each argument to the 
+** function was determined to be constant at compile time. If the first
+** argument was constant then bit 0 of P1 is set. This is used to determine
+** whether meta data associated with a user function argument using the
+** sqlite3_set_auxdata() API may be safely retained until the next
+** invocation of this opcode.
+**
+** See also: AggStep and AggFinal
+*/
+case OP_Function: {
+  int i;
+  Mem *pArg;
+  sqlite3_context ctx;
+  sqlite3_value **apVal;
+  int n = pOp->p2;
+
+  apVal = p->apArg;
+  assert( apVal || n==0 );
+
+  pArg = &pTos[1-n];
+  for(i=0; i<n; i++, pArg++){
+    apVal[i] = pArg;
+    storeTypeInfo(pArg, encoding);
+  }
+
+  assert( pOp->p3type==P3_FUNCDEF || pOp->p3type==P3_VDBEFUNC );
+  if( pOp->p3type==P3_FUNCDEF ){
+    ctx.pFunc = (FuncDef*)pOp->p3;
+    ctx.pVdbeFunc = 0;
+  }else{
+    ctx.pVdbeFunc = (VdbeFunc*)pOp->p3;
+    ctx.pFunc = ctx.pVdbeFunc->pFunc;
+  }
+
+  ctx.s.flags = MEM_Null;
+  ctx.s.z = 0;
+  ctx.s.xDel = 0;
+  ctx.isError = 0;
+  if( ctx.pFunc->needCollSeq ){
+    assert( pOp>p->aOp );
+    assert( pOp[-1].p3type==P3_COLLSEQ );
+    assert( pOp[-1].opcode==OP_CollSeq );
+    ctx.pColl = (CollSeq *)pOp[-1].p3;
+  }
+  if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+  (*ctx.pFunc->xFunc)(&ctx, n, apVal);
+  if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+  if( sqlite3MallocFailed() ) goto no_mem;
+  popStack(&pTos, n);
+
+  /* If any auxilary data functions have been called by this user function,
+  ** immediately call the destructor for any non-static values.
+  */
+  if( ctx.pVdbeFunc ){
+    sqlite3VdbeDeleteAuxData(ctx.pVdbeFunc, pOp->p1);
+    pOp->p3 = (char *)ctx.pVdbeFunc;
+    pOp->p3type = P3_VDBEFUNC;
+  }
+
+  /* If the function returned an error, throw an exception */
+  if( ctx.isError ){
+    sqlite3SetString(&p->zErrMsg, sqlite3_value_text(&ctx.s), (char*)0);
+    rc = SQLITE_ERROR;
+  }
+
+  /* Copy the result of the function to the top of the stack */
+  sqlite3VdbeChangeEncoding(&ctx.s, encoding);
+  pTos++;
+  pTos->flags = 0;
+  sqlite3VdbeMemMove(pTos, &ctx.s);
+  break;
+}
+
+/* Opcode: BitAnd * * *
+**
+** Pop the top two elements from the stack.  Convert both elements
+** to integers.  Push back onto the stack the bit-wise AND of the
+** two elements.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: BitOr * * *
+**
+** Pop the top two elements from the stack.  Convert both elements
+** to integers.  Push back onto the stack the bit-wise OR of the
+** two elements.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: ShiftLeft * * *
+**
+** Pop the top two elements from the stack.  Convert both elements
+** to integers.  Push back onto the stack the second element shifted
+** left by N bits where N is the top element on the stack.
+** If either operand is NULL, the result is NULL.
+*/
+/* Opcode: ShiftRight * * *
+**
+** Pop the top two elements from the stack.  Convert both elements
+** to integers.  Push back onto the stack the second element shifted
+** right by N bits where N is the top element on the stack.
+** If either operand is NULL, the result is NULL.
+*/
+case OP_BitAnd:                 /* same as TK_BITAND, no-push */
+case OP_BitOr:                  /* same as TK_BITOR, no-push */
+case OP_ShiftLeft:              /* same as TK_LSHIFT, no-push */
+case OP_ShiftRight: {           /* same as TK_RSHIFT, no-push */
+  Mem *pNos = &pTos[-1];
+  i64 a, b;
+
+  assert( pNos>=p->aStack );
+  if( (pTos->flags | pNos->flags) & MEM_Null ){
+    popStack(&pTos, 2);
+    pTos++;
+    pTos->flags = MEM_Null;
+    break;
+  }
+  a = sqlite3VdbeIntValue(pNos);
+  b = sqlite3VdbeIntValue(pTos);
+  switch( pOp->opcode ){
+    case OP_BitAnd:      a &= b;     break;
+    case OP_BitOr:       a |= b;     break;
+    case OP_ShiftLeft:   a <<= b;    break;
+    case OP_ShiftRight:  a >>= b;    break;
+    default:   /* CANT HAPPEN */     break;
+  }
+  Release(pTos);
+  pTos--;
+  Release(pTos);
+  pTos->u.i = a;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: AddImm  P1 * *
+** 
+** Add the value P1 to whatever is on top of the stack.  The result
+** is always an integer.
+**
+** To force the top of the stack to be an integer, just add 0.
+*/
+case OP_AddImm: {            /* no-push */
+  assert( pTos>=p->aStack );
+  sqlite3VdbeMemIntegerify(pTos);
+  pTos->u.i += pOp->p1;
+  break;
+}
+
+/* Opcode: ForceInt P1 P2 *
+**
+** Convert the top of the stack into an integer.  If the current top of
+** the stack is not numeric (meaning that is is a NULL or a string that
+** does not look like an integer or floating point number) then pop the
+** stack and jump to P2.  If the top of the stack is numeric then
+** convert it into the least integer that is greater than or equal to its
+** current value if P1==0, or to the least integer that is strictly
+** greater than its current value if P1==1.
+*/
+case OP_ForceInt: {            /* no-push */
+  i64 v;
+  assert( pTos>=p->aStack );
+  applyAffinity(pTos, SQLITE_AFF_NUMERIC, encoding);
+  if( (pTos->flags & (MEM_Int|MEM_Real))==0 ){
+    Release(pTos);
+    pTos--;
+    pc = pOp->p2 - 1;
+    break;
+  }
+  if( pTos->flags & MEM_Int ){
+    v = pTos->u.i + (pOp->p1!=0);
+  }else{
+    /* FIX ME:  should this not be assert( pTos->flags & MEM_Real ) ??? */
+    sqlite3VdbeMemRealify(pTos);
+    v = (int)pTos->r;
+    if( pTos->r>(double)v ) v++;
+    if( pOp->p1 && pTos->r==(double)v ) v++;
+  }
+  Release(pTos);
+  pTos->u.i = v;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: MustBeInt P1 P2 *
+** 
+** Force the top of the stack to be an integer.  If the top of the
+** stack is not an integer and cannot be converted into an integer
+** with out data loss, then jump immediately to P2, or if P2==0
+** raise an SQLITE_MISMATCH exception.
+**
+** If the top of the stack is not an integer and P2 is not zero and
+** P1 is 1, then the stack is popped.  In all other cases, the depth
+** of the stack is unchanged.
+*/
+case OP_MustBeInt: {            /* no-push */
+  assert( pTos>=p->aStack );
+  applyAffinity(pTos, SQLITE_AFF_NUMERIC, encoding);
+  if( (pTos->flags & MEM_Int)==0 ){
+    if( pOp->p2==0 ){
+      rc = SQLITE_MISMATCH;
+      goto abort_due_to_error;
+    }else{
+      if( pOp->p1 ) popStack(&pTos, 1);
+      pc = pOp->p2 - 1;
+    }
+  }else{
+    Release(pTos);
+    pTos->flags = MEM_Int;
+  }
+  break;
+}
+
+/* Opcode: RealAffinity * * *
+**
+** If the top of the stack is an integer, convert it to a real value.
+**
+** This opcode is used when extracting information from a column that
+** has REAL affinity.  Such column values may still be stored as
+** integers, for space efficiency, but after extraction we want them
+** to have only a real value.
+*/
+case OP_RealAffinity: {                  /* no-push */
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Int ){
+    sqlite3VdbeMemRealify(pTos);
+  }
+  break;
+}
+
+#ifndef SQLITE_OMIT_CAST
+/* Opcode: ToText * * *
+**
+** Force the value on the top of the stack to be text.
+** If the value is numeric, convert it to a string using the
+** equivalent of printf().  Blob values are unchanged and
+** are afterwards simply interpreted as text.
+**
+** A NULL value is not changed by this routine.  It remains NULL.
+*/
+case OP_ToText: {                  /* same as TK_TO_TEXT, no-push */
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Null ) break;
+  assert( MEM_Str==(MEM_Blob>>3) );
+  pTos->flags |= (pTos->flags&MEM_Blob)>>3;
+  applyAffinity(pTos, SQLITE_AFF_TEXT, encoding);
+  assert( pTos->flags & MEM_Str );
+  pTos->flags &= ~(MEM_Int|MEM_Real|MEM_Blob);
+  break;
+}
+
+/* Opcode: ToBlob * * *
+**
+** Force the value on the top of the stack to be a BLOB.
+** If the value is numeric, convert it to a string first.
+** Strings are simply reinterpreted as blobs with no change
+** to the underlying data.
+**
+** A NULL value is not changed by this routine.  It remains NULL.
+*/
+case OP_ToBlob: {                  /* same as TK_TO_BLOB, no-push */
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Null ) break;
+  if( (pTos->flags & MEM_Blob)==0 ){
+    applyAffinity(pTos, SQLITE_AFF_TEXT, encoding);
+    assert( pTos->flags & MEM_Str );
+    pTos->flags |= MEM_Blob;
+  }
+  pTos->flags &= ~(MEM_Int|MEM_Real|MEM_Str);
+  break;
+}
+
+/* Opcode: ToNumeric * * *
+**
+** Force the value on the top of the stack to be numeric (either an
+** integer or a floating-point number.)
+** If the value is text or blob, try to convert it to an using the
+** equivalent of atoi() or atof() and store 0 if no such conversion 
+** is possible.
+**
+** A NULL value is not changed by this routine.  It remains NULL.
+*/
+case OP_ToNumeric: {                  /* same as TK_TO_NUMERIC, no-push */
+  assert( pTos>=p->aStack );
+  if( (pTos->flags & MEM_Null)==0 ){
+    sqlite3VdbeMemNumerify(pTos);
+  }
+  break;
+}
+#endif /* SQLITE_OMIT_CAST */
+
+/* Opcode: ToInt * * *
+**
+** Force the value on the top of the stack to be an integer.  If
+** The value is currently a real number, drop its fractional part.
+** If the value is text or blob, try to convert it to an integer using the
+** equivalent of atoi() and store 0 if no such conversion is possible.
+**
+** A NULL value is not changed by this routine.  It remains NULL.
+*/
+case OP_ToInt: {                  /* same as TK_TO_INT, no-push */
+  assert( pTos>=p->aStack );
+  if( (pTos->flags & MEM_Null)==0 ){
+    sqlite3VdbeMemIntegerify(pTos);
+  }
+  break;
+}
+
+#ifndef SQLITE_OMIT_CAST
+/* Opcode: ToReal * * *
+**
+** Force the value on the top of the stack to be a floating point number.
+** If The value is currently an integer, convert it.
+** If the value is text or blob, try to convert it to an integer using the
+** equivalent of atoi() and store 0 if no such conversion is possible.
+**
+** A NULL value is not changed by this routine.  It remains NULL.
+*/
+case OP_ToReal: {                  /* same as TK_TO_REAL, no-push */
+  assert( pTos>=p->aStack );
+  if( (pTos->flags & MEM_Null)==0 ){
+    sqlite3VdbeMemRealify(pTos);
+  }
+  break;
+}
+#endif /* SQLITE_OMIT_CAST */
+
+/* Opcode: Eq P1 P2 P3
+**
+** Pop the top two elements from the stack.  If they are equal, then
+** jump to instruction P2.  Otherwise, continue to the next instruction.
+**
+** If the 0x100 bit of P1 is true and either operand is NULL then take the
+** jump.  If the 0x100 bit of P1 is clear then fall thru if either operand
+** is NULL.
+**
+** If the 0x200 bit of P1 is set and either operand is NULL then
+** both operands are converted to integers prior to comparison.
+** NULL operands are converted to zero and non-NULL operands are
+** converted to 1.  Thus, for example, with 0x200 set,  NULL==NULL is true
+** whereas it would normally be NULL.  Similarly,  NULL==123 is false when
+** 0x200 is set but is NULL when the 0x200 bit of P1 is clear.
+**
+** The least significant byte of P1 (mask 0xff) must be an affinity character -
+** SQLITE_AFF_TEXT, SQLITE_AFF_INTEGER, and so forth. An attempt is made 
+** to coerce both values
+** according to the affinity before the comparison is made. If the byte is
+** 0x00, then numeric affinity is used.
+**
+** Once any conversions have taken place, and neither value is NULL, 
+** the values are compared. If both values are blobs, or both are text,
+** then memcmp() is used to determine the results of the comparison. If
+** both values are numeric, then a numeric comparison is used. If the
+** two values are of different types, then they are inequal.
+**
+** If P2 is zero, do not jump.  Instead, push an integer 1 onto the
+** stack if the jump would have been taken, or a 0 if not.  Push a
+** NULL if either operand was NULL.
+**
+** If P3 is not NULL it is a pointer to a collating sequence (a CollSeq
+** structure) that defines how to compare text.
+*/
+/* Opcode: Ne P1 P2 P3
+**
+** This works just like the Eq opcode except that the jump is taken if
+** the operands from the stack are not equal.  See the Eq opcode for
+** additional information.
+*/
+/* Opcode: Lt P1 P2 P3
+**
+** This works just like the Eq opcode except that the jump is taken if
+** the 2nd element down on the stack is less than the top of the stack.
+** See the Eq opcode for additional information.
+*/
+/* Opcode: Le P1 P2 P3
+**
+** This works just like the Eq opcode except that the jump is taken if
+** the 2nd element down on the stack is less than or equal to the
+** top of the stack.  See the Eq opcode for additional information.
+*/
+/* Opcode: Gt P1 P2 P3
+**
+** This works just like the Eq opcode except that the jump is taken if
+** the 2nd element down on the stack is greater than the top of the stack.
+** See the Eq opcode for additional information.
+*/
+/* Opcode: Ge P1 P2 P3
+**
+** This works just like the Eq opcode except that the jump is taken if
+** the 2nd element down on the stack is greater than or equal to the
+** top of the stack.  See the Eq opcode for additional information.
+*/
+case OP_Eq:               /* same as TK_EQ, no-push */
+case OP_Ne:               /* same as TK_NE, no-push */
+case OP_Lt:               /* same as TK_LT, no-push */
+case OP_Le:               /* same as TK_LE, no-push */
+case OP_Gt:               /* same as TK_GT, no-push */
+case OP_Ge: {             /* same as TK_GE, no-push */
+  Mem *pNos;
+  int flags;
+  int res;
+  char affinity;
+
+  pNos = &pTos[-1];
+  flags = pTos->flags|pNos->flags;
+
+  /* If either value is a NULL P2 is not zero, take the jump if the least
+  ** significant byte of P1 is true. If P2 is zero, then push a NULL onto
+  ** the stack.
+  */
+  if( flags&MEM_Null ){
+    if( (pOp->p1 & 0x200)!=0 ){
+      /* The 0x200 bit of P1 means, roughly "do not treat NULL as the
+      ** magic SQL value it normally is - treat it as if it were another
+      ** integer".
+      **
+      ** With 0x200 set, if either operand is NULL then both operands
+      ** are converted to integers prior to being passed down into the
+      ** normal comparison logic below.  NULL operands are converted to
+      ** zero and non-NULL operands are converted to 1.  Thus, for example,
+      ** with 0x200 set,  NULL==NULL is true whereas it would normally
+      ** be NULL.  Similarly,  NULL!=123 is true.
+      */
+      sqlite3VdbeMemSetInt64(pTos, (pTos->flags & MEM_Null)==0);
+      sqlite3VdbeMemSetInt64(pNos, (pNos->flags & MEM_Null)==0);
+    }else{
+      /* If the 0x200 bit of P1 is clear and either operand is NULL then
+      ** the result is always NULL.  The jump is taken if the 0x100 bit
+      ** of P1 is set.
+      */
+      popStack(&pTos, 2);
+      if( pOp->p2 ){
+        if( pOp->p1 & 0x100 ){
+          pc = pOp->p2-1;
+        }
+      }else{
+        pTos++;
+        pTos->flags = MEM_Null;
+      }
+      break;
+    }
+  }
+
+  affinity = pOp->p1 & 0xFF;
+  if( affinity ){
+    applyAffinity(pNos, affinity, encoding);
+    applyAffinity(pTos, affinity, encoding);
+  }
+
+  assert( pOp->p3type==P3_COLLSEQ || pOp->p3==0 );
+  res = sqlite3MemCompare(pNos, pTos, (CollSeq*)pOp->p3);
+  switch( pOp->opcode ){
+    case OP_Eq:    res = res==0;     break;
+    case OP_Ne:    res = res!=0;     break;
+    case OP_Lt:    res = res<0;      break;
+    case OP_Le:    res = res<=0;     break;
+    case OP_Gt:    res = res>0;      break;
+    default:       res = res>=0;     break;
+  }
+
+  popStack(&pTos, 2);
+  if( pOp->p2 ){
+    if( res ){
+      pc = pOp->p2-1;
+    }
+  }else{
+    pTos++;
+    pTos->flags = MEM_Int;
+    pTos->u.i = res;
+  }
+  break;
+}
+
+/* Opcode: And * * *
+**
+** Pop two values off the stack.  Take the logical AND of the
+** two values and push the resulting boolean value back onto the
+** stack. 
+*/
+/* Opcode: Or * * *
+**
+** Pop two values off the stack.  Take the logical OR of the
+** two values and push the resulting boolean value back onto the
+** stack. 
+*/
+case OP_And:              /* same as TK_AND, no-push */
+case OP_Or: {             /* same as TK_OR, no-push */
+  Mem *pNos = &pTos[-1];
+  int v1, v2;    /* 0==TRUE, 1==FALSE, 2==UNKNOWN or NULL */
+
+  assert( pNos>=p->aStack );
+  if( pTos->flags & MEM_Null ){
+    v1 = 2;
+  }else{
+    sqlite3VdbeMemIntegerify(pTos);
+    v1 = pTos->u.i==0;
+  }
+  if( pNos->flags & MEM_Null ){
+    v2 = 2;
+  }else{
+    sqlite3VdbeMemIntegerify(pNos);
+    v2 = pNos->u.i==0;
+  }
+  if( pOp->opcode==OP_And ){
+    static const unsigned char and_logic[] = { 0, 1, 2, 1, 1, 1, 2, 1, 2 };
+    v1 = and_logic[v1*3+v2];
+  }else{
+    static const unsigned char or_logic[] = { 0, 0, 0, 0, 1, 2, 0, 2, 2 };
+    v1 = or_logic[v1*3+v2];
+  }
+  popStack(&pTos, 2);
+  pTos++;
+  if( v1==2 ){
+    pTos->flags = MEM_Null;
+  }else{
+    pTos->u.i = v1==0;
+    pTos->flags = MEM_Int;
+  }
+  break;
+}
+
+/* Opcode: Negative * * *
+**
+** Treat the top of the stack as a numeric quantity.  Replace it
+** with its additive inverse.  If the top of the stack is NULL
+** its value is unchanged.
+*/
+/* Opcode: AbsValue * * *
+**
+** Treat the top of the stack as a numeric quantity.  Replace it
+** with its absolute value. If the top of the stack is NULL
+** its value is unchanged.
+*/
+case OP_Negative:              /* same as TK_UMINUS, no-push */
+case OP_AbsValue: {
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Real ){
+    neg_abs_real_case:
+    Release(pTos);
+    if( pOp->opcode==OP_Negative || pTos->r<0.0 ){
+      pTos->r = -pTos->r;
+    }
+    pTos->flags = MEM_Real;
+  }else if( pTos->flags & MEM_Int ){
+    Release(pTos);
+    if( pOp->opcode==OP_Negative || pTos->u.i<0 ){
+      pTos->u.i = -pTos->u.i;
+    }
+    pTos->flags = MEM_Int;
+  }else if( pTos->flags & MEM_Null ){
+    /* Do nothing */
+  }else{
+    sqlite3VdbeMemNumerify(pTos);
+    goto neg_abs_real_case;
+  }
+  break;
+}
+
+/* Opcode: Not * * *
+**
+** Interpret the top of the stack as a boolean value.  Replace it
+** with its complement.  If the top of the stack is NULL its value
+** is unchanged.
+*/
+case OP_Not: {                /* same as TK_NOT, no-push */
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Null ) break;  /* Do nothing to NULLs */
+  sqlite3VdbeMemIntegerify(pTos);
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos->u.i = !pTos->u.i;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: BitNot * * *
+**
+** Interpret the top of the stack as an value.  Replace it
+** with its ones-complement.  If the top of the stack is NULL its
+** value is unchanged.
+*/
+case OP_BitNot: {             /* same as TK_BITNOT, no-push */
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Null ) break;  /* Do nothing to NULLs */
+  sqlite3VdbeMemIntegerify(pTos);
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos->u.i = ~pTos->u.i;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: Noop * * *
+**
+** Do nothing.  This instruction is often useful as a jump
+** destination.
+*/
+/*
+** The magic Explain opcode are only inserted when explain==2 (which
+** is to say when the EXPLAIN QUERY PLAN syntax is used.)
+** This opcode records information from the optimizer.  It is the
+** the same as a no-op.  This opcodesnever appears in a real VM program.
+*/
+case OP_Explain:
+case OP_Noop: {            /* no-push */
+  break;
+}
+
+/* Opcode: If P1 P2 *
+**
+** Pop a single boolean from the stack.  If the boolean popped is
+** true, then jump to p2.  Otherwise continue to the next instruction.
+** An integer is false if zero and true otherwise.  A string is
+** false if it has zero length and true otherwise.
+**
+** If the value popped of the stack is NULL, then take the jump if P1
+** is true and fall through if P1 is false.
+*/
+/* Opcode: IfNot P1 P2 *
+**
+** Pop a single boolean from the stack.  If the boolean popped is
+** false, then jump to p2.  Otherwise continue to the next instruction.
+** An integer is false if zero and true otherwise.  A string is
+** false if it has zero length and true otherwise.
+**
+** If the value popped of the stack is NULL, then take the jump if P1
+** is true and fall through if P1 is false.
+*/
+case OP_If:                 /* no-push */
+case OP_IfNot: {            /* no-push */
+  int c;
+  assert( pTos>=p->aStack );
+  if( pTos->flags & MEM_Null ){
+    c = pOp->p1;
+  }else{
+#ifdef SQLITE_OMIT_FLOATING_POINT
+    c = sqlite3VdbeIntValue(pTos);
+#else
+    c = sqlite3VdbeRealValue(pTos)!=0.0;
+#endif
+    if( pOp->opcode==OP_IfNot ) c = !c;
+  }
+  Release(pTos);
+  pTos--;
+  if( c ) pc = pOp->p2-1;
+  break;
+}
+
+/* Opcode: IsNull P1 P2 *
+**
+** Check the top of the stack and jump to P2 if the top of the stack
+** is NULL.  If P1 is positive, then pop P1 elements from the stack
+** regardless of whether or not the jump is taken.  If P1 is negative,
+** pop -P1 elements from the stack only if the jump is taken and leave
+** the stack unchanged if the jump is not taken.
+*/
+case OP_IsNull: {            /* same as TK_ISNULL, no-push */
+  if( pTos->flags & MEM_Null ){
+    pc = pOp->p2-1;
+    if( pOp->p1<0 ){
+      popStack(&pTos, -pOp->p1);
+    }
+  }
+  if( pOp->p1>0 ){
+    popStack(&pTos, pOp->p1);
+  }
+  break;
+}
+
+/* Opcode: NotNull P1 P2 *
+**
+** Jump to P2 if the top abs(P1) values on the stack are all not NULL.  
+** Regardless of whether or not the jump is taken, pop the stack
+** P1 times if P1 is greater than zero.  But if P1 is negative,
+** leave the stack unchanged.
+*/
+case OP_NotNull: {            /* same as TK_NOTNULL, no-push */
+  int i, cnt;
+  cnt = pOp->p1;
+  if( cnt<0 ) cnt = -cnt;
+  assert( &pTos[1-cnt] >= p->aStack );
+  for(i=0; i<cnt && (pTos[1+i-cnt].flags & MEM_Null)==0; i++){}
+  if( i>=cnt ) pc = pOp->p2-1;
+  if( pOp->p1>0 ) popStack(&pTos, cnt);
+  break;
+}
+
+/* Opcode: SetNumColumns P1 P2 *
+**
+** Before the OP_Column opcode can be executed on a cursor, this
+** opcode must be called to set the number of fields in the table.
+**
+** This opcode sets the number of columns for cursor P1 to P2.
+**
+** If OP_KeyAsData is to be applied to cursor P1, it must be executed
+** before this op-code.
+*/
+case OP_SetNumColumns: {       /* no-push */
+  Cursor *pC;
+  assert( (pOp->p1)<p->nCursor );
+  assert( p->apCsr[pOp->p1]!=0 );
+  pC = p->apCsr[pOp->p1];
+  pC->nField = pOp->p2;
+  break;
+}
+
+/* Opcode: Column P1 P2 P3
+**
+** Interpret the data that cursor P1 points to as a structure built using
+** the MakeRecord instruction.  (See the MakeRecord opcode for additional
+** information about the format of the data.) Push onto the stack the value
+** of the P2-th column contained in the data. If there are less that (P2+1) 
+** values in the record, push a NULL onto the stack.
+**
+** If the KeyAsData opcode has previously executed on this cursor, then the
+** field might be extracted from the key rather than the data.
+**
+** If the column contains fewer than P2 fields, then push a NULL.  Or
+** if P3 is of type P3_MEM, then push the P3 value.  The P3 value will
+** be default value for a column that has been added using the ALTER TABLE
+** ADD COLUMN command.  If P3 is an ordinary string, just push a NULL.
+** When P3 is a string it is really just a comment describing the value
+** to be pushed, not a default value.
+*/
+case OP_Column: {
+  u32 payloadSize;   /* Number of bytes in the record */
+  int p1 = pOp->p1;  /* P1 value of the opcode */
+  int p2 = pOp->p2;  /* column number to retrieve */
+  Cursor *pC = 0;    /* The VDBE cursor */
+  char *zRec;        /* Pointer to complete record-data */
+  BtCursor *pCrsr;   /* The BTree cursor */
+  u32 *aType;        /* aType[i] holds the numeric type of the i-th column */
+  u32 *aOffset;      /* aOffset[i] is offset to start of data for i-th column */
+  u32 nField;        /* number of fields in the record */
+  int len;           /* The length of the serialized data for the column */
+  int i;             /* Loop counter */
+  char *zData;       /* Part of the record being decoded */
+  Mem sMem;          /* For storing the record being decoded */
+
+  sMem.flags = 0;
+  assert( p1<p->nCursor );
+  pTos++;
+  pTos->flags = MEM_Null;
+
+  /* This block sets the variable payloadSize to be the total number of
+  ** bytes in the record.
+  **
+  ** zRec is set to be the complete text of the record if it is available.
+  ** The complete record text is always available for pseudo-tables
+  ** If the record is stored in a cursor, the complete record text
+  ** might be available in the  pC->aRow cache.  Or it might not be.
+  ** If the data is unavailable,  zRec is set to NULL.
+  **
+  ** We also compute the number of columns in the record.  For cursors,
+  ** the number of columns is stored in the Cursor.nField element.  For
+  ** records on the stack, the next entry down on the stack is an integer
+  ** which is the number of records.
+  */
+  pC = p->apCsr[p1];
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  assert( pC->pVtabCursor==0 );
+#endif
+  assert( pC!=0 );
+  if( pC->pCursor!=0 ){
+    /* The record is stored in a B-Tree */
+    rc = sqlite3VdbeCursorMoveto(pC);
+    if( rc ) goto abort_due_to_error;
+    zRec = 0;
+    pCrsr = pC->pCursor;
+    if( pC->nullRow ){
+      payloadSize = 0;
+    }else if( pC->cacheStatus==p->cacheCtr ){
+      payloadSize = pC->payloadSize;
+      zRec = (char*)pC->aRow;
+    }else if( pC->isIndex ){
+      i64 payloadSize64;
+      sqlite3BtreeKeySize(pCrsr, &payloadSize64);
+      payloadSize = payloadSize64;
+    }else{
+      sqlite3BtreeDataSize(pCrsr, &payloadSize);
+    }
+    nField = pC->nField;
+  }else if( pC->pseudoTable ){
+    /* The record is the sole entry of a pseudo-table */
+    payloadSize = pC->nData;
+    zRec = pC->pData;
+    pC->cacheStatus = CACHE_STALE;
+    assert( payloadSize==0 || zRec!=0 );
+    nField = pC->nField;
+    pCrsr = 0;
+  }else{
+    zRec = 0;
+    payloadSize = 0;
+    pCrsr = 0;
+    nField = 0;
+  }
+
+  /* If payloadSize is 0, then just push a NULL onto the stack. */
+  if( payloadSize==0 ){
+    assert( pTos->flags==MEM_Null );
+    break;
+  }
+
+  assert( p2<nField );
+
+  /* Read and parse the table header.  Store the results of the parse
+  ** into the record header cache fields of the cursor.
+  */
+  if( pC && pC->cacheStatus==p->cacheCtr ){
+    aType = pC->aType;
+    aOffset = pC->aOffset;
+  }else{
+    u8 *zIdx;        /* Index into header */
+    u8 *zEndHdr;     /* Pointer to first byte after the header */
+    u32 offset;      /* Offset into the data */
+    int szHdrSz;     /* Size of the header size field at start of record */
+    int avail;       /* Number of bytes of available data */
+
+    aType = pC->aType;
+    if( aType==0 ){
+      pC->aType = aType = sqliteMallocRaw( 2*nField*sizeof(aType) );
+    }
+    if( aType==0 ){
+      goto no_mem;
+    }
+    pC->aOffset = aOffset = &aType[nField];
+    pC->payloadSize = payloadSize;
+    pC->cacheStatus = p->cacheCtr;
+
+    /* Figure out how many bytes are in the header */
+    if( zRec ){
+      zData = zRec;
+    }else{
+      if( pC->isIndex ){
+        zData = (char*)sqlite3BtreeKeyFetch(pCrsr, &avail);
+      }else{
+        zData = (char*)sqlite3BtreeDataFetch(pCrsr, &avail);
+      }
+      /* If KeyFetch()/DataFetch() managed to get the entire payload,
+      ** save the payload in the pC->aRow cache.  That will save us from
+      ** having to make additional calls to fetch the content portion of
+      ** the record.
+      */
+      if( avail>=payloadSize ){
+        zRec = zData;
+        pC->aRow = (u8*)zData;
+      }else{
+        pC->aRow = 0;
+      }
+    }
+    /* The following assert is true in all cases accept when
+    ** the database file has been corrupted externally.
+    **    assert( zRec!=0 || avail>=payloadSize || avail>=9 ); */
+    szHdrSz = GetVarint((u8*)zData, offset);
+
+    /* The KeyFetch() or DataFetch() above are fast and will get the entire
+    ** record header in most cases.  But they will fail to get the complete
+    ** record header if the record header does not fit on a single page
+    ** in the B-Tree.  When that happens, use sqlite3VdbeMemFromBtree() to
+    ** acquire the complete header text.
+    */
+    if( !zRec && avail<offset ){
+      rc = sqlite3VdbeMemFromBtree(pCrsr, 0, offset, pC->isIndex, &sMem);
+      if( rc!=SQLITE_OK ){
+        goto op_column_out;
+      }
+      zData = sMem.z;
+    }
+    zEndHdr = (u8 *)&zData[offset];
+    zIdx = (u8 *)&zData[szHdrSz];
+
+    /* Scan the header and use it to fill in the aType[] and aOffset[]
+    ** arrays.  aType[i] will contain the type integer for the i-th
+    ** column and aOffset[i] will contain the offset from the beginning
+    ** of the record to the start of the data for the i-th column
+    */
+    for(i=0; i<nField; i++){
+      if( zIdx<zEndHdr ){
+        aOffset[i] = offset;
+        zIdx += GetVarint(zIdx, aType[i]);
+        offset += sqlite3VdbeSerialTypeLen(aType[i]);
+      }else{
+        /* If i is less that nField, then there are less fields in this
+        ** record than SetNumColumns indicated there are columns in the
+        ** table. Set the offset for any extra columns not present in
+        ** the record to 0. This tells code below to push a NULL onto the
+        ** stack instead of deserializing a value from the record.
+        */
+        aOffset[i] = 0;
+      }
+    }
+    Release(&sMem);
+    sMem.flags = MEM_Null;
+
+    /* If we have read more header data than was contained in the header,
+    ** or if the end of the last field appears to be past the end of the
+    ** record, then we must be dealing with a corrupt database.
+    */
+    if( zIdx>zEndHdr || offset>payloadSize ){
+      rc = SQLITE_CORRUPT_BKPT;
+      goto op_column_out;
+    }
+  }
+
+  /* Get the column information. If aOffset[p2] is non-zero, then 
+  ** deserialize the value from the record. If aOffset[p2] is zero,
+  ** then there are not enough fields in the record to satisfy the
+  ** request.  In this case, set the value NULL or to P3 if P3 is
+  ** a pointer to a Mem object.
+  */
+  if( aOffset[p2] ){
+    assert( rc==SQLITE_OK );
+    if( zRec ){
+      zData = &zRec[aOffset[p2]];
+    }else{
+      len = sqlite3VdbeSerialTypeLen(aType[p2]);
+      rc = sqlite3VdbeMemFromBtree(pCrsr, aOffset[p2], len, pC->isIndex,&sMem);
+      if( rc!=SQLITE_OK ){
+        goto op_column_out;
+      }
+      zData = sMem.z;
+    }
+    sqlite3VdbeSerialGet((u8*)zData, aType[p2], pTos);
+    pTos->enc = encoding;
+  }else{
+    if( pOp->p3type==P3_MEM ){
+      sqlite3VdbeMemShallowCopy(pTos, (Mem *)(pOp->p3), MEM_Static);
+    }else{
+      pTos->flags = MEM_Null;
+    }
+  }
+
+  /* If we dynamically allocated space to hold the data (in the
+  ** sqlite3VdbeMemFromBtree() call above) then transfer control of that
+  ** dynamically allocated space over to the pTos structure.
+  ** This prevents a memory copy.
+  */
+  if( (sMem.flags & MEM_Dyn)!=0 ){
+    assert( pTos->flags & MEM_Ephem );
+    assert( pTos->flags & (MEM_Str|MEM_Blob) );
+    assert( pTos->z==sMem.z );
+    assert( sMem.flags & MEM_Term );
+    pTos->flags &= ~MEM_Ephem;
+    pTos->flags |= MEM_Dyn|MEM_Term;
+  }
+
+  /* pTos->z might be pointing to sMem.zShort[].  Fix that so that we
+  ** can abandon sMem */
+  rc = sqlite3VdbeMemMakeWriteable(pTos);
+
+op_column_out:
+  break;
+}
+
+/* Opcode: MakeRecord P1 P2 P3
+**
+** Convert the top abs(P1) entries of the stack into a single entry
+** suitable for use as a data record in a database table or as a key
+** in an index.  The details of the format are irrelavant as long as
+** the OP_Column opcode can decode the record later and as long as the
+** sqlite3VdbeRecordCompare function will correctly compare two encoded
+** records.  Refer to source code comments for the details of the record
+** format.
+**
+** The original stack entries are popped from the stack if P1>0 but
+** remain on the stack if P1<0.
+**
+** If P2 is not zero and one or more of the entries are NULL, then jump
+** to the address given by P2.  This feature can be used to skip a
+** uniqueness test on indices.
+**
+** P3 may be a string that is P1 characters long.  The nth character of the
+** string indicates the column affinity that should be used for the nth
+** field of the index key (i.e. the first character of P3 corresponds to the
+** lowest element on the stack).
+**
+** The mapping from character to affinity is given by the SQLITE_AFF_
+** macros defined in sqliteInt.h.
+**
+** If P3 is NULL then all index fields have the affinity NONE.
+**
+** See also OP_MakeIdxRec
+*/
+/* Opcode: MakeIdxRec P1 P2 P3
+**
+** This opcode works just OP_MakeRecord except that it reads an extra
+** integer from the stack (thus reading a total of abs(P1+1) entries)
+** and appends that extra integer to the end of the record as a varint.
+** This results in an index key.
+*/
+case OP_MakeIdxRec:
+case OP_MakeRecord: {
+  /* Assuming the record contains N fields, the record format looks
+  ** like this:
+  **
+  ** ------------------------------------------------------------------------
+  ** | hdr-size | type 0 | type 1 | ... | type N-1 | data0 | ... | data N-1 | 
+  ** ------------------------------------------------------------------------
+  **
+  ** Data(0) is taken from the lowest element of the stack and data(N-1) is
+  ** the top of the stack.
+  **
+  ** Each type field is a varint representing the serial type of the 
+  ** corresponding data element (see sqlite3VdbeSerialType()). The
+  ** hdr-size field is also a varint which is the offset from the beginning
+  ** of the record to data0.
+  */
+  unsigned char *zNewRecord;
+  unsigned char *zCsr;
+  Mem *pRec;
+  Mem *pRowid = 0;
+  int nData = 0;         /* Number of bytes of data space */
+  int nHdr = 0;          /* Number of bytes of header space */
+  int nByte = 0;         /* Space required for this record */
+  int nVarint;           /* Number of bytes in a varint */
+  u32 serial_type;       /* Type field */
+  int containsNull = 0;  /* True if any of the data fields are NULL */
+  char zTemp[NBFS];      /* Space to hold small records */
+  Mem *pData0;
+
+  int leaveOnStack;      /* If true, leave the entries on the stack */
+  int nField;            /* Number of fields in the record */
+  int jumpIfNull;        /* Jump here if non-zero and any entries are NULL. */
+  int addRowid;          /* True to append a rowid column at the end */
+  char *zAffinity;       /* The affinity string for the record */
+  int file_format;       /* File format to use for encoding */
+
+  leaveOnStack = ((pOp->p1<0)?1:0);
+  nField = pOp->p1 * (leaveOnStack?-1:1);
+  jumpIfNull = pOp->p2;
+  addRowid = pOp->opcode==OP_MakeIdxRec;
+  zAffinity = pOp->p3;
+
+  pData0 = &pTos[1-nField];
+  assert( pData0>=p->aStack );
+  containsNull = 0;
+  file_format = p->minWriteFileFormat;
+
+  /* Loop through the elements that will make up the record to figure
+  ** out how much space is required for the new record.
+  */
+  for(pRec=pData0; pRec<=pTos; pRec++){
+    if( zAffinity ){
+      applyAffinity(pRec, zAffinity[pRec-pData0], encoding);
+    }
+    if( pRec->flags&MEM_Null ){
+      containsNull = 1;
+    }
+    serial_type = sqlite3VdbeSerialType(pRec, file_format);
+    nData += sqlite3VdbeSerialTypeLen(serial_type);
+    nHdr += sqlite3VarintLen(serial_type);
+  }
+
+  /* If we have to append a varint rowid to this record, set 'rowid'
+  ** to the value of the rowid and increase nByte by the amount of space
+  ** required to store it and the 0x00 seperator byte.
+  */
+  if( addRowid ){
+    pRowid = &pTos[0-nField];
+    assert( pRowid>=p->aStack );
+    sqlite3VdbeMemIntegerify(pRowid);
+    serial_type = sqlite3VdbeSerialType(pRowid, 0);
+    nData += sqlite3VdbeSerialTypeLen(serial_type);
+    nHdr += sqlite3VarintLen(serial_type);
+  }
+
+  /* Add the initial header varint and total the size */
+  nHdr += nVarint = sqlite3VarintLen(nHdr);
+  if( nVarint<sqlite3VarintLen(nHdr) ){
+    nHdr++;
+  }
+  nByte = nHdr+nData;
+
+  /* Allocate space for the new record. */
+  if( nByte>sizeof(zTemp) ){
+    zNewRecord = sqliteMallocRaw(nByte);
+    if( !zNewRecord ){
+      goto no_mem;
+    }
+  }else{
+    zNewRecord = (u8*)zTemp;
+  }
+
+  /* Write the record */
+  zCsr = zNewRecord;
+  zCsr += sqlite3PutVarint(zCsr, nHdr);
+  for(pRec=pData0; pRec<=pTos; pRec++){
+    serial_type = sqlite3VdbeSerialType(pRec, file_format);
+    zCsr += sqlite3PutVarint(zCsr, serial_type);      /* serial type */
+  }
+  if( addRowid ){
+    zCsr += sqlite3PutVarint(zCsr, sqlite3VdbeSerialType(pRowid, 0));
+  }
+  for(pRec=pData0; pRec<=pTos; pRec++){
+    zCsr += sqlite3VdbeSerialPut(zCsr, pRec, file_format);  /* serial data */
+  }
+  if( addRowid ){
+    zCsr += sqlite3VdbeSerialPut(zCsr, pRowid, 0);
+  }
+  assert( zCsr==(zNewRecord+nByte) );
+
+  /* Pop entries off the stack if required. Push the new record on. */
+  if( !leaveOnStack ){
+    popStack(&pTos, nField+addRowid);
+  }
+  pTos++;
+  pTos->n = nByte;
+  if( nByte<=sizeof(zTemp) ){
+    assert( zNewRecord==(unsigned char *)zTemp );
+    pTos->z = pTos->zShort;
+    memcpy(pTos->zShort, zTemp, nByte);
+    pTos->flags = MEM_Blob | MEM_Short;
+  }else{
+    assert( zNewRecord!=(unsigned char *)zTemp );
+    pTos->z = (char*)zNewRecord;
+    pTos->flags = MEM_Blob | MEM_Dyn;
+    pTos->xDel = 0;
+  }
+  pTos->enc = SQLITE_UTF8;  /* In case the blob is ever converted to text */
+
+  /* If a NULL was encountered and jumpIfNull is non-zero, take the jump. */
+  if( jumpIfNull && containsNull ){
+    pc = jumpIfNull - 1;
+  }
+  break;
+}
+
+/* Opcode: Statement P1 * *
+**
+** Begin an individual statement transaction which is part of a larger
+** BEGIN..COMMIT transaction.  This is needed so that the statement
+** can be rolled back after an error without having to roll back the
+** entire transaction.  The statement transaction will automatically
+** commit when the VDBE halts.
+**
+** The statement is begun on the database file with index P1.  The main
+** database file has an index of 0 and the file used for temporary tables
+** has an index of 1.
+*/
+case OP_Statement: {       /* no-push */
+  int i = pOp->p1;
+  Btree *pBt;
+  if( i>=0 && i<db->nDb && (pBt = db->aDb[i].pBt)!=0 && !(db->autoCommit) ){
+    assert( sqlite3BtreeIsInTrans(pBt) );
+    if( !sqlite3BtreeIsInStmt(pBt) ){
+      rc = sqlite3BtreeBeginStmt(pBt);
+    }
+  }
+  break;
+}
+
+/* Opcode: AutoCommit P1 P2 *
+**
+** Set the database auto-commit flag to P1 (1 or 0). If P2 is true, roll
+** back any currently active btree transactions. If there are any active
+** VMs (apart from this one), then the COMMIT or ROLLBACK statement fails.
+**
+** This instruction causes the VM to halt.
+*/
+case OP_AutoCommit: {       /* no-push */
+  u8 i = pOp->p1;
+  u8 rollback = pOp->p2;
+
+  assert( i==1 || i==0 );
+  assert( i==1 || rollback==0 );
+
+  assert( db->activeVdbeCnt>0 );  /* At least this one VM is active */
+
+  if( db->activeVdbeCnt>1 && i && !db->autoCommit ){
+    /* If this instruction implements a COMMIT or ROLLBACK, other VMs are
+    ** still running, and a transaction is active, return an error indicating
+    ** that the other VMs must complete first. 
+    */
+    sqlite3SetString(&p->zErrMsg, "cannot ", rollback?"rollback":"commit", 
+        " transaction - SQL statements in progress", (char*)0);
+    rc = SQLITE_ERROR;
+  }else if( i!=db->autoCommit ){
+    if( pOp->p2 ){
+      assert( i==1 );
+      sqlite3RollbackAll(db);
+      db->autoCommit = 1;
+    }else{
+      db->autoCommit = i;
+      if( sqlite3VdbeHalt(p)==SQLITE_BUSY ){
+        p->pTos = pTos;
+        p->pc = pc;
+        db->autoCommit = 1-i;
+        p->rc = SQLITE_BUSY;
+        return SQLITE_BUSY;
+      }
+    }
+    if( p->rc==SQLITE_OK ){
+      return SQLITE_DONE;
+    }else{
+      return SQLITE_ERROR;
+    }
+  }else{
+    sqlite3SetString(&p->zErrMsg,
+        (!i)?"cannot start a transaction within a transaction":(
+        (rollback)?"cannot rollback - no transaction is active":
+                   "cannot commit - no transaction is active"), (char*)0);
+         
+    rc = SQLITE_ERROR;
+  }
+  break;
+}
+
+/* Opcode: Transaction P1 P2 *
+**
+** Begin a transaction.  The transaction ends when a Commit or Rollback
+** opcode is encountered.  Depending on the ON CONFLICT setting, the
+** transaction might also be rolled back if an error is encountered.
+**
+** P1 is the index of the database file on which the transaction is
+** started.  Index 0 is the main database file and index 1 is the
+** file used for temporary tables.
+**
+** If P2 is non-zero, then a write-transaction is started.  A RESERVED lock is
+** obtained on the database file when a write-transaction is started.  No
+** other process can start another write transaction while this transaction is
+** underway.  Starting a write transaction also creates a rollback journal. A
+** write transaction must be started before any changes can be made to the
+** database.  If P2 is 2 or greater then an EXCLUSIVE lock is also obtained
+** on the file.
+**
+** If P2 is zero, then a read-lock is obtained on the database file.
+*/
+case OP_Transaction: {       /* no-push */
+  int i = pOp->p1;
+  Btree *pBt;
+
+  assert( i>=0 && i<db->nDb );
+  pBt = db->aDb[i].pBt;
+
+  if( pBt ){
+    rc = sqlite3BtreeBeginTrans(pBt, pOp->p2);
+    if( rc==SQLITE_BUSY ){
+      p->pc = pc;
+      p->rc = SQLITE_BUSY;
+      p->pTos = pTos;
+      return SQLITE_BUSY;
+    }
+    if( rc!=SQLITE_OK && rc!=SQLITE_READONLY /* && rc!=SQLITE_BUSY */ ){
+      goto abort_due_to_error;
+    }
+  }
+  break;
+}
+
+/* Opcode: ReadCookie P1 P2 *
+**
+** Read cookie number P2 from database P1 and push it onto the stack.
+** P2==0 is the schema version.  P2==1 is the database format.
+** P2==2 is the recommended pager cache size, and so forth.  P1==0 is
+** the main database file and P1==1 is the database file used to store
+** temporary tables.
+**
+** There must be a read-lock on the database (either a transaction
+** must be started or there must be an open cursor) before
+** executing this instruction.
+*/
+case OP_ReadCookie: {
+  int iMeta;
+  assert( pOp->p2<SQLITE_N_BTREE_META );
+  assert( pOp->p1>=0 && pOp->p1<db->nDb );
+  assert( db->aDb[pOp->p1].pBt!=0 );
+  /* The indexing of meta values at the schema layer is off by one from
+  ** the indexing in the btree layer.  The btree considers meta[0] to
+  ** be the number of free pages in the database (a read-only value)
+  ** and meta[1] to be the schema cookie.  The schema layer considers
+  ** meta[1] to be the schema cookie.  So we have to shift the index
+  ** by one in the following statement.
+  */
+  rc = sqlite3BtreeGetMeta(db->aDb[pOp->p1].pBt, 1 + pOp->p2, (u32 *)&iMeta);
+  pTos++;
+  pTos->u.i = iMeta;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: SetCookie P1 P2 *
+**
+** Write the top of the stack into cookie number P2 of database P1.
+** P2==0 is the schema version.  P2==1 is the database format.
+** P2==2 is the recommended pager cache size, and so forth.  P1==0 is
+** the main database file and P1==1 is the database file used to store
+** temporary tables.
+**
+** A transaction must be started before executing this opcode.
+*/
+case OP_SetCookie: {       /* no-push */
+  Db *pDb;
+  assert( pOp->p2<SQLITE_N_BTREE_META );
+  assert( pOp->p1>=0 && pOp->p1<db->nDb );
+  pDb = &db->aDb[pOp->p1];
+  assert( pDb->pBt!=0 );
+  assert( pTos>=p->aStack );
+  sqlite3VdbeMemIntegerify(pTos);
+  /* See note about index shifting on OP_ReadCookie */
+  rc = sqlite3BtreeUpdateMeta(pDb->pBt, 1+pOp->p2, (int)pTos->u.i);
+  if( pOp->p2==0 ){
+    /* When the schema cookie changes, record the new cookie internally */
+    pDb->pSchema->schema_cookie = pTos->u.i;
+    db->flags |= SQLITE_InternChanges;
+  }else if( pOp->p2==1 ){
+    /* Record changes in the file format */
+    pDb->pSchema->file_format = pTos->u.i;
+  }
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos--;
+  if( pOp->p1==1 ){
+    /* Invalidate all prepared statements whenever the TEMP database
+    ** schema is changed.  Ticket #1644 */
+    sqlite3ExpirePreparedStatements(db);
+  }
+  break;
+}
+
+/* Opcode: VerifyCookie P1 P2 *
+**
+** Check the value of global database parameter number 0 (the
+** schema version) and make sure it is equal to P2.  
+** P1 is the database number which is 0 for the main database file
+** and 1 for the file holding temporary tables and some higher number
+** for auxiliary databases.
+**
+** The cookie changes its value whenever the database schema changes.
+** This operation is used to detect when that the cookie has changed
+** and that the current process needs to reread the schema.
+**
+** Either a transaction needs to have been started or an OP_Open needs
+** to be executed (to establish a read lock) before this opcode is
+** invoked.
+*/
+case OP_VerifyCookie: {       /* no-push */
+  int iMeta;
+  Btree *pBt;
+  assert( pOp->p1>=0 && pOp->p1<db->nDb );
+  pBt = db->aDb[pOp->p1].pBt;
+  if( pBt ){
+    rc = sqlite3BtreeGetMeta(pBt, 1, (u32 *)&iMeta);
+  }else{
+    rc = SQLITE_OK;
+    iMeta = 0;
+  }
+  if( rc==SQLITE_OK && iMeta!=pOp->p2 ){
+    sqlite3SetString(&p->zErrMsg, "database schema has changed", (char*)0);
+    /* If the schema-cookie from the database file matches the cookie 
+    ** stored with the in-memory representation of the schema, do
+    ** not reload the schema from the database file.
+    **
+    ** If virtual-tables are in use, this is not just an optimisation.
+    ** Often, v-tables store their data in other SQLite tables, which
+    ** are queried from within xNext() and other v-table methods using
+    ** prepared queries. If such a query is out-of-date, we do not want to
+    ** discard the database schema, as the user code implementing the
+    ** v-table would have to be ready for the sqlite3_vtab structure itself
+    ** to be invalidated whenever sqlite3_step() is called from within 
+    ** a v-table method.
+    */
+    if( db->aDb[pOp->p1].pSchema->schema_cookie!=iMeta ){
+      sqlite3ResetInternalSchema(db, pOp->p1);
+    }
+
+    sqlite3ExpirePreparedStatements(db);
+    rc = SQLITE_SCHEMA;
+  }
+  break;
+}
+
+/* Opcode: OpenRead P1 P2 P3
+**
+** Open a read-only cursor for the database table whose root page is
+** P2 in a database file.  The database file is determined by an 
+** integer from the top of the stack.  0 means the main database and
+** 1 means the database used for temporary tables.  Give the new 
+** cursor an identifier of P1.  The P1 values need not be contiguous
+** but all P1 values should be small integers.  It is an error for
+** P1 to be negative.
+**
+** If P2==0 then take the root page number from the next of the stack.
+**
+** There will be a read lock on the database whenever there is an
+** open cursor.  If the database was unlocked prior to this instruction
+** then a read lock is acquired as part of this instruction.  A read
+** lock allows other processes to read the database but prohibits
+** any other process from modifying the database.  The read lock is
+** released when all cursors are closed.  If this instruction attempts
+** to get a read lock but fails, the script terminates with an
+** SQLITE_BUSY error code.
+**
+** The P3 value is a pointer to a KeyInfo structure that defines the
+** content and collating sequence of indices.  P3 is NULL for cursors
+** that are not pointing to indices.
+**
+** See also OpenWrite.
+*/
+/* Opcode: OpenWrite P1 P2 P3
+**
+** Open a read/write cursor named P1 on the table or index whose root
+** page is P2.  If P2==0 then take the root page number from the stack.
+**
+** The P3 value is a pointer to a KeyInfo structure that defines the
+** content and collating sequence of indices.  P3 is NULL for cursors
+** that are not pointing to indices.
+**
+** This instruction works just like OpenRead except that it opens the cursor
+** in read/write mode.  For a given table, there can be one or more read-only
+** cursors or a single read/write cursor but not both.
+**
+** See also OpenRead.
+*/
+case OP_OpenRead:          /* no-push */
+case OP_OpenWrite: {       /* no-push */
+  int i = pOp->p1;
+  int p2 = pOp->p2;
+  int wrFlag;
+  Btree *pX;
+  int iDb;
+  Cursor *pCur;
+  Db *pDb;
+  
+  assert( pTos>=p->aStack );
+  sqlite3VdbeMemIntegerify(pTos);
+  iDb = pTos->u.i;
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos--;
+  assert( iDb>=0 && iDb<db->nDb );
+  pDb = &db->aDb[iDb];
+  pX = pDb->pBt;
+  assert( pX!=0 );
+  if( pOp->opcode==OP_OpenWrite ){
+    wrFlag = 1;
+    if( pDb->pSchema->file_format < p->minWriteFileFormat ){
+      p->minWriteFileFormat = pDb->pSchema->file_format;
+    }
+  }else{
+    wrFlag = 0;
+  }
+  if( p2<=0 ){
+    assert( pTos>=p->aStack );
+    sqlite3VdbeMemIntegerify(pTos);
+    p2 = pTos->u.i;
+    assert( (pTos->flags & MEM_Dyn)==0 );
+    pTos--;
+    assert( p2>=2 );
+  }
+  assert( i>=0 );
+  pCur = allocateCursor(p, i, iDb);
+  if( pCur==0 ) goto no_mem;
+  pCur->nullRow = 1;
+  if( pX==0 ) break;
+  /* We always provide a key comparison function.  If the table being
+  ** opened is of type INTKEY, the comparision function will be ignored. */
+  rc = sqlite3BtreeCursor(pX, p2, wrFlag,
+           sqlite3VdbeRecordCompare, pOp->p3,
+           &pCur->pCursor);
+  if( pOp->p3type==P3_KEYINFO ){
+    pCur->pKeyInfo = (KeyInfo*)pOp->p3;
+    pCur->pIncrKey = &pCur->pKeyInfo->incrKey;
+    pCur->pKeyInfo->enc = ENC(p->db);
+  }else{
+    pCur->pKeyInfo = 0;
+    pCur->pIncrKey = &pCur->bogusIncrKey;
+  }
+  switch( rc ){
+    case SQLITE_BUSY: {
+      p->pc = pc;
+      p->rc = SQLITE_BUSY;
+      p->pTos = &pTos[1 + (pOp->p2<=0)]; /* Operands must remain on stack */
+      return SQLITE_BUSY;
+    }
+    case SQLITE_OK: {
+      int flags = sqlite3BtreeFlags(pCur->pCursor);
+      /* Sanity checking.  Only the lower four bits of the flags byte should
+      ** be used.  Bit 3 (mask 0x08) is unpreditable.  The lower 3 bits
+      ** (mask 0x07) should be either 5 (intkey+leafdata for tables) or
+      ** 2 (zerodata for indices).  If these conditions are not met it can
+      ** only mean that we are dealing with a corrupt database file
+      */
+      if( (flags & 0xf0)!=0 || ((flags & 0x07)!=5 && (flags & 0x07)!=2) ){
+        rc = SQLITE_CORRUPT_BKPT;
+        goto abort_due_to_error;
+      }
+      pCur->isTable = (flags & BTREE_INTKEY)!=0;
+      pCur->isIndex = (flags & BTREE_ZERODATA)!=0;
+      /* If P3==0 it means we are expected to open a table.  If P3!=0 then
+      ** we expect to be opening an index.  If this is not what happened,
+      ** then the database is corrupt
+      */
+      if( (pCur->isTable && pOp->p3type==P3_KEYINFO)
+       || (pCur->isIndex && pOp->p3type!=P3_KEYINFO) ){
+        rc = SQLITE_CORRUPT_BKPT;
+        goto abort_due_to_error;
+      }
+      break;
+    }
+    case SQLITE_EMPTY: {
+      pCur->isTable = pOp->p3type!=P3_KEYINFO;
+      pCur->isIndex = !pCur->isTable;
+      rc = SQLITE_OK;
+      break;
+    }
+    default: {
+      goto abort_due_to_error;
+    }
+  }
+  break;
+}
+
+/* Opcode: OpenEphemeral P1 P2 P3
+**
+** Open a new cursor P1 to a transient table.
+** The cursor is always opened read/write even if 
+** the main database is read-only.  The transient or virtual
+** table is deleted automatically when the cursor is closed.
+**
+** P2 is the number of columns in the virtual table.
+** The cursor points to a BTree table if P3==0 and to a BTree index
+** if P3 is not 0.  If P3 is not NULL, it points to a KeyInfo structure
+** that defines the format of keys in the index.
+**
+** This opcode was once called OpenTemp.  But that created
+** confusion because the term "temp table", might refer either
+** to a TEMP table at the SQL level, or to a table opened by
+** this opcode.  Then this opcode was call OpenVirtual.  But
+** that created confusion with the whole virtual-table idea.
+*/
+case OP_OpenEphemeral: {       /* no-push */
+  int i = pOp->p1;
+  Cursor *pCx;
+  assert( i>=0 );
+  pCx = allocateCursor(p, i, -1);
+  if( pCx==0 ) goto no_mem;
+  pCx->nullRow = 1;
+  rc = sqlite3BtreeFactory(db, 0, 1, TEMP_PAGES, &pCx->pBt);
+  if( rc==SQLITE_OK ){
+    rc = sqlite3BtreeBeginTrans(pCx->pBt, 1);
+  }
+  if( rc==SQLITE_OK ){
+    /* If a transient index is required, create it by calling
+    ** sqlite3BtreeCreateTable() with the BTREE_ZERODATA flag before
+    ** opening it. If a transient table is required, just use the
+    ** automatically created table with root-page 1 (an INTKEY table).
+    */
+    if( pOp->p3 ){
+      int pgno;
+      assert( pOp->p3type==P3_KEYINFO );
+      rc = sqlite3BtreeCreateTable(pCx->pBt, &pgno, BTREE_ZERODATA); 
+      if( rc==SQLITE_OK ){
+        assert( pgno==MASTER_ROOT+1 );
+        rc = sqlite3BtreeCursor(pCx->pBt, pgno, 1, sqlite3VdbeRecordCompare,
+            pOp->p3, &pCx->pCursor);
+        pCx->pKeyInfo = (KeyInfo*)pOp->p3;
+        pCx->pKeyInfo->enc = ENC(p->db);
+        pCx->pIncrKey = &pCx->pKeyInfo->incrKey;
+      }
+      pCx->isTable = 0;
+    }else{
+      rc = sqlite3BtreeCursor(pCx->pBt, MASTER_ROOT, 1, 0, 0, &pCx->pCursor);
+      pCx->isTable = 1;
+      pCx->pIncrKey = &pCx->bogusIncrKey;
+    }
+  }
+  pCx->nField = pOp->p2;
+  pCx->isIndex = !pCx->isTable;
+  break;
+}
+
+/* Opcode: OpenPseudo P1 * *
+**
+** Open a new cursor that points to a fake table that contains a single
+** row of data.  Any attempt to write a second row of data causes the
+** first row to be deleted.  All data is deleted when the cursor is
+** closed.
+**
+** A pseudo-table created by this opcode is useful for holding the
+** NEW or OLD tables in a trigger.  Also used to hold the a single
+** row output from the sorter so that the row can be decomposed into
+** individual columns using the OP_Column opcode.
+*/
+case OP_OpenPseudo: {       /* no-push */
+  int i = pOp->p1;
+  Cursor *pCx;
+  assert( i>=0 );
+  pCx = allocateCursor(p, i, -1);
+  if( pCx==0 ) goto no_mem;
+  pCx->nullRow = 1;
+  pCx->pseudoTable = 1;
+  pCx->pIncrKey = &pCx->bogusIncrKey;
+  pCx->isTable = 1;
+  pCx->isIndex = 0;
+  break;
+}
+
+/* Opcode: Close P1 * *
+**
+** Close a cursor previously opened as P1.  If P1 is not
+** currently open, this instruction is a no-op.
+*/
+case OP_Close: {       /* no-push */
+  int i = pOp->p1;
+  if( i>=0 && i<p->nCursor ){
+    sqlite3VdbeFreeCursor(p, p->apCsr[i]);
+    p->apCsr[i] = 0;
+  }
+  break;
+}
+
+/* Opcode: MoveGe P1 P2 *
+**
+** Pop the top of the stack and use its value as a key.  Reposition
+** cursor P1 so that it points to the smallest entry that is greater
+** than or equal to the key that was popped ffrom the stack.
+** If there are no records greater than or equal to the key and P2 
+** is not zero, then jump to P2.
+**
+** See also: Found, NotFound, Distinct, MoveLt, MoveGt, MoveLe
+*/
+/* Opcode: MoveGt P1 P2 *
+**
+** Pop the top of the stack and use its value as a key.  Reposition
+** cursor P1 so that it points to the smallest entry that is greater
+** than the key from the stack.
+** If there are no records greater than the key and P2 is not zero,
+** then jump to P2.
+**
+** See also: Found, NotFound, Distinct, MoveLt, MoveGe, MoveLe
+*/
+/* Opcode: MoveLt P1 P2 *
+**
+** Pop the top of the stack and use its value as a key.  Reposition
+** cursor P1 so that it points to the largest entry that is less
+** than the key from the stack.
+** If there are no records less than the key and P2 is not zero,
+** then jump to P2.
+**
+** See also: Found, NotFound, Distinct, MoveGt, MoveGe, MoveLe
+*/
+/* Opcode: MoveLe P1 P2 *
+**
+** Pop the top of the stack and use its value as a key.  Reposition
+** cursor P1 so that it points to the largest entry that is less than
+** or equal to the key that was popped from the stack.
+** If there are no records less than or eqal to the key and P2 is not zero,
+** then jump to P2.
+**
+** See also: Found, NotFound, Distinct, MoveGt, MoveGe, MoveLt
+*/
+case OP_MoveLt:         /* no-push */
+case OP_MoveLe:         /* no-push */
+case OP_MoveGe:         /* no-push */
+case OP_MoveGt: {       /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  if( pC->pCursor!=0 ){
+    int res, oc;
+    oc = pOp->opcode;
+    pC->nullRow = 0;
+    *pC->pIncrKey = oc==OP_MoveGt || oc==OP_MoveLe;
+    if( pC->isTable ){
+      i64 iKey;
+      sqlite3VdbeMemIntegerify(pTos);
+      iKey = intToKey(pTos->u.i);
+      if( pOp->p2==0 && pOp->opcode==OP_MoveGe ){
+        pC->movetoTarget = iKey;
+        pC->deferredMoveto = 1;
+        assert( (pTos->flags & MEM_Dyn)==0 );
+        pTos--;
+        break;
+      }
+      rc = sqlite3BtreeMoveto(pC->pCursor, 0, (u64)iKey, 0, &res);
+      if( rc!=SQLITE_OK ){
+        goto abort_due_to_error;
+      }
+      pC->lastRowid = pTos->u.i;
+      pC->rowidIsValid = res==0;
+    }else{
+      assert( pTos->flags & MEM_Blob );
+      /* Stringify(pTos, encoding); */
+      rc = sqlite3BtreeMoveto(pC->pCursor, pTos->z, pTos->n, 0, &res);
+      if( rc!=SQLITE_OK ){
+        goto abort_due_to_error;
+      }
+      pC->rowidIsValid = 0;
+    }
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+    *pC->pIncrKey = 0;
+#ifdef SQLITE_TEST
+    sqlite3_search_count++;
+#endif
+    if( oc==OP_MoveGe || oc==OP_MoveGt ){
+      if( res<0 ){
+        rc = sqlite3BtreeNext(pC->pCursor, &res);
+        if( rc!=SQLITE_OK ) goto abort_due_to_error;
+        pC->rowidIsValid = 0;
+      }else{
+        res = 0;
+      }
+    }else{
+      assert( oc==OP_MoveLt || oc==OP_MoveLe );
+      if( res>=0 ){
+        rc = sqlite3BtreePrevious(pC->pCursor, &res);
+        if( rc!=SQLITE_OK ) goto abort_due_to_error;
+        pC->rowidIsValid = 0;
+      }else{
+        /* res might be negative because the table is empty.  Check to
+        ** see if this is the case.
+        */
+        res = sqlite3BtreeEof(pC->pCursor);
+      }
+    }
+    if( res ){
+      if( pOp->p2>0 ){
+        pc = pOp->p2 - 1;
+      }else{
+        pC->nullRow = 1;
+      }
+    }
+  }
+  Release(pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: Distinct P1 P2 *
+**
+** Use the top of the stack as a record created using MakeRecord.  P1 is a
+** cursor on a table that declared as an index.  If that table contains an
+** entry that matches the top of the stack fall thru.  If the top of the stack
+** matches no entry in P1 then jump to P2.
+**
+** The cursor is left pointing at the matching entry if it exists.  The
+** record on the top of the stack is not popped.
+**
+** This instruction is similar to NotFound except that this operation
+** does not pop the key from the stack.
+**
+** The instruction is used to implement the DISTINCT operator on SELECT
+** statements.  The P1 table is not a true index but rather a record of
+** all results that have produced so far.  
+**
+** See also: Found, NotFound, MoveTo, IsUnique, NotExists
+*/
+/* Opcode: Found P1 P2 *
+**
+** Top of the stack holds a blob constructed by MakeRecord.  P1 is an index.
+** If an entry that matches the top of the stack exists in P1 then
+** jump to P2.  If the top of the stack does not match any entry in P1
+** then fall thru.  The P1 cursor is left pointing at the matching entry
+** if it exists.  The blob is popped off the top of the stack.
+**
+** This instruction is used to implement the IN operator where the
+** left-hand side is a SELECT statement.  P1 is not a true index but
+** is instead a temporary index that holds the results of the SELECT
+** statement.  This instruction just checks to see if the left-hand side
+** of the IN operator (stored on the top of the stack) exists in the
+** result of the SELECT statement.
+**
+** See also: Distinct, NotFound, MoveTo, IsUnique, NotExists
+*/
+/* Opcode: NotFound P1 P2 *
+**
+** The top of the stack holds a blob constructed by MakeRecord.  P1 is
+** an index.  If no entry exists in P1 that matches the blob then jump
+** to P2.  If an entry does existing, fall through.  The cursor is left
+** pointing to the entry that matches.  The blob is popped from the stack.
+**
+** The difference between this operation and Distinct is that
+** Distinct does not pop the key from the stack.
+**
+** See also: Distinct, Found, MoveTo, NotExists, IsUnique
+*/
+case OP_Distinct:       /* no-push */
+case OP_NotFound:       /* no-push */
+case OP_Found: {        /* no-push */
+  int i = pOp->p1;
+  int alreadyExists = 0;
+  Cursor *pC;
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  if( (pC = p->apCsr[i])->pCursor!=0 ){
+    int res, rx;
+    assert( pC->isTable==0 );
+    Stringify(pTos, encoding);
+    rx = sqlite3BtreeMoveto(pC->pCursor, pTos->z, pTos->n, 0, &res);
+    alreadyExists = rx==SQLITE_OK && res==0;
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+  }
+  if( pOp->opcode==OP_Found ){
+    if( alreadyExists ) pc = pOp->p2 - 1;
+  }else{
+    if( !alreadyExists ) pc = pOp->p2 - 1;
+  }
+  if( pOp->opcode!=OP_Distinct ){
+    Release(pTos);
+    pTos--;
+  }
+  break;
+}
+
+/* Opcode: IsUnique P1 P2 *
+**
+** The top of the stack is an integer record number.  Call this
+** record number R.  The next on the stack is an index key created
+** using MakeIdxRec.  Call it K.  This instruction pops R from the
+** stack but it leaves K unchanged.
+**
+** P1 is an index.  So it has no data and its key consists of a
+** record generated by OP_MakeRecord where the last field is the 
+** rowid of the entry that the index refers to.
+** 
+** This instruction asks if there is an entry in P1 where the
+** fields matches K but the rowid is different from R.
+** If there is no such entry, then there is an immediate
+** jump to P2.  If any entry does exist where the index string
+** matches K but the record number is not R, then the record
+** number for that entry is pushed onto the stack and control
+** falls through to the next instruction.
+**
+** See also: Distinct, NotFound, NotExists, Found
+*/
+case OP_IsUnique: {        /* no-push */
+  int i = pOp->p1;
+  Mem *pNos = &pTos[-1];
+  Cursor *pCx;
+  BtCursor *pCrsr;
+  i64 R;
+
+  /* Pop the value R off the top of the stack
+  */
+  assert( pNos>=p->aStack );
+  sqlite3VdbeMemIntegerify(pTos);
+  R = pTos->u.i;
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos--;
+  assert( i>=0 && i<p->nCursor );
+  pCx = p->apCsr[i];
+  assert( pCx!=0 );
+  pCrsr = pCx->pCursor;
+  if( pCrsr!=0 ){
+    int res;
+    i64 v;         /* The record number on the P1 entry that matches K */
+    char *zKey;    /* The value of K */
+    int nKey;      /* Number of bytes in K */
+    int len;       /* Number of bytes in K without the rowid at the end */
+    int szRowid;   /* Size of the rowid column at the end of zKey */
+
+    /* Make sure K is a string and make zKey point to K
+    */
+    Stringify(pNos, encoding);
+    zKey = pNos->z;
+    nKey = pNos->n;
+
+    szRowid = sqlite3VdbeIdxRowidLen((u8*)zKey);
+    len = nKey-szRowid;
+
+    /* Search for an entry in P1 where all but the last four bytes match K.
+    ** If there is no such entry, jump immediately to P2.
+    */
+    assert( pCx->deferredMoveto==0 );
+    pCx->cacheStatus = CACHE_STALE;
+    rc = sqlite3BtreeMoveto(pCrsr, zKey, len, 0, &res);
+    if( rc!=SQLITE_OK ){
+      goto abort_due_to_error;
+    }
+    if( res<0 ){
+      rc = sqlite3BtreeNext(pCrsr, &res);
+      if( res ){
+        pc = pOp->p2 - 1;
+        break;
+      }
+    }
+    rc = sqlite3VdbeIdxKeyCompare(pCx, len, (u8*)zKey, &res); 
+    if( rc!=SQLITE_OK ) goto abort_due_to_error;
+    if( res>0 ){
+      pc = pOp->p2 - 1;
+      break;
+    }
+
+    /* At this point, pCrsr is pointing to an entry in P1 where all but
+    ** the final entry (the rowid) matches K.  Check to see if the
+    ** final rowid column is different from R.  If it equals R then jump
+    ** immediately to P2.
+    */
+    rc = sqlite3VdbeIdxRowid(pCrsr, &v);
+    if( rc!=SQLITE_OK ){
+      goto abort_due_to_error;
+    }
+    if( v==R ){
+      pc = pOp->p2 - 1;
+      break;
+    }
+
+    /* The final varint of the key is different from R.  Push it onto
+    ** the stack.  (The record number of an entry that violates a UNIQUE
+    ** constraint.)
+    */
+    pTos++;
+    pTos->u.i = v;
+    pTos->flags = MEM_Int;
+  }
+  break;
+}
+
+/* Opcode: NotExists P1 P2 *
+**
+** Use the top of the stack as a integer key.  If a record with that key
+** does not exist in table of P1, then jump to P2.  If the record
+** does exist, then fall thru.  The cursor is left pointing to the
+** record if it exists.  The integer key is popped from the stack.
+**
+** The difference between this operation and NotFound is that this
+** operation assumes the key is an integer and that P1 is a table whereas
+** NotFound assumes key is a blob constructed from MakeRecord and
+** P1 is an index.
+**
+** See also: Distinct, Found, MoveTo, NotFound, IsUnique
+*/
+case OP_NotExists: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  BtCursor *pCrsr;
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  if( (pCrsr = (pC = p->apCsr[i])->pCursor)!=0 ){
+    int res;
+    u64 iKey;
+    assert( pTos->flags & MEM_Int );
+    assert( p->apCsr[i]->isTable );
+    iKey = intToKey(pTos->u.i);
+    rc = sqlite3BtreeMoveto(pCrsr, 0, iKey, 0,&res);
+    pC->lastRowid = pTos->u.i;
+    pC->rowidIsValid = res==0;
+    pC->nullRow = 0;
+    pC->cacheStatus = CACHE_STALE;
+    /* res might be uninitialized if rc!=SQLITE_OK.  But if rc!=SQLITE_OK
+    ** processing is about to abort so we really do not care whether or not
+    ** the following jump is taken.  (In other words, do not stress over
+    ** the error that valgrind sometimes shows on the next statement when
+    ** running ioerr.test and similar failure-recovery test scripts.) */
+    if( res!=0 ){
+      pc = pOp->p2 - 1;
+      pC->rowidIsValid = 0;
+    }
+  }
+  Release(pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: Sequence P1 * *
+**
+** Push an integer onto the stack which is the next available
+** sequence number for cursor P1.  The sequence number on the
+** cursor is incremented after the push.
+*/
+case OP_Sequence: {
+  int i = pOp->p1;
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  pTos++;
+  pTos->u.i = p->apCsr[i]->seqCount++;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+
+/* Opcode: NewRowid P1 P2 *
+**
+** Get a new integer record number (a.k.a "rowid") used as the key to a table.
+** The record number is not previously used as a key in the database
+** table that cursor P1 points to.  The new record number is pushed 
+** onto the stack.
+**
+** If P2>0 then P2 is a memory cell that holds the largest previously
+** generated record number.  No new record numbers are allowed to be less
+** than this value.  When this value reaches its maximum, a SQLITE_FULL
+** error is generated.  The P2 memory cell is updated with the generated
+** record number.  This P2 mechanism is used to help implement the
+** AUTOINCREMENT feature.
+*/
+case OP_NewRowid: {
+  int i = pOp->p1;
+  i64 v = 0;
+  Cursor *pC;
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  if( (pC = p->apCsr[i])->pCursor==0 ){
+    /* The zero initialization above is all that is needed */
+  }else{
+    /* The next rowid or record number (different terms for the same
+    ** thing) is obtained in a two-step algorithm.
+    **
+    ** First we attempt to find the largest existing rowid and add one
+    ** to that.  But if the largest existing rowid is already the maximum
+    ** positive integer, we have to fall through to the second
+    ** probabilistic algorithm
+    **
+    ** The second algorithm is to select a rowid at random and see if
+    ** it already exists in the table.  If it does not exist, we have
+    ** succeeded.  If the random rowid does exist, we select a new one
+    ** and try again, up to 1000 times.
+    **
+    ** For a table with less than 2 billion entries, the probability
+    ** of not finding a unused rowid is about 1.0e-300.  This is a 
+    ** non-zero probability, but it is still vanishingly small and should
+    ** never cause a problem.  You are much, much more likely to have a
+    ** hardware failure than for this algorithm to fail.
+    **
+    ** The analysis in the previous paragraph assumes that you have a good
+    ** source of random numbers.  Is a library function like lrand48()
+    ** good enough?  Maybe. Maybe not. It's hard to know whether there
+    ** might be subtle bugs is some implementations of lrand48() that
+    ** could cause problems. To avoid uncertainty, SQLite uses its own 
+    ** random number generator based on the RC4 algorithm.
+    **
+    ** To promote locality of reference for repetitive inserts, the
+    ** first few attempts at chosing a random rowid pick values just a little
+    ** larger than the previous rowid.  This has been shown experimentally
+    ** to double the speed of the COPY operation.
+    */
+    int res, rx=SQLITE_OK, cnt;
+    i64 x;
+    cnt = 0;
+    if( (sqlite3BtreeFlags(pC->pCursor)&(BTREE_INTKEY|BTREE_ZERODATA)) !=
+          BTREE_INTKEY ){
+      rc = SQLITE_CORRUPT_BKPT;
+      goto abort_due_to_error;
+    }
+    assert( (sqlite3BtreeFlags(pC->pCursor) & BTREE_INTKEY)!=0 );
+    assert( (sqlite3BtreeFlags(pC->pCursor) & BTREE_ZERODATA)==0 );
+
+#ifdef SQLITE_32BIT_ROWID
+#   define MAX_ROWID 0x7fffffff
+#else
+    /* Some compilers complain about constants of the form 0x7fffffffffffffff.
+    ** Others complain about 0x7ffffffffffffffffLL.  The following macro seems
+    ** to provide the constant while making all compilers happy.
+    */
+#   define MAX_ROWID  ( (((u64)0x7fffffff)<<32) | (u64)0xffffffff )
+#endif
+
+    if( !pC->useRandomRowid ){
+      if( pC->nextRowidValid ){
+        v = pC->nextRowid;
+      }else{
+        rc = sqlite3BtreeLast(pC->pCursor, &res);
+        if( rc!=SQLITE_OK ){
+          goto abort_due_to_error;
+        }
+        if( res ){
+          v = 1;
+        }else{
+          sqlite3BtreeKeySize(pC->pCursor, &v);
+          v = keyToInt(v);
+          if( v==MAX_ROWID ){
+            pC->useRandomRowid = 1;
+          }else{
+            v++;
+          }
+        }
+      }
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+      if( pOp->p2 ){
+        Mem *pMem;
+        assert( pOp->p2>0 && pOp->p2<p->nMem );  /* P2 is a valid memory cell */
+        pMem = &p->aMem[pOp->p2];
+        sqlite3VdbeMemIntegerify(pMem);
+        assert( (pMem->flags & MEM_Int)!=0 );  /* mem(P2) holds an integer */
+        if( pMem->u.i==MAX_ROWID || pC->useRandomRowid ){
+          rc = SQLITE_FULL;
+          goto abort_due_to_error;
+        }
+        if( v<pMem->u.i+1 ){
+          v = pMem->u.i + 1;
+        }
+        pMem->u.i = v;
+      }
+#endif
+
+      if( v<MAX_ROWID ){
+        pC->nextRowidValid = 1;
+        pC->nextRowid = v+1;
+      }else{
+        pC->nextRowidValid = 0;
+      }
+    }
+    if( pC->useRandomRowid ){
+      assert( pOp->p2==0 );  /* SQLITE_FULL must have occurred prior to this */
+      v = db->priorNewRowid;
+      cnt = 0;
+      do{
+        if( v==0 || cnt>2 ){
+          sqlite3Randomness(sizeof(v), &v);
+          if( cnt<5 ) v &= 0xffffff;
+        }else{
+          unsigned char r;
+          sqlite3Randomness(1, &r);
+          v += r + 1;
+        }
+        if( v==0 ) continue;
+        x = intToKey(v);
+        rx = sqlite3BtreeMoveto(pC->pCursor, 0, (u64)x, 0, &res);
+        cnt++;
+      }while( cnt<1000 && rx==SQLITE_OK && res==0 );
+      db->priorNewRowid = v;
+      if( rx==SQLITE_OK && res==0 ){
+        rc = SQLITE_FULL;
+        goto abort_due_to_error;
+      }
+    }
+    pC->rowidIsValid = 0;
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+  }
+  pTos++;
+  pTos->u.i = v;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: Insert P1 P2 P3
+**
+** Write an entry into the table of cursor P1.  A new entry is
+** created if it doesn't already exist or the data for an existing
+** entry is overwritten.  The data is the value on the top of the
+** stack.  The key is the next value down on the stack.  The key must
+** be an integer.  The stack is popped twice by this instruction.
+**
+** If the OPFLAG_NCHANGE flag of P2 is set, then the row change count is
+** incremented (otherwise not).  If the OPFLAG_LASTROWID flag of P2 is set,
+** then rowid is stored for subsequent return by the
+** sqlite3_last_insert_rowid() function (otherwise it's unmodified).
+**
+** Parameter P3 may point to a string containing the table-name, or
+** may be NULL. If it is not NULL, then the update-hook 
+** (sqlite3.xUpdateCallback) is invoked following a successful insert.
+**
+** This instruction only works on tables.  The equivalent instruction
+** for indices is OP_IdxInsert.
+*/
+case OP_Insert: {         /* no-push */
+  Mem *pNos = &pTos[-1];
+  int i = pOp->p1;
+  Cursor *pC;
+  assert( pNos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  if( ((pC = p->apCsr[i])->pCursor!=0 || pC->pseudoTable) ){
+    i64 iKey;   /* The integer ROWID or key for the record to be inserted */
+
+    assert( pNos->flags & MEM_Int );
+    assert( pC->isTable );
+    iKey = intToKey(pNos->u.i);
+
+    if( pOp->p2 & OPFLAG_NCHANGE ) p->nChange++;
+    if( pOp->p2 & OPFLAG_LASTROWID ) db->lastRowid = pNos->u.i;
+    if( pC->nextRowidValid && pNos->u.i>=pC->nextRowid ){
+      pC->nextRowidValid = 0;
+    }
+    if( pTos->flags & MEM_Null ){
+      pTos->z = 0;
+      pTos->n = 0;
+    }else{
+      assert( pTos->flags & (MEM_Blob|MEM_Str) );
+    }
+    if( pC->pseudoTable ){
+      sqliteFree(pC->pData);
+      pC->iKey = iKey;
+      pC->nData = pTos->n;
+      if( pTos->flags & MEM_Dyn ){
+        pC->pData = pTos->z;
+        pTos->flags = MEM_Null;
+      }else{
+        pC->pData = sqliteMallocRaw( pC->nData+2 );
+        if( !pC->pData ) goto no_mem;
+        memcpy(pC->pData, pTos->z, pC->nData);
+        pC->pData[pC->nData] = 0;
+        pC->pData[pC->nData+1] = 0;
+      }
+      pC->nullRow = 0;
+    }else{
+      rc = sqlite3BtreeInsert(pC->pCursor, 0, iKey,
+                              pTos->z, pTos->n,
+                              pOp->p2 & OPFLAG_APPEND);
+    }
+    
+    pC->rowidIsValid = 0;
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+
+    /* Invoke the update-hook if required. */
+    if( rc==SQLITE_OK && db->xUpdateCallback && pOp->p3 ){
+      const char *zDb = db->aDb[pC->iDb].zName;
+      const char *zTbl = pOp->p3;
+      int op = ((pOp->p2 & OPFLAG_ISUPDATE) ? SQLITE_UPDATE : SQLITE_INSERT);
+      assert( pC->isTable );
+      db->xUpdateCallback(db->pUpdateArg, op, zDb, zTbl, iKey);
+      assert( pC->iDb>=0 );
+    }
+  }
+  popStack(&pTos, 2);
+
+  break;
+}
+
+/* Opcode: Delete P1 P2 P3
+**
+** Delete the record at which the P1 cursor is currently pointing.
+**
+** The cursor will be left pointing at either the next or the previous
+** record in the table. If it is left pointing at the next record, then
+** the next Next instruction will be a no-op.  Hence it is OK to delete
+** a record from within an Next loop.
+**
+** If the OPFLAG_NCHANGE flag of P2 is set, then the row change count is
+** incremented (otherwise not).
+**
+** If P1 is a pseudo-table, then this instruction is a no-op.
+*/
+case OP_Delete: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  if( pC->pCursor!=0 ){
+    i64 iKey;
+
+    /* If the update-hook will be invoked, set iKey to the rowid of the
+    ** row being deleted.
+    */
+    if( db->xUpdateCallback && pOp->p3 ){
+      assert( pC->isTable );
+      if( pC->rowidIsValid ){
+        iKey = pC->lastRowid;
+      }else{
+        rc = sqlite3BtreeKeySize(pC->pCursor, &iKey);
+        if( rc ){
+          goto abort_due_to_error;
+        }
+        iKey = keyToInt(iKey);
+      }
+    }
+
+    rc = sqlite3VdbeCursorMoveto(pC);
+    if( rc ) goto abort_due_to_error;
+    rc = sqlite3BtreeDelete(pC->pCursor);
+    pC->nextRowidValid = 0;
+    pC->cacheStatus = CACHE_STALE;
+
+    /* Invoke the update-hook if required. */
+    if( rc==SQLITE_OK && db->xUpdateCallback && pOp->p3 ){
+      const char *zDb = db->aDb[pC->iDb].zName;
+      const char *zTbl = pOp->p3;
+      db->xUpdateCallback(db->pUpdateArg, SQLITE_DELETE, zDb, zTbl, iKey);
+      assert( pC->iDb>=0 );
+    }
+  }
+  if( pOp->p2 & OPFLAG_NCHANGE ) p->nChange++;
+  break;
+}
+
+/* Opcode: ResetCount P1 * *
+**
+** This opcode resets the VMs internal change counter to 0. If P1 is true,
+** then the value of the change counter is copied to the database handle
+** change counter (returned by subsequent calls to sqlite3_changes())
+** before it is reset. This is used by trigger programs.
+*/
+case OP_ResetCount: {        /* no-push */
+  if( pOp->p1 ){
+    sqlite3VdbeSetChanges(db, p->nChange);
+  }
+  p->nChange = 0;
+  break;
+}
+
+/* Opcode: RowData P1 * *
+**
+** Push onto the stack the complete row data for cursor P1.
+** There is no interpretation of the data.  It is just copied
+** onto the stack exactly as it is found in the database file.
+**
+** If the cursor is not pointing to a valid row, a NULL is pushed
+** onto the stack.
+*/
+/* Opcode: RowKey P1 * *
+**
+** Push onto the stack the complete row key for cursor P1.
+** There is no interpretation of the key.  It is just copied
+** onto the stack exactly as it is found in the database file.
+**
+** If the cursor is not pointing to a valid row, a NULL is pushed
+** onto the stack.
+*/
+case OP_RowKey:
+case OP_RowData: {
+  int i = pOp->p1;
+  Cursor *pC;
+  u32 n;
+
+  /* Note that RowKey and RowData are really exactly the same instruction */
+  pTos++;
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC->isTable || pOp->opcode==OP_RowKey );
+  assert( pC->isIndex || pOp->opcode==OP_RowData );
+  assert( pC!=0 );
+  if( pC->nullRow ){
+    pTos->flags = MEM_Null;
+  }else if( pC->pCursor!=0 ){
+    BtCursor *pCrsr = pC->pCursor;
+    rc = sqlite3VdbeCursorMoveto(pC);
+    if( rc ) goto abort_due_to_error;
+    if( pC->nullRow ){
+      pTos->flags = MEM_Null;
+      break;
+    }else if( pC->isIndex ){
+      i64 n64;
+      assert( !pC->isTable );
+      sqlite3BtreeKeySize(pCrsr, &n64);
+      n = n64;
+    }else{
+      sqlite3BtreeDataSize(pCrsr, &n);
+    }
+    pTos->n = n;
+    if( n<=NBFS ){
+      pTos->flags = MEM_Blob | MEM_Short;
+      pTos->z = pTos->zShort;
+    }else{
+      char *z = sqliteMallocRaw( n );
+      if( z==0 ) goto no_mem;
+      pTos->flags = MEM_Blob | MEM_Dyn;
+      pTos->xDel = 0;
+      pTos->z = z;
+    }
+    if( pC->isIndex ){
+      rc = sqlite3BtreeKey(pCrsr, 0, n, pTos->z);
+    }else{
+      rc = sqlite3BtreeData(pCrsr, 0, n, pTos->z);
+    }
+  }else if( pC->pseudoTable ){
+    pTos->n = pC->nData;
+    pTos->z = pC->pData;
+    pTos->flags = MEM_Blob|MEM_Ephem;
+  }else{
+    pTos->flags = MEM_Null;
+  }
+  pTos->enc = SQLITE_UTF8;  /* In case the blob is ever cast to text */
+  break;
+}
+
+/* Opcode: Rowid P1 * *
+**
+** Push onto the stack an integer which is the key of the table entry that
+** P1 is currently point to.
+*/
+case OP_Rowid: {
+  int i = pOp->p1;
+  Cursor *pC;
+  i64 v;
+
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  rc = sqlite3VdbeCursorMoveto(pC);
+  if( rc ) goto abort_due_to_error;
+  pTos++;
+  if( pC->rowidIsValid ){
+    v = pC->lastRowid;
+  }else if( pC->pseudoTable ){
+    v = keyToInt(pC->iKey);
+  }else if( pC->nullRow || pC->pCursor==0 ){
+    pTos->flags = MEM_Null;
+    break;
+  }else{
+    assert( pC->pCursor!=0 );
+    sqlite3BtreeKeySize(pC->pCursor, &v);
+    v = keyToInt(v);
+  }
+  pTos->u.i = v;
+  pTos->flags = MEM_Int;
+  break;
+}
+
+/* Opcode: NullRow P1 * *
+**
+** Move the cursor P1 to a null row.  Any OP_Column operations
+** that occur while the cursor is on the null row will always push 
+** a NULL onto the stack.
+*/
+case OP_NullRow: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  pC->nullRow = 1;
+  pC->rowidIsValid = 0;
+  break;
+}
+
+/* Opcode: Last P1 P2 *
+**
+** The next use of the Rowid or Column or Next instruction for P1 
+** will refer to the last entry in the database table or index.
+** If the table or index is empty and P2>0, then jump immediately to P2.
+** If P2 is 0 or if the table or index is not empty, fall through
+** to the following instruction.
+*/
+case OP_Last: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  BtCursor *pCrsr;
+
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  if( (pCrsr = pC->pCursor)!=0 ){
+    int res;
+    rc = sqlite3BtreeLast(pCrsr, &res);
+    pC->nullRow = res;
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+    if( res && pOp->p2>0 ){
+      pc = pOp->p2 - 1;
+    }
+  }else{
+    pC->nullRow = 0;
+  }
+  break;
+}
+
+
+/* Opcode: Sort P1 P2 *
+**
+** This opcode does exactly the same thing as OP_Rewind except that
+** it increments an undocumented global variable used for testing.
+**
+** Sorting is accomplished by writing records into a sorting index,
+** then rewinding that index and playing it back from beginning to
+** end.  We use the OP_Sort opcode instead of OP_Rewind to do the
+** rewinding so that the global variable will be incremented and
+** regression tests can determine whether or not the optimizer is
+** correctly optimizing out sorts.
+*/
+case OP_Sort: {        /* no-push */
+#ifdef SQLITE_TEST
+  sqlite3_sort_count++;
+  sqlite3_search_count--;
+#endif
+  /* Fall through into OP_Rewind */
+}
+/* Opcode: Rewind P1 P2 *
+**
+** The next use of the Rowid or Column or Next instruction for P1 
+** will refer to the first entry in the database table or index.
+** If the table or index is empty and P2>0, then jump immediately to P2.
+** If P2 is 0 or if the table or index is not empty, fall through
+** to the following instruction.
+*/
+case OP_Rewind: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  BtCursor *pCrsr;
+  int res;
+
+  assert( i>=0 && i<p->nCursor );
+  pC = p->apCsr[i];
+  assert( pC!=0 );
+  if( (pCrsr = pC->pCursor)!=0 ){
+    rc = sqlite3BtreeFirst(pCrsr, &res);
+    pC->atFirst = res==0;
+    pC->deferredMoveto = 0;
+    pC->cacheStatus = CACHE_STALE;
+  }else{
+    res = 1;
+  }
+  pC->nullRow = res;
+  if( res && pOp->p2>0 ){
+    pc = pOp->p2 - 1;
+  }
+  break;
+}
+
+/* Opcode: Next P1 P2 *
+**
+** Advance cursor P1 so that it points to the next key/data pair in its
+** table or index.  If there are no more key/value pairs then fall through
+** to the following instruction.  But if the cursor advance was successful,
+** jump immediately to P2.
+**
+** See also: Prev
+*/
+/* Opcode: Prev P1 P2 *
+**
+** Back up cursor P1 so that it points to the previous key/data pair in its
+** table or index.  If there is no previous key/value pairs then fall through
+** to the following instruction.  But if the cursor backup was successful,
+** jump immediately to P2.
+*/
+case OP_Prev:          /* no-push */
+case OP_Next: {        /* no-push */
+  Cursor *pC;
+  BtCursor *pCrsr;
+
+  CHECK_FOR_INTERRUPT;
+  assert( pOp->p1>=0 && pOp->p1<p->nCursor );
+  pC = p->apCsr[pOp->p1];
+  if( pC==0 ){
+    break;  /* See ticket #2273 */
+  }
+  if( (pCrsr = pC->pCursor)!=0 ){
+    int res;
+    if( pC->nullRow ){
+      res = 1;
+    }else{
+      assert( pC->deferredMoveto==0 );
+      rc = pOp->opcode==OP_Next ? sqlite3BtreeNext(pCrsr, &res) :
+                                  sqlite3BtreePrevious(pCrsr, &res);
+      pC->nullRow = res;
+      pC->cacheStatus = CACHE_STALE;
+    }
+    if( res==0 ){
+      pc = pOp->p2 - 1;
+#ifdef SQLITE_TEST
+      sqlite3_search_count++;
+#endif
+    }
+  }else{
+    pC->nullRow = 1;
+  }
+  pC->rowidIsValid = 0;
+  break;
+}
+
+/* Opcode: IdxInsert P1 P2 *
+**
+** The top of the stack holds a SQL index key made using either the
+** MakeIdxRec or MakeRecord instructions.  This opcode writes that key
+** into the index P1.  Data for the entry is nil.
+**
+** P2 is a flag that provides a hint to the b-tree layer that this
+** insert is likely to be an append.
+**
+** This instruction only works for indices.  The equivalent instruction
+** for tables is OP_Insert.
+*/
+case OP_IdxInsert: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  BtCursor *pCrsr;
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  assert( pTos->flags & MEM_Blob );
+  if( (pCrsr = (pC = p->apCsr[i])->pCursor)!=0 ){
+    int nKey = pTos->n;
+    const char *zKey = pTos->z;
+    assert( pC->isTable==0 );
+    rc = sqlite3BtreeInsert(pCrsr, zKey, nKey, "", 0, pOp->p2);
+    assert( pC->deferredMoveto==0 );
+    pC->cacheStatus = CACHE_STALE;
+  }
+  Release(pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: IdxDelete P1 * *
+**
+** The top of the stack is an index key built using the either the
+** MakeIdxRec or MakeRecord opcodes.
+** This opcode removes that entry from the index.
+*/
+case OP_IdxDelete: {        /* no-push */
+  int i = pOp->p1;
+  Cursor *pC;
+  BtCursor *pCrsr;
+  assert( pTos>=p->aStack );
+  assert( pTos->flags & MEM_Blob );
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  if( (pCrsr = (pC = p->apCsr[i])->pCursor)!=0 ){
+    int res;
+    rc = sqlite3BtreeMoveto(pCrsr, pTos->z, pTos->n, 0, &res);
+    if( rc==SQLITE_OK && res==0 ){
+      rc = sqlite3BtreeDelete(pCrsr);
+    }
+    assert( pC->deferredMoveto==0 );
+    pC->cacheStatus = CACHE_STALE;
+  }
+  Release(pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: IdxRowid P1 * *
+**
+** Push onto the stack an integer which is the last entry in the record at
+** the end of the index key pointed to by cursor P1.  This integer should be
+** the rowid of the table entry to which this index entry points.
+**
+** See also: Rowid, MakeIdxRec.
+*/
+case OP_IdxRowid: {
+  int i = pOp->p1;
+  BtCursor *pCrsr;
+  Cursor *pC;
+
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  pTos++;
+  pTos->flags = MEM_Null;
+  if( (pCrsr = (pC = p->apCsr[i])->pCursor)!=0 ){
+    i64 rowid;
+
+    assert( pC->deferredMoveto==0 );
+    assert( pC->isTable==0 );
+    if( pC->nullRow ){
+      pTos->flags = MEM_Null;
+    }else{
+      rc = sqlite3VdbeIdxRowid(pCrsr, &rowid);
+      if( rc!=SQLITE_OK ){
+        goto abort_due_to_error;
+      }
+      pTos->flags = MEM_Int;
+      pTos->u.i = rowid;
+    }
+  }
+  break;
+}
+
+/* Opcode: IdxGT P1 P2 *
+**
+** The top of the stack is an index entry that omits the ROWID.  Compare
+** the top of stack against the index that P1 is currently pointing to.
+** Ignore the ROWID on the P1 index.
+**
+** The top of the stack might have fewer columns that P1.
+**
+** If the P1 index entry is greater than the top of the stack
+** then jump to P2.  Otherwise fall through to the next instruction.
+** In either case, the stack is popped once.
+*/
+/* Opcode: IdxGE P1 P2 P3
+**
+** The top of the stack is an index entry that omits the ROWID.  Compare
+** the top of stack against the index that P1 is currently pointing to.
+** Ignore the ROWID on the P1 index.
+**
+** If the P1 index entry is greater than or equal to the top of the stack
+** then jump to P2.  Otherwise fall through to the next instruction.
+** In either case, the stack is popped once.
+**
+** If P3 is the "+" string (or any other non-NULL string) then the
+** index taken from the top of the stack is temporarily increased by
+** an epsilon prior to the comparison.  This make the opcode work
+** like IdxGT except that if the key from the stack is a prefix of
+** the key in the cursor, the result is false whereas it would be
+** true with IdxGT.
+*/
+/* Opcode: IdxLT P1 P2 P3
+**
+** The top of the stack is an index entry that omits the ROWID.  Compare
+** the top of stack against the index that P1 is currently pointing to.
+** Ignore the ROWID on the P1 index.
+**
+** If the P1 index entry is less than  the top of the stack
+** then jump to P2.  Otherwise fall through to the next instruction.
+** In either case, the stack is popped once.
+**
+** If P3 is the "+" string (or any other non-NULL string) then the
+** index taken from the top of the stack is temporarily increased by
+** an epsilon prior to the comparison.  This makes the opcode work
+** like IdxLE.
+*/
+case OP_IdxLT:          /* no-push */
+case OP_IdxGT:          /* no-push */
+case OP_IdxGE: {        /* no-push */
+  int i= pOp->p1;
+  Cursor *pC;
+
+  assert( i>=0 && i<p->nCursor );
+  assert( p->apCsr[i]!=0 );
+  assert( pTos>=p->aStack );
+  if( (pC = p->apCsr[i])->pCursor!=0 ){
+    int res;
+ 
+    assert( pTos->flags & MEM_Blob );  /* Created using OP_Make*Key */
+    Stringify(pTos, encoding);
+    assert( pC->deferredMoveto==0 );
+    *pC->pIncrKey = pOp->p3!=0;
+    assert( pOp->p3==0 || pOp->opcode!=OP_IdxGT );
+    rc = sqlite3VdbeIdxKeyCompare(pC, pTos->n, (u8*)pTos->z, &res);
+    *pC->pIncrKey = 0;
+    if( rc!=SQLITE_OK ){
+      break;
+    }
+    if( pOp->opcode==OP_IdxLT ){
+      res = -res;
+    }else if( pOp->opcode==OP_IdxGE ){
+      res++;
+    }
+    if( res>0 ){
+      pc = pOp->p2 - 1 ;
+    }
+  }
+  Release(pTos);
+  pTos--;
+  break;
+}
+
+/* Opcode: Destroy P1 P2 *
+**
+** Delete an entire database table or index whose root page in the database
+** file is given by P1.
+**
+** The table being destroyed is in the main database file if P2==0.  If
+** P2==1 then the table to be clear is in the auxiliary database file
+** that is used to store tables create using CREATE TEMPORARY TABLE.
+**
+** If AUTOVACUUM is enabled then it is possible that another root page
+** might be moved into the newly deleted root page in order to keep all
+** root pages contiguous at the beginning of the database.  The former
+** value of the root page that moved - its value before the move occurred -
+** is pushed onto the stack.  If no page movement was required (because
+** the table being dropped was already the last one in the database) then
+** a zero is pushed onto the stack.  If AUTOVACUUM is disabled
+** then a zero is pushed onto the stack.
+**
+** See also: Clear
+*/
+case OP_Destroy: {
+  int iMoved;
+  int iCnt;
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  Vdbe *pVdbe;
+  iCnt = 0;
+  for(pVdbe=db->pVdbe; pVdbe; pVdbe=pVdbe->pNext){
+    if( pVdbe->magic==VDBE_MAGIC_RUN && pVdbe->inVtabMethod<2 && pVdbe->pc>=0 ){
+      iCnt++;
+    }
+  }
+#else
+  iCnt = db->activeVdbeCnt;
+#endif
+  if( iCnt>1 ){
+    rc = SQLITE_LOCKED;
+  }else{
+    assert( iCnt==1 );
+    rc = sqlite3BtreeDropTable(db->aDb[pOp->p2].pBt, pOp->p1, &iMoved);
+    pTos++;
+    pTos->flags = MEM_Int;
+    pTos->u.i = iMoved;
+#ifndef SQLITE_OMIT_AUTOVACUUM
+    if( rc==SQLITE_OK && iMoved!=0 ){
+      sqlite3RootPageMoved(&db->aDb[pOp->p2], iMoved, pOp->p1);
+    }
+#endif
+  }
+  break;
+}
+
+/* Opcode: Clear P1 P2 *
+**
+** Delete all contents of the database table or index whose root page
+** in the database file is given by P1.  But, unlike Destroy, do not
+** remove the table or index from the database file.
+**
+** The table being clear is in the main database file if P2==0.  If
+** P2==1 then the table to be clear is in the auxiliary database file
+** that is used to store tables create using CREATE TEMPORARY TABLE.
+**
+** See also: Destroy
+*/
+case OP_Clear: {        /* no-push */
+
+  /* For consistency with the way other features of SQLite operate
+  ** with a truncate, we will also skip the update callback.
+  */
+#if 0
+  Btree *pBt = db->aDb[pOp->p2].pBt;
+  if( db->xUpdateCallback && pOp->p3 ){
+    const char *zDb = db->aDb[pOp->p2].zName;
+    const char *zTbl = pOp->p3;
+    BtCursor *pCur = 0;
+    int fin = 0;
+
+    rc = sqlite3BtreeCursor(pBt, pOp->p1, 0, 0, 0, &pCur);
+    if( rc!=SQLITE_OK ){
+      goto abort_due_to_error;
+    }
+    for(
+      rc=sqlite3BtreeFirst(pCur, &fin); 
+      rc==SQLITE_OK && !fin; 
+      rc=sqlite3BtreeNext(pCur, &fin)
+    ){
+      i64 iKey;
+      rc = sqlite3BtreeKeySize(pCur, &iKey);
+      if( rc ){
+        break;
+      }
+      iKey = keyToInt(iKey);
+      db->xUpdateCallback(db->pUpdateArg, SQLITE_DELETE, zDb, zTbl, iKey);
+    }
+    sqlite3BtreeCloseCursor(pCur);
+    if( rc!=SQLITE_OK ){
+      goto abort_due_to_error;
+    }
+  }
+#endif
+  rc = sqlite3BtreeClearTable(db->aDb[pOp->p2].pBt, pOp->p1);
+  break;
+}
+
+/* Opcode: CreateTable P1 * *
+**
+** Allocate a new table in the main database file if P2==0 or in the
+** auxiliary database file if P2==1.  Push the page number
+** for the root page of the new table onto the stack.
+**
+** The difference between a table and an index is this:  A table must
+** have a 4-byte integer key and can have arbitrary data.  An index
+** has an arbitrary key but no data.
+**
+** See also: CreateIndex
+*/
+/* Opcode: CreateIndex P1 * *
+**
+** Allocate a new index in the main database file if P2==0 or in the
+** auxiliary database file if P2==1.  Push the page number of the
+** root page of the new index onto the stack.
+**
+** See documentation on OP_CreateTable for additional information.
+*/
+case OP_CreateIndex:
+case OP_CreateTable: {
+  int pgno;
+  int flags;
+  Db *pDb;
+  assert( pOp->p1>=0 && pOp->p1<db->nDb );
+  pDb = &db->aDb[pOp->p1];
+  assert( pDb->pBt!=0 );
+  if( pOp->opcode==OP_CreateTable ){
+    /* flags = BTREE_INTKEY; */
+    flags = BTREE_LEAFDATA|BTREE_INTKEY;
+  }else{
+    flags = BTREE_ZERODATA;
+  }
+  rc = sqlite3BtreeCreateTable(pDb->pBt, &pgno, flags);
+  pTos++;
+  if( rc==SQLITE_OK ){
+    pTos->u.i = pgno;
+    pTos->flags = MEM_Int;
+  }else{
+    pTos->flags = MEM_Null;
+  }
+  break;
+}
+
+/* Opcode: ParseSchema P1 P2 P3
+**
+** Read and parse all entries from the SQLITE_MASTER table of database P1
+** that match the WHERE clause P3.  P2 is the "force" flag.   Always do
+** the parsing if P2 is true.  If P2 is false, then this routine is a
+** no-op if the schema is not currently loaded.  In other words, if P2
+** is false, the SQLITE_MASTER table is only parsed if the rest of the
+** schema is already loaded into the symbol table.
+**
+** This opcode invokes the parser to create a new virtual machine,
+** then runs the new virtual machine.  It is thus a reentrant opcode.
+*/
+case OP_ParseSchema: {        /* no-push */
+  char *zSql;
+  int iDb = pOp->p1;
+  const char *zMaster;
+  InitData initData;
+
+  assert( iDb>=0 && iDb<db->nDb );
+  if( !pOp->p2 && !DbHasProperty(db, iDb, DB_SchemaLoaded) ){
+    break;
+  }
+  zMaster = SCHEMA_TABLE(iDb);
+  initData.db = db;
+  initData.iDb = pOp->p1;
+  initData.pzErrMsg = &p->zErrMsg;
+  zSql = sqlite3MPrintf(
+     "SELECT name, rootpage, sql FROM '%q'.%s WHERE %s",
+     db->aDb[iDb].zName, zMaster, pOp->p3);
+  if( zSql==0 ) goto no_mem;
+  sqlite3SafetyOff(db);
+  assert( db->init.busy==0 );
+  db->init.busy = 1;
+  assert( !sqlite3MallocFailed() );
+  rc = sqlite3_exec(db, zSql, sqlite3InitCallback, &initData, 0);
+  if( rc==SQLITE_ABORT ) rc = initData.rc;
+  sqliteFree(zSql);
+  db->init.busy = 0;
+  sqlite3SafetyOn(db);
+  if( rc==SQLITE_NOMEM ){
+    sqlite3FailedMalloc();
+    goto no_mem;
+  }
+  break;  
+}
+
+#if !defined(SQLITE_OMIT_ANALYZE) && !defined(SQLITE_OMIT_PARSER)
+/* Opcode: LoadAnalysis P1 * *
+**
+** Read the sqlite_stat1 table for database P1 and load the content
+** of that table into the internal index hash table.  This will cause
+** the analysis to be used when preparing all subsequent queries.
+*/
+case OP_LoadAnalysis: {        /* no-push */
+  int iDb = pOp->p1;
+  assert( iDb>=0 && iDb<db->nDb );
+  sqlite3AnalysisLoad(db, iDb);
+  break;  
+}
+#endif /* !defined(SQLITE_OMIT_ANALYZE) && !defined(SQLITE_OMIT_PARSER)  */
+
+/* Opcode: DropTable P1 * P3
+**
+** Remove the internal (in-memory) data structures that describe
+** the table named P3 in database P1.  This is called after a table
+** is dropped in order to keep the internal representation of the
+** schema consistent with what is on disk.
+*/
+case OP_DropTable: {        /* no-push */
+  sqlite3UnlinkAndDeleteTable(db, pOp->p1, pOp->p3);
+  break;
+}
+
+/* Opcode: DropIndex P1 * P3
+**
+** Remove the internal (in-memory) data structures that describe
+** the index named P3 in database P1.  This is called after an index
+** is dropped in order to keep the internal representation of the
+** schema consistent with what is on disk.
+*/
+case OP_DropIndex: {        /* no-push */
+  sqlite3UnlinkAndDeleteIndex(db, pOp->p1, pOp->p3);
+  break;
+}
+
+/* Opcode: DropTrigger P1 * P3
+**
+** Remove the internal (in-memory) data structures that describe
+** the trigger named P3 in database P1.  This is called after a trigger
+** is dropped in order to keep the internal representation of the
+** schema consistent with what is on disk.
+*/
+case OP_DropTrigger: {        /* no-push */
+  sqlite3UnlinkAndDeleteTrigger(db, pOp->p1, pOp->p3);
+  break;
+}
+
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+/* Opcode: IntegrityCk P1 P2 *
+**
+** Do an analysis of the currently open database.  Push onto the
+** stack the text of an error message describing any problems.
+** If no problems are found, push a NULL onto the stack.
+**
+** P1 is the address of a memory cell that contains the maximum
+** number of allowed errors.  At most mem[P1] errors will be reported.
+** In other words, the analysis stops as soon as mem[P1] errors are 
+** seen.  Mem[P1] is updated with the number of errors remaining.
+**
+** The root page numbers of all tables in the database are integer
+** values on the stack.  This opcode pulls as many integers as it
+** can off of the stack and uses those numbers as the root pages.
+**
+** If P2 is not zero, the check is done on the auxiliary database
+** file, not the main database file.
+**
+** This opcode is used to implement the integrity_check pragma.
+*/
+case OP_IntegrityCk: {
+  int nRoot;
+  int *aRoot;
+  int j;
+  int nErr;
+  char *z;
+  Mem *pnErr;
+
+  for(nRoot=0; &pTos[-nRoot]>=p->aStack; nRoot++){
+    if( (pTos[-nRoot].flags & MEM_Int)==0 ) break;
+  }
+  assert( nRoot>0 );
+  aRoot = sqliteMallocRaw( sizeof(int*)*(nRoot+1) );
+  if( aRoot==0 ) goto no_mem;
+  j = pOp->p1;
+  assert( j>=0 && j<p->nMem );
+  pnErr = &p->aMem[j];
+  assert( (pnErr->flags & MEM_Int)!=0 );
+  for(j=0; j<nRoot; j++){
+    Mem *pMem = &pTos[-j];
+    aRoot[j] = pMem->u.i;
+  }
+  aRoot[j] = 0;
+  popStack(&pTos, nRoot);
+  pTos++;
+  z = sqlite3BtreeIntegrityCheck(db->aDb[pOp->p2].pBt, aRoot, nRoot,
+                                 pnErr->u.i, &nErr);
+  pnErr->u.i -= nErr;
+  if( nErr==0 ){
+    assert( z==0 );
+    pTos->flags = MEM_Null;
+  }else{
+    pTos->z = z;
+    pTos->n = strlen(z);
+    pTos->flags = MEM_Str | MEM_Dyn | MEM_Term;
+    pTos->xDel = 0;
+  }
+  pTos->enc = SQLITE_UTF8;
+  sqlite3VdbeChangeEncoding(pTos, encoding);
+  sqliteFree(aRoot);
+  break;
+}
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+/* Opcode: FifoWrite * * *
+**
+** Write the integer on the top of the stack
+** into the Fifo.
+*/
+case OP_FifoWrite: {        /* no-push */
+  assert( pTos>=p->aStack );
+  sqlite3VdbeMemIntegerify(pTos);
+  sqlite3VdbeFifoPush(&p->sFifo, pTos->u.i);
+  assert( (pTos->flags & MEM_Dyn)==0 );
+  pTos--;
+  break;
+}
+
+/* Opcode: FifoRead * P2 *
+**
+** Attempt to read a single integer from the Fifo
+** and push it onto the stack.  If the Fifo is empty
+** push nothing but instead jump to P2.
+*/
+case OP_FifoRead: {
+  i64 v;
+  CHECK_FOR_INTERRUPT;
+  if( sqlite3VdbeFifoPop(&p->sFifo, &v)==SQLITE_DONE ){
+    pc = pOp->p2 - 1;
+  }else{
+    pTos++;
+    pTos->u.i = v;
+    pTos->flags = MEM_Int;
+  }
+  break;
+}
+
+#ifndef SQLITE_OMIT_TRIGGER
+/* Opcode: ContextPush * * * 
+**
+** Save the current Vdbe context such that it can be restored by a ContextPop
+** opcode. The context stores the last insert row id, the last statement change
+** count, and the current statement change count.
+*/
+case OP_ContextPush: {        /* no-push */
+  int i = p->contextStackTop++;
+  Context *pContext;
+
+  assert( i>=0 );
+  /* FIX ME: This should be allocated as part of the vdbe at compile-time */
+  if( i>=p->contextStackDepth ){
+    p->contextStackDepth = i+1;
+    p->contextStack = sqliteReallocOrFree(p->contextStack,
+                                          sizeof(Context)*(i+1));
+    if( p->contextStack==0 ) goto no_mem;
+  }
+  pContext = &p->contextStack[i];
+  pContext->lastRowid = db->lastRowid;
+  pContext->nChange = p->nChange;
+  pContext->sFifo = p->sFifo;
+  sqlite3VdbeFifoInit(&p->sFifo);
+  break;
+}
+
+/* Opcode: ContextPop * * * 
+**
+** Restore the Vdbe context to the state it was in when contextPush was last
+** executed. The context stores the last insert row id, the last statement
+** change count, and the current statement change count.
+*/
+case OP_ContextPop: {        /* no-push */
+  Context *pContext = &p->contextStack[--p->contextStackTop];
+  assert( p->contextStackTop>=0 );
+  db->lastRowid = pContext->lastRowid;
+  p->nChange = pContext->nChange;
+  sqlite3VdbeFifoClear(&p->sFifo);
+  p->sFifo = pContext->sFifo;
+  break;
+}
+#endif /* #ifndef SQLITE_OMIT_TRIGGER */
+
+/* Opcode: MemStore P1 P2 *
+**
+** Write the top of the stack into memory location P1.
+** P1 should be a small integer since space is allocated
+** for all memory locations between 0 and P1 inclusive.
+**
+** After the data is stored in the memory location, the
+** stack is popped once if P2 is 1.  If P2 is zero, then
+** the original data remains on the stack.
+*/
+case OP_MemStore: {        /* no-push */
+  assert( pTos>=p->aStack );
+  assert( pOp->p1>=0 && pOp->p1<p->nMem );
+  rc = sqlite3VdbeMemMove(&p->aMem[pOp->p1], pTos);
+  pTos--;
+
+  /* If P2 is 0 then fall thru to the next opcode, OP_MemLoad, that will
+  ** restore the top of the stack to its original value.
+  */
+  if( pOp->p2 ){
+    break;
+  }
+}
+/* Opcode: MemLoad P1 * *
+**
+** Push a copy of the value in memory location P1 onto the stack.
+**
+** If the value is a string, then the value pushed is a pointer to
+** the string that is stored in the memory location.  If the memory
+** location is subsequently changed (using OP_MemStore) then the
+** value pushed onto the stack will change too.
+*/
+case OP_MemLoad: {
+  int i = pOp->p1;
+  assert( i>=0 && i<p->nMem );
+  pTos++;
+  sqlite3VdbeMemShallowCopy(pTos, &p->aMem[i], MEM_Ephem);
+  break;
+}
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+/* Opcode: MemMax P1 * *
+**
+** Set the value of memory cell P1 to the maximum of its current value
+** and the value on the top of the stack.  The stack is unchanged.
+**
+** This instruction throws an error if the memory cell is not initially
+** an integer.
+*/
+case OP_MemMax: {        /* no-push */
+  int i = pOp->p1;
+  Mem *pMem;
+  assert( pTos>=p->aStack );
+  assert( i>=0 && i<p->nMem );
+  pMem = &p->aMem[i];
+  sqlite3VdbeMemIntegerify(pMem);
+  sqlite3VdbeMemIntegerify(pTos);
+  if( pMem->u.i<pTos->u.i){
+    pMem->u.i = pTos->u.i;
+  }
+  break;
+}
+#endif /* SQLITE_OMIT_AUTOINCREMENT */
+
+/* Opcode: MemIncr P1 P2 *
+**
+** Increment the integer valued memory cell P2 by the value in P1.
+**
+** It is illegal to use this instruction on a memory cell that does
+** not contain an integer.  An assertion fault will result if you try.
+*/
+case OP_MemIncr: {        /* no-push */
+  int i = pOp->p2;
+  Mem *pMem;
+  assert( i>=0 && i<p->nMem );
+  pMem = &p->aMem[i];
+  assert( pMem->flags==MEM_Int );
+  pMem->u.i += pOp->p1;
+  break;
+}
+
+/* Opcode: IfMemPos P1 P2 *
+**
+** If the value of memory cell P1 is 1 or greater, jump to P2.
+**
+** It is illegal to use this instruction on a memory cell that does
+** not contain an integer.  An assertion fault will result if you try.
+*/
+case OP_IfMemPos: {        /* no-push */
+  int i = pOp->p1;
+  Mem *pMem;
+  assert( i>=0 && i<p->nMem );
+  pMem = &p->aMem[i];
+  assert( pMem->flags==MEM_Int );
+  if( pMem->u.i>0 ){
+     pc = pOp->p2 - 1;
+  }
+  break;
+}
+
+/* Opcode: IfMemNeg P1 P2 *
+**
+** If the value of memory cell P1 is less than zero, jump to P2. 
+**
+** It is illegal to use this instruction on a memory cell that does
+** not contain an integer.  An assertion fault will result if you try.
+*/
+case OP_IfMemNeg: {        /* no-push */
+  int i = pOp->p1;
+  Mem *pMem;
+  assert( i>=0 && i<p->nMem );
+  pMem = &p->aMem[i];
+  assert( pMem->flags==MEM_Int );
+  if( pMem->u.i<0 ){
+     pc = pOp->p2 - 1;
+  }
+  break;
+}
+
+/* Opcode: IfMemZero P1 P2 *
+**
+** If the value of memory cell P1 is exactly 0, jump to P2. 
+**
+** It is illegal to use this instruction on a memory cell that does
+** not contain an integer.  An assertion fault will result if you try.
+*/
+case OP_IfMemZero: {        /* no-push */
+  int i = pOp->p1;
+  Mem *pMem;
+  assert( i>=0 && i<p->nMem );
+  pMem = &p->aMem[i];
+  assert( pMem->flags==MEM_Int );
+  if( pMem->u.i==0 ){
+     pc = pOp->p2 - 1;
+  }
+  break;
+}
+
+/* Opcode: MemNull P1 * *
+**
+** Store a NULL in memory cell P1
+*/
+case OP_MemNull: {
+  assert( pOp->p1>=0 && pOp->p1<p->nMem );
+  sqlite3VdbeMemSetNull(&p->aMem[pOp->p1]);
+  break;
+}
+
+/* Opcode: MemInt P1 P2 *
+**
+** Store the integer value P1 in memory cell P2.
+*/
+case OP_MemInt: {
+  assert( pOp->p2>=0 && pOp->p2<p->nMem );
+  sqlite3VdbeMemSetInt64(&p->aMem[pOp->p2], pOp->p1);
+  break;
+}
+
+/* Opcode: MemMove P1 P2 *
+**
+** Move the content of memory cell P2 over to memory cell P1.
+** Any prior content of P1 is erased.  Memory cell P2 is left
+** containing a NULL.
+*/
+case OP_MemMove: {
+  assert( pOp->p1>=0 && pOp->p1<p->nMem );
+  assert( pOp->p2>=0 && pOp->p2<p->nMem );
+  rc = sqlite3VdbeMemMove(&p->aMem[pOp->p1], &p->aMem[pOp->p2]);
+  break;
+}
+
+/* Opcode: AggStep P1 P2 P3
+**
+** Execute the step function for an aggregate.  The
+** function has P2 arguments.  P3 is a pointer to the FuncDef
+** structure that specifies the function.  Use memory location
+** P1 as the accumulator.
+**
+** The P2 arguments are popped from the stack.
+*/
+case OP_AggStep: {        /* no-push */
+  int n = pOp->p2;
+  int i;
+  Mem *pMem, *pRec;
+  sqlite3_context ctx;
+  sqlite3_value **apVal;
+
+  assert( n>=0 );
+  pRec = &pTos[1-n];
+  assert( pRec>=p->aStack );
+  apVal = p->apArg;
+  assert( apVal || n==0 );
+  for(i=0; i<n; i++, pRec++){
+    apVal[i] = pRec;
+    storeTypeInfo(pRec, encoding);
+  }
+  ctx.pFunc = (FuncDef*)pOp->p3;
+  assert( pOp->p1>=0 && pOp->p1<p->nMem );
+  ctx.pMem = pMem = &p->aMem[pOp->p1];
+  pMem->n++;
+  ctx.s.flags = MEM_Null;
+  ctx.s.z = 0;
+  ctx.s.xDel = 0;
+  ctx.isError = 0;
+  ctx.pColl = 0;
+  if( ctx.pFunc->needCollSeq ){
+    assert( pOp>p->aOp );
+    assert( pOp[-1].p3type==P3_COLLSEQ );
+    assert( pOp[-1].opcode==OP_CollSeq );
+    ctx.pColl = (CollSeq *)pOp[-1].p3;
+  }
+  (ctx.pFunc->xStep)(&ctx, n, apVal);
+  popStack(&pTos, n);
+  if( ctx.isError ){
+    sqlite3SetString(&p->zErrMsg, sqlite3_value_text(&ctx.s), (char*)0);
+    rc = SQLITE_ERROR;
+  }
+  sqlite3VdbeMemRelease(&ctx.s);
+  break;
+}
+
+/* Opcode: AggFinal P1 P2 P3
+**
+** Execute the finalizer function for an aggregate.  P1 is
+** the memory location that is the accumulator for the aggregate.
+**
+** P2 is the number of arguments that the step function takes and
+** P3 is a pointer to the FuncDef for this function.  The P2
+** argument is not used by this opcode.  It is only there to disambiguate
+** functions that can take varying numbers of arguments.  The
+** P3 argument is only needed for the degenerate case where
+** the step function was not previously called.
+*/
+case OP_AggFinal: {        /* no-push */
+  Mem *pMem;
+  assert( pOp->p1>=0 && pOp->p1<p->nMem );
+  pMem = &p->aMem[pOp->p1];
+  assert( (pMem->flags & ~(MEM_Null|MEM_Agg))==0 );
+  rc = sqlite3VdbeMemFinalize(pMem, (FuncDef*)pOp->p3);
+  if( rc==SQLITE_ERROR ){
+    sqlite3SetString(&p->zErrMsg, sqlite3_value_text(pMem), (char*)0);
+  }
+  break;
+}
+
+
+#if !defined(SQLITE_OMIT_VACUUM) && !defined(SQLITE_OMIT_ATTACH)
+/* Opcode: Vacuum * * *
+**
+** Vacuum the entire database.  This opcode will cause other virtual
+** machines to be created and run.  It may not be called from within
+** a transaction.
+*/
+case OP_Vacuum: {        /* no-push */
+  if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse; 
+  rc = sqlite3RunVacuum(&p->zErrMsg, db);
+  if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+  break;
+}
+#endif
+
+/* Opcode: Expire P1 * *
+**
+** Cause precompiled statements to become expired. An expired statement
+** fails with an error code of SQLITE_SCHEMA if it is ever executed 
+** (via sqlite3_step()).
+** 
+** If P1 is 0, then all SQL statements become expired. If P1 is non-zero,
+** then only the currently executing statement is affected. 
+*/
+case OP_Expire: {        /* no-push */
+  if( !pOp->p1 ){
+    sqlite3ExpirePreparedStatements(db);
+  }else{
+    p->expired = 1;
+  }
+  break;
+}
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+/* Opcode: TableLock P1 P2 P3
+**
+** Obtain a lock on a particular table. This instruction is only used when
+** the shared-cache feature is enabled. 
+**
+** If P1 is not negative, then it is the index of the database
+** in sqlite3.aDb[] and a read-lock is required. If P1 is negative, a 
+** write-lock is required. In this case the index of the database is the 
+** absolute value of P1 minus one (iDb = abs(P1) - 1;) and a write-lock is
+** required. 
+**
+** P2 contains the root-page of the table to lock.
+**
+** P3 contains a pointer to the name of the table being locked. This is only
+** used to generate an error message if the lock cannot be obtained.
+*/
+case OP_TableLock: {        /* no-push */
+  int p1 = pOp->p1; 
+  u8 isWriteLock = (p1<0);
+  if( isWriteLock ){
+    p1 = (-1*p1)-1;
+  }
+  rc = sqlite3BtreeLockTable(db->aDb[p1].pBt, pOp->p2, isWriteLock);
+  if( rc==SQLITE_LOCKED ){
+    const char *z = (const char *)pOp->p3;
+    sqlite3SetString(&p->zErrMsg, "database table is locked: ", z, (char*)0);
+  }
+  break;
+}
+#endif /* SQLITE_OMIT_SHARED_CACHE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VBegin * * P3
+**
+** P3 a pointer to an sqlite3_vtab structure. Call the xBegin method 
+** for that table.
+*/
+case OP_VBegin: {   /* no-push */
+  rc = sqlite3VtabBegin(db, (sqlite3_vtab *)pOp->p3);
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VCreate P1 * P3
+**
+** P3 is the name of a virtual table in database P1. Call the xCreate method
+** for that table.
+*/
+case OP_VCreate: {   /* no-push */
+  rc = sqlite3VtabCallCreate(db, pOp->p1, pOp->p3, &p->zErrMsg);
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VDestroy P1 * P3
+**
+** P3 is the name of a virtual table in database P1.  Call the xDestroy method
+** of that table.
+*/
+case OP_VDestroy: {   /* no-push */
+  p->inVtabMethod = 2;
+  rc = sqlite3VtabCallDestroy(db, pOp->p1, pOp->p3);
+  p->inVtabMethod = 0;
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VOpen P1 * P3
+**
+** P3 is a pointer to a virtual table object, an sqlite3_vtab structure.
+** P1 is a cursor number.  This opcode opens a cursor to the virtual
+** table and stores that cursor in P1.
+*/
+case OP_VOpen: {   /* no-push */
+  Cursor *pCur = 0;
+  sqlite3_vtab_cursor *pVtabCursor = 0;
+
+  sqlite3_vtab *pVtab = (sqlite3_vtab *)(pOp->p3);
+  sqlite3_module *pModule = (sqlite3_module *)pVtab->pModule;
+
+  assert(pVtab && pModule);
+  if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+  rc = pModule->xOpen(pVtab, &pVtabCursor);
+  if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+  if( SQLITE_OK==rc ){
+    /* Initialise sqlite3_vtab_cursor base class */
+    pVtabCursor->pVtab = pVtab;
+
+    /* Initialise vdbe cursor object */
+    pCur = allocateCursor(p, pOp->p1, -1);
+    if( pCur ){
+      pCur->pVtabCursor = pVtabCursor;
+      pCur->pModule = pVtabCursor->pVtab->pModule;
+    }else{
+      pModule->xClose(pVtabCursor);
+    }
+  }
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VFilter P1 P2 P3
+**
+** P1 is a cursor opened using VOpen.  P2 is an address to jump to if
+** the filtered result set is empty.
+**
+** P3 is either NULL or a string that was generated by the xBestIndex
+** method of the module.  The interpretation of the P3 string is left
+** to the module implementation.
+**
+** This opcode invokes the xFilter method on the virtual table specified
+** by P1.  The integer query plan parameter to xFilter is the top of the
+** stack.  Next down on the stack is the argc parameter.  Beneath the
+** next of stack are argc additional parameters which are passed to
+** xFilter as argv. The topmost parameter (i.e. 3rd element popped from
+** the stack) becomes argv[argc-1] when passed to xFilter.
+**
+** The integer query plan parameter, argc, and all argv stack values 
+** are popped from the stack before this instruction completes.
+**
+** A jump is made to P2 if the result set after filtering would be 
+** empty.
+*/
+case OP_VFilter: {   /* no-push */
+  int nArg;
+
+  const sqlite3_module *pModule;
+
+  Cursor *pCur = p->apCsr[pOp->p1];
+  assert( pCur->pVtabCursor );
+  pModule = pCur->pVtabCursor->pVtab->pModule;
+
+  /* Grab the index number and argc parameters off the top of the stack. */
+  assert( (&pTos[-1])>=p->aStack );
+  assert( (pTos[0].flags&MEM_Int)!=0 && pTos[-1].flags==MEM_Int );
+  nArg = pTos[-1].u.i;
+
+  /* Invoke the xFilter method */
+  {
+    int res = 0;
+    int i;
+    Mem **apArg = p->apArg;
+    for(i = 0; i<nArg; i++){
+      apArg[i] = &pTos[i+1-2-nArg];
+      storeTypeInfo(apArg[i], 0);
+    }
+
+    if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+    p->inVtabMethod = 1;
+    rc = pModule->xFilter(pCur->pVtabCursor, pTos->u.i, pOp->p3, nArg, apArg);
+    p->inVtabMethod = 0;
+    if( rc==SQLITE_OK ){
+      res = pModule->xEof(pCur->pVtabCursor);
+    }
+    if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+
+    if( res ){
+      pc = pOp->p2 - 1;
+    }
+  }
+
+  /* Pop the index number, argc value and parameters off the stack */
+  popStack(&pTos, 2+nArg);
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VRowid P1 * *
+**
+** Push an integer onto the stack which is the rowid of
+** the virtual-table that the P1 cursor is pointing to.
+*/
+case OP_VRowid: {
+  const sqlite3_module *pModule;
+
+  Cursor *pCur = p->apCsr[pOp->p1];
+  assert( pCur->pVtabCursor );
+  pModule = pCur->pVtabCursor->pVtab->pModule;
+  if( pModule->xRowid==0 ){
+    sqlite3SetString(&p->zErrMsg, "Unsupported module operation: xRowid", 0);
+    rc = SQLITE_ERROR;
+  } else {
+    sqlite_int64 iRow;
+
+    if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+    rc = pModule->xRowid(pCur->pVtabCursor, &iRow);
+    if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+
+    pTos++;
+    pTos->flags = MEM_Int;
+    pTos->u.i = iRow;
+  }
+
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VColumn P1 P2 *
+**
+** Push onto the stack the value of the P2-th column of
+** the row of the virtual-table that the P1 cursor is pointing to.
+*/
+case OP_VColumn: {
+  const sqlite3_module *pModule;
+
+  Cursor *pCur = p->apCsr[pOp->p1];
+  assert( pCur->pVtabCursor );
+  pModule = pCur->pVtabCursor->pVtab->pModule;
+  if( pModule->xColumn==0 ){
+    sqlite3SetString(&p->zErrMsg, "Unsupported module operation: xColumn", 0);
+    rc = SQLITE_ERROR;
+  } else {
+    sqlite3_context sContext;
+    memset(&sContext, 0, sizeof(sContext));
+    sContext.s.flags = MEM_Null;
+    if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+    rc = pModule->xColumn(pCur->pVtabCursor, &sContext, pOp->p2);
+
+    /* Copy the result of the function to the top of the stack. We
+    ** do this regardless of whether or not an error occured to ensure any
+    ** dynamic allocation in sContext.s (a Mem struct) is  released.
+    */
+    sqlite3VdbeChangeEncoding(&sContext.s, encoding);
+    pTos++;
+    pTos->flags = 0;
+    sqlite3VdbeMemMove(pTos, &sContext.s);
+
+    if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+  }
+  
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VNext P1 P2 *
+**
+** Advance virtual table P1 to the next row in its result set and
+** jump to instruction P2.  Or, if the virtual table has reached
+** the end of its result set, then fall through to the next instruction.
+*/
+case OP_VNext: {   /* no-push */
+  const sqlite3_module *pModule;
+  int res = 0;
+
+  Cursor *pCur = p->apCsr[pOp->p1];
+  assert( pCur->pVtabCursor );
+  pModule = pCur->pVtabCursor->pVtab->pModule;
+  if( pModule->xNext==0 ){
+    sqlite3SetString(&p->zErrMsg, "Unsupported module operation: xNext", 0);
+    rc = SQLITE_ERROR;
+  } else {
+    /* Invoke the xNext() method of the module. There is no way for the
+    ** underlying implementation to return an error if one occurs during
+    ** xNext(). Instead, if an error occurs, true is returned (indicating that 
+    ** data is available) and the error code returned when xColumn or
+    ** some other method is next invoked on the save virtual table cursor.
+    */
+    if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+    p->inVtabMethod = 1;
+    rc = pModule->xNext(pCur->pVtabCursor);
+    p->inVtabMethod = 0;
+    if( rc==SQLITE_OK ){
+      res = pModule->xEof(pCur->pVtabCursor);
+    }
+    if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+
+    if( !res ){
+      /* If there is data, jump to P2 */
+      pc = pOp->p2 - 1;
+    }
+  }
+
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Opcode: VUpdate P1 P2 P3
+**
+** P3 is a pointer to a virtual table object, an sqlite3_vtab structure.
+** This opcode invokes the corresponding xUpdate method. P2 values
+** are taken from the stack to pass to the xUpdate invocation. The
+** value on the top of the stack corresponds to the p2th element 
+** of the argv array passed to xUpdate.
+**
+** The xUpdate method will do a DELETE or an INSERT or both.
+** The argv[0] element (which corresponds to the P2-th element down
+** on the stack) is the rowid of a row to delete.  If argv[0] is
+** NULL then no deletion occurs.  The argv[1] element is the rowid
+** of the new row.  This can be NULL to have the virtual table
+** select the new rowid for itself.  The higher elements in the
+** stack are the values of columns in the new row.
+**
+** If P2==1 then no insert is performed.  argv[0] is the rowid of
+** a row to delete.
+**
+** P1 is a boolean flag. If it is set to true and the xUpdate call
+** is successful, then the value returned by sqlite3_last_insert_rowid() 
+** is set to the value of the rowid for the row just inserted.
+*/
+case OP_VUpdate: {   /* no-push */
+  sqlite3_vtab *pVtab = (sqlite3_vtab *)(pOp->p3);
+  sqlite3_module *pModule = (sqlite3_module *)pVtab->pModule;
+  int nArg = pOp->p2;
+  assert( pOp->p3type==P3_VTAB );
+  if( pModule->xUpdate==0 ){
+    sqlite3SetString(&p->zErrMsg, "read-only table", 0);
+    rc = SQLITE_ERROR;
+  }else{
+    int i;
+    sqlite_int64 rowid;
+    Mem **apArg = p->apArg;
+    Mem *pX = &pTos[1-nArg];
+    for(i = 0; i<nArg; i++, pX++){
+      storeTypeInfo(pX, 0);
+      apArg[i] = pX;
+    }
+    if( sqlite3SafetyOff(db) ) goto abort_due_to_misuse;
+    sqlite3VtabLock(pVtab);
+    rc = pModule->xUpdate(pVtab, nArg, apArg, &rowid);
+    sqlite3VtabUnlock(db, pVtab);
+    if( sqlite3SafetyOn(db) ) goto abort_due_to_misuse;
+    if( pOp->p1 && rc==SQLITE_OK ){
+      assert( nArg>1 && apArg[0] && (apArg[0]->flags&MEM_Null) );
+      db->lastRowid = rowid;
+    }
+  }
+  popStack(&pTos, nArg);
+  break;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/* An other opcode is illegal...
+*/
+default: {
+  assert( 0 );
+  break;
+}
+
+/*****************************************************************************
+** The cases of the switch statement above this line should all be indented
+** by 6 spaces.  But the left-most 6 spaces have been removed to improve the
+** readability.  From this point on down, the normal indentation rules are
+** restored.
+*****************************************************************************/
+    }
+
+    /* Make sure the stack limit was not exceeded */
+    assert( pTos<=pStackLimit );
+
+#ifdef VDBE_PROFILE
+    {
+      long long elapse = hwtime() - start;
+      pOp->cycles += elapse;
+      pOp->cnt++;
+#if 0
+        fprintf(stdout, "%10lld ", elapse);
+        sqlite3VdbePrintOp(stdout, origPc, &p->aOp[origPc]);
+#endif
+    }
+#endif
+
+    /* The following code adds nothing to the actual functionality
+    ** of the program.  It is only here for testing and debugging.
+    ** On the other hand, it does burn CPU cycles every time through
+    ** the evaluator loop.  So we can leave it out when NDEBUG is defined.
+    */
+#ifndef NDEBUG
+    /* Sanity checking on the top element of the stack. If the previous
+    ** instruction was VNoChange, then the flags field of the top
+    ** of the stack is set to 0. This is technically invalid for a memory
+    ** cell, so avoid calling MemSanity() in this case.
+    */
+    if( pTos>=p->aStack && pTos->flags ){
+      sqlite3VdbeMemSanity(pTos);
+    }
+    assert( pc>=-1 && pc<p->nOp );
+#ifdef SQLITE_DEBUG
+    /* Code for tracing the vdbe stack. */
+    if( p->trace && pTos>=p->aStack ){
+      int i;
+      fprintf(p->trace, "Stack:");
+      for(i=0; i>-5 && &pTos[i]>=p->aStack; i--){
+        if( pTos[i].flags & MEM_Null ){
+          fprintf(p->trace, " NULL");
+        }else if( (pTos[i].flags & (MEM_Int|MEM_Str))==(MEM_Int|MEM_Str) ){
+          fprintf(p->trace, " si:%lld", pTos[i].u.i);
+        }else if( pTos[i].flags & MEM_Int ){
+          fprintf(p->trace, " i:%lld", pTos[i].u.i);
+        }else if( pTos[i].flags & MEM_Real ){
+          fprintf(p->trace, " r:%g", pTos[i].r);
+        }else{
+          char zBuf[100];
+          sqlite3VdbeMemPrettyPrint(&pTos[i], zBuf);
+          fprintf(p->trace, " ");
+          fprintf(p->trace, "%s", zBuf);
+        }
+      }
+      if( rc!=0 ) fprintf(p->trace," rc=%d",rc);
+      fprintf(p->trace,"\n");
+    }
+#endif  /* SQLITE_DEBUG */
+#endif  /* NDEBUG */
+  }  /* The end of the for(;;) loop the loops through opcodes */
+
+  /* If we reach this point, it means that execution is finished.
+  */
+vdbe_halt:
+  if( rc ){
+    p->rc = rc;
+    rc = SQLITE_ERROR;
+  }else{
+    rc = SQLITE_DONE;
+  }
+  sqlite3VdbeHalt(p);
+  p->pTos = pTos;
+  return rc;
+
+  /* Jump to here if a malloc() fails.  It's hard to get a malloc()
+  ** to fail on a modern VM computer, so this code is untested.
+  */
+no_mem:
+  sqlite3SetString(&p->zErrMsg, "out of memory", (char*)0);
+  rc = SQLITE_NOMEM;
+  goto vdbe_halt;
+
+  /* Jump to here for an SQLITE_MISUSE error.
+  */
+abort_due_to_misuse:
+  rc = SQLITE_MISUSE;
+  /* Fall thru into abort_due_to_error */
+
+  /* Jump to here for any other kind of fatal error.  The "rc" variable
+  ** should hold the error number.
+  */
+abort_due_to_error:
+  if( p->zErrMsg==0 ){
+    if( sqlite3MallocFailed() ) rc = SQLITE_NOMEM;
+    sqlite3SetString(&p->zErrMsg, sqlite3ErrStr(rc), (char*)0);
+  }
+  goto vdbe_halt;
+
+  /* Jump to here if the sqlite3_interrupt() API sets the interrupt
+  ** flag.
+  */
+abort_due_to_interrupt:
+  assert( db->u1.isInterrupted );
+  if( db->magic!=SQLITE_MAGIC_BUSY ){
+    rc = SQLITE_MISUSE;
+  }else{
+    rc = SQLITE_INTERRUPT;
+  }
+  p->rc = rc;
+  sqlite3SetString(&p->zErrMsg, sqlite3ErrStr(rc), (char*)0);
+  goto vdbe_halt;
+}
+
+/************** End of vdbe.c ************************************************/
+/************** Begin file expr.c ********************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains routines used for analyzing expressions and
+** for generating VDBE code that evaluates expressions in SQLite.
+**
+** $Id$
+*/
+
+/*
+** Return the 'affinity' of the expression pExpr if any.
+**
+** If pExpr is a column, a reference to a column via an 'AS' alias,
+** or a sub-select with a column as the return value, then the 
+** affinity of that column is returned. Otherwise, 0x00 is returned,
+** indicating no affinity for the expression.
+**
+** i.e. the WHERE clause expresssions in the following statements all
+** have an affinity:
+**
+** CREATE TABLE t1(a);
+** SELECT * FROM t1 WHERE a;
+** SELECT a AS b FROM t1 WHERE b;
+** SELECT * FROM t1 WHERE (select a from t1);
+*/
+char sqlite3ExprAffinity(Expr *pExpr){
+  int op = pExpr->op;
+  if( op==TK_AS ){
+    return sqlite3ExprAffinity(pExpr->pLeft);
+  }
+  if( op==TK_SELECT ){
+    return sqlite3ExprAffinity(pExpr->pSelect->pEList->a[0].pExpr);
+  }
+#ifndef SQLITE_OMIT_CAST
+  if( op==TK_CAST ){
+    return sqlite3AffinityType(&pExpr->token);
+  }
+#endif
+  return pExpr->affinity;
+}
+
+/*
+** Set the collating sequence for expression pExpr to be the collating
+** sequence named by pToken.   Return a pointer to the revised expression.
+** The collating sequence is marked as "explicit" using the EP_ExpCollate
+** flag.  An explicit collating sequence will override implicit
+** collating sequences.
+*/
+Expr *sqlite3ExprSetColl(Parse *pParse, Expr *pExpr, Token *pName){
+  CollSeq *pColl;
+  if( pExpr==0 ) return 0;
+  pColl = sqlite3LocateCollSeq(pParse, (char*)pName->z, pName->n);
+  if( pColl ){
+    pExpr->pColl = pColl;
+    pExpr->flags |= EP_ExpCollate;
+  }
+  return pExpr;
+}
+
+/*
+** Return the default collation sequence for the expression pExpr. If
+** there is no default collation type, return 0.
+*/
+CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){
+  CollSeq *pColl = 0;
+  if( pExpr ){
+    pColl = pExpr->pColl;
+    if( (pExpr->op==TK_AS || pExpr->op==TK_CAST) && !pColl ){
+      return sqlite3ExprCollSeq(pParse, pExpr->pLeft);
+    }
+  }
+  if( sqlite3CheckCollSeq(pParse, pColl) ){ 
+    pColl = 0;
+  }
+  return pColl;
+}
+
+/*
+** pExpr is an operand of a comparison operator.  aff2 is the
+** type affinity of the other operand.  This routine returns the
+** type affinity that should be used for the comparison operator.
+*/
+char sqlite3CompareAffinity(Expr *pExpr, char aff2){
+  char aff1 = sqlite3ExprAffinity(pExpr);
+  if( aff1 && aff2 ){
+    /* Both sides of the comparison are columns. If one has numeric
+    ** affinity, use that. Otherwise use no affinity.
+    */
+    if( sqlite3IsNumericAffinity(aff1) || sqlite3IsNumericAffinity(aff2) ){
+      return SQLITE_AFF_NUMERIC;
+    }else{
+      return SQLITE_AFF_NONE;
+    }
+  }else if( !aff1 && !aff2 ){
+    /* Neither side of the comparison is a column.  Compare the
+    ** results directly.
+    */
+    return SQLITE_AFF_NONE;
+  }else{
+    /* One side is a column, the other is not. Use the columns affinity. */
+    assert( aff1==0 || aff2==0 );
+    return (aff1 + aff2);
+  }
+}
+
+/*
+** pExpr is a comparison operator.  Return the type affinity that should
+** be applied to both operands prior to doing the comparison.
+*/
+static char comparisonAffinity(Expr *pExpr){
+  char aff;
+  assert( pExpr->op==TK_EQ || pExpr->op==TK_IN || pExpr->op==TK_LT ||
+          pExpr->op==TK_GT || pExpr->op==TK_GE || pExpr->op==TK_LE ||
+          pExpr->op==TK_NE );
+  assert( pExpr->pLeft );
+  aff = sqlite3ExprAffinity(pExpr->pLeft);
+  if( pExpr->pRight ){
+    aff = sqlite3CompareAffinity(pExpr->pRight, aff);
+  }
+  else if( pExpr->pSelect ){
+    aff = sqlite3CompareAffinity(pExpr->pSelect->pEList->a[0].pExpr, aff);
+  }
+  else if( !aff ){
+    aff = SQLITE_AFF_NONE;
+  }
+  return aff;
+}
+
+/*
+** pExpr is a comparison expression, eg. '=', '<', IN(...) etc.
+** idx_affinity is the affinity of an indexed column. Return true
+** if the index with affinity idx_affinity may be used to implement
+** the comparison in pExpr.
+*/
+int sqlite3IndexAffinityOk(Expr *pExpr, char idx_affinity){
+  char aff = comparisonAffinity(pExpr);
+  switch( aff ){
+    case SQLITE_AFF_NONE:
+      return 1;
+    case SQLITE_AFF_TEXT:
+      return idx_affinity==SQLITE_AFF_TEXT;
+    default:
+      return sqlite3IsNumericAffinity(idx_affinity);
+  }
+}
+
+/*
+** Return the P1 value that should be used for a binary comparison
+** opcode (OP_Eq, OP_Ge etc.) used to compare pExpr1 and pExpr2.
+** If jumpIfNull is true, then set the low byte of the returned
+** P1 value to tell the opcode to jump if either expression
+** evaluates to NULL.
+*/
+static int binaryCompareP1(Expr *pExpr1, Expr *pExpr2, int jumpIfNull){
+  char aff = sqlite3ExprAffinity(pExpr2);
+  return ((int)sqlite3CompareAffinity(pExpr1, aff))+(jumpIfNull?0x100:0);
+}
+
+/*
+** Return a pointer to the collation sequence that should be used by
+** a binary comparison operator comparing pLeft and pRight.
+**
+** If the left hand expression has a collating sequence type, then it is
+** used. Otherwise the collation sequence for the right hand expression
+** is used, or the default (BINARY) if neither expression has a collating
+** type.
+*/
+static CollSeq* binaryCompareCollSeq(Parse *pParse, Expr *pLeft, Expr *pRight){
+  CollSeq *pColl;
+  assert( pLeft );
+  assert( pRight );
+  if( pLeft->flags & EP_ExpCollate ){
+    assert( pLeft->pColl );
+    pColl = pLeft->pColl;
+  }else if( pRight->flags & EP_ExpCollate ){
+    assert( pRight->pColl );
+    pColl = pRight->pColl;
+  }else{
+    pColl = sqlite3ExprCollSeq(pParse, pLeft);
+    if( !pColl ){
+      pColl = sqlite3ExprCollSeq(pParse, pRight);
+    }
+  }
+  return pColl;
+}
+
+/*
+** Generate code for a comparison operator.
+*/
+static int codeCompare(
+  Parse *pParse,    /* The parsing (and code generating) context */
+  Expr *pLeft,      /* The left operand */
+  Expr *pRight,     /* The right operand */
+  int opcode,       /* The comparison opcode */
+  int dest,         /* Jump here if true.  */
+  int jumpIfNull    /* If true, jump if either operand is NULL */
+){
+  int p1 = binaryCompareP1(pLeft, pRight, jumpIfNull);
+  CollSeq *p3 = binaryCompareCollSeq(pParse, pLeft, pRight);
+  return sqlite3VdbeOp3(pParse->pVdbe, opcode, p1, dest, (void*)p3, P3_COLLSEQ);
+}
+
+/*
+** Construct a new expression node and return a pointer to it.  Memory
+** for this node is obtained from sqliteMalloc().  The calling function
+** is responsible for making sure the node eventually gets freed.
+*/
+Expr *sqlite3Expr(int op, Expr *pLeft, Expr *pRight, const Token *pToken){
+  Expr *pNew;
+  pNew = sqliteMalloc( sizeof(Expr) );
+  if( pNew==0 ){
+    /* When malloc fails, delete pLeft and pRight. Expressions passed to 
+    ** this function must always be allocated with sqlite3Expr() for this 
+    ** reason. 
+    */
+    sqlite3ExprDelete(pLeft);
+    sqlite3ExprDelete(pRight);
+    return 0;
+  }
+  pNew->op = op;
+  pNew->pLeft = pLeft;
+  pNew->pRight = pRight;
+  pNew->iAgg = -1;
+  if( pToken ){
+    assert( pToken->dyn==0 );
+    pNew->span = pNew->token = *pToken;
+  }else if( pLeft ){
+    if( pRight ){
+      sqlite3ExprSpan(pNew, &pLeft->span, &pRight->span);
+      if( pRight->flags & EP_ExpCollate ){
+        pNew->flags |= EP_ExpCollate;
+        pNew->pColl = pRight->pColl;
+      }
+    }
+    if( pLeft->flags & EP_ExpCollate ){
+      pNew->flags |= EP_ExpCollate;
+      pNew->pColl = pLeft->pColl;
+    }
+  }
+  return pNew;
+}
+
+/*
+** Works like sqlite3Expr() but frees its pLeft and pRight arguments
+** if it fails due to a malloc problem.
+*/
+Expr *sqlite3ExprOrFree(int op, Expr *pLeft, Expr *pRight, const Token *pToken){
+  Expr *pNew = sqlite3Expr(op, pLeft, pRight, pToken);
+  if( pNew==0 ){
+    sqlite3ExprDelete(pLeft);
+    sqlite3ExprDelete(pRight);
+  }
+  return pNew;
+}
+
+/*
+** When doing a nested parse, you can include terms in an expression
+** that look like this:   #0 #1 #2 ...  These terms refer to elements
+** on the stack.  "#0" means the top of the stack.
+** "#1" means the next down on the stack.  And so forth.
+**
+** This routine is called by the parser to deal with on of those terms.
+** It immediately generates code to store the value in a memory location.
+** The returns an expression that will code to extract the value from
+** that memory location as needed.
+*/
+Expr *sqlite3RegisterExpr(Parse *pParse, Token *pToken){
+  Vdbe *v = pParse->pVdbe;
+  Expr *p;
+  int depth;
+  if( pParse->nested==0 ){
+    sqlite3ErrorMsg(pParse, "near \"%T\": syntax error", pToken);
+    return 0;
+  }
+  if( v==0 ) return 0;
+  p = sqlite3Expr(TK_REGISTER, 0, 0, pToken);
+  if( p==0 ){
+    return 0;  /* Malloc failed */
+  }
+  depth = atoi((char*)&pToken->z[1]);
+  p->iTable = pParse->nMem++;
+  sqlite3VdbeAddOp(v, OP_Dup, depth, 0);
+  sqlite3VdbeAddOp(v, OP_MemStore, p->iTable, 1);
+  return p;
+}
+
+/*
+** Join two expressions using an AND operator.  If either expression is
+** NULL, then just return the other expression.
+*/
+Expr *sqlite3ExprAnd(Expr *pLeft, Expr *pRight){
+  if( pLeft==0 ){
+    return pRight;
+  }else if( pRight==0 ){
+    return pLeft;
+  }else{
+    return sqlite3Expr(TK_AND, pLeft, pRight, 0);
+  }
+}
+
+/*
+** Set the Expr.span field of the given expression to span all
+** text between the two given tokens.
+*/
+void sqlite3ExprSpan(Expr *pExpr, Token *pLeft, Token *pRight){
+  assert( pRight!=0 );
+  assert( pLeft!=0 );
+  if( !sqlite3MallocFailed() && pRight->z && pLeft->z ){
+    assert( pLeft->dyn==0 || pLeft->z[pLeft->n]==0 );
+    if( pLeft->dyn==0 && pRight->dyn==0 ){
+      pExpr->span.z = pLeft->z;
+      pExpr->span.n = pRight->n + (pRight->z - pLeft->z);
+    }else{
+      pExpr->span.z = 0;
+    }
+  }
+}
+
+/*
+** Construct a new expression node for a function with multiple
+** arguments.
+*/
+Expr *sqlite3ExprFunction(ExprList *pList, Token *pToken){
+  Expr *pNew;
+  assert( pToken );
+  pNew = sqliteMalloc( sizeof(Expr) );
+  if( pNew==0 ){
+    sqlite3ExprListDelete(pList); /* Avoid leaking memory when malloc fails */
+    return 0;
+  }
+  pNew->op = TK_FUNCTION;
+  pNew->pList = pList;
+  assert( pToken->dyn==0 );
+  pNew->token = *pToken;
+  pNew->span = pNew->token;
+  return pNew;
+}
+
+/*
+** Assign a variable number to an expression that encodes a wildcard
+** in the original SQL statement.  
+**
+** Wildcards consisting of a single "?" are assigned the next sequential
+** variable number.
+**
+** Wildcards of the form "?nnn" are assigned the number "nnn".  We make
+** sure "nnn" is not too be to avoid a denial of service attack when
+** the SQL statement comes from an external source.
+**
+** Wildcards of the form ":aaa" or "$aaa" are assigned the same number
+** as the previous instance of the same wildcard.  Or if this is the first
+** instance of the wildcard, the next sequenial variable number is
+** assigned.
+*/
+void sqlite3ExprAssignVarNumber(Parse *pParse, Expr *pExpr){
+  Token *pToken;
+  if( pExpr==0 ) return;
+  pToken = &pExpr->token;
+  assert( pToken->n>=1 );
+  assert( pToken->z!=0 );
+  assert( pToken->z[0]!=0 );
+  if( pToken->n==1 ){
+    /* Wildcard of the form "?".  Assign the next variable number */
+    pExpr->iTable = ++pParse->nVar;
+  }else if( pToken->z[0]=='?' ){
+    /* Wildcard of the form "?nnn".  Convert "nnn" to an integer and
+    ** use it as the variable number */
+    int i;
+    pExpr->iTable = i = atoi((char*)&pToken->z[1]);
+    if( i<1 || i>SQLITE_MAX_VARIABLE_NUMBER ){
+      sqlite3ErrorMsg(pParse, "variable number must be between ?1 and ?%d",
+          SQLITE_MAX_VARIABLE_NUMBER);
+    }
+    if( i>pParse->nVar ){
+      pParse->nVar = i;
+    }
+  }else{
+    /* Wildcards of the form ":aaa" or "$aaa".  Reuse the same variable
+    ** number as the prior appearance of the same name, or if the name
+    ** has never appeared before, reuse the same variable number
+    */
+    int i, n;
+    n = pToken->n;
+    for(i=0; i<pParse->nVarExpr; i++){
+      Expr *pE;
+      if( (pE = pParse->apVarExpr[i])!=0
+          && pE->token.n==n
+          && memcmp(pE->token.z, pToken->z, n)==0 ){
+        pExpr->iTable = pE->iTable;
+        break;
+      }
+    }
+    if( i>=pParse->nVarExpr ){
+      pExpr->iTable = ++pParse->nVar;
+      if( pParse->nVarExpr>=pParse->nVarExprAlloc-1 ){
+        pParse->nVarExprAlloc += pParse->nVarExprAlloc + 10;
+        pParse->apVarExpr = sqliteReallocOrFree(pParse->apVarExpr,
+                       pParse->nVarExprAlloc*sizeof(pParse->apVarExpr[0]) );
+      }
+      if( !sqlite3MallocFailed() ){
+        assert( pParse->apVarExpr!=0 );
+        pParse->apVarExpr[pParse->nVarExpr++] = pExpr;
+      }
+    }
+  } 
+}
+
+/*
+** Recursively delete an expression tree.
+*/
+void sqlite3ExprDelete(Expr *p){
+  if( p==0 ) return;
+  if( p->span.dyn ) sqliteFree((char*)p->span.z);
+  if( p->token.dyn ) sqliteFree((char*)p->token.z);
+  sqlite3ExprDelete(p->pLeft);
+  sqlite3ExprDelete(p->pRight);
+  sqlite3ExprListDelete(p->pList);
+  sqlite3SelectDelete(p->pSelect);
+  sqliteFree(p);
+}
+
+/*
+** The Expr.token field might be a string literal that is quoted.
+** If so, remove the quotation marks.
+*/
+void sqlite3DequoteExpr(Expr *p){
+  if( ExprHasAnyProperty(p, EP_Dequoted) ){
+    return;
+  }
+  ExprSetProperty(p, EP_Dequoted);
+  if( p->token.dyn==0 ){
+    sqlite3TokenCopy(&p->token, &p->token);
+  }
+  sqlite3Dequote((char*)p->token.z);
+}
+
+
+/*
+** The following group of routines make deep copies of expressions,
+** expression lists, ID lists, and select statements.  The copies can
+** be deleted (by being passed to their respective ...Delete() routines)
+** without effecting the originals.
+**
+** The expression list, ID, and source lists return by sqlite3ExprListDup(),
+** sqlite3IdListDup(), and sqlite3SrcListDup() can not be further expanded 
+** by subsequent calls to sqlite*ListAppend() routines.
+**
+** Any tables that the SrcList might point to are not duplicated.
+*/
+Expr *sqlite3ExprDup(Expr *p){
+  Expr *pNew;
+  if( p==0 ) return 0;
+  pNew = sqliteMallocRaw( sizeof(*p) );
+  if( pNew==0 ) return 0;
+  memcpy(pNew, p, sizeof(*pNew));
+  if( p->token.z!=0 ){
+    pNew->token.z = (u8*)sqliteStrNDup((char*)p->token.z, p->token.n);
+    pNew->token.dyn = 1;
+  }else{
+    assert( pNew->token.z==0 );
+  }
+  pNew->span.z = 0;
+  pNew->pLeft = sqlite3ExprDup(p->pLeft);
+  pNew->pRight = sqlite3ExprDup(p->pRight);
+  pNew->pList = sqlite3ExprListDup(p->pList);
+  pNew->pSelect = sqlite3SelectDup(p->pSelect);
+  pNew->pTab = p->pTab;
+  return pNew;
+}
+void sqlite3TokenCopy(Token *pTo, Token *pFrom){
+  if( pTo->dyn ) sqliteFree((char*)pTo->z);
+  if( pFrom->z ){
+    pTo->n = pFrom->n;
+    pTo->z = (u8*)sqliteStrNDup((char*)pFrom->z, pFrom->n);
+    pTo->dyn = 1;
+  }else{
+    pTo->z = 0;
+  }
+}
+ExprList *sqlite3ExprListDup(ExprList *p){
+  ExprList *pNew;
+  struct ExprList_item *pItem, *pOldItem;
+  int i;
+  if( p==0 ) return 0;
+  pNew = sqliteMalloc( sizeof(*pNew) );
+  if( pNew==0 ) return 0;
+  pNew->nExpr = pNew->nAlloc = p->nExpr;
+  pNew->a = pItem = sqliteMalloc( p->nExpr*sizeof(p->a[0]) );
+  if( pItem==0 ){
+    sqliteFree(pNew);
+    return 0;
+  } 
+  pOldItem = p->a;
+  for(i=0; i<p->nExpr; i++, pItem++, pOldItem++){
+    Expr *pNewExpr, *pOldExpr;
+    pItem->pExpr = pNewExpr = sqlite3ExprDup(pOldExpr = pOldItem->pExpr);
+    if( pOldExpr->span.z!=0 && pNewExpr ){
+      /* Always make a copy of the span for top-level expressions in the
+      ** expression list.  The logic in SELECT processing that determines
+      ** the names of columns in the result set needs this information */
+      sqlite3TokenCopy(&pNewExpr->span, &pOldExpr->span);
+    }
+    assert( pNewExpr==0 || pNewExpr->span.z!=0 
+            || pOldExpr->span.z==0
+            || sqlite3MallocFailed() );
+    pItem->zName = sqliteStrDup(pOldItem->zName);
+    pItem->sortOrder = pOldItem->sortOrder;
+    pItem->isAgg = pOldItem->isAgg;
+    pItem->done = 0;
+  }
+  return pNew;
+}
+
+/*
+** If cursors, triggers, views and subqueries are all omitted from
+** the build, then none of the following routines, except for 
+** sqlite3SelectDup(), can be called. sqlite3SelectDup() is sometimes
+** called with a NULL argument.
+*/
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER) \
+ || !defined(SQLITE_OMIT_SUBQUERY)
+SrcList *sqlite3SrcListDup(SrcList *p){
+  SrcList *pNew;
+  int i;
+  int nByte;
+  if( p==0 ) return 0;
+  nByte = sizeof(*p) + (p->nSrc>0 ? sizeof(p->a[0]) * (p->nSrc-1) : 0);
+  pNew = sqliteMallocRaw( nByte );
+  if( pNew==0 ) return 0;
+  pNew->nSrc = pNew->nAlloc = p->nSrc;
+  for(i=0; i<p->nSrc; i++){
+    struct SrcList_item *pNewItem = &pNew->a[i];
+    struct SrcList_item *pOldItem = &p->a[i];
+    Table *pTab;
+    pNewItem->zDatabase = sqliteStrDup(pOldItem->zDatabase);
+    pNewItem->zName = sqliteStrDup(pOldItem->zName);
+    pNewItem->zAlias = sqliteStrDup(pOldItem->zAlias);
+    pNewItem->jointype = pOldItem->jointype;
+    pNewItem->iCursor = pOldItem->iCursor;
+    pNewItem->isPopulated = pOldItem->isPopulated;
+    pTab = pNewItem->pTab = pOldItem->pTab;
+    if( pTab ){
+      pTab->nRef++;
+    }
+    pNewItem->pSelect = sqlite3SelectDup(pOldItem->pSelect);
+    pNewItem->pOn = sqlite3ExprDup(pOldItem->pOn);
+    pNewItem->pUsing = sqlite3IdListDup(pOldItem->pUsing);
+    pNewItem->colUsed = pOldItem->colUsed;
+  }
+  return pNew;
+}
+IdList *sqlite3IdListDup(IdList *p){
+  IdList *pNew;
+  int i;
+  if( p==0 ) return 0;
+  pNew = sqliteMallocRaw( sizeof(*pNew) );
+  if( pNew==0 ) return 0;
+  pNew->nId = pNew->nAlloc = p->nId;
+  pNew->a = sqliteMallocRaw( p->nId*sizeof(p->a[0]) );
+  if( pNew->a==0 ){
+    sqliteFree(pNew);
+    return 0;
+  }
+  for(i=0; i<p->nId; i++){
+    struct IdList_item *pNewItem = &pNew->a[i];
+    struct IdList_item *pOldItem = &p->a[i];
+    pNewItem->zName = sqliteStrDup(pOldItem->zName);
+    pNewItem->idx = pOldItem->idx;
+  }
+  return pNew;
+}
+Select *sqlite3SelectDup(Select *p){
+  Select *pNew;
+  if( p==0 ) return 0;
+  pNew = sqliteMallocRaw( sizeof(*p) );
+  if( pNew==0 ) return 0;
+  pNew->isDistinct = p->isDistinct;
+  pNew->pEList = sqlite3ExprListDup(p->pEList);
+  pNew->pSrc = sqlite3SrcListDup(p->pSrc);
+  pNew->pWhere = sqlite3ExprDup(p->pWhere);
+  pNew->pGroupBy = sqlite3ExprListDup(p->pGroupBy);
+  pNew->pHaving = sqlite3ExprDup(p->pHaving);
+  pNew->pOrderBy = sqlite3ExprListDup(p->pOrderBy);
+  pNew->op = p->op;
+  pNew->pPrior = sqlite3SelectDup(p->pPrior);
+  pNew->pLimit = sqlite3ExprDup(p->pLimit);
+  pNew->pOffset = sqlite3ExprDup(p->pOffset);
+  pNew->iLimit = -1;
+  pNew->iOffset = -1;
+  pNew->isResolved = p->isResolved;
+  pNew->isAgg = p->isAgg;
+  pNew->usesEphm = 0;
+  pNew->disallowOrderBy = 0;
+  pNew->pRightmost = 0;
+  pNew->addrOpenEphm[0] = -1;
+  pNew->addrOpenEphm[1] = -1;
+  pNew->addrOpenEphm[2] = -1;
+  return pNew;
+}
+#else
+Select *sqlite3SelectDup(Select *p){
+  assert( p==0 );
+  return 0;
+}
+#endif
+
+
+/*
+** Add a new element to the end of an expression list.  If pList is
+** initially NULL, then create a new expression list.
+*/
+ExprList *sqlite3ExprListAppend(ExprList *pList, Expr *pExpr, Token *pName){
+  if( pList==0 ){
+    pList = sqliteMalloc( sizeof(ExprList) );
+    if( pList==0 ){
+      goto no_mem;
+    }
+    assert( pList->nAlloc==0 );
+  }
+  if( pList->nAlloc<=pList->nExpr ){
+    struct ExprList_item *a;
+    int n = pList->nAlloc*2 + 4;
+    a = sqliteRealloc(pList->a, n*sizeof(pList->a[0]));
+    if( a==0 ){
+      goto no_mem;
+    }
+    pList->a = a;
+    pList->nAlloc = n;
+  }
+  assert( pList->a!=0 );
+  if( pExpr || pName ){
+    struct ExprList_item *pItem = &pList->a[pList->nExpr++];
+    memset(pItem, 0, sizeof(*pItem));
+    pItem->zName = sqlite3NameFromToken(pName);
+    pItem->pExpr = pExpr;
+  }
+  return pList;
+
+no_mem:     
+  /* Avoid leaking memory if malloc has failed. */
+  sqlite3ExprDelete(pExpr);
+  sqlite3ExprListDelete(pList);
+  return 0;
+}
+
+/*
+** Delete an entire expression list.
+*/
+void sqlite3ExprListDelete(ExprList *pList){
+  int i;
+  struct ExprList_item *pItem;
+  if( pList==0 ) return;
+  assert( pList->a!=0 || (pList->nExpr==0 && pList->nAlloc==0) );
+  assert( pList->nExpr<=pList->nAlloc );
+  for(pItem=pList->a, i=0; i<pList->nExpr; i++, pItem++){
+    sqlite3ExprDelete(pItem->pExpr);
+    sqliteFree(pItem->zName);
+  }
+  sqliteFree(pList->a);
+  sqliteFree(pList);
+}
+
+/*
+** Walk an expression tree.  Call xFunc for each node visited.
+**
+** The return value from xFunc determines whether the tree walk continues.
+** 0 means continue walking the tree.  1 means do not walk children
+** of the current node but continue with siblings.  2 means abandon
+** the tree walk completely.
+**
+** The return value from this routine is 1 to abandon the tree walk
+** and 0 to continue.
+**
+** NOTICE:  This routine does *not* descend into subqueries.
+*/
+static int walkExprList(ExprList *, int (*)(void *, Expr*), void *);
+static int walkExprTree(Expr *pExpr, int (*xFunc)(void*,Expr*), void *pArg){
+  int rc;
+  if( pExpr==0 ) return 0;
+  rc = (*xFunc)(pArg, pExpr);
+  if( rc==0 ){
+    if( walkExprTree(pExpr->pLeft, xFunc, pArg) ) return 1;
+    if( walkExprTree(pExpr->pRight, xFunc, pArg) ) return 1;
+    if( walkExprList(pExpr->pList, xFunc, pArg) ) return 1;
+  }
+  return rc>1;
+}
+
+/*
+** Call walkExprTree() for every expression in list p.
+*/
+static int walkExprList(ExprList *p, int (*xFunc)(void *, Expr*), void *pArg){
+  int i;
+  struct ExprList_item *pItem;
+  if( !p ) return 0;
+  for(i=p->nExpr, pItem=p->a; i>0; i--, pItem++){
+    if( walkExprTree(pItem->pExpr, xFunc, pArg) ) return 1;
+  }
+  return 0;
+}
+
+/*
+** Call walkExprTree() for every expression in Select p, not including
+** expressions that are part of sub-selects in any FROM clause or the LIMIT
+** or OFFSET expressions..
+*/
+static int walkSelectExpr(Select *p, int (*xFunc)(void *, Expr*), void *pArg){
+  walkExprList(p->pEList, xFunc, pArg);
+  walkExprTree(p->pWhere, xFunc, pArg);
+  walkExprList(p->pGroupBy, xFunc, pArg);
+  walkExprTree(p->pHaving, xFunc, pArg);
+  walkExprList(p->pOrderBy, xFunc, pArg);
+  return 0;
+}
+
+
+/*
+** This routine is designed as an xFunc for walkExprTree().
+**
+** pArg is really a pointer to an integer.  If we can tell by looking
+** at pExpr that the expression that contains pExpr is not a constant
+** expression, then set *pArg to 0 and return 2 to abandon the tree walk.
+** If pExpr does does not disqualify the expression from being a constant
+** then do nothing.
+**
+** After walking the whole tree, if no nodes are found that disqualify
+** the expression as constant, then we assume the whole expression
+** is constant.  See sqlite3ExprIsConstant() for additional information.
+*/
+static int exprNodeIsConstant(void *pArg, Expr *pExpr){
+  switch( pExpr->op ){
+    /* Consider functions to be constant if all their arguments are constant
+    ** and *pArg==2 */
+    case TK_FUNCTION:
+      if( *((int*)pArg)==2 ) return 0;
+      /* Fall through */
+    case TK_ID:
+    case TK_COLUMN:
+    case TK_DOT:
+    case TK_AGG_FUNCTION:
+    case TK_AGG_COLUMN:
+#ifndef SQLITE_OMIT_SUBQUERY
+    case TK_SELECT:
+    case TK_EXISTS:
+#endif
+      *((int*)pArg) = 0;
+      return 2;
+    case TK_IN:
+      if( pExpr->pSelect ){
+        *((int*)pArg) = 0;
+        return 2;
+      }
+    default:
+      return 0;
+  }
+}
+
+/*
+** Walk an expression tree.  Return 1 if the expression is constant
+** and 0 if it involves variables or function calls.
+**
+** For the purposes of this function, a double-quoted string (ex: "abc")
+** is considered a variable but a single-quoted string (ex: 'abc') is
+** a constant.
+*/
+int sqlite3ExprIsConstant(Expr *p){
+  int isConst = 1;
+  walkExprTree(p, exprNodeIsConstant, &isConst);
+  return isConst;
+}
+
+/*
+** Walk an expression tree.  Return 1 if the expression is constant
+** or a function call with constant arguments.  Return and 0 if there
+** are any variables.
+**
+** For the purposes of this function, a double-quoted string (ex: "abc")
+** is considered a variable but a single-quoted string (ex: 'abc') is
+** a constant.
+*/
+int sqlite3ExprIsConstantOrFunction(Expr *p){
+  int isConst = 2;
+  walkExprTree(p, exprNodeIsConstant, &isConst);
+  return isConst!=0;
+}
+
+/*
+** If the expression p codes a constant integer that is small enough
+** to fit in a 32-bit integer, return 1 and put the value of the integer
+** in *pValue.  If the expression is not an integer or if it is too big
+** to fit in a signed 32-bit integer, return 0 and leave *pValue unchanged.
+*/
+int sqlite3ExprIsInteger(Expr *p, int *pValue){
+  switch( p->op ){
+    case TK_INTEGER: {
+      if( sqlite3GetInt32((char*)p->token.z, pValue) ){
+        return 1;
+      }
+      break;
+    }
+    case TK_UPLUS: {
+      return sqlite3ExprIsInteger(p->pLeft, pValue);
+    }
+    case TK_UMINUS: {
+      int v;
+      if( sqlite3ExprIsInteger(p->pLeft, &v) ){
+        *pValue = -v;
+        return 1;
+      }
+      break;
+    }
+    default: break;
+  }
+  return 0;
+}
+
+/*
+** Return TRUE if the given string is a row-id column name.
+*/
+int sqlite3IsRowid(const char *z){
+  if( sqlite3StrICmp(z, "_ROWID_")==0 ) return 1;
+  if( sqlite3StrICmp(z, "ROWID")==0 ) return 1;
+  if( sqlite3StrICmp(z, "OID")==0 ) return 1;
+  return 0;
+}
+
+/*
+** Given the name of a column of the form X.Y.Z or Y.Z or just Z, look up
+** that name in the set of source tables in pSrcList and make the pExpr 
+** expression node refer back to that source column.  The following changes
+** are made to pExpr:
+**
+**    pExpr->iDb           Set the index in db->aDb[] of the database holding
+**                         the table.
+**    pExpr->iTable        Set to the cursor number for the table obtained
+**                         from pSrcList.
+**    pExpr->iColumn       Set to the column number within the table.
+**    pExpr->op            Set to TK_COLUMN.
+**    pExpr->pLeft         Any expression this points to is deleted
+**    pExpr->pRight        Any expression this points to is deleted.
+**
+** The pDbToken is the name of the database (the "X").  This value may be
+** NULL meaning that name is of the form Y.Z or Z.  Any available database
+** can be used.  The pTableToken is the name of the table (the "Y").  This
+** value can be NULL if pDbToken is also NULL.  If pTableToken is NULL it
+** means that the form of the name is Z and that columns from any table
+** can be used.
+**
+** If the name cannot be resolved unambiguously, leave an error message
+** in pParse and return non-zero.  Return zero on success.
+*/
+static int lookupName(
+  Parse *pParse,       /* The parsing context */
+  Token *pDbToken,     /* Name of the database containing table, or NULL */
+  Token *pTableToken,  /* Name of table containing column, or NULL */
+  Token *pColumnToken, /* Name of the column. */
+  NameContext *pNC,    /* The name context used to resolve the name */
+  Expr *pExpr          /* Make this EXPR node point to the selected column */
+){
+  char *zDb = 0;       /* Name of the database.  The "X" in X.Y.Z */
+  char *zTab = 0;      /* Name of the table.  The "Y" in X.Y.Z or Y.Z */
+  char *zCol = 0;      /* Name of the column.  The "Z" */
+  int i, j;            /* Loop counters */
+  int cnt = 0;         /* Number of matching column names */
+  int cntTab = 0;      /* Number of matching table names */
+  sqlite3 *db = pParse->db;  /* The database */
+  struct SrcList_item *pItem;       /* Use for looping over pSrcList items */
+  struct SrcList_item *pMatch = 0;  /* The matching pSrcList item */
+  NameContext *pTopNC = pNC;        /* First namecontext in the list */
+
+  assert( pColumnToken && pColumnToken->z ); /* The Z in X.Y.Z cannot be NULL */
+  zDb = sqlite3NameFromToken(pDbToken);
+  zTab = sqlite3NameFromToken(pTableToken);
+  zCol = sqlite3NameFromToken(pColumnToken);
+  if( sqlite3MallocFailed() ){
+    goto lookupname_end;
+  }
+
+  pExpr->iTable = -1;
+  while( pNC && cnt==0 ){
+    ExprList *pEList;
+    SrcList *pSrcList = pNC->pSrcList;
+
+    if( pSrcList ){
+      for(i=0, pItem=pSrcList->a; i<pSrcList->nSrc; i++, pItem++){
+        Table *pTab;
+        int iDb;
+        Column *pCol;
+  
+        pTab = pItem->pTab;
+        assert( pTab!=0 );
+        iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+        assert( pTab->nCol>0 );
+        if( zTab ){
+          if( pItem->zAlias ){
+            char *zTabName = pItem->zAlias;
+            if( sqlite3StrICmp(zTabName, zTab)!=0 ) continue;
+          }else{
+            char *zTabName = pTab->zName;
+            if( zTabName==0 || sqlite3StrICmp(zTabName, zTab)!=0 ) continue;
+            if( zDb!=0 && sqlite3StrICmp(db->aDb[iDb].zName, zDb)!=0 ){
+              continue;
+            }
+          }
+        }
+        if( 0==(cntTab++) ){
+          pExpr->iTable = pItem->iCursor;
+          pExpr->pSchema = pTab->pSchema;
+          pMatch = pItem;
+        }
+        for(j=0, pCol=pTab->aCol; j<pTab->nCol; j++, pCol++){
+          if( sqlite3StrICmp(pCol->zName, zCol)==0 ){
+            const char *zColl = pTab->aCol[j].zColl;
+            IdList *pUsing;
+            cnt++;
+            pExpr->iTable = pItem->iCursor;
+            pMatch = pItem;
+            pExpr->pSchema = pTab->pSchema;
+            /* Substitute the rowid (column -1) for the INTEGER PRIMARY KEY */
+            pExpr->iColumn = j==pTab->iPKey ? -1 : j;
+            pExpr->affinity = pTab->aCol[j].affinity;
+            if( (pExpr->flags & EP_ExpCollate)==0 ){
+              pExpr->pColl = sqlite3FindCollSeq(db, ENC(db), zColl,-1, 0);
+            }
+            if( i<pSrcList->nSrc-1 ){
+              if( pItem[1].jointype & JT_NATURAL ){
+                /* If this match occurred in the left table of a natural join,
+                ** then skip the right table to avoid a duplicate match */
+                pItem++;
+                i++;
+              }else if( (pUsing = pItem[1].pUsing)!=0 ){
+                /* If this match occurs on a column that is in the USING clause
+                ** of a join, skip the search of the right table of the join
+                ** to avoid a duplicate match there. */
+                int k;
+                for(k=0; k<pUsing->nId; k++){
+                  if( sqlite3StrICmp(pUsing->a[k].zName, zCol)==0 ){
+                    pItem++;
+                    i++;
+                    break;
+                  }
+                }
+              }
+            }
+            break;
+          }
+        }
+      }
+    }
+
+#ifndef SQLITE_OMIT_TRIGGER
+    /* If we have not already resolved the name, then maybe 
+    ** it is a new.* or old.* trigger argument reference
+    */
+    if( zDb==0 && zTab!=0 && cnt==0 && pParse->trigStack!=0 ){
+      TriggerStack *pTriggerStack = pParse->trigStack;
+      Table *pTab = 0;
+      if( pTriggerStack->newIdx != -1 && sqlite3StrICmp("new", zTab) == 0 ){
+        pExpr->iTable = pTriggerStack->newIdx;
+        assert( pTriggerStack->pTab );
+        pTab = pTriggerStack->pTab;
+      }else if( pTriggerStack->oldIdx != -1 && sqlite3StrICmp("old", zTab)==0 ){
+        pExpr->iTable = pTriggerStack->oldIdx;
+        assert( pTriggerStack->pTab );
+        pTab = pTriggerStack->pTab;
+      }
+
+      if( pTab ){ 
+        int iCol;
+        Column *pCol = pTab->aCol;
+
+        pExpr->pSchema = pTab->pSchema;
+        cntTab++;
+        for(iCol=0; iCol < pTab->nCol; iCol++, pCol++) {
+          if( sqlite3StrICmp(pCol->zName, zCol)==0 ){
+            const char *zColl = pTab->aCol[iCol].zColl;
+            cnt++;
+            pExpr->iColumn = iCol==pTab->iPKey ? -1 : iCol;
+            pExpr->affinity = pTab->aCol[iCol].affinity;
+            if( (pExpr->flags & EP_ExpCollate)==0 ){
+              pExpr->pColl = sqlite3FindCollSeq(db, ENC(db), zColl,-1, 0);
+            }
+            pExpr->pTab = pTab;
+            break;
+          }
+        }
+      }
+    }
+#endif /* !defined(SQLITE_OMIT_TRIGGER) */
+
+    /*
+    ** Perhaps the name is a reference to the ROWID
+    */
+    if( cnt==0 && cntTab==1 && sqlite3IsRowid(zCol) ){
+      cnt = 1;
+      pExpr->iColumn = -1;
+      pExpr->affinity = SQLITE_AFF_INTEGER;
+    }
+
+    /*
+    ** If the input is of the form Z (not Y.Z or X.Y.Z) then the name Z
+    ** might refer to an result-set alias.  This happens, for example, when
+    ** we are resolving names in the WHERE clause of the following command:
+    **
+    **     SELECT a+b AS x FROM table WHERE x<10;
+    **
+    ** In cases like this, replace pExpr with a copy of the expression that
+    ** forms the result set entry ("a+b" in the example) and return immediately.
+    ** Note that the expression in the result set should have already been
+    ** resolved by the time the WHERE clause is resolved.
+    */
+    if( cnt==0 && (pEList = pNC->pEList)!=0 && zTab==0 ){
+      for(j=0; j<pEList->nExpr; j++){
+        char *zAs = pEList->a[j].zName;
+        if( zAs!=0 && sqlite3StrICmp(zAs, zCol)==0 ){
+          assert( pExpr->pLeft==0 && pExpr->pRight==0 );
+          pExpr->op = TK_AS;
+          pExpr->iColumn = j;
+          pExpr->pLeft = sqlite3ExprDup(pEList->a[j].pExpr);
+          cnt = 1;
+          assert( zTab==0 && zDb==0 );
+          goto lookupname_end_2;
+        }
+      } 
+    }
+
+    /* Advance to the next name context.  The loop will exit when either
+    ** we have a match (cnt>0) or when we run out of name contexts.
+    */
+    if( cnt==0 ){
+      pNC = pNC->pNext;
+    }
+  }
+
+  /*
+  ** If X and Y are NULL (in other words if only the column name Z is
+  ** supplied) and the value of Z is enclosed in double-quotes, then
+  ** Z is a string literal if it doesn't match any column names.  In that
+  ** case, we need to return right away and not make any changes to
+  ** pExpr.
+  **
+  ** Because no reference was made to outer contexts, the pNC->nRef
+  ** fields are not changed in any context.
+  */
+  if( cnt==0 && zTab==0 && pColumnToken->z[0]=='"' ){
+    sqliteFree(zCol);
+    return 0;
+  }
+
+  /*
+  ** cnt==0 means there was not match.  cnt>1 means there were two or
+  ** more matches.  Either way, we have an error.
+  */
+  if( cnt!=1 ){
+    char *z = 0;
+    char *zErr;
+    zErr = cnt==0 ? "no such column: %s" : "ambiguous column name: %s";
+    if( zDb ){
+      sqlite3SetString(&z, zDb, ".", zTab, ".", zCol, (char*)0);
+    }else if( zTab ){
+      sqlite3SetString(&z, zTab, ".", zCol, (char*)0);
+    }else{
+      z = sqliteStrDup(zCol);
+    }
+    sqlite3ErrorMsg(pParse, zErr, z);
+    sqliteFree(z);
+    pTopNC->nErr++;
+  }
+
+  /* If a column from a table in pSrcList is referenced, then record
+  ** this fact in the pSrcList.a[].colUsed bitmask.  Column 0 causes
+  ** bit 0 to be set.  Column 1 sets bit 1.  And so forth.  If the
+  ** column number is greater than the number of bits in the bitmask
+  ** then set the high-order bit of the bitmask.
+  */
+  if( pExpr->iColumn>=0 && pMatch!=0 ){
+    int n = pExpr->iColumn;
+    if( n>=sizeof(Bitmask)*8 ){
+      n = sizeof(Bitmask)*8-1;
+    }
+    assert( pMatch->iCursor==pExpr->iTable );
+    pMatch->colUsed |= ((Bitmask)1)<<n;
+  }
+
+lookupname_end:
+  /* Clean up and return
+  */
+  sqliteFree(zDb);
+  sqliteFree(zTab);
+  sqlite3ExprDelete(pExpr->pLeft);
+  pExpr->pLeft = 0;
+  sqlite3ExprDelete(pExpr->pRight);
+  pExpr->pRight = 0;
+  pExpr->op = TK_COLUMN;
+lookupname_end_2:
+  sqliteFree(zCol);
+  if( cnt==1 ){
+    assert( pNC!=0 );
+    sqlite3AuthRead(pParse, pExpr, pNC->pSrcList);
+    if( pMatch && !pMatch->pSelect ){
+      pExpr->pTab = pMatch->pTab;
+    }
+    /* Increment the nRef value on all name contexts from TopNC up to
+    ** the point where the name matched. */
+    for(;;){
+      assert( pTopNC!=0 );
+      pTopNC->nRef++;
+      if( pTopNC==pNC ) break;
+      pTopNC = pTopNC->pNext;
+    }
+    return 0;
+  } else {
+    return 1;
+  }
+}
+
+/*
+** This routine is designed as an xFunc for walkExprTree().
+**
+** Resolve symbolic names into TK_COLUMN operators for the current
+** node in the expression tree.  Return 0 to continue the search down
+** the tree or 2 to abort the tree walk.
+**
+** This routine also does error checking and name resolution for
+** function names.  The operator for aggregate functions is changed
+** to TK_AGG_FUNCTION.
+*/
+static int nameResolverStep(void *pArg, Expr *pExpr){
+  NameContext *pNC = (NameContext*)pArg;
+  Parse *pParse;
+
+  if( pExpr==0 ) return 1;
+  assert( pNC!=0 );
+  pParse = pNC->pParse;
+
+  if( ExprHasAnyProperty(pExpr, EP_Resolved) ) return 1;
+  ExprSetProperty(pExpr, EP_Resolved);
+#ifndef NDEBUG
+  if( pNC->pSrcList && pNC->pSrcList->nAlloc>0 ){
+    SrcList *pSrcList = pNC->pSrcList;
+    int i;
+    for(i=0; i<pNC->pSrcList->nSrc; i++){
+      assert( pSrcList->a[i].iCursor>=0 && pSrcList->a[i].iCursor<pParse->nTab);
+    }
+  }
+#endif
+  switch( pExpr->op ){
+    /* Double-quoted strings (ex: "abc") are used as identifiers if
+    ** possible.  Otherwise they remain as strings.  Single-quoted
+    ** strings (ex: 'abc') are always string literals.
+    */
+    case TK_STRING: {
+      if( pExpr->token.z[0]=='\'' ) break;
+      /* Fall thru into the TK_ID case if this is a double-quoted string */
+    }
+    /* A lone identifier is the name of a column.
+    */
+    case TK_ID: {
+      lookupName(pParse, 0, 0, &pExpr->token, pNC, pExpr);
+      return 1;
+    }
+  
+    /* A table name and column name:     ID.ID
+    ** Or a database, table and column:  ID.ID.ID
+    */
+    case TK_DOT: {
+      Token *pColumn;
+      Token *pTable;
+      Token *pDb;
+      Expr *pRight;
+
+      /* if( pSrcList==0 ) break; */
+      pRight = pExpr->pRight;
+      if( pRight->op==TK_ID ){
+        pDb = 0;
+        pTable = &pExpr->pLeft->token;
+        pColumn = &pRight->token;
+      }else{
+        assert( pRight->op==TK_DOT );
+        pDb = &pExpr->pLeft->token;
+        pTable = &pRight->pLeft->token;
+        pColumn = &pRight->pRight->token;
+      }
+      lookupName(pParse, pDb, pTable, pColumn, pNC, pExpr);
+      return 1;
+    }
+
+    /* Resolve function names
+    */
+    case TK_CONST_FUNC:
+    case TK_FUNCTION: {
+      ExprList *pList = pExpr->pList;    /* The argument list */
+      int n = pList ? pList->nExpr : 0;  /* Number of arguments */
+      int no_such_func = 0;       /* True if no such function exists */
+      int wrong_num_args = 0;     /* True if wrong number of arguments */
+      int is_agg = 0;             /* True if is an aggregate function */
+      int i;
+      int auth;                   /* Authorization to use the function */
+      int nId;                    /* Number of characters in function name */
+      const char *zId;            /* The function name. */
+      FuncDef *pDef;              /* Information about the function */
+      int enc = ENC(pParse->db);  /* The database encoding */
+
+      zId = (char*)pExpr->token.z;
+      nId = pExpr->token.n;
+      pDef = sqlite3FindFunction(pParse->db, zId, nId, n, enc, 0);
+      if( pDef==0 ){
+        pDef = sqlite3FindFunction(pParse->db, zId, nId, -1, enc, 0);
+        if( pDef==0 ){
+          no_such_func = 1;
+        }else{
+          wrong_num_args = 1;
+        }
+      }else{
+        is_agg = pDef->xFunc==0;
+      }
+#ifndef SQLITE_OMIT_AUTHORIZATION
+      if( pDef ){
+        auth = sqlite3AuthCheck(pParse, SQLITE_FUNCTION, 0, pDef->zName, 0);
+        if( auth!=SQLITE_OK ){
+          if( auth==SQLITE_DENY ){
+            sqlite3ErrorMsg(pParse, "not authorized to use function: %s",
+                                    pDef->zName);
+            pNC->nErr++;
+          }
+          pExpr->op = TK_NULL;
+          return 1;
+        }
+      }
+#endif
+      if( is_agg && !pNC->allowAgg ){
+        sqlite3ErrorMsg(pParse, "misuse of aggregate function %.*s()", nId,zId);
+        pNC->nErr++;
+        is_agg = 0;
+      }else if( no_such_func ){
+        sqlite3ErrorMsg(pParse, "no such function: %.*s", nId, zId);
+        pNC->nErr++;
+      }else if( wrong_num_args ){
+        sqlite3ErrorMsg(pParse,"wrong number of arguments to function %.*s()",
+             nId, zId);
+        pNC->nErr++;
+      }
+      if( is_agg ){
+        pExpr->op = TK_AGG_FUNCTION;
+        pNC->hasAgg = 1;
+      }
+      if( is_agg ) pNC->allowAgg = 0;
+      for(i=0; pNC->nErr==0 && i<n; i++){
+        walkExprTree(pList->a[i].pExpr, nameResolverStep, pNC);
+      }
+      if( is_agg ) pNC->allowAgg = 1;
+      /* FIX ME:  Compute pExpr->affinity based on the expected return
+      ** type of the function 
+      */
+      return is_agg;
+    }
+#ifndef SQLITE_OMIT_SUBQUERY
+    case TK_SELECT:
+    case TK_EXISTS:
+#endif
+    case TK_IN: {
+      if( pExpr->pSelect ){
+        int nRef = pNC->nRef;
+#ifndef SQLITE_OMIT_CHECK
+        if( pNC->isCheck ){
+          sqlite3ErrorMsg(pParse,"subqueries prohibited in CHECK constraints");
+        }
+#endif
+        sqlite3SelectResolve(pParse, pExpr->pSelect, pNC);
+        assert( pNC->nRef>=nRef );
+        if( nRef!=pNC->nRef ){
+          ExprSetProperty(pExpr, EP_VarSelect);
+        }
+      }
+      break;
+    }
+#ifndef SQLITE_OMIT_CHECK
+    case TK_VARIABLE: {
+      if( pNC->isCheck ){
+        sqlite3ErrorMsg(pParse,"parameters prohibited in CHECK constraints");
+      }
+      break;
+    }
+#endif
+  }
+  return 0;
+}
+
+/*
+** This routine walks an expression tree and resolves references to
+** table columns.  Nodes of the form ID.ID or ID resolve into an
+** index to the table in the table list and a column offset.  The 
+** Expr.opcode for such nodes is changed to TK_COLUMN.  The Expr.iTable
+** value is changed to the index of the referenced table in pTabList
+** plus the "base" value.  The base value will ultimately become the
+** VDBE cursor number for a cursor that is pointing into the referenced
+** table.  The Expr.iColumn value is changed to the index of the column 
+** of the referenced table.  The Expr.iColumn value for the special
+** ROWID column is -1.  Any INTEGER PRIMARY KEY column is tried as an
+** alias for ROWID.
+**
+** Also resolve function names and check the functions for proper
+** usage.  Make sure all function names are recognized and all functions
+** have the correct number of arguments.  Leave an error message
+** in pParse->zErrMsg if anything is amiss.  Return the number of errors.
+**
+** If the expression contains aggregate functions then set the EP_Agg
+** property on the expression.
+*/
+int sqlite3ExprResolveNames(
+  NameContext *pNC,       /* Namespace to resolve expressions in. */
+  Expr *pExpr             /* The expression to be analyzed. */
+){
+  int savedHasAgg;
+  if( pExpr==0 ) return 0;
+  savedHasAgg = pNC->hasAgg;
+  pNC->hasAgg = 0;
+  walkExprTree(pExpr, nameResolverStep, pNC);
+  if( pNC->nErr>0 ){
+    ExprSetProperty(pExpr, EP_Error);
+  }
+  if( pNC->hasAgg ){
+    ExprSetProperty(pExpr, EP_Agg);
+  }else if( savedHasAgg ){
+    pNC->hasAgg = 1;
+  }
+  return ExprHasProperty(pExpr, EP_Error);
+}
+
+/*
+** A pointer instance of this structure is used to pass information
+** through walkExprTree into codeSubqueryStep().
+*/
+typedef struct QueryCoder QueryCoder;
+struct QueryCoder {
+  Parse *pParse;       /* The parsing context */
+  NameContext *pNC;    /* Namespace of first enclosing query */
+};
+
+
+/*
+** Generate code for scalar subqueries used as an expression
+** and IN operators.  Examples:
+**
+**     (SELECT a FROM b)          -- subquery
+**     EXISTS (SELECT a FROM b)   -- EXISTS subquery
+**     x IN (4,5,11)              -- IN operator with list on right-hand side
+**     x IN (SELECT a FROM b)     -- IN operator with subquery on the right
+**
+** The pExpr parameter describes the expression that contains the IN
+** operator or subquery.
+*/
+#ifndef SQLITE_OMIT_SUBQUERY
+void sqlite3CodeSubselect(Parse *pParse, Expr *pExpr){
+  int testAddr = 0;                       /* One-time test address */
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return;
+
+  /* This code must be run in its entirety every time it is encountered
+  ** if any of the following is true:
+  **
+  **    *  The right-hand side is a correlated subquery
+  **    *  The right-hand side is an expression list containing variables
+  **    *  We are inside a trigger
+  **
+  ** If all of the above are false, then we can run this code just once
+  ** save the results, and reuse the same result on subsequent invocations.
+  */
+  if( !ExprHasAnyProperty(pExpr, EP_VarSelect) && !pParse->trigStack ){
+    int mem = pParse->nMem++;
+    sqlite3VdbeAddOp(v, OP_MemLoad, mem, 0);
+    testAddr = sqlite3VdbeAddOp(v, OP_If, 0, 0);
+    assert( testAddr>0 || sqlite3MallocFailed() );
+    sqlite3VdbeAddOp(v, OP_MemInt, 1, mem);
+  }
+
+  switch( pExpr->op ){
+    case TK_IN: {
+      char affinity;
+      KeyInfo keyInfo;
+      int addr;        /* Address of OP_OpenEphemeral instruction */
+
+      affinity = sqlite3ExprAffinity(pExpr->pLeft);
+
+      /* Whether this is an 'x IN(SELECT...)' or an 'x IN(<exprlist>)'
+      ** expression it is handled the same way. A virtual table is 
+      ** filled with single-field index keys representing the results
+      ** from the SELECT or the <exprlist>.
+      **
+      ** If the 'x' expression is a column value, or the SELECT...
+      ** statement returns a column value, then the affinity of that
+      ** column is used to build the index keys. If both 'x' and the
+      ** SELECT... statement are columns, then numeric affinity is used
+      ** if either column has NUMERIC or INTEGER affinity. If neither
+      ** 'x' nor the SELECT... statement are columns, then numeric affinity
+      ** is used.
+      */
+      pExpr->iTable = pParse->nTab++;
+      addr = sqlite3VdbeAddOp(v, OP_OpenEphemeral, pExpr->iTable, 0);
+      memset(&keyInfo, 0, sizeof(keyInfo));
+      keyInfo.nField = 1;
+      sqlite3VdbeAddOp(v, OP_SetNumColumns, pExpr->iTable, 1);
+
+      if( pExpr->pSelect ){
+        /* Case 1:     expr IN (SELECT ...)
+        **
+        ** Generate code to write the results of the select into the temporary
+        ** table allocated and opened above.
+        */
+        int iParm = pExpr->iTable +  (((int)affinity)<<16);
+        ExprList *pEList;
+        assert( (pExpr->iTable&0x0000FFFF)==pExpr->iTable );
+        if( sqlite3Select(pParse, pExpr->pSelect, SRT_Set, iParm, 0, 0, 0, 0) ){
+          return;
+        }
+        pEList = pExpr->pSelect->pEList;
+        if( pEList && pEList->nExpr>0 ){ 
+          keyInfo.aColl[0] = binaryCompareCollSeq(pParse, pExpr->pLeft,
+              pEList->a[0].pExpr);
+        }
+      }else if( pExpr->pList ){
+        /* Case 2:     expr IN (exprlist)
+        **
+	** For each expression, build an index key from the evaluation and
+        ** store it in the temporary table. If <expr> is a column, then use
+        ** that columns affinity when building index keys. If <expr> is not
+        ** a column, use numeric affinity.
+        */
+        int i;
+        ExprList *pList = pExpr->pList;
+        struct ExprList_item *pItem;
+
+        if( !affinity ){
+          affinity = SQLITE_AFF_NONE;
+        }
+        keyInfo.aColl[0] = pExpr->pLeft->pColl;
+
+        /* Loop through each expression in <exprlist>. */
+        for(i=pList->nExpr, pItem=pList->a; i>0; i--, pItem++){
+          Expr *pE2 = pItem->pExpr;
+
+          /* If the expression is not constant then we will need to
+          ** disable the test that was generated above that makes sure
+          ** this code only executes once.  Because for a non-constant
+          ** expression we need to rerun this code each time.
+          */
+          if( testAddr>0 && !sqlite3ExprIsConstant(pE2) ){
+            sqlite3VdbeChangeToNoop(v, testAddr-1, 3);
+            testAddr = 0;
+          }
+
+          /* Evaluate the expression and insert it into the temp table */
+          sqlite3ExprCode(pParse, pE2);
+          sqlite3VdbeOp3(v, OP_MakeRecord, 1, 0, &affinity, 1);
+          sqlite3VdbeAddOp(v, OP_IdxInsert, pExpr->iTable, 0);
+        }
+      }
+      sqlite3VdbeChangeP3(v, addr, (void *)&keyInfo, P3_KEYINFO);
+      break;
+    }
+
+    case TK_EXISTS:
+    case TK_SELECT: {
+      /* This has to be a scalar SELECT.  Generate code to put the
+      ** value of this select in a memory cell and record the number
+      ** of the memory cell in iColumn.
+      */
+      static const Token one = { (u8*)"1", 0, 1 };
+      Select *pSel;
+      int iMem;
+      int sop;
+
+      pExpr->iColumn = iMem = pParse->nMem++;
+      pSel = pExpr->pSelect;
+      if( pExpr->op==TK_SELECT ){
+        sop = SRT_Mem;
+        sqlite3VdbeAddOp(v, OP_MemNull, iMem, 0);
+        VdbeComment((v, "# Init subquery result"));
+      }else{
+        sop = SRT_Exists;
+        sqlite3VdbeAddOp(v, OP_MemInt, 0, iMem);
+        VdbeComment((v, "# Init EXISTS result"));
+      }
+      sqlite3ExprDelete(pSel->pLimit);
+      pSel->pLimit = sqlite3Expr(TK_INTEGER, 0, 0, &one);
+      if( sqlite3Select(pParse, pSel, sop, iMem, 0, 0, 0, 0) ){
+        return;
+      }
+      break;
+    }
+  }
+
+  if( testAddr ){
+    sqlite3VdbeJumpHere(v, testAddr);
+  }
+  return;
+}
+#endif /* SQLITE_OMIT_SUBQUERY */
+
+/*
+** Generate an instruction that will put the integer describe by
+** text z[0..n-1] on the stack.
+*/
+static void codeInteger(Vdbe *v, const char *z, int n){
+  int i;
+  if( sqlite3GetInt32(z, &i) ){
+    sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+  }else if( sqlite3FitsIn64Bits(z) ){
+    sqlite3VdbeOp3(v, OP_Int64, 0, 0, z, n);
+  }else{
+    sqlite3VdbeOp3(v, OP_Real, 0, 0, z, n);
+  }
+}
+
+
+/*
+** Generate code that will extract the iColumn-th column from
+** table pTab and push that column value on the stack.  There
+** is an open cursor to pTab in iTable.  If iColumn<0 then
+** code is generated that extracts the rowid.
+*/
+void sqlite3ExprCodeGetColumn(Vdbe *v, Table *pTab, int iColumn, int iTable){
+  if( iColumn<0 ){
+    int op = (pTab && IsVirtual(pTab)) ? OP_VRowid : OP_Rowid;
+    sqlite3VdbeAddOp(v, op, iTable, 0);
+  }else if( pTab==0 ){
+    sqlite3VdbeAddOp(v, OP_Column, iTable, iColumn);
+  }else{
+    int op = IsVirtual(pTab) ? OP_VColumn : OP_Column;
+    sqlite3VdbeAddOp(v, op, iTable, iColumn);
+    sqlite3ColumnDefault(v, pTab, iColumn);
+#ifndef SQLITE_OMIT_FLOATING_POINT
+    if( pTab->aCol[iColumn].affinity==SQLITE_AFF_REAL ){
+      sqlite3VdbeAddOp(v, OP_RealAffinity, 0, 0);
+    }
+#endif
+  }
+}
+
+/*
+** Generate code into the current Vdbe to evaluate the given
+** expression and leave the result on the top of stack.
+**
+** This code depends on the fact that certain token values (ex: TK_EQ)
+** are the same as opcode values (ex: OP_Eq) that implement the corresponding
+** operation.  Special comments in vdbe.c and the mkopcodeh.awk script in
+** the make process cause these values to align.  Assert()s in the code
+** below verify that the numbers are aligned correctly.
+*/
+void sqlite3ExprCode(Parse *pParse, Expr *pExpr){
+  Vdbe *v = pParse->pVdbe;
+  int op;
+  int stackChng = 1;    /* Amount of change to stack depth */
+
+  if( v==0 ) return;
+  if( pExpr==0 ){
+    sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+    return;
+  }
+  op = pExpr->op;
+  switch( op ){
+    case TK_AGG_COLUMN: {
+      AggInfo *pAggInfo = pExpr->pAggInfo;
+      struct AggInfo_col *pCol = &pAggInfo->aCol[pExpr->iAgg];
+      if( !pAggInfo->directMode ){
+        sqlite3VdbeAddOp(v, OP_MemLoad, pCol->iMem, 0);
+        break;
+      }else if( pAggInfo->useSortingIdx ){
+        sqlite3VdbeAddOp(v, OP_Column, pAggInfo->sortingIdx,
+                              pCol->iSorterColumn);
+        break;
+      }
+      /* Otherwise, fall thru into the TK_COLUMN case */
+    }
+    case TK_COLUMN: {
+      if( pExpr->iTable<0 ){
+        /* This only happens when coding check constraints */
+        assert( pParse->ckOffset>0 );
+        sqlite3VdbeAddOp(v, OP_Dup, pParse->ckOffset-pExpr->iColumn-1, 1);
+      }else{
+        sqlite3ExprCodeGetColumn(v, pExpr->pTab, pExpr->iColumn, pExpr->iTable);
+      }
+      break;
+    }
+    case TK_INTEGER: {
+      codeInteger(v, (char*)pExpr->token.z, pExpr->token.n);
+      break;
+    }
+    case TK_FLOAT:
+    case TK_STRING: {
+      assert( TK_FLOAT==OP_Real );
+      assert( TK_STRING==OP_String8 );
+      sqlite3DequoteExpr(pExpr);
+      sqlite3VdbeOp3(v, op, 0, 0, (char*)pExpr->token.z, pExpr->token.n);
+      break;
+    }
+    case TK_NULL: {
+      sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+      break;
+    }
+#ifndef SQLITE_OMIT_BLOB_LITERAL
+    case TK_BLOB: {
+      int n;
+      const char *z;
+      assert( TK_BLOB==OP_HexBlob );
+      n = pExpr->token.n - 3;
+      z = (char*)pExpr->token.z + 2;
+      assert( n>=0 );
+      if( n==0 ){
+        z = "";
+      }
+      sqlite3VdbeOp3(v, op, 0, 0, z, n);
+      break;
+    }
+#endif
+    case TK_VARIABLE: {
+      sqlite3VdbeAddOp(v, OP_Variable, pExpr->iTable, 0);
+      if( pExpr->token.n>1 ){
+        sqlite3VdbeChangeP3(v, -1, (char*)pExpr->token.z, pExpr->token.n);
+      }
+      break;
+    }
+    case TK_REGISTER: {
+      sqlite3VdbeAddOp(v, OP_MemLoad, pExpr->iTable, 0);
+      break;
+    }
+#ifndef SQLITE_OMIT_CAST
+    case TK_CAST: {
+      /* Expressions of the form:   CAST(pLeft AS token) */
+      int aff, to_op;
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      aff = sqlite3AffinityType(&pExpr->token);
+      to_op = aff - SQLITE_AFF_TEXT + OP_ToText;
+      assert( to_op==OP_ToText    || aff!=SQLITE_AFF_TEXT    );
+      assert( to_op==OP_ToBlob    || aff!=SQLITE_AFF_NONE    );
+      assert( to_op==OP_ToNumeric || aff!=SQLITE_AFF_NUMERIC );
+      assert( to_op==OP_ToInt     || aff!=SQLITE_AFF_INTEGER );
+      assert( to_op==OP_ToReal    || aff!=SQLITE_AFF_REAL    );
+      sqlite3VdbeAddOp(v, to_op, 0, 0);
+      stackChng = 0;
+      break;
+    }
+#endif /* SQLITE_OMIT_CAST */
+    case TK_LT:
+    case TK_LE:
+    case TK_GT:
+    case TK_GE:
+    case TK_NE:
+    case TK_EQ: {
+      assert( TK_LT==OP_Lt );
+      assert( TK_LE==OP_Le );
+      assert( TK_GT==OP_Gt );
+      assert( TK_GE==OP_Ge );
+      assert( TK_EQ==OP_Eq );
+      assert( TK_NE==OP_Ne );
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3ExprCode(pParse, pExpr->pRight);
+      codeCompare(pParse, pExpr->pLeft, pExpr->pRight, op, 0, 0);
+      stackChng = -1;
+      break;
+    }
+    case TK_AND:
+    case TK_OR:
+    case TK_PLUS:
+    case TK_STAR:
+    case TK_MINUS:
+    case TK_REM:
+    case TK_BITAND:
+    case TK_BITOR:
+    case TK_SLASH:
+    case TK_LSHIFT:
+    case TK_RSHIFT: 
+    case TK_CONCAT: {
+      assert( TK_AND==OP_And );
+      assert( TK_OR==OP_Or );
+      assert( TK_PLUS==OP_Add );
+      assert( TK_MINUS==OP_Subtract );
+      assert( TK_REM==OP_Remainder );
+      assert( TK_BITAND==OP_BitAnd );
+      assert( TK_BITOR==OP_BitOr );
+      assert( TK_SLASH==OP_Divide );
+      assert( TK_LSHIFT==OP_ShiftLeft );
+      assert( TK_RSHIFT==OP_ShiftRight );
+      assert( TK_CONCAT==OP_Concat );
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3ExprCode(pParse, pExpr->pRight);
+      sqlite3VdbeAddOp(v, op, 0, 0);
+      stackChng = -1;
+      break;
+    }
+    case TK_UMINUS: {
+      Expr *pLeft = pExpr->pLeft;
+      assert( pLeft );
+      if( pLeft->op==TK_FLOAT || pLeft->op==TK_INTEGER ){
+        Token *p = &pLeft->token;
+        char *z = sqlite3MPrintf("-%.*s", p->n, p->z);
+        if( pLeft->op==TK_FLOAT ){
+          sqlite3VdbeOp3(v, OP_Real, 0, 0, z, p->n+1);
+        }else{
+          codeInteger(v, z, p->n+1);
+        }
+        sqliteFree(z);
+        break;
+      }
+      /* Fall through into TK_NOT */
+    }
+    case TK_BITNOT:
+    case TK_NOT: {
+      assert( TK_BITNOT==OP_BitNot );
+      assert( TK_NOT==OP_Not );
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3VdbeAddOp(v, op, 0, 0);
+      stackChng = 0;
+      break;
+    }
+    case TK_ISNULL:
+    case TK_NOTNULL: {
+      int dest;
+      assert( TK_ISNULL==OP_IsNull );
+      assert( TK_NOTNULL==OP_NotNull );
+      sqlite3VdbeAddOp(v, OP_Integer, 1, 0);
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      dest = sqlite3VdbeCurrentAddr(v) + 2;
+      sqlite3VdbeAddOp(v, op, 1, dest);
+      sqlite3VdbeAddOp(v, OP_AddImm, -1, 0);
+      stackChng = 0;
+      break;
+    }
+    case TK_AGG_FUNCTION: {
+      AggInfo *pInfo = pExpr->pAggInfo;
+      if( pInfo==0 ){
+        sqlite3ErrorMsg(pParse, "misuse of aggregate: %T",
+            &pExpr->span);
+      }else{
+        sqlite3VdbeAddOp(v, OP_MemLoad, pInfo->aFunc[pExpr->iAgg].iMem, 0);
+      }
+      break;
+    }
+    case TK_CONST_FUNC:
+    case TK_FUNCTION: {
+      ExprList *pList = pExpr->pList;
+      int nExpr = pList ? pList->nExpr : 0;
+      FuncDef *pDef;
+      int nId;
+      const char *zId;
+      int constMask = 0;
+      int i;
+      u8 enc = ENC(pParse->db);
+      CollSeq *pColl = 0;
+      zId = (char*)pExpr->token.z;
+      nId = pExpr->token.n;
+      pDef = sqlite3FindFunction(pParse->db, zId, nId, nExpr, enc, 0);
+      assert( pDef!=0 );
+      nExpr = sqlite3ExprCodeExprList(pParse, pList);
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      /* Possibly overload the function if the first argument is
+      ** a virtual table column.
+      **
+      ** For infix functions (LIKE, GLOB, REGEXP, and MATCH) use the
+      ** second argument, not the first, as the argument to test to
+      ** see if it is a column in a virtual table.  This is done because
+      ** the left operand of infix functions (the operand we want to
+      ** control overloading) ends up as the second argument to the
+      ** function.  The expression "A glob B" is equivalent to 
+      ** "glob(B,A).  We want to use the A in "A glob B" to test
+      ** for function overloading.  But we use the B term in "glob(B,A)".
+      */
+      if( nExpr>=2 && (pExpr->flags & EP_InfixFunc) ){
+        pDef = sqlite3VtabOverloadFunction(pDef, nExpr, pList->a[1].pExpr);
+      }else if( nExpr>0 ){
+        pDef = sqlite3VtabOverloadFunction(pDef, nExpr, pList->a[0].pExpr);
+      }
+#endif
+      for(i=0; i<nExpr && i<32; i++){
+        if( sqlite3ExprIsConstant(pList->a[i].pExpr) ){
+          constMask |= (1<<i);
+        }
+        if( pDef->needCollSeq && !pColl ){
+          pColl = sqlite3ExprCollSeq(pParse, pList->a[i].pExpr);
+        }
+      }
+      if( pDef->needCollSeq ){
+        if( !pColl ) pColl = pParse->db->pDfltColl; 
+        sqlite3VdbeOp3(v, OP_CollSeq, 0, 0, (char *)pColl, P3_COLLSEQ);
+      }
+      sqlite3VdbeOp3(v, OP_Function, constMask, nExpr, (char*)pDef, P3_FUNCDEF);
+      stackChng = 1-nExpr;
+      break;
+    }
+#ifndef SQLITE_OMIT_SUBQUERY
+    case TK_EXISTS:
+    case TK_SELECT: {
+      if( pExpr->iColumn==0 ){
+        sqlite3CodeSubselect(pParse, pExpr);
+      }
+      sqlite3VdbeAddOp(v, OP_MemLoad, pExpr->iColumn, 0);
+      VdbeComment((v, "# load subquery result"));
+      break;
+    }
+    case TK_IN: {
+      int addr;
+      char affinity;
+      int ckOffset = pParse->ckOffset;
+      sqlite3CodeSubselect(pParse, pExpr);
+
+      /* Figure out the affinity to use to create a key from the results
+      ** of the expression. affinityStr stores a static string suitable for
+      ** P3 of OP_MakeRecord.
+      */
+      affinity = comparisonAffinity(pExpr);
+
+      sqlite3VdbeAddOp(v, OP_Integer, 1, 0);
+      pParse->ckOffset = ckOffset+1;
+
+      /* Code the <expr> from "<expr> IN (...)". The temporary table
+      ** pExpr->iTable contains the values that make up the (...) set.
+      */
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      addr = sqlite3VdbeCurrentAddr(v);
+      sqlite3VdbeAddOp(v, OP_NotNull, -1, addr+4);            /* addr + 0 */
+      sqlite3VdbeAddOp(v, OP_Pop, 2, 0);
+      sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, addr+7);
+      sqlite3VdbeOp3(v, OP_MakeRecord, 1, 0, &affinity, 1);   /* addr + 4 */
+      sqlite3VdbeAddOp(v, OP_Found, pExpr->iTable, addr+7);
+      sqlite3VdbeAddOp(v, OP_AddImm, -1, 0);                  /* addr + 6 */
+
+      break;
+    }
+#endif
+    case TK_BETWEEN: {
+      Expr *pLeft = pExpr->pLeft;
+      struct ExprList_item *pLItem = pExpr->pList->a;
+      Expr *pRight = pLItem->pExpr;
+      sqlite3ExprCode(pParse, pLeft);
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      sqlite3ExprCode(pParse, pRight);
+      codeCompare(pParse, pLeft, pRight, OP_Ge, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+      pLItem++;
+      pRight = pLItem->pExpr;
+      sqlite3ExprCode(pParse, pRight);
+      codeCompare(pParse, pLeft, pRight, OP_Le, 0, 0);
+      sqlite3VdbeAddOp(v, OP_And, 0, 0);
+      break;
+    }
+    case TK_UPLUS:
+    case TK_AS: {
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      stackChng = 0;
+      break;
+    }
+    case TK_CASE: {
+      int expr_end_label;
+      int jumpInst;
+      int nExpr;
+      int i;
+      ExprList *pEList;
+      struct ExprList_item *aListelem;
+
+      assert(pExpr->pList);
+      assert((pExpr->pList->nExpr % 2) == 0);
+      assert(pExpr->pList->nExpr > 0);
+      pEList = pExpr->pList;
+      aListelem = pEList->a;
+      nExpr = pEList->nExpr;
+      expr_end_label = sqlite3VdbeMakeLabel(v);
+      if( pExpr->pLeft ){
+        sqlite3ExprCode(pParse, pExpr->pLeft);
+      }
+      for(i=0; i<nExpr; i=i+2){
+        sqlite3ExprCode(pParse, aListelem[i].pExpr);
+        if( pExpr->pLeft ){
+          sqlite3VdbeAddOp(v, OP_Dup, 1, 1);
+          jumpInst = codeCompare(pParse, pExpr->pLeft, aListelem[i].pExpr,
+                                 OP_Ne, 0, 1);
+          sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+        }else{
+          jumpInst = sqlite3VdbeAddOp(v, OP_IfNot, 1, 0);
+        }
+        sqlite3ExprCode(pParse, aListelem[i+1].pExpr);
+        sqlite3VdbeAddOp(v, OP_Goto, 0, expr_end_label);
+        sqlite3VdbeJumpHere(v, jumpInst);
+      }
+      if( pExpr->pLeft ){
+        sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      }
+      if( pExpr->pRight ){
+        sqlite3ExprCode(pParse, pExpr->pRight);
+      }else{
+        sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+      }
+      sqlite3VdbeResolveLabel(v, expr_end_label);
+      break;
+    }
+#ifndef SQLITE_OMIT_TRIGGER
+    case TK_RAISE: {
+      if( !pParse->trigStack ){
+        sqlite3ErrorMsg(pParse,
+                       "RAISE() may only be used within a trigger-program");
+	return;
+      }
+      if( pExpr->iColumn!=OE_Ignore ){
+         assert( pExpr->iColumn==OE_Rollback ||
+                 pExpr->iColumn == OE_Abort ||
+                 pExpr->iColumn == OE_Fail );
+         sqlite3DequoteExpr(pExpr);
+         sqlite3VdbeOp3(v, OP_Halt, SQLITE_CONSTRAINT, pExpr->iColumn,
+                        (char*)pExpr->token.z, pExpr->token.n);
+      } else {
+         assert( pExpr->iColumn == OE_Ignore );
+         sqlite3VdbeAddOp(v, OP_ContextPop, 0, 0);
+         sqlite3VdbeAddOp(v, OP_Goto, 0, pParse->trigStack->ignoreJump);
+         VdbeComment((v, "# raise(IGNORE)"));
+      }
+      stackChng = 0;
+      break;
+    }
+#endif
+  }
+
+  if( pParse->ckOffset ){
+    pParse->ckOffset += stackChng;
+    assert( pParse->ckOffset );
+  }
+}
+
+#ifndef SQLITE_OMIT_TRIGGER
+/*
+** Generate code that evalutes the given expression and leaves the result
+** on the stack.  See also sqlite3ExprCode().
+**
+** This routine might also cache the result and modify the pExpr tree
+** so that it will make use of the cached result on subsequent evaluations
+** rather than evaluate the whole expression again.  Trivial expressions are
+** not cached.  If the expression is cached, its result is stored in a 
+** memory location.
+*/
+void sqlite3ExprCodeAndCache(Parse *pParse, Expr *pExpr){
+  Vdbe *v = pParse->pVdbe;
+  int iMem;
+  int addr1, addr2;
+  if( v==0 ) return;
+  addr1 = sqlite3VdbeCurrentAddr(v);
+  sqlite3ExprCode(pParse, pExpr);
+  addr2 = sqlite3VdbeCurrentAddr(v);
+  if( addr2>addr1+1 || sqlite3VdbeGetOp(v, addr1)->opcode==OP_Function ){
+    iMem = pExpr->iTable = pParse->nMem++;
+    sqlite3VdbeAddOp(v, OP_MemStore, iMem, 0);
+    pExpr->op = TK_REGISTER;
+  }
+}
+#endif
+
+/*
+** Generate code that pushes the value of every element of the given
+** expression list onto the stack.
+**
+** Return the number of elements pushed onto the stack.
+*/
+int sqlite3ExprCodeExprList(
+  Parse *pParse,     /* Parsing context */
+  ExprList *pList    /* The expression list to be coded */
+){
+  struct ExprList_item *pItem;
+  int i, n;
+  if( pList==0 ) return 0;
+  n = pList->nExpr;
+  for(pItem=pList->a, i=n; i>0; i--, pItem++){
+    sqlite3ExprCode(pParse, pItem->pExpr);
+  }
+  return n;
+}
+
+/*
+** Generate code for a boolean expression such that a jump is made
+** to the label "dest" if the expression is true but execution
+** continues straight thru if the expression is false.
+**
+** If the expression evaluates to NULL (neither true nor false), then
+** take the jump if the jumpIfNull flag is true.
+**
+** This code depends on the fact that certain token values (ex: TK_EQ)
+** are the same as opcode values (ex: OP_Eq) that implement the corresponding
+** operation.  Special comments in vdbe.c and the mkopcodeh.awk script in
+** the make process cause these values to align.  Assert()s in the code
+** below verify that the numbers are aligned correctly.
+*/
+void sqlite3ExprIfTrue(Parse *pParse, Expr *pExpr, int dest, int jumpIfNull){
+  Vdbe *v = pParse->pVdbe;
+  int op = 0;
+  int ckOffset = pParse->ckOffset;
+  if( v==0 || pExpr==0 ) return;
+  op = pExpr->op;
+  switch( op ){
+    case TK_AND: {
+      int d2 = sqlite3VdbeMakeLabel(v);
+      sqlite3ExprIfFalse(pParse, pExpr->pLeft, d2, !jumpIfNull);
+      sqlite3ExprIfTrue(pParse, pExpr->pRight, dest, jumpIfNull);
+      sqlite3VdbeResolveLabel(v, d2);
+      break;
+    }
+    case TK_OR: {
+      sqlite3ExprIfTrue(pParse, pExpr->pLeft, dest, jumpIfNull);
+      sqlite3ExprIfTrue(pParse, pExpr->pRight, dest, jumpIfNull);
+      break;
+    }
+    case TK_NOT: {
+      sqlite3ExprIfFalse(pParse, pExpr->pLeft, dest, jumpIfNull);
+      break;
+    }
+    case TK_LT:
+    case TK_LE:
+    case TK_GT:
+    case TK_GE:
+    case TK_NE:
+    case TK_EQ: {
+      assert( TK_LT==OP_Lt );
+      assert( TK_LE==OP_Le );
+      assert( TK_GT==OP_Gt );
+      assert( TK_GE==OP_Ge );
+      assert( TK_EQ==OP_Eq );
+      assert( TK_NE==OP_Ne );
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3ExprCode(pParse, pExpr->pRight);
+      codeCompare(pParse, pExpr->pLeft, pExpr->pRight, op, dest, jumpIfNull);
+      break;
+    }
+    case TK_ISNULL:
+    case TK_NOTNULL: {
+      assert( TK_ISNULL==OP_IsNull );
+      assert( TK_NOTNULL==OP_NotNull );
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3VdbeAddOp(v, op, 1, dest);
+      break;
+    }
+    case TK_BETWEEN: {
+      /* The expression "x BETWEEN y AND z" is implemented as:
+      **
+      ** 1 IF (x < y) GOTO 3
+      ** 2 IF (x <= z) GOTO <dest>
+      ** 3 ...
+      */
+      int addr;
+      Expr *pLeft = pExpr->pLeft;
+      Expr *pRight = pExpr->pList->a[0].pExpr;
+      sqlite3ExprCode(pParse, pLeft);
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      sqlite3ExprCode(pParse, pRight);
+      addr = codeCompare(pParse, pLeft, pRight, OP_Lt, 0, !jumpIfNull);
+
+      pRight = pExpr->pList->a[1].pExpr;
+      sqlite3ExprCode(pParse, pRight);
+      codeCompare(pParse, pLeft, pRight, OP_Le, dest, jumpIfNull);
+
+      sqlite3VdbeAddOp(v, OP_Integer, 0, 0);
+      sqlite3VdbeJumpHere(v, addr);
+      sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      break;
+    }
+    default: {
+      sqlite3ExprCode(pParse, pExpr);
+      sqlite3VdbeAddOp(v, OP_If, jumpIfNull, dest);
+      break;
+    }
+  }
+  pParse->ckOffset = ckOffset;
+}
+
+/*
+** Generate code for a boolean expression such that a jump is made
+** to the label "dest" if the expression is false but execution
+** continues straight thru if the expression is true.
+**
+** If the expression evaluates to NULL (neither true nor false) then
+** jump if jumpIfNull is true or fall through if jumpIfNull is false.
+*/
+void sqlite3ExprIfFalse(Parse *pParse, Expr *pExpr, int dest, int jumpIfNull){
+  Vdbe *v = pParse->pVdbe;
+  int op = 0;
+  int ckOffset = pParse->ckOffset;
+  if( v==0 || pExpr==0 ) return;
+
+  /* The value of pExpr->op and op are related as follows:
+  **
+  **       pExpr->op            op
+  **       ---------          ----------
+  **       TK_ISNULL          OP_NotNull
+  **       TK_NOTNULL         OP_IsNull
+  **       TK_NE              OP_Eq
+  **       TK_EQ              OP_Ne
+  **       TK_GT              OP_Le
+  **       TK_LE              OP_Gt
+  **       TK_GE              OP_Lt
+  **       TK_LT              OP_Ge
+  **
+  ** For other values of pExpr->op, op is undefined and unused.
+  ** The value of TK_ and OP_ constants are arranged such that we
+  ** can compute the mapping above using the following expression.
+  ** Assert()s verify that the computation is correct.
+  */
+  op = ((pExpr->op+(TK_ISNULL&1))^1)-(TK_ISNULL&1);
+
+  /* Verify correct alignment of TK_ and OP_ constants
+  */
+  assert( pExpr->op!=TK_ISNULL || op==OP_NotNull );
+  assert( pExpr->op!=TK_NOTNULL || op==OP_IsNull );
+  assert( pExpr->op!=TK_NE || op==OP_Eq );
+  assert( pExpr->op!=TK_EQ || op==OP_Ne );
+  assert( pExpr->op!=TK_LT || op==OP_Ge );
+  assert( pExpr->op!=TK_LE || op==OP_Gt );
+  assert( pExpr->op!=TK_GT || op==OP_Le );
+  assert( pExpr->op!=TK_GE || op==OP_Lt );
+
+  switch( pExpr->op ){
+    case TK_AND: {
+      sqlite3ExprIfFalse(pParse, pExpr->pLeft, dest, jumpIfNull);
+      sqlite3ExprIfFalse(pParse, pExpr->pRight, dest, jumpIfNull);
+      break;
+    }
+    case TK_OR: {
+      int d2 = sqlite3VdbeMakeLabel(v);
+      sqlite3ExprIfTrue(pParse, pExpr->pLeft, d2, !jumpIfNull);
+      sqlite3ExprIfFalse(pParse, pExpr->pRight, dest, jumpIfNull);
+      sqlite3VdbeResolveLabel(v, d2);
+      break;
+    }
+    case TK_NOT: {
+      sqlite3ExprIfTrue(pParse, pExpr->pLeft, dest, jumpIfNull);
+      break;
+    }
+    case TK_LT:
+    case TK_LE:
+    case TK_GT:
+    case TK_GE:
+    case TK_NE:
+    case TK_EQ: {
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3ExprCode(pParse, pExpr->pRight);
+      codeCompare(pParse, pExpr->pLeft, pExpr->pRight, op, dest, jumpIfNull);
+      break;
+    }
+    case TK_ISNULL:
+    case TK_NOTNULL: {
+      sqlite3ExprCode(pParse, pExpr->pLeft);
+      sqlite3VdbeAddOp(v, op, 1, dest);
+      break;
+    }
+    case TK_BETWEEN: {
+      /* The expression is "x BETWEEN y AND z". It is implemented as:
+      **
+      ** 1 IF (x >= y) GOTO 3
+      ** 2 GOTO <dest>
+      ** 3 IF (x > z) GOTO <dest>
+      */
+      int addr;
+      Expr *pLeft = pExpr->pLeft;
+      Expr *pRight = pExpr->pList->a[0].pExpr;
+      sqlite3ExprCode(pParse, pLeft);
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      sqlite3ExprCode(pParse, pRight);
+      addr = sqlite3VdbeCurrentAddr(v);
+      codeCompare(pParse, pLeft, pRight, OP_Ge, addr+3, !jumpIfNull);
+
+      sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, dest);
+      pRight = pExpr->pList->a[1].pExpr;
+      sqlite3ExprCode(pParse, pRight);
+      codeCompare(pParse, pLeft, pRight, OP_Gt, dest, jumpIfNull);
+      break;
+    }
+    default: {
+      sqlite3ExprCode(pParse, pExpr);
+      sqlite3VdbeAddOp(v, OP_IfNot, jumpIfNull, dest);
+      break;
+    }
+  }
+  pParse->ckOffset = ckOffset;
+}
+
+/*
+** Do a deep comparison of two expression trees.  Return TRUE (non-zero)
+** if they are identical and return FALSE if they differ in any way.
+**
+** Sometimes this routine will return FALSE even if the two expressions
+** really are equivalent.  If we cannot prove that the expressions are
+** identical, we return FALSE just to be safe.  So if this routine
+** returns false, then you do not really know for certain if the two
+** expressions are the same.  But if you get a TRUE return, then you
+** can be sure the expressions are the same.  In the places where
+** this routine is used, it does not hurt to get an extra FALSE - that
+** just might result in some slightly slower code.  But returning
+** an incorrect TRUE could lead to a malfunction.
+*/
+int sqlite3ExprCompare(Expr *pA, Expr *pB){
+  int i;
+  if( pA==0||pB==0 ){
+    return pB==pA;
+  }
+  if( pA->op!=pB->op ) return 0;
+  if( (pA->flags & EP_Distinct)!=(pB->flags & EP_Distinct) ) return 0;
+  if( !sqlite3ExprCompare(pA->pLeft, pB->pLeft) ) return 0;
+  if( !sqlite3ExprCompare(pA->pRight, pB->pRight) ) return 0;
+  if( pA->pList ){
+    if( pB->pList==0 ) return 0;
+    if( pA->pList->nExpr!=pB->pList->nExpr ) return 0;
+    for(i=0; i<pA->pList->nExpr; i++){
+      if( !sqlite3ExprCompare(pA->pList->a[i].pExpr, pB->pList->a[i].pExpr) ){
+        return 0;
+      }
+    }
+  }else if( pB->pList ){
+    return 0;
+  }
+  if( pA->pSelect || pB->pSelect ) return 0;
+  if( pA->iTable!=pB->iTable || pA->iColumn!=pB->iColumn ) return 0;
+  if( pA->op!=TK_COLUMN && pA->token.z ){
+    if( pB->token.z==0 ) return 0;
+    if( pB->token.n!=pA->token.n ) return 0;
+    if( sqlite3StrNICmp((char*)pA->token.z,(char*)pB->token.z,pB->token.n)!=0 ){
+      return 0;
+    }
+  }
+  return 1;
+}
+
+
+/*
+** Add a new element to the pAggInfo->aCol[] array.  Return the index of
+** the new element.  Return a negative number if malloc fails.
+*/
+static int addAggInfoColumn(AggInfo *pInfo){
+  int i;
+  pInfo->aCol = sqlite3ArrayAllocate(
+       pInfo->aCol,
+       sizeof(pInfo->aCol[0]),
+       3,
+       &pInfo->nColumn,
+       &pInfo->nColumnAlloc,
+       &i
+  );
+  return i;
+}    
+
+/*
+** Add a new element to the pAggInfo->aFunc[] array.  Return the index of
+** the new element.  Return a negative number if malloc fails.
+*/
+static int addAggInfoFunc(AggInfo *pInfo){
+  int i;
+  pInfo->aFunc = sqlite3ArrayAllocate(
+       pInfo->aFunc,
+       sizeof(pInfo->aFunc[0]),
+       3,
+       &pInfo->nFunc,
+       &pInfo->nFuncAlloc,
+       &i
+  );
+  return i;
+}    
+
+/*
+** This is an xFunc for walkExprTree() used to implement 
+** sqlite3ExprAnalyzeAggregates().  See sqlite3ExprAnalyzeAggregates
+** for additional information.
+**
+** This routine analyzes the aggregate function at pExpr.
+*/
+static int analyzeAggregate(void *pArg, Expr *pExpr){
+  int i;
+  NameContext *pNC = (NameContext *)pArg;
+  Parse *pParse = pNC->pParse;
+  SrcList *pSrcList = pNC->pSrcList;
+  AggInfo *pAggInfo = pNC->pAggInfo;
+  
+
+  switch( pExpr->op ){
+    case TK_AGG_COLUMN:
+    case TK_COLUMN: {
+      /* Check to see if the column is in one of the tables in the FROM
+      ** clause of the aggregate query */
+      if( pSrcList ){
+        struct SrcList_item *pItem = pSrcList->a;
+        for(i=0; i<pSrcList->nSrc; i++, pItem++){
+          struct AggInfo_col *pCol;
+          if( pExpr->iTable==pItem->iCursor ){
+            /* If we reach this point, it means that pExpr refers to a table
+            ** that is in the FROM clause of the aggregate query.  
+            **
+            ** Make an entry for the column in pAggInfo->aCol[] if there
+            ** is not an entry there already.
+            */
+            int k;
+            pCol = pAggInfo->aCol;
+            for(k=0; k<pAggInfo->nColumn; k++, pCol++){
+              if( pCol->iTable==pExpr->iTable &&
+                  pCol->iColumn==pExpr->iColumn ){
+                break;
+              }
+            }
+            if( k>=pAggInfo->nColumn && (k = addAggInfoColumn(pAggInfo))>=0 ){
+              pCol = &pAggInfo->aCol[k];
+              pCol->pTab = pExpr->pTab;
+              pCol->iTable = pExpr->iTable;
+              pCol->iColumn = pExpr->iColumn;
+              pCol->iMem = pParse->nMem++;
+              pCol->iSorterColumn = -1;
+              pCol->pExpr = pExpr;
+              if( pAggInfo->pGroupBy ){
+                int j, n;
+                ExprList *pGB = pAggInfo->pGroupBy;
+                struct ExprList_item *pTerm = pGB->a;
+                n = pGB->nExpr;
+                for(j=0; j<n; j++, pTerm++){
+                  Expr *pE = pTerm->pExpr;
+                  if( pE->op==TK_COLUMN && pE->iTable==pExpr->iTable &&
+                      pE->iColumn==pExpr->iColumn ){
+                    pCol->iSorterColumn = j;
+                    break;
+                  }
+                }
+              }
+              if( pCol->iSorterColumn<0 ){
+                pCol->iSorterColumn = pAggInfo->nSortingColumn++;
+              }
+            }
+            /* There is now an entry for pExpr in pAggInfo->aCol[] (either
+            ** because it was there before or because we just created it).
+            ** Convert the pExpr to be a TK_AGG_COLUMN referring to that
+            ** pAggInfo->aCol[] entry.
+            */
+            pExpr->pAggInfo = pAggInfo;
+            pExpr->op = TK_AGG_COLUMN;
+            pExpr->iAgg = k;
+            break;
+          } /* endif pExpr->iTable==pItem->iCursor */
+        } /* end loop over pSrcList */
+      }
+      return 1;
+    }
+    case TK_AGG_FUNCTION: {
+      /* The pNC->nDepth==0 test causes aggregate functions in subqueries
+      ** to be ignored */
+      if( pNC->nDepth==0 ){
+        /* Check to see if pExpr is a duplicate of another aggregate 
+        ** function that is already in the pAggInfo structure
+        */
+        struct AggInfo_func *pItem = pAggInfo->aFunc;
+        for(i=0; i<pAggInfo->nFunc; i++, pItem++){
+          if( sqlite3ExprCompare(pItem->pExpr, pExpr) ){
+            break;
+          }
+        }
+        if( i>=pAggInfo->nFunc ){
+          /* pExpr is original.  Make a new entry in pAggInfo->aFunc[]
+          */
+          u8 enc = ENC(pParse->db);
+          i = addAggInfoFunc(pAggInfo);
+          if( i>=0 ){
+            pItem = &pAggInfo->aFunc[i];
+            pItem->pExpr = pExpr;
+            pItem->iMem = pParse->nMem++;
+            pItem->pFunc = sqlite3FindFunction(pParse->db,
+                   (char*)pExpr->token.z, pExpr->token.n,
+                   pExpr->pList ? pExpr->pList->nExpr : 0, enc, 0);
+            if( pExpr->flags & EP_Distinct ){
+              pItem->iDistinct = pParse->nTab++;
+            }else{
+              pItem->iDistinct = -1;
+            }
+          }
+        }
+        /* Make pExpr point to the appropriate pAggInfo->aFunc[] entry
+        */
+        pExpr->iAgg = i;
+        pExpr->pAggInfo = pAggInfo;
+        return 1;
+      }
+    }
+  }
+
+  /* Recursively walk subqueries looking for TK_COLUMN nodes that need
+  ** to be changed to TK_AGG_COLUMN.  But increment nDepth so that
+  ** TK_AGG_FUNCTION nodes in subqueries will be unchanged.
+  */
+  if( pExpr->pSelect ){
+    pNC->nDepth++;
+    walkSelectExpr(pExpr->pSelect, analyzeAggregate, pNC);
+    pNC->nDepth--;
+  }
+  return 0;
+}
+
+/*
+** Analyze the given expression looking for aggregate functions and
+** for variables that need to be added to the pParse->aAgg[] array.
+** Make additional entries to the pParse->aAgg[] array as necessary.
+**
+** This routine should only be called after the expression has been
+** analyzed by sqlite3ExprResolveNames().
+**
+** If errors are seen, leave an error message in zErrMsg and return
+** the number of errors.
+*/
+int sqlite3ExprAnalyzeAggregates(NameContext *pNC, Expr *pExpr){
+  int nErr = pNC->pParse->nErr;
+  walkExprTree(pExpr, analyzeAggregate, pNC);
+  return pNC->pParse->nErr - nErr;
+}
+
+/*
+** Call sqlite3ExprAnalyzeAggregates() for every expression in an
+** expression list.  Return the number of errors.
+**
+** If an error is found, the analysis is cut short.
+*/
+int sqlite3ExprAnalyzeAggList(NameContext *pNC, ExprList *pList){
+  struct ExprList_item *pItem;
+  int i;
+  int nErr = 0;
+  if( pList ){
+    for(pItem=pList->a, i=0; nErr==0 && i<pList->nExpr; i++, pItem++){
+      nErr += sqlite3ExprAnalyzeAggregates(pNC, pItem->pExpr);
+    }
+  }
+  return nErr;
+}
+
+/************** End of expr.c ************************************************/
+/************** Begin file alter.c *******************************************/
+/*
+** 2005 February 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that used to generate VDBE code
+** that implements the ALTER TABLE command.
+**
+** $Id$
+*/
+
+/*
+** The code in this file only exists if we are not omitting the
+** ALTER TABLE logic from the build.
+*/
+#ifndef SQLITE_OMIT_ALTERTABLE
+
+
+/*
+** This function is used by SQL generated to implement the 
+** ALTER TABLE command. The first argument is the text of a CREATE TABLE or
+** CREATE INDEX command. The second is a table name. The table name in 
+** the CREATE TABLE or CREATE INDEX statement is replaced with the third
+** argument and the result returned. Examples:
+**
+** sqlite_rename_table('CREATE TABLE abc(a, b, c)', 'def')
+**     -> 'CREATE TABLE def(a, b, c)'
+**
+** sqlite_rename_table('CREATE INDEX i ON abc(a)', 'def')
+**     -> 'CREATE INDEX i ON def(a, b, c)'
+*/
+static void renameTableFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  unsigned char const *zSql = sqlite3_value_text(argv[0]);
+  unsigned char const *zTableName = sqlite3_value_text(argv[1]);
+
+  int token;
+  Token tname;
+  unsigned char const *zCsr = zSql;
+  int len = 0;
+  char *zRet;
+
+  /* The principle used to locate the table name in the CREATE TABLE 
+  ** statement is that the table name is the first token that is immediatedly
+  ** followed by a left parenthesis - TK_LP.
+  */
+  if( zSql ){
+    do {
+      /* Store the token that zCsr points to in tname. */
+      tname.z = zCsr;
+      tname.n = len;
+
+      /* Advance zCsr to the next token. Store that token type in 'token',
+      ** and it's length in 'len' (to be used next iteration of this loop).
+      */
+      do {
+        zCsr += len;
+        len = sqlite3GetToken(zCsr, &token);
+      } while( token==TK_SPACE );
+      assert( len>0 );
+    } while( token!=TK_LP );
+
+    zRet = sqlite3MPrintf("%.*s%Q%s", tname.z - zSql, zSql, 
+       zTableName, tname.z+tname.n);
+    sqlite3_result_text(context, zRet, -1, sqlite3FreeX);
+  }
+}
+
+#ifndef SQLITE_OMIT_TRIGGER
+/* This function is used by SQL generated to implement the
+** ALTER TABLE command. The first argument is the text of a CREATE TRIGGER 
+** statement. The second is a table name. The table name in the CREATE 
+** TRIGGER statement is replaced with the third argument and the result 
+** returned. This is analagous to renameTableFunc() above, except for CREATE
+** TRIGGER, not CREATE INDEX and CREATE TABLE.
+*/
+static void renameTriggerFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  unsigned char const *zSql = sqlite3_value_text(argv[0]);
+  unsigned char const *zTableName = sqlite3_value_text(argv[1]);
+
+  int token;
+  Token tname;
+  int dist = 3;
+  unsigned char const *zCsr = zSql;
+  int len = 0;
+  char *zRet;
+
+  /* The principle used to locate the table name in the CREATE TRIGGER 
+  ** statement is that the table name is the first token that is immediatedly
+  ** preceded by either TK_ON or TK_DOT and immediatedly followed by one
+  ** of TK_WHEN, TK_BEGIN or TK_FOR.
+  */
+  if( zSql ){
+    do {
+      /* Store the token that zCsr points to in tname. */
+      tname.z = zCsr;
+      tname.n = len;
+
+      /* Advance zCsr to the next token. Store that token type in 'token',
+      ** and it's length in 'len' (to be used next iteration of this loop).
+      */
+      do {
+        zCsr += len;
+        len = sqlite3GetToken(zCsr, &token);
+      }while( token==TK_SPACE );
+      assert( len>0 );
+
+      /* Variable 'dist' stores the number of tokens read since the most
+      ** recent TK_DOT or TK_ON. This means that when a WHEN, FOR or BEGIN 
+      ** token is read and 'dist' equals 2, the condition stated above
+      ** to be met.
+      **
+      ** Note that ON cannot be a database, table or column name, so
+      ** there is no need to worry about syntax like 
+      ** "CREATE TRIGGER ... ON ON.ON BEGIN ..." etc.
+      */
+      dist++;
+      if( token==TK_DOT || token==TK_ON ){
+        dist = 0;
+      }
+    } while( dist!=2 || (token!=TK_WHEN && token!=TK_FOR && token!=TK_BEGIN) );
+
+    /* Variable tname now contains the token that is the old table-name
+    ** in the CREATE TRIGGER statement.
+    */
+    zRet = sqlite3MPrintf("%.*s%Q%s", tname.z - zSql, zSql, 
+       zTableName, tname.z+tname.n);
+    sqlite3_result_text(context, zRet, -1, sqlite3FreeX);
+  }
+}
+#endif   /* !SQLITE_OMIT_TRIGGER */
+
+/*
+** Register built-in functions used to help implement ALTER TABLE
+*/
+void sqlite3AlterFunctions(sqlite3 *db){
+  static const struct {
+     char *zName;
+     signed char nArg;
+     void (*xFunc)(sqlite3_context*,int,sqlite3_value **);
+  } aFuncs[] = {
+    { "sqlite_rename_table",    2, renameTableFunc},
+#ifndef SQLITE_OMIT_TRIGGER
+    { "sqlite_rename_trigger",  2, renameTriggerFunc},
+#endif
+  };
+  int i;
+
+  for(i=0; i<sizeof(aFuncs)/sizeof(aFuncs[0]); i++){
+    sqlite3CreateFunc(db, aFuncs[i].zName, aFuncs[i].nArg,
+        SQLITE_UTF8, 0, aFuncs[i].xFunc, 0, 0);
+  }
+}
+
+/*
+** Generate the text of a WHERE expression which can be used to select all
+** temporary triggers on table pTab from the sqlite_temp_master table. If
+** table pTab has no temporary triggers, or is itself stored in the 
+** temporary database, NULL is returned.
+*/
+static char *whereTempTriggers(Parse *pParse, Table *pTab){
+  Trigger *pTrig;
+  char *zWhere = 0;
+  char *tmp = 0;
+  const Schema *pTempSchema = pParse->db->aDb[1].pSchema; /* Temp db schema */
+
+  /* If the table is not located in the temp-db (in which case NULL is 
+  ** returned, loop through the tables list of triggers. For each trigger
+  ** that is not part of the temp-db schema, add a clause to the WHERE 
+  ** expression being built up in zWhere.
+  */
+  if( pTab->pSchema!=pTempSchema ){
+    for( pTrig=pTab->pTrigger; pTrig; pTrig=pTrig->pNext ){
+      if( pTrig->pSchema==pTempSchema ){
+        if( !zWhere ){
+          zWhere = sqlite3MPrintf("name=%Q", pTrig->name);
+        }else{
+          tmp = zWhere;
+          zWhere = sqlite3MPrintf("%s OR name=%Q", zWhere, pTrig->name);
+          sqliteFree(tmp);
+        }
+      }
+    }
+  }
+  return zWhere;
+}
+
+/*
+** Generate code to drop and reload the internal representation of table
+** pTab from the database, including triggers and temporary triggers.
+** Argument zName is the name of the table in the database schema at
+** the time the generated code is executed. This can be different from
+** pTab->zName if this function is being called to code part of an 
+** "ALTER TABLE RENAME TO" statement.
+*/
+static void reloadTableSchema(Parse *pParse, Table *pTab, const char *zName){
+  Vdbe *v;
+  char *zWhere;
+  int iDb;                   /* Index of database containing pTab */
+#ifndef SQLITE_OMIT_TRIGGER
+  Trigger *pTrig;
+#endif
+
+  v = sqlite3GetVdbe(pParse);
+  if( !v ) return;
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  assert( iDb>=0 );
+
+#ifndef SQLITE_OMIT_TRIGGER
+  /* Drop any table triggers from the internal schema. */
+  for(pTrig=pTab->pTrigger; pTrig; pTrig=pTrig->pNext){
+    int iTrigDb = sqlite3SchemaToIndex(pParse->db, pTrig->pSchema);
+    assert( iTrigDb==iDb || iTrigDb==1 );
+    sqlite3VdbeOp3(v, OP_DropTrigger, iTrigDb, 0, pTrig->name, 0);
+  }
+#endif
+
+  /* Drop the table and index from the internal schema */
+  sqlite3VdbeOp3(v, OP_DropTable, iDb, 0, pTab->zName, 0);
+
+  /* Reload the table, index and permanent trigger schemas. */
+  zWhere = sqlite3MPrintf("tbl_name=%Q", zName);
+  if( !zWhere ) return;
+  sqlite3VdbeOp3(v, OP_ParseSchema, iDb, 0, zWhere, P3_DYNAMIC);
+
+#ifndef SQLITE_OMIT_TRIGGER
+  /* Now, if the table is not stored in the temp database, reload any temp 
+  ** triggers. Don't use IN(...) in case SQLITE_OMIT_SUBQUERY is defined. 
+  */
+  if( (zWhere=whereTempTriggers(pParse, pTab))!=0 ){
+    sqlite3VdbeOp3(v, OP_ParseSchema, 1, 0, zWhere, P3_DYNAMIC);
+  }
+#endif
+}
+
+/*
+** Generate code to implement the "ALTER TABLE xxx RENAME TO yyy" 
+** command. 
+*/
+void sqlite3AlterRenameTable(
+  Parse *pParse,            /* Parser context. */
+  SrcList *pSrc,            /* The table to rename. */
+  Token *pName              /* The new table name. */
+){
+  int iDb;                  /* Database that contains the table */
+  char *zDb;                /* Name of database iDb */
+  Table *pTab;              /* Table being renamed */
+  char *zName = 0;          /* NULL-terminated version of pName */ 
+  sqlite3 *db = pParse->db; /* Database connection */
+  Vdbe *v;
+#ifndef SQLITE_OMIT_TRIGGER
+  char *zWhere = 0;         /* Where clause to locate temp triggers */
+#endif
+  
+  if( sqlite3MallocFailed() ) goto exit_rename_table;
+  assert( pSrc->nSrc==1 );
+
+  pTab = sqlite3LocateTable(pParse, pSrc->a[0].zName, pSrc->a[0].zDatabase);
+  if( !pTab ) goto exit_rename_table;
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( IsVirtual(pTab) ){
+    sqlite3ErrorMsg(pParse, "virtual tables may not be altered");
+    goto exit_rename_table;
+  }
+#endif
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  zDb = db->aDb[iDb].zName;
+
+  /* Get a NULL terminated version of the new table name. */
+  zName = sqlite3NameFromToken(pName);
+  if( !zName ) goto exit_rename_table;
+
+  /* Check that a table or index named 'zName' does not already exist
+  ** in database iDb. If so, this is an error.
+  */
+  if( sqlite3FindTable(db, zName, zDb) || sqlite3FindIndex(db, zName, zDb) ){
+    sqlite3ErrorMsg(pParse, 
+        "there is already another table or index with this name: %s", zName);
+    goto exit_rename_table;
+  }
+
+  /* Make sure it is not a system table being altered, or a reserved name
+  ** that the table is being renamed to.
+  */
+  if( strlen(pTab->zName)>6 && 0==sqlite3StrNICmp(pTab->zName, "sqlite_", 7) ){
+    sqlite3ErrorMsg(pParse, "table %s may not be altered", pTab->zName);
+    goto exit_rename_table;
+  }
+  if( SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){
+    goto exit_rename_table;
+  }
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  /* Invoke the authorization callback. */
+  if( sqlite3AuthCheck(pParse, SQLITE_ALTER_TABLE, zDb, pTab->zName, 0) ){
+    goto exit_rename_table;
+  }
+#endif
+
+  /* Begin a transaction and code the VerifyCookie for database iDb. 
+  ** Then modify the schema cookie (since the ALTER TABLE modifies the
+  ** schema).
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ){
+    goto exit_rename_table;
+  }
+  sqlite3BeginWriteOperation(pParse, 0, iDb);
+  sqlite3ChangeCookie(db, v, iDb);
+
+  /* Modify the sqlite_master table to use the new table name. */
+  sqlite3NestedParse(pParse,
+      "UPDATE %Q.%s SET "
+#ifdef SQLITE_OMIT_TRIGGER
+          "sql = sqlite_rename_table(sql, %Q), "
+#else
+          "sql = CASE "
+            "WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)"
+            "ELSE sqlite_rename_table(sql, %Q) END, "
+#endif
+          "tbl_name = %Q, "
+          "name = CASE "
+            "WHEN type='table' THEN %Q "
+            "WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN "
+              "'sqlite_autoindex_' || %Q || substr(name, %d+18,10) "
+            "ELSE name END "
+      "WHERE tbl_name=%Q AND "
+          "(type='table' OR type='index' OR type='trigger');", 
+      zDb, SCHEMA_TABLE(iDb), zName, zName, zName, 
+#ifndef SQLITE_OMIT_TRIGGER
+      zName,
+#endif
+      zName, strlen(pTab->zName), pTab->zName
+  );
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+  /* If the sqlite_sequence table exists in this database, then update 
+  ** it with the new table name.
+  */
+  if( sqlite3FindTable(db, "sqlite_sequence", zDb) ){
+    sqlite3NestedParse(pParse,
+        "UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q",
+        zDb, zName, pTab->zName);
+  }
+#endif
+
+#ifndef SQLITE_OMIT_TRIGGER
+  /* If there are TEMP triggers on this table, modify the sqlite_temp_master
+  ** table. Don't do this if the table being ALTERed is itself located in
+  ** the temp database.
+  */
+  if( (zWhere=whereTempTriggers(pParse, pTab))!=0 ){
+    sqlite3NestedParse(pParse, 
+        "UPDATE sqlite_temp_master SET "
+            "sql = sqlite_rename_trigger(sql, %Q), "
+            "tbl_name = %Q "
+            "WHERE %s;", zName, zName, zWhere);
+    sqliteFree(zWhere);
+  }
+#endif
+
+  /* Drop and reload the internal table schema. */
+  reloadTableSchema(pParse, pTab, zName);
+
+exit_rename_table:
+  sqlite3SrcListDelete(pSrc);
+  sqliteFree(zName);
+}
+
+
+/*
+** This function is called after an "ALTER TABLE ... ADD" statement
+** has been parsed. Argument pColDef contains the text of the new
+** column definition.
+**
+** The Table structure pParse->pNewTable was extended to include
+** the new column during parsing.
+*/
+void sqlite3AlterFinishAddColumn(Parse *pParse, Token *pColDef){
+  Table *pNew;              /* Copy of pParse->pNewTable */
+  Table *pTab;              /* Table being altered */
+  int iDb;                  /* Database number */
+  const char *zDb;          /* Database name */
+  const char *zTab;         /* Table name */
+  char *zCol;               /* Null-terminated column definition */
+  Column *pCol;             /* The new column */
+  Expr *pDflt;              /* Default value for the new column */
+
+  if( pParse->nErr ) return;
+  pNew = pParse->pNewTable;
+  assert( pNew );
+
+  iDb = sqlite3SchemaToIndex(pParse->db, pNew->pSchema);
+  zDb = pParse->db->aDb[iDb].zName;
+  zTab = pNew->zName;
+  pCol = &pNew->aCol[pNew->nCol-1];
+  pDflt = pCol->pDflt;
+  pTab = sqlite3FindTable(pParse->db, zTab, zDb);
+  assert( pTab );
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  /* Invoke the authorization callback. */
+  if( sqlite3AuthCheck(pParse, SQLITE_ALTER_TABLE, zDb, pTab->zName, 0) ){
+    return;
+  }
+#endif
+
+  /* If the default value for the new column was specified with a 
+  ** literal NULL, then set pDflt to 0. This simplifies checking
+  ** for an SQL NULL default below.
+  */
+  if( pDflt && pDflt->op==TK_NULL ){
+    pDflt = 0;
+  }
+
+  /* Check that the new column is not specified as PRIMARY KEY or UNIQUE.
+  ** If there is a NOT NULL constraint, then the default value for the
+  ** column must not be NULL.
+  */
+  if( pCol->isPrimKey ){
+    sqlite3ErrorMsg(pParse, "Cannot add a PRIMARY KEY column");
+    return;
+  }
+  if( pNew->pIndex ){
+    sqlite3ErrorMsg(pParse, "Cannot add a UNIQUE column");
+    return;
+  }
+  if( pCol->notNull && !pDflt ){
+    sqlite3ErrorMsg(pParse, 
+        "Cannot add a NOT NULL column with default value NULL");
+    return;
+  }
+
+  /* Ensure the default expression is something that sqlite3ValueFromExpr()
+  ** can handle (i.e. not CURRENT_TIME etc.)
+  */
+  if( pDflt ){
+    sqlite3_value *pVal;
+    if( sqlite3ValueFromExpr(pDflt, SQLITE_UTF8, SQLITE_AFF_NONE, &pVal) ){
+      /* malloc() has failed */
+      return;
+    }
+    if( !pVal ){
+      sqlite3ErrorMsg(pParse, "Cannot add a column with non-constant default");
+      return;
+    }
+    sqlite3ValueFree(pVal);
+  }
+
+  /* Modify the CREATE TABLE statement. */
+  zCol = sqliteStrNDup((char*)pColDef->z, pColDef->n);
+  if( zCol ){
+    char *zEnd = &zCol[pColDef->n-1];
+    while( (zEnd>zCol && *zEnd==';') || isspace(*(unsigned char *)zEnd) ){
+      *zEnd-- = '\0';
+    }
+    sqlite3NestedParse(pParse, 
+        "UPDATE %Q.%s SET "
+          "sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d,length(sql)) "
+        "WHERE type = 'table' AND name = %Q", 
+      zDb, SCHEMA_TABLE(iDb), pNew->addColOffset, zCol, pNew->addColOffset+1,
+      zTab
+    );
+    sqliteFree(zCol);
+  }
+
+  /* If the default value of the new column is NULL, then set the file
+  ** format to 2. If the default value of the new column is not NULL,
+  ** the file format becomes 3.
+  */
+  sqlite3MinimumFileFormat(pParse, iDb, pDflt ? 3 : 2);
+
+  /* Reload the schema of the modified table. */
+  reloadTableSchema(pParse, pTab, pTab->zName);
+}
+
+/*
+** This function is called by the parser after the table-name in
+** an "ALTER TABLE <table-name> ADD" statement is parsed. Argument 
+** pSrc is the full-name of the table being altered.
+**
+** This routine makes a (partial) copy of the Table structure
+** for the table being altered and sets Parse.pNewTable to point
+** to it. Routines called by the parser as the column definition
+** is parsed (i.e. sqlite3AddColumn()) add the new Column data to 
+** the copy. The copy of the Table structure is deleted by tokenize.c 
+** after parsing is finished.
+**
+** Routine sqlite3AlterFinishAddColumn() will be called to complete
+** coding the "ALTER TABLE ... ADD" statement.
+*/
+void sqlite3AlterBeginAddColumn(Parse *pParse, SrcList *pSrc){
+  Table *pNew;
+  Table *pTab;
+  Vdbe *v;
+  int iDb;
+  int i;
+  int nAlloc;
+
+  /* Look up the table being altered. */
+  assert( pParse->pNewTable==0 );
+  if( sqlite3MallocFailed() ) goto exit_begin_add_column;
+  pTab = sqlite3LocateTable(pParse, pSrc->a[0].zName, pSrc->a[0].zDatabase);
+  if( !pTab ) goto exit_begin_add_column;
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( IsVirtual(pTab) ){
+    sqlite3ErrorMsg(pParse, "virtual tables may not be altered");
+    goto exit_begin_add_column;
+  }
+#endif
+
+  /* Make sure this is not an attempt to ALTER a view. */
+  if( pTab->pSelect ){
+    sqlite3ErrorMsg(pParse, "Cannot add a column to a view");
+    goto exit_begin_add_column;
+  }
+
+  assert( pTab->addColOffset>0 );
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+
+  /* Put a copy of the Table struct in Parse.pNewTable for the
+  ** sqlite3AddColumn() function and friends to modify.
+  */
+  pNew = (Table *)sqliteMalloc(sizeof(Table));
+  if( !pNew ) goto exit_begin_add_column;
+  pParse->pNewTable = pNew;
+  pNew->nRef = 1;
+  pNew->nCol = pTab->nCol;
+  assert( pNew->nCol>0 );
+  nAlloc = (((pNew->nCol-1)/8)*8)+8;
+  assert( nAlloc>=pNew->nCol && nAlloc%8==0 && nAlloc-pNew->nCol<8 );
+  pNew->aCol = (Column *)sqliteMalloc(sizeof(Column)*nAlloc);
+  pNew->zName = sqliteStrDup(pTab->zName);
+  if( !pNew->aCol || !pNew->zName ){
+    goto exit_begin_add_column;
+  }
+  memcpy(pNew->aCol, pTab->aCol, sizeof(Column)*pNew->nCol);
+  for(i=0; i<pNew->nCol; i++){
+    Column *pCol = &pNew->aCol[i];
+    pCol->zName = sqliteStrDup(pCol->zName);
+    pCol->zColl = 0;
+    pCol->zType = 0;
+    pCol->pDflt = 0;
+  }
+  pNew->pSchema = pParse->db->aDb[iDb].pSchema;
+  pNew->addColOffset = pTab->addColOffset;
+  pNew->nRef = 1;
+
+  /* Begin a transaction and increment the schema cookie.  */
+  sqlite3BeginWriteOperation(pParse, 0, iDb);
+  v = sqlite3GetVdbe(pParse);
+  if( !v ) goto exit_begin_add_column;
+  sqlite3ChangeCookie(pParse->db, v, iDb);
+
+exit_begin_add_column:
+  sqlite3SrcListDelete(pSrc);
+  return;
+}
+#endif  /* SQLITE_ALTER_TABLE */
+
+/************** End of alter.c ***********************************************/
+/************** Begin file analyze.c *****************************************/
+/*
+** 2005 July 8
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code associated with the ANALYZE command.
+**
+** @(#) $Id$
+*/
+#ifndef SQLITE_OMIT_ANALYZE
+
+/*
+** This routine generates code that opens the sqlite_stat1 table on cursor
+** iStatCur.
+**
+** If the sqlite_stat1 tables does not previously exist, it is created.
+** If it does previously exist, all entires associated with table zWhere
+** are removed.  If zWhere==0 then all entries are removed.
+*/
+static void openStatTable(
+  Parse *pParse,          /* Parsing context */
+  int iDb,                /* The database we are looking in */
+  int iStatCur,           /* Open the sqlite_stat1 table on this cursor */
+  const char *zWhere      /* Delete entries associated with this table */
+){
+  sqlite3 *db = pParse->db;
+  Db *pDb;
+  int iRootPage;
+  Table *pStat;
+  Vdbe *v = sqlite3GetVdbe(pParse);
+
+  pDb = &db->aDb[iDb];
+  if( (pStat = sqlite3FindTable(db, "sqlite_stat1", pDb->zName))==0 ){
+    /* The sqlite_stat1 tables does not exist.  Create it.  
+    ** Note that a side-effect of the CREATE TABLE statement is to leave
+    ** the rootpage of the new table on the top of the stack.  This is
+    ** important because the OpenWrite opcode below will be needing it. */
+    sqlite3NestedParse(pParse,
+      "CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)",
+      pDb->zName
+    );
+    iRootPage = 0;  /* Cause rootpage to be taken from top of stack */
+  }else if( zWhere ){
+    /* The sqlite_stat1 table exists.  Delete all entries associated with
+    ** the table zWhere. */
+    sqlite3NestedParse(pParse,
+       "DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q",
+       pDb->zName, zWhere
+    );
+    iRootPage = pStat->tnum;
+  }else{
+    /* The sqlite_stat1 table already exists.  Delete all rows. */
+    iRootPage = pStat->tnum;
+    sqlite3VdbeAddOp(v, OP_Clear, pStat->tnum, iDb);
+  }
+
+  /* Open the sqlite_stat1 table for writing. Unless it was created
+  ** by this vdbe program, lock it for writing at the shared-cache level. 
+  ** If this vdbe did create the sqlite_stat1 table, then it must have 
+  ** already obtained a schema-lock, making the write-lock redundant.
+  */
+  if( iRootPage>0 ){
+    sqlite3TableLock(pParse, iDb, iRootPage, 1, "sqlite_stat1");
+  }
+  sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+  sqlite3VdbeAddOp(v, OP_OpenWrite, iStatCur, iRootPage);
+  sqlite3VdbeAddOp(v, OP_SetNumColumns, iStatCur, 3);
+}
+
+/*
+** Generate code to do an analysis of all indices associated with
+** a single table.
+*/
+static void analyzeOneTable(
+  Parse *pParse,   /* Parser context */
+  Table *pTab,     /* Table whose indices are to be analyzed */
+  int iStatCur,    /* Cursor that writes to the sqlite_stat1 table */
+  int iMem         /* Available memory locations begin here */
+){
+  Index *pIdx;     /* An index to being analyzed */
+  int iIdxCur;     /* Cursor number for index being analyzed */
+  int nCol;        /* Number of columns in the index */
+  Vdbe *v;         /* The virtual machine being built up */
+  int i;           /* Loop counter */
+  int topOfLoop;   /* The top of the loop */
+  int endOfLoop;   /* The end of the loop */
+  int addr;        /* The address of an instruction */
+  int iDb;         /* Index of database containing pTab */
+
+  v = sqlite3GetVdbe(pParse);
+  if( pTab==0 || pTab->pIndex==0 ){
+    /* Do no analysis for tables that have no indices */
+    return;
+  }
+
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  assert( iDb>=0 );
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  if( sqlite3AuthCheck(pParse, SQLITE_ANALYZE, pTab->zName, 0,
+      pParse->db->aDb[iDb].zName ) ){
+    return;
+  }
+#endif
+
+  /* Establish a read-lock on the table at the shared-cache level. */
+  sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);
+
+  iIdxCur = pParse->nTab;
+  for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+    KeyInfo *pKey = sqlite3IndexKeyinfo(pParse, pIdx);
+
+    /* Open a cursor to the index to be analyzed
+    */
+    assert( iDb==sqlite3SchemaToIndex(pParse->db, pIdx->pSchema) );
+    sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+    VdbeComment((v, "# %s", pIdx->zName));
+    sqlite3VdbeOp3(v, OP_OpenRead, iIdxCur, pIdx->tnum,
+        (char *)pKey, P3_KEYINFO_HANDOFF);
+    nCol = pIdx->nColumn;
+    if( iMem+nCol*2>=pParse->nMem ){
+      pParse->nMem = iMem+nCol*2+1;
+    }
+    sqlite3VdbeAddOp(v, OP_SetNumColumns, iIdxCur, nCol+1);
+
+    /* Memory cells are used as follows:
+    **
+    **    mem[iMem]:             The total number of rows in the table.
+    **    mem[iMem+1]:           Number of distinct values in column 1
+    **    ...
+    **    mem[iMem+nCol]:        Number of distinct values in column N
+    **    mem[iMem+nCol+1]       Last observed value of column 1
+    **    ...
+    **    mem[iMem+nCol+nCol]:   Last observed value of column N
+    **
+    ** Cells iMem through iMem+nCol are initialized to 0.  The others
+    ** are initialized to NULL.
+    */
+    for(i=0; i<=nCol; i++){
+      sqlite3VdbeAddOp(v, OP_MemInt, 0, iMem+i);
+    }
+    for(i=0; i<nCol; i++){
+      sqlite3VdbeAddOp(v, OP_MemNull, iMem+nCol+i+1, 0);
+    }
+
+    /* Do the analysis.
+    */
+    endOfLoop = sqlite3VdbeMakeLabel(v);
+    sqlite3VdbeAddOp(v, OP_Rewind, iIdxCur, endOfLoop);
+    topOfLoop = sqlite3VdbeCurrentAddr(v);
+    sqlite3VdbeAddOp(v, OP_MemIncr, 1, iMem);
+    for(i=0; i<nCol; i++){
+      sqlite3VdbeAddOp(v, OP_Column, iIdxCur, i);
+      sqlite3VdbeAddOp(v, OP_MemLoad, iMem+nCol+i+1, 0);
+      sqlite3VdbeAddOp(v, OP_Ne, 0x100, 0);
+    }
+    sqlite3VdbeAddOp(v, OP_Goto, 0, endOfLoop);
+    for(i=0; i<nCol; i++){
+      addr = sqlite3VdbeAddOp(v, OP_MemIncr, 1, iMem+i+1);
+      sqlite3VdbeChangeP2(v, topOfLoop + 3*i + 3, addr);
+      sqlite3VdbeAddOp(v, OP_Column, iIdxCur, i);
+      sqlite3VdbeAddOp(v, OP_MemStore, iMem+nCol+i+1, 1);
+    }
+    sqlite3VdbeResolveLabel(v, endOfLoop);
+    sqlite3VdbeAddOp(v, OP_Next, iIdxCur, topOfLoop);
+    sqlite3VdbeAddOp(v, OP_Close, iIdxCur, 0);
+
+    /* Store the results.  
+    **
+    ** The result is a single row of the sqlite_stmt1 table.  The first
+    ** two columns are the names of the table and index.  The third column
+    ** is a string composed of a list of integer statistics about the
+    ** index.  The first integer in the list is the total number of entires
+    ** in the index.  There is one additional integer in the list for each
+    ** column of the table.  This additional integer is a guess of how many
+    ** rows of the table the index will select.  If D is the count of distinct
+    ** values and K is the total number of rows, then the integer is computed
+    ** as:
+    **
+    **        I = (K+D-1)/D
+    **
+    ** If K==0 then no entry is made into the sqlite_stat1 table.  
+    ** If K>0 then it is always the case the D>0 so division by zero
+    ** is never possible.
+    */
+    sqlite3VdbeAddOp(v, OP_MemLoad, iMem, 0);
+    addr = sqlite3VdbeAddOp(v, OP_IfNot, 0, 0);
+    sqlite3VdbeAddOp(v, OP_NewRowid, iStatCur, 0);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, pTab->zName, 0);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, pIdx->zName, 0);
+    sqlite3VdbeAddOp(v, OP_MemLoad, iMem, 0);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, " ", 0);
+    for(i=0; i<nCol; i++){
+      sqlite3VdbeAddOp(v, OP_MemLoad, iMem, 0);
+      sqlite3VdbeAddOp(v, OP_MemLoad, iMem+i+1, 0);
+      sqlite3VdbeAddOp(v, OP_Add, 0, 0);
+      sqlite3VdbeAddOp(v, OP_AddImm, -1, 0);
+      sqlite3VdbeAddOp(v, OP_MemLoad, iMem+i+1, 0);
+      sqlite3VdbeAddOp(v, OP_Divide, 0, 0);
+      sqlite3VdbeAddOp(v, OP_ToInt, 0, 0);
+      if( i==nCol-1 ){
+        sqlite3VdbeAddOp(v, OP_Concat, nCol*2-1, 0);
+      }else{
+        sqlite3VdbeAddOp(v, OP_Dup, 1, 0);
+      }
+    }
+    sqlite3VdbeOp3(v, OP_MakeRecord, 3, 0, "aaa", 0);
+    sqlite3VdbeAddOp(v, OP_Insert, iStatCur, OPFLAG_APPEND);
+    sqlite3VdbeJumpHere(v, addr);
+  }
+}
+
+/*
+** Generate code that will cause the most recent index analysis to
+** be laoded into internal hash tables where is can be used.
+*/
+static void loadAnalysis(Parse *pParse, int iDb){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  sqlite3VdbeAddOp(v, OP_LoadAnalysis, iDb, 0);
+}
+
+/*
+** Generate code that will do an analysis of an entire database
+*/
+static void analyzeDatabase(Parse *pParse, int iDb){
+  sqlite3 *db = pParse->db;
+  Schema *pSchema = db->aDb[iDb].pSchema;    /* Schema of database iDb */
+  HashElem *k;
+  int iStatCur;
+  int iMem;
+
+  sqlite3BeginWriteOperation(pParse, 0, iDb);
+  iStatCur = pParse->nTab++;
+  openStatTable(pParse, iDb, iStatCur, 0);
+  iMem = pParse->nMem;
+  for(k=sqliteHashFirst(&pSchema->tblHash); k; k=sqliteHashNext(k)){
+    Table *pTab = (Table*)sqliteHashData(k);
+    analyzeOneTable(pParse, pTab, iStatCur, iMem);
+  }
+  loadAnalysis(pParse, iDb);
+}
+
+/*
+** Generate code that will do an analysis of a single table in
+** a database.
+*/
+static void analyzeTable(Parse *pParse, Table *pTab){
+  int iDb;
+  int iStatCur;
+
+  assert( pTab!=0 );
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  sqlite3BeginWriteOperation(pParse, 0, iDb);
+  iStatCur = pParse->nTab++;
+  openStatTable(pParse, iDb, iStatCur, pTab->zName);
+  analyzeOneTable(pParse, pTab, iStatCur, pParse->nMem);
+  loadAnalysis(pParse, iDb);
+}
+
+/*
+** Generate code for the ANALYZE command.  The parser calls this routine
+** when it recognizes an ANALYZE command.
+**
+**        ANALYZE                            -- 1
+**        ANALYZE  <database>                -- 2
+**        ANALYZE  ?<database>.?<tablename>  -- 3
+**
+** Form 1 causes all indices in all attached databases to be analyzed.
+** Form 2 analyzes all indices the single database named.
+** Form 3 analyzes all indices associated with the named table.
+*/
+void sqlite3Analyze(Parse *pParse, Token *pName1, Token *pName2){
+  sqlite3 *db = pParse->db;
+  int iDb;
+  int i;
+  char *z, *zDb;
+  Table *pTab;
+  Token *pTableName;
+
+  /* Read the database schema. If an error occurs, leave an error message
+  ** and code in pParse and return NULL. */
+  if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+    return;
+  }
+
+  if( pName1==0 ){
+    /* Form 1:  Analyze everything */
+    for(i=0; i<db->nDb; i++){
+      if( i==1 ) continue;  /* Do not analyze the TEMP database */
+      analyzeDatabase(pParse, i);
+    }
+  }else if( pName2==0 || pName2->n==0 ){
+    /* Form 2:  Analyze the database or table named */
+    iDb = sqlite3FindDb(db, pName1);
+    if( iDb>=0 ){
+      analyzeDatabase(pParse, iDb);
+    }else{
+      z = sqlite3NameFromToken(pName1);
+      pTab = sqlite3LocateTable(pParse, z, 0);
+      sqliteFree(z);
+      if( pTab ){
+        analyzeTable(pParse, pTab);
+      }
+    }
+  }else{
+    /* Form 3: Analyze the fully qualified table name */
+    iDb = sqlite3TwoPartName(pParse, pName1, pName2, &pTableName);
+    if( iDb>=0 ){
+      zDb = db->aDb[iDb].zName;
+      z = sqlite3NameFromToken(pTableName);
+      pTab = sqlite3LocateTable(pParse, z, zDb);
+      sqliteFree(z);
+      if( pTab ){
+        analyzeTable(pParse, pTab);
+      }
+    }   
+  }
+}
+
+/*
+** Used to pass information from the analyzer reader through to the
+** callback routine.
+*/
+typedef struct analysisInfo analysisInfo;
+struct analysisInfo {
+  sqlite3 *db;
+  const char *zDatabase;
+};
+
+/*
+** This callback is invoked once for each index when reading the
+** sqlite_stat1 table.  
+**
+**     argv[0] = name of the index
+**     argv[1] = results of analysis - on integer for each column
+*/
+static int analysisLoader(void *pData, int argc, char **argv, char **azNotUsed){
+  analysisInfo *pInfo = (analysisInfo*)pData;
+  Index *pIndex;
+  int i, c;
+  unsigned int v;
+  const char *z;
+
+  assert( argc==2 );
+  if( argv==0 || argv[0]==0 || argv[1]==0 ){
+    return 0;
+  }
+  pIndex = sqlite3FindIndex(pInfo->db, argv[0], pInfo->zDatabase);
+  if( pIndex==0 ){
+    return 0;
+  }
+  z = argv[1];
+  for(i=0; *z && i<=pIndex->nColumn; i++){
+    v = 0;
+    while( (c=z[0])>='0' && c<='9' ){
+      v = v*10 + c - '0';
+      z++;
+    }
+    pIndex->aiRowEst[i] = v;
+    if( *z==' ' ) z++;
+  }
+  return 0;
+}
+
+/*
+** Load the content of the sqlite_stat1 table into the index hash tables.
+*/
+void sqlite3AnalysisLoad(sqlite3 *db, int iDb){
+  analysisInfo sInfo;
+  HashElem *i;
+  char *zSql;
+
+  /* Clear any prior statistics */
+  for(i=sqliteHashFirst(&db->aDb[iDb].pSchema->idxHash);i;i=sqliteHashNext(i)){
+    Index *pIdx = sqliteHashData(i);
+    sqlite3DefaultRowEst(pIdx);
+  }
+
+  /* Check to make sure the sqlite_stat1 table existss */
+  sInfo.db = db;
+  sInfo.zDatabase = db->aDb[iDb].zName;
+  if( sqlite3FindTable(db, "sqlite_stat1", sInfo.zDatabase)==0 ){
+     return;
+  }
+
+
+  /* Load new statistics out of the sqlite_stat1 table */
+  zSql = sqlite3MPrintf("SELECT idx, stat FROM %Q.sqlite_stat1",
+                        sInfo.zDatabase);
+  sqlite3SafetyOff(db);
+  sqlite3_exec(db, zSql, analysisLoader, &sInfo, 0);
+  sqlite3SafetyOn(db);
+  sqliteFree(zSql);
+}
+
+
+#endif /* SQLITE_OMIT_ANALYZE */
+
+/************** End of analyze.c *********************************************/
+/************** Begin file attach.c ******************************************/
+/*
+** 2003 April 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to implement the ATTACH and DETACH commands.
+**
+** $Id$
+*/
+
+#ifndef SQLITE_OMIT_ATTACH
+/*
+** Resolve an expression that was part of an ATTACH or DETACH statement. This
+** is slightly different from resolving a normal SQL expression, because simple
+** identifiers are treated as strings, not possible column names or aliases.
+**
+** i.e. if the parser sees:
+**
+**     ATTACH DATABASE abc AS def
+**
+** it treats the two expressions as literal strings 'abc' and 'def' instead of
+** looking for columns of the same name.
+**
+** This only applies to the root node of pExpr, so the statement:
+**
+**     ATTACH DATABASE abc||def AS 'db2'
+**
+** will fail because neither abc or def can be resolved.
+*/
+static int resolveAttachExpr(NameContext *pName, Expr *pExpr)
+{
+  int rc = SQLITE_OK;
+  if( pExpr ){
+    if( pExpr->op!=TK_ID ){
+      rc = sqlite3ExprResolveNames(pName, pExpr);
+    }else{
+      pExpr->op = TK_STRING;
+    }
+  }
+  return rc;
+}
+
+/*
+** An SQL user-function registered to do the work of an ATTACH statement. The
+** three arguments to the function come directly from an attach statement:
+**
+**     ATTACH DATABASE x AS y KEY z
+**
+**     SELECT sqlite_attach(x, y, z)
+**
+** If the optional "KEY z" syntax is omitted, an SQL NULL is passed as the
+** third argument.
+*/
+static void attachFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int i;
+  int rc = 0;
+  sqlite3 *db = sqlite3_user_data(context);
+  const char *zName;
+  const char *zFile;
+  Db *aNew;
+  char zErr[128];
+  char *zErrDyn = 0;
+
+  zFile = (const char *)sqlite3_value_text(argv[0]);
+  zName = (const char *)sqlite3_value_text(argv[1]);
+  if( zFile==0 ) zFile = "";
+  if( zName==0 ) zName = "";
+
+  /* Check for the following errors:
+  **
+  **     * Too many attached databases,
+  **     * Transaction currently open
+  **     * Specified database name already being used.
+  */
+  if( db->nDb>=MAX_ATTACHED+2 ){
+    sqlite3_snprintf(
+      sizeof(zErr), zErr, "too many attached databases - max %d", MAX_ATTACHED
+    );
+    goto attach_error;
+  }
+  if( !db->autoCommit ){
+    strcpy(zErr, "cannot ATTACH database within transaction");
+    goto attach_error;
+  }
+  for(i=0; i<db->nDb; i++){
+    char *z = db->aDb[i].zName;
+    if( z && zName && sqlite3StrICmp(z, zName)==0 ){
+      sqlite3_snprintf(sizeof(zErr), zErr, "database %s is already in use", zName);
+      goto attach_error;
+    }
+  }
+
+  /* Allocate the new entry in the db->aDb[] array and initialise the schema
+  ** hash tables.
+  */
+  if( db->aDb==db->aDbStatic ){
+    aNew = sqliteMalloc( sizeof(db->aDb[0])*3 );
+    if( aNew==0 ){
+      return;
+    }
+    memcpy(aNew, db->aDb, sizeof(db->aDb[0])*2);
+  }else{
+    aNew = sqliteRealloc(db->aDb, sizeof(db->aDb[0])*(db->nDb+1) );
+    if( aNew==0 ){
+      return;
+    } 
+  }
+  db->aDb = aNew;
+  aNew = &db->aDb[db->nDb++];
+  memset(aNew, 0, sizeof(*aNew));
+
+  /* Open the database file. If the btree is successfully opened, use
+  ** it to obtain the database schema. At this point the schema may
+  ** or may not be initialised.
+  */
+  rc = sqlite3BtreeFactory(db, zFile, 0, MAX_PAGES, &aNew->pBt);
+  if( rc==SQLITE_OK ){
+    aNew->pSchema = sqlite3SchemaGet(aNew->pBt);
+    if( !aNew->pSchema ){
+      rc = SQLITE_NOMEM;
+    }else if( aNew->pSchema->file_format && aNew->pSchema->enc!=ENC(db) ){
+      strcpy(zErr, 
+        "attached databases must use the same text encoding as main database");
+      goto attach_error;
+    }
+    sqlite3PagerLockingMode(sqlite3BtreePager(aNew->pBt), db->dfltLockMode);
+  }
+  aNew->zName = sqliteStrDup(zName);
+  aNew->safety_level = 3;
+
+#if SQLITE_HAS_CODEC
+  {
+    extern int sqlite3CodecAttach(sqlite3*, int, const void*, int);
+    extern void sqlite3CodecGetKey(sqlite3*, int, void**, int*);
+    int nKey;
+    char *zKey;
+    int t = sqlite3_value_type(argv[2]);
+    switch( t ){
+      case SQLITE_INTEGER:
+      case SQLITE_FLOAT:
+        zErrDyn = sqliteStrDup("Invalid key value");
+        rc = SQLITE_ERROR;
+        break;
+        
+      case SQLITE_TEXT:
+      case SQLITE_BLOB:
+        nKey = sqlite3_value_bytes(argv[2]);
+        zKey = (char *)sqlite3_value_blob(argv[2]);
+        sqlite3CodecAttach(db, db->nDb-1, zKey, nKey);
+        break;
+
+      case SQLITE_NULL:
+        /* No key specified.  Use the key from the main database */
+        sqlite3CodecGetKey(db, 0, (void**)&zKey, &nKey);
+        sqlite3CodecAttach(db, db->nDb-1, zKey, nKey);
+        break;
+    }
+  }
+#endif
+
+  /* If the file was opened successfully, read the schema for the new database.
+  ** If this fails, or if opening the file failed, then close the file and 
+  ** remove the entry from the db->aDb[] array. i.e. put everything back the way
+  ** we found it.
+  */
+  if( rc==SQLITE_OK ){
+    sqlite3SafetyOn(db);
+    rc = sqlite3Init(db, &zErrDyn);
+    sqlite3SafetyOff(db);
+  }
+  if( rc ){
+    int iDb = db->nDb - 1;
+    assert( iDb>=2 );
+    if( db->aDb[iDb].pBt ){
+      sqlite3BtreeClose(db->aDb[iDb].pBt);
+      db->aDb[iDb].pBt = 0;
+      db->aDb[iDb].pSchema = 0;
+    }
+    sqlite3ResetInternalSchema(db, 0);
+    db->nDb = iDb;
+    if( rc==SQLITE_NOMEM ){
+      sqlite3FailedMalloc();
+      sqlite3_snprintf(sizeof(zErr),zErr, "out of memory");
+    }else{
+      sqlite3_snprintf(sizeof(zErr),zErr, "unable to open database: %s", zFile);
+    }
+    goto attach_error;
+  }
+  
+  return;
+
+attach_error:
+  /* Return an error if we get here */
+  if( zErrDyn ){
+    sqlite3_result_error(context, zErrDyn, -1);
+    sqliteFree(zErrDyn);
+  }else{
+    zErr[sizeof(zErr)-1] = 0;
+    sqlite3_result_error(context, zErr, -1);
+  }
+}
+
+/*
+** An SQL user-function registered to do the work of an DETACH statement. The
+** three arguments to the function come directly from a detach statement:
+**
+**     DETACH DATABASE x
+**
+**     SELECT sqlite_detach(x)
+*/
+static void detachFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  const char *zName = (const char *)sqlite3_value_text(argv[0]);
+  sqlite3 *db = sqlite3_user_data(context);
+  int i;
+  Db *pDb = 0;
+  char zErr[128];
+
+  if( zName==0 ) zName = "";
+  for(i=0; i<db->nDb; i++){
+    pDb = &db->aDb[i];
+    if( pDb->pBt==0 ) continue;
+    if( sqlite3StrICmp(pDb->zName, zName)==0 ) break;
+  }
+
+  if( i>=db->nDb ){
+    sqlite3_snprintf(sizeof(zErr),zErr, "no such database: %s", zName);
+    goto detach_error;
+  }
+  if( i<2 ){
+    sqlite3_snprintf(sizeof(zErr),zErr, "cannot detach database %s", zName);
+    goto detach_error;
+  }
+  if( !db->autoCommit ){
+    strcpy(zErr, "cannot DETACH database within transaction");
+    goto detach_error;
+  }
+  if( sqlite3BtreeIsInReadTrans(pDb->pBt) ){
+    sqlite3_snprintf(sizeof(zErr),zErr, "database %s is locked", zName);
+    goto detach_error;
+  }
+
+  sqlite3BtreeClose(pDb->pBt);
+  pDb->pBt = 0;
+  pDb->pSchema = 0;
+  sqlite3ResetInternalSchema(db, 0);
+  return;
+
+detach_error:
+  sqlite3_result_error(context, zErr, -1);
+}
+
+/*
+** This procedure generates VDBE code for a single invocation of either the
+** sqlite_detach() or sqlite_attach() SQL user functions.
+*/
+static void codeAttach(
+  Parse *pParse,       /* The parser context */
+  int type,            /* Either SQLITE_ATTACH or SQLITE_DETACH */
+  const char *zFunc,   /* Either "sqlite_attach" or "sqlite_detach */
+  int nFunc,           /* Number of args to pass to zFunc */
+  Expr *pAuthArg,      /* Expression to pass to authorization callback */
+  Expr *pFilename,     /* Name of database file */
+  Expr *pDbname,       /* Name of the database to use internally */
+  Expr *pKey           /* Database key for encryption extension */
+){
+  int rc;
+  NameContext sName;
+  Vdbe *v;
+  FuncDef *pFunc;
+  sqlite3* db = pParse->db;
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  assert( sqlite3MallocFailed() || pAuthArg );
+  if( pAuthArg ){
+    char *zAuthArg = sqlite3NameFromToken(&pAuthArg->span);
+    if( !zAuthArg ){
+      goto attach_end;
+    }
+    rc = sqlite3AuthCheck(pParse, type, zAuthArg, 0, 0);
+    sqliteFree(zAuthArg);
+    if(rc!=SQLITE_OK ){
+      goto attach_end;
+    }
+  }
+#endif /* SQLITE_OMIT_AUTHORIZATION */
+
+  memset(&sName, 0, sizeof(NameContext));
+  sName.pParse = pParse;
+
+  if( 
+      SQLITE_OK!=(rc = resolveAttachExpr(&sName, pFilename)) ||
+      SQLITE_OK!=(rc = resolveAttachExpr(&sName, pDbname)) ||
+      SQLITE_OK!=(rc = resolveAttachExpr(&sName, pKey))
+  ){
+    pParse->nErr++;
+    goto attach_end;
+  }
+
+  v = sqlite3GetVdbe(pParse);
+  sqlite3ExprCode(pParse, pFilename);
+  sqlite3ExprCode(pParse, pDbname);
+  sqlite3ExprCode(pParse, pKey);
+
+  assert( v || sqlite3MallocFailed() );
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_Function, 0, nFunc);
+    pFunc = sqlite3FindFunction(db, zFunc, strlen(zFunc), nFunc, SQLITE_UTF8,0);
+    sqlite3VdbeChangeP3(v, -1, (char *)pFunc, P3_FUNCDEF);
+
+    /* Code an OP_Expire. For an ATTACH statement, set P1 to true (expire this
+    ** statement only). For DETACH, set it to false (expire all existing
+    ** statements).
+    */
+    sqlite3VdbeAddOp(v, OP_Expire, (type==SQLITE_ATTACH), 0);
+  }
+  
+attach_end:
+  sqlite3ExprDelete(pFilename);
+  sqlite3ExprDelete(pDbname);
+  sqlite3ExprDelete(pKey);
+}
+
+/*
+** Called by the parser to compile a DETACH statement.
+**
+**     DETACH pDbname
+*/
+void sqlite3Detach(Parse *pParse, Expr *pDbname){
+  codeAttach(pParse, SQLITE_DETACH, "sqlite_detach", 1, pDbname, 0, 0, pDbname);
+}
+
+/*
+** Called by the parser to compile an ATTACH statement.
+**
+**     ATTACH p AS pDbname KEY pKey
+*/
+void sqlite3Attach(Parse *pParse, Expr *p, Expr *pDbname, Expr *pKey){
+  codeAttach(pParse, SQLITE_ATTACH, "sqlite_attach", 3, p, p, pDbname, pKey);
+}
+#endif /* SQLITE_OMIT_ATTACH */
+
+/*
+** Register the functions sqlite_attach and sqlite_detach.
+*/
+void sqlite3AttachFunctions(sqlite3 *db){
+#ifndef SQLITE_OMIT_ATTACH
+  static const int enc = SQLITE_UTF8;
+  sqlite3CreateFunc(db, "sqlite_attach", 3, enc, db, attachFunc, 0, 0);
+  sqlite3CreateFunc(db, "sqlite_detach", 1, enc, db, detachFunc, 0, 0);
+#endif
+}
+
+/*
+** Initialize a DbFixer structure.  This routine must be called prior
+** to passing the structure to one of the sqliteFixAAAA() routines below.
+**
+** The return value indicates whether or not fixation is required.  TRUE
+** means we do need to fix the database references, FALSE means we do not.
+*/
+int sqlite3FixInit(
+  DbFixer *pFix,      /* The fixer to be initialized */
+  Parse *pParse,      /* Error messages will be written here */
+  int iDb,            /* This is the database that must be used */
+  const char *zType,  /* "view", "trigger", or "index" */
+  const Token *pName  /* Name of the view, trigger, or index */
+){
+  sqlite3 *db;
+
+  if( iDb<0 || iDb==1 ) return 0;
+  db = pParse->db;
+  assert( db->nDb>iDb );
+  pFix->pParse = pParse;
+  pFix->zDb = db->aDb[iDb].zName;
+  pFix->zType = zType;
+  pFix->pName = pName;
+  return 1;
+}
+
+/*
+** The following set of routines walk through the parse tree and assign
+** a specific database to all table references where the database name
+** was left unspecified in the original SQL statement.  The pFix structure
+** must have been initialized by a prior call to sqlite3FixInit().
+**
+** These routines are used to make sure that an index, trigger, or
+** view in one database does not refer to objects in a different database.
+** (Exception: indices, triggers, and views in the TEMP database are
+** allowed to refer to anything.)  If a reference is explicitly made
+** to an object in a different database, an error message is added to
+** pParse->zErrMsg and these routines return non-zero.  If everything
+** checks out, these routines return 0.
+*/
+int sqlite3FixSrcList(
+  DbFixer *pFix,       /* Context of the fixation */
+  SrcList *pList       /* The Source list to check and modify */
+){
+  int i;
+  const char *zDb;
+  struct SrcList_item *pItem;
+
+  if( pList==0 ) return 0;
+  zDb = pFix->zDb;
+  for(i=0, pItem=pList->a; i<pList->nSrc; i++, pItem++){
+    if( pItem->zDatabase==0 ){
+      pItem->zDatabase = sqliteStrDup(zDb);
+    }else if( sqlite3StrICmp(pItem->zDatabase,zDb)!=0 ){
+      sqlite3ErrorMsg(pFix->pParse,
+         "%s %T cannot reference objects in database %s",
+         pFix->zType, pFix->pName, pItem->zDatabase);
+      return 1;
+    }
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER)
+    if( sqlite3FixSelect(pFix, pItem->pSelect) ) return 1;
+    if( sqlite3FixExpr(pFix, pItem->pOn) ) return 1;
+#endif
+  }
+  return 0;
+}
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER)
+int sqlite3FixSelect(
+  DbFixer *pFix,       /* Context of the fixation */
+  Select *pSelect      /* The SELECT statement to be fixed to one database */
+){
+  while( pSelect ){
+    if( sqlite3FixExprList(pFix, pSelect->pEList) ){
+      return 1;
+    }
+    if( sqlite3FixSrcList(pFix, pSelect->pSrc) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pWhere) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pHaving) ){
+      return 1;
+    }
+    pSelect = pSelect->pPrior;
+  }
+  return 0;
+}
+int sqlite3FixExpr(
+  DbFixer *pFix,     /* Context of the fixation */
+  Expr *pExpr        /* The expression to be fixed to one database */
+){
+  while( pExpr ){
+    if( sqlite3FixSelect(pFix, pExpr->pSelect) ){
+      return 1;
+    }
+    if( sqlite3FixExprList(pFix, pExpr->pList) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pExpr->pRight) ){
+      return 1;
+    }
+    pExpr = pExpr->pLeft;
+  }
+  return 0;
+}
+int sqlite3FixExprList(
+  DbFixer *pFix,     /* Context of the fixation */
+  ExprList *pList    /* The expression to be fixed to one database */
+){
+  int i;
+  struct ExprList_item *pItem;
+  if( pList==0 ) return 0;
+  for(i=0, pItem=pList->a; i<pList->nExpr; i++, pItem++){
+    if( sqlite3FixExpr(pFix, pItem->pExpr) ){
+      return 1;
+    }
+  }
+  return 0;
+}
+#endif
+
+#ifndef SQLITE_OMIT_TRIGGER
+int sqlite3FixTriggerStep(
+  DbFixer *pFix,     /* Context of the fixation */
+  TriggerStep *pStep /* The trigger step be fixed to one database */
+){
+  while( pStep ){
+    if( sqlite3FixSelect(pFix, pStep->pSelect) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pStep->pWhere) ){
+      return 1;
+    }
+    if( sqlite3FixExprList(pFix, pStep->pExprList) ){
+      return 1;
+    }
+    pStep = pStep->pNext;
+  }
+  return 0;
+}
+#endif
+
+/************** End of attach.c **********************************************/
+/************** Begin file auth.c ********************************************/
+/*
+** 2003 January 11
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to implement the sqlite3_set_authorizer()
+** API.  This facility is an optional feature of the library.  Embedded
+** systems that do not need this facility may omit it by recompiling
+** the library with -DSQLITE_OMIT_AUTHORIZATION=1
+**
+** $Id$
+*/
+
+/*
+** All of the code in this file may be omitted by defining a single
+** macro.
+*/
+#ifndef SQLITE_OMIT_AUTHORIZATION
+
+/*
+** Set or clear the access authorization function.
+**
+** The access authorization function is be called during the compilation
+** phase to verify that the user has read and/or write access permission on
+** various fields of the database.  The first argument to the auth function
+** is a copy of the 3rd argument to this routine.  The second argument
+** to the auth function is one of these constants:
+**
+**       SQLITE_CREATE_INDEX
+**       SQLITE_CREATE_TABLE
+**       SQLITE_CREATE_TEMP_INDEX
+**       SQLITE_CREATE_TEMP_TABLE
+**       SQLITE_CREATE_TEMP_TRIGGER
+**       SQLITE_CREATE_TEMP_VIEW
+**       SQLITE_CREATE_TRIGGER
+**       SQLITE_CREATE_VIEW
+**       SQLITE_DELETE
+**       SQLITE_DROP_INDEX
+**       SQLITE_DROP_TABLE
+**       SQLITE_DROP_TEMP_INDEX
+**       SQLITE_DROP_TEMP_TABLE
+**       SQLITE_DROP_TEMP_TRIGGER
+**       SQLITE_DROP_TEMP_VIEW
+**       SQLITE_DROP_TRIGGER
+**       SQLITE_DROP_VIEW
+**       SQLITE_INSERT
+**       SQLITE_PRAGMA
+**       SQLITE_READ
+**       SQLITE_SELECT
+**       SQLITE_TRANSACTION
+**       SQLITE_UPDATE
+**
+** The third and fourth arguments to the auth function are the name of
+** the table and the column that are being accessed.  The auth function
+** should return either SQLITE_OK, SQLITE_DENY, or SQLITE_IGNORE.  If
+** SQLITE_OK is returned, it means that access is allowed.  SQLITE_DENY
+** means that the SQL statement will never-run - the sqlite3_exec() call
+** will return with an error.  SQLITE_IGNORE means that the SQL statement
+** should run but attempts to read the specified column will return NULL
+** and attempts to write the column will be ignored.
+**
+** Setting the auth function to NULL disables this hook.  The default
+** setting of the auth function is NULL.
+*/
+int sqlite3_set_authorizer(
+  sqlite3 *db,
+  int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
+  void *pArg
+){
+  db->xAuth = xAuth;
+  db->pAuthArg = pArg;
+  sqlite3ExpirePreparedStatements(db);
+  return SQLITE_OK;
+}
+
+/*
+** Write an error message into pParse->zErrMsg that explains that the
+** user-supplied authorization function returned an illegal value.
+*/
+static void sqliteAuthBadReturnCode(Parse *pParse, int rc){
+  sqlite3ErrorMsg(pParse, "illegal return value (%d) from the "
+    "authorization function - should be SQLITE_OK, SQLITE_IGNORE, "
+    "or SQLITE_DENY", rc);
+  pParse->rc = SQLITE_ERROR;
+}
+
+/*
+** The pExpr should be a TK_COLUMN expression.  The table referred to
+** is in pTabList or else it is the NEW or OLD table of a trigger.  
+** Check to see if it is OK to read this particular column.
+**
+** If the auth function returns SQLITE_IGNORE, change the TK_COLUMN 
+** instruction into a TK_NULL.  If the auth function returns SQLITE_DENY,
+** then generate an error.
+*/
+void sqlite3AuthRead(
+  Parse *pParse,        /* The parser context */
+  Expr *pExpr,          /* The expression to check authorization on */
+  SrcList *pTabList     /* All table that pExpr might refer to */
+){
+  sqlite3 *db = pParse->db;
+  int rc;
+  Table *pTab;          /* The table being read */
+  const char *zCol;     /* Name of the column of the table */
+  int iSrc;             /* Index in pTabList->a[] of table being read */
+  const char *zDBase;   /* Name of database being accessed */
+  TriggerStack *pStack; /* The stack of current triggers */
+  int iDb;              /* The index of the database the expression refers to */
+
+  if( db->xAuth==0 ) return;
+  if( pExpr->op==TK_AS ) return;
+  assert( pExpr->op==TK_COLUMN );
+  iDb = sqlite3SchemaToIndex(pParse->db, pExpr->pSchema);
+  if( iDb<0 ){
+    /* An attempt to read a column out of a subquery or other
+    ** temporary table. */
+    return;
+  }
+  for(iSrc=0; pTabList && iSrc<pTabList->nSrc; iSrc++){
+    if( pExpr->iTable==pTabList->a[iSrc].iCursor ) break;
+  }
+  if( iSrc>=0 && pTabList && iSrc<pTabList->nSrc ){
+    pTab = pTabList->a[iSrc].pTab;
+  }else if( (pStack = pParse->trigStack)!=0 ){
+    /* This must be an attempt to read the NEW or OLD pseudo-tables
+    ** of a trigger.
+    */
+    assert( pExpr->iTable==pStack->newIdx || pExpr->iTable==pStack->oldIdx );
+    pTab = pStack->pTab;
+  }else{
+    return;
+  }
+  if( pTab==0 ) return;
+  if( pExpr->iColumn>=0 ){
+    assert( pExpr->iColumn<pTab->nCol );
+    zCol = pTab->aCol[pExpr->iColumn].zName;
+  }else if( pTab->iPKey>=0 ){
+    assert( pTab->iPKey<pTab->nCol );
+    zCol = pTab->aCol[pTab->iPKey].zName;
+  }else{
+    zCol = "ROWID";
+  }
+  assert( iDb>=0 && iDb<db->nDb );
+  zDBase = db->aDb[iDb].zName;
+  rc = db->xAuth(db->pAuthArg, SQLITE_READ, pTab->zName, zCol, zDBase, 
+                 pParse->zAuthContext);
+  if( rc==SQLITE_IGNORE ){
+    pExpr->op = TK_NULL;
+  }else if( rc==SQLITE_DENY ){
+    if( db->nDb>2 || iDb!=0 ){
+      sqlite3ErrorMsg(pParse, "access to %s.%s.%s is prohibited", 
+         zDBase, pTab->zName, zCol);
+    }else{
+      sqlite3ErrorMsg(pParse, "access to %s.%s is prohibited",pTab->zName,zCol);
+    }
+    pParse->rc = SQLITE_AUTH;
+  }else if( rc!=SQLITE_OK ){
+    sqliteAuthBadReturnCode(pParse, rc);
+  }
+}
+
+/*
+** Do an authorization check using the code and arguments given.  Return
+** either SQLITE_OK (zero) or SQLITE_IGNORE or SQLITE_DENY.  If SQLITE_DENY
+** is returned, then the error count and error message in pParse are
+** modified appropriately.
+*/
+int sqlite3AuthCheck(
+  Parse *pParse,
+  int code,
+  const char *zArg1,
+  const char *zArg2,
+  const char *zArg3
+){
+  sqlite3 *db = pParse->db;
+  int rc;
+
+  /* Don't do any authorization checks if the database is initialising
+  ** or if the parser is being invoked from within sqlite3_declare_vtab.
+  */
+  if( db->init.busy || IN_DECLARE_VTAB ){
+    return SQLITE_OK;
+  }
+
+  if( db->xAuth==0 ){
+    return SQLITE_OK;
+  }
+  rc = db->xAuth(db->pAuthArg, code, zArg1, zArg2, zArg3, pParse->zAuthContext);
+  if( rc==SQLITE_DENY ){
+    sqlite3ErrorMsg(pParse, "not authorized");
+    pParse->rc = SQLITE_AUTH;
+  }else if( rc!=SQLITE_OK && rc!=SQLITE_IGNORE ){
+    rc = SQLITE_DENY;
+    sqliteAuthBadReturnCode(pParse, rc);
+  }
+  return rc;
+}
+
+/*
+** Push an authorization context.  After this routine is called, the
+** zArg3 argument to authorization callbacks will be zContext until
+** popped.  Or if pParse==0, this routine is a no-op.
+*/
+void sqlite3AuthContextPush(
+  Parse *pParse,
+  AuthContext *pContext, 
+  const char *zContext
+){
+  pContext->pParse = pParse;
+  if( pParse ){
+    pContext->zAuthContext = pParse->zAuthContext;
+    pParse->zAuthContext = zContext;
+  }
+}
+
+/*
+** Pop an authorization context that was previously pushed
+** by sqlite3AuthContextPush
+*/
+void sqlite3AuthContextPop(AuthContext *pContext){
+  if( pContext->pParse ){
+    pContext->pParse->zAuthContext = pContext->zAuthContext;
+    pContext->pParse = 0;
+  }
+}
+
+#endif /* SQLITE_OMIT_AUTHORIZATION */
+
+/************** End of auth.c ************************************************/
+/************** Begin file build.c *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that are called by the SQLite parser
+** when syntax rules are reduced.  The routines in this file handle the
+** following kinds of SQL syntax:
+**
+**     CREATE TABLE
+**     DROP TABLE
+**     CREATE INDEX
+**     DROP INDEX
+**     creating ID lists
+**     BEGIN TRANSACTION
+**     COMMIT
+**     ROLLBACK
+**
+** $Id$
+*/
+
+/*
+** This routine is called when a new SQL statement is beginning to
+** be parsed.  Initialize the pParse structure as needed.
+*/
+void sqlite3BeginParse(Parse *pParse, int explainFlag){
+  pParse->explain = explainFlag;
+  pParse->nVar = 0;
+}
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+/*
+** The TableLock structure is only used by the sqlite3TableLock() and
+** codeTableLocks() functions.
+*/
+struct TableLock {
+  int iDb;             /* The database containing the table to be locked */
+  int iTab;            /* The root page of the table to be locked */
+  u8 isWriteLock;      /* True for write lock.  False for a read lock */
+  const char *zName;   /* Name of the table */
+};
+
+/*
+** Record the fact that we want to lock a table at run-time.  
+**
+** The table to be locked has root page iTab and is found in database iDb.
+** A read or a write lock can be taken depending on isWritelock.
+**
+** This routine just records the fact that the lock is desired.  The
+** code to make the lock occur is generated by a later call to
+** codeTableLocks() which occurs during sqlite3FinishCoding().
+*/
+void sqlite3TableLock(
+  Parse *pParse,     /* Parsing context */
+  int iDb,           /* Index of the database containing the table to lock */
+  int iTab,          /* Root page number of the table to be locked */
+  u8 isWriteLock,    /* True for a write lock */
+  const char *zName  /* Name of the table to be locked */
+){
+  int i;
+  int nBytes;
+  TableLock *p;
+
+  if( 0==sqlite3ThreadDataReadOnly()->useSharedData || iDb<0 ){
+    return;
+  }
+
+  for(i=0; i<pParse->nTableLock; i++){
+    p = &pParse->aTableLock[i];
+    if( p->iDb==iDb && p->iTab==iTab ){
+      p->isWriteLock = (p->isWriteLock || isWriteLock);
+      return;
+    }
+  }
+
+  nBytes = sizeof(TableLock) * (pParse->nTableLock+1);
+  pParse->aTableLock = sqliteReallocOrFree(pParse->aTableLock, nBytes);
+  if( pParse->aTableLock ){
+    p = &pParse->aTableLock[pParse->nTableLock++];
+    p->iDb = iDb;
+    p->iTab = iTab;
+    p->isWriteLock = isWriteLock;
+    p->zName = zName;
+  }
+}
+
+/*
+** Code an OP_TableLock instruction for each table locked by the
+** statement (configured by calls to sqlite3TableLock()).
+*/
+static void codeTableLocks(Parse *pParse){
+  int i;
+  Vdbe *pVdbe; 
+  assert( sqlite3ThreadDataReadOnly()->useSharedData || pParse->nTableLock==0 );
+
+  if( 0==(pVdbe = sqlite3GetVdbe(pParse)) ){
+    return;
+  }
+
+  for(i=0; i<pParse->nTableLock; i++){
+    TableLock *p = &pParse->aTableLock[i];
+    int p1 = p->iDb;
+    if( p->isWriteLock ){
+      p1 = -1*(p1+1);
+    }
+    sqlite3VdbeOp3(pVdbe, OP_TableLock, p1, p->iTab, p->zName, P3_STATIC);
+  }
+}
+#else
+  #define codeTableLocks(x)
+#endif
+
+/*
+** This routine is called after a single SQL statement has been
+** parsed and a VDBE program to execute that statement has been
+** prepared.  This routine puts the finishing touches on the
+** VDBE program and resets the pParse structure for the next
+** parse.
+**
+** Note that if an error occurred, it might be the case that
+** no VDBE code was generated.
+*/
+void sqlite3FinishCoding(Parse *pParse){
+  sqlite3 *db;
+  Vdbe *v;
+
+  if( sqlite3MallocFailed() ) return;
+  if( pParse->nested ) return;
+  if( !pParse->pVdbe ){
+    if( pParse->rc==SQLITE_OK && pParse->nErr ){
+      pParse->rc = SQLITE_ERROR;
+      return;
+    }
+  }
+
+  /* Begin by generating some termination code at the end of the
+  ** vdbe program
+  */
+  db = pParse->db;
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_Halt, 0, 0);
+
+    /* The cookie mask contains one bit for each database file open.
+    ** (Bit 0 is for main, bit 1 is for temp, and so forth.)  Bits are
+    ** set for each database that is used.  Generate code to start a
+    ** transaction on each used database and to verify the schema cookie
+    ** on each used database.
+    */
+    if( pParse->cookieGoto>0 ){
+      u32 mask;
+      int iDb;
+      sqlite3VdbeJumpHere(v, pParse->cookieGoto-1);
+      for(iDb=0, mask=1; iDb<db->nDb; mask<<=1, iDb++){
+        if( (mask & pParse->cookieMask)==0 ) continue;
+        sqlite3VdbeAddOp(v, OP_Transaction, iDb, (mask & pParse->writeMask)!=0);
+        sqlite3VdbeAddOp(v, OP_VerifyCookie, iDb, pParse->cookieValue[iDb]);
+      }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      if( pParse->pVirtualLock ){
+        char *vtab = (char *)pParse->pVirtualLock->pVtab;
+        sqlite3VdbeOp3(v, OP_VBegin, 0, 0, vtab, P3_VTAB);
+      }
+#endif
+
+      /* Once all the cookies have been verified and transactions opened, 
+      ** obtain the required table-locks. This is a no-op unless the 
+      ** shared-cache feature is enabled.
+      */
+      codeTableLocks(pParse);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, pParse->cookieGoto);
+    }
+
+#ifndef SQLITE_OMIT_TRACE
+    /* Add a No-op that contains the complete text of the compiled SQL
+    ** statement as its P3 argument.  This does not change the functionality
+    ** of the program. 
+    **
+    ** This is used to implement sqlite3_trace().
+    */
+    sqlite3VdbeOp3(v, OP_Noop, 0, 0, pParse->zSql, pParse->zTail-pParse->zSql);
+#endif /* SQLITE_OMIT_TRACE */
+  }
+
+
+  /* Get the VDBE program ready for execution
+  */
+  if( v && pParse->nErr==0 && !sqlite3MallocFailed() ){
+    FILE *trace = (db->flags & SQLITE_VdbeTrace)!=0 ? stdout : 0;
+    sqlite3VdbeTrace(v, trace);
+    sqlite3VdbeMakeReady(v, pParse->nVar, pParse->nMem+3,
+                         pParse->nTab+3, pParse->explain);
+    pParse->rc = SQLITE_DONE;
+    pParse->colNamesSet = 0;
+  }else if( pParse->rc==SQLITE_OK ){
+    pParse->rc = SQLITE_ERROR;
+  }
+  pParse->nTab = 0;
+  pParse->nMem = 0;
+  pParse->nSet = 0;
+  pParse->nVar = 0;
+  pParse->cookieMask = 0;
+  pParse->cookieGoto = 0;
+}
+
+/*
+** Run the parser and code generator recursively in order to generate
+** code for the SQL statement given onto the end of the pParse context
+** currently under construction.  When the parser is run recursively
+** this way, the final OP_Halt is not appended and other initialization
+** and finalization steps are omitted because those are handling by the
+** outermost parser.
+**
+** Not everything is nestable.  This facility is designed to permit
+** INSERT, UPDATE, and DELETE operations against SQLITE_MASTER.  Use
+** care if you decide to try to use this routine for some other purposes.
+*/
+void sqlite3NestedParse(Parse *pParse, const char *zFormat, ...){
+  va_list ap;
+  char *zSql;
+# define SAVE_SZ  (sizeof(Parse) - offsetof(Parse,nVar))
+  char saveBuf[SAVE_SZ];
+
+  if( pParse->nErr ) return;
+  assert( pParse->nested<10 );  /* Nesting should only be of limited depth */
+  va_start(ap, zFormat);
+  zSql = sqlite3VMPrintf(zFormat, ap);
+  va_end(ap);
+  if( zSql==0 ){
+    return;   /* A malloc must have failed */
+  }
+  pParse->nested++;
+  memcpy(saveBuf, &pParse->nVar, SAVE_SZ);
+  memset(&pParse->nVar, 0, SAVE_SZ);
+  sqlite3RunParser(pParse, zSql, 0);
+  sqliteFree(zSql);
+  memcpy(&pParse->nVar, saveBuf, SAVE_SZ);
+  pParse->nested--;
+}
+
+/*
+** Locate the in-memory structure that describes a particular database
+** table given the name of that table and (optionally) the name of the
+** database containing the table.  Return NULL if not found.
+**
+** If zDatabase is 0, all databases are searched for the table and the
+** first matching table is returned.  (No checking for duplicate table
+** names is done.)  The search order is TEMP first, then MAIN, then any
+** auxiliary databases added using the ATTACH command.
+**
+** See also sqlite3LocateTable().
+*/
+Table *sqlite3FindTable(sqlite3 *db, const char *zName, const char *zDatabase){
+  Table *p = 0;
+  int i;
+  assert( zName!=0 );
+  for(i=OMIT_TEMPDB; i<db->nDb; i++){
+    int j = (i<2) ? i^1 : i;   /* Search TEMP before MAIN */
+    if( zDatabase!=0 && sqlite3StrICmp(zDatabase, db->aDb[j].zName) ) continue;
+    p = sqlite3HashFind(&db->aDb[j].pSchema->tblHash, zName, strlen(zName)+1);
+    if( p ) break;
+  }
+  return p;
+}
+
+/*
+** Locate the in-memory structure that describes a particular database
+** table given the name of that table and (optionally) the name of the
+** database containing the table.  Return NULL if not found.  Also leave an
+** error message in pParse->zErrMsg.
+**
+** The difference between this routine and sqlite3FindTable() is that this
+** routine leaves an error message in pParse->zErrMsg where
+** sqlite3FindTable() does not.
+*/
+Table *sqlite3LocateTable(Parse *pParse, const char *zName, const char *zDbase){
+  Table *p;
+
+  /* Read the database schema. If an error occurs, leave an error message
+  ** and code in pParse and return NULL. */
+  if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+    return 0;
+  }
+
+  p = sqlite3FindTable(pParse->db, zName, zDbase);
+  if( p==0 ){
+    if( zDbase ){
+      sqlite3ErrorMsg(pParse, "no such table: %s.%s", zDbase, zName);
+    }else{
+      sqlite3ErrorMsg(pParse, "no such table: %s", zName);
+    }
+    pParse->checkSchema = 1;
+  }
+  return p;
+}
+
+/*
+** Locate the in-memory structure that describes 
+** a particular index given the name of that index
+** and the name of the database that contains the index.
+** Return NULL if not found.
+**
+** If zDatabase is 0, all databases are searched for the
+** table and the first matching index is returned.  (No checking
+** for duplicate index names is done.)  The search order is
+** TEMP first, then MAIN, then any auxiliary databases added
+** using the ATTACH command.
+*/
+Index *sqlite3FindIndex(sqlite3 *db, const char *zName, const char *zDb){
+  Index *p = 0;
+  int i;
+  for(i=OMIT_TEMPDB; i<db->nDb; i++){
+    int j = (i<2) ? i^1 : i;  /* Search TEMP before MAIN */
+    Schema *pSchema = db->aDb[j].pSchema;
+    if( zDb && sqlite3StrICmp(zDb, db->aDb[j].zName) ) continue;
+    assert( pSchema || (j==1 && !db->aDb[1].pBt) );
+    if( pSchema ){
+      p = sqlite3HashFind(&pSchema->idxHash, zName, strlen(zName)+1);
+    }
+    if( p ) break;
+  }
+  return p;
+}
+
+/*
+** Reclaim the memory used by an index
+*/
+static void freeIndex(Index *p){
+  sqliteFree(p->zColAff);
+  sqliteFree(p);
+}
+
+/*
+** Remove the given index from the index hash table, and free
+** its memory structures.
+**
+** The index is removed from the database hash tables but
+** it is not unlinked from the Table that it indexes.
+** Unlinking from the Table must be done by the calling function.
+*/
+static void sqliteDeleteIndex(Index *p){
+  Index *pOld;
+  const char *zName = p->zName;
+
+  pOld = sqlite3HashInsert(&p->pSchema->idxHash, zName, strlen( zName)+1, 0);
+  assert( pOld==0 || pOld==p );
+  freeIndex(p);
+}
+
+/*
+** For the index called zIdxName which is found in the database iDb,
+** unlike that index from its Table then remove the index from
+** the index hash table and free all memory structures associated
+** with the index.
+*/
+void sqlite3UnlinkAndDeleteIndex(sqlite3 *db, int iDb, const char *zIdxName){
+  Index *pIndex;
+  int len;
+  Hash *pHash = &db->aDb[iDb].pSchema->idxHash;
+
+  len = strlen(zIdxName);
+  pIndex = sqlite3HashInsert(pHash, zIdxName, len+1, 0);
+  if( pIndex ){
+    if( pIndex->pTable->pIndex==pIndex ){
+      pIndex->pTable->pIndex = pIndex->pNext;
+    }else{
+      Index *p;
+      for(p=pIndex->pTable->pIndex; p && p->pNext!=pIndex; p=p->pNext){}
+      if( p && p->pNext==pIndex ){
+        p->pNext = pIndex->pNext;
+      }
+    }
+    freeIndex(pIndex);
+  }
+  db->flags |= SQLITE_InternChanges;
+}
+
+/*
+** Erase all schema information from the in-memory hash tables of
+** a single database.  This routine is called to reclaim memory
+** before the database closes.  It is also called during a rollback
+** if there were schema changes during the transaction or if a
+** schema-cookie mismatch occurs.
+**
+** If iDb<=0 then reset the internal schema tables for all database
+** files.  If iDb>=2 then reset the internal schema for only the
+** single file indicated.
+*/
+void sqlite3ResetInternalSchema(sqlite3 *db, int iDb){
+  int i, j;
+
+  assert( iDb>=0 && iDb<db->nDb );
+  for(i=iDb; i<db->nDb; i++){
+    Db *pDb = &db->aDb[i];
+    if( pDb->pSchema ){
+      sqlite3SchemaFree(pDb->pSchema);
+    }
+    if( iDb>0 ) return;
+  }
+  assert( iDb==0 );
+  db->flags &= ~SQLITE_InternChanges;
+
+  /* If one or more of the auxiliary database files has been closed,
+  ** then remove them from the auxiliary database list.  We take the
+  ** opportunity to do this here since we have just deleted all of the
+  ** schema hash tables and therefore do not have to make any changes
+  ** to any of those tables.
+  */
+  for(i=0; i<db->nDb; i++){
+    struct Db *pDb = &db->aDb[i];
+    if( pDb->pBt==0 ){
+      if( pDb->pAux && pDb->xFreeAux ) pDb->xFreeAux(pDb->pAux);
+      pDb->pAux = 0;
+    }
+  }
+  for(i=j=2; i<db->nDb; i++){
+    struct Db *pDb = &db->aDb[i];
+    if( pDb->pBt==0 ){
+      sqliteFree(pDb->zName);
+      pDb->zName = 0;
+      continue;
+    }
+    if( j<i ){
+      db->aDb[j] = db->aDb[i];
+    }
+    j++;
+  }
+  memset(&db->aDb[j], 0, (db->nDb-j)*sizeof(db->aDb[j]));
+  db->nDb = j;
+  if( db->nDb<=2 && db->aDb!=db->aDbStatic ){
+    memcpy(db->aDbStatic, db->aDb, 2*sizeof(db->aDb[0]));
+    sqliteFree(db->aDb);
+    db->aDb = db->aDbStatic;
+  }
+}
+
+/*
+** This routine is called when a commit occurs.
+*/
+void sqlite3CommitInternalChanges(sqlite3 *db){
+  db->flags &= ~SQLITE_InternChanges;
+}
+
+/*
+** Clear the column names from a table or view.
+*/
+static void sqliteResetColumnNames(Table *pTable){
+  int i;
+  Column *pCol;
+  assert( pTable!=0 );
+  if( (pCol = pTable->aCol)!=0 ){
+    for(i=0; i<pTable->nCol; i++, pCol++){
+      sqliteFree(pCol->zName);
+      sqlite3ExprDelete(pCol->pDflt);
+      sqliteFree(pCol->zType);
+      sqliteFree(pCol->zColl);
+    }
+    sqliteFree(pTable->aCol);
+  }
+  pTable->aCol = 0;
+  pTable->nCol = 0;
+}
+
+/*
+** Remove the memory data structures associated with the given
+** Table.  No changes are made to disk by this routine.
+**
+** This routine just deletes the data structure.  It does not unlink
+** the table data structure from the hash table.  Nor does it remove
+** foreign keys from the sqlite.aFKey hash table.  But it does destroy
+** memory structures of the indices and foreign keys associated with 
+** the table.
+*/
+void sqlite3DeleteTable(Table *pTable){
+  Index *pIndex, *pNext;
+  FKey *pFKey, *pNextFKey;
+
+  if( pTable==0 ) return;
+
+  /* Do not delete the table until the reference count reaches zero. */
+  pTable->nRef--;
+  if( pTable->nRef>0 ){
+    return;
+  }
+  assert( pTable->nRef==0 );
+
+  /* Delete all indices associated with this table
+  */
+  for(pIndex = pTable->pIndex; pIndex; pIndex=pNext){
+    pNext = pIndex->pNext;
+    assert( pIndex->pSchema==pTable->pSchema );
+    sqliteDeleteIndex(pIndex);
+  }
+
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+  /* Delete all foreign keys associated with this table.  The keys
+  ** should have already been unlinked from the pSchema->aFKey hash table 
+  */
+  for(pFKey=pTable->pFKey; pFKey; pFKey=pNextFKey){
+    pNextFKey = pFKey->pNextFrom;
+    assert( sqlite3HashFind(&pTable->pSchema->aFKey,
+                           pFKey->zTo, strlen(pFKey->zTo)+1)!=pFKey );
+    sqliteFree(pFKey);
+  }
+#endif
+
+  /* Delete the Table structure itself.
+  */
+  sqliteResetColumnNames(pTable);
+  sqliteFree(pTable->zName);
+  sqliteFree(pTable->zColAff);
+  sqlite3SelectDelete(pTable->pSelect);
+#ifndef SQLITE_OMIT_CHECK
+  sqlite3ExprDelete(pTable->pCheck);
+#endif
+  sqlite3VtabClear(pTable);
+  sqliteFree(pTable);
+}
+
+/*
+** Unlink the given table from the hash tables and the delete the
+** table structure with all its indices and foreign keys.
+*/
+void sqlite3UnlinkAndDeleteTable(sqlite3 *db, int iDb, const char *zTabName){
+  Table *p;
+  FKey *pF1, *pF2;
+  Db *pDb;
+
+  assert( db!=0 );
+  assert( iDb>=0 && iDb<db->nDb );
+  assert( zTabName && zTabName[0] );
+  pDb = &db->aDb[iDb];
+  p = sqlite3HashInsert(&pDb->pSchema->tblHash, zTabName, strlen(zTabName)+1,0);
+  if( p ){
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+    for(pF1=p->pFKey; pF1; pF1=pF1->pNextFrom){
+      int nTo = strlen(pF1->zTo) + 1;
+      pF2 = sqlite3HashFind(&pDb->pSchema->aFKey, pF1->zTo, nTo);
+      if( pF2==pF1 ){
+        sqlite3HashInsert(&pDb->pSchema->aFKey, pF1->zTo, nTo, pF1->pNextTo);
+      }else{
+        while( pF2 && pF2->pNextTo!=pF1 ){ pF2=pF2->pNextTo; }
+        if( pF2 ){
+          pF2->pNextTo = pF1->pNextTo;
+        }
+      }
+    }
+#endif
+    sqlite3DeleteTable(p);
+  }
+  db->flags |= SQLITE_InternChanges;
+}
+
+/*
+** Given a token, return a string that consists of the text of that
+** token with any quotations removed.  Space to hold the returned string
+** is obtained from sqliteMalloc() and must be freed by the calling
+** function.
+**
+** Tokens are often just pointers into the original SQL text and so
+** are not \000 terminated and are not persistent.  The returned string
+** is \000 terminated and is persistent.
+*/
+char *sqlite3NameFromToken(Token *pName){
+  char *zName;
+  if( pName ){
+    zName = sqliteStrNDup((char*)pName->z, pName->n);
+    sqlite3Dequote(zName);
+  }else{
+    zName = 0;
+  }
+  return zName;
+}
+
+/*
+** Open the sqlite_master table stored in database number iDb for
+** writing. The table is opened using cursor 0.
+*/
+void sqlite3OpenMasterTable(Parse *p, int iDb){
+  Vdbe *v = sqlite3GetVdbe(p);
+  sqlite3TableLock(p, iDb, MASTER_ROOT, 1, SCHEMA_TABLE(iDb));
+  sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+  sqlite3VdbeAddOp(v, OP_OpenWrite, 0, MASTER_ROOT);
+  sqlite3VdbeAddOp(v, OP_SetNumColumns, 0, 5); /* sqlite_master has 5 columns */
+}
+
+/*
+** The token *pName contains the name of a database (either "main" or
+** "temp" or the name of an attached db). This routine returns the
+** index of the named database in db->aDb[], or -1 if the named db 
+** does not exist.
+*/
+int sqlite3FindDb(sqlite3 *db, Token *pName){
+  int i = -1;    /* Database number */
+  int n;         /* Number of characters in the name */
+  Db *pDb;       /* A database whose name space is being searched */
+  char *zName;   /* Name we are searching for */
+
+  zName = sqlite3NameFromToken(pName);
+  if( zName ){
+    n = strlen(zName);
+    for(i=(db->nDb-1), pDb=&db->aDb[i]; i>=0; i--, pDb--){
+      if( (!OMIT_TEMPDB || i!=1 ) && n==strlen(pDb->zName) && 
+          0==sqlite3StrICmp(pDb->zName, zName) ){
+        break;
+      }
+    }
+    sqliteFree(zName);
+  }
+  return i;
+}
+
+/* The table or view or trigger name is passed to this routine via tokens
+** pName1 and pName2. If the table name was fully qualified, for example:
+**
+** CREATE TABLE xxx.yyy (...);
+** 
+** Then pName1 is set to "xxx" and pName2 "yyy". On the other hand if
+** the table name is not fully qualified, i.e.:
+**
+** CREATE TABLE yyy(...);
+**
+** Then pName1 is set to "yyy" and pName2 is "".
+**
+** This routine sets the *ppUnqual pointer to point at the token (pName1 or
+** pName2) that stores the unqualified table name.  The index of the
+** database "xxx" is returned.
+*/
+int sqlite3TwoPartName(
+  Parse *pParse,      /* Parsing and code generating context */
+  Token *pName1,      /* The "xxx" in the name "xxx.yyy" or "xxx" */
+  Token *pName2,      /* The "yyy" in the name "xxx.yyy" */
+  Token **pUnqual     /* Write the unqualified object name here */
+){
+  int iDb;                    /* Database holding the object */
+  sqlite3 *db = pParse->db;
+
+  if( pName2 && pName2->n>0 ){
+    assert( !db->init.busy );
+    *pUnqual = pName2;
+    iDb = sqlite3FindDb(db, pName1);
+    if( iDb<0 ){
+      sqlite3ErrorMsg(pParse, "unknown database %T", pName1);
+      pParse->nErr++;
+      return -1;
+    }
+  }else{
+    assert( db->init.iDb==0 || db->init.busy );
+    iDb = db->init.iDb;
+    *pUnqual = pName1;
+  }
+  return iDb;
+}
+
+/*
+** This routine is used to check if the UTF-8 string zName is a legal
+** unqualified name for a new schema object (table, index, view or
+** trigger). All names are legal except those that begin with the string
+** "sqlite_" (in upper, lower or mixed case). This portion of the namespace
+** is reserved for internal use.
+*/
+int sqlite3CheckObjectName(Parse *pParse, const char *zName){
+  if( !pParse->db->init.busy && pParse->nested==0 
+          && (pParse->db->flags & SQLITE_WriteSchema)==0
+          && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){
+    sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s", zName);
+    return SQLITE_ERROR;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Begin constructing a new table representation in memory.  This is
+** the first of several action routines that get called in response
+** to a CREATE TABLE statement.  In particular, this routine is called
+** after seeing tokens "CREATE" and "TABLE" and the table name. The isTemp
+** flag is true if the table should be stored in the auxiliary database
+** file instead of in the main database file.  This is normally the case
+** when the "TEMP" or "TEMPORARY" keyword occurs in between
+** CREATE and TABLE.
+**
+** The new table record is initialized and put in pParse->pNewTable.
+** As more of the CREATE TABLE statement is parsed, additional action
+** routines will be called to add more information to this record.
+** At the end of the CREATE TABLE statement, the sqlite3EndTable() routine
+** is called to complete the construction of the new table record.
+*/
+void sqlite3StartTable(
+  Parse *pParse,   /* Parser context */
+  Token *pName1,   /* First part of the name of the table or view */
+  Token *pName2,   /* Second part of the name of the table or view */
+  int isTemp,      /* True if this is a TEMP table */
+  int isView,      /* True if this is a VIEW */
+  int isVirtual,   /* True if this is a VIRTUAL table */
+  int noErr        /* Do nothing if table already exists */
+){
+  Table *pTable;
+  char *zName = 0; /* The name of the new table */
+  sqlite3 *db = pParse->db;
+  Vdbe *v;
+  int iDb;         /* Database number to create the table in */
+  Token *pName;    /* Unqualified name of the table to create */
+
+  /* The table or view name to create is passed to this routine via tokens
+  ** pName1 and pName2. If the table name was fully qualified, for example:
+  **
+  ** CREATE TABLE xxx.yyy (...);
+  ** 
+  ** Then pName1 is set to "xxx" and pName2 "yyy". On the other hand if
+  ** the table name is not fully qualified, i.e.:
+  **
+  ** CREATE TABLE yyy(...);
+  **
+  ** Then pName1 is set to "yyy" and pName2 is "".
+  **
+  ** The call below sets the pName pointer to point at the token (pName1 or
+  ** pName2) that stores the unqualified table name. The variable iDb is
+  ** set to the index of the database that the table or view is to be
+  ** created in.
+  */
+  iDb = sqlite3TwoPartName(pParse, pName1, pName2, &pName);
+  if( iDb<0 ) return;
+  if( !OMIT_TEMPDB && isTemp && iDb>1 ){
+    /* If creating a temp table, the name may not be qualified */
+    sqlite3ErrorMsg(pParse, "temporary table name must be unqualified");
+    return;
+  }
+  if( !OMIT_TEMPDB && isTemp ) iDb = 1;
+
+  pParse->sNameToken = *pName;
+  zName = sqlite3NameFromToken(pName);
+  if( zName==0 ) return;
+  if( SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){
+    goto begin_table_error;
+  }
+  if( db->init.iDb==1 ) isTemp = 1;
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  assert( (isTemp & 1)==isTemp );
+  {
+    int code;
+    char *zDb = db->aDb[iDb].zName;
+    if( sqlite3AuthCheck(pParse, SQLITE_INSERT, SCHEMA_TABLE(isTemp), 0, zDb) ){
+      goto begin_table_error;
+    }
+    if( isView ){
+      if( !OMIT_TEMPDB && isTemp ){
+        code = SQLITE_CREATE_TEMP_VIEW;
+      }else{
+        code = SQLITE_CREATE_VIEW;
+      }
+    }else{
+      if( !OMIT_TEMPDB && isTemp ){
+        code = SQLITE_CREATE_TEMP_TABLE;
+      }else{
+        code = SQLITE_CREATE_TABLE;
+      }
+    }
+    if( !isVirtual && sqlite3AuthCheck(pParse, code, zName, 0, zDb) ){
+      goto begin_table_error;
+    }
+  }
+#endif
+
+  /* Make sure the new table name does not collide with an existing
+  ** index or table name in the same database.  Issue an error message if
+  ** it does. The exception is if the statement being parsed was passed
+  ** to an sqlite3_declare_vtab() call. In that case only the column names
+  ** and types will be used, so there is no need to test for namespace
+  ** collisions.
+  */
+  if( !IN_DECLARE_VTAB ){
+    if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+      goto begin_table_error;
+    }
+    pTable = sqlite3FindTable(db, zName, db->aDb[iDb].zName);
+    if( pTable ){
+      if( !noErr ){
+        sqlite3ErrorMsg(pParse, "table %T already exists", pName);
+      }
+      goto begin_table_error;
+    }
+    if( sqlite3FindIndex(db, zName, 0)!=0 && (iDb==0 || !db->init.busy) ){
+      sqlite3ErrorMsg(pParse, "there is already an index named %s", zName);
+      goto begin_table_error;
+    }
+  }
+
+  pTable = sqliteMalloc( sizeof(Table) );
+  if( pTable==0 ){
+    pParse->rc = SQLITE_NOMEM;
+    pParse->nErr++;
+    goto begin_table_error;
+  }
+  pTable->zName = zName;
+  pTable->iPKey = -1;
+  pTable->pSchema = db->aDb[iDb].pSchema;
+  pTable->nRef = 1;
+  if( pParse->pNewTable ) sqlite3DeleteTable(pParse->pNewTable);
+  pParse->pNewTable = pTable;
+
+  /* If this is the magic sqlite_sequence table used by autoincrement,
+  ** then record a pointer to this table in the main database structure
+  ** so that INSERT can find the table easily.
+  */
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+  if( !pParse->nested && strcmp(zName, "sqlite_sequence")==0 ){
+    pTable->pSchema->pSeqTab = pTable;
+  }
+#endif
+
+  /* Begin generating the code that will insert the table record into
+  ** the SQLITE_MASTER table.  Note in particular that we must go ahead
+  ** and allocate the record number for the table entry now.  Before any
+  ** PRIMARY KEY or UNIQUE keywords are parsed.  Those keywords will cause
+  ** indices to be created and the table record must come before the 
+  ** indices.  Hence, the record number for the table must be allocated
+  ** now.
+  */
+  if( !db->init.busy && (v = sqlite3GetVdbe(pParse))!=0 ){
+    int lbl;
+    int fileFormat;
+    sqlite3BeginWriteOperation(pParse, 0, iDb);
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    if( isVirtual ){
+      sqlite3VdbeAddOp(v, OP_VBegin, 0, 0);
+    }
+#endif
+
+    /* If the file format and encoding in the database have not been set, 
+    ** set them now.
+    */
+    sqlite3VdbeAddOp(v, OP_ReadCookie, iDb, 1);   /* file_format */
+    lbl = sqlite3VdbeMakeLabel(v);
+    sqlite3VdbeAddOp(v, OP_If, 0, lbl);
+    fileFormat = (db->flags & SQLITE_LegacyFileFmt)!=0 ?
+                  1 : SQLITE_MAX_FILE_FORMAT;
+    sqlite3VdbeAddOp(v, OP_Integer, fileFormat, 0);
+    sqlite3VdbeAddOp(v, OP_SetCookie, iDb, 1);
+    sqlite3VdbeAddOp(v, OP_Integer, ENC(db), 0);
+    sqlite3VdbeAddOp(v, OP_SetCookie, iDb, 4);
+    sqlite3VdbeResolveLabel(v, lbl);
+
+    /* This just creates a place-holder record in the sqlite_master table.
+    ** The record created does not contain anything yet.  It will be replaced
+    ** by the real entry in code generated at sqlite3EndTable().
+    **
+    ** The rowid for the new entry is left on the top of the stack.
+    ** The rowid value is needed by the code that sqlite3EndTable will
+    ** generate.
+    */
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE)
+    if( isView || isVirtual ){
+      sqlite3VdbeAddOp(v, OP_Integer, 0, 0);
+    }else
+#endif
+    {
+      sqlite3VdbeAddOp(v, OP_CreateTable, iDb, 0);
+    }
+    sqlite3OpenMasterTable(pParse, iDb);
+    sqlite3VdbeAddOp(v, OP_NewRowid, 0, 0);
+    sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+    sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+    sqlite3VdbeAddOp(v, OP_Insert, 0, OPFLAG_APPEND);
+    sqlite3VdbeAddOp(v, OP_Close, 0, 0);
+    sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+  }
+
+  /* Normal (non-error) return. */
+  return;
+
+  /* If an error occurs, we jump here */
+begin_table_error:
+  sqliteFree(zName);
+  return;
+}
+
+/*
+** This macro is used to compare two strings in a case-insensitive manner.
+** It is slightly faster than calling sqlite3StrICmp() directly, but
+** produces larger code.
+**
+** WARNING: This macro is not compatible with the strcmp() family. It
+** returns true if the two strings are equal, otherwise false.
+*/
+#define STRICMP(x, y) (\
+sqlite3UpperToLower[*(unsigned char *)(x)]==   \
+sqlite3UpperToLower[*(unsigned char *)(y)]     \
+&& sqlite3StrICmp((x)+1,(y)+1)==0 )
+
+/*
+** Add a new column to the table currently being constructed.
+**
+** The parser calls this routine once for each column declaration
+** in a CREATE TABLE statement.  sqlite3StartTable() gets called
+** first to get things going.  Then this routine is called for each
+** column.
+*/
+void sqlite3AddColumn(Parse *pParse, Token *pName){
+  Table *p;
+  int i;
+  char *z;
+  Column *pCol;
+  if( (p = pParse->pNewTable)==0 ) return;
+  z = sqlite3NameFromToken(pName);
+  if( z==0 ) return;
+  for(i=0; i<p->nCol; i++){
+    if( STRICMP(z, p->aCol[i].zName) ){
+      sqlite3ErrorMsg(pParse, "duplicate column name: %s", z);
+      sqliteFree(z);
+      return;
+    }
+  }
+  if( (p->nCol & 0x7)==0 ){
+    Column *aNew;
+    aNew = sqliteRealloc( p->aCol, (p->nCol+8)*sizeof(p->aCol[0]));
+    if( aNew==0 ){
+      sqliteFree(z);
+      return;
+    }
+    p->aCol = aNew;
+  }
+  pCol = &p->aCol[p->nCol];
+  memset(pCol, 0, sizeof(p->aCol[0]));
+  pCol->zName = z;
+ 
+  /* If there is no type specified, columns have the default affinity
+  ** 'NONE'. If there is a type specified, then sqlite3AddColumnType() will
+  ** be called next to set pCol->affinity correctly.
+  */
+  pCol->affinity = SQLITE_AFF_NONE;
+  p->nCol++;
+}
+
+/*
+** This routine is called by the parser while in the middle of
+** parsing a CREATE TABLE statement.  A "NOT NULL" constraint has
+** been seen on a column.  This routine sets the notNull flag on
+** the column currently under construction.
+*/
+void sqlite3AddNotNull(Parse *pParse, int onError){
+  Table *p;
+  int i;
+  if( (p = pParse->pNewTable)==0 ) return;
+  i = p->nCol-1;
+  if( i>=0 ) p->aCol[i].notNull = onError;
+}
+
+/*
+** Scan the column type name zType (length nType) and return the
+** associated affinity type.
+**
+** This routine does a case-independent search of zType for the 
+** substrings in the following table. If one of the substrings is
+** found, the corresponding affinity is returned. If zType contains
+** more than one of the substrings, entries toward the top of 
+** the table take priority. For example, if zType is 'BLOBINT', 
+** SQLITE_AFF_INTEGER is returned.
+**
+** Substring     | Affinity
+** --------------------------------
+** 'INT'         | SQLITE_AFF_INTEGER
+** 'CHAR'        | SQLITE_AFF_TEXT
+** 'CLOB'        | SQLITE_AFF_TEXT
+** 'TEXT'        | SQLITE_AFF_TEXT
+** 'BLOB'        | SQLITE_AFF_NONE
+** 'REAL'        | SQLITE_AFF_REAL
+** 'FLOA'        | SQLITE_AFF_REAL
+** 'DOUB'        | SQLITE_AFF_REAL
+**
+** If none of the substrings in the above table are found,
+** SQLITE_AFF_NUMERIC is returned.
+*/
+char sqlite3AffinityType(const Token *pType){
+  u32 h = 0;
+  char aff = SQLITE_AFF_NUMERIC;
+  const unsigned char *zIn = pType->z;
+  const unsigned char *zEnd = &pType->z[pType->n];
+
+  while( zIn!=zEnd ){
+    h = (h<<8) + sqlite3UpperToLower[*zIn];
+    zIn++;
+    if( h==(('c'<<24)+('h'<<16)+('a'<<8)+'r') ){             /* CHAR */
+      aff = SQLITE_AFF_TEXT; 
+    }else if( h==(('c'<<24)+('l'<<16)+('o'<<8)+'b') ){       /* CLOB */
+      aff = SQLITE_AFF_TEXT;
+    }else if( h==(('t'<<24)+('e'<<16)+('x'<<8)+'t') ){       /* TEXT */
+      aff = SQLITE_AFF_TEXT;
+    }else if( h==(('b'<<24)+('l'<<16)+('o'<<8)+'b')          /* BLOB */
+        && (aff==SQLITE_AFF_NUMERIC || aff==SQLITE_AFF_REAL) ){
+      aff = SQLITE_AFF_NONE;
+#ifndef SQLITE_OMIT_FLOATING_POINT
+    }else if( h==(('r'<<24)+('e'<<16)+('a'<<8)+'l')          /* REAL */
+        && aff==SQLITE_AFF_NUMERIC ){
+      aff = SQLITE_AFF_REAL;
+    }else if( h==(('f'<<24)+('l'<<16)+('o'<<8)+'a')          /* FLOA */
+        && aff==SQLITE_AFF_NUMERIC ){
+      aff = SQLITE_AFF_REAL;
+    }else if( h==(('d'<<24)+('o'<<16)+('u'<<8)+'b')          /* DOUB */
+        && aff==SQLITE_AFF_NUMERIC ){
+      aff = SQLITE_AFF_REAL;
+#endif
+    }else if( (h&0x00FFFFFF)==(('i'<<16)+('n'<<8)+'t') ){    /* INT */
+      aff = SQLITE_AFF_INTEGER;
+      break;
+    }
+  }
+
+  return aff;
+}
+
+/*
+** This routine is called by the parser while in the middle of
+** parsing a CREATE TABLE statement.  The pFirst token is the first
+** token in the sequence of tokens that describe the type of the
+** column currently under construction.   pLast is the last token
+** in the sequence.  Use this information to construct a string
+** that contains the typename of the column and store that string
+** in zType.
+*/ 
+void sqlite3AddColumnType(Parse *pParse, Token *pType){
+  Table *p;
+  int i;
+  Column *pCol;
+
+  if( (p = pParse->pNewTable)==0 ) return;
+  i = p->nCol-1;
+  if( i<0 ) return;
+  pCol = &p->aCol[i];
+  sqliteFree(pCol->zType);
+  pCol->zType = sqlite3NameFromToken(pType);
+  pCol->affinity = sqlite3AffinityType(pType);
+}
+
+/*
+** The expression is the default value for the most recently added column
+** of the table currently under construction.
+**
+** Default value expressions must be constant.  Raise an exception if this
+** is not the case.
+**
+** This routine is called by the parser while in the middle of
+** parsing a CREATE TABLE statement.
+*/
+void sqlite3AddDefaultValue(Parse *pParse, Expr *pExpr){
+  Table *p;
+  Column *pCol;
+  if( (p = pParse->pNewTable)!=0 ){
+    pCol = &(p->aCol[p->nCol-1]);
+    if( !sqlite3ExprIsConstantOrFunction(pExpr) ){
+      sqlite3ErrorMsg(pParse, "default value of column [%s] is not constant",
+          pCol->zName);
+    }else{
+      Expr *pCopy;
+      sqlite3ExprDelete(pCol->pDflt);
+      pCol->pDflt = pCopy = sqlite3ExprDup(pExpr);
+      if( pCopy ){
+        sqlite3TokenCopy(&pCopy->span, &pExpr->span);
+      }
+    }
+  }
+  sqlite3ExprDelete(pExpr);
+}
+
+/*
+** Designate the PRIMARY KEY for the table.  pList is a list of names 
+** of columns that form the primary key.  If pList is NULL, then the
+** most recently added column of the table is the primary key.
+**
+** A table can have at most one primary key.  If the table already has
+** a primary key (and this is the second primary key) then create an
+** error.
+**
+** If the PRIMARY KEY is on a single column whose datatype is INTEGER,
+** then we will try to use that column as the rowid.  Set the Table.iPKey
+** field of the table under construction to be the index of the
+** INTEGER PRIMARY KEY column.  Table.iPKey is set to -1 if there is
+** no INTEGER PRIMARY KEY.
+**
+** If the key is not an INTEGER PRIMARY KEY, then create a unique
+** index for the key.  No index is created for INTEGER PRIMARY KEYs.
+*/
+void sqlite3AddPrimaryKey(
+  Parse *pParse,    /* Parsing context */
+  ExprList *pList,  /* List of field names to be indexed */
+  int onError,      /* What to do with a uniqueness conflict */
+  int autoInc,      /* True if the AUTOINCREMENT keyword is present */
+  int sortOrder     /* SQLITE_SO_ASC or SQLITE_SO_DESC */
+){
+  Table *pTab = pParse->pNewTable;
+  char *zType = 0;
+  int iCol = -1, i;
+  if( pTab==0 || IN_DECLARE_VTAB ) goto primary_key_exit;
+  if( pTab->hasPrimKey ){
+    sqlite3ErrorMsg(pParse, 
+      "table \"%s\" has more than one primary key", pTab->zName);
+    goto primary_key_exit;
+  }
+  pTab->hasPrimKey = 1;
+  if( pList==0 ){
+    iCol = pTab->nCol - 1;
+    pTab->aCol[iCol].isPrimKey = 1;
+  }else{
+    for(i=0; i<pList->nExpr; i++){
+      for(iCol=0; iCol<pTab->nCol; iCol++){
+        if( sqlite3StrICmp(pList->a[i].zName, pTab->aCol[iCol].zName)==0 ){
+          break;
+        }
+      }
+      if( iCol<pTab->nCol ){
+        pTab->aCol[iCol].isPrimKey = 1;
+      }
+    }
+    if( pList->nExpr>1 ) iCol = -1;
+  }
+  if( iCol>=0 && iCol<pTab->nCol ){
+    zType = pTab->aCol[iCol].zType;
+  }
+  if( zType && sqlite3StrICmp(zType, "INTEGER")==0
+        && sortOrder==SQLITE_SO_ASC ){
+    pTab->iPKey = iCol;
+    pTab->keyConf = onError;
+    pTab->autoInc = autoInc;
+  }else if( autoInc ){
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+    sqlite3ErrorMsg(pParse, "AUTOINCREMENT is only allowed on an "
+       "INTEGER PRIMARY KEY");
+#endif
+  }else{
+    sqlite3CreateIndex(pParse, 0, 0, 0, pList, onError, 0, 0, sortOrder, 0);
+    pList = 0;
+  }
+
+primary_key_exit:
+  sqlite3ExprListDelete(pList);
+  return;
+}
+
+/*
+** Add a new CHECK constraint to the table currently under construction.
+*/
+void sqlite3AddCheckConstraint(
+  Parse *pParse,    /* Parsing context */
+  Expr *pCheckExpr  /* The check expression */
+){
+#ifndef SQLITE_OMIT_CHECK
+  Table *pTab = pParse->pNewTable;
+  if( pTab && !IN_DECLARE_VTAB ){
+    /* The CHECK expression must be duplicated so that tokens refer
+    ** to malloced space and not the (ephemeral) text of the CREATE TABLE
+    ** statement */
+    pTab->pCheck = sqlite3ExprAnd(pTab->pCheck, sqlite3ExprDup(pCheckExpr));
+  }
+#endif
+  sqlite3ExprDelete(pCheckExpr);
+}
+
+/*
+** Set the collation function of the most recently parsed table column
+** to the CollSeq given.
+*/
+void sqlite3AddCollateType(Parse *pParse, const char *zType, int nType){
+  Table *p;
+  int i;
+
+  if( (p = pParse->pNewTable)==0 ) return;
+  i = p->nCol-1;
+
+  if( sqlite3LocateCollSeq(pParse, zType, nType) ){
+    Index *pIdx;
+    p->aCol[i].zColl = sqliteStrNDup(zType, nType);
+  
+    /* If the column is declared as "<name> PRIMARY KEY COLLATE <type>",
+    ** then an index may have been created on this column before the
+    ** collation type was added. Correct this if it is the case.
+    */
+    for(pIdx=p->pIndex; pIdx; pIdx=pIdx->pNext){
+      assert( pIdx->nColumn==1 );
+      if( pIdx->aiColumn[0]==i ){
+        pIdx->azColl[0] = p->aCol[i].zColl;
+      }
+    }
+  }
+}
+
+/*
+** This function returns the collation sequence for database native text
+** encoding identified by the string zName, length nName.
+**
+** If the requested collation sequence is not available, or not available
+** in the database native encoding, the collation factory is invoked to
+** request it. If the collation factory does not supply such a sequence,
+** and the sequence is available in another text encoding, then that is
+** returned instead.
+**
+** If no versions of the requested collations sequence are available, or
+** another error occurs, NULL is returned and an error message written into
+** pParse.
+**
+** This routine is a wrapper around sqlite3FindCollSeq().  This routine
+** invokes the collation factory if the named collation cannot be found
+** and generates an error message.
+*/
+CollSeq *sqlite3LocateCollSeq(Parse *pParse, const char *zName, int nName){
+  sqlite3 *db = pParse->db;
+  u8 enc = ENC(db);
+  u8 initbusy = db->init.busy;
+  CollSeq *pColl;
+
+  pColl = sqlite3FindCollSeq(db, enc, zName, nName, initbusy);
+  if( !initbusy && (!pColl || !pColl->xCmp) ){
+    pColl = sqlite3GetCollSeq(db, pColl, zName, nName);
+    if( !pColl ){
+      if( nName<0 ){
+        nName = strlen(zName);
+      }
+      sqlite3ErrorMsg(pParse, "no such collation sequence: %.*s", nName, zName);
+      pColl = 0;
+    }
+  }
+
+  return pColl;
+}
+
+
+/*
+** Generate code that will increment the schema cookie.
+**
+** The schema cookie is used to determine when the schema for the
+** database changes.  After each schema change, the cookie value
+** changes.  When a process first reads the schema it records the
+** cookie.  Thereafter, whenever it goes to access the database,
+** it checks the cookie to make sure the schema has not changed
+** since it was last read.
+**
+** This plan is not completely bullet-proof.  It is possible for
+** the schema to change multiple times and for the cookie to be
+** set back to prior value.  But schema changes are infrequent
+** and the probability of hitting the same cookie value is only
+** 1 chance in 2^32.  So we're safe enough.
+*/
+void sqlite3ChangeCookie(sqlite3 *db, Vdbe *v, int iDb){
+  sqlite3VdbeAddOp(v, OP_Integer, db->aDb[iDb].pSchema->schema_cookie+1, 0);
+  sqlite3VdbeAddOp(v, OP_SetCookie, iDb, 0);
+}
+
+/*
+** Measure the number of characters needed to output the given
+** identifier.  The number returned includes any quotes used
+** but does not include the null terminator.
+**
+** The estimate is conservative.  It might be larger that what is
+** really needed.
+*/
+static int identLength(const char *z){
+  int n;
+  for(n=0; *z; n++, z++){
+    if( *z=='"' ){ n++; }
+  }
+  return n + 2;
+}
+
+/*
+** Write an identifier onto the end of the given string.  Add
+** quote characters as needed.
+*/
+static void identPut(char *z, int *pIdx, char *zSignedIdent){
+  unsigned char *zIdent = (unsigned char*)zSignedIdent;
+  int i, j, needQuote;
+  i = *pIdx;
+  for(j=0; zIdent[j]; j++){
+    if( !isalnum(zIdent[j]) && zIdent[j]!='_' ) break;
+  }
+  needQuote =  zIdent[j]!=0 || isdigit(zIdent[0])
+                  || sqlite3KeywordCode(zIdent, j)!=TK_ID;
+  if( needQuote ) z[i++] = '"';
+  for(j=0; zIdent[j]; j++){
+    z[i++] = zIdent[j];
+    if( zIdent[j]=='"' ) z[i++] = '"';
+  }
+  if( needQuote ) z[i++] = '"';
+  z[i] = 0;
+  *pIdx = i;
+}
+
+/*
+** Generate a CREATE TABLE statement appropriate for the given
+** table.  Memory to hold the text of the statement is obtained
+** from sqliteMalloc() and must be freed by the calling function.
+*/
+static char *createTableStmt(Table *p, int isTemp){
+  int i, k, n;
+  char *zStmt;
+  char *zSep, *zSep2, *zEnd, *z;
+  Column *pCol;
+  n = 0;
+  for(pCol = p->aCol, i=0; i<p->nCol; i++, pCol++){
+    n += identLength(pCol->zName);
+    z = pCol->zType;
+    if( z ){
+      n += (strlen(z) + 1);
+    }
+  }
+  n += identLength(p->zName);
+  if( n<50 ){
+    zSep = "";
+    zSep2 = ",";
+    zEnd = ")";
+  }else{
+    zSep = "\n  ";
+    zSep2 = ",\n  ";
+    zEnd = "\n)";
+  }
+  n += 35 + 6*p->nCol;
+  zStmt = sqliteMallocRaw( n );
+  if( zStmt==0 ) return 0;
+  strcpy(zStmt, !OMIT_TEMPDB&&isTemp ? "CREATE TEMP TABLE ":"CREATE TABLE ");
+  k = strlen(zStmt);
+  identPut(zStmt, &k, p->zName);
+  zStmt[k++] = '(';
+  for(pCol=p->aCol, i=0; i<p->nCol; i++, pCol++){
+    strcpy(&zStmt[k], zSep);
+    k += strlen(&zStmt[k]);
+    zSep = zSep2;
+    identPut(zStmt, &k, pCol->zName);
+    if( (z = pCol->zType)!=0 ){
+      zStmt[k++] = ' ';
+      strcpy(&zStmt[k], z);
+      k += strlen(z);
+    }
+  }
+  strcpy(&zStmt[k], zEnd);
+  return zStmt;
+}
+
+/*
+** This routine is called to report the final ")" that terminates
+** a CREATE TABLE statement.
+**
+** The table structure that other action routines have been building
+** is added to the internal hash tables, assuming no errors have
+** occurred.
+**
+** An entry for the table is made in the master table on disk, unless
+** this is a temporary table or db->init.busy==1.  When db->init.busy==1
+** it means we are reading the sqlite_master table because we just
+** connected to the database or because the sqlite_master table has
+** recently changed, so the entry for this table already exists in
+** the sqlite_master table.  We do not want to create it again.
+**
+** If the pSelect argument is not NULL, it means that this routine
+** was called to create a table generated from a 
+** "CREATE TABLE ... AS SELECT ..." statement.  The column names of
+** the new table will match the result set of the SELECT.
+*/
+void sqlite3EndTable(
+  Parse *pParse,          /* Parse context */
+  Token *pCons,           /* The ',' token after the last column defn. */
+  Token *pEnd,            /* The final ')' token in the CREATE TABLE */
+  Select *pSelect         /* Select from a "CREATE ... AS SELECT" */
+){
+  Table *p;
+  sqlite3 *db = pParse->db;
+  int iDb;
+
+  if( (pEnd==0 && pSelect==0) || pParse->nErr || sqlite3MallocFailed() ) {
+    return;
+  }
+  p = pParse->pNewTable;
+  if( p==0 ) return;
+
+  assert( !db->init.busy || !pSelect );
+
+  iDb = sqlite3SchemaToIndex(db, p->pSchema);
+
+#ifndef SQLITE_OMIT_CHECK
+  /* Resolve names in all CHECK constraint expressions.
+  */
+  if( p->pCheck ){
+    SrcList sSrc;                   /* Fake SrcList for pParse->pNewTable */
+    NameContext sNC;                /* Name context for pParse->pNewTable */
+
+    memset(&sNC, 0, sizeof(sNC));
+    memset(&sSrc, 0, sizeof(sSrc));
+    sSrc.nSrc = 1;
+    sSrc.a[0].zName = p->zName;
+    sSrc.a[0].pTab = p;
+    sSrc.a[0].iCursor = -1;
+    sNC.pParse = pParse;
+    sNC.pSrcList = &sSrc;
+    sNC.isCheck = 1;
+    if( sqlite3ExprResolveNames(&sNC, p->pCheck) ){
+      return;
+    }
+  }
+#endif /* !defined(SQLITE_OMIT_CHECK) */
+
+  /* If the db->init.busy is 1 it means we are reading the SQL off the
+  ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+  ** So do not write to the disk again.  Extract the root page number
+  ** for the table from the db->init.newTnum field.  (The page number
+  ** should have been put there by the sqliteOpenCb routine.)
+  */
+  if( db->init.busy ){
+    p->tnum = db->init.newTnum;
+  }
+
+  /* If not initializing, then create a record for the new table
+  ** in the SQLITE_MASTER table of the database.  The record number
+  ** for the new table entry should already be on the stack.
+  **
+  ** If this is a TEMPORARY table, write the entry into the auxiliary
+  ** file instead of into the main database file.
+  */
+  if( !db->init.busy ){
+    int n;
+    Vdbe *v;
+    char *zType;    /* "view" or "table" */
+    char *zType2;   /* "VIEW" or "TABLE" */
+    char *zStmt;    /* Text of the CREATE TABLE or CREATE VIEW statement */
+
+    v = sqlite3GetVdbe(pParse);
+    if( v==0 ) return;
+
+    sqlite3VdbeAddOp(v, OP_Close, 0, 0);
+
+    /* Create the rootpage for the new table and push it onto the stack.
+    ** A view has no rootpage, so just push a zero onto the stack for
+    ** views.  Initialize zType at the same time.
+    */
+    if( p->pSelect==0 ){
+      /* A regular table */
+      zType = "table";
+      zType2 = "TABLE";
+#ifndef SQLITE_OMIT_VIEW
+    }else{
+      /* A view */
+      zType = "view";
+      zType2 = "VIEW";
+#endif
+    }
+
+    /* If this is a CREATE TABLE xx AS SELECT ..., execute the SELECT
+    ** statement to populate the new table. The root-page number for the
+    ** new table is on the top of the vdbe stack.
+    **
+    ** Once the SELECT has been coded by sqlite3Select(), it is in a
+    ** suitable state to query for the column names and types to be used
+    ** by the new table.
+    **
+    ** A shared-cache write-lock is not required to write to the new table,
+    ** as a schema-lock must have already been obtained to create it. Since
+    ** a schema-lock excludes all other database users, the write-lock would
+    ** be redundant.
+    */
+    if( pSelect ){
+      Table *pSelTab;
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+      sqlite3VdbeAddOp(v, OP_OpenWrite, 1, 0);
+      pParse->nTab = 2;
+      sqlite3Select(pParse, pSelect, SRT_Table, 1, 0, 0, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Close, 1, 0);
+      if( pParse->nErr==0 ){
+        pSelTab = sqlite3ResultSetOfSelect(pParse, 0, pSelect);
+        if( pSelTab==0 ) return;
+        assert( p->aCol==0 );
+        p->nCol = pSelTab->nCol;
+        p->aCol = pSelTab->aCol;
+        pSelTab->nCol = 0;
+        pSelTab->aCol = 0;
+        sqlite3DeleteTable(pSelTab);
+      }
+    }
+
+    /* Compute the complete text of the CREATE statement */
+    if( pSelect ){
+      zStmt = createTableStmt(p, p->pSchema==pParse->db->aDb[1].pSchema);
+    }else{
+      n = pEnd->z - pParse->sNameToken.z + 1;
+      zStmt = sqlite3MPrintf("CREATE %s %.*s", zType2, n, pParse->sNameToken.z);
+    }
+
+    /* A slot for the record has already been allocated in the 
+    ** SQLITE_MASTER table.  We just need to update that slot with all
+    ** the information we've collected.  The rowid for the preallocated
+    ** slot is the 2nd item on the stack.  The top of the stack is the
+    ** root page for the new table (or a 0 if this is a view).
+    */
+    sqlite3NestedParse(pParse,
+      "UPDATE %Q.%s "
+         "SET type='%s', name=%Q, tbl_name=%Q, rootpage=#0, sql=%Q "
+       "WHERE rowid=#1",
+      db->aDb[iDb].zName, SCHEMA_TABLE(iDb),
+      zType,
+      p->zName,
+      p->zName,
+      zStmt
+    );
+    sqliteFree(zStmt);
+    sqlite3ChangeCookie(db, v, iDb);
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+    /* Check to see if we need to create an sqlite_sequence table for
+    ** keeping track of autoincrement keys.
+    */
+    if( p->autoInc ){
+      Db *pDb = &db->aDb[iDb];
+      if( pDb->pSchema->pSeqTab==0 ){
+        sqlite3NestedParse(pParse,
+          "CREATE TABLE %Q.sqlite_sequence(name,seq)",
+          pDb->zName
+        );
+      }
+    }
+#endif
+
+    /* Reparse everything to update our internal data structures */
+    sqlite3VdbeOp3(v, OP_ParseSchema, iDb, 0,
+        sqlite3MPrintf("tbl_name='%q'",p->zName), P3_DYNAMIC);
+  }
+
+
+  /* Add the table to the in-memory representation of the database.
+  */
+  if( db->init.busy && pParse->nErr==0 ){
+    Table *pOld;
+    FKey *pFKey; 
+    Schema *pSchema = p->pSchema;
+    pOld = sqlite3HashInsert(&pSchema->tblHash, p->zName, strlen(p->zName)+1,p);
+    if( pOld ){
+      assert( p==pOld );  /* Malloc must have failed inside HashInsert() */
+      return;
+    }
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+    for(pFKey=p->pFKey; pFKey; pFKey=pFKey->pNextFrom){
+      int nTo = strlen(pFKey->zTo) + 1;
+      pFKey->pNextTo = sqlite3HashFind(&pSchema->aFKey, pFKey->zTo, nTo);
+      sqlite3HashInsert(&pSchema->aFKey, pFKey->zTo, nTo, pFKey);
+    }
+#endif
+    pParse->pNewTable = 0;
+    db->nTable++;
+    db->flags |= SQLITE_InternChanges;
+
+#ifndef SQLITE_OMIT_ALTERTABLE
+    if( !p->pSelect ){
+      const char *zName = (const char *)pParse->sNameToken.z;
+      int nName;
+      assert( !pSelect && pCons && pEnd );
+      if( pCons->z==0 ){
+        pCons = pEnd;
+      }
+      nName = (const char *)pCons->z - zName;
+      p->addColOffset = 13 + sqlite3utf8CharLen(zName, nName);
+    }
+#endif
+  }
+}
+
+#ifndef SQLITE_OMIT_VIEW
+/*
+** The parser calls this routine in order to create a new VIEW
+*/
+void sqlite3CreateView(
+  Parse *pParse,     /* The parsing context */
+  Token *pBegin,     /* The CREATE token that begins the statement */
+  Token *pName1,     /* The token that holds the name of the view */
+  Token *pName2,     /* The token that holds the name of the view */
+  Select *pSelect,   /* A SELECT statement that will become the new view */
+  int isTemp,        /* TRUE for a TEMPORARY view */
+  int noErr          /* Suppress error messages if VIEW already exists */
+){
+  Table *p;
+  int n;
+  const unsigned char *z;
+  Token sEnd;
+  DbFixer sFix;
+  Token *pName;
+  int iDb;
+
+  if( pParse->nVar>0 ){
+    sqlite3ErrorMsg(pParse, "parameters are not allowed in views");
+    sqlite3SelectDelete(pSelect);
+    return;
+  }
+  sqlite3StartTable(pParse, pName1, pName2, isTemp, 1, 0, noErr);
+  p = pParse->pNewTable;
+  if( p==0 || pParse->nErr ){
+    sqlite3SelectDelete(pSelect);
+    return;
+  }
+  sqlite3TwoPartName(pParse, pName1, pName2, &pName);
+  iDb = sqlite3SchemaToIndex(pParse->db, p->pSchema);
+  if( sqlite3FixInit(&sFix, pParse, iDb, "view", pName)
+    && sqlite3FixSelect(&sFix, pSelect)
+  ){
+    sqlite3SelectDelete(pSelect);
+    return;
+  }
+
+  /* Make a copy of the entire SELECT statement that defines the view.
+  ** This will force all the Expr.token.z values to be dynamically
+  ** allocated rather than point to the input string - which means that
+  ** they will persist after the current sqlite3_exec() call returns.
+  */
+  p->pSelect = sqlite3SelectDup(pSelect);
+  sqlite3SelectDelete(pSelect);
+  if( sqlite3MallocFailed() ){
+    return;
+  }
+  if( !pParse->db->init.busy ){
+    sqlite3ViewGetColumnNames(pParse, p);
+  }
+
+  /* Locate the end of the CREATE VIEW statement.  Make sEnd point to
+  ** the end.
+  */
+  sEnd = pParse->sLastToken;
+  if( sEnd.z[0]!=0 && sEnd.z[0]!=';' ){
+    sEnd.z += sEnd.n;
+  }
+  sEnd.n = 0;
+  n = sEnd.z - pBegin->z;
+  z = (const unsigned char*)pBegin->z;
+  while( n>0 && (z[n-1]==';' || isspace(z[n-1])) ){ n--; }
+  sEnd.z = &z[n-1];
+  sEnd.n = 1;
+
+  /* Use sqlite3EndTable() to add the view to the SQLITE_MASTER table */
+  sqlite3EndTable(pParse, 0, &sEnd, 0);
+  return;
+}
+#endif /* SQLITE_OMIT_VIEW */
+
+#if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE)
+/*
+** The Table structure pTable is really a VIEW.  Fill in the names of
+** the columns of the view in the pTable structure.  Return the number
+** of errors.  If an error is seen leave an error message in pParse->zErrMsg.
+*/
+int sqlite3ViewGetColumnNames(Parse *pParse, Table *pTable){
+  Table *pSelTab;   /* A fake table from which we get the result set */
+  Select *pSel;     /* Copy of the SELECT that implements the view */
+  int nErr = 0;     /* Number of errors encountered */
+  int n;            /* Temporarily holds the number of cursors assigned */
+
+  assert( pTable );
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( sqlite3VtabCallConnect(pParse, pTable) ){
+    return SQLITE_ERROR;
+  }
+  if( IsVirtual(pTable) ) return 0;
+#endif
+
+#ifndef SQLITE_OMIT_VIEW
+  /* A positive nCol means the columns names for this view are
+  ** already known.
+  */
+  if( pTable->nCol>0 ) return 0;
+
+  /* A negative nCol is a special marker meaning that we are currently
+  ** trying to compute the column names.  If we enter this routine with
+  ** a negative nCol, it means two or more views form a loop, like this:
+  **
+  **     CREATE VIEW one AS SELECT * FROM two;
+  **     CREATE VIEW two AS SELECT * FROM one;
+  **
+  ** Actually, this error is caught previously and so the following test
+  ** should always fail.  But we will leave it in place just to be safe.
+  */
+  if( pTable->nCol<0 ){
+    sqlite3ErrorMsg(pParse, "view %s is circularly defined", pTable->zName);
+    return 1;
+  }
+  assert( pTable->nCol>=0 );
+
+  /* If we get this far, it means we need to compute the table names.
+  ** Note that the call to sqlite3ResultSetOfSelect() will expand any
+  ** "*" elements in the results set of the view and will assign cursors
+  ** to the elements of the FROM clause.  But we do not want these changes
+  ** to be permanent.  So the computation is done on a copy of the SELECT
+  ** statement that defines the view.
+  */
+  assert( pTable->pSelect );
+  pSel = sqlite3SelectDup(pTable->pSelect);
+  if( pSel ){
+    n = pParse->nTab;
+    sqlite3SrcListAssignCursors(pParse, pSel->pSrc);
+    pTable->nCol = -1;
+    pSelTab = sqlite3ResultSetOfSelect(pParse, 0, pSel);
+    pParse->nTab = n;
+    if( pSelTab ){
+      assert( pTable->aCol==0 );
+      pTable->nCol = pSelTab->nCol;
+      pTable->aCol = pSelTab->aCol;
+      pSelTab->nCol = 0;
+      pSelTab->aCol = 0;
+      sqlite3DeleteTable(pSelTab);
+      pTable->pSchema->flags |= DB_UnresetViews;
+    }else{
+      pTable->nCol = 0;
+      nErr++;
+    }
+    sqlite3SelectDelete(pSel);
+  } else {
+    nErr++;
+  }
+#endif /* SQLITE_OMIT_VIEW */
+  return nErr;  
+}
+#endif /* !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_VIRTUALTABLE) */
+
+#ifndef SQLITE_OMIT_VIEW
+/*
+** Clear the column names from every VIEW in database idx.
+*/
+static void sqliteViewResetAll(sqlite3 *db, int idx){
+  HashElem *i;
+  if( !DbHasProperty(db, idx, DB_UnresetViews) ) return;
+  for(i=sqliteHashFirst(&db->aDb[idx].pSchema->tblHash); i;i=sqliteHashNext(i)){
+    Table *pTab = sqliteHashData(i);
+    if( pTab->pSelect ){
+      sqliteResetColumnNames(pTab);
+    }
+  }
+  DbClearProperty(db, idx, DB_UnresetViews);
+}
+#else
+# define sqliteViewResetAll(A,B)
+#endif /* SQLITE_OMIT_VIEW */
+
+/*
+** This function is called by the VDBE to adjust the internal schema
+** used by SQLite when the btree layer moves a table root page. The
+** root-page of a table or index in database iDb has changed from iFrom
+** to iTo.
+**
+** Ticket #1728:  The symbol table might still contain information
+** on tables and/or indices that are the process of being deleted.
+** If you are unlucky, one of those deleted indices or tables might
+** have the same rootpage number as the real table or index that is
+** being moved.  So we cannot stop searching after the first match 
+** because the first match might be for one of the deleted indices
+** or tables and not the table/index that is actually being moved.
+** We must continue looping until all tables and indices with
+** rootpage==iFrom have been converted to have a rootpage of iTo
+** in order to be certain that we got the right one.
+*/
+#ifndef SQLITE_OMIT_AUTOVACUUM
+void sqlite3RootPageMoved(Db *pDb, int iFrom, int iTo){
+  HashElem *pElem;
+  Hash *pHash;
+
+  pHash = &pDb->pSchema->tblHash;
+  for(pElem=sqliteHashFirst(pHash); pElem; pElem=sqliteHashNext(pElem)){
+    Table *pTab = sqliteHashData(pElem);
+    if( pTab->tnum==iFrom ){
+      pTab->tnum = iTo;
+    }
+  }
+  pHash = &pDb->pSchema->idxHash;
+  for(pElem=sqliteHashFirst(pHash); pElem; pElem=sqliteHashNext(pElem)){
+    Index *pIdx = sqliteHashData(pElem);
+    if( pIdx->tnum==iFrom ){
+      pIdx->tnum = iTo;
+    }
+  }
+}
+#endif
+
+/*
+** Write code to erase the table with root-page iTable from database iDb.
+** Also write code to modify the sqlite_master table and internal schema
+** if a root-page of another table is moved by the btree-layer whilst
+** erasing iTable (this can happen with an auto-vacuum database).
+*/ 
+static void destroyRootPage(Parse *pParse, int iTable, int iDb){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  sqlite3VdbeAddOp(v, OP_Destroy, iTable, iDb);
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  /* OP_Destroy pushes an integer onto the stack. If this integer
+  ** is non-zero, then it is the root page number of a table moved to
+  ** location iTable. The following code modifies the sqlite_master table to
+  ** reflect this.
+  **
+  ** The "#0" in the SQL is a special constant that means whatever value
+  ** is on the top of the stack.  See sqlite3RegisterExpr().
+  */
+  sqlite3NestedParse(pParse, 
+     "UPDATE %Q.%s SET rootpage=%d WHERE #0 AND rootpage=#0",
+     pParse->db->aDb[iDb].zName, SCHEMA_TABLE(iDb), iTable);
+#endif
+}
+
+/*
+** Write VDBE code to erase table pTab and all associated indices on disk.
+** Code to update the sqlite_master tables and internal schema definitions
+** in case a root-page belonging to another table is moved by the btree layer
+** is also added (this can happen with an auto-vacuum database).
+*/
+static void destroyTable(Parse *pParse, Table *pTab){
+#ifdef SQLITE_OMIT_AUTOVACUUM
+  Index *pIdx;
+  int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  destroyRootPage(pParse, pTab->tnum, iDb);
+  for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+    destroyRootPage(pParse, pIdx->tnum, iDb);
+  }
+#else
+  /* If the database may be auto-vacuum capable (if SQLITE_OMIT_AUTOVACUUM
+  ** is not defined), then it is important to call OP_Destroy on the
+  ** table and index root-pages in order, starting with the numerically 
+  ** largest root-page number. This guarantees that none of the root-pages
+  ** to be destroyed is relocated by an earlier OP_Destroy. i.e. if the
+  ** following were coded:
+  **
+  ** OP_Destroy 4 0
+  ** ...
+  ** OP_Destroy 5 0
+  **
+  ** and root page 5 happened to be the largest root-page number in the
+  ** database, then root page 5 would be moved to page 4 by the 
+  ** "OP_Destroy 4 0" opcode. The subsequent "OP_Destroy 5 0" would hit
+  ** a free-list page.
+  */
+  int iTab = pTab->tnum;
+  int iDestroyed = 0;
+
+  while( 1 ){
+    Index *pIdx;
+    int iLargest = 0;
+
+    if( iDestroyed==0 || iTab<iDestroyed ){
+      iLargest = iTab;
+    }
+    for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+      int iIdx = pIdx->tnum;
+      assert( pIdx->pSchema==pTab->pSchema );
+      if( (iDestroyed==0 || (iIdx<iDestroyed)) && iIdx>iLargest ){
+        iLargest = iIdx;
+      }
+    }
+    if( iLargest==0 ){
+      return;
+    }else{
+      int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+      destroyRootPage(pParse, iLargest, iDb);
+      iDestroyed = iLargest;
+    }
+  }
+#endif
+}
+
+/*
+** This routine is called to do the work of a DROP TABLE statement.
+** pName is the name of the table to be dropped.
+*/
+void sqlite3DropTable(Parse *pParse, SrcList *pName, int isView, int noErr){
+  Table *pTab;
+  Vdbe *v;
+  sqlite3 *db = pParse->db;
+  int iDb;
+
+  if( pParse->nErr || sqlite3MallocFailed() ){
+    goto exit_drop_table;
+  }
+  assert( pName->nSrc==1 );
+  pTab = sqlite3LocateTable(pParse, pName->a[0].zName, pName->a[0].zDatabase);
+
+  if( pTab==0 ){
+    if( noErr ){
+      sqlite3ErrorClear(pParse);
+    }
+    goto exit_drop_table;
+  }
+  iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+  assert( iDb>=0 && iDb<db->nDb );
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  {
+    int code;
+    const char *zTab = SCHEMA_TABLE(iDb);
+    const char *zDb = db->aDb[iDb].zName;
+    const char *zArg2 = 0;
+    if( sqlite3AuthCheck(pParse, SQLITE_DELETE, zTab, 0, zDb)){
+      goto exit_drop_table;
+    }
+    if( isView ){
+      if( !OMIT_TEMPDB && iDb==1 ){
+        code = SQLITE_DROP_TEMP_VIEW;
+      }else{
+        code = SQLITE_DROP_VIEW;
+      }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    }else if( IsVirtual(pTab) ){
+      if( sqlite3ViewGetColumnNames(pParse, pTab) ){
+        goto exit_drop_table;
+      }
+      code = SQLITE_DROP_VTABLE;
+      zArg2 = pTab->pMod->zName;
+#endif
+    }else{
+      if( !OMIT_TEMPDB && iDb==1 ){
+        code = SQLITE_DROP_TEMP_TABLE;
+      }else{
+        code = SQLITE_DROP_TABLE;
+      }
+    }
+    if( sqlite3AuthCheck(pParse, code, pTab->zName, zArg2, zDb) ){
+      goto exit_drop_table;
+    }
+    if( sqlite3AuthCheck(pParse, SQLITE_DELETE, pTab->zName, 0, zDb) ){
+      goto exit_drop_table;
+    }
+  }
+#endif
+  if( pTab->readOnly || pTab==db->aDb[iDb].pSchema->pSeqTab ){
+    sqlite3ErrorMsg(pParse, "table %s may not be dropped", pTab->zName);
+    goto exit_drop_table;
+  }
+
+#ifndef SQLITE_OMIT_VIEW
+  /* Ensure DROP TABLE is not used on a view, and DROP VIEW is not used
+  ** on a table.
+  */
+  if( isView && pTab->pSelect==0 ){
+    sqlite3ErrorMsg(pParse, "use DROP TABLE to delete table %s", pTab->zName);
+    goto exit_drop_table;
+  }
+  if( !isView && pTab->pSelect ){
+    sqlite3ErrorMsg(pParse, "use DROP VIEW to delete view %s", pTab->zName);
+    goto exit_drop_table;
+  }
+#endif
+
+  /* Generate code to remove the table from the master table
+  ** on disk.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    Trigger *pTrigger;
+    Db *pDb = &db->aDb[iDb];
+    sqlite3BeginWriteOperation(pParse, 0, iDb);
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    if( IsVirtual(pTab) ){
+      Vdbe *v = sqlite3GetVdbe(pParse);
+      if( v ){
+        sqlite3VdbeAddOp(v, OP_VBegin, 0, 0);
+      }
+    }
+#endif
+
+    /* Drop all triggers associated with the table being dropped. Code
+    ** is generated to remove entries from sqlite_master and/or
+    ** sqlite_temp_master if required.
+    */
+    pTrigger = pTab->pTrigger;
+    while( pTrigger ){
+      assert( pTrigger->pSchema==pTab->pSchema || 
+          pTrigger->pSchema==db->aDb[1].pSchema );
+      sqlite3DropTriggerPtr(pParse, pTrigger);
+      pTrigger = pTrigger->pNext;
+    }
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+    /* Remove any entries of the sqlite_sequence table associated with
+    ** the table being dropped. This is done before the table is dropped
+    ** at the btree level, in case the sqlite_sequence table needs to
+    ** move as a result of the drop (can happen in auto-vacuum mode).
+    */
+    if( pTab->autoInc ){
+      sqlite3NestedParse(pParse,
+        "DELETE FROM %s.sqlite_sequence WHERE name=%Q",
+        pDb->zName, pTab->zName
+      );
+    }
+#endif
+
+    /* Drop all SQLITE_MASTER table and index entries that refer to the
+    ** table. The program name loops through the master table and deletes
+    ** every row that refers to a table of the same name as the one being
+    ** dropped. Triggers are handled seperately because a trigger can be
+    ** created in the temp database that refers to a table in another
+    ** database.
+    */
+    sqlite3NestedParse(pParse, 
+        "DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'",
+        pDb->zName, SCHEMA_TABLE(iDb), pTab->zName);
+    if( !isView && !IsVirtual(pTab) ){
+      destroyTable(pParse, pTab);
+    }
+
+    /* Remove the table entry from SQLite's internal schema and modify
+    ** the schema cookie.
+    */
+    if( IsVirtual(pTab) ){
+      sqlite3VdbeOp3(v, OP_VDestroy, iDb, 0, pTab->zName, 0);
+    }
+    sqlite3VdbeOp3(v, OP_DropTable, iDb, 0, pTab->zName, 0);
+    sqlite3ChangeCookie(db, v, iDb);
+  }
+  sqliteViewResetAll(db, iDb);
+
+exit_drop_table:
+  sqlite3SrcListDelete(pName);
+}
+
+/*
+** This routine is called to create a new foreign key on the table
+** currently under construction.  pFromCol determines which columns
+** in the current table point to the foreign key.  If pFromCol==0 then
+** connect the key to the last column inserted.  pTo is the name of
+** the table referred to.  pToCol is a list of tables in the other
+** pTo table that the foreign key points to.  flags contains all
+** information about the conflict resolution algorithms specified
+** in the ON DELETE, ON UPDATE and ON INSERT clauses.
+**
+** An FKey structure is created and added to the table currently
+** under construction in the pParse->pNewTable field.  The new FKey
+** is not linked into db->aFKey at this point - that does not happen
+** until sqlite3EndTable().
+**
+** The foreign key is set for IMMEDIATE processing.  A subsequent call
+** to sqlite3DeferForeignKey() might change this to DEFERRED.
+*/
+void sqlite3CreateForeignKey(
+  Parse *pParse,       /* Parsing context */
+  ExprList *pFromCol,  /* Columns in this table that point to other table */
+  Token *pTo,          /* Name of the other table */
+  ExprList *pToCol,    /* Columns in the other table */
+  int flags            /* Conflict resolution algorithms. */
+){
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+  FKey *pFKey = 0;
+  Table *p = pParse->pNewTable;
+  int nByte;
+  int i;
+  int nCol;
+  char *z;
+
+  assert( pTo!=0 );
+  if( p==0 || pParse->nErr || IN_DECLARE_VTAB ) goto fk_end;
+  if( pFromCol==0 ){
+    int iCol = p->nCol-1;
+    if( iCol<0 ) goto fk_end;
+    if( pToCol && pToCol->nExpr!=1 ){
+      sqlite3ErrorMsg(pParse, "foreign key on %s"
+         " should reference only one column of table %T",
+         p->aCol[iCol].zName, pTo);
+      goto fk_end;
+    }
+    nCol = 1;
+  }else if( pToCol && pToCol->nExpr!=pFromCol->nExpr ){
+    sqlite3ErrorMsg(pParse,
+        "number of columns in foreign key does not match the number of "
+        "columns in the referenced table");
+    goto fk_end;
+  }else{
+    nCol = pFromCol->nExpr;
+  }
+  nByte = sizeof(*pFKey) + nCol*sizeof(pFKey->aCol[0]) + pTo->n + 1;
+  if( pToCol ){
+    for(i=0; i<pToCol->nExpr; i++){
+      nByte += strlen(pToCol->a[i].zName) + 1;
+    }
+  }
+  pFKey = sqliteMalloc( nByte );
+  if( pFKey==0 ) goto fk_end;
+  pFKey->pFrom = p;
+  pFKey->pNextFrom = p->pFKey;
+  z = (char*)&pFKey[1];
+  pFKey->aCol = (struct sColMap*)z;
+  z += sizeof(struct sColMap)*nCol;
+  pFKey->zTo = z;
+  memcpy(z, pTo->z, pTo->n);
+  z[pTo->n] = 0;
+  z += pTo->n+1;
+  pFKey->pNextTo = 0;
+  pFKey->nCol = nCol;
+  if( pFromCol==0 ){
+    pFKey->aCol[0].iFrom = p->nCol-1;
+  }else{
+    for(i=0; i<nCol; i++){
+      int j;
+      for(j=0; j<p->nCol; j++){
+        if( sqlite3StrICmp(p->aCol[j].zName, pFromCol->a[i].zName)==0 ){
+          pFKey->aCol[i].iFrom = j;
+          break;
+        }
+      }
+      if( j>=p->nCol ){
+        sqlite3ErrorMsg(pParse, 
+          "unknown column \"%s\" in foreign key definition", 
+          pFromCol->a[i].zName);
+        goto fk_end;
+      }
+    }
+  }
+  if( pToCol ){
+    for(i=0; i<nCol; i++){
+      int n = strlen(pToCol->a[i].zName);
+      pFKey->aCol[i].zCol = z;
+      memcpy(z, pToCol->a[i].zName, n);
+      z[n] = 0;
+      z += n+1;
+    }
+  }
+  pFKey->isDeferred = 0;
+  pFKey->deleteConf = flags & 0xff;
+  pFKey->updateConf = (flags >> 8 ) & 0xff;
+  pFKey->insertConf = (flags >> 16 ) & 0xff;
+
+  /* Link the foreign key to the table as the last step.
+  */
+  p->pFKey = pFKey;
+  pFKey = 0;
+
+fk_end:
+  sqliteFree(pFKey);
+#endif /* !defined(SQLITE_OMIT_FOREIGN_KEY) */
+  sqlite3ExprListDelete(pFromCol);
+  sqlite3ExprListDelete(pToCol);
+}
+
+/*
+** This routine is called when an INITIALLY IMMEDIATE or INITIALLY DEFERRED
+** clause is seen as part of a foreign key definition.  The isDeferred
+** parameter is 1 for INITIALLY DEFERRED and 0 for INITIALLY IMMEDIATE.
+** The behavior of the most recently created foreign key is adjusted
+** accordingly.
+*/
+void sqlite3DeferForeignKey(Parse *pParse, int isDeferred){
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+  Table *pTab;
+  FKey *pFKey;
+  if( (pTab = pParse->pNewTable)==0 || (pFKey = pTab->pFKey)==0 ) return;
+  pFKey->isDeferred = isDeferred;
+#endif
+}
+
+/*
+** Generate code that will erase and refill index *pIdx.  This is
+** used to initialize a newly created index or to recompute the
+** content of an index in response to a REINDEX command.
+**
+** if memRootPage is not negative, it means that the index is newly
+** created.  The memory cell specified by memRootPage contains the
+** root page number of the index.  If memRootPage is negative, then
+** the index already exists and must be cleared before being refilled and
+** the root page number of the index is taken from pIndex->tnum.
+*/
+static void sqlite3RefillIndex(Parse *pParse, Index *pIndex, int memRootPage){
+  Table *pTab = pIndex->pTable;  /* The table that is indexed */
+  int iTab = pParse->nTab;       /* Btree cursor used for pTab */
+  int iIdx = pParse->nTab+1;     /* Btree cursor used for pIndex */
+  int addr1;                     /* Address of top of loop */
+  int tnum;                      /* Root page of index */
+  Vdbe *v;                       /* Generate code into this virtual machine */
+  KeyInfo *pKey;                 /* KeyInfo for index */
+  int iDb = sqlite3SchemaToIndex(pParse->db, pIndex->pSchema);
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  if( sqlite3AuthCheck(pParse, SQLITE_REINDEX, pIndex->zName, 0,
+      pParse->db->aDb[iDb].zName ) ){
+    return;
+  }
+#endif
+
+  /* Require a write-lock on the table to perform this operation */
+  sqlite3TableLock(pParse, iDb, pTab->tnum, 1, pTab->zName);
+
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return;
+  if( memRootPage>=0 ){
+    sqlite3VdbeAddOp(v, OP_MemLoad, memRootPage, 0);
+    tnum = 0;
+  }else{
+    tnum = pIndex->tnum;
+    sqlite3VdbeAddOp(v, OP_Clear, tnum, iDb);
+  }
+  sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+  pKey = sqlite3IndexKeyinfo(pParse, pIndex);
+  sqlite3VdbeOp3(v, OP_OpenWrite, iIdx, tnum, (char *)pKey, P3_KEYINFO_HANDOFF);
+  sqlite3OpenTable(pParse, iTab, iDb, pTab, OP_OpenRead);
+  addr1 = sqlite3VdbeAddOp(v, OP_Rewind, iTab, 0);
+  sqlite3GenerateIndexKey(v, pIndex, iTab);
+  if( pIndex->onError!=OE_None ){
+    int curaddr = sqlite3VdbeCurrentAddr(v);
+    int addr2 = curaddr+4;
+    sqlite3VdbeChangeP2(v, curaddr-1, addr2);
+    sqlite3VdbeAddOp(v, OP_Rowid, iTab, 0);
+    sqlite3VdbeAddOp(v, OP_AddImm, 1, 0);
+    sqlite3VdbeAddOp(v, OP_IsUnique, iIdx, addr2);
+    sqlite3VdbeOp3(v, OP_Halt, SQLITE_CONSTRAINT, OE_Abort,
+                    "indexed columns are not unique", P3_STATIC);
+    assert( sqlite3MallocFailed() || addr2==sqlite3VdbeCurrentAddr(v) );
+  }
+  sqlite3VdbeAddOp(v, OP_IdxInsert, iIdx, 0);
+  sqlite3VdbeAddOp(v, OP_Next, iTab, addr1+1);
+  sqlite3VdbeJumpHere(v, addr1);
+  sqlite3VdbeAddOp(v, OP_Close, iTab, 0);
+  sqlite3VdbeAddOp(v, OP_Close, iIdx, 0);
+}
+
+/*
+** Create a new index for an SQL table.  pName1.pName2 is the name of the index 
+** and pTblList is the name of the table that is to be indexed.  Both will 
+** be NULL for a primary key or an index that is created to satisfy a
+** UNIQUE constraint.  If pTable and pIndex are NULL, use pParse->pNewTable
+** as the table to be indexed.  pParse->pNewTable is a table that is
+** currently being constructed by a CREATE TABLE statement.
+**
+** pList is a list of columns to be indexed.  pList will be NULL if this
+** is a primary key or unique-constraint on the most recent column added
+** to the table currently under construction.  
+*/
+void sqlite3CreateIndex(
+  Parse *pParse,     /* All information about this parse */
+  Token *pName1,     /* First part of index name. May be NULL */
+  Token *pName2,     /* Second part of index name. May be NULL */
+  SrcList *pTblName, /* Table to index. Use pParse->pNewTable if 0 */
+  ExprList *pList,   /* A list of columns to be indexed */
+  int onError,       /* OE_Abort, OE_Ignore, OE_Replace, or OE_None */
+  Token *pStart,     /* The CREATE token that begins a CREATE TABLE statement */
+  Token *pEnd,       /* The ")" that closes the CREATE INDEX statement */
+  int sortOrder,     /* Sort order of primary key when pList==NULL */
+  int ifNotExist     /* Omit error if index already exists */
+){
+  Table *pTab = 0;     /* Table to be indexed */
+  Index *pIndex = 0;   /* The index to be created */
+  char *zName = 0;     /* Name of the index */
+  int nName;           /* Number of characters in zName */
+  int i, j;
+  Token nullId;        /* Fake token for an empty ID list */
+  DbFixer sFix;        /* For assigning database names to pTable */
+  int sortOrderMask;   /* 1 to honor DESC in index.  0 to ignore. */
+  sqlite3 *db = pParse->db;
+  Db *pDb;             /* The specific table containing the indexed database */
+  int iDb;             /* Index of the database that is being written */
+  Token *pName = 0;    /* Unqualified name of the index to create */
+  struct ExprList_item *pListItem; /* For looping over pList */
+  int nCol;
+  int nExtra = 0;
+  char *zExtra;
+
+  if( pParse->nErr || sqlite3MallocFailed() || IN_DECLARE_VTAB ){
+    goto exit_create_index;
+  }
+
+  /*
+  ** Find the table that is to be indexed.  Return early if not found.
+  */
+  if( pTblName!=0 ){
+
+    /* Use the two-part index name to determine the database 
+    ** to search for the table. 'Fix' the table name to this db
+    ** before looking up the table.
+    */
+    assert( pName1 && pName2 );
+    iDb = sqlite3TwoPartName(pParse, pName1, pName2, &pName);
+    if( iDb<0 ) goto exit_create_index;
+
+#ifndef SQLITE_OMIT_TEMPDB
+    /* If the index name was unqualified, check if the the table
+    ** is a temp table. If so, set the database to 1.
+    */
+    pTab = sqlite3SrcListLookup(pParse, pTblName);
+    if( pName2 && pName2->n==0 && pTab && pTab->pSchema==db->aDb[1].pSchema ){
+      iDb = 1;
+    }
+#endif
+
+    if( sqlite3FixInit(&sFix, pParse, iDb, "index", pName) &&
+        sqlite3FixSrcList(&sFix, pTblName)
+    ){
+      /* Because the parser constructs pTblName from a single identifier,
+      ** sqlite3FixSrcList can never fail. */
+      assert(0);
+    }
+    pTab = sqlite3LocateTable(pParse, pTblName->a[0].zName, 
+        pTblName->a[0].zDatabase);
+    if( !pTab ) goto exit_create_index;
+    assert( db->aDb[iDb].pSchema==pTab->pSchema );
+  }else{
+    assert( pName==0 );
+    pTab = pParse->pNewTable;
+    if( !pTab ) goto exit_create_index;
+    iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+  }
+  pDb = &db->aDb[iDb];
+
+  if( pTab==0 || pParse->nErr ) goto exit_create_index;
+  if( pTab->readOnly ){
+    sqlite3ErrorMsg(pParse, "table %s may not be indexed", pTab->zName);
+    goto exit_create_index;
+  }
+#ifndef SQLITE_OMIT_VIEW
+  if( pTab->pSelect ){
+    sqlite3ErrorMsg(pParse, "views may not be indexed");
+    goto exit_create_index;
+  }
+#endif
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( IsVirtual(pTab) ){
+    sqlite3ErrorMsg(pParse, "virtual tables may not be indexed");
+    goto exit_create_index;
+  }
+#endif
+
+  /*
+  ** Find the name of the index.  Make sure there is not already another
+  ** index or table with the same name.  
+  **
+  ** Exception:  If we are reading the names of permanent indices from the
+  ** sqlite_master table (because some other process changed the schema) and
+  ** one of the index names collides with the name of a temporary table or
+  ** index, then we will continue to process this index.
+  **
+  ** If pName==0 it means that we are
+  ** dealing with a primary key or UNIQUE constraint.  We have to invent our
+  ** own name.
+  */
+  if( pName ){
+    zName = sqlite3NameFromToken(pName);
+    if( SQLITE_OK!=sqlite3ReadSchema(pParse) ) goto exit_create_index;
+    if( zName==0 ) goto exit_create_index;
+    if( SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){
+      goto exit_create_index;
+    }
+    if( !db->init.busy ){
+      if( SQLITE_OK!=sqlite3ReadSchema(pParse) ) goto exit_create_index;
+      if( sqlite3FindTable(db, zName, 0)!=0 ){
+        sqlite3ErrorMsg(pParse, "there is already a table named %s", zName);
+        goto exit_create_index;
+      }
+    }
+    if( sqlite3FindIndex(db, zName, pDb->zName)!=0 ){
+      if( !ifNotExist ){
+        sqlite3ErrorMsg(pParse, "index %s already exists", zName);
+      }
+      goto exit_create_index;
+    }
+  }else{
+    char zBuf[30];
+    int n;
+    Index *pLoop;
+    for(pLoop=pTab->pIndex, n=1; pLoop; pLoop=pLoop->pNext, n++){}
+    sprintf(zBuf,"_%d",n);
+    zName = 0;
+    sqlite3SetString(&zName, "sqlite_autoindex_", pTab->zName, zBuf, (char*)0);
+    if( zName==0 ) goto exit_create_index;
+  }
+
+  /* Check for authorization to create an index.
+  */
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  {
+    const char *zDb = pDb->zName;
+    if( sqlite3AuthCheck(pParse, SQLITE_INSERT, SCHEMA_TABLE(iDb), 0, zDb) ){
+      goto exit_create_index;
+    }
+    i = SQLITE_CREATE_INDEX;
+    if( !OMIT_TEMPDB && iDb==1 ) i = SQLITE_CREATE_TEMP_INDEX;
+    if( sqlite3AuthCheck(pParse, i, zName, pTab->zName, zDb) ){
+      goto exit_create_index;
+    }
+  }
+#endif
+
+  /* If pList==0, it means this routine was called to make a primary
+  ** key out of the last column added to the table under construction.
+  ** So create a fake list to simulate this.
+  */
+  if( pList==0 ){
+    nullId.z = (u8*)pTab->aCol[pTab->nCol-1].zName;
+    nullId.n = strlen((char*)nullId.z);
+    pList = sqlite3ExprListAppend(0, 0, &nullId);
+    if( pList==0 ) goto exit_create_index;
+    pList->a[0].sortOrder = sortOrder;
+  }
+
+  /* Figure out how many bytes of space are required to store explicitly
+  ** specified collation sequence names.
+  */
+  for(i=0; i<pList->nExpr; i++){
+    Expr *pExpr = pList->a[i].pExpr;
+    if( pExpr ){
+      nExtra += (1 + strlen(pExpr->pColl->zName));
+    }
+  }
+
+  /* 
+  ** Allocate the index structure. 
+  */
+  nName = strlen(zName);
+  nCol = pList->nExpr;
+  pIndex = sqliteMalloc( 
+      sizeof(Index) +              /* Index structure  */
+      sizeof(int)*nCol +           /* Index.aiColumn   */
+      sizeof(int)*(nCol+1) +       /* Index.aiRowEst   */
+      sizeof(char *)*nCol +        /* Index.azColl     */
+      sizeof(u8)*nCol +            /* Index.aSortOrder */
+      nName + 1 +                  /* Index.zName      */
+      nExtra                       /* Collation sequence names */
+  );
+  if( sqlite3MallocFailed() ) goto exit_create_index;
+  pIndex->azColl = (char**)(&pIndex[1]);
+  pIndex->aiColumn = (int *)(&pIndex->azColl[nCol]);
+  pIndex->aiRowEst = (unsigned *)(&pIndex->aiColumn[nCol]);
+  pIndex->aSortOrder = (u8 *)(&pIndex->aiRowEst[nCol+1]);
+  pIndex->zName = (char *)(&pIndex->aSortOrder[nCol]);
+  zExtra = (char *)(&pIndex->zName[nName+1]);
+  strcpy(pIndex->zName, zName);
+  pIndex->pTable = pTab;
+  pIndex->nColumn = pList->nExpr;
+  pIndex->onError = onError;
+  pIndex->autoIndex = pName==0;
+  pIndex->pSchema = db->aDb[iDb].pSchema;
+
+  /* Check to see if we should honor DESC requests on index columns
+  */
+  if( pDb->pSchema->file_format>=4 ){
+    sortOrderMask = -1;   /* Honor DESC */
+  }else{
+    sortOrderMask = 0;    /* Ignore DESC */
+  }
+
+  /* Scan the names of the columns of the table to be indexed and
+  ** load the column indices into the Index structure.  Report an error
+  ** if any column is not found.
+  */
+  for(i=0, pListItem=pList->a; i<pList->nExpr; i++, pListItem++){
+    const char *zColName = pListItem->zName;
+    Column *pTabCol;
+    int requestedSortOrder;
+    char *zColl;                   /* Collation sequence name */
+
+    for(j=0, pTabCol=pTab->aCol; j<pTab->nCol; j++, pTabCol++){
+      if( sqlite3StrICmp(zColName, pTabCol->zName)==0 ) break;
+    }
+    if( j>=pTab->nCol ){
+      sqlite3ErrorMsg(pParse, "table %s has no column named %s",
+        pTab->zName, zColName);
+      goto exit_create_index;
+    }
+    /* TODO:  Add a test to make sure that the same column is not named
+    ** more than once within the same index.  Only the first instance of
+    ** the column will ever be used by the optimizer.  Note that using the
+    ** same column more than once cannot be an error because that would 
+    ** break backwards compatibility - it needs to be a warning.
+    */
+    pIndex->aiColumn[i] = j;
+    if( pListItem->pExpr ){
+      assert( pListItem->pExpr->pColl );
+      zColl = zExtra;
+      strcpy(zExtra, pListItem->pExpr->pColl->zName);
+      zExtra += (strlen(zColl) + 1);
+    }else{
+      zColl = pTab->aCol[j].zColl;
+      if( !zColl ){
+        zColl = db->pDfltColl->zName;
+      }
+    }
+    if( !db->init.busy && !sqlite3LocateCollSeq(pParse, zColl, -1) ){
+      goto exit_create_index;
+    }
+    pIndex->azColl[i] = zColl;
+    requestedSortOrder = pListItem->sortOrder & sortOrderMask;
+    pIndex->aSortOrder[i] = requestedSortOrder;
+  }
+  sqlite3DefaultRowEst(pIndex);
+
+  if( pTab==pParse->pNewTable ){
+    /* This routine has been called to create an automatic index as a
+    ** result of a PRIMARY KEY or UNIQUE clause on a column definition, or
+    ** a PRIMARY KEY or UNIQUE clause following the column definitions.
+    ** i.e. one of:
+    **
+    ** CREATE TABLE t(x PRIMARY KEY, y);
+    ** CREATE TABLE t(x, y, UNIQUE(x, y));
+    **
+    ** Either way, check to see if the table already has such an index. If
+    ** so, don't bother creating this one. This only applies to
+    ** automatically created indices. Users can do as they wish with
+    ** explicit indices.
+    */
+    Index *pIdx;
+    for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+      int k;
+      assert( pIdx->onError!=OE_None );
+      assert( pIdx->autoIndex );
+      assert( pIndex->onError!=OE_None );
+
+      if( pIdx->nColumn!=pIndex->nColumn ) continue;
+      for(k=0; k<pIdx->nColumn; k++){
+        const char *z1 = pIdx->azColl[k];
+        const char *z2 = pIndex->azColl[k];
+        if( pIdx->aiColumn[k]!=pIndex->aiColumn[k] ) break;
+        if( pIdx->aSortOrder[k]!=pIndex->aSortOrder[k] ) break;
+        if( z1!=z2 && sqlite3StrICmp(z1, z2) ) break;
+      }
+      if( k==pIdx->nColumn ){
+        if( pIdx->onError!=pIndex->onError ){
+          /* This constraint creates the same index as a previous
+          ** constraint specified somewhere in the CREATE TABLE statement.
+          ** However the ON CONFLICT clauses are different. If both this 
+          ** constraint and the previous equivalent constraint have explicit
+          ** ON CONFLICT clauses this is an error. Otherwise, use the
+          ** explicitly specified behaviour for the index.
+          */
+          if( !(pIdx->onError==OE_Default || pIndex->onError==OE_Default) ){
+            sqlite3ErrorMsg(pParse, 
+                "conflicting ON CONFLICT clauses specified", 0);
+          }
+          if( pIdx->onError==OE_Default ){
+            pIdx->onError = pIndex->onError;
+          }
+        }
+        goto exit_create_index;
+      }
+    }
+  }
+
+  /* Link the new Index structure to its table and to the other
+  ** in-memory database structures. 
+  */
+  if( db->init.busy ){
+    Index *p;
+    p = sqlite3HashInsert(&pIndex->pSchema->idxHash, 
+                         pIndex->zName, strlen(pIndex->zName)+1, pIndex);
+    if( p ){
+      assert( p==pIndex );  /* Malloc must have failed */
+      goto exit_create_index;
+    }
+    db->flags |= SQLITE_InternChanges;
+    if( pTblName!=0 ){
+      pIndex->tnum = db->init.newTnum;
+    }
+  }
+
+  /* If the db->init.busy is 0 then create the index on disk.  This
+  ** involves writing the index into the master table and filling in the
+  ** index with the current table contents.
+  **
+  ** The db->init.busy is 0 when the user first enters a CREATE INDEX 
+  ** command.  db->init.busy is 1 when a database is opened and 
+  ** CREATE INDEX statements are read out of the master table.  In
+  ** the latter case the index already exists on disk, which is why
+  ** we don't want to recreate it.
+  **
+  ** If pTblName==0 it means this index is generated as a primary key
+  ** or UNIQUE constraint of a CREATE TABLE statement.  Since the table
+  ** has just been created, it contains no data and the index initialization
+  ** step can be skipped.
+  */
+  else if( db->init.busy==0 ){
+    Vdbe *v;
+    char *zStmt;
+    int iMem = pParse->nMem++;
+
+    v = sqlite3GetVdbe(pParse);
+    if( v==0 ) goto exit_create_index;
+
+
+    /* Create the rootpage for the index
+    */
+    sqlite3BeginWriteOperation(pParse, 1, iDb);
+    sqlite3VdbeAddOp(v, OP_CreateIndex, iDb, 0);
+    sqlite3VdbeAddOp(v, OP_MemStore, iMem, 0);
+
+    /* Gather the complete text of the CREATE INDEX statement into
+    ** the zStmt variable
+    */
+    if( pStart && pEnd ){
+      /* A named index with an explicit CREATE INDEX statement */
+      zStmt = sqlite3MPrintf("CREATE%s INDEX %.*s",
+        onError==OE_None ? "" : " UNIQUE",
+        pEnd->z - pName->z + 1,
+        pName->z);
+    }else{
+      /* An automatic index created by a PRIMARY KEY or UNIQUE constraint */
+      /* zStmt = sqlite3MPrintf(""); */
+      zStmt = 0;
+    }
+
+    /* Add an entry in sqlite_master for this index
+    */
+    sqlite3NestedParse(pParse, 
+        "INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);",
+        db->aDb[iDb].zName, SCHEMA_TABLE(iDb),
+        pIndex->zName,
+        pTab->zName,
+        zStmt
+    );
+    sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+    sqliteFree(zStmt);
+
+    /* Fill the index with data and reparse the schema. Code an OP_Expire
+    ** to invalidate all pre-compiled statements.
+    */
+    if( pTblName ){
+      sqlite3RefillIndex(pParse, pIndex, iMem);
+      sqlite3ChangeCookie(db, v, iDb);
+      sqlite3VdbeOp3(v, OP_ParseSchema, iDb, 0,
+         sqlite3MPrintf("name='%q'", pIndex->zName), P3_DYNAMIC);
+      sqlite3VdbeAddOp(v, OP_Expire, 0, 0);
+    }
+  }
+
+  /* When adding an index to the list of indices for a table, make
+  ** sure all indices labeled OE_Replace come after all those labeled
+  ** OE_Ignore.  This is necessary for the correct operation of UPDATE
+  ** and INSERT.
+  */
+  if( db->init.busy || pTblName==0 ){
+    if( onError!=OE_Replace || pTab->pIndex==0
+         || pTab->pIndex->onError==OE_Replace){
+      pIndex->pNext = pTab->pIndex;
+      pTab->pIndex = pIndex;
+    }else{
+      Index *pOther = pTab->pIndex;
+      while( pOther->pNext && pOther->pNext->onError!=OE_Replace ){
+        pOther = pOther->pNext;
+      }
+      pIndex->pNext = pOther->pNext;
+      pOther->pNext = pIndex;
+    }
+    pIndex = 0;
+  }
+
+  /* Clean up before exiting */
+exit_create_index:
+  if( pIndex ){
+    freeIndex(pIndex);
+  }
+  sqlite3ExprListDelete(pList);
+  sqlite3SrcListDelete(pTblName);
+  sqliteFree(zName);
+  return;
+}
+
+/*
+** Generate code to make sure the file format number is at least minFormat.
+** The generated code will increase the file format number if necessary.
+*/
+void sqlite3MinimumFileFormat(Parse *pParse, int iDb, int minFormat){
+  Vdbe *v;
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_ReadCookie, iDb, 1);
+    sqlite3VdbeAddOp(v, OP_Integer, minFormat, 0);
+    sqlite3VdbeAddOp(v, OP_Ge, 0, sqlite3VdbeCurrentAddr(v)+3);
+    sqlite3VdbeAddOp(v, OP_Integer, minFormat, 0);
+    sqlite3VdbeAddOp(v, OP_SetCookie, iDb, 1);
+  }
+}
+
+/*
+** Fill the Index.aiRowEst[] array with default information - information
+** to be used when we have not run the ANALYZE command.
+**
+** aiRowEst[0] is suppose to contain the number of elements in the index.
+** Since we do not know, guess 1 million.  aiRowEst[1] is an estimate of the
+** number of rows in the table that match any particular value of the
+** first column of the index.  aiRowEst[2] is an estimate of the number
+** of rows that match any particular combiniation of the first 2 columns
+** of the index.  And so forth.  It must always be the case that
+*
+**           aiRowEst[N]<=aiRowEst[N-1]
+**           aiRowEst[N]>=1
+**
+** Apart from that, we have little to go on besides intuition as to
+** how aiRowEst[] should be initialized.  The numbers generated here
+** are based on typical values found in actual indices.
+*/
+void sqlite3DefaultRowEst(Index *pIdx){
+  unsigned *a = pIdx->aiRowEst;
+  int i;
+  assert( a!=0 );
+  a[0] = 1000000;
+  for(i=pIdx->nColumn; i>=5; i--){
+    a[i] = 5;
+  }
+  while( i>=1 ){
+    a[i] = 11 - i;
+    i--;
+  }
+  if( pIdx->onError!=OE_None ){
+    a[pIdx->nColumn] = 1;
+  }
+}
+
+/*
+** This routine will drop an existing named index.  This routine
+** implements the DROP INDEX statement.
+*/
+void sqlite3DropIndex(Parse *pParse, SrcList *pName, int ifExists){
+  Index *pIndex;
+  Vdbe *v;
+  sqlite3 *db = pParse->db;
+  int iDb;
+
+  if( pParse->nErr || sqlite3MallocFailed() ){
+    goto exit_drop_index;
+  }
+  assert( pName->nSrc==1 );
+  if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+    goto exit_drop_index;
+  }
+  pIndex = sqlite3FindIndex(db, pName->a[0].zName, pName->a[0].zDatabase);
+  if( pIndex==0 ){
+    if( !ifExists ){
+      sqlite3ErrorMsg(pParse, "no such index: %S", pName, 0);
+    }
+    pParse->checkSchema = 1;
+    goto exit_drop_index;
+  }
+  if( pIndex->autoIndex ){
+    sqlite3ErrorMsg(pParse, "index associated with UNIQUE "
+      "or PRIMARY KEY constraint cannot be dropped", 0);
+    goto exit_drop_index;
+  }
+  iDb = sqlite3SchemaToIndex(db, pIndex->pSchema);
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  {
+    int code = SQLITE_DROP_INDEX;
+    Table *pTab = pIndex->pTable;
+    const char *zDb = db->aDb[iDb].zName;
+    const char *zTab = SCHEMA_TABLE(iDb);
+    if( sqlite3AuthCheck(pParse, SQLITE_DELETE, zTab, 0, zDb) ){
+      goto exit_drop_index;
+    }
+    if( !OMIT_TEMPDB && iDb ) code = SQLITE_DROP_TEMP_INDEX;
+    if( sqlite3AuthCheck(pParse, code, pIndex->zName, pTab->zName, zDb) ){
+      goto exit_drop_index;
+    }
+  }
+#endif
+
+  /* Generate code to remove the index and from the master table */
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3NestedParse(pParse,
+       "DELETE FROM %Q.%s WHERE name=%Q",
+       db->aDb[iDb].zName, SCHEMA_TABLE(iDb),
+       pIndex->zName
+    );
+    sqlite3ChangeCookie(db, v, iDb);
+    destroyRootPage(pParse, pIndex->tnum, iDb);
+    sqlite3VdbeOp3(v, OP_DropIndex, iDb, 0, pIndex->zName, 0);
+  }
+
+exit_drop_index:
+  sqlite3SrcListDelete(pName);
+}
+
+/*
+** pArray is a pointer to an array of objects.  Each object in the
+** array is szEntry bytes in size.  This routine allocates a new
+** object on the end of the array.
+**
+** *pnEntry is the number of entries already in use.  *pnAlloc is
+** the previously allocated size of the array.  initSize is the
+** suggested initial array size allocation.
+**
+** The index of the new entry is returned in *pIdx.
+**
+** This routine returns a pointer to the array of objects.  This
+** might be the same as the pArray parameter or it might be a different
+** pointer if the array was resized.
+*/
+void *sqlite3ArrayAllocate(
+  void *pArray,     /* Array of objects.  Might be reallocated */
+  int szEntry,      /* Size of each object in the array */
+  int initSize,     /* Suggested initial allocation, in elements */
+  int *pnEntry,     /* Number of objects currently in use */
+  int *pnAlloc,     /* Current size of the allocation, in elements */
+  int *pIdx         /* Write the index of a new slot here */
+){
+  char *z;
+  if( *pnEntry >= *pnAlloc ){
+    void *pNew;
+    int newSize;
+    newSize = (*pnAlloc)*2 + initSize;
+    pNew = sqliteRealloc(pArray, newSize*szEntry);
+    if( pNew==0 ){
+      *pIdx = -1;
+      return pArray;
+    }
+    *pnAlloc = newSize;
+    pArray = pNew;
+  }
+  z = (char*)pArray;
+  memset(&z[*pnEntry * szEntry], 0, szEntry);
+  *pIdx = *pnEntry;
+  ++*pnEntry;
+  return pArray;
+}
+
+/*
+** Append a new element to the given IdList.  Create a new IdList if
+** need be.
+**
+** A new IdList is returned, or NULL if malloc() fails.
+*/
+IdList *sqlite3IdListAppend(IdList *pList, Token *pToken){
+  int i;
+  if( pList==0 ){
+    pList = sqliteMalloc( sizeof(IdList) );
+    if( pList==0 ) return 0;
+    pList->nAlloc = 0;
+  }
+  pList->a = sqlite3ArrayAllocate(
+      pList->a,
+      sizeof(pList->a[0]),
+      5,
+      &pList->nId,
+      &pList->nAlloc,
+      &i
+  );
+  if( i<0 ){
+    sqlite3IdListDelete(pList);
+    return 0;
+  }
+  pList->a[i].zName = sqlite3NameFromToken(pToken);
+  return pList;
+}
+
+/*
+** Delete an IdList.
+*/
+void sqlite3IdListDelete(IdList *pList){
+  int i;
+  if( pList==0 ) return;
+  for(i=0; i<pList->nId; i++){
+    sqliteFree(pList->a[i].zName);
+  }
+  sqliteFree(pList->a);
+  sqliteFree(pList);
+}
+
+/*
+** Return the index in pList of the identifier named zId.  Return -1
+** if not found.
+*/
+int sqlite3IdListIndex(IdList *pList, const char *zName){
+  int i;
+  if( pList==0 ) return -1;
+  for(i=0; i<pList->nId; i++){
+    if( sqlite3StrICmp(pList->a[i].zName, zName)==0 ) return i;
+  }
+  return -1;
+}
+
+/*
+** Append a new table name to the given SrcList.  Create a new SrcList if
+** need be.  A new entry is created in the SrcList even if pToken is NULL.
+**
+** A new SrcList is returned, or NULL if malloc() fails.
+**
+** If pDatabase is not null, it means that the table has an optional
+** database name prefix.  Like this:  "database.table".  The pDatabase
+** points to the table name and the pTable points to the database name.
+** The SrcList.a[].zName field is filled with the table name which might
+** come from pTable (if pDatabase is NULL) or from pDatabase.  
+** SrcList.a[].zDatabase is filled with the database name from pTable,
+** or with NULL if no database is specified.
+**
+** In other words, if call like this:
+**
+**         sqlite3SrcListAppend(A,B,0);
+**
+** Then B is a table name and the database name is unspecified.  If called
+** like this:
+**
+**         sqlite3SrcListAppend(A,B,C);
+**
+** Then C is the table name and B is the database name.
+*/
+SrcList *sqlite3SrcListAppend(SrcList *pList, Token *pTable, Token *pDatabase){
+  struct SrcList_item *pItem;
+  if( pList==0 ){
+    pList = sqliteMalloc( sizeof(SrcList) );
+    if( pList==0 ) return 0;
+    pList->nAlloc = 1;
+  }
+  if( pList->nSrc>=pList->nAlloc ){
+    SrcList *pNew;
+    pList->nAlloc *= 2;
+    pNew = sqliteRealloc(pList,
+               sizeof(*pList) + (pList->nAlloc-1)*sizeof(pList->a[0]) );
+    if( pNew==0 ){
+      sqlite3SrcListDelete(pList);
+      return 0;
+    }
+    pList = pNew;
+  }
+  pItem = &pList->a[pList->nSrc];
+  memset(pItem, 0, sizeof(pList->a[0]));
+  if( pDatabase && pDatabase->z==0 ){
+    pDatabase = 0;
+  }
+  if( pDatabase && pTable ){
+    Token *pTemp = pDatabase;
+    pDatabase = pTable;
+    pTable = pTemp;
+  }
+  pItem->zName = sqlite3NameFromToken(pTable);
+  pItem->zDatabase = sqlite3NameFromToken(pDatabase);
+  pItem->iCursor = -1;
+  pItem->isPopulated = 0;
+  pList->nSrc++;
+  return pList;
+}
+
+/*
+** Assign cursors to all tables in a SrcList
+*/
+void sqlite3SrcListAssignCursors(Parse *pParse, SrcList *pList){
+  int i;
+  struct SrcList_item *pItem;
+  assert(pList || sqlite3MallocFailed() );
+  if( pList ){
+    for(i=0, pItem=pList->a; i<pList->nSrc; i++, pItem++){
+      if( pItem->iCursor>=0 ) break;
+      pItem->iCursor = pParse->nTab++;
+      if( pItem->pSelect ){
+        sqlite3SrcListAssignCursors(pParse, pItem->pSelect->pSrc);
+      }
+    }
+  }
+}
+
+/*
+** Delete an entire SrcList including all its substructure.
+*/
+void sqlite3SrcListDelete(SrcList *pList){
+  int i;
+  struct SrcList_item *pItem;
+  if( pList==0 ) return;
+  for(pItem=pList->a, i=0; i<pList->nSrc; i++, pItem++){
+    sqliteFree(pItem->zDatabase);
+    sqliteFree(pItem->zName);
+    sqliteFree(pItem->zAlias);
+    sqlite3DeleteTable(pItem->pTab);
+    sqlite3SelectDelete(pItem->pSelect);
+    sqlite3ExprDelete(pItem->pOn);
+    sqlite3IdListDelete(pItem->pUsing);
+  }
+  sqliteFree(pList);
+}
+
+/*
+** This routine is called by the parser to add a new term to the
+** end of a growing FROM clause.  The "p" parameter is the part of
+** the FROM clause that has already been constructed.  "p" is NULL
+** if this is the first term of the FROM clause.  pTable and pDatabase
+** are the name of the table and database named in the FROM clause term.
+** pDatabase is NULL if the database name qualifier is missing - the
+** usual case.  If the term has a alias, then pAlias points to the
+** alias token.  If the term is a subquery, then pSubquery is the
+** SELECT statement that the subquery encodes.  The pTable and
+** pDatabase parameters are NULL for subqueries.  The pOn and pUsing
+** parameters are the content of the ON and USING clauses.
+**
+** Return a new SrcList which encodes is the FROM with the new
+** term added.
+*/
+SrcList *sqlite3SrcListAppendFromTerm(
+  SrcList *p,             /* The left part of the FROM clause already seen */
+  Token *pTable,          /* Name of the table to add to the FROM clause */
+  Token *pDatabase,       /* Name of the database containing pTable */
+  Token *pAlias,          /* The right-hand side of the AS subexpression */
+  Select *pSubquery,      /* A subquery used in place of a table name */
+  Expr *pOn,              /* The ON clause of a join */
+  IdList *pUsing          /* The USING clause of a join */
+){
+  struct SrcList_item *pItem;
+  p = sqlite3SrcListAppend(p, pTable, pDatabase);
+  if( p==0 || p->nSrc==0 ){
+    sqlite3ExprDelete(pOn);
+    sqlite3IdListDelete(pUsing);
+    sqlite3SelectDelete(pSubquery);
+    return p;
+  }
+  pItem = &p->a[p->nSrc-1];
+  if( pAlias && pAlias->n ){
+    pItem->zAlias = sqlite3NameFromToken(pAlias);
+  }
+  pItem->pSelect = pSubquery;
+  pItem->pOn = pOn;
+  pItem->pUsing = pUsing;
+  return p;
+}
+
+/*
+** When building up a FROM clause in the parser, the join operator
+** is initially attached to the left operand.  But the code generator
+** expects the join operator to be on the right operand.  This routine
+** Shifts all join operators from left to right for an entire FROM
+** clause.
+**
+** Example: Suppose the join is like this:
+**
+**           A natural cross join B
+**
+** The operator is "natural cross join".  The A and B operands are stored
+** in p->a[0] and p->a[1], respectively.  The parser initially stores the
+** operator with A.  This routine shifts that operator over to B.
+*/
+void sqlite3SrcListShiftJoinType(SrcList *p){
+  if( p && p->a ){
+    int i;
+    for(i=p->nSrc-1; i>0; i--){
+      p->a[i].jointype = p->a[i-1].jointype;
+    }
+    p->a[0].jointype = 0;
+  }
+}
+
+/*
+** Begin a transaction
+*/
+void sqlite3BeginTransaction(Parse *pParse, int type){
+  sqlite3 *db;
+  Vdbe *v;
+  int i;
+
+  if( pParse==0 || (db=pParse->db)==0 || db->aDb[0].pBt==0 ) return;
+  if( pParse->nErr || sqlite3MallocFailed() ) return;
+  if( sqlite3AuthCheck(pParse, SQLITE_TRANSACTION, "BEGIN", 0, 0) ) return;
+
+  v = sqlite3GetVdbe(pParse);
+  if( !v ) return;
+  if( type!=TK_DEFERRED ){
+    for(i=0; i<db->nDb; i++){
+      sqlite3VdbeAddOp(v, OP_Transaction, i, (type==TK_EXCLUSIVE)+1);
+    }
+  }
+  sqlite3VdbeAddOp(v, OP_AutoCommit, 0, 0);
+}
+
+/*
+** Commit a transaction
+*/
+void sqlite3CommitTransaction(Parse *pParse){
+  sqlite3 *db;
+  Vdbe *v;
+
+  if( pParse==0 || (db=pParse->db)==0 || db->aDb[0].pBt==0 ) return;
+  if( pParse->nErr || sqlite3MallocFailed() ) return;
+  if( sqlite3AuthCheck(pParse, SQLITE_TRANSACTION, "COMMIT", 0, 0) ) return;
+
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_AutoCommit, 1, 0);
+  }
+}
+
+/*
+** Rollback a transaction
+*/
+void sqlite3RollbackTransaction(Parse *pParse){
+  sqlite3 *db;
+  Vdbe *v;
+
+  if( pParse==0 || (db=pParse->db)==0 || db->aDb[0].pBt==0 ) return;
+  if( pParse->nErr || sqlite3MallocFailed() ) return;
+  if( sqlite3AuthCheck(pParse, SQLITE_TRANSACTION, "ROLLBACK", 0, 0) ) return;
+
+  v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_AutoCommit, 1, 1);
+  }
+}
+
+/*
+** Make sure the TEMP database is open and available for use.  Return
+** the number of errors.  Leave any error messages in the pParse structure.
+*/
+int sqlite3OpenTempDatabase(Parse *pParse){
+  sqlite3 *db = pParse->db;
+  if( db->aDb[1].pBt==0 && !pParse->explain ){
+    int rc = sqlite3BtreeFactory(db, 0, 0, MAX_PAGES, &db->aDb[1].pBt);
+    if( rc!=SQLITE_OK ){
+      sqlite3ErrorMsg(pParse, "unable to open a temporary database "
+        "file for storing temporary tables");
+      pParse->rc = rc;
+      return 1;
+    }
+    if( db->flags & !db->autoCommit ){
+      rc = sqlite3BtreeBeginTrans(db->aDb[1].pBt, 1);
+      if( rc!=SQLITE_OK ){
+        sqlite3ErrorMsg(pParse, "unable to get a write lock on "
+          "the temporary database file");
+        pParse->rc = rc;
+        return 1;
+      }
+    }
+    assert( db->aDb[1].pSchema );
+  }
+  return 0;
+}
+
+/*
+** Generate VDBE code that will verify the schema cookie and start
+** a read-transaction for all named database files.
+**
+** It is important that all schema cookies be verified and all
+** read transactions be started before anything else happens in
+** the VDBE program.  But this routine can be called after much other
+** code has been generated.  So here is what we do:
+**
+** The first time this routine is called, we code an OP_Goto that
+** will jump to a subroutine at the end of the program.  Then we
+** record every database that needs its schema verified in the
+** pParse->cookieMask field.  Later, after all other code has been
+** generated, the subroutine that does the cookie verifications and
+** starts the transactions will be coded and the OP_Goto P2 value
+** will be made to point to that subroutine.  The generation of the
+** cookie verification subroutine code happens in sqlite3FinishCoding().
+**
+** If iDb<0 then code the OP_Goto only - don't set flag to verify the
+** schema on any databases.  This can be used to position the OP_Goto
+** early in the code, before we know if any database tables will be used.
+*/
+void sqlite3CodeVerifySchema(Parse *pParse, int iDb){
+  sqlite3 *db;
+  Vdbe *v;
+  int mask;
+
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return;  /* This only happens if there was a prior error */
+  db = pParse->db;
+  if( pParse->cookieGoto==0 ){
+    pParse->cookieGoto = sqlite3VdbeAddOp(v, OP_Goto, 0, 0)+1;
+  }
+  if( iDb>=0 ){
+    assert( iDb<db->nDb );
+    assert( db->aDb[iDb].pBt!=0 || iDb==1 );
+    assert( iDb<MAX_ATTACHED+2 );
+    mask = 1<<iDb;
+    if( (pParse->cookieMask & mask)==0 ){
+      pParse->cookieMask |= mask;
+      pParse->cookieValue[iDb] = db->aDb[iDb].pSchema->schema_cookie;
+      if( !OMIT_TEMPDB && iDb==1 ){
+        sqlite3OpenTempDatabase(pParse);
+      }
+    }
+  }
+}
+
+/*
+** Generate VDBE code that prepares for doing an operation that
+** might change the database.
+**
+** This routine starts a new transaction if we are not already within
+** a transaction.  If we are already within a transaction, then a checkpoint
+** is set if the setStatement parameter is true.  A checkpoint should
+** be set for operations that might fail (due to a constraint) part of
+** the way through and which will need to undo some writes without having to
+** rollback the whole transaction.  For operations where all constraints
+** can be checked before any changes are made to the database, it is never
+** necessary to undo a write and the checkpoint should not be set.
+**
+** Only database iDb and the temp database are made writable by this call.
+** If iDb==0, then the main and temp databases are made writable.   If
+** iDb==1 then only the temp database is made writable.  If iDb>1 then the
+** specified auxiliary database and the temp database are made writable.
+*/
+void sqlite3BeginWriteOperation(Parse *pParse, int setStatement, int iDb){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return;
+  sqlite3CodeVerifySchema(pParse, iDb);
+  pParse->writeMask |= 1<<iDb;
+  if( setStatement && pParse->nested==0 ){
+    sqlite3VdbeAddOp(v, OP_Statement, iDb, 0);
+  }
+  if( (OMIT_TEMPDB || iDb!=1) && pParse->db->aDb[1].pBt!=0 ){
+    sqlite3BeginWriteOperation(pParse, setStatement, 1);
+  }
+}
+
+/*
+** Check to see if pIndex uses the collating sequence pColl.  Return
+** true if it does and false if it does not.
+*/
+#ifndef SQLITE_OMIT_REINDEX
+static int collationMatch(const char *zColl, Index *pIndex){
+  int i;
+  for(i=0; i<pIndex->nColumn; i++){
+    const char *z = pIndex->azColl[i];
+    if( z==zColl || (z && zColl && 0==sqlite3StrICmp(z, zColl)) ){
+      return 1;
+    }
+  }
+  return 0;
+}
+#endif
+
+/*
+** Recompute all indices of pTab that use the collating sequence pColl.
+** If pColl==0 then recompute all indices of pTab.
+*/
+#ifndef SQLITE_OMIT_REINDEX
+static void reindexTable(Parse *pParse, Table *pTab, char const *zColl){
+  Index *pIndex;              /* An index associated with pTab */
+
+  for(pIndex=pTab->pIndex; pIndex; pIndex=pIndex->pNext){
+    if( zColl==0 || collationMatch(zColl, pIndex) ){
+      int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+      sqlite3BeginWriteOperation(pParse, 0, iDb);
+      sqlite3RefillIndex(pParse, pIndex, -1);
+    }
+  }
+}
+#endif
+
+/*
+** Recompute all indices of all tables in all databases where the
+** indices use the collating sequence pColl.  If pColl==0 then recompute
+** all indices everywhere.
+*/
+#ifndef SQLITE_OMIT_REINDEX
+static void reindexDatabases(Parse *pParse, char const *zColl){
+  Db *pDb;                    /* A single database */
+  int iDb;                    /* The database index number */
+  sqlite3 *db = pParse->db;   /* The database connection */
+  HashElem *k;                /* For looping over tables in pDb */
+  Table *pTab;                /* A table in the database */
+
+  for(iDb=0, pDb=db->aDb; iDb<db->nDb; iDb++, pDb++){
+    assert( pDb!=0 );
+    for(k=sqliteHashFirst(&pDb->pSchema->tblHash);  k; k=sqliteHashNext(k)){
+      pTab = (Table*)sqliteHashData(k);
+      reindexTable(pParse, pTab, zColl);
+    }
+  }
+}
+#endif
+
+/*
+** Generate code for the REINDEX command.
+**
+**        REINDEX                            -- 1
+**        REINDEX  <collation>               -- 2
+**        REINDEX  ?<database>.?<tablename>  -- 3
+**        REINDEX  ?<database>.?<indexname>  -- 4
+**
+** Form 1 causes all indices in all attached databases to be rebuilt.
+** Form 2 rebuilds all indices in all databases that use the named
+** collating function.  Forms 3 and 4 rebuild the named index or all
+** indices associated with the named table.
+*/
+#ifndef SQLITE_OMIT_REINDEX
+void sqlite3Reindex(Parse *pParse, Token *pName1, Token *pName2){
+  CollSeq *pColl;             /* Collating sequence to be reindexed, or NULL */
+  char *z;                    /* Name of a table or index */
+  const char *zDb;            /* Name of the database */
+  Table *pTab;                /* A table in the database */
+  Index *pIndex;              /* An index associated with pTab */
+  int iDb;                    /* The database index number */
+  sqlite3 *db = pParse->db;   /* The database connection */
+  Token *pObjName;            /* Name of the table or index to be reindexed */
+
+  /* Read the database schema. If an error occurs, leave an error message
+  ** and code in pParse and return NULL. */
+  if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+    return;
+  }
+
+  if( pName1==0 || pName1->z==0 ){
+    reindexDatabases(pParse, 0);
+    return;
+  }else if( pName2==0 || pName2->z==0 ){
+    assert( pName1->z );
+    pColl = sqlite3FindCollSeq(db, ENC(db), (char*)pName1->z, pName1->n, 0);
+    if( pColl ){
+      char *zColl = sqliteStrNDup((const char *)pName1->z, pName1->n);
+      if( zColl ){
+        reindexDatabases(pParse, zColl);
+        sqliteFree(zColl);
+      }
+      return;
+    }
+  }
+  iDb = sqlite3TwoPartName(pParse, pName1, pName2, &pObjName);
+  if( iDb<0 ) return;
+  z = sqlite3NameFromToken(pObjName);
+  zDb = db->aDb[iDb].zName;
+  pTab = sqlite3FindTable(db, z, zDb);
+  if( pTab ){
+    reindexTable(pParse, pTab, 0);
+    sqliteFree(z);
+    return;
+  }
+  pIndex = sqlite3FindIndex(db, z, zDb);
+  sqliteFree(z);
+  if( pIndex ){
+    sqlite3BeginWriteOperation(pParse, 0, iDb);
+    sqlite3RefillIndex(pParse, pIndex, -1);
+    return;
+  }
+  sqlite3ErrorMsg(pParse, "unable to identify the object to be reindexed");
+}
+#endif
+
+/*
+** Return a dynamicly allocated KeyInfo structure that can be used
+** with OP_OpenRead or OP_OpenWrite to access database index pIdx.
+**
+** If successful, a pointer to the new structure is returned. In this case
+** the caller is responsible for calling sqliteFree() on the returned 
+** pointer. If an error occurs (out of memory or missing collation 
+** sequence), NULL is returned and the state of pParse updated to reflect
+** the error.
+*/
+KeyInfo *sqlite3IndexKeyinfo(Parse *pParse, Index *pIdx){
+  int i;
+  int nCol = pIdx->nColumn;
+  int nBytes = sizeof(KeyInfo) + (nCol-1)*sizeof(CollSeq*) + nCol;
+  KeyInfo *pKey = (KeyInfo *)sqliteMalloc(nBytes);
+
+  if( pKey ){
+    pKey->aSortOrder = (u8 *)&(pKey->aColl[nCol]);
+    assert( &pKey->aSortOrder[nCol]==&(((u8 *)pKey)[nBytes]) );
+    for(i=0; i<nCol; i++){
+      char *zColl = pIdx->azColl[i];
+      assert( zColl );
+      pKey->aColl[i] = sqlite3LocateCollSeq(pParse, zColl, -1);
+      pKey->aSortOrder[i] = pIdx->aSortOrder[i];
+    }
+    pKey->nField = nCol;
+  }
+
+  if( pParse->nErr ){
+    sqliteFree(pKey);
+    pKey = 0;
+  }
+  return pKey;
+}
+
+/************** End of build.c ***********************************************/
+/************** Begin file callback.c ****************************************/
+/*
+** 2005 May 23 
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+**
+** This file contains functions used to access the internal hash tables
+** of user defined functions and collation sequences.
+**
+** $Id$
+*/
+
+
+/*
+** Invoke the 'collation needed' callback to request a collation sequence
+** in the database text encoding of name zName, length nName.
+** If the collation sequence
+*/
+static void callCollNeeded(sqlite3 *db, const char *zName, int nName){
+  assert( !db->xCollNeeded || !db->xCollNeeded16 );
+  if( nName<0 ) nName = strlen(zName);
+  if( db->xCollNeeded ){
+    char *zExternal = sqliteStrNDup(zName, nName);
+    if( !zExternal ) return;
+    db->xCollNeeded(db->pCollNeededArg, db, (int)ENC(db), zExternal);
+    sqliteFree(zExternal);
+  }
+#ifndef SQLITE_OMIT_UTF16
+  if( db->xCollNeeded16 ){
+    char const *zExternal;
+    sqlite3_value *pTmp = sqlite3ValueNew();
+    sqlite3ValueSetStr(pTmp, nName, zName, SQLITE_UTF8, SQLITE_STATIC);
+    zExternal = sqlite3ValueText(pTmp, SQLITE_UTF16NATIVE);
+    if( zExternal ){
+      db->xCollNeeded16(db->pCollNeededArg, db, (int)ENC(db), zExternal);
+    }
+    sqlite3ValueFree(pTmp);
+  }
+#endif
+}
+
+/*
+** This routine is called if the collation factory fails to deliver a
+** collation function in the best encoding but there may be other versions
+** of this collation function (for other text encodings) available. Use one
+** of these instead if they exist. Avoid a UTF-8 <-> UTF-16 conversion if
+** possible.
+*/
+static int synthCollSeq(sqlite3 *db, CollSeq *pColl){
+  CollSeq *pColl2;
+  char *z = pColl->zName;
+  int n = strlen(z);
+  int i;
+  static const u8 aEnc[] = { SQLITE_UTF16BE, SQLITE_UTF16LE, SQLITE_UTF8 };
+  for(i=0; i<3; i++){
+    pColl2 = sqlite3FindCollSeq(db, aEnc[i], z, n, 0);
+    if( pColl2->xCmp!=0 ){
+      memcpy(pColl, pColl2, sizeof(CollSeq));
+      return SQLITE_OK;
+    }
+  }
+  return SQLITE_ERROR;
+}
+
+/*
+** This function is responsible for invoking the collation factory callback
+** or substituting a collation sequence of a different encoding when the
+** requested collation sequence is not available in the database native
+** encoding.
+** 
+** If it is not NULL, then pColl must point to the database native encoding 
+** collation sequence with name zName, length nName.
+**
+** The return value is either the collation sequence to be used in database
+** db for collation type name zName, length nName, or NULL, if no collation
+** sequence can be found.
+*/
+CollSeq *sqlite3GetCollSeq(
+  sqlite3* db, 
+  CollSeq *pColl, 
+  const char *zName, 
+  int nName
+){
+  CollSeq *p;
+
+  p = pColl;
+  if( !p ){
+    p = sqlite3FindCollSeq(db, ENC(db), zName, nName, 0);
+  }
+  if( !p || !p->xCmp ){
+    /* No collation sequence of this type for this encoding is registered.
+    ** Call the collation factory to see if it can supply us with one.
+    */
+    callCollNeeded(db, zName, nName);
+    p = sqlite3FindCollSeq(db, ENC(db), zName, nName, 0);
+  }
+  if( p && !p->xCmp && synthCollSeq(db, p) ){
+    p = 0;
+  }
+  assert( !p || p->xCmp );
+  return p;
+}
+
+/*
+** This routine is called on a collation sequence before it is used to
+** check that it is defined. An undefined collation sequence exists when
+** a database is loaded that contains references to collation sequences
+** that have not been defined by sqlite3_create_collation() etc.
+**
+** If required, this routine calls the 'collation needed' callback to
+** request a definition of the collating sequence. If this doesn't work, 
+** an equivalent collating sequence that uses a text encoding different
+** from the main database is substituted, if one is available.
+*/
+int sqlite3CheckCollSeq(Parse *pParse, CollSeq *pColl){
+  if( pColl ){
+    const char *zName = pColl->zName;
+    CollSeq *p = sqlite3GetCollSeq(pParse->db, pColl, zName, -1);
+    if( !p ){
+      if( pParse->nErr==0 ){
+        sqlite3ErrorMsg(pParse, "no such collation sequence: %s", zName);
+      }
+      pParse->nErr++;
+      return SQLITE_ERROR;
+    }
+    assert( p==pColl );
+  }
+  return SQLITE_OK;
+}
+
+
+
+/*
+** Locate and return an entry from the db.aCollSeq hash table. If the entry
+** specified by zName and nName is not found and parameter 'create' is
+** true, then create a new entry. Otherwise return NULL.
+**
+** Each pointer stored in the sqlite3.aCollSeq hash table contains an
+** array of three CollSeq structures. The first is the collation sequence
+** prefferred for UTF-8, the second UTF-16le, and the third UTF-16be.
+**
+** Stored immediately after the three collation sequences is a copy of
+** the collation sequence name. A pointer to this string is stored in
+** each collation sequence structure.
+*/
+static CollSeq *findCollSeqEntry(
+  sqlite3 *db,
+  const char *zName,
+  int nName,
+  int create
+){
+  CollSeq *pColl;
+  if( nName<0 ) nName = strlen(zName);
+  pColl = sqlite3HashFind(&db->aCollSeq, zName, nName);
+
+  if( 0==pColl && create ){
+    pColl = sqliteMalloc( 3*sizeof(*pColl) + nName + 1 );
+    if( pColl ){
+      CollSeq *pDel = 0;
+      pColl[0].zName = (char*)&pColl[3];
+      pColl[0].enc = SQLITE_UTF8;
+      pColl[1].zName = (char*)&pColl[3];
+      pColl[1].enc = SQLITE_UTF16LE;
+      pColl[2].zName = (char*)&pColl[3];
+      pColl[2].enc = SQLITE_UTF16BE;
+      memcpy(pColl[0].zName, zName, nName);
+      pColl[0].zName[nName] = 0;
+      pDel = sqlite3HashInsert(&db->aCollSeq, pColl[0].zName, nName, pColl);
+
+      /* If a malloc() failure occured in sqlite3HashInsert(), it will 
+      ** return the pColl pointer to be deleted (because it wasn't added
+      ** to the hash table).
+      */
+      assert( !pDel || (sqlite3MallocFailed() && pDel==pColl) );
+      if( pDel ){
+        sqliteFree(pDel);
+        pColl = 0;
+      }
+    }
+  }
+  return pColl;
+}
+
+/*
+** Parameter zName points to a UTF-8 encoded string nName bytes long.
+** Return the CollSeq* pointer for the collation sequence named zName
+** for the encoding 'enc' from the database 'db'.
+**
+** If the entry specified is not found and 'create' is true, then create a
+** new entry.  Otherwise return NULL.
+**
+** A separate function sqlite3LocateCollSeq() is a wrapper around
+** this routine.  sqlite3LocateCollSeq() invokes the collation factory
+** if necessary and generates an error message if the collating sequence
+** cannot be found.
+*/
+CollSeq *sqlite3FindCollSeq(
+  sqlite3 *db,
+  u8 enc,
+  const char *zName,
+  int nName,
+  int create
+){
+  CollSeq *pColl;
+  if( zName ){
+    pColl = findCollSeqEntry(db, zName, nName, create);
+  }else{
+    pColl = db->pDfltColl;
+  }
+  assert( SQLITE_UTF8==1 && SQLITE_UTF16LE==2 && SQLITE_UTF16BE==3 );
+  assert( enc>=SQLITE_UTF8 && enc<=SQLITE_UTF16BE );
+  if( pColl ) pColl += enc-1;
+  return pColl;
+}
+
+/*
+** Locate a user function given a name, a number of arguments and a flag
+** indicating whether the function prefers UTF-16 over UTF-8.  Return a
+** pointer to the FuncDef structure that defines that function, or return
+** NULL if the function does not exist.
+**
+** If the createFlag argument is true, then a new (blank) FuncDef
+** structure is created and liked into the "db" structure if a
+** no matching function previously existed.  When createFlag is true
+** and the nArg parameter is -1, then only a function that accepts
+** any number of arguments will be returned.
+**
+** If createFlag is false and nArg is -1, then the first valid
+** function found is returned.  A function is valid if either xFunc
+** or xStep is non-zero.
+**
+** If createFlag is false, then a function with the required name and
+** number of arguments may be returned even if the eTextRep flag does not
+** match that requested.
+*/
+FuncDef *sqlite3FindFunction(
+  sqlite3 *db,       /* An open database */
+  const char *zName, /* Name of the function.  Not null-terminated */
+  int nName,         /* Number of characters in the name */
+  int nArg,          /* Number of arguments.  -1 means any number */
+  u8 enc,            /* Preferred text encoding */
+  int createFlag     /* Create new entry if true and does not otherwise exist */
+){
+  FuncDef *p;         /* Iterator variable */
+  FuncDef *pFirst;    /* First function with this name */
+  FuncDef *pBest = 0; /* Best match found so far */
+  int bestmatch = 0;  
+
+
+  assert( enc==SQLITE_UTF8 || enc==SQLITE_UTF16LE || enc==SQLITE_UTF16BE );
+  if( nArg<-1 ) nArg = -1;
+
+  pFirst = (FuncDef*)sqlite3HashFind(&db->aFunc, zName, nName);
+  for(p=pFirst; p; p=p->pNext){
+    /* During the search for the best function definition, bestmatch is set
+    ** as follows to indicate the quality of the match with the definition
+    ** pointed to by pBest:
+    **
+    ** 0: pBest is NULL. No match has been found.
+    ** 1: A variable arguments function that prefers UTF-8 when a UTF-16
+    **    encoding is requested, or vice versa.
+    ** 2: A variable arguments function that uses UTF-16BE when UTF-16LE is
+    **    requested, or vice versa.
+    ** 3: A variable arguments function using the same text encoding.
+    ** 4: A function with the exact number of arguments requested that
+    **    prefers UTF-8 when a UTF-16 encoding is requested, or vice versa.
+    ** 5: A function with the exact number of arguments requested that
+    **    prefers UTF-16LE when UTF-16BE is requested, or vice versa.
+    ** 6: An exact match.
+    **
+    ** A larger value of 'matchqual' indicates a more desirable match.
+    */
+    if( p->nArg==-1 || p->nArg==nArg || nArg==-1 ){
+      int match = 1;          /* Quality of this match */
+      if( p->nArg==nArg || nArg==-1 ){
+        match = 4;
+      }
+      if( enc==p->iPrefEnc ){
+        match += 2;
+      }
+      else if( (enc==SQLITE_UTF16LE && p->iPrefEnc==SQLITE_UTF16BE) ||
+               (enc==SQLITE_UTF16BE && p->iPrefEnc==SQLITE_UTF16LE) ){
+        match += 1;
+      }
+
+      if( match>bestmatch ){
+        pBest = p;
+        bestmatch = match;
+      }
+    }
+  }
+
+  /* If the createFlag parameter is true, and the seach did not reveal an
+  ** exact match for the name, number of arguments and encoding, then add a
+  ** new entry to the hash table and return it.
+  */
+  if( createFlag && bestmatch<6 && 
+      (pBest = sqliteMalloc(sizeof(*pBest)+nName))!=0 ){
+    pBest->nArg = nArg;
+    pBest->pNext = pFirst;
+    pBest->iPrefEnc = enc;
+    memcpy(pBest->zName, zName, nName);
+    pBest->zName[nName] = 0;
+    if( pBest==sqlite3HashInsert(&db->aFunc,pBest->zName,nName,(void*)pBest) ){
+      sqliteFree(pBest);
+      return 0;
+    }
+  }
+
+  if( pBest && (pBest->xStep || pBest->xFunc || createFlag) ){
+    return pBest;
+  }
+  return 0;
+}
+
+/*
+** Free all resources held by the schema structure. The void* argument points
+** at a Schema struct. This function does not call sqliteFree() on the 
+** pointer itself, it just cleans up subsiduary resources (i.e. the contents
+** of the schema hash tables).
+*/
+void sqlite3SchemaFree(void *p){
+  Hash temp1;
+  Hash temp2;
+  HashElem *pElem;
+  Schema *pSchema = (Schema *)p;
+
+  temp1 = pSchema->tblHash;
+  temp2 = pSchema->trigHash;
+  sqlite3HashInit(&pSchema->trigHash, SQLITE_HASH_STRING, 0);
+  sqlite3HashClear(&pSchema->aFKey);
+  sqlite3HashClear(&pSchema->idxHash);
+  for(pElem=sqliteHashFirst(&temp2); pElem; pElem=sqliteHashNext(pElem)){
+    sqlite3DeleteTrigger((Trigger*)sqliteHashData(pElem));
+  }
+  sqlite3HashClear(&temp2);
+  sqlite3HashInit(&pSchema->tblHash, SQLITE_HASH_STRING, 0);
+  for(pElem=sqliteHashFirst(&temp1); pElem; pElem=sqliteHashNext(pElem)){
+    Table *pTab = sqliteHashData(pElem);
+    sqlite3DeleteTable(pTab);
+  }
+  sqlite3HashClear(&temp1);
+  pSchema->pSeqTab = 0;
+  pSchema->flags &= ~DB_SchemaLoaded;
+}
+
+/*
+** Find and return the schema associated with a BTree.  Create
+** a new one if necessary.
+*/
+Schema *sqlite3SchemaGet(Btree *pBt){
+  Schema * p;
+  if( pBt ){
+    p = (Schema *)sqlite3BtreeSchema(pBt,sizeof(Schema),sqlite3SchemaFree);
+  }else{
+    p = (Schema *)sqliteMalloc(sizeof(Schema));
+  }
+  if( p && 0==p->file_format ){
+    sqlite3HashInit(&p->tblHash, SQLITE_HASH_STRING, 0);
+    sqlite3HashInit(&p->idxHash, SQLITE_HASH_STRING, 0);
+    sqlite3HashInit(&p->trigHash, SQLITE_HASH_STRING, 0);
+    sqlite3HashInit(&p->aFKey, SQLITE_HASH_STRING, 1);
+    p->enc = SQLITE_UTF8;
+  }
+  return p;
+}
+
+/************** End of callback.c ********************************************/
+/************** Begin file complete.c ****************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** An tokenizer for SQL
+**
+** This file contains C code that implements the sqlite3_complete() API.
+** This code used to be part of the tokenizer.c source file.  But by
+** separating it out, the code will be automatically omitted from
+** static links that do not use it.
+**
+** $Id$
+*/
+#ifndef SQLITE_OMIT_COMPLETE
+
+/*
+** This is defined in tokenize.c.  We just have to import the definition.
+*/
+extern const char sqlite3IsIdChar[];
+#define IdChar(C)  (((c=C)&0x80)!=0 || (c>0x1f && sqlite3IsIdChar[c-0x20]))
+
+
+/*
+** Token types used by the sqlite3_complete() routine.  See the header
+** comments on that procedure for additional information.
+*/
+#define tkSEMI    0
+#define tkWS      1
+#define tkOTHER   2
+#define tkEXPLAIN 3
+#define tkCREATE  4
+#define tkTEMP    5
+#define tkTRIGGER 6
+#define tkEND     7
+
+/*
+** Return TRUE if the given SQL string ends in a semicolon.
+**
+** Special handling is require for CREATE TRIGGER statements.
+** Whenever the CREATE TRIGGER keywords are seen, the statement
+** must end with ";END;".
+**
+** This implementation uses a state machine with 7 states:
+**
+**   (0) START     At the beginning or end of an SQL statement.  This routine
+**                 returns 1 if it ends in the START state and 0 if it ends
+**                 in any other state.
+**
+**   (1) NORMAL    We are in the middle of statement which ends with a single
+**                 semicolon.
+**
+**   (2) EXPLAIN   The keyword EXPLAIN has been seen at the beginning of 
+**                 a statement.
+**
+**   (3) CREATE    The keyword CREATE has been seen at the beginning of a
+**                 statement, possibly preceeded by EXPLAIN and/or followed by
+**                 TEMP or TEMPORARY
+**
+**   (4) TRIGGER   We are in the middle of a trigger definition that must be
+**                 ended by a semicolon, the keyword END, and another semicolon.
+**
+**   (5) SEMI      We've seen the first semicolon in the ";END;" that occurs at
+**                 the end of a trigger definition.
+**
+**   (6) END       We've seen the ";END" of the ";END;" that occurs at the end
+**                 of a trigger difinition.
+**
+** Transitions between states above are determined by tokens extracted
+** from the input.  The following tokens are significant:
+**
+**   (0) tkSEMI      A semicolon.
+**   (1) tkWS        Whitespace
+**   (2) tkOTHER     Any other SQL token.
+**   (3) tkEXPLAIN   The "explain" keyword.
+**   (4) tkCREATE    The "create" keyword.
+**   (5) tkTEMP      The "temp" or "temporary" keyword.
+**   (6) tkTRIGGER   The "trigger" keyword.
+**   (7) tkEND       The "end" keyword.
+**
+** Whitespace never causes a state transition and is always ignored.
+**
+** If we compile with SQLITE_OMIT_TRIGGER, all of the computation needed
+** to recognize the end of a trigger can be omitted.  All we have to do
+** is look for a semicolon that is not part of an string or comment.
+*/
+int sqlite3_complete(const char *zSql){
+  u8 state = 0;   /* Current state, using numbers defined in header comment */
+  u8 token;       /* Value of the next token */
+
+#ifndef SQLITE_OMIT_TRIGGER
+  /* A complex statement machine used to detect the end of a CREATE TRIGGER
+  ** statement.  This is the normal case.
+  */
+  static const u8 trans[7][8] = {
+                     /* Token:                                                */
+     /* State:       **  SEMI  WS  OTHER EXPLAIN  CREATE  TEMP  TRIGGER  END  */
+     /* 0   START: */ {    0,  0,     1,      2,      3,    1,       1,   1,  },
+     /* 1  NORMAL: */ {    0,  1,     1,      1,      1,    1,       1,   1,  },
+     /* 2 EXPLAIN: */ {    0,  2,     1,      1,      3,    1,       1,   1,  },
+     /* 3  CREATE: */ {    0,  3,     1,      1,      1,    3,       4,   1,  },
+     /* 4 TRIGGER: */ {    5,  4,     4,      4,      4,    4,       4,   4,  },
+     /* 5    SEMI: */ {    5,  5,     4,      4,      4,    4,       4,   6,  },
+     /* 6     END: */ {    0,  6,     4,      4,      4,    4,       4,   4,  },
+  };
+#else
+  /* If triggers are not suppored by this compile then the statement machine
+  ** used to detect the end of a statement is much simplier
+  */
+  static const u8 trans[2][3] = {
+                     /* Token:           */
+     /* State:       **  SEMI  WS  OTHER */
+     /* 0   START: */ {    0,  0,     1, },
+     /* 1  NORMAL: */ {    0,  1,     1, },
+  };
+#endif /* SQLITE_OMIT_TRIGGER */
+
+  while( *zSql ){
+    switch( *zSql ){
+      case ';': {  /* A semicolon */
+        token = tkSEMI;
+        break;
+      }
+      case ' ':
+      case '\r':
+      case '\t':
+      case '\n':
+      case '\f': {  /* White space is ignored */
+        token = tkWS;
+        break;
+      }
+      case '/': {   /* C-style comments */
+        if( zSql[1]!='*' ){
+          token = tkOTHER;
+          break;
+        }
+        zSql += 2;
+        while( zSql[0] && (zSql[0]!='*' || zSql[1]!='/') ){ zSql++; }
+        if( zSql[0]==0 ) return 0;
+        zSql++;
+        token = tkWS;
+        break;
+      }
+      case '-': {   /* SQL-style comments from "--" to end of line */
+        if( zSql[1]!='-' ){
+          token = tkOTHER;
+          break;
+        }
+        while( *zSql && *zSql!='\n' ){ zSql++; }
+        if( *zSql==0 ) return state==0;
+        token = tkWS;
+        break;
+      }
+      case '[': {   /* Microsoft-style identifiers in [...] */
+        zSql++;
+        while( *zSql && *zSql!=']' ){ zSql++; }
+        if( *zSql==0 ) return 0;
+        token = tkOTHER;
+        break;
+      }
+      case '`':     /* Grave-accent quoted symbols used by MySQL */
+      case '"':     /* single- and double-quoted strings */
+      case '\'': {
+        int c = *zSql;
+        zSql++;
+        while( *zSql && *zSql!=c ){ zSql++; }
+        if( *zSql==0 ) return 0;
+        token = tkOTHER;
+        break;
+      }
+      default: {
+        int c;
+        if( IdChar((u8)*zSql) ){
+          /* Keywords and unquoted identifiers */
+          int nId;
+          for(nId=1; IdChar(zSql[nId]); nId++){}
+#ifdef SQLITE_OMIT_TRIGGER
+          token = tkOTHER;
+#else
+          switch( *zSql ){
+            case 'c': case 'C': {
+              if( nId==6 && sqlite3StrNICmp(zSql, "create", 6)==0 ){
+                token = tkCREATE;
+              }else{
+                token = tkOTHER;
+              }
+              break;
+            }
+            case 't': case 'T': {
+              if( nId==7 && sqlite3StrNICmp(zSql, "trigger", 7)==0 ){
+                token = tkTRIGGER;
+              }else if( nId==4 && sqlite3StrNICmp(zSql, "temp", 4)==0 ){
+                token = tkTEMP;
+              }else if( nId==9 && sqlite3StrNICmp(zSql, "temporary", 9)==0 ){
+                token = tkTEMP;
+              }else{
+                token = tkOTHER;
+              }
+              break;
+            }
+            case 'e':  case 'E': {
+              if( nId==3 && sqlite3StrNICmp(zSql, "end", 3)==0 ){
+                token = tkEND;
+              }else
+#ifndef SQLITE_OMIT_EXPLAIN
+              if( nId==7 && sqlite3StrNICmp(zSql, "explain", 7)==0 ){
+                token = tkEXPLAIN;
+              }else
+#endif
+              {
+                token = tkOTHER;
+              }
+              break;
+            }
+            default: {
+              token = tkOTHER;
+              break;
+            }
+          }
+#endif /* SQLITE_OMIT_TRIGGER */
+          zSql += nId-1;
+        }else{
+          /* Operators and special symbols */
+          token = tkOTHER;
+        }
+        break;
+      }
+    }
+    state = trans[state][token];
+    zSql++;
+  }
+  return state==0;
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** This routine is the same as the sqlite3_complete() routine described
+** above, except that the parameter is required to be UTF-16 encoded, not
+** UTF-8.
+*/
+int sqlite3_complete16(const void *zSql){
+  sqlite3_value *pVal;
+  char const *zSql8;
+  int rc = 0;
+
+  pVal = sqlite3ValueNew();
+  sqlite3ValueSetStr(pVal, -1, zSql, SQLITE_UTF16NATIVE, SQLITE_STATIC);
+  zSql8 = sqlite3ValueText(pVal, SQLITE_UTF8);
+  if( zSql8 ){
+    rc = sqlite3_complete(zSql8);
+  }
+  sqlite3ValueFree(pVal);
+  return sqlite3ApiExit(0, rc);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+#endif /* SQLITE_OMIT_COMPLETE */
+
+/************** End of complete.c ********************************************/
+/************** Begin file delete.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that are called by the parser
+** in order to generate code for DELETE FROM statements.
+**
+** $Id$
+*/
+
+/*
+** Look up every table that is named in pSrc.  If any table is not found,
+** add an error message to pParse->zErrMsg and return NULL.  If all tables
+** are found, return a pointer to the last table.
+*/
+Table *sqlite3SrcListLookup(Parse *pParse, SrcList *pSrc){
+  Table *pTab = 0;
+  int i;
+  struct SrcList_item *pItem;
+  for(i=0, pItem=pSrc->a; i<pSrc->nSrc; i++, pItem++){
+    pTab = sqlite3LocateTable(pParse, pItem->zName, pItem->zDatabase);
+    sqlite3DeleteTable(pItem->pTab);
+    pItem->pTab = pTab;
+    if( pTab ){
+      pTab->nRef++;
+    }
+  }
+  return pTab;
+}
+
+/*
+** Check to make sure the given table is writable.  If it is not
+** writable, generate an error message and return 1.  If it is
+** writable return 0;
+*/
+int sqlite3IsReadOnly(Parse *pParse, Table *pTab, int viewOk){
+  if( (pTab->readOnly && (pParse->db->flags & SQLITE_WriteSchema)==0
+        && pParse->nested==0) 
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      || (pTab->pMod && pTab->pMod->pModule->xUpdate==0)
+#endif
+  ){
+    sqlite3ErrorMsg(pParse, "table %s may not be modified", pTab->zName);
+    return 1;
+  }
+#ifndef SQLITE_OMIT_VIEW
+  if( !viewOk && pTab->pSelect ){
+    sqlite3ErrorMsg(pParse,"cannot modify %s because it is a view",pTab->zName);
+    return 1;
+  }
+#endif
+  return 0;
+}
+
+/*
+** Generate code that will open a table for reading.
+*/
+void sqlite3OpenTable(
+  Parse *p,       /* Generate code into this VDBE */
+  int iCur,       /* The cursor number of the table */
+  int iDb,        /* The database index in sqlite3.aDb[] */
+  Table *pTab,    /* The table to be opened */
+  int opcode      /* OP_OpenRead or OP_OpenWrite */
+){
+  Vdbe *v;
+  if( IsVirtual(pTab) ) return;
+  v = sqlite3GetVdbe(p);
+  assert( opcode==OP_OpenWrite || opcode==OP_OpenRead );
+  sqlite3TableLock(p, iDb, pTab->tnum, (opcode==OP_OpenWrite), pTab->zName);
+  sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+  VdbeComment((v, "# %s", pTab->zName));
+  sqlite3VdbeAddOp(v, opcode, iCur, pTab->tnum);
+  sqlite3VdbeAddOp(v, OP_SetNumColumns, iCur, pTab->nCol);
+}
+
+
+/*
+** Generate code for a DELETE FROM statement.
+**
+**     DELETE FROM table_wxyz WHERE a<5 AND b NOT NULL;
+**                 \________/       \________________/
+**                  pTabList              pWhere
+*/
+void sqlite3DeleteFrom(
+  Parse *pParse,         /* The parser context */
+  SrcList *pTabList,     /* The table from which we should delete things */
+  Expr *pWhere           /* The WHERE clause.  May be null */
+){
+  Vdbe *v;               /* The virtual database engine */
+  Table *pTab;           /* The table from which records will be deleted */
+  const char *zDb;       /* Name of database holding pTab */
+  int end, addr = 0;     /* A couple addresses of generated code */
+  int i;                 /* Loop counter */
+  WhereInfo *pWInfo;     /* Information about the WHERE clause */
+  Index *pIdx;           /* For looping over indices of the table */
+  int iCur;              /* VDBE Cursor number for pTab */
+  sqlite3 *db;           /* Main database structure */
+  AuthContext sContext;  /* Authorization context */
+  int oldIdx = -1;       /* Cursor for the OLD table of AFTER triggers */
+  NameContext sNC;       /* Name context to resolve expressions in */
+  int iDb;               /* Database number */
+  int memCnt = 0;        /* Memory cell used for change counting */
+
+#ifndef SQLITE_OMIT_TRIGGER
+  int isView;                  /* True if attempting to delete from a view */
+  int triggers_exist = 0;      /* True if any triggers exist */
+#endif
+
+  sContext.pParse = 0;
+  if( pParse->nErr || sqlite3MallocFailed() ){
+    goto delete_from_cleanup;
+  }
+  db = pParse->db;
+  assert( pTabList->nSrc==1 );
+
+  /* Locate the table which we want to delete.  This table has to be
+  ** put in an SrcList structure because some of the subroutines we
+  ** will be calling are designed to work with multiple tables and expect
+  ** an SrcList* parameter instead of just a Table* parameter.
+  */
+  pTab = sqlite3SrcListLookup(pParse, pTabList);
+  if( pTab==0 )  goto delete_from_cleanup;
+
+  /* Figure out if we have any triggers and if the table being
+  ** deleted from is a view
+  */
+#ifndef SQLITE_OMIT_TRIGGER
+  triggers_exist = sqlite3TriggersExist(pParse, pTab, TK_DELETE, 0);
+  isView = pTab->pSelect!=0;
+#else
+# define triggers_exist 0
+# define isView 0
+#endif
+#ifdef SQLITE_OMIT_VIEW
+# undef isView
+# define isView 0
+#endif
+
+  if( sqlite3IsReadOnly(pParse, pTab, triggers_exist) ){
+    goto delete_from_cleanup;
+  }
+  iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+  assert( iDb<db->nDb );
+  zDb = db->aDb[iDb].zName;
+  if( sqlite3AuthCheck(pParse, SQLITE_DELETE, pTab->zName, 0, zDb) ){
+    goto delete_from_cleanup;
+  }
+
+  /* If pTab is really a view, make sure it has been initialized.
+  */
+  if( sqlite3ViewGetColumnNames(pParse, pTab) ){
+    goto delete_from_cleanup;
+  }
+
+  /* Allocate a cursor used to store the old.* data for a trigger.
+  */
+  if( triggers_exist ){ 
+    oldIdx = pParse->nTab++;
+  }
+
+  /* Resolve the column names in the WHERE clause.
+  */
+  assert( pTabList->nSrc==1 );
+  iCur = pTabList->a[0].iCursor = pParse->nTab++;
+  memset(&sNC, 0, sizeof(sNC));
+  sNC.pParse = pParse;
+  sNC.pSrcList = pTabList;
+  if( sqlite3ExprResolveNames(&sNC, pWhere) ){
+    goto delete_from_cleanup;
+  }
+
+  /* Start the view context
+  */
+  if( isView ){
+    sqlite3AuthContextPush(pParse, &sContext, pTab->zName);
+  }
+
+  /* Begin generating code.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ){
+    goto delete_from_cleanup;
+  }
+  if( pParse->nested==0 ) sqlite3VdbeCountChanges(v);
+  sqlite3BeginWriteOperation(pParse, triggers_exist, iDb);
+
+  /* If we are trying to delete from a view, realize that view into
+  ** a ephemeral table.
+  */
+  if( isView ){
+    Select *pView = sqlite3SelectDup(pTab->pSelect);
+    sqlite3Select(pParse, pView, SRT_EphemTab, iCur, 0, 0, 0, 0);
+    sqlite3SelectDelete(pView);
+  }
+
+  /* Initialize the counter of the number of rows deleted, if
+  ** we are counting rows.
+  */
+  if( db->flags & SQLITE_CountRows ){
+    memCnt = pParse->nMem++;
+    sqlite3VdbeAddOp(v, OP_MemInt, 0, memCnt);
+  }
+
+  /* Special case: A DELETE without a WHERE clause deletes everything.
+  ** It is easier just to erase the whole table.  Note, however, that
+  ** this means that the row change count will be incorrect.
+  */
+  if( pWhere==0 && !triggers_exist && !IsVirtual(pTab) ){
+    if( db->flags & SQLITE_CountRows ){
+      /* If counting rows deleted, just count the total number of
+      ** entries in the table. */
+      int endOfLoop = sqlite3VdbeMakeLabel(v);
+      int addr2;
+      if( !isView ){
+        sqlite3OpenTable(pParse, iCur, iDb, pTab, OP_OpenRead);
+      }
+      sqlite3VdbeAddOp(v, OP_Rewind, iCur, sqlite3VdbeCurrentAddr(v)+2);
+      addr2 = sqlite3VdbeAddOp(v, OP_MemIncr, 1, memCnt);
+      sqlite3VdbeAddOp(v, OP_Next, iCur, addr2);
+      sqlite3VdbeResolveLabel(v, endOfLoop);
+      sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+    }
+    if( !isView ){
+      sqlite3VdbeAddOp(v, OP_Clear, pTab->tnum, iDb);
+      if( !pParse->nested ){
+        sqlite3VdbeChangeP3(v, -1, pTab->zName, P3_STATIC);
+      }
+      for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+        assert( pIdx->pSchema==pTab->pSchema );
+        sqlite3VdbeAddOp(v, OP_Clear, pIdx->tnum, iDb);
+      }
+    }
+  } 
+  /* The usual case: There is a WHERE clause so we have to scan through
+  ** the table and pick which records to delete.
+  */
+  else{
+    /* Begin the database scan
+    */
+    pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, 0);
+    if( pWInfo==0 ) goto delete_from_cleanup;
+
+    /* Remember the rowid of every item to be deleted.
+    */
+    sqlite3VdbeAddOp(v, IsVirtual(pTab) ? OP_VRowid : OP_Rowid, iCur, 0);
+    sqlite3VdbeAddOp(v, OP_FifoWrite, 0, 0);
+    if( db->flags & SQLITE_CountRows ){
+      sqlite3VdbeAddOp(v, OP_MemIncr, 1, memCnt);
+    }
+
+    /* End the database scan loop.
+    */
+    sqlite3WhereEnd(pWInfo);
+
+    /* Open the pseudo-table used to store OLD if there are triggers.
+    */
+    if( triggers_exist ){
+      sqlite3VdbeAddOp(v, OP_OpenPseudo, oldIdx, 0);
+      sqlite3VdbeAddOp(v, OP_SetNumColumns, oldIdx, pTab->nCol);
+    }
+
+    /* Delete every item whose key was written to the list during the
+    ** database scan.  We have to delete items after the scan is complete
+    ** because deleting an item can change the scan order.
+    */
+    end = sqlite3VdbeMakeLabel(v);
+
+    /* This is the beginning of the delete loop when there are
+    ** row triggers.
+    */
+    if( triggers_exist ){
+      addr = sqlite3VdbeAddOp(v, OP_FifoRead, 0, end);
+      if( !isView ){
+        sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+        sqlite3OpenTable(pParse, iCur, iDb, pTab, OP_OpenRead);
+      }
+      sqlite3VdbeAddOp(v, OP_MoveGe, iCur, 0);
+      sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+      sqlite3VdbeAddOp(v, OP_RowData, iCur, 0);
+      sqlite3VdbeAddOp(v, OP_Insert, oldIdx, 0);
+      if( !isView ){
+        sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+      }
+
+      (void)sqlite3CodeRowTrigger(pParse, TK_DELETE, 0, TRIGGER_BEFORE, pTab,
+          -1, oldIdx, (pParse->trigStack)?pParse->trigStack->orconf:OE_Default,
+          addr);
+    }
+
+    if( !isView ){
+      /* Open cursors for the table we are deleting from and all its
+      ** indices.  If there are row triggers, this happens inside the
+      ** OP_FifoRead loop because the cursor have to all be closed
+      ** before the trigger fires.  If there are no row triggers, the
+      ** cursors are opened only once on the outside the loop.
+      */
+      sqlite3OpenTableAndIndices(pParse, pTab, iCur, OP_OpenWrite);
+
+      /* This is the beginning of the delete loop when there are no
+      ** row triggers */
+      if( !triggers_exist ){ 
+        addr = sqlite3VdbeAddOp(v, OP_FifoRead, 0, end);
+      }
+
+      /* Delete the row */
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      if( IsVirtual(pTab) ){
+        pParse->pVirtualLock = pTab;
+        sqlite3VdbeOp3(v, OP_VUpdate, 0, 1, (const char*)pTab->pVtab, P3_VTAB);
+      }else
+#endif
+      {
+        sqlite3GenerateRowDelete(db, v, pTab, iCur, pParse->nested==0);
+      }
+    }
+
+    /* If there are row triggers, close all cursors then invoke
+    ** the AFTER triggers
+    */
+    if( triggers_exist ){
+      if( !isView ){
+        for(i=1, pIdx=pTab->pIndex; pIdx; i++, pIdx=pIdx->pNext){
+          sqlite3VdbeAddOp(v, OP_Close, iCur + i, pIdx->tnum);
+        }
+        sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+      }
+      (void)sqlite3CodeRowTrigger(pParse, TK_DELETE, 0, TRIGGER_AFTER, pTab, -1,
+          oldIdx, (pParse->trigStack)?pParse->trigStack->orconf:OE_Default,
+          addr);
+    }
+
+    /* End of the delete loop */
+    sqlite3VdbeAddOp(v, OP_Goto, 0, addr);
+    sqlite3VdbeResolveLabel(v, end);
+
+    /* Close the cursors after the loop if there are no row triggers */
+    if( !triggers_exist && !IsVirtual(pTab) ){
+      for(i=1, pIdx=pTab->pIndex; pIdx; i++, pIdx=pIdx->pNext){
+        sqlite3VdbeAddOp(v, OP_Close, iCur + i, pIdx->tnum);
+      }
+      sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+    }
+  }
+
+  /*
+  ** Return the number of rows that were deleted. If this routine is 
+  ** generating code because of a call to sqlite3NestedParse(), do not
+  ** invoke the callback function.
+  */
+  if( db->flags & SQLITE_CountRows && pParse->nested==0 && !pParse->trigStack ){
+    sqlite3VdbeAddOp(v, OP_MemLoad, memCnt, 0);
+    sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "rows deleted", P3_STATIC);
+  }
+
+delete_from_cleanup:
+  sqlite3AuthContextPop(&sContext);
+  sqlite3SrcListDelete(pTabList);
+  sqlite3ExprDelete(pWhere);
+  return;
+}
+
+/*
+** This routine generates VDBE code that causes a single row of a
+** single table to be deleted.
+**
+** The VDBE must be in a particular state when this routine is called.
+** These are the requirements:
+**
+**   1.  A read/write cursor pointing to pTab, the table containing the row
+**       to be deleted, must be opened as cursor number "base".
+**
+**   2.  Read/write cursors for all indices of pTab must be open as
+**       cursor number base+i for the i-th index.
+**
+**   3.  The record number of the row to be deleted must be on the top
+**       of the stack.
+**
+** This routine pops the top of the stack to remove the record number
+** and then generates code to remove both the table record and all index
+** entries that point to that record.
+*/
+void sqlite3GenerateRowDelete(
+  sqlite3 *db,       /* The database containing the index */
+  Vdbe *v,           /* Generate code into this VDBE */
+  Table *pTab,       /* Table containing the row to be deleted */
+  int iCur,          /* Cursor number for the table */
+  int count          /* Increment the row change counter */
+){
+  int addr;
+  addr = sqlite3VdbeAddOp(v, OP_NotExists, iCur, 0);
+  sqlite3GenerateRowIndexDelete(v, pTab, iCur, 0);
+  sqlite3VdbeAddOp(v, OP_Delete, iCur, (count?OPFLAG_NCHANGE:0));
+  if( count ){
+    sqlite3VdbeChangeP3(v, -1, pTab->zName, P3_STATIC);
+  }
+  sqlite3VdbeJumpHere(v, addr);
+}
+
+/*
+** This routine generates VDBE code that causes the deletion of all
+** index entries associated with a single row of a single table.
+**
+** The VDBE must be in a particular state when this routine is called.
+** These are the requirements:
+**
+**   1.  A read/write cursor pointing to pTab, the table containing the row
+**       to be deleted, must be opened as cursor number "iCur".
+**
+**   2.  Read/write cursors for all indices of pTab must be open as
+**       cursor number iCur+i for the i-th index.
+**
+**   3.  The "iCur" cursor must be pointing to the row that is to be
+**       deleted.
+*/
+void sqlite3GenerateRowIndexDelete(
+  Vdbe *v,           /* Generate code into this VDBE */
+  Table *pTab,       /* Table containing the row to be deleted */
+  int iCur,          /* Cursor number for the table */
+  char *aIdxUsed     /* Only delete if aIdxUsed!=0 && aIdxUsed[i]!=0 */
+){
+  int i;
+  Index *pIdx;
+
+  for(i=1, pIdx=pTab->pIndex; pIdx; i++, pIdx=pIdx->pNext){
+    if( aIdxUsed!=0 && aIdxUsed[i-1]==0 ) continue;
+    sqlite3GenerateIndexKey(v, pIdx, iCur);
+    sqlite3VdbeAddOp(v, OP_IdxDelete, iCur+i, 0);
+  }
+}
+
+/*
+** Generate code that will assemble an index key and put it on the top
+** of the tack.  The key with be for index pIdx which is an index on pTab.
+** iCur is the index of a cursor open on the pTab table and pointing to
+** the entry that needs indexing.
+*/
+void sqlite3GenerateIndexKey(
+  Vdbe *v,           /* Generate code into this VDBE */
+  Index *pIdx,       /* The index for which to generate a key */
+  int iCur           /* Cursor number for the pIdx->pTable table */
+){
+  int j;
+  Table *pTab = pIdx->pTable;
+
+  sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+  for(j=0; j<pIdx->nColumn; j++){
+    int idx = pIdx->aiColumn[j];
+    if( idx==pTab->iPKey ){
+      sqlite3VdbeAddOp(v, OP_Dup, j, 0);
+    }else{
+      sqlite3VdbeAddOp(v, OP_Column, iCur, idx);
+      sqlite3ColumnDefault(v, pTab, idx);
+    }
+  }
+  sqlite3VdbeAddOp(v, OP_MakeIdxRec, pIdx->nColumn, 0);
+  sqlite3IndexAffinityStr(v, pIdx);
+}
+
+/************** End of delete.c **********************************************/
+/************** Begin file func.c ********************************************/
+/*
+** 2002 February 23
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains the C functions that implement various SQL
+** functions of SQLite.  
+**
+** There is only one exported symbol in this file - the function
+** sqliteRegisterBuildinFunctions() found at the bottom of the file.
+** All other code has file scope.
+**
+** $Id$
+*/
+/* #include <math.h> */
+
+/*
+** Return the collating function associated with a function.
+*/
+static CollSeq *sqlite3GetFuncCollSeq(sqlite3_context *context){
+  return context->pColl;
+}
+
+/*
+** Implementation of the non-aggregate min() and max() functions
+*/
+static void minmaxFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int i;
+  int mask;    /* 0 for min() or 0xffffffff for max() */
+  int iBest;
+  CollSeq *pColl;
+
+  if( argc==0 ) return;
+  mask = sqlite3_user_data(context)==0 ? 0 : -1;
+  pColl = sqlite3GetFuncCollSeq(context);
+  assert( pColl );
+  assert( mask==-1 || mask==0 );
+  iBest = 0;
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ) return;
+  for(i=1; i<argc; i++){
+    if( sqlite3_value_type(argv[i])==SQLITE_NULL ) return;
+    if( (sqlite3MemCompare(argv[iBest], argv[i], pColl)^mask)>=0 ){
+      iBest = i;
+    }
+  }
+  sqlite3_result_value(context, argv[iBest]);
+}
+
+/*
+** Return the type of the argument.
+*/
+static void typeofFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  const char *z = 0;
+  switch( sqlite3_value_type(argv[0]) ){
+    case SQLITE_NULL:    z = "null";    break;
+    case SQLITE_INTEGER: z = "integer"; break;
+    case SQLITE_TEXT:    z = "text";    break;
+    case SQLITE_FLOAT:   z = "real";    break;
+    case SQLITE_BLOB:    z = "blob";    break;
+  }
+  sqlite3_result_text(context, z, -1, SQLITE_STATIC);
+}
+
+
+/*
+** Implementation of the length() function
+*/
+static void lengthFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int len;
+
+  assert( argc==1 );
+  switch( sqlite3_value_type(argv[0]) ){
+    case SQLITE_BLOB:
+    case SQLITE_INTEGER:
+    case SQLITE_FLOAT: {
+      sqlite3_result_int(context, sqlite3_value_bytes(argv[0]));
+      break;
+    }
+    case SQLITE_TEXT: {
+      const unsigned char *z = sqlite3_value_text(argv[0]);
+      for(len=0; *z; z++){ if( (0xc0&*z)!=0x80 ) len++; }
+      sqlite3_result_int(context, len);
+      break;
+    }
+    default: {
+      sqlite3_result_null(context);
+      break;
+    }
+  }
+}
+
+/*
+** Implementation of the abs() function
+*/
+static void absFunc(sqlite3_context *context, int argc, sqlite3_value **argv){
+  assert( argc==1 );
+  switch( sqlite3_value_type(argv[0]) ){
+    case SQLITE_INTEGER: {
+      i64 iVal = sqlite3_value_int64(argv[0]);
+      if( iVal<0 ){
+        if( (iVal<<1)==0 ){
+          sqlite3_result_error(context, "integer overflow", -1);
+          return;
+        }
+        iVal = -iVal;
+      } 
+      sqlite3_result_int64(context, iVal);
+      break;
+    }
+    case SQLITE_NULL: {
+      sqlite3_result_null(context);
+      break;
+    }
+    default: {
+      double rVal = sqlite3_value_double(argv[0]);
+      if( rVal<0 ) rVal = -rVal;
+      sqlite3_result_double(context, rVal);
+      break;
+    }
+  }
+}
+
+/*
+** Implementation of the substr() function
+*/
+static void substrFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  const unsigned char *z;
+  const unsigned char *z2;
+  int i;
+  int p1, p2, len;
+
+  assert( argc==3 );
+  z = sqlite3_value_text(argv[0]);
+  if( z==0 ) return;
+  p1 = sqlite3_value_int(argv[1]);
+  p2 = sqlite3_value_int(argv[2]);
+  for(len=0, z2=z; *z2; z2++){ if( (0xc0&*z2)!=0x80 ) len++; }
+  if( p1<0 ){
+    p1 += len;
+    if( p1<0 ){
+      p2 += p1;
+      p1 = 0;
+    }
+  }else if( p1>0 ){
+    p1--;
+  }
+  if( p1+p2>len ){
+    p2 = len-p1;
+  }
+  for(i=0; i<p1 && z[i]; i++){
+    if( (z[i]&0xc0)==0x80 ) p1++;
+  }
+  while( z[i] && (z[i]&0xc0)==0x80 ){ i++; p1++; }
+  for(; i<p1+p2 && z[i]; i++){
+    if( (z[i]&0xc0)==0x80 ) p2++;
+  }
+  while( z[i] && (z[i]&0xc0)==0x80 ){ i++; p2++; }
+  if( p2<0 ) p2 = 0;
+  sqlite3_result_text(context, (char*)&z[p1], p2, SQLITE_TRANSIENT);
+}
+
+/*
+** Implementation of the round() function
+*/
+static void roundFunc(sqlite3_context *context, int argc, sqlite3_value **argv){
+  int n = 0;
+  double r;
+  char zBuf[500];  /* larger than the %f representation of the largest double */
+  assert( argc==1 || argc==2 );
+  if( argc==2 ){
+    if( SQLITE_NULL==sqlite3_value_type(argv[1]) ) return;
+    n = sqlite3_value_int(argv[1]);
+    if( n>30 ) n = 30;
+    if( n<0 ) n = 0;
+  }
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ) return;
+  r = sqlite3_value_double(argv[0]);
+  sqlite3_snprintf(sizeof(zBuf),zBuf,"%.*f",n,r);
+  sqlite3AtoF(zBuf, &r);
+  sqlite3_result_double(context, r);
+}
+
+/*
+** Implementation of the upper() and lower() SQL functions.
+*/
+static void upperFunc(sqlite3_context *context, int argc, sqlite3_value **argv){
+  unsigned char *z;
+  int i;
+  if( argc<1 || SQLITE_NULL==sqlite3_value_type(argv[0]) ) return;
+  z = sqliteMalloc(sqlite3_value_bytes(argv[0])+1);
+  if( z==0 ) return;
+  strcpy((char*)z, (char*)sqlite3_value_text(argv[0]));
+  for(i=0; z[i]; i++){
+    z[i] = toupper(z[i]);
+  }
+  sqlite3_result_text(context, (char*)z, -1, SQLITE_TRANSIENT);
+  sqliteFree(z);
+}
+static void lowerFunc(sqlite3_context *context, int argc, sqlite3_value **argv){
+  unsigned char *z;
+  int i;
+  if( argc<1 || SQLITE_NULL==sqlite3_value_type(argv[0]) ) return;
+  z = sqliteMalloc(sqlite3_value_bytes(argv[0])+1);
+  if( z==0 ) return;
+  strcpy((char*)z, (char*)sqlite3_value_text(argv[0]));
+  for(i=0; z[i]; i++){
+    z[i] = tolower(z[i]);
+  }
+  sqlite3_result_text(context, (char*)z, -1, SQLITE_TRANSIENT);
+  sqliteFree(z);
+}
+
+/*
+** Implementation of the IFNULL(), NVL(), and COALESCE() functions.  
+** All three do the same thing.  They return the first non-NULL
+** argument.
+*/
+static void ifnullFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int i;
+  for(i=0; i<argc; i++){
+    if( SQLITE_NULL!=sqlite3_value_type(argv[i]) ){
+      sqlite3_result_value(context, argv[i]);
+      break;
+    }
+  }
+}
+
+/*
+** Implementation of random().  Return a random integer.  
+*/
+static void randomFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  sqlite_int64 r;
+  sqlite3Randomness(sizeof(r), &r);
+  if( (r<<1)==0 ) r = 0;  /* Prevent 0x8000.... as the result so that we */
+                          /* can always do abs() of the result */
+  sqlite3_result_int64(context, r);
+}
+
+/*
+** Implementation of randomblob(N).  Return a random blob
+** that is N bytes long.
+*/
+static void randomBlob(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int n;
+  unsigned char *p;
+  assert( argc==1 );
+  n = sqlite3_value_int(argv[0]);
+  if( n<1 ) n = 1;
+  p = sqlite3_malloc(n);
+  sqlite3Randomness(n, p);
+  sqlite3_result_blob(context, (char*)p, n, sqlite3_free);
+}
+
+/*
+** Implementation of the last_insert_rowid() SQL function.  The return
+** value is the same as the sqlite3_last_insert_rowid() API function.
+*/
+static void last_insert_rowid(
+  sqlite3_context *context, 
+  int arg, 
+  sqlite3_value **argv
+){
+  sqlite3 *db = sqlite3_user_data(context);
+  sqlite3_result_int64(context, sqlite3_last_insert_rowid(db));
+}
+
+/*
+** Implementation of the changes() SQL function.  The return value is the
+** same as the sqlite3_changes() API function.
+*/
+static void changes(
+  sqlite3_context *context,
+  int arg,
+  sqlite3_value **argv
+){
+  sqlite3 *db = sqlite3_user_data(context);
+  sqlite3_result_int(context, sqlite3_changes(db));
+}
+
+/*
+** Implementation of the total_changes() SQL function.  The return value is
+** the same as the sqlite3_total_changes() API function.
+*/
+static void total_changes(
+  sqlite3_context *context,
+  int arg,
+  sqlite3_value **argv
+){
+  sqlite3 *db = sqlite3_user_data(context);
+  sqlite3_result_int(context, sqlite3_total_changes(db));
+}
+
+/*
+** A structure defining how to do GLOB-style comparisons.
+*/
+struct compareInfo {
+  u8 matchAll;
+  u8 matchOne;
+  u8 matchSet;
+  u8 noCase;
+};
+
+static const struct compareInfo globInfo = { '*', '?', '[', 0 };
+/* The correct SQL-92 behavior is for the LIKE operator to ignore
+** case.  Thus  'a' LIKE 'A' would be true. */
+static const struct compareInfo likeInfoNorm = { '%', '_',   0, 1 };
+/* If SQLITE_CASE_SENSITIVE_LIKE is defined, then the LIKE operator
+** is case sensitive causing 'a' LIKE 'A' to be false */
+static const struct compareInfo likeInfoAlt = { '%', '_',   0, 0 };
+
+/*
+** X is a pointer to the first byte of a UTF-8 character.  Increment
+** X so that it points to the next character.  This only works right
+** if X points to a well-formed UTF-8 string.
+*/
+#define sqliteNextChar(X)  while( (0xc0&*++(X))==0x80 ){}
+#define sqliteCharVal(X)   sqlite3ReadUtf8(X)
+
+
+/*
+** Compare two UTF-8 strings for equality where the first string can
+** potentially be a "glob" expression.  Return true (1) if they
+** are the same and false (0) if they are different.
+**
+** Globbing rules:
+**
+**      '*'       Matches any sequence of zero or more characters.
+**
+**      '?'       Matches exactly one character.
+**
+**     [...]      Matches one character from the enclosed list of
+**                characters.
+**
+**     [^...]     Matches one character not in the enclosed list.
+**
+** With the [...] and [^...] matching, a ']' character can be included
+** in the list by making it the first character after '[' or '^'.  A
+** range of characters can be specified using '-'.  Example:
+** "[a-z]" matches any single lower-case letter.  To match a '-', make
+** it the last character in the list.
+**
+** This routine is usually quick, but can be N**2 in the worst case.
+**
+** Hints: to match '*' or '?', put them in "[]".  Like this:
+**
+**         abc[*]xyz        Matches "abc*xyz" only
+*/
+static int patternCompare(
+  const u8 *zPattern,              /* The glob pattern */
+  const u8 *zString,               /* The string to compare against the glob */
+  const struct compareInfo *pInfo, /* Information about how to do the compare */
+  const int esc                    /* The escape character */
+){
+  register int c;
+  int invert;
+  int seen;
+  int c2;
+  u8 matchOne = pInfo->matchOne;
+  u8 matchAll = pInfo->matchAll;
+  u8 matchSet = pInfo->matchSet;
+  u8 noCase = pInfo->noCase; 
+  int prevEscape = 0;     /* True if the previous character was 'escape' */
+
+  while( (c = *zPattern)!=0 ){
+    if( !prevEscape && c==matchAll ){
+      while( (c=zPattern[1]) == matchAll || c == matchOne ){
+        if( c==matchOne ){
+          if( *zString==0 ) return 0;
+          sqliteNextChar(zString);
+        }
+        zPattern++;
+      }
+      if( c && esc && sqlite3ReadUtf8(&zPattern[1])==esc ){
+        u8 const *zTemp = &zPattern[1];
+        sqliteNextChar(zTemp);
+        c = *zTemp;
+      }
+      if( c==0 ) return 1;
+      if( c==matchSet ){
+        assert( esc==0 );   /* This is GLOB, not LIKE */
+        while( *zString && patternCompare(&zPattern[1],zString,pInfo,esc)==0 ){
+          sqliteNextChar(zString);
+        }
+        return *zString!=0;
+      }else{
+        while( (c2 = *zString)!=0 ){
+          if( noCase ){
+            c2 = sqlite3UpperToLower[c2];
+            c = sqlite3UpperToLower[c];
+            while( c2 != 0 && c2 != c ){ c2 = sqlite3UpperToLower[*++zString]; }
+          }else{
+            while( c2 != 0 && c2 != c ){ c2 = *++zString; }
+          }
+          if( c2==0 ) return 0;
+          if( patternCompare(&zPattern[1],zString,pInfo,esc) ) return 1;
+          sqliteNextChar(zString);
+        }
+        return 0;
+      }
+    }else if( !prevEscape && c==matchOne ){
+      if( *zString==0 ) return 0;
+      sqliteNextChar(zString);
+      zPattern++;
+    }else if( c==matchSet ){
+      int prior_c = 0;
+      assert( esc==0 );    /* This only occurs for GLOB, not LIKE */
+      seen = 0;
+      invert = 0;
+      c = sqliteCharVal(zString);
+      if( c==0 ) return 0;
+      c2 = *++zPattern;
+      if( c2=='^' ){ invert = 1; c2 = *++zPattern; }
+      if( c2==']' ){
+        if( c==']' ) seen = 1;
+        c2 = *++zPattern;
+      }
+      while( (c2 = sqliteCharVal(zPattern))!=0 && c2!=']' ){
+        if( c2=='-' && zPattern[1]!=']' && zPattern[1]!=0 && prior_c>0 ){
+          zPattern++;
+          c2 = sqliteCharVal(zPattern);
+          if( c>=prior_c && c<=c2 ) seen = 1;
+          prior_c = 0;
+        }else if( c==c2 ){
+          seen = 1;
+          prior_c = c2;
+        }else{
+          prior_c = c2;
+        }
+        sqliteNextChar(zPattern);
+      }
+      if( c2==0 || (seen ^ invert)==0 ) return 0;
+      sqliteNextChar(zString);
+      zPattern++;
+    }else if( esc && !prevEscape && sqlite3ReadUtf8(zPattern)==esc){
+      prevEscape = 1;
+      sqliteNextChar(zPattern);
+    }else{
+      if( noCase ){
+        if( sqlite3UpperToLower[c] != sqlite3UpperToLower[*zString] ) return 0;
+      }else{
+        if( c != *zString ) return 0;
+      }
+      zPattern++;
+      zString++;
+      prevEscape = 0;
+    }
+  }
+  return *zString==0;
+}
+
+/*
+** Count the number of times that the LIKE operator (or GLOB which is
+** just a variation of LIKE) gets called.  This is used for testing
+** only.
+*/
+#ifdef SQLITE_TEST
+int sqlite3_like_count = 0;
+#endif
+
+
+/*
+** Implementation of the like() SQL function.  This function implements
+** the build-in LIKE operator.  The first argument to the function is the
+** pattern and the second argument is the string.  So, the SQL statements:
+**
+**       A LIKE B
+**
+** is implemented as like(B,A).
+**
+** This same function (with a different compareInfo structure) computes
+** the GLOB operator.
+*/
+static void likeFunc(
+  sqlite3_context *context, 
+  int argc, 
+  sqlite3_value **argv
+){
+  const unsigned char *zA = sqlite3_value_text(argv[0]);
+  const unsigned char *zB = sqlite3_value_text(argv[1]);
+  int escape = 0;
+  if( argc==3 ){
+    /* The escape character string must consist of a single UTF-8 character.
+    ** Otherwise, return an error.
+    */
+    const unsigned char *zEsc = sqlite3_value_text(argv[2]);
+    if( sqlite3utf8CharLen((char*)zEsc, -1)!=1 ){
+      sqlite3_result_error(context, 
+          "ESCAPE expression must be a single character", -1);
+      return;
+    }
+    escape = sqlite3ReadUtf8(zEsc);
+  }
+  if( zA && zB ){
+    struct compareInfo *pInfo = sqlite3_user_data(context);
+#ifdef SQLITE_TEST
+    sqlite3_like_count++;
+#endif
+    sqlite3_result_int(context, patternCompare(zA, zB, pInfo, escape));
+  }
+}
+
+/*
+** Implementation of the NULLIF(x,y) function.  The result is the first
+** argument if the arguments are different.  The result is NULL if the
+** arguments are equal to each other.
+*/
+static void nullifFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  CollSeq *pColl = sqlite3GetFuncCollSeq(context);
+  if( sqlite3MemCompare(argv[0], argv[1], pColl)!=0 ){
+    sqlite3_result_value(context, argv[0]);
+  }
+}
+
+/*
+** Implementation of the VERSION(*) function.  The result is the version
+** of the SQLite library that is running.
+*/
+static void versionFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  sqlite3_result_text(context, sqlite3_version, -1, SQLITE_STATIC);
+}
+
+/* Array for converting from half-bytes (nybbles) into ASCII hex
+** digits. */
+static const char hexdigits[] = {
+  '0', '1', '2', '3', '4', '5', '6', '7',
+  '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' 
+};
+
+/*
+** EXPERIMENTAL - This is not an official function.  The interface may
+** change.  This function may disappear.  Do not write code that depends
+** on this function.
+**
+** Implementation of the QUOTE() function.  This function takes a single
+** argument.  If the argument is numeric, the return value is the same as
+** the argument.  If the argument is NULL, the return value is the string
+** "NULL".  Otherwise, the argument is enclosed in single quotes with
+** single-quote escapes.
+*/
+static void quoteFunc(sqlite3_context *context, int argc, sqlite3_value **argv){
+  if( argc<1 ) return;
+  switch( sqlite3_value_type(argv[0]) ){
+    case SQLITE_NULL: {
+      sqlite3_result_text(context, "NULL", 4, SQLITE_STATIC);
+      break;
+    }
+    case SQLITE_INTEGER:
+    case SQLITE_FLOAT: {
+      sqlite3_result_value(context, argv[0]);
+      break;
+    }
+    case SQLITE_BLOB: {
+      char *zText = 0;
+      int nBlob = sqlite3_value_bytes(argv[0]);
+      char const *zBlob = sqlite3_value_blob(argv[0]);
+
+      zText = (char *)sqliteMalloc((2*nBlob)+4); 
+      if( !zText ){
+        sqlite3_result_error(context, "out of memory", -1);
+      }else{
+        int i;
+        for(i=0; i<nBlob; i++){
+          zText[(i*2)+2] = hexdigits[(zBlob[i]>>4)&0x0F];
+          zText[(i*2)+3] = hexdigits[(zBlob[i])&0x0F];
+        }
+        zText[(nBlob*2)+2] = '\'';
+        zText[(nBlob*2)+3] = '\0';
+        zText[0] = 'X';
+        zText[1] = '\'';
+        sqlite3_result_text(context, zText, -1, SQLITE_TRANSIENT);
+        sqliteFree(zText);
+      }
+      break;
+    }
+    case SQLITE_TEXT: {
+      int i,j,n;
+      const unsigned char *zArg = sqlite3_value_text(argv[0]);
+      char *z;
+
+      for(i=n=0; zArg[i]; i++){ if( zArg[i]=='\'' ) n++; }
+      z = sqliteMalloc( i+n+3 );
+      if( z==0 ) return;
+      z[0] = '\'';
+      for(i=0, j=1; zArg[i]; i++){
+        z[j++] = zArg[i];
+        if( zArg[i]=='\'' ){
+          z[j++] = '\'';
+        }
+      }
+      z[j++] = '\'';
+      z[j] = 0;
+      sqlite3_result_text(context, z, j, SQLITE_TRANSIENT);
+      sqliteFree(z);
+    }
+  }
+}
+
+/*
+** The hex() function.  Interpret the argument as a blob.  Return
+** a hexadecimal rendering as text.
+*/
+static void hexFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  int i, n;
+  const unsigned char *pBlob;
+  char *zHex, *z;
+  assert( argc==1 );
+  n = sqlite3_value_bytes(argv[0]);
+  pBlob = sqlite3_value_blob(argv[0]);
+  z = zHex = sqlite3_malloc(n*2 + 1);
+  if( zHex==0 ) return;
+  for(i=0; i<n; i++, pBlob++){
+    unsigned char c = *pBlob;
+    *(z++) = hexdigits[(c>>4)&0xf];
+    *(z++) = hexdigits[c&0xf];
+  }
+  *z = 0;
+  sqlite3_result_text(context, zHex, n*2, sqlite3_free);
+}
+
+/*
+** The replace() function.  Three arguments are all strings: call
+** them A, B, and C. The result is also a string which is derived
+** from A by replacing every occurance of B with C.  The match
+** must be exact.  Collating sequences are not used.
+*/
+static void replaceFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  const unsigned char *zStr;        /* The input string A */
+  const unsigned char *zPattern;    /* The pattern string B */
+  const unsigned char *zRep;        /* The replacement string C */
+  unsigned char *zOut;              /* The output */
+  int nStr;                /* Size of zStr */
+  int nPattern;            /* Size of zPattern */
+  int nRep;                /* Size of zRep */
+  int nOut;                /* Maximum size of zOut */
+  int loopLimit;           /* Last zStr[] that might match zPattern[] */
+  int i, j;                /* Loop counters */
+
+  assert( argc==3 );
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ||
+      sqlite3_value_type(argv[1])==SQLITE_NULL ||
+      sqlite3_value_type(argv[2])==SQLITE_NULL ){
+    return;
+  }
+  zStr = sqlite3_value_text(argv[0]);
+  nStr = sqlite3_value_bytes(argv[0]);
+  zPattern = sqlite3_value_text(argv[1]);
+  nPattern = sqlite3_value_bytes(argv[1]);
+  zRep = sqlite3_value_text(argv[2]);
+  nRep = sqlite3_value_bytes(argv[2]);
+  if( nPattern>=nRep ){
+    nOut = nStr;
+  }else{
+    nOut = (nStr/nPattern + 1)*nRep;
+  }
+  zOut = sqlite3_malloc(nOut+1);
+  if( zOut==0 ) return;
+  loopLimit = nStr - nPattern;  
+  for(i=j=0; i<=loopLimit; i++){
+    if( zStr[i]!=zPattern[0] || memcmp(&zStr[i], zPattern, nPattern) ){
+      zOut[j++] = zStr[i];
+    }else{
+      memcpy(&zOut[j], zRep, nRep);
+      j += nRep;
+      i += nPattern-1;
+    }
+  }
+  memcpy(&zOut[j], &zStr[i], nStr-i);
+  j += nStr - i;
+  assert( j<=nOut );
+  zOut[j] = 0;
+  sqlite3_result_text(context, (char*)zOut, j, sqlite3_free);
+}
+
+/*
+** Implementation of the TRIM(), LTRIM(), and RTRIM() functions.
+** The userdata is 0x1 for left trim, 0x2 for right trim, 0x3 for both.
+*/
+static void trimFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  const unsigned char *zIn;         /* Input string */
+  const unsigned char *zCharSet;    /* Set of characters to trim */
+  int nIn;                          /* Number of bytes in input */
+  int flags;
+  int i;
+  unsigned char cFirst, cNext;
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ){
+    return;
+  }
+  zIn = sqlite3_value_text(argv[0]);
+  nIn = sqlite3_value_bytes(argv[0]);
+  if( argc==1 ){
+    static const unsigned char zSpace[] = " ";
+    zCharSet = zSpace;
+  }else if( sqlite3_value_type(argv[1])==SQLITE_NULL ){
+    return;
+  }else{
+    zCharSet = sqlite3_value_text(argv[1]);
+  }
+  cFirst = zCharSet[0];
+  if( cFirst ){
+    flags = (int)sqlite3_user_data(context);
+    if( flags & 1 ){
+      for(; nIn>0; nIn--, zIn++){
+        if( cFirst==zIn[0] ) continue;
+        for(i=1; zCharSet[i] && zCharSet[i]!=zIn[0]; i++){}
+        if( zCharSet[i]==0 ) break;
+      }
+    }
+    if( flags & 2 ){
+      for(; nIn>0; nIn--){
+        cNext = zIn[nIn-1];
+        if( cFirst==cNext ) continue;
+        for(i=1; zCharSet[i] && zCharSet[i]!=cNext; i++){}
+        if( zCharSet[i]==0 ) break;
+      }
+    }
+  }
+  sqlite3_result_text(context, (char*)zIn, nIn, SQLITE_TRANSIENT);
+}
+
+#ifdef SQLITE_SOUNDEX
+/*
+** Compute the soundex encoding of a word.
+*/
+static void soundexFunc(
+  sqlite3_context *context,
+  int argc,
+  sqlite3_value **argv
+){
+  char zResult[8];
+  const u8 *zIn;
+  int i, j;
+  static const unsigned char iCode[] = {
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 1, 2, 3, 0, 1, 2, 0, 0, 2, 2, 4, 5, 5, 0,
+    1, 2, 6, 2, 3, 0, 1, 0, 2, 0, 2, 0, 0, 0, 0, 0,
+    0, 0, 1, 2, 3, 0, 1, 2, 0, 0, 2, 2, 4, 5, 5, 0,
+    1, 2, 6, 2, 3, 0, 1, 0, 2, 0, 2, 0, 0, 0, 0, 0,
+  };
+  assert( argc==1 );
+  zIn = (u8*)sqlite3_value_text(argv[0]);
+  if( zIn==0 ) zIn = (u8*)"";
+  for(i=0; zIn[i] && !isalpha(zIn[i]); i++){}
+  if( zIn[i] ){
+    u8 prevcode = iCode[zIn[i]&0x7f];
+    zResult[0] = toupper(zIn[i]);
+    for(j=1; j<4 && zIn[i]; i++){
+      int code = iCode[zIn[i]&0x7f];
+      if( code>0 ){
+        if( code!=prevcode ){
+          prevcode = code;
+          zResult[j++] = code + '0';
+        }
+      }else{
+        prevcode = 0;
+      }
+    }
+    while( j<4 ){
+      zResult[j++] = '0';
+    }
+    zResult[j] = 0;
+    sqlite3_result_text(context, zResult, 4, SQLITE_TRANSIENT);
+  }else{
+    sqlite3_result_text(context, "?000", 4, SQLITE_STATIC);
+  }
+}
+#endif
+
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+/*
+** A function that loads a shared-library extension then returns NULL.
+*/
+static void loadExt(sqlite3_context *context, int argc, sqlite3_value **argv){
+  const char *zFile = (const char *)sqlite3_value_text(argv[0]);
+  const char *zProc = 0;
+  sqlite3 *db = sqlite3_user_data(context);
+  char *zErrMsg = 0;
+
+  if( argc==2 ){
+    zProc = (const char *)sqlite3_value_text(argv[1]);
+  }
+  if( sqlite3_load_extension(db, zFile, zProc, &zErrMsg) ){
+    sqlite3_result_error(context, zErrMsg, -1);
+    sqlite3_free(zErrMsg);
+  }
+}
+#endif
+
+#ifdef SQLITE_TEST
+/*
+** This function generates a string of random characters.  Used for
+** generating test data.
+*/
+static void randStr(sqlite3_context *context, int argc, sqlite3_value **argv){
+  static const unsigned char zSrc[] = 
+     "abcdefghijklmnopqrstuvwxyz"
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+     "0123456789"
+     ".-!,:*^+=_|?/<> ";
+  int iMin, iMax, n, r, i;
+  unsigned char zBuf[1000];
+  if( argc>=1 ){
+    iMin = sqlite3_value_int(argv[0]);
+    if( iMin<0 ) iMin = 0;
+    if( iMin>=sizeof(zBuf) ) iMin = sizeof(zBuf)-1;
+  }else{
+    iMin = 1;
+  }
+  if( argc>=2 ){
+    iMax = sqlite3_value_int(argv[1]);
+    if( iMax<iMin ) iMax = iMin;
+    if( iMax>=sizeof(zBuf) ) iMax = sizeof(zBuf)-1;
+  }else{
+    iMax = 50;
+  }
+  n = iMin;
+  if( iMax>iMin ){
+    sqlite3Randomness(sizeof(r), &r);
+    r &= 0x7fffffff;
+    n += r%(iMax + 1 - iMin);
+  }
+  assert( n<sizeof(zBuf) );
+  sqlite3Randomness(n, zBuf);
+  for(i=0; i<n; i++){
+    zBuf[i] = zSrc[zBuf[i]%(sizeof(zSrc)-1)];
+  }
+  zBuf[n] = 0;
+  sqlite3_result_text(context, (char*)zBuf, n, SQLITE_TRANSIENT);
+}
+#endif /* SQLITE_TEST */
+
+#ifdef SQLITE_TEST
+/*
+** The following two SQL functions are used to test returning a text
+** result with a destructor. Function 'test_destructor' takes one argument
+** and returns the same argument interpreted as TEXT. A destructor is
+** passed with the sqlite3_result_text() call.
+**
+** SQL function 'test_destructor_count' returns the number of outstanding 
+** allocations made by 'test_destructor';
+**
+** WARNING: Not threadsafe.
+*/
+static int test_destructor_count_var = 0;
+static void destructor(void *p){
+  char *zVal = (char *)p;
+  assert(zVal);
+  zVal--;
+  sqliteFree(zVal);
+  test_destructor_count_var--;
+}
+static void test_destructor(
+  sqlite3_context *pCtx, 
+  int nArg,
+  sqlite3_value **argv
+){
+  char *zVal;
+  int len;
+  sqlite3 *db = sqlite3_user_data(pCtx);
+ 
+  test_destructor_count_var++;
+  assert( nArg==1 );
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ) return;
+  len = sqlite3ValueBytes(argv[0], ENC(db)); 
+  zVal = sqliteMalloc(len+3);
+  zVal[len] = 0;
+  zVal[len-1] = 0;
+  assert( zVal );
+  zVal++;
+  memcpy(zVal, sqlite3ValueText(argv[0], ENC(db)), len);
+  if( ENC(db)==SQLITE_UTF8 ){
+    sqlite3_result_text(pCtx, zVal, -1, destructor);
+#ifndef SQLITE_OMIT_UTF16
+  }else if( ENC(db)==SQLITE_UTF16LE ){
+    sqlite3_result_text16le(pCtx, zVal, -1, destructor);
+  }else{
+    sqlite3_result_text16be(pCtx, zVal, -1, destructor);
+#endif /* SQLITE_OMIT_UTF16 */
+  }
+}
+static void test_destructor_count(
+  sqlite3_context *pCtx, 
+  int nArg,
+  sqlite3_value **argv
+){
+  sqlite3_result_int(pCtx, test_destructor_count_var);
+}
+#endif /* SQLITE_TEST */
+
+#ifdef SQLITE_TEST
+/*
+** Routines for testing the sqlite3_get_auxdata() and sqlite3_set_auxdata()
+** interface.
+**
+** The test_auxdata() SQL function attempts to register each of its arguments
+** as auxiliary data.  If there are no prior registrations of aux data for
+** that argument (meaning the argument is not a constant or this is its first
+** call) then the result for that argument is 0.  If there is a prior
+** registration, the result for that argument is 1.  The overall result
+** is the individual argument results separated by spaces.
+*/
+static void free_test_auxdata(void *p) {sqliteFree(p);}
+static void test_auxdata(
+  sqlite3_context *pCtx, 
+  int nArg,
+  sqlite3_value **argv
+){
+  int i;
+  char *zRet = sqliteMalloc(nArg*2);
+  if( !zRet ) return;
+  for(i=0; i<nArg; i++){
+    char const *z = (char*)sqlite3_value_text(argv[i]);
+    if( z ){
+      char *zAux = sqlite3_get_auxdata(pCtx, i);
+      if( zAux ){
+        zRet[i*2] = '1';
+        if( strcmp(zAux, z) ){
+          sqlite3_result_error(pCtx, "Auxilary data corruption", -1);
+          return;
+        }
+      }else{
+        zRet[i*2] = '0';
+        zAux = sqliteStrDup(z);
+        sqlite3_set_auxdata(pCtx, i, zAux, free_test_auxdata);
+      }
+      zRet[i*2+1] = ' ';
+    }
+  }
+  sqlite3_result_text(pCtx, zRet, 2*nArg-1, free_test_auxdata);
+}
+#endif /* SQLITE_TEST */
+
+#ifdef SQLITE_TEST
+/*
+** A function to test error reporting from user functions. This function
+** returns a copy of it's first argument as an error.
+*/
+static void test_error(
+  sqlite3_context *pCtx, 
+  int nArg,
+  sqlite3_value **argv
+){
+  sqlite3_result_error(pCtx, (char*)sqlite3_value_text(argv[0]), 0);
+}
+#endif /* SQLITE_TEST */
+
+/*
+** An instance of the following structure holds the context of a
+** sum() or avg() aggregate computation.
+*/
+typedef struct SumCtx SumCtx;
+struct SumCtx {
+  double rSum;      /* Floating point sum */
+  i64 iSum;         /* Integer sum */   
+  i64 cnt;          /* Number of elements summed */
+  u8 overflow;      /* True if integer overflow seen */
+  u8 approx;        /* True if non-integer value was input to the sum */
+};
+
+/*
+** Routines used to compute the sum, average, and total.
+**
+** The SUM() function follows the (broken) SQL standard which means
+** that it returns NULL if it sums over no inputs.  TOTAL returns
+** 0.0 in that case.  In addition, TOTAL always returns a float where
+** SUM might return an integer if it never encounters a floating point
+** value.  TOTAL never fails, but SUM might through an exception if
+** it overflows an integer.
+*/
+static void sumStep(sqlite3_context *context, int argc, sqlite3_value **argv){
+  SumCtx *p;
+  int type;
+  assert( argc==1 );
+  p = sqlite3_aggregate_context(context, sizeof(*p));
+  type = sqlite3_value_numeric_type(argv[0]);
+  if( p && type!=SQLITE_NULL ){
+    p->cnt++;
+    if( type==SQLITE_INTEGER ){
+      i64 v = sqlite3_value_int64(argv[0]);
+      p->rSum += v;
+      if( (p->approx|p->overflow)==0 ){
+        i64 iNewSum = p->iSum + v;
+        int s1 = p->iSum >> (sizeof(i64)*8-1);
+        int s2 = v       >> (sizeof(i64)*8-1);
+        int s3 = iNewSum >> (sizeof(i64)*8-1);
+        p->overflow = (s1&s2&~s3) | (~s1&~s2&s3);
+        p->iSum = iNewSum;
+      }
+    }else{
+      p->rSum += sqlite3_value_double(argv[0]);
+      p->approx = 1;
+    }
+  }
+}
+static void sumFinalize(sqlite3_context *context){
+  SumCtx *p;
+  p = sqlite3_aggregate_context(context, 0);
+  if( p && p->cnt>0 ){
+    if( p->overflow ){
+      sqlite3_result_error(context,"integer overflow",-1);
+    }else if( p->approx ){
+      sqlite3_result_double(context, p->rSum);
+    }else{
+      sqlite3_result_int64(context, p->iSum);
+    }
+  }
+}
+static void avgFinalize(sqlite3_context *context){
+  SumCtx *p;
+  p = sqlite3_aggregate_context(context, 0);
+  if( p && p->cnt>0 ){
+    sqlite3_result_double(context, p->rSum/(double)p->cnt);
+  }
+}
+static void totalFinalize(sqlite3_context *context){
+  SumCtx *p;
+  p = sqlite3_aggregate_context(context, 0);
+  sqlite3_result_double(context, p ? p->rSum : 0.0);
+}
+
+/*
+** The following structure keeps track of state information for the
+** count() aggregate function.
+*/
+typedef struct CountCtx CountCtx;
+struct CountCtx {
+  i64 n;
+};
+
+/*
+** Routines to implement the count() aggregate function.
+*/
+static void countStep(sqlite3_context *context, int argc, sqlite3_value **argv){
+  CountCtx *p;
+  p = sqlite3_aggregate_context(context, sizeof(*p));
+  if( (argc==0 || SQLITE_NULL!=sqlite3_value_type(argv[0])) && p ){
+    p->n++;
+  }
+}   
+static void countFinalize(sqlite3_context *context){
+  CountCtx *p;
+  p = sqlite3_aggregate_context(context, 0);
+  sqlite3_result_int64(context, p ? p->n : 0);
+}
+
+/*
+** Routines to implement min() and max() aggregate functions.
+*/
+static void minmaxStep(sqlite3_context *context, int argc, sqlite3_value **argv){
+  Mem *pArg  = (Mem *)argv[0];
+  Mem *pBest;
+
+  if( sqlite3_value_type(argv[0])==SQLITE_NULL ) return;
+  pBest = (Mem *)sqlite3_aggregate_context(context, sizeof(*pBest));
+  if( !pBest ) return;
+
+  if( pBest->flags ){
+    int max;
+    int cmp;
+    CollSeq *pColl = sqlite3GetFuncCollSeq(context);
+    /* This step function is used for both the min() and max() aggregates,
+    ** the only difference between the two being that the sense of the
+    ** comparison is inverted. For the max() aggregate, the
+    ** sqlite3_user_data() function returns (void *)-1. For min() it
+    ** returns (void *)db, where db is the sqlite3* database pointer.
+    ** Therefore the next statement sets variable 'max' to 1 for the max()
+    ** aggregate, or 0 for min().
+    */
+    max = sqlite3_user_data(context)!=0;
+    cmp = sqlite3MemCompare(pBest, pArg, pColl);
+    if( (max && cmp<0) || (!max && cmp>0) ){
+      sqlite3VdbeMemCopy(pBest, pArg);
+    }
+  }else{
+    sqlite3VdbeMemCopy(pBest, pArg);
+  }
+}
+static void minMaxFinalize(sqlite3_context *context){
+  sqlite3_value *pRes;
+  pRes = (sqlite3_value *)sqlite3_aggregate_context(context, 0);
+  if( pRes ){
+    if( pRes->flags ){
+      sqlite3_result_value(context, pRes);
+    }
+    sqlite3VdbeMemRelease(pRes);
+  }
+}
+
+
+/*
+** This function registered all of the above C functions as SQL
+** functions.  This should be the only routine in this file with
+** external linkage.
+*/
+void sqlite3RegisterBuiltinFunctions(sqlite3 *db){
+  static const struct {
+     char *zName;
+     signed char nArg;
+     u8 argType;           /* ff: db   1: 0, 2: 1, 3: 2,...  N:  N-1. */
+     u8 eTextRep;          /* 1: UTF-16.  0: UTF-8 */
+     u8 needCollSeq;
+     void (*xFunc)(sqlite3_context*,int,sqlite3_value **);
+  } aFuncs[] = {
+    { "min",               -1, 0, SQLITE_UTF8,    1, minmaxFunc },
+    { "min",                0, 0, SQLITE_UTF8,    1, 0          },
+    { "max",               -1, 1, SQLITE_UTF8,    1, minmaxFunc },
+    { "max",                0, 1, SQLITE_UTF8,    1, 0          },
+    { "typeof",             1, 0, SQLITE_UTF8,    0, typeofFunc },
+    { "length",             1, 0, SQLITE_UTF8,    0, lengthFunc },
+    { "substr",             3, 0, SQLITE_UTF8,    0, substrFunc },
+#ifndef SQLITE_OMIT_UTF16
+    { "substr",             3, 0, SQLITE_UTF16LE, 0, sqlite3utf16Substr },
+#endif
+    { "abs",                1, 0, SQLITE_UTF8,    0, absFunc    },
+    { "round",              1, 0, SQLITE_UTF8,    0, roundFunc  },
+    { "round",              2, 0, SQLITE_UTF8,    0, roundFunc  },
+    { "upper",              1, 0, SQLITE_UTF8,    0, upperFunc  },
+    { "lower",              1, 0, SQLITE_UTF8,    0, lowerFunc  },
+    { "coalesce",          -1, 0, SQLITE_UTF8,    0, ifnullFunc },
+    { "coalesce",           0, 0, SQLITE_UTF8,    0, 0          },
+    { "coalesce",           1, 0, SQLITE_UTF8,    0, 0          },
+    { "hex",                1, 0, SQLITE_UTF8,    0, hexFunc    },
+    { "ifnull",             2, 0, SQLITE_UTF8,    1, ifnullFunc },
+    { "random",            -1, 0, SQLITE_UTF8,    0, randomFunc },
+    { "randomblob",         1, 0, SQLITE_UTF8,    0, randomBlob },
+    { "nullif",             2, 0, SQLITE_UTF8,    1, nullifFunc },
+    { "sqlite_version",     0, 0, SQLITE_UTF8,    0, versionFunc},
+    { "quote",              1, 0, SQLITE_UTF8,    0, quoteFunc  },
+    { "last_insert_rowid",  0, 0xff, SQLITE_UTF8, 0, last_insert_rowid },
+    { "changes",            0, 0xff, SQLITE_UTF8, 0, changes           },
+    { "total_changes",      0, 0xff, SQLITE_UTF8, 0, total_changes     },
+    { "replace",            3, 0, SQLITE_UTF8,    0, replaceFunc       },
+    { "ltrim",              1, 1, SQLITE_UTF8,    0, trimFunc          },
+    { "ltrim",              2, 1, SQLITE_UTF8,    0, trimFunc          },
+    { "rtrim",              1, 2, SQLITE_UTF8,    0, trimFunc          },
+    { "rtrim",              2, 2, SQLITE_UTF8,    0, trimFunc          },
+    { "trim",               1, 3, SQLITE_UTF8,    0, trimFunc          },
+    { "trim",               2, 3, SQLITE_UTF8,    0, trimFunc          },
+#ifdef SQLITE_SOUNDEX
+    { "soundex",            1, 0, SQLITE_UTF8,    0, soundexFunc},
+#endif
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+    { "load_extension",     1, 0xff, SQLITE_UTF8, 0, loadExt },
+    { "load_extension",     2, 0xff, SQLITE_UTF8, 0, loadExt },
+#endif
+#ifdef SQLITE_TEST
+    { "randstr",               2, 0,    SQLITE_UTF8, 0, randStr    },
+    { "test_destructor",       1, 0xff, SQLITE_UTF8, 0, test_destructor},
+    { "test_destructor_count", 0, 0,    SQLITE_UTF8, 0, test_destructor_count},
+    { "test_auxdata",         -1, 0,    SQLITE_UTF8, 0, test_auxdata},
+    { "test_error",            1, 0,    SQLITE_UTF8, 0, test_error},
+#endif
+  };
+  static const struct {
+    char *zName;
+    signed char nArg;
+    u8 argType;
+    u8 needCollSeq;
+    void (*xStep)(sqlite3_context*,int,sqlite3_value**);
+    void (*xFinalize)(sqlite3_context*);
+  } aAggs[] = {
+    { "min",    1, 0, 1, minmaxStep,   minMaxFinalize },
+    { "max",    1, 1, 1, minmaxStep,   minMaxFinalize },
+    { "sum",    1, 0, 0, sumStep,      sumFinalize    },
+    { "total",  1, 0, 0, sumStep,      totalFinalize    },
+    { "avg",    1, 0, 0, sumStep,      avgFinalize    },
+    { "count",  0, 0, 0, countStep,    countFinalize  },
+    { "count",  1, 0, 0, countStep,    countFinalize  },
+  };
+  int i;
+
+  for(i=0; i<sizeof(aFuncs)/sizeof(aFuncs[0]); i++){
+    void *pArg;
+    u8 argType = aFuncs[i].argType;
+    if( argType==0xff ){
+      pArg = db;
+    }else{
+      pArg = (void*)(int)argType;
+    }
+    sqlite3CreateFunc(db, aFuncs[i].zName, aFuncs[i].nArg,
+        aFuncs[i].eTextRep, pArg, aFuncs[i].xFunc, 0, 0);
+    if( aFuncs[i].needCollSeq ){
+      FuncDef *pFunc = sqlite3FindFunction(db, aFuncs[i].zName, 
+          strlen(aFuncs[i].zName), aFuncs[i].nArg, aFuncs[i].eTextRep, 0);
+      if( pFunc && aFuncs[i].needCollSeq ){
+        pFunc->needCollSeq = 1;
+      }
+    }
+  }
+#ifndef SQLITE_OMIT_ALTERTABLE
+  sqlite3AlterFunctions(db);
+#endif
+#ifndef SQLITE_OMIT_PARSER
+  sqlite3AttachFunctions(db);
+#endif
+  for(i=0; i<sizeof(aAggs)/sizeof(aAggs[0]); i++){
+    void *pArg = (void*)(int)aAggs[i].argType;
+    sqlite3CreateFunc(db, aAggs[i].zName, aAggs[i].nArg, SQLITE_UTF8, 
+        pArg, 0, aAggs[i].xStep, aAggs[i].xFinalize);
+    if( aAggs[i].needCollSeq ){
+      FuncDef *pFunc = sqlite3FindFunction( db, aAggs[i].zName,
+          strlen(aAggs[i].zName), aAggs[i].nArg, SQLITE_UTF8, 0);
+      if( pFunc && aAggs[i].needCollSeq ){
+        pFunc->needCollSeq = 1;
+      }
+    }
+  }
+  sqlite3RegisterDateTimeFunctions(db);
+  sqlite3_overload_function(db, "MATCH", 2);
+#ifdef SQLITE_SSE
+  (void)sqlite3SseFunctions(db);
+#endif
+#ifdef SQLITE_CASE_SENSITIVE_LIKE
+  sqlite3RegisterLikeFunctions(db, 1);
+#else
+  sqlite3RegisterLikeFunctions(db, 0);
+#endif
+}
+
+/*
+** Set the LIKEOPT flag on the 2-argument function with the given name.
+*/
+static void setLikeOptFlag(sqlite3 *db, const char *zName, int flagVal){
+  FuncDef *pDef;
+  pDef = sqlite3FindFunction(db, zName, strlen(zName), 2, SQLITE_UTF8, 0);
+  if( pDef ){
+    pDef->flags = flagVal;
+  }
+}
+
+/*
+** Register the built-in LIKE and GLOB functions.  The caseSensitive
+** parameter determines whether or not the LIKE operator is case
+** sensitive.  GLOB is always case sensitive.
+*/
+void sqlite3RegisterLikeFunctions(sqlite3 *db, int caseSensitive){
+  struct compareInfo *pInfo;
+  if( caseSensitive ){
+    pInfo = (struct compareInfo*)&likeInfoAlt;
+  }else{
+    pInfo = (struct compareInfo*)&likeInfoNorm;
+  }
+  sqlite3CreateFunc(db, "like", 2, SQLITE_UTF8, pInfo, likeFunc, 0, 0);
+  sqlite3CreateFunc(db, "like", 3, SQLITE_UTF8, pInfo, likeFunc, 0, 0);
+  sqlite3CreateFunc(db, "glob", 2, SQLITE_UTF8, 
+      (struct compareInfo*)&globInfo, likeFunc, 0,0);
+  setLikeOptFlag(db, "glob", SQLITE_FUNC_LIKE | SQLITE_FUNC_CASE);
+  setLikeOptFlag(db, "like", 
+      caseSensitive ? (SQLITE_FUNC_LIKE | SQLITE_FUNC_CASE) : SQLITE_FUNC_LIKE);
+}
+
+/*
+** pExpr points to an expression which implements a function.  If
+** it is appropriate to apply the LIKE optimization to that function
+** then set aWc[0] through aWc[2] to the wildcard characters and
+** return TRUE.  If the function is not a LIKE-style function then
+** return FALSE.
+*/
+int sqlite3IsLikeFunction(sqlite3 *db, Expr *pExpr, int *pIsNocase, char *aWc){
+  FuncDef *pDef;
+  if( pExpr->op!=TK_FUNCTION ){
+    return 0;
+  }
+  if( pExpr->pList->nExpr!=2 ){
+    return 0;
+  }
+  pDef = sqlite3FindFunction(db, (char*)pExpr->token.z, pExpr->token.n, 2,
+                             SQLITE_UTF8, 0);
+  if( pDef==0 || (pDef->flags & SQLITE_FUNC_LIKE)==0 ){
+    return 0;
+  }
+
+  /* The memcpy() statement assumes that the wildcard characters are
+  ** the first three statements in the compareInfo structure.  The
+  ** asserts() that follow verify that assumption
+  */
+  memcpy(aWc, pDef->pUserData, 3);
+  assert( (char*)&likeInfoAlt == (char*)&likeInfoAlt.matchAll );
+  assert( &((char*)&likeInfoAlt)[1] == (char*)&likeInfoAlt.matchOne );
+  assert( &((char*)&likeInfoAlt)[2] == (char*)&likeInfoAlt.matchSet );
+  *pIsNocase = (pDef->flags & SQLITE_FUNC_CASE)==0;
+  return 1;
+}
+
+/************** End of func.c ************************************************/
+/************** Begin file insert.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that are called by the parser
+** to handle INSERT statements in SQLite.
+**
+** $Id$
+*/
+
+/*
+** Set P3 of the most recently inserted opcode to a column affinity
+** string for index pIdx. A column affinity string has one character
+** for each column in the table, according to the affinity of the column:
+**
+**  Character      Column affinity
+**  ------------------------------
+**  'a'            TEXT
+**  'b'            NONE
+**  'c'            NUMERIC
+**  'd'            INTEGER
+**  'e'            REAL
+*/
+void sqlite3IndexAffinityStr(Vdbe *v, Index *pIdx){
+  if( !pIdx->zColAff ){
+    /* The first time a column affinity string for a particular index is
+    ** required, it is allocated and populated here. It is then stored as
+    ** a member of the Index structure for subsequent use.
+    **
+    ** The column affinity string will eventually be deleted by
+    ** sqliteDeleteIndex() when the Index structure itself is cleaned
+    ** up.
+    */
+    int n;
+    Table *pTab = pIdx->pTable;
+    pIdx->zColAff = (char *)sqliteMalloc(pIdx->nColumn+1);
+    if( !pIdx->zColAff ){
+      return;
+    }
+    for(n=0; n<pIdx->nColumn; n++){
+      pIdx->zColAff[n] = pTab->aCol[pIdx->aiColumn[n]].affinity;
+    }
+    pIdx->zColAff[pIdx->nColumn] = '\0';
+  }
+ 
+  sqlite3VdbeChangeP3(v, -1, pIdx->zColAff, 0);
+}
+
+/*
+** Set P3 of the most recently inserted opcode to a column affinity
+** string for table pTab. A column affinity string has one character
+** for each column indexed by the index, according to the affinity of the
+** column:
+**
+**  Character      Column affinity
+**  ------------------------------
+**  'a'            TEXT
+**  'b'            NONE
+**  'c'            NUMERIC
+**  'd'            INTEGER
+**  'e'            REAL
+*/
+void sqlite3TableAffinityStr(Vdbe *v, Table *pTab){
+  /* The first time a column affinity string for a particular table
+  ** is required, it is allocated and populated here. It is then 
+  ** stored as a member of the Table structure for subsequent use.
+  **
+  ** The column affinity string will eventually be deleted by
+  ** sqlite3DeleteTable() when the Table structure itself is cleaned up.
+  */
+  if( !pTab->zColAff ){
+    char *zColAff;
+    int i;
+
+    zColAff = (char *)sqliteMalloc(pTab->nCol+1);
+    if( !zColAff ){
+      return;
+    }
+
+    for(i=0; i<pTab->nCol; i++){
+      zColAff[i] = pTab->aCol[i].affinity;
+    }
+    zColAff[pTab->nCol] = '\0';
+
+    pTab->zColAff = zColAff;
+  }
+
+  sqlite3VdbeChangeP3(v, -1, pTab->zColAff, 0);
+}
+
+/*
+** Return non-zero if SELECT statement p opens the table with rootpage
+** iTab in database iDb.  This is used to see if a statement of the form 
+** "INSERT INTO <iDb, iTab> SELECT ..." can run without using temporary
+** table for the results of the SELECT. 
+**
+** No checking is done for sub-selects that are part of expressions.
+*/
+static int selectReadsTable(Select *p, Schema *pSchema, int iTab){
+  int i;
+  struct SrcList_item *pItem;
+  if( p->pSrc==0 ) return 0;
+  for(i=0, pItem=p->pSrc->a; i<p->pSrc->nSrc; i++, pItem++){
+    if( pItem->pSelect ){
+      if( selectReadsTable(pItem->pSelect, pSchema, iTab) ) return 1;
+    }else{
+      if( pItem->pTab->pSchema==pSchema && pItem->pTab->tnum==iTab ) return 1;
+    }
+  }
+  return 0;
+}
+
+#ifndef SQLITE_OMIT_AUTOINCREMENT
+/*
+** Write out code to initialize the autoincrement logic.  This code
+** looks up the current autoincrement value in the sqlite_sequence
+** table and stores that value in a memory cell.  Code generated by
+** autoIncStep() will keep that memory cell holding the largest
+** rowid value.  Code generated by autoIncEnd() will write the new
+** largest value of the counter back into the sqlite_sequence table.
+**
+** This routine returns the index of the mem[] cell that contains
+** the maximum rowid counter.
+**
+** Two memory cells are allocated.  The next memory cell after the
+** one returned holds the rowid in sqlite_sequence where we will
+** write back the revised maximum rowid.
+*/
+static int autoIncBegin(
+  Parse *pParse,      /* Parsing context */
+  int iDb,            /* Index of the database holding pTab */
+  Table *pTab         /* The table we are writing to */
+){
+  int memId = 0;
+  if( pTab->autoInc ){
+    Vdbe *v = pParse->pVdbe;
+    Db *pDb = &pParse->db->aDb[iDb];
+    int iCur = pParse->nTab;
+    int addr;
+    assert( v );
+    addr = sqlite3VdbeCurrentAddr(v);
+    memId = pParse->nMem+1;
+    pParse->nMem += 2;
+    sqlite3OpenTable(pParse, iCur, iDb, pDb->pSchema->pSeqTab, OP_OpenRead);
+    sqlite3VdbeAddOp(v, OP_Rewind, iCur, addr+13);
+    sqlite3VdbeAddOp(v, OP_Column, iCur, 0);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, pTab->zName, 0);
+    sqlite3VdbeAddOp(v, OP_Ne, 0x100, addr+12);
+    sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+    sqlite3VdbeAddOp(v, OP_MemStore, memId-1, 1);
+    sqlite3VdbeAddOp(v, OP_Column, iCur, 1);
+    sqlite3VdbeAddOp(v, OP_MemStore, memId, 1);
+    sqlite3VdbeAddOp(v, OP_Goto, 0, addr+13);
+    sqlite3VdbeAddOp(v, OP_Next, iCur, addr+4);
+    sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+  }
+  return memId;
+}
+
+/*
+** Update the maximum rowid for an autoincrement calculation.
+**
+** This routine should be called when the top of the stack holds a
+** new rowid that is about to be inserted.  If that new rowid is
+** larger than the maximum rowid in the memId memory cell, then the
+** memory cell is updated.  The stack is unchanged.
+*/
+static void autoIncStep(Parse *pParse, int memId){
+  if( memId>0 ){
+    sqlite3VdbeAddOp(pParse->pVdbe, OP_MemMax, memId, 0);
+  }
+}
+
+/*
+** After doing one or more inserts, the maximum rowid is stored
+** in mem[memId].  Generate code to write this value back into the
+** the sqlite_sequence table.
+*/
+static void autoIncEnd(
+  Parse *pParse,     /* The parsing context */
+  int iDb,           /* Index of the database holding pTab */
+  Table *pTab,       /* Table we are inserting into */
+  int memId          /* Memory cell holding the maximum rowid */
+){
+  if( pTab->autoInc ){
+    int iCur = pParse->nTab;
+    Vdbe *v = pParse->pVdbe;
+    Db *pDb = &pParse->db->aDb[iDb];
+    int addr;
+    assert( v );
+    addr = sqlite3VdbeCurrentAddr(v);
+    sqlite3OpenTable(pParse, iCur, iDb, pDb->pSchema->pSeqTab, OP_OpenWrite);
+    sqlite3VdbeAddOp(v, OP_MemLoad, memId-1, 0);
+    sqlite3VdbeAddOp(v, OP_NotNull, -1, addr+7);
+    sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+    sqlite3VdbeAddOp(v, OP_NewRowid, iCur, 0);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, pTab->zName, 0);
+    sqlite3VdbeAddOp(v, OP_MemLoad, memId, 0);
+    sqlite3VdbeAddOp(v, OP_MakeRecord, 2, 0);
+    sqlite3VdbeAddOp(v, OP_Insert, iCur, OPFLAG_APPEND);
+    sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+  }
+}
+#else
+/*
+** If SQLITE_OMIT_AUTOINCREMENT is defined, then the three routines
+** above are all no-ops
+*/
+# define autoIncBegin(A,B,C) (0)
+# define autoIncStep(A,B)
+# define autoIncEnd(A,B,C,D)
+#endif /* SQLITE_OMIT_AUTOINCREMENT */
+
+
+/* Forward declaration */
+static int xferOptimization(
+  Parse *pParse,        /* Parser context */
+  Table *pDest,         /* The table we are inserting into */
+  Select *pSelect,      /* A SELECT statement to use as the data source */
+  int onError,          /* How to handle constraint errors */
+  int iDbDest           /* The database of pDest */
+);
+
+/*
+** This routine is call to handle SQL of the following forms:
+**
+**    insert into TABLE (IDLIST) values(EXPRLIST)
+**    insert into TABLE (IDLIST) select
+**
+** The IDLIST following the table name is always optional.  If omitted,
+** then a list of all columns for the table is substituted.  The IDLIST
+** appears in the pColumn parameter.  pColumn is NULL if IDLIST is omitted.
+**
+** The pList parameter holds EXPRLIST in the first form of the INSERT
+** statement above, and pSelect is NULL.  For the second form, pList is
+** NULL and pSelect is a pointer to the select statement used to generate
+** data for the insert.
+**
+** The code generated follows one of four templates.  For a simple
+** select with data coming from a VALUES clause, the code executes
+** once straight down through.  The template looks like this:
+**
+**         open write cursor to <table> and its indices
+**         puts VALUES clause expressions onto the stack
+**         write the resulting record into <table>
+**         cleanup
+**
+** The three remaining templates assume the statement is of the form
+**
+**   INSERT INTO <table> SELECT ...
+**
+** If the SELECT clause is of the restricted form "SELECT * FROM <table2>" -
+** in other words if the SELECT pulls all columns from a single table
+** and there is no WHERE or LIMIT or GROUP BY or ORDER BY clauses, and
+** if <table2> and <table1> are distinct tables but have identical
+** schemas, including all the same indices, then a special optimization
+** is invoked that copies raw records from <table2> over to <table1>.
+** See the xferOptimization() function for the implementation of this
+** template.  This is the second template.
+**
+**         open a write cursor to <table>
+**         open read cursor on <table2>
+**         transfer all records in <table2> over to <table>
+**         close cursors
+**         foreach index on <table>
+**           open a write cursor on the <table> index
+**           open a read cursor on the corresponding <table2> index
+**           transfer all records from the read to the write cursors
+**           close cursors
+**         end foreach
+**
+** The third template is for when the second template does not apply
+** and the SELECT clause does not read from <table> at any time.
+** The generated code follows this template:
+**
+**         goto B
+**      A: setup for the SELECT
+**         loop over the rows in the SELECT
+**           gosub C
+**         end loop
+**         cleanup after the SELECT
+**         goto D
+**      B: open write cursor to <table> and its indices
+**         goto A
+**      C: insert the select result into <table>
+**         return
+**      D: cleanup
+**
+** The fourth template is used if the insert statement takes its
+** values from a SELECT but the data is being inserted into a table
+** that is also read as part of the SELECT.  In the third form,
+** we have to use a intermediate table to store the results of
+** the select.  The template is like this:
+**
+**         goto B
+**      A: setup for the SELECT
+**         loop over the tables in the SELECT
+**           gosub C
+**         end loop
+**         cleanup after the SELECT
+**         goto D
+**      C: insert the select result into the intermediate table
+**         return
+**      B: open a cursor to an intermediate table
+**         goto A
+**      D: open write cursor to <table> and its indices
+**         loop over the intermediate table
+**           transfer values form intermediate table into <table>
+**         end the loop
+**         cleanup
+*/
+void sqlite3Insert(
+  Parse *pParse,        /* Parser context */
+  SrcList *pTabList,    /* Name of table into which we are inserting */
+  ExprList *pList,      /* List of values to be inserted */
+  Select *pSelect,      /* A SELECT statement to use as the data source */
+  IdList *pColumn,      /* Column names corresponding to IDLIST. */
+  int onError           /* How to handle constraint errors */
+){
+  Table *pTab;          /* The table to insert into */
+  char *zTab;           /* Name of the table into which we are inserting */
+  const char *zDb;      /* Name of the database holding this table */
+  int i, j, idx;        /* Loop counters */
+  Vdbe *v;              /* Generate code into this virtual machine */
+  Index *pIdx;          /* For looping over indices of the table */
+  int nColumn;          /* Number of columns in the data */
+  int base = 0;         /* VDBE Cursor number for pTab */
+  int iCont=0,iBreak=0; /* Beginning and end of the loop over srcTab */
+  sqlite3 *db;          /* The main database structure */
+  int keyColumn = -1;   /* Column that is the INTEGER PRIMARY KEY */
+  int endOfLoop;        /* Label for the end of the insertion loop */
+  int useTempTable = 0; /* Store SELECT results in intermediate table */
+  int srcTab = 0;       /* Data comes from this temporary cursor if >=0 */
+  int iSelectLoop = 0;  /* Address of code that implements the SELECT */
+  int iCleanup = 0;     /* Address of the cleanup code */
+  int iInsertBlock = 0; /* Address of the subroutine used to insert data */
+  int iCntMem = 0;      /* Memory cell used for the row counter */
+  int newIdx = -1;      /* Cursor for the NEW table */
+  Db *pDb;              /* The database containing table being inserted into */
+  int counterMem = 0;   /* Memory cell holding AUTOINCREMENT counter */
+  int appendFlag = 0;   /* True if the insert is likely to be an append */
+  int iDb;
+
+#ifndef SQLITE_OMIT_TRIGGER
+  int isView;                 /* True if attempting to insert into a view */
+  int triggers_exist = 0;     /* True if there are FOR EACH ROW triggers */
+#endif
+
+  if( pParse->nErr || sqlite3MallocFailed() ){
+    goto insert_cleanup;
+  }
+  db = pParse->db;
+
+  /* Locate the table into which we will be inserting new information.
+  */
+  assert( pTabList->nSrc==1 );
+  zTab = pTabList->a[0].zName;
+  if( zTab==0 ) goto insert_cleanup;
+  pTab = sqlite3SrcListLookup(pParse, pTabList);
+  if( pTab==0 ){
+    goto insert_cleanup;
+  }
+  iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+  assert( iDb<db->nDb );
+  pDb = &db->aDb[iDb];
+  zDb = pDb->zName;
+  if( sqlite3AuthCheck(pParse, SQLITE_INSERT, pTab->zName, 0, zDb) ){
+    goto insert_cleanup;
+  }
+
+  /* Figure out if we have any triggers and if the table being
+  ** inserted into is a view
+  */
+#ifndef SQLITE_OMIT_TRIGGER
+  triggers_exist = sqlite3TriggersExist(pParse, pTab, TK_INSERT, 0);
+  isView = pTab->pSelect!=0;
+#else
+# define triggers_exist 0
+# define isView 0
+#endif
+#ifdef SQLITE_OMIT_VIEW
+# undef isView
+# define isView 0
+#endif
+
+  /* Ensure that:
+  *  (a) the table is not read-only, 
+  *  (b) that if it is a view then ON INSERT triggers exist
+  */
+  if( sqlite3IsReadOnly(pParse, pTab, triggers_exist) ){
+    goto insert_cleanup;
+  }
+  assert( pTab!=0 );
+
+  /* If pTab is really a view, make sure it has been initialized.
+  ** ViewGetColumnNames() is a no-op if pTab is not a view (or virtual 
+  ** module table).
+  */
+  if( sqlite3ViewGetColumnNames(pParse, pTab) ){
+    goto insert_cleanup;
+  }
+
+  /* Allocate a VDBE
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) goto insert_cleanup;
+  if( pParse->nested==0 ) sqlite3VdbeCountChanges(v);
+  sqlite3BeginWriteOperation(pParse, pSelect || triggers_exist, iDb);
+
+  /* if there are row triggers, allocate a temp table for new.* references. */
+  if( triggers_exist ){
+    newIdx = pParse->nTab++;
+  }
+
+#ifndef SQLITE_OMIT_XFER_OPT
+  /* If the statement is of the form
+  **
+  **       INSERT INTO <table1> SELECT * FROM <table2>;
+  **
+  ** Then special optimizations can be applied that make the transfer
+  ** very fast and which reduce fragmentation of indices.
+  */
+  if( pColumn==0 && xferOptimization(pParse, pTab, pSelect, onError, iDb) ){
+    assert( !triggers_exist );
+    assert( pList==0 );
+    goto insert_cleanup;
+  }
+#endif /* SQLITE_OMIT_XFER_OPT */
+
+  /* If this is an AUTOINCREMENT table, look up the sequence number in the
+  ** sqlite_sequence table and store it in memory cell counterMem.  Also
+  ** remember the rowid of the sqlite_sequence table entry in memory cell
+  ** counterRowid.
+  */
+  counterMem = autoIncBegin(pParse, iDb, pTab);
+
+  /* Figure out how many columns of data are supplied.  If the data
+  ** is coming from a SELECT statement, then this step also generates
+  ** all the code to implement the SELECT statement and invoke a subroutine
+  ** to process each row of the result. (Template 2.) If the SELECT
+  ** statement uses the the table that is being inserted into, then the
+  ** subroutine is also coded here.  That subroutine stores the SELECT
+  ** results in a temporary table. (Template 3.)
+  */
+  if( pSelect ){
+    /* Data is coming from a SELECT.  Generate code to implement that SELECT
+    */
+    int rc, iInitCode;
+    iInitCode = sqlite3VdbeAddOp(v, OP_Goto, 0, 0);
+    iSelectLoop = sqlite3VdbeCurrentAddr(v);
+    iInsertBlock = sqlite3VdbeMakeLabel(v);
+
+    /* Resolve the expressions in the SELECT statement and execute it. */
+    rc = sqlite3Select(pParse, pSelect, SRT_Subroutine, iInsertBlock,0,0,0,0);
+    if( rc || pParse->nErr || sqlite3MallocFailed() ){
+      goto insert_cleanup;
+    }
+
+    iCleanup = sqlite3VdbeMakeLabel(v);
+    sqlite3VdbeAddOp(v, OP_Goto, 0, iCleanup);
+    assert( pSelect->pEList );
+    nColumn = pSelect->pEList->nExpr;
+
+    /* Set useTempTable to TRUE if the result of the SELECT statement
+    ** should be written into a temporary table.  Set to FALSE if each
+    ** row of the SELECT can be written directly into the result table.
+    **
+    ** A temp table must be used if the table being updated is also one
+    ** of the tables being read by the SELECT statement.  Also use a 
+    ** temp table in the case of row triggers.
+    */
+    if( triggers_exist || selectReadsTable(pSelect,pTab->pSchema,pTab->tnum) ){
+      useTempTable = 1;
+    }
+
+    if( useTempTable ){
+      /* Generate the subroutine that SELECT calls to process each row of
+      ** the result.  Store the result in a temporary table
+      */
+      srcTab = pParse->nTab++;
+      sqlite3VdbeResolveLabel(v, iInsertBlock);
+      sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+      sqlite3VdbeAddOp(v, OP_NewRowid, srcTab, 0);
+      sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Insert, srcTab, OPFLAG_APPEND);
+      sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+
+      /* The following code runs first because the GOTO at the very top
+      ** of the program jumps to it.  Create the temporary table, then jump
+      ** back up and execute the SELECT code above.
+      */
+      sqlite3VdbeJumpHere(v, iInitCode);
+      sqlite3VdbeAddOp(v, OP_OpenEphemeral, srcTab, 0);
+      sqlite3VdbeAddOp(v, OP_SetNumColumns, srcTab, nColumn);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, iSelectLoop);
+      sqlite3VdbeResolveLabel(v, iCleanup);
+    }else{
+      sqlite3VdbeJumpHere(v, iInitCode);
+    }
+  }else{
+    /* This is the case if the data for the INSERT is coming from a VALUES
+    ** clause
+    */
+    NameContext sNC;
+    memset(&sNC, 0, sizeof(sNC));
+    sNC.pParse = pParse;
+    srcTab = -1;
+    useTempTable = 0;
+    nColumn = pList ? pList->nExpr : 0;
+    for(i=0; i<nColumn; i++){
+      if( sqlite3ExprResolveNames(&sNC, pList->a[i].pExpr) ){
+        goto insert_cleanup;
+      }
+    }
+  }
+
+  /* Make sure the number of columns in the source data matches the number
+  ** of columns to be inserted into the table.
+  */
+  if( pColumn==0 && nColumn && nColumn!=pTab->nCol ){
+    sqlite3ErrorMsg(pParse, 
+       "table %S has %d columns but %d values were supplied",
+       pTabList, 0, pTab->nCol, nColumn);
+    goto insert_cleanup;
+  }
+  if( pColumn!=0 && nColumn!=pColumn->nId ){
+    sqlite3ErrorMsg(pParse, "%d values for %d columns", nColumn, pColumn->nId);
+    goto insert_cleanup;
+  }
+
+  /* If the INSERT statement included an IDLIST term, then make sure
+  ** all elements of the IDLIST really are columns of the table and 
+  ** remember the column indices.
+  **
+  ** If the table has an INTEGER PRIMARY KEY column and that column
+  ** is named in the IDLIST, then record in the keyColumn variable
+  ** the index into IDLIST of the primary key column.  keyColumn is
+  ** the index of the primary key as it appears in IDLIST, not as
+  ** is appears in the original table.  (The index of the primary
+  ** key in the original table is pTab->iPKey.)
+  */
+  if( pColumn ){
+    for(i=0; i<pColumn->nId; i++){
+      pColumn->a[i].idx = -1;
+    }
+    for(i=0; i<pColumn->nId; i++){
+      for(j=0; j<pTab->nCol; j++){
+        if( sqlite3StrICmp(pColumn->a[i].zName, pTab->aCol[j].zName)==0 ){
+          pColumn->a[i].idx = j;
+          if( j==pTab->iPKey ){
+            keyColumn = i;
+          }
+          break;
+        }
+      }
+      if( j>=pTab->nCol ){
+        if( sqlite3IsRowid(pColumn->a[i].zName) ){
+          keyColumn = i;
+        }else{
+          sqlite3ErrorMsg(pParse, "table %S has no column named %s",
+              pTabList, 0, pColumn->a[i].zName);
+          pParse->nErr++;
+          goto insert_cleanup;
+        }
+      }
+    }
+  }
+
+  /* If there is no IDLIST term but the table has an integer primary
+  ** key, the set the keyColumn variable to the primary key column index
+  ** in the original table definition.
+  */
+  if( pColumn==0 && nColumn>0 ){
+    keyColumn = pTab->iPKey;
+  }
+
+  /* Open the temp table for FOR EACH ROW triggers
+  */
+  if( triggers_exist ){
+    sqlite3VdbeAddOp(v, OP_OpenPseudo, newIdx, 0);
+    sqlite3VdbeAddOp(v, OP_SetNumColumns, newIdx, pTab->nCol);
+  }
+    
+  /* Initialize the count of rows to be inserted
+  */
+  if( db->flags & SQLITE_CountRows ){
+    iCntMem = pParse->nMem++;
+    sqlite3VdbeAddOp(v, OP_MemInt, 0, iCntMem);
+  }
+
+  /* Open tables and indices if there are no row triggers */
+  if( !triggers_exist ){
+    base = pParse->nTab;
+    sqlite3OpenTableAndIndices(pParse, pTab, base, OP_OpenWrite);
+  }
+
+  /* If the data source is a temporary table, then we have to create
+  ** a loop because there might be multiple rows of data.  If the data
+  ** source is a subroutine call from the SELECT statement, then we need
+  ** to launch the SELECT statement processing.
+  */
+  if( useTempTable ){
+    iBreak = sqlite3VdbeMakeLabel(v);
+    sqlite3VdbeAddOp(v, OP_Rewind, srcTab, iBreak);
+    iCont = sqlite3VdbeCurrentAddr(v);
+  }else if( pSelect ){
+    sqlite3VdbeAddOp(v, OP_Goto, 0, iSelectLoop);
+    sqlite3VdbeResolveLabel(v, iInsertBlock);
+  }
+
+  /* Run the BEFORE and INSTEAD OF triggers, if there are any
+  */
+  endOfLoop = sqlite3VdbeMakeLabel(v);
+  if( triggers_exist & TRIGGER_BEFORE ){
+
+    /* build the NEW.* reference row.  Note that if there is an INTEGER
+    ** PRIMARY KEY into which a NULL is being inserted, that NULL will be
+    ** translated into a unique ID for the row.  But on a BEFORE trigger,
+    ** we do not know what the unique ID will be (because the insert has
+    ** not happened yet) so we substitute a rowid of -1
+    */
+    if( keyColumn<0 ){
+      sqlite3VdbeAddOp(v, OP_Integer, -1, 0);
+    }else if( useTempTable ){
+      sqlite3VdbeAddOp(v, OP_Column, srcTab, keyColumn);
+    }else{
+      assert( pSelect==0 );  /* Otherwise useTempTable is true */
+      sqlite3ExprCode(pParse, pList->a[keyColumn].pExpr);
+      sqlite3VdbeAddOp(v, OP_NotNull, -1, sqlite3VdbeCurrentAddr(v)+3);
+      sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Integer, -1, 0);
+      sqlite3VdbeAddOp(v, OP_MustBeInt, 0, 0);
+    }
+
+    /* Create the new column data
+    */
+    for(i=0; i<pTab->nCol; i++){
+      if( pColumn==0 ){
+        j = i;
+      }else{
+        for(j=0; j<pColumn->nId; j++){
+          if( pColumn->a[j].idx==i ) break;
+        }
+      }
+      if( pColumn && j>=pColumn->nId ){
+        sqlite3ExprCode(pParse, pTab->aCol[i].pDflt);
+      }else if( useTempTable ){
+        sqlite3VdbeAddOp(v, OP_Column, srcTab, j); 
+      }else{
+        assert( pSelect==0 ); /* Otherwise useTempTable is true */
+        sqlite3ExprCodeAndCache(pParse, pList->a[j].pExpr);
+      }
+    }
+    sqlite3VdbeAddOp(v, OP_MakeRecord, pTab->nCol, 0);
+
+    /* If this is an INSERT on a view with an INSTEAD OF INSERT trigger,
+    ** do not attempt any conversions before assembling the record.
+    ** If this is a real table, attempt conversions as required by the
+    ** table column affinities.
+    */
+    if( !isView ){
+      sqlite3TableAffinityStr(v, pTab);
+    }
+    sqlite3VdbeAddOp(v, OP_Insert, newIdx, 0);
+
+    /* Fire BEFORE or INSTEAD OF triggers */
+    if( sqlite3CodeRowTrigger(pParse, TK_INSERT, 0, TRIGGER_BEFORE, pTab, 
+        newIdx, -1, onError, endOfLoop) ){
+      goto insert_cleanup;
+    }
+  }
+
+  /* If any triggers exists, the opening of tables and indices is deferred
+  ** until now.
+  */
+  if( triggers_exist && !isView ){
+    base = pParse->nTab;
+    sqlite3OpenTableAndIndices(pParse, pTab, base, OP_OpenWrite);
+  }
+
+  /* Push the record number for the new entry onto the stack.  The
+  ** record number is a randomly generate integer created by NewRowid
+  ** except when the table has an INTEGER PRIMARY KEY column, in which
+  ** case the record number is the same as that column. 
+  */
+  if( !isView ){
+    if( IsVirtual(pTab) ){
+      /* The row that the VUpdate opcode will delete:  none */
+      sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+    }
+    if( keyColumn>=0 ){
+      if( useTempTable ){
+        sqlite3VdbeAddOp(v, OP_Column, srcTab, keyColumn);
+      }else if( pSelect ){
+        sqlite3VdbeAddOp(v, OP_Dup, nColumn - keyColumn - 1, 1);
+      }else{
+        VdbeOp *pOp;
+        sqlite3ExprCode(pParse, pList->a[keyColumn].pExpr);
+        pOp = sqlite3VdbeGetOp(v, sqlite3VdbeCurrentAddr(v) - 1);
+        if( pOp && pOp->opcode==OP_Null ){
+          appendFlag = 1;
+          pOp->opcode = OP_NewRowid;
+          pOp->p1 = base;
+          pOp->p2 = counterMem;
+        }
+      }
+      /* If the PRIMARY KEY expression is NULL, then use OP_NewRowid
+      ** to generate a unique primary key value.
+      */
+      if( !appendFlag ){
+        sqlite3VdbeAddOp(v, OP_NotNull, -1, sqlite3VdbeCurrentAddr(v)+3);
+        sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+        sqlite3VdbeAddOp(v, OP_NewRowid, base, counterMem);
+        sqlite3VdbeAddOp(v, OP_MustBeInt, 0, 0);
+      }
+    }else if( IsVirtual(pTab) ){
+      sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+    }else{
+      sqlite3VdbeAddOp(v, OP_NewRowid, base, counterMem);
+      appendFlag = 1;
+    }
+    autoIncStep(pParse, counterMem);
+
+    /* Push onto the stack, data for all columns of the new entry, beginning
+    ** with the first column.
+    */
+    for(i=0; i<pTab->nCol; i++){
+      if( i==pTab->iPKey ){
+        /* The value of the INTEGER PRIMARY KEY column is always a NULL.
+        ** Whenever this column is read, the record number will be substituted
+        ** in its place.  So will fill this column with a NULL to avoid
+        ** taking up data space with information that will never be used. */
+        sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+        continue;
+      }
+      if( pColumn==0 ){
+        j = i;
+      }else{
+        for(j=0; j<pColumn->nId; j++){
+          if( pColumn->a[j].idx==i ) break;
+        }
+      }
+      if( nColumn==0 || (pColumn && j>=pColumn->nId) ){
+        sqlite3ExprCode(pParse, pTab->aCol[i].pDflt);
+      }else if( useTempTable ){
+        sqlite3VdbeAddOp(v, OP_Column, srcTab, j); 
+      }else if( pSelect ){
+        sqlite3VdbeAddOp(v, OP_Dup, i+nColumn-j+IsVirtual(pTab), 1);
+      }else{
+        sqlite3ExprCode(pParse, pList->a[j].pExpr);
+      }
+    }
+
+    /* Generate code to check constraints and generate index keys and
+    ** do the insertion.
+    */
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    if( IsVirtual(pTab) ){
+      pParse->pVirtualLock = pTab;
+      sqlite3VdbeOp3(v, OP_VUpdate, 1, pTab->nCol+2,
+                     (const char*)pTab->pVtab, P3_VTAB);
+    }else
+#endif
+    {
+      sqlite3GenerateConstraintChecks(pParse, pTab, base, 0, keyColumn>=0,
+                                     0, onError, endOfLoop);
+      sqlite3CompleteInsertion(pParse, pTab, base, 0,0,0,
+                            (triggers_exist & TRIGGER_AFTER)!=0 ? newIdx : -1,
+                            appendFlag);
+    }
+  }
+
+  /* Update the count of rows that are inserted
+  */
+  if( (db->flags & SQLITE_CountRows)!=0 ){
+    sqlite3VdbeAddOp(v, OP_MemIncr, 1, iCntMem);
+  }
+
+  if( triggers_exist ){
+    /* Close all tables opened */
+    if( !isView ){
+      sqlite3VdbeAddOp(v, OP_Close, base, 0);
+      for(idx=1, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, idx++){
+        sqlite3VdbeAddOp(v, OP_Close, idx+base, 0);
+      }
+    }
+
+    /* Code AFTER triggers */
+    if( sqlite3CodeRowTrigger(pParse, TK_INSERT, 0, TRIGGER_AFTER, pTab,
+          newIdx, -1, onError, endOfLoop) ){
+      goto insert_cleanup;
+    }
+  }
+
+  /* The bottom of the loop, if the data source is a SELECT statement
+  */
+  sqlite3VdbeResolveLabel(v, endOfLoop);
+  if( useTempTable ){
+    sqlite3VdbeAddOp(v, OP_Next, srcTab, iCont);
+    sqlite3VdbeResolveLabel(v, iBreak);
+    sqlite3VdbeAddOp(v, OP_Close, srcTab, 0);
+  }else if( pSelect ){
+    sqlite3VdbeAddOp(v, OP_Pop, nColumn, 0);
+    sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+    sqlite3VdbeResolveLabel(v, iCleanup);
+  }
+
+  if( !triggers_exist && !IsVirtual(pTab) ){
+    /* Close all tables opened */
+    sqlite3VdbeAddOp(v, OP_Close, base, 0);
+    for(idx=1, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, idx++){
+      sqlite3VdbeAddOp(v, OP_Close, idx+base, 0);
+    }
+  }
+
+  /* Update the sqlite_sequence table by storing the content of the
+  ** counter value in memory counterMem back into the sqlite_sequence
+  ** table.
+  */
+  autoIncEnd(pParse, iDb, pTab, counterMem);
+
+  /*
+  ** Return the number of rows inserted. If this routine is 
+  ** generating code because of a call to sqlite3NestedParse(), do not
+  ** invoke the callback function.
+  */
+  if( db->flags & SQLITE_CountRows && pParse->nested==0 && !pParse->trigStack ){
+    sqlite3VdbeAddOp(v, OP_MemLoad, iCntMem, 0);
+    sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "rows inserted", P3_STATIC);
+  }
+
+insert_cleanup:
+  sqlite3SrcListDelete(pTabList);
+  sqlite3ExprListDelete(pList);
+  sqlite3SelectDelete(pSelect);
+  sqlite3IdListDelete(pColumn);
+}
+
+/*
+** Generate code to do a constraint check prior to an INSERT or an UPDATE.
+**
+** When this routine is called, the stack contains (from bottom to top)
+** the following values:
+**
+**    1.  The rowid of the row to be updated before the update.  This
+**        value is omitted unless we are doing an UPDATE that involves a
+**        change to the record number.
+**
+**    2.  The rowid of the row after the update.
+**
+**    3.  The data in the first column of the entry after the update.
+**
+**    i.  Data from middle columns...
+**
+**    N.  The data in the last column of the entry after the update.
+**
+** The old rowid shown as entry (1) above is omitted unless both isUpdate
+** and rowidChng are 1.  isUpdate is true for UPDATEs and false for
+** INSERTs and rowidChng is true if the record number is being changed.
+**
+** The code generated by this routine pushes additional entries onto
+** the stack which are the keys for new index entries for the new record.
+** The order of index keys is the same as the order of the indices on
+** the pTable->pIndex list.  A key is only created for index i if 
+** aIdxUsed!=0 and aIdxUsed[i]!=0.
+**
+** This routine also generates code to check constraints.  NOT NULL,
+** CHECK, and UNIQUE constraints are all checked.  If a constraint fails,
+** then the appropriate action is performed.  There are five possible
+** actions: ROLLBACK, ABORT, FAIL, REPLACE, and IGNORE.
+**
+**  Constraint type  Action       What Happens
+**  ---------------  ----------   ----------------------------------------
+**  any              ROLLBACK     The current transaction is rolled back and
+**                                sqlite3_exec() returns immediately with a
+**                                return code of SQLITE_CONSTRAINT.
+**
+**  any              ABORT        Back out changes from the current command
+**                                only (do not do a complete rollback) then
+**                                cause sqlite3_exec() to return immediately
+**                                with SQLITE_CONSTRAINT.
+**
+**  any              FAIL         Sqlite_exec() returns immediately with a
+**                                return code of SQLITE_CONSTRAINT.  The
+**                                transaction is not rolled back and any
+**                                prior changes are retained.
+**
+**  any              IGNORE       The record number and data is popped from
+**                                the stack and there is an immediate jump
+**                                to label ignoreDest.
+**
+**  NOT NULL         REPLACE      The NULL value is replace by the default
+**                                value for that column.  If the default value
+**                                is NULL, the action is the same as ABORT.
+**
+**  UNIQUE           REPLACE      The other row that conflicts with the row
+**                                being inserted is removed.
+**
+**  CHECK            REPLACE      Illegal.  The results in an exception.
+**
+** Which action to take is determined by the overrideError parameter.
+** Or if overrideError==OE_Default, then the pParse->onError parameter
+** is used.  Or if pParse->onError==OE_Default then the onError value
+** for the constraint is used.
+**
+** The calling routine must open a read/write cursor for pTab with
+** cursor number "base".  All indices of pTab must also have open
+** read/write cursors with cursor number base+i for the i-th cursor.
+** Except, if there is no possibility of a REPLACE action then
+** cursors do not need to be open for indices where aIdxUsed[i]==0.
+**
+** If the isUpdate flag is true, it means that the "base" cursor is
+** initially pointing to an entry that is being updated.  The isUpdate
+** flag causes extra code to be generated so that the "base" cursor
+** is still pointing at the same entry after the routine returns.
+** Without the isUpdate flag, the "base" cursor might be moved.
+*/
+void sqlite3GenerateConstraintChecks(
+  Parse *pParse,      /* The parser context */
+  Table *pTab,        /* the table into which we are inserting */
+  int base,           /* Index of a read/write cursor pointing at pTab */
+  char *aIdxUsed,     /* Which indices are used.  NULL means all are used */
+  int rowidChng,      /* True if the record number will change */
+  int isUpdate,       /* True for UPDATE, False for INSERT */
+  int overrideError,  /* Override onError to this if not OE_Default */
+  int ignoreDest      /* Jump to this label on an OE_Ignore resolution */
+){
+  int i;
+  Vdbe *v;
+  int nCol;
+  int onError;
+  int addr;
+  int extra;
+  int iCur;
+  Index *pIdx;
+  int seenReplace = 0;
+  int jumpInst1=0, jumpInst2;
+  int hasTwoRowids = (isUpdate && rowidChng);
+
+  v = sqlite3GetVdbe(pParse);
+  assert( v!=0 );
+  assert( pTab->pSelect==0 );  /* This table is not a VIEW */
+  nCol = pTab->nCol;
+
+  /* Test all NOT NULL constraints.
+  */
+  for(i=0; i<nCol; i++){
+    if( i==pTab->iPKey ){
+      continue;
+    }
+    onError = pTab->aCol[i].notNull;
+    if( onError==OE_None ) continue;
+    if( overrideError!=OE_Default ){
+      onError = overrideError;
+    }else if( onError==OE_Default ){
+      onError = OE_Abort;
+    }
+    if( onError==OE_Replace && pTab->aCol[i].pDflt==0 ){
+      onError = OE_Abort;
+    }
+    sqlite3VdbeAddOp(v, OP_Dup, nCol-1-i, 1);
+    addr = sqlite3VdbeAddOp(v, OP_NotNull, 1, 0);
+    assert( onError==OE_Rollback || onError==OE_Abort || onError==OE_Fail
+        || onError==OE_Ignore || onError==OE_Replace );
+    switch( onError ){
+      case OE_Rollback:
+      case OE_Abort:
+      case OE_Fail: {
+        char *zMsg = 0;
+        sqlite3VdbeAddOp(v, OP_Halt, SQLITE_CONSTRAINT, onError);
+        sqlite3SetString(&zMsg, pTab->zName, ".", pTab->aCol[i].zName,
+                        " may not be NULL", (char*)0);
+        sqlite3VdbeChangeP3(v, -1, zMsg, P3_DYNAMIC);
+        break;
+      }
+      case OE_Ignore: {
+        sqlite3VdbeAddOp(v, OP_Pop, nCol+1+hasTwoRowids, 0);
+        sqlite3VdbeAddOp(v, OP_Goto, 0, ignoreDest);
+        break;
+      }
+      case OE_Replace: {
+        sqlite3ExprCode(pParse, pTab->aCol[i].pDflt);
+        sqlite3VdbeAddOp(v, OP_Push, nCol-i, 0);
+        break;
+      }
+    }
+    sqlite3VdbeJumpHere(v, addr);
+  }
+
+  /* Test all CHECK constraints
+  */
+#ifndef SQLITE_OMIT_CHECK
+  if( pTab->pCheck && (pParse->db->flags & SQLITE_IgnoreChecks)==0 ){
+    int allOk = sqlite3VdbeMakeLabel(v);
+    assert( pParse->ckOffset==0 );
+    pParse->ckOffset = nCol;
+    sqlite3ExprIfTrue(pParse, pTab->pCheck, allOk, 1);
+    assert( pParse->ckOffset==nCol );
+    pParse->ckOffset = 0;
+    onError = overrideError!=OE_Default ? overrideError : OE_Abort;
+    if( onError==OE_Ignore || onError==OE_Replace ){
+      sqlite3VdbeAddOp(v, OP_Pop, nCol+1+hasTwoRowids, 0);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, ignoreDest);
+    }else{
+      sqlite3VdbeAddOp(v, OP_Halt, SQLITE_CONSTRAINT, onError);
+    }
+    sqlite3VdbeResolveLabel(v, allOk);
+  }
+#endif /* !defined(SQLITE_OMIT_CHECK) */
+
+  /* If we have an INTEGER PRIMARY KEY, make sure the primary key
+  ** of the new record does not previously exist.  Except, if this
+  ** is an UPDATE and the primary key is not changing, that is OK.
+  */
+  if( rowidChng ){
+    onError = pTab->keyConf;
+    if( overrideError!=OE_Default ){
+      onError = overrideError;
+    }else if( onError==OE_Default ){
+      onError = OE_Abort;
+    }
+    
+    if( isUpdate ){
+      sqlite3VdbeAddOp(v, OP_Dup, nCol+1, 1);
+      sqlite3VdbeAddOp(v, OP_Dup, nCol+1, 1);
+      jumpInst1 = sqlite3VdbeAddOp(v, OP_Eq, 0, 0);
+    }
+    sqlite3VdbeAddOp(v, OP_Dup, nCol, 1);
+    jumpInst2 = sqlite3VdbeAddOp(v, OP_NotExists, base, 0);
+    switch( onError ){
+      default: {
+        onError = OE_Abort;
+        /* Fall thru into the next case */
+      }
+      case OE_Rollback:
+      case OE_Abort:
+      case OE_Fail: {
+        sqlite3VdbeOp3(v, OP_Halt, SQLITE_CONSTRAINT, onError,
+                         "PRIMARY KEY must be unique", P3_STATIC);
+        break;
+      }
+      case OE_Replace: {
+        sqlite3GenerateRowIndexDelete(v, pTab, base, 0);
+        if( isUpdate ){
+          sqlite3VdbeAddOp(v, OP_Dup, nCol+hasTwoRowids, 1);
+          sqlite3VdbeAddOp(v, OP_MoveGe, base, 0);
+        }
+        seenReplace = 1;
+        break;
+      }
+      case OE_Ignore: {
+        assert( seenReplace==0 );
+        sqlite3VdbeAddOp(v, OP_Pop, nCol+1+hasTwoRowids, 0);
+        sqlite3VdbeAddOp(v, OP_Goto, 0, ignoreDest);
+        break;
+      }
+    }
+    sqlite3VdbeJumpHere(v, jumpInst2);
+    if( isUpdate ){
+      sqlite3VdbeJumpHere(v, jumpInst1);
+      sqlite3VdbeAddOp(v, OP_Dup, nCol+1, 1);
+      sqlite3VdbeAddOp(v, OP_MoveGe, base, 0);
+    }
+  }
+
+  /* Test all UNIQUE constraints by creating entries for each UNIQUE
+  ** index and making sure that duplicate entries do not already exist.
+  ** Add the new records to the indices as we go.
+  */
+  extra = -1;
+  for(iCur=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, iCur++){
+    if( aIdxUsed && aIdxUsed[iCur]==0 ) continue;  /* Skip unused indices */
+    extra++;
+
+    /* Create a key for accessing the index entry */
+    sqlite3VdbeAddOp(v, OP_Dup, nCol+extra, 1);
+    for(i=0; i<pIdx->nColumn; i++){
+      int idx = pIdx->aiColumn[i];
+      if( idx==pTab->iPKey ){
+        sqlite3VdbeAddOp(v, OP_Dup, i+extra+nCol+1, 1);
+      }else{
+        sqlite3VdbeAddOp(v, OP_Dup, i+extra+nCol-idx, 1);
+      }
+    }
+    jumpInst1 = sqlite3VdbeAddOp(v, OP_MakeIdxRec, pIdx->nColumn, 0);
+    sqlite3IndexAffinityStr(v, pIdx);
+
+    /* Find out what action to take in case there is an indexing conflict */
+    onError = pIdx->onError;
+    if( onError==OE_None ) continue;  /* pIdx is not a UNIQUE index */
+    if( overrideError!=OE_Default ){
+      onError = overrideError;
+    }else if( onError==OE_Default ){
+      onError = OE_Abort;
+    }
+    if( seenReplace ){
+      if( onError==OE_Ignore ) onError = OE_Replace;
+      else if( onError==OE_Fail ) onError = OE_Abort;
+    }
+    
+
+    /* Check to see if the new index entry will be unique */
+    sqlite3VdbeAddOp(v, OP_Dup, extra+nCol+1+hasTwoRowids, 1);
+    jumpInst2 = sqlite3VdbeAddOp(v, OP_IsUnique, base+iCur+1, 0);
+
+    /* Generate code that executes if the new index entry is not unique */
+    assert( onError==OE_Rollback || onError==OE_Abort || onError==OE_Fail
+        || onError==OE_Ignore || onError==OE_Replace );
+    switch( onError ){
+      case OE_Rollback:
+      case OE_Abort:
+      case OE_Fail: {
+        int j, n1, n2;
+        char zErrMsg[200];
+        strcpy(zErrMsg, pIdx->nColumn>1 ? "columns " : "column ");
+        n1 = strlen(zErrMsg);
+        for(j=0; j<pIdx->nColumn && n1<sizeof(zErrMsg)-30; j++){
+          char *zCol = pTab->aCol[pIdx->aiColumn[j]].zName;
+          n2 = strlen(zCol);
+          if( j>0 ){
+            strcpy(&zErrMsg[n1], ", ");
+            n1 += 2;
+          }
+          if( n1+n2>sizeof(zErrMsg)-30 ){
+            strcpy(&zErrMsg[n1], "...");
+            n1 += 3;
+            break;
+          }else{
+            strcpy(&zErrMsg[n1], zCol);
+            n1 += n2;
+          }
+        }
+        strcpy(&zErrMsg[n1], 
+            pIdx->nColumn>1 ? " are not unique" : " is not unique");
+        sqlite3VdbeOp3(v, OP_Halt, SQLITE_CONSTRAINT, onError, zErrMsg, 0);
+        break;
+      }
+      case OE_Ignore: {
+        assert( seenReplace==0 );
+        sqlite3VdbeAddOp(v, OP_Pop, nCol+extra+3+hasTwoRowids, 0);
+        sqlite3VdbeAddOp(v, OP_Goto, 0, ignoreDest);
+        break;
+      }
+      case OE_Replace: {
+        sqlite3GenerateRowDelete(pParse->db, v, pTab, base, 0);
+        if( isUpdate ){
+          sqlite3VdbeAddOp(v, OP_Dup, nCol+extra+1+hasTwoRowids, 1);
+          sqlite3VdbeAddOp(v, OP_MoveGe, base, 0);
+        }
+        seenReplace = 1;
+        break;
+      }
+    }
+#if NULL_DISTINCT_FOR_UNIQUE
+    sqlite3VdbeJumpHere(v, jumpInst1);
+#endif
+    sqlite3VdbeJumpHere(v, jumpInst2);
+  }
+}
+
+/*
+** This routine generates code to finish the INSERT or UPDATE operation
+** that was started by a prior call to sqlite3GenerateConstraintChecks.
+** The stack must contain keys for all active indices followed by data
+** and the rowid for the new entry.  This routine creates the new
+** entries in all indices and in the main table.
+**
+** The arguments to this routine should be the same as the first six
+** arguments to sqlite3GenerateConstraintChecks.
+*/
+void sqlite3CompleteInsertion(
+  Parse *pParse,      /* The parser context */
+  Table *pTab,        /* the table into which we are inserting */
+  int base,           /* Index of a read/write cursor pointing at pTab */
+  char *aIdxUsed,     /* Which indices are used.  NULL means all are used */
+  int rowidChng,      /* True if the record number will change */
+  int isUpdate,       /* True for UPDATE, False for INSERT */
+  int newIdx,         /* Index of NEW table for triggers.  -1 if none */
+  int appendBias      /* True if this is likely to be an append */
+){
+  int i;
+  Vdbe *v;
+  int nIdx;
+  Index *pIdx;
+  int pik_flags;
+
+  v = sqlite3GetVdbe(pParse);
+  assert( v!=0 );
+  assert( pTab->pSelect==0 );  /* This table is not a VIEW */
+  for(nIdx=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, nIdx++){}
+  for(i=nIdx-1; i>=0; i--){
+    if( aIdxUsed && aIdxUsed[i]==0 ) continue;
+    sqlite3VdbeAddOp(v, OP_IdxInsert, base+i+1, 0);
+  }
+  sqlite3VdbeAddOp(v, OP_MakeRecord, pTab->nCol, 0);
+  sqlite3TableAffinityStr(v, pTab);
+#ifndef SQLITE_OMIT_TRIGGER
+  if( newIdx>=0 ){
+    sqlite3VdbeAddOp(v, OP_Dup, 1, 0);
+    sqlite3VdbeAddOp(v, OP_Dup, 1, 0);
+    sqlite3VdbeAddOp(v, OP_Insert, newIdx, 0);
+  }
+#endif
+  if( pParse->nested ){
+    pik_flags = 0;
+  }else{
+    pik_flags = OPFLAG_NCHANGE;
+    pik_flags |= (isUpdate?OPFLAG_ISUPDATE:OPFLAG_LASTROWID);
+  }
+  if( appendBias ){
+    pik_flags |= OPFLAG_APPEND;
+  }
+  sqlite3VdbeAddOp(v, OP_Insert, base, pik_flags);
+  if( !pParse->nested ){
+    sqlite3VdbeChangeP3(v, -1, pTab->zName, P3_STATIC);
+  }
+  
+  if( isUpdate && rowidChng ){
+    sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+  }
+}
+
+/*
+** Generate code that will open cursors for a table and for all
+** indices of that table.  The "base" parameter is the cursor number used
+** for the table.  Indices are opened on subsequent cursors.
+*/
+void sqlite3OpenTableAndIndices(
+  Parse *pParse,   /* Parsing context */
+  Table *pTab,     /* Table to be opened */
+  int base,        /* Cursor number assigned to the table */
+  int op           /* OP_OpenRead or OP_OpenWrite */
+){
+  int i;
+  int iDb;
+  Index *pIdx;
+  Vdbe *v;
+
+  if( IsVirtual(pTab) ) return;
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  v = sqlite3GetVdbe(pParse);
+  assert( v!=0 );
+  sqlite3OpenTable(pParse, base, iDb, pTab, op);
+  for(i=1, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, i++){
+    KeyInfo *pKey = sqlite3IndexKeyinfo(pParse, pIdx);
+    assert( pIdx->pSchema==pTab->pSchema );
+    sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+    VdbeComment((v, "# %s", pIdx->zName));
+    sqlite3VdbeOp3(v, op, i+base, pIdx->tnum, (char*)pKey, P3_KEYINFO_HANDOFF);
+  }
+  if( pParse->nTab<=base+i ){
+    pParse->nTab = base+i;
+  }
+}
+
+
+#ifdef SQLITE_TEST
+/*
+** The following global variable is incremented whenever the
+** transfer optimization is used.  This is used for testing
+** purposes only - to make sure the transfer optimization really
+** is happening when it is suppose to.
+*/
+int sqlite3_xferopt_count;
+#endif /* SQLITE_TEST */
+
+
+#ifndef SQLITE_OMIT_XFER_OPT
+/*
+** Check to collation names to see if they are compatible.
+*/
+static int xferCompatibleCollation(const char *z1, const char *z2){
+  if( z1==0 ){
+    return z2==0;
+  }
+  if( z2==0 ){
+    return 0;
+  }
+  return sqlite3StrICmp(z1, z2)==0;
+}
+
+
+/*
+** Check to see if index pSrc is compatible as a source of data
+** for index pDest in an insert transfer optimization.  The rules
+** for a compatible index:
+**
+**    *   The index is over the same set of columns
+**    *   The same DESC and ASC markings occurs on all columns
+**    *   The same onError processing (OE_Abort, OE_Ignore, etc)
+**    *   The same collating sequence on each column
+*/
+static int xferCompatibleIndex(Index *pDest, Index *pSrc){
+  int i;
+  assert( pDest && pSrc );
+  assert( pDest->pTable!=pSrc->pTable );
+  if( pDest->nColumn!=pSrc->nColumn ){
+    return 0;   /* Different number of columns */
+  }
+  if( pDest->onError!=pSrc->onError ){
+    return 0;   /* Different conflict resolution strategies */
+  }
+  for(i=0; i<pSrc->nColumn; i++){
+    if( pSrc->aiColumn[i]!=pDest->aiColumn[i] ){
+      return 0;   /* Different columns indexed */
+    }
+    if( pSrc->aSortOrder[i]!=pDest->aSortOrder[i] ){
+      return 0;   /* Different sort orders */
+    }
+    if( pSrc->azColl[i]!=pDest->azColl[i] ){
+      return 0;   /* Different sort orders */
+    }
+  }
+
+  /* If no test above fails then the indices must be compatible */
+  return 1;
+}
+
+/*
+** Attempt the transfer optimization on INSERTs of the form
+**
+**     INSERT INTO tab1 SELECT * FROM tab2;
+**
+** This optimization is only attempted if
+**
+**    (1)  tab1 and tab2 have identical schemas including all the
+**         same indices and constraints
+**
+**    (2)  tab1 and tab2 are different tables
+**
+**    (3)  There must be no triggers on tab1
+**
+**    (4)  The result set of the SELECT statement is "*"
+**
+**    (5)  The SELECT statement has no WHERE, HAVING, ORDER BY, GROUP BY,
+**         or LIMIT clause.
+**
+**    (6)  The SELECT statement is a simple (not a compound) select that
+**         contains only tab2 in its FROM clause
+**
+** This method for implementing the INSERT transfers raw records from
+** tab2 over to tab1.  The columns are not decoded.  Raw records from
+** the indices of tab2 are transfered to tab1 as well.  In so doing,
+** the resulting tab1 has much less fragmentation.
+**
+** This routine returns TRUE if the optimization is attempted.  If any
+** of the conditions above fail so that the optimization should not
+** be attempted, then this routine returns FALSE.
+*/
+static int xferOptimization(
+  Parse *pParse,        /* Parser context */
+  Table *pDest,         /* The table we are inserting into */
+  Select *pSelect,      /* A SELECT statement to use as the data source */
+  int onError,          /* How to handle constraint errors */
+  int iDbDest           /* The database of pDest */
+){
+  ExprList *pEList;                /* The result set of the SELECT */
+  Table *pSrc;                     /* The table in the FROM clause of SELECT */
+  Index *pSrcIdx, *pDestIdx;       /* Source and destination indices */
+  struct SrcList_item *pItem;      /* An element of pSelect->pSrc */
+  int i;                           /* Loop counter */
+  int iDbSrc;                      /* The database of pSrc */
+  int iSrc, iDest;                 /* Cursors from source and destination */
+  int addr1, addr2;                /* Loop addresses */
+  int emptyDestTest;               /* Address of test for empty pDest */
+  int emptySrcTest;                /* Address of test for empty pSrc */
+  Vdbe *v;                         /* The VDBE we are building */
+  KeyInfo *pKey;                   /* Key information for an index */
+  int counterMem;                  /* Memory register used by AUTOINC */
+  int destHasUniqueIdx = 0;        /* True if pDest has a UNIQUE index */
+
+  if( pSelect==0 ){
+    return 0;   /* Must be of the form  INSERT INTO ... SELECT ... */
+  }
+  if( pDest->pTrigger ){
+    return 0;   /* tab1 must not have triggers */
+  }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( pDest->isVirtual ){
+    return 0;   /* tab1 must not be a virtual table */
+  }
+#endif
+  if( onError==OE_Default ){
+    onError = OE_Abort;
+  }
+  if( onError!=OE_Abort && onError!=OE_Rollback ){
+    return 0;   /* Cannot do OR REPLACE or OR IGNORE or OR FAIL */
+  }
+  if( pSelect->pSrc==0 ){
+    return 0;   /* SELECT must have a FROM clause */
+  }
+  if( pSelect->pSrc->nSrc!=1 ){
+    return 0;   /* FROM clause must have exactly one term */
+  }
+  if( pSelect->pSrc->a[0].pSelect ){
+    return 0;   /* FROM clause cannot contain a subquery */
+  }
+  if( pSelect->pWhere ){
+    return 0;   /* SELECT may not have a WHERE clause */
+  }
+  if( pSelect->pOrderBy ){
+    return 0;   /* SELECT may not have an ORDER BY clause */
+  }
+  /* Do not need to test for a HAVING clause.  If HAVING is present but
+  ** there is no ORDER BY, we will get an error. */
+  if( pSelect->pGroupBy ){
+    return 0;   /* SELECT may not have a GROUP BY clause */
+  }
+  if( pSelect->pLimit ){
+    return 0;   /* SELECT may not have a LIMIT clause */
+  }
+  assert( pSelect->pOffset==0 );  /* Must be so if pLimit==0 */
+  if( pSelect->pPrior ){
+    return 0;   /* SELECT may not be a compound query */
+  }
+  if( pSelect->isDistinct ){
+    return 0;   /* SELECT may not be DISTINCT */
+  }
+  pEList = pSelect->pEList;
+  assert( pEList!=0 );
+  if( pEList->nExpr!=1 ){
+    return 0;   /* The result set must have exactly one column */
+  }
+  assert( pEList->a[0].pExpr );
+  if( pEList->a[0].pExpr->op!=TK_ALL ){
+    return 0;   /* The result set must be the special operator "*" */
+  }
+
+  /* At this point we have established that the statement is of the
+  ** correct syntactic form to participate in this optimization.  Now
+  ** we have to check the semantics.
+  */
+  pItem = pSelect->pSrc->a;
+  pSrc = sqlite3LocateTable(pParse, pItem->zName, pItem->zDatabase);
+  if( pSrc==0 ){
+    return 0;   /* FROM clause does not contain a real table */
+  }
+  if( pSrc==pDest ){
+    return 0;   /* tab1 and tab2 may not be the same table */
+  }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( pSrc->isVirtual ){
+    return 0;   /* tab2 must not be a virtual table */
+  }
+#endif
+  if( pSrc->pSelect ){
+    return 0;   /* tab2 may not be a view */
+  }
+  if( pDest->nCol!=pSrc->nCol ){
+    return 0;   /* Number of columns must be the same in tab1 and tab2 */
+  }
+  if( pDest->iPKey!=pSrc->iPKey ){
+    return 0;   /* Both tables must have the same INTEGER PRIMARY KEY */
+  }
+  for(i=0; i<pDest->nCol; i++){
+    if( pDest->aCol[i].affinity!=pSrc->aCol[i].affinity ){
+      return 0;    /* Affinity must be the same on all columns */
+    }
+    if( !xferCompatibleCollation(pDest->aCol[i].zColl, pSrc->aCol[i].zColl) ){
+      return 0;    /* Collating sequence must be the same on all columns */
+    }
+    if( pDest->aCol[i].notNull && !pSrc->aCol[i].notNull ){
+      return 0;    /* tab2 must be NOT NULL if tab1 is */
+    }
+  }
+  for(pDestIdx=pDest->pIndex; pDestIdx; pDestIdx=pDestIdx->pNext){
+    if( pDestIdx->onError!=OE_None ){
+      destHasUniqueIdx = 1;
+    }
+    for(pSrcIdx=pSrc->pIndex; pSrcIdx; pSrcIdx=pSrcIdx->pNext){
+      if( xferCompatibleIndex(pDestIdx, pSrcIdx) ) break;
+    }
+    if( pSrcIdx==0 ){
+      return 0;    /* pDestIdx has no corresponding index in pSrc */
+    }
+  }
+#ifndef SQLITE_OMIT_CHECK
+  if( pDest->pCheck && !sqlite3ExprCompare(pSrc->pCheck, pDest->pCheck) ){
+    return 0;   /* Tables have different CHECK constraints.  Ticket #2252 */
+  }
+#endif
+
+  /* If we get this far, it means either:
+  **
+  **    *   We can always do the transfer if the table contains an
+  **        an integer primary key
+  **
+  **    *   We can conditionally do the transfer if the destination
+  **        table is empty.
+  */
+#ifdef SQLITE_TEST
+  sqlite3_xferopt_count++;
+#endif
+  iDbSrc = sqlite3SchemaToIndex(pParse->db, pSrc->pSchema);
+  v = sqlite3GetVdbe(pParse);
+  iSrc = pParse->nTab++;
+  iDest = pParse->nTab++;
+  counterMem = autoIncBegin(pParse, iDbDest, pDest);
+  sqlite3OpenTable(pParse, iDest, iDbDest, pDest, OP_OpenWrite);
+  if( (pDest->iPKey<0 && pDest->pIndex!=0) || destHasUniqueIdx ){
+    /* If tables do not have an INTEGER PRIMARY KEY and there
+    ** are indices to be copied and the destination is not empty,
+    ** we have to disallow the transfer optimization because the
+    ** the rowids might change which will mess up indexing.
+    **
+    ** Or if the destination has a UNIQUE index and is not empty,
+    ** we also disallow the transfer optimization because we cannot
+    ** insure that all entries in the union of DEST and SRC will be
+    ** unique.
+    */
+    addr1 = sqlite3VdbeAddOp(v, OP_Rewind, iDest, 0);
+    emptyDestTest = sqlite3VdbeAddOp(v, OP_Goto, 0, 0);
+    sqlite3VdbeJumpHere(v, addr1);
+  }else{
+    emptyDestTest = 0;
+  }
+  sqlite3OpenTable(pParse, iSrc, iDbSrc, pSrc, OP_OpenRead);
+  emptySrcTest = sqlite3VdbeAddOp(v, OP_Rewind, iSrc, 0);
+  if( pDest->iPKey>=0 ){
+    addr1 = sqlite3VdbeAddOp(v, OP_Rowid, iSrc, 0);
+    sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+    addr2 = sqlite3VdbeAddOp(v, OP_NotExists, iDest, 0);
+    sqlite3VdbeOp3(v, OP_Halt, SQLITE_CONSTRAINT, onError, 
+                      "PRIMARY KEY must be unique", P3_STATIC);
+    sqlite3VdbeJumpHere(v, addr2);
+    autoIncStep(pParse, counterMem);
+  }else if( pDest->pIndex==0 ){
+    addr1 = sqlite3VdbeAddOp(v, OP_NewRowid, iDest, 0);
+  }else{
+    addr1 = sqlite3VdbeAddOp(v, OP_Rowid, iSrc, 0);
+    assert( pDest->autoInc==0 );
+  }
+  sqlite3VdbeAddOp(v, OP_RowData, iSrc, 0);
+  sqlite3VdbeOp3(v, OP_Insert, iDest,
+                    OPFLAG_NCHANGE|OPFLAG_LASTROWID|OPFLAG_APPEND,
+                    pDest->zName, 0);
+  sqlite3VdbeAddOp(v, OP_Next, iSrc, addr1);
+  autoIncEnd(pParse, iDbDest, pDest, counterMem);
+  for(pDestIdx=pDest->pIndex; pDestIdx; pDestIdx=pDestIdx->pNext){
+    for(pSrcIdx=pSrc->pIndex; pSrcIdx; pSrcIdx=pSrcIdx->pNext){
+      if( xferCompatibleIndex(pDestIdx, pSrcIdx) ) break;
+    }
+    assert( pSrcIdx );
+    sqlite3VdbeAddOp(v, OP_Close, iSrc, 0);
+    sqlite3VdbeAddOp(v, OP_Close, iDest, 0);
+    sqlite3VdbeAddOp(v, OP_Integer, iDbSrc, 0);
+    pKey = sqlite3IndexKeyinfo(pParse, pSrcIdx);
+    VdbeComment((v, "# %s", pSrcIdx->zName));
+    sqlite3VdbeOp3(v, OP_OpenRead, iSrc, pSrcIdx->tnum, 
+                   (char*)pKey, P3_KEYINFO_HANDOFF);
+    sqlite3VdbeAddOp(v, OP_Integer, iDbDest, 0);
+    pKey = sqlite3IndexKeyinfo(pParse, pDestIdx);
+    VdbeComment((v, "# %s", pDestIdx->zName));
+    sqlite3VdbeOp3(v, OP_OpenWrite, iDest, pDestIdx->tnum, 
+                   (char*)pKey, P3_KEYINFO_HANDOFF);
+    addr1 = sqlite3VdbeAddOp(v, OP_Rewind, iSrc, 0);
+    sqlite3VdbeAddOp(v, OP_RowKey, iSrc, 0);
+    sqlite3VdbeAddOp(v, OP_IdxInsert, iDest, 1);
+    sqlite3VdbeAddOp(v, OP_Next, iSrc, addr1+1);
+    sqlite3VdbeJumpHere(v, addr1);
+  }
+  sqlite3VdbeJumpHere(v, emptySrcTest);
+  sqlite3VdbeAddOp(v, OP_Close, iSrc, 0);
+  sqlite3VdbeAddOp(v, OP_Close, iDest, 0);
+  if( emptyDestTest ){
+    sqlite3VdbeAddOp(v, OP_Halt, SQLITE_OK, 0);
+    sqlite3VdbeJumpHere(v, emptyDestTest);
+    sqlite3VdbeAddOp(v, OP_Close, iDest, 0);
+    return 0;
+  }else{
+    return 1;
+  }
+}
+#endif /* SQLITE_OMIT_XFER_OPT */
+
+/************** End of insert.c **********************************************/
+/************** Begin file legacy.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** Main file for the SQLite library.  The routines in this file
+** implement the programmer interface to the library.  Routines in
+** other files are for internal use by SQLite and should not be
+** accessed by users of the library.
+**
+** $Id$
+*/
+
+
+/*
+** Execute SQL code.  Return one of the SQLITE_ success/failure
+** codes.  Also write an error message into memory obtained from
+** malloc() and make *pzErrMsg point to that message.
+**
+** If the SQL is a query, then for each row in the query result
+** the xCallback() function is called.  pArg becomes the first
+** argument to xCallback().  If xCallback=NULL then no callback
+** is invoked, even for queries.
+*/
+int sqlite3_exec(
+  sqlite3 *db,                /* The database on which the SQL executes */
+  const char *zSql,           /* The SQL to be executed */
+  sqlite3_callback xCallback, /* Invoke this callback routine */
+  void *pArg,                 /* First argument to xCallback() */
+  char **pzErrMsg             /* Write error messages here */
+){
+  int rc = SQLITE_OK;
+  const char *zLeftover;
+  sqlite3_stmt *pStmt = 0;
+  char **azCols = 0;
+
+  int nRetry = 0;
+  int nCallback;
+
+  if( zSql==0 ) return SQLITE_OK;
+  while( (rc==SQLITE_OK || (rc==SQLITE_SCHEMA && (++nRetry)<2)) && zSql[0] ){
+    int nCol;
+    char **azVals = 0;
+
+    pStmt = 0;
+    rc = sqlite3_prepare(db, zSql, -1, &pStmt, &zLeftover);
+    assert( rc==SQLITE_OK || pStmt==0 );
+    if( rc!=SQLITE_OK ){
+      continue;
+    }
+    if( !pStmt ){
+      /* this happens for a comment or white-space */
+      zSql = zLeftover;
+      continue;
+    }
+
+    nCallback = 0;
+
+    nCol = sqlite3_column_count(pStmt);
+    azCols = sqliteMalloc(2*nCol*sizeof(const char *) + 1);
+    if( azCols==0 ){
+      goto exec_out;
+    }
+
+    while( 1 ){
+      int i;
+      rc = sqlite3_step(pStmt);
+
+      /* Invoke the callback function if required */
+      if( xCallback && (SQLITE_ROW==rc || 
+          (SQLITE_DONE==rc && !nCallback && db->flags&SQLITE_NullCallback)) ){
+        if( 0==nCallback ){
+          for(i=0; i<nCol; i++){
+            azCols[i] = (char *)sqlite3_column_name(pStmt, i);
+          }
+          nCallback++;
+        }
+        if( rc==SQLITE_ROW ){
+          azVals = &azCols[nCol];
+          for(i=0; i<nCol; i++){
+            azVals[i] = (char *)sqlite3_column_text(pStmt, i);
+          }
+        }
+        if( xCallback(pArg, nCol, azVals, azCols) ){
+          rc = SQLITE_ABORT;
+          goto exec_out;
+        }
+      }
+
+      if( rc!=SQLITE_ROW ){
+        rc = sqlite3_finalize(pStmt);
+        pStmt = 0;
+        if( rc!=SQLITE_SCHEMA ){
+          nRetry = 0;
+          zSql = zLeftover;
+          while( isspace((unsigned char)zSql[0]) ) zSql++;
+        }
+        break;
+      }
+    }
+
+    sqliteFree(azCols);
+    azCols = 0;
+  }
+
+exec_out:
+  if( pStmt ) sqlite3_finalize(pStmt);
+  if( azCols ) sqliteFree(azCols);
+
+  rc = sqlite3ApiExit(0, rc);
+  if( rc!=SQLITE_OK && rc==sqlite3_errcode(db) && pzErrMsg ){
+    *pzErrMsg = sqlite3_malloc(1+strlen(sqlite3_errmsg(db)));
+    if( *pzErrMsg ){
+      strcpy(*pzErrMsg, sqlite3_errmsg(db));
+    }
+  }else if( pzErrMsg ){
+    *pzErrMsg = 0;
+  }
+
+  assert( (rc&db->errMask)==rc );
+  return rc;
+}
+
+/************** End of legacy.c **********************************************/
+/************** Begin file loadext.c *****************************************/
+/*
+** 2006 June 7
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to dynamically load extensions into
+** the SQLite library.
+*/
+#ifndef SQLITE_OMIT_LOAD_EXTENSION
+
+#define SQLITE_CORE 1  /* Disable the API redefinition in sqlite3ext.h */
+/************** Include sqlite3ext.h in the middle of loadext.c **************/
+/************** Begin file sqlite3ext.h **************************************/
+/*
+** 2006 June 7
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This header file defines the SQLite interface for use by
+** shared libraries that want to be imported as extensions into
+** an SQLite instance.  Shared libraries that intend to be loaded
+** as extensions by SQLite should #include this file instead of 
+** sqlite3.h.
+**
+** @(#) $Id$
+*/
+#ifndef _SQLITE3EXT_H_
+#define _SQLITE3EXT_H_
+
+typedef struct sqlite3_api_routines sqlite3_api_routines;
+
+/*
+** The following structure hold pointers to all of the SQLite API
+** routines.
+*/
+struct sqlite3_api_routines {
+  void * (*aggregate_context)(sqlite3_context*,int nBytes);
+  int  (*aggregate_count)(sqlite3_context*);
+  int  (*bind_blob)(sqlite3_stmt*,int,const void*,int n,void(*)(void*));
+  int  (*bind_double)(sqlite3_stmt*,int,double);
+  int  (*bind_int)(sqlite3_stmt*,int,int);
+  int  (*bind_int64)(sqlite3_stmt*,int,sqlite_int64);
+  int  (*bind_null)(sqlite3_stmt*,int);
+  int  (*bind_parameter_count)(sqlite3_stmt*);
+  int  (*bind_parameter_index)(sqlite3_stmt*,const char*zName);
+  const char * (*bind_parameter_name)(sqlite3_stmt*,int);
+  int  (*bind_text)(sqlite3_stmt*,int,const char*,int n,void(*)(void*));
+  int  (*bind_text16)(sqlite3_stmt*,int,const void*,int,void(*)(void*));
+  int  (*bind_value)(sqlite3_stmt*,int,const sqlite3_value*);
+  int  (*busy_handler)(sqlite3*,int(*)(void*,int),void*);
+  int  (*busy_timeout)(sqlite3*,int ms);
+  int  (*changes)(sqlite3*);
+  int  (*close)(sqlite3*);
+  int  (*collation_needed)(sqlite3*,void*,void(*)(void*,sqlite3*,int eTextRep,const char*));
+  int  (*collation_needed16)(sqlite3*,void*,void(*)(void*,sqlite3*,int eTextRep,const void*));
+  const void * (*column_blob)(sqlite3_stmt*,int iCol);
+  int  (*column_bytes)(sqlite3_stmt*,int iCol);
+  int  (*column_bytes16)(sqlite3_stmt*,int iCol);
+  int  (*column_count)(sqlite3_stmt*pStmt);
+  const char * (*column_database_name)(sqlite3_stmt*,int);
+  const void * (*column_database_name16)(sqlite3_stmt*,int);
+  const char * (*column_decltype)(sqlite3_stmt*,int i);
+  const void * (*column_decltype16)(sqlite3_stmt*,int);
+  double  (*column_double)(sqlite3_stmt*,int iCol);
+  int  (*column_int)(sqlite3_stmt*,int iCol);
+  sqlite_int64  (*column_int64)(sqlite3_stmt*,int iCol);
+  const char * (*column_name)(sqlite3_stmt*,int);
+  const void * (*column_name16)(sqlite3_stmt*,int);
+  const char * (*column_origin_name)(sqlite3_stmt*,int);
+  const void * (*column_origin_name16)(sqlite3_stmt*,int);
+  const char * (*column_table_name)(sqlite3_stmt*,int);
+  const void * (*column_table_name16)(sqlite3_stmt*,int);
+  const unsigned char * (*column_text)(sqlite3_stmt*,int iCol);
+  const void * (*column_text16)(sqlite3_stmt*,int iCol);
+  int  (*column_type)(sqlite3_stmt*,int iCol);
+  sqlite3_value* (*column_value)(sqlite3_stmt*,int iCol);
+  void * (*commit_hook)(sqlite3*,int(*)(void*),void*);
+  int  (*complete)(const char*sql);
+  int  (*complete16)(const void*sql);
+  int  (*create_collation)(sqlite3*,const char*,int,void*,int(*)(void*,int,const void*,int,const void*));
+  int  (*create_collation16)(sqlite3*,const char*,int,void*,int(*)(void*,int,const void*,int,const void*));
+  int  (*create_function)(sqlite3*,const char*,int,int,void*,void (*xFunc)(sqlite3_context*,int,sqlite3_value**),void (*xStep)(sqlite3_context*,int,sqlite3_value**),void (*xFinal)(sqlite3_context*));
+  int  (*create_function16)(sqlite3*,const void*,int,int,void*,void (*xFunc)(sqlite3_context*,int,sqlite3_value**),void (*xStep)(sqlite3_context*,int,sqlite3_value**),void (*xFinal)(sqlite3_context*));
+  int (*create_module)(sqlite3*,const char*,const sqlite3_module*,void*);
+  int  (*data_count)(sqlite3_stmt*pStmt);
+  sqlite3 * (*db_handle)(sqlite3_stmt*);
+  int (*declare_vtab)(sqlite3*,const char*);
+  int  (*enable_shared_cache)(int);
+  int  (*errcode)(sqlite3*db);
+  const char * (*errmsg)(sqlite3*);
+  const void * (*errmsg16)(sqlite3*);
+  int  (*exec)(sqlite3*,const char*,sqlite3_callback,void*,char**);
+  int  (*expired)(sqlite3_stmt*);
+  int  (*finalize)(sqlite3_stmt*pStmt);
+  void  (*free)(void*);
+  void  (*free_table)(char**result);
+  int  (*get_autocommit)(sqlite3*);
+  void * (*get_auxdata)(sqlite3_context*,int);
+  int  (*get_table)(sqlite3*,const char*,char***,int*,int*,char**);
+  int  (*global_recover)(void);
+  void  (*interruptx)(sqlite3*);
+  sqlite_int64  (*last_insert_rowid)(sqlite3*);
+  const char * (*libversion)(void);
+  int  (*libversion_number)(void);
+  void *(*malloc)(int);
+  char * (*mprintf)(const char*,...);
+  int  (*open)(const char*,sqlite3**);
+  int  (*open16)(const void*,sqlite3**);
+  int  (*prepare)(sqlite3*,const char*,int,sqlite3_stmt**,const char**);
+  int  (*prepare16)(sqlite3*,const void*,int,sqlite3_stmt**,const void**);
+  void * (*profile)(sqlite3*,void(*)(void*,const char*,sqlite_uint64),void*);
+  void  (*progress_handler)(sqlite3*,int,int(*)(void*),void*);
+  void *(*realloc)(void*,int);
+  int  (*reset)(sqlite3_stmt*pStmt);
+  void  (*result_blob)(sqlite3_context*,const void*,int,void(*)(void*));
+  void  (*result_double)(sqlite3_context*,double);
+  void  (*result_error)(sqlite3_context*,const char*,int);
+  void  (*result_error16)(sqlite3_context*,const void*,int);
+  void  (*result_int)(sqlite3_context*,int);
+  void  (*result_int64)(sqlite3_context*,sqlite_int64);
+  void  (*result_null)(sqlite3_context*);
+  void  (*result_text)(sqlite3_context*,const char*,int,void(*)(void*));
+  void  (*result_text16)(sqlite3_context*,const void*,int,void(*)(void*));
+  void  (*result_text16be)(sqlite3_context*,const void*,int,void(*)(void*));
+  void  (*result_text16le)(sqlite3_context*,const void*,int,void(*)(void*));
+  void  (*result_value)(sqlite3_context*,sqlite3_value*);
+  void * (*rollback_hook)(sqlite3*,void(*)(void*),void*);
+  int  (*set_authorizer)(sqlite3*,int(*)(void*,int,const char*,const char*,const char*,const char*),void*);
+  void  (*set_auxdata)(sqlite3_context*,int,void*,void (*)(void*));
+  char * (*snprintf)(int,char*,const char*,...);
+  int  (*step)(sqlite3_stmt*);
+  int  (*table_column_metadata)(sqlite3*,const char*,const char*,const char*,char const**,char const**,int*,int*,int*);
+  void  (*thread_cleanup)(void);
+  int  (*total_changes)(sqlite3*);
+  void * (*trace)(sqlite3*,void(*xTrace)(void*,const char*),void*);
+  int  (*transfer_bindings)(sqlite3_stmt*,sqlite3_stmt*);
+  void * (*update_hook)(sqlite3*,void(*)(void*,int ,char const*,char const*,sqlite_int64),void*);
+  void * (*user_data)(sqlite3_context*);
+  const void * (*value_blob)(sqlite3_value*);
+  int  (*value_bytes)(sqlite3_value*);
+  int  (*value_bytes16)(sqlite3_value*);
+  double  (*value_double)(sqlite3_value*);
+  int  (*value_int)(sqlite3_value*);
+  sqlite_int64  (*value_int64)(sqlite3_value*);
+  int  (*value_numeric_type)(sqlite3_value*);
+  const unsigned char * (*value_text)(sqlite3_value*);
+  const void * (*value_text16)(sqlite3_value*);
+  const void * (*value_text16be)(sqlite3_value*);
+  const void * (*value_text16le)(sqlite3_value*);
+  int  (*value_type)(sqlite3_value*);
+  char *(*vmprintf)(const char*,va_list);
+  int (*overload_function)(sqlite3*, const char *zFuncName, int nArg);
+  int (*prepare_v2)(sqlite3*,const char*,int,sqlite3_stmt**,const char**);
+  int (*prepare16_v2)(sqlite3*,const void*,int,sqlite3_stmt**,const void**);
+  int (*clear_bindings)(sqlite3_stmt*);
+};
+
+/*
+** The following macros redefine the API routines so that they are
+** redirected throught the global sqlite3_api structure.
+**
+** This header file is also used by the loadext.c source file
+** (part of the main SQLite library - not an extension) so that
+** it can get access to the sqlite3_api_routines structure
+** definition.  But the main library does not want to redefine
+** the API.  So the redefinition macros are only valid if the
+** SQLITE_CORE macros is undefined.
+*/
+#ifndef SQLITE_CORE
+#define sqlite3_aggregate_context      sqlite3_api->aggregate_context
+#define sqlite3_aggregate_count        sqlite3_api->aggregate_count
+#define sqlite3_bind_blob              sqlite3_api->bind_blob
+#define sqlite3_bind_double            sqlite3_api->bind_double
+#define sqlite3_bind_int               sqlite3_api->bind_int
+#define sqlite3_bind_int64             sqlite3_api->bind_int64
+#define sqlite3_bind_null              sqlite3_api->bind_null
+#define sqlite3_bind_parameter_count   sqlite3_api->bind_parameter_count
+#define sqlite3_bind_parameter_index   sqlite3_api->bind_parameter_index
+#define sqlite3_bind_parameter_name    sqlite3_api->bind_parameter_name
+#define sqlite3_bind_text              sqlite3_api->bind_text
+#define sqlite3_bind_text16            sqlite3_api->bind_text16
+#define sqlite3_bind_value             sqlite3_api->bind_value
+#define sqlite3_busy_handler           sqlite3_api->busy_handler
+#define sqlite3_busy_timeout           sqlite3_api->busy_timeout
+#define sqlite3_changes                sqlite3_api->changes
+#define sqlite3_close                  sqlite3_api->close
+#define sqlite3_collation_needed       sqlite3_api->collation_needed
+#define sqlite3_collation_needed16     sqlite3_api->collation_needed16
+#define sqlite3_column_blob            sqlite3_api->column_blob
+#define sqlite3_column_bytes           sqlite3_api->column_bytes
+#define sqlite3_column_bytes16         sqlite3_api->column_bytes16
+#define sqlite3_column_count           sqlite3_api->column_count
+#define sqlite3_column_database_name   sqlite3_api->column_database_name
+#define sqlite3_column_database_name16 sqlite3_api->column_database_name16
+#define sqlite3_column_decltype        sqlite3_api->column_decltype
+#define sqlite3_column_decltype16      sqlite3_api->column_decltype16
+#define sqlite3_column_double          sqlite3_api->column_double
+#define sqlite3_column_int             sqlite3_api->column_int
+#define sqlite3_column_int64           sqlite3_api->column_int64
+#define sqlite3_column_name            sqlite3_api->column_name
+#define sqlite3_column_name16          sqlite3_api->column_name16
+#define sqlite3_column_origin_name     sqlite3_api->column_origin_name
+#define sqlite3_column_origin_name16   sqlite3_api->column_origin_name16
+#define sqlite3_column_table_name      sqlite3_api->column_table_name
+#define sqlite3_column_table_name16    sqlite3_api->column_table_name16
+#define sqlite3_column_text            sqlite3_api->column_text
+#define sqlite3_column_text16          sqlite3_api->column_text16
+#define sqlite3_column_type            sqlite3_api->column_type
+#define sqlite3_column_value           sqlite3_api->column_value
+#define sqlite3_commit_hook            sqlite3_api->commit_hook
+#define sqlite3_complete               sqlite3_api->complete
+#define sqlite3_complete16             sqlite3_api->complete16
+#define sqlite3_create_collation       sqlite3_api->create_collation
+#define sqlite3_create_collation16     sqlite3_api->create_collation16
+#define sqlite3_create_function        sqlite3_api->create_function
+#define sqlite3_create_function16      sqlite3_api->create_function16
+#define sqlite3_create_module          sqlite3_api->create_module
+#define sqlite3_data_count             sqlite3_api->data_count
+#define sqlite3_db_handle              sqlite3_api->db_handle
+#define sqlite3_declare_vtab           sqlite3_api->declare_vtab
+#define sqlite3_enable_shared_cache    sqlite3_api->enable_shared_cache
+#define sqlite3_errcode                sqlite3_api->errcode
+#define sqlite3_errmsg                 sqlite3_api->errmsg
+#define sqlite3_errmsg16               sqlite3_api->errmsg16
+#define sqlite3_exec                   sqlite3_api->exec
+#define sqlite3_expired                sqlite3_api->expired
+#define sqlite3_finalize               sqlite3_api->finalize
+#define sqlite3_free                   sqlite3_api->free
+#define sqlite3_free_table             sqlite3_api->free_table
+#define sqlite3_get_autocommit         sqlite3_api->get_autocommit
+#define sqlite3_get_auxdata            sqlite3_api->get_auxdata
+#define sqlite3_get_table              sqlite3_api->get_table
+#define sqlite3_global_recover         sqlite3_api->global_recover
+#define sqlite3_interrupt              sqlite3_api->interruptx
+#define sqlite3_last_insert_rowid      sqlite3_api->last_insert_rowid
+#define sqlite3_libversion             sqlite3_api->libversion
+#define sqlite3_libversion_number      sqlite3_api->libversion_number
+#define sqlite3_malloc                 sqlite3_api->malloc
+#define sqlite3_mprintf                sqlite3_api->mprintf
+#define sqlite3_open                   sqlite3_api->open
+#define sqlite3_open16                 sqlite3_api->open16
+#define sqlite3_prepare                sqlite3_api->prepare
+#define sqlite3_prepare16              sqlite3_api->prepare16
+#define sqlite3_prepare_v2             sqlite3_api->prepare_v2
+#define sqlite3_prepare16_v2           sqlite3_api->prepare16_v2
+#define sqlite3_profile                sqlite3_api->profile
+#define sqlite3_progress_handler       sqlite3_api->progress_handler
+#define sqlite3_realloc                sqlite3_api->realloc
+#define sqlite3_reset                  sqlite3_api->reset
+#define sqlite3_result_blob            sqlite3_api->result_blob
+#define sqlite3_result_double          sqlite3_api->result_double
+#define sqlite3_result_error           sqlite3_api->result_error
+#define sqlite3_result_error16         sqlite3_api->result_error16
+#define sqlite3_result_int             sqlite3_api->result_int
+#define sqlite3_result_int64           sqlite3_api->result_int64
+#define sqlite3_result_null            sqlite3_api->result_null
+#define sqlite3_result_text            sqlite3_api->result_text
+#define sqlite3_result_text16          sqlite3_api->result_text16
+#define sqlite3_result_text16be        sqlite3_api->result_text16be
+#define sqlite3_result_text16le        sqlite3_api->result_text16le
+#define sqlite3_result_value           sqlite3_api->result_value
+#define sqlite3_rollback_hook          sqlite3_api->rollback_hook
+#define sqlite3_set_authorizer         sqlite3_api->set_authorizer
+#define sqlite3_set_auxdata            sqlite3_api->set_auxdata
+#define sqlite3_snprintf               sqlite3_api->snprintf
+#define sqlite3_step                   sqlite3_api->step
+#define sqlite3_table_column_metadata  sqlite3_api->table_column_metadata
+#define sqlite3_thread_cleanup         sqlite3_api->thread_cleanup
+#define sqlite3_total_changes          sqlite3_api->total_changes
+#define sqlite3_trace                  sqlite3_api->trace
+#define sqlite3_transfer_bindings      sqlite3_api->transfer_bindings
+#define sqlite3_update_hook            sqlite3_api->update_hook
+#define sqlite3_user_data              sqlite3_api->user_data
+#define sqlite3_value_blob             sqlite3_api->value_blob
+#define sqlite3_value_bytes            sqlite3_api->value_bytes
+#define sqlite3_value_bytes16          sqlite3_api->value_bytes16
+#define sqlite3_value_double           sqlite3_api->value_double
+#define sqlite3_value_int              sqlite3_api->value_int
+#define sqlite3_value_int64            sqlite3_api->value_int64
+#define sqlite3_value_numeric_type     sqlite3_api->value_numeric_type
+#define sqlite3_value_text             sqlite3_api->value_text
+#define sqlite3_value_text16           sqlite3_api->value_text16
+#define sqlite3_value_text16be         sqlite3_api->value_text16be
+#define sqlite3_value_text16le         sqlite3_api->value_text16le
+#define sqlite3_value_type             sqlite3_api->value_type
+#define sqlite3_vmprintf               sqlite3_api->vmprintf
+#define sqlite3_overload_function      sqlite3_api->overload_function
+#define sqlite3_prepare_v2             sqlite3_api->prepare_v2
+#define sqlite3_prepare16_v2           sqlite3_api->prepare16_v2
+#define sqlite3_clear_bindings         sqlite3_api->clear_bindings
+#endif /* SQLITE_CORE */
+
+#define SQLITE_EXTENSION_INIT1     const sqlite3_api_routines *sqlite3_api;
+#define SQLITE_EXTENSION_INIT2(v)  sqlite3_api = v;
+
+#endif /* _SQLITE3EXT_H_ */
+
+/************** End of sqlite3ext.h ******************************************/
+/************** Continuing where we left off in loadext.c ********************/
+
+/*
+** Some API routines are omitted when various features are
+** excluded from a build of SQLite.  Substitute a NULL pointer
+** for any missing APIs.
+*/
+#ifndef SQLITE_ENABLE_COLUMN_METADATA
+# define sqlite3_column_database_name   0
+# define sqlite3_column_database_name16 0
+# define sqlite3_column_table_name      0
+# define sqlite3_column_table_name16    0
+# define sqlite3_column_origin_name     0
+# define sqlite3_column_origin_name16   0
+# define sqlite3_table_column_metadata  0
+#endif
+
+#ifdef SQLITE_OMIT_AUTHORIZATION
+# define sqlite3_set_authorizer         0
+#endif
+
+#ifdef SQLITE_OMIT_UTF16
+# define sqlite3_bind_text16            0
+# define sqlite3_collation_needed16     0
+# define sqlite3_column_decltype16      0
+# define sqlite3_column_name16          0
+# define sqlite3_column_text16          0
+# define sqlite3_complete16             0
+# define sqlite3_create_collation16     0
+# define sqlite3_create_function16      0
+# define sqlite3_errmsg16               0
+# define sqlite3_open16                 0
+# define sqlite3_prepare16              0
+# define sqlite3_prepare16_v2           0
+# define sqlite3_result_error16         0
+# define sqlite3_result_text16          0
+# define sqlite3_result_text16be        0
+# define sqlite3_result_text16le        0
+# define sqlite3_value_text16           0
+# define sqlite3_value_text16be         0
+# define sqlite3_value_text16le         0
+# define sqlite3_column_database_name16 0
+# define sqlite3_column_table_name16    0
+# define sqlite3_column_origin_name16   0
+#endif
+
+#ifdef SQLITE_OMIT_COMPLETE
+# define sqlite3_complete 0
+# define sqlite3_complete16 0
+#endif
+
+#ifdef SQLITE_OMIT_PROGRESS_CALLBACK
+# define sqlite3_progress_handler 0
+#endif
+
+#ifdef SQLITE_OMIT_VIRTUALTABLE
+# define sqlite3_create_module 0
+# define sqlite3_declare_vtab 0
+#endif
+
+#ifdef SQLITE_OMIT_SHARED_CACHE
+# define sqlite3_enable_shared_cache 0
+#endif
+
+#ifdef SQLITE_OMIT_TRACE
+# define sqlite3_profile       0
+# define sqlite3_trace         0
+#endif
+
+#ifdef SQLITE_OMIT_GET_TABLE
+# define sqlite3_free_table    0
+# define sqlite3_get_table     0
+#endif
+
+/*
+** The following structure contains pointers to all SQLite API routines.
+** A pointer to this structure is passed into extensions when they are
+** loaded so that the extension can make calls back into the SQLite
+** library.
+**
+** When adding new APIs, add them to the bottom of this structure
+** in order to preserve backwards compatibility.
+**
+** Extensions that use newer APIs should first call the
+** sqlite3_libversion_number() to make sure that the API they
+** intend to use is supported by the library.  Extensions should
+** also check to make sure that the pointer to the function is
+** not NULL before calling it.
+*/
+const sqlite3_api_routines sqlite3_apis = {
+  sqlite3_aggregate_context,
+  sqlite3_aggregate_count,
+  sqlite3_bind_blob,
+  sqlite3_bind_double,
+  sqlite3_bind_int,
+  sqlite3_bind_int64,
+  sqlite3_bind_null,
+  sqlite3_bind_parameter_count,
+  sqlite3_bind_parameter_index,
+  sqlite3_bind_parameter_name,
+  sqlite3_bind_text,
+  sqlite3_bind_text16,
+  sqlite3_bind_value,
+  sqlite3_busy_handler,
+  sqlite3_busy_timeout,
+  sqlite3_changes,
+  sqlite3_close,
+  sqlite3_collation_needed,
+  sqlite3_collation_needed16,
+  sqlite3_column_blob,
+  sqlite3_column_bytes,
+  sqlite3_column_bytes16,
+  sqlite3_column_count,
+  sqlite3_column_database_name,
+  sqlite3_column_database_name16,
+  sqlite3_column_decltype,
+  sqlite3_column_decltype16,
+  sqlite3_column_double,
+  sqlite3_column_int,
+  sqlite3_column_int64,
+  sqlite3_column_name,
+  sqlite3_column_name16,
+  sqlite3_column_origin_name,
+  sqlite3_column_origin_name16,
+  sqlite3_column_table_name,
+  sqlite3_column_table_name16,
+  sqlite3_column_text,
+  sqlite3_column_text16,
+  sqlite3_column_type,
+  sqlite3_column_value,
+  sqlite3_commit_hook,
+  sqlite3_complete,
+  sqlite3_complete16,
+  sqlite3_create_collation,
+  sqlite3_create_collation16,
+  sqlite3_create_function,
+  sqlite3_create_function16,
+  sqlite3_create_module,
+  sqlite3_data_count,
+  sqlite3_db_handle,
+  sqlite3_declare_vtab,
+  sqlite3_enable_shared_cache,
+  sqlite3_errcode,
+  sqlite3_errmsg,
+  sqlite3_errmsg16,
+  sqlite3_exec,
+  sqlite3_expired,
+  sqlite3_finalize,
+  sqlite3_free,
+  sqlite3_free_table,
+  sqlite3_get_autocommit,
+  sqlite3_get_auxdata,
+  sqlite3_get_table,
+  0,     /* Was sqlite3_global_recover(), but that function is deprecated */
+  sqlite3_interrupt,
+  sqlite3_last_insert_rowid,
+  sqlite3_libversion,
+  sqlite3_libversion_number,
+  sqlite3_malloc,
+  sqlite3_mprintf,
+  sqlite3_open,
+  sqlite3_open16,
+  sqlite3_prepare,
+  sqlite3_prepare16,
+  sqlite3_profile,
+  sqlite3_progress_handler,
+  sqlite3_realloc,
+  sqlite3_reset,
+  sqlite3_result_blob,
+  sqlite3_result_double,
+  sqlite3_result_error,
+  sqlite3_result_error16,
+  sqlite3_result_int,
+  sqlite3_result_int64,
+  sqlite3_result_null,
+  sqlite3_result_text,
+  sqlite3_result_text16,
+  sqlite3_result_text16be,
+  sqlite3_result_text16le,
+  sqlite3_result_value,
+  sqlite3_rollback_hook,
+  sqlite3_set_authorizer,
+  sqlite3_set_auxdata,
+  sqlite3_snprintf,
+  sqlite3_step,
+  sqlite3_table_column_metadata,
+  sqlite3_thread_cleanup,
+  sqlite3_total_changes,
+  sqlite3_trace,
+  sqlite3_transfer_bindings,
+  sqlite3_update_hook,
+  sqlite3_user_data,
+  sqlite3_value_blob,
+  sqlite3_value_bytes,
+  sqlite3_value_bytes16,
+  sqlite3_value_double,
+  sqlite3_value_int,
+  sqlite3_value_int64,
+  sqlite3_value_numeric_type,
+  sqlite3_value_text,
+  sqlite3_value_text16,
+  sqlite3_value_text16be,
+  sqlite3_value_text16le,
+  sqlite3_value_type,
+  sqlite3_vmprintf,
+  /*
+  ** The original API set ends here.  All extensions can call any
+  ** of the APIs above provided that the pointer is not NULL.  But
+  ** before calling APIs that follow, extension should check the
+  ** sqlite3_libversion_number() to make sure they are dealing with
+  ** a library that is new enough to support that API.
+  *************************************************************************
+  */
+  sqlite3_overload_function,
+
+  /*
+  ** Added after 3.3.13
+  */
+  sqlite3_prepare_v2,
+  sqlite3_prepare16_v2,
+  sqlite3_clear_bindings,
+};
+
+/*
+** Attempt to load an SQLite extension library contained in the file
+** zFile.  The entry point is zProc.  zProc may be 0 in which case a
+** default entry point name (sqlite3_extension_init) is used.  Use
+** of the default name is recommended.
+**
+** Return SQLITE_OK on success and SQLITE_ERROR if something goes wrong.
+**
+** If an error occurs and pzErrMsg is not 0, then fill *pzErrMsg with 
+** error message text.  The calling function should free this memory
+** by calling sqlite3_free().
+*/
+int sqlite3_load_extension(
+  sqlite3 *db,          /* Load the extension into this database connection */
+  const char *zFile,    /* Name of the shared library containing extension */
+  const char *zProc,    /* Entry point.  Use "sqlite3_extension_init" if 0 */
+  char **pzErrMsg       /* Put error message here if not 0 */
+){
+  void *handle;
+  int (*xInit)(sqlite3*,char**,const sqlite3_api_routines*);
+  char *zErrmsg = 0;
+  void **aHandle;
+
+  /* Ticket #1863.  To avoid a creating security problems for older
+  ** applications that relink against newer versions of SQLite, the
+  ** ability to run load_extension is turned off by default.  One
+  ** must call sqlite3_enable_load_extension() to turn on extension
+  ** loading.  Otherwise you get the following error.
+  */
+  if( (db->flags & SQLITE_LoadExtension)==0 ){
+    if( pzErrMsg ){
+      *pzErrMsg = sqlite3_mprintf("not authorized");
+    }
+    return SQLITE_ERROR;
+  }
+
+  if( zProc==0 ){
+    zProc = "sqlite3_extension_init";
+  }
+
+  handle = sqlite3OsDlopen(zFile);
+  if( handle==0 ){
+    if( pzErrMsg ){
+      *pzErrMsg = sqlite3_mprintf("unable to open shared library [%s]", zFile);
+    }
+    return SQLITE_ERROR;
+  }
+  xInit = (int(*)(sqlite3*,char**,const sqlite3_api_routines*))
+                   sqlite3OsDlsym(handle, zProc);
+  if( xInit==0 ){
+    if( pzErrMsg ){
+       *pzErrMsg = sqlite3_mprintf("no entry point [%s] in shared library [%s]",
+                                   zProc, zFile);
+    }
+    sqlite3OsDlclose(handle);
+    return SQLITE_ERROR;
+  }else if( xInit(db, &zErrmsg, &sqlite3_apis) ){
+    if( pzErrMsg ){
+      *pzErrMsg = sqlite3_mprintf("error during initialization: %s", zErrmsg);
+    }
+    sqlite3_free(zErrmsg);
+    sqlite3OsDlclose(handle);
+    return SQLITE_ERROR;
+  }
+
+  /* Append the new shared library handle to the db->aExtension array. */
+  db->nExtension++;
+  aHandle = sqliteMalloc(sizeof(handle)*db->nExtension);
+  if( aHandle==0 ){
+    return SQLITE_NOMEM;
+  }
+  if( db->nExtension>0 ){
+    memcpy(aHandle, db->aExtension, sizeof(handle)*(db->nExtension-1));
+  }
+  sqliteFree(db->aExtension);
+  db->aExtension = aHandle;
+
+  db->aExtension[db->nExtension-1] = handle;
+  return SQLITE_OK;
+}
+
+/*
+** Call this routine when the database connection is closing in order
+** to clean up loaded extensions
+*/
+void sqlite3CloseExtensions(sqlite3 *db){
+  int i;
+  for(i=0; i<db->nExtension; i++){
+    sqlite3OsDlclose(db->aExtension[i]);
+  }
+  sqliteFree(db->aExtension);
+}
+
+/*
+** Enable or disable extension loading.  Extension loading is disabled by
+** default so as not to open security holes in older applications.
+*/
+int sqlite3_enable_load_extension(sqlite3 *db, int onoff){
+  if( onoff ){
+    db->flags |= SQLITE_LoadExtension;
+  }else{
+    db->flags &= ~SQLITE_LoadExtension;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** A list of automatically loaded extensions.
+**
+** This list is shared across threads, so be sure to hold the
+** mutex while accessing or changing it.
+*/
+static int nAutoExtension = 0;
+static void **aAutoExtension = 0;
+
+
+/*
+** Register a statically linked extension that is automatically
+** loaded by every new database connection.
+*/
+int sqlite3_auto_extension(void *xInit){
+  int i;
+  int rc = SQLITE_OK;
+  sqlite3OsEnterMutex();
+  for(i=0; i<nAutoExtension; i++){
+    if( aAutoExtension[i]==xInit ) break;
+  }
+  if( i==nAutoExtension ){
+    nAutoExtension++;
+    aAutoExtension = sqlite3Realloc( aAutoExtension,
+                                     nAutoExtension*sizeof(aAutoExtension[0]) );
+    if( aAutoExtension==0 ){
+      nAutoExtension = 0;
+      rc = SQLITE_NOMEM;
+    }else{
+      aAutoExtension[nAutoExtension-1] = xInit;
+    }
+  }
+  sqlite3OsLeaveMutex();
+  assert( (rc&0xff)==rc );
+  return rc;
+}
+
+/*
+** Reset the automatic extension loading mechanism.
+*/
+void sqlite3_reset_auto_extension(void){
+  sqlite3OsEnterMutex();
+  sqliteFree(aAutoExtension);
+  aAutoExtension = 0;
+  nAutoExtension = 0;
+  sqlite3OsLeaveMutex();
+}
+
+/*
+** Load all automatic extensions.
+*/
+int sqlite3AutoLoadExtensions(sqlite3 *db){
+  int i;
+  int go = 1;
+  int rc = SQLITE_OK;
+  int (*xInit)(sqlite3*,char**,const sqlite3_api_routines*);
+
+  if( nAutoExtension==0 ){
+    /* Common case: early out without every having to acquire a mutex */
+    return SQLITE_OK;
+  }
+  for(i=0; go; i++){
+    char *zErrmsg = 0;
+    sqlite3OsEnterMutex();
+    if( i>=nAutoExtension ){
+      xInit = 0;
+      go = 0;
+    }else{
+      xInit = (int(*)(sqlite3*,char**,const sqlite3_api_routines*))
+              aAutoExtension[i];
+    }
+    sqlite3OsLeaveMutex();
+    if( xInit && xInit(db, &zErrmsg, &sqlite3_apis) ){
+      sqlite3Error(db, SQLITE_ERROR,
+            "automatic extension loading failed: %s", zErrmsg);
+      go = 0;
+      rc = SQLITE_ERROR;
+    }
+  }
+  return rc;
+}
+
+#endif /* SQLITE_OMIT_LOAD_EXTENSION */
+
+/************** End of loadext.c *********************************************/
+/************** Begin file pragma.c ******************************************/
+/*
+** 2003 April 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to implement the PRAGMA command.
+**
+** $Id$
+*/
+
+/* Ignore this whole file if pragmas are disabled
+*/
+#if !defined(SQLITE_OMIT_PRAGMA) && !defined(SQLITE_OMIT_PARSER)
+
+#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST)
+#endif
+
+/*
+** Interpret the given string as a safety level.  Return 0 for OFF,
+** 1 for ON or NORMAL and 2 for FULL.  Return 1 for an empty or 
+** unrecognized string argument.
+**
+** Note that the values returned are one less that the values that
+** should be passed into sqlite3BtreeSetSafetyLevel().  The is done
+** to support legacy SQL code.  The safety level used to be boolean
+** and older scripts may have used numbers 0 for OFF and 1 for ON.
+*/
+static int getSafetyLevel(const char *z){
+                             /* 123456789 123456789 */
+  static const char zText[] = "onoffalseyestruefull";
+  static const u8 iOffset[] = {0, 1, 2, 4, 9, 12, 16};
+  static const u8 iLength[] = {2, 2, 3, 5, 3, 4, 4};
+  static const u8 iValue[] =  {1, 0, 0, 0, 1, 1, 2};
+  int i, n;
+  if( isdigit(*z) ){
+    return atoi(z);
+  }
+  n = strlen(z);
+  for(i=0; i<sizeof(iLength); i++){
+    if( iLength[i]==n && sqlite3StrNICmp(&zText[iOffset[i]],z,n)==0 ){
+      return iValue[i];
+    }
+  }
+  return 1;
+}
+
+/*
+** Interpret the given string as a boolean value.
+*/
+static int getBoolean(const char *z){
+  return getSafetyLevel(z)&1;
+}
+
+/*
+** Interpret the given string as a locking mode value.
+*/
+static int getLockingMode(const char *z){
+  if( z ){
+    if( 0==sqlite3StrICmp(z, "exclusive") ) return PAGER_LOCKINGMODE_EXCLUSIVE;
+    if( 0==sqlite3StrICmp(z, "normal") ) return PAGER_LOCKINGMODE_NORMAL;
+  }
+  return PAGER_LOCKINGMODE_QUERY;
+}
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+/*
+** Interpret the given string as a temp db location. Return 1 for file
+** backed temporary databases, 2 for the Red-Black tree in memory database
+** and 0 to use the compile-time default.
+*/
+static int getTempStore(const char *z){
+  if( z[0]>='0' && z[0]<='2' ){
+    return z[0] - '0';
+  }else if( sqlite3StrICmp(z, "file")==0 ){
+    return 1;
+  }else if( sqlite3StrICmp(z, "memory")==0 ){
+    return 2;
+  }else{
+    return 0;
+  }
+}
+#endif /* SQLITE_PAGER_PRAGMAS */
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+/*
+** Invalidate temp storage, either when the temp storage is changed
+** from default, or when 'file' and the temp_store_directory has changed
+*/
+static int invalidateTempStorage(Parse *pParse){
+  sqlite3 *db = pParse->db;
+  if( db->aDb[1].pBt!=0 ){
+    if( !db->autoCommit ){
+      sqlite3ErrorMsg(pParse, "temporary storage cannot be changed "
+        "from within a transaction");
+      return SQLITE_ERROR;
+    }
+    sqlite3BtreeClose(db->aDb[1].pBt);
+    db->aDb[1].pBt = 0;
+    sqlite3ResetInternalSchema(db, 0);
+  }
+  return SQLITE_OK;
+}
+#endif /* SQLITE_PAGER_PRAGMAS */
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+/*
+** If the TEMP database is open, close it and mark the database schema
+** as needing reloading.  This must be done when using the TEMP_STORE
+** or DEFAULT_TEMP_STORE pragmas.
+*/
+static int changeTempStorage(Parse *pParse, const char *zStorageType){
+  int ts = getTempStore(zStorageType);
+  sqlite3 *db = pParse->db;
+  if( db->temp_store==ts ) return SQLITE_OK;
+  if( invalidateTempStorage( pParse ) != SQLITE_OK ){
+    return SQLITE_ERROR;
+  }
+  db->temp_store = ts;
+  return SQLITE_OK;
+}
+#endif /* SQLITE_PAGER_PRAGMAS */
+
+/*
+** Generate code to return a single integer value.
+*/
+static void returnSingleInt(Parse *pParse, const char *zLabel, int value){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  sqlite3VdbeAddOp(v, OP_Integer, value, 0);
+  if( pParse->explain==0 ){
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, zLabel, P3_STATIC);
+  }
+  sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+}
+
+#ifndef SQLITE_OMIT_FLAG_PRAGMAS
+/*
+** Check to see if zRight and zLeft refer to a pragma that queries
+** or changes one of the flags in db->flags.  Return 1 if so and 0 if not.
+** Also, implement the pragma.
+*/
+static int flagPragma(Parse *pParse, const char *zLeft, const char *zRight){
+  static const struct sPragmaType {
+    const char *zName;  /* Name of the pragma */
+    int mask;           /* Mask for the db->flags value */
+  } aPragma[] = {
+    { "vdbe_trace",               SQLITE_VdbeTrace     },
+    { "sql_trace",                SQLITE_SqlTrace      },
+    { "vdbe_listing",             SQLITE_VdbeListing   },
+    { "full_column_names",        SQLITE_FullColNames  },
+    { "short_column_names",       SQLITE_ShortColNames },
+    { "count_changes",            SQLITE_CountRows     },
+    { "empty_result_callbacks",   SQLITE_NullCallback  },
+    { "legacy_file_format",       SQLITE_LegacyFileFmt },
+    { "fullfsync",                SQLITE_FullFSync     },
+#ifndef SQLITE_OMIT_CHECK
+    { "ignore_check_constraints", SQLITE_IgnoreChecks  },
+#endif
+    /* The following is VERY experimental */
+    { "writable_schema",          SQLITE_WriteSchema|SQLITE_RecoveryMode },
+    { "omit_readlock",            SQLITE_NoReadlock    },
+
+    /* TODO: Maybe it shouldn't be possible to change the ReadUncommitted
+    ** flag if there are any active statements. */
+    { "read_uncommitted",         SQLITE_ReadUncommitted },
+  };
+  int i;
+  const struct sPragmaType *p;
+  for(i=0, p=aPragma; i<sizeof(aPragma)/sizeof(aPragma[0]); i++, p++){
+    if( sqlite3StrICmp(zLeft, p->zName)==0 ){
+      sqlite3 *db = pParse->db;
+      Vdbe *v;
+      v = sqlite3GetVdbe(pParse);
+      if( v ){
+        if( zRight==0 ){
+          returnSingleInt(pParse, p->zName, (db->flags & p->mask)!=0 );
+        }else{
+          if( getBoolean(zRight) ){
+            db->flags |= p->mask;
+          }else{
+            db->flags &= ~p->mask;
+          }
+        }
+      }
+      return 1;
+    }
+  }
+  return 0;
+}
+#endif /* SQLITE_OMIT_FLAG_PRAGMAS */
+
+/*
+** Process a pragma statement.  
+**
+** Pragmas are of this form:
+**
+**      PRAGMA [database.]id [= value]
+**
+** The identifier might also be a string.  The value is a string, and
+** identifier, or a number.  If minusFlag is true, then the value is
+** a number that was preceded by a minus sign.
+**
+** If the left side is "database.id" then pId1 is the database name
+** and pId2 is the id.  If the left side is just "id" then pId1 is the
+** id and pId2 is any empty string.
+*/
+void sqlite3Pragma(
+  Parse *pParse, 
+  Token *pId1,        /* First part of [database.]id field */
+  Token *pId2,        /* Second part of [database.]id field, or NULL */
+  Token *pValue,      /* Token for <value>, or NULL */
+  int minusFlag       /* True if a '-' sign preceded <value> */
+){
+  char *zLeft = 0;       /* Nul-terminated UTF-8 string <id> */
+  char *zRight = 0;      /* Nul-terminated UTF-8 string <value>, or NULL */
+  const char *zDb = 0;   /* The database name */
+  Token *pId;            /* Pointer to <id> token */
+  int iDb;               /* Database index for <database> */
+  sqlite3 *db = pParse->db;
+  Db *pDb;
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return;
+
+  /* Interpret the [database.] part of the pragma statement. iDb is the
+  ** index of the database this pragma is being applied to in db.aDb[]. */
+  iDb = sqlite3TwoPartName(pParse, pId1, pId2, &pId);
+  if( iDb<0 ) return;
+  pDb = &db->aDb[iDb];
+
+  /* If the temp database has been explicitly named as part of the 
+  ** pragma, make sure it is open. 
+  */
+  if( iDb==1 && sqlite3OpenTempDatabase(pParse) ){
+    return;
+  }
+
+  zLeft = sqlite3NameFromToken(pId);
+  if( !zLeft ) return;
+  if( minusFlag ){
+    zRight = sqlite3MPrintf("-%T", pValue);
+  }else{
+    zRight = sqlite3NameFromToken(pValue);
+  }
+
+  zDb = ((iDb>0)?pDb->zName:0);
+  if( sqlite3AuthCheck(pParse, SQLITE_PRAGMA, zLeft, zRight, zDb) ){
+    goto pragma_out;
+  }
+ 
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+  /*
+  **  PRAGMA [database.]default_cache_size
+  **  PRAGMA [database.]default_cache_size=N
+  **
+  ** The first form reports the current persistent setting for the
+  ** page cache size.  The value returned is the maximum number of
+  ** pages in the page cache.  The second form sets both the current
+  ** page cache size value and the persistent page cache size value
+  ** stored in the database file.
+  **
+  ** The default cache size is stored in meta-value 2 of page 1 of the
+  ** database file.  The cache size is actually the absolute value of
+  ** this memory location.  The sign of meta-value 2 determines the
+  ** synchronous setting.  A negative value means synchronous is off
+  ** and a positive value means synchronous is on.
+  */
+  if( sqlite3StrICmp(zLeft,"default_cache_size")==0 ){
+    static const VdbeOpList getCacheSize[] = {
+      { OP_ReadCookie,  0, 2,        0},  /* 0 */
+      { OP_AbsValue,    0, 0,        0},
+      { OP_Dup,         0, 0,        0},
+      { OP_Integer,     0, 0,        0},
+      { OP_Ne,          0, 6,        0},
+      { OP_Integer,     0, 0,        0},  /* 5 */
+      { OP_Callback,    1, 0,        0},
+    };
+    int addr;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    if( !zRight ){
+      sqlite3VdbeSetNumCols(v, 1);
+      sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "cache_size", P3_STATIC);
+      addr = sqlite3VdbeAddOpList(v, ArraySize(getCacheSize), getCacheSize);
+      sqlite3VdbeChangeP1(v, addr, iDb);
+      sqlite3VdbeChangeP1(v, addr+5, MAX_PAGES);
+    }else{
+      int size = atoi(zRight);
+      if( size<0 ) size = -size;
+      sqlite3BeginWriteOperation(pParse, 0, iDb);
+      sqlite3VdbeAddOp(v, OP_Integer, size, 0);
+      sqlite3VdbeAddOp(v, OP_ReadCookie, iDb, 2);
+      addr = sqlite3VdbeAddOp(v, OP_Integer, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Ge, 0, addr+3);
+      sqlite3VdbeAddOp(v, OP_Negative, 0, 0);
+      sqlite3VdbeAddOp(v, OP_SetCookie, iDb, 2);
+      pDb->pSchema->cache_size = size;
+      sqlite3BtreeSetCacheSize(pDb->pBt, pDb->pSchema->cache_size);
+    }
+  }else
+
+  /*
+  **  PRAGMA [database.]page_size
+  **  PRAGMA [database.]page_size=N
+  **
+  ** The first form reports the current setting for the
+  ** database page size in bytes.  The second form sets the
+  ** database page size value.  The value can only be set if
+  ** the database has not yet been created.
+  */
+  if( sqlite3StrICmp(zLeft,"page_size")==0 ){
+    Btree *pBt = pDb->pBt;
+    if( !zRight ){
+      int size = pBt ? sqlite3BtreeGetPageSize(pBt) : 0;
+      returnSingleInt(pParse, "page_size", size);
+    }else{
+      sqlite3BtreeSetPageSize(pBt, atoi(zRight), -1);
+    }
+  }else
+
+  /*
+  **  PRAGMA [database.]locking_mode
+  **  PRAGMA [database.]locking_mode = (normal|exclusive)
+  */
+  if( sqlite3StrICmp(zLeft,"locking_mode")==0 ){
+    const char *zRet = "normal";
+    int eMode = getLockingMode(zRight);
+
+    if( pId2->n==0 && eMode==PAGER_LOCKINGMODE_QUERY ){
+      /* Simple "PRAGMA locking_mode;" statement. This is a query for
+      ** the current default locking mode (which may be different to
+      ** the locking-mode of the main database).
+      */
+      eMode = db->dfltLockMode;
+    }else{
+      Pager *pPager;
+      if( pId2->n==0 ){
+        /* This indicates that no database name was specified as part
+        ** of the PRAGMA command. In this case the locking-mode must be
+        ** set on all attached databases, as well as the main db file.
+        **
+        ** Also, the sqlite3.dfltLockMode variable is set so that
+        ** any subsequently attached databases also use the specified
+        ** locking mode.
+        */
+        int ii;
+        assert(pDb==&db->aDb[0]);
+        for(ii=2; ii<db->nDb; ii++){
+          pPager = sqlite3BtreePager(db->aDb[ii].pBt);
+          sqlite3PagerLockingMode(pPager, eMode);
+        }
+        db->dfltLockMode = eMode;
+      }
+      pPager = sqlite3BtreePager(pDb->pBt);
+      eMode = sqlite3PagerLockingMode(pPager, eMode);
+    }
+
+    assert(eMode==PAGER_LOCKINGMODE_NORMAL||eMode==PAGER_LOCKINGMODE_EXCLUSIVE);
+    if( eMode==PAGER_LOCKINGMODE_EXCLUSIVE ){
+      zRet = "exclusive";
+    }
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "locking_mode", P3_STATIC);
+    sqlite3VdbeOp3(v, OP_String8, 0, 0, zRet, 0);
+    sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+  }else
+#endif /* SQLITE_OMIT_PAGER_PRAGMAS */
+
+  /*
+  **  PRAGMA [database.]auto_vacuum
+  **  PRAGMA [database.]auto_vacuum=N
+  **
+  ** Get or set the (boolean) value of the database 'auto-vacuum' parameter.
+  */
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  if( sqlite3StrICmp(zLeft,"auto_vacuum")==0 ){
+    Btree *pBt = pDb->pBt;
+    if( !zRight ){
+      int auto_vacuum = 
+          pBt ? sqlite3BtreeGetAutoVacuum(pBt) : SQLITE_DEFAULT_AUTOVACUUM;
+      returnSingleInt(pParse, "auto_vacuum", auto_vacuum);
+    }else{
+      sqlite3BtreeSetAutoVacuum(pBt, getBoolean(zRight));
+    }
+  }else
+#endif
+
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+  /*
+  **  PRAGMA [database.]cache_size
+  **  PRAGMA [database.]cache_size=N
+  **
+  ** The first form reports the current local setting for the
+  ** page cache size.  The local setting can be different from
+  ** the persistent cache size value that is stored in the database
+  ** file itself.  The value returned is the maximum number of
+  ** pages in the page cache.  The second form sets the local
+  ** page cache size value.  It does not change the persistent
+  ** cache size stored on the disk so the cache size will revert
+  ** to its default value when the database is closed and reopened.
+  ** N should be a positive integer.
+  */
+  if( sqlite3StrICmp(zLeft,"cache_size")==0 ){
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    if( !zRight ){
+      returnSingleInt(pParse, "cache_size", pDb->pSchema->cache_size);
+    }else{
+      int size = atoi(zRight);
+      if( size<0 ) size = -size;
+      pDb->pSchema->cache_size = size;
+      sqlite3BtreeSetCacheSize(pDb->pBt, pDb->pSchema->cache_size);
+    }
+  }else
+
+  /*
+  **   PRAGMA temp_store
+  **   PRAGMA temp_store = "default"|"memory"|"file"
+  **
+  ** Return or set the local value of the temp_store flag.  Changing
+  ** the local value does not make changes to the disk file and the default
+  ** value will be restored the next time the database is opened.
+  **
+  ** Note that it is possible for the library compile-time options to
+  ** override this setting
+  */
+  if( sqlite3StrICmp(zLeft, "temp_store")==0 ){
+    if( !zRight ){
+      returnSingleInt(pParse, "temp_store", db->temp_store);
+    }else{
+      changeTempStorage(pParse, zRight);
+    }
+  }else
+
+  /*
+  **   PRAGMA temp_store_directory
+  **   PRAGMA temp_store_directory = ""|"directory_name"
+  **
+  ** Return or set the local value of the temp_store_directory flag.  Changing
+  ** the value sets a specific directory to be used for temporary files.
+  ** Setting to a null string reverts to the default temporary directory search.
+  ** If temporary directory is changed, then invalidateTempStorage.
+  **
+  */
+  if( sqlite3StrICmp(zLeft, "temp_store_directory")==0 ){
+    if( !zRight ){
+      if( sqlite3_temp_directory ){
+        sqlite3VdbeSetNumCols(v, 1);
+        sqlite3VdbeSetColName(v, 0, COLNAME_NAME, 
+            "temp_store_directory", P3_STATIC);
+        sqlite3VdbeOp3(v, OP_String8, 0, 0, sqlite3_temp_directory, 0);
+        sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+      }
+    }else{
+      if( zRight[0] && !sqlite3OsIsDirWritable(zRight) ){
+        sqlite3ErrorMsg(pParse, "not a writable directory");
+        goto pragma_out;
+      }
+      if( TEMP_STORE==0
+       || (TEMP_STORE==1 && db->temp_store<=1)
+       || (TEMP_STORE==2 && db->temp_store==1)
+      ){
+        invalidateTempStorage(pParse);
+      }
+      sqliteFree(sqlite3_temp_directory);
+      if( zRight[0] ){
+        sqlite3_temp_directory = zRight;
+        zRight = 0;
+      }else{
+        sqlite3_temp_directory = 0;
+      }
+    }
+  }else
+
+  /*
+  **   PRAGMA [database.]synchronous
+  **   PRAGMA [database.]synchronous=OFF|ON|NORMAL|FULL
+  **
+  ** Return or set the local value of the synchronous flag.  Changing
+  ** the local value does not make changes to the disk file and the
+  ** default value will be restored the next time the database is
+  ** opened.
+  */
+  if( sqlite3StrICmp(zLeft,"synchronous")==0 ){
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    if( !zRight ){
+      returnSingleInt(pParse, "synchronous", pDb->safety_level-1);
+    }else{
+      if( !db->autoCommit ){
+        sqlite3ErrorMsg(pParse, 
+            "Safety level may not be changed inside a transaction");
+      }else{
+        pDb->safety_level = getSafetyLevel(zRight)+1;
+      }
+    }
+  }else
+#endif /* SQLITE_OMIT_PAGER_PRAGMAS */
+
+#ifndef SQLITE_OMIT_FLAG_PRAGMAS
+  if( flagPragma(pParse, zLeft, zRight) ){
+    /* The flagPragma() subroutine also generates any necessary code
+    ** there is nothing more to do here */
+  }else
+#endif /* SQLITE_OMIT_FLAG_PRAGMAS */
+
+#ifndef SQLITE_OMIT_SCHEMA_PRAGMAS
+  /*
+  **   PRAGMA table_info(<table>)
+  **
+  ** Return a single row for each column of the named table. The columns of
+  ** the returned data set are:
+  **
+  ** cid:        Column id (numbered from left to right, starting at 0)
+  ** name:       Column name
+  ** type:       Column declaration type.
+  ** notnull:    True if 'NOT NULL' is part of column declaration
+  ** dflt_value: The default value for the column, if any.
+  */
+  if( sqlite3StrICmp(zLeft, "table_info")==0 && zRight ){
+    Table *pTab;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    pTab = sqlite3FindTable(db, zRight, zDb);
+    if( pTab ){
+      int i;
+      Column *pCol;
+      sqlite3VdbeSetNumCols(v, 6);
+      sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "cid", P3_STATIC);
+      sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "name", P3_STATIC);
+      sqlite3VdbeSetColName(v, 2, COLNAME_NAME, "type", P3_STATIC);
+      sqlite3VdbeSetColName(v, 3, COLNAME_NAME, "notnull", P3_STATIC);
+      sqlite3VdbeSetColName(v, 4, COLNAME_NAME, "dflt_value", P3_STATIC);
+      sqlite3VdbeSetColName(v, 5, COLNAME_NAME, "pk", P3_STATIC);
+      sqlite3ViewGetColumnNames(pParse, pTab);
+      for(i=0, pCol=pTab->aCol; i<pTab->nCol; i++, pCol++){
+        const Token *pDflt;
+        sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+        sqlite3VdbeOp3(v, OP_String8, 0, 0, pCol->zName, 0);
+        sqlite3VdbeOp3(v, OP_String8, 0, 0,
+           pCol->zType ? pCol->zType : "", 0);
+        sqlite3VdbeAddOp(v, OP_Integer, pCol->notNull, 0);
+        if( pCol->pDflt && (pDflt = &pCol->pDflt->span)->z ){
+          sqlite3VdbeOp3(v, OP_String8, 0, 0, (char*)pDflt->z, pDflt->n);
+        }else{
+          sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+        }
+        sqlite3VdbeAddOp(v, OP_Integer, pCol->isPrimKey, 0);
+        sqlite3VdbeAddOp(v, OP_Callback, 6, 0);
+      }
+    }
+  }else
+
+  if( sqlite3StrICmp(zLeft, "index_info")==0 && zRight ){
+    Index *pIdx;
+    Table *pTab;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    pIdx = sqlite3FindIndex(db, zRight, zDb);
+    if( pIdx ){
+      int i;
+      pTab = pIdx->pTable;
+      sqlite3VdbeSetNumCols(v, 3);
+      sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "seqno", P3_STATIC);
+      sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "cid", P3_STATIC);
+      sqlite3VdbeSetColName(v, 2, COLNAME_NAME, "name", P3_STATIC);
+      for(i=0; i<pIdx->nColumn; i++){
+        int cnum = pIdx->aiColumn[i];
+        sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+        sqlite3VdbeAddOp(v, OP_Integer, cnum, 0);
+        assert( pTab->nCol>cnum );
+        sqlite3VdbeOp3(v, OP_String8, 0, 0, pTab->aCol[cnum].zName, 0);
+        sqlite3VdbeAddOp(v, OP_Callback, 3, 0);
+      }
+    }
+  }else
+
+  if( sqlite3StrICmp(zLeft, "index_list")==0 && zRight ){
+    Index *pIdx;
+    Table *pTab;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    pTab = sqlite3FindTable(db, zRight, zDb);
+    if( pTab ){
+      v = sqlite3GetVdbe(pParse);
+      pIdx = pTab->pIndex;
+      if( pIdx ){
+        int i = 0; 
+        sqlite3VdbeSetNumCols(v, 3);
+        sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "seq", P3_STATIC);
+        sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "name", P3_STATIC);
+        sqlite3VdbeSetColName(v, 2, COLNAME_NAME, "unique", P3_STATIC);
+        while(pIdx){
+          sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+          sqlite3VdbeOp3(v, OP_String8, 0, 0, pIdx->zName, 0);
+          sqlite3VdbeAddOp(v, OP_Integer, pIdx->onError!=OE_None, 0);
+          sqlite3VdbeAddOp(v, OP_Callback, 3, 0);
+          ++i;
+          pIdx = pIdx->pNext;
+        }
+      }
+    }
+  }else
+
+  if( sqlite3StrICmp(zLeft, "database_list")==0 ){
+    int i;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    sqlite3VdbeSetNumCols(v, 3);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "seq", P3_STATIC);
+    sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "name", P3_STATIC);
+    sqlite3VdbeSetColName(v, 2, COLNAME_NAME, "file", P3_STATIC);
+    for(i=0; i<db->nDb; i++){
+      if( db->aDb[i].pBt==0 ) continue;
+      assert( db->aDb[i].zName!=0 );
+      sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+      sqlite3VdbeOp3(v, OP_String8, 0, 0, db->aDb[i].zName, 0);
+      sqlite3VdbeOp3(v, OP_String8, 0, 0,
+           sqlite3BtreeGetFilename(db->aDb[i].pBt), 0);
+      sqlite3VdbeAddOp(v, OP_Callback, 3, 0);
+    }
+  }else
+
+  if( sqlite3StrICmp(zLeft, "collation_list")==0 ){
+    int i = 0;
+    HashElem *p;
+    sqlite3VdbeSetNumCols(v, 2);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "seq", P3_STATIC);
+    sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "name", P3_STATIC);
+    for(p=sqliteHashFirst(&db->aCollSeq); p; p=sqliteHashNext(p)){
+      CollSeq *pColl = (CollSeq *)sqliteHashData(p);
+      sqlite3VdbeAddOp(v, OP_Integer, i++, 0);
+      sqlite3VdbeOp3(v, OP_String8, 0, 0, pColl->zName, 0);
+      sqlite3VdbeAddOp(v, OP_Callback, 2, 0);
+    }
+  }else
+#endif /* SQLITE_OMIT_SCHEMA_PRAGMAS */
+
+#ifndef SQLITE_OMIT_FOREIGN_KEY
+  if( sqlite3StrICmp(zLeft, "foreign_key_list")==0 && zRight ){
+    FKey *pFK;
+    Table *pTab;
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    pTab = sqlite3FindTable(db, zRight, zDb);
+    if( pTab ){
+      v = sqlite3GetVdbe(pParse);
+      pFK = pTab->pFKey;
+      if( pFK ){
+        int i = 0; 
+        sqlite3VdbeSetNumCols(v, 5);
+        sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "id", P3_STATIC);
+        sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "seq", P3_STATIC);
+        sqlite3VdbeSetColName(v, 2, COLNAME_NAME, "table", P3_STATIC);
+        sqlite3VdbeSetColName(v, 3, COLNAME_NAME, "from", P3_STATIC);
+        sqlite3VdbeSetColName(v, 4, COLNAME_NAME, "to", P3_STATIC);
+        while(pFK){
+          int j;
+          for(j=0; j<pFK->nCol; j++){
+            char *zCol = pFK->aCol[j].zCol;
+            sqlite3VdbeAddOp(v, OP_Integer, i, 0);
+            sqlite3VdbeAddOp(v, OP_Integer, j, 0);
+            sqlite3VdbeOp3(v, OP_String8, 0, 0, pFK->zTo, 0);
+            sqlite3VdbeOp3(v, OP_String8, 0, 0,
+                             pTab->aCol[pFK->aCol[j].iFrom].zName, 0);
+            sqlite3VdbeOp3(v, zCol ? OP_String8 : OP_Null, 0, 0, zCol, 0);
+            sqlite3VdbeAddOp(v, OP_Callback, 5, 0);
+          }
+          ++i;
+          pFK = pFK->pNextFrom;
+        }
+      }
+    }
+  }else
+#endif /* !defined(SQLITE_OMIT_FOREIGN_KEY) */
+
+#ifndef NDEBUG
+  if( sqlite3StrICmp(zLeft, "parser_trace")==0 ){
+    extern void sqlite3ParserTrace(FILE*, char *);
+    if( zRight ){
+      if( getBoolean(zRight) ){
+        sqlite3ParserTrace(stderr, "parser: ");
+      }else{
+        sqlite3ParserTrace(0, 0);
+      }
+    }
+  }else
+#endif
+
+  /* Reinstall the LIKE and GLOB functions.  The variant of LIKE
+  ** used will be case sensitive or not depending on the RHS.
+  */
+  if( sqlite3StrICmp(zLeft, "case_sensitive_like")==0 ){
+    if( zRight ){
+      sqlite3RegisterLikeFunctions(db, getBoolean(zRight));
+    }
+  }else
+
+#ifndef SQLITE_INTEGRITY_CHECK_ERROR_MAX
+# define SQLITE_INTEGRITY_CHECK_ERROR_MAX 100
+#endif
+
+#ifndef SQLITE_OMIT_INTEGRITY_CHECK
+  if( sqlite3StrICmp(zLeft, "integrity_check")==0 ){
+    int i, j, addr, mxErr;
+
+    /* Code that appears at the end of the integrity check.  If no error
+    ** messages have been generated, output OK.  Otherwise output the
+    ** error message
+    */
+    static const VdbeOpList endCode[] = {
+      { OP_MemLoad,     0, 0,        0},
+      { OP_Integer,     0, 0,        0},
+      { OP_Ne,          0, 0,        0},    /* 2 */
+      { OP_String8,     0, 0,        "ok"},
+      { OP_Callback,    1, 0,        0},
+    };
+
+    /* Initialize the VDBE program */
+    if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "integrity_check", P3_STATIC);
+
+    /* Set the maximum error count */
+    mxErr = SQLITE_INTEGRITY_CHECK_ERROR_MAX;
+    if( zRight ){
+      mxErr = atoi(zRight);
+      if( mxErr<=0 ){
+        mxErr = SQLITE_INTEGRITY_CHECK_ERROR_MAX;
+      }
+    }
+    sqlite3VdbeAddOp(v, OP_MemInt, mxErr, 0);
+
+    /* Do an integrity check on each database file */
+    for(i=0; i<db->nDb; i++){
+      HashElem *x;
+      Hash *pTbls;
+      int cnt = 0;
+
+      if( OMIT_TEMPDB && i==1 ) continue;
+
+      sqlite3CodeVerifySchema(pParse, i);
+      addr = sqlite3VdbeAddOp(v, OP_IfMemPos, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Halt, 0, 0);
+      sqlite3VdbeJumpHere(v, addr);
+
+      /* Do an integrity check of the B-Tree
+      */
+      pTbls = &db->aDb[i].pSchema->tblHash;
+      for(x=sqliteHashFirst(pTbls); x; x=sqliteHashNext(x)){
+        Table *pTab = sqliteHashData(x);
+        Index *pIdx;
+        sqlite3VdbeAddOp(v, OP_Integer, pTab->tnum, 0);
+        cnt++;
+        for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+          sqlite3VdbeAddOp(v, OP_Integer, pIdx->tnum, 0);
+          cnt++;
+        }
+      }
+      if( cnt==0 ) continue;
+      sqlite3VdbeAddOp(v, OP_IntegrityCk, 0, i);
+      addr = sqlite3VdbeAddOp(v, OP_IsNull, -1, 0);
+      sqlite3VdbeOp3(v, OP_String8, 0, 0,
+         sqlite3MPrintf("*** in database %s ***\n", db->aDb[i].zName),
+         P3_DYNAMIC);
+      sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Concat, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+      sqlite3VdbeJumpHere(v, addr);
+
+      /* Make sure all the indices are constructed correctly.
+      */
+      for(x=sqliteHashFirst(pTbls); x; x=sqliteHashNext(x)){
+        Table *pTab = sqliteHashData(x);
+        Index *pIdx;
+        int loopTop;
+
+        if( pTab->pIndex==0 ) continue;
+        addr = sqlite3VdbeAddOp(v, OP_IfMemPos, 0, 0);
+        sqlite3VdbeAddOp(v, OP_Halt, 0, 0);
+        sqlite3VdbeJumpHere(v, addr);
+        sqlite3OpenTableAndIndices(pParse, pTab, 1, OP_OpenRead);
+        sqlite3VdbeAddOp(v, OP_MemInt, 0, 1);
+        loopTop = sqlite3VdbeAddOp(v, OP_Rewind, 1, 0);
+        sqlite3VdbeAddOp(v, OP_MemIncr, 1, 1);
+        for(j=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, j++){
+          int jmp2;
+          static const VdbeOpList idxErr[] = {
+            { OP_MemIncr,    -1,  0,  0},
+            { OP_String8,     0,  0,  "rowid "},
+            { OP_Rowid,       1,  0,  0},
+            { OP_String8,     0,  0,  " missing from index "},
+            { OP_String8,     0,  0,  0},    /* 4 */
+            { OP_Concat,      2,  0,  0},
+            { OP_Callback,    1,  0,  0},
+          };
+          sqlite3GenerateIndexKey(v, pIdx, 1);
+          jmp2 = sqlite3VdbeAddOp(v, OP_Found, j+2, 0);
+          addr = sqlite3VdbeAddOpList(v, ArraySize(idxErr), idxErr);
+          sqlite3VdbeChangeP3(v, addr+4, pIdx->zName, P3_STATIC);
+          sqlite3VdbeJumpHere(v, jmp2);
+        }
+        sqlite3VdbeAddOp(v, OP_Next, 1, loopTop+1);
+        sqlite3VdbeJumpHere(v, loopTop);
+        for(j=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, j++){
+          static const VdbeOpList cntIdx[] = {
+             { OP_MemInt,       0,  2,  0},
+             { OP_Rewind,       0,  0,  0},  /* 1 */
+             { OP_MemIncr,      1,  2,  0},
+             { OP_Next,         0,  0,  0},  /* 3 */
+             { OP_MemLoad,      1,  0,  0},
+             { OP_MemLoad,      2,  0,  0},
+             { OP_Eq,           0,  0,  0},  /* 6 */
+             { OP_MemIncr,     -1,  0,  0},
+             { OP_String8,      0,  0,  "wrong # of entries in index "},
+             { OP_String8,      0,  0,  0},  /* 9 */
+             { OP_Concat,       0,  0,  0},
+             { OP_Callback,     1,  0,  0},
+          };
+          if( pIdx->tnum==0 ) continue;
+          addr = sqlite3VdbeAddOp(v, OP_IfMemPos, 0, 0);
+          sqlite3VdbeAddOp(v, OP_Halt, 0, 0);
+          sqlite3VdbeJumpHere(v, addr);
+          addr = sqlite3VdbeAddOpList(v, ArraySize(cntIdx), cntIdx);
+          sqlite3VdbeChangeP1(v, addr+1, j+2);
+          sqlite3VdbeChangeP2(v, addr+1, addr+4);
+          sqlite3VdbeChangeP1(v, addr+3, j+2);
+          sqlite3VdbeChangeP2(v, addr+3, addr+2);
+          sqlite3VdbeJumpHere(v, addr+6);
+          sqlite3VdbeChangeP3(v, addr+9, pIdx->zName, P3_STATIC);
+        }
+      } 
+    }
+    addr = sqlite3VdbeAddOpList(v, ArraySize(endCode), endCode);
+    sqlite3VdbeChangeP1(v, addr+1, mxErr);
+    sqlite3VdbeJumpHere(v, addr+2);
+  }else
+#endif /* SQLITE_OMIT_INTEGRITY_CHECK */
+
+#ifndef SQLITE_OMIT_UTF16
+  /*
+  **   PRAGMA encoding
+  **   PRAGMA encoding = "utf-8"|"utf-16"|"utf-16le"|"utf-16be"
+  **
+  ** In it's first form, this pragma returns the encoding of the main
+  ** database. If the database is not initialized, it is initialized now.
+  **
+  ** The second form of this pragma is a no-op if the main database file
+  ** has not already been initialized. In this case it sets the default
+  ** encoding that will be used for the main database file if a new file
+  ** is created. If an existing main database file is opened, then the
+  ** default text encoding for the existing database is used.
+  ** 
+  ** In all cases new databases created using the ATTACH command are
+  ** created to use the same default text encoding as the main database. If
+  ** the main database has not been initialized and/or created when ATTACH
+  ** is executed, this is done before the ATTACH operation.
+  **
+  ** In the second form this pragma sets the text encoding to be used in
+  ** new database files created using this database handle. It is only
+  ** useful if invoked immediately after the main database i
+  */
+  if( sqlite3StrICmp(zLeft, "encoding")==0 ){
+    static const struct EncName {
+      char *zName;
+      u8 enc;
+    } encnames[] = {
+      { "UTF-8",    SQLITE_UTF8        },
+      { "UTF8",     SQLITE_UTF8        },
+      { "UTF-16le", SQLITE_UTF16LE     },
+      { "UTF16le",  SQLITE_UTF16LE     },
+      { "UTF-16be", SQLITE_UTF16BE     },
+      { "UTF16be",  SQLITE_UTF16BE     },
+      { "UTF-16",   0                  }, /* SQLITE_UTF16NATIVE */
+      { "UTF16",    0                  }, /* SQLITE_UTF16NATIVE */
+      { 0, 0 }
+    };
+    const struct EncName *pEnc;
+    if( !zRight ){    /* "PRAGMA encoding" */
+      if( sqlite3ReadSchema(pParse) ) goto pragma_out;
+      sqlite3VdbeSetNumCols(v, 1);
+      sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "encoding", P3_STATIC);
+      sqlite3VdbeAddOp(v, OP_String8, 0, 0);
+      for(pEnc=&encnames[0]; pEnc->zName; pEnc++){
+        if( pEnc->enc==ENC(pParse->db) ){
+          sqlite3VdbeChangeP3(v, -1, pEnc->zName, P3_STATIC);
+          break;
+        }
+      }
+      sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+    }else{                        /* "PRAGMA encoding = XXX" */
+      /* Only change the value of sqlite.enc if the database handle is not
+      ** initialized. If the main database exists, the new sqlite.enc value
+      ** will be overwritten when the schema is next loaded. If it does not
+      ** already exists, it will be created to use the new encoding value.
+      */
+      if( 
+        !(DbHasProperty(db, 0, DB_SchemaLoaded)) || 
+        DbHasProperty(db, 0, DB_Empty) 
+      ){
+        for(pEnc=&encnames[0]; pEnc->zName; pEnc++){
+          if( 0==sqlite3StrICmp(zRight, pEnc->zName) ){
+            ENC(pParse->db) = pEnc->enc ? pEnc->enc : SQLITE_UTF16NATIVE;
+            break;
+          }
+        }
+        if( !pEnc->zName ){
+          sqlite3ErrorMsg(pParse, "unsupported encoding: %s", zRight);
+        }
+      }
+    }
+  }else
+#endif /* SQLITE_OMIT_UTF16 */
+
+#ifndef SQLITE_OMIT_SCHEMA_VERSION_PRAGMAS
+  /*
+  **   PRAGMA [database.]schema_version
+  **   PRAGMA [database.]schema_version = <integer>
+  **
+  **   PRAGMA [database.]user_version
+  **   PRAGMA [database.]user_version = <integer>
+  **
+  ** The pragma's schema_version and user_version are used to set or get
+  ** the value of the schema-version and user-version, respectively. Both
+  ** the schema-version and the user-version are 32-bit signed integers
+  ** stored in the database header.
+  **
+  ** The schema-cookie is usually only manipulated internally by SQLite. It
+  ** is incremented by SQLite whenever the database schema is modified (by
+  ** creating or dropping a table or index). The schema version is used by
+  ** SQLite each time a query is executed to ensure that the internal cache
+  ** of the schema used when compiling the SQL query matches the schema of
+  ** the database against which the compiled query is actually executed.
+  ** Subverting this mechanism by using "PRAGMA schema_version" to modify
+  ** the schema-version is potentially dangerous and may lead to program
+  ** crashes or database corruption. Use with caution!
+  **
+  ** The user-version is not used internally by SQLite. It may be used by
+  ** applications for any purpose.
+  */
+  if( sqlite3StrICmp(zLeft, "schema_version")==0 ||
+      sqlite3StrICmp(zLeft, "user_version")==0 ){
+
+    int iCookie;   /* Cookie index. 0 for schema-cookie, 6 for user-cookie. */
+    if( zLeft[0]=='s' || zLeft[0]=='S' ){
+      iCookie = 0;
+    }else{
+      iCookie = 5;
+    }
+
+    if( zRight ){
+      /* Write the specified cookie value */
+      static const VdbeOpList setCookie[] = {
+        { OP_Transaction,    0,  1,  0},    /* 0 */
+        { OP_Integer,        0,  0,  0},    /* 1 */
+        { OP_SetCookie,      0,  0,  0},    /* 2 */
+      };
+      int addr = sqlite3VdbeAddOpList(v, ArraySize(setCookie), setCookie);
+      sqlite3VdbeChangeP1(v, addr, iDb);
+      sqlite3VdbeChangeP1(v, addr+1, atoi(zRight));
+      sqlite3VdbeChangeP1(v, addr+2, iDb);
+      sqlite3VdbeChangeP2(v, addr+2, iCookie);
+    }else{
+      /* Read the specified cookie value */
+      static const VdbeOpList readCookie[] = {
+        { OP_ReadCookie,      0,  0,  0},    /* 0 */
+        { OP_Callback,        1,  0,  0}
+      };
+      int addr = sqlite3VdbeAddOpList(v, ArraySize(readCookie), readCookie);
+      sqlite3VdbeChangeP1(v, addr, iDb);
+      sqlite3VdbeChangeP2(v, addr, iCookie);
+      sqlite3VdbeSetNumCols(v, 1);
+      sqlite3VdbeSetColName(v, 0, COLNAME_NAME, zLeft, P3_TRANSIENT);
+    }
+  }else
+#endif /* SQLITE_OMIT_SCHEMA_VERSION_PRAGMAS */
+
+#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST)
+  /*
+  ** Report the current state of file logs for all databases
+  */
+  if( sqlite3StrICmp(zLeft, "lock_status")==0 ){
+    static const char *const azLockName[] = {
+      "unlocked", "shared", "reserved", "pending", "exclusive"
+    };
+    int i;
+    Vdbe *v = sqlite3GetVdbe(pParse);
+    sqlite3VdbeSetNumCols(v, 2);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "database", P3_STATIC);
+    sqlite3VdbeSetColName(v, 1, COLNAME_NAME, "status", P3_STATIC);
+    for(i=0; i<db->nDb; i++){
+      Btree *pBt;
+      Pager *pPager;
+      if( db->aDb[i].zName==0 ) continue;
+      sqlite3VdbeOp3(v, OP_String8, 0, 0, db->aDb[i].zName, P3_STATIC);
+      pBt = db->aDb[i].pBt;
+      if( pBt==0 || (pPager = sqlite3BtreePager(pBt))==0 ){
+        sqlite3VdbeOp3(v, OP_String8, 0, 0, "closed", P3_STATIC);
+      }else{
+        int j = sqlite3PagerLockstate(pPager);
+        sqlite3VdbeOp3(v, OP_String8, 0, 0, 
+            (j>=0 && j<=4) ? azLockName[j] : "unknown", P3_STATIC);
+      }
+      sqlite3VdbeAddOp(v, OP_Callback, 2, 0);
+    }
+  }else
+#endif
+
+#ifdef SQLITE_SSE
+  /*
+  ** Check to see if the sqlite_statements table exists.  Create it
+  ** if it does not.
+  */
+  if( sqlite3StrICmp(zLeft, "create_sqlite_statement_table")==0 ){
+    extern int sqlite3CreateStatementsTable(Parse*);
+    sqlite3CreateStatementsTable(pParse);
+  }else
+#endif
+
+#if SQLITE_HAS_CODEC
+  if( sqlite3StrICmp(zLeft, "key")==0 ){
+    sqlite3_key(db, zRight, strlen(zRight));
+  }else
+#endif
+#if SQLITE_HAS_CODEC || defined(SQLITE_ENABLE_CEROD)
+  if( sqlite3StrICmp(zLeft, "activate_extensions")==0 ){
+#if SQLITE_HAS_CODEC
+    if( sqlite3StrNICmp(zRight, "see-", 4)==0 ){
+      extern void sqlite3_activate_see(const char*);
+      sqlite3_activate_see(&zRight[4]);
+    }
+#endif
+#ifdef SQLITE_ENABLE_CEROD
+    if( sqlite3StrNICmp(zRight, "cerod-", 6)==0 ){
+      extern void sqlite3_activate_cerod(const char*);
+      sqlite3_activate_cerod(&zRight[6]);
+    }
+#endif
+  }
+#endif
+
+  {}
+
+  if( v ){
+    /* Code an OP_Expire at the end of each PRAGMA program to cause
+    ** the VDBE implementing the pragma to expire. Most (all?) pragmas
+    ** are only valid for a single execution.
+    */
+    sqlite3VdbeAddOp(v, OP_Expire, 1, 0);
+
+    /*
+    ** Reset the safety level, in case the fullfsync flag or synchronous
+    ** setting changed.
+    */
+#ifndef SQLITE_OMIT_PAGER_PRAGMAS
+    if( db->autoCommit ){
+      sqlite3BtreeSetSafetyLevel(pDb->pBt, pDb->safety_level,
+                 (db->flags&SQLITE_FullFSync)!=0);
+    }
+#endif
+  }
+pragma_out:
+  sqliteFree(zLeft);
+  sqliteFree(zRight);
+}
+
+#endif /* SQLITE_OMIT_PRAGMA || SQLITE_OMIT_PARSER */
+
+/************** End of pragma.c **********************************************/
+/************** Begin file prepare.c *****************************************/
+/*
+** 2005 May 25
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains the implementation of the sqlite3_prepare()
+** interface, and routines that contribute to loading the database schema
+** from disk.
+**
+** $Id$
+*/
+
+/*
+** Fill the InitData structure with an error message that indicates
+** that the database is corrupt.
+*/
+static void corruptSchema(InitData *pData, const char *zExtra){
+  if( !sqlite3MallocFailed() ){
+    sqlite3SetString(pData->pzErrMsg, "malformed database schema",
+       zExtra!=0 && zExtra[0]!=0 ? " - " : (char*)0, zExtra, (char*)0);
+  }
+  pData->rc = SQLITE_CORRUPT;
+}
+
+/*
+** This is the callback routine for the code that initializes the
+** database.  See sqlite3Init() below for additional information.
+** This routine is also called from the OP_ParseSchema opcode of the VDBE.
+**
+** Each callback contains the following information:
+**
+**     argv[0] = name of thing being created
+**     argv[1] = root page number for table or index. 0 for trigger or view.
+**     argv[2] = SQL text for the CREATE statement.
+**
+*/
+int sqlite3InitCallback(void *pInit, int argc, char **argv, char **azColName){
+  InitData *pData = (InitData*)pInit;
+  sqlite3 *db = pData->db;
+  int iDb = pData->iDb;
+
+  pData->rc = SQLITE_OK;
+  DbClearProperty(db, iDb, DB_Empty);
+  if( sqlite3MallocFailed() ){
+    corruptSchema(pData, 0);
+    return SQLITE_NOMEM;
+  }
+
+  assert( argc==3 );
+  if( argv==0 ) return 0;   /* Might happen if EMPTY_RESULT_CALLBACKS are on */
+  if( argv[1]==0 ){
+    corruptSchema(pData, 0);
+    return 1;
+  }
+  assert( iDb>=0 && iDb<db->nDb );
+  if( argv[2] && argv[2][0] ){
+    /* Call the parser to process a CREATE TABLE, INDEX or VIEW.
+    ** But because db->init.busy is set to 1, no VDBE code is generated
+    ** or executed.  All the parser does is build the internal data
+    ** structures that describe the table, index, or view.
+    */
+    char *zErr;
+    int rc;
+    assert( db->init.busy );
+    db->init.iDb = iDb;
+    db->init.newTnum = atoi(argv[1]);
+    rc = sqlite3_exec(db, argv[2], 0, 0, &zErr);
+    db->init.iDb = 0;
+    assert( rc!=SQLITE_OK || zErr==0 );
+    if( SQLITE_OK!=rc ){
+      pData->rc = rc;
+      if( rc==SQLITE_NOMEM ){
+        sqlite3FailedMalloc();
+      }else if( rc!=SQLITE_INTERRUPT ){
+        corruptSchema(pData, zErr);
+      }
+      sqlite3_free(zErr);
+      return 1;
+    }
+  }else{
+    /* If the SQL column is blank it means this is an index that
+    ** was created to be the PRIMARY KEY or to fulfill a UNIQUE
+    ** constraint for a CREATE TABLE.  The index should have already
+    ** been created when we processed the CREATE TABLE.  All we have
+    ** to do here is record the root page number for that index.
+    */
+    Index *pIndex;
+    pIndex = sqlite3FindIndex(db, argv[0], db->aDb[iDb].zName);
+    if( pIndex==0 || pIndex->tnum!=0 ){
+      /* This can occur if there exists an index on a TEMP table which
+      ** has the same name as another index on a permanent index.  Since
+      ** the permanent table is hidden by the TEMP table, we can also
+      ** safely ignore the index on the permanent table.
+      */
+      /* Do Nothing */;
+    }else{
+      pIndex->tnum = atoi(argv[1]);
+    }
+  }
+  return 0;
+}
+
+/*
+** Attempt to read the database schema and initialize internal
+** data structures for a single database file.  The index of the
+** database file is given by iDb.  iDb==0 is used for the main
+** database.  iDb==1 should never be used.  iDb>=2 is used for
+** auxiliary databases.  Return one of the SQLITE_ error codes to
+** indicate success or failure.
+*/
+static int sqlite3InitOne(sqlite3 *db, int iDb, char **pzErrMsg){
+  int rc;
+  BtCursor *curMain;
+  int size;
+  Table *pTab;
+  Db *pDb;
+  char const *azArg[4];
+  int meta[10];
+  InitData initData;
+  char const *zMasterSchema;
+  char const *zMasterName = SCHEMA_TABLE(iDb);
+
+  /*
+  ** The master database table has a structure like this
+  */
+  static const char master_schema[] = 
+     "CREATE TABLE sqlite_master(\n"
+     "  type text,\n"
+     "  name text,\n"
+     "  tbl_name text,\n"
+     "  rootpage integer,\n"
+     "  sql text\n"
+     ")"
+  ;
+#ifndef SQLITE_OMIT_TEMPDB
+  static const char temp_master_schema[] = 
+     "CREATE TEMP TABLE sqlite_temp_master(\n"
+     "  type text,\n"
+     "  name text,\n"
+     "  tbl_name text,\n"
+     "  rootpage integer,\n"
+     "  sql text\n"
+     ")"
+  ;
+#else
+  #define temp_master_schema 0
+#endif
+
+  assert( iDb>=0 && iDb<db->nDb );
+  assert( db->aDb[iDb].pSchema );
+
+  /* zMasterSchema and zInitScript are set to point at the master schema
+  ** and initialisation script appropriate for the database being
+  ** initialised. zMasterName is the name of the master table.
+  */
+  if( !OMIT_TEMPDB && iDb==1 ){
+    zMasterSchema = temp_master_schema;
+  }else{
+    zMasterSchema = master_schema;
+  }
+  zMasterName = SCHEMA_TABLE(iDb);
+
+  /* Construct the schema tables.  */
+  sqlite3SafetyOff(db);
+  azArg[0] = zMasterName;
+  azArg[1] = "1";
+  azArg[2] = zMasterSchema;
+  azArg[3] = 0;
+  initData.db = db;
+  initData.iDb = iDb;
+  initData.pzErrMsg = pzErrMsg;
+  rc = sqlite3InitCallback(&initData, 3, (char **)azArg, 0);
+  if( rc ){
+    sqlite3SafetyOn(db);
+    return initData.rc;
+  }
+  pTab = sqlite3FindTable(db, zMasterName, db->aDb[iDb].zName);
+  if( pTab ){
+    pTab->readOnly = 1;
+  }
+  sqlite3SafetyOn(db);
+
+  /* Create a cursor to hold the database open
+  */
+  pDb = &db->aDb[iDb];
+  if( pDb->pBt==0 ){
+    if( !OMIT_TEMPDB && iDb==1 ){
+      DbSetProperty(db, 1, DB_SchemaLoaded);
+    }
+    return SQLITE_OK;
+  }
+  rc = sqlite3BtreeCursor(pDb->pBt, MASTER_ROOT, 0, 0, 0, &curMain);
+  if( rc!=SQLITE_OK && rc!=SQLITE_EMPTY ){
+    sqlite3SetString(pzErrMsg, sqlite3ErrStr(rc), (char*)0);
+    return rc;
+  }
+
+  /* Get the database meta information.
+  **
+  ** Meta values are as follows:
+  **    meta[0]   Schema cookie.  Changes with each schema change.
+  **    meta[1]   File format of schema layer.
+  **    meta[2]   Size of the page cache.
+  **    meta[3]   Use freelist if 0.  Autovacuum if greater than zero.
+  **    meta[4]   Db text encoding. 1:UTF-8 2:UTF-16LE 3:UTF-16BE
+  **    meta[5]   The user cookie. Used by the application.
+  **    meta[6]   
+  **    meta[7]
+  **    meta[8]
+  **    meta[9]
+  **
+  ** Note: The #defined SQLITE_UTF* symbols in sqliteInt.h correspond to
+  ** the possible values of meta[4].
+  */
+  if( rc==SQLITE_OK ){
+    int i;
+    for(i=0; rc==SQLITE_OK && i<sizeof(meta)/sizeof(meta[0]); i++){
+      rc = sqlite3BtreeGetMeta(pDb->pBt, i+1, (u32 *)&meta[i]);
+    }
+    if( rc ){
+      sqlite3SetString(pzErrMsg, sqlite3ErrStr(rc), (char*)0);
+      sqlite3BtreeCloseCursor(curMain);
+      return rc;
+    }
+  }else{
+    memset(meta, 0, sizeof(meta));
+  }
+  pDb->pSchema->schema_cookie = meta[0];
+
+  /* If opening a non-empty database, check the text encoding. For the
+  ** main database, set sqlite3.enc to the encoding of the main database.
+  ** For an attached db, it is an error if the encoding is not the same
+  ** as sqlite3.enc.
+  */
+  if( meta[4] ){  /* text encoding */
+    if( iDb==0 ){
+      /* If opening the main database, set ENC(db). */
+      ENC(db) = (u8)meta[4];
+      db->pDfltColl = sqlite3FindCollSeq(db, SQLITE_UTF8, "BINARY", 6, 0);
+    }else{
+      /* If opening an attached database, the encoding much match ENC(db) */
+      if( meta[4]!=ENC(db) ){
+        sqlite3BtreeCloseCursor(curMain);
+        sqlite3SetString(pzErrMsg, "attached databases must use the same"
+            " text encoding as main database", (char*)0);
+        return SQLITE_ERROR;
+      }
+    }
+  }else{
+    DbSetProperty(db, iDb, DB_Empty);
+  }
+  pDb->pSchema->enc = ENC(db);
+
+  size = meta[2];
+  if( size==0 ){ size = MAX_PAGES; }
+  pDb->pSchema->cache_size = size;
+  sqlite3BtreeSetCacheSize(pDb->pBt, pDb->pSchema->cache_size);
+
+  /*
+  ** file_format==1    Version 3.0.0.
+  ** file_format==2    Version 3.1.3.  // ALTER TABLE ADD COLUMN
+  ** file_format==3    Version 3.1.4.  // ditto but with non-NULL defaults
+  ** file_format==4    Version 3.3.0.  // DESC indices.  Boolean constants
+  */
+  pDb->pSchema->file_format = meta[1];
+  if( pDb->pSchema->file_format==0 ){
+    pDb->pSchema->file_format = 1;
+  }
+  if( pDb->pSchema->file_format>SQLITE_MAX_FILE_FORMAT ){
+    sqlite3BtreeCloseCursor(curMain);
+    sqlite3SetString(pzErrMsg, "unsupported file format", (char*)0);
+    return SQLITE_ERROR;
+  }
+
+
+  /* Read the schema information out of the schema tables
+  */
+  assert( db->init.busy );
+  if( rc==SQLITE_EMPTY ){
+    /* For an empty database, there is nothing to read */
+    rc = SQLITE_OK;
+  }else{
+    char *zSql;
+    zSql = sqlite3MPrintf(
+        "SELECT name, rootpage, sql FROM '%q'.%s",
+        db->aDb[iDb].zName, zMasterName);
+    sqlite3SafetyOff(db);
+    rc = sqlite3_exec(db, zSql, sqlite3InitCallback, &initData, 0);
+    if( rc==SQLITE_ABORT ) rc = initData.rc;
+    sqlite3SafetyOn(db);
+    sqliteFree(zSql);
+#ifndef SQLITE_OMIT_ANALYZE
+    if( rc==SQLITE_OK ){
+      sqlite3AnalysisLoad(db, iDb);
+    }
+#endif
+    sqlite3BtreeCloseCursor(curMain);
+  }
+  if( sqlite3MallocFailed() ){
+    /* sqlite3SetString(pzErrMsg, "out of memory", (char*)0); */
+    rc = SQLITE_NOMEM;
+    sqlite3ResetInternalSchema(db, 0);
+  }
+  if( rc==SQLITE_OK || (db->flags&SQLITE_RecoveryMode)){
+    /* Black magic: If the SQLITE_RecoveryMode flag is set, then consider
+    ** the schema loaded, even if errors occured. In this situation the 
+    ** current sqlite3_prepare() operation will fail, but the following one
+    ** will attempt to compile the supplied statement against whatever subset
+    ** of the schema was loaded before the error occured. The primary
+    ** purpose of this is to allow access to the sqlite_master table
+    ** even when it's contents have been corrupted.
+    */
+    DbSetProperty(db, iDb, DB_SchemaLoaded);
+    rc = SQLITE_OK;
+  }
+  return rc;
+}
+
+/*
+** Initialize all database files - the main database file, the file
+** used to store temporary tables, and any additional database files
+** created using ATTACH statements.  Return a success code.  If an
+** error occurs, write an error message into *pzErrMsg.
+**
+** After a database is initialized, the DB_SchemaLoaded bit is set
+** bit is set in the flags field of the Db structure. If the database
+** file was of zero-length, then the DB_Empty flag is also set.
+*/
+int sqlite3Init(sqlite3 *db, char **pzErrMsg){
+  int i, rc;
+  int called_initone = 0;
+  
+  if( db->init.busy ) return SQLITE_OK;
+  rc = SQLITE_OK;
+  db->init.busy = 1;
+  for(i=0; rc==SQLITE_OK && i<db->nDb; i++){
+    if( DbHasProperty(db, i, DB_SchemaLoaded) || i==1 ) continue;
+    rc = sqlite3InitOne(db, i, pzErrMsg);
+    if( rc ){
+      sqlite3ResetInternalSchema(db, i);
+    }
+    called_initone = 1;
+  }
+
+  /* Once all the other databases have been initialised, load the schema
+  ** for the TEMP database. This is loaded last, as the TEMP database
+  ** schema may contain references to objects in other databases.
+  */
+#ifndef SQLITE_OMIT_TEMPDB
+  if( rc==SQLITE_OK && db->nDb>1 && !DbHasProperty(db, 1, DB_SchemaLoaded) ){
+    rc = sqlite3InitOne(db, 1, pzErrMsg);
+    if( rc ){
+      sqlite3ResetInternalSchema(db, 1);
+    }
+    called_initone = 1;
+  }
+#endif
+
+  db->init.busy = 0;
+  if( rc==SQLITE_OK && called_initone ){
+    sqlite3CommitInternalChanges(db);
+  }
+
+  return rc; 
+}
+
+/*
+** This routine is a no-op if the database schema is already initialised.
+** Otherwise, the schema is loaded. An error code is returned.
+*/
+int sqlite3ReadSchema(Parse *pParse){
+  int rc = SQLITE_OK;
+  sqlite3 *db = pParse->db;
+  if( !db->init.busy ){
+    rc = sqlite3Init(db, &pParse->zErrMsg);
+  }
+  if( rc!=SQLITE_OK ){
+    pParse->rc = rc;
+    pParse->nErr++;
+  }
+  return rc;
+}
+
+
+/*
+** Check schema cookies in all databases.  If any cookie is out
+** of date, return 0.  If all schema cookies are current, return 1.
+*/
+static int schemaIsValid(sqlite3 *db){
+  int iDb;
+  int rc;
+  BtCursor *curTemp;
+  int cookie;
+  int allOk = 1;
+
+  for(iDb=0; allOk && iDb<db->nDb; iDb++){
+    Btree *pBt;
+    pBt = db->aDb[iDb].pBt;
+    if( pBt==0 ) continue;
+    rc = sqlite3BtreeCursor(pBt, MASTER_ROOT, 0, 0, 0, &curTemp);
+    if( rc==SQLITE_OK ){
+      rc = sqlite3BtreeGetMeta(pBt, 1, (u32 *)&cookie);
+      if( rc==SQLITE_OK && cookie!=db->aDb[iDb].pSchema->schema_cookie ){
+        allOk = 0;
+      }
+      sqlite3BtreeCloseCursor(curTemp);
+    }
+  }
+  return allOk;
+}
+
+/*
+** Convert a schema pointer into the iDb index that indicates
+** which database file in db->aDb[] the schema refers to.
+**
+** If the same database is attached more than once, the first
+** attached database is returned.
+*/
+int sqlite3SchemaToIndex(sqlite3 *db, Schema *pSchema){
+  int i = -1000000;
+
+  /* If pSchema is NULL, then return -1000000. This happens when code in 
+  ** expr.c is trying to resolve a reference to a transient table (i.e. one
+  ** created by a sub-select). In this case the return value of this 
+  ** function should never be used.
+  **
+  ** We return -1000000 instead of the more usual -1 simply because using
+  ** -1000000 as incorrectly using -1000000 index into db->aDb[] is much 
+  ** more likely to cause a segfault than -1 (of course there are assert()
+  ** statements too, but it never hurts to play the odds).
+  */
+  if( pSchema ){
+    for(i=0; i<db->nDb; i++){
+      if( db->aDb[i].pSchema==pSchema ){
+        break;
+      }
+    }
+    assert( i>=0 &&i>=0 &&  i<db->nDb );
+  }
+  return i;
+}
+
+/*
+** Compile the UTF-8 encoded SQL statement zSql into a statement handle.
+*/
+int sqlite3Prepare(
+  sqlite3 *db,              /* Database handle. */
+  const char *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  int saveSqlFlag,          /* True to copy SQL text into the sqlite3_stmt */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const char **pzTail       /* OUT: End of parsed string */
+){
+  Parse sParse;
+  char *zErrMsg = 0;
+  int rc = SQLITE_OK;
+  int i;
+
+  /* Assert that malloc() has not failed */
+  assert( !sqlite3MallocFailed() );
+
+  assert( ppStmt );
+  *ppStmt = 0;
+  if( sqlite3SafetyOn(db) ){
+    return SQLITE_MISUSE;
+  }
+
+  /* If any attached database schemas are locked, do not proceed with
+  ** compilation. Instead return SQLITE_LOCKED immediately.
+  */
+  for(i=0; i<db->nDb; i++) {
+    Btree *pBt = db->aDb[i].pBt;
+    if( pBt && sqlite3BtreeSchemaLocked(pBt) ){
+      const char *zDb = db->aDb[i].zName;
+      sqlite3Error(db, SQLITE_LOCKED, "database schema is locked: %s", zDb);
+      sqlite3SafetyOff(db);
+      return SQLITE_LOCKED;
+    }
+  }
+  
+  memset(&sParse, 0, sizeof(sParse));
+  sParse.db = db;
+  if( nBytes>=0 && zSql[nBytes]!=0 ){
+    char *zSqlCopy = sqlite3StrNDup(zSql, nBytes);
+    sqlite3RunParser(&sParse, zSqlCopy, &zErrMsg);
+    sParse.zTail += zSql - zSqlCopy;
+    sqliteFree(zSqlCopy);
+  }else{
+    sqlite3RunParser(&sParse, zSql, &zErrMsg);
+  }
+
+  if( sqlite3MallocFailed() ){
+    sParse.rc = SQLITE_NOMEM;
+  }
+  if( sParse.rc==SQLITE_DONE ) sParse.rc = SQLITE_OK;
+  if( sParse.checkSchema && !schemaIsValid(db) ){
+    sParse.rc = SQLITE_SCHEMA;
+  }
+  if( sParse.rc==SQLITE_SCHEMA ){
+    sqlite3ResetInternalSchema(db, 0);
+  }
+  if( sqlite3MallocFailed() ){
+    sParse.rc = SQLITE_NOMEM;
+  }
+  if( pzTail ){
+    *pzTail = sParse.zTail;
+  }
+  rc = sParse.rc;
+
+#ifndef SQLITE_OMIT_EXPLAIN
+  if( rc==SQLITE_OK && sParse.pVdbe && sParse.explain ){
+    if( sParse.explain==2 ){
+      sqlite3VdbeSetNumCols(sParse.pVdbe, 3);
+      sqlite3VdbeSetColName(sParse.pVdbe, 0, COLNAME_NAME, "order", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 1, COLNAME_NAME, "from", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 2, COLNAME_NAME, "detail", P3_STATIC);
+    }else{
+      sqlite3VdbeSetNumCols(sParse.pVdbe, 5);
+      sqlite3VdbeSetColName(sParse.pVdbe, 0, COLNAME_NAME, "addr", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 1, COLNAME_NAME, "opcode", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 2, COLNAME_NAME, "p1", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 3, COLNAME_NAME, "p2", P3_STATIC);
+      sqlite3VdbeSetColName(sParse.pVdbe, 4, COLNAME_NAME, "p3", P3_STATIC);
+    }
+  }
+#endif
+
+  if( sqlite3SafetyOff(db) ){
+    rc = SQLITE_MISUSE;
+  }
+
+  if( saveSqlFlag ){
+    sqlite3VdbeSetSql(sParse.pVdbe, zSql, sParse.zTail - zSql);
+  }
+  if( rc!=SQLITE_OK || sqlite3MallocFailed() ){
+    sqlite3_finalize((sqlite3_stmt*)sParse.pVdbe);
+    assert(!(*ppStmt));
+  }else{
+    *ppStmt = (sqlite3_stmt*)sParse.pVdbe;
+  }
+
+  if( zErrMsg ){
+    sqlite3Error(db, rc, "%s", zErrMsg);
+    sqliteFree(zErrMsg);
+  }else{
+    sqlite3Error(db, rc, 0);
+  }
+
+  rc = sqlite3ApiExit(db, rc);
+  sqlite3ReleaseThreadData();
+  assert( (rc&db->errMask)==rc );
+  return rc;
+}
+
+/*
+** Rerun the compilation of a statement after a schema change.
+** Return true if the statement was recompiled successfully.
+** Return false if there is an error of some kind.
+*/
+int sqlite3Reprepare(Vdbe *p){
+  int rc;
+  sqlite3_stmt *pNew;
+  const char *zSql;
+  sqlite3 *db;
+  
+  zSql = sqlite3VdbeGetSql(p);
+  if( zSql==0 ){
+    return 0;
+  }
+  db = sqlite3VdbeDb(p);
+  rc = sqlite3Prepare(db, zSql, -1, 0, &pNew, 0);
+  if( rc ){
+    assert( pNew==0 );
+    return 0;
+  }else{
+    assert( pNew!=0 );
+  }
+  sqlite3VdbeSwap((Vdbe*)pNew, p);
+  sqlite3_transfer_bindings(pNew, (sqlite3_stmt*)p);
+  sqlite3VdbeResetStepResult((Vdbe*)pNew);
+  sqlite3VdbeFinalize((Vdbe*)pNew);
+  return 1;
+}
+
+
+/*
+** Two versions of the official API.  Legacy and new use.  In the legacy
+** version, the original SQL text is not saved in the prepared statement
+** and so if a schema change occurs, SQLITE_SCHEMA is returned by
+** sqlite3_step().  In the new version, the original SQL text is retained
+** and the statement is automatically recompiled if an schema change
+** occurs.
+*/
+int sqlite3_prepare(
+  sqlite3 *db,              /* Database handle. */
+  const char *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const char **pzTail       /* OUT: End of parsed string */
+){
+  return sqlite3Prepare(db,zSql,nBytes,0,ppStmt,pzTail);
+}
+int sqlite3_prepare_v2(
+  sqlite3 *db,              /* Database handle. */
+  const char *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const char **pzTail       /* OUT: End of parsed string */
+){
+  return sqlite3Prepare(db,zSql,nBytes,1,ppStmt,pzTail);
+}
+
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Compile the UTF-16 encoded SQL statement zSql into a statement handle.
+*/
+static int sqlite3Prepare16(
+  sqlite3 *db,              /* Database handle. */ 
+  const void *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  int saveSqlFlag,          /* True to save SQL text into the sqlite3_stmt */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const void **pzTail       /* OUT: End of parsed string */
+){
+  /* This function currently works by first transforming the UTF-16
+  ** encoded string to UTF-8, then invoking sqlite3_prepare(). The
+  ** tricky bit is figuring out the pointer to return in *pzTail.
+  */
+  char *zSql8;
+  const char *zTail8 = 0;
+  int rc = SQLITE_OK;
+
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  zSql8 = sqlite3utf16to8(zSql, nBytes);
+  if( zSql8 ){
+    rc = sqlite3Prepare(db, zSql8, -1, saveSqlFlag, ppStmt, &zTail8);
+  }
+
+  if( zTail8 && pzTail ){
+    /* If sqlite3_prepare returns a tail pointer, we calculate the
+    ** equivalent pointer into the UTF-16 string by counting the unicode
+    ** characters between zSql8 and zTail8, and then returning a pointer
+    ** the same number of characters into the UTF-16 string.
+    */
+    int chars_parsed = sqlite3utf8CharLen(zSql8, zTail8-zSql8);
+    *pzTail = (u8 *)zSql + sqlite3utf16ByteLen(zSql, chars_parsed);
+  }
+  sqliteFree(zSql8); 
+  return sqlite3ApiExit(db, rc);
+}
+
+/*
+** Two versions of the official API.  Legacy and new use.  In the legacy
+** version, the original SQL text is not saved in the prepared statement
+** and so if a schema change occurs, SQLITE_SCHEMA is returned by
+** sqlite3_step().  In the new version, the original SQL text is retained
+** and the statement is automatically recompiled if an schema change
+** occurs.
+*/
+int sqlite3_prepare16(
+  sqlite3 *db,              /* Database handle. */ 
+  const void *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const void **pzTail       /* OUT: End of parsed string */
+){
+  return sqlite3Prepare16(db,zSql,nBytes,0,ppStmt,pzTail);
+}
+int sqlite3_prepare16_v2(
+  sqlite3 *db,              /* Database handle. */ 
+  const void *zSql,         /* UTF-8 encoded SQL statement. */
+  int nBytes,               /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,    /* OUT: A pointer to the prepared statement */
+  const void **pzTail       /* OUT: End of parsed string */
+){
+  return sqlite3Prepare16(db,zSql,nBytes,1,ppStmt,pzTail);
+}
+
+#endif /* SQLITE_OMIT_UTF16 */
+
+/************** End of prepare.c *********************************************/
+/************** Begin file select.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that are called by the parser
+** to handle SELECT statements in SQLite.
+**
+** $Id$
+*/
+
+
+/*
+** Delete all the content of a Select structure but do not deallocate
+** the select structure itself.
+*/
+static void clearSelect(Select *p){
+  sqlite3ExprListDelete(p->pEList);
+  sqlite3SrcListDelete(p->pSrc);
+  sqlite3ExprDelete(p->pWhere);
+  sqlite3ExprListDelete(p->pGroupBy);
+  sqlite3ExprDelete(p->pHaving);
+  sqlite3ExprListDelete(p->pOrderBy);
+  sqlite3SelectDelete(p->pPrior);
+  sqlite3ExprDelete(p->pLimit);
+  sqlite3ExprDelete(p->pOffset);
+}
+
+
+/*
+** Allocate a new Select structure and return a pointer to that
+** structure.
+*/
+Select *sqlite3SelectNew(
+  ExprList *pEList,     /* which columns to include in the result */
+  SrcList *pSrc,        /* the FROM clause -- which tables to scan */
+  Expr *pWhere,         /* the WHERE clause */
+  ExprList *pGroupBy,   /* the GROUP BY clause */
+  Expr *pHaving,        /* the HAVING clause */
+  ExprList *pOrderBy,   /* the ORDER BY clause */
+  int isDistinct,       /* true if the DISTINCT keyword is present */
+  Expr *pLimit,         /* LIMIT value.  NULL means not used */
+  Expr *pOffset         /* OFFSET value.  NULL means no offset */
+){
+  Select *pNew;
+  Select standin;
+  pNew = sqliteMalloc( sizeof(*pNew) );
+  assert( !pOffset || pLimit );   /* Can't have OFFSET without LIMIT. */
+  if( pNew==0 ){
+    pNew = &standin;
+    memset(pNew, 0, sizeof(*pNew));
+  }
+  if( pEList==0 ){
+    pEList = sqlite3ExprListAppend(0, sqlite3Expr(TK_ALL,0,0,0), 0);
+  }
+  pNew->pEList = pEList;
+  pNew->pSrc = pSrc;
+  pNew->pWhere = pWhere;
+  pNew->pGroupBy = pGroupBy;
+  pNew->pHaving = pHaving;
+  pNew->pOrderBy = pOrderBy;
+  pNew->isDistinct = isDistinct;
+  pNew->op = TK_SELECT;
+  assert( pOffset==0 || pLimit!=0 );
+  pNew->pLimit = pLimit;
+  pNew->pOffset = pOffset;
+  pNew->iLimit = -1;
+  pNew->iOffset = -1;
+  pNew->addrOpenEphm[0] = -1;
+  pNew->addrOpenEphm[1] = -1;
+  pNew->addrOpenEphm[2] = -1;
+  if( pNew==&standin) {
+    clearSelect(pNew);
+    pNew = 0;
+  }
+  return pNew;
+}
+
+/*
+** Delete the given Select structure and all of its substructures.
+*/
+void sqlite3SelectDelete(Select *p){
+  if( p ){
+    clearSelect(p);
+    sqliteFree(p);
+  }
+}
+
+/*
+** Given 1 to 3 identifiers preceeding the JOIN keyword, determine the
+** type of join.  Return an integer constant that expresses that type
+** in terms of the following bit values:
+**
+**     JT_INNER
+**     JT_CROSS
+**     JT_OUTER
+**     JT_NATURAL
+**     JT_LEFT
+**     JT_RIGHT
+**
+** A full outer join is the combination of JT_LEFT and JT_RIGHT.
+**
+** If an illegal or unsupported join type is seen, then still return
+** a join type, but put an error in the pParse structure.
+*/
+int sqlite3JoinType(Parse *pParse, Token *pA, Token *pB, Token *pC){
+  int jointype = 0;
+  Token *apAll[3];
+  Token *p;
+  static const struct {
+    const char zKeyword[8];
+    u8 nChar;
+    u8 code;
+  } keywords[] = {
+    { "natural", 7, JT_NATURAL },
+    { "left",    4, JT_LEFT|JT_OUTER },
+    { "right",   5, JT_RIGHT|JT_OUTER },
+    { "full",    4, JT_LEFT|JT_RIGHT|JT_OUTER },
+    { "outer",   5, JT_OUTER },
+    { "inner",   5, JT_INNER },
+    { "cross",   5, JT_INNER|JT_CROSS },
+  };
+  int i, j;
+  apAll[0] = pA;
+  apAll[1] = pB;
+  apAll[2] = pC;
+  for(i=0; i<3 && apAll[i]; i++){
+    p = apAll[i];
+    for(j=0; j<sizeof(keywords)/sizeof(keywords[0]); j++){
+      if( p->n==keywords[j].nChar 
+          && sqlite3StrNICmp((char*)p->z, keywords[j].zKeyword, p->n)==0 ){
+        jointype |= keywords[j].code;
+        break;
+      }
+    }
+    if( j>=sizeof(keywords)/sizeof(keywords[0]) ){
+      jointype |= JT_ERROR;
+      break;
+    }
+  }
+  if(
+     (jointype & (JT_INNER|JT_OUTER))==(JT_INNER|JT_OUTER) ||
+     (jointype & JT_ERROR)!=0
+  ){
+    const char *zSp1 = " ";
+    const char *zSp2 = " ";
+    if( pB==0 ){ zSp1++; }
+    if( pC==0 ){ zSp2++; }
+    sqlite3ErrorMsg(pParse, "unknown or unsupported join type: "
+       "%T%s%T%s%T", pA, zSp1, pB, zSp2, pC);
+    jointype = JT_INNER;
+  }else if( jointype & JT_RIGHT ){
+    sqlite3ErrorMsg(pParse, 
+      "RIGHT and FULL OUTER JOINs are not currently supported");
+    jointype = JT_INNER;
+  }
+  return jointype;
+}
+
+/*
+** Return the index of a column in a table.  Return -1 if the column
+** is not contained in the table.
+*/
+static int columnIndex(Table *pTab, const char *zCol){
+  int i;
+  for(i=0; i<pTab->nCol; i++){
+    if( sqlite3StrICmp(pTab->aCol[i].zName, zCol)==0 ) return i;
+  }
+  return -1;
+}
+
+/*
+** Set the value of a token to a '\000'-terminated string.
+*/
+static void setToken(Token *p, const char *z){
+  p->z = (u8*)z;
+  p->n = z ? strlen(z) : 0;
+  p->dyn = 0;
+}
+
+/*
+** Create an expression node for an identifier with the name of zName
+*/
+Expr *sqlite3CreateIdExpr(const char *zName){
+  Token dummy;
+  setToken(&dummy, zName);
+  return sqlite3Expr(TK_ID, 0, 0, &dummy);
+}
+
+
+/*
+** Add a term to the WHERE expression in *ppExpr that requires the
+** zCol column to be equal in the two tables pTab1 and pTab2.
+*/
+static void addWhereTerm(
+  const char *zCol,        /* Name of the column */
+  const Table *pTab1,      /* First table */
+  const char *zAlias1,     /* Alias for first table.  May be NULL */
+  const Table *pTab2,      /* Second table */
+  const char *zAlias2,     /* Alias for second table.  May be NULL */
+  int iRightJoinTable,     /* VDBE cursor for the right table */
+  Expr **ppExpr            /* Add the equality term to this expression */
+){
+  Expr *pE1a, *pE1b, *pE1c;
+  Expr *pE2a, *pE2b, *pE2c;
+  Expr *pE;
+
+  pE1a = sqlite3CreateIdExpr(zCol);
+  pE2a = sqlite3CreateIdExpr(zCol);
+  if( zAlias1==0 ){
+    zAlias1 = pTab1->zName;
+  }
+  pE1b = sqlite3CreateIdExpr(zAlias1);
+  if( zAlias2==0 ){
+    zAlias2 = pTab2->zName;
+  }
+  pE2b = sqlite3CreateIdExpr(zAlias2);
+  pE1c = sqlite3ExprOrFree(TK_DOT, pE1b, pE1a, 0);
+  pE2c = sqlite3ExprOrFree(TK_DOT, pE2b, pE2a, 0);
+  pE = sqlite3ExprOrFree(TK_EQ, pE1c, pE2c, 0);
+  if( pE ){
+    ExprSetProperty(pE, EP_FromJoin);
+    pE->iRightJoinTable = iRightJoinTable;
+  }
+  pE = sqlite3ExprAnd(*ppExpr, pE);
+  if( pE ){
+    *ppExpr = pE;
+  }
+}
+
+/*
+** Set the EP_FromJoin property on all terms of the given expression.
+** And set the Expr.iRightJoinTable to iTable for every term in the
+** expression.
+**
+** The EP_FromJoin property is used on terms of an expression to tell
+** the LEFT OUTER JOIN processing logic that this term is part of the
+** join restriction specified in the ON or USING clause and not a part
+** of the more general WHERE clause.  These terms are moved over to the
+** WHERE clause during join processing but we need to remember that they
+** originated in the ON or USING clause.
+**
+** The Expr.iRightJoinTable tells the WHERE clause processing that the
+** expression depends on table iRightJoinTable even if that table is not
+** explicitly mentioned in the expression.  That information is needed
+** for cases like this:
+**
+**    SELECT * FROM t1 LEFT JOIN t2 ON t1.a=t2.b AND t1.x=5
+**
+** The where clause needs to defer the handling of the t1.x=5
+** term until after the t2 loop of the join.  In that way, a
+** NULL t2 row will be inserted whenever t1.x!=5.  If we do not
+** defer the handling of t1.x=5, it will be processed immediately
+** after the t1 loop and rows with t1.x!=5 will never appear in
+** the output, which is incorrect.
+*/
+static void setJoinExpr(Expr *p, int iTable){
+  while( p ){
+    ExprSetProperty(p, EP_FromJoin);
+    p->iRightJoinTable = iTable;
+    setJoinExpr(p->pLeft, iTable);
+    p = p->pRight;
+  } 
+}
+
+/*
+** This routine processes the join information for a SELECT statement.
+** ON and USING clauses are converted into extra terms of the WHERE clause.
+** NATURAL joins also create extra WHERE clause terms.
+**
+** The terms of a FROM clause are contained in the Select.pSrc structure.
+** The left most table is the first entry in Select.pSrc.  The right-most
+** table is the last entry.  The join operator is held in the entry to
+** the left.  Thus entry 0 contains the join operator for the join between
+** entries 0 and 1.  Any ON or USING clauses associated with the join are
+** also attached to the left entry.
+**
+** This routine returns the number of errors encountered.
+*/
+static int sqliteProcessJoin(Parse *pParse, Select *p){
+  SrcList *pSrc;                  /* All tables in the FROM clause */
+  int i, j;                       /* Loop counters */
+  struct SrcList_item *pLeft;     /* Left table being joined */
+  struct SrcList_item *pRight;    /* Right table being joined */
+
+  pSrc = p->pSrc;
+  pLeft = &pSrc->a[0];
+  pRight = &pLeft[1];
+  for(i=0; i<pSrc->nSrc-1; i++, pRight++, pLeft++){
+    Table *pLeftTab = pLeft->pTab;
+    Table *pRightTab = pRight->pTab;
+
+    if( pLeftTab==0 || pRightTab==0 ) continue;
+
+    /* When the NATURAL keyword is present, add WHERE clause terms for
+    ** every column that the two tables have in common.
+    */
+    if( pRight->jointype & JT_NATURAL ){
+      if( pRight->pOn || pRight->pUsing ){
+        sqlite3ErrorMsg(pParse, "a NATURAL join may not have "
+           "an ON or USING clause", 0);
+        return 1;
+      }
+      for(j=0; j<pLeftTab->nCol; j++){
+        char *zName = pLeftTab->aCol[j].zName;
+        if( columnIndex(pRightTab, zName)>=0 ){
+          addWhereTerm(zName, pLeftTab, pLeft->zAlias, 
+                              pRightTab, pRight->zAlias,
+                              pRight->iCursor, &p->pWhere);
+          
+        }
+      }
+    }
+
+    /* Disallow both ON and USING clauses in the same join
+    */
+    if( pRight->pOn && pRight->pUsing ){
+      sqlite3ErrorMsg(pParse, "cannot have both ON and USING "
+        "clauses in the same join");
+      return 1;
+    }
+
+    /* Add the ON clause to the end of the WHERE clause, connected by
+    ** an AND operator.
+    */
+    if( pRight->pOn ){
+      setJoinExpr(pRight->pOn, pRight->iCursor);
+      p->pWhere = sqlite3ExprAnd(p->pWhere, pRight->pOn);
+      pRight->pOn = 0;
+    }
+
+    /* Create extra terms on the WHERE clause for each column named
+    ** in the USING clause.  Example: If the two tables to be joined are 
+    ** A and B and the USING clause names X, Y, and Z, then add this
+    ** to the WHERE clause:    A.X=B.X AND A.Y=B.Y AND A.Z=B.Z
+    ** Report an error if any column mentioned in the USING clause is
+    ** not contained in both tables to be joined.
+    */
+    if( pRight->pUsing ){
+      IdList *pList = pRight->pUsing;
+      for(j=0; j<pList->nId; j++){
+        char *zName = pList->a[j].zName;
+        if( columnIndex(pLeftTab, zName)<0 || columnIndex(pRightTab, zName)<0 ){
+          sqlite3ErrorMsg(pParse, "cannot join using column %s - column "
+            "not present in both tables", zName);
+          return 1;
+        }
+        addWhereTerm(zName, pLeftTab, pLeft->zAlias, 
+                            pRightTab, pRight->zAlias,
+                            pRight->iCursor, &p->pWhere);
+      }
+    }
+  }
+  return 0;
+}
+
+/*
+** Insert code into "v" that will push the record on the top of the
+** stack into the sorter.
+*/
+static void pushOntoSorter(
+  Parse *pParse,         /* Parser context */
+  ExprList *pOrderBy,    /* The ORDER BY clause */
+  Select *pSelect        /* The whole SELECT statement */
+){
+  Vdbe *v = pParse->pVdbe;
+  sqlite3ExprCodeExprList(pParse, pOrderBy);
+  sqlite3VdbeAddOp(v, OP_Sequence, pOrderBy->iECursor, 0);
+  sqlite3VdbeAddOp(v, OP_Pull, pOrderBy->nExpr + 1, 0);
+  sqlite3VdbeAddOp(v, OP_MakeRecord, pOrderBy->nExpr + 2, 0);
+  sqlite3VdbeAddOp(v, OP_IdxInsert, pOrderBy->iECursor, 0);
+  if( pSelect->iLimit>=0 ){
+    int addr1, addr2;
+    addr1 = sqlite3VdbeAddOp(v, OP_IfMemZero, pSelect->iLimit+1, 0);
+    sqlite3VdbeAddOp(v, OP_MemIncr, -1, pSelect->iLimit+1);
+    addr2 = sqlite3VdbeAddOp(v, OP_Goto, 0, 0);
+    sqlite3VdbeJumpHere(v, addr1);
+    sqlite3VdbeAddOp(v, OP_Last, pOrderBy->iECursor, 0);
+    sqlite3VdbeAddOp(v, OP_Delete, pOrderBy->iECursor, 0);
+    sqlite3VdbeJumpHere(v, addr2);
+    pSelect->iLimit = -1;
+  }
+}
+
+/*
+** Add code to implement the OFFSET
+*/
+static void codeOffset(
+  Vdbe *v,          /* Generate code into this VM */
+  Select *p,        /* The SELECT statement being coded */
+  int iContinue,    /* Jump here to skip the current record */
+  int nPop          /* Number of times to pop stack when jumping */
+){
+  if( p->iOffset>=0 && iContinue!=0 ){
+    int addr;
+    sqlite3VdbeAddOp(v, OP_MemIncr, -1, p->iOffset);
+    addr = sqlite3VdbeAddOp(v, OP_IfMemNeg, p->iOffset, 0);
+    if( nPop>0 ){
+      sqlite3VdbeAddOp(v, OP_Pop, nPop, 0);
+    }
+    sqlite3VdbeAddOp(v, OP_Goto, 0, iContinue);
+    VdbeComment((v, "# skip OFFSET records"));
+    sqlite3VdbeJumpHere(v, addr);
+  }
+}
+
+/*
+** Add code that will check to make sure the top N elements of the
+** stack are distinct.  iTab is a sorting index that holds previously
+** seen combinations of the N values.  A new entry is made in iTab
+** if the current N values are new.
+**
+** A jump to addrRepeat is made and the N+1 values are popped from the
+** stack if the top N elements are not distinct.
+*/
+static void codeDistinct(
+  Vdbe *v,           /* Generate code into this VM */
+  int iTab,          /* A sorting index used to test for distinctness */
+  int addrRepeat,    /* Jump to here if not distinct */
+  int N              /* The top N elements of the stack must be distinct */
+){
+  sqlite3VdbeAddOp(v, OP_MakeRecord, -N, 0);
+  sqlite3VdbeAddOp(v, OP_Distinct, iTab, sqlite3VdbeCurrentAddr(v)+3);
+  sqlite3VdbeAddOp(v, OP_Pop, N+1, 0);
+  sqlite3VdbeAddOp(v, OP_Goto, 0, addrRepeat);
+  VdbeComment((v, "# skip indistinct records"));
+  sqlite3VdbeAddOp(v, OP_IdxInsert, iTab, 0);
+}
+
+
+/*
+** This routine generates the code for the inside of the inner loop
+** of a SELECT.
+**
+** If srcTab and nColumn are both zero, then the pEList expressions
+** are evaluated in order to get the data for this row.  If nColumn>0
+** then data is pulled from srcTab and pEList is used only to get the
+** datatypes for each column.
+*/
+static int selectInnerLoop(
+  Parse *pParse,          /* The parser context */
+  Select *p,              /* The complete select statement being coded */
+  ExprList *pEList,       /* List of values being extracted */
+  int srcTab,             /* Pull data from this table */
+  int nColumn,            /* Number of columns in the source table */
+  ExprList *pOrderBy,     /* If not NULL, sort results using this key */
+  int distinct,           /* If >=0, make sure results are distinct */
+  int eDest,              /* How to dispose of the results */
+  int iParm,              /* An argument to the disposal method */
+  int iContinue,          /* Jump here to continue with next row */
+  int iBreak,             /* Jump here to break out of the inner loop */
+  char *aff               /* affinity string if eDest is SRT_Union */
+){
+  Vdbe *v = pParse->pVdbe;
+  int i;
+  int hasDistinct;        /* True if the DISTINCT keyword is present */
+
+  if( v==0 ) return 0;
+  assert( pEList!=0 );
+
+  /* If there was a LIMIT clause on the SELECT statement, then do the check
+  ** to see if this row should be output.
+  */
+  hasDistinct = distinct>=0 && pEList->nExpr>0;
+  if( pOrderBy==0 && !hasDistinct ){
+    codeOffset(v, p, iContinue, 0);
+  }
+
+  /* Pull the requested columns.
+  */
+  if( nColumn>0 ){
+    for(i=0; i<nColumn; i++){
+      sqlite3VdbeAddOp(v, OP_Column, srcTab, i);
+    }
+  }else{
+    nColumn = pEList->nExpr;
+    sqlite3ExprCodeExprList(pParse, pEList);
+  }
+
+  /* If the DISTINCT keyword was present on the SELECT statement
+  ** and this row has been seen before, then do not make this row
+  ** part of the result.
+  */
+  if( hasDistinct ){
+    assert( pEList!=0 );
+    assert( pEList->nExpr==nColumn );
+    codeDistinct(v, distinct, iContinue, nColumn);
+    if( pOrderBy==0 ){
+      codeOffset(v, p, iContinue, nColumn);
+    }
+  }
+
+  switch( eDest ){
+    /* In this mode, write each query result to the key of the temporary
+    ** table iParm.
+    */
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+    case SRT_Union: {
+      sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+      if( aff ){
+        sqlite3VdbeChangeP3(v, -1, aff, P3_STATIC);
+      }
+      sqlite3VdbeAddOp(v, OP_IdxInsert, iParm, 0);
+      break;
+    }
+
+    /* Construct a record from the query result, but instead of
+    ** saving that record, use it as a key to delete elements from
+    ** the temporary table iParm.
+    */
+    case SRT_Except: {
+      int addr;
+      addr = sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+      sqlite3VdbeChangeP3(v, -1, aff, P3_STATIC);
+      sqlite3VdbeAddOp(v, OP_NotFound, iParm, addr+3);
+      sqlite3VdbeAddOp(v, OP_Delete, iParm, 0);
+      break;
+    }
+#endif
+
+    /* Store the result as data using a unique key.
+    */
+    case SRT_Table:
+    case SRT_EphemTab: {
+      sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+      if( pOrderBy ){
+        pushOntoSorter(pParse, pOrderBy, p);
+      }else{
+        sqlite3VdbeAddOp(v, OP_NewRowid, iParm, 0);
+        sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+        sqlite3VdbeAddOp(v, OP_Insert, iParm, OPFLAG_APPEND);
+      }
+      break;
+    }
+
+#ifndef SQLITE_OMIT_SUBQUERY
+    /* If we are creating a set for an "expr IN (SELECT ...)" construct,
+    ** then there should be a single item on the stack.  Write this
+    ** item into the set table with bogus data.
+    */
+    case SRT_Set: {
+      int addr1 = sqlite3VdbeCurrentAddr(v);
+      int addr2;
+
+      assert( nColumn==1 );
+      sqlite3VdbeAddOp(v, OP_NotNull, -1, addr1+3);
+      sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      addr2 = sqlite3VdbeAddOp(v, OP_Goto, 0, 0);
+      p->affinity = sqlite3CompareAffinity(pEList->a[0].pExpr,(iParm>>16)&0xff);
+      if( pOrderBy ){
+        /* At first glance you would think we could optimize out the
+        ** ORDER BY in this case since the order of entries in the set
+        ** does not matter.  But there might be a LIMIT clause, in which
+        ** case the order does matter */
+        pushOntoSorter(pParse, pOrderBy, p);
+      }else{
+        sqlite3VdbeOp3(v, OP_MakeRecord, 1, 0, &p->affinity, 1);
+        sqlite3VdbeAddOp(v, OP_IdxInsert, (iParm&0x0000FFFF), 0);
+      }
+      sqlite3VdbeJumpHere(v, addr2);
+      break;
+    }
+
+    /* If any row exist in the result set, record that fact and abort.
+    */
+    case SRT_Exists: {
+      sqlite3VdbeAddOp(v, OP_MemInt, 1, iParm);
+      sqlite3VdbeAddOp(v, OP_Pop, nColumn, 0);
+      /* The LIMIT clause will terminate the loop for us */
+      break;
+    }
+
+    /* If this is a scalar select that is part of an expression, then
+    ** store the results in the appropriate memory cell and break out
+    ** of the scan loop.
+    */
+    case SRT_Mem: {
+      assert( nColumn==1 );
+      if( pOrderBy ){
+        pushOntoSorter(pParse, pOrderBy, p);
+      }else{
+        sqlite3VdbeAddOp(v, OP_MemStore, iParm, 1);
+        /* The LIMIT clause will jump out of the loop for us */
+      }
+      break;
+    }
+#endif /* #ifndef SQLITE_OMIT_SUBQUERY */
+
+    /* Send the data to the callback function or to a subroutine.  In the
+    ** case of a subroutine, the subroutine itself is responsible for
+    ** popping the data from the stack.
+    */
+    case SRT_Subroutine:
+    case SRT_Callback: {
+      if( pOrderBy ){
+        sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+        pushOntoSorter(pParse, pOrderBy, p);
+      }else if( eDest==SRT_Subroutine ){
+        sqlite3VdbeAddOp(v, OP_Gosub, 0, iParm);
+      }else{
+        sqlite3VdbeAddOp(v, OP_Callback, nColumn, 0);
+      }
+      break;
+    }
+
+#if !defined(SQLITE_OMIT_TRIGGER)
+    /* Discard the results.  This is used for SELECT statements inside
+    ** the body of a TRIGGER.  The purpose of such selects is to call
+    ** user-defined functions that have side effects.  We do not care
+    ** about the actual results of the select.
+    */
+    default: {
+      assert( eDest==SRT_Discard );
+      sqlite3VdbeAddOp(v, OP_Pop, nColumn, 0);
+      break;
+    }
+#endif
+  }
+
+  /* Jump to the end of the loop if the LIMIT is reached.
+  */
+  if( p->iLimit>=0 && pOrderBy==0 ){
+    sqlite3VdbeAddOp(v, OP_MemIncr, -1, p->iLimit);
+    sqlite3VdbeAddOp(v, OP_IfMemZero, p->iLimit, iBreak);
+  }
+  return 0;
+}
+
+/*
+** Given an expression list, generate a KeyInfo structure that records
+** the collating sequence for each expression in that expression list.
+**
+** If the ExprList is an ORDER BY or GROUP BY clause then the resulting
+** KeyInfo structure is appropriate for initializing a virtual index to
+** implement that clause.  If the ExprList is the result set of a SELECT
+** then the KeyInfo structure is appropriate for initializing a virtual
+** index to implement a DISTINCT test.
+**
+** Space to hold the KeyInfo structure is obtain from malloc.  The calling
+** function is responsible for seeing that this structure is eventually
+** freed.  Add the KeyInfo structure to the P3 field of an opcode using
+** P3_KEYINFO_HANDOFF is the usual way of dealing with this.
+*/
+static KeyInfo *keyInfoFromExprList(Parse *pParse, ExprList *pList){
+  sqlite3 *db = pParse->db;
+  int nExpr;
+  KeyInfo *pInfo;
+  struct ExprList_item *pItem;
+  int i;
+
+  nExpr = pList->nExpr;
+  pInfo = sqliteMalloc( sizeof(*pInfo) + nExpr*(sizeof(CollSeq*)+1) );
+  if( pInfo ){
+    pInfo->aSortOrder = (u8*)&pInfo->aColl[nExpr];
+    pInfo->nField = nExpr;
+    pInfo->enc = ENC(db);
+    for(i=0, pItem=pList->a; i<nExpr; i++, pItem++){
+      CollSeq *pColl;
+      pColl = sqlite3ExprCollSeq(pParse, pItem->pExpr);
+      if( !pColl ){
+        pColl = db->pDfltColl;
+      }
+      pInfo->aColl[i] = pColl;
+      pInfo->aSortOrder[i] = pItem->sortOrder;
+    }
+  }
+  return pInfo;
+}
+
+
+/*
+** If the inner loop was generated using a non-null pOrderBy argument,
+** then the results were placed in a sorter.  After the loop is terminated
+** we need to run the sorter and output the results.  The following
+** routine generates the code needed to do that.
+*/
+static void generateSortTail(
+  Parse *pParse,   /* Parsing context */
+  Select *p,       /* The SELECT statement */
+  Vdbe *v,         /* Generate code into this VDBE */
+  int nColumn,     /* Number of columns of data */
+  int eDest,       /* Write the sorted results here */
+  int iParm        /* Optional parameter associated with eDest */
+){
+  int brk = sqlite3VdbeMakeLabel(v);
+  int cont = sqlite3VdbeMakeLabel(v);
+  int addr;
+  int iTab;
+  int pseudoTab = 0;
+  ExprList *pOrderBy = p->pOrderBy;
+
+  iTab = pOrderBy->iECursor;
+  if( eDest==SRT_Callback || eDest==SRT_Subroutine ){
+    pseudoTab = pParse->nTab++;
+    sqlite3VdbeAddOp(v, OP_OpenPseudo, pseudoTab, 0);
+    sqlite3VdbeAddOp(v, OP_SetNumColumns, pseudoTab, nColumn);
+  }
+  addr = 1 + sqlite3VdbeAddOp(v, OP_Sort, iTab, brk);
+  codeOffset(v, p, cont, 0);
+  if( eDest==SRT_Callback || eDest==SRT_Subroutine ){
+    sqlite3VdbeAddOp(v, OP_Integer, 1, 0);
+  }
+  sqlite3VdbeAddOp(v, OP_Column, iTab, pOrderBy->nExpr + 1);
+  switch( eDest ){
+    case SRT_Table:
+    case SRT_EphemTab: {
+      sqlite3VdbeAddOp(v, OP_NewRowid, iParm, 0);
+      sqlite3VdbeAddOp(v, OP_Pull, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Insert, iParm, OPFLAG_APPEND);
+      break;
+    }
+#ifndef SQLITE_OMIT_SUBQUERY
+    case SRT_Set: {
+      assert( nColumn==1 );
+      sqlite3VdbeAddOp(v, OP_NotNull, -1, sqlite3VdbeCurrentAddr(v)+3);
+      sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+      sqlite3VdbeAddOp(v, OP_Goto, 0, sqlite3VdbeCurrentAddr(v)+3);
+      sqlite3VdbeOp3(v, OP_MakeRecord, 1, 0, &p->affinity, 1);
+      sqlite3VdbeAddOp(v, OP_IdxInsert, (iParm&0x0000FFFF), 0);
+      break;
+    }
+    case SRT_Mem: {
+      assert( nColumn==1 );
+      sqlite3VdbeAddOp(v, OP_MemStore, iParm, 1);
+      /* The LIMIT clause will terminate the loop for us */
+      break;
+    }
+#endif
+    case SRT_Callback:
+    case SRT_Subroutine: {
+      int i;
+      sqlite3VdbeAddOp(v, OP_Insert, pseudoTab, 0);
+      for(i=0; i<nColumn; i++){
+        sqlite3VdbeAddOp(v, OP_Column, pseudoTab, i);
+      }
+      if( eDest==SRT_Callback ){
+        sqlite3VdbeAddOp(v, OP_Callback, nColumn, 0);
+      }else{
+        sqlite3VdbeAddOp(v, OP_Gosub, 0, iParm);
+      }
+      break;
+    }
+    default: {
+      /* Do nothing */
+      break;
+    }
+  }
+
+  /* Jump to the end of the loop when the LIMIT is reached
+  */
+  if( p->iLimit>=0 ){
+    sqlite3VdbeAddOp(v, OP_MemIncr, -1, p->iLimit);
+    sqlite3VdbeAddOp(v, OP_IfMemZero, p->iLimit, brk);
+  }
+
+  /* The bottom of the loop
+  */
+  sqlite3VdbeResolveLabel(v, cont);
+  sqlite3VdbeAddOp(v, OP_Next, iTab, addr);
+  sqlite3VdbeResolveLabel(v, brk);
+  if( eDest==SRT_Callback || eDest==SRT_Subroutine ){
+    sqlite3VdbeAddOp(v, OP_Close, pseudoTab, 0);
+  }
+
+}
+
+/*
+** Return a pointer to a string containing the 'declaration type' of the
+** expression pExpr. The string may be treated as static by the caller.
+**
+** The declaration type is the exact datatype definition extracted from the
+** original CREATE TABLE statement if the expression is a column. The
+** declaration type for a ROWID field is INTEGER. Exactly when an expression
+** is considered a column can be complex in the presence of subqueries. The
+** result-set expression in all of the following SELECT statements is 
+** considered a column by this function.
+**
+**   SELECT col FROM tbl;
+**   SELECT (SELECT col FROM tbl;
+**   SELECT (SELECT col FROM tbl);
+**   SELECT abc FROM (SELECT col AS abc FROM tbl);
+** 
+** The declaration type for any expression other than a column is NULL.
+*/
+static const char *columnType(
+  NameContext *pNC, 
+  Expr *pExpr,
+  const char **pzOriginDb,
+  const char **pzOriginTab,
+  const char **pzOriginCol
+){
+  char const *zType = 0;
+  char const *zOriginDb = 0;
+  char const *zOriginTab = 0;
+  char const *zOriginCol = 0;
+  int j;
+  if( pExpr==0 || pNC->pSrcList==0 ) return 0;
+
+  /* The TK_AS operator can only occur in ORDER BY, GROUP BY, HAVING,
+  ** and LIMIT clauses.  But pExpr originates in the result set of a
+  ** SELECT.  So pExpr can never contain an AS operator.
+  */
+  assert( pExpr->op!=TK_AS );
+
+  switch( pExpr->op ){
+    case TK_AGG_COLUMN:
+    case TK_COLUMN: {
+      /* The expression is a column. Locate the table the column is being
+      ** extracted from in NameContext.pSrcList. This table may be real
+      ** database table or a subquery.
+      */
+      Table *pTab = 0;            /* Table structure column is extracted from */
+      Select *pS = 0;             /* Select the column is extracted from */
+      int iCol = pExpr->iColumn;  /* Index of column in pTab */
+      while( pNC && !pTab ){
+        SrcList *pTabList = pNC->pSrcList;
+        for(j=0;j<pTabList->nSrc && pTabList->a[j].iCursor!=pExpr->iTable;j++);
+        if( j<pTabList->nSrc ){
+          pTab = pTabList->a[j].pTab;
+          pS = pTabList->a[j].pSelect;
+        }else{
+          pNC = pNC->pNext;
+        }
+      }
+
+      if( pTab==0 ){
+        /* FIX ME:
+        ** This can occurs if you have something like "SELECT new.x;" inside
+        ** a trigger.  In other words, if you reference the special "new"
+        ** table in the result set of a select.  We do not have a good way
+        ** to find the actual table type, so call it "TEXT".  This is really
+        ** something of a bug, but I do not know how to fix it.
+        **
+        ** This code does not produce the correct answer - it just prevents
+        ** a segfault.  See ticket #1229.
+        */
+        zType = "TEXT";
+        break;
+      }
+
+      assert( pTab );
+      if( pS ){
+        /* The "table" is actually a sub-select or a view in the FROM clause
+        ** of the SELECT statement. Return the declaration type and origin
+        ** data for the result-set column of the sub-select.
+        */
+        if( iCol>=0 && iCol<pS->pEList->nExpr ){
+          /* If iCol is less than zero, then the expression requests the
+          ** rowid of the sub-select or view. This expression is legal (see 
+          ** test case misc2.2.2) - it always evaluates to NULL.
+          */
+          NameContext sNC;
+          Expr *p = pS->pEList->a[iCol].pExpr;
+          sNC.pSrcList = pS->pSrc;
+          sNC.pNext = 0;
+          sNC.pParse = pNC->pParse;
+          zType = columnType(&sNC, p, &zOriginDb, &zOriginTab, &zOriginCol); 
+        }
+      }else if( pTab->pSchema ){
+        /* A real table */
+        assert( !pS );
+        if( iCol<0 ) iCol = pTab->iPKey;
+        assert( iCol==-1 || (iCol>=0 && iCol<pTab->nCol) );
+        if( iCol<0 ){
+          zType = "INTEGER";
+          zOriginCol = "rowid";
+        }else{
+          zType = pTab->aCol[iCol].zType;
+          zOriginCol = pTab->aCol[iCol].zName;
+        }
+        zOriginTab = pTab->zName;
+        if( pNC->pParse ){
+          int iDb = sqlite3SchemaToIndex(pNC->pParse->db, pTab->pSchema);
+          zOriginDb = pNC->pParse->db->aDb[iDb].zName;
+        }
+      }
+      break;
+    }
+#ifndef SQLITE_OMIT_SUBQUERY
+    case TK_SELECT: {
+      /* The expression is a sub-select. Return the declaration type and
+      ** origin info for the single column in the result set of the SELECT
+      ** statement.
+      */
+      NameContext sNC;
+      Select *pS = pExpr->pSelect;
+      Expr *p = pS->pEList->a[0].pExpr;
+      sNC.pSrcList = pS->pSrc;
+      sNC.pNext = pNC;
+      sNC.pParse = pNC->pParse;
+      zType = columnType(&sNC, p, &zOriginDb, &zOriginTab, &zOriginCol); 
+      break;
+    }
+#endif
+  }
+  
+  if( pzOriginDb ){
+    assert( pzOriginTab && pzOriginCol );
+    *pzOriginDb = zOriginDb;
+    *pzOriginTab = zOriginTab;
+    *pzOriginCol = zOriginCol;
+  }
+  return zType;
+}
+
+/*
+** Generate code that will tell the VDBE the declaration types of columns
+** in the result set.
+*/
+static void generateColumnTypes(
+  Parse *pParse,      /* Parser context */
+  SrcList *pTabList,  /* List of tables */
+  ExprList *pEList    /* Expressions defining the result set */
+){
+  Vdbe *v = pParse->pVdbe;
+  int i;
+  NameContext sNC;
+  sNC.pSrcList = pTabList;
+  sNC.pParse = pParse;
+  for(i=0; i<pEList->nExpr; i++){
+    Expr *p = pEList->a[i].pExpr;
+    const char *zOrigDb = 0;
+    const char *zOrigTab = 0;
+    const char *zOrigCol = 0;
+    const char *zType = columnType(&sNC, p, &zOrigDb, &zOrigTab, &zOrigCol);
+
+    /* The vdbe must make it's own copy of the column-type and other 
+    ** column specific strings, in case the schema is reset before this
+    ** virtual machine is deleted.
+    */
+    sqlite3VdbeSetColName(v, i, COLNAME_DECLTYPE, zType, P3_TRANSIENT);
+    sqlite3VdbeSetColName(v, i, COLNAME_DATABASE, zOrigDb, P3_TRANSIENT);
+    sqlite3VdbeSetColName(v, i, COLNAME_TABLE, zOrigTab, P3_TRANSIENT);
+    sqlite3VdbeSetColName(v, i, COLNAME_COLUMN, zOrigCol, P3_TRANSIENT);
+  }
+}
+
+/*
+** Generate code that will tell the VDBE the names of columns
+** in the result set.  This information is used to provide the
+** azCol[] values in the callback.
+*/
+static void generateColumnNames(
+  Parse *pParse,      /* Parser context */
+  SrcList *pTabList,  /* List of tables */
+  ExprList *pEList    /* Expressions defining the result set */
+){
+  Vdbe *v = pParse->pVdbe;
+  int i, j;
+  sqlite3 *db = pParse->db;
+  int fullNames, shortNames;
+
+#ifndef SQLITE_OMIT_EXPLAIN
+  /* If this is an EXPLAIN, skip this step */
+  if( pParse->explain ){
+    return;
+  }
+#endif
+
+  assert( v!=0 );
+  if( pParse->colNamesSet || v==0 || sqlite3MallocFailed() ) return;
+  pParse->colNamesSet = 1;
+  fullNames = (db->flags & SQLITE_FullColNames)!=0;
+  shortNames = (db->flags & SQLITE_ShortColNames)!=0;
+  sqlite3VdbeSetNumCols(v, pEList->nExpr);
+  for(i=0; i<pEList->nExpr; i++){
+    Expr *p;
+    p = pEList->a[i].pExpr;
+    if( p==0 ) continue;
+    if( pEList->a[i].zName ){
+      char *zName = pEList->a[i].zName;
+      sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, strlen(zName));
+      continue;
+    }
+    if( p->op==TK_COLUMN && pTabList ){
+      Table *pTab;
+      char *zCol;
+      int iCol = p->iColumn;
+      for(j=0; j<pTabList->nSrc && pTabList->a[j].iCursor!=p->iTable; j++){}
+      assert( j<pTabList->nSrc );
+      pTab = pTabList->a[j].pTab;
+      if( iCol<0 ) iCol = pTab->iPKey;
+      assert( iCol==-1 || (iCol>=0 && iCol<pTab->nCol) );
+      if( iCol<0 ){
+        zCol = "rowid";
+      }else{
+        zCol = pTab->aCol[iCol].zName;
+      }
+      if( !shortNames && !fullNames && p->span.z && p->span.z[0] ){
+        sqlite3VdbeSetColName(v, i, COLNAME_NAME, (char*)p->span.z, p->span.n);
+      }else if( fullNames || (!shortNames && pTabList->nSrc>1) ){
+        char *zName = 0;
+        char *zTab;
+ 
+        zTab = pTabList->a[j].zAlias;
+        if( fullNames || zTab==0 ) zTab = pTab->zName;
+        sqlite3SetString(&zName, zTab, ".", zCol, (char*)0);
+        sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, P3_DYNAMIC);
+      }else{
+        sqlite3VdbeSetColName(v, i, COLNAME_NAME, zCol, strlen(zCol));
+      }
+    }else if( p->span.z && p->span.z[0] ){
+      sqlite3VdbeSetColName(v, i, COLNAME_NAME, (char*)p->span.z, p->span.n);
+      /* sqlite3VdbeCompressSpace(v, addr); */
+    }else{
+      char zName[30];
+      assert( p->op!=TK_COLUMN || pTabList==0 );
+      sprintf(zName, "column%d", i+1);
+      sqlite3VdbeSetColName(v, i, COLNAME_NAME, zName, 0);
+    }
+  }
+  generateColumnTypes(pParse, pTabList, pEList);
+}
+
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+/*
+** Name of the connection operator, used for error messages.
+*/
+static const char *selectOpName(int id){
+  char *z;
+  switch( id ){
+    case TK_ALL:       z = "UNION ALL";   break;
+    case TK_INTERSECT: z = "INTERSECT";   break;
+    case TK_EXCEPT:    z = "EXCEPT";      break;
+    default:           z = "UNION";       break;
+  }
+  return z;
+}
+#endif /* SQLITE_OMIT_COMPOUND_SELECT */
+
+/*
+** Forward declaration
+*/
+static int prepSelectStmt(Parse*, Select*);
+
+/*
+** Given a SELECT statement, generate a Table structure that describes
+** the result set of that SELECT.
+*/
+Table *sqlite3ResultSetOfSelect(Parse *pParse, char *zTabName, Select *pSelect){
+  Table *pTab;
+  int i, j;
+  ExprList *pEList;
+  Column *aCol, *pCol;
+
+  while( pSelect->pPrior ) pSelect = pSelect->pPrior;
+  if( prepSelectStmt(pParse, pSelect) ){
+    return 0;
+  }
+  if( sqlite3SelectResolve(pParse, pSelect, 0) ){
+    return 0;
+  }
+  pTab = sqliteMalloc( sizeof(Table) );
+  if( pTab==0 ){
+    return 0;
+  }
+  pTab->nRef = 1;
+  pTab->zName = zTabName ? sqliteStrDup(zTabName) : 0;
+  pEList = pSelect->pEList;
+  pTab->nCol = pEList->nExpr;
+  assert( pTab->nCol>0 );
+  pTab->aCol = aCol = sqliteMalloc( sizeof(pTab->aCol[0])*pTab->nCol );
+  for(i=0, pCol=aCol; i<pTab->nCol; i++, pCol++){
+    Expr *p, *pR;
+    char *zType;
+    char *zName;
+    int nName;
+    CollSeq *pColl;
+    int cnt;
+    NameContext sNC;
+    
+    /* Get an appropriate name for the column
+    */
+    p = pEList->a[i].pExpr;
+    assert( p->pRight==0 || p->pRight->token.z==0 || p->pRight->token.z[0]!=0 );
+    if( (zName = pEList->a[i].zName)!=0 ){
+      /* If the column contains an "AS <name>" phrase, use <name> as the name */
+      zName = sqliteStrDup(zName);
+    }else if( p->op==TK_DOT 
+              && (pR=p->pRight)!=0 && pR->token.z && pR->token.z[0] ){
+      /* For columns of the from A.B use B as the name */
+      zName = sqlite3MPrintf("%T", &pR->token);
+    }else if( p->span.z && p->span.z[0] ){
+      /* Use the original text of the column expression as its name */
+      zName = sqlite3MPrintf("%T", &p->span);
+    }else{
+      /* If all else fails, make up a name */
+      zName = sqlite3MPrintf("column%d", i+1);
+    }
+    sqlite3Dequote(zName);
+    if( sqlite3MallocFailed() ){
+      sqliteFree(zName);
+      sqlite3DeleteTable(pTab);
+      return 0;
+    }
+
+    /* Make sure the column name is unique.  If the name is not unique,
+    ** append a integer to the name so that it becomes unique.
+    */
+    nName = strlen(zName);
+    for(j=cnt=0; j<i; j++){
+      if( sqlite3StrICmp(aCol[j].zName, zName)==0 ){
+        zName[nName] = 0;
+        zName = sqlite3MPrintf("%z:%d", zName, ++cnt);
+        j = -1;
+        if( zName==0 ) break;
+      }
+    }
+    pCol->zName = zName;
+
+    /* Get the typename, type affinity, and collating sequence for the
+    ** column.
+    */
+    memset(&sNC, 0, sizeof(sNC));
+    sNC.pSrcList = pSelect->pSrc;
+    zType = sqliteStrDup(columnType(&sNC, p, 0, 0, 0));
+    pCol->zType = zType;
+    pCol->affinity = sqlite3ExprAffinity(p);
+    pColl = sqlite3ExprCollSeq(pParse, p);
+    if( pColl ){
+      pCol->zColl = sqliteStrDup(pColl->zName);
+    }
+  }
+  pTab->iPKey = -1;
+  return pTab;
+}
+
+/*
+** Prepare a SELECT statement for processing by doing the following
+** things:
+**
+**    (1)  Make sure VDBE cursor numbers have been assigned to every
+**         element of the FROM clause.
+**
+**    (2)  Fill in the pTabList->a[].pTab fields in the SrcList that 
+**         defines FROM clause.  When views appear in the FROM clause,
+**         fill pTabList->a[].pSelect with a copy of the SELECT statement
+**         that implements the view.  A copy is made of the view's SELECT
+**         statement so that we can freely modify or delete that statement
+**         without worrying about messing up the presistent representation
+**         of the view.
+**
+**    (3)  Add terms to the WHERE clause to accomodate the NATURAL keyword
+**         on joins and the ON and USING clause of joins.
+**
+**    (4)  Scan the list of columns in the result set (pEList) looking
+**         for instances of the "*" operator or the TABLE.* operator.
+**         If found, expand each "*" to be every column in every table
+**         and TABLE.* to be every column in TABLE.
+**
+** Return 0 on success.  If there are problems, leave an error message
+** in pParse and return non-zero.
+*/
+static int prepSelectStmt(Parse *pParse, Select *p){
+  int i, j, k, rc;
+  SrcList *pTabList;
+  ExprList *pEList;
+  struct SrcList_item *pFrom;
+
+  if( p==0 || p->pSrc==0 || sqlite3MallocFailed() ){
+    return 1;
+  }
+  pTabList = p->pSrc;
+  pEList = p->pEList;
+
+  /* Make sure cursor numbers have been assigned to all entries in
+  ** the FROM clause of the SELECT statement.
+  */
+  sqlite3SrcListAssignCursors(pParse, p->pSrc);
+
+  /* Look up every table named in the FROM clause of the select.  If
+  ** an entry of the FROM clause is a subquery instead of a table or view,
+  ** then create a transient table structure to describe the subquery.
+  */
+  for(i=0, pFrom=pTabList->a; i<pTabList->nSrc; i++, pFrom++){
+    Table *pTab;
+    if( pFrom->pTab!=0 ){
+      /* This statement has already been prepared.  There is no need
+      ** to go further. */
+      assert( i==0 );
+      return 0;
+    }
+    if( pFrom->zName==0 ){
+#ifndef SQLITE_OMIT_SUBQUERY
+      /* A sub-query in the FROM clause of a SELECT */
+      assert( pFrom->pSelect!=0 );
+      if( pFrom->zAlias==0 ){
+        pFrom->zAlias =
+          sqlite3MPrintf("sqlite_subquery_%p_", (void*)pFrom->pSelect);
+      }
+      assert( pFrom->pTab==0 );
+      pFrom->pTab = pTab = 
+        sqlite3ResultSetOfSelect(pParse, pFrom->zAlias, pFrom->pSelect);
+      if( pTab==0 ){
+        return 1;
+      }
+      /* The isEphem flag indicates that the Table structure has been
+      ** dynamically allocated and may be freed at any time.  In other words,
+      ** pTab is not pointing to a persistent table structure that defines
+      ** part of the schema. */
+      pTab->isEphem = 1;
+#endif
+    }else{
+      /* An ordinary table or view name in the FROM clause */
+      assert( pFrom->pTab==0 );
+      pFrom->pTab = pTab = 
+        sqlite3LocateTable(pParse,pFrom->zName,pFrom->zDatabase);
+      if( pTab==0 ){
+        return 1;
+      }
+      pTab->nRef++;
+#if !defined(SQLITE_OMIT_VIEW) || !defined (SQLITE_OMIT_VIRTUALTABLE)
+      if( pTab->pSelect || IsVirtual(pTab) ){
+        /* We reach here if the named table is a really a view */
+        if( sqlite3ViewGetColumnNames(pParse, pTab) ){
+          return 1;
+        }
+        /* If pFrom->pSelect!=0 it means we are dealing with a
+        ** view within a view.  The SELECT structure has already been
+        ** copied by the outer view so we can skip the copy step here
+        ** in the inner view.
+        */
+        if( pFrom->pSelect==0 ){
+          pFrom->pSelect = sqlite3SelectDup(pTab->pSelect);
+        }
+      }
+#endif
+    }
+  }
+
+  /* Process NATURAL keywords, and ON and USING clauses of joins.
+  */
+  if( sqliteProcessJoin(pParse, p) ) return 1;
+
+  /* For every "*" that occurs in the column list, insert the names of
+  ** all columns in all tables.  And for every TABLE.* insert the names
+  ** of all columns in TABLE.  The parser inserted a special expression
+  ** with the TK_ALL operator for each "*" that it found in the column list.
+  ** The following code just has to locate the TK_ALL expressions and expand
+  ** each one to the list of all columns in all tables.
+  **
+  ** The first loop just checks to see if there are any "*" operators
+  ** that need expanding.
+  */
+  for(k=0; k<pEList->nExpr; k++){
+    Expr *pE = pEList->a[k].pExpr;
+    if( pE->op==TK_ALL ) break;
+    if( pE->op==TK_DOT && pE->pRight && pE->pRight->op==TK_ALL
+         && pE->pLeft && pE->pLeft->op==TK_ID ) break;
+  }
+  rc = 0;
+  if( k<pEList->nExpr ){
+    /*
+    ** If we get here it means the result set contains one or more "*"
+    ** operators that need to be expanded.  Loop through each expression
+    ** in the result set and expand them one by one.
+    */
+    struct ExprList_item *a = pEList->a;
+    ExprList *pNew = 0;
+    int flags = pParse->db->flags;
+    int longNames = (flags & SQLITE_FullColNames)!=0 &&
+                      (flags & SQLITE_ShortColNames)==0;
+
+    for(k=0; k<pEList->nExpr; k++){
+      Expr *pE = a[k].pExpr;
+      if( pE->op!=TK_ALL &&
+           (pE->op!=TK_DOT || pE->pRight==0 || pE->pRight->op!=TK_ALL) ){
+        /* This particular expression does not need to be expanded.
+        */
+        pNew = sqlite3ExprListAppend(pNew, a[k].pExpr, 0);
+        if( pNew ){
+          pNew->a[pNew->nExpr-1].zName = a[k].zName;
+        }else{
+          rc = 1;
+        }
+        a[k].pExpr = 0;
+        a[k].zName = 0;
+      }else{
+        /* This expression is a "*" or a "TABLE.*" and needs to be
+        ** expanded. */
+        int tableSeen = 0;      /* Set to 1 when TABLE matches */
+        char *zTName;            /* text of name of TABLE */
+        if( pE->op==TK_DOT && pE->pLeft ){
+          zTName = sqlite3NameFromToken(&pE->pLeft->token);
+        }else{
+          zTName = 0;
+        }
+        for(i=0, pFrom=pTabList->a; i<pTabList->nSrc; i++, pFrom++){
+          Table *pTab = pFrom->pTab;
+          char *zTabName = pFrom->zAlias;
+          if( zTabName==0 || zTabName[0]==0 ){ 
+            zTabName = pTab->zName;
+          }
+          if( zTName && (zTabName==0 || zTabName[0]==0 || 
+                 sqlite3StrICmp(zTName, zTabName)!=0) ){
+            continue;
+          }
+          tableSeen = 1;
+          for(j=0; j<pTab->nCol; j++){
+            Expr *pExpr, *pRight;
+            char *zName = pTab->aCol[j].zName;
+
+            if( i>0 ){
+              struct SrcList_item *pLeft = &pTabList->a[i-1];
+              if( (pLeft[1].jointype & JT_NATURAL)!=0 &&
+                        columnIndex(pLeft->pTab, zName)>=0 ){
+                /* In a NATURAL join, omit the join columns from the 
+                ** table on the right */
+                continue;
+              }
+              if( sqlite3IdListIndex(pLeft[1].pUsing, zName)>=0 ){
+                /* In a join with a USING clause, omit columns in the
+                ** using clause from the table on the right. */
+                continue;
+              }
+            }
+            pRight = sqlite3Expr(TK_ID, 0, 0, 0);
+            if( pRight==0 ) break;
+            setToken(&pRight->token, zName);
+            if( zTabName && (longNames || pTabList->nSrc>1) ){
+              Expr *pLeft = sqlite3Expr(TK_ID, 0, 0, 0);
+              pExpr = sqlite3Expr(TK_DOT, pLeft, pRight, 0);
+              if( pExpr==0 ) break;
+              setToken(&pLeft->token, zTabName);
+              setToken(&pExpr->span, sqlite3MPrintf("%s.%s", zTabName, zName));
+              pExpr->span.dyn = 1;
+              pExpr->token.z = 0;
+              pExpr->token.n = 0;
+              pExpr->token.dyn = 0;
+            }else{
+              pExpr = pRight;
+              pExpr->span = pExpr->token;
+            }
+            if( longNames ){
+              pNew = sqlite3ExprListAppend(pNew, pExpr, &pExpr->span);
+            }else{
+              pNew = sqlite3ExprListAppend(pNew, pExpr, &pRight->token);
+            }
+          }
+        }
+        if( !tableSeen ){
+          if( zTName ){
+            sqlite3ErrorMsg(pParse, "no such table: %s", zTName);
+          }else{
+            sqlite3ErrorMsg(pParse, "no tables specified");
+          }
+          rc = 1;
+        }
+        sqliteFree(zTName);
+      }
+    }
+    sqlite3ExprListDelete(pEList);
+    p->pEList = pNew;
+  }
+  return rc;
+}
+
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+/*
+** This routine associates entries in an ORDER BY expression list with
+** columns in a result.  For each ORDER BY expression, the opcode of
+** the top-level node is changed to TK_COLUMN and the iColumn value of
+** the top-level node is filled in with column number and the iTable
+** value of the top-level node is filled with iTable parameter.
+**
+** If there are prior SELECT clauses, they are processed first.  A match
+** in an earlier SELECT takes precedence over a later SELECT.
+**
+** Any entry that does not match is flagged as an error.  The number
+** of errors is returned.
+*/
+static int matchOrderbyToColumn(
+  Parse *pParse,          /* A place to leave error messages */
+  Select *pSelect,        /* Match to result columns of this SELECT */
+  ExprList *pOrderBy,     /* The ORDER BY values to match against columns */
+  int iTable,             /* Insert this value in iTable */
+  int mustComplete        /* If TRUE all ORDER BYs must match */
+){
+  int nErr = 0;
+  int i, j;
+  ExprList *pEList;
+
+  if( pSelect==0 || pOrderBy==0 ) return 1;
+  if( mustComplete ){
+    for(i=0; i<pOrderBy->nExpr; i++){ pOrderBy->a[i].done = 0; }
+  }
+  if( prepSelectStmt(pParse, pSelect) ){
+    return 1;
+  }
+  if( pSelect->pPrior ){
+    if( matchOrderbyToColumn(pParse, pSelect->pPrior, pOrderBy, iTable, 0) ){
+      return 1;
+    }
+  }
+  pEList = pSelect->pEList;
+  for(i=0; i<pOrderBy->nExpr; i++){
+    struct ExprList_item *pItem;
+    Expr *pE = pOrderBy->a[i].pExpr;
+    int iCol = -1;
+    char *zLabel;
+
+    if( pOrderBy->a[i].done ) continue;
+    if( sqlite3ExprIsInteger(pE, &iCol) ){
+      if( iCol<=0 || iCol>pEList->nExpr ){
+        sqlite3ErrorMsg(pParse,
+          "ORDER BY position %d should be between 1 and %d",
+          iCol, pEList->nExpr);
+        nErr++;
+        break;
+      }
+      if( !mustComplete ) continue;
+      iCol--;
+    }
+    if( iCol<0 && (zLabel = sqlite3NameFromToken(&pE->token))!=0 ){
+      for(j=0, pItem=pEList->a; j<pEList->nExpr; j++, pItem++){
+        char *zName;
+        int isMatch;
+        if( pItem->zName ){
+          zName = sqlite3StrDup(pItem->zName);
+        }else{
+          zName = sqlite3NameFromToken(&pItem->pExpr->token);
+        }
+        isMatch = zName && sqlite3StrICmp(zName, zLabel)==0;
+        sqliteFree(zName);
+        if( isMatch ){
+          iCol = j;
+          break;
+        }
+      }
+      sqliteFree(zLabel);
+    }
+    if( iCol>=0 ){
+      pE->op = TK_COLUMN;
+      pE->iColumn = iCol;
+      pE->iTable = iTable;
+      pE->iAgg = -1;
+      pOrderBy->a[i].done = 1;
+    }else if( mustComplete ){
+      sqlite3ErrorMsg(pParse,
+        "ORDER BY term number %d does not match any result column", i+1);
+      nErr++;
+      break;
+    }
+  }
+  return nErr;  
+}
+#endif /* #ifndef SQLITE_OMIT_COMPOUND_SELECT */
+
+/*
+** Get a VDBE for the given parser context.  Create a new one if necessary.
+** If an error occurs, return NULL and leave a message in pParse.
+*/
+Vdbe *sqlite3GetVdbe(Parse *pParse){
+  Vdbe *v = pParse->pVdbe;
+  if( v==0 ){
+    v = pParse->pVdbe = sqlite3VdbeCreate(pParse->db);
+  }
+  return v;
+}
+
+
+/*
+** Compute the iLimit and iOffset fields of the SELECT based on the
+** pLimit and pOffset expressions.  pLimit and pOffset hold the expressions
+** that appear in the original SQL statement after the LIMIT and OFFSET
+** keywords.  Or NULL if those keywords are omitted. iLimit and iOffset 
+** are the integer memory register numbers for counters used to compute 
+** the limit and offset.  If there is no limit and/or offset, then 
+** iLimit and iOffset are negative.
+**
+** This routine changes the values of iLimit and iOffset only if
+** a limit or offset is defined by pLimit and pOffset.  iLimit and
+** iOffset should have been preset to appropriate default values
+** (usually but not always -1) prior to calling this routine.
+** Only if pLimit!=0 or pOffset!=0 do the limit registers get
+** redefined.  The UNION ALL operator uses this property to force
+** the reuse of the same limit and offset registers across multiple
+** SELECT statements.
+*/
+static void computeLimitRegisters(Parse *pParse, Select *p, int iBreak){
+  Vdbe *v = 0;
+  int iLimit = 0;
+  int iOffset;
+  int addr1, addr2;
+
+  /* 
+  ** "LIMIT -1" always shows all rows.  There is some
+  ** contraversy about what the correct behavior should be.
+  ** The current implementation interprets "LIMIT 0" to mean
+  ** no rows.
+  */
+  if( p->pLimit ){
+    p->iLimit = iLimit = pParse->nMem;
+    pParse->nMem += 2;
+    v = sqlite3GetVdbe(pParse);
+    if( v==0 ) return;
+    sqlite3ExprCode(pParse, p->pLimit);
+    sqlite3VdbeAddOp(v, OP_MustBeInt, 0, 0);
+    sqlite3VdbeAddOp(v, OP_MemStore, iLimit, 0);
+    VdbeComment((v, "# LIMIT counter"));
+    sqlite3VdbeAddOp(v, OP_IfMemZero, iLimit, iBreak);
+  }
+  if( p->pOffset ){
+    p->iOffset = iOffset = pParse->nMem++;
+    v = sqlite3GetVdbe(pParse);
+    if( v==0 ) return;
+    sqlite3ExprCode(pParse, p->pOffset);
+    sqlite3VdbeAddOp(v, OP_MustBeInt, 0, 0);
+    sqlite3VdbeAddOp(v, OP_MemStore, iOffset, p->pLimit==0);
+    VdbeComment((v, "# OFFSET counter"));
+    addr1 = sqlite3VdbeAddOp(v, OP_IfMemPos, iOffset, 0);
+    sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+    sqlite3VdbeAddOp(v, OP_Integer, 0, 0);
+    sqlite3VdbeJumpHere(v, addr1);
+    if( p->pLimit ){
+      sqlite3VdbeAddOp(v, OP_Add, 0, 0);
+    }
+  }
+  if( p->pLimit ){
+    addr1 = sqlite3VdbeAddOp(v, OP_IfMemPos, iLimit, 0);
+    sqlite3VdbeAddOp(v, OP_Pop, 1, 0);
+    sqlite3VdbeAddOp(v, OP_MemInt, -1, iLimit+1);
+    addr2 = sqlite3VdbeAddOp(v, OP_Goto, 0, 0);
+    sqlite3VdbeJumpHere(v, addr1);
+    sqlite3VdbeAddOp(v, OP_MemStore, iLimit+1, 1);
+    VdbeComment((v, "# LIMIT+OFFSET"));
+    sqlite3VdbeJumpHere(v, addr2);
+  }
+}
+
+/*
+** Allocate a virtual index to use for sorting.
+*/
+static void createSortingIndex(Parse *pParse, Select *p, ExprList *pOrderBy){
+  if( pOrderBy ){
+    int addr;
+    assert( pOrderBy->iECursor==0 );
+    pOrderBy->iECursor = pParse->nTab++;
+    addr = sqlite3VdbeAddOp(pParse->pVdbe, OP_OpenEphemeral,
+                            pOrderBy->iECursor, pOrderBy->nExpr+1);
+    assert( p->addrOpenEphm[2] == -1 );
+    p->addrOpenEphm[2] = addr;
+  }
+}
+
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+/*
+** Return the appropriate collating sequence for the iCol-th column of
+** the result set for the compound-select statement "p".  Return NULL if
+** the column has no default collating sequence.
+**
+** The collating sequence for the compound select is taken from the
+** left-most term of the select that has a collating sequence.
+*/
+static CollSeq *multiSelectCollSeq(Parse *pParse, Select *p, int iCol){
+  CollSeq *pRet;
+  if( p->pPrior ){
+    pRet = multiSelectCollSeq(pParse, p->pPrior, iCol);
+  }else{
+    pRet = 0;
+  }
+  if( pRet==0 ){
+    pRet = sqlite3ExprCollSeq(pParse, p->pEList->a[iCol].pExpr);
+  }
+  return pRet;
+}
+#endif /* SQLITE_OMIT_COMPOUND_SELECT */
+
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+/*
+** This routine is called to process a query that is really the union
+** or intersection of two or more separate queries.
+**
+** "p" points to the right-most of the two queries.  the query on the
+** left is p->pPrior.  The left query could also be a compound query
+** in which case this routine will be called recursively. 
+**
+** The results of the total query are to be written into a destination
+** of type eDest with parameter iParm.
+**
+** Example 1:  Consider a three-way compound SQL statement.
+**
+**     SELECT a FROM t1 UNION SELECT b FROM t2 UNION SELECT c FROM t3
+**
+** This statement is parsed up as follows:
+**
+**     SELECT c FROM t3
+**      |
+**      `----->  SELECT b FROM t2
+**                |
+**                `------>  SELECT a FROM t1
+**
+** The arrows in the diagram above represent the Select.pPrior pointer.
+** So if this routine is called with p equal to the t3 query, then
+** pPrior will be the t2 query.  p->op will be TK_UNION in this case.
+**
+** Notice that because of the way SQLite parses compound SELECTs, the
+** individual selects always group from left to right.
+*/
+static int multiSelect(
+  Parse *pParse,        /* Parsing context */
+  Select *p,            /* The right-most of SELECTs to be coded */
+  int eDest,            /* \___  Store query results as specified */
+  int iParm,            /* /     by these two parameters.         */
+  char *aff             /* If eDest is SRT_Union, the affinity string */
+){
+  int rc = SQLITE_OK;   /* Success code from a subroutine */
+  Select *pPrior;       /* Another SELECT immediately to our left */
+  Vdbe *v;              /* Generate code to this VDBE */
+  int nCol;             /* Number of columns in the result set */
+  ExprList *pOrderBy;   /* The ORDER BY clause on p */
+  int aSetP2[2];        /* Set P2 value of these op to number of columns */
+  int nSetP2 = 0;       /* Number of slots in aSetP2[] used */
+
+  /* Make sure there is no ORDER BY or LIMIT clause on prior SELECTs.  Only
+  ** the last (right-most) SELECT in the series may have an ORDER BY or LIMIT.
+  */
+  if( p==0 || p->pPrior==0 ){
+    rc = 1;
+    goto multi_select_end;
+  }
+  pPrior = p->pPrior;
+  assert( pPrior->pRightmost!=pPrior );
+  assert( pPrior->pRightmost==p->pRightmost );
+  if( pPrior->pOrderBy ){
+    sqlite3ErrorMsg(pParse,"ORDER BY clause should come after %s not before",
+      selectOpName(p->op));
+    rc = 1;
+    goto multi_select_end;
+  }
+  if( pPrior->pLimit ){
+    sqlite3ErrorMsg(pParse,"LIMIT clause should come after %s not before",
+      selectOpName(p->op));
+    rc = 1;
+    goto multi_select_end;
+  }
+
+  /* Make sure we have a valid query engine.  If not, create a new one.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ){
+    rc = 1;
+    goto multi_select_end;
+  }
+
+  /* Create the destination temporary table if necessary
+  */
+  if( eDest==SRT_EphemTab ){
+    assert( p->pEList );
+    assert( nSetP2<sizeof(aSetP2)/sizeof(aSetP2[0]) );
+    aSetP2[nSetP2++] = sqlite3VdbeAddOp(v, OP_OpenEphemeral, iParm, 0);
+    eDest = SRT_Table;
+  }
+
+  /* Generate code for the left and right SELECT statements.
+  */
+  pOrderBy = p->pOrderBy;
+  switch( p->op ){
+    case TK_ALL: {
+      if( pOrderBy==0 ){
+        int addr = 0;
+        assert( !pPrior->pLimit );
+        pPrior->pLimit = p->pLimit;
+        pPrior->pOffset = p->pOffset;
+        rc = sqlite3Select(pParse, pPrior, eDest, iParm, 0, 0, 0, aff);
+        p->pLimit = 0;
+        p->pOffset = 0;
+        if( rc ){
+          goto multi_select_end;
+        }
+        p->pPrior = 0;
+        p->iLimit = pPrior->iLimit;
+        p->iOffset = pPrior->iOffset;
+        if( p->iLimit>=0 ){
+          addr = sqlite3VdbeAddOp(v, OP_IfMemZero, p->iLimit, 0);
+          VdbeComment((v, "# Jump ahead if LIMIT reached"));
+        }
+        rc = sqlite3Select(pParse, p, eDest, iParm, 0, 0, 0, aff);
+        p->pPrior = pPrior;
+        if( rc ){
+          goto multi_select_end;
+        }
+        if( addr ){
+          sqlite3VdbeJumpHere(v, addr);
+        }
+        break;
+      }
+      /* For UNION ALL ... ORDER BY fall through to the next case */
+    }
+    case TK_EXCEPT:
+    case TK_UNION: {
+      int unionTab;    /* Cursor number of the temporary table holding result */
+      int op = 0;      /* One of the SRT_ operations to apply to self */
+      int priorOp;     /* The SRT_ operation to apply to prior selects */
+      Expr *pLimit, *pOffset; /* Saved values of p->nLimit and p->nOffset */
+      int addr;
+
+      priorOp = p->op==TK_ALL ? SRT_Table : SRT_Union;
+      if( eDest==priorOp && pOrderBy==0 && !p->pLimit && !p->pOffset ){
+        /* We can reuse a temporary table generated by a SELECT to our
+        ** right.
+        */
+        unionTab = iParm;
+      }else{
+        /* We will need to create our own temporary table to hold the
+        ** intermediate results.
+        */
+        unionTab = pParse->nTab++;
+        if( pOrderBy && matchOrderbyToColumn(pParse, p, pOrderBy, unionTab,1) ){
+          rc = 1;
+          goto multi_select_end;
+        }
+        addr = sqlite3VdbeAddOp(v, OP_OpenEphemeral, unionTab, 0);
+        if( priorOp==SRT_Table ){
+          assert( nSetP2<sizeof(aSetP2)/sizeof(aSetP2[0]) );
+          aSetP2[nSetP2++] = addr;
+        }else{
+          assert( p->addrOpenEphm[0] == -1 );
+          p->addrOpenEphm[0] = addr;
+          p->pRightmost->usesEphm = 1;
+        }
+        createSortingIndex(pParse, p, pOrderBy);
+        assert( p->pEList );
+      }
+
+      /* Code the SELECT statements to our left
+      */
+      assert( !pPrior->pOrderBy );
+      rc = sqlite3Select(pParse, pPrior, priorOp, unionTab, 0, 0, 0, aff);
+      if( rc ){
+        goto multi_select_end;
+      }
+
+      /* Code the current SELECT statement
+      */
+      switch( p->op ){
+         case TK_EXCEPT:  op = SRT_Except;   break;
+         case TK_UNION:   op = SRT_Union;    break;
+         case TK_ALL:     op = SRT_Table;    break;
+      }
+      p->pPrior = 0;
+      p->pOrderBy = 0;
+      p->disallowOrderBy = pOrderBy!=0;
+      pLimit = p->pLimit;
+      p->pLimit = 0;
+      pOffset = p->pOffset;
+      p->pOffset = 0;
+      rc = sqlite3Select(pParse, p, op, unionTab, 0, 0, 0, aff);
+      p->pPrior = pPrior;
+      p->pOrderBy = pOrderBy;
+      sqlite3ExprDelete(p->pLimit);
+      p->pLimit = pLimit;
+      p->pOffset = pOffset;
+      p->iLimit = -1;
+      p->iOffset = -1;
+      if( rc ){
+        goto multi_select_end;
+      }
+
+
+      /* Convert the data in the temporary table into whatever form
+      ** it is that we currently need.
+      */      
+      if( eDest!=priorOp || unionTab!=iParm ){
+        int iCont, iBreak, iStart;
+        assert( p->pEList );
+        if( eDest==SRT_Callback ){
+          Select *pFirst = p;
+          while( pFirst->pPrior ) pFirst = pFirst->pPrior;
+          generateColumnNames(pParse, 0, pFirst->pEList);
+        }
+        iBreak = sqlite3VdbeMakeLabel(v);
+        iCont = sqlite3VdbeMakeLabel(v);
+        computeLimitRegisters(pParse, p, iBreak);
+        sqlite3VdbeAddOp(v, OP_Rewind, unionTab, iBreak);
+        iStart = sqlite3VdbeCurrentAddr(v);
+        rc = selectInnerLoop(pParse, p, p->pEList, unionTab, p->pEList->nExpr,
+                             pOrderBy, -1, eDest, iParm, 
+                             iCont, iBreak, 0);
+        if( rc ){
+          rc = 1;
+          goto multi_select_end;
+        }
+        sqlite3VdbeResolveLabel(v, iCont);
+        sqlite3VdbeAddOp(v, OP_Next, unionTab, iStart);
+        sqlite3VdbeResolveLabel(v, iBreak);
+        sqlite3VdbeAddOp(v, OP_Close, unionTab, 0);
+      }
+      break;
+    }
+    case TK_INTERSECT: {
+      int tab1, tab2;
+      int iCont, iBreak, iStart;
+      Expr *pLimit, *pOffset;
+      int addr;
+
+      /* INTERSECT is different from the others since it requires
+      ** two temporary tables.  Hence it has its own case.  Begin
+      ** by allocating the tables we will need.
+      */
+      tab1 = pParse->nTab++;
+      tab2 = pParse->nTab++;
+      if( pOrderBy && matchOrderbyToColumn(pParse,p,pOrderBy,tab1,1) ){
+        rc = 1;
+        goto multi_select_end;
+      }
+      createSortingIndex(pParse, p, pOrderBy);
+
+      addr = sqlite3VdbeAddOp(v, OP_OpenEphemeral, tab1, 0);
+      assert( p->addrOpenEphm[0] == -1 );
+      p->addrOpenEphm[0] = addr;
+      p->pRightmost->usesEphm = 1;
+      assert( p->pEList );
+
+      /* Code the SELECTs to our left into temporary table "tab1".
+      */
+      rc = sqlite3Select(pParse, pPrior, SRT_Union, tab1, 0, 0, 0, aff);
+      if( rc ){
+        goto multi_select_end;
+      }
+
+      /* Code the current SELECT into temporary table "tab2"
+      */
+      addr = sqlite3VdbeAddOp(v, OP_OpenEphemeral, tab2, 0);
+      assert( p->addrOpenEphm[1] == -1 );
+      p->addrOpenEphm[1] = addr;
+      p->pPrior = 0;
+      pLimit = p->pLimit;
+      p->pLimit = 0;
+      pOffset = p->pOffset;
+      p->pOffset = 0;
+      rc = sqlite3Select(pParse, p, SRT_Union, tab2, 0, 0, 0, aff);
+      p->pPrior = pPrior;
+      sqlite3ExprDelete(p->pLimit);
+      p->pLimit = pLimit;
+      p->pOffset = pOffset;
+      if( rc ){
+        goto multi_select_end;
+      }
+
+      /* Generate code to take the intersection of the two temporary
+      ** tables.
+      */
+      assert( p->pEList );
+      if( eDest==SRT_Callback ){
+        Select *pFirst = p;
+        while( pFirst->pPrior ) pFirst = pFirst->pPrior;
+        generateColumnNames(pParse, 0, pFirst->pEList);
+      }
+      iBreak = sqlite3VdbeMakeLabel(v);
+      iCont = sqlite3VdbeMakeLabel(v);
+      computeLimitRegisters(pParse, p, iBreak);
+      sqlite3VdbeAddOp(v, OP_Rewind, tab1, iBreak);
+      iStart = sqlite3VdbeAddOp(v, OP_RowKey, tab1, 0);
+      sqlite3VdbeAddOp(v, OP_NotFound, tab2, iCont);
+      rc = selectInnerLoop(pParse, p, p->pEList, tab1, p->pEList->nExpr,
+                             pOrderBy, -1, eDest, iParm, 
+                             iCont, iBreak, 0);
+      if( rc ){
+        rc = 1;
+        goto multi_select_end;
+      }
+      sqlite3VdbeResolveLabel(v, iCont);
+      sqlite3VdbeAddOp(v, OP_Next, tab1, iStart);
+      sqlite3VdbeResolveLabel(v, iBreak);
+      sqlite3VdbeAddOp(v, OP_Close, tab2, 0);
+      sqlite3VdbeAddOp(v, OP_Close, tab1, 0);
+      break;
+    }
+  }
+
+  /* Make sure all SELECTs in the statement have the same number of elements
+  ** in their result sets.
+  */
+  assert( p->pEList && pPrior->pEList );
+  if( p->pEList->nExpr!=pPrior->pEList->nExpr ){
+    sqlite3ErrorMsg(pParse, "SELECTs to the left and right of %s"
+      " do not have the same number of result columns", selectOpName(p->op));
+    rc = 1;
+    goto multi_select_end;
+  }
+
+  /* Set the number of columns in temporary tables
+  */
+  nCol = p->pEList->nExpr;
+  while( nSetP2 ){
+    sqlite3VdbeChangeP2(v, aSetP2[--nSetP2], nCol);
+  }
+
+  /* Compute collating sequences used by either the ORDER BY clause or
+  ** by any temporary tables needed to implement the compound select.
+  ** Attach the KeyInfo structure to all temporary tables.  Invoke the
+  ** ORDER BY processing if there is an ORDER BY clause.
+  **
+  ** This section is run by the right-most SELECT statement only.
+  ** SELECT statements to the left always skip this part.  The right-most
+  ** SELECT might also skip this part if it has no ORDER BY clause and
+  ** no temp tables are required.
+  */
+  if( pOrderBy || p->usesEphm ){
+    int i;                        /* Loop counter */
+    KeyInfo *pKeyInfo;            /* Collating sequence for the result set */
+    Select *pLoop;                /* For looping through SELECT statements */
+    int nKeyCol;                  /* Number of entries in pKeyInfo->aCol[] */
+    CollSeq **apColl;
+    CollSeq **aCopy;
+
+    assert( p->pRightmost==p );
+    nKeyCol = nCol + (pOrderBy ? pOrderBy->nExpr : 0);
+    pKeyInfo = sqliteMalloc(sizeof(*pKeyInfo)+nKeyCol*(sizeof(CollSeq*) + 1));
+    if( !pKeyInfo ){
+      rc = SQLITE_NOMEM;
+      goto multi_select_end;
+    }
+
+    pKeyInfo->enc = ENC(pParse->db);
+    pKeyInfo->nField = nCol;
+
+    for(i=0, apColl=pKeyInfo->aColl; i<nCol; i++, apColl++){
+      *apColl = multiSelectCollSeq(pParse, p, i);
+      if( 0==*apColl ){
+        *apColl = pParse->db->pDfltColl;
+      }
+    }
+
+    for(pLoop=p; pLoop; pLoop=pLoop->pPrior){
+      for(i=0; i<2; i++){
+        int addr = pLoop->addrOpenEphm[i];
+        if( addr<0 ){
+          /* If [0] is unused then [1] is also unused.  So we can
+          ** always safely abort as soon as the first unused slot is found */
+          assert( pLoop->addrOpenEphm[1]<0 );
+          break;
+        }
+        sqlite3VdbeChangeP2(v, addr, nCol);
+        sqlite3VdbeChangeP3(v, addr, (char*)pKeyInfo, P3_KEYINFO);
+        pLoop->addrOpenEphm[i] = -1;
+      }
+    }
+
+    if( pOrderBy ){
+      struct ExprList_item *pOTerm = pOrderBy->a;
+      int nOrderByExpr = pOrderBy->nExpr;
+      int addr;
+      u8 *pSortOrder;
+
+      aCopy = &pKeyInfo->aColl[nOrderByExpr];
+      pSortOrder = pKeyInfo->aSortOrder = (u8*)&aCopy[nCol];
+      memcpy(aCopy, pKeyInfo->aColl, nCol*sizeof(CollSeq*));
+      apColl = pKeyInfo->aColl;
+      for(i=0; i<nOrderByExpr; i++, pOTerm++, apColl++, pSortOrder++){
+        Expr *pExpr = pOTerm->pExpr;
+        if( (pExpr->flags & EP_ExpCollate) ){
+          assert( pExpr->pColl!=0 );
+          *apColl = pExpr->pColl;
+        }else{
+          *apColl = aCopy[pExpr->iColumn];
+        }
+        *pSortOrder = pOTerm->sortOrder;
+      }
+      assert( p->pRightmost==p );
+      assert( p->addrOpenEphm[2]>=0 );
+      addr = p->addrOpenEphm[2];
+      sqlite3VdbeChangeP2(v, addr, p->pEList->nExpr+2);
+      pKeyInfo->nField = nOrderByExpr;
+      sqlite3VdbeChangeP3(v, addr, (char*)pKeyInfo, P3_KEYINFO_HANDOFF);
+      pKeyInfo = 0;
+      generateSortTail(pParse, p, v, p->pEList->nExpr, eDest, iParm);
+    }
+
+    sqliteFree(pKeyInfo);
+  }
+
+multi_select_end:
+  return rc;
+}
+#endif /* SQLITE_OMIT_COMPOUND_SELECT */
+
+#ifndef SQLITE_OMIT_VIEW
+/*
+** Scan through the expression pExpr.  Replace every reference to
+** a column in table number iTable with a copy of the iColumn-th
+** entry in pEList.  (But leave references to the ROWID column 
+** unchanged.)
+**
+** This routine is part of the flattening procedure.  A subquery
+** whose result set is defined by pEList appears as entry in the
+** FROM clause of a SELECT such that the VDBE cursor assigned to that
+** FORM clause entry is iTable.  This routine make the necessary 
+** changes to pExpr so that it refers directly to the source table
+** of the subquery rather the result set of the subquery.
+*/
+static void substExprList(ExprList*,int,ExprList*);  /* Forward Decl */
+static void substSelect(Select *, int, ExprList *);  /* Forward Decl */
+static void substExpr(Expr *pExpr, int iTable, ExprList *pEList){
+  if( pExpr==0 ) return;
+  if( pExpr->op==TK_COLUMN && pExpr->iTable==iTable ){
+    if( pExpr->iColumn<0 ){
+      pExpr->op = TK_NULL;
+    }else{
+      Expr *pNew;
+      assert( pEList!=0 && pExpr->iColumn<pEList->nExpr );
+      assert( pExpr->pLeft==0 && pExpr->pRight==0 && pExpr->pList==0 );
+      pNew = pEList->a[pExpr->iColumn].pExpr;
+      assert( pNew!=0 );
+      pExpr->op = pNew->op;
+      assert( pExpr->pLeft==0 );
+      pExpr->pLeft = sqlite3ExprDup(pNew->pLeft);
+      assert( pExpr->pRight==0 );
+      pExpr->pRight = sqlite3ExprDup(pNew->pRight);
+      assert( pExpr->pList==0 );
+      pExpr->pList = sqlite3ExprListDup(pNew->pList);
+      pExpr->iTable = pNew->iTable;
+      pExpr->pTab = pNew->pTab;
+      pExpr->iColumn = pNew->iColumn;
+      pExpr->iAgg = pNew->iAgg;
+      sqlite3TokenCopy(&pExpr->token, &pNew->token);
+      sqlite3TokenCopy(&pExpr->span, &pNew->span);
+      pExpr->pSelect = sqlite3SelectDup(pNew->pSelect);
+      pExpr->flags = pNew->flags;
+    }
+  }else{
+    substExpr(pExpr->pLeft, iTable, pEList);
+    substExpr(pExpr->pRight, iTable, pEList);
+    substSelect(pExpr->pSelect, iTable, pEList);
+    substExprList(pExpr->pList, iTable, pEList);
+  }
+}
+static void substExprList(ExprList *pList, int iTable, ExprList *pEList){
+  int i;
+  if( pList==0 ) return;
+  for(i=0; i<pList->nExpr; i++){
+    substExpr(pList->a[i].pExpr, iTable, pEList);
+  }
+}
+static void substSelect(Select *p, int iTable, ExprList *pEList){
+  if( !p ) return;
+  substExprList(p->pEList, iTable, pEList);
+  substExprList(p->pGroupBy, iTable, pEList);
+  substExprList(p->pOrderBy, iTable, pEList);
+  substExpr(p->pHaving, iTable, pEList);
+  substExpr(p->pWhere, iTable, pEList);
+}
+#endif /* !defined(SQLITE_OMIT_VIEW) */
+
+#ifndef SQLITE_OMIT_VIEW
+/*
+** This routine attempts to flatten subqueries in order to speed
+** execution.  It returns 1 if it makes changes and 0 if no flattening
+** occurs.
+**
+** To understand the concept of flattening, consider the following
+** query:
+**
+**     SELECT a FROM (SELECT x+y AS a FROM t1 WHERE z<100) WHERE a>5
+**
+** The default way of implementing this query is to execute the
+** subquery first and store the results in a temporary table, then
+** run the outer query on that temporary table.  This requires two
+** passes over the data.  Furthermore, because the temporary table
+** has no indices, the WHERE clause on the outer query cannot be
+** optimized.
+**
+** This routine attempts to rewrite queries such as the above into
+** a single flat select, like this:
+**
+**     SELECT x+y AS a FROM t1 WHERE z<100 AND a>5
+**
+** The code generated for this simpification gives the same result
+** but only has to scan the data once.  And because indices might 
+** exist on the table t1, a complete scan of the data might be
+** avoided.
+**
+** Flattening is only attempted if all of the following are true:
+**
+**   (1)  The subquery and the outer query do not both use aggregates.
+**
+**   (2)  The subquery is not an aggregate or the outer query is not a join.
+**
+**   (3)  The subquery is not the right operand of a left outer join, or
+**        the subquery is not itself a join.  (Ticket #306)
+**
+**   (4)  The subquery is not DISTINCT or the outer query is not a join.
+**
+**   (5)  The subquery is not DISTINCT or the outer query does not use
+**        aggregates.
+**
+**   (6)  The subquery does not use aggregates or the outer query is not
+**        DISTINCT.
+**
+**   (7)  The subquery has a FROM clause.
+**
+**   (8)  The subquery does not use LIMIT or the outer query is not a join.
+**
+**   (9)  The subquery does not use LIMIT or the outer query does not use
+**        aggregates.
+**
+**  (10)  The subquery does not use aggregates or the outer query does not
+**        use LIMIT.
+**
+**  (11)  The subquery and the outer query do not both have ORDER BY clauses.
+**
+**  (12)  The subquery is not the right term of a LEFT OUTER JOIN or the
+**        subquery has no WHERE clause.  (added by ticket #350)
+**
+**  (13)  The subquery and outer query do not both use LIMIT
+**
+**  (14)  The subquery does not use OFFSET
+**
+** In this routine, the "p" parameter is a pointer to the outer query.
+** The subquery is p->pSrc->a[iFrom].  isAgg is true if the outer query
+** uses aggregates and subqueryIsAgg is true if the subquery uses aggregates.
+**
+** If flattening is not attempted, this routine is a no-op and returns 0.
+** If flattening is attempted this routine returns 1.
+**
+** All of the expression analysis must occur on both the outer query and
+** the subquery before this routine runs.
+*/
+static int flattenSubquery(
+  Select *p,           /* The parent or outer SELECT statement */
+  int iFrom,           /* Index in p->pSrc->a[] of the inner subquery */
+  int isAgg,           /* True if outer SELECT uses aggregate functions */
+  int subqueryIsAgg    /* True if the subquery uses aggregate functions */
+){
+  Select *pSub;       /* The inner query or "subquery" */
+  SrcList *pSrc;      /* The FROM clause of the outer query */
+  SrcList *pSubSrc;   /* The FROM clause of the subquery */
+  ExprList *pList;    /* The result set of the outer query */
+  int iParent;        /* VDBE cursor number of the pSub result set temp table */
+  int i;              /* Loop counter */
+  Expr *pWhere;                    /* The WHERE clause */
+  struct SrcList_item *pSubitem;   /* The subquery */
+
+  /* Check to see if flattening is permitted.  Return 0 if not.
+  */
+  if( p==0 ) return 0;
+  pSrc = p->pSrc;
+  assert( pSrc && iFrom>=0 && iFrom<pSrc->nSrc );
+  pSubitem = &pSrc->a[iFrom];
+  pSub = pSubitem->pSelect;
+  assert( pSub!=0 );
+  if( isAgg && subqueryIsAgg ) return 0;                 /* Restriction (1)  */
+  if( subqueryIsAgg && pSrc->nSrc>1 ) return 0;          /* Restriction (2)  */
+  pSubSrc = pSub->pSrc;
+  assert( pSubSrc );
+  /* Prior to version 3.1.2, when LIMIT and OFFSET had to be simple constants,
+  ** not arbitrary expresssions, we allowed some combining of LIMIT and OFFSET
+  ** because they could be computed at compile-time.  But when LIMIT and OFFSET
+  ** became arbitrary expressions, we were forced to add restrictions (13)
+  ** and (14). */
+  if( pSub->pLimit && p->pLimit ) return 0;              /* Restriction (13) */
+  if( pSub->pOffset ) return 0;                          /* Restriction (14) */
+  if( pSubSrc->nSrc==0 ) return 0;                       /* Restriction (7)  */
+  if( (pSub->isDistinct || pSub->pLimit) 
+         && (pSrc->nSrc>1 || isAgg) ){          /* Restrictions (4)(5)(8)(9) */
+     return 0;       
+  }
+  if( p->isDistinct && subqueryIsAgg ) return 0;         /* Restriction (6)  */
+  if( (p->disallowOrderBy || p->pOrderBy) && pSub->pOrderBy ){
+     return 0;                                           /* Restriction (11) */
+  }
+
+  /* Restriction 3:  If the subquery is a join, make sure the subquery is 
+  ** not used as the right operand of an outer join.  Examples of why this
+  ** is not allowed:
+  **
+  **         t1 LEFT OUTER JOIN (t2 JOIN t3)
+  **
+  ** If we flatten the above, we would get
+  **
+  **         (t1 LEFT OUTER JOIN t2) JOIN t3
+  **
+  ** which is not at all the same thing.
+  */
+  if( pSubSrc->nSrc>1 && (pSubitem->jointype & JT_OUTER)!=0 ){
+    return 0;
+  }
+
+  /* Restriction 12:  If the subquery is the right operand of a left outer
+  ** join, make sure the subquery has no WHERE clause.
+  ** An examples of why this is not allowed:
+  **
+  **         t1 LEFT OUTER JOIN (SELECT * FROM t2 WHERE t2.x>0)
+  **
+  ** If we flatten the above, we would get
+  **
+  **         (t1 LEFT OUTER JOIN t2) WHERE t2.x>0
+  **
+  ** But the t2.x>0 test will always fail on a NULL row of t2, which
+  ** effectively converts the OUTER JOIN into an INNER JOIN.
+  */
+  if( (pSubitem->jointype & JT_OUTER)!=0 && pSub->pWhere!=0 ){
+    return 0;
+  }
+
+  /* If we reach this point, it means flattening is permitted for the
+  ** iFrom-th entry of the FROM clause in the outer query.
+  */
+
+  /* Move all of the FROM elements of the subquery into the
+  ** the FROM clause of the outer query.  Before doing this, remember
+  ** the cursor number for the original outer query FROM element in
+  ** iParent.  The iParent cursor will never be used.  Subsequent code
+  ** will scan expressions looking for iParent references and replace
+  ** those references with expressions that resolve to the subquery FROM
+  ** elements we are now copying in.
+  */
+  iParent = pSubitem->iCursor;
+  {
+    int nSubSrc = pSubSrc->nSrc;
+    int jointype = pSubitem->jointype;
+
+    sqlite3DeleteTable(pSubitem->pTab);
+    sqliteFree(pSubitem->zDatabase);
+    sqliteFree(pSubitem->zName);
+    sqliteFree(pSubitem->zAlias);
+    if( nSubSrc>1 ){
+      int extra = nSubSrc - 1;
+      for(i=1; i<nSubSrc; i++){
+        pSrc = sqlite3SrcListAppend(pSrc, 0, 0);
+      }
+      p->pSrc = pSrc;
+      for(i=pSrc->nSrc-1; i-extra>=iFrom; i--){
+        pSrc->a[i] = pSrc->a[i-extra];
+      }
+    }
+    for(i=0; i<nSubSrc; i++){
+      pSrc->a[i+iFrom] = pSubSrc->a[i];
+      memset(&pSubSrc->a[i], 0, sizeof(pSubSrc->a[i]));
+    }
+    pSrc->a[iFrom].jointype = jointype;
+  }
+
+  /* Now begin substituting subquery result set expressions for 
+  ** references to the iParent in the outer query.
+  ** 
+  ** Example:
+  **
+  **   SELECT a+5, b*10 FROM (SELECT x*3 AS a, y+10 AS b FROM t1) WHERE a>b;
+  **   \                     \_____________ subquery __________/          /
+  **    \_____________________ outer query ______________________________/
+  **
+  ** We look at every expression in the outer query and every place we see
+  ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
+  */
+  pList = p->pEList;
+  for(i=0; i<pList->nExpr; i++){
+    Expr *pExpr;
+    if( pList->a[i].zName==0 && (pExpr = pList->a[i].pExpr)->span.z!=0 ){
+      pList->a[i].zName = sqliteStrNDup((char*)pExpr->span.z, pExpr->span.n);
+    }
+  }
+  substExprList(p->pEList, iParent, pSub->pEList);
+  if( isAgg ){
+    substExprList(p->pGroupBy, iParent, pSub->pEList);
+    substExpr(p->pHaving, iParent, pSub->pEList);
+  }
+  if( pSub->pOrderBy ){
+    assert( p->pOrderBy==0 );
+    p->pOrderBy = pSub->pOrderBy;
+    pSub->pOrderBy = 0;
+  }else if( p->pOrderBy ){
+    substExprList(p->pOrderBy, iParent, pSub->pEList);
+  }
+  if( pSub->pWhere ){
+    pWhere = sqlite3ExprDup(pSub->pWhere);
+  }else{
+    pWhere = 0;
+  }
+  if( subqueryIsAgg ){
+    assert( p->pHaving==0 );
+    p->pHaving = p->pWhere;
+    p->pWhere = pWhere;
+    substExpr(p->pHaving, iParent, pSub->pEList);
+    p->pHaving = sqlite3ExprAnd(p->pHaving, sqlite3ExprDup(pSub->pHaving));
+    assert( p->pGroupBy==0 );
+    p->pGroupBy = sqlite3ExprListDup(pSub->pGroupBy);
+  }else{
+    substExpr(p->pWhere, iParent, pSub->pEList);
+    p->pWhere = sqlite3ExprAnd(p->pWhere, pWhere);
+  }
+
+  /* The flattened query is distinct if either the inner or the
+  ** outer query is distinct. 
+  */
+  p->isDistinct = p->isDistinct || pSub->isDistinct;
+
+  /*
+  ** SELECT ... FROM (SELECT ... LIMIT a OFFSET b) LIMIT x OFFSET y;
+  **
+  ** One is tempted to try to add a and b to combine the limits.  But this
+  ** does not work if either limit is negative.
+  */
+  if( pSub->pLimit ){
+    p->pLimit = pSub->pLimit;
+    pSub->pLimit = 0;
+  }
+
+  /* Finially, delete what is left of the subquery and return
+  ** success.
+  */
+  sqlite3SelectDelete(pSub);
+  return 1;
+}
+#endif /* SQLITE_OMIT_VIEW */
+
+/*
+** Analyze the SELECT statement passed in as an argument to see if it
+** is a simple min() or max() query.  If it is and this query can be
+** satisfied using a single seek to the beginning or end of an index,
+** then generate the code for this SELECT and return 1.  If this is not a 
+** simple min() or max() query, then return 0;
+**
+** A simply min() or max() query looks like this:
+**
+**    SELECT min(a) FROM table;
+**    SELECT max(a) FROM table;
+**
+** The query may have only a single table in its FROM argument.  There
+** can be no GROUP BY or HAVING or WHERE clauses.  The result set must
+** be the min() or max() of a single column of the table.  The column
+** in the min() or max() function must be indexed.
+**
+** The parameters to this routine are the same as for sqlite3Select().
+** See the header comment on that routine for additional information.
+*/
+static int simpleMinMaxQuery(Parse *pParse, Select *p, int eDest, int iParm){
+  Expr *pExpr;
+  int iCol;
+  Table *pTab;
+  Index *pIdx;
+  int base;
+  Vdbe *v;
+  int seekOp;
+  ExprList *pEList, *pList, eList;
+  struct ExprList_item eListItem;
+  SrcList *pSrc;
+  int brk;
+  int iDb;
+
+  /* Check to see if this query is a simple min() or max() query.  Return
+  ** zero if it is  not.
+  */
+  if( p->pGroupBy || p->pHaving || p->pWhere ) return 0;
+  pSrc = p->pSrc;
+  if( pSrc->nSrc!=1 ) return 0;
+  pEList = p->pEList;
+  if( pEList->nExpr!=1 ) return 0;
+  pExpr = pEList->a[0].pExpr;
+  if( pExpr->op!=TK_AGG_FUNCTION ) return 0;
+  pList = pExpr->pList;
+  if( pList==0 || pList->nExpr!=1 ) return 0;
+  if( pExpr->token.n!=3 ) return 0;
+  if( sqlite3StrNICmp((char*)pExpr->token.z,"min",3)==0 ){
+    seekOp = OP_Rewind;
+  }else if( sqlite3StrNICmp((char*)pExpr->token.z,"max",3)==0 ){
+    seekOp = OP_Last;
+  }else{
+    return 0;
+  }
+  pExpr = pList->a[0].pExpr;
+  if( pExpr->op!=TK_COLUMN ) return 0;
+  iCol = pExpr->iColumn;
+  pTab = pSrc->a[0].pTab;
+
+  /* This optimization cannot be used with virtual tables. */
+  if( IsVirtual(pTab) ) return 0;
+
+  /* If we get to here, it means the query is of the correct form.
+  ** Check to make sure we have an index and make pIdx point to the
+  ** appropriate index.  If the min() or max() is on an INTEGER PRIMARY
+  ** key column, no index is necessary so set pIdx to NULL.  If no
+  ** usable index is found, return 0.
+  */
+  if( iCol<0 ){
+    pIdx = 0;
+  }else{
+    CollSeq *pColl = sqlite3ExprCollSeq(pParse, pExpr);
+    if( pColl==0 ) return 0;
+    for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+      assert( pIdx->nColumn>=1 );
+      if( pIdx->aiColumn[0]==iCol && 
+          0==sqlite3StrICmp(pIdx->azColl[0], pColl->zName) ){
+        break;
+      }
+    }
+    if( pIdx==0 ) return 0;
+  }
+
+  /* Identify column types if we will be using the callback.  This
+  ** step is skipped if the output is going to a table or a memory cell.
+  ** The column names have already been generated in the calling function.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) return 0;
+
+  /* If the output is destined for a temporary table, open that table.
+  */
+  if( eDest==SRT_EphemTab ){
+    sqlite3VdbeAddOp(v, OP_OpenEphemeral, iParm, 1);
+  }
+
+  /* Generating code to find the min or the max.  Basically all we have
+  ** to do is find the first or the last entry in the chosen index.  If
+  ** the min() or max() is on the INTEGER PRIMARY KEY, then find the first
+  ** or last entry in the main table.
+  */
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+  assert( iDb>=0 || pTab->isEphem );
+  sqlite3CodeVerifySchema(pParse, iDb);
+  sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);
+  base = pSrc->a[0].iCursor;
+  brk = sqlite3VdbeMakeLabel(v);
+  computeLimitRegisters(pParse, p, brk);
+  if( pSrc->a[0].pSelect==0 ){
+    sqlite3OpenTable(pParse, base, iDb, pTab, OP_OpenRead);
+  }
+  if( pIdx==0 ){
+    sqlite3VdbeAddOp(v, seekOp, base, 0);
+  }else{
+    /* Even though the cursor used to open the index here is closed
+    ** as soon as a single value has been read from it, allocate it
+    ** using (pParse->nTab++) to prevent the cursor id from being 
+    ** reused. This is important for statements of the form 
+    ** "INSERT INTO x SELECT max() FROM x".
+    */
+    int iIdx;
+    KeyInfo *pKey = sqlite3IndexKeyinfo(pParse, pIdx);
+    iIdx = pParse->nTab++;
+    assert( pIdx->pSchema==pTab->pSchema );
+    sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+    sqlite3VdbeOp3(v, OP_OpenRead, iIdx, pIdx->tnum, 
+        (char*)pKey, P3_KEYINFO_HANDOFF);
+    if( seekOp==OP_Rewind ){
+      sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+      sqlite3VdbeAddOp(v, OP_MakeRecord, 1, 0);
+      seekOp = OP_MoveGt;
+    }
+    sqlite3VdbeAddOp(v, seekOp, iIdx, 0);
+    sqlite3VdbeAddOp(v, OP_IdxRowid, iIdx, 0);
+    sqlite3VdbeAddOp(v, OP_Close, iIdx, 0);
+    sqlite3VdbeAddOp(v, OP_MoveGe, base, 0);
+  }
+  eList.nExpr = 1;
+  memset(&eListItem, 0, sizeof(eListItem));
+  eList.a = &eListItem;
+  eList.a[0].pExpr = pExpr;
+  selectInnerLoop(pParse, p, &eList, 0, 0, 0, -1, eDest, iParm, brk, brk, 0);
+  sqlite3VdbeResolveLabel(v, brk);
+  sqlite3VdbeAddOp(v, OP_Close, base, 0);
+  
+  return 1;
+}
+
+/*
+** Analyze and ORDER BY or GROUP BY clause in a SELECT statement.  Return
+** the number of errors seen.
+**
+** An ORDER BY or GROUP BY is a list of expressions.  If any expression
+** is an integer constant, then that expression is replaced by the
+** corresponding entry in the result set.
+*/
+static int processOrderGroupBy(
+  NameContext *pNC,     /* Name context of the SELECT statement. */
+  ExprList *pOrderBy,   /* The ORDER BY or GROUP BY clause to be processed */
+  const char *zType     /* Either "ORDER" or "GROUP", as appropriate */
+){
+  int i;
+  ExprList *pEList = pNC->pEList;     /* The result set of the SELECT */
+  Parse *pParse = pNC->pParse;     /* The result set of the SELECT */
+  assert( pEList );
+
+  if( pOrderBy==0 ) return 0;
+  for(i=0; i<pOrderBy->nExpr; i++){
+    int iCol;
+    Expr *pE = pOrderBy->a[i].pExpr;
+    if( sqlite3ExprIsInteger(pE, &iCol) ){
+      if( iCol>0 && iCol<=pEList->nExpr ){
+        CollSeq *pColl = pE->pColl;
+        int flags = pE->flags & EP_ExpCollate;
+        sqlite3ExprDelete(pE);
+        pE = pOrderBy->a[i].pExpr = sqlite3ExprDup(pEList->a[iCol-1].pExpr);
+        if( pColl && flags ){
+          pE->pColl = pColl;
+          pE->flags |= flags;
+        }
+      }else{
+        sqlite3ErrorMsg(pParse, 
+           "%s BY column number %d out of range - should be "
+           "between 1 and %d", zType, iCol, pEList->nExpr);
+        return 1;
+      }
+    }
+    if( sqlite3ExprResolveNames(pNC, pE) ){
+      return 1;
+    }
+  }
+  return 0;
+}
+
+/*
+** This routine resolves any names used in the result set of the
+** supplied SELECT statement. If the SELECT statement being resolved
+** is a sub-select, then pOuterNC is a pointer to the NameContext 
+** of the parent SELECT.
+*/
+int sqlite3SelectResolve(
+  Parse *pParse,         /* The parser context */
+  Select *p,             /* The SELECT statement being coded. */
+  NameContext *pOuterNC  /* The outer name context. May be NULL. */
+){
+  ExprList *pEList;          /* Result set. */
+  int i;                     /* For-loop variable used in multiple places */
+  NameContext sNC;           /* Local name-context */
+  ExprList *pGroupBy;        /* The group by clause */
+
+  /* If this routine has run before, return immediately. */
+  if( p->isResolved ){
+    assert( !pOuterNC );
+    return SQLITE_OK;
+  }
+  p->isResolved = 1;
+
+  /* If there have already been errors, do nothing. */
+  if( pParse->nErr>0 ){
+    return SQLITE_ERROR;
+  }
+
+  /* Prepare the select statement. This call will allocate all cursors
+  ** required to handle the tables and subqueries in the FROM clause.
+  */
+  if( prepSelectStmt(pParse, p) ){
+    return SQLITE_ERROR;
+  }
+
+  /* Resolve the expressions in the LIMIT and OFFSET clauses. These
+  ** are not allowed to refer to any names, so pass an empty NameContext.
+  */
+  memset(&sNC, 0, sizeof(sNC));
+  sNC.pParse = pParse;
+  if( sqlite3ExprResolveNames(&sNC, p->pLimit) ||
+      sqlite3ExprResolveNames(&sNC, p->pOffset) ){
+    return SQLITE_ERROR;
+  }
+
+  /* Set up the local name-context to pass to ExprResolveNames() to
+  ** resolve the expression-list.
+  */
+  sNC.allowAgg = 1;
+  sNC.pSrcList = p->pSrc;
+  sNC.pNext = pOuterNC;
+
+  /* Resolve names in the result set. */
+  pEList = p->pEList;
+  if( !pEList ) return SQLITE_ERROR;
+  for(i=0; i<pEList->nExpr; i++){
+    Expr *pX = pEList->a[i].pExpr;
+    if( sqlite3ExprResolveNames(&sNC, pX) ){
+      return SQLITE_ERROR;
+    }
+  }
+
+  /* If there are no aggregate functions in the result-set, and no GROUP BY 
+  ** expression, do not allow aggregates in any of the other expressions.
+  */
+  assert( !p->isAgg );
+  pGroupBy = p->pGroupBy;
+  if( pGroupBy || sNC.hasAgg ){
+    p->isAgg = 1;
+  }else{
+    sNC.allowAgg = 0;
+  }
+
+  /* If a HAVING clause is present, then there must be a GROUP BY clause.
+  */
+  if( p->pHaving && !pGroupBy ){
+    sqlite3ErrorMsg(pParse, "a GROUP BY clause is required before HAVING");
+    return SQLITE_ERROR;
+  }
+
+  /* Add the expression list to the name-context before parsing the
+  ** other expressions in the SELECT statement. This is so that
+  ** expressions in the WHERE clause (etc.) can refer to expressions by
+  ** aliases in the result set.
+  **
+  ** Minor point: If this is the case, then the expression will be
+  ** re-evaluated for each reference to it.
+  */
+  sNC.pEList = p->pEList;
+  if( sqlite3ExprResolveNames(&sNC, p->pWhere) ||
+     sqlite3ExprResolveNames(&sNC, p->pHaving) ){
+    return SQLITE_ERROR;
+  }
+  if( p->pPrior==0 ){
+    if( processOrderGroupBy(&sNC, p->pOrderBy, "ORDER") ||
+        processOrderGroupBy(&sNC, pGroupBy, "GROUP") ){
+      return SQLITE_ERROR;
+    }
+  }
+
+  /* Make sure the GROUP BY clause does not contain aggregate functions.
+  */
+  if( pGroupBy ){
+    struct ExprList_item *pItem;
+  
+    for(i=0, pItem=pGroupBy->a; i<pGroupBy->nExpr; i++, pItem++){
+      if( ExprHasProperty(pItem->pExpr, EP_Agg) ){
+        sqlite3ErrorMsg(pParse, "aggregate functions are not allowed in "
+            "the GROUP BY clause");
+        return SQLITE_ERROR;
+      }
+    }
+  }
+
+  /* If this is one SELECT of a compound, be sure to resolve names
+  ** in the other SELECTs.
+  */
+  if( p->pPrior ){
+    return sqlite3SelectResolve(pParse, p->pPrior, pOuterNC);
+  }else{
+    return SQLITE_OK;
+  }
+}
+
+/*
+** Reset the aggregate accumulator.
+**
+** The aggregate accumulator is a set of memory cells that hold
+** intermediate results while calculating an aggregate.  This
+** routine simply stores NULLs in all of those memory cells.
+*/
+static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
+  Vdbe *v = pParse->pVdbe;
+  int i;
+  struct AggInfo_func *pFunc;
+  if( pAggInfo->nFunc+pAggInfo->nColumn==0 ){
+    return;
+  }
+  for(i=0; i<pAggInfo->nColumn; i++){
+    sqlite3VdbeAddOp(v, OP_MemNull, pAggInfo->aCol[i].iMem, 0);
+  }
+  for(pFunc=pAggInfo->aFunc, i=0; i<pAggInfo->nFunc; i++, pFunc++){
+    sqlite3VdbeAddOp(v, OP_MemNull, pFunc->iMem, 0);
+    if( pFunc->iDistinct>=0 ){
+      Expr *pE = pFunc->pExpr;
+      if( pE->pList==0 || pE->pList->nExpr!=1 ){
+        sqlite3ErrorMsg(pParse, "DISTINCT in aggregate must be followed "
+           "by an expression");
+        pFunc->iDistinct = -1;
+      }else{
+        KeyInfo *pKeyInfo = keyInfoFromExprList(pParse, pE->pList);
+        sqlite3VdbeOp3(v, OP_OpenEphemeral, pFunc->iDistinct, 0, 
+                          (char*)pKeyInfo, P3_KEYINFO_HANDOFF);
+      }
+    }
+  }
+}
+
+/*
+** Invoke the OP_AggFinalize opcode for every aggregate function
+** in the AggInfo structure.
+*/
+static void finalizeAggFunctions(Parse *pParse, AggInfo *pAggInfo){
+  Vdbe *v = pParse->pVdbe;
+  int i;
+  struct AggInfo_func *pF;
+  for(i=0, pF=pAggInfo->aFunc; i<pAggInfo->nFunc; i++, pF++){
+    ExprList *pList = pF->pExpr->pList;
+    sqlite3VdbeOp3(v, OP_AggFinal, pF->iMem, pList ? pList->nExpr : 0,
+                      (void*)pF->pFunc, P3_FUNCDEF);
+  }
+}
+
+/*
+** Update the accumulator memory cells for an aggregate based on
+** the current cursor position.
+*/
+static void updateAccumulator(Parse *pParse, AggInfo *pAggInfo){
+  Vdbe *v = pParse->pVdbe;
+  int i;
+  struct AggInfo_func *pF;
+  struct AggInfo_col *pC;
+
+  pAggInfo->directMode = 1;
+  for(i=0, pF=pAggInfo->aFunc; i<pAggInfo->nFunc; i++, pF++){
+    int nArg;
+    int addrNext = 0;
+    ExprList *pList = pF->pExpr->pList;
+    if( pList ){
+      nArg = pList->nExpr;
+      sqlite3ExprCodeExprList(pParse, pList);
+    }else{
+      nArg = 0;
+    }
+    if( pF->iDistinct>=0 ){
+      addrNext = sqlite3VdbeMakeLabel(v);
+      assert( nArg==1 );
+      codeDistinct(v, pF->iDistinct, addrNext, 1);
+    }
+    if( pF->pFunc->needCollSeq ){
+      CollSeq *pColl = 0;
+      struct ExprList_item *pItem;
+      int j;
+      assert( pList!=0 );  /* pList!=0 if pF->pFunc->needCollSeq is true */
+      for(j=0, pItem=pList->a; !pColl && j<nArg; j++, pItem++){
+        pColl = sqlite3ExprCollSeq(pParse, pItem->pExpr);
+      }
+      if( !pColl ){
+        pColl = pParse->db->pDfltColl;
+      }
+      sqlite3VdbeOp3(v, OP_CollSeq, 0, 0, (char *)pColl, P3_COLLSEQ);
+    }
+    sqlite3VdbeOp3(v, OP_AggStep, pF->iMem, nArg, (void*)pF->pFunc, P3_FUNCDEF);
+    if( addrNext ){
+      sqlite3VdbeResolveLabel(v, addrNext);
+    }
+  }
+  for(i=0, pC=pAggInfo->aCol; i<pAggInfo->nAccumulator; i++, pC++){
+    sqlite3ExprCode(pParse, pC->pExpr);
+    sqlite3VdbeAddOp(v, OP_MemStore, pC->iMem, 1);
+  }
+  pAggInfo->directMode = 0;
+}
+
+
+/*
+** Generate code for the given SELECT statement.
+**
+** The results are distributed in various ways depending on the
+** value of eDest and iParm.
+**
+**     eDest Value       Result
+**     ------------    -------------------------------------------
+**     SRT_Callback    Invoke the callback for each row of the result.
+**
+**     SRT_Mem         Store first result in memory cell iParm
+**
+**     SRT_Set         Store results as keys of table iParm.
+**
+**     SRT_Union       Store results as a key in a temporary table iParm
+**
+**     SRT_Except      Remove results from the temporary table iParm.
+**
+**     SRT_Table       Store results in temporary table iParm
+**
+** The table above is incomplete.  Additional eDist value have be added
+** since this comment was written.  See the selectInnerLoop() function for
+** a complete listing of the allowed values of eDest and their meanings.
+**
+** This routine returns the number of errors.  If any errors are
+** encountered, then an appropriate error message is left in
+** pParse->zErrMsg.
+**
+** This routine does NOT free the Select structure passed in.  The
+** calling function needs to do that.
+**
+** The pParent, parentTab, and *pParentAgg fields are filled in if this
+** SELECT is a subquery.  This routine may try to combine this SELECT
+** with its parent to form a single flat query.  In so doing, it might
+** change the parent query from a non-aggregate to an aggregate query.
+** For that reason, the pParentAgg flag is passed as a pointer, so it
+** can be changed.
+**
+** Example 1:   The meaning of the pParent parameter.
+**
+**    SELECT * FROM t1 JOIN (SELECT x, count(*) FROM t2) JOIN t3;
+**    \                      \_______ subquery _______/        /
+**     \                                                      /
+**      \____________________ outer query ___________________/
+**
+** This routine is called for the outer query first.   For that call,
+** pParent will be NULL.  During the processing of the outer query, this 
+** routine is called recursively to handle the subquery.  For the recursive
+** call, pParent will point to the outer query.  Because the subquery is
+** the second element in a three-way join, the parentTab parameter will
+** be 1 (the 2nd value of a 0-indexed array.)
+*/
+int sqlite3Select(
+  Parse *pParse,         /* The parser context */
+  Select *p,             /* The SELECT statement being coded. */
+  int eDest,             /* How to dispose of the results */
+  int iParm,             /* A parameter used by the eDest disposal method */
+  Select *pParent,       /* Another SELECT for which this is a sub-query */
+  int parentTab,         /* Index in pParent->pSrc of this query */
+  int *pParentAgg,       /* True if pParent uses aggregate functions */
+  char *aff              /* If eDest is SRT_Union, the affinity string */
+){
+  int i, j;              /* Loop counters */
+  WhereInfo *pWInfo;     /* Return from sqlite3WhereBegin() */
+  Vdbe *v;               /* The virtual machine under construction */
+  int isAgg;             /* True for select lists like "count(*)" */
+  ExprList *pEList;      /* List of columns to extract. */
+  SrcList *pTabList;     /* List of tables to select from */
+  Expr *pWhere;          /* The WHERE clause.  May be NULL */
+  ExprList *pOrderBy;    /* The ORDER BY clause.  May be NULL */
+  ExprList *pGroupBy;    /* The GROUP BY clause.  May be NULL */
+  Expr *pHaving;         /* The HAVING clause.  May be NULL */
+  int isDistinct;        /* True if the DISTINCT keyword is present */
+  int distinct;          /* Table to use for the distinct set */
+  int rc = 1;            /* Value to return from this function */
+  int addrSortIndex;     /* Address of an OP_OpenEphemeral instruction */
+  AggInfo sAggInfo;      /* Information used by aggregate queries */
+  int iEnd;              /* Address of the end of the query */
+
+  if( p==0 || sqlite3MallocFailed() || pParse->nErr ){
+    return 1;
+  }
+  if( sqlite3AuthCheck(pParse, SQLITE_SELECT, 0, 0, 0) ) return 1;
+  memset(&sAggInfo, 0, sizeof(sAggInfo));
+
+#ifndef SQLITE_OMIT_COMPOUND_SELECT
+  /* If there is are a sequence of queries, do the earlier ones first.
+  */
+  if( p->pPrior ){
+    if( p->pRightmost==0 ){
+      Select *pLoop;
+      for(pLoop=p; pLoop; pLoop=pLoop->pPrior){
+        pLoop->pRightmost = p;
+      }
+    }
+    return multiSelect(pParse, p, eDest, iParm, aff);
+  }
+#endif
+
+  pOrderBy = p->pOrderBy;
+  if( IgnorableOrderby(eDest) ){
+    p->pOrderBy = 0;
+  }
+  if( sqlite3SelectResolve(pParse, p, 0) ){
+    goto select_end;
+  }
+  p->pOrderBy = pOrderBy;
+
+  /* Make local copies of the parameters for this query.
+  */
+  pTabList = p->pSrc;
+  pWhere = p->pWhere;
+  pGroupBy = p->pGroupBy;
+  pHaving = p->pHaving;
+  isAgg = p->isAgg;
+  isDistinct = p->isDistinct;
+  pEList = p->pEList;
+  if( pEList==0 ) goto select_end;
+
+  /* 
+  ** Do not even attempt to generate any code if we have already seen
+  ** errors before this routine starts.
+  */
+  if( pParse->nErr>0 ) goto select_end;
+
+  /* If writing to memory or generating a set
+  ** only a single column may be output.
+  */
+#ifndef SQLITE_OMIT_SUBQUERY
+  if( (eDest==SRT_Mem || eDest==SRT_Set) && pEList->nExpr>1 ){
+    sqlite3ErrorMsg(pParse, "only a single result allowed for "
+       "a SELECT that is part of an expression");
+    goto select_end;
+  }
+#endif
+
+  /* ORDER BY is ignored for some destinations.
+  */
+  if( IgnorableOrderby(eDest) ){
+    pOrderBy = 0;
+  }
+
+  /* Begin generating code.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) goto select_end;
+
+  /* Generate code for all sub-queries in the FROM clause
+  */
+#if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)
+  for(i=0; i<pTabList->nSrc; i++){
+    const char *zSavedAuthContext = 0;
+    int needRestoreContext;
+    struct SrcList_item *pItem = &pTabList->a[i];
+
+    if( pItem->pSelect==0 || pItem->isPopulated ) continue;
+    if( pItem->zName!=0 ){
+      zSavedAuthContext = pParse->zAuthContext;
+      pParse->zAuthContext = pItem->zName;
+      needRestoreContext = 1;
+    }else{
+      needRestoreContext = 0;
+    }
+    sqlite3Select(pParse, pItem->pSelect, SRT_EphemTab, 
+                 pItem->iCursor, p, i, &isAgg, 0);
+    if( needRestoreContext ){
+      pParse->zAuthContext = zSavedAuthContext;
+    }
+    pTabList = p->pSrc;
+    pWhere = p->pWhere;
+    if( !IgnorableOrderby(eDest) ){
+      pOrderBy = p->pOrderBy;
+    }
+    pGroupBy = p->pGroupBy;
+    pHaving = p->pHaving;
+    isDistinct = p->isDistinct;
+  }
+#endif
+
+  /* Check for the special case of a min() or max() function by itself
+  ** in the result set.
+  */
+  if( simpleMinMaxQuery(pParse, p, eDest, iParm) ){
+    rc = 0;
+    goto select_end;
+  }
+
+  /* Check to see if this is a subquery that can be "flattened" into its parent.
+  ** If flattening is a possiblity, do so and return immediately.  
+  */
+#ifndef SQLITE_OMIT_VIEW
+  if( pParent && pParentAgg &&
+      flattenSubquery(pParent, parentTab, *pParentAgg, isAgg) ){
+    if( isAgg ) *pParentAgg = 1;
+    goto select_end;
+  }
+#endif
+
+  /* If there is an ORDER BY clause, then this sorting
+  ** index might end up being unused if the data can be 
+  ** extracted in pre-sorted order.  If that is the case, then the
+  ** OP_OpenEphemeral instruction will be changed to an OP_Noop once
+  ** we figure out that the sorting index is not needed.  The addrSortIndex
+  ** variable is used to facilitate that change.
+  */
+  if( pOrderBy ){
+    KeyInfo *pKeyInfo;
+    if( pParse->nErr ){
+      goto select_end;
+    }
+    pKeyInfo = keyInfoFromExprList(pParse, pOrderBy);
+    pOrderBy->iECursor = pParse->nTab++;
+    p->addrOpenEphm[2] = addrSortIndex =
+      sqlite3VdbeOp3(v, OP_OpenEphemeral, pOrderBy->iECursor, pOrderBy->nExpr+2,                     (char*)pKeyInfo, P3_KEYINFO_HANDOFF);
+  }else{
+    addrSortIndex = -1;
+  }
+
+  /* If the output is destined for a temporary table, open that table.
+  */
+  if( eDest==SRT_EphemTab ){
+    sqlite3VdbeAddOp(v, OP_OpenEphemeral, iParm, pEList->nExpr);
+  }
+
+  /* Set the limiter.
+  */
+  iEnd = sqlite3VdbeMakeLabel(v);
+  computeLimitRegisters(pParse, p, iEnd);
+
+  /* Open a virtual index to use for the distinct set.
+  */
+  if( isDistinct ){
+    KeyInfo *pKeyInfo;
+    distinct = pParse->nTab++;
+    pKeyInfo = keyInfoFromExprList(pParse, p->pEList);
+    sqlite3VdbeOp3(v, OP_OpenEphemeral, distinct, 0, 
+                        (char*)pKeyInfo, P3_KEYINFO_HANDOFF);
+  }else{
+    distinct = -1;
+  }
+
+  /* Aggregate and non-aggregate queries are handled differently */
+  if( !isAgg && pGroupBy==0 ){
+    /* This case is for non-aggregate queries
+    ** Begin the database scan
+    */
+    pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, &pOrderBy);
+    if( pWInfo==0 ) goto select_end;
+
+    /* If sorting index that was created by a prior OP_OpenEphemeral 
+    ** instruction ended up not being needed, then change the OP_OpenEphemeral
+    ** into an OP_Noop.
+    */
+    if( addrSortIndex>=0 && pOrderBy==0 ){
+      sqlite3VdbeChangeToNoop(v, addrSortIndex, 1);
+      p->addrOpenEphm[2] = -1;
+    }
+
+    /* Use the standard inner loop
+    */
+    if( selectInnerLoop(pParse, p, pEList, 0, 0, pOrderBy, distinct, eDest,
+                    iParm, pWInfo->iContinue, pWInfo->iBreak, aff) ){
+       goto select_end;
+    }
+
+    /* End the database scan loop.
+    */
+    sqlite3WhereEnd(pWInfo);
+  }else{
+    /* This is the processing for aggregate queries */
+    NameContext sNC;    /* Name context for processing aggregate information */
+    int iAMem;          /* First Mem address for storing current GROUP BY */
+    int iBMem;          /* First Mem address for previous GROUP BY */
+    int iUseFlag;       /* Mem address holding flag indicating that at least
+                        ** one row of the input to the aggregator has been
+                        ** processed */
+    int iAbortFlag;     /* Mem address which causes query abort if positive */
+    int groupBySort;    /* Rows come from source in GROUP BY order */
+
+
+    /* The following variables hold addresses or labels for parts of the
+    ** virtual machine program we are putting together */
+    int addrOutputRow;      /* Start of subroutine that outputs a result row */
+    int addrSetAbort;       /* Set the abort flag and return */
+    int addrInitializeLoop; /* Start of code that initializes the input loop */
+    int addrTopOfLoop;      /* Top of the input loop */
+    int addrGroupByChange;  /* Code that runs when any GROUP BY term changes */
+    int addrProcessRow;     /* Code to process a single input row */
+    int addrEnd;            /* End of all processing */
+    int addrSortingIdx;     /* The OP_OpenEphemeral for the sorting index */
+    int addrReset;          /* Subroutine for resetting the accumulator */
+
+    addrEnd = sqlite3VdbeMakeLabel(v);
+
+    /* Convert TK_COLUMN nodes into TK_AGG_COLUMN and make entries in
+    ** sAggInfo for all TK_AGG_FUNCTION nodes in expressions of the
+    ** SELECT statement.
+    */
+    memset(&sNC, 0, sizeof(sNC));
+    sNC.pParse = pParse;
+    sNC.pSrcList = pTabList;
+    sNC.pAggInfo = &sAggInfo;
+    sAggInfo.nSortingColumn = pGroupBy ? pGroupBy->nExpr+1 : 0;
+    sAggInfo.pGroupBy = pGroupBy;
+    if( sqlite3ExprAnalyzeAggList(&sNC, pEList) ){
+      goto select_end;
+    }
+    if( sqlite3ExprAnalyzeAggList(&sNC, pOrderBy) ){
+      goto select_end;
+    }
+    if( pHaving && sqlite3ExprAnalyzeAggregates(&sNC, pHaving) ){
+      goto select_end;
+    }
+    sAggInfo.nAccumulator = sAggInfo.nColumn;
+    for(i=0; i<sAggInfo.nFunc; i++){
+      if( sqlite3ExprAnalyzeAggList(&sNC, sAggInfo.aFunc[i].pExpr->pList) ){
+        goto select_end;
+      }
+    }
+    if( sqlite3MallocFailed() ) goto select_end;
+
+    /* Processing for aggregates with GROUP BY is very different and
+    ** much more complex tha aggregates without a GROUP BY.
+    */
+    if( pGroupBy ){
+      KeyInfo *pKeyInfo;  /* Keying information for the group by clause */
+
+      /* Create labels that we will be needing
+      */
+     
+      addrInitializeLoop = sqlite3VdbeMakeLabel(v);
+      addrGroupByChange = sqlite3VdbeMakeLabel(v);
+      addrProcessRow = sqlite3VdbeMakeLabel(v);
+
+      /* If there is a GROUP BY clause we might need a sorting index to
+      ** implement it.  Allocate that sorting index now.  If it turns out
+      ** that we do not need it after all, the OpenEphemeral instruction
+      ** will be converted into a Noop.  
+      */
+      sAggInfo.sortingIdx = pParse->nTab++;
+      pKeyInfo = keyInfoFromExprList(pParse, pGroupBy);
+      addrSortingIdx =
+          sqlite3VdbeOp3(v, OP_OpenEphemeral, sAggInfo.sortingIdx,
+                         sAggInfo.nSortingColumn,
+                         (char*)pKeyInfo, P3_KEYINFO_HANDOFF);
+
+      /* Initialize memory locations used by GROUP BY aggregate processing
+      */
+      iUseFlag = pParse->nMem++;
+      iAbortFlag = pParse->nMem++;
+      iAMem = pParse->nMem;
+      pParse->nMem += pGroupBy->nExpr;
+      iBMem = pParse->nMem;
+      pParse->nMem += pGroupBy->nExpr;
+      sqlite3VdbeAddOp(v, OP_MemInt, 0, iAbortFlag);
+      VdbeComment((v, "# clear abort flag"));
+      sqlite3VdbeAddOp(v, OP_MemInt, 0, iUseFlag);
+      VdbeComment((v, "# indicate accumulator empty"));
+      sqlite3VdbeAddOp(v, OP_Goto, 0, addrInitializeLoop);
+
+      /* Generate a subroutine that outputs a single row of the result
+      ** set.  This subroutine first looks at the iUseFlag.  If iUseFlag
+      ** is less than or equal to zero, the subroutine is a no-op.  If
+      ** the processing calls for the query to abort, this subroutine
+      ** increments the iAbortFlag memory location before returning in
+      ** order to signal the caller to abort.
+      */
+      addrSetAbort = sqlite3VdbeCurrentAddr(v);
+      sqlite3VdbeAddOp(v, OP_MemInt, 1, iAbortFlag);
+      VdbeComment((v, "# set abort flag"));
+      sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+      addrOutputRow = sqlite3VdbeCurrentAddr(v);
+      sqlite3VdbeAddOp(v, OP_IfMemPos, iUseFlag, addrOutputRow+2);
+      VdbeComment((v, "# Groupby result generator entry point"));
+      sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+      finalizeAggFunctions(pParse, &sAggInfo);
+      if( pHaving ){
+        sqlite3ExprIfFalse(pParse, pHaving, addrOutputRow+1, 1);
+      }
+      rc = selectInnerLoop(pParse, p, p->pEList, 0, 0, pOrderBy,
+                           distinct, eDest, iParm, 
+                           addrOutputRow+1, addrSetAbort, aff);
+      if( rc ){
+        goto select_end;
+      }
+      sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+      VdbeComment((v, "# end groupby result generator"));
+
+      /* Generate a subroutine that will reset the group-by accumulator
+      */
+      addrReset = sqlite3VdbeCurrentAddr(v);
+      resetAccumulator(pParse, &sAggInfo);
+      sqlite3VdbeAddOp(v, OP_Return, 0, 0);
+
+      /* Begin a loop that will extract all source rows in GROUP BY order.
+      ** This might involve two separate loops with an OP_Sort in between, or
+      ** it might be a single loop that uses an index to extract information
+      ** in the right order to begin with.
+      */
+      sqlite3VdbeResolveLabel(v, addrInitializeLoop);
+      sqlite3VdbeAddOp(v, OP_Gosub, 0, addrReset);
+      pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, &pGroupBy);
+      if( pWInfo==0 ) goto select_end;
+      if( pGroupBy==0 ){
+        /* The optimizer is able to deliver rows in group by order so
+        ** we do not have to sort.  The OP_OpenEphemeral table will be
+        ** cancelled later because we still need to use the pKeyInfo
+        */
+        pGroupBy = p->pGroupBy;
+        groupBySort = 0;
+      }else{
+        /* Rows are coming out in undetermined order.  We have to push
+        ** each row into a sorting index, terminate the first loop,
+        ** then loop over the sorting index in order to get the output
+        ** in sorted order
+        */
+        groupBySort = 1;
+        sqlite3ExprCodeExprList(pParse, pGroupBy);
+        sqlite3VdbeAddOp(v, OP_Sequence, sAggInfo.sortingIdx, 0);
+        j = pGroupBy->nExpr+1;
+        for(i=0; i<sAggInfo.nColumn; i++){
+          struct AggInfo_col *pCol = &sAggInfo.aCol[i];
+          if( pCol->iSorterColumn<j ) continue;
+          sqlite3ExprCodeGetColumn(v, pCol->pTab, pCol->iColumn, pCol->iTable);
+          j++;
+        }
+        sqlite3VdbeAddOp(v, OP_MakeRecord, j, 0);
+        sqlite3VdbeAddOp(v, OP_IdxInsert, sAggInfo.sortingIdx, 0);
+        sqlite3WhereEnd(pWInfo);
+        sqlite3VdbeAddOp(v, OP_Sort, sAggInfo.sortingIdx, addrEnd);
+        VdbeComment((v, "# GROUP BY sort"));
+        sAggInfo.useSortingIdx = 1;
+      }
+
+      /* Evaluate the current GROUP BY terms and store in b0, b1, b2...
+      ** (b0 is memory location iBMem+0, b1 is iBMem+1, and so forth)
+      ** Then compare the current GROUP BY terms against the GROUP BY terms
+      ** from the previous row currently stored in a0, a1, a2...
+      */
+      addrTopOfLoop = sqlite3VdbeCurrentAddr(v);
+      for(j=0; j<pGroupBy->nExpr; j++){
+        if( groupBySort ){
+          sqlite3VdbeAddOp(v, OP_Column, sAggInfo.sortingIdx, j);
+        }else{
+          sAggInfo.directMode = 1;
+          sqlite3ExprCode(pParse, pGroupBy->a[j].pExpr);
+        }
+        sqlite3VdbeAddOp(v, OP_MemStore, iBMem+j, j<pGroupBy->nExpr-1);
+      }
+      for(j=pGroupBy->nExpr-1; j>=0; j--){
+        if( j<pGroupBy->nExpr-1 ){
+          sqlite3VdbeAddOp(v, OP_MemLoad, iBMem+j, 0);
+        }
+        sqlite3VdbeAddOp(v, OP_MemLoad, iAMem+j, 0);
+        if( j==0 ){
+          sqlite3VdbeAddOp(v, OP_Eq, 0x200, addrProcessRow);
+        }else{
+          sqlite3VdbeAddOp(v, OP_Ne, 0x200, addrGroupByChange);
+        }
+        sqlite3VdbeChangeP3(v, -1, (void*)pKeyInfo->aColl[j], P3_COLLSEQ);
+      }
+
+      /* Generate code that runs whenever the GROUP BY changes.
+      ** Change in the GROUP BY are detected by the previous code
+      ** block.  If there were no changes, this block is skipped.
+      **
+      ** This code copies current group by terms in b0,b1,b2,...
+      ** over to a0,a1,a2.  It then calls the output subroutine
+      ** and resets the aggregate accumulator registers in preparation
+      ** for the next GROUP BY batch.
+      */
+      sqlite3VdbeResolveLabel(v, addrGroupByChange);
+      for(j=0; j<pGroupBy->nExpr; j++){
+        sqlite3VdbeAddOp(v, OP_MemMove, iAMem+j, iBMem+j);
+      }
+      sqlite3VdbeAddOp(v, OP_Gosub, 0, addrOutputRow);
+      VdbeComment((v, "# output one row"));
+      sqlite3VdbeAddOp(v, OP_IfMemPos, iAbortFlag, addrEnd);
+      VdbeComment((v, "# check abort flag"));
+      sqlite3VdbeAddOp(v, OP_Gosub, 0, addrReset);
+      VdbeComment((v, "# reset accumulator"));
+
+      /* Update the aggregate accumulators based on the content of
+      ** the current row
+      */
+      sqlite3VdbeResolveLabel(v, addrProcessRow);
+      updateAccumulator(pParse, &sAggInfo);
+      sqlite3VdbeAddOp(v, OP_MemInt, 1, iUseFlag);
+      VdbeComment((v, "# indicate data in accumulator"));
+
+      /* End of the loop
+      */
+      if( groupBySort ){
+        sqlite3VdbeAddOp(v, OP_Next, sAggInfo.sortingIdx, addrTopOfLoop);
+      }else{
+        sqlite3WhereEnd(pWInfo);
+        sqlite3VdbeChangeToNoop(v, addrSortingIdx, 1);
+      }
+
+      /* Output the final row of result
+      */
+      sqlite3VdbeAddOp(v, OP_Gosub, 0, addrOutputRow);
+      VdbeComment((v, "# output final row"));
+      
+    } /* endif pGroupBy */
+    else {
+      /* This case runs if the aggregate has no GROUP BY clause.  The
+      ** processing is much simpler since there is only a single row
+      ** of output.
+      */
+      resetAccumulator(pParse, &sAggInfo);
+      pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, 0);
+      if( pWInfo==0 ) goto select_end;
+      updateAccumulator(pParse, &sAggInfo);
+      sqlite3WhereEnd(pWInfo);
+      finalizeAggFunctions(pParse, &sAggInfo);
+      pOrderBy = 0;
+      if( pHaving ){
+        sqlite3ExprIfFalse(pParse, pHaving, addrEnd, 1);
+      }
+      selectInnerLoop(pParse, p, p->pEList, 0, 0, 0, -1, 
+                      eDest, iParm, addrEnd, addrEnd, aff);
+    }
+    sqlite3VdbeResolveLabel(v, addrEnd);
+    
+  } /* endif aggregate query */
+
+  /* If there is an ORDER BY clause, then we need to sort the results
+  ** and send them to the callback one by one.
+  */
+  if( pOrderBy ){
+    generateSortTail(pParse, p, v, pEList->nExpr, eDest, iParm);
+  }
+
+#ifndef SQLITE_OMIT_SUBQUERY
+  /* If this was a subquery, we have now converted the subquery into a
+  ** temporary table.  So set the SrcList_item.isPopulated flag to prevent
+  ** this subquery from being evaluated again and to force the use of
+  ** the temporary table.
+  */
+  if( pParent ){
+    assert( pParent->pSrc->nSrc>parentTab );
+    assert( pParent->pSrc->a[parentTab].pSelect==p );
+    pParent->pSrc->a[parentTab].isPopulated = 1;
+  }
+#endif
+
+  /* Jump here to skip this query
+  */
+  sqlite3VdbeResolveLabel(v, iEnd);
+
+  /* The SELECT was successfully coded.   Set the return code to 0
+  ** to indicate no errors.
+  */
+  rc = 0;
+
+  /* Control jumps to here if an error is encountered above, or upon
+  ** successful coding of the SELECT.
+  */
+select_end:
+
+  /* Identify column names if we will be using them in a callback.  This
+  ** step is skipped if the output is going to some other destination.
+  */
+  if( rc==SQLITE_OK && eDest==SRT_Callback ){
+    generateColumnNames(pParse, pTabList, pEList);
+  }
+
+  sqliteFree(sAggInfo.aCol);
+  sqliteFree(sAggInfo.aFunc);
+  return rc;
+}
+
+#if defined(SQLITE_DEBUG)
+/*
+*******************************************************************************
+** The following code is used for testing and debugging only.  The code
+** that follows does not appear in normal builds.
+**
+** These routines are used to print out the content of all or part of a 
+** parse structures such as Select or Expr.  Such printouts are useful
+** for helping to understand what is happening inside the code generator
+** during the execution of complex SELECT statements.
+**
+** These routine are not called anywhere from within the normal
+** code base.  Then are intended to be called from within the debugger
+** or from temporary "printf" statements inserted for debugging.
+*/
+void sqlite3PrintExpr(Expr *p){
+  if( p->token.z && p->token.n>0 ){
+    sqlite3DebugPrintf("(%.*s", p->token.n, p->token.z);
+  }else{
+    sqlite3DebugPrintf("(%d", p->op);
+  }
+  if( p->pLeft ){
+    sqlite3DebugPrintf(" ");
+    sqlite3PrintExpr(p->pLeft);
+  }
+  if( p->pRight ){
+    sqlite3DebugPrintf(" ");
+    sqlite3PrintExpr(p->pRight);
+  }
+  sqlite3DebugPrintf(")");
+}
+void sqlite3PrintExprList(ExprList *pList){
+  int i;
+  for(i=0; i<pList->nExpr; i++){
+    sqlite3PrintExpr(pList->a[i].pExpr);
+    if( i<pList->nExpr-1 ){
+      sqlite3DebugPrintf(", ");
+    }
+  }
+}
+void sqlite3PrintSelect(Select *p, int indent){
+  sqlite3DebugPrintf("%*sSELECT(%p) ", indent, "", p);
+  sqlite3PrintExprList(p->pEList);
+  sqlite3DebugPrintf("\n");
+  if( p->pSrc ){
+    char *zPrefix;
+    int i;
+    zPrefix = "FROM";
+    for(i=0; i<p->pSrc->nSrc; i++){
+      struct SrcList_item *pItem = &p->pSrc->a[i];
+      sqlite3DebugPrintf("%*s ", indent+6, zPrefix);
+      zPrefix = "";
+      if( pItem->pSelect ){
+        sqlite3DebugPrintf("(\n");
+        sqlite3PrintSelect(pItem->pSelect, indent+10);
+        sqlite3DebugPrintf("%*s)", indent+8, "");
+      }else if( pItem->zName ){
+        sqlite3DebugPrintf("%s", pItem->zName);
+      }
+      if( pItem->pTab ){
+        sqlite3DebugPrintf("(table: %s)", pItem->pTab->zName);
+      }
+      if( pItem->zAlias ){
+        sqlite3DebugPrintf(" AS %s", pItem->zAlias);
+      }
+      if( i<p->pSrc->nSrc-1 ){
+        sqlite3DebugPrintf(",");
+      }
+      sqlite3DebugPrintf("\n");
+    }
+  }
+  if( p->pWhere ){
+    sqlite3DebugPrintf("%*s WHERE ", indent, "");
+    sqlite3PrintExpr(p->pWhere);
+    sqlite3DebugPrintf("\n");
+  }
+  if( p->pGroupBy ){
+    sqlite3DebugPrintf("%*s GROUP BY ", indent, "");
+    sqlite3PrintExprList(p->pGroupBy);
+    sqlite3DebugPrintf("\n");
+  }
+  if( p->pHaving ){
+    sqlite3DebugPrintf("%*s HAVING ", indent, "");
+    sqlite3PrintExpr(p->pHaving);
+    sqlite3DebugPrintf("\n");
+  }
+  if( p->pOrderBy ){
+    sqlite3DebugPrintf("%*s ORDER BY ", indent, "");
+    sqlite3PrintExprList(p->pOrderBy);
+    sqlite3DebugPrintf("\n");
+  }
+}
+/* End of the structure debug printing code
+*****************************************************************************/
+#endif /* defined(SQLITE_TEST) || defined(SQLITE_DEBUG) */
+
+/************** End of select.c **********************************************/
+/************** Begin file table.c *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains the sqlite3_get_table() and sqlite3_free_table()
+** interface routines.  These are just wrappers around the main
+** interface routine of sqlite3_exec().
+**
+** These routines are in a separate files so that they will not be linked
+** if they are not used.
+*/
+
+#ifndef SQLITE_OMIT_GET_TABLE
+
+/*
+** This structure is used to pass data from sqlite3_get_table() through
+** to the callback function is uses to build the result.
+*/
+typedef struct TabResult {
+  char **azResult;
+  char *zErrMsg;
+  int nResult;
+  int nAlloc;
+  int nRow;
+  int nColumn;
+  int nData;
+  int rc;
+} TabResult;
+
+/*
+** This routine is called once for each row in the result table.  Its job
+** is to fill in the TabResult structure appropriately, allocating new
+** memory as necessary.
+*/
+static int sqlite3_get_table_cb(void *pArg, int nCol, char **argv, char **colv){
+  TabResult *p = (TabResult*)pArg;
+  int need;
+  int i;
+  char *z;
+
+  /* Make sure there is enough space in p->azResult to hold everything
+  ** we need to remember from this invocation of the callback.
+  */
+  if( p->nRow==0 && argv!=0 ){
+    need = nCol*2;
+  }else{
+    need = nCol;
+  }
+  if( p->nData + need >= p->nAlloc ){
+    char **azNew;
+    p->nAlloc = p->nAlloc*2 + need + 1;
+    azNew = sqlite3_realloc( p->azResult, sizeof(char*)*p->nAlloc );
+    if( azNew==0 ) goto malloc_failed;
+    p->azResult = azNew;
+  }
+
+  /* If this is the first row, then generate an extra row containing
+  ** the names of all columns.
+  */
+  if( p->nRow==0 ){
+    p->nColumn = nCol;
+    for(i=0; i<nCol; i++){
+      if( colv[i]==0 ){
+        z = sqlite3_mprintf("");
+      }else{
+        z = sqlite3_mprintf("%s", colv[i]);
+      }
+      p->azResult[p->nData++] = z;
+    }
+  }else if( p->nColumn!=nCol ){
+    sqlite3SetString(&p->zErrMsg,
+       "sqlite3_get_table() called with two or more incompatible queries",
+       (char*)0);
+    p->rc = SQLITE_ERROR;
+    return 1;
+  }
+
+  /* Copy over the row data
+  */
+  if( argv!=0 ){
+    for(i=0; i<nCol; i++){
+      if( argv[i]==0 ){
+        z = 0;
+      }else{
+        z = sqlite3_malloc( strlen(argv[i])+1 );
+        if( z==0 ) goto malloc_failed;
+        strcpy(z, argv[i]);
+      }
+      p->azResult[p->nData++] = z;
+    }
+    p->nRow++;
+  }
+  return 0;
+
+malloc_failed:
+  p->rc = SQLITE_NOMEM;
+  return 1;
+}
+
+/*
+** Query the database.  But instead of invoking a callback for each row,
+** malloc() for space to hold the result and return the entire results
+** at the conclusion of the call.
+**
+** The result that is written to ***pazResult is held in memory obtained
+** from malloc().  But the caller cannot free this memory directly.  
+** Instead, the entire table should be passed to sqlite3_free_table() when
+** the calling procedure is finished using it.
+*/
+int sqlite3_get_table(
+  sqlite3 *db,                /* The database on which the SQL executes */
+  const char *zSql,           /* The SQL to be executed */
+  char ***pazResult,          /* Write the result table here */
+  int *pnRow,                 /* Write the number of rows in the result here */
+  int *pnColumn,              /* Write the number of columns of result here */
+  char **pzErrMsg             /* Write error messages here */
+){
+  int rc;
+  TabResult res;
+  if( pazResult==0 ){ return SQLITE_ERROR; }
+  *pazResult = 0;
+  if( pnColumn ) *pnColumn = 0;
+  if( pnRow ) *pnRow = 0;
+  res.zErrMsg = 0;
+  res.nResult = 0;
+  res.nRow = 0;
+  res.nColumn = 0;
+  res.nData = 1;
+  res.nAlloc = 20;
+  res.rc = SQLITE_OK;
+  res.azResult = sqlite3_malloc( sizeof(char*)*res.nAlloc );
+  if( res.azResult==0 ) return SQLITE_NOMEM;
+  res.azResult[0] = 0;
+  rc = sqlite3_exec(db, zSql, sqlite3_get_table_cb, &res, pzErrMsg);
+  if( res.azResult ){
+    assert( sizeof(res.azResult[0])>= sizeof(res.nData) );
+    res.azResult[0] = (char*)res.nData;
+  }
+  if( (rc&0xff)==SQLITE_ABORT ){
+    sqlite3_free_table(&res.azResult[1]);
+    if( res.zErrMsg ){
+      if( pzErrMsg ){
+        sqlite3_free(*pzErrMsg);
+        *pzErrMsg = sqlite3_mprintf("%s",res.zErrMsg);
+      }
+      sqliteFree(res.zErrMsg);
+    }
+    db->errCode = res.rc;
+    return res.rc & db->errMask;
+  }
+  sqliteFree(res.zErrMsg);
+  if( rc!=SQLITE_OK ){
+    sqlite3_free_table(&res.azResult[1]);
+    return rc & db->errMask;
+  }
+  if( res.nAlloc>res.nData ){
+    char **azNew;
+    azNew = sqlite3_realloc( res.azResult, sizeof(char*)*(res.nData+1) );
+    if( azNew==0 ){
+      sqlite3_free_table(&res.azResult[1]);
+      return SQLITE_NOMEM;
+    }
+    res.nAlloc = res.nData+1;
+    res.azResult = azNew;
+  }
+  *pazResult = &res.azResult[1];
+  if( pnColumn ) *pnColumn = res.nColumn;
+  if( pnRow ) *pnRow = res.nRow;
+  return rc & db->errMask;
+}
+
+/*
+** This routine frees the space the sqlite3_get_table() malloced.
+*/
+void sqlite3_free_table(
+  char **azResult            /* Result returned from from sqlite3_get_table() */
+){
+  if( azResult ){
+    int i, n;
+    azResult--;
+    if( azResult==0 ) return;
+    n = (int)azResult[0];
+    for(i=1; i<n; i++){ if( azResult[i] ) sqlite3_free(azResult[i]); }
+    sqlite3_free(azResult);
+  }
+}
+
+#endif /* SQLITE_OMIT_GET_TABLE */
+
+/************** End of table.c ***********************************************/
+/************** Begin file trigger.c *****************************************/
+/*
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+*
+*/
+
+#ifndef SQLITE_OMIT_TRIGGER
+/*
+** Delete a linked list of TriggerStep structures.
+*/
+void sqlite3DeleteTriggerStep(TriggerStep *pTriggerStep){
+  while( pTriggerStep ){
+    TriggerStep * pTmp = pTriggerStep;
+    pTriggerStep = pTriggerStep->pNext;
+
+    if( pTmp->target.dyn ) sqliteFree((char*)pTmp->target.z);
+    sqlite3ExprDelete(pTmp->pWhere);
+    sqlite3ExprListDelete(pTmp->pExprList);
+    sqlite3SelectDelete(pTmp->pSelect);
+    sqlite3IdListDelete(pTmp->pIdList);
+
+    sqliteFree(pTmp);
+  }
+}
+
+/*
+** This is called by the parser when it sees a CREATE TRIGGER statement
+** up to the point of the BEGIN before the trigger actions.  A Trigger
+** structure is generated based on the information available and stored
+** in pParse->pNewTrigger.  After the trigger actions have been parsed, the
+** sqlite3FinishTrigger() function is called to complete the trigger
+** construction process.
+*/
+void sqlite3BeginTrigger(
+  Parse *pParse,      /* The parse context of the CREATE TRIGGER statement */
+  Token *pName1,      /* The name of the trigger */
+  Token *pName2,      /* The name of the trigger */
+  int tr_tm,          /* One of TK_BEFORE, TK_AFTER, TK_INSTEAD */
+  int op,             /* One of TK_INSERT, TK_UPDATE, TK_DELETE */
+  IdList *pColumns,   /* column list if this is an UPDATE OF trigger */
+  SrcList *pTableName,/* The name of the table/view the trigger applies to */
+  Expr *pWhen,        /* WHEN clause */
+  int isTemp,         /* True if the TEMPORARY keyword is present */
+  int noErr           /* Suppress errors if the trigger already exists */
+){
+  Trigger *pTrigger = 0;
+  Table *pTab;
+  char *zName = 0;        /* Name of the trigger */
+  sqlite3 *db = pParse->db;
+  int iDb;                /* The database to store the trigger in */
+  Token *pName;           /* The unqualified db name */
+  DbFixer sFix;
+  int iTabDb;
+
+  assert( pName1!=0 );   /* pName1->z might be NULL, but not pName1 itself */
+  assert( pName2!=0 );
+  if( isTemp ){
+    /* If TEMP was specified, then the trigger name may not be qualified. */
+    if( pName2->n>0 ){
+      sqlite3ErrorMsg(pParse, "temporary trigger may not have qualified name");
+      goto trigger_cleanup;
+    }
+    iDb = 1;
+    pName = pName1;
+  }else{
+    /* Figure out the db that the the trigger will be created in */
+    iDb = sqlite3TwoPartName(pParse, pName1, pName2, &pName);
+    if( iDb<0 ){
+      goto trigger_cleanup;
+    }
+  }
+
+  /* If the trigger name was unqualified, and the table is a temp table,
+  ** then set iDb to 1 to create the trigger in the temporary database.
+  ** If sqlite3SrcListLookup() returns 0, indicating the table does not
+  ** exist, the error is caught by the block below.
+  */
+  if( !pTableName || sqlite3MallocFailed() ){
+    goto trigger_cleanup;
+  }
+  pTab = sqlite3SrcListLookup(pParse, pTableName);
+  if( pName2->n==0 && pTab && pTab->pSchema==db->aDb[1].pSchema ){
+    iDb = 1;
+  }
+
+  /* Ensure the table name matches database name and that the table exists */
+  if( sqlite3MallocFailed() ) goto trigger_cleanup;
+  assert( pTableName->nSrc==1 );
+  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", pName) && 
+      sqlite3FixSrcList(&sFix, pTableName) ){
+    goto trigger_cleanup;
+  }
+  pTab = sqlite3SrcListLookup(pParse, pTableName);
+  if( !pTab ){
+    /* The table does not exist. */
+    goto trigger_cleanup;
+  }
+  if( IsVirtual(pTab) ){
+    sqlite3ErrorMsg(pParse, "cannot create triggers on virtual tables");
+    goto trigger_cleanup;
+  }
+
+  /* Check that the trigger name is not reserved and that no trigger of the
+  ** specified name exists */
+  zName = sqlite3NameFromToken(pName);
+  if( !zName || SQLITE_OK!=sqlite3CheckObjectName(pParse, zName) ){
+    goto trigger_cleanup;
+  }
+  if( sqlite3HashFind(&(db->aDb[iDb].pSchema->trigHash), zName,strlen(zName)) ){
+    if( !noErr ){
+      sqlite3ErrorMsg(pParse, "trigger %T already exists", pName);
+    }
+    goto trigger_cleanup;
+  }
+
+  /* Do not create a trigger on a system table */
+  if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 ){
+    sqlite3ErrorMsg(pParse, "cannot create trigger on system table");
+    pParse->nErr++;
+    goto trigger_cleanup;
+  }
+
+  /* INSTEAD of triggers are only for views and views only support INSTEAD
+  ** of triggers.
+  */
+  if( pTab->pSelect && tr_tm!=TK_INSTEAD ){
+    sqlite3ErrorMsg(pParse, "cannot create %s trigger on view: %S", 
+        (tr_tm == TK_BEFORE)?"BEFORE":"AFTER", pTableName, 0);
+    goto trigger_cleanup;
+  }
+  if( !pTab->pSelect && tr_tm==TK_INSTEAD ){
+    sqlite3ErrorMsg(pParse, "cannot create INSTEAD OF"
+        " trigger on table: %S", pTableName, 0);
+    goto trigger_cleanup;
+  }
+  iTabDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  {
+    int code = SQLITE_CREATE_TRIGGER;
+    const char *zDb = db->aDb[iTabDb].zName;
+    const char *zDbTrig = isTemp ? db->aDb[1].zName : zDb;
+    if( iTabDb==1 || isTemp ) code = SQLITE_CREATE_TEMP_TRIGGER;
+    if( sqlite3AuthCheck(pParse, code, zName, pTab->zName, zDbTrig) ){
+      goto trigger_cleanup;
+    }
+    if( sqlite3AuthCheck(pParse, SQLITE_INSERT, SCHEMA_TABLE(iTabDb),0,zDb)){
+      goto trigger_cleanup;
+    }
+  }
+#endif
+
+  /* INSTEAD OF triggers can only appear on views and BEFORE triggers
+  ** cannot appear on views.  So we might as well translate every
+  ** INSTEAD OF trigger into a BEFORE trigger.  It simplifies code
+  ** elsewhere.
+  */
+  if (tr_tm == TK_INSTEAD){
+    tr_tm = TK_BEFORE;
+  }
+
+  /* Build the Trigger object */
+  pTrigger = (Trigger*)sqliteMalloc(sizeof(Trigger));
+  if( pTrigger==0 ) goto trigger_cleanup;
+  pTrigger->name = zName;
+  zName = 0;
+  pTrigger->table = sqliteStrDup(pTableName->a[0].zName);
+  pTrigger->pSchema = db->aDb[iDb].pSchema;
+  pTrigger->pTabSchema = pTab->pSchema;
+  pTrigger->op = op;
+  pTrigger->tr_tm = tr_tm==TK_BEFORE ? TRIGGER_BEFORE : TRIGGER_AFTER;
+  pTrigger->pWhen = sqlite3ExprDup(pWhen);
+  pTrigger->pColumns = sqlite3IdListDup(pColumns);
+  sqlite3TokenCopy(&pTrigger->nameToken,pName);
+  assert( pParse->pNewTrigger==0 );
+  pParse->pNewTrigger = pTrigger;
+
+trigger_cleanup:
+  sqliteFree(zName);
+  sqlite3SrcListDelete(pTableName);
+  sqlite3IdListDelete(pColumns);
+  sqlite3ExprDelete(pWhen);
+  if( !pParse->pNewTrigger ){
+    sqlite3DeleteTrigger(pTrigger);
+  }else{
+    assert( pParse->pNewTrigger==pTrigger );
+  }
+}
+
+/*
+** This routine is called after all of the trigger actions have been parsed
+** in order to complete the process of building the trigger.
+*/
+void sqlite3FinishTrigger(
+  Parse *pParse,          /* Parser context */
+  TriggerStep *pStepList, /* The triggered program */
+  Token *pAll             /* Token that describes the complete CREATE TRIGGER */
+){
+  Trigger *pTrig = 0;     /* The trigger whose construction is finishing up */
+  sqlite3 *db = pParse->db;  /* The database */
+  DbFixer sFix;
+  int iDb;                   /* Database containing the trigger */
+
+  pTrig = pParse->pNewTrigger;
+  pParse->pNewTrigger = 0;
+  if( pParse->nErr || !pTrig ) goto triggerfinish_cleanup;
+  iDb = sqlite3SchemaToIndex(pParse->db, pTrig->pSchema);
+  pTrig->step_list = pStepList;
+  while( pStepList ){
+    pStepList->pTrig = pTrig;
+    pStepList = pStepList->pNext;
+  }
+  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", &pTrig->nameToken) 
+          && sqlite3FixTriggerStep(&sFix, pTrig->step_list) ){
+    goto triggerfinish_cleanup;
+  }
+
+  /* if we are not initializing, and this trigger is not on a TEMP table, 
+  ** build the sqlite_master entry
+  */
+  if( !db->init.busy ){
+    static const VdbeOpList insertTrig[] = {
+      { OP_NewRowid,   0, 0,  0          },
+      { OP_String8,    0, 0,  "trigger"  },
+      { OP_String8,    0, 0,  0          },  /* 2: trigger name */
+      { OP_String8,    0, 0,  0          },  /* 3: table name */
+      { OP_Integer,    0, 0,  0          },
+      { OP_String8,    0, 0,  "CREATE TRIGGER "},
+      { OP_String8,    0, 0,  0          },  /* 6: SQL */
+      { OP_Concat,     0, 0,  0          }, 
+      { OP_MakeRecord, 5, 0,  "aaada"    },
+      { OP_Insert,     0, 0,  0          },
+    };
+    int addr;
+    Vdbe *v;
+
+    /* Make an entry in the sqlite_master table */
+    v = sqlite3GetVdbe(pParse);
+    if( v==0 ) goto triggerfinish_cleanup;
+    sqlite3BeginWriteOperation(pParse, 0, iDb);
+    sqlite3OpenMasterTable(pParse, iDb);
+    addr = sqlite3VdbeAddOpList(v, ArraySize(insertTrig), insertTrig);
+    sqlite3VdbeChangeP3(v, addr+2, pTrig->name, 0); 
+    sqlite3VdbeChangeP3(v, addr+3, pTrig->table, 0); 
+    sqlite3VdbeChangeP3(v, addr+6, (char*)pAll->z, pAll->n);
+    sqlite3ChangeCookie(db, v, iDb);
+    sqlite3VdbeAddOp(v, OP_Close, 0, 0);
+    sqlite3VdbeOp3(v, OP_ParseSchema, iDb, 0, 
+       sqlite3MPrintf("type='trigger' AND name='%q'", pTrig->name), P3_DYNAMIC);
+  }
+
+  if( db->init.busy ){
+    int n;
+    Table *pTab;
+    Trigger *pDel;
+    pDel = sqlite3HashInsert(&db->aDb[iDb].pSchema->trigHash, 
+                     pTrig->name, strlen(pTrig->name), pTrig);
+    if( pDel ){
+      assert( sqlite3MallocFailed() && pDel==pTrig );
+      goto triggerfinish_cleanup;
+    }
+    n = strlen(pTrig->table) + 1;
+    pTab = sqlite3HashFind(&pTrig->pTabSchema->tblHash, pTrig->table, n);
+    assert( pTab!=0 );
+    pTrig->pNext = pTab->pTrigger;
+    pTab->pTrigger = pTrig;
+    pTrig = 0;
+  }
+
+triggerfinish_cleanup:
+  sqlite3DeleteTrigger(pTrig);
+  assert( !pParse->pNewTrigger );
+  sqlite3DeleteTriggerStep(pStepList);
+}
+
+/*
+** Make a copy of all components of the given trigger step.  This has
+** the effect of copying all Expr.token.z values into memory obtained
+** from sqliteMalloc().  As initially created, the Expr.token.z values
+** all point to the input string that was fed to the parser.  But that
+** string is ephemeral - it will go away as soon as the sqlite3_exec()
+** call that started the parser exits.  This routine makes a persistent
+** copy of all the Expr.token.z strings so that the TriggerStep structure
+** will be valid even after the sqlite3_exec() call returns.
+*/
+static void sqlitePersistTriggerStep(TriggerStep *p){
+  if( p->target.z ){
+    p->target.z = (u8*)sqliteStrNDup((char*)p->target.z, p->target.n);
+    p->target.dyn = 1;
+  }
+  if( p->pSelect ){
+    Select *pNew = sqlite3SelectDup(p->pSelect);
+    sqlite3SelectDelete(p->pSelect);
+    p->pSelect = pNew;
+  }
+  if( p->pWhere ){
+    Expr *pNew = sqlite3ExprDup(p->pWhere);
+    sqlite3ExprDelete(p->pWhere);
+    p->pWhere = pNew;
+  }
+  if( p->pExprList ){
+    ExprList *pNew = sqlite3ExprListDup(p->pExprList);
+    sqlite3ExprListDelete(p->pExprList);
+    p->pExprList = pNew;
+  }
+  if( p->pIdList ){
+    IdList *pNew = sqlite3IdListDup(p->pIdList);
+    sqlite3IdListDelete(p->pIdList);
+    p->pIdList = pNew;
+  }
+}
+
+/*
+** Turn a SELECT statement (that the pSelect parameter points to) into
+** a trigger step.  Return a pointer to a TriggerStep structure.
+**
+** The parser calls this routine when it finds a SELECT statement in
+** body of a TRIGGER.  
+*/
+TriggerStep *sqlite3TriggerSelectStep(Select *pSelect){
+  TriggerStep *pTriggerStep = sqliteMalloc(sizeof(TriggerStep));
+  if( pTriggerStep==0 ) {
+    sqlite3SelectDelete(pSelect);
+    return 0;
+  }
+
+  pTriggerStep->op = TK_SELECT;
+  pTriggerStep->pSelect = pSelect;
+  pTriggerStep->orconf = OE_Default;
+  sqlitePersistTriggerStep(pTriggerStep);
+
+  return pTriggerStep;
+}
+
+/*
+** Build a trigger step out of an INSERT statement.  Return a pointer
+** to the new trigger step.
+**
+** The parser calls this routine when it sees an INSERT inside the
+** body of a trigger.
+*/
+TriggerStep *sqlite3TriggerInsertStep(
+  Token *pTableName,  /* Name of the table into which we insert */
+  IdList *pColumn,    /* List of columns in pTableName to insert into */
+  ExprList *pEList,   /* The VALUE clause: a list of values to be inserted */
+  Select *pSelect,    /* A SELECT statement that supplies values */
+  int orconf          /* The conflict algorithm (OE_Abort, OE_Replace, etc.) */
+){
+  TriggerStep *pTriggerStep = sqliteMalloc(sizeof(TriggerStep));
+
+  assert(pEList == 0 || pSelect == 0);
+  assert(pEList != 0 || pSelect != 0);
+
+  if( pTriggerStep ){
+    pTriggerStep->op = TK_INSERT;
+    pTriggerStep->pSelect = pSelect;
+    pTriggerStep->target  = *pTableName;
+    pTriggerStep->pIdList = pColumn;
+    pTriggerStep->pExprList = pEList;
+    pTriggerStep->orconf = orconf;
+    sqlitePersistTriggerStep(pTriggerStep);
+  }else{
+    sqlite3IdListDelete(pColumn);
+    sqlite3ExprListDelete(pEList);
+    sqlite3SelectDup(pSelect);
+  }
+
+  return pTriggerStep;
+}
+
+/*
+** Construct a trigger step that implements an UPDATE statement and return
+** a pointer to that trigger step.  The parser calls this routine when it
+** sees an UPDATE statement inside the body of a CREATE TRIGGER.
+*/
+TriggerStep *sqlite3TriggerUpdateStep(
+  Token *pTableName,   /* Name of the table to be updated */
+  ExprList *pEList,    /* The SET clause: list of column and new values */
+  Expr *pWhere,        /* The WHERE clause */
+  int orconf           /* The conflict algorithm. (OE_Abort, OE_Ignore, etc) */
+){
+  TriggerStep *pTriggerStep = sqliteMalloc(sizeof(TriggerStep));
+  if( pTriggerStep==0 ){
+     sqlite3ExprListDelete(pEList);
+     sqlite3ExprDelete(pWhere);
+     return 0;
+  }
+
+  pTriggerStep->op = TK_UPDATE;
+  pTriggerStep->target  = *pTableName;
+  pTriggerStep->pExprList = pEList;
+  pTriggerStep->pWhere = pWhere;
+  pTriggerStep->orconf = orconf;
+  sqlitePersistTriggerStep(pTriggerStep);
+
+  return pTriggerStep;
+}
+
+/*
+** Construct a trigger step that implements a DELETE statement and return
+** a pointer to that trigger step.  The parser calls this routine when it
+** sees a DELETE statement inside the body of a CREATE TRIGGER.
+*/
+TriggerStep *sqlite3TriggerDeleteStep(Token *pTableName, Expr *pWhere){
+  TriggerStep *pTriggerStep = sqliteMalloc(sizeof(TriggerStep));
+  if( pTriggerStep==0 ){
+    sqlite3ExprDelete(pWhere);
+    return 0;
+  }
+
+  pTriggerStep->op = TK_DELETE;
+  pTriggerStep->target  = *pTableName;
+  pTriggerStep->pWhere = pWhere;
+  pTriggerStep->orconf = OE_Default;
+  sqlitePersistTriggerStep(pTriggerStep);
+
+  return pTriggerStep;
+}
+
+/* 
+** Recursively delete a Trigger structure
+*/
+void sqlite3DeleteTrigger(Trigger *pTrigger){
+  if( pTrigger==0 ) return;
+  sqlite3DeleteTriggerStep(pTrigger->step_list);
+  sqliteFree(pTrigger->name);
+  sqliteFree(pTrigger->table);
+  sqlite3ExprDelete(pTrigger->pWhen);
+  sqlite3IdListDelete(pTrigger->pColumns);
+  if( pTrigger->nameToken.dyn ) sqliteFree((char*)pTrigger->nameToken.z);
+  sqliteFree(pTrigger);
+}
+
+/*
+** This function is called to drop a trigger from the database schema. 
+**
+** This may be called directly from the parser and therefore identifies
+** the trigger by name.  The sqlite3DropTriggerPtr() routine does the
+** same job as this routine except it takes a pointer to the trigger
+** instead of the trigger name.
+**/
+void sqlite3DropTrigger(Parse *pParse, SrcList *pName, int noErr){
+  Trigger *pTrigger = 0;
+  int i;
+  const char *zDb;
+  const char *zName;
+  int nName;
+  sqlite3 *db = pParse->db;
+
+  if( sqlite3MallocFailed() ) goto drop_trigger_cleanup;
+  if( SQLITE_OK!=sqlite3ReadSchema(pParse) ){
+    goto drop_trigger_cleanup;
+  }
+
+  assert( pName->nSrc==1 );
+  zDb = pName->a[0].zDatabase;
+  zName = pName->a[0].zName;
+  nName = strlen(zName);
+  for(i=OMIT_TEMPDB; i<db->nDb; i++){
+    int j = (i<2) ? i^1 : i;  /* Search TEMP before MAIN */
+    if( zDb && sqlite3StrICmp(db->aDb[j].zName, zDb) ) continue;
+    pTrigger = sqlite3HashFind(&(db->aDb[j].pSchema->trigHash), zName, nName);
+    if( pTrigger ) break;
+  }
+  if( !pTrigger ){
+    if( !noErr ){
+      sqlite3ErrorMsg(pParse, "no such trigger: %S", pName, 0);
+    }
+    goto drop_trigger_cleanup;
+  }
+  sqlite3DropTriggerPtr(pParse, pTrigger);
+
+drop_trigger_cleanup:
+  sqlite3SrcListDelete(pName);
+}
+
+/*
+** Return a pointer to the Table structure for the table that a trigger
+** is set on.
+*/
+static Table *tableOfTrigger(Trigger *pTrigger){
+  int n = strlen(pTrigger->table) + 1;
+  return sqlite3HashFind(&pTrigger->pTabSchema->tblHash, pTrigger->table, n);
+}
+
+
+/*
+** Drop a trigger given a pointer to that trigger. 
+*/
+void sqlite3DropTriggerPtr(Parse *pParse, Trigger *pTrigger){
+  Table   *pTable;
+  Vdbe *v;
+  sqlite3 *db = pParse->db;
+  int iDb;
+
+  iDb = sqlite3SchemaToIndex(pParse->db, pTrigger->pSchema);
+  assert( iDb>=0 && iDb<db->nDb );
+  pTable = tableOfTrigger(pTrigger);
+  assert( pTable );
+  assert( pTable->pSchema==pTrigger->pSchema || iDb==1 );
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  {
+    int code = SQLITE_DROP_TRIGGER;
+    const char *zDb = db->aDb[iDb].zName;
+    const char *zTab = SCHEMA_TABLE(iDb);
+    if( iDb==1 ) code = SQLITE_DROP_TEMP_TRIGGER;
+    if( sqlite3AuthCheck(pParse, code, pTrigger->name, pTable->zName, zDb) ||
+      sqlite3AuthCheck(pParse, SQLITE_DELETE, zTab, 0, zDb) ){
+      return;
+    }
+  }
+#endif
+
+  /* Generate code to destroy the database record of the trigger.
+  */
+  assert( pTable!=0 );
+  if( (v = sqlite3GetVdbe(pParse))!=0 ){
+    int base;
+    static const VdbeOpList dropTrigger[] = {
+      { OP_Rewind,     0, ADDR(9),  0},
+      { OP_String8,    0, 0,        0}, /* 1 */
+      { OP_Column,     0, 1,        0},
+      { OP_Ne,         0, ADDR(8),  0},
+      { OP_String8,    0, 0,        "trigger"},
+      { OP_Column,     0, 0,        0},
+      { OP_Ne,         0, ADDR(8),  0},
+      { OP_Delete,     0, 0,        0},
+      { OP_Next,       0, ADDR(1),  0}, /* 8 */
+    };
+
+    sqlite3BeginWriteOperation(pParse, 0, iDb);
+    sqlite3OpenMasterTable(pParse, iDb);
+    base = sqlite3VdbeAddOpList(v,  ArraySize(dropTrigger), dropTrigger);
+    sqlite3VdbeChangeP3(v, base+1, pTrigger->name, 0);
+    sqlite3ChangeCookie(db, v, iDb);
+    sqlite3VdbeAddOp(v, OP_Close, 0, 0);
+    sqlite3VdbeOp3(v, OP_DropTrigger, iDb, 0, pTrigger->name, 0);
+  }
+}
+
+/*
+** Remove a trigger from the hash tables of the sqlite* pointer.
+*/
+void sqlite3UnlinkAndDeleteTrigger(sqlite3 *db, int iDb, const char *zName){
+  Trigger *pTrigger;
+  int nName = strlen(zName);
+  pTrigger = sqlite3HashInsert(&(db->aDb[iDb].pSchema->trigHash),
+                               zName, nName, 0);
+  if( pTrigger ){
+    Table *pTable = tableOfTrigger(pTrigger);
+    assert( pTable!=0 );
+    if( pTable->pTrigger == pTrigger ){
+      pTable->pTrigger = pTrigger->pNext;
+    }else{
+      Trigger *cc = pTable->pTrigger;
+      while( cc ){ 
+        if( cc->pNext == pTrigger ){
+          cc->pNext = cc->pNext->pNext;
+          break;
+        }
+        cc = cc->pNext;
+      }
+      assert(cc);
+    }
+    sqlite3DeleteTrigger(pTrigger);
+    db->flags |= SQLITE_InternChanges;
+  }
+}
+
+/*
+** pEList is the SET clause of an UPDATE statement.  Each entry
+** in pEList is of the format <id>=<expr>.  If any of the entries
+** in pEList have an <id> which matches an identifier in pIdList,
+** then return TRUE.  If pIdList==NULL, then it is considered a
+** wildcard that matches anything.  Likewise if pEList==NULL then
+** it matches anything so always return true.  Return false only
+** if there is no match.
+*/
+static int checkColumnOverLap(IdList *pIdList, ExprList *pEList){
+  int e;
+  if( !pIdList || !pEList ) return 1;
+  for(e=0; e<pEList->nExpr; e++){
+    if( sqlite3IdListIndex(pIdList, pEList->a[e].zName)>=0 ) return 1;
+  }
+  return 0; 
+}
+
+/*
+** Return a bit vector to indicate what kind of triggers exist for operation
+** "op" on table pTab.  If pChanges is not NULL then it is a list of columns
+** that are being updated.  Triggers only match if the ON clause of the
+** trigger definition overlaps the set of columns being updated.
+**
+** The returned bit vector is some combination of TRIGGER_BEFORE and
+** TRIGGER_AFTER.
+*/
+int sqlite3TriggersExist(
+  Parse *pParse,          /* Used to check for recursive triggers */
+  Table *pTab,            /* The table the contains the triggers */
+  int op,                 /* one of TK_DELETE, TK_INSERT, TK_UPDATE */
+  ExprList *pChanges      /* Columns that change in an UPDATE statement */
+){
+  Trigger *pTrigger;
+  int mask = 0;
+
+  pTrigger = IsVirtual(pTab) ? 0 : pTab->pTrigger;
+  while( pTrigger ){
+    if( pTrigger->op==op && checkColumnOverLap(pTrigger->pColumns, pChanges) ){
+      mask |= pTrigger->tr_tm;
+    }
+    pTrigger = pTrigger->pNext;
+  }
+  return mask;
+}
+
+/*
+** Convert the pStep->target token into a SrcList and return a pointer
+** to that SrcList.
+**
+** This routine adds a specific database name, if needed, to the target when
+** forming the SrcList.  This prevents a trigger in one database from
+** referring to a target in another database.  An exception is when the
+** trigger is in TEMP in which case it can refer to any other database it
+** wants.
+*/
+static SrcList *targetSrcList(
+  Parse *pParse,       /* The parsing context */
+  TriggerStep *pStep   /* The trigger containing the target token */
+){
+  Token sDb;           /* Dummy database name token */
+  int iDb;             /* Index of the database to use */
+  SrcList *pSrc;       /* SrcList to be returned */
+
+  iDb = sqlite3SchemaToIndex(pParse->db, pStep->pTrig->pSchema);
+  if( iDb==0 || iDb>=2 ){
+    assert( iDb<pParse->db->nDb );
+    sDb.z = (u8*)pParse->db->aDb[iDb].zName;
+    sDb.n = strlen((char*)sDb.z);
+    pSrc = sqlite3SrcListAppend(0, &sDb, &pStep->target);
+  } else {
+    pSrc = sqlite3SrcListAppend(0, &pStep->target, 0);
+  }
+  return pSrc;
+}
+
+/*
+** Generate VDBE code for zero or more statements inside the body of a
+** trigger.  
+*/
+static int codeTriggerProgram(
+  Parse *pParse,            /* The parser context */
+  TriggerStep *pStepList,   /* List of statements inside the trigger body */
+  int orconfin              /* Conflict algorithm. (OE_Abort, etc) */  
+){
+  TriggerStep * pTriggerStep = pStepList;
+  int orconf;
+  Vdbe *v = pParse->pVdbe;
+
+  assert( pTriggerStep!=0 );
+  assert( v!=0 );
+  sqlite3VdbeAddOp(v, OP_ContextPush, 0, 0);
+  VdbeComment((v, "# begin trigger %s", pStepList->pTrig->name));
+  while( pTriggerStep ){
+    orconf = (orconfin == OE_Default)?pTriggerStep->orconf:orconfin;
+    pParse->trigStack->orconf = orconf;
+    switch( pTriggerStep->op ){
+      case TK_SELECT: {
+	Select *ss = sqlite3SelectDup(pTriggerStep->pSelect);
+        if( ss ){
+          sqlite3SelectResolve(pParse, ss, 0);
+          sqlite3Select(pParse, ss, SRT_Discard, 0, 0, 0, 0, 0);
+          sqlite3SelectDelete(ss);
+        }
+	break;
+      }
+      case TK_UPDATE: {
+        SrcList *pSrc;
+        pSrc = targetSrcList(pParse, pTriggerStep);
+        sqlite3VdbeAddOp(v, OP_ResetCount, 0, 0);
+        sqlite3Update(pParse, pSrc,
+		sqlite3ExprListDup(pTriggerStep->pExprList), 
+		sqlite3ExprDup(pTriggerStep->pWhere), orconf);
+        sqlite3VdbeAddOp(v, OP_ResetCount, 1, 0);
+        break;
+      }
+      case TK_INSERT: {
+        SrcList *pSrc;
+        pSrc = targetSrcList(pParse, pTriggerStep);
+        sqlite3VdbeAddOp(v, OP_ResetCount, 0, 0);
+        sqlite3Insert(pParse, pSrc,
+          sqlite3ExprListDup(pTriggerStep->pExprList), 
+          sqlite3SelectDup(pTriggerStep->pSelect), 
+          sqlite3IdListDup(pTriggerStep->pIdList), orconf);
+        sqlite3VdbeAddOp(v, OP_ResetCount, 1, 0);
+        break;
+      }
+      case TK_DELETE: {
+        SrcList *pSrc;
+        sqlite3VdbeAddOp(v, OP_ResetCount, 0, 0);
+        pSrc = targetSrcList(pParse, pTriggerStep);
+        sqlite3DeleteFrom(pParse, pSrc, sqlite3ExprDup(pTriggerStep->pWhere));
+        sqlite3VdbeAddOp(v, OP_ResetCount, 1, 0);
+        break;
+      }
+      default:
+        assert(0);
+    } 
+    pTriggerStep = pTriggerStep->pNext;
+  }
+  sqlite3VdbeAddOp(v, OP_ContextPop, 0, 0);
+  VdbeComment((v, "# end trigger %s", pStepList->pTrig->name));
+
+  return 0;
+}
+
+/*
+** This is called to code FOR EACH ROW triggers.
+**
+** When the code that this function generates is executed, the following 
+** must be true:
+**
+** 1. No cursors may be open in the main database.  (But newIdx and oldIdx
+**    can be indices of cursors in temporary tables.  See below.)
+**
+** 2. If the triggers being coded are ON INSERT or ON UPDATE triggers, then
+**    a temporary vdbe cursor (index newIdx) must be open and pointing at
+**    a row containing values to be substituted for new.* expressions in the
+**    trigger program(s).
+**
+** 3. If the triggers being coded are ON DELETE or ON UPDATE triggers, then
+**    a temporary vdbe cursor (index oldIdx) must be open and pointing at
+**    a row containing values to be substituted for old.* expressions in the
+**    trigger program(s).
+**
+*/
+int sqlite3CodeRowTrigger(
+  Parse *pParse,       /* Parse context */
+  int op,              /* One of TK_UPDATE, TK_INSERT, TK_DELETE */
+  ExprList *pChanges,  /* Changes list for any UPDATE OF triggers */
+  int tr_tm,           /* One of TRIGGER_BEFORE, TRIGGER_AFTER */
+  Table *pTab,         /* The table to code triggers from */
+  int newIdx,          /* The indice of the "new" row to access */
+  int oldIdx,          /* The indice of the "old" row to access */
+  int orconf,          /* ON CONFLICT policy */
+  int ignoreJump       /* Instruction to jump to for RAISE(IGNORE) */
+){
+  Trigger *p;
+  TriggerStack trigStackEntry;
+
+  assert(op == TK_UPDATE || op == TK_INSERT || op == TK_DELETE);
+  assert(tr_tm == TRIGGER_BEFORE || tr_tm == TRIGGER_AFTER );
+
+  assert(newIdx != -1 || oldIdx != -1);
+
+  for(p=pTab->pTrigger; p; p=p->pNext){
+    int fire_this = 0;
+
+    /* Determine whether we should code this trigger */
+    if( 
+      p->op==op && 
+      p->tr_tm==tr_tm && 
+      (p->pSchema==p->pTabSchema || p->pSchema==pParse->db->aDb[1].pSchema) &&
+      (op!=TK_UPDATE||!p->pColumns||checkColumnOverLap(p->pColumns,pChanges))
+    ){
+      TriggerStack *pS;      /* Pointer to trigger-stack entry */
+      for(pS=pParse->trigStack; pS && p!=pS->pTrigger; pS=pS->pNext){}
+      if( !pS ){
+        fire_this = 1;
+      }
+#if 0    /* Give no warning for recursive triggers.  Just do not do them */
+      else{
+        sqlite3ErrorMsg(pParse, "recursive triggers not supported (%s)",
+            p->name);
+        return SQLITE_ERROR;
+      }
+#endif
+    }
+ 
+    if( fire_this ){
+      int endTrigger;
+      Expr * whenExpr;
+      AuthContext sContext;
+      NameContext sNC;
+
+      memset(&sNC, 0, sizeof(sNC));
+      sNC.pParse = pParse;
+
+      /* Push an entry on to the trigger stack */
+      trigStackEntry.pTrigger = p;
+      trigStackEntry.newIdx = newIdx;
+      trigStackEntry.oldIdx = oldIdx;
+      trigStackEntry.pTab = pTab;
+      trigStackEntry.pNext = pParse->trigStack;
+      trigStackEntry.ignoreJump = ignoreJump;
+      pParse->trigStack = &trigStackEntry;
+      sqlite3AuthContextPush(pParse, &sContext, p->name);
+
+      /* code the WHEN clause */
+      endTrigger = sqlite3VdbeMakeLabel(pParse->pVdbe);
+      whenExpr = sqlite3ExprDup(p->pWhen);
+      if( sqlite3ExprResolveNames(&sNC, whenExpr) ){
+        pParse->trigStack = trigStackEntry.pNext;
+        sqlite3ExprDelete(whenExpr);
+        return 1;
+      }
+      sqlite3ExprIfFalse(pParse, whenExpr, endTrigger, 1);
+      sqlite3ExprDelete(whenExpr);
+
+      codeTriggerProgram(pParse, p->step_list, orconf); 
+
+      /* Pop the entry off the trigger stack */
+      pParse->trigStack = trigStackEntry.pNext;
+      sqlite3AuthContextPop(&sContext);
+
+      sqlite3VdbeResolveLabel(pParse->pVdbe, endTrigger);
+    }
+  }
+  return 0;
+}
+#endif /* !defined(SQLITE_OMIT_TRIGGER) */
+
+/************** End of trigger.c *********************************************/
+/************** Begin file update.c ******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains C code routines that are called by the parser
+** to handle UPDATE statements.
+**
+** $Id$
+*/
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/* Forward declaration */
+static void updateVirtualTable(
+  Parse *pParse,       /* The parsing context */
+  SrcList *pSrc,       /* The virtual table to be modified */
+  Table *pTab,         /* The virtual table */
+  ExprList *pChanges,  /* The columns to change in the UPDATE statement */
+  Expr *pRowidExpr,    /* Expression used to recompute the rowid */
+  int *aXRef,          /* Mapping from columns of pTab to entries in pChanges */
+  Expr *pWhere         /* WHERE clause of the UPDATE statement */
+);
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/*
+** The most recently coded instruction was an OP_Column to retrieve the
+** i-th column of table pTab. This routine sets the P3 parameter of the 
+** OP_Column to the default value, if any.
+**
+** The default value of a column is specified by a DEFAULT clause in the 
+** column definition. This was either supplied by the user when the table
+** was created, or added later to the table definition by an ALTER TABLE
+** command. If the latter, then the row-records in the table btree on disk
+** may not contain a value for the column and the default value, taken
+** from the P3 parameter of the OP_Column instruction, is returned instead.
+** If the former, then all row-records are guaranteed to include a value
+** for the column and the P3 value is not required.
+**
+** Column definitions created by an ALTER TABLE command may only have 
+** literal default values specified: a number, null or a string. (If a more
+** complicated default expression value was provided, it is evaluated 
+** when the ALTER TABLE is executed and one of the literal values written
+** into the sqlite_master table.)
+**
+** Therefore, the P3 parameter is only required if the default value for
+** the column is a literal number, string or null. The sqlite3ValueFromExpr()
+** function is capable of transforming these types of expressions into
+** sqlite3_value objects.
+*/
+void sqlite3ColumnDefault(Vdbe *v, Table *pTab, int i){
+  if( pTab && !pTab->pSelect ){
+    sqlite3_value *pValue;
+    u8 enc = ENC(sqlite3VdbeDb(v));
+    Column *pCol = &pTab->aCol[i];
+    sqlite3ValueFromExpr(pCol->pDflt, enc, pCol->affinity, &pValue);
+    if( pValue ){
+      sqlite3VdbeChangeP3(v, -1, (const char *)pValue, P3_MEM);
+    }else{
+      VdbeComment((v, "# %s.%s", pTab->zName, pCol->zName));
+    }
+  }
+}
+
+/*
+** Process an UPDATE statement.
+**
+**   UPDATE OR IGNORE table_wxyz SET a=b, c=d WHERE e<5 AND f NOT NULL;
+**          \_______/ \________/     \______/       \________________/
+*            onError   pTabList      pChanges             pWhere
+*/
+void sqlite3Update(
+  Parse *pParse,         /* The parser context */
+  SrcList *pTabList,     /* The table in which we should change things */
+  ExprList *pChanges,    /* Things to be changed */
+  Expr *pWhere,          /* The WHERE clause.  May be null */
+  int onError            /* How to handle constraint errors */
+){
+  int i, j;              /* Loop counters */
+  Table *pTab;           /* The table to be updated */
+  int addr = 0;          /* VDBE instruction address of the start of the loop */
+  WhereInfo *pWInfo;     /* Information about the WHERE clause */
+  Vdbe *v;               /* The virtual database engine */
+  Index *pIdx;           /* For looping over indices */
+  int nIdx;              /* Number of indices that need updating */
+  int nIdxTotal;         /* Total number of indices */
+  int iCur;              /* VDBE Cursor number of pTab */
+  sqlite3 *db;           /* The database structure */
+  Index **apIdx = 0;     /* An array of indices that need updating too */
+  char *aIdxUsed = 0;    /* aIdxUsed[i]==1 if the i-th index is used */
+  int *aXRef = 0;        /* aXRef[i] is the index in pChanges->a[] of the
+                         ** an expression for the i-th column of the table.
+                         ** aXRef[i]==-1 if the i-th column is not changed. */
+  int chngRowid;         /* True if the record number is being changed */
+  Expr *pRowidExpr = 0;  /* Expression defining the new record number */
+  int openAll = 0;       /* True if all indices need to be opened */
+  AuthContext sContext;  /* The authorization context */
+  NameContext sNC;       /* The name-context to resolve expressions in */
+  int iDb;               /* Database containing the table being updated */
+  int memCnt = 0;        /* Memory cell used for counting rows changed */
+
+#ifndef SQLITE_OMIT_TRIGGER
+  int isView;                  /* Trying to update a view */
+  int triggers_exist = 0;      /* True if any row triggers exist */
+#endif
+
+  int newIdx      = -1;  /* index of trigger "new" temp table       */
+  int oldIdx      = -1;  /* index of trigger "old" temp table       */
+
+  sContext.pParse = 0;
+  if( pParse->nErr || sqlite3MallocFailed() ){
+    goto update_cleanup;
+  }
+  db = pParse->db;
+  assert( pTabList->nSrc==1 );
+
+  /* Locate the table which we want to update. 
+  */
+  pTab = sqlite3SrcListLookup(pParse, pTabList);
+  if( pTab==0 ) goto update_cleanup;
+  iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+
+  /* Figure out if we have any triggers and if the table being
+  ** updated is a view
+  */
+#ifndef SQLITE_OMIT_TRIGGER
+  triggers_exist = sqlite3TriggersExist(pParse, pTab, TK_UPDATE, pChanges);
+  isView = pTab->pSelect!=0;
+#else
+# define triggers_exist 0
+# define isView 0
+#endif
+#ifdef SQLITE_OMIT_VIEW
+# undef isView
+# define isView 0
+#endif
+
+  if( sqlite3IsReadOnly(pParse, pTab, triggers_exist) ){
+    goto update_cleanup;
+  }
+  if( sqlite3ViewGetColumnNames(pParse, pTab) ){
+    goto update_cleanup;
+  }
+  aXRef = sqliteMallocRaw( sizeof(int) * pTab->nCol );
+  if( aXRef==0 ) goto update_cleanup;
+  for(i=0; i<pTab->nCol; i++) aXRef[i] = -1;
+
+  /* If there are FOR EACH ROW triggers, allocate cursors for the
+  ** special OLD and NEW tables
+  */
+  if( triggers_exist ){
+    newIdx = pParse->nTab++;
+    oldIdx = pParse->nTab++;
+  }
+
+  /* Allocate a cursors for the main database table and for all indices.
+  ** The index cursors might not be used, but if they are used they
+  ** need to occur right after the database cursor.  So go ahead and
+  ** allocate enough space, just in case.
+  */
+  pTabList->a[0].iCursor = iCur = pParse->nTab++;
+  for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+    pParse->nTab++;
+  }
+
+  /* Initialize the name-context */
+  memset(&sNC, 0, sizeof(sNC));
+  sNC.pParse = pParse;
+  sNC.pSrcList = pTabList;
+
+  /* Resolve the column names in all the expressions of the
+  ** of the UPDATE statement.  Also find the column index
+  ** for each column to be updated in the pChanges array.  For each
+  ** column to be updated, make sure we have authorization to change
+  ** that column.
+  */
+  chngRowid = 0;
+  for(i=0; i<pChanges->nExpr; i++){
+    if( sqlite3ExprResolveNames(&sNC, pChanges->a[i].pExpr) ){
+      goto update_cleanup;
+    }
+    for(j=0; j<pTab->nCol; j++){
+      if( sqlite3StrICmp(pTab->aCol[j].zName, pChanges->a[i].zName)==0 ){
+        if( j==pTab->iPKey ){
+          chngRowid = 1;
+          pRowidExpr = pChanges->a[i].pExpr;
+        }
+        aXRef[j] = i;
+        break;
+      }
+    }
+    if( j>=pTab->nCol ){
+      if( sqlite3IsRowid(pChanges->a[i].zName) ){
+        chngRowid = 1;
+        pRowidExpr = pChanges->a[i].pExpr;
+      }else{
+        sqlite3ErrorMsg(pParse, "no such column: %s", pChanges->a[i].zName);
+        goto update_cleanup;
+      }
+    }
+#ifndef SQLITE_OMIT_AUTHORIZATION
+    {
+      int rc;
+      rc = sqlite3AuthCheck(pParse, SQLITE_UPDATE, pTab->zName,
+                           pTab->aCol[j].zName, db->aDb[iDb].zName);
+      if( rc==SQLITE_DENY ){
+        goto update_cleanup;
+      }else if( rc==SQLITE_IGNORE ){
+        aXRef[j] = -1;
+      }
+    }
+#endif
+  }
+
+  /* Allocate memory for the array apIdx[] and fill it with pointers to every
+  ** index that needs to be updated.  Indices only need updating if their
+  ** key includes one of the columns named in pChanges or if the record
+  ** number of the original table entry is changing.
+  */
+  for(nIdx=nIdxTotal=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, nIdxTotal++){
+    if( chngRowid ){
+      i = 0;
+    }else {
+      for(i=0; i<pIdx->nColumn; i++){
+        if( aXRef[pIdx->aiColumn[i]]>=0 ) break;
+      }
+    }
+    if( i<pIdx->nColumn ) nIdx++;
+  }
+  if( nIdxTotal>0 ){
+    apIdx = sqliteMallocRaw( sizeof(Index*) * nIdx + nIdxTotal );
+    if( apIdx==0 ) goto update_cleanup;
+    aIdxUsed = (char*)&apIdx[nIdx];
+  }
+  for(nIdx=j=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, j++){
+    if( chngRowid ){
+      i = 0;
+    }else{
+      for(i=0; i<pIdx->nColumn; i++){
+        if( aXRef[pIdx->aiColumn[i]]>=0 ) break;
+      }
+    }
+    if( i<pIdx->nColumn ){
+      apIdx[nIdx++] = pIdx;
+      aIdxUsed[j] = 1;
+    }else{
+      aIdxUsed[j] = 0;
+    }
+  }
+
+  /* Begin generating code.
+  */
+  v = sqlite3GetVdbe(pParse);
+  if( v==0 ) goto update_cleanup;
+  if( pParse->nested==0 ) sqlite3VdbeCountChanges(v);
+  sqlite3BeginWriteOperation(pParse, 1, iDb);
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  /* Virtual tables must be handled separately */
+  if( IsVirtual(pTab) ){
+    updateVirtualTable(pParse, pTabList, pTab, pChanges, pRowidExpr, aXRef,
+                       pWhere);
+    pWhere = 0;
+    pTabList = 0;
+    goto update_cleanup;
+  }
+#endif
+
+  /* Resolve the column names in all the expressions in the
+  ** WHERE clause.
+  */
+  if( sqlite3ExprResolveNames(&sNC, pWhere) ){
+    goto update_cleanup;
+  }
+
+  /* Start the view context
+  */
+  if( isView ){
+    sqlite3AuthContextPush(pParse, &sContext, pTab->zName);
+  }
+
+  /* If we are trying to update a view, realize that view into
+  ** a ephemeral table.
+  */
+  if( isView ){
+    Select *pView;
+    pView = sqlite3SelectDup(pTab->pSelect);
+    sqlite3Select(pParse, pView, SRT_EphemTab, iCur, 0, 0, 0, 0);
+    sqlite3SelectDelete(pView);
+  }
+
+  /* Begin the database scan
+  */
+  pWInfo = sqlite3WhereBegin(pParse, pTabList, pWhere, 0);
+  if( pWInfo==0 ) goto update_cleanup;
+
+  /* Remember the rowid of every item to be updated.
+  */
+  sqlite3VdbeAddOp(v, IsVirtual(pTab) ? OP_VRowid : OP_Rowid, iCur, 0);
+  sqlite3VdbeAddOp(v, OP_FifoWrite, 0, 0);
+
+  /* End the database scan loop.
+  */
+  sqlite3WhereEnd(pWInfo);
+
+  /* Initialize the count of updated rows
+  */
+  if( db->flags & SQLITE_CountRows && !pParse->trigStack ){
+    memCnt = pParse->nMem++;
+    sqlite3VdbeAddOp(v, OP_MemInt, 0, memCnt);
+  }
+
+  if( triggers_exist ){
+    /* Create pseudo-tables for NEW and OLD
+    */
+    sqlite3VdbeAddOp(v, OP_OpenPseudo, oldIdx, 0);
+    sqlite3VdbeAddOp(v, OP_SetNumColumns, oldIdx, pTab->nCol);
+    sqlite3VdbeAddOp(v, OP_OpenPseudo, newIdx, 0);
+    sqlite3VdbeAddOp(v, OP_SetNumColumns, newIdx, pTab->nCol);
+
+    /* The top of the update loop for when there are triggers.
+    */
+    addr = sqlite3VdbeAddOp(v, OP_FifoRead, 0, 0);
+
+    if( !isView ){
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+      /* Open a cursor and make it point to the record that is
+      ** being updated.
+      */
+      sqlite3OpenTable(pParse, iCur, iDb, pTab, OP_OpenRead);
+    }
+    sqlite3VdbeAddOp(v, OP_MoveGe, iCur, 0);
+
+    /* Generate the OLD table
+    */
+    sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+    sqlite3VdbeAddOp(v, OP_RowData, iCur, 0);
+    sqlite3VdbeAddOp(v, OP_Insert, oldIdx, 0);
+
+    /* Generate the NEW table
+    */
+    if( chngRowid ){
+      sqlite3ExprCodeAndCache(pParse, pRowidExpr);
+    }else{
+      sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+    }
+    for(i=0; i<pTab->nCol; i++){
+      if( i==pTab->iPKey ){
+        sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+        continue;
+      }
+      j = aXRef[i];
+      if( j<0 ){
+        sqlite3VdbeAddOp(v, OP_Column, iCur, i);
+        sqlite3ColumnDefault(v, pTab, i);
+      }else{
+        sqlite3ExprCodeAndCache(pParse, pChanges->a[j].pExpr);
+      }
+    }
+    sqlite3VdbeAddOp(v, OP_MakeRecord, pTab->nCol, 0);
+    if( !isView ){
+      sqlite3TableAffinityStr(v, pTab);
+    }
+    if( pParse->nErr ) goto update_cleanup;
+    sqlite3VdbeAddOp(v, OP_Insert, newIdx, 0);
+    if( !isView ){
+      sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+    }
+
+    /* Fire the BEFORE and INSTEAD OF triggers
+    */
+    if( sqlite3CodeRowTrigger(pParse, TK_UPDATE, pChanges, TRIGGER_BEFORE, pTab,
+          newIdx, oldIdx, onError, addr) ){
+      goto update_cleanup;
+    }
+  }
+
+  if( !isView && !IsVirtual(pTab) ){
+    /* 
+    ** Open every index that needs updating.  Note that if any
+    ** index could potentially invoke a REPLACE conflict resolution 
+    ** action, then we need to open all indices because we might need
+    ** to be deleting some records.
+    */
+    sqlite3OpenTable(pParse, iCur, iDb, pTab, OP_OpenWrite); 
+    if( onError==OE_Replace ){
+      openAll = 1;
+    }else{
+      openAll = 0;
+      for(pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext){
+        if( pIdx->onError==OE_Replace ){
+          openAll = 1;
+          break;
+        }
+      }
+    }
+    for(i=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, i++){
+      if( openAll || aIdxUsed[i] ){
+        KeyInfo *pKey = sqlite3IndexKeyinfo(pParse, pIdx);
+        sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+        sqlite3VdbeOp3(v, OP_OpenWrite, iCur+i+1, pIdx->tnum,
+                       (char*)pKey, P3_KEYINFO_HANDOFF);
+        assert( pParse->nTab>iCur+i+1 );
+      }
+    }
+
+    /* Loop over every record that needs updating.  We have to load
+    ** the old data for each record to be updated because some columns
+    ** might not change and we will need to copy the old value.
+    ** Also, the old data is needed to delete the old index entries.
+    ** So make the cursor point at the old record.
+    */
+    if( !triggers_exist ){
+      addr = sqlite3VdbeAddOp(v, OP_FifoRead, 0, 0);
+      sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+    }
+    sqlite3VdbeAddOp(v, OP_NotExists, iCur, addr);
+
+    /* If the record number will change, push the record number as it
+    ** will be after the update. (The old record number is currently
+    ** on top of the stack.)
+    */
+    if( chngRowid ){
+      sqlite3ExprCode(pParse, pRowidExpr);
+      sqlite3VdbeAddOp(v, OP_MustBeInt, 0, 0);
+    }
+
+    /* Compute new data for this record.  
+    */
+    for(i=0; i<pTab->nCol; i++){
+      if( i==pTab->iPKey ){
+        sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+        continue;
+      }
+      j = aXRef[i];
+      if( j<0 ){
+        sqlite3VdbeAddOp(v, OP_Column, iCur, i);
+        sqlite3ColumnDefault(v, pTab, i);
+      }else{
+        sqlite3ExprCode(pParse, pChanges->a[j].pExpr);
+      }
+    }
+
+    /* Do constraint checks
+    */
+    sqlite3GenerateConstraintChecks(pParse, pTab, iCur, aIdxUsed, chngRowid, 1,
+                                   onError, addr);
+
+    /* Delete the old indices for the current record.
+    */
+    sqlite3GenerateRowIndexDelete(v, pTab, iCur, aIdxUsed);
+
+    /* If changing the record number, delete the old record.
+    */
+    if( chngRowid ){
+      sqlite3VdbeAddOp(v, OP_Delete, iCur, 0);
+    }
+
+    /* Create the new index entries and the new record.
+    */
+    sqlite3CompleteInsertion(pParse, pTab, iCur, aIdxUsed, chngRowid, 1, -1, 0);
+  }
+
+  /* Increment the row counter 
+  */
+  if( db->flags & SQLITE_CountRows && !pParse->trigStack){
+    sqlite3VdbeAddOp(v, OP_MemIncr, 1, memCnt);
+  }
+
+  /* If there are triggers, close all the cursors after each iteration
+  ** through the loop.  The fire the after triggers.
+  */
+  if( triggers_exist ){
+    if( !isView ){
+      for(i=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, i++){
+        if( openAll || aIdxUsed[i] )
+          sqlite3VdbeAddOp(v, OP_Close, iCur+i+1, 0);
+      }
+      sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+    }
+    if( sqlite3CodeRowTrigger(pParse, TK_UPDATE, pChanges, TRIGGER_AFTER, pTab, 
+          newIdx, oldIdx, onError, addr) ){
+      goto update_cleanup;
+    }
+  }
+
+  /* Repeat the above with the next record to be updated, until
+  ** all record selected by the WHERE clause have been updated.
+  */
+  sqlite3VdbeAddOp(v, OP_Goto, 0, addr);
+  sqlite3VdbeJumpHere(v, addr);
+
+  /* Close all tables if there were no FOR EACH ROW triggers */
+  if( !triggers_exist ){
+    for(i=0, pIdx=pTab->pIndex; pIdx; pIdx=pIdx->pNext, i++){
+      if( openAll || aIdxUsed[i] ){
+        sqlite3VdbeAddOp(v, OP_Close, iCur+i+1, 0);
+      }
+    }
+    sqlite3VdbeAddOp(v, OP_Close, iCur, 0);
+  }else{
+    sqlite3VdbeAddOp(v, OP_Close, newIdx, 0);
+    sqlite3VdbeAddOp(v, OP_Close, oldIdx, 0);
+  }
+
+  /*
+  ** Return the number of rows that were changed. If this routine is 
+  ** generating code because of a call to sqlite3NestedParse(), do not
+  ** invoke the callback function.
+  */
+  if( db->flags & SQLITE_CountRows && !pParse->trigStack && pParse->nested==0 ){
+    sqlite3VdbeAddOp(v, OP_MemLoad, memCnt, 0);
+    sqlite3VdbeAddOp(v, OP_Callback, 1, 0);
+    sqlite3VdbeSetNumCols(v, 1);
+    sqlite3VdbeSetColName(v, 0, COLNAME_NAME, "rows updated", P3_STATIC);
+  }
+
+update_cleanup:
+  sqlite3AuthContextPop(&sContext);
+  sqliteFree(apIdx);
+  sqliteFree(aXRef);
+  sqlite3SrcListDelete(pTabList);
+  sqlite3ExprListDelete(pChanges);
+  sqlite3ExprDelete(pWhere);
+  return;
+}
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/*
+** Generate code for an UPDATE of a virtual table.
+**
+** The strategy is that we create an ephemerial table that contains
+** for each row to be changed:
+**
+**   (A)  The original rowid of that row.
+**   (B)  The revised rowid for the row. (note1)
+**   (C)  The content of every column in the row.
+**
+** Then we loop over this ephemeral table and for each row in
+** the ephermeral table call VUpdate.
+**
+** When finished, drop the ephemeral table.
+**
+** (note1) Actually, if we know in advance that (A) is always the same
+** as (B) we only store (A), then duplicate (A) when pulling
+** it out of the ephemeral table before calling VUpdate.
+*/
+static void updateVirtualTable(
+  Parse *pParse,       /* The parsing context */
+  SrcList *pSrc,       /* The virtual table to be modified */
+  Table *pTab,         /* The virtual table */
+  ExprList *pChanges,  /* The columns to change in the UPDATE statement */
+  Expr *pRowid,        /* Expression used to recompute the rowid */
+  int *aXRef,          /* Mapping from columns of pTab to entries in pChanges */
+  Expr *pWhere         /* WHERE clause of the UPDATE statement */
+){
+  Vdbe *v = pParse->pVdbe;  /* Virtual machine under construction */
+  ExprList *pEList = 0;     /* The result set of the SELECT statement */
+  Select *pSelect = 0;      /* The SELECT statement */
+  Expr *pExpr;              /* Temporary expression */
+  int ephemTab;             /* Table holding the result of the SELECT */
+  int i;                    /* Loop counter */
+  int addr;                 /* Address of top of loop */
+
+  /* Construct the SELECT statement that will find the new values for
+  ** all updated rows. 
+  */
+  pEList = sqlite3ExprListAppend(0, sqlite3CreateIdExpr("_rowid_"), 0);
+  if( pRowid ){
+    pEList = sqlite3ExprListAppend(pEList, sqlite3ExprDup(pRowid), 0);
+  }
+  assert( pTab->iPKey<0 );
+  for(i=0; i<pTab->nCol; i++){
+    if( aXRef[i]>=0 ){
+      pExpr = sqlite3ExprDup(pChanges->a[aXRef[i]].pExpr);
+    }else{
+      pExpr = sqlite3CreateIdExpr(pTab->aCol[i].zName);
+    }
+    pEList = sqlite3ExprListAppend(pEList, pExpr, 0);
+  }
+  pSelect = sqlite3SelectNew(pEList, pSrc, pWhere, 0, 0, 0, 0, 0, 0);
+  
+  /* Create the ephemeral table into which the update results will
+  ** be stored.
+  */
+  assert( v );
+  ephemTab = pParse->nTab++;
+  sqlite3VdbeAddOp(v, OP_OpenEphemeral, ephemTab, pTab->nCol+1+(pRowid!=0));
+
+  /* fill the ephemeral table 
+  */
+  sqlite3Select(pParse, pSelect, SRT_Table, ephemTab, 0, 0, 0, 0);
+
+  /*
+  ** Generate code to scan the ephemeral table and call VDelete and
+  ** VInsert
+  */
+  sqlite3VdbeAddOp(v, OP_Rewind, ephemTab, 0);
+  addr = sqlite3VdbeCurrentAddr(v);
+  sqlite3VdbeAddOp(v, OP_Column,  ephemTab, 0);
+  if( pRowid ){
+    sqlite3VdbeAddOp(v, OP_Column, ephemTab, 1);
+  }else{
+    sqlite3VdbeAddOp(v, OP_Dup, 0, 0);
+  }
+  for(i=0; i<pTab->nCol; i++){
+    sqlite3VdbeAddOp(v, OP_Column, ephemTab, i+1+(pRowid!=0));
+  }
+  pParse->pVirtualLock = pTab;
+  sqlite3VdbeOp3(v, OP_VUpdate, 0, pTab->nCol+2, 
+                     (const char*)pTab->pVtab, P3_VTAB);
+  sqlite3VdbeAddOp(v, OP_Next, ephemTab, addr);
+  sqlite3VdbeJumpHere(v, addr-1);
+  sqlite3VdbeAddOp(v, OP_Close, ephemTab, 0);
+
+  /* Cleanup */
+  sqlite3SelectDelete(pSelect);  
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/************** End of update.c **********************************************/
+/************** Begin file vacuum.c ******************************************/
+/*
+** 2003 April 6
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to implement the VACUUM command.
+**
+** Most of the code in this file may be omitted by defining the
+** SQLITE_OMIT_VACUUM macro.
+**
+** $Id$
+*/
+
+#if !defined(SQLITE_OMIT_VACUUM) && !defined(SQLITE_OMIT_ATTACH)
+/*
+** Execute zSql on database db. Return an error code.
+*/
+static int execSql(sqlite3 *db, const char *zSql){
+  sqlite3_stmt *pStmt;
+  if( SQLITE_OK!=sqlite3_prepare(db, zSql, -1, &pStmt, 0) ){
+    return sqlite3_errcode(db);
+  }
+  while( SQLITE_ROW==sqlite3_step(pStmt) ){}
+  return sqlite3_finalize(pStmt);
+}
+
+/*
+** Execute zSql on database db. The statement returns exactly
+** one column. Execute this as SQL on the same database.
+*/
+static int execExecSql(sqlite3 *db, const char *zSql){
+  sqlite3_stmt *pStmt;
+  int rc;
+
+  rc = sqlite3_prepare(db, zSql, -1, &pStmt, 0);
+  if( rc!=SQLITE_OK ) return rc;
+
+  while( SQLITE_ROW==sqlite3_step(pStmt) ){
+    rc = execSql(db, (char*)sqlite3_column_text(pStmt, 0));
+    if( rc!=SQLITE_OK ){
+      sqlite3_finalize(pStmt);
+      return rc;
+    }
+  }
+
+  return sqlite3_finalize(pStmt);
+}
+
+/*
+** The non-standard VACUUM command is used to clean up the database,
+** collapse free space, etc.  It is modelled after the VACUUM command
+** in PostgreSQL.
+**
+** In version 1.0.x of SQLite, the VACUUM command would call
+** gdbm_reorganize() on all the database tables.  But beginning
+** with 2.0.0, SQLite no longer uses GDBM so this command has
+** become a no-op.
+*/
+void sqlite3Vacuum(Parse *pParse){
+  Vdbe *v = sqlite3GetVdbe(pParse);
+  if( v ){
+    sqlite3VdbeAddOp(v, OP_Vacuum, 0, 0);
+  }
+  return;
+}
+
+/*
+** This routine implements the OP_Vacuum opcode of the VDBE.
+*/
+int sqlite3RunVacuum(char **pzErrMsg, sqlite3 *db){
+  int rc = SQLITE_OK;     /* Return code from service routines */
+  Btree *pMain;           /* The database being vacuumed */
+  Btree *pTemp;           /* The temporary database we vacuum into */
+  char *zSql = 0;         /* SQL statements */
+  int saved_flags;        /* Saved value of the db->flags */
+  Db *pDb = 0;            /* Database to detach at end of vacuum */
+
+  /* Save the current value of the write-schema flag before setting it. */
+  saved_flags = db->flags;
+  db->flags |= SQLITE_WriteSchema | SQLITE_IgnoreChecks;
+
+  if( !db->autoCommit ){
+    sqlite3SetString(pzErrMsg, "cannot VACUUM from within a transaction", 
+       (char*)0);
+    rc = SQLITE_ERROR;
+    goto end_of_vacuum;
+  }
+  pMain = db->aDb[0].pBt;
+
+  /* Attach the temporary database as 'vacuum_db'. The synchronous pragma
+  ** can be set to 'off' for this file, as it is not recovered if a crash
+  ** occurs anyway. The integrity of the database is maintained by a
+  ** (possibly synchronous) transaction opened on the main database before
+  ** sqlite3BtreeCopyFile() is called.
+  **
+  ** An optimisation would be to use a non-journaled pager.
+  */
+  zSql = "ATTACH '' AS vacuum_db;";
+  rc = execSql(db, zSql);
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+  pDb = &db->aDb[db->nDb-1];
+  assert( strcmp(db->aDb[db->nDb-1].zName,"vacuum_db")==0 );
+  pTemp = db->aDb[db->nDb-1].pBt;
+  sqlite3BtreeSetPageSize(pTemp, sqlite3BtreeGetPageSize(pMain),
+     sqlite3BtreeGetReserve(pMain));
+  if( sqlite3MallocFailed() ){
+    rc = SQLITE_NOMEM;
+    goto end_of_vacuum;
+  }
+  assert( sqlite3BtreeGetPageSize(pTemp)==sqlite3BtreeGetPageSize(pMain) );
+  rc = execSql(db, "PRAGMA vacuum_db.synchronous=OFF");
+  if( rc!=SQLITE_OK ){
+    goto end_of_vacuum;
+  }
+
+#ifndef SQLITE_OMIT_AUTOVACUUM
+  sqlite3BtreeSetAutoVacuum(pTemp, sqlite3BtreeGetAutoVacuum(pMain));
+#endif
+
+  /* Begin a transaction */
+  rc = execSql(db, "BEGIN EXCLUSIVE;");
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+
+  /* Query the schema of the main database. Create a mirror schema
+  ** in the temporary database.
+  */
+  rc = execExecSql(db, 
+      "SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) "
+      "  FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'"
+      "   AND rootpage>0"
+  );
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+  rc = execExecSql(db, 
+      "SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000)"
+      "  FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' ");
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+  rc = execExecSql(db, 
+      "SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) "
+      "  FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'");
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+
+  /* Loop through the tables in the main database. For each, do
+  ** an "INSERT INTO vacuum_db.xxx SELECT * FROM xxx;" to copy
+  ** the contents to the temporary database.
+  */
+  rc = execExecSql(db, 
+      "SELECT 'INSERT INTO vacuum_db.' || quote(name) "
+      "|| ' SELECT * FROM ' || quote(name) || ';'"
+      "FROM sqlite_master "
+      "WHERE type = 'table' AND name!='sqlite_sequence' "
+      "  AND rootpage>0"
+
+  );
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+
+  /* Copy over the sequence table
+  */
+  rc = execExecSql(db, 
+      "SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' "
+      "FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' "
+  );
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+  rc = execExecSql(db, 
+      "SELECT 'INSERT INTO vacuum_db.' || quote(name) "
+      "|| ' SELECT * FROM ' || quote(name) || ';' "
+      "FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';"
+  );
+  if( rc!=SQLITE_OK ) goto end_of_vacuum;
+
+
+  /* Copy the triggers, views, and virtual tables from the main database
+  ** over to the temporary database.  None of these objects has any
+  ** associated storage, so all we have to do is copy their entries
+  ** from the SQLITE_MASTER table.
+  */
+  rc = execSql(db,
+      "INSERT INTO vacuum_db.sqlite_master "
+      "  SELECT type, name, tbl_name, rootpage, sql"
+      "    FROM sqlite_master"
+      "   WHERE type='view' OR type='trigger'"
+      "      OR (type='table' AND rootpage=0)"
+  );
+  if( rc ) goto end_of_vacuum;
+
+  /* At this point, unless the main db was completely empty, there is now a
+  ** transaction open on the vacuum database, but not on the main database.
+  ** Open a btree level transaction on the main database. This allows a
+  ** call to sqlite3BtreeCopyFile(). The main database btree level
+  ** transaction is then committed, so the SQL level never knows it was
+  ** opened for writing. This way, the SQL transaction used to create the
+  ** temporary database never needs to be committed.
+  */
+  if( rc==SQLITE_OK ){
+    u32 meta;
+    int i;
+
+    /* This array determines which meta meta values are preserved in the
+    ** vacuum.  Even entries are the meta value number and odd entries
+    ** are an increment to apply to the meta value after the vacuum.
+    ** The increment is used to increase the schema cookie so that other
+    ** connections to the same database will know to reread the schema.
+    */
+    static const unsigned char aCopy[] = {
+       1, 1,    /* Add one to the old schema cookie */
+       3, 0,    /* Preserve the default page cache size */
+       5, 0,    /* Preserve the default text encoding */
+       6, 0,    /* Preserve the user version */
+    };
+
+    assert( 1==sqlite3BtreeIsInTrans(pTemp) );
+    assert( 1==sqlite3BtreeIsInTrans(pMain) );
+
+    /* Copy Btree meta values */
+    for(i=0; i<sizeof(aCopy)/sizeof(aCopy[0]); i+=2){
+      rc = sqlite3BtreeGetMeta(pMain, aCopy[i], &meta);
+      if( rc!=SQLITE_OK ) goto end_of_vacuum;
+      rc = sqlite3BtreeUpdateMeta(pTemp, aCopy[i], meta+aCopy[i+1]);
+      if( rc!=SQLITE_OK ) goto end_of_vacuum;
+    }
+
+    rc = sqlite3BtreeCopyFile(pMain, pTemp);
+    if( rc!=SQLITE_OK ) goto end_of_vacuum;
+    rc = sqlite3BtreeCommit(pTemp);
+    if( rc!=SQLITE_OK ) goto end_of_vacuum;
+    rc = sqlite3BtreeCommit(pMain);
+  }
+
+end_of_vacuum:
+  /* Restore the original value of db->flags */
+  db->flags = saved_flags;
+
+  /* Currently there is an SQL level transaction open on the vacuum
+  ** database. No locks are held on any other files (since the main file
+  ** was committed at the btree level). So it safe to end the transaction
+  ** by manually setting the autoCommit flag to true and detaching the
+  ** vacuum database. The vacuum_db journal file is deleted when the pager
+  ** is closed by the DETACH.
+  */
+  db->autoCommit = 1;
+
+  if( pDb ){
+    sqlite3MallocDisallow();
+    sqlite3BtreeClose(pDb->pBt);
+    sqlite3MallocAllow();
+    pDb->pBt = 0;
+    pDb->pSchema = 0;
+  }
+
+  sqlite3ResetInternalSchema(db, 0);
+
+  return rc;
+}
+#endif  /* SQLITE_OMIT_VACUUM && SQLITE_OMIT_ATTACH */
+
+/************** End of vacuum.c **********************************************/
+/************** Begin file vtab.c ********************************************/
+/*
+** 2006 June 10
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This file contains code used to help implement virtual tables.
+**
+** $Id$
+*/
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+
+/*
+** External API function used to create a new virtual-table module.
+*/
+int sqlite3_create_module(
+  sqlite3 *db,                    /* Database in which module is registered */
+  const char *zName,              /* Name assigned to this module */
+  const sqlite3_module *pModule,  /* The definition of the module */
+  void *pAux                      /* Context pointer for xCreate/xConnect */
+){
+  int nName = strlen(zName);
+  Module *pMod = (Module *)sqliteMallocRaw(sizeof(Module) + nName + 1);
+  if( pMod ){
+    char *zCopy = (char *)(&pMod[1]);
+    strcpy(zCopy, zName);
+    pMod->zName = zCopy;
+    pMod->pModule = pModule;
+    pMod->pAux = pAux;
+    pMod = (Module *)sqlite3HashInsert(&db->aModule, zCopy, nName, (void*)pMod);
+    sqliteFree(pMod);
+    sqlite3ResetInternalSchema(db, 0);
+  }
+  return sqlite3ApiExit(db, SQLITE_OK);
+}
+
+/*
+** Lock the virtual table so that it cannot be disconnected.
+** Locks nest.  Every lock should have a corresponding unlock.
+** If an unlock is omitted, resources leaks will occur.  
+**
+** If a disconnect is attempted while a virtual table is locked,
+** the disconnect is deferred until all locks have been removed.
+*/
+void sqlite3VtabLock(sqlite3_vtab *pVtab){
+  pVtab->nRef++;
+}
+
+/*
+** Unlock a virtual table.  When the last lock is removed,
+** disconnect the virtual table.
+*/
+void sqlite3VtabUnlock(sqlite3 *db, sqlite3_vtab *pVtab){
+  pVtab->nRef--;
+  assert(db);
+  assert(!sqlite3SafetyCheck(db));
+  if( pVtab->nRef==0 ){
+    if( db->magic==SQLITE_MAGIC_BUSY ){
+      sqlite3SafetyOff(db);
+      pVtab->pModule->xDisconnect(pVtab);
+      sqlite3SafetyOn(db);
+    } else {
+      pVtab->pModule->xDisconnect(pVtab);
+    }
+  }
+}
+
+/*
+** Clear any and all virtual-table information from the Table record.
+** This routine is called, for example, just before deleting the Table
+** record.
+*/
+void sqlite3VtabClear(Table *p){
+  sqlite3_vtab *pVtab = p->pVtab;
+  if( pVtab ){
+    assert( p->pMod && p->pMod->pModule );
+    sqlite3VtabUnlock(p->pSchema->db, pVtab);
+    p->pVtab = 0;
+  }
+  if( p->azModuleArg ){
+    int i;
+    for(i=0; i<p->nModuleArg; i++){
+      sqliteFree(p->azModuleArg[i]);
+    }
+    sqliteFree(p->azModuleArg);
+  }
+}
+
+/*
+** Add a new module argument to pTable->azModuleArg[].
+** The string is not copied - the pointer is stored.  The
+** string will be freed automatically when the table is
+** deleted.
+*/
+static void addModuleArgument(Table *pTable, char *zArg){
+  int i = pTable->nModuleArg++;
+  int nBytes = sizeof(char *)*(1+pTable->nModuleArg);
+  char **azModuleArg;
+  azModuleArg = sqliteRealloc(pTable->azModuleArg, nBytes);
+  if( azModuleArg==0 ){
+    int j;
+    for(j=0; j<i; j++){
+      sqliteFree(pTable->azModuleArg[j]);
+    }
+    sqliteFree(zArg);
+    sqliteFree(pTable->azModuleArg);
+    pTable->nModuleArg = 0;
+  }else{
+    azModuleArg[i] = zArg;
+    azModuleArg[i+1] = 0;
+  }
+  pTable->azModuleArg = azModuleArg;
+}
+
+/*
+** The parser calls this routine when it first sees a CREATE VIRTUAL TABLE
+** statement.  The module name has been parsed, but the optional list
+** of parameters that follow the module name are still pending.
+*/
+void sqlite3VtabBeginParse(
+  Parse *pParse,        /* Parsing context */
+  Token *pName1,        /* Name of new table, or database name */
+  Token *pName2,        /* Name of new table or NULL */
+  Token *pModuleName    /* Name of the module for the virtual table */
+){
+  int iDb;              /* The database the table is being created in */
+  Table *pTable;        /* The new virtual table */
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  if( sqlite3ThreadDataReadOnly()->useSharedData ){
+    sqlite3ErrorMsg(pParse, "Cannot use virtual tables in shared-cache mode");
+    return;
+  }
+#endif
+
+  sqlite3StartTable(pParse, pName1, pName2, 0, 0, 1, 0);
+  pTable = pParse->pNewTable;
+  if( pTable==0 || pParse->nErr ) return;
+  assert( 0==pTable->pIndex );
+
+  iDb = sqlite3SchemaToIndex(pParse->db, pTable->pSchema);
+  assert( iDb>=0 );
+
+  pTable->isVirtual = 1;
+  pTable->nModuleArg = 0;
+  addModuleArgument(pTable, sqlite3NameFromToken(pModuleName));
+  addModuleArgument(pTable, sqlite3StrDup(pParse->db->aDb[iDb].zName));
+  addModuleArgument(pTable, sqlite3StrDup(pTable->zName));
+  pParse->sNameToken.n = pModuleName->z + pModuleName->n - pName1->z;
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+  /* Creating a virtual table invokes the authorization callback twice.
+  ** The first invocation, to obtain permission to INSERT a row into the
+  ** sqlite_master table, has already been made by sqlite3StartTable().
+  ** The second call, to obtain permission to create the table, is made now.
+  */
+  if( pTable->azModuleArg ){
+    sqlite3AuthCheck(pParse, SQLITE_CREATE_VTABLE, pTable->zName, 
+            pTable->azModuleArg[0], pParse->db->aDb[iDb].zName);
+  }
+#endif
+}
+
+/*
+** This routine takes the module argument that has been accumulating
+** in pParse->zArg[] and appends it to the list of arguments on the
+** virtual table currently under construction in pParse->pTable.
+*/
+static void addArgumentToVtab(Parse *pParse){
+  if( pParse->sArg.z && pParse->pNewTable ){
+    const char *z = (const char*)pParse->sArg.z;
+    int n = pParse->sArg.n;
+    addModuleArgument(pParse->pNewTable, sqliteStrNDup(z, n));
+  }
+}
+
+/*
+** The parser calls this routine after the CREATE VIRTUAL TABLE statement
+** has been completely parsed.
+*/
+void sqlite3VtabFinishParse(Parse *pParse, Token *pEnd){
+  Table *pTab;        /* The table being constructed */
+  sqlite3 *db;        /* The database connection */
+  char *zModule;      /* The module name of the table: USING modulename */
+  Module *pMod = 0;
+
+  addArgumentToVtab(pParse);
+  pParse->sArg.z = 0;
+
+  /* Lookup the module name. */
+  pTab = pParse->pNewTable;
+  if( pTab==0 ) return;
+  db = pParse->db;
+  if( pTab->nModuleArg<1 ) return;
+  zModule = pTab->azModuleArg[0];
+  pMod = (Module *)sqlite3HashFind(&db->aModule, zModule, strlen(zModule));
+  pTab->pMod = pMod;
+  
+  /* If the CREATE VIRTUAL TABLE statement is being entered for the
+  ** first time (in other words if the virtual table is actually being
+  ** created now instead of just being read out of sqlite_master) then
+  ** do additional initialization work and store the statement text
+  ** in the sqlite_master table.
+  */
+  if( !db->init.busy ){
+    char *zStmt;
+    char *zWhere;
+    int iDb;
+    Vdbe *v;
+
+    /* Compute the complete text of the CREATE VIRTUAL TABLE statement */
+    if( pEnd ){
+      pParse->sNameToken.n = pEnd->z - pParse->sNameToken.z + pEnd->n;
+    }
+    zStmt = sqlite3MPrintf("CREATE VIRTUAL TABLE %T", &pParse->sNameToken);
+
+    /* A slot for the record has already been allocated in the 
+    ** SQLITE_MASTER table.  We just need to update that slot with all
+    ** the information we've collected.  
+    **
+    ** The top of the stack is the rootpage allocated by sqlite3StartTable().
+    ** This value is always 0 and is ignored, a virtual table does not have a
+    ** rootpage. The next entry on the stack is the rowid of the record
+    ** in the sqlite_master table.
+    */
+    iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
+    sqlite3NestedParse(pParse,
+      "UPDATE %Q.%s "
+         "SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q "
+       "WHERE rowid=#1",
+      db->aDb[iDb].zName, SCHEMA_TABLE(iDb),
+      pTab->zName,
+      pTab->zName,
+      zStmt
+    );
+    sqliteFree(zStmt);
+    v = sqlite3GetVdbe(pParse);
+    sqlite3ChangeCookie(db, v, iDb);
+
+    sqlite3VdbeAddOp(v, OP_Expire, 0, 0);
+    zWhere = sqlite3MPrintf("name='%q'", pTab->zName);
+    sqlite3VdbeOp3(v, OP_ParseSchema, iDb, 1, zWhere, P3_DYNAMIC);
+    sqlite3VdbeOp3(v, OP_VCreate, iDb, 0, pTab->zName, strlen(pTab->zName) + 1);
+  }
+
+  /* If we are rereading the sqlite_master table create the in-memory
+  ** record of the table. If the module has already been registered,
+  ** also call the xConnect method here.
+  */
+  else {
+    Table *pOld;
+    Schema *pSchema = pTab->pSchema;
+    const char *zName = pTab->zName;
+    int nName = strlen(zName) + 1;
+    pOld = sqlite3HashInsert(&pSchema->tblHash, zName, nName, pTab);
+    if( pOld ){
+      assert( pTab==pOld );  /* Malloc must have failed inside HashInsert() */
+      return;
+    }
+    pSchema->db = pParse->db;
+    pParse->pNewTable = 0;
+  }
+}
+
+/*
+** The parser calls this routine when it sees the first token
+** of an argument to the module name in a CREATE VIRTUAL TABLE statement.
+*/
+void sqlite3VtabArgInit(Parse *pParse){
+  addArgumentToVtab(pParse);
+  pParse->sArg.z = 0;
+  pParse->sArg.n = 0;
+}
+
+/*
+** The parser calls this routine for each token after the first token
+** in an argument to the module name in a CREATE VIRTUAL TABLE statement.
+*/
+void sqlite3VtabArgExtend(Parse *pParse, Token *p){
+  Token *pArg = &pParse->sArg;
+  if( pArg->z==0 ){
+    pArg->z = p->z;
+    pArg->n = p->n;
+  }else{
+    assert(pArg->z < p->z);
+    pArg->n = (p->z + p->n - pArg->z);
+  }
+}
+
+/*
+** Invoke a virtual table constructor (either xCreate or xConnect). The
+** pointer to the function to invoke is passed as the fourth parameter
+** to this procedure.
+*/
+static int vtabCallConstructor(
+  sqlite3 *db, 
+  Table *pTab,
+  Module *pMod,
+  int (*xConstruct)(sqlite3*,void*,int,const char*const*,sqlite3_vtab**,char**),
+  char **pzErr
+){
+  int rc;
+  int rc2;
+  sqlite3_vtab *pVtab;
+  const char *const*azArg = (const char *const*)pTab->azModuleArg;
+  int nArg = pTab->nModuleArg;
+  char *zErr = 0;
+  char *zModuleName = sqlite3MPrintf("%s", pTab->zName);
+
+  if( !zModuleName ){
+    return SQLITE_NOMEM;
+  }
+
+  assert( !db->pVTab );
+  assert( xConstruct );
+
+  db->pVTab = pTab;
+  rc = sqlite3SafetyOff(db);
+  assert( rc==SQLITE_OK );
+  rc = xConstruct(db, pMod->pAux, nArg, azArg, &pTab->pVtab, &zErr);
+  rc2 = sqlite3SafetyOn(db);
+  pVtab = pTab->pVtab;
+  if( rc==SQLITE_OK && pVtab ){
+    pVtab->pModule = pMod->pModule;
+    pVtab->nRef = 1;
+  }
+
+  if( SQLITE_OK!=rc ){
+    if( zErr==0 ){
+      *pzErr = sqlite3MPrintf("vtable constructor failed: %s", zModuleName);
+    }else {
+      *pzErr = sqlite3MPrintf("%s", zErr);
+      sqlite3_free(zErr);
+    }
+  }else if( db->pVTab ){
+    const char *zFormat = "vtable constructor did not declare schema: %s";
+    *pzErr = sqlite3MPrintf(zFormat, pTab->zName);
+    rc = SQLITE_ERROR;
+  } 
+  if( rc==SQLITE_OK ){
+    rc = rc2;
+  }
+  db->pVTab = 0;
+  sqliteFree(zModuleName);
+  return rc;
+}
+
+/*
+** This function is invoked by the parser to call the xConnect() method
+** of the virtual table pTab. If an error occurs, an error code is returned 
+** and an error left in pParse.
+**
+** This call is a no-op if table pTab is not a virtual table.
+*/
+int sqlite3VtabCallConnect(Parse *pParse, Table *pTab){
+  Module *pMod;
+  int rc = SQLITE_OK;
+
+  if( !pTab || !pTab->isVirtual || pTab->pVtab ){
+    return SQLITE_OK;
+  }
+
+  pMod = pTab->pMod;
+  if( !pMod ){
+    const char *zModule = pTab->azModuleArg[0];
+    sqlite3ErrorMsg(pParse, "no such module: %s", zModule);
+    rc = SQLITE_ERROR;
+  } else {
+    char *zErr = 0;
+    sqlite3 *db = pParse->db;
+    rc = vtabCallConstructor(db, pTab, pMod, pMod->pModule->xConnect, &zErr);
+    if( rc!=SQLITE_OK ){
+      sqlite3ErrorMsg(pParse, "%s", zErr);
+    }
+    sqliteFree(zErr);
+  }
+
+  return rc;
+}
+
+/*
+** Add the virtual table pVtab to the array sqlite3.aVTrans[].
+*/
+static int addToVTrans(sqlite3 *db, sqlite3_vtab *pVtab){
+  const int ARRAY_INCR = 5;
+
+  /* Grow the sqlite3.aVTrans array if required */
+  if( (db->nVTrans%ARRAY_INCR)==0 ){
+    sqlite3_vtab **aVTrans;
+    int nBytes = sizeof(sqlite3_vtab *) * (db->nVTrans + ARRAY_INCR);
+    aVTrans = sqliteRealloc((void *)db->aVTrans, nBytes);
+    if( !aVTrans ){
+      return SQLITE_NOMEM;
+    }
+    memset(&aVTrans[db->nVTrans], 0, sizeof(sqlite3_vtab *)*ARRAY_INCR);
+    db->aVTrans = aVTrans;
+  }
+
+  /* Add pVtab to the end of sqlite3.aVTrans */
+  db->aVTrans[db->nVTrans++] = pVtab;
+  sqlite3VtabLock(pVtab);
+  return SQLITE_OK;
+}
+
+/*
+** This function is invoked by the vdbe to call the xCreate method
+** of the virtual table named zTab in database iDb. 
+**
+** If an error occurs, *pzErr is set to point an an English language
+** description of the error and an SQLITE_XXX error code is returned.
+** In this case the caller must call sqliteFree() on *pzErr.
+*/
+int sqlite3VtabCallCreate(sqlite3 *db, int iDb, const char *zTab, char **pzErr){
+  int rc = SQLITE_OK;
+  Table *pTab;
+  Module *pMod;
+  const char *zModule;
+
+  pTab = sqlite3FindTable(db, zTab, db->aDb[iDb].zName);
+  assert(pTab && pTab->isVirtual && !pTab->pVtab);
+  pMod = pTab->pMod;
+  zModule = pTab->azModuleArg[0];
+
+  /* If the module has been registered and includes a Create method, 
+  ** invoke it now. If the module has not been registered, return an 
+  ** error. Otherwise, do nothing.
+  */
+  if( !pMod ){
+    *pzErr = sqlite3MPrintf("no such module: %s", zModule);
+    rc = SQLITE_ERROR;
+  }else{
+    rc = vtabCallConstructor(db, pTab, pMod, pMod->pModule->xCreate, pzErr);
+  }
+
+  if( rc==SQLITE_OK && pTab->pVtab ){
+      rc = addToVTrans(db, pTab->pVtab);
+  }
+
+  return rc;
+}
+
+/*
+** This function is used to set the schema of a virtual table.  It is only
+** valid to call this function from within the xCreate() or xConnect() of a
+** virtual table module.
+*/
+int sqlite3_declare_vtab(sqlite3 *db, const char *zCreateTable){
+  Parse sParse;
+
+  int rc = SQLITE_OK;
+  Table *pTab = db->pVTab;
+  char *zErr = 0;
+
+  if( !pTab ){
+    sqlite3Error(db, SQLITE_MISUSE, 0);
+    return SQLITE_MISUSE;
+  }
+  assert(pTab->isVirtual && pTab->nCol==0 && pTab->aCol==0);
+
+  memset(&sParse, 0, sizeof(Parse));
+  sParse.declareVtab = 1;
+  sParse.db = db;
+
+  if( 
+      SQLITE_OK == sqlite3RunParser(&sParse, zCreateTable, &zErr) && 
+      sParse.pNewTable && 
+      !sParse.pNewTable->pSelect && 
+      !sParse.pNewTable->isVirtual 
+  ){
+    pTab->aCol = sParse.pNewTable->aCol;
+    pTab->nCol = sParse.pNewTable->nCol;
+    sParse.pNewTable->nCol = 0;
+    sParse.pNewTable->aCol = 0;
+    db->pVTab = 0;
+  } else {
+    sqlite3Error(db, SQLITE_ERROR, zErr);
+    sqliteFree(zErr);
+    rc = SQLITE_ERROR;
+  }
+  sParse.declareVtab = 0;
+
+  sqlite3_finalize((sqlite3_stmt*)sParse.pVdbe);
+  sqlite3DeleteTable(sParse.pNewTable);
+  sParse.pNewTable = 0;
+
+  assert( (rc&0xff)==rc );
+  return sqlite3ApiExit(db, rc);
+}
+
+/*
+** This function is invoked by the vdbe to call the xDestroy method
+** of the virtual table named zTab in database iDb. This occurs
+** when a DROP TABLE is mentioned.
+**
+** This call is a no-op if zTab is not a virtual table.
+*/
+int sqlite3VtabCallDestroy(sqlite3 *db, int iDb, const char *zTab)
+{
+  int rc = SQLITE_OK;
+  Table *pTab;
+
+  pTab = sqlite3FindTable(db, zTab, db->aDb[iDb].zName);
+  assert(pTab);
+  if( pTab->pVtab ){
+    int (*xDestroy)(sqlite3_vtab *pVTab) = pTab->pMod->pModule->xDestroy;
+    rc = sqlite3SafetyOff(db);
+    assert( rc==SQLITE_OK );
+    if( xDestroy ){
+      rc = xDestroy(pTab->pVtab);
+    }
+    sqlite3SafetyOn(db);
+    if( rc==SQLITE_OK ){
+      pTab->pVtab = 0;
+    }
+  }
+
+  return rc;
+}
+
+/*
+** This function invokes either the xRollback or xCommit method
+** of each of the virtual tables in the sqlite3.aVTrans array. The method
+** called is identified by the second argument, "offset", which is
+** the offset of the method to call in the sqlite3_module structure.
+**
+** The array is cleared after invoking the callbacks. 
+*/
+static void callFinaliser(sqlite3 *db, int offset){
+  int i;
+  if( db->aVTrans ){
+    for(i=0; i<db->nVTrans && db->aVTrans[i]; i++){
+      sqlite3_vtab *pVtab = db->aVTrans[i];
+      int (*x)(sqlite3_vtab *);
+      x = *(int (**)(sqlite3_vtab *))((char *)pVtab->pModule + offset);
+      if( x ) x(pVtab);
+      sqlite3VtabUnlock(db, pVtab);
+    }
+    sqliteFree(db->aVTrans);
+    db->nVTrans = 0;
+    db->aVTrans = 0;
+  }
+}
+
+/*
+** If argument rc2 is not SQLITE_OK, then return it and do nothing. 
+** Otherwise, invoke the xSync method of all virtual tables in the 
+** sqlite3.aVTrans array. Return the error code for the first error 
+** that occurs, or SQLITE_OK if all xSync operations are successful.
+*/
+int sqlite3VtabSync(sqlite3 *db, int rc2){
+  int i;
+  int rc = SQLITE_OK;
+  int rcsafety;
+  sqlite3_vtab **aVTrans = db->aVTrans;
+  if( rc2!=SQLITE_OK ) return rc2;
+
+  rc = sqlite3SafetyOff(db);
+  db->aVTrans = 0;
+  for(i=0; rc==SQLITE_OK && i<db->nVTrans && aVTrans[i]; i++){
+    sqlite3_vtab *pVtab = aVTrans[i];
+    int (*x)(sqlite3_vtab *);
+    x = pVtab->pModule->xSync;
+    if( x ){
+      rc = x(pVtab);
+    }
+  }
+  db->aVTrans = aVTrans;
+  rcsafety = sqlite3SafetyOn(db);
+
+  if( rc==SQLITE_OK ){
+    rc = rcsafety;
+  }
+  return rc;
+}
+
+/*
+** Invoke the xRollback method of all virtual tables in the 
+** sqlite3.aVTrans array. Then clear the array itself.
+*/
+int sqlite3VtabRollback(sqlite3 *db){
+  callFinaliser(db, (int)(&((sqlite3_module *)0)->xRollback));
+  return SQLITE_OK;
+}
+
+/*
+** Invoke the xCommit method of all virtual tables in the 
+** sqlite3.aVTrans array. Then clear the array itself.
+*/
+int sqlite3VtabCommit(sqlite3 *db){
+  callFinaliser(db, (int)(&((sqlite3_module *)0)->xCommit));
+  return SQLITE_OK;
+}
+
+/*
+** If the virtual table pVtab supports the transaction interface
+** (xBegin/xRollback/xCommit and optionally xSync) and a transaction is
+** not currently open, invoke the xBegin method now.
+**
+** If the xBegin call is successful, place the sqlite3_vtab pointer
+** in the sqlite3.aVTrans array.
+*/
+int sqlite3VtabBegin(sqlite3 *db, sqlite3_vtab *pVtab){
+  int rc = SQLITE_OK;
+  const sqlite3_module *pModule;
+
+  /* Special case: If db->aVTrans is NULL and db->nVTrans is greater
+  ** than zero, then this function is being called from within a
+  ** virtual module xSync() callback. It is illegal to write to 
+  ** virtual module tables in this case, so return SQLITE_LOCKED.
+  */
+  if( 0==db->aVTrans && db->nVTrans>0 ){
+    return SQLITE_LOCKED;
+  }
+  if( !pVtab ){
+    return SQLITE_OK;
+  } 
+  pModule = pVtab->pModule;
+
+  if( pModule->xBegin ){
+    int i;
+
+
+    /* If pVtab is already in the aVTrans array, return early */
+    for(i=0; (i<db->nVTrans) && 0!=db->aVTrans[i]; i++){
+      if( db->aVTrans[i]==pVtab ){
+        return SQLITE_OK;
+      }
+    }
+
+    /* Invoke the xBegin method */
+    rc = pModule->xBegin(pVtab);
+    if( rc!=SQLITE_OK ){
+      return rc;
+    }
+
+    rc = addToVTrans(db, pVtab);
+  }
+  return rc;
+}
+
+/*
+** The first parameter (pDef) is a function implementation.  The
+** second parameter (pExpr) is the first argument to this function.
+** If pExpr is a column in a virtual table, then let the virtual
+** table implementation have an opportunity to overload the function.
+**
+** This routine is used to allow virtual table implementations to
+** overload MATCH, LIKE, GLOB, and REGEXP operators.
+**
+** Return either the pDef argument (indicating no change) or a 
+** new FuncDef structure that is marked as ephemeral using the
+** SQLITE_FUNC_EPHEM flag.
+*/
+FuncDef *sqlite3VtabOverloadFunction(
+  FuncDef *pDef,  /* Function to possibly overload */
+  int nArg,       /* Number of arguments to the function */
+  Expr *pExpr     /* First argument to the function */
+){
+  Table *pTab;
+  sqlite3_vtab *pVtab;
+  sqlite3_module *pMod;
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**);
+  void *pArg;
+  FuncDef *pNew;
+  int rc;
+  char *zLowerName;
+  unsigned char *z;
+
+
+  /* Check to see the left operand is a column in a virtual table */
+  if( pExpr==0 ) return pDef;
+  if( pExpr->op!=TK_COLUMN ) return pDef;
+  pTab = pExpr->pTab;
+  if( pTab==0 ) return pDef;
+  if( !pTab->isVirtual ) return pDef;
+  pVtab = pTab->pVtab;
+  assert( pVtab!=0 );
+  assert( pVtab->pModule!=0 );
+  pMod = (sqlite3_module *)pVtab->pModule;
+  if( pMod->xFindFunction==0 ) return pDef;
+ 
+  /* Call the xFuncFunction method on the virtual table implementation
+  ** to see if the implementation wants to overload this function 
+  */
+  zLowerName = sqlite3StrDup(pDef->zName);
+  for(z=(unsigned char*)zLowerName; *z; z++){
+    *z = sqlite3UpperToLower[*z];
+  }
+  rc = pMod->xFindFunction(pVtab, nArg, zLowerName, &xFunc, &pArg);
+  sqliteFree(zLowerName);
+  if( rc==0 ){
+    return pDef;
+  }
+
+  /* Create a new ephemeral function definition for the overloaded
+  ** function */
+  pNew = sqliteMalloc( sizeof(*pNew) + strlen(pDef->zName) );
+  if( pNew==0 ){
+    return pDef;
+  }
+  *pNew = *pDef;
+  strcpy(pNew->zName, pDef->zName);
+  pNew->xFunc = xFunc;
+  pNew->pUserData = pArg;
+  pNew->flags |= SQLITE_FUNC_EPHEM;
+  return pNew;
+}
+
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/************** End of vtab.c ************************************************/
+/************** Begin file where.c *******************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This module contains C code that generates VDBE code used to process
+** the WHERE clause of SQL statements.  This module is reponsible for
+** generating the code that loops through a table looking for applicable
+** rows.  Indices are selected and used to speed the search when doing
+** so is applicable.  Because this module is responsible for selecting
+** indices, you might also think of this module as the "query optimizer".
+**
+** $Id$
+*/
+
+/*
+** The number of bits in a Bitmask.  "BMS" means "BitMask Size".
+*/
+#define BMS  (sizeof(Bitmask)*8)
+
+/*
+** Trace output macros
+*/
+#if defined(SQLITE_TEST) || defined(SQLITE_DEBUG)
+int sqlite3_where_trace = 0;
+# define WHERETRACE(X)  if(sqlite3_where_trace) sqlite3DebugPrintf X
+#else
+# define WHERETRACE(X)
+#endif
+
+/* Forward reference
+*/
+typedef struct WhereClause WhereClause;
+typedef struct ExprMaskSet ExprMaskSet;
+
+/*
+** The query generator uses an array of instances of this structure to
+** help it analyze the subexpressions of the WHERE clause.  Each WHERE
+** clause subexpression is separated from the others by an AND operator.
+**
+** All WhereTerms are collected into a single WhereClause structure.  
+** The following identity holds:
+**
+**        WhereTerm.pWC->a[WhereTerm.idx] == WhereTerm
+**
+** When a term is of the form:
+**
+**              X <op> <expr>
+**
+** where X is a column name and <op> is one of certain operators,
+** then WhereTerm.leftCursor and WhereTerm.leftColumn record the
+** cursor number and column number for X.  WhereTerm.operator records
+** the <op> using a bitmask encoding defined by WO_xxx below.  The
+** use of a bitmask encoding for the operator allows us to search
+** quickly for terms that match any of several different operators.
+**
+** prereqRight and prereqAll record sets of cursor numbers,
+** but they do so indirectly.  A single ExprMaskSet structure translates
+** cursor number into bits and the translated bit is stored in the prereq
+** fields.  The translation is used in order to maximize the number of
+** bits that will fit in a Bitmask.  The VDBE cursor numbers might be
+** spread out over the non-negative integers.  For example, the cursor
+** numbers might be 3, 8, 9, 10, 20, 23, 41, and 45.  The ExprMaskSet
+** translates these sparse cursor numbers into consecutive integers
+** beginning with 0 in order to make the best possible use of the available
+** bits in the Bitmask.  So, in the example above, the cursor numbers
+** would be mapped into integers 0 through 7.
+*/
+typedef struct WhereTerm WhereTerm;
+struct WhereTerm {
+  Expr *pExpr;            /* Pointer to the subexpression */
+  i16 iParent;            /* Disable pWC->a[iParent] when this term disabled */
+  i16 leftCursor;         /* Cursor number of X in "X <op> <expr>" */
+  i16 leftColumn;         /* Column number of X in "X <op> <expr>" */
+  u16 eOperator;          /* A WO_xx value describing <op> */
+  u8 flags;               /* Bit flags.  See below */
+  u8 nChild;              /* Number of children that must disable us */
+  WhereClause *pWC;       /* The clause this term is part of */
+  Bitmask prereqRight;    /* Bitmask of tables used by pRight */
+  Bitmask prereqAll;      /* Bitmask of tables referenced by p */
+};
+
+/*
+** Allowed values of WhereTerm.flags
+*/
+#define TERM_DYNAMIC    0x01   /* Need to call sqlite3ExprDelete(pExpr) */
+#define TERM_VIRTUAL    0x02   /* Added by the optimizer.  Do not code */
+#define TERM_CODED      0x04   /* This term is already coded */
+#define TERM_COPIED     0x08   /* Has a child */
+#define TERM_OR_OK      0x10   /* Used during OR-clause processing */
+
+/*
+** An instance of the following structure holds all information about a
+** WHERE clause.  Mostly this is a container for one or more WhereTerms.
+*/
+struct WhereClause {
+  Parse *pParse;           /* The parser context */
+  ExprMaskSet *pMaskSet;   /* Mapping of table indices to bitmasks */
+  int nTerm;               /* Number of terms */
+  int nSlot;               /* Number of entries in a[] */
+  WhereTerm *a;            /* Each a[] describes a term of the WHERE cluase */
+  WhereTerm aStatic[10];   /* Initial static space for a[] */
+};
+
+/*
+** An instance of the following structure keeps track of a mapping
+** between VDBE cursor numbers and bits of the bitmasks in WhereTerm.
+**
+** The VDBE cursor numbers are small integers contained in 
+** SrcList_item.iCursor and Expr.iTable fields.  For any given WHERE 
+** clause, the cursor numbers might not begin with 0 and they might
+** contain gaps in the numbering sequence.  But we want to make maximum
+** use of the bits in our bitmasks.  This structure provides a mapping
+** from the sparse cursor numbers into consecutive integers beginning
+** with 0.
+**
+** If ExprMaskSet.ix[A]==B it means that The A-th bit of a Bitmask
+** corresponds VDBE cursor number B.  The A-th bit of a bitmask is 1<<A.
+**
+** For example, if the WHERE clause expression used these VDBE
+** cursors:  4, 5, 8, 29, 57, 73.  Then the  ExprMaskSet structure
+** would map those cursor numbers into bits 0 through 5.
+**
+** Note that the mapping is not necessarily ordered.  In the example
+** above, the mapping might go like this:  4->3, 5->1, 8->2, 29->0,
+** 57->5, 73->4.  Or one of 719 other combinations might be used. It
+** does not really matter.  What is important is that sparse cursor
+** numbers all get mapped into bit numbers that begin with 0 and contain
+** no gaps.
+*/
+struct ExprMaskSet {
+  int n;                        /* Number of assigned cursor values */
+  int ix[sizeof(Bitmask)*8];    /* Cursor assigned to each bit */
+};
+
+
+/*
+** Bitmasks for the operators that indices are able to exploit.  An
+** OR-ed combination of these values can be used when searching for
+** terms in the where clause.
+*/
+#define WO_IN     1
+#define WO_EQ     2
+#define WO_LT     (WO_EQ<<(TK_LT-TK_EQ))
+#define WO_LE     (WO_EQ<<(TK_LE-TK_EQ))
+#define WO_GT     (WO_EQ<<(TK_GT-TK_EQ))
+#define WO_GE     (WO_EQ<<(TK_GE-TK_EQ))
+#define WO_MATCH  64
+#define WO_ISNULL 128
+
+/*
+** Value for flags returned by bestIndex().  
+**
+** The least significant byte is reserved as a mask for WO_ values above.
+** The WhereLevel.flags field is usually set to WO_IN|WO_EQ|WO_ISNULL.
+** But if the table is the right table of a left join, WhereLevel.flags
+** is set to WO_IN|WO_EQ.  The WhereLevel.flags field can then be used as
+** the "op" parameter to findTerm when we are resolving equality constraints.
+** ISNULL constraints will then not be used on the right table of a left
+** join.  Tickets #2177 and #2189.
+*/
+#define WHERE_ROWID_EQ     0x000100   /* rowid=EXPR or rowid IN (...) */
+#define WHERE_ROWID_RANGE  0x000200   /* rowid<EXPR and/or rowid>EXPR */
+#define WHERE_COLUMN_EQ    0x001000   /* x=EXPR or x IN (...) */
+#define WHERE_COLUMN_RANGE 0x002000   /* x<EXPR and/or x>EXPR */
+#define WHERE_COLUMN_IN    0x004000   /* x IN (...) */
+#define WHERE_TOP_LIMIT    0x010000   /* x<EXPR or x<=EXPR constraint */
+#define WHERE_BTM_LIMIT    0x020000   /* x>EXPR or x>=EXPR constraint */
+#define WHERE_IDX_ONLY     0x080000   /* Use index only - omit table */
+#define WHERE_ORDERBY      0x100000   /* Output will appear in correct order */
+#define WHERE_REVERSE      0x200000   /* Scan in reverse order */
+#define WHERE_UNIQUE       0x400000   /* Selects no more than one row */
+#define WHERE_VIRTUALTABLE 0x800000   /* Use virtual-table processing */
+
+/*
+** Initialize a preallocated WhereClause structure.
+*/
+static void whereClauseInit(
+  WhereClause *pWC,        /* The WhereClause to be initialized */
+  Parse *pParse,           /* The parsing context */
+  ExprMaskSet *pMaskSet    /* Mapping from table indices to bitmasks */
+){
+  pWC->pParse = pParse;
+  pWC->pMaskSet = pMaskSet;
+  pWC->nTerm = 0;
+  pWC->nSlot = ArraySize(pWC->aStatic);
+  pWC->a = pWC->aStatic;
+}
+
+/*
+** Deallocate a WhereClause structure.  The WhereClause structure
+** itself is not freed.  This routine is the inverse of whereClauseInit().
+*/
+static void whereClauseClear(WhereClause *pWC){
+  int i;
+  WhereTerm *a;
+  for(i=pWC->nTerm-1, a=pWC->a; i>=0; i--, a++){
+    if( a->flags & TERM_DYNAMIC ){
+      sqlite3ExprDelete(a->pExpr);
+    }
+  }
+  if( pWC->a!=pWC->aStatic ){
+    sqliteFree(pWC->a);
+  }
+}
+
+/*
+** Add a new entries to the WhereClause structure.  Increase the allocated
+** space as necessary.
+**
+** If the flags argument includes TERM_DYNAMIC, then responsibility
+** for freeing the expression p is assumed by the WhereClause object.
+**
+** WARNING:  This routine might reallocate the space used to store
+** WhereTerms.  All pointers to WhereTerms should be invalided after
+** calling this routine.  Such pointers may be reinitialized by referencing
+** the pWC->a[] array.
+*/
+static int whereClauseInsert(WhereClause *pWC, Expr *p, int flags){
+  WhereTerm *pTerm;
+  int idx;
+  if( pWC->nTerm>=pWC->nSlot ){
+    WhereTerm *pOld = pWC->a;
+    pWC->a = sqliteMalloc( sizeof(pWC->a[0])*pWC->nSlot*2 );
+    if( pWC->a==0 ){
+      if( flags & TERM_DYNAMIC ){
+        sqlite3ExprDelete(p);
+      }
+      return 0;
+    }
+    memcpy(pWC->a, pOld, sizeof(pWC->a[0])*pWC->nTerm);
+    if( pOld!=pWC->aStatic ){
+      sqliteFree(pOld);
+    }
+    pWC->nSlot *= 2;
+  }
+  pTerm = &pWC->a[idx = pWC->nTerm];
+  pWC->nTerm++;
+  pTerm->pExpr = p;
+  pTerm->flags = flags;
+  pTerm->pWC = pWC;
+  pTerm->iParent = -1;
+  return idx;
+}
+
+/*
+** This routine identifies subexpressions in the WHERE clause where
+** each subexpression is separated by the AND operator or some other
+** operator specified in the op parameter.  The WhereClause structure
+** is filled with pointers to subexpressions.  For example:
+**
+**    WHERE  a=='hello' AND coalesce(b,11)<10 AND (c+12!=d OR c==22)
+**           \________/     \_______________/     \________________/
+**            slot[0]            slot[1]               slot[2]
+**
+** The original WHERE clause in pExpr is unaltered.  All this routine
+** does is make slot[] entries point to substructure within pExpr.
+**
+** In the previous sentence and in the diagram, "slot[]" refers to
+** the WhereClause.a[] array.  This array grows as needed to contain
+** all terms of the WHERE clause.
+*/
+static void whereSplit(WhereClause *pWC, Expr *pExpr, int op){
+  if( pExpr==0 ) return;
+  if( pExpr->op!=op ){
+    whereClauseInsert(pWC, pExpr, 0);
+  }else{
+    whereSplit(pWC, pExpr->pLeft, op);
+    whereSplit(pWC, pExpr->pRight, op);
+  }
+}
+
+/*
+** Initialize an expression mask set
+*/
+#define initMaskSet(P)  memset(P, 0, sizeof(*P))
+
+/*
+** Return the bitmask for the given cursor number.  Return 0 if
+** iCursor is not in the set.
+*/
+static Bitmask getMask(ExprMaskSet *pMaskSet, int iCursor){
+  int i;
+  for(i=0; i<pMaskSet->n; i++){
+    if( pMaskSet->ix[i]==iCursor ){
+      return ((Bitmask)1)<<i;
+    }
+  }
+  return 0;
+}
+
+/*
+** Create a new mask for cursor iCursor.
+**
+** There is one cursor per table in the FROM clause.  The number of
+** tables in the FROM clause is limited by a test early in the
+** sqlite3WhereBegin() routine.  So we know that the pMaskSet->ix[]
+** array will never overflow.
+*/
+static void createMask(ExprMaskSet *pMaskSet, int iCursor){
+  assert( pMaskSet->n < ArraySize(pMaskSet->ix) );
+  pMaskSet->ix[pMaskSet->n++] = iCursor;
+}
+
+/*
+** This routine walks (recursively) an expression tree and generates
+** a bitmask indicating which tables are used in that expression
+** tree.
+**
+** In order for this routine to work, the calling function must have
+** previously invoked sqlite3ExprResolveNames() on the expression.  See
+** the header comment on that routine for additional information.
+** The sqlite3ExprResolveNames() routines looks for column names and
+** sets their opcodes to TK_COLUMN and their Expr.iTable fields to
+** the VDBE cursor number of the table.  This routine just has to
+** translate the cursor numbers into bitmask values and OR all
+** the bitmasks together.
+*/
+static Bitmask exprListTableUsage(ExprMaskSet*, ExprList*);
+static Bitmask exprSelectTableUsage(ExprMaskSet*, Select*);
+static Bitmask exprTableUsage(ExprMaskSet *pMaskSet, Expr *p){
+  Bitmask mask = 0;
+  if( p==0 ) return 0;
+  if( p->op==TK_COLUMN ){
+    mask = getMask(pMaskSet, p->iTable);
+    return mask;
+  }
+  mask = exprTableUsage(pMaskSet, p->pRight);
+  mask |= exprTableUsage(pMaskSet, p->pLeft);
+  mask |= exprListTableUsage(pMaskSet, p->pList);
+  mask |= exprSelectTableUsage(pMaskSet, p->pSelect);
+  return mask;
+}
+static Bitmask exprListTableUsage(ExprMaskSet *pMaskSet, ExprList *pList){
+  int i;
+  Bitmask mask = 0;
+  if( pList ){
+    for(i=0; i<pList->nExpr; i++){
+      mask |= exprTableUsage(pMaskSet, pList->a[i].pExpr);
+    }
+  }
+  return mask;
+}
+static Bitmask exprSelectTableUsage(ExprMaskSet *pMaskSet, Select *pS){
+  Bitmask mask;
+  if( pS==0 ){
+    mask = 0;
+  }else{
+    mask = exprListTableUsage(pMaskSet, pS->pEList);
+    mask |= exprListTableUsage(pMaskSet, pS->pGroupBy);
+    mask |= exprListTableUsage(pMaskSet, pS->pOrderBy);
+    mask |= exprTableUsage(pMaskSet, pS->pWhere);
+    mask |= exprTableUsage(pMaskSet, pS->pHaving);
+  }
+  return mask;
+}
+
+/*
+** Return TRUE if the given operator is one of the operators that is
+** allowed for an indexable WHERE clause term.  The allowed operators are
+** "=", "<", ">", "<=", ">=", and "IN".
+*/
+static int allowedOp(int op){
+  assert( TK_GT>TK_EQ && TK_GT<TK_GE );
+  assert( TK_LT>TK_EQ && TK_LT<TK_GE );
+  assert( TK_LE>TK_EQ && TK_LE<TK_GE );
+  assert( TK_GE==TK_EQ+4 );
+  return op==TK_IN || (op>=TK_EQ && op<=TK_GE) || op==TK_ISNULL;
+}
+
+/*
+** Swap two objects of type T.
+*/
+#define SWAP(TYPE,A,B) {TYPE t=A; A=B; B=t;}
+
+/*
+** Commute a comparision operator.  Expressions of the form "X op Y"
+** are converted into "Y op X".
+*/
+static void exprCommute(Expr *pExpr){
+  assert( allowedOp(pExpr->op) && pExpr->op!=TK_IN );
+  SWAP(CollSeq*,pExpr->pRight->pColl,pExpr->pLeft->pColl);
+  SWAP(Expr*,pExpr->pRight,pExpr->pLeft);
+  if( pExpr->op>=TK_GT ){
+    assert( TK_LT==TK_GT+2 );
+    assert( TK_GE==TK_LE+2 );
+    assert( TK_GT>TK_EQ );
+    assert( TK_GT<TK_LE );
+    assert( pExpr->op>=TK_GT && pExpr->op<=TK_GE );
+    pExpr->op = ((pExpr->op-TK_GT)^2)+TK_GT;
+  }
+}
+
+/*
+** Translate from TK_xx operator to WO_xx bitmask.
+*/
+static int operatorMask(int op){
+  int c;
+  assert( allowedOp(op) );
+  if( op==TK_IN ){
+    c = WO_IN;
+  }else if( op==TK_ISNULL ){
+    c = WO_ISNULL;
+  }else{
+    c = WO_EQ<<(op-TK_EQ);
+  }
+  assert( op!=TK_ISNULL || c==WO_ISNULL );
+  assert( op!=TK_IN || c==WO_IN );
+  assert( op!=TK_EQ || c==WO_EQ );
+  assert( op!=TK_LT || c==WO_LT );
+  assert( op!=TK_LE || c==WO_LE );
+  assert( op!=TK_GT || c==WO_GT );
+  assert( op!=TK_GE || c==WO_GE );
+  return c;
+}
+
+/*
+** Search for a term in the WHERE clause that is of the form "X <op> <expr>"
+** where X is a reference to the iColumn of table iCur and <op> is one of
+** the WO_xx operator codes specified by the op parameter.
+** Return a pointer to the term.  Return 0 if not found.
+*/
+static WhereTerm *findTerm(
+  WhereClause *pWC,     /* The WHERE clause to be searched */
+  int iCur,             /* Cursor number of LHS */
+  int iColumn,          /* Column number of LHS */
+  Bitmask notReady,     /* RHS must not overlap with this mask */
+  u16 op,               /* Mask of WO_xx values describing operator */
+  Index *pIdx           /* Must be compatible with this index, if not NULL */
+){
+  WhereTerm *pTerm;
+  int k;
+  for(pTerm=pWC->a, k=pWC->nTerm; k; k--, pTerm++){
+    if( pTerm->leftCursor==iCur
+       && (pTerm->prereqRight & notReady)==0
+       && pTerm->leftColumn==iColumn
+       && (pTerm->eOperator & op)!=0
+    ){
+      if( iCur>=0 && pIdx && pTerm->eOperator!=WO_ISNULL ){
+        Expr *pX = pTerm->pExpr;
+        CollSeq *pColl;
+        char idxaff;
+        int j;
+        Parse *pParse = pWC->pParse;
+
+        idxaff = pIdx->pTable->aCol[iColumn].affinity;
+        if( !sqlite3IndexAffinityOk(pX, idxaff) ) continue;
+        pColl = sqlite3ExprCollSeq(pParse, pX->pLeft);
+        if( !pColl ){
+          if( pX->pRight ){
+            pColl = sqlite3ExprCollSeq(pParse, pX->pRight);
+          }
+          if( !pColl ){
+            pColl = pParse->db->pDfltColl;
+          }
+        }
+        for(j=0; j<pIdx->nColumn && pIdx->aiColumn[j]!=iColumn; j++){}
+        assert( j<pIdx->nColumn );
+        if( sqlite3StrICmp(pColl->zName, pIdx->azColl[j]) ) continue;
+      }
+      return pTerm;
+    }
+  }
+  return 0;
+}
+
+/* Forward reference */
+static void exprAnalyze(SrcList*, WhereClause*, int);
+
+/*
+** Call exprAnalyze on all terms in a WHERE clause.  
+**
+**
+*/
+static void exprAnalyzeAll(
+  SrcList *pTabList,       /* the FROM clause */
+  WhereClause *pWC         /* the WHERE clause to be analyzed */
+){
+  int i;
+  for(i=pWC->nTerm-1; i>=0; i--){
+    exprAnalyze(pTabList, pWC, i);
+  }
+}
+
+#ifndef SQLITE_OMIT_LIKE_OPTIMIZATION
+/*
+** Check to see if the given expression is a LIKE or GLOB operator that
+** can be optimized using inequality constraints.  Return TRUE if it is
+** so and false if not.
+**
+** In order for the operator to be optimizible, the RHS must be a string
+** literal that does not begin with a wildcard.  
+*/
+static int isLikeOrGlob(
+  sqlite3 *db,      /* The database */
+  Expr *pExpr,      /* Test this expression */
+  int *pnPattern,   /* Number of non-wildcard prefix characters */
+  int *pisComplete  /* True if the only wildcard is % in the last character */
+){
+  const char *z;
+  Expr *pRight, *pLeft;
+  ExprList *pList;
+  int c, cnt;
+  int noCase;
+  char wc[3];
+  CollSeq *pColl;
+
+  if( !sqlite3IsLikeFunction(db, pExpr, &noCase, wc) ){
+    return 0;
+  }
+  pList = pExpr->pList;
+  pRight = pList->a[0].pExpr;
+  if( pRight->op!=TK_STRING ){
+    return 0;
+  }
+  pLeft = pList->a[1].pExpr;
+  if( pLeft->op!=TK_COLUMN ){
+    return 0;
+  }
+  pColl = pLeft->pColl;
+  if( pColl==0 ){
+    /* TODO: Coverage testing doesn't get this case. Is it actually possible
+    ** for an expression of type TK_COLUMN to not have an assigned collation 
+    ** sequence at this point?
+    */
+    pColl = db->pDfltColl;
+  }
+  if( (pColl->type!=SQLITE_COLL_BINARY || noCase) &&
+      (pColl->type!=SQLITE_COLL_NOCASE || !noCase) ){
+    return 0;
+  }
+  sqlite3DequoteExpr(pRight);
+  z = (char *)pRight->token.z;
+  for(cnt=0; (c=z[cnt])!=0 && c!=wc[0] && c!=wc[1] && c!=wc[2]; cnt++){}
+  if( cnt==0 || 255==(u8)z[cnt] ){
+    return 0;
+  }
+  *pisComplete = z[cnt]==wc[0] && z[cnt+1]==0;
+  *pnPattern = cnt;
+  return 1;
+}
+#endif /* SQLITE_OMIT_LIKE_OPTIMIZATION */
+
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/*
+** Check to see if the given expression is of the form
+**
+**         column MATCH expr
+**
+** If it is then return TRUE.  If not, return FALSE.
+*/
+static int isMatchOfColumn(
+  Expr *pExpr      /* Test this expression */
+){
+  ExprList *pList;
+
+  if( pExpr->op!=TK_FUNCTION ){
+    return 0;
+  }
+  if( pExpr->token.n!=5 ||
+       sqlite3StrNICmp((const char*)pExpr->token.z,"match",5)!=0 ){
+    return 0;
+  }
+  pList = pExpr->pList;
+  if( pList->nExpr!=2 ){
+    return 0;
+  }
+  if( pList->a[1].pExpr->op != TK_COLUMN ){
+    return 0;
+  }
+  return 1;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/*
+** If the pBase expression originated in the ON or USING clause of
+** a join, then transfer the appropriate markings over to derived.
+*/
+static void transferJoinMarkings(Expr *pDerived, Expr *pBase){
+  pDerived->flags |= pBase->flags & EP_FromJoin;
+  pDerived->iRightJoinTable = pBase->iRightJoinTable;
+}
+
+#if !defined(SQLITE_OMIT_OR_OPTIMIZATION) && !defined(SQLITE_OMIT_SUBQUERY)
+/*
+** Return TRUE if the given term of an OR clause can be converted
+** into an IN clause.  The iCursor and iColumn define the left-hand
+** side of the IN clause.
+**
+** The context is that we have multiple OR-connected equality terms
+** like this:
+**
+**           a=<expr1> OR  a=<expr2> OR b=<expr3>  OR ...
+**
+** The pOrTerm input to this routine corresponds to a single term of
+** this OR clause.  In order for the term to be a condidate for
+** conversion to an IN operator, the following must be true:
+**
+**     *  The left-hand side of the term must be the column which
+**        is identified by iCursor and iColumn.
+**
+**     *  If the right-hand side is also a column, then the affinities
+**        of both right and left sides must be such that no type
+**        conversions are required on the right.  (Ticket #2249)
+**
+** If both of these conditions are true, then return true.  Otherwise
+** return false.
+*/
+static int orTermIsOptCandidate(WhereTerm *pOrTerm, int iCursor, int iColumn){
+  int affLeft, affRight;
+  assert( pOrTerm->eOperator==WO_EQ );
+  if( pOrTerm->leftCursor!=iCursor ){
+    return 0;
+  }
+  if( pOrTerm->leftColumn!=iColumn ){
+    return 0;
+  }
+  affRight = sqlite3ExprAffinity(pOrTerm->pExpr->pRight);
+  if( affRight==0 ){
+    return 1;
+  }
+  affLeft = sqlite3ExprAffinity(pOrTerm->pExpr->pLeft);
+  if( affRight!=affLeft ){
+    return 0;
+  }
+  return 1;
+}
+
+/*
+** Return true if the given term of an OR clause can be ignored during
+** a check to make sure all OR terms are candidates for optimization.
+** In other words, return true if a call to the orTermIsOptCandidate()
+** above returned false but it is not necessary to disqualify the
+** optimization.
+**
+** Suppose the original OR phrase was this:
+**
+**           a=4  OR  a=11  OR  a=b
+**
+** During analysis, the third term gets flipped around and duplicate
+** so that we are left with this:
+**
+**           a=4  OR  a=11  OR  a=b  OR  b=a
+**
+** Since the last two terms are duplicates, only one of them
+** has to qualify in order for the whole phrase to qualify.  When
+** this routine is called, we know that pOrTerm did not qualify.
+** This routine merely checks to see if pOrTerm has a duplicate that
+** might qualify.  If there is a duplicate that has not yet been
+** disqualified, then return true.  If there are no duplicates, or
+** the duplicate has also been disqualifed, return false.
+*/
+static int orTermHasOkDuplicate(WhereClause *pOr, WhereTerm *pOrTerm){
+  if( pOrTerm->flags & TERM_COPIED ){
+    /* This is the original term.  The duplicate is to the left had
+    ** has not yet been analyzed and thus has not yet been disqualified. */
+    return 1;
+  }
+  if( (pOrTerm->flags & TERM_VIRTUAL)!=0
+     && (pOr->a[pOrTerm->iParent].flags & TERM_OR_OK)!=0 ){
+    /* This is a duplicate term.  The original qualified so this one
+    ** does not have to. */
+    return 1;
+  }
+  /* This is either a singleton term or else it is a duplicate for
+  ** which the original did not qualify.  Either way we are done for. */
+  return 0;
+}
+#endif /* !SQLITE_OMIT_OR_OPTIMIZATION && !SQLITE_OMIT_SUBQUERY */
+
+/*
+** The input to this routine is an WhereTerm structure with only the
+** "pExpr" field filled in.  The job of this routine is to analyze the
+** subexpression and populate all the other fields of the WhereTerm
+** structure.
+**
+** If the expression is of the form "<expr> <op> X" it gets commuted
+** to the standard form of "X <op> <expr>".  If the expression is of
+** the form "X <op> Y" where both X and Y are columns, then the original
+** expression is unchanged and a new virtual expression of the form
+** "Y <op> X" is added to the WHERE clause and analyzed separately.
+*/
+static void exprAnalyze(
+  SrcList *pSrc,            /* the FROM clause */
+  WhereClause *pWC,         /* the WHERE clause */
+  int idxTerm               /* Index of the term to be analyzed */
+){
+  WhereTerm *pTerm = &pWC->a[idxTerm];
+  ExprMaskSet *pMaskSet = pWC->pMaskSet;
+  Expr *pExpr = pTerm->pExpr;
+  Bitmask prereqLeft;
+  Bitmask prereqAll;
+  int nPattern;
+  int isComplete;
+  int op;
+
+  if( sqlite3MallocFailed() ) return;
+  prereqLeft = exprTableUsage(pMaskSet, pExpr->pLeft);
+  op = pExpr->op;
+  if( op==TK_IN ){
+    assert( pExpr->pRight==0 );
+    pTerm->prereqRight = exprListTableUsage(pMaskSet, pExpr->pList)
+                          | exprSelectTableUsage(pMaskSet, pExpr->pSelect);
+  }else if( op==TK_ISNULL ){
+    pTerm->prereqRight = 0;
+  }else{
+    pTerm->prereqRight = exprTableUsage(pMaskSet, pExpr->pRight);
+  }
+  prereqAll = exprTableUsage(pMaskSet, pExpr);
+  if( ExprHasProperty(pExpr, EP_FromJoin) ){
+    prereqAll |= getMask(pMaskSet, pExpr->iRightJoinTable);
+  }
+  pTerm->prereqAll = prereqAll;
+  pTerm->leftCursor = -1;
+  pTerm->iParent = -1;
+  pTerm->eOperator = 0;
+  if( allowedOp(op) && (pTerm->prereqRight & prereqLeft)==0 ){
+    Expr *pLeft = pExpr->pLeft;
+    Expr *pRight = pExpr->pRight;
+    if( pLeft->op==TK_COLUMN ){
+      pTerm->leftCursor = pLeft->iTable;
+      pTerm->leftColumn = pLeft->iColumn;
+      pTerm->eOperator = operatorMask(op);
+    }
+    if( pRight && pRight->op==TK_COLUMN ){
+      WhereTerm *pNew;
+      Expr *pDup;
+      if( pTerm->leftCursor>=0 ){
+        int idxNew;
+        pDup = sqlite3ExprDup(pExpr);
+        if( sqlite3MallocFailed() ){
+          sqlite3ExprDelete(pDup);
+          return;
+        }
+        idxNew = whereClauseInsert(pWC, pDup, TERM_VIRTUAL|TERM_DYNAMIC);
+        if( idxNew==0 ) return;
+        pNew = &pWC->a[idxNew];
+        pNew->iParent = idxTerm;
+        pTerm = &pWC->a[idxTerm];
+        pTerm->nChild = 1;
+        pTerm->flags |= TERM_COPIED;
+      }else{
+        pDup = pExpr;
+        pNew = pTerm;
+      }
+      exprCommute(pDup);
+      pLeft = pDup->pLeft;
+      pNew->leftCursor = pLeft->iTable;
+      pNew->leftColumn = pLeft->iColumn;
+      pNew->prereqRight = prereqLeft;
+      pNew->prereqAll = prereqAll;
+      pNew->eOperator = operatorMask(pDup->op);
+    }
+  }
+
+#ifndef SQLITE_OMIT_BETWEEN_OPTIMIZATION
+  /* If a term is the BETWEEN operator, create two new virtual terms
+  ** that define the range that the BETWEEN implements.
+  */
+  else if( pExpr->op==TK_BETWEEN ){
+    ExprList *pList = pExpr->pList;
+    int i;
+    static const u8 ops[] = {TK_GE, TK_LE};
+    assert( pList!=0 );
+    assert( pList->nExpr==2 );
+    for(i=0; i<2; i++){
+      Expr *pNewExpr;
+      int idxNew;
+      pNewExpr = sqlite3Expr(ops[i], sqlite3ExprDup(pExpr->pLeft),
+                             sqlite3ExprDup(pList->a[i].pExpr), 0);
+      idxNew = whereClauseInsert(pWC, pNewExpr, TERM_VIRTUAL|TERM_DYNAMIC);
+      exprAnalyze(pSrc, pWC, idxNew);
+      pTerm = &pWC->a[idxTerm];
+      pWC->a[idxNew].iParent = idxTerm;
+    }
+    pTerm->nChild = 2;
+  }
+#endif /* SQLITE_OMIT_BETWEEN_OPTIMIZATION */
+
+#if !defined(SQLITE_OMIT_OR_OPTIMIZATION) && !defined(SQLITE_OMIT_SUBQUERY)
+  /* Attempt to convert OR-connected terms into an IN operator so that
+  ** they can make use of indices.  Example:
+  **
+  **      x = expr1  OR  expr2 = x  OR  x = expr3
+  **
+  ** is converted into
+  **
+  **      x IN (expr1,expr2,expr3)
+  **
+  ** This optimization must be omitted if OMIT_SUBQUERY is defined because
+  ** the compiler for the the IN operator is part of sub-queries.
+  */
+  else if( pExpr->op==TK_OR ){
+    int ok;
+    int i, j;
+    int iColumn, iCursor;
+    WhereClause sOr;
+    WhereTerm *pOrTerm;
+
+    assert( (pTerm->flags & TERM_DYNAMIC)==0 );
+    whereClauseInit(&sOr, pWC->pParse, pMaskSet);
+    whereSplit(&sOr, pExpr, TK_OR);
+    exprAnalyzeAll(pSrc, &sOr);
+    assert( sOr.nTerm>=2 );
+    j = 0;
+    do{
+      assert( j<sOr.nTerm );
+      iColumn = sOr.a[j].leftColumn;
+      iCursor = sOr.a[j].leftCursor;
+      ok = iCursor>=0;
+      for(i=sOr.nTerm-1, pOrTerm=sOr.a; i>=0 && ok; i--, pOrTerm++){
+        if( pOrTerm->eOperator!=WO_EQ ){
+          goto or_not_possible;
+        }
+        if( orTermIsOptCandidate(pOrTerm, iCursor, iColumn) ){
+          pOrTerm->flags |= TERM_OR_OK;
+        }else if( orTermHasOkDuplicate(&sOr, pOrTerm) ){
+          pOrTerm->flags &= ~TERM_OR_OK;
+        }else{
+          ok = 0;
+        }
+      }
+    }while( !ok && (sOr.a[j++].flags & TERM_COPIED)!=0 && j<2 );
+    if( ok ){
+      ExprList *pList = 0;
+      Expr *pNew, *pDup;
+      Expr *pLeft = 0;
+      for(i=sOr.nTerm-1, pOrTerm=sOr.a; i>=0 && ok; i--, pOrTerm++){
+        if( (pOrTerm->flags & TERM_OR_OK)==0 ) continue;
+        pDup = sqlite3ExprDup(pOrTerm->pExpr->pRight);
+        pList = sqlite3ExprListAppend(pList, pDup, 0);
+        pLeft = pOrTerm->pExpr->pLeft;
+      }
+      assert( pLeft!=0 );
+      pDup = sqlite3ExprDup(pLeft);
+      pNew = sqlite3Expr(TK_IN, pDup, 0, 0);
+      if( pNew ){
+        int idxNew;
+        transferJoinMarkings(pNew, pExpr);
+        pNew->pList = pList;
+        idxNew = whereClauseInsert(pWC, pNew, TERM_VIRTUAL|TERM_DYNAMIC);
+        exprAnalyze(pSrc, pWC, idxNew);
+        pTerm = &pWC->a[idxTerm];
+        pWC->a[idxNew].iParent = idxTerm;
+        pTerm->nChild = 1;
+      }else{
+        sqlite3ExprListDelete(pList);
+      }
+    }
+or_not_possible:
+    whereClauseClear(&sOr);
+  }
+#endif /* SQLITE_OMIT_OR_OPTIMIZATION */
+
+#ifndef SQLITE_OMIT_LIKE_OPTIMIZATION
+  /* Add constraints to reduce the search space on a LIKE or GLOB
+  ** operator.
+  */
+  if( isLikeOrGlob(pWC->pParse->db, pExpr, &nPattern, &isComplete) ){
+    Expr *pLeft, *pRight;
+    Expr *pStr1, *pStr2;
+    Expr *pNewExpr1, *pNewExpr2;
+    int idxNew1, idxNew2;
+
+    pLeft = pExpr->pList->a[1].pExpr;
+    pRight = pExpr->pList->a[0].pExpr;
+    pStr1 = sqlite3Expr(TK_STRING, 0, 0, 0);
+    if( pStr1 ){
+      sqlite3TokenCopy(&pStr1->token, &pRight->token);
+      pStr1->token.n = nPattern;
+    }
+    pStr2 = sqlite3ExprDup(pStr1);
+    if( pStr2 ){
+      assert( pStr2->token.dyn );
+      ++*(u8*)&pStr2->token.z[nPattern-1];
+    }
+    pNewExpr1 = sqlite3Expr(TK_GE, sqlite3ExprDup(pLeft), pStr1, 0);
+    idxNew1 = whereClauseInsert(pWC, pNewExpr1, TERM_VIRTUAL|TERM_DYNAMIC);
+    exprAnalyze(pSrc, pWC, idxNew1);
+    pNewExpr2 = sqlite3Expr(TK_LT, sqlite3ExprDup(pLeft), pStr2, 0);
+    idxNew2 = whereClauseInsert(pWC, pNewExpr2, TERM_VIRTUAL|TERM_DYNAMIC);
+    exprAnalyze(pSrc, pWC, idxNew2);
+    pTerm = &pWC->a[idxTerm];
+    if( isComplete ){
+      pWC->a[idxNew1].iParent = idxTerm;
+      pWC->a[idxNew2].iParent = idxTerm;
+      pTerm->nChild = 2;
+    }
+  }
+#endif /* SQLITE_OMIT_LIKE_OPTIMIZATION */
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  /* Add a WO_MATCH auxiliary term to the constraint set if the
+  ** current expression is of the form:  column MATCH expr.
+  ** This information is used by the xBestIndex methods of
+  ** virtual tables.  The native query optimizer does not attempt
+  ** to do anything with MATCH functions.
+  */
+  if( isMatchOfColumn(pExpr) ){
+    int idxNew;
+    Expr *pRight, *pLeft;
+    WhereTerm *pNewTerm;
+    Bitmask prereqColumn, prereqExpr;
+
+    pRight = pExpr->pList->a[0].pExpr;
+    pLeft = pExpr->pList->a[1].pExpr;
+    prereqExpr = exprTableUsage(pMaskSet, pRight);
+    prereqColumn = exprTableUsage(pMaskSet, pLeft);
+    if( (prereqExpr & prereqColumn)==0 ){
+      Expr *pNewExpr;
+      pNewExpr = sqlite3Expr(TK_MATCH, 0, sqlite3ExprDup(pRight), 0);
+      idxNew = whereClauseInsert(pWC, pNewExpr, TERM_VIRTUAL|TERM_DYNAMIC);
+      pNewTerm = &pWC->a[idxNew];
+      pNewTerm->prereqRight = prereqExpr;
+      pNewTerm->leftCursor = pLeft->iTable;
+      pNewTerm->leftColumn = pLeft->iColumn;
+      pNewTerm->eOperator = WO_MATCH;
+      pNewTerm->iParent = idxTerm;
+      pTerm = &pWC->a[idxTerm];
+      pTerm->nChild = 1;
+      pTerm->flags |= TERM_COPIED;
+      pNewTerm->prereqAll = pTerm->prereqAll;
+    }
+  }
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+}
+
+/*
+** Return TRUE if any of the expressions in pList->a[iFirst...] contain
+** a reference to any table other than the iBase table.
+*/
+static int referencesOtherTables(
+  ExprList *pList,          /* Search expressions in ths list */
+  ExprMaskSet *pMaskSet,    /* Mapping from tables to bitmaps */
+  int iFirst,               /* Be searching with the iFirst-th expression */
+  int iBase                 /* Ignore references to this table */
+){
+  Bitmask allowed = ~getMask(pMaskSet, iBase);
+  while( iFirst<pList->nExpr ){
+    if( (exprTableUsage(pMaskSet, pList->a[iFirst++].pExpr)&allowed)!=0 ){
+      return 1;
+    }
+  }
+  return 0;
+}
+
+
+/*
+** This routine decides if pIdx can be used to satisfy the ORDER BY
+** clause.  If it can, it returns 1.  If pIdx cannot satisfy the
+** ORDER BY clause, this routine returns 0.
+**
+** pOrderBy is an ORDER BY clause from a SELECT statement.  pTab is the
+** left-most table in the FROM clause of that same SELECT statement and
+** the table has a cursor number of "base".  pIdx is an index on pTab.
+**
+** nEqCol is the number of columns of pIdx that are used as equality
+** constraints.  Any of these columns may be missing from the ORDER BY
+** clause and the match can still be a success.
+**
+** All terms of the ORDER BY that match against the index must be either
+** ASC or DESC.  (Terms of the ORDER BY clause past the end of a UNIQUE
+** index do not need to satisfy this constraint.)  The *pbRev value is
+** set to 1 if the ORDER BY clause is all DESC and it is set to 0 if
+** the ORDER BY clause is all ASC.
+*/
+static int isSortingIndex(
+  Parse *pParse,          /* Parsing context */
+  ExprMaskSet *pMaskSet,  /* Mapping from table indices to bitmaps */
+  Index *pIdx,            /* The index we are testing */
+  int base,               /* Cursor number for the table to be sorted */
+  ExprList *pOrderBy,     /* The ORDER BY clause */
+  int nEqCol,             /* Number of index columns with == constraints */
+  int *pbRev              /* Set to 1 if ORDER BY is DESC */
+){
+  int i, j;                       /* Loop counters */
+  int sortOrder = 0;              /* XOR of index and ORDER BY sort direction */
+  int nTerm;                      /* Number of ORDER BY terms */
+  struct ExprList_item *pTerm;    /* A term of the ORDER BY clause */
+  sqlite3 *db = pParse->db;
+
+  assert( pOrderBy!=0 );
+  nTerm = pOrderBy->nExpr;
+  assert( nTerm>0 );
+
+  /* Match terms of the ORDER BY clause against columns of
+  ** the index.
+  **
+  ** Note that indices have pIdx->nColumn regular columns plus
+  ** one additional column containing the rowid.  The rowid column
+  ** of the index is also allowed to match against the ORDER BY
+  ** clause.
+  */
+  for(i=j=0, pTerm=pOrderBy->a; j<nTerm && i<=pIdx->nColumn; i++){
+    Expr *pExpr;       /* The expression of the ORDER BY pTerm */
+    CollSeq *pColl;    /* The collating sequence of pExpr */
+    int termSortOrder; /* Sort order for this term */
+    int iColumn;       /* The i-th column of the index.  -1 for rowid */
+    int iSortOrder;    /* 1 for DESC, 0 for ASC on the i-th index term */
+    const char *zColl; /* Name of the collating sequence for i-th index term */
+
+    pExpr = pTerm->pExpr;
+    if( pExpr->op!=TK_COLUMN || pExpr->iTable!=base ){
+      /* Can not use an index sort on anything that is not a column in the
+      ** left-most table of the FROM clause */
+      break;
+    }
+    pColl = sqlite3ExprCollSeq(pParse, pExpr);
+    if( !pColl ){
+      pColl = db->pDfltColl;
+    }
+    if( i<pIdx->nColumn ){
+      iColumn = pIdx->aiColumn[i];
+      if( iColumn==pIdx->pTable->iPKey ){
+        iColumn = -1;
+      }
+      iSortOrder = pIdx->aSortOrder[i];
+      zColl = pIdx->azColl[i];
+    }else{
+      iColumn = -1;
+      iSortOrder = 0;
+      zColl = pColl->zName;
+    }
+    if( pExpr->iColumn!=iColumn || sqlite3StrICmp(pColl->zName, zColl) ){
+      /* Term j of the ORDER BY clause does not match column i of the index */
+      if( i<nEqCol ){
+        /* If an index column that is constrained by == fails to match an
+        ** ORDER BY term, that is OK.  Just ignore that column of the index
+        */
+        continue;
+      }else{
+        /* If an index column fails to match and is not constrained by ==
+        ** then the index cannot satisfy the ORDER BY constraint.
+        */
+        return 0;
+      }
+    }
+    assert( pIdx->aSortOrder!=0 );
+    assert( pTerm->sortOrder==0 || pTerm->sortOrder==1 );
+    assert( iSortOrder==0 || iSortOrder==1 );
+    termSortOrder = iSortOrder ^ pTerm->sortOrder;
+    if( i>nEqCol ){
+      if( termSortOrder!=sortOrder ){
+        /* Indices can only be used if all ORDER BY terms past the
+        ** equality constraints are all either DESC or ASC. */
+        return 0;
+      }
+    }else{
+      sortOrder = termSortOrder;
+    }
+    j++;
+    pTerm++;
+    if( iColumn<0 && !referencesOtherTables(pOrderBy, pMaskSet, j, base) ){
+      /* If the indexed column is the primary key and everything matches
+      ** so far and none of the ORDER BY terms to the right reference other
+      ** tables in the join, then we are assured that the index can be used 
+      ** to sort because the primary key is unique and so none of the other
+      ** columns will make any difference
+      */
+      j = nTerm;
+    }
+  }
+
+  *pbRev = sortOrder!=0;
+  if( j>=nTerm ){
+    /* All terms of the ORDER BY clause are covered by this index so
+    ** this index can be used for sorting. */
+    return 1;
+  }
+  if( pIdx->onError!=OE_None && i==pIdx->nColumn
+      && !referencesOtherTables(pOrderBy, pMaskSet, j, base) ){
+    /* All terms of this index match some prefix of the ORDER BY clause
+    ** and the index is UNIQUE and no terms on the tail of the ORDER BY
+    ** clause reference other tables in a join.  If this is all true then
+    ** the order by clause is superfluous. */
+    return 1;
+  }
+  return 0;
+}
+
+/*
+** Check table to see if the ORDER BY clause in pOrderBy can be satisfied
+** by sorting in order of ROWID.  Return true if so and set *pbRev to be
+** true for reverse ROWID and false for forward ROWID order.
+*/
+static int sortableByRowid(
+  int base,               /* Cursor number for table to be sorted */
+  ExprList *pOrderBy,     /* The ORDER BY clause */
+  ExprMaskSet *pMaskSet,  /* Mapping from tables to bitmaps */
+  int *pbRev              /* Set to 1 if ORDER BY is DESC */
+){
+  Expr *p;
+
+  assert( pOrderBy!=0 );
+  assert( pOrderBy->nExpr>0 );
+  p = pOrderBy->a[0].pExpr;
+  if( p->op==TK_COLUMN && p->iTable==base && p->iColumn==-1
+    && !referencesOtherTables(pOrderBy, pMaskSet, 1, base) ){
+    *pbRev = pOrderBy->a[0].sortOrder;
+    return 1;
+  }
+  return 0;
+}
+
+/*
+** Prepare a crude estimate of the logarithm of the input value.
+** The results need not be exact.  This is only used for estimating
+** the total cost of performing operatings with O(logN) or O(NlogN)
+** complexity.  Because N is just a guess, it is no great tragedy if
+** logN is a little off.
+*/
+static double estLog(double N){
+  double logN = 1;
+  double x = 10;
+  while( N>x ){
+    logN += 1;
+    x *= 10;
+  }
+  return logN;
+}
+
+/*
+** Two routines for printing the content of an sqlite3_index_info
+** structure.  Used for testing and debugging only.  If neither
+** SQLITE_TEST or SQLITE_DEBUG are defined, then these routines
+** are no-ops.
+*/
+#if !defined(SQLITE_OMIT_VIRTUALTABLE) && defined(SQLITE_DEBUG)
+static void TRACE_IDX_INPUTS(sqlite3_index_info *p){
+  int i;
+  if( !sqlite3_where_trace ) return;
+  for(i=0; i<p->nConstraint; i++){
+    sqlite3DebugPrintf("  constraint[%d]: col=%d termid=%d op=%d usabled=%d\n",
+       i,
+       p->aConstraint[i].iColumn,
+       p->aConstraint[i].iTermOffset,
+       p->aConstraint[i].op,
+       p->aConstraint[i].usable);
+  }
+  for(i=0; i<p->nOrderBy; i++){
+    sqlite3DebugPrintf("  orderby[%d]: col=%d desc=%d\n",
+       i,
+       p->aOrderBy[i].iColumn,
+       p->aOrderBy[i].desc);
+  }
+}
+static void TRACE_IDX_OUTPUTS(sqlite3_index_info *p){
+  int i;
+  if( !sqlite3_where_trace ) return;
+  for(i=0; i<p->nConstraint; i++){
+    sqlite3DebugPrintf("  usage[%d]: argvIdx=%d omit=%d\n",
+       i,
+       p->aConstraintUsage[i].argvIndex,
+       p->aConstraintUsage[i].omit);
+  }
+  sqlite3DebugPrintf("  idxNum=%d\n", p->idxNum);
+  sqlite3DebugPrintf("  idxStr=%s\n", p->idxStr);
+  sqlite3DebugPrintf("  orderByConsumed=%d\n", p->orderByConsumed);
+  sqlite3DebugPrintf("  estimatedCost=%g\n", p->estimatedCost);
+}
+#else
+#define TRACE_IDX_INPUTS(A)
+#define TRACE_IDX_OUTPUTS(A)
+#endif
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+/*
+** Compute the best index for a virtual table.
+**
+** The best index is computed by the xBestIndex method of the virtual
+** table module.  This routine is really just a wrapper that sets up
+** the sqlite3_index_info structure that is used to communicate with
+** xBestIndex.
+**
+** In a join, this routine might be called multiple times for the
+** same virtual table.  The sqlite3_index_info structure is created
+** and initialized on the first invocation and reused on all subsequent
+** invocations.  The sqlite3_index_info structure is also used when
+** code is generated to access the virtual table.  The whereInfoDelete() 
+** routine takes care of freeing the sqlite3_index_info structure after
+** everybody has finished with it.
+*/
+static double bestVirtualIndex(
+  Parse *pParse,                 /* The parsing context */
+  WhereClause *pWC,              /* The WHERE clause */
+  struct SrcList_item *pSrc,     /* The FROM clause term to search */
+  Bitmask notReady,              /* Mask of cursors that are not available */
+  ExprList *pOrderBy,            /* The order by clause */
+  int orderByUsable,             /* True if we can potential sort */
+  sqlite3_index_info **ppIdxInfo /* Index information passed to xBestIndex */
+){
+  Table *pTab = pSrc->pTab;
+  sqlite3_index_info *pIdxInfo;
+  struct sqlite3_index_constraint *pIdxCons;
+  struct sqlite3_index_orderby *pIdxOrderBy;
+  struct sqlite3_index_constraint_usage *pUsage;
+  WhereTerm *pTerm;
+  int i, j;
+  int nOrderBy;
+  int rc;
+
+  /* If the sqlite3_index_info structure has not been previously
+  ** allocated and initialized for this virtual table, then allocate
+  ** and initialize it now
+  */
+  pIdxInfo = *ppIdxInfo;
+  if( pIdxInfo==0 ){
+    WhereTerm *pTerm;
+    int nTerm;
+    WHERETRACE(("Recomputing index info for %s...\n", pTab->zName));
+
+    /* Count the number of possible WHERE clause constraints referring
+    ** to this virtual table */
+    for(i=nTerm=0, pTerm=pWC->a; i<pWC->nTerm; i++, pTerm++){
+      if( pTerm->leftCursor != pSrc->iCursor ) continue;
+      if( pTerm->eOperator==WO_IN ) continue;
+      nTerm++;
+    }
+
+    /* If the ORDER BY clause contains only columns in the current 
+    ** virtual table then allocate space for the aOrderBy part of
+    ** the sqlite3_index_info structure.
+    */
+    nOrderBy = 0;
+    if( pOrderBy ){
+      for(i=0; i<pOrderBy->nExpr; i++){
+        Expr *pExpr = pOrderBy->a[i].pExpr;
+        if( pExpr->op!=TK_COLUMN || pExpr->iTable!=pSrc->iCursor ) break;
+      }
+      if( i==pOrderBy->nExpr ){
+        nOrderBy = pOrderBy->nExpr;
+      }
+    }
+
+    /* Allocate the sqlite3_index_info structure
+    */
+    pIdxInfo = sqliteMalloc( sizeof(*pIdxInfo)
+                             + (sizeof(*pIdxCons) + sizeof(*pUsage))*nTerm
+                             + sizeof(*pIdxOrderBy)*nOrderBy );
+    if( pIdxInfo==0 ){
+      sqlite3ErrorMsg(pParse, "out of memory");
+      return 0.0;
+    }
+    *ppIdxInfo = pIdxInfo;
+
+    /* Initialize the structure.  The sqlite3_index_info structure contains
+    ** many fields that are declared "const" to prevent xBestIndex from
+    ** changing them.  We have to do some funky casting in order to
+    ** initialize those fields.
+    */
+    pIdxCons = (struct sqlite3_index_constraint*)&pIdxInfo[1];
+    pIdxOrderBy = (struct sqlite3_index_orderby*)&pIdxCons[nTerm];
+    pUsage = (struct sqlite3_index_constraint_usage*)&pIdxOrderBy[nOrderBy];
+    *(int*)&pIdxInfo->nConstraint = nTerm;
+    *(int*)&pIdxInfo->nOrderBy = nOrderBy;
+    *(struct sqlite3_index_constraint**)&pIdxInfo->aConstraint = pIdxCons;
+    *(struct sqlite3_index_orderby**)&pIdxInfo->aOrderBy = pIdxOrderBy;
+    *(struct sqlite3_index_constraint_usage**)&pIdxInfo->aConstraintUsage =
+                                                                     pUsage;
+
+    for(i=j=0, pTerm=pWC->a; i<pWC->nTerm; i++, pTerm++){
+      if( pTerm->leftCursor != pSrc->iCursor ) continue;
+      if( pTerm->eOperator==WO_IN ) continue;
+      pIdxCons[j].iColumn = pTerm->leftColumn;
+      pIdxCons[j].iTermOffset = i;
+      pIdxCons[j].op = pTerm->eOperator;
+      /* The direct assignment in the previous line is possible only because
+      ** the WO_ and SQLITE_INDEX_CONSTRAINT_ codes are identical.  The
+      ** following asserts verify this fact. */
+      assert( WO_EQ==SQLITE_INDEX_CONSTRAINT_EQ );
+      assert( WO_LT==SQLITE_INDEX_CONSTRAINT_LT );
+      assert( WO_LE==SQLITE_INDEX_CONSTRAINT_LE );
+      assert( WO_GT==SQLITE_INDEX_CONSTRAINT_GT );
+      assert( WO_GE==SQLITE_INDEX_CONSTRAINT_GE );
+      assert( WO_MATCH==SQLITE_INDEX_CONSTRAINT_MATCH );
+      assert( pTerm->eOperator & (WO_EQ|WO_LT|WO_LE|WO_GT|WO_GE|WO_MATCH) );
+      j++;
+    }
+    for(i=0; i<nOrderBy; i++){
+      Expr *pExpr = pOrderBy->a[i].pExpr;
+      pIdxOrderBy[i].iColumn = pExpr->iColumn;
+      pIdxOrderBy[i].desc = pOrderBy->a[i].sortOrder;
+    }
+  }
+
+  /* At this point, the sqlite3_index_info structure that pIdxInfo points
+  ** to will have been initialized, either during the current invocation or
+  ** during some prior invocation.  Now we just have to customize the
+  ** details of pIdxInfo for the current invocation and pass it to
+  ** xBestIndex.
+  */
+
+  /* The module name must be defined. Also, by this point there must
+  ** be a pointer to an sqlite3_vtab structure. Otherwise
+  ** sqlite3ViewGetColumnNames() would have picked up the error. 
+  */
+  assert( pTab->azModuleArg && pTab->azModuleArg[0] );
+  assert( pTab->pVtab );
+#if 0
+  if( pTab->pVtab==0 ){
+    sqlite3ErrorMsg(pParse, "undefined module %s for table %s",
+        pTab->azModuleArg[0], pTab->zName);
+    return 0.0;
+  }
+#endif
+
+  /* Set the aConstraint[].usable fields and initialize all 
+  ** output variables to zero.
+  **
+  ** aConstraint[].usable is true for constraints where the right-hand
+  ** side contains only references to tables to the left of the current
+  ** table.  In other words, if the constraint is of the form:
+  **
+  **           column = expr
+  **
+  ** and we are evaluating a join, then the constraint on column is 
+  ** only valid if all tables referenced in expr occur to the left
+  ** of the table containing column.
+  **
+  ** The aConstraints[] array contains entries for all constraints
+  ** on the current table.  That way we only have to compute it once
+  ** even though we might try to pick the best index multiple times.
+  ** For each attempt at picking an index, the order of tables in the
+  ** join might be different so we have to recompute the usable flag
+  ** each time.
+  */
+  pIdxCons = *(struct sqlite3_index_constraint**)&pIdxInfo->aConstraint;
+  pUsage = pIdxInfo->aConstraintUsage;
+  for(i=0; i<pIdxInfo->nConstraint; i++, pIdxCons++){
+    j = pIdxCons->iTermOffset;
+    pTerm = &pWC->a[j];
+    pIdxCons->usable =  (pTerm->prereqRight & notReady)==0;
+  }
+  memset(pUsage, 0, sizeof(pUsage[0])*pIdxInfo->nConstraint);
+  if( pIdxInfo->needToFreeIdxStr ){
+    sqlite3_free(pIdxInfo->idxStr);
+  }
+  pIdxInfo->idxStr = 0;
+  pIdxInfo->idxNum = 0;
+  pIdxInfo->needToFreeIdxStr = 0;
+  pIdxInfo->orderByConsumed = 0;
+  pIdxInfo->estimatedCost = SQLITE_BIG_DBL / 2.0;
+  nOrderBy = pIdxInfo->nOrderBy;
+  if( pIdxInfo->nOrderBy && !orderByUsable ){
+    *(int*)&pIdxInfo->nOrderBy = 0;
+  }
+
+  sqlite3SafetyOff(pParse->db);
+  WHERETRACE(("xBestIndex for %s\n", pTab->zName));
+  TRACE_IDX_INPUTS(pIdxInfo);
+  rc = pTab->pVtab->pModule->xBestIndex(pTab->pVtab, pIdxInfo);
+  TRACE_IDX_OUTPUTS(pIdxInfo);
+  if( rc!=SQLITE_OK ){
+    if( rc==SQLITE_NOMEM ){
+      sqlite3FailedMalloc();
+    }else {
+      sqlite3ErrorMsg(pParse, "%s", sqlite3ErrStr(rc));
+    }
+    sqlite3SafetyOn(pParse->db);
+  }else{
+    rc = sqlite3SafetyOn(pParse->db);
+  }
+  *(int*)&pIdxInfo->nOrderBy = nOrderBy;
+
+  return pIdxInfo->estimatedCost;
+}
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+/*
+** Find the best index for accessing a particular table.  Return a pointer
+** to the index, flags that describe how the index should be used, the
+** number of equality constraints, and the "cost" for this index.
+**
+** The lowest cost index wins.  The cost is an estimate of the amount of
+** CPU and disk I/O need to process the request using the selected index.
+** Factors that influence cost include:
+**
+**    *  The estimated number of rows that will be retrieved.  (The
+**       fewer the better.)
+**
+**    *  Whether or not sorting must occur.
+**
+**    *  Whether or not there must be separate lookups in the
+**       index and in the main table.
+**
+*/
+static double bestIndex(
+  Parse *pParse,              /* The parsing context */
+  WhereClause *pWC,           /* The WHERE clause */
+  struct SrcList_item *pSrc,  /* The FROM clause term to search */
+  Bitmask notReady,           /* Mask of cursors that are not available */
+  ExprList *pOrderBy,         /* The order by clause */
+  Index **ppIndex,            /* Make *ppIndex point to the best index */
+  int *pFlags,                /* Put flags describing this choice in *pFlags */
+  int *pnEq                   /* Put the number of == or IN constraints here */
+){
+  WhereTerm *pTerm;
+  Index *bestIdx = 0;         /* Index that gives the lowest cost */
+  double lowestCost;          /* The cost of using bestIdx */
+  int bestFlags = 0;          /* Flags associated with bestIdx */
+  int bestNEq = 0;            /* Best value for nEq */
+  int iCur = pSrc->iCursor;   /* The cursor of the table to be accessed */
+  Index *pProbe;              /* An index we are evaluating */
+  int rev;                    /* True to scan in reverse order */
+  int flags;                  /* Flags associated with pProbe */
+  int nEq;                    /* Number of == or IN constraints */
+  int eqTermMask;             /* Mask of valid equality operators */
+  double cost;                /* Cost of using pProbe */
+
+  WHERETRACE(("bestIndex: tbl=%s notReady=%x\n", pSrc->pTab->zName, notReady));
+  lowestCost = SQLITE_BIG_DBL;
+  pProbe = pSrc->pTab->pIndex;
+
+  /* If the table has no indices and there are no terms in the where
+  ** clause that refer to the ROWID, then we will never be able to do
+  ** anything other than a full table scan on this table.  We might as
+  ** well put it first in the join order.  That way, perhaps it can be
+  ** referenced by other tables in the join.
+  */
+  if( pProbe==0 &&
+     findTerm(pWC, iCur, -1, 0, WO_EQ|WO_IN|WO_LT|WO_LE|WO_GT|WO_GE,0)==0 &&
+     (pOrderBy==0 || !sortableByRowid(iCur, pOrderBy, pWC->pMaskSet, &rev)) ){
+    *pFlags = 0;
+    *ppIndex = 0;
+    *pnEq = 0;
+    return 0.0;
+  }
+
+  /* Check for a rowid=EXPR or rowid IN (...) constraints
+  */
+  pTerm = findTerm(pWC, iCur, -1, notReady, WO_EQ|WO_IN, 0);
+  if( pTerm ){
+    Expr *pExpr;
+    *ppIndex = 0;
+    bestFlags = WHERE_ROWID_EQ;
+    if( pTerm->eOperator & WO_EQ ){
+      /* Rowid== is always the best pick.  Look no further.  Because only
+      ** a single row is generated, output is always in sorted order */
+      *pFlags = WHERE_ROWID_EQ | WHERE_UNIQUE;
+      *pnEq = 1;
+      WHERETRACE(("... best is rowid\n"));
+      return 0.0;
+    }else if( (pExpr = pTerm->pExpr)->pList!=0 ){
+      /* Rowid IN (LIST): cost is NlogN where N is the number of list
+      ** elements.  */
+      lowestCost = pExpr->pList->nExpr;
+      lowestCost *= estLog(lowestCost);
+    }else{
+      /* Rowid IN (SELECT): cost is NlogN where N is the number of rows
+      ** in the result of the inner select.  We have no way to estimate
+      ** that value so make a wild guess. */
+      lowestCost = 200;
+    }
+    WHERETRACE(("... rowid IN cost: %.9g\n", lowestCost));
+  }
+
+  /* Estimate the cost of a table scan.  If we do not know how many
+  ** entries are in the table, use 1 million as a guess.
+  */
+  cost = pProbe ? pProbe->aiRowEst[0] : 1000000;
+  WHERETRACE(("... table scan base cost: %.9g\n", cost));
+  flags = WHERE_ROWID_RANGE;
+
+  /* Check for constraints on a range of rowids in a table scan.
+  */
+  pTerm = findTerm(pWC, iCur, -1, notReady, WO_LT|WO_LE|WO_GT|WO_GE, 0);
+  if( pTerm ){
+    if( findTerm(pWC, iCur, -1, notReady, WO_LT|WO_LE, 0) ){
+      flags |= WHERE_TOP_LIMIT;
+      cost /= 3;  /* Guess that rowid<EXPR eliminates two-thirds or rows */
+    }
+    if( findTerm(pWC, iCur, -1, notReady, WO_GT|WO_GE, 0) ){
+      flags |= WHERE_BTM_LIMIT;
+      cost /= 3;  /* Guess that rowid>EXPR eliminates two-thirds of rows */
+    }
+    WHERETRACE(("... rowid range reduces cost to %.9g\n", cost));
+  }else{
+    flags = 0;
+  }
+
+  /* If the table scan does not satisfy the ORDER BY clause, increase
+  ** the cost by NlogN to cover the expense of sorting. */
+  if( pOrderBy ){
+    if( sortableByRowid(iCur, pOrderBy, pWC->pMaskSet, &rev) ){
+      flags |= WHERE_ORDERBY|WHERE_ROWID_RANGE;
+      if( rev ){
+        flags |= WHERE_REVERSE;
+      }
+    }else{
+      cost += cost*estLog(cost);
+      WHERETRACE(("... sorting increases cost to %.9g\n", cost));
+    }
+  }
+  if( cost<lowestCost ){
+    lowestCost = cost;
+    bestFlags = flags;
+  }
+
+  /* If the pSrc table is the right table of a LEFT JOIN then we may not
+  ** use an index to satisfy IS NULL constraints on that table.  This is
+  ** because columns might end up being NULL if the table does not match -
+  ** a circumstance which the index cannot help us discover.  Ticket #2177.
+  */
+  if( (pSrc->jointype & JT_LEFT)!=0 ){
+    eqTermMask = WO_EQ|WO_IN;
+  }else{
+    eqTermMask = WO_EQ|WO_IN|WO_ISNULL;
+  }
+
+  /* Look at each index.
+  */
+  for(; pProbe; pProbe=pProbe->pNext){
+    int i;                       /* Loop counter */
+    double inMultiplier = 1;
+
+    WHERETRACE(("... index %s:\n", pProbe->zName));
+
+    /* Count the number of columns in the index that are satisfied
+    ** by x=EXPR constraints or x IN (...) constraints.
+    */
+    flags = 0;
+    for(i=0; i<pProbe->nColumn; i++){
+      int j = pProbe->aiColumn[i];
+      pTerm = findTerm(pWC, iCur, j, notReady, eqTermMask, pProbe);
+      if( pTerm==0 ) break;
+      flags |= WHERE_COLUMN_EQ;
+      if( pTerm->eOperator & WO_IN ){
+        Expr *pExpr = pTerm->pExpr;
+        flags |= WHERE_COLUMN_IN;
+        if( pExpr->pSelect!=0 ){
+          inMultiplier *= 25;
+        }else if( pExpr->pList!=0 ){
+          inMultiplier *= pExpr->pList->nExpr + 1;
+        }
+      }
+    }
+    cost = pProbe->aiRowEst[i] * inMultiplier * estLog(inMultiplier);
+    nEq = i;
+    if( pProbe->onError!=OE_None && (flags & WHERE_COLUMN_IN)==0
+         && nEq==pProbe->nColumn ){
+      flags |= WHERE_UNIQUE;
+    }
+    WHERETRACE(("...... nEq=%d inMult=%.9g cost=%.9g\n", nEq, inMultiplier, cost));
+
+    /* Look for range constraints
+    */
+    if( nEq<pProbe->nColumn ){
+      int j = pProbe->aiColumn[nEq];
+      pTerm = findTerm(pWC, iCur, j, notReady, WO_LT|WO_LE|WO_GT|WO_GE, pProbe);
+      if( pTerm ){
+        flags |= WHERE_COLUMN_RANGE;
+        if( findTerm(pWC, iCur, j, notReady, WO_LT|WO_LE, pProbe) ){
+          flags |= WHERE_TOP_LIMIT;
+          cost /= 3;
+        }
+        if( findTerm(pWC, iCur, j, notReady, WO_GT|WO_GE, pProbe) ){
+          flags |= WHERE_BTM_LIMIT;
+          cost /= 3;
+        }
+        WHERETRACE(("...... range reduces cost to %.9g\n", cost));
+      }
+    }
+
+    /* Add the additional cost of sorting if that is a factor.
+    */
+    if( pOrderBy ){
+      if( (flags & WHERE_COLUMN_IN)==0 &&
+           isSortingIndex(pParse,pWC->pMaskSet,pProbe,iCur,pOrderBy,nEq,&rev) ){
+        if( flags==0 ){
+          flags = WHERE_COLUMN_RANGE;
+        }
+        flags |= WHERE_ORDERBY;
+        if( rev ){
+          flags |= WHERE_REVERSE;
+        }
+      }else{
+        cost += cost*estLog(cost);
+        WHERETRACE(("...... orderby increases cost to %.9g\n", cost));
+      }
+    }
+
+    /* Check to see if we can get away with using just the index without
+    ** ever reading the table.  If that is the case, then halve the
+    ** cost of this index.
+    */
+    if( flags && pSrc->colUsed < (((Bitmask)1)<<(BMS-1)) ){
+      Bitmask m = pSrc->colUsed;
+      int j;
+      for(j=0; j<pProbe->nColumn; j++){
+        int x = pProbe->aiColumn[j];
+        if( x<BMS-1 ){
+          m &= ~(((Bitmask)1)<<x);
+        }
+      }
+      if( m==0 ){
+        flags |= WHERE_IDX_ONLY;
+        cost /= 2;
+        WHERETRACE(("...... idx-only reduces cost to %.9g\n", cost));
+      }
+    }
+
+    /* If this index has achieved the lowest cost so far, then use it.
+    */
+    if( cost < lowestCost ){
+      bestIdx = pProbe;
+      lowestCost = cost;
+      assert( flags!=0 );
+      bestFlags = flags;
+      bestNEq = nEq;
+    }
+  }
+
+  /* Report the best result
+  */
+  *ppIndex = bestIdx;
+  WHERETRACE(("best index is %s, cost=%.9g, flags=%x, nEq=%d\n",
+        bestIdx ? bestIdx->zName : "(none)", lowestCost, bestFlags, bestNEq));
+  *pFlags = bestFlags | eqTermMask;
+  *pnEq = bestNEq;
+  return lowestCost;
+}
+
+
+/*
+** Disable a term in the WHERE clause.  Except, do not disable the term
+** if it controls a LEFT OUTER JOIN and it did not originate in the ON
+** or USING clause of that join.
+**
+** Consider the term t2.z='ok' in the following queries:
+**
+**   (1)  SELECT * FROM t1 LEFT JOIN t2 ON t1.a=t2.x WHERE t2.z='ok'
+**   (2)  SELECT * FROM t1 LEFT JOIN t2 ON t1.a=t2.x AND t2.z='ok'
+**   (3)  SELECT * FROM t1, t2 WHERE t1.a=t2.x AND t2.z='ok'
+**
+** The t2.z='ok' is disabled in the in (2) because it originates
+** in the ON clause.  The term is disabled in (3) because it is not part
+** of a LEFT OUTER JOIN.  In (1), the term is not disabled.
+**
+** Disabling a term causes that term to not be tested in the inner loop
+** of the join.  Disabling is an optimization.  When terms are satisfied
+** by indices, we disable them to prevent redundant tests in the inner
+** loop.  We would get the correct results if nothing were ever disabled,
+** but joins might run a little slower.  The trick is to disable as much
+** as we can without disabling too much.  If we disabled in (1), we'd get
+** the wrong answer.  See ticket #813.
+*/
+static void disableTerm(WhereLevel *pLevel, WhereTerm *pTerm){
+  if( pTerm
+      && (pTerm->flags & TERM_CODED)==0
+      && (pLevel->iLeftJoin==0 || ExprHasProperty(pTerm->pExpr, EP_FromJoin))
+  ){
+    pTerm->flags |= TERM_CODED;
+    if( pTerm->iParent>=0 ){
+      WhereTerm *pOther = &pTerm->pWC->a[pTerm->iParent];
+      if( (--pOther->nChild)==0 ){
+        disableTerm(pLevel, pOther);
+      }
+    }
+  }
+}
+
+/*
+** Generate code that builds a probe for an index.
+**
+** There should be nColumn values on the stack.  The index
+** to be probed is pIdx.  Pop the values from the stack and
+** replace them all with a single record that is the index
+** problem.
+*/
+static void buildIndexProbe(
+  Vdbe *v,        /* Generate code into this VM */
+  int nColumn,    /* The number of columns to check for NULL */
+  Index *pIdx     /* Index that we will be searching */
+){
+  sqlite3VdbeAddOp(v, OP_MakeRecord, nColumn, 0);
+  sqlite3IndexAffinityStr(v, pIdx);
+}
+
+
+/*
+** Generate code for a single equality term of the WHERE clause.  An equality
+** term can be either X=expr or X IN (...).   pTerm is the term to be 
+** coded.
+**
+** The current value for the constraint is left on the top of the stack.
+**
+** For a constraint of the form X=expr, the expression is evaluated and its
+** result is left on the stack.  For constraints of the form X IN (...)
+** this routine sets up a loop that will iterate over all values of X.
+*/
+static void codeEqualityTerm(
+  Parse *pParse,      /* The parsing context */
+  WhereTerm *pTerm,   /* The term of the WHERE clause to be coded */
+  WhereLevel *pLevel  /* When level of the FROM clause we are working on */
+){
+  Expr *pX = pTerm->pExpr;
+  Vdbe *v = pParse->pVdbe;
+  if( pX->op==TK_EQ ){
+    sqlite3ExprCode(pParse, pX->pRight);
+  }else if( pX->op==TK_ISNULL ){
+    sqlite3VdbeAddOp(v, OP_Null, 0, 0);
+#ifndef SQLITE_OMIT_SUBQUERY
+  }else{
+    int iTab;
+    struct InLoop *pIn;
+
+    assert( pX->op==TK_IN );
+    sqlite3CodeSubselect(pParse, pX);
+    iTab = pX->iTable;
+    sqlite3VdbeAddOp(v, OP_Rewind, iTab, 0);
+    VdbeComment((v, "# %.*s", pX->span.n, pX->span.z));
+    if( pLevel->nIn==0 ){
+      pLevel->nxt = sqlite3VdbeMakeLabel(v);
+    }
+    pLevel->nIn++;
+    pLevel->aInLoop = sqliteReallocOrFree(pLevel->aInLoop,
+                                    sizeof(pLevel->aInLoop[0])*pLevel->nIn);
+    pIn = pLevel->aInLoop;
+    if( pIn ){
+      pIn += pLevel->nIn - 1;
+      pIn->iCur = iTab;
+      pIn->topAddr = sqlite3VdbeAddOp(v, OP_Column, iTab, 0);
+      sqlite3VdbeAddOp(v, OP_IsNull, -1, 0);
+    }else{
+      pLevel->nIn = 0;
+    }
+#endif
+  }
+  disableTerm(pLevel, pTerm);
+}
+
+/*
+** Generate code that will evaluate all == and IN constraints for an
+** index.  The values for all constraints are left on the stack.
+**
+** For example, consider table t1(a,b,c,d,e,f) with index i1(a,b,c).
+** Suppose the WHERE clause is this:  a==5 AND b IN (1,2,3) AND c>5 AND c<10
+** The index has as many as three equality constraints, but in this
+** example, the third "c" value is an inequality.  So only two 
+** constraints are coded.  This routine will generate code to evaluate
+** a==5 and b IN (1,2,3).  The current values for a and b will be left
+** on the stack - a is the deepest and b the shallowest.
+**
+** In the example above nEq==2.  But this subroutine works for any value
+** of nEq including 0.  If nEq==0, this routine is nearly a no-op.
+** The only thing it does is allocate the pLevel->iMem memory cell.
+**
+** This routine always allocates at least one memory cell and puts
+** the address of that memory cell in pLevel->iMem.  The code that
+** calls this routine will use pLevel->iMem to store the termination
+** key value of the loop.  If one or more IN operators appear, then
+** this routine allocates an additional nEq memory cells for internal
+** use.
+*/
+static void codeAllEqualityTerms(
+  Parse *pParse,        /* Parsing context */
+  WhereLevel *pLevel,   /* Which nested loop of the FROM we are coding */
+  WhereClause *pWC,     /* The WHERE clause */
+  Bitmask notReady      /* Which parts of FROM have not yet been coded */
+){
+  int nEq = pLevel->nEq;        /* The number of == or IN constraints to code */
+  int termsInMem = 0;           /* If true, store value in mem[] cells */
+  Vdbe *v = pParse->pVdbe;      /* The virtual machine under construction */
+  Index *pIdx = pLevel->pIdx;   /* The index being used for this loop */
+  int iCur = pLevel->iTabCur;   /* The cursor of the table */
+  WhereTerm *pTerm;             /* A single constraint term */
+  int j;                        /* Loop counter */
+
+  /* Figure out how many memory cells we will need then allocate them.
+  ** We always need at least one used to store the loop terminator
+  ** value.  If there are IN operators we'll need one for each == or
+  ** IN constraint.
+  */
+  pLevel->iMem = pParse->nMem++;
+  if( pLevel->flags & WHERE_COLUMN_IN ){
+    pParse->nMem += pLevel->nEq;
+    termsInMem = 1;
+  }
+
+  /* Evaluate the equality constraints
+  */
+  assert( pIdx->nColumn>=nEq );
+  for(j=0; j<nEq; j++){
+    int k = pIdx->aiColumn[j];
+    pTerm = findTerm(pWC, iCur, k, notReady, pLevel->flags, pIdx);
+    if( pTerm==0 ) break;
+    assert( (pTerm->flags & TERM_CODED)==0 );
+    codeEqualityTerm(pParse, pTerm, pLevel);
+    if( (pTerm->eOperator & (WO_ISNULL|WO_IN))==0 ){
+      sqlite3VdbeAddOp(v, OP_IsNull, termsInMem ? -1 : -(j+1), pLevel->brk);
+    }
+    if( termsInMem ){
+      sqlite3VdbeAddOp(v, OP_MemStore, pLevel->iMem+j+1, 1);
+    }
+  }
+
+  /* Make sure all the constraint values are on the top of the stack
+  */
+  if( termsInMem ){
+    for(j=0; j<nEq; j++){
+      sqlite3VdbeAddOp(v, OP_MemLoad, pLevel->iMem+j+1, 0);
+    }
+  }
+}
+
+#if defined(SQLITE_TEST)
+/*
+** The following variable holds a text description of query plan generated
+** by the most recent call to sqlite3WhereBegin().  Each call to WhereBegin
+** overwrites the previous.  This information is used for testing and
+** analysis only.
+*/
+char sqlite3_query_plan[BMS*2*40];  /* Text of the join */
+static int nQPlan = 0;              /* Next free slow in _query_plan[] */
+
+#endif /* SQLITE_TEST */
+
+
+/*
+** Free a WhereInfo structure
+*/
+static void whereInfoFree(WhereInfo *pWInfo){
+  if( pWInfo ){
+    int i;
+    for(i=0; i<pWInfo->nLevel; i++){
+      sqlite3_index_info *pInfo = pWInfo->a[i].pIdxInfo;
+      if( pInfo ){
+        if( pInfo->needToFreeIdxStr ){
+          /* Coverage: Don't think this can be reached. By the time this
+          ** function is called, the index-strings have been passed
+          ** to the vdbe layer for deletion.
+          */
+          sqlite3_free(pInfo->idxStr);
+        }
+        sqliteFree(pInfo);
+      }
+    }
+    sqliteFree(pWInfo);
+  }
+}
+
+
+/*
+** Generate the beginning of the loop used for WHERE clause processing.
+** The return value is a pointer to an opaque structure that contains
+** information needed to terminate the loop.  Later, the calling routine
+** should invoke sqlite3WhereEnd() with the return value of this function
+** in order to complete the WHERE clause processing.
+**
+** If an error occurs, this routine returns NULL.
+**
+** The basic idea is to do a nested loop, one loop for each table in
+** the FROM clause of a select.  (INSERT and UPDATE statements are the
+** same as a SELECT with only a single table in the FROM clause.)  For
+** example, if the SQL is this:
+**
+**       SELECT * FROM t1, t2, t3 WHERE ...;
+**
+** Then the code generated is conceptually like the following:
+**
+**      foreach row1 in t1 do       \    Code generated
+**        foreach row2 in t2 do      |-- by sqlite3WhereBegin()
+**          foreach row3 in t3 do   /
+**            ...
+**          end                     \    Code generated
+**        end                        |-- by sqlite3WhereEnd()
+**      end                         /
+**
+** Note that the loops might not be nested in the order in which they
+** appear in the FROM clause if a different order is better able to make
+** use of indices.  Note also that when the IN operator appears in
+** the WHERE clause, it might result in additional nested loops for
+** scanning through all values on the right-hand side of the IN.
+**
+** There are Btree cursors associated with each table.  t1 uses cursor
+** number pTabList->a[0].iCursor.  t2 uses the cursor pTabList->a[1].iCursor.
+** And so forth.  This routine generates code to open those VDBE cursors
+** and sqlite3WhereEnd() generates the code to close them.
+**
+** The code that sqlite3WhereBegin() generates leaves the cursors named
+** in pTabList pointing at their appropriate entries.  The [...] code
+** can use OP_Column and OP_Rowid opcodes on these cursors to extract
+** data from the various tables of the loop.
+**
+** If the WHERE clause is empty, the foreach loops must each scan their
+** entire tables.  Thus a three-way join is an O(N^3) operation.  But if
+** the tables have indices and there are terms in the WHERE clause that
+** refer to those indices, a complete table scan can be avoided and the
+** code will run much faster.  Most of the work of this routine is checking
+** to see if there are indices that can be used to speed up the loop.
+**
+** Terms of the WHERE clause are also used to limit which rows actually
+** make it to the "..." in the middle of the loop.  After each "foreach",
+** terms of the WHERE clause that use only terms in that loop and outer
+** loops are evaluated and if false a jump is made around all subsequent
+** inner loops (or around the "..." if the test occurs within the inner-
+** most loop)
+**
+** OUTER JOINS
+**
+** An outer join of tables t1 and t2 is conceptally coded as follows:
+**
+**    foreach row1 in t1 do
+**      flag = 0
+**      foreach row2 in t2 do
+**        start:
+**          ...
+**          flag = 1
+**      end
+**      if flag==0 then
+**        move the row2 cursor to a null row
+**        goto start
+**      fi
+**    end
+**
+** ORDER BY CLAUSE PROCESSING
+**
+** *ppOrderBy is a pointer to the ORDER BY clause of a SELECT statement,
+** if there is one.  If there is no ORDER BY clause or if this routine
+** is called from an UPDATE or DELETE statement, then ppOrderBy is NULL.
+**
+** If an index can be used so that the natural output order of the table
+** scan is correct for the ORDER BY clause, then that index is used and
+** *ppOrderBy is set to NULL.  This is an optimization that prevents an
+** unnecessary sort of the result set if an index appropriate for the
+** ORDER BY clause already exists.
+**
+** If the where clause loops cannot be arranged to provide the correct
+** output order, then the *ppOrderBy is unchanged.
+*/
+WhereInfo *sqlite3WhereBegin(
+  Parse *pParse,        /* The parser context */
+  SrcList *pTabList,    /* A list of all tables to be scanned */
+  Expr *pWhere,         /* The WHERE clause */
+  ExprList **ppOrderBy  /* An ORDER BY clause, or NULL */
+){
+  int i;                     /* Loop counter */
+  WhereInfo *pWInfo;         /* Will become the return value of this function */
+  Vdbe *v = pParse->pVdbe;   /* The virtual database engine */
+  int brk, cont = 0;         /* Addresses used during code generation */
+  Bitmask notReady;          /* Cursors that are not yet positioned */
+  WhereTerm *pTerm;          /* A single term in the WHERE clause */
+  ExprMaskSet maskSet;       /* The expression mask set */
+  WhereClause wc;            /* The WHERE clause is divided into these terms */
+  struct SrcList_item *pTabItem;  /* A single entry from pTabList */
+  WhereLevel *pLevel;             /* A single level in the pWInfo list */
+  int iFrom;                      /* First unused FROM clause element */
+  int andFlags;              /* AND-ed combination of all wc.a[].flags */
+
+  /* The number of tables in the FROM clause is limited by the number of
+  ** bits in a Bitmask 
+  */
+  if( pTabList->nSrc>BMS ){
+    sqlite3ErrorMsg(pParse, "at most %d tables in a join", BMS);
+    return 0;
+  }
+
+  /* Split the WHERE clause into separate subexpressions where each
+  ** subexpression is separated by an AND operator.
+  */
+  initMaskSet(&maskSet);
+  whereClauseInit(&wc, pParse, &maskSet);
+  whereSplit(&wc, pWhere, TK_AND);
+    
+  /* Allocate and initialize the WhereInfo structure that will become the
+  ** return value.
+  */
+  pWInfo = sqliteMalloc( sizeof(WhereInfo) + pTabList->nSrc*sizeof(WhereLevel));
+  if( sqlite3MallocFailed() ){
+    goto whereBeginNoMem;
+  }
+  pWInfo->nLevel = pTabList->nSrc;
+  pWInfo->pParse = pParse;
+  pWInfo->pTabList = pTabList;
+  pWInfo->iBreak = sqlite3VdbeMakeLabel(v);
+
+  /* Special case: a WHERE clause that is constant.  Evaluate the
+  ** expression and either jump over all of the code or fall thru.
+  */
+  if( pWhere && (pTabList->nSrc==0 || sqlite3ExprIsConstant(pWhere)) ){
+    sqlite3ExprIfFalse(pParse, pWhere, pWInfo->iBreak, 1);
+    pWhere = 0;
+  }
+
+  /* Analyze all of the subexpressions.  Note that exprAnalyze() might
+  ** add new virtual terms onto the end of the WHERE clause.  We do not
+  ** want to analyze these virtual terms, so start analyzing at the end
+  ** and work forward so that the added virtual terms are never processed.
+  */
+  for(i=0; i<pTabList->nSrc; i++){
+    createMask(&maskSet, pTabList->a[i].iCursor);
+  }
+  exprAnalyzeAll(pTabList, &wc);
+  if( sqlite3MallocFailed() ){
+    goto whereBeginNoMem;
+  }
+
+  /* Chose the best index to use for each table in the FROM clause.
+  **
+  ** This loop fills in the following fields:
+  **
+  **   pWInfo->a[].pIdx      The index to use for this level of the loop.
+  **   pWInfo->a[].flags     WHERE_xxx flags associated with pIdx
+  **   pWInfo->a[].nEq       The number of == and IN constraints
+  **   pWInfo->a[].iFrom     When term of the FROM clause is being coded
+  **   pWInfo->a[].iTabCur   The VDBE cursor for the database table
+  **   pWInfo->a[].iIdxCur   The VDBE cursor for the index
+  **
+  ** This loop also figures out the nesting order of tables in the FROM
+  ** clause.
+  */
+  notReady = ~(Bitmask)0;
+  pTabItem = pTabList->a;
+  pLevel = pWInfo->a;
+  andFlags = ~0;
+  WHERETRACE(("*** Optimizer Start ***\n"));
+  for(i=iFrom=0, pLevel=pWInfo->a; i<pTabList->nSrc; i++, pLevel++){
+    Index *pIdx;                /* Index for FROM table at pTabItem */
+    int flags;                  /* Flags asssociated with pIdx */
+    int nEq;                    /* Number of == or IN constraints */
+    double cost;                /* The cost for pIdx */
+    int j;                      /* For looping over FROM tables */
+    Index *pBest = 0;           /* The best index seen so far */
+    int bestFlags = 0;          /* Flags associated with pBest */
+    int bestNEq = 0;            /* nEq associated with pBest */
+    double lowestCost;          /* Cost of the pBest */
+    int bestJ = 0;              /* The value of j */
+    Bitmask m;                  /* Bitmask value for j or bestJ */
+    int once = 0;               /* True when first table is seen */
+    sqlite3_index_info *pIndex; /* Current virtual index */
+
+    lowestCost = SQLITE_BIG_DBL;
+    for(j=iFrom, pTabItem=&pTabList->a[j]; j<pTabList->nSrc; j++, pTabItem++){
+      int doNotReorder;  /* True if this table should not be reordered */
+
+      doNotReorder =  (pTabItem->jointype & (JT_LEFT|JT_CROSS))!=0;
+      if( once && doNotReorder ) break;
+      m = getMask(&maskSet, pTabItem->iCursor);
+      if( (m & notReady)==0 ){
+        if( j==iFrom ) iFrom++;
+        continue;
+      }
+      assert( pTabItem->pTab );
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      if( IsVirtual(pTabItem->pTab) ){
+        sqlite3_index_info **ppIdxInfo = &pWInfo->a[j].pIdxInfo;
+        cost = bestVirtualIndex(pParse, &wc, pTabItem, notReady,
+                                ppOrderBy ? *ppOrderBy : 0, i==0,
+                                ppIdxInfo);
+        flags = WHERE_VIRTUALTABLE;
+        pIndex = *ppIdxInfo;
+        if( pIndex && pIndex->orderByConsumed ){
+          flags = WHERE_VIRTUALTABLE | WHERE_ORDERBY;
+        }
+        pIdx = 0;
+        nEq = 0;
+        if( (SQLITE_BIG_DBL/2.0)<cost ){
+          /* The cost is not allowed to be larger than SQLITE_BIG_DBL (the
+          ** inital value of lowestCost in this loop. If it is, then
+          ** the (cost<lowestCost) test below will never be true and
+          ** pLevel->pBestIdx never set.
+          */ 
+          cost = (SQLITE_BIG_DBL/2.0);
+        }
+      }else 
+#endif
+      {
+        cost = bestIndex(pParse, &wc, pTabItem, notReady,
+                         (i==0 && ppOrderBy) ? *ppOrderBy : 0,
+                         &pIdx, &flags, &nEq);
+        pIndex = 0;
+      }
+      if( cost<lowestCost ){
+        once = 1;
+        lowestCost = cost;
+        pBest = pIdx;
+        bestFlags = flags;
+        bestNEq = nEq;
+        bestJ = j;
+        pLevel->pBestIdx = pIndex;
+      }
+      if( doNotReorder ) break;
+    }
+    WHERETRACE(("*** Optimizer choose table %d for loop %d\n", bestJ,
+           pLevel-pWInfo->a));
+    if( (bestFlags & WHERE_ORDERBY)!=0 ){
+      *ppOrderBy = 0;
+    }
+    andFlags &= bestFlags;
+    pLevel->flags = bestFlags;
+    pLevel->pIdx = pBest;
+    pLevel->nEq = bestNEq;
+    pLevel->aInLoop = 0;
+    pLevel->nIn = 0;
+    if( pBest ){
+      pLevel->iIdxCur = pParse->nTab++;
+    }else{
+      pLevel->iIdxCur = -1;
+    }
+    notReady &= ~getMask(&maskSet, pTabList->a[bestJ].iCursor);
+    pLevel->iFrom = bestJ;
+  }
+  WHERETRACE(("*** Optimizer Finished ***\n"));
+
+  /* If the total query only selects a single row, then the ORDER BY
+  ** clause is irrelevant.
+  */
+  if( (andFlags & WHERE_UNIQUE)!=0 && ppOrderBy ){
+    *ppOrderBy = 0;
+  }
+
+  /* Open all tables in the pTabList and any indices selected for
+  ** searching those tables.
+  */
+  sqlite3CodeVerifySchema(pParse, -1); /* Insert the cookie verifier Goto */
+  for(i=0, pLevel=pWInfo->a; i<pTabList->nSrc; i++, pLevel++){
+    Table *pTab;     /* Table to open */
+    Index *pIx;      /* Index used to access pTab (if any) */
+    int iDb;         /* Index of database containing table/index */
+    int iIdxCur = pLevel->iIdxCur;
+
+#ifndef SQLITE_OMIT_EXPLAIN
+    if( pParse->explain==2 ){
+      char *zMsg;
+      struct SrcList_item *pItem = &pTabList->a[pLevel->iFrom];
+      zMsg = sqlite3MPrintf("TABLE %s", pItem->zName);
+      if( pItem->zAlias ){
+        zMsg = sqlite3MPrintf("%z AS %s", zMsg, pItem->zAlias);
+      }
+      if( (pIx = pLevel->pIdx)!=0 ){
+        zMsg = sqlite3MPrintf("%z WITH INDEX %s", zMsg, pIx->zName);
+      }else if( pLevel->flags & (WHERE_ROWID_EQ|WHERE_ROWID_RANGE) ){
+        zMsg = sqlite3MPrintf("%z USING PRIMARY KEY", zMsg);
+      }
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+      else if( pLevel->pBestIdx ){
+        sqlite3_index_info *pBestIdx = pLevel->pBestIdx;
+        zMsg = sqlite3MPrintf("%z VIRTUAL TABLE INDEX %d:%s", zMsg,
+                    pBestIdx->idxNum, pBestIdx->idxStr);
+      }
+#endif
+      if( pLevel->flags & WHERE_ORDERBY ){
+        zMsg = sqlite3MPrintf("%z ORDER BY", zMsg);
+      }
+      sqlite3VdbeOp3(v, OP_Explain, i, pLevel->iFrom, zMsg, P3_DYNAMIC);
+    }
+#endif /* SQLITE_OMIT_EXPLAIN */
+    pTabItem = &pTabList->a[pLevel->iFrom];
+    pTab = pTabItem->pTab;
+    iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
+    if( pTab->isEphem || pTab->pSelect ) continue;
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    if( pLevel->pBestIdx ){
+      int iCur = pTabItem->iCursor;
+      sqlite3VdbeOp3(v, OP_VOpen, iCur, 0, (const char*)pTab->pVtab, P3_VTAB);
+    }else
+#endif
+    if( (pLevel->flags & WHERE_IDX_ONLY)==0 ){
+      sqlite3OpenTable(pParse, pTabItem->iCursor, iDb, pTab, OP_OpenRead);
+      if( pTab->nCol<(sizeof(Bitmask)*8) ){
+        Bitmask b = pTabItem->colUsed;
+        int n = 0;
+        for(; b; b=b>>1, n++){}
+        sqlite3VdbeChangeP2(v, sqlite3VdbeCurrentAddr(v)-1, n);
+        assert( n<=pTab->nCol );
+      }
+    }else{
+      sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);
+    }
+    pLevel->iTabCur = pTabItem->iCursor;
+    if( (pIx = pLevel->pIdx)!=0 ){
+      KeyInfo *pKey = sqlite3IndexKeyinfo(pParse, pIx);
+      assert( pIx->pSchema==pTab->pSchema );
+      sqlite3VdbeAddOp(v, OP_Integer, iDb, 0);
+      VdbeComment((v, "# %s", pIx->zName));
+      sqlite3VdbeOp3(v, OP_OpenRead, iIdxCur, pIx->tnum,
+                     (char*)pKey, P3_KEYINFO_HANDOFF);
+    }
+    if( (pLevel->flags & (WHERE_IDX_ONLY|WHERE_COLUMN_RANGE))!=0 ){
+      /* Only call OP_SetNumColumns on the index if we might later use
+      ** OP_Column on the index. */
+      sqlite3VdbeAddOp(v, OP_SetNumColumns, iIdxCur, pIx->nColumn+1);
+    }
+    sqlite3CodeVerifySchema(pParse, iDb);
+  }
+  pWInfo->iTop = sqlite3VdbeCurrentAddr(v);
+
+  /* Generate the code to do the search.  Each iteration of the for
+  ** loop below generates code for a single nested loop of the VM
+  ** program.
+  */
+  notReady = ~(Bitmask)0;
+  for(i=0, pLevel=pWInfo->a; i<pTabList->nSrc; i++, pLevel++){
+    int j;
+    int iCur = pTabItem->iCursor;  /* The VDBE cursor for the table */
+    Index *pIdx;       /* The index we will be using */
+    int nxt;           /* Where to jump to continue with the next IN case */
+    int iIdxCur;       /* The VDBE cursor for the index */
+    int omitTable;     /* True if we use the index only */
+    int bRev;          /* True if we need to scan in reverse order */
+
+    pTabItem = &pTabList->a[pLevel->iFrom];
+    iCur = pTabItem->iCursor;
+    pIdx = pLevel->pIdx;
+    iIdxCur = pLevel->iIdxCur;
+    bRev = (pLevel->flags & WHERE_REVERSE)!=0;
+    omitTable = (pLevel->flags & WHERE_IDX_ONLY)!=0;
+
+    /* Create labels for the "break" and "continue" instructions
+    ** for the current loop.  Jump to brk to break out of a loop.
+    ** Jump to cont to go immediately to the next iteration of the
+    ** loop.
+    **
+    ** When there is an IN operator, we also have a "nxt" label that
+    ** means to continue with the next IN value combination.  When
+    ** there are no IN operators in the constraints, the "nxt" label
+    ** is the same as "brk".
+    */
+    brk = pLevel->brk = pLevel->nxt = sqlite3VdbeMakeLabel(v);
+    cont = pLevel->cont = sqlite3VdbeMakeLabel(v);
+
+    /* If this is the right table of a LEFT OUTER JOIN, allocate and
+    ** initialize a memory cell that records if this table matches any
+    ** row of the left table of the join.
+    */
+    if( pLevel->iFrom>0 && (pTabItem[0].jointype & JT_LEFT)!=0 ){
+      if( !pParse->nMem ) pParse->nMem++;
+      pLevel->iLeftJoin = pParse->nMem++;
+      sqlite3VdbeAddOp(v, OP_MemInt, 0, pLevel->iLeftJoin);
+      VdbeComment((v, "# init LEFT JOIN no-match flag"));
+    }
+
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+    if( pLevel->pBestIdx ){
+      /* Case 0:  The table is a virtual-table.  Use the VFilter and VNext
+      **          to access the data.
+      */
+      int j;
+      sqlite3_index_info *pBestIdx = pLevel->pBestIdx;
+      int nConstraint = pBestIdx->nConstraint;
+      struct sqlite3_index_constraint_usage *aUsage =
+                                                  pBestIdx->aConstraintUsage;
+      const struct sqlite3_index_constraint *aConstraint =
+                                                  pBestIdx->aConstraint;
+
+      for(j=1; j<=nConstraint; j++){
+        int k;
+        for(k=0; k<nConstraint; k++){
+          if( aUsage[k].argvIndex==j ){
+            int iTerm = aConstraint[k].iTermOffset;
+            sqlite3ExprCode(pParse, wc.a[iTerm].pExpr->pRight);
+            break;
+          }
+        }
+        if( k==nConstraint ) break;
+      }
+      sqlite3VdbeAddOp(v, OP_Integer, j-1, 0);
+      sqlite3VdbeAddOp(v, OP_Integer, pBestIdx->idxNum, 0);
+      sqlite3VdbeOp3(v, OP_VFilter, iCur, brk, pBestIdx->idxStr,
+                      pBestIdx->needToFreeIdxStr ? P3_MPRINTF : P3_STATIC);
+      pBestIdx->needToFreeIdxStr = 0;
+      for(j=0; j<pBestIdx->nConstraint; j++){
+        if( aUsage[j].omit ){
+          int iTerm = aConstraint[j].iTermOffset;
+          disableTerm(pLevel, &wc.a[iTerm]);
+        }
+      }
+      pLevel->op = OP_VNext;
+      pLevel->p1 = iCur;
+      pLevel->p2 = sqlite3VdbeCurrentAddr(v);
+    }else
+#endif /* SQLITE_OMIT_VIRTUALTABLE */
+
+    if( pLevel->flags & WHERE_ROWID_EQ ){
+      /* Case 1:  We can directly reference a single row using an
+      **          equality comparison against the ROWID field.  Or
+      **          we reference multiple rows using a "rowid IN (...)"
+      **          construct.
+      */
+      pTerm = findTerm(&wc, iCur, -1, notReady, WO_EQ|WO_IN, 0);
+      assert( pTerm!=0 );
+      assert( pTerm->pExpr!=0 );
+      assert( pTerm->leftCursor==iCur );
+      assert( omitTable==0 );
+      codeEqualityTerm(pParse, pTerm, pLevel);
+      nxt = pLevel->nxt;
+      sqlite3VdbeAddOp(v, OP_MustBeInt, 1, nxt);
+      sqlite3VdbeAddOp(v, OP_NotExists, iCur, nxt);
+      VdbeComment((v, "pk"));
+      pLevel->op = OP_Noop;
+    }else if( pLevel->flags & WHERE_ROWID_RANGE ){
+      /* Case 2:  We have an inequality comparison against the ROWID field.
+      */
+      int testOp = OP_Noop;
+      int start;
+      WhereTerm *pStart, *pEnd;
+
+      assert( omitTable==0 );
+      pStart = findTerm(&wc, iCur, -1, notReady, WO_GT|WO_GE, 0);
+      pEnd = findTerm(&wc, iCur, -1, notReady, WO_LT|WO_LE, 0);
+      if( bRev ){
+        pTerm = pStart;
+        pStart = pEnd;
+        pEnd = pTerm;
+      }
+      if( pStart ){
+        Expr *pX;
+        pX = pStart->pExpr;
+        assert( pX!=0 );
+        assert( pStart->leftCursor==iCur );
+        sqlite3ExprCode(pParse, pX->pRight);
+        sqlite3VdbeAddOp(v, OP_ForceInt, pX->op==TK_LE || pX->op==TK_GT, brk);
+        sqlite3VdbeAddOp(v, bRev ? OP_MoveLt : OP_MoveGe, iCur, brk);
+        VdbeComment((v, "pk"));
+        disableTerm(pLevel, pStart);
+      }else{
+        sqlite3VdbeAddOp(v, bRev ? OP_Last : OP_Rewind, iCur, brk);
+      }
+      if( pEnd ){
+        Expr *pX;
+        pX = pEnd->pExpr;
+        assert( pX!=0 );
+        assert( pEnd->leftCursor==iCur );
+        sqlite3ExprCode(pParse, pX->pRight);
+        pLevel->iMem = pParse->nMem++;
+        sqlite3VdbeAddOp(v, OP_MemStore, pLevel->iMem, 1);
+        if( pX->op==TK_LT || pX->op==TK_GT ){
+          testOp = bRev ? OP_Le : OP_Ge;
+        }else{
+          testOp = bRev ? OP_Lt : OP_Gt;
+        }
+        disableTerm(pLevel, pEnd);
+      }
+      start = sqlite3VdbeCurrentAddr(v);
+      pLevel->op = bRev ? OP_Prev : OP_Next;
+      pLevel->p1 = iCur;
+      pLevel->p2 = start;
+      if( testOp!=OP_Noop ){
+        sqlite3VdbeAddOp(v, OP_Rowid, iCur, 0);
+        sqlite3VdbeAddOp(v, OP_MemLoad, pLevel->iMem, 0);
+        sqlite3VdbeAddOp(v, testOp, SQLITE_AFF_NUMERIC, brk);
+      }
+    }else if( pLevel->flags & WHERE_COLUMN_RANGE ){
+      /* Case 3: The WHERE clause term that refers to the right-most
+      **         column of the index is an inequality.  For example, if
+      **         the index is on (x,y,z) and the WHERE clause is of the
+      **         form "x=5 AND y<10" then this case is used.  Only the
+      **         right-most column can be an inequality - the rest must
+      **         use the "==" and "IN" operators.
+      **
+      **         This case is also used when there are no WHERE clause
+      **         constraints but an index is selected anyway, in order
+      **         to force the output order to conform to an ORDER BY.
+      */
+      int start;
+      int nEq = pLevel->nEq;
+      int topEq=0;        /* True if top limit uses ==. False is strictly < */
+      int btmEq=0;        /* True if btm limit uses ==. False if strictly > */
+      int topOp, btmOp;   /* Operators for the top and bottom search bounds */
+      int testOp;
+      int topLimit = (pLevel->flags & WHERE_TOP_LIMIT)!=0;
+      int btmLimit = (pLevel->flags & WHERE_BTM_LIMIT)!=0;
+
+      /* Generate code to evaluate all constraint terms using == or IN
+      ** and level the values of those terms on the stack.
+      */
+      codeAllEqualityTerms(pParse, pLevel, &wc, notReady);
+
+      /* Duplicate the equality term values because they will all be
+      ** used twice: once to make the termination key and once to make the
+      ** start key.
+      */
+      for(j=0; j<nEq; j++){
+        sqlite3VdbeAddOp(v, OP_Dup, nEq-1, 0);
+      }
+
+      /* Figure out what comparison operators to use for top and bottom 
+      ** search bounds. For an ascending index, the bottom bound is a > or >=
+      ** operator and the top bound is a < or <= operator.  For a descending
+      ** index the operators are reversed.
+      */
+      if( pIdx->aSortOrder[nEq]==SQLITE_SO_ASC ){
+        topOp = WO_LT|WO_LE;
+        btmOp = WO_GT|WO_GE;
+      }else{
+        topOp = WO_GT|WO_GE;
+        btmOp = WO_LT|WO_LE;
+        SWAP(int, topLimit, btmLimit);
+      }
+
+      /* Generate the termination key.  This is the key value that
+      ** will end the search.  There is no termination key if there
+      ** are no equality terms and no "X<..." term.
+      **
+      ** 2002-Dec-04: On a reverse-order scan, the so-called "termination"
+      ** key computed here really ends up being the start key.
+      */
+      nxt = pLevel->nxt;
+      if( topLimit ){
+        Expr *pX;
+        int k = pIdx->aiColumn[j];
+        pTerm = findTerm(&wc, iCur, k, notReady, topOp, pIdx);
+        assert( pTerm!=0 );
+        pX = pTerm->pExpr;
+        assert( (pTerm->flags & TERM_CODED)==0 );
+        sqlite3ExprCode(pParse, pX->pRight);
+        sqlite3VdbeAddOp(v, OP_IsNull, -(nEq+1), nxt);
+        topEq = pTerm->eOperator & (WO_LE|WO_GE);
+        disableTerm(pLevel, pTerm);
+        testOp = OP_IdxGE;
+      }else{
+        testOp = nEq>0 ? OP_IdxGE : OP_Noop;
+        topEq = 1;
+      }
+      if( testOp!=OP_Noop ){
+        int nCol = nEq + topLimit;
+        pLevel->iMem = pParse->nMem++;
+        buildIndexProbe(v, nCol, pIdx);
+        if( bRev ){
+          int op = topEq ? OP_MoveLe : OP_MoveLt;
+          sqlite3VdbeAddOp(v, op, iIdxCur, nxt);
+        }else{
+          sqlite3VdbeAddOp(v, OP_MemStore, pLevel->iMem, 1);
+        }
+      }else if( bRev ){
+        sqlite3VdbeAddOp(v, OP_Last, iIdxCur, brk);
+      }
+
+      /* Generate the start key.  This is the key that defines the lower
+      ** bound on the search.  There is no start key if there are no
+      ** equality terms and if there is no "X>..." term.  In
+      ** that case, generate a "Rewind" instruction in place of the
+      ** start key search.
+      **
+      ** 2002-Dec-04: In the case of a reverse-order search, the so-called
+      ** "start" key really ends up being used as the termination key.
+      */
+      if( btmLimit ){
+        Expr *pX;
+        int k = pIdx->aiColumn[j];
+        pTerm = findTerm(&wc, iCur, k, notReady, btmOp, pIdx);
+        assert( pTerm!=0 );
+        pX = pTerm->pExpr;
+        assert( (pTerm->flags & TERM_CODED)==0 );
+        sqlite3ExprCode(pParse, pX->pRight);
+        sqlite3VdbeAddOp(v, OP_IsNull, -(nEq+1), nxt);
+        btmEq = pTerm->eOperator & (WO_LE|WO_GE);
+        disableTerm(pLevel, pTerm);
+      }else{
+        btmEq = 1;
+      }
+      if( nEq>0 || btmLimit ){
+        int nCol = nEq + btmLimit;
+        buildIndexProbe(v, nCol, pIdx);
+        if( bRev ){
+          pLevel->iMem = pParse->nMem++;
+          sqlite3VdbeAddOp(v, OP_MemStore, pLevel->iMem, 1);
+          testOp = OP_IdxLT;
+        }else{
+          int op = btmEq ? OP_MoveGe : OP_MoveGt;
+          sqlite3VdbeAddOp(v, op, iIdxCur, nxt);
+        }
+      }else if( bRev ){
+        testOp = OP_Noop;
+      }else{
+        sqlite3VdbeAddOp(v, OP_Rewind, iIdxCur, brk);
+      }
+
+      /* Generate the the top of the loop.  If there is a termination
+      ** key we have to test for that key and abort at the top of the
+      ** loop.
+      */
+      start = sqlite3VdbeCurrentAddr(v);
+      if( testOp!=OP_Noop ){
+        sqlite3VdbeAddOp(v, OP_MemLoad, pLevel->iMem, 0);
+        sqlite3VdbeAddOp(v, testOp, iIdxCur, nxt);
+        if( (topEq && !bRev) || (!btmEq && bRev) ){
+          sqlite3VdbeChangeP3(v, -1, "+", P3_STATIC);
+        }
+      }
+      if( topLimit | btmLimit ){
+        sqlite3VdbeAddOp(v, OP_Column, iIdxCur, nEq);
+        sqlite3VdbeAddOp(v, OP_IsNull, 1, cont);
+      }
+      if( !omitTable ){
+        sqlite3VdbeAddOp(v, OP_IdxRowid, iIdxCur, 0);
+        sqlite3VdbeAddOp(v, OP_MoveGe, iCur, 0);
+      }
+
+      /* Record the instruction used to terminate the loop.
+      */
+      pLevel->op = bRev ? OP_Prev : OP_Next;
+      pLevel->p1 = iIdxCur;
+      pLevel->p2 = start;
+    }else if( pLevel->flags & WHERE_COLUMN_EQ ){
+      /* Case 4:  There is an index and all terms of the WHERE clause that
+      **          refer to the index using the "==" or "IN" operators.
+      */
+      int start;
+      int nEq = pLevel->nEq;
+
+      /* Generate code to evaluate all constraint terms using == or IN
+      ** and leave the values of those terms on the stack.
+      */
+      codeAllEqualityTerms(pParse, pLevel, &wc, notReady);
+      nxt = pLevel->nxt;
+
+      /* Generate a single key that will be used to both start and terminate
+      ** the search
+      */
+      buildIndexProbe(v, nEq, pIdx);
+      sqlite3VdbeAddOp(v, OP_MemStore, pLevel->iMem, 0);
+
+      /* Generate code (1) to move to the first matching element of the table.
+      ** Then generate code (2) that jumps to "nxt" after the cursor is past
+      ** the last matching element of the table.  The code (1) is executed
+      ** once to initialize the search, the code (2) is executed before each
+      ** iteration of the scan to see if the scan has finished. */
+      if( bRev ){
+        /* Scan in reverse order */
+        sqlite3VdbeAddOp(v, OP_MoveLe, iIdxCur, nxt);
+        start = sqlite3VdbeAddOp(v, OP_MemLoad, pLevel->iMem, 0);
+        sqlite3VdbeAddOp(v, OP_IdxLT, iIdxCur, nxt);
+        pLevel->op = OP_Prev;
+      }else{
+        /* Scan in the forward order */
+        sqlite3VdbeAddOp(v, OP_MoveGe, iIdxCur, nxt);
+        start = sqlite3VdbeAddOp(v, OP_MemLoad, pLevel->iMem, 0);
+        sqlite3VdbeOp3(v, OP_IdxGE, iIdxCur, nxt, "+", P3_STATIC);
+        pLevel->op = OP_Next;
+      }
+      if( !omitTable ){
+        sqlite3VdbeAddOp(v, OP_IdxRowid, iIdxCur, 0);
+        sqlite3VdbeAddOp(v, OP_MoveGe, iCur, 0);
+      }
+      pLevel->p1 = iIdxCur;
+      pLevel->p2 = start;
+    }else{
+      /* Case 5:  There is no usable index.  We must do a complete
+      **          scan of the entire table.
+      */
+      assert( omitTable==0 );
+      assert( bRev==0 );
+      pLevel->op = OP_Next;
+      pLevel->p1 = iCur;
+      pLevel->p2 = 1 + sqlite3VdbeAddOp(v, OP_Rewind, iCur, brk);
+    }
+    notReady &= ~getMask(&maskSet, iCur);
+
+    /* Insert code to test every subexpression that can be completely
+    ** computed using the current set of tables.
+    */
+    for(pTerm=wc.a, j=wc.nTerm; j>0; j--, pTerm++){
+      Expr *pE;
+      if( pTerm->flags & (TERM_VIRTUAL|TERM_CODED) ) continue;
+      if( (pTerm->prereqAll & notReady)!=0 ) continue;
+      pE = pTerm->pExpr;
+      assert( pE!=0 );
+      if( pLevel->iLeftJoin && !ExprHasProperty(pE, EP_FromJoin) ){
+        continue;
+      }
+      sqlite3ExprIfFalse(pParse, pE, cont, 1);
+      pTerm->flags |= TERM_CODED;
+    }
+
+    /* For a LEFT OUTER JOIN, generate code that will record the fact that
+    ** at least one row of the right table has matched the left table.  
+    */
+    if( pLevel->iLeftJoin ){
+      pLevel->top = sqlite3VdbeCurrentAddr(v);
+      sqlite3VdbeAddOp(v, OP_MemInt, 1, pLevel->iLeftJoin);
+      VdbeComment((v, "# record LEFT JOIN hit"));
+      for(pTerm=wc.a, j=0; j<wc.nTerm; j++, pTerm++){
+        if( pTerm->flags & (TERM_VIRTUAL|TERM_CODED) ) continue;
+        if( (pTerm->prereqAll & notReady)!=0 ) continue;
+        assert( pTerm->pExpr );
+        sqlite3ExprIfFalse(pParse, pTerm->pExpr, cont, 1);
+        pTerm->flags |= TERM_CODED;
+      }
+    }
+  }
+
+#ifdef SQLITE_TEST  /* For testing and debugging use only */
+  /* Record in the query plan information about the current table
+  ** and the index used to access it (if any).  If the table itself
+  ** is not used, its name is just '{}'.  If no index is used
+  ** the index is listed as "{}".  If the primary key is used the
+  ** index name is '*'.
+  */
+  for(i=0; i<pTabList->nSrc; i++){
+    char *z;
+    int n;
+    pLevel = &pWInfo->a[i];
+    pTabItem = &pTabList->a[pLevel->iFrom];
+    z = pTabItem->zAlias;
+    if( z==0 ) z = pTabItem->pTab->zName;
+    n = strlen(z);
+    if( n+nQPlan < sizeof(sqlite3_query_plan)-10 ){
+      if( pLevel->flags & WHERE_IDX_ONLY ){
+        strcpy(&sqlite3_query_plan[nQPlan], "{}");
+        nQPlan += 2;
+      }else{
+        strcpy(&sqlite3_query_plan[nQPlan], z);
+        nQPlan += n;
+      }
+      sqlite3_query_plan[nQPlan++] = ' ';
+    }
+    if( pLevel->flags & (WHERE_ROWID_EQ|WHERE_ROWID_RANGE) ){
+      strcpy(&sqlite3_query_plan[nQPlan], "* ");
+      nQPlan += 2;
+    }else if( pLevel->pIdx==0 ){
+      strcpy(&sqlite3_query_plan[nQPlan], "{} ");
+      nQPlan += 3;
+    }else{
+      n = strlen(pLevel->pIdx->zName);
+      if( n+nQPlan < sizeof(sqlite3_query_plan)-2 ){
+        strcpy(&sqlite3_query_plan[nQPlan], pLevel->pIdx->zName);
+        nQPlan += n;
+        sqlite3_query_plan[nQPlan++] = ' ';
+      }
+    }
+  }
+  while( nQPlan>0 && sqlite3_query_plan[nQPlan-1]==' ' ){
+    sqlite3_query_plan[--nQPlan] = 0;
+  }
+  sqlite3_query_plan[nQPlan] = 0;
+  nQPlan = 0;
+#endif /* SQLITE_TEST // Testing and debugging use only */
+
+  /* Record the continuation address in the WhereInfo structure.  Then
+  ** clean up and return.
+  */
+  pWInfo->iContinue = cont;
+  whereClauseClear(&wc);
+  return pWInfo;
+
+  /* Jump here if malloc fails */
+whereBeginNoMem:
+  whereClauseClear(&wc);
+  whereInfoFree(pWInfo);
+  return 0;
+}
+
+/*
+** Generate the end of the WHERE loop.  See comments on 
+** sqlite3WhereBegin() for additional information.
+*/
+void sqlite3WhereEnd(WhereInfo *pWInfo){
+  Vdbe *v = pWInfo->pParse->pVdbe;
+  int i;
+  WhereLevel *pLevel;
+  SrcList *pTabList = pWInfo->pTabList;
+
+  /* Generate loop termination code.
+  */
+  for(i=pTabList->nSrc-1; i>=0; i--){
+    pLevel = &pWInfo->a[i];
+    sqlite3VdbeResolveLabel(v, pLevel->cont);
+    if( pLevel->op!=OP_Noop ){
+      sqlite3VdbeAddOp(v, pLevel->op, pLevel->p1, pLevel->p2);
+    }
+    if( pLevel->nIn ){
+      struct InLoop *pIn;
+      int j;
+      sqlite3VdbeResolveLabel(v, pLevel->nxt);
+      for(j=pLevel->nIn, pIn=&pLevel->aInLoop[j-1]; j>0; j--, pIn--){
+        sqlite3VdbeJumpHere(v, pIn->topAddr+1);
+        sqlite3VdbeAddOp(v, OP_Next, pIn->iCur, pIn->topAddr);
+        sqlite3VdbeJumpHere(v, pIn->topAddr-1);
+      }
+      sqliteFree(pLevel->aInLoop);
+    }
+    sqlite3VdbeResolveLabel(v, pLevel->brk);
+    if( pLevel->iLeftJoin ){
+      int addr;
+      addr = sqlite3VdbeAddOp(v, OP_IfMemPos, pLevel->iLeftJoin, 0);
+      sqlite3VdbeAddOp(v, OP_NullRow, pTabList->a[i].iCursor, 0);
+      if( pLevel->iIdxCur>=0 ){
+        sqlite3VdbeAddOp(v, OP_NullRow, pLevel->iIdxCur, 0);
+      }
+      sqlite3VdbeAddOp(v, OP_Goto, 0, pLevel->top);
+      sqlite3VdbeJumpHere(v, addr);
+    }
+  }
+
+  /* The "break" point is here, just past the end of the outer loop.
+  ** Set it.
+  */
+  sqlite3VdbeResolveLabel(v, pWInfo->iBreak);
+
+  /* Close all of the cursors that were opened by sqlite3WhereBegin.
+  */
+  for(i=0, pLevel=pWInfo->a; i<pTabList->nSrc; i++, pLevel++){
+    struct SrcList_item *pTabItem = &pTabList->a[pLevel->iFrom];
+    Table *pTab = pTabItem->pTab;
+    assert( pTab!=0 );
+    if( pTab->isEphem || pTab->pSelect ) continue;
+    if( (pLevel->flags & WHERE_IDX_ONLY)==0 ){
+      sqlite3VdbeAddOp(v, OP_Close, pTabItem->iCursor, 0);
+    }
+    if( pLevel->pIdx!=0 ){
+      sqlite3VdbeAddOp(v, OP_Close, pLevel->iIdxCur, 0);
+    }
+
+    /* Make cursor substitutions for cases where we want to use
+    ** just the index and never reference the table.
+    ** 
+    ** Calls to the code generator in between sqlite3WhereBegin and
+    ** sqlite3WhereEnd will have created code that references the table
+    ** directly.  This loop scans all that code looking for opcodes
+    ** that reference the table and converts them into opcodes that
+    ** reference the index.
+    */
+    if( pLevel->flags & WHERE_IDX_ONLY ){
+      int k, j, last;
+      VdbeOp *pOp;
+      Index *pIdx = pLevel->pIdx;
+
+      assert( pIdx!=0 );
+      pOp = sqlite3VdbeGetOp(v, pWInfo->iTop);
+      last = sqlite3VdbeCurrentAddr(v);
+      for(k=pWInfo->iTop; k<last; k++, pOp++){
+        if( pOp->p1!=pLevel->iTabCur ) continue;
+        if( pOp->opcode==OP_Column ){
+          pOp->p1 = pLevel->iIdxCur;
+          for(j=0; j<pIdx->nColumn; j++){
+            if( pOp->p2==pIdx->aiColumn[j] ){
+              pOp->p2 = j;
+              break;
+            }
+          }
+        }else if( pOp->opcode==OP_Rowid ){
+          pOp->p1 = pLevel->iIdxCur;
+          pOp->opcode = OP_IdxRowid;
+        }else if( pOp->opcode==OP_NullRow ){
+          pOp->opcode = OP_Noop;
+        }
+      }
+    }
+  }
+
+  /* Final cleanup
+  */
+  whereInfoFree(pWInfo);
+  return;
+}
+
+/************** End of where.c ***********************************************/
+/************** Begin file parse.c *******************************************/
+/* Driver template for the LEMON parser generator.
+** The author disclaims copyright to this source code.
+*/
+/* First off, code is include which follows the "include" declaration
+** in the input file. */
+
+
+/*
+** An instance of this structure holds information about the
+** LIMIT clause of a SELECT statement.
+*/
+struct LimitVal {
+  Expr *pLimit;    /* The LIMIT expression.  NULL if there is no limit */
+  Expr *pOffset;   /* The OFFSET expression.  NULL if there is none */
+};
+
+/*
+** An instance of this structure is used to store the LIKE,
+** GLOB, NOT LIKE, and NOT GLOB operators.
+*/
+struct LikeOp {
+  Token eOperator;  /* "like" or "glob" or "regexp" */
+  int not;         /* True if the NOT keyword is present */
+};
+
+/*
+** An instance of the following structure describes the event of a
+** TRIGGER.  "a" is the event type, one of TK_UPDATE, TK_INSERT,
+** TK_DELETE, or TK_INSTEAD.  If the event is of the form
+**
+**      UPDATE ON (a,b,c)
+**
+** Then the "b" IdList records the list "a,b,c".
+*/
+struct TrigEvent { int a; IdList * b; };
+
+/*
+** An instance of this structure holds the ATTACH key and the key type.
+*/
+struct AttachKey { int type;  Token key; };
+
+/* Next is all token values, in a form suitable for use by makeheaders.
+** This section will be null unless lemon is run with the -m switch.
+*/
+/* 
+** These constants (all generated automatically by the parser generator)
+** specify the various kinds of tokens (terminals) that the parser
+** understands. 
+**
+** Each symbol here is a terminal symbol in the grammar.
+*/
+/* Make sure the INTERFACE macro is defined.
+*/
+#ifndef INTERFACE
+# define INTERFACE 1
+#endif
+/* The next thing included is series of defines which control
+** various aspects of the generated parser.
+**    YYCODETYPE         is the data type used for storing terminal
+**                       and nonterminal numbers.  "unsigned char" is
+**                       used if there are fewer than 250 terminals
+**                       and nonterminals.  "int" is used otherwise.
+**    YYNOCODE           is a number of type YYCODETYPE which corresponds
+**                       to no legal terminal or nonterminal number.  This
+**                       number is used to fill in empty slots of the hash 
+**                       table.
+**    YYFALLBACK         If defined, this indicates that one or more tokens
+**                       have fall-back values which should be used if the
+**                       original value of the token will not parse.
+**    YYACTIONTYPE       is the data type used for storing terminal
+**                       and nonterminal numbers.  "unsigned char" is
+**                       used if there are fewer than 250 rules and
+**                       states combined.  "int" is used otherwise.
+**    sqlite3ParserTOKENTYPE     is the data type used for minor tokens given 
+**                       directly to the parser from the tokenizer.
+**    YYMINORTYPE        is the data type used for all minor tokens.
+**                       This is typically a union of many types, one of
+**                       which is sqlite3ParserTOKENTYPE.  The entry in the union
+**                       for base tokens is called "yy0".
+**    YYSTACKDEPTH       is the maximum depth of the parser's stack.  If
+**                       zero the stack is dynamically sized using realloc()
+**    sqlite3ParserARG_SDECL     A static variable declaration for the %extra_argument
+**    sqlite3ParserARG_PDECL     A parameter declaration for the %extra_argument
+**    sqlite3ParserARG_STORE     Code to store %extra_argument into yypParser
+**    sqlite3ParserARG_FETCH     Code to extract %extra_argument from yypParser
+**    YYNSTATE           the combined number of states.
+**    YYNRULE            the number of rules in the grammar
+**    YYERRORSYMBOL      is the code number of the error symbol.  If not
+**                       defined, then do no error processing.
+*/
+#define YYCODETYPE unsigned char
+#define YYNOCODE 248
+#define YYACTIONTYPE unsigned short int
+#define YYWILDCARD 59
+#define sqlite3ParserTOKENTYPE Token
+typedef union {
+  sqlite3ParserTOKENTYPE yy0;
+  int yy46;
+  struct LikeOp yy72;
+  Expr* yy172;
+  ExprList* yy174;
+  Select* yy219;
+  struct LimitVal yy234;
+  TriggerStep* yy243;
+  struct TrigEvent yy370;
+  SrcList* yy373;
+  Expr * yy386;
+  struct {int value; int mask;} yy405;
+  Token yy410;
+  IdList* yy432;
+  int yy495;
+} YYMINORTYPE;
+#ifndef YYSTACKDEPTH
+#define YYSTACKDEPTH 100
+#endif
+#define sqlite3ParserARG_SDECL Parse *pParse;
+#define sqlite3ParserARG_PDECL ,Parse *pParse
+#define sqlite3ParserARG_FETCH Parse *pParse = yypParser->pParse
+#define sqlite3ParserARG_STORE yypParser->pParse = pParse
+#define YYNSTATE 586
+#define YYNRULE 311
+#define YYERRORSYMBOL 138
+#define YYERRSYMDT yy495
+#define YYFALLBACK 1
+#define YY_NO_ACTION      (YYNSTATE+YYNRULE+2)
+#define YY_ACCEPT_ACTION  (YYNSTATE+YYNRULE+1)
+#define YY_ERROR_ACTION   (YYNSTATE+YYNRULE)
+
+/* Next are that tables used to determine what action to take based on the
+** current state and lookahead token.  These tables are used to implement
+** functions that take a state number and lookahead value and return an
+** action integer.  
+**
+** Suppose the action integer is N.  Then the action is determined as
+** follows
+**
+**   0 <= N < YYNSTATE                  Shift N.  That is, push the lookahead
+**                                      token onto the stack and goto state N.
+**
+**   YYNSTATE <= N < YYNSTATE+YYNRULE   Reduce by rule N-YYNSTATE.
+**
+**   N == YYNSTATE+YYNRULE              A syntax error has occurred.
+**
+**   N == YYNSTATE+YYNRULE+1            The parser accepts its input.
+**
+**   N == YYNSTATE+YYNRULE+2            No such action.  Denotes unused
+**                                      slots in the yy_action[] table.
+**
+** The action table is constructed as a single large table named yy_action[].
+** Given state S and lookahead X, the action is computed as
+**
+**      yy_action[ yy_shift_ofst[S] + X ]
+**
+** If the index value yy_shift_ofst[S]+X is out of range or if the value
+** yy_lookahead[yy_shift_ofst[S]+X] is not equal to X or if yy_shift_ofst[S]
+** is equal to YY_SHIFT_USE_DFLT, it means that the action is not in the table
+** and that yy_default[S] should be used instead.  
+**
+** The formula above is for computing the action when the lookahead is
+** a terminal symbol.  If the lookahead is a non-terminal (as occurs after
+** a reduce action) then the yy_reduce_ofst[] array is used in place of
+** the yy_shift_ofst[] array and YY_REDUCE_USE_DFLT is used in place of
+** YY_SHIFT_USE_DFLT.
+**
+** The following are the tables generated in this section:
+**
+**  yy_action[]        A single table containing all actions.
+**  yy_lookahead[]     A table containing the lookahead for each entry in
+**                     yy_action.  Used to detect hash collisions.
+**  yy_shift_ofst[]    For each state, the offset into yy_action for
+**                     shifting terminals.
+**  yy_reduce_ofst[]   For each state, the offset into yy_action for
+**                     shifting non-terminals after a reduce.
+**  yy_default[]       Default action for each state.
+*/
+static const YYACTIONTYPE yy_action[] = {
+ /*     0 */   289,  898,  121,  585,  405,  169,    2,  435,   61,   61,
+ /*    10 */    61,   61,  517,   63,   63,   63,   63,   64,   64,   65,
+ /*    20 */    65,   65,   66,  230,  387,  384,  420,  426,   68,   63,
+ /*    30 */    63,   63,   63,   64,   64,   65,   65,   65,   66,  230,
+ /*    40 */   443,  208,  392,  447,   60,   59,  294,  430,  431,  427,
+ /*    50 */   427,   62,   62,   61,   61,   61,   61,  205,   63,   63,
+ /*    60 */    63,   63,   64,   64,   65,   65,   65,   66,  230,  289,
+ /*    70 */   368,  316,  435,  487,  205,   80,   67,  415,   69,  151,
+ /*    80 */    63,   63,   63,   63,   64,   64,   65,   65,   65,   66,
+ /*    90 */   230,  515,  162,  410,   35,  420,  426,  443,  571,   58,
+ /*   100 */    64,   64,   65,   65,   65,   66,  230,  393,  394,  417,
+ /*   110 */   417,  417,  289,   60,   59,  294,  430,  431,  427,  427,
+ /*   120 */    62,   62,   61,   61,   61,   61,  302,   63,   63,   63,
+ /*   130 */    63,   64,   64,   65,   65,   65,   66,  230,  420,  426,
+ /*   140 */    92,   65,   65,   65,   66,  230,  392,  456,  472,   67,
+ /*   150 */    56,   69,  151,  169,  406,  435,   60,   59,  294,  430,
+ /*   160 */   431,  427,  427,   62,   62,   61,   61,   61,   61,  247,
+ /*   170 */    63,   63,   63,   63,   64,   64,   65,   65,   65,   66,
+ /*   180 */   230,  289,  569,  522,  292,  620,  111,  478,  515,  447,
+ /*   190 */   230,  316,  403,   21,   67,  460,   69,  151,   66,  230,
+ /*   200 */   568,  443,  208,   67,  224,   69,  151,  420,  426,  146,
+ /*   210 */   147,  393,  394,  410,   41,  386,  148,  531,    2,  487,
+ /*   220 */   435,  566,  232,  415,  289,   60,   59,  294,  430,  431,
+ /*   230 */   427,  427,   62,   62,   61,   61,   61,   61,  316,   63,
+ /*   240 */    63,   63,   63,   64,   64,   65,   65,   65,   66,  230,
+ /*   250 */   420,  426,  486,  330,  211,  417,  417,  417,  359,  270,
+ /*   260 */   410,   41,  378,  207,  362,  542,  245,  289,   60,   59,
+ /*   270 */   294,  430,  431,  427,  427,   62,   62,   61,   61,   61,
+ /*   280 */    61,  392,   63,   63,   63,   63,   64,   64,   65,   65,
+ /*   290 */    65,   66,  230,  420,  426,  260,  299,  273,  522,  271,
+ /*   300 */   522,  210,  370,  319,  223,  433,  433,  532,   21,  576,
+ /*   310 */    21,   60,   59,  294,  430,  431,  427,  427,   62,   62,
+ /*   320 */    61,   61,   61,   61,  191,   63,   63,   63,   63,   64,
+ /*   330 */    64,   65,   65,   65,   66,  230,  261,  316,  239,   76,
+ /*   340 */   289,  544,  299,  149,  482,  150,  393,  394,  178,  240,
+ /*   350 */   569,  341,  344,  345,  404,  520,  445,  322,  165,  410,
+ /*   360 */    28,  540,  346,  517,  248,  539,  420,  426,  568,  567,
+ /*   370 */   161,  115,  238,  339,  243,  340,  173,  358,  272,  411,
+ /*   380 */   821,  488,   79,  249,   60,   59,  294,  430,  431,  427,
+ /*   390 */   427,   62,   62,   61,   61,   61,   61,  530,   63,   63,
+ /*   400 */    63,   63,   64,   64,   65,   65,   65,   66,  230,  289,
+ /*   410 */   248,  178,  465,  485,  341,  344,  345,  115,  238,  339,
+ /*   420 */   243,  340,  173,   82,  316,  346,  316,  491,  492,  249,
+ /*   430 */   565,  207,  152,  523,  489,  420,  426,  178,  529,  503,
+ /*   440 */   341,  344,  345,  407,  472,  528,  410,   35,  410,   35,
+ /*   450 */   171,  346,  198,   60,   59,  294,  430,  431,  427,  427,
+ /*   460 */    62,   62,   61,   61,   61,   61,  411,   63,   63,   63,
+ /*   470 */    63,   64,   64,   65,   65,   65,   66,  230,  289,  548,
+ /*   480 */   579,  288,  502,  234,  411,  316,  411,  316,  296,  283,
+ /*   490 */   298,  316,  445,  521,  165,  476,  172,  157,  421,  422,
+ /*   500 */   457,  335,  457,  144,  420,  426,  366,  410,   35,  410,
+ /*   510 */    36,  435,    1,  410,   49,  327,  392,  547,  193,  424,
+ /*   520 */   425,  156,   60,   59,  294,  430,  431,  427,  427,   62,
+ /*   530 */    62,   61,   61,   61,   61,  333,   63,   63,   63,   63,
+ /*   540 */    64,   64,   65,   65,   65,   66,  230,  289,  423,  332,
+ /*   550 */   452,  252,  411,  295,  438,  439,  297,  316,  349,  307,
+ /*   560 */   231,  457,  453,  321,  438,  439,  392,  369,  266,  265,
+ /*   570 */   189,  217,  392,  420,  426,  454,  435,  493,  205,  410,
+ /*   580 */    49,  393,  394,  583,  889,  174,  889,  494,  545,  492,
+ /*   590 */   392,   60,   59,  294,  430,  431,  427,  427,   62,   62,
+ /*   600 */    61,   61,   61,   61,  411,   63,   63,   63,   63,   64,
+ /*   610 */    64,   65,   65,   65,   66,  230,  289,  207,  586,  387,
+ /*   620 */   384,   91,   10,  580,  336,  308,  392,  207,  367,  480,
+ /*   630 */   316,  393,  394,  583,  888,  219,  888,  393,  394,  476,
+ /*   640 */   291,  233,  420,  426,  481,  249,  410,    3,  434,  260,
+ /*   650 */   317,  363,  410,   29,  448,  393,  394,  468,  260,  289,
+ /*   660 */    60,   59,  294,  430,  431,  427,  427,   62,   62,   61,
+ /*   670 */    61,   61,   61,  580,   63,   63,   63,   63,   64,   64,
+ /*   680 */    65,   65,   65,   66,  230,  420,  426,  391,  312,  388,
+ /*   690 */   555,  393,  394,   75,  204,   77,  395,  396,  397,  557,
+ /*   700 */   357,  197,  289,   60,   59,  294,  430,  431,  427,  427,
+ /*   710 */    62,   62,   61,   61,   61,   61,  316,   63,   63,   63,
+ /*   720 */    63,   64,   64,   65,   65,   65,   66,  230,  420,  426,
+ /*   730 */   319,  116,  433,  433,  319,  411,  433,  433,  410,   24,
+ /*   740 */   319,  515,  433,  433,  515,  289,   60,   70,  294,  430,
+ /*   750 */   431,  427,  427,   62,   62,   61,   61,   61,   61,  375,
+ /*   760 */    63,   63,   63,   63,   64,   64,   65,   65,   65,   66,
+ /*   770 */   230,  420,  426,  538,  356,  538,  216,  260,  472,  303,
+ /*   780 */   175,  176,  177,  254,  476,  515,  260,  383,  289,    5,
+ /*   790 */    59,  294,  430,  431,  427,  427,   62,   62,   61,   61,
+ /*   800 */    61,   61,  316,   63,   63,   63,   63,   64,   64,   65,
+ /*   810 */    65,   65,   66,  230,  420,  426,  392,  236,  380,  247,
+ /*   820 */   304,  258,  247,  256,  410,   33,  260,  558,  125,  467,
+ /*   830 */   515,  416,  168,  157,  294,  430,  431,  427,  427,   62,
+ /*   840 */    62,   61,   61,   61,   61,  306,   63,   63,   63,   63,
+ /*   850 */    64,   64,   65,   65,   65,   66,  230,   72,  323,  452,
+ /*   860 */     4,  153,   22,  247,  293,  305,  435,  559,  316,  382,
+ /*   870 */   316,  453,  320,   72,  323,  316,    4,  366,  316,  180,
+ /*   880 */   293,  393,  394,   20,  454,  141,  326,  316,  320,  325,
+ /*   890 */   410,   53,  410,   52,  316,  411,  155,  410,   96,  447,
+ /*   900 */   410,   94,  316,  500,  316,  325,  328,  469,  247,  410,
+ /*   910 */    99,  444,  260,  411,  318,  447,  410,  100,  316,   74,
+ /*   920 */    73,  467,  183,  260,  410,  110,  410,  112,   72,  314,
+ /*   930 */   315,  435,  337,  415,  458,   74,   73,  479,  316,  377,
+ /*   940 */   410,   17,  218,   19,   72,  314,  315,   72,  323,  415,
+ /*   950 */     4,  205,  316,  274,  293,  316,  411,  466,  205,  409,
+ /*   960 */   410,   97,  320,  408,  374,  417,  417,  417,  418,  419,
+ /*   970 */    12,  376,  316,  206,  410,   34,  174,  410,   95,  325,
+ /*   980 */    55,  417,  417,  417,  418,  419,   12,  310,  120,  447,
+ /*   990 */   428,  159,    9,  260,  410,   25,  220,  221,  222,  102,
+ /*  1000 */   441,  441,  316,  471,  409,  316,  475,  316,  408,   74,
+ /*  1010 */    73,  436,  202,   23,  278,  455,  244,   13,   72,  314,
+ /*  1020 */   315,  279,  316,  415,  410,   54,  316,  410,  113,  410,
+ /*  1030 */   114,  291,  581,  200,  276,  547,  462,  497,  498,  199,
+ /*  1040 */   316,  504,  201,  463,  410,   26,  316,  524,  410,   37,
+ /*  1050 */   316,  474,  316,  170,  253,  417,  417,  417,  418,  419,
+ /*  1060 */    12,  505,  410,   38,  510,  483,  316,   13,  410,   27,
+ /*  1070 */   508,  582,  410,   39,  410,   40,  316,  255,  507,  506,
+ /*  1080 */   512,  316,  125,  316,  511,  373,  275,  265,  410,   42,
+ /*  1090 */   509,  290,  316,  251,  316,  125,  205,  257,  410,   43,
+ /*  1100 */   316,  259,  316,  410,   44,  410,   30,  348,  316,  125,
+ /*  1110 */   316,  353,  186,  316,  410,   31,  410,   45,  316,  543,
+ /*  1120 */   379,  125,  410,   46,  410,   47,  316,  551,  264,  170,
+ /*  1130 */   410,   48,  410,   32,  401,  410,   11,  552,  440,   89,
+ /*  1140 */   410,   50,  301,  562,  578,   89,  287,  361,  410,   51,
+ /*  1150 */   364,  365,  267,  268,  269,  554,  143,  564,  277,  324,
+ /*  1160 */   280,  281,  575,  225,  442,  461,  464,  503,  241,  513,
+ /*  1170 */   516,  550,  343,  160,  561,  390,    8,  313,  398,  399,
+ /*  1180 */   400,  412,   82,  226,  331,  329,   81,  406,   57,   78,
+ /*  1190 */   209,  167,   83,  459,  122,  414,  227,  334,  228,  338,
+ /*  1200 */   300,  500,  103,  496,  246,  519,  514,  490,  495,  242,
+ /*  1210 */   214,  518,  499,  229,  501,  413,  350,  533,  284,  525,
+ /*  1220 */   526,  527,  235,  181,  473,  237,  285,  477,  182,  354,
+ /*  1230 */   352,  184,   86,  185,  118,  535,  187,  546,  360,  190,
+ /*  1240 */   129,  553,  139,  371,  372,  130,  215,  309,  560,  131,
+ /*  1250 */   132,  133,  572,  577,  135,  573,   98,  574,  389,  262,
+ /*  1260 */   402,  621,  536,  213,  101,  622,  432,  163,  164,  429,
+ /*  1270 */   138,   71,  449,  437,  446,  140,  470,  154,    6,  450,
+ /*  1280 */     7,  158,  166,  451,   14,  123,   13,  124,  484,  212,
+ /*  1290 */    84,  342,  104,  105,   90,  250,   85,  117,  106,  347,
+ /*  1300 */   179,  240,  351,  142,  534,  126,   18,  170,   93,  263,
+ /*  1310 */   188,  107,  355,  286,  109,  127,  549,  541,  128,  119,
+ /*  1320 */   537,  192,   15,  194,  195,  136,  196,  134,  556,  563,
+ /*  1330 */   311,  137,   16,  108,  570,  203,  145,  385,  381,  282,
+ /*  1340 */   584,  899,  899,  899,  899,  899,   87,  899,   88,
+};
+static const YYCODETYPE yy_lookahead[] = {
+ /*     0 */    16,  139,  140,  141,  168,   21,  144,   23,   69,   70,
+ /*    10 */    71,   72,  176,   74,   75,   76,   77,   78,   79,   80,
+ /*    20 */    81,   82,   83,   84,    1,    2,   42,   43,   73,   74,
+ /*    30 */    75,   76,   77,   78,   79,   80,   81,   82,   83,   84,
+ /*    40 */    78,   79,   23,   58,   60,   61,   62,   63,   64,   65,
+ /*    50 */    66,   67,   68,   69,   70,   71,   72,  110,   74,   75,
+ /*    60 */    76,   77,   78,   79,   80,   81,   82,   83,   84,   16,
+ /*    70 */   123,  147,   88,   88,  110,   22,  216,   92,  218,  219,
+ /*    80 */    74,   75,   76,   77,   78,   79,   80,   81,   82,   83,
+ /*    90 */    84,  147,   19,  169,  170,   42,   43,   78,  238,   46,
+ /*   100 */    78,   79,   80,   81,   82,   83,   84,   88,   89,  124,
+ /*   110 */   125,  126,   16,   60,   61,   62,   63,   64,   65,   66,
+ /*   120 */    67,   68,   69,   70,   71,   72,  182,   74,   75,   76,
+ /*   130 */    77,   78,   79,   80,   81,   82,   83,   84,   42,   43,
+ /*   140 */    44,   80,   81,   82,   83,   84,   23,  223,  161,  216,
+ /*   150 */    19,  218,  219,   21,   23,   23,   60,   61,   62,   63,
+ /*   160 */    64,   65,   66,   67,   68,   69,   70,   71,   72,  225,
+ /*   170 */    74,   75,   76,   77,   78,   79,   80,   81,   82,   83,
+ /*   180 */    84,   16,  147,  147,  150,  112,   21,  200,  147,   58,
+ /*   190 */    84,  147,  156,  157,  216,  217,  218,  219,   83,   84,
+ /*   200 */   165,   78,   79,  216,  190,  218,  219,   42,   43,   78,
+ /*   210 */    79,   88,   89,  169,  170,  141,  180,  181,  144,   88,
+ /*   220 */    88,   98,  147,   92,   16,   60,   61,   62,   63,   64,
+ /*   230 */    65,   66,   67,   68,   69,   70,   71,   72,  147,   74,
+ /*   240 */    75,   76,   77,   78,   79,   80,   81,   82,   83,   84,
+ /*   250 */    42,   43,  169,  209,  210,  124,  125,  126,  224,   14,
+ /*   260 */   169,  170,  227,  228,  230,   18,  225,   16,   60,   61,
+ /*   270 */    62,   63,   64,   65,   66,   67,   68,   69,   70,   71,
+ /*   280 */    72,   23,   74,   75,   76,   77,   78,   79,   80,   81,
+ /*   290 */    82,   83,   84,   42,   43,  147,   16,   52,  147,   54,
+ /*   300 */   147,  210,   55,  106,  153,  108,  109,  156,  157,  156,
+ /*   310 */   157,   60,   61,   62,   63,   64,   65,   66,   67,   68,
+ /*   320 */    69,   70,   71,   72,   22,   74,   75,   76,   77,   78,
+ /*   330 */    79,   80,   81,   82,   83,   84,  188,  147,   92,  131,
+ /*   340 */    16,   94,   16,   22,   20,  155,   88,   89,   90,  103,
+ /*   350 */   147,   93,   94,   95,  167,  168,  161,  162,  163,  169,
+ /*   360 */   170,   25,  104,  176,   84,   29,   42,   43,  165,  166,
+ /*   370 */    90,   91,   92,   93,   94,   95,   96,   41,  133,  189,
+ /*   380 */   133,  169,  131,  103,   60,   61,   62,   63,   64,   65,
+ /*   390 */    66,   67,   68,   69,   70,   71,   72,  181,   74,   75,
+ /*   400 */    76,   77,   78,   79,   80,   81,   82,   83,   84,   16,
+ /*   410 */    84,   90,   22,   20,   93,   94,   95,   91,   92,   93,
+ /*   420 */    94,   95,   96,  121,  147,  104,  147,  185,  186,  103,
+ /*   430 */   227,  228,  155,  181,  160,   42,   43,   90,  176,  177,
+ /*   440 */    93,   94,   95,  169,  161,  183,  169,  170,  169,  170,
+ /*   450 */   155,  104,  155,   60,   61,   62,   63,   64,   65,   66,
+ /*   460 */    67,   68,   69,   70,   71,   72,  189,   74,   75,   76,
+ /*   470 */    77,   78,   79,   80,   81,   82,   83,   84,   16,   11,
+ /*   480 */   244,  245,   20,  200,  189,  147,  189,  147,  211,  158,
+ /*   490 */   211,  147,  161,  162,  163,  147,  201,  202,   42,   43,
+ /*   500 */   223,  206,  223,  113,   42,   43,  147,  169,  170,  169,
+ /*   510 */   170,   23,   19,  169,  170,  186,   23,   49,  155,   63,
+ /*   520 */    64,  147,   60,   61,   62,   63,   64,   65,   66,   67,
+ /*   530 */    68,   69,   70,   71,   72,  147,   74,   75,   76,   77,
+ /*   540 */    78,   79,   80,   81,   82,   83,   84,   16,   92,  211,
+ /*   550 */    12,   20,  189,  164,  165,  166,  208,  147,   16,  215,
+ /*   560 */   220,  223,   24,  164,  165,  166,   23,   99,  100,  101,
+ /*   570 */   155,  212,   23,   42,   43,   37,   88,   39,  110,  169,
+ /*   580 */   170,   88,   89,   19,   20,   43,   22,   49,  185,  186,
+ /*   590 */    23,   60,   61,   62,   63,   64,   65,   66,   67,   68,
+ /*   600 */    69,   70,   71,   72,  189,   74,   75,   76,   77,   78,
+ /*   610 */    79,   80,   81,   82,   83,   84,   16,  228,    0,    1,
+ /*   620 */     2,   21,   19,   59,  147,  215,   23,  228,  213,   80,
+ /*   630 */   147,   88,   89,   19,   20,  145,   22,   88,   89,  147,
+ /*   640 */    98,  147,   42,   43,   20,  103,  169,  170,   20,  147,
+ /*   650 */   147,  236,  169,  170,   20,   88,   89,  114,  147,   16,
+ /*   660 */    60,   61,   62,   63,   64,   65,   66,   67,   68,   69,
+ /*   670 */    70,   71,   72,   59,   74,   75,   76,   77,   78,   79,
+ /*   680 */    80,   81,   82,   83,   84,   42,   43,  147,  142,  143,
+ /*   690 */   188,   88,   89,  130,  148,  132,    7,    8,    9,  188,
+ /*   700 */   208,  155,   16,   60,   61,   62,   63,   64,   65,   66,
+ /*   710 */    67,   68,   69,   70,   71,   72,  147,   74,   75,   76,
+ /*   720 */    77,   78,   79,   80,   81,   82,   83,   84,   42,   43,
+ /*   730 */   106,  147,  108,  109,  106,  189,  108,  109,  169,  170,
+ /*   740 */   106,  147,  108,  109,  147,   16,   60,   61,   62,   63,
+ /*   750 */    64,   65,   66,   67,   68,   69,   70,   71,   72,  213,
+ /*   760 */    74,   75,   76,   77,   78,   79,   80,   81,   82,   83,
+ /*   770 */    84,   42,   43,   99,  100,  101,  182,  147,  161,  182,
+ /*   780 */    99,  100,  101,   14,  147,  147,  147,  241,   16,  191,
+ /*   790 */    61,   62,   63,   64,   65,   66,   67,   68,   69,   70,
+ /*   800 */    71,   72,  147,   74,   75,   76,   77,   78,   79,   80,
+ /*   810 */    81,   82,   83,   84,   42,   43,   23,  200,  188,  225,
+ /*   820 */   182,   52,  225,   54,  169,  170,  147,  188,   22,   22,
+ /*   830 */   147,  147,  201,  202,   62,   63,   64,   65,   66,   67,
+ /*   840 */    68,   69,   70,   71,   72,  208,   74,   75,   76,   77,
+ /*   850 */    78,   79,   80,   81,   82,   83,   84,   16,   17,   12,
+ /*   860 */    19,  155,   19,  225,   23,  182,   23,  188,  147,  239,
+ /*   870 */   147,   24,   31,   16,   17,  147,   19,  147,  147,  155,
+ /*   880 */    23,   88,   89,   19,   37,   21,   39,  147,   31,   48,
+ /*   890 */   169,  170,  169,  170,  147,  189,   89,  169,  170,   58,
+ /*   900 */   169,  170,  147,   97,  147,   48,  147,  114,  225,  169,
+ /*   910 */   170,  161,  147,  189,   16,   58,  169,  170,  147,   78,
+ /*   920 */    79,  114,  155,  147,  169,  170,  169,  170,   87,   88,
+ /*   930 */    89,   88,   80,   92,  147,   78,   79,   80,  147,   91,
+ /*   940 */   169,  170,  212,   19,   87,   88,   89,   16,   17,   92,
+ /*   950 */    19,  110,  147,  188,   23,  147,  189,  203,  110,  107,
+ /*   960 */   169,  170,   31,  111,  188,  124,  125,  126,  127,  128,
+ /*   970 */   129,  123,  147,  192,  169,  170,   43,  169,  170,   48,
+ /*   980 */   199,  124,  125,  126,  127,  128,  129,  242,  243,   58,
+ /*   990 */    92,    5,   68,  147,  169,  170,   10,   11,   12,   13,
+ /*  1000 */   124,  125,  147,  147,  107,  147,  147,  147,  111,   78,
+ /*  1010 */    79,   20,   26,   22,   28,   20,  147,   22,   87,   88,
+ /*  1020 */    89,   35,  147,   92,  169,  170,  147,  169,  170,  169,
+ /*  1030 */   170,   98,   20,   47,  188,   49,   27,    7,    8,   53,
+ /*  1040 */   147,  147,   56,   34,  169,  170,  147,  147,  169,  170,
+ /*  1050 */   147,   20,  147,   22,  147,  124,  125,  126,  127,  128,
+ /*  1060 */   129,  178,  169,  170,  178,   20,  147,   22,  169,  170,
+ /*  1070 */    30,   59,  169,  170,  169,  170,  147,  147,   91,   92,
+ /*  1080 */    20,  147,   22,  147,  178,   99,  100,  101,  169,  170,
+ /*  1090 */    50,  105,  147,   20,  147,   22,  110,  147,  169,  170,
+ /*  1100 */   147,  147,  147,  169,  170,  169,  170,   20,  147,   22,
+ /*  1110 */   147,  233,  232,  147,  169,  170,  169,  170,  147,   20,
+ /*  1120 */   134,   22,  169,  170,  169,  170,  147,   20,  147,   22,
+ /*  1130 */   169,  170,  169,  170,  149,  169,  170,   20,  229,   22,
+ /*  1140 */   169,  170,  102,   20,   20,   22,   22,  147,  169,  170,
+ /*  1150 */   147,  147,  147,  147,  147,  147,  191,  147,  147,  222,
+ /*  1160 */   147,  147,  147,  193,  229,  172,  172,  177,  172,  172,
+ /*  1170 */   172,  194,  173,    6,  194,  146,   22,  154,  146,  146,
+ /*  1180 */   146,  189,  121,  194,  118,  116,  119,   23,  120,  130,
+ /*  1190 */   221,  112,   98,  152,  152,  160,  195,  115,  196,   98,
+ /*  1200 */    40,   97,   19,  179,   84,  179,  160,  171,  171,  171,
+ /*  1210 */   226,  160,  173,  197,  171,  198,   15,  152,  174,  171,
+ /*  1220 */   171,  171,  204,  151,  205,  204,  174,  205,  151,   38,
+ /*  1230 */   152,  151,  130,  152,   60,  152,  151,  184,  152,  184,
+ /*  1240 */    19,  194,  214,  152,   15,  187,  226,  152,  194,  187,
+ /*  1250 */   187,  187,   33,  137,  184,  152,  159,  152,    1,  234,
+ /*  1260 */    20,  112,  235,  175,  175,  112,  107,  112,  112,   92,
+ /*  1270 */   214,   19,   11,   20,   20,   19,  114,   19,  117,   20,
+ /*  1280 */   117,  112,   22,   20,   22,   19,   22,   20,   20,   44,
+ /*  1290 */    19,   44,   19,   19,  237,   20,   19,   32,   19,   44,
+ /*  1300 */    96,  103,   16,   21,   17,   98,  231,   22,  237,  133,
+ /*  1310 */    98,   19,   36,    5,  240,   45,    1,   45,  102,  243,
+ /*  1320 */    51,  122,   19,  113,   14,  102,  115,  113,   17,  123,
+ /*  1330 */   246,  122,   19,   14,   20,  135,   19,    3,   57,  136,
+ /*  1340 */     4,  247,  247,  247,  247,  247,   68,  247,   68,
+};
+#define YY_SHIFT_USE_DFLT (-62)
+#define YY_SHIFT_MAX 385
+static const short yy_shift_ofst[] = {
+ /*     0 */    23,  841,  986,  -16,  841,  931,  931,  931,  258,  123,
+ /*    10 */   -36,   96,  931,  931,  931,  931,  931,  -45,  468,   19,
+ /*    20 */   567,  488,  -38,  -38,   53,  165,  208,  251,  324,  393,
+ /*    30 */   462,  531,  600,  643,  686,  643,  643,  643,  643,  643,
+ /*    40 */   643,  643,  643,  643,  643,  643,  643,  643,  643,  643,
+ /*    50 */   643,  643,  729,  772,  772,  857,  931,  931,  931,  931,
+ /*    60 */   931,  931,  931,  931,  931,  931,  931,  931,  931,  931,
+ /*    70 */   931,  931,  931,  931,  931,  931,  931,  931,  931,  931,
+ /*    80 */   931,  931,  931,  931,  931,  931,  931,  931,  931,  931,
+ /*    90 */   931,  931,  931,  931,  -61,  -61,    6,    6,  280,   22,
+ /*   100 */    61,  542,  247,  567,  567,  567,  567,  567,  567,  567,
+ /*   110 */   115,  488,  106,  -62,  -62,  131,  326,  538,  538,  564,
+ /*   120 */   614,  618,  132,  567,  132,  567,  567,  567,  567,  567,
+ /*   130 */   567,  567,  567,  567,  567,  567,  567,  567,  848,  -53,
+ /*   140 */   -36,  -36,  -36,  -62,  -62,  -62,  -15,  -15,  321,  347,
+ /*   150 */   624,  493,  628,  634,  847,  543,  793,  603,  549,  689,
+ /*   160 */   567,  567,  852,  567,  567,  843,  567,  567,  807,  567,
+ /*   170 */   567,  197,  807,  567,  567, 1040, 1040, 1040,  567,  567,
+ /*   180 */   197,  567,  567,  197,  567,  336,  674,  567,  567,  197,
+ /*   190 */   567,  567,  567,  197,  567,  567,  567,  197,  197,  567,
+ /*   200 */   567,  567,  567,  567,  864,  897,  390,  876,  876,  563,
+ /*   210 */  1009, 1009, 1009,  933, 1009, 1009,  806,  302,  302, 1167,
+ /*   220 */  1167, 1167, 1167, 1154,  -36, 1061, 1066, 1067, 1069, 1068,
+ /*   230 */  1164, 1059, 1079, 1079, 1094, 1082, 1094, 1082, 1101, 1101,
+ /*   240 */  1160, 1101, 1104, 1101, 1183, 1120, 1164, 1120, 1164, 1160,
+ /*   250 */  1101, 1101, 1101, 1183, 1201, 1079, 1201, 1079, 1201, 1079,
+ /*   260 */  1079, 1191, 1102, 1201, 1079, 1174, 1174, 1221, 1061, 1079,
+ /*   270 */  1229, 1229, 1229, 1229, 1061, 1174, 1221, 1079, 1219, 1219,
+ /*   280 */  1079, 1079, 1116,  -62,  -62,  -62,  -62,  -62,  -62,  456,
+ /*   290 */   245,  681,  769,   73,  898,  991,  995, 1031, 1045,  246,
+ /*   300 */  1030,  987, 1060, 1073, 1087, 1099, 1107, 1117, 1123,  924,
+ /*   310 */  1124, 1012, 1257, 1240, 1149, 1153, 1155, 1156, 1177, 1159,
+ /*   320 */  1252, 1253, 1254, 1256, 1261, 1258, 1259, 1260, 1263, 1161,
+ /*   330 */  1262, 1163, 1264, 1162, 1266, 1267, 1169, 1268, 1265, 1245,
+ /*   340 */  1271, 1247, 1273, 1275, 1274, 1277, 1255, 1279, 1204, 1198,
+ /*   350 */  1286, 1287, 1282, 1207, 1276, 1269, 1270, 1285, 1272, 1176,
+ /*   360 */  1212, 1292, 1308, 1315, 1216, 1278, 1280, 1199, 1303, 1210,
+ /*   370 */  1310, 1211, 1311, 1214, 1223, 1209, 1313, 1206, 1314, 1319,
+ /*   380 */  1281, 1200, 1203, 1317, 1334, 1336,
+};
+#define YY_REDUCE_USE_DFLT (-165)
+#define YY_REDUCE_MAX 288
+static const short yy_reduce_ofst[] = {
+ /*     0 */  -138,  277,  546,  -13,  190,  279,   44,  338,   36,  203,
+ /*    10 */   295, -140,  340,  -76,   91,  344,  410,  -22,  415,   35,
+ /*    20 */   151,  331,  389,  399,  -67,  -67,  -67,  -67,  -67,  -67,
+ /*    30 */   -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,
+ /*    40 */   -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,  -67,
+ /*    50 */   -67,  -67,  -67,  -67,  -67,  477,  483,  569,  655,  721,
+ /*    60 */   723,  728,  731,  740,  747,  755,  757,  771,  791,  805,
+ /*    70 */   808,  825,  855,  858,  860,  875,  879,  893,  899,  903,
+ /*    80 */   905,  919,  929,  934,  936,  945,  947,  953,  955,  961,
+ /*    90 */   963,  966,  971,  979,  -67,  -67,  -67,  -67,  187,  -67,
+ /*   100 */   -67,  262,   34,  -56,  594,  597,  638,  683,  630,  153,
+ /*   110 */   -67,  195,  -67,  -67,  -67,  274, -164,  242,  403,  236,
+ /*   120 */   236,   74,  283,  348,  617,   41,  148,  492,  359,  637,
+ /*   130 */   502,  511,  639,  679,  765,  776,  730,  846,  297,  363,
+ /*   140 */   706,  724,  767,  781,  631,  745,   83,  212,  216,  252,
+ /*   150 */    14,   75,   14,   14,  329,  374,  388,  494,  503,  490,
+ /*   160 */   540,  584,  598,  503,  684,  750,  759,  787,  754,  856,
+ /*   170 */   859,   14,  754,  869,  894,  883,  886,  906,  900,  907,
+ /*   180 */    14,  930,  950,   14,  954,  880,  878,  981, 1000,   14,
+ /*   190 */  1003, 1004, 1005,   14, 1006, 1007, 1008,   14,   14, 1010,
+ /*   200 */  1011, 1013, 1014, 1015,  985,  965,  970,  909,  935,  937,
+ /*   210 */   993,  994,  996,  990,  997,  998,  999,  977,  980, 1029,
+ /*   220 */  1032, 1033, 1034, 1023,  992,  989, 1001, 1002, 1016, 1017,
+ /*   230 */  1035,  969, 1041, 1042, 1018, 1019, 1021, 1022, 1036, 1037,
+ /*   240 */  1024, 1038, 1039, 1043, 1044,  984, 1046, 1020, 1051, 1026,
+ /*   250 */  1048, 1049, 1050, 1052, 1072, 1065, 1077, 1078, 1080, 1081,
+ /*   260 */  1083, 1025, 1027, 1085, 1086, 1053, 1055, 1028, 1047, 1091,
+ /*   270 */  1058, 1062, 1063, 1064, 1054, 1070, 1056, 1095, 1057, 1071,
+ /*   280 */  1103, 1105, 1074, 1097, 1088, 1089, 1075, 1076, 1084,
+};
+static const YYACTIONTYPE yy_default[] = {
+ /*     0 */   592,  818,  897,  707,  897,  818,  897,  818,  897,  843,
+ /*    10 */   711,  872,  814,  818,  897,  897,  897,  789,  897,  843,
+ /*    20 */   897,  623,  843,  843,  740,  897,  897,  897,  897,  897,
+ /*    30 */   897,  897,  897,  741,  897,  817,  813,  809,  811,  810,
+ /*    40 */   742,  731,  738,  745,  723,  856,  747,  748,  754,  755,
+ /*    50 */   873,  871,  777,  776,  795,  897,  897,  897,  897,  897,
+ /*    60 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*    70 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*    80 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*    90 */   897,  897,  897,  897,  779,  800,  778,  788,  616,  780,
+ /*   100 */   781,  676,  611,  897,  897,  897,  897,  897,  897,  897,
+ /*   110 */   782,  897,  783,  796,  797,  897,  897,  897,  897,  897,
+ /*   120 */   897,  592,  707,  897,  707,  897,  897,  897,  897,  897,
+ /*   130 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*   140 */   897,  897,  897,  701,  711,  890,  897,  897,  667,  897,
+ /*   150 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  599,
+ /*   160 */   597,  897,  699,  897,  897,  625,  897,  897,  709,  897,
+ /*   170 */   897,  714,  715,  897,  897,  897,  897,  897,  897,  897,
+ /*   180 */   613,  897,  897,  688,  897,  849,  897,  897,  897,  863,
+ /*   190 */   897,  897,  897,  861,  897,  897,  897,  690,  750,  830,
+ /*   200 */   897,  876,  878,  897,  897,  699,  708,  897,  897,  812,
+ /*   210 */   734,  734,  734,  646,  734,  734,  649,  744,  744,  596,
+ /*   220 */   596,  596,  596,  666,  897,  744,  735,  737,  727,  739,
+ /*   230 */   897,  897,  716,  716,  724,  726,  724,  726,  678,  678,
+ /*   240 */   663,  678,  649,  678,  822,  827,  897,  827,  897,  663,
+ /*   250 */   678,  678,  678,  822,  608,  716,  608,  716,  608,  716,
+ /*   260 */   716,  853,  855,  608,  716,  680,  680,  756,  744,  716,
+ /*   270 */   687,  687,  687,  687,  744,  680,  756,  716,  875,  875,
+ /*   280 */   716,  716,  883,  633,  651,  651,  858,  890,  895,  897,
+ /*   290 */   897,  897,  897,  763,  897,  897,  897,  897,  897,  897,
+ /*   300 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  836,
+ /*   310 */   897,  897,  897,  897,  768,  764,  897,  765,  897,  693,
+ /*   320 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*   330 */   728,  897,  736,  897,  897,  897,  897,  897,  897,  897,
+ /*   340 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*   350 */   897,  897,  897,  897,  897,  897,  851,  852,  897,  897,
+ /*   360 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*   370 */   897,  897,  897,  897,  897,  897,  897,  897,  897,  897,
+ /*   380 */   882,  897,  897,  885,  593,  897,  587,  590,  589,  591,
+ /*   390 */   595,  598,  620,  621,  622,  600,  601,  602,  603,  604,
+ /*   400 */   605,  606,  612,  614,  632,  634,  618,  636,  697,  698,
+ /*   410 */   760,  691,  692,  696,  771,  762,  766,  767,  769,  770,
+ /*   420 */   784,  785,  787,  793,  799,  802,  786,  791,  792,  794,
+ /*   430 */   798,  801,  694,  695,  805,  619,  626,  627,  630,  631,
+ /*   440 */   839,  841,  840,  842,  629,  628,  772,  775,  807,  808,
+ /*   450 */   864,  865,  866,  867,  868,  803,  815,  816,  717,  806,
+ /*   460 */   790,  729,  732,  733,  730,  700,  710,  719,  720,  721,
+ /*   470 */   722,  705,  706,  712,  725,  758,  759,  713,  702,  703,
+ /*   480 */   704,  804,  761,  773,  774,  637,  638,  768,  639,  640,
+ /*   490 */   641,  679,  682,  683,  684,  642,  661,  664,  665,  643,
+ /*   500 */   650,  644,  645,  652,  653,  654,  657,  658,  659,  660,
+ /*   510 */   655,  656,  823,  824,  828,  826,  825,  647,  648,  662,
+ /*   520 */   635,  624,  617,  668,  671,  672,  673,  674,  675,  677,
+ /*   530 */   669,  670,  615,  607,  609,  718,  845,  854,  850,  846,
+ /*   540 */   847,  848,  610,  819,  820,  681,  752,  753,  844,  857,
+ /*   550 */   859,  757,  860,  862,  887,  685,  686,  689,  829,  869,
+ /*   560 */   743,  746,  749,  751,  831,  832,  833,  834,  837,  838,
+ /*   570 */   835,  870,  874,  877,  879,  880,  881,  884,  886,  891,
+ /*   580 */   892,  893,  896,  894,  594,  588,
+};
+#define YY_SZ_ACTTAB (int)(sizeof(yy_action)/sizeof(yy_action[0]))
+
+/* The next table maps tokens into fallback tokens.  If a construct
+** like the following:
+** 
+**      %fallback ID X Y Z.
+**
+** appears in the grammer, then ID becomes a fallback token for X, Y,
+** and Z.  Whenever one of the tokens X, Y, or Z is input to the parser
+** but it does not parse, the type of the token is changed to ID and
+** the parse is retried before an error is thrown.
+*/
+#ifdef YYFALLBACK
+static const YYCODETYPE yyFallback[] = {
+    0,  /*          $ => nothing */
+    0,  /*       SEMI => nothing */
+   23,  /*    EXPLAIN => ID */
+   23,  /*      QUERY => ID */
+   23,  /*       PLAN => ID */
+   23,  /*      BEGIN => ID */
+    0,  /* TRANSACTION => nothing */
+   23,  /*   DEFERRED => ID */
+   23,  /*  IMMEDIATE => ID */
+   23,  /*  EXCLUSIVE => ID */
+    0,  /*     COMMIT => nothing */
+   23,  /*        END => ID */
+    0,  /*   ROLLBACK => nothing */
+    0,  /*     CREATE => nothing */
+    0,  /*      TABLE => nothing */
+   23,  /*         IF => ID */
+    0,  /*        NOT => nothing */
+    0,  /*     EXISTS => nothing */
+   23,  /*       TEMP => ID */
+    0,  /*         LP => nothing */
+    0,  /*         RP => nothing */
+    0,  /*         AS => nothing */
+    0,  /*      COMMA => nothing */
+    0,  /*         ID => nothing */
+   23,  /*      ABORT => ID */
+   23,  /*      AFTER => ID */
+   23,  /*    ANALYZE => ID */
+   23,  /*        ASC => ID */
+   23,  /*     ATTACH => ID */
+   23,  /*     BEFORE => ID */
+   23,  /*    CASCADE => ID */
+   23,  /*       CAST => ID */
+   23,  /*   CONFLICT => ID */
+   23,  /*   DATABASE => ID */
+   23,  /*       DESC => ID */
+   23,  /*     DETACH => ID */
+   23,  /*       EACH => ID */
+   23,  /*       FAIL => ID */
+   23,  /*        FOR => ID */
+   23,  /*     IGNORE => ID */
+   23,  /*  INITIALLY => ID */
+   23,  /*    INSTEAD => ID */
+   23,  /*    LIKE_KW => ID */
+   23,  /*      MATCH => ID */
+   23,  /*        KEY => ID */
+   23,  /*         OF => ID */
+   23,  /*     OFFSET => ID */
+   23,  /*     PRAGMA => ID */
+   23,  /*      RAISE => ID */
+   23,  /*    REPLACE => ID */
+   23,  /*   RESTRICT => ID */
+   23,  /*        ROW => ID */
+   23,  /*    TRIGGER => ID */
+   23,  /*     VACUUM => ID */
+   23,  /*       VIEW => ID */
+   23,  /*    VIRTUAL => ID */
+   23,  /*    REINDEX => ID */
+   23,  /*     RENAME => ID */
+   23,  /*   CTIME_KW => ID */
+    0,  /*        ANY => nothing */
+    0,  /*         OR => nothing */
+    0,  /*        AND => nothing */
+    0,  /*         IS => nothing */
+    0,  /*    BETWEEN => nothing */
+    0,  /*         IN => nothing */
+    0,  /*     ISNULL => nothing */
+    0,  /*    NOTNULL => nothing */
+    0,  /*         NE => nothing */
+    0,  /*         EQ => nothing */
+    0,  /*         GT => nothing */
+    0,  /*         LE => nothing */
+    0,  /*         LT => nothing */
+    0,  /*         GE => nothing */
+    0,  /*     ESCAPE => nothing */
+    0,  /*     BITAND => nothing */
+    0,  /*      BITOR => nothing */
+    0,  /*     LSHIFT => nothing */
+    0,  /*     RSHIFT => nothing */
+    0,  /*       PLUS => nothing */
+    0,  /*      MINUS => nothing */
+    0,  /*       STAR => nothing */
+    0,  /*      SLASH => nothing */
+    0,  /*        REM => nothing */
+    0,  /*     CONCAT => nothing */
+    0,  /*    COLLATE => nothing */
+    0,  /*     UMINUS => nothing */
+    0,  /*      UPLUS => nothing */
+    0,  /*     BITNOT => nothing */
+    0,  /*     STRING => nothing */
+    0,  /*    JOIN_KW => nothing */
+    0,  /* CONSTRAINT => nothing */
+    0,  /*    DEFAULT => nothing */
+    0,  /*       NULL => nothing */
+    0,  /*    PRIMARY => nothing */
+    0,  /*     UNIQUE => nothing */
+    0,  /*      CHECK => nothing */
+    0,  /* REFERENCES => nothing */
+    0,  /*   AUTOINCR => nothing */
+    0,  /*         ON => nothing */
+    0,  /*     DELETE => nothing */
+    0,  /*     UPDATE => nothing */
+    0,  /*     INSERT => nothing */
+    0,  /*        SET => nothing */
+    0,  /* DEFERRABLE => nothing */
+    0,  /*    FOREIGN => nothing */
+    0,  /*       DROP => nothing */
+    0,  /*      UNION => nothing */
+    0,  /*        ALL => nothing */
+    0,  /*     EXCEPT => nothing */
+    0,  /*  INTERSECT => nothing */
+    0,  /*     SELECT => nothing */
+    0,  /*   DISTINCT => nothing */
+    0,  /*        DOT => nothing */
+    0,  /*       FROM => nothing */
+    0,  /*       JOIN => nothing */
+    0,  /*      USING => nothing */
+    0,  /*      ORDER => nothing */
+    0,  /*         BY => nothing */
+    0,  /*      GROUP => nothing */
+    0,  /*     HAVING => nothing */
+    0,  /*      LIMIT => nothing */
+    0,  /*      WHERE => nothing */
+    0,  /*       INTO => nothing */
+    0,  /*     VALUES => nothing */
+    0,  /*    INTEGER => nothing */
+    0,  /*      FLOAT => nothing */
+    0,  /*       BLOB => nothing */
+    0,  /*   REGISTER => nothing */
+    0,  /*   VARIABLE => nothing */
+    0,  /*       CASE => nothing */
+    0,  /*       WHEN => nothing */
+    0,  /*       THEN => nothing */
+    0,  /*       ELSE => nothing */
+    0,  /*      INDEX => nothing */
+    0,  /*      ALTER => nothing */
+    0,  /*         TO => nothing */
+    0,  /*        ADD => nothing */
+    0,  /*   COLUMNKW => nothing */
+};
+#endif /* YYFALLBACK */
+
+/* The following structure represents a single element of the
+** parser's stack.  Information stored includes:
+**
+**   +  The state number for the parser at this level of the stack.
+**
+**   +  The value of the token stored at this level of the stack.
+**      (In other words, the "major" token.)
+**
+**   +  The semantic value stored at this level of the stack.  This is
+**      the information used by the action routines in the grammar.
+**      It is sometimes called the "minor" token.
+*/
+struct yyStackEntry {
+  int stateno;       /* The state-number */
+  int major;         /* The major token value.  This is the code
+                     ** number for the token at this stack level */
+  YYMINORTYPE minor; /* The user-supplied minor token value.  This
+                     ** is the value of the token  */
+};
+typedef struct yyStackEntry yyStackEntry;
+
+/* The state of the parser is completely contained in an instance of
+** the following structure */
+struct yyParser {
+  int yyidx;                    /* Index of top element in stack */
+  int yyerrcnt;                 /* Shifts left before out of the error */
+  sqlite3ParserARG_SDECL                /* A place to hold %extra_argument */
+#if YYSTACKDEPTH<=0
+  int yystksz;                  /* Current side of the stack */
+  yyStackEntry *yystack;        /* The parser's stack */
+#else
+  yyStackEntry yystack[YYSTACKDEPTH];  /* The parser's stack */
+#endif
+};
+typedef struct yyParser yyParser;
+
+#ifndef NDEBUG
+static FILE *yyTraceFILE = 0;
+static char *yyTracePrompt = 0;
+#endif /* NDEBUG */
+
+#ifndef NDEBUG
+/* 
+** Turn parser tracing on by giving a stream to which to write the trace
+** and a prompt to preface each trace message.  Tracing is turned off
+** by making either argument NULL 
+**
+** Inputs:
+** <ul>
+** <li> A FILE* to which trace output should be written.
+**      If NULL, then tracing is turned off.
+** <li> A prefix string written at the beginning of every
+**      line of trace output.  If NULL, then tracing is
+**      turned off.
+** </ul>
+**
+** Outputs:
+** None.
+*/
+void sqlite3ParserTrace(FILE *TraceFILE, char *zTracePrompt){
+  yyTraceFILE = TraceFILE;
+  yyTracePrompt = zTracePrompt;
+  if( yyTraceFILE==0 ) yyTracePrompt = 0;
+  else if( yyTracePrompt==0 ) yyTraceFILE = 0;
+}
+#endif /* NDEBUG */
+
+#ifndef NDEBUG
+/* For tracing shifts, the names of all terminals and nonterminals
+** are required.  The following table supplies these names */
+static const char *const yyTokenName[] = { 
+  "$",             "SEMI",          "EXPLAIN",       "QUERY",       
+  "PLAN",          "BEGIN",         "TRANSACTION",   "DEFERRED",    
+  "IMMEDIATE",     "EXCLUSIVE",     "COMMIT",        "END",         
+  "ROLLBACK",      "CREATE",        "TABLE",         "IF",          
+  "NOT",           "EXISTS",        "TEMP",          "LP",          
+  "RP",            "AS",            "COMMA",         "ID",          
+  "ABORT",         "AFTER",         "ANALYZE",       "ASC",         
+  "ATTACH",        "BEFORE",        "CASCADE",       "CAST",        
+  "CONFLICT",      "DATABASE",      "DESC",          "DETACH",      
+  "EACH",          "FAIL",          "FOR",           "IGNORE",      
+  "INITIALLY",     "INSTEAD",       "LIKE_KW",       "MATCH",       
+  "KEY",           "OF",            "OFFSET",        "PRAGMA",      
+  "RAISE",         "REPLACE",       "RESTRICT",      "ROW",         
+  "TRIGGER",       "VACUUM",        "VIEW",          "VIRTUAL",     
+  "REINDEX",       "RENAME",        "CTIME_KW",      "ANY",         
+  "OR",            "AND",           "IS",            "BETWEEN",     
+  "IN",            "ISNULL",        "NOTNULL",       "NE",          
+  "EQ",            "GT",            "LE",            "LT",          
+  "GE",            "ESCAPE",        "BITAND",        "BITOR",       
+  "LSHIFT",        "RSHIFT",        "PLUS",          "MINUS",       
+  "STAR",          "SLASH",         "REM",           "CONCAT",      
+  "COLLATE",       "UMINUS",        "UPLUS",         "BITNOT",      
+  "STRING",        "JOIN_KW",       "CONSTRAINT",    "DEFAULT",     
+  "NULL",          "PRIMARY",       "UNIQUE",        "CHECK",       
+  "REFERENCES",    "AUTOINCR",      "ON",            "DELETE",      
+  "UPDATE",        "INSERT",        "SET",           "DEFERRABLE",  
+  "FOREIGN",       "DROP",          "UNION",         "ALL",         
+  "EXCEPT",        "INTERSECT",     "SELECT",        "DISTINCT",    
+  "DOT",           "FROM",          "JOIN",          "USING",       
+  "ORDER",         "BY",            "GROUP",         "HAVING",      
+  "LIMIT",         "WHERE",         "INTO",          "VALUES",      
+  "INTEGER",       "FLOAT",         "BLOB",          "REGISTER",    
+  "VARIABLE",      "CASE",          "WHEN",          "THEN",        
+  "ELSE",          "INDEX",         "ALTER",         "TO",          
+  "ADD",           "COLUMNKW",      "error",         "input",       
+  "cmdlist",       "ecmd",          "cmdx",          "cmd",         
+  "explain",       "transtype",     "trans_opt",     "nm",          
+  "create_table",  "create_table_args",  "temp",          "ifnotexists", 
+  "dbnm",          "columnlist",    "conslist_opt",  "select",      
+  "column",        "columnid",      "type",          "carglist",    
+  "id",            "ids",           "typetoken",     "typename",    
+  "signed",        "plus_num",      "minus_num",     "carg",        
+  "ccons",         "term",          "expr",          "onconf",      
+  "sortorder",     "autoinc",       "idxlist_opt",   "refargs",     
+  "defer_subclause",  "refarg",        "refact",        "init_deferred_pred_opt",
+  "conslist",      "tcons",         "idxlist",       "defer_subclause_opt",
+  "orconf",        "resolvetype",   "raisetype",     "ifexists",    
+  "fullname",      "oneselect",     "multiselect_op",  "distinct",    
+  "selcollist",    "from",          "where_opt",     "groupby_opt", 
+  "having_opt",    "orderby_opt",   "limit_opt",     "sclp",        
+  "as",            "seltablist",    "stl_prefix",    "joinop",      
+  "on_opt",        "using_opt",     "seltablist_paren",  "joinop2",     
+  "inscollist",    "sortlist",      "sortitem",      "exprlist",    
+  "setlist",       "insert_cmd",    "inscollist_opt",  "itemlist",    
+  "likeop",        "escape",        "between_op",    "in_op",       
+  "case_operand",  "case_exprlist",  "case_else",     "expritem",    
+  "uniqueflag",    "idxitem",       "collate",       "nmnum",       
+  "plus_opt",      "number",        "trigger_decl",  "trigger_cmd_list",
+  "trigger_time",  "trigger_event",  "foreach_clause",  "when_clause", 
+  "trigger_cmd",   "database_kw_opt",  "key_opt",       "add_column_fullname",
+  "kwcolumn_opt",  "create_vtab",   "vtabarglist",   "vtabarg",     
+  "vtabargtoken",  "lp",            "anylist",     
+};
+#endif /* NDEBUG */
+
+#ifndef NDEBUG
+/* For tracing reduce actions, the names of all rules are required.
+*/
+static const char *const yyRuleName[] = {
+ /*   0 */ "input ::= cmdlist",
+ /*   1 */ "cmdlist ::= cmdlist ecmd",
+ /*   2 */ "cmdlist ::= ecmd",
+ /*   3 */ "cmdx ::= cmd",
+ /*   4 */ "ecmd ::= SEMI",
+ /*   5 */ "ecmd ::= explain cmdx SEMI",
+ /*   6 */ "explain ::=",
+ /*   7 */ "explain ::= EXPLAIN",
+ /*   8 */ "explain ::= EXPLAIN QUERY PLAN",
+ /*   9 */ "cmd ::= BEGIN transtype trans_opt",
+ /*  10 */ "trans_opt ::=",
+ /*  11 */ "trans_opt ::= TRANSACTION",
+ /*  12 */ "trans_opt ::= TRANSACTION nm",
+ /*  13 */ "transtype ::=",
+ /*  14 */ "transtype ::= DEFERRED",
+ /*  15 */ "transtype ::= IMMEDIATE",
+ /*  16 */ "transtype ::= EXCLUSIVE",
+ /*  17 */ "cmd ::= COMMIT trans_opt",
+ /*  18 */ "cmd ::= END trans_opt",
+ /*  19 */ "cmd ::= ROLLBACK trans_opt",
+ /*  20 */ "cmd ::= create_table create_table_args",
+ /*  21 */ "create_table ::= CREATE temp TABLE ifnotexists nm dbnm",
+ /*  22 */ "ifnotexists ::=",
+ /*  23 */ "ifnotexists ::= IF NOT EXISTS",
+ /*  24 */ "temp ::= TEMP",
+ /*  25 */ "temp ::=",
+ /*  26 */ "create_table_args ::= LP columnlist conslist_opt RP",
+ /*  27 */ "create_table_args ::= AS select",
+ /*  28 */ "columnlist ::= columnlist COMMA column",
+ /*  29 */ "columnlist ::= column",
+ /*  30 */ "column ::= columnid type carglist",
+ /*  31 */ "columnid ::= nm",
+ /*  32 */ "id ::= ID",
+ /*  33 */ "ids ::= ID|STRING",
+ /*  34 */ "nm ::= ID",
+ /*  35 */ "nm ::= STRING",
+ /*  36 */ "nm ::= JOIN_KW",
+ /*  37 */ "type ::=",
+ /*  38 */ "type ::= typetoken",
+ /*  39 */ "typetoken ::= typename",
+ /*  40 */ "typetoken ::= typename LP signed RP",
+ /*  41 */ "typetoken ::= typename LP signed COMMA signed RP",
+ /*  42 */ "typename ::= ids",
+ /*  43 */ "typename ::= typename ids",
+ /*  44 */ "signed ::= plus_num",
+ /*  45 */ "signed ::= minus_num",
+ /*  46 */ "carglist ::= carglist carg",
+ /*  47 */ "carglist ::=",
+ /*  48 */ "carg ::= CONSTRAINT nm ccons",
+ /*  49 */ "carg ::= ccons",
+ /*  50 */ "ccons ::= DEFAULT term",
+ /*  51 */ "ccons ::= DEFAULT LP expr RP",
+ /*  52 */ "ccons ::= DEFAULT PLUS term",
+ /*  53 */ "ccons ::= DEFAULT MINUS term",
+ /*  54 */ "ccons ::= DEFAULT id",
+ /*  55 */ "ccons ::= NULL onconf",
+ /*  56 */ "ccons ::= NOT NULL onconf",
+ /*  57 */ "ccons ::= PRIMARY KEY sortorder onconf autoinc",
+ /*  58 */ "ccons ::= UNIQUE onconf",
+ /*  59 */ "ccons ::= CHECK LP expr RP",
+ /*  60 */ "ccons ::= REFERENCES nm idxlist_opt refargs",
+ /*  61 */ "ccons ::= defer_subclause",
+ /*  62 */ "ccons ::= COLLATE id",
+ /*  63 */ "autoinc ::=",
+ /*  64 */ "autoinc ::= AUTOINCR",
+ /*  65 */ "refargs ::=",
+ /*  66 */ "refargs ::= refargs refarg",
+ /*  67 */ "refarg ::= MATCH nm",
+ /*  68 */ "refarg ::= ON DELETE refact",
+ /*  69 */ "refarg ::= ON UPDATE refact",
+ /*  70 */ "refarg ::= ON INSERT refact",
+ /*  71 */ "refact ::= SET NULL",
+ /*  72 */ "refact ::= SET DEFAULT",
+ /*  73 */ "refact ::= CASCADE",
+ /*  74 */ "refact ::= RESTRICT",
+ /*  75 */ "defer_subclause ::= NOT DEFERRABLE init_deferred_pred_opt",
+ /*  76 */ "defer_subclause ::= DEFERRABLE init_deferred_pred_opt",
+ /*  77 */ "init_deferred_pred_opt ::=",
+ /*  78 */ "init_deferred_pred_opt ::= INITIALLY DEFERRED",
+ /*  79 */ "init_deferred_pred_opt ::= INITIALLY IMMEDIATE",
+ /*  80 */ "conslist_opt ::=",
+ /*  81 */ "conslist_opt ::= COMMA conslist",
+ /*  82 */ "conslist ::= conslist COMMA tcons",
+ /*  83 */ "conslist ::= conslist tcons",
+ /*  84 */ "conslist ::= tcons",
+ /*  85 */ "tcons ::= CONSTRAINT nm",
+ /*  86 */ "tcons ::= PRIMARY KEY LP idxlist autoinc RP onconf",
+ /*  87 */ "tcons ::= UNIQUE LP idxlist RP onconf",
+ /*  88 */ "tcons ::= CHECK LP expr RP onconf",
+ /*  89 */ "tcons ::= FOREIGN KEY LP idxlist RP REFERENCES nm idxlist_opt refargs defer_subclause_opt",
+ /*  90 */ "defer_subclause_opt ::=",
+ /*  91 */ "defer_subclause_opt ::= defer_subclause",
+ /*  92 */ "onconf ::=",
+ /*  93 */ "onconf ::= ON CONFLICT resolvetype",
+ /*  94 */ "orconf ::=",
+ /*  95 */ "orconf ::= OR resolvetype",
+ /*  96 */ "resolvetype ::= raisetype",
+ /*  97 */ "resolvetype ::= IGNORE",
+ /*  98 */ "resolvetype ::= REPLACE",
+ /*  99 */ "cmd ::= DROP TABLE ifexists fullname",
+ /* 100 */ "ifexists ::= IF EXISTS",
+ /* 101 */ "ifexists ::=",
+ /* 102 */ "cmd ::= CREATE temp VIEW ifnotexists nm dbnm AS select",
+ /* 103 */ "cmd ::= DROP VIEW ifexists fullname",
+ /* 104 */ "cmd ::= select",
+ /* 105 */ "select ::= oneselect",
+ /* 106 */ "select ::= select multiselect_op oneselect",
+ /* 107 */ "multiselect_op ::= UNION",
+ /* 108 */ "multiselect_op ::= UNION ALL",
+ /* 109 */ "multiselect_op ::= EXCEPT|INTERSECT",
+ /* 110 */ "oneselect ::= SELECT distinct selcollist from where_opt groupby_opt having_opt orderby_opt limit_opt",
+ /* 111 */ "distinct ::= DISTINCT",
+ /* 112 */ "distinct ::= ALL",
+ /* 113 */ "distinct ::=",
+ /* 114 */ "sclp ::= selcollist COMMA",
+ /* 115 */ "sclp ::=",
+ /* 116 */ "selcollist ::= sclp expr as",
+ /* 117 */ "selcollist ::= sclp STAR",
+ /* 118 */ "selcollist ::= sclp nm DOT STAR",
+ /* 119 */ "as ::= AS nm",
+ /* 120 */ "as ::= ids",
+ /* 121 */ "as ::=",
+ /* 122 */ "from ::=",
+ /* 123 */ "from ::= FROM seltablist",
+ /* 124 */ "stl_prefix ::= seltablist joinop",
+ /* 125 */ "stl_prefix ::=",
+ /* 126 */ "seltablist ::= stl_prefix nm dbnm as on_opt using_opt",
+ /* 127 */ "seltablist ::= stl_prefix LP seltablist_paren RP as on_opt using_opt",
+ /* 128 */ "seltablist_paren ::= select",
+ /* 129 */ "seltablist_paren ::= seltablist",
+ /* 130 */ "dbnm ::=",
+ /* 131 */ "dbnm ::= DOT nm",
+ /* 132 */ "fullname ::= nm dbnm",
+ /* 133 */ "joinop ::= COMMA|JOIN",
+ /* 134 */ "joinop ::= JOIN_KW JOIN",
+ /* 135 */ "joinop ::= JOIN_KW nm JOIN",
+ /* 136 */ "joinop ::= JOIN_KW nm nm JOIN",
+ /* 137 */ "on_opt ::= ON expr",
+ /* 138 */ "on_opt ::=",
+ /* 139 */ "using_opt ::= USING LP inscollist RP",
+ /* 140 */ "using_opt ::=",
+ /* 141 */ "orderby_opt ::=",
+ /* 142 */ "orderby_opt ::= ORDER BY sortlist",
+ /* 143 */ "sortlist ::= sortlist COMMA sortitem sortorder",
+ /* 144 */ "sortlist ::= sortitem sortorder",
+ /* 145 */ "sortitem ::= expr",
+ /* 146 */ "sortorder ::= ASC",
+ /* 147 */ "sortorder ::= DESC",
+ /* 148 */ "sortorder ::=",
+ /* 149 */ "groupby_opt ::=",
+ /* 150 */ "groupby_opt ::= GROUP BY exprlist",
+ /* 151 */ "having_opt ::=",
+ /* 152 */ "having_opt ::= HAVING expr",
+ /* 153 */ "limit_opt ::=",
+ /* 154 */ "limit_opt ::= LIMIT expr",
+ /* 155 */ "limit_opt ::= LIMIT expr OFFSET expr",
+ /* 156 */ "limit_opt ::= LIMIT expr COMMA expr",
+ /* 157 */ "cmd ::= DELETE FROM fullname where_opt",
+ /* 158 */ "where_opt ::=",
+ /* 159 */ "where_opt ::= WHERE expr",
+ /* 160 */ "cmd ::= UPDATE orconf fullname SET setlist where_opt",
+ /* 161 */ "setlist ::= setlist COMMA nm EQ expr",
+ /* 162 */ "setlist ::= nm EQ expr",
+ /* 163 */ "cmd ::= insert_cmd INTO fullname inscollist_opt VALUES LP itemlist RP",
+ /* 164 */ "cmd ::= insert_cmd INTO fullname inscollist_opt select",
+ /* 165 */ "cmd ::= insert_cmd INTO fullname inscollist_opt DEFAULT VALUES",
+ /* 166 */ "insert_cmd ::= INSERT orconf",
+ /* 167 */ "insert_cmd ::= REPLACE",
+ /* 168 */ "itemlist ::= itemlist COMMA expr",
+ /* 169 */ "itemlist ::= expr",
+ /* 170 */ "inscollist_opt ::=",
+ /* 171 */ "inscollist_opt ::= LP inscollist RP",
+ /* 172 */ "inscollist ::= inscollist COMMA nm",
+ /* 173 */ "inscollist ::= nm",
+ /* 174 */ "expr ::= term",
+ /* 175 */ "expr ::= LP expr RP",
+ /* 176 */ "term ::= NULL",
+ /* 177 */ "expr ::= ID",
+ /* 178 */ "expr ::= JOIN_KW",
+ /* 179 */ "expr ::= nm DOT nm",
+ /* 180 */ "expr ::= nm DOT nm DOT nm",
+ /* 181 */ "term ::= INTEGER|FLOAT|BLOB",
+ /* 182 */ "term ::= STRING",
+ /* 183 */ "expr ::= REGISTER",
+ /* 184 */ "expr ::= VARIABLE",
+ /* 185 */ "expr ::= expr COLLATE id",
+ /* 186 */ "expr ::= CAST LP expr AS typetoken RP",
+ /* 187 */ "expr ::= ID LP distinct exprlist RP",
+ /* 188 */ "expr ::= ID LP STAR RP",
+ /* 189 */ "term ::= CTIME_KW",
+ /* 190 */ "expr ::= expr AND expr",
+ /* 191 */ "expr ::= expr OR expr",
+ /* 192 */ "expr ::= expr LT|GT|GE|LE expr",
+ /* 193 */ "expr ::= expr EQ|NE expr",
+ /* 194 */ "expr ::= expr BITAND|BITOR|LSHIFT|RSHIFT expr",
+ /* 195 */ "expr ::= expr PLUS|MINUS expr",
+ /* 196 */ "expr ::= expr STAR|SLASH|REM expr",
+ /* 197 */ "expr ::= expr CONCAT expr",
+ /* 198 */ "likeop ::= LIKE_KW",
+ /* 199 */ "likeop ::= NOT LIKE_KW",
+ /* 200 */ "likeop ::= MATCH",
+ /* 201 */ "likeop ::= NOT MATCH",
+ /* 202 */ "escape ::= ESCAPE expr",
+ /* 203 */ "escape ::=",
+ /* 204 */ "expr ::= expr likeop expr escape",
+ /* 205 */ "expr ::= expr ISNULL|NOTNULL",
+ /* 206 */ "expr ::= expr IS NULL",
+ /* 207 */ "expr ::= expr NOT NULL",
+ /* 208 */ "expr ::= expr IS NOT NULL",
+ /* 209 */ "expr ::= NOT|BITNOT expr",
+ /* 210 */ "expr ::= MINUS expr",
+ /* 211 */ "expr ::= PLUS expr",
+ /* 212 */ "between_op ::= BETWEEN",
+ /* 213 */ "between_op ::= NOT BETWEEN",
+ /* 214 */ "expr ::= expr between_op expr AND expr",
+ /* 215 */ "in_op ::= IN",
+ /* 216 */ "in_op ::= NOT IN",
+ /* 217 */ "expr ::= expr in_op LP exprlist RP",
+ /* 218 */ "expr ::= LP select RP",
+ /* 219 */ "expr ::= expr in_op LP select RP",
+ /* 220 */ "expr ::= expr in_op nm dbnm",
+ /* 221 */ "expr ::= EXISTS LP select RP",
+ /* 222 */ "expr ::= CASE case_operand case_exprlist case_else END",
+ /* 223 */ "case_exprlist ::= case_exprlist WHEN expr THEN expr",
+ /* 224 */ "case_exprlist ::= WHEN expr THEN expr",
+ /* 225 */ "case_else ::= ELSE expr",
+ /* 226 */ "case_else ::=",
+ /* 227 */ "case_operand ::= expr",
+ /* 228 */ "case_operand ::=",
+ /* 229 */ "exprlist ::= exprlist COMMA expritem",
+ /* 230 */ "exprlist ::= expritem",
+ /* 231 */ "expritem ::= expr",
+ /* 232 */ "expritem ::=",
+ /* 233 */ "cmd ::= CREATE uniqueflag INDEX ifnotexists nm dbnm ON nm LP idxlist RP",
+ /* 234 */ "uniqueflag ::= UNIQUE",
+ /* 235 */ "uniqueflag ::=",
+ /* 236 */ "idxlist_opt ::=",
+ /* 237 */ "idxlist_opt ::= LP idxlist RP",
+ /* 238 */ "idxlist ::= idxlist COMMA idxitem collate sortorder",
+ /* 239 */ "idxlist ::= idxitem collate sortorder",
+ /* 240 */ "idxitem ::= nm",
+ /* 241 */ "collate ::=",
+ /* 242 */ "collate ::= COLLATE id",
+ /* 243 */ "cmd ::= DROP INDEX ifexists fullname",
+ /* 244 */ "cmd ::= VACUUM",
+ /* 245 */ "cmd ::= VACUUM nm",
+ /* 246 */ "cmd ::= PRAGMA nm dbnm EQ nmnum",
+ /* 247 */ "cmd ::= PRAGMA nm dbnm EQ ON",
+ /* 248 */ "cmd ::= PRAGMA nm dbnm EQ minus_num",
+ /* 249 */ "cmd ::= PRAGMA nm dbnm LP nmnum RP",
+ /* 250 */ "cmd ::= PRAGMA nm dbnm",
+ /* 251 */ "nmnum ::= plus_num",
+ /* 252 */ "nmnum ::= nm",
+ /* 253 */ "plus_num ::= plus_opt number",
+ /* 254 */ "minus_num ::= MINUS number",
+ /* 255 */ "number ::= INTEGER|FLOAT",
+ /* 256 */ "plus_opt ::= PLUS",
+ /* 257 */ "plus_opt ::=",
+ /* 258 */ "cmd ::= CREATE trigger_decl BEGIN trigger_cmd_list END",
+ /* 259 */ "trigger_decl ::= temp TRIGGER ifnotexists nm dbnm trigger_time trigger_event ON fullname foreach_clause when_clause",
+ /* 260 */ "trigger_time ::= BEFORE",
+ /* 261 */ "trigger_time ::= AFTER",
+ /* 262 */ "trigger_time ::= INSTEAD OF",
+ /* 263 */ "trigger_time ::=",
+ /* 264 */ "trigger_event ::= DELETE|INSERT",
+ /* 265 */ "trigger_event ::= UPDATE",
+ /* 266 */ "trigger_event ::= UPDATE OF inscollist",
+ /* 267 */ "foreach_clause ::=",
+ /* 268 */ "foreach_clause ::= FOR EACH ROW",
+ /* 269 */ "when_clause ::=",
+ /* 270 */ "when_clause ::= WHEN expr",
+ /* 271 */ "trigger_cmd_list ::= trigger_cmd_list trigger_cmd SEMI",
+ /* 272 */ "trigger_cmd_list ::=",
+ /* 273 */ "trigger_cmd ::= UPDATE orconf nm SET setlist where_opt",
+ /* 274 */ "trigger_cmd ::= insert_cmd INTO nm inscollist_opt VALUES LP itemlist RP",
+ /* 275 */ "trigger_cmd ::= insert_cmd INTO nm inscollist_opt select",
+ /* 276 */ "trigger_cmd ::= DELETE FROM nm where_opt",
+ /* 277 */ "trigger_cmd ::= select",
+ /* 278 */ "expr ::= RAISE LP IGNORE RP",
+ /* 279 */ "expr ::= RAISE LP raisetype COMMA nm RP",
+ /* 280 */ "raisetype ::= ROLLBACK",
+ /* 281 */ "raisetype ::= ABORT",
+ /* 282 */ "raisetype ::= FAIL",
+ /* 283 */ "cmd ::= DROP TRIGGER ifexists fullname",
+ /* 284 */ "cmd ::= ATTACH database_kw_opt expr AS expr key_opt",
+ /* 285 */ "cmd ::= DETACH database_kw_opt expr",
+ /* 286 */ "key_opt ::=",
+ /* 287 */ "key_opt ::= KEY expr",
+ /* 288 */ "database_kw_opt ::= DATABASE",
+ /* 289 */ "database_kw_opt ::=",
+ /* 290 */ "cmd ::= REINDEX",
+ /* 291 */ "cmd ::= REINDEX nm dbnm",
+ /* 292 */ "cmd ::= ANALYZE",
+ /* 293 */ "cmd ::= ANALYZE nm dbnm",
+ /* 294 */ "cmd ::= ALTER TABLE fullname RENAME TO nm",
+ /* 295 */ "cmd ::= ALTER TABLE add_column_fullname ADD kwcolumn_opt column",
+ /* 296 */ "add_column_fullname ::= fullname",
+ /* 297 */ "kwcolumn_opt ::=",
+ /* 298 */ "kwcolumn_opt ::= COLUMNKW",
+ /* 299 */ "cmd ::= create_vtab",
+ /* 300 */ "cmd ::= create_vtab LP vtabarglist RP",
+ /* 301 */ "create_vtab ::= CREATE VIRTUAL TABLE nm dbnm USING nm",
+ /* 302 */ "vtabarglist ::= vtabarg",
+ /* 303 */ "vtabarglist ::= vtabarglist COMMA vtabarg",
+ /* 304 */ "vtabarg ::=",
+ /* 305 */ "vtabarg ::= vtabarg vtabargtoken",
+ /* 306 */ "vtabargtoken ::= ANY",
+ /* 307 */ "vtabargtoken ::= lp anylist RP",
+ /* 308 */ "lp ::= LP",
+ /* 309 */ "anylist ::=",
+ /* 310 */ "anylist ::= anylist ANY",
+};
+#endif /* NDEBUG */
+
+
+#if YYSTACKDEPTH<=0
+/*
+** Try to increase the size of the parser stack.
+*/
+static void yyGrowStack(yyParser *p){
+  int newSize;
+  yyStackEntry *pNew;
+
+  newSize = p->yystksz*2 + 100;
+  pNew = realloc(p->yystack, newSize*sizeof(pNew[0]));
+  if( pNew ){
+    p->yystack = pNew;
+    p->yystksz = newSize;
+#ifndef NDEBUG
+    if( yyTraceFILE ){
+      fprintf(yyTraceFILE,"%sStack grows to %d entries!\n",
+              yyTracePrompt, p->yystksz);
+    }
+#endif
+  }
+}
+#endif
+
+/* 
+** This function allocates a new parser.
+** The only argument is a pointer to a function which works like
+** malloc.
+**
+** Inputs:
+** A pointer to the function used to allocate memory.
+**
+** Outputs:
+** A pointer to a parser.  This pointer is used in subsequent calls
+** to sqlite3Parser and sqlite3ParserFree.
+*/
+void *sqlite3ParserAlloc(void *(*mallocProc)(size_t)){
+  yyParser *pParser;
+  pParser = (yyParser*)(*mallocProc)( (size_t)sizeof(yyParser) );
+  if( pParser ){
+    pParser->yyidx = -1;
+#if YYSTACKDEPTH<=0
+    yyGrowStack(pParser);
+#endif
+  }
+  return pParser;
+}
+
+/* The following function deletes the value associated with a
+** symbol.  The symbol can be either a terminal or nonterminal.
+** "yymajor" is the symbol code, and "yypminor" is a pointer to
+** the value.
+*/
+static void yy_destructor(YYCODETYPE yymajor, YYMINORTYPE *yypminor){
+  switch( yymajor ){
+    /* Here is inserted the actions which take place when a
+    ** terminal or non-terminal is destroyed.  This can happen
+    ** when the symbol is popped from the stack during a
+    ** reduce or during error processing or when a parser is 
+    ** being destroyed before it is finished parsing.
+    **
+    ** Note: during a reduce, the only symbols destroyed are those
+    ** which appear on the RHS of the rule, but which are not used
+    ** inside the C code.
+    */
+    case 155:
+    case 189:
+    case 206:
+{sqlite3SelectDelete((yypminor->yy219));}
+      break;
+    case 169:
+    case 170:
+    case 194:
+    case 196:
+    case 204:
+    case 210:
+    case 217:
+    case 220:
+    case 222:
+    case 223:
+    case 235:
+{sqlite3ExprDelete((yypminor->yy172));}
+      break;
+    case 174:
+    case 182:
+    case 192:
+    case 195:
+    case 197:
+    case 199:
+    case 209:
+    case 211:
+    case 212:
+    case 215:
+    case 221:
+{sqlite3ExprListDelete((yypminor->yy174));}
+      break;
+    case 188:
+    case 193:
+    case 201:
+    case 202:
+{sqlite3SrcListDelete((yypminor->yy373));}
+      break;
+    case 205:
+    case 208:
+    case 214:
+{sqlite3IdListDelete((yypminor->yy432));}
+      break;
+    case 231:
+    case 236:
+{sqlite3DeleteTriggerStep((yypminor->yy243));}
+      break;
+    case 233:
+{sqlite3IdListDelete((yypminor->yy370).b);}
+      break;
+    case 238:
+{sqlite3ExprDelete((yypminor->yy386));}
+      break;
+    default:  break;   /* If no destructor action specified: do nothing */
+  }
+}
+
+/*
+** Pop the parser's stack once.
+**
+** If there is a destructor routine associated with the token which
+** is popped from the stack, then call it.
+**
+** Return the major token number for the symbol popped.
+*/
+static int yy_pop_parser_stack(yyParser *pParser){
+  YYCODETYPE yymajor;
+  yyStackEntry *yytos = &pParser->yystack[pParser->yyidx];
+
+  if( pParser->yyidx<0 ) return 0;
+#ifndef NDEBUG
+  if( yyTraceFILE && pParser->yyidx>=0 ){
+    fprintf(yyTraceFILE,"%sPopping %s\n",
+      yyTracePrompt,
+      yyTokenName[yytos->major]);
+  }
+#endif
+  yymajor = yytos->major;
+  yy_destructor( yymajor, &yytos->minor);
+  pParser->yyidx--;
+  return yymajor;
+}
+
+/* 
+** Deallocate and destroy a parser.  Destructors are all called for
+** all stack elements before shutting the parser down.
+**
+** Inputs:
+** <ul>
+** <li>  A pointer to the parser.  This should be a pointer
+**       obtained from sqlite3ParserAlloc.
+** <li>  A pointer to a function used to reclaim memory obtained
+**       from malloc.
+** </ul>
+*/
+void sqlite3ParserFree(
+  void *p,                    /* The parser to be deleted */
+  void (*freeProc)(void*)     /* Function used to reclaim memory */
+){
+  yyParser *pParser = (yyParser*)p;
+  if( pParser==0 ) return;
+  while( pParser->yyidx>=0 ) yy_pop_parser_stack(pParser);
+#if YYSTACKDEPTH<=0
+  free(pParser->yystack);
+#endif
+  (*freeProc)((void*)pParser);
+}
+
+/*
+** Find the appropriate action for a parser given the terminal
+** look-ahead token iLookAhead.
+**
+** If the look-ahead token is YYNOCODE, then check to see if the action is
+** independent of the look-ahead.  If it is, return the action, otherwise
+** return YY_NO_ACTION.
+*/
+static int yy_find_shift_action(
+  yyParser *pParser,        /* The parser */
+  YYCODETYPE iLookAhead     /* The look-ahead token */
+){
+  int i;
+  int stateno = pParser->yystack[pParser->yyidx].stateno;
+ 
+  if( stateno>YY_SHIFT_MAX || (i = yy_shift_ofst[stateno])==YY_SHIFT_USE_DFLT ){
+    return yy_default[stateno];
+  }
+  if( iLookAhead==YYNOCODE ){
+    return YY_NO_ACTION;
+  }
+  i += iLookAhead;
+  if( i<0 || i>=YY_SZ_ACTTAB || yy_lookahead[i]!=iLookAhead ){
+    if( iLookAhead>0 ){
+#ifdef YYFALLBACK
+      int iFallback;            /* Fallback token */
+      if( iLookAhead<sizeof(yyFallback)/sizeof(yyFallback[0])
+             && (iFallback = yyFallback[iLookAhead])!=0 ){
+#ifndef NDEBUG
+        if( yyTraceFILE ){
+          fprintf(yyTraceFILE, "%sFALLBACK %s => %s\n",
+             yyTracePrompt, yyTokenName[iLookAhead], yyTokenName[iFallback]);
+        }
+#endif
+        return yy_find_shift_action(pParser, iFallback);
+      }
+#endif
+#ifdef YYWILDCARD
+      {
+        int j = i - iLookAhead + YYWILDCARD;
+        if( j>=0 && j<YY_SZ_ACTTAB && yy_lookahead[j]==YYWILDCARD ){
+#ifndef NDEBUG
+          if( yyTraceFILE ){
+            fprintf(yyTraceFILE, "%sWILDCARD %s => %s\n",
+               yyTracePrompt, yyTokenName[iLookAhead], yyTokenName[YYWILDCARD]);
+          }
+#endif /* NDEBUG */
+          return yy_action[j];
+        }
+      }
+#endif /* YYWILDCARD */
+    }
+    return yy_default[stateno];
+  }else{
+    return yy_action[i];
+  }
+}
+
+/*
+** Find the appropriate action for a parser given the non-terminal
+** look-ahead token iLookAhead.
+**
+** If the look-ahead token is YYNOCODE, then check to see if the action is
+** independent of the look-ahead.  If it is, return the action, otherwise
+** return YY_NO_ACTION.
+*/
+static int yy_find_reduce_action(
+  int stateno,              /* Current state number */
+  YYCODETYPE iLookAhead     /* The look-ahead token */
+){
+  int i;
+  /* int stateno = pParser->yystack[pParser->yyidx].stateno; */
+ 
+  if( stateno>YY_REDUCE_MAX ||
+      (i = yy_reduce_ofst[stateno])==YY_REDUCE_USE_DFLT ){
+    return yy_default[stateno];
+  }
+  if( iLookAhead==YYNOCODE ){
+    return YY_NO_ACTION;
+  }
+  i += iLookAhead;
+  if( i<0 || i>=YY_SZ_ACTTAB || yy_lookahead[i]!=iLookAhead ){
+    return yy_default[stateno];
+  }else{
+    return yy_action[i];
+  }
+}
+
+/*
+** The following routine is called if the stack overflows.
+*/
+static void yyStackOverflow(yyParser *yypParser, YYMINORTYPE *yypMinor){
+   sqlite3ParserARG_FETCH;
+   yypParser->yyidx--;
+#ifndef NDEBUG
+   if( yyTraceFILE ){
+     fprintf(yyTraceFILE,"%sStack Overflow!\n",yyTracePrompt);
+   }
+#endif
+   while( yypParser->yyidx>=0 ) yy_pop_parser_stack(yypParser);
+   /* Here code is inserted which will execute if the parser
+   ** stack every overflows */
+
+  sqlite3ErrorMsg(pParse, "parser stack overflow");
+  pParse->parseError = 1;
+   sqlite3ParserARG_STORE; /* Suppress warning about unused %extra_argument var */
+}
+
+/*
+** Perform a shift action.
+*/
+static void yy_shift(
+  yyParser *yypParser,          /* The parser to be shifted */
+  int yyNewState,               /* The new state to shift in */
+  int yyMajor,                  /* The major token to shift in */
+  YYMINORTYPE *yypMinor         /* Pointer ot the minor token to shift in */
+){
+  yyStackEntry *yytos;
+  yypParser->yyidx++;
+#if YYSTACKDEPTH>0 
+  if( yypParser->yyidx>=YYSTACKDEPTH ){
+    yyStackOverflow(yypParser, yypMinor);
+    return;
+  }
+#else
+  if( yypParser->yyidx>=yypParser->yystksz ){
+    yyGrowStack(yypParser);
+    if( yypParser->yyidx>=yypParser->yystksz ){
+      yyStackOverflow(yypParser, yypMinor);
+      return;
+    }
+  }
+#endif
+  yytos = &yypParser->yystack[yypParser->yyidx];
+  yytos->stateno = yyNewState;
+  yytos->major = yyMajor;
+  yytos->minor = *yypMinor;
+#ifndef NDEBUG
+  if( yyTraceFILE && yypParser->yyidx>0 ){
+    int i;
+    fprintf(yyTraceFILE,"%sShift %d\n",yyTracePrompt,yyNewState);
+    fprintf(yyTraceFILE,"%sStack:",yyTracePrompt);
+    for(i=1; i<=yypParser->yyidx; i++)
+      fprintf(yyTraceFILE," %s",yyTokenName[yypParser->yystack[i].major]);
+    fprintf(yyTraceFILE,"\n");
+  }
+#endif
+}
+
+/* The following table contains information about every rule that
+** is used during the reduce.
+*/
+static const struct {
+  YYCODETYPE lhs;         /* Symbol on the left-hand side of the rule */
+  unsigned char nrhs;     /* Number of right-hand side symbols in the rule */
+} yyRuleInfo[] = {
+  { 139, 1 },
+  { 140, 2 },
+  { 140, 1 },
+  { 142, 1 },
+  { 141, 1 },
+  { 141, 3 },
+  { 144, 0 },
+  { 144, 1 },
+  { 144, 3 },
+  { 143, 3 },
+  { 146, 0 },
+  { 146, 1 },
+  { 146, 2 },
+  { 145, 0 },
+  { 145, 1 },
+  { 145, 1 },
+  { 145, 1 },
+  { 143, 2 },
+  { 143, 2 },
+  { 143, 2 },
+  { 143, 2 },
+  { 148, 6 },
+  { 151, 0 },
+  { 151, 3 },
+  { 150, 1 },
+  { 150, 0 },
+  { 149, 4 },
+  { 149, 2 },
+  { 153, 3 },
+  { 153, 1 },
+  { 156, 3 },
+  { 157, 1 },
+  { 160, 1 },
+  { 161, 1 },
+  { 147, 1 },
+  { 147, 1 },
+  { 147, 1 },
+  { 158, 0 },
+  { 158, 1 },
+  { 162, 1 },
+  { 162, 4 },
+  { 162, 6 },
+  { 163, 1 },
+  { 163, 2 },
+  { 164, 1 },
+  { 164, 1 },
+  { 159, 2 },
+  { 159, 0 },
+  { 167, 3 },
+  { 167, 1 },
+  { 168, 2 },
+  { 168, 4 },
+  { 168, 3 },
+  { 168, 3 },
+  { 168, 2 },
+  { 168, 2 },
+  { 168, 3 },
+  { 168, 5 },
+  { 168, 2 },
+  { 168, 4 },
+  { 168, 4 },
+  { 168, 1 },
+  { 168, 2 },
+  { 173, 0 },
+  { 173, 1 },
+  { 175, 0 },
+  { 175, 2 },
+  { 177, 2 },
+  { 177, 3 },
+  { 177, 3 },
+  { 177, 3 },
+  { 178, 2 },
+  { 178, 2 },
+  { 178, 1 },
+  { 178, 1 },
+  { 176, 3 },
+  { 176, 2 },
+  { 179, 0 },
+  { 179, 2 },
+  { 179, 2 },
+  { 154, 0 },
+  { 154, 2 },
+  { 180, 3 },
+  { 180, 2 },
+  { 180, 1 },
+  { 181, 2 },
+  { 181, 7 },
+  { 181, 5 },
+  { 181, 5 },
+  { 181, 10 },
+  { 183, 0 },
+  { 183, 1 },
+  { 171, 0 },
+  { 171, 3 },
+  { 184, 0 },
+  { 184, 2 },
+  { 185, 1 },
+  { 185, 1 },
+  { 185, 1 },
+  { 143, 4 },
+  { 187, 2 },
+  { 187, 0 },
+  { 143, 8 },
+  { 143, 4 },
+  { 143, 1 },
+  { 155, 1 },
+  { 155, 3 },
+  { 190, 1 },
+  { 190, 2 },
+  { 190, 1 },
+  { 189, 9 },
+  { 191, 1 },
+  { 191, 1 },
+  { 191, 0 },
+  { 199, 2 },
+  { 199, 0 },
+  { 192, 3 },
+  { 192, 2 },
+  { 192, 4 },
+  { 200, 2 },
+  { 200, 1 },
+  { 200, 0 },
+  { 193, 0 },
+  { 193, 2 },
+  { 202, 2 },
+  { 202, 0 },
+  { 201, 6 },
+  { 201, 7 },
+  { 206, 1 },
+  { 206, 1 },
+  { 152, 0 },
+  { 152, 2 },
+  { 188, 2 },
+  { 203, 1 },
+  { 203, 2 },
+  { 203, 3 },
+  { 203, 4 },
+  { 204, 2 },
+  { 204, 0 },
+  { 205, 4 },
+  { 205, 0 },
+  { 197, 0 },
+  { 197, 3 },
+  { 209, 4 },
+  { 209, 2 },
+  { 210, 1 },
+  { 172, 1 },
+  { 172, 1 },
+  { 172, 0 },
+  { 195, 0 },
+  { 195, 3 },
+  { 196, 0 },
+  { 196, 2 },
+  { 198, 0 },
+  { 198, 2 },
+  { 198, 4 },
+  { 198, 4 },
+  { 143, 4 },
+  { 194, 0 },
+  { 194, 2 },
+  { 143, 6 },
+  { 212, 5 },
+  { 212, 3 },
+  { 143, 8 },
+  { 143, 5 },
+  { 143, 6 },
+  { 213, 2 },
+  { 213, 1 },
+  { 215, 3 },
+  { 215, 1 },
+  { 214, 0 },
+  { 214, 3 },
+  { 208, 3 },
+  { 208, 1 },
+  { 170, 1 },
+  { 170, 3 },
+  { 169, 1 },
+  { 170, 1 },
+  { 170, 1 },
+  { 170, 3 },
+  { 170, 5 },
+  { 169, 1 },
+  { 169, 1 },
+  { 170, 1 },
+  { 170, 1 },
+  { 170, 3 },
+  { 170, 6 },
+  { 170, 5 },
+  { 170, 4 },
+  { 169, 1 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 3 },
+  { 216, 1 },
+  { 216, 2 },
+  { 216, 1 },
+  { 216, 2 },
+  { 217, 2 },
+  { 217, 0 },
+  { 170, 4 },
+  { 170, 2 },
+  { 170, 3 },
+  { 170, 3 },
+  { 170, 4 },
+  { 170, 2 },
+  { 170, 2 },
+  { 170, 2 },
+  { 218, 1 },
+  { 218, 2 },
+  { 170, 5 },
+  { 219, 1 },
+  { 219, 2 },
+  { 170, 5 },
+  { 170, 3 },
+  { 170, 5 },
+  { 170, 4 },
+  { 170, 4 },
+  { 170, 5 },
+  { 221, 5 },
+  { 221, 4 },
+  { 222, 2 },
+  { 222, 0 },
+  { 220, 1 },
+  { 220, 0 },
+  { 211, 3 },
+  { 211, 1 },
+  { 223, 1 },
+  { 223, 0 },
+  { 143, 11 },
+  { 224, 1 },
+  { 224, 0 },
+  { 174, 0 },
+  { 174, 3 },
+  { 182, 5 },
+  { 182, 3 },
+  { 225, 1 },
+  { 226, 0 },
+  { 226, 2 },
+  { 143, 4 },
+  { 143, 1 },
+  { 143, 2 },
+  { 143, 5 },
+  { 143, 5 },
+  { 143, 5 },
+  { 143, 6 },
+  { 143, 3 },
+  { 227, 1 },
+  { 227, 1 },
+  { 165, 2 },
+  { 166, 2 },
+  { 229, 1 },
+  { 228, 1 },
+  { 228, 0 },
+  { 143, 5 },
+  { 230, 11 },
+  { 232, 1 },
+  { 232, 1 },
+  { 232, 2 },
+  { 232, 0 },
+  { 233, 1 },
+  { 233, 1 },
+  { 233, 3 },
+  { 234, 0 },
+  { 234, 3 },
+  { 235, 0 },
+  { 235, 2 },
+  { 231, 3 },
+  { 231, 0 },
+  { 236, 6 },
+  { 236, 8 },
+  { 236, 5 },
+  { 236, 4 },
+  { 236, 1 },
+  { 170, 4 },
+  { 170, 6 },
+  { 186, 1 },
+  { 186, 1 },
+  { 186, 1 },
+  { 143, 4 },
+  { 143, 6 },
+  { 143, 3 },
+  { 238, 0 },
+  { 238, 2 },
+  { 237, 1 },
+  { 237, 0 },
+  { 143, 1 },
+  { 143, 3 },
+  { 143, 1 },
+  { 143, 3 },
+  { 143, 6 },
+  { 143, 6 },
+  { 239, 1 },
+  { 240, 0 },
+  { 240, 1 },
+  { 143, 1 },
+  { 143, 4 },
+  { 241, 7 },
+  { 242, 1 },
+  { 242, 3 },
+  { 243, 0 },
+  { 243, 2 },
+  { 244, 1 },
+  { 244, 3 },
+  { 245, 1 },
+  { 246, 0 },
+  { 246, 2 },
+};
+
+static void yy_accept(yyParser*);  /* Forward Declaration */
+
+/*
+** Perform a reduce action and the shift that must immediately
+** follow the reduce.
+*/
+static void yy_reduce(
+  yyParser *yypParser,         /* The parser */
+  int yyruleno                 /* Number of the rule by which to reduce */
+){
+  int yygoto;                     /* The next state */
+  int yyact;                      /* The next action */
+  YYMINORTYPE yygotominor;        /* The LHS of the rule reduced */
+  yyStackEntry *yymsp;            /* The top of the parser's stack */
+  int yysize;                     /* Amount to pop the stack */
+  sqlite3ParserARG_FETCH;
+  yymsp = &yypParser->yystack[yypParser->yyidx];
+#ifndef NDEBUG
+  if( yyTraceFILE && yyruleno>=0 
+        && yyruleno<(int)(sizeof(yyRuleName)/sizeof(yyRuleName[0])) ){
+    fprintf(yyTraceFILE, "%sReduce [%s].\n", yyTracePrompt,
+      yyRuleName[yyruleno]);
+  }
+#endif /* NDEBUG */
+
+  /* Silence complaints from purify about yygotominor being uninitialized
+  ** in some cases when it is copied into the stack after the following
+  ** switch.  yygotominor is uninitialized when a rule reduces that does
+  ** not set the value of its left-hand side nonterminal.  Leaving the
+  ** value of the nonterminal uninitialized is utterly harmless as long
+  ** as the value is never used.  So really the only thing this code
+  ** accomplishes is to quieten purify.  
+  **
+  ** 2007-01-16:  The wireshark project (www.wireshark.org) reports that
+  ** without this code, their parser segfaults.  I'm not sure what there
+  ** parser is doing to make this happen.  This is the second bug report
+  ** from wireshark this week.  Clearly they are stressing Lemon in ways
+  ** that it has not been previously stressed...  (SQLite ticket #2172)
+  */
+  memset(&yygotominor, 0, sizeof(yygotominor));
+
+
+  switch( yyruleno ){
+  /* Beginning here are the reduction cases.  A typical example
+  ** follows:
+  **   case 0:
+  **  #line <lineno> <grammarfile>
+  **     { ... }           // User supplied code
+  **  #line <lineno> <thisfile>
+  **     break;
+  */
+      case 0:
+      case 1:
+      case 2:
+      case 4:
+      case 5:
+      case 10:
+      case 11:
+      case 12:
+      case 20:
+      case 28:
+      case 29:
+      case 37:
+      case 44:
+      case 45:
+      case 46:
+      case 47:
+      case 48:
+      case 49:
+      case 55:
+      case 82:
+      case 83:
+      case 84:
+      case 85:
+      case 256:
+      case 257:
+      case 267:
+      case 268:
+      case 288:
+      case 289:
+      case 297:
+      case 298:
+      case 302:
+      case 303:
+      case 305:
+      case 309:
+{
+}
+        break;
+      case 3:
+{ sqlite3FinishCoding(pParse); }
+        break;
+      case 6:
+{ sqlite3BeginParse(pParse, 0); }
+        break;
+      case 7:
+{ sqlite3BeginParse(pParse, 1); }
+        break;
+      case 8:
+{ sqlite3BeginParse(pParse, 2); }
+        break;
+      case 9:
+{sqlite3BeginTransaction(pParse, yymsp[-1].minor.yy46);}
+        break;
+      case 13:
+{yygotominor.yy46 = TK_DEFERRED;}
+        break;
+      case 14:
+      case 15:
+      case 16:
+      case 107:
+      case 109:
+{yygotominor.yy46 = yymsp[0].major;}
+        break;
+      case 17:
+      case 18:
+{sqlite3CommitTransaction(pParse);}
+        break;
+      case 19:
+{sqlite3RollbackTransaction(pParse);}
+        break;
+      case 21:
+{
+   sqlite3StartTable(pParse,&yymsp[-1].minor.yy410,&yymsp[0].minor.yy410,yymsp[-4].minor.yy46,0,0,yymsp[-2].minor.yy46);
+}
+        break;
+      case 22:
+      case 25:
+      case 63:
+      case 77:
+      case 79:
+      case 90:
+      case 101:
+      case 112:
+      case 113:
+      case 212:
+      case 215:
+{yygotominor.yy46 = 0;}
+        break;
+      case 23:
+      case 24:
+      case 64:
+      case 78:
+      case 100:
+      case 111:
+      case 213:
+      case 216:
+{yygotominor.yy46 = 1;}
+        break;
+      case 26:
+{
+  sqlite3EndTable(pParse,&yymsp[-1].minor.yy410,&yymsp[0].minor.yy0,0);
+}
+        break;
+      case 27:
+{
+  sqlite3EndTable(pParse,0,0,yymsp[0].minor.yy219);
+  sqlite3SelectDelete(yymsp[0].minor.yy219);
+}
+        break;
+      case 30:
+{
+  yygotominor.yy410.z = yymsp[-2].minor.yy410.z;
+  yygotominor.yy410.n = (pParse->sLastToken.z-yymsp[-2].minor.yy410.z) + pParse->sLastToken.n;
+}
+        break;
+      case 31:
+{
+  sqlite3AddColumn(pParse,&yymsp[0].minor.yy410);
+  yygotominor.yy410 = yymsp[0].minor.yy410;
+}
+        break;
+      case 32:
+      case 33:
+      case 34:
+      case 35:
+      case 36:
+      case 255:
+{yygotominor.yy410 = yymsp[0].minor.yy0;}
+        break;
+      case 38:
+{sqlite3AddColumnType(pParse,&yymsp[0].minor.yy410);}
+        break;
+      case 39:
+      case 42:
+      case 119:
+      case 120:
+      case 131:
+      case 240:
+      case 242:
+      case 251:
+      case 252:
+      case 253:
+      case 254:
+{yygotominor.yy410 = yymsp[0].minor.yy410;}
+        break;
+      case 40:
+{
+  yygotominor.yy410.z = yymsp[-3].minor.yy410.z;
+  yygotominor.yy410.n = &yymsp[0].minor.yy0.z[yymsp[0].minor.yy0.n] - yymsp[-3].minor.yy410.z;
+}
+        break;
+      case 41:
+{
+  yygotominor.yy410.z = yymsp[-5].minor.yy410.z;
+  yygotominor.yy410.n = &yymsp[0].minor.yy0.z[yymsp[0].minor.yy0.n] - yymsp[-5].minor.yy410.z;
+}
+        break;
+      case 43:
+{yygotominor.yy410.z=yymsp[-1].minor.yy410.z; yygotominor.yy410.n=yymsp[0].minor.yy410.n+(yymsp[0].minor.yy410.z-yymsp[-1].minor.yy410.z);}
+        break;
+      case 50:
+      case 52:
+{sqlite3AddDefaultValue(pParse,yymsp[0].minor.yy172);}
+        break;
+      case 51:
+{sqlite3AddDefaultValue(pParse,yymsp[-1].minor.yy172);}
+        break;
+      case 53:
+{
+  Expr *p = sqlite3Expr(TK_UMINUS, yymsp[0].minor.yy172, 0, 0);
+  sqlite3AddDefaultValue(pParse,p);
+}
+        break;
+      case 54:
+{
+  Expr *p = sqlite3Expr(TK_STRING, 0, 0, &yymsp[0].minor.yy410);
+  sqlite3AddDefaultValue(pParse,p);
+}
+        break;
+      case 56:
+{sqlite3AddNotNull(pParse, yymsp[0].minor.yy46);}
+        break;
+      case 57:
+{sqlite3AddPrimaryKey(pParse,0,yymsp[-1].minor.yy46,yymsp[0].minor.yy46,yymsp[-2].minor.yy46);}
+        break;
+      case 58:
+{sqlite3CreateIndex(pParse,0,0,0,0,yymsp[0].minor.yy46,0,0,0,0);}
+        break;
+      case 59:
+{sqlite3AddCheckConstraint(pParse,yymsp[-1].minor.yy172);}
+        break;
+      case 60:
+{sqlite3CreateForeignKey(pParse,0,&yymsp[-2].minor.yy410,yymsp[-1].minor.yy174,yymsp[0].minor.yy46);}
+        break;
+      case 61:
+{sqlite3DeferForeignKey(pParse,yymsp[0].minor.yy46);}
+        break;
+      case 62:
+{sqlite3AddCollateType(pParse, (char*)yymsp[0].minor.yy410.z, yymsp[0].minor.yy410.n);}
+        break;
+      case 65:
+{ yygotominor.yy46 = OE_Restrict * 0x010101; }
+        break;
+      case 66:
+{ yygotominor.yy46 = (yymsp[-1].minor.yy46 & yymsp[0].minor.yy405.mask) | yymsp[0].minor.yy405.value; }
+        break;
+      case 67:
+{ yygotominor.yy405.value = 0;     yygotominor.yy405.mask = 0x000000; }
+        break;
+      case 68:
+{ yygotominor.yy405.value = yymsp[0].minor.yy46;     yygotominor.yy405.mask = 0x0000ff; }
+        break;
+      case 69:
+{ yygotominor.yy405.value = yymsp[0].minor.yy46<<8;  yygotominor.yy405.mask = 0x00ff00; }
+        break;
+      case 70:
+{ yygotominor.yy405.value = yymsp[0].minor.yy46<<16; yygotominor.yy405.mask = 0xff0000; }
+        break;
+      case 71:
+{ yygotominor.yy46 = OE_SetNull; }
+        break;
+      case 72:
+{ yygotominor.yy46 = OE_SetDflt; }
+        break;
+      case 73:
+{ yygotominor.yy46 = OE_Cascade; }
+        break;
+      case 74:
+{ yygotominor.yy46 = OE_Restrict; }
+        break;
+      case 75:
+      case 76:
+      case 91:
+      case 93:
+      case 95:
+      case 96:
+      case 166:
+{yygotominor.yy46 = yymsp[0].minor.yy46;}
+        break;
+      case 80:
+{yygotominor.yy410.n = 0; yygotominor.yy410.z = 0;}
+        break;
+      case 81:
+{yygotominor.yy410 = yymsp[-1].minor.yy0;}
+        break;
+      case 86:
+{sqlite3AddPrimaryKey(pParse,yymsp[-3].minor.yy174,yymsp[0].minor.yy46,yymsp[-2].minor.yy46,0);}
+        break;
+      case 87:
+{sqlite3CreateIndex(pParse,0,0,0,yymsp[-2].minor.yy174,yymsp[0].minor.yy46,0,0,0,0);}
+        break;
+      case 88:
+{sqlite3AddCheckConstraint(pParse,yymsp[-2].minor.yy172);}
+        break;
+      case 89:
+{
+    sqlite3CreateForeignKey(pParse, yymsp[-6].minor.yy174, &yymsp[-3].minor.yy410, yymsp[-2].minor.yy174, yymsp[-1].minor.yy46);
+    sqlite3DeferForeignKey(pParse, yymsp[0].minor.yy46);
+}
+        break;
+      case 92:
+      case 94:
+{yygotominor.yy46 = OE_Default;}
+        break;
+      case 97:
+{yygotominor.yy46 = OE_Ignore;}
+        break;
+      case 98:
+      case 167:
+{yygotominor.yy46 = OE_Replace;}
+        break;
+      case 99:
+{
+  sqlite3DropTable(pParse, yymsp[0].minor.yy373, 0, yymsp[-1].minor.yy46);
+}
+        break;
+      case 102:
+{
+  sqlite3CreateView(pParse, &yymsp[-7].minor.yy0, &yymsp[-3].minor.yy410, &yymsp[-2].minor.yy410, yymsp[0].minor.yy219, yymsp[-6].minor.yy46, yymsp[-4].minor.yy46);
+}
+        break;
+      case 103:
+{
+  sqlite3DropTable(pParse, yymsp[0].minor.yy373, 1, yymsp[-1].minor.yy46);
+}
+        break;
+      case 104:
+{
+  sqlite3Select(pParse, yymsp[0].minor.yy219, SRT_Callback, 0, 0, 0, 0, 0);
+  sqlite3SelectDelete(yymsp[0].minor.yy219);
+}
+        break;
+      case 105:
+      case 128:
+{yygotominor.yy219 = yymsp[0].minor.yy219;}
+        break;
+      case 106:
+{
+  if( yymsp[0].minor.yy219 ){
+    yymsp[0].minor.yy219->op = yymsp[-1].minor.yy46;
+    yymsp[0].minor.yy219->pPrior = yymsp[-2].minor.yy219;
+  }
+  yygotominor.yy219 = yymsp[0].minor.yy219;
+}
+        break;
+      case 108:
+{yygotominor.yy46 = TK_ALL;}
+        break;
+      case 110:
+{
+  yygotominor.yy219 = sqlite3SelectNew(yymsp[-6].minor.yy174,yymsp[-5].minor.yy373,yymsp[-4].minor.yy172,yymsp[-3].minor.yy174,yymsp[-2].minor.yy172,yymsp[-1].minor.yy174,yymsp[-7].minor.yy46,yymsp[0].minor.yy234.pLimit,yymsp[0].minor.yy234.pOffset);
+}
+        break;
+      case 114:
+      case 237:
+{yygotominor.yy174 = yymsp[-1].minor.yy174;}
+        break;
+      case 115:
+      case 141:
+      case 149:
+      case 236:
+{yygotominor.yy174 = 0;}
+        break;
+      case 116:
+{
+   yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-2].minor.yy174,yymsp[-1].minor.yy172,yymsp[0].minor.yy410.n?&yymsp[0].minor.yy410:0);
+}
+        break;
+      case 117:
+{
+  yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-1].minor.yy174, sqlite3Expr(TK_ALL, 0, 0, 0), 0);
+}
+        break;
+      case 118:
+{
+  Expr *pRight = sqlite3Expr(TK_ALL, 0, 0, 0);
+  Expr *pLeft = sqlite3Expr(TK_ID, 0, 0, &yymsp[-2].minor.yy410);
+  yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-3].minor.yy174, sqlite3Expr(TK_DOT, pLeft, pRight, 0), 0);
+}
+        break;
+      case 121:
+{yygotominor.yy410.n = 0;}
+        break;
+      case 122:
+{yygotominor.yy373 = sqliteMalloc(sizeof(*yygotominor.yy373));}
+        break;
+      case 123:
+{
+  yygotominor.yy373 = yymsp[0].minor.yy373;
+  sqlite3SrcListShiftJoinType(yygotominor.yy373);
+}
+        break;
+      case 124:
+{
+   yygotominor.yy373 = yymsp[-1].minor.yy373;
+   if( yygotominor.yy373 && yygotominor.yy373->nSrc>0 ) yygotominor.yy373->a[yygotominor.yy373->nSrc-1].jointype = yymsp[0].minor.yy46;
+}
+        break;
+      case 125:
+{yygotominor.yy373 = 0;}
+        break;
+      case 126:
+{
+  yygotominor.yy373 = sqlite3SrcListAppendFromTerm(yymsp[-5].minor.yy373,&yymsp[-4].minor.yy410,&yymsp[-3].minor.yy410,&yymsp[-2].minor.yy410,0,yymsp[-1].minor.yy172,yymsp[0].minor.yy432);
+}
+        break;
+      case 127:
+{
+    yygotominor.yy373 = sqlite3SrcListAppendFromTerm(yymsp[-6].minor.yy373,0,0,&yymsp[-2].minor.yy410,yymsp[-4].minor.yy219,yymsp[-1].minor.yy172,yymsp[0].minor.yy432);
+  }
+        break;
+      case 129:
+{
+     sqlite3SrcListShiftJoinType(yymsp[0].minor.yy373);
+     yygotominor.yy219 = sqlite3SelectNew(0,yymsp[0].minor.yy373,0,0,0,0,0,0,0);
+  }
+        break;
+      case 130:
+{yygotominor.yy410.z=0; yygotominor.yy410.n=0;}
+        break;
+      case 132:
+{yygotominor.yy373 = sqlite3SrcListAppend(0,&yymsp[-1].minor.yy410,&yymsp[0].minor.yy410);}
+        break;
+      case 133:
+{ yygotominor.yy46 = JT_INNER; }
+        break;
+      case 134:
+{ yygotominor.yy46 = sqlite3JoinType(pParse,&yymsp[-1].minor.yy0,0,0); }
+        break;
+      case 135:
+{ yygotominor.yy46 = sqlite3JoinType(pParse,&yymsp[-2].minor.yy0,&yymsp[-1].minor.yy410,0); }
+        break;
+      case 136:
+{ yygotominor.yy46 = sqlite3JoinType(pParse,&yymsp[-3].minor.yy0,&yymsp[-2].minor.yy410,&yymsp[-1].minor.yy410); }
+        break;
+      case 137:
+      case 145:
+      case 152:
+      case 159:
+      case 174:
+      case 202:
+      case 225:
+      case 227:
+      case 231:
+{yygotominor.yy172 = yymsp[0].minor.yy172;}
+        break;
+      case 138:
+      case 151:
+      case 158:
+      case 203:
+      case 226:
+      case 228:
+      case 232:
+{yygotominor.yy172 = 0;}
+        break;
+      case 139:
+      case 171:
+{yygotominor.yy432 = yymsp[-1].minor.yy432;}
+        break;
+      case 140:
+      case 170:
+{yygotominor.yy432 = 0;}
+        break;
+      case 142:
+      case 150:
+{yygotominor.yy174 = yymsp[0].minor.yy174;}
+        break;
+      case 143:
+{
+  yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-3].minor.yy174,yymsp[-1].minor.yy172,0);
+  if( yygotominor.yy174 ) yygotominor.yy174->a[yygotominor.yy174->nExpr-1].sortOrder = yymsp[0].minor.yy46;
+}
+        break;
+      case 144:
+{
+  yygotominor.yy174 = sqlite3ExprListAppend(0,yymsp[-1].minor.yy172,0);
+  if( yygotominor.yy174 && yygotominor.yy174->a ) yygotominor.yy174->a[0].sortOrder = yymsp[0].minor.yy46;
+}
+        break;
+      case 146:
+      case 148:
+{yygotominor.yy46 = SQLITE_SO_ASC;}
+        break;
+      case 147:
+{yygotominor.yy46 = SQLITE_SO_DESC;}
+        break;
+      case 153:
+{yygotominor.yy234.pLimit = 0; yygotominor.yy234.pOffset = 0;}
+        break;
+      case 154:
+{yygotominor.yy234.pLimit = yymsp[0].minor.yy172; yygotominor.yy234.pOffset = 0;}
+        break;
+      case 155:
+{yygotominor.yy234.pLimit = yymsp[-2].minor.yy172; yygotominor.yy234.pOffset = yymsp[0].minor.yy172;}
+        break;
+      case 156:
+{yygotominor.yy234.pOffset = yymsp[-2].minor.yy172; yygotominor.yy234.pLimit = yymsp[0].minor.yy172;}
+        break;
+      case 157:
+{sqlite3DeleteFrom(pParse,yymsp[-1].minor.yy373,yymsp[0].minor.yy172);}
+        break;
+      case 160:
+{sqlite3Update(pParse,yymsp[-3].minor.yy373,yymsp[-1].minor.yy174,yymsp[0].minor.yy172,yymsp[-4].minor.yy46);}
+        break;
+      case 161:
+{yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-4].minor.yy174,yymsp[0].minor.yy172,&yymsp[-2].minor.yy410);}
+        break;
+      case 162:
+{yygotominor.yy174 = sqlite3ExprListAppend(0,yymsp[0].minor.yy172,&yymsp[-2].minor.yy410);}
+        break;
+      case 163:
+{sqlite3Insert(pParse, yymsp[-5].minor.yy373, yymsp[-1].minor.yy174, 0, yymsp[-4].minor.yy432, yymsp[-7].minor.yy46);}
+        break;
+      case 164:
+{sqlite3Insert(pParse, yymsp[-2].minor.yy373, 0, yymsp[0].minor.yy219, yymsp[-1].minor.yy432, yymsp[-4].minor.yy46);}
+        break;
+      case 165:
+{sqlite3Insert(pParse, yymsp[-3].minor.yy373, 0, 0, yymsp[-2].minor.yy432, yymsp[-5].minor.yy46);}
+        break;
+      case 168:
+      case 229:
+{yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-2].minor.yy174,yymsp[0].minor.yy172,0);}
+        break;
+      case 169:
+      case 230:
+{yygotominor.yy174 = sqlite3ExprListAppend(0,yymsp[0].minor.yy172,0);}
+        break;
+      case 172:
+{yygotominor.yy432 = sqlite3IdListAppend(yymsp[-2].minor.yy432,&yymsp[0].minor.yy410);}
+        break;
+      case 173:
+{yygotominor.yy432 = sqlite3IdListAppend(0,&yymsp[0].minor.yy410);}
+        break;
+      case 175:
+{yygotominor.yy172 = yymsp[-1].minor.yy172; sqlite3ExprSpan(yygotominor.yy172,&yymsp[-2].minor.yy0,&yymsp[0].minor.yy0); }
+        break;
+      case 176:
+      case 181:
+      case 182:
+{yygotominor.yy172 = sqlite3Expr(yymsp[0].major, 0, 0, &yymsp[0].minor.yy0);}
+        break;
+      case 177:
+      case 178:
+{yygotominor.yy172 = sqlite3Expr(TK_ID, 0, 0, &yymsp[0].minor.yy0);}
+        break;
+      case 179:
+{
+  Expr *temp1 = sqlite3Expr(TK_ID, 0, 0, &yymsp[-2].minor.yy410);
+  Expr *temp2 = sqlite3Expr(TK_ID, 0, 0, &yymsp[0].minor.yy410);
+  yygotominor.yy172 = sqlite3Expr(TK_DOT, temp1, temp2, 0);
+}
+        break;
+      case 180:
+{
+  Expr *temp1 = sqlite3Expr(TK_ID, 0, 0, &yymsp[-4].minor.yy410);
+  Expr *temp2 = sqlite3Expr(TK_ID, 0, 0, &yymsp[-2].minor.yy410);
+  Expr *temp3 = sqlite3Expr(TK_ID, 0, 0, &yymsp[0].minor.yy410);
+  Expr *temp4 = sqlite3Expr(TK_DOT, temp2, temp3, 0);
+  yygotominor.yy172 = sqlite3Expr(TK_DOT, temp1, temp4, 0);
+}
+        break;
+      case 183:
+{yygotominor.yy172 = sqlite3RegisterExpr(pParse, &yymsp[0].minor.yy0);}
+        break;
+      case 184:
+{
+  Token *pToken = &yymsp[0].minor.yy0;
+  Expr *pExpr = yygotominor.yy172 = sqlite3Expr(TK_VARIABLE, 0, 0, pToken);
+  sqlite3ExprAssignVarNumber(pParse, pExpr);
+}
+        break;
+      case 185:
+{
+  yygotominor.yy172 = sqlite3ExprSetColl(pParse, yymsp[-2].minor.yy172, &yymsp[0].minor.yy410);
+}
+        break;
+      case 186:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_CAST, yymsp[-3].minor.yy172, 0, &yymsp[-1].minor.yy410);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-5].minor.yy0,&yymsp[0].minor.yy0);
+}
+        break;
+      case 187:
+{
+  yygotominor.yy172 = sqlite3ExprFunction(yymsp[-1].minor.yy174, &yymsp[-4].minor.yy0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-4].minor.yy0,&yymsp[0].minor.yy0);
+  if( yymsp[-2].minor.yy46 && yygotominor.yy172 ){
+    yygotominor.yy172->flags |= EP_Distinct;
+  }
+}
+        break;
+      case 188:
+{
+  yygotominor.yy172 = sqlite3ExprFunction(0, &yymsp[-3].minor.yy0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-3].minor.yy0,&yymsp[0].minor.yy0);
+}
+        break;
+      case 189:
+{
+  /* The CURRENT_TIME, CURRENT_DATE, and CURRENT_TIMESTAMP values are
+  ** treated as functions that return constants */
+  yygotominor.yy172 = sqlite3ExprFunction(0,&yymsp[0].minor.yy0);
+  if( yygotominor.yy172 ){
+    yygotominor.yy172->op = TK_CONST_FUNC;  
+    yygotominor.yy172->span = yymsp[0].minor.yy0;
+  }
+}
+        break;
+      case 190:
+      case 191:
+      case 192:
+      case 193:
+      case 194:
+      case 195:
+      case 196:
+      case 197:
+{yygotominor.yy172 = sqlite3Expr(yymsp[-1].major, yymsp[-2].minor.yy172, yymsp[0].minor.yy172, 0);}
+        break;
+      case 198:
+      case 200:
+{yygotominor.yy72.eOperator = yymsp[0].minor.yy0; yygotominor.yy72.not = 0;}
+        break;
+      case 199:
+      case 201:
+{yygotominor.yy72.eOperator = yymsp[0].minor.yy0; yygotominor.yy72.not = 1;}
+        break;
+      case 204:
+{
+  ExprList *pList;
+  pList = sqlite3ExprListAppend(0, yymsp[-1].minor.yy172, 0);
+  pList = sqlite3ExprListAppend(pList, yymsp[-3].minor.yy172, 0);
+  if( yymsp[0].minor.yy172 ){
+    pList = sqlite3ExprListAppend(pList, yymsp[0].minor.yy172, 0);
+  }
+  yygotominor.yy172 = sqlite3ExprFunction(pList, &yymsp[-2].minor.yy72.eOperator);
+  if( yymsp[-2].minor.yy72.not ) yygotominor.yy172 = sqlite3Expr(TK_NOT, yygotominor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172, &yymsp[-3].minor.yy172->span, &yymsp[-1].minor.yy172->span);
+  if( yygotominor.yy172 ) yygotominor.yy172->flags |= EP_InfixFunc;
+}
+        break;
+      case 205:
+{
+  yygotominor.yy172 = sqlite3Expr(yymsp[0].major, yymsp[-1].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-1].minor.yy172->span,&yymsp[0].minor.yy0);
+}
+        break;
+      case 206:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_ISNULL, yymsp[-2].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-2].minor.yy172->span,&yymsp[0].minor.yy0);
+}
+        break;
+      case 207:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_NOTNULL, yymsp[-2].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-2].minor.yy172->span,&yymsp[0].minor.yy0);
+}
+        break;
+      case 208:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_NOTNULL, yymsp[-3].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-3].minor.yy172->span,&yymsp[0].minor.yy0);
+}
+        break;
+      case 209:
+{
+  yygotominor.yy172 = sqlite3Expr(yymsp[-1].major, yymsp[0].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-1].minor.yy0,&yymsp[0].minor.yy172->span);
+}
+        break;
+      case 210:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_UMINUS, yymsp[0].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-1].minor.yy0,&yymsp[0].minor.yy172->span);
+}
+        break;
+      case 211:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_UPLUS, yymsp[0].minor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-1].minor.yy0,&yymsp[0].minor.yy172->span);
+}
+        break;
+      case 214:
+{
+  ExprList *pList = sqlite3ExprListAppend(0, yymsp[-2].minor.yy172, 0);
+  pList = sqlite3ExprListAppend(pList, yymsp[0].minor.yy172, 0);
+  yygotominor.yy172 = sqlite3Expr(TK_BETWEEN, yymsp[-4].minor.yy172, 0, 0);
+  if( yygotominor.yy172 ){
+    yygotominor.yy172->pList = pList;
+  }else{
+    sqlite3ExprListDelete(pList);
+  } 
+  if( yymsp[-3].minor.yy46 ) yygotominor.yy172 = sqlite3Expr(TK_NOT, yygotominor.yy172, 0, 0);
+  sqlite3ExprSpan(yygotominor.yy172,&yymsp[-4].minor.yy172->span,&yymsp[0].minor.yy172->span);
+}
+        break;
+      case 217:
+{
+    yygotominor.yy172 = sqlite3Expr(TK_IN, yymsp[-4].minor.yy172, 0, 0);
+    if( yygotominor.yy172 ){
+      yygotominor.yy172->pList = yymsp[-1].minor.yy174;
+    }else{
+      sqlite3ExprListDelete(yymsp[-1].minor.yy174);
+    }
+    if( yymsp[-3].minor.yy46 ) yygotominor.yy172 = sqlite3Expr(TK_NOT, yygotominor.yy172, 0, 0);
+    sqlite3ExprSpan(yygotominor.yy172,&yymsp[-4].minor.yy172->span,&yymsp[0].minor.yy0);
+  }
+        break;
+      case 218:
+{
+    yygotominor.yy172 = sqlite3Expr(TK_SELECT, 0, 0, 0);
+    if( yygotominor.yy172 ){
+      yygotominor.yy172->pSelect = yymsp[-1].minor.yy219;
+    }else{
+      sqlite3SelectDelete(yymsp[-1].minor.yy219);
+    }
+    sqlite3ExprSpan(yygotominor.yy172,&yymsp[-2].minor.yy0,&yymsp[0].minor.yy0);
+  }
+        break;
+      case 219:
+{
+    yygotominor.yy172 = sqlite3Expr(TK_IN, yymsp[-4].minor.yy172, 0, 0);
+    if( yygotominor.yy172 ){
+      yygotominor.yy172->pSelect = yymsp[-1].minor.yy219;
+    }else{
+      sqlite3SelectDelete(yymsp[-1].minor.yy219);
+    }
+    if( yymsp[-3].minor.yy46 ) yygotominor.yy172 = sqlite3Expr(TK_NOT, yygotominor.yy172, 0, 0);
+    sqlite3ExprSpan(yygotominor.yy172,&yymsp[-4].minor.yy172->span,&yymsp[0].minor.yy0);
+  }
+        break;
+      case 220:
+{
+    SrcList *pSrc = sqlite3SrcListAppend(0,&yymsp[-1].minor.yy410,&yymsp[0].minor.yy410);
+    yygotominor.yy172 = sqlite3Expr(TK_IN, yymsp[-3].minor.yy172, 0, 0);
+    if( yygotominor.yy172 ){
+      yygotominor.yy172->pSelect = sqlite3SelectNew(0,pSrc,0,0,0,0,0,0,0);
+    }else{
+      sqlite3SrcListDelete(pSrc);
+    }
+    if( yymsp[-2].minor.yy46 ) yygotominor.yy172 = sqlite3Expr(TK_NOT, yygotominor.yy172, 0, 0);
+    sqlite3ExprSpan(yygotominor.yy172,&yymsp[-3].minor.yy172->span,yymsp[0].minor.yy410.z?&yymsp[0].minor.yy410:&yymsp[-1].minor.yy410);
+  }
+        break;
+      case 221:
+{
+    Expr *p = yygotominor.yy172 = sqlite3Expr(TK_EXISTS, 0, 0, 0);
+    if( p ){
+      p->pSelect = yymsp[-1].minor.yy219;
+      sqlite3ExprSpan(p,&yymsp[-3].minor.yy0,&yymsp[0].minor.yy0);
+    }else{
+      sqlite3SelectDelete(yymsp[-1].minor.yy219);
+    }
+  }
+        break;
+      case 222:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_CASE, yymsp[-3].minor.yy172, yymsp[-1].minor.yy172, 0);
+  if( yygotominor.yy172 ){
+    yygotominor.yy172->pList = yymsp[-2].minor.yy174;
+  }else{
+    sqlite3ExprListDelete(yymsp[-2].minor.yy174);
+  }
+  sqlite3ExprSpan(yygotominor.yy172, &yymsp[-4].minor.yy0, &yymsp[0].minor.yy0);
+}
+        break;
+      case 223:
+{
+  yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-4].minor.yy174, yymsp[-2].minor.yy172, 0);
+  yygotominor.yy174 = sqlite3ExprListAppend(yygotominor.yy174, yymsp[0].minor.yy172, 0);
+}
+        break;
+      case 224:
+{
+  yygotominor.yy174 = sqlite3ExprListAppend(0, yymsp[-2].minor.yy172, 0);
+  yygotominor.yy174 = sqlite3ExprListAppend(yygotominor.yy174, yymsp[0].minor.yy172, 0);
+}
+        break;
+      case 233:
+{
+  sqlite3CreateIndex(pParse, &yymsp[-6].minor.yy410, &yymsp[-5].minor.yy410, sqlite3SrcListAppend(0,&yymsp[-3].minor.yy410,0), yymsp[-1].minor.yy174, yymsp[-9].minor.yy46,
+                      &yymsp[-10].minor.yy0, &yymsp[0].minor.yy0, SQLITE_SO_ASC, yymsp[-7].minor.yy46);
+}
+        break;
+      case 234:
+      case 281:
+{yygotominor.yy46 = OE_Abort;}
+        break;
+      case 235:
+{yygotominor.yy46 = OE_None;}
+        break;
+      case 238:
+{
+  Expr *p = 0;
+  if( yymsp[-1].minor.yy410.n>0 ){
+    p = sqlite3Expr(TK_COLUMN, 0, 0, 0);
+    if( p ) p->pColl = sqlite3LocateCollSeq(pParse, (char*)yymsp[-1].minor.yy410.z, yymsp[-1].minor.yy410.n);
+  }
+  yygotominor.yy174 = sqlite3ExprListAppend(yymsp[-4].minor.yy174, p, &yymsp[-2].minor.yy410);
+  if( yygotominor.yy174 ) yygotominor.yy174->a[yygotominor.yy174->nExpr-1].sortOrder = yymsp[0].minor.yy46;
+}
+        break;
+      case 239:
+{
+  Expr *p = 0;
+  if( yymsp[-1].minor.yy410.n>0 ){
+    p = sqlite3Expr(TK_COLUMN, 0, 0, 0);
+    if( p ) p->pColl = sqlite3LocateCollSeq(pParse, (char*)yymsp[-1].minor.yy410.z, yymsp[-1].minor.yy410.n);
+  }
+  yygotominor.yy174 = sqlite3ExprListAppend(0, p, &yymsp[-2].minor.yy410);
+  if( yygotominor.yy174 ) yygotominor.yy174->a[yygotominor.yy174->nExpr-1].sortOrder = yymsp[0].minor.yy46;
+}
+        break;
+      case 241:
+{yygotominor.yy410.z = 0; yygotominor.yy410.n = 0;}
+        break;
+      case 243:
+{sqlite3DropIndex(pParse, yymsp[0].minor.yy373, yymsp[-1].minor.yy46);}
+        break;
+      case 244:
+      case 245:
+{sqlite3Vacuum(pParse);}
+        break;
+      case 246:
+{sqlite3Pragma(pParse,&yymsp[-3].minor.yy410,&yymsp[-2].minor.yy410,&yymsp[0].minor.yy410,0);}
+        break;
+      case 247:
+{sqlite3Pragma(pParse,&yymsp[-3].minor.yy410,&yymsp[-2].minor.yy410,&yymsp[0].minor.yy0,0);}
+        break;
+      case 248:
+{
+  sqlite3Pragma(pParse,&yymsp[-3].minor.yy410,&yymsp[-2].minor.yy410,&yymsp[0].minor.yy410,1);
+}
+        break;
+      case 249:
+{sqlite3Pragma(pParse,&yymsp[-4].minor.yy410,&yymsp[-3].minor.yy410,&yymsp[-1].minor.yy410,0);}
+        break;
+      case 250:
+{sqlite3Pragma(pParse,&yymsp[-1].minor.yy410,&yymsp[0].minor.yy410,0,0);}
+        break;
+      case 258:
+{
+  Token all;
+  all.z = yymsp[-3].minor.yy410.z;
+  all.n = (yymsp[0].minor.yy0.z - yymsp[-3].minor.yy410.z) + yymsp[0].minor.yy0.n;
+  sqlite3FinishTrigger(pParse, yymsp[-1].minor.yy243, &all);
+}
+        break;
+      case 259:
+{
+  sqlite3BeginTrigger(pParse, &yymsp[-7].minor.yy410, &yymsp[-6].minor.yy410, yymsp[-5].minor.yy46, yymsp[-4].minor.yy370.a, yymsp[-4].minor.yy370.b, yymsp[-2].minor.yy373, yymsp[0].minor.yy172, yymsp[-10].minor.yy46, yymsp[-8].minor.yy46);
+  yygotominor.yy410 = (yymsp[-6].minor.yy410.n==0?yymsp[-7].minor.yy410:yymsp[-6].minor.yy410);
+}
+        break;
+      case 260:
+      case 263:
+{ yygotominor.yy46 = TK_BEFORE; }
+        break;
+      case 261:
+{ yygotominor.yy46 = TK_AFTER;  }
+        break;
+      case 262:
+{ yygotominor.yy46 = TK_INSTEAD;}
+        break;
+      case 264:
+      case 265:
+{yygotominor.yy370.a = yymsp[0].major; yygotominor.yy370.b = 0;}
+        break;
+      case 266:
+{yygotominor.yy370.a = TK_UPDATE; yygotominor.yy370.b = yymsp[0].minor.yy432;}
+        break;
+      case 269:
+{ yygotominor.yy172 = 0; }
+        break;
+      case 270:
+{ yygotominor.yy172 = yymsp[0].minor.yy172; }
+        break;
+      case 271:
+{
+  if( yymsp[-2].minor.yy243 ){
+    yymsp[-2].minor.yy243->pLast->pNext = yymsp[-1].minor.yy243;
+  }else{
+    yymsp[-2].minor.yy243 = yymsp[-1].minor.yy243;
+  }
+  yymsp[-2].minor.yy243->pLast = yymsp[-1].minor.yy243;
+  yygotominor.yy243 = yymsp[-2].minor.yy243;
+}
+        break;
+      case 272:
+{ yygotominor.yy243 = 0; }
+        break;
+      case 273:
+{ yygotominor.yy243 = sqlite3TriggerUpdateStep(&yymsp[-3].minor.yy410, yymsp[-1].minor.yy174, yymsp[0].minor.yy172, yymsp[-4].minor.yy46); }
+        break;
+      case 274:
+{yygotominor.yy243 = sqlite3TriggerInsertStep(&yymsp[-5].minor.yy410, yymsp[-4].minor.yy432, yymsp[-1].minor.yy174, 0, yymsp[-7].minor.yy46);}
+        break;
+      case 275:
+{yygotominor.yy243 = sqlite3TriggerInsertStep(&yymsp[-2].minor.yy410, yymsp[-1].minor.yy432, 0, yymsp[0].minor.yy219, yymsp[-4].minor.yy46);}
+        break;
+      case 276:
+{yygotominor.yy243 = sqlite3TriggerDeleteStep(&yymsp[-1].minor.yy410, yymsp[0].minor.yy172);}
+        break;
+      case 277:
+{yygotominor.yy243 = sqlite3TriggerSelectStep(yymsp[0].minor.yy219); }
+        break;
+      case 278:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_RAISE, 0, 0, 0); 
+  if( yygotominor.yy172 ){
+    yygotominor.yy172->iColumn = OE_Ignore;
+    sqlite3ExprSpan(yygotominor.yy172, &yymsp[-3].minor.yy0, &yymsp[0].minor.yy0);
+  }
+}
+        break;
+      case 279:
+{
+  yygotominor.yy172 = sqlite3Expr(TK_RAISE, 0, 0, &yymsp[-1].minor.yy410); 
+  if( yygotominor.yy172 ) {
+    yygotominor.yy172->iColumn = yymsp[-3].minor.yy46;
+    sqlite3ExprSpan(yygotominor.yy172, &yymsp[-5].minor.yy0, &yymsp[0].minor.yy0);
+  }
+}
+        break;
+      case 280:
+{yygotominor.yy46 = OE_Rollback;}
+        break;
+      case 282:
+{yygotominor.yy46 = OE_Fail;}
+        break;
+      case 283:
+{
+  sqlite3DropTrigger(pParse,yymsp[0].minor.yy373,yymsp[-1].minor.yy46);
+}
+        break;
+      case 284:
+{
+  sqlite3Attach(pParse, yymsp[-3].minor.yy172, yymsp[-1].minor.yy172, yymsp[0].minor.yy386);
+}
+        break;
+      case 285:
+{
+  sqlite3Detach(pParse, yymsp[0].minor.yy172);
+}
+        break;
+      case 286:
+{ yygotominor.yy386 = 0; }
+        break;
+      case 287:
+{ yygotominor.yy386 = yymsp[0].minor.yy172; }
+        break;
+      case 290:
+{sqlite3Reindex(pParse, 0, 0);}
+        break;
+      case 291:
+{sqlite3Reindex(pParse, &yymsp[-1].minor.yy410, &yymsp[0].minor.yy410);}
+        break;
+      case 292:
+{sqlite3Analyze(pParse, 0, 0);}
+        break;
+      case 293:
+{sqlite3Analyze(pParse, &yymsp[-1].minor.yy410, &yymsp[0].minor.yy410);}
+        break;
+      case 294:
+{
+  sqlite3AlterRenameTable(pParse,yymsp[-3].minor.yy373,&yymsp[0].minor.yy410);
+}
+        break;
+      case 295:
+{
+  sqlite3AlterFinishAddColumn(pParse, &yymsp[0].minor.yy410);
+}
+        break;
+      case 296:
+{
+  sqlite3AlterBeginAddColumn(pParse, yymsp[0].minor.yy373);
+}
+        break;
+      case 299:
+{sqlite3VtabFinishParse(pParse,0);}
+        break;
+      case 300:
+{sqlite3VtabFinishParse(pParse,&yymsp[0].minor.yy0);}
+        break;
+      case 301:
+{
+    sqlite3VtabBeginParse(pParse, &yymsp[-3].minor.yy410, &yymsp[-2].minor.yy410, &yymsp[0].minor.yy410);
+}
+        break;
+      case 304:
+{sqlite3VtabArgInit(pParse);}
+        break;
+      case 306:
+      case 307:
+      case 308:
+      case 310:
+{sqlite3VtabArgExtend(pParse,&yymsp[0].minor.yy0);}
+        break;
+  };
+  yygoto = yyRuleInfo[yyruleno].lhs;
+  yysize = yyRuleInfo[yyruleno].nrhs;
+  yypParser->yyidx -= yysize;
+  yyact = yy_find_reduce_action(yymsp[-yysize].stateno,yygoto);
+  if( yyact < YYNSTATE ){
+#ifdef NDEBUG
+    /* If we are not debugging and the reduce action popped at least
+    ** one element off the stack, then we can push the new element back
+    ** onto the stack here, and skip the stack overflow test in yy_shift().
+    ** That gives a significant speed improvement. */
+    if( yysize ){
+      yypParser->yyidx++;
+      yymsp -= yysize-1;
+      yymsp->stateno = yyact;
+      yymsp->major = yygoto;
+      yymsp->minor = yygotominor;
+    }else
+#endif
+    {
+      yy_shift(yypParser,yyact,yygoto,&yygotominor);
+    }
+  }else if( yyact == YYNSTATE + YYNRULE + 1 ){
+    yy_accept(yypParser);
+  }
+}
+
+/*
+** The following code executes when the parse fails
+*/
+static void yy_parse_failed(
+  yyParser *yypParser           /* The parser */
+){
+  sqlite3ParserARG_FETCH;
+#ifndef NDEBUG
+  if( yyTraceFILE ){
+    fprintf(yyTraceFILE,"%sFail!\n",yyTracePrompt);
+  }
+#endif
+  while( yypParser->yyidx>=0 ) yy_pop_parser_stack(yypParser);
+  /* Here code is inserted which will be executed whenever the
+  ** parser fails */
+  sqlite3ParserARG_STORE; /* Suppress warning about unused %extra_argument variable */
+}
+
+/*
+** The following code executes when a syntax error first occurs.
+*/
+static void yy_syntax_error(
+  yyParser *yypParser,           /* The parser */
+  int yymajor,                   /* The major type of the error token */
+  YYMINORTYPE yyminor            /* The minor type of the error token */
+){
+  sqlite3ParserARG_FETCH;
+#define TOKEN (yyminor.yy0)
+
+  if( !pParse->parseError ){
+    if( TOKEN.z[0] ){
+      sqlite3ErrorMsg(pParse, "near \"%T\": syntax error", &TOKEN);
+    }else{
+      sqlite3ErrorMsg(pParse, "incomplete SQL statement");
+    }
+    pParse->parseError = 1;
+  }
+  sqlite3ParserARG_STORE; /* Suppress warning about unused %extra_argument variable */
+}
+
+/*
+** The following is executed when the parser accepts
+*/
+static void yy_accept(
+  yyParser *yypParser           /* The parser */
+){
+  sqlite3ParserARG_FETCH;
+#ifndef NDEBUG
+  if( yyTraceFILE ){
+    fprintf(yyTraceFILE,"%sAccept!\n",yyTracePrompt);
+  }
+#endif
+  while( yypParser->yyidx>=0 ) yy_pop_parser_stack(yypParser);
+  /* Here code is inserted which will be executed whenever the
+  ** parser accepts */
+  sqlite3ParserARG_STORE; /* Suppress warning about unused %extra_argument variable */
+}
+
+/* The main parser program.
+** The first argument is a pointer to a structure obtained from
+** "sqlite3ParserAlloc" which describes the current state of the parser.
+** The second argument is the major token number.  The third is
+** the minor token.  The fourth optional argument is whatever the
+** user wants (and specified in the grammar) and is available for
+** use by the action routines.
+**
+** Inputs:
+** <ul>
+** <li> A pointer to the parser (an opaque structure.)
+** <li> The major token number.
+** <li> The minor token number.
+** <li> An option argument of a grammar-specified type.
+** </ul>
+**
+** Outputs:
+** None.
+*/
+void sqlite3Parser(
+  void *yyp,                   /* The parser */
+  int yymajor,                 /* The major token code number */
+  sqlite3ParserTOKENTYPE yyminor       /* The value for the token */
+  sqlite3ParserARG_PDECL               /* Optional %extra_argument parameter */
+){
+  YYMINORTYPE yyminorunion;
+  int yyact;            /* The parser action. */
+  int yyendofinput;     /* True if we are at the end of input */
+  int yyerrorhit = 0;   /* True if yymajor has invoked an error */
+  yyParser *yypParser;  /* The parser */
+
+  /* (re)initialize the parser, if necessary */
+  yypParser = (yyParser*)yyp;
+  if( yypParser->yyidx<0 ){
+#if YYSTACKDEPTH<=0
+    if( yypParser->yystksz <=0 ){
+      memset(&yyminorunion, 0, sizeof(yyminorunion));
+      yyStackOverflow(yypParser, &yyminorunion);
+      return;
+    }
+#endif
+    yypParser->yyidx = 0;
+    yypParser->yyerrcnt = -1;
+    yypParser->yystack[0].stateno = 0;
+    yypParser->yystack[0].major = 0;
+  }
+  yyminorunion.yy0 = yyminor;
+  yyendofinput = (yymajor==0);
+  sqlite3ParserARG_STORE;
+
+#ifndef NDEBUG
+  if( yyTraceFILE ){
+    fprintf(yyTraceFILE,"%sInput %s\n",yyTracePrompt,yyTokenName[yymajor]);
+  }
+#endif
+
+  do{
+    yyact = yy_find_shift_action(yypParser,yymajor);
+    if( yyact<YYNSTATE ){
+      yy_shift(yypParser,yyact,yymajor,&yyminorunion);
+      yypParser->yyerrcnt--;
+      if( yyendofinput && yypParser->yyidx>=0 ){
+        yymajor = 0;
+      }else{
+        yymajor = YYNOCODE;
+      }
+    }else if( yyact < YYNSTATE + YYNRULE ){
+      yy_reduce(yypParser,yyact-YYNSTATE);
+    }else if( yyact == YY_ERROR_ACTION ){
+      int yymx;
+#ifndef NDEBUG
+      if( yyTraceFILE ){
+        fprintf(yyTraceFILE,"%sSyntax Error!\n",yyTracePrompt);
+      }
+#endif
+#ifdef YYERRORSYMBOL
+      /* A syntax error has occurred.
+      ** The response to an error depends upon whether or not the
+      ** grammar defines an error token "ERROR".  
+      **
+      ** This is what we do if the grammar does define ERROR:
+      **
+      **  * Call the %syntax_error function.
+      **
+      **  * Begin popping the stack until we enter a state where
+      **    it is legal to shift the error symbol, then shift
+      **    the error symbol.
+      **
+      **  * Set the error count to three.
+      **
+      **  * Begin accepting and shifting new tokens.  No new error
+      **    processing will occur until three tokens have been
+      **    shifted successfully.
+      **
+      */
+      if( yypParser->yyerrcnt<0 ){
+        yy_syntax_error(yypParser,yymajor,yyminorunion);
+      }
+      yymx = yypParser->yystack[yypParser->yyidx].major;
+      if( yymx==YYERRORSYMBOL || yyerrorhit ){
+#ifndef NDEBUG
+        if( yyTraceFILE ){
+          fprintf(yyTraceFILE,"%sDiscard input token %s\n",
+             yyTracePrompt,yyTokenName[yymajor]);
+        }
+#endif
+        yy_destructor(yymajor,&yyminorunion);
+        yymajor = YYNOCODE;
+      }else{
+         while(
+          yypParser->yyidx >= 0 &&
+          yymx != YYERRORSYMBOL &&
+          (yyact = yy_find_reduce_action(
+                        yypParser->yystack[yypParser->yyidx].stateno,
+                        YYERRORSYMBOL)) >= YYNSTATE
+        ){
+          yy_pop_parser_stack(yypParser);
+        }
+        if( yypParser->yyidx < 0 || yymajor==0 ){
+          yy_destructor(yymajor,&yyminorunion);
+          yy_parse_failed(yypParser);
+          yymajor = YYNOCODE;
+        }else if( yymx!=YYERRORSYMBOL ){
+          YYMINORTYPE u2;
+          u2.YYERRSYMDT = 0;
+          yy_shift(yypParser,yyact,YYERRORSYMBOL,&u2);
+        }
+      }
+      yypParser->yyerrcnt = 3;
+      yyerrorhit = 1;
+#else  /* YYERRORSYMBOL is not defined */
+      /* This is what we do if the grammar does not define ERROR:
+      **
+      **  * Report an error message, and throw away the input token.
+      **
+      **  * If the input token is $, then fail the parse.
+      **
+      ** As before, subsequent error messages are suppressed until
+      ** three input tokens have been successfully shifted.
+      */
+      if( yypParser->yyerrcnt<=0 ){
+        yy_syntax_error(yypParser,yymajor,yyminorunion);
+      }
+      yypParser->yyerrcnt = 3;
+      yy_destructor(yymajor,&yyminorunion);
+      if( yyendofinput ){
+        yy_parse_failed(yypParser);
+      }
+      yymajor = YYNOCODE;
+#endif
+    }else{
+      yy_accept(yypParser);
+      yymajor = YYNOCODE;
+    }
+  }while( yymajor!=YYNOCODE && yypParser->yyidx>=0 );
+  return;
+}
+
+/************** End of parse.c ***********************************************/
+/************** Begin file tokenize.c ****************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** An tokenizer for SQL
+**
+** This file contains C code that splits an SQL input string up into
+** individual tokens and sends those tokens one-by-one over to the
+** parser for analysis.
+**
+** $Id$
+*/
+
+/*
+** The charMap() macro maps alphabetic characters into their
+** lower-case ASCII equivalent.  On ASCII machines, this is just
+** an upper-to-lower case map.  On EBCDIC machines we also need
+** to adjust the encoding.  Only alphabetic characters and underscores
+** need to be translated.
+*/
+#ifdef SQLITE_ASCII
+# define charMap(X) sqlite3UpperToLower[(unsigned char)X]
+#endif
+#ifdef SQLITE_EBCDIC
+# define charMap(X) ebcdicToAscii[(unsigned char)X]
+const unsigned char ebcdicToAscii[] = {
+/* 0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 0x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 1x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 2x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 3x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 4x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 5x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0, 95,  0,  0,  /* 6x */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* 7x */
+   0, 97, 98, 99,100,101,102,103,104,105,  0,  0,  0,  0,  0,  0,  /* 8x */
+   0,106,107,108,109,110,111,112,113,114,  0,  0,  0,  0,  0,  0,  /* 9x */
+   0,  0,115,116,117,118,119,120,121,122,  0,  0,  0,  0,  0,  0,  /* Ax */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* Bx */
+   0, 97, 98, 99,100,101,102,103,104,105,  0,  0,  0,  0,  0,  0,  /* Cx */
+   0,106,107,108,109,110,111,112,113,114,  0,  0,  0,  0,  0,  0,  /* Dx */
+   0,  0,115,116,117,118,119,120,121,122,  0,  0,  0,  0,  0,  0,  /* Ex */
+   0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  /* Fx */
+};
+#endif
+
+/*
+** The sqlite3KeywordCode function looks up an identifier to determine if
+** it is a keyword.  If it is a keyword, the token code of that keyword is 
+** returned.  If the input is not a keyword, TK_ID is returned.
+**
+** The implementation of this routine was generated by a program,
+** mkkeywordhash.h, located in the tool subdirectory of the distribution.
+** The output of the mkkeywordhash.c program is written into a file
+** named keywordhash.h and then included into this source file by
+** the #include below.
+*/
+/************** Include keywordhash.h in the middle of tokenize.c ************/
+/************** Begin file keywordhash.h *************************************/
+/***** This file contains automatically generated code ******
+**
+** The code in this file has been automatically generated by
+**
+**     $Header$
+**
+** The code in this file implements a function that determines whether
+** or not a given identifier is really an SQL keyword.  The same thing
+** might be implemented more directly using a hand-written hash table.
+** But by using this automatically generated code, the size of the code
+** is substantially reduced.  This is important for embedded applications
+** on platforms with limited memory.
+*/
+/* Hash score: 165 */
+static int keywordCode(const char *z, int n){
+  static const char zText[536] =
+    "ABORTABLEFTEMPORARYADDATABASELECTHENDEFAULTRANSACTIONATURALTER"
+    "AISEACHECKEYAFTEREFERENCESCAPELSEXCEPTRIGGEREGEXPLAINITIALLYANALYZE"
+    "XCLUSIVEXISTSANDEFERRABLEATTACHAVINGLOBEFOREIGNOREINDEXAUTOINCREMENT"
+    "BEGINNERENAMEBETWEENOTNULLIKEBYCASCADEFERREDELETECASECASTCOLLATE"
+    "COLUMNCOMMITCONFLICTCONSTRAINTERSECTCREATECROSSCURRENT_DATECURRENT_TIMESTAMP"
+    "LANDESCDETACHDISTINCTDROPRAGMATCHFAILIMITFROMFULLGROUPDATEIFIMMEDIATE"
+    "INSERTINSTEADINTOFFSETISNULLJOINORDEREPLACEOUTERESTRICTPRIMARY"
+    "QUERYRIGHTROLLBACKROWHENUNIONUNIQUEUSINGVACUUMVALUESVIEWHEREVIRTUAL"
+  ;
+  static const unsigned char aHash[127] = {
+      91,  79, 106,  90,   0,   4,   0,   0, 113,   0,  82,   0,   0,
+      94,  43,  75,  92,   0, 105, 108,  96,  89,   0,  10,   0,   0,
+     112,   0, 116, 102,   0,  28,  47,   0,  40,   0,   0,  64,  70,
+       0,  62,  19,   0, 104,  35, 103,   0, 107,  73,   0,   0,  33,
+       0,  60,  36,   0,   8,   0, 114,  37,  12,   0,  76,  39,  25,
+      65,   0,   0,  31,  80,  52,  30,  49,  20,  87,   0,  34,   0,
+      74,  26,   0,  71,   0,   0,   0,  63,  46,  66,  22,  86,  29,
+      68,  85,   0,   1,   0,   9, 100,  57,  18,   0, 111,  81,  98,
+      53,   6,  84,   0,   0,  48,  93,   0, 101,   0,  69,   0,   0,
+      15,   0, 115,  50,  55,   0,   2,  54,   0, 110,
+  };
+  static const unsigned char aNext[116] = {
+       0,   0,   0,   0,   0,   3,   0,   0,   0,   0,   0,   0,   0,
+       0,   0,   0,   0,   0,   0,   0,   0,  17,   0,   0,   0,   0,
+       0,  11,   0,   0,   0,   0,   5,  13,   7,   0,   0,   0,   0,
+       0,   0,   0,   0,   0,   0,  42,   0,   0,   0,   0,   0,   0,
+       0,  16,   0,  23,  51,   0,   0,   0,   0,  44,   0,  58,   0,
+       0,   0,   0,   0,   0,   0,   0,  72,  41,   0,  24,  59,  21,
+       0,  78,   0,   0,  67,   0,   0,  83,  45,   0,   0,   0,   0,
+       0,   0,   0,   0,  38,  95,  97,   0,   0,  99,   0,  32,   0,
+      14,  27,  77,   0,  56,  88,   0,   0,   0,  61,   0, 109,
+  };
+  static const unsigned char aLen[116] = {
+       5,   5,   4,   4,   9,   2,   3,   8,   2,   6,   4,   3,   7,
+      11,   2,   7,   5,   5,   4,   5,   3,   5,  10,   6,   4,   6,
+       7,   6,   7,   9,   3,   7,   9,   6,   3,  10,   6,   6,   4,
+       6,   3,   7,   6,   7,   5,  13,   2,   2,   5,   5,   6,   7,
+       3,   7,   4,   4,   2,   7,   3,   8,   6,   4,   4,   7,   6,
+       6,   8,  10,   9,   6,   5,  12,  12,  17,   4,   4,   6,   8,
+       2,   4,   6,   5,   4,   5,   4,   4,   5,   6,   2,   9,   6,
+       7,   4,   2,   6,   3,   6,   4,   5,   7,   5,   8,   7,   5,
+       5,   8,   3,   4,   5,   6,   5,   6,   6,   4,   5,   7,
+  };
+  static const unsigned short int aOffset[116] = {
+       0,   4,   7,  10,  10,  14,  19,  21,  26,  27,  32,  34,  36,
+      42,  51,  52,  57,  61,  65,  67,  71,  74,  78,  86,  91,  94,
+      99, 105, 108, 113, 118, 122, 128, 136, 142, 144, 154, 159, 164,
+     167, 169, 169, 173, 177, 179, 184, 186, 188, 197, 200, 204, 210,
+     216, 216, 219, 222, 226, 228, 229, 233, 240, 246, 250, 254, 261,
+     267, 273, 281, 288, 297, 303, 308, 320, 320, 336, 340, 344, 350,
+     351, 358, 361, 365, 370, 373, 378, 382, 386, 389, 395, 397, 406,
+     412, 419, 422, 422, 425, 428, 434, 438, 442, 449, 453, 461, 468,
+     473, 478, 486, 488, 492, 497, 503, 508, 514, 520, 523, 528,
+  };
+  static const unsigned char aCode[116] = {
+    TK_ABORT,      TK_TABLE,      TK_JOIN_KW,    TK_TEMP,       TK_TEMP,       
+    TK_OR,         TK_ADD,        TK_DATABASE,   TK_AS,         TK_SELECT,     
+    TK_THEN,       TK_END,        TK_DEFAULT,    TK_TRANSACTION,TK_ON,         
+    TK_JOIN_KW,    TK_ALTER,      TK_RAISE,      TK_EACH,       TK_CHECK,      
+    TK_KEY,        TK_AFTER,      TK_REFERENCES, TK_ESCAPE,     TK_ELSE,       
+    TK_EXCEPT,     TK_TRIGGER,    TK_LIKE_KW,    TK_EXPLAIN,    TK_INITIALLY,  
+    TK_ALL,        TK_ANALYZE,    TK_EXCLUSIVE,  TK_EXISTS,     TK_AND,        
+    TK_DEFERRABLE, TK_ATTACH,     TK_HAVING,     TK_LIKE_KW,    TK_BEFORE,     
+    TK_FOR,        TK_FOREIGN,    TK_IGNORE,     TK_REINDEX,    TK_INDEX,      
+    TK_AUTOINCR,   TK_TO,         TK_IN,         TK_BEGIN,      TK_JOIN_KW,    
+    TK_RENAME,     TK_BETWEEN,    TK_NOT,        TK_NOTNULL,    TK_NULL,       
+    TK_LIKE_KW,    TK_BY,         TK_CASCADE,    TK_ASC,        TK_DEFERRED,   
+    TK_DELETE,     TK_CASE,       TK_CAST,       TK_COLLATE,    TK_COLUMNKW,   
+    TK_COMMIT,     TK_CONFLICT,   TK_CONSTRAINT, TK_INTERSECT,  TK_CREATE,     
+    TK_JOIN_KW,    TK_CTIME_KW,   TK_CTIME_KW,   TK_CTIME_KW,   TK_PLAN,       
+    TK_DESC,       TK_DETACH,     TK_DISTINCT,   TK_IS,         TK_DROP,       
+    TK_PRAGMA,     TK_MATCH,      TK_FAIL,       TK_LIMIT,      TK_FROM,       
+    TK_JOIN_KW,    TK_GROUP,      TK_UPDATE,     TK_IF,         TK_IMMEDIATE,  
+    TK_INSERT,     TK_INSTEAD,    TK_INTO,       TK_OF,         TK_OFFSET,     
+    TK_SET,        TK_ISNULL,     TK_JOIN,       TK_ORDER,      TK_REPLACE,    
+    TK_JOIN_KW,    TK_RESTRICT,   TK_PRIMARY,    TK_QUERY,      TK_JOIN_KW,    
+    TK_ROLLBACK,   TK_ROW,        TK_WHEN,       TK_UNION,      TK_UNIQUE,     
+    TK_USING,      TK_VACUUM,     TK_VALUES,     TK_VIEW,       TK_WHERE,      
+    TK_VIRTUAL,    
+  };
+  int h, i;
+  if( n<2 ) return TK_ID;
+  h = ((charMap(z[0])*4) ^
+      (charMap(z[n-1])*3) ^
+      n) % 127;
+  for(i=((int)aHash[h])-1; i>=0; i=((int)aNext[i])-1){
+    if( aLen[i]==n && sqlite3StrNICmp(&zText[aOffset[i]],z,n)==0 ){
+      return aCode[i];
+    }
+  }
+  return TK_ID;
+}
+int sqlite3KeywordCode(const unsigned char *z, int n){
+  return keywordCode((char*)z, n);
+}
+
+/************** End of keywordhash.h *****************************************/
+/************** Continuing where we left off in tokenize.c *******************/
+
+
+/*
+** If X is a character that can be used in an identifier then
+** IdChar(X) will be true.  Otherwise it is false.
+**
+** For ASCII, any character with the high-order bit set is
+** allowed in an identifier.  For 7-bit characters, 
+** sqlite3IsIdChar[X] must be 1.
+**
+** For EBCDIC, the rules are more complex but have the same
+** end result.
+**
+** Ticket #1066.  the SQL standard does not allow '$' in the
+** middle of identfiers.  But many SQL implementations do. 
+** SQLite will allow '$' in identifiers for compatibility.
+** But the feature is undocumented.
+*/
+#ifdef SQLITE_ASCII
+const char sqlite3IsIdChar[] = {
+/* x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF */
+    0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 2x */
+    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,  /* 3x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,  /* 4x */
+    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1,  /* 5x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,  /* 6x */
+    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0,  /* 7x */
+};
+#define IdChar(C)  (((c=C)&0x80)!=0 || (c>0x1f && sqlite3IsIdChar[c-0x20]))
+#endif
+#ifdef SQLITE_EBCDIC
+const char sqlite3IsIdChar[] = {
+/* x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF */
+    0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,  /* 4x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0,  /* 5x */
+    0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0,  /* 6x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,  /* 7x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0,  /* 8x */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0,  /* 9x */
+    1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0,  /* Ax */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* Bx */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1,  /* Cx */
+    0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1,  /* Dx */
+    0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1,  /* Ex */
+    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0,  /* Fx */
+};
+#define IdChar(C)  (((c=C)>=0x42 && sqlite3IsIdChar[c-0x40]))
+#endif
+
+
+/*
+** Return the length of the token that begins at z[0]. 
+** Store the token type in *tokenType before returning.
+*/
+static int getToken(const unsigned char *z, int *tokenType){
+  int i, c;
+  switch( *z ){
+    case ' ': case '\t': case '\n': case '\f': case '\r': {
+      for(i=1; isspace(z[i]); i++){}
+      *tokenType = TK_SPACE;
+      return i;
+    }
+    case '-': {
+      if( z[1]=='-' ){
+        for(i=2; (c=z[i])!=0 && c!='\n'; i++){}
+        *tokenType = TK_COMMENT;
+        return i;
+      }
+      *tokenType = TK_MINUS;
+      return 1;
+    }
+    case '(': {
+      *tokenType = TK_LP;
+      return 1;
+    }
+    case ')': {
+      *tokenType = TK_RP;
+      return 1;
+    }
+    case ';': {
+      *tokenType = TK_SEMI;
+      return 1;
+    }
+    case '+': {
+      *tokenType = TK_PLUS;
+      return 1;
+    }
+    case '*': {
+      *tokenType = TK_STAR;
+      return 1;
+    }
+    case '/': {
+      if( z[1]!='*' || z[2]==0 ){
+        *tokenType = TK_SLASH;
+        return 1;
+      }
+      for(i=3, c=z[2]; (c!='*' || z[i]!='/') && (c=z[i])!=0; i++){}
+      if( c ) i++;
+      *tokenType = TK_COMMENT;
+      return i;
+    }
+    case '%': {
+      *tokenType = TK_REM;
+      return 1;
+    }
+    case '=': {
+      *tokenType = TK_EQ;
+      return 1 + (z[1]=='=');
+    }
+    case '<': {
+      if( (c=z[1])=='=' ){
+        *tokenType = TK_LE;
+        return 2;
+      }else if( c=='>' ){
+        *tokenType = TK_NE;
+        return 2;
+      }else if( c=='<' ){
+        *tokenType = TK_LSHIFT;
+        return 2;
+      }else{
+        *tokenType = TK_LT;
+        return 1;
+      }
+    }
+    case '>': {
+      if( (c=z[1])=='=' ){
+        *tokenType = TK_GE;
+        return 2;
+      }else if( c=='>' ){
+        *tokenType = TK_RSHIFT;
+        return 2;
+      }else{
+        *tokenType = TK_GT;
+        return 1;
+      }
+    }
+    case '!': {
+      if( z[1]!='=' ){
+        *tokenType = TK_ILLEGAL;
+        return 2;
+      }else{
+        *tokenType = TK_NE;
+        return 2;
+      }
+    }
+    case '|': {
+      if( z[1]!='|' ){
+        *tokenType = TK_BITOR;
+        return 1;
+      }else{
+        *tokenType = TK_CONCAT;
+        return 2;
+      }
+    }
+    case ',': {
+      *tokenType = TK_COMMA;
+      return 1;
+    }
+    case '&': {
+      *tokenType = TK_BITAND;
+      return 1;
+    }
+    case '~': {
+      *tokenType = TK_BITNOT;
+      return 1;
+    }
+    case '`':
+    case '\'':
+    case '"': {
+      int delim = z[0];
+      for(i=1; (c=z[i])!=0; i++){
+        if( c==delim ){
+          if( z[i+1]==delim ){
+            i++;
+          }else{
+            break;
+          }
+        }
+      }
+      if( c ){
+        *tokenType = TK_STRING;
+        return i+1;
+      }else{
+        *tokenType = TK_ILLEGAL;
+        return i;
+      }
+    }
+    case '.': {
+#ifndef SQLITE_OMIT_FLOATING_POINT
+      if( !isdigit(z[1]) )
+#endif
+      {
+        *tokenType = TK_DOT;
+        return 1;
+      }
+      /* If the next character is a digit, this is a floating point
+      ** number that begins with ".".  Fall thru into the next case */
+    }
+    case '0': case '1': case '2': case '3': case '4':
+    case '5': case '6': case '7': case '8': case '9': {
+      *tokenType = TK_INTEGER;
+      for(i=0; isdigit(z[i]); i++){}
+#ifndef SQLITE_OMIT_FLOATING_POINT
+      if( z[i]=='.' ){
+        i++;
+        while( isdigit(z[i]) ){ i++; }
+        *tokenType = TK_FLOAT;
+      }
+      if( (z[i]=='e' || z[i]=='E') &&
+           ( isdigit(z[i+1]) 
+            || ((z[i+1]=='+' || z[i+1]=='-') && isdigit(z[i+2]))
+           )
+      ){
+        i += 2;
+        while( isdigit(z[i]) ){ i++; }
+        *tokenType = TK_FLOAT;
+      }
+#endif
+      while( IdChar(z[i]) ){
+        *tokenType = TK_ILLEGAL;
+        i++;
+      }
+      return i;
+    }
+    case '[': {
+      for(i=1, c=z[0]; c!=']' && (c=z[i])!=0; i++){}
+      *tokenType = TK_ID;
+      return i;
+    }
+    case '?': {
+      *tokenType = TK_VARIABLE;
+      for(i=1; isdigit(z[i]); i++){}
+      return i;
+    }
+    case '#': {
+      for(i=1; isdigit(z[i]); i++){}
+      if( i>1 ){
+        /* Parameters of the form #NNN (where NNN is a number) are used
+        ** internally by sqlite3NestedParse.  */
+        *tokenType = TK_REGISTER;
+        return i;
+      }
+      /* Fall through into the next case if the '#' is not followed by
+      ** a digit. Try to match #AAAA where AAAA is a parameter name. */
+    }
+#ifndef SQLITE_OMIT_TCL_VARIABLE
+    case '$':
+#endif
+    case '@':  /* For compatibility with MS SQL Server */
+    case ':': {
+      int n = 0;
+      *tokenType = TK_VARIABLE;
+      for(i=1; (c=z[i])!=0; i++){
+        if( IdChar(c) ){
+          n++;
+#ifndef SQLITE_OMIT_TCL_VARIABLE
+        }else if( c=='(' && n>0 ){
+          do{
+            i++;
+          }while( (c=z[i])!=0 && !isspace(c) && c!=')' );
+          if( c==')' ){
+            i++;
+          }else{
+            *tokenType = TK_ILLEGAL;
+          }
+          break;
+        }else if( c==':' && z[i+1]==':' ){
+          i++;
+#endif
+        }else{
+          break;
+        }
+      }
+      if( n==0 ) *tokenType = TK_ILLEGAL;
+      return i;
+    }
+#ifndef SQLITE_OMIT_BLOB_LITERAL
+    case 'x': case 'X': {
+      if( (c=z[1])=='\'' || c=='"' ){
+        int delim = c;
+        *tokenType = TK_BLOB;
+        for(i=2; (c=z[i])!=0; i++){
+          if( c==delim ){
+            if( i%2 ) *tokenType = TK_ILLEGAL;
+            break;
+          }
+          if( !isxdigit(c) ){
+            *tokenType = TK_ILLEGAL;
+            return i;
+          }
+        }
+        if( c ) i++;
+        return i;
+      }
+      /* Otherwise fall through to the next case */
+    }
+#endif
+    default: {
+      if( !IdChar(*z) ){
+        break;
+      }
+      for(i=1; IdChar(z[i]); i++){}
+      *tokenType = keywordCode((char*)z, i);
+      return i;
+    }
+  }
+  *tokenType = TK_ILLEGAL;
+  return 1;
+}
+int sqlite3GetToken(const unsigned char *z, int *tokenType){
+  return getToken(z, tokenType);
+}
+
+/*
+** Run the parser on the given SQL string.  The parser structure is
+** passed in.  An SQLITE_ status code is returned.  If an error occurs
+** and pzErrMsg!=NULL then an error message might be written into 
+** memory obtained from malloc() and *pzErrMsg made to point to that
+** error message.  Or maybe not.
+*/
+int sqlite3RunParser(Parse *pParse, const char *zSql, char **pzErrMsg){
+  int nErr = 0;
+  int i;
+  void *pEngine;
+  int tokenType;
+  int lastTokenParsed = -1;
+  sqlite3 *db = pParse->db;
+  extern void *sqlite3ParserAlloc(void*(*)(size_t));
+  extern void sqlite3ParserFree(void*, void(*)(void*));
+  extern void sqlite3Parser(void*, int, Token, Parse*);
+
+  if( db->activeVdbeCnt==0 ){
+    db->u1.isInterrupted = 0;
+  }
+  pParse->rc = SQLITE_OK;
+  i = 0;
+  pEngine = sqlite3ParserAlloc((void*(*)(size_t))sqlite3MallocX);
+  if( pEngine==0 ){
+    return SQLITE_NOMEM;
+  }
+  assert( pParse->sLastToken.dyn==0 );
+  assert( pParse->pNewTable==0 );
+  assert( pParse->pNewTrigger==0 );
+  assert( pParse->nVar==0 );
+  assert( pParse->nVarExpr==0 );
+  assert( pParse->nVarExprAlloc==0 );
+  assert( pParse->apVarExpr==0 );
+  pParse->zTail = pParse->zSql = zSql;
+  while( !sqlite3MallocFailed() && zSql[i]!=0 ){
+    assert( i>=0 );
+    pParse->sLastToken.z = (u8*)&zSql[i];
+    assert( pParse->sLastToken.dyn==0 );
+    pParse->sLastToken.n = getToken((unsigned char*)&zSql[i],&tokenType);
+    i += pParse->sLastToken.n;
+    switch( tokenType ){
+      case TK_SPACE:
+      case TK_COMMENT: {
+        if( db->u1.isInterrupted ){
+          pParse->rc = SQLITE_INTERRUPT;
+          sqlite3SetString(pzErrMsg, "interrupt", (char*)0);
+          goto abort_parse;
+        }
+        break;
+      }
+      case TK_ILLEGAL: {
+        if( pzErrMsg ){
+          sqliteFree(*pzErrMsg);
+          *pzErrMsg = sqlite3MPrintf("unrecognized token: \"%T\"",
+                          &pParse->sLastToken);
+        }
+        nErr++;
+        goto abort_parse;
+      }
+      case TK_SEMI: {
+        pParse->zTail = &zSql[i];
+        /* Fall thru into the default case */
+      }
+      default: {
+        sqlite3Parser(pEngine, tokenType, pParse->sLastToken, pParse);
+        lastTokenParsed = tokenType;
+        if( pParse->rc!=SQLITE_OK ){
+          goto abort_parse;
+        }
+        break;
+      }
+    }
+  }
+abort_parse:
+  if( zSql[i]==0 && nErr==0 && pParse->rc==SQLITE_OK ){
+    if( lastTokenParsed!=TK_SEMI ){
+      sqlite3Parser(pEngine, TK_SEMI, pParse->sLastToken, pParse);
+      pParse->zTail = &zSql[i];
+    }
+    sqlite3Parser(pEngine, 0, pParse->sLastToken, pParse);
+  }
+  sqlite3ParserFree(pEngine, sqlite3FreeX);
+  if( sqlite3MallocFailed() ){
+    pParse->rc = SQLITE_NOMEM;
+  }
+  if( pParse->rc!=SQLITE_OK && pParse->rc!=SQLITE_DONE && pParse->zErrMsg==0 ){
+    sqlite3SetString(&pParse->zErrMsg, sqlite3ErrStr(pParse->rc), (char*)0);
+  }
+  if( pParse->zErrMsg ){
+    if( pzErrMsg && *pzErrMsg==0 ){
+      *pzErrMsg = pParse->zErrMsg;
+    }else{
+      sqliteFree(pParse->zErrMsg);
+    }
+    pParse->zErrMsg = 0;
+    if( !nErr ) nErr++;
+  }
+  if( pParse->pVdbe && pParse->nErr>0 && pParse->nested==0 ){
+    sqlite3VdbeDelete(pParse->pVdbe);
+    pParse->pVdbe = 0;
+  }
+#ifndef SQLITE_OMIT_SHARED_CACHE
+  if( pParse->nested==0 ){
+    sqliteFree(pParse->aTableLock);
+    pParse->aTableLock = 0;
+    pParse->nTableLock = 0;
+  }
+#endif
+
+  if( !IN_DECLARE_VTAB ){
+    /* If the pParse->declareVtab flag is set, do not delete any table 
+    ** structure built up in pParse->pNewTable. The calling code (see vtab.c)
+    ** will take responsibility for freeing the Table structure.
+    */
+    sqlite3DeleteTable(pParse->pNewTable);
+  }
+
+  sqlite3DeleteTrigger(pParse->pNewTrigger);
+  sqliteFree(pParse->apVarExpr);
+  if( nErr>0 && (pParse->rc==SQLITE_OK || pParse->rc==SQLITE_DONE) ){
+    pParse->rc = SQLITE_ERROR;
+  }
+  return nErr;
+}
+
+/************** End of tokenize.c ********************************************/
+/************** Begin file main.c ********************************************/
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** Main file for the SQLite library.  The routines in this file
+** implement the programmer interface to the library.  Routines in
+** other files are for internal use by SQLite and should not be
+** accessed by users of the library.
+**
+** $Id$
+*/
+
+/*
+** The version of the library
+*/
+const char sqlite3_version[] = SQLITE_VERSION;
+const char *sqlite3_libversion(void){ return sqlite3_version; }
+int sqlite3_libversion_number(void){ return SQLITE_VERSION_NUMBER; }
+
+/*
+** If the following function pointer is not NULL and if
+** SQLITE_ENABLE_IOTRACE is enabled, then messages describing
+** I/O active are written using this function.  These messages
+** are intended for debugging activity only.
+*/
+void (*sqlite3_io_trace)(const char*, ...) = 0;
+
+/*
+** If the following global variable points to a string which is the
+** name of a directory, then that directory will be used to store
+** temporary files.
+**
+** See also the "PRAGMA temp_store_directory" SQL command.
+*/
+char *sqlite3_temp_directory = 0;
+
+
+/*
+** This is the default collating function named "BINARY" which is always
+** available.
+*/
+static int binCollFunc(
+  void *NotUsed,
+  int nKey1, const void *pKey1,
+  int nKey2, const void *pKey2
+){
+  int rc, n;
+  n = nKey1<nKey2 ? nKey1 : nKey2;
+  rc = memcmp(pKey1, pKey2, n);
+  if( rc==0 ){
+    rc = nKey1 - nKey2;
+  }
+  return rc;
+}
+
+/*
+** Another built-in collating sequence: NOCASE. 
+**
+** This collating sequence is intended to be used for "case independant
+** comparison". SQLite's knowledge of upper and lower case equivalents
+** extends only to the 26 characters used in the English language.
+**
+** At the moment there is only a UTF-8 implementation.
+*/
+static int nocaseCollatingFunc(
+  void *NotUsed,
+  int nKey1, const void *pKey1,
+  int nKey2, const void *pKey2
+){
+  int r = sqlite3StrNICmp(
+      (const char *)pKey1, (const char *)pKey2, (nKey1<nKey2)?nKey1:nKey2);
+  if( 0==r ){
+    r = nKey1-nKey2;
+  }
+  return r;
+}
+
+/*
+** Return the ROWID of the most recent insert
+*/
+sqlite_int64 sqlite3_last_insert_rowid(sqlite3 *db){
+  return db->lastRowid;
+}
+
+/*
+** Return the number of changes in the most recent call to sqlite3_exec().
+*/
+int sqlite3_changes(sqlite3 *db){
+  return db->nChange;
+}
+
+/*
+** Return the number of changes since the database handle was opened.
+*/
+int sqlite3_total_changes(sqlite3 *db){
+  return db->nTotalChange;
+}
+
+/*
+** Close an existing SQLite database
+*/
+int sqlite3_close(sqlite3 *db){
+  HashElem *i;
+  int j;
+
+  if( !db ){
+    return SQLITE_OK;
+  }
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+
+#ifdef SQLITE_SSE
+  {
+    extern void sqlite3SseCleanup(sqlite3*);
+    sqlite3SseCleanup(db);
+  }
+#endif 
+
+  sqlite3ResetInternalSchema(db, 0);
+
+  /* If a transaction is open, the ResetInternalSchema() call above
+  ** will not have called the xDisconnect() method on any virtual
+  ** tables in the db->aVTrans[] array. The following sqlite3VtabRollback()
+  ** call will do so. We need to do this before the check for active
+  ** SQL statements below, as the v-table implementation may be storing
+  ** some prepared statements internally.
+  */
+  sqlite3VtabRollback(db);
+
+  /* If there are any outstanding VMs, return SQLITE_BUSY. */
+  if( db->pVdbe ){
+    sqlite3Error(db, SQLITE_BUSY, 
+        "Unable to close due to unfinalised statements");
+    return SQLITE_BUSY;
+  }
+  assert( !sqlite3SafetyCheck(db) );
+
+  /* FIX ME: db->magic may be set to SQLITE_MAGIC_CLOSED if the database
+  ** cannot be opened for some reason. So this routine needs to run in
+  ** that case. But maybe there should be an extra magic value for the
+  ** "failed to open" state.
+  **
+  ** TODO: Coverage tests do not test the case where this condition is
+  ** true. It's hard to see how to cause it without messing with threads.
+  */
+  if( db->magic!=SQLITE_MAGIC_CLOSED && sqlite3SafetyOn(db) ){
+    /* printf("DID NOT CLOSE\n"); fflush(stdout); */
+    return SQLITE_ERROR;
+  }
+
+  for(j=0; j<db->nDb; j++){
+    struct Db *pDb = &db->aDb[j];
+    if( pDb->pBt ){
+      sqlite3BtreeClose(pDb->pBt);
+      pDb->pBt = 0;
+      if( j!=1 ){
+        pDb->pSchema = 0;
+      }
+    }
+  }
+  sqlite3ResetInternalSchema(db, 0);
+  assert( db->nDb<=2 );
+  assert( db->aDb==db->aDbStatic );
+  for(i=sqliteHashFirst(&db->aFunc); i; i=sqliteHashNext(i)){
+    FuncDef *pFunc, *pNext;
+    for(pFunc = (FuncDef*)sqliteHashData(i); pFunc; pFunc=pNext){
+      pNext = pFunc->pNext;
+      sqliteFree(pFunc);
+    }
+  }
+
+  for(i=sqliteHashFirst(&db->aCollSeq); i; i=sqliteHashNext(i)){
+    CollSeq *pColl = (CollSeq *)sqliteHashData(i);
+    sqliteFree(pColl);
+  }
+  sqlite3HashClear(&db->aCollSeq);
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  for(i=sqliteHashFirst(&db->aModule); i; i=sqliteHashNext(i)){
+    Module *pMod = (Module *)sqliteHashData(i);
+    sqliteFree(pMod);
+  }
+  sqlite3HashClear(&db->aModule);
+#endif
+
+  sqlite3HashClear(&db->aFunc);
+  sqlite3Error(db, SQLITE_OK, 0); /* Deallocates any cached error strings. */
+  if( db->pErr ){
+    sqlite3ValueFree(db->pErr);
+  }
+  sqlite3CloseExtensions(db);
+
+  db->magic = SQLITE_MAGIC_ERROR;
+
+  /* The temp-database schema is allocated differently from the other schema
+  ** objects (using sqliteMalloc() directly, instead of sqlite3BtreeSchema()).
+  ** So it needs to be freed here. Todo: Why not roll the temp schema into
+  ** the same sqliteMalloc() as the one that allocates the database 
+  ** structure?
+  */
+  sqliteFree(db->aDb[1].pSchema);
+  sqliteFree(db);
+  sqlite3ReleaseThreadData();
+  return SQLITE_OK;
+}
+
+/*
+** Rollback all database files.
+*/
+void sqlite3RollbackAll(sqlite3 *db){
+  int i;
+  int inTrans = 0;
+  for(i=0; i<db->nDb; i++){
+    if( db->aDb[i].pBt ){
+      if( sqlite3BtreeIsInTrans(db->aDb[i].pBt) ){
+        inTrans = 1;
+      }
+      sqlite3BtreeRollback(db->aDb[i].pBt);
+      db->aDb[i].inTrans = 0;
+    }
+  }
+  sqlite3VtabRollback(db);
+  if( db->flags&SQLITE_InternChanges ){
+    sqlite3ResetInternalSchema(db, 0);
+  }
+
+  /* If one has been configured, invoke the rollback-hook callback */
+  if( db->xRollbackCallback && (inTrans || !db->autoCommit) ){
+    db->xRollbackCallback(db->pRollbackArg);
+  }
+}
+
+/*
+** Return a static string that describes the kind of error specified in the
+** argument.
+*/
+const char *sqlite3ErrStr(int rc){
+  const char *z;
+  switch( rc & 0xff ){
+    case SQLITE_ROW:
+    case SQLITE_DONE:
+    case SQLITE_OK:         z = "not an error";                          break;
+    case SQLITE_ERROR:      z = "SQL logic error or missing database";   break;
+    case SQLITE_PERM:       z = "access permission denied";              break;
+    case SQLITE_ABORT:      z = "callback requested query abort";        break;
+    case SQLITE_BUSY:       z = "database is locked";                    break;
+    case SQLITE_LOCKED:     z = "database table is locked";              break;
+    case SQLITE_NOMEM:      z = "out of memory";                         break;
+    case SQLITE_READONLY:   z = "attempt to write a readonly database";  break;
+    case SQLITE_INTERRUPT:  z = "interrupted";                           break;
+    case SQLITE_IOERR:      z = "disk I/O error";                        break;
+    case SQLITE_CORRUPT:    z = "database disk image is malformed";      break;
+    case SQLITE_FULL:       z = "database or disk is full";              break;
+    case SQLITE_CANTOPEN:   z = "unable to open database file";          break;
+    case SQLITE_EMPTY:      z = "table contains no data";                break;
+    case SQLITE_SCHEMA:     z = "database schema has changed";           break;
+    case SQLITE_CONSTRAINT: z = "constraint failed";                     break;
+    case SQLITE_MISMATCH:   z = "datatype mismatch";                     break;
+    case SQLITE_MISUSE:     z = "library routine called out of sequence";break;
+    case SQLITE_NOLFS:      z = "kernel lacks large file support";       break;
+    case SQLITE_AUTH:       z = "authorization denied";                  break;
+    case SQLITE_FORMAT:     z = "auxiliary database format error";       break;
+    case SQLITE_RANGE:      z = "bind or column index out of range";     break;
+    case SQLITE_NOTADB:     z = "file is encrypted or is not a database";break;
+    default:                z = "unknown error";                         break;
+  }
+  return z;
+}
+
+/*
+** This routine implements a busy callback that sleeps and tries
+** again until a timeout value is reached.  The timeout value is
+** an integer number of milliseconds passed in as the first
+** argument.
+*/
+static int sqliteDefaultBusyCallback(
+ void *ptr,               /* Database connection */
+ int count                /* Number of times table has been busy */
+){
+#if OS_WIN || (defined(HAVE_USLEEP) && HAVE_USLEEP)
+  static const u8 delays[] =
+     { 1, 2, 5, 10, 15, 20, 25, 25,  25,  50,  50, 100 };
+  static const u8 totals[] =
+     { 0, 1, 3,  8, 18, 33, 53, 78, 103, 128, 178, 228 };
+# define NDELAY (sizeof(delays)/sizeof(delays[0]))
+  int timeout = ((sqlite3 *)ptr)->busyTimeout;
+  int delay, prior;
+
+  assert( count>=0 );
+  if( count < NDELAY ){
+    delay = delays[count];
+    prior = totals[count];
+  }else{
+    delay = delays[NDELAY-1];
+    prior = totals[NDELAY-1] + delay*(count-(NDELAY-1));
+  }
+  if( prior + delay > timeout ){
+    delay = timeout - prior;
+    if( delay<=0 ) return 0;
+  }
+  sqlite3OsSleep(delay);
+  return 1;
+#else
+  int timeout = ((sqlite3 *)ptr)->busyTimeout;
+  if( (count+1)*1000 > timeout ){
+    return 0;
+  }
+  sqlite3OsSleep(1000);
+  return 1;
+#endif
+}
+
+/*
+** Invoke the given busy handler.
+**
+** This routine is called when an operation failed with a lock.
+** If this routine returns non-zero, the lock is retried.  If it
+** returns 0, the operation aborts with an SQLITE_BUSY error.
+*/
+int sqlite3InvokeBusyHandler(BusyHandler *p){
+  int rc;
+  if( p==0 || p->xFunc==0 || p->nBusy<0 ) return 0;
+  rc = p->xFunc(p->pArg, p->nBusy);
+  if( rc==0 ){
+    p->nBusy = -1;
+  }else{
+    p->nBusy++;
+  }
+  return rc; 
+}
+
+/*
+** This routine sets the busy callback for an Sqlite database to the
+** given callback function with the given argument.
+*/
+int sqlite3_busy_handler(
+  sqlite3 *db,
+  int (*xBusy)(void*,int),
+  void *pArg
+){
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  db->busyHandler.xFunc = xBusy;
+  db->busyHandler.pArg = pArg;
+  db->busyHandler.nBusy = 0;
+  return SQLITE_OK;
+}
+
+#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
+/*
+** This routine sets the progress callback for an Sqlite database to the
+** given callback function with the given argument. The progress callback will
+** be invoked every nOps opcodes.
+*/
+void sqlite3_progress_handler(
+  sqlite3 *db, 
+  int nOps,
+  int (*xProgress)(void*), 
+  void *pArg
+){
+  if( !sqlite3SafetyCheck(db) ){
+    if( nOps>0 ){
+      db->xProgress = xProgress;
+      db->nProgressOps = nOps;
+      db->pProgressArg = pArg;
+    }else{
+      db->xProgress = 0;
+      db->nProgressOps = 0;
+      db->pProgressArg = 0;
+    }
+  }
+}
+#endif
+
+
+/*
+** This routine installs a default busy handler that waits for the
+** specified number of milliseconds before returning 0.
+*/
+int sqlite3_busy_timeout(sqlite3 *db, int ms){
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  if( ms>0 ){
+    db->busyTimeout = ms;
+    sqlite3_busy_handler(db, sqliteDefaultBusyCallback, (void*)db);
+  }else{
+    sqlite3_busy_handler(db, 0, 0);
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Cause any pending operation to stop at its earliest opportunity.
+*/
+void sqlite3_interrupt(sqlite3 *db){
+  if( db && (db->magic==SQLITE_MAGIC_OPEN || db->magic==SQLITE_MAGIC_BUSY) ){
+    db->u1.isInterrupted = 1;
+  }
+}
+
+/*
+** Memory allocation routines that use SQLites internal memory
+** memory allocator.  Depending on how SQLite is compiled, the
+** internal memory allocator might be just an alias for the
+** system default malloc/realloc/free.  Or the built-in allocator
+** might do extra stuff like put sentinals around buffers to 
+** check for overruns or look for memory leaks.
+**
+** Use sqlite3_free() to free memory returned by sqlite3_mprintf().
+*/
+void sqlite3_free(void *p){ if( p ) sqlite3OsFree(p); }
+void *sqlite3_malloc(int nByte){ return nByte>0 ? sqlite3OsMalloc(nByte) : 0; }
+void *sqlite3_realloc(void *pOld, int nByte){ 
+  if( pOld ){
+    if( nByte>0 ){
+      return sqlite3OsRealloc(pOld, nByte);
+    }else{
+      sqlite3OsFree(pOld);
+      return 0;
+    }
+  }else{
+    return sqlite3_malloc(nByte);
+  }
+}
+
+/*
+** This function is exactly the same as sqlite3_create_function(), except
+** that it is designed to be called by internal code. The difference is
+** that if a malloc() fails in sqlite3_create_function(), an error code
+** is returned and the mallocFailed flag cleared. 
+*/
+int sqlite3CreateFunc(
+  sqlite3 *db,
+  const char *zFunctionName,
+  int nArg,
+  int enc,
+  void *pUserData,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value **),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value **),
+  void (*xFinal)(sqlite3_context*)
+){
+  FuncDef *p;
+  int nName;
+
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  if( zFunctionName==0 ||
+      (xFunc && (xFinal || xStep)) || 
+      (!xFunc && (xFinal && !xStep)) ||
+      (!xFunc && (!xFinal && xStep)) ||
+      (nArg<-1 || nArg>127) ||
+      (255<(nName = strlen(zFunctionName))) ){
+    sqlite3Error(db, SQLITE_ERROR, "bad parameters");
+    return SQLITE_ERROR;
+  }
+  
+#ifndef SQLITE_OMIT_UTF16
+  /* If SQLITE_UTF16 is specified as the encoding type, transform this
+  ** to one of SQLITE_UTF16LE or SQLITE_UTF16BE using the
+  ** SQLITE_UTF16NATIVE macro. SQLITE_UTF16 is not used internally.
+  **
+  ** If SQLITE_ANY is specified, add three versions of the function
+  ** to the hash table.
+  */
+  if( enc==SQLITE_UTF16 ){
+    enc = SQLITE_UTF16NATIVE;
+  }else if( enc==SQLITE_ANY ){
+    int rc;
+    rc = sqlite3CreateFunc(db, zFunctionName, nArg, SQLITE_UTF8,
+         pUserData, xFunc, xStep, xFinal);
+    if( rc!=SQLITE_OK ) return rc;
+    rc = sqlite3CreateFunc(db, zFunctionName, nArg, SQLITE_UTF16LE,
+        pUserData, xFunc, xStep, xFinal);
+    if( rc!=SQLITE_OK ) return rc;
+    enc = SQLITE_UTF16BE;
+  }
+#else
+  enc = SQLITE_UTF8;
+#endif
+  
+  /* Check if an existing function is being overridden or deleted. If so,
+  ** and there are active VMs, then return SQLITE_BUSY. If a function
+  ** is being overridden/deleted but there are no active VMs, allow the
+  ** operation to continue but invalidate all precompiled statements.
+  */
+  p = sqlite3FindFunction(db, zFunctionName, nName, nArg, enc, 0);
+  if( p && p->iPrefEnc==enc && p->nArg==nArg ){
+    if( db->activeVdbeCnt ){
+      sqlite3Error(db, SQLITE_BUSY, 
+        "Unable to delete/modify user-function due to active statements");
+      assert( !sqlite3MallocFailed() );
+      return SQLITE_BUSY;
+    }else{
+      sqlite3ExpirePreparedStatements(db);
+    }
+  }
+
+  p = sqlite3FindFunction(db, zFunctionName, nName, nArg, enc, 1);
+  if( p ){
+    p->flags = 0;
+    p->xFunc = xFunc;
+    p->xStep = xStep;
+    p->xFinalize = xFinal;
+    p->pUserData = pUserData;
+    p->nArg = nArg;
+  }
+  return SQLITE_OK;
+}
+
+/*
+** Create new user functions.
+*/
+int sqlite3_create_function(
+  sqlite3 *db,
+  const char *zFunctionName,
+  int nArg,
+  int enc,
+  void *p,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value **),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value **),
+  void (*xFinal)(sqlite3_context*)
+){
+  int rc;
+  assert( !sqlite3MallocFailed() );
+  rc = sqlite3CreateFunc(db, zFunctionName, nArg, enc, p, xFunc, xStep, xFinal);
+
+  return sqlite3ApiExit(db, rc);
+}
+
+#ifndef SQLITE_OMIT_UTF16
+int sqlite3_create_function16(
+  sqlite3 *db,
+  const void *zFunctionName,
+  int nArg,
+  int eTextRep,
+  void *p,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+  void (*xFinal)(sqlite3_context*)
+){
+  int rc;
+  char *zFunc8;
+  assert( !sqlite3MallocFailed() );
+
+  zFunc8 = sqlite3utf16to8(zFunctionName, -1);
+  rc = sqlite3CreateFunc(db, zFunc8, nArg, eTextRep, p, xFunc, xStep, xFinal);
+  sqliteFree(zFunc8);
+
+  return sqlite3ApiExit(db, rc);
+}
+#endif
+
+
+/*
+** Declare that a function has been overloaded by a virtual table.
+**
+** If the function already exists as a regular global function, then
+** this routine is a no-op.  If the function does not exist, then create
+** a new one that always throws a run-time error.  
+**
+** When virtual tables intend to provide an overloaded function, they
+** should call this routine to make sure the global function exists.
+** A global function must exist in order for name resolution to work
+** properly.
+*/
+int sqlite3_overload_function(
+  sqlite3 *db,
+  const char *zName,
+  int nArg
+){
+  int nName = strlen(zName);
+  if( sqlite3FindFunction(db, zName, nName, nArg, SQLITE_UTF8, 0)==0 ){
+    sqlite3CreateFunc(db, zName, nArg, SQLITE_UTF8,
+                      0, sqlite3InvalidFunction, 0, 0);
+  }
+  return sqlite3ApiExit(db, SQLITE_OK);
+}
+
+#ifndef SQLITE_OMIT_TRACE
+/*
+** Register a trace function.  The pArg from the previously registered trace
+** is returned.  
+**
+** A NULL trace function means that no tracing is executes.  A non-NULL
+** trace is a pointer to a function that is invoked at the start of each
+** SQL statement.
+*/
+void *sqlite3_trace(sqlite3 *db, void (*xTrace)(void*,const char*), void *pArg){
+  void *pOld = db->pTraceArg;
+  db->xTrace = xTrace;
+  db->pTraceArg = pArg;
+  return pOld;
+}
+/*
+** Register a profile function.  The pArg from the previously registered 
+** profile function is returned.  
+**
+** A NULL profile function means that no profiling is executes.  A non-NULL
+** profile is a pointer to a function that is invoked at the conclusion of
+** each SQL statement that is run.
+*/
+void *sqlite3_profile(
+  sqlite3 *db,
+  void (*xProfile)(void*,const char*,sqlite_uint64),
+  void *pArg
+){
+  void *pOld = db->pProfileArg;
+  db->xProfile = xProfile;
+  db->pProfileArg = pArg;
+  return pOld;
+}
+#endif /* SQLITE_OMIT_TRACE */
+
+/*** EXPERIMENTAL ***
+**
+** Register a function to be invoked when a transaction comments.
+** If the invoked function returns non-zero, then the commit becomes a
+** rollback.
+*/
+void *sqlite3_commit_hook(
+  sqlite3 *db,              /* Attach the hook to this database */
+  int (*xCallback)(void*),  /* Function to invoke on each commit */
+  void *pArg                /* Argument to the function */
+){
+  void *pOld = db->pCommitArg;
+  db->xCommitCallback = xCallback;
+  db->pCommitArg = pArg;
+  return pOld;
+}
+
+/*
+** Register a callback to be invoked each time a row is updated,
+** inserted or deleted using this database connection.
+*/
+void *sqlite3_update_hook(
+  sqlite3 *db,              /* Attach the hook to this database */
+  void (*xCallback)(void*,int,char const *,char const *,sqlite_int64),
+  void *pArg                /* Argument to the function */
+){
+  void *pRet = db->pUpdateArg;
+  db->xUpdateCallback = xCallback;
+  db->pUpdateArg = pArg;
+  return pRet;
+}
+
+/*
+** Register a callback to be invoked each time a transaction is rolled
+** back by this database connection.
+*/
+void *sqlite3_rollback_hook(
+  sqlite3 *db,              /* Attach the hook to this database */
+  void (*xCallback)(void*), /* Callback function */
+  void *pArg                /* Argument to the function */
+){
+  void *pRet = db->pRollbackArg;
+  db->xRollbackCallback = xCallback;
+  db->pRollbackArg = pArg;
+  return pRet;
+}
+
+/*
+** This routine is called to create a connection to a database BTree
+** driver.  If zFilename is the name of a file, then that file is
+** opened and used.  If zFilename is the magic name ":memory:" then
+** the database is stored in memory (and is thus forgotten as soon as
+** the connection is closed.)  If zFilename is NULL then the database
+** is a "virtual" database for transient use only and is deleted as
+** soon as the connection is closed.
+**
+** A virtual database can be either a disk file (that is automatically
+** deleted when the file is closed) or it an be held entirely in memory,
+** depending on the values of the TEMP_STORE compile-time macro and the
+** db->temp_store variable, according to the following chart:
+**
+**       TEMP_STORE     db->temp_store     Location of temporary database
+**       ----------     --------------     ------------------------------
+**           0               any             file
+**           1                1              file
+**           1                2              memory
+**           1                0              file
+**           2                1              file
+**           2                2              memory
+**           2                0              memory
+**           3               any             memory
+*/
+int sqlite3BtreeFactory(
+  const sqlite3 *db,        /* Main database when opening aux otherwise 0 */
+  const char *zFilename,    /* Name of the file containing the BTree database */
+  int omitJournal,          /* if TRUE then do not journal this file */
+  int nCache,               /* How many pages in the page cache */
+  Btree **ppBtree           /* Pointer to new Btree object written here */
+){
+  int btree_flags = 0;
+  int rc;
+  
+  assert( ppBtree != 0);
+  if( omitJournal ){
+    btree_flags |= BTREE_OMIT_JOURNAL;
+  }
+  if( db->flags & SQLITE_NoReadlock ){
+    btree_flags |= BTREE_NO_READLOCK;
+  }
+  if( zFilename==0 ){
+#if TEMP_STORE==0
+    /* Do nothing */
+#endif
+#ifndef SQLITE_OMIT_MEMORYDB
+#if TEMP_STORE==1
+    if( db->temp_store==2 ) zFilename = ":memory:";
+#endif
+#if TEMP_STORE==2
+    if( db->temp_store!=1 ) zFilename = ":memory:";
+#endif
+#if TEMP_STORE==3
+    zFilename = ":memory:";
+#endif
+#endif /* SQLITE_OMIT_MEMORYDB */
+  }
+
+  rc = sqlite3BtreeOpen(zFilename, (sqlite3 *)db, ppBtree, btree_flags);
+  if( rc==SQLITE_OK ){
+    sqlite3BtreeSetBusyHandler(*ppBtree, (void*)&db->busyHandler);
+    sqlite3BtreeSetCacheSize(*ppBtree, nCache);
+  }
+  return rc;
+}
+
+/*
+** Return UTF-8 encoded English language explanation of the most recent
+** error.
+*/
+const char *sqlite3_errmsg(sqlite3 *db){
+  const char *z;
+  assert( !sqlite3MallocFailed() );
+  if( !db ){
+    return sqlite3ErrStr(SQLITE_NOMEM);
+  }
+  if( sqlite3SafetyCheck(db) || db->errCode==SQLITE_MISUSE ){
+    return sqlite3ErrStr(SQLITE_MISUSE);
+  }
+  z = (char*)sqlite3_value_text(db->pErr);
+  if( z==0 ){
+    z = sqlite3ErrStr(db->errCode);
+  }
+  return z;
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Return UTF-16 encoded English language explanation of the most recent
+** error.
+*/
+const void *sqlite3_errmsg16(sqlite3 *db){
+  /* Because all the characters in the string are in the unicode
+  ** range 0x00-0xFF, if we pad the big-endian string with a 
+  ** zero byte, we can obtain the little-endian string with
+  ** &big_endian[1].
+  */
+  static const char outOfMemBe[] = {
+    0, 'o', 0, 'u', 0, 't', 0, ' ', 
+    0, 'o', 0, 'f', 0, ' ', 
+    0, 'm', 0, 'e', 0, 'm', 0, 'o', 0, 'r', 0, 'y', 0, 0, 0
+  };
+  static const char misuseBe [] = {
+    0, 'l', 0, 'i', 0, 'b', 0, 'r', 0, 'a', 0, 'r', 0, 'y', 0, ' ', 
+    0, 'r', 0, 'o', 0, 'u', 0, 't', 0, 'i', 0, 'n', 0, 'e', 0, ' ', 
+    0, 'c', 0, 'a', 0, 'l', 0, 'l', 0, 'e', 0, 'd', 0, ' ', 
+    0, 'o', 0, 'u', 0, 't', 0, ' ', 
+    0, 'o', 0, 'f', 0, ' ', 
+    0, 's', 0, 'e', 0, 'q', 0, 'u', 0, 'e', 0, 'n', 0, 'c', 0, 'e', 0, 0, 0
+  };
+
+  const void *z;
+  assert( !sqlite3MallocFailed() );
+  if( !db ){
+    return (void *)(&outOfMemBe[SQLITE_UTF16NATIVE==SQLITE_UTF16LE?1:0]);
+  }
+  if( sqlite3SafetyCheck(db) || db->errCode==SQLITE_MISUSE ){
+    return (void *)(&misuseBe[SQLITE_UTF16NATIVE==SQLITE_UTF16LE?1:0]);
+  }
+  z = sqlite3_value_text16(db->pErr);
+  if( z==0 ){
+    sqlite3ValueSetStr(db->pErr, -1, sqlite3ErrStr(db->errCode),
+         SQLITE_UTF8, SQLITE_STATIC);
+    z = sqlite3_value_text16(db->pErr);
+  }
+  sqlite3ApiExit(0, 0);
+  return z;
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** Return the most recent error code generated by an SQLite routine. If NULL is
+** passed to this function, we assume a malloc() failed during sqlite3_open().
+*/
+int sqlite3_errcode(sqlite3 *db){
+  if( !db || sqlite3MallocFailed() ){
+    return SQLITE_NOMEM;
+  }
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  return db->errCode & db->errMask;
+}
+
+/*
+** Create a new collating function for database "db".  The name is zName
+** and the encoding is enc.
+*/
+static int createCollation(
+  sqlite3* db, 
+  const char *zName, 
+  int enc, 
+  void* pCtx,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+){
+  CollSeq *pColl;
+  int enc2;
+  
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+
+  /* If SQLITE_UTF16 is specified as the encoding type, transform this
+  ** to one of SQLITE_UTF16LE or SQLITE_UTF16BE using the
+  ** SQLITE_UTF16NATIVE macro. SQLITE_UTF16 is not used internally.
+  */
+  enc2 = enc & ~SQLITE_UTF16_ALIGNED;
+  if( enc2==SQLITE_UTF16 ){
+    enc2 = SQLITE_UTF16NATIVE;
+  }
+
+  if( (enc2&~3)!=0 ){
+    sqlite3Error(db, SQLITE_ERROR, "unknown encoding");
+    return SQLITE_ERROR;
+  }
+
+  /* Check if this call is removing or replacing an existing collation 
+  ** sequence. If so, and there are active VMs, return busy. If there
+  ** are no active VMs, invalidate any pre-compiled statements.
+  */
+  pColl = sqlite3FindCollSeq(db, (u8)enc2, zName, strlen(zName), 0);
+  if( pColl && pColl->xCmp ){
+    if( db->activeVdbeCnt ){
+      sqlite3Error(db, SQLITE_BUSY, 
+        "Unable to delete/modify collation sequence due to active statements");
+      return SQLITE_BUSY;
+    }
+    sqlite3ExpirePreparedStatements(db);
+  }
+
+  pColl = sqlite3FindCollSeq(db, (u8)enc2, zName, strlen(zName), 1);
+  if( pColl ){
+    pColl->xCmp = xCompare;
+    pColl->pUser = pCtx;
+    pColl->enc = enc2 | (enc & SQLITE_UTF16_ALIGNED);
+  }
+  sqlite3Error(db, SQLITE_OK, 0);
+  return SQLITE_OK;
+}
+
+
+/*
+** This routine does the work of opening a database on behalf of
+** sqlite3_open() and sqlite3_open16(). The database filename "zFilename"  
+** is UTF-8 encoded.
+*/
+static int openDatabase(
+  const char *zFilename, /* Database filename UTF-8 encoded */
+  sqlite3 **ppDb         /* OUT: Returned database handle */
+){
+  sqlite3 *db;
+  int rc;
+  CollSeq *pColl;
+
+  assert( !sqlite3MallocFailed() );
+
+  /* Allocate the sqlite data structure */
+  db = sqliteMalloc( sizeof(sqlite3) );
+  if( db==0 ) goto opendb_out;
+  db->errMask = 0xff;
+  db->priorNewRowid = 0;
+  db->magic = SQLITE_MAGIC_BUSY;
+  db->nDb = 2;
+  db->aDb = db->aDbStatic;
+  db->autoCommit = 1;
+  db->flags |= SQLITE_ShortColNames
+#if SQLITE_DEFAULT_FILE_FORMAT<4
+                 | SQLITE_LegacyFileFmt
+#endif
+#ifdef SQLITE_ENABLE_LOAD_EXTENSION
+                 | SQLITE_LoadExtension
+#endif
+      ;
+  sqlite3HashInit(&db->aFunc, SQLITE_HASH_STRING, 0);
+  sqlite3HashInit(&db->aCollSeq, SQLITE_HASH_STRING, 0);
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  sqlite3HashInit(&db->aModule, SQLITE_HASH_STRING, 0);
+#endif
+
+  /* Add the default collation sequence BINARY. BINARY works for both UTF-8
+  ** and UTF-16, so add a version for each to avoid any unnecessary
+  ** conversions. The only error that can occur here is a malloc() failure.
+  */
+  if( createCollation(db, "BINARY", SQLITE_UTF8, 0, binCollFunc) ||
+      createCollation(db, "BINARY", SQLITE_UTF16BE, 0, binCollFunc) ||
+      createCollation(db, "BINARY", SQLITE_UTF16LE, 0, binCollFunc) ||
+      (db->pDfltColl = sqlite3FindCollSeq(db, SQLITE_UTF8, "BINARY", 6, 0))==0 
+  ){
+    assert( sqlite3MallocFailed() );
+    db->magic = SQLITE_MAGIC_CLOSED;
+    goto opendb_out;
+  }
+
+  /* Also add a UTF-8 case-insensitive collation sequence. */
+  createCollation(db, "NOCASE", SQLITE_UTF8, 0, nocaseCollatingFunc);
+
+  /* Set flags on the built-in collating sequences */
+  db->pDfltColl->type = SQLITE_COLL_BINARY;
+  pColl = sqlite3FindCollSeq(db, SQLITE_UTF8, "NOCASE", 6, 0);
+  if( pColl ){
+    pColl->type = SQLITE_COLL_NOCASE;
+  }
+
+  /* Open the backend database driver */
+  rc = sqlite3BtreeFactory(db, zFilename, 0, MAX_PAGES, &db->aDb[0].pBt);
+  if( rc!=SQLITE_OK ){
+    sqlite3Error(db, rc, 0);
+    db->magic = SQLITE_MAGIC_CLOSED;
+    goto opendb_out;
+  }
+  db->aDb[0].pSchema = sqlite3SchemaGet(db->aDb[0].pBt);
+  db->aDb[1].pSchema = sqlite3SchemaGet(0);
+
+
+  /* The default safety_level for the main database is 'full'; for the temp
+  ** database it is 'NONE'. This matches the pager layer defaults.  
+  */
+  db->aDb[0].zName = "main";
+  db->aDb[0].safety_level = 3;
+#ifndef SQLITE_OMIT_TEMPDB
+  db->aDb[1].zName = "temp";
+  db->aDb[1].safety_level = 1;
+#endif
+
+  /* Register all built-in functions, but do not attempt to read the
+  ** database schema yet. This is delayed until the first time the database
+  ** is accessed.
+  */
+  if( !sqlite3MallocFailed() ){
+    sqlite3Error(db, SQLITE_OK, 0);
+    sqlite3RegisterBuiltinFunctions(db);
+  }
+  db->magic = SQLITE_MAGIC_OPEN;
+
+  /* Load automatic extensions - extensions that have been registered
+  ** using the sqlite3_automatic_extension() API.
+  */
+  (void)sqlite3AutoLoadExtensions(db);
+
+#ifdef SQLITE_ENABLE_FTS1
+  {
+    extern int sqlite3Fts1Init(sqlite3*);
+    sqlite3Fts1Init(db);
+  }
+#endif
+
+#ifdef SQLITE_ENABLE_FTS2
+  {
+    extern int sqlite3Fts2Init(sqlite3*);
+    sqlite3Fts2Init(db);
+  }
+#endif
+
+  /* -DSQLITE_DEFAULT_LOCKING_MODE=1 makes EXCLUSIVE the default locking
+  ** mode.  -DSQLITE_DEFAULT_LOCKING_MODE=0 make NORMAL the default locking
+  ** mode.  Doing nothing at all also makes NORMAL the default.
+  */
+#ifdef SQLITE_DEFAULT_LOCKING_MODE
+  db->dfltLockMode = SQLITE_DEFAULT_LOCKING_MODE;
+  sqlite3PagerLockingMode(sqlite3BtreePager(db->aDb[0].pBt),
+                          SQLITE_DEFAULT_LOCKING_MODE);
+#endif
+
+opendb_out:
+  if( SQLITE_NOMEM==(rc = sqlite3_errcode(db)) ){
+    sqlite3_close(db);
+    db = 0;
+  }
+  *ppDb = db;
+  return sqlite3ApiExit(0, rc);
+}
+
+/*
+** Open a new database handle.
+*/
+int sqlite3_open(
+  const char *zFilename, 
+  sqlite3 **ppDb 
+){
+  return openDatabase(zFilename, ppDb);
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Open a new database handle.
+*/
+int sqlite3_open16(
+  const void *zFilename, 
+  sqlite3 **ppDb
+){
+  char const *zFilename8;   /* zFilename encoded in UTF-8 instead of UTF-16 */
+  int rc = SQLITE_OK;
+  sqlite3_value *pVal;
+
+  assert( zFilename );
+  assert( ppDb );
+  *ppDb = 0;
+  pVal = sqlite3ValueNew();
+  sqlite3ValueSetStr(pVal, -1, zFilename, SQLITE_UTF16NATIVE, SQLITE_STATIC);
+  zFilename8 = sqlite3ValueText(pVal, SQLITE_UTF8);
+  if( zFilename8 ){
+    rc = openDatabase(zFilename8, ppDb);
+    if( rc==SQLITE_OK && *ppDb ){
+      rc = sqlite3_exec(*ppDb, "PRAGMA encoding = 'UTF-16'", 0, 0, 0);
+      if( rc!=SQLITE_OK ){
+        sqlite3_close(*ppDb);
+        *ppDb = 0;
+      }
+    }
+  }
+  sqlite3ValueFree(pVal);
+
+  return sqlite3ApiExit(0, rc);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** The following routine destroys a virtual machine that is created by
+** the sqlite3_compile() routine. The integer returned is an SQLITE_
+** success/failure code that describes the result of executing the virtual
+** machine.
+**
+** This routine sets the error code and string returned by
+** sqlite3_errcode(), sqlite3_errmsg() and sqlite3_errmsg16().
+*/
+int sqlite3_finalize(sqlite3_stmt *pStmt){
+  int rc;
+  if( pStmt==0 ){
+    rc = SQLITE_OK;
+  }else{
+    rc = sqlite3VdbeFinalize((Vdbe*)pStmt);
+  }
+  return rc;
+}
+
+/*
+** Terminate the current execution of an SQL statement and reset it
+** back to its starting state so that it can be reused. A success code from
+** the prior execution is returned.
+**
+** This routine sets the error code and string returned by
+** sqlite3_errcode(), sqlite3_errmsg() and sqlite3_errmsg16().
+*/
+int sqlite3_reset(sqlite3_stmt *pStmt){
+  int rc;
+  if( pStmt==0 ){
+    rc = SQLITE_OK;
+  }else{
+    rc = sqlite3VdbeReset((Vdbe*)pStmt);
+    sqlite3VdbeMakeReady((Vdbe*)pStmt, -1, 0, 0, 0);
+    assert( (rc & (sqlite3_db_handle(pStmt)->errMask))==rc );
+  }
+  return rc;
+}
+
+/*
+** Register a new collation sequence with the database handle db.
+*/
+int sqlite3_create_collation(
+  sqlite3* db, 
+  const char *zName, 
+  int enc, 
+  void* pCtx,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+){
+  int rc;
+  assert( !sqlite3MallocFailed() );
+  rc = createCollation(db, zName, enc, pCtx, xCompare);
+  return sqlite3ApiExit(db, rc);
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Register a new collation sequence with the database handle db.
+*/
+int sqlite3_create_collation16(
+  sqlite3* db, 
+  const char *zName, 
+  int enc, 
+  void* pCtx,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+){
+  int rc = SQLITE_OK;
+  char *zName8; 
+  assert( !sqlite3MallocFailed() );
+  zName8 = sqlite3utf16to8(zName, -1);
+  if( zName8 ){
+    rc = createCollation(db, zName8, enc, pCtx, xCompare);
+    sqliteFree(zName8);
+  }
+  return sqlite3ApiExit(db, rc);
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+/*
+** Register a collation sequence factory callback with the database handle
+** db. Replace any previously installed collation sequence factory.
+*/
+int sqlite3_collation_needed(
+  sqlite3 *db, 
+  void *pCollNeededArg, 
+  void(*xCollNeeded)(void*,sqlite3*,int eTextRep,const char*)
+){
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  db->xCollNeeded = xCollNeeded;
+  db->xCollNeeded16 = 0;
+  db->pCollNeededArg = pCollNeededArg;
+  return SQLITE_OK;
+}
+
+#ifndef SQLITE_OMIT_UTF16
+/*
+** Register a collation sequence factory callback with the database handle
+** db. Replace any previously installed collation sequence factory.
+*/
+int sqlite3_collation_needed16(
+  sqlite3 *db, 
+  void *pCollNeededArg, 
+  void(*xCollNeeded16)(void*,sqlite3*,int eTextRep,const void*)
+){
+  if( sqlite3SafetyCheck(db) ){
+    return SQLITE_MISUSE;
+  }
+  db->xCollNeeded = 0;
+  db->xCollNeeded16 = xCollNeeded16;
+  db->pCollNeededArg = pCollNeededArg;
+  return SQLITE_OK;
+}
+#endif /* SQLITE_OMIT_UTF16 */
+
+#ifndef SQLITE_OMIT_GLOBALRECOVER
+/*
+** This function is now an anachronism. It used to be used to recover from a
+** malloc() failure, but SQLite now does this automatically.
+*/
+int sqlite3_global_recover(){
+  return SQLITE_OK;
+}
+#endif
+
+/*
+** Test to see whether or not the database connection is in autocommit
+** mode.  Return TRUE if it is and FALSE if not.  Autocommit mode is on
+** by default.  Autocommit is disabled by a BEGIN statement and reenabled
+** by the next COMMIT or ROLLBACK.
+**
+******* THIS IS AN EXPERIMENTAL API AND IS SUBJECT TO CHANGE ******
+*/
+int sqlite3_get_autocommit(sqlite3 *db){
+  return db->autoCommit;
+}
+
+#ifdef SQLITE_DEBUG
+/*
+** The following routine is subtituted for constant SQLITE_CORRUPT in
+** debugging builds.  This provides a way to set a breakpoint for when
+** corruption is first detected.
+*/
+int sqlite3Corrupt(void){
+  return SQLITE_CORRUPT;
+}
+#endif
+
+
+#ifndef SQLITE_OMIT_SHARED_CACHE
+/*
+** Enable or disable the shared pager and schema features for the
+** current thread.
+**
+** This routine should only be called when there are no open
+** database connections.
+*/
+int sqlite3_enable_shared_cache(int enable){
+  ThreadData *pTd = sqlite3ThreadData();
+  if( pTd ){
+    /* It is only legal to call sqlite3_enable_shared_cache() when there
+    ** are no currently open b-trees that were opened by the calling thread.
+    ** This condition is only easy to detect if the shared-cache were 
+    ** previously enabled (and is being disabled). 
+    */
+    if( pTd->pBtree && !enable ){
+      assert( pTd->useSharedData );
+      return SQLITE_MISUSE;
+    }
+
+    pTd->useSharedData = enable;
+    sqlite3ReleaseThreadData();
+  }
+  return sqlite3ApiExit(0, SQLITE_OK);
+}
+#endif
+
+/*
+** This is a convenience routine that makes sure that all thread-specific
+** data for this thread has been deallocated.
+*/
+void sqlite3_thread_cleanup(void){
+  ThreadData *pTd = sqlite3OsThreadSpecificData(0);
+  if( pTd ){
+    memset(pTd, 0, sizeof(*pTd));
+    sqlite3OsThreadSpecificData(-1);
+  }
+}
+
+/*
+** Return meta information about a specific column of a database table.
+** See comment in sqlite3.h (sqlite.h.in) for details.
+*/
+#ifdef SQLITE_ENABLE_COLUMN_METADATA
+int sqlite3_table_column_metadata(
+  sqlite3 *db,                /* Connection handle */
+  const char *zDbName,        /* Database name or NULL */
+  const char *zTableName,     /* Table name */
+  const char *zColumnName,    /* Column name */
+  char const **pzDataType,    /* OUTPUT: Declared data type */
+  char const **pzCollSeq,     /* OUTPUT: Collation sequence name */
+  int *pNotNull,              /* OUTPUT: True if NOT NULL constraint exists */
+  int *pPrimaryKey,           /* OUTPUT: True if column part of PK */
+  int *pAutoinc               /* OUTPUT: True if colums is auto-increment */
+){
+  int rc;
+  char *zErrMsg = 0;
+  Table *pTab = 0;
+  Column *pCol = 0;
+  int iCol;
+
+  char const *zDataType = 0;
+  char const *zCollSeq = 0;
+  int notnull = 0;
+  int primarykey = 0;
+  int autoinc = 0;
+
+  /* Ensure the database schema has been loaded */
+  if( sqlite3SafetyOn(db) ){
+    return SQLITE_MISUSE;
+  }
+  rc = sqlite3Init(db, &zErrMsg);
+  if( SQLITE_OK!=rc ){
+    goto error_out;
+  }
+
+  /* Locate the table in question */
+  pTab = sqlite3FindTable(db, zTableName, zDbName);
+  if( !pTab || pTab->pSelect ){
+    pTab = 0;
+    goto error_out;
+  }
+
+  /* Find the column for which info is requested */
+  if( sqlite3IsRowid(zColumnName) ){
+    iCol = pTab->iPKey;
+    if( iCol>=0 ){
+      pCol = &pTab->aCol[iCol];
+    }
+  }else{
+    for(iCol=0; iCol<pTab->nCol; iCol++){
+      pCol = &pTab->aCol[iCol];
+      if( 0==sqlite3StrICmp(pCol->zName, zColumnName) ){
+        break;
+      }
+    }
+    if( iCol==pTab->nCol ){
+      pTab = 0;
+      goto error_out;
+    }
+  }
+
+  /* The following block stores the meta information that will be returned
+  ** to the caller in local variables zDataType, zCollSeq, notnull, primarykey
+  ** and autoinc. At this point there are two possibilities:
+  ** 
+  **     1. The specified column name was rowid", "oid" or "_rowid_" 
+  **        and there is no explicitly declared IPK column. 
+  **
+  **     2. The table is not a view and the column name identified an 
+  **        explicitly declared column. Copy meta information from *pCol.
+  */ 
+  if( pCol ){
+    zDataType = pCol->zType;
+    zCollSeq = pCol->zColl;
+    notnull = (pCol->notNull?1:0);
+    primarykey  = (pCol->isPrimKey?1:0);
+    autoinc = ((pTab->iPKey==iCol && pTab->autoInc)?1:0);
+  }else{
+    zDataType = "INTEGER";
+    primarykey = 1;
+  }
+  if( !zCollSeq ){
+    zCollSeq = "BINARY";
+  }
+
+error_out:
+  if( sqlite3SafetyOff(db) ){
+    rc = SQLITE_MISUSE;
+  }
+
+  /* Whether the function call succeeded or failed, set the output parameters
+  ** to whatever their local counterparts contain. If an error did occur,
+  ** this has the effect of zeroing all output parameters.
+  */
+  if( pzDataType ) *pzDataType = zDataType;
+  if( pzCollSeq ) *pzCollSeq = zCollSeq;
+  if( pNotNull ) *pNotNull = notnull;
+  if( pPrimaryKey ) *pPrimaryKey = primarykey;
+  if( pAutoinc ) *pAutoinc = autoinc;
+
+  if( SQLITE_OK==rc && !pTab ){
+    sqlite3SetString(&zErrMsg, "no such table column: ", zTableName, ".", 
+        zColumnName, 0);
+    rc = SQLITE_ERROR;
+  }
+  sqlite3Error(db, rc, (zErrMsg?"%s":0), zErrMsg);
+  sqliteFree(zErrMsg);
+  return sqlite3ApiExit(db, rc);
+}
+#endif
+
+/*
+** Set all the parameters in the compiled SQL statement to NULL.
+*/
+int sqlite3_clear_bindings(sqlite3_stmt *pStmt){
+  int i;
+  int rc = SQLITE_OK;
+  for(i=1; rc==SQLITE_OK && i<=sqlite3_bind_parameter_count(pStmt); i++){
+    rc = sqlite3_bind_null(pStmt, i);
+  }
+  return rc;
+}
+
+/*
+** Sleep for a little while.  Return the amount of time slept.
+*/
+int sqlite3_sleep(int ms){
+  return sqlite3OsSleep(ms);
+}
+
+/*
+** Enable or disable the extended result codes.
+*/
+int sqlite3_extended_result_codes(sqlite3 *db, int onoff){
+  db->errMask = onoff ? 0xffffffff : 0xff;
+  return SQLITE_OK;
+}
+
+/************** End of main.c ************************************************/
diff --git a/security/nss/lib/sqlite/sqlite3.h b/security/nss/lib/sqlite/sqlite3.h
new file mode 100644
index 000000000..e1f969efb
--- /dev/null
+++ b/security/nss/lib/sqlite/sqlite3.h
@@ -0,0 +1,1885 @@
+/*
+** 2001 September 15
+**
+** The author disclaims copyright to this source code.  In place of
+** a legal notice, here is a blessing:
+**
+**    May you do good and not evil.
+**    May you find forgiveness for yourself and forgive others.
+**    May you share freely, never taking more than you give.
+**
+*************************************************************************
+** This header file defines the interface that the SQLite library
+** presents to client programs.
+**
+** @(#) $Id$
+*/
+#ifndef _SQLITE3_H_
+#define _SQLITE3_H_
+#include <stdarg.h>     /* Needed for the definition of va_list */
+
+/*
+** Make sure we can call this stuff from C++.
+*/
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+** The version of the SQLite library.
+*/
+#ifdef SQLITE_VERSION
+# undef SQLITE_VERSION
+#endif
+#define SQLITE_VERSION         "3.3.17"
+
+/*
+** The format of the version string is "X.Y.Z<trailing string>", where
+** X is the major version number, Y is the minor version number and Z
+** is the release number. The trailing string is often "alpha" or "beta".
+** For example "3.1.1beta".
+**
+** The SQLITE_VERSION_NUMBER is an integer with the value 
+** (X*100000 + Y*1000 + Z). For example, for version "3.1.1beta", 
+** SQLITE_VERSION_NUMBER is set to 3001001. To detect if they are using 
+** version 3.1.1 or greater at compile time, programs may use the test 
+** (SQLITE_VERSION_NUMBER>=3001001).
+*/
+#ifdef SQLITE_VERSION_NUMBER
+# undef SQLITE_VERSION_NUMBER
+#endif
+#define SQLITE_VERSION_NUMBER 3003017
+
+/*
+** The version string is also compiled into the library so that a program
+** can check to make sure that the lib*.a file and the *.h file are from
+** the same version.  The sqlite3_libversion() function returns a pointer
+** to the sqlite3_version variable - useful in DLLs which cannot access
+** global variables.
+*/
+extern const char sqlite3_version[];
+const char *sqlite3_libversion(void);
+
+/*
+** Return the value of the SQLITE_VERSION_NUMBER macro when the
+** library was compiled.
+*/
+int sqlite3_libversion_number(void);
+
+/*
+** Each open sqlite database is represented by an instance of the
+** following opaque structure.
+*/
+typedef struct sqlite3 sqlite3;
+
+
+/*
+** Some compilers do not support the "long long" datatype.  So we have
+** to do a typedef that for 64-bit integers that depends on what compiler
+** is being used.
+*/
+#ifdef SQLITE_INT64_TYPE
+  typedef SQLITE_INT64_TYPE sqlite_int64;
+  typedef unsigned SQLITE_INT64_TYPE sqlite_uint64;
+#elif defined(_MSC_VER) || defined(__BORLANDC__)
+  typedef __int64 sqlite_int64;
+  typedef unsigned __int64 sqlite_uint64;
+#else
+  typedef long long int sqlite_int64;
+  typedef unsigned long long int sqlite_uint64;
+#endif
+
+/*
+** If compiling for a processor that lacks floating point support,
+** substitute integer for floating-point
+*/
+#ifdef SQLITE_OMIT_FLOATING_POINT
+# define double sqlite_int64
+#endif
+
+/*
+** A function to close the database.
+**
+** Call this function with a pointer to a structure that was previously
+** returned from sqlite3_open() and the corresponding database will by closed.
+**
+** All SQL statements prepared using sqlite3_prepare() or
+** sqlite3_prepare16() must be deallocated using sqlite3_finalize() before
+** this routine is called. Otherwise, SQLITE_BUSY is returned and the
+** database connection remains open.
+*/
+int sqlite3_close(sqlite3 *);
+
+/*
+** The type for a callback function.
+*/
+typedef int (*sqlite3_callback)(void*,int,char**, char**);
+
+/*
+** A function to executes one or more statements of SQL.
+**
+** If one or more of the SQL statements are queries, then
+** the callback function specified by the 3rd parameter is
+** invoked once for each row of the query result.  This callback
+** should normally return 0.  If the callback returns a non-zero
+** value then the query is aborted, all subsequent SQL statements
+** are skipped and the sqlite3_exec() function returns the SQLITE_ABORT.
+**
+** The 1st parameter is an arbitrary pointer that is passed
+** to the callback function as its first parameter.
+**
+** The 2nd parameter to the callback function is the number of
+** columns in the query result.  The 3rd parameter to the callback
+** is an array of strings holding the values for each column.
+** The 4th parameter to the callback is an array of strings holding
+** the names of each column.
+**
+** The callback function may be NULL, even for queries.  A NULL
+** callback is not an error.  It just means that no callback
+** will be invoked.
+**
+** If an error occurs while parsing or evaluating the SQL (but
+** not while executing the callback) then an appropriate error
+** message is written into memory obtained from malloc() and
+** *errmsg is made to point to that message.  The calling function
+** is responsible for freeing the memory that holds the error
+** message.   Use sqlite3_free() for this.  If errmsg==NULL,
+** then no error message is ever written.
+**
+** The return value is is SQLITE_OK if there are no errors and
+** some other return code if there is an error.  The particular
+** return value depends on the type of error. 
+**
+** If the query could not be executed because a database file is
+** locked or busy, then this function returns SQLITE_BUSY.  (This
+** behavior can be modified somewhat using the sqlite3_busy_handler()
+** and sqlite3_busy_timeout() functions below.)
+*/
+int sqlite3_exec(
+  sqlite3*,                     /* An open database */
+  const char *sql,              /* SQL to be executed */
+  sqlite3_callback,             /* Callback function */
+  void *,                       /* 1st argument to callback function */
+  char **errmsg                 /* Error msg written here */
+);
+
+/*
+** Return values for sqlite3_exec() and sqlite3_step()
+*/
+#define SQLITE_OK           0   /* Successful result */
+/* beginning-of-error-codes */
+#define SQLITE_ERROR        1   /* SQL error or missing database */
+#define SQLITE_INTERNAL     2   /* NOT USED. Internal logic error in SQLite */
+#define SQLITE_PERM         3   /* Access permission denied */
+#define SQLITE_ABORT        4   /* Callback routine requested an abort */
+#define SQLITE_BUSY         5   /* The database file is locked */
+#define SQLITE_LOCKED       6   /* A table in the database is locked */
+#define SQLITE_NOMEM        7   /* A malloc() failed */
+#define SQLITE_READONLY     8   /* Attempt to write a readonly database */
+#define SQLITE_INTERRUPT    9   /* Operation terminated by sqlite3_interrupt()*/
+#define SQLITE_IOERR       10   /* Some kind of disk I/O error occurred */
+#define SQLITE_CORRUPT     11   /* The database disk image is malformed */
+#define SQLITE_NOTFOUND    12   /* NOT USED. Table or record not found */
+#define SQLITE_FULL        13   /* Insertion failed because database is full */
+#define SQLITE_CANTOPEN    14   /* Unable to open the database file */
+#define SQLITE_PROTOCOL    15   /* NOT USED. Database lock protocol error */
+#define SQLITE_EMPTY       16   /* Database is empty */
+#define SQLITE_SCHEMA      17   /* The database schema changed */
+#define SQLITE_TOOBIG      18   /* NOT USED. Too much data for one row */
+#define SQLITE_CONSTRAINT  19   /* Abort due to contraint violation */
+#define SQLITE_MISMATCH    20   /* Data type mismatch */
+#define SQLITE_MISUSE      21   /* Library used incorrectly */
+#define SQLITE_NOLFS       22   /* Uses OS features not supported on host */
+#define SQLITE_AUTH        23   /* Authorization denied */
+#define SQLITE_FORMAT      24   /* Auxiliary database format error */
+#define SQLITE_RANGE       25   /* 2nd parameter to sqlite3_bind out of range */
+#define SQLITE_NOTADB      26   /* File opened that is not a database file */
+#define SQLITE_ROW         100  /* sqlite3_step() has another row ready */
+#define SQLITE_DONE        101  /* sqlite3_step() has finished executing */
+/* end-of-error-codes */
+
+/*
+** Using the sqlite3_extended_result_codes() API, you can cause
+** SQLite to return result codes with additional information in
+** their upper bits.  The lower 8 bits will be the same as the
+** primary result codes above.  But the upper bits might contain
+** more specific error information.
+**
+** To extract the primary result code from an extended result code,
+** simply mask off the lower 8 bits.
+**
+**        primary = extended & 0xff;
+**
+** New result error codes may be added from time to time.  Software
+** that uses the extended result codes should plan accordingly and be
+** sure to always handle new unknown codes gracefully.
+**
+** The SQLITE_OK result code will never be extended.  It will always
+** be exactly zero.
+**
+** The extended result codes always have the primary result code
+** as a prefix.  Primary result codes only contain a single "_"
+** character.  Extended result codes contain two or more "_" characters.
+*/
+#define SQLITE_IOERR_READ          (SQLITE_IOERR | (1<<8))
+#define SQLITE_IOERR_SHORT_READ    (SQLITE_IOERR | (2<<8))
+#define SQLITE_IOERR_WRITE         (SQLITE_IOERR | (3<<8))
+#define SQLITE_IOERR_FSYNC         (SQLITE_IOERR | (4<<8))
+#define SQLITE_IOERR_DIR_FSYNC     (SQLITE_IOERR | (5<<8))
+#define SQLITE_IOERR_TRUNCATE      (SQLITE_IOERR | (6<<8))
+#define SQLITE_IOERR_FSTAT         (SQLITE_IOERR | (7<<8))
+#define SQLITE_IOERR_UNLOCK        (SQLITE_IOERR | (8<<8))
+#define SQLITE_IOERR_RDLOCK        (SQLITE_IOERR | (9<<8))
+#define SQLITE_IOERR_DELETE        (SQLITE_IOERR | (10<<8))
+
+/*
+** Enable or disable the extended result codes.
+*/
+int sqlite3_extended_result_codes(sqlite3*, int onoff);
+
+/*
+** Each entry in an SQLite table has a unique integer key.  (The key is
+** the value of the INTEGER PRIMARY KEY column if there is such a column,
+** otherwise the key is generated automatically.  The unique key is always
+** available as the ROWID, OID, or _ROWID_ column.)  The following routine
+** returns the integer key of the most recent insert in the database.
+*/
+sqlite_int64 sqlite3_last_insert_rowid(sqlite3*);
+
+/*
+** This function returns the number of database rows that were changed
+** (or inserted or deleted) by the most recent SQL statement.  Only
+** changes that are directly specified by the INSERT, UPDATE, or
+** DELETE statement are counted.  Auxiliary changes caused by
+** triggers are not counted.   Within the body of a trigger, however,
+** the sqlite3_changes() API can be called to find the number of
+** changes in the most recently completed INSERT, UPDATE, or DELETE
+** statement within the body of the trigger.
+**
+** All changes are counted, even if they were later undone by a
+** ROLLBACK or ABORT.  Except, changes associated with creating and
+** dropping tables are not counted.
+**
+** If a callback invokes sqlite3_exec() or sqlite3_step() recursively,
+** then the changes in the inner, recursive call are counted together
+** with the changes in the outer call.
+**
+** SQLite implements the command "DELETE FROM table" without a WHERE clause
+** by dropping and recreating the table.  (This is much faster than going
+** through and deleting individual elements form the table.)  Because of
+** this optimization, the change count for "DELETE FROM table" will be
+** zero regardless of the number of elements that were originally in the
+** table. To get an accurate count of the number of rows deleted, use
+** "DELETE FROM table WHERE 1" instead.
+*/
+int sqlite3_changes(sqlite3*);
+
+/*
+** This function returns the number of database rows that have been
+** modified by INSERT, UPDATE or DELETE statements since the database handle
+** was opened. This includes UPDATE, INSERT and DELETE statements executed
+** as part of trigger programs. All changes are counted as soon as the
+** statement that makes them is completed (when the statement handle is
+** passed to sqlite3_reset() or sqlite_finalise()).
+**
+** SQLite implements the command "DELETE FROM table" without a WHERE clause
+** by dropping and recreating the table.  (This is much faster than going
+** through and deleting individual elements form the table.)  Because of
+** this optimization, the change count for "DELETE FROM table" will be
+** zero regardless of the number of elements that were originally in the
+** table. To get an accurate count of the number of rows deleted, use
+** "DELETE FROM table WHERE 1" instead.
+*/
+int sqlite3_total_changes(sqlite3*);
+
+/* This function causes any pending database operation to abort and
+** return at its earliest opportunity.  This routine is typically
+** called in response to a user action such as pressing "Cancel"
+** or Ctrl-C where the user wants a long query operation to halt
+** immediately.
+**
+** It is safe to call this routine from a different thread that the
+** thread that is currently running the database operation. 
+*/
+void sqlite3_interrupt(sqlite3*);
+
+
+/* These functions return true if the given input string comprises
+** one or more complete SQL statements. For the sqlite3_complete() call,
+** the parameter must be a nul-terminated UTF-8 string. For
+** sqlite3_complete16(), a nul-terminated machine byte order UTF-16 string
+** is required.
+**
+** This routine is useful for command-line input to see of the user has
+** entered a complete statement of SQL or if the current statement needs
+** to be continued on the next line.  The algorithm is simple.  If the 
+** last token other than spaces and comments is a semicolon, then return 
+** true.  Actually, the algorithm is a little more complicated than that
+** in order to deal with triggers, but the basic idea is the same:  the
+** statement is not complete unless it ends in a semicolon.
+*/
+int sqlite3_complete(const char *sql);
+int sqlite3_complete16(const void *sql);
+
+/*
+** This routine identifies a callback function that is invoked
+** whenever an attempt is made to open a database table that is
+** currently locked by another process or thread.  If the busy callback
+** is NULL, then sqlite3_exec() returns SQLITE_BUSY immediately if
+** it finds a locked table.  If the busy callback is not NULL, then
+** sqlite3_exec() invokes the callback with two arguments.  The
+** first argument to the handler is a copy of the void* pointer which
+** is the third argument to this routine.  The second argument to
+** the handler is the number of times that the busy handler has
+** been invoked for this locking event.  If the
+** busy callback returns 0, then sqlite3_exec() immediately returns
+** SQLITE_BUSY.  If the callback returns non-zero, then sqlite3_exec()
+** tries to open the table again and the cycle repeats.
+**
+** The presence of a busy handler does not guarantee that
+** it will be invoked when there is lock contention.
+** If SQLite determines that invoking the busy handler could result in
+** a deadlock, it will return SQLITE_BUSY instead.
+** Consider a scenario where one process is holding a read lock that
+** it is trying to promote to a reserved lock and
+** a second process is holding a reserved lock that it is trying
+** to promote to an exclusive lock.  The first process cannot proceed
+** because it is blocked by the second and the second process cannot
+** proceed because it is blocked by the first.  If both processes
+** invoke the busy handlers, neither will make any progress.  Therefore,
+** SQLite returns SQLITE_BUSY for the first process, hoping that this
+** will induce the first process to release its read lock and allow
+** the second process to proceed.
+**
+** The default busy callback is NULL.
+**
+** Sqlite is re-entrant, so the busy handler may start a new query. 
+** (It is not clear why anyone would every want to do this, but it
+** is allowed, in theory.)  But the busy handler may not close the
+** database.  Closing the database from a busy handler will delete 
+** data structures out from under the executing query and will 
+** probably result in a coredump.
+*/
+int sqlite3_busy_handler(sqlite3*, int(*)(void*,int), void*);
+
+/*
+** This routine sets a busy handler that sleeps for a while when a
+** table is locked.  The handler will sleep multiple times until 
+** at least "ms" milleseconds of sleeping have been done.  After
+** "ms" milleseconds of sleeping, the handler returns 0 which
+** causes sqlite3_exec() to return SQLITE_BUSY.
+**
+** Calling this routine with an argument less than or equal to zero
+** turns off all busy handlers.
+*/
+int sqlite3_busy_timeout(sqlite3*, int ms);
+
+/*
+** This next routine is really just a wrapper around sqlite3_exec().
+** Instead of invoking a user-supplied callback for each row of the
+** result, this routine remembers each row of the result in memory
+** obtained from malloc(), then returns all of the result after the
+** query has finished. 
+**
+** As an example, suppose the query result where this table:
+**
+**        Name        | Age
+**        -----------------------
+**        Alice       | 43
+**        Bob         | 28
+**        Cindy       | 21
+**
+** If the 3rd argument were &azResult then after the function returns
+** azResult will contain the following data:
+**
+**        azResult[0] = "Name";
+**        azResult[1] = "Age";
+**        azResult[2] = "Alice";
+**        azResult[3] = "43";
+**        azResult[4] = "Bob";
+**        azResult[5] = "28";
+**        azResult[6] = "Cindy";
+**        azResult[7] = "21";
+**
+** Notice that there is an extra row of data containing the column
+** headers.  But the *nrow return value is still 3.  *ncolumn is
+** set to 2.  In general, the number of values inserted into azResult
+** will be ((*nrow) + 1)*(*ncolumn).
+**
+** After the calling function has finished using the result, it should 
+** pass the result data pointer to sqlite3_free_table() in order to 
+** release the memory that was malloc-ed.  Because of the way the 
+** malloc() happens, the calling function must not try to call 
+** free() directly.  Only sqlite3_free_table() is able to release 
+** the memory properly and safely.
+**
+** The return value of this routine is the same as from sqlite3_exec().
+*/
+int sqlite3_get_table(
+  sqlite3*,               /* An open database */
+  const char *sql,       /* SQL to be executed */
+  char ***resultp,       /* Result written to a char *[]  that this points to */
+  int *nrow,             /* Number of result rows written here */
+  int *ncolumn,          /* Number of result columns written here */
+  char **errmsg          /* Error msg written here */
+);
+
+/*
+** Call this routine to free the memory that sqlite3_get_table() allocated.
+*/
+void sqlite3_free_table(char **result);
+
+/*
+** The following routines are variants of the "sprintf()" from the
+** standard C library.  The resulting string is written into memory
+** obtained from malloc() so that there is never a possiblity of buffer
+** overflow.  These routines also implement some additional formatting
+** options that are useful for constructing SQL statements.
+**
+** The strings returned by these routines should be freed by calling
+** sqlite3_free().
+**
+** All of the usual printf formatting options apply.  In addition, there
+** is a "%q" option.  %q works like %s in that it substitutes a null-terminated
+** string from the argument list.  But %q also doubles every '\'' character.
+** %q is designed for use inside a string literal.  By doubling each '\''
+** character it escapes that character and allows it to be inserted into
+** the string.
+**
+** For example, so some string variable contains text as follows:
+**
+**      char *zText = "It's a happy day!";
+**
+** We can use this text in an SQL statement as follows:
+**
+**      char *z = sqlite3_mprintf("INSERT INTO TABLES('%q')", zText);
+**      sqlite3_exec(db, z, callback1, 0, 0);
+**      sqlite3_free(z);
+**
+** Because the %q format string is used, the '\'' character in zText
+** is escaped and the SQL generated is as follows:
+**
+**      INSERT INTO table1 VALUES('It''s a happy day!')
+**
+** This is correct.  Had we used %s instead of %q, the generated SQL
+** would have looked like this:
+**
+**      INSERT INTO table1 VALUES('It's a happy day!');
+**
+** This second example is an SQL syntax error.  As a general rule you
+** should always use %q instead of %s when inserting text into a string 
+** literal.
+*/
+char *sqlite3_mprintf(const char*,...);
+char *sqlite3_vmprintf(const char*, va_list);
+char *sqlite3_snprintf(int,char*,const char*, ...);
+
+/*
+** SQLite uses its own memory allocator.  On many installations, this
+** memory allocator is identical to the standard malloc()/realloc()/free()
+** and can be used interchangable.  On others, the implementations are
+** different.  For maximum portability, it is best not to mix calls
+** to the standard malloc/realloc/free with the sqlite versions.
+*/
+void *sqlite3_malloc(int);
+void *sqlite3_realloc(void*, int);
+void sqlite3_free(void*);
+
+#ifndef SQLITE_OMIT_AUTHORIZATION
+/*
+** This routine registers a callback with the SQLite library.  The
+** callback is invoked (at compile-time, not at run-time) for each
+** attempt to access a column of a table in the database.  The callback
+** returns SQLITE_OK if access is allowed, SQLITE_DENY if the entire
+** SQL statement should be aborted with an error and SQLITE_IGNORE
+** if the column should be treated as a NULL value.
+*/
+int sqlite3_set_authorizer(
+  sqlite3*,
+  int (*xAuth)(void*,int,const char*,const char*,const char*,const char*),
+  void *pUserData
+);
+#endif
+
+/*
+** The second parameter to the access authorization function above will
+** be one of the values below.  These values signify what kind of operation
+** is to be authorized.  The 3rd and 4th parameters to the authorization
+** function will be parameters or NULL depending on which of the following
+** codes is used as the second parameter.  The 5th parameter is the name
+** of the database ("main", "temp", etc.) if applicable.  The 6th parameter
+** is the name of the inner-most trigger or view that is responsible for
+** the access attempt or NULL if this access attempt is directly from 
+** input SQL code.
+**
+**                                          Arg-3           Arg-4
+*/
+#define SQLITE_COPY                  0   /* Table Name      File Name       */
+#define SQLITE_CREATE_INDEX          1   /* Index Name      Table Name      */
+#define SQLITE_CREATE_TABLE          2   /* Table Name      NULL            */
+#define SQLITE_CREATE_TEMP_INDEX     3   /* Index Name      Table Name      */
+#define SQLITE_CREATE_TEMP_TABLE     4   /* Table Name      NULL            */
+#define SQLITE_CREATE_TEMP_TRIGGER   5   /* Trigger Name    Table Name      */
+#define SQLITE_CREATE_TEMP_VIEW      6   /* View Name       NULL            */
+#define SQLITE_CREATE_TRIGGER        7   /* Trigger Name    Table Name      */
+#define SQLITE_CREATE_VIEW           8   /* View Name       NULL            */
+#define SQLITE_DELETE                9   /* Table Name      NULL            */
+#define SQLITE_DROP_INDEX           10   /* Index Name      Table Name      */
+#define SQLITE_DROP_TABLE           11   /* Table Name      NULL            */
+#define SQLITE_DROP_TEMP_INDEX      12   /* Index Name      Table Name      */
+#define SQLITE_DROP_TEMP_TABLE      13   /* Table Name      NULL            */
+#define SQLITE_DROP_TEMP_TRIGGER    14   /* Trigger Name    Table Name      */
+#define SQLITE_DROP_TEMP_VIEW       15   /* View Name       NULL            */
+#define SQLITE_DROP_TRIGGER         16   /* Trigger Name    Table Name      */
+#define SQLITE_DROP_VIEW            17   /* View Name       NULL            */
+#define SQLITE_INSERT               18   /* Table Name      NULL            */
+#define SQLITE_PRAGMA               19   /* Pragma Name     1st arg or NULL */
+#define SQLITE_READ                 20   /* Table Name      Column Name     */
+#define SQLITE_SELECT               21   /* NULL            NULL            */
+#define SQLITE_TRANSACTION          22   /* NULL            NULL            */
+#define SQLITE_UPDATE               23   /* Table Name      Column Name     */
+#define SQLITE_ATTACH               24   /* Filename        NULL            */
+#define SQLITE_DETACH               25   /* Database Name   NULL            */
+#define SQLITE_ALTER_TABLE          26   /* Database Name   Table Name      */
+#define SQLITE_REINDEX              27   /* Index Name      NULL            */
+#define SQLITE_ANALYZE              28   /* Table Name      NULL            */
+#define SQLITE_CREATE_VTABLE        29   /* Table Name      Module Name     */
+#define SQLITE_DROP_VTABLE          30   /* Table Name      Module Name     */
+#define SQLITE_FUNCTION             31   /* Function Name   NULL            */
+
+/*
+** The return value of the authorization function should be one of the
+** following constants:
+*/
+/* #define SQLITE_OK  0   // Allow access (This is actually defined above) */
+#define SQLITE_DENY   1   /* Abort the SQL statement with an error */
+#define SQLITE_IGNORE 2   /* Don't allow access, but don't generate an error */
+
+/*
+** Register a function for tracing SQL command evaluation.  The function
+** registered by sqlite3_trace() is invoked at the first sqlite3_step()
+** for the evaluation of an SQL statement.  The function registered by
+** sqlite3_profile() runs at the end of each SQL statement and includes
+** information on how long that statement ran.
+**
+** The sqlite3_profile() API is currently considered experimental and
+** is subject to change.
+*/
+void *sqlite3_trace(sqlite3*, void(*xTrace)(void*,const char*), void*);
+void *sqlite3_profile(sqlite3*,
+   void(*xProfile)(void*,const char*,sqlite_uint64), void*);
+
+/*
+** This routine configures a callback function - the progress callback - that
+** is invoked periodically during long running calls to sqlite3_exec(),
+** sqlite3_step() and sqlite3_get_table(). An example use for this API is to 
+** keep a GUI updated during a large query.
+**
+** The progress callback is invoked once for every N virtual machine opcodes,
+** where N is the second argument to this function. The progress callback
+** itself is identified by the third argument to this function. The fourth
+** argument to this function is a void pointer passed to the progress callback
+** function each time it is invoked.
+**
+** If a call to sqlite3_exec(), sqlite3_step() or sqlite3_get_table() results 
+** in less than N opcodes being executed, then the progress callback is not
+** invoked.
+** 
+** To remove the progress callback altogether, pass NULL as the third
+** argument to this function.
+**
+** If the progress callback returns a result other than 0, then the current 
+** query is immediately terminated and any database changes rolled back. If the
+** query was part of a larger transaction, then the transaction is not rolled
+** back and remains active. The sqlite3_exec() call returns SQLITE_ABORT. 
+**
+******* THIS IS AN EXPERIMENTAL API AND IS SUBJECT TO CHANGE ******
+*/
+void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
+
+/*
+** Register a callback function to be invoked whenever a new transaction
+** is committed.  The pArg argument is passed through to the callback.
+** callback.  If the callback function returns non-zero, then the commit
+** is converted into a rollback.
+**
+** If another function was previously registered, its pArg value is returned.
+** Otherwise NULL is returned.
+**
+** Registering a NULL function disables the callback.
+**
+******* THIS IS AN EXPERIMENTAL API AND IS SUBJECT TO CHANGE ******
+*/
+void *sqlite3_commit_hook(sqlite3*, int(*)(void*), void*);
+
+/*
+** Open the sqlite database file "filename".  The "filename" is UTF-8
+** encoded for sqlite3_open() and UTF-16 encoded in the native byte order
+** for sqlite3_open16().  An sqlite3* handle is returned in *ppDb, even
+** if an error occurs. If the database is opened (or created) successfully,
+** then SQLITE_OK is returned. Otherwise an error code is returned. The
+** sqlite3_errmsg() or sqlite3_errmsg16()  routines can be used to obtain
+** an English language description of the error.
+**
+** If the database file does not exist, then a new database is created.
+** The encoding for the database is UTF-8 if sqlite3_open() is called and
+** UTF-16 if sqlite3_open16 is used.
+**
+** Whether or not an error occurs when it is opened, resources associated
+** with the sqlite3* handle should be released by passing it to
+** sqlite3_close() when it is no longer required.
+*/
+int sqlite3_open(
+  const char *filename,   /* Database filename (UTF-8) */
+  sqlite3 **ppDb          /* OUT: SQLite db handle */
+);
+int sqlite3_open16(
+  const void *filename,   /* Database filename (UTF-16) */
+  sqlite3 **ppDb          /* OUT: SQLite db handle */
+);
+
+/*
+** Return the error code for the most recent sqlite3_* API call associated
+** with sqlite3 handle 'db'. SQLITE_OK is returned if the most recent 
+** API call was successful.
+**
+** Calls to many sqlite3_* functions set the error code and string returned
+** by sqlite3_errcode(), sqlite3_errmsg() and sqlite3_errmsg16()
+** (overwriting the previous values). Note that calls to sqlite3_errcode(),
+** sqlite3_errmsg() and sqlite3_errmsg16() themselves do not affect the
+** results of future invocations.
+**
+** Assuming no other intervening sqlite3_* API calls are made, the error
+** code returned by this function is associated with the same error as
+** the strings  returned by sqlite3_errmsg() and sqlite3_errmsg16().
+*/
+int sqlite3_errcode(sqlite3 *db);
+
+/*
+** Return a pointer to a UTF-8 encoded string describing in english the
+** error condition for the most recent sqlite3_* API call. The returned
+** string is always terminated by an 0x00 byte.
+**
+** The string "not an error" is returned when the most recent API call was
+** successful.
+*/
+const char *sqlite3_errmsg(sqlite3*);
+
+/*
+** Return a pointer to a UTF-16 native byte order encoded string describing
+** in english the error condition for the most recent sqlite3_* API call.
+** The returned string is always terminated by a pair of 0x00 bytes.
+**
+** The string "not an error" is returned when the most recent API call was
+** successful.
+*/
+const void *sqlite3_errmsg16(sqlite3*);
+
+/*
+** An instance of the following opaque structure is used to represent
+** a compiled SQL statment.
+*/
+typedef struct sqlite3_stmt sqlite3_stmt;
+
+/*
+** To execute an SQL query, it must first be compiled into a byte-code
+** program using one of the following routines. The only difference between
+** them is that the second argument, specifying the SQL statement to
+** compile, is assumed to be encoded in UTF-8 for the sqlite3_prepare()
+** function and UTF-16 for sqlite3_prepare16().
+**
+** The first parameter "db" is an SQLite database handle. The second
+** parameter "zSql" is the statement to be compiled, encoded as either
+** UTF-8 or UTF-16 (see above). If the next parameter, "nBytes", is less
+** than zero, then zSql is read up to the first nul terminator.  If
+** "nBytes" is not less than zero, then it is the length of the string zSql
+** in bytes (not characters).
+**
+** *pzTail is made to point to the first byte past the end of the first
+** SQL statement in zSql.  This routine only compiles the first statement
+** in zSql, so *pzTail is left pointing to what remains uncompiled.
+**
+** *ppStmt is left pointing to a compiled SQL statement that can be
+** executed using sqlite3_step().  Or if there is an error, *ppStmt may be
+** set to NULL.  If the input text contained no SQL (if the input is and
+** empty string or a comment) then *ppStmt is set to NULL.
+**
+** On success, SQLITE_OK is returned.  Otherwise an error code is returned.
+*/
+int sqlite3_prepare(
+  sqlite3 *db,            /* Database handle */
+  const char *zSql,       /* SQL statement, UTF-8 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const char **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+int sqlite3_prepare16(
+  sqlite3 *db,            /* Database handle */
+  const void *zSql,       /* SQL statement, UTF-16 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const void **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+
+/*
+** Newer versions of the prepare API work just like the legacy versions
+** but with one exception:  The a copy of the SQL text is saved in the
+** sqlite3_stmt structure that is returned.  If this copy exists, it
+** modifieds the behavior of sqlite3_step() slightly.  First, sqlite3_step()
+** will no longer return an SQLITE_SCHEMA error but will instead automatically
+** rerun the compiler to rebuild the prepared statement.  Secondly, 
+** sqlite3_step() now turns a full result code - the result code that
+** use used to have to call sqlite3_reset() to get.
+*/
+int sqlite3_prepare_v2(
+  sqlite3 *db,            /* Database handle */
+  const char *zSql,       /* SQL statement, UTF-8 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const char **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+int sqlite3_prepare16_v2(
+  sqlite3 *db,            /* Database handle */
+  const void *zSql,       /* SQL statement, UTF-16 encoded */
+  int nBytes,             /* Length of zSql in bytes. */
+  sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+  const void **pzTail     /* OUT: Pointer to unused portion of zSql */
+);
+
+/*
+** Pointers to the following two opaque structures are used to communicate
+** with the implementations of user-defined functions.
+*/
+typedef struct sqlite3_context sqlite3_context;
+typedef struct Mem sqlite3_value;
+
+/*
+** In the SQL strings input to sqlite3_prepare() and sqlite3_prepare16(),
+** one or more literals can be replace by parameters "?" or "?NNN" or 
+** ":AAA" or "@AAA" or "$VVV" where NNN is a integer, AAA is an identifer,
+** and VVV is a variable name according  to the syntax rules of the
+** TCL programming language.  The value of these parameters (also called
+** "host parameter names") can be set using the routines listed below.
+**
+** In every case, the first argument is a pointer to the sqlite3_stmt
+** structure returned from sqlite3_prepare().  The second argument is the
+** index of the host parameter name.  The first host parameter as an index 
+** of 1.  For named host parameters (":AAA" or "$VVV") you can use 
+** sqlite3_bind_parameter_index() to get the correct index value given
+** the parameter name.  If the same named parameter occurs more than
+** once, it is assigned the same index each time.
+**
+** The fifth argument to sqlite3_bind_blob(), sqlite3_bind_text(), and
+** sqlite3_bind_text16() is a destructor used to dispose of the BLOB or
+** text after SQLite has finished with it.  If the fifth argument is the
+** special value SQLITE_STATIC, then the library assumes that the information
+** is in static, unmanaged space and does not need to be freed.  If the
+** fifth argument has the value SQLITE_TRANSIENT, then SQLite makes its
+** own private copy of the data before the sqlite3_bind_* routine returns.
+**
+** The sqlite3_bind_* routine must be called before sqlite3_step() and after
+** an sqlite3_prepare() or sqlite3_reset().  Bindings persist across
+** multiple calls to sqlite3_reset() and sqlite3_step().  Unbound parameters 
+** are interpreted as NULL.
+*/
+int sqlite3_bind_blob(sqlite3_stmt*, int, const void*, int n, void(*)(void*));
+int sqlite3_bind_double(sqlite3_stmt*, int, double);
+int sqlite3_bind_int(sqlite3_stmt*, int, int);
+int sqlite3_bind_int64(sqlite3_stmt*, int, sqlite_int64);
+int sqlite3_bind_null(sqlite3_stmt*, int);
+int sqlite3_bind_text(sqlite3_stmt*, int, const char*, int n, void(*)(void*));
+int sqlite3_bind_text16(sqlite3_stmt*, int, const void*, int, void(*)(void*));
+int sqlite3_bind_value(sqlite3_stmt*, int, const sqlite3_value*);
+
+/*
+** Return the number of host parameters in a compiled SQL statement.  This
+** routine was added to support DBD::SQLite.
+*/
+int sqlite3_bind_parameter_count(sqlite3_stmt*);
+
+/*
+** Return the name of the i-th name parameter.  Ordinary parameters "?" are
+** nameless and a NULL is returned.  For parameters of the form :AAA or
+** $VVV the complete text of the parameter name is returned, including
+** the initial ":" or "$".  NULL is returned if the index is out of range.
+*/
+const char *sqlite3_bind_parameter_name(sqlite3_stmt*, int);
+
+/*
+** Return the index of a parameter with the given name.  The name
+** must match exactly.  If no parameter with the given name is found,
+** return 0.
+*/
+int sqlite3_bind_parameter_index(sqlite3_stmt*, const char *zName);
+
+/*
+** Set all the parameters in the compiled SQL statement to NULL.
+*/
+int sqlite3_clear_bindings(sqlite3_stmt*);
+
+/*
+** Return the number of columns in the result set returned by the compiled
+** SQL statement. This routine returns 0 if pStmt is an SQL statement
+** that does not return data (for example an UPDATE).
+*/
+int sqlite3_column_count(sqlite3_stmt *pStmt);
+
+/*
+** The first parameter is a compiled SQL statement. This function returns
+** the column heading for the Nth column of that statement, where N is the
+** second function parameter.  The string returned is UTF-8 for
+** sqlite3_column_name() and UTF-16 for sqlite3_column_name16().
+*/
+const char *sqlite3_column_name(sqlite3_stmt*,int);
+const void *sqlite3_column_name16(sqlite3_stmt*,int);
+
+/*
+** The first argument to the following calls is a compiled SQL statement.
+** These functions return information about the Nth column returned by 
+** the statement, where N is the second function argument.
+**
+** If the Nth column returned by the statement is not a column value,
+** then all of the functions return NULL. Otherwise, the return the 
+** name of the attached database, table and column that the expression
+** extracts a value from.
+**
+** As with all other SQLite APIs, those postfixed with "16" return UTF-16
+** encoded strings, the other functions return UTF-8. The memory containing
+** the returned strings is valid until the statement handle is finalized().
+**
+** These APIs are only available if the library was compiled with the 
+** SQLITE_ENABLE_COLUMN_METADATA preprocessor symbol defined.
+*/
+const char *sqlite3_column_database_name(sqlite3_stmt*,int);
+const void *sqlite3_column_database_name16(sqlite3_stmt*,int);
+const char *sqlite3_column_table_name(sqlite3_stmt*,int);
+const void *sqlite3_column_table_name16(sqlite3_stmt*,int);
+const char *sqlite3_column_origin_name(sqlite3_stmt*,int);
+const void *sqlite3_column_origin_name16(sqlite3_stmt*,int);
+
+/*
+** The first parameter is a compiled SQL statement. If this statement
+** is a SELECT statement, the Nth column of the returned result set 
+** of the SELECT is a table column then the declared type of the table
+** column is returned. If the Nth column of the result set is not at table
+** column, then a NULL pointer is returned. The returned string is always
+** UTF-8 encoded. For example, in the database schema:
+**
+** CREATE TABLE t1(c1 VARIANT);
+**
+** And the following statement compiled:
+**
+** SELECT c1 + 1, c1 FROM t1;
+**
+** Then this routine would return the string "VARIANT" for the second
+** result column (i==1), and a NULL pointer for the first result column
+** (i==0).
+*/
+const char *sqlite3_column_decltype(sqlite3_stmt *, int i);
+
+/*
+** The first parameter is a compiled SQL statement. If this statement
+** is a SELECT statement, the Nth column of the returned result set 
+** of the SELECT is a table column then the declared type of the table
+** column is returned. If the Nth column of the result set is not at table
+** column, then a NULL pointer is returned. The returned string is always
+** UTF-16 encoded. For example, in the database schema:
+**
+** CREATE TABLE t1(c1 INTEGER);
+**
+** And the following statement compiled:
+**
+** SELECT c1 + 1, c1 FROM t1;
+**
+** Then this routine would return the string "INTEGER" for the second
+** result column (i==1), and a NULL pointer for the first result column
+** (i==0).
+*/
+const void *sqlite3_column_decltype16(sqlite3_stmt*,int);
+
+/* 
+** After an SQL query has been compiled with a call to either
+** sqlite3_prepare() or sqlite3_prepare16(), then this function must be
+** called one or more times to execute the statement.
+**
+** The return value will be either SQLITE_BUSY, SQLITE_DONE, 
+** SQLITE_ROW, SQLITE_ERROR, or SQLITE_MISUSE.
+**
+** SQLITE_BUSY means that the database engine attempted to open
+** a locked database and there is no busy callback registered.
+** Call sqlite3_step() again to retry the open.
+**
+** SQLITE_DONE means that the statement has finished executing
+** successfully.  sqlite3_step() should not be called again on this virtual
+** machine.
+**
+** If the SQL statement being executed returns any data, then 
+** SQLITE_ROW is returned each time a new row of data is ready
+** for processing by the caller. The values may be accessed using
+** the sqlite3_column_*() functions described below. sqlite3_step()
+** is called again to retrieve the next row of data.
+** 
+** SQLITE_ERROR means that a run-time error (such as a constraint
+** violation) has occurred.  sqlite3_step() should not be called again on
+** the VM. More information may be found by calling sqlite3_errmsg().
+**
+** SQLITE_MISUSE means that the this routine was called inappropriately.
+** Perhaps it was called on a virtual machine that had already been
+** finalized or on one that had previously returned SQLITE_ERROR or
+** SQLITE_DONE.  Or it could be the case the the same database connection
+** is being used simulataneously by two or more threads.
+*/
+int sqlite3_step(sqlite3_stmt*);
+
+/*
+** Return the number of values in the current row of the result set.
+**
+** After a call to sqlite3_step() that returns SQLITE_ROW, this routine
+** will return the same value as the sqlite3_column_count() function.
+** After sqlite3_step() has returned an SQLITE_DONE, SQLITE_BUSY or
+** error code, or before sqlite3_step() has been called on a 
+** compiled SQL statement, this routine returns zero.
+*/
+int sqlite3_data_count(sqlite3_stmt *pStmt);
+
+/*
+** Values are stored in the database in one of the following fundamental
+** types.
+*/
+#define SQLITE_INTEGER  1
+#define SQLITE_FLOAT    2
+/* #define SQLITE_TEXT  3  // See below */
+#define SQLITE_BLOB     4
+#define SQLITE_NULL     5
+
+/*
+** SQLite version 2 defines SQLITE_TEXT differently.  To allow both
+** version 2 and version 3 to be included, undefine them both if a
+** conflict is seen.  Define SQLITE3_TEXT to be the version 3 value.
+*/
+#ifdef SQLITE_TEXT
+# undef SQLITE_TEXT
+#else
+# define SQLITE_TEXT     3
+#endif
+#define SQLITE3_TEXT     3
+
+/*
+** The next group of routines returns information about the information
+** in a single column of the current result row of a query.  In every
+** case the first parameter is a pointer to the SQL statement that is being
+** executed (the sqlite_stmt* that was returned from sqlite3_prepare()) and
+** the second argument is the index of the column for which information 
+** should be returned.  iCol is zero-indexed.  The left-most column as an
+** index of 0.
+**
+** If the SQL statement is not currently point to a valid row, or if the
+** the colulmn index is out of range, the result is undefined.
+**
+** These routines attempt to convert the value where appropriate.  For
+** example, if the internal representation is FLOAT and a text result
+** is requested, sprintf() is used internally to do the conversion
+** automatically.  The following table details the conversions that
+** are applied:
+**
+**    Internal Type    Requested Type     Conversion
+**    -------------    --------------    --------------------------
+**       NULL             INTEGER         Result is 0
+**       NULL             FLOAT           Result is 0.0
+**       NULL             TEXT            Result is an empty string
+**       NULL             BLOB            Result is a zero-length BLOB
+**       INTEGER          FLOAT           Convert from integer to float
+**       INTEGER          TEXT            ASCII rendering of the integer
+**       INTEGER          BLOB            Same as for INTEGER->TEXT
+**       FLOAT            INTEGER         Convert from float to integer
+**       FLOAT            TEXT            ASCII rendering of the float
+**       FLOAT            BLOB            Same as FLOAT->TEXT
+**       TEXT             INTEGER         Use atoi()
+**       TEXT             FLOAT           Use atof()
+**       TEXT             BLOB            No change
+**       BLOB             INTEGER         Convert to TEXT then use atoi()
+**       BLOB             FLOAT           Convert to TEXT then use atof()
+**       BLOB             TEXT            Add a \000 terminator if needed
+**
+** The following access routines are provided:
+**
+** _type()     Return the datatype of the result.  This is one of
+**             SQLITE_INTEGER, SQLITE_FLOAT, SQLITE_TEXT, SQLITE_BLOB,
+**             or SQLITE_NULL.
+** _blob()     Return the value of a BLOB.
+** _bytes()    Return the number of bytes in a BLOB value or the number
+**             of bytes in a TEXT value represented as UTF-8.  The \000
+**             terminator is included in the byte count for TEXT values.
+** _bytes16()  Return the number of bytes in a BLOB value or the number
+**             of bytes in a TEXT value represented as UTF-16.  The \u0000
+**             terminator is included in the byte count for TEXT values.
+** _double()   Return a FLOAT value.
+** _int()      Return an INTEGER value in the host computer's native
+**             integer representation.  This might be either a 32- or 64-bit
+**             integer depending on the host.
+** _int64()    Return an INTEGER value as a 64-bit signed integer.
+** _text()     Return the value as UTF-8 text.
+** _text16()   Return the value as UTF-16 text.
+*/
+const void *sqlite3_column_blob(sqlite3_stmt*, int iCol);
+int sqlite3_column_bytes(sqlite3_stmt*, int iCol);
+int sqlite3_column_bytes16(sqlite3_stmt*, int iCol);
+double sqlite3_column_double(sqlite3_stmt*, int iCol);
+int sqlite3_column_int(sqlite3_stmt*, int iCol);
+sqlite_int64 sqlite3_column_int64(sqlite3_stmt*, int iCol);
+const unsigned char *sqlite3_column_text(sqlite3_stmt*, int iCol);
+const void *sqlite3_column_text16(sqlite3_stmt*, int iCol);
+int sqlite3_column_type(sqlite3_stmt*, int iCol);
+int sqlite3_column_numeric_type(sqlite3_stmt*, int iCol);
+sqlite3_value *sqlite3_column_value(sqlite3_stmt*, int iCol);
+
+/*
+** The sqlite3_finalize() function is called to delete a compiled
+** SQL statement obtained by a previous call to sqlite3_prepare()
+** or sqlite3_prepare16(). If the statement was executed successfully, or
+** not executed at all, then SQLITE_OK is returned. If execution of the
+** statement failed then an error code is returned. 
+**
+** This routine can be called at any point during the execution of the
+** virtual machine.  If the virtual machine has not completed execution
+** when this routine is called, that is like encountering an error or
+** an interrupt.  (See sqlite3_interrupt().)  Incomplete updates may be
+** rolled back and transactions cancelled,  depending on the circumstances,
+** and the result code returned will be SQLITE_ABORT.
+*/
+int sqlite3_finalize(sqlite3_stmt *pStmt);
+
+/*
+** The sqlite3_reset() function is called to reset a compiled SQL
+** statement obtained by a previous call to sqlite3_prepare() or
+** sqlite3_prepare16() back to it's initial state, ready to be re-executed.
+** Any SQL statement variables that had values bound to them using
+** the sqlite3_bind_*() API retain their values.
+*/
+int sqlite3_reset(sqlite3_stmt *pStmt);
+
+/*
+** The following two functions are used to add user functions or aggregates
+** implemented in C to the SQL langauge interpreted by SQLite. The
+** difference only between the two is that the second parameter, the
+** name of the (scalar) function or aggregate, is encoded in UTF-8 for
+** sqlite3_create_function() and UTF-16 for sqlite3_create_function16().
+**
+** The first argument is the database handle that the new function or
+** aggregate is to be added to. If a single program uses more than one
+** database handle internally, then user functions or aggregates must 
+** be added individually to each database handle with which they will be
+** used.
+**
+** The third parameter is the number of arguments that the function or
+** aggregate takes. If this parameter is negative, then the function or
+** aggregate may take any number of arguments.
+**
+** The fourth parameter is one of SQLITE_UTF* values defined below,
+** indicating the encoding that the function is most likely to handle
+** values in.  This does not change the behaviour of the programming
+** interface. However, if two versions of the same function are registered
+** with different encoding values, SQLite invokes the version likely to
+** minimize conversions between text encodings.
+**
+** The seventh, eighth and ninth parameters, xFunc, xStep and xFinal, are
+** pointers to user implemented C functions that implement the user
+** function or aggregate. A scalar function requires an implementation of
+** the xFunc callback only, NULL pointers should be passed as the xStep
+** and xFinal parameters. An aggregate function requires an implementation
+** of xStep and xFinal, but NULL should be passed for xFunc. To delete an
+** existing user function or aggregate, pass NULL for all three function
+** callback. Specifying an inconstent set of callback values, such as an
+** xFunc and an xFinal, or an xStep but no xFinal, SQLITE_ERROR is
+** returned.
+*/
+int sqlite3_create_function(
+  sqlite3 *,
+  const char *zFunctionName,
+  int nArg,
+  int eTextRep,
+  void*,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+  void (*xFinal)(sqlite3_context*)
+);
+int sqlite3_create_function16(
+  sqlite3*,
+  const void *zFunctionName,
+  int nArg,
+  int eTextRep,
+  void*,
+  void (*xFunc)(sqlite3_context*,int,sqlite3_value**),
+  void (*xStep)(sqlite3_context*,int,sqlite3_value**),
+  void (*xFinal)(sqlite3_context*)
+);
+
+/*
+** This function is deprecated.  Do not use it.  It continues to exist
+** so as not to break legacy code.  But new code should avoid using it.
+*/
+int sqlite3_aggregate_count(sqlite3_context*);
+
+/*
+** The next group of routines returns information about parameters to
+** a user-defined function.  Function implementations use these routines
+** to access their parameters.  These routines are the same as the
+** sqlite3_column_* routines except that these routines take a single
+** sqlite3_value* pointer instead of an sqlite3_stmt* and an integer
+** column number.
+*/
+const void *sqlite3_value_blob(sqlite3_value*);
+int sqlite3_value_bytes(sqlite3_value*);
+int sqlite3_value_bytes16(sqlite3_value*);
+double sqlite3_value_double(sqlite3_value*);
+int sqlite3_value_int(sqlite3_value*);
+sqlite_int64 sqlite3_value_int64(sqlite3_value*);
+const unsigned char *sqlite3_value_text(sqlite3_value*);
+const void *sqlite3_value_text16(sqlite3_value*);
+const void *sqlite3_value_text16le(sqlite3_value*);
+const void *sqlite3_value_text16be(sqlite3_value*);
+int sqlite3_value_type(sqlite3_value*);
+int sqlite3_value_numeric_type(sqlite3_value*);
+
+/*
+** Aggregate functions use the following routine to allocate
+** a structure for storing their state.  The first time this routine
+** is called for a particular aggregate, a new structure of size nBytes
+** is allocated, zeroed, and returned.  On subsequent calls (for the
+** same aggregate instance) the same buffer is returned.  The implementation
+** of the aggregate can use the returned buffer to accumulate data.
+**
+** The buffer allocated is freed automatically by SQLite.
+*/
+void *sqlite3_aggregate_context(sqlite3_context*, int nBytes);
+
+/*
+** The pUserData parameter to the sqlite3_create_function()
+** routine used to register user functions is available to
+** the implementation of the function using this call.
+*/
+void *sqlite3_user_data(sqlite3_context*);
+
+/*
+** The following two functions may be used by scalar user functions to
+** associate meta-data with argument values. If the same value is passed to
+** multiple invocations of the user-function during query execution, under
+** some circumstances the associated meta-data may be preserved. This may
+** be used, for example, to add a regular-expression matching scalar
+** function. The compiled version of the regular expression is stored as
+** meta-data associated with the SQL value passed as the regular expression
+** pattern.
+**
+** Calling sqlite3_get_auxdata() returns a pointer to the meta data
+** associated with the Nth argument value to the current user function
+** call, where N is the second parameter. If no meta-data has been set for
+** that value, then a NULL pointer is returned.
+**
+** The sqlite3_set_auxdata() is used to associate meta data with a user
+** function argument. The third parameter is a pointer to the meta data
+** to be associated with the Nth user function argument value. The fourth
+** parameter specifies a 'delete function' that will be called on the meta
+** data pointer to release it when it is no longer required. If the delete
+** function pointer is NULL, it is not invoked.
+**
+** In practice, meta-data is preserved between function calls for
+** expressions that are constant at compile time. This includes literal
+** values and SQL variables.
+*/
+void *sqlite3_get_auxdata(sqlite3_context*, int);
+void sqlite3_set_auxdata(sqlite3_context*, int, void*, void (*)(void*));
+
+
+/*
+** These are special value for the destructor that is passed in as the
+** final argument to routines like sqlite3_result_blob().  If the destructor
+** argument is SQLITE_STATIC, it means that the content pointer is constant
+** and will never change.  It does not need to be destroyed.  The 
+** SQLITE_TRANSIENT value means that the content will likely change in
+** the near future and that SQLite should make its own private copy of
+** the content before returning.
+**
+** The typedef is necessary to work around problems in certain
+** C++ compilers.  See ticket #2191.
+*/
+typedef void (*sqlite3_destructor_type)(void*);
+#define SQLITE_STATIC      ((sqlite3_destructor_type)0)
+#define SQLITE_TRANSIENT   ((sqlite3_destructor_type)-1)
+
+/*
+** User-defined functions invoke the following routines in order to
+** set their return value.
+*/
+void sqlite3_result_blob(sqlite3_context*, const void*, int, void(*)(void*));
+void sqlite3_result_double(sqlite3_context*, double);
+void sqlite3_result_error(sqlite3_context*, const char*, int);
+void sqlite3_result_error16(sqlite3_context*, const void*, int);
+void sqlite3_result_int(sqlite3_context*, int);
+void sqlite3_result_int64(sqlite3_context*, sqlite_int64);
+void sqlite3_result_null(sqlite3_context*);
+void sqlite3_result_text(sqlite3_context*, const char*, int, void(*)(void*));
+void sqlite3_result_text16(sqlite3_context*, const void*, int, void(*)(void*));
+void sqlite3_result_text16le(sqlite3_context*, const void*, int,void(*)(void*));
+void sqlite3_result_text16be(sqlite3_context*, const void*, int,void(*)(void*));
+void sqlite3_result_value(sqlite3_context*, sqlite3_value*);
+
+/*
+** These are the allowed values for the eTextRep argument to
+** sqlite3_create_collation and sqlite3_create_function.
+*/
+#define SQLITE_UTF8           1
+#define SQLITE_UTF16LE        2
+#define SQLITE_UTF16BE        3
+#define SQLITE_UTF16          4    /* Use native byte order */
+#define SQLITE_ANY            5    /* sqlite3_create_function only */
+#define SQLITE_UTF16_ALIGNED  8    /* sqlite3_create_collation only */
+
+/*
+** These two functions are used to add new collation sequences to the
+** sqlite3 handle specified as the first argument. 
+**
+** The name of the new collation sequence is specified as a UTF-8 string
+** for sqlite3_create_collation() and a UTF-16 string for
+** sqlite3_create_collation16(). In both cases the name is passed as the
+** second function argument.
+**
+** The third argument must be one of the constants SQLITE_UTF8,
+** SQLITE_UTF16LE or SQLITE_UTF16BE, indicating that the user-supplied
+** routine expects to be passed pointers to strings encoded using UTF-8,
+** UTF-16 little-endian or UTF-16 big-endian respectively.
+**
+** A pointer to the user supplied routine must be passed as the fifth
+** argument. If it is NULL, this is the same as deleting the collation
+** sequence (so that SQLite cannot call it anymore). Each time the user
+** supplied function is invoked, it is passed a copy of the void* passed as
+** the fourth argument to sqlite3_create_collation() or
+** sqlite3_create_collation16() as its first parameter.
+**
+** The remaining arguments to the user-supplied routine are two strings,
+** each represented by a [length, data] pair and encoded in the encoding
+** that was passed as the third argument when the collation sequence was
+** registered. The user routine should return negative, zero or positive if
+** the first string is less than, equal to, or greater than the second
+** string. i.e. (STRING1 - STRING2).
+*/
+int sqlite3_create_collation(
+  sqlite3*, 
+  const char *zName, 
+  int eTextRep, 
+  void*,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+);
+int sqlite3_create_collation16(
+  sqlite3*, 
+  const char *zName, 
+  int eTextRep, 
+  void*,
+  int(*xCompare)(void*,int,const void*,int,const void*)
+);
+
+/*
+** To avoid having to register all collation sequences before a database
+** can be used, a single callback function may be registered with the
+** database handle to be called whenever an undefined collation sequence is
+** required.
+**
+** If the function is registered using the sqlite3_collation_needed() API,
+** then it is passed the names of undefined collation sequences as strings
+** encoded in UTF-8. If sqlite3_collation_needed16() is used, the names
+** are passed as UTF-16 in machine native byte order. A call to either
+** function replaces any existing callback.
+**
+** When the user-function is invoked, the first argument passed is a copy
+** of the second argument to sqlite3_collation_needed() or
+** sqlite3_collation_needed16(). The second argument is the database
+** handle. The third argument is one of SQLITE_UTF8, SQLITE_UTF16BE or
+** SQLITE_UTF16LE, indicating the most desirable form of the collation
+** sequence function required. The fourth parameter is the name of the
+** required collation sequence.
+**
+** The collation sequence is returned to SQLite by a collation-needed
+** callback using the sqlite3_create_collation() or
+** sqlite3_create_collation16() APIs, described above.
+*/
+int sqlite3_collation_needed(
+  sqlite3*, 
+  void*, 
+  void(*)(void*,sqlite3*,int eTextRep,const char*)
+);
+int sqlite3_collation_needed16(
+  sqlite3*, 
+  void*,
+  void(*)(void*,sqlite3*,int eTextRep,const void*)
+);
+
+/*
+** Specify the key for an encrypted database.  This routine should be
+** called right after sqlite3_open().
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+int sqlite3_key(
+  sqlite3 *db,                   /* Database to be rekeyed */
+  const void *pKey, int nKey     /* The key */
+);
+
+/*
+** Change the key on an open database.  If the current database is not
+** encrypted, this routine will encrypt it.  If pNew==0 or nNew==0, the
+** database is decrypted.
+**
+** The code to implement this API is not available in the public release
+** of SQLite.
+*/
+int sqlite3_rekey(
+  sqlite3 *db,                   /* Database to be rekeyed */
+  const void *pKey, int nKey     /* The new key */
+);
+
+/*
+** Sleep for a little while. The second parameter is the number of
+** miliseconds to sleep for. 
+**
+** If the operating system does not support sleep requests with 
+** milisecond time resolution, then the time will be rounded up to 
+** the nearest second. The number of miliseconds of sleep actually 
+** requested from the operating system is returned.
+*/
+int sqlite3_sleep(int);
+
+/*
+** Return TRUE (non-zero) if the statement supplied as an argument needs
+** to be recompiled.  A statement needs to be recompiled whenever the
+** execution environment changes in a way that would alter the program
+** that sqlite3_prepare() generates.  For example, if new functions or
+** collating sequences are registered or if an authorizer function is
+** added or changed.
+**
+*/
+int sqlite3_expired(sqlite3_stmt*);
+
+/*
+** Move all bindings from the first prepared statement over to the second.
+** This routine is useful, for example, if the first prepared statement
+** fails with an SQLITE_SCHEMA error.  The same SQL can be prepared into
+** the second prepared statement then all of the bindings transfered over
+** to the second statement before the first statement is finalized.
+*/
+int sqlite3_transfer_bindings(sqlite3_stmt*, sqlite3_stmt*);
+
+/*
+** If the following global variable is made to point to a
+** string which is the name of a directory, then all temporary files
+** created by SQLite will be placed in that directory.  If this variable
+** is NULL pointer, then SQLite does a search for an appropriate temporary
+** file directory.
+**
+** Once sqlite3_open() has been called, changing this variable will invalidate
+** the current temporary database, if any.
+*/
+extern char *sqlite3_temp_directory;
+
+/*
+** This function is called to recover from a malloc() failure that occured
+** within the SQLite library. Normally, after a single malloc() fails the 
+** library refuses to function (all major calls return SQLITE_NOMEM).
+** This function restores the library state so that it can be used again.
+**
+** All existing statements (sqlite3_stmt pointers) must be finalized or
+** reset before this call is made. Otherwise, SQLITE_BUSY is returned.
+** If any in-memory databases are in use, either as a main or TEMP
+** database, SQLITE_ERROR is returned. In either of these cases, the 
+** library is not reset and remains unusable.
+**
+** This function is *not* threadsafe. Calling this from within a threaded
+** application when threads other than the caller have used SQLite is
+** dangerous and will almost certainly result in malfunctions.
+**
+** This functionality can be omitted from a build by defining the 
+** SQLITE_OMIT_GLOBALRECOVER at compile time.
+*/
+int sqlite3_global_recover(void);
+
+/*
+** Test to see whether or not the database connection is in autocommit
+** mode.  Return TRUE if it is and FALSE if not.  Autocommit mode is on
+** by default.  Autocommit is disabled by a BEGIN statement and reenabled
+** by the next COMMIT or ROLLBACK.
+*/
+int sqlite3_get_autocommit(sqlite3*);
+
+/*
+** Return the sqlite3* database handle to which the prepared statement given
+** in the argument belongs.  This is the same database handle that was
+** the first argument to the sqlite3_prepare() that was used to create
+** the statement in the first place.
+*/
+sqlite3 *sqlite3_db_handle(sqlite3_stmt*);
+
+/*
+** Register a callback function with the database connection identified by the 
+** first argument to be invoked whenever a row is updated, inserted or deleted.
+** Any callback set by a previous call to this function for the same 
+** database connection is overridden.
+**
+** The second argument is a pointer to the function to invoke when a 
+** row is updated, inserted or deleted. The first argument to the callback is
+** a copy of the third argument to sqlite3_update_hook. The second callback 
+** argument is one of SQLITE_INSERT, SQLITE_DELETE or SQLITE_UPDATE, depending
+** on the operation that caused the callback to be invoked. The third and 
+** fourth arguments to the callback contain pointers to the database and 
+** table name containing the affected row. The final callback parameter is 
+** the rowid of the row. In the case of an update, this is the rowid after 
+** the update takes place.
+**
+** The update hook is not invoked when internal system tables are
+** modified (i.e. sqlite_master and sqlite_sequence).
+**
+** If another function was previously registered, its pArg value is returned.
+** Otherwise NULL is returned.
+*/
+void *sqlite3_update_hook(
+  sqlite3*, 
+  void(*)(void *,int ,char const *,char const *,sqlite_int64),
+  void*
+);
+
+/*
+** Register a callback to be invoked whenever a transaction is rolled
+** back. 
+**
+** The new callback function overrides any existing rollback-hook
+** callback. If there was an existing callback, then it's pArg value 
+** (the third argument to sqlite3_rollback_hook() when it was registered) 
+** is returned. Otherwise, NULL is returned.
+**
+** For the purposes of this API, a transaction is said to have been 
+** rolled back if an explicit "ROLLBACK" statement is executed, or
+** an error or constraint causes an implicit rollback to occur. The 
+** callback is not invoked if a transaction is automatically rolled
+** back because the database connection is closed.
+*/
+void *sqlite3_rollback_hook(sqlite3*, void(*)(void *), void*);
+
+/*
+** This function is only available if the library is compiled without
+** the SQLITE_OMIT_SHARED_CACHE macro defined. It is used to enable or
+** disable (if the argument is true or false, respectively) the 
+** "shared pager" feature.
+*/
+int sqlite3_enable_shared_cache(int);
+
+/*
+** Attempt to free N bytes of heap memory by deallocating non-essential
+** memory allocations held by the database library (example: memory 
+** used to cache database pages to improve performance).
+**
+** This function is not a part of standard builds.  It is only created
+** if SQLite is compiled with the SQLITE_ENABLE_MEMORY_MANAGEMENT macro.
+*/
+int sqlite3_release_memory(int);
+
+/*
+** Place a "soft" limit on the amount of heap memory that may be allocated by
+** SQLite within the current thread. If an internal allocation is requested 
+** that would exceed the specified limit, sqlite3_release_memory() is invoked
+** one or more times to free up some space before the allocation is made.
+**
+** The limit is called "soft", because if sqlite3_release_memory() cannot free
+** sufficient memory to prevent the limit from being exceeded, the memory is
+** allocated anyway and the current operation proceeds.
+**
+** This function is only available if the library was compiled with the 
+** SQLITE_ENABLE_MEMORY_MANAGEMENT option set.
+** memory-management has been enabled.
+*/
+void sqlite3_soft_heap_limit(int);
+
+/*
+** This routine makes sure that all thread-local storage has been
+** deallocated for the current thread.
+**
+** This routine is not technically necessary.  All thread-local storage
+** will be automatically deallocated once memory-management and
+** shared-cache are disabled and the soft heap limit has been set
+** to zero.  This routine is provided as a convenience for users who
+** want to make absolutely sure they have not forgotten something
+** prior to killing off a thread.
+*/
+void sqlite3_thread_cleanup(void);
+
+/*
+** Return meta information about a specific column of a specific database
+** table accessible using the connection handle passed as the first function 
+** argument.
+**
+** The column is identified by the second, third and fourth parameters to 
+** this function. The second parameter is either the name of the database
+** (i.e. "main", "temp" or an attached database) containing the specified
+** table or NULL. If it is NULL, then all attached databases are searched
+** for the table using the same algorithm as the database engine uses to 
+** resolve unqualified table references.
+**
+** The third and fourth parameters to this function are the table and column 
+** name of the desired column, respectively. Neither of these parameters 
+** may be NULL.
+**
+** Meta information is returned by writing to the memory locations passed as
+** the 5th and subsequent parameters to this function. Any of these 
+** arguments may be NULL, in which case the corresponding element of meta 
+** information is ommitted.
+**
+** Parameter     Output Type      Description
+** -----------------------------------
+**
+**   5th         const char*      Data type
+**   6th         const char*      Name of the default collation sequence 
+**   7th         int              True if the column has a NOT NULL constraint
+**   8th         int              True if the column is part of the PRIMARY KEY
+**   9th         int              True if the column is AUTOINCREMENT
+**
+**
+** The memory pointed to by the character pointers returned for the 
+** declaration type and collation sequence is valid only until the next 
+** call to any sqlite API function.
+**
+** If the specified table is actually a view, then an error is returned.
+**
+** If the specified column is "rowid", "oid" or "_rowid_" and an 
+** INTEGER PRIMARY KEY column has been explicitly declared, then the output 
+** parameters are set for the explicitly declared column. If there is no
+** explicitly declared IPK column, then the output parameters are set as 
+** follows:
+**
+**     data type: "INTEGER"
+**     collation sequence: "BINARY"
+**     not null: 0
+**     primary key: 1
+**     auto increment: 0
+**
+** This function may load one or more schemas from database files. If an
+** error occurs during this process, or if the requested table or column
+** cannot be found, an SQLITE error code is returned and an error message
+** left in the database handle (to be retrieved using sqlite3_errmsg()).
+**
+** This API is only available if the library was compiled with the
+** SQLITE_ENABLE_COLUMN_METADATA preprocessor symbol defined.
+*/
+int sqlite3_table_column_metadata(
+  sqlite3 *db,                /* Connection handle */
+  const char *zDbName,        /* Database name or NULL */
+  const char *zTableName,     /* Table name */
+  const char *zColumnName,    /* Column name */
+  char const **pzDataType,    /* OUTPUT: Declared data type */
+  char const **pzCollSeq,     /* OUTPUT: Collation sequence name */
+  int *pNotNull,              /* OUTPUT: True if NOT NULL constraint exists */
+  int *pPrimaryKey,           /* OUTPUT: True if column part of PK */
+  int *pAutoinc               /* OUTPUT: True if colums is auto-increment */
+);
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Attempt to load an SQLite extension library contained in the file
+** zFile.  The entry point is zProc.  zProc may be 0 in which case the
+** name of the entry point defaults to "sqlite3_extension_init".
+**
+** Return SQLITE_OK on success and SQLITE_ERROR if something goes wrong.
+**
+** If an error occurs and pzErrMsg is not 0, then fill *pzErrMsg with 
+** error message text.  The calling function should free this memory
+** by calling sqlite3_free().
+**
+** Extension loading must be enabled using sqlite3_enable_load_extension()
+** prior to calling this API or an error will be returned.
+**
+****** EXPERIMENTAL - subject to change without notice **************
+*/
+int sqlite3_load_extension(
+  sqlite3 *db,          /* Load the extension into this database connection */
+  const char *zFile,    /* Name of the shared library containing extension */
+  const char *zProc,    /* Entry point.  Derived from zFile if 0 */
+  char **pzErrMsg       /* Put error message here if not 0 */
+);
+
+/*
+** So as not to open security holes in older applications that are
+** unprepared to deal with extension load, and as a means of disabling
+** extension loading while executing user-entered SQL, the following
+** API is provided to turn the extension loading mechanism on and
+** off.  It is off by default.  See ticket #1863.
+**
+** Call this routine with onoff==1 to turn extension loading on
+** and call it with onoff==0 to turn it back off again.
+*/
+int sqlite3_enable_load_extension(sqlite3 *db, int onoff);
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Register an extension entry point that is automatically invoked
+** whenever a new database connection is opened.
+**
+** This API can be invoked at program startup in order to register
+** one or more statically linked extensions that will be available
+** to all new database connections.
+**
+** Duplicate extensions are detected so calling this routine multiple
+** times with the same extension is harmless.
+**
+** This routine stores a pointer to the extension in an array
+** that is obtained from malloc().  If you run a memory leak
+** checker on your program and it reports a leak because of this
+** array, then invoke sqlite3_automatic_extension_reset() prior
+** to shutdown to free the memory.
+**
+** Automatic extensions apply across all threads.
+*/
+int sqlite3_auto_extension(void *xEntryPoint);
+
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** Disable all previously registered automatic extensions.  This
+** routine undoes the effect of all prior sqlite3_automatic_extension()
+** calls.
+**
+** This call disabled automatic extensions in all threads.
+*/
+void sqlite3_reset_auto_extension(void);
+
+
+/*
+****** EXPERIMENTAL - subject to change without notice **************
+**
+** The interface to the virtual-table mechanism is currently considered
+** to be experimental.  The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stablizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+*/
+
+/*
+** Structures used by the virtual table interface
+*/
+typedef struct sqlite3_vtab sqlite3_vtab;
+typedef struct sqlite3_index_info sqlite3_index_info;
+typedef struct sqlite3_vtab_cursor sqlite3_vtab_cursor;
+typedef struct sqlite3_module sqlite3_module;
+
+/*
+** A module is a class of virtual tables.  Each module is defined
+** by an instance of the following structure.  This structure consists
+** mostly of methods for the module.
+*/
+struct sqlite3_module {
+  int iVersion;
+  int (*xCreate)(sqlite3*, void *pAux,
+               int argc, const char *const*argv,
+               sqlite3_vtab **ppVTab, char**);
+  int (*xConnect)(sqlite3*, void *pAux,
+               int argc, const char *const*argv,
+               sqlite3_vtab **ppVTab, char**);
+  int (*xBestIndex)(sqlite3_vtab *pVTab, sqlite3_index_info*);
+  int (*xDisconnect)(sqlite3_vtab *pVTab);
+  int (*xDestroy)(sqlite3_vtab *pVTab);
+  int (*xOpen)(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor);
+  int (*xClose)(sqlite3_vtab_cursor*);
+  int (*xFilter)(sqlite3_vtab_cursor*, int idxNum, const char *idxStr,
+                int argc, sqlite3_value **argv);
+  int (*xNext)(sqlite3_vtab_cursor*);
+  int (*xEof)(sqlite3_vtab_cursor*);
+  int (*xColumn)(sqlite3_vtab_cursor*, sqlite3_context*, int);
+  int (*xRowid)(sqlite3_vtab_cursor*, sqlite_int64 *pRowid);
+  int (*xUpdate)(sqlite3_vtab *, int, sqlite3_value **, sqlite_int64 *);
+  int (*xBegin)(sqlite3_vtab *pVTab);
+  int (*xSync)(sqlite3_vtab *pVTab);
+  int (*xCommit)(sqlite3_vtab *pVTab);
+  int (*xRollback)(sqlite3_vtab *pVTab);
+  int (*xFindFunction)(sqlite3_vtab *pVtab, int nArg, const char *zName,
+                       void (**pxFunc)(sqlite3_context*,int,sqlite3_value**),
+                       void **ppArg);
+};
+
+/*
+** The sqlite3_index_info structure and its substructures is used to
+** pass information into and receive the reply from the xBestIndex
+** method of an sqlite3_module.  The fields under **Inputs** are the
+** inputs to xBestIndex and are read-only.  xBestIndex inserts its
+** results into the **Outputs** fields.
+**
+** The aConstraint[] array records WHERE clause constraints of the
+** form:
+**
+**         column OP expr
+**
+** Where OP is =, <, <=, >, or >=.  The particular operator is stored
+** in aConstraint[].op.  The index of the column is stored in 
+** aConstraint[].iColumn.  aConstraint[].usable is TRUE if the
+** expr on the right-hand side can be evaluated (and thus the constraint
+** is usable) and false if it cannot.
+**
+** The optimizer automatically inverts terms of the form "expr OP column"
+** and makes other simplificatinos to the WHERE clause in an attempt to
+** get as many WHERE clause terms into the form shown above as possible.
+** The aConstraint[] array only reports WHERE clause terms in the correct
+** form that refer to the particular virtual table being queried.
+**
+** Information about the ORDER BY clause is stored in aOrderBy[].
+** Each term of aOrderBy records a column of the ORDER BY clause.
+**
+** The xBestIndex method must fill aConstraintUsage[] with information
+** about what parameters to pass to xFilter.  If argvIndex>0 then
+** the right-hand side of the corresponding aConstraint[] is evaluated
+** and becomes the argvIndex-th entry in argv.  If aConstraintUsage[].omit
+** is true, then the constraint is assumed to be fully handled by the
+** virtual table and is not checked again by SQLite.
+**
+** The idxNum and idxPtr values are recorded and passed into xFilter.
+** sqlite3_free() is used to free idxPtr if needToFreeIdxPtr is true.
+**
+** The orderByConsumed means that output from xFilter will occur in
+** the correct order to satisfy the ORDER BY clause so that no separate
+** sorting step is required.
+**
+** The estimatedCost value is an estimate of the cost of doing the
+** particular lookup.  A full scan of a table with N entries should have
+** a cost of N.  A binary search of a table of N entries should have a
+** cost of approximately log(N).
+*/
+struct sqlite3_index_info {
+  /* Inputs */
+  const int nConstraint;     /* Number of entries in aConstraint */
+  const struct sqlite3_index_constraint {
+     int iColumn;              /* Column on left-hand side of constraint */
+     unsigned char op;         /* Constraint operator */
+     unsigned char usable;     /* True if this constraint is usable */
+     int iTermOffset;          /* Used internally - xBestIndex should ignore */
+  } *const aConstraint;      /* Table of WHERE clause constraints */
+  const int nOrderBy;        /* Number of terms in the ORDER BY clause */
+  const struct sqlite3_index_orderby {
+     int iColumn;              /* Column number */
+     unsigned char desc;       /* True for DESC.  False for ASC. */
+  } *const aOrderBy;         /* The ORDER BY clause */
+
+  /* Outputs */
+  struct sqlite3_index_constraint_usage {
+    int argvIndex;           /* if >0, constraint is part of argv to xFilter */
+    unsigned char omit;      /* Do not code a test for this constraint */
+  } *const aConstraintUsage;
+  int idxNum;                /* Number used to identify the index */
+  char *idxStr;              /* String, possibly obtained from sqlite3_malloc */
+  int needToFreeIdxStr;      /* Free idxStr using sqlite3_free() if true */
+  int orderByConsumed;       /* True if output is already ordered */
+  double estimatedCost;      /* Estimated cost of using this index */
+};
+#define SQLITE_INDEX_CONSTRAINT_EQ    2
+#define SQLITE_INDEX_CONSTRAINT_GT    4
+#define SQLITE_INDEX_CONSTRAINT_LE    8
+#define SQLITE_INDEX_CONSTRAINT_LT    16
+#define SQLITE_INDEX_CONSTRAINT_GE    32
+#define SQLITE_INDEX_CONSTRAINT_MATCH 64
+
+/*
+** This routine is used to register a new module name with an SQLite
+** connection.  Module names must be registered before creating new
+** virtual tables on the module, or before using preexisting virtual
+** tables of the module.
+*/
+int sqlite3_create_module(
+  sqlite3 *db,               /* SQLite connection to register module with */
+  const char *zName,         /* Name of the module */
+  const sqlite3_module *,    /* Methods for the module */
+  void *                     /* Client data for xCreate/xConnect */
+);
+
+/*
+** Every module implementation uses a subclass of the following structure
+** to describe a particular instance of the module.  Each subclass will
+** be taylored to the specific needs of the module implementation.   The
+** purpose of this superclass is to define certain fields that are common
+** to all module implementations.
+**
+** Virtual tables methods can set an error message by assigning a
+** string obtained from sqlite3_mprintf() to zErrMsg.  The method should
+** take care that any prior string is freed by a call to sqlite3_free()
+** prior to assigning a new string to zErrMsg.  After the error message
+** is delivered up to the client application, the string will be automatically
+** freed by sqlite3_free() and the zErrMsg field will be zeroed.  Note
+** that sqlite3_mprintf() and sqlite3_free() are used on the zErrMsg field
+** since virtual tables are commonly implemented in loadable extensions which
+** do not have access to sqlite3MPrintf() or sqlite3Free().
+*/
+struct sqlite3_vtab {
+  const sqlite3_module *pModule;  /* The module for this virtual table */
+  int nRef;                       /* Used internally */
+  char *zErrMsg;                  /* Error message from sqlite3_mprintf() */
+  /* Virtual table implementations will typically add additional fields */
+};
+
+/* Every module implementation uses a subclass of the following structure
+** to describe cursors that point into the virtual table and are used
+** to loop through the virtual table.  Cursors are created using the
+** xOpen method of the module.  Each module implementation will define
+** the content of a cursor structure to suit its own needs.
+**
+** This superclass exists in order to define fields of the cursor that
+** are common to all implementations.
+*/
+struct sqlite3_vtab_cursor {
+  sqlite3_vtab *pVtab;      /* Virtual table of this cursor */
+  /* Virtual table implementations will typically add additional fields */
+};
+
+/*
+** The xCreate and xConnect methods of a module use the following API
+** to declare the format (the names and datatypes of the columns) of
+** the virtual tables they implement.
+*/
+int sqlite3_declare_vtab(sqlite3*, const char *zCreateTable);
+
+/*
+** Virtual tables can provide alternative implementations of functions
+** using the xFindFunction method.  But global versions of those functions
+** must exist in order to be overloaded.
+**
+** This API makes sure a global version of a function with a particular
+** name and number of parameters exists.  If no such function exists
+** before this API is called, a new function is created.  The implementation
+** of the new function always causes an exception to be thrown.  So
+** the new function is not good for anything by itself.  Its only
+** purpose is to be a place-holder function that can be overloaded
+** by virtual tables.
+**
+** This API should be considered part of the virtual table interface,
+** which is experimental and subject to change.
+*/
+int sqlite3_overload_function(sqlite3*, const char *zFuncName, int nArg);
+
+/*
+** The interface to the virtual-table mechanism defined above (back up
+** to a comment remarkably similar to this one) is currently considered
+** to be experimental.  The interface might change in incompatible ways.
+** If this is a problem for you, do not use the interface at this time.
+**
+** When the virtual-table mechanism stablizes, we will declare the
+** interface fixed, support it indefinitely, and remove this comment.
+**
+****** EXPERIMENTAL - subject to change without notice **************
+*/
+
+/*
+** Undo the hack that converts floating point types to integer for
+** builds on processors without floating point support.
+*/
+#ifdef SQLITE_OMIT_FLOATING_POINT
+# undef double
+#endif
+
+#ifdef __cplusplus
+}  /* End of the 'extern "C"' block */
+#endif
+#endif
diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
new file mode 100644
index 000000000..a777569c2
--- /dev/null
+++ b/security/nss/lib/ssl/Makefile
@@ -0,0 +1,93 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+CSRCS	+= win32err.c
+DEFINES += -DIN_LIBSSL
+else
+ifeq ($(OS_TARGET),OS2)
+CSRCS	+= os2_err.c
+else
+CSRCS	+= unix_err.c
+endif
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
new file mode 100644
index 000000000..0e02c15fa
--- /dev/null
+++ b/security/nss/lib/ssl/authcert.c
@@ -0,0 +1,122 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <string.h>
+#include "prerror.h"
+#include "secitem.h"
+#include "prnetdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "secder.h"
+#include "key.h"
+#include "nss.h"
+#include "ssl.h"
+#include "pk11func.h"	/* for PK11_ function calls */
+
+/*
+ * This callback used by SSL to pull client sertificate upon
+ * server request
+ */
+SECStatus 
+NSS_GetClientAuthData(void *                       arg, 
+                      PRFileDesc *                 socket, 
+		      struct CERTDistNamesStr *    caNames, 
+		      struct CERTCertificateStr ** pRetCert, 
+		      struct SECKEYPrivateKeyStr **pRetKey)
+{
+  CERTCertificate *  cert = NULL;
+  SECKEYPrivateKey * privkey = NULL;
+  char *             chosenNickName = (char *)arg;    /* CONST */
+  void *             proto_win  = NULL;
+  SECStatus          rv         = SECFailure;
+  
+  proto_win = SSL_RevealPinArg(socket);
+  
+  if (chosenNickName) {
+    cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+                                    chosenNickName, certUsageSSLClient,
+                                    PR_FALSE, proto_win);	
+    if ( cert ) {
+      privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+      if ( privkey ) {
+	rv = SECSuccess;
+      } else {
+	CERT_DestroyCertificate(cert);
+      }
+    }
+  } else { /* no name given, automatically find the right cert. */
+    CERTCertNicknames * names;
+    int                 i;
+      
+    names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
+				  SEC_CERT_NICKNAMES_USER, proto_win);
+    if (names != NULL) {
+      for (i = 0; i < names->numnicknames; i++) {
+	cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
+                            names->nicknames[i], certUsageSSLClient,
+                            PR_FALSE, proto_win);	
+	if ( !cert )
+	  continue;
+	/* Only check unexpired certs */
+	if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != 
+	    secCertTimeValid ) {
+	  CERT_DestroyCertificate(cert);
+	  continue;
+	}
+	rv = NSS_CmpCertChainWCANames(cert, caNames);
+	if ( rv == SECSuccess ) {
+	  privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+	  if ( privkey )
+	    break;
+	}
+	rv = SECFailure;
+	CERT_DestroyCertificate(cert);
+      } 
+      CERT_FreeNicknames(names);
+    }
+  }
+  if (rv == SECSuccess) {
+    *pRetCert = cert;
+    *pRetKey  = privkey;
+  }
+  return rv;
+}
+
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
new file mode 100644
index 000000000..493766237
--- /dev/null
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -0,0 +1,123 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include <stdio.h>
+#include <string.h>
+#include "prerror.h"
+#include "secitem.h"
+#include "prnetdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "secder.h"
+#include "key.h"
+#include "nss.h"
+
+/*
+ * Look to see if any of the signers in the cert chain for "cert" are found
+ * in the list of caNames.  
+ * Returns SECSuccess if so, SECFailure if not.
+ */
+SECStatus
+NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
+{
+  SECItem *         caname;
+  CERTCertificate * curcert;
+  CERTCertificate * oldcert;
+  PRInt32           contentlen;
+  int               j;
+  int               headerlen;
+  int               depth;
+  SECStatus         rv;
+  SECItem           issuerName;
+  SECItem           compatIssuerName;
+
+  if (!cert || !caNames || !caNames->nnames || !caNames->names ||
+      !caNames->names->data)
+    return SECFailure;
+  depth=0;
+  curcert = CERT_DupCertificate(cert);
+  
+  while( curcert ) {
+    issuerName = curcert->derIssuer;
+    
+    /* compute an alternate issuer name for compatibility with 2.0
+     * enterprise server, which send the CA names without
+     * the outer layer of DER header
+     */
+    rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
+    if ( rv == SECSuccess ) {
+      compatIssuerName.data = &issuerName.data[headerlen];
+      compatIssuerName.len = issuerName.len - headerlen;
+    } else {
+      compatIssuerName.data = NULL;
+      compatIssuerName.len = 0;
+    }
+    
+    for (j = 0; j < caNames->nnames; j++) {
+      caname = &caNames->names[j];
+      if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
+	rv = SECSuccess;
+	CERT_DestroyCertificate(curcert);
+	goto done;
+      } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+	rv = SECSuccess;
+	CERT_DestroyCertificate(curcert);
+	goto done;
+      }
+    }
+    if ( ( depth <= 20 ) &&
+	 ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
+	   != SECEqual ) ) {
+      oldcert = curcert;
+      curcert = CERT_FindCertByName(curcert->dbhandle,
+				    &curcert->derIssuer);
+      CERT_DestroyCertificate(oldcert);
+      depth++;
+    } else {
+      CERT_DestroyCertificate(curcert);
+      curcert = NULL;
+    }
+  }
+  rv = SECFailure;
+  
+done:
+  return rv;
+}
+
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
new file mode 100644
index 000000000..a161675b1
--- /dev/null
+++ b/security/nss/lib/ssl/config.mk
@@ -0,0 +1,124 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+ifdef NISCC_TEST
+DEFINES += -DNISCC_TEST
+endif
+
+ifdef NSS_SURVIVE_DOUBLE_BYPASS_FAILURE
+DEFINES += -DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE
+endif
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/ssl.res
+RESNAME = ssl.rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nss3.lib \
+	$(DIST)/lib/nssutil3.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(NULL)
+
+else
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(NULL)
+
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-lnss3 \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+ifeq ($(OS_ARCH), BeOS)
+EXTRA_SHARED_LIBS += -lbe
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
+
+endif
diff --git a/security/nss/lib/ssl/derive.c b/security/nss/lib/ssl/derive.c
new file mode 100644
index 000000000..e200f4b84
--- /dev/null
+++ b/security/nss/lib/ssl/derive.c
@@ -0,0 +1,853 @@
+/*
+ * Key Derivation that doesn't use PKCS11
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "ssl.h" 	/* prereq to sslimpl.h */
+#include "certt.h"	/* prereq to sslimpl.h */
+#include "keythi.h"	/* prereq to sslimpl.h */
+#include "sslimpl.h"
+#include "blapi.h"
+
+#include "keyhi.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "secmodt.h"
+
+#include "sslproto.h"
+#include "sslerr.h"
+
+/* make this a macro! */
+#ifdef NOT_A_MACRO
+static void
+buildSSLKey(unsigned char * keyBlock, unsigned int keyLen, SECItem * result,
+            const char * label)
+{
+    result->type = siBuffer;
+    result->data = keyBlock;
+    result->len  = keyLen;
+    PRINT_BUF(100, (NULL, label, keyBlock, keyLen));
+}
+#else
+#define buildSSLKey(keyBlock, keyLen, result, label) \
+{ \
+    (result)->type = siBuffer; \
+    (result)->data = keyBlock; \
+    (result)->len  = keyLen; \
+    PRINT_BUF(100, (NULL, label, keyBlock, keyLen)); \
+}
+#endif
+
+/*
+ * SSL Key generation given pre master secret
+ */
+#ifndef NUM_MIXERS
+#define NUM_MIXERS 9
+#endif
+static const char * const mixers[NUM_MIXERS] = { 
+    "A", 
+    "BB", 
+    "CCC", 
+    "DDDD", 
+    "EEEEE", 
+    "FFFFFF", 
+    "GGGGGGG",
+    "HHHHHHHH",
+    "IIIIIIIII" 
+};
+
+
+SECStatus
+ssl3_KeyAndMacDeriveBypass(
+    ssl3CipherSpec *      pwSpec,
+    const unsigned char * cr,
+    const unsigned char * sr,
+    PRBool                isTLS,
+    PRBool                isExport)
+{
+    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
+    unsigned char * key_block    = pwSpec->key_block;
+    unsigned char * key_block2   = NULL;
+    unsigned int    block_bytes  = 0;
+    unsigned int    block_needed = 0;
+    unsigned int    i;
+    unsigned int    keySize;            /* actual    size of cipher keys */
+    unsigned int    effKeySize;		/* effective size of cipher keys */
+    unsigned int    macSize;		/* size of MAC secret */
+    unsigned int    IVSize;		/* size of IV */
+    SECStatus       rv    = SECFailure;
+    SECStatus       status = SECSuccess;
+    PRBool          isFIPS = PR_FALSE;
+
+    SECItem         srcr;
+    SECItem         crsr;
+
+    unsigned char     srcrdata[SSL3_RANDOM_LENGTH * 2];
+    unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
+    PRUint64          md5buf[22];
+    PRUint64          shabuf[40];
+
+#define md5Ctx ((MD5Context *)md5buf)
+#define shaCtx ((SHA1Context *)shabuf)
+
+    static const SECItem zed  = { siBuffer, NULL, 0 };
+
+    if (pwSpec->msItem.data == NULL ||
+        pwSpec->msItem.len  != SSL3_MASTER_SECRET_LENGTH) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return rv;
+    }
+
+    PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data, 
+                                           pwSpec->msItem.len));
+
+    /* figure out how much is needed */
+    macSize    = pwSpec->mac_size;
+    keySize    = cipher_def->key_size;
+    effKeySize = cipher_def->secret_key_size;
+    IVSize     = cipher_def->iv_size;
+    if (keySize == 0) {
+	effKeySize = IVSize = 0; /* only MACing */
+    }
+    block_needed = 2 * (macSize + effKeySize + ((!isExport) * IVSize));
+
+    /*
+     * clear out our returned keys so we can recover on failure
+     */
+    pwSpec->client.write_key_item     = zed;
+    pwSpec->client.write_mac_key_item = zed;
+    pwSpec->server.write_key_item     = zed;
+    pwSpec->server.write_mac_key_item = zed;
+
+    /* initialize the server random, client random block */
+    srcr.type   = siBuffer;
+    srcr.data   = srcrdata;
+    srcr.len    = sizeof srcrdata;
+    PORT_Memcpy(srcrdata, sr, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, cr, SSL3_RANDOM_LENGTH);
+
+    /* initialize the client random, server random block */
+    crsr.type   = siBuffer;
+    crsr.data   = crsrdata;
+    crsr.len    = sizeof crsrdata;
+    PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
+    PRINT_BUF(100, (NULL, "Key & MAC CRSR", crsr.data, crsr.len));
+
+    /*
+     * generate the key material:
+     */
+    if (isTLS) {
+	SECItem       keyblk;
+
+	keyblk.type = siBuffer;
+	keyblk.data = key_block;
+	keyblk.len  = block_needed;
+
+	status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
+			  isFIPS);
+	if (status != SECSuccess) {
+	    goto key_and_mac_derive_fail;
+	}
+	block_bytes = keyblk.len;
+    } else {
+	/* key_block = 
+	 *     MD5(master_secret + SHA('A' + master_secret + 
+	 *                      ServerHello.random + ClientHello.random)) +
+	 *     MD5(master_secret + SHA('BB' + master_secret + 
+	 *                      ServerHello.random + ClientHello.random)) +
+	 *     MD5(master_secret + SHA('CCC' + master_secret + 
+	 *                      ServerHello.random + ClientHello.random)) +
+	 *     [...];
+	 */
+	unsigned int made = 0;
+	for (i = 0; made < block_needed && i < NUM_MIXERS; ++i) {
+	    unsigned int    outLen;
+	    unsigned char   sha_out[SHA1_LENGTH];
+
+	    SHA1_Begin(shaCtx);
+	    SHA1_Update(shaCtx, (unsigned char*)(mixers[i]), i+1);
+	    SHA1_Update(shaCtx, pwSpec->msItem.data, pwSpec->msItem.len);
+	    SHA1_Update(shaCtx, srcr.data, srcr.len);
+	    SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
+	    PORT_Assert(outLen == SHA1_LENGTH);
+
+	    MD5_Begin(md5Ctx);
+	    MD5_Update(md5Ctx, pwSpec->msItem.data, pwSpec->msItem.len);
+	    MD5_Update(md5Ctx, sha_out, outLen);
+	    MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
+	    PORT_Assert(outLen == MD5_LENGTH);
+	    made += MD5_LENGTH;
+	}
+	block_bytes = made;
+    }
+    PORT_Assert(block_bytes >= block_needed);
+    PORT_Assert(block_bytes <= sizeof pwSpec->key_block);
+    PRINT_BUF(100, (NULL, "key block", key_block, block_bytes));
+
+    /*
+     * Put the key material where it goes.
+     */
+    key_block2 = key_block + block_bytes;
+    i = 0;			/* now shows how much consumed */
+
+    /* 
+     * The key_block is partitioned as follows:
+     * client_write_MAC_secret[CipherSpec.hash_size]
+     */
+    buildSSLKey(&key_block[i],macSize, &pwSpec->client.write_mac_key_item, \
+                "Client Write MAC Secret");
+    i += macSize;
+
+    /* 
+     * server_write_MAC_secret[CipherSpec.hash_size]
+     */
+    buildSSLKey(&key_block[i],macSize, &pwSpec->server.write_mac_key_item, \
+                "Server Write MAC Secret");
+    i += macSize;
+
+    if (!keySize) {
+	/* only MACing */
+	buildSSLKey(NULL, 0, &pwSpec->client.write_key_item, \
+	            "Client Write Key (MAC only)");
+	buildSSLKey(NULL, 0, &pwSpec->server.write_key_item, \
+	            "Server Write Key (MAC only)");
+	buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item, \
+	            "Client Write IV (MAC only)");
+	buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, \
+	            "Server Write IV (MAC only)");
+    } else if (!isExport) {
+	/* 
+	** Generate Domestic write keys and IVs.
+	** client_write_key[CipherSpec.key_material]
+	*/
+	buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item, \
+	            "Domestic Client Write Key");
+	i += keySize;
+
+	/* 
+	** server_write_key[CipherSpec.key_material]
+	*/
+	buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, \
+	            "Domestic Server Write Key");
+	i += keySize;
+
+	if (IVSize > 0) {
+	    /* 
+	    ** client_write_IV[CipherSpec.IV_size]
+	    */
+	    buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item, \
+	                "Domestic Client Write IV");
+	    i += IVSize;
+
+	    /* 
+	    ** server_write_IV[CipherSpec.IV_size]
+	    */
+	    buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item, \
+	                "Domestic Server Write IV");
+	    i += IVSize;
+	}
+	PORT_Assert(i <= block_bytes);
+
+    } else if (!isTLS) { 
+	/*
+	** Generate SSL3 Export write keys and IVs.
+	*/
+	unsigned int    outLen;
+
+	/*
+	** client_write_key[CipherSpec.key_material]
+	** final_client_write_key = MD5(client_write_key +
+	**                   ClientHello.random + ServerHello.random);
+	*/
+	MD5_Begin(md5Ctx);
+	MD5_Update(md5Ctx, &key_block[i], effKeySize);
+	MD5_Update(md5Ctx, crsr.data, crsr.len);
+	MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
+	i += effKeySize;
+	buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+	            "SSL3 Export Client Write Key");
+	key_block2 += keySize;
+
+	/*
+	** server_write_key[CipherSpec.key_material]
+	** final_server_write_key = MD5(server_write_key +
+	**                    ServerHello.random + ClientHello.random);
+	*/
+	MD5_Begin(md5Ctx);
+	MD5_Update(md5Ctx, &key_block[i], effKeySize);
+	MD5_Update(md5Ctx, srcr.data, srcr.len);
+	MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
+	i += effKeySize;
+	buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+	            "SSL3 Export Server Write Key");
+	key_block2 += keySize;
+	PORT_Assert(i <= block_bytes);
+
+	if (IVSize) {
+	    /*
+	    ** client_write_IV = 
+	    **	MD5(ClientHello.random + ServerHello.random);
+	    */
+	    MD5_Begin(md5Ctx);
+	    MD5_Update(md5Ctx, crsr.data, crsr.len);
+	    MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
+	    buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item, \
+	                "SSL3 Export Client Write IV");
+	    key_block2 += IVSize;
+
+	    /*
+	    ** server_write_IV = 
+	    **	MD5(ServerHello.random + ClientHello.random);
+	    */
+	    MD5_Begin(md5Ctx);
+	    MD5_Update(md5Ctx, srcr.data, srcr.len);
+	    MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
+	    buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item, \
+	                "SSL3 Export Server Write IV");
+	    key_block2 += IVSize;
+	}
+
+	PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
+    } else {
+	/*
+	** Generate TLS Export write keys and IVs.
+	*/
+	SECItem       secret ;
+	SECItem       keyblk ;
+
+	secret.type = siBuffer;
+	keyblk.type = siBuffer;
+	/*
+	** client_write_key[CipherSpec.key_material]
+	** final_client_write_key = PRF(client_write_key, 
+	**                              "client write key",
+	**                              client_random + server_random);
+	*/
+	secret.data = &key_block[i];
+	secret.len  = effKeySize;
+	i          += effKeySize;
+	keyblk.data = key_block2;
+	keyblk.len  = keySize;
+	status = TLS_PRF(&secret, "client write key", &crsr, &keyblk, isFIPS);
+	if (status != SECSuccess) {
+	    goto key_and_mac_derive_fail;
+	}
+	buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+	            "TLS Export Client Write Key");
+	key_block2 += keySize;
+
+	/*
+	** server_write_key[CipherSpec.key_material]
+	** final_server_write_key = PRF(server_write_key,
+	**                              "server write key",
+	**                              client_random + server_random);
+	*/
+	secret.data = &key_block[i];
+	secret.len  = effKeySize;
+	i          += effKeySize;
+	keyblk.data = key_block2;
+	keyblk.len  = keySize;
+	status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS);
+	if (status != SECSuccess) {
+	    goto key_and_mac_derive_fail;
+	}
+	buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+	            "TLS Export Server Write Key");
+	key_block2 += keySize;
+
+	/*
+	** iv_block = PRF("", "IV block", client_random + server_random);
+	** client_write_IV[SecurityParameters.IV_size]
+	** server_write_IV[SecurityParameters.IV_size]
+	*/
+	if (IVSize) {
+	    secret.data = NULL;
+	    secret.len  = 0;
+	    keyblk.data = key_block2;
+	    keyblk.len  = 2 * IVSize;
+	    status = TLS_PRF(&secret, "IV block", &crsr, &keyblk, isFIPS);
+	    if (status != SECSuccess) {
+		goto key_and_mac_derive_fail;
+	    }
+	    buildSSLKey(key_block2,          IVSize, \
+	                &pwSpec->client.write_iv_item, \
+			"TLS Export Client Write IV");
+	    buildSSLKey(key_block2 + IVSize, IVSize, \
+	                &pwSpec->server.write_iv_item, \
+			"TLS Export Server Write IV");
+	    key_block2 += 2 * IVSize;
+	}
+	PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
+    }
+    rv = SECSuccess;
+
+key_and_mac_derive_fail:
+
+    MD5_DestroyContext(md5Ctx, PR_FALSE);
+    SHA1_DestroyContext(shaCtx, PR_FALSE);
+
+    if (rv != SECSuccess) {
+	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+    }
+
+    return rv;
+}
+
+
+/* derive the Master Secret from the PMS */
+/* Presently, this is only done wtih RSA PMS, and only on the server side,
+ * so isRSA is always true. 
+ */
+SECStatus
+ssl3_MasterKeyDeriveBypass( 
+    ssl3CipherSpec *      pwSpec,
+    const unsigned char * cr,
+    const unsigned char * sr,
+    const SECItem *       pms,
+    PRBool                isTLS,
+    PRBool                isRSA)
+{
+    unsigned char * key_block    = pwSpec->key_block;
+    SECStatus       rv    = SECSuccess;
+    PRBool          isFIPS = PR_FALSE;
+
+    SECItem         crsr;
+
+    unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
+    PRUint64          md5buf[22];
+    PRUint64          shabuf[40];
+
+#define md5Ctx ((MD5Context *)md5buf)
+#define shaCtx ((SHA1Context *)shabuf)
+
+    /* first do the consistancy checks */
+    if (isRSA) { 
+	PORT_Assert(pms->len == SSL3_RSA_PMS_LENGTH);
+	if (pms->len != SSL3_RSA_PMS_LENGTH) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	/* caller must test PMS version for rollback */
+    }
+
+    /* initialize the client random, server random block */
+    crsr.type   = siBuffer;
+    crsr.data   = crsrdata;
+    crsr.len    = sizeof crsrdata;
+    PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
+    PRINT_BUF(100, (NULL, "Master Secret CRSR", crsr.data, crsr.len));
+
+    /* finally do the key gen */
+    if (isTLS) {
+	SECItem master = { siBuffer, NULL, 0 };
+
+	master.data = key_block;
+	master.len = SSL3_MASTER_SECRET_LENGTH;
+
+	rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
+	if (rv != SECSuccess) {
+	    PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	}
+    } else {
+	int i;
+	unsigned int made = 0;
+	for (i = 0; i < 3; i++) {
+	    unsigned int    outLen;
+	    unsigned char   sha_out[SHA1_LENGTH];
+
+	    SHA1_Begin(shaCtx);
+	    SHA1_Update(shaCtx, (unsigned char*) mixers[i], i+1);
+	    SHA1_Update(shaCtx, pms->data, pms->len);
+	    SHA1_Update(shaCtx, crsr.data, crsr.len);
+	    SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
+	    PORT_Assert(outLen == SHA1_LENGTH);
+
+	    MD5_Begin(md5Ctx);
+	    MD5_Update(md5Ctx, pms->data, pms->len);
+	    MD5_Update(md5Ctx, sha_out, outLen);
+	    MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
+	    PORT_Assert(outLen == MD5_LENGTH);
+	    made += outLen;
+	}
+    }
+
+    /* store the results */
+    PORT_Memcpy(pwSpec->raw_master_secret, key_block, 
+		SSL3_MASTER_SECRET_LENGTH);
+    pwSpec->msItem.data = pwSpec->raw_master_secret;
+    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
+    PRINT_BUF(100, (NULL, "Master Secret", pwSpec->msItem.data, 
+                                           pwSpec->msItem.len));
+
+    return rv;
+}
+
+static SECStatus
+ssl_canExtractMS(PK11SymKey *pms, PRBool isTLS, PRBool isDH, PRBool *pcbp)
+{   SECStatus	      rv;
+    PK11SymKey *    ms = NULL;
+    SECItem         params = {siBuffer, NULL, 0};
+    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
+    unsigned char   rand[SSL3_RANDOM_LENGTH];
+    CK_VERSION      pms_version;
+    CK_MECHANISM_TYPE master_derive;
+    CK_MECHANISM_TYPE key_derive;
+    CK_FLAGS          keyFlags;
+    
+    if (pms == NULL)
+	return(SECFailure);
+
+    PORT_Memset(rand, 0, SSL3_RANDOM_LENGTH);
+
+    if (isTLS) {
+	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
+	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+	keyFlags      = CKF_SIGN | CKF_VERIFY;
+    } else {
+	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
+	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+	keyFlags      = 0;
+    }
+
+    master_params.pVersion                     = &pms_version;
+    master_params.RandomInfo.pClientRandom     = rand;
+    master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+    master_params.RandomInfo.pServerRandom     = rand;
+    master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+
+    params.data = (unsigned char *) &master_params;
+    params.len  = sizeof master_params;
+
+    ms = PK11_DeriveWithFlags(pms, master_derive, &params, key_derive,
+			      CKA_DERIVE, 0, keyFlags);
+    if (ms == NULL)
+	return(SECFailure);
+
+    rv = PK11_ExtractKeyValue(ms);
+    *pcbp = (rv == SECSuccess);
+    PK11_FreeSymKey(ms);
+    
+    return(rv);
+
+}
+
+/* Check the key exchange algorithm for each cipher in the list to see if
+ * a master secret key can be extracted. If the KEA will use keys from the 
+ * specified cert make sure the extract operation is attempted from the slot
+ * where the private key resides.
+ * If MS can be extracted for all ciphers, (*pcanbypass) is set to TRUE and
+ * SECSuccess is returned. In all other cases but one (*pcanbypass) is
+ * set to FALSE and SECFailure is returned.
+ * In that last case Derive() has been called successfully but the MS is null, 
+ * CanBypass sets (*pcanbypass) to FALSE and returns SECSuccess indicating the
+ * arguments were all valid but the slot cannot be bypassed.
+ */
+
+SECStatus 
+SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
+	      PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
+              PRBool *pcanbypass, void *pwArg)
+{   SECStatus	      rv;
+    int		      i;
+    PRUint16	      suite;
+    PK11SymKey *      pms = NULL;
+    SECKEYPublicKey * srvPubkey = NULL;
+    KeyType	      privKeytype;
+    PK11SlotInfo *    slot = NULL;
+    SECItem           param;
+    CK_VERSION 	      version;
+    CK_MECHANISM_TYPE mechanism_array[2];
+    SECItem           enc_pms = {siBuffer, NULL, 0};
+    PRBool	      isTLS = PR_FALSE;
+    SSLCipherSuiteInfo csdef;
+    PRBool	      testrsa = PR_FALSE;
+    PRBool	      testrsa_export = PR_FALSE;
+    PRBool	      testecdh = PR_FALSE;
+    PRBool	      testecdhe = PR_FALSE;
+
+    if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    
+    srvPubkey = CERT_ExtractPublicKey(cert);
+    if (!srvPubkey)
+        return SECFailure;
+	
+    *pcanbypass = PR_TRUE;
+    rv = SECFailure;
+    
+    /* determine which KEAs to test */
+    /* 0 (SSL_NULL_WITH_NULL_NULL) is used as a list terminator because
+     * SSL3 and TLS specs forbid negotiating that cipher suite number.
+     */
+    for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
+	/* skip SSL2 cipher suites and ones NSS doesn't support */
+	if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess
+	    || SSL_IS_SSL2_CIPHER(suite) )
+	    continue;
+	switch (csdef.keaType) {
+	case ssl_kea_rsa:
+	    switch (csdef.cipherSuite) {
+	    case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
+	    case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
+	    case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
+	    case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
+		testrsa_export = PR_TRUE;
+	    }
+	    if (!testrsa_export)
+		testrsa = PR_TRUE;
+	    break;
+	case ssl_kea_ecdh:
+	    if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */
+		testecdhe = PR_TRUE;
+	    else
+		testecdh = PR_TRUE;
+	    break;
+	case ssl_kea_dh:
+	    /* this is actually DHE */
+	default:
+	    continue;
+	}
+    }
+    
+    /* For each protocol try to derive and extract an MS.
+     * Failure of function any function except MS extract means
+     * continue with the next cipher test. Stop testing when the list is
+     * exhausted or when the first MS extract--not derive--fails.
+     */
+    privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
+    protocolmask &= SSL_CBP_SSL3|SSL_CBP_TLS1_0;
+    while (protocolmask) {
+	if (protocolmask & SSL_CBP_SSL3) {
+	    isTLS = PR_FALSE;
+	    protocolmask ^= SSL_CBP_SSL3;
+	} else {
+	    isTLS = PR_TRUE;
+	    protocolmask ^= SSL_CBP_TLS1_0;
+	}
+
+	if (privKeytype == rsaKey && testrsa_export) {
+	    if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
+		*pcanbypass = PR_FALSE;
+		rv = SECSuccess;
+		break;
+	    } else
+		testrsa = PR_TRUE;
+	}
+	for (; privKeytype == rsaKey && testrsa; ) {
+	    /* TLS_RSA */
+	    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
+	    unsigned int      outLen = 0;
+	    CK_MECHANISM_TYPE target;
+	    SECStatus	      irv;
+	    
+	    mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
+	    mechanism_array[1] = CKM_RSA_PKCS;
+
+	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
+	    if (slot == NULL) {
+		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
+		break;
+	    }
+
+	    /* Generate the pre-master secret ...  (client side) */
+	    version.major = 3 /*MSB(clientHelloVersion)*/;
+	    version.minor = 0 /*LSB(clientHelloVersion)*/;
+	    param.data = (unsigned char *)&version;
+	    param.len  = sizeof version;
+	    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
+	    PK11_FreeSlot(slot);
+	    if (!pms)
+		break;
+	    /* now wrap it */
+	    enc_pms.len  = SECKEY_PublicKeyStrength(srvPubkey);
+	    enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
+	    irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms);
+	    if (irv != SECSuccess) 
+		break;
+	    PK11_FreeSymKey(pms);
+	    /* now do the server side--check the triple bypass first */
+	    rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen,
+				       sizeof rsaPmsBuf,
+				       (unsigned char *)enc_pms.data,
+				       enc_pms.len);
+	    /* if decrypt worked we're done with the RSA test */
+	    if (rv == SECSuccess) {
+		*pcanbypass = PR_TRUE;
+		break;
+	    }
+	    /* check for fallback to double bypass */
+	    target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE
+			: CKM_SSL3_MASTER_KEY_DERIVE;
+	    pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms,
+				       target, CKA_DERIVE, 0);
+	    rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass);
+	    if (rv == SECSuccess && *pcanbypass == PR_FALSE)
+		goto done;
+	    break;
+	}
+#ifdef NSS_ENABLE_ECC
+	for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
+	       (privKeytype == rsaKey && testecdhe); ) {
+	    CK_MECHANISM_TYPE target;
+	    SECKEYPublicKey  *keapub = NULL;
+	    SECKEYPrivateKey *keapriv;
+	    SECKEYPublicKey  *cpub = NULL; /* client's ephemeral ECDH keys */
+	    SECKEYPrivateKey *cpriv = NULL;
+	    SECKEYECParams    ecParams = { siBuffer, NULL, 0 },
+			      *pecParams;
+
+	    if (privKeytype == ecKey && testecdhe) {
+		/* TLS_ECDHE_ECDSA */
+		pecParams = &srvPubkey->u.ec.DEREncodedParams;
+	    } else if (privKeytype == rsaKey && testecdhe) {
+		/* TLS_ECDHE_RSA */
+		ECName       ec_curve;
+		int		 serverKeyStrengthInBits;
+		int		 signatureKeyStrength;
+		int		 requiredECCbits;
+
+		/* find a curve of equivalent strength to the RSA key's */
+		requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
+		if (requiredECCbits < 0)
+		    break;
+		requiredECCbits *= BPB;
+		serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len;
+		if (srvPubkey->u.rsa.modulus.data[0] == 0) {
+		    serverKeyStrengthInBits--;
+		}
+		/* convert to strength in bits */
+		serverKeyStrengthInBits *= BPB;
+
+		signatureKeyStrength =
+		    SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
+
+		if ( requiredECCbits > signatureKeyStrength ) 
+		     requiredECCbits = signatureKeyStrength;
+
+		ec_curve =
+		    ssl3_GetCurveWithECKeyStrength(SSL3_SUPPORTED_CURVES_MASK,
+						   requiredECCbits);
+		rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams);
+		if (rv == SECFailure) {
+		    break;
+		}
+		pecParams = &ecParams;
+	    }
+
+	    if (testecdhe) {
+		/* generate server's ephemeral keys */
+		keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL); 
+		if (!keapriv || !keapub) {
+		    if (keapriv)
+			SECKEY_DestroyPrivateKey(keapriv);
+		    if (keapub)
+			SECKEY_DestroyPublicKey(keapub);
+		    PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
+		    rv = SECFailure;
+		    break;
+		}
+	    } else {
+		/* TLS_ECDH_ECDSA */
+		keapub = srvPubkey;
+		keapriv = srvPrivkey;
+		pecParams = &srvPubkey->u.ec.DEREncodedParams;
+	    }
+
+	    /* perform client side ops */
+	    /* generate a pair of ephemeral keys using server's parms */
+	    cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL);
+	    if (!cpriv || !cpub) {
+		if (testecdhe) {
+		    SECKEY_DestroyPrivateKey(keapriv);
+		    SECKEY_DestroyPublicKey(keapub);
+		}
+		PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
+		rv = SECFailure;
+		break;
+	    }
+	    /* now do the server side */
+	    /* determine the PMS using client's public value */
+	    target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH
+			   : CKM_SSL3_MASTER_KEY_DERIVE_DH;
+	    pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL,
+				    CKM_ECDH1_DERIVE,
+				    target,
+				    CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
+	    rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass);
+	    SECKEY_DestroyPrivateKey(cpriv);
+	    SECKEY_DestroyPublicKey(cpub);
+	    if (testecdhe) {
+		SECKEY_DestroyPrivateKey(keapriv);
+		SECKEY_DestroyPublicKey(keapub);
+		if (privKeytype == rsaKey)
+		    PORT_Free(ecParams.data);
+	    }
+	    if (rv == SECSuccess && *pcanbypass == PR_FALSE)
+		goto done;
+	    break;
+	}
+#endif /* NSS_ENABLE_ECC */
+	if (pms)
+	    PK11_FreeSymKey(pms);
+    }
+
+    /* *pcanbypass has been set */
+    rv = SECSuccess;
+    
+  done:
+    if (pms)
+	PK11_FreeSymKey(pms);
+
+    SECITEM_FreeItem(&enc_pms, PR_FALSE);
+
+    if (srvPubkey) {
+    	SECKEY_DestroyPublicKey(srvPubkey);
+	srvPubkey = NULL;
+    }
+
+
+    return rv;
+}
+
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
new file mode 100644
index 000000000..84512296d
--- /dev/null
+++ b/security/nss/lib/ssl/manifest.mn
@@ -0,0 +1,83 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+# DEFINES = -DTRACE
+
+EXPORTS = \
+	ssl.h \
+	sslt.h \
+	sslerr.h \
+	sslproto.h \
+	preenc.h \
+	$(NULL)
+
+MODULE = nss
+MAPFILE = $(OBJDIR)/ssl.def
+
+CSRCS = \
+	derive.c \
+	prelib.c \
+	ssl3con.c \
+	ssl3gthr.c \
+	sslauth.c \
+	sslcon.c \
+	ssldef.c \
+	sslenum.c \
+	sslerr.c \
+	ssl3ext.c \
+	sslgathr.c \
+	sslmutex.c \
+	sslnonce.c \
+	sslreveal.c \
+	sslsecur.c \
+	sslsnce.c \
+	sslsock.c \
+	ssltrace.c \
+	sslver.c \
+	authcert.c \
+	cmpcert.c \
+	nsskea.c \
+	sslinfo.c \
+	ssl3ecc.c \
+	$(NULL)
+
+LIBRARY_NAME = ssl
+LIBRARY_VERSION = 3
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt
new file mode 100644
index 000000000..772da4d58
--- /dev/null
+++ b/security/nss/lib/ssl/notes.txt
@@ -0,0 +1,166 @@
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version 
+1.1 (the "License"); you may not use this file except in compliance with 
+the License. You may obtain a copy of the License at 
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is
+Netscape Communications Corporation.
+Portions created by the Initial Developer are Copyright (C) 1994-2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+SSL's Buffers: enumerated and explained.
+
+---------------------------------------------------------------------------
+incoming:
+
+gs = ss->gather
+hs = ss->ssl3->hs
+
+gs->inbuf	SSL3 only: incoming (encrypted) ssl records are placed here,
+		and then decrypted (or copied) to gs->buf.
+
+gs->buf		SSL2: incoming SSL records are put here, and then decrypted
+		in place.
+		SSL3: ssl3_HandleHandshake puts decrypted ssl records here.
+
+hs.msg_body	(SSL3 only) When an incoming handshake message spans more 
+		than one ssl record, the first part(s) of it are accumulated 
+		here until it all arrives.
+
+hs.msgState	(SSL3 only) an alternative set of pointers/lengths for gs->buf.
+		Used only when a handleHandshake function returns SECWouldBlock.
+		ssl3_HandleHandshake remembers how far it previously got by
+		using these pointers instead of gs->buf when it is called 
+		after a previous SECWouldBlock return.
+
+---------------------------------------------------------------------------
+outgoing:
+
+sec = ss->sec
+ci  = ss->sec->ci	/* connect info */
+
+ci->sendBuf	Outgoing handshake messages are appended to this buffer.
+		This buffer will then be sent as a single SSL record.
+
+sec->writeBuf	outgoing ssl records are constructed here and encrypted in 
+		place before being written or copied to pendingBuf.
+
+ss->pendingBuf	contains outgoing ciphertext that was saved after a write
+		attempt to the socket failed, e.g. EWouldBlock. 
+		Generally empty with blocking sockets (should be no incomplete
+		writes).
+
+ss->saveBuf	Used only by socks code.  Intended to be used to buffer 
+		outgoing data until a socks handshake completes.  However,
+		this buffer is always empty.  There is no code to put 
+		anything into it.
+
+---------------------------------------------------------------------------
+
+SECWouldBlock means that the function cannot make progress because it is 
+waiting for some event OTHER THAN socket I/O completion (e.g. waiting for 
+user dialog to finish).  It is not the same as EWOULDBLOCK.
+
+---------------------------------------------------------------------------
+
+Rank (order) of locks
+
+[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec"
+[WriteLock->]/                                        xmitbuf /
+
+crypto and hash Data that must be protected while turning plaintext into
+ciphertext:
+
+SSL2: 	(in ssl2_Send*)
+	sec->hash*
+	sec->hashcx 	(ptr and data)
+	sec->enc
+	sec->writecx*	(ptr and content)
+	sec->sendSecret*(ptr and content)
+	sec->sendSequence		locked by xmitBufLock
+	sec->blockSize
+	sec->writeBuf*  (ptr & content)	locked by xmitBufLock
+	"in"				locked by xmitBufLock
+
+SSl3:	(in ssl3_SendPlainText)
+	ss->ssl3		    (the pointer)
+	ss->ssl3->current_write*    (the pointer and the data in the spec
+				     and any data referenced by the spec.
+
+	ss->sec->isServer
+	ss->sec->writebuf* (ptr & content) locked by xmitBufLock
+	"buf" 				   locked by xmitBufLock
+
+crypto and hash data that must be protected while turning ciphertext into 
+plaintext:
+
+SSL2:	(in ssl2_GatherData)
+	gs->*				(locked by recvBufLock )
+	sec->dec
+	sec->readcx
+	sec->hash* 		(ptr and data)
+	sec->hashcx 		(ptr and data)
+
+SSL3:	(in ssl3_HandleRecord )
+	ssl3->current_read*	(the pointer and all data refernced)
+	ss->sec->isServer
+
+
+Data that must be protected while being used by a "writer":
+
+ss->pendingBuf.*
+ss->saveBuf.*		(which is dead)
+
+in ssl3_sendPlainText
+
+ss->ssl3->current_write-> (spec)
+ss->sec->writeBuf.*
+ss->sec->isServer 
+
+in SendBlock
+
+ss->sec->hash->length
+ss->sec->blockSize
+ss->sec->writeBuf.*
+ss->sec->sendSecret
+ss->sec->sendSequence
+ss->sec->writecx	*
+ss->pendingBuf
+
+--------------------------------------------------------------------------
+
+Data variables (not const) protected by the "sslGlobalDataLock".  
+Note, this really should be a reader/writer lock.
+
+allowedByPolicy		sslcon.c
+maybeAllowedByPolicy	sslcon.c
+chosenPreference	sslcon.c
+policyWasSet		sslcon.c
+
+cipherSuites[] 		ssl3con.c
diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c
new file mode 100644
index 000000000..beafc506e
--- /dev/null
+++ b/security/nss/lib/ssl/nsskea.c
@@ -0,0 +1,78 @@
+/*
+ * Return SSLKEAType derived from cert's Public Key algorithm info.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"	/* for SSLKEAType */
+#include "secoid.h"
+
+SSLKEAType
+NSS_FindCertKEAType(CERTCertificate * cert)
+{
+  SSLKEAType keaType = kt_null; 
+  int tag;
+  
+  if (!cert) goto loser;
+  
+  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+  
+  switch (tag) {
+  case SEC_OID_X500_RSA_ENCRYPTION:
+  case SEC_OID_PKCS1_RSA_ENCRYPTION:
+    keaType = kt_rsa;
+    break;
+  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+    keaType = kt_dh;
+    break;
+#ifdef NSS_ENABLE_ECC
+  case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+    keaType = kt_ecdh;
+    break;
+#endif /* NSS_ENABLE_ECC */
+  default:
+    keaType = kt_null;
+  }
+  
+ loser:
+  
+  return keaType;
+
+}
+
diff --git a/security/nss/lib/ssl/os2_err.c b/security/nss/lib/ssl/os2_err.c
new file mode 100644
index 000000000..0274676c0
--- /dev/null
+++ b/security/nss/lib/ssl/os2_err.c
@@ -0,0 +1,313 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "prerror.h"
+#include "prlog.h"
+#include <errno.h>
+
+
+/*
+ * Based on win32err.c
+ * OS2TODO Stub everything for now to build. HCT
+ */
+
+/* forward declaration. */
+void nss_MD_os2_map_default_error(PRInt32 err);
+
+void nss_MD_os2_map_opendir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_closedir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_readdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_delete_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* The error code for stat() is in errno. */
+void nss_MD_os2_map_stat_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_fstat_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_rename_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* The error code for access() is in errno. */
+void nss_MD_os2_map_access_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_mkdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_rmdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_read_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_transmitfile_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_write_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_lseek_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_fsync_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/*
+ * For both CloseHandle() and closesocket().
+ */
+void nss_MD_os2_map_close_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_socket_error(PRInt32 err)
+{
+//  PR_ASSERT(err != WSANOTINITIALISED);
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_recv_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_recvfrom_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_send_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//     case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_sendto_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_accept_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_acceptex_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_connect_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
+//    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_bind_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//  case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_listen_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_shutdown_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_getsockname_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_getpeername_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_getsockopt_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_setsockopt_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_open_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_gethostname_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* Win32 select() only works on sockets.  So in this
+** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
+*/
+void nss_MD_os2_map_select_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_lockf_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+
+
+void nss_MD_os2_map_default_error(PRInt32 err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+//    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
+//    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+//    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+//    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
+//    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+//    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
+//    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+//    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
+//    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
+//    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+//    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#if ERROR_FILE_NOT_FOUND != ENOENT
+//    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+#endif
+    default: 			prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
+
diff --git a/security/nss/lib/ssl/os2_err.h b/security/nss/lib/ssl/os2_err.h
new file mode 100644
index 000000000..151932132
--- /dev/null
+++ b/security/nss/lib/ssl/os2_err.h
@@ -0,0 +1,86 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * This code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+
+//HCT  Based on Win32err.h
+extern void nss_MD_os2_map_accept_error(PRInt32 err);
+extern void nss_MD_os2_map_acceptex_error(PRInt32 err);
+extern void nss_MD_os2_map_access_error(PRInt32 err);
+extern void nss_MD_os2_map_bind_error(PRInt32 err);
+extern void nss_MD_os2_map_close_error(PRInt32 err);
+extern void nss_MD_os2_map_closedir_error(PRInt32 err);
+extern void nss_MD_os2_map_connect_error(PRInt32 err);
+extern void nss_MD_os2_map_default_error(PRInt32 err);
+extern void nss_MD_os2_map_delete_error(PRInt32 err);
+extern void nss_MD_os2_map_fstat_error(PRInt32 err);
+extern void nss_MD_os2_map_fsync_error(PRInt32 err);
+extern void nss_MD_os2_map_gethostname_error(PRInt32 err);
+extern void nss_MD_os2_map_getpeername_error(PRInt32 err);
+extern void nss_MD_os2_map_getsockname_error(PRInt32 err);
+extern void nss_MD_os2_map_getsockopt_error(PRInt32 err);
+extern void nss_MD_os2_map_listen_error(PRInt32 err);
+extern void nss_MD_os2_map_lockf_error(PRInt32 err);
+extern void nss_MD_os2_map_lseek_error(PRInt32 err);
+extern void nss_MD_os2_map_mkdir_error(PRInt32 err);
+extern void nss_MD_os2_map_open_error(PRInt32 err);
+extern void nss_MD_os2_map_opendir_error(PRInt32 err);
+extern void nss_MD_os2_map_read_error(PRInt32 err);
+extern void nss_MD_os2_map_readdir_error(PRInt32 err);
+extern void nss_MD_os2_map_recv_error(PRInt32 err);
+extern void nss_MD_os2_map_recvfrom_error(PRInt32 err);
+extern void nss_MD_os2_map_rename_error(PRInt32 err);
+extern void nss_MD_os2_map_rmdir_error(PRInt32 err);
+extern void nss_MD_os2_map_select_error(PRInt32 err);
+extern void nss_MD_os2_map_send_error(PRInt32 err);
+extern void nss_MD_os2_map_sendto_error(PRInt32 err);
+extern void nss_MD_os2_map_setsockopt_error(PRInt32 err);
+extern void nss_MD_os2_map_shutdown_error(PRInt32 err);
+extern void nss_MD_os2_map_socket_error(PRInt32 err);
+extern void nss_MD_os2_map_stat_error(PRInt32 err);
+extern void nss_MD_os2_map_transmitfile_error(PRInt32 err);
+extern void nss_MD_os2_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/ssl/preenc.h b/security/nss/lib/ssl/preenc.h
new file mode 100644
index 000000000..f7c9093cb
--- /dev/null
+++ b/security/nss/lib/ssl/preenc.h
@@ -0,0 +1,146 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Fortezza support is removed.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* Fortezza support is removed.
+ * This file remains so that old programs will continue to compile,
+ * But this functionality is no longer supported or implemented.
+ */
+
+#include "seccomon.h"
+#include "prio.h"
+
+typedef struct PEHeaderStr PEHeader;
+
+#define PE_MIME_TYPE "application/pre-encrypted"
+
+typedef struct PEFortezzaHeaderStr PEFortezzaHeader;
+typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader;
+typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader;
+typedef struct PERSAKeyHeaderStr PERSAKeyHeader;
+
+struct PEFortezzaHeaderStr {
+    unsigned char key[12];      
+    unsigned char iv[24];       
+    unsigned char hash[20];     
+    unsigned char serial[8];    
+};
+
+struct PEFortezzaGeneratedHeaderStr {
+    unsigned char key[12];      
+    unsigned char iv[24];       
+    unsigned char hash[20];     
+    unsigned char Ra[128];      
+    unsigned char Y[128];       
+};
+
+struct PEFixedKeyHeaderStr {
+    unsigned char pkcs11Mech[4];  
+    unsigned char labelLen[2];	  
+    unsigned char keyIDLen[2];	  
+    unsigned char ivLen[2];	  
+    unsigned char keyLen[2];	  
+    unsigned char data[1];	  
+};
+
+struct PERSAKeyHeaderStr {
+    unsigned char pkcs11Mech[4];  
+    unsigned char issuerLen[2];	  
+    unsigned char serialLen[2];	  
+    unsigned char ivLen[2];	  
+    unsigned char keyLen[2];	  
+    unsigned char data[1];	  
+};
+
+#define PEFIXED_Label(header) (header->data)
+#define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
+#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\
+						+GetInt2(header->keyIDLen)])
+#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen)\
+			+GetInt2(header->keyIDLen)+GetInt2(header->keyLen)])
+#define PERSA_Issuer(header) (header->data)
+#define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
+#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen)\
+						+GetInt2(header->serialLen)])
+#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\
+			+GetInt2(header->serialLen)+GetInt2(header->keyLen)])
+struct PEHeaderStr {
+    unsigned char magic  [2];		
+    unsigned char len    [2];		
+    unsigned char type   [2];		
+    unsigned char version[2];		
+    union {
+        PEFortezzaHeader          fortezza;
+        PEFortezzaGeneratedHeader g_fortezza;
+	PEFixedKeyHeader          fixed;
+	PERSAKeyHeader            rsa;
+    } u;
+};
+
+#define PE_CRYPT_INTRO_LEN 8
+#define PE_INTRO_LEN 4
+#define PE_BASE_HEADER_LEN  8
+
+#define PRE_BLOCK_SIZE 8         
+
+
+#define GetInt2(c) ((c[0] << 8) | c[1])
+#define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\
+			|((unsigned long)c[2] << 8)| ((unsigned long)c[3]))
+#define PutInt2(c,i) ((c[1] = (i) & 0xff), (c[0] = ((i) >> 8) & 0xff))
+#define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\
+			(c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff))
+
+#define PRE_MAGIC		0xc0de
+#define PRE_VERSION		0x1010
+#define PRE_FORTEZZA_FILE	0x00ff  
+#define PRE_FORTEZZA_STREAM	0x00f5  
+#define PRE_FORTEZZA_GEN_STREAM	0x00f6  
+#define PRE_FIXED_FILE		0x000f  
+#define PRE_RSA_FILE		0x001f  
+#define PRE_FIXED_STREAM	0x0005  
+
+PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
+				       int *headerSize);
+
+PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
+				       int *headerSize);
+
diff --git a/security/nss/lib/ssl/prelib.c b/security/nss/lib/ssl/prelib.c
new file mode 100644
index 000000000..c63483924
--- /dev/null
+++ b/security/nss/lib/ssl/prelib.c
@@ -0,0 +1,67 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Functions used by https servers to send (download) pre-encrypted files
+ * over SSL connections that use Fortezza ciphersuites.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "keyhi.h"
+#include "secitem.h"
+#include "sslimpl.h"
+#include "pkcs11t.h"
+#include "preenc.h"
+#include "pk11func.h"
+
+PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, 
+				       int *headerSize)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+}
+
+PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, 
+							int *headerSize)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+}
+
+
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
new file mode 100644
index 000000000..e4d4d1dc0
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.def
@@ -0,0 +1,141 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#     line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.2 {       # NSS 3.2 release
+;+    global:
+LIBRARY ssl3 ;-
+EXPORTS ;-
+SSL_ImplementedCiphers DATA ;
+SSL_NumImplementedCiphers DATA ;
+NSS_CmpCertChainWCANames;
+NSS_FindCertKEAType;
+NSS_GetClientAuthData;
+NSS_SetDomesticPolicy;
+NSS_SetExportPolicy;
+NSS_SetFrancePolicy;
+SSL_AuthCertificate;
+SSL_AuthCertificateHook;
+SSL_BadCertHook;
+SSL_CertDBHandleSet;
+SSL_CipherPolicyGet;
+SSL_CipherPolicySet;
+SSL_CipherPrefGet;
+SSL_CipherPrefGetDefault;
+SSL_CipherPrefSet;
+SSL_CipherPrefSetDefault;
+SSL_ClearSessionCache;
+SSL_ConfigMPServerSIDCache;
+SSL_ConfigSecureServer;
+SSL_ConfigServerSessionIDCache;
+SSL_DataPending;
+SSL_ForceHandshake;
+SSL_GetClientAuthDataHook;
+SSL_GetSessionID;
+SSL_GetStatistics;
+SSL_HandshakeCallback;
+SSL_ImportFD;
+SSL_InheritMPServerSIDCache;
+SSL_InvalidateSession;
+SSL_OptionGet;
+SSL_OptionGetDefault;
+SSL_OptionSet;
+SSL_OptionSetDefault;
+SSL_PeerCertificate;
+SSL_PreencryptedFileToStream;
+SSL_PreencryptedStreamToFile;
+SSL_ReHandshake;
+SSL_ResetHandshake;
+SSL_RestartHandshakeAfterCertReq;
+SSL_RestartHandshakeAfterServerCert;
+SSL_RevealCert;
+SSL_RevealPinArg;
+SSL_RevealURL;
+SSL_SecurityStatus;
+SSL_SetPKCS11PinArg;
+SSL_SetSockPeerID;
+SSL_SetURL;
+;+    local:
+;+*;
+;+};
+;+NSS_3.2.1 {       # NSS 3.2.1 release
+;+    global:
+NSSSSL_VersionCheck;
+;+    local:
+;+*;
+;+};
+;+NSS_3.4 {         # NSS 3.4   release
+;+    global:
+SSL_GetChannelInfo;
+SSL_GetCipherSuiteInfo;
+SSL_GetMaxServerCacheLocks;
+SSL_LocalCertificate;
+SSL_SetMaxServerCacheLocks;
+;+    local:
+;+*;
+;+};
+;+NSS_3.7.4 {       # NSS 3.7.4 release
+;+    global:
+SSL_ShutdownServerSessionIDCache;
+;+    local:
+;+*;
+;+};
+;+NSS_3.11.4 {      # NSS 3.11.4 release
+;+    global:
+SSL_ForceHandshakeWithTimeout;
+SSL_ReHandshakeWithTimeout;
+;+    local:
+;+*;
+;+};
+;+NSS_3.11.8 {      # NSS 3.11.8 release
+;+    global:
+SSL_CanBypass;
+;+    local:
+;+*;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
new file mode 100644
index 000000000..aca8cf8b4
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.h
@@ -0,0 +1,512 @@
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __ssl_h_
+#define __ssl_h_
+
+#include "prtypes.h"
+#include "prerror.h"
+#include "prio.h"
+#include "seccomon.h"
+#include "cert.h"
+#include "keyt.h"
+
+#include "sslt.h"  /* public ssl data types */
+
+#if defined(_WIN32) && !defined(IN_LIBSSL) && !defined(NSS_USE_STATIC_LIBS)
+#define SSL_IMPORT extern __declspec(dllimport)
+#else
+#define SSL_IMPORT extern
+#endif
+
+SEC_BEGIN_PROTOS
+
+/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
+SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
+
+/* number of entries in the above table. */
+SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
+
+/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
+#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
+
+/*
+** Imports fd into SSL, returning a new socket.  Copies SSL configuration
+** from model.
+*/
+SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+
+/*
+** Enable/disable an ssl mode
+**
+** 	SSL_SECURITY:
+** 		enable/disable use of SSL security protocol before connect
+**
+** 	SSL_SOCKS:
+** 		enable/disable use of socks before connect
+**		(No longer supported).
+**
+** 	SSL_REQUEST_CERTIFICATE:
+** 		require a certificate during secure connect
+*/
+/* options */
+#define SSL_SECURITY			1 /* (on by default) */
+#define SSL_SOCKS			2 /* (off by default) */
+#define SSL_REQUEST_CERTIFICATE		3 /* (off by default) */
+#define SSL_HANDSHAKE_AS_CLIENT		5 /* force accept to hs as client */
+                               		  /* (off by default) */
+#define SSL_HANDSHAKE_AS_SERVER		6 /* force connect to hs as server */
+                               		  /* (off by default) */
+#define SSL_ENABLE_SSL2			7 /* enable ssl v2 (on by default) */
+#define SSL_ENABLE_SSL3		        8 /* enable ssl v3 (on by default) */
+#define SSL_NO_CACHE		        9 /* don't use the session cache */
+                    		          /* (off by default) */
+#define SSL_REQUIRE_CERTIFICATE        10 /* (SSL_REQUIRE_FIRST_HANDSHAKE */
+                                          /* by default) */
+#define SSL_ENABLE_FDX                 11 /* permit simultaneous read/write */
+                                          /* (off by default) */
+#define SSL_V2_COMPATIBLE_HELLO        12 /* send v3 client hello in v2 fmt */
+                                          /* (on by default) */
+#define SSL_ENABLE_TLS		       13 /* enable TLS (on by default) */
+#define SSL_ROLLBACK_DETECTION         14 /* for compatibility, default: on */
+#define SSL_NO_STEP_DOWN               15 /* Disable export cipher suites   */
+                                          /* if step-down keys are needed.  */
+					  /* default: off, generate         */
+					  /* step-down keys if needed.      */
+#define SSL_BYPASS_PKCS11              16 /* use PKCS#11 for pub key only   */
+#define SSL_NO_LOCKS                   17 /* Don't use locks for protection */
+#define SSL_ENABLE_SESSION_TICKETS     18 /* Enable TLS SessionTicket       */
+                                          /* extension (off by default)     */
+
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* Old deprecated function names */
+SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
+SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on);
+#endif
+
+/* New function names */
+SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
+
+/*
+** Control ciphers that SSL uses. If on is non-zero then the named cipher
+** is enabled, otherwise it is disabled. 
+** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
+** EnableCipher records user preferences.
+** SetPolicy sets the policy according to the policy module.
+*/
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* Old deprecated function names */
+SSL_IMPORT SECStatus SSL_EnableCipher(long which, PRBool enabled);
+SSL_IMPORT SECStatus SSL_SetPolicy(long which, int policy);
+#endif
+
+/* New function names */
+SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+
+/* Values for "policy" argument to SSL_PolicySet */
+/* Values returned by SSL_CipherPolicyGet. */
+#define SSL_NOT_ALLOWED		 0	      /* or invalid or unimplemented */
+#define SSL_ALLOWED		 1
+#define SSL_RESTRICTED		 2	      /* only with "Step-Up" certs. */
+
+/* Values for "on" with SSL_REQUIRE_CERTIFICATE. */
+#define SSL_REQUIRE_NEVER           ((PRBool)0)
+#define SSL_REQUIRE_ALWAYS          ((PRBool)1)
+#define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2)
+#define SSL_REQUIRE_NO_ERROR        ((PRBool)3)
+
+/*
+** Reset the handshake state for fd. This will make the complete SSL
+** handshake protocol execute from the ground up on the next i/o
+** operation.
+*/
+SSL_IMPORT SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
+
+/*
+** Force the handshake for fd to complete immediately.  This blocks until
+** the complete SSL handshake protocol is finished.
+*/
+SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd);
+
+/*
+** Same as above, but with an I/O timeout.
+ */
+SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
+                                                   PRIntervalTime timeout);
+
+/*
+** Query security status of socket. *on is set to one if security is
+** enabled. *keySize will contain the stream key size used. *issuer will
+** contain the RFC1485 verison of the name of the issuer of the
+** certificate at the other end of the connection. For a client, this is
+** the issuer of the server's certificate; for a server, this is the
+** issuer of the client's certificate (if any). Subject is the subject of
+** the other end's certificate. The pointers can be zero if the desired
+** data is not needed.  All strings returned by this function are owned
+** by the caller, and need to be freed with PORT_Free.
+*/
+SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
+			                int *keySize, int *secretKeySize,
+			                char **issuer, char **subject);
+
+/* Values for "on" */
+#define SSL_SECURITY_STATUS_NOOPT	-1
+#define SSL_SECURITY_STATUS_OFF		0
+#define SSL_SECURITY_STATUS_ON_HIGH	1
+#define SSL_SECURITY_STATUS_ON_LOW	2
+#define SSL_SECURITY_STATUS_FORTEZZA	3 /* NO LONGER SUPPORTED */
+
+/*
+** Return the certificate for our SSL peer. If the client calls this
+** it will always return the server's certificate. If the server calls
+** this, it may return NULL if client authentication is not enabled or
+** if the client had no certificate when asked.
+**	"fd" the socket "file" descriptor
+*/
+SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+
+/*
+** Authenticate certificate hook. Called when a certificate comes in
+** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
+** certificate.
+*/
+typedef SECStatus (PR_CALLBACK *SSLAuthCertificate)(void *arg, PRFileDesc *fd, 
+                                                    PRBool checkSig,
+                                                    PRBool isServer);
+
+SSL_IMPORT SECStatus SSL_AuthCertificateHook(PRFileDesc *fd, 
+					     SSLAuthCertificate f,
+				             void *arg);
+
+/* An implementation of the certificate authentication hook */
+SSL_IMPORT SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, 
+					 PRBool checkSig, PRBool isServer);
+
+/*
+ * Prototype for SSL callback to get client auth data from the application.
+ *	arg - application passed argument
+ *	caNames - pointer to distinguished names of CAs that the server likes
+ *	pRetCert - pointer to pointer to cert, for return of cert
+ *	pRetKey - pointer to key pointer, for return of key
+ */
+typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
+                                PRFileDesc *fd,
+                                CERTDistNames *caNames,
+                                CERTCertificate **pRetCert,/*return */
+                                SECKEYPrivateKey **pRetKey);/* return */
+
+/*
+ * Set the client side callback for SSL to retrieve user's private key
+ * and certificate.
+ *	fd - the file descriptor for the connection in question
+ *	f - the application's callback that delivers the key and cert
+ *	a - application specific data
+ */
+SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
+			                       SSLGetClientAuthData f, void *a);
+
+
+/*
+ * Set the client side argument for SSL to retrieve PKCS #11 pin.
+ *	fd - the file descriptor for the connection in question
+ *	a - pkcs11 application specific data
+ */
+SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
+
+/*
+** This is a callback for dealing with server certs that are not authenticated
+** by the client.  The client app can decide that it actually likes the
+** cert by some external means and restart the connection.
+*/
+typedef SECStatus (PR_CALLBACK *SSLBadCertHandler)(void *arg, PRFileDesc *fd);
+SSL_IMPORT SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, 
+				     void *arg);
+
+/*
+** Configure ssl for running a secure server. Needs the
+** certificate for the server and the servers private key. The arguments
+** are copied.
+*/
+SSL_IMPORT SECStatus SSL_ConfigSecureServer(
+				PRFileDesc *fd, CERTCertificate *cert,
+				SECKEYPrivateKey *key, SSLKEAType kea);
+
+/*
+** Configure a secure servers session-id cache. Define the maximum number
+** of entries in the cache, the longevity of the entires, and the directory
+** where the cache files will be placed.  These values can be zero, and 
+** if so, the implementation will choose defaults.
+** This version of the function is for use in applications that have only one 
+** process that uses the cache (even if that process has multiple threads).
+*/
+SSL_IMPORT SECStatus SSL_ConfigServerSessionIDCache(int      maxCacheEntries,
+					            PRUint32 timeout,
+					            PRUint32 ssl3_timeout,
+				              const char *   directory);
+/*
+** Like SSL_ConfigServerSessionIDCache, with one important difference.
+** If the application will run multiple processes (as opposed to, or in 
+** addition to multiple threads), then it must call this function, instead
+** of calling SSL_ConfigServerSessionIDCache().
+** This has nothing to do with the number of processORs, only processEs.
+** This function sets up a Server Session ID (SID) cache that is safe for
+** access by multiple processes on the same system.
+*/
+SSL_IMPORT SECStatus SSL_ConfigMPServerSIDCache(int      maxCacheEntries, 
+				                PRUint32 timeout,
+			       	                PRUint32 ssl3_timeout, 
+		                          const char *   directory);
+
+/* Get and set the configured maximum number of mutexes used for the 
+** server's store of SSL sessions.  This value is used by the server 
+** session ID cache initialization functions shown above.  Note that on 
+** some platforms, these mutexes are actually implemented with POSIX 
+** semaphores, or with unnamed pipes.  The default value varies by platform.
+** An attempt to set a too-low maximum will return an error and the 
+** configured value will not be changed.
+*/
+SSL_IMPORT PRUint32  SSL_GetMaxServerCacheLocks(void);
+SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
+
+/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
+ * SSL_InheritMPServerSIDCache when envString is NULL.
+ */
+#define SSL_ENV_VAR_NAME            "SSL_INHERITANCE"
+
+/* called in child to inherit SID Cache variables. 
+ * If envString is NULL, this function will use the value of the environment
+ * variable "SSL_INHERITANCE", otherwise the string value passed in will be 
+ * used.
+ */
+SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+
+/*
+** Set the callback on a particular socket that gets called when we finish
+** performing a handshake.
+*/
+typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
+                                                 void *client_data);
+SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
+			          SSLHandshakeCallback cb, void *client_data);
+
+/*
+** For the server, request a new handshake.  For the client, begin a new
+** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
+** flushed first, ensuring that a full SSL handshake will be done.
+** If flushCache is zero, and an SSL connection is established, it will 
+** do the much faster session restart handshake.  This will change the 
+** session keys without doing another private key operation.
+*/
+SSL_IMPORT SECStatus SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
+
+/*
+** Same as above, but with an I/O timeout.
+ */
+SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
+                                                PRBool flushCache,
+                                                PRIntervalTime timeout);
+
+
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* deprecated!
+** For the server, request a new handshake.  For the client, begin a new
+** handshake.  Flushes SSL3 session cache entry first, ensuring that a 
+** full handshake will be done.  
+** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
+*/
+SSL_IMPORT SECStatus SSL_RedoHandshake(PRFileDesc *fd);
+#endif
+
+/*
+ * Allow the application to pass a URL or hostname into the SSL library
+ */
+SSL_IMPORT SECStatus SSL_SetURL(PRFileDesc *fd, const char *url);
+
+/*
+** Return the number of bytes that SSL has waiting in internal buffers.
+** Return 0 if security is not enabled.
+*/
+SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
+
+/*
+** Invalidate the SSL session associated with fd.
+*/
+SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
+
+/*
+** Return a SECItem containing the SSL session ID associated with the fd.
+*/
+SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
+
+/*
+** Clear out the client's SSL session cache, not the server's session cache.
+*/
+SSL_IMPORT void SSL_ClearSessionCache(void);
+
+/*
+** Close the server's SSL session cache.
+*/
+SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void);
+
+/*
+** Set peer information so we can correctly look up SSL session later.
+** You only have to do this if you're tunneling through a proxy.
+*/
+SSL_IMPORT SECStatus SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
+
+/*
+** Reveal the security information for the peer. 
+*/
+SSL_IMPORT CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
+SSL_IMPORT void * SSL_RevealPinArg(PRFileDesc * socket);
+SSL_IMPORT char * SSL_RevealURL(PRFileDesc * socket);
+
+
+/* This callback may be passed to the SSL library via a call to
+ * SSL_GetClientAuthDataHook() for each SSL client socket.
+ * It will be invoked when SSL needs to know what certificate and private key
+ * (if any) to use to respond to a request for client authentication.
+ * If arg is non-NULL, it is a pointer to a NULL-terminated string containing
+ * the nickname of the cert/key pair to use.
+ * If arg is NULL, this function will search the cert and key databases for 
+ * a suitable match and send it if one is found.
+ */
+SSL_IMPORT SECStatus
+NSS_GetClientAuthData(void *                       arg,
+                      PRFileDesc *                 socket,
+                      struct CERTDistNamesStr *    caNames,
+                      struct CERTCertificateStr ** pRetCert,
+                      struct SECKEYPrivateKeyStr **pRetKey);
+
+/*
+ * Look to see if any of the signers in the cert chain for "cert" are found
+ * in the list of caNames.  
+ * Returns SECSuccess if so, SECFailure if not.
+ * Used by NSS_GetClientAuthData.  May be used by other callback functions.
+ */
+SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, 
+                                          CERTDistNames *caNames);
+
+/* 
+ * Returns key exchange type of the keys in an SSL server certificate.
+ */
+SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
+
+/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
+ * This essentially enables all supported ciphers.
+ */
+SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
+
+/* Set cipher policies to a predefined Policy that is exportable from the USA
+ *   according to present U.S. policies as we understand them.
+ * See documentation for the list.
+ * Note that your particular application program may be able to obtain
+ *   an export license with more or fewer capabilities than those allowed
+ *   by this function.  In that case, you should use SSL_SetPolicy()
+ *   to explicitly allow those ciphers you may legally export.
+ */
+SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
+
+/* Set cipher policies to a predefined Policy that is exportable from the USA
+ *   according to present U.S. policies as we understand them, and that the 
+ *   nation of France will permit to be imported into their country.
+ * See documentation for the list.
+ */
+SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
+
+SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
+
+/* Report more information than SSL_SecurityStatus.
+** Caller supplies the info struct.  Function fills it in.
+*/
+SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
+                                        PRUintn len);
+SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
+                                        SSLCipherSuiteInfo *info, PRUintn len);
+
+/*
+** Return a new reference to the certificate that was most recently sent
+** to the peer on this SSL/TLS connection, or NULL if none has been sent.
+*/
+SSL_IMPORT CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd);
+
+/* Test an SSL configuration to see if  SSL_BYPASS_PKCS11 can be turned on.
+** Check the key exchange algorithm for each cipher in the list to see if
+** a master secret key can be extracted after being derived with the mechanism
+** required by the protocolmask argument. If the KEA will use keys from the
+** specified cert make sure the extract operation is attempted from the slot
+** where the private key resides.
+** If MS can be extracted for all ciphers, (*pcanbypass) is set to TRUE and
+** SECSuccess is returned. In all other cases but one (*pcanbypass) is
+** set to FALSE and SECFailure is returned.
+** In that last case Derive() has been called successfully but the MS is null,
+** CanBypass sets (*pcanbypass) to FALSE and returns SECSuccess indicating the
+** arguments were all valid but the slot cannot be bypassed.
+**
+** Note: A TRUE return code from CanBypass means "Your configuration will perform
+** NO WORSE with the bypass enabled than without"; it does NOT mean that every
+** cipher suite listed will work properly with the selected protocols.
+**
+** Caveat: If export cipher suites are included in the argument list Canbypass
+** will return FALSE.
+**/
+
+/* protocol mask bits */
+#define SSL_CBP_SSL3	0x0001	        /* test SSL v3 mechanisms */
+#define SSL_CBP_TLS1_0	0x0002		/* test TLS v1.0 mechanisms */
+
+SSL_IMPORT SECStatus SSL_CanBypass(CERTCertificate *cert,
+                                   SECKEYPrivateKey *privKey,
+				   PRUint32 protocolmask,
+				   PRUint16 *ciphers, int nciphers,
+                                   PRBool *pcanbypass, void *pwArg);
+
+SEC_END_PROTOS
+
+#endif /* __ssl_h_ */
diff --git a/security/nss/lib/ssl/ssl.rc b/security/nss/lib/ssl/ssl.rc
new file mode 100644
index 000000000..b7d827de7
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "ssl"
+#define MY_FILEDESCRIPTION "NSS SSL Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
new file mode 100644
index 000000000..9bf6dd7b5
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -0,0 +1,8742 @@
+/*
+ * SSL3 Protocol
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "cryptohi.h"	/* for DSAU_ stuff */
+#include "keyhi.h"
+#include "secder.h"
+#include "secitem.h"
+
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "sslerr.h"
+#include "prtime.h"
+#include "prinrval.h"
+#include "prerror.h"
+#include "pratom.h"
+#include "prthread.h"
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "blapi.h"
+
+#include <stdio.h>
+
+#ifndef PK11_SETATTRS
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+#endif
+
+static void      ssl3_CleanupPeerCerts(sslSocket *ss);
+static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+                                       PK11SlotInfo * serverKeySlot);
+static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
+static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
+static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
+static SECStatus ssl3_InitState(             sslSocket *ss);
+static SECStatus ssl3_SendCertificate(       sslSocket *ss);
+static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
+static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
+static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
+static SECStatus ssl3_SendServerHello(       sslSocket *ss);
+static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
+static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
+static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
+static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b, 
+                                             unsigned int l);
+
+static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
+			     int maxOutputLen, const unsigned char *input,
+			     int inputLen);
+
+#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
+#define MIN_SEND_BUF_LENGTH  4000
+
+#define MAX_CIPHER_SUITES 20
+
+/* This list of SSL3 cipher suites is sorted in descending order of
+ * precedence (desirability).  It only includes cipher suites we implement.
+ * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
+ * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
+ */
+static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+   /*      cipher_suite                         policy      enabled is_present*/
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,  	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+#ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+ { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+};
+
+static const /*SSL3CompressionMethod*/ uint8 compressions [] = {
+    compression_null
+};
+
+static const int compressionMethodsCount =
+		sizeof(compressions) / sizeof(compressions[0]);
+
+static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
+    ct_RSA_sign,
+    ct_DSS_sign,
+#ifdef NSS_ENABLE_ECC
+    ct_ECDSA_sign,
+#endif /* NSS_ENABLE_ECC */
+};
+
+
+/*
+ * make sure there is room in the write buffer for padding and
+ * other compression and cryptographic expansions
+ */
+#define SSL3_BUFFER_FUDGE     100
+
+#define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
+
+
+/* This is a hack to make sure we don't do double handshakes for US policy */
+PRBool ssl3_global_policy_some_restricted = PR_FALSE;
+
+/* This global item is used only in servers.  It is is initialized by
+** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
+*/
+CERTDistNames *ssl3_server_ca_list = NULL;
+static SSL3Statistics ssl3stats;
+
+/* indexed by SSL3BulkCipher */
+static const ssl3BulkCipherDef bulk_cipher_defs[] = {
+    /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
+    {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
+    {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
+    {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
+    {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
+    {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
+    {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
+    {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
+    {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
+    {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
+    {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
+    {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
+    {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
+    {cipher_camellia_128, calg_camellia,16, 16, type_block,  16,16, kg_strong},
+    {cipher_camellia_256, calg_camellia,32, 32, type_block,  16,16, kg_strong},
+    {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
+};
+
+static const ssl3KEADef kea_defs[] = 
+{ /* indexed by SSL3KeyExchangeAlgorithm */
+    /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
+    {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
+    {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
+    {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dh_dss_export,  kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dh_rsa,         kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
+    {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
+    {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
+#ifdef NSS_ENABLE_ECC
+    {kea_ecdh_ecdsa,     kt_ecdh,     sign_ecdsa,  PR_FALSE, 0, PR_FALSE},
+    {kea_ecdhe_ecdsa,    kt_ecdh,     sign_ecdsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_ecdh_rsa,       kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_ecdhe_rsa,      kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_ecdh_anon,      kt_ecdh,     sign_null,  PR_FALSE,   0, PR_FALSE},
+#endif /* NSS_ENABLE_ECC */
+};
+
+/* must use ssl_LookupCipherSuiteDef to access */
+static const ssl3CipherSuiteDef cipher_suite_defs[] = 
+{
+/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
+
+    {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
+    {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
+    {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
+    {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
+    {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+                                    cipher_rc2_40, mac_md5, kea_rsa_export},
+#if 0 /* not implemented */
+    {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_rsa_export},
+#endif
+    {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
+    {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
+    {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
+    {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+                                    cipher_3des,   mac_sha, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
+#if 0 /* not implemented */
+    {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
+    {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
+    {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
+    {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
+    {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
+    {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
+    {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
+    {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
+#endif
+    {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
+    {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+                                    cipher_3des,   mac_sha, kea_dhe_rsa},
+#if 0
+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4,    mac_md5, kea_dh_anon_export},
+    {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_anon_export},
+    {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
+    {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
+#endif
+
+
+/* New TLS cipher suites */
+    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
+    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
+#if 0
+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
+    {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
+    {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
+#endif
+
+    {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+     cipher_camellia_128, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+     cipher_camellia_128, mac_sha, kea_dhe_rsa},
+    {TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,	cipher_camellia_256, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+     cipher_camellia_256, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+     cipher_camellia_256, mac_sha, kea_dhe_rsa},
+
+    {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+                                    cipher_des,    mac_sha,kea_rsa_export_1024},
+    {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
+
+    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
+    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
+
+#ifdef NSS_ENABLE_ECC
+    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
+    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
+
+    {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdhe_ecdsa},
+
+    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
+    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
+
+    {TLS_ECDHE_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdhe_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdhe_rsa},
+
+#if 0
+    {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
+    {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
+#endif
+#endif /* NSS_ENABLE_ECC */
+};
+
+static const CK_MECHANISM_TYPE kea_alg_defs[] = {
+    0x80000000L,
+    CKM_RSA_PKCS,
+    CKM_DH_PKCS_DERIVE,
+    CKM_KEA_KEY_DERIVE,
+    CKM_ECDH1_DERIVE
+};
+
+typedef struct SSLCipher2MechStr {
+    SSLCipherAlgorithm  calg;
+    CK_MECHANISM_TYPE   cmech;
+} SSLCipher2Mech;
+
+/* indexed by type SSLCipherAlgorithm */
+static const SSLCipher2Mech alg2Mech[] = {
+    /* calg,          cmech  */
+    { calg_null     , (CK_MECHANISM_TYPE)0x80000000L	},
+    { calg_rc4      , CKM_RC4				},
+    { calg_rc2      , CKM_RC2_CBC			},
+    { calg_des      , CKM_DES_CBC			},
+    { calg_3des     , CKM_DES3_CBC			},
+    { calg_idea     , CKM_IDEA_CBC			},
+    { calg_fortezza , CKM_SKIPJACK_CBC64                },
+    { calg_aes      , CKM_AES_CBC			},
+    { calg_camellia , CKM_CAMELLIA_CBC			},
+/*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
+};
+
+#define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
+#define mmech_md5      CKM_SSL3_MD5_MAC
+#define mmech_sha      CKM_SSL3_SHA1_MAC
+#define mmech_md5_hmac CKM_MD5_HMAC
+#define mmech_sha_hmac CKM_SHA_1_HMAC
+
+static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
+    /* mac      mmech       pad_size  mac_size                       */
+    { mac_null, mmech_null,       0,  0          },
+    { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
+    { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
+    {hmac_md5,  mmech_md5_hmac,  48,  MD5_LENGTH },
+    {hmac_sha,  mmech_sha_hmac,  40,  SHA1_LENGTH},
+};
+
+/* indexed by SSL3BulkCipher */
+const char * const ssl3_cipherName[] = {
+    "NULL",
+    "RC4",
+    "RC4-40",
+    "RC4-56",
+    "RC2-CBC",
+    "RC2-CBC-40",
+    "DES-CBC",
+    "3DES-EDE-CBC",
+    "DES-CBC-40",
+    "IDEA-CBC",
+    "AES-128",
+    "AES-256",
+    "Camellia-128",
+    "Camellia-256",
+    "missing"
+};
+
+#ifdef NSS_ENABLE_ECC
+/* The ECCWrappedKeyInfo structure defines how various pieces of 
+ * information are laid out within wrappedSymmetricWrappingkey 
+ * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 
+ * a 512-byte buffer (see sslimpl.h), the variable length field 
+ * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
+ *
+ * XXX For now, NSS only supports named elliptic curves of size 571 bits 
+ * or smaller. The public value will fit within 145 bytes and EC params
+ * will fit within 12 bytes. We'll need to revisit this when NSS
+ * supports arbitrary curves.
+ */
+#define MAX_EC_WRAPPED_KEY_BUFLEN  504
+
+typedef struct ECCWrappedKeyInfoStr {
+    PRUint16 size;            /* EC public key size in bits */
+    PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
+    PRUint16 pubValueLen;     /* length (in bytes) of EC public value */
+    PRUint16 wrappedKeyLen;   /* length (in bytes) of the wrapped key */
+    PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
+    /* EC public-key params, the EC public value and the wrapped key  */
+} ECCWrappedKeyInfo;
+#endif /* NSS_ENABLE_ECC */
+
+#if defined(TRACE)
+
+static char *
+ssl3_DecodeHandshakeType(int msgType)
+{
+    char * rv;
+    static char line[40];
+
+    switch(msgType) {
+    case hello_request:	        rv = "hello_request (0)";               break;
+    case client_hello:	        rv = "client_hello  (1)";               break;
+    case server_hello:	        rv = "server_hello  (2)";               break;
+    case certificate:	        rv = "certificate  (11)";               break;
+    case server_key_exchange:	rv = "server_key_exchange (12)";        break;
+    case certificate_request:	rv = "certificate_request (13)";        break;
+    case server_hello_done:	rv = "server_hello_done   (14)";        break;
+    case certificate_verify:	rv = "certificate_verify  (15)";        break;
+    case client_key_exchange:	rv = "client_key_exchange (16)";        break;
+    case finished:	        rv = "finished     (20)";               break;
+    default:
+        sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
+	rv = line;
+    }
+    return rv;
+}
+
+static char *
+ssl3_DecodeContentType(int msgType)
+{
+    char * rv;
+    static char line[40];
+
+    switch(msgType) {
+    case content_change_cipher_spec:
+                                rv = "change_cipher_spec (20)";         break;
+    case content_alert:	        rv = "alert      (21)";                 break;
+    case content_handshake:	rv = "handshake  (22)";                 break;
+    case content_application_data:
+                                rv = "application_data (23)";           break;
+    default:
+        sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
+	rv = line;
+    }
+    return rv;
+}
+
+#endif
+
+SSL3Statistics * 
+SSL_GetStatistics(void)
+{
+    return &ssl3stats;
+}
+
+typedef struct tooLongStr {
+#if defined(IS_LITTLE_ENDIAN)
+    PRInt32 low;
+    PRInt32 high;
+#else
+    PRInt32 high;
+    PRInt32 low;
+#endif
+} tooLong;
+
+void SSL_AtomicIncrementLong(long * x)
+{
+    if ((sizeof *x) == sizeof(PRInt32)) {
+        PR_AtomicIncrement((PRInt32 *)x);
+    } else {
+    	tooLong * tl = (tooLong *)x;
+	if (PR_AtomicIncrement(&tl->low) == 0)
+	    PR_AtomicIncrement(&tl->high);
+    }
+}
+
+/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
+/* XXX This does a linear search.  A binary search would be better. */
+static const ssl3CipherSuiteDef *
+ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
+{
+    int cipher_suite_def_len =
+	sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
+    int i;
+
+    for (i = 0; i < cipher_suite_def_len; i++) {
+	if (cipher_suite_defs[i].cipher_suite == suite)
+	    return &cipher_suite_defs[i];
+    }
+    PORT_Assert(PR_FALSE);  /* We should never get here. */
+    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    return NULL;
+}
+
+/* Find the cipher configuration struct associate with suite */
+/* XXX This does a linear search.  A binary search would be better. */
+static ssl3CipherSuiteCfg *
+ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
+{
+    int i;
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	if (suites[i].cipher_suite == suite)
+	    return &suites[i];
+    }
+    /* return NULL and let the caller handle it.  */
+    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    return NULL;
+}
+
+
+/* Initialize the suite->isPresent value for config_match
+ * Returns count of enabled ciphers supported by extant tokens,
+ * regardless of policy or user preference.
+ * If this returns zero, the user cannot do SSL v3.
+ */
+int
+ssl3_config_match_init(sslSocket *ss)
+{
+    ssl3CipherSuiteCfg *      suite;
+    const ssl3CipherSuiteDef *cipher_def;
+    SSLCipherAlgorithm        cipher_alg;
+    CK_MECHANISM_TYPE         cipher_mech;
+    SSL3KEAType               exchKeyType;
+    int                       i;
+    int                       numPresent		= 0;
+    int                       numEnabled		= 0;
+    PRBool                    isServer;
+    sslServerCerts           *svrAuth;
+
+    PORT_Assert(ss);
+    if (!ss) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return 0;
+    }
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+    	return 0;
+    }
+    isServer = (PRBool)(ss->sec.isServer != 0);
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	suite = &ss->cipherSuites[i];
+	if (suite->enabled) {
+	    ++numEnabled;
+	    /* We need the cipher defs to see if we have a token that can handle
+	     * this cipher.  It isn't part of the static definition.
+	     */
+	    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
+	    if (!cipher_def) {
+	    	suite->isPresent = PR_FALSE;
+		continue;
+	    }
+	    cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
+	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
+	    cipher_mech = alg2Mech[cipher_alg].cmech;
+	    exchKeyType =
+	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
+#ifndef NSS_ENABLE_ECC
+	    svrAuth = ss->serverCerts + exchKeyType;
+#else
+	    /* XXX SSLKEAType isn't really a good choice for 
+	     * indexing certificates. It doesn't work for
+	     * (EC)DHE-* ciphers. Here we use a hack to ensure
+	     * that the server uses an RSA cert for (EC)DHE-RSA.
+	     */
+	    switch (cipher_def->key_exchange_alg) {
+	    case kea_ecdhe_rsa:
+#if NSS_SERVER_DHE_IMPLEMENTED
+	    /* XXX NSS does not yet implement the server side of _DHE_
+	     * cipher suites.  Correcting the computation for svrAuth,
+	     * as the case below does, causes NSS SSL servers to begin to
+	     * negotiate cipher suites they do not implement.  So, until
+	     * server side _DHE_ is implemented, keep this disabled.
+	     */
+	    case kea_dhe_rsa:
+#endif
+		svrAuth = ss->serverCerts + kt_rsa;
+		break;
+	    case kea_ecdh_ecdsa:
+	    case kea_ecdh_rsa:
+	        /* 
+		 * XXX We ought to have different indices for 
+		 * ECDSA- and RSA-signed EC certificates so
+		 * we could support both key exchange mechanisms
+		 * simultaneously. For now, both of them use
+		 * whatever is in the certificate slot for kt_ecdh
+		 */
+	    default:
+		svrAuth = ss->serverCerts + exchKeyType;
+		break;
+	    }
+#endif /* NSS_ENABLE_ECC */
+
+	    /* Mark the suites that are backed by real tokens, certs and keys */
+	    suite->isPresent = (PRBool)
+		(((exchKeyType == kt_null) ||
+		   ((!isServer || (svrAuth->serverKeyPair &&
+		                   svrAuth->SERVERKEY &&
+				   svrAuth->serverCertChain)) &&
+		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
+		((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
+	    if (suite->isPresent)
+	    	++numPresent;
+	}
+    }
+    PORT_Assert(numPresent > 0 || numEnabled == 0);
+    if (numPresent <= 0) {
+	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
+    }
+    return numPresent;
+}
+
+
+/* return PR_TRUE if suite matches policy and enabled state */
+/* It would be a REALLY BAD THING (tm) if we ever permitted the use
+** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
+** policy == SSL_NOT_ALLOWED, report no match.
+*/
+/* adjust suite enabled to the availability of a token that can do the
+ * cipher suite. */
+static PRBool
+config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
+{
+    PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
+    if (policy == SSL_NOT_ALLOWED || !enabled)
+    	return PR_FALSE;
+    return (PRBool)(suite->enabled &&
+                    suite->isPresent &&
+	            suite->policy != SSL_NOT_ALLOWED &&
+		    suite->policy <= policy);
+}
+
+/* return number of cipher suites that match policy and enabled state */
+/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+static int
+count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+{
+    int i, count = 0;
+
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+    	return 0;
+    }
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	if (config_match(&ss->cipherSuites[i], policy, enabled))
+	    count++;
+    }
+    if (count <= 0) {
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    }
+    return count;
+}
+
+static PRBool
+anyRestrictedEnabled(sslSocket *ss)
+{
+    int i;
+
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+    	return PR_FALSE;
+    }
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (suite->policy == SSL_RESTRICTED &&
+	    suite->enabled &&
+	    suite->isPresent)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Null compression, mac and encryption functions
+ */
+
+static SECStatus
+Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
+	    const unsigned char *input, int inputLen)
+{
+    *outputLen = inputLen;
+    if (input != output)
+	PORT_Memcpy(output, input, inputLen);
+    return SECSuccess;
+}
+
+/*
+ * SSL3 Utility functions
+ */
+
+SECStatus
+ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
+{
+    SSL3ProtocolVersion version;
+    SSL3ProtocolVersion maxVersion;
+
+    if (ss->opt.enableTLS) {
+	maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
+    } else if (ss->opt.enableSSL3) {
+	maxVersion = SSL_LIBRARY_VERSION_3_0;
+    } else {
+    	/* what are we doing here? */
+	PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+	return SECFailure;
+    }
+
+    ss->version = version = PR_MIN(maxVersion, peerVersion);
+
+    if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) ||
+    	(version == SSL_LIBRARY_VERSION_3_0     && ss->opt.enableSSL3)) {
+	return SECSuccess;
+    }
+
+    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+    return SECFailure;
+
+}
+
+static SECStatus
+ssl3_GetNewRandom(SSL3Random *random)
+{
+    PRUint32 gmt = ssl_Time();
+    SECStatus rv;
+
+    random->rand[0] = (unsigned char)(gmt >> 24);
+    random->rand[1] = (unsigned char)(gmt >> 16);
+    random->rand[2] = (unsigned char)(gmt >>  8);
+    random->rand[3] = (unsigned char)(gmt);
+
+    /* first 4 bytes are reserverd for time */
+    rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+    }
+    return rv;
+}
+
+/* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
+SECStatus
+ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 
+                PRBool isTLS)
+{
+    SECStatus rv		= SECFailure;
+    PRBool    doDerEncode       = PR_FALSE;
+    int       signatureLen;
+    SECItem   hashItem;
+
+    buf->data    = NULL;
+    signatureLen = PK11_SignatureLen(key);
+    if (signatureLen <= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+        goto done;
+    }
+
+    buf->len  = (unsigned)signatureLen;
+    buf->data = (unsigned char *)PORT_Alloc(signatureLen);
+    if (!buf->data)
+        goto done;	/* error code was set. */
+
+    switch (key->keyType) {
+    case rsaKey:
+    	hashItem.data = hash->md5;
+    	hashItem.len = sizeof(SSL3Hashes);
+	break;
+    case dsaKey:
+	doDerEncode = isTLS;
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	break;
+#ifdef NSS_ENABLE_ECC
+    case ecKey:
+	doDerEncode = PR_TRUE;
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	break;
+#endif /* NSS_ENABLE_ECC */
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	goto done;
+    }
+    PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
+
+    rv = PK11_Sign(key, buf, &hashItem);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
+    } else if (doDerEncode) {
+	SECItem   derSig	= {siBuffer, NULL, 0};
+
+	/* This also works for an ECDSA signature */
+	rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
+	if (rv == SECSuccess) {
+	    PORT_Free(buf->data);	/* discard unencoded signature. */
+	    *buf = derSig;		/* give caller encoded signature. */
+	} else if (derSig.data) {
+	    PORT_Free(derSig.data);
+	}
+    }
+
+    PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
+done:
+    if (rv != SECSuccess && buf->data) {
+	PORT_Free(buf->data);
+	buf->data = NULL;
+    }
+    return rv;
+}
+
+/* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
+SECStatus
+ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 
+                        SECItem *buf, PRBool isTLS, void *pwArg)
+{
+    SECKEYPublicKey * key;
+    SECItem *         signature	= NULL;
+    SECStatus         rv;
+    SECItem           hashItem;
+#ifdef NSS_ENABLE_ECC
+    unsigned int      len;
+#endif /* NSS_ENABLE_ECC */
+
+
+    PRINT_BUF(60, (NULL, "check signed hashes",
+                  buf->data, buf->len));
+
+    key = CERT_ExtractPublicKey(cert);
+    if (key == NULL) {
+	/* CERT_ExtractPublicKey doesn't set error code */
+	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+    	return SECFailure;
+    }
+
+    switch (key->keyType) {
+    case rsaKey:
+    	hashItem.data = hash->md5;
+    	hashItem.len = sizeof(SSL3Hashes);
+	break;
+    case dsaKey:
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	if (isTLS) {
+	    signature = DSAU_DecodeDerSig(buf);
+	    if (!signature) {
+	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+		return SECFailure;
+	    }
+	    buf = signature;
+	}
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case ecKey:
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	/*
+	 * ECDSA signatures always encode the integers r and s 
+	 * using ASN (unlike DSA where ASN encoding is used
+	 * with TLS but not with SSL3)
+	 */
+	len = SECKEY_SignatureLen(key);
+	if (len == 0) {
+	    SECKEY_DestroyPublicKey(key);
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+	}
+	signature = DSAU_DecodeDerSigToLen(buf, len);
+	if (!signature) {
+	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+	    return SECFailure;
+	}
+	buf = signature;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+    	SECKEY_DestroyPublicKey(key);
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+
+    PRINT_BUF(60, (NULL, "hash(es) to be verified",
+                  hashItem.data, hashItem.len));
+
+    rv = PK11_Verify(key, buf, &hashItem, pwArg);
+    SECKEY_DestroyPublicKey(key);
+    if (signature) {
+    	SECITEM_FreeItem(signature, PR_TRUE);
+    }
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+    }
+    return rv;
+}
+
+
+/* Caller must set hiLevel error code. */
+/* Called from ssl3_ComputeExportRSAKeyHash
+ *             ssl3_ComputeDHKeyHash
+ * which are called from ssl3_HandleServerKeyExchange. 
+ */
+SECStatus
+ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen,
+			     SSL3Hashes *hashes, PRBool bypassPKCS11)
+{
+    SECStatus     rv 		= SECSuccess;
+
+    if (bypassPKCS11) {
+	MD5_HashBuf (hashes->md5, hashBuf, bufLen);
+	SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
+    } else {
+	rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto done;
+	}
+
+	rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    rv = SECFailure;
+	}
+    }
+done:
+    return rv;
+}
+
+/* Caller must set hiLevel error code. 
+** Called from ssl3_SendServerKeyExchange and 
+**             ssl3_HandleServerKeyExchange.
+*/
+static SECStatus
+ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
+			     SSL3Random *client_rand, SSL3Random *server_rand,
+			     SSL3Hashes *hashes, PRBool bypassPKCS11)
+{
+    PRUint8     * hashBuf;
+    PRUint8     * pBuf;
+    SECStatus     rv 		= SECSuccess;
+    unsigned int  bufLen;
+    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
+
+    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
+    if (bufLen <= sizeof buf) {
+    	hashBuf = buf;
+    } else {
+    	hashBuf = PORT_Alloc(bufLen);
+	if (!hashBuf) {
+	    return SECFailure;
+	}
+    }
+
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
+    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
+    	pBuf += SSL3_RANDOM_LENGTH;
+    pBuf[0]  = (PRUint8)(modulus.len >> 8);
+    pBuf[1]  = (PRUint8)(modulus.len);
+    	pBuf += 2;
+    memcpy(pBuf, modulus.data, modulus.len);
+    	pBuf += modulus.len;
+    pBuf[0] = (PRUint8)(publicExponent.len >> 8);
+    pBuf[1] = (PRUint8)(publicExponent.len);
+    	pBuf += 2;
+    memcpy(pBuf, publicExponent.data, publicExponent.len);
+    	pBuf += publicExponent.len;
+    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
+
+    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
+
+    PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
+    PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
+    PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
+
+    if (hashBuf != buf && hashBuf != NULL)
+    	PORT_Free(hashBuf);
+    return rv;
+}
+
+/* Caller must set hiLevel error code. */
+/* Called from ssl3_HandleServerKeyExchange. */
+static SECStatus
+ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
+			     SSL3Random *client_rand, SSL3Random *server_rand,
+			     SSL3Hashes *hashes, PRBool bypassPKCS11)
+{
+    PRUint8     * hashBuf;
+    PRUint8     * pBuf;
+    SECStatus     rv 		= SECSuccess;
+    unsigned int  bufLen;
+    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
+
+    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
+    if (bufLen <= sizeof buf) {
+    	hashBuf = buf;
+    } else {
+    	hashBuf = PORT_Alloc(bufLen);
+	if (!hashBuf) {
+	    return SECFailure;
+	}
+    }
+
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
+    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
+    	pBuf += SSL3_RANDOM_LENGTH;
+    pBuf[0]  = (PRUint8)(dh_p.len >> 8);
+    pBuf[1]  = (PRUint8)(dh_p.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_p.data, dh_p.len);
+    	pBuf += dh_p.len;
+    pBuf[0] = (PRUint8)(dh_g.len >> 8);
+    pBuf[1] = (PRUint8)(dh_g.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_g.data, dh_g.len);
+    	pBuf += dh_g.len;
+    pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
+    pBuf[1] = (PRUint8)(dh_Ys.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_Ys.data, dh_Ys.len);
+    	pBuf += dh_Ys.len;
+    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
+
+    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
+
+    PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
+    PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
+    PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
+
+    if (hashBuf != buf && hashBuf != NULL)
+    	PORT_Free(hashBuf);
+    return rv;
+}
+
+static void
+ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
+{
+    num->low++;
+    if (num->low == 0)
+	num->high++;
+}
+
+/* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
+static void
+ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
+{
+    if (mat->write_key != NULL) {
+	PK11_FreeSymKey(mat->write_key);
+	mat->write_key = NULL;
+    }
+    if (mat->write_mac_key != NULL) {
+	PK11_FreeSymKey(mat->write_mac_key);
+	mat->write_mac_key = NULL;
+    }
+    if (mat->write_mac_context != NULL) {
+	PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
+	mat->write_mac_context = NULL;
+    }
+}
+
+/* Called from ssl3_SendChangeCipherSpecs() and 
+**	       ssl3_HandleChangeCipherSpecs()
+**             ssl3_DestroySSL3Info
+** Caller must hold SpecWriteLock.
+*/
+static void
+ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
+{
+    PRBool freeit = (PRBool)(!spec->bypassCiphers);
+/*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
+    if (spec->destroy) {
+	spec->destroy(spec->encodeContext, freeit);
+	spec->destroy(spec->decodeContext, freeit);
+	spec->encodeContext = NULL; /* paranoia */
+	spec->decodeContext = NULL;
+    }
+    if (spec->master_secret != NULL) {
+	PK11_FreeSymKey(spec->master_secret);
+	spec->master_secret = NULL;
+    }
+    spec->msItem.data = NULL;
+    spec->msItem.len  = 0;
+    ssl3_CleanupKeyMaterial(&spec->client);
+    ssl3_CleanupKeyMaterial(&spec->server);
+    spec->bypassCiphers = PR_FALSE;
+    spec->destroy=NULL;
+}
+
+/* Fill in the pending cipher spec with info from the selected ciphersuite.
+** This is as much initialization as we can do without having key material.
+** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
+** Caller must hold the ssl3 handshake lock.
+** Acquires & releases SpecWriteLock.
+*/
+static SECStatus
+ssl3_SetupPendingCipherSpec(sslSocket *ss)
+{
+    ssl3CipherSpec *          pwSpec;
+    ssl3CipherSpec *          cwSpec;
+    ssl3CipherSuite           suite     = ss->ssl3.hs.cipher_suite;
+    SSL3MACAlgorithm          mac;
+    SSL3BulkCipher            cipher;
+    SSL3KeyExchangeAlgorithm  kea;
+    const ssl3CipherSuiteDef *suite_def;
+    PRBool                    isTLS;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecWriteLock(ss);  /*******************************/
+
+    pwSpec = ss->ssl3.pwSpec;
+    PORT_Assert(pwSpec == ss->ssl3.prSpec);
+
+    /* This hack provides maximal interoperability with SSL 3 servers. */
+    cwSpec = ss->ssl3.cwSpec;
+    if (cwSpec->mac_def->mac == mac_null) {
+	/* SSL records are not being MACed. */
+	cwSpec->version = ss->version;
+    }
+
+    pwSpec->version  = ss->version;
+    isTLS  = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
+		SSL_GETPID(), ss->fd, suite));
+
+    suite_def = ssl_LookupCipherSuiteDef(suite);
+    if (suite_def == NULL) {
+	ssl_ReleaseSpecWriteLock(ss);
+	return SECFailure;	/* error code set by ssl_LookupCipherSuiteDef */
+    }
+
+
+    cipher = suite_def->bulk_cipher_alg;
+    kea    = suite_def->key_exchange_alg;
+    mac    = suite_def->mac_alg;
+    if (isTLS)
+	mac += 2;
+
+    ss->ssl3.hs.suite_def = suite_def;
+    ss->ssl3.hs.kea_def   = &kea_defs[kea];
+    PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
+
+    pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
+    PORT_Assert(pwSpec->cipher_def->cipher == cipher);
+
+    pwSpec->mac_def = &mac_defs[mac];
+    PORT_Assert(pwSpec->mac_def->mac == mac);
+
+    ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
+    ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
+    ss->sec.cipherType    = cipher;
+
+    pwSpec->encodeContext = NULL;
+    pwSpec->decodeContext = NULL;
+
+    pwSpec->mac_size = pwSpec->mac_def->mac_size;
+
+    ssl_ReleaseSpecWriteLock(ss);  /*******************************/
+    return SECSuccess;
+}
+
+/* Initialize encryption and MAC contexts for pending spec.
+ * Master Secret already is derived in spec->msItem
+ * Caller holds Spec write lock.
+ */
+static SECStatus
+ssl3_InitPendingContextsBypass(sslSocket *ss)
+{
+      ssl3CipherSpec  *  pwSpec;
+const ssl3BulkCipherDef *cipher_def;
+      void *             serverContext = NULL;
+      void *             clientContext = NULL;
+      BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
+      int                mode     = 0;
+      unsigned int       optArg1  = 0;
+      unsigned int       optArg2  = 0;
+      PRBool             server_encrypts = ss->sec.isServer;
+      CK_ULONG           macLength;
+      SSLCipherAlgorithm calg;
+      SECStatus          rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    pwSpec        = ss->ssl3.pwSpec;
+    cipher_def    = pwSpec->cipher_def;
+    macLength     = pwSpec->mac_size;
+
+    /* MAC setup is done when computing the mac, not here.
+     * Now setup the crypto contexts.
+     */
+
+    calg = cipher_def->calg;
+
+    serverContext = pwSpec->server.cipher_context;
+    clientContext = pwSpec->client.cipher_context;
+
+    switch (calg) {
+    case ssl_calg_null:
+	pwSpec->encode  = Null_Cipher;
+	pwSpec->decode  = Null_Cipher;
+        pwSpec->destroy = NULL;
+	goto success;
+
+    case ssl_calg_rc4:
+      	initFn = (BLapiInitContextFunc)RC4_InitContext;
+	pwSpec->encode  = (SSLCipher) RC4_Encrypt;
+	pwSpec->decode  = (SSLCipher) RC4_Decrypt;
+	pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
+	break;
+    case ssl_calg_rc2:
+      	initFn = (BLapiInitContextFunc)RC2_InitContext;
+	mode = NSS_RC2_CBC;
+	optArg1 = cipher_def->key_size;
+	pwSpec->encode  = (SSLCipher) RC2_Encrypt;
+	pwSpec->decode  = (SSLCipher) RC2_Decrypt;
+	pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
+	break;
+    case ssl_calg_des:
+      	initFn = (BLapiInitContextFunc)DES_InitContext;
+	mode = NSS_DES_CBC;
+	optArg1 = server_encrypts;
+	pwSpec->encode  = (SSLCipher) DES_Encrypt;
+	pwSpec->decode  = (SSLCipher) DES_Decrypt;
+	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
+	break;
+    case ssl_calg_3des:
+      	initFn = (BLapiInitContextFunc)DES_InitContext;
+	mode = NSS_DES_EDE3_CBC;
+	optArg1 = server_encrypts;
+	pwSpec->encode  = (SSLCipher) DES_Encrypt;
+	pwSpec->decode  = (SSLCipher) DES_Decrypt;
+	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
+	break;
+    case ssl_calg_aes:
+      	initFn = (BLapiInitContextFunc)AES_InitContext;
+	mode = NSS_AES_CBC;
+	optArg1 = server_encrypts;
+	optArg2 = AES_BLOCK_SIZE;
+	pwSpec->encode  = (SSLCipher) AES_Encrypt;
+	pwSpec->decode  = (SSLCipher) AES_Decrypt;
+	pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
+	break;
+
+    case ssl_calg_camellia:
+      	initFn = (BLapiInitContextFunc)Camellia_InitContext;
+	mode = NSS_CAMELLIA_CBC;
+	optArg1 = server_encrypts;
+	optArg2 = CAMELLIA_BLOCK_SIZE;
+	pwSpec->encode  = (SSLCipher) Camellia_Encrypt;
+	pwSpec->decode  = (SSLCipher) Camellia_Decrypt;
+	pwSpec->destroy = (SSLDestroy) Camellia_DestroyContext;
+	break;
+
+    case ssl_calg_idea:
+    case ssl_calg_fortezza :
+    default:
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	goto bail_out;
+    }
+    rv = (*initFn)(serverContext,
+		   pwSpec->server.write_key_item.data,
+		   pwSpec->server.write_key_item.len,
+		   pwSpec->server.write_iv_item.data,
+		   mode, optArg1, optArg2);
+    if (rv != SECSuccess) {
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	goto bail_out;
+    }
+
+    if (calg == ssl_calg_des || calg == ssl_calg_3des || calg == ssl_calg_aes
+	|| calg == ssl_calg_camellia) {
+	/* For block ciphers, if the server is encrypting, then the client
+	 * is decrypting, and vice versa.
+	 */
+	optArg1 = !optArg1;
+    }
+
+    rv = (*initFn)(clientContext,
+		   pwSpec->client.write_key_item.data,
+		   pwSpec->client.write_key_item.len,
+		   pwSpec->client.write_iv_item.data,
+		   mode, optArg1, optArg2);
+    if (rv != SECSuccess) {
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	goto bail_out;
+    }
+
+    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
+    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
+
+success:
+    return SECSuccess;
+
+bail_out:
+    return SECFailure;
+}
+
+/* This function should probably be moved to pk11wrap and be named 
+ * PK11_ParamFromIVAndEffectiveKeyBits
+ */
+static SECItem *
+ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
+{
+    SECItem * param = PK11_ParamFromIV(mtype, iv);
+    if (param && param->data  && param->len >= sizeof(CK_RC2_PARAMS)) {
+	switch (mtype) {
+	case CKM_RC2_KEY_GEN:
+	case CKM_RC2_ECB:
+	case CKM_RC2_CBC:
+	case CKM_RC2_MAC:
+	case CKM_RC2_MAC_GENERAL:
+	case CKM_RC2_CBC_PAD:
+	    *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
+	default: break;
+	}
+    }
+    return param;
+}
+
+/* Initialize encryption and MAC contexts for pending spec.
+ * Master Secret already is derived.
+ * Caller holds Spec write lock.
+ */
+static SECStatus
+ssl3_InitPendingContextsPKCS11(sslSocket *ss)
+{
+      ssl3CipherSpec  *  pwSpec;
+const ssl3BulkCipherDef *cipher_def;
+      PK11Context *      serverContext = NULL;
+      PK11Context *      clientContext = NULL;
+      SECItem *          param;
+      CK_MECHANISM_TYPE  mechanism;
+      CK_MECHANISM_TYPE  mac_mech;
+      CK_ULONG           macLength;
+      CK_ULONG           effKeyBits;
+      SECItem            iv;
+      SECItem            mac_param;
+      SSLCipherAlgorithm calg;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    pwSpec        = ss->ssl3.pwSpec;
+    cipher_def    = pwSpec->cipher_def;
+    macLength     = pwSpec->mac_size;
+
+    /* 
+    ** Now setup the MAC contexts, 
+    **   crypto contexts are setup below.
+    */
+
+    pwSpec->client.write_mac_context = NULL;
+    pwSpec->server.write_mac_context = NULL;
+    mac_mech       = pwSpec->mac_def->mmech;
+    mac_param.data = (unsigned char *)&macLength;
+    mac_param.len  = sizeof(macLength);
+    mac_param.type = 0;
+
+    pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
+	    mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
+    if (pwSpec->client.write_mac_context == NULL)  {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+	goto fail;
+    }
+    pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
+	    mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
+    if (pwSpec->server.write_mac_context == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+	goto fail;
+    }
+
+    /* 
+    ** Now setup the crypto contexts.
+    */
+
+    calg = cipher_def->calg;
+    PORT_Assert(alg2Mech[calg].calg == calg);
+
+    if (calg == calg_null) {
+	pwSpec->encode  = Null_Cipher;
+	pwSpec->decode  = Null_Cipher;
+	pwSpec->destroy = NULL;
+	return SECSuccess;
+    }
+    mechanism = alg2Mech[calg].cmech;
+    effKeyBits = cipher_def->key_size * BPB;
+
+    /*
+     * build the server context
+     */
+    iv.data = pwSpec->server.write_iv;
+    iv.len  = cipher_def->iv_size;
+    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
+    if (param == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
+    	goto fail;
+    }
+    serverContext = PK11_CreateContextBySymKey(mechanism,
+				(ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
+				pwSpec->server.write_key, param);
+    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
+    if (iv.data)
+    	PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (serverContext == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+
+    /*
+     * build the client context
+     */
+    iv.data = pwSpec->client.write_iv;
+    iv.len  = cipher_def->iv_size;
+
+    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
+    if (param == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
+    	goto fail;
+    }
+    clientContext = PK11_CreateContextBySymKey(mechanism,
+				(ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
+				pwSpec->client.write_key, param);
+    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
+    if (iv.data)
+    	PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (clientContext == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+    pwSpec->encode  = (SSLCipher) PK11_CipherOp;
+    pwSpec->decode  = (SSLCipher) PK11_CipherOp;
+    pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
+
+    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
+    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
+
+    serverContext = NULL;
+    clientContext = NULL;
+
+    return SECSuccess;
+
+fail:
+    if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
+    if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
+    if (pwSpec->client.write_mac_context != NULL) {
+    	PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
+	pwSpec->client.write_mac_context = NULL;
+    }
+    if (pwSpec->server.write_mac_context != NULL) {
+    	PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
+	pwSpec->server.write_mac_context = NULL;
+    }
+
+    return SECFailure;
+}
+
+/* Complete the initialization of all keys, ciphers, MACs and their contexts
+ * for the pending Cipher Spec.
+ * Called from: ssl3_SendClientKeyExchange 	(for Full handshake)
+ *              ssl3_HandleRSAClientKeyExchange	(for Full handshake)
+ *              ssl3_HandleServerHello		(for session restart)
+ *              ssl3_HandleClientHello		(for session restart)
+ * Sets error code, but caller probably should override to disambiguate.
+ * NULL pms means re-use old master_secret.
+ *
+ * This code is common to the bypass and PKCS11 execution paths.
+ * For the bypass case,  pms is NULL.
+ */
+SECStatus
+ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
+{
+    ssl3CipherSpec  *  pwSpec;
+    SECStatus          rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecWriteLock(ss);	/**************************************/
+
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    pwSpec        = ss->ssl3.pwSpec;
+
+    if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
+	rv = ssl3_DeriveMasterSecret(ss, pms);
+	if (rv != SECSuccess) {
+	    goto done;  /* err code set by ssl3_DeriveMasterSecret */
+	}
+    }
+    if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
+	/* Double Bypass succeeded in extracting the master_secret */
+	const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
+	PRBool             isTLS   = (PRBool)(kea_def->tls_keygen ||
+                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
+	pwSpec->bypassCiphers = PR_TRUE;
+	rv = ssl3_KeyAndMacDeriveBypass( pwSpec, 
+			     (const unsigned char *)&ss->ssl3.hs.client_random,
+			     (const unsigned char *)&ss->ssl3.hs.server_random,
+			     isTLS, 
+			     (PRBool)(kea_def->is_limited));
+	if (rv == SECSuccess) {
+	    rv = ssl3_InitPendingContextsBypass(ss);
+	}
+    } else if (pwSpec->master_secret) {
+	rv = ssl3_DeriveConnectionKeysPKCS11(ss);
+	if (rv == SECSuccess) {
+	    rv = ssl3_InitPendingContextsPKCS11(ss);
+	}
+    } else {
+	PORT_Assert(pwSpec->master_secret);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	rv = SECFailure;
+    }
+
+done:
+    ssl_ReleaseSpecWriteLock(ss);	/******************************/
+    if (rv != SECSuccess)
+	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+    return rv;
+}
+
+/*
+ * 60 bytes is 3 times the maximum length MAC size that is supported.
+ */
+static const unsigned char mac_pad_1 [60] = {
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36
+};
+static const unsigned char mac_pad_2 [60] = {
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c
+};
+
+/* Called from: ssl3_SendRecord()
+**		ssl3_HandleRecord()
+** Caller must already hold the SpecReadLock. (wish we could assert that!)
+*/
+static SECStatus
+ssl3_ComputeRecordMAC(
+    ssl3CipherSpec *   spec,
+    PRBool             useServerMacKey,
+    SSL3ContentType    type,
+    SSL3ProtocolVersion version,
+    SSL3SequenceNumber seq_num,
+    const SSL3Opaque * input,
+    int                inputLength,
+    unsigned char *    outbuf,
+    unsigned int *     outLength)
+{
+    const ssl3MACDef * mac_def;
+    SECStatus          rv;
+    PRBool             isTLS;
+    unsigned int       tempLen;
+    unsigned char      temp[MAX_MAC_LENGTH];
+
+    temp[0] = (unsigned char)(seq_num.high >> 24);
+    temp[1] = (unsigned char)(seq_num.high >> 16);
+    temp[2] = (unsigned char)(seq_num.high >>  8);
+    temp[3] = (unsigned char)(seq_num.high >>  0);
+    temp[4] = (unsigned char)(seq_num.low  >> 24);
+    temp[5] = (unsigned char)(seq_num.low  >> 16);
+    temp[6] = (unsigned char)(seq_num.low  >>  8);
+    temp[7] = (unsigned char)(seq_num.low  >>  0);
+    temp[8] = type;
+
+    /* TLS MAC includes the record's version field, SSL's doesn't.
+    ** We decide which MAC defintiion to use based on the version of 
+    ** the protocol that was negotiated when the spec became current,
+    ** NOT based on the version value in the record itself.
+    ** But, we use the record'v version value in the computation.
+    */
+    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
+	temp[9]  = MSB(inputLength);
+	temp[10] = LSB(inputLength);
+	tempLen  = 11;
+	isTLS    = PR_FALSE;
+    } else {
+    	/* New TLS hash includes version. */
+	temp[9]  = MSB(version);
+	temp[10] = LSB(version);
+	temp[11] = MSB(inputLength);
+	temp[12] = LSB(inputLength);
+	tempLen  = 13;
+	isTLS    = PR_TRUE;
+    }
+
+    PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
+    PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
+
+    mac_def = spec->mac_def;
+    if (mac_def->mac == mac_null) {
+	*outLength = 0;
+	return SECSuccess;
+    }
+    if (! spec->bypassCiphers) {
+	PK11Context *mac_context = 
+	    (useServerMacKey ? spec->server.write_mac_context
+	                     : spec->client.write_mac_context);
+	rv  = PK11_DigestBegin(mac_context);
+	rv |= PK11_DigestOp(mac_context, temp, tempLen);
+	rv |= PK11_DigestOp(mac_context, input, inputLength);
+	rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
+    } else {
+	/* bypass version */
+	const SECHashObject *hashObj = NULL;
+	unsigned int       pad_bytes = 0;
+	PRUint64           write_mac_context[MAX_MAC_CONTEXT_LLONGS];
+
+	switch (mac_def->mac) {
+	case ssl_mac_null:
+	    *outLength = 0;
+	    return SECSuccess;
+	case ssl_mac_md5:
+	    pad_bytes = 48;
+	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
+	    break;
+	case ssl_mac_sha:
+	    pad_bytes = 40;
+	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
+	    break;
+	case ssl_hmac_md5: /* used with TLS */
+	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
+	    break;
+	case ssl_hmac_sha: /* used with TLS */
+	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
+	    break;
+	default:
+	    break;
+	}
+	if (!hashObj) {
+	    PORT_Assert(0);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+
+	if (!isTLS) {
+	    /* compute "inner" part of SSL3 MAC */
+	    hashObj->begin(write_mac_context);
+	    if (useServerMacKey)
+		hashObj->update(write_mac_context, 
+				spec->server.write_mac_key_item.data,
+				spec->server.write_mac_key_item.len);
+	    else
+		hashObj->update(write_mac_context, 
+				spec->client.write_mac_key_item.data,
+				spec->client.write_mac_key_item.len);
+	    hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
+	    hashObj->update(write_mac_context, temp,  tempLen);
+	    hashObj->update(write_mac_context, input, inputLength);
+	    hashObj->end(write_mac_context,    temp, &tempLen, sizeof temp);
+
+	    /* compute "outer" part of SSL3 MAC */
+	    hashObj->begin(write_mac_context);
+	    if (useServerMacKey)
+		hashObj->update(write_mac_context, 
+				spec->server.write_mac_key_item.data,
+				spec->server.write_mac_key_item.len);
+	    else
+		hashObj->update(write_mac_context, 
+				spec->client.write_mac_key_item.data,
+				spec->client.write_mac_key_item.len);
+	    hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
+	    hashObj->update(write_mac_context, temp, tempLen);
+	    hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
+	    rv = SECSuccess;
+	} else { /* is TLS */
+#define cx ((HMACContext *)write_mac_context)
+	    if (useServerMacKey) {
+		rv = HMAC_Init(cx, hashObj, 
+			       spec->server.write_mac_key_item.data,
+			       spec->server.write_mac_key_item.len, PR_FALSE);
+	    } else {
+		rv = HMAC_Init(cx, hashObj, 
+			       spec->client.write_mac_key_item.data,
+			       spec->client.write_mac_key_item.len, PR_FALSE);
+	    }
+	    if (rv == SECSuccess) {
+		HMAC_Begin(cx);
+		HMAC_Update(cx, temp, tempLen);
+		HMAC_Update(cx, input, inputLength);
+		rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
+		HMAC_Destroy(cx, PR_FALSE);
+	    }
+#undef cx
+	}
+    }
+
+    PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
+
+    PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
+
+    if (rv != SECSuccess) {
+    	rv = SECFailure;
+	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+    }
+    return rv;
+}
+
+static PRBool
+ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
+    PK11SlotInfo *slot = NULL;
+    PRBool isPresent = PR_TRUE;
+
+    /* we only care if we are doing client auth */
+    if (!sid || !sid->u.ssl3.clAuthValid) {
+	return PR_TRUE;
+    }
+
+    /* get the slot */
+    slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
+	                     sid->u.ssl3.clAuthSlotID);
+    if (slot == NULL ||
+	!PK11_IsPresent(slot) ||
+	sid->u.ssl3.clAuthSeries     != PK11_GetSlotSeries(slot) ||
+	sid->u.ssl3.clAuthSlotID     != PK11_GetSlotID(slot)     ||
+	sid->u.ssl3.clAuthModuleID   != PK11_GetModuleID(slot)   ||
+	(PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
+	isPresent = PR_FALSE;
+    } 
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    return isPresent;
+}
+
+static SECStatus
+ssl3_CompressMACEncryptRecord(sslSocket *        ss,
+                              SSL3ContentType    type,
+		              const SSL3Opaque * pIn,
+		              PRUint32           contentLen)
+{
+    ssl3CipherSpec *          cwSpec;
+    const ssl3BulkCipherDef * cipher_def;
+    sslBuffer      *          wrBuf 	  = &ss->sec.writeBuf;
+    SECStatus                 rv;
+    PRUint32                  macLen      = 0;
+    PRUint32                  fragLen;
+    PRUint32  p1Len, p2Len, oddLen = 0;
+    PRInt32   cipherBytes =  0;
+
+    /*
+     * null compression is easy to do
+    PORT_Memcpy(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, pIn, contentLen);
+     */
+
+    ssl_GetSpecReadLock(ss);	/********************************/
+
+    cwSpec = ss->ssl3.cwSpec;
+    cipher_def = cwSpec->cipher_def;
+    /*
+     * Add the MAC
+     */
+    rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer),
+	type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
+	wrBuf->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+	goto spec_locked_loser;
+    }
+    p1Len   = contentLen;
+    p2Len   = macLen;
+    fragLen = contentLen + macLen;	/* needs to be encrypted */
+    PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+
+    /*
+     * Pad the text (if we're doing a block cipher)
+     * then Encrypt it
+     */
+    if (cipher_def->type == type_block) {
+	unsigned char * pBuf;
+	int             padding_length;
+	int             i;
+
+	oddLen = contentLen % cipher_def->block_size;
+	/* Assume blockSize is a power of two */
+	padding_length = cipher_def->block_size - 1 -
+			((fragLen) & (cipher_def->block_size - 1));
+	fragLen += padding_length + 1;
+	PORT_Assert((fragLen % cipher_def->block_size) == 0);
+
+	/* Pad according to TLS rules (also acceptable to SSL3). */
+	pBuf = &wrBuf->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
+	for (i = padding_length + 1; i > 0; --i) {
+	    *pBuf-- = padding_length;
+	}
+	/* now, if contentLen is not a multiple of block size, fix it */
+	p2Len = fragLen - p1Len;
+    }
+    if (p1Len < 256) {
+	oddLen = p1Len;
+	p1Len = 0;
+    } else {
+	p1Len -= oddLen;
+    }
+    if (oddLen) {
+	p2Len += oddLen;
+	PORT_Assert( (cipher_def->block_size < 2) || \
+		     (p2Len % cipher_def->block_size) == 0);
+	memcpy(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
+	       pIn + p1Len, oddLen);
+    }
+    if (p1Len > 0) {
+	rv = cwSpec->encode( cwSpec->encodeContext, 
+	    wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, /* output */
+	    &cipherBytes,                           /* actual outlen */
+	    p1Len,                                  /* max outlen */
+	    pIn, p1Len);                      /* input, and inputlen */
+	PORT_Assert(rv == SECSuccess && cipherBytes == p1Len);
+	if (rv != SECSuccess || cipherBytes != p1Len) {
+	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+	    goto spec_locked_loser;
+	}
+    }
+    if (p2Len > 0) {
+	PRInt32 cipherBytesPart2 = -1;
+	rv = cwSpec->encode( cwSpec->encodeContext, 
+	    wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
+	    &cipherBytesPart2,          /* output and actual outLen */
+	    p2Len,                             /* max outlen */
+	    wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
+	    p2Len);                            /* input and inputLen*/
+	PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len);
+	if (rv != SECSuccess || cipherBytesPart2 != p2Len) {
+	    PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+	    goto spec_locked_loser;
+	}
+	cipherBytes += cipherBytesPart2;
+    }	
+    PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
+
+    ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
+
+    wrBuf->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
+    wrBuf->buf[0] = type;
+    wrBuf->buf[1] = MSB(cwSpec->version);
+    wrBuf->buf[2] = LSB(cwSpec->version);
+    wrBuf->buf[3] = MSB(cipherBytes);
+    wrBuf->buf[4] = LSB(cipherBytes);
+
+    ssl_ReleaseSpecReadLock(ss); /************************************/
+
+    return SECSuccess;
+
+spec_locked_loser:
+    ssl_ReleaseSpecReadLock(ss);
+    return SECFailure;
+}
+
+/* Process the plain text before sending it.
+ * Returns the number of bytes of plaintext that were succesfully sent
+ * 	plus the number of bytes of plaintext that were copied into the
+ *	output (write) buffer.
+ * Returns SECFailure on a hard IO error, memory error, or crypto error.
+ * Does NOT return SECWouldBlock.
+ *
+ * Notes on the use of the private ssl flags:
+ * (no private SSL flags)
+ *    Attempt to make and send SSL records for all plaintext
+ *    If non-blocking and a send gets WOULD_BLOCK,
+ *    or if the pending (ciphertext) buffer is not empty,
+ *    then buffer remaining bytes of ciphertext into pending buf,
+ *    and continue to do that for all succssive records until all
+ *    bytes are used.
+ * ssl_SEND_FLAG_FORCE_INTO_BUFFER
+ *    As above, except this suppresses all write attempts, and forces
+ *    all ciphertext into the pending ciphertext buffer.
+ *
+ */
+static PRInt32
+ssl3_SendRecord(   sslSocket *        ss,
+                   SSL3ContentType    type,
+		   const SSL3Opaque * pIn,   /* input buffer */
+		   PRInt32            nIn,   /* bytes of input */
+		   PRInt32            flags)
+{
+    sslBuffer      *          wrBuf 	  = &ss->sec.writeBuf;
+    SECStatus                 rv;
+    PRInt32                   totalSent   = 0;
+
+    SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
+		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+		nIn));
+    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    if (ss->ssl3.initialized == PR_FALSE) {
+	/* This can happen on a server if the very first incoming record
+	** looks like a defective ssl3 record (e.g. too long), and we're
+	** trying to send an alert.
+	*/
+	PR_ASSERT(type == content_alert);
+	rv = ssl3_InitState(ss);
+	if (rv != SECSuccess) {
+	    return SECFailure;	/* ssl3_InitState has set the error code. */
+    	}
+    }
+
+    /* check for Token Presence */
+    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
+	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+	return SECFailure;
+    }
+
+    while (nIn > 0) {
+	PRUint32  contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
+
+	if (wrBuf->space < contentLen + SSL3_BUFFER_FUDGE) {
+	    PRInt32 newSpace = PR_MAX(wrBuf->space * 2, contentLen);
+	    newSpace = PR_MIN(newSpace, MAX_FRAGMENT_LENGTH);
+	    newSpace += SSL3_BUFFER_FUDGE;
+	    rv = sslBuffer_Grow(wrBuf, newSpace);
+	    if (rv != SECSuccess) {
+		SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
+			 SSL_GETPID(), ss->fd, newSpace));
+		return SECFailure; /* sslBuffer_Grow set a memory error code. */
+	    }
+	}
+
+	rv = ssl3_CompressMACEncryptRecord( ss, type, pIn, contentLen);
+	if (rv != SECSuccess)
+	    return SECFailure;
+
+	pIn += contentLen;
+	nIn -= contentLen;
+	PORT_Assert( nIn >= 0 );
+
+	PRINT_BUF(50, (ss, "send (encrypted) record data:", wrBuf->buf, wrBuf->len));
+
+	/* If there's still some previously saved ciphertext,
+	 * or the caller doesn't want us to send the data yet,
+	 * then add all our new ciphertext to the amount previously saved.
+	 */
+	if ((ss->pendingBuf.len > 0) ||
+	    (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
+
+	    rv = ssl_SaveWriteData(ss, wrBuf->buf, wrBuf->len);
+	    if (rv != SECSuccess) {
+		/* presumably a memory error, SEC_ERROR_NO_MEMORY */
+		return SECFailure;
+	    }
+	    wrBuf->len = 0;	/* All cipher text is saved away. */
+
+	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
+		PRInt32   sent;
+		ss->handshakeBegun = 1;
+		sent = ssl_SendSavedWriteData(ss);
+		if (sent < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
+		    return SECFailure;
+		}
+		if (ss->pendingBuf.len) {
+		    flags |= ssl_SEND_FLAG_FORCE_INTO_BUFFER;
+		}
+	    }
+	} else if (wrBuf->len > 0) {
+	    PRInt32   sent;
+	    ss->handshakeBegun = 1;
+	    sent = ssl_DefSend(ss, wrBuf->buf, wrBuf->len,
+			       flags & ~ssl_SEND_FLAG_MASK);
+	    if (sent < 0) {
+		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
+		    return SECFailure;
+		}
+		/* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
+		sent = 0;
+	    }
+	    wrBuf->len -= sent;
+	    if (wrBuf->len) {
+		/* now take all the remaining unsent new ciphertext and 
+		 * append it to the buffer of previously unsent ciphertext.
+		 */
+		rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
+		if (rv != SECSuccess) {
+		    /* presumably a memory error, SEC_ERROR_NO_MEMORY */
+		    return SECFailure;
+		}
+	    }
+	}
+	totalSent += contentLen;
+    }
+    return totalSent;
+}
+
+#define SSL3_PENDING_HIGH_WATER 1024
+
+/* Attempt to send the content of "in" in an SSL application_data record.
+ * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
+ */
+int
+ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
+			 PRInt32 len, PRInt32 flags)
+{
+    PRInt32   totalSent	= 0;
+    PRInt32   discarded = 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    if (len < 0 || !in) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+
+    if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
+        !ssl_SocketIsBlocking(ss)) {
+	PORT_Assert(!ssl_SocketIsBlocking(ss));
+	PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	return SECFailure;
+    }
+
+    if (ss->appDataBuffered && len) {
+	PORT_Assert (in[0] == (unsigned char)(ss->appDataBuffered));
+	if (in[0] != (unsigned char)(ss->appDataBuffered)) {
+	    PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	    return SECFailure;
+	}
+    	in++;
+	len--;
+	discarded = 1;
+    }
+    while (len > totalSent) {
+	PRInt32   sent, toSend;
+
+	if (totalSent > 0) {
+	    /*
+	     * The thread yield is intended to give the reader thread a
+	     * chance to get some cycles while the writer thread is in
+	     * the middle of a large application data write.  (See
+	     * Bugzilla bug 127740, comment #1.)
+	     */
+	    ssl_ReleaseXmitBufLock(ss);
+	    PR_Sleep(PR_INTERVAL_NO_WAIT);	/* PR_Yield(); */
+	    ssl_GetXmitBufLock(ss);
+	}
+	toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
+	sent = ssl3_SendRecord(ss, content_application_data, 
+	                       in + totalSent, toSend, flags);
+	if (sent < 0) {
+	    if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
+		PORT_Assert(ss->lastWriteBlocked);
+	    	break;
+	    }
+	    return SECFailure; /* error code set by ssl3_SendRecord */
+	}
+	totalSent += sent;
+	if (ss->pendingBuf.len) {
+	    /* must be a non-blocking socket */
+	    PORT_Assert(!ssl_SocketIsBlocking(ss));
+	    PORT_Assert(ss->lastWriteBlocked);
+	    break;	
+	}
+    }
+    if (ss->pendingBuf.len) {
+	/* Must be non-blocking. */
+	PORT_Assert(!ssl_SocketIsBlocking(ss));
+	if (totalSent > 0) {
+	    ss->appDataBuffered = 0x100 | in[totalSent - 1];
+	}
+
+	totalSent = totalSent + discarded - 1;
+	if (totalSent <= 0) {
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	    totalSent = SECFailure;
+	}
+	return totalSent;
+    } 
+    ss->appDataBuffered = 0;
+    return totalSent + discarded;
+}
+
+/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+ * This function returns SECSuccess or SECFailure, never SECWouldBlock.
+ * Always set sendBuf.len to 0, even when returning SECFailure.
+ *
+ * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
+ *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
+ *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
+ *             ssl3_SendFinished(),
+ */
+static SECStatus
+ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
+{
+    PRInt32 rv = SECSuccess;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
+	return rv;
+
+    /* only this flag is allowed */
+    PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
+    if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    } else {
+	rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
+			     ss->sec.ci.sendBuf.len, flags);
+    }
+    if (rv < 0) { 
+    	int err = PORT_GetError();
+	PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
+	if (err == PR_WOULD_BLOCK_ERROR) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	}
+    } else if (rv < ss->sec.ci.sendBuf.len) {
+    	/* short write should never happen */
+	PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	rv = SECFailure;
+    } else {
+	rv = SECSuccess;
+    }
+
+    /* Whether we succeeded or failed, toss the old handshake data. */
+    ss->sec.ci.sendBuf.len = 0;
+    return rv;
+}
+
+/*
+ * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
+ * the remote client sends a negative response to our certificate request.
+ * Returns SECFailure if the application has required client auth.
+ *         SECSuccess otherwise.
+ */
+static SECStatus
+ssl3_HandleNoCertificate(sslSocket *ss)
+{
+    if (ss->sec.peerCert != NULL) {
+	if (ss->sec.peerKey != NULL) {
+	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
+	    ss->sec.peerKey = NULL;
+	}
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+    ssl3_CleanupPeerCerts(ss);
+
+    /* If the server has required client-auth blindly but doesn't
+     * actually look at the certificate it won't know that no
+     * certificate was presented so we shutdown the socket to ensure
+     * an error.  We only do this if we haven't already completed the
+     * first handshake because if we're redoing the handshake we 
+     * know the server is paying attention to the certificate.
+     */
+    if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
+	(!ss->firstHsDone && 
+	 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
+	PRFileDesc * lower;
+
+	ss->sec.uncache(ss->sec.ci.sid);
+	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
+
+	lower = ss->fd->lower;
+#ifdef _WIN32
+	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
+#else
+	lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
+#endif
+	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************
+ * Alerts
+ */
+
+/*
+** Acquires both handshake and XmitBuf locks.
+** Called from: ssl3_IllegalParameter	<-
+**              ssl3_HandshakeFailure	<-
+**              ssl3_HandleAlert	<- ssl3_HandleRecord.
+**              ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
+**              ssl3_ConsumeHandshakeVariable <-
+**              ssl3_HandleHelloRequest	<-
+**              ssl3_HandleServerHello	<-
+**              ssl3_HandleServerKeyExchange <-
+**              ssl3_HandleCertificateRequest <-
+**              ssl3_HandleServerHelloDone <-
+**              ssl3_HandleClientHello	<-
+**              ssl3_HandleV2ClientHello <-
+**              ssl3_HandleCertificateVerify <-
+**              ssl3_HandleClientKeyExchange <-
+**              ssl3_HandleCertificate	<-
+**              ssl3_HandleFinished	<-
+**              ssl3_HandleHandshakeMessage <-
+**              ssl3_HandleRecord	<-
+**
+*/
+SECStatus
+SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
+{
+    uint8 	bytes[2];
+    SECStatus	rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
+		SSL_GETPID(), ss->fd, level, desc));
+
+    bytes[0] = level;
+    bytes[1] = desc;
+
+    ssl_GetSSL3HandshakeLock(ss);
+    if (level == alert_fatal) {
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	}
+    }
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (rv == SECSuccess) {
+	PRInt32 sent;
+	sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 
+			       desc == no_certificate 
+			       ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
+	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+    }
+    ssl_ReleaseXmitBufLock(ss);
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return rv;	/* error set by ssl3_FlushHandshake or ssl3_SendRecord */
+}
+
+/*
+ * Send illegal_parameter alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_IllegalParameter(sslSocket *ss)
+{
+    PRBool isTLS;
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                   : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/*
+ * Send handshake_Failure alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_HandshakeFailure(sslSocket *ss)
+{
+    (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                    : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/*
+ * Send handshake_Failure alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_DecodeError(sslSocket *ss)
+{
+    (void)SSL3_SendAlert(ss, alert_fatal, 
+		  ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
+							: illegal_parameter);
+    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                    : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/* Called from ssl3_HandleRecord.
+** Caller must hold both RecvBuf and Handshake locks.
+*/
+static SECStatus
+ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
+{
+    SSL3AlertLevel       level;
+    SSL3AlertDescription desc;
+    int                  error;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
+
+    if (buf->len != 2) {
+	(void)ssl3_DecodeError(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
+	return SECFailure;
+    }
+    level = (SSL3AlertLevel)buf->buf[0];
+    desc  = (SSL3AlertDescription)buf->buf[1];
+    buf->len = 0;
+    SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
+        SSL_GETPID(), ss->fd, level, desc));
+
+    switch (desc) {
+    case close_notify:		ss->recvdCloseNotify = 1;
+		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
+    case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
+									  break;
+    case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
+    case decryption_failed: 	error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 
+    									  break;
+    case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
+    case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
+									  break;
+    case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
+			        					  break;
+    case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
+    case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
+    case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
+    case certificate_revoked: 	error = SSL_ERROR_REVOKED_CERT_ALERT; 	  break;
+    case certificate_expired: 	error = SSL_ERROR_EXPIRED_CERT_ALERT; 	  break;
+    case certificate_unknown: 	error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
+			        					  break;
+    case illegal_parameter: 	error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
+
+    /* All alerts below are TLS only. */
+    case unknown_ca: 		error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
+    case access_denied: 	error = SSL_ERROR_ACCESS_DENIED_ALERT;    break;
+    case decode_error: 		error = SSL_ERROR_DECODE_ERROR_ALERT;     break;
+    case decrypt_error: 	error = SSL_ERROR_DECRYPT_ERROR_ALERT;    break;
+    case export_restriction: 	error = SSL_ERROR_EXPORT_RESTRICTION_ALERT; 
+    									  break;
+    case protocol_version: 	error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
+    case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT; 
+    									  break;
+    case internal_error: 	error = SSL_ERROR_INTERNAL_ERROR_ALERT;   break;
+    case user_canceled: 	error = SSL_ERROR_USER_CANCELED_ALERT;    break;
+    case no_renegotiation: 	error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
+
+    /* Alerts for TLS client hello extensions */
+    case unsupported_extension: 
+			error = SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT;    break;
+    case certificate_unobtainable: 
+			error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
+    case unrecognized_name: 
+			error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
+    case bad_certificate_status_response: 
+			error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
+    case bad_certificate_hash_value: 
+			error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
+    default: 		error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
+    }
+    if (level == alert_fatal) {
+	ss->sec.uncache(ss->sec.ci.sid);
+	if ((ss->ssl3.hs.ws == wait_server_hello) &&
+	    (desc == handshake_failure)) {
+	    /* XXX This is a hack.  We're assuming that any handshake failure
+	     * XXX on the client hello is a failure to match ciphers.
+	     */
+	    error = SSL_ERROR_NO_CYPHER_OVERLAP;
+	}
+	PORT_SetError(error);
+	return SECFailure;
+    }
+    if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
+    	/* I'm a server. I've requested a client cert. He hasn't got one. */
+	SECStatus rv;
+
+	PORT_Assert(ss->sec.isServer);
+	ss->ssl3.hs.ws = wait_client_key;
+	rv = ssl3_HandleNoCertificate(ss);
+	return rv;
+    }
+    return SECSuccess;
+}
+
+/*
+ * Change Cipher Specs
+ * Called from ssl3_HandleServerHelloDone,
+ *             ssl3_HandleClientHello,
+ * and         ssl3_HandleFinished
+ *
+ * Acquires and releases spec write lock, to protect switching the current
+ * and pending write spec pointers.
+ */
+
+static SECStatus
+ssl3_SendChangeCipherSpecs(sslSocket *ss)
+{
+    uint8             change = change_cipher_spec_choice;
+    ssl3CipherSpec *  pwSpec;
+    SECStatus         rv;
+    PRInt32           sent;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
+                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (sent < 0) {
+	return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
+    }
+
+    /* swap the pending and current write specs. */
+    ssl_GetSpecWriteLock(ss);	/**************************************/
+    pwSpec                     = ss->ssl3.pwSpec;
+    pwSpec->write_seq_num.high = 0;
+    pwSpec->write_seq_num.low  = 0;
+
+    ss->ssl3.pwSpec = ss->ssl3.cwSpec;
+    ss->ssl3.cwSpec = pwSpec;
+
+    SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
+		SSL_GETPID(), ss->fd ));
+
+    /* We need to free up the contexts, keys and certs ! */
+    /* If we are really through with the old cipher spec
+     * (Both the read and write sides have changed) destroy it.
+     */
+    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
+    	ssl3_DestroyCipherSpec(ss->ssl3.pwSpec);
+    }
+    ssl_ReleaseSpecWriteLock(ss); /**************************************/
+
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleRecord.
+** Caller must hold both RecvBuf and Handshake locks.
+ *
+ * Acquires and releases spec write lock, to protect switching the current
+ * and pending write spec pointers.
+*/
+static SECStatus
+ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
+{
+    ssl3CipherSpec *           prSpec;
+    SSL3WaitState              ws      = ss->ssl3.hs.ws;
+    SSL3ChangeCipherSpecChoice change;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
+		SSL_GETPID(), ss->fd));
+
+    if (ws != wait_change_cipher) {
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+
+    if(buf->len != 1) {
+	(void)ssl3_DecodeError(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+    change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
+    if (change != change_cipher_spec_choice) {
+	/* illegal_parameter is correct here for both SSL3 and TLS. */
+	(void)ssl3_IllegalParameter(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+    buf->len = 0;
+
+    /* Swap the pending and current read specs. */
+    ssl_GetSpecWriteLock(ss);   /*************************************/
+    prSpec                    = ss->ssl3.prSpec;
+    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
+
+    ss->ssl3.prSpec  = ss->ssl3.crSpec;
+    ss->ssl3.crSpec  = prSpec;
+    ss->ssl3.hs.ws   = wait_finished;
+
+    SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
+		SSL_GETPID(), ss->fd ));
+
+    /* If we are really through with the old cipher prSpec
+     * (Both the read and write sides have changed) destroy it.
+     */
+    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
+    	ssl3_DestroyCipherSpec(ss->ssl3.prSpec);
+    }
+    ssl_ReleaseSpecWriteLock(ss);   /*************************************/
+    return SECSuccess;
+}
+
+/* This method uses PKCS11 to derive the MS from the PMS, where PMS 
+** is a PKCS11 symkey. This is used in all cases except the 
+** "triple bypass" with RSA key exchange.
+** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
+*/
+static SECStatus
+ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
+{
+    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
+    const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
+    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
+    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
+    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
+                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
+    /* 
+     * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
+     * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
+     * data into a 48-byte value. 
+     */
+    PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
+	                       (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
+    SECStatus         rv = SECFailure;
+    CK_MECHANISM_TYPE master_derive;
+    CK_MECHANISM_TYPE key_derive;
+    SECItem           params;
+    CK_FLAGS          keyFlags;
+    CK_VERSION        pms_version;
+    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+    if (isTLS) {
+	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
+	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+	keyFlags      = CKF_SIGN | CKF_VERIFY;
+    } else {
+	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
+	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+	keyFlags      = 0;
+    }
+
+    if (pms || !pwSpec->master_secret) {
+	master_params.pVersion                     = &pms_version;
+	master_params.RandomInfo.pClientRandom     = cr;
+	master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+	master_params.RandomInfo.pServerRandom     = sr;
+	master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+
+	params.data = (unsigned char *) &master_params;
+	params.len  = sizeof master_params;
+    }
+
+    if (pms != NULL) {
+#if defined(TRACE)
+	if (ssl_trace >= 100) {
+	    SECStatus extractRV = PK11_ExtractKeyValue(pms);
+	    if (extractRV == SECSuccess) {
+		SECItem * keyData = PK11_GetKeyData(pms);
+		if (keyData && keyData->data && keyData->len) {
+		    ssl_PrintBuf(ss, "Pre-Master Secret", 
+				 keyData->data, keyData->len);
+		}
+	    }
+	}
+#endif
+	pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 
+				&params, key_derive, CKA_DERIVE, 0, keyFlags);
+	if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
+	    SSL3ProtocolVersion client_version;
+	    client_version = pms_version.major << 8 | pms_version.minor;
+	    if (client_version != ss->clientHelloVersion) {
+		/* Destroy it.  Version roll-back detected. */
+		PK11_FreeSymKey(pwSpec->master_secret);
+	    	pwSpec->master_secret = NULL;
+	    }
+	}
+	if (pwSpec->master_secret == NULL) {
+	    /* Generate a faux master secret in the same slot as the old one. */
+	    PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
+	    PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
+
+	    PK11_FreeSlot(slot);
+	    if (fpms != NULL) {
+		pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
+					master_derive, &params, key_derive, 
+					CKA_DERIVE, 0, keyFlags);
+		PK11_FreeSymKey(fpms);
+	    }
+	}
+    }
+    if (pwSpec->master_secret == NULL) {
+	/* Generate a faux master secret from the internal slot. */
+	PK11SlotInfo *  slot = PK11_GetInternalSlot();
+	PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
+
+	PK11_FreeSlot(slot);
+	if (fpms != NULL) {
+	    pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
+					master_derive, &params, key_derive, 
+					CKA_DERIVE, 0, keyFlags);
+	    if (pwSpec->master_secret == NULL) {
+	    	pwSpec->master_secret = fpms; /* use the fpms as the master. */
+		fpms = NULL;
+	    }
+	}
+	if (fpms) {
+	    PK11_FreeSymKey(fpms);
+    	}
+    }
+    if (pwSpec->master_secret == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	return rv;
+    }
+    if (ss->opt.bypassPKCS11) {
+	SECItem * keydata;
+	/* In hope of doing a "double bypass", 
+	 * need to extract the master secret's value from the key object 
+	 * and store it raw in the sslSocket struct.
+	 */
+	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
+	if (rv != SECSuccess) {
+#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
+	    /* The double bypass failed.  
+	     * Attempt to revert to an all PKCS#11, non-bypass method.
+	     * Do we need any unacquired locks here?
+	     */
+	    ss->opt.bypassPKCS11 = 0;
+	    rv = ssl3_NewHandshakeHashes(ss);
+	    if (rv == SECSuccess) {
+		rv = ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, 
+		                                    ss->ssl3.hs.messages.len);
+	    }
+#endif
+	    return rv;
+	} 
+	/* This returns the address of the secItem inside the key struct,
+	 * not a copy or a reference.  So, there's no need to free it.
+	 */
+	keydata = PK11_GetKeyData(pwSpec->master_secret);
+	if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
+	    memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
+	    pwSpec->msItem.data = pwSpec->raw_master_secret;
+	    pwSpec->msItem.len  = keydata->len;
+	} else {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+
+/* 
+ * Derive encryption and MAC Keys (and IVs) from master secret
+ * Sets a useful error code when returning SECFailure.
+ *
+ * Called only from ssl3_InitPendingCipherSpec(),
+ * which in turn is called from
+ *              sendRSAClientKeyExchange        (for Full handshake)
+ *              sendDHClientKeyExchange         (for Full handshake)
+ *              ssl3_HandleClientKeyExchange    (for Full handshake)
+ *              ssl3_HandleServerHello          (for session restart)
+ *              ssl3_HandleClientHello          (for session restart)
+ * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
+ * ssl3_InitPendingCipherSpec does that.
+ *
+ */
+static SECStatus
+ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
+{
+    ssl3CipherSpec *         pwSpec     = ss->ssl3.pwSpec;
+    const ssl3KEADef *       kea_def    = ss->ssl3.hs.kea_def;
+    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
+    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
+    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
+                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
+    /* following variables used in PKCS11 path */
+    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
+    PK11SlotInfo *         slot   = NULL;
+    PK11SymKey *           symKey = NULL;
+    void *                 pwArg  = ss->pkcs11PinArg;
+    int                    keySize;
+    CK_SSL3_KEY_MAT_PARAMS key_material_params;
+    CK_SSL3_KEY_MAT_OUT    returnedKeys;
+    CK_MECHANISM_TYPE      key_derive;
+    CK_MECHANISM_TYPE      bulk_mechanism;
+    SSLCipherAlgorithm     calg;
+    SECItem                params;
+    PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    if (!pwSpec->master_secret) {
+	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	return SECFailure;
+    }
+    /*
+     * generate the key material
+     */
+    key_material_params.ulMacSizeInBits = pwSpec->mac_size           * BPB;
+    key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
+    key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
+
+    key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
+    /* was:	(CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
+
+    key_material_params.RandomInfo.pClientRandom     = cr;
+    key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+    key_material_params.RandomInfo.pServerRandom     = sr;
+    key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+    key_material_params.pReturnedKeyMaterial         = &returnedKeys;
+
+    returnedKeys.pIVClient = pwSpec->client.write_iv;
+    returnedKeys.pIVServer = pwSpec->server.write_iv;
+    keySize                = cipher_def->key_size;
+
+    if (skipKeysAndIVs) {
+	keySize                             = 0;
+        key_material_params.ulKeySizeInBits = 0;
+        key_material_params.ulIVSizeInBits  = 0;
+    	returnedKeys.pIVClient              = NULL;
+    	returnedKeys.pIVServer              = NULL;
+    }
+
+    calg = cipher_def->calg;
+    PORT_Assert(     alg2Mech[calg].calg == calg);
+    bulk_mechanism = alg2Mech[calg].cmech;
+
+    params.data    = (unsigned char *)&key_material_params;
+    params.len     = sizeof(key_material_params);
+
+    if (isTLS) {
+	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+    } else {
+	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+    }
+
+    /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
+     * DERIVE by DEFAULT */
+    symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
+                         bulk_mechanism, CKA_ENCRYPT, keySize);
+    if (!symKey) {
+	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	return SECFailure;
+    }
+    /* we really should use the actual mac'ing mechanism here, but we
+     * don't because these types are used to map keytype anyway and both
+     * mac's map to the same keytype.
+     */
+    slot  = PK11_GetSlotFromKey(symKey);
+
+    PK11_FreeSlot(slot); /* slot is held until the key is freed */
+    pwSpec->client.write_mac_key =
+    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+	    CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
+    if (pwSpec->client.write_mac_key == NULL ) {
+	goto loser;	/* loser sets err */
+    }
+    pwSpec->server.write_mac_key =
+    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+	    CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
+    if (pwSpec->server.write_mac_key == NULL ) {
+	goto loser;	/* loser sets err */
+    }
+    if (!skipKeysAndIVs) {
+	pwSpec->client.write_key =
+		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+		     bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
+	if (pwSpec->client.write_key == NULL ) {
+	    goto loser;	/* loser sets err */
+	}
+	pwSpec->server.write_key =
+		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+		     bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
+	if (pwSpec->server.write_key == NULL ) {
+	    goto loser;	/* loser sets err */
+	}
+    }
+    PK11_FreeSymKey(symKey);
+    return SECSuccess;
+
+
+loser:
+    if (symKey) PK11_FreeSymKey(symKey);
+    ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+    return SECFailure;
+}
+
+static SECStatus 
+ssl3_RestartHandshakeHashes(sslSocket *ss)
+{
+    SECStatus rv = SECSuccess;
+
+    if (ss->opt.bypassPKCS11) {
+	ss->ssl3.hs.messages.len = 0;
+	MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
+	SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
+    } else {
+	rv = PK11_DigestBegin(ss->ssl3.hs.md5);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    return rv;
+	}
+	rv = PK11_DigestBegin(ss->ssl3.hs.sha);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    return rv;
+	}
+    }
+    return rv;
+}
+
+static SECStatus
+ssl3_NewHandshakeHashes(sslSocket *ss)
+{
+    PK11Context *md5  = NULL;
+    PK11Context *sha  = NULL;
+
+    /*
+     * note: We should probably lookup an SSL3 slot for these
+     * handshake hashes in hopes that we wind up with the same slots
+     * that the master secret will wind up in ...
+     */
+    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
+    if (ss->opt.bypassPKCS11) {
+	PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
+	ss->ssl3.hs.messages.buf = NULL;
+	ss->ssl3.hs.messages.space = 0;
+    } else {
+	ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
+	ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+	if (md5 == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    goto loser;
+	}
+	if (sha == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    goto loser;
+	}
+    }
+    if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
+	return SECSuccess;
+    }
+
+loser:
+    if (md5 != NULL) {
+    	PK11_DestroyContext(md5, PR_TRUE);
+	ss->ssl3.hs.md5 = NULL;
+    }
+    if (sha != NULL) {
+    	PK11_DestroyContext(sha, PR_TRUE);
+	ss->ssl3.hs.sha = NULL;
+    }
+    return SECFailure;
+
+}
+
+/*
+ * Handshake messages
+ */
+/* Called from	ssl3_AppendHandshake()
+**		ssl3_StartHandshakeHash()
+**		ssl3_HandleV2ClientHello()
+**		ssl3_HandleHandshakeMessage()
+** Caller must hold the ssl3Handshake lock.
+*/
+static SECStatus
+ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
+{
+    SECStatus  rv = SECSuccess;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
+
+    if (ss->opt.bypassPKCS11) {
+	MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
+	SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
+#if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
+	rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
+#endif
+	return rv;
+    }
+    rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	return rv;
+    }
+    rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	return rv;
+    }
+    return rv;
+}
+
+/**************************************************************************
+ * Append Handshake functions.
+ * All these functions set appropriate error codes.
+ * Most rely on ssl3_AppendHandshake to set the error code.
+ **************************************************************************/
+SECStatus
+ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
+{
+    unsigned char *  src  = (unsigned char *)void_src;
+    int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
+
+    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
+	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
+		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
+	if (rv != SECSuccess)
+	    return rv;	/* sslBuffer_Grow has set a memory error code. */
+	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+    }
+
+    PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
+    rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
+    if (rv != SECSuccess)
+	return rv;	/* error code set by ssl3_UpdateHandshakeHashes */
+
+    while (bytes > room) {
+	if (room > 0)
+	    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, 
+	                room);
+	ss->sec.ci.sendBuf.len += room;
+	rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+	if (rv != SECSuccess) {
+	    return rv;	/* error code set by ssl3_FlushHandshake */
+	}
+	bytes -= room;
+	src += room;
+	room = ss->sec.ci.sendBuf.space;
+	PORT_Assert(ss->sec.ci.sendBuf.len == 0);
+    }
+    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
+    ss->sec.ci.sendBuf.len += bytes;
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
+{
+    SECStatus rv;
+    uint8     b[4];
+    uint8 *   p = b;
+
+    switch (lenSize) {
+      case 4:
+	*p++ = (num >> 24) & 0xff;
+      case 3:
+	*p++ = (num >> 16) & 0xff;
+      case 2:
+	*p++ = (num >> 8) & 0xff;
+      case 1:
+	*p = num & 0xff;
+    }
+    SSL_TRC(60, ("%d: number:", SSL_GETPID()));
+    rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
+    return rv;	/* error code set by AppendHandshake, if applicable. */
+}
+
+SECStatus
+ssl3_AppendHandshakeVariable(
+    sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
+{
+    SECStatus rv;
+
+    PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
+	      (bytes < (1L<<16) && lenSize == 2) ||
+	      (bytes < (1L<<24) && lenSize == 3));
+
+    SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
+    rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by AppendHandshake, if applicable. */
+    }
+    SSL_TRC(60, ("data:"));
+    rv = ssl3_AppendHandshake(ss, src, bytes);
+    return rv;	/* error code set by AppendHandshake, if applicable. */
+}
+
+SECStatus
+ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
+{
+    SECStatus rv;
+
+    SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
+    	SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
+    PRINT_BUF(60, (ss, "MD5 handshake hash:",
+    	          (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
+    PRINT_BUF(95, (ss, "SHA handshake hash:",
+    	          (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
+
+    rv = ssl3_AppendHandshakeNumber(ss, t, 1);
+    if (rv != SECSuccess) {
+    	return rv;	/* error code set by AppendHandshake, if applicable. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+    return rv;		/* error code set by AppendHandshake, if applicable. */
+}
+
+/**************************************************************************
+ * Consume Handshake functions.
+ *
+ * All data used in these functions is protected by two locks,
+ * the RecvBufLock and the SSL3HandshakeLock
+ **************************************************************************/
+
+/* Read up the next "bytes" number of bytes from the (decrypted) input
+ * stream "b" (which is *length bytes long). Copy them into buffer "v".
+ * Reduces *length by bytes.  Advances *b by bytes.
+ *
+ * If this function returns SECFailure, it has already sent an alert,
+ * and has set a generic error code.  The caller should probably
+ * override the generic error code by setting another.
+ */
+SECStatus
+ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
+		      PRUint32 *length)
+{
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if ((PRUint32)bytes > *length) {
+	return ssl3_DecodeError(ss);
+    }
+    PORT_Memcpy(v, *b, bytes);
+    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
+    *b      += bytes;
+    *length -= bytes;
+    return SECSuccess;
+}
+
+/* Read up the next "bytes" number of bytes from the (decrypted) input
+ * stream "b" (which is *length bytes long), and interpret them as an
+ * integer in network byte order.  Returns the received value.
+ * Reduces *length by bytes.  Advances *b by bytes.
+ *
+ * Returns SECFailure (-1) on failure.
+ * This value is indistinguishable from the equivalent received value.
+ * Only positive numbers are to be received this way.
+ * Thus, the largest value that may be sent this way is 0x7fffffff.
+ * On error, an alert has been sent, and a generic error code has been set.
+ */
+PRInt32
+ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
+			    PRUint32 *length)
+{
+    uint8     *buf = *b;
+    int       i;
+    PRInt32   num = 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( bytes <= sizeof num);
+
+    if ((PRUint32)bytes > *length) {
+	return ssl3_DecodeError(ss);
+    }
+    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
+
+    for (i = 0; i < bytes; i++)
+	num = (num << 8) + buf[i];
+    *b      += bytes;
+    *length -= bytes;
+    return num;
+}
+
+/* Read in two values from the incoming decrypted byte stream "b", which is
+ * *length bytes long.  The first value is a number whose size is "bytes"
+ * bytes long.  The second value is a byte-string whose size is the value
+ * of the first number received.  The latter byte-string, and its length,
+ * is returned in the SECItem i.
+ *
+ * Returns SECFailure (-1) on failure.
+ * On error, an alert has been sent, and a generic error code has been set.
+ *
+ * RADICAL CHANGE for NSS 3.11.  All callers of this function make copies 
+ * of the data returned in the SECItem *i, so making a copy of it here
+ * is simply wasteful.  So, This function now just sets SECItem *i to 
+ * point to the values in the buffer **b.
+ */
+SECStatus
+ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
+			      SSL3Opaque **b, PRUint32 *length)
+{
+    PRInt32   count;
+
+    PORT_Assert(bytes <= 3);
+    i->len  = 0;
+    i->data = NULL;
+    count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
+    if (count < 0) { 		/* Can't test for SECSuccess here. */
+    	return SECFailure;
+    }
+    if (count > 0) {
+	if ((PRUint32)count > *length) {
+	    return ssl3_DecodeError(ss);
+	}
+	i->data = *b;
+	i->len  = count;
+	*b      += count;
+	*length -= count;
+    }
+    return SECSuccess;
+}
+
+/**************************************************************************
+ * end of Consume Handshake functions.
+ **************************************************************************/
+
+/* Extract the hashes of handshake messages to this point.
+ * Called from ssl3_SendCertificateVerify
+ *             ssl3_SendFinished
+ *             ssl3_HandleHandshakeMessage
+ *
+ * Caller must hold the SSL3HandshakeLock.
+ * Caller must hold a read or write lock on the Spec R/W lock.
+ *	(There is presently no way to assert on a Read lock.)
+ */
+static SECStatus
+ssl3_ComputeHandshakeHashes(sslSocket *     ss,
+                            ssl3CipherSpec *spec,   /* uses ->master_secret */
+			    SSL3Hashes *    hashes, /* output goes here. */
+			    PRUint32        sender)
+{
+    SECStatus     rv        = SECSuccess;
+    PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
+    unsigned int  outLength;
+    SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
+    SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->opt.bypassPKCS11) {
+	/* compute them without PKCS11 */
+	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
+	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
+
+#define md5cx ((MD5Context *)md5_cx)
+#define shacx ((SHA1Context *)sha_cx)
+
+	if (!spec->msItem.data) {
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+	    return SECFailure;
+	}
+
+	MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
+	SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
+
+	if (!isTLS) {
+	    /* compute hashes for SSL3. */
+	    unsigned char s[4];
+
+	    s[0] = (unsigned char)(sender >> 24);
+	    s[1] = (unsigned char)(sender >> 16);
+	    s[2] = (unsigned char)(sender >> 8);
+	    s[3] = (unsigned char)sender;
+
+	    if (sender != 0) {
+		MD5_Update(md5cx, s, 4);
+		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
+	    }
+
+	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 
+			    mac_defs[mac_md5].pad_size));
+
+	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
+	    MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
+	    MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
+
+	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
+
+	    if (sender != 0) {
+		SHA1_Update(shacx, s, 4);
+		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
+	    }
+
+	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 
+			    mac_defs[mac_sha].pad_size));
+
+	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
+	    SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
+	    SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
+
+	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
+	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 
+			    mac_defs[mac_md5].pad_size));
+	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
+
+	    MD5_Begin(md5cx);
+	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
+	    MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
+	    MD5_Update(md5cx, md5_inner, MD5_LENGTH);
+	}
+	MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH);
+
+	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
+
+	if (!isTLS) {
+	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 
+			    mac_defs[mac_sha].pad_size));
+	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
+
+	    SHA1_Begin(shacx);
+	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
+	    SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
+	    SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
+	}
+	SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH);
+
+	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
+
+	rv = SECSuccess;
+#undef md5cx
+#undef shacx
+    } else {
+	/* compute hases with PKCS11 */
+	PK11Context * md5;
+	PK11Context * sha       = NULL;
+	unsigned char *md5StateBuf = NULL;
+	unsigned char *shaStateBuf = NULL;
+	unsigned int  md5StateLen, shaStateLen;
+	unsigned char md5StackBuf[256];
+	unsigned char shaStackBuf[512];
+
+	if (!spec->master_secret) {
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+	    return SECFailure;
+	}
+
+	md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
+					    sizeof md5StackBuf, &md5StateLen);
+	if (md5StateBuf == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    goto loser;
+	}
+	md5 = ss->ssl3.hs.md5;
+
+	shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
+					    sizeof shaStackBuf, &shaStateLen);
+	if (shaStateBuf == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    goto loser;
+	}
+	sha = ss->ssl3.hs.sha;
+
+	if (!isTLS) {
+	    /* compute hashes for SSL3. */
+	    unsigned char s[4];
+
+	    s[0] = (unsigned char)(sender >> 24);
+	    s[1] = (unsigned char)(sender >> 16);
+	    s[2] = (unsigned char)(sender >> 8);
+	    s[3] = (unsigned char)sender;
+
+	    if (sender != 0) {
+		rv |= PK11_DigestOp(md5, s, 4);
+		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
+	    }
+
+	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 
+			  mac_defs[mac_md5].pad_size));
+
+	    rv |= PK11_DigestKey(md5,spec->master_secret);
+	    rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
+	    rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
+	    PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
+	    if (rv != SECSuccess) {
+		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+		rv = SECFailure;
+		goto loser;
+	    }
+
+	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
+
+	    if (sender != 0) {
+		rv |= PK11_DigestOp(sha, s, 4);
+		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
+	    }
+
+	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 
+			  mac_defs[mac_sha].pad_size));
+
+	    rv |= PK11_DigestKey(sha, spec->master_secret);
+	    rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
+	    rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
+	    PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
+	    if (rv != SECSuccess) {
+		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+		rv = SECFailure;
+		goto loser;
+	    }
+
+	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
+
+	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 
+			  mac_defs[mac_md5].pad_size));
+	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
+
+	    rv |= PK11_DigestBegin(md5);
+	    rv |= PK11_DigestKey(md5, spec->master_secret);
+	    rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
+	    rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
+	}
+	rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
+	PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
+
+	if (!isTLS) {
+	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 
+			  mac_defs[mac_sha].pad_size));
+	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
+
+	    rv |= PK11_DigestBegin(sha);
+	    rv |= PK11_DigestKey(sha,spec->master_secret);
+	    rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
+	    rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
+	}
+	rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
+	PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
+
+	rv = SECSuccess;
+
+    loser:
+	if (md5StateBuf) {
+	    if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
+		 != SECSuccess) 
+	    {
+		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+		rv = SECFailure;
+	    }
+	    if (md5StateBuf != md5StackBuf) {
+		PORT_ZFree(md5StateBuf, md5StateLen);
+	    }
+	}
+	if (shaStateBuf) {
+	    if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
+		 != SECSuccess) 
+	    {
+		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+		rv = SECFailure;
+	    }
+	    if (shaStateBuf != shaStackBuf) {
+		PORT_ZFree(shaStateBuf, shaStateLen);
+	    }
+	}
+    }
+    return rv;
+}
+
+/*
+ * SSL 2 based implementations pass in the initial outbound buffer
+ * so that the handshake hash can contain the included information.
+ *
+ * Called from ssl2_BeginClientHandshake() in sslcon.c
+ */
+SECStatus
+ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
+{
+    SECStatus rv;
+
+    ssl_GetSSL3HandshakeLock(ss);  /**************************************/
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	goto done;		/* ssl3_InitState has set the error code. */
+    }
+
+    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(
+	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
+	&ss->sec.ci.clientChallenge,
+	SSL_CHALLENGE_BYTES);
+
+    rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
+    /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
+
+done:
+    ssl_ReleaseSSL3HandshakeLock(ss);  /**************************************/
+    return rv;
+}
+
+/**************************************************************************
+ * end of Handshake Hash functions.
+ * Begin Send and Handle functions for handshakes.
+ **************************************************************************/
+
+/* Called from ssl3_HandleHelloRequest(),
+ *             ssl3_HandleFinished() (for step-up)
+ *             ssl3_RedoHandshake()
+ *             ssl2_BeginClientHandshake (when resuming ssl3 session)
+ */
+SECStatus
+ssl3_SendClientHello(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    ssl3CipherSpec * cwSpec;
+    SECStatus        rv;
+    int              i;
+    int              length;
+    int              num_suites;
+    int              actual_count = 0;
+    PRInt32          total_exten_len = 0;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+
+    /* We might be starting a session renegotiation in which case we should
+     * clear previous state.
+     */
+    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+
+    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
+	    SSL_GETPID(), ss->fd ));
+    rv = ssl3_RestartHandshakeHashes(ss);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
+     * handles expired entries and other details.
+     * XXX If we've been called from ssl2_BeginClientHandshake, then
+     * this lookup is duplicative and wasteful.
+     */
+    sid = (ss->opt.noCache) ? NULL
+	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
+
+    /* We can't resume based on a different token. If the sid exists,
+     * make sure the token that holds the master secret still exists ...
+     * If we previously did client-auth, make sure that the token that holds
+     * the private key still exists, is logged in, hasn't been removed, etc.
+     */
+    if (sid) {
+	PRBool sidOK = PR_TRUE;
+	if (sid->u.ssl3.keys.msIsWrapped) {
+	    /* Session key was wrapped, which means it was using PKCS11, */
+	    PK11SlotInfo *slot = NULL;
+	    if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
+		slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
+					 sid->u.ssl3.masterSlotID);
+	    }
+	    if (slot == NULL) {
+	       sidOK = PR_FALSE;
+	    } else {
+		PK11SymKey *wrapKey = NULL;
+		if (!PK11_IsPresent(slot) ||
+		    ((wrapKey = PK11_GetWrapKey(slot, 
+						sid->u.ssl3.masterWrapIndex,
+						sid->u.ssl3.masterWrapMech,
+						sid->u.ssl3.masterWrapSeries,
+						ss->pkcs11PinArg)) == NULL) ) {
+		    sidOK = PR_FALSE;
+		}
+		if (wrapKey) PK11_FreeSymKey(wrapKey);
+		PK11_FreeSlot(slot);
+		slot = NULL;
+	    }
+	}
+	/* If we previously did client-auth, make sure that the token that
+	** holds the private key still exists, is logged in, hasn't been
+	** removed, etc.
+	*/
+	if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
+	    sidOK = PR_FALSE;
+	}
+
+	if (!sidOK) {
+	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_not_ok );
+	    (*ss->sec.uncache)(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
+    }
+
+    if (sid) {
+	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
+
+	/* Are we attempting a stateless session resume? */
+	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
+	    sid->u.ssl3.sessionTicket.ticket.data)
+	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
+
+	rv = ssl3_NegotiateVersion(ss, sid->version);
+	if (rv != SECSuccess)
+	    return rv;	/* error code was set */
+
+	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
+		      sid->u.ssl3.sessionIDLength));
+
+	ss->ssl3.policy = sid->u.ssl3.policy;
+    } else {
+	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
+
+	rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
+	if (rv != SECSuccess)
+	    return rv;	/* error code was set */
+
+	sid = ssl3_NewSessionID(ss, PR_FALSE);
+	if (!sid) {
+	    return SECFailure;	/* memory error is set */
+        }
+    }
+
+    ssl_GetSpecWriteLock(ss);
+    cwSpec = ss->ssl3.cwSpec;
+    if (cwSpec->mac_def->mac == mac_null) {
+	/* SSL records are not being MACed. */
+	cwSpec->version = ss->version;
+    }
+    ssl_ReleaseSpecWriteLock(ss);
+
+    if (ss->sec.ci.sid != NULL) {
+	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
+    }
+    ss->sec.ci.sid = sid;
+
+    ss->sec.send = ssl3_SendApplicationData;
+
+    /* shouldn't get here if SSL3 is disabled, but ... */
+    PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    	return SECFailure;
+    }
+
+    /* how many suites does our PKCS11 support (regardless of policy)? */
+    num_suites = ssl3_config_match_init(ss);
+    if (!num_suites)
+    	return SECFailure;	/* ssl3_config_match_init has set error code. */
+
+    if (ss->opt.enableTLS && ss->version > SSL_LIBRARY_VERSION_3_0) {
+	PRUint32 maxBytes = 65535; /* 2^16 - 1 */
+	PRInt32  extLen;
+
+	extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
+	if (extLen < 0) {
+	    return SECFailure;
+	}
+	maxBytes        -= extLen;
+	total_exten_len += extLen;
+
+	if (total_exten_len > 0)
+	    total_exten_len += 2;
+    }
+#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+    else { /* SSL3 only */
+    	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
+    }
+#endif
+
+    /* how many suites are permitted by policy and user preference? */
+    num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
+    if (!num_suites)
+    	return SECFailure;	/* count_cipher_suites has set error code. */
+
+    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
+	1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
+	2 + num_suites*sizeof(ssl3CipherSuite) +
+	1 + compressionMethodsCount + total_exten_len;
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    ss->clientHelloVersion = ss->version;
+    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+    rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by GetNewRandom. */
+    }
+    rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
+                              SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    if (sid)
+	rv = ssl3_AppendHandshakeVariable(
+	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
+    else
+	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+	    actual_count++;
+	    if (actual_count > num_suites) {
+		/* set error card removal/insertion error */
+		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+		return SECFailure;
+	    }
+	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
+					    sizeof(ssl3CipherSuite));
+	    if (rv != SECSuccess) {
+		return rv;	/* err set by ssl3_AppendHandshake* */
+	    }
+	}
+    }
+
+    /* if cards were removed or inserted between count_cipher_suites and
+     * generating our list, detect the error here rather than send it off to
+     * the server.. */
+    if (actual_count != num_suites) {
+	/* Card removal/insertion error */
+	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+	return SECFailure;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, compressionMethodsCount, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+    for (i = 0; i < compressionMethodsCount; i++) {
+	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
+	if (rv != SECSuccess) {
+	    return rv;	/* err set by ssl3_AppendHandshake* */
+	}
+    }
+
+    if (total_exten_len) {
+	PRUint32 maxBytes = total_exten_len - 2;
+	PRInt32  extLen;
+
+	rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
+	if (rv != SECSuccess) {
+	    return rv;	/* err set by AppendHandshake. */
+	}
+
+	extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
+	if (extLen < 0) {
+	    return SECFailure;
+	}
+	maxBytes -= extLen;
+	PORT_Assert(!maxBytes);
+    }
+
+
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+
+    ss->ssl3.hs.ws = wait_server_hello;
+    return rv;
+}
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Hello Request.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHelloRequest(sslSocket *ss)
+{
+    sslSessionID *sid = ss->sec.ci.sid;
+    SECStatus     rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws == wait_server_hello)
+	return SECSuccess;
+    if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
+	return SECFailure;
+    }
+    if (sid) {
+	ss->sec.uncache(sid);
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid = NULL;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendClientHello(ss);
+    ssl_ReleaseXmitBufLock(ss);
+
+    return rv;
+}
+
+#define UNKNOWN_WRAP_MECHANISM 0x7fffffff
+
+static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
+    CKM_DES3_ECB,
+    CKM_CAST5_ECB,
+    CKM_DES_ECB,
+    CKM_KEY_WRAP_LYNKS,
+    CKM_IDEA_ECB,
+    CKM_CAST3_ECB,
+    CKM_CAST_ECB,
+    CKM_RC5_ECB,
+    CKM_RC2_ECB,
+    CKM_CDMF_ECB,
+    CKM_SKIPJACK_WRAP,
+    CKM_SKIPJACK_CBC64,
+    CKM_AES_ECB,
+    CKM_CAMELLIA_ECB,
+    UNKNOWN_WRAP_MECHANISM
+};
+
+static int
+ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
+{
+    const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
+
+    while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
+    	++pMech;
+    }
+    return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
+                                              : (pMech - wrapMechanismList);
+}
+
+static PK11SymKey *
+ssl_UnwrapSymWrappingKey(
+	SSLWrappedSymWrappingKey *pWswk,
+	SECKEYPrivateKey *        svrPrivKey,
+	SSL3KEAType               exchKeyType,
+	CK_MECHANISM_TYPE         masterWrapMech,
+	void *                    pwArg)
+{
+    PK11SymKey *             unwrappedWrappingKey  = NULL;
+    SECItem                  wrappedKey;
+#ifdef NSS_ENABLE_ECC
+    PK11SymKey *             Ks;
+    SECKEYPublicKey          pubWrapKey;
+    ECCWrappedKeyInfo        *ecWrapped;
+#endif /* NSS_ENABLE_ECC */
+
+    /* found the wrapping key on disk. */
+    PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
+    PORT_Assert(pWswk->exchKeyType      == exchKeyType);
+    if (pWswk->symWrapMechanism != masterWrapMech ||
+	pWswk->exchKeyType      != exchKeyType) {
+	goto loser;
+    }
+    wrappedKey.type = siBuffer;
+    wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
+    wrappedKey.len  = pWswk->wrappedSymKeyLen;
+    PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
+
+    switch (exchKeyType) {
+
+    case kt_rsa:
+	unwrappedWrappingKey =
+	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
+				 masterWrapMech, CKA_UNWRAP, 0);
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh:
+        /* 
+         * For kt_ecdh, we first create an EC public key based on
+         * data stored with the wrappedSymmetricWrappingkey. Next,
+         * we do an ECDH computation involving this public key and
+         * the SSL server's (long-term) EC private key. The resulting
+         * shared secret is treated the same way as Fortezza's Ks, i.e.,
+         * it is used to recover the symmetric wrapping key.
+         *
+         * The data in wrappedSymmetricWrappingkey is laid out as defined
+         * in the ECCWrappedKeyInfo structure.
+         */
+        ecWrapped = (ECCWrappedKeyInfo *) pWswk->wrappedSymmetricWrappingkey;
+
+        PORT_Assert(ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 
+            ecWrapped->wrappedKeyLen <= MAX_EC_WRAPPED_KEY_BUFLEN);
+
+        if (ecWrapped->encodedParamLen + ecWrapped->pubValueLen + 
+            ecWrapped->wrappedKeyLen > MAX_EC_WRAPPED_KEY_BUFLEN) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            goto loser;
+        }
+
+        pubWrapKey.keyType = ecKey;
+        pubWrapKey.u.ec.size = ecWrapped->size;
+        pubWrapKey.u.ec.DEREncodedParams.len = ecWrapped->encodedParamLen;
+        pubWrapKey.u.ec.DEREncodedParams.data = ecWrapped->var;
+        pubWrapKey.u.ec.publicValue.len = ecWrapped->pubValueLen;
+        pubWrapKey.u.ec.publicValue.data = ecWrapped->var + 
+            ecWrapped->encodedParamLen;
+
+        wrappedKey.len  = ecWrapped->wrappedKeyLen;
+        wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen + 
+            ecWrapped->pubValueLen;
+        
+        /* Derive Ks using ECDH */
+        Ks = PK11_PubDeriveWithKDF(svrPrivKey, &pubWrapKey, PR_FALSE, NULL,
+				   NULL, CKM_ECDH1_DERIVE, masterWrapMech, 
+				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
+        if (Ks == NULL) {
+            goto loser;
+        }
+
+        /*  Use Ks to unwrap the wrapping key */
+        unwrappedWrappingKey = PK11_UnwrapSymKey(Ks, masterWrapMech, NULL, 
+						 &wrappedKey, masterWrapMech, 
+						 CKA_UNWRAP, 0);
+        PK11_FreeSymKey(Ks);
+        
+        break;
+#endif
+
+    default:
+	/* Assert? */
+	SET_ERROR_CODE
+	goto loser;
+    }
+loser:
+    return unwrappedWrappingKey;
+}
+
+/* Each process sharing the server session ID cache has its own array of
+ * SymKey pointers for the symmetric wrapping keys that are used to wrap
+ * the master secrets.  There is one key for each KEA type.  These Symkeys
+ * correspond to the wrapped SymKeys kept in the server session cache.
+ */
+
+typedef struct {
+    PK11SymKey *      symWrapKey[kt_kea_size];
+} ssl3SymWrapKey;
+
+static PZLock *          symWrapKeysLock = NULL;
+static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
+
+SECStatus ssl_FreeSymWrapKeysLock(void)
+{
+    if (symWrapKeysLock) {
+        PZ_DestroyLock(symWrapKeysLock);
+        symWrapKeysLock = NULL;
+        return SECSuccess;
+    }
+    PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+    return SECFailure;
+}
+
+SECStatus
+SSL3_ShutdownServerCache(void)
+{
+    int             i, j;
+
+    if (!symWrapKeysLock)
+    	return SECSuccess;	/* lock was never initialized */
+    PZ_Lock(symWrapKeysLock);
+    /* get rid of all symWrapKeys */
+    for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
+    	for (j = 0; j < kt_kea_size; ++j) {
+	    PK11SymKey **   pSymWrapKey;
+	    pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
+	    if (*pSymWrapKey) {
+		PK11_FreeSymKey(*pSymWrapKey);
+	    	*pSymWrapKey = NULL;
+	    }
+	}
+    }
+
+    PZ_Unlock(symWrapKeysLock);
+    ssl_FreeSessionCacheLocks();
+    return SECSuccess;
+}
+
+SECStatus ssl_InitSymWrapKeysLock(void)
+{
+    symWrapKeysLock = PZ_NewLock(nssILockOther);
+    return symWrapKeysLock ? SECSuccess : SECFailure;
+}
+
+/* Try to get wrapping key for mechanism from in-memory array.
+ * If that fails, look for one on disk.
+ * If that fails, generate a new one, put the new one on disk,
+ * Put the new key in the in-memory array.
+ */
+static PK11SymKey *
+getWrappingKey( sslSocket *       ss,
+		PK11SlotInfo *    masterSecretSlot,
+		SSL3KEAType       exchKeyType,
+                CK_MECHANISM_TYPE masterWrapMech,
+	        void *            pwArg)
+{
+    SECKEYPrivateKey *       svrPrivKey;
+    SECKEYPublicKey *        svrPubKey             = NULL;
+    PK11SymKey *             unwrappedWrappingKey  = NULL;
+    PK11SymKey **            pSymWrapKey;
+    CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
+    int                      length;
+    int                      symWrapMechIndex;
+    SECStatus                rv;
+    SECItem                  wrappedKey;
+    SSLWrappedSymWrappingKey wswk;
+
+    svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
+    PORT_Assert(svrPrivKey != NULL);
+    if (!svrPrivKey) {
+    	return NULL;	/* why are we here?!? */
+    }
+
+    symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
+    PORT_Assert(symWrapMechIndex >= 0);
+    if (symWrapMechIndex < 0)
+    	return NULL;	/* invalid masterWrapMech. */
+
+    pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
+
+    ssl_InitSessionCacheLocks(PR_TRUE);
+
+    PZ_Lock(symWrapKeysLock);
+
+    unwrappedWrappingKey = *pSymWrapKey;
+    if (unwrappedWrappingKey != NULL) {
+	if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
+	    unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
+	    goto done;
+	}
+	/* slot series has changed, so this key is no good any more. */
+	PK11_FreeSymKey(unwrappedWrappingKey);
+	*pSymWrapKey = unwrappedWrappingKey = NULL;
+    }
+
+    /* Try to get wrapped SymWrapping key out of the (disk) cache. */
+    /* Following call fills in wswk on success. */
+    if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
+    	/* found the wrapped sym wrapping key on disk. */
+	unwrappedWrappingKey =
+	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
+                                     masterWrapMech, pwArg);
+	if (unwrappedWrappingKey) {
+	    goto install;
+	}
+    }
+
+    if (!masterSecretSlot) 	/* caller doesn't want to create a new one. */
+    	goto loser;
+
+    length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
+    /* Zero length means fixed key length algorithm, or error.
+     * It's ambiguous.
+     */
+    unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
+                                       length, pwArg);
+    if (!unwrappedWrappingKey) {
+    	goto loser;
+    }
+
+    /* Prepare the buffer to receive the wrappedWrappingKey,
+     * the symmetric wrapping key wrapped using the server's pub key.
+     */
+    PORT_Memset(&wswk, 0, sizeof wswk);	/* eliminate UMRs. */
+
+    if (ss->serverCerts[exchKeyType].serverKeyPair) {
+	svrPubKey = ss->serverCerts[exchKeyType].serverKeyPair->pubKey;
+    }
+    if (svrPubKey == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	goto loser;
+    }
+    wrappedKey.type = siBuffer;
+    wrappedKey.len  = SECKEY_PublicKeyStrength(svrPubKey);
+    wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
+
+    PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
+    if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
+    	goto loser;
+
+    /* wrap symmetric wrapping key in server's public key. */
+    switch (exchKeyType) {
+#ifdef NSS_ENABLE_ECC
+    PK11SymKey *      Ks = NULL;
+    SECKEYPublicKey   *pubWrapKey = NULL;
+    SECKEYPrivateKey  *privWrapKey = NULL;
+    ECCWrappedKeyInfo *ecWrapped;
+#endif /* NSS_ENABLE_ECC */
+
+    case kt_rsa:
+	asymWrapMechanism = CKM_RSA_PKCS;
+	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
+	                        unwrappedWrappingKey, &wrappedKey);
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh:
+	/*
+	 * We generate an ephemeral EC key pair. Perform an ECDH
+	 * computation involving this ephemeral EC public key and
+	 * the SSL server's (long-term) EC private key. The resulting
+	 * shared secret is treated in the same way as Fortezza's Ks, 
+	 * i.e., it is used to wrap the wrapping key. To facilitate
+	 * unwrapping in ssl_UnwrapWrappingKey, we also store all
+	 * relevant info about the ephemeral EC public key in
+	 * wswk.wrappedSymmetricWrappingkey and lay it out as 
+	 * described in the ECCWrappedKeyInfo structure.
+	 */
+	PORT_Assert(svrPubKey->keyType == ecKey);
+	if (svrPubKey->keyType != ecKey) {
+	    /* something is wrong in sslsecur.c if this isn't an ecKey */
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	    goto ec_cleanup;
+	}
+
+	privWrapKey = SECKEY_CreateECPrivateKey(
+	    &svrPubKey->u.ec.DEREncodedParams, &pubWrapKey, NULL);
+	if ((privWrapKey == NULL) || (pubWrapKey == NULL)) {
+	    rv = SECFailure;
+	    goto ec_cleanup;
+	}
+	
+	/* Set the key size in bits */
+	if (pubWrapKey->u.ec.size == 0) {
+	    pubWrapKey->u.ec.size = SECKEY_PublicKeyStrengthInBits(svrPubKey);
+	}
+
+	PORT_Assert(pubWrapKey->u.ec.DEREncodedParams.len + 
+	    pubWrapKey->u.ec.publicValue.len < MAX_EC_WRAPPED_KEY_BUFLEN);
+	if (pubWrapKey->u.ec.DEREncodedParams.len + 
+	    pubWrapKey->u.ec.publicValue.len >= MAX_EC_WRAPPED_KEY_BUFLEN) {
+	    PORT_SetError(SEC_ERROR_INVALID_KEY);
+	    rv = SECFailure;
+	    goto ec_cleanup;
+	}
+
+	/* Derive Ks using ECDH */
+	Ks = PK11_PubDeriveWithKDF(svrPrivKey, pubWrapKey, PR_FALSE, NULL,
+				   NULL, CKM_ECDH1_DERIVE, masterWrapMech, 
+				   CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
+	if (Ks == NULL) {
+	    rv = SECFailure;
+	    goto ec_cleanup;
+	}
+
+	ecWrapped = (ECCWrappedKeyInfo *) (wswk.wrappedSymmetricWrappingkey);
+	ecWrapped->size = pubWrapKey->u.ec.size;
+	ecWrapped->encodedParamLen = pubWrapKey->u.ec.DEREncodedParams.len;
+	PORT_Memcpy(ecWrapped->var, pubWrapKey->u.ec.DEREncodedParams.data, 
+	    pubWrapKey->u.ec.DEREncodedParams.len);
+
+	ecWrapped->pubValueLen = pubWrapKey->u.ec.publicValue.len;
+	PORT_Memcpy(ecWrapped->var + ecWrapped->encodedParamLen, 
+		    pubWrapKey->u.ec.publicValue.data, 
+		    pubWrapKey->u.ec.publicValue.len);
+
+	wrappedKey.len = MAX_EC_WRAPPED_KEY_BUFLEN - 
+	    (ecWrapped->encodedParamLen + ecWrapped->pubValueLen);
+	wrappedKey.data = ecWrapped->var + ecWrapped->encodedParamLen +
+	    ecWrapped->pubValueLen;
+
+	/* wrap symmetricWrapping key with the local Ks */
+	rv = PK11_WrapSymKey(masterWrapMech, NULL, Ks,
+			     unwrappedWrappingKey, &wrappedKey);
+
+	if (rv != SECSuccess) {
+	    goto ec_cleanup;
+	}
+
+	/* Write down the length of wrapped key in the buffer
+	 * wswk.wrappedSymmetricWrappingkey at the appropriate offset
+	 */
+	ecWrapped->wrappedKeyLen = wrappedKey.len;
+
+ec_cleanup:
+	if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
+	if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
+	if (Ks) PK11_FreeSymKey(Ks);
+	asymWrapMechanism = masterWrapMech;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
+
+    wswk.symWrapMechanism  = masterWrapMech;
+    wswk.symWrapMechIndex  = symWrapMechIndex;
+    wswk.asymWrapMechanism = asymWrapMechanism;
+    wswk.exchKeyType       = exchKeyType;
+    wswk.wrappedSymKeyLen  = wrappedKey.len;
+
+    /* put it on disk. */
+    /* If the wrapping key for this KEA type has already been set, 
+     * then abandon the value we just computed and 
+     * use the one we got from the disk.
+     */
+    if (ssl_SetWrappingKey(&wswk)) {
+    	/* somebody beat us to it.  The original contents of our wswk
+	 * has been replaced with the content on disk.  Now, discard
+	 * the key we just created and unwrap this new one.
+	 */
+    	PK11_FreeSymKey(unwrappedWrappingKey);
+
+	unwrappedWrappingKey =
+	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
+                                     masterWrapMech, pwArg);
+    }
+
+install:
+    if (unwrappedWrappingKey) {
+	*pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
+    }
+
+loser:
+done:
+    PZ_Unlock(symWrapKeysLock);
+    return unwrappedWrappingKey;
+}
+
+
+/* Called from ssl3_SendClientKeyExchange(). */
+/* Presently, this always uses PKCS11.  There is no bypass for this. */
+static SECStatus
+sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+{
+    PK11SymKey *	pms 		= NULL;
+    SECStatus           rv    		= SECFailure;
+    SECItem 		enc_pms 	= {siBuffer, NULL, 0};
+    PRBool              isTLS;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+
+    /* Generate the pre-master secret ...  */
+    ssl_GetSpecWriteLock(ss);
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
+    ssl_ReleaseSpecWriteLock(ss);
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+#if defined(TRACE)
+    if (ssl_trace >= 100) {
+	SECStatus extractRV = PK11_ExtractKeyValue(pms);
+	if (extractRV == SECSuccess) {
+	    SECItem * keyData = PK11_GetKeyData(pms);
+	    if (keyData && keyData->data && keyData->len) {
+		ssl_PrintBuf(ss, "Pre-Master Secret", 
+			     keyData->data, keyData->len);
+	    }
+    	}
+    }
+#endif
+
+    /* Get the wrapped (encrypted) pre-master secret, enc_pms */
+    enc_pms.len  = SECKEY_PublicKeyStrength(svrPubKey);
+    enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
+    if (enc_pms.data == NULL) {
+	goto loser;	/* err set by PORT_Alloc */
+    }
+
+    /* wrap pre-master secret in server's public key. */
+    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
+				    isTLS ? enc_pms.len + 2 : enc_pms.len);
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+    if (isTLS) {
+    	rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
+    } else {
+	rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
+    }
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = SECSuccess;
+
+loser:
+    if (enc_pms.data != NULL) {
+	PORT_Free(enc_pms.data);
+    }
+    if (pms != NULL) {
+    	PK11_FreeSymKey(pms);
+    }
+    return rv;
+}
+
+/* Called from ssl3_SendClientKeyExchange(). */
+/* Presently, this always uses PKCS11.  There is no bypass for this. */
+static SECStatus
+sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+{
+    PK11SymKey *	pms 		= NULL;
+    SECStatus           rv    		= SECFailure;
+    PRBool              isTLS;
+    CK_MECHANISM_TYPE	target;
+
+    SECKEYDHParams	dhParam;		/* DH parameters */
+    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
+    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* Copy DH parameters from server key */
+
+    if (svrPubKey->keyType != dhKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	goto loser;
+    }
+    dhParam.prime.data = svrPubKey->u.dh.prime.data;
+    dhParam.prime.len = svrPubKey->u.dh.prime.len;
+    dhParam.base.data = svrPubKey->u.dh.base.data;
+    dhParam.base.len = svrPubKey->u.dh.base.len;
+
+    /* Generate ephemeral DH keypair */
+    privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
+    if (!privKey || !pubKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	    rv = SECFailure;
+	    goto loser;
+    }
+    PRINT_BUF(50, (ss, "DH public value:",
+					pubKey->u.dh.publicValue.data,
+					pubKey->u.dh.publicValue.len));
+
+    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+
+    /* Determine the PMS */
+
+    pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
+			    CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
+
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    SECKEY_DestroyPrivateKey(privKey);
+    privKey = NULL;
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
+					pubKey->u.dh.publicValue.len + 2);
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, 
+					pubKey->u.dh.publicValue.data,
+					pubKey->u.dh.publicValue.len, 2);
+    SECKEY_DestroyPublicKey(pubKey);
+    pubKey = NULL;
+
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = SECSuccess;
+
+
+loser:
+
+    if(pms) PK11_FreeSymKey(pms);
+    if(privKey) SECKEY_DestroyPrivateKey(privKey);
+    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
+    return rv;
+}
+
+
+
+
+
+/* Called from ssl3_HandleServerHelloDone(). */
+static SECStatus
+ssl3_SendClientKeyExchange(sslSocket *ss)
+{
+    SECKEYPublicKey *	serverKey 	= NULL;
+    SECStatus 		rv 		= SECFailure;
+    PRBool              isTLS;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    if (ss->sec.peerKey == NULL) {
+	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
+	if (serverKey == NULL) {
+	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    return SECFailure;
+	}
+    } else {
+	serverKey = ss->sec.peerKey;
+	ss->sec.peerKey = NULL; /* we're done with it now */
+    }
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    /* enforce limits on kea key sizes. */
+    if (ss->ssl3.hs.kea_def->is_limited) {
+	int keyLen = SECKEY_PublicKeyStrength(serverKey);	/* bytes */
+
+	if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
+	    if (isTLS)
+		(void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
+	    else
+		(void)ssl3_HandshakeFailure(ss);
+	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
+	    goto loser;
+	}
+    }
+
+    ss->sec.keaType    = ss->ssl3.hs.kea_def->exchKeyType;
+    ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
+
+    switch (ss->ssl3.hs.kea_def->exchKeyType) {
+    case kt_rsa:
+	rv = sendRSAClientKeyExchange(ss, serverKey);
+	break;
+
+    case kt_dh:
+	rv = sendDHClientKeyExchange(ss, serverKey);
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh:
+	rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	/* got an unknown or unsupported Key Exchange Algorithm.  */
+	SEND_ALERT
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	break;
+    }
+
+    SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
+		SSL_GETPID(), ss->fd));
+
+loser:
+    if (serverKey) 
+    	SECKEY_DestroyPublicKey(serverKey);
+    return rv;	/* err code already set. */
+}
+
+/* Called from ssl3_HandleServerHelloDone(). */
+static SECStatus
+ssl3_SendCertificateVerify(sslSocket *ss)
+{
+    SECStatus     rv		= SECFailure;
+    PRBool        isTLS;
+    SECItem       buf           = {siBuffer, NULL, 0};
+    SSL3Hashes    hashes;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
+		SSL_GETPID(), ss->fd));
+
+    ssl_GetSpecReadLock(ss);
+    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
+    ssl_ReleaseSpecReadLock(ss);
+    if (rv != SECSuccess) {
+	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
+    }
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
+    if (rv == SECSuccess) {
+	PK11SlotInfo * slot;
+	sslSessionID * sid   = ss->sec.ci.sid;
+
+    	/* Remember the info about the slot that did the signing.
+	** Later, when doing an SSL restart handshake, verify this.
+	** These calls are mere accessors, and can't fail.
+	*/
+	slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
+	sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
+	sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
+	sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
+	sid->u.ssl3.clAuthValid      = PR_TRUE;
+	PK11_FreeSlot(slot);
+    }
+    /* If we're doing RSA key exchange, we're all done with the private key
+     * here.  Diffie-Hellman key exchanges need the client's
+     * private key for the key exchange.
+     */
+    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+	ss->ssl3.clientPrivateKey = NULL;
+    }
+    if (rv != SECSuccess) {
+	goto done;	/* err code was set by ssl3_SignHashes */
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
+    if (rv != SECSuccess) {
+	goto done;	/* error code set by AppendHandshake */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
+    if (rv != SECSuccess) {
+	goto done;	/* error code set by AppendHandshake */
+    }
+
+done:
+    if (buf.data)
+	PORT_Free(buf.data);
+    return rv;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ServerHello message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    sslSessionID *sid		= ss->sec.ci.sid;
+    PRInt32       temp;		/* allow for consume number failure */
+    PRBool        suite_found   = PR_FALSE;
+    int           i;
+    int           errCode	= SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
+    SECStatus     rv;
+    SECItem       sidBytes 	= {siBuffer, NULL, 0};
+    PRBool        sid_match;
+    PRBool        isTLS		= PR_FALSE;
+    SSL3AlertDescription desc   = illegal_parameter;
+    SSL3ProtocolVersion version;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
+    	SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
+	goto alert_loser;
+    }
+    if (ss->ssl3.hs.ws != wait_server_hello) {
+        errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+
+    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    version = (SSL3ProtocolVersion)temp;
+
+    /* this is appropriate since the negotiation is complete, and we only
+    ** know SSL 3.x.
+    */
+    if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
+						   : handshake_failure;
+	goto alert_loser;
+    }
+
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
+						   : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+    isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
+
+    rv = ssl3_ConsumeHandshake(
+	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
+    if (rv != SECSuccess) {
+    	goto loser; 	/* alert has been sent */
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
+    if (rv != SECSuccess) {
+    	goto loser; 	/* alert has been sent */
+    }
+    if (sidBytes.len > SSL3_SESSIONID_BYTES) {
+	if (isTLS)
+	    desc = decode_error;
+	goto alert_loser;	/* malformed. */
+    }
+
+    /* find selected cipher suite in our list. */
+    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    ssl3_config_match_init(ss);
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if ((temp == suite->cipher_suite) &&
+	    (config_match(suite, ss->ssl3.policy, PR_TRUE))) {
+	    suite_found = PR_TRUE;
+	    break;	/* success */
+	}
+    }
+    if (!suite_found) {
+    	desc    = handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+    ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
+    ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
+    PORT_Assert(ss->ssl3.hs.suite_def);
+    if (!ss->ssl3.hs.suite_def) {
+    	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
+	goto loser;	/* we don't send alerts for our screw-ups. */
+    }
+
+    /* find selected compression method in our list. */
+    temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    suite_found = PR_FALSE;
+    for (i = 0; i < compressionMethodsCount; i++) {
+	if (temp == compressions[i])  {
+	    suite_found = PR_TRUE;
+	    break;	/* success */
+    	}
+    }
+    if (!suite_found) {
+    	desc    = handshake_failure;
+	errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
+	goto alert_loser;
+    }
+    ss->ssl3.hs.compression = (SSL3CompressionMethod)temp;
+
+    /* Note that if !isTLS && length != 0, we do NOT goto alert_loser.
+     * There are some old SSL 3.0 implementations that do send stuff
+     * after the end of the server hello, and we deliberately ignore
+     * such stuff in the interest of maximal interoperability (being
+     * "generous in what you accept").
+     */
+    if (isTLS && length != 0) {
+	SECItem extensions;
+	rv = ssl3_ConsumeHandshakeVariable(ss, &extensions, 2, &b, &length);
+	if (rv != SECSuccess || length != 0)
+	    goto alert_loser;
+	rv = ssl3_HandleHelloExtensions(ss, &extensions.data, &extensions.len);
+	if (rv != SECSuccess)
+	    goto alert_loser;
+    }
+
+    /* Any errors after this point are not "malformed" errors. */
+    desc    = handshake_failure;
+
+    /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
+     * key exchange algorithm. */
+    rv = ssl3_SetupPendingCipherSpec(ss);
+    if (rv != SECSuccess) {
+	goto alert_loser;	/* error code is set. */
+    }
+
+    /* We may or may not have sent a session id, we may get one back or
+     * not and if so it may match the one we sent.
+     * Attempt to restore the master secret to see if this is so...
+     * Don't consider failure to find a matching SID an error.
+     */
+    sid_match = (PRBool)(sidBytes.len > 0 &&
+	sidBytes.len == sid->u.ssl3.sessionIDLength &&
+	!PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
+
+    if (sid_match &&
+	sid->version == ss->version &&
+	sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
+	ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
+
+	SECItem       wrappedMS;   /* wrapped master secret. */
+
+	ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	/* 3 cases here:
+	 * a) key is wrapped (implies using PKCS11)
+	 * b) key is unwrapped, but we're still using PKCS11
+	 * c) key is unwrapped, and we're bypassing PKCS11.
+	 */
+	if (sid->u.ssl3.keys.msIsWrapped) {
+	    PK11SlotInfo *slot;
+	    PK11SymKey *  wrapKey;     /* wrapping key */
+	    CK_FLAGS      keyFlags      = 0;
+
+	    if (ss->opt.bypassPKCS11) {
+		/* we cannot restart a non-bypass session in a 
+		** bypass socket.
+		*/
+		break;  
+	    }
+	    /* unwrap master secret with PKCS11 */
+	    slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
+				     sid->u.ssl3.masterSlotID);
+	    if (slot == NULL) {
+		break;		/* not considered an error. */
+	    }
+	    if (!PK11_IsPresent(slot)) {
+		PK11_FreeSlot(slot);
+		break;		/* not considered an error. */
+	    }
+	    wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
+				      sid->u.ssl3.masterWrapMech,
+				      sid->u.ssl3.masterWrapSeries,
+				      ss->pkcs11PinArg);
+	    PK11_FreeSlot(slot);
+	    if (wrapKey == NULL) {
+		break;		/* not considered an error. */
+	    }
+
+	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
+		keyFlags = CKF_SIGN | CKF_VERIFY;
+	    }
+
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	    pwSpec->master_secret =
+		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
+			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
+			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
+	    errCode = PORT_GetError();
+	    PK11_FreeSymKey(wrapKey);
+	    if (pwSpec->master_secret == NULL) {
+		break;	/* errorCode set just after call to UnwrapSymKey. */
+	    }
+	} else if (ss->opt.bypassPKCS11) {
+	    /* MS is not wrapped */
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
+	    pwSpec->msItem.data = pwSpec->raw_master_secret;
+	    pwSpec->msItem.len  = wrappedMS.len;
+	} else {
+	    /* We CAN restart a bypass session in a non-bypass socket. */
+	    /* need to import the raw master secret to session object */
+	    PK11SlotInfo *slot = PK11_GetInternalSlot();
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	    pwSpec->master_secret =  
+		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
+				  PK11_OriginUnwrap, CKA_ENCRYPT, 
+				  &wrappedMS, NULL);
+	    PK11_FreeSlot(slot);
+	    if (pwSpec->master_secret == NULL) {
+		break; 
+	    }
+	}
+
+	/* Got a Match */
+	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
+
+	/* If we sent a session ticket, then this is a stateless resume. */
+	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
+	    sid->u.ssl3.sessionTicket.ticket.data != NULL)
+	    SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
+
+	if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
+	    ss->ssl3.hs.ws = wait_new_session_ticket;
+	else
+	    ss->ssl3.hs.ws = wait_change_cipher;
+
+	ss->ssl3.hs.isResuming = PR_TRUE;
+
+	/* copy the peer cert from the SID */
+	if (sid->peerCert != NULL) {
+	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+	}
+
+
+	/* NULL value for PMS signifies re-use of the old MS */
+	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
+	if (rv != SECSuccess) {
+	    goto alert_loser;	/* err code was set */
+	}
+	return SECSuccess;
+    } while (0);
+
+    if (sid_match)
+	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
+    else
+	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
+
+    /* throw the old one away */
+    sid->u.ssl3.keys.resumable = PR_FALSE;
+    (*ss->sec.uncache)(sid);
+    ssl_FreeSID(sid);
+
+    /* get a new sid */
+    ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
+    if (sid == NULL) {
+	goto alert_loser;	/* memory error is set. */
+    }
+
+    sid->version = ss->version;
+    sid->u.ssl3.sessionIDLength = sidBytes.len;
+    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
+
+    ss->ssl3.hs.isResuming = PR_FALSE;
+    ss->ssl3.hs.ws         = wait_server_cert;
+    return SECSuccess;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    errCode = ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ServerKeyExchange message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    PRArenaPool *    arena     = NULL;
+    SECKEYPublicKey *peerKey   = NULL;
+    PRBool           isTLS;
+    SECStatus        rv;
+    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
+    SSL3AlertDescription desc  = illegal_parameter;
+    SSL3Hashes       hashes;
+    SECItem          signature = {siBuffer, NULL, 0};
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws != wait_server_key &&
+	ss->ssl3.hs.ws != wait_server_cert) {
+	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+    if (ss->sec.peerCert == NULL) {
+	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    switch (ss->ssl3.hs.kea_def->exchKeyType) {
+
+    case kt_rsa: {
+	SECItem          modulus   = {siBuffer, NULL, 0};
+	SECItem          exponent  = {siBuffer, NULL, 0};
+
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	if (length != 0) {
+	    if (isTLS)
+		desc = decode_error;
+	    goto alert_loser;		/* malformed. */
+	}
+
+	/* failures after this point are not malformed handshakes. */
+	/* TLS: send decrypt_error if signature failed. */
+    	desc = isTLS ? decrypt_error : handshake_failure;
+
+    	/*
+     	 *  check to make sure the hash is signed by right guy
+     	 */
+    	rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
+					  &ss->ssl3.hs.client_random,
+					  &ss->ssl3.hs.server_random, 
+					  &hashes, ss->opt.bypassPKCS11);
+        if (rv != SECSuccess) {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
+				    isTLS, ss->pkcs11PinArg);
+	if (rv != SECSuccess)  {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+
+	/*
+	 * we really need to build a new key here because we can no longer
+	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
+	 * pkcs11 slots and ID's.
+	 */
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    goto no_memory;
+	}
+
+    	peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    	if (peerKey == NULL) {
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+	}
+
+	peerKey->arena              = arena;
+	peerKey->keyType            = rsaKey;
+	peerKey->pkcs11Slot         = NULL;
+	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
+	if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
+	{
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+        }
+    	ss->sec.peerKey = peerKey;
+    	ss->ssl3.hs.ws = wait_cert_request;
+    	return SECSuccess;
+    }
+
+    case kt_dh: {
+	SECItem          dh_p      = {siBuffer, NULL, 0};
+	SECItem          dh_g      = {siBuffer, NULL, 0};
+	SECItem          dh_Ys     = {siBuffer, NULL, 0};
+
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	if (length != 0) {
+	    if (isTLS)
+		desc = decode_error;
+	    goto alert_loser;		/* malformed. */
+	}
+
+	PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
+	PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
+	PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
+
+	/* failures after this point are not malformed handshakes. */
+	/* TLS: send decrypt_error if signature failed. */
+    	desc = isTLS ? decrypt_error : handshake_failure;
+
+    	/*
+     	 *  check to make sure the hash is signed by right guy
+     	 */
+    	rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
+					  &ss->ssl3.hs.client_random,
+					  &ss->ssl3.hs.server_random, 
+					  &hashes, ss->opt.bypassPKCS11);
+        if (rv != SECSuccess) {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
+				    isTLS, ss->pkcs11PinArg);
+	if (rv != SECSuccess)  {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+
+	/*
+	 * we really need to build a new key here because we can no longer
+	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
+	 * pkcs11 slots and ID's.
+	 */
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    goto no_memory;
+	}
+
+    	ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    	if (peerKey == NULL) {
+	    goto no_memory;
+	}
+
+	peerKey->arena              = arena;
+	peerKey->keyType            = dhKey;
+	peerKey->pkcs11Slot         = NULL;
+	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
+
+	if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
+	{
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+        }
+    	ss->sec.peerKey = peerKey;
+    	ss->ssl3.hs.ws = wait_cert_request;
+    	return SECSuccess;
+    }
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh:
+	rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
+	return rv;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+    	desc    = handshake_failure;
+	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
+	break;		/* goto alert_loser; */
+    }
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    PORT_SetError( errCode );
+    return SECFailure;
+
+no_memory:	/* no-memory error has already been set. */
+    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+    return SECFailure;
+}
+
+
+typedef struct dnameNode {
+    struct dnameNode *next;
+    SECItem           name;
+} dnameNode;
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate Request message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    PRArenaPool *        arena       = NULL;
+    dnameNode *          node;
+    PRInt32              remaining;
+    PRBool               isTLS       = PR_FALSE;
+    int                  i;
+    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
+    int                  nnames      = 0;
+    SECStatus            rv;
+    SSL3AlertDescription desc        = illegal_parameter;
+    SECItem              cert_types  = {siBuffer, NULL, 0};
+    CERTDistNames        ca_list;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws != wait_cert_request &&
+    	ss->ssl3.hs.ws != wait_server_key) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
+	goto alert_loser;
+    }
+
+    /* clean up anything left from previous handshake. */
+    if (ss->ssl3.clientCertChain != NULL) {
+       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
+       ss->ssl3.clientCertChain = NULL;
+    }
+    if (ss->ssl3.clientCertificate != NULL) {
+       CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+       ss->ssl3.clientCertificate = NULL;
+    }
+    if (ss->ssl3.clientPrivateKey != NULL) {
+       SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+       ss->ssl3.clientPrivateKey = NULL;
+    }
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
+    if (rv != SECSuccess)
+    	goto loser;		/* malformed, alert has been sent */
+
+    arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+    	goto no_mem;
+
+    remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (remaining < 0)
+    	goto loser;	 	/* malformed, alert has been sent */
+
+    if ((PRUint32)remaining > length)
+	goto alert_loser;
+
+    ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
+    if (node == NULL)
+    	goto no_mem;
+
+    while (remaining > 0) {
+	PRInt32 len;
+
+	if (remaining < 2)
+	    goto alert_loser;	/* malformed */
+
+	node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+	if (len <= 0)
+	    goto loser;		/* malformed, alert has been sent */
+
+	remaining -= 2;
+	if (remaining < len)
+	    goto alert_loser;	/* malformed */
+
+	node->name.data = b;
+	b         += len;
+	length    -= len;
+	remaining -= len;
+	nnames++;
+	if (remaining <= 0)
+	    break;		/* success */
+
+	node->next = PORT_ArenaZNew(arena, dnameNode);
+	node = node->next;
+	if (node == NULL)
+	    goto no_mem;
+    }
+
+    ca_list.nnames = nnames;
+    ca_list.names  = PORT_ArenaNewArray(arena, SECItem, nnames);
+    if (nnames > 0 && ca_list.names == NULL)
+        goto no_mem;
+
+    for(i = 0, node = (dnameNode*)ca_list.head;
+	i < nnames;
+	i++, node = node->next) {
+	ca_list.names[i] = node->name;
+    }
+
+    if (length != 0)
+        goto alert_loser;   	/* malformed */
+
+    desc = no_certificate;
+    ss->ssl3.hs.ws = wait_hello_done;
+
+    if (ss->getClientAuthData == NULL) {
+	rv = SECFailure; /* force it to send a no_certificate alert */
+    } else {
+	/* XXX Should pass cert_types in this call!! */
+	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
+						 ss->fd, &ca_list,
+						 &ss->ssl3.clientCertificate,
+						 &ss->ssl3.clientPrivateKey);
+    }
+    switch (rv) {
+    case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
+	ssl_SetAlwaysBlock(ss);
+	break;	/* not an error */
+
+    case SECSuccess:
+        /* check what the callback function returned */
+        if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
+            /* we are missing either the key or cert */
+            if (ss->ssl3.clientCertificate) {
+                /* got a cert, but no key - free it */
+                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+                ss->ssl3.clientCertificate = NULL;
+            }
+            if (ss->ssl3.clientPrivateKey) {
+                /* got a key, but no cert - free it */
+                SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+                ss->ssl3.clientPrivateKey = NULL;
+            }
+            goto send_no_certificate;
+        }
+	/* Setting ssl3.clientCertChain non-NULL will cause
+	 * ssl3_HandleServerHelloDone to call SendCertificate.
+	 */
+	ss->ssl3.clientCertChain = CERT_CertChainFromCert(
+					ss->ssl3.clientCertificate,
+					certUsageSSLClient, PR_FALSE);
+	if (ss->ssl3.clientCertChain == NULL) {
+	    if (ss->ssl3.clientCertificate != NULL) {
+		CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+		ss->ssl3.clientCertificate = NULL;
+	    }
+	    if (ss->ssl3.clientPrivateKey != NULL) {
+		SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+		ss->ssl3.clientPrivateKey = NULL;
+	    }
+	    goto send_no_certificate;
+	}
+	break;	/* not an error */
+
+    case SECFailure:
+    default:
+send_no_certificate:
+	if (isTLS) {
+	    ss->ssl3.sendEmptyCert = PR_TRUE;
+	} else {
+	    (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
+	}
+	rv = SECSuccess;
+	break;
+    }
+    goto done;
+
+no_mem:
+    rv = SECFailure;
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    goto done;
+
+alert_loser:
+    if (isTLS && desc == illegal_parameter)
+    	desc = decode_error;
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    PORT_SetError(errCode);
+    rv = SECFailure;
+done:
+    if (arena != NULL)
+    	PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:
+ *	cert	Client cert chosen by application.
+ *		Note: ssl takes this reference, and does not bump the
+ *		reference count.  The caller should drop its reference
+ *		without calling CERT_DestroyCert after calling this function.
+ *
+ *	key	Private key associated with cert.  This function makes a
+ *		copy of the private key, so the caller remains responsible
+ *		for destroying its copy after this function returns.
+ *
+ *	certChain  DER-encoded certs, client cert and its signers.
+ *		Note: ssl takes this reference, and does not copy the chain.
+ *		The caller should drop its reference without destroying the
+ *		chain.  SSL will free the chain when it is done with it.
+ *
+ * Return value: XXX
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Caller holds 1stHandshakeLock.
+ */
+SECStatus
+ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
+				CERTCertificate *    cert,
+				SECKEYPrivateKey *   key,
+				CERTCertificateList *certChain)
+{
+    SECStatus        rv          = SECSuccess;
+
+    if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
+	/* XXX This code only works on the initial handshake on a connection,
+	** XXX It does not work on a subsequent handshake (redo).
+	*/
+	if (ss->handshake != 0) {
+	    ss->handshake               = ssl_GatherRecord1stHandshake;
+	    ss->ssl3.clientCertificate = cert;
+	    ss->ssl3.clientCertChain   = certChain;
+	    if (key == NULL) {
+		(void)SSL3_SendAlert(ss, alert_warning, no_certificate);
+		ss->ssl3.clientPrivateKey = NULL;
+	    } else {
+		ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key);
+	    }
+	    ssl_GetRecvBufLock(ss);
+	    if (ss->ssl3.hs.msgState.buf != NULL) {
+		rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+	    }
+	    ssl_ReleaseRecvBufLock(ss);
+	}
+    }
+    return rv;
+}
+
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Server Hello Done message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerHelloDone(sslSocket *ss)
+{
+    SECStatus     rv;
+    SSL3WaitState ws          = ss->ssl3.hs.ws;
+    PRBool        send_verify = PR_FALSE;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ws != wait_hello_done  &&
+        ws != wait_server_cert &&
+	ws != wait_server_key  &&
+	ws != wait_cert_request) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+	return SECFailure;
+    }
+
+    ssl_GetXmitBufLock(ss);		/*******************************/
+
+    if (ss->ssl3.sendEmptyCert) {
+	ss->ssl3.sendEmptyCert = PR_FALSE;
+	rv = ssl3_SendEmptyCertificate(ss);
+	/* Don't send verify */
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
+    } else
+    if (ss->ssl3.clientCertChain  != NULL &&
+	ss->ssl3.clientPrivateKey != NULL) {
+	send_verify = PR_TRUE;
+	rv = ssl3_SendCertificate(ss);
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
+    }
+
+    rv = ssl3_SendClientKeyExchange(ss);
+    if (rv != SECSuccess) {
+    	goto loser;	/* err is set. */
+    }
+
+    if (send_verify) {
+	rv = ssl3_SendCertificateVerify(ss);
+	if (rv != SECSuccess) {
+	    goto loser;	/* err is set. */
+        }
+    }
+    rv = ssl3_SendChangeCipherSpecs(ss);
+    if (rv != SECSuccess) {
+	goto loser;	/* err code was set. */
+    }
+    rv = ssl3_SendFinished(ss, 0);
+    if (rv != SECSuccess) {
+	goto loser;	/* err code was set. */
+    }
+
+    ssl_ReleaseXmitBufLock(ss);		/*******************************/
+
+    if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn))
+	ss->ssl3.hs.ws = wait_new_session_ticket;
+    else
+	ss->ssl3.hs.ws = wait_change_cipher;
+    return SECSuccess;
+
+loser:
+    ssl_ReleaseXmitBufLock(ss);
+    return rv;
+}
+
+/*
+ * Routines used by servers
+ */
+static SECStatus
+ssl3_SendHelloRequest(sslSocket *ss)
+{
+    SECStatus rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake */
+    }
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    ss->ssl3.hs.ws = wait_client_hello;
+    return SECSuccess;
+}
+
+/* Sets memory error when returning NULL.
+ * Called from:
+ *	ssl3_SendClientHello()
+ *	ssl3_HandleServerHello()
+ *	ssl3_HandleClientHello()
+ *	ssl3_HandleV2ClientHello()
+ */
+sslSessionID *
+ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
+{
+    sslSessionID *sid;
+
+    sid = PORT_ZNew(sslSessionID);
+    if (sid == NULL)
+    	return sid;
+
+    sid->peerID		= (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
+    sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
+    sid->addr           = ss->sec.ci.peer;
+    sid->port           = ss->sec.ci.port;
+    sid->references     = 1;
+    sid->cached         = never_cached;
+    sid->version        = ss->version;
+
+    sid->u.ssl3.keys.resumable = PR_TRUE;
+    sid->u.ssl3.policy         = SSL_ALLOWED;
+    sid->u.ssl3.clientWriteKey = NULL;
+    sid->u.ssl3.serverWriteKey = NULL;
+
+    if (is_server) {
+	SECStatus rv;
+	int       pid = SSL_GETPID();
+
+	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
+	sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
+	sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
+	rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
+	                         SSL3_SESSIONID_BYTES -2);
+	if (rv != SECSuccess) {
+	    ssl_FreeSID(sid);
+	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+	    return NULL;
+    	}
+    }
+    return sid;
+}
+
+/* Called from:  ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
+static SECStatus
+ssl3_SendServerHelloSequence(sslSocket *ss)
+{
+    const ssl3KEADef *kea_def;
+    SECStatus         rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_SendServerHello(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* err code is set. */
+    }
+    rv = ssl3_SendCertificate(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* error code is set. */
+    }
+    /* We have to do this after the call to ssl3_SendServerHello,
+     * because kea_def is set up by ssl3_SendServerHello().
+     */
+    kea_def = ss->ssl3.hs.kea_def;
+    ss->ssl3.hs.usedStepDownKey = PR_FALSE;
+
+    if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
+	/* see if we can legally use the key in the cert. */
+	int keyLen;  /* bytes */
+
+	keyLen = PK11_GetPrivateModulusLen(
+			    ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
+
+	if (keyLen > 0 &&
+	    keyLen * BPB <= kea_def->key_size_limit ) {
+	    /* XXX AND cert is not signing only!! */
+	    /* just fall through and use it. */
+	} else if (ss->stepDownKeyPair != NULL) {
+	    ss->ssl3.hs.usedStepDownKey = PR_TRUE;
+	    rv = ssl3_SendServerKeyExchange(ss);
+	    if (rv != SECSuccess) {
+		return rv;	/* err code was set. */
+	    }
+	} else {
+#ifndef HACKED_EXPORT_SERVER
+	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
+	    return rv;
+#endif
+	}
+#ifdef NSS_ENABLE_ECC
+    } else if ((kea_def->kea == kea_ecdhe_rsa) ||
+	       (kea_def->kea == kea_ecdhe_ecdsa)) {
+	rv = ssl3_SendServerKeyExchange(ss);
+	if (rv != SECSuccess) {
+	    return rv;	/* err code was set. */
+	}
+#endif /* NSS_ENABLE_ECC */
+    }
+
+    if (ss->opt.requestCertificate) {
+	rv = ssl3_SendCertificateRequest(ss);
+	if (rv != SECSuccess) {
+	    return rv;		/* err code is set. */
+	}
+    }
+    rv = ssl3_SendServerHelloDone(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* err code is set. */
+    }
+
+    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
+                                               : wait_client_key;
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Client Hello message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    sslSessionID *      sid      = NULL;
+    PRInt32		tmp;
+    unsigned int        i;
+    int                 j;
+    SECStatus           rv;
+    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
+    SSL3AlertDescription desc    = illegal_parameter;
+    SSL3ProtocolVersion version;
+    SECItem             sidBytes = {siBuffer, NULL, 0};
+    SECItem             suites   = {siBuffer, NULL, 0};
+    SECItem             comps    = {siBuffer, NULL, 0};
+    PRBool              haveSpecWriteLock = PR_FALSE;
+    PRBool              haveXmitBufLock   = PR_FALSE;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
+    	SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    /* Get peer name of client */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* error code is set. */
+    }
+
+    /* We might be starting session renegotiation in which case we should
+     * clear previous state.
+     */
+    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+    ss->statelessResume = PR_FALSE;
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+
+    if ((ss->ssl3.hs.ws != wait_client_hello) &&
+	(ss->ssl3.hs.ws != idle_handshake)) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
+	goto alert_loser;
+    }
+
+    tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (tmp < 0)
+	goto loser;		/* malformed, alert already sent */
+    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+
+    /* grab the client random data. */
+    rv = ssl3_ConsumeHandshake(
+	ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* grab the client's SID, if present. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* grab the list of cipher suites. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* grab the list of compression methods. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    desc = handshake_failure;
+
+    /* Handle TLS hello extensions for SSL3 & TLS. We do not know if
+     * we are restarting a previous session until extensions have been
+     * parsed, since we might have received a SessionTicket extension.
+     * Note: we allow extensions even when negotiating SSL3 for the sake
+     * of interoperability (and backwards compatibility).
+     */
+
+    if (length) {
+	/* Get length of hello extensions */
+	PRInt32 extension_length;
+	extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+	if (extension_length < 0) {
+	    goto loser;				/* alert already sent */
+	}
+	if (extension_length != length) {
+	    ssl3_DecodeError(ss);		/* send alert */
+	    goto loser;
+	}
+	rv = ssl3_HandleHelloExtensions(ss, &b, &length);
+	if (rv != SECSuccess) {
+	    goto loser;		/* malformed */
+	}
+    }
+
+    /* We do stateful resumes only if either of the following
+     * conditions are satisfied: (1) the client does not support the
+     * session ticket extension, or (2) the client support the session
+     * ticket extension, but sent an empty ticket.
+     */
+    if (!ssl3_ExtensionNegotiated(ss, session_ticket_xtn) ||
+	ss->xtnData.emptySessionTicket) {
+	if (sidBytes.len > 0 && !ss->opt.noCache) {
+	    SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
+			SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
+			ss->sec.ci.peer.pr_s6_addr32[1], 
+			ss->sec.ci.peer.pr_s6_addr32[2],
+			ss->sec.ci.peer.pr_s6_addr32[3]));
+	    if (ssl_sid_lookup) {
+		sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, 
+					sidBytes.len, ss->dbHandle);
+	    } else {
+		errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
+		goto loser;
+	    }
+	}
+    } else if (ss->statelessResume) {
+	/* Fill in the client's session ID if doing a stateless resume.
+	 * (When doing stateless resumes, server echos client's SessionID.)
+	 */
+	sid = ss->sec.ci.sid;
+	PORT_Assert(sid != NULL);  /* Should have already been filled in.*/
+
+	if (sidBytes.len > 0 && sidBytes.len <= SSL3_SESSIONID_BYTES) {
+	    sid->u.ssl3.sessionIDLength = sidBytes.len;
+	    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data,
+		sidBytes.len);
+	    sid->u.ssl3.sessionIDLength = sidBytes.len;
+	} else {
+	    sid->u.ssl3.sessionIDLength = 0;
+	}
+	ss->sec.ci.sid = NULL;
+    }
+
+    /* We only send a session ticket extension if the client supports
+     * the extension and we are unable to do either a stateful or
+     * stateless resume.
+     *
+     * TODO: send a session ticket if performing a stateful
+     * resumption.  (As per RFC4507, a server may issue a session
+     * ticket while doing a (stateless or stateful) session resume,
+     * but OpenSSL-0.9.8g does not accept session tickets while
+     * resuming.)
+     */
+    if (ssl3_ExtensionNegotiated(ss, session_ticket_xtn) && sid == NULL) {
+	ssl3_RegisterServerHelloExtensionSender(ss,
+	    session_ticket_xtn, ssl3_SendSessionTicketXtn);
+    }
+
+    if (sid != NULL) {
+	/* We've found a session cache entry for this client.
+	 * Now, if we're going to require a client-auth cert,
+	 * and we don't already have this client's cert in the session cache,
+	 * and this is the first handshake on this connection (not a redo),
+	 * then drop this old cache entry and start a new session.
+	 */
+	if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
+	    ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
+	     (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
+	     ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 
+	      && !ss->firstHsDone))) {
+
+	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
+	    ss->sec.uncache(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
+    }
+
+#ifdef NSS_ENABLE_ECC
+    /* Disable any ECC cipher suites for which we have no cert. */
+    ssl3_FilterECCipherSuitesByServerCerts(ss);
+#endif
+
+#ifdef PARANOID
+    /* Look for a matching cipher suite. */
+    j = ssl3_config_match_init(ss);
+    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
+    	errCode = PORT_GetError();	/* error code is already set. */
+	goto alert_loser;
+    }
+#endif
+
+    /* If we already have a session for this client, be sure to pick the
+    ** same cipher suite we picked before.
+    ** This is not a loop, despite appearances.
+    */
+    if (sid) do {
+	ssl3CipherSuiteCfg *suite = ss->cipherSuites;
+	/* Find the entry for the cipher suite used in the cached session. */
+	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
+	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
+		break;
+	}
+	PORT_Assert(j > 0);
+	if (j <= 0)
+	    break;
+#ifdef PARANOID
+	/* Double check that the cached cipher suite is still enabled,
+	 * implemented, and allowed by policy.  Might have been disabled.
+	 * The product policy won't change during the process lifetime.  
+	 * Implemented ("isPresent") shouldn't change for servers.
+	 */
+	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+	    break;
+#else
+	if (!suite->enabled)
+	    break;
+#endif
+	/* Double check that the cached cipher suite is in the client's list */
+	for (i = 0; i < suites.len; i += 2) {
+	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
+	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
+
+		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
+		ss->ssl3.hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    } while (0);
+
+    /* START A NEW SESSION */
+
+#ifndef PARANOID
+    /* Look for a matching cipher suite. */
+    j = ssl3_config_match_init(ss);
+    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
+    	errCode = PORT_GetError();	/* error code is already set. */
+	goto alert_loser;
+    }
+#endif
+
+    /* Select a cipher suite.
+    ** NOTE: This suite selection algorithm should be the same as the one in
+    ** ssl3_HandleV2ClientHello().  
+    */
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+	    continue;
+	for (i = 0; i < suites.len; i += 2) {
+	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
+	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
+
+		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
+		ss->ssl3.hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+    goto alert_loser;
+
+suite_found:
+    /* Look for a matching compression algorithm. */
+    for (i = 0; i < comps.len; i++) {
+	for (j = 0; j < compressionMethodsCount; j++) {
+	    if (comps.data[i] == compressions[j]) {
+		ss->ssl3.hs.compression = 
+					(SSL3CompressionMethod)compressions[j];
+		goto compression_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
+    				/* null compression must be supported */
+    goto alert_loser;
+
+compression_found:
+    suites.data = NULL;
+    comps.data = NULL;
+
+    ss->sec.send = ssl3_SendApplicationData;
+
+    /* If there are any failures while processing the old sid,
+     * we don't consider them to be errors.  Instead, We just behave
+     * as if the client had sent us no sid to begin with, and make a new one.
+     */
+    if (sid != NULL) do {
+	ssl3CipherSpec *pwSpec;
+	SECItem         wrappedMS;  	/* wrapped key */
+
+	if (sid->version != ss->version  ||
+	    sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) {
+	    break;	/* not an error */
+	}
+
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	    PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
+	    if (ss->sec.ci.sid != sid) {
+		ssl_FreeSID(ss->sec.ci.sid);
+	    }
+	    ss->sec.ci.sid = NULL;
+	}
+	/* we need to resurrect the master secret.... */
+
+	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
+	pwSpec = ss->ssl3.pwSpec;
+	if (sid->u.ssl3.keys.msIsWrapped) {
+	    PK11SymKey *    wrapKey; 	/* wrapping key */
+	    CK_FLAGS        keyFlags      = 0;
+	    if (ss->opt.bypassPKCS11) {
+		/* we cannot restart a non-bypass session in a 
+		** bypass socket.
+		*/
+		break;  
+	    }
+
+	    wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
+				     sid->u.ssl3.masterWrapMech, 
+				     ss->pkcs11PinArg);
+	    if (!wrapKey) {
+		/* we have a SID cache entry, but no wrapping key for it??? */
+		break;
+	    }
+
+	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
+		keyFlags = CKF_SIGN | CKF_VERIFY;
+	    }
+
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+
+	    /* unwrap the master secret. */
+	    pwSpec->master_secret =
+		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
+			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
+			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
+	    PK11_FreeSymKey(wrapKey);
+	    if (pwSpec->master_secret == NULL) {
+		break;	/* not an error */
+	    }
+	} else if (ss->opt.bypassPKCS11) {
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
+	    pwSpec->msItem.data = pwSpec->raw_master_secret;
+	    pwSpec->msItem.len  = wrappedMS.len;
+	} else {
+	    /* We CAN restart a bypass session in a non-bypass socket. */
+	    /* need to import the raw master secret to session object */
+	    PK11SlotInfo * slot;
+	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	    slot = PK11_GetInternalSlot();
+	    pwSpec->master_secret =  
+		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
+				  PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS, 
+				  NULL);
+	    PK11_FreeSlot(slot);
+	    if (pwSpec->master_secret == NULL) {
+		break;	/* not an error */
+	    }
+	}
+	ss->sec.ci.sid = sid;
+	if (sid->peerCert != NULL) {
+	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+	}
+
+	/*
+	 * Old SID passed all tests, so resume this old session.
+	 *
+	 * XXX make sure compression still matches
+	 */
+	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_hits );
+	if (ss->statelessResume)
+	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_stateless_resumes );
+	ss->ssl3.hs.isResuming = PR_TRUE;
+
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	/* server sids don't remember the server cert we previously sent,
+	** but they do remember the kea type we originally used, so we
+	** can locate it again, provided that the current ssl socket
+	** has had its server certs configured the same as the previous one.
+	*/
+	ss->sec.localCert     = 
+		CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
+
+	ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
+
+	rv = ssl3_SendServerHello(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	if (haveSpecWriteLock) {
+	    ssl_ReleaseSpecWriteLock(ss);
+	    haveSpecWriteLock = PR_FALSE;
+	}
+
+	/* NULL value for PMS signifies re-use of the old MS */
+	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	rv = ssl3_SendChangeCipherSpecs(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+	rv = ssl3_SendFinished(ss, 0);
+	ss->ssl3.hs.ws = wait_change_cipher;
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	if (haveXmitBufLock) {
+	    ssl_ReleaseXmitBufLock(ss);
+	    haveXmitBufLock = PR_FALSE;
+	}
+
+        return SECSuccess;
+    } while (0);
+
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+
+    if (sid) { 	/* we had a sid, but it's no longer valid, free it */
+	SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
+	ss->sec.uncache(sid);
+	ssl_FreeSID(sid);
+	sid = NULL;
+    }
+    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
+
+    sid = ssl3_NewSessionID(ss, PR_TRUE);
+    if (sid == NULL) {
+	errCode = PORT_GetError();
+	goto loser;	/* memory error is set. */
+    }
+    ss->sec.ci.sid = sid;
+
+    ss->ssl3.hs.isResuming = PR_FALSE;
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendServerHelloSequence(ss);
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv != SECSuccess) {
+	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    if (haveXmitBufLock) {
+	ssl_ReleaseXmitBufLock(ss);
+	haveXmitBufLock = PR_FALSE;
+    }
+
+    return SECSuccess;
+
+alert_loser:
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+    /* FALLTHRU */
+loser:
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+
+    if (haveXmitBufLock) {
+	ssl_ReleaseXmitBufLock(ss);
+	haveXmitBufLock = PR_FALSE;
+    }
+
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+/*
+ * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
+ * in asking to use the V3 handshake.
+ * Called from ssl2_HandleClientHelloMessage() in sslcon.c
+ */
+SECStatus
+ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
+{
+    sslSessionID *      sid 		= NULL;
+    unsigned char *     suites;
+    unsigned char *     random;
+    SSL3ProtocolVersion version;
+    SECStatus           rv;
+    int                 i;
+    int                 j;
+    int                 sid_length;
+    int                 suite_length;
+    int                 rand_length;
+    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
+    SSL3AlertDescription desc    = handshake_failure;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
+    ssl_GetSSL3HandshakeLock(ss);
+
+    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+
+    if (ss->ssl3.hs.ws != wait_client_hello) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
+	goto loser;	/* alert_loser */
+    }
+
+    version      = (buffer[1] << 8) | buffer[2];
+    suite_length = (buffer[3] << 8) | buffer[4];
+    sid_length   = (buffer[5] << 8) | buffer[6];
+    rand_length  = (buffer[7] << 8) | buffer[8];
+    ss->clientHelloVersion = version;
+
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+	/* send back which ever alert client will understand. */
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+
+    /* if we get a non-zero SID, just ignore it. */
+    if (length !=
+        SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
+	SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
+		 SSL_GETPID(), ss->fd, length,
+		 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
+		 rand_length));
+	goto loser;	/* malformed */	/* alert_loser */
+    }
+
+    suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
+    random = suites + suite_length + sid_length;
+
+    if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
+	rand_length > SSL_MAX_CHALLENGE_BYTES) {
+	goto loser;	/* malformed */	/* alert_loser */
+    }
+
+    PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
+
+    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(
+	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
+	random, rand_length);
+
+    PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
+		   SSL3_RANDOM_LENGTH));
+#ifdef NSS_ENABLE_ECC
+    /* Disable any ECC cipher suites for which we have no cert. */
+    ssl3_FilterECCipherSuitesByServerCerts(ss);
+#endif
+    i = ssl3_config_match_init(ss);
+    if (i <= 0) {
+    	errCode = PORT_GetError();	/* error code is already set. */
+	goto alert_loser;
+    }
+
+    /* Select a cipher suite.
+    ** NOTE: This suite selection algorithm should be the same as the one in
+    ** ssl3_HandleClientHello().  
+    */
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+	    continue;
+	for (i = 0; i < suite_length; i += 3) {
+	    if ((suites[i]   == 0) &&
+		(suites[i+1] == MSB(suite->cipher_suite)) &&
+		(suites[i+2] == LSB(suite->cipher_suite))) {
+
+		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
+		ss->ssl3.hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+    goto alert_loser;
+
+suite_found:
+
+    ss->ssl3.hs.compression = compression_null;
+    ss->sec.send            = ssl3_SendApplicationData;
+
+    /* we don't even search for a cache hit here.  It's just a miss. */
+    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
+    sid = ssl3_NewSessionID(ss, PR_TRUE);
+    if (sid == NULL) {
+    	errCode = PORT_GetError();
+	goto loser;	/* memory error is set. */
+    }
+    ss->sec.ci.sid = sid;
+    /* do not worry about memory leak of sid since it now belongs to ci */
+
+    /* We have to update the handshake hashes before we can send stuff */
+    rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendServerHelloSequence(ss);
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    /* XXX_1 	The call stack to here is:
+     * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
+     * ssl2_HandleClientHelloMessage returns whatever we return here.
+     * ssl_Do1stHandshake will continue looping if it gets back either
+     *		SECSuccess or SECWouldBlock.
+     * SECSuccess is preferable here.  See XXX_1 in sslgathr.c.
+     */
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return SECSuccess;
+
+alert_loser:
+    SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+/* The negotiated version number has been already placed in ss->version.
+**
+** Called from:  ssl3_HandleClientHello                     (resuming session),
+** 	ssl3_SendServerHelloSequence <- ssl3_HandleClientHello   (new session),
+** 	ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
+*/
+static SECStatus
+ssl3_SendServerHello(sslSocket *ss)
+{
+    sslSessionID *sid;
+    SECStatus     rv;
+    PRUint32      maxBytes = 65535;
+    PRUint32      length;
+    PRInt32       extensions_len = 0;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
+
+    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	return SECFailure;
+    }
+
+    sid = ss->sec.ci.sid;
+
+    extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
+					       &ss->xtnData.serverSenders[0]);
+    if (extensions_len > 0)
+    	extensions_len += 2; /* Add sizeof total extension length */
+
+    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
+             ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
+	     sizeof(ssl3CipherSuite) + 1 + extensions_len;
+    rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+	return rv;
+    }
+    rv = ssl3_AppendHandshake(
+	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    if (sid)
+	rv = ssl3_AppendHandshakeVariable(
+	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
+    else
+	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    if (extensions_len) {
+	PRInt32 sent_len;
+
+    	extensions_len -= 2;
+	rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
+	if (rv != SECSuccess) 
+	    return rv;	/* err set by ssl3_SetupPendingCipherSpec */
+	sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
+					   &ss->xtnData.serverSenders[0]);
+        PORT_Assert(sent_len == extensions_len);
+	if (sent_len != extensions_len) {
+	    if (sent_len >= 0)
+	    	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+    }
+    rv = ssl3_SetupPendingCipherSpec(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_SetupPendingCipherSpec */
+    }
+
+    return SECSuccess;
+}
+
+
+static SECStatus
+ssl3_SendServerKeyExchange(sslSocket *ss)
+{
+const ssl3KEADef *     kea_def     = ss->ssl3.hs.kea_def;
+    SECStatus          rv          = SECFailure;
+    int                length;
+    PRBool             isTLS;
+    SECItem            signed_hash = {siBuffer, NULL, 0};
+    SSL3Hashes         hashes;
+    SECKEYPublicKey *  sdPub;	/* public key for step-down */
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    switch (kea_def->exchKeyType) {
+    case kt_rsa:
+	/* Perform SSL Step-Down here. */
+	sdPub = ss->stepDownKeyPair->pubKey;
+	PORT_Assert(sdPub != NULL);
+	if (!sdPub) {
+	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    return SECFailure;
+	}
+    	rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
+					  sdPub->u.rsa.publicExponent,
+	                                  &ss->ssl3.hs.client_random,
+	                                  &ss->ssl3.hs.server_random,
+					  &hashes, ss->opt.bypassPKCS11);
+        if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    return rv;
+	}
+
+	isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY, 
+	                     &signed_hash, isTLS);
+        if (rv != SECSuccess) {
+	    goto loser;		/* ssl3_SignHashes has set err. */
+	}
+	if (signed_hash.data == NULL) {
+	    /* how can this happen and rv == SECSuccess ?? */
+	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto loser;
+	}
+	length = 2 + sdPub->u.rsa.modulus.len +
+	         2 + sdPub->u.rsa.publicExponent.len +
+	         2 + signed_hash.len;
+
+	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
+					  sdPub->u.rsa.modulus.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(
+				ss, sdPub->u.rsa.publicExponent.data,
+				sdPub->u.rsa.publicExponent.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
+	                                  signed_hash.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+	PORT_Free(signed_hash.data);
+	return SECSuccess;
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh: {
+	rv = ssl3_SendECDHServerKeyExchange(ss);
+	return rv;
+    }
+#endif /* NSS_ENABLE_ECC */
+
+    case kt_dh:
+    case kt_null:
+    default:
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	break;
+    }
+loser:
+    if (signed_hash.data != NULL) 
+    	PORT_Free(signed_hash.data);
+    return SECFailure;
+}
+
+
+static SECStatus
+ssl3_SendCertificateRequest(sslSocket *ss)
+{
+    SECItem *      name;
+    CERTDistNames *ca_list;
+const uint8 *      certTypes;
+    SECItem *      names	= NULL;
+    SECStatus      rv;
+    int            length;
+    int            i;
+    int            calen	= 0;
+    int            nnames	= 0;
+    int            certTypesLength;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    /* ssl3.ca_list is initialized to NULL, and never changed. */
+    ca_list = ss->ssl3.ca_list;
+    if (!ca_list) {
+	ca_list = ssl3_server_ca_list;
+    }
+
+    if (ca_list != NULL) {
+	names = ca_list->names;
+	nnames = ca_list->nnames;
+    }
+
+    if (!nnames) {
+	PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
+	return SECFailure;
+    }
+
+    for (i = 0, name = names; i < nnames; i++, name++) {
+	calen += 2 + name->len;
+    }
+
+    certTypes       = certificate_types;
+    certTypesLength = sizeof certificate_types;
+
+    length = 1 + certTypesLength + 2 + calen;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    for (i = 0, name = names; i < nnames; i++, name++) {
+	rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
+	if (rv != SECSuccess) {
+	    return rv; 		/* err set by AppendHandshake. */
+	}
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_SendServerHelloDone(sslSocket *ss)
+{
+    SECStatus rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate Verify message
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+			     SSL3Hashes *hashes)
+{
+    SECItem              signed_hash = {siBuffer, NULL, 0};
+    SECStatus            rv;
+    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
+    SSL3AlertDescription desc        = handshake_failure;
+    PRBool               isTLS;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
+	goto alert_loser;
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed. */
+    }
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* XXX verify that the key & kea match */
+    rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
+				 isTLS, ss->pkcs11PinArg);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	desc = isTLS ? decrypt_error : handshake_failure;
+	goto alert_loser;
+    }
+
+    signed_hash.data = NULL;
+
+    if (length != 0) {
+	desc    = isTLS ? decode_error : illegal_parameter;
+	goto alert_loser;	/* malformed */
+    }
+    ss->ssl3.hs.ws = wait_change_cipher;
+    return SECSuccess;
+
+alert_loser:
+    SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+
+/* find a slot that is able to generate a PMS and wrap it with RSA.
+ * Then generate and return the PMS.
+ * If the serverKeySlot parameter is non-null, this function will use
+ * that slot to do the job, otherwise it will find a slot.
+ *
+ * Called from  ssl3_DeriveConnectionKeysPKCS11()  (above)
+ *		sendRSAClientKeyExchange()         (above)
+ *		ssl3_HandleRSAClientKeyExchange()  (below)
+ * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
+ */
+static PK11SymKey *
+ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+                    PK11SlotInfo * serverKeySlot)
+{
+    PK11SymKey *      pms		= NULL;
+    PK11SlotInfo *    slot		= serverKeySlot;
+    void *	      pwArg 		= ss->pkcs11PinArg;
+    SECItem           param;
+    CK_VERSION 	      version;
+    CK_MECHANISM_TYPE mechanism_array[3];
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (slot == NULL) {
+	SSLCipherAlgorithm calg;
+	/* The specReadLock would suffice here, but we cannot assert on
+	** read locks.  Also, all the callers who call with a non-null
+	** slot already hold the SpecWriteLock.
+	*/
+	PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
+	PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+        calg = spec->cipher_def->calg;
+	PORT_Assert(alg2Mech[calg].calg == calg);
+
+	/* First get an appropriate slot.  */
+	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
+	mechanism_array[1] = CKM_RSA_PKCS;
+	mechanism_array[2] = alg2Mech[calg].cmech;
+
+	slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
+	if (slot == NULL) {
+	   /* can't find a slot with all three, find a slot with the minimum */
+	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
+	    if (slot == NULL) {
+		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
+		return pms;	/* which is NULL */
+	    }
+	}
+    }
+
+    /* Generate the pre-master secret ...  */
+    version.major = MSB(ss->clientHelloVersion);
+    version.minor = LSB(ss->clientHelloVersion);
+
+    param.data = (unsigned char *)&version;
+    param.len  = sizeof version;
+
+    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
+    if (!serverKeySlot)
+	PK11_FreeSlot(slot);
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+    }
+    return pms;
+}
+
+/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
+ * return any indication of failure of the Client Key Exchange message,
+ * where that failure is caused by the content of the client's message.
+ * This function must not return SECFailure for any reason that is directly
+ * or indirectly caused by the content of the client's encrypted PMS.
+ * We must not send an alert and also not drop the connection.
+ * Instead, we generate a random PMS.  This will cause a failure
+ * in the processing the finished message, which is exactly where
+ * the failure must occur.
+ *
+ * Called from ssl3_HandleClientKeyExchange
+ */
+static SECStatus
+ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
+                                SSL3Opaque *b,
+				PRUint32 length,
+				SECKEYPrivateKey *serverKey)
+{
+    PK11SymKey *      pms;
+    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
+    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
+    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
+    unsigned int      outLen = 0;
+    PRBool            isTLS  = PR_FALSE;
+    SECStatus         rv;
+    SECItem           enc_pms;
+    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
+    SECItem           pmsItem = {siBuffer, NULL, 0};
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    enc_pms.data = b;
+    enc_pms.len  = length;
+    pmsItem.data = rsaPmsBuf;
+    pmsItem.len  = sizeof rsaPmsBuf;
+
+    if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
+	PRInt32 kLen;
+	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
+	if (kLen < 0) {
+	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    return SECFailure;
+	}
+	if ((unsigned)kLen < enc_pms.len) {
+	    enc_pms.len = kLen;
+	}
+	isTLS = PR_TRUE;
+    } else {
+	isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
+    }
+
+    if (ss->opt.bypassPKCS11) {
+	/* TRIPLE BYPASS, get PMS directly from RSA decryption.
+	 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 
+	 * then, check for version rollback attack, then 
+	 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 
+	 * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with 
+	 * ss and NULL, so that it will use the MS we've already derived here. 
+	 */
+
+	rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
+				   sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
+	if (rv != SECSuccess) {
+	    /* triple bypass failed.  Let's try for a double bypass. */
+	    goto double_bypass;
+	} else if (ss->opt.detectRollBack) {
+	    SSL3ProtocolVersion client_version = 
+					 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
+	    if (client_version != ss->clientHelloVersion) {
+		/* Version roll-back detected. ensure failure.  */
+		rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
+	    }
+	}
+	/* have PMS, build MS without PKCS11 */
+	rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
+					PR_TRUE);
+	if (rv != SECSuccess) {
+	    pwSpec->msItem.data = pwSpec->raw_master_secret;
+	    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
+	    PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
+	}
+	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
+    } else {
+double_bypass:
+	/*
+	 * unwrap pms out of the incoming buffer
+	 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 
+	 *	the unwrap.  Rather, it is the mechanism with which the 
+	 *      unwrapped pms will be used.
+	 */
+	pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
+				   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+	if (pms != NULL) {
+	    PRINT_BUF(60, (ss, "decrypted premaster secret:",
+			   PK11_GetKeyData(pms)->data,
+			   PK11_GetKeyData(pms)->len));
+	} else {
+	    /* unwrap failed. Generate a bogus PMS and carry on. */
+	    PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
+
+	    ssl_GetSpecWriteLock(ss);
+	    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
+	    ssl_ReleaseSpecWriteLock(ss);
+	    PK11_FreeSlot(slot);
+	}
+
+	if (pms == NULL) {
+	    /* last gasp.  */
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    return SECFailure;
+	}
+
+	/* This step will derive the MS from the PMS, among other things. */
+	rv = ssl3_InitPendingCipherSpec(ss,  pms);
+	PK11_FreeSymKey(pms);
+    }
+
+    if (rv != SECSuccess) {
+	SEND_ALERT
+	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
+    }
+    return SECSuccess;
+}
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ClientKeyExchange message from the remote client
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    SECKEYPrivateKey *serverKey         = NULL;
+    SECStatus         rv;
+const ssl3KEADef *    kea_def;
+    ssl3KeyPair     *serverKeyPair      = NULL;
+#ifdef NSS_ENABLE_ECC
+    SECKEYPublicKey *serverPubKey       = NULL;
+#endif /* NSS_ENABLE_ECC */
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws != wait_client_key) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
+	return SECFailure;
+    }
+
+    kea_def   = ss->ssl3.hs.kea_def;
+
+    if (ss->ssl3.hs.usedStepDownKey) {
+	 PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
+		 && kea_def->exchKeyType == kt_rsa 
+		 && ss->stepDownKeyPair != NULL);
+	 if (!kea_def->is_limited  ||
+	      kea_def->exchKeyType != kt_rsa ||
+	      ss->stepDownKeyPair == NULL) {
+	 	/* shouldn't happen, don't use step down if it does */
+		goto skip;
+	 }
+    	serverKeyPair = ss->stepDownKeyPair;
+	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
+    } else 
+skip:
+#ifdef NSS_ENABLE_ECC
+    /* XXX Using SSLKEAType to index server certifiates
+     * does not work for (EC)DHE ciphers. Until we have
+     * an indexing mechanism general enough for all key
+     * exchange algorithms, we'll need to deal with each
+     * one seprately.
+     */
+    if ((kea_def->kea == kea_ecdhe_rsa) ||
+               (kea_def->kea == kea_ecdhe_ecdsa)) {
+	if (ss->ephemeralECDHKeyPair != NULL) {
+	   serverKeyPair = ss->ephemeralECDHKeyPair;
+	   if (serverKeyPair->pubKey) {
+		ss->sec.keaKeyBits = 
+		    SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
+	   }
+	}
+    } else 
+#endif
+    {
+	sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
+	serverKeyPair = sc->serverKeyPair;
+	ss->sec.keaKeyBits = sc->serverKeyBits;
+    }
+
+    if (serverKeyPair) {
+	serverKey = serverKeyPair->privKey;
+    }
+
+    if (serverKey == NULL) {
+    	SEND_ALERT
+	PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
+	return SECFailure;
+    }
+
+    ss->sec.keaType    = kea_def->exchKeyType;
+
+    switch (kea_def->exchKeyType) {
+    case kt_rsa:
+	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
+	if (rv != SECSuccess) {
+	    SEND_ALERT
+	    return SECFailure;	/* error code set */
+	}
+	break;
+
+
+#ifdef NSS_ENABLE_ECC
+    case kt_ecdh:
+	/* XXX We really ought to be able to store multiple
+	 * EC certs (a requirement if we wish to support both
+	 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
+	 * When we make that change, we'll need an index other
+	 * than kt_ecdh to pick the right EC certificate.
+	 */
+	if (serverKeyPair) {
+	    serverPubKey = serverKeyPair->pubKey;
+        }
+	if (serverPubKey == NULL) {
+	    /* XXX Is this the right error code? */
+	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 
+					      serverPubKey, serverKey);
+	if (rv != SECSuccess) {
+	    return SECFailure;	/* error code set */
+	}
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	(void) ssl3_HandshakeFailure(ss);
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+    ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
+    return SECSuccess;
+
+}
+
+/* This is TLS's equivalent of sending a no_certificate alert. */
+static SECStatus
+ssl3_SendEmptyCertificate(sslSocket *ss)
+{
+    SECStatus            rv;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
+    if (rv == SECSuccess) {
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
+    }
+    return rv;	/* error, if any, set by functions called above. */
+}
+
+SECStatus
+ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    SECStatus         rv;
+    NewSessionTicket  session_ticket;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3.hs.ws != wait_new_session_ticket) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
+	return SECFailure;
+    }
+
+    session_ticket.received_timestamp = ssl_Time();
+    if (length < 4) {
+	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
+	return SECFailure;
+    }
+    session_ticket.ticket_lifetime_hint =
+	(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
+	&b, &length);
+    if (length != 0 || rv != SECSuccess) {
+	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
+	return SECFailure;  /* malformed */
+    }
+
+    rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
+    if (rv != SECSuccess) {
+	(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+	PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
+	return SECFailure;
+    }
+    ss->ssl3.hs.ws = wait_change_cipher;
+    return SECSuccess;
+}
+
+#ifdef NISCC_TEST
+static PRInt32 connNum = 0;
+
+static SECStatus 
+get_fake_cert(SECItem *pCertItem, int *pIndex)
+{
+    PRFileDesc *cf;
+    char *      testdir;
+    char *      startat;
+    char *      stopat;
+    const char *extension;
+    int         fileNum;
+    PRInt32     numBytes   = 0;
+    PRStatus    prStatus;
+    PRFileInfo  info;
+    char        cfn[100];
+
+    pCertItem->data = 0;
+    if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
+	return SECSuccess;
+    }
+    *pIndex   = (NULL != strstr(testdir, "root"));
+    extension = (strstr(testdir, "simple") ? "" : ".der");
+    fileNum     = PR_AtomicIncrement(&connNum) - 1;
+    if ((startat = PR_GetEnv("START_AT")) != NULL) {
+	fileNum += atoi(startat);
+    }
+    if ((stopat = PR_GetEnv("STOP_AT")) != NULL && 
+	fileNum >= atoi(stopat)) {
+	*pIndex = -1;
+	return SECSuccess;
+    }
+    sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
+    cf = PR_Open(cfn, PR_RDONLY, 0);
+    if (!cf) {
+	goto loser;
+    }
+    prStatus = PR_GetOpenFileInfo(cf, &info);
+    if (prStatus != PR_SUCCESS) {
+	PR_Close(cf);
+	goto loser;
+    }
+    pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
+    if (pCertItem) {
+	numBytes = PR_Read(cf, pCertItem->data, info.size);
+    }
+    PR_Close(cf);
+    if (numBytes != info.size) {
+	SECITEM_FreeItem(pCertItem, PR_FALSE);
+	PORT_SetError(SEC_ERROR_IO);
+	goto loser;
+    }
+    fprintf(stderr, "using %s\n", cfn);
+    return SECSuccess;
+
+loser:
+    fprintf(stderr, "failed to use %s\n", cfn);
+    *pIndex = -1;
+    return SECFailure;
+}
+#endif
+
+/*
+ * Used by both client and server.
+ * Called from HandleServerHelloDone and from SendServerHelloSequence.
+ */
+static SECStatus
+ssl3_SendCertificate(sslSocket *ss)
+{
+    SECStatus            rv;
+    CERTCertificateList *certChain;
+    int                  len 		= 0;
+    int                  i;
+    SSL3KEAType          certIndex;
+#ifdef NISCC_TEST
+    SECItem              fakeCert;
+    int                  ndex           = -1;
+#endif
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    if (ss->sec.localCert)
+    	CERT_DestroyCertificate(ss->sec.localCert);
+    if (ss->sec.isServer) {
+	sslServerCerts * sc = NULL;
+
+	/* XXX SSLKEAType isn't really a good choice for 
+	 * indexing certificates (it breaks when we deal
+	 * with (EC)DHE-* cipher suites. This hack ensures
+	 * the RSA cert is picked for (EC)DHE-RSA.
+	 * Revisit this when we add server side support
+	 * for ECDHE-ECDSA or client-side authentication
+	 * using EC certificates.
+	 */
+	if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
+	    (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
+	    certIndex = kt_rsa;
+	} else {
+	    certIndex = ss->ssl3.hs.kea_def->exchKeyType;
+	}
+	sc                    = ss->serverCerts + certIndex;
+	certChain             = sc->serverCertChain;
+	ss->sec.authKeyBits   = sc->serverKeyBits;
+	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
+	ss->sec.localCert     = CERT_DupCertificate(sc->serverCert);
+    } else {
+	certChain          = ss->ssl3.clientCertChain;
+	ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
+    }
+
+#ifdef NISCC_TEST
+    rv = get_fake_cert(&fakeCert, &ndex);
+#endif
+
+    if (certChain) {
+	for (i = 0; i < certChain->len; i++) {
+#ifdef NISCC_TEST
+	    if (fakeCert.len > 0 && i == ndex) {
+		len += fakeCert.len + 3;
+	    } else {
+		len += certChain->certs[i].len + 3;
+	    }
+#else
+	    len += certChain->certs[i].len + 3;
+#endif
+	}
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, len, 3);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    if (certChain) {
+        for (i = 0; i < certChain->len; i++) {
+#ifdef NISCC_TEST
+            if (fakeCert.len > 0 && i == ndex) {
+                rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
+                                                  fakeCert.len, 3);
+                SECITEM_FreeItem(&fakeCert, PR_FALSE);
+            } else {
+                rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
+                                                  certChain->certs[i].len, 3);
+            }
+#else
+            rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
+                                              certChain->certs[i].len, 3);
+#endif
+            if (rv != SECSuccess) {
+                return rv; 		/* err set by AppendHandshake. */
+            }
+        }
+    }
+
+    return SECSuccess;
+}
+
+/* This is used to delete the CA certificates in the peer certificate chain
+ * from the cert database after they've been validated.
+ */
+static void
+ssl3_CleanupPeerCerts(sslSocket *ss)
+{
+    PRArenaPool * arena = ss->ssl3.peerCertArena;
+    ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
+
+    for (; certs; certs = certs->next) {
+	CERT_DestroyCertificate(certs->cert);
+    }
+    if (arena) PORT_FreeArena(arena, PR_FALSE);
+    ss->ssl3.peerCertArena = NULL;
+    ss->ssl3.peerCertChain = NULL;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    ssl3CertNode *   c;
+    ssl3CertNode *   certs 	= NULL;
+    PRArenaPool *    arena 	= NULL;
+    CERTCertificate *cert;
+    PRInt32          remaining  = 0;
+    PRInt32          size;
+    SECStatus        rv;
+    PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
+    PRBool           trusted 	= PR_FALSE;
+    PRBool           isTLS;
+    SSL3AlertDescription desc	= bad_certificate;
+    int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
+    SECItem          certItem;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if ((ss->ssl3.hs.ws != wait_server_cert) &&
+	(ss->ssl3.hs.ws != wait_client_cert)) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
+	goto alert_loser;
+    }
+
+    if (ss->sec.peerCert != NULL) {
+	if (ss->sec.peerKey) {
+	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
+	    ss->sec.peerKey = NULL;
+	}
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+
+    ssl3_CleanupPeerCerts(ss);
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* It is reported that some TLS client sends a Certificate message
+    ** with a zero-length message body.  We'll treat that case like a
+    ** normal no_certificates message to maximize interoperability.
+    */
+    if (length) {
+	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+	if (remaining < 0)
+	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+	if ((PRUint32)remaining > length)
+	    goto decode_loser;
+    }
+
+    if (!remaining) {
+	if (!(isTLS && isServer))
+	    goto alert_loser;
+    	/* This is TLS's version of a no_certificate alert. */
+    	/* I'm a server. I've requested a client cert. He hasn't got one. */
+	rv = ssl3_HandleNoCertificate(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+	goto cert_block;
+    }
+
+    ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;	/* don't send alerts on memory errors */
+    }
+
+    /* First get the peer cert. */
+    remaining -= 3;
+    if (remaining < 0)
+	goto decode_loser;
+
+    size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+    if (size <= 0)
+	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+    if (remaining < size)
+	goto decode_loser;
+
+    certItem.data = b;
+    certItem.len = size;
+    b      += size;
+    length -= size;
+    remaining -= size;
+
+    ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+                                            PR_FALSE, PR_TRUE);
+    if (ss->sec.peerCert == NULL) {
+	/* We should report an alert if the cert was bad, but not if the
+	 * problem was just some local problem, like memory error.
+	 */
+	goto ambiguous_err;
+    }
+
+    /* Now get all of the CA certs. */
+    while (remaining > 0) {
+	remaining -= 3;
+	if (remaining < 0)
+	    goto decode_loser;
+
+	size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+	if (size <= 0)
+	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+	if (remaining < size)
+	    goto decode_loser;
+
+	certItem.data = b;
+	certItem.len = size;
+	b      += size;
+	length -= size;
+	remaining -= size;
+
+	c = PORT_ArenaNew(arena, ssl3CertNode);
+	if (c == NULL) {
+	    goto loser;	/* don't send alerts on memory errors */
+	}
+
+	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+	                                  PR_FALSE, PR_TRUE);
+	if (c->cert == NULL) {
+	    goto ambiguous_err;
+	}
+
+	if (c->cert->trust)
+	    trusted = PR_TRUE;
+
+	c->next = certs;
+	certs = c;
+    }
+
+    if (remaining != 0)
+        goto decode_loser;
+
+    SECKEY_UpdateCertPQG(ss->sec.peerCert);
+
+    /*
+     * Ask caller-supplied callback function to validate cert chain.
+     */
+    rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
+					   PR_TRUE, isServer);
+    if (rv) {
+	errCode = PORT_GetError();
+	if (!ss->handleBadCert) {
+	    goto bad_cert;
+	}
+	rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
+	if ( rv ) {
+	    if ( rv == SECWouldBlock ) {
+		/* someone will handle this connection asynchronously*/
+		SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
+			 SSL_GETPID(), ss->fd));
+		ss->ssl3.peerCertChain = certs;
+		certs               = NULL;
+		ssl_SetAlwaysBlock(ss);
+		goto cert_block;
+	    }
+	    /* cert is bad */
+	    goto bad_cert;
+	}
+	/* cert is good */
+    }
+
+    /* start SSL Step Up, if appropriate */
+    cert = ss->sec.peerCert;
+    if (!isServer &&
+    	ssl3_global_policy_some_restricted &&
+        ss->ssl3.policy == SSL_ALLOWED &&
+	anyRestrictedEnabled(ss) &&
+	SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
+	                                 PR_FALSE, /* checkSig */
+				         certUsageSSLServerWithStepUp,
+/*XXX*/				         ss->authCertificateArg) ) {
+	ss->ssl3.policy         = SSL_RESTRICTED;
+	ss->ssl3.hs.rehandshake = PR_TRUE;
+    }
+
+    ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+    if (!ss->sec.isServer) {
+	/* set the server authentication and key exchange types and sizes
+	** from the value in the cert.  If the key exchange key is different,
+	** it will get fixed when we handle the server key exchange message.
+	*/
+	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
+	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
+	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
+	if (pubKey) {
+	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
+		SECKEY_PublicKeyStrengthInBits(pubKey);
+#ifdef NSS_ENABLE_ECC
+	    if (ss->sec.keaType == kt_ecdh) {
+		/* Get authKeyBits from signing key.
+		 * XXX The code below uses a quick approximation of
+		 * key size based on cert->signatureWrap.signature.data
+		 * (which contains the DER encoded signature). The field
+		 * cert->signatureWrap.signature.len contains the
+		 * length of the encoded signature in bits.
+		 */
+		if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
+		    ss->sec.authKeyBits = 
+			cert->signatureWrap.signature.data[3]*8;
+		    if (cert->signatureWrap.signature.data[4] == 0x00)
+			    ss->sec.authKeyBits -= 8;
+		    /* 
+		     * XXX: if cert is not signed by ecdsa we should
+		     * destroy pubKey and goto bad_cert
+		     */
+		} else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
+		    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
+		    /* 
+		     * XXX: if cert is not signed by rsa we should
+		     * destroy pubKey and goto bad_cert
+		     */
+		}
+	    }
+#endif /* NSS_ENABLE_ECC */
+	    SECKEY_DestroyPublicKey(pubKey); 
+	    pubKey = NULL;
+    	}
+    }
+
+    ss->ssl3.peerCertChain = certs;  certs = NULL;  arena = NULL;
+
+cert_block:
+    if (ss->sec.isServer) {
+	ss->ssl3.hs.ws = wait_client_key;
+    } else {
+	ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
+	if (ss->ssl3.hs.kea_def->is_limited ||
+	    /* XXX OR server cert is signing only. */
+#ifdef NSS_ENABLE_ECC
+	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
+#endif /* NSS_ENABLE_ECC */
+	    ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
+	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
+	}
+    }
+
+    /* rv must normally be equal to SECSuccess here.  If we called
+     * handleBadCert, it can also be SECWouldBlock.
+     */
+    return rv;
+
+ambiguous_err:
+    errCode = PORT_GetError();
+    switch (errCode) {
+    case PR_OUT_OF_MEMORY_ERROR:
+    case SEC_ERROR_BAD_DATABASE:
+    case SEC_ERROR_NO_MEMORY:
+	if (isTLS) {
+	    desc = internal_error;
+	    goto alert_loser;
+	}
+	goto loser;
+    }
+    /* fall through to bad_cert. */
+
+bad_cert:	/* caller has set errCode. */
+    switch (errCode) {
+    case SEC_ERROR_LIBRARY_FAILURE:     desc = unsupported_certificate; break;
+    case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired;     break;
+    case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked;     break;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
+    case SEC_ERROR_INADEQUATE_CERT_TYPE:
+		                        desc = certificate_unknown;     break;
+    case SEC_ERROR_UNTRUSTED_CERT:
+		    desc = isTLS ? access_denied : certificate_unknown; break;
+    case SEC_ERROR_UNKNOWN_ISSUER:      
+    case SEC_ERROR_UNTRUSTED_ISSUER:    
+		    desc = isTLS ? unknown_ca : certificate_unknown; break;
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+		    desc = isTLS ? unknown_ca : certificate_expired; break;
+
+    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
+    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
+    case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_BAD_SIGNATURE:
+    default:                            desc = bad_certificate;     break;
+    }
+    SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
+	     SSL_GETPID(), ss->fd, errCode));
+
+    goto alert_loser;
+
+decode_loser:
+    desc = isTLS ? decode_error : bad_certificate;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    ss->ssl3.peerCertChain = certs;  certs = NULL;  arena = NULL;
+    ssl3_CleanupPeerCerts(ss);
+
+    if (ss->sec.peerCert != NULL) {
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+    (void)ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+*/
+int
+ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    CERTCertificate * cert;
+    int               rv	= SECSuccess;
+
+    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+    if (!ss->ssl3.initialized) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+
+    cert = ss->sec.peerCert;
+
+    /* Permit step up if user decided to accept the cert */
+    if (!ss->sec.isServer &&
+    	ssl3_global_policy_some_restricted &&
+        ss->ssl3.policy == SSL_ALLOWED &&
+	anyRestrictedEnabled(ss) &&
+	(SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
+	                                  PR_FALSE, /* checksig */
+				          certUsageSSLServerWithStepUp,
+/*XXX*/				          ss->authCertificateArg) )) {
+	ss->ssl3.policy         = SSL_RESTRICTED;
+	ss->ssl3.hs.rehandshake = PR_TRUE;
+    }
+
+    if (ss->handshake != NULL) {
+	ss->handshake = ssl_GatherRecord1stHandshake;
+	ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+	ssl_GetRecvBufLock(ss);
+	if (ss->ssl3.hs.msgState.buf != NULL) {
+	    rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+	}
+	ssl_ReleaseRecvBufLock(ss);
+    }
+
+    return rv;
+}
+
+static SECStatus
+ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+			PRBool          isServer,
+                const   SSL3Finished *  hashes,
+                        TLSFinished  *  tlsFinished)
+{
+    const char * label;
+    unsigned int len;
+    SECStatus    rv;
+
+    label = isServer ? "server finished" : "client finished";
+    len   = 15;
+
+    if (spec->master_secret && !spec->bypassCiphers) {
+	SECItem      param       = {siBuffer, NULL, 0};
+	PK11Context *prf_context =
+	    PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 
+				       spec->master_secret, &param);
+	if (!prf_context)
+	    return SECFailure;
+
+	rv  = PK11_DigestBegin(prf_context);
+	rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
+	rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
+	rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, 
+			       &len, sizeof tlsFinished->verify_data);
+	PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
+
+	PK11_DestroyContext(prf_context, PR_TRUE);
+    } else {
+	/* bypass PKCS11 */
+	SECItem inData  = { siBuffer, };
+	SECItem outData = { siBuffer, };
+	PRBool isFIPS   = PR_FALSE;
+
+	inData.data  = (unsigned char *)hashes->md5;
+	inData.len   = sizeof hashes[0];
+	outData.data = tlsFinished->verify_data;
+	outData.len  = sizeof tlsFinished->verify_data;
+	rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
+	PORT_Assert(rv != SECSuccess || \
+		    outData.len == sizeof tlsFinished->verify_data);
+    }
+    return rv;
+}
+
+/* called from ssl3_HandleServerHelloDone
+ *             ssl3_HandleClientHello
+ *             ssl3_HandleFinished
+ */
+static SECStatus
+ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
+{
+    ssl3CipherSpec *cwSpec;
+    PRBool          isTLS;
+    PRBool          isServer = ss->sec.isServer;
+    SECStatus       rv;
+    SSL3Sender      sender = isServer ? sender_server : sender_client;
+    SSL3Finished    hashes;
+    TLSFinished     tlsFinished;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecReadLock(ss);
+    cwSpec = ss->ssl3.cwSpec;
+    isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
+    if (isTLS && rv == SECSuccess) {
+	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
+    }
+    ssl_ReleaseSpecReadLock(ss);
+    if (rv != SECSuccess) {
+	goto fail;	/* err code was set by ssl3_ComputeHandshakeHashes */
+    }
+
+    if (isTLS) {
+	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+	rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+    } else {
+	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+	rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_FlushHandshake(ss, flags);
+    if (rv != SECSuccess) {
+	goto fail;	/* error code set by ssl3_FlushHandshake */
+    }
+    return SECSuccess;
+
+fail:
+    return rv;
+}
+
+/* wrap the master secret, and put it into the SID.
+ * Caller holds the Spec read lock.
+ */
+SECStatus
+ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid,
+    ssl3CipherSpec *spec, SSL3KEAType effectiveExchKeyType)
+{
+    PK11SymKey *      wrappingKey  = NULL;
+    PK11SlotInfo *    symKeySlot;
+    void *            pwArg        = ss->pkcs11PinArg;
+    SECStatus         rv           = SECFailure;
+    PRBool            isServer     = ss->sec.isServer;
+    CK_MECHANISM_TYPE mechanism    = CKM_INVALID_MECHANISM;
+    symKeySlot = PK11_GetSlotFromKey(spec->master_secret);
+    if (!isServer) {
+	int  wrapKeyIndex;
+	int  incarnation;
+
+	/* these next few functions are mere accessors and don't fail. */
+	sid->u.ssl3.masterWrapIndex  = wrapKeyIndex =
+				       PK11_GetCurrentWrapIndex(symKeySlot);
+	PORT_Assert(wrapKeyIndex == 0);	/* array has only one entry! */
+
+	sid->u.ssl3.masterWrapSeries = incarnation =
+				       PK11_GetSlotSeries(symKeySlot);
+	sid->u.ssl3.masterSlotID   = PK11_GetSlotID(symKeySlot);
+	sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
+	sid->u.ssl3.masterValid    = PR_TRUE;
+	/* Get the default wrapping key, for wrapping the master secret before
+	 * placing it in the SID cache entry. */
+	wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
+				      CKM_INVALID_MECHANISM, incarnation,
+				      pwArg);
+	if (wrappingKey) {
+	    mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
+	} else {
+	    int keyLength;
+	    /* if the wrappingKey doesn't exist, attempt to create it.
+	     * Note: we intentionally ignore errors here.  If we cannot
+	     * generate a wrapping key, it is not fatal to this SSL connection,
+	     * but we will not be able to restart this session.
+	     */
+	    mechanism = PK11_GetBestWrapMechanism(symKeySlot);
+	    keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
+	    /* Zero length means fixed key length algorithm, or error.
+	     * It's ambiguous.
+	     */
+	    wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
+				      keyLength, pwArg);
+	    if (wrappingKey) {
+		PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
+	    }
+	}
+    } else {
+	/* server socket using session cache. */
+	mechanism = PK11_GetBestWrapMechanism(symKeySlot);
+	if (mechanism != CKM_INVALID_MECHANISM) {
+	    wrappingKey =
+		getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
+			       mechanism, pwArg);
+	    if (wrappingKey) {
+		mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
+	    }
+	}
+    }
+
+    sid->u.ssl3.masterWrapMech = mechanism;
+    PK11_FreeSlot(symKeySlot);
+
+    if (wrappingKey) {
+	SECItem wmsItem;
+
+	wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
+	wmsItem.len  = sizeof sid->u.ssl3.keys.wrapped_master_secret;
+	rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
+			     spec->master_secret, &wmsItem);
+	/* rv is examined below. */
+	sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
+	PK11_FreeSymKey(wrappingKey);
+    }
+    return rv;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Finished message from the peer.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+		    const SSL3Hashes *hashes)
+{
+    sslSessionID *    sid	   = ss->sec.ci.sid;
+    SECStatus         rv           = SECSuccess;
+    PRBool            isServer     = ss->sec.isServer;
+    PRBool            isTLS;
+    PRBool            doStepUp;
+    SSL3KEAType       effectiveExchKeyType;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
+    	SSL_GETPID(), ss->fd));
+
+    if (ss->ssl3.hs.ws != wait_finished) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
+	return SECFailure;
+    }
+
+    isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
+    if (isTLS) {
+	TLSFinished tlsFinished;
+
+	if (length != sizeof tlsFinished) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
+	    return SECFailure;
+	}
+	rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 
+	                             hashes, &tlsFinished);
+	if (rv != SECSuccess ||
+	    0 != PORT_Memcmp(&tlsFinished, b, length)) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
+	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+	    return SECFailure;
+	}
+    } else {
+	if (length != sizeof(SSL3Hashes)) {
+	    (void)ssl3_IllegalParameter(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
+	    return SECFailure;
+	}
+
+	if (0 != PORT_Memcmp(hashes, b, length)) {
+	    (void)ssl3_HandshakeFailure(ss);
+	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+	    return SECFailure;
+	}
+    }
+
+    doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake);
+
+    ssl_GetXmitBufLock(ss);	/*************************************/
+
+    if ((isServer && !ss->ssl3.hs.isResuming) ||
+	(!isServer && ss->ssl3.hs.isResuming)) {
+	PRInt32 flags = 0;
+
+	/* Send a NewSessionTicket message if the client sent us
+	 * either an empty session ticket, or one that did not verify.
+	 * (Note that if either of these conditions was met, then the
+	 * server has sent a SessionTicket extension in the
+	 * ServerHello message.)
+	 */
+	if (isServer && !ss->ssl3.hs.isResuming &&
+	    ssl3_ExtensionNegotiated(ss, session_ticket_xtn)) {
+	    rv = ssl3_SendNewSessionTicket(ss);
+	    if (rv != SECSuccess) {
+		goto xmit_loser;
+	    }
+	}
+
+	rv = ssl3_SendChangeCipherSpecs(ss);
+	if (rv != SECSuccess) {
+	    goto xmit_loser;	/* err is set. */
+	}
+	/* If this thread is in SSL_SecureSend (trying to write some data) 
+	** or if it is going to step up, 
+	** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 
+	** last two handshake messages (change cipher spec and finished) 
+	** will be sent in the same send/write call as the application data.
+	*/
+	if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
+	    flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
+	}
+	rv = ssl3_SendFinished(ss, flags);
+	if (rv != SECSuccess) {
+	    goto xmit_loser;	/* err is set. */
+	}
+    }
+
+    /* Optimization: don't cache this connection if we're going to step up. */
+    if (doStepUp) {
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid     = sid = NULL;
+	ss->ssl3.hs.rehandshake = PR_FALSE;
+	rv = ssl3_SendClientHello(ss);
+xmit_loser:
+	ssl_ReleaseXmitBufLock(ss);
+	return rv;	/* err code is set if appropriate. */
+    }
+
+    ssl_ReleaseXmitBufLock(ss);	/*************************************/
+
+    /* The first handshake is now completed. */
+    ss->handshake           = NULL;
+    ss->firstHsDone         = PR_TRUE;
+    ss->gs.writeOffset = 0;
+    ss->gs.readOffset  = 0;
+
+    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+	effectiveExchKeyType = kt_rsa;
+    } else {
+	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+    }
+
+    if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
+	/* fill in the sid */
+	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
+	sid->u.ssl3.compression = ss->ssl3.hs.compression;
+	sid->u.ssl3.policy      = ss->ssl3.policy;
+#ifdef NSS_ENABLE_ECC
+	sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
+#endif
+	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
+	sid->version            = ss->version;
+	sid->authAlgorithm      = ss->sec.authAlgorithm;
+	sid->authKeyBits        = ss->sec.authKeyBits;
+	sid->keaType            = ss->sec.keaType;
+	sid->keaKeyBits         = ss->sec.keaKeyBits;
+	sid->lastAccessTime     = sid->creationTime = ssl_Time();
+	sid->expirationTime     = sid->creationTime + ssl3_sid_timeout;
+	sid->localCert          = CERT_DupCertificate(ss->sec.localCert);
+
+	ssl_GetSpecReadLock(ss);	/*************************************/
+
+	/* Copy the master secret (wrapped or unwrapped) into the sid */
+	if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
+	    sid->u.ssl3.keys.wrapped_master_secret_len = 
+			    ss->ssl3.crSpec->msItem.len;
+	    memcpy(sid->u.ssl3.keys.wrapped_master_secret, 
+		   ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
+	    sid->u.ssl3.masterValid    = PR_TRUE;
+	    sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
+	    rv = SECSuccess;
+	} else {
+	    rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid,
+					       ss->ssl3.crSpec,
+					       effectiveExchKeyType);
+	    sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
+	}
+	ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+	/* If the wrap failed, we don't cache the sid.
+	 * The connection continues normally however.
+	 */
+	if (rv == SECSuccess) {
+	    (*ss->sec.cache)(sid);
+	}
+    }
+    ss->ssl3.hs.ws = idle_handshake;
+
+    /* Do the handshake callback for sslv3 here. */
+    if (ss->handshakeCallback != NULL) {
+	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+    }
+
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
+ * hanshake message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    SECStatus         rv 	= SECSuccess;
+    SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
+    SSL3Hashes        hashes;	/* computed hashes are put here. */
+    PRUint8           hdr[4];
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    /*
+     * We have to compute the hashes before we update them with the
+     * current message.
+     */
+    ssl_GetSpecReadLock(ss);	/************************************/
+    if((type == finished) || (type == certificate_verify)) {
+	SSL3Sender      sender = (SSL3Sender)0;
+	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
+
+	if (type == finished) {
+	    sender = ss->sec.isServer ? sender_client : sender_server;
+	    rSpec  = ss->ssl3.crSpec;
+	}
+	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
+    }
+    ssl_ReleaseSpecReadLock(ss); /************************************/
+    if (rv != SECSuccess) {
+	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
+    }
+    SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
+		ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
+    PRINT_BUF(60, (ss, "MD5 handshake hash:",
+    	      (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
+    PRINT_BUF(95, (ss, "SHA handshake hash:",
+    	      (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
+
+    hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
+    hdr[1] = (PRUint8)(length >> 16);
+    hdr[2] = (PRUint8)(length >>  8);
+    hdr[3] = (PRUint8)(length      );
+
+    /* Start new handshake hashes when we start a new handshake */
+    if (ss->ssl3.hs.msg_type == client_hello) {
+	SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
+		SSL_GETPID(), ss->fd ));
+	rv = ssl3_RestartHandshakeHashes(ss);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    /* We should not include hello_request messages in the handshake hashes */
+    if (ss->ssl3.hs.msg_type != hello_request) {
+	rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
+	if (rv != SECSuccess) return rv;	/* err code already set. */
+	rv = ssl3_UpdateHandshakeHashes(ss, b, length);
+	if (rv != SECSuccess) return rv;	/* err code already set. */
+    }
+
+    PORT_SetError(0);	/* each message starts with no error. */
+    switch (ss->ssl3.hs.msg_type) {
+    case hello_request:
+	if (length != 0) {
+	    (void)ssl3_DecodeError(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
+	    return SECFailure;
+	}
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleHelloRequest(ss);
+	break;
+    case client_hello:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleClientHello(ss, b, length);
+	break;
+    case server_hello:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerHello(ss, b, length);
+	break;
+    case certificate:
+	rv = ssl3_HandleCertificate(ss, b, length);
+	break;
+    case server_key_exchange:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerKeyExchange(ss, b, length);
+	break;
+    case certificate_request:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleCertificateRequest(ss, b, length);
+	break;
+    case server_hello_done:
+	if (length != 0) {
+	    (void)ssl3_DecodeError(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
+	    return SECFailure;
+	}
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerHelloDone(ss);
+	break;
+    case certificate_verify:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
+	break;
+    case client_key_exchange:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleClientKeyExchange(ss, b, length);
+	break;
+    case new_session_ticket:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleNewSessionTicket(ss, b, length);
+	break;
+    case finished:
+        rv = ssl3_HandleFinished(ss, b, length, &hashes);
+	break;
+    default:
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
+ * origBuf is the decrypted ssl record content.
+ * Caller must hold the handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
+{
+    /*
+     * There may be a partial handshake message already in the handshake
+     * state. The incoming buffer may contain another portion, or a
+     * complete message or several messages followed by another portion.
+     *
+     * Each message is made contiguous before being passed to the actual
+     * message parser.
+     */
+    sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
+    SECStatus rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (buf->buf == NULL) {
+	*buf = *origBuf;
+    }
+    while (buf->len > 0) {
+	if (ss->ssl3.hs.header_bytes < 4) {
+	    uint8 t;
+	    t = *(buf->buf++);
+	    buf->len--;
+	    if (ss->ssl3.hs.header_bytes++ == 0)
+		ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
+	    else
+		ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
+	    if (ss->ssl3.hs.header_bytes < 4)
+	    	continue;
+
+#define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
+	    if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
+		(void)ssl3_DecodeError(ss);
+		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		return SECFailure;
+	    }
+#undef MAX_HANDSHAKE_MSG_LEN
+
+	    /* If msg_len is zero, be sure we fall through, 
+	    ** even if buf->len is zero. 
+	    */
+	    if (ss->ssl3.hs.msg_len > 0) 
+	    	continue;
+	}
+
+	/*
+	 * Header has been gathered and there is at least one byte of new
+	 * data available for this message. If it can be done right out
+	 * of the original buffer, then use it from there.
+	 */
+	if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
+	    /* handle it from input buffer */
+	    rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
+	    if (rv == SECFailure) {
+		/* This test wants to fall through on either
+		 * SECSuccess or SECWouldBlock.
+		 * ssl3_HandleHandshakeMessage MUST set the error code.
+		 */
+		return rv;
+	    }
+	    buf->buf += ss->ssl3.hs.msg_len;
+	    buf->len -= ss->ssl3.hs.msg_len;
+	    ss->ssl3.hs.msg_len = 0;
+	    ss->ssl3.hs.header_bytes = 0;
+	    if (rv != SECSuccess) { /* return if SECWouldBlock. */
+		return rv;
+	    }
+	} else {
+	    /* must be copied to msg_body and dealt with from there */
+	    unsigned int bytes;
+
+	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
+	    bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
+
+	    /* Grow the buffer if needed */
+	    rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
+	    if (rv != SECSuccess) {
+		/* sslBuffer_Grow has set a memory error code. */
+		return SECFailure;
+	    }
+
+	    PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
+		        buf->buf, bytes);
+	    ss->ssl3.hs.msg_body.len += bytes;
+	    buf->buf += bytes;
+	    buf->len -= bytes;
+
+	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
+
+	    /* if we have a whole message, do it */
+	    if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
+		rv = ssl3_HandleHandshakeMessage(
+		    ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
+		/*
+		 * XXX This appears to be wrong.  This error handling
+		 * should clean up after a SECWouldBlock return, like the
+		 * error handling used 40 lines before/above this one,
+		 */
+		if (rv != SECSuccess) {
+		    /* ssl3_HandleHandshakeMessage MUST set error code. */
+		    return rv;
+		}
+		ss->ssl3.hs.msg_body.len = 0;
+		ss->ssl3.hs.msg_len      = 0;
+		ss->ssl3.hs.header_bytes = 0;
+	    } else {
+		PORT_Assert(buf->len == 0);
+		break;
+	    }
+	}
+    }	/* end loop */
+
+    origBuf->len = 0;	/* So ssl3_GatherAppDataRecord will keep looping. */
+    buf->buf = NULL;	/* not a leak. */
+    return SECSuccess;
+}
+
+/* if cText is non-null, then decipher, check MAC, and decompress the
+ * SSL record from cText->buf (typically gs->inbuf)
+ * into databuf (typically gs->buf), and any previous contents of databuf
+ * is lost.  Then handle databuf according to its SSL record type,
+ * unless it's an application record.
+ *
+ * If cText is NULL, then the ciphertext has previously been deciphered and
+ * checked, and is already sitting in databuf.  It is processed as an SSL
+ * Handshake message.
+ *
+ * DOES NOT process the decrypted/decompressed application data.
+ * On return, databuf contains the decrypted/decompressed record.
+ *
+ * Called from ssl3_GatherCompleteHandshake
+ *             ssl3_RestartHandshakeAfterCertReq
+ *             ssl3_RestartHandshakeAfterServerCert
+ *
+ * Caller must hold the RecvBufLock.
+ *
+ * This function aquires and releases the SSL3Handshake Lock, holding the
+ * lock around any calls to functions that handle records other than
+ * Application Data records.
+ */
+SECStatus
+ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
+{
+const ssl3BulkCipherDef *cipher_def;
+    ssl3CipherSpec *     crSpec;
+    SECStatus            rv;
+    unsigned int         hashBytes		= MAX_MAC_LENGTH + 1;
+    unsigned int         padding_length;
+    PRBool               isTLS;
+    PRBool               padIsBad               = PR_FALSE;
+    SSL3ContentType      rType;
+    SSL3Opaque           hash[MAX_MAC_LENGTH];
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
+    if (!ss->ssl3.initialized) {
+	ssl_GetSSL3HandshakeLock(ss);
+	rv = ssl3_InitState(ss);
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	if (rv != SECSuccess) {
+	    return rv;		/* ssl3_InitState has set the error code. */
+    	}
+    }
+
+    /* check for Token Presence */
+    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
+	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+	return SECFailure;
+    }
+
+    /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
+     * This implies that databuf holds a previously deciphered SSL Handshake
+     * message.
+     */
+    if (cText == NULL) {
+	SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
+		 SSL_GETPID(), ss->fd));
+	rType = content_handshake;
+	goto process_it;
+    }
+
+    databuf->len = 0; /* filled in by decode call below. */
+    if (databuf->space < MAX_FRAGMENT_LENGTH) {
+	rv = sslBuffer_Grow(databuf, MAX_FRAGMENT_LENGTH + 2048);
+	if (rv != SECSuccess) {
+	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
+		     SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
+	    /* sslBuffer_Grow has set a memory error code. */
+	    /* Perhaps we should send an alert. (but we have no memory!) */
+	    return SECFailure;
+	}
+    }
+
+    PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
+
+    ssl_GetSpecReadLock(ss); /******************************************/
+
+    crSpec = ss->ssl3.crSpec;
+    cipher_def = crSpec->cipher_def;
+    isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal, record_overflow);
+	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+	return SECFailure;
+    }
+    /* decrypt from cText buf to databuf. */
+    rv = crSpec->decode(
+	crSpec->decodeContext, databuf->buf, (int *)&databuf->len,
+	databuf->space, cText->buf->buf, cText->buf->len);
+
+    PRINT_BUF(80, (ss, "cleartext:", databuf->buf, databuf->len));
+    if (rv != SECSuccess) {
+	int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal,
+	               isTLS ? decryption_failed : bad_record_mac);
+	PORT_SetError(err);
+	return SECFailure;
+    }
+
+    /* If it's a block cipher, check and strip the padding. */
+    if (cipher_def->type == type_block) {
+	padding_length = *(databuf->buf + databuf->len - 1);
+	/* TLS permits padding to exceed the block size, up to 255 bytes. */
+	if (padding_length + 1 + crSpec->mac_size > databuf->len)
+	    padIsBad = PR_TRUE;
+	/* if TLS, check value of first padding byte. */
+	else if (padding_length && isTLS && 
+	         padding_length != 
+	                 *(databuf->buf + databuf->len - (padding_length + 1)))
+	    padIsBad = PR_TRUE;
+	else
+	    databuf->len -= padding_length + 1;
+    }
+
+    /* Remove the MAC. */
+    if (databuf->len >= crSpec->mac_size)
+	databuf->len -= crSpec->mac_size;
+    else
+    	padIsBad = PR_TRUE;	/* really macIsBad */
+
+    /* compute the MAC */
+    rType = cText->type;
+    rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
+	rType, cText->version, crSpec->read_seq_num, 
+	databuf->buf, databuf->len, hash, &hashBytes);
+    if (rv != SECSuccess) {
+	int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+	PORT_SetError(err);
+	return rv;
+    }
+
+    /* Check the MAC */
+    if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
+	PORT_Memcmp(databuf->buf + databuf->len, hash, crSpec->mac_size) != 0) {
+	/* must not hold spec lock when calling SSL3_SendAlert. */
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+	/* always log mac error, in case attacker can read server logs. */
+	PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+
+	SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
+
+	return SECFailure;
+    }
+
+    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+
+    ssl_ReleaseSpecReadLock(ss); /*****************************************/
+
+    /*
+     * The decrypted data is now in databuf.
+     *
+     * the null decompression routine is right here
+     */
+
+    /*
+    ** Having completed the decompression, check the length again. 
+    */
+    if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
+	SSL3_SendAlert(ss, alert_fatal, record_overflow);
+	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+	return SECFailure;
+    }
+
+    /* Application data records are processed by the caller of this
+    ** function, not by this function.
+    */
+    if (rType == content_application_data) {
+    	return SECSuccess;
+    }
+
+    /* It's a record that must be handled by ssl itself, not the application.
+    */
+process_it:
+    /* XXX  Get the xmit lock here.  Odds are very high that we'll be xmiting
+     * data ang getting the xmit lock here prevents deadlocks.
+     */
+    ssl_GetSSL3HandshakeLock(ss);
+
+    /* All the functions called in this switch MUST set error code if
+    ** they return SECFailure or SECWouldBlock.
+    */
+    switch (rType) {
+    case content_change_cipher_spec:
+	rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
+	break;
+    case content_alert:
+	rv = ssl3_HandleAlert(ss, databuf);
+	break;
+    case content_handshake:
+	rv = ssl3_HandleHandshake(ss, databuf);
+	break;
+    /*
+    case content_application_data is handled before this switch
+    */
+    default:
+	SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
+		 SSL_GETPID(), ss->fd, cText->type));
+	/* XXX Send an alert ???  */
+	PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
+	rv = SECFailure;
+	break;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return rv;
+
+}
+
+/*
+ * Initialization functions
+ */
+
+/* Called from ssl3_InitState, immediately below. */
+/* Caller must hold the SpecWriteLock. */
+static void
+ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
+{
+    spec->cipher_def               = &bulk_cipher_defs[cipher_null];
+    PORT_Assert(spec->cipher_def->cipher == cipher_null);
+    spec->mac_def                  = &mac_defs[mac_null];
+    PORT_Assert(spec->mac_def->mac == mac_null);
+    spec->encode                   = Null_Cipher;
+    spec->decode                   = Null_Cipher;
+    spec->destroy                  = NULL;
+    spec->mac_size                 = 0;
+    spec->master_secret            = NULL;
+    spec->bypassCiphers            = PR_FALSE;
+
+    spec->msItem.data              = NULL;
+    spec->msItem.len               = 0;
+
+    spec->client.write_key         = NULL;
+    spec->client.write_mac_key     = NULL;
+    spec->client.write_mac_context = NULL;
+
+    spec->server.write_key         = NULL;
+    spec->server.write_mac_key     = NULL;
+    spec->server.write_mac_context = NULL;
+
+    spec->write_seq_num.high       = 0;
+    spec->write_seq_num.low        = 0;
+
+    spec->read_seq_num.high        = 0;
+    spec->read_seq_num.low         = 0;
+
+    spec->version                  = ss->opt.enableTLS
+                                          ? SSL_LIBRARY_VERSION_3_1_TLS
+                                          : SSL_LIBRARY_VERSION_3_0;
+}
+
+/* Called from:	ssl3_SendRecord
+**		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
+**		ssl3_SendClientHello()
+**		ssl3_HandleServerHello()
+**		ssl3_HandleClientHello()
+**		ssl3_HandleV2ClientHello()
+**		ssl3_HandleRecord()
+**
+** This function should perhaps acquire and release the SpecWriteLock.
+**
+**
+*/
+static SECStatus
+ssl3_InitState(sslSocket *ss)
+{
+    SECStatus    rv;
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    if (ss->ssl3.initialized)
+    	return SECSuccess;	/* Function should be idempotent */
+
+    ss->ssl3.policy = SSL_ALLOWED;
+
+    ssl_GetSpecWriteLock(ss);
+    ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
+    ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
+    ss->ssl3.hs.rehandshake = PR_FALSE;
+    ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
+    ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
+
+    ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
+#ifdef NSS_ENABLE_ECC
+    ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
+#endif
+    ssl_ReleaseSpecWriteLock(ss);
+
+    PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
+
+    rv = ssl3_NewHandshakeHashes(ss);
+    if (rv == SECSuccess) {
+	ss->ssl3.initialized = PR_TRUE;
+    }
+
+    return rv;
+}
+
+/* Returns a reference counted object that contains a key pair.
+ * Or NULL on failure.  Initial ref count is 1.
+ * Uses the keys in the pair as input.
+ */
+ssl3KeyPair *
+ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
+{
+    ssl3KeyPair * pair;
+
+    if (!privKey || !pubKey) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return NULL;
+    }
+    pair = PORT_ZNew(ssl3KeyPair);
+    if (!pair)
+    	return NULL;			/* error code is set. */
+    pair->refCount = 1;
+    pair->privKey  = privKey;
+    pair->pubKey   = pubKey;
+    return pair;			/* success */
+}
+
+ssl3KeyPair *
+ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
+{
+    PR_AtomicIncrement(&keyPair->refCount);
+    return keyPair;
+}
+
+void
+ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
+{
+    PRInt32 newCount =  PR_AtomicDecrement(&keyPair->refCount);
+    if (!newCount) {
+	if (keyPair->privKey)
+	    SECKEY_DestroyPrivateKey(keyPair->privKey);
+	if (keyPair->pubKey)
+	    SECKEY_DestroyPublicKey( keyPair->pubKey);
+    	PORT_Free(keyPair);
+    }
+}
+
+
+
+/*
+ * Creates the public and private RSA keys for SSL Step down.
+ * Called from SSL_ConfigSecureServer in sslsecur.c
+ */
+SECStatus
+ssl3_CreateRSAStepDownKeys(sslSocket *ss)
+{
+    SECStatus             rv  	 = SECSuccess;
+    SECKEYPrivateKey *    privKey;		/* RSA step down key */
+    SECKEYPublicKey *     pubKey;		/* RSA step down key */
+
+    if (ss->stepDownKeyPair)
+	ssl3_FreeKeyPair(ss->stepDownKeyPair);
+    ss->stepDownKeyPair = NULL;
+#ifndef HACKED_EXPORT_SERVER
+    /* Sigh, should have a get key strength call for private keys */
+    if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
+                                                     EXPORT_RSA_KEY_LENGTH) {
+	/* need to ask for the key size in bits */
+	privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
+					     &pubKey, NULL);
+    	if (!privKey || !pubKey ||
+	    !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
+	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	    rv = SECFailure;
+	}
+    }
+#endif
+    return rv;
+}
+
+
+/* record the export policy for this cipher suite */
+SECStatus
+ssl3_SetPolicy(ssl3CipherSuite which, int policy)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->policy = policy;
+
+    if (policy == SSL_RESTRICTED) {
+	ssl3_global_policy_some_restricted = PR_TRUE;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRInt32             policy;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite) {
+    	policy = suite->policy;
+	rv     = SECSuccess;
+    } else {
+    	policy = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *oPolicy = policy;
+    return rv;
+}
+
+/* record the user preference for this suite */
+SECStatus
+ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->enabled = enabled;
+    return SECSuccess;
+}
+
+/* return the user preference for this suite */
+SECStatus
+ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRBool              pref;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite) {
+    	pref   = suite->enabled;
+	rv     = SECSuccess;
+    } else {
+    	pref   = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *enabled = pref;
+    return rv;
+}
+
+SECStatus
+ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->enabled = enabled;
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRBool              pref;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
+    if (suite) {
+    	pref   = suite->enabled;
+	rv     = SECSuccess;
+    } else {
+    	pref   = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *enabled = pref;
+    return rv;
+}
+
+/* copy global default policy into socket. */
+void
+ssl3_InitSocketPolicy(sslSocket *ss)
+{
+    PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
+}
+
+/* ssl3_config_match_init must have already been called by
+ * the caller of this function.
+ */
+SECStatus
+ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
+{
+    int i, count = 0;
+
+    PORT_Assert(ss != 0);
+    if (!ss) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+    	*size = 0;
+	return SECSuccess;
+    }
+    if (cs == NULL) {
+	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
+	return SECSuccess;
+    }
+
+    /* ssl3_config_match_init was called by the caller of this function. */
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
+	    if (cs != NULL) {
+		*cs++ = 0x00;
+		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
+		*cs++ =  suite->cipher_suite       & 0xFF;
+	    }
+	    count++;
+	}
+    }
+    *size = count;
+    return SECSuccess;
+}
+
+/*
+** If ssl3 socket has completed the first handshake, and is in idle state, 
+** then start a new handshake.
+** If flushCache is true, the SID cache will be flushed first, forcing a
+** "Full" handshake (not a session restart handshake), to be done.
+**
+** called from SSL_RedoHandshake(), which already holds the handshake locks.
+*/
+SECStatus
+ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
+{
+    sslSessionID *   sid = ss->sec.ci.sid;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (!ss->firstHsDone ||
+        ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
+	 ss->ssl3.initialized && 
+	 (ss->ssl3.hs.ws != idle_handshake))) {
+	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
+	return SECFailure;
+    }
+    if (sid && flushCache) {
+	ss->sec.uncache(sid);	/* remove it from whichever cache it's in. */
+	ssl_FreeSID(sid);	/* dec ref count and free if zero. */
+	ss->sec.ci.sid = NULL;
+    }
+
+    ssl_GetXmitBufLock(ss);	/**************************************/
+
+    /* start off a new handshake. */
+    rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
+                            : ssl3_SendClientHello(ss);
+
+    ssl_ReleaseXmitBufLock(ss);	/**************************************/
+    return rv;
+}
+
+/* Called from ssl_DestroySocketContents() in sslsock.c */
+void
+ssl3_DestroySSL3Info(sslSocket *ss)
+{
+
+    if (ss->ssl3.clientCertificate != NULL)
+	CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+
+    if (ss->ssl3.clientPrivateKey != NULL)
+	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+
+    if (ss->ssl3.peerCertArena != NULL)
+	ssl3_CleanupPeerCerts(ss);
+
+    if (ss->ssl3.clientCertChain != NULL) {
+       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
+       ss->ssl3.clientCertChain = NULL;
+    }
+
+    /* clean up handshake */
+    if (ss->opt.bypassPKCS11) {
+	SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
+	MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
+    } 
+    if (ss->ssl3.hs.md5) {
+	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
+    }
+    if (ss->ssl3.hs.sha) {
+	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
+    }
+    if (ss->ssl3.hs.messages.buf) {
+    	PORT_Free(ss->ssl3.hs.messages.buf);
+	ss->ssl3.hs.messages.buf = NULL;
+	ss->ssl3.hs.messages.len = 0;
+	ss->ssl3.hs.messages.space = 0;
+    }
+
+    /* free the SSL3Buffer (msg_body) */
+    PORT_Free(ss->ssl3.hs.msg_body.buf);
+
+    /* free up the CipherSpecs */
+    ssl3_DestroyCipherSpec(&ss->ssl3.specs[0]);
+    ssl3_DestroyCipherSpec(&ss->ssl3.specs[1]);
+
+    ss->ssl3.initialized = PR_FALSE;
+}
+
+/* End of ssl3con.c */
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
new file mode 100644
index 000000000..af0e2c9b6
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -0,0 +1,1193 @@
+/*
+ * SSL3 Protocol
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* ECC code moved here from ssl3con.c */
+/* $Id$ */
+
+#include "nss.h"
+#include "cert.h"
+#include "ssl.h"
+#include "cryptohi.h"	/* for DSAU_ stuff */
+#include "keyhi.h"
+#include "secder.h"
+#include "secitem.h"
+
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "sslerr.h"
+#include "prtime.h"
+#include "prinrval.h"
+#include "prerror.h"
+#include "pratom.h"
+#include "prthread.h"
+#include "prinit.h"
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "ec.h"
+#include "blapi.h"
+
+#include <stdio.h>
+
+#ifdef NSS_ENABLE_ECC
+
+#ifndef PK11_SETATTRS
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+#endif
+
+#define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
+    (ss->serverCerts[type].serverKeyPair ? \
+    ss->serverCerts[type].serverKeyPair->pubKey : NULL)
+
+#define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
+    ((curveName > ec_noName) && \
+     (curveName < ec_pastLastName) && \
+     ((1UL << curveName) & curvemsk) != 0)
+
+
+
+static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
+
+#define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
+
+/* Table containing OID tags for elliptic curves named in the
+ * ECC-TLS IETF draft.
+ */
+static const SECOidTag ecName2OIDTag[] = {
+	0,  
+	SEC_OID_SECG_EC_SECT163K1,  /*  1 */
+	SEC_OID_SECG_EC_SECT163R1,  /*  2 */
+	SEC_OID_SECG_EC_SECT163R2,  /*  3 */
+	SEC_OID_SECG_EC_SECT193R1,  /*  4 */
+	SEC_OID_SECG_EC_SECT193R2,  /*  5 */
+	SEC_OID_SECG_EC_SECT233K1,  /*  6 */
+	SEC_OID_SECG_EC_SECT233R1,  /*  7 */
+	SEC_OID_SECG_EC_SECT239K1,  /*  8 */
+	SEC_OID_SECG_EC_SECT283K1,  /*  9 */
+	SEC_OID_SECG_EC_SECT283R1,  /* 10 */
+	SEC_OID_SECG_EC_SECT409K1,  /* 11 */
+	SEC_OID_SECG_EC_SECT409R1,  /* 12 */
+	SEC_OID_SECG_EC_SECT571K1,  /* 13 */
+	SEC_OID_SECG_EC_SECT571R1,  /* 14 */
+	SEC_OID_SECG_EC_SECP160K1,  /* 15 */
+	SEC_OID_SECG_EC_SECP160R1,  /* 16 */
+	SEC_OID_SECG_EC_SECP160R2,  /* 17 */
+	SEC_OID_SECG_EC_SECP192K1,  /* 18 */
+	SEC_OID_SECG_EC_SECP192R1,  /* 19 */
+	SEC_OID_SECG_EC_SECP224K1,  /* 20 */
+	SEC_OID_SECG_EC_SECP224R1,  /* 21 */
+	SEC_OID_SECG_EC_SECP256K1,  /* 22 */
+	SEC_OID_SECG_EC_SECP256R1,  /* 23 */
+	SEC_OID_SECG_EC_SECP384R1,  /* 24 */
+	SEC_OID_SECG_EC_SECP521R1,  /* 25 */
+};
+
+static const PRUint16 curve2bits[] = {
+	  0, /*  ec_noName     = 0,   */
+	163, /*  ec_sect163k1  = 1,   */
+	163, /*  ec_sect163r1  = 2,   */
+	163, /*  ec_sect163r2  = 3,   */
+	193, /*  ec_sect193r1  = 4,   */
+	193, /*  ec_sect193r2  = 5,   */
+	233, /*  ec_sect233k1  = 6,   */
+	233, /*  ec_sect233r1  = 7,   */
+	239, /*  ec_sect239k1  = 8,   */
+	283, /*  ec_sect283k1  = 9,   */
+	283, /*  ec_sect283r1  = 10,  */
+	409, /*  ec_sect409k1  = 11,  */
+	409, /*  ec_sect409r1  = 12,  */
+	571, /*  ec_sect571k1  = 13,  */
+	571, /*  ec_sect571r1  = 14,  */
+	160, /*  ec_secp160k1  = 15,  */
+	160, /*  ec_secp160r1  = 16,  */
+	160, /*  ec_secp160r2  = 17,  */
+	192, /*  ec_secp192k1  = 18,  */
+	192, /*  ec_secp192r1  = 19,  */
+	224, /*  ec_secp224k1  = 20,  */
+	224, /*  ec_secp224r1  = 21,  */
+	256, /*  ec_secp256k1  = 22,  */
+	256, /*  ec_secp256r1  = 23,  */
+	384, /*  ec_secp384r1  = 24,  */
+	521, /*  ec_secp521r1  = 25,  */
+      65535  /*  ec_pastLastName      */
+};
+
+typedef struct Bits2CurveStr {
+    PRUint16    bits;
+    ECName      curve;
+} Bits2Curve;
+
+static const Bits2Curve bits2curve [] = {
+   {	192,     ec_secp192r1    /*  = 19,  fast */  },
+   {	160,     ec_secp160r2    /*  = 17,  fast */  },
+   {	160,     ec_secp160k1    /*  = 15,  */       },
+   {	160,     ec_secp160r1    /*  = 16,  */       },
+   {	163,     ec_sect163k1    /*  = 1,   */       },
+   {	163,     ec_sect163r1    /*  = 2,   */       },
+   {	163,     ec_sect163r2    /*  = 3,   */       },
+   {	192,     ec_secp192k1    /*  = 18,  */       },
+   {	193,     ec_sect193r1    /*  = 4,   */       },
+   {	193,     ec_sect193r2    /*  = 5,   */       },
+   {	224,     ec_secp224r1    /*  = 21,  fast */  },
+   {	224,     ec_secp224k1    /*  = 20,  */       },
+   {	233,     ec_sect233k1    /*  = 6,   */       },
+   {	233,     ec_sect233r1    /*  = 7,   */       },
+   {	239,     ec_sect239k1    /*  = 8,   */       },
+   {	256,     ec_secp256r1    /*  = 23,  fast */  },
+   {	256,     ec_secp256k1    /*  = 22,  */       },
+   {	283,     ec_sect283k1    /*  = 9,   */       },
+   {	283,     ec_sect283r1    /*  = 10,  */       },
+   {	384,     ec_secp384r1    /*  = 24,  fast */  },
+   {	409,     ec_sect409k1    /*  = 11,  */       },
+   {	409,     ec_sect409r1    /*  = 12,  */       },
+   {	521,     ec_secp521r1    /*  = 25,  fast */  },
+   {	571,     ec_sect571k1    /*  = 13,  */       },
+   {	571,     ec_sect571r1    /*  = 14,  */       },
+   {  65535,     ec_noName    }
+};
+
+typedef struct ECDHEKeyPairStr {
+    ssl3KeyPair *  pair;
+    int            error;  /* error code of the call-once function */
+    PRCallOnceType once;
+} ECDHEKeyPair;
+
+/* arrays of ECDHE KeyPairs */
+static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName];
+
+SECStatus 
+ssl3_ECName2Params(PRArenaPool * arena, ECName curve, SECKEYECParams * params)
+{
+    SECOidData *oidData = NULL;
+
+    if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
+	((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
+        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	return SECFailure;
+    }
+
+    SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
+    /* 
+     * params->data needs to contain the ASN encoding of an object ID (OID)
+     * representing the named curve. The actual OID is in 
+     * oidData->oid.data so we simply prepend 0x06 and OID length
+     */
+    params->data[0] = SEC_ASN1_OBJECT_ID;
+    params->data[1] = oidData->oid.len;
+    memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
+
+    return SECSuccess;
+}
+
+static ECName 
+params2ecName(SECKEYECParams * params)
+{
+    SECItem oid = { siBuffer, NULL, 0};
+    SECOidData *oidData = NULL;
+    ECName i;
+
+    /* 
+     * params->data needs to contain the ASN encoding of an object ID (OID)
+     * representing a named curve. Here, we strip away everything
+     * before the actual OID and use the OID to look up a named curve.
+     */
+    if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
+    oid.len = params->len - 2;
+    oid.data = params->data + 2;
+    if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
+    for (i = ec_noName + 1; i < ec_pastLastName; i++) {
+	if (ecName2OIDTag[i] == oidData->offset)
+	    return i;
+    }
+
+    return ec_noName;
+}
+
+/* Caller must set hiLevel error code. */
+static SECStatus
+ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint,
+			     SSL3Random *client_rand, SSL3Random *server_rand,
+			     SSL3Hashes *hashes, PRBool bypassPKCS11)
+{
+    PRUint8     * hashBuf;
+    PRUint8     * pBuf;
+    SECStatus     rv 		= SECSuccess;
+    unsigned int  bufLen;
+    /*
+     * XXX For now, we only support named curves (the appropriate
+     * checks are made before this method is called) so ec_params
+     * takes up only two bytes. ECPoint needs to fit in 256 bytes
+     * (because the spec says the length must fit in one byte)
+     */
+    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
+
+    bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
+    if (bufLen <= sizeof buf) {
+    	hashBuf = buf;
+    } else {
+    	hashBuf = PORT_Alloc(bufLen);
+	if (!hashBuf) {
+	    return SECFailure;
+	}
+    }
+
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
+    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
+    	pBuf += SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, ec_params.data, ec_params.len);
+    	pBuf += ec_params.len;
+    pBuf[0] = (PRUint8)(server_ecpoint.len);
+    pBuf += 1;
+    memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
+    	pBuf += server_ecpoint.len;
+    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
+
+    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
+
+    PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
+    PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
+    PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
+
+    if (hashBuf != buf && hashBuf != NULL)
+    	PORT_Free(hashBuf);
+    return rv;
+}
+
+
+/* Called from ssl3_SendClientKeyExchange(). */
+SECStatus
+ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+{
+    PK11SymKey *	pms 		= NULL;
+    SECStatus           rv    		= SECFailure;
+    PRBool              isTLS;
+    CK_MECHANISM_TYPE	target;
+    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral ECDH key */
+    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral ECDH key */
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* Generate ephemeral EC keypair */
+    if (svrPubKey->keyType != ecKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	goto loser;
+    }
+    /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
+    privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, 
+	                                &pubKey, NULL);
+    if (!privKey || !pubKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	    rv = SECFailure;
+	    goto loser;
+    }
+    PRINT_BUF(50, (ss, "ECDH public value:",
+					pubKey->u.ec.publicValue.data,
+					pubKey->u.ec.publicValue.len));
+
+    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+
+    /*  Determine the PMS */
+    pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
+			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
+			    CKD_NULL, NULL, NULL);
+
+    if (pms == NULL) {
+	SSL3AlertDescription desc  = illegal_parameter;
+	(void)SSL3_SendAlert(ss, alert_fatal, desc);
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    SECKEY_DestroyPrivateKey(privKey);
+    privKey = NULL;
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
+					pubKey->u.ec.publicValue.len + 1);
+    if (rv != SECSuccess) {
+        goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, 
+					pubKey->u.ec.publicValue.data,
+					pubKey->u.ec.publicValue.len, 1);
+    SECKEY_DestroyPublicKey(pubKey);
+    pubKey = NULL;
+
+    if (rv != SECSuccess) {
+        goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = SECSuccess;
+
+loser:
+    if(pms) PK11_FreeSymKey(pms);
+    if(privKey) SECKEY_DestroyPrivateKey(privKey);
+    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
+    return rv;
+}
+
+
+/*
+** Called from ssl3_HandleClientKeyExchange()
+*/
+SECStatus
+ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
+				     PRUint32 length,
+                                     SECKEYPublicKey *srvrPubKey,
+                                     SECKEYPrivateKey *srvrPrivKey)
+{
+    PK11SymKey *      pms;
+    SECStatus         rv;
+    SECKEYPublicKey   clntPubKey;
+    CK_MECHANISM_TYPE	target;
+    PRBool isTLS;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    clntPubKey.keyType = ecKey;
+    clntPubKey.u.ec.DEREncodedParams.len = 
+	srvrPubKey->u.ec.DEREncodedParams.len;
+    clntPubKey.u.ec.DEREncodedParams.data = 
+	srvrPubKey->u.ec.DEREncodedParams.data;
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, 
+	                               1, &b, &length);
+    if (rv != SECSuccess) {
+	SEND_ALERT
+	return SECFailure;	/* XXX Who sets the error code?? */
+    }
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+
+    /*  Determine the PMS */
+    pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
+			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
+			    CKD_NULL, NULL, NULL);
+
+    if (pms == NULL) {
+	/* last gasp.  */
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	return SECFailure;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms);
+    if (rv != SECSuccess) {
+	SEND_ALERT
+	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
+    }
+    return SECSuccess;
+}
+
+ECName
+ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits)
+{
+    int    i;
+    
+    for ( i = 0; bits2curve[i].curve != ec_noName; i++) {
+	if (bits2curve[i].bits < requiredECCbits)
+	    continue;
+    	if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
+	    return bits2curve[i].curve;
+	}
+    }
+    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+    return ec_noName;
+}
+
+/* find the "weakest link".  Get strength of signature key and of sym key.
+ * choose curve for the weakest of those two.
+ */
+ECName
+ssl3_GetCurveNameForServerSocket(sslSocket *ss)
+{
+    SECKEYPublicKey * svrPublicKey = NULL;
+    ECName ec_curve = ec_noName;
+    int    signatureKeyStrength = 521;
+    int    requiredECCbits = ss->sec.secretKeyBits * 2;
+
+    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) {
+	svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
+	if (svrPublicKey)
+	    ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
+	if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
+	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	    return ec_noName;
+	}
+	signatureKeyStrength = curve2bits[ ec_curve ];
+    } else {
+        /* RSA is our signing cert */
+        int serverKeyStrengthInBits;
+ 
+        svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa);
+        if (!svrPublicKey) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return ec_noName;
+        }
+ 
+        /* currently strength in bytes */
+        serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len;
+        if (svrPublicKey->u.rsa.modulus.data[0] == 0) {
+            serverKeyStrengthInBits--;
+        }
+        /* convert to strength in bits */
+        serverKeyStrengthInBits *= BPB;
+ 
+        signatureKeyStrength =
+	    SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
+    }
+    if ( requiredECCbits > signatureKeyStrength ) 
+         requiredECCbits = signatureKeyStrength;
+
+    return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves,
+					  requiredECCbits);
+}
+
+/* function to clear out the lists */
+static SECStatus 
+ssl3_ShutdownECDHECurves(void *appData, void *nssData)
+{
+    int i;
+    ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0];
+
+    for (i=0; i < ec_pastLastName; i++, keyPair++) {
+	if (keyPair->pair) {
+	    ssl3_FreeKeyPair(keyPair->pair);
+	}
+    }
+    memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs);
+    return SECSuccess;
+}
+
+static PRStatus
+ssl3_ECRegister(void)
+{
+    SECStatus rv;
+    rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs);
+    if (rv != SECSuccess) {
+	gECDHEKeyPairs[ec_noName].error = PORT_GetError();
+    }
+    return (PRStatus)rv;
+}
+
+/* CallOnce function, called once for each named curve. */
+static PRStatus 
+ssl3_CreateECDHEphemeralKeyPair(void * arg)
+{
+    SECKEYPrivateKey *    privKey  = NULL;
+    SECKEYPublicKey *     pubKey   = NULL;
+    ssl3KeyPair *	  keyPair  = NULL;
+    ECName                ec_curve = (ECName)arg;
+    SECKEYECParams        ecParams = { siBuffer, NULL, 0 };
+
+    PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
+
+    /* ok, no one has generated a global key for this curve yet, do so */
+    if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
+	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
+	return PR_FAILURE;
+    }
+
+    privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);    
+    SECITEM_FreeItem(&ecParams, PR_FALSE);
+
+    if (!privKey || !pubKey || !(keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
+	if (privKey) {
+	    SECKEY_DestroyPrivateKey(privKey);
+	}
+	if (pubKey) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	}
+	ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
+	return PR_FAILURE;
+    }
+
+    gECDHEKeyPairs[ec_curve].pair = keyPair;
+    return PR_SUCCESS;
+}
+
+/*
+ * Creates the ephemeral public and private ECDH keys used by
+ * server in ECDHE_RSA and ECDHE_ECDSA handshakes.
+ * For now, the elliptic curve is chosen to be the same
+ * strength as the signing certificate (ECC or RSA).
+ * We need an API to specify the curve. This won't be a real
+ * issue until we further develop server-side support for ECC
+ * cipher suites.
+ */
+static SECStatus
+ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve)
+{
+    ssl3KeyPair *	  keyPair        = NULL;
+
+    /* if there's no global key for this curve, make one. */
+    if (gECDHEKeyPairs[ec_curve].pair == NULL) {
+	PRStatus status;
+
+	status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
+        if (status != PR_SUCCESS) {
+	    PORT_SetError(gECDHEKeyPairs[ec_noName].error);
+	    return SECFailure;
+    	}
+	status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
+	                            ssl3_CreateECDHEphemeralKeyPair,
+				    (void *)ec_curve);
+        if (status != PR_SUCCESS) {
+	    PORT_SetError(gECDHEKeyPairs[ec_curve].error);
+	    return SECFailure;
+    	}
+    }
+
+    keyPair = gECDHEKeyPairs[ec_curve].pair;
+    PORT_Assert(keyPair != NULL);
+    if (!keyPair) 
+    	return SECFailure;
+    ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair);
+
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    PRArenaPool *    arena     = NULL;
+    SECKEYPublicKey *peerKey   = NULL;
+    PRBool           isTLS;
+    SECStatus        rv;
+    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
+    SSL3AlertDescription desc  = illegal_parameter;
+    SSL3Hashes       hashes;
+    SECItem          signature = {siBuffer, NULL, 0};
+
+    SECItem          ec_params = {siBuffer, NULL, 0};
+    SECItem          ec_point  = {siBuffer, NULL, 0};
+    unsigned char    paramBuf[3]; /* only for curve_type == named_curve */
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* XXX This works only for named curves, revisit this when
+     * we support generic curves.
+     */
+    ec_params.len  = sizeof paramBuf;
+    ec_params.data = paramBuf;
+    rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed. */
+    }
+
+    /* Fail if the curve is not a named curve */
+    if ((ec_params.data[0] != ec_type_named) || 
+	(ec_params.data[1] != 0) ||
+	!supportedCurve(ec_params.data[2])) {
+	    errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+	    desc = handshake_failure;
+	    goto alert_loser;
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed. */
+    }
+    /* Fail if the ec point uses compressed representation */
+    if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+	    errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
+	    desc = handshake_failure;
+	    goto alert_loser;
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed. */
+    }
+
+    if (length != 0) {
+	if (isTLS)
+	    desc = decode_error;
+	goto alert_loser;		/* malformed. */
+    }
+
+    PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, 
+	ec_params.len));
+    PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
+
+    /* failures after this point are not malformed handshakes. */
+    /* TLS: send decrypt_error if signature failed. */
+    desc = isTLS ? decrypt_error : handshake_failure;
+
+    /*
+     *  check to make sure the hash is signed by right guy
+     */
+    rv = ssl3_ComputeECDHKeyHash(ec_params, ec_point,
+				      &ss->ssl3.hs.client_random,
+				      &ss->ssl3.hs.server_random, 
+				      &hashes, ss->opt.bypassPKCS11);
+
+    if (rv != SECSuccess) {
+	errCode =
+	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	goto alert_loser;
+    }
+    rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
+				isTLS, ss->pkcs11PinArg);
+    if (rv != SECSuccess)  {
+	errCode =
+	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	goto alert_loser;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto no_memory;
+    }
+
+    ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    if (peerKey == NULL) {
+	goto no_memory;
+    }
+
+    peerKey->arena                 = arena;
+    peerKey->keyType               = ecKey;
+
+    /* set up EC parameters in peerKey */
+    if (ssl3_ECName2Params(arena, ec_params.data[2], 
+	    &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
+	/* we should never get here since we already 
+	 * checked that we are dealing with a supported curve
+	 */
+	errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+	goto alert_loser;
+    }
+
+    /* copy publicValue in peerKey */
+    if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue,  &ec_point))
+    {
+	PORT_FreeArena(arena, PR_FALSE);
+	goto no_memory;
+    }
+    peerKey->pkcs11Slot         = NULL;
+    peerKey->pkcs11ID           = CK_INVALID_HANDLE;
+
+    ss->sec.peerKey = peerKey;
+    ss->ssl3.hs.ws = wait_cert_request;
+
+    return SECSuccess;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    PORT_SetError( errCode );
+    return SECFailure;
+
+no_memory:	/* no-memory error has already been set. */
+    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+    return SECFailure;
+}
+
+SECStatus
+ssl3_SendECDHServerKeyExchange(sslSocket *ss)
+{
+const ssl3KEADef *     kea_def     = ss->ssl3.hs.kea_def;
+    SECStatus          rv          = SECFailure;
+    int                length;
+    PRBool             isTLS;
+    SECItem            signed_hash = {siBuffer, NULL, 0};
+    SSL3Hashes         hashes;
+
+    SECKEYPublicKey *  ecdhePub;
+    SECItem            ec_params = {siBuffer, NULL, 0};
+    unsigned char      paramBuf[3];
+    ECName             curve;
+    SSL3KEAType        certIndex;
+
+
+    /* Generate ephemeral ECDH key pair and send the public key */
+    curve = ssl3_GetCurveNameForServerSocket(ss);
+    if (curve == ec_noName) {
+    	goto loser;
+    }
+    rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
+    if (rv != SECSuccess) {
+	goto loser; 	/* err set by AppendHandshake. */
+    }	    
+    ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
+    PORT_Assert(ecdhePub != NULL);
+    if (!ecdhePub) {
+	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	return SECFailure;
+    }	
+    
+    ec_params.len  = sizeof paramBuf;
+    ec_params.data = paramBuf;
+    curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
+    if (curve != ec_noName) {
+	ec_params.data[0] = ec_type_named;
+	ec_params.data[1] = 0x00;
+	ec_params.data[2] = curve;
+    } else {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	goto loser;
+    }		
+
+    rv = ssl3_ComputeECDHKeyHash(ec_params, ecdhePub->u.ec.publicValue,
+				      &ss->ssl3.hs.client_random,
+				      &ss->ssl3.hs.server_random,
+				      &hashes, ss->opt.bypassPKCS11);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* XXX SSLKEAType isn't really a good choice for 
+     * indexing certificates but that's all we have
+     * for now.
+     */
+    if (kea_def->kea == kea_ecdhe_rsa)
+	certIndex = kt_rsa;
+    else /* kea_def->kea == kea_ecdhe_ecdsa */
+	certIndex = kt_ecdh;
+
+    rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, 
+			 &signed_hash, isTLS);
+    if (rv != SECSuccess) {
+	goto loser;		/* ssl3_SignHashes has set err. */
+    }
+    if (signed_hash.data == NULL) {
+	/* how can this happen and rv == SECSuccess ?? */
+	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    length = ec_params.len + 
+	     1 + ecdhePub->u.ec.publicValue.len + 
+	     2 + signed_hash.len;
+
+    rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
+    if (rv != SECSuccess) {
+	goto loser; 	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
+    if (rv != SECSuccess) {
+	goto loser; 	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
+				      ecdhePub->u.ec.publicValue.len, 1);
+    if (rv != SECSuccess) {
+	goto loser; 	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
+				      signed_hash.len, 2);
+    if (rv != SECSuccess) {
+	goto loser; 	/* err set by AppendHandshake. */
+    }
+
+    PORT_Free(signed_hash.data);
+    return SECSuccess;
+
+loser:
+    if (signed_hash.data != NULL) 
+    	PORT_Free(signed_hash.data);
+    return SECFailure;
+}
+
+/* Lists of ECC cipher suites for searching and disabling. */
+
+static const ssl3CipherSuite ecdh_suites[] = {
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_RSA_WITH_NULL_SHA,
+    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+static const ssl3CipherSuite ecdh_ecdsa_suites[] = {
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+static const ssl3CipherSuite ecdh_rsa_suites[] = {
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_RSA_WITH_NULL_SHA,
+    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+static const ssl3CipherSuite ecdhe_rsa_suites[] = {
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_NULL_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+/* List of all ECC cipher suites */
+static const ssl3CipherSuite ecSuites[] = {
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_NULL_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_RSA_WITH_NULL_SHA,
+    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    0 /* end of list marker */
+};
+
+/* On this socket, Disable the ECC cipher suites in the argument's list */
+SECStatus
+ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
+{
+    if (!suite)
+    	suite = ecSuites;
+    for (; *suite; ++suite) {
+	SECStatus rv      = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
+
+	PORT_Assert(rv == SECSuccess); /* else is coding error */
+    }
+    return SECSuccess;
+}
+
+/* Look at the server certs configured on this socket, and disable any
+ * ECC cipher suites that are not supported by those certs.
+ */
+void
+ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
+{
+    CERTCertificate * svrCert;
+
+    svrCert = ss->serverCerts[kt_rsa].serverCert;
+    if (!svrCert) {
+	ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
+    }
+
+    svrCert = ss->serverCerts[kt_ecdh].serverCert;
+    if (!svrCert) {
+	ssl3_DisableECCSuites(ss, ecdh_suites);
+	ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
+    } else {
+	SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
+
+	switch (sigTag) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+	    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
+	    break;
+	case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
+	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
+	    ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
+	    break;
+	default:
+	    ssl3_DisableECCSuites(ss, ecdh_suites);
+	    break;
+	}
+    }
+}
+
+/* Ask: is ANY ECC cipher suite enabled on this socket? */
+/* Order(N^2).  Yuk.  Also, this ignores export policy. */
+PRBool
+ssl3_IsECCEnabled(sslSocket * ss)
+{
+    const ssl3CipherSuite * suite;
+
+    for (suite = ecSuites; *suite; ++suite) {
+	PRBool    enabled = PR_FALSE;
+	SECStatus rv      = ssl3_CipherPrefGet(ss, *suite, &enabled);
+
+	PORT_Assert(rv == SECSuccess); /* else is coding error */
+	if (rv == SECSuccess && enabled)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+#define BE(n) 0, n
+
+#ifndef NSS_ECC_MORE_THAN_SUITE_B
+/* Prefabricated TLS client hello extension, Elliptic Curves List,
+ * offers only 3 curves, the Suite B curves, 23-25 
+ */
+static const PRUint8 EClist[12] = {
+    BE(10),         /* Extension type */
+    BE( 8),         /* octets that follow ( 3 pairs + 1 length pair) */
+    BE( 6),         /* octets that follow ( 3 pairs) */
+    BE(23), BE(24), BE(25)
+};
+#else
+/* Prefabricated TLS client hello extension, Elliptic Curves List,
+ * offers curves 1-25.
+ */
+static const PRUint8 EClist[56] = {
+    BE(10),         /* Extension type */
+    BE(52),         /* octets that follow (25 pairs + 1 length pair) */
+    BE(50),         /* octets that follow (25 pairs) */
+            BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7), 
+    BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15), 
+    BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23), 
+    BE(24), BE(25)
+};
+#endif
+
+static const PRUint8 ECPtFmt[6] = {
+    BE(11),         /* Extension type */
+    BE( 2),         /* octets that follow */
+             1,     /* octets that follow */
+                 0  /* uncompressed type only */
+};
+
+/* Send our "canned" (precompiled) Supported Elliptic Curves extension,
+ * which says that we support all TLS-defined named curves.
+ */
+PRInt32
+ssl3_SendSupportedCurvesXtn(
+			sslSocket * ss,
+			PRBool      append,
+			PRUint32    maxBytes)
+{
+    if (!ss || !ssl3_IsECCEnabled(ss))
+    	return 0;
+    if (append && maxBytes >= (sizeof EClist)) {
+	SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
+	if (rv != SECSuccess)
+	    return -1;
+	if (!ss->sec.isServer) {
+	    TLSExtensionData *xtnData = &ss->xtnData;
+	    xtnData->advertised[xtnData->numAdvertised++] =
+		elliptic_curves_xtn;
+	}
+    }
+    return (sizeof EClist);
+}
+
+/* Send our "canned" (precompiled) Supported Point Formats extension,
+ * which says that we only support uncompressed points.
+ */
+PRInt32
+ssl3_SendSupportedPointFormatsXtn(
+			sslSocket * ss,
+			PRBool      append,
+			PRUint32    maxBytes)
+{
+    if (!ss || !ssl3_IsECCEnabled(ss))
+    	return 0;
+    if (append && maxBytes >= (sizeof ECPtFmt)) {
+	SECStatus rv = ssl3_AppendHandshake(ss, ECPtFmt, (sizeof ECPtFmt));
+	if (rv != SECSuccess)
+	    return -1;
+	if (!ss->sec.isServer) {
+	    TLSExtensionData *xtnData = &ss->xtnData;
+	    xtnData->advertised[xtnData->numAdvertised++] =
+		ec_point_formats_xtn;
+	}
+    }
+    return (sizeof ECPtFmt);
+}
+
+/* Just make sure that the remote client supports uncompressed points,
+ * Since that is all we support.  Disable ECC cipher suites if it doesn't.
+ */
+SECStatus
+ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
+                                    SECItem *data)
+{
+    int i;
+
+    if (data->len < 2 || data->len > 255 || !data->data ||
+        data->len != (unsigned int)data->data[0] + 1) {
+    	/* malformed */
+	goto loser;
+    }
+    for (i = data->len; --i > 0; ) {
+    	if (data->data[i] == 0) {
+	    /* indicate that we should send a reply */
+	    SECStatus rv;
+	    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+			      &ssl3_SendSupportedPointFormatsXtn);
+	    return rv;
+	}
+    }
+loser:
+    /* evil client doesn't support uncompressed */
+    ssl3_DisableECCSuites(ss, ecSuites);
+    return SECFailure;
+}
+
+
+#define SSL3_GET_SERVER_PUBLICKEY(sock, type) \
+    (ss->serverCerts[type].serverKeyPair ? \
+    ss->serverCerts[type].serverKeyPair->pubKey : NULL)
+
+/* Extract the TLS curve name for the public key in our EC server cert. */
+ECName ssl3_GetSvrCertCurveName(sslSocket *ss) 
+{
+    SECKEYPublicKey       *srvPublicKey; 
+    ECName		  ec_curve       = ec_noName;
+
+    srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh);
+    if (srvPublicKey) {
+	ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
+    }
+    return ec_curve;
+}
+
+/* Ensure that the curve in our server cert is one of the ones suppored
+ * by the remote client, and disable all ECC cipher suites if not.
+ */
+SECStatus
+ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
+{
+    PRInt32  list_len;
+    PRUint32 peerCurves   = 0;
+    PRUint32 mutualCurves = 0;
+    PRUint16 svrCertCurveName;
+
+    if (!data->data || data->len < 4 || data->len > 65535)
+    	goto loser;
+    /* get the length of elliptic_curve_list */
+    list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+    if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
+    	/* malformed */
+	goto loser;
+    }
+    /* build bit vector of peer's supported curve names */
+    while (data->len) {
+	PRInt32  curve_name = 
+		 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+	if (curve_name > ec_noName && curve_name < ec_pastLastName) {
+	    peerCurves |= (1U << curve_name);
+	}
+    }
+    /* What curves do we support in common? */
+    mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves;
+    if (!mutualCurves) { /* no mutually supported EC Curves */
+    	goto loser;
+    }
+
+    /* if our ECC cert doesn't use one of these supported curves, 
+     * disable ECC cipher suites that require an ECC cert. 
+     */
+    svrCertCurveName = ssl3_GetSvrCertCurveName(ss);
+    if (svrCertCurveName != ec_noName &&
+        (mutualCurves & (1U << svrCertCurveName)) != 0) {
+	return SECSuccess;
+    }
+    /* Our EC cert doesn't contain a mutually supported curve.
+     * Disable all ECC cipher suites that require an EC cert 
+     */
+    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
+    ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
+    return SECFailure;
+
+loser:
+    /* no common curve supported */
+    ssl3_DisableECCSuites(ss, ecSuites);
+    return SECFailure;
+}
+
+#endif /* NSS_ENABLE_ECC */
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
new file mode 100644
index 000000000..c4a7b151e
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -0,0 +1,1268 @@
+/*
+ * SSL3 Protocol
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *   Nagendra Modadugu <ngm@google.com>, Google Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* TLS extension code moved here from ssl3ecc.c */
+/* $Id$ */
+
+#include "nssrenam.h"
+#include "nss.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "pk11pub.h"
+#include "blapi.h"
+#include "prinit.h"
+
+static unsigned char  key_name[SESS_TICKET_KEY_NAME_LEN];
+static PK11SymKey    *session_ticket_enc_key_pkcs11 = NULL;
+static PK11SymKey    *session_ticket_mac_key_pkcs11 = NULL;
+
+static unsigned char  session_ticket_enc_key[32];
+static unsigned char  session_ticket_mac_key[SHA256_LENGTH];
+
+static PRBool         session_ticket_keys_initialized = PR_FALSE;
+static PRCallOnceType generate_session_keys_once;
+
+static PRInt32 ssl3_SendServerNameXtn(sslSocket * ss,
+    PRBool append, PRUint32 maxBytes);
+static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss,
+    SECItem *data, EncryptedSessionTicket *enc_session_ticket);
+static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf,
+    PRUint32 bytes);
+static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num,
+    PRInt32 lenSize);
+static SECStatus ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss,
+    PK11SymKey **aes_key, PK11SymKey **mac_key);
+static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
+    PRUint32 *aes_key_length, const unsigned char **mac_key,
+    PRUint32 *mac_key_length);
+
+/*
+ * Write bytes.  Using this function means the SECItem structure
+ * cannot be freed.  The caller is expected to call this function
+ * on a shallow copy of the structure.
+ */
+static SECStatus
+ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
+{
+    if (bytes > item->len)
+	return SECFailure;
+
+    PORT_Memcpy(item->data, buf, bytes);
+    item->data += bytes;
+    item->len -= bytes;
+    return SECSuccess;
+}
+
+/*
+ * Write a number in network byte order. Using this function means the
+ * SECItem structure cannot be freed.  The caller is expected to call
+ * this function on a shallow copy of the structure.
+ */
+static SECStatus
+ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
+{
+    SECStatus rv;
+    uint8     b[4];
+    uint8 *   p = b;
+
+    switch (lenSize) {
+    case 4:
+	*p++ = (uint8) (num >> 24);
+    case 3:
+	*p++ = (uint8) (num >> 16);
+    case 2:
+	*p++ = (uint8) (num >> 8);
+    case 1:
+	*p = (uint8) num;
+    }
+    rv = ssl3_AppendToItem(item, &b[0], lenSize);
+    return rv;
+}
+
+static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
+{
+    if (session_ticket_enc_key_pkcs11) {
+	PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
+	session_ticket_enc_key_pkcs11 = NULL;
+    }
+    if (session_ticket_mac_key_pkcs11) {
+	PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
+	session_ticket_mac_key_pkcs11 = NULL;
+    }
+    PORT_Memset(&generate_session_keys_once, 0,
+	sizeof(generate_session_keys_once));
+    return SECSuccess;
+}
+
+
+static PRStatus
+ssl3_GenerateSessionTicketKeysPKCS11(void *data)
+{
+    SECStatus rv;
+    sslSocket *ss = (sslSocket *)data;
+    SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
+    SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
+
+    if (svrPrivKey == NULL || svrPubKey == NULL) {
+	SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+			SSL_GETPID(), ss->fd));
+	goto loser;
+    }
+
+    /* Get a copy of the session keys from shared memory. */
+    PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
+	sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+    if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
+	    ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
+	    &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
+	return PR_FAILURE;
+
+    rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
+    if (rv != SECSuccess)
+	goto loser;
+
+    return PR_SUCCESS;
+
+loser:
+    ssl3_SessionTicketShutdown(NULL, NULL);
+    return PR_FAILURE;
+}
+
+static SECStatus
+ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
+                                PK11SymKey **mac_key)
+{
+    if (PR_CallOnceWithArg(&generate_session_keys_once,
+	    ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
+	return SECFailure;
+
+    if (session_ticket_enc_key_pkcs11 == NULL ||
+	session_ticket_mac_key_pkcs11 == NULL)
+	return SECFailure;
+
+    *aes_key = session_ticket_enc_key_pkcs11;
+    *mac_key = session_ticket_mac_key_pkcs11;
+    return SECSuccess;
+}
+
+static PRStatus
+ssl3_GenerateSessionTicketKeys(void)
+{
+    PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
+	sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+
+    if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
+	    session_ticket_enc_key, session_ticket_mac_key))
+	return PR_FAILURE;
+
+    session_ticket_keys_initialized = PR_TRUE;
+    return PR_SUCCESS;
+}
+
+static SECStatus
+ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
+    PRUint32 *aes_key_length, const unsigned char **mac_key,
+    PRUint32 *mac_key_length)
+{
+    if (PR_CallOnce(&generate_session_keys_once,
+	    ssl3_GenerateSessionTicketKeys) != SECSuccess)
+	return SECFailure;
+
+    if (!session_ticket_keys_initialized)
+	return SECFailure;
+
+    *aes_key = session_ticket_enc_key;
+    *aes_key_length = sizeof(session_ticket_enc_key);
+    *mac_key = session_ticket_mac_key;
+    *mac_key_length = sizeof(session_ticket_mac_key);
+
+    return SECSuccess;
+}
+
+/* Table of handlers for received TLS hello extensions, one per extension.
+ * In the second generation, this table will be dynamic, and functions
+ * will be registered here.
+ */
+static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
+    { server_name_xtn, &ssl3_HandleServerNameXtn },
+#ifdef NSS_ENABLE_ECC
+    { elliptic_curves_xtn, &ssl3_HandleSupportedCurvesXtn },
+    { ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
+#endif
+    { session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
+    { -1, NULL }
+};
+
+static const ssl3HelloExtensionHandler serverHelloHandlers[] = {
+    { server_name_xtn, &ssl3_HandleServerNameXtn },
+    /* TODO: add a handler for ec_point_formats_xtn */
+    { session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
+    { -1, NULL }
+};
+
+/* Table of functions to format TLS hello extensions, one per extension.
+ * This static table is for the formatting of client hello extensions.
+ * The server's table of hello senders is dynamic, in the socket struct,
+ * and sender functions are registered there.
+ */
+static const 
+ssl3HelloExtensionSender clientHelloSenders[MAX_EXTENSIONS] = {
+    { server_name_xtn, &ssl3_SendServerNameXtn },
+#ifdef NSS_ENABLE_ECC
+    { elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
+    { ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
+#else
+    { -1, NULL },
+    { -1, NULL },
+#endif
+    { session_ticket_xtn, ssl3_SendSessionTicketXtn }
+};
+
+static PRBool
+arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
+{
+    int i;
+    for (i = 0; i < len; i++) {
+	if (ex_type == array[i])
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+PRBool
+ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
+    TLSExtensionData *xtnData = &ss->xtnData;
+    return arrayContainsExtension(xtnData->negotiated,
+	                          xtnData->numNegotiated, ex_type);
+}
+
+static PRBool
+ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
+    TLSExtensionData *xtnData = &ss->xtnData;
+    return arrayContainsExtension(xtnData->advertised,
+	                          xtnData->numAdvertised, ex_type);
+}
+
+/* Format an SNI extension, using the name from the socket's URL,
+ * unless that name is a dotted decimal string.
+ */
+static PRInt32 
+ssl3_SendServerNameXtn(
+			sslSocket * ss,
+			PRBool      append,
+			PRUint32    maxBytes)
+{
+    PRUint32 len;
+    PRNetAddr netAddr;
+
+    /* must have a hostname */
+    if (!ss || !ss->url || !ss->url[0])
+    	return 0;
+    /* must not be an IPv4 or IPv6 address */
+    if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
+        /* is an IP address (v4 or v6) */
+        return 0;
+    }
+    len  = PORT_Strlen(ss->url);
+    if (append && maxBytes >= len + 9) {
+	SECStatus rv;
+	/* extension_type */
+	rv = ssl3_AppendHandshakeNumber(ss, server_name_xtn, 2); 
+	if (rv != SECSuccess) return -1;
+	/* length of extension_data */
+	rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 
+	if (rv != SECSuccess) return -1;
+	/* length of server_name_list */
+	rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
+	if (rv != SECSuccess) return -1;
+	/* Name Type (host_name) */
+	rv = ssl3_AppendHandshake(ss,       "\0",    1);
+	if (rv != SECSuccess) return -1;
+	/* HostName (length and value) */
+	rv = ssl3_AppendHandshakeVariable(ss, (unsigned char *)ss->url, len, 2);
+	if (rv != SECSuccess) return -1;
+	if (!ss->sec.isServer) {
+	    TLSExtensionData *xtnData = &ss->xtnData;
+	    xtnData->advertised[xtnData->numAdvertised++] = server_name_xtn;
+	}
+    }
+    return len + 9;
+}
+
+/* handle an incoming SNI extension, by ignoring it. */
+SECStatus
+ssl3_HandleServerNameXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
+{
+    /* TODO: if client, should verify extension_data is empty. */
+    /* TODO: if server, should send empty extension_data. */
+    /* For now, we ignore this, as if we didn't understand it. :-)  */
+    return SECSuccess;
+}
+
+/* Called by both clients and servers.
+ * Clients sends a filled in session ticket if one is available, and otherwise
+ * sends an empty ticket.  Servers always send empty tickets.
+ */
+PRInt32
+ssl3_SendSessionTicketXtn(
+			sslSocket * ss,
+			PRBool      append,
+			PRUint32    maxBytes)
+{
+    PRInt32 extension_length;
+    NewSessionTicket *session_ticket = NULL;
+
+    /* Ignore the SessionTicket extension if processing is disabled. */
+    if (!ss->opt.enableSessionTickets)
+	return 0;
+
+    /* Empty extension length = extension_type (2-bytes) +
+     * length(extension_data) (2-bytes)
+     */
+    extension_length = 4;
+
+    /* If we are a client then send a session ticket if one is availble.
+     * Servers that support the extension and are willing to negotiate the
+     * the extension always respond with an empty extension.
+     */
+    if (!ss->sec.isServer) {
+	sslSessionID *sid = ss->sec.ci.sid;
+	session_ticket = &sid->u.ssl3.sessionTicket;
+	if (session_ticket->ticket.data) {
+	    if (ss->xtnData.ticketTimestampVerified) {
+		extension_length += session_ticket->ticket.len;
+	    } else if (!append &&
+		(session_ticket->ticket_lifetime_hint == 0 ||
+		(session_ticket->ticket_lifetime_hint +
+		    session_ticket->received_timestamp > ssl_Time()))) {
+		extension_length += session_ticket->ticket.len;
+		ss->xtnData.ticketTimestampVerified = PR_TRUE;
+	    }
+	}
+    }
+
+    if (append && maxBytes >= extension_length) {
+	SECStatus rv;
+	/* extension_type */
+        rv = ssl3_AppendHandshakeNumber(ss, session_ticket_xtn, 2);
+        if (rv != SECSuccess)
+	    goto loser;
+	if (session_ticket && session_ticket->ticket.data &&
+	    ss->xtnData.ticketTimestampVerified) {
+	    rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
+		session_ticket->ticket.len, 2);
+	    ss->xtnData.ticketTimestampVerified = PR_FALSE;
+	} else {
+	    rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+	}
+        if (rv != SECSuccess)
+	    goto loser;
+
+	if (!ss->sec.isServer) {
+	    TLSExtensionData *xtnData = &ss->xtnData;
+	    xtnData->advertised[xtnData->numAdvertised++] = session_ticket_xtn;
+	}
+    } else if (maxBytes < extension_length) {
+	PORT_Assert(0);
+        return 0;
+    }
+    return extension_length;
+
+ loser:
+    ss->xtnData.ticketTimestampVerified = PR_FALSE;
+    return -1;
+}
+
+/*
+ * NewSessionTicket
+ * Called from ssl3_HandleFinished
+ */
+SECStatus
+ssl3_SendNewSessionTicket(sslSocket *ss)
+{
+    int                  i;
+    SECStatus            rv;
+    NewSessionTicket     ticket;
+    SECItem              plaintext;
+    SECItem              plaintext_item = {0, NULL, 0};
+    SECItem              ciphertext     = {0, NULL, 0};
+    PRUint32             ciphertext_length;
+    PRBool               ms_is_wrapped;
+    unsigned char        wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
+    SECItem              ms_item = {0, NULL, 0};
+    SSL3KEAType          effectiveExchKeyType = ssl_kea_null;
+    PRUint32             padding_length;
+    PRUint32             message_length;
+    PRUint32             cert_length;
+    uint8                length_buf[4];
+    PRUint32             now;
+    PK11SymKey          *aes_key_pkcs11;
+    PK11SymKey          *mac_key_pkcs11;
+    const unsigned char *aes_key;
+    const unsigned char *mac_key;
+    PRUint32             aes_key_length;
+    PRUint32             mac_key_length;
+    PRUint64             aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
+    AESContext          *aes_ctx;
+    CK_MECHANISM_TYPE    cipherMech = CKM_AES_CBC;
+    PK11Context         *aes_ctx_pkcs11;
+    const SECHashObject *hashObj = NULL;
+    PRUint64             hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
+    HMACContext         *hmac_ctx;
+    CK_MECHANISM_TYPE    macMech = CKM_SHA256_HMAC;
+    PK11Context         *hmac_ctx_pkcs11;
+    unsigned char        computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
+    unsigned int         computed_mac_length;
+    unsigned char        iv[AES_BLOCK_SIZE];
+    SECItem              ivItem;
+    CK_MECHANISM_TYPE    msWrapMech = 0; /* dummy default value,
+                                          * must be >= 0 */
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
+    cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ?
+	3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
+
+    /* Get IV and encryption keys */
+    ivItem.data = iv;
+    ivItem.len = sizeof(iv);
+    rv = PK11_GenerateRandom(iv, sizeof(iv));
+    if (rv != SECSuccess) goto loser;
+
+    if (ss->opt.bypassPKCS11) {
+	rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+	    &mac_key, &mac_key_length);
+    } else {
+	rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+	    &mac_key_pkcs11);
+    }
+    if (rv != SECSuccess) goto loser;
+
+    if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
+	/* The master secret is available unwrapped. */
+	ms_item.data = ss->ssl3.pwSpec->msItem.data;
+	ms_item.len = ss->ssl3.pwSpec->msItem.len;
+	ms_is_wrapped = PR_FALSE;
+    } else {
+	/* Extract the master secret wrapped. */
+	sslSessionID sid;
+	PORT_Memset(&sid, 0, sizeof(sslSessionID));
+
+	if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+	    effectiveExchKeyType = kt_rsa;
+	} else {
+	    effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+	}
+
+	rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
+	    effectiveExchKeyType);
+	if (rv == SECSuccess) {
+	    if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
+		goto loser;
+	    memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
+		sid.u.ssl3.keys.wrapped_master_secret_len);
+	    ms_item.data = wrapped_ms;
+	    ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
+	    msWrapMech = sid.u.ssl3.masterWrapMech;
+	} else {
+	    /* TODO: else send an empty ticket. */
+	    goto loser;
+	}
+	ms_is_wrapped = PR_TRUE;
+    }
+
+    ciphertext_length = 
+	sizeof(PRUint16)                     /* ticket_version */
+	+ sizeof(SSL3ProtocolVersion)        /* ssl_version */
+	+ sizeof(ssl3CipherSuite)            /* ciphersuite */
+	+ 1                                  /* compression */
+	+ 10                                 /* cipher spec parameters */
+	+ 1                                  /* SessionTicket.ms_is_wrapped */
+	+ 1                                  /* effectiveExchKeyType */
+	+ 4                                  /* msWrapMech */
+	+ 2                                  /* master_secret.length */
+	+ ms_item.len                        /* master_secret */
+	+ 1                                  /* client_auth_type */
+	+ cert_length                        /* cert */
+	+ sizeof(ticket.ticket_lifetime_hint);
+    padding_length =  AES_BLOCK_SIZE -
+	(ciphertext_length % AES_BLOCK_SIZE);
+    ciphertext_length += padding_length;
+
+    message_length =
+	sizeof(ticket.ticket_lifetime_hint)    /* ticket_lifetime_hint */
+	+ 2 /* length field for NewSessionTicket.ticket */
+	+ SESS_TICKET_KEY_NAME_LEN             /* key_name */
+	+ AES_BLOCK_SIZE                       /* iv */
+	+ 2 /* length field for NewSessionTicket.ticket.encrypted_state */
+	+ ciphertext_length                    /* encrypted_state */
+	+ TLS_EX_SESS_TICKET_MAC_LENGTH;       /* mac */
+
+    if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
+	goto loser;
+
+    plaintext = plaintext_item;
+
+    /* ticket_version */
+    rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
+	sizeof(PRUint16));
+    if (rv != SECSuccess) goto loser;
+
+    /* ssl_version */
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
+	sizeof(SSL3ProtocolVersion));
+    if (rv != SECSuccess) goto loser;
+
+    /* ciphersuite */
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 
+	sizeof(ssl3CipherSuite));
+    if (rv != SECSuccess) goto loser;
+    
+    /* compression */
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
+    if (rv != SECSuccess) goto loser;
+
+    /* cipher spec parameters */
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaType, 1);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.keaKeyBits, 4);
+    if (rv != SECSuccess) goto loser;
+
+    /* master_secret */
+    rv = ssl3_AppendNumberToItem(&plaintext, ms_is_wrapped, 1);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, effectiveExchKeyType, 1);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, msWrapMech, 4);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
+    if (rv != SECSuccess) goto loser;
+    rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
+    if (rv != SECSuccess) goto loser;
+
+    /* client_identity */
+    if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
+	rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
+	if (rv != SECSuccess) goto loser;
+	rv = ssl3_AppendNumberToItem(&plaintext,
+	    ss->sec.ci.sid->peerCert->derCert.len, 3);
+	if (rv != SECSuccess) goto loser;
+	rv = ssl3_AppendToItem(&plaintext,
+	    ss->sec.ci.sid->peerCert->derCert.data,
+	    ss->sec.ci.sid->peerCert->derCert.len);
+	if (rv != SECSuccess) goto loser;
+    } else {
+	rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
+	if (rv != SECSuccess) goto loser;
+    }
+
+    /* timestamp */
+    now = ssl_Time();
+    rv = ssl3_AppendNumberToItem(&plaintext, now,
+	sizeof(ticket.ticket_lifetime_hint));
+    if (rv != SECSuccess) goto loser;
+
+    PORT_Assert(plaintext.len == padding_length);
+    for (i = 0; i < padding_length; i++)
+	plaintext.data[i] = (unsigned char)padding_length;
+
+    if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* Generate encrypted portion of ticket. */
+    if (ss->opt.bypassPKCS11) {
+	aes_ctx = (AESContext *)aes_ctx_buf;
+	rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 
+	    NSS_AES_CBC, 1, AES_BLOCK_SIZE);
+	if (rv != SECSuccess) goto loser;
+
+	rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
+	    ciphertext.len, plaintext_item.data,
+	    plaintext_item.len);
+	if (rv != SECSuccess) goto loser;
+    } else {
+	aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+	    CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
+	if (!aes_ctx_pkcs11) 
+	    goto loser;
+
+	rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
+	    (int *)&ciphertext.len, ciphertext.len,
+	    plaintext_item.data, plaintext_item.len);
+	PK11_Finalize(aes_ctx_pkcs11);
+	PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+	if (rv != SECSuccess) goto loser;
+    }
+
+    /* Convert ciphertext length to network order. */
+    length_buf[0] = (ciphertext.len >> 8) & 0xff;
+    length_buf[1] = (ciphertext.len     ) & 0xff;
+
+    /* Compute MAC. */
+    if (ss->opt.bypassPKCS11) {
+	hmac_ctx = (HMACContext *)hmac_ctx_buf;
+	hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+	if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+		mac_key_length, PR_FALSE) != SECSuccess)
+	    goto loser;
+
+	HMAC_Begin(hmac_ctx);
+	HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
+	HMAC_Update(hmac_ctx, iv, sizeof(iv));
+	HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
+	HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
+	HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+	    sizeof(computed_mac));
+    } else {
+	SECItem macParam;
+	macParam.data = NULL;
+	macParam.len = 0;
+	hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+	    CKA_SIGN, mac_key_pkcs11, &macParam);
+	if (!hmac_ctx_pkcs11)
+	    goto loser;
+
+	rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+	rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
+	    SESS_TICKET_KEY_NAME_LEN);
+	rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
+	rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
+	rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
+	rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+	    &computed_mac_length, sizeof(computed_mac));
+	PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+	if (rv != SECSuccess) goto loser;
+    }
+
+    /* Serialize the handshake message. */
+    rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
+	sizeof(ticket.ticket_lifetime_hint));
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshakeNumber(ss,
+	message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
+    if (rv != SECSuccess) goto loser;
+
+    rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
+    if (rv != SECSuccess) goto loser;
+
+loser:
+    if (plaintext_item.data)
+	SECITEM_FreeItem(&plaintext_item, PR_FALSE);
+    if (ciphertext.data)
+	SECITEM_FreeItem(&ciphertext, PR_FALSE);
+
+    return rv;
+}
+
+/* When a client receives a SessionTicket extension a NewSessionTicket
+ * message is expected during the handshake.
+ */
+SECStatus
+ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
+                                  SECItem *data)
+{
+    if (data->len != 0)
+	return SECFailure;
+
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
+                                  SECItem *data)
+{
+    SECStatus rv;
+    SECItem *decrypted_state = NULL;
+    SessionTicket *parsed_session_ticket = NULL;
+    sslSessionID *sid = NULL;
+    SSL3Statistics *ssl3stats;
+
+    /* Ignore the SessionTicket extension if processing is disabled. */
+    if (!ss->opt.enableSessionTickets)
+	return SECSuccess;
+
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+    /* Parse the received ticket sent in by the client.  We are
+     * lenient about some parse errors, falling back to a fullshake
+     * instead of terminating the current connection.
+     */
+    if (data->len == 0) {
+	ss->xtnData.emptySessionTicket = PR_TRUE;
+    } else {
+	int                    i;
+	SECItem                extension_data;
+	EncryptedSessionTicket enc_session_ticket;
+	unsigned char          computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
+	unsigned int           computed_mac_length;
+	const SECHashObject   *hashObj;
+	const unsigned char   *aes_key;
+	const unsigned char   *mac_key;
+	PK11SymKey            *aes_key_pkcs11;
+	PK11SymKey            *mac_key_pkcs11;
+	PRUint32               aes_key_length;
+	PRUint32               mac_key_length;
+	PRUint64               hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
+	HMACContext           *hmac_ctx;
+	PK11Context           *hmac_ctx_pkcs11;
+	CK_MECHANISM_TYPE      macMech = CKM_SHA256_HMAC;
+	PRUint64               aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
+	AESContext            *aes_ctx;
+	PK11Context           *aes_ctx_pkcs11;
+	CK_MECHANISM_TYPE      cipherMech = CKM_AES_CBC;
+	unsigned char *        padding;
+	PRUint32               padding_length;
+	unsigned char         *buffer;
+	unsigned int           buffer_len;
+	PRInt32                temp;
+	SECItem                cert_item;
+
+	/* Turn off stateless session resumption if the client sends a
+	 * SessionTicket extension, even if the extension turns out to be
+	 * malformed (ss->sec.ci.sid is non-NULL when doing session
+	 * renegotiation.)
+	 */
+	if (ss->sec.ci.sid != NULL) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	    ssl_FreeSID(ss->sec.ci.sid);
+	    ss->sec.ci.sid = NULL;
+	}
+
+	extension_data.data = data->data; /* Keep a copy for future use. */
+	extension_data.len = data->len;
+
+	if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
+	    != SECSuccess)
+	    return SECFailure;
+
+	/* Get session ticket keys. */
+	if (ss->opt.bypassPKCS11) {
+	    rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+		&mac_key, &mac_key_length);
+	} else {
+	    rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+		&mac_key_pkcs11);
+	}
+	if (rv != SECSuccess) {
+	    SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
+			SSL_GETPID(), ss->fd));
+	    goto loser;
+	}
+
+	/* If the ticket sent by the client was generated under a key different
+	 * from the one we have, bypass ticket processing.
+	 */
+	if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
+		SESS_TICKET_KEY_NAME_LEN) != 0) {
+	    SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
+			SSL_GETPID(), ss->fd));
+	    goto no_ticket;
+	}
+
+	/* Verify the MAC on the ticket.  MAC verification may also
+	 * fail if the MAC key has been recently refreshed.
+	 */
+	if (ss->opt.bypassPKCS11) {
+	    hmac_ctx = (HMACContext *)hmac_ctx_buf;
+	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+	    if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+		    sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
+		goto no_ticket;
+	    HMAC_Begin(hmac_ctx);
+	    HMAC_Update(hmac_ctx, extension_data.data,
+		extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+	    if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+		    sizeof(computed_mac)) != SECSuccess)
+		goto no_ticket;
+	} else {
+	    SECItem macParam;
+	    macParam.data = NULL;
+	    macParam.len = 0;
+	    hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+		CKA_SIGN, mac_key_pkcs11, &macParam);
+	    if (!hmac_ctx_pkcs11) {
+		SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
+			    SSL_GETPID(), ss->fd, PORT_GetError()));
+		goto no_ticket;
+	    } else {
+		SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
+			    SSL_GETPID(), ss->fd));
+	    }
+	    rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+	    rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
+		extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+	    if (rv != SECSuccess) {
+		PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+		goto no_ticket;
+	    }
+	    rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+		&computed_mac_length, sizeof(computed_mac));
+	    PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+	    if (rv != SECSuccess)
+		goto no_ticket;
+	}
+	if (PORT_Memcmp(computed_mac, enc_session_ticket.mac,
+		computed_mac_length) != 0) {
+	    SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
+			SSL_GETPID(), ss->fd));
+	    goto no_ticket;
+	}
+
+	/* We ignore key_name for now.
+	 * This is ok as MAC verification succeeded.
+	 */
+
+	/* Decrypt the ticket. */
+
+	/* Plaintext is shorter than the ciphertext due to padding. */
+	decrypted_state = SECITEM_AllocItem(NULL, NULL,
+	    enc_session_ticket.encrypted_state.len);
+
+	if (ss->opt.bypassPKCS11) {
+	    aes_ctx = (AESContext *)aes_ctx_buf;
+	    rv = AES_InitContext(aes_ctx, aes_key,
+		sizeof(session_ticket_enc_key), enc_session_ticket.iv,
+		NSS_AES_CBC, 0,AES_BLOCK_SIZE);
+	    if (rv != SECSuccess) {
+		SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+			    SSL_GETPID(), ss->fd));
+		goto no_ticket;
+	    }
+
+	    rv = AES_Decrypt(aes_ctx, decrypted_state->data,
+		&decrypted_state->len, decrypted_state->len,
+		enc_session_ticket.encrypted_state.data,
+		enc_session_ticket.encrypted_state.len);
+	    if (rv != SECSuccess)
+		goto no_ticket;
+	} else {
+	    SECItem ivItem;
+	    ivItem.data = enc_session_ticket.iv;
+	    ivItem.len = AES_BLOCK_SIZE;
+	    aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+		CKA_DECRYPT, aes_key_pkcs11, &ivItem);
+	    if (!aes_ctx_pkcs11) {
+		SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+			    SSL_GETPID(), ss->fd));
+		goto no_ticket;
+	    }
+
+	    rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
+		(int *)&decrypted_state->len, decrypted_state->len,
+		enc_session_ticket.encrypted_state.data,
+		enc_session_ticket.encrypted_state.len);
+	    PK11_Finalize(aes_ctx_pkcs11);
+	    PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+	    if (rv != SECSuccess)
+		goto no_ticket;
+	}
+
+	/* Check padding. */
+	padding_length = 
+	    (PRUint32)decrypted_state->data[decrypted_state->len - 1];
+	if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
+	    goto no_ticket;
+
+	padding = &decrypted_state->data[decrypted_state->len - padding_length];
+	for (i = 0; i < padding_length; i++, padding++) {
+	    if (padding_length != (PRUint32)*padding)
+		goto no_ticket;
+	}
+
+	/* Deserialize session state. */
+	buffer = decrypted_state->data;
+	buffer_len = decrypted_state->len;
+
+	parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
+	if (parsed_session_ticket == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* Read ticket_version (which is ignored for now.) */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
+
+	/* Read SSLVersion. */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
+
+	/* Read cipher_suite. */
+	temp =  ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
+
+	/* Read compression_method. */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->compression_method = (SSL3CompressionMethod)temp;
+
+	/* Read cipher spec parameters. */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
+	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->authKeyBits = (PRUint32)temp;
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->keaType = (SSLKEAType)temp;
+	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->keaKeyBits = (PRUint32)temp;
+
+	/* Read wrapped master_secret. */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
+
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
+
+	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
+
+	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+	if (temp < 0) goto no_ticket;
+	parsed_session_ticket->ms_length = (PRUint16)temp;
+	if (parsed_session_ticket->ms_length == 0 ||  /* sanity check MS. */
+	    parsed_session_ticket->ms_length >
+	    sizeof(parsed_session_ticket->master_secret))
+	    goto no_ticket;
+	
+	/* Allow for the wrapped master secret to be longer. */
+	if (buffer_len < sizeof(SSL3_MASTER_SECRET_LENGTH))
+	    goto no_ticket;
+	PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
+	    parsed_session_ticket->ms_length);
+	buffer += parsed_session_ticket->ms_length;
+	buffer_len -= parsed_session_ticket->ms_length;
+
+	/* Read client_identity */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+	if (temp < 0)
+	    goto no_ticket;
+	parsed_session_ticket->client_identity.client_auth_type = 
+	    (ClientAuthenticationType)temp;
+	switch(parsed_session_ticket->client_identity.client_auth_type) {
+            case CLIENT_AUTH_ANONYMOUS:
+		break;
+            case CLIENT_AUTH_CERTIFICATE:
+		rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
+		    &buffer, &buffer_len);
+		if (rv != SECSuccess) goto no_ticket;
+		rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
+		    &cert_item);
+		if (rv != SECSuccess) goto no_ticket;
+		break;
+            default:
+		goto no_ticket;
+	}
+	/* Read timestamp. */
+	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+	if (temp < 0)
+	    goto no_ticket;
+	parsed_session_ticket->timestamp = (PRUint32)temp;
+
+	/* Done parsing.  Check that all bytes have been consumed. */
+	if (buffer_len != padding_length)
+	    goto no_ticket;
+
+	/* Use the ticket if it has not expired, otherwise free the allocated
+	 * memory since the ticket is of no use.
+	 */
+	if (parsed_session_ticket->timestamp != 0 &&
+	    parsed_session_ticket->timestamp +
+	    TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
+
+	    sid = ssl3_NewSessionID(ss, PR_TRUE);
+	    if (sid == NULL) {
+		rv = SECFailure;
+		goto loser;
+	    }
+
+	    /* Copy over parameters. */
+	    sid->version = parsed_session_ticket->ssl_version;
+	    sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
+	    sid->u.ssl3.compression = parsed_session_ticket->compression_method;
+	    sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
+	    sid->authKeyBits = parsed_session_ticket->authKeyBits;
+	    sid->keaType = parsed_session_ticket->keaType;
+	    sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
+
+	    /* Copy master secret. */
+	    if (ss->opt.bypassPKCS11 &&
+		    parsed_session_ticket->ms_is_wrapped)
+		goto no_ticket;
+	    if (parsed_session_ticket->ms_length >
+		    sizeof(sid->u.ssl3.keys.wrapped_master_secret))
+		goto no_ticket;
+	    PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
+		parsed_session_ticket->master_secret,
+		parsed_session_ticket->ms_length);
+	    sid->u.ssl3.keys.wrapped_master_secret_len =
+		parsed_session_ticket->ms_length;
+	    sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
+	    sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
+	    sid->u.ssl3.keys.msIsWrapped =
+		parsed_session_ticket->ms_is_wrapped;
+	    sid->u.ssl3.masterValid    = PR_TRUE;
+	    sid->u.ssl3.keys.resumable = PR_TRUE;
+
+	    /* Copy over client cert from session ticket if there is one. */
+	    if (parsed_session_ticket->peer_cert.data != NULL) {
+		if (sid->peerCert != NULL)
+		    CERT_DestroyCertificate(sid->peerCert);
+		sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
+		    &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
+		if (sid->peerCert == NULL) {
+		    rv = SECFailure;
+		    goto loser;
+		}
+	    }
+	    ss->statelessResume = PR_TRUE;
+	    ss->sec.ci.sid = sid;
+	}
+    }
+
+    if (0) {
+no_ticket:
+	SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
+			SSL_GETPID(), ss->fd));
+	ssl3stats = SSL_GetStatistics();
+	SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
+	if (sid) {
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (decrypted_state != NULL) {
+	SECITEM_FreeItem(decrypted_state, PR_TRUE);
+	decrypted_state = NULL;
+    }
+
+    if (parsed_session_ticket != NULL) {
+	if (parsed_session_ticket->peer_cert.data) {
+	    SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
+	}
+	PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
+    }
+
+    return rv;
+}
+
+/*
+ * Read bytes.  Using this function means the SECItem structure
+ * cannot be freed.  The caller is expected to call this function
+ * on a shallow copy of the structure.
+ */
+static SECStatus 
+ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
+{
+    if (bytes > item->len)
+	return SECFailure;
+
+    *buf = item->data;
+    item->data += bytes;
+    item->len -= bytes;
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
+                                 EncryptedSessionTicket *enc_session_ticket)
+{
+    if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
+	    SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
+	return SECFailure;
+    if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
+	    AES_BLOCK_SIZE) != SECSuccess)
+	return SECFailure;
+    if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
+	    2, &data->data, &data->len) != SECSuccess)
+	return SECFailure;
+    if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
+	    TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
+	return SECFailure;
+    if (data->len != 0)  /* Make sure that we have consumed all bytes. */
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/* go through hello extensions in buffer "b".
+ * For each one, find the extension handler in the table, and 
+ * if present, invoke that handler.  
+ * Servers ignore any extensions with unknown extension types.
+ * Clients reject any extensions with unadvertised extension types.
+ */
+SECStatus 
+ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
+{
+    const ssl3HelloExtensionHandler * handlers =
+	ss->sec.isServer ? clientHelloHandlers : serverHelloHandlers;
+
+    while (*length) {
+	const ssl3HelloExtensionHandler * handler;
+	SECStatus rv;
+	PRInt32   extension_type;
+	SECItem   extension_data;
+
+	/* Get the extension's type field */
+	extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
+	if (extension_type < 0)  /* failure to decode extension_type */
+	    return SECFailure;   /* alert already sent */
+
+	/* get the data for this extension, so we can pass it or skip it. */
+	rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/* Check whether the server sent an extension which was not advertised
+	 * in the ClientHello.
+	 */
+	if (!ss->sec.isServer &&
+	    !ssl3_ClientExtensionAdvertised(ss, extension_type))
+	    return SECFailure;  /* TODO: send unsupported_extension alert */
+
+	/* Check whether an extension has been sent multiple times. */
+	if (ssl3_ExtensionNegotiated(ss, extension_type))
+	    return SECFailure;
+
+	/* find extension_type in table of Hello Extension Handlers */
+	for (handler = handlers; handler->ex_type >= 0; handler++) {
+	    /* if found, call this handler */
+	    if (handler->ex_type == extension_type) {
+		rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 
+	                                         	&extension_data);
+		/* Ignore this result */
+		/* Treat all bad extensions as unrecognized types. */
+	        break;
+	    }
+	}
+    }
+    return SECSuccess;
+}
+
+/* Add a callback function to the table of senders of server hello extensions.
+ */
+SECStatus 
+ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
+				        ssl3HelloExtensionSenderFunc cb)
+{
+    int i;
+    ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0];
+
+    for (i = 0; i < MAX_EXTENSIONS; ++i, ++sender) {
+        if (!sender->ex_sender) {
+	    sender->ex_type   = ex_type;
+	    sender->ex_sender = cb;
+	    return SECSuccess;
+	}
+	/* detect duplicate senders */
+	PORT_Assert(sender->ex_type != ex_type);
+	if (sender->ex_type == ex_type) {
+	    /* duplicate */
+	    break;
+	}
+    }
+    PORT_Assert(i < MAX_EXTENSIONS); /* table needs to grow */
+    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    return SECFailure;
+}
+
+/* call each of the extension senders and return the accumulated length */
+PRInt32
+ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
+                               const ssl3HelloExtensionSender *sender)
+{
+    PRInt32 total_exten_len = 0;
+    int i;
+
+    if (!sender)
+    	sender = &clientHelloSenders[0];
+
+    for (i = 0; i < MAX_EXTENSIONS; ++i, ++sender) {
+	if (sender->ex_sender) {
+	    PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
+	    if (extLen < 0)
+	    	return -1;
+	    maxBytes        -= extLen;
+	    total_exten_len += extLen;
+	}
+    }
+    return total_exten_len;
+}
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
new file mode 100644
index 000000000..4465c4359
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -0,0 +1,239 @@
+/*
+ * Gather (Read) entire SSL3 records from socket into buffer.  
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "ssl3prot.h"
+
+/* 
+ * Attempt to read in an entire SSL3 record.
+ * Blocks here for blocking sockets, otherwise returns -1 with 
+ * 	PR_WOULD_BLOCK_ERROR when socket would block.
+ *
+ * returns  1 if received a complete SSL3 record.
+ * returns  0 if recv returns EOF
+ * returns -1 if recv returns <0  
+ *	(The error value may have already been set to PR_WOULD_BLOCK_ERROR)
+ *
+ * Caller must hold the recv buf lock.
+ *
+ * The Gather state machine has 3 states:  GS_INIT, GS_HEADER, GS_DATA.
+ * GS_HEADER: waiting for the 5-byte SSL3 record header to come in.
+ * GS_DATA:   waiting for the body of the SSL3 record   to come in.
+ *
+ * This loop returns when either (a) an error or EOF occurs, 
+ *	(b) PR_WOULD_BLOCK_ERROR,
+ * 	(c) data (entire SSL3 record) has been received.
+ */
+static int
+ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
+{
+    unsigned char *bp;
+    unsigned char *lbp;
+    int            nb;
+    int            err;
+    int            rv		= 1;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    if (gs->state == GS_INIT) {
+	gs->state       = GS_HEADER;
+	gs->remainder   = 5;
+	gs->offset      = 0;
+	gs->writeOffset = 0;
+	gs->readOffset  = 0;
+	gs->inbuf.len   = 0;
+    }
+    
+    lbp = gs->inbuf.buf;
+    for(;;) {
+	SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)",
+		SSL_GETPID(), ss->fd, gs->state, gs->remainder));
+	bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset;
+	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
+
+	if (nb > 0) {
+	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
+	} else if (nb == 0) {
+	    /* EOF */
+	    SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
+	    rv = 0;
+	    break;
+	} else /* if (nb < 0) */ {
+	    SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
+		     PR_GetError()));
+	    rv = SECFailure;
+	    break;
+	}
+
+	PORT_Assert( nb <= gs->remainder );
+	if (nb > gs->remainder) {
+	    /* ssl_DefRecv is misbehaving!  this error is fatal to SSL. */
+	    gs->state = GS_INIT;         /* so we don't crash next time */
+	    rv = SECFailure;
+	    break;
+	}
+
+	gs->offset    += nb;
+	gs->remainder -= nb;
+	if (gs->state == GS_DATA)
+	    gs->inbuf.len += nb;
+
+	/* if there's more to go, read some more. */
+	if (gs->remainder > 0) {
+	    continue;
+	}
+
+	/* have received entire record header, or entire record. */
+	switch (gs->state) {
+	case GS_HEADER:
+	    /*
+	    ** Have received SSL3 record header in gs->hdr.
+	    ** Now extract the length of the following encrypted data, 
+	    ** and then read in the rest of the SSL3 record into gs->inbuf.
+	    */
+	    gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4];
+
+	    /* This is the max fragment length for an encrypted fragment
+	    ** plus the size of the record header.
+	    */
+	    if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) {
+		SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+		gs->state = GS_INIT;
+		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		return SECFailure;
+	    }
+
+	    gs->state     = GS_DATA;
+	    gs->offset    = 0;
+	    gs->inbuf.len = 0;
+
+	    if (gs->remainder > gs->inbuf.space) {
+		err = sslBuffer_Grow(&gs->inbuf, gs->remainder);
+		if (err) {	/* realloc has set error code to no mem. */
+		    return err;
+		}
+		lbp = gs->inbuf.buf;
+	    }
+	    break;	/* End this case.  Continue around the loop. */
+
+
+	case GS_DATA:
+	    /* 
+	    ** SSL3 record has been completely received.
+	    */
+	    gs->state = GS_INIT;
+	    return 1;
+	}
+    }
+
+    return rv;
+}
+
+/* Gather in a record and when complete, Handle that record.
+ * Repeat this until the handshake is complete, 
+ * or until application data is available.
+ *
+ * Returns  1 when the handshake is completed without error, or 
+ *                 application data is available.
+ * Returns  0 if ssl3_GatherData hits EOF.
+ * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
+ *
+ * Called from ssl_GatherRecord1stHandshake       in sslcon.c, 
+ *    and from SSL_ForceHandshake in sslsecur.c
+ *    and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c).
+ *
+ * Caller must hold the recv buf lock.
+ */
+int
+ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+{
+    SSL3Ciphertext cText;
+    int            rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    do {
+	/* bring in the next sslv3 record. */
+	rv = ssl3_GatherData(ss, &ss->gs, flags);
+	if (rv <= 0) {
+	    return rv;
+	}
+	
+	/* decipher it, and handle it if it's a handshake. 
+	 * If it's application data, ss->gs.buf will not be empty upon return. 
+	 */
+	cText.type    = (SSL3ContentType)ss->gs.hdr[0];
+	cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
+	cText.buf     = &ss->gs.inbuf;
+	rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
+	if (rv < 0) {
+	    return ss->recvdCloseNotify ? 0 : rv;
+	}
+    } while (ss->ssl3.hs.ws != idle_handshake && ss->gs.buf.len == 0);
+
+    ss->gs.readOffset = 0;
+    ss->gs.writeOffset = ss->gs.buf.len;
+    return 1;
+}
+
+/* Repeatedly gather in a record and when complete, Handle that record.
+ * Repeat this until some application data is received.
+ *
+ * Returns  1 when application data is available.
+ * Returns  0 if ssl3_GatherData hits EOF.
+ * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
+ *
+ * Called from DoRecv in sslsecur.c
+ * Caller must hold the recv buf lock.
+ */
+int
+ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
+{
+    int            rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    do {
+	rv = ssl3_GatherCompleteHandshake(ss, flags);
+    } while (rv > 0 && ss->gs.buf.len == 0);
+
+    return rv;
+}
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
new file mode 100644
index 000000000..e410b1cfd
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -0,0 +1,363 @@
+/* Private header file of libSSL.
+ * Various and sundry protocol constants. DON'T CHANGE THESE. These
+ * values are defined by the SSL 3.0 protocol specification.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __ssl3proto_h_
+#define __ssl3proto_h_
+
+typedef uint8 SSL3Opaque;
+
+typedef uint16 SSL3ProtocolVersion;
+/* version numbers are defined in sslproto.h */
+
+typedef uint16 ssl3CipherSuite;
+/* The cipher suites are defined in sslproto.h */
+
+#define MAX_CERT_TYPES			10
+#define MAX_COMPRESSION_METHODS		10
+#define MAX_MAC_LENGTH			64
+#define MAX_PADDING_LENGTH		64
+#define MAX_KEY_LENGTH			64
+#define EXPORT_KEY_LENGTH		 5
+#define SSL3_RANDOM_LENGTH		32
+
+#define SSL3_RECORD_HEADER_LENGTH	 5
+
+#define MAX_FRAGMENT_LENGTH		16384
+     
+typedef enum {
+    content_change_cipher_spec = 20, 
+    content_alert              = 21,
+    content_handshake          = 22, 
+    content_application_data   = 23
+} SSL3ContentType;
+
+typedef struct {
+    SSL3ContentType     type;
+    SSL3ProtocolVersion version;
+    uint16              length;
+    SECItem             fragment;
+} SSL3Plaintext;
+
+typedef struct {
+    SSL3ContentType     type;
+    SSL3ProtocolVersion version;
+    uint16              length;
+    SECItem             fragment;
+} SSL3Compressed;
+
+typedef struct {
+    SECItem    content;
+    SSL3Opaque MAC[MAX_MAC_LENGTH];
+} SSL3GenericStreamCipher;
+
+typedef struct {
+    SECItem    content;
+    SSL3Opaque MAC[MAX_MAC_LENGTH];
+    uint8      padding[MAX_PADDING_LENGTH];
+    uint8      padding_length;
+} SSL3GenericBlockCipher;
+
+typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
+
+typedef struct {
+    SSL3ChangeCipherSpecChoice choice;
+} SSL3ChangeCipherSpec;
+
+typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
+
+typedef enum {
+    close_notify            = 0,
+    unexpected_message      = 10,
+    bad_record_mac          = 20,
+    decryption_failed       = 21,	/* TLS only */
+    record_overflow         = 22,	/* TLS only */
+    decompression_failure   = 30,
+    handshake_failure       = 40,
+    no_certificate          = 41,	/* SSL3 only, NOT TLS */
+    bad_certificate         = 42,
+    unsupported_certificate = 43,
+    certificate_revoked     = 44,
+    certificate_expired     = 45,
+    certificate_unknown     = 46,
+    illegal_parameter       = 47,
+
+/* All alerts below are TLS only. */
+    unknown_ca              = 48,
+    access_denied           = 49,
+    decode_error            = 50,
+    decrypt_error           = 51,
+    export_restriction      = 60,
+    protocol_version        = 70,
+    insufficient_security   = 71,
+    internal_error          = 80,
+    user_canceled           = 90,
+    no_renegotiation        = 100,
+
+/* Alerts for client hello extensions */
+    unsupported_extension           = 110,
+    certificate_unobtainable        = 111,
+    unrecognized_name               = 112,
+    bad_certificate_status_response = 113,
+    bad_certificate_hash_value      = 114
+
+} SSL3AlertDescription;
+
+typedef struct {
+    SSL3AlertLevel       level;
+    SSL3AlertDescription description;
+} SSL3Alert;
+
+typedef enum {
+    hello_request	= 0, 
+    client_hello	= 1, 
+    server_hello	= 2,
+    new_session_ticket	= 4,
+    certificate 	= 11, 
+    server_key_exchange = 12,
+    certificate_request	= 13, 
+    server_hello_done	= 14,
+    certificate_verify	= 15, 
+    client_key_exchange	= 16, 
+    finished		= 20
+} SSL3HandshakeType;
+
+typedef struct {
+    uint8 empty;
+} SSL3HelloRequest;
+     
+typedef struct {
+    SSL3Opaque rand[SSL3_RANDOM_LENGTH];
+} SSL3Random;
+     
+typedef struct {
+    SSL3Opaque id[32];
+    uint8 length;
+} SSL3SessionID;
+     
+typedef enum { compression_null = 0 } SSL3CompressionMethod;
+     
+typedef struct {
+    SSL3ProtocolVersion   client_version;
+    SSL3Random            random;
+    SSL3SessionID         session_id;
+    SECItem               cipher_suites;
+    uint8                 cm_count;
+    SSL3CompressionMethod compression_methods[MAX_COMPRESSION_METHODS];
+} SSL3ClientHello;
+     
+typedef struct  {
+    SSL3ProtocolVersion   server_version;
+    SSL3Random            random;
+    SSL3SessionID         session_id;
+    ssl3CipherSuite       cipher_suite;
+    SSL3CompressionMethod compression_method;
+} SSL3ServerHello;
+     
+typedef struct {
+    SECItem list;
+} SSL3Certificate;
+
+/* SSL3SignType moved to ssl.h */
+
+/* The SSL key exchange method used */     
+typedef enum {
+    kea_null, 
+    kea_rsa, 
+    kea_rsa_export,
+    kea_rsa_export_1024,
+    kea_dh_dss, 
+    kea_dh_dss_export, 
+    kea_dh_rsa, 
+    kea_dh_rsa_export,
+    kea_dhe_dss, 
+    kea_dhe_dss_export, 
+    kea_dhe_rsa, 
+    kea_dhe_rsa_export,
+    kea_dh_anon, 
+    kea_dh_anon_export, 
+    kea_rsa_fips,
+    kea_ecdh_ecdsa,
+    kea_ecdhe_ecdsa,
+    kea_ecdh_rsa,
+    kea_ecdhe_rsa,
+    kea_ecdh_anon
+} SSL3KeyExchangeAlgorithm;
+     
+typedef struct {
+    SECItem modulus;
+    SECItem exponent;
+} SSL3ServerRSAParams;
+
+typedef struct {
+    SECItem p;
+    SECItem g;
+    SECItem Ys;
+} SSL3ServerDHParams;
+
+typedef struct {
+    union {
+	SSL3ServerDHParams dh;
+	SSL3ServerRSAParams rsa;
+    } u;
+} SSL3ServerParams;
+
+typedef struct {
+    uint8 md5[16];
+    uint8 sha[20];
+} SSL3Hashes;
+     
+typedef struct {
+    union {
+	SSL3Opaque anonymous;
+	SSL3Hashes certified;
+    } u;
+} SSL3ServerKeyExchange;
+     
+typedef enum {
+    ct_RSA_sign 	=  1, 
+    ct_DSS_sign 	=  2, 
+    ct_RSA_fixed_DH 	=  3,
+    ct_DSS_fixed_DH 	=  4, 
+    ct_RSA_ephemeral_DH =  5, 
+    ct_DSS_ephemeral_DH =  6,
+    ct_ECDSA_sign	=  64, 
+    ct_RSA_fixed_ECDH	=  65, 
+    ct_ECDSA_fixed_ECDH	=  66 
+
+} SSL3ClientCertificateType;
+     
+typedef SECItem *SSL3DistinquishedName;
+
+typedef struct {
+    SSL3Opaque client_version[2];
+    SSL3Opaque random[46];
+} SSL3RSAPreMasterSecret;
+     
+typedef SECItem SSL3EncryptedPreMasterSecret;
+
+
+typedef SSL3Opaque SSL3MasterSecret[48];
+
+typedef enum { implicit, explicit } SSL3PublicValueEncoding;
+     
+typedef struct {
+    union {
+	SSL3Opaque implicit;
+	SECItem    explicit;
+    } dh_public;
+} SSL3ClientDiffieHellmanPublic;
+     
+typedef struct {
+    union {
+	SSL3EncryptedPreMasterSecret  rsa;
+	SSL3ClientDiffieHellmanPublic diffie_helman;
+    } exchange_keys;
+} SSL3ClientKeyExchange;
+
+typedef SSL3Hashes SSL3PreSignedCertificateVerify;
+
+typedef SECItem SSL3CertificateVerify;
+
+typedef enum {
+    sender_client = 0x434c4e54,
+    sender_server = 0x53525652
+} SSL3Sender;
+
+typedef SSL3Hashes SSL3Finished;   
+
+typedef struct {
+    SSL3Opaque verify_data[12];
+} TLSFinished;
+
+/*
+ * TLS extension related data structures and constants.
+ */ 
+
+/* SessionTicket extension related data structures. */
+
+/* NewSessionTicket handshake message. */
+typedef struct {
+    uint32  received_timestamp;
+    uint32  ticket_lifetime_hint;
+    SECItem ticket;
+} NewSessionTicket;
+
+typedef enum {
+    CLIENT_AUTH_ANONYMOUS   = 0,
+    CLIENT_AUTH_CERTIFICATE = 1
+} ClientAuthenticationType;
+
+typedef struct {
+    ClientAuthenticationType client_auth_type;
+    union {
+	SSL3Opaque *certificate_list;
+    } identity;
+} ClientIdentity;
+
+#define SESS_TICKET_KEY_NAME_LEN       16
+#define SESS_TICKET_KEY_NAME_PREFIX    "NSS!"
+#define SESS_TICKET_KEY_NAME_PREFIX_LEN 4
+#define SESS_TICKET_KEY_VAR_NAME_LEN   12
+
+typedef struct {
+    unsigned char *key_name;
+    unsigned char *iv;
+    SECItem encrypted_state;
+    unsigned char *mac;
+} EncryptedSessionTicket;
+
+/* Supported extensions. */
+/* Update MAX_EXTENSIONS whenever a new extension type is added. */
+typedef enum {
+    server_name_xtn              = 0,
+#ifdef NSS_ENABLE_ECC
+    elliptic_curves_xtn          = 10,
+    ec_point_formats_xtn         = 11,
+#endif
+    session_ticket_xtn           = 35
+} ExtensionType;
+
+#define MAX_EXTENSIONS             4
+
+#define TLS_EX_SESS_TICKET_MAC_LENGTH       32
+
+#endif /* __ssl3proto_h_ */
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c
new file mode 100644
index 000000000..45108afd7
--- /dev/null
+++ b/security/nss/lib/ssl/sslauth.c
@@ -0,0 +1,273 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "cert.h"
+#include "secitem.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "pk11func.h"
+
+/* NEED LOCKS IN HERE.  */
+CERTCertificate *
+SSL_PeerCertificate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+		 SSL_GETPID(), fd));
+	return 0;
+    }
+    if (ss->opt.useSecurity && ss->sec.peerCert) {
+	return CERT_DupCertificate(ss->sec.peerCert);
+    }
+    return 0;
+}
+
+/* NEED LOCKS IN HERE.  */
+CERTCertificate *
+SSL_LocalCertificate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+		 SSL_GETPID(), fd));
+	return NULL;
+    }
+    if (ss->opt.useSecurity) {
+    	if (ss->sec.localCert) {
+	    return CERT_DupCertificate(ss->sec.localCert);
+	}
+	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
+	    return CERT_DupCertificate(ss->sec.ci.sid->localCert);
+	}
+    }
+    return NULL;
+}
+
+
+
+/* NEED LOCKS IN HERE.  */
+SECStatus
+SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
+		   char **ip, char **sp)
+{
+    sslSocket *ss;
+    const char *cipherName;
+    PRBool isDes = PR_FALSE;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (cp) *cp = 0;
+    if (kp0) *kp0 = 0;
+    if (kp1) *kp1 = 0;
+    if (ip) *ip = 0;
+    if (sp) *sp = 0;
+    if (op) {
+	*op = SSL_SECURITY_STATUS_OFF;
+    }
+
+    if (ss->opt.useSecurity && ss->firstHsDone) {
+
+	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+	    cipherName = ssl_cipherName[ss->sec.cipherType];
+	} else {
+	    cipherName = ssl3_cipherName[ss->sec.cipherType];
+	}
+	PORT_Assert(cipherName);
+	if (cipherName) {
+            if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+
+            if (cp) {
+                *cp = PORT_Strdup(cipherName);
+            }
+        }
+
+	if (kp0) {
+	    *kp0 = ss->sec.keyBits;
+	    if (isDes) *kp0 = (*kp0 * 7) / 8;
+	}
+	if (kp1) {
+	    *kp1 = ss->sec.secretKeyBits;
+	    if (isDes) *kp1 = (*kp1 * 7) / 8;
+	}
+	if (op) {
+	    if (ss->sec.keyBits == 0) {
+		*op = SSL_SECURITY_STATUS_OFF;
+	    } else if (ss->sec.secretKeyBits < 90) {
+		*op = SSL_SECURITY_STATUS_ON_LOW;
+
+	    } else {
+		*op = SSL_SECURITY_STATUS_ON_HIGH;
+	    }
+	}
+
+	if (ip || sp) {
+	    CERTCertificate *cert;
+
+	    cert = ss->sec.peerCert;
+	    if (cert) {
+		if (ip) {
+		    *ip = CERT_NameToAscii(&cert->issuer);
+		}
+		if (sp) {
+		    *sp = CERT_NameToAscii(&cert->subject);
+		}
+	    } else {
+		if (ip) {
+		    *ip = PORT_Strdup("no certificate");
+		}
+		if (sp) {
+		    *sp = PORT_Strdup("no certificate");
+		}
+	    }
+	}
+    }
+
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+/* NEED LOCKS IN HERE.  */
+SECStatus
+SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->authCertificate = func;
+    ss->authCertificateArg = arg;
+
+    return SECSuccess;
+}
+
+/* NEED LOCKS IN HERE.  */
+SECStatus 
+SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
+			      void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->getClientAuthData = func;
+    ss->getClientAuthDataArg = arg;
+    return SECSuccess;
+}
+
+/* NEED LOCKS IN HERE.  */
+SECStatus 
+SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->pkcs11PinArg = arg;
+    return SECSuccess;
+}
+
+
+/* This is the "default" authCert callback function.  It is called when a 
+ * certificate message is received from the peer and the local application
+ * has not registered an authCert callback function.
+ */
+SECStatus
+SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
+{
+    SECStatus          rv;
+    CERTCertDBHandle * handle;
+    sslSocket *        ss;
+    SECCertUsage       certUsage;
+    const char *             hostname    = NULL;
+    
+    ss = ssl_FindSocket(fd);
+    PORT_Assert(ss != NULL);
+    if (!ss) {
+	return SECFailure;
+    }
+
+    handle = (CERTCertDBHandle *)arg;
+
+    /* this may seem backwards, but isn't. */
+    certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
+
+    rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,
+			    ss->pkcs11PinArg);
+
+    if ( rv != SECSuccess || isServer )
+	return rv;
+  
+    /* cert is OK.  This is the client side of an SSL connection.
+     * Now check the name field in the cert against the desired hostname.
+     * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
+     */
+    hostname = ss->url;
+    if (hostname && hostname[0])
+	rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
+    else 
+	rv = SECFailure;
+    if (rv != SECSuccess)
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
new file mode 100644
index 000000000..5edcd36af
--- /dev/null
+++ b/security/nss/lib/ssl/sslcon.c
@@ -0,0 +1,3832 @@
+/* 
+ * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "nssrenam.h"
+#include "cert.h"
+#include "secitem.h"
+#include "sechash.h"
+#include "cryptohi.h"		/* for SGN_ funcs */
+#include "keyhi.h" 		/* for SECKEY_ high level functions. */
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "ssl3prot.h"
+#include "sslerr.h"
+#include "pk11func.h"
+#include "prinit.h"
+#include "prtime.h" 	/* for PR_Now() */
+
+#define XXX
+static PRBool policyWasSet;
+
+/* This ordered list is indexed by (SSL_CK_xx * 3)   */
+/* Second and third bytes are MSB and LSB of master key length. */
+static const PRUint8 allCipherSuites[] = {
+    0,						0,    0,
+    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
+    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80,
+    SSL_CK_IDEA_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
+    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
+    0,						0,    0
+};
+
+#define ssl2_NUM_SUITES_IMPLEMENTED 6
+
+/* This list is sent back to the client when the client-hello message 
+ * contains no overlapping ciphers, so the client can report what ciphers
+ * are supported by the server.  Unlike allCipherSuites (above), this list
+ * is sorted by descending preference, not by cipherSuite number. 
+ */
+static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
+    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
+    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
+    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
+    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80
+};
+
+typedef struct ssl2SpecsStr {
+    PRUint8           nkm; /* do this many hashes to generate key material. */
+    PRUint8           nkd; /* size of readKey and writeKey in bytes. */
+    PRUint8           blockSize;
+    PRUint8           blockShift;
+    CK_MECHANISM_TYPE mechanism;
+    PRUint8           keyLen;	/* cipher symkey size in bytes. */
+    PRUint8           pubLen;	/* publicly reveal this many bytes of key. */
+    PRUint8           ivLen;	/* length of IV data at *ca.	*/
+} ssl2Specs;
+
+static const ssl2Specs ssl_Specs[] = {
+/* NONE                                 */ 
+				{  0,  0, 0, 0, },
+/* SSL_CK_RC4_128_WITH_MD5		*/ 
+				{  2, 16, 1, 0, CKM_RC4,       16,   0, 0, },
+/* SSL_CK_RC4_128_EXPORT40_WITH_MD5	*/ 
+				{  2, 16, 1, 0, CKM_RC4,       16,  11, 0, },
+/* SSL_CK_RC2_128_CBC_WITH_MD5		*/ 
+				{  2, 16, 8, 3, CKM_RC2_CBC,   16,   0, 8, },
+/* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	*/ 
+				{  2, 16, 8, 3, CKM_RC2_CBC,   16,  11, 8, },
+/* SSL_CK_IDEA_128_CBC_WITH_MD5		*/ 
+				{  0,  0, 0, 0, },
+/* SSL_CK_DES_64_CBC_WITH_MD5		*/ 
+				{  1,  8, 8, 3, CKM_DES_CBC,    8,   0, 8, },
+/* SSL_CK_DES_192_EDE3_CBC_WITH_MD5	*/ 
+				{  3, 24, 8, 3, CKM_DES3_CBC,  24,   0, 8, },
+};
+
+#define SET_ERROR_CODE	  /* reminder */
+#define TEST_FOR_FAILURE  /* reminder */
+
+/*
+** Put a string tag in the library so that we can examine an executable
+** and see what kind of security it supports.
+*/
+const char *ssl_version = "SECURITY_VERSION:"
+			" +us"
+			" +export"
+#ifdef TRACE
+			" +trace"
+#endif
+#ifdef DEBUG
+			" +debug"
+#endif
+			;
+
+const char * const ssl_cipherName[] = {
+    "unknown",
+    "RC4",
+    "RC4-Export",
+    "RC2-CBC",
+    "RC2-CBC-Export",
+    "IDEA-CBC",
+    "DES-CBC",
+    "DES-EDE3-CBC",
+    "unknown",
+    "unknown", /* was fortezza, NO LONGER USED */
+};
+
+
+/* bit-masks, showing which SSLv2 suites are allowed.
+ * lsb corresponds to first cipher suite in allCipherSuites[].
+ */
+static PRUint16	allowedByPolicy;          /* all off by default */
+static PRUint16	maybeAllowedByPolicy;     /* all off by default */
+static PRUint16	chosenPreference = 0xff;  /* all on  by default */
+
+/* bit values for the above two bit masks */
+#define SSL_CB_RC4_128_WITH_MD5              (1 << SSL_CK_RC4_128_WITH_MD5)
+#define SSL_CB_RC4_128_EXPORT40_WITH_MD5     (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
+#define SSL_CB_RC2_128_CBC_WITH_MD5          (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
+#define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
+#define SSL_CB_IDEA_128_CBC_WITH_MD5         (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
+#define SSL_CB_DES_64_CBC_WITH_MD5           (1 << SSL_CK_DES_64_CBC_WITH_MD5)
+#define SSL_CB_DES_192_EDE3_CBC_WITH_MD5     (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
+#define SSL_CB_IMPLEMENTED \
+   (SSL_CB_RC4_128_WITH_MD5              | \
+    SSL_CB_RC4_128_EXPORT40_WITH_MD5     | \
+    SSL_CB_RC2_128_CBC_WITH_MD5          | \
+    SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
+    SSL_CB_DES_64_CBC_WITH_MD5           | \
+    SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
+
+
+/* Construct a socket's list of cipher specs from the global default values.
+ */
+static SECStatus
+ssl2_ConstructCipherSpecs(sslSocket *ss) 
+{
+    PRUint8 *	        cs		= NULL;
+    unsigned int	allowed;
+    unsigned int	count;
+    int 		ssl3_count	= 0;
+    int 		final_count;
+    int 		i;
+    SECStatus 		rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    count = 0;
+    PORT_Assert(ss != 0);
+    allowed = !ss->opt.enableSSL2 ? 0 :
+    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+    while (allowed) {
+    	if (allowed & 1) 
+	    ++count;
+	allowed >>= 1;
+    }
+
+    /* Call ssl3_config_match_init() once here, 
+     * instead of inside ssl3_ConstructV2CipherSpecsHack(),
+     * because the latter gets called twice below, 
+     * and then again in ssl2_BeginClientHandshake().
+     */
+    ssl3_config_match_init(ss);
+
+    /* ask SSL3 how many cipher suites it has. */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
+    if (rv < 0) 
+	return rv;
+    count += ssl3_count;
+
+    /* Allocate memory to hold cipher specs */
+    if (count > 0)
+	cs = (PRUint8*) PORT_Alloc(count * 3);
+    else
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    if (cs == NULL)
+    	return SECFailure;
+
+    if (ss->cipherSpecs != NULL) {
+	PORT_Free(ss->cipherSpecs);
+    }
+    ss->cipherSpecs     = cs;
+    ss->sizeCipherSpecs = count * 3;
+
+    /* fill in cipher specs for SSL2 cipher suites */
+    allowed = !ss->opt.enableSSL2 ? 0 :
+    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+    for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
+	const PRUint8 * hs = implementedCipherSuites + i;
+	int             ok = allowed & (1U << hs[0]);
+	if (ok) {
+	    cs[0] = hs[0];
+	    cs[1] = hs[1];
+	    cs[2] = hs[2];
+	    cs += 3;
+	}
+    }
+
+    /* now have SSL3 add its suites onto the end */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
+    
+    /* adjust for any difference between first pass and second pass */
+    ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
+
+    return rv;
+}
+
+/* This function is called immediately after ssl2_ConstructCipherSpecs()
+** at the beginning of a handshake.  It detects cases where a protocol
+** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
+** for that protocol have been disabled.  If such cases, it clears the 
+** enable bit for the protocol.  If no protocols remain enabled, or
+** if no cipher suites are found, it sets the error code and returns
+** SECFailure, otherwise it returns SECSuccess.
+*/
+static SECStatus
+ssl2_CheckConfigSanity(sslSocket *ss)
+{
+    unsigned int      allowed;
+    int               ssl3CipherCount = 0;
+    SECStatus         rv;
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    if (!ss->cipherSpecs)
+    	goto disabled;
+
+    allowed = ss->allowedByPolicy & ss->chosenPreference;
+    if (! allowed)
+	ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
+
+    /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
+    /* Ask how many ssl3 CipherSuites were enabled. */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
+    if (rv != SECSuccess || ssl3CipherCount <= 0) {
+	ss->opt.enableSSL3 = PR_FALSE; /* not really enabled if no ciphers */
+	ss->opt.enableTLS  = PR_FALSE;
+    }
+
+    if (!ss->opt.enableSSL2 && !ss->opt.enableSSL3 && !ss->opt.enableTLS) {
+	SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
+		 SSL_GETPID(), ss->fd));
+disabled:
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* 
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ */
+SECStatus
+ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
+{
+    PRUint32  bitMask;
+    SECStatus rv       = SECSuccess;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (policy == SSL_ALLOWED) {
+	allowedByPolicy 	|= bitMask;
+	maybeAllowedByPolicy 	|= bitMask;
+    } else if (policy == SSL_RESTRICTED) {
+    	allowedByPolicy 	&= ~bitMask;
+	maybeAllowedByPolicy 	|= bitMask;
+    } else {
+    	allowedByPolicy 	&= ~bitMask;
+    	maybeAllowedByPolicy 	&= ~bitMask;
+    }
+    allowedByPolicy 		&= SSL_CB_IMPLEMENTED;
+    maybeAllowedByPolicy 	&= SSL_CB_IMPLEMENTED;
+
+    policyWasSet = PR_TRUE;
+    return rv;
+}
+
+SECStatus
+ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
+{
+    PRUint32     bitMask;
+    PRInt32      policy;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    /* Caller assures oPolicy is not null. */
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*oPolicy = SSL_NOT_ALLOWED;
+    	return SECFailure;
+    }
+
+    if (maybeAllowedByPolicy & bitMask) {
+    	policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
+    } else {
+	policy = SSL_NOT_ALLOWED;
+    }
+
+    *oPolicy = policy;
+    return SECSuccess;
+}
+
+/* 
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ * Called from SSL_CipherPrefSetDefault in sslsock.c
+ * These changes have no effect on any sslSockets already created. 
+ */
+SECStatus
+ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+{
+    PRUint32     bitMask;
+    
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (enabled)
+	chosenPreference |= bitMask;
+    else
+    	chosenPreference &= ~bitMask;
+    chosenPreference &= SSL_CB_IMPLEMENTED;
+
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
+{
+    PRBool       rv       = PR_FALSE;
+    PRUint32     bitMask;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*enabled = PR_FALSE;
+    	return SECFailure;
+    }
+
+    rv = (PRBool)((chosenPreference & bitMask) != 0);
+    *enabled = rv;
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
+{
+    PRUint32     bitMask;
+    
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (enabled)
+	ss->chosenPreference |= bitMask;
+    else
+    	ss->chosenPreference &= ~bitMask;
+    ss->chosenPreference &= SSL_CB_IMPLEMENTED;
+
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
+{
+    PRBool       rv       = PR_FALSE;
+    PRUint32     bitMask;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*enabled = PR_FALSE;
+    	return SECFailure;
+    }
+
+    rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
+    *enabled = rv;
+    return SECSuccess;
+}
+
+
+/* copy global default policy into socket. */
+void      
+ssl2_InitSocketPolicy(sslSocket *ss)
+{
+    ss->allowedByPolicy		= allowedByPolicy;
+    ss->maybeAllowedByPolicy	= maybeAllowedByPolicy;
+    ss->chosenPreference 	= chosenPreference;
+}
+
+
+/************************************************************************/
+
+/* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
+ */
+static SECStatus
+ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey, 
+          int cipherChoice)
+{
+    switch (cipherChoice) {
+
+      case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+      case SSL_CK_RC2_128_CBC_WITH_MD5:
+      case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+      case SSL_CK_RC4_128_WITH_MD5:
+      case SSL_CK_DES_64_CBC_WITH_MD5:
+      case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	sec->hash = HASH_GetHashObject(HASH_AlgMD5);
+	SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
+	SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
+	break;
+
+      default:
+	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	return SECFailure;
+    }
+    sec->hashcx = (*sec->hash->create)();
+    if (sec->hashcx == NULL)
+	return SECFailure;
+    return SECSuccess;
+}
+
+/************************************************************************
+ * All the Send functions below must acquire and release the socket's 
+ * xmitBufLock.
+ */
+
+/* Called from all the Send* functions below. */
+static SECStatus
+ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
+
+    if (len < 128) {
+	len = 128;
+    }
+    if (len > ss->sec.ci.sendBuf.space) {
+	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
+	if (rv != SECSuccess) {
+	    SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
+		     SSL_GETPID(), ss->fd, len));
+	    rv = SECFailure;
+	}
+    }
+    return rv;
+}
+
+/* Called from:
+ * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
+ * ssl2_HandleRequestCertificate()     <- ssl2_HandleMessage() <- 
+ 					ssl_Do1stHandshake()
+ * ssl2_HandleMessage()                <- ssl_Do1stHandshake()
+ * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
+                                     after ssl2_BeginClientHandshake()
+ * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
+ * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake() 
+                                     after ssl2_BeginServerHandshake()
+ * 
+ * Acquires and releases the socket's xmitBufLock.
+ */	
+int
+ssl2_SendErrorMessage(sslSocket *ss, int error)
+{
+    int rv;
+    PRUint8 msg[SSL_HL_ERROR_HBYTES];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    msg[0] = SSL_MT_ERROR;
+    msg[1] = MSB(error);
+    msg[2] = LSB(error);
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
+
+    ss->handshakeBegun = 1;
+    rv = (*ss->sec.send)(ss, msg, sizeof(msg), 0);
+    if (rv >= 0) {
+	rv = SECSuccess;
+    }
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TryToFinish().  
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendClientFinishedMessage(sslSocket *ss)
+{
+    SECStatus        rv    = SECSuccess;
+    int              sent;
+    PRUint8    msg[1 + SSL_CONNECTIONID_BYTES];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    if (ss->sec.ci.sentFinished == 0) {
+	ss->sec.ci.sentFinished = 1;
+
+	SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
+		    SSL_GETPID(), ss->fd));
+
+	msg[0] = SSL_MT_CLIENT_FINISHED;
+	PORT_Memcpy(msg+1, ss->sec.ci.connectionID, 
+	            sizeof(ss->sec.ci.connectionID));
+
+	DUMP_MSG(29, (ss, msg, 1 + sizeof(ss->sec.ci.connectionID)));
+	sent = (*ss->sec.send)(ss, msg, 1 + sizeof(ss->sec.ci.connectionID), 0);
+	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+    }
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from 
+ * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
+ * ssl2_HandleClientHelloMessage()  <- ssl_Do1stHandshake() 
+                                      after ssl2_BeginServerHandshake()
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendServerVerifyMessage(sslSocket *ss)
+{
+    PRUint8 *        msg;
+    int              sendLen;
+    int              sent;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = 1 + SSL_CHALLENGE_BYTES;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_SERVER_VERIFY;
+    PORT_Memcpy(msg+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TryToFinish(). 
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendServerFinishedMessage(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    PRUint8 *        msg;
+    int              sendLen, sent;
+    SECStatus        rv    = SECSuccess;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    if (ss->sec.ci.sentFinished == 0) {
+	ss->sec.ci.sentFinished = 1;
+	PORT_Assert(ss->sec.ci.sid != 0);
+	sid = ss->sec.ci.sid;
+
+	SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
+		    SSL_GETPID(), ss->fd));
+
+	sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
+	rv = ssl2_GetSendBuffer(ss, sendLen);
+	if (rv != SECSuccess) {
+	    goto done;
+	}
+
+	msg = ss->sec.ci.sendBuf.buf;
+	msg[0] = SSL_MT_SERVER_FINISHED;
+	PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
+		    sizeof(sid->u.ssl2.sessionID));
+
+	DUMP_MSG(29, (ss, msg, sendLen));
+	sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+	if (sent < 0) {
+	    /* If send failed, it is now a bogus  session-id */
+	    (*ss->sec.uncache)(sid);
+	    rv = (SECStatus)sent;
+	} else if (!ss->opt.noCache) {
+	    /* Put the sid in session-id cache, (may already be there) */
+	    (*ss->sec.cache)(sid);
+	    rv = SECSuccess;
+	}
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid = 0;
+    }
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_ClientSetupSessionCypher() <- 
+ *						ssl2_HandleServerHelloMessage() 
+ *                                           after ssl2_BeginClientHandshake()
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
+		      PRUint8 *ca, int caLen,
+		      PRUint8 *ck, int ckLen,
+		      PRUint8 *ek, int ekLen)
+{
+    PRUint8 *        msg;
+    int              sendLen;
+    int              sent;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) 
+	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
+		SSL_GETPID(), ss->fd));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_MASTER_KEY;
+    msg[1] = cipher;
+    msg[2] = MSB(keySize);
+    msg[3] = LSB(keySize);
+    msg[4] = MSB(ckLen);
+    msg[5] = LSB(ckLen);
+    msg[6] = MSB(ekLen);
+    msg[7] = LSB(ekLen);
+    msg[8] = MSB(caLen);
+    msg[9] = LSB(caLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage() 
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendCertificateRequestMessage(sslSocket *ss)
+{
+    PRUint8 *        msg;
+    int              sent;
+    int              sendLen;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) 
+	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
+		SSL_GETPID(), ss->fd));
+
+    /* Generate random challenge for client to encrypt */
+    PK11_GenerateRandom(ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_REQUEST_CERTIFICATE;
+    msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
+    PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES, 
+                ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
+ *             ssl2_RestartHandshakeAfterCertReq() <- (application)
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static int
+ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert, 
+                                    SECItem *encCode)
+{
+    PRUint8 *msg;
+    int rv, sendLen;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv) 
+    	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
+		SSL_GETPID(), ss->fd));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_CERTIFICATE;
+    msg[1] = SSL_CT_X509_CERTIFICATE;
+    msg[2] = MSB(cert->len);
+    msg[3] = LSB(cert->len);
+    msg[4] = MSB(encCode->len);
+    msg[5] = LSB(encCode->len);
+    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
+    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
+	      encCode->data, encCode->len);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
+    if (rv >= 0) {
+	rv = SECSuccess;
+    }
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/********************************************************************
+**  Send functions above this line must aquire & release the socket's   
+**	xmitBufLock.  
+** All the ssl2_Send functions below this line are called vis ss->sec.send
+**	and require that the caller hold the xmitBufLock.
+*/
+
+/*
+** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
+*/
+static SECStatus
+ssl2_CalcMAC(PRUint8             * result, 
+	     sslSecurityInfo     * sec,
+	     const PRUint8       * data, 
+	     unsigned int          dataLen,
+	     unsigned int          paddingLen)
+{
+    const PRUint8 *      secret		= sec->sendSecret.data;
+    unsigned int         secretLen	= sec->sendSecret.len;
+    unsigned long        sequenceNumber = sec->sendSequence;
+    unsigned int         nout;
+    PRUint8              seq[4];
+    PRUint8              padding[32];/* XXX max blocksize? */
+
+    if (!sec->hash || !sec->hash->length)
+    	return SECSuccess;
+    if (!sec->hashcx)
+    	return SECFailure;
+
+    /* Reset hash function */
+    (*sec->hash->begin)(sec->hashcx);
+
+    /* Feed hash the data */
+    (*sec->hash->update)(sec->hashcx, secret, secretLen);
+    (*sec->hash->update)(sec->hashcx, data, dataLen);
+    PORT_Memset(padding, paddingLen, paddingLen);
+    (*sec->hash->update)(sec->hashcx, padding, paddingLen);
+
+    seq[0] = (PRUint8) (sequenceNumber >> 24);
+    seq[1] = (PRUint8) (sequenceNumber >> 16);
+    seq[2] = (PRUint8) (sequenceNumber >> 8);
+    seq[3] = (PRUint8) (sequenceNumber);
+
+    PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
+    PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
+    PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
+    PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
+
+    (*sec->hash->update)(sec->hashcx, seq, 4);
+
+    /* Get result */
+    (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
+
+    return SECSuccess;
+}
+
+/*
+** Maximum transmission amounts. These are tiny bit smaller than they
+** need to be (they account for the MAC length plus some padding),
+** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
+** long. This gives an additional 9 bytes of slop to work within.
+*/
+#define MAX_STREAM_CYPHER_LEN	0x7fe0
+#define MAX_BLOCK_CYPHER_LEN	0x3fe0
+
+/*
+** Send some data in the clear. 
+** Package up data with the length header and send it.
+**
+** Return count of bytes succesfully written, or negative number (failure).
+*/
+static PRInt32 
+ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8         * out;
+    int               rv;
+    int               amount;
+    int               count	= 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
+
+    while (len) {
+	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
+	if (amount + 2 > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, amount + 2);
+	    if (rv != SECSuccess) {
+		count = rv;
+		break;
+	    }
+	}
+	out = ss->sec.writeBuf.buf;
+
+	/*
+	** Construct message.
+	*/
+	out[0] = 0x80 | MSB(amount);
+	out[1] = LSB(amount);
+	PORT_Memcpy(&out[2], in, amount);
+
+	/* Now send the data */
+	rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		rv = 0;
+	    } else {
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		break;
+	    }
+	}
+
+	if ((unsigned)rv < (amount + 2)) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, out + rv, amount + 2 - rv) 
+	        == SECFailure) {
+		count = SECFailure;
+	    } else {
+		count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    break;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+    return count;
+}
+
+/*
+** Send some data, when using a stream cipher. Stream ciphers have a
+** block size of 1. Package up the data with the length header
+** and send it.
+*/
+static PRInt32 
+ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8       *  out;
+    int              rv;
+    int              count	= 0;
+
+    int              amount;
+    PRUint8          macLen;
+    int              nout;
+    int              buflen;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
+
+    while (len) {
+	ssl_GetSpecReadLock(ss);  /*************************************/
+
+	macLen = ss->sec.hash->length;
+	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
+	buflen = amount + 2 + macLen;
+	if (buflen > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+	out    = ss->sec.writeBuf.buf;
+	nout   = amount + macLen;
+	out[0] = 0x80 | MSB(nout);
+	out[1] = LSB(nout);
+
+	/* Calculate MAC */
+	rv = ssl2_CalcMAC(out+2, 		/* put MAC here */
+	                  &ss->sec, 
+		          in, amount, 		/* input addr & length */
+			  0); 			/* no padding */
+	if (rv != SECSuccess) 
+	    goto loser;
+
+	/* Encrypt MAC */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+2, &nout, macLen, out+2, macLen);
+	if (rv) goto loser;
+
+	/* Encrypt data from caller */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+2+macLen, &nout, amount, in, amount);
+	if (rv) goto loser;
+
+	ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+	PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
+
+	rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
+			     "saving data", SSL_GETPID(), ss->fd));
+		rv = 0;
+	    } else {
+		SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
+			     SSL_GETPID(), ss->fd, PORT_GetError()));
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		goto done;
+	    }
+	}
+
+	if ((unsigned)rv < buflen) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, out + rv, buflen - rv) == SECFailure) {
+		count = SECFailure;
+	    } else {
+	    	count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    goto done;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+done:
+    return count;
+
+loser:
+    ssl_ReleaseSpecReadLock(ss);
+    return SECFailure;
+}
+
+/*
+** Send some data, when using a block cipher. Package up the data with
+** the length header and send it.
+*/
+/* XXX assumes blocksize is > 7 */
+static PRInt32
+ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8       *  out;  		    /* begining of output buffer.    */
+    PRUint8       *  op;		    /* next output byte goes here.   */
+    int              rv;		    /* value from funcs we called.   */
+    int              count	= 0;        /* this function's return value. */
+
+    unsigned int     hlen;		    /* output record hdr len, 2 or 3 */
+    unsigned int     macLen;		    /* MAC is this many bytes long.  */
+    int              amount;		    /* of plaintext to go in record. */
+    unsigned int     padding;		    /* add this many padding byte.   */
+    int              nout;		    /* ciphertext size after header. */
+    int              buflen;		    /* size of generated record.     */
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", in, len));
+
+    while (len) {
+	ssl_GetSpecReadLock(ss);  /*************************************/
+
+	macLen = ss->sec.hash->length;
+	/* Figure out how much to send, including mac and padding */
+	amount  = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
+	nout    = amount + macLen;
+	padding = nout & (ss->sec.blockSize - 1);
+	if (padding) {
+	    hlen    = 3;
+	    padding = ss->sec.blockSize - padding;
+	    nout   += padding;
+	} else {
+	    hlen = 2;
+	}
+	buflen = hlen + nout;
+	if (buflen > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+	out = ss->sec.writeBuf.buf;
+
+	/* Construct header */
+	op = out;
+	if (padding) {
+	    *op++ = MSB(nout);
+	    *op++ = LSB(nout);
+	    *op++ = padding;
+	} else {
+	    *op++ = 0x80 | MSB(nout);
+	    *op++ = LSB(nout);
+	}
+
+	/* Calculate MAC */
+	rv = ssl2_CalcMAC(op, 		/* MAC goes here. */
+	                  &ss->sec, 
+		          in, amount, 	/* intput addr, len */
+			  padding);
+	if (rv != SECSuccess) 
+	    goto loser;
+	op += macLen;
+
+	/* Copy in the input data */
+	/* XXX could eliminate the copy by folding it into the encryption */
+	PORT_Memcpy(op, in, amount);
+	op += amount;
+	if (padding) {
+	    PORT_Memset(op, padding, padding);
+	    op += padding;
+	}
+
+	/* Encrypt result */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+hlen, &nout, buflen-hlen,
+			 out+hlen, op - (out + hlen));
+	if (rv) 
+	    goto loser;
+
+	ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+	PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
+
+	rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		rv = 0;
+	    } else {
+		SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
+			     SSL_GETPID(), ss->fd, PORT_GetError()));
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		goto done;
+	    }
+	}
+
+	if (rv < (op - out)) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, out + rv, op - out - rv) == SECFailure) {
+		count = SECFailure;
+	    } else {
+		count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    goto done;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+done:
+    return count;
+
+loser:
+    ssl_ReleaseSpecReadLock(ss);
+    return SECFailure;
+}
+
+/*
+** Called from: ssl2_HandleServerHelloMessage,
+**              ssl2_HandleClientSessionKeyMessage,
+**              ssl2_RestartHandshakeAfterServerCert,
+**              ssl2_HandleClientHelloMessage,
+**              
+*/
+static void
+ssl2_UseEncryptedSendFunc(sslSocket *ss)
+{
+    ssl_GetXmitBufLock(ss);
+    PORT_Assert(ss->sec.hashcx != 0);
+
+    ss->gs.encrypted = 1;
+    ss->sec.send = (ss->sec.blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
+    ssl_ReleaseXmitBufLock(ss);
+}
+
+/* Called while initializing socket in ssl_CreateSecurityInfo().
+** This function allows us to keep the name of ssl2_SendClear static.
+*/
+void
+ssl2_UseClearSendFunc(sslSocket *ss)
+{
+    ss->sec.send = ssl2_SendClear;
+}
+
+/************************************************************************
+** 			END of Send functions.                          * 
+*************************************************************************/
+
+/***********************************************************************
+ * For SSL3, this gathers in and handles records/messages until either 
+ *	the handshake is complete or application data is available.
+ *
+ * For SSL2, this gathers in only the next SSLV2 record.
+ *
+ * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
+ * Caller must hold handshake lock.
+ * This function acquires and releases the RecvBufLock.
+ *
+ * returns SECSuccess for success.
+ * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
+ *	ssl3_GatherCompleteHandshake().
+ * returns SECFailure on all other errors.
+ *
+ * The gather functions called by ssl_GatherRecord1stHandshake are expected 
+ * 	to return values interpreted as follows:
+ *  1 : the function completed without error.
+ *  0 : the function read EOF.
+ * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * -2 : the function wants ssl_GatherRecord1stHandshake to be called again 
+ *	immediately, by ssl_Do1stHandshake.
+ *
+ * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
+ *
+ * This function is called from ssl_Do1stHandshake().  
+ * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
+ *	ssl2_HandleMessage
+ *	ssl2_HandleVerifyMessage
+ *	ssl2_HandleServerHelloMessage
+ *	ssl2_BeginClientHandshake	
+ *	ssl2_HandleClientSessionKeyMessage
+ *	ssl2_RestartHandshakeAfterCertReq 
+ *	ssl3_RestartHandshakeAfterCertReq 
+ *	ssl2_RestartHandshakeAfterServerCert 
+ *	ssl3_RestartHandshakeAfterServerCert 
+ *	ssl2_HandleClientHelloMessage
+ *	ssl2_BeginServerHandshake
+ */
+SECStatus
+ssl_GatherRecord1stHandshake(sslSocket *ss)
+{
+    int rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetRecvBufLock(ss);
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	/* Wait for handshake to complete, or application data to arrive.  */
+	rv = ssl3_GatherCompleteHandshake(ss, 0);
+    } else {
+	/* See if we have a complete record */
+	rv = ssl2_GatherRecord(ss, 0);
+    }
+    SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
+		 SSL_GETPID(), ss->fd, rv));
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (rv <= 0) {
+	if (rv == SECWouldBlock) {
+	    /* Progress is blocked waiting for callback completion.  */
+	    SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
+			 SSL_GETPID(), ss->fd, ss->gs.remainder));
+	    return SECWouldBlock;
+	}
+	if (rv == 0) {
+	    /* EOF. Loser  */
+	    PORT_SetError(PR_END_OF_FILE_ERROR);
+	}
+	return SECFailure;	/* rv is < 0 here. */
+    }
+
+    SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
+
+    ss->handshake = 0;	/* makes ssl_Do1stHandshake call ss->nextHandshake.*/
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+/* Called from ssl2_ServerSetupSessionCypher()
+ *             ssl2_ClientSetupSessionCypher()
+ */
+static SECStatus
+ssl2_FillInSID(sslSessionID * sid, 
+          int            cipher,
+	  PRUint8       *keyData, 
+	  int            keyLen,
+	  PRUint8       *ca, 
+	  int            caLen,
+	  int            keyBits, 
+	  int            secretKeyBits,
+	  SSLSignType    authAlgorithm,
+	  PRUint32       authKeyBits,
+	  SSLKEAType     keaType,
+	  PRUint32       keaKeyBits)
+{
+    PORT_Assert(sid->references == 1);
+    PORT_Assert(sid->cached == never_cached);
+    PORT_Assert(sid->u.ssl2.masterKey.data == 0);
+    PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
+
+    sid->version = SSL_LIBRARY_VERSION_2;
+
+    sid->u.ssl2.cipherType = cipher;
+    sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
+    if (!sid->u.ssl2.masterKey.data) {
+	return SECFailure;
+    }
+    PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
+    sid->u.ssl2.masterKey.len = keyLen;
+    sid->u.ssl2.keyBits       = keyBits;
+    sid->u.ssl2.secretKeyBits = secretKeyBits;
+    sid->authAlgorithm        = authAlgorithm;
+    sid->authKeyBits          = authKeyBits;
+    sid->keaType              = keaType;
+    sid->keaKeyBits           = keaKeyBits;
+    sid->lastAccessTime = sid->creationTime = ssl_Time();
+    sid->expirationTime = sid->creationTime + ssl_sid_timeout;
+
+    if (caLen) {
+	sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
+	if (!sid->u.ssl2.cipherArg.data) {
+	    return SECFailure;
+	}
+	sid->u.ssl2.cipherArg.len = caLen;
+	PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
+    }
+    return SECSuccess;
+}
+
+/*
+** Construct session keys given the masterKey (tied to the session-id),
+** the client's challenge and the server's nonce.
+**
+** Called from ssl2_CreateSessionCypher() <-
+*/
+static SECStatus
+ssl2_ProduceKeys(sslSocket *    ss, 
+            SECItem *      readKey, 
+	    SECItem *      writeKey,
+	    SECItem *      masterKey, 
+	    PRUint8 *      challenge,
+	    PRUint8 *      nonce, 
+	    int            cipherType)
+{
+    PK11Context * cx        = 0;
+    unsigned      nkm       = 0; /* number of hashes to generate key mat. */
+    unsigned      nkd       = 0; /* size of readKey and writeKey. */
+    unsigned      part;
+    unsigned      i;
+    unsigned      off;
+    SECStatus     rv;
+    PRUint8       countChar;
+    PRUint8       km[3*16];	/* buffer for key material. */
+
+    readKey->data = 0;
+    writeKey->data = 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    rv = SECSuccess;
+    cx = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (cx == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	return SECFailure;
+    }
+
+    nkm = ssl_Specs[cipherType].nkm;
+    nkd = ssl_Specs[cipherType].nkd;
+
+    readKey->data = (PRUint8*) PORT_Alloc(nkd);
+    if (!readKey->data) 
+    	goto loser;
+    readKey->len = nkd;
+
+    writeKey->data = (PRUint8*) PORT_Alloc(nkd);
+    if (!writeKey->data) 
+    	goto loser;
+    writeKey->len = nkd;
+
+    /* Produce key material */
+    countChar = '0';
+    for (i = 0, off = 0; i < nkm; i++, off += 16) {
+	rv  = PK11_DigestBegin(cx);
+	rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
+	rv |= PK11_DigestOp(cx, &countChar,      1);
+	rv |= PK11_DigestOp(cx, challenge,       SSL_CHALLENGE_BYTES);
+	rv |= PK11_DigestOp(cx, nonce,           SSL_CONNECTIONID_BYTES);
+	rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+	countChar++;
+    }
+
+    /* Produce keys */
+    PORT_Memcpy(readKey->data,  km,       nkd);
+    PORT_Memcpy(writeKey->data, km + nkd, nkd);
+
+loser:
+    PK11_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+/* Called from ssl2_ServerSetupSessionCypher() 
+**                  <- ssl2_HandleClientSessionKeyMessage()
+**                          <- ssl2_HandleClientHelloMessage()
+** and from    ssl2_ClientSetupSessionCypher() 
+**                  <- ssl2_HandleServerHelloMessage()
+*/
+static SECStatus
+ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
+{
+    SECItem         * rk = NULL;
+    SECItem         * wk = NULL;
+    SECItem *         param;
+    SECStatus         rv;
+    int               cipherType  = sid->u.ssl2.cipherType;
+    PK11SlotInfo *    slot        = NULL;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem           readKey;
+    SECItem           writeKey;
+
+    void *readcx = 0;
+    void *writecx = 0;
+    readKey.data = 0;
+    writeKey.data = 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    if((ss->sec.ci.sid == 0))
+    	goto sec_loser;	/* don't crash if asserts are off */
+
+    /* Trying to cut down on all these switch statements that should be tables.
+     * So, test cipherType once, here, and then use tables below. 
+     */
+    switch (cipherType) {
+    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+    case SSL_CK_RC4_128_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_WITH_MD5:
+    case SSL_CK_DES_64_CBC_WITH_MD5:
+    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	break;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
+		 SSL_GETPID(), ss->fd, cipherType));
+	PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
+	goto sec_loser;
+    }
+ 
+    rk = isClient ? &readKey  : &writeKey;
+    wk = isClient ? &writeKey : &readKey;
+
+    /* Produce the keys for this session */
+    rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
+		     ss->sec.ci.clientChallenge, ss->sec.ci.connectionID,
+		     cipherType);
+    if (rv != SECSuccess) 
+	goto loser;
+    PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
+    PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
+
+    PORT_Memcpy(ss->sec.ci.readKey, readKey.data, readKey.len);
+    PORT_Memcpy(ss->sec.ci.writeKey, writeKey.data, writeKey.len);
+    ss->sec.ci.keySize = readKey.len;
+
+    /* Setup the MAC */
+    rv = ssl2_CreateMAC(&ss->sec, rk, wk, cipherType);
+    if (rv != SECSuccess) 
+    	goto loser;
+
+    /* First create the session key object */
+    SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
+	    ssl_cipherName[cipherType]));
+
+
+    mechanism  = ssl_Specs[cipherType].mechanism;
+
+    /* set destructer before we call loser... */
+    ss->sec.destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
+    slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
+    if (slot == NULL)
+	goto loser;
+
+    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
+    if (param == NULL)
+	goto loser;
+    readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
+					CKA_DECRYPT, rk, param,
+					ss->pkcs11PinArg);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (readcx == NULL)
+	goto loser;
+
+    /* build the client context */
+    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
+    if (param == NULL)
+	goto loser;
+    writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
+					 CKA_ENCRYPT, wk, param,
+					 ss->pkcs11PinArg);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (writecx == NULL)
+	goto loser;
+    PK11_FreeSlot(slot);
+
+    rv = SECSuccess;
+    ss->sec.enc           = (SSLCipher) PK11_CipherOp;
+    ss->sec.dec           = (SSLCipher) PK11_CipherOp;
+    ss->sec.readcx        = (void *) readcx;
+    ss->sec.writecx       = (void *) writecx;
+    ss->sec.blockSize     = ssl_Specs[cipherType].blockSize;
+    ss->sec.blockShift    = ssl_Specs[cipherType].blockShift;
+    ss->sec.cipherType    = sid->u.ssl2.cipherType;
+    ss->sec.keyBits       = sid->u.ssl2.keyBits;
+    ss->sec.secretKeyBits = sid->u.ssl2.secretKeyBits;
+    goto done;
+
+  loser:
+    if (ss->sec.destroy) {
+	if (readcx)  (*ss->sec.destroy)(readcx, PR_TRUE);
+	if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
+    }
+    ss->sec.destroy = NULL;
+    if (slot) PK11_FreeSlot(slot);
+
+  sec_loser:
+    rv = SECFailure;
+
+  done:
+    if (rk) {
+	SECITEM_ZfreeItem(rk, PR_FALSE);
+    }
+    if (wk) {
+	SECITEM_ZfreeItem(wk, PR_FALSE);
+    }
+    return rv;
+}
+
+/*
+** Setup the server ciphers given information from a CLIENT-MASTER-KEY
+** message.
+** 	"ss"      pointer to the ssl-socket object
+** 	"cipher"  the cipher type to use
+** 	"keyBits" the size of the final cipher key
+** 	"ck"      the clear-key data
+** 	"ckLen"   the number of bytes of clear-key data
+** 	"ek"      the encrypted-key data
+** 	"ekLen"   the number of bytes of encrypted-key data
+** 	"ca"      the cipher-arg data
+** 	"caLen"   the number of bytes of cipher-arg data
+**
+** The MASTER-KEY is constructed by first decrypting the encrypted-key
+** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
+** concatenating the clear-key data with the SECRET-KEY-DATA. This code
+** checks to make sure that the client didn't send us an improper amount
+** of SECRET-KEY-DATA (it restricts the length of that data to match the
+** spec).
+**
+** Called from ssl2_HandleClientSessionKeyMessage().
+*/
+static SECStatus
+ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
+			 PRUint8 *ck, unsigned int ckLen,
+			 PRUint8 *ek, unsigned int ekLen,
+			 PRUint8 *ca, unsigned int caLen)
+{
+    PRUint8      *    dk   = NULL; /* decrypted master key */
+    sslSessionID *    sid;
+    sslServerCerts *  sc   = ss->serverCerts + kt_rsa;
+    PRUint8       *   kbuf = 0;	/* buffer for RSA decrypted data. */
+    unsigned int      ddLen;	/* length of RSA decrypted data in kbuf */
+    unsigned int      keySize;
+    unsigned int      dkLen;    /* decrypted key length in bytes */
+    int               modulusLen;
+    SECStatus         rv;
+    PRUint16          allowed;  /* cipher kinds enabled and allowed by policy */
+    PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert((sc->SERVERKEY != 0));
+    PORT_Assert((ss->sec.ci.sid != 0));
+    sid = ss->sec.ci.sid;
+
+    /* Trying to cut down on all these switch statements that should be tables.
+     * So, test cipherType once, here, and then use tables below. 
+     */
+    switch (cipher) {
+    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+    case SSL_CK_RC4_128_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_WITH_MD5:
+    case SSL_CK_DES_64_CBC_WITH_MD5:
+    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	break;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
+		 SSL_GETPID(), ss->fd, cipher));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED;
+    if (!(allowed & (1 << cipher))) {
+    	/* client chose a kind we don't allow! */
+	SSL_DBG(("%d: SSL[%d]: disallowed cipher=%d",
+		 SSL_GETPID(), ss->fd, cipher));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    keySize = ssl_Specs[cipher].keyLen;
+    if (keyBits != keySize * BPB) {
+	SSL_DBG(("%d: SSL[%d]: invalid master secret key length=%d (bits)!",
+		 SSL_GETPID(), ss->fd, keyBits));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    if (ckLen != ssl_Specs[cipher].pubLen) {
+	SSL_DBG(("%d: SSL[%d]: invalid clear key length, ckLen=%d (bytes)!",
+		 SSL_GETPID(), ss->fd, ckLen));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    if (caLen != ssl_Specs[cipher].ivLen) {
+	SSL_DBG(("%d: SSL[%d]: invalid key args length, caLen=%d (bytes)!",
+		 SSL_GETPID(), ss->fd, caLen));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    modulusLen = PK11_GetPrivateModulusLen(sc->SERVERKEY);
+    if (modulusLen == -1) {
+	/* XXX If the key is bad, then PK11_PubDecryptRaw will fail below. */
+	modulusLen = ekLen;
+    }
+    if (ekLen > modulusLen || ekLen + ckLen < keySize) {
+	SSL_DBG(("%d: SSL[%d]: invalid encrypted key length, ekLen=%d (bytes)!",
+		 SSL_GETPID(), ss->fd, ekLen));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    /* allocate the buffer to hold the decrypted portion of the key. */
+    kbuf = (PRUint8*)PORT_Alloc(modulusLen);
+    if (!kbuf) {
+	goto loser;
+    }
+    dkLen = keySize - ckLen;
+    dk    = kbuf + modulusLen - dkLen;
+
+    /* Decrypt encrypted half of the key. 
+    ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
+    ** desired behavior here.
+    */
+    rv = PK11_PubDecryptRaw(sc->SERVERKEY, kbuf, &ddLen, modulusLen, ek, ekLen);
+    if (rv != SECSuccess) 
+	goto hide_loser;
+
+    /* Is the length of the decrypted data (ddLen) the expected value? */
+    if (modulusLen != ddLen) 
+	goto hide_loser;
+
+    /* Cheaply verify that PKCS#1 was used to format the encryption block */
+    if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (dk[-1] != 0x00)) {
+	SSL_DBG(("%d: SSL[%d]: strange encryption block",
+		 SSL_GETPID(), ss->fd));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto hide_loser;
+    }
+
+    /* Make sure we're not subject to a version rollback attack. */
+    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
+	static const PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
+			                   0x03, 0x03, 0x03, 0x03 };
+	
+	if (PORT_Memcmp(dk - 8 - 1, threes, 8) == 0) {
+	    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	    goto hide_loser;
+	}
+    }
+    if (0) {
+hide_loser:
+	/* Defense against the Bleichenbacher attack.
+	 * Provide the client with NO CLUES that the decrypted master key
+	 * was erroneous.  Don't send any error messages.
+	 * Instead, Generate a completely bogus master key .
+	 */
+	PK11_GenerateRandom(dk, dkLen);
+    }
+
+    /*
+    ** Construct master key out of the pieces.
+    */
+    if (ckLen) {
+	PORT_Memcpy(mkbuf, ck, ckLen);
+    }
+    PORT_Memcpy(mkbuf + ckLen, dk, dkLen);
+
+    /* Fill in session-id */
+    rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
+		   keyBits, keyBits - (ckLen<<3),
+		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
+		   ss->sec.keaType,       ss->sec.keaKeyBits);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Create session ciphers */
+    rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
+		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
+		ckLen<<3, keySize<<3));
+    rv = SECSuccess;
+    goto done;
+
+  loser:
+    rv = SECFailure;
+
+  done:
+    PORT_Free(kbuf);
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Rewrite the incoming cipher specs, comparing to list of specs we support,
+** (ss->cipherSpecs) and eliminating anything we don't support
+**
+*  Note: Our list may contain SSL v3 ciphers.  
+*  We MUST NOT match on any of those.  
+*  Fortunately, this is easy to detect because SSLv3 ciphers have zero
+*  in the first byte, and none of the SSLv2 ciphers do.
+*
+*  Called from ssl2_HandleClientHelloMessage().
+*  Returns the number of bytes of "qualified cipher specs", 
+*  which is typically a multiple of 3, but will be zero if there are none.
+*/
+static int
+ssl2_QualifyCypherSpecs(sslSocket *ss, 
+                        PRUint8 *  cs, /* cipher specs in client hello msg. */
+		        int        csLen)
+{
+    PRUint8 *    ms;
+    PRUint8 *    hs;
+    PRUint8 *    qs;
+    int          mc;
+    int          hc;
+    PRUint8      qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
+
+    if (!ss->cipherSpecs) {
+	SECStatus rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess || !ss->cipherSpecs) 
+	    return 0;
+    }
+
+    PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
+    qs = qualifiedSpecs;
+    ms = ss->cipherSpecs;
+    for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
+	if (ms[0] == 0)
+	    continue;
+	for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
+	    if ((hs[0] == ms[0]) &&
+		(hs[1] == ms[1]) &&
+		(hs[2] == ms[2])) {
+		/* Copy this cipher spec into the "keep" section */
+		qs[0] = hs[0];
+		qs[1] = hs[1];
+		qs[2] = hs[2];
+		qs   += 3;
+		break;
+	    }
+	}
+    }
+    hc = qs - qualifiedSpecs;
+    PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
+    PORT_Memcpy(cs, qualifiedSpecs, hc);
+    return hc;
+}
+
+/*
+** Pick the best cipher we can find, given the array of server cipher
+** specs.  Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
+** If succesful, stores the master key size (bytes) in *pKeyLen.
+**
+** This is correct only for the client side, but presently
+** this function is only called from 
+**	ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
+**
+** Note that most servers only return a single cipher suite in their 
+** ServerHello messages.  So, the code below for finding the "best" cipher
+** suite usually has only one choice.  The client and server should send 
+** their cipher suite lists sorted in descending order by preference.
+*/
+static int
+ssl2_ChooseSessionCypher(sslSocket *ss, 
+                         int        hc,    /* number of cs's in hs. */
+		         PRUint8 *  hs,    /* server hello's cipher suites. */
+		         int *      pKeyLen) /* out: sym key size in bytes. */
+{
+    PRUint8 *       ms;
+    unsigned int    i;
+    int             bestKeySize;
+    int             bestRealKeySize;
+    int             bestCypher;
+    int             keySize;
+    int             realKeySize;
+    PRUint8 *       ohs               = hs;
+    const PRUint8 * preferred;
+    static const PRUint8 noneSuch[3] = { 0, 0, 0 };
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
+
+    if (!ss->cipherSpecs) {
+	SECStatus rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess || !ss->cipherSpecs) 
+	    goto loser;
+    }
+
+    if (!ss->preferredCipher) {
+    	unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference &
+	                       SSL_CB_IMPLEMENTED;
+	if (allowed) {
+	    preferred = implementedCipherSuites;
+	    for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
+		if (0 != (allowed & (1U << preferred[0]))) {
+		    ss->preferredCipher = preferred;
+		    break;
+		}
+		preferred += 3;
+	    }
+	}
+    }
+    preferred = ss->preferredCipher ? ss->preferredCipher : noneSuch;
+    /*
+    ** Scan list of ciphers recieved from peer and look for a match in
+    ** our list.  
+    *  Note: Our list may contain SSL v3 ciphers.  
+    *  We MUST NOT match on any of those.  
+    *  Fortunately, this is easy to detect because SSLv3 ciphers have zero
+    *  in the first byte, and none of the SSLv2 ciphers do.
+    */
+    bestKeySize = bestRealKeySize = 0;
+    bestCypher = -1;
+    while (--hc >= 0) {
+	for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
+	    if ((hs[0] == preferred[0]) &&
+		(hs[1] == preferred[1]) &&
+		(hs[2] == preferred[2]) &&
+		 hs[0] != 0) {
+		/* Pick this cipher immediately! */
+		*pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
+		return hs[0];
+	    }
+	    if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
+	         hs[0] != 0) {
+		/* Found a match */
+
+		/* Use secret keySize to determine which cipher is best */
+		realKeySize = (hs[1] << 8) | hs[2];
+		switch (hs[0]) {
+		  case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+		  case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+		    keySize = 40;
+		    break;
+		  default:
+		    keySize = realKeySize;
+		    break;
+		}
+		if (keySize > bestKeySize) {
+		    bestCypher = hs[0];
+		    bestKeySize = keySize;
+		    bestRealKeySize = realKeySize;
+		}
+	    }
+	}
+	hs += 3;
+    }
+    if (bestCypher < 0) {
+	/*
+	** No overlap between server and client. Re-examine server list
+	** to see what kind of ciphers it does support so that we can set
+	** the error code appropriately.
+	*/
+	if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
+	    (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
+	    PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
+	} else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
+		   (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
+	    PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
+	} else {
+	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	}
+	SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
+	goto loser;
+    }
+    *pKeyLen = (bestRealKeySize + 7) >> 3;
+    return bestCypher;
+
+  loser:
+    return -1;
+}
+
+static SECStatus
+ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
+{
+    CERTCertificate *cert      = NULL;
+    SECItem          certItem;
+
+    certItem.data = certData;
+    certItem.len  = certLen;
+
+    /* decode the certificate */
+    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+				   PR_FALSE, PR_TRUE);
+    
+    if (cert == NULL) {
+	SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
+		 SSL_GETPID(), ss->fd));
+	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+	return SECFailure;
+    }
+
+#ifdef TRACE
+    {
+	if (ssl_trace >= 1) {
+	    char *issuer;
+	    char *subject;
+	    issuer = CERT_NameToAscii(&cert->issuer);
+	    subject = CERT_NameToAscii(&cert->subject);
+	    SSL_TRC(1,("%d: server certificate issuer: '%s'",
+		       SSL_GETPID(), issuer ? issuer : "OOPS"));
+	    SSL_TRC(1,("%d: server name: '%s'",
+		       SSL_GETPID(), subject ? subject : "OOPS"));
+	    PORT_Free(issuer);
+	    PORT_Free(subject);
+	}
+    }
+#endif
+
+    ss->sec.peerCert = cert;
+    return SECSuccess;
+}
+
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1. SSL2 does this itself to handle the
+ * rollback detection.
+ */
+#define RSA_BLOCK_MIN_PAD_LEN           8
+#define RSA_BLOCK_FIRST_OCTET           0x00
+#define RSA_BLOCK_AFTER_PAD_OCTET       0x00
+#define RSA_BLOCK_PUBLIC_OCTET       	0x02
+unsigned char *
+ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    SECStatus rv;
+    int i;
+
+    if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+    	return NULL;
+    }
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+	return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = RSA_BLOCK_PUBLIC_OCTET;
+
+    /*
+     * 0x00 || BT || Pad || 0x00 || ActualData
+     *   1      1   padLen    1      data->len
+     * Pad is all non-zero random bytes.
+     */
+    padLen = modulusLen - data->len - 3;
+    PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+    rv = PK11_GenerateRandom(bp, padLen);
+    if (rv == SECFailure) goto loser;
+    /* replace all the 'zero' bytes */
+    for (i = 0; i < padLen; i++) {
+	while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+    	    rv = PK11_GenerateRandom(bp+i, 1);
+	    if (rv == SECFailure) goto loser;
+	}
+    }
+    bp += padLen;
+    *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+    PORT_Memcpy (bp, data->data, data->len);
+
+    return block;
+loser:
+    if (block) PORT_Free(block);
+    return NULL;
+}
+
+/*
+** Given the server's public key and cipher specs, generate a session key
+** that is ready to use for encrypting/decrypting the byte stream. At
+** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
+** send it to the server.
+**
+** Called from ssl2_HandleServerHelloMessage()
+*/
+static SECStatus
+ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
+{
+    sslSessionID *    sid;
+    PRUint8 *         ca;	/* points to iv data, or NULL if none. */
+    PRUint8 *         ekbuf 		= 0;
+    CERTCertificate * cert 		= 0;
+    SECKEYPublicKey * serverKey 	= 0;
+    unsigned          modulusLen 	= 0;
+    SECStatus         rv;
+    int               cipher;
+    int               keyLen;	/* cipher symkey size in bytes. */
+    int               ckLen;	/* publicly reveal this many bytes of key. */
+    int               caLen;	/* length of IV data at *ca.	*/
+    int               nc;
+
+    unsigned char *eblock;	/* holds unencrypted PKCS#1 formatted key. */
+    SECItem           rek;	/* holds portion of symkey to be encrypted. */
+
+    PRUint8           keyData[SSL_MAX_MASTER_KEY_BYTES];
+    PRUint8           iv     [8];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    eblock = NULL;
+
+    sid = ss->sec.ci.sid;
+    PORT_Assert(sid != 0);
+
+    cert = ss->sec.peerCert;
+    
+    serverKey = CERT_ExtractPublicKey(cert);
+    if (!serverKey) {
+	SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
+		 SSL_GETPID(), ss->fd, PORT_GetError()));
+	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+	rv = SECFailure;
+	goto loser2;
+    }
+
+    ss->sec.authAlgorithm = ssl_sign_rsa;
+    ss->sec.keaType       = ssl_kea_rsa;
+    ss->sec.keaKeyBits    = \
+    ss->sec.authKeyBits   = SECKEY_PublicKeyStrengthInBits(serverKey);
+
+    /* Choose a compatible cipher with the server */
+    nc = csLen / 3;
+    cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
+    if (cipher < 0) {
+	/* ssl2_ChooseSessionCypher has set error code. */
+	ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
+	goto loser;
+    }
+
+    /* Generate the random keys */
+    PK11_GenerateRandom(keyData, sizeof(keyData));
+
+    /*
+    ** Next, carve up the keys into clear and encrypted portions. The
+    ** clear data is taken from the start of keyData and the encrypted
+    ** portion from the remainder. Note that each of these portions is
+    ** carved in half, one half for the read-key and one for the
+    ** write-key.
+    */
+    ca = 0;
+
+    /* We know that cipher is a legit value here, because 
+     * ssl2_ChooseSessionCypher doesn't return bogus values.
+     */
+    ckLen = ssl_Specs[cipher].pubLen;	/* cleartext key length. */
+    caLen = ssl_Specs[cipher].ivLen;	/* IV length.		*/
+    if (caLen) {
+	PORT_Assert(sizeof iv >= caLen);
+    	PK11_GenerateRandom(iv, caLen);
+	ca = iv;
+    }
+
+    /* Fill in session-id */
+    rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
+		   ca, caLen, keyLen << 3, (keyLen - ckLen) << 3,
+		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
+		   ss->sec.keaType,       ss->sec.keaKeyBits);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
+		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
+		ckLen<<3, keyLen<<3));
+
+    /* Now setup read and write ciphers */
+    rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /*
+    ** Fill in the encryption buffer with some random bytes. Then 
+    ** copy in the portion of the session key we are encrypting.
+    */
+    modulusLen = SECKEY_PublicKeyStrength(serverKey);
+    rek.data   = keyData + ckLen;
+    rek.len    = keyLen  - ckLen;
+    eblock = ssl_FormatSSL2Block(modulusLen, &rek);
+    if (eblock == NULL) 
+    	goto loser;
+
+    /* Set up the padding for version 2 rollback detection. */
+    /* XXX We should really use defines here */
+    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
+	PORT_Assert((modulusLen - rek.len) > 12);
+	PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
+    }
+    ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
+    if (!ekbuf) 
+	goto loser;
+    PRINT_BUF(10, (ss, "master key encryption block:",
+		   eblock, modulusLen));
+
+    /* Encrypt ekitem */
+    rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock, modulusLen,
+						ss->pkcs11PinArg);
+    if (rv) 
+    	goto loser;
+
+    /*  Now we have everything ready to send */
+    rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
+			       keyData, ckLen, ekbuf, modulusLen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECSuccess;
+    goto done;
+
+  loser:
+    rv = SECFailure;
+
+  loser2:
+  done:
+    PORT_Memset(keyData, 0, sizeof(keyData));
+    PORT_ZFree(ekbuf, modulusLen);
+    PORT_ZFree(eblock, modulusLen);
+    SECKEY_DestroyPublicKey(serverKey);
+    return rv;
+}
+
+/************************************************************************/
+
+/* 
+ * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
+ * Caller holds recvBufLock and handshakeLock
+ */
+static void
+ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
+{
+    sslSessionID *sid = ss->sec.ci.sid;
+
+    /* Record entry in nonce cache */
+    if (sid->peerCert == NULL) {
+	PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
+	sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+    }
+    if (!ss->opt.noCache)
+	(*ss->sec.cache)(sid);
+}
+
+/* Called from ssl2_HandleMessage() */
+static SECStatus
+ssl2_TriggerNextMessage(sslSocket *ss)
+{
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
+	!(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
+	ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
+	rv = ssl2_SendCertificateRequestMessage(ss);
+	return rv;
+    }
+    return SECSuccess;
+}
+
+/* See if it's time to send our finished message, or if the handshakes are
+** complete.  Send finished message if appropriate.
+** Returns SECSuccess unless anything goes wrong.
+**
+** Called from ssl2_HandleMessage,
+**             ssl2_HandleVerifyMessage 
+**             ssl2_HandleServerHelloMessage
+**             ssl2_HandleClientSessionKeyMessage
+**             ssl2_RestartHandshakeAfterCertReq
+**             ssl2_RestartHandshakeAfterServerCert
+*/
+static SECStatus
+ssl2_TryToFinish(sslSocket *ss)
+{
+    SECStatus        rv;
+    char             e, ef;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    e = ss->sec.ci.elements;
+    ef = e | CIS_HAVE_FINISHED;
+    if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
+	if (ss->sec.isServer) {
+	    /* Send server finished message if we already didn't */
+	    rv = ssl2_SendServerFinishedMessage(ss);
+	} else {
+	    /* Send client finished message if we already didn't */
+	    rv = ssl2_SendClientFinishedMessage(ss);
+	}
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+	if ((e & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
+	    /* Totally finished */
+	    ss->handshake = 0;
+	    return SECSuccess;
+	}
+    }
+    return SECSuccess;
+}
+
+/*
+** Called from ssl2_HandleRequestCertificate
+**             ssl2_RestartHandshakeAfterCertReq
+*/
+static SECStatus
+ssl2_SignResponse(sslSocket *ss,
+	     SECKEYPrivateKey *key,
+	     SECItem *response)
+{
+    SGNContext *     sgn = NULL;
+    PRUint8 *        challenge;
+    unsigned int     len;
+    SECStatus        rv		= SECFailure;
+    
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    challenge = ss->sec.ci.serverChallenge;
+    len = ss->sec.ci.serverChallengeLen;
+    
+    /* Sign the expected data... */
+    sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
+    if (!sgn) 
+    	goto done;
+    rv = SGN_Begin(sgn);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.ci.readKey, ss->sec.ci.keySize);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.ci.writeKey, ss->sec.ci.keySize);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, challenge, len);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.peerCert->derCert.data, 
+                         ss->sec.peerCert->derCert.len);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_End(sgn, response);
+    if (rv != SECSuccess) 
+    	goto done;
+
+done:
+    SGN_DestroyContext(sgn, PR_TRUE);
+    return rv == SECSuccess ? SECSuccess : SECFailure;
+}
+
+/*
+** Try to handle a request-certificate message. Get client's certificate
+** and private key and sign a message for the server to see.
+** Caller must hold handshakeLock 
+**
+** Called from ssl2_HandleMessage().
+*/
+static int
+ssl2_HandleRequestCertificate(sslSocket *ss)
+{
+    CERTCertificate * cert	= NULL;	/* app-selected client cert. */
+    SECKEYPrivateKey *key	= NULL;	/* priv key for cert. */
+    SECStatus         rv;
+    SECItem           response;
+    int               ret	= 0;
+    PRUint8           authType;
+
+
+    /*
+     * These things all need to be initialized before we can "goto loser".
+     */
+    response.data = NULL;
+
+    /* get challenge info from connectionInfo */
+    authType = ss->sec.ci.authType;
+
+    if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
+	SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
+		    ss->fd, authType));
+	goto no_cert_error;
+    }
+
+    /* Get certificate and private-key from client */
+    if (!ss->getClientAuthData) {
+	SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
+		    SSL_GETPID(), ss->fd));
+	goto no_cert_error;
+    }
+    ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
+				   NULL, &cert, &key);
+    if ( ret == SECWouldBlock ) {
+	ssl_SetAlwaysBlock(ss);
+	goto done;
+    }
+
+    if (ret) {
+	goto no_cert_error;
+    }
+
+    /* check what the callback function returned */
+    if ((!cert) || (!key)) {
+        /* we are missing either the key or cert */
+        if (cert) {
+            /* got a cert, but no key - free it */
+            CERT_DestroyCertificate(cert);
+            cert = NULL;
+        }
+        if (key) {
+            /* got a key, but no cert - free it */
+            SECKEY_DestroyPrivateKey(key);
+            key = NULL;
+        }
+        goto no_cert_error;
+    }
+
+    rv = ssl2_SignResponse(ss, key, &response);
+    if ( rv != SECSuccess ) {
+	ret = -1;
+	goto loser;
+    }
+
+    /* Send response message */
+    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
+
+    /* Now, remember the cert we sent. But first, forget any previous one. */
+    if (ss->sec.localCert) {
+	CERT_DestroyCertificate(ss->sec.localCert);
+    }
+    ss->sec.localCert = CERT_DupCertificate(cert);
+    PORT_Assert(!ss->sec.ci.sid->localCert);
+    if (ss->sec.ci.sid->localCert) {
+	CERT_DestroyCertificate(ss->sec.ci.sid->localCert);
+    }
+    ss->sec.ci.sid->localCert = cert;
+    cert = NULL;
+
+    goto done;
+
+  no_cert_error:
+    SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
+		ss->fd, ret));
+    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
+
+  loser:
+  done:
+    if ( cert ) {
+	CERT_DestroyCertificate(cert);
+    }
+    if ( key ) {
+	SECKEY_DestroyPrivateKey(key);
+    }
+    if ( response.data ) {
+	PORT_Free(response.data);
+    }
+    
+    return ret;
+}
+
+/*
+** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
+** Caller must hold HandshakeLock and RecvBufLock, since cd and response
+** are contained in the gathered input data.
+*/
+static SECStatus
+ssl2_HandleClientCertificate(sslSocket *    ss, 
+                             PRUint8        certType,	/* XXX unused */
+			     PRUint8 *      cd, 
+			     unsigned int   cdLen,
+			     PRUint8 *      response,
+			     unsigned int   responseLen)
+{
+    CERTCertificate *cert	= NULL;
+    SECKEYPublicKey *pubKey	= NULL;
+    VFYContext *     vfy	= NULL;
+    SECItem *        derCert;
+    SECStatus        rv		= SECFailure;
+    SECItem          certItem;
+    SECItem          rep;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
+
+    /* Extract the certificate */
+    certItem.data = cd;
+    certItem.len  = cdLen;
+
+    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+			 	   PR_FALSE, PR_TRUE);
+    if (cert == NULL) {
+	goto loser;
+    }
+
+    /* save the certificate, since the auth routine will need it */
+    ss->sec.peerCert = cert;
+
+    /* Extract the public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if (!pubKey) 
+    	goto loser;
+    
+    /* Verify the response data... */
+    rep.data = response;
+    rep.len = responseLen;
+    /* SSL 2.0 only supports RSA certs, so we don't have to worry about
+     * DSA here. */
+    vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
+			    ss->pkcs11PinArg);
+    if (!vfy) 
+    	goto loser;
+    rv = VFY_Begin(vfy);
+    if (rv) 
+    	goto loser;
+
+    rv = VFY_Update(vfy, ss->sec.ci.readKey, ss->sec.ci.keySize);
+    if (rv) 
+    	goto loser;
+    rv = VFY_Update(vfy, ss->sec.ci.writeKey, ss->sec.ci.keySize);
+    if (rv) 
+    	goto loser;
+    rv = VFY_Update(vfy, ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+    if (rv) 
+    	goto loser;
+
+    derCert = &ss->serverCerts[kt_rsa].serverCert->derCert;
+    rv = VFY_Update(vfy, derCert->data, derCert->len);
+    if (rv) 
+    	goto loser;
+    rv = VFY_End(vfy);
+    if (rv) 
+    	goto loser;
+
+    /* Now ask the server application if it likes the certificate... */
+    rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
+					    ss->fd, PR_TRUE, PR_TRUE);
+    /* Hey, it liked it. */
+    if (SECSuccess == rv) 
+	goto done;
+
+loser:
+    ss->sec.peerCert = NULL;
+    CERT_DestroyCertificate(cert);
+
+done:
+    VFY_DestroyContext(vfy, PR_TRUE);
+    SECKEY_DestroyPublicKey(pubKey);
+    return rv;
+}
+
+/*
+** Handle remaining messages between client/server. Process finished
+** messages from either side and any authentication requests.
+** This should only be called for SSLv2 handshake messages, 
+** not for application data records.
+** Caller must hold handshake lock.
+**
+** Called from ssl_Do1stHandshake().
+** 
+*/
+static SECStatus
+ssl2_HandleMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    PRUint8 *        cid;
+    unsigned         len, certType, certLen, responseLen;
+    int              rv;
+    int              rv2;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+
+    if (ss->gs.recordLen < 1) {
+	goto bad_peer;
+    }
+    SSL_TRC(3, ("%d: SSL[%d]: received %d message",
+		SSL_GETPID(), ss->fd, data[0]));
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    switch (data[0]) {
+    case SSL_MT_CLIENT_FINISHED:
+	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
+	    SSL_DBG(("%d: SSL[%d]: dup client-finished message",
+		     SSL_GETPID(), ss->fd));
+	    goto bad_peer;
+	}
+
+	/* See if nonce matches */
+	len = ss->gs.recordLen - 1;
+	cid = data + 1;
+	if ((len != sizeof(ss->sec.ci.connectionID)) ||
+	    (PORT_Memcmp(ss->sec.ci.connectionID, cid, len) != 0)) {
+	    SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
+	    PRINT_BUF(5, (ss, "sent connection-id",
+			  ss->sec.ci.connectionID, 
+			  sizeof(ss->sec.ci.connectionID)));
+	    PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
+	    goto bad_peer;
+	}
+
+	SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
+		    SSL_GETPID(), ss->fd, 
+		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
+	break;
+
+    case SSL_MT_SERVER_FINISHED:
+	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
+	    SSL_DBG(("%d: SSL[%d]: dup server-finished message",
+		     SSL_GETPID(), ss->fd));
+	    goto bad_peer;
+	}
+
+	if (ss->gs.recordLen - 1 != SSL2_SESSIONID_BYTES) {
+	    SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
+		     SSL_GETPID(), ss->fd, ss->gs.recordLen));
+	    goto bad_peer;
+	}
+	ssl2_ClientRegSessionID(ss, data+1);
+	SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
+		    SSL_GETPID(), ss->fd, 
+		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
+	break;
+
+    case SSL_MT_REQUEST_CERTIFICATE:
+	len = ss->gs.recordLen - 2;
+	if ((len < SSL_MIN_CHALLENGE_BYTES) ||
+	    (len > SSL_MAX_CHALLENGE_BYTES)) {
+	    /* Bad challenge */
+	    SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
+		     SSL_GETPID(), ss->fd, len));
+	    goto bad_peer;
+	}
+	
+	/* save auth request info */
+	ss->sec.ci.authType           = data[1];
+	ss->sec.ci.serverChallengeLen = len;
+	PORT_Memcpy(ss->sec.ci.serverChallenge, data + 2, len);
+	
+	rv = ssl2_HandleRequestCertificate(ss);
+	if (rv == SECWouldBlock) {
+	    SSL_TRC(3, ("%d: SSL[%d]: async cert request",
+			SSL_GETPID(), ss->fd));
+	    /* someone is handling this asynchronously */
+	    ssl_ReleaseRecvBufLock(ss);
+	    return SECWouldBlock;
+	}
+	if (rv) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	break;
+
+    case SSL_MT_CLIENT_CERTIFICATE:
+	if (!ss->authCertificate) {
+	    /* Server asked for authentication and can't handle it */
+	    PORT_SetError(SSL_ERROR_BAD_SERVER);
+	    goto loser;
+	}
+	if (ss->gs.recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	certType    = data[1];
+	certLen     = (data[2] << 8) | data[3];
+	responseLen = (data[4] << 8) | data[5];
+	if (certType != SSL_CT_X509_CERTIFICATE) {
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+	    goto loser;
+	}
+	if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES 
+	    > ss->gs.recordLen) {
+	    /* prevent overflow crash. */
+	    rv = SECFailure;
+	} else
+	rv = ssl2_HandleClientCertificate(ss, data[1],
+		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
+		certLen,
+		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
+		responseLen);
+	if (rv) {
+	    rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
+	break;
+
+    case SSL_MT_ERROR:
+	rv = (data[1] << 8) | data[2];
+	SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
+		    SSL_GETPID(), ss->fd, rv));
+
+	/* Convert protocol error number into API error number */
+	switch (rv) {
+	  case SSL_PE_NO_CYPHERS:
+	    rv = SSL_ERROR_NO_CYPHER_OVERLAP;
+	    break;
+	  case SSL_PE_NO_CERTIFICATE:
+	    rv = SSL_ERROR_NO_CERTIFICATE;
+	    break;
+	  case SSL_PE_BAD_CERTIFICATE:
+	    rv = SSL_ERROR_BAD_CERTIFICATE;
+	    break;
+	  case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
+	    rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
+	    break;
+	  default:
+	    goto bad_peer;
+	}
+	/* XXX make certificate-request optionally fail... */
+	PORT_SetError(rv);
+	goto loser;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: unknown message %d",
+		 SSL_GETPID(), ss->fd, data[0]));
+	goto loser;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
+		SSL_GETPID(), ss->fd, data[0],
+		ss->sec.ci.requiredElements, ss->sec.ci.elements));
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleMessage;
+    return ssl2_TriggerNextMessage(ss);
+
+  bad_peer:
+    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
+    /* FALL THROUGH */
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/************************************************************************/
+
+/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or 
+** ssl2_RestartHandshakeAfterServerCert.
+*/
+static SECStatus
+ssl2_HandleVerifyMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    SECStatus        rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+    if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
+	(data[0] != SSL_MT_SERVER_VERIFY) ||
+	PORT_Memcmp(data+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES)) {
+	/* Bad server */
+	PORT_SetError(SSL_ERROR_BAD_SERVER);
+	goto loser;
+    }
+    ss->sec.ci.elements |= CIS_HAVE_VERIFY;
+
+    SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
+		ss->sec.ci.elements));
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+    ss->handshake         = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake     = ssl2_HandleMessage;
+    return SECSuccess;
+
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
+ * ICK! 
+ * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
+ */
+SECStatus
+ssl2_HandleServerHelloMessage(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    PRUint8 *        cert;
+    PRUint8 *        cs;
+    PRUint8 *        data;
+    SECStatus        rv; 
+    int              needed, sidHit, certLen, csLen, cidLen, certType, err;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    if (!ss->opt.enableSSL2) {
+	PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+	return SECFailure;
+    }
+
+    ssl_GetRecvBufLock(ss);
+
+    PORT_Assert(ss->sec.ci.sid != 0);
+    sid = ss->sec.ci.sid;
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    /* Make sure first message has some data and is the server hello message */
+    if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
+	|| (data[0] != SSL_MT_SERVER_HELLO)) {
+	if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
+	    err = (data[1] << 8) | data[2];
+	    if (err == SSL_PE_NO_CYPHERS) {
+		PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+		goto loser;
+	    }
+	}
+	goto bad_server;
+    }
+
+    sidHit      = data[1];
+    certType    = data[2];
+    ss->version = (data[3] << 8) | data[4];
+    certLen     = (data[5] << 8) | data[6];
+    csLen       = (data[7] << 8) | data[8];
+    cidLen      = (data[9] << 8) | data[10];
+    cert        = data + SSL_HL_SERVER_HELLO_HBYTES;
+    cs          = cert + certLen;
+
+    SSL_TRC(5,
+	    ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
+	     SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
+	     csLen, cidLen));
+    if (ss->version != SSL_LIBRARY_VERSION_2) {
+        if (ss->version < SSL_LIBRARY_VERSION_2) {
+	  SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
+		      SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
+		      ss->version));
+	} else {
+	  SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
+		    SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
+	  /* server claims to be newer but does not follow protocol */
+	  PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+	  goto loser;
+	}
+    }
+
+    if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen 
+                                                  > ss->gs.recordLen)
+	|| (csLen % 3) != 0   
+	/* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32  */
+	) {
+	goto bad_server;
+    }
+
+    /* Save connection-id.
+    ** This code only saves the first 16 byte of the connectionID.
+    ** If the connectionID is shorter than 16 bytes, it is zero-padded.
+    */
+    if (cidLen < sizeof ss->sec.ci.connectionID)
+	memset(ss->sec.ci.connectionID, 0, sizeof ss->sec.ci.connectionID);
+    cidLen = PR_MIN(cidLen, sizeof ss->sec.ci.connectionID);
+    PORT_Memcpy(ss->sec.ci.connectionID, cs + csLen, cidLen);
+
+    /* See if session-id hit */
+    needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
+    if (sidHit) {
+	if (certLen || csLen) {
+	    /* Uh oh - bogus server */
+	    SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
+		     SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
+	    goto bad_server;
+	}
+
+	/* Total winner. */
+	SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
+		    "port=0x%04x",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, ss->sec.ci.port));
+	ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+	rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	if (certType != SSL_CT_X509_CERTIFICATE) {
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+	    goto loser;
+	}
+	if (csLen == 0) {
+	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	    SSL_DBG(("%d: SSL[%d]: no cipher overlap",
+		     SSL_GETPID(), ss->fd));
+	    goto loser;
+	}
+	if (certLen == 0) {
+	    SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
+		     SSL_GETPID(), ss->fd, certLen, csLen));
+	    goto bad_server;
+	}
+
+	if (sid->cached != never_cached) {
+	    /* Forget our session-id - server didn't like it */
+	    SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
+			SSL_GETPID(), ss->fd));
+	    (*ss->sec.uncache)(sid);
+	    ssl_FreeSID(sid);
+	    ss->sec.ci.sid = sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	    if (!sid) {
+		goto loser;
+	    }
+	    sid->references = 1;
+	    sid->addr = ss->sec.ci.peer;
+	    sid->port = ss->sec.ci.port;
+	}
+
+	/* decode the server's certificate */
+	rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
+		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    }
+	    goto loser;
+	}
+
+	/* Setup new session cipher */
+	rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
+		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    }
+	    goto loser;
+	}
+    }
+
+    /* Build up final list of required elements */
+    ss->sec.ci.elements         = CIS_HAVE_MASTER_KEY;
+    ss->sec.ci.requiredElements = needed;
+
+  if (!sidHit) {
+    /* verify the server's certificate. if sidHit, don't check signatures */
+    rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd, 
+				 (PRBool)(!sidHit), PR_FALSE);
+    if (rv) {
+	if (ss->handleBadCert) {
+	    rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
+	    if ( rv ) {
+		if ( rv == SECWouldBlock ) {
+		    /* someone will handle this connection asynchronously*/
+
+		    SSL_DBG(("%d: SSL[%d]: go to async cert handler",
+			     SSL_GETPID(), ss->fd));
+		    ssl_ReleaseRecvBufLock(ss);
+		    ssl_SetAlwaysBlock(ss);
+		    return SECWouldBlock;
+		}
+		/* cert is bad */
+		SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+			 SSL_GETPID(), ss->fd, PORT_GetError()));
+		goto loser;
+
+	    }
+	    /* cert is good */
+	} else {
+	    SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+		     SSL_GETPID(), ss->fd, PORT_GetError()));
+	    goto loser;
+	}
+    }
+  }
+    /*
+    ** At this point we have a completed session key and our session
+    ** cipher is setup and ready to go. Switch to encrypted write routine
+    ** as all future message data is to be encrypted.
+    */
+    ssl2_UseEncryptedSendFunc(ss);
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements, 
+		ss->sec.ci.elements));
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleVerifyMessage;
+    return SECSuccess;
+
+  bad_server:
+    PORT_SetError(SSL_ERROR_BAD_SERVER);
+    /* FALL THROUGH */
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/* Sends out the initial client Hello message on the connection.
+ * Acquires and releases the socket's xmitBufLock.
+ */
+SECStatus
+ssl2_BeginClientHandshake(sslSocket *ss)
+{
+    sslSessionID      *sid;
+    PRUint8           *msg;
+    PRUint8           *cp;
+    PRUint8           *localCipherSpecs = NULL;
+    unsigned int      localCipherSize;
+    unsigned int      i;
+    int               sendLen, sidLen = 0;
+    SECStatus         rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    ss->sec.isServer     = 0;
+    ss->sec.sendSequence = 0;
+    ss->sec.rcvSequence  = 0;
+    ssl_ChooseSessionIDProcs(&ss->sec);
+
+    if (!ss->cipherSpecs) {
+	rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    rv = ssl2_CheckConfigSanity(ss);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* Get peer name of server */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv < 0) {
+#ifdef HPUX11
+        /*
+         * On some HP-UX B.11.00 systems, getpeername() occasionally
+         * fails with ENOTCONN after a successful completion of
+         * non-blocking connect.  I found that if we do a write()
+         * and then retry getpeername(), it will work.
+         */
+        if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
+            char dummy;
+            (void) PR_Write(ss->fd->lower, &dummy, 0);
+            rv = ssl_GetPeerInfo(ss);
+            if (rv < 0) {
+                goto loser;
+            }
+        }
+#else
+	goto loser;
+#endif
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
+
+    /* Try to find server in our session-id cache */
+    if (ss->opt.noCache) {
+	sid = NULL;
+    } else {
+	sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, 
+	                    ss->url);
+    }
+    while (sid) {  /* this isn't really a loop */
+	/* if we're not doing this SID's protocol any more, drop it. */
+	if (((sid->version  < SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL2) ||
+	    ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL3) ||
+	    ((sid->version >  SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableTLS)) {
+	    ss->sec.uncache(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	    break;
+	}
+	if (ss->opt.enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
+	    /* If the cipher in this sid is not enabled, drop it. */
+	    for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
+		if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
+		    break;
+	    }
+	    if (i >= ss->sizeCipherSpecs) {
+		ss->sec.uncache(sid);
+		ssl_FreeSID(sid);
+		sid = NULL;
+		break;
+	    }
+	}
+	sidLen = sizeof(sid->u.ssl2.sessionID);
+	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
+		      sidLen));
+	ss->version = sid->version;
+	PORT_Assert(!ss->sec.localCert);
+	if (ss->sec.localCert) {
+	    CERT_DestroyCertificate(ss->sec.localCert);
+	}
+	ss->sec.localCert     = CERT_DupCertificate(sid->localCert);
+	break;  /* this isn't really a loop */
+    } 
+    if (!sid) {
+	sidLen = 0;
+	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	if (!sid) {
+	    goto loser;
+	}
+	sid->references = 1;
+	sid->cached     = never_cached;
+	sid->addr       = ss->sec.ci.peer;
+	sid->port       = ss->sec.ci.port;
+	if (ss->peerID != NULL) {
+	    sid->peerID = PORT_Strdup(ss->peerID);
+	}
+	if (ss->url != NULL) {
+	    sid->urlSvrName = PORT_Strdup(ss->url);
+	}
+    }
+    ss->sec.ci.sid = sid;
+
+    PORT_Assert(sid != NULL);
+
+    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
+        (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
+
+	ss->gs.state      = GS_INIT;
+	ss->handshake     = ssl_GatherRecord1stHandshake;
+
+	/* ssl3_SendClientHello will override this if it succeeds. */
+	ss->version       = SSL_LIBRARY_VERSION_3_0;
+
+	ssl_GetXmitBufLock(ss);    /***************************************/
+	ssl_GetSSL3HandshakeLock(ss);
+	rv =  ssl3_SendClientHello(ss);
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_ReleaseXmitBufLock(ss); /***************************************/
+
+	return rv;
+    }
+#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+    /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
+    ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
+    if (ss->cipherSpecs != NULL) {
+	PORT_Free(ss->cipherSpecs);
+	ss->cipherSpecs     = NULL;
+	ss->sizeCipherSpecs = 0;
+    }
+#endif
+
+    if (!ss->cipherSpecs) {
+        rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv < 0) {
+	    return rv;
+    	}
+    }
+    localCipherSpecs = ss->cipherSpecs;
+    localCipherSize  = ss->sizeCipherSpecs;
+
+    sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + sidLen +
+	SSL_CHALLENGE_BYTES;
+
+    /* Generate challenge bytes for server */
+    PK11_GenerateRandom(ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv) 
+    	goto unlock_loser;
+
+    /* Construct client-hello message */
+    cp = msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_HELLO;
+    if ( ss->opt.enableTLS ) {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
+    } else if ( ss->opt.enableSSL3 ) {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
+    } else {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
+    }
+    
+    msg[1] = MSB(ss->clientHelloVersion);
+    msg[2] = LSB(ss->clientHelloVersion);
+    msg[3] = MSB(localCipherSize);
+    msg[4] = LSB(localCipherSize);
+    msg[5] = MSB(sidLen);
+    msg[6] = LSB(sidLen);
+    msg[7] = MSB(SSL_CHALLENGE_BYTES);
+    msg[8] = LSB(SSL_CHALLENGE_BYTES);
+    cp += SSL_HL_CLIENT_HELLO_HBYTES;
+    PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
+    cp += localCipherSize;
+    if (sidLen) {
+	PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
+	cp += sidLen;
+    }
+    PORT_Memcpy(cp, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    /* Send it to the server */
+    DUMP_MSG(29, (ss, msg, sendLen));
+    ss->handshakeBegun = 1;
+    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+
+    if (rv < 0) {
+	goto loser;
+    }
+
+    rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
+    if (rv < 0) {
+	goto loser;
+    }
+
+    /* Setup to receive servers hello message */
+    ssl_GetRecvBufLock(ss);
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleServerHelloMessage;
+    return SECSuccess;
+
+unlock_loser:
+    ssl_ReleaseXmitBufLock(ss);
+loser:
+    return SECFailure;
+}
+
+/************************************************************************/
+
+/* Handle the CLIENT-MASTER-KEY message. 
+** Acquires and releases RecvBufLock.
+** Called from ssl2_HandleClientHelloMessage(). 
+*/
+static SECStatus
+ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    unsigned int     caLen;
+    unsigned int     ckLen;
+    unsigned int     ekLen;
+    unsigned int     keyBits;
+    int              cipher;
+    SECStatus        rv;
+
+
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
+	|| (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
+	goto bad_client;
+    }
+    cipher  = data[1];
+    keyBits = (data[2] << 8) | data[3];
+    ckLen   = (data[4] << 8) | data[5];
+    ekLen   = (data[6] << 8) | data[7];
+    caLen   = (data[8] << 8) | data[9];
+
+    SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keyBits=%d ckLen=%d ekLen=%d caLen=%d",
+		SSL_GETPID(), ss->fd, cipher, keyBits, ckLen, ekLen, caLen));
+
+    if (ss->gs.recordLen < 
+    	    SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
+	SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
+	goto bad_client;
+    }
+
+    /* Use info from client to setup session key */
+    rv = ssl2_ServerSetupSessionCypher(ss, cipher, keyBits,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES,                 ckLen,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen,         ekLen,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
+    ss->gs.recordLen = 0;	/* we're done with this record. */
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    ss->sec.ci.elements |= CIS_HAVE_MASTER_KEY;
+    ssl2_UseEncryptedSendFunc(ss);
+
+    /* Send server verify message now that keys are established */
+    rv = ssl2_SendServerVerifyMessage(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
+		SSL_GETPID(), ss->fd, 
+		ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+    ss->handshake         = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake     = ssl2_HandleMessage;
+
+    return ssl2_TriggerNextMessage(ss);
+
+bad_client:
+    ssl_ReleaseRecvBufLock(ss);
+    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+    /* FALLTHROUGH */
+
+loser:
+    return SECFailure;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:  
+ *	cert	Client cert chosen by application.
+ *	key	Private key associated with cert.  
+ *
+ * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
+ *	they take the reference, or bump the ref count!
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+ */
+int
+ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
+				  CERTCertificate *    cert, 
+				  SECKEYPrivateKey *   key)
+{
+    int              ret;
+    SECStatus        rv          = SECSuccess;
+    SECItem          response;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
+    	return SECFailure;
+
+    response.data = NULL;
+
+    /* generate error if no cert or key */
+    if ( ( cert == NULL ) || ( key == NULL ) ) {
+	goto no_cert;
+    }
+    
+    /* generate signed response to the challenge */
+    rv = ssl2_SignResponse(ss, key, &response);
+    if ( rv != SECSuccess ) {
+	goto no_cert;
+    }
+    
+    /* Send response message */
+    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
+    if (ret) {
+	goto no_cert;
+    }
+
+    /* try to finish the handshake */
+    ret = ssl2_TryToFinish(ss);
+    if (ret) {
+	goto loser;
+    }
+    
+    /* done with handshake */
+    if (ss->handshake == 0) {
+	ret = SECSuccess;
+	goto done;
+    }
+
+    /* continue handshake */
+    ssl_GetRecvBufLock(ss);
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleMessage;
+    ret = ssl2_TriggerNextMessage(ss);
+    goto done;
+    
+no_cert:
+    /* no cert - send error */
+    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
+    goto done;
+    
+loser:
+    ret = SECFailure;
+done:
+    /* free allocated data */
+    if ( response.data ) {
+	PORT_Free(response.data);
+    }
+    
+    return ret;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs 
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+*/
+int
+ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    int rv	= SECSuccess;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
+	return SECFailure;
+
+    /* SSL 2
+    ** At this point we have a completed session key and our session
+    ** cipher is setup and ready to go. Switch to encrypted write routine
+    ** as all future message data is to be encrypted.
+    */
+    ssl2_UseEncryptedSendFunc(ss);
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv == SECSuccess && ss->handshake != NULL) {	
+	/* handshake is not yet finished. */
+
+	SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
+		ss->sec.ci.elements));
+
+	ssl_GetRecvBufLock(ss);
+	ss->gs.recordLen = 0;	/* mark it all used up. */
+	ssl_ReleaseRecvBufLock(ss);
+
+	ss->handshake     = ssl_GatherRecord1stHandshake;
+	ss->nextHandshake = ssl2_HandleVerifyMessage;
+    }
+
+    return rv;
+}
+
+/*
+** Handle the initial hello message from the client
+**
+** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
+*/
+SECStatus
+ssl2_HandleClientHelloMessage(sslSocket *ss)
+{
+    sslSessionID    *sid;
+    sslServerCerts * sc;
+    CERTCertificate *serverCert;
+    PRUint8         *msg;
+    PRUint8         *data;
+    PRUint8         *cs;
+    PRUint8         *sd;
+    PRUint8         *cert = NULL;
+    PRUint8         *challenge;
+    unsigned int    challengeLen;
+    SECStatus       rv; 
+    int             csLen;
+    int             sendLen;
+    int             sdLen;
+    int             certLen;
+    int             pid;
+    int             sent;
+    int             gotXmitBufLock = 0;
+#if defined(SOLARIS) && defined(i386)
+    volatile PRUint8 hit;
+#else
+    int             hit;
+#endif
+    PRUint8         csImpl[sizeof implementedCipherSuites];
+
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    sc = ss->serverCerts + kt_rsa;
+    serverCert = sc->serverCert;
+
+    ssl_GetRecvBufLock(ss);
+
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    /* Make sure first message has some data and is the client hello message */
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
+	|| (data[0] != SSL_MT_CLIENT_HELLO)) {
+	goto bad_client;
+    }
+
+    /* Get peer name of client */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Examine version information */
+    /*
+     * See if this might be a V2 client hello asking to use the V3 protocol
+     */
+    if ((data[0] == SSL_MT_CLIENT_HELLO) && 
+        (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) && 
+	(ss->opt.enableSSL3 || ss->opt.enableTLS)) {
+	rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
+	if (rv != SECFailure) { /* Success */
+	    ss->handshake             = NULL;
+	    ss->nextHandshake         = ssl_GatherRecord1stHandshake;
+	    ss->securityHandshake     = NULL;
+	    ss->gs.state              = GS_INIT;
+
+	    /* ssl3_HandleV3ClientHello has set ss->version,
+	    ** and has gotten us a brand new sid.  
+	    */
+	    ss->sec.ci.sid->version  = ss->version;
+	}
+	ssl_ReleaseRecvBufLock(ss);
+	return rv;
+    }
+    /* Previously, there was a test here to see if SSL2 was enabled.
+    ** If not, an error code was set, and SECFailure was returned,
+    ** without sending any error code to the other end of the connection.
+    ** That test has been removed.  If SSL2 has been disabled, there
+    ** should be no SSL2 ciphers enabled, and consequently, the code
+    ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
+    ** We now believe this is the correct thing to do, even when SSL2
+    ** has been explicitly disabled by the application.
+    */
+
+    /* Extract info from message */
+    ss->version = (data[1] << 8) | data[2];
+
+    /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it.  */
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	ss->version = SSL_LIBRARY_VERSION_2;
+    }
+    
+    csLen        = (data[3] << 8) | data[4];
+    sdLen        = (data[5] << 8) | data[6];
+    challengeLen = (data[7] << 8) | data[8];
+    cs           = data + SSL_HL_CLIENT_HELLO_HBYTES;
+    sd           = cs + csLen;
+    challenge    = sd + sdLen;
+    PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
+
+    if (!csLen || (csLen % 3) != 0 || 
+        (sdLen != 0 && sdLen != SSL2_SESSIONID_BYTES) ||
+	challengeLen < SSL_MIN_CHALLENGE_BYTES || 
+	challengeLen > SSL_MAX_CHALLENGE_BYTES ||
+        (unsigned)ss->gs.recordLen != 
+            SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
+	SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen,
+		 SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
+	goto bad_client;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
+		SSL_GETPID(), ss->fd, ss->version));
+    if (ss->version != SSL_LIBRARY_VERSION_2) {
+	if (ss->version > SSL_LIBRARY_VERSION_2) {
+	    /*
+	    ** Newer client than us. Things are ok because new clients
+	    ** are required to be backwards compatible with old servers.
+	    ** Change version number to our version number so that client
+	    ** knows whats up.
+	    */
+	    ss->version = SSL_LIBRARY_VERSION_2;
+	} else {
+	    SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
+		SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+	    goto loser;
+	}
+    }
+
+    /* Qualify cipher specs before returning them to client */
+    csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
+    if (csLen == 0) {
+	/* no overlap, send client our list of supported SSL v2 ciphers. */
+        cs    = csImpl;
+	csLen = sizeof implementedCipherSuites;
+    	PORT_Memcpy(cs, implementedCipherSuites, csLen);
+	csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
+	if (csLen == 0) {
+	  /* We don't support any SSL v2 ciphers! */
+	  ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
+	  PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	  goto loser;
+	}
+	/* Since this handhsake is going to fail, don't cache it. */
+	ss->opt.noCache = 1; 
+    }
+
+    /* Squirrel away the challenge for later */
+    PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
+
+    /* Examine message and see if session-id is good */
+    ss->sec.ci.elements = 0;
+    if (sdLen > 0 && !ss->opt.noCache) {
+	SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
+		    ss->sec.ci.peer.pr_s6_addr32[1], 
+		    ss->sec.ci.peer.pr_s6_addr32[2],
+		    ss->sec.ci.peer.pr_s6_addr32[3]));
+	sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
+    } else {
+	sid = NULL;
+    }
+    if (sid) {
+	/* Got a good session-id. Short cut! */
+	SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, 
+		    ssl_Time() - sid->creationTime));
+	PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
+	ss->sec.ci.sid = sid;
+	ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
+	hit = 1;
+	certLen = 0;
+	csLen = 0;
+
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	SECItem * derCert   = &serverCert->derCert;
+
+	SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
+		    SSL_GETPID(), ss->fd));
+	if (!serverCert) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	hit = 0;
+	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	if (!sid) {
+	    goto loser;
+	}
+	sid->references = 1;
+	sid->addr = ss->sec.ci.peer;
+	sid->port = ss->sec.ci.port;
+
+	/* Invent a session-id */
+	ss->sec.ci.sid = sid;
+	PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
+
+	pid = SSL_GETPID();
+	sid->u.ssl2.sessionID[0] = MSB(pid);
+	sid->u.ssl2.sessionID[1] = LSB(pid);
+	cert    = derCert->data;
+	certLen = derCert->len;
+
+	/* pretend that server sids remember the local cert. */
+	PORT_Assert(!sid->localCert);
+	if (sid->localCert) {
+	    CERT_DestroyCertificate(sid->localCert);
+	}
+	sid->localCert     = CERT_DupCertificate(serverCert);
+
+	ss->sec.authAlgorithm = ssl_sign_rsa;
+	ss->sec.keaType       = ssl_kea_rsa;
+	ss->sec.keaKeyBits    = \
+	ss->sec.authKeyBits   = ss->serverCerts[kt_rsa].serverKeyBits;
+    }
+
+    /* server sids don't remember the local cert, so whether we found
+    ** a sid or not, just "remember" we used the rsa server cert.
+    */
+    if (ss->sec.localCert) {
+	CERT_DestroyCertificate(ss->sec.localCert);
+    }
+    ss->sec.localCert     = CERT_DupCertificate(serverCert);
+
+    /* Build up final list of required elements */
+    ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
+    if (ss->opt.requestCertificate) {
+	ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
+    }
+    ss->sec.ci.sentElements = 0;
+
+    /* Send hello message back to client */
+    sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
+	    + SSL_CONNECTIONID_BYTES;
+
+    ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
+		SSL_GETPID(), ss->fd, sendLen));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_SERVER_HELLO;
+    msg[1] = hit;
+    msg[2] = SSL_CT_X509_CERTIFICATE;
+    msg[3] = MSB(ss->version);
+    msg[4] = LSB(ss->version);
+    msg[5] = MSB(certLen);
+    msg[6] = LSB(certLen);
+    msg[7] = MSB(csLen);
+    msg[8] = LSB(csLen);
+    msg[9] = MSB(SSL_CONNECTIONID_BYTES);
+    msg[10] = LSB(SSL_CONNECTIONID_BYTES);
+    if (certLen) {
+	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
+    }
+    if (csLen) {
+	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
+    }
+    PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen, 
+                ss->sec.ci.connectionID, SSL_CONNECTIONID_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+
+    ss->handshakeBegun = 1;
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    if (sent < 0) {
+	goto loser;
+    }
+    ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+
+    ss->gs.recordLen = 0;
+    ss->handshake = ssl_GatherRecord1stHandshake;
+    if (hit) {
+	/* Old SID Session key is good. Go encrypted */
+	ssl2_UseEncryptedSendFunc(ss);
+
+	/* Send server verify message now that keys are established */
+	rv = ssl2_SendServerVerifyMessage(ss);
+	if (rv != SECSuccess) 
+	    goto loser;
+
+	ss->nextHandshake = ssl2_HandleMessage;
+	ssl_ReleaseRecvBufLock(ss);
+	rv = ssl2_TriggerNextMessage(ss);
+	return rv;
+    }
+    ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
+    ssl_ReleaseRecvBufLock(ss);
+    return SECSuccess;
+
+  bad_client:
+    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+    /* FALLTHROUGH */
+
+  loser:
+    if (gotXmitBufLock) {
+    	ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+    }
+    SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
+		 SSL_GETPID(), ss->fd));
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+SECStatus
+ssl2_BeginServerHandshake(sslSocket *ss)
+{
+    SECStatus        rv;
+    sslServerCerts * rsaAuth = ss->serverCerts + kt_rsa;
+
+    ss->sec.isServer = 1;
+    ssl_ChooseSessionIDProcs(&ss->sec);
+    ss->sec.sendSequence = 0;
+    ss->sec.rcvSequence = 0;
+
+    /* don't turn on SSL2 if we don't have an RSA key and cert */
+    if (!rsaAuth->serverKeyPair || !rsaAuth->SERVERKEY || 
+        !rsaAuth->serverCert) {
+	ss->opt.enableSSL2 = PR_FALSE;
+    }
+
+    if (!ss->cipherSpecs) {
+	rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    rv = ssl2_CheckConfigSanity(ss);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+    ** Generate connection-id. Always do this, even if things fail
+    ** immediately. This way the random number generator is always
+    ** rolling around, every time we get a connection.
+    */
+    PK11_GenerateRandom(ss->sec.ci.connectionID, 
+                        sizeof(ss->sec.ci.connectionID));
+
+    ss->gs.recordLen = 0;
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleClientHelloMessage;
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+/* This function doesn't really belong in this file.
+** It's here to keep AIX compilers from optimizing it away, 
+** and not including it in the DSO.
+*/
+
+#include "nss.h"
+extern const char __nss_ssl_rcsid[];
+extern const char __nss_ssl_sccsid[];
+
+PRBool
+NSSSSL_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
+    return NSS_VersionCheck(importedVersion);
+}
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
new file mode 100644
index 000000000..9a473380e
--- /dev/null
+++ b/security/nss/lib/ssl/ssldef.c
@@ -0,0 +1,238 @@
+/*
+ * "Default" SSLSocket methods, used by sockets that do neither SSL nor socks.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+
+#if defined(WIN32)
+#define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); }
+#define DEFINE_ERROR       PRErrorCode err = PR_GetError();
+#else
+#define MAP_ERROR(from,to)
+#define DEFINE_ERROR
+#endif
+
+int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->connect(lower, sa, ss->cTimeout);
+    return rv;
+}
+
+int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->bind(lower, addr);
+    return rv;
+}
+
+int ssl_DefListen(sslSocket *ss, int backlog)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->listen(lower, backlog);
+    return rv;
+}
+
+int ssl_DefShutdown(sslSocket *ss, int how)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->shutdown(lower, how);
+    return rv;
+}
+
+int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
+    if (rv < 0) {
+	DEFINE_ERROR
+	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+    } else if (rv > len) {
+	PORT_Assert(rv <= len);
+	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Default (unencrypted) send.
+ * For blocking sockets, always returns len or SECFailure, no short writes.
+ * For non-blocking sockets:
+ *   Returns positive count if any data was written, else returns SECFailure. 
+ *   Short writes may occur.  Does not return SECWouldBlock.
+ */
+int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int sent = 0;
+
+#if NSS_DISABLE_NAGLE_DELAYS
+    /* Although this is overkill, we disable Nagle delays completely for 
+    ** SSL sockets.
+    */
+    if (ss->opt.useSecurity && !ss->delayDisabled) {
+	ssl_EnableNagleDelay(ss, PR_FALSE);   /* ignore error */
+    	ss->delayDisabled = 1;
+    }
+#endif
+    do {
+	int rv = lower->methods->send(lower, (const void *)(buf + sent), 
+	                              len - sent, flags, ss->wTimeout);
+	if (rv < 0) {
+	    PRErrorCode err = PR_GetError();
+	    if (err == PR_WOULD_BLOCK_ERROR) {
+		ss->lastWriteBlocked = 1;
+		return sent ? sent : SECFailure;
+	    }
+	    ss->lastWriteBlocked = 0;
+	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
+	    /* Loser */
+	    return rv;
+	}
+	sent += rv;
+    } while (len > sent);
+    ss->lastWriteBlocked = 0;
+    return sent;
+}
+
+int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->read(lower, (void *)buf, len);
+    if (rv < 0) {
+	DEFINE_ERROR
+	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+    }
+    return rv;
+}
+
+int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int sent = 0;
+
+    do {
+	int rv = lower->methods->write(lower, (const void *)(buf + sent), 
+	                               len - sent);
+	if (rv < 0) {
+	    PRErrorCode err = PR_GetError();
+	    if (err == PR_WOULD_BLOCK_ERROR) {
+		ss->lastWriteBlocked = 1;
+		return sent ? sent : SECFailure;
+	    }
+	    ss->lastWriteBlocked = 0;
+	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
+	    /* Loser */
+	    return rv;
+	}
+	sent += rv;
+    } while (len > sent);
+    ss->lastWriteBlocked = 0;
+    return sent;
+}
+
+int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->getpeername(lower, name);
+    return rv;
+}
+
+int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->getsockname(lower, name);
+    return rv;
+}
+
+int ssl_DefClose(sslSocket *ss)
+{
+    PRFileDesc *fd;
+    PRFileDesc *popped;
+    int         rv;
+
+    fd    = ss->fd;
+
+    /* First, remove the SSL layer PRFileDesc from the socket's stack, 
+    ** then invoke the SSL layer's PRFileDesc destructor.
+    ** This must happen before the next layer down is closed.
+    */
+    PORT_Assert(fd->higher == NULL);
+    if (fd->higher) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return SECFailure;
+    }
+    ss->fd = NULL;
+
+    /* PR_PopIOLayer will swap the contents of the top two PRFileDescs on
+    ** the stack, and then remove the second one.  This way, the address
+    ** of the PRFileDesc on the top of the stack doesn't change.
+    */
+    popped = PR_PopIOLayer(fd, PR_TOP_IO_LAYER); 
+    popped->dtor(popped);
+
+    /* fd is now the PRFileDesc for the next layer down.
+    ** Now close the underlying socket. 
+    */
+    rv = fd->methods->close(fd);
+
+    ssl_FreeSocket(ss);
+
+    SSL_TRC(5, ("%d: SSL[%d]: closing, rv=%d errno=%d",
+		SSL_GETPID(), fd, rv, PORT_GetError()));
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c
new file mode 100644
index 000000000..85ac19c6e
--- /dev/null
+++ b/security/nss/lib/ssl/sslenum.c
@@ -0,0 +1,151 @@
+/*
+ * Table enumerating all implemented cipher suites
+ * Part of public API.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "ssl.h"
+#include "sslproto.h"
+
+/*
+ * The ciphers are listed in the following order:
+ * - stronger ciphers before weaker ciphers
+ * - national ciphers before international ciphers
+ * - faster ciphers before slower ciphers
+ *
+ * National ciphers such as Camellia are listed before international ciphers
+ * such as AES and RC4 to allow servers that prefer Camellia to negotiate
+ * Camellia without having to disable AES and RC4, which are needed for
+ * interoperability with clients that don't yet implement Camellia.
+ */
+const PRUint16 SSL_ImplementedCiphers[] = {
+
+    /* 256-bit */
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+
+    /* 128-bit */
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+    TLS_DHE_DSS_WITH_RC4_128_SHA,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+    SSL_RSA_WITH_RC4_128_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+
+    /* 112-bit 3DES */
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+#endif /* NSS_ENABLE_ECC */
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+
+    /* 56-bit DES "domestic" cipher suites */
+    SSL_DHE_RSA_WITH_DES_CBC_SHA,
+    SSL_DHE_DSS_WITH_DES_CBC_SHA,
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+    SSL_RSA_WITH_DES_CBC_SHA,
+
+    /* export ciphersuites with 1024-bit public key exchange keys */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+
+    /* export ciphersuites with 512-bit public key exchange keys */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+
+    /* ciphersuites with no encryption */
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    TLS_ECDHE_RSA_WITH_NULL_SHA,
+    TLS_ECDH_RSA_WITH_NULL_SHA,
+    TLS_ECDH_ECDSA_WITH_NULL_SHA,
+#endif /* NSS_ENABLE_ECC */
+    SSL_RSA_WITH_NULL_SHA,
+    SSL_RSA_WITH_NULL_MD5,
+
+    /* SSL2 cipher suites. */
+    SSL_EN_RC4_128_WITH_MD5,
+    SSL_EN_RC2_128_CBC_WITH_MD5,
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  /* actually 112, not 192 */
+    SSL_EN_DES_64_CBC_WITH_MD5,
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
+
+    0
+
+};
+
+const PRUint16 SSL_NumImplementedCiphers = 
+    (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
+
diff --git a/security/nss/lib/ssl/sslerr.c b/security/nss/lib/ssl/sslerr.c
new file mode 100644
index 000000000..d619bbfb0
--- /dev/null
+++ b/security/nss/lib/ssl/sslerr.c
@@ -0,0 +1,74 @@
+/*
+ * Function to set error code only when meaningful error has not already 
+ * been set.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "prerror.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "seccomon.h"
+
+/* look at the current value of PR_GetError, and evaluate it to see
+ * if it is meaningful or meaningless (out of context). 
+ * If it is meaningless, replace it with the hiLevelError.
+ * Returns the chosen error value.
+ */
+int
+ssl_MapLowLevelError(int hiLevelError)
+{
+    int oldErr	= PORT_GetError();
+
+    switch (oldErr) {
+
+    case 0:
+    case PR_IO_ERROR:
+    case SEC_ERROR_IO:
+    case SEC_ERROR_BAD_DATA:
+    case SEC_ERROR_LIBRARY_FAILURE:
+    case SEC_ERROR_EXTENSION_NOT_FOUND:
+    case SSL_ERROR_BAD_CLIENT:
+    case SSL_ERROR_BAD_SERVER:
+    case SSL_ERROR_SESSION_NOT_FOUND:
+    	PORT_SetError(hiLevelError);
+	return hiLevelError;
+
+    default:	/* leave the majority of error codes alone. */
+	return oldErr;
+    }
+}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
new file mode 100644
index 000000000..3c38fbefa
--- /dev/null
+++ b/security/nss/lib/ssl/sslerr.h
@@ -0,0 +1,202 @@
+/*
+ * Enumeration of all SSL-specific error codes.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#ifndef __SSL_ERR_H_
+#define __SSL_ERR_H_
+
+
+#define SSL_ERROR_BASE				(-0x3000)
+#define SSL_ERROR_LIMIT				(SSL_ERROR_BASE + 1000)
+
+#define IS_SSL_ERROR(code) \
+    (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
+
+#ifndef NO_SECURITY_ERROR_ENUM
+typedef enum {
+SSL_ERROR_EXPORT_ONLY_SERVER 		= (SSL_ERROR_BASE +  0),
+SSL_ERROR_US_ONLY_SERVER 		= (SSL_ERROR_BASE +  1),
+SSL_ERROR_NO_CYPHER_OVERLAP 		= (SSL_ERROR_BASE +  2),
+/* 
+ * Received an alert reporting what we did wrong.  (more alerts below)
+ */
+SSL_ERROR_NO_CERTIFICATE /*_ALERT */	= (SSL_ERROR_BASE +  3),
+SSL_ERROR_BAD_CERTIFICATE            	= (SSL_ERROR_BASE +  4),
+					/* error 5 is obsolete */
+SSL_ERROR_BAD_CLIENT 			= (SSL_ERROR_BASE +  6),
+SSL_ERROR_BAD_SERVER 			= (SSL_ERROR_BASE +  7),
+SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	= (SSL_ERROR_BASE +  8),
+SSL_ERROR_UNSUPPORTED_VERSION 		= (SSL_ERROR_BASE +  9),
+					/* error 10 is obsolete */
+SSL_ERROR_WRONG_CERTIFICATE		= (SSL_ERROR_BASE + 11),
+SSL_ERROR_BAD_CERT_DOMAIN 		= (SSL_ERROR_BASE + 12),
+SSL_ERROR_POST_WARNING 			= (SSL_ERROR_BASE + 13),
+SSL_ERROR_SSL2_DISABLED 		= (SSL_ERROR_BASE + 14),
+SSL_ERROR_BAD_MAC_READ 			= (SSL_ERROR_BASE + 15),
+/* 
+ * Received an alert reporting what we did wrong.
+ * (two more alerts above, and many more below)
+ */
+SSL_ERROR_BAD_MAC_ALERT 		= (SSL_ERROR_BASE + 16),
+SSL_ERROR_BAD_CERT_ALERT                = (SSL_ERROR_BASE + 17),
+SSL_ERROR_REVOKED_CERT_ALERT 		= (SSL_ERROR_BASE + 18),
+SSL_ERROR_EXPIRED_CERT_ALERT 		= (SSL_ERROR_BASE + 19),
+
+SSL_ERROR_SSL_DISABLED 			= (SSL_ERROR_BASE + 20),
+SSL_ERROR_FORTEZZA_PQG 			= (SSL_ERROR_BASE + 21),
+SSL_ERROR_UNKNOWN_CIPHER_SUITE		= (SSL_ERROR_BASE + 22),
+SSL_ERROR_NO_CIPHERS_SUPPORTED		= (SSL_ERROR_BASE + 23),
+SSL_ERROR_BAD_BLOCK_PADDING		= (SSL_ERROR_BASE + 24),
+SSL_ERROR_RX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 25),
+SSL_ERROR_TX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 26),
+/* 
+ * Received a malformed (too long or short) SSL handshake.
+ */
+SSL_ERROR_RX_MALFORMED_HELLO_REQUEST	= (SSL_ERROR_BASE + 27),
+SSL_ERROR_RX_MALFORMED_CLIENT_HELLO	= (SSL_ERROR_BASE + 28),
+SSL_ERROR_RX_MALFORMED_SERVER_HELLO	= (SSL_ERROR_BASE + 29),
+SSL_ERROR_RX_MALFORMED_CERTIFICATE	= (SSL_ERROR_BASE + 30),
+SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 31),
+SSL_ERROR_RX_MALFORMED_CERT_REQUEST	= (SSL_ERROR_BASE + 32),
+SSL_ERROR_RX_MALFORMED_HELLO_DONE	= (SSL_ERROR_BASE + 33),
+SSL_ERROR_RX_MALFORMED_CERT_VERIFY	= (SSL_ERROR_BASE + 34),
+SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 35),
+SSL_ERROR_RX_MALFORMED_FINISHED 	= (SSL_ERROR_BASE + 36),
+/* 
+ * Received a malformed (too long or short) SSL record.
+ */
+SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 37),
+SSL_ERROR_RX_MALFORMED_ALERT	 	= (SSL_ERROR_BASE + 38),
+SSL_ERROR_RX_MALFORMED_HANDSHAKE 	= (SSL_ERROR_BASE + 39),
+SSL_ERROR_RX_MALFORMED_APPLICATION_DATA	= (SSL_ERROR_BASE + 40),
+/*
+ * Received an SSL handshake that was inappropriate for the state we're in.
+ * E.g. Server received message from server, or wrong state in state machine.
+ */
+SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST	= (SSL_ERROR_BASE + 41),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO	= (SSL_ERROR_BASE + 42),
+SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO	= (SSL_ERROR_BASE + 43),
+SSL_ERROR_RX_UNEXPECTED_CERTIFICATE	= (SSL_ERROR_BASE + 44),
+SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 45),
+SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST	= (SSL_ERROR_BASE + 46),
+SSL_ERROR_RX_UNEXPECTED_HELLO_DONE	= (SSL_ERROR_BASE + 47),
+SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY	= (SSL_ERROR_BASE + 48),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 49),
+SSL_ERROR_RX_UNEXPECTED_FINISHED 	= (SSL_ERROR_BASE + 50),
+/*
+ * Received an SSL record that was inappropriate for the state we're in.
+ */
+SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 51),
+SSL_ERROR_RX_UNEXPECTED_ALERT	 	= (SSL_ERROR_BASE + 52),
+SSL_ERROR_RX_UNEXPECTED_HANDSHAKE 	= (SSL_ERROR_BASE + 53),
+SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54),
+/*
+ * Received record/message with unknown discriminant.
+ */
+SSL_ERROR_RX_UNKNOWN_RECORD_TYPE	= (SSL_ERROR_BASE + 55),
+SSL_ERROR_RX_UNKNOWN_HANDSHAKE 		= (SSL_ERROR_BASE + 56),
+SSL_ERROR_RX_UNKNOWN_ALERT 		= (SSL_ERROR_BASE + 57),
+/* 
+ * Received an alert reporting what we did wrong.  (more alerts above)
+ */
+SSL_ERROR_CLOSE_NOTIFY_ALERT 		= (SSL_ERROR_BASE + 58),
+SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT 	= (SSL_ERROR_BASE + 59),
+SSL_ERROR_DECOMPRESSION_FAILURE_ALERT 	= (SSL_ERROR_BASE + 60),
+SSL_ERROR_HANDSHAKE_FAILURE_ALERT 	= (SSL_ERROR_BASE + 61),
+SSL_ERROR_ILLEGAL_PARAMETER_ALERT 	= (SSL_ERROR_BASE + 62),
+SSL_ERROR_UNSUPPORTED_CERT_ALERT 	= (SSL_ERROR_BASE + 63),
+SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT 	= (SSL_ERROR_BASE + 64),
+
+SSL_ERROR_GENERATE_RANDOM_FAILURE	= (SSL_ERROR_BASE + 65),
+SSL_ERROR_SIGN_HASHES_FAILURE		= (SSL_ERROR_BASE + 66),
+SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE	= (SSL_ERROR_BASE + 67),
+SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 68),
+SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 69),
+
+SSL_ERROR_ENCRYPTION_FAILURE		= (SSL_ERROR_BASE + 70),
+SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71),
+SSL_ERROR_SOCKET_WRITE_FAILURE		= (SSL_ERROR_BASE + 72),
+
+SSL_ERROR_MD5_DIGEST_FAILURE		= (SSL_ERROR_BASE + 73),
+SSL_ERROR_SHA_DIGEST_FAILURE		= (SSL_ERROR_BASE + 74),
+SSL_ERROR_MAC_COMPUTATION_FAILURE	= (SSL_ERROR_BASE + 75),
+SSL_ERROR_SYM_KEY_CONTEXT_FAILURE	= (SSL_ERROR_BASE + 76),
+SSL_ERROR_SYM_KEY_UNWRAP_FAILURE	= (SSL_ERROR_BASE + 77),
+SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED	= (SSL_ERROR_BASE + 78),
+SSL_ERROR_IV_PARAM_FAILURE		= (SSL_ERROR_BASE + 79),
+SSL_ERROR_INIT_CIPHER_SUITE_FAILURE	= (SSL_ERROR_BASE + 80),
+SSL_ERROR_SESSION_KEY_GEN_FAILURE	= (SSL_ERROR_BASE + 81),
+SSL_ERROR_NO_SERVER_KEY_FOR_ALG		= (SSL_ERROR_BASE + 82),
+SSL_ERROR_TOKEN_INSERTION_REMOVAL	= (SSL_ERROR_BASE + 83),
+SSL_ERROR_TOKEN_SLOT_NOT_FOUND		= (SSL_ERROR_BASE + 84),
+SSL_ERROR_NO_COMPRESSION_OVERLAP	= (SSL_ERROR_BASE + 85),
+SSL_ERROR_HANDSHAKE_NOT_COMPLETED	= (SSL_ERROR_BASE + 86),
+SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE	= (SSL_ERROR_BASE + 87),
+SSL_ERROR_CERT_KEA_MISMATCH		= (SSL_ERROR_BASE + 88),
+SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	= (SSL_ERROR_BASE + 89),
+SSL_ERROR_SESSION_NOT_FOUND		= (SSL_ERROR_BASE + 90),
+
+SSL_ERROR_DECRYPTION_FAILED_ALERT	= (SSL_ERROR_BASE + 91),
+SSL_ERROR_RECORD_OVERFLOW_ALERT		= (SSL_ERROR_BASE + 92),
+SSL_ERROR_UNKNOWN_CA_ALERT		= (SSL_ERROR_BASE + 93),
+SSL_ERROR_ACCESS_DENIED_ALERT		= (SSL_ERROR_BASE + 94),
+SSL_ERROR_DECODE_ERROR_ALERT		= (SSL_ERROR_BASE + 95),
+SSL_ERROR_DECRYPT_ERROR_ALERT		= (SSL_ERROR_BASE + 96),
+SSL_ERROR_EXPORT_RESTRICTION_ALERT	= (SSL_ERROR_BASE + 97),
+SSL_ERROR_PROTOCOL_VERSION_ALERT	= (SSL_ERROR_BASE + 98),
+SSL_ERROR_INSUFFICIENT_SECURITY_ALERT	= (SSL_ERROR_BASE + 99),
+SSL_ERROR_INTERNAL_ERROR_ALERT		= (SSL_ERROR_BASE + 100),
+SSL_ERROR_USER_CANCELED_ALERT		= (SSL_ERROR_BASE + 101),
+SSL_ERROR_NO_RENEGOTIATION_ALERT	= (SSL_ERROR_BASE + 102),
+
+SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED	= (SSL_ERROR_BASE + 103),
+
+SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT		= (SSL_ERROR_BASE + 104),
+SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT	= (SSL_ERROR_BASE + 105),
+SSL_ERROR_UNRECOGNIZED_NAME_ALERT		= (SSL_ERROR_BASE + 106),
+SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT	= (SSL_ERROR_BASE + 107),
+SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT		= (SSL_ERROR_BASE + 108),
+
+SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 109),
+SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET  = (SSL_ERROR_BASE + 110),
+
+SSL_ERROR_END_OF_LIST	/* let the c compiler determine the value of this. */
+} SSLErrorCodes;
+#endif /* NO_SECURITY_ERROR_ENUM */
+
+#endif /* __SSL_ERR_H_ */
diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c
new file mode 100644
index 000000000..4d7db0bc4
--- /dev/null
+++ b/security/nss/lib/ssl/sslgathr.c
@@ -0,0 +1,483 @@
+/*
+ * Gather (Read) entire SSL2 records from socket into buffer.  
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+
+/* Forward static declarations */
+static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
+
+/*
+** Gather a single record of data from the receiving stream. This code
+** first gathers the header (2 or 3 bytes long depending on the value of
+** the most significant bit in the first byte) then gathers up the data
+** for the record into gs->buf. This code handles non-blocking I/O
+** and is to be called multiple times until ss->sec.recordLen != 0.
+** This function decrypts the gathered record in place, in gs_buf.
+ *
+ * Caller must hold RecvBufLock. 
+ *
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
+**
+** The SSL2 Gather State machine has 4 states:
+** GS_INIT   - Done reading in previous record.  Haven't begun to read in
+**             next record.  When ssl2_GatherData is called with the machine
+**             in this state, the machine will attempt to read the first 3
+**             bytes of the SSL2 record header, and will advance the state
+**             to GS_HEADER.
+**
+** GS_HEADER - The machine is in this state while waiting for the completion
+**             of the first 3 bytes of the SSL2 record.  When complete, the
+**             machine will compute the remaining unread length of this record
+**             and will initiate a read of that many bytes.  The machine will
+**             advance to one of two states, depending on whether the record
+**             is encrypted (GS_MAC), or unencrypted (GS_DATA).
+**
+** GS_MAC    - The machine is in this state while waiting for the remainder 
+**             of the SSL2 record to be read in.  When the read is completed,
+**             the machine checks the record for valid length, decrypts it,
+**             and checks and discards the MAC, then advances to GS_INIT.
+**
+** GS_DATA   - The machine is in this state while waiting for the remainder
+**             of the unencrypted SSL2 record to be read in.  Upon completion,
+**             the machine advances to the GS_INIT state and returns the data.
+*/
+int 
+ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
+{
+    unsigned char *  bp;
+    unsigned char *  pBuf;
+    int              nb, err, rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+
+    if (gs->state == GS_INIT) {
+	/* Initialize gathering engine */
+	gs->state         = GS_HEADER;
+	gs->remainder     = 3;
+	gs->count         = 3;
+	gs->offset        = 0;
+	gs->recordLen     = 0;
+	gs->recordPadding = 0;
+	gs->hdr[2]        = 0;
+
+	gs->writeOffset   = 0;
+	gs->readOffset    = 0;
+    }
+    if (gs->encrypted) {
+	PORT_Assert(ss->sec.hash != 0);
+    }
+
+    pBuf = gs->buf.buf;
+    for (;;) {
+	SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
+		     SSL_GETPID(), ss->fd, gs->state, gs->remainder));
+	bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
+	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
+	if (nb > 0) {
+	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
+	}
+	if (nb == 0) {
+	    /* EOF */
+	    SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
+	    rv = 0;
+	    break;
+	}
+	if (nb < 0) {
+	    SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
+		     PR_GetError()));
+	    rv = SECFailure;
+	    break;
+	}
+
+	gs->offset    += nb;
+	gs->remainder -= nb;
+
+	if (gs->remainder > 0) {
+	    continue;
+	}
+
+	/* Probably finished this piece */
+	switch (gs->state) {
+	case GS_HEADER: 
+	    if ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) {
+
+		PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+		/* If this looks like an SSL3 handshake record, 
+		** and we're expecting an SSL2 Hello message from our peer, 
+		** handle it here.
+		*/
+		if (gs->hdr[0] == content_handshake) {
+		    if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
+			(ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
+			rv = ssl2_HandleV3HandshakeRecord(ss);
+			if (rv == SECFailure) {
+			    return SECFailure;
+			}
+		    }
+		    /* XXX_1	The call stack to here is:
+		     * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> 
+		     *			ssl2_GatherRecord -> here.
+		     * We want to return all the way out to ssl_Do1stHandshake,
+		     * and have it call ssl_GatherRecord1stHandshake again. 
+		     * ssl_GatherRecord1stHandshake will call 
+		     * ssl3_GatherCompleteHandshake when it is called again.
+		     *
+		     * Returning SECWouldBlock here causes 
+		     * ssl_GatherRecord1stHandshake to return without clearing 
+		     * ss->handshake, ensuring that ssl_Do1stHandshake will 
+		     * call it again immediately.
+		     * 
+		     * If we return 1 here, ssl_GatherRecord1stHandshake will 
+		     * clear ss->handshake before returning, and thus will not 
+		     * be called again by ssl_Do1stHandshake.  
+		     */
+		    return SECWouldBlock;
+		} else if (gs->hdr[0] == content_alert) {
+		    if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
+			/* XXX This is a hack.  We're assuming that any failure
+			 * XXX on the client hello is a failure to match
+			 * XXX ciphers.
+			 */
+			PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+			return SECFailure;
+		    }
+		}
+	    }	/* ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) */
+
+	    /* we've got the first 3 bytes.  The header may be two or three. */
+	    if (gs->hdr[0] & 0x80) {
+		/* This record has a 2-byte header, and no padding */
+		gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
+		gs->recordPadding = 0;
+	    } else {
+		/* This record has a 3-byte header that is all read in now. */
+		gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
+	    /*  is_escape =  (gs->hdr[0] & 0x40) != 0; */
+		gs->recordPadding = gs->hdr[2];
+	    }
+	    if (!gs->count) {
+		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		goto cleanup;
+	    }
+
+	    if (gs->count > gs->buf.space) {
+		err = sslBuffer_Grow(&gs->buf, gs->count);
+		if (err) {
+		    return err;
+		}
+		pBuf = gs->buf.buf;
+	    }
+
+
+	    if (gs->hdr[0] & 0x80) {
+	    	/* we've already read in the first byte of the body.
+		** Put it into the buffer.
+		*/
+		pBuf[0]        = gs->hdr[2];
+		gs->offset    = 1;
+		gs->remainder = gs->count - 1;
+	    } else {
+		gs->offset    = 0;
+		gs->remainder = gs->count;
+	    }
+
+	    if (gs->encrypted) {
+		gs->state     = GS_MAC;
+		gs->recordLen = gs->count - gs->recordPadding
+		                          - ss->sec.hash->length;
+	    } else {
+		gs->state     = GS_DATA;
+		gs->recordLen = gs->count;
+	    }
+
+	    break;
+
+
+	case GS_MAC:
+	    /* Have read in entire rest of the ciphertext.  
+	    ** Check for valid length.
+	    ** Decrypt it.
+	    ** Check the MAC.
+	    */
+	    PORT_Assert(gs->encrypted);
+
+	  {
+	    unsigned int     macLen;
+	    int              nout;
+	    unsigned char    mac[SSL_MAX_MAC_BYTES];
+
+	    ssl_GetSpecReadLock(ss); /**********************************/
+
+	    /* If this is a stream cipher, blockSize will be 1,
+	     * and this test will always be false.
+	     * If this is a block cipher, this will detect records
+	     * that are not a multiple of the blocksize in length.
+	     */
+	    if (gs->count & (ss->sec.blockSize - 1)) {
+		/* This is an error. Sender is misbehaving */
+		SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
+			 SSL_GETPID(), ss->fd, gs->count,
+			 ss->sec.blockSize));
+		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
+		rv = SECFailure;
+		goto spec_locked_done;
+	    }
+	    PORT_Assert(gs->count == gs->offset);
+
+	    if (gs->offset == 0) {
+		rv = 0;			/* means EOF. */
+		goto spec_locked_done;
+	    }
+
+	    /* Decrypt the portion of data that we just recieved.
+	    ** Decrypt it in place.
+	    */
+	    rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
+			     pBuf, gs->offset);
+	    if (rv != SECSuccess) {
+		goto spec_locked_done;
+	    }
+
+
+	    /* Have read in all the MAC portion of record 
+	    **
+	    ** Prepare MAC by resetting it and feeding it the shared secret
+	    */
+	    macLen = ss->sec.hash->length;
+	    if (gs->offset >= macLen) {
+		PRUint32           sequenceNumber = ss->sec.rcvSequence++;
+		unsigned char    seq[4];
+
+		seq[0] = (unsigned char) (sequenceNumber >> 24);
+		seq[1] = (unsigned char) (sequenceNumber >> 16);
+		seq[2] = (unsigned char) (sequenceNumber >> 8);
+		seq[3] = (unsigned char) (sequenceNumber);
+
+		(*ss->sec.hash->begin)(ss->sec.hashcx);
+		(*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
+				        ss->sec.rcvSecret.len);
+		(*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, 
+				        gs->offset - macLen);
+		(*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
+		(*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
+	    }
+
+	    PORT_Assert(macLen == ss->sec.hash->length);
+
+	    ssl_ReleaseSpecReadLock(ss);  /******************************/
+
+	    if (PORT_Memcmp(mac, pBuf, macLen) != 0) {
+		/* MAC's didn't match... */
+		SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
+			 SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
+		PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
+		PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
+		PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+		rv = SECFailure;
+		goto cleanup;
+	    }
+
+
+	    PORT_Assert(gs->recordPadding + macLen <= gs->offset);
+	    if (gs->recordPadding + macLen <= gs->offset) {
+		gs->recordOffset  = macLen;
+		gs->readOffset    = macLen;
+		gs->writeOffset   = gs->offset - gs->recordPadding;
+		rv = 1;
+	    } else {
+		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
+cleanup:
+		/* nothing in the buffer any more. */
+		gs->recordOffset  = 0;
+		gs->readOffset    = 0;
+	    	gs->writeOffset   = 0;
+		rv = SECFailure;
+	    }
+
+	    gs->recordLen     = gs->writeOffset - gs->readOffset;
+	    gs->recordPadding = 0;	/* forget we did any padding. */
+	    gs->state = GS_INIT;
+
+
+	    if (rv > 0) {
+		PRINT_BUF(50, (ss, "recv clear record:", 
+		               pBuf + gs->recordOffset, gs->recordLen));
+	    }
+	    return rv;
+
+spec_locked_done:
+	    ssl_ReleaseSpecReadLock(ss);
+	    return rv;
+	  }
+
+	case GS_DATA:
+	    /* Have read in all the DATA portion of record */
+
+	    gs->recordOffset  = 0;
+	    gs->readOffset    = 0;
+	    gs->writeOffset   = gs->offset;
+	    PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
+	    gs->recordLen     = gs->offset;
+	    gs->recordPadding = 0;
+	    gs->state         = GS_INIT;
+
+	    ++ss->sec.rcvSequence;
+
+	    PRINT_BUF(50, (ss, "recv clear record:", 
+	                   pBuf + gs->recordOffset, gs->recordLen));
+	    return 1;
+
+	}	/* end switch gs->state */
+    }		/* end gather loop. */
+    return rv;
+}
+
+/*
+** Gather a single record of data from the receiving stream. This code
+** first gathers the header (2 or 3 bytes long depending on the value of
+** the most significant bit in the first byte) then gathers up the data
+** for the record into the readBuf. This code handles non-blocking I/O
+** and is to be called multiple times until ss->sec.recordLen != 0.
+ *
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) 
+ *
+ * Called by ssl_GatherRecord1stHandshake in sslcon.c, 
+ * and by DoRecv in sslsecur.c
+ * Caller must hold RecvBufLock.
+ */
+int 
+ssl2_GatherRecord(sslSocket *ss, int flags)
+{
+    return ssl2_GatherData(ss, &ss->gs, flags);
+}
+
+/*
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) 
+ *
+ * Called from SocksStartGather in sslsocks.c
+ * Caller must hold RecvBufLock. 
+ */
+int 
+ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
+{
+    int rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    gs->state     = GS_DATA;
+    gs->remainder = count;
+    gs->count     = count;
+    gs->offset    = 0;
+    if (count > gs->buf.space) {
+	rv = sslBuffer_Grow(&gs->buf, count);
+	if (rv) {
+	    return rv;
+	}
+    }
+    return ssl2_GatherData(ss, gs, 0);
+}
+
+/* Caller should hold RecvBufLock. */
+SECStatus
+ssl_InitGather(sslGather *gs)
+{
+    SECStatus status;
+
+    gs->state = GS_INIT;
+    gs->writeOffset = 0;
+    gs->readOffset  = 0;
+    status = sslBuffer_Grow(&gs->buf, 4096);
+    return status;
+}
+
+/* Caller must hold RecvBufLock. */
+void 
+ssl_DestroyGather(sslGather *gs)
+{
+    if (gs) {	/* the PORT_*Free functions check for NULL pointers. */
+	PORT_ZFree(gs->buf.buf, gs->buf.space);
+	PORT_Free(gs->inbuf.buf);
+    }
+}
+
+/* Caller must hold RecvBufLock. */
+static SECStatus
+ssl2_HandleV3HandshakeRecord(sslSocket *ss)
+{
+    SECStatus           rv;
+    SSL3ProtocolVersion version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+
+    /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
+    ss->gs.remainder         = 2;
+    ss->gs.count             = 0;
+
+    /* Clearing these handshake pointers ensures that 
+     * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
+     */
+    ss->nextHandshake     = 0;
+    ss->securityHandshake = 0;
+
+    /* Setting ss->version to an SSL 3.x value will cause 
+    ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() 
+    ** the next time it is called.
+    **/
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    ss->sec.send         = ssl3_SendApplicationData;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
new file mode 100644
index 000000000..e1e2c2131
--- /dev/null
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -0,0 +1,1575 @@
+/*
+ * This file is PRIVATE to SSL and should be the first thing included by
+ * any SSL implementation file.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __sslimpl_h_
+#define __sslimpl_h_
+
+#ifdef DEBUG
+#undef NDEBUG
+#else
+#undef NDEBUG
+#define NDEBUG
+#endif
+#include "secport.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "ssl3prot.h"
+#include "hasht.h"
+#include "nssilock.h"
+#include "pkcs11t.h"
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "unistd.h"
+#endif
+#include "nssrwlk.h"
+#include "prthread.h"
+
+#include "sslt.h" /* for some formerly private types, now public */
+
+/* to make some of these old enums public without namespace pollution,
+** it was necessary to prepend ssl_ to the names.
+** These #defines preserve compatibility with the old code here in libssl.
+*/
+typedef SSLKEAType      SSL3KEAType;
+typedef SSLMACAlgorithm SSL3MACAlgorithm;
+typedef SSLSignType     SSL3SignType;
+
+#define sign_null	ssl_sign_null
+#define sign_rsa	ssl_sign_rsa
+#define sign_dsa	ssl_sign_dsa
+#define sign_ecdsa	ssl_sign_ecdsa
+
+#define calg_null	ssl_calg_null
+#define calg_rc4	ssl_calg_rc4
+#define calg_rc2	ssl_calg_rc2
+#define calg_des	ssl_calg_des
+#define calg_3des	ssl_calg_3des
+#define calg_idea	ssl_calg_idea
+#define calg_fortezza	ssl_calg_fortezza /* deprecated, must preserve */
+#define calg_aes	ssl_calg_aes
+#define calg_camellia	ssl_calg_camellia
+
+#define mac_null	ssl_mac_null
+#define mac_md5 	ssl_mac_md5
+#define mac_sha 	ssl_mac_sha
+#define hmac_md5	ssl_hmac_md5
+#define hmac_sha	ssl_hmac_sha
+
+#define SET_ERROR_CODE		/* reminder */
+#define SEND_ALERT		/* reminder */
+#define TEST_FOR_FAILURE	/* reminder */
+#define DEAL_WITH_FAILURE	/* reminder */
+
+#if defined(DEBUG) || defined(TRACE)
+#ifdef __cplusplus
+#define Debug 1
+#else
+extern int Debug;
+#endif
+#else
+#undef Debug
+#endif
+
+#if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
+#define TRACE
+#endif
+
+#ifdef TRACE
+#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
+#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
+#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
+#else
+#define SSL_TRC(a,b)
+#define PRINT_BUF(a,b)
+#define DUMP_MSG(a,b)
+#endif
+
+#ifdef DEBUG
+#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
+#else
+#define SSL_DBG(b)
+#endif
+
+#ifdef macintosh
+#include "pprthred.h"
+#else
+#include "private/pprthred.h"	/* for PR_InMonitor() */
+#endif
+#define ssl_InMonitor(m) PZ_InMonitor(m)
+
+#define LSB(x) ((unsigned char) (x & 0xff))
+#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
+
+/************************************************************************/
+
+typedef enum { SSLAppOpRead = 0,
+	       SSLAppOpWrite,
+	       SSLAppOpRDWR,
+	       SSLAppOpPost,
+	       SSLAppOpHeader
+} SSLAppOperation;
+
+#define SSL_MIN_MASTER_KEY_BYTES	5
+#define SSL_MAX_MASTER_KEY_BYTES	64
+
+#define SSL2_SESSIONID_BYTES		16
+#define SSL3_SESSIONID_BYTES		32
+
+#define SSL_MIN_CHALLENGE_BYTES		16
+#define SSL_MAX_CHALLENGE_BYTES		32
+#define SSL_CHALLENGE_BYTES		16
+
+#define SSL_CONNECTIONID_BYTES		16
+
+#define SSL_MIN_CYPHER_ARG_BYTES	0
+#define SSL_MAX_CYPHER_ARG_BYTES	32
+
+#define SSL_MAX_MAC_BYTES		16
+
+#define SSL3_RSA_PMS_LENGTH 48
+#define SSL3_MASTER_SECRET_LENGTH 48
+
+/* number of wrap mechanisms potentially used to wrap master secrets. */
+#define SSL_NUM_WRAP_MECHS              15
+
+/* This makes the cert cache entry exactly 4k. */
+#define SSL_MAX_CACHED_CERT_LEN		4060
+
+#define NUM_MIXERS                      9
+
+/* Mask of the 25 named curves we support. */
+#ifndef NSS_ECC_MORE_THAN_SUITE_B
+#define SSL3_SUPPORTED_CURVES_MASK 0x3800000	/* only 3 curves, suite B*/
+#else
+#define SSL3_SUPPORTED_CURVES_MASK 0x3fffffe
+#endif
+
+#ifndef BPB
+#define BPB 8 /* Bits Per Byte */
+#endif
+
+#define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
+
+typedef struct sslBufferStr             sslBuffer;
+typedef struct sslConnectInfoStr        sslConnectInfo;
+typedef struct sslGatherStr             sslGather;
+typedef struct sslSecurityInfoStr       sslSecurityInfo;
+typedef struct sslSessionIDStr          sslSessionID;
+typedef struct sslSocketStr             sslSocket;
+typedef struct sslSocketOpsStr          sslSocketOps;
+
+typedef struct ssl3StateStr             ssl3State;
+typedef struct ssl3CertNodeStr          ssl3CertNode;
+typedef struct ssl3BulkCipherDefStr     ssl3BulkCipherDef;
+typedef struct ssl3MACDefStr            ssl3MACDef;
+typedef struct ssl3KeyPairStr		ssl3KeyPair;
+
+struct ssl3CertNodeStr {
+    struct ssl3CertNodeStr *next;
+    CERTCertificate *       cert;
+};
+
+typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
+
+/* This type points to the low layer send func, 
+** e.g. ssl2_SendStream or ssl3_SendPlainText.
+** These functions return the same values as PR_Send, 
+** i.e.  >= 0 means number of bytes sent, < 0 means error.
+*/
+typedef PRInt32       (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
+			             PRInt32 n, PRInt32 flags);
+
+typedef void          (*sslSessionIDCacheFunc)  (sslSessionID *sid);
+typedef void          (*sslSessionIDUncacheFunc)(sslSessionID *sid);
+typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr    *addr,
+						unsigned char* sid,
+						unsigned int   sidLen,
+                                                CERTCertDBHandle * dbHandle);
+
+/* registerable callback function that either appends extension to buffer
+ * or returns length of data that it would have appended.
+ */
+typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
+						PRUint32 maxBytes);
+
+/* registerable callback function that handles a received extension, 
+ * of the given type.
+ */
+typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
+						    PRUint16   ex_type,
+                                                    SECItem *  data);
+
+/* row in a table of hello extension senders */
+typedef struct {
+    PRInt32                      ex_type;
+    ssl3HelloExtensionSenderFunc ex_sender;
+} ssl3HelloExtensionSender;
+
+/* row in a table of hello extension handlers */
+typedef struct {
+    PRInt32                       ex_type;
+    ssl3HelloExtensionHandlerFunc ex_handler;
+} ssl3HelloExtensionHandler;
+
+extern SECStatus 
+ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
+				        ssl3HelloExtensionSenderFunc cb);
+
+extern PRInt32
+ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
+                               const ssl3HelloExtensionSender *sender);
+
+/* Socket ops */
+struct sslSocketOpsStr {
+    int         (*connect) (sslSocket *, const PRNetAddr *);
+    PRFileDesc *(*accept)  (sslSocket *, PRNetAddr *);
+    int         (*bind)    (sslSocket *, const PRNetAddr *);
+    int         (*listen)  (sslSocket *, int);
+    int         (*shutdown)(sslSocket *, int);
+    int         (*close)   (sslSocket *);
+
+    int         (*recv)    (sslSocket *, unsigned char *, int, int);
+
+    /* points to the higher-layer send func, e.g. ssl_SecureSend. */
+    int         (*send)    (sslSocket *, const unsigned char *, int, int);
+    int         (*read)    (sslSocket *, unsigned char *, int);
+    int         (*write)   (sslSocket *, const unsigned char *, int);
+
+    int         (*getpeername)(sslSocket *, PRNetAddr *);
+    int         (*getsockname)(sslSocket *, PRNetAddr *);
+};
+
+/* Flags interpreted by ssl send functions. */
+#define ssl_SEND_FLAG_FORCE_INTO_BUFFER	0x40000000
+#define ssl_SEND_FLAG_NO_BUFFER		0x20000000
+#define ssl_SEND_FLAG_MASK		0x7f000000
+
+/*
+** A buffer object.
+*/
+struct sslBufferStr {
+    unsigned char *	buf;
+    unsigned int 	len;
+    unsigned int 	space;
+};
+
+/*
+** SSL3 cipher suite policy and preference struct.
+*/
+typedef struct {
+#if !defined(_WIN32)
+    unsigned int    cipher_suite : 16;
+    unsigned int    policy       :  8;
+    unsigned int    enabled      :  1;
+    unsigned int    isPresent    :  1;
+#else
+    ssl3CipherSuite cipher_suite;
+    PRUint8         policy;
+    unsigned char   enabled   : 1;
+    unsigned char   isPresent : 1;
+#endif
+} ssl3CipherSuiteCfg;
+
+#ifdef NSS_ENABLE_ECC
+#define ssl_V3_SUITES_IMPLEMENTED 49
+#else
+#define ssl_V3_SUITES_IMPLEMENTED 29
+#endif /* NSS_ENABLE_ECC */
+
+typedef struct sslOptionsStr {
+    unsigned int useSecurity		: 1;  /*  1 */
+    unsigned int useSocks		: 1;  /*  2 */
+    unsigned int requestCertificate	: 1;  /*  3 */
+    unsigned int requireCertificate	: 2;  /*  4-5 */
+    unsigned int handshakeAsClient	: 1;  /*  6 */
+    unsigned int handshakeAsServer	: 1;  /*  7 */
+    unsigned int enableSSL2		: 1;  /*  8 */
+    unsigned int enableSSL3		: 1;  /*  9 */
+    unsigned int enableTLS		: 1;  /* 10 */
+    unsigned int noCache		: 1;  /* 11 */
+    unsigned int fdx			: 1;  /* 12 */
+    unsigned int v2CompatibleHello	: 1;  /* 13 */
+    unsigned int detectRollBack  	: 1;  /* 14 */
+    unsigned int noStepDown             : 1;  /* 15 */
+    unsigned int bypassPKCS11           : 1;  /* 16 */
+    unsigned int noLocks                : 1;  /* 17 */
+    unsigned int enableSessionTickets   : 1;  /* 18 */
+} sslOptions;
+
+typedef enum { sslHandshakingUndetermined = 0,
+	       sslHandshakingAsClient,
+	       sslHandshakingAsServer 
+} sslHandshakingType;
+
+typedef struct sslServerCertsStr {
+    /* Configuration state for server sockets */
+    CERTCertificate *     serverCert;
+    CERTCertificateList * serverCertChain;
+    ssl3KeyPair *         serverKeyPair;
+    unsigned int          serverKeyBits;
+} sslServerCerts;
+
+#define SERVERKEY serverKeyPair->privKey
+
+#define SSL_LOCK_RANK_SPEC 	255
+#define SSL_LOCK_RANK_GLOBAL 	NSS_RWLOCK_RANK_NONE
+
+/* These are the valid values for shutdownHow. 
+** These values are each 1 greater than the NSPR values, and the code
+** depends on that relation to efficiently convert PR_SHUTDOWN values 
+** into ssl_SHUTDOWN values.  These values use one bit for read, and 
+** another bit for write, and can be used as bitmasks.
+*/
+#define ssl_SHUTDOWN_NONE	0	/* NOT shutdown at all */
+#define ssl_SHUTDOWN_RCV	1	/* PR_SHUTDOWN_RCV  +1 */
+#define ssl_SHUTDOWN_SEND	2	/* PR_SHUTDOWN_SEND +1 */
+#define ssl_SHUTDOWN_BOTH	3	/* PR_SHUTDOWN_BOTH +1 */
+
+/*
+** A gather object. Used to read some data until a count has been
+** satisfied. Primarily for support of async sockets.
+** Everything in here is protected by the recvBufLock.
+*/
+struct sslGatherStr {
+    int           state;	/* see GS_ values below. */     /* ssl 2 & 3 */
+
+    /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
+     * SSL2: recv'd ciphertext records are put here, then decrypted in place.
+     * SSL3: recv'd ciphertext records are put in inbuf (see below), then 
+     *       decrypted into buf.
+     */
+    sslBuffer     buf;				/*recvBufLock*/	/* ssl 2 & 3 */
+
+    /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). 
+    ** (offset - writeOffset) is the number of ciphertext bytes read in but 
+    **     not yet deciphered.
+    */
+    unsigned int  offset;                                       /* ssl 2 & 3 */
+
+    /* number of bytes to read in next call to ssl_DefRecv (recv) */
+    unsigned int  remainder;                                    /* ssl 2 & 3 */
+
+    /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
+    unsigned int  count;					/* ssl2 only */
+
+    /* size of the final plaintext record. 
+    ** == count - (recordPadding + MAC size)
+    */
+    unsigned int  recordLen;					/* ssl2 only */
+
+    /* number of bytes of padding to be removed after decrypting. */
+    /* This value is taken from the record's hdr[2], which means a too large
+     * value could crash us.
+     */
+    unsigned int  recordPadding;				/* ssl2 only */
+
+    /* plaintext DATA begins this many bytes into "buf".  */
+    unsigned int  recordOffset;					/* ssl2 only */
+
+    int           encrypted;    /* SSL2 session is now encrypted.  ssl2 only */
+
+    /* These next two values are used by SSL2 and SSL3.  
+    ** DoRecv uses them to extract application data.
+    ** The difference between writeOffset and readOffset is the amount of 
+    ** data available to the application.   Note that the actual offset of 
+    ** the data in "buf" is recordOffset (above), not readOffset.
+    ** In the current implementation, this is made available before the 
+    ** MAC is checked!!
+    */
+    unsigned int  readOffset;  /* Spot where DATA reader (e.g. application
+                               ** or handshake code) will read next.
+                               ** Always zero for SSl3 application data.
+			       */
+    /* offset in buf/inbuf/hdr into which new data will be read from socket. */
+    unsigned int  writeOffset; 
+
+    /* Buffer for ssl3 to read (encrypted) data from the socket */
+    sslBuffer     inbuf;			/*recvBufLock*/	/* ssl3 only */
+
+    /* The ssl[23]_GatherData functions read data into this buffer, rather
+    ** than into buf or inbuf, while in the GS_HEADER state.  
+    ** The portion of the SSL record header put here always comes off the wire 
+    ** as plaintext, never ciphertext.
+    ** For SSL2, the plaintext portion is two bytes long.  For SSl3 it is 5.
+    */
+    unsigned char hdr[5];					/* ssl 2 & 3 */
+};
+
+/* sslGather.state */
+#define GS_INIT		0
+#define GS_HEADER	1
+#define GS_MAC		2
+#define GS_DATA		3
+#define GS_PAD		4
+
+typedef SECStatus (*SSLCipher)(void *               context, 
+                               unsigned char *      out,
+			       int *                outlen, 
+			       int                  maxout, 
+			       const unsigned char *in,
+			       int                  inlen);
+typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+
+
+
+/*
+** ssl3State and CipherSpec structs
+*/
+
+/* The SSL bulk cipher definition */
+typedef enum {
+    cipher_null,
+    cipher_rc4, 
+    cipher_rc4_40,
+    cipher_rc4_56,
+    cipher_rc2, 
+    cipher_rc2_40,
+    cipher_des, 
+    cipher_3des, 
+    cipher_des40,
+    cipher_idea, 
+    cipher_aes_128,
+    cipher_aes_256,
+    cipher_camellia_128,
+    cipher_camellia_256,
+    cipher_missing              /* reserved for no such supported cipher */
+    /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
+} SSL3BulkCipher;
+
+typedef enum { type_stream, type_block } CipherType;
+
+#define MAX_IV_LENGTH 64
+
+/*
+ * Do not depend upon 64 bit arithmetic in the underlying machine. 
+ */
+typedef struct {
+    PRUint32         high;
+    PRUint32         low;
+} SSL3SequenceNumber;
+
+#define MAX_MAC_CONTEXT_BYTES 400
+#define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
+
+#define MAX_CIPHER_CONTEXT_BYTES 2080
+#define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
+
+typedef struct {
+    SSL3Opaque        client_write_iv         [24];
+    SSL3Opaque        server_write_iv         [24];
+    SSL3Opaque        wrapped_master_secret   [48];
+    PRUint16          wrapped_master_secret_len;
+    PRUint8           msIsWrapped;
+    PRUint8           resumable;
+} ssl3SidKeys; /* 100 bytes */
+
+typedef struct {
+    PK11SymKey  *write_key;
+    PK11SymKey  *write_mac_key;
+    PK11Context *write_mac_context;
+    SECItem     write_key_item;
+    SECItem     write_iv_item;
+    SECItem     write_mac_key_item;
+    SSL3Opaque  write_iv[MAX_IV_LENGTH];
+    PRUint64    cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
+} ssl3KeyMaterial;
+
+/*
+** These are the "specs" in the "ssl3" struct.
+** Access to the pointers to these specs, and all the specs' contents
+** (direct and indirect) is protected by the reader/writer lock ss->specLock.
+*/
+typedef struct {
+    const ssl3BulkCipherDef *cipher_def;
+    const ssl3MACDef * mac_def;
+    int                mac_size;
+    SSLCipher          encode;
+    SSLCipher          decode;
+    SSLDestroy         destroy;
+    void *             encodeContext;
+    void *             decodeContext;
+    PRBool             bypassCiphers;	/* did double bypass (at least) */
+    PK11SymKey *       master_secret;
+    SSL3SequenceNumber write_seq_num;
+    SSL3SequenceNumber read_seq_num;
+    SSL3ProtocolVersion version;
+    ssl3KeyMaterial    client;
+    ssl3KeyMaterial    server;
+    SECItem            msItem;
+    unsigned char      key_block[NUM_MIXERS * MD5_LENGTH];
+    unsigned char      raw_master_secret[56];
+} ssl3CipherSpec;
+
+typedef enum {	never_cached, 
+		in_client_cache, 
+		in_server_cache, 
+		invalid_cache		/* no longer in any cache. */
+} Cached;
+
+struct sslSessionIDStr {
+    sslSessionID *        next;   /* chain used for client sockets, only */
+
+    CERTCertificate *     peerCert;
+    const char *          peerID;     /* client only */
+    const char *          urlSvrName; /* client only */
+    CERTCertificate *     localCert;
+
+    PRIPv6Addr            addr;
+    PRUint16              port;
+
+    SSL3ProtocolVersion   version;
+
+    PRUint32              creationTime;		/* seconds since Jan 1, 1970 */
+    PRUint32              lastAccessTime;	/* seconds since Jan 1, 1970 */
+    PRUint32              expirationTime;	/* seconds since Jan 1, 1970 */
+    Cached                cached;
+    int                   references;
+
+    SSLSignType           authAlgorithm;
+    PRUint32              authKeyBits;
+    SSLKEAType            keaType;
+    PRUint32              keaKeyBits;
+
+    union {
+	struct {
+	    /* the V2 code depends upon the size of sessionID.  */
+	    unsigned char         sessionID[SSL2_SESSIONID_BYTES];
+
+	    /* Stuff used to recreate key and read/write cipher objects */
+	    SECItem               masterKey;        /* never wrapped */
+	    int                   cipherType;
+	    SECItem               cipherArg;
+	    int                   keyBits;
+	    int                   secretKeyBits;
+	} ssl2;
+	struct {
+	    /* values that are copied into the server's on-disk SID cache. */
+	    uint8                 sessionIDLength;
+	    SSL3Opaque            sessionID[SSL3_SESSIONID_BYTES];
+
+	    ssl3CipherSuite       cipherSuite;
+	    SSL3CompressionMethod compression;
+	    int                   policy;
+	    ssl3SidKeys           keys;
+	    CK_MECHANISM_TYPE     masterWrapMech;
+				  /* mechanism used to wrap master secret */
+            SSL3KEAType           exchKeyType;
+				  /* key type used in exchange algorithm,
+				   * and to wrap the sym wrapping key. */
+#ifdef NSS_ENABLE_ECC
+	    PRUint32              negotiatedECCurves;
+#endif /* NSS_ENABLE_ECC */
+
+	    /* The following values are NOT restored from the server's on-disk
+	     * session cache, but are restored from the client's cache.
+	     */
+ 	    PK11SymKey *      clientWriteKey;
+	    PK11SymKey *      serverWriteKey;
+
+	    /* The following values pertain to the slot that wrapped the 
+	    ** master secret. (used only in client)
+	    */
+	    SECMODModuleID    masterModuleID;
+				    /* what module wrapped the master secret */
+	    CK_SLOT_ID        masterSlotID;
+	    PRUint16	      masterWrapIndex;
+				/* what's the key index for the wrapping key */
+	    PRUint16          masterWrapSeries;
+	                        /* keep track of the slot series, so we don't 
+				 * accidently try to use new keys after the 
+				 * card gets removed and replaced.*/
+
+	    /* The following values pertain to the slot that did the signature
+	    ** for client auth.   (used only in client)
+	    */
+	    SECMODModuleID    clAuthModuleID;
+	    CK_SLOT_ID        clAuthSlotID;
+	    PRUint16          clAuthSeries;
+
+            char              masterValid;
+	    char              clAuthValid;
+
+	    /* Session ticket if we have one, is sent as an extension in the
+	     * ClientHello message.  This field is used by clients.
+	     */
+	    NewSessionTicket  sessionTicket;
+	} ssl3;
+    } u;
+};
+
+
+typedef struct ssl3CipherSuiteDefStr {
+    ssl3CipherSuite          cipher_suite;
+    SSL3BulkCipher           bulk_cipher_alg;
+    SSL3MACAlgorithm         mac_alg;
+    SSL3KeyExchangeAlgorithm key_exchange_alg;
+} ssl3CipherSuiteDef;
+
+/*
+** There are tables of these, all const.
+*/
+typedef struct {
+    SSL3KeyExchangeAlgorithm kea;
+    SSL3KEAType              exchKeyType;
+    SSL3SignType             signKeyType;
+    PRBool                   is_limited;
+    int                      key_size_limit;
+    PRBool                   tls_keygen;
+} ssl3KEADef;
+
+typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
+
+/*
+** There are tables of these, all const.
+*/
+struct ssl3BulkCipherDefStr {
+    SSL3BulkCipher  cipher;
+    SSLCipherAlgorithm calg;
+    int             key_size;
+    int             secret_key_size;
+    CipherType      type;
+    int             iv_size;
+    int             block_size;
+    SSL3KeyGenMode  keygen_mode;
+};
+
+/*
+** There are tables of these, all const.
+*/
+struct ssl3MACDefStr {
+    SSL3MACAlgorithm mac;
+    CK_MECHANISM_TYPE mmech;
+    int              pad_size;
+    int              mac_size;
+};
+
+typedef enum {
+    wait_client_hello, 
+    wait_client_cert, 
+    wait_client_key,
+    wait_cert_verify, 
+    wait_change_cipher, 
+    wait_finished,
+    wait_server_hello, 
+    wait_server_cert, 
+    wait_server_key,
+    wait_cert_request, 
+    wait_hello_done,
+    wait_new_session_ticket,
+    idle_handshake
+} SSL3WaitState;
+
+/*
+ * TLS extension related constants and data structures.
+ */
+typedef struct TLSExtensionDataStr       TLSExtensionData;
+typedef struct SessionTicketDataStr      SessionTicketData;
+
+struct TLSExtensionDataStr {
+    /* registered callbacks that send server hello extensions */
+    ssl3HelloExtensionSender serverSenders[MAX_EXTENSIONS];
+    /* Keep track of the extensions that are negotiated. */
+    PRUint16 numAdvertised;
+    PRUint16 numNegotiated;
+    PRUint16 advertised[MAX_EXTENSIONS];
+    PRUint16 negotiated[MAX_EXTENSIONS];
+
+    /* SessionTicket Extension related data. */
+    PRBool ticketTimestampVerified;
+    PRBool emptySessionTicket;
+};
+
+/*
+** This is the "hs" member of the "ssl3" struct.
+** This entire struct is protected by ssl3HandshakeLock
+*/
+typedef struct SSL3HandshakeStateStr {
+    SSL3Random            server_random;
+    SSL3Random            client_random;
+    SSL3WaitState         ws;
+    PRUint64              md5_cx[MAX_MAC_CONTEXT_LLONGS];
+    PRUint64              sha_cx[MAX_MAC_CONTEXT_LLONGS];
+    PK11Context *         md5;            /* handshake running hashes */
+    PK11Context *         sha;
+const ssl3KEADef *        kea_def;
+    ssl3CipherSuite       cipher_suite;
+const ssl3CipherSuiteDef *suite_def;
+    SSL3CompressionMethod compression;
+    sslBuffer             msg_body;    /* protected by recvBufLock */
+                               /* partial handshake message from record layer */
+    unsigned int          header_bytes; 
+                               /* number of bytes consumed from handshake */
+                               /* message for message type and header length */
+    SSL3HandshakeType     msg_type;
+    unsigned long         msg_len;
+    SECItem               ca_list;     /* used only by client */
+    PRBool                isResuming;  /* are we resuming a session */
+    PRBool                rehandshake; /* immediately start another handshake 
+                                        * when this one finishes */
+    PRBool                usedStepDownKey;  /* we did a server key exchange. */
+    sslBuffer             msgState;    /* current state for handshake messages*/
+                                       /* protected by recvBufLock */
+    sslBuffer             messages;    /* Accumulated handshake messages */
+#ifdef NSS_ENABLE_ECC
+    PRUint32              negotiatedECCurves; /* bit mask */
+#endif /* NSS_ENABLE_ECC */
+} SSL3HandshakeState;
+
+
+
+/*
+** This is the "ssl3" struct, as in "ss->ssl3".
+** note:
+** usually,   crSpec == cwSpec and prSpec == pwSpec.  
+** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
+** But there are never more than 2 actual specs.  
+** No spec must ever be modified if either "current" pointer points to it.
+*/
+struct ssl3StateStr {
+
+    /*
+    ** The following Specs and Spec pointers must be protected using the 
+    ** Spec Lock.
+    */
+    ssl3CipherSpec *     crSpec; 	/* current read spec. */
+    ssl3CipherSpec *     prSpec; 	/* pending read spec. */
+    ssl3CipherSpec *     cwSpec; 	/* current write spec. */
+    ssl3CipherSpec *     pwSpec; 	/* pending write spec. */
+
+    CERTCertificate *    clientCertificate;  /* used by client */
+    SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
+    CERTCertificateList *clientCertChain;    /* used by client */
+    PRBool               sendEmptyCert;      /* used by client */
+
+    int                  policy;
+			/* This says what cipher suites we can do, and should 
+			 * be either SSL_ALLOWED or SSL_RESTRICTED 
+			 */
+    PRArenaPool *        peerCertArena;  
+			    /* These are used to keep track of the peer CA */
+    void *               peerCertChain;     
+			    /* chain while we are trying to validate it.   */
+    CERTDistNames *      ca_list; 
+			    /* used by server.  trusted CAs for this socket. */
+    PRBool               initialized;
+    SSL3HandshakeState   hs;
+    ssl3CipherSpec       specs[2];	/* one is current, one is pending. */
+};
+
+typedef struct {
+    SSL3ContentType      type;
+    SSL3ProtocolVersion  version;
+    sslBuffer *          buf;
+} SSL3Ciphertext;
+
+struct ssl3KeyPairStr {
+    SECKEYPrivateKey *    privKey;
+    SECKEYPublicKey *     pubKey;
+    PRInt32               refCount;	/* use PR_Atomic calls for this. */
+};
+
+typedef struct SSLWrappedSymWrappingKeyStr {
+    SSL3Opaque        wrappedSymmetricWrappingkey[512];
+    SSL3Opaque        wrapIV[24];
+    CK_MECHANISM_TYPE symWrapMechanism;  
+		    /* unwrapped symmetric wrapping key uses this mechanism */
+    CK_MECHANISM_TYPE asymWrapMechanism; 
+		    /* mechanism used to wrap the SymmetricWrappingKey using
+		     * server's public and/or private keys. */
+    SSL3KEAType       exchKeyType;   /* type of keys used to wrap SymWrapKey*/
+    PRInt32           symWrapMechIndex;
+    PRUint16          wrappedSymKeyLen;
+    PRUint16          wrapIVLen;
+} SSLWrappedSymWrappingKey;
+
+typedef struct SessionTicketStr {
+    uint16                ticket_version;
+    SSL3ProtocolVersion   ssl_version;
+    ssl3CipherSuite       cipher_suite;
+    SSL3CompressionMethod compression_method;
+    SSLSignType           authAlgorithm;
+    uint32                authKeyBits;
+    SSLKEAType            keaType;
+    uint32                keaKeyBits;
+    /*
+     * exchKeyType and msWrapMech contain meaningful values only if
+     * ms_is_wrapped is true.
+     */
+    uint8                 ms_is_wrapped;
+    SSLKEAType            exchKeyType; /* XXX(wtc): same as keaType above? */
+    CK_MECHANISM_TYPE     msWrapMech;
+    uint16                ms_length;
+    SSL3Opaque            master_secret[48];
+    ClientIdentity        client_identity;
+    SECItem               peer_cert;
+    uint32                timestamp;
+}  SessionTicket;
+
+/*
+ * SSL2 buffers used in SSL3.
+ *     writeBuf in the SecurityInfo maintained by sslsecur.c is used
+ *              to hold the data just about to be passed to the kernel
+ *     sendBuf in the ConnectInfo maintained by sslcon.c is used
+ *              to hold handshake messages as they are accumulated
+ */
+
+/*
+** This is "ci", as in "ss->sec.ci".
+**
+** Protection:  All the variables in here are protected by 
+** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock 
+*/
+struct sslConnectInfoStr {
+    /* outgoing handshakes appended to this. */
+    sslBuffer       sendBuf;	                /*xmitBufLock*/ /* ssl 2 & 3 */
+
+    PRIPv6Addr      peer;                                       /* ssl 2 & 3 */
+    unsigned short  port;                                       /* ssl 2 & 3 */
+
+    sslSessionID   *sid;                                        /* ssl 2 & 3 */
+
+    /* see CIS_HAVE defines below for the bit values in *elements. */
+    char            elements;					/* ssl2 only */
+    char            requiredElements;				/* ssl2 only */
+    char            sentElements;                               /* ssl2 only */
+
+    char            sentFinished;                               /* ssl2 only */
+
+    /* Length of server challenge.  Used by client when saving challenge */
+    int             serverChallengeLen;                         /* ssl2 only */
+    /* type of authentication requested by server */
+    unsigned char   authType;                                   /* ssl2 only */
+
+    /* Challenge sent by client to server in client-hello message */
+    /* SSL3 gets a copy of this.  See ssl3_StartHandshakeHash().  */
+    unsigned char   clientChallenge[SSL_MAX_CHALLENGE_BYTES];   /* ssl 2 & 3 */
+
+    /* Connection-id sent by server to client in server-hello message */
+    unsigned char   connectionID[SSL_CONNECTIONID_BYTES];	/* ssl2 only */
+
+    /* Challenge sent by server to client in request-certificate message */
+    unsigned char   serverChallenge[SSL_MAX_CHALLENGE_BYTES];	/* ssl2 only */
+
+    /* Information kept to handle a request-certificate message */
+    unsigned char   readKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
+    unsigned char   writeKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
+    unsigned        keySize;					/* ssl2 only */
+};
+
+/* bit values for ci->elements, ci->requiredElements, sentElements. */
+#define CIS_HAVE_MASTER_KEY		0x01
+#define CIS_HAVE_CERTIFICATE		0x02
+#define CIS_HAVE_FINISHED		0x04
+#define CIS_HAVE_VERIFY			0x08
+
+/* Note: The entire content of this struct and whatever it points to gets
+ * blown away by SSL_ResetHandshake().  This is "sec" as in "ss->sec".
+ *
+ * Unless otherwise specified below, the contents of this struct are 
+ * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
+ */
+struct sslSecurityInfoStr {
+    sslSendFunc      send;			/*xmitBufLock*/	/* ssl 2 & 3 */
+    int              isServer;			/* Spec Lock?*/	/* ssl 2 & 3 */
+    sslBuffer        writeBuf;			/*xmitBufLock*/	/* ssl 2 & 3 */
+
+    int              cipherType;				/* ssl 2 & 3 */
+    int              keyBits;					/* ssl 2 & 3 */
+    int              secretKeyBits;				/* ssl 2 & 3 */
+    CERTCertificate *localCert;					/* ssl 2 & 3 */
+    CERTCertificate *peerCert;					/* ssl 2 & 3 */
+    SECKEYPublicKey *peerKey;					/* ssl3 only */
+
+    SSLSignType      authAlgorithm;
+    PRUint32         authKeyBits;
+    SSLKEAType       keaType;
+    PRUint32         keaKeyBits;
+
+    /*
+    ** Procs used for SID cache (nonce) management. 
+    ** Different implementations exist for clients/servers 
+    ** The lookup proc is only used for servers.  Baloney!
+    */
+    sslSessionIDCacheFunc     cache;				/* ssl 2 & 3 */
+    sslSessionIDUncacheFunc   uncache;				/* ssl 2 & 3 */
+
+    /*
+    ** everything below here is for ssl2 only.
+    ** This stuff is equivalent to SSL3's "spec", and is protected by the 
+    ** same "Spec Lock" as used for SSL3's specs.
+    */
+    PRUint32           sendSequence;		/*xmitBufLock*/	/* ssl2 only */
+    PRUint32           rcvSequence;		/*recvBufLock*/	/* ssl2 only */
+
+    /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
+    const SECHashObject   *hash;		/* Spec Lock */ /* ssl2 only */
+    void            *hashcx;			/* Spec Lock */	/* ssl2 only */
+
+    SECItem          sendSecret;		/* Spec Lock */	/* ssl2 only */
+    SECItem          rcvSecret;			/* Spec Lock */	/* ssl2 only */
+
+    /* Session cypher contexts; one for each direction */
+    void            *readcx;			/* Spec Lock */	/* ssl2 only */
+    void            *writecx;			/* Spec Lock */	/* ssl2 only */
+    SSLCipher        enc;			/* Spec Lock */	/* ssl2 only */
+    SSLCipher        dec;			/* Spec Lock */	/* ssl2 only */
+    void           (*destroy)(void *, PRBool);	/* Spec Lock */	/* ssl2 only */
+
+    /* Blocking information for the session cypher */
+    int              blockShift;		/* Spec Lock */	/* ssl2 only */
+    int              blockSize;			/* Spec Lock */	/* ssl2 only */
+
+    /* These are used during a connection handshake */
+    sslConnectInfo   ci;					/* ssl 2 & 3 */
+
+};
+
+
+/*
+** SSL Socket struct
+**
+** Protection:  XXX
+*/
+struct sslSocketStr {
+    PRFileDesc *	fd;
+
+    /* Pointer to operations vector for this socket */
+    const sslSocketOps * ops;
+
+    /* SSL socket options */
+    sslOptions       opt;
+
+    /* State flags */
+    unsigned long    clientAuthRequested;
+    unsigned long    delayDisabled;       /* Nagle delay disabled */
+    unsigned long    firstHsDone;         /* first handshake is complete. */
+    unsigned long    handshakeBegun;     
+    unsigned long    lastWriteBlocked;   
+    unsigned long    recvdCloseNotify;    /* received SSL EOF. */
+    unsigned long    TCPconnected;       
+    unsigned long    appDataBuffered;
+
+    /* version of the protocol to use */
+    SSL3ProtocolVersion version;
+    SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
+
+    sslSecurityInfo  sec;		/* not a pointer any more */
+
+    /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
+    const char      *url;				/* ssl 2 & 3 */
+
+    sslHandshakeFunc handshake;				/*firstHandshakeLock*/
+    sslHandshakeFunc nextHandshake;			/*firstHandshakeLock*/
+    sslHandshakeFunc securityHandshake;			/*firstHandshakeLock*/
+
+    /* the following variable is only used with socks or other proxies. */
+    char *           peerID;	/* String uniquely identifies target server. */
+
+    unsigned char *  cipherSpecs;
+    unsigned int     sizeCipherSpecs;
+const unsigned char *  preferredCipher;
+
+    ssl3KeyPair *         stepDownKeyPair;	/* RSA step down keys */
+
+    /* Callbacks */
+    SSLAuthCertificate        authCertificate;
+    void                     *authCertificateArg;
+    SSLGetClientAuthData      getClientAuthData;
+    void                     *getClientAuthDataArg;
+    SSLBadCertHandler         handleBadCert;
+    void                     *badCertArg;
+    SSLHandshakeCallback      handshakeCallback;
+    void                     *handshakeCallbackData;
+    void                     *pkcs11PinArg;
+
+    PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime            cTimeout; /* timeout for NSPR I/O */
+
+    PZLock *      recvLock;	/* lock against multiple reader threads. */
+    PZLock *      sendLock;	/* lock against multiple sender threads. */
+
+    PZMonitor *   recvBufLock;	/* locks low level recv buffers. */
+    PZMonitor *   xmitBufLock;	/* locks low level xmit buffers. */
+
+    /* Only one thread may operate on the socket until the initial handshake
+    ** is complete.  This Monitor ensures that.  Since SSL2 handshake is
+    ** only done once, this is also effectively the SSL2 handshake lock.
+    */
+    PZMonitor *   firstHandshakeLock; 
+
+    /* This monitor protects the ssl3 handshake state machine data.
+    ** Only one thread (reader or writer) may be in the ssl3 handshake state
+    ** machine at any time.  */
+    PZMonitor *   ssl3HandshakeLock;
+
+    /* reader/writer lock, protects the secret data needed to encrypt and MAC
+    ** outgoing records, and to decrypt and MAC check incoming ciphertext 
+    ** records.  */
+    NSSRWLock *   specLock;
+
+    /* handle to perm cert db (and implicitly to the temp cert db) used 
+    ** with this socket. 
+    */
+    CERTCertDBHandle * dbHandle;
+
+    PRThread *  writerThread;   /* thread holds SSL_LOCK_WRITER lock */
+
+    PRUint16	shutdownHow; 	/* See ssl_SHUTDOWN defines below. */
+
+    PRUint16	allowedByPolicy;          /* copy of global policy bits. */
+    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */
+    PRUint16	chosenPreference;         /* SSL2 cipher preferences. */
+
+    sslHandshakingType handshaking;
+
+    /* Gather object used for gathering data */
+    sslGather        gs;				/*recvBufLock*/
+
+    sslBuffer        saveBuf;				/*xmitBufLock*/
+    sslBuffer        pendingBuf;			/*xmitBufLock*/
+
+    /* Configuration state for server sockets */
+    /* server cert and key for each KEA type */
+    sslServerCerts        serverCerts[kt_kea_size];
+
+    ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
+    ssl3KeyPair *         ephemeralECDHKeyPair; /* for ECDHE-* handshake */
+
+    /* SSL3 state info.  Formerly was a pointer */
+    ssl3State        ssl3;
+
+    /*
+     * TLS extension related data.
+     */
+    /* True when the current session is a stateless resume. */
+    PRBool               statelessResume;
+    TLSExtensionData     xtnData;
+};
+
+
+
+/* All the global data items declared here should be protected using the 
+** ssl_global_data_lock, which is a reader/writer lock.
+*/
+extern NSSRWLock *             ssl_global_data_lock;
+extern char                    ssl_debug;
+extern char                    ssl_trace;
+extern FILE *                  ssl_trace_iob;
+extern CERTDistNames *         ssl3_server_ca_list;
+extern PRUint32                ssl_sid_timeout;
+extern PRUint32                ssl3_sid_timeout;
+extern PRBool                  ssl3_global_policy_some_restricted;
+
+extern const char * const      ssl_cipherName[];
+extern const char * const      ssl3_cipherName[];
+
+extern sslSessionIDLookupFunc  ssl_sid_lookup;
+extern sslSessionIDCacheFunc   ssl_sid_cache;
+extern sslSessionIDUncacheFunc ssl_sid_uncache;
+
+/************************************************************************/
+
+SEC_BEGIN_PROTOS
+
+/* Implementation of ops for default (non socks, non secure) case */
+extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
+extern int ssl_DefListen(sslSocket *ss, int backlog);
+extern int ssl_DefShutdown(sslSocket *ss, int how);
+extern int ssl_DefClose(sslSocket *ss);
+extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
+extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
+		       int len, int flags);
+extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
+extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
+extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
+extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
+			     void *optval, PRInt32 *optlen);
+extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
+			     const void *optval, PRInt32 optlen);
+
+/* Implementation of ops for socks only case */
+extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
+extern int ssl_SocksListen(sslSocket *ss, int backlog);
+extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
+extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
+extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
+			 int len, int flags);
+extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
+
+/* Implementation of ops for secure only case */
+extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
+			  int len, int flags);
+extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
+			  int len, int flags);
+extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
+extern int ssl_SecureShutdown(sslSocket *ss, int how);
+extern int ssl_SecureClose(sslSocket *ss);
+
+/* Implementation of ops for secure socks case */
+extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
+extern PRFileDesc *ssl_FindTop(sslSocket *ss);
+
+/* Gather funcs. */
+extern sslGather * ssl_NewGather(void);
+extern SECStatus   ssl_InitGather(sslGather *gs);
+extern void        ssl_DestroyGather(sslGather *gs);
+extern int         ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
+extern int         ssl2_GatherRecord(sslSocket *ss, int flags);
+extern SECStatus   ssl_GatherRecord1stHandshake(sslSocket *ss);
+
+extern SECStatus   ssl2_HandleClientHelloMessage(sslSocket *ss);
+extern SECStatus   ssl2_HandleServerHelloMessage(sslSocket *ss);
+extern int         ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, 
+                                         unsigned int count);
+
+extern SECStatus   ssl_CreateSecurityInfo(sslSocket *ss);
+extern SECStatus   ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
+extern void        ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
+extern void        ssl_DestroySecurityInfo(sslSecurityInfo *sec);
+
+extern sslSocket * ssl_DupSocket(sslSocket *old);
+
+extern void        ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
+extern void        ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
+
+extern int         ssl_SendSavedWriteData(sslSocket *ss);
+extern SECStatus ssl_SaveWriteData(sslSocket *ss, 
+                                   const void* p, unsigned int l);
+extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
+extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
+extern int       ssl_Do1stHandshake(sslSocket *ss);
+
+extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
+extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, 
+		                  unsigned int len);
+
+extern void      ssl2_UseClearSendFunc(sslSocket *ss);
+extern void      ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
+
+extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
+extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, 
+                                   const char *peerID, const char *urlSvrName);
+extern void      ssl_FreeSID(sslSessionID *sid);
+
+extern int       ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
+				          int len, int flags);
+
+extern PRBool    ssl_FdIsBlocking(PRFileDesc *fd);
+
+extern PRBool    ssl_SocketIsBlocking(sslSocket *ss);
+
+extern void      ssl_SetAlwaysBlock(sslSocket *ss);
+
+extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+
+#define SSL_LOCK_READER(ss)		if (ss->recvLock) PZ_Lock(ss->recvLock)
+#define SSL_UNLOCK_READER(ss)		if (ss->recvLock) PZ_Unlock(ss->recvLock)
+#define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
+#define SSL_UNLOCK_WRITER(ss)		if (ss->sendLock) PZ_Unlock(ss->sendLock)
+
+#define ssl_Get1stHandshakeLock(ss)     \
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); }
+#define ssl_Release1stHandshakeLock(ss) \
+    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
+#define ssl_Have1stHandshakeLock(ss)    \
+    (PZ_InMonitor((ss)->firstHandshakeLock))
+
+#define ssl_GetSSL3HandshakeLock(ss)	\
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); }
+#define ssl_ReleaseSSL3HandshakeLock(ss) \
+    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
+#define ssl_HaveSSL3HandshakeLock(ss)	\
+    (PZ_InMonitor((ss)->ssl3HandshakeLock))
+
+#define ssl_GetSpecReadLock(ss)		\
+    { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
+#define ssl_ReleaseSpecReadLock(ss)	\
+    { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
+
+#define ssl_GetSpecWriteLock(ss)	\
+    { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
+#define ssl_ReleaseSpecWriteLock(ss)	\
+    { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
+#define ssl_HaveSpecWriteLock(ss)	\
+    (NSSRWLock_HaveWriteLock((ss)->specLock))
+
+#define ssl_GetRecvBufLock(ss)		\
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->recvBufLock); }
+#define ssl_ReleaseRecvBufLock(ss)	\
+    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
+#define ssl_HaveRecvBufLock(ss)		\
+    (PZ_InMonitor((ss)->recvBufLock))
+
+#define ssl_GetXmitBufLock(ss)		\
+    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
+#define ssl_ReleaseXmitBufLock(ss)	\
+    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
+#define ssl_HaveXmitBufLock(ss)		\
+    (PZ_InMonitor((ss)->xmitBufLock))
+
+
+extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
+		    const unsigned char * cr, const unsigned char * sr,
+		    PRBool isTLS, PRBool isExport);
+extern  SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
+		    const unsigned char * cr, const unsigned char * sr,
+		    const SECItem * pms, PRBool isTLS, PRBool isRSA);
+
+/* These functions are called from secnav, even though they're "private". */
+
+extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
+extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss);
+extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
+					    CERTCertificate *cert,
+					    SECKEYPrivateKey *key,
+					    CERTCertificateList *certChain);
+extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
+extern void ssl_FreeSocket(struct sslSocketStr *ssl);
+extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
+				SSL3AlertDescription desc);
+
+extern int ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
+					     CERTCertificate *    cert, 
+					     SECKEYPrivateKey *   key);
+
+extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket *    ss,
+					     CERTCertificate *    cert, 
+					     SECKEYPrivateKey *   key,
+					     CERTCertificateList *certChain);
+
+extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
+extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
+
+/*
+ * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
+ */
+extern SECStatus ssl3_HandleV2ClientHello(
+    sslSocket *ss, unsigned char *buffer, int length);
+extern SECStatus ssl3_StartHandshakeHash(
+    sslSocket *ss, unsigned char *buf, int length);
+
+/*
+ * SSL3 specific routines
+ */
+SECStatus ssl3_SendClientHello(sslSocket *ss);
+
+/*
+ * input into the SSL3 machinery from the actualy network reading code
+ */
+SECStatus ssl3_HandleRecord(
+    sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
+
+int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
+int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
+/*
+ * When talking to export clients or using export cipher suites, servers 
+ * with public RSA keys larger than 512 bits need to use a 512-bit public
+ * key, signed by the larger key.  The smaller key is a "step down" key.
+ * Generate that key pair and keep it around.
+ */
+extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
+
+#ifdef NSS_ENABLE_ECC
+extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
+extern PRBool    ssl3_IsECCEnabled(sslSocket *ss);
+extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, 
+                                       const ssl3CipherSuite * suite);
+
+/* Macro for finding a curve equivalent in strength to RSA key's */
+#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
+        ((s <= 1024) ? 160 \
+	  : ((s <= 2048) ? 224 \
+	    : ((s <= 3072) ? 256 \
+	      : ((s <= 7168) ? 384 : 521 ) ) ) )
+
+/* Types and names of elliptic curves used in TLS */
+typedef enum { ec_type_explicitPrime      = 1,
+	       ec_type_explicitChar2Curve = 2,
+	       ec_type_named
+} ECType;
+
+typedef enum { ec_noName     = 0,
+	       ec_sect163k1  = 1, 
+	       ec_sect163r1  = 2, 
+	       ec_sect163r2  = 3,
+	       ec_sect193r1  = 4, 
+	       ec_sect193r2  = 5, 
+	       ec_sect233k1  = 6,
+	       ec_sect233r1  = 7, 
+	       ec_sect239k1  = 8, 
+	       ec_sect283k1  = 9,
+	       ec_sect283r1  = 10, 
+	       ec_sect409k1  = 11, 
+	       ec_sect409r1  = 12,
+	       ec_sect571k1  = 13, 
+	       ec_sect571r1  = 14, 
+	       ec_secp160k1  = 15,
+	       ec_secp160r1  = 16, 
+	       ec_secp160r2  = 17, 
+	       ec_secp192k1  = 18,
+	       ec_secp192r1  = 19, 
+	       ec_secp224k1  = 20, 
+	       ec_secp224r1  = 21,
+	       ec_secp256k1  = 22, 
+	       ec_secp256r1  = 23, 
+	       ec_secp384r1  = 24,
+	       ec_secp521r1  = 25,
+	       ec_pastLastName
+} ECName;
+
+extern SECStatus ssl3_ECName2Params(PRArenaPool *arena, ECName curve,
+				   SECKEYECParams *params);
+ECName	ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
+
+
+#endif /* NSS_ENABLE_ECC */
+
+extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
+extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
+extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
+extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
+
+extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
+extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
+extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
+extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
+
+extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
+extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
+extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
+extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
+
+extern void      ssl2_InitSocketPolicy(sslSocket *ss);
+extern void      ssl3_InitSocketPolicy(sslSocket *ss);
+
+extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
+						 unsigned char *cs, int *size);
+
+extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
+
+extern void ssl3_DestroySSL3Info(sslSocket *ss);
+
+extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
+                                       SSL3ProtocolVersion peerVersion);
+
+extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
+
+#ifdef NSS_ENABLE_ECC
+/* ECDH functions */
+extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss, 
+			     SECKEYPublicKey * svrPubKey);
+extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, 
+					SSL3Opaque *b, PRUint32 length);
+extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, 
+				     SSL3Opaque *b, PRUint32 length,
+                                     SECKEYPublicKey *srvrPubKey,
+                                     SECKEYPrivateKey *srvrPrivKey);
+extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
+#endif
+
+extern SECStatus ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, 
+				unsigned int bufLen, SSL3Hashes *hashes, 
+				PRBool bypassPKCS11);
+extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
+extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, 
+			PRInt32 bytes);
+extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, 
+			SSL3HandshakeType t, PRUint32 length);
+extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, 
+			PRInt32 lenSize);
+extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss, 
+			const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
+extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, 
+			SSL3Opaque **b, PRUint32 *length);
+extern PRInt32   ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, 
+			SSL3Opaque **b, PRUint32 *length);
+extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, 
+			PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
+extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, 
+			SECItem *buf, PRBool isTLS);
+extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash, 
+			CERTCertificate *cert, SECItem *buf, PRBool isTLS, 
+			void *pwArg);
+extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
+			sslSessionID *sid, ssl3CipherSpec *spec,
+			SSL3KEAType effectiveExchKeyType);
+
+/* Functions that handle ClientHello and ServerHello extensions. */
+extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
+			PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
+			PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
+			PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
+			PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
+			PRUint16 ex_type, SECItem *data);
+
+/* ClientHello and ServerHello extension senders.
+ * Note that not all extension senders are exposed here; only those that
+ * that need exposure.
+ */
+extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
+			PRUint32 maxBytes);
+#ifdef NSS_ENABLE_ECC
+extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
+			PRBool append, PRUint32 maxBytes);
+extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
+			PRBool append, PRUint32 maxBytes);
+#endif
+
+/* call the registered extension handlers. */
+extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, 
+			SSL3Opaque **b, PRUint32 *length);
+
+/* Hello Extension related routines. */
+extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
+extern SECStatus ssl3_SetSIDSessionTicket(sslSessionID *sid,
+			NewSessionTicket *session_ticket);
+extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
+extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
+			unsigned char *encKey, unsigned char *macKey);
+extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
+			SECKEYPublicKey *svrPubKey, void *pwArg,
+			unsigned char *keyName, PK11SymKey **aesKey,
+			PK11SymKey **macKey);
+
+/* Tell clients to consider tickets valid for this long. */
+#define TLS_EX_SESS_TICKET_LIFETIME_HINT    (2 * 24 * 60 * 60) /* 2 days */
+#define TLS_EX_SESS_TICKET_VERSION          (0x0100)
+
+/* Construct a new NSPR socket for the app to use */
+extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
+extern void ssl_FreePRSocket(PRFileDesc *fd);
+
+/* Internal config function so SSL2 can initialize the present state of 
+ * various ciphers */
+extern int ssl3_config_match_init(sslSocket *);
+
+
+/* Create a new ref counted key pair object from two keys. */
+extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, 
+                                      SECKEYPublicKey * pubKey);
+
+/* get a new reference (bump ref count) to an ssl3KeyPair. */
+extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
+
+/* Decrement keypair's ref count and free if zero. */
+extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
+
+/* calls for accessing wrapping keys across processes. */
+extern PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk);
+
+/* The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the file on disk.  
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/semaphores necessary to make 
+ * the operation atomic.
+ */
+extern PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
+
+/* get rid of the symmetric wrapping key references. */
+extern SECStatus SSL3_ShutdownServerCache(void);
+
+extern SECStatus ssl_InitSymWrapKeysLock(void);
+
+extern SECStatus ssl_FreeSymWrapKeysLock(void);
+
+extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
+
+extern SECStatus ssl_FreeSessionCacheLocks(void);
+
+
+/********************** misc calls *********************/
+
+extern int ssl_MapLowLevelError(int hiLevelError);
+
+extern PRUint32 ssl_Time(void);
+
+extern void SSL_AtomicIncrementLong(long * x);
+
+SECStatus SSL_DisableDefaultExportCipherSuites(void);
+SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
+PRBool    SSL_IsExportCipherSuite(PRUint16 cipherSuite);
+
+
+#ifdef TRACE
+#define SSL_TRACE(msg) ssl_Trace msg
+#else
+#define SSL_TRACE(msg)
+#endif
+
+void ssl_Trace(const char *format, ...);
+
+SEC_END_PROTOS
+
+#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
+#define SSL_GETPID getpid
+#elif defined(_WIN32_WCE)
+#define SSL_GETPID GetCurrentProcessId
+#elif defined(WIN32)
+extern int __cdecl _getpid(void);
+#define SSL_GETPID _getpid
+#else
+#define SSL_GETPID() 0
+#endif
+
+#endif /* __sslimpl_h_ */
diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c
new file mode 100644
index 000000000..7151d0bde
--- /dev/null
+++ b/security/nss/lib/ssl/sslinfo.c
@@ -0,0 +1,283 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+
+SECStatus 
+SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
+{
+    sslSocket *      ss;
+    SSLChannelInfo   inf;
+    sslSessionID *   sid;
+
+    if (!info || len < sizeof inf.length) { 
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    memset(&inf, 0, sizeof inf);
+    inf.length = PR_MIN(sizeof inf, len);
+
+    if (ss->opt.useSecurity && ss->firstHsDone) {
+        sid = ss->sec.ci.sid;
+	inf.protocolVersion  = ss->version;
+	inf.authKeyBits      = ss->sec.authKeyBits;
+	inf.keaKeyBits       = ss->sec.keaKeyBits;
+	if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
+	    inf.cipherSuite      = ss->sec.cipherType | 0xff00;
+	} else if (ss->ssl3.initialized) { 	/* SSL3 and TLS */
+
+	    /* XXX  These should come from crSpec */
+	    inf.cipherSuite      = ss->ssl3.hs.cipher_suite;
+	}
+	if (sid) {
+	    inf.creationTime   = sid->creationTime;
+	    inf.lastAccessTime = sid->lastAccessTime;
+	    inf.expirationTime = sid->expirationTime;
+	    if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
+	        inf.sessionIDLength = SSL2_SESSIONID_BYTES;
+		memcpy(inf.sessionID, sid->u.ssl2.sessionID, 
+		       SSL2_SESSIONID_BYTES);
+	    } else {
+		unsigned int sidLen = sid->u.ssl3.sessionIDLength;
+	        sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
+	        inf.sessionIDLength = sidLen;
+		memcpy(inf.sessionID, sid->u.ssl3.sessionID, sidLen);
+	    }
+	}
+    }
+
+    memcpy(info, &inf, inf.length);
+
+    return SECSuccess;
+}
+
+
+#define CS(x) x, #x
+#define CK(x) x | 0xff00, #x
+
+#define S_DSA   "DSA", ssl_auth_dsa
+#define S_RSA	"RSA", ssl_auth_rsa
+#define S_KEA   "KEA", ssl_auth_kea
+#define S_ECDSA "ECDSA", ssl_auth_ecdsa
+
+#define K_DHE	"DHE", kt_dh
+#define K_RSA	"RSA", kt_rsa
+#define K_KEA	"KEA", kt_kea
+#define K_ECDH	"ECDH", kt_ecdh
+#define K_ECDHE	"ECDHE", kt_ecdh
+
+#define C_CAMELLIA	"CAMELLIA", calg_camellia
+#define C_AES	"AES", calg_aes
+#define C_RC4	"RC4", calg_rc4
+#define C_RC2	"RC2", calg_rc2
+#define C_DES	"DES", calg_des
+#define C_3DES	"3DES", calg_3des
+#define C_NULL  "NULL", calg_null
+#define C_SJ 	"SKIPJACK", calg_sj
+
+#define B_256	256, 256, 256
+#define B_128	128, 128, 128
+#define B_3DES  192, 156, 112
+#define B_SJ     96,  80,  80
+#define B_DES    64,  56,  56
+#define B_56    128,  56,  56
+#define B_40    128,  40,  40
+#define B_0  	  0,   0,   0
+
+#define M_SHA	"SHA1", ssl_mac_sha, 160
+#define M_MD5	"MD5",  ssl_mac_md5, 128
+
+static const SSLCipherSuiteInfo suiteInfo[] = {
+/* <------ Cipher suite --------------------> <auth> <KEA>  <bulk cipher> <MAC> <FIPS> */
+{0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA),      S_RSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA),      S_DSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+{0,CS(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA),     S_RSA, K_RSA, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA),          S_RSA, K_RSA, C_AES, B_256, M_SHA, 1, 0, 0, },
+
+{0,CS(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA),          S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),      S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),      S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA),     S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
+{0,CS(SSL_RSA_WITH_RC4_128_MD5),              S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CS(SSL_RSA_WITH_RC4_128_SHA),              S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA),          S_RSA, K_RSA, C_AES, B_128, M_SHA, 1, 0, 0, },
+
+{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),     S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),     S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+{0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, },
+{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA),         S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+
+{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA),          S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA),          S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA),         S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 1, },
+{0,CS(SSL_RSA_WITH_DES_CBC_SHA),              S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, },
+
+{0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA),    S_RSA, K_RSA, C_RC4, B_56,  M_SHA, 0, 1, 0, },
+{0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA),   S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 1, 0, },
+{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5),        S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),    S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(SSL_RSA_WITH_NULL_SHA),                 S_RSA, K_RSA, C_NULL,B_0,   M_SHA, 0, 1, 0, },
+{0,CS(SSL_RSA_WITH_NULL_MD5),                 S_RSA, K_RSA, C_NULL,B_0,   M_MD5, 0, 1, 0, },
+
+#ifdef NSS_ENABLE_ECC
+/* ECC cipher suites */
+{0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA),          S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA),       S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA),  S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA),   S_ECDSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA),   S_ECDSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
+
+{0,CS(TLS_ECDHE_ECDSA_WITH_NULL_SHA),         S_ECDSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA),      S_ECDSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+
+{0,CS(TLS_ECDH_RSA_WITH_NULL_SHA),            S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA),         S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
+
+{0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA),           S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA),        S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA),   S_RSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
+{0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
+#endif /* NSS_ENABLE_ECC */
+
+/* SSL 2 table */
+{0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5),      S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_DES_64_CBC_WITH_MD5),            S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
+{0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5),  S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, }
+};
+
+#define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
+
+
+SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
+                                 SSLCipherSuiteInfo *info, PRUintn len)
+{
+    unsigned int i;
+
+    len = PR_MIN(len, sizeof suiteInfo[0]);
+    if (!info || len < sizeof suiteInfo[0].length) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    for (i = 0; i < NUM_SUITEINFOS; i++) {
+    	if (suiteInfo[i].cipherSuite == cipherSuite) {
+	    memcpy(info, &suiteInfo[i], len);
+	    info->length = len;
+	    return SECSuccess;
+	}
+    }
+    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    return SECFailure;
+}
+
+/* This function might be a candidate to be public. 
+ * Disables all export ciphers in the default set of enabled ciphers.
+ */
+SECStatus 
+SSL_DisableDefaultExportCipherSuites(void)
+{
+    const SSLCipherSuiteInfo * pInfo = suiteInfo;
+    unsigned int i;
+    SECStatus rv;
+
+    for (i = 0; i < NUM_SUITEINFOS; ++i, ++pInfo) {
+    	if (pInfo->isExportable) {
+	    rv = SSL_CipherPrefSetDefault(pInfo->cipherSuite, PR_FALSE);
+	    PORT_Assert(rv == SECSuccess);
+	}
+    }
+    return SECSuccess;
+}
+
+/* This function might be a candidate to be public, 
+ * except that it takes an sslSocket pointer as an argument.
+ * A Public version would take a PRFileDesc pointer.
+ * Disables all export ciphers in the default set of enabled ciphers.
+ */
+SECStatus 
+SSL_DisableExportCipherSuites(PRFileDesc * fd)
+{
+    const SSLCipherSuiteInfo * pInfo = suiteInfo;
+    unsigned int i;
+    SECStatus rv;
+
+    for (i = 0; i < NUM_SUITEINFOS; ++i, ++pInfo) {
+    	if (pInfo->isExportable) {
+	    rv = SSL_CipherPrefSet(fd, pInfo->cipherSuite, PR_FALSE);
+	    PORT_Assert(rv == SECSuccess);
+	}
+    }
+    return SECSuccess;
+}
+
+/* Tells us if the named suite is exportable 
+ * returns false for unknown suites.
+ */
+PRBool
+SSL_IsExportCipherSuite(PRUint16 cipherSuite)
+{
+    unsigned int i;
+    for (i = 0; i < NUM_SUITEINFOS; i++) {
+    	if (suiteInfo[i].cipherSuite == cipherSuite) {
+	    return (PRBool)(suiteInfo[i].isExportable);
+	}
+    }
+    return PR_FALSE;
+}
diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c
new file mode 100644
index 000000000..77860b3fa
--- /dev/null
+++ b/security/nss/lib/ssl/sslmutex.c
@@ -0,0 +1,662 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "seccomon.h"
+/* This ifdef should match the one in sslsnce.c */
+#if (defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+
+#include "sslmutex.h"
+#include "prerr.h"
+
+static SECStatus single_process_sslMutex_Init(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0 && pMutex->u.sslLock == 0 );
+    
+    pMutex->u.sslLock = PR_NewLock();
+    if (!pMutex->u.sslLock) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0);
+    PR_ASSERT(pMutex->u.sslLock!= 0);
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_DestroyLock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0 );
+    PR_ASSERT(pMutex->u.sslLock !=0);
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_Unlock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Lock(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0);
+    PR_ASSERT(pMutex->u.sslLock != 0 );
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_Lock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+#if defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || defined(NETBSD) || defined(OPENBSD)
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+#include "unix_err.h"
+#include "pratom.h"
+
+#define SSL_MUTEX_MAGIC 0xfeedfd
+#define NONBLOCKING_POSTS 1	/* maybe this is faster */
+
+#if NONBLOCKING_POSTS
+
+#ifndef FNONBLOCK
+#define FNONBLOCK O_NONBLOCK
+#endif
+
+static int
+setNonBlocking(int fd, int nonBlocking)
+{
+    int flags;
+    int err;
+
+    flags = fcntl(fd, F_GETFL, 0);
+    if (0 > flags)
+	return flags;
+    if (nonBlocking)
+	flags |= FNONBLOCK;
+    else
+	flags &= ~FNONBLOCK;
+    err = fcntl(fd, F_SETFL, flags);
+    return err;
+}
+#endif
+
+SECStatus
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    int  err;
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    pMutex->u.pipeStr.mPipes[0] = -1;
+    pMutex->u.pipeStr.mPipes[1] = -1;
+    pMutex->u.pipeStr.mPipes[2] = -1;
+    pMutex->u.pipeStr.nWaiters  =  0;
+
+    err = pipe(pMutex->u.pipeStr.mPipes);
+    if (err) {
+	return err;
+    }
+#if NONBLOCKING_POSTS
+    err = setNonBlocking(pMutex->u.pipeStr.mPipes[1], 1);
+    if (err)
+	goto loser;
+#endif
+
+    pMutex->u.pipeStr.mPipes[2] = SSL_MUTEX_MAGIC;
+
+#if defined(LINUX) && defined(i386)
+    /* Pipe starts out empty */
+    return SECSuccess;
+#else
+    /* Pipe starts with one byte. */
+    return sslMutex_Unlock(pMutex);
+#endif
+
+loser:
+    nss_MD_unix_map_default_error(errno);
+    close(pMutex->u.pipeStr.mPipes[0]);
+    close(pMutex->u.pipeStr.mPipes[1]);
+    return SECFailure;
+}
+
+SECStatus
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    close(pMutex->u.pipeStr.mPipes[0]);
+    close(pMutex->u.pipeStr.mPipes[1]);
+
+    pMutex->u.pipeStr.mPipes[0] = -1;
+    pMutex->u.pipeStr.mPipes[1] = -1;
+    pMutex->u.pipeStr.mPipes[2] = -1;
+    pMutex->u.pipeStr.nWaiters  =  0;
+
+    return SECSuccess;
+}
+
+#if defined(LINUX) && defined(i386)
+/* No memory barrier needed for this platform */
+
+/* nWaiters includes the holder of the lock (if any) and the number
+** threads waiting for it.  After incrementing nWaiters, if the count
+** is exactly 1, then you have the lock and may proceed.  If the 
+** count is greater than 1, then you must wait on the pipe.
+*/ 
+
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    PRInt32 newValue;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    /* Do Memory Barrier here. */
+    newValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters);
+    if (newValue > 0) {
+	int  cc;
+	char c  = 1;
+	do {
+	    cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
+	} while (cc < 0 && (errno == EINTR || errno == EAGAIN));
+	if (cc != 1) {
+	    if (cc < 0)
+		nss_MD_unix_map_default_error(errno);
+	    else
+		PORT_SetError(PR_UNKNOWN_ERROR);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    PRInt32 newValue;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    newValue = PR_AtomicIncrement(&pMutex->u.pipeStr.nWaiters);
+    /* Do Memory Barrier here. */
+    if (newValue > 1) {
+	int   cc;
+	char  c;
+	do {
+	    cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
+	} while (cc < 0 && errno == EINTR);
+	if (cc != 1) {
+	    if (cc < 0)
+		nss_MD_unix_map_default_error(errno);
+	    else
+		PORT_SetError(PR_UNKNOWN_ERROR);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+#else
+
+/* Using Atomic operations requires the use of a memory barrier instruction 
+** on PowerPC, Sparc, and Alpha.  NSPR's PR_Atomic functions do not perform
+** them, and NSPR does not provide a function that does them (e.g. PR_Barrier).
+** So, we don't use them on those platforms. 
+*/
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    int  cc;
+    char c  = 1;
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    do {
+	cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
+    } while (cc < 0 && (errno == EINTR || errno == EAGAIN));
+    if (cc != 1) {
+	if (cc < 0)
+	    nss_MD_unix_map_default_error(errno);
+	else
+	    PORT_SetError(PR_UNKNOWN_ERROR);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    int   cc;
+    char  c;
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+ 
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+
+    do {
+	cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
+    } while (cc < 0 && errno == EINTR);
+    if (cc != 1) {
+	if (cc < 0)
+	    nss_MD_unix_map_default_error(errno);
+	else
+	    PORT_SetError(PR_UNKNOWN_ERROR);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+#endif
+
+#elif defined(WIN32)
+
+#include "win32err.h"
+
+/* on Windows, we need to find the optimal type of locking mechanism to use
+ for the sslMutex.
+
+ There are 3 cases :
+ 1) single-process, use a PRLock, as for all other platforms
+ 2) Win95 multi-process, use a Win32 mutex
+ 3) on WINNT multi-process, use a PRLock + a Win32 mutex
+
+*/
+
+#ifdef WINNT
+
+SECStatus sslMutex_2LevelInit(sslMutex *sem)
+{
+    /*  the following adds a PRLock to sslMutex . This is done in each
+        process of a multi-process server and is only needed on WINNT, if
+        using fibers. We can't tell if native threads or fibers are used, so
+        we always do it on WINNT
+    */
+    PR_ASSERT(sem);
+    if (sem) {
+        /* we need to reset the sslLock in the children or the single_process init
+           function below will assert */
+        sem->u.sslLock = NULL;
+    }
+    return single_process_sslMutex_Init(sem);
+}
+
+static SECStatus sslMutex_2LevelDestroy(sslMutex *sem)
+{
+    return single_process_sslMutex_Destroy(sem);
+}
+
+#endif
+
+SECStatus
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+#ifdef WINNT
+    SECStatus retvalue;
+#endif
+    HANDLE hMutex;
+    SECURITY_ATTRIBUTES attributes =
+                                { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
+
+    PR_ASSERT(pMutex != 0 && (pMutex->u.sslMutx == 0 || 
+              pMutex->u.sslMutx == INVALID_HANDLE_VALUE) );
+    
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    
+#ifdef WINNT
+    /*  we need a lock on WINNT for fibers in the parent process */
+    retvalue = sslMutex_2LevelInit(pMutex);
+    if (SECSuccess != retvalue)
+        return SECFailure;
+#endif
+    
+    if (!pMutex || ((hMutex = pMutex->u.sslMutx) != 0 && 
+        hMutex != INVALID_HANDLE_VALUE)) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    attributes.bInheritHandle = (shared ? TRUE : FALSE);
+    hMutex = CreateMutex(&attributes, FALSE, NULL);
+    if (hMutex == NULL) {
+        hMutex = INVALID_HANDLE_VALUE;
+        nss_MD_win32_map_default_error(GetLastError());
+        return SECFailure;
+    }
+    pMutex->u.sslMutx = hMutex;
+    return SECSuccess;
+}
+
+SECStatus
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    HANDLE hMutex;
+    int    rv;
+    int retvalue = SECSuccess;
+
+    PR_ASSERT(pMutex != 0);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+
+    /*  multi-process mode */    
+#ifdef WINNT
+    /* on NT, get rid of the PRLock used for fibers within a process */
+    retvalue = sslMutex_2LevelDestroy(pMutex);
+#endif
+    
+    PR_ASSERT( pMutex->u.sslMutx != 0 && 
+               pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 
+        || hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    
+    rv = CloseHandle(hMutex); /* ignore error */
+    if (rv) {
+        pMutex->u.sslMutx = hMutex = INVALID_HANDLE_VALUE;
+    } else {
+        nss_MD_win32_map_default_error(GetLastError());
+        retvalue = SECFailure;
+    }
+    return retvalue;
+}
+
+int 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    BOOL   success = FALSE;
+    HANDLE hMutex;
+
+    PR_ASSERT(pMutex != 0 );
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    
+    PR_ASSERT(pMutex->u.sslMutx != 0 && 
+              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 ||
+        hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    success = ReleaseMutex(hMutex);
+    if (!success) {
+        nss_MD_win32_map_default_error(GetLastError());
+        return SECFailure;
+    }
+#ifdef WINNT
+    return single_process_sslMutex_Unlock(pMutex);
+    /* release PRLock for other fibers in the process */
+#else
+    return SECSuccess;
+#endif
+}
+
+int 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    HANDLE    hMutex;
+    DWORD     event;
+    DWORD     lastError;
+    SECStatus rv;
+    SECStatus retvalue = SECSuccess;
+    PR_ASSERT(pMutex != 0);
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+#ifdef WINNT
+    /* lock first to preserve from other threads/fibers
+       in the same process */
+    retvalue = single_process_sslMutex_Lock(pMutex);
+#endif
+    PR_ASSERT(pMutex->u.sslMutx != 0 && 
+              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || 
+        hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;      /* what else ? */
+    }
+    /* acquire the mutex to be the only owner accross all other processes */
+    event = WaitForSingleObject(hMutex, INFINITE);
+    switch (event) {
+    case WAIT_OBJECT_0:
+    case WAIT_ABANDONED:
+        rv = SECSuccess;
+        break;
+
+    case WAIT_TIMEOUT:
+#if defined(WAIT_IO_COMPLETION)
+    case WAIT_IO_COMPLETION:
+#endif
+    default:            /* should never happen. nothing we can do. */
+        PR_ASSERT(!("WaitForSingleObject returned invalid value."));
+	PORT_SetError(PR_UNKNOWN_ERROR);
+	rv = SECFailure;
+	break;
+
+    case WAIT_FAILED:           /* failure returns this */
+        rv = SECFailure;
+        lastError = GetLastError();     /* for debugging */
+        nss_MD_win32_map_default_error(lastError);
+        break;
+    }
+
+    if (! (SECSuccess == retvalue && SECSuccess == rv)) {
+        return SECFailure;
+    }
+    
+    return SECSuccess;
+}
+
+#elif defined(XP_UNIX)
+
+#include <errno.h>
+#include "unix_err.h"
+
+SECStatus 
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    int rv;
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    do {
+        rv = sem_init(&pMutex->u.sem, shared, 1);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+        nss_MD_unix_map_default_error(errno);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    do {
+	rv = sem_destroy(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    do {
+	rv = sem_post(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+    do {
+	rv = sem_wait(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+#else
+
+SECStatus 
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Init not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Destroy not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Unlock not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Lock not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+#endif
+
+#endif
diff --git a/security/nss/lib/ssl/sslmutex.h b/security/nss/lib/ssl/sslmutex.h
new file mode 100644
index 000000000..645b6c5bd
--- /dev/null
+++ b/security/nss/lib/ssl/sslmutex.h
@@ -0,0 +1,151 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#ifndef __SSLMUTEX_H_
+#define __SSLMUTEX_H_ 1
+
+/* What SSL really wants is portable process-shared unnamed mutexes in 
+ * shared memory, that have the property that if the process that holds
+ * them dies, they are released automatically, and that (unlike fcntl 
+ * record locking) lock to the thread, not to the process.  
+ * NSPR doesn't provide that.  
+ * Windows has mutexes that meet that description, but they're not portable.  
+ * POSIX mutexes are not automatically released when the holder dies, 
+ * and other processes/threads cannot release the mutex on behalf of the 
+ * dead holder.  
+ * POSIX semaphores can be used to accomplish this on systems that implement 
+ * process-shared unnamed POSIX semaphores, because a watchdog thread can 
+ * discover and release semaphores that were held by a dead process.  
+ * On systems that do not support process-shared POSIX unnamed semaphores, 
+ * they can be emulated using pipes.  
+ * The performance cost of doing that is not yet measured.
+ *
+ * So, this API looks a lot like POSIX pthread mutexes.
+ */
+
+#include "prtypes.h"
+#include "prlock.h"
+
+#if defined(WIN32)
+
+#include <wtypes.h>
+
+typedef struct 
+{
+    PRBool isMultiProcess;
+#ifdef WINNT
+    /* on WINNT we need both the PRLock and the Win32 mutex for fibers */
+    struct {
+#else
+    union {
+#endif
+        PRLock* sslLock;
+        HANDLE sslMutx;
+    } u;
+} sslMutex;
+
+typedef int    sslPID;
+
+#elif defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || defined(NETBSD) || defined(OPENBSD)
+
+#include <sys/types.h>
+#include "prtypes.h"
+
+typedef struct { 
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        struct {
+            int      mPipes[3]; 
+            PRInt32  nWaiters;
+        } pipeStr;
+    } u;
+} sslMutex;
+typedef pid_t sslPID;
+
+#elif defined(XP_UNIX) /* other types of Unix */
+
+#include <sys/types.h>	/* for pid_t */
+#include <semaphore.h>  /* for sem_t, and sem_* functions */
+
+typedef struct
+{
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        sem_t  sem;
+    } u;
+} sslMutex;
+
+typedef pid_t sslPID;
+
+#else
+
+/* what platform is this ?? */
+
+typedef struct { 
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        /* include cross-process locking mechanism here */
+    } u;
+} sslMutex;
+
+typedef int sslPID;
+
+#endif
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+extern SECStatus sslMutex_Init(sslMutex *sem, int shared);
+
+extern SECStatus sslMutex_Destroy(sslMutex *sem);
+
+extern SECStatus sslMutex_Unlock(sslMutex *sem);
+
+extern SECStatus sslMutex_Lock(sslMutex *sem);
+
+#ifdef WINNT
+
+extern SECStatus sslMutex_2LevelInit(sslMutex *sem);
+
+#endif
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
new file mode 100644
index 000000000..8c097f8d4
--- /dev/null
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -0,0 +1,530 @@
+/* 
+ * This file implements the CLIENT Session ID cache.  
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "pk11pub.h"
+#include "secitem.h"
+#include "ssl.h"
+#include "nss.h"
+
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "nssilock.h"
+#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#include <time.h>
+#endif
+
+PRUint32 ssl_sid_timeout = 100;
+PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
+
+static sslSessionID *cache = NULL;
+static PZLock *      cacheLock = NULL;
+
+/* sids can be in one of 4 states:
+ *
+ * never_cached, 	created, but not yet put into cache. 
+ * in_client_cache, 	in the client cache's linked list.
+ * in_server_cache, 	entry came from the server's cache file.
+ * invalid_cache	has been removed from the cache. 
+ */
+
+#define LOCK_CACHE 	lock_cache()
+#define UNLOCK_CACHE	PZ_Unlock(cacheLock)
+
+static SECStatus
+ssl_InitClientSessionCacheLock(void)
+{
+    cacheLock = PZ_NewLock(nssILockCache);
+    return cacheLock ? SECSuccess : SECFailure;
+}
+
+static SECStatus
+ssl_FreeClientSessionCacheLock(void)
+{
+    if (cacheLock) {
+        PZ_DestroyLock(cacheLock);
+        cacheLock = NULL;
+        return SECSuccess;
+    }
+    PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+    return SECFailure;
+}
+
+static PRBool LocksInitializedEarly = PR_FALSE;
+
+static SECStatus
+FreeSessionCacheLocks()
+{
+    SECStatus rv1, rv2;
+    rv1 = ssl_FreeSymWrapKeysLock();
+    rv2 = ssl_FreeClientSessionCacheLock();
+    if ( (SECSuccess == rv1) && (SECSuccess == rv2) ) {
+        return SECSuccess;
+    }
+    return SECFailure;
+}
+
+static SECStatus
+InitSessionCacheLocks(void)
+{
+    SECStatus rv1, rv2;
+    PRErrorCode rc;
+    rv1 = ssl_InitSymWrapKeysLock();
+    rv2 = ssl_InitClientSessionCacheLock();
+    if ( (SECSuccess == rv1) && (SECSuccess == rv2) ) {
+        return SECSuccess;
+    }
+    rc = PORT_GetError();
+    FreeSessionCacheLocks();
+    PORT_SetError(rc);
+    return SECFailure;
+}
+
+/* free the session cache locks if they were initialized early */
+SECStatus
+ssl_FreeSessionCacheLocks()
+{
+    PORT_Assert(PR_TRUE == LocksInitializedEarly);
+    if (!LocksInitializedEarly) {
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
+    }
+    FreeSessionCacheLocks();
+    LocksInitializedEarly = PR_FALSE;
+    return SECSuccess;
+}
+
+static PRCallOnceType lockOnce;
+
+/* free the session cache locks if they were initialized lazily */
+static SECStatus ssl_ShutdownLocks(void* appData, void* nssData)
+{
+    PORT_Assert(PR_FALSE == LocksInitializedEarly);
+    if (LocksInitializedEarly) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    FreeSessionCacheLocks();
+    memset(&lockOnce, 0, sizeof(lockOnce));
+    return SECSuccess;
+}
+
+static PRStatus initSessionCacheLocksLazily(void)
+{
+    SECStatus rv = InitSessionCacheLocks();
+    if (SECSuccess != rv) {
+        return PR_FAILURE;
+    }
+    rv = NSS_RegisterShutdown(ssl_ShutdownLocks, NULL);
+    PORT_Assert(SECSuccess == rv);
+    if (SECSuccess != rv) {
+        return PR_FAILURE;
+    }
+    return PR_SUCCESS;
+}
+
+/* lazyInit means that the call is not happening during a 1-time
+ * initialization function, but rather during dynamic, lazy initialization
+ */
+SECStatus
+ssl_InitSessionCacheLocks(PRBool lazyInit)
+{
+    if (LocksInitializedEarly) {
+        return SECSuccess;
+    }
+
+    if (lazyInit) {
+        return (PR_SUCCESS ==
+                PR_CallOnce(&lockOnce, initSessionCacheLocksLazily)) ?
+               SECSuccess : SECFailure;
+    }
+     
+    if (SECSuccess == InitSessionCacheLocks()) {
+        LocksInitializedEarly = PR_TRUE;
+        return SECSuccess;
+    }
+
+    return SECFailure;
+}
+
+static void 
+lock_cache(void)
+{
+    ssl_InitSessionCacheLocks(PR_TRUE);
+    PZ_Lock(cacheLock);
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * If the unreferenced sid is not in the cache, Free sid and its contents.
+ */
+static void
+ssl_DestroySID(sslSessionID *sid)
+{
+    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
+    PORT_Assert((sid->references == 0));
+
+    if (sid->cached == in_client_cache)
+    	return;	/* it will get taken care of next time cache is traversed. */
+
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
+	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
+    }
+    if (sid->peerID != NULL)
+	PORT_Free((void *)sid->peerID);		/* CONST */
+
+    if (sid->urlSvrName != NULL)
+	PORT_Free((void *)sid->urlSvrName);	/* CONST */
+
+    if ( sid->peerCert ) {
+	CERT_DestroyCertificate(sid->peerCert);
+    }
+    if ( sid->localCert ) {
+	CERT_DestroyCertificate(sid->localCert);
+    }
+    if (sid->u.ssl3.sessionTicket.ticket.data) {
+	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+    }
+    
+    PORT_ZFree(sid, sizeof(sslSessionID));
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * Decrement reference count, and 
+ *    free sid if ref count is zero, and sid is not in the cache. 
+ * Does NOT remove from the cache first.  
+ * If the sid is still in the cache, it is left there until next time
+ * the cache list is traversed.
+ */
+static void 
+ssl_FreeLockedSID(sslSessionID *sid)
+{
+    PORT_Assert(sid->references >= 1);
+    if (--sid->references == 0) {
+	ssl_DestroySID(sid);
+    }
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * Decrement reference count, and 
+ *    free sid if ref count is zero, and sid is not in the cache. 
+ * Does NOT remove from the cache first.  
+ * These locks are necessary because the sid _might_ be in the cache list.
+ */
+void
+ssl_FreeSID(sslSessionID *sid)
+{
+    LOCK_CACHE;
+    ssl_FreeLockedSID(sid);
+    UNLOCK_CACHE;
+}
+
+/************************************************************************/
+
+/*
+**  Lookup sid entry in cache by Address, port, and peerID string.
+**  If found, Increment reference count, and return pointer to caller.
+**  If it has timed out or ref count is zero, remove from list and free it.
+*/
+
+sslSessionID *
+ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, 
+              const char * urlSvrName)
+{
+    sslSessionID **sidp;
+    sslSessionID * sid;
+    PRUint32       now;
+
+    if (!urlSvrName)
+    	return NULL;
+    now = ssl_Time();
+    LOCK_CACHE;
+    sidp = &cache;
+    while ((sid = *sidp) != 0) {
+	PORT_Assert(sid->cached == in_client_cache);
+	PORT_Assert(sid->references >= 1);
+
+	SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
+
+	if (sid->expirationTime < now || !sid->references) {
+	    /*
+	    ** This session-id timed out, or was orphaned.
+	    ** Don't even care who it belongs to, blow it out of our cache.
+	    */
+	    SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
+			now - sid->creationTime, sid->references));
+
+	    *sidp = sid->next; 			/* delink it from the list. */
+	    sid->cached = invalid_cache;	/* mark not on list. */
+	    if (!sid->references)
+	    	ssl_DestroySID(sid);
+	    else
+		ssl_FreeLockedSID(sid);		/* drop ref count, free. */
+
+	} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
+	           (sid->port == port) && /* server port matches */
+		   /* proxy (peerID) matches */
+		   (((peerID == NULL) && (sid->peerID == NULL)) ||
+		    ((peerID != NULL) && (sid->peerID != NULL) &&
+		     PORT_Strcmp(sid->peerID, peerID) == 0)) &&
+		   /* is cacheable */
+		   (sid->version < SSL_LIBRARY_VERSION_3_0 ||
+		    sid->u.ssl3.keys.resumable) &&
+		   /* server hostname matches. */
+	           (sid->urlSvrName != NULL) &&
+		   ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
+		    ((sid->peerCert != NULL) && (SECSuccess == 
+		      CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
+		  ) {
+	    /* Hit */
+	    sid->lastAccessTime = now;
+	    sid->references++;
+	    break;
+	} else {
+	    sidp = &sid->next;
+	}
+    }
+    UNLOCK_CACHE;
+    return sid;
+}
+
+/*
+** Add an sid to the cache or return a previously cached entry to the cache.
+** Although this is static, it is called via ss->sec.cache().
+*/
+static void 
+CacheSID(sslSessionID *sid)
+{
+    PRUint32  expirationPeriod;
+    SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
+		"time=%x cached=%d",
+		sid, sid->cached, sid->addr.pr_s6_addr32[0], 
+		sid->addr.pr_s6_addr32[1], sid->addr.pr_s6_addr32[2],
+		sid->addr.pr_s6_addr32[3],  sid->port, sid->creationTime,
+		sid->cached));
+
+    if (sid->cached == in_client_cache)
+	return;
+
+    if (!sid->urlSvrName) {
+        /* don't cache this SID because it can never be matched */
+        return;
+    }
+
+    /* XXX should be different trace for version 2 vs. version 3 */
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	expirationPeriod = ssl_sid_timeout;
+	PRINT_BUF(8, (0, "sessionID:",
+		  sid->u.ssl2.sessionID, sizeof(sid->u.ssl2.sessionID)));
+	PRINT_BUF(8, (0, "masterKey:",
+		  sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:",
+		  sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
+    } else {
+	if (sid->u.ssl3.sessionIDLength == 0 &&
+	    sid->u.ssl3.sessionTicket.ticket.data == NULL)
+	    return;
+	/* Client generates the SessionID if this was a stateless resume. */
+	if (sid->u.ssl3.sessionIDLength == 0) {
+	    SECStatus rv;
+	    rv = PK11_GenerateRandom(sid->u.ssl3.sessionID,
+		SSL3_SESSIONID_BYTES);
+	    if (rv != SECSuccess)
+		return;
+	    sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
+	}
+	expirationPeriod = ssl3_sid_timeout;
+	PRINT_BUF(8, (0, "sessionID:",
+		      sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
+    }
+    PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
+    if (!sid->creationTime)
+	sid->lastAccessTime = sid->creationTime = ssl_Time();
+    if (!sid->expirationTime)
+	sid->expirationTime = sid->creationTime + expirationPeriod;
+
+    /*
+     * Put sid into the cache.  Bump reference count to indicate that
+     * cache is holding a reference. Uncache will reduce the cache
+     * reference.
+     */
+    LOCK_CACHE;
+    sid->references++;
+    sid->cached = in_client_cache;
+    sid->next   = cache;
+    cache       = sid;
+    UNLOCK_CACHE;
+}
+
+/* 
+ * If sid "zap" is in the cache,
+ *    removes sid from cache, and decrements reference count.
+ * Caller must hold cache lock.
+ */
+static void
+UncacheSID(sslSessionID *zap)
+{
+    sslSessionID **sidp = &cache;
+    sslSessionID *sid;
+
+    if (zap->cached != in_client_cache) {
+	return;
+    }
+
+    SSL_TRC(8,("SSL: Uncache: zap=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
+	       "time=%x cipher=%d",
+	       zap, zap->cached, zap->addr.pr_s6_addr32[0],
+	       zap->addr.pr_s6_addr32[1], zap->addr.pr_s6_addr32[2],
+	       zap->addr.pr_s6_addr32[3], zap->port, zap->creationTime,
+	       zap->u.ssl2.cipherType));
+    if (zap->version < SSL_LIBRARY_VERSION_3_0) {
+	PRINT_BUF(8, (0, "sessionID:",
+		      zap->u.ssl2.sessionID, sizeof(zap->u.ssl2.sessionID)));
+	PRINT_BUF(8, (0, "masterKey:",
+		      zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:",
+		      zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.len));
+    }
+
+    /* See if it's in the cache, if so nuke it */
+    while ((sid = *sidp) != 0) {
+	if (sid == zap) {
+	    /*
+	    ** Bingo. Reduce reference count by one so that when
+	    ** everyone is done with the sid we can free it up.
+	    */
+	    *sidp = zap->next;
+	    zap->cached = invalid_cache;
+	    ssl_FreeLockedSID(zap);
+	    return;
+	}
+	sidp = &sid->next;
+    }
+}
+
+/* If sid "zap" is in the cache,
+ *    removes sid from cache, and decrements reference count.
+ * Although this function is static, it is called externally via 
+ *    ss->sec.uncache().
+ */
+static void
+LockAndUncacheSID(sslSessionID *zap)
+{
+    LOCK_CACHE;
+    UncacheSID(zap);
+    UNLOCK_CACHE;
+
+}
+
+/* choose client or server cache functions for this sslsocket. */
+void 
+ssl_ChooseSessionIDProcs(sslSecurityInfo *sec)
+{
+    if (sec->isServer) {
+	sec->cache   = ssl_sid_cache;
+	sec->uncache = ssl_sid_uncache;
+    } else {
+	sec->cache   = CacheSID;
+	sec->uncache = LockAndUncacheSID;
+    }
+}
+
+/* wipe out the entire client session cache. */
+void
+SSL_ClearSessionCache(void)
+{
+    LOCK_CACHE;
+    while(cache != NULL)
+	UncacheSID(cache);
+    UNLOCK_CACHE;
+}
+
+/* returns an unsigned int containing the number of seconds in PR_Now() */
+PRUint32
+ssl_Time(void)
+{
+    PRUint32 myTime;
+#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+    myTime = time(NULL);	/* accurate until the year 2038. */
+#else
+    /* portable, but possibly slower */
+    PRTime now;
+    PRInt64 ll;
+
+    now = PR_Now();
+    LL_I2L(ll, 1000000L);
+    LL_DIV(now, now, ll);
+    LL_L2UI(myTime, now);
+#endif
+    return myTime;
+}
+
+SECStatus
+ssl3_SetSIDSessionTicket(sslSessionID *sid, NewSessionTicket *session_ticket)
+{
+    SECStatus rv;
+
+    /* We need to lock the cache, as this sid might already be in the cache. */
+    LOCK_CACHE;
+
+    /* A server might have sent us an empty ticket, which has the
+     * effect of clearing the previously known ticket.
+     */
+    if (sid->u.ssl3.sessionTicket.ticket.data)
+	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+    if (session_ticket->ticket.len > 0) {
+	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.sessionTicket.ticket,
+	    &session_ticket->ticket);
+	if (rv != SECSuccess) {
+	    UNLOCK_CACHE;
+	    return rv;
+	}
+    } else {
+	sid->u.ssl3.sessionTicket.ticket.data = NULL;
+	sid->u.ssl3.sessionTicket.ticket.len = 0;
+    }
+    sid->u.ssl3.sessionTicket.received_timestamp =
+	session_ticket->received_timestamp;
+    sid->u.ssl3.sessionTicket.ticket_lifetime_hint =
+	session_ticket->ticket_lifetime_hint;
+
+    UNLOCK_CACHE;
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h
new file mode 100644
index 000000000..6ca18eea8
--- /dev/null
+++ b/security/nss/lib/ssl/sslproto.h
@@ -0,0 +1,220 @@
+/*
+ * Various and sundry protocol constants. DON'T CHANGE THESE. These values 
+ * are mostly defined by the SSL2, SSL3, or TLS protocol specifications.
+ * Cipher kinds and ciphersuites are part of the public API.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __sslproto_h_
+#define __sslproto_h_
+
+/* All versions less than 3_0 are treated as SSL version 2 */
+#define SSL_LIBRARY_VERSION_2			0x0002
+#define SSL_LIBRARY_VERSION_3_0			0x0300
+#define SSL_LIBRARY_VERSION_3_1_TLS		0x0301
+
+/* Header lengths of some of the messages */
+#define SSL_HL_ERROR_HBYTES			3
+#define SSL_HL_CLIENT_HELLO_HBYTES		9
+#define SSL_HL_CLIENT_MASTER_KEY_HBYTES		10
+#define SSL_HL_CLIENT_FINISHED_HBYTES		1
+#define SSL_HL_SERVER_HELLO_HBYTES		11
+#define SSL_HL_SERVER_VERIFY_HBYTES		1
+#define SSL_HL_SERVER_FINISHED_HBYTES		1
+#define SSL_HL_REQUEST_CERTIFICATE_HBYTES	2
+#define SSL_HL_CLIENT_CERTIFICATE_HBYTES	6
+
+/* Security handshake protocol codes */
+#define SSL_MT_ERROR				0
+#define SSL_MT_CLIENT_HELLO			1
+#define SSL_MT_CLIENT_MASTER_KEY		2
+#define SSL_MT_CLIENT_FINISHED			3
+#define SSL_MT_SERVER_HELLO			4
+#define SSL_MT_SERVER_VERIFY			5
+#define SSL_MT_SERVER_FINISHED			6
+#define SSL_MT_REQUEST_CERTIFICATE		7
+#define SSL_MT_CLIENT_CERTIFICATE		8
+
+/* Certificate types */
+#define SSL_CT_X509_CERTIFICATE			0x01
+#if 0 /* XXX Not implemented yet */
+#define SSL_PKCS6_CERTIFICATE			0x02
+#endif
+#define SSL_AT_MD5_WITH_RSA_ENCRYPTION		0x01
+
+/* Error codes */
+#define SSL_PE_NO_CYPHERS			0x0001
+#define SSL_PE_NO_CERTIFICATE			0x0002
+#define SSL_PE_BAD_CERTIFICATE			0x0004
+#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE	0x0006
+
+/* Cypher kinds (not the spec version!) */
+#define SSL_CK_RC4_128_WITH_MD5			0x01
+#define SSL_CK_RC4_128_EXPORT40_WITH_MD5	0x02
+#define SSL_CK_RC2_128_CBC_WITH_MD5		0x03
+#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	0x04
+#define SSL_CK_IDEA_128_CBC_WITH_MD5		0x05
+#define SSL_CK_DES_64_CBC_WITH_MD5		0x06
+#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5	0x07
+
+/* Cipher enables.  These are used only for SSL_EnableCipher 
+ * These values define the SSL2 suites, and do not colide with the 
+ * SSL3 Cipher suites defined below.
+ */
+#define SSL_EN_RC4_128_WITH_MD5			0xFF01
+#define SSL_EN_RC4_128_EXPORT40_WITH_MD5	0xFF02
+#define SSL_EN_RC2_128_CBC_WITH_MD5		0xFF03
+#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5	0xFF04
+#define SSL_EN_IDEA_128_CBC_WITH_MD5		0xFF05
+#define SSL_EN_DES_64_CBC_WITH_MD5		0xFF06
+#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5	0xFF07
+
+/* SSL v3 Cipher Suites */
+#define SSL_NULL_WITH_NULL_NULL			0x0000
+
+#define SSL_RSA_WITH_NULL_MD5			0x0001
+#define SSL_RSA_WITH_NULL_SHA			0x0002
+#define SSL_RSA_EXPORT_WITH_RC4_40_MD5		0x0003
+#define SSL_RSA_WITH_RC4_128_MD5		0x0004
+#define SSL_RSA_WITH_RC4_128_SHA		0x0005
+#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0x0006
+#define SSL_RSA_WITH_IDEA_CBC_SHA		0x0007
+#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0008
+#define SSL_RSA_WITH_DES_CBC_SHA		0x0009
+#define SSL_RSA_WITH_3DES_EDE_CBC_SHA		0x000a
+						       
+#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	0x000b
+#define SSL_DH_DSS_WITH_DES_CBC_SHA		0x000c
+#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA	0x000d
+#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	0x000e
+#define SSL_DH_RSA_WITH_DES_CBC_SHA		0x000f
+#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA	0x0010
+						       
+#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	0x0011
+#define SSL_DHE_DSS_WITH_DES_CBC_SHA		0x0012
+#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013
+#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0014
+#define SSL_DHE_RSA_WITH_DES_CBC_SHA		0x0015
+#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016
+						       
+#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5	0x0017
+#define SSL_DH_ANON_WITH_RC4_128_MD5		0x0018
+#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA	0x0019
+#define SSL_DH_ANON_WITH_DES_CBC_SHA		0x001a
+#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA	0x001b
+
+#define SSL_FORTEZZA_DMS_WITH_NULL_SHA		0x001c /* deprecated */
+#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA	0x001d /* deprecated */
+#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	0x001e /* deprecated */
+
+/* New TLS cipher suites */
+#define TLS_RSA_WITH_AES_128_CBC_SHA      	0x002F
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA   	0x0030
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA   	0x0031
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA  	0x0032
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA  	0x0033
+#define TLS_DH_ANON_WITH_AES_128_CBC_SHA  	0x0034
+
+#define TLS_RSA_WITH_AES_256_CBC_SHA      	0x0035
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA   	0x0036
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA   	0x0037
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA  	0x0038
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA  	0x0039
+#define TLS_DH_ANON_WITH_AES_256_CBC_SHA  	0x003A
+
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      	0x0041
+#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   	0x0042
+#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   	0x0043
+#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  	0x0044
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  	0x0045
+#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA  	0x0046
+
+#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     0x0062
+#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      0x0064
+
+#define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
+#define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  0x0065
+#define TLS_DHE_DSS_WITH_RC4_128_SHA            0x0066
+
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      	0x0084
+#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   	0x0085
+#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   	0x0086
+#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  	0x0087
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  	0x0088
+#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA  	0x0089
+
+#define TLS_ECDH_ECDSA_WITH_NULL_SHA            0xC001
+#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA         0xC002
+#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC003
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     0xC004
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     0xC005
+
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA           0xC006
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        0xC007
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   0xC008
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    0xC009
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    0xC00A
+
+#define TLS_ECDH_RSA_WITH_NULL_SHA              0xC00B
+#define TLS_ECDH_RSA_WITH_RC4_128_SHA           0xC00C
+#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      0xC00D
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       0xC00E
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA       0xC00F
+
+#define TLS_ECDHE_RSA_WITH_NULL_SHA             0xC010
+#define TLS_ECDHE_RSA_WITH_RC4_128_SHA          0xC011
+#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     0xC012
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      0xC013
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      0xC014
+
+#define TLS_ECDH_anon_WITH_NULL_SHA             0xC015
+#define TLS_ECDH_anon_WITH_RC4_128_SHA          0xC016
+#define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     0xC017
+#define TLS_ECDH_anon_WITH_AES_128_CBC_SHA      0xC018
+#define TLS_ECDH_anon_WITH_AES_256_CBC_SHA      0xC019
+
+/* Netscape "experimental" cipher suites. */
+#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA	0xffe0
+#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA	0xffe1
+
+/* New non-experimental openly spec'ed versions of those cipher suites. */
+#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 	0xfeff
+#define SSL_RSA_FIPS_WITH_DES_CBC_SHA      	0xfefe
+
+#endif /* __sslproto_h_ */
diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c
new file mode 100644
index 000000000..09d20d496
--- /dev/null
+++ b/security/nss/lib/ssl/sslreveal.c
@@ -0,0 +1,100 @@
+/* 
+ * Accessor functions for SSLSocket private members.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "certt.h"
+#include "sslimpl.h"
+
+/* given PRFileDesc, returns a copy of certificate associated with the socket
+ * the caller should delete the cert when done with SSL_DestroyCertificate
+ */
+CERTCertificate * 
+SSL_RevealCert(PRFileDesc * fd)
+{
+  CERTCertificate * cert = NULL;
+  sslSocket * sslsocket = NULL;
+
+  sslsocket = ssl_FindSocket(fd);
+  
+  /* CERT_DupCertificate increases reference count and returns pointer to 
+   * the same cert
+   */
+  if (sslsocket && sslsocket->sec.peerCert)
+    cert = CERT_DupCertificate(sslsocket->sec.peerCert);
+  
+  return cert;
+}
+
+/* given PRFileDesc, returns a pointer to PinArg associated with the socket
+ */
+void * 
+SSL_RevealPinArg(PRFileDesc * fd)
+{
+  sslSocket * sslsocket = NULL;
+  void * PinArg = NULL;
+  
+  sslsocket = ssl_FindSocket(fd);
+  
+  /* is pkcs11PinArg part of the sslSocket or sslSecurityInfo ? */
+  if (sslsocket)
+    PinArg = sslsocket->pkcs11PinArg;
+  
+  return PinArg;
+}
+
+
+/* given PRFileDesc, returns a pointer to the URL associated with the socket
+ * the caller should free url when done  
+ */
+char * 
+SSL_RevealURL(PRFileDesc * fd)
+{
+  sslSocket * sslsocket = NULL;
+  char * url = NULL;
+
+  sslsocket = ssl_FindSocket(fd);
+  
+  if (sslsocket && sslsocket->url)
+    url = PL_strdup(sslsocket->url);
+  
+  return url;
+}
+
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
new file mode 100644
index 000000000..c2bbadbc2
--- /dev/null
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -0,0 +1,1442 @@
+/*
+ * Various SSL functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "cert.h"
+#include "secitem.h"
+#include "keyhi.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "secoid.h"	/* for SECOID_GetALgorithmTag */
+#include "pk11func.h"	/* for PK11_GenerateRandom */
+#include "nss.h"        /* for NSS_RegisterShutdown */
+#include "prinit.h"     /* for PR_CallOnceWithArg */
+
+#define MAX_BLOCK_CYPHER_SIZE	32
+
+#define TEST_FOR_FAILURE	/* reminder */
+#define SET_ERROR_CODE		/* reminder */
+
+/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock. 
+ * 
+ * Currently, the list of functions called through ss->handshake is:
+ * 
+ * In sslsocks.c:
+ *  SocksGatherRecord
+ *  SocksHandleReply	
+ *  SocksStartGather
+ *
+ * In sslcon.c:
+ *  ssl_GatherRecord1stHandshake
+ *  ssl2_HandleClientSessionKeyMessage
+ *  ssl2_HandleMessage
+ *  ssl2_HandleVerifyMessage
+ *  ssl2_BeginClientHandshake
+ *  ssl2_BeginServerHandshake
+ *  ssl2_HandleClientHelloMessage
+ *  ssl2_HandleServerHelloMessage
+ * 
+ * The ss->handshake function returns SECWouldBlock under these conditions:
+ * 1.	ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 
+ *	the beginning of an SSL v3 hello message and returned SECWouldBlock 
+ *	to switch to SSL v3 handshake processing.
+ *
+ * 2.	ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
+ *	v2 client hello msg, and called ssl3_HandleV2ClientHello which 
+ *	returned SECWouldBlock.
+ *
+ * 3.   SECWouldBlock was returned by one of the callback functions, via
+ *	one of these paths:
+ * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
+ *
+ * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
+ *
+ * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
+ *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
+ *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 
+ *	ss->handleBadCert()
+ *
+ * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
+ *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
+ *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() -> 
+ *	ss->getClientAuthData()
+ *
+ * Called from: SSL_ForceHandshake	(below), 
+ *              ssl_SecureRecv 		(below) and
+ *              ssl_SecureSend		(below)
+ *	  from: WaitForResponse 	in sslsocks.c
+ *	        ssl_SocksRecv   	in sslsocks.c
+ *              ssl_SocksSend   	in sslsocks.c
+ *
+ * Caller must hold the (write) handshakeLock.
+ */
+int 
+ssl_Do1stHandshake(sslSocket *ss)
+{
+    int rv        = SECSuccess;
+    int loopCount = 0;
+
+    do {
+	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+
+	if (ss->handshake == 0) {
+	    /* Previous handshake finished. Switch to next one */
+	    ss->handshake = ss->nextHandshake;
+	    ss->nextHandshake = 0;
+	}
+	if (ss->handshake == 0) {
+	    /* Previous handshake finished. Switch to security handshake */
+	    ss->handshake = ss->securityHandshake;
+	    ss->securityHandshake = 0;
+	}
+	if (ss->handshake == 0) {
+	    ssl_GetRecvBufLock(ss);
+	    ss->gs.recordLen = 0;
+	    ssl_ReleaseRecvBufLock(ss);
+
+	    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
+			SSL_GETPID(), ss->fd));
+            /* call handshake callback for ssl v2 */
+	    /* for v3 this is done in ssl3_HandleFinished() */
+	    if ((ss->handshakeCallback != NULL) && /* has callback */
+		(!ss->firstHsDone) &&              /* only first time */
+		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
+		ss->firstHsDone     = PR_TRUE;
+		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+	    }
+	    ss->firstHsDone         = PR_TRUE;
+	    ss->gs.writeOffset = 0;
+	    ss->gs.readOffset  = 0;
+	    break;
+	}
+	rv = (*ss->handshake)(ss);
+	++loopCount;
+    /* This code must continue to loop on SECWouldBlock, 
+     * or any positive value.	See XXX_1 comments.
+     */
+    } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */
+
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+
+    if (rv == SECWouldBlock) {
+	PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+ * Handshake function that blocks.  Used to force a
+ * retry on a connection on the next read/write.
+ */
+static SECStatus
+AlwaysBlock(sslSocket *ss)
+{
+    PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */
+    return SECWouldBlock;
+}
+
+/*
+ * set the initial handshake state machine to block
+ */
+void
+ssl_SetAlwaysBlock(sslSocket *ss)
+{
+    if (!ss->firstHsDone) {
+	ss->handshake = AlwaysBlock;
+	ss->nextHandshake = 0;
+    }
+}
+
+static SECStatus 
+ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SetTimeout", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_READER(ss);
+    ss->rTimeout = timeout;
+    if (ss->opt.fdx) {
+        SSL_LOCK_WRITER(ss);
+    }
+    ss->wTimeout = timeout;
+    if (ss->opt.fdx) {
+        SSL_UNLOCK_WRITER(ss);
+    }
+    SSL_UNLOCK_READER(ss);
+    return SECSuccess;
+}
+
+/* Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
+{
+    sslSocket *ss;
+    SECStatus status;
+    PRNetAddr addr;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    /* Don't waste my time */
+    if (!ss->opt.useSecurity)
+	return SECSuccess;
+
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    /* Reset handshake state */
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->firstHsDone = PR_FALSE;
+    if ( asServer ) {
+	ss->handshake = ssl2_BeginServerHandshake;
+	ss->handshaking = sslHandshakingAsServer;
+    } else {
+	ss->handshake = ssl2_BeginClientHandshake;
+	ss->handshaking = sslHandshakingAsClient;
+    }
+    ss->nextHandshake       = 0;
+    ss->securityHandshake   = 0;
+
+    ssl_GetRecvBufLock(ss);
+    status = ssl_InitGather(&ss->gs);
+    ssl_ReleaseRecvBufLock(ss);
+
+    /*
+    ** Blow away old security state and get a fresh setup.
+    */
+    ssl_GetXmitBufLock(ss); 
+    ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
+    status = ssl_CreateSecurityInfo(ss);
+    ssl_ReleaseXmitBufLock(ss); 
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    if (!ss->TCPconnected)
+	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+
+    return status;
+}
+
+/* For SSLv2, does nothing but return an error.
+** For SSLv3, flushes SID cache entry (if requested),
+** and then starts new client hello or hello request.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
+{
+    sslSocket *ss;
+    SECStatus  rv;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (!ss->opt.useSecurity)
+	return SECSuccess;
+    
+    ssl_Get1stHandshakeLock(ss);
+
+    /* SSL v2 protocol does not support subsequent handshakes. */
+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    } else {
+	ssl_GetSSL3HandshakeLock(ss);
+	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
+	ssl_ReleaseSSL3HandshakeLock(ss);
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+/*
+** Same as above, but with an I/O timeout.
+ */
+SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
+                                                PRBool flushCache,
+                                                PRIntervalTime timeout)
+{
+    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
+        return SECFailure;
+    }
+    return SSL_ReHandshake(fd, flushCache);
+}
+
+SECStatus
+SSL_RedoHandshake(PRFileDesc *fd)
+{
+    return SSL_ReHandshake(fd, PR_TRUE);
+}
+
+/* Register an application callback to be called when SSL handshake completes.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
+		      void *client_data)
+{
+    sslSocket *ss;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (!ss->opt.useSecurity) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->handshakeCallback     = cb;
+    ss->handshakeCallbackData = client_data;
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return SECSuccess;
+}
+
+/* Try to make progress on an SSL handshake by attempting to read the 
+** next handshake from the peer, and sending any responses.
+** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
+** read the next handshake from the underlying socket.
+** For SSLv2, returns when handshake is complete or fatal error occurs.
+** For SSLv3, returns when handshake is complete, or application data has
+** arrived that must be taken by application before handshake can continue, 
+** or a fatal error occurs.
+** Application should use handshake completion callback to tell which. 
+*/
+SECStatus
+SSL_ForceHandshake(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    SECStatus  rv = SECFailure;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
+		 SSL_GETPID(), fd));
+	return rv;
+    }
+
+    /* Don't waste my time */
+    if (!ss->opt.useSecurity) 
+    	return SECSuccess;
+
+    ssl_Get1stHandshakeLock(ss);
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	int gatherResult;
+
+    	ssl_GetRecvBufLock(ss);
+	gatherResult = ssl3_GatherCompleteHandshake(ss, 0);
+	ssl_ReleaseRecvBufLock(ss);
+	if (gatherResult > 0) {
+	    rv = SECSuccess;
+	} else if (gatherResult == 0) {
+	    PORT_SetError(PR_END_OF_FILE_ERROR);
+	} else if (gatherResult == SECWouldBlock) {
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	}
+    } else if (!ss->firstHsDone) {
+	rv = ssl_Do1stHandshake(ss);
+    } else {
+	/* tried to force handshake on an SSL 2 socket that has 
+	** already completed the handshake. */
+    	rv = SECSuccess;	/* just pretend we did it. */
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+/*
+ ** Same as above, but with an I/O timeout.
+ */
+SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
+                                                   PRIntervalTime timeout)
+{
+    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
+        return SECFailure;
+    }
+    return SSL_ForceHandshake(fd);
+}
+
+
+/************************************************************************/
+
+/*
+** Grow a buffer to hold newLen bytes of data.
+** Called for both recv buffers and xmit buffers.
+** Caller must hold xmitBufLock or recvBufLock, as appropriate.
+*/
+SECStatus
+sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
+{
+    newLen = PR_MAX(newLen, MAX_FRAGMENT_LENGTH + 2048);
+    if (newLen > b->space) {
+	unsigned char *newBuf;
+	if (b->buf) {
+	    newBuf = (unsigned char *) PORT_Realloc(b->buf, newLen);
+	} else {
+	    newBuf = (unsigned char *) PORT_Alloc(newLen);
+	}
+	if (!newBuf) {
+	    return SECFailure;
+	}
+	SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",
+		     SSL_GETPID(), b->space, newLen));
+	b->buf = newBuf;
+	b->space = newLen;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslBuffer_Append(sslBuffer *b, const void * data, unsigned int len)
+{
+    unsigned int newLen = b->len + len;
+    SECStatus rv;
+
+    rv = sslBuffer_Grow(b, newLen);
+    if (rv != SECSuccess)
+    	return rv;
+    PORT_Memcpy(b->buf + b->len, data, len);
+    b->len += len;
+    return SECSuccess;
+}
+
+/*
+** Save away write data that is trying to be written before the security
+** handshake has been completed. When the handshake is completed, we will
+** flush this data out.
+** Caller must hold xmitBufLock
+*/
+SECStatus 
+ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len)
+{
+    SECStatus    rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    rv = sslBuffer_Append(&ss->pendingBuf, data, len);
+    SSL_TRC(5, ("%d: SSL[%d]: saving %u bytes of data (%u total saved so far)",
+		 SSL_GETPID(), ss->fd, len, ss->pendingBuf.len));
+    return rv;
+}
+
+/*
+** Send saved write data. This will flush out data sent prior to a
+** complete security handshake. Hopefully there won't be too much of it.
+** Returns count of the bytes sent, NOT a SECStatus.
+** Caller must hold xmitBufLock
+*/
+int 
+ssl_SendSavedWriteData(sslSocket *ss)
+{
+    int rv	= 0;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    if (ss->pendingBuf.len != 0) {
+	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
+		     SSL_GETPID(), ss->fd, ss->pendingBuf.len));
+	rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0);
+	if (rv < 0) {
+	    return rv;
+	} 
+	ss->pendingBuf.len -= rv;
+	if (ss->pendingBuf.len > 0 && rv > 0) {
+	    /* UGH !! This shifts the whole buffer down by copying it */
+	    PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, 
+	                 ss->pendingBuf.len);
+    	}
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Receive some application data on a socket.  Reads SSL records from the input
+** stream, decrypts them and then copies them to the output buffer.
+** Called from ssl_SecureRecv() below.
+**
+** Caller does NOT hold 1stHandshakeLock because that handshake is over.
+** Caller doesn't call this until initial handshake is complete.
+** For SSLv2, there is no subsequent handshake.
+** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake
+** messages from a subsequent handshake.
+**
+** This code is similar to, and easily confused with, 
+**   ssl_GatherRecord1stHandshake() in sslcon.c
+*/
+static int 
+DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
+{
+    int              rv;
+    int              amount;
+    int              available;
+
+    ssl_GetRecvBufLock(ss);
+
+    available = ss->gs.writeOffset - ss->gs.readOffset;
+    if (available == 0) {
+	/* Get some more data */
+	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	    /* Wait for application data to arrive.  */
+	    rv = ssl3_GatherAppDataRecord(ss, 0);
+	} else {
+	    /* See if we have a complete record */
+	    rv = ssl2_GatherRecord(ss, 0);
+	}
+	if (rv <= 0) {
+	    if (rv == 0) {
+		/* EOF */
+		SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",
+			     SSL_GETPID(), ss->fd));
+		goto done;
+	    }
+	    if ((rv != SECWouldBlock) && 
+	        (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {
+		/* Some random error */
+		goto done;
+	    }
+
+	    /*
+	    ** Gather record is blocked waiting for more record data to
+	    ** arrive. Try to process what we have already received
+	    */
+	} else {
+	    /* Gather record has finished getting a complete record */
+	}
+
+	/* See if any clear data is now available */
+	available = ss->gs.writeOffset - ss->gs.readOffset;
+	if (available == 0) {
+	    /*
+	    ** No partial data is available. Force error code to
+	    ** EWOULDBLOCK so that caller will try again later. Note
+	    ** that the error code is probably EWOULDBLOCK already,
+	    ** but if it isn't (for example, if we received a zero
+	    ** length record) then this will force it to be correct.
+	    */
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	    rv = SECFailure;
+	    goto done;
+	}
+	SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",
+		     SSL_GETPID(), ss->fd, available));
+    }
+
+    /* Dole out clear data to reader */
+    amount = PR_MIN(len, available);
+    PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);
+    if (!(flags & PR_MSG_PEEK)) {
+	ss->gs.readOffset += amount;
+    }
+    rv = amount;
+
+    SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
+		 SSL_GETPID(), ss->fd, amount, available));
+    PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
+
+done:
+    ssl_ReleaseRecvBufLock(ss);
+    return rv;
+}
+
+/************************************************************************/
+
+SSLKEAType
+ssl_FindCertKEAType(CERTCertificate * cert)
+{
+  SSLKEAType keaType = kt_null; 
+  int tag;
+  
+  if (!cert) goto loser;
+  
+  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+  
+  switch (tag) {
+  case SEC_OID_X500_RSA_ENCRYPTION:
+  case SEC_OID_PKCS1_RSA_ENCRYPTION:
+    keaType = kt_rsa;
+    break;
+
+  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+    keaType = kt_dh;
+    break;
+#ifdef NSS_ENABLE_ECC
+  case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+    keaType = kt_ecdh;
+    break;
+#endif /* NSS_ENABLE_ECC */
+  default:
+    keaType = kt_null;
+  }
+  
+ loser:
+  
+  return keaType;
+
+}
+
+static const PRCallOnceType pristineCallOnce;
+static       PRCallOnceType setupServerCAListOnce;
+
+static SECStatus serverCAListShutdown(void* appData, void* nssData)
+{
+    PORT_Assert(ssl3_server_ca_list);
+    if (ssl3_server_ca_list) {
+	CERT_FreeDistNames(ssl3_server_ca_list);
+	ssl3_server_ca_list = NULL;
+    }
+    setupServerCAListOnce = pristineCallOnce;
+    return SECSuccess;
+}
+
+static PRStatus serverCAListSetup(void *arg)
+{
+    CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg;
+    SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL);
+    PORT_Assert(SECSuccess == rv);
+    if (SECSuccess == rv) {
+	ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle);
+	return PR_SUCCESS;
+    }
+    return PR_FAILURE;
+}
+
+
+/* XXX need to protect the data that gets changed here.!! */
+
+SECStatus
+SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
+		       SECKEYPrivateKey *key, SSL3KEAType kea)
+{
+    SECStatus rv;
+    sslSocket *ss;
+    sslServerCerts  *sc;
+    SECKEYPublicKey * pubKey = NULL;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	return SECFailure;
+    }
+
+    /* Both key and cert must have a value or be NULL */
+    /* Passing a value of NULL will turn off key exchange algorithms that were
+     * previously turned on */
+    if (!cert != !key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* make sure the key exchange is recognized */
+    if ((kea >= kt_kea_size) || (kea < kt_null)) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+
+    if (kea != ssl_FindCertKEAType(cert)) {
+    	PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);
+	return SECFailure;
+    }
+
+    sc = ss->serverCerts + kea;
+    /* load the server certificate */
+    if (sc->serverCert != NULL) {
+	CERT_DestroyCertificate(sc->serverCert);
+    	sc->serverCert = NULL;
+    }
+    if (cert) {
+	sc->serverCert = CERT_DupCertificate(cert);
+	if (!sc->serverCert)
+	    goto loser;
+    	/* get the size of the cert's public key, and remember it */
+	pubKey = CERT_ExtractPublicKey(cert);
+	if (!pubKey) 
+	    goto loser;
+	sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
+    }
+
+
+    /* load the server cert chain */
+    if (sc->serverCertChain != NULL) {
+	CERT_DestroyCertificateList(sc->serverCertChain);
+    	sc->serverCertChain = NULL;
+    }
+    if (cert) {
+	sc->serverCertChain = CERT_CertChainFromCert(
+			    sc->serverCert, certUsageSSLServer, PR_TRUE);
+	if (sc->serverCertChain == NULL)
+	     goto loser;
+    }
+
+    /* load the private key */
+    if (sc->serverKeyPair != NULL) {
+        ssl3_FreeKeyPair(sc->serverKeyPair);
+        sc->serverKeyPair = NULL;
+    }
+    if (key) {
+	SECKEYPrivateKey * keyCopy	= NULL;
+	CK_MECHANISM_TYPE  keyMech	= CKM_INVALID_MECHANISM;
+
+	if (key->pkcs11Slot) {
+	    PK11SlotInfo * bestSlot;
+	    bestSlot = PK11_ReferenceSlot(key->pkcs11Slot);
+	    if (bestSlot) {
+		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
+		PK11_FreeSlot(bestSlot);
+	    }
+	}
+	if (keyCopy == NULL)
+	    keyMech = PK11_MapSignKeyType(key->keyType);
+	if (keyMech != CKM_INVALID_MECHANISM) {
+	    PK11SlotInfo * bestSlot;
+	    /* XXX Maybe should be bestSlotMultiple? */
+	    bestSlot = PK11_GetBestSlot(keyMech, NULL /* wincx */);
+	    if (bestSlot) {
+		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
+		PK11_FreeSlot(bestSlot);
+	    }
+	}
+	if (keyCopy == NULL)
+	    keyCopy = SECKEY_CopyPrivateKey(key);
+	if (keyCopy == NULL)
+	    goto loser;
+	SECKEY_CacheStaticFlags(keyCopy);
+        sc->serverKeyPair = ssl3_NewKeyPair(keyCopy, pubKey);
+        if (sc->serverKeyPair == NULL) {
+            SECKEY_DestroyPrivateKey(keyCopy);
+            goto loser;
+        }
+	pubKey = NULL; /* adopted by serverKeyPair */
+    }
+
+    if (kea == kt_rsa && cert && sc->serverKeyBits > 512) {
+	if (ss->opt.noStepDown) {
+	    /* disable all export ciphersuites */
+	} else {
+	    rv = ssl3_CreateRSAStepDownKeys(ss);
+	    if (rv != SECSuccess) {
+		return SECFailure; /* err set by ssl3_CreateRSAStepDownKeys */
+	    }
+	}
+    }
+
+    /* Only do this once because it's global. */
+    if (PR_SUCCESS == PR_CallOnceWithArg(&setupServerCAListOnce, 
+                                         &serverCAListSetup,
+                                         (void *)(ss->dbHandle))) {
+	return SECSuccess;
+    }
+
+loser:
+    if (pubKey) {
+	SECKEY_DestroyPublicKey(pubKey); 
+	pubKey = NULL;
+    }
+    if (sc->serverCert != NULL) {
+	CERT_DestroyCertificate(sc->serverCert);
+	sc->serverCert = NULL;
+    }
+    if (sc->serverCertChain != NULL) {
+	CERT_DestroyCertificateList(sc->serverCertChain);
+	sc->serverCertChain = NULL;
+    }
+    if (sc->serverKeyPair != NULL) {
+	ssl3_FreeKeyPair(sc->serverKeyPair);
+	sc->serverKeyPair = NULL;
+    }
+    return SECFailure;
+}
+
+/************************************************************************/
+
+SECStatus
+ssl_CreateSecurityInfo(sslSocket *ss)
+{
+    SECStatus status;
+
+    /* initialize sslv2 socket to send data in the clear. */
+    ssl2_UseClearSendFunc(ss);
+
+    ss->sec.blockSize  = 1;
+    ss->sec.blockShift = 0;
+
+    ssl_GetXmitBufLock(ss); 
+    status = sslBuffer_Grow(&ss->sec.writeBuf, 4096);
+    ssl_ReleaseXmitBufLock(ss); 
+
+    return status;
+}
+
+SECStatus
+ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
+{
+    ss->sec.send 		= os->sec.send;
+    ss->sec.isServer 		= os->sec.isServer;
+    ss->sec.keyBits    		= os->sec.keyBits;
+    ss->sec.secretKeyBits 	= os->sec.secretKeyBits;
+
+    ss->sec.peerCert   		= CERT_DupCertificate(os->sec.peerCert);
+    if (os->sec.peerCert && !ss->sec.peerCert)
+    	goto loser;
+
+    ss->sec.cache      		= os->sec.cache;
+    ss->sec.uncache    		= os->sec.uncache;
+
+    /* we don't dup the connection info. */
+
+    ss->sec.sendSequence 	= os->sec.sendSequence;
+    ss->sec.rcvSequence 	= os->sec.rcvSequence;
+
+    if (os->sec.hash && os->sec.hashcx) {
+	ss->sec.hash 		= os->sec.hash;
+	ss->sec.hashcx 		= os->sec.hash->clone(os->sec.hashcx);
+	if (os->sec.hashcx && !ss->sec.hashcx)
+	    goto loser;
+    } else {
+	ss->sec.hash 		= NULL;
+	ss->sec.hashcx 		= NULL;
+    }
+
+    SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret);
+    if (os->sec.sendSecret.data && !ss->sec.sendSecret.data)
+    	goto loser;
+    SECITEM_CopyItem(0, &ss->sec.rcvSecret,  &os->sec.rcvSecret);
+    if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data)
+    	goto loser;
+
+    /* XXX following code is wrong if either cx != 0 */
+    PORT_Assert(os->sec.readcx  == 0);
+    PORT_Assert(os->sec.writecx == 0);
+    ss->sec.readcx     		= os->sec.readcx;
+    ss->sec.writecx    		= os->sec.writecx;
+    ss->sec.destroy    		= 0;	
+
+    ss->sec.enc        		= os->sec.enc;
+    ss->sec.dec        		= os->sec.dec;
+
+    ss->sec.blockShift 		= os->sec.blockShift;
+    ss->sec.blockSize  		= os->sec.blockSize;
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+/* Reset sec back to its initial state.
+** Caller holds any relevant locks.
+*/
+void 
+ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
+{
+    /* Destroy MAC */
+    if (sec->hash && sec->hashcx) {
+	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
+	sec->hashcx = NULL;
+	sec->hash = NULL;
+    }
+    SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
+    SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
+
+    /* Destroy ciphers */
+    if (sec->destroy) {
+	(*sec->destroy)(sec->readcx, PR_TRUE);
+	(*sec->destroy)(sec->writecx, PR_TRUE);
+	sec->readcx = NULL;
+	sec->writecx = NULL;
+    } else {
+	PORT_Assert(sec->readcx == 0);
+	PORT_Assert(sec->writecx == 0);
+    }
+    sec->readcx = 0;
+    sec->writecx = 0;
+
+    if (sec->localCert) {
+	CERT_DestroyCertificate(sec->localCert);
+	sec->localCert = NULL;
+    }
+    if (sec->peerCert) {
+	CERT_DestroyCertificate(sec->peerCert);
+	sec->peerCert = NULL;
+    }
+    if (sec->peerKey) {
+	SECKEY_DestroyPublicKey(sec->peerKey);
+	sec->peerKey = NULL;
+    }
+
+    /* cleanup the ci */
+    if (sec->ci.sid != NULL) {
+	ssl_FreeSID(sec->ci.sid);
+    }
+    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
+    if (doMemset) {
+        memset(&sec->ci, 0, sizeof sec->ci);
+    }
+    
+}
+
+/*
+** Called from SSL_ResetHandshake (above), and 
+**        from ssl_FreeSocket     in sslsock.c
+** Caller should hold relevant locks (e.g. XmitBufLock)
+*/
+void 
+ssl_DestroySecurityInfo(sslSecurityInfo *sec)
+{
+    ssl_ResetSecurityInfo(sec, PR_FALSE);
+
+    PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space);
+    sec->writeBuf.buf = 0;
+
+    memset(sec, 0, sizeof *sec);
+}
+
+/************************************************************************/
+
+int 
+ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
+{
+    PRFileDesc *osfd = ss->fd->lower;
+    int rv;
+
+    if ( ss->opt.handshakeAsServer ) {
+	ss->securityHandshake = ssl2_BeginServerHandshake;
+	ss->handshaking = sslHandshakingAsServer;
+    } else {
+	ss->securityHandshake = ssl2_BeginClientHandshake;
+	ss->handshaking = sslHandshakingAsClient;
+    }
+
+    /* connect to server */
+    rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
+    if (rv == PR_SUCCESS) {
+	ss->TCPconnected = 1;
+    } else {
+	int err = PR_GetError();
+	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
+		 SSL_GETPID(), ss->fd, err));
+	if (err == PR_IS_CONNECTED_ERROR) {
+	    ss->TCPconnected = 1;
+	} 
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d",
+		SSL_GETPID(), ss->fd, rv));
+    return rv;
+}
+
+/*
+ * The TLS 1.2 RFC 5246, Section 7.2.1 says:
+ *
+ *     Unless some other fatal alert has been transmitted, each party is
+ *     required to send a close_notify alert before closing the write side
+ *     of the connection.  The other party MUST respond with a close_notify
+ *     alert of its own and close down the connection immediately,
+ *     discarding any pending writes.  It is not required for the initiator
+ *     of the close to wait for the responding close_notify alert before
+ *     closing the read side of the connection.
+ *
+ * The second sentence requires that we send a close_notify alert when we
+ * have received a close_notify alert.  In practice, all SSL implementations
+ * close the socket immediately after sending a close_notify alert (which is
+ * allowed by the third sentence), so responding with a close_notify alert
+ * would result in a write failure with the ECONNRESET error.  This is why
+ * we don't respond with a close_notify alert.
+ *
+ * Also, in the unlikely event that the TCP pipe is full and the peer stops
+ * reading, the SSL3_SendAlert call in ssl_SecureClose and ssl_SecureShutdown
+ * may block indefinitely in blocking mode, and may fail (without retrying)
+ * in non-blocking mode.
+ */
+
+int
+ssl_SecureClose(sslSocket *ss)
+{
+    int rv;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0 	&&
+	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)	&&
+    	ss->firstHsDone 			&& 
+	!ss->recvdCloseNotify                   &&
+	ss->ssl3.initialized) {
+
+	/* We don't want the final alert to be Nagle delayed. */
+	if (!ss->delayDisabled) {
+	    ssl_EnableNagleDelay(ss, PR_FALSE);
+	    ss->delayDisabled = 1;
+	}
+
+	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
+    }
+    rv = ssl_DefClose(ss);
+    return rv;
+}
+
+/* Caller handles all locking */
+int
+ssl_SecureShutdown(sslSocket *ss, int nsprHow)
+{
+    PRFileDesc *osfd = ss->fd->lower;
+    int 	rv;
+    PRIntn	sslHow	= nsprHow + 1;
+
+    if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return PR_FAILURE;
+    }
+
+    if ((sslHow & ssl_SHUTDOWN_SEND) != 0 		&&
+    	ss->version >= SSL_LIBRARY_VERSION_3_0		&&
+	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)		&&
+	ss->firstHsDone 				&& 
+	!ss->recvdCloseNotify                   	&&
+	ss->ssl3.initialized) {
+
+	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
+    }
+
+    rv = osfd->methods->shutdown(osfd, nsprHow);
+
+    ss->shutdownHow |= sslHow;
+
+    return rv;
+}
+
+/************************************************************************/
+
+
+int
+ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
+{
+    sslSecurityInfo *sec;
+    int              rv   = 0;
+
+    sec = &ss->sec;
+
+    if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
+	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
+    	return PR_FAILURE;
+    }
+    if (flags & ~PR_MSG_PEEK) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return PR_FAILURE;
+    }
+
+    if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) {
+	ssl_GetXmitBufLock(ss);
+	if (ss->pendingBuf.len != 0) {
+	    rv = ssl_SendSavedWriteData(ss);
+	    if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
+		ssl_ReleaseXmitBufLock(ss);
+		return SECFailure;
+	    }
+	    /* XXX short write? */
+	}
+	ssl_ReleaseXmitBufLock(ss);
+    }
+    
+    rv = 0;
+    /* If any of these is non-zero, the initial handshake is not done. */
+    if (!ss->firstHsDone) {
+	ssl_Get1stHandshakeLock(ss);
+	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
+	    rv = ssl_Do1stHandshake(ss);
+	}
+	ssl_Release1stHandshakeLock(ss);
+    }
+    if (rv < 0) {
+	return rv;
+    }
+
+    if (len == 0) return 0;
+
+    rv = DoRecv(ss, (unsigned char*) buf, len, flags);
+    SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
+		SSL_GETPID(), ss->fd, rv, PORT_GetError()));
+    return rv;
+}
+
+int
+ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
+{
+    return ssl_SecureRecv(ss, buf, len, 0);
+}
+
+/* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
+int
+ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+{
+    int              rv		= 0;
+
+    SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
+		SSL_GETPID(), ss->fd, len));
+
+    if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
+	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
+    	rv = PR_FAILURE;
+	goto done;
+    }
+    if (flags) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	rv = PR_FAILURE;
+	goto done;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    if (ss->pendingBuf.len != 0) {
+	PORT_Assert(ss->pendingBuf.len > 0);
+	rv = ssl_SendSavedWriteData(ss);
+	if (rv >= 0 && ss->pendingBuf.len != 0) {
+	    PORT_Assert(ss->pendingBuf.len > 0);
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	    rv = SECFailure;
+	}
+    }
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv < 0) {
+	goto done;
+    }
+
+    if (len > 0) 
+    	ss->writerThread = PR_GetCurrentThread();
+    /* If any of these is non-zero, the initial handshake is not done. */
+    if (!ss->firstHsDone) {
+	ssl_Get1stHandshakeLock(ss);
+	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
+	    rv = ssl_Do1stHandshake(ss);
+	}
+	ssl_Release1stHandshakeLock(ss);
+    }
+    if (rv < 0) {
+    	ss->writerThread = NULL;
+	goto done;
+    }
+
+    /* Check for zero length writes after we do housekeeping so we make forward
+     * progress.
+     */
+    if (len == 0) {
+    	rv = 0;
+	goto done;
+    }
+    PORT_Assert(buf != NULL);
+    if (!buf) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	rv = PR_FAILURE;
+	goto done;
+    }
+
+    /* Send out the data using one of these functions:
+     *	ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
+     *  ssl3_SendApplicationData
+     */
+    ssl_GetXmitBufLock(ss);
+    rv = (*ss->sec.send)(ss, buf, len, flags);
+    ssl_ReleaseXmitBufLock(ss);
+    ss->writerThread = NULL;
+done:
+    if (rv < 0) {
+	SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count, error %d",
+		    SSL_GETPID(), ss->fd, rv, PORT_GetError()));
+    } else {
+	SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count",
+		    SSL_GETPID(), ss->fd, rv));
+    }
+    return rv;
+}
+
+int
+ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
+{
+    return ssl_SecureSend(ss, buf, len, 0);
+}
+
+SECStatus
+SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
+{
+    sslSocket *ss;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ss->handleBadCert = f;
+    ss->badCertArg = arg;
+
+    return SECSuccess;
+}
+
+/*
+ * Allow the application to pass the url or hostname into the SSL library
+ * so that we can do some checking on it.
+ */
+SECStatus
+SSL_SetURL(PRFileDesc *fd, const char *url)
+{
+    sslSocket *   ss = ssl_FindSocket(fd);
+    SECStatus     rv = SECSuccess;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSLSetURL",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    if ( ss->url ) {
+	PORT_Free((void *)ss->url);	/* CONST */
+    }
+
+    ss->url = (const char *)PORT_Strdup(url);
+    if ( ss->url == NULL ) {
+	rv = SECFailure;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+/*
+** Returns Negative number on error, zero or greater on success.
+** Returns the amount of data immediately available to be read.
+*/
+int
+SSL_DataPending(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    int        rv  = 0;
+
+    ss = ssl_FindSocket(fd);
+
+    if (ss && ss->opt.useSecurity) {
+
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	ssl_GetRecvBufLock(ss);
+	rv = ss->gs.writeOffset - ss->gs.readOffset;
+	ssl_ReleaseRecvBufLock(ss);
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+
+    return rv;
+}
+
+SECStatus
+SSL_InvalidateSession(PRFileDesc *fd)
+{
+    sslSocket *   ss = ssl_FindSocket(fd);
+    SECStatus     rv = SECFailure;
+
+    if (ss) {
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	    rv = SECSuccess;
+	}
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+    return rv;
+}
+
+SECItem *
+SSL_GetSessionID(PRFileDesc *fd)
+{
+    sslSocket *    ss;
+    SECItem *      item = NULL;
+
+    ss = ssl_FindSocket(fd);
+    if (ss) {
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	if (ss->opt.useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
+	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
+	    if (item) {
+		sslSessionID * sid = ss->sec.ci.sid;
+		if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+		    item->len = SSL2_SESSIONID_BYTES;
+		    item->data = (unsigned char*)PORT_Alloc(item->len);
+		    PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
+		} else {
+		    item->len = sid->u.ssl3.sessionIDLength;
+		    item->data = (unsigned char*)PORT_Alloc(item->len);
+		    PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
+		}
+	    }
+	}
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+    return item;
+}
+
+SECStatus
+SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
+{
+    sslSocket *    ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss)
+    	return SECFailure;
+    if (!dbHandle) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ss->dbHandle = dbHandle;
+    return SECSuccess;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:  
+ *	cert	Client cert chosen by application.
+ *		Note: ssl takes this reference, and does not bump the 
+ *		reference count.  The caller should drop its reference
+ *		without calling CERT_DestroyCert after calling this function.
+ *
+ *	key	Private key associated with cert.  This function makes a 
+ *		copy of the private key, so the caller remains responsible 
+ *		for destroying its copy after this function returns.
+ *
+ *	certChain  Chain of signers for cert.  
+ *		Note: ssl takes this reference, and does not copy the chain.
+ *		The caller should drop its reference without destroying the 
+ *		chain.  SSL will free the chain when it is done with it.
+ *
+ * Return value: XXX
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ */
+int
+SSL_RestartHandshakeAfterCertReq(sslSocket *         ss,
+				CERTCertificate *    cert, 
+				SECKEYPrivateKey *   key,
+				CERTCertificateList *certChain)
+{
+    int              ret;
+
+    ssl_Get1stHandshakeLock(ss);   /************************************/
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
+    } else {
+    	ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+    }
+
+    ssl_Release1stHandshakeLock(ss);  /************************************/
+    return ret;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs 
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Return value: XXX
+*/
+int
+SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    int rv	= SECSuccess;
+
+    ssl_Get1stHandshakeLock(ss); 
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	rv = ssl3_RestartHandshakeAfterServerCert(ss);
+    } else {
+	rv = ssl2_RestartHandshakeAfterServerCert(ss);
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
new file mode 100644
index 000000000..6de5f428c
--- /dev/null
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -0,0 +1,1952 @@
+/* This file implements the SERVER Session ID cache. 
+ * NOTE:  The contents of this file are NOT used by the client.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
+ * cache sids!
+ *
+ * About record locking among different server processes:
+ *
+ * All processes that are part of the same conceptual server (serving on 
+ * the same address and port) MUST share a common SSL session cache. 
+ * This code makes the content of the shared cache accessible to all
+ * processes on the same "server".  This code works on Unix and Win32 only.
+ *
+ * We use NSPR anonymous shared memory and move data to & from shared memory.
+ * We must do explicit locking of the records for all reads and writes.
+ * The set of Cache entries are divided up into "sets" of 128 entries. 
+ * Each set is protected by a lock.  There may be one or more sets protected
+ * by each lock.  That is, locks to sets are 1:N.
+ * There is one lock for the entire cert cache.
+ * There is one lock for the set of wrapped sym wrap keys.
+ *
+ * The anonymous shared memory is laid out as if it were declared like this:
+ *
+ * struct {
+ *     cacheDescriptor          desc;
+ *     sidCacheLock             sidCacheLocks[ numSIDCacheLocks];
+ *     sidCacheLock             keyCacheLock;
+ *     sidCacheLock             certCacheLock;
+ *     sidCacheSet              sidCacheSets[ numSIDCacheSets ];
+ *     sidCacheEntry            sidCacheData[ numSIDCacheEntries];
+ *     certCacheEntry           certCacheData[numCertCacheEntries];
+ *     SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS];
+ *     uint8                    keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN]
+ *     encKeyCacheEntry         ticketEncKey; // Wrapped in non-bypass mode
+ *     encKeyCacheEntry         ticketMacKey; // Wrapped in non-bypass mode
+ *     PRBool                   ticketKeysValid;
+ * } cacheMemCacheData;
+ */
+#include "seccomon.h"
+
+#if (defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "pk11func.h"
+#include "base64.h"
+#include "keyhi.h"
+
+#include <stdio.h>
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#include <syslog.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <signal.h>
+#include "unix_err.h"
+
+#else
+
+#ifdef XP_WIN32
+#include <wtypes.h>
+#include "win32err.h"
+#endif
+
+#endif 
+#include <sys/types.h>
+
+#define SET_ERROR_CODE /* reminder */
+
+#include "nspr.h"
+#include "sslmutex.h"
+
+/*
+** Format of a cache entry in the shared memory.
+*/ 
+struct sidCacheEntryStr {
+/* 16 */    PRIPv6Addr  addr;	/* client's IP address */
+/*  4 */    PRUint32    creationTime;
+/*  4 */    PRUint32    lastAccessTime;	
+/*  4 */    PRUint32    expirationTime;
+/*  2 */    PRUint16	version;
+/*  1 */    PRUint8	valid;
+/*  1 */    PRUint8     sessionIDLength;
+/* 32 */    PRUint8     sessionID[SSL3_SESSIONID_BYTES];
+/*  2 */    PRUint16    authAlgorithm;
+/*  2 */    PRUint16    authKeyBits;
+/*  2 */    PRUint16    keaType;
+/*  2 */    PRUint16    keaKeyBits;
+/* 72  - common header total */
+
+    union {
+	struct {
+/* 64 */    PRUint8	masterKey[SSL_MAX_MASTER_KEY_BYTES];
+/* 32 */    PRUint8	cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
+
+/*  1 */    PRUint8	cipherType;
+/*  1 */    PRUint8	masterKeyLen;
+/*  1 */    PRUint8	keyBits;
+/*  1 */    PRUint8	secretKeyBits;
+/*  1 */    PRUint8	cipherArgLen;
+/*101 */} ssl2;
+
+	struct {
+/*  2 */    ssl3CipherSuite  cipherSuite;
+/*  2 */    PRUint16    compression; 	/* SSL3CompressionMethod */
+
+/*100 */    ssl3SidKeys keys;	/* keys and ivs, wrapped as needed. */
+
+/*  4 */    PRUint32    masterWrapMech; 
+/*  4 */    SSL3KEAType exchKeyType;
+/*  4 */    PRInt32     certIndex;
+/*116 */} ssl3;
+/* force sizeof(sidCacheEntry) to be a multiple of cache line size */
+        struct {
+/*120 */    PRUint8     filler[120]; /* 72+120==196, a multiple of 16 */
+	} forceSize;
+    } u;
+};
+typedef struct sidCacheEntryStr sidCacheEntry;
+
+/* The length of this struct is supposed to be a power of 2, e.g. 4KB */
+struct certCacheEntryStr {
+    PRUint16    certLength;				/*    2 */
+    PRUint16    sessionIDLength;			/*    2 */
+    PRUint8 	sessionID[SSL3_SESSIONID_BYTES];	/*   32 */
+    PRUint8 	cert[SSL_MAX_CACHED_CERT_LEN];		/* 4060 */
+};						/* total   4096 */
+typedef struct certCacheEntryStr certCacheEntry;
+
+struct sidCacheLockStr {
+    PRUint32	timeStamp;
+    sslMutex	mutex;
+    sslPID	pid;
+};
+typedef struct sidCacheLockStr sidCacheLock;
+
+struct sidCacheSetStr {
+    PRIntn	next;
+};
+typedef struct sidCacheSetStr sidCacheSet;
+
+struct encKeyCacheEntryStr {
+    PRUint8	bytes[512];
+    PRInt32	length;
+};
+typedef struct encKeyCacheEntryStr encKeyCacheEntry;
+
+struct cacheDescStr {
+
+    PRUint32            cacheMemSize;
+
+    PRUint32		numSIDCacheLocks;
+    PRUint32		numSIDCacheSets;
+    PRUint32		numSIDCacheSetsPerLock;
+
+    PRUint32            numSIDCacheEntries; 
+    PRUint32            sidCacheSize;
+
+    PRUint32            numCertCacheEntries;
+    PRUint32            certCacheSize;
+
+    PRUint32            numKeyCacheEntries;
+    PRUint32            keyCacheSize;
+
+    PRUint32		ssl2Timeout;
+    PRUint32		ssl3Timeout;
+
+    PRUint32            numSIDCacheLocksInitialized;
+
+    /* These values are volatile, and are accessed through sharedCache-> */
+    PRUint32		nextCertCacheEntry;	/* certCacheLock protects */
+    PRBool      	stopPolling;
+    PRBool		everInherited;
+
+    /* The private copies of these values are pointers into shared mem */
+    /* The copies of these values in shared memory are merely offsets */
+    sidCacheLock    *          sidCacheLocks;
+    sidCacheLock    *          keyCacheLock;
+    sidCacheLock    *          certCacheLock;
+    sidCacheSet     *          sidCacheSets;
+    sidCacheEntry   *          sidCacheData;
+    certCacheEntry  *          certCacheData;
+    SSLWrappedSymWrappingKey * keyCacheData;
+    uint8           *          ticketKeyNameSuffix;
+    encKeyCacheEntry         * ticketEncKey;
+    encKeyCacheEntry         * ticketMacKey;
+    PRUint32        *          ticketKeysValid;
+
+    /* Only the private copies of these pointers are valid */
+    char *                     cacheMem;
+    struct cacheDescStr *      sharedCache;  /* shared copy of this struct */
+    PRFileMap *                cacheMemMap;
+    PRThread  *                poller;
+    PRUint32                   mutexTimeout;
+    PRBool                     shared;
+};
+typedef struct cacheDescStr cacheDesc;
+
+static cacheDesc globalCache;
+
+static const char envVarName[] = { SSL_ENV_VAR_NAME };
+
+static PRBool isMultiProcess  = PR_FALSE;
+
+
+#define DEF_SID_CACHE_ENTRIES  10000
+#define DEF_CERT_CACHE_ENTRIES 250
+#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
+#define DEF_KEY_CACHE_ENTRIES  250
+
+#define SID_CACHE_ENTRIES_PER_SET  128
+#define SID_ALIGNMENT          16
+
+#define DEF_SSL2_TIMEOUT	100   /* seconds */
+#define MAX_SSL2_TIMEOUT	100   /* seconds */
+#define MIN_SSL2_TIMEOUT	  5   /* seconds */
+
+#define DEF_SSL3_TIMEOUT      86400L  /* 24 hours */
+#define MAX_SSL3_TIMEOUT      86400L  /* 24 hours */
+#define MIN_SSL3_TIMEOUT          5   /* seconds  */
+
+#if defined(AIX) || defined(LINUX) || defined(VMS)
+#define MAX_SID_CACHE_LOCKS 8	/* two FDs per lock */
+#elif defined(OSF1)
+#define MAX_SID_CACHE_LOCKS 16	/* one FD per lock */
+#else
+#define MAX_SID_CACHE_LOCKS 256
+#endif
+
+#define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
+#define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size)))
+
+
+static sslPID myPid;
+static PRUint32  ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
+
+/* forward static function declarations */
+static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, 
+                         unsigned nl);
+static SECStatus LaunchLockPoller(cacheDesc *cache);
+static SECStatus StopLockPoller(cacheDesc *cache);
+
+
+struct inheritanceStr {
+    PRUint32 cacheMemSize;
+    PRUint32 fmStrLen;
+};
+
+typedef struct inheritanceStr inheritance;
+
+#if defined(_WIN32) || defined(XP_OS2)
+
+#define DEFAULT_CACHE_DIRECTORY "\\temp"
+
+#endif /* _win32 */
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#define DEFAULT_CACHE_DIRECTORY "/tmp"
+
+#endif /* XP_UNIX || XP_BEOS */
+
+
+/************************************************************************/
+
+static PRUint32
+LockSidCacheLock(sidCacheLock *lock, PRUint32 now)
+{
+    SECStatus      rv      = sslMutex_Lock(&lock->mutex);
+    if (rv != SECSuccess)
+    	return 0;
+    if (!now)
+	now  = ssl_Time();
+    lock->timeStamp = now;
+    lock->pid       = myPid;
+    return now;
+}
+
+static SECStatus
+UnlockSidCacheLock(sidCacheLock *lock)
+{
+    SECStatus      rv;
+
+    lock->pid = 0;
+    rv        = sslMutex_Unlock(&lock->mutex);
+    return rv;
+}
+
+/* returns the value of ssl_Time on success, zero on failure. */
+static PRUint32
+LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now)
+{
+    PRUint32       lockNum = set % cache->numSIDCacheLocks;
+    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
+
+    return LockSidCacheLock(lock, now);
+}
+
+static SECStatus
+UnlockSet(cacheDesc *cache, PRUint32 set)
+{
+    PRUint32       lockNum = set % cache->numSIDCacheLocks;
+    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
+
+    return UnlockSidCacheLock(lock);
+}
+
+/************************************************************************/
+
+
+/* Put a certificate in the cache.  Update the cert index in the sce.
+*/
+static PRUint32
+CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
+{
+    PRUint32        now;
+    certCacheEntry  cce;
+
+    if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) ||
+        (cert->derCert.len <= 0) ||
+	(cert->derCert.data == NULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return 0;
+    }
+
+    cce.sessionIDLength = sce->sessionIDLength;
+    PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength);
+
+    cce.certLength = cert->derCert.len;
+    PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
+
+    /* get lock on cert cache */
+    now = LockSidCacheLock(cache->certCacheLock, 0);
+    if (now) {
+
+	/* Find where to place the next cert cache entry. */
+	cacheDesc * sharedCache = cache->sharedCache;
+	PRUint32    ndx         = sharedCache->nextCertCacheEntry;
+
+	/* write the entry */
+	cache->certCacheData[ndx] = cce;
+
+	/* remember where we put it. */
+	sce->u.ssl3.certIndex = ndx;
+
+	/* update the "next" cache entry index */
+	sharedCache->nextCertCacheEntry = 
+					(ndx + 1) % cache->numCertCacheEntries;
+
+	UnlockSidCacheLock(cache->certCacheLock);
+    }
+    return now;
+
+}
+
+/*
+** Convert local SID to shared memory one
+*/
+static void 
+ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
+{
+    to->valid   = 1;
+    to->version = from->version;
+    to->addr    = from->addr;
+    to->creationTime    = from->creationTime;
+    to->lastAccessTime  = from->lastAccessTime;
+    to->expirationTime  = from->expirationTime;
+    to->authAlgorithm	= from->authAlgorithm;
+    to->authKeyBits	= from->authKeyBits;
+    to->keaType		= from->keaType;
+    to->keaKeyBits	= from->keaKeyBits;
+
+    if (from->version < SSL_LIBRARY_VERSION_3_0) {
+	if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
+	    (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) {
+	    SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
+		     myPid, from->u.ssl2.masterKey.len,
+		     from->u.ssl2.cipherArg.len));
+	    to->valid = 0;
+	    return;
+	}
+
+	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
+	to->u.ssl2.masterKeyLen  = from->u.ssl2.masterKey.len;
+	to->u.ssl2.cipherArgLen  = from->u.ssl2.cipherArg.len;
+	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
+	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
+	to->sessionIDLength      = SSL2_SESSIONID_BYTES;
+	PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
+	PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
+		  from->u.ssl2.masterKey.len);
+	PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
+		  from->u.ssl2.cipherArg.len);
+#ifdef DEBUG
+	PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0,
+		  sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len);
+	PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0,
+		  sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
+#endif
+	SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
+		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
+		    to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
+		    to->creationTime, to->addr.pr_s6_addr32[0],
+		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
+		    to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
+    } else {
+	/* This is an SSL v3 session */
+
+	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
+	to->u.ssl3.compression      = (uint16)from->u.ssl3.compression;
+	to->u.ssl3.keys             = from->u.ssl3.keys;
+	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
+	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
+	to->sessionIDLength         = from->u.ssl3.sessionIDLength;
+	to->u.ssl3.certIndex        = -1;
+
+	PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID,
+		    to->sessionIDLength);
+
+	SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
+	            "cipherSuite=%d",
+		    myPid, to->creationTime, to->addr.pr_s6_addr32[0],
+		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
+		    to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
+    }
+}
+
+/*
+** Convert shared memory cache-entry to local memory based one
+** This is only called from ServerSessionIDLookup().
+** Caller must hold cache lock when calling this.
+*/
+static sslSessionID *
+ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, 
+             CERTCertDBHandle * dbHandle)
+{
+    sslSessionID *to;
+    uint16 version = from->version;
+
+    to = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+    if (!to) {
+	return 0;
+    }
+
+    if (version < SSL_LIBRARY_VERSION_3_0) {
+	/* This is an SSL v2 session */
+	to->u.ssl2.masterKey.data =
+	    (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen);
+	if (!to->u.ssl2.masterKey.data) {
+	    goto loser;
+	}
+	if (from->u.ssl2.cipherArgLen) {
+	    to->u.ssl2.cipherArg.data = 
+	    	(unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen);
+	    if (!to->u.ssl2.cipherArg.data) {
+		goto loser;
+	    }
+	    PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
+		        from->u.ssl2.cipherArgLen);
+	}
+
+	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
+	to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen;
+	to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
+	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
+	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
+/*	to->sessionIDLength      = SSL2_SESSIONID_BYTES; */
+	PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES);
+	PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
+		    from->u.ssl2.masterKeyLen);
+
+	SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
+		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
+		    myPid, to->u.ssl2.masterKey.len,
+		    to->u.ssl2.cipherArg.len, to->creationTime,
+		    to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
+		    to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
+		    to->u.ssl2.cipherType));
+    } else {
+	/* This is an SSL v3 session */
+
+	to->u.ssl3.sessionIDLength  = from->sessionIDLength;
+	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
+	to->u.ssl3.compression      = (SSL3CompressionMethod)from->u.ssl3.compression;
+	to->u.ssl3.keys             = from->u.ssl3.keys;
+	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
+	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
+
+	PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength);
+
+	/* the portions of the SID that are only restored on the client
+	 * are set to invalid values on the server.
+	 */
+	to->u.ssl3.clientWriteKey   = NULL;
+	to->u.ssl3.serverWriteKey   = NULL;
+
+	to->urlSvrName              = NULL;
+
+	to->u.ssl3.masterModuleID   = (SECMODModuleID)-1; /* invalid value */
+	to->u.ssl3.masterSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
+	to->u.ssl3.masterWrapIndex  = 0;
+	to->u.ssl3.masterWrapSeries = 0;
+	to->u.ssl3.masterValid      = PR_FALSE;
+
+	to->u.ssl3.clAuthModuleID   = (SECMODModuleID)-1; /* invalid value */
+	to->u.ssl3.clAuthSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
+	to->u.ssl3.clAuthSeries     = 0;
+	to->u.ssl3.clAuthValid      = PR_FALSE;
+
+	if (from->u.ssl3.certIndex != -1 && pcce) {
+	    SECItem          derCert;
+
+	    derCert.len  = pcce->certLength;
+	    derCert.data = pcce->cert;
+
+	    to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
+					           PR_FALSE, PR_TRUE);
+	    if (to->peerCert == NULL)
+		goto loser;
+	}
+    }
+
+    to->version         = from->version;
+    to->creationTime    = from->creationTime;
+    to->lastAccessTime  = from->lastAccessTime;
+    to->expirationTime  = from->expirationTime;
+    to->cached          = in_server_cache;
+    to->addr            = from->addr;
+    to->references      = 1;
+    to->authAlgorithm	= from->authAlgorithm;
+    to->authKeyBits	= from->authKeyBits;
+    to->keaType		= from->keaType;
+    to->keaKeyBits	= from->keaKeyBits;
+    
+    return to;
+
+  loser:
+    if (to) {
+	if (version < SSL_LIBRARY_VERSION_3_0) {
+	    if (to->u.ssl2.masterKey.data)
+		PORT_Free(to->u.ssl2.masterKey.data);
+	    if (to->u.ssl2.cipherArg.data)
+		PORT_Free(to->u.ssl2.cipherArg.data);
+	}
+	PORT_Free(to);
+    }
+    return NULL;
+}
+
+
+
+/*
+** Perform some mumbo jumbo on the ip-address and the session-id value to
+** compute a hash value.
+*/
+static PRUint32 
+SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
+{
+    PRUint32 rv;
+    PRUint32 x[8];
+
+    memset(x, 0, sizeof x);
+    if (nl > sizeof x)
+    	nl = sizeof x;
+    memcpy(x, s, nl);
+
+    rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
+	  addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
+          x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7])
+	  % cache->numSIDCacheSets;
+    return rv;
+}
+
+
+
+/*
+** Look something up in the cache. This will invalidate old entries
+** in the process. Caller has locked the cache set!
+** Returns PR_TRUE if found a valid match.  PR_FALSE otherwise.
+*/
+static sidCacheEntry *
+FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
+        const PRIPv6Addr *addr, unsigned char *sessionID,
+	unsigned sessionIDLength)
+{
+    PRUint32      ndx   = cache->sidCacheSets[setNum].next;
+    int           i;
+
+    sidCacheEntry * set = cache->sidCacheData + 
+    			 (setNum * SID_CACHE_ENTRIES_PER_SET);
+
+    for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) {
+	sidCacheEntry * sce;
+
+	ndx  = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET;
+	sce = set + ndx;
+
+	if (!sce->valid)
+	    continue;
+
+	if (now > sce->expirationTime) {
+	    /* SessionID has timed out. Invalidate the entry. */
+	    SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
+			"time+=%x",
+			myPid, sce->addr.pr_s6_addr32[0],
+			sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
+			sce->addr.pr_s6_addr32[3], now,
+			sce->expirationTime ));
+	    sce->valid = 0;
+	    continue;
+	}
+
+	/*
+	** Next, examine specific session-id/addr data to see if the cache
+	** entry matches our addr+session-id value
+	*/
+	if (sessionIDLength == sce->sessionIDLength      &&
+	    !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
+	    !memcmp(sce->sessionID, sessionID, sessionIDLength)) {
+	    /* Found it */
+	    return sce;
+	}
+    }
+
+    PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
+    return NULL;
+}
+
+/************************************************************************/
+
+/* This is the primary function for finding entries in the server's sid cache.
+ * Although it is static, this function is called via the global function 
+ * pointer ssl_sid_lookup.
+ */
+static sslSessionID *
+ServerSessionIDLookup(const PRIPv6Addr *addr,
+			unsigned char *sessionID,
+			unsigned int   sessionIDLength,
+                        CERTCertDBHandle * dbHandle)
+{
+    sslSessionID *  sid      = 0;
+    sidCacheEntry * psce;
+    certCacheEntry *pcce     = 0;
+    cacheDesc *     cache    = &globalCache;
+    PRUint32        now;
+    PRUint32        set;
+    PRInt32         cndx;
+    sidCacheEntry   sce;
+    certCacheEntry  cce;
+
+    set = SIDindex(cache, addr, sessionID, sessionIDLength);
+    now = LockSet(cache, set, 0);
+    if (!now)
+    	return NULL;
+
+    psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength);
+    if (psce) {
+	if (psce->version >= SSL_LIBRARY_VERSION_3_0 && 
+	    (cndx = psce->u.ssl3.certIndex) != -1) {
+
+	    PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now);
+	    if (gotLock) {
+		pcce = &cache->certCacheData[cndx];
+
+		/* See if the cert's session ID matches the sce cache. */
+		if ((pcce->sessionIDLength == psce->sessionIDLength) &&
+		    !PORT_Memcmp(pcce->sessionID, psce->sessionID, 
+		                 pcce->sessionIDLength)) {
+		    cce = *pcce;
+		} else {
+		    /* The cert doesen't match the SID cache entry, 
+		    ** so invalidate the SID cache entry. 
+		    */
+		    psce->valid = 0;
+		    psce = 0;
+		    pcce = 0;
+		}
+		UnlockSidCacheLock(cache->certCacheLock);
+	    } else {
+		/* what the ??.  Didn't get the cert cache lock.
+		** Don't invalidate the SID cache entry, but don't find it.
+		*/
+		PORT_Assert(!("Didn't get cert Cache Lock!"));
+		psce = 0;
+		pcce = 0;
+	    }
+	}
+	if (psce) {
+	    psce->lastAccessTime = now;
+	    sce = *psce;	/* grab a copy while holding the lock */
+    	}
+    }
+    UnlockSet(cache, set);
+    if (psce) {
+	/* sce conains a copy of the cache entry.
+	** Convert shared memory format to local format 
+	*/
+	sid = ConvertToSID(&sce, pcce ? &cce : 0, dbHandle);
+    }
+    return sid;
+}
+
+/*
+** Place a sid into the cache, if it isn't already there. 
+*/
+static void 
+ServerSessionIDCache(sslSessionID *sid)
+{
+    sidCacheEntry sce;
+    PRUint32      now     = 0;
+    uint16        version = sid->version;
+    cacheDesc *   cache   = &globalCache;
+
+    if ((version >= SSL_LIBRARY_VERSION_3_0) &&
+	(sid->u.ssl3.sessionIDLength == 0)) {
+	return;
+    }
+
+    if (sid->cached == never_cached || sid->cached == invalid_cache) {
+	PRUint32 set;
+
+	PORT_Assert(sid->creationTime != 0);
+	if (!sid->creationTime)
+	    sid->lastAccessTime = sid->creationTime = ssl_Time();
+	if (version < SSL_LIBRARY_VERSION_3_0) {
+	    /* override caller's expiration time, which uses client timeout
+	     * duration, not server timeout duration.
+	     */
+	    sid->expirationTime = sid->creationTime + cache->ssl2Timeout;
+	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
+			"cipher=%d", myPid, sid->cached,
+			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+			sid->creationTime, sid->u.ssl2.cipherType));
+	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
+			  SSL2_SESSIONID_BYTES));
+	    PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
+			  sid->u.ssl2.masterKey.len));
+	    PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
+			  sid->u.ssl2.cipherArg.len));
+
+	} else {
+	    /* override caller's expiration time, which uses client timeout
+	     * duration, not server timeout duration.
+	     */
+	    sid->expirationTime = sid->creationTime + cache->ssl3Timeout;
+	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
+			"cipherSuite=%d", myPid, sid->cached,
+			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+			sid->creationTime, sid->u.ssl3.cipherSuite));
+	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
+			  sid->u.ssl3.sessionIDLength));
+	}
+
+	ConvertFromSID(&sce, sid);
+
+	if ((version >= SSL_LIBRARY_VERSION_3_0) && 
+	    (sid->peerCert != NULL)) {
+	    now = CacheCert(cache, sid->peerCert, &sce);
+	}
+
+	set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength);
+	now = LockSet(cache, set, now);
+	if (now) {
+	    PRUint32  next = cache->sidCacheSets[set].next;
+	    PRUint32  ndx  = set * SID_CACHE_ENTRIES_PER_SET + next;
+
+	    /* Write out new cache entry */
+	    cache->sidCacheData[ndx] = sce;
+
+	    cache->sidCacheSets[set].next = 
+	    				(next + 1) % SID_CACHE_ENTRIES_PER_SET;
+
+	    UnlockSet(cache, set);
+	    sid->cached = in_server_cache;
+	}
+    }
+}
+
+/*
+** Although this is static, it is called from ssl via global function pointer
+**	ssl_sid_uncache.  This invalidates the referenced cache entry.
+*/
+static void 
+ServerSessionIDUncache(sslSessionID *sid)
+{
+    cacheDesc *    cache   = &globalCache;
+    PRUint8 *      sessionID;
+    unsigned int   sessionIDLength;
+    PRErrorCode    err;
+    PRUint32       set;
+    PRUint32       now;
+    sidCacheEntry *psce;
+
+    if (sid == NULL) 
+    	return;
+    
+    /* Uncaching a SID should never change the error code. 
+    ** So save it here and restore it before exiting.
+    */
+    err = PR_GetError();
+
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	sessionID       = sid->u.ssl2.sessionID;
+	sessionIDLength = SSL2_SESSIONID_BYTES;
+	SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
+		    "cipher=%d", myPid, sid->cached,
+		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+		    sid->creationTime, sid->u.ssl2.cipherType));
+	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
+	PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
+		      sid->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
+		      sid->u.ssl2.cipherArg.len));
+    } else {
+	sessionID       = sid->u.ssl3.sessionID;
+	sessionIDLength = sid->u.ssl3.sessionIDLength;
+	SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
+		    "cipherSuite=%d", myPid, sid->cached,
+		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+		    sid->creationTime, sid->u.ssl3.cipherSuite));
+	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
+    }
+    set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
+    now = LockSet(cache, set, 0);
+    if (now) {
+	psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength);
+	if (psce) {
+	    psce->valid = 0;
+	}
+	UnlockSet(cache, set);
+    }
+    sid->cached = invalid_cache;
+    PORT_SetError(err);
+}
+
+#ifdef XP_OS2
+
+#define INCL_DOSPROCESS
+#include <os2.h>
+
+long gettid(void)
+{
+    PTIB ptib;
+    PPIB ppib;
+    DosGetInfoBlocks(&ptib, &ppib);
+    return ((long)ptib->tib_ordinal); /* thread id */
+}
+#endif
+
+static void
+CloseCache(cacheDesc *cache)
+{
+    int locks_initialized = cache->numSIDCacheLocksInitialized;
+
+    if (cache->cacheMem) {
+	/* If everInherited is true, this shared cache was (and may still
+	** be) in use by multiple processes.  We do not wish to destroy
+	** the mutexes while they are still in use.  
+	*/
+	if (cache->sharedCache &&
+            PR_FALSE == cache->sharedCache->everInherited) {
+	    sidCacheLock *pLock = cache->sidCacheLocks;
+	    for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
+		sslMutex_Destroy(&pLock->mutex);
+	    }
+	}
+	if (cache->shared) {
+	    PR_MemUnmap(cache->cacheMem, cache->cacheMemSize);
+	} else {
+	    PORT_Free(cache->cacheMem);
+	}
+	cache->cacheMem = NULL;
+    }
+    if (cache->cacheMemMap) {
+	PR_CloseFileMap(cache->cacheMemMap);
+	cache->cacheMemMap = NULL;
+    }
+    memset(cache, 0, sizeof *cache);
+}
+
+static SECStatus
+InitCache(cacheDesc *cache, int maxCacheEntries, PRUint32 ssl2_timeout, 
+          PRUint32 ssl3_timeout, const char *directory, PRBool shared)
+{
+    ptrdiff_t     ptr;
+    sidCacheLock *pLock;
+    char *        cacheMem;
+    PRFileMap *   cacheMemMap;
+    char *        cfn = NULL;	/* cache file name */
+    int           locks_initialized = 0;
+    int           locks_to_initialize = 0;
+    PRUint32      init_time;
+
+    if ( (!cache) || (maxCacheEntries < 0) || (!directory) ) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (cache->cacheMem) {
+	/* Already done */
+	return SECSuccess;
+    }
+
+    /* make sure loser can clean up properly */
+    cache->shared = shared;
+    cache->cacheMem    = cacheMem    = NULL;
+    cache->cacheMemMap = cacheMemMap = NULL;
+    cache->sharedCache = (cacheDesc *)0;
+
+    cache->numSIDCacheLocksInitialized = 0;
+    cache->nextCertCacheEntry = 0;
+    cache->stopPolling = PR_FALSE;
+    cache->everInherited = PR_FALSE;
+    cache->poller = NULL;
+    cache->mutexTimeout = 0;
+
+    cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries 
+                                                : DEF_SID_CACHE_ENTRIES;
+    cache->numSIDCacheSets    = 
+    	SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET);
+
+    cache->numSIDCacheEntries = 
+    	cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
+
+    cache->numSIDCacheLocks   = 
+    	PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
+
+    cache->numSIDCacheSetsPerLock = 
+    	SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
+
+    /* compute size of shared memory, and offsets of all pointers */
+    ptr = 0;
+    cache->cacheMem     = (char *)ptr;
+    ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT);
+
+    cache->sidCacheLocks = (sidCacheLock *)ptr;
+    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
+    cache->certCacheLock = cache->keyCacheLock  + 1;
+    ptr = (ptrdiff_t)(cache->certCacheLock + 1);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->sidCacheSets  = (sidCacheSet *)ptr;
+    ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->sidCacheData  = (sidCacheEntry *)ptr;
+    ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->certCacheData = (certCacheEntry *)ptr;
+    cache->sidCacheSize  = 
+    	(char *)cache->certCacheData - (char *)cache->sidCacheData;
+
+    /* This is really a poor way to computer this! */
+    cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry);
+    if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
+    	cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
+    ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->keyCacheData  = (SSLWrappedSymWrappingKey *)ptr;
+    cache->certCacheSize = 
+    	(char *)cache->keyCacheData - (char *)cache->certCacheData;
+
+    cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS;
+    ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->keyCacheSize  = (char *)ptr - (char *)cache->keyCacheData;
+
+    cache->ticketKeyNameSuffix = (uint8 *)ptr;
+    ptr = (ptrdiff_t)(cache->ticketKeyNameSuffix +
+	SESS_TICKET_KEY_VAR_NAME_LEN);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->ticketEncKey = (encKeyCacheEntry *)ptr;
+    ptr = (ptrdiff_t)(cache->ticketEncKey + 1);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->ticketMacKey = (encKeyCacheEntry *)ptr;
+    ptr = (ptrdiff_t)(cache->ticketMacKey + 1);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->ticketKeysValid = (PRUint32 *)ptr;
+    ptr = (ptrdiff_t)(cache->ticketKeysValid + 1);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->cacheMemSize = ptr;
+
+    if (ssl2_timeout) {   
+	if (ssl2_timeout > MAX_SSL2_TIMEOUT) {
+	    ssl2_timeout = MAX_SSL2_TIMEOUT;
+	}
+	if (ssl2_timeout < MIN_SSL2_TIMEOUT) {
+	    ssl2_timeout = MIN_SSL2_TIMEOUT;
+	}
+	cache->ssl2Timeout = ssl2_timeout;
+    } else {
+	cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
+    }
+
+    if (ssl3_timeout) {   
+	if (ssl3_timeout > MAX_SSL3_TIMEOUT) {
+	    ssl3_timeout = MAX_SSL3_TIMEOUT;
+	}
+	if (ssl3_timeout < MIN_SSL3_TIMEOUT) {
+	    ssl3_timeout = MIN_SSL3_TIMEOUT;
+	}
+	cache->ssl3Timeout = ssl3_timeout;
+    } else {
+	cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
+    }
+
+    if (shared) {
+	/* Create file names */
+#if defined(XP_UNIX) || defined(XP_BEOS)
+	/* there's some confusion here about whether PR_OpenAnonFileMap wants
+	** a directory name or a file name for its first argument.
+	cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid);
+	*/
+	cfn = PR_smprintf("%s", directory);
+#elif defined(XP_WIN32)
+	cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
+			    GetCurrentThreadId());
+#elif defined(XP_OS2)
+	cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
+			    gettid());
+#else
+#error "Don't know how to create file name for this platform!"
+#endif
+	if (!cfn) {
+	    goto loser;
+	}
+
+	/* Create cache */
+	cacheMemMap = PR_OpenAnonFileMap(cfn, cache->cacheMemSize, 
+					 PR_PROT_READWRITE);
+
+	PR_smprintf_free(cfn);
+	if(!cacheMemMap) {
+	    goto loser;
+	}
+
+        cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize);
+    } else {
+        cacheMem = PORT_Alloc(cache->cacheMemSize);
+    }
+    
+    if (! cacheMem) {
+        goto loser;
+    }
+
+    /* Initialize shared memory. This may not be necessary on all platforms */
+    memset(cacheMem, 0, cache->cacheMemSize);
+
+    /* Copy cache descriptor header into shared memory */
+    memcpy(cacheMem, cache, sizeof *cache);
+
+    /* save private copies of these values */
+    cache->cacheMemMap = cacheMemMap;
+    cache->cacheMem    = cacheMem;
+    cache->sharedCache = (cacheDesc *)cacheMem;
+
+    /* Fix pointers in our private copy of cache descriptor to point to 
+    ** spaces in shared memory 
+    */
+    ptr = (ptrdiff_t)cache->cacheMem;
+    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketKeyNameSuffix) += ptr;
+    *(ptrdiff_t *)(&cache->ticketEncKey ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketMacKey ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketKeysValid) += ptr;
+
+    /* initialize the locks */
+    init_time = ssl_Time();
+    pLock = cache->sidCacheLocks;
+    for (locks_to_initialize = cache->numSIDCacheLocks + 2;
+         locks_initialized < locks_to_initialize; 
+	 ++locks_initialized, ++pLock ) {
+
+	SECStatus err = sslMutex_Init(&pLock->mutex, shared);
+	if (err) {
+	    cache->numSIDCacheLocksInitialized = locks_initialized;
+	    goto loser;
+	}
+        pLock->timeStamp = init_time;
+	pLock->pid       = 0;
+    }
+    cache->numSIDCacheLocksInitialized = locks_initialized;
+
+    return SECSuccess;
+
+loser:
+    CloseCache(cache);
+    return SECFailure;
+}
+
+PRUint32
+SSL_GetMaxServerCacheLocks(void)
+{
+    return ssl_max_sid_cache_locks + 2;
+    /* The extra two are the cert cache lock and the key cache lock. */
+}
+
+SECStatus
+SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
+{
+    /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
+    ** We'd like to test for a maximum value, but not all platforms' header
+    ** files provide a symbol or function or other means of determining
+    ** the maximum, other than trial and error.
+    */
+    if (maxLocks < 3) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ssl_max_sid_cache_locks = maxLocks - 2;
+    /* The extra two are the cert cache lock and the key cache lock. */
+    return SECSuccess;
+}
+
+SECStatus
+SSL_ConfigServerSessionIDCacheInstance(	cacheDesc *cache,
+                                int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory, PRBool shared)
+{
+    SECStatus rv;
+
+    PORT_Assert(sizeof(sidCacheEntry) == 192);
+    PORT_Assert(sizeof(certCacheEntry) == 4096);
+
+    myPid = SSL_GETPID();
+    if (!directory) {
+	directory = DEFAULT_CACHE_DIRECTORY;
+    }
+    rv = InitCache(cache, maxCacheEntries, ssl2_timeout, ssl3_timeout, 
+                   directory, shared);
+    if (rv) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+
+    ssl_sid_lookup  = ServerSessionIDLookup;
+    ssl_sid_cache   = ServerSessionIDCache;
+    ssl_sid_uncache = ServerSessionIDUncache;
+    return SECSuccess;
+}
+
+SECStatus
+SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory)
+{
+    ssl_InitSessionCacheLocks(PR_FALSE);
+    return SSL_ConfigServerSessionIDCacheInstance(&globalCache, 
+    		maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE);
+}
+
+SECStatus
+SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache)
+{
+    CloseCache(cache);
+    return SECSuccess;
+}
+
+SECStatus
+SSL_ShutdownServerSessionIDCache(void)
+{
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    /* Stop the thread that polls cache for expired locks on Unix */
+    StopLockPoller(&globalCache);
+#endif
+    SSL3_ShutdownServerCache();
+    return SSL_ShutdownServerSessionIDCacheInstance(&globalCache);
+}
+
+/* Use this function, instead of SSL_ConfigServerSessionIDCache,
+ * if the cache will be shared by multiple processes.
+ */
+SECStatus
+SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+		          const char *   directory)
+{
+    char *	envValue;
+    char *	inhValue;
+    cacheDesc * cache         = &globalCache;
+    PRUint32    fmStrLen;
+    SECStatus 	result;
+    PRStatus 	prStatus;
+    SECStatus	putEnvFailed;
+    inheritance inherit;
+    char        fmString[PR_FILEMAP_STRING_BUFSIZE];
+
+    isMultiProcess = PR_TRUE;
+    result = SSL_ConfigServerSessionIDCacheInstance(cache, maxCacheEntries, 
+			ssl2_timeout, ssl3_timeout, directory, PR_TRUE);
+    if (result != SECSuccess) 
+        return result;
+
+    prStatus = PR_ExportFileMapAsString(cache->cacheMemMap, 
+                                        sizeof fmString, fmString);
+    if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+
+    inherit.cacheMemSize	= cache->cacheMemSize;
+    inherit.fmStrLen            = fmStrLen;
+
+    inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit);
+    if (!inhValue || !strlen(inhValue)) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+    envValue = PR_smprintf("%s,%s", inhValue, fmString);
+    if (!envValue || !strlen(envValue)) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+    PORT_Free(inhValue);
+
+    putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
+    PR_smprintf_free(envValue);
+    if (putEnvFailed) {
+        SET_ERROR_CODE
+        result = SECFailure;
+    }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    /* Launch thread to poll cache for expired locks on Unix */
+    LaunchLockPoller(cache);
+#endif
+    return result;
+}
+
+SECStatus
+SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
+{
+    unsigned char * decoString = NULL;
+    char *          fmString   = NULL;
+    char *          myEnvString = NULL;
+    unsigned int    decoLen;
+    ptrdiff_t       ptr;
+    inheritance     inherit;
+    cacheDesc       my;
+#ifdef WINNT
+    sidCacheLock* newLocks;
+    int           locks_initialized = 0;
+    int           locks_to_initialize = 0;
+#endif
+
+    myPid = SSL_GETPID();
+
+    /* If this child was created by fork(), and not by exec() on unix,
+    ** then isMultiProcess will already be set.
+    ** If not, we'll set it below.
+    */
+    if (isMultiProcess) {
+	if (cache && cache->sharedCache) {
+	    cache->sharedCache->everInherited = PR_TRUE;
+	}
+    	return SECSuccess;	/* already done. */
+    }
+
+    ssl_InitSessionCacheLocks(PR_FALSE);
+
+    ssl_sid_lookup  = ServerSessionIDLookup;
+    ssl_sid_cache   = ServerSessionIDCache;
+    ssl_sid_uncache = ServerSessionIDUncache;
+
+    if (!envString) {
+    	envString  = getenv(envVarName);
+	if (!envString) {
+	    SET_ERROR_CODE
+	    return SECFailure;
+	}
+    }
+    myEnvString = PORT_Strdup(envString);
+    if (!myEnvString) 
+	return SECFailure;
+    fmString = strchr(myEnvString, ',');
+    if (!fmString) 
+    	goto loser;
+    *fmString++ = 0;
+
+    decoString = ATOB_AsciiToData(myEnvString, &decoLen);
+    if (!decoString) {
+    	SET_ERROR_CODE
+	goto loser;
+    }
+    if (decoLen != sizeof inherit) {
+    	SET_ERROR_CODE
+    	goto loser;
+    }
+
+    PORT_Memcpy(&inherit, decoString, sizeof inherit);
+
+    if (strlen(fmString)  != inherit.fmStrLen ) {
+    	goto loser;
+    }
+
+    memset(cache, 0, sizeof *cache);
+    cache->cacheMemSize	= inherit.cacheMemSize;
+
+    /* Create cache */
+    cache->cacheMemMap = PR_ImportFileMapFromString(fmString);
+    if(! cache->cacheMemMap) {
+	goto loser;
+    }
+    cache->cacheMem = PR_MemMap(cache->cacheMemMap, 0, cache->cacheMemSize);
+    if (! cache->cacheMem) {
+	goto loser;
+    }
+    cache->sharedCache   = (cacheDesc *)cache->cacheMem;
+
+    if (cache->sharedCache->cacheMemSize != cache->cacheMemSize) {
+	SET_ERROR_CODE
+    	goto loser;
+    }
+
+    /* We're now going to overwrite the local cache instance with the 
+    ** shared copy of the cache struct, then update several values in 
+    ** the local cache using the values for cache->cacheMemMap and 
+    ** cache->cacheMem computed just above.  So, we copy cache into 
+    ** the automatic variable "my", to preserve the variables while
+    ** cache is overwritten.
+    */
+    my = *cache;  /* save values computed above. */
+    memcpy(cache, cache->sharedCache, sizeof *cache); /* overwrite */
+
+    /* Fix pointers in our private copy of cache descriptor to point to 
+    ** spaces in shared memory, whose address is now in "my".
+    */
+    ptr = (ptrdiff_t)my.cacheMem;
+    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketKeyNameSuffix) += ptr;
+    *(ptrdiff_t *)(&cache->ticketEncKey ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketMacKey ) += ptr;
+    *(ptrdiff_t *)(&cache->ticketKeysValid) += ptr;
+
+    cache->cacheMemMap = my.cacheMemMap;
+    cache->cacheMem    = my.cacheMem;
+    cache->sharedCache = (cacheDesc *)cache->cacheMem;
+
+#ifdef WINNT
+    /*  On Windows NT we need to "fix" the sidCacheLocks here to support fibers
+    **  When NT fibers are used in a multi-process server, a second level of
+    **  locking is needed to prevent a deadlock, in case a fiber acquires the
+    **  cross-process mutex, yields, and another fiber is later scheduled on
+    **  the same native thread and tries to acquire the cross-process mutex.
+    **  We do this by using a PRLock in the sslMutex. However, it is stored in
+    **  shared memory as part of sidCacheLocks, and we don't want to overwrite
+    **  the PRLock of the parent process. So we need to make new, private
+    **  copies of sidCacheLocks before modifying the sslMutex with our own
+    **  PRLock
+    */
+    
+    /* note from jpierre : this should be free'd in child processes when
+    ** a function is added to delete the SSL session cache in the future. 
+    */
+    locks_to_initialize = cache->numSIDCacheLocks + 2;
+    newLocks = PORT_NewArray(sidCacheLock, locks_to_initialize);
+    if (!newLocks)
+    	goto loser;
+    /* copy the old locks */
+    memcpy(newLocks, cache->sidCacheLocks, 
+           locks_to_initialize * sizeof(sidCacheLock));
+    cache->sidCacheLocks = newLocks;
+    /* fix the locks */		
+    for (; locks_initialized < locks_to_initialize; ++locks_initialized) {
+        /* now, make a local PRLock in this sslMutex for this child process */
+	SECStatus err;
+        err = sslMutex_2LevelInit(&newLocks[locks_initialized].mutex);
+	if (err != SECSuccess) {
+	    cache->numSIDCacheLocksInitialized = locks_initialized;
+	    goto loser;
+    	}
+    }
+    cache->numSIDCacheLocksInitialized = locks_initialized;
+
+    /* also fix the key and cert cache which use the last 2 lock entries */
+    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
+    cache->certCacheLock = cache->keyCacheLock  + 1;
+#endif
+
+    PORT_Free(myEnvString);
+    PORT_Free(decoString);
+
+    /* mark that we have inherited this. */
+    cache->sharedCache->everInherited = PR_TRUE;
+    isMultiProcess = PR_TRUE;
+
+    return SECSuccess;
+
+loser:
+    PORT_Free(myEnvString);
+    if (decoString) 
+	PORT_Free(decoString);
+    CloseCache(cache);
+    return SECFailure;
+}
+
+SECStatus
+SSL_InheritMPServerSIDCache(const char * envString)
+{
+    return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString);
+}
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#define SID_LOCK_EXPIRATION_TIMEOUT  30 /* seconds */
+
+static void
+LockPoller(void * arg)
+{
+    cacheDesc *    cache         = (cacheDesc *)arg;
+    cacheDesc *    sharedCache   = cache->sharedCache;
+    sidCacheLock * pLock;
+    PRIntervalTime timeout;
+    PRUint32       now;
+    PRUint32       then;
+    int            locks_polled  = 0;
+    int            locks_to_poll = cache->numSIDCacheLocks + 2;
+    PRUint32       expiration    = cache->mutexTimeout;
+
+    timeout = PR_SecondsToInterval(expiration);
+    while(!sharedCache->stopPolling) {
+    	PR_Sleep(timeout);
+	if (sharedCache->stopPolling)
+	    break;
+
+	now   = ssl_Time();
+	then  = now - expiration;
+	for (pLock = cache->sidCacheLocks, locks_polled = 0;
+	     locks_to_poll > locks_polled && !sharedCache->stopPolling; 
+	     ++locks_polled, ++pLock ) {
+	    pid_t pid;
+
+	    if (pLock->timeStamp   < then && 
+	        pLock->timeStamp   != 0 && 
+		(pid = pLock->pid) != 0) {
+
+	    	/* maybe we should try the lock? */
+		int result = kill(pid, 0);
+		if (result < 0 && errno == ESRCH) {
+		    SECStatus rv;
+		    /* No process exists by that pid any more.
+		    ** Treat this mutex as abandoned.
+		    */
+		    pLock->timeStamp = now;
+		    pLock->pid       = 0;
+		    rv = sslMutex_Unlock(&pLock->mutex);
+		    if (rv != SECSuccess) {
+		    	/* Now what? */
+		    }
+		}
+	    }
+	} /* end of loop over locks */
+    } /* end of entire polling loop */
+}
+
+/* Launch thread to poll cache for expired locks */
+static SECStatus 
+LaunchLockPoller(cacheDesc *cache)
+{
+    const char * timeoutString;
+    PRThread *   pollerThread;
+
+    cache->mutexTimeout = SID_LOCK_EXPIRATION_TIMEOUT;
+    timeoutString       = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
+    if (timeoutString) {
+	long newTime = strtol(timeoutString, 0, 0);
+	if (newTime == 0) 
+	    return SECSuccess;  /* application doesn't want poller thread */
+	if (newTime > 0)
+	    cache->mutexTimeout = (PRUint32)newTime;
+	/* if error (newTime < 0) ignore it and use default */
+    }
+
+    pollerThread = 
+	PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL, 
+	                PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
+    if (!pollerThread) {
+    	return SECFailure;
+    }
+    cache->poller = pollerThread;
+    return SECSuccess;
+}
+
+/* Stop the thread that polls cache for expired locks */
+static SECStatus 
+StopLockPoller(cacheDesc *cache)
+{
+    if (!cache->poller) {
+	return SECSuccess;
+    }
+    cache->sharedCache->stopPolling = PR_TRUE;
+    if (PR_Interrupt(cache->poller) != PR_SUCCESS) {
+	return SECFailure;
+    }
+    if (PR_JoinThread(cache->poller) != PR_SUCCESS) {
+	return SECFailure;
+    }
+    cache->poller = NULL;
+    return SECSuccess;
+}
+#endif
+
+/************************************************************************
+ *  Code dealing with shared wrapped symmetric wrapping keys below      *
+ ************************************************************************/
+
+/* If now is zero, it implies that the lock is not held, and must be 
+** aquired here.  
+*/
+static PRBool
+getSvrWrappingKey(PRInt32                symWrapMechIndex,
+               SSL3KEAType               exchKeyType, 
+               SSLWrappedSymWrappingKey *wswk, 
+	       cacheDesc *               cache,
+	       PRUint32                  lockTime)
+{
+    PRUint32  ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+    SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx;
+    PRUint32  now = 0;
+    PRBool    rv  = PR_FALSE;
+
+    if (!cache->cacheMem) { /* cache is uninitialized */
+	PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
+	return rv;
+    }
+    if (!lockTime) {
+	lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
+	if (!lockTime) {
+	    return rv;
+	}
+    }
+    if (pwswk->exchKeyType      == exchKeyType && 
+	pwswk->symWrapMechIndex == symWrapMechIndex &&
+	pwswk->wrappedSymKeyLen != 0) {
+	*wswk = *pwswk;
+	rv = PR_TRUE;
+    }
+    if (now) {
+	UnlockSidCacheLock(cache->keyCacheLock);
+    }
+    return rv;
+}
+
+PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool rv;
+
+    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
+    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
+    if ((unsigned)exchKeyType < kt_kea_size &&
+        (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
+	rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk, 
+	                       &globalCache, 0);
+    } else {
+    	rv = PR_FALSE;
+    }
+
+    return rv;
+}
+
+/* Wrap and cache a session ticket key. */
+static PRBool
+WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
+              const char *keyName, encKeyCacheEntry* cacheEntry)
+{
+    SECItem wrappedKey = {siBuffer, NULL, 0};
+
+    wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
+    PORT_Assert(wrappedKey.len <= sizeof(cacheEntry->bytes));
+    if (wrappedKey.len > sizeof(cacheEntry->bytes))
+	return PR_FALSE;
+    wrappedKey.data = cacheEntry->bytes;
+
+    if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey)
+	    != SECSuccess) {
+	SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.",
+		    SSL_GETPID(), "unknown", keyName));
+	return PR_FALSE;
+    }
+    cacheEntry->length = wrappedKey.len;
+    return PR_TRUE;
+}
+
+static PRBool
+GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
+                          unsigned char *keyName, PK11SymKey **aesKey,
+                          PK11SymKey **macKey)
+{
+    PK11SlotInfo *slot;
+    CK_MECHANISM_TYPE mechanismArray[2];
+    PK11SymKey *aesKeyTmp = NULL;
+    PK11SymKey *macKeyTmp = NULL;
+    cacheDesc *cache = &globalCache;
+
+    if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
+	    SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) {
+	SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
+		    SSL_GETPID(), "unknown"));
+	goto loser;
+    }
+
+    mechanismArray[0] = CKM_AES_CBC;
+    mechanismArray[1] = CKM_SHA256_HMAC;
+
+    slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg);
+    if (slot) {
+	aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL, 32, pwArg);
+	macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL, SHA256_LENGTH,
+				pwArg);
+	PK11_FreeSlot(slot);
+    }
+
+    if (aesKeyTmp == NULL || macKeyTmp == NULL) {
+	SSL_DBG(("%d: SSL[%s]: Unable to generate session ticket keys.",
+		    SSL_GETPID(), "unknown"));
+	goto loser;
+    }
+
+    /* Export the keys to the shared cache in wrapped form. */
+    if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
+	goto loser;
+    if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
+	goto loser;
+
+    PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
+	SESS_TICKET_KEY_VAR_NAME_LEN);
+    *aesKey = aesKeyTmp;
+    *macKey = macKeyTmp;
+    return PR_TRUE;
+
+loser:
+    if (aesKeyTmp)
+	PK11_FreeSymKey(aesKeyTmp);
+    if (macKeyTmp)
+	PK11_FreeSymKey(macKeyTmp);
+    return PR_FALSE;
+}
+
+static PRBool
+UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName,
+                       PK11SymKey **aesKey, PK11SymKey **macKey)
+{
+    SECItem wrappedKey = {siBuffer, NULL, 0};
+    PK11SymKey *aesKeyTmp = NULL;
+    PK11SymKey *macKeyTmp = NULL;
+    cacheDesc *cache = &globalCache;
+
+    wrappedKey.data = cache->ticketEncKey->bytes;
+    wrappedKey.len = cache->ticketEncKey->length;
+    PORT_Assert(wrappedKey.len <= sizeof(cache->ticketEncKey->bytes));
+    aesKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
+	CKM_AES_CBC, CKA_DECRYPT, 0);
+
+    wrappedKey.data = cache->ticketMacKey->bytes;
+    wrappedKey.len = cache->ticketMacKey->length;
+    PORT_Assert(wrappedKey.len <= sizeof(cache->ticketMacKey->bytes));
+    macKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
+	CKM_SHA256_HMAC, CKA_SIGN, 0);
+
+    if (aesKeyTmp == NULL || macKeyTmp == NULL) {
+	SSL_DBG(("%d: SSL[%s]: Unable to unwrap session ticket keys.",
+		    SSL_GETPID(), "unknown"));
+	goto loser;
+    }
+    SSL_DBG(("%d: SSL[%s]: Successfully unwrapped session ticket keys.",
+		SSL_GETPID(), "unknown"));
+
+    PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
+	SESS_TICKET_KEY_VAR_NAME_LEN);
+    *aesKey = aesKeyTmp;
+    *macKey = macKeyTmp;
+    return PR_TRUE;
+
+loser:
+    if (aesKeyTmp)
+	PK11_FreeSymKey(aesKeyTmp);
+    if (macKeyTmp)
+	PK11_FreeSymKey(macKeyTmp);
+    return PR_FALSE;
+}
+
+PRBool
+ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
+                               SECKEYPublicKey *svrPubKey, void *pwArg,
+                               unsigned char *keyName, PK11SymKey **aesKey,
+                               PK11SymKey **macKey)
+{
+    PRUint32 now = 0;
+    PRBool rv = PR_FALSE;
+    PRBool keysGenerated = PR_FALSE;
+    cacheDesc *cache = &globalCache;
+
+    now = LockSidCacheLock(cache->keyCacheLock, now);
+    if (!now)
+	return rv;
+
+    if (!*(cache->ticketKeysValid)) {
+	/* Keys do not exist, create them. */
+	if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName,
+		aesKey, macKey))
+	    goto loser;
+	keysGenerated = PR_TRUE;
+	*(cache->ticketKeysValid) = 1;
+    }
+
+    rv = PR_TRUE;
+
+ loser:
+    UnlockSidCacheLock(cache->keyCacheLock);
+    if (rv && !keysGenerated)
+	rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey);
+    return rv;
+}
+
+PRBool
+ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
+                         unsigned char *macKey)
+{
+    PRBool rv = PR_FALSE;
+    PRUint32 now = 0;
+    cacheDesc *cache = &globalCache;
+
+    /* Grab lock. */
+    now = LockSidCacheLock(cache->keyCacheLock, now);
+    if (!now)
+	return rv;
+
+    if (!*(cache->ticketKeysValid)) {
+	if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
+		SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess)
+	    goto loser;
+	if (PK11_GenerateRandom(cache->ticketEncKey->bytes, 32) != SECSuccess)
+	    goto loser;
+	if (PK11_GenerateRandom(cache->ticketMacKey->bytes,
+		SHA256_LENGTH) != SECSuccess)
+	    goto loser;
+	*(cache->ticketKeysValid) = 1;
+    }
+
+    rv = PR_TRUE;
+
+ loser:
+    UnlockSidCacheLock(cache->keyCacheLock);
+    if (rv) {
+	PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
+	    SESS_TICKET_KEY_VAR_NAME_LEN);
+	PORT_Memcpy(encKey, cache->ticketEncKey->bytes, 32);
+	PORT_Memcpy(macKey, cache->ticketMacKey->bytes, SHA256_LENGTH);
+    }
+    return rv;
+}
+
+/* The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the shared memory.
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/mutexes necessary to make 
+ * the operation atomic.
+ */
+PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
+{
+    cacheDesc *   cache            = &globalCache;
+    PRBool        rv               = PR_FALSE;
+    SSL3KEAType   exchKeyType      = wswk->exchKeyType;   
+                                /* type of keys used to wrap SymWrapKey*/
+    PRInt32       symWrapMechIndex = wswk->symWrapMechIndex;
+    PRUint32      ndx;
+    PRUint32      now = 0;
+    SSLWrappedSymWrappingKey myWswk;
+
+    if (!cache->cacheMem) { /* cache is uninitialized */
+	PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
+	return 0;
+    }
+
+    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
+    if ((unsigned)exchKeyType >= kt_kea_size)
+    	return 0;
+
+    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
+    if ((unsigned)symWrapMechIndex >=  SSL_NUM_WRAP_MECHS)
+    	return 0;
+
+    ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+    PORT_Memset(&myWswk, 0, sizeof myWswk);	/* eliminate UMRs. */
+
+    now = LockSidCacheLock(cache->keyCacheLock, now);
+    if (now) {
+	rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, 
+	                       &myWswk, cache, now);
+	if (rv) {
+	    /* we found it on disk, copy it out to the caller. */
+	    PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
+	} else {
+	    /* Wasn't on disk, and we're still holding the lock, so write it. */
+	    cache->keyCacheData[ndx] = *wswk;
+	}
+	UnlockSidCacheLock(cache->keyCacheLock);
+    }
+    return rv;
+}
+
+#else  /* MAC version or other platform */
+
+#include "seccomon.h"
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+
+SECStatus
+SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServerSessionIDCache)");    
+    return SECFailure;
+}
+
+SECStatus
+SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+		          const char *   directory)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPServerSIDCache)");    
+    return SECFailure;
+}
+
+SECStatus
+SSL_InheritMPServerSIDCache(const char * envString)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPServerSIDCache)");    
+    return SECFailure;
+}
+
+PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool rv = PR_FALSE;
+    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)");    
+    return rv;
+}
+
+/* This is a kind of test-and-set.  The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the shared memory.
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/mutexes necessary to make 
+ * the operation atomic.
+ */
+PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool        rv = PR_FALSE;
+    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)");
+    return rv;
+}
+
+PRUint32  
+SSL_GetMaxServerCacheLocks(void)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServerCacheLocks)");
+    return -1;
+}
+
+SECStatus 
+SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServerCacheLocks)");
+    return SECFailure;
+}
+
+#endif /* XP_UNIX || XP_WIN32 */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
new file mode 100644
index 000000000..98db73a79
--- /dev/null
+++ b/security/nss/lib/ssl/sslsock.c
@@ -0,0 +1,2194 @@
+/*
+ * vtables (and methods that call through them) for the 4 types of 
+ * SSLSockets supported.  Only one type is still supported.
+ * Various other functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "seccomon.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "nspr.h"
+#include "private/pprio.h"
+#include "blapi.h"
+#include "nss.h"
+
+#define SET_ERROR_CODE   /* reminder */
+
+struct cipherPolicyStr {
+	int		cipher;
+	unsigned char 	export;	/* policy value for export policy */
+	unsigned char 	france;	/* policy value for france policy */
+};
+
+typedef struct cipherPolicyStr cipherPolicy;
+
+/* This table contains two preconfigured policies: Export and France.
+** It is used only by the functions SSL_SetDomesticPolicy, 
+** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
+** Order of entries is not important.
+*/
+static cipherPolicy ssl_ciphers[] = {	   /*   Export           France   */
+ {  SSL_EN_RC4_128_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_RC4_128_EXPORT40_WITH_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_EN_RC2_128_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,   SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_EN_DES_64_CBC_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_DES_192_EDE3_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_RC4_128_MD5,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_RC4_128_SHA,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_3DES_EDE_CBC_SHA,	    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_FIPS_WITH_DES_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_DES_CBC_SHA,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_EXPORT_WITH_RC4_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_NULL_SHA,		    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_RSA_WITH_NULL_MD5,		    SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_AES_128_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_AES_256_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_ALLOWED,     SSL_NOT_ALLOWED },
+ {  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_ALLOWED,     SSL_NOT_ALLOWED },
+#ifdef NSS_ENABLE_ECC
+ {  TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+#endif /* NSS_ENABLE_ECC */
+ {  0,					    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
+};
+
+static const sslSocketOps ssl_default_ops = {	/* No SSL. */
+    ssl_DefConnect,
+    NULL,
+    ssl_DefBind,
+    ssl_DefListen,
+    ssl_DefShutdown,
+    ssl_DefClose,
+    ssl_DefRecv,
+    ssl_DefSend,
+    ssl_DefRead,
+    ssl_DefWrite,
+    ssl_DefGetpeername,
+    ssl_DefGetsockname
+};
+
+static const sslSocketOps ssl_secure_ops = {	/* SSL. */
+    ssl_SecureConnect,
+    NULL,
+    ssl_DefBind,
+    ssl_DefListen,
+    ssl_SecureShutdown,
+    ssl_SecureClose,
+    ssl_SecureRecv,
+    ssl_SecureSend,
+    ssl_SecureRead,
+    ssl_SecureWrite,
+    ssl_DefGetpeername,
+    ssl_DefGetsockname
+};
+
+/*
+** default settings for socket enables
+*/
+static sslOptions ssl_defaults = {
+    PR_TRUE, 	/* useSecurity        */
+    PR_FALSE,	/* useSocks           */
+    PR_FALSE,	/* requestCertificate */
+    2,	        /* requireCertificate */
+    PR_FALSE,	/* handshakeAsClient  */
+    PR_FALSE,	/* handshakeAsServer  */
+    PR_TRUE,	/* enableSSL2         */
+    PR_TRUE,	/* enableSSL3         */
+    PR_TRUE, 	/* enableTLS          */ /* now defaults to on in NSS 3.0 */
+    PR_FALSE,	/* noCache            */
+    PR_FALSE,	/* fdx                */
+    PR_TRUE,	/* v2CompatibleHello  */
+    PR_TRUE,	/* detectRollBack     */
+    PR_FALSE,   /* noStepDown         */
+    PR_FALSE,   /* bypassPKCS11       */
+    PR_FALSE,   /* noLocks            */
+    PR_FALSE,   /* enableSessionTickets */
+};
+
+sslSessionIDLookupFunc  ssl_sid_lookup;
+sslSessionIDCacheFunc   ssl_sid_cache;
+sslSessionIDUncacheFunc ssl_sid_uncache;
+
+static PRBool ssl_inited = PR_FALSE;
+static PRDescIdentity ssl_layer_id;
+
+PRBool                  locksEverDisabled; 	/* implicitly PR_FALSE */
+PRBool			ssl_force_locks;  	/* implicitly PR_FALSE */
+int                     ssl_lock_readers	= 1;	/* default true. */
+char                    ssl_debug;
+char                    ssl_trace;
+FILE *                  ssl_trace_iob;
+char lockStatus[] = "Locks are ENABLED.  ";
+#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
+
+/* forward declarations. */
+static sslSocket *ssl_NewSocket(PRBool makeLocks);
+static SECStatus  ssl_MakeLocks(sslSocket *ss);
+static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 
+                                  PRDescIdentity id);
+
+/************************************************************************/
+
+/*
+** Lookup a socket structure from a file descriptor.
+** Only functions called through the PRIOMethods table should use this.
+** Other app-callable functions should use ssl_FindSocket.
+*/
+static sslSocket *
+ssl_GetPrivate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    PORT_Assert(fd != NULL);
+    PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
+    PORT_Assert(fd->identity == ssl_layer_id);
+
+    if (fd->methods->file_type != PR_DESC_LAYERED ||
+        fd->identity != ssl_layer_id) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return NULL;
+    }
+
+    ss = (sslSocket *)fd->secret;
+    ss->fd = fd;
+    return ss;
+}
+
+/* This function tries to find the SSL layer in the stack. 
+ * It searches for the first SSL layer at or below the argument fd,
+ * and failing that, it searches for the nearest SSL layer above the 
+ * argument fd.  It returns the private sslSocket from the found layer.
+ */
+sslSocket *
+ssl_FindSocket(PRFileDesc *fd)
+{
+    PRFileDesc *layer;
+    sslSocket *ss;
+
+    PORT_Assert(fd != NULL);
+    PORT_Assert(ssl_layer_id != 0);
+
+    layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
+    if (layer == NULL) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return NULL;
+    }
+
+    ss = (sslSocket *)layer->secret;
+    ss->fd = layer;
+    return ss;
+}
+
+sslSocket *
+ssl_DupSocket(sslSocket *os)
+{
+    sslSocket *ss;
+    SECStatus rv;
+
+    ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
+    if (ss) {
+	ss->opt                = os->opt;
+	ss->opt.useSocks       = PR_FALSE;
+
+	ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
+	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
+
+	ss->ops      = os->ops;
+	ss->rTimeout = os->rTimeout;
+	ss->wTimeout = os->wTimeout;
+	ss->cTimeout = os->cTimeout;
+	ss->dbHandle = os->dbHandle;
+
+	/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
+	ss->allowedByPolicy	= os->allowedByPolicy;
+	ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
+	ss->chosenPreference 	= os->chosenPreference;
+	PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
+
+	if (os->cipherSpecs) {
+	    ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
+	    if (ss->cipherSpecs) 
+	    	PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 
+		            os->sizeCipherSpecs);
+	    ss->sizeCipherSpecs    = os->sizeCipherSpecs;
+	    ss->preferredCipher    = os->preferredCipher;
+	} else {
+	    ss->cipherSpecs        = NULL;  /* produced lazily */
+	    ss->sizeCipherSpecs    = 0;
+	    ss->preferredCipher    = NULL;
+	}
+	if (ss->opt.useSecurity) {
+	    /* This int should be SSLKEAType, but CC on Irix complains,
+	     * during the for loop.
+	     */
+	    int i;
+	    sslServerCerts * oc = os->serverCerts;
+	    sslServerCerts * sc = ss->serverCerts;
+
+	    for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
+		if (oc->serverCert && oc->serverCertChain) {
+		    sc->serverCert      = CERT_DupCertificate(oc->serverCert);
+		    sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
+		    if (!sc->serverCertChain) 
+		    	goto loser;
+		} else {
+		    sc->serverCert      = NULL;
+		    sc->serverCertChain = NULL;
+		}
+		sc->serverKeyPair = oc->serverKeyPair ?
+				ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
+		if (oc->serverKeyPair && !sc->serverKeyPair)
+		    goto loser;
+	        sc->serverKeyBits = oc->serverKeyBits;
+	    }
+	    ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
+		                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
+	    ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
+		                  ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
+/*
+ * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
+ * XXX We should detect this, and not just march on with NULL pointers.
+ */
+	    ss->authCertificate       = os->authCertificate;
+	    ss->authCertificateArg    = os->authCertificateArg;
+	    ss->getClientAuthData     = os->getClientAuthData;
+	    ss->getClientAuthDataArg  = os->getClientAuthDataArg;
+	    ss->handleBadCert         = os->handleBadCert;
+	    ss->badCertArg            = os->badCertArg;
+	    ss->handshakeCallback     = os->handshakeCallback;
+	    ss->handshakeCallbackData = os->handshakeCallbackData;
+	    ss->pkcs11PinArg          = os->pkcs11PinArg;
+    
+	    /* Create security data */
+	    rv = ssl_CopySecurityInfo(ss, os);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+    }
+    return ss;
+
+loser:
+    ssl_FreeSocket(ss);
+    return NULL;
+}
+
+static void
+ssl_DestroyLocks(sslSocket *ss)
+{
+    /* Destroy locks. */
+    if (ss->firstHandshakeLock) {
+    	PZ_DestroyMonitor(ss->firstHandshakeLock);
+	ss->firstHandshakeLock = NULL;
+    }
+    if (ss->ssl3HandshakeLock) {
+    	PZ_DestroyMonitor(ss->ssl3HandshakeLock);
+	ss->ssl3HandshakeLock = NULL;
+    }
+    if (ss->specLock) {
+    	NSSRWLock_Destroy(ss->specLock);
+	ss->specLock = NULL;
+    }
+
+    if (ss->recvLock) {
+    	PZ_DestroyLock(ss->recvLock);
+	ss->recvLock = NULL;
+    }
+    if (ss->sendLock) {
+    	PZ_DestroyLock(ss->sendLock);
+	ss->sendLock = NULL;
+    }
+    if (ss->xmitBufLock) {
+    	PZ_DestroyMonitor(ss->xmitBufLock);
+	ss->xmitBufLock = NULL;
+    }
+    if (ss->recvBufLock) {
+    	PZ_DestroyMonitor(ss->recvBufLock);
+	ss->recvBufLock = NULL;
+    }
+}
+
+/* Caller holds any relevant locks */
+static void
+ssl_DestroySocketContents(sslSocket *ss)
+{
+    /* "i" should be of type SSLKEAType, but CC on IRIX complains during
+     * the for loop.
+     */
+    int        i;
+
+    /* Free up socket */
+    ssl_DestroySecurityInfo(&ss->sec);
+
+    ssl3_DestroySSL3Info(ss);
+
+    PORT_Free(ss->saveBuf.buf);
+    PORT_Free(ss->pendingBuf.buf);
+    ssl_DestroyGather(&ss->gs);
+
+    if (ss->peerID != NULL)
+	PORT_Free(ss->peerID);
+    if (ss->url != NULL)
+	PORT_Free((void *)ss->url);	/* CONST */
+    if (ss->cipherSpecs) {
+	PORT_Free(ss->cipherSpecs);
+	ss->cipherSpecs     = NULL;
+	ss->sizeCipherSpecs = 0;
+    }
+
+    /* Clean up server configuration */
+    for (i=kt_null; i < kt_kea_size; i++) {
+	sslServerCerts * sc = ss->serverCerts + i;
+	if (sc->serverCert != NULL)
+	    CERT_DestroyCertificate(sc->serverCert);
+	if (sc->serverCertChain != NULL)
+	    CERT_DestroyCertificateList(sc->serverCertChain);
+	if (sc->serverKeyPair != NULL)
+	    ssl3_FreeKeyPair(sc->serverKeyPair);
+    }
+    if (ss->stepDownKeyPair) {
+	ssl3_FreeKeyPair(ss->stepDownKeyPair);
+	ss->stepDownKeyPair = NULL;
+    }
+    if (ss->ephemeralECDHKeyPair) {
+	ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+	ss->ephemeralECDHKeyPair = NULL;
+    }
+}
+
+/*
+ * free an sslSocket struct, and all the stuff that hangs off of it
+ */
+void
+ssl_FreeSocket(sslSocket *ss)
+{
+#ifdef DEBUG
+    sslSocket *fs;
+    sslSocket  lSock;
+#endif
+
+/* Get every lock you can imagine!
+** Caller already holds these:
+**  SSL_LOCK_READER(ss);
+**  SSL_LOCK_WRITER(ss);
+*/
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetRecvBufLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+    ssl_GetXmitBufLock(ss);
+    ssl_GetSpecWriteLock(ss);
+
+#ifdef DEBUG
+    fs = &lSock;
+    *fs = *ss;				/* Copy the old socket structure, */
+    PORT_Memset(ss, 0x1f, sizeof *ss);  /* then blast the old struct ASAP. */
+#else
+#define fs ss
+#endif
+
+    ssl_DestroySocketContents(fs);
+
+    /* Release all the locks acquired above.  */
+    SSL_UNLOCK_READER(fs);
+    SSL_UNLOCK_WRITER(fs);
+    ssl_Release1stHandshakeLock(fs);
+    ssl_ReleaseRecvBufLock(fs);
+    ssl_ReleaseSSL3HandshakeLock(fs);
+    ssl_ReleaseXmitBufLock(fs);
+    ssl_ReleaseSpecWriteLock(fs);
+
+    ssl_DestroyLocks(fs);
+
+    PORT_Free(ss);	/* free the caller's copy, not ours. */
+    return;
+}
+#undef fs
+
+/************************************************************************/
+SECStatus 
+ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
+{
+    PRFileDesc *       osfd = ss->fd->lower;
+    SECStatus         rv = SECFailure;
+    PRSocketOptionData opt;
+
+    opt.option         = PR_SockOpt_NoDelay;
+    opt.value.no_delay = (PRBool)!enabled;
+
+    if (osfd->methods->setsocketoption) {
+        rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt);
+    } else {
+        PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    }
+
+    return rv;
+}
+
+static void
+ssl_ChooseOps(sslSocket *ss)
+{
+    ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
+}
+
+/* Called from SSL_Enable (immediately below) */
+static SECStatus
+PrepareSocket(sslSocket *ss)
+{
+    SECStatus     rv = SECSuccess;
+
+    ssl_ChooseOps(ss);
+    return rv;
+}
+
+SECStatus
+SSL_Enable(PRFileDesc *fd, int which, PRBool on)
+{
+    return SSL_OptionSet(fd, which, on);
+}
+
+static const PRCallOnceType pristineCallOnce;
+static PRCallOnceType setupBypassOnce;
+
+static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
+{
+    /* unload freeBL shared library from memory */
+    BL_Unload();
+    setupBypassOnce = pristineCallOnce;
+    return SECSuccess;
+}
+
+static PRStatus SSL_BypassRegisterShutdown(void)
+{
+    SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
+    PORT_Assert(SECSuccess == rv);
+    return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
+}
+
+static PRStatus SSL_BypassSetup(void)
+{
+    return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
+}
+
+SECStatus
+SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+    SECStatus  rv = SECSuccess;
+    PRBool     holdingLocks;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    holdingLocks = (!ss->opt.noLocks);
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    switch (which) {
+      case SSL_SOCKS:
+	ss->opt.useSocks = PR_FALSE;
+	rv = PrepareSocket(ss);
+	if (on) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	}
+	break;
+
+      case SSL_SECURITY:
+	ss->opt.useSecurity = on;
+	rv = PrepareSocket(ss);
+	break;
+
+      case SSL_REQUEST_CERTIFICATE:
+	ss->opt.requestCertificate = on;
+	break;
+
+      case SSL_REQUIRE_CERTIFICATE:
+	ss->opt.requireCertificate = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_CLIENT:
+	if ( ss->opt.handshakeAsServer && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	    break;
+	}
+	ss->opt.handshakeAsClient = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_SERVER:
+	if ( ss->opt.handshakeAsClient && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	    break;
+	}
+	ss->opt.handshakeAsServer = on;
+	break;
+
+      case SSL_ENABLE_TLS:
+	ss->opt.enableTLS       = on;
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_ENABLE_SSL3:
+	ss->opt.enableSSL3      = on;
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_ENABLE_SSL2:
+	ss->opt.enableSSL2       = on;
+	if (on) {
+	    ss->opt.v2CompatibleHello = on;
+	}
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_NO_CACHE:
+	ss->opt.noCache = on;
+	break;
+
+      case SSL_ENABLE_FDX:
+	if (on && ss->opt.noLocks) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	}
+      	ss->opt.fdx = on;
+	break;
+
+      case SSL_V2_COMPATIBLE_HELLO:
+      	ss->opt.v2CompatibleHello = on;
+	if (!on) {
+	    ss->opt.enableSSL2    = on;
+	}
+	break;
+
+      case SSL_ROLLBACK_DETECTION:  
+	ss->opt.detectRollBack = on;
+        break;
+
+      case SSL_NO_STEP_DOWN:        
+	ss->opt.noStepDown     = on;         
+	if (on) 
+	    SSL_DisableExportCipherSuites(fd);
+	break;
+
+      case SSL_BYPASS_PKCS11:
+	if (ss->handshakeBegun) {
+	    PORT_SetError(PR_INVALID_STATE_ERROR);
+	    rv = SECFailure;
+	} else {
+            if (PR_FALSE != on) {
+                if (PR_SUCCESS == SSL_BypassSetup() ) {
+                    ss->opt.bypassPKCS11   = on;
+                } else {
+                    rv = SECFailure;
+                }
+            } else {
+                ss->opt.bypassPKCS11   = PR_FALSE;
+            }
+	}
+	break;
+
+      case SSL_NO_LOCKS:
+	if (on && ss->opt.fdx) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	}
+	if (on && ssl_force_locks) 
+	    on = PR_FALSE;	/* silent override */
+	ss->opt.noLocks   = on;
+	if (on) {
+	    locksEverDisabled = PR_TRUE;
+	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+	} else if (!holdingLocks) {
+	    rv = ssl_MakeLocks(ss);
+	    if (rv != SECSuccess) {
+		ss->opt.noLocks   = PR_TRUE;
+	    }
+	}
+	break;
+
+      case SSL_ENABLE_SESSION_TICKETS:
+	ss->opt.enableSessionTickets = on;
+	break;
+
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    /* We can't use the macros for releasing the locks here,
+     * because ss->opt.noLocks might have changed just above.
+     * We must release these locks (monitors) here, if we aquired them above,
+     * regardless of the current value of ss->opt.noLocks.
+     */
+    if (holdingLocks) {
+	PZ_ExitMonitor((ss)->ssl3HandshakeLock);
+	PZ_ExitMonitor((ss)->firstHandshakeLock);
+    }
+
+    return rv;
+}
+
+SECStatus
+SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+    SECStatus  rv = SECSuccess;
+    PRBool     on = PR_FALSE;
+
+    if (!pOn) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+	*pOn = PR_FALSE;
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    switch (which) {
+    case SSL_SOCKS:               on = PR_FALSE;               break;
+    case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
+    case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
+    case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
+    case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
+    case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
+    case SSL_ENABLE_TLS:          on = ss->opt.enableTLS;          break;
+    case SSL_ENABLE_SSL3:         on = ss->opt.enableSSL3;         break;
+    case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
+    case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
+    case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
+    case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
+    case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
+    case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
+    case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
+    case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
+    case SSL_ENABLE_SESSION_TICKETS:
+	on = ss->opt.enableSessionTickets;
+	break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    *pOn = on;
+    return rv;
+}
+
+SECStatus
+SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
+{
+    SECStatus  rv = SECSuccess;
+    PRBool     on = PR_FALSE;
+
+    if (!pOn) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    switch (which) {
+    case SSL_SOCKS:               on = PR_FALSE;                        break;
+    case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
+    case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
+    case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
+    case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
+    case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
+    case SSL_ENABLE_TLS:          on = ssl_defaults.enableTLS;          break;
+    case SSL_ENABLE_SSL3:         on = ssl_defaults.enableSSL3;         break;
+    case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
+    case SSL_NO_CACHE:            on = ssl_defaults.noCache;		break;
+    case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
+    case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
+    case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
+    case SSL_NO_STEP_DOWN:        on = ssl_defaults.noStepDown;         break;
+    case SSL_BYPASS_PKCS11:       on = ssl_defaults.bypassPKCS11;       break;
+    case SSL_NO_LOCKS:            on = ssl_defaults.noLocks;            break;
+    case SSL_ENABLE_SESSION_TICKETS:
+	on = ssl_defaults.enableSessionTickets;
+	break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    *pOn = on;
+    return rv;
+}
+
+/* XXX Use Global Lock to protect this stuff. */
+SECStatus
+SSL_EnableDefault(int which, PRBool on)
+{
+    return SSL_OptionSetDefault(which, on);
+}
+
+SECStatus
+SSL_OptionSetDefault(PRInt32 which, PRBool on)
+{
+    switch (which) {
+      case SSL_SOCKS:
+	ssl_defaults.useSocks = PR_FALSE;
+	if (on) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	break;
+
+      case SSL_SECURITY:
+	ssl_defaults.useSecurity = on;
+	break;
+
+      case SSL_REQUEST_CERTIFICATE:
+	ssl_defaults.requestCertificate = on;
+	break;
+
+      case SSL_REQUIRE_CERTIFICATE:
+	ssl_defaults.requireCertificate = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_CLIENT:
+	if ( ssl_defaults.handshakeAsServer && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	ssl_defaults.handshakeAsClient = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_SERVER:
+	if ( ssl_defaults.handshakeAsClient && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	ssl_defaults.handshakeAsServer = on;
+	break;
+
+      case SSL_ENABLE_TLS:
+	ssl_defaults.enableTLS = on;
+	break;
+
+      case SSL_ENABLE_SSL3:
+	ssl_defaults.enableSSL3 = on;
+	break;
+
+      case SSL_ENABLE_SSL2:
+	ssl_defaults.enableSSL2 = on;
+	if (on) {
+	    ssl_defaults.v2CompatibleHello = on;
+	}
+	break;
+
+      case SSL_NO_CACHE:
+	ssl_defaults.noCache = on;
+	break;
+
+      case SSL_ENABLE_FDX:
+	if (on && ssl_defaults.noLocks) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+      	ssl_defaults.fdx = on;
+	break;
+
+      case SSL_V2_COMPATIBLE_HELLO:
+      	ssl_defaults.v2CompatibleHello = on;
+	if (!on) {
+	    ssl_defaults.enableSSL2    = on;
+	}
+	break;
+
+      case SSL_ROLLBACK_DETECTION:  
+	ssl_defaults.detectRollBack = on;
+	break;
+
+      case SSL_NO_STEP_DOWN:        
+	ssl_defaults.noStepDown     = on;         
+	if (on)
+	    SSL_DisableDefaultExportCipherSuites();
+	break;
+
+      case SSL_BYPASS_PKCS11:
+        if (PR_FALSE != on) {
+            if (PR_SUCCESS == SSL_BypassSetup()) {
+                ssl_defaults.bypassPKCS11   = on;
+            } else {
+                return SECFailure;
+            }
+        } else {
+            ssl_defaults.bypassPKCS11   = PR_FALSE;
+        }
+	break;
+
+      case SSL_NO_LOCKS:
+	if (on && ssl_defaults.fdx) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	if (on && ssl_force_locks) 
+	    on = PR_FALSE;		/* silent override */
+	ssl_defaults.noLocks        = on;
+	if (on) {
+	    locksEverDisabled = PR_TRUE;
+	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+	}
+	break;
+
+      case SSL_ENABLE_SESSION_TICKETS:
+	ssl_defaults.enableSessionTickets = on;
+	break;
+
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* function tells us if the cipher suite is one that we no longer support. */
+static PRBool 
+ssl_IsRemovedCipherSuite(PRInt32 suite)
+{
+    switch (suite) {
+    case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+    case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+    case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+    	return PR_TRUE;
+    default:
+    	return PR_FALSE;
+    }
+}
+
+/* Part of the public NSS API.
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ */
+SECStatus
+SSL_SetPolicy(long which, int policy)
+{
+    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
+    	/* one of the two old FIPS ciphers */
+	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
+	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+    }
+    if (ssl_IsRemovedCipherSuite(which))
+    	return SECSuccess;
+    return SSL_CipherPolicySet(which, policy);
+}
+
+SECStatus
+SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
+{
+    SECStatus rv;
+
+    if (ssl_IsRemovedCipherSuite(which)) {
+    	rv = SECSuccess;
+    } else if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_SetPolicy(which, policy);
+    } else {
+	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+    }
+    return rv;
+}
+
+SECStatus
+SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+{
+    SECStatus rv;
+
+    if (!oPolicy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (ssl_IsRemovedCipherSuite(which)) {
+	*oPolicy = SSL_NOT_ALLOWED;
+    	rv = SECSuccess;
+    } else if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_GetPolicy(which, oPolicy);
+    } else {
+	rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
+    }
+    return rv;
+}
+
+/* Part of the public NSS API.
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ * These changes have no effect on any sslSockets already created. 
+ */
+SECStatus
+SSL_EnableCipher(long which, PRBool enabled)
+{
+    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
+    	/* one of the two old FIPS ciphers */
+	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
+	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+    }
+    if (ssl_IsRemovedCipherSuite(which))
+    	return SECSuccess;
+    return SSL_CipherPrefSetDefault(which, enabled);
+}
+
+SECStatus
+SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+{
+    SECStatus rv;
+
+    if (ssl_IsRemovedCipherSuite(which))
+    	return SECSuccess;
+    if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
+    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefSetDefault(which, enabled);
+    } else {
+	rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus 
+SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
+{
+    SECStatus  rv;
+    
+    if (!enabled) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (ssl_IsRemovedCipherSuite(which)) {
+	*enabled = PR_FALSE;
+    	rv = SECSuccess;
+    } else if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefGetDefault(which, enabled);
+    } else {
+	rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus
+SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
+{
+    SECStatus rv;
+    sslSocket *ss = ssl_FindSocket(fd);
+    
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    if (ssl_IsRemovedCipherSuite(which))
+    	return SECSuccess;
+    if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
+    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefSet(ss, which, enabled);
+    } else {
+	rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus 
+SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
+{
+    SECStatus  rv;
+    sslSocket *ss = ssl_FindSocket(fd);
+    
+    if (!enabled) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
+	*enabled = PR_FALSE;
+	return SECFailure;
+    }
+    if (ssl_IsRemovedCipherSuite(which)) {
+	*enabled = PR_FALSE;
+    	rv = SECSuccess;
+    } else if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefGet(ss, which, enabled);
+    } else {
+	rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus
+NSS_SetDomesticPolicy(void)
+{
+#ifndef EXPORT_VERSION
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+#else
+    return NSS_SetExportPolicy();
+#endif
+}
+
+SECStatus
+NSS_SetExportPolicy(void)
+{
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, policy->export);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+}
+
+SECStatus
+NSS_SetFrancePolicy(void)
+{
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, policy->france);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+}
+
+
+
+/* LOCKS ??? XXX */
+PRFileDesc *
+SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
+{
+    sslSocket * ns = NULL;
+    PRStatus    rv;
+    PRNetAddr   addr;
+
+    if (model == NULL) {
+	/* Just create a default socket if we're given NULL for the model */
+	ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks));
+    } else {
+	sslSocket * ss = ssl_FindSocket(model);
+	if (ss == NULL) {
+	    SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 
+	    	      SSL_GETPID(), model));
+	    return NULL;
+	}
+	ns = ssl_DupSocket(ss);
+    }
+    if (ns == NULL)
+    	return NULL;
+
+    rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
+    if (rv != PR_SUCCESS) {
+	ssl_FreeSocket(ns);
+	SET_ERROR_CODE
+	return NULL;
+    }
+#ifdef _WIN32
+    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
+#endif
+    ns = ssl_FindSocket(fd);
+    PORT_Assert(ns);
+    if (ns)
+	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
+    return fd;
+}
+
+/************************************************************************/
+/* The following functions are the TOP LEVEL SSL functions.
+** They all get called through the NSPRIOMethods table below.
+*/
+
+static PRFileDesc * PR_CALLBACK
+ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
+{
+    sslSocket  *ss;
+    sslSocket  *ns 	= NULL;
+    PRFileDesc *newfd 	= NULL;
+    PRFileDesc *osfd;
+    PRStatus    status;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
+	return NULL;
+    }
+
+    /* IF this is a listen socket, there shouldn't be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->cTimeout = timeout;
+
+    osfd = ss->fd->lower;
+
+    /* First accept connection */
+    newfd = osfd->methods->accept(osfd, sockaddr, timeout);
+    if (newfd == NULL) {
+	SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
+		 SSL_GETPID(), ss->fd, PORT_GetError()));
+    } else {
+	/* Create ssl module */
+	ns = ssl_DupSocket(ss);
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);			/* ss isn't used below here. */
+
+    if (ns == NULL)
+	goto loser;
+
+    /* push ssl module onto the new socket */
+    status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
+    if (status != PR_SUCCESS)
+	goto loser;
+
+    /* Now start server connection handshake with client.
+    ** Don't need locks here because nobody else has a reference to ns yet.
+    */
+    if ( ns->opt.useSecurity ) {
+	if ( ns->opt.handshakeAsClient ) {
+	    ns->handshake = ssl2_BeginClientHandshake;
+	    ss->handshaking = sslHandshakingAsClient;
+	} else {
+	    ns->handshake = ssl2_BeginServerHandshake;
+	    ss->handshaking = sslHandshakingAsServer;
+	}
+    }
+    ns->TCPconnected = 1;
+    return newfd;
+
+loser:
+    if (ns != NULL)
+	ssl_FreeSocket(ns);
+    if (newfd != NULL)
+	PR_Close(newfd);
+    return NULL;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    PRStatus   rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+
+    /* IF this is a listen socket, there shouldn't be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    ss->cTimeout = timeout;
+    rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
+#ifdef _WIN32
+    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
+#endif
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    rv = (PRStatus)(*ss->ops->bind)(ss, addr);
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Listen(PRFileDesc *fd, PRIntn backlog)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Shutdown(PRFileDesc *fd, PRIntn how)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
+    	SSL_LOCK_READER(ss);
+    }
+    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
+    	SSL_LOCK_WRITER(ss);
+    }
+
+    rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
+
+    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
+    	SSL_UNLOCK_WRITER(ss);
+    }
+    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
+    	SSL_UNLOCK_READER(ss);
+    }
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Close(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    PRStatus   rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+
+    /* There must not be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    /* By the time this function returns, 
+    ** ss is an invalid pointer, and the locks to which it points have 
+    ** been unlocked and freed.  So, this is the ONE PLACE in all of SSL
+    ** where the LOCK calls and the corresponding UNLOCK calls are not in
+    ** the same function scope.  The unlock calls are in ssl_FreeSocket().
+    */
+    rv = (PRStatus)(*ss->ops->close)(ss);
+
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
+	 PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_READER(ss);
+    ss->rTimeout = timeout;
+    if (!ss->opt.fdx)
+	ss->wTimeout = timeout;
+    rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
+	 PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_WRITER(ss);
+    ss->wTimeout = timeout;
+    if (!ss->opt.fdx)
+	ss->rTimeout = timeout;
+    rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
+    SSL_UNLOCK_WRITER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_READER(ss);
+    ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+    if (!ss->opt.fdx)
+	ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+    rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_WRITER(ss);
+    ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+    if (!ss->opt.fdx)
+	ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+    rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
+    SSL_UNLOCK_WRITER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
+{
+    sslSocket *ss;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    return (PRStatus)(*ss->ops->getpeername)(ss, addr);
+}
+
+/*
+*/
+SECStatus
+ssl_GetPeerInfo(sslSocket *ss)
+{
+    PRFileDesc *      osfd;
+    int               rv;
+    PRNetAddr         sin;
+
+    osfd = ss->fd->lower;
+
+    PORT_Memset(&sin, 0, sizeof(sin));
+    rv = osfd->methods->getpeername(osfd, &sin);
+    if (rv < 0) {
+	return SECFailure;
+    }
+    ss->TCPconnected = 1;
+    if (sin.inet.family == PR_AF_INET) {
+        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
+	ss->sec.ci.port = sin.inet.port;
+    } else if (sin.ipv6.family == PR_AF_INET6) {
+	ss->sec.ci.peer = sin.ipv6.ip;
+	ss->sec.ci.port = sin.ipv6.port;
+    } else {
+	PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
+    	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static PRStatus PR_CALLBACK
+ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
+{
+    sslSocket *ss;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    return (PRStatus)(*ss->ops->getsockname)(ss, name);
+}
+
+SECStatus PR_CALLBACK
+SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ss->peerID = PORT_Strdup(peerID);
+    return SECSuccess;
+}
+
+#define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
+
+static PRInt16 PR_CALLBACK
+ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
+{
+    sslSocket *ss;
+    PRInt16    new_flags = how_flags;	/* should select on these flags. */
+    PRNetAddr  addr;
+
+    *p_out_flags = 0;
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
+		 SSL_GETPID(), fd));
+	return 0;	/* don't poll on this socket */
+    }
+
+    if (ss->opt.useSecurity && 
+	ss->handshaking != sslHandshakingUndetermined &&
+        !ss->firstHsDone &&
+	(how_flags & PR_POLL_RW)) {
+	if (!ss->TCPconnected) {
+	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
+	}
+	/* If it's not connected, then presumably the application is polling
+	** on read or write appropriately, so don't change it. 
+	*/
+	if (ss->TCPconnected) {
+	    if (!ss->handshakeBegun) {
+		/* If the handshake has not begun, poll on read or write 
+		** based on the local application's role in the handshake,
+		** not based on what the application requested.
+		*/
+		new_flags &= ~PR_POLL_RW;
+		if (ss->handshaking == sslHandshakingAsClient) {
+		    new_flags |= PR_POLL_WRITE;
+		} else { /* handshaking as server */
+		    new_flags |= PR_POLL_READ;
+		}
+	    } else 
+	    /* First handshake is in progress */
+	    if (ss->lastWriteBlocked) {
+		if (new_flags & PR_POLL_READ) {
+		    /* The caller is waiting for data to be received, 
+		    ** but the initial handshake is blocked on write, or the 
+		    ** client's first handshake record has not been written.
+		    ** The code should select on write, not read.
+		    */
+		    new_flags ^=  PR_POLL_READ;	   /* don't select on read. */
+		    new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
+		}
+	    } else if (new_flags & PR_POLL_WRITE) {
+		    /* The caller is trying to write, but the handshake is 
+		    ** blocked waiting for data to read, and the first 
+		    ** handshake has been sent.  so do NOT to poll on write.
+		    */
+		    new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
+		    new_flags |=  PR_POLL_READ;	   /* do    select on read. */
+	    }
+	}
+    } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
+	*p_out_flags = PR_POLL_READ;	/* it's ready already. */
+	return new_flags;
+    } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
+	       (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
+	new_flags |=  PR_POLL_WRITE;   /* also select on write. */
+    } 
+    if (new_flags && (fd->lower->methods->poll != NULL)) {
+	PRInt16    lower_out_flags = 0;
+	PRInt16    lower_new_flags;
+        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 
+					           &lower_out_flags);
+	if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
+	    PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
+	    if (lower_out_flags & PR_POLL_READ) 
+		out_flags |= PR_POLL_WRITE;
+	    if (lower_out_flags & PR_POLL_WRITE) 
+		out_flags |= PR_POLL_READ;
+	    *p_out_flags = out_flags;
+	    new_flags = how_flags;
+	} else {
+	    *p_out_flags = lower_out_flags;
+	    new_flags    = lower_new_flags;
+	}
+    }
+
+    return new_flags;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
+		 const void *headers, PRInt32 hlen,
+		 PRTransmitFileFlags flags, PRIntervalTime timeout)
+{
+    PRSendFileData sfd;
+
+    sfd.fd = fd;
+    sfd.file_offset = 0;
+    sfd.file_nbytes = 0;
+    sfd.header = headers;
+    sfd.hlen = hlen;
+    sfd.trailer = NULL;
+    sfd.tlen = 0;
+
+    return sd->methods->sendfile(sd, &sfd, flags, timeout);
+}
+
+
+PRBool
+ssl_FdIsBlocking(PRFileDesc *fd)
+{
+    PRSocketOptionData opt;
+    PRStatus           status;
+
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    status = PR_GetSocketOption(fd, &opt);
+    if (status != PR_SUCCESS)
+	return PR_FALSE;
+    return (PRBool)!opt.value.non_blocking;
+}
+
+PRBool
+ssl_SocketIsBlocking(sslSocket *ss)
+{
+    return ssl_FdIsBlocking(ss->fd);
+}
+
+PRInt32  sslFirstBufSize = 8 * 1024;
+PRInt32  sslCopyLimit    = 1024;
+
+static PRInt32 PR_CALLBACK
+ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
+           PRIntervalTime timeout)
+{
+    PRInt32            bufLen;
+    PRInt32            left;
+    PRInt32            rv;
+    PRInt32            sent      =  0;
+    const PRInt32      first_len = sslFirstBufSize;
+    const PRInt32      limit     = sslCopyLimit;
+    PRBool             blocking;
+    PRIOVec            myIov	 = { 0, 0 };
+    char               buf[MAX_FRAGMENT_LENGTH];
+
+    if (vectors > PR_MAX_IOVECTOR_SIZE) {
+    	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+	return -1;
+    }
+    blocking = ssl_FdIsBlocking(fd);
+
+#define K16 sizeof(buf)
+#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
+#define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
+#define HANDLE_ERR(rv, len) \
+    if (rv != len) { \
+	if (rv < 0) { \
+	    if (!blocking \
+		&& (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
+		&& (sent > 0)) { \
+		return sent; \
+	    } else { \
+		return -1; \
+	    } \
+	} \
+	/* Only a nonblocking socket can have partial sends */ \
+	PR_ASSERT(!blocking); \
+	return sent + rv; \
+    } 
+#define SEND(bfr, len) \
+    do { \
+	rv = ssl_Send(fd, bfr, len, 0, timeout); \
+	HANDLE_ERR(rv, len) \
+	sent += len; \
+    } while (0)
+
+    /* Make sure the first write is at least 8 KB, if possible. */
+    KILL_VECTORS
+    if (!vectors)
+	return ssl_Send(fd, 0, 0, 0, timeout);
+    GET_VECTOR;
+    if (!vectors) {
+	return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
+    }
+    if (myIov.iov_len < first_len) {
+	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+	bufLen = myIov.iov_len;
+	left = first_len - bufLen;
+	while (vectors && left) {
+	    int toCopy;
+	    GET_VECTOR;
+	    toCopy = PR_MIN(left, myIov.iov_len);
+	    PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
+	    bufLen         += toCopy;
+	    left           -= toCopy;
+	    myIov.iov_base += toCopy;
+	    myIov.iov_len  -= toCopy;
+	}
+	SEND( buf, bufLen );
+    }
+
+    while (vectors || myIov.iov_len) {
+	PRInt32   addLen;
+	if (!myIov.iov_len) {
+	    GET_VECTOR;
+	}
+	while (myIov.iov_len >= K16) {
+	    SEND(myIov.iov_base, K16);
+	    myIov.iov_base += K16;
+	    myIov.iov_len  -= K16;
+	}
+	if (!myIov.iov_len)
+	    continue;
+
+	if (!vectors || myIov.iov_len > limit) {
+	    addLen = 0;
+	} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
+	    /* Addlen is already computed. */;
+	} else if (vectors > 1 && 
+	     iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
+	     addLen = limit - myIov.iov_len;
+	} else 
+	    addLen = 0;
+
+	if (!addLen) {
+	    SEND( myIov.iov_base, myIov.iov_len );
+	    myIov.iov_len = 0;
+	    continue;
+	}
+	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+	bufLen = myIov.iov_len;
+	do {
+	    GET_VECTOR;
+	    PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
+	    myIov.iov_base += addLen;
+	    myIov.iov_len  -= addLen;
+	    bufLen         += addLen;
+
+	    left = PR_MIN( limit, K16 - bufLen);
+	    if (!vectors 		/* no more left */
+	    ||  myIov.iov_len > 0	/* we didn't use that one all up */
+	    ||  bufLen >= K16		/* it's full. */
+	    ) {
+		addLen = 0;
+	    } else if ((addLen = iov->iov_len % K16) <= left) {
+		/* Addlen is already computed. */;
+	    } else if (vectors > 1 && 
+		 iov[1].iov_len % K16 + addLen <= left + limit) {
+		 addLen = left;
+	    } else 
+		addLen = 0;
+
+	} while (addLen);
+	SEND( buf, bufLen );
+    } 
+    return sent;
+}
+
+/*
+ * These functions aren't implemented.
+ */
+
+static PRInt32 PR_CALLBACK
+ssl_Available(PRFileDesc *fd)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt64 PR_CALLBACK
+ssl_Available64(PRFileDesc *fd)
+{
+    PRInt64 res;
+
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    LL_I2L(res, -1L);
+    return res;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FSync(PRFileDesc *fd)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt64 PR_CALLBACK
+ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
+    PRInt64 res;
+
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    LL_I2L(res, -1L);
+    return res;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
+	     PRNetAddr *addr, PRIntervalTime timeout)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
+	   const PRNetAddr *addr, PRIntervalTime timeout)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static const PRIOMethods ssl_methods = {
+    PR_DESC_LAYERED,
+    ssl_Close,           	/* close        */
+    ssl_Read,            	/* read         */
+    ssl_Write,           	/* write        */
+    ssl_Available,       	/* available    */
+    ssl_Available64,     	/* available64  */
+    ssl_FSync,           	/* fsync        */
+    ssl_Seek,            	/* seek         */
+    ssl_Seek64,          	/* seek64       */
+    ssl_FileInfo,        	/* fileInfo     */
+    ssl_FileInfo64,      	/* fileInfo64   */
+    ssl_WriteV,          	/* writev       */
+    ssl_Connect,         	/* connect      */
+    ssl_Accept,          	/* accept       */
+    ssl_Bind,            	/* bind         */
+    ssl_Listen,          	/* listen       */
+    ssl_Shutdown,        	/* shutdown     */
+    ssl_Recv,            	/* recv         */
+    ssl_Send,            	/* send         */
+    ssl_RecvFrom,        	/* recvfrom     */
+    ssl_SendTo,          	/* sendto       */
+    ssl_Poll,            	/* poll         */
+    PR_EmulateAcceptRead,       /* acceptread   */
+    ssl_TransmitFile,           /* transmitfile */
+    ssl_GetSockName,     	/* getsockname  */
+    ssl_GetPeerName,     	/* getpeername  */
+    NULL,                	/* getsockopt   OBSOLETE */
+    NULL,                	/* setsockopt   OBSOLETE */
+    NULL,                	/* getsocketoption   */
+    NULL,                	/* setsocketoption   */
+    PR_EmulateSendFile, 	/* Send a (partial) file with header/trailer*/
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL                 	/* reserved for future use */
+};
+
+
+static PRIOMethods combined_methods;
+
+static void
+ssl_SetupIOMethods(void)
+{
+          PRIOMethods *new_methods  = &combined_methods;
+    const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
+    const PRIOMethods *my_methods   = &ssl_methods;
+
+    *new_methods = *nspr_methods;
+
+    new_methods->file_type         = my_methods->file_type;
+    new_methods->close             = my_methods->close;
+    new_methods->read              = my_methods->read;
+    new_methods->write             = my_methods->write;
+    new_methods->available         = my_methods->available;
+    new_methods->available64       = my_methods->available64;
+    new_methods->fsync             = my_methods->fsync;
+    new_methods->seek              = my_methods->seek;
+    new_methods->seek64            = my_methods->seek64;
+    new_methods->fileInfo          = my_methods->fileInfo;
+    new_methods->fileInfo64        = my_methods->fileInfo64;
+    new_methods->writev            = my_methods->writev;
+    new_methods->connect           = my_methods->connect;
+    new_methods->accept            = my_methods->accept;
+    new_methods->bind              = my_methods->bind;
+    new_methods->listen            = my_methods->listen;
+    new_methods->shutdown          = my_methods->shutdown;
+    new_methods->recv              = my_methods->recv;
+    new_methods->send              = my_methods->send;
+    new_methods->recvfrom          = my_methods->recvfrom;
+    new_methods->sendto            = my_methods->sendto;
+    new_methods->poll              = my_methods->poll;
+    new_methods->acceptread        = my_methods->acceptread;
+    new_methods->transmitfile      = my_methods->transmitfile;
+    new_methods->getsockname       = my_methods->getsockname;
+    new_methods->getpeername       = my_methods->getpeername;
+/*  new_methods->getsocketoption   = my_methods->getsocketoption;	*/
+/*  new_methods->setsocketoption   = my_methods->setsocketoption;	*/
+    new_methods->sendfile          = my_methods->sendfile;
+
+}
+
+static PRCallOnceType initIoLayerOnce;
+
+static PRStatus  
+ssl_InitIOLayer(void)
+{
+    ssl_layer_id = PR_GetUniqueIdentity("SSL");
+    ssl_SetupIOMethods();
+    ssl_inited = PR_TRUE;
+    return PR_SUCCESS;
+}
+
+static PRStatus
+ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
+{
+    PRFileDesc *layer	= NULL;
+    PRStatus    status;
+
+    if (!ssl_inited) {
+	PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+    }
+
+    if (ns == NULL)
+	goto loser;
+
+    layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
+    if (layer == NULL)
+	goto loser;
+    layer->secret = (PRFilePrivate *)ns;
+
+    /* Here, "stack" points to the PRFileDesc on the top of the stack.
+    ** "layer" points to a new FD that is to be inserted into the stack.
+    ** If layer is being pushed onto the top of the stack, then 
+    ** PR_PushIOLayer switches the contents of stack and layer, and then
+    ** puts stack on top of layer, so that after it is done, the top of 
+    ** stack is the same "stack" as it was before, and layer is now the 
+    ** FD for the former top of stack.
+    ** After this call, stack always points to the top PRFD on the stack.
+    ** If this function fails, the contents of stack and layer are as 
+    ** they were before the call.
+    */
+    status = PR_PushIOLayer(stack, id, layer);
+    if (status != PR_SUCCESS)
+	goto loser;
+
+    ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
+    return PR_SUCCESS;
+
+loser:
+    if (layer) {
+	layer->dtor(layer); /* free layer */
+    }
+    return PR_FAILURE;
+}
+
+/* if this fails, caller must destroy socket. */
+static SECStatus
+ssl_MakeLocks(sslSocket *ss)
+{
+    ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
+    if (!ss->firstHandshakeLock) 
+	goto loser;
+    ss->ssl3HandshakeLock  = PZ_NewMonitor(nssILockSSL);
+    if (!ss->ssl3HandshakeLock) 
+	goto loser;
+    ss->specLock           = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
+    if (!ss->specLock) 
+	goto loser;
+    ss->recvBufLock        = PZ_NewMonitor(nssILockSSL);
+    if (!ss->recvBufLock) 
+	goto loser;
+    ss->xmitBufLock        = PZ_NewMonitor(nssILockSSL);
+    if (!ss->xmitBufLock) 
+	goto loser;
+    ss->writerThread       = NULL;
+    if (ssl_lock_readers) {
+	ss->recvLock       = PZ_NewLock(nssILockSSL);
+	if (!ss->recvLock) 
+	    goto loser;
+	ss->sendLock       = PZ_NewLock(nssILockSSL);
+	if (!ss->sendLock) 
+	    goto loser;
+    }
+    return SECSuccess;
+loser:
+    ssl_DestroyLocks(ss);
+    return SECFailure;
+}
+
+#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
+#define NSS_HAVE_GETENV 1
+#endif
+
+/*
+** Create a newsocket structure for a file descriptor.
+*/
+static sslSocket *
+ssl_NewSocket(PRBool makeLocks)
+{
+    sslSocket *ss;
+#if defined( NSS_HAVE_GETENV )
+    static int firsttime = 1;
+
+    if (firsttime) {
+	char * ev;
+	firsttime = 0;
+#ifdef DEBUG
+	ev = getenv("SSLDEBUGFILE");
+	if (ev && ev[0]) {
+	    ssl_trace_iob = fopen(ev, "w");
+	}
+	if (!ssl_trace_iob) {
+	    ssl_trace_iob = stderr;
+	}
+#ifdef TRACE
+	ev = getenv("SSLTRACE");
+	if (ev && ev[0]) {
+	    ssl_trace = atoi(ev);
+	    SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
+	}
+#endif /* TRACE */
+	ev = getenv("SSLDEBUG");
+	if (ev && ev[0]) {
+	    ssl_debug = atoi(ev);
+	    SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
+	}
+#endif /* DEBUG */
+	ev = getenv("SSLBYPASS");
+	if (ev && ev[0]) {
+	    ssl_defaults.bypassPKCS11 = (ev[0] == '1');
+	    SSL_TRACE(("SSL: bypass default set to %d", \
+		      ssl_defaults.bypassPKCS11));
+	}
+	ev = getenv("SSLFORCELOCKS");
+	if (ev && ev[0] == '1') {
+	    ssl_force_locks = PR_TRUE;
+	    ssl_defaults.noLocks = 0;
+	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
+	    SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
+	}
+    }
+#endif /* NSS_HAVE_GETENV */
+    if (ssl_force_locks)
+	makeLocks = PR_TRUE;
+
+    /* Make a new socket and get it ready */
+    ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
+    if (ss) {
+        /* This should be of type SSLKEAType, but CC on IRIX
+	 * complains during the for loop.
+	 */
+	int i;
+	SECStatus status;
+ 
+	ss->opt                = ssl_defaults;
+	ss->opt.useSocks       = PR_FALSE;
+	ss->opt.noLocks        = !makeLocks;
+
+	ss->peerID             = NULL;
+	ss->rTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->wTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->cTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->cipherSpecs        = NULL;
+        ss->sizeCipherSpecs    = 0;  /* produced lazily */
+        ss->preferredCipher    = NULL;
+        ss->url                = NULL;
+
+	for (i=kt_null; i < kt_kea_size; i++) {
+	    sslServerCerts * sc = ss->serverCerts + i;
+	    sc->serverCert      = NULL;
+	    sc->serverCertChain = NULL;
+	    sc->serverKeyPair   = NULL;
+	    sc->serverKeyBits   = 0;
+	}
+	ss->stepDownKeyPair    = NULL;
+	ss->dbHandle           = CERT_GetDefaultCertDB();
+
+	/* Provide default implementation of hooks */
+	ss->authCertificate    = SSL_AuthCertificate;
+	ss->authCertificateArg = (void *)ss->dbHandle;
+	ss->getClientAuthData  = NULL;
+	ss->handleBadCert      = NULL;
+	ss->badCertArg         = NULL;
+	ss->pkcs11PinArg       = NULL;
+
+	ssl_ChooseOps(ss);
+	ssl2_InitSocketPolicy(ss);
+	ssl3_InitSocketPolicy(ss);
+
+	if (makeLocks) {
+	    status = ssl_MakeLocks(ss);
+	    if (status != SECSuccess)
+		goto loser;
+	}
+	status = ssl_CreateSecurityInfo(ss);
+	if (status != SECSuccess) 
+	    goto loser;
+	status = ssl_InitGather(&ss->gs);
+	if (status != SECSuccess) {
+loser:
+	    ssl_DestroySocketContents(ss);
+	    ssl_DestroyLocks(ss);
+	    PORT_Free(ss);
+	    ss = NULL;
+	}
+    }
+    return ss;
+}
+
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
new file mode 100644
index 000000000..59de25955
--- /dev/null
+++ b/security/nss/lib/ssl/sslt.h
@@ -0,0 +1,180 @@
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef __sslt_h_
+#define __sslt_h_
+
+#include "prtypes.h"
+
+typedef struct SSL3StatisticsStr {
+    /* statistics from ssl3_SendClientHello (sch) */
+    long sch_sid_cache_hits;
+    long sch_sid_cache_misses;
+    long sch_sid_cache_not_ok;
+
+    /* statistics from ssl3_HandleServerHello (hsh) */
+    long hsh_sid_cache_hits;
+    long hsh_sid_cache_misses;
+    long hsh_sid_cache_not_ok;
+
+    /* statistics from ssl3_HandleClientHello (hch) */
+    long hch_sid_cache_hits;
+    long hch_sid_cache_misses;
+    long hch_sid_cache_not_ok;
+
+    /* statistics related to stateless resume */
+    long sch_sid_stateless_resumes;
+    long hsh_sid_stateless_resumes;
+    long hch_sid_stateless_resumes;
+    long hch_sid_ticket_parse_failures;
+} SSL3Statistics;
+
+/* Key Exchange algorithm values */
+typedef enum {
+    ssl_kea_null     = 0,
+    ssl_kea_rsa      = 1,
+    ssl_kea_dh       = 2,
+    ssl_kea_fortezza = 3,       /* deprecated, now unused */
+    ssl_kea_ecdh     = 4,
+    ssl_kea_size		/* number of ssl_kea_ algorithms */
+} SSLKEAType;
+
+/* The following defines are for backwards compatibility.
+** They will be removed in a forthcoming release to reduce namespace pollution.
+** programs that use the kt_ symbols should convert to the ssl_kt_ symbols
+** soon.
+*/
+#define kt_null   	ssl_kea_null
+#define kt_rsa   	ssl_kea_rsa
+#define kt_dh   	ssl_kea_dh
+#define kt_fortezza	ssl_kea_fortezza       /* deprecated, now unused */
+#define kt_ecdh   	ssl_kea_ecdh
+#define kt_kea_size	ssl_kea_size
+
+typedef enum {
+    ssl_sign_null   = 0, 
+    ssl_sign_rsa    = 1,
+    ssl_sign_dsa    = 2,
+    ssl_sign_ecdsa  = 3
+} SSLSignType;
+
+typedef enum {
+    ssl_auth_null   = 0, 
+    ssl_auth_rsa    = 1,
+    ssl_auth_dsa    = 2,
+    ssl_auth_kea    = 3,
+    ssl_auth_ecdsa  = 4
+} SSLAuthType;
+
+typedef enum {
+    ssl_calg_null     = 0,
+    ssl_calg_rc4      = 1,
+    ssl_calg_rc2      = 2,
+    ssl_calg_des      = 3,
+    ssl_calg_3des     = 4,
+    ssl_calg_idea     = 5,
+    ssl_calg_fortezza = 6,      /* deprecated, now unused */
+    ssl_calg_aes      = 7,      /* coming soon */
+    ssl_calg_camellia = 8
+} SSLCipherAlgorithm;
+
+typedef enum { 
+    ssl_mac_null      = 0, 
+    ssl_mac_md5       = 1, 
+    ssl_mac_sha       = 2, 
+    ssl_hmac_md5      = 3, 	/* TLS HMAC version of mac_md5 */
+    ssl_hmac_sha      = 4 	/* TLS HMAC version of mac_sha */
+} SSLMACAlgorithm;
+
+typedef struct SSLChannelInfoStr {
+    PRUint32             length;
+    PRUint16             protocolVersion;
+    PRUint16             cipherSuite;
+
+    /* server authentication info */
+    PRUint32             authKeyBits;
+
+    /* key exchange algorithm info */
+    PRUint32             keaKeyBits;
+
+    /* session info */
+    PRUint32             creationTime;		/* seconds since Jan 1, 1970 */
+    PRUint32             lastAccessTime;	/* seconds since Jan 1, 1970 */
+    PRUint32             expirationTime;	/* seconds since Jan 1, 1970 */
+    PRUint32             sessionIDLength;	/* up to 32 */
+    PRUint8              sessionID    [32];
+} SSLChannelInfo;
+
+typedef struct SSLCipherSuiteInfoStr {
+    PRUint16             length;
+    PRUint16             cipherSuite;
+
+    /* Cipher Suite Name */
+    const char *         cipherSuiteName;
+
+    /* server authentication info */
+    const char *         authAlgorithmName;
+    SSLAuthType          authAlgorithm;
+
+    /* key exchange algorithm info */
+    const char *         keaTypeName;
+    SSLKEAType           keaType;
+
+    /* symmetric encryption info */
+    const char *         symCipherName;
+    SSLCipherAlgorithm   symCipher;
+    PRUint16             symKeyBits;
+    PRUint16             symKeySpace;
+    PRUint16             effectiveKeyBits;
+
+    /* MAC info */
+    const char *         macAlgorithmName;
+    SSLMACAlgorithm      macAlgorithm;
+    PRUint16             macBits;
+
+    PRUintn              isFIPS       : 1;
+    PRUintn              isExportable : 1;
+    PRUintn              nonStandard  : 1;
+    PRUintn              reservedBits :29;
+
+} SSLCipherSuiteInfo;
+
+#endif /* __sslt_h_ */
diff --git a/security/nss/lib/ssl/ssltrace.c b/security/nss/lib/ssl/ssltrace.c
new file mode 100644
index 000000000..30d25f2f9
--- /dev/null
+++ b/security/nss/lib/ssl/ssltrace.c
@@ -0,0 +1,276 @@
+/*
+ * Functions to trace SSL protocol behavior in DEBUG builds.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include <stdarg.h>
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "prprf.h"
+
+#if defined(DEBUG) || defined(TRACE)
+static const char *hex = "0123456789abcdef";
+
+static const char printable[257] = {
+	"................"	/* 0x */
+	"................"	/* 1x */
+	" !\"#$%&'()*+,-./"	/* 2x */
+	"0123456789:;<=>?"	/* 3x */
+	"@ABCDEFGHIJKLMNO"	/* 4x */
+	"PQRSTUVWXYZ[\\]^_"	/* 5x */
+	"`abcdefghijklmno"	/* 6x */
+	"pqrstuvwxyz{|}~."	/* 7x */
+	"................"	/* 8x */
+	"................"	/* 9x */
+	"................"	/* ax */
+	"................"	/* bx */
+	"................"	/* cx */
+	"................"	/* dx */
+	"................"	/* ex */
+	"................"	/* fx */
+};
+
+void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
+{
+    const unsigned char *cp = (const unsigned char *)vp;
+    char buf[80];
+    char *bp;
+    char *ap;
+
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]", SSL_GETPID(), ss->fd,
+		   msg, len));
+    } else {
+	SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
+    }
+    memset(buf, ' ', sizeof buf);
+    bp = buf;
+    ap = buf + 50;
+    while (--len >= 0) {
+	unsigned char ch = *cp++;
+	*bp++ = hex[(ch >> 4) & 0xf];
+	*bp++ = hex[ch & 0xf];
+	*bp++ = ' ';
+	*ap++ = printable[ch];
+	if (ap - buf >= 66) {
+	    *ap = 0;
+	    SSL_TRACE(("   %s", buf));
+	    memset(buf, ' ', sizeof buf);
+	    bp = buf;
+	    ap = buf + 50;
+	}
+    }
+    if (bp > buf) {
+	*ap = 0;
+	SSL_TRACE(("   %s", buf));
+    }
+}
+
+#define LEN(cp)		(((cp)[0] << 8) | ((cp)[1]))
+
+static void PrintType(sslSocket *ss, char *msg)
+{
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd,
+		   msg));
+    } else {
+	SSL_TRACE(("%d: SSL: dump-msg: %s", SSL_GETPID(), msg));
+    }
+}
+
+static void PrintInt(sslSocket *ss, char *msg, unsigned v)
+{
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]:           %s=%u", SSL_GETPID(), ss->fd,
+		   msg, v));
+    } else {
+	SSL_TRACE(("%d: SSL:           %s=%u", SSL_GETPID(), msg, v));
+    }
+}
+
+/* PrintBuf is just like ssl_PrintBuf above, except that:
+ * a) It prefixes each line of the buffer with "XX: SSL[xxx]           "
+ * b) It dumps only hex, not ASCII.
+ */
+static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
+{
+    char buf[80];
+    char *bp;
+
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]:           %s [Len: %d]", 
+		   SSL_GETPID(), ss->fd, msg, len));
+    } else {
+	SSL_TRACE(("%d: SSL:           %s [Len: %d]", 
+		   SSL_GETPID(), msg, len));
+    }
+    bp = buf;
+    while (--len >= 0) {
+	unsigned char ch = *cp++;
+	*bp++ = hex[(ch >> 4) & 0xf];
+	*bp++ = hex[ch & 0xf];
+	*bp++ = ' ';
+	if (bp + 4 > buf + 50) {
+	    *bp = 0;
+	    if (ss) {
+		SSL_TRACE(("%d: SSL[%d]:             %s",
+			   SSL_GETPID(), ss->fd, buf));
+	    } else {
+		SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
+	    }
+	    bp = buf;
+	}
+    }
+    if (bp > buf) {
+	*bp = 0;
+	if (ss) {
+	    SSL_TRACE(("%d: SSL[%d]:             %s",
+		       SSL_GETPID(), ss->fd, buf));
+	} else {
+	    SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
+	}
+    }
+}
+
+void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
+{
+    switch (bp[0]) {
+      case SSL_MT_ERROR:
+	PrintType(ss, "Error");
+	PrintInt(ss, "error", LEN(bp+1));
+	break;
+
+      case SSL_MT_CLIENT_HELLO:
+	{
+	    unsigned lcs = LEN(bp+3);
+	    unsigned ls  = LEN(bp+5);
+	    unsigned lc  = LEN(bp+7);
+
+	    PrintType(ss, "Client-Hello");
+
+	    PrintInt(ss, "version (Major)",                   bp[1]);
+	    PrintInt(ss, "version (minor)",                   bp[2]);
+
+	    PrintBuf(ss, "cipher-specs",         bp+9,        lcs);
+	    PrintBuf(ss, "session-id",           bp+9+lcs,    ls);
+	    PrintBuf(ss, "challenge",            bp+9+lcs+ls, lc);
+	}
+	break;
+      case SSL_MT_CLIENT_MASTER_KEY:
+	{
+	    unsigned lck = LEN(bp+4);
+	    unsigned lek = LEN(bp+6);
+	    unsigned lka = LEN(bp+8);
+
+	    PrintType(ss, "Client-Master-Key");
+
+	    PrintInt(ss, "cipher-choice",                       bp[1]);
+	    PrintInt(ss, "key-length",                          LEN(bp+2));
+
+	    PrintBuf(ss, "clear-key",            bp+10,         lck);
+	    PrintBuf(ss, "encrypted-key",        bp+10+lck,     lek);
+	    PrintBuf(ss, "key-arg",              bp+10+lck+lek, lka);
+	}
+	break;
+      case SSL_MT_CLIENT_FINISHED:
+	PrintType(ss, "Client-Finished");
+	PrintBuf(ss, "connection-id",            bp+1,          len-1);
+	break;
+      case SSL_MT_SERVER_HELLO:
+	{
+	    unsigned lc = LEN(bp+5);
+	    unsigned lcs = LEN(bp+7);
+	    unsigned lci = LEN(bp+9);
+
+	    PrintType(ss, "Server-Hello");
+
+	    PrintInt(ss, "session-id-hit",                     bp[1]);
+	    PrintInt(ss, "certificate-type",                   bp[2]);
+	    PrintInt(ss, "version (Major)",                    bp[3]);
+	    PrintInt(ss, "version (minor)",                    bp[3]);
+	    PrintBuf(ss, "certificate",          bp+11,        lc);
+	    PrintBuf(ss, "cipher-specs",         bp+11+lc,     lcs);
+	    PrintBuf(ss, "connection-id",        bp+11+lc+lcs, lci);
+	}
+	break;
+      case SSL_MT_SERVER_VERIFY:
+	PrintType(ss, "Server-Verify");
+	PrintBuf(ss, "challenge",                bp+1,         len-1);
+	break;
+      case SSL_MT_SERVER_FINISHED:
+	PrintType(ss, "Server-Finished");
+	PrintBuf(ss, "session-id",               bp+1,         len-1);
+	break;
+      case SSL_MT_REQUEST_CERTIFICATE:
+	PrintType(ss, "Request-Certificate");
+	PrintInt(ss, "authentication-type",                    bp[1]);
+	PrintBuf(ss, "certificate-challenge",    bp+2,         len-2);
+	break;
+      case SSL_MT_CLIENT_CERTIFICATE:
+	{
+	    unsigned lc = LEN(bp+2);
+	    unsigned lr = LEN(bp+4);
+	    PrintType(ss, "Client-Certificate");
+	    PrintInt(ss, "certificate-type",                   bp[1]);
+	    PrintBuf(ss, "certificate",          bp+6,         lc);
+	    PrintBuf(ss, "response",             bp+6+lc,      lr);
+	}
+	break;
+      default:
+	ssl_PrintBuf(ss, "sending *unknown* message type", bp, len);
+	return;
+    }
+}
+
+void
+ssl_Trace(const char *format, ... )
+{
+    char buf[2000]; 
+    va_list args;
+
+    if (ssl_trace_iob) {
+	va_start(args, format);
+	PR_vsnprintf(buf, sizeof(buf), format, args);
+	va_end(args);
+
+	fputs(buf,  ssl_trace_iob);
+	fputs("\n", ssl_trace_iob);
+    }
+}
+#endif
diff --git a/security/nss/lib/ssl/sslver.c b/security/nss/lib/ssl/sslver.c
new file mode 100644
index 000000000..782048fd8
--- /dev/null
+++ b/security/nss/lib/ssl/sslver.c
@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_ssl_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_ssl_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ssl/unix_err.c b/security/nss/lib/ssl/unix_err.c
new file mode 100644
index 000000000..6fb2583ef
--- /dev/null
+++ b/security/nss/lib/ssl/unix_err.c
@@ -0,0 +1,550 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#if 0
+#include "primpl.h"
+#else
+#define _PR_POLL_AVAILABLE 1
+#include "prerror.h"
+#endif
+
+#if defined (__bsdi__) || defined(NTO) || defined(DARWIN) || defined(BEOS)
+#undef _PR_POLL_AVAILABLE
+#endif
+
+#if defined(_PR_POLL_AVAILABLE)
+#include <poll.h>
+#endif
+#include <errno.h>
+
+/* forward declarations. */
+void nss_MD_unix_map_default_error(int err);
+
+void nss_MD_unix_map_opendir_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_closedir_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_readdir_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case ENOENT:	prError = PR_NO_MORE_FILES_ERROR; break;
+#ifdef EOVERFLOW
+    case EOVERFLOW:	prError = PR_IO_ERROR; break;
+#endif
+    case EINVAL:	prError = PR_IO_ERROR; break;
+    case ENXIO:		prError = PR_IO_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_unlink_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EPERM:		prError = PR_IS_DIRECTORY_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_stat_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_fstat_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_rename_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_access_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_mkdir_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_rmdir_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    case EINVAL:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_read_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_write_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_METHOD_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_lseek_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_fsync_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_close_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_socket_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_socketavailable_error(int err)
+{
+    PR_SetError(PR_BAD_DESCRIPTOR_ERROR, err);
+}
+
+void nss_MD_unix_map_recv_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_recvfrom_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_send_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_sendto_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_writev_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_accept_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENODEV:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_connect_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EACCES:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+#if defined(UNIXWARE) || defined(SNI) || defined(NEC)
+    /*
+     * On some platforms, if we connect to a port on the local host 
+     * (the loopback address) that no process is listening on, we get 
+     * EIO instead of ECONNREFUSED.
+     */
+    case EIO:		prError = PR_CONNECT_REFUSED_ERROR; break;
+#endif
+    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENXIO:		prError = PR_IO_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_bind_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+        /*
+         * UNIX domain sockets are not supported in NSPR
+         */
+    case EIO:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EISDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOTDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EROFS:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_listen_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_shutdown_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_socketpair_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getsockname_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getpeername_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getsockopt_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_setsockopt_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_open_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case EBUSY:		prError = PR_IO_ERROR; break;
+    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_mmap_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case EMFILE:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ENODEV:	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_gethostname_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_select_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+#ifdef _PR_POLL_AVAILABLE
+void nss_MD_unix_map_poll_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_poll_revents_error(int err)
+{
+    if (err & POLLNVAL)
+        PR_SetError(PR_BAD_DESCRIPTOR_ERROR, EBADF);
+    else if (err & POLLHUP)
+        PR_SetError(PR_CONNECT_RESET_ERROR, EPIPE);
+    else if (err & POLLERR)
+        PR_SetError(PR_IO_ERROR, EIO);
+    else
+        PR_SetError(PR_UNKNOWN_ERROR, err);
+}
+#endif /* _PR_POLL_AVAILABLE */
+
+
+void nss_MD_unix_map_flock_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case EWOULDBLOCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_lockf_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EACCES:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case EDEADLK:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+#ifdef HPUX11
+void nss_MD_hpux_map_sendfile_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+#endif /* HPUX11 */
+
+
+void nss_MD_unix_map_default_error(int err)
+{
+    PRErrorCode prError;
+    switch (err ) {
+    case EACCES:	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case EADDRINUSE:	prError = PR_ADDRESS_IN_USE_ERROR; break;
+    case EADDRNOTAVAIL:	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
+    case EAFNOSUPPORT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EAGAIN:	prError = PR_WOULD_BLOCK_ERROR; break;
+    /*
+     * On QNX and Neutrino, EALREADY is defined as EBUSY.
+     */
+#if EALREADY != EBUSY
+    case EALREADY:	prError = PR_ALREADY_INITIATED_ERROR; break;
+#endif
+    case EBADF:		prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#ifdef EBADMSG
+    case EBADMSG:	prError = PR_IO_ERROR; break;
+#endif
+    case EBUSY:		prError = PR_FILESYSTEM_MOUNTED_ERROR; break;
+    case ECONNREFUSED:	prError = PR_CONNECT_REFUSED_ERROR; break;
+    case ECONNRESET:	prError = PR_CONNECT_RESET_ERROR; break;
+    case EDEADLK:	prError = PR_DEADLOCK_ERROR; break;
+#ifdef EDIRCORRUPTED
+    case EDIRCORRUPTED:	prError = PR_DIRECTORY_CORRUPTED_ERROR; break;
+#endif
+#ifdef EDQUOT
+    case EDQUOT:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+#endif
+    case EEXIST:	prError = PR_FILE_EXISTS_ERROR; break;
+    case EFAULT:	prError = PR_ACCESS_FAULT_ERROR; break;
+    case EFBIG:		prError = PR_FILE_TOO_BIG_ERROR; break;
+    case EINPROGRESS:	prError = PR_IN_PROGRESS_ERROR; break;
+    case EINTR:		prError = PR_PENDING_INTERRUPT_ERROR; break;
+    case EINVAL:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case EIO:		prError = PR_IO_ERROR; break;
+    case EISCONN:	prError = PR_IS_CONNECTED_ERROR; break;
+    case EISDIR:	prError = PR_IS_DIRECTORY_ERROR; break;
+    case ELOOP:		prError = PR_LOOP_ERROR; break;
+    case EMFILE:	prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
+    case EMLINK:	prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break;
+    case EMSGSIZE:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+#ifdef EMULTIHOP
+    case EMULTIHOP:	prError = PR_REMOTE_FILE_ERROR; break;
+#endif
+    case ENAMETOOLONG:	prError = PR_NAME_TOO_LONG_ERROR; break;
+    case ENETUNREACH:	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
+    case ENFILE:	prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
+#if !defined(SCO)
+    case ENOBUFS:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+#endif
+    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOENT:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOLCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+#ifdef ENOLINK 
+    case ENOLINK:	prError = PR_REMOTE_FILE_ERROR; break;
+#endif
+    case ENOMEM:	prError = PR_OUT_OF_MEMORY_ERROR; break;
+    case ENOPROTOOPT:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ENOSPC:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+#ifdef ENOSR 
+    case ENOSR:		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+#endif
+    case ENOTCONN:	prError = PR_NOT_CONNECTED_ERROR; break;
+    case ENOTDIR:	prError = PR_NOT_DIRECTORY_ERROR; break;
+    case ENOTSOCK:	prError = PR_NOT_SOCKET_ERROR; break;
+    case ENXIO:		prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case EOPNOTSUPP:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
+#ifdef EOVERFLOW
+    case EOVERFLOW:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+#endif
+    case EPERM:		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case EPIPE:		prError = PR_CONNECT_RESET_ERROR; break;
+#ifdef EPROTO
+    case EPROTO:	prError = PR_IO_ERROR; break;
+#endif
+    case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
+    case EPROTOTYPE:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ERANGE:	prError = PR_INVALID_METHOD_ERROR; break;
+    case EROFS:		prError = PR_READ_ONLY_FILESYSTEM_ERROR; break;
+    case ESPIPE:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ETIMEDOUT:	prError = PR_IO_TIMEOUT_ERROR; break;
+#if EWOULDBLOCK != EAGAIN
+    case EWOULDBLOCK:	prError = PR_WOULD_BLOCK_ERROR; break;
+#endif
+    case EXDEV:		prError = PR_NOT_SAME_DEVICE_ERROR; break;
+
+    default:		prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
diff --git a/security/nss/lib/ssl/unix_err.h b/security/nss/lib/ssl/unix_err.h
new file mode 100644
index 000000000..628b856a9
--- /dev/null
+++ b/security/nss/lib/ssl/unix_err.h
@@ -0,0 +1,90 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+extern void nss_MD_hpux_map_sendfile_error(int err);
+extern void nss_MD_unix_map_accept_error(int err);
+extern void nss_MD_unix_map_access_error(int err);
+extern void nss_MD_unix_map_bind_error(int err);
+extern void nss_MD_unix_map_close_error(int err);
+extern void nss_MD_unix_map_closedir_error(int err);
+extern void nss_MD_unix_map_connect_error(int err);
+extern void nss_MD_unix_map_default_error(int err);
+extern void nss_MD_unix_map_flock_error(int err);
+extern void nss_MD_unix_map_fstat_error(int err);
+extern void nss_MD_unix_map_fsync_error(int err);
+extern void nss_MD_unix_map_gethostname_error(int err);
+extern void nss_MD_unix_map_getpeername_error(int err);
+extern void nss_MD_unix_map_getsockname_error(int err);
+extern void nss_MD_unix_map_getsockopt_error(int err);
+extern void nss_MD_unix_map_listen_error(int err);
+extern void nss_MD_unix_map_lockf_error(int err);
+extern void nss_MD_unix_map_lseek_error(int err);
+extern void nss_MD_unix_map_mkdir_error(int err);
+extern void nss_MD_unix_map_mmap_error(int err);
+extern void nss_MD_unix_map_open_error(int err);
+extern void nss_MD_unix_map_opendir_error(int err);
+extern void nss_MD_unix_map_poll_error(int err);
+extern void nss_MD_unix_map_poll_revents_error(int err);
+extern void nss_MD_unix_map_read_error(int err);
+extern void nss_MD_unix_map_readdir_error(int err);
+extern void nss_MD_unix_map_recv_error(int err);
+extern void nss_MD_unix_map_recvfrom_error(int err);
+extern void nss_MD_unix_map_rename_error(int err);
+extern void nss_MD_unix_map_rmdir_error(int err);
+extern void nss_MD_unix_map_select_error(int err);
+extern void nss_MD_unix_map_send_error(int err);
+extern void nss_MD_unix_map_sendto_error(int err);
+extern void nss_MD_unix_map_setsockopt_error(int err);
+extern void nss_MD_unix_map_shutdown_error(int err);
+extern void nss_MD_unix_map_socket_error(int err);
+extern void nss_MD_unix_map_socketavailable_error(int err);
+extern void nss_MD_unix_map_socketpair_error(int err);
+extern void nss_MD_unix_map_stat_error(int err);
+extern void nss_MD_unix_map_unlink_error(int err);
+extern void nss_MD_unix_map_write_error(int err);
+extern void nss_MD_unix_map_writev_error(int err);
diff --git a/security/nss/lib/ssl/win32err.c b/security/nss/lib/ssl/win32err.c
new file mode 100644
index 000000000..b2662816d
--- /dev/null
+++ b/security/nss/lib/ssl/win32err.c
@@ -0,0 +1,379 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#if !defined(_WIN32_WCE)
+
+#include "prerror.h"
+#include "prlog.h"
+#include <errno.h>
+#include <windows.h>
+
+/*
+ * On Win32, we map three kinds of error codes:
+ * - GetLastError(): for Win32 functions
+ * - WSAGetLastError(): for Winsock functions
+ * - errno: for standard C library functions
+ *
+ * We do not check for WSAEINPROGRESS and WSAEINTR because we do not
+ * use blocking Winsock 1.1 calls.
+ *
+ * Except for the 'socket' call, we do not check for WSAEINITIALISED.
+ * It is assumed that if Winsock is not initialized, that fact will
+ * be detected at the time we create new sockets.
+ */
+
+/* forward declaration. */
+void nss_MD_win32_map_default_error(PRInt32 err);
+
+void nss_MD_win32_map_opendir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_closedir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_readdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_delete_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* The error code for stat() is in errno. */
+void nss_MD_win32_map_stat_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_fstat_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_rename_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* The error code for access() is in errno. */
+void nss_MD_win32_map_access_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_mkdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_rmdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_read_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_transmitfile_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_write_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_lseek_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_fsync_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/*
+ * For both CloseHandle() and closesocket().
+ */
+void nss_MD_win32_map_close_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_socket_error(PRInt32 err)
+{
+    PR_ASSERT(err != WSANOTINITIALISED);
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_recv_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_recvfrom_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_send_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_sendto_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_accept_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_acceptex_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_connect_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
+    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
+    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_bind_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_listen_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_shutdown_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_getsockname_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_getpeername_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_getsockopt_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_setsockopt_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_open_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_gethostname_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* Win32 select() only works on sockets.  So in this
+** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
+*/
+void nss_MD_win32_map_select_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_lockf_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+
+
+void nss_MD_win32_map_default_error(PRInt32 err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
+    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
+    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
+    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
+    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#if ERROR_FILE_NOT_FOUND != ENOENT
+    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+#endif
+    case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
+    case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_INVALID_HANDLE: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case ERROR_INVALID_NAME: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_LOCKED:	 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break;
+    case ERROR_NOACCESS: 	prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break;
+    case ERROR_NOT_READY: 	prError = PR_IO_ERROR; break;
+    case ERROR_NO_MORE_FILES: 	prError = PR_NO_MORE_FILES_ERROR; break;
+    case ERROR_OPEN_FAILED: 	prError = PR_IO_ERROR; break;
+    case ERROR_OPEN_FILES: 	prError = PR_IO_ERROR; break;
+    case ERROR_OUTOFMEMORY: 	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_PATH_BUSY: 	prError = PR_IO_ERROR; break;
+    case ERROR_PATH_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ERROR_SEEK_ON_DEVICE: 	prError = PR_IO_ERROR; break;
+    case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break;
+    case ERROR_STACK_OVERFLOW: 	prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
+    case ERROR_WRITE_PROTECT: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case WSAEACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case WSAEADDRINUSE: 	prError = PR_ADDRESS_IN_USE_ERROR; break;
+    case WSAEADDRNOTAVAIL: 	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
+    case WSAEAFNOSUPPORT: 	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case WSAEALREADY: 		prError = PR_ALREADY_INITIATED_ERROR; break;
+    case WSAEBADF: 		prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case WSAECONNABORTED: 	prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAECONNREFUSED: 	prError = PR_CONNECT_REFUSED_ERROR; break;
+    case WSAECONNRESET: 	prError = PR_CONNECT_RESET_ERROR; break;
+    case WSAEDESTADDRREQ: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAEFAULT: 		prError = PR_ACCESS_FAULT_ERROR; break;
+    case WSAEHOSTUNREACH: 	prError = PR_HOST_UNREACHABLE_ERROR; break;
+    case WSAEINVAL: 		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAEISCONN: 		prError = PR_IS_CONNECTED_ERROR; break;
+    case WSAEMFILE: 		prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
+    case WSAEMSGSIZE: 		prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case WSAENETDOWN: 		prError = PR_NETWORK_DOWN_ERROR; break;
+    case WSAENETRESET: 		prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAENETUNREACH: 	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
+    case WSAENOBUFS: 		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case WSAENOPROTOOPT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAENOTCONN: 		prError = PR_NOT_CONNECTED_ERROR; break;
+    case WSAENOTSOCK: 		prError = PR_NOT_SOCKET_ERROR; break;
+    case WSAEOPNOTSUPP: 	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
+    case WSAEPROTONOSUPPORT: 	prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
+    case WSAEPROTOTYPE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAESHUTDOWN: 		prError = PR_SOCKET_SHUTDOWN_ERROR; break;
+    case WSAESOCKTNOSUPPORT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAETIMEDOUT: 		prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAEWOULDBLOCK: 	prError = PR_WOULD_BLOCK_ERROR; break;
+    default: 			prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
+
+#endif
diff --git a/security/nss/lib/ssl/win32err.h b/security/nss/lib/ssl/win32err.h
new file mode 100644
index 000000000..84fa4d6a4
--- /dev/null
+++ b/security/nss/lib/ssl/win32err.h
@@ -0,0 +1,84 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * This code will continue to need to be replicated.
+ * 
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+extern void nss_MD_win32_map_accept_error(PRInt32 err);
+extern void nss_MD_win32_map_acceptex_error(PRInt32 err);
+extern void nss_MD_win32_map_access_error(PRInt32 err);
+extern void nss_MD_win32_map_bind_error(PRInt32 err);
+extern void nss_MD_win32_map_close_error(PRInt32 err);
+extern void nss_MD_win32_map_closedir_error(PRInt32 err);
+extern void nss_MD_win32_map_connect_error(PRInt32 err);
+extern void nss_MD_win32_map_default_error(PRInt32 err);
+extern void nss_MD_win32_map_delete_error(PRInt32 err);
+extern void nss_MD_win32_map_fstat_error(PRInt32 err);
+extern void nss_MD_win32_map_fsync_error(PRInt32 err);
+extern void nss_MD_win32_map_gethostname_error(PRInt32 err);
+extern void nss_MD_win32_map_getpeername_error(PRInt32 err);
+extern void nss_MD_win32_map_getsockname_error(PRInt32 err);
+extern void nss_MD_win32_map_getsockopt_error(PRInt32 err);
+extern void nss_MD_win32_map_listen_error(PRInt32 err);
+extern void nss_MD_win32_map_lockf_error(PRInt32 err);
+extern void nss_MD_win32_map_lseek_error(PRInt32 err);
+extern void nss_MD_win32_map_mkdir_error(PRInt32 err);
+extern void nss_MD_win32_map_open_error(PRInt32 err);
+extern void nss_MD_win32_map_opendir_error(PRInt32 err);
+extern void nss_MD_win32_map_read_error(PRInt32 err);
+extern void nss_MD_win32_map_readdir_error(PRInt32 err);
+extern void nss_MD_win32_map_recv_error(PRInt32 err);
+extern void nss_MD_win32_map_recvfrom_error(PRInt32 err);
+extern void nss_MD_win32_map_rename_error(PRInt32 err);
+extern void nss_MD_win32_map_rmdir_error(PRInt32 err);
+extern void nss_MD_win32_map_select_error(PRInt32 err);
+extern void nss_MD_win32_map_send_error(PRInt32 err);
+extern void nss_MD_win32_map_sendto_error(PRInt32 err);
+extern void nss_MD_win32_map_setsockopt_error(PRInt32 err);
+extern void nss_MD_win32_map_shutdown_error(PRInt32 err);
+extern void nss_MD_win32_map_socket_error(PRInt32 err);
+extern void nss_MD_win32_map_stat_error(PRInt32 err);
+extern void nss_MD_win32_map_transmitfile_error(PRInt32 err);
+extern void nss_MD_win32_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/util/Makefile b/security/nss/lib/util/Makefile
new file mode 100644
index 000000000..afe353d31
--- /dev/null
+++ b/security/nss/lib/util/Makefile
@@ -0,0 +1,88 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+# include $(CORE_DEPTH)/coreconf/arch.mk
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+export:: private_export
+
+test: $(OBJDIR)/test_utf8
+
+$(OBJDIR)/test_utf8: utf8.c
+	@$(MAKE_OBJDIR)
+	$(CCF) -o $(OBJDIR)/test_utf8 -DTEST_UTF8 utf8.c $(OS_LIBS)
diff --git a/security/nss/lib/util/base64.h b/security/nss/lib/util/base64.h
new file mode 100644
index 000000000..e025844c3
--- /dev/null
+++ b/security/nss/lib/util/base64.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * base64.h - prototypes for base64 encoding/decoding
+ * Note: These functions are deprecated; see nssb64.h for new routines.
+ *
+ * $Id$
+ */
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+#include "utilrename.h"
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Return an PORT_Alloc'd ascii string which is the base64 encoded
+** version of the input string.
+*/
+extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
+
+/*
+** Return an PORT_Alloc'd string which is the base64 decoded version
+** of the input string; set *lenp to the length of the returned data.
+*/
+extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
+ 
+/*
+** Convert from ascii to binary encoding of an item.
+*/
+extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii);
+
+/*
+** Convert from binary encoding of an item to ascii.
+*/
+extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
+
+SEC_END_PROTOS
+
+#endif /* _BASE64_H_ */
diff --git a/security/nss/lib/util/ciferfam.h b/security/nss/lib/util/ciferfam.h
new file mode 100644
index 000000000..74b6adaee
--- /dev/null
+++ b/security/nss/lib/util/ciferfam.h
@@ -0,0 +1,92 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * ciferfam.h - cipher familie IDs used for configuring ciphers for export
+ *              control
+ *
+ * $Id$
+ */
+
+#ifndef _CIFERFAM_H_
+#define _CIFERFAM_H_
+
+#include "utilrename.h"
+/* Cipher Suite "Families" */
+#define CIPHER_FAMILY_PKCS12			"PKCS12"
+#define CIPHER_FAMILY_SMIME			"SMIME"
+#define CIPHER_FAMILY_SSL2			"SSLv2"
+#define CIPHER_FAMILY_SSL3			"SSLv3"
+#define CIPHER_FAMILY_SSL			"SSL"
+#define CIPHER_FAMILY_ALL			""
+#define CIPHER_FAMILY_UNKNOWN			"UNKNOWN"
+
+#define CIPHER_FAMILYID_MASK			0xFFFF0000L
+#define CIPHER_FAMILYID_SSL			0x00000000L
+#define CIPHER_FAMILYID_SMIME			0x00010000L
+#define CIPHER_FAMILYID_PKCS12			0x00020000L
+
+/* SMIME "Cipher Suites" */
+/*
+ * Note that it is assumed that the cipher number itself can be used
+ * as a bit position in a mask, and that mask is currently 32 bits wide.
+ * So, if you want to add a cipher that is greater than 0037, secmime.c
+ * needs to be made smarter at the same time.
+ */
+#define	SMIME_RC2_CBC_40		(CIPHER_FAMILYID_SMIME | 0001)
+#define	SMIME_RC2_CBC_64		(CIPHER_FAMILYID_SMIME | 0002)
+#define	SMIME_RC2_CBC_128		(CIPHER_FAMILYID_SMIME | 0003)
+#define	SMIME_DES_CBC_56		(CIPHER_FAMILYID_SMIME | 0011)
+#define	SMIME_DES_EDE3_168		(CIPHER_FAMILYID_SMIME | 0012)
+#define	SMIME_AES_CBC_128		(CIPHER_FAMILYID_SMIME | 0013)
+#define	SMIME_RC5PAD_64_16_40		(CIPHER_FAMILYID_SMIME | 0021)
+#define	SMIME_RC5PAD_64_16_64		(CIPHER_FAMILYID_SMIME | 0022)
+#define	SMIME_RC5PAD_64_16_128		(CIPHER_FAMILYID_SMIME | 0023)
+#define	SMIME_FORTEZZA			(CIPHER_FAMILYID_SMIME | 0031)
+
+/* PKCS12 "Cipher Suites" */
+
+#define	PKCS12_RC2_CBC_40		(CIPHER_FAMILYID_PKCS12 | 0001)
+#define	PKCS12_RC2_CBC_128		(CIPHER_FAMILYID_PKCS12 | 0002)
+#define	PKCS12_RC4_40			(CIPHER_FAMILYID_PKCS12 | 0011)
+#define	PKCS12_RC4_128			(CIPHER_FAMILYID_PKCS12 | 0012)
+#define	PKCS12_DES_56			(CIPHER_FAMILYID_PKCS12 | 0021)
+#define	PKCS12_DES_EDE3_168		(CIPHER_FAMILYID_PKCS12 | 0022)
+
+/* SMIME version numbers are negative, to avoid colliding with SSL versions */
+#define SMIME_LIBRARY_VERSION_1_0			-0x0100
+
+#endif /* _CIFERFAM_H_ */
diff --git a/security/nss/lib/util/config.mk b/security/nss/lib/util/config.mk
new file mode 100644
index 000000000..b51f3db58
--- /dev/null
+++ b/security/nss/lib/util/config.mk
@@ -0,0 +1,104 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4\
+	$(NULL)
+else # ! NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+ifeq ($(BUILD_SUN_PKG), 1)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+ifeq ($(USE_64), 1)
+MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
+else
+MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
+endif
+else
+MKSHLIB += -R '$$ORIGIN'
+endif
+endif
+
+ifeq ($(OS_ARCH), HP-UX) 
+ifneq ($(OS_TEST), ia64)
+# pa-risc
+ifeq ($(USE_64), 1)
+MKSHLIB += +b '$$ORIGIN'
+endif
+endif
+endif
diff --git a/security/nss/lib/util/derdec.c b/security/nss/lib/util/derdec.c
new file mode 100644
index 000000000..4faa680cf
--- /dev/null
+++ b/security/nss/lib/util/derdec.c
@@ -0,0 +1,221 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secder.h"
+#include "secerr.h"
+
+static PRUint32
+der_indefinite_length(unsigned char *buf, unsigned char *end)
+{
+    PRUint32 len, ret, dataLen;
+    unsigned char tag, lenCode;
+    int dataLenLen;
+
+    len = 0;
+    while ( 1 ) {
+	if ((buf + 2) > end) {
+	    return(0);
+	}
+	
+	tag = *buf++;
+	lenCode = *buf++;
+	len += 2;
+	
+	if ( ( tag == 0 ) && ( lenCode == 0 ) ) {
+	    return(len);
+	}
+	
+	if ( lenCode == 0x80 ) {	/* indefinite length */
+	    ret = der_indefinite_length(buf, end); /* recurse to find length */
+	    if (ret == 0)
+		return 0;
+	    len += ret;
+	    buf += ret;
+	} else {			/* definite length */
+	    if (lenCode & 0x80) {
+		/* Length of data is in multibyte format */
+		dataLenLen = lenCode & 0x7f;
+		switch (dataLenLen) {
+		  case 1:
+		    dataLen = buf[0];
+		    break;
+		  case 2:
+		    dataLen = (buf[0]<<8)|buf[1];
+		    break;
+		  case 3:
+		    dataLen = ((unsigned long)buf[0]<<16)|(buf[1]<<8)|buf[2];
+		    break;
+		  case 4:
+		    dataLen = ((unsigned long)buf[0]<<24)|
+			((unsigned long)buf[1]<<16)|(buf[2]<<8)|buf[3];
+		    break;
+		  default:
+		    PORT_SetError(SEC_ERROR_BAD_DER);
+		    return SECFailure;
+		}
+	    } else {
+		/* Length of data is in single byte */
+		dataLen = lenCode;
+		dataLenLen = 0;
+	    }
+
+	    /* skip this item */
+	    buf = buf + dataLenLen + dataLen;
+	    len = len + dataLenLen + dataLen;
+	}
+    }
+}
+
+/*
+** Capture the next thing in the buffer.
+** Returns the length of the header and the length of the contents.
+*/
+static SECStatus
+der_capture(unsigned char *buf, unsigned char *end,
+	    int *header_len_p, PRUint32 *contents_len_p)
+{
+    unsigned char *bp;
+    unsigned char whole_tag;
+    PRUint32 contents_len;
+    int tag_number;
+
+    if ((buf + 2) > end) {
+	*header_len_p = 0;
+	*contents_len_p = 0;
+	if (buf == end)
+	    return SECSuccess;
+	return SECFailure;
+    }
+
+    bp = buf;
+
+    /* Get tag and verify that it is ok. */
+    whole_tag = *bp++;
+    tag_number = whole_tag & DER_TAGNUM_MASK;
+
+    /*
+     * XXX This code does not (yet) handle the high-tag-number form!
+     */
+    if (tag_number == DER_HIGH_TAG_NUMBER) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return SECFailure;
+    }
+
+    if ((whole_tag & DER_CLASS_MASK) == DER_UNIVERSAL) {
+	/* Check that the universal tag number is one we implement.  */
+	switch (tag_number) {
+	  case DER_BOOLEAN:
+	  case DER_INTEGER:
+	  case DER_BIT_STRING:
+	  case DER_OCTET_STRING:
+	  case DER_NULL:
+	  case DER_OBJECT_ID:
+	  case DER_SEQUENCE:
+	  case DER_SET:
+	  case DER_PRINTABLE_STRING:
+	  case DER_T61_STRING:
+	  case DER_IA5_STRING:
+	  case DER_VISIBLE_STRING:
+	  case DER_UTC_TIME:
+	  case 0:			/* end-of-contents tag */
+	    break;
+	  default:
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * Get first byte of length code (might contain entire length, might not).
+     */
+    contents_len = *bp++;
+
+    /*
+     * If the high bit is set, then the length is in multibyte format,
+     * or the thing has an indefinite-length.
+     */
+    if (contents_len & 0x80) {
+	int bytes_of_encoded_len;
+
+	bytes_of_encoded_len = contents_len & 0x7f;
+	contents_len = 0;
+
+	switch (bytes_of_encoded_len) {
+	  case 4:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 3:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 2:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 1:
+	    contents_len |= *bp++;
+	    break;
+
+	  case 0:
+	    contents_len = der_indefinite_length (bp, end);
+	    if (contents_len)
+		break;
+	    /* fallthru */
+	  default:
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	}
+    }
+
+    if ((bp + contents_len) > end) {
+	/* Ran past end of buffer */
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return SECFailure;
+    }
+
+    *header_len_p = bp - buf;
+    *contents_len_p = contents_len;
+
+    return SECSuccess;
+}
+
+SECStatus
+DER_Lengths(SECItem *item, int *header_len_p, PRUint32 *contents_len_p)
+{
+    return(der_capture(item->data, &item->data[item->len], header_len_p,
+		       contents_len_p));
+}
diff --git a/security/nss/lib/util/derenc.c b/security/nss/lib/util/derenc.c
new file mode 100644
index 000000000..c14c6a80b
--- /dev/null
+++ b/security/nss/lib/util/derenc.c
@@ -0,0 +1,505 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secder.h"
+#include "secerr.h"
+
+#if 0
+/*
+ * Generic templates for individual/simple items.
+ */
+
+DERTemplate SECAnyTemplate[] = {
+    { DER_ANY,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECBitStringTemplate[] = {
+    { DER_BIT_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECBooleanTemplate[] = {
+    { DER_BOOLEAN,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECIA5StringTemplate[] = {
+    { DER_IA5_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECIntegerTemplate[] = {
+    { DER_INTEGER,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECNullTemplate[] = {
+    { DER_NULL,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECObjectIDTemplate[] = {
+    { DER_OBJECT_ID,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECOctetStringTemplate[] = {
+    { DER_OCTET_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECPrintableStringTemplate[] = {
+    { DER_PRINTABLE_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECT61StringTemplate[] = {
+    { DER_T61_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECUTCTimeTemplate[] = {
+    { DER_UTC_TIME,
+	  0, NULL, sizeof(SECItem) }
+};
+
+#endif
+
+static int
+header_length(DERTemplate *dtemplate, PRUint32 contents_len)
+{
+    PRUint32 len;
+    unsigned long encode_kind, under_kind;
+    PRBool explicit, optional, universal;
+
+    encode_kind = dtemplate->kind;
+
+    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    if (encode_kind & DER_POINTER) {
+	if (dtemplate->sub != NULL) {
+	    under_kind = dtemplate->sub->kind;
+	    if (universal) {
+		encode_kind = under_kind;
+	    }
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	PORT_Assert (dtemplate->sub != NULL);
+	under_kind = dtemplate->sub->kind;
+	if (universal) {
+	    encode_kind = under_kind;
+	}
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (under_kind & DER_DERPTR)
+	return 0;
+
+    /* No header at all for an "empty" optional.  */
+    if ((contents_len == 0) && optional)
+	return 0;
+
+    /* And no header for a full DER_ANY.  */
+    if (encode_kind & DER_ANY)
+	return 0;
+
+    /*
+     * The common case: one octet for identifier and as many octets
+     * as necessary to hold the content length.
+     */
+    len = 1 + DER_LengthLength(contents_len);
+
+    /* Account for the explicit wrapper, if necessary.  */
+    if (explicit) {
+#if 0		/*
+		 * Well, I was trying to do something useful, but these
+		 * assertions are too restrictive on valid templates.
+		 * I wanted to make sure that the top-level "kind" of
+		 * a template does not also specify DER_EXPLICIT, which
+		 * should only modify a component field.  Maybe later
+		 * I can figure out a better way to detect such a problem,
+		 * but for now I must remove these checks altogether.
+		 */
+	/*
+	 * This modifier applies only to components of a set or sequence;
+	 * it should never be used on a set/sequence itself -- confirm.
+	 */
+	PORT_Assert (under_kind != DER_SEQUENCE);
+	PORT_Assert (under_kind != DER_SET);
+#endif
+
+	len += 1 + DER_LengthLength(len + contents_len);
+    }
+
+    return len;
+}
+
+
+static PRUint32
+contents_length(DERTemplate *dtemplate, void *src)
+{
+    PRUint32 len;
+    unsigned long encode_kind, under_kind;
+    PRBool universal;
+
+
+    PORT_Assert (src != NULL);
+
+    encode_kind = dtemplate->kind;
+
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+    encode_kind &= ~DER_OPTIONAL;
+
+    if (encode_kind & DER_POINTER) {
+	src = *(void **)src;
+	if (src == NULL) {
+	    return 0;
+	}
+	if (dtemplate->sub != NULL) {
+	    dtemplate = dtemplate->sub;
+	    under_kind = dtemplate->kind;
+	    src = (void *)((char *)src + dtemplate->offset);
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	PORT_Assert (dtemplate->sub != NULL);
+	dtemplate = dtemplate->sub;
+	under_kind = dtemplate->kind;
+	src = (void *)((char *)src + dtemplate->offset);
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    /* Having any of these bits is not expected here...  */
+    PORT_Assert ((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL
+				| DER_POINTER | DER_SKIP)) == 0);
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (under_kind & DER_DERPTR)
+	return 0;
+
+    if (under_kind & DER_INDEFINITE) {
+	PRUint32 sub_len;
+	void   **indp = *(void ***)src;
+
+	if (indp == NULL)
+	    return 0;
+
+	len = 0;
+	under_kind &= ~DER_INDEFINITE;
+
+	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+	    DERTemplate *tmpt = dtemplate->sub;
+	    PORT_Assert (tmpt != NULL);
+
+	    for (; *indp != NULL; indp++) {
+		void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
+		sub_len = contents_length (tmpt, sub_src);
+		len += sub_len + header_length (tmpt, sub_len);
+	    }
+	} else {
+	    /*
+	     * XXX Lisa is not sure this code (for handling, for example,
+	     * DER_INDEFINITE | DER_OCTET_STRING) is right.
+	     */
+	    for (; *indp != NULL; indp++) {
+		SECItem *item = (SECItem *)(*indp);
+		sub_len = item->len;
+		if (under_kind == DER_BIT_STRING) {
+		    sub_len = (sub_len + 7) >> 3;
+		    /* bit string contents involve an extra octet */
+		    if (sub_len)
+			sub_len++;
+		}
+		if (under_kind != DER_ANY)
+		    len += 1 + DER_LengthLength (sub_len);
+	    }
+	}
+
+	return len;
+    }
+
+    switch (under_kind) {
+      case DER_SEQUENCE:
+      case DER_SET:
+	{
+	    DERTemplate *tmpt;
+	    void *sub_src;
+	    PRUint32 sub_len;
+
+	    len = 0;
+	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (void *)((char *)src + tmpt->offset);
+		sub_len = contents_length (tmpt, sub_src);
+		len += sub_len + header_length (tmpt, sub_len);
+	    }
+	}
+	break;
+
+      case DER_BIT_STRING:
+	len = (((SECItem *)src)->len + 7) >> 3;
+	/* bit string contents involve an extra octet */
+	if (len)
+	    len++;
+	break;
+
+      default:
+	len = ((SECItem *)src)->len;
+	break;
+    }
+
+    return len;
+}
+
+
+static unsigned char *
+der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
+{
+    int header_len;
+    PRUint32 contents_len;
+    unsigned long encode_kind, under_kind;
+    PRBool explicit, optional, universal;
+
+
+    /*
+     * First figure out how long the encoding will be.  Do this by
+     * traversing the template from top to bottom and accumulating
+     * the length of each leaf item.
+     */
+    contents_len = contents_length (dtemplate, src);
+    header_len = header_length (dtemplate, contents_len);
+
+    /*
+     * Enough smarts was involved already, so that if both the
+     * header and the contents have a length of zero, then we
+     * are not doing any encoding for this element.
+     */
+    if (header_len == 0 && contents_len == 0)
+	return buf;
+
+    encode_kind = dtemplate->kind;
+
+    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~DER_OPTIONAL;
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    if (encode_kind & DER_POINTER) {
+	if (contents_len) {
+	    src = *(void **)src;
+	    PORT_Assert (src != NULL);
+	}
+	if (dtemplate->sub != NULL) {
+	    dtemplate = dtemplate->sub;
+	    under_kind = dtemplate->kind;
+	    if (universal) {
+		encode_kind = under_kind;
+	    }
+	    src = (void *)((char *)src + dtemplate->offset);
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	dtemplate = dtemplate->sub;
+	under_kind = dtemplate->kind;
+	if (universal) {
+	    encode_kind = under_kind;
+	}
+	src = (void *)((char *)src + dtemplate->offset);
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    if (explicit) {
+	buf = DER_StoreHeader (buf, encode_kind,
+			       (1 + DER_LengthLength(contents_len)
+				+ contents_len));
+	encode_kind = under_kind;
+    }
+
+    if ((encode_kind & DER_ANY) == 0) {	/* DER_ANY already contains header */
+	buf = DER_StoreHeader (buf, encode_kind, contents_len);
+    }
+
+    /* If no real contents to encode, then we are done.  */
+    if (contents_len == 0)
+	return buf;
+
+    if (under_kind & DER_INDEFINITE) {
+	void **indp;
+
+	indp = *(void ***)src;
+	PORT_Assert (indp != NULL);
+
+	under_kind &= ~DER_INDEFINITE;
+	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+	    DERTemplate *tmpt = dtemplate->sub;
+	    PORT_Assert (tmpt != NULL);
+	    for (; *indp != NULL; indp++) {
+		void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
+		buf = der_encode (buf, tmpt, sub_src);
+	    }
+	} else {
+	    for (; *indp != NULL; indp++) {
+		SECItem *item;
+		int sub_len;
+
+		item = (SECItem *)(*indp);
+		sub_len = item->len;
+		if (under_kind == DER_BIT_STRING) {
+		    if (sub_len) {
+			int rem;
+
+			sub_len = (sub_len + 7) >> 3;
+			buf = DER_StoreHeader (buf, under_kind, sub_len + 1);
+			rem = (sub_len << 3) - item->len;
+			*buf++ = rem;		/* remaining bits */
+		    } else {
+			buf = DER_StoreHeader (buf, under_kind, 0);
+		    }
+		} else if (under_kind != DER_ANY) {
+		    buf = DER_StoreHeader (buf, under_kind, sub_len);
+		}
+		PORT_Memcpy (buf, item->data, sub_len);
+		buf += sub_len;
+	    }
+	}
+	return buf;
+    }
+
+    switch (under_kind) {
+      case DER_SEQUENCE:
+      case DER_SET:
+	{
+	    DERTemplate *tmpt;
+	    void *sub_src;
+
+	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (void *)((char *)src + tmpt->offset);
+		buf = der_encode (buf, tmpt, sub_src);
+	    }
+	}
+	break;
+
+      case DER_BIT_STRING:
+	{
+	    SECItem *item;
+	    int rem;
+
+	    /*
+	     * The contents length includes our extra octet; subtract
+	     * it off so we just have the real string length there.
+	     */
+	    contents_len--;
+	    item = (SECItem *)src;
+	    PORT_Assert (contents_len == ((item->len + 7) >> 3));
+	    rem = (contents_len << 3) - item->len;
+	    *buf++ = rem;		/* remaining bits */
+	    PORT_Memcpy (buf, item->data, contents_len);
+	    buf += contents_len;
+	}
+	break;
+
+      default:
+	{
+	    SECItem *item;
+
+	    item = (SECItem *)src;
+	    PORT_Assert (contents_len == item->len);
+	    PORT_Memcpy (buf, item->data, contents_len);
+	    buf += contents_len;
+	}
+	break;
+    }
+
+    return buf;
+}
+
+
+SECStatus
+DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *dtemplate, void *src)
+{
+    unsigned int contents_len, header_len;
+
+    src = (void **)((char *)src + dtemplate->offset);
+
+    /*
+     * First figure out how long the encoding will be. Do this by
+     * traversing the template from top to bottom and accumulating
+     * the length of each leaf item.
+     */
+    contents_len = contents_length (dtemplate, src);
+    header_len = header_length (dtemplate, contents_len);
+
+    dest->len = contents_len + header_len;
+
+    /* Allocate storage to hold the encoding */
+    dest->data = (unsigned char*) PORT_ArenaAlloc(arena, dest->len);
+    if (dest->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* Now encode into the buffer */
+    (void) der_encode (dest->data, dtemplate, src);
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/dersubr.c b/security/nss/lib/util/dersubr.c
new file mode 100644
index 000000000..3aa0db8f1
--- /dev/null
+++ b/security/nss/lib/util/dersubr.c
@@ -0,0 +1,266 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secder.h"
+#include <limits.h>
+#include "secerr.h"
+
+int
+DER_LengthLength(PRUint32 len)
+{
+    if (len > 127) {
+	if (len > 255) {
+	    if (len > 65535L) {
+		if (len > 16777215L) {
+		    return 5;
+		} else {
+		    return 4;
+		}
+	    } else {
+		return 3;
+	    }
+	} else {
+	    return 2;
+	}
+    } else {
+	return 1;
+    }
+}
+
+unsigned char *
+DER_StoreHeader(unsigned char *buf, unsigned int code, PRUint32 len)
+{
+    unsigned char b[4];
+
+    b[0] = (unsigned char)(len >> 24);
+    b[1] = (unsigned char)(len >> 16);
+    b[2] = (unsigned char)(len >> 8);
+    b[3] = (unsigned char)len;
+    if ((code & DER_TAGNUM_MASK) == DER_SET
+	|| (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
+	code |= DER_CONSTRUCTED;
+    *buf++ = code;
+    if (len > 127) {
+	if (len > 255) {
+	    if (len > 65535) {
+		if (len > 16777215) {
+		    *buf++ = 0x84;
+		    *buf++ = b[0];
+		    *buf++ = b[1];
+		    *buf++ = b[2];
+		    *buf++ = b[3];
+		} else {
+		    *buf++ = 0x83;
+		    *buf++ = b[1];
+		    *buf++ = b[2];
+		    *buf++ = b[3];
+		}
+	    } else {
+		*buf++ = 0x82;
+		*buf++ = b[2];
+		*buf++ = b[3];
+	    }
+	} else {
+	    *buf++ = 0x81;
+	    *buf++ = b[3];
+	}
+    } else {
+	*buf++ = b[3];
+    }
+    return buf;
+}
+
+/*
+ * XXX This should be rewritten, generalized, to take a long instead
+ * of a PRInt32.
+ */
+SECStatus
+DER_SetInteger(PRArenaPool *arena, SECItem *it, PRInt32 i)
+{
+    unsigned char bb[4];
+    unsigned len;
+
+    bb[0] = (unsigned char) (i >> 24);
+    bb[1] = (unsigned char) (i >> 16);
+    bb[2] = (unsigned char) (i >> 8);
+    bb[3] = (unsigned char) (i);
+
+    /*
+    ** Small integers are encoded in a single byte. Larger integers
+    ** require progressively more space.
+    */
+    if (i < -128) {
+	if (i < -32768L) {
+	    if (i < -8388608L) {
+		len = 4;
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else if (i > 127) {
+	if (i > 32767L) {
+	    if (i > 8388607L) {
+		len = 4;
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else {
+	len = 1;
+    }
+    it->data = (unsigned char*) PORT_ArenaAlloc(arena, len);
+    if (!it->data) {
+	return SECFailure;
+    }
+    it->len = len;
+    PORT_Memcpy(it->data, bb + (4 - len), len);
+    return SECSuccess;
+}
+
+/*
+ * XXX This should be rewritten, generalized, to take an unsigned long instead
+ * of a PRUint32.
+ */
+SECStatus
+DER_SetUInteger(PRArenaPool *arena, SECItem *it, PRUint32 ui)
+{
+    unsigned char bb[5];
+    int len;
+
+    bb[0] = 0;
+    bb[1] = (unsigned char) (ui >> 24);
+    bb[2] = (unsigned char) (ui >> 16);
+    bb[3] = (unsigned char) (ui >> 8);
+    bb[4] = (unsigned char) (ui);
+
+    /*
+    ** Small integers are encoded in a single byte. Larger integers
+    ** require progressively more space.
+    */
+    if (ui > 0x7f) {
+	if (ui > 0x7fff) {
+	    if (ui > 0x7fffffL) {
+		if (ui >= 0x80000000L) {
+		    len = 5;
+		} else {
+		    len = 4;
+		}
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else {
+	len = 1;
+    }
+
+    it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+    if (it->data == NULL) {
+	return SECFailure;
+    }
+
+    it->len = len;
+    PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
+
+    return SECSuccess;
+}
+
+/*
+** Convert a der encoded *signed* integer into a machine integral value.
+** If an underflow/overflow occurs, sets error code and returns min/max.
+*/
+long
+DER_GetInteger(SECItem *it)
+{
+    long ival = 0;
+    unsigned len = it->len;
+    unsigned char *cp = it->data;
+    unsigned long overflow = 0x1ffUL << (((sizeof(ival) - 1) * 8) - 1);
+    unsigned long ofloinit;
+
+    if (*cp & 0x80)
+    	ival = -1L;
+    ofloinit = ival & overflow;
+
+    while (len) {
+	if ((ival & overflow) != ofloinit) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    if (ival < 0) {
+		return LONG_MIN;
+	    }
+	    return LONG_MAX;
+	}
+	ival = ival << 8;
+	ival |= *cp++;
+	--len;
+    }
+    return ival;
+}
+
+/*
+** Convert a der encoded *unsigned* integer into a machine integral value.
+** If an underflow/overflow occurs, sets error code and returns min/max.
+*/
+unsigned long
+DER_GetUInteger(SECItem *it)
+{
+    unsigned long ival = 0;
+    unsigned len = it->len;
+    unsigned char *cp = it->data;
+    unsigned long overflow = 0xffUL << ((sizeof(ival) - 1) * 8);
+
+    /* Cannot put a negative value into an unsigned container. */
+    if (*cp & 0x80) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return 0;
+    }
+
+    while (len) {
+	if (ival & overflow) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return ULONG_MAX;
+	}
+	ival = ival << 8;
+	ival |= *cp++;
+	--len;
+    }
+    return ival;
+}
diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c
new file mode 100644
index 000000000..0dc3625da
--- /dev/null
+++ b/security/nss/lib/util/dertime.c
@@ -0,0 +1,317 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prtypes.h"
+#include "prtime.h"
+#include "secder.h"
+#include "prlong.h"
+#include "secerr.h"
+
+#define HIDIGIT(v) (((v) / 10) + '0')
+#define LODIGIT(v) (((v) % 10) + '0')
+
+#define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
+#define CAPTURE(var,p,label)				  \
+{							  \
+    if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
+    (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0');	  \
+    p += 2; \
+}
+
+static const PRTime January1st1     = (PRTime) LL_INIT(0xff234001U, 0x00d44000U);
+static const PRTime January1st1950  = (PRTime) LL_INIT(0xfffdc1f8U, 0x793da000U);
+static const PRTime January1st2050  = LL_INIT(0x0008f81e, 0x1b098000);
+static const PRTime January1st10000 = LL_INIT(0x0384440c, 0xcc736000);
+
+/* gmttime must contains UTC time in micro-seconds unit */
+SECStatus
+DER_TimeToUTCTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
+{
+    PRExplodedTime printableTime;
+    unsigned char *d;
+
+    if ( (gmttime < January1st1950) || (gmttime >= January1st2050) ) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    dst->len = 13;
+    if (arenaOpt) {
+        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
+    } else {
+        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
+    }
+    dst->type = siUTCTime;
+    if (!d) {
+	return SECFailure;
+    }
+
+    /* Convert an int64 time to a printable format.  */
+    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
+
+    /* The month in UTC time is base one */
+    printableTime.tm_month++;
+
+    /* remove the century since it's added to the tm_year by the 
+       PR_ExplodeTime routine, but is not needed for UTC time */
+    printableTime.tm_year %= 100; 
+
+    d[0] = HIDIGIT(printableTime.tm_year);
+    d[1] = LODIGIT(printableTime.tm_year);
+    d[2] = HIDIGIT(printableTime.tm_month);
+    d[3] = LODIGIT(printableTime.tm_month);
+    d[4] = HIDIGIT(printableTime.tm_mday);
+    d[5] = LODIGIT(printableTime.tm_mday);
+    d[6] = HIDIGIT(printableTime.tm_hour);
+    d[7] = LODIGIT(printableTime.tm_hour);
+    d[8] = HIDIGIT(printableTime.tm_min);
+    d[9] = LODIGIT(printableTime.tm_min);
+    d[10] = HIDIGIT(printableTime.tm_sec);
+    d[11] = LODIGIT(printableTime.tm_sec);
+    d[12] = 'Z';
+    return SECSuccess;
+}
+
+SECStatus
+DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
+{
+    return DER_TimeToUTCTimeArena(NULL, dst, gmttime);
+}
+
+static SECStatus /* forward */
+der_TimeStringToTime(PRTime *dst, const char * string, int generalized);
+
+#define GEN_STRING 2 /* TimeString is a GeneralizedTime */
+#define UTC_STRING 0 /* TimeString is a UTCTime         */
+
+/* The caller of DER_AsciiToItem MUST ENSURE that either
+** a) "string" points to a null-terminated ASCII string, or
+** b) "string" points to a buffer containing a valid UTCTime, 
+**     whether null terminated or not, or
+** c) "string" contains at least 19 characters, with or without null char.
+** otherwise, this function may UMR and/or crash.
+** It suffices to ensure that the input "string" is at least 17 bytes long.
+*/
+SECStatus
+DER_AsciiToTime(int64 *dst, const char *string)
+{
+    return der_TimeStringToTime(dst, string, UTC_STRING);
+}
+
+SECStatus
+DER_UTCTimeToTime(int64 *dst, const SECItem *time)
+{
+    /* Minimum valid UTCTime is yymmddhhmmZ       which is 11 bytes. 
+    ** Maximum valid UTCTime is yymmddhhmmss+0000 which is 17 bytes.
+    ** 20 should be large enough for all valid encoded times. 
+    */
+    int  len;
+    char localBuf[20];
+
+    if (!time || !time->data || time->len < 11) {
+	PORT_SetError(SEC_ERROR_INVALID_TIME);
+	return SECFailure;
+    }
+
+    len = PR_MIN(time->len, sizeof localBuf);
+    memcpy(localBuf, time->data, len);
+    while (len < sizeof localBuf) {
+        localBuf[len++] = '\0';
+    }
+
+    return der_TimeStringToTime(dst, localBuf, UTC_STRING);
+}
+
+/*
+   gmttime must contains UTC time in micro-seconds unit.
+   Note: the caller should make sure that Generalized time
+   should only be used for certifiate validities after the
+   year 2049.  Otherwise, UTC time should be used.  This routine
+   does not check this case, since it can be used to encode
+   certificate extension, which does not have this restriction. 
+ */
+SECStatus
+DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
+{
+    PRExplodedTime printableTime;
+    unsigned char *d;
+
+    if ( (gmttime<January1st1) || (gmttime>=January1st10000) ) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    dst->len = 15;
+    if (arenaOpt) {
+        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
+    } else {
+        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
+    }
+    dst->type = siGeneralizedTime;
+    if (!d) {
+	return SECFailure;
+    }
+
+    /* Convert an int64 time to a printable format.  */
+    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
+
+    /* The month in Generalized time is base one */
+    printableTime.tm_month++;
+
+    d[0] = (printableTime.tm_year /1000) + '0';
+    d[1] = ((printableTime.tm_year % 1000) / 100) + '0';
+    d[2] = ((printableTime.tm_year % 100) / 10) + '0';
+    d[3] = (printableTime.tm_year % 10) + '0';
+    d[4] = HIDIGIT(printableTime.tm_month);
+    d[5] = LODIGIT(printableTime.tm_month);
+    d[6] = HIDIGIT(printableTime.tm_mday);
+    d[7] = LODIGIT(printableTime.tm_mday);
+    d[8] = HIDIGIT(printableTime.tm_hour);
+    d[9] = LODIGIT(printableTime.tm_hour);
+    d[10] = HIDIGIT(printableTime.tm_min);
+    d[11] = LODIGIT(printableTime.tm_min);
+    d[12] = HIDIGIT(printableTime.tm_sec);
+    d[13] = LODIGIT(printableTime.tm_sec);
+    d[14] = 'Z';
+    return SECSuccess;
+}
+
+SECStatus
+DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
+{
+    return DER_TimeToGeneralizedTimeArena(NULL, dst, gmttime);
+}
+
+
+SECStatus
+DER_GeneralizedTimeToTime(int64 *dst, const SECItem *time)
+{
+    /* Minimum valid GeneralizedTime is ccyymmddhhmmZ       which is 13 bytes.
+    ** Maximum valid GeneralizedTime is ccyymmddhhmmss+0000 which is 19 bytes.
+    ** 20 should be large enough for all valid encoded times. 
+    */
+    int  len;
+    char localBuf[20];
+
+    if (!time || !time->data || time->len < 13) {
+	PORT_SetError(SEC_ERROR_INVALID_TIME);
+	return SECFailure;
+    }
+
+    len = PR_MIN(time->len, sizeof localBuf);
+    memcpy(localBuf, time->data, len);
+    while (len < sizeof localBuf) {
+        localBuf[len++] = '\0';
+    }
+
+    return der_TimeStringToTime(dst, localBuf, GEN_STRING);
+}
+
+static SECStatus
+der_TimeStringToTime(PRTime *dst, const char * string, int generalized)
+{
+    PRExplodedTime genTime;
+    long hourOff = 0, minOff = 0;
+    uint16 century;
+    char signum;
+
+    if (string == NULL || dst == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* Verify time is formatted properly and capture information */
+    memset(&genTime, 0, sizeof genTime);
+
+    if (generalized == UTC_STRING) {
+	CAPTURE(genTime.tm_year, string, loser);
+	century = (genTime.tm_year < 50) ? 20 : 19;
+    } else {
+	CAPTURE(century, string, loser);
+	CAPTURE(genTime.tm_year, string, loser);
+    }
+    genTime.tm_year += century * 100;
+
+    CAPTURE(genTime.tm_month, string, loser);
+    if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) 
+    	goto loser;
+
+    /* NSPR month base is 0 */
+    --genTime.tm_month;
+    
+    CAPTURE(genTime.tm_mday, string, loser);
+    if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) 
+    	goto loser;
+    
+    CAPTURE(genTime.tm_hour, string, loser);
+    if (genTime.tm_hour > 23) 
+    	goto loser;
+    
+    CAPTURE(genTime.tm_min, string, loser);
+    if (genTime.tm_min > 59) 
+    	goto loser;
+    
+    if (ISDIGIT(string[0])) {
+	CAPTURE(genTime.tm_sec, string, loser);
+	if (genTime.tm_sec > 59) 
+	    goto loser;
+    }
+    signum = *string++;
+    if (signum == '+' || signum == '-') {
+	CAPTURE(hourOff, string, loser);
+	if (hourOff > 23) 
+	    goto loser;
+	CAPTURE(minOff, string, loser);
+	if (minOff > 59) 
+	    goto loser;
+	if (signum == '-') {
+	    hourOff = -hourOff;
+	    minOff  = -minOff;
+	}
+    } else if (signum != 'Z') {
+	goto loser;
+    }
+
+    /* Convert the GMT offset to seconds and save it in genTime
+     * for the implode time call.
+     */
+    genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L);
+    *dst = PR_ImplodeTime(&genTime);
+    return SECSuccess;
+
+loser:
+    PORT_SetError(SEC_ERROR_INVALID_TIME);
+    return SECFailure;
+}
diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn
new file mode 100644
index 000000000..3b332529d
--- /dev/null
+++ b/security/nss/lib/util/manifest.mn
@@ -0,0 +1,105 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	base64.h \
+	ciferfam.h \
+	nssb64.h \
+	nssb64t.h \
+	nsslocks.h \
+	nssilock.h \
+	nssilckt.h \
+	nssrwlk.h \
+	nssrwlkt.h \
+	portreg.h \
+	secasn1.h \
+	secasn1t.h \
+	seccomon.h \
+	secder.h \
+	secdert.h \
+	secdig.h \
+	secdigt.h \
+	secitem.h \
+	secoid.h \
+	secoidt.h \
+	secport.h \
+	secerr.h \
+	utilrename.h \
+	watcomfx.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	templates.c \
+	$(NULL)
+
+CSRCS = \
+	quickder.c \
+	secdig.c \
+	derdec.c \
+	derenc.c \
+	dersubr.c \
+	dertime.c \
+	nssb64d.c \
+	nssb64e.c \
+	nssrwlk.c \
+	nssilock.c \
+	oidstring.c \
+	portreg.c \
+	secalgid.c \
+	secasn1d.c \
+	secasn1e.c \
+	secasn1u.c \
+	secitem.c \
+	secoid.c \
+	sectime.c \
+	secport.c \
+	secinit.c \
+	templates.c \
+	utf8.c \
+	$(NULL)
+
+MODULE = nss
+
+# don't duplicate module name in REQUIRES
+MAPFILE = $(OBJDIR)/nssutil.def
+
+LIBRARY_NAME = nssutil
+LIBRARY_VERSION = 3
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/util/nssb64.h b/security/nss/lib/util/nssb64.h
new file mode 100644
index 000000000..0b9d4adf2
--- /dev/null
+++ b/security/nss/lib/util/nssb64.h
@@ -0,0 +1,128 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Public prototypes for base64 encoding/decoding.
+ *
+ * $Id$
+ */
+#ifndef _NSSB64_H_
+#define _NSSB64_H_
+
+#include "utilrename.h"
+#include "seccomon.h"
+#include "nssb64t.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Functions to start a base64 decoding/encoding context.
+ */
+
+extern NSSBase64Decoder *
+NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
+					       PRInt32),
+			 void *output_arg);
+
+extern NSSBase64Encoder *
+NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			 void *output_arg);
+
+/*
+ * Push data through the decoder/encoder, causing the output_fn (provided
+ * to Create) to be called with the decoded/encoded data.
+ */
+
+extern SECStatus
+NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
+			 PRUint32 size);
+
+extern SECStatus
+NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
+			 PRUint32 size);
+
+/*
+ * When you're done processing, call this to close the context.
+ * If "abort_p" is false, then calling this may cause the output_fn
+ * to be called one last time (as the last buffered data is flushed out).
+ */
+
+extern SECStatus
+NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p);
+
+extern SECStatus
+NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p);
+
+/*
+ * Perform base64 decoding from an ascii string "inStr" to an Item.
+ * The length of the input must be provided as "inLen".  The Item
+ * may be provided (as "outItemOpt"); you can also pass in a NULL
+ * and the Item will be allocated for you.
+ *
+ * In any case, the data within the Item will be allocated for you.
+ * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
+ * If "arenaOpt" is NULL, standard allocation (heap) will be used and
+ * you will want to free the result via SECITEM_FreeItem.
+ *
+ * Return value is NULL on error, the Item (allocated or provided) otherwise.
+ */
+extern SECItem *
+NSSBase64_DecodeBuffer (PLArenaPool *arenaOpt, SECItem *outItemOpt,
+			const char *inStr, unsigned int inLen);
+
+/*
+ * Perform base64 encoding of binary data "inItem" to an ascii string.
+ * The output buffer may be provided (as "outStrOpt"); you can also pass
+ * in a NULL and the buffer will be allocated for you.  The result will
+ * be null-terminated, and if the buffer is provided, "maxOutLen" must
+ * specify the maximum length of the buffer and will be checked to
+ * supply sufficient space space for the encoded result.  (If "outStrOpt"
+ * is NULL, "maxOutLen" is ignored.)
+ *
+ * If "outStrOpt" is NULL, allocation will happen out of the passed-in
+ * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
+ * will be used.
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+extern char *
+NSSBase64_EncodeItem (PLArenaPool *arenaOpt, char *outStrOpt,
+		      unsigned int maxOutLen, SECItem *inItem);
+
+SEC_END_PROTOS
+
+#endif /* _NSSB64_H_ */
diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c
new file mode 100644
index 000000000..42b1ca684
--- /dev/null
+++ b/security/nss/lib/util/nssb64d.c
@@ -0,0 +1,864 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Base64 decoding (ascii to binary).
+ *
+ * $Id$
+ */
+
+#include "nssb64.h"
+#include "nspr.h"
+#include "secitem.h"
+#include "secerr.h"
+
+/*
+ * XXX We want this basic support to go into NSPR (the PL part).
+ * Until that can happen, the PL interface is going to be kept entirely
+ * internal here -- all static functions and opaque data structures.
+ * When someone can get it moved over into NSPR, that should be done:
+ *    - giving everything names that are accepted by the NSPR module owners
+ *	(though I tried to choose ones that would work without modification)
+ *    - exporting the functions (remove static declarations and add
+ *	to nssutil.def as necessary)
+ *    - put prototypes into appropriate header file (probably replacing
+ *	the entire current lib/libc/include/plbase64.h in NSPR)
+ *	along with a typedef for the context structure (which should be
+ *	kept opaque -- definition in the source file only, but typedef
+ *	ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
+ *    - modify anything else as necessary to conform to NSPR required style
+ *	(I looked but found no formatting guide to follow)
+ *
+ * You will want to move over everything from here down to the comment
+ * which says "XXX End of base64 decoding code to be moved into NSPR",
+ * into a new file in NSPR.
+ */
+
+/*
+ **************************************************************
+ * XXX Beginning of base64 decoding code to be moved into NSPR.
+ */
+
+/*
+ * This typedef would belong in the NSPR header file (i.e. plbase64.h).
+ */
+typedef struct PLBase64DecoderStr PLBase64Decoder;
+
+/*
+ * The following implementation of base64 decoding was based on code
+ * found in libmime (specifically, in mimeenc.c).  It has been adapted to
+ * use PR types and naming as well as to provide other necessary semantics
+ * (like buffer-in/buffer-out in addition to "streaming" without undue
+ * performance hit of extra copying if you made the buffer versions
+ * use the output_fn).  It also incorporates some aspects of the current
+ * NSPR base64 decoding code.  As such, you may find similarities to
+ * both of those implementations.  I tried to use names that reflected
+ * the original code when possible.  For this reason you may find some
+ * inconsistencies -- libmime used lots of "in" and "out" whereas the
+ * NSPR version uses "src" and "dest"; sometimes I changed one to the other
+ * and sometimes I left them when I thought the subroutines were at least
+ * self-consistent.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Opaque object used by the decoder to store state.
+ */
+struct PLBase64DecoderStr {
+    /* Current token (or portion, if token_size < 4) being decoded. */
+    unsigned char token[4];
+    int token_size;
+
+    /*
+     * Where to write the decoded data (used when streaming, not when
+     * doing all in-memory (buffer) operations).
+     *
+     * Note that this definition is chosen to be compatible with PR_Write.
+     */
+    PRInt32 (*output_fn) (void *output_arg, const unsigned char *buf,
+			  PRInt32 size);
+    void *output_arg;
+
+    /*
+     * Where the decoded output goes -- either temporarily (in the streaming
+     * case, staged here before it goes to the output function) or what will
+     * be the entire buffered result for users of the buffer version.
+     */
+    unsigned char *output_buffer;
+    PRUint32 output_buflen;	/* the total length of allocated buffer */
+    PRUint32 output_length;	/* the length that is currently populated */
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Table to convert an ascii "code" to its corresponding binary value.
+ * For ease of use, the binary values in the table are the actual values
+ * PLUS ONE.  This is so that the special value of zero can denote an
+ * invalid mapping; that was much easier than trying to fill in the other
+ * values with some value other than zero, and to check for it.
+ * Just remember to SUBTRACT ONE when using the value retrieved.
+ */
+static unsigned char base64_codetovaluep1[256] = {
+/*   0: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*   8: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  16: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  24: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  32: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  40: */	  0,	  0,	  0,	 63,	  0,	  0,	  0,	 64,
+/*  48: */	 53,	 54,	 55,	 56,	 57,	 58,	 59,	 60,
+/*  56: */	 61,	 62,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  64: */	  0,	  1,	  2,	  3,	  4,	  5,	  6,	  7,
+/*  72: */	  8,	  9,	 10,	 11,	 12,	 13,	 14,	 15,
+/*  80: */	 16,	 17,	 18,	 19,	 20,	 21,	 22,	 23,
+/*  88: */	 24,	 25,	 26,	  0,	  0,	  0,	  0,	  0,
+/*  96: */	  0,	 27,	 28,	 29,	 30,	 31,	 32,	 33,
+/* 104: */	 34,	 35,	 36,	 37,	 38,	 39,	 40,	 41,
+/* 112: */	 42,	 43,	 44,	 45,	 46,	 47,	 48,	 49,
+/* 120: */	 50,	 51,	 52,	  0,	  0,	  0,	  0,	  0,
+/* 128: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0
+/* and rest are all zero as well */
+};
+
+#define B64_PAD	'='
+
+
+/*
+ * Reads 4; writes 3 (known, or expected, to have no trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_4to3 (const unsigned char *in, unsigned char *out)
+{
+    int j;
+    PRUint32 num = 0;
+    unsigned char bits;
+
+    for (j = 0; j < 4; j++) {
+	bits = base64_codetovaluep1[in[j]];
+	if (bits == 0)
+	    return -1;
+	num = (num << 6) | (bits - 1);
+    }
+
+    out[0] = (unsigned char) (num >> 16);
+    out[1] = (unsigned char) ((num >> 8) & 0xFF);
+    out[2] = (unsigned char) (num & 0xFF);
+
+    return 3;
+}
+
+/*
+ * Reads 3; writes 2 (caller already confirmed EOF or trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_3to2 (const unsigned char *in, unsigned char *out)
+{
+    PRUint32 num = 0;
+    unsigned char bits1, bits2, bits3;
+
+    bits1 = base64_codetovaluep1[in[0]];
+    bits2 = base64_codetovaluep1[in[1]];
+    bits3 = base64_codetovaluep1[in[2]];
+
+    if ((bits1 == 0) || (bits2 == 0) || (bits3 == 0))
+	return -1;
+
+    num = ((PRUint32)(bits1 - 1)) << 10;
+    num |= ((PRUint32)(bits2 - 1)) << 4;
+    num |= ((PRUint32)(bits3 - 1)) >> 2;
+
+    out[0] = (unsigned char) (num >> 8);
+    out[1] = (unsigned char) (num & 0xFF);
+
+    return 2;
+}
+
+/*
+ * Reads 2; writes 1 (caller already confirmed EOF or trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_2to1 (const unsigned char *in, unsigned char *out)
+{
+    PRUint32 num = 0;
+    unsigned char bits1, bits2;
+
+    bits1 = base64_codetovaluep1[in[0]];
+    bits2 = base64_codetovaluep1[in[1]];
+
+    if ((bits1 == 0) || (bits2 == 0))
+	return -1;
+
+    num = ((PRUint32)(bits1 - 1)) << 2;
+    num |= ((PRUint32)(bits2 - 1)) >> 4;
+
+    out[0] = (unsigned char) num;
+
+    return 1;
+}
+
+/*
+ * Reads 4; writes 0-3.  Returns bytes written or -1 on error.
+ * (Writes less than 3 only at (presumed) EOF.)
+ */
+static int
+pl_base64_decode_token (const unsigned char *in, unsigned char *out)
+{
+    if (in[3] != B64_PAD)
+	return pl_base64_decode_4to3 (in, out);
+
+    if (in[2] == B64_PAD)
+	return pl_base64_decode_2to1 (in, out);
+
+    return pl_base64_decode_3to2 (in, out);
+}
+
+static PRStatus
+pl_base64_decode_buffer (PLBase64Decoder *data, const unsigned char *in,
+			 PRUint32 length)
+{
+    unsigned char *out = data->output_buffer;
+    unsigned char *token = data->token;
+    int i, n = 0;
+
+    i = data->token_size;
+    data->token_size = 0;
+
+    while (length > 0) {
+	while (i < 4 && length > 0) {
+	    /*
+	     * XXX Note that the following simply ignores any unexpected
+	     * characters.  This is exactly what the original code in
+	     * libmime did, and I am leaving it.  We certainly want to skip
+	     * over whitespace (we must); this does much more than that.
+	     * I am not confident changing it, and I don't want to slow
+	     * the processing down doing more complicated checking, but
+	     * someone else might have different ideas in the future.
+	     */
+	    if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
+		token[i++] = *in;
+	    in++;
+	    length--;
+	}
+
+	if (i < 4) {
+	    /* Didn't get enough for a complete token. */
+	    data->token_size = i;
+	    break;
+	}
+	i = 0;
+
+	PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
+
+	/*
+	 * Assume we are not at the end; the following function only works
+	 * for an internal token (no trailing padding characters) but is
+	 * faster that way.  If it hits an invalid character (padding) it
+	 * will return an error; we break out of the loop and try again
+	 * calling the routine that will handle a final token.
+	 * Note that we intentionally do it this way rather than explicitly
+	 * add a check for padding here (because that would just slow down
+	 * the normal case) nor do we rely on checking whether we have more
+	 * input to process (because that would also slow it down but also
+	 * because we want to allow trailing garbage, especially white space
+	 * and cannot tell that without read-ahead, also a slow proposition).
+	 * Whew.  Understand?
+	 */
+	n = pl_base64_decode_4to3 (token, out);
+	if (n < 0)
+	    break;
+
+	/* Advance "out" by the number of bytes just written to it. */
+	out += n;
+	n = 0;
+    }
+
+    /*
+     * See big comment above, before call to pl_base64_decode_4to3.
+     * Here we check if we error'd out of loop, and allow for the case
+     * that we are processing the last interesting token.  If the routine
+     * which should handle padding characters also fails, then we just
+     * have bad input and give up.
+     */
+    if (n < 0) {
+	n = pl_base64_decode_token (token, out);
+	if (n < 0)
+	    return PR_FAILURE;
+
+	out += n;
+    }
+
+    /*
+     * As explained above, we can get here with more input remaining, but
+     * it should be all characters we do not care about (i.e. would be
+     * ignored when transferring from "in" to "token" in loop above,
+     * except here we choose to ignore extraneous pad characters, too).
+     * Swallow it, performing that check.  If we find more characters that
+     * we would expect to decode, something is wrong.
+     */
+    while (length > 0) {
+	if (base64_codetovaluep1[*in] > 0)
+	    return PR_FAILURE;
+	in++;
+	length--;
+    }
+
+    /* Record the length of decoded data we have left in output_buffer. */
+    data->output_length = (PRUint32) (out - data->output_buffer);
+    return PR_SUCCESS;
+}
+
+/*
+ * Flush any remaining buffered characters.  Given well-formed input,
+ * this will have nothing to do.  If the input was missing the padding
+ * characters at the end, though, there could be 1-3 characters left
+ * behind -- we will tolerate that by adding the padding for them.
+ */
+static PRStatus
+pl_base64_decode_flush (PLBase64Decoder *data)
+{
+    int count;
+
+    /*
+     * If no remaining characters, or all are padding (also not well-formed
+     * input, but again, be tolerant), then nothing more to do.  (And, that
+     * is considered successful.)
+     */
+    if (data->token_size == 0 || data->token[0] == B64_PAD)
+	return PR_SUCCESS;
+
+    /*
+     * Assume we have all the interesting input except for some expected
+     * padding characters.  Add them and decode the resulting token.
+     */
+    while (data->token_size < 4)
+	data->token[data->token_size++] = B64_PAD;
+
+    data->token_size = 0;	/* so a subsequent flush call is a no-op */
+
+    count = pl_base64_decode_token (data->token,
+				    data->output_buffer + data->output_length);
+    if (count < 0)
+	return PR_FAILURE;
+
+    /*
+     * If there is an output function, call it with this last bit of data.
+     * Otherwise we are doing all buffered output, and the decoded bytes
+     * are now there, we just need to reflect that in the length.
+     */
+    if (data->output_fn != NULL) {
+	PRInt32 output_result;
+
+	PR_ASSERT(data->output_length == 0);
+	output_result = data->output_fn (data->output_arg,
+					 data->output_buffer,
+					 (PRInt32) count);
+	if (output_result < 0)
+	    return  PR_FAILURE;
+    } else {
+	data->output_length += count;
+    }
+
+    return PR_SUCCESS;
+}
+
+
+/*
+ * The maximum space needed to hold the output of the decoder given
+ * input data of length "size".
+ */
+static PRUint32
+PL_Base64MaxDecodedLength (PRUint32 size)
+{
+    return ((size * 3) / 4);
+}
+
+
+/*
+ * A distinct internal creation function for the buffer version to use.
+ * (It does not want to specify an output_fn, and we want the normal
+ * Create function to require that.)  If more common initialization
+ * of the decoding context needs to be done, it should be done *here*.
+ */
+static PLBase64Decoder *
+pl_base64_create_decoder (void)
+{
+    return PR_NEWZAP(PLBase64Decoder);
+}
+
+/*
+ * Function to start a base64 decoding context.
+ * An "output_fn" is required; the "output_arg" parameter to that is optional.
+ */
+static PLBase64Decoder *
+PL_CreateBase64Decoder (PRInt32 (*output_fn) (void *, const unsigned char *,
+					      PRInt32),
+			void *output_arg)
+{
+    PLBase64Decoder *data;
+
+    if (output_fn == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return NULL;
+    }
+
+    data = pl_base64_create_decoder ();
+    if (data != NULL) {
+	data->output_fn = output_fn;
+	data->output_arg = output_arg;
+    }
+    return data;
+}
+
+
+/*
+ * Push data through the decoder, causing the output_fn (provided to Create)
+ * to be called with the decoded data.
+ */
+static PRStatus
+PL_UpdateBase64Decoder (PLBase64Decoder *data, const char *buffer,
+			PRUint32 size)
+{
+    PRUint32 need_length;
+    PRStatus status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL || buffer == NULL || size == 0) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /*
+     * How much space could this update need for decoding?
+     */
+    need_length = PL_Base64MaxDecodedLength (size + data->token_size);
+
+    /*
+     * Make sure we have at least that much.  If not, (re-)allocate.
+     */
+    if (need_length > data->output_buflen) {
+	unsigned char *output_buffer = data->output_buffer;
+
+	if (output_buffer != NULL)
+	    output_buffer = (unsigned char *) PR_Realloc(output_buffer,
+							 need_length);
+	else
+	    output_buffer = (unsigned char *) PR_Malloc(need_length);
+
+	if (output_buffer == NULL)
+	    return PR_FAILURE;
+
+	data->output_buffer = output_buffer;
+	data->output_buflen = need_length;
+    }
+
+    /* There should not have been any leftover output data in the buffer. */
+    PR_ASSERT(data->output_length == 0);
+    data->output_length = 0;
+
+    status = pl_base64_decode_buffer (data, (const unsigned char *) buffer,
+				      size);
+
+    /* Now that we have some decoded data, write it. */
+    if (status == PR_SUCCESS && data->output_length > 0) {
+	PRInt32 output_result;
+
+	PR_ASSERT(data->output_fn != NULL);
+	output_result = data->output_fn (data->output_arg,
+					 data->output_buffer,
+					 (PRInt32) data->output_length);
+	if (output_result < 0)
+	    status = PR_FAILURE;
+    }
+
+    data->output_length = 0;
+    return status;
+}
+
+
+/*
+ * When you're done decoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+static PRStatus
+PL_DestroyBase64Decoder (PLBase64Decoder *data, PRBool abort_p)
+{
+    PRStatus status = PR_SUCCESS;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /* Flush out the last few buffered characters. */
+    if (!abort_p)
+	status = pl_base64_decode_flush (data);
+
+    if (data->output_buffer != NULL)
+	PR_Free(data->output_buffer);
+    PR_Free(data);
+
+    return status;
+}
+
+
+/*
+ * Perform base64 decoding from an input buffer to an output buffer.
+ * The output buffer can be provided (as "dest"); you can also pass in
+ * a NULL and this function will allocate a buffer large enough for you,
+ * and return it.  If you do provide the output buffer, you must also
+ * provide the maximum length of that buffer (as "maxdestlen").
+ * The actual decoded length of output will be returned to you in
+ * "output_destlen".
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+static unsigned char *
+PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
+		       PRUint32 maxdestlen, PRUint32 *output_destlen)
+{
+    PRUint32 need_length;
+    unsigned char *output_buffer = NULL;
+    PLBase64Decoder *data = NULL;
+    PRStatus status;
+
+    PR_ASSERT(srclen > 0);
+    if (srclen == 0)
+	return dest;
+
+    /*
+     * How much space could we possibly need for decoding this input?
+     */
+    need_length = PL_Base64MaxDecodedLength (srclen);
+
+    /*
+     * Make sure we have at least that much, if output buffer provided.
+     * If no output buffer provided, then we allocate that much.
+     */
+    if (dest != NULL) {
+	PR_ASSERT(maxdestlen >= need_length);
+	if (maxdestlen < need_length) {
+	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+	    goto loser;
+	}
+	output_buffer = dest;
+    } else {
+	output_buffer = (unsigned char *) PR_Malloc(need_length);
+	if (output_buffer == NULL)
+	    goto loser;
+	maxdestlen = need_length;
+    }
+
+    data = pl_base64_create_decoder();
+    if (data == NULL)
+	goto loser;
+
+    data->output_buflen = maxdestlen;
+    data->output_buffer = output_buffer;
+
+    status = pl_base64_decode_buffer (data, (const unsigned char *) src,
+				      srclen);
+
+    /*
+     * We do not wait for Destroy to flush, because Destroy will also
+     * get rid of our decoder context, which we need to look at first!
+     */
+    if (status == PR_SUCCESS)
+	status = pl_base64_decode_flush (data);
+
+    /* Must clear this or Destroy will free it. */
+    data->output_buffer = NULL;
+
+    if (status == PR_SUCCESS) {
+	*output_destlen = data->output_length;
+	status = PL_DestroyBase64Decoder (data, PR_FALSE);
+	data = NULL;
+	if (status == PR_FAILURE)
+	    goto loser;
+	return output_buffer;
+    }
+
+loser:
+    if (dest == NULL && output_buffer != NULL)
+	PR_Free(output_buffer);
+    if (data != NULL)
+	(void) PL_DestroyBase64Decoder (data, PR_TRUE);
+    return NULL;
+}
+
+
+/*
+ * XXX End of base64 decoding code to be moved into NSPR.
+ ********************************************************
+ */
+
+/*
+ * This is the beginning of the NSS cover functions.  These will
+ * provide the interface we want to expose as NSS-ish.  For example,
+ * they will operate on our Items, do any special handling or checking
+ * we want to do, etc.
+ */
+
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A boring cover structure for now.  Perhaps someday it will include
+ * some more interesting fields.
+ */
+struct NSSBase64DecoderStr {
+    PLBase64Decoder *pl_data;
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Function to start a base64 decoding context.
+ */
+NSSBase64Decoder *
+NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
+					       PRInt32),
+			 void *output_arg)
+{
+    PLBase64Decoder *pl_data;
+    NSSBase64Decoder *nss_data;
+
+    nss_data = PORT_ZNew(NSSBase64Decoder);
+    if (nss_data == NULL)
+	return NULL;
+
+    pl_data = PL_CreateBase64Decoder (output_fn, output_arg);
+    if (pl_data == NULL) {
+	PORT_Free(nss_data);
+	return NULL;
+    }
+
+    nss_data->pl_data = pl_data;
+    return nss_data;
+}
+
+
+/*
+ * Push data through the decoder, causing the output_fn (provided to Create)
+ * to be called with the decoded data.
+ */
+SECStatus
+NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
+			 PRUint32 size)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_UpdateBase64Decoder (data->pl_data, buffer, size);
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * When you're done decoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+SECStatus
+NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_DestroyBase64Decoder (data->pl_data, abort_p);
+
+    PORT_Free(data);
+
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Perform base64 decoding from an ascii string "inStr" to an Item.
+ * The length of the input must be provided as "inLen".  The Item
+ * may be provided (as "outItemOpt"); you can also pass in a NULL
+ * and the Item will be allocated for you.
+ *
+ * In any case, the data within the Item will be allocated for you.
+ * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
+ * If "arenaOpt" is NULL, standard allocation (heap) will be used and
+ * you will want to free the result via SECITEM_FreeItem.
+ *
+ * Return value is NULL on error, the Item (allocated or provided) otherwise.
+ */
+SECItem *
+NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
+			const char *inStr, unsigned int inLen)
+{
+    SECItem *out_item = outItemOpt;
+    PRUint32 max_out_len = PL_Base64MaxDecodedLength (inLen);
+    PRUint32 out_len;
+    void *mark = NULL;
+    unsigned char *dummy;
+
+    PORT_Assert(outItemOpt == NULL || outItemOpt->data == NULL);
+
+    if (arenaOpt != NULL)
+	mark = PORT_ArenaMark (arenaOpt);
+
+    out_item = SECITEM_AllocItem (arenaOpt, outItemOpt, max_out_len);
+    if (out_item == NULL) {
+	if (arenaOpt != NULL)
+	    PORT_ArenaRelease (arenaOpt, mark);
+	return NULL;
+    }
+
+    dummy = PL_Base64DecodeBuffer (inStr, inLen, out_item->data,
+				   max_out_len, &out_len);
+    if (dummy == NULL) {
+	if (arenaOpt != NULL) {
+	    PORT_ArenaRelease (arenaOpt, mark);
+	    if (outItemOpt != NULL) {
+		outItemOpt->data = NULL;
+		outItemOpt->len = 0;
+	    }
+	} else {
+	    SECITEM_FreeItem (out_item,
+			      (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
+	}
+	return NULL;
+    }
+
+    if (arenaOpt != NULL)
+	PORT_ArenaUnmark (arenaOpt, mark);
+    out_item->len = out_len;
+    return out_item;
+}
+
+
+/*
+ * XXX Everything below is deprecated.  If you add new stuff, put it
+ * *above*, not below.
+ */
+
+/*
+ * XXX The following "ATOB" functions are provided for backward compatibility
+ * with current code.  They should be considered strongly deprecated.
+ * When we can convert all our code over to using the new NSSBase64Decoder_
+ * functions defined above, we should get rid of these altogether.  (Remove
+ * protoypes from base64.h as well -- actually, remove that file completely).
+ * If someone thinks either of these functions provides such a very useful
+ * interface (though, as shown, the same functionality can already be
+ * obtained by calling NSSBase64_DecodeBuffer directly), fine -- but then
+ * that API should be provided with a nice new NSSFoo name and using
+ * appropriate types, etc.
+ */
+
+#include "base64.h"
+
+/*
+** Return an PORT_Alloc'd string which is the base64 decoded version
+** of the input string; set *lenp to the length of the returned data.
+*/
+unsigned char *
+ATOB_AsciiToData(const char *string, unsigned int *lenp)
+{
+    SECItem binary_item, *dummy;
+
+    binary_item.data = NULL;
+    binary_item.len = 0;
+
+    dummy = NSSBase64_DecodeBuffer (NULL, &binary_item, string,
+				    (PRUint32) PORT_Strlen(string));
+    if (dummy == NULL)
+	return NULL;
+
+    PORT_Assert(dummy == &binary_item);
+
+    *lenp = dummy->len;
+    return dummy->data;
+}
+ 
+/*
+** Convert from ascii to binary encoding of an item.
+*/
+SECStatus
+ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
+{
+    SECItem *dummy;
+
+    if (binary_item == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /*
+     * XXX Would prefer to assert here if data is non-null (actually,
+     * don't need to, just let NSSBase64_DecodeBuffer do it), so as to
+     * to catch unintended memory leaks, but callers are not clean in
+     * this respect so we need to explicitly clear here to avoid the
+     * assert in NSSBase64_DecodeBuffer.
+     */
+    binary_item->data = NULL;
+    binary_item->len = 0;
+
+    dummy = NSSBase64_DecodeBuffer (NULL, binary_item, ascii,
+				    (PRUint32) PORT_Strlen(ascii));
+
+    if (dummy == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/nssb64e.c b/security/nss/lib/util/nssb64e.c
new file mode 100644
index 000000000..71cf05373
--- /dev/null
+++ b/security/nss/lib/util/nssb64e.c
@@ -0,0 +1,765 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Base64 encoding (binary to ascii).
+ *
+ * $Id$
+ */
+
+#include "nssb64.h"
+#include "nspr.h"
+#include "secitem.h"
+#include "secerr.h"
+
+/*
+ * XXX See the big comment at the top of nssb64d.c about moving the
+ * bulk of this code over into NSPR (the PL part).  It all applies
+ * here but I didn't want to duplicate it, to avoid divergence problems.
+ */ 
+
+/*
+ **************************************************************
+ * XXX Beginning of base64 encoding code to be moved into NSPR.
+ */
+
+
+struct PLBase64EncodeStateStr {
+    unsigned chunks;
+    unsigned saved;
+    unsigned char buf[3];
+};
+
+/*
+ * This typedef would belong in the NSPR header file (i.e. plbase64.h).
+ */
+typedef struct PLBase64EncoderStr PLBase64Encoder;
+
+/*
+ * The following implementation of base64 encoding was based on code
+ * found in libmime (specifically, in mimeenc.c).  It has been adapted to
+ * use PR types and naming as well as to provide other necessary semantics
+ * (like buffer-in/buffer-out in addition to "streaming" without undue
+ * performance hit of extra copying if you made the buffer versions
+ * use the output_fn).  It also incorporates some aspects of the current
+ * NSPR base64 encoding code.  As such, you may find similarities to
+ * both of those implementations.  I tried to use names that reflected
+ * the original code when possible.  For this reason you may find some
+ * inconsistencies -- libmime used lots of "in" and "out" whereas the
+ * NSPR version uses "src" and "dest"; sometimes I changed one to the other
+ * and sometimes I left them when I thought the subroutines were at least
+ * self-consistent.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Opaque object used by the encoder to store state.
+ */
+struct PLBase64EncoderStr {
+    /*
+     * The one or two bytes pending.  (We need 3 to create a "token",
+     * and hold the leftovers here.  in_buffer_count is *only* ever
+     * 0, 1, or 2.
+     */
+    unsigned char in_buffer[2];
+    int in_buffer_count;
+
+    /*
+     * If the caller wants linebreaks added, line_length specifies
+     * where they come out.  It must be a multiple of 4; if the caller
+     * provides one that isn't, we round it down to the nearest
+     * multiple of 4.
+     *
+     * The value of current_column counts how many characters have been
+     * added since the last linebreaks (or since the beginning, on the
+     * first line).  It is also always a multiple of 4; it is unused when
+     * line_length is 0.
+     */ 
+    PRUint32 line_length;
+    PRUint32 current_column;
+
+    /*
+     * Where to write the encoded data (used when streaming, not when
+     * doing all in-memory (buffer) operations).
+     *
+     * Note that this definition is chosen to be compatible with PR_Write.
+     */
+    PRInt32 (*output_fn) (void *output_arg, const char *buf, PRInt32 size);
+    void *output_arg;
+
+    /*
+     * Where the encoded output goes -- either temporarily (in the streaming
+     * case, staged here before it goes to the output function) or what will
+     * be the entire buffered result for users of the buffer version.
+     */
+    char *output_buffer;
+    PRUint32 output_buflen;	/* the total length of allocated buffer */
+    PRUint32 output_length;	/* the length that is currently populated */
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Table to convert a binary value to its corresponding ascii "code".
+ */
+static unsigned char base64_valuetocode[64] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+#define B64_PAD	'='
+#define B64_CR	'\r'
+#define B64_LF	'\n'
+
+static PRStatus
+pl_base64_encode_buffer (PLBase64Encoder *data, const unsigned char *in,
+			 PRUint32 size)
+{
+    const unsigned char *end = in + size;
+    char *out = data->output_buffer + data->output_length;
+    unsigned int i = data->in_buffer_count;
+    PRUint32 n = 0;
+    int off;
+    PRUint32 output_threshold;
+
+    /* If this input buffer is too small, wait until next time. */
+    if (size < (3 - i)) {
+	data->in_buffer[i++] = in[0];
+	if (size > 1)
+	    data->in_buffer[i++] = in[1];
+	PR_ASSERT(i < 3);
+	data->in_buffer_count = i;
+	return PR_SUCCESS;
+    }
+
+    /* If there are bytes that were put back last time, take them now. */
+    if (i > 0) {
+	n = data->in_buffer[0];
+	if (i > 1)
+	    n = (n << 8) | data->in_buffer[1];
+	data->in_buffer_count = 0;
+    }
+
+    /* If our total is not a multiple of three, put one or two bytes back. */
+    off = (size + i) % 3;
+    if (off > 0) {
+	size -= off;
+	data->in_buffer[0] = in[size];
+	if (off > 1)
+	    data->in_buffer[1] = in[size + 1];
+	data->in_buffer_count = off;
+	end -= off;
+    }
+
+    output_threshold = data->output_buflen - 3;
+
+    /*
+     * Populate the output buffer with base64 data, one line (or buffer)
+     * at a time.
+     */
+    while (in < end) {
+	int j, k;
+
+	while (i < 3) {
+	    n = (n << 8) | *in++;
+	    i++;
+	}
+	i = 0;
+
+	if (data->line_length > 0) {
+	    if (data->current_column >= data->line_length) {
+		data->current_column = 0;
+		*out++ = B64_CR;
+		*out++ = B64_LF;
+		data->output_length += 2;
+	    }
+	    data->current_column += 4;	/* the bytes we are about to add */
+	}
+
+	for (j = 18; j >= 0; j -= 6) {
+	    k = (n >> j) & 0x3F;
+	    *out++ = base64_valuetocode[k];
+	}
+	n = 0;
+	data->output_length += 4;
+
+	if (data->output_length >= output_threshold) {
+	    PR_ASSERT(data->output_length <= data->output_buflen);
+	    if (data->output_fn != NULL) {
+		PRInt32 output_result;
+
+		output_result = data->output_fn (data->output_arg,
+						 data->output_buffer,
+						 (PRInt32) data->output_length);
+		if (output_result < 0)
+		    return PR_FAILURE;
+
+		out = data->output_buffer;
+		data->output_length = 0;
+	    } else {
+		/*
+		 * Check that we are about to exit the loop.  (Since we
+		 * are over the threshold, there isn't enough room in the
+		 * output buffer for another trip around.)
+		 */
+		PR_ASSERT(in == end);
+		if (in < end) {
+		    PR_SetError (PR_BUFFER_OVERFLOW_ERROR, 0);
+		    return PR_FAILURE;
+		}
+	    }
+	}
+    }
+
+    return PR_SUCCESS;
+}
+
+static PRStatus
+pl_base64_encode_flush (PLBase64Encoder *data)
+{
+    int i = data->in_buffer_count;
+
+    if (i == 0 && data->output_length == 0)
+	return PR_SUCCESS;
+
+    if (i > 0) {
+	char *out = data->output_buffer + data->output_length;
+	PRUint32 n;
+	int j, k;
+
+	n = ((PRUint32) data->in_buffer[0]) << 16;
+	if (i > 1)
+	    n |= ((PRUint32) data->in_buffer[1] << 8);
+
+	data->in_buffer_count = 0;
+
+	if (data->line_length > 0) {
+	    if (data->current_column >= data->line_length) {
+		data->current_column = 0;
+		*out++ = B64_CR;
+		*out++ = B64_LF;
+		data->output_length += 2;
+	    }
+	}
+
+	/*
+	 * This will fill in more than we really have data for, but the
+	 * valid parts will end up in the correct position and the extras
+	 * will be over-written with pad characters below.
+	 */
+	for (j = 18; j >= 0; j -= 6) {
+	    k = (n >> j) & 0x3F;
+	    *out++ = base64_valuetocode[k];
+	}
+
+	/* Pad with equal-signs. */
+	if (i == 1)
+	    out[-2] = B64_PAD;
+	out[-1] = B64_PAD;
+
+	data->output_length += 4;
+    }
+
+    if (data->output_fn != NULL) {
+	PRInt32 output_result;
+
+	output_result = data->output_fn (data->output_arg, data->output_buffer,
+					 (PRInt32) data->output_length);
+	data->output_length = 0;
+
+	if (output_result < 0)
+	    return PR_FAILURE;
+    }
+
+    return PR_SUCCESS;
+}
+
+
+/*
+ * The maximum space needed to hold the output of the encoder given input
+ * data of length "size", and allowing for CRLF added at least every
+ * line_length bytes (we will add it at nearest lower multiple of 4).
+ * There is no trailing CRLF.
+ */
+static PRUint32
+PL_Base64MaxEncodedLength (PRUint32 size, PRUint32 line_length)
+{
+    PRUint32 tokens, tokens_per_line, full_lines, line_break_chars, remainder;
+
+    tokens = (size + 2) / 3;
+
+    if (line_length == 0)
+	return tokens * 4;
+
+    if (line_length < 4)	/* too small! */
+	line_length = 4;
+
+    tokens_per_line = line_length / 4;
+    full_lines = tokens / tokens_per_line;
+    remainder = (tokens - (full_lines * tokens_per_line)) * 4;
+    line_break_chars = full_lines * 2;
+    if (remainder == 0)
+	line_break_chars -= 2;
+
+    return (full_lines * tokens_per_line * 4) + line_break_chars + remainder;
+}
+
+
+/*
+ * A distinct internal creation function for the buffer version to use.
+ * (It does not want to specify an output_fn, and we want the normal
+ * Create function to require that.)  All common initialization of the
+ * encoding context should be done *here*.
+ *
+ * Save "line_length", rounded down to nearest multiple of 4 (if not
+ * already even multiple).  Allocate output_buffer, if not provided --
+ * based on given size if specified, otherwise based on line_length.
+ */
+static PLBase64Encoder *
+pl_base64_create_encoder (PRUint32 line_length, char *output_buffer,
+			  PRUint32 output_buflen)
+{
+    PLBase64Encoder *data;
+    PRUint32 line_tokens;
+
+    data = PR_NEWZAP(PLBase64Encoder);
+    if (data == NULL)
+	return NULL;
+
+    if (line_length > 0 && line_length < 4)	/* too small! */
+	line_length = 4;
+
+    line_tokens = line_length / 4;
+    data->line_length = line_tokens * 4;
+
+    if (output_buffer == NULL) {
+	if (output_buflen == 0) {
+	    if (data->line_length > 0)	/* need to include room for CRLF */
+		output_buflen = data->line_length + 2;
+	    else
+		output_buflen = 64;		/* XXX what is a good size? */
+	}
+
+	output_buffer = (char *) PR_Malloc(output_buflen);
+	if (output_buffer == NULL) {
+	    PR_Free(data);
+	    return NULL;
+	}
+    }
+
+    data->output_buffer = output_buffer;
+    data->output_buflen = output_buflen;
+    return data;
+}
+
+/*
+ * Function to start a base64 encoding context.
+ * An "output_fn" is required; the "output_arg" parameter to that is optional.
+ * If linebreaks in the encoded output are desired, "line_length" specifies
+ * where to place them -- it will be rounded down to the nearest multiple of 4
+ * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
+ * will be added.  (FYI, a linebreak is CRLF -- two characters.)
+ */
+static PLBase64Encoder *
+PL_CreateBase64Encoder (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			void *output_arg, PRUint32 line_length)
+{
+    PLBase64Encoder *data;
+
+    if (output_fn == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return NULL;
+    }
+
+    data = pl_base64_create_encoder (line_length, NULL, 0);
+    if (data == NULL)
+	return NULL;
+
+    data->output_fn = output_fn;
+    data->output_arg = output_arg;
+
+    return data;
+}
+
+
+/*
+ * Push data through the encoder, causing the output_fn (provided to Create)
+ * to be called with the encoded data.
+ */
+static PRStatus
+PL_UpdateBase64Encoder (PLBase64Encoder *data, const unsigned char *buffer,
+			PRUint32 size)
+{
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL || buffer == NULL || size == 0) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    return pl_base64_encode_buffer (data, buffer, size);
+}
+
+
+/*
+ * When you're done encoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+static PRStatus
+PL_DestroyBase64Encoder (PLBase64Encoder *data, PRBool abort_p)
+{
+    PRStatus status = PR_SUCCESS;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /* Flush out the last few buffered characters. */
+    if (!abort_p)
+	status = pl_base64_encode_flush (data);
+
+    if (data->output_buffer != NULL)
+	PR_Free(data->output_buffer);
+    PR_Free(data);
+
+    return status;
+}
+
+
+/*
+ * Perform base64 encoding from an input buffer to an output buffer.
+ * The output buffer can be provided (as "dest"); you can also pass in
+ * a NULL and this function will allocate a buffer large enough for you,
+ * and return it.  If you do provide the output buffer, you must also
+ * provide the maximum length of that buffer (as "maxdestlen").
+ * The actual encoded length of output will be returned to you in
+ * "output_destlen".
+ *
+ * If linebreaks in the encoded output are desired, "line_length" specifies
+ * where to place them -- it will be rounded down to the nearest multiple of 4
+ * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
+ * will be added.  (FYI, a linebreak is CRLF -- two characters.)
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+static char *
+PL_Base64EncodeBuffer (const unsigned char *src, PRUint32 srclen,
+		       PRUint32 line_length, char *dest, PRUint32 maxdestlen,
+		       PRUint32 *output_destlen)
+{
+    PRUint32 need_length;
+    PLBase64Encoder *data = NULL;
+    PRStatus status;
+
+    PR_ASSERT(srclen > 0);
+    if (srclen == 0)
+	return dest;
+
+    /*
+     * How much space could we possibly need for encoding this input?
+     */
+    need_length = PL_Base64MaxEncodedLength (srclen, line_length);
+
+    /*
+     * Make sure we have at least that much, if output buffer provided.
+     */
+    if (dest != NULL) {
+	PR_ASSERT(maxdestlen >= need_length);
+	if (maxdestlen < need_length) {
+	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+	    return NULL;
+	}
+    } else {
+	maxdestlen = need_length;
+    }
+
+    data = pl_base64_create_encoder(line_length, dest, maxdestlen);
+    if (data == NULL)
+	return NULL;
+
+    status = pl_base64_encode_buffer (data, src, srclen);
+
+    /*
+     * We do not wait for Destroy to flush, because Destroy will also
+     * get rid of our encoder context, which we need to look at first!
+     */
+    if (status == PR_SUCCESS)
+	status = pl_base64_encode_flush (data);
+
+    if (status != PR_SUCCESS) {
+	(void) PL_DestroyBase64Encoder (data, PR_TRUE);
+	return NULL;
+    }
+
+    dest = data->output_buffer;
+
+    /* Must clear this or Destroy will free it. */
+    data->output_buffer = NULL;
+
+    *output_destlen = data->output_length;
+    status = PL_DestroyBase64Encoder (data, PR_FALSE);
+    if (status == PR_FAILURE) {
+	PR_Free(dest);
+	return NULL;
+    }
+
+    return dest;
+}
+
+/*
+ * XXX End of base64 encoding code to be moved into NSPR.
+ ********************************************************
+ */
+
+/*
+ * This is the beginning of the NSS cover functions.  These will
+ * provide the interface we want to expose as NSS-ish.  For example,
+ * they will operate on our Items, do any special handling or checking
+ * we want to do, etc.
+ */
+
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A boring cover structure for now.  Perhaps someday it will include
+ * some more interesting fields.
+ */
+struct NSSBase64EncoderStr {
+    PLBase64Encoder *pl_data;
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Function to start a base64 encoding context.
+ */
+NSSBase64Encoder *
+NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			 void *output_arg)
+{
+    PLBase64Encoder *pl_data;
+    NSSBase64Encoder *nss_data;
+
+    nss_data = PORT_ZNew(NSSBase64Encoder);
+    if (nss_data == NULL)
+	return NULL;
+
+    pl_data = PL_CreateBase64Encoder (output_fn, output_arg, 64);
+    if (pl_data == NULL) {
+	PORT_Free(nss_data);
+	return NULL;
+    }
+
+    nss_data->pl_data = pl_data;
+    return nss_data;
+}
+
+
+/*
+ * Push data through the encoder, causing the output_fn (provided to Create)
+ * to be called with the encoded data.
+ */
+SECStatus
+NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
+			 PRUint32 size)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_UpdateBase64Encoder (data->pl_data, buffer, size);
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * When you're done encoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+SECStatus
+NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_DestroyBase64Encoder (data->pl_data, abort_p);
+
+    PORT_Free(data);
+
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Perform base64 encoding of binary data "inItem" to an ascii string.
+ * The output buffer may be provided (as "outStrOpt"); you can also pass
+ * in a NULL and the buffer will be allocated for you.  The result will
+ * be null-terminated, and if the buffer is provided, "maxOutLen" must
+ * specify the maximum length of the buffer and will be checked to
+ * supply sufficient space space for the encoded result.  (If "outStrOpt"
+ * is NULL, "maxOutLen" is ignored.)
+ *
+ * If "outStrOpt" is NULL, allocation will happen out of the passed-in
+ * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
+ * will be used.
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+char *
+NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
+		      unsigned int maxOutLen, SECItem *inItem)
+{
+    char *out_string = outStrOpt;
+    PRUint32 max_out_len;
+    PRUint32 out_len;
+    void *mark = NULL;
+    char *dummy;
+
+    PORT_Assert(inItem != NULL && inItem->data != NULL && inItem->len != 0);
+    if (inItem == NULL || inItem->data == NULL || inItem->len == 0) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    max_out_len = PL_Base64MaxEncodedLength (inItem->len, 64);
+
+    if (arenaOpt != NULL)
+	mark = PORT_ArenaMark (arenaOpt);
+
+    if (out_string == NULL) {
+	if (arenaOpt != NULL)
+	    out_string = PORT_ArenaAlloc (arenaOpt, max_out_len + 1);
+	else
+	    out_string = PORT_Alloc (max_out_len + 1);
+
+	if (out_string == NULL) {
+	    if (arenaOpt != NULL)
+		PORT_ArenaRelease (arenaOpt, mark);
+	    return NULL;
+	}
+    } else {
+	if ((max_out_len + 1) > maxOutLen) {
+	    PORT_SetError (SEC_ERROR_OUTPUT_LEN);
+	    return NULL;
+	}
+	max_out_len = maxOutLen;
+    }
+
+
+    dummy = PL_Base64EncodeBuffer (inItem->data, inItem->len, 64,
+				   out_string, max_out_len, &out_len);
+    if (dummy == NULL) {
+	if (arenaOpt != NULL) {
+	    PORT_ArenaRelease (arenaOpt, mark);
+	} else {
+	    PORT_Free (out_string);
+	}
+	return NULL;
+    }
+
+    if (arenaOpt != NULL)
+	PORT_ArenaUnmark (arenaOpt, mark);
+
+    out_string[out_len] = '\0';
+    return out_string;
+}
+
+
+/*
+ * XXX Everything below is deprecated.  If you add new stuff, put it
+ * *above*, not below.
+ */
+
+/*
+ * XXX The following "BTOA" functions are provided for backward compatibility
+ * with current code.  They should be considered strongly deprecated.
+ * When we can convert all our code over to using the new NSSBase64Encoder_
+ * functions defined above, we should get rid of these altogether.  (Remove
+ * protoypes from base64.h as well -- actually, remove that file completely).
+ * If someone thinks either of these functions provides such a very useful
+ * interface (though, as shown, the same functionality can already be
+ * obtained by calling NSSBase64_EncodeItem directly), fine -- but then
+ * that API should be provided with a nice new NSSFoo name and using
+ * appropriate types, etc.
+ */
+
+#include "base64.h"
+
+/*
+** Return an PORT_Alloc'd ascii string which is the base64 encoded
+** version of the input string.
+*/
+char *
+BTOA_DataToAscii(const unsigned char *data, unsigned int len)
+{
+    SECItem binary_item;
+
+    binary_item.data = (unsigned char *)data;
+    binary_item.len = len;
+
+    return NSSBase64_EncodeItem (NULL, NULL, 0, &binary_item);
+}
+
+/*
+** Convert from binary encoding of an item to ascii.
+*/
+char *
+BTOA_ConvertItemToAscii (SECItem *binary_item)
+{
+    return NSSBase64_EncodeItem (NULL, NULL, 0, binary_item);
+}
diff --git a/security/nss/lib/util/nssb64t.h b/security/nss/lib/util/nssb64t.h
new file mode 100644
index 000000000..3ca930c7c
--- /dev/null
+++ b/security/nss/lib/util/nssb64t.h
@@ -0,0 +1,49 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Public data structures for base64 encoding/decoding.
+ *
+ * $Id$
+ */
+#ifndef _NSSB64T_H_
+#define _NSSB64T_H_
+
+#include "utilrename.h"
+typedef struct NSSBase64DecoderStr NSSBase64Decoder;
+typedef struct NSSBase64EncoderStr NSSBase64Encoder;
+
+#endif /* _NSSB64T_H_ */
diff --git a/security/nss/lib/util/nssilckt.h b/security/nss/lib/util/nssilckt.h
new file mode 100644
index 000000000..797b4e123
--- /dev/null
+++ b/security/nss/lib/util/nssilckt.h
@@ -0,0 +1,223 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** nssilock.h - Instrumented locking functions for NSS
+**
+** Description:
+**    nssilock provides instrumentation for locks and monitors in
+**    the NSS libraries. The instrumentation, when enabled, causes
+**    each call to the instrumented function to record data about
+**    the call to an external file. The external file
+**    subsequently used to extract performance data and other
+**    statistical information about the operation of locks used in
+**    the nss library.
+**     
+**    To enable compilation with instrumentation, build NSS with 
+**    the compile time switch NEED_NSS_ILOCK defined.
+**
+**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
+**
+**    At runtime, to enable recording from nssilock, one or more
+**    environment variables must be set. For each nssILockType to
+**    be recorded, an environment variable of the form NSS_ILOCK_x
+**    must be set to 1. For example:
+**
+**       set NSS_ILOCK_Cert=1
+**
+**    nssilock uses PRLOG is used to record to trace data. The
+**    PRLogModule name associated with nssilock data is: "nssilock".
+**    To enable recording of nssilock data you will need to set the
+**    environment variable NSPR_LOG_MODULES to enable
+**    recording for the nssilock log module. Similarly, you will
+**    need to set the environment variable NSPR_LOG_FILE to specify
+**    the filename to receive the recorded data. See prlog.h for usage.
+**    Example:
+**
+**        export NSPR_LOG_MODULES=nssilock:6
+**        export NSPR_LOG_FILE=xxxLogfile
+**
+** Operation:
+**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
+**    with similarly named functions: PZ_NewLock(), etc. When NSS is
+**    built with lock instrumentation enabled, the PZ* functions are
+**    compiled into NSS; when lock instrumentation is disabled,
+**    calls to PZ* functions are directly mapped to PR* functions
+**    and the instrumentation arguments to the PZ* functions are
+**    compiled away.
+**
+**
+** File Format:
+**    The format of the external file is implementation
+**    dependent. Where NSPR's PR_LOG() function is used, the file
+**    contains data defined for PR_LOG() plus the data written by
+**    the wrapped function. On some platforms and under some
+**    circumstances, platform dependent logging or
+**    instrumentation probes may be used. In any case, the
+**    relevant data provided by the lock instrumentation is:
+**    
+**      lockType, func, address, duration, line, file [heldTime]
+** 
+**    where:
+**    
+**       lockType: a character representation of nssILockType for the
+**       call. e.g. ... "cert"
+**    
+**       func: the function doing the tracing. e.g. "NewLock"
+**    
+**       address: address of the instrumented lock or monitor
+**    
+**       duration: is how long was spent in the instrumented function,
+**       in PRIntervalTime "ticks".
+**    
+**       line: the line number within the calling function
+**    
+**       file: the file from which the call was made
+**    
+**       heldTime: how long the lock/monitor was held. field
+**       present only for PZ_Unlock() and PZ_ExitMonitor().
+**    
+** Design Notes:
+**    The design for lock instrumentation was influenced by the
+**    need to gather performance data on NSS 3.x. It is intended
+**    that the effort to modify NSS to use lock instrumentation
+**    be minimized. Existing calls to locking functions need only
+**    have their names changed to the instrumentation function
+**    names.
+**    
+** Private NSS Interface:
+**    nssilock.h defines a private interface for use by NSS.
+**    nssilock.h is experimental in nature and is subject to
+**    change or revocation without notice. ... Don't mess with
+**    it.
+**    
+*/
+
+/*
+ * $Id:
+ */
+
+#ifndef _NSSILCKT_H_
+#define _NSSILCKT_H_
+
+#include "utilrename.h"
+#include "prtypes.h"
+#include "prmon.h"
+#include "prlock.h"
+#include "prcvar.h"
+
+typedef enum {
+    nssILockArena = 0,
+    nssILockSession = 1,
+    nssILockObject = 2,
+    nssILockRefLock = 3,
+    nssILockCert = 4,
+    nssILockCertDB = 5,
+    nssILockDBM = 6,
+    nssILockCache = 7,
+    nssILockSSL = 8,
+    nssILockList = 9,
+    nssILockSlot = 10,
+    nssILockFreelist = 11,
+    nssILockOID = 12,
+    nssILockAttribute = 13,
+    nssILockPK11cxt = 14,  /* pk11context */
+    nssILockRWLock = 15,
+    nssILockOther = 16,
+    nssILockSelfServ = 17,
+    nssILockKeyDB = 18,
+    nssILockLast  /* don't use this one! */
+} nssILockType;
+
+/*
+** conditionally compile in nssilock features
+*/
+#if defined(NEED_NSS_ILOCK)
+
+/*
+** Declare operation type enumerator
+** enumerations identify the function being performed
+*/
+typedef enum  {
+    FlushTT = 0,
+    NewLock = 1,
+    Lock = 2,
+    Unlock = 3,
+    DestroyLock = 4,
+    NewCondVar = 5,
+    WaitCondVar = 6,
+    NotifyCondVar = 7,
+    NotifyAllCondVar = 8,
+    DestroyCondVar = 9,
+    NewMonitor = 10,
+    EnterMonitor = 11,
+    ExitMonitor = 12,
+    Notify = 13,
+    NotifyAll = 14,
+    Wait = 15,
+    DestroyMonitor = 16
+} nssILockOp;
+
+/*
+** Declare the trace record
+*/
+struct pzTrace_s {
+    PRUint32        threadID; /* PR_GetThreadID() */
+    nssILockOp      op;       /* operation being performed */
+    nssILockType    ltype;    /* lock type identifier */
+    PRIntervalTime  callTime; /* time spent in function */
+    PRIntervalTime  heldTime; /* lock held time, or -1 */
+    void            *lock;    /* address of lock structure */    
+    PRIntn          line;     /* line number */
+    char            file[24]; /* filename */
+};
+
+/*
+** declare opaque types. See: nssilock.c
+*/
+typedef struct pzlock_s PZLock;
+typedef struct pzcondvar_s PZCondVar;
+typedef struct pzmonitor_s PZMonitor;
+
+#else /* NEED_NSS_ILOCK */
+
+#define PZLock                  PRLock
+#define PZCondVar               PRCondVar
+#define PZMonitor               PRMonitor
+    
+#endif /* NEED_NSS_ILOCK */
+
+#endif /* _NSSILCKT_H_ */
diff --git a/security/nss/lib/util/nssilock.c b/security/nss/lib/util/nssilock.c
new file mode 100644
index 000000000..afeb8ddb5
--- /dev/null
+++ b/security/nss/lib/util/nssilock.c
@@ -0,0 +1,530 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * nssilock.c - NSS lock instrumentation wrapper functions
+ *
+ * NOTE - These are not public interfaces
+ *
+ * Implementation Notes:
+ * I've tried to make the instrumentation relatively non-intrusive.
+ * To do this, I have used a single PR_LOG() call in each
+ * instrumented function. There's room for improvement.
+ *
+ *
+ */
+
+#include "prinit.h"
+#include "prerror.h"
+#include "prlock.h"
+#include "prmem.h"
+#include "prenv.h"
+#include "prcvar.h"
+#include "prio.h"
+
+#if defined(NEED_NSS_ILOCK)
+#include "prlog.h"
+#include "nssilock.h"
+
+/*
+** Declare the instrumented PZLock 
+*/
+struct pzlock_s {
+    PRLock *lock;  /* the PZLock to be instrumented */
+    PRIntervalTime time; /* timestamp when the lock was aquired */
+    nssILockType ltype;
+};
+
+/*
+** Declare the instrumented PZMonitor 
+*/
+struct pzmonitor_s {
+    PRMonitor *mon;   /* the PZMonitor to be instrumented */
+    PRIntervalTime time; /* timestamp when the monitor was aquired */
+    nssILockType ltype;
+};
+
+/*
+** Declare the instrumented PZCondVar
+*/
+struct pzcondvar_s  {
+    PRCondVar   *cvar;  /* the PZCondVar to be instrumented */
+    nssILockType ltype;
+};
+
+
+/*
+** Define a CallOnce type to ensure serialized self-initialization
+*/
+static PRCallOnceType coNssILock;     /* CallOnce type */
+static PRIntn  nssILockInitialized;   /* initialization done when 1 */
+static PRLogModuleInfo *nssILog;      /* Log instrumentation to this handle */
+
+
+#define NUM_TT_ENTRIES 6000000
+static PRInt32  traceIndex = -1;      /* index into trace table */
+static struct pzTrace_s *tt;          /* pointer to trace table */
+static PRInt32  ttBufSize = (NUM_TT_ENTRIES * sizeof(struct pzTrace_s ));
+static PRCondVar *ttCVar;
+static PRLock    *ttLock;
+static PRFileDesc *ttfd;              /* trace table file */
+
+/*
+** Vtrace() -- Trace events, write events to external media
+**
+** Vtrace() records traced events in an in-memory trace table
+** when the trace table fills, Vtrace writes the entire table
+** to a file.
+**
+** data can be lost!
+**
+*/
+static void Vtrace(
+    nssILockOp      op,
+    nssILockType    ltype,
+    PRIntervalTime  callTime,
+    PRIntervalTime  heldTime,
+    void            *lock,
+    PRIntn          line,
+    char            *file
+)  {
+    PRInt32 idx;
+    struct pzTrace_s *tp;
+
+RetryTrace:
+    idx = PR_AtomicIncrement( &traceIndex );
+    while( NUM_TT_ENTRIES <= idx || op == FlushTT ) {
+        if( NUM_TT_ENTRIES == idx  || op == FlushTT )  {
+            int writeSize = idx * sizeof(struct pzTrace_s);
+            PR_Lock(ttLock);
+            PR_Write( ttfd, tt, writeSize );
+            traceIndex = -1;
+            PR_NotifyAllCondVar( ttCVar );
+            PR_Unlock(ttLock);
+            goto RetryTrace;
+        } else {
+            PR_Lock(ttLock);
+            while( NUM_TT_ENTRIES < idx )
+                PR_WaitCondVar(ttCVar, PR_INTERVAL_NO_WAIT);
+            PR_Unlock(ttLock);
+            goto RetryTrace;
+        }
+    } /* end while() */
+
+    /* create the trace entry */
+    tp = tt + idx;
+    tp->threadID = PR_GetThreadID(PR_GetCurrentThread());
+    tp->op = op;
+    tp->ltype = ltype;
+    tp->callTime = callTime;
+    tp->heldTime = heldTime;
+    tp->lock = lock;
+    tp ->line = line;
+    strcpy(tp->file, file );
+    return;
+} /* --- end Vtrace() --- */
+
+/*
+** pz_TraceFlush() -- Force trace table write to file
+**
+*/
+extern void pz_TraceFlush( void )
+{
+    Vtrace( FlushTT, nssILockSelfServ, 0, 0, NULL, 0, "" );
+    return;
+} /* --- end pz_TraceFlush() --- */
+
+/*
+** nssILockInit() -- Initialization for nssilock
+**
+** This function is called from the CallOnce mechanism.
+*/
+static PRStatus
+    nssILockInit( void ) 
+{   
+    int i;
+    nssILockInitialized = 1;
+
+    /* new log module */
+    nssILog = PR_NewLogModule("nssilock");
+    if ( NULL == nssILog )  {
+        return(PR_FAILURE);
+    }
+
+    tt = PR_Calloc( NUM_TT_ENTRIES, sizeof(struct pzTrace_s));
+    if (NULL == tt ) {
+        fprintf(stderr, "nssilock: can't allocate trace table\n");
+        exit(1);
+    }
+
+    ttfd = PR_Open( "xxxTTLog", PR_CREATE_FILE | PR_WRONLY, 0666 );
+    if ( NULL == ttfd )  {
+        fprintf( stderr, "Oh Drat! Can't open 'xxxTTLog'\n");
+        exit(1);
+    }
+
+    ttLock = PR_NewLock();
+    ttCVar = PR_NewCondVar(ttLock);
+
+    return(PR_SUCCESS);
+} /* --- end nssILockInit() --- */
+
+extern PZLock * pz_NewLock( 
+    nssILockType ltype,
+    char *file,  
+    PRIntn line )
+{
+    PRStatus rc;
+    PZLock  *lock;
+    
+    /* Self Initialize the nssILock feature */
+    if (!nssILockInitialized)  {
+        rc = PR_CallOnce( &coNssILock, nssILockInit );
+        if ( PR_FAILURE == rc ) {
+            PR_SetError( PR_UNKNOWN_ERROR, 0 );
+            return( NULL );
+        }
+    }
+
+    lock = PR_NEWZAP( PZLock );
+    if ( NULL != lock )  {
+        lock->ltype = ltype;
+        lock->lock = PR_NewLock();
+        if ( NULL == lock->lock )  {
+            PR_DELETE( lock );
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+        }
+    } else {
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    Vtrace( NewLock, ltype, 0, 0, lock, line, file );
+    return(lock);
+} /* --- end pz_NewLock() --- */
+
+extern void
+    pz_Lock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{            
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    PR_Lock( lock->lock );
+    lock->time = PR_IntervalNow();
+    callTime = lock->time - callTime;
+
+    Vtrace( Lock, lock->ltype, callTime, 0, lock, line, file );
+    return;
+} /* --- end  pz_Lock() --- */
+
+extern PRStatus
+    pz_Unlock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    ) 
+{
+    PRStatus rc;
+    PRIntervalTime callTime, now, heldTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Unlock( lock->lock );
+    now = PR_IntervalNow(); 
+    callTime = now - callTime;
+    heldTime = now - lock->time;
+    Vtrace( Unlock, lock->ltype, callTime, heldTime, lock, line, file );
+    return( rc );
+} /* --- end  pz_Unlock() --- */
+
+extern void
+    pz_DestroyLock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyLock, lock->ltype, 0, 0, lock, line, file );
+    PR_DestroyLock( lock->lock );
+    PR_DELETE( lock );
+    return;
+} /* --- end  pz_DestroyLock() --- */
+
+
+
+extern PZCondVar *
+    pz_NewCondVar(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{
+    PZCondVar *cvar;
+
+    cvar = PR_NEWZAP( PZCondVar );
+    if ( NULL == cvar ) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+    } else {
+        cvar->ltype = lock->ltype; 
+        cvar->cvar = PR_NewCondVar( lock->lock );
+        if ( NULL == cvar->cvar )  {
+            PR_DELETE( cvar );
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+        }
+
+    }
+    Vtrace( NewCondVar, lock->ltype, 0, 0, cvar, line, file );
+    return( cvar );
+} /* --- end  pz_NewCondVar() --- */
+
+extern void
+    pz_DestroyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    PR_DestroyCondVar( cvar->cvar );
+    PR_DELETE( cvar );
+} /* --- end  pz_DestroyCondVar() --- */
+
+extern PRStatus
+    pz_WaitCondVar(
+        PZCondVar *cvar,
+        PRIntervalTime timeout,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_WaitCondVar( cvar->cvar, timeout );
+    callTime = PR_IntervalNow() - callTime;
+    
+    Vtrace( WaitCondVar, cvar->ltype, callTime, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_WaitCondVar() --- */
+
+extern PRStatus
+    pz_NotifyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    
+    rc = PR_NotifyCondVar( cvar->cvar );
+    
+    Vtrace( NotifyCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_NotifyCondVar() --- */
+
+extern PRStatus
+    pz_NotifyAllCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    
+    rc = PR_NotifyAllCondVar( cvar->cvar );
+    
+    Vtrace( NotifyAllCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_NotifyAllCondVar() --- */
+
+extern PZMonitor *
+    pz_NewMonitor( 
+        nssILockType ltype,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PZMonitor   *mon;
+
+    /* Self Initialize the nssILock feature */
+    if (!nssILockInitialized)  {
+        rc = PR_CallOnce( &coNssILock, nssILockInit );
+        if ( PR_FAILURE == rc ) {
+            PR_SetError( PR_UNKNOWN_ERROR, 0 );
+            return( NULL );
+        }
+    }
+
+    mon = PR_NEWZAP( PZMonitor );
+    if ( NULL != mon )  {
+        mon->ltype = ltype;
+        mon->mon = PR_NewMonitor();
+        if ( NULL == mon->mon )  {
+            PR_DELETE( mon );
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+        }
+    } else {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    Vtrace( NewMonitor, ltype, 0, 0, mon, line, file );
+    return(mon);
+} /* --- end  pz_NewMonitor() --- */
+
+extern void
+    pz_DestroyMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyMonitor, mon->ltype, 0, 0, mon, line, file );
+    PR_DestroyMonitor( mon->mon );
+    PR_DELETE( mon );
+    return;                
+} /* --- end  pz_DestroyMonitor() --- */
+
+extern void
+    pz_EnterMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRIntervalTime callTime, now;
+
+    callTime = PR_IntervalNow();
+    PR_EnterMonitor( mon->mon );
+    now = PR_IntervalNow();
+    callTime = now - callTime;
+    if ( PR_GetMonitorEntryCount(mon->mon) == 1 )  {
+        mon->time = now;
+    }
+    Vtrace( EnterMonitor, mon->ltype, callTime, 0, mon, line, file );
+    return;
+} /* --- end  pz_EnterMonitor() --- */
+
+extern PRStatus
+    pz_ExitMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime, now, heldTime;
+    PRIntn  mec = PR_GetMonitorEntryCount( mon->mon );
+   
+    heldTime = (PRIntervalTime)-1; 
+    callTime = PR_IntervalNow();
+    rc = PR_ExitMonitor( mon->mon );
+    now = PR_IntervalNow();
+    callTime = now - callTime;
+    if ( mec == 1 )
+        heldTime = now - mon->time;
+    Vtrace( ExitMonitor, mon->ltype, callTime, heldTime, mon, line, file );
+    return( rc );
+} /* --- end  pz_ExitMonitor() --- */
+
+extern PRIntn
+    pz_GetMonitorEntryCount(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    return( PR_GetMonitorEntryCount(mon->mon));
+} /* --- end pz_GetMonitorEntryCount() --- */
+
+
+extern PRStatus
+    pz_Wait(
+        PZMonitor *mon,
+        PRIntervalTime ticks,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Wait( mon->mon, ticks );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( Wait, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_Wait() --- */
+
+extern PRStatus
+    pz_Notify(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Notify( mon->mon );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( Notify, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_Notify() --- */
+
+extern PRStatus
+    pz_NotifyAll(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_NotifyAll( mon->mon );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( NotifyAll, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_NotifyAll() --- */
+
+#endif /* NEED_NSS_ILOCK */
+/* --- end nssilock.c --------------------------------- */
diff --git a/security/nss/lib/util/nssilock.h b/security/nss/lib/util/nssilock.h
new file mode 100644
index 000000000..c99abf245
--- /dev/null
+++ b/security/nss/lib/util/nssilock.h
@@ -0,0 +1,320 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** nssilock.h - Instrumented locking functions for NSS
+**
+** Description:
+**    nssilock provides instrumentation for locks and monitors in
+**    the NSS libraries. The instrumentation, when enabled, causes
+**    each call to the instrumented function to record data about
+**    the call to an external file. The external file
+**    subsequently used to extract performance data and other
+**    statistical information about the operation of locks used in
+**    the nss library.
+**     
+**    To enable compilation with instrumentation, build NSS with 
+**    the compile time switch NEED_NSS_ILOCK defined.
+**
+**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
+**
+**    At runtime, to enable recording from nssilock, one or more
+**    environment variables must be set. For each nssILockType to
+**    be recorded, an environment variable of the form NSS_ILOCK_x
+**    must be set to 1. For example:
+**
+**       set NSS_ILOCK_Cert=1
+**
+**    nssilock uses PRLOG is used to record to trace data. The
+**    PRLogModule name associated with nssilock data is: "nssilock".
+**    To enable recording of nssilock data you will need to set the
+**    environment variable NSPR_LOG_MODULES to enable
+**    recording for the nssilock log module. Similarly, you will
+**    need to set the environment variable NSPR_LOG_FILE to specify
+**    the filename to receive the recorded data. See prlog.h for usage.
+**    Example:
+**
+**        export NSPR_LOG_MODULES=nssilock:6
+**        export NSPR_LOG_FILE=xxxLogfile
+**
+** Operation:
+**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
+**    with similarly named functions: PZ_NewLock(), etc. When NSS is
+**    built with lock instrumentation enabled, the PZ* functions are
+**    compiled into NSS; when lock instrumentation is disabled,
+**    calls to PZ* functions are directly mapped to PR* functions
+**    and the instrumentation arguments to the PZ* functions are
+**    compiled away.
+**
+**
+** File Format:
+**    The format of the external file is implementation
+**    dependent. Where NSPR's PR_LOG() function is used, the file
+**    contains data defined for PR_LOG() plus the data written by
+**    the wrapped function. On some platforms and under some
+**    circumstances, platform dependent logging or
+**    instrumentation probes may be used. In any case, the
+**    relevant data provided by the lock instrumentation is:
+**    
+**      lockType, func, address, duration, line, file [heldTime]
+** 
+**    where:
+**    
+**       lockType: a character representation of nssILockType for the
+**       call. e.g. ... "cert"
+**    
+**       func: the function doing the tracing. e.g. "NewLock"
+**    
+**       address: address of the instrumented lock or monitor
+**    
+**       duration: is how long was spent in the instrumented function,
+**       in PRIntervalTime "ticks".
+**    
+**       line: the line number within the calling function
+**    
+**       file: the file from which the call was made
+**    
+**       heldTime: how long the lock/monitor was held. field
+**       present only for PZ_Unlock() and PZ_ExitMonitor().
+**    
+** Design Notes:
+**    The design for lock instrumentation was influenced by the
+**    need to gather performance data on NSS 3.x. It is intended
+**    that the effort to modify NSS to use lock instrumentation
+**    be minimized. Existing calls to locking functions need only
+**    have their names changed to the instrumentation function
+**    names.
+**    
+** Private NSS Interface:
+**    nssilock.h defines a private interface for use by NSS.
+**    nssilock.h is experimental in nature and is subject to
+**    change or revocation without notice. ... Don't mess with
+**    it.
+**    
+*/
+
+/*
+ * $Id:
+ */
+
+#ifndef _NSSILOCK_H_
+#define _NSSILOCK_H_
+
+#include "utilrename.h"
+#include "prtypes.h"
+#include "prmon.h"
+#include "prlock.h"
+#include "prcvar.h"
+
+#include "nssilckt.h"
+
+PR_BEGIN_EXTERN_C
+
+#if defined(NEED_NSS_ILOCK)
+
+#define PZ_NewLock(t) pz_NewLock((t),__FILE__,__LINE__)
+extern PZLock * 
+    pz_NewLock(
+        nssILockType ltype,
+        char *file,
+        PRIntn  line
+    );
+
+#define PZ_Lock(k)  pz_Lock((k),__FILE__,__LINE__)
+extern void
+    pz_Lock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Unlock(k) pz_Unlock((k),__FILE__,__LINE__)
+extern PRStatus
+    pz_Unlock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyLock(k) pz_DestroyLock((k),__FILE__,__LINE__)
+extern void
+    pz_DestroyLock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_NewCondVar(l)        pz_NewCondVar((l),__FILE__,__LINE__)
+extern PZCondVar *
+    pz_NewCondVar(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyCondVar(v)    pz_DestroyCondVar((v),__FILE__,__LINE__)
+extern void
+    pz_DestroyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_WaitCondVar(v,t)       pz_WaitCondVar((v),(t),__FILE__,__LINE__)
+extern PRStatus
+    pz_WaitCondVar(
+        PZCondVar *cvar,
+        PRIntervalTime timeout,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyCondVar(v)     pz_NotifyCondVar((v),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyAllCondVar(v)  pz_NotifyAllCondVar((v),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyAllCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_NewMonitor(t) pz_NewMonitor((t),__FILE__,__LINE__)
+extern PZMonitor *
+    pz_NewMonitor( 
+        nssILockType ltype,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyMonitor(m) pz_DestroyMonitor((m),__FILE__,__LINE__)
+extern void
+    pz_DestroyMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_EnterMonitor(m) pz_EnterMonitor((m),__FILE__,__LINE__)
+extern void
+    pz_EnterMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_ExitMonitor(m) pz_ExitMonitor((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_ExitMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_InMonitor(m)  (PZ_GetMonitorEntryCount(m) > 0 )
+#define PZ_GetMonitorEntryCount(m) pz_GetMonitorEntryCount((m),__FILE__,__LINE__)
+extern PRIntn
+    pz_GetMonitorEntryCount(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Wait(m,i) pz_Wait((m),((i)),__FILE__,__LINE__)
+extern PRStatus
+    pz_Wait(
+        PZMonitor *mon,
+        PRIntervalTime ticks,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Notify(m) pz_Notify((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_Notify(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyAll(m) pz_NotifyAll((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyAll(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_TraceFlush() pz_TraceFlush()
+extern void pz_TraceFlush( void );
+
+#else /* NEED_NSS_ILOCK */
+
+#define PZ_NewLock(t)           PR_NewLock()
+#define PZ_DestroyLock(k)       PR_DestroyLock((k))
+#define PZ_Lock(k)              PR_Lock((k))
+#define PZ_Unlock(k)            PR_Unlock((k))
+
+#define PZ_NewCondVar(l)        PR_NewCondVar((l))
+#define PZ_DestroyCondVar(v)    PR_DestroyCondVar((v))
+#define PZ_WaitCondVar(v,t)     PR_WaitCondVar((v),(t))
+#define PZ_NotifyCondVar(v)     PR_NotifyCondVar((v))
+#define PZ_NotifyAllCondVar(v)  PR_NotifyAllCondVar((v))
+
+#define PZ_NewMonitor(t)        PR_NewMonitor()
+#define PZ_DestroyMonitor(m)    PR_DestroyMonitor((m))
+#define PZ_EnterMonitor(m)      PR_EnterMonitor((m))
+#define PZ_ExitMonitor(m)       PR_ExitMonitor((m))
+#define PZ_InMonitor(m)         PR_InMonitor((m))
+#define PZ_Wait(m,t)            PR_Wait(((m)),((t)))
+#define PZ_Notify(m)            PR_Notify((m))
+#define PZ_NotifyAll(m)         PR_Notify((m))
+#define PZ_TraceFlush()         /* nothing */
+
+    
+#endif /* NEED_NSS_ILOCK */
+
+PR_END_EXTERN_C
+#endif /* _NSSILOCK_H_ */
diff --git a/security/nss/lib/util/nsslocks.h b/security/nss/lib/util/nsslocks.h
new file mode 100644
index 000000000..c78850ae9
--- /dev/null
+++ b/security/nss/lib/util/nsslocks.h
@@ -0,0 +1,45 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * nsslocks.h - threadsafe functions to initialize lock pointers.
+ *
+ * NOTE - The interfaces formerly in this header were private and are now all
+ *        obsolete.
+ *
+ * $Id$
+ */
+
diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c
new file mode 100644
index 000000000..c46e36617
--- /dev/null
+++ b/security/nss/lib/util/nssrwlk.c
@@ -0,0 +1,479 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nssrwlk.h"
+#include "nspr.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Reader-writer lock
+ */
+struct nssRWLockStr {
+    PZLock *        rw_lock;
+    char   *        rw_name;            /* lock name                    */
+    PRUint32        rw_rank;            /* rank of the lock             */
+    PRInt32         rw_writer_locks;    /* ==  0, if unlocked           */
+    PRInt32         rw_reader_locks;    /* ==  0, if unlocked           */
+                                        /* > 0  , # of read locks       */
+    PRUint32        rw_waiting_readers; /* number of waiting readers    */
+    PRUint32        rw_waiting_writers; /* number of waiting writers    */
+    PZCondVar *     rw_reader_waitq;    /* cvar for readers             */
+    PZCondVar *     rw_writer_waitq;    /* cvar for writers             */
+    PRThread  *     rw_owner;           /* lock owner for write-lock    */
+                                        /* Non-null if write lock held. */
+};
+
+PR_END_EXTERN_C
+
+#include <string.h>
+
+#ifdef DEBUG_RANK_ORDER
+#define NSS_RWLOCK_RANK_ORDER_DEBUG /* enable deadlock detection using
+                                       rank-order for locks
+                                    */
+#endif
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+static PRUintn  nss_thread_rwlock_initialized;
+static PRUintn  nss_thread_rwlock;               /* TPD key for lock stack */
+static PRUintn  nss_thread_rwlock_alloc_failed;
+
+#define _NSS_RWLOCK_RANK_ORDER_LIMIT 10
+
+typedef struct thread_rwlock_stack {
+    PRInt32     trs_index;                                  /* top of stack */
+    NSSRWLock    *trs_stack[_NSS_RWLOCK_RANK_ORDER_LIMIT];  /* stack of lock
+                                                               pointers */
+} thread_rwlock_stack;
+
+/* forward static declarations. */
+static PRUint32 nssRWLock_GetThreadRank(PRThread *me);
+static void     nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock);
+static void     nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock);
+static void     nssRWLock_ReleaseLockStack(void *lock_stack);
+
+#endif
+
+#define UNTIL(x) while(!(x))
+
+/*
+ * Reader/Writer Locks
+ */
+
+/*
+ * NSSRWLock_New
+ *      Create a reader-writer lock, with the given lock rank and lock name
+ *
+ */
+
+NSSRWLock *
+NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
+{
+    NSSRWLock *rwlock;
+
+    rwlock = PR_NEWZAP(NSSRWLock);
+    if (rwlock == NULL)
+        return NULL;
+
+    rwlock->rw_lock = PZ_NewLock(nssILockRWLock);
+    if (rwlock->rw_lock == NULL) {
+	goto loser;
+    }
+    rwlock->rw_reader_waitq = PZ_NewCondVar(rwlock->rw_lock);
+    if (rwlock->rw_reader_waitq == NULL) {
+	goto loser;
+    }
+    rwlock->rw_writer_waitq = PZ_NewCondVar(rwlock->rw_lock);
+    if (rwlock->rw_writer_waitq == NULL) {
+	goto loser;
+    }
+    if (lock_name != NULL) {
+        rwlock->rw_name = (char*) PR_Malloc(strlen(lock_name) + 1);
+        if (rwlock->rw_name == NULL) {
+	    goto loser;
+        }
+        strcpy(rwlock->rw_name, lock_name);
+    } else {
+        rwlock->rw_name = NULL;
+    }
+    rwlock->rw_rank            = lock_rank;
+    rwlock->rw_waiting_readers = 0;
+    rwlock->rw_waiting_writers = 0;
+    rwlock->rw_reader_locks    = 0;
+    rwlock->rw_writer_locks    = 0;
+
+    return rwlock;
+
+loser:
+    NSSRWLock_Destroy(rwlock);
+    return(NULL);
+}
+
+/*
+** Destroy the given RWLock "lock".
+*/
+void
+NSSRWLock_Destroy(NSSRWLock *rwlock)
+{
+    PR_ASSERT(rwlock != NULL);
+    PR_ASSERT(rwlock->rw_waiting_readers == 0);
+
+    /* XXX Shouldn't we lock the PZLock before destroying this?? */
+
+    if (rwlock->rw_name)
+    	PR_Free(rwlock->rw_name);
+    if (rwlock->rw_reader_waitq)
+    	PZ_DestroyCondVar(rwlock->rw_reader_waitq);
+    if (rwlock->rw_writer_waitq)
+	PZ_DestroyCondVar(rwlock->rw_writer_waitq);
+    if (rwlock->rw_lock)
+	PZ_DestroyLock(rwlock->rw_lock);
+    PR_DELETE(rwlock);
+}
+
+/*
+** Read-lock the RWLock.
+*/
+void
+NSSRWLock_LockRead(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+    /*
+     * assert that rank ordering is not violated; the rank of 'rwlock' should
+     * be equal to or greater than the highest rank of all the locks held by
+     * the thread.
+     */
+    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
+              (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
+#endif
+    /*
+     * wait if write-locked or if a writer is waiting; preference for writers
+     */
+    UNTIL ( (rwlock->rw_owner == me) ||		  /* I own it, or        */
+	   ((rwlock->rw_owner == NULL) &&	  /* no-one owns it, and */
+	    (rwlock->rw_waiting_writers == 0))) { /* no-one is waiting to own */
+
+	rwlock->rw_waiting_readers++;
+	PZ_WaitCondVar(rwlock->rw_reader_waitq, PR_INTERVAL_NO_TIMEOUT);
+	rwlock->rw_waiting_readers--;
+    }
+    rwlock->rw_reader_locks++; 		/* Increment read-lock count */
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    nssRWLock_SetThreadRank(me, rwlock);/* update thread's lock rank */
+#endif
+}
+
+/* Unlock a Read lock held on this RW lock.
+*/
+void
+NSSRWLock_UnlockRead(NSSRWLock *rwlock)
+{
+    PZ_Lock(rwlock->rw_lock);
+
+    PR_ASSERT(rwlock->rw_reader_locks > 0); /* lock must be read locked */
+
+    if ((  rwlock->rw_reader_locks  > 0)  &&	/* caller isn't screwey */
+        (--rwlock->rw_reader_locks == 0)  &&	/* not read locked any more */
+	(  rwlock->rw_owner        == NULL) &&	/* not write locked */
+	(  rwlock->rw_waiting_writers > 0)) {	/* someone's waiting. */
+
+	PZ_NotifyCondVar(rwlock->rw_writer_waitq); /* wake him up. */
+    }
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_UnsetThreadRank(me, rwlock);
+#endif
+    return;
+}
+
+/*
+** Write-lock the RWLock.
+*/
+void
+NSSRWLock_LockWrite(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * assert that rank ordering is not violated; the rank of 'rwlock' should
+     * be equal to or greater than the highest rank of all the locks held by
+     * the thread.
+     */
+    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
+                    (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
+#endif
+    /*
+     * wait if read locked or write locked.
+     */
+    PR_ASSERT(rwlock->rw_reader_locks >= 0);
+    PR_ASSERT(me != NULL);
+
+    UNTIL ( (rwlock->rw_owner == me) ||           /* I own write lock, or */
+	   ((rwlock->rw_owner == NULL) &&	  /* no writer   and */
+	    (rwlock->rw_reader_locks == 0))) {    /* no readers, either. */
+
+        rwlock->rw_waiting_writers++;
+        PZ_WaitCondVar(rwlock->rw_writer_waitq, PR_INTERVAL_NO_TIMEOUT);
+        rwlock->rw_waiting_writers--;
+	PR_ASSERT(rwlock->rw_reader_locks >= 0);
+    }
+
+    PR_ASSERT(rwlock->rw_reader_locks == 0);
+    /*
+     * apply write lock
+     */
+    rwlock->rw_owner = me;
+    rwlock->rw_writer_locks++; 		/* Increment write-lock count */
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_SetThreadRank(me,rwlock);
+#endif
+}
+
+/* Unlock a Read lock held on this RW lock.
+*/
+void
+NSSRWLock_UnlockWrite(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+    PR_ASSERT(rwlock->rw_owner == me); /* lock must be write-locked by me.  */
+    PR_ASSERT(rwlock->rw_writer_locks > 0); /* lock must be write locked */
+
+    if (  rwlock->rw_owner        == me  &&	/* I own it, and            */
+          rwlock->rw_writer_locks  > 0   &&	/* I own it, and            */
+        --rwlock->rw_writer_locks == 0) {	/* I'm all done with it     */
+
+	rwlock->rw_owner = NULL;		/* I don't own it any more. */
+
+	/* Give preference to waiting writers. */
+	if (rwlock->rw_waiting_writers > 0) {
+	    if (rwlock->rw_reader_locks == 0)
+		PZ_NotifyCondVar(rwlock->rw_writer_waitq);
+	} else if (rwlock->rw_waiting_readers > 0) {
+	    PZ_NotifyAllCondVar(rwlock->rw_reader_waitq);
+	}
+    }
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_UnsetThreadRank(me, rwlock);
+#endif
+    return;
+}
+
+/* This is primarily for debugging, i.e. for inclusion in ASSERT calls. */
+PRBool
+NSSRWLock_HaveWriteLock(NSSRWLock *rwlock) {
+    PRBool ownWriteLock;
+    PRThread *me = PR_GetCurrentThread();
+
+    /* This lock call isn't really necessary.
+    ** If this thread is the owner, that fact cannot change during this call,
+    ** because this thread is in this call.
+    ** If this thread is NOT the owner, the owner could change, but it 
+    ** could not become this thread.  
+    */
+#if UNNECESSARY
+    PZ_Lock(rwlock->rw_lock);	
+#endif
+    ownWriteLock = (PRBool)(me == rwlock->rw_owner);
+#if UNNECESSARY
+    PZ_Unlock(rwlock->rw_lock);
+#endif
+    return ownWriteLock;
+}
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+/*
+ * nssRWLock_SetThreadRank
+ *      Set a thread's lock rank, which is the highest of the ranks of all
+ *      the locks held by the thread. Pointers to the locks are added to a
+ *      per-thread list, which is anchored off a thread-private data key.
+ */
+
+static void
+nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock)
+{
+    thread_rwlock_stack *lock_stack;
+    PRStatus rv;
+
+    /*
+     * allocated thread-private-data for rwlock list, if not already allocated
+     */
+    if (!nss_thread_rwlock_initialized) {
+        /*
+         * allocate tpd, only if not failed already
+         */
+        if (!nss_thread_rwlock_alloc_failed) {
+            if (PR_NewThreadPrivateIndex(&nss_thread_rwlock,
+                                        nssRWLock_ReleaseLockStack)
+                                                == PR_FAILURE) {
+                nss_thread_rwlock_alloc_failed = 1;
+                return;
+            }
+        } else
+            return;
+    }
+    /*
+     * allocate a lock stack
+     */
+    if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL) {
+        lock_stack = (thread_rwlock_stack *)
+                        PR_CALLOC(1 * sizeof(thread_rwlock_stack));
+        if (lock_stack) {
+            rv = PR_SetThreadPrivate(nss_thread_rwlock, lock_stack);
+            if (rv == PR_FAILURE) {
+                PR_DELETE(lock_stack);
+                nss_thread_rwlock_alloc_failed = 1;
+                return;
+            }
+        } else {
+            nss_thread_rwlock_alloc_failed = 1;
+            return;
+        }
+    }
+    /*
+     * add rwlock to lock stack, if limit is not exceeded
+     */
+    if (lock_stack) {
+        if (lock_stack->trs_index < _NSS_RWLOCK_RANK_ORDER_LIMIT)
+            lock_stack->trs_stack[lock_stack->trs_index++] = rwlock;
+    }
+    nss_thread_rwlock_initialized = 1;
+}
+
+static void
+nssRWLock_ReleaseLockStack(void *lock_stack)
+{
+    PR_ASSERT(lock_stack);
+    PR_DELETE(lock_stack);
+}
+
+/*
+ * nssRWLock_GetThreadRank
+ *
+ *      return thread's lock rank. If thread-private-data for the lock
+ *      stack is not allocated, return NSS_RWLOCK_RANK_NONE.
+ */
+
+static PRUint32
+nssRWLock_GetThreadRank(PRThread *me)
+{
+    thread_rwlock_stack *lock_stack;
+
+    if (nss_thread_rwlock_initialized) {
+        if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL)
+            return (NSS_RWLOCK_RANK_NONE);
+        else
+            return(lock_stack->trs_stack[lock_stack->trs_index - 1]->rw_rank);
+
+    } else
+            return (NSS_RWLOCK_RANK_NONE);
+}
+
+/*
+ * nssRWLock_UnsetThreadRank
+ *
+ *      remove the rwlock from the lock stack. Since locks may not be
+ *      unlocked in a FIFO order, the entire lock stack is searched.
+ */
+
+static void
+nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock)
+{
+    thread_rwlock_stack *lock_stack;
+    int new_index = 0, index, done = 0;
+
+    if (!nss_thread_rwlock_initialized)
+        return;
+
+    lock_stack = PR_GetThreadPrivate(nss_thread_rwlock);
+
+    PR_ASSERT(lock_stack != NULL);
+
+    index = lock_stack->trs_index - 1;
+    while (index-- >= 0) {
+        if ((lock_stack->trs_stack[index] == rwlock) && !done)  {
+            /*
+             * reset the slot for rwlock
+             */
+            lock_stack->trs_stack[index] = NULL;
+            done = 1;
+        }
+        /*
+         * search for the lowest-numbered empty slot, above which there are
+         * no non-empty slots
+         */
+        if ((lock_stack->trs_stack[index] != NULL) && !new_index)
+            new_index = index + 1;
+        if (done && new_index)
+            break;
+    }
+    /*
+     * set top of stack to highest numbered empty slot
+     */
+    lock_stack->trs_index = new_index;
+
+}
+
+#endif  /* NSS_RWLOCK_RANK_ORDER_DEBUG */
diff --git a/security/nss/lib/util/nssrwlk.h b/security/nss/lib/util/nssrwlk.h
new file mode 100644
index 000000000..914bf3a8a
--- /dev/null
+++ b/security/nss/lib/util/nssrwlk.h
@@ -0,0 +1,164 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+** File:		nsrwlock.h
+** Description:	API to basic reader-writer lock functions of NSS.
+**	These are re-entrant reader writer locks; that is,
+**	If I hold the write lock, I can ask for it and get it again.
+**	If I hold the write lock, I can also ask for and get a read lock.
+**      I can then release the locks in any order (read or write).
+**	I must release each lock type as many times as I acquired it.
+**	Otherwise, these are normal reader/writer locks.
+**
+** For deadlock detection, locks should be ranked, and no lock may be aquired
+** while I hold a lock of higher rank number.
+** If you don't want that feature, always use NSS_RWLOCK_RANK_NONE.
+** Lock name is for debugging, and is optional (may be NULL)
+**/
+
+#ifndef nssrwlk_h___
+#define nssrwlk_h___
+
+#include "utilrename.h"
+#include "prtypes.h"
+#include "nssrwlkt.h"
+
+#define	NSS_RWLOCK_RANK_NONE	0
+
+/* SEC_BEGIN_PROTOS */
+PR_BEGIN_EXTERN_C
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_New
+** DESCRIPTION:
+**  Returns a pointer to a newly created reader-writer lock object.
+** INPUTS:      Lock rank
+**		Lock name
+** OUTPUTS:     void
+** RETURN:      NSSRWLock*
+**   If the lock cannot be created because of resource constraints, NULL
+**   is returned.
+**  
+***********************************************************************/
+extern NSSRWLock* NSSRWLock_New(PRUint32 lock_rank, const char *lock_name);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_AtomicCreate
+** DESCRIPTION:
+**  Given the address of a NULL pointer to a NSSRWLock, 
+**  atomically initializes that pointer to a newly created NSSRWLock.
+**  Returns the value placed into that pointer, or NULL.
+**
+** INPUTS:      address of NSRWLock pointer
+**              Lock rank
+**		Lock name
+** OUTPUTS:     NSSRWLock*
+** RETURN:      NSSRWLock*
+**   If the lock cannot be created because of resource constraints, 
+**   the pointer will be left NULL.
+**  
+***********************************************************************/
+extern NSSRWLock *
+nssRWLock_AtomicCreate( NSSRWLock  ** prwlock, 
+			PRUint32      lock_rank, 
+			const char *  lock_name);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_Destroy
+** DESCRIPTION:
+**  Destroys a given RW lock object.
+** INPUTS:      NSSRWLock *lock - Lock to be freed.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+extern void NSSRWLock_Destroy(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_LockRead
+** DESCRIPTION:
+**  Apply a read lock (non-exclusive) on a RWLock
+** INPUTS:      NSSRWLock *lock - Lock to be read-locked.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+extern void NSSRWLock_LockRead(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_LockWrite
+** DESCRIPTION:
+**  Apply a write lock (exclusive) on a RWLock
+** INPUTS:      NSSRWLock *lock - Lock to write-locked.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+extern void NSSRWLock_LockWrite(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_UnlockRead
+** DESCRIPTION:
+**  Release a Read lock. Unlocking an unlocked lock has undefined results.
+** INPUTS:      NSSRWLock *lock - Lock to unlocked.
+** OUTPUTS:     void
+** RETURN:      void
+***********************************************************************/
+extern void NSSRWLock_UnlockRead(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_UnlockWrite
+** DESCRIPTION:
+**  Release a Write lock. Unlocking an unlocked lock has undefined results.
+** INPUTS:      NSSRWLock *lock - Lock to unlocked.
+** OUTPUTS:     void
+** RETURN:      void
+***********************************************************************/
+extern void NSSRWLock_UnlockWrite(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_HaveWriteLock
+** DESCRIPTION:
+**  Tells caller whether the current thread holds the write lock, or not.
+** INPUTS:      NSSRWLock *lock - Lock to test.
+** OUTPUTS:     void
+** RETURN:      PRBool	PR_TRUE IFF the current thread holds the write lock.
+***********************************************************************/
+
+extern PRBool NSSRWLock_HaveWriteLock(NSSRWLock *rwlock);
+
+/* SEC_END_PROTOS */
+PR_END_EXTERN_C
+
+#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/nssrwlkt.h b/security/nss/lib/util/nssrwlkt.h
new file mode 100644
index 000000000..bb98c0e3c
--- /dev/null
+++ b/security/nss/lib/util/nssrwlkt.h
@@ -0,0 +1,52 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef nssrwlkt_h___
+#define nssrwlkt_h___
+
+#include "utilrename.h"
+#include "nssilock.h"
+/*
+ * NSSRWLock --
+ *
+ *	The reader writer lock, NSSRWLock, is an opaque object to the clients
+ *	of NSS.  All routines operate on a pointer to this opaque entity.
+ */
+
+typedef struct nssRWLockStr NSSRWLock;
+
+
+#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def
new file mode 100644
index 000000000..e3b568915
--- /dev/null
+++ b/security/nss/lib/util/nssutil.def
@@ -0,0 +1,234 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Network Security Services libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Sun Microsystems, Inc.
+;+# Portions created by the Initial Developer are Copyright (C) 2007
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSSUTIL_3.12 {       # NSS Utilities 3.12 release
+;+    global:
+LIBRARY nssutil3	;-
+EXPORTS		;-
+ATOB_AsciiToData_Util;
+ATOB_ConvertAsciiToItem_Util;
+BTOA_ConvertItemToAscii_Util;
+BTOA_DataToAscii_Util;
+CERT_GenTime2FormattedAscii_Util;
+DER_AsciiToTime_Util;
+DER_DecodeTimeChoice_Util;
+DER_Encode_Util;
+DER_EncodeTimeChoice_Util;
+DER_GeneralizedDayToAscii_Util;
+DER_GeneralizedTimeToTime_Util;
+DER_GetInteger_Util;
+DER_GetUInteger;
+DER_LengthLength;
+DER_Lengths_Util;
+DER_SetUInteger;
+DER_StoreHeader;
+DER_TimeChoiceDayToAscii_Util;
+DER_TimeToGeneralizedTime_Util;
+DER_TimeToGeneralizedTimeArena_Util;
+DER_TimeToUTCTime_Util;
+DER_UTCDayToAscii_Util;
+DER_UTCTimeToAscii_Util;
+DER_UTCTimeToTime_Util;
+NSS_PutEnv_Util;
+NSSBase64_DecodeBuffer_Util;
+NSSBase64_EncodeItem_Util;
+NSSBase64Decoder_Create_Util;
+NSSBase64Decoder_Destroy_Util;
+NSSBase64Decoder_Update_Util;
+NSSBase64Encoder_Create_Util;
+NSSBase64Encoder_Destroy_Util;
+NSSBase64Encoder_Update_Util;
+NSSRWLock_Destroy_Util;
+NSSRWLock_HaveWriteLock_Util;
+NSSRWLock_LockRead_Util;
+NSSRWLock_LockWrite_Util;
+NSSRWLock_New_Util;
+NSSRWLock_UnlockRead_Util;
+NSSRWLock_UnlockWrite_Util;
+PORT_Alloc_Util;
+PORT_ArenaAlloc_Util;
+PORT_ArenaGrow_Util;
+PORT_ArenaMark_Util;
+PORT_ArenaRelease_Util;
+PORT_ArenaStrdup_Util;
+PORT_ArenaUnmark_Util;
+PORT_ArenaZAlloc_Util;
+PORT_Free_Util;
+PORT_FreeArena_Util;
+PORT_GetError_Util;
+PORT_ISO88591_UTF8Conversion;
+PORT_NewArena_Util;
+PORT_Realloc_Util;
+PORT_RegExpCaseSearch;
+PORT_RegExpValid;
+PORT_SetError_Util;
+PORT_SetUCS2_ASCIIConversionFunction_Util;
+PORT_SetUCS2_UTF8ConversionFunction_Util;
+PORT_SetUCS4_UTF8ConversionFunction_Util;
+PORT_Strdup_Util;
+PORT_UCS2_ASCIIConversion_Util;
+PORT_UCS2_UTF8Conversion_Util;
+PORT_UCS4_UTF8Conversion;
+PORT_ZAlloc_Util;
+PORT_ZFree_Util;
+SEC_ASN1Decode_Util;
+SEC_ASN1DecodeInteger_Util;
+SEC_ASN1DecodeItem_Util;
+SEC_ASN1DecoderAbort_Util;
+SEC_ASN1DecoderClearFilterProc_Util;
+SEC_ASN1DecoderClearNotifyProc_Util;
+SEC_ASN1DecoderFinish_Util;
+SEC_ASN1DecoderSetFilterProc_Util;
+SEC_ASN1DecoderSetNotifyProc_Util;
+SEC_ASN1DecoderStart_Util;
+SEC_ASN1DecoderUpdate_Util;
+SEC_ASN1Encode_Util;
+SEC_ASN1EncodeInteger_Util;
+SEC_ASN1EncodeItem_Util;
+SEC_ASN1EncoderAbort_Util;
+SEC_ASN1EncoderClearNotifyProc_Util;
+SEC_ASN1EncoderClearStreaming_Util;
+SEC_ASN1EncoderClearTakeFromBuf_Util;
+SEC_ASN1EncoderFinish_Util;
+SEC_ASN1EncoderSetNotifyProc_Util;
+SEC_ASN1EncoderSetStreaming_Util;
+SEC_ASN1EncoderSetTakeFromBuf_Util;
+SEC_ASN1EncoderStart_Util;
+SEC_ASN1EncoderUpdate_Util;
+SEC_ASN1EncodeUnsignedInteger_Util;
+SEC_ASN1LengthLength_Util;
+SEC_QuickDERDecodeItem_Util;
+SEC_StringToOID;
+SECITEM_AllocItem_Util;
+SECITEM_ArenaDupItem_Util;
+SECITEM_CompareItem_Util;
+SECITEM_CopyItem_Util;
+SECITEM_DupItem_Util;
+SECITEM_FreeItem_Util;
+SECITEM_Hash;
+SECITEM_HashCompare;
+SECITEM_ItemsAreEqual_Util;
+SECITEM_ZfreeItem_Util;
+SECOID_AddEntry_Util;
+SECOID_CompareAlgorithmID_Util;
+SECOID_CopyAlgorithmID_Util;
+SECOID_DestroyAlgorithmID_Util;
+SECOID_FindOID_Util;
+SECOID_FindOIDByMechanism;
+SECOID_FindOIDByTag_Util;
+SECOID_FindOIDTag_Util;
+SECOID_FindOIDTagDescription_Util;
+SECOID_GetAlgorithmTag_Util;
+SECOID_Init;
+SECOID_KnownCertExtenOID;
+SECOID_SetAlgorithmID_Util;
+SECOID_Shutdown;
+SGN_CompareDigestInfo_Util;
+SGN_CopyDigestInfo_Util;
+SGN_CreateDigestInfo_Util;
+SGN_DecodeDigestInfo;
+SGN_DestroyDigestInfo_Util;
+;+#
+;+# Data objects
+;+#
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;+# Use the SEC_ASN1_GET / SEC_ASN1_SUB / SEC_ASN1_XTRN macros to access them.
+;;SEC_AnyTemplate_Util DATA ;
+;;SEC_BitStringTemplate_Util DATA ;
+;;SEC_BMPStringTemplate_Util DATA ;
+;;SEC_BooleanTemplate_Util DATA ;
+;;SEC_EnumeratedTemplate DATA ;
+;;SEC_GeneralizedTimeTemplate_Util DATA ;
+;;SEC_IA5StringTemplate_Util DATA ;
+;;SEC_IntegerTemplate_Util DATA ;
+;;SEC_NullTemplate_Util DATA ;
+;;SEC_ObjectIDTemplate_Util DATA ;
+;;SEC_OctetStringTemplate_Util DATA ;
+;;SEC_PointerToAnyTemplate_Util DATA ;
+;;SEC_PointerToEnumeratedTemplate DATA ;
+;;SEC_PointerToGeneralizedTimeTemplate DATA ;
+;;SEC_PointerToOctetStringTemplate_Util DATA ;
+;;SEC_PrintableStringTemplate DATA ;
+;;SEC_SequenceOfAnyTemplate DATA ;
+;;SEC_SequenceOfObjectIDTemplate DATA ;
+;;SEC_SetOfAnyTemplate_Util DATA ;
+;;SEC_SkipTemplate DATA ;
+;;SEC_T61StringTemplate DATA ;
+;;SEC_UniversalStringTemplate DATA ;
+;;SEC_UTF8StringTemplate_Util DATA ;
+;;SECOID_AlgorithmIDTemplate_Util DATA ;
+;;sgn_DigestInfoTemplate_Util DATA ;
+NSS_Get_SEC_AnyTemplate_Util;
+NSS_Get_SEC_BitStringTemplate_Util;
+NSS_Get_SEC_BMPStringTemplate_Util;
+NSS_Get_SEC_BooleanTemplate_Util;
+NSS_Get_SEC_EnumeratedTemplate;
+NSS_Get_SEC_GeneralizedTimeTemplate_Util;
+NSS_Get_SEC_IA5StringTemplate_Util;
+NSS_Get_SEC_IntegerTemplate_Util;
+NSS_Get_SEC_NullTemplate_Util;
+NSS_Get_SEC_ObjectIDTemplate_Util;
+NSS_Get_SEC_OctetStringTemplate_Util;
+NSS_Get_SEC_PointerToAnyTemplate_Util;
+NSS_Get_SEC_PointerToEnumeratedTemplate;
+NSS_Get_SEC_PointerToGeneralizedTimeTemplate;
+NSS_Get_SEC_PointerToOctetStringTemplate_Util;
+NSS_Get_SEC_PrintableStringTemplate;
+NSS_Get_SEC_SequenceOfAnyTemplate;
+NSS_Get_SEC_SequenceOfObjectIDTemplate;
+NSS_Get_SEC_SetOfAnyTemplate_Util;
+NSS_Get_SEC_SkipTemplate;
+NSS_Get_SEC_T61StringTemplate;
+NSS_Get_SEC_UniversalStringTemplate;
+NSS_Get_SEC_UTF8StringTemplate_Util;
+NSS_Get_SECOID_AlgorithmIDTemplate_Util;
+NSS_Get_sgn_DigestInfoTemplate_Util;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/util/nssutil.rc b/security/nss/lib/util/nssutil.rc
new file mode 100644
index 000000000..46a285cc5
--- /dev/null
+++ b/security/nss/lib/util/nssutil.rc
@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nssutil"
+#define MY_FILEDESCRIPTION "NSS Utility Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/util/oidstring.c b/security/nss/lib/util/oidstring.c
new file mode 100644
index 000000000..c7ad090cc
--- /dev/null
+++ b/security/nss/lib/util/oidstring.c
@@ -0,0 +1,145 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services.
+ *
+ * The Initial Developer of the Original Code is Nelson B Bolyard
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include <string.h>
+#include "secitem.h"
+#include "secport.h"
+#include "secerr.h"
+
+/* if to->data is not NULL, and to->len is large enough to hold the result,
+ * then the resultant OID will be copyed into to->data, and to->len will be
+ * changed to show the actual OID length.
+ * Otherwise, memory for the OID will be allocated (from the caller's 
+ * PLArenaPool, if pool is non-NULL) and to->data will receive the address
+ * of the allocated data, and to->len will receive the OID length.
+ * The original value of to->data is not freed when a new buffer is allocated.
+ * 
+ * The input string may begin with "OID." and this still be ignored.
+ * The length of the input string is given in len.  If len == 0, then 
+ * len will be computed as strlen(from), meaning it must be NUL terminated.
+ * It is an error if from == NULL, or if *from == '\0'.
+ */
+
+SECStatus
+SEC_StringToOID(PLArenaPool *pool, SECItem *to, const char *from, PRUint32 len)
+{
+    PRUint32 decimal_numbers = 0;
+    PRUint32 result_bytes = 0;
+    SECStatus rv;
+    PRUint8 result[1024];
+
+    static const PRUint32 max_decimal = (0xffffffff / 10);
+    static const char OIDstring[] = {"OID."};
+
+    if (!from || !to) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!len) {
+    	len = PL_strlen(from);
+    }
+    if (len >= 4 && !PL_strncasecmp(from, OIDstring, 4)) {
+    	from += 4; /* skip leading "OID." if present */
+	len  -= 4;
+    }
+    if (!len) {
+bad_data:
+    	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return SECFailure;
+    }
+    do {
+	PRUint32 decimal = 0;
+        while (len > 0 && isdigit(*from)) {
+	    PRUint32 addend = (*from++ - '0');
+	    --len;
+	    if (decimal > max_decimal)  /* overflow */
+		goto bad_data;
+	    decimal = (decimal * 10) + addend;
+	    if (decimal < addend)	/* overflow */
+		goto bad_data;
+	}
+	if (len != 0 && *from != '.') {
+	    goto bad_data;
+	}
+	if (decimal_numbers == 0) {
+	    if (decimal > 2)
+	    	goto bad_data;
+	    result[0] = decimal * 40;
+	    result_bytes = 1;
+	} else if (decimal_numbers == 1) {
+	    if (decimal > 40)
+	    	goto bad_data;
+	    result[0] += decimal;
+	} else {
+	    /* encode the decimal number,  */
+	    PRUint8 * rp;
+	    PRUint32 num_bytes = 0;
+	    PRUint32 tmp = decimal;
+	    while (tmp) {
+	        num_bytes++;
+		tmp >>= 7;
+	    }
+	    if (!num_bytes )
+	    	++num_bytes;  /* use one byte for a zero value */
+	    if (num_bytes + result_bytes > sizeof result)
+	    	goto bad_data;
+	    tmp = num_bytes;
+	    rp = result + result_bytes - 1;
+	    rp[tmp] = (PRUint8)(decimal & 0x7f);
+	    decimal >>= 7;
+	    while (--tmp > 0) {
+		rp[tmp] = (PRUint8)(decimal | 0x80);
+		decimal >>= 7;
+	    }
+	    result_bytes += num_bytes;
+	}
+	++decimal_numbers;
+	if (len > 0) { /* skip trailing '.' */
+	    ++from;
+	    --len;
+	}
+    } while (len > 0);
+    /* now result contains result_bytes of data */
+    if (to->data && to->len >= result_bytes) {
+    	PORT_Memcpy(to->data, result, to->len = result_bytes);
+	rv = SECSuccess;
+    } else {
+    	SECItem result_item = {siBuffer, NULL, 0 };
+	result_item.data = result;
+	result_item.len  = result_bytes;
+	rv = SECITEM_CopyItem(pool, to, &result_item);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/util/portreg.c b/security/nss/lib/util/portreg.c
new file mode 100644
index 000000000..869dab10a
--- /dev/null
+++ b/security/nss/lib/util/portreg.c
@@ -0,0 +1,321 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * 	Ken Key <key+mozilla@ksquared.net>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* 
+ * shexp.c: shell-like wildcard match routines
+ *
+ *
+ * See shexp.h for public documentation.
+ *
+ */
+
+#include "seccomon.h"
+#include "portreg.h"
+
+/* ----------------------------- shexp_valid ------------------------------ */
+
+
+static int 
+_valid_subexp(const char *exp, char stop) 
+{
+    register int x,y,t;
+    int nsc,np,tld;
+
+    x=0;nsc=0;tld=0;
+
+    while(exp[x] && (exp[x] != stop)) {
+        switch(exp[x]) {
+          case '~':
+            if(tld) return INVALID_SXP;
+            else ++tld;
+          case '*':
+          case '?':
+          case '^':
+          case '$':
+            ++nsc;
+            break;
+          case '[':
+            ++nsc;
+            if((!exp[++x]) || (exp[x] == ']'))
+                return INVALID_SXP;
+            for(++x;exp[x] && (exp[x] != ']');++x)
+                if(exp[x] == '\\')
+                    if(!exp[++x])
+                        return INVALID_SXP;
+            if(!exp[x])
+                return INVALID_SXP;
+            break;
+          case '(':
+            ++nsc;np = 0;
+            while(1) {
+                if(exp[++x] == ')')
+                    return INVALID_SXP;
+                for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y)
+                    if(exp[y] == '\\')
+                        if(!exp[++y])
+                            return INVALID_SXP;
+                if(!exp[y])
+                    return INVALID_SXP;
+                if(exp[y] == '|')
+                    ++np;
+                t = _valid_subexp(&exp[x],exp[y]);
+                if(t == INVALID_SXP)
+                    return INVALID_SXP;
+                x+=t;
+                if(exp[x] == ')') {
+                    if(!np)
+                        return INVALID_SXP;
+                    break;
+                }
+            }
+            break;
+          case ')':
+          case ']':
+            return INVALID_SXP;
+          case '\\':
+            if(!exp[++x])
+                return INVALID_SXP;
+          default:
+            break;
+        }
+        ++x;
+    }
+    if((!stop) && (!nsc))
+        return NON_SXP;
+    return ((exp[x] == stop) ? x : INVALID_SXP);
+}
+
+int 
+PORT_RegExpValid(const char *exp) 
+{
+    int x;
+
+    x = _valid_subexp(exp, '\0');
+    return (x < 0 ? x : VALID_SXP);
+}
+
+
+/* ----------------------------- shexp_match ----------------------------- */
+
+
+#define MATCH 0
+#define NOMATCH 1
+#define ABORTED -1
+
+static int _shexp_match(const char *str, const char *exp, PRBool case_insensitive);
+
+static int 
+_handle_union(const char *str, const char *exp, PRBool case_insensitive) 
+{
+    char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
+    register int t,p2,p1 = 1;
+    int cp;
+
+    while(1) {
+        for(cp=1;exp[cp] != ')';cp++)
+            if(exp[cp] == '\\')
+                ++cp;
+        for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
+            if(exp[p1] == '\\')
+                e2[p2++] = exp[p1++];
+            e2[p2] = exp[p1];
+        }
+        for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
+        if(_shexp_match(str,e2, case_insensitive) == MATCH) {
+            PORT_Free(e2);
+            return MATCH;
+        }
+        if(p1 == cp) {
+            PORT_Free(e2);
+            return NOMATCH;
+        }
+        else ++p1;
+    }
+}
+
+
+static int 
+_shexp_match(const char *str, const char *exp, PRBool case_insensitive) 
+{
+    register int x,y;
+    int ret,neg;
+
+    ret = 0;
+    for(x=0,y=0;exp[y];++y,++x) {
+        if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*'))
+            ret = ABORTED;
+        else {
+            switch(exp[y]) {
+              case '$':
+                if( (str[x]) )
+                    ret = NOMATCH;
+                else
+                    --x;             /* we don't want loop to increment x */
+                break;
+              case '*':
+                while(exp[++y] == '*'){}
+                if(!exp[y])
+                    return MATCH;
+                while(str[x]) {
+                    switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) {
+                    case NOMATCH:
+                        continue;
+                    case ABORTED:
+                        ret = ABORTED;
+                        break;
+                    default:
+                        return MATCH;
+                    }
+                    break;
+                }
+                if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
+                    return MATCH;
+                else
+                    ret = ABORTED;
+                break;
+              case '[':
+              	neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
+                if (neg)
+                    ++y;
+                
+                if ((isalnum(exp[y])) && (exp[y+1] == '-') && 
+                   (isalnum(exp[y+2])) && (exp[y+3] == ']'))
+                    {
+                        int start = exp[y], end = exp[y+2];
+                        
+                        /* no safeguards here */
+                        if(neg ^ ((str[x] < start) || (str[x] > end))) {
+                            ret = NOMATCH;
+                            break;
+                        }
+                        y+=3;
+                    }
+                else {
+                    int matched;
+                    
+                    for (matched=0;exp[y] != ']';y++)
+                        matched |= (str[x] == exp[y]);
+                    if (neg ^ (!matched))
+                        ret = NOMATCH;
+                }
+                break;
+              case '(':
+                return _handle_union(&str[x],&exp[y], case_insensitive);
+                break;
+              case '?':
+                break;
+              case '\\':
+                ++y;
+              default:
+		if(case_insensitive)
+		  {
+                    if(toupper(str[x]) != toupper(exp[y]))
+                        ret = NOMATCH;
+		  }
+		else
+		  {
+                    if(str[x] != exp[y])
+                        ret = NOMATCH;
+		  }
+                break;
+            }
+        }
+        if(ret)
+            break;
+    }
+    return (ret ? ret : (str[x] ? NOMATCH : MATCH));
+}
+
+static int 
+port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive) {
+    register int x;
+    char *exp = 0;
+
+    exp = PORT_Strdup(xp);
+
+    if(!exp)
+	return 1;
+
+    for(x=strlen(exp)-1;x;--x) {
+        if((exp[x] == '~') && (exp[x-1] != '\\')) {
+            exp[x] = '\0';
+            if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
+                goto punt;
+            break;
+        }
+    }
+    if(_shexp_match(str,exp, case_insensitive) == MATCH) {
+        PORT_Free(exp);
+        return 0;
+    }
+
+  punt:
+    PORT_Free(exp);
+    return 1;
+}
+
+
+/* ------------------------------ shexp_cmp ------------------------------- */
+
+int 
+PORT_RegExpSearch(const char *str, const char *exp)
+{
+    switch(PORT_RegExpValid(exp)) 
+	  {
+        case INVALID_SXP:
+            return -1;
+        case NON_SXP:
+            return (strcmp(exp,str) ? 1 : 0);
+        default:
+            return port_RegExpMatch(str, exp, PR_FALSE);
+      }
+}
+
+int
+PORT_RegExpCaseSearch(const char *str, const char *exp)
+{
+    switch(PORT_RegExpValid(exp))
+      {
+        case INVALID_SXP:
+            return -1;
+        case NON_SXP:
+            return (PORT_Strcasecmp(exp,str) ? 1 : 0);
+        default:
+            return port_RegExpMatch(str, exp, PR_TRUE);
+      }
+}
+
diff --git a/security/nss/lib/util/portreg.h b/security/nss/lib/util/portreg.h
new file mode 100644
index 000000000..4304acc68
--- /dev/null
+++ b/security/nss/lib/util/portreg.h
@@ -0,0 +1,97 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * shexp.h: Defines and prototypes for shell exp. match routines
+ * 
+ *
+ * This routine will match a string with a shell expression. The expressions
+ * accepted are based loosely on the expressions accepted by zsh.
+ * 
+ * o * matches anything
+ * o ? matches one character
+ * o \ will escape a special character
+ * o $ matches the end of the string
+ * o [abc] matches one occurence of a, b, or c. The only character that needs
+ *         to be escaped in this is ], all others are not special.
+ * o [a-z] matches any character between a and z
+ * o [^az] matches any character except a or z
+ * o ~ followed by another shell expression will remove any pattern
+ *     matching the shell expression from the match list
+ * o (foo|bar) will match either the substring foo, or the substring bar.
+ *             These can be shell expressions as well.
+ * 
+ * The public interface to these routines is documented below.
+ * 
+ */
+ 
+#ifndef SHEXP_H
+#define SHEXP_H
+
+#include "utilrename.h"
+/*
+ * Requires that the macro MALLOC be set to a "safe" malloc that will 
+ * exit if no memory is available. 
+ */
+
+
+/* --------------------------- Public routines ---------------------------- */
+
+
+/*
+ * shexp_valid takes a shell expression exp as input. It returns:
+ * 
+ *  NON_SXP      if exp is a standard string
+ *  INVALID_SXP  if exp is a shell expression, but invalid
+ *  VALID_SXP    if exp is a valid shell expression
+ */
+
+#define NON_SXP -1
+#define INVALID_SXP -2
+#define VALID_SXP 1
+
+SEC_BEGIN_PROTOS
+
+extern int PORT_RegExpValid(const char *exp);
+
+extern int PORT_RegExpSearch(const char *str, const char *exp);
+
+/* same as above but uses case insensitive search */
+extern int PORT_RegExpCaseSearch(const char *str, const char *exp);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
new file mode 100644
index 000000000..29a582147
--- /dev/null
+++ b/security/nss/lib/util/quickder.c
@@ -0,0 +1,912 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+    Optimized ASN.1 DER decoder
+    
+*/
+
+#include "secerr.h"
+#include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
+#include "secitem.h"
+
+/*
+ * simple definite-length ASN.1 decoder
+ */
+
+static unsigned char* definite_length_decoder(const unsigned char *buf,
+                                              const unsigned int length,
+                                              unsigned int *data_length,
+                                              PRBool includeTag)
+{
+    unsigned char tag;
+    unsigned int used_length= 0;
+    unsigned int data_len;
+
+    if (used_length >= length)
+    {
+        return NULL;
+    }
+    tag = buf[used_length++];
+
+    /* blow out when we come to the end */
+    if (tag == 0)
+    {
+        return NULL;
+    }
+
+    if (used_length >= length)
+    {
+        return NULL;
+    }
+    data_len = buf[used_length++];
+
+    if (data_len&0x80)
+    {
+        int  len_count = data_len & 0x7f;
+
+        data_len = 0;
+
+        while (len_count-- > 0)
+        {
+            if (used_length >= length)
+            {
+                return NULL;
+            }
+            data_len = (data_len << 8) | buf[used_length++];
+        }
+    }
+
+    if (data_len > (length-used_length) )
+    {
+        return NULL;
+    }
+    if (includeTag) data_len += used_length;
+
+    *data_length = data_len;
+    return ((unsigned char*)buf + (includeTag ? 0 : used_length));
+}
+
+static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
+{
+    if ( (!src) || (!dest) || (!src->data) )
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (!src->len)
+    {
+        /* reaching the end of the buffer is not an error */
+        dest->data = NULL;
+        dest->len = 0;
+        return SECSuccess;
+    }
+
+    dest->data = definite_length_decoder(src->data,  src->len, &dest->len,
+        includeTag);
+    if (dest->data == NULL)
+    {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
+    }
+    src->len -= (dest->data - src->data) + dest->len;
+    src->data = dest->data + dest->len;
+    return SECSuccess;
+}
+
+/* check if the actual component's type matches the type in the template */
+
+static SECStatus MatchComponentType(const SEC_ASN1Template* templateEntry,
+                                    SECItem* item, PRBool* match, void* dest)
+{
+    unsigned long kind = 0;
+    unsigned char tag = 0;
+
+    if ( (!item) || (!templateEntry) || (!match) )
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (!item->len || !item->data)
+    {
+        *match = PR_FALSE;
+        return SECSuccess;
+    }
+
+    kind = templateEntry->kind;
+    tag = *(unsigned char*) item->data;
+
+    if ( ( (kind & SEC_ASN1_INLINE) ||
+           (kind & SEC_ASN1_POINTER) ) &&
+           (0 == (kind & SEC_ASN1_TAG_MASK) ) )
+    {
+        /* These cases are special because the template's "kind" does not
+           give us the information for the ASN.1 tag of the next item. It can
+           only be figured out from the subtemplate. */
+        if (!(kind & SEC_ASN1_OPTIONAL))
+        {
+            /* This is a required component. If there is a type mismatch,
+               the decoding of the subtemplate will fail, so assume this
+               is a match at the parent level and let it fail later. This
+               avoids a redundant check in matching cases */
+            *match = PR_TRUE;
+            return SECSuccess;
+        }
+        else
+        {
+            /* optional component. This is the hard case. Now we need to
+               look at the subtemplate to get the expected kind */
+            const SEC_ASN1Template* subTemplate = 
+                SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
+            if (!subTemplate)
+            {
+                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+                return SECFailure;
+            }
+            if ( (subTemplate->kind & SEC_ASN1_INLINE) ||
+                 (subTemplate->kind & SEC_ASN1_POINTER) )
+            {
+                /* disallow nesting SEC_ASN1_POINTER and SEC_ASN1_INLINE,
+                   otherwise you may get a false positive due to the recursion
+                   optimization above that always matches the type if the
+                   component is required . Nesting these should never be
+                   required, so that no one should miss this ability */
+                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+                return SECFailure;
+            }
+            return MatchComponentType(subTemplate, item, match,
+                                      (void*)((char*)dest + templateEntry->offset));
+        }
+    }
+
+    if (kind & SEC_ASN1_CHOICE)
+    {
+        /* we need to check the component's tag against each choice's tag */
+        /* XXX it would be nice to save the index of the choice here so that
+           DecodeChoice wouldn't have to do this again. However, due to the
+           recursivity of MatchComponentType, we don't know if we are in a
+           required or optional component, so we can't write anywhere in
+           the destination within this function */
+        unsigned choiceIndex = 1;
+        const SEC_ASN1Template* choiceEntry;
+        while ( (choiceEntry = &templateEntry[choiceIndex++]) && (choiceEntry->kind))
+        {
+            if ( (SECSuccess == MatchComponentType(choiceEntry, item, match,
+                                (void*)((char*)dest + choiceEntry->offset))) &&
+                 (PR_TRUE == *match) )
+            {
+                return SECSuccess;
+            }
+        }
+	/* no match, caller must decide if this is BAD DER, or not. */
+        *match = PR_FALSE;
+        return SECSuccess;
+    }
+
+    if (kind & SEC_ASN1_ANY)
+    {
+        /* SEC_ASN1_ANY always matches */
+        *match = PR_TRUE;
+        return SECSuccess;
+    }
+
+    if ( (0 == ((unsigned char)kind & SEC_ASN1_TAGNUM_MASK)) &&
+         (!(kind & SEC_ASN1_EXPLICIT)) &&
+         ( ( (kind & SEC_ASN1_SAVE) ||
+             (kind & SEC_ASN1_SKIP) ) &&
+           (!(kind & SEC_ASN1_OPTIONAL)) 
+         )
+       )
+    {
+        /* when saving or skipping a required component,  a type is not
+           required in the template. This is for legacy support of
+           SEC_ASN1_SAVE and SEC_ASN1_SKIP only. XXX I would like to
+           deprecate these usages and always require a type, as this
+           disables type checking, and effectively forbids us from
+           transparently ignoring optional components we aren't aware of */
+        *match = PR_TRUE;
+        return SECSuccess;
+    }
+
+    /* first, do a class check */
+    if ( (tag & SEC_ASN1_CLASS_MASK) !=
+         (((unsigned char)kind) & SEC_ASN1_CLASS_MASK) )
+    {
+#ifdef DEBUG
+        /* this is only to help debugging of the decoder in case of problems */
+        unsigned char tagclass = tag & SEC_ASN1_CLASS_MASK;
+        unsigned char expectedclass = (unsigned char)kind & SEC_ASN1_CLASS_MASK;
+        tagclass = tagclass;
+        expectedclass = expectedclass;
+#endif
+        *match = PR_FALSE;
+        return SECSuccess;
+    }
+
+    /* now do a tag check */
+    if ( ((unsigned char)kind & SEC_ASN1_TAGNUM_MASK) !=
+         (tag & SEC_ASN1_TAGNUM_MASK))
+    {
+        *match = PR_FALSE;
+        return SECSuccess;
+    }
+
+    /* now, do a method check. This depends on the class */
+    switch (tag & SEC_ASN1_CLASS_MASK)
+    {
+    case SEC_ASN1_UNIVERSAL:
+        /* For types of the SEC_ASN1_UNIVERSAL class, we know which must be
+           primitive or constructed based on the tag */
+        switch (tag & SEC_ASN1_TAGNUM_MASK)
+        {
+        case SEC_ASN1_SEQUENCE:
+        case SEC_ASN1_SET:
+        case SEC_ASN1_EMBEDDED_PDV:
+            /* this component must be a constructed type */
+            /* XXX add any new universal constructed type here */
+            if (tag & SEC_ASN1_CONSTRUCTED)
+            {
+                *match = PR_TRUE;
+                return SECSuccess;
+            }
+            break;
+
+        default:
+            /* this component must be a primitive type */
+            if (! (tag & SEC_ASN1_CONSTRUCTED))
+            {
+                *match = PR_TRUE;
+                return SECSuccess;
+            }
+            break;
+        }
+        break;
+
+    default:
+        /* for all other classes, we check the method based on the template */
+        if ( (unsigned char)(kind & SEC_ASN1_METHOD_MASK) ==
+             (tag & SEC_ASN1_METHOD_MASK) )
+        {
+            *match = PR_TRUE;
+            return SECSuccess;
+        }
+        /* method does not match between template and component */
+        break;
+    }
+
+    *match = PR_FALSE;
+    return SECSuccess;
+}
+
+#ifdef DEBUG
+
+static SECStatus CheckSequenceTemplate(const SEC_ASN1Template* sequenceTemplate)
+{
+    SECStatus rv = SECSuccess;
+    const SEC_ASN1Template* sequenceEntry = NULL;
+    unsigned long seqIndex = 0;
+    unsigned long lastEntryIndex = 0;
+    unsigned long ambiguityIndex = 0;
+    PRBool foundAmbiguity = PR_FALSE;
+
+    do
+    {
+        sequenceEntry = &sequenceTemplate[seqIndex++];
+        if (sequenceEntry->kind)
+        {
+            /* ensure that we don't have an optional component of SEC_ASN1_ANY
+               in the middle of the sequence, since we could not handle it */
+            /* XXX this function needs to dig into the subtemplates to find
+               the next tag */
+            if ( (PR_FALSE == foundAmbiguity) &&
+                 (sequenceEntry->kind & SEC_ASN1_OPTIONAL) &&
+                 (sequenceEntry->kind & SEC_ASN1_ANY) )
+            {
+                foundAmbiguity = PR_TRUE;
+                ambiguityIndex = seqIndex - 1;
+            }
+        }
+    } while (sequenceEntry->kind);
+
+    lastEntryIndex = seqIndex - 2;
+
+    if (PR_FALSE != foundAmbiguity)
+    {
+        if (ambiguityIndex < lastEntryIndex)
+        {
+            /* ambiguity can only be tolerated on the last entry */
+            PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+            rv = SECFailure;
+        }
+    }
+
+    /* XXX also enforce ASN.1 requirement that tags be
+       distinct for consecutive optional components */
+
+    return rv;
+}
+
+#endif
+
+static SECStatus DecodeItem(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena, PRBool checkTag);
+
+static SECStatus DecodeSequence(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena)
+{
+    SECStatus rv = SECSuccess;
+    SECItem source;
+    SECItem sequence;
+    const SEC_ASN1Template* sequenceTemplate = &(templateEntry[1]);
+    const SEC_ASN1Template* sequenceEntry = NULL;
+    unsigned long seqindex = 0;
+
+#ifdef DEBUG
+    /* for a sequence, we need to validate the template. */
+    rv = CheckSequenceTemplate(sequenceTemplate);
+#endif
+
+    source = *src;
+
+    /* get the sequence */
+    if (SECSuccess == rv)
+    {
+        rv = GetItem(&source, &sequence, PR_FALSE);
+    }
+
+    /* process it */
+    if (SECSuccess == rv)
+    do
+    {
+        sequenceEntry = &sequenceTemplate[seqindex++];
+        if ( (sequenceEntry && sequenceEntry->kind) &&
+             (sequenceEntry->kind != SEC_ASN1_SKIP_REST) )
+        {
+            rv = DecodeItem(dest, sequenceEntry, &sequence, arena, PR_TRUE);
+        }
+    } while ( (SECSuccess == rv) &&
+              (sequenceEntry->kind &&
+               sequenceEntry->kind != SEC_ASN1_SKIP_REST) );
+    /* we should have consumed all the bytes in the sequence by now
+       unless the caller doesn't care about the rest of the sequence */
+    if (SECSuccess == rv && sequence.len &&
+        sequenceEntry && sequenceEntry->kind != SEC_ASN1_SKIP_REST)
+    {
+        /* it isn't 100% clear whether this is a bad DER or a bad template.
+           The problem is that logically, they don't match - there is extra
+           data in the DER that the template doesn't know about */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        rv = SECFailure;
+    }
+
+    return rv;
+}
+
+static SECStatus DecodeInline(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
+{
+    const SEC_ASN1Template* inlineTemplate = 
+        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
+    return DecodeItem((void*)((char*)dest + templateEntry->offset),
+                            inlineTemplate, src, arena, checkTag);
+}
+
+static SECStatus DecodePointer(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
+{
+    const SEC_ASN1Template* ptrTemplate = 
+        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
+    void* subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size);
+    *(void**)((char*)dest + templateEntry->offset) = subdata;
+    if (subdata)
+    {
+        return DecodeItem(subdata, ptrTemplate, src, arena, checkTag);
+    }
+    else
+    {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+}
+
+static SECStatus DecodeImplicit(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena)
+{
+    if (templateEntry->kind & SEC_ASN1_POINTER)
+    {
+        return DecodePointer((void*)((char*)dest ),
+                             templateEntry, src, arena, PR_FALSE);
+    }
+    else
+    {
+        return DecodeInline((void*)((char*)dest ),
+                             templateEntry, src, arena, PR_FALSE);
+    }
+}
+
+static SECStatus DecodeChoice(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena)
+{
+    SECStatus rv = SECSuccess;
+    SECItem choice;
+    const SEC_ASN1Template* choiceTemplate = &(templateEntry[1]);
+    const SEC_ASN1Template* choiceEntry = NULL;
+    unsigned long choiceindex = 0;
+
+    /* XXX for a choice component, we should validate the template to make
+       sure the tags are distinct, in debug builds. This hasn't been
+       implemented yet */
+    /* rv = CheckChoiceTemplate(sequenceTemplate); */
+
+    /* process it */
+    do
+    {
+        choice = *src;
+        choiceEntry = &choiceTemplate[choiceindex++];
+        if (choiceEntry->kind)
+        {
+            rv = DecodeItem(dest, choiceEntry, &choice, arena, PR_TRUE);
+        }
+    } while ( (SECFailure == rv) && (choiceEntry->kind));
+
+    if (SECFailure == rv)
+    {
+        /* the component didn't match any of the choices */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+    }
+    else
+    {
+        /* set the type in the union here */
+        int *which = (int *)((char *)dest + templateEntry->offset);
+        *which = (int)choiceEntry->size;
+    }
+
+    /* we should have consumed all the bytes by now */
+    /* fail if we have not */
+    if (SECSuccess == rv && choice.len)
+    {
+        /* there is extra data that isn't listed in the template */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus DecodeGroup(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena)
+{
+    SECStatus rv = SECSuccess;
+    SECItem source;
+    SECItem group;
+    PRUint32 totalEntries = 0;
+    PRUint32 entryIndex = 0;
+    void** entries = NULL;
+
+    const SEC_ASN1Template* subTemplate =
+        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
+
+    source = *src;
+
+    /* get the group */
+    if (SECSuccess == rv)
+    {
+        rv = GetItem(&source, &group, PR_FALSE);
+    }
+
+    /* XXX we should check the subtemplate in debug builds */
+    if (SECSuccess == rv)
+    {
+        /* first, count the number of entries. Benchmarking showed that this
+           counting pass is more efficient than trying to allocate entries as
+           we read the DER, even if allocating many entries at a time
+        */
+        SECItem counter = group;
+        do
+        {
+            SECItem anitem;
+            rv = GetItem(&counter, &anitem, PR_TRUE);
+            if (SECSuccess == rv && (anitem.len) )
+            {
+                totalEntries++;
+            }
+        }  while ( (SECSuccess == rv) && (counter.len) );
+
+        if (SECSuccess == rv)
+        {
+            /* allocate room for pointer array and entries */
+            /* we want to allocate the array even if there is 0 entry */
+            entries = (void**)PORT_ArenaZAlloc(arena, sizeof(void*)*
+                                          (totalEntries + 1 ) + /* the extra one is for NULL termination */
+                                          subTemplate->size*totalEntries); 
+
+            if (entries)
+            {
+                entries[totalEntries] = NULL; /* terminate the array */
+            }
+            else
+            {
+                PORT_SetError(SEC_ERROR_NO_MEMORY);
+                rv = SECFailure;
+            }
+            if (SECSuccess == rv)
+            {
+                void* entriesData = (unsigned char*)entries + (unsigned long)(sizeof(void*)*(totalEntries + 1 ));
+                /* and fix the pointers in the array */
+                PRUint32 entriesIndex = 0;
+                for (entriesIndex = 0;entriesIndex<totalEntries;entriesIndex++)
+                {
+                    entries[entriesIndex] =
+                        (char*)entriesData + (subTemplate->size*entriesIndex);
+                }
+            }
+        }
+    }
+
+    if (SECSuccess == rv && totalEntries)
+    do
+    {
+        if (!(entryIndex<totalEntries))
+        {
+            rv = SECFailure;
+            break;
+        }
+        rv = DecodeItem(entries[entryIndex++], subTemplate, &group, arena, PR_TRUE);
+    } while ( (SECSuccess == rv) && (group.len) );
+    /* we should be at the end of the set by now */    
+    /* save the entries where requested */
+    memcpy(((char*)dest + templateEntry->offset), &entries, sizeof(void**));
+
+    return rv;
+}
+
+static SECStatus DecodeExplicit(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena)
+{
+    SECStatus rv = SECSuccess;
+    SECItem subItem;
+    SECItem constructed = *src;
+
+    rv = GetItem(&constructed, &subItem, PR_FALSE);
+
+    if (SECSuccess == rv)
+    {
+        if (templateEntry->kind & SEC_ASN1_POINTER)
+        {
+            rv = DecodePointer(dest, templateEntry, &subItem, arena, PR_TRUE);
+        }
+        else
+        {
+            rv = DecodeInline(dest, templateEntry, &subItem, arena, PR_TRUE);
+        }
+    }
+
+    return rv;
+}
+
+/* new decoder implementation. This is a recursive function */
+
+static SECStatus DecodeItem(void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
+{
+    SECStatus rv = SECSuccess;
+    SECItem temp;
+    SECItem mark;
+    PRBool pop = PR_FALSE;
+    PRBool decode = PR_TRUE;
+    PRBool save = PR_FALSE;
+    unsigned long kind;
+    PRBool match = PR_TRUE;
+    PRBool optional = PR_FALSE;
+
+    PR_ASSERT(src && dest && templateEntry && arena);
+#if 0
+    if (!src || !dest || !templateEntry || !arena)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
+    }
+#endif
+
+    if (SECSuccess == rv)
+    {
+        /* do the template validation */
+        kind = templateEntry->kind;
+        optional = (0 != (kind & SEC_ASN1_OPTIONAL));
+        if (!kind)
+        {
+            PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+            rv = SECFailure;
+        }
+    }
+
+    if (SECSuccess == rv)
+    {
+#ifdef DEBUG
+        if (kind & SEC_ASN1_DEBUG_BREAK)
+        {
+            /* when debugging the decoder or a template that fails to
+            decode, put SEC_ASN1_DEBUG in the component that gives you
+            trouble. The decoder will then get to this block and assert.
+            If you want to debug the rest of the code, you can set a
+            breakpoint and set dontassert to PR_TRUE, which will let
+            you skip over the assert and continue the debugging session
+            past it. */
+            PRBool dontassert = PR_FALSE;
+            PR_ASSERT(dontassert); /* set bkpoint here & set dontassert*/
+        }
+#endif
+
+        if ((kind & SEC_ASN1_SKIP) ||
+            (kind & SEC_ASN1_SAVE))
+        {
+            /* if skipping or saving this component, don't decode it */
+            decode = PR_FALSE;
+        }
+    
+        if (kind & (SEC_ASN1_SAVE | SEC_ASN1_OPTIONAL))
+        {
+            /* if saving this component, or if it is optional, we may not want to
+               move past it, so save the position in case we have to rewind */
+            mark = *src;
+            if (kind & SEC_ASN1_SAVE)
+            {
+                save = PR_TRUE;
+                if (0 == (kind & SEC_ASN1_SKIP))
+                {
+                    /* we will for sure have to rewind when saving this
+                       component and not skipping it. This is true for all
+                       legacy uses of SEC_ASN1_SAVE where the following entry
+                       in the template would causes the same component to be
+                       processed again */
+                    pop = PR_TRUE;
+                }
+            }
+        }
+
+        rv = GetItem(src, &temp, PR_TRUE);
+    }
+
+    if (SECSuccess == rv)
+    {
+        /* now check if the component matches what we expect in the template */
+
+        if (PR_TRUE == checkTag)
+
+        {
+            rv = MatchComponentType(templateEntry, &temp, &match, dest);
+        }
+
+        if ( (SECSuccess == rv) && (PR_TRUE != match) )
+        {
+            if (kind & SEC_ASN1_OPTIONAL)
+            {
+
+                /* the optional component is missing. This is not fatal. */
+                /* Rewind, don't decode, and don't save */
+                pop = PR_TRUE;
+                decode = PR_FALSE;
+                save = PR_FALSE;
+            }
+            else
+            {
+                /* a required component is missing. abort */
+                PORT_SetError(SEC_ERROR_BAD_DER);
+                rv = SECFailure;
+            }
+        }
+    }
+
+    if ((SECSuccess == rv) && (PR_TRUE == decode))
+    {
+        /* the order of processing here is is the tricky part */
+        /* we start with our special cases */
+        /* first, check the component class */
+        if (kind & SEC_ASN1_INLINE)
+        {
+            /* decode inline template */
+            rv = DecodeInline(dest, templateEntry, &temp , arena, PR_TRUE);
+        }
+
+        else
+        if (kind & SEC_ASN1_EXPLICIT)
+        {
+            rv = DecodeExplicit(dest, templateEntry, &temp, arena);
+        }
+        else
+        if ( (SEC_ASN1_UNIVERSAL != (kind & SEC_ASN1_CLASS_MASK)) &&
+
+              (!(kind & SEC_ASN1_EXPLICIT)))
+        {
+
+            /* decode implicitly tagged components */
+            rv = DecodeImplicit(dest, templateEntry, &temp , arena);
+        }
+        else
+        if (kind & SEC_ASN1_POINTER)
+        {
+            rv = DecodePointer(dest, templateEntry, &temp, arena, PR_TRUE);
+        }
+        else
+        if (kind & SEC_ASN1_CHOICE)
+        {
+            rv = DecodeChoice(dest, templateEntry, &temp, arena);
+        }
+        else
+        if (kind & SEC_ASN1_ANY)
+        {
+            /* catch-all ANY type, don't decode */
+            save = PR_TRUE;
+            if (kind & SEC_ASN1_INNER)
+            {
+                /* skip the tag and length */
+                SECItem newtemp = temp;
+                rv = GetItem(&newtemp, &temp, PR_FALSE);
+            }
+        }
+        else
+        if (kind & SEC_ASN1_GROUP)
+        {
+            if ( (SEC_ASN1_SEQUENCE == (kind & SEC_ASN1_TAGNUM_MASK)) ||
+                 (SEC_ASN1_SET == (kind & SEC_ASN1_TAGNUM_MASK)) )
+            {
+                rv = DecodeGroup(dest, templateEntry, &temp , arena);
+            }
+            else
+            {
+                /* a group can only be a SET OF or SEQUENCE OF */
+                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+                rv = SECFailure;
+            }
+        }
+        else
+        if (SEC_ASN1_SEQUENCE == (kind & SEC_ASN1_TAGNUM_MASK))
+        {
+            /* plain SEQUENCE */
+            rv = DecodeSequence(dest, templateEntry, &temp , arena);
+        }
+        else
+        {
+            /* handle all other types as "save" */
+            /* we should only get here for primitive universal types */
+            SECItem newtemp = temp;
+            rv = GetItem(&newtemp, &temp, PR_FALSE);
+            save = PR_TRUE;
+            if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
+            switch (kind & SEC_ASN1_TAGNUM_MASK)
+            {
+            /* special cases of primitive types */
+            case SEC_ASN1_INTEGER:
+                {
+                    /* remove leading zeroes if the caller requested siUnsignedInteger
+                       This is to allow RSA key operations to work */
+                    SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
+                    if (destItem && (siUnsignedInteger == destItem->type))
+                    {
+                        while (temp.len > 1 && temp.data[0] == 0)
+                        {              /* leading 0 */
+                            temp.data++;
+                            temp.len--;
+                        }
+                    }
+                    break;
+                }
+
+            case SEC_ASN1_BIT_STRING:
+                {
+                    /* change the length in the SECItem to be the number of bits */
+                    if (temp.len && temp.data)
+                    {
+                        temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7);
+                        temp.data = (unsigned char*)(temp.data+1);
+                    }
+                    break;
+                }
+
+            default:
+                {
+                    break;
+                }
+            }
+        }
+    }
+
+    if ((SECSuccess == rv) && (PR_TRUE == save))
+    {
+        SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
+        if (destItem)
+        {
+            /* we leave the type alone in the destination SECItem.
+               If part of the destination was allocated by the decoder, in
+               cases of POINTER, SET OF and SEQUENCE OF, then type is set to
+               siBuffer due to the use of PORT_ArenaZAlloc*/
+            destItem->data = temp.data;
+            destItem->len = temp.len;
+        }
+        else
+        {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+        }
+    }
+
+    if (PR_TRUE == pop)
+    {
+        /* we don't want to move ahead, so restore the position */
+        *src = mark;
+    }
+    return rv;
+}
+
+/* the function below is the public one */
+
+SECStatus SEC_QuickDERDecodeItem(PRArenaPool* arena, void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     const SECItem* src)
+{
+    SECStatus rv = SECSuccess;
+    SECItem newsrc;
+
+    if (!arena || !templateEntry || !src)
+    {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
+    }
+
+    if (SECSuccess == rv)
+    {
+        newsrc = *src;
+        rv = DecodeItem(dest, templateEntry, &newsrc, arena, PR_TRUE);
+        if (SECSuccess == rv && newsrc.len)
+        {
+            rv = SECFailure;
+            PORT_SetError(SEC_ERROR_EXTRA_INPUT);
+        }
+    }
+
+    return rv;
+}
+
diff --git a/security/nss/lib/util/secalgid.c b/security/nss/lib/util/secalgid.c
new file mode 100644
index 000000000..dc6c56396
--- /dev/null
+++ b/security/nss/lib/util/secalgid.c
@@ -0,0 +1,157 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secoid.h"
+#include "secder.h"	/* XXX remove this when remove the DERTemplate */
+#include "secasn1.h"
+#include "secitem.h"
+#include "secerr.h"
+
+SECOidTag
+SECOID_GetAlgorithmTag(SECAlgorithmID *id)
+{
+    if (id == NULL || id->algorithm.data == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return SECOID_FindOIDTag (&(id->algorithm));
+}
+
+SECStatus
+SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *id, SECOidTag which,
+		      SECItem *params)
+{
+    SECOidData *oiddata;
+    PRBool add_null_param;
+
+    oiddata = SECOID_FindOIDByTag(which);
+    if ( !oiddata ) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
+	return SECFailure;
+
+    switch (which) {
+      case SEC_OID_MD2:
+      case SEC_OID_MD4:
+      case SEC_OID_MD5:
+      case SEC_OID_SHA1:
+      case SEC_OID_SHA256:
+      case SEC_OID_SHA384:
+      case SEC_OID_SHA512:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+	add_null_param = PR_TRUE;
+	break;
+      default:
+	add_null_param = PR_FALSE;
+	break;
+    }
+
+    if (params) {
+	/*
+	 * I am specifically *not* enforcing the following assertion
+	 * (by following it up with an error and a return of failure)
+	 * because I do not want to introduce any change in the current
+	 * behavior.  But I do want for us to notice if the following is
+	 * ever true, because I do not think it should be so and probably
+	 * signifies an error/bug somewhere.
+	 */
+	PORT_Assert(!add_null_param || (params->len == 2
+					&& params->data[0] == SEC_ASN1_NULL
+					&& params->data[1] == 0)); 
+	if (SECITEM_CopyItem(arena, &id->parameters, params)) {
+	    return SECFailure;
+	}
+    } else {
+	/*
+	 * Again, this is not considered an error.  But if we assume
+	 * that nobody tries to set the parameters field themselves
+	 * (but always uses this routine to do that), then we should
+	 * not hit the following assertion.  Unless they forgot to zero
+	 * the structure, which could also be a bad (and wrong) thing.
+	 */
+	PORT_Assert(id->parameters.data == NULL);
+
+	if (add_null_param) {
+	    (void) SECITEM_AllocItem(arena, &id->parameters, 2);
+	    if (id->parameters.data == NULL) {
+		return SECFailure;
+	    }
+	    id->parameters.data[0] = SEC_ASN1_NULL;
+	    id->parameters.data[1] = 0;
+	}
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *to, SECAlgorithmID *from)
+{
+    SECStatus rv;
+
+    rv = SECITEM_CopyItem(arena, &to->algorithm, &from->algorithm);
+    if (rv) return rv;
+    rv = SECITEM_CopyItem(arena, &to->parameters, &from->parameters);
+    return rv;
+}
+
+void SECOID_DestroyAlgorithmID(SECAlgorithmID *algid, PRBool freeit)
+{
+    SECITEM_FreeItem(&algid->parameters, PR_FALSE);
+    SECITEM_FreeItem(&algid->algorithm, PR_FALSE);
+    if(freeit == PR_TRUE)
+        PORT_Free(algid);
+}
+
+SECComparison
+SECOID_CompareAlgorithmID(SECAlgorithmID *a, SECAlgorithmID *b)
+{
+    SECComparison rv;
+
+    rv = SECITEM_CompareItem(&a->algorithm, &b->algorithm);
+    if (rv) return rv;
+    rv = SECITEM_CompareItem(&a->parameters, &b->parameters);
+    return rv;
+}
diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h
new file mode 100644
index 000000000..bda6cdd8a
--- /dev/null
+++ b/security/nss/lib/util/secasn1.h
@@ -0,0 +1,320 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
+ * Encoding Rules).  The routines are found in and used extensively by the
+ * security library, but exported for other use.
+ *
+ * $Id$
+ */
+
+#ifndef _SECASN1_H_
+#define _SECASN1_H_
+
+#include "utilrename.h"
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secasn1t.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * XXX These function prototypes need full, explanatory comments.
+ */
+
+/*
+** Decoding.
+*/
+
+extern SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PLArenaPool *pool,
+						    void *dest,
+						    const SEC_ASN1Template *t);
+
+/* XXX char or unsigned char? */
+extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
+				       const char *buf,
+				       unsigned long len);
+
+extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
+
+/* Higher level code detected an error, abort the rest of the processing */
+extern void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error);
+
+extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1WriteProc fn,
+					 void *arg, PRBool no_store);
+
+extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
+
+extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg);
+
+extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
+
+extern SECStatus SEC_ASN1Decode(PLArenaPool *pool, void *dest,
+				const SEC_ASN1Template *t,
+				const char *buf, long len);
+
+/* Both classic ASN.1 and QuickDER have a feature that removes leading zeroes
+   out of SEC_ASN1_INTEGER if the caller sets siUnsignedInteger in the type
+   field of the target SECItem prior to calling the decoder. Otherwise, the
+   type field is ignored and untouched. For SECItem that are dynamically
+   allocated (from POINTER, SET OF, SEQUENCE OF) the decoder sets the type
+   field to siBuffer. */
+
+extern SECStatus SEC_ASN1DecodeItem(PLArenaPool *pool, void *dest,
+				    const SEC_ASN1Template *t,
+				    const SECItem *src);
+
+extern SECStatus SEC_QuickDERDecodeItem(PLArenaPool* arena, void* dest,
+                     const SEC_ASN1Template* templateEntry,
+                     const SECItem* src);
+
+/*
+** Encoding.
+*/
+
+extern SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(const void *src,
+						    const SEC_ASN1Template *t,
+						    SEC_ASN1WriteProc fn,
+						    void *output_arg);
+
+/* XXX char or unsigned char? */
+extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
+				       const char *buf,
+				       unsigned long len);
+
+extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
+
+/* Higher level code detected an error, abort the rest of the processing */
+extern void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error);
+
+extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg);
+
+extern void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx);
+
+extern void sec_ASN1EncoderSetDER(SEC_ASN1EncoderContext *cx);
+
+extern void sec_ASN1EncoderClearDER(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx);
+
+extern SECStatus SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
+				SEC_ASN1WriteProc output_proc,
+				void *output_arg);
+
+extern SECItem * SEC_ASN1EncodeItem(PLArenaPool *pool, SECItem *dest,
+				    const void *src, const SEC_ASN1Template *t);
+
+extern SECItem * SEC_ASN1EncodeInteger(PLArenaPool *pool,
+				       SECItem *dest, long value);
+
+extern SECItem * SEC_ASN1EncodeUnsignedInteger(PLArenaPool *pool,
+					       SECItem *dest,
+					       unsigned long value);
+
+extern SECStatus SEC_ASN1DecodeInteger(SECItem *src,
+				       unsigned long *value);
+
+/*
+** Utilities.
+*/
+
+/*
+ * We have a length that needs to be encoded; how many bytes will the
+ * encoding take?
+ */
+extern int SEC_ASN1LengthLength (unsigned long len);
+
+/* encode the length and return the number of bytes we encoded. Buffer
+ * must be pre allocated  */
+extern int SEC_ASN1EncodeLength(unsigned char *buf,int value);
+
+/*
+ * Find the appropriate subtemplate for the given template.
+ * This may involve calling a "chooser" function, or it may just
+ * be right there.  In either case, it is expected to *have* a
+ * subtemplate; this is asserted in debug builds (in non-debug
+ * builds, NULL will be returned).
+ *
+ * "thing" is a pointer to the structure being encoded/decoded
+ * "encoding", when true, means that we are in the process of encoding
+ *	(as opposed to in the process of decoding)
+ */
+extern const SEC_ASN1Template *
+SEC_ASN1GetSubtemplate (const SEC_ASN1Template *inTemplate, void *thing,
+			PRBool encoding);
+
+/* whether the template is for a primitive type or a choice of
+ * primitive types
+ */
+extern PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate);
+
+/************************************************************************/
+
+/*
+ * Generic Templates
+ * One for each of the simple types, plus a special one for ANY, plus:
+ *	- a pointer to each one of those
+ *	- a set of each one of those
+ *	- a sequence of each one of those
+ *
+ * Note that these are alphabetical (case insensitive); please add new
+ * ones in the appropriate place.
+ */
+
+extern const SEC_ASN1Template SEC_AnyTemplate[];
+extern const SEC_ASN1Template SEC_BitStringTemplate[];
+extern const SEC_ASN1Template SEC_BMPStringTemplate[];
+extern const SEC_ASN1Template SEC_BooleanTemplate[];
+extern const SEC_ASN1Template SEC_EnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_GeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_IA5StringTemplate[];
+extern const SEC_ASN1Template SEC_IntegerTemplate[];
+extern const SEC_ASN1Template SEC_NullTemplate[];
+extern const SEC_ASN1Template SEC_ObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_OctetStringTemplate[];
+extern const SEC_ASN1Template SEC_PrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_T61StringTemplate[];
+extern const SEC_ASN1Template SEC_UniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_UTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_UTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_VisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_PointerToAnyTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBitStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBooleanTemplate[];
+extern const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_PointerToIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToIntegerTemplate[];
+extern const SEC_ASN1Template SEC_PointerToNullTemplate[];
+extern const SEC_ASN1Template SEC_PointerToObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_PointerToOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToT61StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_SequenceOfAnyTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfNullTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_SetOfAnyTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBitStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBooleanTemplate[];
+extern const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_SetOfIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfIntegerTemplate[];
+extern const SEC_ASN1Template SEC_SetOfNullTemplate[];
+extern const SEC_ASN1Template SEC_SetOfObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_SetOfOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfT61StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
+
+/*
+ * Template for skipping a subitem; this only makes sense when decoding.
+ */
+extern const SEC_ASN1Template SEC_SkipTemplate[];
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(SEC_AnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BMPStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BooleanTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BitStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IA5StringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IntegerTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_NullTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_ObjectIDTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UTCTimeTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UTF8StringTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToAnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToOctetStringTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_EnumeratedTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToEnumeratedTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SequenceOfAnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SequenceOfObjectIDTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SkipTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UniversalStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PrintableStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_T61StringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToGeneralizedTimeTemplate)
+SEC_END_PROTOS
+#endif /* _SECASN1_H_ */
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
new file mode 100644
index 000000000..8f9364318
--- /dev/null
+++ b/security/nss/lib/util/secasn1d.c
@@ -0,0 +1,3273 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+/* #define DEBUG_ASN1D_STATES 1 */
+
+#ifdef DEBUG_ASN1D_STATES
+#include <stdio.h>
+#define PR_Assert sec_asn1d_Assert
+#endif
+
+#include "secasn1.h"
+#include "secerr.h"
+
+typedef enum {
+    beforeIdentifier,
+    duringIdentifier,
+    afterIdentifier,
+    beforeLength,
+    duringLength,
+    afterLength,
+    beforeBitString,
+    duringBitString,
+    duringConstructedString,
+    duringGroup,
+    duringLeaf,
+    duringSaveEncoding,
+    duringSequence,
+    afterConstructedString,
+    afterGroup,
+    afterExplicit,
+    afterImplicit,
+    afterInline,
+    afterPointer,
+    afterSaveEncoding,
+    beforeEndOfContents,
+    duringEndOfContents,
+    afterEndOfContents,
+    beforeChoice,
+    duringChoice,
+    afterChoice,
+    notInUse
+} sec_asn1d_parse_place;
+
+#ifdef DEBUG_ASN1D_STATES
+static const char * const place_names[] = {
+    "beforeIdentifier",
+    "duringIdentifier",
+    "afterIdentifier",
+    "beforeLength",
+    "duringLength",
+    "afterLength",
+    "beforeBitString",
+    "duringBitString",
+    "duringConstructedString",
+    "duringGroup",
+    "duringLeaf",
+    "duringSaveEncoding",
+    "duringSequence",
+    "afterConstructedString",
+    "afterGroup",
+    "afterExplicit",
+    "afterImplicit",
+    "afterInline",
+    "afterPointer",
+    "afterSaveEncoding",
+    "beforeEndOfContents",
+    "duringEndOfContents",
+    "afterEndOfContents",
+    "beforeChoice",
+    "duringChoice",
+    "afterChoice",
+    "notInUse"
+};
+
+static const char * const class_names[] = {
+    "UNIVERSAL",
+    "APPLICATION",
+    "CONTEXT_SPECIFIC",
+    "PRIVATE"
+};
+
+static const char * const method_names[] = { "PRIMITIVE", "CONSTRUCTED" };
+
+static const char * const type_names[] = {
+    "END_OF_CONTENTS",
+    "BOOLEAN",
+    "INTEGER",
+    "BIT_STRING",
+    "OCTET_STRING",
+    "NULL",
+    "OBJECT_ID",
+    "OBJECT_DESCRIPTOR",
+    "(type 08)",
+    "REAL",
+    "ENUMERATED",
+    "EMBEDDED",
+    "UTF8_STRING",
+    "(type 0d)",
+    "(type 0e)",
+    "(type 0f)",
+    "SEQUENCE",
+    "SET",
+    "NUMERIC_STRING",
+    "PRINTABLE_STRING",
+    "T61_STRING",
+    "VIDEOTEXT_STRING",
+    "IA5_STRING",
+    "UTC_TIME",
+    "GENERALIZED_TIME",
+    "GRAPHIC_STRING",
+    "VISIBLE_STRING",
+    "GENERAL_STRING",
+    "UNIVERSAL_STRING",
+    "(type 1d)",
+    "BMP_STRING",
+    "HIGH_TAG_VALUE"
+};
+
+static const char * const flag_names[] = { /* flags, right to left */
+    "OPTIONAL",
+    "EXPLICIT",
+    "ANY",
+    "INLINE",
+    "POINTER",
+    "GROUP",
+    "DYNAMIC",
+    "SKIP",
+    "INNER",
+    "SAVE",
+    "",            /* decoder ignores "MAY_STREAM", */
+    "SKIP_REST",
+    "CHOICE",
+    "NO_STREAM",
+    "DEBUG_BREAK",
+    "unknown 08",
+    "unknown 10",
+    "unknown 20",
+    "unknown 40",
+    "unknown 80"
+};
+
+static int /* bool */
+formatKind(unsigned long kind, char * buf)
+{
+    int i;
+    unsigned long k = kind & SEC_ASN1_TAGNUM_MASK;
+    unsigned long notag = kind & (SEC_ASN1_CHOICE | SEC_ASN1_POINTER |
+        SEC_ASN1_INLINE | SEC_ASN1_ANY | SEC_ASN1_SAVE);
+
+    buf[0] = 0;
+    if ((kind & SEC_ASN1_CLASS_MASK) != SEC_ASN1_UNIVERSAL) {
+        sprintf(buf, " %s", class_names[(kind & SEC_ASN1_CLASS_MASK) >> 6] );
+        buf += strlen(buf);
+    }
+    if (kind & SEC_ASN1_METHOD_MASK) {
+        sprintf(buf, " %s", method_names[1]);
+        buf += strlen(buf);
+    }
+    if ((kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL) {
+        if (k || !notag) {
+            sprintf(buf, " %s", type_names[k] );
+            if ((k == SEC_ASN1_SET || k == SEC_ASN1_SEQUENCE) &&
+                (kind & SEC_ASN1_GROUP)) {
+                buf += strlen(buf);
+                sprintf(buf, "_OF");
+            }
+        }
+    } else {
+        sprintf(buf, " [%d]", k);
+    }
+    buf += strlen(buf);
+
+    for (k = kind >> 8, i = 0; k; k >>= 1, ++i) {
+        if (k & 1) {
+            sprintf(buf, " %s", flag_names[i]);
+            buf += strlen(buf);
+        }
+    }
+    return notag != 0;
+}
+
+#endif /* DEBUG_ASN1D_STATES */
+
+typedef enum {
+    allDone,
+    decodeError,
+    keepGoing,
+    needBytes
+} sec_asn1d_parse_status;
+
+struct subitem {
+    const void *data;
+    unsigned long len;		/* only used for substrings */
+    struct subitem *next;
+};
+
+typedef struct sec_asn1d_state_struct {
+    SEC_ASN1DecoderContext *top;
+    const SEC_ASN1Template *theTemplate;
+    void *dest;
+
+    void *our_mark;	/* free on completion */
+
+    struct sec_asn1d_state_struct *parent;	/* aka prev */
+    struct sec_asn1d_state_struct *child;	/* aka next */
+
+    sec_asn1d_parse_place place;
+
+    /*
+     * XXX explain the next fields as clearly as possible...
+     */
+    unsigned char found_tag_modifiers;
+    unsigned char expect_tag_modifiers;
+    unsigned long check_tag_mask;
+    unsigned long found_tag_number;
+    unsigned long expect_tag_number;
+    unsigned long underlying_kind;
+
+    unsigned long contents_length;
+    unsigned long pending;
+    unsigned long consumed;
+
+    int depth;
+
+    /*
+     * Bit strings have their length adjusted -- the first octet of the
+     * contents contains a value between 0 and 7 which says how many bits
+     * at the end of the octets are not actually part of the bit string;
+     * when parsing bit strings we put that value here because we need it
+     * later, for adjustment of the length (when the whole string is done).
+     */
+    unsigned int bit_string_unused_bits;
+
+    /*
+     * The following are used for indefinite-length constructed strings.
+     */
+    struct subitem *subitems_head;
+    struct subitem *subitems_tail;
+
+    PRPackedBool
+	allocate,	/* when true, need to allocate the destination */
+	endofcontents,	/* this state ended up parsing end-of-contents octets */
+	explicit,	/* we are handling an explicit header */
+	indefinite,	/* the current item has indefinite-length encoding */
+	missing,	/* an optional field that was not present */
+	optional,	/* the template says this field may be omitted */
+	substring;	/* this is a substring of a constructed string */
+
+} sec_asn1d_state;
+
+#define IS_HIGH_TAG_NUMBER(n)	((n) == SEC_ASN1_HIGH_TAG_NUMBER)
+#define LAST_TAG_NUMBER_BYTE(b)	(((b) & 0x80) == 0)
+#define TAG_NUMBER_BITS		7
+#define TAG_NUMBER_MASK		0x7f
+
+#define LENGTH_IS_SHORT_FORM(b)	(((b) & 0x80) == 0)
+#define LONG_FORM_LENGTH(b)	((b) & 0x7f)
+
+#define HIGH_BITS(field,cnt)	((field) >> ((sizeof(field) * 8) - (cnt)))
+
+
+/*
+ * An "outsider" will have an opaque pointer to this, created by calling
+ * SEC_ASN1DecoderStart().  It will be passed back in to all subsequent
+ * calls to SEC_ASN1DecoderUpdate(), and when done it is passed to
+ * SEC_ASN1DecoderFinish().
+ */
+struct sec_DecoderContext_struct {
+    PRArenaPool *our_pool;		/* for our internal allocs */
+    PRArenaPool *their_pool;		/* for destination structure allocs */
+#ifdef SEC_ASN1D_FREE_ON_ERROR		/*
+					 * XXX see comment below (by same
+					 * ifdef) that explains why this
+					 * does not work (need more smarts
+					 * in order to free back to mark)
+					 */
+    /*
+     * XXX how to make their_mark work in the case where they do NOT
+     * give us a pool pointer?
+     */
+    void *their_mark;			/* free on error */
+#endif
+
+    sec_asn1d_state *current;
+    sec_asn1d_parse_status status;
+
+    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
+    void *notify_arg;			/* argument to notify_proc */
+    PRBool during_notify;		/* true during call to notify_proc */
+
+    SEC_ASN1WriteProc filter_proc;	/* pass field bytes to this  */
+    void *filter_arg;			/* argument to that function */
+    PRBool filter_only;			/* do not allocate/store fields */
+};
+
+
+/*
+ * XXX this is a fairly generic function that may belong elsewhere
+ */
+static void *
+sec_asn1d_alloc (PRArenaPool *poolp, unsigned long len)
+{
+    void *thing;
+
+    if (poolp != NULL) {
+	/*
+	 * Allocate from the pool.
+	 */
+	thing = PORT_ArenaAlloc (poolp, len);
+    } else {
+	/*
+	 * Allocate generically.
+	 */
+	thing = PORT_Alloc (len);
+    }
+
+    return thing;
+}
+
+
+/*
+ * XXX this is a fairly generic function that may belong elsewhere
+ */
+static void *
+sec_asn1d_zalloc (PRArenaPool *poolp, unsigned long len)
+{
+    void *thing;
+
+    thing = sec_asn1d_alloc (poolp, len);
+    if (thing != NULL)
+	PORT_Memset (thing, 0, len);
+    return thing;
+}
+
+
+static sec_asn1d_state *
+sec_asn1d_push_state (SEC_ASN1DecoderContext *cx,
+		      const SEC_ASN1Template *theTemplate,
+		      void *dest, PRBool new_depth)
+{
+    sec_asn1d_state *state, *new_state;
+
+    state = cx->current;
+
+    PORT_Assert (state == NULL || state->child == NULL);
+
+    if (state != NULL) {
+	PORT_Assert (state->our_mark == NULL);
+	state->our_mark = PORT_ArenaMark (cx->our_pool);
+    }
+
+    new_state = (sec_asn1d_state*)sec_asn1d_zalloc (cx->our_pool, 
+						    sizeof(*new_state));
+    if (new_state == NULL) {
+	goto loser;
+    }
+
+    new_state->top         = cx;
+    new_state->parent      = state;
+    new_state->theTemplate = theTemplate;
+    new_state->place       = notInUse;
+    if (dest != NULL)
+	new_state->dest = (char *)dest + theTemplate->offset;
+
+    if (state != NULL) {
+	new_state->depth = state->depth;
+	if (new_depth) {
+	    if (++new_state->depth > SEC_ASN1D_MAX_DEPTH) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		goto loser;
+	    }
+	}
+	state->child = new_state;
+    }
+
+    cx->current = new_state;
+    return new_state;
+
+loser:
+    cx->status = decodeError;
+    if (state != NULL) {
+	PORT_ArenaRelease(cx->our_pool, state->our_mark);
+	state->our_mark = NULL;
+    }
+    return NULL;
+}
+
+
+static void
+sec_asn1d_scrub_state (sec_asn1d_state *state)
+{
+    /*
+     * Some default "scrubbing".
+     * XXX right set of initializations?
+     */
+    state->place = beforeIdentifier;
+    state->endofcontents = PR_FALSE;
+    state->indefinite = PR_FALSE;
+    state->missing = PR_FALSE;
+    PORT_Assert (state->consumed == 0);
+}
+
+
+static void
+sec_asn1d_notify_before (SEC_ASN1DecoderContext *cx, void *dest, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, dest, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static void
+sec_asn1d_notify_after (SEC_ASN1DecoderContext *cx, void *dest, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, dest, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static sec_asn1d_state *
+sec_asn1d_init_state_based_on_template (sec_asn1d_state *state)
+{
+    PRBool explicit, optional, universal;
+    unsigned char expect_tag_modifiers;
+    unsigned long encode_kind, under_kind;
+    unsigned long check_tag_mask, expect_tag_number;
+
+
+    /* XXX Check that both of these tests are really needed/appropriate. */
+    if (state == NULL || state->top->status == decodeError)
+	return state;
+
+    encode_kind = state->theTemplate->kind;
+
+    if (encode_kind & SEC_ASN1_SAVE) {
+	/*
+	 * This is a "magic" field that saves away all bytes, allowing
+	 * the immediately following field to still be decoded from this
+	 * same spot -- sort of a fork.
+	 */
+	/* check that there are no extraneous bits */
+	PORT_Assert (encode_kind == SEC_ASN1_SAVE);
+	if (state->top->filter_only) {
+	    /*
+	     * If we are not storing, then we do not do the SAVE field
+	     * at all.  Just move ahead to the "real" field instead,
+	     * doing the appropriate notify calls before and after.
+	     */
+	    sec_asn1d_notify_after (state->top, state->dest, state->depth);
+	    /*
+	     * Since we are not storing, allow for our current dest value
+	     * to be NULL.  (This might not actually occur, but right now I
+	     * cannot convince myself one way or the other.)  If it is NULL,
+	     * assume that our parent dest can help us out.
+	     */
+	    if (state->dest == NULL)
+		state->dest = state->parent->dest;
+	    else
+		state->dest = (char *)state->dest - state->theTemplate->offset;
+	    state->theTemplate++;
+	    if (state->dest != NULL)
+		state->dest = (char *)state->dest + state->theTemplate->offset;
+	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
+	    encode_kind = state->theTemplate->kind;
+	    PORT_Assert ((encode_kind & SEC_ASN1_SAVE) == 0);
+	} else {
+	    sec_asn1d_scrub_state (state);
+	    state->place = duringSaveEncoding;
+	    state = sec_asn1d_push_state (state->top, SEC_AnyTemplate,
+					  state->dest, PR_FALSE);
+	    if (state != NULL)
+		state = sec_asn1d_init_state_based_on_template (state);
+	    return state;
+	}
+    }
+
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    if (encode_kind & SEC_ASN1_CHOICE) {
+#if 0	/* XXX remove? */
+      sec_asn1d_state *child = sec_asn1d_push_state(state->top, state->theTemplate, state->dest, PR_FALSE);
+      if ((sec_asn1d_state *)NULL == child) {
+        return (sec_asn1d_state *)NULL;
+      }
+
+      child->allocate = state->allocate;
+      child->place = beforeChoice;
+      return child;
+#else
+      state->place = beforeChoice;
+      return state;
+#endif
+    }
+
+    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
+							      && !explicit)) {
+	const SEC_ASN1Template *subt;
+	void *dest;
+	PRBool child_allocate;
+
+	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
+
+	sec_asn1d_scrub_state (state);
+	child_allocate = PR_FALSE;
+
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    /*
+	     * A POINTER means we need to allocate the destination for
+	     * this field.  But, since it may also be an optional field,
+	     * we defer the allocation until later; we just record that
+	     * it needs to be done.
+	     *
+	     * There are two possible scenarios here -- one is just a
+	     * plain POINTER (kind of like INLINE, except with allocation)
+	     * and the other is an implicitly-tagged POINTER.  We don't
+	     * need to do anything special here for the two cases, but
+	     * since the template definition can be tricky, we do check
+	     * that there are no extraneous bits set in encode_kind.
+	     *
+	     * XXX The same conditions which assert should set an error.
+	     */
+	    if (universal) {
+		/*
+		 * "universal" means this entry is a standalone POINTER;
+		 * there should be no other bits set in encode_kind.
+		 */
+		PORT_Assert (encode_kind == SEC_ASN1_POINTER);
+	    } else {
+		/*
+		 * If we get here we have an implicitly-tagged field
+		 * that needs to be put into a POINTER.  The subtemplate
+		 * will determine how to decode the field, but encode_kind
+		 * describes the (implicit) tag we are looking for.
+		 * The non-tag bits of encode_kind will be ignored by
+		 * the code below; none of them should be set, however,
+		 * except for the POINTER bit itself -- so check that.
+		 */
+		PORT_Assert ((encode_kind & ~SEC_ASN1_TAG_MASK)
+			     == SEC_ASN1_POINTER);
+	    }
+	    if (!state->top->filter_only)
+		child_allocate = PR_TRUE;
+	    dest = NULL;
+	    state->place = afterPointer;
+	} else {
+	    dest = state->dest;
+	    if (encode_kind & SEC_ASN1_INLINE) {
+		/* check that there are no extraneous bits */
+		PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
+		state->place = afterInline;
+	    } else {
+		state->place = afterImplicit;
+	    }
+	}
+
+	state->optional = optional;
+	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest, PR_FALSE);
+	state = sec_asn1d_push_state (state->top, subt, dest, PR_FALSE);
+	if (state == NULL)
+	    return NULL;
+
+	state->allocate = child_allocate;
+
+	if (universal) {
+	    state = sec_asn1d_init_state_based_on_template (state);
+	    if (state != NULL) {
+		/*
+		 * If this field is optional, we need to record that on
+		 * the pushed child so it won't fail if the field isn't
+		 * found.  I can't think of a way that this new state
+		 * could already have optional set (which we would wipe
+		 * out below if our local optional is not set) -- but
+		 * just to be sure, assert that it isn't set.
+		 */
+		PORT_Assert (!state->optional);
+		state->optional = optional;
+	    }
+	    return state;
+	}
+
+	under_kind = state->theTemplate->kind;
+	under_kind &= ~SEC_ASN1_MAY_STREAM;
+    } else if (explicit) {
+	/*
+	 * For explicit, we only need to match the encoding tag next,
+	 * then we will push another state to handle the entire inner
+	 * part.  In this case, there is no underlying kind which plays
+	 * any part in the determination of the outer, explicit tag.
+	 * So we just set under_kind to 0, which is not a valid tag,
+	 * and the rest of the tag matching stuff should be okay.
+	 */
+	under_kind = 0;
+    } else {
+	/*
+	 * Nothing special; the underlying kind and the given encoding
+	 * information are the same.
+	 */
+	under_kind = encode_kind;
+    }
+
+    /* XXX is this the right set of bits to test here? */
+    PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
+				| SEC_ASN1_MAY_STREAM
+				| SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
+
+    if (encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) {
+	PORT_Assert (encode_kind == under_kind);
+	if (encode_kind & SEC_ASN1_SKIP) {
+	    PORT_Assert (!optional);
+	    PORT_Assert (encode_kind == SEC_ASN1_SKIP);
+	    state->dest = NULL;
+	}
+	check_tag_mask = 0;
+	expect_tag_modifiers = 0;
+	expect_tag_number = 0;
+    } else {
+	check_tag_mask = SEC_ASN1_TAG_MASK;
+	expect_tag_modifiers = (unsigned char)encode_kind & SEC_ASN1_TAG_MASK
+				& ~SEC_ASN1_TAGNUM_MASK;
+	/*
+	 * XXX This assumes only single-octet identifiers.  To handle
+	 * the HIGH TAG form we would need to do some more work, especially
+	 * in how to specify them in the template, because right now we
+	 * do not provide a way to specify more *tag* bits in encode_kind.
+	 */
+	expect_tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
+
+	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
+	  case SEC_ASN1_SET:
+	    /*
+	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
+	     * If it ever is, remove this assert...
+	     */
+	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
+	    /* fallthru */
+	  case SEC_ASN1_SEQUENCE:
+	    expect_tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	    break;
+	  case SEC_ASN1_BIT_STRING:
+	  case SEC_ASN1_BMP_STRING:
+	  case SEC_ASN1_GENERALIZED_TIME:
+	  case SEC_ASN1_IA5_STRING:
+	  case SEC_ASN1_OCTET_STRING:
+	  case SEC_ASN1_PRINTABLE_STRING:
+	  case SEC_ASN1_T61_STRING:
+	  case SEC_ASN1_UNIVERSAL_STRING:
+	  case SEC_ASN1_UTC_TIME:
+	  case SEC_ASN1_UTF8_STRING:
+	  case SEC_ASN1_VISIBLE_STRING:
+	    check_tag_mask &= ~SEC_ASN1_CONSTRUCTED;
+	    break;
+	}
+    }
+
+    state->check_tag_mask = check_tag_mask;
+    state->expect_tag_modifiers = expect_tag_modifiers;
+    state->expect_tag_number = expect_tag_number;
+    state->underlying_kind = under_kind;
+    state->explicit = explicit;
+    state->optional = optional;
+
+    sec_asn1d_scrub_state (state);
+
+    return state;
+}
+
+static sec_asn1d_state *
+sec_asn1d_get_enclosing_construct(sec_asn1d_state *state)
+{
+    for (state = state->parent; state; state = state->parent) {
+	sec_asn1d_parse_place place = state->place;
+	if (place != afterImplicit      &&
+	    place != afterPointer       &&
+	    place != afterInline        &&
+	    place != afterSaveEncoding  &&
+	    place != duringSaveEncoding &&
+	    place != duringChoice) {
+
+            /* we've walked up the stack to a state that represents
+            ** the enclosing construct.  
+	    */
+            break;
+	}
+    }
+    return state;
+}
+
+static PRBool
+sec_asn1d_parent_allows_EOC(sec_asn1d_state *state)
+{
+    /* get state of enclosing construct. */
+    state = sec_asn1d_get_enclosing_construct(state);
+    if (state) {
+	sec_asn1d_parse_place place = state->place;
+        /* Is it one of the types that permits an unexpected EOC? */
+	int eoc_permitted = 
+	    (place == duringGroup ||
+	     place == duringConstructedString ||
+	     state->child->optional);
+	return (state->indefinite && eoc_permitted) ? PR_TRUE : PR_FALSE;
+    }
+    return PR_FALSE;
+}
+
+static unsigned long
+sec_asn1d_parse_identifier (sec_asn1d_state *state,
+			    const char *buf, unsigned long len)
+{
+    unsigned char byte;
+    unsigned char tag_number;
+
+    PORT_Assert (state->place == beforeIdentifier);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    byte = (unsigned char) *buf;
+#ifdef DEBUG_ASN1D_STATES
+    {
+        char kindBuf[256];
+        formatKind(byte, kindBuf);
+        printf("Found tag %02x %s\n", byte, kindBuf);
+    }
+#endif
+    tag_number = byte & SEC_ASN1_TAGNUM_MASK;
+
+    if (IS_HIGH_TAG_NUMBER (tag_number)) {
+	state->place = duringIdentifier;
+	state->found_tag_number = 0;
+	/*
+	 * Actually, we have no idea how many bytes are pending, but we
+	 * do know that it is at least 1.  That is all we know; we have
+	 * to look at each byte to know if there is another, etc.
+	 */
+	state->pending = 1;
+    } else {
+	if (byte == 0 && sec_asn1d_parent_allows_EOC(state)) {
+	    /*
+	     * Our parent has indefinite-length encoding, and the
+	     * entire tag found is 0, so it seems that we have hit the
+	     * end-of-contents octets.  To handle this, we just change
+	     * our state to that which expects to get the bytes of the
+	     * end-of-contents octets and let that code re-read this byte
+	     * so that our categorization of field types is correct.
+	     * After that, our parent will then deal with everything else.
+	     */
+	    state->place = duringEndOfContents;
+	    state->pending = 2;
+	    state->found_tag_number = 0;
+	    state->found_tag_modifiers = 0;
+	    /*
+	     * We might be an optional field that is, as we now find out,
+	     * missing.  Give our parent a clue that this happened.
+	     */
+	    if (state->optional)
+		state->missing = PR_TRUE;
+	    return 0;
+	}
+	state->place = afterIdentifier;
+	state->found_tag_number = tag_number;
+    }
+    state->found_tag_modifiers = byte & ~SEC_ASN1_TAGNUM_MASK;
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_identifier (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    unsigned char byte;
+    int count;
+
+    PORT_Assert (state->pending == 1);
+    PORT_Assert (state->place == duringIdentifier);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    count = 0;
+
+    while (len && state->pending) {
+	if (HIGH_BITS (state->found_tag_number, TAG_NUMBER_BITS) != 0) {
+	    /*
+	     * The given high tag number overflows our container;
+	     * just give up.  This is not likely to *ever* happen.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+
+	state->found_tag_number <<= TAG_NUMBER_BITS;
+
+	byte = (unsigned char) buf[count++];
+	state->found_tag_number |= (byte & TAG_NUMBER_MASK);
+
+	len--;
+	if (LAST_TAG_NUMBER_BYTE (byte))
+	    state->pending = 0;
+    }
+
+    if (state->pending == 0)
+	state->place = afterIdentifier;
+
+    return count;
+}
+
+
+static void
+sec_asn1d_confirm_identifier (sec_asn1d_state *state)
+{
+    PRBool match;
+
+    PORT_Assert (state->place == afterIdentifier);
+
+    match = (PRBool)(((state->found_tag_modifiers & state->check_tag_mask)
+	     == state->expect_tag_modifiers)
+	    && ((state->found_tag_number & state->check_tag_mask)
+		== state->expect_tag_number));
+    if (match) {
+	state->place = beforeLength;
+    } else {
+	if (state->optional) {
+	    state->missing = PR_TRUE;
+	    state->place = afterEndOfContents;
+	} else {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	}
+    }
+}
+
+
+static unsigned long
+sec_asn1d_parse_length (sec_asn1d_state *state,
+			const char *buf, unsigned long len)
+{
+    unsigned char byte;
+
+    PORT_Assert (state->place == beforeLength);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    /*
+     * The default/likely outcome.  It may get adjusted below.
+     */
+    state->place = afterLength;
+
+    byte = (unsigned char) *buf;
+
+    if (LENGTH_IS_SHORT_FORM (byte)) {
+	state->contents_length = byte;
+    } else {
+	state->contents_length = 0;
+	state->pending = LONG_FORM_LENGTH (byte);
+	if (state->pending == 0) {
+	    state->indefinite = PR_TRUE;
+	} else {
+	    state->place = duringLength;
+	}
+    }
+
+    /* If we're parsing an ANY, SKIP, or SAVE template, and 
+    ** the object being saved is definite length encoded and constructed, 
+    ** there's no point in decoding that construct's members.
+    ** So, just forget it's constructed and treat it as primitive.
+    ** (SAVE appears as an ANY at this point)
+    */
+    if (!state->indefinite &&
+	(state->underlying_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP))) {
+	state->found_tag_modifiers &= ~SEC_ASN1_CONSTRUCTED;
+    }
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_length (sec_asn1d_state *state,
+			     const char *buf, unsigned long len)
+{
+    int count;
+
+    PORT_Assert (state->pending > 0);
+    PORT_Assert (state->place == duringLength);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    count = 0;
+
+    while (len && state->pending) {
+	if (HIGH_BITS (state->contents_length, 9) != 0) {
+	    /*
+	     * The given full content length overflows our container;
+	     * just give up.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+
+	state->contents_length <<= 8;
+	state->contents_length |= (unsigned char) buf[count++];
+
+	len--;
+	state->pending--;
+    }
+
+    if (state->pending == 0)
+	state->place = afterLength;
+
+    return count;
+}
+
+
+static void
+sec_asn1d_prepare_for_contents (sec_asn1d_state *state)
+{
+    SECItem *item;
+    PRArenaPool *poolp;
+    unsigned long alloc_len;
+
+#ifdef DEBUG_ASN1D_STATES
+    {
+        printf("Found Length %d %s\n", state->contents_length,
+               state->indefinite ? "indefinite" : "");
+    }
+#endif
+
+    /*
+     * XXX I cannot decide if this allocation should exclude the case
+     *     where state->endofcontents is true -- figure it out!
+     */
+    if (state->allocate) {
+	void *dest;
+
+	PORT_Assert (state->dest == NULL);
+	/*
+	 * We are handling a POINTER or a member of a GROUP, and need to
+	 * allocate for the data structure.
+	 */
+	dest = sec_asn1d_zalloc (state->top->their_pool,
+				 state->theTemplate->size);
+	if (dest == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+	state->dest = (char *)dest + state->theTemplate->offset;
+
+	/*
+	 * For a member of a GROUP, our parent will later put the
+	 * pointer wherever it belongs.  But for a POINTER, we need
+	 * to record the destination now, in case notify or filter
+	 * procs need access to it -- they cannot find it otherwise,
+	 * until it is too late (for one-pass processing).
+	 */
+	if (state->parent->place == afterPointer) {
+	    void **placep;
+
+	    placep = state->parent->dest;
+	    *placep = dest;
+	}
+    }
+
+    /*
+     * Remember, length may be indefinite here!  In that case,
+     * both contents_length and pending will be zero.
+     */
+    state->pending = state->contents_length;
+
+    /* If this item has definite length encoding, and 
+    ** is enclosed by a definite length constructed type,
+    ** make sure it isn't longer than the remaining space in that 
+    ** constructed type.  
+    */
+    if (state->contents_length > 0) {
+	sec_asn1d_state *parent = sec_asn1d_get_enclosing_construct(state);
+	if (parent && !parent->indefinite && 
+	    state->consumed + state->contents_length > parent->pending) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return;
+	}
+    }
+
+    /*
+     * An EXPLICIT is nothing but an outer header, which we have
+     * already parsed and accepted.  Now we need to do the inner
+     * header and its contents.
+     */
+    if (state->explicit) {
+	state->place = afterExplicit;
+	state = sec_asn1d_push_state (state->top,
+				      SEC_ASN1GetSubtemplate(state->theTemplate,
+							     state->dest,
+							     PR_FALSE),
+				      state->dest, PR_TRUE);
+	if (state != NULL)
+	    state = sec_asn1d_init_state_based_on_template (state);
+	return;
+    }
+
+    /*
+     * For GROUP (SET OF, SEQUENCE OF), even if we know the length here
+     * we cannot tell how many items we will end up with ... so push a
+     * state that can keep track of "children" (the individual members
+     * of the group; we will allocate as we go and put them all together
+     * at the end.
+     */
+    if (state->underlying_kind & SEC_ASN1_GROUP) {
+	/* XXX If this assertion holds (should be able to confirm it via
+	 * inspection, too) then move this code into the switch statement
+	 * below under cases SET_OF and SEQUENCE_OF; it will be cleaner.
+	 */
+	PORT_Assert (state->underlying_kind == SEC_ASN1_SET_OF
+	   || state->underlying_kind == SEC_ASN1_SEQUENCE_OF
+	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
+	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
+		     );
+	if (state->contents_length != 0 || state->indefinite) {
+	    const SEC_ASN1Template *subt;
+
+	    state->place = duringGroup;
+	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest,
+					   PR_FALSE);
+	    state = sec_asn1d_push_state (state->top, subt, NULL, PR_TRUE);
+	    if (state != NULL) {
+		if (!state->top->filter_only)
+		    state->allocate = PR_TRUE;	/* XXX propogate this? */
+		/*
+		 * Do the "before" field notification for next in group.
+		 */
+		sec_asn1d_notify_before (state->top, state->dest, state->depth);
+		state = sec_asn1d_init_state_based_on_template (state);
+	    }
+	} else {
+	    /*
+	     * A group of zero; we are done.
+	     * Set state to afterGroup and let that code plant the NULL.
+	     */
+	    state->place = afterGroup;
+	}
+	return;
+    }
+
+    switch (state->underlying_kind) {
+      case SEC_ASN1_SEQUENCE:
+	/*
+	 * We need to push a child to handle the individual fields.
+	 */
+	state->place = duringSequence;
+	state = sec_asn1d_push_state (state->top, state->theTemplate + 1,
+				      state->dest, PR_TRUE);
+	if (state != NULL) {
+	    /*
+	     * Do the "before" field notification.
+	     */
+	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
+	    state = sec_asn1d_init_state_based_on_template (state);
+	}
+	break;
+
+      case SEC_ASN1_SET:	/* XXX SET is not really implemented */
+	/*
+	 * XXX A plain SET requires special handling; scanning of a
+	 * template to see where a field should go (because by definition,
+	 * they are not in any particular order, and you have to look at
+	 * each tag to disambiguate what the field is).  We may never
+	 * implement this because in practice, it seems to be unused.
+	 */
+	PORT_Assert(0);
+	PORT_SetError (SEC_ERROR_BAD_DER); /* XXX */
+	state->top->status = decodeError;
+	break;
+
+      case SEC_ASN1_NULL:
+	/*
+	 * The NULL type, by definition, is "nothing", content length of zero.
+	 * An indefinite-length encoding is not alloweed.
+	 */
+	if (state->contents_length || state->indefinite) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    break;
+	}
+	if (state->dest != NULL) {
+	    item = (SECItem *)(state->dest);
+	    item->data = NULL;
+	    item->len = 0;
+	}
+	state->place = afterEndOfContents;
+	break;
+
+      case SEC_ASN1_BMP_STRING:
+	/* Error if length is not divisable by 2 */
+	if (state->contents_length % 2) {
+	   PORT_SetError (SEC_ERROR_BAD_DER);
+	   state->top->status = decodeError;
+	   break;
+	}   
+	/* otherwise, handle as other string types */
+	goto regular_string_type;
+
+      case SEC_ASN1_UNIVERSAL_STRING:
+	/* Error if length is not divisable by 4 */
+	if (state->contents_length % 4) {
+	   PORT_SetError (SEC_ERROR_BAD_DER);
+	   state->top->status = decodeError;
+	   break;
+	}   
+	/* otherwise, handle as other string types */
+	goto regular_string_type;
+
+      case SEC_ASN1_SKIP:
+      case SEC_ASN1_ANY:
+      case SEC_ASN1_ANY_CONTENTS:
+	/*
+	 * These are not (necessarily) strings, but they need nearly
+	 * identical handling (especially when we need to deal with
+	 * constructed sub-pieces), so we pretend they are.
+	 */
+	/* fallthru */
+regular_string_type:
+      case SEC_ASN1_BIT_STRING:
+      case SEC_ASN1_IA5_STRING:
+      case SEC_ASN1_OCTET_STRING:
+      case SEC_ASN1_PRINTABLE_STRING:
+      case SEC_ASN1_T61_STRING:
+      case SEC_ASN1_UTC_TIME:
+      case SEC_ASN1_UTF8_STRING:
+      case SEC_ASN1_VISIBLE_STRING:
+	/*
+	 * We are allocating for a primitive or a constructed string.
+	 * If it is a constructed string, it may also be indefinite-length.
+	 * If it is primitive, the length can (legally) be zero.
+	 * Our first order of business is to allocate the memory for
+	 * the string, if we can (if we know the length).
+	 */
+	item = (SECItem *)(state->dest);
+
+	/*
+	 * If the item is a definite-length constructed string, then
+	 * the contents_length is actually larger than what we need
+	 * (because it also counts each intermediate header which we
+	 * will be throwing away as we go), but it is a perfectly good
+	 * upper bound that we just allocate anyway, and then concat
+	 * as we go; we end up wasting a few extra bytes but save a
+	 * whole other copy.
+	 */
+	alloc_len = state->contents_length;
+	poolp = NULL;	/* quiet compiler warnings about unused... */
+
+	if (item == NULL || state->top->filter_only) {
+	    if (item != NULL) {
+		item->data = NULL;
+		item->len = 0;
+	    }
+	    alloc_len = 0;
+	} else if (state->substring) {
+	    /*
+	     * If we are a substring of a constructed string, then we may
+	     * not have to allocate anything (because our parent, the
+	     * actual constructed string, did it for us).  If we are a
+	     * substring and we *do* have to allocate, that means our
+	     * parent is an indefinite-length, so we allocate from our pool;
+	     * later our parent will copy our string into the aggregated
+	     * whole and free our pool allocation.
+	     */
+	    if (item->data == NULL) {
+		PORT_Assert (item->len == 0);
+		poolp = state->top->our_pool;
+	    } else {
+		alloc_len = 0;
+	    }
+	} else {
+	    item->len = 0;
+	    item->data = NULL;
+	    poolp = state->top->their_pool;
+	}
+
+	if (alloc_len || ((! state->indefinite)
+			  && (state->subitems_head != NULL))) {
+	    struct subitem *subitem;
+	    int len;
+
+	    PORT_Assert (item);
+	    if (!item) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    PORT_Assert (item->len == 0 && item->data == NULL);
+	    /*
+	     * Check for and handle an ANY which has stashed aside the
+	     * header (identifier and length) bytes for us to include
+	     * in the saved contents.
+	     */
+	    if (state->subitems_head != NULL) {
+		PORT_Assert (state->underlying_kind == SEC_ASN1_ANY);
+		for (subitem = state->subitems_head;
+		     subitem != NULL; subitem = subitem->next)
+		    alloc_len += subitem->len;
+	    }
+
+	    item->data = (unsigned char*)sec_asn1d_zalloc (poolp, alloc_len);
+	    if (item->data == NULL) {
+		state->top->status = decodeError;
+		break;
+	    }
+
+	    len = 0;
+	    for (subitem = state->subitems_head;
+		 subitem != NULL; subitem = subitem->next) {
+		PORT_Memcpy (item->data + len, subitem->data, subitem->len);
+		len += subitem->len;
+	    }
+	    item->len = len;
+
+	    /*
+	     * Because we use arenas and have a mark set, we later free
+	     * everything we have allocated, so this does *not* present
+	     * a memory leak (it is just temporarily left dangling).
+	     */
+	    state->subitems_head = state->subitems_tail = NULL;
+	}
+
+	if (state->contents_length == 0 && (! state->indefinite)) {
+	    /*
+	     * A zero-length simple or constructed string; we are done.
+	     */
+	    state->place = afterEndOfContents;
+	} else if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) {
+	    const SEC_ASN1Template *sub;
+
+	    switch (state->underlying_kind) {
+	      case SEC_ASN1_ANY:
+	      case SEC_ASN1_ANY_CONTENTS:
+		sub = SEC_AnyTemplate;
+		break;
+	      case SEC_ASN1_BIT_STRING:
+		sub = SEC_BitStringTemplate;
+		break;
+	      case SEC_ASN1_BMP_STRING:
+		sub = SEC_BMPStringTemplate;
+		break;
+	      case SEC_ASN1_GENERALIZED_TIME:
+		sub = SEC_GeneralizedTimeTemplate;
+		break;
+	      case SEC_ASN1_IA5_STRING:
+		sub = SEC_IA5StringTemplate;
+		break;
+	      case SEC_ASN1_OCTET_STRING:
+		sub = SEC_OctetStringTemplate;
+		break;
+	      case SEC_ASN1_PRINTABLE_STRING:
+		sub = SEC_PrintableStringTemplate;
+		break;
+	      case SEC_ASN1_T61_STRING:
+		sub = SEC_T61StringTemplate;
+		break;
+	      case SEC_ASN1_UNIVERSAL_STRING:
+		sub = SEC_UniversalStringTemplate;
+		break;
+	      case SEC_ASN1_UTC_TIME:
+		sub = SEC_UTCTimeTemplate;
+		break;
+	      case SEC_ASN1_UTF8_STRING:
+		sub = SEC_UTF8StringTemplate;
+		break;
+	      case SEC_ASN1_VISIBLE_STRING:
+		sub = SEC_VisibleStringTemplate;
+		break;
+	      case SEC_ASN1_SKIP:
+		sub = SEC_SkipTemplate;
+		break;
+	      default:		/* redundant given outer switch cases, but */
+		PORT_Assert(0);	/* the compiler does not seem to know that, */
+		sub = NULL;	/* so just do enough to quiet it. */
+		break;
+	    }
+
+	    state->place = duringConstructedString;
+	    state = sec_asn1d_push_state (state->top, sub, item, PR_TRUE);
+	    if (state != NULL) {
+		state->substring = PR_TRUE;	/* XXX propogate? */
+		state = sec_asn1d_init_state_based_on_template (state);
+	    }
+	} else if (state->indefinite) {
+	    /*
+	     * An indefinite-length string *must* be constructed!
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	} else {
+	    /*
+	     * A non-zero-length simple string.
+	     */
+	    if (state->underlying_kind == SEC_ASN1_BIT_STRING)
+		state->place = beforeBitString;
+	    else
+		state->place = duringLeaf;
+	}
+	break;
+
+      default:
+	/*
+	 * We are allocating for a simple leaf item.
+	 */
+	if (state->contents_length) {
+	    if (state->dest != NULL) {
+		item = (SECItem *)(state->dest);
+		item->len = 0;
+		if (state->top->filter_only) {
+		    item->data = NULL;
+		} else {
+		    item->data = (unsigned char*)
+		                  sec_asn1d_zalloc (state->top->their_pool,
+						   state->contents_length);
+		    if (item->data == NULL) {
+			state->top->status = decodeError;
+			return;
+		    }
+		}
+	    }
+	    state->place = duringLeaf;
+	} else {
+	    /*
+	     * An indefinite-length or zero-length item is not allowed.
+	     * (All legal cases of such were handled above.)
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	}
+    }
+}
+
+
+static void
+sec_asn1d_free_child (sec_asn1d_state *state, PRBool error)
+{
+    if (state->child != NULL) {
+	PORT_Assert (error || state->child->consumed == 0);
+	PORT_Assert (state->our_mark != NULL);
+	PORT_ArenaZRelease (state->top->our_pool, state->our_mark);
+	if (error && state->top->their_pool == NULL) {
+	    /*
+	     * XXX We need to free anything allocated.
+             * At this point, we failed in the middle of decoding. But we
+             * can't free the data we previously allocated with PR_Malloc
+             * unless we keep track of every pointer. So instead we have a
+             * memory leak when decoding fails half-way, unless an arena is
+             * used. See bug 95311 .
+	     */
+	}
+	state->child = NULL;
+	state->our_mark = NULL;
+    } else {
+	/*
+	 * It is important that we do not leave a mark unreleased/unmarked.
+	 * But I do not think we should ever have one set in this case, only
+	 * if we had a child (handled above).  So check for that.  If this
+	 * assertion should ever get hit, then we probably need to add code
+	 * here to release back to our_mark (and then set our_mark to NULL).
+	 */
+	PORT_Assert (state->our_mark == NULL);
+    }
+    state->place = beforeEndOfContents;
+}
+
+/* We have just saved an entire encoded ASN.1 object (type) for a SAVE 
+** template, and now in the next template, we are going to decode that 
+** saved data  by calling SEC_ASN1DecoderUpdate recursively.
+** If that recursive call fails with needBytes, it is a fatal error,
+** because the encoded object should have been complete.
+** If that recursive call fails with decodeError, it will have already
+** cleaned up the state stack, so we must bail out quickly.
+**
+** These checks of the status returned by the recursive call are now
+** done in the caller of this function, immediately after it returns.
+*/
+static void
+sec_asn1d_reuse_encoding (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long consumed;
+    SECItem *item;
+    void *dest;
+
+
+    child = state->child;
+    PORT_Assert (child != NULL);
+
+    consumed = child->consumed;
+    child->consumed = 0;
+
+    item = (SECItem *)(state->dest);
+    PORT_Assert (item != NULL);
+
+    PORT_Assert (item->len == consumed);
+
+    /*
+     * Free any grandchild.
+     */
+    sec_asn1d_free_child (child, PR_FALSE);
+
+    /*
+     * Notify after the SAVE field.
+     */
+    sec_asn1d_notify_after (state->top, state->dest, state->depth);
+
+    /*
+     * Adjust to get new dest and move forward.
+     */
+    dest = (char *)state->dest - state->theTemplate->offset;
+    state->theTemplate++;
+    child->dest = (char *)dest + state->theTemplate->offset;
+    child->theTemplate = state->theTemplate;
+
+    /*
+     * Notify before the "real" field.
+     */
+    PORT_Assert (state->depth == child->depth);
+    sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+    /*
+     * This will tell DecoderUpdate to return when it is done.
+     */
+    state->place = afterSaveEncoding;
+
+    /*
+     * We already have a child; "push" it by making it current.
+     */
+    state->top->current = child;
+
+    /*
+     * And initialize it so it is ready to parse.
+     */
+    (void) sec_asn1d_init_state_based_on_template(child);
+
+    /*
+     * Now parse that out of our data.
+     */
+    if (SEC_ASN1DecoderUpdate (state->top,
+			       (char *) item->data, item->len) != SECSuccess)
+	return;
+    if (state->top->status == needBytes) {
+	return;
+    }
+
+    PORT_Assert (state->top->current == state);
+    PORT_Assert (state->child == child);
+
+    /*
+     * That should have consumed what we consumed before.
+     */
+    PORT_Assert (consumed == child->consumed);
+    child->consumed = 0;
+
+    /*
+     * Done.
+     */
+    state->consumed += consumed;
+    child->place = notInUse;
+    state->place = afterEndOfContents;
+}
+
+
+static unsigned long
+sec_asn1d_parse_leaf (sec_asn1d_state *state,
+		      const char *buf, unsigned long len)
+{
+    SECItem *item;
+    unsigned long bufLen;
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    if (state->pending < len)
+	len = state->pending;
+
+    bufLen = len;
+
+    item = (SECItem *)(state->dest);
+    if (item != NULL && item->data != NULL) {
+	/* Strip leading zeroes when target is unsigned integer */
+	if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER   */
+	    item->len == 0 &&                             /* MSB       */
+	    item->type == siUnsignedInteger)              /* unsigned  */
+	{
+	    while (len > 1 && buf[0] == 0) {              /* leading 0 */
+		buf++;
+		len--;
+	    }
+	}
+	PORT_Memcpy (item->data + item->len, buf, len);
+	item->len += len;
+    }
+    state->pending -= bufLen;
+    if (state->pending == 0)
+	state->place = beforeEndOfContents;
+
+    return bufLen;
+}
+
+
+static unsigned long
+sec_asn1d_parse_bit_string (sec_asn1d_state *state,
+			    const char *buf, unsigned long len)
+{
+    unsigned char byte;
+
+    /*PORT_Assert (state->pending > 0); */
+    PORT_Assert (state->place == beforeBitString);
+
+    if (state->pending == 0) {
+	if (state->dest != NULL) {
+	    SECItem *item = (SECItem *)(state->dest);
+	    item->data = NULL;
+	    item->len = 0;
+	    state->place = beforeEndOfContents;
+	    return 0;
+	}
+    }
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    byte = (unsigned char) *buf;
+    if (byte > 7) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	state->top->status = decodeError;
+	return 0;
+    }
+
+    state->bit_string_unused_bits = byte;
+    state->place = duringBitString;
+    state->pending -= 1;
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    PORT_Assert (state->place == duringBitString);
+    if (state->pending == 0) {
+	/* An empty bit string with some unused bits is invalid. */
+	if (state->bit_string_unused_bits) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	} else {
+	    /* An empty bit string with no unused bits is OK. */
+	    state->place = beforeEndOfContents;
+	}
+	return 0;
+    }
+
+    len = sec_asn1d_parse_leaf (state, buf, len);
+    if (state->place == beforeEndOfContents && state->dest != NULL) {
+	SECItem *item;
+
+	item = (SECItem *)(state->dest);
+	if (item->len)
+	    item->len = (item->len << 3) - state->bit_string_unused_bits;
+    }
+
+    return len;
+}
+
+
+/*
+ * XXX All callers should be looking at return value to detect
+ * out-of-memory errors (and stop!).
+ */
+static struct subitem *
+sec_asn1d_add_to_subitems (sec_asn1d_state *state,
+			   const void *data, unsigned long len,
+			   PRBool copy_data)
+{
+    struct subitem *thing;
+
+    thing = (struct subitem*)sec_asn1d_zalloc (state->top->our_pool,
+				sizeof (struct subitem));
+    if (thing == NULL) {
+	state->top->status = decodeError;
+	return NULL;
+    }
+
+    if (copy_data) {
+	void *copy;
+	copy = sec_asn1d_alloc (state->top->our_pool, len);
+	if (copy == NULL) {
+	    state->top->status = decodeError;
+	    if (!state->top->our_pool)
+	    	PORT_Free(thing);
+	    return NULL;
+	}
+	PORT_Memcpy (copy, data, len);
+	thing->data = copy;
+    } else {
+	thing->data = data;
+    }
+    thing->len = len;
+    thing->next = NULL;
+
+    if (state->subitems_head == NULL) {
+	PORT_Assert (state->subitems_tail == NULL);
+	state->subitems_head = state->subitems_tail = thing;
+    } else {
+	state->subitems_tail->next = thing;
+	state->subitems_tail = thing;
+    }
+
+    return thing;
+}
+
+
+static void
+sec_asn1d_record_any_header (sec_asn1d_state *state,
+			     const char *buf,
+			     unsigned long len)
+{
+    SECItem *item;
+
+    item = (SECItem *)(state->dest);
+    if (item != NULL && item->data != NULL) {
+	PORT_Assert (state->substring);
+	PORT_Memcpy (item->data + item->len, buf, len);
+	item->len += len;
+    } else {
+	sec_asn1d_add_to_subitems (state, buf, len, PR_TRUE);
+    }
+}
+
+
+/*
+ * We are moving along through the substrings of a constructed string,
+ * and have just finished parsing one -- we need to save our child data
+ * (if the child was not already writing directly into the destination)
+ * and then move forward by one.
+ *
+ * We also have to detect when we are done:
+ *	- a definite-length encoding stops when our pending value hits 0
+ *	- an indefinite-length encoding stops when our child is empty
+ *	  (which means it was the end-of-contents octets)
+ */
+static void
+sec_asn1d_next_substring (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    SECItem *item;
+    unsigned long child_consumed;
+    PRBool done;
+
+    PORT_Assert (state->place == duringConstructedString);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    child_consumed = child->consumed;
+    child->consumed = 0;
+    state->consumed += child_consumed;
+
+    done = PR_FALSE;
+
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	if (child_consumed > state->pending) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return;
+	}
+
+	state->pending -= child_consumed;
+	if (state->pending == 0)
+	    done = PR_TRUE;
+    } else {
+	PORT_Assert (state->indefinite);
+
+	item = (SECItem *)(child->dest);
+	if (item != NULL && item->data != NULL) {
+	    /*
+	     * Save the string away for later concatenation.
+	     */
+	    PORT_Assert (item->data != NULL);
+	    sec_asn1d_add_to_subitems (state, item->data, item->len, PR_FALSE);
+	    /*
+	     * Clear the child item for the next round.
+	     */
+	    item->data = NULL;
+	    item->len = 0;
+	}
+
+	/*
+	 * If our child was just our end-of-contents octets, we are done.
+	 */
+	if (child->endofcontents)
+	    done = PR_TRUE;
+    }
+
+    /*
+     * Stop or do the next one.
+     */
+    if (done) {
+	child->place = notInUse;
+	state->place = afterConstructedString;
+    } else {
+	sec_asn1d_scrub_state (child);
+	state->top->current = child;
+    }
+}
+
+
+/*
+ * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
+ */
+static void
+sec_asn1d_next_in_group (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long child_consumed;
+
+    PORT_Assert (state->place == duringGroup);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    child_consumed = child->consumed;
+    child->consumed = 0;
+    state->consumed += child_consumed;
+
+    /*
+     * If our child was just our end-of-contents octets, we are done.
+     */
+    if (child->endofcontents) {
+	/* XXX I removed the PORT_Assert (child->dest == NULL) because there
+	 * was a bug in that a template that was a sequence of which also had
+	 * a child of a sequence of, in an indefinite group was not working 
+	 * properly.  This fix seems to work, (added the if statement below),
+	 * and nothing appears broken, but I am putting this note here just
+	 * in case. */
+	/*
+	 * XXX No matter how many times I read that comment,
+	 * I cannot figure out what case he was fixing.  I believe what he
+	 * did was deliberate, so I am loathe to touch it.  I need to
+	 * understand how it could ever be that child->dest != NULL but
+	 * child->endofcontents is true, and why it is important to check
+	 * that state->subitems_head is NULL.  This really needs to be
+	 * figured out, as I am not sure if the following code should be
+	 * compensating for "offset", as is done a little farther below
+	 * in the more normal case.
+	 */
+	PORT_Assert (state->indefinite);
+	PORT_Assert (state->pending == 0);
+	if(child->dest && !state->subitems_head) {
+	    sec_asn1d_add_to_subitems (state, child->dest, 0, PR_FALSE);
+	    child->dest = NULL;
+	}
+
+	child->place = notInUse;
+	state->place = afterGroup;
+	return;
+    }
+
+    /* 
+     * Do the "after" field notification for next in group.
+     */
+    sec_asn1d_notify_after (state->top, child->dest, child->depth);
+
+    /*
+     * Save it away (unless we are not storing).
+     */
+    if (child->dest != NULL) {
+	void *dest;
+
+	dest = child->dest;
+	dest = (char *)dest - child->theTemplate->offset;
+	sec_asn1d_add_to_subitems (state, dest, 0, PR_FALSE);
+	child->dest = NULL;
+    }
+
+    /*
+     * Account for those bytes; see if we are done.
+     */
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	if (child_consumed > state->pending) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return;
+	}
+
+	state->pending -= child_consumed;
+	if (state->pending == 0) {
+	    child->place = notInUse;
+	    state->place = afterGroup;
+	    return;
+	}
+    }
+
+    /*
+     * Do the "before" field notification for next item in group.
+     */
+    sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+    /*
+     * Now we do the next one.
+     */
+    sec_asn1d_scrub_state (child);
+
+    /* Initialize child state from the template */
+    sec_asn1d_init_state_based_on_template(child);
+
+    state->top->current = child;
+}
+
+
+/*
+ * We are moving along through a sequence; move forward by one,
+ * (detecting end-of-sequence when it happens).
+ * XXX The handling of "missing" is ugly.  Fix it.
+ */
+static void
+sec_asn1d_next_in_sequence (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long child_consumed;
+    PRBool child_missing;
+
+    PORT_Assert (state->place == duringSequence);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    /*
+     * Do the "after" field notification.
+     */
+    sec_asn1d_notify_after (state->top, child->dest, child->depth);
+
+    child_missing = (PRBool) child->missing;
+    child_consumed = child->consumed;
+    child->consumed = 0;
+
+    /*
+     * Take care of accounting.
+     */
+    if (child_missing) {
+	PORT_Assert (child->optional);
+    } else {
+	state->consumed += child_consumed;
+	/*
+	 * Free any grandchild.
+	 */
+	sec_asn1d_free_child (child, PR_FALSE);
+	if (state->pending) {
+	    PORT_Assert (!state->indefinite);
+	    if (child_consumed > state->pending) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    state->pending -= child_consumed;
+	    if (state->pending == 0) {
+		child->theTemplate++;
+		while (child->theTemplate->kind != 0) {
+		    if ((child->theTemplate->kind & SEC_ASN1_OPTIONAL) == 0) {
+			PORT_SetError (SEC_ERROR_BAD_DER);
+			state->top->status = decodeError;
+			return;
+		    }
+		    child->theTemplate++;
+		}
+		child->place = notInUse;
+		state->place = afterEndOfContents;
+		return;
+	    }
+	}
+    }
+
+    /*
+     * Move forward.
+     */
+    child->theTemplate++;
+    if (child->theTemplate->kind == 0) {
+	/*
+	 * We are done with this sequence.
+	 */
+	child->place = notInUse;
+	if (state->pending) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	} else if (child_missing) {
+	    /*
+	     * We got to the end, but have a child that started parsing
+	     * and ended up "missing".  The only legitimate reason for
+	     * this is that we had one or more optional fields at the
+	     * end of our sequence, and we were encoded indefinite-length,
+	     * so when we went looking for those optional fields we
+	     * found our end-of-contents octets instead.
+	     * (Yes, this is ugly; dunno a better way to handle it.)
+	     * So, first confirm the situation, and then mark that we
+	     * are done.
+	     */
+	    if (state->indefinite && child->endofcontents) {
+		PORT_Assert (child_consumed == 2);
+		if (child_consumed != 2) {
+		    PORT_SetError (SEC_ERROR_BAD_DER);
+		    state->top->status = decodeError;
+		} else {
+		    state->consumed += child_consumed;
+		    state->place = afterEndOfContents;
+		}
+	    } else {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+	    }
+	} else {
+	    /*
+	     * We have to finish out, maybe reading end-of-contents octets;
+	     * let the normal logic do the right thing.
+	     */
+	    state->place = beforeEndOfContents;
+	}
+    } else {
+	unsigned char child_found_tag_modifiers = 0;
+	unsigned long child_found_tag_number = 0;
+
+	/*
+	 * Reset state and push.
+	 */
+	if (state->dest != NULL)
+	    child->dest = (char *)state->dest + child->theTemplate->offset;
+
+	/*
+	 * Do the "before" field notification.
+	 */
+	sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+	if (child_missing) { /* if previous child was missing, copy the tag data we already have */
+	    child_found_tag_modifiers = child->found_tag_modifiers;
+	    child_found_tag_number = child->found_tag_number;
+	}
+	state->top->current = child;
+	child = sec_asn1d_init_state_based_on_template (child);
+	if (child_missing && child) {
+	    child->place = afterIdentifier;
+	    child->found_tag_modifiers = child_found_tag_modifiers;
+	    child->found_tag_number = child_found_tag_number;
+	    child->consumed = child_consumed;
+	    if (child->underlying_kind == SEC_ASN1_ANY
+		&& !child->top->filter_only) {
+		/*
+		 * If the new field is an ANY, and we are storing, then
+		 * we need to save the tag out.  We would have done this
+		 * already in the normal case, but since we were looking
+		 * for an optional field, and we did not find it, we only
+		 * now realize we need to save the tag.
+		 */
+		unsigned char identifier;
+
+		/*
+		 * Check that we did not end up with a high tag; for that
+		 * we need to re-encode the tag into multiple bytes in order
+		 * to store it back to look like what we parsed originally.
+		 * In practice this does not happen, but for completeness
+		 * sake it should probably be made to work at some point.
+		 */
+		PORT_Assert (child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
+		identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
+		sec_asn1d_record_any_header (child, (char *) &identifier, 1);
+	    }
+	}
+    }
+}
+
+
+static void
+sec_asn1d_concat_substrings (sec_asn1d_state *state)
+{
+    PORT_Assert (state->place == afterConstructedString);
+
+    if (state->subitems_head != NULL) {
+	struct subitem *substring;
+	unsigned long alloc_len, item_len;
+	unsigned char *where;
+	SECItem *item;
+	PRBool is_bit_string;
+
+	item_len = 0;
+	is_bit_string = (state->underlying_kind == SEC_ASN1_BIT_STRING)
+			? PR_TRUE : PR_FALSE;
+
+	substring = state->subitems_head;
+	while (substring != NULL) {
+	    /*
+	     * All bit-string substrings except the last one should be
+	     * a clean multiple of 8 bits.
+	     */
+	    if (is_bit_string && (substring->next == NULL)
+			      && (substring->len & 0x7)) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    item_len += substring->len;
+	    substring = substring->next;
+	}
+
+	if (is_bit_string) {
+#ifdef XP_WIN16		/* win16 compiler gets an internal error otherwise */
+	    alloc_len = (((long)item_len + 7) / 8);
+#else
+	    alloc_len = ((item_len + 7) >> 3);
+#endif
+	} else {
+	    /*
+	     * Add 2 for the end-of-contents octets of an indefinite-length
+	     * ANY that is *not* also an INNER.  Because we zero-allocate
+	     * below, all we need to do is increase the length here.
+	     */
+	    if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
+		item_len += 2; 
+	    alloc_len = item_len;
+	}
+
+	item = (SECItem *)(state->dest);
+	PORT_Assert (item != NULL);
+	PORT_Assert (item->data == NULL);
+	item->data = (unsigned char*)sec_asn1d_zalloc (state->top->their_pool, 
+						       alloc_len);
+	if (item->data == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+	item->len = item_len;
+
+	where = item->data;
+	substring = state->subitems_head;
+	while (substring != NULL) {
+	    if (is_bit_string)
+		item_len = (substring->len + 7) >> 3;
+	    else
+		item_len = substring->len;
+	    PORT_Memcpy (where, substring->data, item_len);
+	    where += item_len;
+	    substring = substring->next;
+	}
+
+	/*
+	 * Because we use arenas and have a mark set, we later free
+	 * everything we have allocated, so this does *not* present
+	 * a memory leak (it is just temporarily left dangling).
+	 */
+	state->subitems_head = state->subitems_tail = NULL;
+    }
+
+    state->place = afterEndOfContents;
+}
+
+
+static void
+sec_asn1d_concat_group (sec_asn1d_state *state)
+{
+    const void ***placep;
+
+    PORT_Assert (state->place == afterGroup);
+
+    placep = (const void***)state->dest;
+    PORT_Assert(state->subitems_head == NULL || placep != NULL);
+    if (placep != NULL) {
+	struct subitem *item;
+	const void **group;
+	int count;
+
+	count = 0;
+	item = state->subitems_head;
+	while (item != NULL) {
+	    PORT_Assert (item->next != NULL || item == state->subitems_tail);
+	    count++;
+	    item = item->next;
+	}
+
+	group = (const void**)sec_asn1d_zalloc (state->top->their_pool,
+				  (count + 1) * (sizeof(void *)));
+	if (group == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+
+	*placep = group;
+
+	item = state->subitems_head;
+	while (item != NULL) {
+	    *group++ = item->data;
+	    item = item->next;
+	}
+	*group = NULL;
+
+	/*
+	 * Because we use arenas and have a mark set, we later free
+	 * everything we have allocated, so this does *not* present
+	 * a memory leak (it is just temporarily left dangling).
+	 */
+	state->subitems_head = state->subitems_tail = NULL;
+    }
+
+    state->place = afterEndOfContents;
+}
+
+
+/*
+ * For those states that push a child to handle a subtemplate,
+ * "absorb" that child (transfer necessary information).
+ */
+static void
+sec_asn1d_absorb_child (sec_asn1d_state *state)
+{
+    /*
+     * There is absolutely supposed to be a child there.
+     */
+    PORT_Assert (state->child != NULL);
+
+    /*
+     * Inherit the missing status of our child, and do the ugly
+     * backing-up if necessary.
+     */
+    state->missing = state->child->missing;
+    if (state->missing) {
+	state->found_tag_number = state->child->found_tag_number;
+	state->found_tag_modifiers = state->child->found_tag_modifiers;
+	state->endofcontents = state->child->endofcontents;
+    }
+
+    /*
+     * Add in number of bytes consumed by child.
+     * (Only EXPLICIT should have already consumed bytes itself.)
+     */
+    PORT_Assert (state->place == afterExplicit || state->consumed == 0);
+    state->consumed += state->child->consumed;
+
+    /*
+     * Subtract from bytes pending; this only applies to a definite-length
+     * EXPLICIT field.
+     */
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	PORT_Assert (state->place == afterExplicit);
+
+	/*
+	 * If we had a definite-length explicit, then what the child
+	 * consumed should be what was left pending.
+	 */
+	if (state->pending != state->child->consumed) {
+	    if (state->pending < state->child->consumed) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    /*
+	     * Okay, this is a hack.  It *should* be an error whether
+	     * pending is too big or too small, but it turns out that
+	     * we had a bug in our *old* DER encoder that ended up
+	     * counting an explicit header twice in the case where
+	     * the underlying type was an ANY.  So, because we cannot
+	     * prevent receiving these (our own certificate server can
+	     * send them to us), we need to be lenient and accept them.
+	     * To do so, we need to pretend as if we read all of the
+	     * bytes that the header said we would find, even though
+	     * we actually came up short.
+	     */
+	    state->consumed += (state->pending - state->child->consumed);
+	}
+	state->pending = 0;
+    }
+
+    /*
+     * Indicate that we are done with child.
+     */
+    state->child->consumed = 0;
+
+    /*
+     * And move on to final state.
+     * (Technically everybody could move to afterEndOfContents except
+     * for an indefinite-length EXPLICIT; for simplicity though we assert
+     * that but let the end-of-contents code do the real determination.)
+     */
+    PORT_Assert (state->place == afterExplicit || (! state->indefinite));
+    state->place = beforeEndOfContents;
+}
+
+
+static void
+sec_asn1d_prepare_for_end_of_contents (sec_asn1d_state *state)
+{
+    PORT_Assert (state->place == beforeEndOfContents);
+
+    if (state->indefinite) {
+	state->place = duringEndOfContents;
+	state->pending = 2;
+    } else {
+	state->place = afterEndOfContents;
+    }
+}
+
+
+static unsigned long
+sec_asn1d_parse_end_of_contents (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    unsigned int i;
+
+    PORT_Assert (state->pending <= 2);
+    PORT_Assert (state->place == duringEndOfContents);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    if (state->pending < len)
+	len = state->pending;
+
+    for (i = 0; i < len; i++) {
+	if (buf[i] != 0) {
+	    /*
+	     * We expect to find only zeros; if not, just give up.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+    }
+
+    state->pending -= len;
+
+    if (state->pending == 0) {
+	state->place = afterEndOfContents;
+	state->endofcontents = PR_TRUE;
+    }
+
+    return len;
+}
+
+
+static void
+sec_asn1d_pop_state (sec_asn1d_state *state)
+{
+#if 0	/* XXX I think this should always be handled explicitly by parent? */
+    /*
+     * Account for our child.
+     */
+    if (state->child != NULL) {
+	state->consumed += state->child->consumed;
+	if (state->pending) {
+	    PORT_Assert (!state->indefinite);
+	    if (state->child->consumed > state->pending) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+	    } else {
+		state->pending -= state->child->consumed;
+	    }
+	}
+	state->child->consumed = 0;
+    }
+#endif	/* XXX */
+
+    /*
+     * Free our child.
+     */
+    sec_asn1d_free_child (state, PR_FALSE);
+
+    /*
+     * Just make my parent be the current state.  It will then clean
+     * up after me and free me (or reuse me).
+     */
+    state->top->current = state->parent;
+}
+
+static sec_asn1d_state *
+sec_asn1d_before_choice (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+
+    if (state->allocate) {
+	void *dest;
+
+	dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size);
+	if ((void *)NULL == dest) {
+	    state->top->status = decodeError;
+	    return (sec_asn1d_state *)NULL;
+	}
+
+	state->dest = (char *)dest + state->theTemplate->offset;
+    }
+
+    child = sec_asn1d_push_state(state->top, state->theTemplate + 1, 
+				 (char *)state->dest - state->theTemplate->offset, 
+				 PR_FALSE);
+    if ((sec_asn1d_state *)NULL == child) {
+	return (sec_asn1d_state *)NULL;
+    }
+
+    sec_asn1d_scrub_state(child);
+    child = sec_asn1d_init_state_based_on_template(child);
+    if ((sec_asn1d_state *)NULL == child) {
+	return (sec_asn1d_state *)NULL;
+    }
+
+    child->optional = PR_TRUE;
+
+    state->place = duringChoice;
+
+    return child;
+}
+
+static sec_asn1d_state *
+sec_asn1d_during_choice (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child = state->child;
+    
+    PORT_Assert((sec_asn1d_state *)NULL != child);
+
+    if (child->missing) {
+	unsigned char child_found_tag_modifiers = 0;
+	unsigned long child_found_tag_number = 0;
+	void *        dest;
+
+	state->consumed += child->consumed;
+
+	if (child->endofcontents) {
+	    /* This choice is probably the first item in a GROUP
+	    ** (e.g. SET_OF) that was indefinite-length encoded.
+	    ** We're actually at the end of that GROUP.
+	    ** We look up the stack to be sure that we find
+	    ** a state with indefinite length encoding before we
+	    ** find a state (like a SEQUENCE) that is definite.
+	    */
+	    child->place = notInUse;
+	    state->place = afterChoice;
+	    state->endofcontents = PR_TRUE;  /* propagate this up */
+	    if (sec_asn1d_parent_allows_EOC(state))
+		return state;
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return NULL;
+	}
+
+	dest = (char *)child->dest - child->theTemplate->offset;
+	child->theTemplate++;
+
+	if (0 == child->theTemplate->kind) {
+	    /* Ran out of choices */
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return (sec_asn1d_state *)NULL;
+	}
+	child->dest = (char *)dest + child->theTemplate->offset;
+
+	/* cargo'd from next_in_sequence innards */
+	if (state->pending) {
+	    PORT_Assert(!state->indefinite);
+	    if (child->consumed > state->pending) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return NULL;
+	    }
+	    state->pending -= child->consumed;
+	    if (0 == state->pending) {
+		/* XXX uh.. not sure if I should have stopped this
+		 * from happening before. */
+		PORT_Assert(0);
+		PORT_SetError(SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return (sec_asn1d_state *)NULL;
+	    }
+	}
+
+	child->consumed = 0;
+	sec_asn1d_scrub_state(child);
+
+	/* move it on top again */
+	state->top->current = child;
+
+	child_found_tag_modifiers = child->found_tag_modifiers;
+	child_found_tag_number = child->found_tag_number;
+
+	child = sec_asn1d_init_state_based_on_template(child);
+	if ((sec_asn1d_state *)NULL == child) {
+	    return (sec_asn1d_state *)NULL;
+	}
+
+	/* copy our findings to the new top */
+	child->found_tag_modifiers = child_found_tag_modifiers;
+	child->found_tag_number = child_found_tag_number;
+
+	child->optional = PR_TRUE;
+	child->place = afterIdentifier;
+
+	return child;
+    } 
+    if ((void *)NULL != state->dest) {
+	/* Store the enum */
+	int *which = (int *)state->dest;
+	*which = (int)child->theTemplate->size;
+    }
+
+    child->place = notInUse;
+
+    state->place = afterChoice;
+    return state;
+}
+
+static void
+sec_asn1d_after_choice (sec_asn1d_state *state)
+{
+    state->consumed += state->child->consumed;
+    state->child->consumed = 0;
+    state->place = afterEndOfContents;
+    sec_asn1d_pop_state(state);
+}
+
+unsigned long
+sec_asn1d_uinteger(SECItem *src)
+{
+    unsigned long value;
+    int len;
+
+    if (src->len > 5 || (src->len > 4 && src->data[0] == 0))
+	return 0;
+
+    value = 0;
+    len = src->len;
+    while (len) {
+	value <<= 8;
+	value |= src->data[--len];
+    }
+    return value;
+}
+
+SECStatus
+SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value)
+{
+    unsigned long v;
+    unsigned int i;
+    
+    if (src == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (src->len > sizeof(unsigned long)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (src->data == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+
+    if (src->data[0] & 0x80)
+	v = -1;		/* signed and negative - start with all 1's */
+    else
+	v = 0;
+
+    for (i= 0; i < src->len; i++) {
+	/* shift in next byte */
+	v <<= 8;
+	v |= src->data[i];
+    }
+    *value = v;
+    return SECSuccess;
+}
+
+#ifdef DEBUG_ASN1D_STATES
+static void
+dump_states(SEC_ASN1DecoderContext *cx)
+{
+    sec_asn1d_state *state;
+    char kindBuf[256];
+
+    for (state = cx->current; state->parent; state = state->parent) {
+        ;
+    }
+
+    for (; state; state = state->child) {
+        int i;
+        for (i = 0; i < state->depth; i++) {
+            printf("  ");
+        }
+
+        i = formatKind(state->theTemplate->kind, kindBuf);
+        printf("%s: tmpl %08x, kind%s",
+               (state == cx->current) ? "STATE" : "State",
+               state->theTemplate,
+               kindBuf);
+        printf(" %s", (state->place >= 0 && state->place <= notInUse)
+                       ? place_names[ state->place ]
+                       : "(undefined)");
+        if (!i)
+            printf(", expect 0x%02x",
+                   state->expect_tag_number | state->expect_tag_modifiers);
+
+        printf("%s%s%s %d\n",
+               state->indefinite    ? ", indef"   : "",
+               state->missing       ? ", miss"    : "",
+               state->endofcontents ? ", EOC"     : "",
+               state->pending
+               );
+    }
+
+    return;
+}
+#endif /* DEBUG_ASN1D_STATES */
+
+SECStatus
+SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx,
+		       const char *buf, unsigned long len)
+{
+    sec_asn1d_state *state = NULL;
+    unsigned long consumed;
+    SEC_ASN1EncodingPart what;
+    sec_asn1d_state *stateEnd = cx->current;
+
+    if (cx->status == needBytes)
+	cx->status = keepGoing;
+
+    while (cx->status == keepGoing) {
+	state = cx->current;
+	what = SEC_ASN1_Contents;
+	consumed = 0;
+#ifdef DEBUG_ASN1D_STATES
+        printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n",
+               (state->place >= 0 && state->place <= notInUse) ?
+               place_names[ state->place ] : "(undefined)",
+               (unsigned int)((unsigned char *)buf)[ consumed ],
+               buf, consumed);
+        dump_states(cx);
+#endif /* DEBUG_ASN1D_STATES */
+	switch (state->place) {
+	  case beforeIdentifier:
+	    consumed = sec_asn1d_parse_identifier (state, buf, len);
+	    what = SEC_ASN1_Identifier;
+	    break;
+	  case duringIdentifier:
+	    consumed = sec_asn1d_parse_more_identifier (state, buf, len);
+	    what = SEC_ASN1_Identifier;
+	    break;
+	  case afterIdentifier:
+	    sec_asn1d_confirm_identifier (state);
+	    break;
+	  case beforeLength:
+	    consumed = sec_asn1d_parse_length (state, buf, len);
+	    what = SEC_ASN1_Length;
+	    break;
+	  case duringLength:
+	    consumed = sec_asn1d_parse_more_length (state, buf, len);
+	    what = SEC_ASN1_Length;
+	    break;
+	  case afterLength:
+	    sec_asn1d_prepare_for_contents (state);
+	    break;
+	  case beforeBitString:
+	    consumed = sec_asn1d_parse_bit_string (state, buf, len);
+	    break;
+	  case duringBitString:
+	    consumed = sec_asn1d_parse_more_bit_string (state, buf, len);
+	    break;
+	  case duringConstructedString:
+	    sec_asn1d_next_substring (state);
+	    break;
+	  case duringGroup:
+	    sec_asn1d_next_in_group (state);
+	    break;
+	  case duringLeaf:
+	    consumed = sec_asn1d_parse_leaf (state, buf, len);
+	    break;
+	  case duringSaveEncoding:
+	    sec_asn1d_reuse_encoding (state);
+	    if (cx->status == decodeError) {
+		/* recursive call has already popped all states from stack.
+		** Bail out quickly.
+		*/
+		return SECFailure;
+	    }
+	    if (cx->status == needBytes) {
+		/* recursive call wanted more data. Fatal. Clean up below. */
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		cx->status = decodeError;
+	    }
+	    break;
+	  case duringSequence:
+	    sec_asn1d_next_in_sequence (state);
+	    break;
+	  case afterConstructedString:
+	    sec_asn1d_concat_substrings (state);
+	    break;
+	  case afterExplicit:
+	  case afterImplicit:
+	  case afterInline:
+	  case afterPointer:
+	    sec_asn1d_absorb_child (state);
+	    break;
+	  case afterGroup:
+	    sec_asn1d_concat_group (state);
+	    break;
+	  case afterSaveEncoding:
+	    /* SEC_ASN1DecoderUpdate has called itself recursively to 
+	    ** decode SAVEd encoded data, and now is done decoding that.
+	    ** Return to the calling copy of SEC_ASN1DecoderUpdate.
+	    */
+	    return SECSuccess;
+	  case beforeEndOfContents:
+	    sec_asn1d_prepare_for_end_of_contents (state);
+	    break;
+	  case duringEndOfContents:
+	    consumed = sec_asn1d_parse_end_of_contents (state, buf, len);
+	    what = SEC_ASN1_EndOfContents;
+	    break;
+	  case afterEndOfContents:
+	    sec_asn1d_pop_state (state);
+	    break;
+          case beforeChoice:
+            state = sec_asn1d_before_choice(state);
+            break;
+          case duringChoice:
+            state = sec_asn1d_during_choice(state);
+            break;
+          case afterChoice:
+            sec_asn1d_after_choice(state);
+            break;
+	  case notInUse:
+	  default:
+	    /* This is not an error, but rather a plain old BUG! */
+	    PORT_Assert (0);
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    cx->status = decodeError;
+	    break;
+	}
+
+	if (cx->status == decodeError)
+	    break;
+
+	/* We should not consume more than we have.  */
+	PORT_Assert (consumed <= len);
+	if (consumed > len) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    cx->status = decodeError;
+	    break;
+	}
+
+	/* It might have changed, so we have to update our local copy.  */
+	state = cx->current;
+
+	/* If it is NULL, we have popped all the way to the top.  */
+	if (state == NULL) {
+	    PORT_Assert (consumed == 0);
+#if 0	/* XXX I want this here, but it seems that we have situations (like
+	 * downloading a pkcs7 cert chain from some issuers) that give us a
+	 * length which is greater than the entire encoding.  So, we cannot
+	 * have this be an error.
+	 */
+	    if (len > 0) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		cx->status = decodeError;
+	    } else
+#endif
+		cx->status = allDone;
+	    break;
+	}
+	else if (state->theTemplate->kind == SEC_ASN1_SKIP_REST) {
+	    cx->status = allDone;
+	    break;
+	}
+	  
+	if (consumed == 0)
+	    continue;
+
+	/*
+	 * The following check is specifically looking for an ANY
+	 * that is *not* also an INNER, because we need to save aside
+	 * all bytes in that case -- the contents parts will get
+	 * handled like all other contents, and the end-of-contents
+	 * bytes are added by the concat code, but the outer header
+	 * bytes need to get saved too, so we do them explicitly here.
+	 */
+	if (state->underlying_kind == SEC_ASN1_ANY
+	    && !cx->filter_only && (what == SEC_ASN1_Identifier
+				    || what == SEC_ASN1_Length)) {
+	    sec_asn1d_record_any_header (state, buf, consumed);
+	}
+
+	/*
+	 * We had some number of good, accepted bytes.  If the caller
+	 * has registered to see them, pass them along.
+	 */
+	if (state->top->filter_proc != NULL) {
+	    int depth;
+
+	    depth = state->depth;
+	    if (what == SEC_ASN1_EndOfContents && !state->indefinite) {
+		PORT_Assert (state->parent != NULL
+			     && state->parent->indefinite);
+		depth--;
+		PORT_Assert (depth == state->parent->depth);
+	    }
+	    (* state->top->filter_proc) (state->top->filter_arg,
+					 buf, consumed, depth, what);
+	}
+
+	state->consumed += consumed;
+	buf += consumed;
+	len -= consumed;
+    }
+
+    if (cx->status == decodeError) {
+	while (state != NULL && stateEnd->parent!=state) {
+	    sec_asn1d_free_child (state, PR_TRUE);
+	    state = state->parent;
+	}
+#ifdef SEC_ASN1D_FREE_ON_ERROR	/*
+				 * XXX This does not work because we can
+				 * end up leaving behind dangling pointers
+				 * to stuff that was allocated.  In order
+				 * to make this really work (which would
+				 * be a good thing, I think), we need to
+				 * keep track of every place/pointer that
+				 * was allocated and make sure to NULL it
+				 * out before we then free back to the mark.	
+				 */
+	if (cx->their_pool != NULL) {
+	    PORT_Assert (cx->their_mark != NULL);
+	    PORT_ArenaRelease (cx->their_pool, cx->their_mark);
+	}
+#endif
+	return SECFailure;
+    }
+
+#if 0	/* XXX This is what I want, but cannot have because it seems we
+	 * have situations (like when downloading a pkcs7 cert chain from
+	 * some issuers) that give us a total length which is greater than
+	 * the entire encoding.  So, we have to allow allDone to have a
+	 * remaining length greater than zero.  I wanted to catch internal
+	 * bugs with this, noticing when we do not have the right length.
+	 * Oh well.
+	 */
+    PORT_Assert (len == 0
+		 && (cx->status == needBytes || cx->status == allDone));
+#else
+    PORT_Assert ((len == 0 && cx->status == needBytes)
+		 || cx->status == allDone);
+#endif
+    return SECSuccess;
+}
+
+
+SECStatus
+SEC_ASN1DecoderFinish (SEC_ASN1DecoderContext *cx)
+{
+    SECStatus rv;
+
+    if (cx->status == needBytes) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	rv = SECFailure;
+    } else {
+	rv = SECSuccess;
+    }
+
+    /*
+     * XXX anything else that needs to be finished?
+     */
+
+    PORT_FreeArena (cx->our_pool, PR_TRUE);
+
+    return rv;
+}
+
+
+SEC_ASN1DecoderContext *
+SEC_ASN1DecoderStart (PRArenaPool *their_pool, void *dest,
+		      const SEC_ASN1Template *theTemplate)
+{
+    PRArenaPool *our_pool;
+    SEC_ASN1DecoderContext *cx;
+
+    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (our_pool == NULL)
+	return NULL;
+
+    cx = (SEC_ASN1DecoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
+    if (cx == NULL) {
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    cx->our_pool = our_pool;
+    if (their_pool != NULL) {
+	cx->their_pool = their_pool;
+#ifdef SEC_ASN1D_FREE_ON_ERROR
+	cx->their_mark = PORT_ArenaMark (their_pool);
+#endif
+    }
+
+    cx->status = needBytes;
+
+    if (sec_asn1d_push_state(cx, theTemplate, dest, PR_FALSE) == NULL
+	|| sec_asn1d_init_state_based_on_template (cx->current) == NULL) {
+	/*
+	 * Trouble initializing (probably due to failed allocations)
+	 * requires that we just give up.
+	 */
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    return cx;
+}
+
+
+void
+SEC_ASN1DecoderSetFilterProc (SEC_ASN1DecoderContext *cx,
+			      SEC_ASN1WriteProc fn, void *arg,
+			      PRBool only)
+{
+    /* check that we are "between" fields here */
+    PORT_Assert (cx->during_notify);
+
+    cx->filter_proc = fn;
+    cx->filter_arg = arg;
+    cx->filter_only = only;
+}
+
+
+void
+SEC_ASN1DecoderClearFilterProc (SEC_ASN1DecoderContext *cx)
+{
+    /* check that we are "between" fields here */
+    PORT_Assert (cx->during_notify);
+
+    cx->filter_proc = NULL;
+    cx->filter_arg = NULL;
+    cx->filter_only = PR_FALSE;
+}
+
+
+void
+SEC_ASN1DecoderSetNotifyProc (SEC_ASN1DecoderContext *cx,
+			      SEC_ASN1NotifyProc fn, void *arg)
+{
+    cx->notify_proc = fn;
+    cx->notify_arg = arg;
+}
+
+
+void
+SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx)
+{
+    cx->notify_proc = NULL;
+    cx->notify_arg = NULL;	/* not necessary; just being clean */
+}
+
+void
+SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
+{
+    PORT_Assert(cx);
+    PORT_SetError(error);
+    cx->status = decodeError;
+}
+
+
+SECStatus
+SEC_ASN1Decode (PRArenaPool *poolp, void *dest,
+		const SEC_ASN1Template *theTemplate,
+		const char *buf, long len)
+{
+    SEC_ASN1DecoderContext *dcx;
+    SECStatus urv, frv;
+
+    dcx = SEC_ASN1DecoderStart (poolp, dest, theTemplate);
+    if (dcx == NULL)
+	return SECFailure;
+
+    urv = SEC_ASN1DecoderUpdate (dcx, buf, len);
+    frv = SEC_ASN1DecoderFinish (dcx);
+
+    if (urv != SECSuccess)
+	return urv;
+
+    return frv;
+}
+
+
+SECStatus
+SEC_ASN1DecodeItem (PRArenaPool *poolp, void *dest,
+		    const SEC_ASN1Template *theTemplate,
+		    const SECItem *src)
+{
+    return SEC_ASN1Decode (poolp, dest, theTemplate,
+			   (const char *)src->data, src->len);
+}
+
+#ifdef DEBUG_ASN1D_STATES
+void sec_asn1d_Assert(const char *s, const char *file, PRIntn ln)
+{
+    printf("Assertion failed, \"%s\", file %s, line %d\n", s, file, ln);
+    fflush(stdout);
+}
+#endif
+
+/*
+ * Generic templates for individual/simple items and pointers to
+ * and sets of same.
+ *
+ * If you need to add a new one, please note the following:
+ *	 - For each new basic type you should add *four* templates:
+ *	one plain, one PointerTo, one SequenceOf and one SetOf.
+ *	 - If the new type can be constructed (meaning, it is a
+ *	*string* type according to BER/DER rules), then you should
+ *	or-in SEC_ASN1_MAY_STREAM to the type in the basic template.
+ *	See the definition of the OctetString template for an example.
+ *	 - It may not be obvious, but these are in *alphabetical*
+ *	order based on the SEC_ASN1_XXX name; so put new ones in
+ *	the appropriate place.
+ */
+
+const SEC_ASN1Template SEC_SequenceOfAnyTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_PointerToBitStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBitStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToBMPStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBMPStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToBooleanTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BooleanTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BooleanTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBooleanTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BooleanTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_EnumeratedTemplate[] = {
+    { SEC_ASN1_ENUMERATED, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_EnumeratedTemplate }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_EnumeratedTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_EnumeratedTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_GeneralizedTimeTemplate }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_GeneralizedTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_GeneralizedTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToIA5StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfIA5StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToIntegerTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfIntegerTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToNullTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfNullTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfNullTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToObjectIDTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_ObjectIDTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_ObjectIDTemplate }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_SetOfObjectIDTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_ObjectIDTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_OctetStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfOctetStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_OctetStringTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_PrintableStringTemplate[] = {
+    { SEC_ASN1_PRINTABLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PrintableStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_PrintableStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_PrintableStringTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_T61StringTemplate[] = {
+    { SEC_ASN1_T61_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_PointerToT61StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_T61StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_T61StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfT61StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_T61StringTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_UniversalStringTemplate[] = {
+    { SEC_ASN1_UNIVERSAL_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UTF8StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTF8StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UTF8StringTemplate }
+};
+
+#endif
+
+const SEC_ASN1Template SEC_VisibleStringTemplate[] = {
+    { SEC_ASN1_VISIBLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+#if 0
+
+const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_VisibleStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_VisibleStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_VisibleStringTemplate }
+};
+
+#endif
+
+/*
+ * Template for skipping a subitem.
+ *
+ * Note that it only makes sense to use this for decoding (when you want
+ * to decode something where you are only interested in one or two of
+ * the fields); you cannot encode a SKIP!
+ */
+const SEC_ASN1Template SEC_SkipTemplate[] = {
+    { SEC_ASN1_SKIP }
+};
+
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_EnumeratedTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToEnumeratedTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SequenceOfAnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SequenceOfObjectIDTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SkipTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UniversalStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PrintableStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_T61StringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToGeneralizedTimeTemplate)
+
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
new file mode 100644
index 000000000..2300060df
--- /dev/null
+++ b/security/nss/lib/util/secasn1e.c
@@ -0,0 +1,1647 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+#include "secasn1.h"
+
+typedef enum {
+    beforeHeader,
+    duringContents,
+    duringGroup,
+    duringSequence,
+    afterContents,
+    afterImplicit,
+    afterInline,
+    afterPointer,
+    afterChoice,
+    notInUse
+} sec_asn1e_parse_place;
+
+typedef enum {
+    allDone,
+    encodeError,
+    keepGoing,
+    needBytes
+} sec_asn1e_parse_status;
+
+typedef enum {
+    hdr_normal      = 0,  /* encode header normally */
+    hdr_any         = 1,  /* header already encoded in content */
+    hdr_decoder     = 2,  /* template only used by decoder. skip it. */
+    hdr_optional    = 3,  /* optional component, to be omitted */
+    hdr_placeholder = 4   /* place holder for from_buf content */
+} sec_asn1e_hdr_encoding;
+
+typedef struct sec_asn1e_state_struct {
+    SEC_ASN1EncoderContext *top;
+    const SEC_ASN1Template *theTemplate;
+    void *src;
+
+    struct sec_asn1e_state_struct *parent;	/* aka prev */
+    struct sec_asn1e_state_struct *child;	/* aka next */
+
+    sec_asn1e_parse_place place;	/* where we are in encoding process */
+
+    /*
+     * XXX explain the next fields as clearly as possible...
+     */
+    unsigned char tag_modifiers;
+    unsigned char tag_number;
+    unsigned long underlying_kind;
+
+    int depth;
+
+    PRBool isExplicit,		/* we are handling an isExplicit header */
+	   indefinite,		/* need end-of-contents */
+	   is_string,		/* encoding a simple string or an ANY */
+	   may_stream,		/* when streaming, do indefinite encoding */
+	   optional,		/* omit field if it has no contents */
+	   disallowStreaming;	/* disallow streaming in all sub-templates */	
+} sec_asn1e_state;
+
+/*
+ * An "outsider" will have an opaque pointer to this, created by calling
+ * SEC_ASN1EncoderStart().  It will be passed back in to all subsequent
+ * calls to SEC_ASN1EncoderUpdate() and related routines, and when done
+ * it is passed to SEC_ASN1EncoderFinish().
+ */
+struct sec_EncoderContext_struct {
+    PRArenaPool *our_pool;		/* for our internal allocs */
+
+    sec_asn1e_state *current;
+    sec_asn1e_parse_status status;
+
+    PRBool streaming;
+    PRBool from_buf;
+
+    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
+    void *notify_arg;			/* argument to notify_proc */
+    PRBool during_notify;		/* true during call to notify_proc */
+
+    SEC_ASN1WriteProc output_proc;	/* pass encoded bytes to this  */
+    void *output_arg;			/* argument to that function */
+};
+
+
+static sec_asn1e_state *
+sec_asn1e_push_state (SEC_ASN1EncoderContext *cx,
+		      const SEC_ASN1Template *theTemplate,
+		      const void *src, PRBool new_depth)
+{
+    sec_asn1e_state *state, *new_state;
+
+    state = cx->current;
+
+    new_state = (sec_asn1e_state*)PORT_ArenaZAlloc (cx->our_pool, 
+						    sizeof(*new_state));
+    if (new_state == NULL) {
+	cx->status = encodeError;
+	return NULL;
+    }
+
+    new_state->top = cx;
+    new_state->parent = state;
+    new_state->theTemplate = theTemplate;
+    new_state->place = notInUse;
+    if (src != NULL)
+	new_state->src = (char *)src + theTemplate->offset;
+
+    if (state != NULL) {
+	new_state->depth = state->depth;
+	if (new_depth)
+	    new_state->depth++;
+	state->child = new_state;
+    }
+
+    cx->current = new_state;
+    return new_state;
+}
+
+
+static void
+sec_asn1e_scrub_state (sec_asn1e_state *state)
+{
+    /*
+     * Some default "scrubbing".
+     * XXX right set of initializations?
+     */
+    state->place = beforeHeader;
+    state->indefinite = PR_FALSE;
+}
+
+
+static void
+sec_asn1e_notify_before (SEC_ASN1EncoderContext *cx, void *src, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, src, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static void
+sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, src, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static sec_asn1e_state *
+sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
+{
+    PRBool isExplicit, is_string, may_stream, optional, universal; 
+    PRBool disallowStreaming;
+    unsigned char tag_modifiers;
+    unsigned long encode_kind, under_kind;
+    unsigned long tag_number;
+    PRBool isInline = PR_FALSE;
+
+
+    encode_kind = state->theTemplate->kind;
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    isExplicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(isExplicit && universal));	/* bad templates */
+
+    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    disallowStreaming = (encode_kind & SEC_ASN1_NO_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_NO_STREAM;
+
+    /* Just clear this to get it out of the way; we do not need it here */
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+
+    if( encode_kind & SEC_ASN1_CHOICE ) {
+      under_kind = SEC_ASN1_CHOICE;
+    } else if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || 
+        (!universal && !isExplicit)) {
+	const SEC_ASN1Template *subt;
+	void *src = NULL;
+
+	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
+
+	sec_asn1e_scrub_state (state);
+
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    src = *(void **)state->src;
+	    state->place = afterPointer;
+
+	    if (src == NULL) {
+		/*
+		 * If this is optional, but NULL, then the field does
+		 * not need to be encoded.  In this case we are done;
+		 * we do not want to push a subtemplate.
+		 */
+		if (optional)
+		    return state;
+
+		/*
+		 * XXX this is an error; need to figure out
+		 * how to handle this
+		 */
+	    }
+	} else {
+	    src = state->src;
+	    if (encode_kind & SEC_ASN1_INLINE) {
+		/* check that there are no extraneous bits */
+		/* PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional); */
+		state->place = afterInline;
+		isInline = PR_TRUE;
+	    } else {
+		/*
+		 * Save the tag modifiers and tag number here before moving
+		 * on to the next state in case this is a member of a
+		 * SEQUENCE OF
+		 */
+		state->tag_modifiers = (unsigned char)
+		    (encode_kind & (SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK));
+		state->tag_number = (unsigned char)
+		    (encode_kind & SEC_ASN1_TAGNUM_MASK);
+		
+		state->place = afterImplicit;
+		state->optional = optional;
+	    }
+	}
+
+	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src, PR_TRUE);
+	if (isInline && optional) {
+	    /* we only handle a very limited set of optional inline cases at
+	       this time */
+	    if (PR_FALSE != SEC_ASN1IsTemplateSimple(subt)) {
+		/* we now know that the target is a SECItem*, so we can check
+		   if the source contains one */
+		SECItem* target = (SECItem*)state->src;
+		if (!target || !target->data || !target->len) {
+		    /* no valid data to encode subtemplate */
+		    return state;
+		}
+	    } else {
+		PORT_Assert(0); /* complex templates are not handled as
+				   inline optional */
+	    }
+	}
+	state = sec_asn1e_push_state (state->top, subt, src, PR_FALSE);
+	if (state == NULL)
+	    return state;
+
+	if (universal) {
+	    /*
+	     * This is a POINTER or INLINE; just init based on that
+	     * and we are done.
+	     */
+	    return sec_asn1e_init_state_based_on_template (state);
+	}
+
+	/*
+	 * This is an implicit, non-universal (meaning, application-private
+	 * or context-specific) field.  This results in a "magic" tag but
+	 * encoding based on the underlying type.  We pushed a new state
+	 * that is based on the subtemplate (the underlying type), but
+	 * now we will sort of alias it to give it some of our properties
+	 * (tag, optional status, etc.).
+	 *
+	 * NB: ALL the following flags in the subtemplate are disallowed
+	 *     and/or ignored: EXPLICIT, OPTIONAL, INNER, INLINE, POINTER.
+	 */
+
+	under_kind = state->theTemplate->kind;
+	if ((under_kind & SEC_ASN1_MAY_STREAM) && !disallowStreaming) {
+	    may_stream = PR_TRUE;
+	}
+	under_kind &= ~(SEC_ASN1_MAY_STREAM | SEC_ASN1_DYNAMIC);
+    } else {
+	under_kind = encode_kind;
+    }
+
+    /*
+     * Sanity check that there are no unwanted bits marked in under_kind.
+     * These bits were either removed above (after we recorded them) or
+     * they simply should not be found (signalling a bad/broken template).
+     * XXX is this the right set of bits to test here? (i.e. need to add
+     * or remove any?)
+     */
+#define UNEXPECTED_FLAGS \
+ (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_SKIP | SEC_ASN1_INNER | \
+  SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM | SEC_ASN1_INLINE | SEC_ASN1_POINTER)
+
+    PORT_Assert ((under_kind & UNEXPECTED_FLAGS) == 0);
+    under_kind &= ~UNEXPECTED_FLAGS;
+#undef UNEXPECTED_FLAGS
+
+    if (encode_kind & SEC_ASN1_ANY) {
+	PORT_Assert (encode_kind == under_kind);
+	tag_modifiers = 0;
+	tag_number = 0;
+	is_string = PR_TRUE;
+    } else {
+	tag_modifiers = (unsigned char)
+		(encode_kind & (SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK));
+	/*
+	 * XXX This assumes only single-octet identifiers.  To handle
+	 * the HIGH TAG form we would need to do some more work, especially
+	 * in how to specify them in the template, because right now we
+	 * do not provide a way to specify more *tag* bits in encode_kind.
+	 */
+	tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
+
+	is_string = PR_FALSE;
+	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
+	  case SEC_ASN1_SET:
+	    /*
+	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
+	     * If it ever is, remove this assert...
+	     */
+	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
+	    /* fallthru */
+	  case SEC_ASN1_SEQUENCE:
+	    tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	    break;
+	  case SEC_ASN1_BIT_STRING:
+	  case SEC_ASN1_BMP_STRING: 
+	  case SEC_ASN1_GENERALIZED_TIME:
+	  case SEC_ASN1_IA5_STRING:
+	  case SEC_ASN1_OCTET_STRING:
+	  case SEC_ASN1_PRINTABLE_STRING:
+	  case SEC_ASN1_T61_STRING:
+	  case SEC_ASN1_UNIVERSAL_STRING: 
+	  case SEC_ASN1_UTC_TIME:
+	  case SEC_ASN1_UTF8_STRING:
+	  case SEC_ASN1_VISIBLE_STRING: 
+	    /*
+	     * We do not yet know if we will be constructing the string,
+	     * so we have to wait to do this final tag modification.
+	     */
+	    is_string = PR_TRUE;
+	    break;
+	}
+    }
+
+    state->tag_modifiers = tag_modifiers;
+    state->tag_number = (unsigned char)tag_number;
+    state->underlying_kind = under_kind;
+    state->isExplicit = isExplicit;
+    state->may_stream = may_stream;
+    state->is_string = is_string;
+    state->optional = optional;
+    state->disallowStreaming = disallowStreaming;
+
+    sec_asn1e_scrub_state (state);
+
+    return state;
+}
+
+
+static void
+sec_asn1e_write_part (sec_asn1e_state *state,
+		      const char *buf, unsigned long len,
+		      SEC_ASN1EncodingPart part)
+{
+    SEC_ASN1EncoderContext *cx;
+
+    cx = state->top;
+    (* cx->output_proc) (cx->output_arg, buf, len, state->depth, part);
+}
+
+
+/*
+ * XXX This assumes only single-octet identifiers.  To handle
+ * the HIGH TAG form we would need to modify this interface and
+ * teach it to properly encode the special form.
+ */
+static void
+sec_asn1e_write_identifier_bytes (sec_asn1e_state *state, unsigned char value)
+{
+    char byte;
+
+    byte = (char) value;
+    sec_asn1e_write_part (state, &byte, 1, SEC_ASN1_Identifier);
+}
+
+int
+SEC_ASN1EncodeLength(unsigned char *buf,int value) {
+    int lenlen;
+
+    lenlen = SEC_ASN1LengthLength (value);
+    if (lenlen == 1) {
+	buf[0] = value;
+    } else {
+	int i;
+
+	i = lenlen - 1;
+	buf[0] = 0x80 | i;
+	while (i) {
+	    buf[i--] = value;
+	    value >>= 8;
+	}
+        PORT_Assert (value == 0);
+    }
+    return lenlen;
+}
+
+static void
+sec_asn1e_write_length_bytes (sec_asn1e_state *state, unsigned long value,
+			      PRBool indefinite)
+{
+    int lenlen;
+    unsigned char buf[sizeof(unsigned long) + 1];
+
+    if (indefinite) {
+	PORT_Assert (value == 0);
+	buf[0] = 0x80;
+	lenlen = 1;
+    } else {
+	lenlen = SEC_ASN1EncodeLength(buf,value);
+    }
+
+    sec_asn1e_write_part (state, (char *) buf, lenlen, SEC_ASN1_Length);
+}
+
+
+static void
+sec_asn1e_write_contents_bytes (sec_asn1e_state *state,
+				const char *buf, unsigned long len)
+{
+    sec_asn1e_write_part (state, buf, len, SEC_ASN1_Contents);
+}
+
+
+static void
+sec_asn1e_write_end_of_contents_bytes (sec_asn1e_state *state)
+{
+    const char eoc[2] = {0, 0};
+
+    sec_asn1e_write_part (state, eoc, 2, SEC_ASN1_EndOfContents);
+}
+
+static int
+sec_asn1e_which_choice
+(
+  void *src,
+  const SEC_ASN1Template *theTemplate
+)
+{
+  int rv;
+  unsigned int which = *(unsigned int *)src;
+
+  for( rv = 1, theTemplate++; theTemplate->kind != 0; rv++, theTemplate++ ) {
+    if( which == theTemplate->size ) {
+      return rv;
+    }
+  }
+
+  return 0;
+}
+
+static unsigned long
+sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
+			   PRBool disallowStreaming, PRBool insideIndefinite,
+			   sec_asn1e_hdr_encoding *pHdrException)
+{
+    unsigned long encode_kind, underlying_kind;
+    PRBool isExplicit, optional, universal, may_stream;
+    unsigned long len;
+
+    /*
+     * This function currently calculates the length in all cases
+     * except the following: when writing out the contents of a 
+     * template that belongs to a state where it was a sub-template
+     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
+     * optional bit set.  The information that the parent is optional
+     * and that we should return the length of 0 when that length is 
+     * present since that means the optional field is no longer present.
+     * So we add the disallowStreaming flag which is passed in when
+     * writing the contents, but for all recursive calls to 
+     * sec_asn1e_contents_length, we pass PR_FALSE, because this
+     * function correctly calculates the length for children templates
+     * from that point on.  Confused yet?  At least you didn't have
+     * to figure it out.  ;)  -javi
+     */
+    encode_kind = theTemplate->kind;
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    isExplicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(isExplicit && universal));	/* bad templates */
+
+    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    /* Just clear this to get it out of the way; we do not need it here */
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+
+    if (encode_kind & SEC_ASN1_NO_STREAM) {
+	disallowStreaming = PR_TRUE;
+    }
+    encode_kind &= ~SEC_ASN1_NO_STREAM;
+
+    if (encode_kind & SEC_ASN1_CHOICE) {
+	void *src2;
+	int indx = sec_asn1e_which_choice(src, theTemplate);
+	if (0 == indx) {
+	    /* XXX set an error? "choice not found" */
+	    /* state->top->status = encodeError; */
+	    return 0;
+	}
+
+        src2 = (void *)
+	        ((char *)src - theTemplate->offset + theTemplate[indx].offset);
+
+        return sec_asn1e_contents_length(&theTemplate[indx], src2, 
+					 disallowStreaming, insideIndefinite,
+					 pHdrException);
+    }
+
+    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {
+	/* XXX any bits we want to disallow (PORT_Assert against) here? */
+	theTemplate = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    src = *(void **)src;
+	    if (src == NULL) {
+		*pHdrException = optional ? hdr_optional : hdr_normal;
+		return 0;
+	    }
+	} else if (encode_kind & SEC_ASN1_INLINE) {
+	    /* check that there are no extraneous bits */
+	    if (optional) {
+		if (PR_FALSE != SEC_ASN1IsTemplateSimple(theTemplate)) {
+		    /* we now know that the target is a SECItem*, so we can check
+		       if the source contains one */
+		    SECItem* target = (SECItem*)src;
+		    if (!target || !target->data || !target->len) {
+			/* no valid data to encode subtemplate */
+			*pHdrException = hdr_optional;
+			return 0;
+		    }
+		} else {
+		    PORT_Assert(0); /* complex templates not handled as inline
+                                       optional */
+		}
+	    }
+	}
+
+	src = (char *)src + theTemplate->offset;
+
+	/* recurse to find the length of the subtemplate */
+	len = sec_asn1e_contents_length (theTemplate, src, disallowStreaming, 
+	                                 insideIndefinite, pHdrException);
+	if (len == 0 && optional) {
+	    *pHdrException = hdr_optional;
+	} else if (isExplicit) {
+	    if (*pHdrException == hdr_any) {
+		/* *we* do not want to add in a header, 
+		** but our caller still does. 
+		*/
+		*pHdrException = hdr_normal;
+	    } else if (*pHdrException == hdr_normal) {
+		/* if the inner content exists, our length is
+		 * len(identifier) + len(length) + len(innercontent)
+		 * XXX we currently assume len(identifier) == 1;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		len += 1 + SEC_ASN1LengthLength (len);
+	    }
+	}
+	return len;
+    }
+    underlying_kind = encode_kind;
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (underlying_kind & SEC_ASN1_SAVE) {
+	/* check that there are no extraneous bits */
+	PORT_Assert (underlying_kind == SEC_ASN1_SAVE);
+	*pHdrException = hdr_decoder;
+	return 0;
+    }
+
+#define UNEXPECTED_FLAGS \
+ (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_INLINE | SEC_ASN1_POINTER |\
+  SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM | SEC_ASN1_SAVE | SEC_ASN1_SKIP)
+
+    /* Having any of these bits is not expected here...  */
+    PORT_Assert ((underlying_kind & UNEXPECTED_FLAGS) == 0);
+    underlying_kind &= ~UNEXPECTED_FLAGS;
+#undef UNEXPECTED_FLAGS
+
+    if (underlying_kind & SEC_ASN1_CHOICE) {
+	void *src2;
+	int indx = sec_asn1e_which_choice(src, theTemplate);
+	if (0 == indx) {
+	    /* XXX set an error? "choice not found" */
+	    /* state->top->status = encodeError; */
+	    return 0;
+	}
+
+        src2 = (void *)
+		((char *)src - theTemplate->offset + theTemplate[indx].offset);
+        len = sec_asn1e_contents_length(&theTemplate[indx], src2, 
+	                                disallowStreaming, insideIndefinite, 
+					pHdrException);
+    } else {
+      switch (underlying_kind) {
+      case SEC_ASN1_SEQUENCE_OF:
+      case SEC_ASN1_SET_OF:
+	{
+	    const SEC_ASN1Template *tmpt;
+	    void *sub_src;
+	    unsigned long sub_len;
+	    void **group;
+
+	    len = 0;
+
+	    group = *(void ***)src;
+	    if (group == NULL)
+		break;
+
+	    tmpt = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
+
+	    for (; *group != NULL; group++) {
+		sub_src = (char *)(*group) + tmpt->offset;
+		sub_len = sec_asn1e_contents_length (tmpt, sub_src, 
+		                                     disallowStreaming,
+						     insideIndefinite,
+                                                     pHdrException);
+		len += sub_len;
+		/*
+		 * XXX The 1 below is the presumed length of the identifier;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		if (*pHdrException == hdr_normal)
+		    len += 1 + SEC_ASN1LengthLength (sub_len);
+	    }
+	}
+	break;
+
+      case SEC_ASN1_SEQUENCE:
+      case SEC_ASN1_SET:
+	{
+	    const SEC_ASN1Template *tmpt;
+	    void *sub_src;
+	    unsigned long sub_len;
+
+	    len = 0;
+	    for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (char *)src + tmpt->offset;
+		sub_len = sec_asn1e_contents_length (tmpt, sub_src, 
+		                                     disallowStreaming,
+						     insideIndefinite,
+                                                     pHdrException);
+		len += sub_len;
+		/*
+		 * XXX The 1 below is the presumed length of the identifier;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		if (*pHdrException == hdr_normal)
+		    len += 1 + SEC_ASN1LengthLength (sub_len);
+	    }
+	}
+	break;
+
+      case SEC_ASN1_BIT_STRING:
+	/* convert bit length to byte */
+	len = (((SECItem *)src)->len + 7) >> 3;
+	/* bit string contents involve an extra octet */
+	if (len)
+	    len++;
+	break;
+
+      case SEC_ASN1_INTEGER:
+	/* ASN.1 INTEGERs are signed.
+	 * If the source is an unsigned integer, the encoder will need 
+	 * to handle the conversion here.
+	 */
+	{
+	    unsigned char *buf = ((SECItem *)src)->data;
+	    SECItemType integerType = ((SECItem *)src)->type;
+	    len = ((SECItem *)src)->len;
+	    while (len > 0) {
+		if (*buf != 0) {
+		    if (*buf & 0x80 && integerType == siUnsignedInteger) {
+			len++; /* leading zero needed to make number signed */
+		    }
+		    break; /* reached beginning of number */
+		}
+		if (len == 1) {
+		    break; /* the number 0 */
+		}
+		if (buf[1] & 0x80) {
+		    break; /* leading zero already present */
+		} 
+		/* extraneous leading zero, keep going */
+		buf++;
+		len--;
+	    }
+	}
+	break;
+
+      default:
+	len = ((SECItem *)src)->len;
+	break;
+      }  /* end switch */
+
+#ifndef WHAT_PROBLEM_DOES_THIS_SOLVE
+      /* if we're streaming, we may have a secitem w/len 0 as placeholder */
+      if (!len && insideIndefinite && may_stream && !disallowStreaming) {
+	  len = 1;
+      }
+#endif
+    }    /* end else */
+
+    if (len == 0 && optional)
+	*pHdrException = hdr_optional;
+    else if (underlying_kind == SEC_ASN1_ANY)
+	*pHdrException = hdr_any;
+    else 
+	*pHdrException = hdr_normal;
+
+    return len;
+}
+
+
+static void
+sec_asn1e_write_header (sec_asn1e_state *state)
+{
+    unsigned long contents_length;
+    unsigned char tag_number, tag_modifiers;
+    sec_asn1e_hdr_encoding hdrException = hdr_normal;
+    PRBool indefinite = PR_FALSE;
+
+    PORT_Assert (state->place == beforeHeader);
+
+    tag_number = state->tag_number;
+    tag_modifiers = state->tag_modifiers;
+
+    if (state->underlying_kind == SEC_ASN1_ANY) {
+	state->place = duringContents;
+	return;
+    }
+
+    if (state->underlying_kind & SEC_ASN1_CHOICE) {
+	int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
+	if( 0 == indx ) {
+	    /* XXX set an error? "choice not found" */
+	    state->top->status = encodeError;
+	    return;
+	}
+	state->place = afterChoice;
+	state = sec_asn1e_push_state(state->top, &state->theTemplate[indx],
+			       (char *)state->src - state->theTemplate->offset, 
+			       PR_TRUE);
+	if (state) {
+	    /*
+	     * Do the "before" field notification.
+	     */
+	    sec_asn1e_notify_before (state->top, state->src, state->depth);
+	    state = sec_asn1e_init_state_based_on_template (state);
+	}
+	return;
+    }
+
+    /* The !isString test below is apparently intended to ensure that all 
+    ** constructed types receive indefinite length encoding.
+    */
+   indefinite = (PRBool) 
+	(state->top->streaming && state->may_stream && 
+	 (state->top->from_buf || !state->is_string));
+
+    /*
+     * If we are doing a definite-length encoding, first we have to
+     * walk the data structure to calculate the entire contents length.
+     * If we are doing an indefinite-length encoding, we still need to 
+     * know if the contents is:
+     *    optional and to be omitted, or 
+     *    an ANY (header is pre-encoded), or 
+     *    a SAVE or some other kind of template used only by the decoder.
+     * So, we call this function either way.
+     */
+    contents_length = sec_asn1e_contents_length (state->theTemplate,
+						 state->src, 
+                                                 state->disallowStreaming,
+						 indefinite,
+                                                 &hdrException);
+    /*
+     * We might be told explicitly not to put out a header.
+     * But it can also be the case, via a pushed subtemplate, that
+     * sec_asn1e_contents_length could not know that this field is
+     * really optional.  So check for that explicitly, too.
+     */
+    if (hdrException != hdr_normal || 
+	(contents_length == 0 && state->optional)) {
+	state->place = afterContents;
+	if (state->top->streaming && 
+	    state->may_stream && 
+	    state->top->from_buf) {
+	    /* we did not find an optional indefinite string, so we 
+	     * don't encode it.  However, if TakeFromBuf is on, we stop 
+	     * here anyway to give our caller a chance to intercept at the 
+	     * same point where we would stop if the field were present. 
+	     */
+	    state->top->status = needBytes;
+	}
+	return;
+    }
+
+    if (indefinite) {
+	/*
+	 * We need to put out an indefinite-length encoding.
+	 * The only universal types that can be constructed are SETs,
+	 * SEQUENCEs, and strings; so check that it is one of those,
+	 * or that it is not universal (e.g. context-specific).
+	 */
+	state->indefinite = PR_TRUE;
+	PORT_Assert ((tag_number == SEC_ASN1_SET)
+		     || (tag_number == SEC_ASN1_SEQUENCE)
+		     || ((tag_modifiers & SEC_ASN1_CLASS_MASK) != 0)
+		     || state->is_string);
+	tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	contents_length = 0;
+    }
+
+    sec_asn1e_write_identifier_bytes (state, 
+                                (unsigned char)(tag_number | tag_modifiers));
+    sec_asn1e_write_length_bytes (state, contents_length, state->indefinite);
+
+    if (contents_length == 0 && !state->indefinite) {
+	/*
+	 * If no real contents to encode, then we are done with this field.
+	 */
+	state->place = afterContents;
+	return;
+    }
+
+    /*
+     * An EXPLICIT is nothing but an outer header, which we have already
+     * written.  Now we need to do the inner header and contents.
+     */
+    if (state->isExplicit) {
+	const SEC_ASN1Template *subt =
+	      SEC_ASN1GetSubtemplate(state->theTemplate, state->src, PR_TRUE);
+	state->place = afterContents;
+	state = sec_asn1e_push_state (state->top, subt, state->src, PR_TRUE);
+	if (state != NULL)
+	    state = sec_asn1e_init_state_based_on_template (state);
+	return;
+    }
+
+    switch (state->underlying_kind) {
+      case SEC_ASN1_SET_OF:
+      case SEC_ASN1_SEQUENCE_OF:
+	/*
+	 * We need to push a child to handle each member.
+	 */
+	{
+	    void **group;
+	    const SEC_ASN1Template *subt;
+
+	    group = *(void ***)state->src;
+	    if (group == NULL || *group == NULL) {
+		/*
+		 * Group is empty; we are done.
+		 */
+		state->place = afterContents;
+		return;
+	    }
+	    state->place = duringGroup;
+	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src,
+					   PR_TRUE);
+	    state = sec_asn1e_push_state (state->top, subt, *group, PR_TRUE);
+	    if (state != NULL)
+		state = sec_asn1e_init_state_based_on_template (state);
+	}
+	break;
+
+      case SEC_ASN1_SEQUENCE:
+      case SEC_ASN1_SET:
+	/*
+	 * We need to push a child to handle the individual fields.
+	 */
+	state->place = duringSequence;
+	state = sec_asn1e_push_state (state->top, state->theTemplate + 1,
+				      state->src, PR_TRUE);
+	if (state != NULL) {
+	    /*
+	     * Do the "before" field notification.
+	     */
+	    sec_asn1e_notify_before (state->top, state->src, state->depth);
+	    state = sec_asn1e_init_state_based_on_template (state);
+	}
+	break;
+
+      default:
+	/*
+	 * I think we do not need to do anything else.
+	 * XXX Correct?
+	 */
+	state->place = duringContents;
+	break;
+    }
+}
+
+
+static void
+sec_asn1e_write_contents_from_buf (sec_asn1e_state *state,
+			  const char *buf, unsigned long len)
+{
+    PORT_Assert (state->place == duringContents);
+    PORT_Assert (state->top->from_buf);
+    PORT_Assert (state->may_stream && !state->disallowStreaming);
+
+    /*
+     * Probably they just turned on "take from buf", but have not
+     * yet given us any bytes.  If there is nothing in the buffer
+     * then we have nothing to do but return and wait.
+     */
+    if (buf == NULL || len == 0) {
+	state->top->status = needBytes;
+	return;
+    }
+    /*
+     * We are streaming, reading from a passed-in buffer.
+     * This means we are encoding a simple string or an ANY.
+     * For the former, we need to put out a substring, with its
+     * own identifier and length.  For an ANY, we just write it
+     * out as is (our caller is required to ensure that it
+     * is a properly encoded entity).
+     */
+    PORT_Assert (state->is_string);		/* includes ANY */
+    if (state->underlying_kind != SEC_ASN1_ANY) {
+	unsigned char identifier;
+
+	/*
+	 * Create the identifier based on underlying_kind.  We cannot
+	 * use tag_number and tag_modifiers because this can be an
+	 * implicitly encoded field.  In that case, the underlying
+	 * substrings *are* encoded with their real tag.
+	 */
+	identifier = (unsigned char)
+	                    (state->underlying_kind & SEC_ASN1_TAG_MASK);
+	/*
+	 * The underlying kind should just be a simple string; there
+	 * should be no bits like CONTEXT_SPECIFIC or CONSTRUCTED set.
+	 */
+	PORT_Assert ((identifier & SEC_ASN1_TAGNUM_MASK) == identifier);
+	/*
+	 * Write out the tag and length for the substring.
+	 */
+	sec_asn1e_write_identifier_bytes (state, identifier);
+	if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
+	    char byte;
+	    /*
+	     * Assume we have a length in bytes but we need to output
+	     * a proper bit string.  This interface only works for bit
+	     * strings that are full multiples of 8.  If support for
+	     * real, variable length bit strings is needed then the
+	     * caller will have to know to pass in a bit length instead
+	     * of a byte length and then this code will have to
+	     * perform the encoding necessary (length written is length
+	     * in bytes plus 1, and the first octet of string is the
+	     * number of bits remaining between the end of the bit
+	     * string and the next byte boundary).
+	     */
+	    sec_asn1e_write_length_bytes (state, len + 1, PR_FALSE);
+	    byte = 0;
+	    sec_asn1e_write_contents_bytes (state, &byte, 1);
+	} else {
+	    sec_asn1e_write_length_bytes (state, len, PR_FALSE);
+	}
+    }
+    sec_asn1e_write_contents_bytes (state, buf, len);
+    state->top->status = needBytes;
+}
+
+static void
+sec_asn1e_write_contents (sec_asn1e_state *state)
+{
+    unsigned long len = 0;
+
+    PORT_Assert (state->place == duringContents);
+
+    switch (state->underlying_kind) {
+      case SEC_ASN1_SET:
+      case SEC_ASN1_SEQUENCE:
+	PORT_Assert (0);
+	break;
+
+      case SEC_ASN1_BIT_STRING:
+	{
+	    SECItem *item;
+	    char rem;
+
+	    item = (SECItem *)state->src;
+	    len = (item->len + 7) >> 3;
+	    rem = (unsigned char)((len << 3) - item->len); /* remaining bits */
+	    sec_asn1e_write_contents_bytes (state, &rem, 1);
+	    sec_asn1e_write_contents_bytes (state, (char *) item->data, len);
+	}
+	break;
+
+      case SEC_ASN1_BMP_STRING:
+	/* The number of bytes must be divisable by 2 */
+	if ((((SECItem *)state->src)->len) % 2) {
+	    SEC_ASN1EncoderContext *cx;
+
+	    cx = state->top;
+	    cx->status = encodeError;
+	    break;
+	}
+	/* otherwise, fall through to write the content */
+	goto process_string;
+
+      case SEC_ASN1_UNIVERSAL_STRING:
+	/* The number of bytes must be divisable by 4 */
+	if ((((SECItem *)state->src)->len) % 4) {
+	    SEC_ASN1EncoderContext *cx;
+
+	    cx = state->top;
+	    cx->status = encodeError;
+	    break;
+	}
+	/* otherwise, fall through to write the content */
+	goto process_string;
+
+      case SEC_ASN1_INTEGER:
+       /* ASN.1 INTEGERs are signed.  If the source is an unsigned
+	* integer, the encoder will need to handle the conversion here.
+	*/
+	{
+	    unsigned int blen;
+	    unsigned char *buf;
+	    SECItemType integerType;
+	    blen = ((SECItem *)state->src)->len;
+	    buf = ((SECItem *)state->src)->data;
+	    integerType = ((SECItem *)state->src)->type;
+	    while (blen > 0) {
+		if (*buf & 0x80 && integerType == siUnsignedInteger) {
+		    char zero = 0; /* write a leading 0 */
+		    sec_asn1e_write_contents_bytes(state, &zero, 1);
+		    /* and then the remaining buffer */
+		    sec_asn1e_write_contents_bytes(state, 
+						   (char *)buf, blen); 
+		    break;
+		} 
+		/* Check three possibilities:
+		 * 1.  No leading zeros, msb of MSB is not 1;
+		 * 2.  The number is zero itself;
+		 * 3.  Encoding a signed integer with a leading zero,
+		 *     keep the zero so that the number is positive.
+		 */
+		if (*buf != 0 || 
+		     blen == 1 || 
+		     (buf[1] & 0x80 && integerType != siUnsignedInteger) ) 
+		{
+		    sec_asn1e_write_contents_bytes(state, 
+						   (char *)buf, blen); 
+		    break;
+		}
+		/* byte is 0, continue */
+		buf++;
+		blen--;
+	    }
+	}
+	/* done with this content */
+	break;
+			
+process_string:			
+      default:
+	{
+	    SECItem *item;
+
+	    item = (SECItem *)state->src;
+	    sec_asn1e_write_contents_bytes (state, (char *) item->data,
+					    item->len);
+	}
+	break;
+    }
+    state->place = afterContents;
+}
+
+/*
+ * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
+ */
+static void
+sec_asn1e_next_in_group (sec_asn1e_state *state)
+{
+    sec_asn1e_state *child;
+    void **group;
+    void *member;
+
+    PORT_Assert (state->place == duringGroup);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    group = *(void ***)state->src;
+
+    /*
+     * Find placement of current item.
+     */
+    member = (char *)(state->child->src) - child->theTemplate->offset;
+    while (*group != member)
+	group++;
+
+    /*
+     * Move forward to next item.
+     */
+    group++;
+    if (*group == NULL) {
+	/*
+	 * That was our last one; we are done now.
+	 */
+	child->place = notInUse;
+	state->place = afterContents;
+	return;
+    }
+    child->src = (char *)(*group) + child->theTemplate->offset;
+
+    /*
+     * Re-"push" child.
+     */
+    sec_asn1e_scrub_state (child);
+    state->top->current = child;
+}
+
+
+/*
+ * We are moving along through a sequence; move forward by one,
+ * (detecting end-of-sequence when it happens).
+ */
+static void
+sec_asn1e_next_in_sequence (sec_asn1e_state *state)
+{
+    sec_asn1e_state *child;
+
+    PORT_Assert (state->place == duringSequence);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    /*
+     * Do the "after" field notification.
+     */
+    sec_asn1e_notify_after (state->top, child->src, child->depth);
+
+    /*
+     * Move forward.
+     */
+    child->theTemplate++;
+    if (child->theTemplate->kind == 0) {
+	/*
+	 * We are done with this sequence.
+	 */
+	child->place = notInUse;
+	state->place = afterContents;
+	return;
+    }
+
+    /*
+     * Reset state and push.
+     */
+
+    child->src = (char *)state->src + child->theTemplate->offset;
+
+    /*
+     * Do the "before" field notification.
+     */
+    sec_asn1e_notify_before (state->top, child->src, child->depth);
+
+    state->top->current = child;
+    (void) sec_asn1e_init_state_based_on_template (child);
+}
+
+
+static void
+sec_asn1e_after_contents (sec_asn1e_state *state)
+{
+    PORT_Assert (state->place == afterContents);
+
+    if (state->indefinite)
+	sec_asn1e_write_end_of_contents_bytes (state);
+
+    /*
+     * Just make my parent be the current state.  It will then clean
+     * up after me and free me (or reuse me).
+     */
+    state->top->current = state->parent;
+}
+
+
+/*
+ * This function is called whether or not we are streaming; if we
+ * *are* streaming, our caller can also instruct us to take bytes
+ * from the passed-in buffer (at buf, for length len, which is likely
+ * bytes but could even mean bits if the current field is a bit string).
+ * If we have been so instructed, we will gobble up bytes from there
+ * (rather than from our src structure) and output them, and then
+ * we will just return, expecting to be called again -- either with
+ * more bytes or after our caller has instructed us that we are done
+ * (for now) with the buffer.
+ */
+SECStatus
+SEC_ASN1EncoderUpdate (SEC_ASN1EncoderContext *cx,
+		       const char *buf, unsigned long len)
+{
+    sec_asn1e_state *state;
+
+    if (cx->status == needBytes) {
+	cx->status = keepGoing;
+    }
+
+    while (cx->status == keepGoing) {
+	state = cx->current;
+	switch (state->place) {
+	  case beforeHeader:
+	    sec_asn1e_write_header (state);
+	    break;
+	  case duringContents:
+	    if (cx->from_buf)
+		sec_asn1e_write_contents_from_buf (state, buf, len);
+	    else
+		sec_asn1e_write_contents (state);
+	    break;
+	  case duringGroup:
+	    sec_asn1e_next_in_group (state);
+	    break;
+	  case duringSequence:
+	    sec_asn1e_next_in_sequence (state);
+	    break;
+	  case afterContents:
+	    sec_asn1e_after_contents (state);
+	    break;
+	  case afterImplicit:
+	  case afterInline:
+	  case afterPointer:
+	  case afterChoice:
+	    /*
+	     * These states are more documentation than anything.
+	     * They just need to force a pop.
+	     */
+	    PORT_Assert (!state->indefinite);
+	    state->place = afterContents;
+	    break;
+	  case notInUse:
+	  default:
+	    /* This is not an error, but rather a plain old BUG! */
+	    PORT_Assert (0);
+	    cx->status = encodeError;
+	    break;
+	}
+
+	if (cx->status == encodeError)
+	    break;
+
+	/* It might have changed, so we have to update our local copy.  */
+	state = cx->current;
+
+	/* If it is NULL, we have popped all the way to the top.  */
+	if (state == NULL) {
+	    cx->status = allDone;
+	    break;
+	}
+    }
+
+    if (cx->status == encodeError) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+void
+SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
+{
+    /*
+     * XXX anything else that needs to be finished?
+     */
+
+    PORT_FreeArena (cx->our_pool, PR_FALSE);
+}
+
+
+SEC_ASN1EncoderContext *
+SEC_ASN1EncoderStart (const void *src, const SEC_ASN1Template *theTemplate,
+		      SEC_ASN1WriteProc output_proc, void *output_arg)
+{
+    PRArenaPool *our_pool;
+    SEC_ASN1EncoderContext *cx;
+
+    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (our_pool == NULL)
+	return NULL;
+
+    cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
+    if (cx == NULL) {
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    cx->our_pool = our_pool;
+    cx->output_proc = output_proc;
+    cx->output_arg = output_arg;
+
+    cx->status = keepGoing;
+
+    if (sec_asn1e_push_state(cx, theTemplate, src, PR_FALSE) == NULL
+	|| sec_asn1e_init_state_based_on_template (cx->current) == NULL) {
+	/*
+	 * Trouble initializing (probably due to failed allocations)
+	 * requires that we just give up.
+	 */
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    return cx;
+}
+
+
+/*
+ * XXX Do we need a FilterProc, too?
+ */
+
+
+void
+SEC_ASN1EncoderSetNotifyProc (SEC_ASN1EncoderContext *cx,
+			      SEC_ASN1NotifyProc fn, void *arg)
+{
+    cx->notify_proc = fn;
+    cx->notify_arg = arg;
+}
+
+
+void
+SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
+{
+    cx->notify_proc = NULL;
+    cx->notify_arg = NULL;	/* not necessary; just being clean */
+}
+
+void
+SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
+{
+    PORT_Assert(cx);
+    PORT_SetError(error);
+    cx->status = encodeError;
+}
+
+void
+SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)
+{
+    /* XXX is there a way to check that we are "between" fields here? */
+
+    cx->streaming = PR_TRUE;
+}
+
+
+void
+SEC_ASN1EncoderClearStreaming (SEC_ASN1EncoderContext *cx)
+{
+    /* XXX is there a way to check that we are "between" fields here? */
+
+    cx->streaming = PR_FALSE;
+}
+
+
+void
+SEC_ASN1EncoderSetTakeFromBuf (SEC_ASN1EncoderContext *cx)
+{
+    /* 
+     * XXX is there a way to check that we are "between" fields here?  this
+     * needs to include a check for being in between groups of items in
+     * a SET_OF or SEQUENCE_OF.
+     */
+    PORT_Assert (cx->streaming);
+
+    cx->from_buf = PR_TRUE;
+}
+
+
+void
+SEC_ASN1EncoderClearTakeFromBuf (SEC_ASN1EncoderContext *cx)
+{
+    /* we should actually be taking from buf *now* */
+    PORT_Assert (cx->from_buf);
+    if (! cx->from_buf)		/* if not, just do nothing */
+	return;
+
+    cx->from_buf = PR_FALSE;
+
+    if (cx->status == needBytes) {
+	cx->status = keepGoing;
+	cx->current->place = afterContents;
+    }
+}
+
+
+SECStatus
+SEC_ASN1Encode (const void *src, const SEC_ASN1Template *theTemplate,
+		SEC_ASN1WriteProc output_proc, void *output_arg)
+{
+    SEC_ASN1EncoderContext *ecx;
+    SECStatus rv;
+
+    ecx = SEC_ASN1EncoderStart (src, theTemplate, output_proc, output_arg);
+    if (ecx == NULL)
+	return SECFailure;
+
+    rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0);
+
+    SEC_ASN1EncoderFinish (ecx);
+    return rv;
+}
+
+
+/*
+ * XXX depth and data_kind are unused; is there a PC way to silence warnings?
+ * (I mean "politically correct", not anything to do with intel/win platform) 
+ */
+static void
+sec_asn1e_encode_item_count (void *arg, const char *buf, unsigned long len,
+			     int depth, SEC_ASN1EncodingPart data_kind)
+{
+    unsigned long *count;
+
+    count = (unsigned long*)arg;
+    PORT_Assert (count != NULL);
+
+    *count += len;
+}
+
+
+/* XXX depth and data_kind are unused; is there a PC way to silence warnings? */
+static void
+sec_asn1e_encode_item_store (void *arg, const char *buf, unsigned long len,
+			     int depth, SEC_ASN1EncodingPart data_kind)
+{
+    SECItem *dest;
+
+    dest = (SECItem*)arg;
+    PORT_Assert (dest != NULL);
+
+    PORT_Memcpy (dest->data + dest->len, buf, len);
+    dest->len += len;
+}
+
+
+/*
+ * Allocate an entire SECItem, or just the data part of it, to hold
+ * "len" bytes of stuff.  Allocate from the given pool, if specified,
+ * otherwise just do a vanilla PORT_Alloc.
+ *
+ * XXX This seems like a reasonable general-purpose function (for SECITEM_)?
+ */
+static SECItem *
+sec_asn1e_allocate_item (PRArenaPool *poolp, SECItem *dest, unsigned long len)
+{
+    if (poolp != NULL) {
+	void *release;
+
+	release = PORT_ArenaMark (poolp);
+	if (dest == NULL)
+	    dest = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
+	if (dest != NULL) {
+	    dest->data = (unsigned char*)PORT_ArenaAlloc (poolp, len);
+	    if (dest->data == NULL) {
+		dest = NULL;
+	    }
+	}
+	if (dest == NULL) {
+	    /* one or both allocations failed; release everything */
+	    PORT_ArenaRelease (poolp, release);
+	} else {
+	    /* everything okay; unmark the arena */
+	    PORT_ArenaUnmark (poolp, release);
+	}
+    } else {
+	SECItem *indest;
+
+	indest = dest;
+	if (dest == NULL)
+	    dest = (SECItem*)PORT_Alloc (sizeof(SECItem));
+	if (dest != NULL) {
+	    dest->type = siBuffer;
+	    dest->data = (unsigned char*)PORT_Alloc (len);
+	    if (dest->data == NULL) {
+		if (indest == NULL)
+		    PORT_Free (dest);
+		dest = NULL;
+	    }
+	}
+    }
+
+    return dest;
+}
+
+
+SECItem *
+SEC_ASN1EncodeItem (PRArenaPool *poolp, SECItem *dest, const void *src,
+		    const SEC_ASN1Template *theTemplate)
+{
+    unsigned long encoding_length;
+    SECStatus rv;
+
+    PORT_Assert (dest == NULL || dest->data == NULL);
+
+    encoding_length = 0;
+    rv = SEC_ASN1Encode (src, theTemplate,
+			 sec_asn1e_encode_item_count, &encoding_length);
+    if (rv != SECSuccess)
+	return NULL;
+
+    dest = sec_asn1e_allocate_item (poolp, dest, encoding_length);
+    if (dest == NULL)
+	return NULL;
+
+    /* XXX necessary?  This really just checks for a bug in the allocate fn */
+    PORT_Assert (dest->data != NULL);
+    if (dest->data == NULL)
+	return NULL;
+
+    dest->len = 0;
+    (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest);
+
+    PORT_Assert (encoding_length == dest->len);
+    return dest;
+}
+
+
+static SECItem *
+sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
+		  PRBool make_unsigned)
+{
+    unsigned long copy;
+    unsigned char sign;
+    int len = 0;
+
+    /*
+     * Determine the length of the encoded value (minimum of 1).
+     */
+    copy = value;
+    do {
+	len++;
+	sign = (unsigned char)(copy & 0x80);
+	copy >>= 8;
+    } while (copy);
+
+    /*
+     * If this is an unsigned encoding, and the high bit of the last
+     * byte we counted was set, we need to add one to the length so
+     * we put a high-order zero byte in the encoding.
+     */
+    if (sign && make_unsigned)
+	len++;
+
+    /*
+     * Allocate the item (if necessary) and the data pointer within.
+     */
+    dest = sec_asn1e_allocate_item (poolp, dest, len);
+    if (dest == NULL)
+	return NULL;
+
+    /*
+     * Store the value, byte by byte, in the item.
+     */
+    dest->len = len;
+    while (len) {
+	dest->data[--len] = (unsigned char)value;
+	value >>= 8;
+    }
+    PORT_Assert (value == 0);
+
+    return dest;
+}
+
+
+SECItem *
+SEC_ASN1EncodeInteger(PRArenaPool *poolp, SECItem *dest, long value)
+{
+    return sec_asn1e_integer (poolp, dest, (unsigned long) value, PR_FALSE);
+}
+
+
+SECItem *
+SEC_ASN1EncodeUnsignedInteger(PRArenaPool *poolp,
+			      SECItem *dest, unsigned long value)
+{
+    return sec_asn1e_integer (poolp, dest, value, PR_TRUE);
+}
diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h
new file mode 100644
index 000000000..3b3036f30
--- /dev/null
+++ b/security/nss/lib/util/secasn1t.h
@@ -0,0 +1,302 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+#ifndef _SECASN1T_H_
+#define _SECASN1T_H_
+
+#include "utilrename.h"
+
+/*
+** An array of these structures defines a BER/DER encoding for an object.
+**
+** The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE;
+** such an array is terminated with an entry where kind == 0.  (An array
+** which consists of a single component does not require a second dummy
+** entry -- the array is only searched as long as previous component(s)
+** instruct it.)
+*/
+typedef struct sec_ASN1Template_struct {
+    /*
+    ** Kind of item being decoded/encoded, including tags and modifiers.
+    */
+    unsigned long kind;
+
+    /*
+    ** The value is the offset from the base of the structure to the
+    ** field that holds the value being decoded/encoded.
+    */
+    unsigned long offset;
+
+    /*
+    ** When kind suggests it (SEC_ASN1_POINTER, SEC_ASN1_GROUP, SEC_ASN1_INLINE,
+    ** or a component that is *not* a SEC_ASN1_UNIVERSAL), this points to
+    ** a sub-template for nested encoding/decoding,
+    ** OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer
+    ** to a function which will return the appropriate template when called
+    ** at runtime.  NOTE! that explicit level of indirection, which is
+    ** necessary because ANSI does not allow you to store a function
+    ** pointer directly as a "void *" so we must store it separately and
+    ** dereference it to get at the function pointer itself.
+    */
+    const void *sub;
+
+    /*
+    ** In the first element of a template array, the value is the size
+    ** of the structure to allocate when this template is being referenced
+    ** by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP.
+    ** In all other cases, the value is ignored.
+    */
+    unsigned int size;
+} SEC_ASN1Template;
+
+
+/* default size used for allocation of encoding/decoding stuff */
+/* XXX what is the best value here? */
+#define SEC_ASN1_DEFAULT_ARENA_SIZE	(2048)
+
+/*
+** BER/DER values for ASN.1 identifier octets.
+*/
+#define SEC_ASN1_TAG_MASK		0xff
+
+/*
+ * BER/DER universal type tag numbers.
+ * The values are defined by the X.208 standard; do not change them!
+ * NOTE: if you add anything to this list, you must add code to secasn1d.c
+ * to accept the tag, and probably also to secasn1e.c to encode it.
+ * XXX It appears some have been added recently without being added to
+ * the code; so need to go through the list now and double-check them all.
+ * (Look especially at those added in revision 1.10.)
+ */
+#define SEC_ASN1_TAGNUM_MASK		0x1f
+#define SEC_ASN1_BOOLEAN		0x01
+#define SEC_ASN1_INTEGER		0x02
+#define SEC_ASN1_BIT_STRING		0x03
+#define SEC_ASN1_OCTET_STRING		0x04
+#define SEC_ASN1_NULL			0x05
+#define SEC_ASN1_OBJECT_ID		0x06
+#define SEC_ASN1_OBJECT_DESCRIPTOR      0x07
+/* External type and instance-of type   0x08 */
+#define SEC_ASN1_REAL                   0x09
+#define SEC_ASN1_ENUMERATED		0x0a
+#define SEC_ASN1_EMBEDDED_PDV           0x0b
+#define SEC_ASN1_UTF8_STRING		0x0c
+/*                                      0x0d */
+/*                                      0x0e */
+/*                                      0x0f */
+#define SEC_ASN1_SEQUENCE		0x10
+#define SEC_ASN1_SET			0x11
+#define SEC_ASN1_NUMERIC_STRING         0x12
+#define SEC_ASN1_PRINTABLE_STRING	0x13
+#define SEC_ASN1_T61_STRING		0x14
+#define SEC_ASN1_VIDEOTEX_STRING        0x15
+#define SEC_ASN1_IA5_STRING		0x16
+#define SEC_ASN1_UTC_TIME		0x17
+#define SEC_ASN1_GENERALIZED_TIME	0x18
+#define SEC_ASN1_GRAPHIC_STRING         0x19
+#define SEC_ASN1_VISIBLE_STRING		0x1a
+#define SEC_ASN1_GENERAL_STRING         0x1b
+#define SEC_ASN1_UNIVERSAL_STRING	0x1c
+/*                                      0x1d */
+#define SEC_ASN1_BMP_STRING		0x1e
+#define SEC_ASN1_HIGH_TAG_NUMBER	0x1f
+#define SEC_ASN1_TELETEX_STRING 	SEC_ASN1_T61_STRING
+
+/*
+** Modifiers to type tags.  These are also specified by a/the
+** standard, and must not be changed.
+*/
+
+#define SEC_ASN1_METHOD_MASK		0x20
+#define SEC_ASN1_PRIMITIVE		0x00
+#define SEC_ASN1_CONSTRUCTED		0x20
+
+#define SEC_ASN1_CLASS_MASK		0xc0
+#define SEC_ASN1_UNIVERSAL		0x00
+#define SEC_ASN1_APPLICATION		0x40
+#define SEC_ASN1_CONTEXT_SPECIFIC	0x80
+#define SEC_ASN1_PRIVATE		0xc0
+
+/*
+** Our additions, used for templates.
+** These are not defined by any standard; the values are used internally only.
+** Just be careful to keep them out of the low 8 bits.
+** XXX finish comments
+*/
+#define SEC_ASN1_OPTIONAL	0x00100
+#define SEC_ASN1_EXPLICIT	0x00200
+#define SEC_ASN1_ANY		0x00400
+#define SEC_ASN1_INLINE		0x00800
+#define SEC_ASN1_POINTER	0x01000
+#define SEC_ASN1_GROUP		0x02000	/* with SET or SEQUENCE means
+					 * SET OF or SEQUENCE OF */
+#define SEC_ASN1_DYNAMIC	0x04000 /* subtemplate is found by calling
+					 * a function at runtime */
+#define SEC_ASN1_SKIP		0x08000 /* skip a field; only for decoding */
+#define SEC_ASN1_INNER		0x10000	/* with ANY means capture the
+					 * contents only (not the id, len,
+					 * or eoc); only for decoding */
+#define SEC_ASN1_SAVE		0x20000 /* stash away the encoded bytes first;
+					 * only for decoding */
+#define SEC_ASN1_MAY_STREAM	0x40000	/* field or one of its sub-fields may
+					 * stream in and so should encode as
+					 * indefinite-length when streaming
+					 * has been indicated; only for
+					 * encoding */
+#define SEC_ASN1_SKIP_REST	0x80000	/* skip all following fields;
+					   only for decoding */
+#define SEC_ASN1_CHOICE        0x100000 /* pick one from a template */
+#define SEC_ASN1_NO_STREAM     0X200000 /* This entry will not stream
+                                           even if the sub-template says
+                                           streaming is possible.  Helps
+                                           to solve ambiguities with potential
+                                           streaming entries that are 
+                                           optional */
+#define SEC_ASN1_DEBUG_BREAK   0X400000 /* put this in your template and the
+                                           decoder will assert when it
+                                           processes it. Only for use with
+                                           SEC_QuickDERDecodeItem */
+
+                                          
+
+/* Shorthand/Aliases */
+#define SEC_ASN1_SEQUENCE_OF	(SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
+#define SEC_ASN1_SET_OF		(SEC_ASN1_GROUP | SEC_ASN1_SET)
+#define SEC_ASN1_ANY_CONTENTS	(SEC_ASN1_ANY | SEC_ASN1_INNER)
+
+/* Maximum depth of nested SEQUENCEs and SETs */
+#define SEC_ASN1D_MAX_DEPTH 32
+
+/*
+** Function used for SEC_ASN1_DYNAMIC.
+** "arg" is a pointer to the structure being encoded/decoded
+** "enc", when true, means that we are encoding (false means decoding)
+*/
+typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
+typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
+
+#if defined(_WIN32)
+#define SEC_ASN1_GET(x)        NSS_Get_##x(NULL, PR_FALSE)
+#define SEC_ASN1_SUB(x)        &p_NSS_Get_##x
+#define SEC_ASN1_XTRN          SEC_ASN1_DYNAMIC
+#define SEC_ASN1_MKSUB(x) \
+static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
+#else
+#define SEC_ASN1_GET(x)        x
+#define SEC_ASN1_SUB(x)        x
+#define SEC_ASN1_XTRN          0
+#define SEC_ASN1_MKSUB(x) 
+#endif
+
+#define SEC_ASN1_CHOOSER_DECLARE(x) \
+extern const SEC_ASN1Template * NSS_Get_##x (void *arg, PRBool enc);
+
+#define SEC_ASN1_CHOOSER_IMPLEMENT(x) \
+const SEC_ASN1Template * NSS_Get_##x(void * arg, PRBool enc) \
+{ return x; }
+
+/*
+** Opaque object used by the decoder to store state.
+*/
+typedef struct sec_DecoderContext_struct SEC_ASN1DecoderContext;
+
+/*
+** Opaque object used by the encoder to store state.
+*/
+typedef struct sec_EncoderContext_struct SEC_ASN1EncoderContext;
+
+/*
+ * This is used to describe to a filter function the bytes that are
+ * being passed to it.  This is only useful when the filter is an "outer"
+ * one, meaning it expects to get *all* of the bytes not just the
+ * contents octets.
+ */
+typedef enum {
+    SEC_ASN1_Identifier = 0,
+    SEC_ASN1_Length = 1,
+    SEC_ASN1_Contents = 2,
+    SEC_ASN1_EndOfContents = 3
+} SEC_ASN1EncodingPart;
+
+/*
+ * Type of the function pointer used either for decoding or encoding,
+ * when doing anything "funny" (e.g. manipulating the data stream)
+ */ 
+typedef void (* SEC_ASN1NotifyProc)(void *arg, PRBool before,
+				    void *dest, int real_depth);
+
+/*
+ * Type of the function pointer used for grabbing encoded bytes.
+ * This can be used during either encoding or decoding, as follows...
+ *
+ * When decoding, this can be used to filter the encoded bytes as they
+ * are parsed.  This is what you would do if you wanted to process the data
+ * along the way (like to decrypt it, or to perform a hash on it in order
+ * to do a signature check later).  See SEC_ASN1DecoderSetFilterProc().
+ * When processing only part of the encoded bytes is desired, you "watch"
+ * for the field(s) you are interested in with a "notify proc" (see
+ * SEC_ASN1DecoderSetNotifyProc()) and for even finer granularity (e.g. to
+ * ignore all by the contents bytes) you pay attention to the "data_kind"
+ * parameter.
+ *
+ * When encoding, this is the specification for the output function which
+ * will receive the bytes as they are encoded.  The output function can
+ * perform any postprocessing necessary (like hashing (some of) the data
+ * to create a digest that gets included at the end) as well as shoving
+ * the data off wherever it needs to go.  (In order to "tune" any processing,
+ * you can set a "notify proc" as described above in the decoding case.)
+ *
+ * The parameters:
+ * - "arg" is an opaque pointer that you provided at the same time you
+ *   specified a function of this type
+ * - "data" is a buffer of length "len", containing the encoded bytes
+ * - "depth" is how deep in a nested encoding we are (it is not usually
+ *   valuable, but can be useful sometimes so I included it)
+ * - "data_kind" tells you if these bytes are part of the ASN.1 encoded
+ *   octets for identifier, length, contents, or end-of-contents
+ */ 
+typedef void (* SEC_ASN1WriteProc)(void *arg,
+				   const char *data, unsigned long len,
+				   int depth, SEC_ASN1EncodingPart data_kind);
+
+#endif /* _SECASN1T_H_ */
diff --git a/security/nss/lib/util/secasn1u.c b/security/nss/lib/util/secasn1u.c
new file mode 100644
index 000000000..1514bd7ed
--- /dev/null
+++ b/security/nss/lib/util/secasn1u.c
@@ -0,0 +1,131 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Utility routines to complement the ASN.1 encoding and decoding functions.
+ *
+ * $Id$
+ */
+
+#include "secasn1.h"
+
+
+/*
+ * We have a length that needs to be encoded; how many bytes will the
+ * encoding take?
+ *
+ * The rules are that 0 - 0x7f takes one byte (the length itself is the
+ * entire encoding); everything else takes one plus the number of bytes
+ * in the length.
+ */
+int
+SEC_ASN1LengthLength (unsigned long len)
+{
+    int lenlen = 1;
+
+    if (len > 0x7f) {
+	do {
+	    lenlen++;
+	    len >>= 8;
+	} while (len);
+    }
+
+    return lenlen;
+}
+
+
+/*
+ * XXX Move over (and rewrite as appropriate) the rest of the
+ * stuff in dersubr.c!
+ */
+
+
+/*
+ * Find the appropriate subtemplate for the given template.
+ * This may involve calling a "chooser" function, or it may just
+ * be right there.  In either case, it is expected to *have* a
+ * subtemplate; this is asserted in debug builds (in non-debug
+ * builds, NULL will be returned).
+ *
+ * "thing" is a pointer to the structure being encoded/decoded
+ * "encoding", when true, means that we are in the process of encoding
+ *	(as opposed to in the process of decoding)
+ */
+const SEC_ASN1Template *
+SEC_ASN1GetSubtemplate (const SEC_ASN1Template *theTemplate, void *thing,
+			PRBool encoding)
+{
+    const SEC_ASN1Template *subt = NULL;
+
+    PORT_Assert (theTemplate->sub != NULL);
+    if (theTemplate->sub != NULL) {
+	if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
+	    SEC_ASN1TemplateChooserPtr chooserp;
+
+	    chooserp = *(SEC_ASN1TemplateChooserPtr *) theTemplate->sub;
+	    if (chooserp) {
+		if (thing != NULL)
+		    thing = (char *)thing - theTemplate->offset;
+		subt = (* chooserp)(thing, encoding);
+	    }
+	} else {
+	    subt = (SEC_ASN1Template*)theTemplate->sub;
+	}
+    }
+    return subt;
+}
+
+PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate)
+{
+    if (!theTemplate) {
+	return PR_TRUE; /* it doesn't get any simpler than NULL */
+    }
+    /* only templates made of one primitive type or a choice of primitive
+       types are considered simple */
+    if (! (theTemplate->kind & (~SEC_ASN1_TAGNUM_MASK))) {
+	return PR_TRUE; /* primitive type */
+    }
+    if (!theTemplate->kind & SEC_ASN1_CHOICE) {
+	return PR_FALSE; /* no choice means not simple */
+    }
+    while (++theTemplate && theTemplate->kind) {
+	if (theTemplate->kind & (~SEC_ASN1_TAGNUM_MASK)) {
+	    return PR_FALSE; /* complex type */
+	}
+    }
+    return PR_TRUE; /* choice of primitive types */
+}
+
diff --git a/security/nss/lib/util/seccomon.h b/security/nss/lib/util/seccomon.h
new file mode 100644
index 000000000..1ba9a656e
--- /dev/null
+++ b/security/nss/lib/util/seccomon.h
@@ -0,0 +1,119 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * seccomon.h - common data structures for security libraries
+ *
+ * This file should have lowest-common-denominator datastructures
+ * for security libraries.  It should not be dependent on any other
+ * headers, and should not require linking with any libraries.
+ *
+ * $Id$
+ */
+
+#ifndef _SECCOMMON_H_
+#define _SECCOMMON_H_
+
+#include "utilrename.h"
+#include "prtypes.h"
+
+
+#ifdef __cplusplus 
+# define SEC_BEGIN_PROTOS extern "C" {
+# define SEC_END_PROTOS }
+#else
+# define SEC_BEGIN_PROTOS
+# define SEC_END_PROTOS
+#endif
+
+#include "secport.h"
+
+typedef enum {
+    siBuffer = 0,
+    siClearDataBuffer = 1,
+    siCipherDataBuffer = 2,
+    siDERCertBuffer = 3,
+    siEncodedCertBuffer = 4,
+    siDERNameBuffer = 5,
+    siEncodedNameBuffer = 6,
+    siAsciiNameString = 7,
+    siAsciiString = 8,
+    siDEROID = 9,
+    siUnsignedInteger = 10,
+    siUTCTime = 11,
+    siGeneralizedTime = 12,
+    siVisibleString = 13,
+    siUTF8String = 14,
+    siBMPString = 15
+} SECItemType;
+
+typedef struct SECItemStr SECItem;
+
+struct SECItemStr {
+    SECItemType type;
+    unsigned char *data;
+    unsigned int len;
+};
+
+/*
+** A status code. Status's are used by procedures that return status
+** values. Again the motivation is so that a compiler can generate
+** warnings when return values are wrong. Correct testing of status codes:
+**
+**	SECStatus rv;
+**	rv = some_function (some_argument);
+**	if (rv != SECSuccess)
+**		do_an_error_thing();
+**
+*/
+typedef enum _SECStatus {
+    SECWouldBlock = -2,
+    SECFailure = -1,
+    SECSuccess = 0
+} SECStatus;
+
+/*
+** A comparison code. Used for procedures that return comparision
+** values. Again the motivation is so that a compiler can generate
+** warnings when return values are wrong.
+*/
+typedef enum _SECComparison {
+    SECLessThan = -1,
+    SECEqual = 0,
+    SECGreaterThan = 1
+} SECComparison;
+
+#endif /* _SECCOMMON_H_ */
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
new file mode 100644
index 000000000..b227227b9
--- /dev/null
+++ b/security/nss/lib/util/secder.h
@@ -0,0 +1,211 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECDER_H_
+#define _SECDER_H_
+
+#include "utilrename.h"
+
+/*
+ * secder.h - public data structures and prototypes for the DER encoding and
+ *	      decoding utilities library
+ *
+ * $Id$
+ */
+
+#if defined(_WIN32_WCE)
+#else
+#include <time.h>
+#endif
+
+#include "plarena.h"
+#include "prlong.h"
+
+#include "seccomon.h"
+#include "secdert.h"
+#include "prtime.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Encode a data structure into DER.
+**	"dest" will be filled in (and memory allocated) to hold the der
+**	   encoded structure in "src"
+**	"t" is a template structure which defines the shape of the
+**	   stored data
+**	"src" is a pointer to the structure that will be encoded
+*/
+extern SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
+			   void *src);
+
+extern SECStatus DER_Lengths(SECItem *item, int *header_len_p,
+                             PRUint32 *contents_len_p);
+
+/*
+** Lower level der subroutine that stores the standard header into "to".
+** The header is of variable length, based on encodingLen.
+** The return value is the new value of "to" after skipping over the header.
+**	"to" is where the header will be stored
+**	"code" is the der code to write
+**	"encodingLen" is the number of bytes of data that will follow
+**	   the header
+*/
+extern unsigned char *DER_StoreHeader(unsigned char *to, unsigned int code,
+				      PRUint32 encodingLen);
+
+/*
+** Return the number of bytes it will take to hold a der encoded length.
+*/
+extern int DER_LengthLength(PRUint32 len);
+
+/*
+** Store a der encoded *signed* integer (whose value is "src") into "dst".
+** XXX This should really be enhanced to take a long.
+*/
+extern SECStatus DER_SetInteger(PLArenaPool *arena, SECItem *dst, PRInt32 src);
+
+/*
+** Store a der encoded *unsigned* integer (whose value is "src") into "dst".
+** XXX This should really be enhanced to take an unsigned long.
+*/
+extern SECStatus DER_SetUInteger(PLArenaPool *arena, SECItem *dst, PRUint32 src);
+
+/*
+** Decode a der encoded *signed* integer that is stored in "src".
+** If "-1" is returned, then the caller should check the error in
+** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
+*/
+extern long DER_GetInteger(SECItem *src);
+
+/*
+** Decode a der encoded *unsigned* integer that is stored in "src".
+** If the ULONG_MAX is returned, then the caller should check the error
+** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
+*/
+extern unsigned long DER_GetUInteger(SECItem *src);
+
+/*
+** Convert an NSPR time value to a der encoded time value.
+**	"result" is the der encoded time (memory is allocated)
+**	"time" is the NSPR time value (Since Jan 1st, 1970).
+**      time must be on or after January 1, 1950, and
+**      before January 1, 2050
+** The caller is responsible for freeing up the buffer which
+** result->data points to upon a successful operation.
+*/
+extern SECStatus DER_TimeToUTCTime(SECItem *result, PRTime time);
+extern SECStatus DER_TimeToUTCTimeArena(PLArenaPool* arenaOpt,
+                                        SECItem *dst, PRTime gmttime);
+
+
+/*
+** Convert an ascii encoded time value (according to DER rules) into
+** an NSPR time value.
+**	"result" the resulting NSPR time
+**	"string" the der notation ascii value to decode
+*/
+extern SECStatus DER_AsciiToTime(PRTime *result, const char *string);
+
+/*
+** Same as DER_AsciiToTime except takes an SECItem instead of a string
+*/
+extern SECStatus DER_UTCTimeToTime(PRTime *result, const SECItem *time);
+
+/*
+** Convert a DER encoded UTC time to an ascii time representation
+** "utctime" is the DER encoded UTC time to be converted. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *DER_UTCTimeToAscii(SECItem *utcTime);
+
+/*
+** Convert a DER encoded UTC time to an ascii time representation, but only
+** include the day, not the time.
+**	"utctime" is the DER encoded UTC time to be converted.
+** The caller is responsible for deallocating the returned buffer.
+*/
+extern char *DER_UTCDayToAscii(SECItem *utctime);
+/* same thing for DER encoded GeneralizedTime */
+extern char *DER_GeneralizedDayToAscii(SECItem *gentime);
+/* same thing for either DER UTCTime or GeneralizedTime */
+extern char *DER_TimeChoiceDayToAscii(SECItem *timechoice);
+
+/*
+** Convert a PRTime time to a DER encoded Generalized time
+** gmttime must be on or after January 1, year 1 and
+** before January 1, 10000.
+*/
+extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, PRTime gmttime);
+extern SECStatus DER_TimeToGeneralizedTimeArena(PLArenaPool* arenaOpt,
+                                                SECItem *dst, PRTime gmttime);
+
+/*
+** Convert a DER encoded Generalized time value into an NSPR time value.
+**	"dst" the resulting NSPR time
+**	"string" the der notation ascii value to decode
+*/
+extern SECStatus DER_GeneralizedTimeToTime(PRTime *dst, const SECItem *time);
+
+/*
+** Convert from a PRTime UTC time value to a formatted ascii value. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *CERT_UTCTime2FormattedAscii (PRTime utcTime, char *format);
+#define CERT_GeneralizedTime2FormattedAscii CERT_UTCTime2FormattedAscii
+
+/*
+** Convert from a PRTime Generalized time value to a formatted ascii value. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *CERT_GenTime2FormattedAscii (PRTime genTime, char *format);
+
+/*
+** decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME 
+** or a SEC_ASN1_UTC_TIME
+*/
+
+extern SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input);
+
+/* encode a PRTime to an ASN.1 DER SECItem containing either a
+   SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
+
+extern SECStatus DER_EncodeTimeChoice(PLArenaPool* arena, SECItem* output,
+                                       PRTime input);
+
+SEC_END_PROTOS
+
+#endif /* _SECDER_H_ */
+
diff --git a/security/nss/lib/util/secdert.h b/security/nss/lib/util/secdert.h
new file mode 100644
index 000000000..d7aba05ee
--- /dev/null
+++ b/security/nss/lib/util/secdert.h
@@ -0,0 +1,163 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECDERT_H_
+#define _SECDERT_H_
+/*
+ * secdert.h - public data structures for the DER encoding and
+ *	       decoding utilities library
+ *
+ * $Id$
+ */
+
+#include "utilrename.h"
+#include "seccomon.h"
+
+typedef struct DERTemplateStr DERTemplate;
+
+/*
+** An array of these structures defines an encoding for an object using DER.
+** The array usually starts with a dummy entry whose kind is DER_SEQUENCE;
+** such an array is terminated with an entry where kind == 0.  (An array
+** which consists of a single component does not require a second dummy
+** entry -- the array is only searched as long as previous component(s)
+** instruct it.)
+*/
+struct DERTemplateStr {
+    /*
+    ** Kind of item being decoded/encoded, including tags and modifiers.
+    */
+    unsigned long kind;
+
+    /*
+    ** Offset from base of structure to field that holds the value
+    ** being decoded/encoded.
+    */
+    unsigned int offset;
+
+    /*
+    ** When kind suggests it (DER_POINTER, DER_INDEFINITE, DER_INLINE),
+    ** this points to a sub-template for nested encoding/decoding.
+    */
+    DERTemplate *sub;
+
+    /*
+    ** Argument value, dependent on "kind" and/or template placement
+    ** within an array of templates:
+    **	- In the first element of a template array, the value is the
+    **	  size of the structure to allocate when this template is being
+    **	  referenced by another template via DER_POINTER or DER_INDEFINITE.
+    **  - In a component of a DER_SET or DER_SEQUENCE which is *not* a
+    **	  DER_UNIVERSAL type (that is, it has a class tag for either
+    **	  DER_APPLICATION, DER_CONTEXT_SPECIFIC, or DER_PRIVATE), the
+    **	  value is the underlying type of item being decoded/encoded.
+    */
+    unsigned long arg;
+};
+
+/************************************************************************/
+
+/* default chunksize for arenas used for DER stuff */
+#define DER_DEFAULT_CHUNKSIZE (2048)
+
+/*
+** BER/DER values for ASN.1 identifier octets.
+*/
+#define DER_TAG_MASK		0xff
+
+/*
+ * BER/DER universal type tag numbers.
+ * The values are defined by the X.208 standard; do not change them!
+ * NOTE: if you add anything to this list, you must add code to derdec.c
+ * to accept the tag, and probably also to derenc.c to encode it.
+ */
+#define DER_TAGNUM_MASK		0x1f
+#define DER_BOOLEAN		0x01
+#define DER_INTEGER		0x02
+#define DER_BIT_STRING		0x03
+#define DER_OCTET_STRING	0x04
+#define DER_NULL		0x05
+#define DER_OBJECT_ID		0x06
+#define DER_SEQUENCE		0x10
+#define DER_SET			0x11
+#define DER_PRINTABLE_STRING	0x13
+#define DER_T61_STRING		0x14
+#define DER_IA5_STRING		0x16
+#define DER_UTC_TIME		0x17
+#define DER_VISIBLE_STRING	0x1a
+#define DER_HIGH_TAG_NUMBER	0x1f
+
+/*
+** Modifiers to type tags.  These are also specified by a/the
+** standard, and must not be changed.
+*/
+
+#define DER_METHOD_MASK		0x20
+#define DER_PRIMITIVE		0x00
+#define DER_CONSTRUCTED		0x20
+
+#define DER_CLASS_MASK		0xc0
+#define DER_UNIVERSAL		0x00
+#define DER_APPLICATION		0x40
+#define DER_CONTEXT_SPECIFIC	0x80
+#define DER_PRIVATE		0xc0
+
+/*
+** Our additions, used for templates.
+** These are not defined by any standard; the values are used internally only.
+** Just be careful to keep them out of the low 8 bits.
+*/
+#define DER_OPTIONAL		0x00100
+#define DER_EXPLICIT		0x00200
+#define DER_ANY			0x00400
+#define DER_INLINE		0x00800
+#define DER_POINTER		0x01000
+#define DER_INDEFINITE		0x02000
+#define DER_DERPTR		0x04000
+#define DER_SKIP		0x08000
+#define DER_FORCE		0x10000
+#define DER_OUTER		0x40000 /* for DER_DERPTR */
+
+/*
+** Macro to convert der decoded bit string into a decoded octet
+** string. All it needs to do is fiddle with the length code.
+*/
+#define DER_ConvertBitString(item)	  \
+{					  \
+    (item)->len = ((item)->len + 7) >> 3; \
+}
+
+#endif /* _SECDERT_H_ */
diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
new file mode 100644
index 000000000..815c5a7c4
--- /dev/null
+++ b/security/nss/lib/util/secdig.c
@@ -0,0 +1,212 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+#include "secdig.h"
+
+#include "secoid.h"
+#include "secasn1.h" 
+#include "secerr.h"
+
+/*
+ * XXX Want to have a SGN_DecodeDigestInfo, like:
+ *	SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
+ * that creates a pool and allocates from it and decodes didata into
+ * the newly allocated DigestInfo structure.  Then fix secvfy.c (it
+ * will no longer need an arena itself) to call this and then call
+ * DestroyDigestInfo when it is done, then can remove the old template
+ * above and keep our new template static and "hidden".
+ */
+
+/*
+ * XXX It might be nice to combine the following two functions (create
+ * and encode).  I think that is all anybody ever wants to do anyway.
+ */
+
+SECItem *
+SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest, SGNDigestInfo *diginfo)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, diginfo, sgn_DigestInfoTemplate);
+}
+
+SGNDigestInfo *
+SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
+{
+    SGNDigestInfo *di;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECItem *null_param;
+    SECItem dummy_value;
+
+    switch (algorithm) {
+      case SEC_OID_MD2:
+      case SEC_OID_MD5:
+      case SEC_OID_SHA1:
+      case SEC_OID_SHA256:
+      case SEC_OID_SHA384:
+      case SEC_OID_SHA512:
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    di = (SGNDigestInfo *) PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
+    if (di == NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+
+    di->arena = arena;
+
+    /*
+     * PKCS #1 specifies that the AlgorithmID must have a NULL parameter
+     * (as opposed to no parameter at all).
+     */
+    dummy_value.data = NULL;
+    dummy_value.len = 0;
+    null_param = SEC_ASN1EncodeItem(NULL, NULL, &dummy_value, SEC_NullTemplate);
+    if (null_param == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &di->digestAlgorithm, algorithm,
+			       null_param);
+
+    SECITEM_FreeItem(null_param, PR_TRUE);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    di->digest.data = (unsigned char *) PORT_ArenaAlloc(arena, len);
+    if (di->digest.data == NULL) {
+	goto loser;
+    }
+
+    di->digest.len = len;
+    PORT_Memcpy(di->digest.data, sig, len);
+    return di;
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    return NULL;
+}
+
+SGNDigestInfo *
+SGN_DecodeDigestInfo(SECItem *didata)
+{
+    PRArenaPool *arena;
+    SGNDigestInfo *di;
+    SECStatus rv = SECFailure;
+    SECItem      diCopy   = {siBuffer, NULL, 0};
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(arena == NULL)
+	return NULL;
+
+    rv = SECITEM_CopyItem(arena, &diCopy, didata);
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena, PR_FALSE);
+    	return NULL;
+    }
+
+    di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
+    if (di != NULL) {
+	di->arena = arena;
+	rv = SEC_QuickDERDecodeItem(arena, di, sgn_DigestInfoTemplate, &diCopy);
+    }
+	
+    if ((di == NULL) || (rv != SECSuccess)) {
+	PORT_FreeArena(arena, PR_FALSE);
+	di = NULL;
+    }
+
+    return di;
+}
+
+void
+SGN_DestroyDigestInfo(SGNDigestInfo *di)
+{
+    if (di && di->arena) {
+	PORT_FreeArena(di->arena, PR_FALSE);
+    }
+
+    return;
+}
+
+SECStatus 
+SGN_CopyDigestInfo(PRArenaPool *poolp, SGNDigestInfo *a, SGNDigestInfo *b)
+{
+    SECStatus rv;
+    void *mark;
+
+    if((poolp == NULL) || (a == NULL) || (b == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(poolp);
+    a->arena = poolp;
+    rv = SECOID_CopyAlgorithmID(poolp, &a->digestAlgorithm, 
+	&b->digestAlgorithm);
+    if (rv == SECSuccess)
+	rv = SECITEM_CopyItem(poolp, &a->digest, &b->digest);
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return rv;
+}
+
+SECComparison
+SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
+{
+    SECComparison rv;
+
+    /* Check signature algorithm's */
+    rv = SECOID_CompareAlgorithmID(&a->digestAlgorithm, &b->digestAlgorithm);
+    if (rv) return rv;
+
+    /* Compare signature block length's */
+    rv = SECITEM_CompareItem(&a->digest, &b->digest);
+    return rv;
+}
diff --git a/security/nss/lib/util/secdig.h b/security/nss/lib/util/secdig.h
new file mode 100644
index 000000000..1319abdb2
--- /dev/null
+++ b/security/nss/lib/util/secdig.h
@@ -0,0 +1,136 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _SECDIG_H_
+#define _SECDIG_H_
+
+#include "utilrename.h"
+#include "secdigt.h"
+
+#include "seccomon.h"
+#include "secasn1t.h" 
+#include "secdert.h"
+
+SEC_BEGIN_PROTOS
+
+
+extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
+
+SEC_ASN1_CHOOSER_DECLARE(sgn_DigestInfoTemplate)
+
+/****************************************/
+/*
+** Digest-info functions
+*/
+
+/*
+** Create a new digest-info object
+** 	"algorithm" one of SEC_OID_MD2, SEC_OID_MD5, or SEC_OID_SHA1
+** 	"sig" the raw signature data (from MD2 or MD5)
+** 	"sigLen" the length of the signature data
+**
+** NOTE: this is a low level routine used to prepare some data for PKCS#1
+** digital signature formatting.
+**
+** XXX It might be nice to combine the create and encode functions.
+** I think that is all anybody ever wants to do anyway.
+*/
+extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
+					   unsigned char *sig,
+					   unsigned int sigLen);
+
+/*
+** Destroy a digest-info object
+*/
+extern void SGN_DestroyDigestInfo(SGNDigestInfo *info);
+
+/*
+** Encode a digest-info object
+**	"poolp" is where to allocate the result from; it can be NULL in
+**		which case generic heap allocation (XP_ALLOC) will be used
+**	"dest" is where to store the result; it can be NULL, in which case
+**		it will be allocated (from poolp or heap, as explained above)
+**	"diginfo" is the object to be encoded
+** The return value is NULL if any error occurred, otherwise it is the
+** resulting SECItem (either allocated or the same as the "dest" parameter).
+**
+** XXX It might be nice to combine the create and encode functions.
+** I think that is all anybody ever wants to do anyway.
+*/
+extern SECItem *SGN_EncodeDigestInfo(PLArenaPool *poolp, SECItem *dest,
+				     SGNDigestInfo *diginfo);
+
+/*
+** Decode a DER encoded digest info objct.
+**  didata is thr source of the encoded digest.  
+** The return value is NULL if an error occurs.  Otherwise, a
+** digest info object which is allocated within it's own
+** pool is returned.  The digest info should be deleted
+** by later calling SGN_DestroyDigestInfo.
+*/
+extern SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
+
+
+/*
+** Copy digest info.
+**  poolp is the arena to which the digest will be copied.
+**  a is the destination digest, it must be non-NULL.
+**  b is the source digest
+** This function is for copying digests.  It allows digests
+** to be copied into a specified pool.  If the digest is in
+** the same pool as other data, you do not want to delete
+** the digest by calling SGN_DestroyDigestInfo.  
+** A return value of SECFailure indicates an error.  A return
+** of SECSuccess indicates no error occured.
+*/
+extern SECStatus  SGN_CopyDigestInfo(PLArenaPool *poolp,
+					SGNDigestInfo *a, 
+					SGNDigestInfo *b);
+
+/*
+** Compare two digest-info objects, returning the difference between
+** them.
+*/
+extern SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b);
+
+
+SEC_END_PROTOS
+
+#endif /* _SECDIG_H_ */
diff --git a/security/nss/lib/util/secdigt.h b/security/nss/lib/util/secdigt.h
new file mode 100644
index 000000000..aee02d793
--- /dev/null
+++ b/security/nss/lib/util/secdigt.h
@@ -0,0 +1,61 @@
+/*
+ * secdigt.h - public data structures for digestinfos from the util lib.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id$ */
+
+#ifndef _SECDIGT_H_
+#define _SECDIGT_H_
+
+#include "utilrename.h"
+#include "plarena.h"
+#include "secoidt.h"
+#include "secitem.h"
+
+/*
+** A PKCS#1 digest-info object
+*/
+struct SGNDigestInfoStr {
+    PLArenaPool *  arena;
+    SECAlgorithmID digestAlgorithm;
+    SECItem        digest;
+};
+typedef struct SGNDigestInfoStr SGNDigestInfo;
+
+
+
+#endif /* _SECDIGT_H_ */
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
new file mode 100644
index 000000000..0c29838cc
--- /dev/null
+++ b/security/nss/lib/util/secerr.h
@@ -0,0 +1,233 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __SEC_ERR_H_
+#define __SEC_ERR_H_
+
+#include "utilrename.h"
+
+#define SEC_ERROR_BASE				(-0x2000)
+#define SEC_ERROR_LIMIT				(SEC_ERROR_BASE + 1000)
+
+#define IS_SEC_ERROR(code) \
+    (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
+
+#ifndef NO_SECURITY_ERROR_ENUM
+typedef enum {
+SEC_ERROR_IO 				    =	SEC_ERROR_BASE + 0,
+SEC_ERROR_LIBRARY_FAILURE 		    =	SEC_ERROR_BASE + 1,
+SEC_ERROR_BAD_DATA 			    =	SEC_ERROR_BASE + 2,
+SEC_ERROR_OUTPUT_LEN 			    =	SEC_ERROR_BASE + 3,
+SEC_ERROR_INPUT_LEN 			    =	SEC_ERROR_BASE + 4,
+SEC_ERROR_INVALID_ARGS 			    =	SEC_ERROR_BASE + 5,
+SEC_ERROR_INVALID_ALGORITHM 		    =	SEC_ERROR_BASE + 6,
+SEC_ERROR_INVALID_AVA 			    =	SEC_ERROR_BASE + 7,
+SEC_ERROR_INVALID_TIME 			    =	SEC_ERROR_BASE + 8,
+SEC_ERROR_BAD_DER 			    =	SEC_ERROR_BASE + 9,
+SEC_ERROR_BAD_SIGNATURE 		    =	SEC_ERROR_BASE + 10,
+SEC_ERROR_EXPIRED_CERTIFICATE 		    =	SEC_ERROR_BASE + 11,
+SEC_ERROR_REVOKED_CERTIFICATE 		    =	SEC_ERROR_BASE + 12,
+SEC_ERROR_UNKNOWN_ISSUER 		    =	SEC_ERROR_BASE + 13,
+SEC_ERROR_BAD_KEY 			    =	SEC_ERROR_BASE + 14,
+SEC_ERROR_BAD_PASSWORD 			    =	SEC_ERROR_BASE + 15,
+SEC_ERROR_RETRY_PASSWORD 		    =	SEC_ERROR_BASE + 16,
+SEC_ERROR_NO_NODELOCK 			    =	SEC_ERROR_BASE + 17,
+SEC_ERROR_BAD_DATABASE 			    =	SEC_ERROR_BASE + 18,
+SEC_ERROR_NO_MEMORY 			    =	SEC_ERROR_BASE + 19,
+SEC_ERROR_UNTRUSTED_ISSUER 		    =	SEC_ERROR_BASE + 20,
+SEC_ERROR_UNTRUSTED_CERT 		    =	SEC_ERROR_BASE + 21,
+SEC_ERROR_DUPLICATE_CERT 		    =	(SEC_ERROR_BASE + 22),
+SEC_ERROR_DUPLICATE_CERT_NAME 		    =	(SEC_ERROR_BASE + 23),
+SEC_ERROR_ADDING_CERT 			    =	(SEC_ERROR_BASE + 24),
+SEC_ERROR_FILING_KEY 			    =	(SEC_ERROR_BASE + 25),
+SEC_ERROR_NO_KEY 			    =	(SEC_ERROR_BASE + 26),
+SEC_ERROR_CERT_VALID 			    =	(SEC_ERROR_BASE + 27),
+SEC_ERROR_CERT_NOT_VALID 		    =	(SEC_ERROR_BASE + 28),
+SEC_ERROR_CERT_NO_RESPONSE 		    =	(SEC_ERROR_BASE + 29),
+SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE 	    =	(SEC_ERROR_BASE + 30),
+SEC_ERROR_CRL_EXPIRED 			    =	(SEC_ERROR_BASE + 31),
+SEC_ERROR_CRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 32),
+SEC_ERROR_CRL_INVALID 			    =	(SEC_ERROR_BASE + 33),
+SEC_ERROR_EXTENSION_VALUE_INVALID 	    = 	(SEC_ERROR_BASE + 34),
+SEC_ERROR_EXTENSION_NOT_FOUND 		    = 	(SEC_ERROR_BASE + 35),
+SEC_ERROR_CA_CERT_INVALID 		    = 	(SEC_ERROR_BASE + 36),
+SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID 	    = 	(SEC_ERROR_BASE + 37),
+SEC_ERROR_CERT_USAGES_INVALID 		    = 	(SEC_ERROR_BASE + 38),
+SEC_INTERNAL_ONLY 			    =	(SEC_ERROR_BASE + 39),
+SEC_ERROR_INVALID_KEY 			    =	(SEC_ERROR_BASE + 40),
+SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION 	    = 	(SEC_ERROR_BASE + 41),
+SEC_ERROR_OLD_CRL 			    =	(SEC_ERROR_BASE + 42),
+SEC_ERROR_NO_EMAIL_CERT 		    =	(SEC_ERROR_BASE + 43),
+SEC_ERROR_NO_RECIPIENT_CERTS_QUERY 	    =	(SEC_ERROR_BASE + 44),
+SEC_ERROR_NOT_A_RECIPIENT 		    =	(SEC_ERROR_BASE + 45),
+SEC_ERROR_PKCS7_KEYALG_MISMATCH 	    =	(SEC_ERROR_BASE + 46),
+SEC_ERROR_PKCS7_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 47),
+SEC_ERROR_UNSUPPORTED_KEYALG 		    =	(SEC_ERROR_BASE + 48),
+SEC_ERROR_DECRYPTION_DISALLOWED 	    =	(SEC_ERROR_BASE + 49),
+/* Fortezza Alerts */
+XP_SEC_FORTEZZA_BAD_CARD 		    =	(SEC_ERROR_BASE + 50),
+XP_SEC_FORTEZZA_NO_CARD 		    =	(SEC_ERROR_BASE + 51),
+XP_SEC_FORTEZZA_NONE_SELECTED 		    =	(SEC_ERROR_BASE + 52),
+XP_SEC_FORTEZZA_MORE_INFO 		    =	(SEC_ERROR_BASE + 53),
+XP_SEC_FORTEZZA_PERSON_NOT_FOUND 	    =	(SEC_ERROR_BASE + 54),
+XP_SEC_FORTEZZA_NO_MORE_INFO 		    =	(SEC_ERROR_BASE + 55),
+XP_SEC_FORTEZZA_BAD_PIN 		    =	(SEC_ERROR_BASE + 56),
+XP_SEC_FORTEZZA_PERSON_ERROR 		    =	(SEC_ERROR_BASE + 57),
+SEC_ERROR_NO_KRL 			    =	(SEC_ERROR_BASE + 58),
+SEC_ERROR_KRL_EXPIRED 			    =	(SEC_ERROR_BASE + 59),
+SEC_ERROR_KRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 60),
+SEC_ERROR_REVOKED_KEY 			    =	(SEC_ERROR_BASE + 61),
+SEC_ERROR_KRL_INVALID 			    =	(SEC_ERROR_BASE + 62),
+SEC_ERROR_NEED_RANDOM 			    =	(SEC_ERROR_BASE + 63),
+SEC_ERROR_NO_MODULE 			    =	(SEC_ERROR_BASE + 64),
+SEC_ERROR_NO_TOKEN 			    =	(SEC_ERROR_BASE + 65),
+SEC_ERROR_READ_ONLY 			    =	(SEC_ERROR_BASE + 66),
+SEC_ERROR_NO_SLOT_SELECTED 		    =	(SEC_ERROR_BASE + 67),
+SEC_ERROR_CERT_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 68),
+SEC_ERROR_KEY_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 69),
+SEC_ERROR_SAFE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 70),
+SEC_ERROR_BAGGAGE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 71),
+XP_JAVA_REMOVE_PRINCIPAL_ERROR 		    =	(SEC_ERROR_BASE + 72),
+XP_JAVA_DELETE_PRIVILEGE_ERROR 		    =	(SEC_ERROR_BASE + 73),
+XP_JAVA_CERT_NOT_EXISTS_ERROR 		    =	(SEC_ERROR_BASE + 74),
+SEC_ERROR_BAD_EXPORT_ALGORITHM 		    =	(SEC_ERROR_BASE + 75),
+SEC_ERROR_EXPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 76),
+SEC_ERROR_IMPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 77),
+SEC_ERROR_PKCS12_DECODING_PFX 		    =	(SEC_ERROR_BASE + 78),
+SEC_ERROR_PKCS12_INVALID_MAC 		    =	(SEC_ERROR_BASE + 79),
+SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM  =	(SEC_ERROR_BASE + 80),
+SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE =	(SEC_ERROR_BASE + 81),
+SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE 	    =	(SEC_ERROR_BASE + 82),
+SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM  = 	(SEC_ERROR_BASE + 83),
+SEC_ERROR_PKCS12_UNSUPPORTED_VERSION 	    =	(SEC_ERROR_BASE + 84),
+SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT =	(SEC_ERROR_BASE + 85),
+SEC_ERROR_PKCS12_CERT_COLLISION 	    =	(SEC_ERROR_BASE + 86),
+SEC_ERROR_USER_CANCELLED 		    =	(SEC_ERROR_BASE + 87),
+SEC_ERROR_PKCS12_DUPLICATE_DATA 	    =	(SEC_ERROR_BASE + 88),
+SEC_ERROR_MESSAGE_SEND_ABORTED 		    =	(SEC_ERROR_BASE + 89),
+SEC_ERROR_INADEQUATE_KEY_USAGE 		    =	(SEC_ERROR_BASE + 90),
+SEC_ERROR_INADEQUATE_CERT_TYPE 		    =	(SEC_ERROR_BASE + 91),
+SEC_ERROR_CERT_ADDR_MISMATCH 		    =	(SEC_ERROR_BASE + 92),
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY 	    =	(SEC_ERROR_BASE + 93),
+SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN 	    =	(SEC_ERROR_BASE + 94),
+SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
+SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY 	    =	(SEC_ERROR_BASE + 96),
+SEC_ERROR_PKCS12_UNABLE_TO_WRITE 	    = 	(SEC_ERROR_BASE + 97),
+SEC_ERROR_PKCS12_UNABLE_TO_READ 	    =	(SEC_ERROR_BASE + 98),
+SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED 	 = (SEC_ERROR_BASE + 99),
+SEC_ERROR_KEYGEN_FAIL 			    =	(SEC_ERROR_BASE + 100),
+SEC_ERROR_INVALID_PASSWORD 		    =	(SEC_ERROR_BASE + 101),
+SEC_ERROR_RETRY_OLD_PASSWORD 		    =	(SEC_ERROR_BASE + 102),
+SEC_ERROR_BAD_NICKNAME 			    =	(SEC_ERROR_BASE + 103),
+SEC_ERROR_NOT_FORTEZZA_ISSUER 		    = 	(SEC_ERROR_BASE + 104),
+SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY         =   (SEC_ERROR_BASE + 105),
+SEC_ERROR_JS_INVALID_MODULE_NAME 	    =	(SEC_ERROR_BASE + 106),
+SEC_ERROR_JS_INVALID_DLL 		    =	(SEC_ERROR_BASE + 107),
+SEC_ERROR_JS_ADD_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 108),
+SEC_ERROR_JS_DEL_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 109),
+SEC_ERROR_OLD_KRL 			    =	(SEC_ERROR_BASE + 110),
+SEC_ERROR_CKL_CONFLICT 			    =	(SEC_ERROR_BASE + 111),
+SEC_ERROR_CERT_NOT_IN_NAME_SPACE 	    =	(SEC_ERROR_BASE + 112),
+SEC_ERROR_KRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 113),
+SEC_ERROR_CRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 114),
+SEC_ERROR_UNKNOWN_CERT 			    =	(SEC_ERROR_BASE + 115),
+SEC_ERROR_UNKNOWN_SIGNER 		    =	(SEC_ERROR_BASE + 116),
+SEC_ERROR_CERT_BAD_ACCESS_LOCATION 	    =	(SEC_ERROR_BASE + 117),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE 	    =	(SEC_ERROR_BASE + 118),
+SEC_ERROR_OCSP_BAD_HTTP_RESPONSE 	    =	(SEC_ERROR_BASE + 119),
+SEC_ERROR_OCSP_MALFORMED_REQUEST 	    =	(SEC_ERROR_BASE + 120),
+SEC_ERROR_OCSP_SERVER_ERROR 		    =	(SEC_ERROR_BASE + 121),
+SEC_ERROR_OCSP_TRY_SERVER_LATER 	    =	(SEC_ERROR_BASE + 122),
+SEC_ERROR_OCSP_REQUEST_NEEDS_SIG 	    =	(SEC_ERROR_BASE + 123),
+SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST 	    =	(SEC_ERROR_BASE + 124),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS 	    =	(SEC_ERROR_BASE + 125),
+SEC_ERROR_OCSP_UNKNOWN_CERT 		    =	(SEC_ERROR_BASE + 126),
+SEC_ERROR_OCSP_NOT_ENABLED 		    =	(SEC_ERROR_BASE + 127),
+SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER 	    =	(SEC_ERROR_BASE + 128),
+SEC_ERROR_OCSP_MALFORMED_RESPONSE 	    =	(SEC_ERROR_BASE + 129),
+SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE 	    =	(SEC_ERROR_BASE + 130),
+SEC_ERROR_OCSP_FUTURE_RESPONSE 		    =	(SEC_ERROR_BASE + 131),
+SEC_ERROR_OCSP_OLD_RESPONSE 		    =	(SEC_ERROR_BASE + 132),
+/* smime stuff */
+SEC_ERROR_DIGEST_NOT_FOUND		    =	(SEC_ERROR_BASE + 133),
+SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE	    =	(SEC_ERROR_BASE + 134),
+SEC_ERROR_MODULE_STUCK			    =	(SEC_ERROR_BASE + 135),
+SEC_ERROR_BAD_TEMPLATE			    =	(SEC_ERROR_BASE + 136),
+SEC_ERROR_CRL_NOT_FOUND 		    =	(SEC_ERROR_BASE + 137),
+SEC_ERROR_REUSED_ISSUER_AND_SERIAL          =   (SEC_ERROR_BASE + 138),
+SEC_ERROR_BUSY                              =   (SEC_ERROR_BASE + 139),
+SEC_ERROR_EXTRA_INPUT                       =   (SEC_ERROR_BASE + 140),
+/* error codes used by elliptic curve code */
+SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE	    =	(SEC_ERROR_BASE + 141),
+SEC_ERROR_UNSUPPORTED_EC_POINT_FORM	    =	(SEC_ERROR_BASE + 142),
+SEC_ERROR_UNRECOGNIZED_OID		    =	(SEC_ERROR_BASE + 143),
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT	    =   (SEC_ERROR_BASE + 144),
+/* new revocation errors */
+SEC_ERROR_REVOKED_CERTIFICATE_CRL	    =	(SEC_ERROR_BASE + 145),
+SEC_ERROR_REVOKED_CERTIFICATE_OCSP	    =	(SEC_ERROR_BASE + 146),
+SEC_ERROR_CRL_INVALID_VERSION               =	(SEC_ERROR_BASE + 147),
+SEC_ERROR_CRL_V1_CRITICAL_EXTENSION         =	(SEC_ERROR_BASE + 148),
+SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION    =	(SEC_ERROR_BASE + 149),
+SEC_ERROR_UNKNOWN_OBJECT_TYPE               =	(SEC_ERROR_BASE + 150),
+SEC_ERROR_INCOMPATIBLE_PKCS11               =	(SEC_ERROR_BASE + 151),
+SEC_ERROR_NO_EVENT                          = 	(SEC_ERROR_BASE + 152),
+SEC_ERROR_CRL_ALREADY_EXISTS                = 	(SEC_ERROR_BASE + 153),
+SEC_ERROR_NOT_INITIALIZED                   = 	(SEC_ERROR_BASE + 154),
+SEC_ERROR_TOKEN_NOT_LOGGED_IN               = 	(SEC_ERROR_BASE + 155),
+SEC_ERROR_OCSP_RESPONDER_CERT_INVALID      =	(SEC_ERROR_BASE + 156),
+SEC_ERROR_OCSP_BAD_SIGNATURE               =	(SEC_ERROR_BASE + 157),
+
+SEC_ERROR_OUT_OF_SEARCH_LIMITS             =	(SEC_ERROR_BASE + 158),
+SEC_ERROR_INVALID_POLICY_MAPPING           =	(SEC_ERROR_BASE + 159),
+SEC_ERROR_POLICY_VALIDATION_FAILED         =	(SEC_ERROR_BASE + 160),
+SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE        =	(SEC_ERROR_BASE + 161),
+SEC_ERROR_BAD_HTTP_RESPONSE                =	(SEC_ERROR_BASE + 162),
+SEC_ERROR_BAD_LDAP_RESPONSE                =	(SEC_ERROR_BASE + 163),
+SEC_ERROR_FAILED_TO_ENCODE_DATA            =	(SEC_ERROR_BASE + 164),
+SEC_ERROR_BAD_INFO_ACCESS_LOCATION         =	(SEC_ERROR_BASE + 165), 
+
+SEC_ERROR_LIBPKIX_INTERNAL                 =	(SEC_ERROR_BASE + 166),
+
+SEC_ERROR_PKCS11_GENERAL_ERROR             =	(SEC_ERROR_BASE + 167),
+SEC_ERROR_PKCS11_FUNCTION_FAILED           =	(SEC_ERROR_BASE + 168),
+SEC_ERROR_PKCS11_DEVICE_ERROR              =	(SEC_ERROR_BASE + 169),
+
+/* Add new error codes above here. */
+SEC_ERROR_END_OF_LIST 
+} SECErrorCodes;
+#endif /* NO_SECURITY_ERROR_ENUM */
+
+#endif /* __SEC_ERR_H_ */
diff --git a/security/nss/lib/util/secinit.c b/security/nss/lib/util/secinit.c
new file mode 100644
index 000000000..c62d83a80
--- /dev/null
+++ b/security/nss/lib/util/secinit.c
@@ -0,0 +1,53 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nspr.h"
+#include "secport.h"
+
+static int sec_inited = 0;
+
+void 
+SEC_Init(void)
+{
+    /* PR_Init() must be called before SEC_Init() */
+#if !defined(SERVER_BUILD)
+    PORT_Assert(PR_Initialized() == PR_TRUE);
+#endif
+    if (sec_inited)
+	return;
+
+    sec_inited = 1;
+}
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
new file mode 100644
index 000000000..74396571b
--- /dev/null
+++ b/security/nss/lib/util/secitem.c
@@ -0,0 +1,322 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Support routines for SECItem data structure.
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "base64.h"
+#include "secerr.h"
+
+SECItem *
+SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
+{
+    SECItem *result = NULL;
+    void *mark = NULL;
+
+    if (arena != NULL) {
+	mark = PORT_ArenaMark(arena);
+    }
+
+    if (item == NULL) {
+	if (arena != NULL) {
+	    result = PORT_ArenaZAlloc(arena, sizeof(SECItem));
+	} else {
+	    result = PORT_ZAlloc(sizeof(SECItem));
+	}
+	if (result == NULL) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(item->data == NULL);
+	result = item;
+    }
+
+    result->len = len;
+    if (len) {
+	if (arena != NULL) {
+	    result->data = PORT_ArenaAlloc(arena, len);
+	} else {
+	    result->data = PORT_Alloc(len);
+	}
+	if (result->data == NULL) {
+	    goto loser;
+	}
+    } else {
+	result->data = NULL;
+    }
+
+    if (mark) {
+	PORT_ArenaUnmark(arena, mark);
+    }
+    return(result);
+
+loser:
+    if ( arena != NULL ) {
+	if (mark) {
+	    PORT_ArenaRelease(arena, mark);
+	}
+	if (item != NULL) {
+	    item->data = NULL;
+	    item->len = 0;
+	}
+    } else {
+	if (result != NULL) {
+	    SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
+	}
+	/*
+	 * If item is not NULL, the above has set item->data and
+	 * item->len to 0.
+	 */
+    }
+    return(NULL);
+}
+
+SECStatus
+SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item, unsigned int oldlen,
+		    unsigned int newlen)
+{
+    PORT_Assert(item != NULL);
+    if (item == NULL) {
+	/* XXX Set error.  But to what? */
+	return SECFailure;
+    }
+
+    /*
+     * If no old length, degenerate to just plain alloc.
+     */
+    if (oldlen == 0) {
+	PORT_Assert(item->data == NULL || item->len == 0);
+	if (newlen == 0) {
+	    /* Nothing to do.  Weird, but not a failure.  */
+	    return SECSuccess;
+	}
+	item->len = newlen;
+	if (arena != NULL) {
+	    item->data = PORT_ArenaAlloc(arena, newlen);
+	} else {
+	    item->data = PORT_Alloc(newlen);
+	}
+    } else {
+	if (arena != NULL) {
+	    item->data = PORT_ArenaGrow(arena, item->data, oldlen, newlen);
+	} else {
+	    item->data = PORT_Realloc(item->data, newlen);
+	}
+    }
+
+    if (item->data == NULL) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECComparison
+SECITEM_CompareItem(const SECItem *a, const SECItem *b)
+{
+    unsigned m;
+    SECComparison rv;
+
+    if (!a || !a->len || !a->data) 
+        return (!b || !b->len || !b->data) ? SECEqual : SECLessThan;
+    if (!b || !b->len || !b->data) 
+    	return SECGreaterThan;
+
+    m = ( ( a->len < b->len ) ? a->len : b->len );
+    
+    rv = (SECComparison) PORT_Memcmp(a->data, b->data, m);
+    if (rv) {
+	return rv;
+    }
+    if (a->len < b->len) {
+	return SECLessThan;
+    }
+    if (a->len == b->len) {
+	return SECEqual;
+    }
+    return SECGreaterThan;
+}
+
+PRBool
+SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
+{
+    if (a->len != b->len)
+        return PR_FALSE;
+    if (!a->len)
+    	return PR_TRUE;
+    if (!a->data || !b->data) {
+        /* avoid null pointer crash. */
+	return (PRBool)(a->data == b->data);
+    }
+    return (PRBool)!PORT_Memcmp(a->data, b->data, a->len);
+}
+
+SECItem *
+SECITEM_DupItem(const SECItem *from)
+{
+    return SECITEM_ArenaDupItem(NULL, from);
+}
+
+SECItem *
+SECITEM_ArenaDupItem(PRArenaPool *arena, const SECItem *from)
+{
+    SECItem *to;
+    
+    if ( from == NULL ) {
+	return(NULL);
+    }
+    
+    if ( arena != NULL ) {
+	to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+    } else {
+	to = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    }
+    if ( to == NULL ) {
+	return(NULL);
+    }
+
+    if ( arena != NULL ) {
+	to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
+    } else {
+	to->data = (unsigned char *)PORT_Alloc(from->len);
+    }
+    if ( to->data == NULL ) {
+	PORT_Free(to);
+	return(NULL);
+    }
+
+    to->len = from->len;
+    to->type = from->type;
+    if ( to->len ) {
+	PORT_Memcpy(to->data, from->data, to->len);
+    }
+    
+    return(to);
+}
+
+SECStatus
+SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from)
+{
+    to->type = from->type;
+    if (from->data && from->len) {
+	if ( arena ) {
+	    to->data = (unsigned char*) PORT_ArenaAlloc(arena, from->len);
+	} else {
+	    to->data = (unsigned char*) PORT_Alloc(from->len);
+	}
+	
+	if (!to->data) {
+	    return SECFailure;
+	}
+	PORT_Memcpy(to->data, from->data, from->len);
+	to->len = from->len;
+    } else {
+	to->data = 0;
+	to->len = 0;
+    }
+    return SECSuccess;
+}
+
+void
+SECITEM_FreeItem(SECItem *zap, PRBool freeit)
+{
+    if (zap) {
+	PORT_Free(zap->data);
+	zap->data = 0;
+	zap->len = 0;
+	if (freeit) {
+	    PORT_Free(zap);
+	}
+    }
+}
+
+void
+SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
+{
+    if (zap) {
+	PORT_ZFree(zap->data, zap->len);
+	zap->data = 0;
+	zap->len = 0;
+	if (freeit) {
+	    PORT_ZFree(zap, sizeof(SECItem));
+	}
+    }
+}
+/* these reroutines were taken from pkix oid.c, which is supposed to
+ * replace this file some day */
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+PLHashNumber PR_CALLBACK
+SECITEM_Hash ( const void *key)
+{
+    const SECItem *item = (const SECItem *)key;
+    PLHashNumber rv = 0;
+
+    PRUint8 *data = (PRUint8 *)item->data;
+    PRUint32 i;
+    PRUint8 *rvc = (PRUint8 *)&rv;
+
+    for( i = 0; i < item->len; i++ ) {
+        rvc[ i % sizeof(rv) ] ^= *data;
+        data++;
+    }
+
+    return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the item data.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+PRIntn PR_CALLBACK
+SECITEM_HashCompare ( const void *k1, const void *k2)
+{
+    const SECItem *i1 = (const SECItem *)k1;
+    const SECItem *i2 = (const SECItem *)k2;
+
+    return SECITEM_ItemsAreEqual(i1,i2);
+}
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
new file mode 100644
index 000000000..de3df877f
--- /dev/null
+++ b/security/nss/lib/util/secitem.h
@@ -0,0 +1,128 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECITEM_H_
+#define _SECITEM_H_
+
+#include "utilrename.h"
+
+/*
+ * secitem.h - public data structures and prototypes for handling
+ *	       SECItems
+ *
+ * $Id$
+ */
+
+#include "plarena.h"
+#include "plhash.h"
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Allocate an item.  If "arena" is not NULL, then allocate from there,
+** otherwise allocate from the heap.  If "item" is not NULL, allocate
+** only the data buffer for the item, not the item itself.  If "len" is
+** 0, do not allocate the data buffer for the item; simply set the data
+** field to NULL and the len field to 0.  The item structure is allocated
+** zero-filled; the data buffer is not zeroed.  The caller is responsible
+** for initializing the type field of the item.
+**
+** The resulting item is returned; NULL if any error occurs.
+**
+** XXX This probably should take a SECItemType, but since that is mostly
+** unused and our improved APIs (aka Stan) are looming, I left it out.
+*/
+extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
+				  unsigned int len);
+
+/*
+** Reallocate the data for the specified "item".  If "arena" is not NULL,
+** then reallocate from there, otherwise reallocate from the heap.
+** In the case where oldlen is 0, the data is allocated (not reallocated).
+** In any case, "item" is expected to be a valid SECItem pointer;
+** SECFailure is returned if it is not.  If the allocation succeeds,
+** SECSuccess is returned.
+*/
+extern SECStatus SECITEM_ReallocItem(PLArenaPool *arena, SECItem *item,
+				     unsigned int oldlen, unsigned int newlen);
+
+/*
+** Compare two items returning the difference between them.
+*/
+extern SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b);
+
+/*
+** Compare two items -- if they are the same, return true; otherwise false.
+*/
+extern PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b);
+
+/*
+** Copy "from" to "to"
+*/
+extern SECStatus SECITEM_CopyItem(PLArenaPool *arena, SECItem *to, 
+                                  const SECItem *from);
+
+/*
+** Allocate an item and copy "from" into it.
+*/
+extern SECItem *SECITEM_DupItem(const SECItem *from);
+
+/*
+** Allocate an item and copy "from" into it.  The item itself and the 
+** data it points to are both allocated from the arena.  If arena is
+** NULL, this function is equivalent to SECITEM_DupItem.
+*/
+extern SECItem *SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from);
+
+/*
+** Free "zap". If freeit is PR_TRUE then "zap" itself is freed.
+*/
+extern void SECITEM_FreeItem(SECItem *zap, PRBool freeit);
+
+/*
+** Zero and then free "zap". If freeit is PR_TRUE then "zap" itself is freed.
+*/
+extern void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit);
+
+PLHashNumber PR_CALLBACK SECITEM_Hash ( const void *key);
+
+PRIntn PR_CALLBACK SECITEM_HashCompare ( const void *k1, const void *k2);
+
+
+SEC_END_PROTOS
+
+#endif /* _SECITEM_H_ */
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
new file mode 100644
index 000000000..16389e553
--- /dev/null
+++ b/security/nss/lib/util/secoid.c
@@ -0,0 +1,1976 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secoid.h"
+#include "pkcs11t.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "plhash.h"
+#include "nssrwlk.h"
+
+/* MISSI Mosaic Object ID space */
+#define USGOV                   0x60, 0x86, 0x48, 0x01, 0x65
+#define MISSI	                USGOV, 0x02, 0x01, 0x01
+#define MISSI_OLD_KEA_DSS	MISSI, 0x0c
+#define MISSI_OLD_DSS		MISSI, 0x02
+#define MISSI_KEA_DSS		MISSI, 0x14
+#define MISSI_DSS		MISSI, 0x13
+#define MISSI_KEA               MISSI, 0x0a
+#define MISSI_ALT_KEA           MISSI, 0x16
+
+#define NISTALGS    USGOV, 3, 4
+#define AES         NISTALGS, 1
+#define SHAXXX      NISTALGS, 2
+
+/**
+ ** The Netscape OID space is allocated by Terry Hayes.  If you need
+ ** a piece of the space, contact him at thayes@netscape.com.
+ **/
+
+/* Netscape Communications Corporation Object ID space */
+/* { 2 16 840 1 113730 } */
+#define NETSCAPE_OID	          0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
+#define NETSCAPE_CERT_EXT 	  NETSCAPE_OID, 0x01
+#define NETSCAPE_DATA_TYPE 	  NETSCAPE_OID, 0x02
+/* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */
+#define NETSCAPE_DIRECTORY 	  NETSCAPE_OID, 0x03
+#define NETSCAPE_POLICY 	  NETSCAPE_OID, 0x04
+#define NETSCAPE_CERT_SERVER 	  NETSCAPE_OID, 0x05
+#define NETSCAPE_ALGS 		  NETSCAPE_OID, 0x06 /* algorithm OIDs */
+#define NETSCAPE_NAME_COMPONENTS  NETSCAPE_OID, 0x07
+
+#define NETSCAPE_CERT_EXT_AIA     NETSCAPE_CERT_EXT, 0x10
+#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01
+
+/* these are old and should go away soon */
+#define OLD_NETSCAPE		0x60, 0x86, 0x48, 0xd8, 0x6a
+#define NS_CERT_EXT		OLD_NETSCAPE, 0x01
+#define NS_FILE_TYPE		OLD_NETSCAPE, 0x02
+#define NS_IMAGE_TYPE		OLD_NETSCAPE, 0x03
+
+/* RSA OID name space */
+#define RSADSI			0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
+#define PKCS			RSADSI, 0x01
+#define DIGEST			RSADSI, 0x02
+#define CIPHER			RSADSI, 0x03
+#define PKCS1			PKCS, 0x01
+#define PKCS5			PKCS, 0x05
+#define PKCS7			PKCS, 0x07
+#define PKCS9			PKCS, 0x09
+#define PKCS12			PKCS, 0x0c
+
+/* Fortezza algorithm OID space: { 2 16 840 1 101 2 1 1 } */
+/* ### mwelch -- Is this just for algorithms, or all of Fortezza? */
+#define FORTEZZA_ALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01
+
+/* Other OID name spaces */
+#define ALGORITHM		0x2b, 0x0e, 0x03, 0x02
+#define X500			0x55
+#define X520_ATTRIBUTE_TYPE	X500, 0x04
+#define X500_ALG		X500, 0x08
+#define X500_ALG_ENCRYPTION	X500_ALG, 0x01
+
+/** X.509 v3 Extension OID 
+ ** {joint-iso-ccitt (2) ds(5) 29}
+ **/
+#define	ID_CE_OID 		X500, 0x1d
+
+#define RFC1274_ATTR_TYPE  0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
+/* #define RFC2247_ATTR_TYPE  0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */
+
+/* PKCS #12 name spaces */
+#define PKCS12_MODE_IDS		PKCS12, 0x01
+#define PKCS12_ESPVK_IDS	PKCS12, 0x02
+#define PKCS12_BAG_IDS		PKCS12, 0x03
+#define PKCS12_CERT_BAG_IDS	PKCS12, 0x04
+#define PKCS12_OIDS		PKCS12, 0x05
+#define PKCS12_PBE_IDS		PKCS12_OIDS, 0x01
+#define PKCS12_ENVELOPING_IDS	PKCS12_OIDS, 0x02
+#define PKCS12_SIGNATURE_IDS	PKCS12_OIDS, 0x03
+#define PKCS12_V2_PBE_IDS	PKCS12, 0x01
+#define PKCS9_CERT_TYPES	PKCS9, 0x16
+#define PKCS9_CRL_TYPES		PKCS9, 0x17
+#define PKCS9_SMIME_IDS		PKCS9, 0x10
+#define PKCS9_SMIME_ATTRS	PKCS9_SMIME_IDS, 2
+#define PKCS9_SMIME_ALGS	PKCS9_SMIME_IDS, 3
+#define PKCS12_VERSION1		PKCS12, 0x0a
+#define PKCS12_V1_BAG_IDS	PKCS12_VERSION1, 1
+
+/* for DSA algorithm */
+/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */
+#define ANSI_X9_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x38, 0x4
+
+/* for DH algorithm */
+/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
+/* need real OID person to look at this, copied the above line
+ * and added 6 to second to last value (and changed '4' to '2' */
+#define ANSI_X942_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
+
+#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
+
+#define PKIX 			0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
+#define PKIX_CERT_EXTENSIONS    PKIX, 1
+#define PKIX_POLICY_QUALIFIERS  PKIX, 2
+#define PKIX_KEY_USAGE 		PKIX, 3
+#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
+#define PKIX_OCSP 		PKIX_ACCESS_DESCRIPTION, 1
+#define PKIX_CA_ISSUERS		PKIX_ACCESS_DESCRIPTION, 2
+
+#define PKIX_ID_PKIP     	PKIX, 5
+#define PKIX_ID_REGCTRL  	PKIX_ID_PKIP, 1 
+#define PKIX_ID_REGINFO  	PKIX_ID_PKIP, 2
+
+/* Microsoft Object ID space */
+/* { 1.3.6.1.4.1.311 } */
+#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
+
+#define CERTICOM_OID            0x2b, 0x81, 0x04
+#define SECG_OID                CERTICOM_OID, 0x00
+
+#define ANSI_X962_OID           0x2a, 0x86, 0x48, 0xce, 0x3d
+#define ANSI_X962_CURVE_OID     ANSI_X962_OID, 0x03
+#define ANSI_X962_GF2m_OID      ANSI_X962_CURVE_OID, 0x00
+#define ANSI_X962_GFp_OID       ANSI_X962_CURVE_OID, 0x01
+#define ANSI_X962_SIGNATURE_OID ANSI_X962_OID, 0x04
+#define ANSI_X962_SPECIFY_OID   ANSI_X962_SIGNATURE_OID, 0x03
+
+/* for Camellia: iso(1) member-body(2) jisc(392)
+ *    mitsubishi(200011) isl(61) security(1) algorithm(1)
+ */
+#define MITSUBISHI_ALG 0x2a,0x83,0x08,0x8c,0x9a,0x4b,0x3d,0x01,0x01
+#define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG,1
+#define CAMELLIA_WRAP_OID    MITSUBISHI_ALG,3
+
+#define CONST_OID static const unsigned char
+
+CONST_OID md2[]        				= { DIGEST, 0x02 };
+CONST_OID md4[]        				= { DIGEST, 0x04 };
+CONST_OID md5[]        				= { DIGEST, 0x05 };
+CONST_OID hmac_sha1[]   			= { DIGEST, 7 };
+CONST_OID hmac_sha224[]				= { DIGEST, 8 };
+CONST_OID hmac_sha256[]				= { DIGEST, 9 };
+CONST_OID hmac_sha384[]				= { DIGEST, 10 };
+CONST_OID hmac_sha512[]				= { DIGEST, 11 };
+
+CONST_OID rc2cbc[]     				= { CIPHER, 0x02 };
+CONST_OID rc4[]        				= { CIPHER, 0x04 };
+CONST_OID desede3cbc[] 				= { CIPHER, 0x07 };
+CONST_OID rc5cbcpad[]  				= { CIPHER, 0x09 };
+
+CONST_OID desecb[]                           = { ALGORITHM, 0x06 };
+CONST_OID descbc[]                           = { ALGORITHM, 0x07 };
+CONST_OID desofb[]                           = { ALGORITHM, 0x08 };
+CONST_OID descfb[]                           = { ALGORITHM, 0x09 };
+CONST_OID desmac[]                           = { ALGORITHM, 0x0a };
+CONST_OID sdn702DSASignature[]               = { ALGORITHM, 0x0c };
+CONST_OID isoSHAWithRSASignature[]           = { ALGORITHM, 0x0f };
+CONST_OID desede[]                           = { ALGORITHM, 0x11 };
+CONST_OID sha1[]                             = { ALGORITHM, 0x1a };
+CONST_OID bogusDSASignaturewithSHA1Digest[]  = { ALGORITHM, 0x1b };
+CONST_OID isoSHA1WithRSASignature[]          = { ALGORITHM, 0x1d };
+
+CONST_OID pkcs1RSAEncryption[]         		= { PKCS1, 0x01 };
+CONST_OID pkcs1MD2WithRSAEncryption[]  		= { PKCS1, 0x02 };
+CONST_OID pkcs1MD4WithRSAEncryption[]  		= { PKCS1, 0x03 };
+CONST_OID pkcs1MD5WithRSAEncryption[]  		= { PKCS1, 0x04 };
+CONST_OID pkcs1SHA1WithRSAEncryption[] 		= { PKCS1, 0x05 };
+CONST_OID pkcs1SHA256WithRSAEncryption[] 	= { PKCS1, 11 };
+CONST_OID pkcs1SHA384WithRSAEncryption[] 	= { PKCS1, 12 };
+CONST_OID pkcs1SHA512WithRSAEncryption[] 	= { PKCS1, 13 };
+
+CONST_OID pkcs5PbeWithMD2AndDEScbc[]  		= { PKCS5, 0x01 };
+CONST_OID pkcs5PbeWithMD5AndDEScbc[]  		= { PKCS5, 0x03 };
+CONST_OID pkcs5PbeWithSha1AndDEScbc[] 		= { PKCS5, 0x0a };
+CONST_OID pkcs5Pbkdf2[]  			= { PKCS5, 12 };
+CONST_OID pkcs5Pbes2[]  			= { PKCS5, 13 };
+CONST_OID pkcs5Pbmac1[]				= { PKCS5, 14 };
+
+CONST_OID pkcs7[]                     		= { PKCS7 };
+CONST_OID pkcs7Data[]                 		= { PKCS7, 0x01 };
+CONST_OID pkcs7SignedData[]           		= { PKCS7, 0x02 };
+CONST_OID pkcs7EnvelopedData[]        		= { PKCS7, 0x03 };
+CONST_OID pkcs7SignedEnvelopedData[]  		= { PKCS7, 0x04 };
+CONST_OID pkcs7DigestedData[]         		= { PKCS7, 0x05 };
+CONST_OID pkcs7EncryptedData[]        		= { PKCS7, 0x06 };
+
+CONST_OID pkcs9EmailAddress[]                  = { PKCS9, 0x01 };
+CONST_OID pkcs9UnstructuredName[]              = { PKCS9, 0x02 };
+CONST_OID pkcs9ContentType[]                   = { PKCS9, 0x03 };
+CONST_OID pkcs9MessageDigest[]                 = { PKCS9, 0x04 };
+CONST_OID pkcs9SigningTime[]                   = { PKCS9, 0x05 };
+CONST_OID pkcs9CounterSignature[]              = { PKCS9, 0x06 };
+CONST_OID pkcs9ChallengePassword[]             = { PKCS9, 0x07 };
+CONST_OID pkcs9UnstructuredAddress[]           = { PKCS9, 0x08 };
+CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 };
+CONST_OID pkcs9ExtensionRequest[]              = { PKCS9, 14 };
+CONST_OID pkcs9SMIMECapabilities[]             = { PKCS9, 15 };
+CONST_OID pkcs9FriendlyName[]                  = { PKCS9, 20 };
+CONST_OID pkcs9LocalKeyID[]                    = { PKCS9, 21 };
+
+CONST_OID pkcs9X509Certificate[]        	= { PKCS9_CERT_TYPES, 1 };
+CONST_OID pkcs9SDSICertificate[]        	= { PKCS9_CERT_TYPES, 2 };
+CONST_OID pkcs9X509CRL[]                	= { PKCS9_CRL_TYPES, 1 };
+
+/* RFC2630 (CMS) OIDs */
+CONST_OID cmsESDH[]     			= { PKCS9_SMIME_ALGS, 5 };
+CONST_OID cms3DESwrap[] 			= { PKCS9_SMIME_ALGS, 6 };
+CONST_OID cmsRC2wrap[]  			= { PKCS9_SMIME_ALGS, 7 };
+
+/* RFC2633 SMIME message attributes */
+CONST_OID smimeEncryptionKeyPreference[] 	= { PKCS9_SMIME_ATTRS, 11 };
+CONST_OID ms_smimeEncryptionKeyPreference[] 	= { MICROSOFT_OID, 0x10, 0x4 };
+
+CONST_OID x520CommonName[]                      = { X520_ATTRIBUTE_TYPE, 3 };
+CONST_OID x520SurName[]                         = { X520_ATTRIBUTE_TYPE, 4 };
+CONST_OID x520SerialNumber[]                    = { X520_ATTRIBUTE_TYPE, 5 };
+CONST_OID x520CountryName[]                     = { X520_ATTRIBUTE_TYPE, 6 };
+CONST_OID x520LocalityName[]                    = { X520_ATTRIBUTE_TYPE, 7 };
+CONST_OID x520StateOrProvinceName[]             = { X520_ATTRIBUTE_TYPE, 8 };
+CONST_OID x520StreetAddress[]                   = { X520_ATTRIBUTE_TYPE, 9 };
+CONST_OID x520OrgName[]                         = { X520_ATTRIBUTE_TYPE, 10 };
+CONST_OID x520OrgUnitName[]                     = { X520_ATTRIBUTE_TYPE, 11 };
+CONST_OID x520Title[]                           = { X520_ATTRIBUTE_TYPE, 12 };
+CONST_OID x520PostalAddress[]                   = { X520_ATTRIBUTE_TYPE, 16 };
+CONST_OID x520PostalCode[]                      = { X520_ATTRIBUTE_TYPE, 17 };
+CONST_OID x520PostOfficeBox[]                   = { X520_ATTRIBUTE_TYPE, 18 };
+CONST_OID x520GivenName[]                       = { X520_ATTRIBUTE_TYPE, 42 };
+CONST_OID x520Initials[]                        = { X520_ATTRIBUTE_TYPE, 43 };
+CONST_OID x520GenerationQualifier[]             = { X520_ATTRIBUTE_TYPE, 44 };
+CONST_OID x520DnQualifier[]                     = { X520_ATTRIBUTE_TYPE, 46 };
+CONST_OID x520HouseIdentifier[]                 = { X520_ATTRIBUTE_TYPE, 51 };
+CONST_OID x520Pseudonym[]                       = { X520_ATTRIBUTE_TYPE, 65 };
+
+CONST_OID nsTypeGIF[]          			= { NETSCAPE_DATA_TYPE, 0x01 };
+CONST_OID nsTypeJPEG[]         			= { NETSCAPE_DATA_TYPE, 0x02 };
+CONST_OID nsTypeURL[]          			= { NETSCAPE_DATA_TYPE, 0x03 };
+CONST_OID nsTypeHTML[]         			= { NETSCAPE_DATA_TYPE, 0x04 };
+CONST_OID nsTypeCertSeq[]      			= { NETSCAPE_DATA_TYPE, 0x05 };
+
+CONST_OID missiCertKEADSSOld[] 			= { MISSI_OLD_KEA_DSS };
+CONST_OID missiCertDSSOld[]    			= { MISSI_OLD_DSS };
+CONST_OID missiCertKEADSS[]    			= { MISSI_KEA_DSS };
+CONST_OID missiCertDSS[]       			= { MISSI_DSS };
+CONST_OID missiCertKEA[]       			= { MISSI_KEA };
+CONST_OID missiCertAltKEA[]    			= { MISSI_ALT_KEA };
+CONST_OID x500RSAEncryption[]  			= { X500_ALG_ENCRYPTION, 0x01 };
+
+/* added for alg 1485 */
+CONST_OID rfc1274Uid[]             		= { RFC1274_ATTR_TYPE, 1 };
+CONST_OID rfc1274Mail[]            		= { RFC1274_ATTR_TYPE, 3 };
+CONST_OID rfc2247DomainComponent[] 		= { RFC1274_ATTR_TYPE, 25 };
+
+/* Netscape private certificate extensions */
+CONST_OID nsCertExtNetscapeOK[]  		= { NS_CERT_EXT, 1 };
+CONST_OID nsCertExtIssuerLogo[]  		= { NS_CERT_EXT, 2 };
+CONST_OID nsCertExtSubjectLogo[] 		= { NS_CERT_EXT, 3 };
+CONST_OID nsExtCertType[]        		= { NETSCAPE_CERT_EXT, 0x01 };
+CONST_OID nsExtBaseURL[]         		= { NETSCAPE_CERT_EXT, 0x02 };
+CONST_OID nsExtRevocationURL[]   		= { NETSCAPE_CERT_EXT, 0x03 };
+CONST_OID nsExtCARevocationURL[] 		= { NETSCAPE_CERT_EXT, 0x04 };
+CONST_OID nsExtCACRLURL[]        		= { NETSCAPE_CERT_EXT, 0x05 };
+CONST_OID nsExtCACertURL[]       		= { NETSCAPE_CERT_EXT, 0x06 };
+CONST_OID nsExtCertRenewalURL[]  		= { NETSCAPE_CERT_EXT, 0x07 };
+CONST_OID nsExtCAPolicyURL[]     		= { NETSCAPE_CERT_EXT, 0x08 };
+CONST_OID nsExtHomepageURL[]     		= { NETSCAPE_CERT_EXT, 0x09 };
+CONST_OID nsExtEntityLogo[]      		= { NETSCAPE_CERT_EXT, 0x0a };
+CONST_OID nsExtUserPicture[]     		= { NETSCAPE_CERT_EXT, 0x0b };
+CONST_OID nsExtSSLServerName[]   		= { NETSCAPE_CERT_EXT, 0x0c };
+CONST_OID nsExtComment[]         		= { NETSCAPE_CERT_EXT, 0x0d };
+
+/* the following 2 extensions are defined for and used by Cartman(NSM) */
+CONST_OID nsExtLostPasswordURL[] 		= { NETSCAPE_CERT_EXT, 0x0e };
+CONST_OID nsExtCertRenewalTime[] 		= { NETSCAPE_CERT_EXT, 0x0f };
+
+CONST_OID nsExtAIACertRenewal[]    	= { NETSCAPE_CERT_EXT_AIA, 0x01 };
+CONST_OID nsExtCertScopeOfUse[]    	= { NETSCAPE_CERT_EXT, 0x11 };
+/* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */
+
+/* Netscape policy values */
+CONST_OID nsKeyUsageGovtApproved[] 	= { NETSCAPE_POLICY, 0x01 };
+
+/* Netscape other name types */
+CONST_OID netscapeNickname[] 		= { NETSCAPE_NAME_COMPONENTS, 0x01 };
+CONST_OID netscapeAOLScreenname[] 	= { NETSCAPE_NAME_COMPONENTS, 0x02 };
+
+/* OIDs needed for cert server */
+CONST_OID netscapeRecoveryRequest[] 	= { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
+
+
+/* Standard x.509 v3 Certificate & CRL Extensions */
+CONST_OID x509SubjectDirectoryAttr[]  		= { ID_CE_OID,  9 };
+CONST_OID x509SubjectKeyID[]          		= { ID_CE_OID, 14 };
+CONST_OID x509KeyUsage[]              		= { ID_CE_OID, 15 };
+CONST_OID x509PrivateKeyUsagePeriod[] 		= { ID_CE_OID, 16 };
+CONST_OID x509SubjectAltName[]        		= { ID_CE_OID, 17 };
+CONST_OID x509IssuerAltName[]         		= { ID_CE_OID, 18 };
+CONST_OID x509BasicConstraints[]      		= { ID_CE_OID, 19 };
+CONST_OID x509CRLNumber[]                    	= { ID_CE_OID, 20 };
+CONST_OID x509ReasonCode[]                   	= { ID_CE_OID, 21 };
+CONST_OID x509HoldInstructionCode[]             = { ID_CE_OID, 23 };
+CONST_OID x509InvalidDate[]                     = { ID_CE_OID, 24 };
+CONST_OID x509DeltaCRLIndicator[]               = { ID_CE_OID, 27 };
+CONST_OID x509IssuingDistributionPoint[]        = { ID_CE_OID, 28 };
+CONST_OID x509CertIssuer[]                      = { ID_CE_OID, 29 };
+CONST_OID x509NameConstraints[]       		= { ID_CE_OID, 30 };
+CONST_OID x509CRLDistPoints[]         		= { ID_CE_OID, 31 };
+CONST_OID x509CertificatePolicies[]   		= { ID_CE_OID, 32 };
+CONST_OID x509PolicyMappings[]        		= { ID_CE_OID, 33 };
+CONST_OID x509AuthKeyID[]             		= { ID_CE_OID, 35 };
+CONST_OID x509PolicyConstraints[]     		= { ID_CE_OID, 36 };
+CONST_OID x509ExtKeyUsage[]           		= { ID_CE_OID, 37 };
+CONST_OID x509FreshestCRL[]           		= { ID_CE_OID, 46 };
+CONST_OID x509InhibitAnyPolicy[]           	= { ID_CE_OID, 54 };
+
+CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS,  1 };
+CONST_OID x509SubjectInfoAccess[]               = { PKIX_CERT_EXTENSIONS, 11 };
+
+CONST_OID x509SIATimeStamping[]                 = {PKIX_ACCESS_DESCRIPTION, 0x03};
+CONST_OID x509SIACaRepository[]                 = {PKIX_ACCESS_DESCRIPTION, 0x05};
+
+/* pkcs 12 additions */
+CONST_OID pkcs12[]                           = { PKCS12 };
+CONST_OID pkcs12ModeIDs[]                    = { PKCS12_MODE_IDS };
+CONST_OID pkcs12ESPVKIDs[]                   = { PKCS12_ESPVK_IDS };
+CONST_OID pkcs12BagIDs[]                     = { PKCS12_BAG_IDS };
+CONST_OID pkcs12CertBagIDs[]                 = { PKCS12_CERT_BAG_IDS };
+CONST_OID pkcs12OIDs[]                       = { PKCS12_OIDS };
+CONST_OID pkcs12PBEIDs[]                     = { PKCS12_PBE_IDS };
+CONST_OID pkcs12EnvelopingIDs[]              = { PKCS12_ENVELOPING_IDS };
+CONST_OID pkcs12SignatureIDs[]               = { PKCS12_SIGNATURE_IDS };
+CONST_OID pkcs12PKCS8KeyShrouding[]          = { PKCS12_ESPVK_IDS, 0x01 };
+CONST_OID pkcs12KeyBagID[]                   = { PKCS12_BAG_IDS, 0x01 };
+CONST_OID pkcs12CertAndCRLBagID[]            = { PKCS12_BAG_IDS, 0x02 };
+CONST_OID pkcs12SecretBagID[]                = { PKCS12_BAG_IDS, 0x03 };
+CONST_OID pkcs12X509CertCRLBag[]             = { PKCS12_CERT_BAG_IDS, 0x01 };
+CONST_OID pkcs12SDSICertBag[]                = { PKCS12_CERT_BAG_IDS, 0x02 };
+CONST_OID pkcs12PBEWithSha1And128BitRC4[]    = { PKCS12_PBE_IDS, 0x01 };
+CONST_OID pkcs12PBEWithSha1And40BitRC4[]     = { PKCS12_PBE_IDS, 0x02 };
+CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 };
+CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 };
+CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[]  = { PKCS12_PBE_IDS, 0x05 };
+CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 };
+CONST_OID pkcs12RSAEncryptionWith40BitRC4[]  = { PKCS12_ENVELOPING_IDS, 0x02 };
+CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 
+CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 };
+
+/* pkcs 12 version 1.0 ids */
+CONST_OID pkcs12V2PBEWithSha1And128BitRC4[]       = { PKCS12_V2_PBE_IDS, 0x01 };
+CONST_OID pkcs12V2PBEWithSha1And40BitRC4[]        = { PKCS12_V2_PBE_IDS, 0x02 };
+CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x03 };
+CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x04 };
+CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[]    = { PKCS12_V2_PBE_IDS, 0x05 };
+CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[]     = { PKCS12_V2_PBE_IDS, 0x06 };
+
+CONST_OID pkcs12SafeContentsID[]                  = { PKCS12_BAG_IDS, 0x04 };
+CONST_OID pkcs12PKCS8ShroudedKeyBagID[]           = { PKCS12_BAG_IDS, 0x05 };
+
+CONST_OID pkcs12V1KeyBag[]              	= { PKCS12_V1_BAG_IDS, 0x01 };
+CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] 	= { PKCS12_V1_BAG_IDS, 0x02 };
+CONST_OID pkcs12V1CertBag[]             	= { PKCS12_V1_BAG_IDS, 0x03 };
+CONST_OID pkcs12V1CRLBag[]              	= { PKCS12_V1_BAG_IDS, 0x04 };
+CONST_OID pkcs12V1SecretBag[]           	= { PKCS12_V1_BAG_IDS, 0x05 };
+CONST_OID pkcs12V1SafeContentsBag[]     	= { PKCS12_V1_BAG_IDS, 0x06 };
+
+/* The following encoding is INCORRECT, but correcting it would create a
+ * duplicate OID in the table.  So, we will leave it alone.
+ */
+CONST_OID pkcs12KeyUsageAttr[]          	= { 2, 5, 29, 15 };
+
+CONST_OID ansix9DSASignature[]               	= { ANSI_X9_ALGORITHM, 0x01 };
+CONST_OID ansix9DSASignaturewithSHA1Digest[] 	= { ANSI_X9_ALGORITHM, 0x03 };
+
+/* verisign OIDs */
+CONST_OID verisignUserNotices[]     		= { VERISIGN, 1, 7, 1, 1 };
+
+/* pkix OIDs */
+CONST_OID pkixCPSPointerQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 1 };
+CONST_OID pkixUserNoticeQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 2 };
+
+CONST_OID pkixOCSP[]				= { PKIX_OCSP };
+CONST_OID pkixOCSPBasicResponse[]		= { PKIX_OCSP, 1 };
+CONST_OID pkixOCSPNonce[]			= { PKIX_OCSP, 2 };
+CONST_OID pkixOCSPCRL[] 			= { PKIX_OCSP, 3 };
+CONST_OID pkixOCSPResponse[]			= { PKIX_OCSP, 4 };
+CONST_OID pkixOCSPNoCheck[]			= { PKIX_OCSP, 5 };
+CONST_OID pkixOCSPArchiveCutoff[]		= { PKIX_OCSP, 6 };
+CONST_OID pkixOCSPServiceLocator[]		= { PKIX_OCSP, 7 };
+
+CONST_OID pkixCAIssuers[]			= { PKIX_CA_ISSUERS };
+
+CONST_OID pkixRegCtrlRegToken[]       		= { PKIX_ID_REGCTRL, 1};
+CONST_OID pkixRegCtrlAuthenticator[]  		= { PKIX_ID_REGCTRL, 2};
+CONST_OID pkixRegCtrlPKIPubInfo[]     		= { PKIX_ID_REGCTRL, 3};
+CONST_OID pkixRegCtrlPKIArchOptions[] 		= { PKIX_ID_REGCTRL, 4};
+CONST_OID pkixRegCtrlOldCertID[]      		= { PKIX_ID_REGCTRL, 5};
+CONST_OID pkixRegCtrlProtEncKey[]     		= { PKIX_ID_REGCTRL, 6};
+CONST_OID pkixRegInfoUTF8Pairs[]      		= { PKIX_ID_REGINFO, 1};
+CONST_OID pkixRegInfoCertReq[]        		= { PKIX_ID_REGINFO, 2};
+
+CONST_OID pkixExtendedKeyUsageServerAuth[]    	= { PKIX_KEY_USAGE, 1 };
+CONST_OID pkixExtendedKeyUsageClientAuth[]    	= { PKIX_KEY_USAGE, 2 };
+CONST_OID pkixExtendedKeyUsageCodeSign[]      	= { PKIX_KEY_USAGE, 3 };
+CONST_OID pkixExtendedKeyUsageEMailProtect[]  	= { PKIX_KEY_USAGE, 4 };
+CONST_OID pkixExtendedKeyUsageTimeStamp[]     	= { PKIX_KEY_USAGE, 8 };
+CONST_OID pkixOCSPResponderExtendedKeyUsage[] 	= { PKIX_KEY_USAGE, 9 };
+
+/* OIDs for Netscape defined algorithms */
+CONST_OID netscapeSMimeKEA[] 			= { NETSCAPE_ALGS, 0x01 };
+
+/* Fortezza algorithm OIDs */
+CONST_OID skipjackCBC[] 			= { FORTEZZA_ALG, 0x04 };
+CONST_OID dhPublicKey[] 			= { ANSI_X942_ALGORITHM, 0x1 };
+
+CONST_OID aes128_ECB[] 				= { AES, 1 };
+CONST_OID aes128_CBC[] 				= { AES, 2 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes128_OFB[] 				= { AES, 3 };
+CONST_OID aes128_CFB[] 				= { AES, 4 };
+#endif
+CONST_OID aes128_KEY_WRAP[]			= { AES, 5 };
+
+CONST_OID aes192_ECB[] 				= { AES, 21 };
+CONST_OID aes192_CBC[] 				= { AES, 22 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes192_OFB[] 				= { AES, 23 };
+CONST_OID aes192_CFB[] 				= { AES, 24 };
+#endif
+CONST_OID aes192_KEY_WRAP[]			= { AES, 25 };
+
+CONST_OID aes256_ECB[] 				= { AES, 41 };
+CONST_OID aes256_CBC[] 				= { AES, 42 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes256_OFB[] 				= { AES, 43 };
+CONST_OID aes256_CFB[] 				= { AES, 44 };
+#endif
+CONST_OID aes256_KEY_WRAP[]			= { AES, 45 };
+
+CONST_OID camellia128_CBC[]			= { CAMELLIA_ENCRYPT_OID, 2};
+CONST_OID camellia192_CBC[]			= { CAMELLIA_ENCRYPT_OID, 3};
+CONST_OID camellia256_CBC[]			= { CAMELLIA_ENCRYPT_OID, 4};
+CONST_OID camellia128_KEY_WRAP[]		= { CAMELLIA_WRAP_OID, 2};
+CONST_OID camellia192_KEY_WRAP[]		= { CAMELLIA_WRAP_OID, 3};
+CONST_OID camellia256_KEY_WRAP[]		= { CAMELLIA_WRAP_OID, 4};
+
+CONST_OID sha256[]                              = { SHAXXX, 1 };
+CONST_OID sha384[]                              = { SHAXXX, 2 };
+CONST_OID sha512[]                              = { SHAXXX, 3 };
+
+CONST_OID ansix962ECPublicKey[]             = { ANSI_X962_OID, 0x02, 0x01 };
+CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 };
+CONST_OID ansix962SignatureRecommended[]    = { ANSI_X962_SIGNATURE_OID, 0x02 };
+CONST_OID ansix962SignatureSpecified[]      = { ANSI_X962_SPECIFY_OID };
+CONST_OID ansix962SignaturewithSHA224Digest[] = { ANSI_X962_SPECIFY_OID, 0x01 };
+CONST_OID ansix962SignaturewithSHA256Digest[] = { ANSI_X962_SPECIFY_OID, 0x02 };
+CONST_OID ansix962SignaturewithSHA384Digest[] = { ANSI_X962_SPECIFY_OID, 0x03 };
+CONST_OID ansix962SignaturewithSHA512Digest[] = { ANSI_X962_SPECIFY_OID, 0x04 };
+
+/* ANSI X9.62 prime curve OIDs */
+/* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the
+ * same as secp256r1
+ */
+CONST_OID ansiX962prime192v1[] = { ANSI_X962_GFp_OID, 0x01 };
+CONST_OID ansiX962prime192v2[] = { ANSI_X962_GFp_OID, 0x02 };
+CONST_OID ansiX962prime192v3[] = { ANSI_X962_GFp_OID, 0x03 };
+CONST_OID ansiX962prime239v1[] = { ANSI_X962_GFp_OID, 0x04 };
+CONST_OID ansiX962prime239v2[] = { ANSI_X962_GFp_OID, 0x05 };
+CONST_OID ansiX962prime239v3[] = { ANSI_X962_GFp_OID, 0x06 };
+CONST_OID ansiX962prime256v1[] = { ANSI_X962_GFp_OID, 0x07 };
+
+/* SECG prime curve OIDs */
+CONST_OID secgECsecp112r1[] = { SECG_OID, 0x06 };
+CONST_OID secgECsecp112r2[] = { SECG_OID, 0x07 };
+CONST_OID secgECsecp128r1[] = { SECG_OID, 0x1c };
+CONST_OID secgECsecp128r2[] = { SECG_OID, 0x1d };
+CONST_OID secgECsecp160k1[] = { SECG_OID, 0x09 };
+CONST_OID secgECsecp160r1[] = { SECG_OID, 0x08 };
+CONST_OID secgECsecp160r2[] = { SECG_OID, 0x1e };
+CONST_OID secgECsecp192k1[] = { SECG_OID, 0x1f };
+CONST_OID secgECsecp224k1[] = { SECG_OID, 0x20 };
+CONST_OID secgECsecp224r1[] = { SECG_OID, 0x21 };
+CONST_OID secgECsecp256k1[] = { SECG_OID, 0x0a };
+CONST_OID secgECsecp384r1[] = { SECG_OID, 0x22 };
+CONST_OID secgECsecp521r1[] = { SECG_OID, 0x23 };
+
+/* ANSI X9.62 characteristic two curve OIDs */
+CONST_OID ansiX962c2pnb163v1[] = { ANSI_X962_GF2m_OID, 0x01 };
+CONST_OID ansiX962c2pnb163v2[] = { ANSI_X962_GF2m_OID, 0x02 };
+CONST_OID ansiX962c2pnb163v3[] = { ANSI_X962_GF2m_OID, 0x03 };
+CONST_OID ansiX962c2pnb176v1[] = { ANSI_X962_GF2m_OID, 0x04 };
+CONST_OID ansiX962c2tnb191v1[] = { ANSI_X962_GF2m_OID, 0x05 };
+CONST_OID ansiX962c2tnb191v2[] = { ANSI_X962_GF2m_OID, 0x06 };
+CONST_OID ansiX962c2tnb191v3[] = { ANSI_X962_GF2m_OID, 0x07 };
+CONST_OID ansiX962c2onb191v4[] = { ANSI_X962_GF2m_OID, 0x08 };
+CONST_OID ansiX962c2onb191v5[] = { ANSI_X962_GF2m_OID, 0x09 };
+CONST_OID ansiX962c2pnb208w1[] = { ANSI_X962_GF2m_OID, 0x0a };
+CONST_OID ansiX962c2tnb239v1[] = { ANSI_X962_GF2m_OID, 0x0b };
+CONST_OID ansiX962c2tnb239v2[] = { ANSI_X962_GF2m_OID, 0x0c };
+CONST_OID ansiX962c2tnb239v3[] = { ANSI_X962_GF2m_OID, 0x0d };
+CONST_OID ansiX962c2onb239v4[] = { ANSI_X962_GF2m_OID, 0x0e };
+CONST_OID ansiX962c2onb239v5[] = { ANSI_X962_GF2m_OID, 0x0f };
+CONST_OID ansiX962c2pnb272w1[] = { ANSI_X962_GF2m_OID, 0x10 };
+CONST_OID ansiX962c2pnb304w1[] = { ANSI_X962_GF2m_OID, 0x11 };
+CONST_OID ansiX962c2tnb359v1[] = { ANSI_X962_GF2m_OID, 0x12 };
+CONST_OID ansiX962c2pnb368w1[] = { ANSI_X962_GF2m_OID, 0x13 };
+CONST_OID ansiX962c2tnb431r1[] = { ANSI_X962_GF2m_OID, 0x14 };
+
+/* SECG characterisitic two curve OIDs */
+CONST_OID secgECsect113r1[] = {SECG_OID, 0x04 };
+CONST_OID secgECsect113r2[] = {SECG_OID, 0x05 };
+CONST_OID secgECsect131r1[] = {SECG_OID, 0x16 };
+CONST_OID secgECsect131r2[] = {SECG_OID, 0x17 };
+CONST_OID secgECsect163k1[] = {SECG_OID, 0x01 };
+CONST_OID secgECsect163r1[] = {SECG_OID, 0x02 };
+CONST_OID secgECsect163r2[] = {SECG_OID, 0x0f };
+CONST_OID secgECsect193r1[] = {SECG_OID, 0x18 };
+CONST_OID secgECsect193r2[] = {SECG_OID, 0x19 };
+CONST_OID secgECsect233k1[] = {SECG_OID, 0x1a };
+CONST_OID secgECsect233r1[] = {SECG_OID, 0x1b };
+CONST_OID secgECsect239k1[] = {SECG_OID, 0x03 };
+CONST_OID secgECsect283k1[] = {SECG_OID, 0x10 };
+CONST_OID secgECsect283r1[] = {SECG_OID, 0x11 };
+CONST_OID secgECsect409k1[] = {SECG_OID, 0x24 };
+CONST_OID secgECsect409r1[] = {SECG_OID, 0x25 };
+CONST_OID secgECsect571k1[] = {SECG_OID, 0x26 };
+CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
+
+#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
+#ifndef SECOID_NO_STRINGS
+#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
+#else
+#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
+#endif
+
+#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
+#define FAKE_SUPPORTED_CERT_EXTENSION   SUPPORTED_CERT_EXTENSION
+#else
+#define FAKE_SUPPORTED_CERT_EXTENSION UNSUPPORTED_CERT_EXTENSION
+#endif
+
+/*
+ * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
+ */
+const static SECOidData oids[] = {
+    { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
+	"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
+    OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
+    OD( md4, SEC_OID_MD4,
+	"MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION ),
+    OD( sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION ),
+    OD( rc2cbc, SEC_OID_RC2_CBC,
+	"RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION ),
+    OD( desede3cbc, SEC_OID_DES_EDE3_CBC,
+	"DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION ),
+    OD( rc5cbcpad, SEC_OID_RC5_CBC_PAD,
+	"RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION ),
+    OD( desecb, SEC_OID_DES_ECB,
+	"DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION ),
+    OD( descbc, SEC_OID_DES_CBC,
+	"DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( desofb, SEC_OID_DES_OFB,
+	"DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( descfb, SEC_OID_DES_CFB,
+	"DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( desmac, SEC_OID_DES_MAC,
+	"DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION ),
+    OD( desede, SEC_OID_DES_EDE,
+	"DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
+	"ISO SHA with RSA Signature", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION,
+	"PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION ),
+
+    /* the following Signing mechanisms should get new CKM_ values when
+     * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in
+     * PKCS #11.
+     */
+    OD( pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD4 With RSA Encryption", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
+	"PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+
+    OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with MD2 and DES CBC",
+	CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with MD5 and DES CBC",
+	CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with SHA1 and DES CBC", 
+	CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs7, SEC_OID_PKCS7,
+	"PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7Data, SEC_OID_PKCS7_DATA,
+	"PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA,
+	"PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA,
+	"PKCS #7 Enveloped Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
+	"PKCS #7 Signed And Enveloped Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA,
+	"PKCS #7 Digested Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA,
+	"PKCS #7 Encrypted Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS,
+	"PKCS #9 Email Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME,
+	"PKCS #9 Unstructured Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE,
+	"PKCS #9 Content Type", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST,
+	"PKCS #9 Message Digest", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME,
+	"PKCS #9 Signing Time", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE,
+	"PKCS #9 Counter Signature", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD,
+	"PKCS #9 Challenge Password", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
+	"PKCS #9 Unstructured Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ExtendedCertificateAttributes,
+	SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
+	"PKCS #9 Extended Certificate Attributes", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES,
+	"PKCS #9 S/MIME Capabilities", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520CommonName, SEC_OID_AVA_COMMON_NAME,
+	"X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520CountryName, SEC_OID_AVA_COUNTRY_NAME,
+	"X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520LocalityName, SEC_OID_AVA_LOCALITY,
+	"X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE,
+	"X520 State Or Province Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME,
+	"X520 Organization Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
+	"X520 Organizational Unit Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER,
+	"X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( rfc2247DomainComponent, SEC_OID_AVA_DC,
+	"RFC 2247 Domain Component", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( nsTypeGIF, SEC_OID_NS_TYPE_GIF,
+	"GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeJPEG, SEC_OID_NS_TYPE_JPEG,
+	"JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeURL, SEC_OID_NS_TYPE_URL,
+	"URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeHTML, SEC_OID_NS_TYPE_HTML,
+	"HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE,
+	"Certificate Sequence", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD, 
+	"MISSI KEA and DSS Algorithm (Old)",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertDSSOld, SEC_OID_MISSI_DSS_OLD, 
+	"MISSI DSS Algorithm (Old)",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEADSS, SEC_OID_MISSI_KEA_DSS, 
+	"MISSI KEA and DSS Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertDSS, SEC_OID_MISSI_DSS, 
+	"MISSI DSS Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEA, SEC_OID_MISSI_KEA, 
+	"MISSI KEA Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertAltKEA, SEC_OID_MISSI_ALT_KEA, 
+	"MISSI Alternate KEA Algorithm",
+          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* Netscape private extensions */
+    OD( nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
+	"Netscape says this cert is OK",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
+	"Certificate Issuer Logo",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
+	"Certificate Subject Logo",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE,
+	"Certificate Type",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL,
+	"Certificate Extension Base URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL,
+	"Certificate Revocation URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
+	"Certificate Authority Revocation URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL,
+	"Certificate Authority CRL Download URL",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL,
+	"Certificate Authority Certificate Download URL",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
+	"Certificate Renewal URL", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ), 
+    OD( nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
+	"Certificate Authority Policy URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
+	"Certificate Homepage URL", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
+	"Certificate Entity Logo", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE,
+	"Certificate User Picture", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
+	"Certificate SSL Server Name", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT,
+	"Certificate Comment", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
+        "Lost Password URL", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME, 
+	"Certificate Renewal Time", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
+	"Strong Crypto Export Approved",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+
+
+    /* x.509 v3 certificate extensions */
+    OD( x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
+	"Certificate Subject Directory Attributes",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
+    OD( x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID, 
+	"Certificate Subject Key ID",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509KeyUsage, SEC_OID_X509_KEY_USAGE, 
+	"Certificate Key Usage",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
+	"Certificate Private Key Usage Period",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME, 
+	"Certificate Subject Alt Name",
+        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 
+	"Certificate Issuer Alt Name",
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 
+	"Certificate Basic Constraints",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS, 
+	"Certificate Name Constraints",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 
+	"CRL Distribution Points",
+	CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
+ 	"Certificate Policies",
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 
+ 	"Certificate Policy Mappings",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 
+ 	"Certificate Policy Constraints",
+        CKM_INVALID_MECHANISM, FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 
+	"Certificate Authority Key Identifier",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE, 
+	"Extended Key Usage",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS, 
+	"Authority Information Access",
+        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+
+    /* x.509 v3 CRL extensions */
+    OD( x509CRLNumber, SEC_OID_X509_CRL_NUMBER, 
+	"CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509ReasonCode, SEC_OID_X509_REASON_CODE, 
+	"CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509InvalidDate, SEC_OID_X509_INVALID_DATE, 
+	"Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+	
+    OD( x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION,
+	"X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION ),
+
+    /* added for alg 1485 */
+    OD( rfc1274Uid, SEC_OID_RFC1274_UID,
+	"RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( rfc1274Mail, SEC_OID_RFC1274_MAIL,
+	"RFC1274 E-mail Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* pkcs 12 additions */
+    OD( pkcs12, SEC_OID_PKCS12,
+	"PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS,
+	"PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS,
+	"PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS,
+	"PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS,
+	"PKCS #12 Cert Bag IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12OIDs, SEC_OID_PKCS12_OIDS,
+	"PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS,
+	"PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS,
+	"PKCS #12 Signature IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS,
+	"PKCS #12 Enveloping IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
+	"PKCS #12 Key Shrouding", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID,
+	"PKCS #12 Key Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
+	"PKCS #12 Cert And CRL Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID,
+	"PKCS #12 Secret Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG,
+	"PKCS #12 X509 Cert CRL Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG,
+	"PKCS #12 SDSI Cert Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And128BitRC4,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
+	"PKCS #12 PBE With Sha1 and 128 Bit RC4", 
+	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And40BitRC4,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
+	"PKCS #12 PBE With Sha1 and 40 Bit RC4", 
+	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1AndTripleDESCBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
+	"PKCS #12 PBE With Sha1 and Triple DES CBC", 
+	CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And128BitRC2CBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
+	"PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC", 
+	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And40BitRC2CBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
+	"PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC", 
+	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWith128BitRC4,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
+	"PKCS #12 RSA Encryption with 128 Bit RC4",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWith40BitRC4,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
+	"PKCS #12 RSA Encryption with 40 Bit RC4",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWithTripleDES,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
+	"PKCS #12 RSA Encryption with Triple DES",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSASignatureWithSHA1Digest,
+	SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"PKCS #12 RSA Encryption with Triple DES",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* DSA signatures */
+    OD( ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE,
+	"ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION ),
+    OD( ansix9DSASignaturewithSHA1Digest,
+        SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"ANSI X9.57 DSA Signature with SHA1 Digest", 
+	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+    OD( bogusDSASignaturewithSHA1Digest,
+        SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"FORTEZZA DSA Signature with SHA1 Digest", 
+	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+
+    /* verisign oids */
+    OD( verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES,
+	"Verisign User Notices", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* pkix oids */
+    OD( pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
+	"PKIX CPS Pointer Qualifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
+	"PKIX User Notice Qualifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkixOCSP, SEC_OID_PKIX_OCSP,
+	"PKIX Online Certificate Status Protocol", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
+	"OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE,
+	"OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL,
+	"OCSP CRL Reference Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE,
+	"OCSP Response Types Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK,
+	"OCSP No Check Extension", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
+	"OCSP Archive Cutoff Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+	"OCSP Service Locator Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN,
+        "PKIX CRMF Registration Control, Registration Token", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
+        "PKIX CRMF Registration Control, Registration Authenticator", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
+        "PKIX CRMF Registration Control, PKI Publication Info", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlPKIArchOptions,
+        SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
+        "PKIX CRMF Registration Control, PKI Archive Options", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
+        "PKIX CRMF Registration Control, Old Certificate ID", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
+        "PKIX CRMF Registration Control, Protocol Encryption Key", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
+        "PKIX CRMF Registration Info, UTF8 Pairs", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST,
+        "PKIX CRMF Registration Info, Certificate Request", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageServerAuth,
+        SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
+        "TLS Web Server Authentication Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageClientAuth,
+        SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
+        "TLS Web Client Authentication Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
+        "Code Signing Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageEMailProtect,
+        SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
+        "E-Mail Protection Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageTimeStamp,
+        SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
+        "Time Stamping Certifcate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER,
+          "OCSP Responder Certificate",
+          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+    /* Netscape Algorithm OIDs */
+
+    OD( netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA,
+	"Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+      /* Skipjack OID -- ### mwelch temporary */
+    OD( skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK,
+	"Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION ),
+
+    /* pkcs12 v2 oids */
+    OD( pkcs12V2PBEWithSha1And128BitRC4,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
+	"PKCS12 V2 PBE With SHA1 And 128 Bit RC4", 
+	CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And40BitRC4,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
+	"PKCS12 V2 PBE With SHA1 And 40 Bit RC4", 
+	CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
+	"PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc", 
+	CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
+	"PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc", 
+	CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And128BitRC2cbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
+	"PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC", 
+	CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And40BitRC2cbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
+	"PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC", 
+	CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
+	"PKCS #12 Safe Contents ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PKCS8ShroudedKeyBagID,
+	SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
+	"PKCS #12 Safe Contents ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID,
+	"PKCS #12 V1 Key Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1PKCS8ShroudedKeyBag,
+	SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
+	"PKCS #12 V1 PKCS8 Shrouded Key Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID,
+	"PKCS #12 V1 Cert Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID,
+	"PKCS #12 V1 CRL Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID,
+	"PKCS #12 V1 Secret Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
+	"PKCS #12 V1 Safe Contents Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT,
+	"PKCS #9 X509 Certificate", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT,
+	"PKCS #9 SDSI Certificate", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL,
+	"PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME,
+	"PKCS #9 Friendly Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
+	"PKCS #9 Local Key ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 
+    OD( pkcs12KeyUsageAttr, SEC_OID_BOGUS_KEY_USAGE,
+	"Bogus Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
+	"Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
+	INVALID_CERT_EXTENSION ),
+    OD( netscapeNickname, SEC_OID_NETSCAPE_NICKNAME,
+	"Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* Cert Server specific OIDs */
+    OD( netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST,
+        "Recovery Request OID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR,
+        "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
+        INVALID_CERT_EXTENSION ), 
+
+    OD( nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
+        "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
+        SUPPORTED_CERT_EXTENSION ),
+
+    /* CMS stuff */
+    OD( cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
+        "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
+        "CMS 3DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
+        "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
+	"S/MIME Encryption Key Preference", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* AES algorithm OIDs */
+    OD( aes128_ECB, SEC_OID_AES_128_ECB,
+	"AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes128_CBC, SEC_OID_AES_128_CBC,
+	"AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+    OD( aes192_ECB, SEC_OID_AES_192_ECB,
+	"AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes192_CBC, SEC_OID_AES_192_CBC,
+	"AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+    OD( aes256_ECB, SEC_OID_AES_256_ECB,
+	"AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes256_CBC, SEC_OID_AES_256_CBC,
+	"AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+
+    /* More bogus DSA OIDs */
+    OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 
+	"SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+
+    OD( ms_smimeEncryptionKeyPreference, 
+        SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE,
+	"Microsoft S/MIME Encryption Key Preference", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( sha256, SEC_OID_SHA256, "SHA-256", CKM_SHA256, INVALID_CERT_EXTENSION),
+    OD( sha384, SEC_OID_SHA384, "SHA-384", CKM_SHA384, INVALID_CERT_EXTENSION),
+    OD( sha512, SEC_OID_SHA512, "SHA-512", CKM_SHA512, INVALID_CERT_EXTENSION),
+
+    OD( pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
+	"PKCS #1 SHA-256 With RSA Encryption", CKM_SHA256_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION,
+	"PKCS #1 SHA-384 With RSA Encryption", CKM_SHA384_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION,
+	"PKCS #1 SHA-512 With RSA Encryption", CKM_SHA512_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+
+    OD( aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP,
+	"AES-128 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
+    OD( aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP,
+	"AES-192 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
+    OD( aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP,
+	"AES-256 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
+
+    /* Elliptic Curve Cryptography (ECC) OIDs */
+    OD( ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+	"X9.62 elliptic curve public key", CKM_ECDH1_DERIVE,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignaturewithSHA1Digest, 
+	SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
+	"X9.62 ECDSA signature with SHA1", CKM_ECDSA_SHA1,
+	INVALID_CERT_EXTENSION ),
+
+    /* Named curves */
+
+    /* ANSI X9.62 named elliptic curves (prime field) */
+    OD( ansiX962prime192v1, SEC_OID_ANSIX962_EC_PRIME192V1,
+	"ANSI X9.62 elliptic curve prime192v1 (aka secp192r1, NIST P-192)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime192v2, SEC_OID_ANSIX962_EC_PRIME192V2,
+	"ANSI X9.62 elliptic curve prime192v2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime192v3, SEC_OID_ANSIX962_EC_PRIME192V3,
+	"ANSI X9.62 elliptic curve prime192v3", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime239v1, SEC_OID_ANSIX962_EC_PRIME239V1,
+	"ANSI X9.62 elliptic curve prime239v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime239v2, SEC_OID_ANSIX962_EC_PRIME239V2,
+	"ANSI X9.62 elliptic curve prime239v2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime239v3, SEC_OID_ANSIX962_EC_PRIME239V3,
+	"ANSI X9.62 elliptic curve prime239v3", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962prime256v1, SEC_OID_ANSIX962_EC_PRIME256V1,
+	"ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    /* SECG named elliptic curves (prime field) */
+    OD( secgECsecp112r1, SEC_OID_SECG_EC_SECP112R1,
+	"SECG elliptic curve secp112r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp112r2, SEC_OID_SECG_EC_SECP112R2,
+	"SECG elliptic curve secp112r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp128r1, SEC_OID_SECG_EC_SECP128R1,
+	"SECG elliptic curve secp128r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp128r2, SEC_OID_SECG_EC_SECP128R2,
+	"SECG elliptic curve secp128r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp160k1, SEC_OID_SECG_EC_SECP160K1,
+	"SECG elliptic curve secp160k1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp160r1, SEC_OID_SECG_EC_SECP160R1,
+	"SECG elliptic curve secp160r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp160r2, SEC_OID_SECG_EC_SECP160R2,
+	"SECG elliptic curve secp160r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp192k1, SEC_OID_SECG_EC_SECP192K1,
+	"SECG elliptic curve secp192k1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp224k1, SEC_OID_SECG_EC_SECP224K1,
+	"SECG elliptic curve secp224k1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp224r1, SEC_OID_SECG_EC_SECP224R1,
+	"SECG elliptic curve secp224r1 (aka NIST P-224)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp256k1, SEC_OID_SECG_EC_SECP256K1,
+	"SECG elliptic curve secp256k1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp384r1, SEC_OID_SECG_EC_SECP384R1,
+	"SECG elliptic curve secp384r1 (aka NIST P-384)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsecp521r1, SEC_OID_SECG_EC_SECP521R1,
+	"SECG elliptic curve secp521r1 (aka NIST P-521)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    /* ANSI X9.62 named elliptic curves (characteristic two field) */
+    OD( ansiX962c2pnb163v1, SEC_OID_ANSIX962_EC_C2PNB163V1,
+	"ANSI X9.62 elliptic curve c2pnb163v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb163v2, SEC_OID_ANSIX962_EC_C2PNB163V2,
+	"ANSI X9.62 elliptic curve c2pnb163v2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb163v3, SEC_OID_ANSIX962_EC_C2PNB163V3,
+	"ANSI X9.62 elliptic curve c2pnb163v3", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb176v1, SEC_OID_ANSIX962_EC_C2PNB176V1,
+	"ANSI X9.62 elliptic curve c2pnb176v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb191v1, SEC_OID_ANSIX962_EC_C2TNB191V1,
+	"ANSI X9.62 elliptic curve c2tnb191v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb191v2, SEC_OID_ANSIX962_EC_C2TNB191V2,
+	"ANSI X9.62 elliptic curve c2tnb191v2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb191v3, SEC_OID_ANSIX962_EC_C2TNB191V3,
+	"ANSI X9.62 elliptic curve c2tnb191v3", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2onb191v4, SEC_OID_ANSIX962_EC_C2ONB191V4,
+	"ANSI X9.62 elliptic curve c2onb191v4", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2onb191v5, SEC_OID_ANSIX962_EC_C2ONB191V5,
+	"ANSI X9.62 elliptic curve c2onb191v5", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb208w1, SEC_OID_ANSIX962_EC_C2PNB208W1,
+	"ANSI X9.62 elliptic curve c2pnb208w1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb239v1, SEC_OID_ANSIX962_EC_C2TNB239V1,
+	"ANSI X9.62 elliptic curve c2tnb239v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb239v2, SEC_OID_ANSIX962_EC_C2TNB239V2,
+	"ANSI X9.62 elliptic curve c2tnb239v2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb239v3, SEC_OID_ANSIX962_EC_C2TNB239V3,
+	"ANSI X9.62 elliptic curve c2tnb239v3", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2onb239v4, SEC_OID_ANSIX962_EC_C2ONB239V4,
+	"ANSI X9.62 elliptic curve c2onb239v4", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2onb239v5, SEC_OID_ANSIX962_EC_C2ONB239V5,
+	"ANSI X9.62 elliptic curve c2onb239v5", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb272w1, SEC_OID_ANSIX962_EC_C2PNB272W1,
+	"ANSI X9.62 elliptic curve c2pnb272w1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb304w1, SEC_OID_ANSIX962_EC_C2PNB304W1,
+	"ANSI X9.62 elliptic curve c2pnb304w1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb359v1, SEC_OID_ANSIX962_EC_C2TNB359V1,
+	"ANSI X9.62 elliptic curve c2tnb359v1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2pnb368w1, SEC_OID_ANSIX962_EC_C2PNB368W1,
+	"ANSI X9.62 elliptic curve c2pnb368w1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansiX962c2tnb431r1, SEC_OID_ANSIX962_EC_C2TNB431R1,
+	"ANSI X9.62 elliptic curve c2tnb431r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    /* SECG named elliptic curves (characterisitic two field) */
+    OD( secgECsect113r1, SEC_OID_SECG_EC_SECT113R1,
+	"SECG elliptic curve sect113r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect113r2, SEC_OID_SECG_EC_SECT113R2,
+	"SECG elliptic curve sect113r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect131r1, SEC_OID_SECG_EC_SECT131R1,
+	"SECG elliptic curve sect131r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect131r2, SEC_OID_SECG_EC_SECT131R2,
+	"SECG elliptic curve sect131r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect163k1, SEC_OID_SECG_EC_SECT163K1,
+	"SECG elliptic curve sect163k1 (aka NIST K-163)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect163r1, SEC_OID_SECG_EC_SECT163R1,
+	"SECG elliptic curve sect163r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect163r2, SEC_OID_SECG_EC_SECT163R2,
+	"SECG elliptic curve sect163r2 (aka NIST B-163)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect193r1, SEC_OID_SECG_EC_SECT193R1,
+	"SECG elliptic curve sect193r1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect193r2, SEC_OID_SECG_EC_SECT193R2,
+	"SECG elliptic curve sect193r2", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect233k1, SEC_OID_SECG_EC_SECT233K1,
+	"SECG elliptic curve sect233k1 (aka NIST K-233)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect233r1, SEC_OID_SECG_EC_SECT233R1,
+	"SECG elliptic curve sect233r1 (aka NIST B-233)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect239k1, SEC_OID_SECG_EC_SECT239K1,
+	"SECG elliptic curve sect239k1", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect283k1, SEC_OID_SECG_EC_SECT283K1,
+	"SECG elliptic curve sect283k1 (aka NIST K-283)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect283r1, SEC_OID_SECG_EC_SECT283R1,
+	"SECG elliptic curve sect283r1 (aka NIST B-283)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect409k1, SEC_OID_SECG_EC_SECT409K1,
+	"SECG elliptic curve sect409k1 (aka NIST K-409)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect409r1, SEC_OID_SECG_EC_SECT409R1,
+	"SECG elliptic curve sect409r1 (aka NIST B-409)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect571k1, SEC_OID_SECG_EC_SECT571K1,
+	"SECG elliptic curve sect571k1 (aka NIST K-571)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( secgECsect571r1, SEC_OID_SECG_EC_SECT571R1,
+	"SECG elliptic curve sect571r1 (aka NIST B-571)", 
+	CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    OD( netscapeAOLScreenname, SEC_OID_NETSCAPE_AOLSCREENNAME,
+	"AOL Screenname", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    OD( x520SurName, SEC_OID_AVA_SURNAME,
+    	"X520 Title",         CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520SerialNumber, SEC_OID_AVA_SERIAL_NUMBER,
+        "X520 Serial Number", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520StreetAddress, SEC_OID_AVA_STREET_ADDRESS,
+        "X520 Street Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520Title, SEC_OID_AVA_TITLE, 
+    	"X520 Title",         CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520PostalAddress, SEC_OID_AVA_POSTAL_ADDRESS,
+    	"X520 Postal Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520PostalCode, SEC_OID_AVA_POSTAL_CODE,
+    	"X520 Postal Code",   CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520PostOfficeBox, SEC_OID_AVA_POST_OFFICE_BOX,
+    	"X520 Post Office Box", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520GivenName, SEC_OID_AVA_GIVEN_NAME,
+    	"X520 Given Name",    CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520Initials, SEC_OID_AVA_INITIALS,
+    	"X520 Initials",      CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520GenerationQualifier, SEC_OID_AVA_GENERATION_QUALIFIER,
+    	"X520 Generation Qualifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520HouseIdentifier, SEC_OID_AVA_HOUSE_IDENTIFIER,
+    	"X520 House Identifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520Pseudonym, SEC_OID_AVA_PSEUDONYM,
+    	"X520 Pseudonym",     CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* More OIDs */
+    OD( pkixCAIssuers, SEC_OID_PKIX_CA_ISSUERS,
+        "PKIX CA issuers access method", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST,
+    	"PKCS #9 Extension Request",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* more ECC Signature Oids */
+    OD( ansix962SignatureRecommended,
+	SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST,
+	"X9.62 ECDSA signature with recommended digest", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignatureSpecified,
+	SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
+	"X9.62 ECDSA signature with specified digest", CKM_ECDSA,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignaturewithSHA224Digest,
+	SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE,
+	"X9.62 ECDSA signature with SHA224", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignaturewithSHA256Digest,
+	SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
+	"X9.62 ECDSA signature with SHA256", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignaturewithSHA384Digest,
+	SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE,
+	"X9.62 ECDSA signature with SHA384", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( ansix962SignaturewithSHA512Digest,
+	SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
+	"X9.62 ECDSA signature with SHA512", CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    /* More id-ce and id-pe OIDs from RFC 3280 */
+    OD( x509HoldInstructionCode,      SEC_OID_X509_HOLD_INSTRUCTION_CODE,
+        "CRL Hold Instruction Code",  CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509DeltaCRLIndicator,        SEC_OID_X509_DELTA_CRL_INDICATOR,
+        "Delta CRL Indicator",        CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509IssuingDistributionPoint, SEC_OID_X509_ISSUING_DISTRIBUTION_POINT,
+        "Issuing Distribution Point", CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509CertIssuer,               SEC_OID_X509_CERT_ISSUER,
+        "Certificate Issuer Extension",CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509FreshestCRL,              SEC_OID_X509_FRESHEST_CRL,
+        "Freshest CRL",               CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509InhibitAnyPolicy,         SEC_OID_X509_INHIBIT_ANY_POLICY,
+        "Inhibit Any Policy",         CKM_INVALID_MECHANISM,
+	FAKE_SUPPORTED_CERT_EXTENSION ),
+    OD( x509SubjectInfoAccess,        SEC_OID_X509_SUBJECT_INFO_ACCESS,
+        "Subject Info Access",        CKM_INVALID_MECHANISM,
+	UNSUPPORTED_CERT_EXTENSION ),
+
+    /* Camellia algorithm OIDs */
+    OD( camellia128_CBC, SEC_OID_CAMELLIA_128_CBC,
+	"CAMELLIA-128-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
+    OD( camellia192_CBC, SEC_OID_CAMELLIA_192_CBC,
+	"CAMELLIA-192-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
+    OD( camellia256_CBC, SEC_OID_CAMELLIA_256_CBC,
+	"CAMELLIA-256-CBC", CKM_CAMELLIA_CBC, INVALID_CERT_EXTENSION ),
+
+    /* PKCS 5 v2 OIDS */
+    OD( pkcs5Pbkdf2, SEC_OID_PKCS5_PBKDF2,
+	"PKCS #5 Password Based Key Dervive Function v2 ", 
+	CKM_PKCS5_PBKD2, INVALID_CERT_EXTENSION ),
+    OD( pkcs5Pbes2, SEC_OID_PKCS5_PBES2,
+	"PKCS #5 Password Based Encryption v2 ", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs5Pbmac1, SEC_OID_PKCS5_PBMAC1,
+	"PKCS #5 Password Based Authentication v1 ", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( hmac_sha1, SEC_OID_HMAC_SHA1, "HMAC SHA-1", 
+	CKM_SHA_1_HMAC, INVALID_CERT_EXTENSION ),
+    OD( hmac_sha224, SEC_OID_HMAC_SHA224, "HMAC SHA-224", 
+	CKM_SHA224_HMAC, INVALID_CERT_EXTENSION ),
+    OD( hmac_sha256, SEC_OID_HMAC_SHA256, "HMAC SHA-256", 
+	CKM_SHA256_HMAC, INVALID_CERT_EXTENSION ),
+    OD( hmac_sha384, SEC_OID_HMAC_SHA384, "HMAC SHA-384", 
+	CKM_SHA384_HMAC, INVALID_CERT_EXTENSION ),
+    OD( hmac_sha512, SEC_OID_HMAC_SHA512, "HMAC SHA-512", 
+	CKM_SHA512_HMAC, INVALID_CERT_EXTENSION ),
+
+    /* SIA extension OIDs */
+    OD( x509SIATimeStamping,          SEC_OID_PKIX_TIMESTAMPING,
+        "SIA Time Stamping",          CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+    OD( x509SIACaRepository,          SEC_OID_PKIX_CA_REPOSITORY,
+        "SIA CA Repository",          CKM_INVALID_MECHANISM,
+	INVALID_CERT_EXTENSION ),
+
+    OD( isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE,
+	"ISO SHA1 with RSA Signature", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+};
+
+/*
+ * now the dynamic table. The dynamic table gets build at init time.
+ * and conceivably gets modified if the user loads new crypto modules.
+ * All this static data, and the allocated data to which it points,
+ * is protected by a global reader/writer lock.  
+ * The c language guarantees that global and static data that is not 
+ * explicitly initialized will be initialized with zeros.  If we 
+ * initialize it with zeros, the data goes into the initialized data
+ * secment, and increases the size of the library.  By leaving it 
+ * uninitialized, it is allocated in BSS, and does NOT increase the 
+ * library size. 
+ */
+static NSSRWLock   * dynOidLock;
+static PLArenaPool * dynOidPool;
+static PLHashTable * dynOidHash;
+static SECOidData ** dynOidTable;	/* not in the pool */
+static int           dynOidEntriesAllocated;
+static int           dynOidEntriesUsed;
+
+/* Creates NSSRWLock and dynOidPool at initialization time.
+*/
+static SECStatus
+secoid_InitDynOidData(void)
+{
+    SECStatus   rv = SECSuccess;
+
+    dynOidLock = NSSRWLock_New(1, "dynamic OID data");
+    if (!dynOidLock) {
+    	return SECFailure; /* Error code should already be set. */
+    }
+    dynOidPool = PORT_NewArena(2048);
+    if (!dynOidPool) {
+        rv = SECFailure /* Error code should already be set. */;
+    }
+    return rv;
+}
+
+/* Add oidData to hash table.  Caller holds write lock dynOidLock. */
+static SECStatus
+secoid_HashDynamicOiddata(const SECOidData * oid)
+{
+    PLHashEntry *entry;
+
+    if (!dynOidHash) {
+        dynOidHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+			PL_CompareValues, NULL, NULL);
+	if ( !dynOidHash ) {
+	    return SECFailure;
+	}
+    }
+
+    entry = PL_HashTableAdd( dynOidHash, &oid->oid, (void *)oid );
+    return entry ? SECSuccess : SECFailure;
+}
+
+
+/*
+ * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
+ * cheaper to rehash the table when it changes than it is to do the loop
+ * each time. 
+ */
+static SECOidData *
+secoid_FindDynamic(const SECItem *key) 
+{
+    SECOidData *ret = NULL;
+
+    if (dynOidHash) {
+	NSSRWLock_LockRead(dynOidLock);
+	if (dynOidHash) { /* must check it again with lock held. */
+	    ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
+	}
+	NSSRWLock_UnlockRead(dynOidLock);
+    }
+    if (ret == NULL) {
+	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
+    }
+    return ret;
+}
+
+static SECOidData *
+secoid_FindDynamicByTag(SECOidTag tagnum)
+{
+    SECOidData *data = NULL;
+    int tagNumDiff;
+
+    if (tagnum < SEC_OID_TOTAL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+    tagNumDiff = tagnum - SEC_OID_TOTAL;
+
+    if (dynOidTable) {
+	NSSRWLock_LockRead(dynOidLock);
+	if (dynOidTable != NULL && /* must check it again with lock held. */
+	    tagNumDiff < dynOidEntriesUsed) {
+	    data = dynOidTable[tagNumDiff];
+	}
+	NSSRWLock_UnlockRead(dynOidLock);
+    }
+    if (data == NULL) {
+	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
+    }
+    return data;
+}
+
+/*
+ * This routine is thread safe now.
+ */
+SECOidTag
+SECOID_AddEntry(const SECOidData * src)
+{
+    SECOidData * dst;
+    SECOidData **table;
+    SECOidTag    ret         = SEC_OID_UNKNOWN;
+    SECStatus    rv;
+    int          tableEntries;
+    int          used;
+
+    if (!src || !src->oid.data || !src->oid.len || \
+        !src->desc || !strlen(src->desc)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return ret;
+    }
+    if (src->supportedExtension != INVALID_CERT_EXTENSION     &&
+    	src->supportedExtension != UNSUPPORTED_CERT_EXTENSION &&
+    	src->supportedExtension != SUPPORTED_CERT_EXTENSION     ) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return ret;
+    }
+
+    if (!dynOidPool || !dynOidLock) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+    	return ret;
+    }
+
+    NSSRWLock_LockWrite(dynOidLock);
+
+    /* We've just acquired the write lock, and now we call FindOIDTag
+    ** which will acquire and release the read lock.  NSSRWLock has been
+    ** designed to allow this very case without deadlock.  This approach 
+    ** makes the test for the presence of the OID, and the subsequent 
+    ** addition of the OID to the table a single atomic write operation.
+    */
+    ret = SECOID_FindOIDTag(&src->oid);
+    if (ret != SEC_OID_UNKNOWN) {
+    	/* we could return an error here, but I chose not to do that.
+	** This way, if we add an OID to the shared library's built in
+	** list of OIDs in some future release, and that OID is the same
+	** as some OID that a program has been adding, the program will
+	** not suddenly stop working.
+	*/
+	goto done;
+    }
+
+    table        = dynOidTable;
+    tableEntries = dynOidEntriesAllocated;
+    used         = dynOidEntriesUsed;
+
+    if (used + 1 > tableEntries) {
+	SECOidData **newTable;
+	int          newTableEntries = tableEntries + 16;
+
+	newTable = (SECOidData **)PORT_Realloc(table, 
+				       newTableEntries * sizeof(SECOidData *));
+	if (newTable == NULL) {
+	    goto done;
+	}
+	dynOidTable            = table        = newTable;
+	dynOidEntriesAllocated = tableEntries = newTableEntries;
+    }
+
+    /* copy oid structure */
+    dst = PORT_ArenaNew(dynOidPool, SECOidData);
+    if (!dst) {
+    	goto done;
+    }
+    rv  = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+    dst->desc = PORT_ArenaStrdup(dynOidPool, src->desc);
+    if (!dst->desc) {
+	goto done;
+    }
+    dst->offset             = (SECOidTag)(used + SEC_OID_TOTAL);
+    dst->mechanism          = src->mechanism;
+    dst->supportedExtension = src->supportedExtension;
+
+    rv = secoid_HashDynamicOiddata(dst);
+    if ( rv == SECSuccess ) {
+	table[used++] = dst;
+	dynOidEntriesUsed = used;
+	ret = dst->offset;
+    }
+done:
+    NSSRWLock_UnlockWrite(dynOidLock);
+    return ret;
+}
+
+
+/* normal static table processing */
+static PLHashTable *oidhash     = NULL;
+static PLHashTable *oidmechhash = NULL;
+
+static PLHashNumber
+secoid_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+
+SECStatus
+SECOID_Init(void)
+{
+    PLHashEntry *entry;
+    const SECOidData *oid;
+    int i;
+
+    if (oidhash) {
+	return SECSuccess; /* already initialized */
+    }
+
+    if (secoid_InitDynOidData() != SECSuccess) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        PORT_Assert(0); /* this function should never fail */
+    	return SECFailure;
+    }
+    
+    oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+			PL_CompareValues, NULL, NULL);
+    oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues,
+			PL_CompareValues, NULL, NULL);
+
+    if ( !oidhash || !oidmechhash) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ 	PORT_Assert(0); /*This function should never fail. */
+	return(SECFailure);
+    }
+
+    for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
+	oid = &oids[i];
+
+	PORT_Assert ( oid->offset == i );
+
+	entry = PL_HashTableAdd( oidhash, &oid->oid, (void *)oid );
+	if ( entry == NULL ) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            PORT_Assert(0); /*This function should never fail. */
+	    return(SECFailure);
+	}
+
+	if ( oid->mechanism != CKM_INVALID_MECHANISM ) {
+	    entry = PL_HashTableAdd( oidmechhash, 
+					(void *)oid->mechanism, (void *)oid );
+	    if ( entry == NULL ) {
+	        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                PORT_Assert(0); /* This function should never fail. */
+		return(SECFailure);
+	    }
+	}
+    }
+
+    PORT_Assert (i == SEC_OID_TOTAL);
+
+    return(SECSuccess);
+}
+
+SECOidData *
+SECOID_FindOIDByMechanism(unsigned long mechanism)
+{
+    SECOidData *ret;
+
+    PR_ASSERT(oidhash != NULL);
+
+    ret = PL_HashTableLookupConst ( oidmechhash, (void *)mechanism);
+    if ( ret == NULL ) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+
+    return (ret);
+}
+
+SECOidData *
+SECOID_FindOID(const SECItem *oid)
+{
+    SECOidData *ret;
+
+    PR_ASSERT(oidhash != NULL);
+    
+    ret = PL_HashTableLookupConst ( oidhash, oid );
+    if ( ret == NULL ) {
+	ret  = secoid_FindDynamic(oid);
+	if (ret == NULL) {
+	    PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
+	}
+    }
+
+    return(ret);
+}
+
+SECOidTag
+SECOID_FindOIDTag(const SECItem *oid)
+{
+    SECOidData *oiddata;
+
+    oiddata = SECOID_FindOID (oid);
+    if (oiddata == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return oiddata->offset;
+}
+
+/* This really should return const. */
+SECOidData *
+SECOID_FindOIDByTag(SECOidTag tagnum)
+{
+
+    if (tagnum >= SEC_OID_TOTAL) {
+	return secoid_FindDynamicByTag(tagnum);
+    }
+
+    PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
+    return (SECOidData *)(&oids[tagnum]);
+}
+
+PRBool SECOID_KnownCertExtenOID (SECItem *extenOid)
+{
+    SECOidData * oidData;
+
+    oidData = SECOID_FindOID (extenOid);
+    if (oidData == (SECOidData *)NULL)
+	return (PR_FALSE);
+    return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ?
+            PR_TRUE : PR_FALSE);
+}
+
+
+const char *
+SECOID_FindOIDTagDescription(SECOidTag tagnum)
+{
+  const SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
+  return oidData ? oidData->desc : 0;
+}
+
+/*
+ * free up the oid tables.
+ */
+SECStatus
+SECOID_Shutdown(void)
+{
+    if (oidhash) {
+	PL_HashTableDestroy(oidhash);
+	oidhash = NULL;
+    }
+    if (oidmechhash) {
+	PL_HashTableDestroy(oidmechhash);
+	oidmechhash = NULL;
+    }
+    /* Have to handle the case where the lock was created, but
+    ** the pool wasn't. 
+    ** I'm not going to attempt to create the lock, just to protect
+    ** the destruction of data that probably isn't initialized anyway.
+    */
+    if (dynOidLock) {
+	NSSRWLock_LockWrite(dynOidLock);
+	if (dynOidHash) {
+	    PL_HashTableDestroy(dynOidHash);
+	    dynOidHash = NULL;
+	}
+	if (dynOidPool) {
+	    PORT_FreeArena(dynOidPool, PR_FALSE);
+	    dynOidPool = NULL;
+	}
+	if (dynOidTable) {
+	    PORT_Free(dynOidTable);
+	    dynOidTable = NULL;
+	}
+	dynOidEntriesAllocated = 0;
+	dynOidEntriesUsed = 0;
+
+	NSSRWLock_UnlockWrite(dynOidLock);
+	NSSRWLock_Destroy(dynOidLock);
+	dynOidLock = NULL;
+    } else {
+    	/* Since dynOidLock doesn't exist, then all the data it protects
+	** should be uninitialized.  We'll check that (in DEBUG builds),
+	** and then make sure it is so, in case NSS is reinitialized.
+	*/
+	PORT_Assert(!dynOidHash && !dynOidPool && !dynOidTable && \
+	            !dynOidEntriesAllocated && !dynOidEntriesUsed);
+	dynOidHash = NULL;
+	dynOidPool = NULL;
+	dynOidTable = NULL;
+	dynOidEntriesAllocated = 0;
+	dynOidEntriesUsed = 0;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h
new file mode 100644
index 000000000..7f37e737c
--- /dev/null
+++ b/security/nss/lib/util/secoid.h
@@ -0,0 +1,152 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECOID_H_
+#define _SECOID_H_
+
+#include "utilrename.h"
+
+/*
+ * secoid.h - public data structures and prototypes for ASN.1 OID functions
+ *
+ * $Id$
+ */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];
+
+/* This functions simply returns the address of the above-declared template. */
+SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
+
+/*
+ * OID handling routines
+ */
+extern SECOidData *SECOID_FindOID( const SECItem *oid);
+extern SECOidTag SECOID_FindOIDTag(const SECItem *oid);
+extern SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum);
+extern SECOidData *SECOID_FindOIDByMechanism(unsigned long mechanism);
+
+/****************************************/
+/*
+** Algorithm id handling operations
+*/
+
+/*
+** Fill in an algorithm-ID object given a tag and some parameters.
+** 	"aid" where the DER encoded algorithm info is stored (memory
+**	   is allocated)
+**	"tag" the tag number defining the algorithm 
+**	"params" if not NULL, the parameters to go with the algorithm
+*/
+extern SECStatus SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *aid,
+				   SECOidTag tag, SECItem *params);
+
+/*
+** Copy the "src" object to "dest". Memory is allocated in "dest" for
+** each of the appropriate sub-objects. Memory in "dest" is not freed
+** before memory is allocated (use SECOID_DestroyAlgorithmID(dest, PR_FALSE)
+** to do that).
+*/
+extern SECStatus SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest,
+				    SECAlgorithmID *src);
+
+/*
+** Get the tag number for the given algorithm-id object.
+*/
+extern SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid);
+
+/*
+** Destroy an algorithm-id object.
+**	"aid" the certificate-request to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit);
+
+/*
+** Compare two algorithm-id objects, returning the difference between
+** them.
+*/
+extern SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
+					   SECAlgorithmID *b);
+
+extern PRBool SECOID_KnownCertExtenOID (SECItem *extenOid);
+
+/* Given a tag number, return a string describing it.
+ */
+extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum);
+
+/* Add a dynamic SECOidData to the dynamic OID table.
+** Routine copies the src entry, and returns the new SECOidTag.
+** Returns SEC_OID_INVALID if failed to add for some reason.
+*/
+extern SECOidTag SECOID_AddEntry(const SECOidData * src);
+
+/*
+ * initialize the oid data structures.
+ */
+extern SECStatus SECOID_Init(void);
+
+/*
+ * free up the oid data structures.
+ */
+extern SECStatus SECOID_Shutdown(void);
+
+/* if to->data is not NULL, and to->len is large enough to hold the result,
+ * then the resultant OID will be copyed into to->data, and to->len will be
+ * changed to show the actual OID length.
+ * Otherwise, memory for the OID will be allocated (from the caller's 
+ * PLArenaPool, if pool is non-NULL) and to->data will receive the address
+ * of the allocated data, and to->len will receive the OID length.
+ * The original value of to->data is not freed when a new buffer is allocated.
+ * 
+ * The input string may begin with "OID." and this still be ignored.
+ * The length of the input string is given in len.  If len == 0, then 
+ * len will be computed as strlen(from), meaning it must be NUL terminated.
+ * It is an error if from == NULL, or if *from == '\0'.
+ */
+extern SECStatus SEC_StringToOID(PLArenaPool *pool, SECItem *to, 
+                                 const char *from, PRUint32 len);
+
+SEC_END_PROTOS
+
+#endif /* _SECOID_H_ */
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
new file mode 100644
index 000000000..9591a9e5c
--- /dev/null
+++ b/security/nss/lib/util/secoidt.h
@@ -0,0 +1,476 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECOIDT_H_
+#define _SECOIDT_H_
+
+#include "utilrename.h"
+
+/*
+ * secoidt.h - public data structures for ASN.1 OID functions
+ *
+ * $Id$
+ */
+
+#include "secitem.h"
+
+typedef struct SECOidDataStr SECOidData;
+typedef struct SECAlgorithmIDStr SECAlgorithmID;
+
+/*
+** An X.500 algorithm identifier
+*/
+struct SECAlgorithmIDStr {
+    SECItem algorithm;
+    SECItem parameters;
+};
+
+/*
+ * Misc object IDs - these numbers are for convenient handling.
+ * They are mapped into real object IDs
+ *
+ * NOTE: the order of these entries must mach the array "oids" of SECOidData
+ * in util/secoid.c.
+ */
+typedef enum {
+    SEC_OID_UNKNOWN = 0,
+    SEC_OID_MD2 = 1,
+    SEC_OID_MD4 = 2,
+    SEC_OID_MD5 = 3,
+    SEC_OID_SHA1 = 4,
+    SEC_OID_RC2_CBC = 5,
+    SEC_OID_RC4 = 6,
+    SEC_OID_DES_EDE3_CBC = 7,
+    SEC_OID_RC5_CBC_PAD = 8,
+    SEC_OID_DES_ECB = 9,
+    SEC_OID_DES_CBC = 10,
+    SEC_OID_DES_OFB = 11,
+    SEC_OID_DES_CFB = 12,
+    SEC_OID_DES_MAC = 13,
+    SEC_OID_DES_EDE = 14,
+    SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE = 15,
+    SEC_OID_PKCS1_RSA_ENCRYPTION = 16,
+    SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = 17,
+    SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = 18,
+    SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = 19,
+    SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = 20,
+    SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = 21,
+    SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = 22,
+    SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = 23,
+    SEC_OID_PKCS7 = 24,
+    SEC_OID_PKCS7_DATA = 25,
+    SEC_OID_PKCS7_SIGNED_DATA = 26,
+    SEC_OID_PKCS7_ENVELOPED_DATA = 27,
+    SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA = 28,
+    SEC_OID_PKCS7_DIGESTED_DATA = 29,
+    SEC_OID_PKCS7_ENCRYPTED_DATA = 30,
+    SEC_OID_PKCS9_EMAIL_ADDRESS = 31,
+    SEC_OID_PKCS9_UNSTRUCTURED_NAME = 32,
+    SEC_OID_PKCS9_CONTENT_TYPE = 33,
+    SEC_OID_PKCS9_MESSAGE_DIGEST = 34,
+    SEC_OID_PKCS9_SIGNING_TIME = 35,
+    SEC_OID_PKCS9_COUNTER_SIGNATURE = 36,
+    SEC_OID_PKCS9_CHALLENGE_PASSWORD = 37,
+    SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS = 38,
+    SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = 39,
+    SEC_OID_PKCS9_SMIME_CAPABILITIES = 40,
+    SEC_OID_AVA_COMMON_NAME = 41,
+    SEC_OID_AVA_COUNTRY_NAME = 42,
+    SEC_OID_AVA_LOCALITY = 43,
+    SEC_OID_AVA_STATE_OR_PROVINCE = 44,
+    SEC_OID_AVA_ORGANIZATION_NAME = 45,
+    SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME = 46,
+    SEC_OID_AVA_DN_QUALIFIER = 47,
+    SEC_OID_AVA_DC = 48,
+
+    SEC_OID_NS_TYPE_GIF = 49,
+    SEC_OID_NS_TYPE_JPEG = 50,
+    SEC_OID_NS_TYPE_URL = 51,
+    SEC_OID_NS_TYPE_HTML = 52,
+    SEC_OID_NS_TYPE_CERT_SEQUENCE = 53,
+    SEC_OID_MISSI_KEA_DSS_OLD = 54,
+    SEC_OID_MISSI_DSS_OLD = 55,
+    SEC_OID_MISSI_KEA_DSS = 56,
+    SEC_OID_MISSI_DSS = 57,
+    SEC_OID_MISSI_KEA = 58,
+    SEC_OID_MISSI_ALT_KEA = 59,
+
+    /* Netscape private certificate extensions */
+    SEC_OID_NS_CERT_EXT_NETSCAPE_OK = 60,
+    SEC_OID_NS_CERT_EXT_ISSUER_LOGO = 61,
+    SEC_OID_NS_CERT_EXT_SUBJECT_LOGO = 62,
+    SEC_OID_NS_CERT_EXT_CERT_TYPE = 63,
+    SEC_OID_NS_CERT_EXT_BASE_URL = 64,
+    SEC_OID_NS_CERT_EXT_REVOCATION_URL = 65,
+    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL = 66,
+    SEC_OID_NS_CERT_EXT_CA_CRL_URL = 67,
+    SEC_OID_NS_CERT_EXT_CA_CERT_URL = 68,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL = 69,
+    SEC_OID_NS_CERT_EXT_CA_POLICY_URL = 70,
+    SEC_OID_NS_CERT_EXT_HOMEPAGE_URL = 71,
+    SEC_OID_NS_CERT_EXT_ENTITY_LOGO = 72,
+    SEC_OID_NS_CERT_EXT_USER_PICTURE = 73,
+    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME = 74,
+    SEC_OID_NS_CERT_EXT_COMMENT = 75,
+    SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL = 76,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME = 77,
+    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED = 78,
+
+    /* x.509 v3 Extensions */
+    SEC_OID_X509_SUBJECT_DIRECTORY_ATTR = 79,
+    SEC_OID_X509_SUBJECT_KEY_ID = 80,
+    SEC_OID_X509_KEY_USAGE = 81,
+    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD = 82,
+    SEC_OID_X509_SUBJECT_ALT_NAME = 83,
+    SEC_OID_X509_ISSUER_ALT_NAME = 84,
+    SEC_OID_X509_BASIC_CONSTRAINTS = 85,
+    SEC_OID_X509_NAME_CONSTRAINTS = 86,
+    SEC_OID_X509_CRL_DIST_POINTS = 87,
+    SEC_OID_X509_CERTIFICATE_POLICIES = 88,
+    SEC_OID_X509_POLICY_MAPPINGS = 89,
+    SEC_OID_X509_POLICY_CONSTRAINTS = 90,
+    SEC_OID_X509_AUTH_KEY_ID = 91,
+    SEC_OID_X509_EXT_KEY_USAGE = 92,
+    SEC_OID_X509_AUTH_INFO_ACCESS = 93,
+
+    SEC_OID_X509_CRL_NUMBER = 94,
+    SEC_OID_X509_REASON_CODE = 95,
+    SEC_OID_X509_INVALID_DATE = 96,
+    /* End of x.509 v3 Extensions */    
+
+    SEC_OID_X500_RSA_ENCRYPTION = 97,
+
+    /* alg 1485 additions */
+    SEC_OID_RFC1274_UID = 98,
+    SEC_OID_RFC1274_MAIL = 99,
+
+    /* PKCS 12 additions */
+    SEC_OID_PKCS12 = 100,
+    SEC_OID_PKCS12_MODE_IDS = 101,
+    SEC_OID_PKCS12_ESPVK_IDS = 102,
+    SEC_OID_PKCS12_BAG_IDS = 103,
+    SEC_OID_PKCS12_CERT_BAG_IDS = 104,
+    SEC_OID_PKCS12_OIDS = 105,
+    SEC_OID_PKCS12_PBE_IDS = 106,
+    SEC_OID_PKCS12_SIGNATURE_IDS = 107,
+    SEC_OID_PKCS12_ENVELOPING_IDS = 108,
+   /* SEC_OID_PKCS12_OFFLINE_TRANSPORT_MODE,
+    SEC_OID_PKCS12_ONLINE_TRANSPORT_MODE, */
+    SEC_OID_PKCS12_PKCS8_KEY_SHROUDING = 109,
+    SEC_OID_PKCS12_KEY_BAG_ID = 110,
+    SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID = 111,
+    SEC_OID_PKCS12_SECRET_BAG_ID = 112,
+    SEC_OID_PKCS12_X509_CERT_CRL_BAG = 113,
+    SEC_OID_PKCS12_SDSI_CERT_BAG = 114,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = 115,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = 116,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC = 117,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 118,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 119,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4 = 120,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4 = 121,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES = 122,
+    SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST = 123,
+    /* end of PKCS 12 additions */
+
+    /* DSA signatures */
+    SEC_OID_ANSIX9_DSA_SIGNATURE = 124,
+    SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = 125,
+    SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = 126,
+
+    /* Verisign OIDs */
+    SEC_OID_VERISIGN_USER_NOTICES = 127,
+
+    /* PKIX OIDs */
+    SEC_OID_PKIX_CPS_POINTER_QUALIFIER = 128,
+    SEC_OID_PKIX_USER_NOTICE_QUALIFIER = 129,
+    SEC_OID_PKIX_OCSP = 130,
+    SEC_OID_PKIX_OCSP_BASIC_RESPONSE = 131,
+    SEC_OID_PKIX_OCSP_NONCE = 132,
+    SEC_OID_PKIX_OCSP_CRL = 133,
+    SEC_OID_PKIX_OCSP_RESPONSE = 134,
+    SEC_OID_PKIX_OCSP_NO_CHECK = 135,
+    SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF = 136,
+    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR = 137,
+    SEC_OID_PKIX_REGCTRL_REGTOKEN = 138,
+    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR = 139,
+    SEC_OID_PKIX_REGCTRL_PKIPUBINFO = 140,
+    SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = 141,
+    SEC_OID_PKIX_REGCTRL_OLD_CERT_ID = 142,
+    SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = 143,
+    SEC_OID_PKIX_REGINFO_UTF8_PAIRS = 144,
+    SEC_OID_PKIX_REGINFO_CERT_REQUEST = 145,
+    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH = 146,
+    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH = 147,
+    SEC_OID_EXT_KEY_USAGE_CODE_SIGN = 148,
+    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT = 149,
+    SEC_OID_EXT_KEY_USAGE_TIME_STAMP = 150,
+    SEC_OID_OCSP_RESPONDER = 151,
+
+    /* Netscape Algorithm OIDs */
+    SEC_OID_NETSCAPE_SMIME_KEA = 152,
+
+    /* Skipjack OID -- ### mwelch temporary */
+    SEC_OID_FORTEZZA_SKIPJACK = 153,
+
+    /* PKCS 12 V2 oids */
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 = 154,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 = 155,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC = 156,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC = 157,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 158,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 159,
+    SEC_OID_PKCS12_SAFE_CONTENTS_ID = 160,
+    SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID = 161,
+
+    SEC_OID_PKCS12_V1_KEY_BAG_ID = 162,
+    SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID = 163,
+    SEC_OID_PKCS12_V1_CERT_BAG_ID = 164,
+    SEC_OID_PKCS12_V1_CRL_BAG_ID = 165,
+    SEC_OID_PKCS12_V1_SECRET_BAG_ID = 166,
+    SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID = 167,
+    SEC_OID_PKCS9_X509_CERT = 168,
+    SEC_OID_PKCS9_SDSI_CERT = 169,
+    SEC_OID_PKCS9_X509_CRL = 170,
+    SEC_OID_PKCS9_FRIENDLY_NAME = 171,
+    SEC_OID_PKCS9_LOCAL_KEY_ID = 172,
+    SEC_OID_BOGUS_KEY_USAGE = 173,
+
+    /*Diffe Helman OIDS */
+    SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
+
+    /* Netscape other name types */
+    SEC_OID_NETSCAPE_NICKNAME = 175,
+
+    /* Cert Server OIDS */
+    SEC_OID_NETSCAPE_RECOVERY_REQUEST = 176,
+
+    /* New PSM certificate management OIDs */
+    SEC_OID_CERT_RENEWAL_LOCATOR = 177,
+    SEC_OID_NS_CERT_EXT_SCOPE_OF_USE = 178,
+    
+    /* CMS (RFC2630) OIDs */
+    SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN = 179,
+    SEC_OID_CMS_3DES_KEY_WRAP = 180,
+    SEC_OID_CMS_RC2_KEY_WRAP = 181,
+
+    /* SMIME attributes */
+    SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182,
+
+    /* AES OIDs */
+    SEC_OID_AES_128_ECB 	= 183,
+    SEC_OID_AES_128_CBC 	= 184,
+    SEC_OID_AES_192_ECB 	= 185,
+    SEC_OID_AES_192_CBC 	= 186,
+    SEC_OID_AES_256_ECB 	= 187,
+    SEC_OID_AES_256_CBC 	= 188,
+
+    SEC_OID_SDN702_DSA_SIGNATURE = 189,
+
+    SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190,
+
+    SEC_OID_SHA256              = 191,
+    SEC_OID_SHA384              = 192,
+    SEC_OID_SHA512              = 193,
+
+    SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION = 194,
+    SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION = 195,
+    SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION = 196,
+
+    SEC_OID_AES_128_KEY_WRAP	= 197,
+    SEC_OID_AES_192_KEY_WRAP	= 198,
+    SEC_OID_AES_256_KEY_WRAP	= 199,
+
+    /* Elliptic Curve Cryptography (ECC) OIDs */
+    SEC_OID_ANSIX962_EC_PUBLIC_KEY  = 200,
+    SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE = 201,
+
+#define SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST \
+	SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
+
+    /* ANSI X9.62 named elliptic curves (prime field) */
+    SEC_OID_ANSIX962_EC_PRIME192V1  = 202,
+    SEC_OID_ANSIX962_EC_PRIME192V2  = 203,
+    SEC_OID_ANSIX962_EC_PRIME192V3  = 204,
+    SEC_OID_ANSIX962_EC_PRIME239V1  = 205,
+    SEC_OID_ANSIX962_EC_PRIME239V2  = 206,
+    SEC_OID_ANSIX962_EC_PRIME239V3  = 207,
+    SEC_OID_ANSIX962_EC_PRIME256V1  = 208,
+
+    /* SECG named elliptic curves (prime field) */
+    SEC_OID_SECG_EC_SECP112R1       = 209,
+    SEC_OID_SECG_EC_SECP112R2       = 210,
+    SEC_OID_SECG_EC_SECP128R1       = 211,
+    SEC_OID_SECG_EC_SECP128R2       = 212,
+    SEC_OID_SECG_EC_SECP160K1       = 213,
+    SEC_OID_SECG_EC_SECP160R1       = 214, 
+    SEC_OID_SECG_EC_SECP160R2       = 215,
+    SEC_OID_SECG_EC_SECP192K1       = 216,
+    /* SEC_OID_SECG_EC_SECP192R1 is SEC_OID_ANSIX962_EC_PRIME192V1 */
+    SEC_OID_SECG_EC_SECP224K1       = 217,
+    SEC_OID_SECG_EC_SECP224R1       = 218,
+    SEC_OID_SECG_EC_SECP256K1       = 219,
+    /* SEC_OID_SECG_EC_SECP256R1 is SEC_OID_ANSIX962_EC_PRIME256V1 */
+    SEC_OID_SECG_EC_SECP384R1       = 220,
+    SEC_OID_SECG_EC_SECP521R1       = 221,
+
+    /* ANSI X9.62 named elliptic curves (characteristic two field) */
+    SEC_OID_ANSIX962_EC_C2PNB163V1  = 222,
+    SEC_OID_ANSIX962_EC_C2PNB163V2  = 223,
+    SEC_OID_ANSIX962_EC_C2PNB163V3  = 224,
+    SEC_OID_ANSIX962_EC_C2PNB176V1  = 225,
+    SEC_OID_ANSIX962_EC_C2TNB191V1  = 226,
+    SEC_OID_ANSIX962_EC_C2TNB191V2  = 227,
+    SEC_OID_ANSIX962_EC_C2TNB191V3  = 228,
+    SEC_OID_ANSIX962_EC_C2ONB191V4  = 229,
+    SEC_OID_ANSIX962_EC_C2ONB191V5  = 230,
+    SEC_OID_ANSIX962_EC_C2PNB208W1  = 231,
+    SEC_OID_ANSIX962_EC_C2TNB239V1  = 232,
+    SEC_OID_ANSIX962_EC_C2TNB239V2  = 233,
+    SEC_OID_ANSIX962_EC_C2TNB239V3  = 234,
+    SEC_OID_ANSIX962_EC_C2ONB239V4  = 235,
+    SEC_OID_ANSIX962_EC_C2ONB239V5  = 236,
+    SEC_OID_ANSIX962_EC_C2PNB272W1  = 237,
+    SEC_OID_ANSIX962_EC_C2PNB304W1  = 238,
+    SEC_OID_ANSIX962_EC_C2TNB359V1  = 239,
+    SEC_OID_ANSIX962_EC_C2PNB368W1  = 240,
+    SEC_OID_ANSIX962_EC_C2TNB431R1  = 241,
+
+    /* SECG named elliptic curves (characteristic two field) */
+    SEC_OID_SECG_EC_SECT113R1       = 242,
+    SEC_OID_SECG_EC_SECT113R2       = 243,
+    SEC_OID_SECG_EC_SECT131R1       = 244,
+    SEC_OID_SECG_EC_SECT131R2       = 245,
+    SEC_OID_SECG_EC_SECT163K1       = 246,
+    SEC_OID_SECG_EC_SECT163R1       = 247,
+    SEC_OID_SECG_EC_SECT163R2       = 248,
+    SEC_OID_SECG_EC_SECT193R1       = 249,
+    SEC_OID_SECG_EC_SECT193R2       = 250,
+    SEC_OID_SECG_EC_SECT233K1       = 251,
+    SEC_OID_SECG_EC_SECT233R1       = 252,
+    SEC_OID_SECG_EC_SECT239K1       = 253,
+    SEC_OID_SECG_EC_SECT283K1       = 254,
+    SEC_OID_SECG_EC_SECT283R1       = 255,
+    SEC_OID_SECG_EC_SECT409K1       = 256,
+    SEC_OID_SECG_EC_SECT409R1       = 257,
+    SEC_OID_SECG_EC_SECT571K1       = 258,
+    SEC_OID_SECG_EC_SECT571R1       = 259,
+
+    SEC_OID_NETSCAPE_AOLSCREENNAME  = 260,
+
+    SEC_OID_AVA_SURNAME              = 261,
+    SEC_OID_AVA_SERIAL_NUMBER        = 262,
+    SEC_OID_AVA_STREET_ADDRESS       = 263,
+    SEC_OID_AVA_TITLE                = 264,
+    SEC_OID_AVA_POSTAL_ADDRESS       = 265,
+    SEC_OID_AVA_POSTAL_CODE          = 266,
+    SEC_OID_AVA_POST_OFFICE_BOX      = 267,
+    SEC_OID_AVA_GIVEN_NAME           = 268,
+    SEC_OID_AVA_INITIALS             = 269,
+    SEC_OID_AVA_GENERATION_QUALIFIER = 270,
+    SEC_OID_AVA_HOUSE_IDENTIFIER     = 271,
+    SEC_OID_AVA_PSEUDONYM            = 272,
+
+    /* More OIDs */
+    SEC_OID_PKIX_CA_ISSUERS          = 273,
+    SEC_OID_PKCS9_EXTENSION_REQUEST  = 274,
+
+    /* new EC Signature oids */
+    SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST = 275,
+    SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST = 276,
+    SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE = 277,
+    SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE = 278,
+    SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE = 279,
+    SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE = 280,
+
+    /* More id-ce and id-pe OIDs from RFC 3280 */
+    SEC_OID_X509_HOLD_INSTRUCTION_CODE      = 281,
+    SEC_OID_X509_DELTA_CRL_INDICATOR        = 282,
+    SEC_OID_X509_ISSUING_DISTRIBUTION_POINT = 283,
+    SEC_OID_X509_CERT_ISSUER                = 284,
+    SEC_OID_X509_FRESHEST_CRL               = 285,
+    SEC_OID_X509_INHIBIT_ANY_POLICY         = 286,
+    SEC_OID_X509_SUBJECT_INFO_ACCESS        = 287,
+
+    /* Camellia OIDs (RFC3657)*/
+    SEC_OID_CAMELLIA_128_CBC                = 288,
+    SEC_OID_CAMELLIA_192_CBC                = 289,
+    SEC_OID_CAMELLIA_256_CBC                = 290,
+
+    /* PKCS 5 V2 OIDS */
+    SEC_OID_PKCS5_PBKDF2                    = 291,
+    SEC_OID_PKCS5_PBES2                     = 292,
+    SEC_OID_PKCS5_PBMAC1                    = 293,
+    SEC_OID_HMAC_SHA1                       = 294,
+    SEC_OID_HMAC_SHA224                     = 295,
+    SEC_OID_HMAC_SHA256                     = 296,
+    SEC_OID_HMAC_SHA384                     = 297,
+    SEC_OID_HMAC_SHA512                     = 298,
+
+    SEC_OID_PKIX_TIMESTAMPING               = 299,
+    SEC_OID_PKIX_CA_REPOSITORY              = 300,
+
+    SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE     = 301,
+
+    SEC_OID_TOTAL
+} SECOidTag;
+
+#define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
+#define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
+#define SEC_OID_PKCS12_KEY_USAGE  SEC_OID_X509_KEY_USAGE
+
+/* fake OID for DSS sign/verify */
+#define SEC_OID_SHA SEC_OID_MISS_DSS
+
+typedef enum {
+    INVALID_CERT_EXTENSION = 0,
+    UNSUPPORTED_CERT_EXTENSION = 1,
+    SUPPORTED_CERT_EXTENSION = 2
+} SECSupportExtenTag;
+
+struct SECOidDataStr {
+    SECItem            oid;
+    SECOidTag          offset;
+    const char *       desc;
+    unsigned long      mechanism;
+    SECSupportExtenTag supportedExtension;	
+    				/* only used for x.509 v3 extensions, so
+				   that we can print the names of those
+				   extensions that we don't even support */
+};
+
+#endif /* _SECOIDT_H_ */
diff --git a/security/nss/lib/util/secplcy.c b/security/nss/lib/util/secplcy.c
new file mode 100644
index 000000000..f2b66fb53
--- /dev/null
+++ b/security/nss/lib/util/secplcy.c
@@ -0,0 +1,117 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "secplcy.h"
+#include "prmem.h"
+
+SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
+				  secCPStruct *policy,
+				  long *ciphers)
+{
+  SECCipherFind *find = PR_NEWZAP(SECCipherFind);
+  if (find)
+    {
+      find->policy = policy;
+      find->ciphers = ciphers;
+      find->onlyAllowed = onlyAllowed;
+      find->index = -1;
+    }
+  return find;
+}
+
+long sec_CipherFindNext(SECCipherFind *find)
+{
+  char *policy;
+  long rv = -1;
+  secCPStruct *policies = (secCPStruct *) find->policy;
+  long *ciphers = (long *) find->ciphers;
+  long numCiphers = policies->num_ciphers;
+
+  find->index++;
+  while((find->index < numCiphers) && (rv == -1))
+    {
+      /* Translate index to cipher. */
+      rv = ciphers[find->index];
+
+      /* If we're only looking for allowed ciphers, and if this
+	 cipher isn't allowed, loop around.*/
+      if (find->onlyAllowed)
+	{
+	  /* Find the appropriate policy flag. */
+	  policy = (&(policies->begin_ciphers)) + find->index + 1;
+
+	  /* If this cipher isn't allowed by policy, continue. */
+	  if (! (*policy))
+	    {
+	      rv = -1;
+	      find->index++;
+	    }
+	}
+    }
+
+  return rv;
+}
+
+char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
+			 long *ciphers)
+{
+  char result = SEC_CIPHER_NOT_ALLOWED; /* our default answer */
+  long numCiphers = policies->num_ciphers;
+  char *policy;
+  int i;
+  
+  /* Convert the cipher number into a policy flag location. */
+  for (i=0, policy=(&(policies->begin_ciphers) + 1);
+       i<numCiphers;
+       i++, policy++)
+    {
+      if (cipher == ciphers[i])
+	break;
+    }
+
+  if (i < numCiphers)
+    {
+      /* Found the cipher, get the policy value. */
+      result = *policy;
+    }
+
+  return result;
+}
+
+void sec_CipherFindEnd(SECCipherFind *find)
+{
+  PR_FREEIF(find);
+}
diff --git a/security/nss/lib/util/secplcy.h b/security/nss/lib/util/secplcy.h
new file mode 100644
index 000000000..758ee13f7
--- /dev/null
+++ b/security/nss/lib/util/secplcy.h
@@ -0,0 +1,138 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __secplcy_h__
+#define __secplcy_h__
+
+#include "utilrename.h"
+
+#include "prtypes.h"
+
+/*
+** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
+** the purpose of obscuring policy information from potential fortifiers. :-)
+**
+** The following routines are generic and intended for anywhere where cipher
+** policy enforcement is to be done, e.g. SSL and PKCS7&12.
+*/
+
+#define SEC_CIPHER_NOT_ALLOWED 0
+#define SEC_CIPHER_ALLOWED 1
+#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases 
+				   e.g. step-up */
+
+/* The length of the header string for each cipher table. 
+   (It's the same regardless of whether we're using md5 strings or not.) */
+#define SEC_POLICY_HEADER_LENGTH 48
+
+/* If we're testing policy stuff, we may want to use the plaintext version */
+#define SEC_POLICY_USE_MD5_STRINGS 1
+
+#define SEC_POLICY_THIS_IS_THE \
+    "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
+#define SEC_POLICY_STRING_FOR_THE \
+    "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
+#define SEC_POLICY_SSL_TAIL \
+    "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
+#define SEC_POLICY_SMIME_TAIL \
+    "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
+#define SEC_POLICY_PKCS12_TAIL \
+    "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
+
+#if defined(SEC_POLICY_USE_MD5_STRINGS)
+
+/* We're not testing. 
+   Use md5 checksums of the strings. */
+
+#define SEC_POLICY_SSL_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
+
+#define SEC_POLICY_SMIME_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
+
+#define SEC_POLICY_PKCS12_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
+
+#else
+
+/* We're testing. 
+   Use plaintext versions of the strings, for testing purposes. */
+#define SEC_POLICY_SSL_HEADER \
+    "This is the string for the SSL policy table.    "
+#define SEC_POLICY_SMIME_HEADER \
+    "This is the string for the PKCS7 policy table.  "
+#define SEC_POLICY_PKCS12_HEADER \
+    "This is the string for the PKCS12 policy table. "
+
+#endif
+
+/* Local cipher tables have to have these members at the top. */
+typedef struct _sec_cp_struct
+{
+  char policy_string[SEC_POLICY_HEADER_LENGTH];
+  long unused; /* placeholder for max keybits in pkcs12 struct */
+  char num_ciphers;
+  char begin_ciphers;
+  /* cipher policy settings follow. each is a char. */
+} secCPStruct;
+
+struct SECCipherFindStr
+{
+  /* (policy) and (ciphers) are opaque to the outside world */
+  void *policy;
+  void *ciphers;
+  long index;
+  PRBool onlyAllowed;
+};
+
+typedef struct SECCipherFindStr SECCipherFind;
+
+SEC_BEGIN_PROTOS
+
+SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
+				  secCPStruct *policy,
+				  long *ciphers);
+
+long sec_CipherFindNext(SECCipherFind *find);
+
+char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
+			 long *ciphers);
+
+void sec_CipherFindEnd(SECCipherFind *find);
+
+SEC_END_PROTOS
+
+#endif /* __SECPLCY_H__ */
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
new file mode 100644
index 000000000..430b1ca17
--- /dev/null
+++ b/security/nss/lib/util/secport.c
@@ -0,0 +1,667 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * secport.c - portability interfaces for security libraries
+ *
+ * This file abstracts out libc functionality that libsec depends on
+ * 
+ * NOTE - These are not public interfaces
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "plarena.h"
+#include "secerr.h"
+#include "prmon.h"
+#include "nssilock.h"
+#include "secport.h"
+#include "prvrsion.h"
+#include "prenv.h"
+
+#ifdef DEBUG
+#define THREADMARK
+#endif /* DEBUG */
+
+#ifdef THREADMARK
+#include "prthread.h"
+#endif /* THREADMARK */
+
+#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
+#include <stdlib.h>
+#else
+#include "wtypes.h"
+#endif
+
+#define SET_ERROR_CODE	/* place holder for code to set PR error code. */
+
+#ifdef THREADMARK
+typedef struct threadmark_mark_str {
+  struct threadmark_mark_str *next;
+  void *mark;
+} threadmark_mark;
+
+#endif /* THREADMARK */
+
+/* The value of this magic must change each time PORTArenaPool changes. */
+#define ARENAPOOL_MAGIC 0xB8AC9BDF 
+
+typedef struct PORTArenaPool_str {
+  PLArenaPool arena;
+  PRUint32    magic;
+  PRLock *    lock;
+#ifdef THREADMARK
+  PRThread *marking_thread;
+  threadmark_mark *first_mark;
+#endif
+} PORTArenaPool;
+
+
+/* count of allocation failures. */
+unsigned long port_allocFailures;
+
+/* locations for registering Unicode conversion functions.  
+ * XXX is this the appropriate location?  or should they be
+ *     moved to client/server specific locations?
+ */
+PORTCharConversionFunc ucs4Utf8ConvertFunc;
+PORTCharConversionFunc ucs2Utf8ConvertFunc;
+PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+
+void *
+PORT_Alloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)PR_Malloc(bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void *
+PORT_Realloc(void *oldptr, size_t bytes)
+{
+    void *rv;
+
+    rv = (void *)PR_Realloc(oldptr, bytes);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void *
+PORT_ZAlloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void
+PORT_Free(void *ptr)
+{
+    if (ptr) {
+	PR_Free(ptr);
+    }
+}
+
+void
+PORT_ZFree(void *ptr, size_t len)
+{
+    if (ptr) {
+	memset(ptr, 0, len);
+	PR_Free(ptr);
+    }
+}
+
+char *
+PORT_Strdup(const char *str)
+{
+    size_t len = PORT_Strlen(str)+1;
+    char *newstr;
+
+    newstr = (char *)PORT_Alloc(len);
+    if (newstr) {
+        PORT_Memcpy(newstr, str, len);
+    }
+    return newstr;
+}
+
+void
+PORT_SetError(int value)
+{	
+#ifdef DEBUG_jp96085
+    PORT_Assert(value != SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
+#endif
+    PR_SetError(value, 0);
+    return;
+}
+
+int
+PORT_GetError(void)
+{
+    return(PR_GetError());
+}
+
+/********************* Arena code follows *****************************/
+
+PLArenaPool *
+PORT_NewArena(unsigned long chunksize)
+{
+    PORTArenaPool *pool;
+    
+    pool = PORT_ZNew(PORTArenaPool);
+    if (!pool) {
+	return NULL;
+    }
+    pool->magic = ARENAPOOL_MAGIC;
+    pool->lock = PZ_NewLock(nssILockArena);
+    if (!pool->lock) {
+	++port_allocFailures;
+	PORT_Free(pool);
+	return NULL;
+    }
+    PL_InitArenaPool(&pool->arena, "security", chunksize, sizeof(double));
+    return(&pool->arena);
+}
+
+#define MAX_SIZE 0x7fffffffUL
+
+void *
+PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p = NULL;
+
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+
+    if (size <= 0) {
+	size = 1;
+    }
+
+    if (size > MAX_SIZE) {
+	/* you lose. */
+    } else 
+    /* Is it one of ours?  Assume so and check the magic */
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+        /* Most likely one of ours.  Is there a thread id? */
+	if (pool->marking_thread  &&
+	    pool->marking_thread != PR_GetCurrentThread() ) {
+	    /* Another thread holds a mark in this arena */
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return NULL;
+	} /* tid != null */
+#endif /* THREADMARK */
+	PL_ARENA_ALLOCATE(p, arena, size);
+	PZ_Unlock(pool->lock);
+    } else {
+	PL_ARENA_ALLOCATE(p, arena, size);
+    }
+
+    if (!p) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    return(p);
+}
+
+void *
+PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    if (size <= 0)
+        size = 1;
+
+    p = PORT_ArenaAlloc(arena, size);
+
+    if (p) {
+	PORT_Memset(p, 0, size);
+    }
+
+    return(p);
+}
+
+/*
+ * If zero is true, zeroize the arena memory before freeing it.
+ */
+void
+PORT_FreeArena(PLArenaPool *arena, PRBool zero)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    PRLock *       lock = (PRLock *)0;
+    size_t         len  = sizeof *arena;
+    extern const PRVersionDescription * libVersionPoint(void);
+    static const PRVersionDescription * pvd;
+    static PRBool  doFreeArenaPool = PR_FALSE;
+
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	len  = sizeof *pool;
+	lock = pool->lock;
+	PZ_Lock(lock);
+    }
+    if (!pvd) {
+	/* Each of NSPR's DLLs has a function libVersionPoint().
+	** We could do a lot of extra work to be sure we're calling the
+	** one in the DLL that holds PR_FreeArenaPool, but instead we
+	** rely on the fact that ALL NSPR DLLs in the same directory
+	** must be from the same release, and we call which ever one we get. 
+	*/
+	/* no need for thread protection here */
+	pvd = libVersionPoint();
+	if ((pvd->vMajor > 4) || 
+	    (pvd->vMajor == 4 && pvd->vMinor > 1) ||
+	    (pvd->vMajor == 4 && pvd->vMinor == 1 && pvd->vPatch >= 1)) {
+	    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+	    if (!ev) doFreeArenaPool = PR_TRUE;
+	}
+    }
+    if (zero) {
+	PLArena *a;
+	for (a = arena->first.next; a; a = a->next) {
+	    PR_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+	    memset((void *)a->base, 0, a->avail - a->base);
+	}
+    }
+    if (doFreeArenaPool) {
+	PL_FreeArenaPool(arena);
+    } else {
+	PL_FinishArenaPool(arena);
+    }
+    PORT_ZFree(arena, len);
+    if (lock) {
+	PZ_Unlock(lock);
+	PZ_DestroyLock(lock);
+    }
+}
+
+void *
+PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    PORT_Assert(newsize >= oldsize);
+    
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+	/* Do we do a THREADMARK check here? */
+	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+	PZ_Unlock(pool->lock);
+    } else {
+	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+    }
+    
+    return(ptr);
+}
+
+void *
+PORT_ArenaMark(PLArenaPool *arena)
+{
+    void * result;
+
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+	{
+	  threadmark_mark *tm, **pw;
+	  PRThread * currentThread = PR_GetCurrentThread();
+
+	    if (! pool->marking_thread ) {
+		/* First mark */
+		pool->marking_thread = currentThread;
+	    } else if (currentThread != pool->marking_thread ) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return NULL;
+	    }
+
+	    result = PL_ARENA_MARK(arena);
+	    PL_ARENA_ALLOCATE(tm, arena, sizeof(threadmark_mark));
+	    if (!tm) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return NULL;
+	    }
+
+	    tm->mark = result;
+	    tm->next = (threadmark_mark *)NULL;
+
+	    pw = &pool->first_mark;
+	    while( *pw ) {
+		 pw = &(*pw)->next;
+	    }
+
+	    *pw = tm;
+	}
+#else /* THREADMARK */
+	result = PL_ARENA_MARK(arena);
+#endif /* THREADMARK */
+	PZ_Unlock(pool->lock);
+    } else {
+	/* a "pure" NSPR arena */
+	result = PL_ARENA_MARK(arena);
+    }
+    return result;
+}
+
+static void
+port_ArenaZeroAfterMark(PLArenaPool *arena, void *mark)
+{
+    PLArena *a = arena->current;
+    if (a->base <= (PRUword)mark && (PRUword)mark <= a->avail) {
+	/* fast path: mark falls in the current arena */
+	memset(mark, 0, a->avail - (PRUword)mark);
+    } else {
+	/* slow path: need to find the arena that mark falls in */
+	for (a = arena->first.next; a; a = a->next) {
+	    PR_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+	    if (a->base <= (PRUword)mark && (PRUword)mark <= a->avail) {
+		memset(mark, 0, a->avail - (PRUword)mark);
+		a = a->next;
+		break;
+	    }
+	}
+	for (; a; a = a->next) {
+	    PR_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+	    memset((void *)a->base, 0, a->avail - a->base);
+	}
+    }
+}
+
+static void
+port_ArenaRelease(PLArenaPool *arena, void *mark, PRBool zero)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+	{
+	    threadmark_mark **pw, *tm;
+
+	    if (PR_GetCurrentThread() != pool->marking_thread ) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return /* no error indication available */ ;
+	    }
+
+	    pw = &pool->first_mark;
+	    while( *pw && (mark != (*pw)->mark) ) {
+		pw = &(*pw)->next;
+	    }
+
+	    if (! *pw ) {
+		/* bad mark */
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return /* no error indication available */ ;
+	    }
+
+	    tm = *pw;
+	    *pw = (threadmark_mark *)NULL;
+
+	    if (zero) {
+		port_ArenaZeroAfterMark(arena, mark);
+	    }
+	    PL_ARENA_RELEASE(arena, mark);
+
+	    if (! pool->first_mark ) {
+		pool->marking_thread = (PRThread *)NULL;
+	    }
+	}
+#else /* THREADMARK */
+	if (zero) {
+	    port_ArenaZeroAfterMark(arena, mark);
+	}
+	PL_ARENA_RELEASE(arena, mark);
+#endif /* THREADMARK */
+	PZ_Unlock(pool->lock);
+    } else {
+	if (zero) {
+	    port_ArenaZeroAfterMark(arena, mark);
+	}
+	PL_ARENA_RELEASE(arena, mark);
+    }
+}
+
+void
+PORT_ArenaRelease(PLArenaPool *arena, void *mark)
+{
+    port_ArenaRelease(arena, mark, PR_FALSE);
+}
+
+/*
+ * Zeroize the arena memory before releasing it.
+ */
+void
+PORT_ArenaZRelease(PLArenaPool *arena, void *mark)
+{
+    port_ArenaRelease(arena, mark, PR_TRUE);
+}
+
+void
+PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
+{
+#ifdef THREADMARK
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	threadmark_mark **pw, *tm;
+
+	PZ_Lock(pool->lock);
+
+	if (PR_GetCurrentThread() != pool->marking_thread ) {
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return /* no error indication available */ ;
+	}
+
+	pw = &pool->first_mark;
+	while( ((threadmark_mark *)NULL != *pw) && (mark != (*pw)->mark) ) {
+	    pw = &(*pw)->next;
+	}
+
+	if ((threadmark_mark *)NULL == *pw ) {
+	    /* bad mark */
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return /* no error indication available */ ;
+	}
+
+	tm = *pw;
+	*pw = (threadmark_mark *)NULL;
+
+	if (! pool->first_mark ) {
+	    pool->marking_thread = (PRThread *)NULL;
+	}
+
+	PZ_Unlock(pool->lock);
+    }
+#endif /* THREADMARK */
+}
+
+char *
+PORT_ArenaStrdup(PLArenaPool *arena, const char *str) {
+    int len = PORT_Strlen(str)+1;
+    char *newstr;
+
+    newstr = (char*)PORT_ArenaAlloc(arena,len);
+    if (newstr) {
+        PORT_Memcpy(newstr,str,len);
+    }
+    return newstr;
+}
+
+/********************** end of arena functions ***********************/
+
+/****************** unicode conversion functions ***********************/
+/*
+ * NOTE: These conversion functions all assume that the multibyte
+ * characters are going to be in NETWORK BYTE ORDER, not host byte
+ * order.  This is because the only time we deal with UCS-2 and UCS-4
+ * are when the data was received from or is going to be sent out
+ * over the wire (in, e.g. certificates).
+ */
+
+void
+PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{ 
+    ucs4Utf8ConvertFunc = convFunc;
+}
+
+void
+PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
+{ 
+    ucs2AsciiConvertFunc = convFunc;
+}
+
+void
+PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{ 
+    ucs2Utf8ConvertFunc = convFunc;
+}
+
+PRBool 
+PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    if(!ucs4Utf8ConvertFunc) {
+      return sec_port_ucs4_utf8_conversion_function(toUnicode,
+        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
+    }
+
+    return (*ucs4Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen);
+}
+
+PRBool 
+PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    if(!ucs2Utf8ConvertFunc) {
+      return sec_port_ucs2_utf8_conversion_function(toUnicode,
+        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
+    }
+
+    return (*ucs2Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen);
+}
+
+PRBool 
+PORT_ISO88591_UTF8Conversion(const unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    return sec_port_iso88591_utf8_conversion_function(inBuf, inBufLen,
+      outBuf, maxOutBufLen, outBufLen);
+}
+
+PRBool 
+PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
+			  unsigned int inBufLen, unsigned char *outBuf,
+			  unsigned int maxOutBufLen, unsigned int *outBufLen,
+			  PRBool swapBytes)
+{
+    if(!ucs2AsciiConvertFunc) {
+	return PR_FALSE;
+    }
+
+    return (*ucs2AsciiConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen, swapBytes);
+}
+
+
+/* Portable putenv.  Creates/replaces an environment variable of the form
+ *  envVarName=envValue
+ */
+int
+NSS_PutEnv(const char * envVarName, const char * envValue)
+{
+#ifdef _WIN32_WCE
+    return SECFailure;
+#else
+    SECStatus result = SECSuccess;
+    char *    encoded;
+    int       putEnvFailed;
+#ifdef _WIN32
+    PRBool      setOK;
+
+    setOK = SetEnvironmentVariable(envVarName, envValue);
+    if (!setOK) {
+        SET_ERROR_CODE
+        return SECFailure;
+    }
+#endif
+
+    encoded = (char *)PORT_ZAlloc(strlen(envVarName) + 2 + strlen(envValue));
+    strcpy(encoded, envVarName);
+    strcat(encoded, "=");
+    strcat(encoded, envValue);
+
+    putEnvFailed = putenv(encoded); /* adopt. */
+    if (putEnvFailed) {
+        SET_ERROR_CODE
+        result = SECFailure;
+        PORT_Free(encoded);
+    }
+    return result;
+#endif
+}
+
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h
new file mode 100644
index 000000000..923c09b0f
--- /dev/null
+++ b/security/nss/lib/util/secport.h
@@ -0,0 +1,253 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * secport.h - portability interfaces for security libraries
+ *
+ * $Id$
+ */
+
+#ifndef _SECPORT_H_
+#define _SECPORT_H_
+
+#include "utilrename.h"
+
+/*
+ * define XP_WIN, XP_BEOS, or XP_UNIX, in case they are not defined
+ * by anyone else
+ */
+#ifdef _WINDOWS
+# ifndef XP_WIN
+# define XP_WIN
+# endif
+#if defined(_WIN32) || defined(WIN32)
+# ifndef XP_WIN32
+# define XP_WIN32
+# endif
+#else
+# ifndef XP_WIN16
+# define XP_WIN16
+# endif
+#endif
+#endif
+
+#ifdef __BEOS__
+# ifndef XP_BEOS
+# define XP_BEOS
+# endif
+#endif
+
+#ifdef unix
+# ifndef XP_UNIX
+# define XP_UNIX
+# endif
+#endif
+
+#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
+#include "watcomfx.h"
+#endif
+
+#if defined(_WIN32_WCE)
+#include <windef.h>
+#include <types.h>
+#else
+#include <sys/types.h>
+#endif
+
+#include <ctype.h>
+#include <string.h>
+#if defined(_WIN32_WCE)
+#include <stdlib.h>	/* WinCE puts some stddef symbols here. */
+#else
+#include <stddef.h>
+#endif
+#include <stdlib.h>
+#include "prtypes.h"
+#include "prlog.h"	/* for PR_ASSERT */
+#include "plarena.h"
+#include "plstr.h"
+
+/*
+ * HACK for NSS 2.8 to allow Admin to compile without source changes.
+ */
+#ifndef SEC_BEGIN_PROTOS
+#include "seccomon.h"
+#endif
+
+SEC_BEGIN_PROTOS
+
+extern void *PORT_Alloc(size_t len);
+extern void *PORT_Realloc(void *old, size_t len);
+extern void *PORT_AllocBlock(size_t len);
+extern void *PORT_ReallocBlock(void *old, size_t len);
+extern void PORT_FreeBlock(void *ptr);
+extern void *PORT_ZAlloc(size_t len);
+extern void PORT_Free(void *ptr);
+extern void PORT_ZFree(void *ptr, size_t len);
+extern char *PORT_Strdup(const char *s);
+extern time_t PORT_Time(void);
+extern void PORT_SetError(int value);
+extern int PORT_GetError(void);
+
+extern PLArenaPool *PORT_NewArena(unsigned long chunksize);
+extern void *PORT_ArenaAlloc(PLArenaPool *arena, size_t size);
+extern void *PORT_ArenaZAlloc(PLArenaPool *arena, size_t size);
+extern void PORT_FreeArena(PLArenaPool *arena, PRBool zero);
+extern void *PORT_ArenaGrow(PLArenaPool *arena, void *ptr,
+			    size_t oldsize, size_t newsize);
+extern void *PORT_ArenaMark(PLArenaPool *arena);
+extern void PORT_ArenaRelease(PLArenaPool *arena, void *mark);
+extern void PORT_ArenaZRelease(PLArenaPool *arena, void *mark);
+extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark);
+extern char *PORT_ArenaStrdup(PLArenaPool *arena, const char *str);
+
+SEC_END_PROTOS
+
+#define PORT_Assert PR_ASSERT
+#define PORT_ZNew(type) (type*)PORT_ZAlloc(sizeof(type))
+#define PORT_New(type) (type*)PORT_Alloc(sizeof(type))
+#define PORT_ArenaNew(poolp, type)	\
+		(type*) PORT_ArenaAlloc(poolp, sizeof(type))
+#define PORT_ArenaZNew(poolp, type)	\
+		(type*) PORT_ArenaZAlloc(poolp, sizeof(type))
+#define PORT_NewArray(type, num)	\
+		(type*) PORT_Alloc (sizeof(type)*(num))
+#define PORT_ZNewArray(type, num)	\
+		(type*) PORT_ZAlloc (sizeof(type)*(num))
+#define PORT_ArenaNewArray(poolp, type, num)	\
+		(type*) PORT_ArenaAlloc (poolp, sizeof(type)*(num))
+#define PORT_ArenaZNewArray(poolp, type, num)	\
+		(type*) PORT_ArenaZAlloc (poolp, sizeof(type)*(num))
+
+/* Please, keep these defines sorted alphabetically.  Thanks! */
+
+#define PORT_Atoi 	atoi
+
+#define PORT_Memcmp 	memcmp
+#define PORT_Memcpy 	memcpy
+#ifndef SUNOS4
+#define PORT_Memmove 	memmove
+#else /*SUNOS4*/
+#define PORT_Memmove(s,ct,n)    bcopy ((ct), (s), (n))
+#endif/*SUNOS4*/
+#define PORT_Memset 	memset
+
+#define PORT_Strcasecmp PL_strcasecmp
+#define PORT_Strcat 	strcat
+#define PORT_Strchr 	strchr
+#define PORT_Strrchr    strrchr
+#define PORT_Strcmp 	strcmp
+#define PORT_Strcpy 	strcpy
+#define PORT_Strlen(s) 	strlen(s)
+#define PORT_Strncasecmp PL_strncasecmp
+#define PORT_Strncat 	strncat
+#define PORT_Strncmp 	strncmp
+#define PORT_Strncpy 	strncpy
+#define PORT_Strpbrk    strpbrk
+#define PORT_Strstr 	strstr
+#define PORT_Strtok 	strtok
+
+#define PORT_Tolower 	tolower
+
+typedef PRBool (PR_CALLBACK * PORTCharConversionWSwapFunc) (PRBool toUnicode,
+			unsigned char *inBuf, unsigned int inBufLen,
+			unsigned char *outBuf, unsigned int maxOutBufLen,
+			unsigned int *outBufLen, PRBool swapBytes);
+
+typedef PRBool (PR_CALLBACK * PORTCharConversionFunc) (PRBool toUnicode,
+			unsigned char *inBuf, unsigned int inBufLen,
+			unsigned char *outBuf, unsigned int maxOutBufLen,
+			unsigned int *outBufLen);
+
+SEC_BEGIN_PROTOS
+
+void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
+void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc);
+PRBool PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen);
+PRBool PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen,
+			PRBool swapBytes);
+void PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
+PRBool PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen);
+
+/* One-way conversion from ISO-8859-1 to UTF-8 */
+PRBool PORT_ISO88591_UTF8Conversion(const unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen);
+
+extern PRBool
+sec_port_ucs4_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+);
+
+extern PRBool
+sec_port_ucs2_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+);
+
+/* One-way conversion from ISO-8859-1 to UTF-8 */
+extern PRBool
+sec_port_iso88591_utf8_conversion_function
+(
+  const unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+);
+
+extern int NSS_PutEnv(const char * envVarName, const char * envValue);
+
+SEC_END_PROTOS
+
+#endif /* _SECPORT_H_ */
diff --git a/security/nss/lib/util/sectime.c b/security/nss/lib/util/sectime.c
new file mode 100644
index 000000000..cf4c526fb
--- /dev/null
+++ b/security/nss/lib/util/sectime.c
@@ -0,0 +1,194 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "prlong.h"
+#include "prtime.h"
+#include "secder.h"
+#include "secitem.h"
+#include "secerr.h"
+
+static const PRTime January1st2050  = LL_INIT(0x0008f81e, 0x1b098000);
+
+static char *DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format);
+static char *DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER, char *format);
+
+/* convert DER utc time to ascii time string */
+char *
+DER_UTCTimeToAscii(SECItem *utcTime)
+{
+    return (DecodeUTCTime2FormattedAscii (utcTime, "%a %b %d %H:%M:%S %Y"));
+}
+
+/* convert DER utc time to ascii time string, only include day, not time */
+char *
+DER_UTCDayToAscii(SECItem *utctime)
+{
+    return (DecodeUTCTime2FormattedAscii (utctime, "%a %b %d, %Y"));
+}
+
+/* convert DER generalized time to ascii time string, only include day,
+   not time */
+char *
+DER_GeneralizedDayToAscii(SECItem *gentime)
+{
+    return (DecodeGeneralizedTime2FormattedAscii (gentime, "%a %b %d, %Y"));
+}
+
+/* convert DER generalized or UTC time to ascii time string, only include
+   day, not time */
+char *
+DER_TimeChoiceDayToAscii(SECItem *timechoice)
+{
+    switch (timechoice->type) {
+
+    case siUTCTime:
+        return DER_UTCDayToAscii(timechoice);
+
+    case siGeneralizedTime:
+        return DER_GeneralizedDayToAscii(timechoice);
+
+    default:
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
+}
+
+char *
+CERT_UTCTime2FormattedAscii (int64 utcTime, char *format)
+{
+    PRExplodedTime printableTime; 
+    char *timeString;
+   
+    /* Converse time to local time and decompose it into components */
+    PR_ExplodeTime(utcTime, PR_LocalTimeParameters, &printableTime);
+    
+    timeString = (char *)PORT_Alloc(256);
+
+    if ( timeString ) {
+        if ( ! PR_FormatTime( timeString, 256, format, &printableTime )) {
+            PORT_Free(timeString);
+            timeString = NULL;
+        }
+    }
+    
+    return (timeString);
+}
+
+char *CERT_GenTime2FormattedAscii (int64 genTime, char *format)
+{
+    PRExplodedTime printableTime; 
+    char *timeString;
+   
+    /* Decompose time into components */
+    PR_ExplodeTime(genTime, PR_GMTParameters, &printableTime);
+    
+    timeString = (char *)PORT_Alloc(256);
+
+    if ( timeString ) {
+        if ( ! PR_FormatTime( timeString, 256, format, &printableTime )) {
+            PORT_Free(timeString);
+            timeString = NULL;
+            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        }
+    }
+    
+    return (timeString);
+}
+
+
+/* convert DER utc time to ascii time string, The format of the time string
+   depends on the input "format"
+ */
+static char *
+DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER,  char *format)
+{
+    int64 utcTime;
+    int rv;
+   
+    rv = DER_UTCTimeToTime(&utcTime, utcTimeDER);
+    if (rv) {
+        return(NULL);
+    }
+    return (CERT_UTCTime2FormattedAscii (utcTime, format));
+}
+
+/* convert DER utc time to ascii time string, The format of the time string
+   depends on the input "format"
+ */
+static char *
+DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER,  char *format)
+{
+    PRTime generalizedTime;
+    int rv;
+   
+    rv = DER_GeneralizedTimeToTime(&generalizedTime, generalizedTimeDER);
+    if (rv) {
+        return(NULL);
+    }
+    return (CERT_GeneralizedTime2FormattedAscii (generalizedTime, format));
+}
+
+/* decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME 
+   or a SEC_ASN1_UTC_TIME */
+
+SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input)
+{
+    switch (input->type) {
+        case siGeneralizedTime:
+            return DER_GeneralizedTimeToTime(output, input);
+
+        case siUTCTime:
+            return DER_UTCTimeToTime(output, input);
+
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            PORT_Assert(0);
+            return SECFailure;
+    }
+}
+
+/* encode a PRTime to an ASN.1 DER SECItem containing either a
+   SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
+
+SECStatus DER_EncodeTimeChoice(PRArenaPool* arena, SECItem* output, PRTime input)
+{
+    if (LL_CMP(input, >, January1st2050)) {
+        return DER_TimeToGeneralizedTimeArena(arena, output, input);
+    } else {
+        return DER_TimeToUTCTimeArena(arena, output, input);
+    }
+}
diff --git a/security/nss/lib/util/templates.c b/security/nss/lib/util/templates.c
new file mode 100644
index 000000000..a8dd9f726
--- /dev/null
+++ b/security/nss/lib/util/templates.c
@@ -0,0 +1,168 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Templates that are compiled and exported from both libnss3 and libnssutil3.
+ * They have to be, because they were previously exported from libnss3, and
+ * there is no way to create data forwarder symbols on Unix.
+ *
+ * Please do not add to this file. New shared templates should be exported
+ * from libnssutil3 only.
+ *
+ */
+
+#include "utilrename.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secoid.h"
+#include "secdig.h"
+
+const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template SEC_AnyTemplate[] = {
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_AnyTemplate)
+
+const SEC_ASN1Template SEC_BMPStringTemplate[] = {
+    { SEC_ASN1_BMP_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BMPStringTemplate)
+
+const SEC_ASN1Template SEC_BitStringTemplate[] = {
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BitStringTemplate)
+
+const SEC_ASN1Template SEC_BooleanTemplate[] = {
+    { SEC_ASN1_BOOLEAN, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BooleanTemplate)
+
+const SEC_ASN1Template SEC_GeneralizedTimeTemplate[] = {
+    { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_GeneralizedTimeTemplate)
+
+const SEC_ASN1Template SEC_IA5StringTemplate[] = {
+    { SEC_ASN1_IA5_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IA5StringTemplate)
+
+const SEC_ASN1Template SEC_IntegerTemplate[] = {
+    { SEC_ASN1_INTEGER, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IntegerTemplate)
+
+const SEC_ASN1Template SEC_NullTemplate[] = {
+    { SEC_ASN1_NULL, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_NullTemplate)
+
+const SEC_ASN1Template SEC_ObjectIDTemplate[] = {
+    { SEC_ASN1_OBJECT_ID, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_ObjectIDTemplate)
+
+const SEC_ASN1Template SEC_OctetStringTemplate[] = {
+    { SEC_ASN1_OCTET_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_OctetStringTemplate)
+
+const SEC_ASN1Template SEC_PointerToAnyTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_AnyTemplate }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToAnyTemplate)
+
+const SEC_ASN1Template SEC_PointerToOctetStringTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, SEC_OctetStringTemplate }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToOctetStringTemplate)
+
+const SEC_ASN1Template SEC_SetOfAnyTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_AnyTemplate }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SetOfAnyTemplate)
+
+const SEC_ASN1Template SEC_UTCTimeTemplate[] = {
+    { SEC_ASN1_UTC_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTCTimeTemplate)
+
+const SEC_ASN1Template SEC_UTF8StringTemplate[] = {
+    { SEC_ASN1_UTF8_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTF8StringTemplate)
+
+/* XXX See comment below about SGN_DecodeDigestInfo -- keep this static! */
+/* XXX Changed from static -- need to change name? */
+const SEC_ASN1Template sgn_DigestInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SGNDigestInfo) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SGNDigestInfo,digestAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SGNDigestInfo,digest) },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(sgn_DigestInfoTemplate)
diff --git a/security/nss/lib/util/utf8.c b/security/nss/lib/util/utf8.c
new file mode 100644
index 000000000..a50eee923
--- /dev/null
+++ b/security/nss/lib/util/utf8.c
@@ -0,0 +1,1833 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   John Gardiner Myers <jgmyers@speakeasy.net>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "seccomon.h"
+#include "secport.h"
+
+#ifdef TEST_UTF8
+#include <assert.h>
+#undef PORT_Assert
+#define PORT_Assert assert
+#endif
+
+/*
+ * From RFC 2044:
+ *
+ * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+ * 0000 0000-0000 007F   0xxxxxxx
+ * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+ * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+ * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+ * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+ * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+ */  
+
+/*
+ * From http://www.imc.org/draft-hoffman-utf16
+ *
+ * For U on [0x00010000,0x0010FFFF]:  Let U' = U - 0x00010000
+ *
+ * U' = yyyyyyyyyyxxxxxxxxxx
+ * W1 = 110110yyyyyyyyyy
+ * W2 = 110111xxxxxxxxxx
+ */
+
+/*
+ * This code is assuming NETWORK BYTE ORDER for the 16- and 32-bit
+ * character values.  If you wish to use this code for working with
+ * host byte order values, define the following:
+ *
+ * #if IS_BIG_ENDIAN
+ * #define L_0 0
+ * #define L_1 1
+ * #define L_2 2
+ * #define L_3 3
+ * #define H_0 0
+ * #define H_1 1
+ * #else / * not everyone has elif * /
+ * #if IS_LITTLE_ENDIAN
+ * #define L_0 3
+ * #define L_1 2
+ * #define L_2 1
+ * #define L_3 0
+ * #define H_0 1
+ * #define H_1 0
+ * #else
+ * #error "PDP and NUXI support deferred"
+ * #endif / * IS_LITTLE_ENDIAN * /
+ * #endif / * IS_BIG_ENDIAN * /
+ */
+
+#define L_0 0
+#define L_1 1
+#define L_2 2
+#define L_3 3
+#define H_0 0
+#define H_1 1
+
+#define BAD_UTF8 ((PRUint32)-1)
+
+/*
+ * Parse a single UTF-8 character per the spec. in section 3.9 (D36)
+ * of Unicode 4.0.0.
+ *
+ * Parameters:
+ * index - Points to the byte offset in inBuf of character to read.  On success,
+ *         updated to the offset of the following character.
+ * inBuf - Input buffer, UTF-8 encoded
+ * inbufLen - Length of input buffer, in bytes.
+ *
+ * Returns:
+ * Success - The UCS4 encoded character
+ * Failure - BAD_UTF8
+ */
+static PRUint32
+sec_port_read_utf8(unsigned int *index, unsigned char *inBuf, unsigned int inBufLen)
+{
+  PRUint32 result;
+  unsigned int i = *index;
+  int bytes_left;
+  PRUint32 min_value;
+
+  PORT_Assert(i < inBufLen);
+
+  if ( (inBuf[i] & 0x80) == 0x00 ) {
+    result = inBuf[i++];
+    bytes_left = 0;
+    min_value = 0;
+  } else if ( (inBuf[i] & 0xE0) == 0xC0 ) {
+    result = inBuf[i++] & 0x1F;
+    bytes_left = 1;
+    min_value = 0x80;
+  } else if ( (inBuf[i] & 0xF0) == 0xE0) {
+    result = inBuf[i++] & 0x0F;
+    bytes_left = 2;
+    min_value = 0x800;
+  } else if ( (inBuf[i] & 0xF8) == 0xF0) {
+    result = inBuf[i++] & 0x07;
+    bytes_left = 3;
+    min_value = 0x10000;
+  } else {
+    return BAD_UTF8;
+  }
+
+  while (bytes_left--) {
+    if (i >= inBufLen || (inBuf[i] & 0xC0) != 0x80) return BAD_UTF8;
+    result = (result << 6) | (inBuf[i++] & 0x3F);
+  }
+
+  /* Check for overlong sequences, surrogates, and outside unicode range */
+  if (result < min_value || (result & 0xFFFFF800) == 0xD800 || result > 0x10FFFF) {
+    return BAD_UTF8;
+  }
+
+  *index = i;
+  return result;
+}
+
+PRBool
+sec_port_ucs4_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+)
+{
+  PORT_Assert((unsigned int *)NULL != outBufLen);
+
+  if( toUnicode ) {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) i += 1;
+      else if( (inBuf[i] & 0xE0) == 0xC0 ) i += 2;
+      else if( (inBuf[i] & 0xF0) == 0xE0 ) i += 3;
+      else if( (inBuf[i] & 0xF8) == 0xF0 ) i += 4;
+      else return PR_FALSE;
+
+      len += 4;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      PRUint32 ucs4 = sec_port_read_utf8(&i, inBuf, inBufLen);
+
+      if (ucs4 == BAD_UTF8) return PR_FALSE;
+           
+      outBuf[len+L_0] = 0x00;
+      outBuf[len+L_1] = (unsigned char)(ucs4 >> 16);
+      outBuf[len+L_2] = (unsigned char)(ucs4 >> 8);
+      outBuf[len+L_3] = (unsigned char)ucs4;
+
+      len += 4;
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  } else {
+    unsigned int i, len = 0;
+    PORT_Assert((inBufLen % 4) == 0);
+    if ((inBufLen % 4) != 0) {
+      *outBufLen = 0;
+      return PR_FALSE;
+    }
+
+    for( i = 0; i < inBufLen; i += 4 ) {
+      if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] > 0x10) ) {
+	*outBufLen = 0;
+	return PR_FALSE;
+      } else if( inBuf[i+L_1] >= 0x01 ) len += 4;
+      else if( inBuf[i+L_2] >= 0x08 ) len += 3;
+      else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) len += 2;
+      else len += 1;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; i += 4 ) {
+      if( inBuf[i+L_1] >= 0x01 ) {
+        /* 0001 0000-001F FFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 00000000 000abcde fghijklm nopqrstu ->
+           11110abc 10defghi 10jklmno 10pqrstu */
+
+        outBuf[len+0] = 0xF0 | ((inBuf[i+L_1] & 0x1C) >> 2);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
+                             | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+3] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 4;
+      } else if( inBuf[i+L_2] >= 0x08 ) {
+        /* 0000 0800-0000 FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
+        /* 00000000 00000000 abcdefgh ijklmnop ->
+           1110abcd 10efghij 10klmnop */
+
+        outBuf[len+0] = 0xE0 | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 3;
+      } else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) {
+        /* 0000 0080-0000 07FF -> 110xxxxx 10xxxxxx */
+        /* 00000000 00000000 00000abc defghijk ->
+           110abcde 10fghijk */
+
+        outBuf[len+0] = 0xC0 | ((inBuf[i+L_2] & 0x07) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 2;
+      } else {
+        /* 0000 0000-0000 007F -> 0xxxxxx */
+        /* 00000000 00000000 00000000 0abcdefg ->
+           0abcdefg */
+
+        outBuf[len+0] = (inBuf[i+L_3] & 0x7F);
+
+        len += 1;
+      }
+    }
+                            
+    *outBufLen = len;
+    return PR_TRUE;
+  }
+}
+
+PRBool
+sec_port_ucs2_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+)
+{
+  PORT_Assert((unsigned int *)NULL != outBufLen);
+
+  if( toUnicode ) {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) {
+        i += 1;
+        len += 2;
+      } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
+        i += 2;
+        len += 2;
+      } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
+        i += 3;
+        len += 2;
+      } else if( (inBuf[i] & 0xF8) == 0xF0 ) { 
+        i += 4;
+        len += 4;
+      } else return PR_FALSE;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      PRUint32 ucs4 = sec_port_read_utf8(&i, inBuf, inBufLen);
+
+      if (ucs4 == BAD_UTF8) return PR_FALSE;
+
+      if( ucs4 < 0x10000) {
+        outBuf[len+H_0] = (unsigned char)(ucs4 >> 8);
+        outBuf[len+H_1] = (unsigned char)ucs4;
+        len += 2;
+      } else {
+	ucs4 -= 0x10000;
+        outBuf[len+0+H_0] = (unsigned char)(0xD8 | ((ucs4 >> 18) & 0x3));
+        outBuf[len+0+H_1] = (unsigned char)(ucs4 >> 10);
+        outBuf[len+2+H_0] = (unsigned char)(0xDC | ((ucs4 >> 8) & 0x3));
+        outBuf[len+2+H_1] = (unsigned char)ucs4;
+	len += 4;
+      }
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  } else {
+    unsigned int i, len = 0;
+    PORT_Assert((inBufLen % 2) == 0);
+    if ((inBufLen % 2) != 0) {
+      *outBufLen = 0;
+      return PR_FALSE;
+    }
+
+    for( i = 0; i < inBufLen; i += 2 ) {
+      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_0] & 0x80) == 0x00) ) len += 1;
+      else if( inBuf[i+H_0] < 0x08 ) len += 2;
+      else if( ((inBuf[i+0+H_0] & 0xDC) == 0xD8) ) {
+        if( ((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2) ) {
+          i += 2;
+          len += 4;
+        } else {
+          return PR_FALSE;
+        }
+      }
+      else len += 3;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; i += 2 ) {
+      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_1] & 0x80) == 0x00) ) {
+        /* 0000-007F -> 0xxxxxx */
+        /* 00000000 0abcdefg -> 0abcdefg */
+
+        outBuf[len] = inBuf[i+H_1] & 0x7F;
+
+        len += 1;
+      } else if( inBuf[i+H_0] < 0x08 ) {
+        /* 0080-07FF -> 110xxxxx 10xxxxxx */
+        /* 00000abc defghijk -> 110abcde 10fghijk */
+
+        outBuf[len+0] = 0xC0 | ((inBuf[i+H_0] & 0x07) << 2) 
+                             | ((inBuf[i+H_1] & 0xC0) >> 6);
+        outBuf[len+1] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
+
+        len += 2;
+      } else if( (inBuf[i+H_0] & 0xDC) == 0xD8 ) {
+        int abcde, BCDE;
+
+        PORT_Assert(((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2));
+
+        /* D800-DBFF DC00-DFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 110110BC DEfghijk 110111lm nopqrstu ->
+           { Let abcde = BCDE + 1 }
+           11110abc 10defghi 10jklmno 10pqrstu */
+
+        BCDE = ((inBuf[i+H_0] & 0x03) << 2) | ((inBuf[i+H_1] & 0xC0) >> 6);
+        abcde = BCDE + 1;
+
+        outBuf[len+0] = 0xF0 | ((abcde & 0x1C) >> 2);
+        outBuf[len+1] = 0x80 | ((abcde & 0x03) << 4) 
+                             | ((inBuf[i+0+H_1] & 0x3C) >> 2);
+        outBuf[len+2] = 0x80 | ((inBuf[i+0+H_1] & 0x03) << 4)
+                             | ((inBuf[i+2+H_0] & 0x03) << 2)
+                             | ((inBuf[i+2+H_1] & 0xC0) >> 6);
+        outBuf[len+3] = 0x80 | ((inBuf[i+2+H_1] & 0x3F) >> 0);
+
+        i += 2;
+        len += 4;
+      } else {
+        /* 0800-FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
+        /* abcdefgh ijklmnop -> 1110abcd 10efghij 10klmnop */
+
+        outBuf[len+0] = 0xE0 | ((inBuf[i+H_0] & 0xF0) >> 4);
+        outBuf[len+1] = 0x80 | ((inBuf[i+H_0] & 0x0F) << 2) 
+                             | ((inBuf[i+H_1] & 0xC0) >> 6);
+        outBuf[len+2] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
+
+        len += 3;
+      }
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  }
+}
+
+PRBool
+sec_port_iso88591_utf8_conversion_function
+(
+  const unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+)
+{
+  unsigned int i, len = 0;
+
+  PORT_Assert((unsigned int *)NULL != outBufLen);
+
+  for( i = 0; i < inBufLen; i++) {
+    if( (inBuf[i] & 0x80) == 0x00 ) len += 1;
+    else len += 2;
+  }
+
+  if( len > maxOutBufLen ) {
+    *outBufLen = len;
+    return PR_FALSE;
+  }
+
+  len = 0;
+
+  for( i = 0; i < inBufLen; i++) {
+    if( (inBuf[i] & 0x80) == 0x00 ) {
+      /* 00-7F -> 0xxxxxxx */
+      /* 0abcdefg -> 0abcdefg */
+
+      outBuf[len] = inBuf[i];
+      len += 1;
+    } else {
+      /* 80-FF <- 110xxxxx 10xxxxxx */
+      /* 00000000 abcdefgh -> 110000ab 10cdefgh */
+
+      outBuf[len+0] = 0xC0 | ((inBuf[i] & 0xC0) >> 6);
+      outBuf[len+1] = 0x80 | ((inBuf[i] & 0x3F) >> 0);
+
+      len += 2;
+    }
+  }
+
+  *outBufLen = len;
+  return PR_TRUE;
+}
+
+#ifdef TEST_UTF8
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <netinet/in.h> /* for htonl and htons */
+
+/*
+ * UCS-4 vectors
+ */
+
+struct ucs4 {
+  PRUint32 c;
+  char *utf8;
+};
+
+/*
+ * UCS-2 vectors
+ */
+
+struct ucs2 {
+  PRUint16 c;
+  char *utf8;
+};
+
+/*
+ * UTF-16 vectors
+ */
+
+struct utf16 {
+  PRUint32 c;
+  PRUint16 w[2];
+};
+
+
+/*
+ * UCS-4 vectors
+ */
+
+struct ucs4 ucs4[] = {
+  { 0x00000001, "\x01" },
+  { 0x00000002, "\x02" },
+  { 0x00000003, "\x03" },
+  { 0x00000004, "\x04" },
+  { 0x00000007, "\x07" },
+  { 0x00000008, "\x08" },
+  { 0x0000000F, "\x0F" },
+  { 0x00000010, "\x10" },
+  { 0x0000001F, "\x1F" },
+  { 0x00000020, "\x20" },
+  { 0x0000003F, "\x3F" },
+  { 0x00000040, "\x40" },
+  { 0x0000007F, "\x7F" },
+          
+  { 0x00000080, "\xC2\x80" },
+  { 0x00000081, "\xC2\x81" },
+  { 0x00000082, "\xC2\x82" },
+  { 0x00000084, "\xC2\x84" },
+  { 0x00000088, "\xC2\x88" },
+  { 0x00000090, "\xC2\x90" },
+  { 0x000000A0, "\xC2\xA0" },
+  { 0x000000C0, "\xC3\x80" },
+  { 0x000000FF, "\xC3\xBF" },
+  { 0x00000100, "\xC4\x80" },
+  { 0x00000101, "\xC4\x81" },
+  { 0x00000102, "\xC4\x82" },
+  { 0x00000104, "\xC4\x84" },
+  { 0x00000108, "\xC4\x88" },
+  { 0x00000110, "\xC4\x90" },
+  { 0x00000120, "\xC4\xA0" },
+  { 0x00000140, "\xC5\x80" },
+  { 0x00000180, "\xC6\x80" },
+  { 0x000001FF, "\xC7\xBF" },
+  { 0x00000200, "\xC8\x80" },
+  { 0x00000201, "\xC8\x81" },
+  { 0x00000202, "\xC8\x82" },
+  { 0x00000204, "\xC8\x84" },
+  { 0x00000208, "\xC8\x88" },
+  { 0x00000210, "\xC8\x90" },
+  { 0x00000220, "\xC8\xA0" },
+  { 0x00000240, "\xC9\x80" },
+  { 0x00000280, "\xCA\x80" },
+  { 0x00000300, "\xCC\x80" },
+  { 0x000003FF, "\xCF\xBF" },
+  { 0x00000400, "\xD0\x80" },
+  { 0x00000401, "\xD0\x81" },
+  { 0x00000402, "\xD0\x82" },
+  { 0x00000404, "\xD0\x84" },
+  { 0x00000408, "\xD0\x88" },
+  { 0x00000410, "\xD0\x90" },
+  { 0x00000420, "\xD0\xA0" },
+  { 0x00000440, "\xD1\x80" },
+  { 0x00000480, "\xD2\x80" },
+  { 0x00000500, "\xD4\x80" },
+  { 0x00000600, "\xD8\x80" },
+  { 0x000007FF, "\xDF\xBF" },
+          
+  { 0x00000800, "\xE0\xA0\x80" },
+  { 0x00000801, "\xE0\xA0\x81" },
+  { 0x00000802, "\xE0\xA0\x82" },
+  { 0x00000804, "\xE0\xA0\x84" },
+  { 0x00000808, "\xE0\xA0\x88" },
+  { 0x00000810, "\xE0\xA0\x90" },
+  { 0x00000820, "\xE0\xA0\xA0" },
+  { 0x00000840, "\xE0\xA1\x80" },
+  { 0x00000880, "\xE0\xA2\x80" },
+  { 0x00000900, "\xE0\xA4\x80" },
+  { 0x00000A00, "\xE0\xA8\x80" },
+  { 0x00000C00, "\xE0\xB0\x80" },
+  { 0x00000FFF, "\xE0\xBF\xBF" },
+  { 0x00001000, "\xE1\x80\x80" },
+  { 0x00001001, "\xE1\x80\x81" },
+  { 0x00001002, "\xE1\x80\x82" },
+  { 0x00001004, "\xE1\x80\x84" },
+  { 0x00001008, "\xE1\x80\x88" },
+  { 0x00001010, "\xE1\x80\x90" },
+  { 0x00001020, "\xE1\x80\xA0" },
+  { 0x00001040, "\xE1\x81\x80" },
+  { 0x00001080, "\xE1\x82\x80" },
+  { 0x00001100, "\xE1\x84\x80" },
+  { 0x00001200, "\xE1\x88\x80" },
+  { 0x00001400, "\xE1\x90\x80" },
+  { 0x00001800, "\xE1\xA0\x80" },
+  { 0x00001FFF, "\xE1\xBF\xBF" },
+  { 0x00002000, "\xE2\x80\x80" },
+  { 0x00002001, "\xE2\x80\x81" },
+  { 0x00002002, "\xE2\x80\x82" },
+  { 0x00002004, "\xE2\x80\x84" },
+  { 0x00002008, "\xE2\x80\x88" },
+  { 0x00002010, "\xE2\x80\x90" },
+  { 0x00002020, "\xE2\x80\xA0" },
+  { 0x00002040, "\xE2\x81\x80" },
+  { 0x00002080, "\xE2\x82\x80" },
+  { 0x00002100, "\xE2\x84\x80" },
+  { 0x00002200, "\xE2\x88\x80" },
+  { 0x00002400, "\xE2\x90\x80" },
+  { 0x00002800, "\xE2\xA0\x80" },
+  { 0x00003000, "\xE3\x80\x80" },
+  { 0x00003FFF, "\xE3\xBF\xBF" },
+  { 0x00004000, "\xE4\x80\x80" },
+  { 0x00004001, "\xE4\x80\x81" },
+  { 0x00004002, "\xE4\x80\x82" },
+  { 0x00004004, "\xE4\x80\x84" },
+  { 0x00004008, "\xE4\x80\x88" },
+  { 0x00004010, "\xE4\x80\x90" },
+  { 0x00004020, "\xE4\x80\xA0" },
+  { 0x00004040, "\xE4\x81\x80" },
+  { 0x00004080, "\xE4\x82\x80" },
+  { 0x00004100, "\xE4\x84\x80" },
+  { 0x00004200, "\xE4\x88\x80" },
+  { 0x00004400, "\xE4\x90\x80" },
+  { 0x00004800, "\xE4\xA0\x80" },
+  { 0x00005000, "\xE5\x80\x80" },
+  { 0x00006000, "\xE6\x80\x80" },
+  { 0x00007FFF, "\xE7\xBF\xBF" },
+  { 0x00008000, "\xE8\x80\x80" },
+  { 0x00008001, "\xE8\x80\x81" },
+  { 0x00008002, "\xE8\x80\x82" },
+  { 0x00008004, "\xE8\x80\x84" },
+  { 0x00008008, "\xE8\x80\x88" },
+  { 0x00008010, "\xE8\x80\x90" },
+  { 0x00008020, "\xE8\x80\xA0" },
+  { 0x00008040, "\xE8\x81\x80" },
+  { 0x00008080, "\xE8\x82\x80" },
+  { 0x00008100, "\xE8\x84\x80" },
+  { 0x00008200, "\xE8\x88\x80" },
+  { 0x00008400, "\xE8\x90\x80" },
+  { 0x00008800, "\xE8\xA0\x80" },
+  { 0x00009000, "\xE9\x80\x80" },
+  { 0x0000A000, "\xEA\x80\x80" },
+  { 0x0000C000, "\xEC\x80\x80" },
+  { 0x0000FFFF, "\xEF\xBF\xBF" },
+          
+  { 0x00010000, "\xF0\x90\x80\x80" },
+  { 0x00010001, "\xF0\x90\x80\x81" },
+  { 0x00010002, "\xF0\x90\x80\x82" },
+  { 0x00010004, "\xF0\x90\x80\x84" },
+  { 0x00010008, "\xF0\x90\x80\x88" },
+  { 0x00010010, "\xF0\x90\x80\x90" },
+  { 0x00010020, "\xF0\x90\x80\xA0" },
+  { 0x00010040, "\xF0\x90\x81\x80" },
+  { 0x00010080, "\xF0\x90\x82\x80" },
+  { 0x00010100, "\xF0\x90\x84\x80" },
+  { 0x00010200, "\xF0\x90\x88\x80" },
+  { 0x00010400, "\xF0\x90\x90\x80" },
+  { 0x00010800, "\xF0\x90\xA0\x80" },
+  { 0x00011000, "\xF0\x91\x80\x80" },
+  { 0x00012000, "\xF0\x92\x80\x80" },
+  { 0x00014000, "\xF0\x94\x80\x80" },
+  { 0x00018000, "\xF0\x98\x80\x80" },
+  { 0x0001FFFF, "\xF0\x9F\xBF\xBF" },
+  { 0x00020000, "\xF0\xA0\x80\x80" },
+  { 0x00020001, "\xF0\xA0\x80\x81" },
+  { 0x00020002, "\xF0\xA0\x80\x82" },
+  { 0x00020004, "\xF0\xA0\x80\x84" },
+  { 0x00020008, "\xF0\xA0\x80\x88" },
+  { 0x00020010, "\xF0\xA0\x80\x90" },
+  { 0x00020020, "\xF0\xA0\x80\xA0" },
+  { 0x00020040, "\xF0\xA0\x81\x80" },
+  { 0x00020080, "\xF0\xA0\x82\x80" },
+  { 0x00020100, "\xF0\xA0\x84\x80" },
+  { 0x00020200, "\xF0\xA0\x88\x80" },
+  { 0x00020400, "\xF0\xA0\x90\x80" },
+  { 0x00020800, "\xF0\xA0\xA0\x80" },
+  { 0x00021000, "\xF0\xA1\x80\x80" },
+  { 0x00022000, "\xF0\xA2\x80\x80" },
+  { 0x00024000, "\xF0\xA4\x80\x80" },
+  { 0x00028000, "\xF0\xA8\x80\x80" },
+  { 0x00030000, "\xF0\xB0\x80\x80" },
+  { 0x0003FFFF, "\xF0\xBF\xBF\xBF" },
+  { 0x00040000, "\xF1\x80\x80\x80" },
+  { 0x00040001, "\xF1\x80\x80\x81" },
+  { 0x00040002, "\xF1\x80\x80\x82" },
+  { 0x00040004, "\xF1\x80\x80\x84" },
+  { 0x00040008, "\xF1\x80\x80\x88" },
+  { 0x00040010, "\xF1\x80\x80\x90" },
+  { 0x00040020, "\xF1\x80\x80\xA0" },
+  { 0x00040040, "\xF1\x80\x81\x80" },
+  { 0x00040080, "\xF1\x80\x82\x80" },
+  { 0x00040100, "\xF1\x80\x84\x80" },
+  { 0x00040200, "\xF1\x80\x88\x80" },
+  { 0x00040400, "\xF1\x80\x90\x80" },
+  { 0x00040800, "\xF1\x80\xA0\x80" },
+  { 0x00041000, "\xF1\x81\x80\x80" },
+  { 0x00042000, "\xF1\x82\x80\x80" },
+  { 0x00044000, "\xF1\x84\x80\x80" },
+  { 0x00048000, "\xF1\x88\x80\x80" },
+  { 0x00050000, "\xF1\x90\x80\x80" },
+  { 0x00060000, "\xF1\xA0\x80\x80" },
+  { 0x0007FFFF, "\xF1\xBF\xBF\xBF" },
+  { 0x00080000, "\xF2\x80\x80\x80" },
+  { 0x00080001, "\xF2\x80\x80\x81" },
+  { 0x00080002, "\xF2\x80\x80\x82" },
+  { 0x00080004, "\xF2\x80\x80\x84" },
+  { 0x00080008, "\xF2\x80\x80\x88" },
+  { 0x00080010, "\xF2\x80\x80\x90" },
+  { 0x00080020, "\xF2\x80\x80\xA0" },
+  { 0x00080040, "\xF2\x80\x81\x80" },
+  { 0x00080080, "\xF2\x80\x82\x80" },
+  { 0x00080100, "\xF2\x80\x84\x80" },
+  { 0x00080200, "\xF2\x80\x88\x80" },
+  { 0x00080400, "\xF2\x80\x90\x80" },
+  { 0x00080800, "\xF2\x80\xA0\x80" },
+  { 0x00081000, "\xF2\x81\x80\x80" },
+  { 0x00082000, "\xF2\x82\x80\x80" },
+  { 0x00084000, "\xF2\x84\x80\x80" },
+  { 0x00088000, "\xF2\x88\x80\x80" },
+  { 0x00090000, "\xF2\x90\x80\x80" },
+  { 0x000A0000, "\xF2\xA0\x80\x80" },
+  { 0x000C0000, "\xF3\x80\x80\x80" },
+  { 0x000FFFFF, "\xF3\xBF\xBF\xBF" },
+  { 0x00100000, "\xF4\x80\x80\x80" },
+  { 0x00100001, "\xF4\x80\x80\x81" },
+  { 0x00100002, "\xF4\x80\x80\x82" },
+  { 0x00100004, "\xF4\x80\x80\x84" },
+  { 0x00100008, "\xF4\x80\x80\x88" },
+  { 0x00100010, "\xF4\x80\x80\x90" },
+  { 0x00100020, "\xF4\x80\x80\xA0" },
+  { 0x00100040, "\xF4\x80\x81\x80" },
+  { 0x00100080, "\xF4\x80\x82\x80" },
+  { 0x00100100, "\xF4\x80\x84\x80" },
+  { 0x00100200, "\xF4\x80\x88\x80" },
+  { 0x00100400, "\xF4\x80\x90\x80" },
+  { 0x00100800, "\xF4\x80\xA0\x80" },
+  { 0x00101000, "\xF4\x81\x80\x80" },
+  { 0x00102000, "\xF4\x82\x80\x80" },
+  { 0x00104000, "\xF4\x84\x80\x80" },
+  { 0x00108000, "\xF4\x88\x80\x80" },
+  { 0x0010FFFF, "\xF4\x8F\xBF\xBF" },
+};
+
+/*
+ * UCS-2 vectors
+ */
+
+struct ucs2 ucs2[] = {
+  { 0x0001, "\x01" },
+  { 0x0002, "\x02" },
+  { 0x0003, "\x03" },
+  { 0x0004, "\x04" },
+  { 0x0007, "\x07" },
+  { 0x0008, "\x08" },
+  { 0x000F, "\x0F" },
+  { 0x0010, "\x10" },
+  { 0x001F, "\x1F" },
+  { 0x0020, "\x20" },
+  { 0x003F, "\x3F" },
+  { 0x0040, "\x40" },
+  { 0x007F, "\x7F" },
+          
+  { 0x0080, "\xC2\x80" },
+  { 0x0081, "\xC2\x81" },
+  { 0x0082, "\xC2\x82" },
+  { 0x0084, "\xC2\x84" },
+  { 0x0088, "\xC2\x88" },
+  { 0x0090, "\xC2\x90" },
+  { 0x00A0, "\xC2\xA0" },
+  { 0x00C0, "\xC3\x80" },
+  { 0x00FF, "\xC3\xBF" },
+  { 0x0100, "\xC4\x80" },
+  { 0x0101, "\xC4\x81" },
+  { 0x0102, "\xC4\x82" },
+  { 0x0104, "\xC4\x84" },
+  { 0x0108, "\xC4\x88" },
+  { 0x0110, "\xC4\x90" },
+  { 0x0120, "\xC4\xA0" },
+  { 0x0140, "\xC5\x80" },
+  { 0x0180, "\xC6\x80" },
+  { 0x01FF, "\xC7\xBF" },
+  { 0x0200, "\xC8\x80" },
+  { 0x0201, "\xC8\x81" },
+  { 0x0202, "\xC8\x82" },
+  { 0x0204, "\xC8\x84" },
+  { 0x0208, "\xC8\x88" },
+  { 0x0210, "\xC8\x90" },
+  { 0x0220, "\xC8\xA0" },
+  { 0x0240, "\xC9\x80" },
+  { 0x0280, "\xCA\x80" },
+  { 0x0300, "\xCC\x80" },
+  { 0x03FF, "\xCF\xBF" },
+  { 0x0400, "\xD0\x80" },
+  { 0x0401, "\xD0\x81" },
+  { 0x0402, "\xD0\x82" },
+  { 0x0404, "\xD0\x84" },
+  { 0x0408, "\xD0\x88" },
+  { 0x0410, "\xD0\x90" },
+  { 0x0420, "\xD0\xA0" },
+  { 0x0440, "\xD1\x80" },
+  { 0x0480, "\xD2\x80" },
+  { 0x0500, "\xD4\x80" },
+  { 0x0600, "\xD8\x80" },
+  { 0x07FF, "\xDF\xBF" },
+          
+  { 0x0800, "\xE0\xA0\x80" },
+  { 0x0801, "\xE0\xA0\x81" },
+  { 0x0802, "\xE0\xA0\x82" },
+  { 0x0804, "\xE0\xA0\x84" },
+  { 0x0808, "\xE0\xA0\x88" },
+  { 0x0810, "\xE0\xA0\x90" },
+  { 0x0820, "\xE0\xA0\xA0" },
+  { 0x0840, "\xE0\xA1\x80" },
+  { 0x0880, "\xE0\xA2\x80" },
+  { 0x0900, "\xE0\xA4\x80" },
+  { 0x0A00, "\xE0\xA8\x80" },
+  { 0x0C00, "\xE0\xB0\x80" },
+  { 0x0FFF, "\xE0\xBF\xBF" },
+  { 0x1000, "\xE1\x80\x80" },
+  { 0x1001, "\xE1\x80\x81" },
+  { 0x1002, "\xE1\x80\x82" },
+  { 0x1004, "\xE1\x80\x84" },
+  { 0x1008, "\xE1\x80\x88" },
+  { 0x1010, "\xE1\x80\x90" },
+  { 0x1020, "\xE1\x80\xA0" },
+  { 0x1040, "\xE1\x81\x80" },
+  { 0x1080, "\xE1\x82\x80" },
+  { 0x1100, "\xE1\x84\x80" },
+  { 0x1200, "\xE1\x88\x80" },
+  { 0x1400, "\xE1\x90\x80" },
+  { 0x1800, "\xE1\xA0\x80" },
+  { 0x1FFF, "\xE1\xBF\xBF" },
+  { 0x2000, "\xE2\x80\x80" },
+  { 0x2001, "\xE2\x80\x81" },
+  { 0x2002, "\xE2\x80\x82" },
+  { 0x2004, "\xE2\x80\x84" },
+  { 0x2008, "\xE2\x80\x88" },
+  { 0x2010, "\xE2\x80\x90" },
+  { 0x2020, "\xE2\x80\xA0" },
+  { 0x2040, "\xE2\x81\x80" },
+  { 0x2080, "\xE2\x82\x80" },
+  { 0x2100, "\xE2\x84\x80" },
+  { 0x2200, "\xE2\x88\x80" },
+  { 0x2400, "\xE2\x90\x80" },
+  { 0x2800, "\xE2\xA0\x80" },
+  { 0x3000, "\xE3\x80\x80" },
+  { 0x3FFF, "\xE3\xBF\xBF" },
+  { 0x4000, "\xE4\x80\x80" },
+  { 0x4001, "\xE4\x80\x81" },
+  { 0x4002, "\xE4\x80\x82" },
+  { 0x4004, "\xE4\x80\x84" },
+  { 0x4008, "\xE4\x80\x88" },
+  { 0x4010, "\xE4\x80\x90" },
+  { 0x4020, "\xE4\x80\xA0" },
+  { 0x4040, "\xE4\x81\x80" },
+  { 0x4080, "\xE4\x82\x80" },
+  { 0x4100, "\xE4\x84\x80" },
+  { 0x4200, "\xE4\x88\x80" },
+  { 0x4400, "\xE4\x90\x80" },
+  { 0x4800, "\xE4\xA0\x80" },
+  { 0x5000, "\xE5\x80\x80" },
+  { 0x6000, "\xE6\x80\x80" },
+  { 0x7FFF, "\xE7\xBF\xBF" },
+  { 0x8000, "\xE8\x80\x80" },
+  { 0x8001, "\xE8\x80\x81" },
+  { 0x8002, "\xE8\x80\x82" },
+  { 0x8004, "\xE8\x80\x84" },
+  { 0x8008, "\xE8\x80\x88" },
+  { 0x8010, "\xE8\x80\x90" },
+  { 0x8020, "\xE8\x80\xA0" },
+  { 0x8040, "\xE8\x81\x80" },
+  { 0x8080, "\xE8\x82\x80" },
+  { 0x8100, "\xE8\x84\x80" },
+  { 0x8200, "\xE8\x88\x80" },
+  { 0x8400, "\xE8\x90\x80" },
+  { 0x8800, "\xE8\xA0\x80" },
+  { 0x9000, "\xE9\x80\x80" },
+  { 0xA000, "\xEA\x80\x80" },
+  { 0xC000, "\xEC\x80\x80" },
+  { 0xFFFF, "\xEF\xBF\xBF" }
+
+};
+
+/*
+ * UTF-16 vectors
+ */
+
+struct utf16 utf16[] = {
+  { 0x00010000, { 0xD800, 0xDC00 } },
+  { 0x00010001, { 0xD800, 0xDC01 } },
+  { 0x00010002, { 0xD800, 0xDC02 } },
+  { 0x00010003, { 0xD800, 0xDC03 } },
+  { 0x00010004, { 0xD800, 0xDC04 } },
+  { 0x00010007, { 0xD800, 0xDC07 } },
+  { 0x00010008, { 0xD800, 0xDC08 } },
+  { 0x0001000F, { 0xD800, 0xDC0F } },
+  { 0x00010010, { 0xD800, 0xDC10 } },
+  { 0x0001001F, { 0xD800, 0xDC1F } },
+  { 0x00010020, { 0xD800, 0xDC20 } },
+  { 0x0001003F, { 0xD800, 0xDC3F } },
+  { 0x00010040, { 0xD800, 0xDC40 } },
+  { 0x0001007F, { 0xD800, 0xDC7F } },
+  { 0x00010080, { 0xD800, 0xDC80 } },
+  { 0x00010081, { 0xD800, 0xDC81 } },
+  { 0x00010082, { 0xD800, 0xDC82 } },
+  { 0x00010084, { 0xD800, 0xDC84 } },
+  { 0x00010088, { 0xD800, 0xDC88 } },
+  { 0x00010090, { 0xD800, 0xDC90 } },
+  { 0x000100A0, { 0xD800, 0xDCA0 } },
+  { 0x000100C0, { 0xD800, 0xDCC0 } },
+  { 0x000100FF, { 0xD800, 0xDCFF } },
+  { 0x00010100, { 0xD800, 0xDD00 } },
+  { 0x00010101, { 0xD800, 0xDD01 } },
+  { 0x00010102, { 0xD800, 0xDD02 } },
+  { 0x00010104, { 0xD800, 0xDD04 } },
+  { 0x00010108, { 0xD800, 0xDD08 } },
+  { 0x00010110, { 0xD800, 0xDD10 } },
+  { 0x00010120, { 0xD800, 0xDD20 } },
+  { 0x00010140, { 0xD800, 0xDD40 } },
+  { 0x00010180, { 0xD800, 0xDD80 } },
+  { 0x000101FF, { 0xD800, 0xDDFF } },
+  { 0x00010200, { 0xD800, 0xDE00 } },
+  { 0x00010201, { 0xD800, 0xDE01 } },
+  { 0x00010202, { 0xD800, 0xDE02 } },
+  { 0x00010204, { 0xD800, 0xDE04 } },
+  { 0x00010208, { 0xD800, 0xDE08 } },
+  { 0x00010210, { 0xD800, 0xDE10 } },
+  { 0x00010220, { 0xD800, 0xDE20 } },
+  { 0x00010240, { 0xD800, 0xDE40 } },
+  { 0x00010280, { 0xD800, 0xDE80 } },
+  { 0x00010300, { 0xD800, 0xDF00 } },
+  { 0x000103FF, { 0xD800, 0xDFFF } },
+  { 0x00010400, { 0xD801, 0xDC00 } },
+  { 0x00010401, { 0xD801, 0xDC01 } },
+  { 0x00010402, { 0xD801, 0xDC02 } },
+  { 0x00010404, { 0xD801, 0xDC04 } },
+  { 0x00010408, { 0xD801, 0xDC08 } },
+  { 0x00010410, { 0xD801, 0xDC10 } },
+  { 0x00010420, { 0xD801, 0xDC20 } },
+  { 0x00010440, { 0xD801, 0xDC40 } },
+  { 0x00010480, { 0xD801, 0xDC80 } },
+  { 0x00010500, { 0xD801, 0xDD00 } },
+  { 0x00010600, { 0xD801, 0xDE00 } },
+  { 0x000107FF, { 0xD801, 0xDFFF } },
+  { 0x00010800, { 0xD802, 0xDC00 } },
+  { 0x00010801, { 0xD802, 0xDC01 } },
+  { 0x00010802, { 0xD802, 0xDC02 } },
+  { 0x00010804, { 0xD802, 0xDC04 } },
+  { 0x00010808, { 0xD802, 0xDC08 } },
+  { 0x00010810, { 0xD802, 0xDC10 } },
+  { 0x00010820, { 0xD802, 0xDC20 } },
+  { 0x00010840, { 0xD802, 0xDC40 } },
+  { 0x00010880, { 0xD802, 0xDC80 } },
+  { 0x00010900, { 0xD802, 0xDD00 } },
+  { 0x00010A00, { 0xD802, 0xDE00 } },
+  { 0x00010C00, { 0xD803, 0xDC00 } },
+  { 0x00010FFF, { 0xD803, 0xDFFF } },
+  { 0x00011000, { 0xD804, 0xDC00 } },
+  { 0x00011001, { 0xD804, 0xDC01 } },
+  { 0x00011002, { 0xD804, 0xDC02 } },
+  { 0x00011004, { 0xD804, 0xDC04 } },
+  { 0x00011008, { 0xD804, 0xDC08 } },
+  { 0x00011010, { 0xD804, 0xDC10 } },
+  { 0x00011020, { 0xD804, 0xDC20 } },
+  { 0x00011040, { 0xD804, 0xDC40 } },
+  { 0x00011080, { 0xD804, 0xDC80 } },
+  { 0x00011100, { 0xD804, 0xDD00 } },
+  { 0x00011200, { 0xD804, 0xDE00 } },
+  { 0x00011400, { 0xD805, 0xDC00 } },
+  { 0x00011800, { 0xD806, 0xDC00 } },
+  { 0x00011FFF, { 0xD807, 0xDFFF } },
+  { 0x00012000, { 0xD808, 0xDC00 } },
+  { 0x00012001, { 0xD808, 0xDC01 } },
+  { 0x00012002, { 0xD808, 0xDC02 } },
+  { 0x00012004, { 0xD808, 0xDC04 } },
+  { 0x00012008, { 0xD808, 0xDC08 } },
+  { 0x00012010, { 0xD808, 0xDC10 } },
+  { 0x00012020, { 0xD808, 0xDC20 } },
+  { 0x00012040, { 0xD808, 0xDC40 } },
+  { 0x00012080, { 0xD808, 0xDC80 } },
+  { 0x00012100, { 0xD808, 0xDD00 } },
+  { 0x00012200, { 0xD808, 0xDE00 } },
+  { 0x00012400, { 0xD809, 0xDC00 } },
+  { 0x00012800, { 0xD80A, 0xDC00 } },
+  { 0x00013000, { 0xD80C, 0xDC00 } },
+  { 0x00013FFF, { 0xD80F, 0xDFFF } },
+  { 0x00014000, { 0xD810, 0xDC00 } },
+  { 0x00014001, { 0xD810, 0xDC01 } },
+  { 0x00014002, { 0xD810, 0xDC02 } },
+  { 0x00014004, { 0xD810, 0xDC04 } },
+  { 0x00014008, { 0xD810, 0xDC08 } },
+  { 0x00014010, { 0xD810, 0xDC10 } },
+  { 0x00014020, { 0xD810, 0xDC20 } },
+  { 0x00014040, { 0xD810, 0xDC40 } },
+  { 0x00014080, { 0xD810, 0xDC80 } },
+  { 0x00014100, { 0xD810, 0xDD00 } },
+  { 0x00014200, { 0xD810, 0xDE00 } },
+  { 0x00014400, { 0xD811, 0xDC00 } },
+  { 0x00014800, { 0xD812, 0xDC00 } },
+  { 0x00015000, { 0xD814, 0xDC00 } },
+  { 0x00016000, { 0xD818, 0xDC00 } },
+  { 0x00017FFF, { 0xD81F, 0xDFFF } },
+  { 0x00018000, { 0xD820, 0xDC00 } },
+  { 0x00018001, { 0xD820, 0xDC01 } },
+  { 0x00018002, { 0xD820, 0xDC02 } },
+  { 0x00018004, { 0xD820, 0xDC04 } },
+  { 0x00018008, { 0xD820, 0xDC08 } },
+  { 0x00018010, { 0xD820, 0xDC10 } },
+  { 0x00018020, { 0xD820, 0xDC20 } },
+  { 0x00018040, { 0xD820, 0xDC40 } },
+  { 0x00018080, { 0xD820, 0xDC80 } },
+  { 0x00018100, { 0xD820, 0xDD00 } },
+  { 0x00018200, { 0xD820, 0xDE00 } },
+  { 0x00018400, { 0xD821, 0xDC00 } },
+  { 0x00018800, { 0xD822, 0xDC00 } },
+  { 0x00019000, { 0xD824, 0xDC00 } },
+  { 0x0001A000, { 0xD828, 0xDC00 } },
+  { 0x0001C000, { 0xD830, 0xDC00 } },
+  { 0x0001FFFF, { 0xD83F, 0xDFFF } },
+  { 0x00020000, { 0xD840, 0xDC00 } },
+  { 0x00020001, { 0xD840, 0xDC01 } },
+  { 0x00020002, { 0xD840, 0xDC02 } },
+  { 0x00020004, { 0xD840, 0xDC04 } },
+  { 0x00020008, { 0xD840, 0xDC08 } },
+  { 0x00020010, { 0xD840, 0xDC10 } },
+  { 0x00020020, { 0xD840, 0xDC20 } },
+  { 0x00020040, { 0xD840, 0xDC40 } },
+  { 0x00020080, { 0xD840, 0xDC80 } },
+  { 0x00020100, { 0xD840, 0xDD00 } },
+  { 0x00020200, { 0xD840, 0xDE00 } },
+  { 0x00020400, { 0xD841, 0xDC00 } },
+  { 0x00020800, { 0xD842, 0xDC00 } },
+  { 0x00021000, { 0xD844, 0xDC00 } },
+  { 0x00022000, { 0xD848, 0xDC00 } },
+  { 0x00024000, { 0xD850, 0xDC00 } },
+  { 0x00028000, { 0xD860, 0xDC00 } },
+  { 0x0002FFFF, { 0xD87F, 0xDFFF } },
+  { 0x00030000, { 0xD880, 0xDC00 } },
+  { 0x00030001, { 0xD880, 0xDC01 } },
+  { 0x00030002, { 0xD880, 0xDC02 } },
+  { 0x00030004, { 0xD880, 0xDC04 } },
+  { 0x00030008, { 0xD880, 0xDC08 } },
+  { 0x00030010, { 0xD880, 0xDC10 } },
+  { 0x00030020, { 0xD880, 0xDC20 } },
+  { 0x00030040, { 0xD880, 0xDC40 } },
+  { 0x00030080, { 0xD880, 0xDC80 } },
+  { 0x00030100, { 0xD880, 0xDD00 } },
+  { 0x00030200, { 0xD880, 0xDE00 } },
+  { 0x00030400, { 0xD881, 0xDC00 } },
+  { 0x00030800, { 0xD882, 0xDC00 } },
+  { 0x00031000, { 0xD884, 0xDC00 } },
+  { 0x00032000, { 0xD888, 0xDC00 } },
+  { 0x00034000, { 0xD890, 0xDC00 } },
+  { 0x00038000, { 0xD8A0, 0xDC00 } },
+  { 0x0003FFFF, { 0xD8BF, 0xDFFF } },
+  { 0x00040000, { 0xD8C0, 0xDC00 } },
+  { 0x00040001, { 0xD8C0, 0xDC01 } },
+  { 0x00040002, { 0xD8C0, 0xDC02 } },
+  { 0x00040004, { 0xD8C0, 0xDC04 } },
+  { 0x00040008, { 0xD8C0, 0xDC08 } },
+  { 0x00040010, { 0xD8C0, 0xDC10 } },
+  { 0x00040020, { 0xD8C0, 0xDC20 } },
+  { 0x00040040, { 0xD8C0, 0xDC40 } },
+  { 0x00040080, { 0xD8C0, 0xDC80 } },
+  { 0x00040100, { 0xD8C0, 0xDD00 } },
+  { 0x00040200, { 0xD8C0, 0xDE00 } },
+  { 0x00040400, { 0xD8C1, 0xDC00 } },
+  { 0x00040800, { 0xD8C2, 0xDC00 } },
+  { 0x00041000, { 0xD8C4, 0xDC00 } },
+  { 0x00042000, { 0xD8C8, 0xDC00 } },
+  { 0x00044000, { 0xD8D0, 0xDC00 } },
+  { 0x00048000, { 0xD8E0, 0xDC00 } },
+  { 0x0004FFFF, { 0xD8FF, 0xDFFF } },
+  { 0x00050000, { 0xD900, 0xDC00 } },
+  { 0x00050001, { 0xD900, 0xDC01 } },
+  { 0x00050002, { 0xD900, 0xDC02 } },
+  { 0x00050004, { 0xD900, 0xDC04 } },
+  { 0x00050008, { 0xD900, 0xDC08 } },
+  { 0x00050010, { 0xD900, 0xDC10 } },
+  { 0x00050020, { 0xD900, 0xDC20 } },
+  { 0x00050040, { 0xD900, 0xDC40 } },
+  { 0x00050080, { 0xD900, 0xDC80 } },
+  { 0x00050100, { 0xD900, 0xDD00 } },
+  { 0x00050200, { 0xD900, 0xDE00 } },
+  { 0x00050400, { 0xD901, 0xDC00 } },
+  { 0x00050800, { 0xD902, 0xDC00 } },
+  { 0x00051000, { 0xD904, 0xDC00 } },
+  { 0x00052000, { 0xD908, 0xDC00 } },
+  { 0x00054000, { 0xD910, 0xDC00 } },
+  { 0x00058000, { 0xD920, 0xDC00 } },
+  { 0x00060000, { 0xD940, 0xDC00 } },
+  { 0x00070000, { 0xD980, 0xDC00 } },
+  { 0x0007FFFF, { 0xD9BF, 0xDFFF } },
+  { 0x00080000, { 0xD9C0, 0xDC00 } },
+  { 0x00080001, { 0xD9C0, 0xDC01 } },
+  { 0x00080002, { 0xD9C0, 0xDC02 } },
+  { 0x00080004, { 0xD9C0, 0xDC04 } },
+  { 0x00080008, { 0xD9C0, 0xDC08 } },
+  { 0x00080010, { 0xD9C0, 0xDC10 } },
+  { 0x00080020, { 0xD9C0, 0xDC20 } },
+  { 0x00080040, { 0xD9C0, 0xDC40 } },
+  { 0x00080080, { 0xD9C0, 0xDC80 } },
+  { 0x00080100, { 0xD9C0, 0xDD00 } },
+  { 0x00080200, { 0xD9C0, 0xDE00 } },
+  { 0x00080400, { 0xD9C1, 0xDC00 } },
+  { 0x00080800, { 0xD9C2, 0xDC00 } },
+  { 0x00081000, { 0xD9C4, 0xDC00 } },
+  { 0x00082000, { 0xD9C8, 0xDC00 } },
+  { 0x00084000, { 0xD9D0, 0xDC00 } },
+  { 0x00088000, { 0xD9E0, 0xDC00 } },
+  { 0x0008FFFF, { 0xD9FF, 0xDFFF } },
+  { 0x00090000, { 0xDA00, 0xDC00 } },
+  { 0x00090001, { 0xDA00, 0xDC01 } },
+  { 0x00090002, { 0xDA00, 0xDC02 } },
+  { 0x00090004, { 0xDA00, 0xDC04 } },
+  { 0x00090008, { 0xDA00, 0xDC08 } },
+  { 0x00090010, { 0xDA00, 0xDC10 } },
+  { 0x00090020, { 0xDA00, 0xDC20 } },
+  { 0x00090040, { 0xDA00, 0xDC40 } },
+  { 0x00090080, { 0xDA00, 0xDC80 } },
+  { 0x00090100, { 0xDA00, 0xDD00 } },
+  { 0x00090200, { 0xDA00, 0xDE00 } },
+  { 0x00090400, { 0xDA01, 0xDC00 } },
+  { 0x00090800, { 0xDA02, 0xDC00 } },
+  { 0x00091000, { 0xDA04, 0xDC00 } },
+  { 0x00092000, { 0xDA08, 0xDC00 } },
+  { 0x00094000, { 0xDA10, 0xDC00 } },
+  { 0x00098000, { 0xDA20, 0xDC00 } },
+  { 0x000A0000, { 0xDA40, 0xDC00 } },
+  { 0x000B0000, { 0xDA80, 0xDC00 } },
+  { 0x000C0000, { 0xDAC0, 0xDC00 } },
+  { 0x000D0000, { 0xDB00, 0xDC00 } },
+  { 0x000FFFFF, { 0xDBBF, 0xDFFF } },
+  { 0x0010FFFF, { 0xDBFF, 0xDFFF } }
+
+};
+
+/* illegal utf8 sequences */
+char *utf8_bad[] = {
+  "\xC0\x80",
+  "\xC1\xBF",
+  "\xE0\x80\x80",
+  "\xE0\x9F\xBF",
+  "\xF0\x80\x80\x80",
+  "\xF0\x8F\xBF\xBF",
+  "\xF4\x90\x80\x80",
+  "\xF7\xBF\xBF\xBF",
+  "\xF8\x80\x80\x80\x80",
+  "\xF8\x88\x80\x80\x80",
+  "\xF8\x92\x80\x80\x80",
+  "\xF8\x9F\xBF\xBF\xBF",
+  "\xF8\xA0\x80\x80\x80",
+  "\xF8\xA8\x80\x80\x80",
+  "\xF8\xB0\x80\x80\x80",
+  "\xF8\xBF\xBF\xBF\xBF",
+  "\xF9\x80\x80\x80\x88",
+  "\xF9\x84\x80\x80\x80",
+  "\xF9\xBF\xBF\xBF\xBF",
+  "\xFA\x80\x80\x80\x80",
+  "\xFA\x90\x80\x80\x80",
+  "\xFB\xBF\xBF\xBF\xBF",
+  "\xFC\x84\x80\x80\x80\x81",
+  "\xFC\x85\x80\x80\x80\x80",
+  "\xFC\x86\x80\x80\x80\x80",
+  "\xFC\x87\xBF\xBF\xBF\xBF",
+  "\xFC\x88\xA0\x80\x80\x80",
+  "\xFC\x89\x80\x80\x80\x80",
+  "\xFC\x8A\x80\x80\x80\x80",
+  "\xFC\x90\x80\x80\x80\x82",
+  "\xFD\x80\x80\x80\x80\x80",
+  "\xFD\xBF\xBF\xBF\xBF\xBF",
+  "\x80",
+  "\xC3",
+  "\xC3\xC3\x80",
+  "\xED\xA0\x80",
+  "\xED\xBF\x80",
+  "\xED\xBF\xBF",
+  "\xED\xA0\x80\xE0\xBF\xBF",
+};
+
+static void
+dump_utf8
+(
+  char *word,
+  unsigned char *utf8,
+  char *end
+)
+{
+  fprintf(stdout, "%s ", word);
+  for( ; *utf8; utf8++ ) {
+    fprintf(stdout, "%02.2x ", (unsigned int)*utf8);
+  }
+  fprintf(stdout, "%s", end);
+}
+
+static PRBool
+test_ucs4_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    struct ucs4 *e = &ucs4[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint32 back = 0;
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8\n", e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (len >= sizeof(utf8)) ||
+        (strlen(e->utf8) != len) ||
+        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
+      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8: ", e->c);
+      dump_utf8("expected", e->utf8, ", ");
+      dump_utf8("received", utf8, "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back, sizeof(back), &len);
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->c != back) ) {
+      dump_utf8("Wrong conversion of UTF-8", utf8, " to UCS-4:");
+      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+
+static PRBool
+test_ucs2_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    struct ucs2 *e = &ucs2[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint16 back = 0;
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-2 0x%04.4x to UTF-8\n", e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (len >= sizeof(utf8)) ||
+        (strlen(e->utf8) != len) ||
+        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
+      fprintf(stdout, "Wrong conversion of UCS-2 0x%04.4x to UTF-8: ", e->c);
+      dump_utf8("expected", e->utf8, ", ");
+      dump_utf8("received", utf8, "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back, sizeof(back), &len);
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-2\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->c != back) ) {
+      dump_utf8("Wrong conversion of UTF-8", utf8, "to UCS-2:");
+      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+
+static PRBool
+test_utf16_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
+    struct utf16 *e = &utf16[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint32 back32 = 0;
+    PRUint16 back[2];
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
+      (unsigned char *)&e->w[0], sizeof(e->w), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8\n", 
+              e->w[0], e->w[1]);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back32, sizeof(back32), &len);
+
+    if( 4 != len ) {
+      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8: "
+              "unexpected len %d\n", e->w[0], e->w[1], len);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    utf8[len] = '\0'; /* null-terminate for printing */
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4 (utf-16 test)\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back32) != len) || (e->c != back32) ) {
+      fprintf(stdout, "Wrong conversion of UTF-16 0x%04.4x 0x%04.4x ", 
+              e->w[0], e->w[1]);
+      dump_utf8("to UTF-8", utf8, "and then to UCS-4: ");
+      if( sizeof(back32) != len ) {
+        fprintf(stdout, "len is %d\n", len);
+      } else {
+        fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back32);
+      }
+      rv = PR_FALSE;
+      continue;
+    }
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    back[0] = back[1] = 0;
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8 (utf-16 test)\n",
+              e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back[0], sizeof(back), &len);
+
+    if( 4 != len ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8: "
+              "unexpected len %d\n", e->c, len);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    utf8[len] = '\0'; /* null-terminate for printing */
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UTF-16\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->w[0] != back[0]) || (e->w[1] != back[1]) ) {
+      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8", e->c);
+      dump_utf8("", utf8, "and then to UTF-16:");
+      if( sizeof(back) != len ) {
+        fprintf(stdout, "len is %d\n", len);
+      } else {
+        fprintf(stdout, "expected 0x%04.4x 0x%04.4x, received 0x%04.4x 0x%04.4xx\n",
+                e->w[0], e->w[1], back[0], back[1]);
+      }
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+
+static PRBool
+test_utf8_bad_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(utf8_bad)/sizeof(utf8_bad[0]); i++ ) {
+    PRBool result;
+    unsigned char destbuf[30];
+    unsigned int len = 0;
+
+    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+      (unsigned char *)utf8_bad[i], strlen(utf8_bad[i]), destbuf, sizeof(destbuf), &len);
+
+    if( result ) {
+      dump_utf8("Failed to detect bad UTF-8 string converting to UCS2: ", utf8_bad[i], "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+      (unsigned char *)utf8_bad[i], strlen(utf8_bad[i]), destbuf, sizeof(destbuf), &len);
+
+    if( result ) {
+      dump_utf8("Failed to detect bad UTF-8 string converting to UCS4: ", utf8_bad[i], "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+  }
+
+  return rv;
+}
+
+static PRBool
+test_iso88591_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    struct ucs2 *e = &ucs2[i];
+    PRBool result;
+    unsigned char iso88591;
+    unsigned char utf8[3];
+    unsigned int len = 0;
+
+    if (ntohs(e->c) > 0xFF) continue;
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    iso88591 = ntohs(e->c);
+    
+    result = sec_port_iso88591_utf8_conversion_function(&iso88591,
+      1, utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert ISO-8859-1 0x%02.2x to UTF-8\n", iso88591);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (len >= sizeof(utf8)) ||
+        (strlen(e->utf8) != len) ||
+        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
+      fprintf(stdout, "Wrong conversion of ISO-8859-1 0x%02.2x to UTF-8: ", iso88591);
+      dump_utf8("expected", e->utf8, ", ");
+      dump_utf8("received", utf8, "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+  }
+
+  return rv;
+}
+
+static PRBool
+test_zeroes
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  PRBool result;
+  PRUint32 lzero = 0;
+  PRUint16 szero = 0;
+  unsigned char utf8[8];
+  unsigned int len = 0;
+  PRUint32 lback = 1;
+  PRUint16 sback = 1;
+
+  (void)memset(utf8, 1, sizeof(utf8));
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
+    (unsigned char *)&lzero, sizeof(lzero), utf8, sizeof(utf8), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UCS-4 0x00000000 to UTF-8\n");
+    rv = PR_FALSE;
+  } else if( 1 != len ) {
+    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( '\0' != *utf8 ) {
+    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: expected 00 ,"
+            "received %02.2x\n", (unsigned int)*utf8);
+    rv = PR_FALSE;
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+    "", 1, (unsigned char *)&lback, sizeof(lback), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-4\n");
+    rv = PR_FALSE;
+  } else if( 4 != len ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( 0 != lback ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: "
+            "expected 0x00000000, received 0x%08.8x\n", lback);
+    rv = PR_FALSE;
+  }
+
+  (void)memset(utf8, 1, sizeof(utf8));
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
+    (unsigned char *)&szero, sizeof(szero), utf8, sizeof(utf8), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UCS-2 0x0000 to UTF-8\n");
+    rv = PR_FALSE;
+  } else if( 1 != len ) {
+    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( '\0' != *utf8 ) {
+    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: expected 00 ,"
+            "received %02.2x\n", (unsigned int)*utf8);
+    rv = PR_FALSE;
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+    "", 1, (unsigned char *)&sback, sizeof(sback), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-2\n");
+    rv = PR_FALSE;
+  } else if( 2 != len ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( 0 != sback ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: "
+            "expected 0x0000, received 0x%04.4x\n", sback);
+    rv = PR_FALSE;
+  }
+
+  return rv;
+}
+
+static PRBool
+test_multichars
+(
+  void
+)
+{
+  int i;
+  unsigned int len, lenout;
+  PRUint32 *ucs4s;
+  char *ucs4_utf8;
+  PRUint16 *ucs2s;
+  char *ucs2_utf8;
+  void *tmp;
+  PRBool result;
+
+  ucs4s = (PRUint32 *)calloc(sizeof(ucs4)/sizeof(ucs4[0]), sizeof(PRUint32));
+  ucs2s = (PRUint16 *)calloc(sizeof(ucs2)/sizeof(ucs2[0]), sizeof(PRUint16));
+
+  if( ((PRUint32 *)NULL == ucs4s) || ((PRUint16 *)NULL == ucs2s) ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  len = 0;
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    ucs4s[i] = ucs4[i].c;
+    len += strlen(ucs4[i].utf8);
+  }
+
+  ucs4_utf8 = (char *)malloc(len);
+
+  len = 0;
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    ucs2s[i] = ucs2[i].c;
+    len += strlen(ucs2[i].utf8);
+  }
+
+  ucs2_utf8 = (char *)malloc(len);
+
+  if( ((char *)NULL == ucs4_utf8) || ((char *)NULL == ucs2_utf8) ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  *ucs4_utf8 = '\0';
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    strcat(ucs4_utf8, ucs4[i].utf8);
+  }
+
+  *ucs2_utf8 = '\0';
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    strcat(ucs2_utf8, ucs2[i].utf8);
+  }
+
+  /* UTF-8 -> UCS-4 */
+  len = sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+    ucs4_utf8, strlen(ucs4_utf8), tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UTF-8 to UCS-4\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-4\n");
+    goto loser;
+  }
+
+  if( 0 != memcmp(ucs4s, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-4\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UCS-4 -> UTF-8 */
+  len = strlen(ucs4_utf8);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
+    (unsigned char *)ucs4s, sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32), 
+    tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UCS-4 to UTF-8\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UCS-4 to UTF-8\n");
+    goto loser;
+  }
+
+  if( 0 != strncmp(ucs4_utf8, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UCS-4 to UTF-8\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UTF-8 -> UCS-2 */
+  len = sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+    ucs2_utf8, strlen(ucs2_utf8), tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UTF-8 to UCS-2\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-2\n");
+    goto loser;
+  }
+
+  if( 0 != memcmp(ucs2s, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-2\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UCS-2 -> UTF-8 */
+  len = strlen(ucs2_utf8);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
+    (unsigned char *)ucs2s, sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16), 
+    tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UCS-2 to UTF-8\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UCS-2 to UTF-8\n");
+    goto loser;
+  }
+
+  if( 0 != strncmp(ucs2_utf8, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UCS-2 to UTF-8\n");
+    goto loser;
+  }
+
+  /* implement UTF16 */
+
+  result = PR_TRUE;
+  goto done;
+
+ loser:
+  result = PR_FALSE;
+ done:
+  free(ucs4s);
+  free(ucs4_utf8);
+  free(ucs2s);
+  free(ucs2_utf8);
+  if( (void *)NULL != tmp ) free(tmp);
+  return result;
+}
+
+void
+byte_order
+(
+  void
+)
+{
+  /*
+   * The implementation (now) expects the 16- and 32-bit characters
+   * to be in network byte order, not host byte order.  Therefore I
+   * have to byteswap all those test vectors above.  hton[ls] may be
+   * functions, so I have to do this dynamically.  If you want to 
+   * use this code to do host byte order conversions, just remove
+   * the call in main() to this function.
+   */
+
+  int i;
+
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    struct ucs4 *e = &ucs4[i];
+    e->c = htonl(e->c);
+  }
+
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    struct ucs2 *e = &ucs2[i];
+    e->c = htons(e->c);
+  }
+
+  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
+    struct utf16 *e = &utf16[i];
+    e->c = htonl(e->c);
+    e->w[0] = htons(e->w[0]);
+    e->w[1] = htons(e->w[1]);
+  }
+
+  return;
+}
+
+int
+main
+(
+  int argc,
+  char *argv[]
+)
+{
+  byte_order();
+
+  if( test_ucs4_chars() &&
+      test_ucs2_chars() &&
+      test_utf16_chars() &&
+      test_utf8_bad_chars() &&
+      test_iso88591_chars() &&
+      test_zeroes() &&
+      test_multichars() &&
+      PR_TRUE ) {
+    fprintf(stderr, "PASS\n");
+    return 1;
+  } else {
+    fprintf(stderr, "FAIL\n");
+    return 0;
+  }
+}
+
+#endif /* TEST_UTF8 */
diff --git a/security/nss/lib/util/utilrename.h b/security/nss/lib/util/utilrename.h
new file mode 100644
index 000000000..ee5ae6733
--- /dev/null
+++ b/security/nss/lib/util/utilrename.h
@@ -0,0 +1,194 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License") you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * utilrename.h - rename symbols moved from libnss3 to libnssutil3
+ *
+ */
+
+#ifndef _LIBUTIL_H_
+#define _LIBUTIL_H_ _LIBUTIL_H__Util
+
+#ifdef USE_UTIL_DIRECTLY
+
+/* functions moved from libnss3 */
+#define ATOB_AsciiToData ATOB_AsciiToData_Util
+#define ATOB_ConvertAsciiToItem ATOB_ConvertAsciiToItem_Util
+#define BTOA_ConvertItemToAscii BTOA_ConvertItemToAscii_Util
+#define BTOA_DataToAscii BTOA_DataToAscii_Util
+#define CERT_GenTime2FormattedAscii CERT_GenTime2FormattedAscii_Util
+#define DER_AsciiToTime DER_AsciiToTime_Util
+#define DER_DecodeTimeChoice DER_DecodeTimeChoice_Util
+#define DER_Encode DER_Encode_Util
+#define DER_EncodeTimeChoice DER_EncodeTimeChoice_Util
+#define DER_GeneralizedDayToAscii DER_GeneralizedDayToAscii_Util
+#define DER_GeneralizedTimeToTime DER_GeneralizedTimeToTime_Util
+#define DER_GetInteger DER_GetInteger_Util
+#define DER_Lengths DER_Lengths_Util
+#define DER_TimeChoiceDayToAscii DER_TimeChoiceDayToAscii_Util
+#define DER_TimeToGeneralizedTime DER_TimeToGeneralizedTime_Util
+#define DER_TimeToGeneralizedTimeArena DER_TimeToGeneralizedTimeArena_Util
+#define DER_TimeToUTCTime DER_TimeToUTCTime_Util
+#define DER_UTCDayToAscii DER_UTCDayToAscii_Util
+#define DER_UTCTimeToAscii DER_UTCTimeToAscii_Util
+#define DER_UTCTimeToTime DER_UTCTimeToTime_Util
+#define NSS_PutEnv NSS_PutEnv_Util
+#define NSSBase64_DecodeBuffer NSSBase64_DecodeBuffer_Util
+#define NSSBase64_EncodeItem NSSBase64_EncodeItem_Util
+#define NSSBase64Decoder_Create NSSBase64Decoder_Create_Util
+#define NSSBase64Decoder_Destroy NSSBase64Decoder_Destroy_Util
+#define NSSBase64Decoder_Update NSSBase64Decoder_Update_Util
+#define NSSBase64Encoder_Create NSSBase64Encoder_Create_Util
+#define NSSBase64Encoder_Destroy NSSBase64Encoder_Destroy_Util
+#define NSSBase64Encoder_Update NSSBase64Encoder_Update_Util
+#define NSSRWLock_Destroy NSSRWLock_Destroy_Util
+#define NSSRWLock_HaveWriteLock NSSRWLock_HaveWriteLock_Util
+#define NSSRWLock_LockRead NSSRWLock_LockRead_Util
+#define NSSRWLock_LockWrite NSSRWLock_LockWrite_Util
+#define NSSRWLock_New NSSRWLock_New_Util
+#define NSSRWLock_UnlockRead NSSRWLock_UnlockRead_Util
+#define NSSRWLock_UnlockWrite NSSRWLock_UnlockWrite_Util
+#define PORT_Alloc PORT_Alloc_Util
+#define PORT_ArenaAlloc PORT_ArenaAlloc_Util
+#define PORT_ArenaGrow PORT_ArenaGrow_Util
+#define PORT_ArenaMark PORT_ArenaMark_Util
+#define PORT_ArenaRelease PORT_ArenaRelease_Util
+#define PORT_ArenaStrdup PORT_ArenaStrdup_Util
+#define PORT_ArenaUnmark PORT_ArenaUnmark_Util
+#define PORT_ArenaZAlloc PORT_ArenaZAlloc_Util
+#define PORT_Free PORT_Free_Util
+#define PORT_FreeArena PORT_FreeArena_Util
+#define PORT_GetError PORT_GetError_Util
+#define PORT_NewArena PORT_NewArena_Util
+#define PORT_Realloc PORT_Realloc_Util
+#define PORT_SetError PORT_SetError_Util
+#define PORT_SetUCS2_ASCIIConversionFunction PORT_SetUCS2_ASCIIConversionFunction_Util
+#define PORT_SetUCS2_UTF8ConversionFunction PORT_SetUCS2_UTF8ConversionFunction_Util
+#define PORT_SetUCS4_UTF8ConversionFunction PORT_SetUCS4_UTF8ConversionFunction_Util
+#define PORT_Strdup PORT_Strdup_Util
+#define PORT_UCS2_ASCIIConversion PORT_UCS2_ASCIIConversion_Util
+#define PORT_UCS2_UTF8Conversion PORT_UCS2_UTF8Conversion_Util
+#define PORT_ZAlloc PORT_ZAlloc_Util
+#define PORT_ZFree PORT_ZFree_Util
+#define SEC_ASN1Decode SEC_ASN1Decode_Util
+#define SEC_ASN1DecodeInteger SEC_ASN1DecodeInteger_Util
+#define SEC_ASN1DecodeItem SEC_ASN1DecodeItem_Util
+#define SEC_ASN1DecoderAbort SEC_ASN1DecoderAbort_Util
+#define SEC_ASN1DecoderClearFilterProc SEC_ASN1DecoderClearFilterProc_Util
+#define SEC_ASN1DecoderClearNotifyProc SEC_ASN1DecoderClearNotifyProc_Util
+#define SEC_ASN1DecoderFinish SEC_ASN1DecoderFinish_Util
+#define SEC_ASN1DecoderSetFilterProc SEC_ASN1DecoderSetFilterProc_Util
+#define SEC_ASN1DecoderSetNotifyProc SEC_ASN1DecoderSetNotifyProc_Util
+#define SEC_ASN1DecoderStart SEC_ASN1DecoderStart_Util
+#define SEC_ASN1DecoderUpdate SEC_ASN1DecoderUpdate_Util
+#define SEC_ASN1Encode SEC_ASN1Encode_Util
+#define SEC_ASN1EncodeInteger SEC_ASN1EncodeInteger_Util
+#define SEC_ASN1EncodeItem SEC_ASN1EncodeItem_Util
+#define SEC_ASN1EncoderAbort SEC_ASN1EncoderAbort_Util
+#define SEC_ASN1EncoderClearNotifyProc SEC_ASN1EncoderClearNotifyProc_Util
+#define SEC_ASN1EncoderClearStreaming SEC_ASN1EncoderClearStreaming_Util
+#define SEC_ASN1EncoderClearTakeFromBuf SEC_ASN1EncoderClearTakeFromBuf_Util
+#define SEC_ASN1EncoderFinish SEC_ASN1EncoderFinish_Util
+#define SEC_ASN1EncoderSetNotifyProc SEC_ASN1EncoderSetNotifyProc_Util
+#define SEC_ASN1EncoderSetStreaming SEC_ASN1EncoderSetStreaming_Util
+#define SEC_ASN1EncoderSetTakeFromBuf SEC_ASN1EncoderSetTakeFromBuf_Util
+#define SEC_ASN1EncoderStart SEC_ASN1EncoderStart_Util
+#define SEC_ASN1EncoderUpdate SEC_ASN1EncoderUpdate_Util
+#define SEC_ASN1EncodeUnsignedInteger SEC_ASN1EncodeUnsignedInteger_Util
+#define SEC_ASN1LengthLength SEC_ASN1LengthLength_Util
+#define SEC_QuickDERDecodeItem SEC_QuickDERDecodeItem_Util
+#define SECITEM_AllocItem SECITEM_AllocItem_Util
+#define SECITEM_ArenaDupItem SECITEM_ArenaDupItem_Util
+#define SECITEM_CompareItem SECITEM_CompareItem_Util
+#define SECITEM_CopyItem SECITEM_CopyItem_Util
+#define SECITEM_DupItem SECITEM_DupItem_Util
+#define SECITEM_FreeItem SECITEM_FreeItem_Util
+#define SECITEM_ItemsAreEqual SECITEM_ItemsAreEqual_Util
+#define SECITEM_ZfreeItem SECITEM_ZfreeItem_Util
+#define SECOID_AddEntry SECOID_AddEntry_Util
+#define SECOID_CompareAlgorithmID SECOID_CompareAlgorithmID_Util
+#define SECOID_CopyAlgorithmID SECOID_CopyAlgorithmID_Util
+#define SECOID_DestroyAlgorithmID SECOID_DestroyAlgorithmID_Util
+#define SECOID_FindOID SECOID_FindOID_Util
+#define SECOID_FindOIDByTag SECOID_FindOIDByTag_Util
+#define SECOID_FindOIDTag SECOID_FindOIDTag_Util
+#define SECOID_FindOIDTagDescription SECOID_FindOIDTagDescription_Util
+#define SECOID_GetAlgorithmTag SECOID_GetAlgorithmTag_Util
+#define SECOID_SetAlgorithmID SECOID_SetAlgorithmID_Util
+#define SGN_CompareDigestInfo SGN_CompareDigestInfo_Util
+#define SGN_CopyDigestInfo SGN_CopyDigestInfo_Util
+#define SGN_CreateDigestInfo SGN_CreateDigestInfo_Util
+#define SGN_DestroyDigestInfo SGN_DestroyDigestInfo_Util
+
+/* templates moved from libnss3 */
+#define NSS_Get_SEC_AnyTemplate NSS_Get_SEC_AnyTemplate_Util
+#define NSS_Get_SEC_BitStringTemplate NSS_Get_SEC_BitStringTemplate_Util
+#define NSS_Get_SEC_BMPStringTemplate NSS_Get_SEC_BMPStringTemplate_Util
+#define NSS_Get_SEC_BooleanTemplate NSS_Get_SEC_BooleanTemplate_Util
+#define NSS_Get_SEC_GeneralizedTimeTemplate NSS_Get_SEC_GeneralizedTimeTemplate_Util
+#define NSS_Get_SEC_IA5StringTemplate NSS_Get_SEC_IA5StringTemplate_Util
+#define NSS_Get_SEC_IntegerTemplate NSS_Get_SEC_IntegerTemplate_Util
+#define NSS_Get_SEC_NullTemplate NSS_Get_SEC_NullTemplate_Util
+#define NSS_Get_SEC_ObjectIDTemplate NSS_Get_SEC_ObjectIDTemplate_Util
+#define NSS_Get_SEC_OctetStringTemplate NSS_Get_SEC_OctetStringTemplate_Util
+#define NSS_Get_SEC_PointerToAnyTemplate NSS_Get_SEC_PointerToAnyTemplate_Util
+#define NSS_Get_SEC_PointerToOctetStringTemplate NSS_Get_SEC_PointerToOctetStringTemplate_Util
+#define NSS_Get_SEC_SetOfAnyTemplate NSS_Get_SEC_SetOfAnyTemplate_Util
+#define NSS_Get_SEC_UTCTimeTemplate NSS_Get_SEC_UTCTimeTemplate_Util
+#define NSS_Get_SEC_UTF8StringTemplate NSS_Get_SEC_UTF8StringTemplate_Util
+#define NSS_Get_SECOID_AlgorithmIDTemplate NSS_Get_SECOID_AlgorithmIDTemplate_Util
+#define NSS_Get_sgn_DigestInfoTemplate NSS_Get_sgn_DigestInfoTemplate_Util
+#define SEC_AnyTemplate SEC_AnyTemplate_Util
+#define SEC_BitStringTemplate SEC_BitStringTemplate_Util
+#define SEC_BMPStringTemplate SEC_BMPStringTemplate_Util
+#define SEC_BooleanTemplate SEC_BooleanTemplate_Util
+#define SEC_GeneralizedTimeTemplate SEC_GeneralizedTimeTemplate_Util
+#define SEC_IA5StringTemplate SEC_IA5StringTemplate_Util
+#define SEC_IntegerTemplate SEC_IntegerTemplate_Util
+#define SEC_NullTemplate SEC_NullTemplate_Util
+#define SEC_ObjectIDTemplate SEC_ObjectIDTemplate_Util
+#define SEC_OctetStringTemplate SEC_OctetStringTemplate_Util
+#define SEC_PointerToAnyTemplate SEC_PointerToAnyTemplate_Util
+#define SEC_PointerToOctetStringTemplate SEC_PointerToOctetStringTemplate_Util
+#define SEC_SetOfAnyTemplate SEC_SetOfAnyTemplate_Util
+#define SEC_UTCTimeTemplate SEC_UTCTimeTemplate_Util
+#define SEC_UTF8StringTemplate SEC_UTF8StringTemplate_Util
+#define SECOID_AlgorithmIDTemplate SECOID_AlgorithmIDTemplate_Util
+#define sgn_DigestInfoTemplate sgn_DigestInfoTemplate_Util
+
+#endif /* USE_UTIL_DIRECTLY */
+
+#endif /* _LIBUTIL_H_ */
diff --git a/security/nss/lib/util/watcomfx.h b/security/nss/lib/util/watcomfx.h
new file mode 100644
index 000000000..d0b6fc5d3
--- /dev/null
+++ b/security/nss/lib/util/watcomfx.h
@@ -0,0 +1,62 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
+#ifndef __WATCOM_FIX_H__
+#define __WATCOM_FIX_H__ 1
+/*
+ * WATCOM's C compiler doesn't default to "__cdecl" conventions for external
+ * symbols and functions.  Rather than adding an explicit __cdecl modifier to 
+ * every external symbol and function declaration and definition, we use the 
+ * following pragma to (attempt to) change WATCOM c's default to __cdecl.
+ * These pragmas were taken from pages 180-181, 266 & 269 of the 
+ * Watcom C/C++ version 11 User's Guide, 3rd edition.
+ */
+#if defined(XP_WIN16) || defined(WIN16) 
+#pragma aux default "_*" \
+	parm caller [] \
+	value struct float struct routine [ax] \
+	modify [ax bx cx dx es]
+#else
+#pragma aux default "_*" \
+	parm caller [] \
+	value struct float struct routine [eax] \
+	modify [eax ecx edx]
+#endif
+#pragma aux default far
+
+#endif /* once */
+#endif /* WATCOM compiler */
diff --git a/security/nss/manifest.mn b/security/nss/manifest.mn
new file mode 100644
index 000000000..e20badc40
--- /dev/null
+++ b/security/nss/manifest.mn
@@ -0,0 +1,47 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ..
+DEPTH      = ..
+
+IMPORTS =	nspr20/v4.7 \
+		$(NULL)
+
+RELEASE = nss
+
+DIRS = lib cmd
+
+
diff --git a/security/nss/pkg/Makefile b/security/nss/pkg/Makefile
new file mode 100644
index 000000000..07f165f50
--- /dev/null
+++ b/security/nss/pkg/Makefile
@@ -0,0 +1,59 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../..
+DEPTH      = ../..
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+publish:
+ifeq ($(OS_TARGET),Linux)
+	rm -rf $(OBJDIR)
+	cp -r linux $(OBJDIR)
+	$(MAKE) -C $(OBJDIR) publish
+endif
+ifeq ($(OS_TARGET),SunOS)
+	rm -rf $(OBJDIR)
+	cp -r solaris $(OBJDIR)
+	$(MAKE) -C $(OBJDIR) publish
+endif
+
+clean::
+	rm -rf $(OBJDIR)
+
+include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/pkg/linux/Makefile b/security/nss/pkg/linux/Makefile
new file mode 100644
index 000000000..13e34131f
--- /dev/null
+++ b/security/nss/pkg/linux/Makefile
@@ -0,0 +1,122 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+CORE_DEPTH = ../../..
+
+NAME        = sun-nss
+ifndef RPM_RELEASE
+RPM_RELEASE = 1
+endif
+VERSION     = `grep NSS_VERSION $(CORE_DEPTH)/../dist/public/nss/nss.h \
+		| head -1 \
+		| sed -e 's/[^"]*"//' -e 's/".*//' -e 's/ .*//'`
+PWD         = `pwd`
+BUILDROOT   = $(PWD)\/$(NAME)-root
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+# Force i386 for non 64 bit build
+ifneq ($(USE_64),1)
+	RPMTARGET = "--target=i386"
+	RPMLIBDIR = lib
+else
+	RPMLIBDIR = lib64
+endif
+
+
+publish:
+	$(MAKE) clean
+	mkdir -p SOURCES SRPMS RPMS BUILD
+	mkdir -p opt/sun/private/$(RPMLIBDIR) 
+	find $(CORE_DEPTH)/../dist/$(OBJDIR)/lib -type l \
+		\( -name "*.so" -o -name "*.chk" \) \
+	-exec cp {} opt/sun/private/$(RPMLIBDIR) \;
+	rm -f opt/sun/private/$(RPMLIBDIR)/libnspr4.so \
+	   opt/sun/private/$(RPMLIBDIR)/libplc4.so \
+	   opt/sun/private/$(RPMLIBDIR)/libplds4.so \
+	   opt/sun/private/$(RPMLIBDIR)/libjss*.so
+	mkdir -p opt/sun/private/bin
+	(cd $(CORE_DEPTH)/../dist/$(OBJDIR)/bin && tar cphf - \
+		certutil cmsutil crlutil modutil pk12util signtool \
+		signver ssltap addbuiltin ) | (cd opt/sun/private/bin && tar xvfBp -)
+	(cd $(CORE_DEPTH)/../dist/public && tar cphf - .) \
+		| (mkdir -p opt/sun/private/include && cd opt/sun/private/include && tar xvfBp -)
+	rm -rf opt/sun/private/include/seccmd
+	rm -rf opt/sun/private/include/dbm
+
+	tar czvf $(NAME)-$(VERSION).tar.gz opt 
+	echo "%define _topdir `pwd`" >temp.spec
+	sed -e "s/NAME_REPLACE/$(NAME)/" \
+		-e "s/VERSION_REPLACE/$(VERSION)/" \
+		-e "s/RELEASE_REPLACE/$(RPM_RELEASE)/" \
+	<$(NAME).spec >>temp.spec
+	echo "" >>temp.spec
+	echo "%files" >>temp.spec
+	echo "%defattr(-,root,root)" >>temp.spec
+	echo "%dir /opt" >>temp.spec
+	echo "%dir /opt/sun" >>temp.spec
+	echo "%dir /opt/sun/private" >>temp.spec
+	echo "%dir /opt/sun/private/$(RPMLIBDIR)" >>temp.spec
+	echo "%dir /opt/sun/private/bin" >>temp.spec
+	find opt \( -name "*.so" -o -name "*.chk" -o -type f \
+		-perm u=rwx,g=rx,o=rx \) | sed -e "s-^-/-" >>temp.spec
+	echo "" >>temp.spec
+	echo "%files devel" >>temp.spec
+	echo "%defattr(-,root,root)" >>temp.spec
+	echo "%dir /opt" >>temp.spec
+	echo "%dir /opt/sun" >>temp.spec
+	echo "%dir /opt/sun/private" >>temp.spec
+	echo "%dir /opt/sun/private/include" >>temp.spec
+	echo "%dir /opt/sun/private/include/nss" >>temp.spec
+	find opt -type f \( -name "*.h" \) \
+		| sed -e "s-^-/-" >>temp.spec
+	cp $(NAME)-$(VERSION).tar.gz SOURCES
+	rpmbuild $(RPMTARGET) -bb temp.spec
+
+clean::
+	rm -rf SOURCES SRPMS RPMS BUILD
+	rm -rf opt 
+	rm -f temp.spec
+	rm -f $(NAME)-$(VERSION).tar.gz
+
+include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/pkg/linux/sun-nss.spec b/security/nss/pkg/linux/sun-nss.spec
new file mode 100644
index 000000000..13b5b26db
--- /dev/null
+++ b/security/nss/pkg/linux/sun-nss.spec
@@ -0,0 +1,84 @@
+Summary: Network Security Services
+Name: NAME_REPLACE
+Vendor: Sun Microsystems, Inc.
+Version: VERSION_REPLACE
+Release: RELEASE_REPLACE
+Copyright: Copyright 2005 Sun Microsystems, Inc.  All rights reserved.  Use is subject to license terms.  Also under other license(s) as shown at the Description field.
+Distribution: Sun Java(TM) Enterprise System
+URL: http://www.sun.com
+Group: System Environment/Base
+Source: %{name}-%{version}.tar.gz
+ExclusiveOS: Linux
+BuildRoot: %_topdir/%{name}-root
+
+Requires: sun-nspr >= 4.1.2
+        
+%description
+Network Security Services (NSS) is a set of libraries designed
+to support cross-platform development of security-enabled server
+applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
+X.509 v3 certificates, and other security standards.  See:
+http://www.mozilla.org/projects/security/pki/nss/overview.html
+
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this file are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is
+Netscape Communications Corporation.
+Portions created by the Initial Developer are Copyright (C) 1994-2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
+
+%package devel
+Summary: Development Libraries for Network Security Services
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+
+%define _unpackaged_files_terminate_build 0
+
+%description devel
+Header files for doing development with Network Security Services.
+
+Under "MPL/GPL" license.
+
+%prep
+%setup -c
+
+%build
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir $RPM_BUILD_ROOT
+cd $RPM_BUILD_ROOT
+tar xvzf $RPM_SOURCE_DIR/%{name}-%{version}.tar.gz
+
+%clean
+rm -rf $RPM_BUILD_ROOT
diff --git a/security/nss/pkg/solaris/Makefile b/security/nss/pkg/solaris/Makefile
new file mode 100644
index 000000000..8487abeb2
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile
@@ -0,0 +1,125 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+CORE_DEPTH = ../../..
+
+%: %.ksh
+	$(RM) $@
+	cp $< $@
+	chmod +x $@
+
+HEADER_DIR = public/nss
+
+DIRS = \
+	SUNWtls \
+	SUNWtlsu \
+	SUNWtlsd
+
+include Makefile.com
+
+PROTO = \
+	$(ROOT) \
+	$(ROOT)/usr/lib/mps \
+	$(ROOT)/usr/include/mps \
+	$(ROOT)/usr/sfw/bin
+
+ifeq ($(MACH), sparc)
+	PROTO += $(ROOT)/usr/lib/mps/sparcv9 \
+	$(ROOT)/usr/sfw/bin/sparcv9
+endif
+
+ifeq ($(USE_64), 1)
+ifeq ($(MACH), sparc)
+# Sparc
+	PROTO += $(ROOT)/usr/lib/mps/sparcv9 \
+	$(ROOT)/usr/sfw/bin/sparcv9
+else
+# AMD64
+	PROTO += $(ROOT)/usr/lib/mps/amd64 \
+	$(ROOT)/usr/sfw/bin/amd64
+endif
+	DIST64 = $(DIST)
+	DIST32 = $(shell echo $(DIST) | sed -e "s|_64_OPT|_OPT|g" -e "s|_64_DBG|_DBG|g")
+else
+	DIST32 = $(DIST)
+	DIST64 = $(shell echo $(DIST) | sed -e "s|_OPT|_64_OPT|g" -e "s|_DBG|_64_DBG|g")
+endif
+
+awk_pkginfo: bld_awk_pkginfo
+	./bld_awk_pkginfo -m $(MACH) -p "$(PRODUCT_VERSION)" -o $@ -v $(PRODUCT_VERSION)
+
+all:: awk_pkginfo $(PROTO)
+publish: awk_pkginfo $(PROTO)
+	+$(LOOP_OVER_DIRS)
+
+clean clobber::
+	$(RM) awk_pkginfo bld_awk_pkginfo
+	$(RM) -r $(ROOT)
+
+$(ROOT):
+	mkdir -p $@
+
+$(ROOT)/usr/lib/mps:
+	mkdir -p $@
+	$(CP) -r $(DIST32)/lib/*.so $@
+	$(CP) -r $(DIST32)/lib/*.chk $@
+$(ROOT)/usr/sfw/bin:
+	mkdir -p $@
+	-$(CP) -r $(DIST32)/bin/* $@
+$(ROOT)/usr/include/mps:
+	mkdir -p $@
+	$(CP) -r $(SOURCE_PREFIX)/$(HEADER_DIR)/*.h $@
+$(ROOT)/usr/lib/mps/sparcv9:
+	mkdir -p $@
+	$(CP) -r $(DIST64)/lib/*.so $@
+	$(CP) -r $(DIST64)/lib/*.chk $@
+$(ROOT)/usr/sfw/bin/sparcv9:
+	mkdir -p $@
+	$(CP) -r $(DIST64)/bin/* $@
+$(ROOT)/usr/lib/mps/amd64:
+	mkdir -p $@
+	$(CP) -r $(DIST64)/lib/*.so $@
+	$(CP) -r $(DIST64)/lib/*.chk $@
+$(ROOT)/usr/sfw/bin/amd64:
+	mkdir -p $@
+	$(CP) -r $(DIST64)/bin/* $@
diff --git a/security/nss/pkg/solaris/Makefile-devl.com b/security/nss/pkg/solaris/Makefile-devl.com
new file mode 100755
index 000000000..d7093b122
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile-devl.com
@@ -0,0 +1,71 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+MACH = $(shell mach)
+
+PUBLISH_ROOT = $(DIST)
+ifeq ($(CORE_DEPTH),../../..)
+ROOT = ROOT
+else
+ROOT = $(subst ../../../,,$(CORE_DEPTH))/ROOT
+endif
+
+PKGARCHIVE = $(PUBLISH_ROOT)/pkgarchive
+DATAFILES = copyright
+FILES = $(DATAFILES) pkginfo
+
+
+PACKAGE = $(shell basename `pwd`)
+
+PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/nss/lib/nss/nss.h \
+    | head -1 \
+    | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//')
+
+LN = /usr/bin/ln
+
+CLOBBERFILES = $(FILES)
+
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# vim: ft=make
diff --git a/security/nss/pkg/solaris/Makefile-devl.targ b/security/nss/pkg/solaris/Makefile-devl.targ
new file mode 100755
index 000000000..baaa0c075
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile-devl.targ
@@ -0,0 +1,62 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+pkginfo: pkginfo.tmpl ../awk_pkginfo
+	$(RM) $@; nawk -f ../awk_pkginfo $@.tmpl > $@
+
+pkg: $(PKGARCHIVE) prototype
+	pkgmk -f prototype -d $(PKGARCHIVE) -r $(ROOT) -o $(PACKAGE)
+
+$(PKGARCHIVE):
+	[ -d $(PKGARCHIVE) ] || mkdir -p $(PKGARCHIVE)
+
+$(DATAFILES):: %: ../common_files/%
+	$(RM) $@; cp ../common_files/$@ $@
+
+$(MACHDATAFILES): %: ../common_files/%_$(MACH)
+	$(RM) $@; cp ../common_files/$@_$(MACH) $@
+
+clobber clean::
+	-$(RM) $(CLOBBERFILES) $(CLEANFILES)
+
+.PHONY: pkg
diff --git a/security/nss/pkg/solaris/Makefile-tlsu.com b/security/nss/pkg/solaris/Makefile-tlsu.com
new file mode 100755
index 000000000..d7093b122
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile-tlsu.com
@@ -0,0 +1,71 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+MACH = $(shell mach)
+
+PUBLISH_ROOT = $(DIST)
+ifeq ($(CORE_DEPTH),../../..)
+ROOT = ROOT
+else
+ROOT = $(subst ../../../,,$(CORE_DEPTH))/ROOT
+endif
+
+PKGARCHIVE = $(PUBLISH_ROOT)/pkgarchive
+DATAFILES = copyright
+FILES = $(DATAFILES) pkginfo
+
+
+PACKAGE = $(shell basename `pwd`)
+
+PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/nss/lib/nss/nss.h \
+    | head -1 \
+    | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//')
+
+LN = /usr/bin/ln
+
+CLOBBERFILES = $(FILES)
+
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# vim: ft=make
diff --git a/security/nss/pkg/solaris/Makefile-tlsu.targ b/security/nss/pkg/solaris/Makefile-tlsu.targ
new file mode 100755
index 000000000..ed3956e85
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile-tlsu.targ
@@ -0,0 +1,70 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+include ../proto64.mk
+
+pkginfo: pkginfo.tmpl ../awk_pkginfo
+	$(RM) $@; nawk -f ../awk_pkginfo $@.tmpl > $@
+
+prototype:  prototype_com prototype_$(MACH)
+	cat prototype_$(MACH) |  sed -e \
+'/^!include[    ][  ]*prototype_com/ r ./prototype_com' \
+-e 's/^!include[    ][  ]*prototype_com//g' \
+ | sed $(sed_proto64) >prototype
+
+pkg: $(PKGARCHIVE) prototype
+	pkgmk -f prototype -d $(PKGARCHIVE) -r $(ROOT) -o $(PACKAGE)
+
+$(PKGARCHIVE):
+	[ -d $(PKGARCHIVE) ] || mkdir -p $(PKGARCHIVE)
+
+$(DATAFILES):: %: ../common_files/%
+	$(RM) $@; cp ../common_files/$@ $@
+
+$(MACHDATAFILES): %: ../common_files/%_$(MACH)
+	$(RM) $@; cp ../common_files/$@_$(MACH) $@
+
+clobber clean::
+	-$(RM) $(CLOBBERFILES) $(CLEANFILES)
+
+.PHONY: pkg
diff --git a/security/nss/pkg/solaris/Makefile.com b/security/nss/pkg/solaris/Makefile.com
new file mode 100644
index 000000000..0478ac1e3
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile.com
@@ -0,0 +1,71 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+MACH = $(shell mach)
+
+PUBLISH_ROOT = $(DIST)
+ifeq ($(CORE_DEPTH),../../..)
+ROOT = ROOT
+else
+ROOT = $(subst ../../../,,$(CORE_DEPTH))/ROOT
+endif
+
+PKGARCHIVE = $(PUBLISH_ROOT)/pkgarchive
+DATAFILES = copyright
+FILES = $(DATAFILES) pkginfo prototype
+
+PACKAGE = $(shell basename `pwd`)
+
+PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/../dist/public/nss/nss.h \
+	| head -1 \
+	| sed -e 's/[^"]*"//' -e 's/".*//' -e 's/ .*//')
+
+LN = /usr/bin/ln
+CP = /usr/bin/cp
+
+CLOBBERFILES = $(FILES)
+
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# vim: ft=make
diff --git a/security/nss/pkg/solaris/Makefile.targ b/security/nss/pkg/solaris/Makefile.targ
new file mode 100644
index 000000000..ed3956e85
--- /dev/null
+++ b/security/nss/pkg/solaris/Makefile.targ
@@ -0,0 +1,70 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+include ../proto64.mk
+
+pkginfo: pkginfo.tmpl ../awk_pkginfo
+	$(RM) $@; nawk -f ../awk_pkginfo $@.tmpl > $@
+
+prototype:  prototype_com prototype_$(MACH)
+	cat prototype_$(MACH) |  sed -e \
+'/^!include[    ][  ]*prototype_com/ r ./prototype_com' \
+-e 's/^!include[    ][  ]*prototype_com//g' \
+ | sed $(sed_proto64) >prototype
+
+pkg: $(PKGARCHIVE) prototype
+	pkgmk -f prototype -d $(PKGARCHIVE) -r $(ROOT) -o $(PACKAGE)
+
+$(PKGARCHIVE):
+	[ -d $(PKGARCHIVE) ] || mkdir -p $(PKGARCHIVE)
+
+$(DATAFILES):: %: ../common_files/%
+	$(RM) $@; cp ../common_files/$@ $@
+
+$(MACHDATAFILES): %: ../common_files/%_$(MACH)
+	$(RM) $@; cp ../common_files/$@_$(MACH) $@
+
+clobber clean::
+	-$(RM) $(CLOBBERFILES) $(CLEANFILES)
+
+.PHONY: pkg
diff --git a/security/nss/pkg/solaris/SUNWtls/Makefile b/security/nss/pkg/solaris/SUNWtls/Makefile
new file mode 100644
index 000000000..4922061ae
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/Makefile
@@ -0,0 +1,52 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+CORE_DEPTH = ../../../..
+include ../Makefile.com
+
+DATAFILES +=
+
+all:: $(FILES)
+publish:: all pkg
+
+include ../Makefile.targ
diff --git a/security/nss/pkg/solaris/SUNWtls/pkgdepend b/security/nss/pkg/solaris/SUNWtls/pkgdepend
new file mode 100644
index 000000000..5a157a17f
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/pkgdepend
@@ -0,0 +1,64 @@
+# Copyright 2005 Microsystems, Inc.  All Rights Reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#	$Id$
+#
+# This package information file defines software dependencies associated
+# with the pkg.  You can define three types of pkg dependencies with this file:
+#	 P indicates a prerequisite for installation
+#	 I indicates an incompatible package
+#	 R indicates a reverse dependency
+# <pkg.abbr> see pkginfo(4), PKG parameter
+# <name> see pkginfo(4), NAME parameter
+# <version> see pkginfo(4), VERSION parameter
+# <arch> see pkginfo(4), ARCH parameter
+# <type> <pkg.abbr> <name>
+# 	(<arch>)<version>
+# 	(<arch>)<version>
+# 	...
+# <type> <pkg.abbr> <name>
+# ...
+
+P SUNWcar	Core Architecture, (Root)
+P SUNWkvm	Core Architecture, (Kvm)
+P SUNWcsr	Core Solaris, (Root)
+P SUNWcsu	Core Solaris, (Usr)
+P SUNWcsd	Core Solaris Devices
+P SUNWcsl	Core Solaris Libraries
+P SUNWpr	Netscape Portable Runtime
diff --git a/security/nss/pkg/solaris/SUNWtls/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtls/pkginfo.tmpl
new file mode 100644
index 000000000..019fd9e3c
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/pkginfo.tmpl
@@ -0,0 +1,70 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+#
+# This required package information file describes characteristics of the
+# package, such as package abbreviation, full package name, package version,
+# and package architecture.
+#
+PKG="SUNWtls"
+NAME="Network Security Services"
+ARCH="ISA"
+VERSION="NSSVERS,REV=0.0.0"
+SUNW_PRODNAME="Network Security Services"
+SUNW_PRODVERS="RELEASE/VERSION"
+SUNW_PKGTYPE="usr"
+MAXINST="1000"
+CATEGORY="system"
+DESC="Network Security Services"
+VENDOR="Sun Microsystems, Inc."
+HOTLINE="Please contact your local service provider"
+EMAIL=""
+CLASSES="none"
+BASEDIR=/
+SUNW_PKGVERS="1.0"
+#VSTOCK="<reserved by Release Engineering for package part #>"
+#ISTATES="<developer defined>"
+#RSTATES='<developer defined>'
+#ULIMIT="<developer defined>"
+#ORDER="<developer defined>"
+#PSTAMP="<developer defined>"
+#INTONLY="<developer defined>"
diff --git a/security/nss/pkg/solaris/SUNWtls/prototype_com b/security/nss/pkg/solaris/SUNWtls/prototype_com
new file mode 100644
index 000000000..eed814f8e
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/prototype_com
@@ -0,0 +1,77 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>	# where to find pkg objects
+#!include <filename>			# include another 'prototype' file
+#!default <mode> <owner> <group>	# default used if not specified on entry
+#!<param>=<value>			# puts parameter in pkg environment
+
+# packaging files
+i copyright
+i pkginfo
+i depend=pkgdepend
+#
+# source locations relative to the prototype file
+#
+# SUNWtls
+#
+d none usr 755 root sys
+d none usr/lib 755 root bin
+d none usr/lib/mps 755 root bin
+d none usr/lib/mps/secv1 755 root bin
+f none usr/lib/mps/libnss3.so 755 root bin
+f none usr/lib/mps/libsmime3.so 755 root bin
+f none usr/lib/mps/libssl3.so 755 root bin
+f none usr/lib/mps/libnssckbi.so 755 root bin
+f none usr/lib/mps/libsoftokn3.chk 755 root bin
+f none usr/lib/mps/libsoftokn3.so 755 root bin
+s none usr/lib/mps/secv1/libnss3.so=../libnss3.so
+s none usr/lib/mps/secv1/libsmime3.so=../libsmime3.so
+s none usr/lib/mps/secv1/libssl3.so=../libssl3.so
+s none usr/lib/mps/secv1/libnssckbi.so=../libnssckbi.so
+s none usr/lib/mps/secv1/libsoftokn3.chk=../libsoftokn3.chk
+s none usr/lib/mps/secv1/libsoftokn3.so=../libsoftokn3.so
diff --git a/security/nss/pkg/solaris/SUNWtls/prototype_i386 b/security/nss/pkg/solaris/SUNWtls/prototype_i386
new file mode 100644
index 000000000..0b55f3009
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/prototype_i386
@@ -0,0 +1,90 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>	# where to find pkg objects
+#!include <filename>			# include another 'prototype' file
+#!default <mode> <owner> <group>	# default used if not specified on entry
+#!<param>=<value>			# puts parameter in pkg environment
+
+#
+# Include ISA independent files (prototype_com)
+#
+!include prototype_com
+#
+#
+#
+# List files which are i386 specific here
+#
+# source locations relative to the prototype file
+#
+#
+# SUNWtls
+#
+f none usr/lib/mps/libfreebl3.chk 755 root bin
+f none usr/lib/mps/libfreebl3.so 755 root bin
+s none usr/lib/mps/secv1/libfreebl3.chk=../libfreebl3.chk
+s none usr/lib/mps/secv1/libfreebl3.so=../libfreebl3.so
+#64#s none usr/lib/mps/64=amd64
+#64#s none usr/lib/mps/secv1/64=amd64
+#64#d none usr/lib/mps/amd64 755 root bin
+#64#d none usr/lib/mps/secv1/amd64 755 root bin
+#64#f none usr/lib/mps/amd64/libnss3.so 755 root bin
+#64#f none usr/lib/mps/amd64/libsmime3.so 755 root bin
+#64#f none usr/lib/mps/amd64/libssl3.so 755 root bin
+#64#f none usr/lib/mps/amd64/libnssckbi.so 755 root bin
+#64#f none usr/lib/mps/amd64/libsoftokn3.chk 755 root bin
+#64#f none usr/lib/mps/amd64/libsoftokn3.so 755 root bin
+#64#f none usr/lib/mps/amd64/libfreebl3.chk 755 root bin
+#64#f none usr/lib/mps/amd64/libfreebl3.so 755 root bin
+#64#s none usr/lib/mps/secv1/amd64/libnss3.so=../../amd64/libnss3.so
+#64#s none usr/lib/mps/secv1/amd64/libsmime3.so=../../amd64/libsmime3.so
+#64#s none usr/lib/mps/secv1/amd64/libssl3.so=../../amd64/libssl3.so
+#64#s none usr/lib/mps/secv1/amd64/libnssckbi.so=../../amd64/libnssckbi.so
+#64#s none usr/lib/mps/secv1/amd64/libsoftokn3.chk=../../amd64/libsoftokn3.chk
+#64#s none usr/lib/mps/secv1/amd64/libsoftokn3.so=../../amd64/libsoftokn3.so
+#64#s none usr/lib/mps/secv1/amd64/libfreebl3.chk=../../amd64/libfreebl3.chk
+#64#s none usr/lib/mps/secv1/amd64/libfreebl3.so=../../amd64/libfreebl3.so
diff --git a/security/nss/pkg/solaris/SUNWtls/prototype_sparc b/security/nss/pkg/solaris/SUNWtls/prototype_sparc
new file mode 100644
index 000000000..e7b487ac0
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtls/prototype_sparc
@@ -0,0 +1,103 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>	# where to find pkg objects
+#!include <filename>			# include another 'prototype' file
+#!default <mode> <owner> <group>	# default used if not specified on entry
+#!<param>=<value>			# puts parameter in pkg environment
+
+#
+# Include ISA independent files (prototype_com)
+#
+!include prototype_com
+#
+#
+#
+# List files which are SPARC specific here
+#
+# source locations relative to the prototype file
+#
+#
+# SUNWtls
+#
+f none usr/lib/mps/libfreebl_32fpu_3.chk 755 root bin
+f none usr/lib/mps/libfreebl_32fpu_3.so 755 root bin
+f none usr/lib/mps/libfreebl_32int64_3.chk 755 root bin
+f none usr/lib/mps/libfreebl_32int64_3.so 755 root bin
+f none usr/lib/mps/libfreebl_32int_3.chk 755 root bin
+f none usr/lib/mps/libfreebl_32int_3.so 755 root bin
+s none usr/lib/mps/secv1/libfreebl_32fpu_3.chk=../libfreebl_32fpu_3.chk
+s none usr/lib/mps/secv1/libfreebl_32fpu_3.so=../libfreebl_32fpu_3.so
+s none usr/lib/mps/secv1/libfreebl_32int64_3.chk=../libfreebl_32int64_3.chk
+s none usr/lib/mps/secv1/libfreebl_32int64_3.so=../libfreebl_32int64_3.so
+s none usr/lib/mps/secv1/libfreebl_32int_3.chk=../libfreebl_32int_3.chk
+s none usr/lib/mps/secv1/libfreebl_32int_3.so=../libfreebl_32int_3.so
+#64#s none usr/lib/mps/64=sparcv9
+#64#s none usr/lib/mps/secv1/64=sparcv9
+#64#d none usr/lib/mps/sparcv9 755 root bin
+#64#d none usr/lib/mps/secv1/sparcv9 755 root bin
+#64#f none usr/lib/mps/sparcv9/libnss3.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libsmime3.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libssl3.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libnssckbi.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libsoftokn3.chk 755 root bin
+#64#f none usr/lib/mps/sparcv9/libsoftokn3.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libfreebl_64fpu_3.chk 755 root bin
+#64#f none usr/lib/mps/sparcv9/libfreebl_64fpu_3.so 755 root bin
+#64#f none usr/lib/mps/sparcv9/libfreebl_64int_3.chk 755 root bin
+#64#f none usr/lib/mps/sparcv9/libfreebl_64int_3.so 755 root bin
+#64#s none usr/lib/mps/secv1/sparcv9/libnss3.so=../../sparcv9/libnss3.so
+#64#s none usr/lib/mps/secv1/sparcv9/libsmime3.so=../../sparcv9/libsmime3.so
+#64#s none usr/lib/mps/secv1/sparcv9/libssl3.so=../../sparcv9/libssl3.so
+#64#s none usr/lib/mps/secv1/sparcv9/libnssckbi.so=../../sparcv9/libnssckbi.so
+#64#s none usr/lib/mps/secv1/sparcv9/libsoftokn3.chk=../../sparcv9/libsoftokn3.chk
+#64#s none usr/lib/mps/secv1/sparcv9/libsoftokn3.so=../../sparcv9/libsoftokn3.so
+#64#s none usr/lib/mps/secv1/sparcv9/libfreebl_64fpu_3.chk=../../sparcv9/libfreebl_64fpu_3.chk
+#64#s none usr/lib/mps/secv1/sparcv9/libfreebl_64fpu_3.so=../../sparcv9/libfreebl_64fpu_3.so
+#64#s none usr/lib/mps/secv1/sparcv9/libfreebl_64int_3.chk=../../sparcv9/libfreebl_64int_3.chk
+#64#s none usr/lib/mps/secv1/sparcv9/libfreebl_64int_3.so=../../sparcv9/libfreebl_64int_3.so
+
diff --git a/security/nss/pkg/solaris/SUNWtlsd/Makefile b/security/nss/pkg/solaris/SUNWtlsd/Makefile
new file mode 100755
index 000000000..d95411771
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsd/Makefile
@@ -0,0 +1,52 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+CORE_DEPTH = ../../../..
+include ../Makefile-devl.com
+
+DATAFILES +=
+
+all:: $(FILES)
+publish:: all pkg
+
+include ../Makefile-devl.targ
diff --git a/security/nss/pkg/solaris/SUNWtlsd/pkgdepend b/security/nss/pkg/solaris/SUNWtlsd/pkgdepend
new file mode 100755
index 000000000..129a16b07
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsd/pkgdepend
@@ -0,0 +1,59 @@
+# Copyright 2005 Microsystems, Inc.  All Rights Reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#	$Id$
+#
+# This package information file defines software dependencies associated
+# with the pkg.  You can define three types of pkg dependencies with this file:
+#	 P indicates a prerequisite for installation
+#	 I indicates an incompatible package
+#	 R indicates a reverse dependency
+# <pkg.abbr> see pkginfo(4), PKG parameter
+# <name> see pkginfo(4), NAME parameter
+# <version> see pkginfo(4), VERSION parameter
+# <arch> see pkginfo(4), ARCH parameter
+# <type> <pkg.abbr> <name>
+# 	(<arch>)<version>
+# 	(<arch>)<version>
+# 	...
+# <type> <pkg.abbr> <name>
+# ...
+
+P SUNWprd	Netscape Portable Runtime Development 
+P SUNWtls	Netscape Security Services 
diff --git a/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl
new file mode 100755
index 000000000..077730ab8
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl
@@ -0,0 +1,70 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+#
+# This required package information file describes characteristics of the
+# package, such as package abbreviation, full package name, package version,
+# and package architecture.
+#
+PKG="SUNWtlsd"
+NAME="Network Security Services Development"
+ARCH="ISA"
+VERSION="NSSVERS,REV=0.0.0"
+SUNW_PRODNAME="Network Security Services Development"
+SUNW_PRODVERS="RELEASE/VERSION"
+SUNW_PKGTYPE="usr"
+MAXINST="1000"
+CATEGORY="system"
+DESC="Network Security Services Files for Development"
+VENDOR="Sun Microsystems, Inc."
+HOTLINE="Please contact your local service provider"
+EMAIL=""
+CLASSES="none"
+BASEDIR=/
+SUNW_PKGVERS="1.0"
+#VSTOCK="<reserved by Release Engineering for package part #>"
+#ISTATES="<developer defined>"
+#RSTATES='<developer defined>'
+#ULIMIT="<developer defined>"
+#ORDER="<developer defined>"
+#PSTAMP="<developer defined>"
+#INTONLY="<developer defined>"
diff --git a/security/nss/pkg/solaris/SUNWtlsd/prototype b/security/nss/pkg/solaris/SUNWtlsd/prototype
new file mode 100755
index 000000000..502d448ca
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsd/prototype
@@ -0,0 +1,162 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>	# where to find pkg objects
+#!include <filename>			# include another 'prototype' file
+#!default <mode> <owner> <group>	# default used if not specified on entry
+#!<param>=<value>			# puts parameter in pkg environment
+
+# packaging files
+i copyright
+i pkginfo
+i depend=pkgdepend
+#
+# source locations relative to the prototype file
+#
+# SUNWtlsd
+#
+d none usr 0755 root sys
+d none usr/include 0755 root bin
+d none usr/include/mps 0755 root bin
+f none usr/include/mps/base64.h 0644 root bin
+#f none usr/include/mps/blapi.h 0644 root bin
+f none usr/include/mps/blapit.h 0644 root bin
+f none usr/include/mps/cert.h 0644 root bin
+f none usr/include/mps/certdb.h 0644 root bin
+f none usr/include/mps/certt.h 0644 root bin
+f none usr/include/mps/ciferfam.h 0644 root bin
+f none usr/include/mps/cmmf.h 0644 root bin
+f none usr/include/mps/cmmft.h 0644 root bin
+f none usr/include/mps/cms.h 0644 root bin
+f none usr/include/mps/cmsreclist.h 0644 root bin
+f none usr/include/mps/cmst.h 0644 root bin
+f none usr/include/mps/crmf.h 0644 root bin
+f none usr/include/mps/crmft.h 0644 root bin
+f none usr/include/mps/cryptohi.h 0644 root bin
+f none usr/include/mps/cryptoht.h 0644 root bin
+f none usr/include/mps/ecl-exp.h 0644 root bin
+f none usr/include/mps/hasht.h 0644 root bin
+f none usr/include/mps/jar-ds.h 0644 root bin
+f none usr/include/mps/jar.h 0644 root bin
+f none usr/include/mps/jarfile.h 0644 root bin
+f none usr/include/mps/key.h 0644 root bin
+#f none usr/include/mps/keydbt.h 0644 root bin
+f none usr/include/mps/keyhi.h 0644 root bin
+#f none usr/include/mps/keylow.h 0644 root bin
+f none usr/include/mps/keyt.h 0644 root bin
+#f none usr/include/mps/keytboth.h 0644 root bin
+f none usr/include/mps/keythi.h 0644 root bin
+#f none usr/include/mps/keytlow.h 0644 root bin
+f none usr/include/mps/nss.h 0644 root bin
+f none usr/include/mps/nssb64.h 0644 root bin
+f none usr/include/mps/nssb64t.h 0644 root bin
+f none usr/include/mps/nssbase.h 0644 root bin
+f none usr/include/mps/nssbaset.h 0644 root bin
+f none usr/include/mps/nssckepv.h 0644 root bin
+f none usr/include/mps/nssckbi.h 0644 root bin
+f none usr/include/mps/nssckft.h 0644 root bin
+f none usr/include/mps/nssckfw.h 0644 root bin
+f none usr/include/mps/nssckfwc.h 0644 root bin
+f none usr/include/mps/nssckfwt.h 0644 root bin
+f none usr/include/mps/nssckg.h 0644 root bin
+f none usr/include/mps/nssckmdt.h 0644 root bin
+#f none usr/include/mps/nssckp.h 0644 root bin
+f none usr/include/mps/nssckt.h 0644 root bin
+#f none usr/include/mps/nsscku.h 0644 root bin
+f none usr/include/mps/nssilckt.h 0644 root bin
+f none usr/include/mps/nssilock.h 0644 root bin
+f none usr/include/mps/nsslocks.h 0644 root bin
+f none usr/include/mps/nssrwlk.h 0644 root bin
+f none usr/include/mps/nssrwlkt.h 0644 root bin
+f none usr/include/mps/ocsp.h 0644 root bin
+f none usr/include/mps/ocspt.h 0644 root bin
+f none usr/include/mps/p12.h 0644 root bin
+f none usr/include/mps/p12plcy.h 0644 root bin
+f none usr/include/mps/p12t.h 0644 root bin
+f none usr/include/mps/pk11func.h 0644 root bin
+f none usr/include/mps/pk11pqg.h 0644 root bin
+f none usr/include/mps/pk11sdr.h 0644 root bin
+f none usr/include/mps/pk11priv.h 0644 root bin
+f none usr/include/mps/pk11pub.h 0644 root bin
+f none usr/include/mps/pkcs11.h 0644 root bin
+f none usr/include/mps/pkcs11f.h 0644 root bin
+f none usr/include/mps/pkcs11p.h 0644 root bin
+f none usr/include/mps/pkcs11t.h 0644 root bin
+f none usr/include/mps/pkcs11u.h 0644 root bin
+f none usr/include/mps/pkcs11n.h 0644 root bin
+f none usr/include/mps/pkcs12.h 0644 root bin
+f none usr/include/mps/pkcs12t.h 0644 root bin
+f none usr/include/mps/pkcs7t.h 0644 root bin
+f none usr/include/mps/portreg.h 0644 root bin
+f none usr/include/mps/preenc.h 0644 root bin
+f none usr/include/mps/secasn1.h 0644 root bin
+f none usr/include/mps/secasn1t.h 0644 root bin
+f none usr/include/mps/seccomon.h 0644 root bin
+f none usr/include/mps/secder.h 0644 root bin
+f none usr/include/mps/secdert.h 0644 root bin
+f none usr/include/mps/secdig.h 0644 root bin
+f none usr/include/mps/secdigt.h 0644 root bin
+f none usr/include/mps/secerr.h 0644 root bin
+f none usr/include/mps/sechash.h 0644 root bin
+f none usr/include/mps/secitem.h 0644 root bin
+f none usr/include/mps/secmime.h 0644 root bin
+f none usr/include/mps/secmod.h 0644 root bin
+f none usr/include/mps/secmodt.h 0644 root bin
+f none usr/include/mps/secoid.h 0644 root bin
+f none usr/include/mps/secoidt.h 0644 root bin
+f none usr/include/mps/secpkcs5.h 0644 root bin
+f none usr/include/mps/secpkcs7.h 0644 root bin
+f none usr/include/mps/secport.h 0644 root bin
+#f none usr/include/mps/secrng.h 0644 root bin
+#f none usr/include/mps/secrngt.h 0644 root bin
+f none usr/include/mps/shsign.h 0644 root bin
+f none usr/include/mps/smime.h 0644 root bin
+f none usr/include/mps/ssl.h 0644 root bin
+f none usr/include/mps/sslerr.h 0644 root bin
+f none usr/include/mps/sslproto.h 0644 root bin
+f none usr/include/mps/sslt.h 0644 root bin
+f none usr/include/mps/watcomfx.h 0644 root bin
diff --git a/security/nss/pkg/solaris/SUNWtlsu/Makefile b/security/nss/pkg/solaris/SUNWtlsu/Makefile
new file mode 100755
index 000000000..42c166bd2
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/Makefile
@@ -0,0 +1,52 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+
+CORE_DEPTH = ../../../..
+include ../Makefile-tlsu.com
+
+DATAFILES +=
+
+all:: $(FILES)
+publish:: all pkg
+
+include ../Makefile-tlsu.targ
diff --git a/security/nss/pkg/solaris/SUNWtlsu/pkgdepend b/security/nss/pkg/solaris/SUNWtlsu/pkgdepend
new file mode 100755
index 000000000..7d2fd9582
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/pkgdepend
@@ -0,0 +1,58 @@
+# Copyright 2005 Microsystems, Inc.  All Rights Reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#	$Id$
+#
+# This package information file defines software dependencies associated
+# with the pkg.  You can define three types of pkg dependencies with this file:
+#	 P indicates a prerequisite for installation
+#	 I indicates an incompatible package
+#	 R indicates a reverse dependency
+# <pkg.abbr> see pkginfo(4), PKG parameter
+# <name> see pkginfo(4), NAME parameter
+# <version> see pkginfo(4), VERSION parameter
+# <arch> see pkginfo(4), ARCH parameter
+# <type> <pkg.abbr> <name>
+# 	(<arch>)<version>
+# 	(<arch>)<version>
+# 	...
+# <type> <pkg.abbr> <name>
+# ...
+
+P SUNWtls	Netscape Security Services 
diff --git a/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl
new file mode 100755
index 000000000..d8b434482
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl
@@ -0,0 +1,70 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+#
+# This required package information file describes characteristics of the
+# package, such as package abbreviation, full package name, package version,
+# and package architecture.
+#
+PKG="SUNWtlsu"
+NAME="Network Security Services Utilities"
+ARCH="ISA"
+VERSION="NSSVERS,REV=0.0.0"
+SUNW_PRODNAME="Network Security Services Utilities"
+SUNW_PRODVERS="RELEASE/VERSION"
+SUNW_PKGTYPE="usr"
+MAXINST="1000"
+CATEGORY="system"
+DESC="Network Security Services Utilities Programs"
+VENDOR="Sun Microsystems, Inc."
+HOTLINE="Please contact your local service provider"
+EMAIL=""
+CLASSES="none"
+BASEDIR=/
+SUNW_PKGVERS="1.0"
+#VSTOCK="<reserved by Release Engineering for package part #>"
+#ISTATES="<developer defined>"
+#RSTATES='<developer defined>'
+#ULIMIT="<developer defined>"
+#ORDER="<developer defined>"
+#PSTAMP="<developer defined>"
+#INTONLY="<developer defined>"
diff --git a/security/nss/pkg/solaris/SUNWtlsu/prototype_com b/security/nss/pkg/solaris/SUNWtlsu/prototype_com
new file mode 100755
index 000000000..72bbd7ed2
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/prototype_com
@@ -0,0 +1,73 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>	# where to find pkg objects
+#!include <filename>			# include another 'prototype' file
+#!default <mode> <owner> <group>	# default used if not specified on entry
+#!<param>=<value>			# puts parameter in pkg environment
+
+# packaging files
+i copyright
+i pkginfo
+i depend=pkgdepend
+#
+# source locations relative to the prototype file
+#
+# SUNWtlsu
+#
+d none usr 0755 root sys
+d none usr/sfw 0755 root bin
+d none usr/sfw/bin 0755 root bin
+f none usr/sfw/bin/certutil 0755 root bin
+f none usr/sfw/bin/crlutil 0755 root bin
+f none usr/sfw/bin/cmsutil 0755 root bin
+f none usr/sfw/bin/modutil 0755 root bin
+f none usr/sfw/bin/pk12util 0755 root bin
+f none usr/sfw/bin/signtool 0755 root bin
+f none usr/sfw/bin/signver 0755 root bin
+f none usr/sfw/bin/ssltap 0755 root bin
+f none usr/sfw/bin/addbuiltin 0755 root bin
diff --git a/security/nss/pkg/solaris/SUNWtlsu/prototype_i386 b/security/nss/pkg/solaris/SUNWtlsu/prototype_i386
new file mode 100644
index 000000000..b684849bb
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/prototype_i386
@@ -0,0 +1,78 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident  "$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>        # where to find pkg objects
+#!include <filename>                    # include another 'prototype' file
+#!default <mode> <owner> <group>        # default used if not specified on entry
+#!<param>=<value>                       # puts parameter in pkg environment
+
+#
+# Include ISA independent files (prototype_com)
+#
+!include prototype_com
+#
+#
+#
+# List files which are i386 specific here
+#
+# source locations relative to the prototype file
+#
+#
+# SUNWtlsu
+#
+#64#s none usr/sfw/bin/64=amd64
+#64#d none usr/sfw/bin/amd64 0755 root bin
+#64#f none usr/sfw/bin/amd64/certutil 0755 root bin
+#64#f none usr/sfw/bin/amd64/crlutil 0755 root bin
+#64#f none usr/sfw/bin/amd64/cmsutil 0755 root bin
+#64#f none usr/sfw/bin/amd64/modutil 0755 root bin
+#64#f none usr/sfw/bin/amd64/pk12util 0755 root bin
+#64#f none usr/sfw/bin/amd64/signtool 0755 root bin
+#64#f none usr/sfw/bin/amd64/signver 0755 root bin
+#64#f none usr/sfw/bin/amd64/ssltap 0755 root bin
+#64#f none usr/sfw/bin/amd64/addbuiltin 0755 root bin
+
diff --git a/security/nss/pkg/solaris/SUNWtlsu/prototype_sparc b/security/nss/pkg/solaris/SUNWtlsu/prototype_sparc
new file mode 100644
index 000000000..99c244d82
--- /dev/null
+++ b/security/nss/pkg/solaris/SUNWtlsu/prototype_sparc
@@ -0,0 +1,78 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident  "$Id$"
+#
+# This required package information file contains a list of package contents.
+# The 'pkgmk' command uses this file to identify the contents of a package
+# and their location on the development machine when building the package.
+# Can be created via a text editor or through use of the 'pkgproto' command.
+
+#!search <pathname pathname ...>        # where to find pkg objects
+#!include <filename>                    # include another 'prototype' file
+#!default <mode> <owner> <group>        # default used if not specified on entry
+#!<param>=<value>                       # puts parameter in pkg environment
+
+#
+# Include ISA independent files (prototype_com)
+#
+!include prototype_com
+#
+#
+#
+# List files which are SPARC specific here
+#
+# source locations relative to the prototype file
+#
+#
+# SUNWtlsu
+#
+#64#s none usr/sfw/bin/64=sparcv9
+#64#d none usr/sfw/bin/sparcv9 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/certutil 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/crlutil 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/cmsutil 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/modutil 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/pk12util 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/signtool 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/signver 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/ssltap 0755 root bin
+#64#f none usr/sfw/bin/sparcv9/addbuiltin 0755 root bin
+
diff --git a/security/nss/pkg/solaris/bld_awk_pkginfo.ksh b/security/nss/pkg/solaris/bld_awk_pkginfo.ksh
new file mode 100644
index 000000000..fff09df26
--- /dev/null
+++ b/security/nss/pkg/solaris/bld_awk_pkginfo.ksh
@@ -0,0 +1,141 @@
+#!/usr/bin/ksh -p
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident	"$Id$"
+#
+# Simple script which builds the awk_pkginfo awk script.  This awk script
+# is used to convert the pkginfo.tmpl files into pkginfo files
+# for the build.
+#
+
+usage()
+{
+   cat <<-EOF
+usage: bld_awk_pkginfo -p <prodver> -m <mach> -o <awk_script> [-v <version>]
+EOF
+}
+
+#
+# Awk strings
+#
+# two VERSION patterns: one for Dewey decimal, one for Dewey plus ,REV=n
+# the first has one '=' the second has two or more '='
+#
+VERSION1="VERSION=[^=]*$"
+VERSION2="VERSION=[^=]*=.*$"
+PRODVERS="^SUNW_PRODVERS="
+ARCH='ARCH=\"ISA\"'
+
+#
+# parse command line
+#
+mach=""
+prodver=""
+awk_script=""
+version="NSSVERS"
+
+while getopts o:p:m:v: c
+do
+   case $c in
+   o)
+      awk_script=$OPTARG
+      ;;
+   m)
+      mach=$OPTARG
+      ;;
+   p)
+      prodver=$OPTARG
+      ;;
+   v)
+      version=$OPTARG
+      ;;
+   \?)
+      usage
+      exit 1
+      ;;
+   esac
+done
+
+if [[ ( -z $prodver ) || ( -z $mach ) || ( -z $awk_script ) ]]
+then
+   usage
+   exit 1
+fi
+
+if [[ -f $awk_script ]]
+then
+	rm -f $awk_script
+fi
+
+#
+# Build REV= field based on date
+#
+rev=$(date "+%Y.%m.%d.%H.%M")
+
+#
+# Build awk script which will process all the
+# pkginfo.tmpl files.
+#
+# the first VERSION pattern is replaced with a leading quotation mark
+#
+rm -f $awk_script
+cat << EOF > $awk_script
+/$VERSION1/ {
+      sub(/\=[^=]*$/,"=\"$rev\"")
+      print
+      next
+   }
+/$VERSION2/ {
+      sub(/\=[^=]*$/,"=$rev\"")
+      sub(/NSSVERS/,"$version")
+      print
+      next
+   }
+/$PRODVERS/ { 
+      printf "SUNW_PRODVERS=\"%s\"\n", "$prodver" 
+      next
+   }
+/$ARCH/ {
+      printf "ARCH=\"%s\"\n", "$mach"
+      next
+   }
+{ print }
+EOF
diff --git a/security/nss/pkg/solaris/common_files/copyright b/security/nss/pkg/solaris/common_files/copyright
new file mode 100644
index 000000000..988939bb1
--- /dev/null
+++ b/security/nss/pkg/solaris/common_files/copyright
@@ -0,0 +1,38 @@
+Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+Use is subject to license terms.
+
+***** BEGIN LICENSE BLOCK *****
+Version: MPL 1.1/GPL 2.0/LGPL 2.1
+
+The contents of this package are subject to the Mozilla Public License Version
+1.1 (the "License"); you may not use this package except in compliance with
+the License. You may obtain a copy of the License at
+http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the
+License.
+
+The Original Code is the Netscape Portable Runtime (NSPR).
+
+The Initial Developer of the Original Code is
+Netscape Communications Corporation.
+Portions created by the Initial Developer are Copyright (C) 1998-2000
+the Initial Developer. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the terms of
+either the GNU General Public License Version 2 or later (the "GPL"), or
+the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+in which case the provisions of the GPL or the LGPL are applicable instead
+of those above. If you wish to allow use of your version of this file only
+under the terms of either the GPL or the LGPL, and not to allow others to
+use your version of this file under the terms of the MPL, indicate your
+decision by deleting the provisions above and replace them with the notice
+and other provisions required by the GPL or the LGPL. If you do not delete
+the provisions above, a recipient may use your version of this file under
+the terms of any one of the MPL, the GPL or the LGPL.
+
+***** END LICENSE BLOCK *****
diff --git a/security/nss/pkg/solaris/proto64.mk b/security/nss/pkg/solaris/proto64.mk
new file mode 100644
index 000000000..91d94b9d7
--- /dev/null
+++ b/security/nss/pkg/solaris/proto64.mk
@@ -0,0 +1,50 @@
+#
+# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+#ident  "$Id$"
+#
+
+ifeq ($(USE_64), 1)
+  # Remove 64 tag
+  sed_proto64='s/\#64\#//g'
+else
+  # Strip 64 lines
+  sed_proto64='/\#64\#/d'
+endif
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
new file mode 100755
index 000000000..288ecb9de
--- /dev/null
+++ b/security/nss/tests/all.sh
@@ -0,0 +1,362 @@
+#!/bin/bash
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/all.sh
+#
+# Script to start selected available NSS QA suites on one machine
+# this script is called or sourced by NSS QA which runs on all required 
+# platforms
+#
+# Needs to work on all Unix and Windows platforms
+#
+# Currently available NSS QA suites:
+# ----------------------------------
+#   cipher.sh    - tests NSS ciphers
+#   libpkix.sh   - tests PKIX functionality
+#   cert.sh      - exercises certutil and creates certs necessary for 
+#                  all other tests
+#   dbtests.sh   - tests related to certificate databases
+#   tools.sh     - tests the majority of the NSS tools
+#   fips.sh      - tests basic functionallity of NSS in FIPS-compliant 
+#                - mode
+#   sdr.sh       - tests NSS SDR
+#   crmf.sh      - CRMF/CMMF testing
+#   smime.sh     - S/MIME testing
+#   ssl.sh       - tests SSL V2 SSL V3 and TLS
+#   ocsp.sh      - OCSP testing
+#   merge.sh     - tests merging old and new shareable databases
+#   pkits.sh     - NIST/PKITS tests 
+#   dbupgrade.sh - upgrade databases to new shareable version (used
+#                  only in upgrade test cycle)
+#   memleak.sh   - memory leak testing (optional)
+#
+# NSS testing is now devided to 4 cycles:
+# ---------------------------------------
+#   standard     - run test suites with defaults settings
+#   pkix         - run test suites with PKIX enabled
+#   upgradedb    - upgrade existing certificate databases to shareable 
+#                  format (creates them if doesn't exist yet) and run 
+#                  test suites with those databases
+#   sharedb      - run test suites with shareable database format 
+#                  enabled (databases are created directly to this 
+#                  format)
+#
+# Mandatory environment variables (to be set before testing):
+# -----------------------------------------------------------
+#   HOST         - test machine host name
+#   DOMSUF       - test machine domain name
+#
+# Optional environment variables to specify build to use:
+# -------------------------------------------------------
+#   BUILT_OPT    - use optimized/debug build 
+#   USE_64       - use 64bit/32bit build
+#
+# Optional environment variables to enable specific NSS features:
+# ---------------------------------------------------------------
+#   NSS_ENABLE_ECC              - enable ECC
+#   NSS_ECC_MORE_THAN_SUITE_B   - enable extended ECC
+#
+# Optional environment variables to select which cycles/suites to test:
+# ---------------------------------------------------------------------
+#   NSS_CYCLES     - list of cycles to run (separated by space 
+#                    character)
+#                  - by default all cycles are tested
+#
+#   NSS_TESTS      - list of all test suites to run (separated by space
+#                    character, without trailing .sh) 
+#                  - this list can be reduced for individual test cycles
+#
+#   NSS_SSL_TESTS  - list of ssl tests to run (see ssl.sh)
+#   NSS_SSL_RUN    - list of sss sub-tests to run (see ssl.sh)
+#
+# Testing schema:
+# ---------------
+#                           all.sh                       ~  (main) 
+#                              |                               |
+#          +------------+------------+-----------+       ~  run_cycles
+#          |            |            |           |             |
+#      standard       pkix       upgradedb     sharedb   ~  run_cycle_*
+#                       |                                      |
+#                +------+------+------+----->            ~  run_tests
+#                |      |      |      |                        |
+#              cert   tools   fips   ssl   ...           ~  . *.sh
+#
+# Special strings:
+# ----------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# NOTE:
+# -----
+#   Unlike the old QA this is based on files sourcing each other
+#   This is done to save time, since a great portion of time is lost
+#   in calling and sourcing the same things multiple times over the
+#   network. Also, this way all scripts have all shell function 
+#   available and a completely common environment
+#
+########################################################################
+
+############################## run_tests ###############################
+# run test suites defined in TESTS variable, skip scripts defined in
+# TESTS_SKIP variable
+########################################################################
+run_tests()
+{
+    for TEST in ${TESTS}
+    do
+        echo "${TESTS_SKIP}" | grep "${TEST}" > /dev/null
+        if [ $? -eq 0 ]; then
+            continue
+        fi
+
+        SCRIPTNAME=${TEST}.sh
+        echo "Running tests for ${TEST}"
+        echo "TIMESTAMP ${TEST} BEGIN: `date`" 
+        (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)
+        echo "TIMESTAMP ${TEST} END: `date`"
+    done
+}
+
+########################## run_cycle_standard ##########################
+# run test suites with defaults settings (no PKIX, no sharedb)
+########################################################################
+run_cycle_standard()
+{
+    TEST_MODE=STANDARD
+
+    TESTS="${ALL_TESTS}"
+    TESTS_SKIP=
+
+    run_tests
+}
+
+############################ run_cycle_pkix ############################
+# run test suites with PKIX enabled
+########################################################################
+run_cycle_pkix()
+{
+    TEST_MODE=PKIX
+
+    TABLE_ARGS="bgcolor=cyan"
+    html_head "Testing with PKIX"
+    html "</TABLE><BR>"
+
+    HOSTDIR="${HOSTDIR}/pkix"
+    mkdir -p "${HOSTDIR}"
+    init_directories
+
+    NSS_ENABLE_PKIX_VERIFY="1"
+    export NSS_ENABLE_PKIX_VERIFY
+
+    TESTS="${ALL_TESTS}"
+    TESTS_SKIP="cipher dbtests sdr crmf smime merge"
+
+    echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
+    RET=$?
+    NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
+    [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+
+    run_tests
+}
+
+######################### run_cycle_upgrade_db #########################
+# upgrades certificate database to shareable format and run test suites
+# with those databases
+########################################################################
+run_cycle_upgrade_db()
+{
+    TEST_MODE=UPGRADE_DB
+
+    TABLE_ARGS="bgcolor=pink"
+    html_head "Testing with upgraded library"
+    html "</TABLE><BR>"
+
+    OLDHOSTDIR="${HOSTDIR}"
+    HOSTDIR="${HOSTDIR}/upgradedb"
+    mkdir -p "${HOSTDIR}"
+    init_directories
+
+    if [ -r "${OLDHOSTDIR}/cert.log" ]; then
+        DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA tools/copydir cert.log cert.done tests.*"
+        for i in $DIRS
+        do
+            cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
+        done
+    fi
+
+    # upgrade certs dbs to shared db 
+    TESTS="dbupgrade"
+    TESTS_SKIP=
+
+    run_tests
+
+    NSS_DEFAULT_DB_TYPE="sql"
+    export NSS_DEFAULT_DB_TYPE
+
+    # run the subset of tests with the upgraded database
+    TESTS="${ALL_TESTS}"
+    TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits"
+
+    echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
+    RET=$?
+    NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
+    [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+    NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
+
+    run_tests
+}
+
+########################## run_cycle_shared_db #########################
+# run test suites with certificate databases set to shareable format
+########################################################################
+run_cycle_shared_db()
+{
+    TEST_MODE=SHARED_DB
+
+    TABLE_ARGS="bgcolor=yellow"
+    html_head "Testing with shared library"
+    html "</TABLE><BR>"
+
+    HOSTDIR="${HOSTDIR}/sharedb"
+    mkdir -p "${HOSTDIR}"
+    init_directories
+
+    NSS_DEFAULT_DB_TYPE="sql"
+    export NSS_DEFAULT_DB_TYPE
+
+    # run the tests for native sharedb support
+    TESTS="${ALL_TESTS}"
+    TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
+
+    echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
+    RET=$?
+    NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/bypass//g" -e "s/fips//g" -e "s/_//g"`
+    [ ${RET} -eq 0 ] && NSS_SSL_TESTS="${NSS_SSL_TESTS} bypass_bypass"
+    NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
+
+    run_tests
+}
+
+############################# run_cycles ###############################
+# run test cycles defined in CYCLES variable
+########################################################################
+run_cycles()
+{
+    for CYCLE in ${CYCLES}
+    do
+        case "${CYCLE}" in 
+        "standard")
+            run_cycle_standard
+            ;;
+        "pkix")
+            run_cycle_pkix
+            ;;
+        "upgradedb")
+            run_cycle_upgrade_db
+            ;;
+        "sharedb")
+            run_cycle_shared_db
+            ;;
+        esac  
+        . ${ENV_BACKUP}
+    done
+}
+
+############################## main code ###############################
+
+cycles="standard pkix upgradedb sharedb"
+CYCLES=${NSS_CYCLES:-$cycles}
+
+tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits"
+TESTS=${NSS_TESTS:-$tests}
+
+# FIXME: move check for ${BUILD_LIBPKIX_TESTS} to libpkix.sh
+if [ -z "${BUILD_LIBPKIX_TESTS}" ] ; then
+    TESTS=`echo "${TESTS}" | sed -e "s/libpkix//"`
+fi
+ALL_TESTS=${TESTS}
+
+nss_ssl_tests="crl bypass_normal normal_bypass fips_normal normal_fips iopr"
+NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
+
+nss_ssl_run="cov auth stress"
+NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
+
+SCRIPTNAME=all.sh
+CLEANUP="${SCRIPTNAME}"
+cd `dirname $0`
+
+# all.sh should be the first one to try to source the init 
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+    cd common
+    . ./init.sh
+fi
+
+# NOTE:
+# Since in make at the top level, modutil is the last file
+# created, we check for modutil to know whether the build
+# is complete. If a new file is created after that, the 
+# following test for modutil should check for that instead.
+
+if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a  \
+     ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
+    echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+    html_head "Testing Initialization"
+    Exit "Checking for build"
+fi
+
+# NOTE:
+# Lists of enabled tests and other settings are stored to ${ENV_BACKUP}
+# file and are are restored after every test cycle.
+
+ENV_BACKUP=${HOSTDIR}/env.sh
+env_backup > ${ENV_BACKUP}
+
+if [ "${O_CRON}" = "ON" ]; then
+    run_cycles >> ${LOGFILE}
+else 
+    run_cycles | tee -a ${LOGFILE}
+fi
+
+SCRIPTNAME=all.sh
+
+. ${QADIR}/common/cleanup.sh
+
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
new file mode 100755
index 000000000..b033f1176
--- /dev/null
+++ b/security/nss/tests/cert/cert.sh
@@ -0,0 +1,1430 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/cert/rcert.sh
+#
+# Certificate generating and handeling for NSS QA, can be included 
+# multiple times from all.sh and the individual scripts
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+#   all.sh
+#   ssl.sh
+#   smime.sh
+#   tools.sh
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+############################## cert_init ###############################
+# local shell function to initialize this script
+########################################################################
+cert_init()
+{
+  SCRIPTNAME="cert.sh"
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  if [ -z "${INIT_SOURCED}" ] ; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ -z "${IOPR_CERT_SOURCED}" ]; then
+       . ../iopr/cert_iopr.sh
+  fi
+  SCRIPTNAME="cert.sh"
+  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      html_head "Certutil and Crlutil Tests with ECC"
+  else
+      html_head "Certutil and Crlutil Tests"
+  fi
+
+  LIBDIR="${DIST}/${OBJDIR}/lib"
+
+  ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
+  if [ ! "${ROOTCERTSFILE}" ] ; then
+      html_failed "Looking for root certs module." 
+      cert_log "ERROR: Root certs module not found."
+      Exit 5 "Fatal - Root certs module not found."
+  else
+      html_passed "Looking for root certs module."
+  fi
+
+  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+	ROOTCERTSFILE=`cygpath -m ${ROOTCERTSFILE}`
+  fi
+}
+
+cert_log() ######################    write the cert_status file
+{
+    echo "$SCRIPTNAME $*"
+    echo $* >>${CERT_LOG_FILE}
+}
+
+################################ certu #################################
+# local shell function to call certutil, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+########################################################################
+certu()
+{
+    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+    if [ -n "${CU_SUBJECT}" ]; then
+        #the subject of the cert contains blanks, and the shell 
+        #will strip the quotes off the string, if called otherwise...
+        echo "certutil -s \"${CU_SUBJECT}\" $*"
+        ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $*
+        RET=$?
+        CU_SUBJECT=""
+    else
+        echo "certutil $*"
+        ${PROFTOOL} ${BINDIR}/certutil $*
+        RET=$?
+    fi
+    if [ "$RET" -ne 0 ]; then
+        CERTFAILED=$RET
+        html_failed "${CU_ACTION} ($RET) " 
+        cert_log "ERROR: ${CU_ACTION} failed $RET"
+    else
+        html_passed "${CU_ACTION}"
+    fi
+
+    return $RET
+}
+
+################################ crlu #################################
+# local shell function to call crlutil, also: writes action and options to
+# stdout, sets variable RET and writes results to the html file results
+########################################################################
+crlu()
+{
+    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+    
+    CRLUTIL="crlutil -q"
+    echo "$CRLUTIL $*"
+    ${PROFTOOL} ${BINDIR}/$CRLUTIL $*
+    RET=$?
+    if [ "$RET" -ne 0 ]; then
+        CRLFAILED=$RET
+        html_failed "${CU_ACTION} ($RET) " 
+        cert_log "ERROR: ${CU_ACTION} failed $RET"
+    else
+        html_passed "${CU_ACTION}"
+    fi
+
+    return $RET
+}
+
+modu()
+{
+    echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+    MODUTIL="modutil"
+    echo "$MODUTIL $*"
+    # echo is used to press Enter expected by modutil
+    echo | ${BINDIR}/$MODUTIL $*
+    RET=$?
+    if [ "$RET" -ne 0 ]; then
+        MODFAILED=$RET
+        html_failed "${CU_ACTION} ($RET) " 
+        cert_log "ERROR: ${CU_ACTION} failed $RET"
+    else
+        html_passed "${CU_ACTION}"
+    fi
+
+    return $RET
+}
+
+############################# cert_init_cert ##########################
+# local shell function to initialize creation of client and server certs
+########################################################################
+cert_init_cert()
+{
+    CERTDIR="$1"
+    CERTNAME="$2"
+    CERTSERIAL="$3"
+    DOMAIN="$4"
+
+    if [ ! -d "${CERTDIR}" ]; then
+        mkdir -p "${CERTDIR}"
+    else
+        echo "$SCRIPTNAME: WARNING - ${CERTDIR} exists"
+    fi
+    cd "${CERTDIR}"
+    CERTDIR="."
+
+    PROFILEDIR=`cd ${CERTDIR}; pwd`
+    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+        PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+    fi
+    if [ -n "${MULTIACCESS_DBM}" ]; then
+	PROFILEDIR="multiaccess:${DOMAIN}"
+    fi
+
+    noise
+}
+
+############################# hw_acc #################################
+# local shell function to add hw accelerator modules to the db
+########################################################################
+hw_acc()
+{
+    HW_ACC_RET=0
+    HW_ACC_ERR=""
+    if [ -n "$O_HWACC" -a "$O_HWACC" = ON -a -z "$USE_64" ] ; then
+        echo "creating $CERTNAME s cert with hwaccelerator..."
+        #case $ACCELERATOR in
+        #rainbow)
+
+        echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so "
+        echo "         -dbdir ${PROFILEDIR} 2>&1 "
+        echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \
+            -dbdir ${PROFILEDIR} 2>&1 
+        if [ "$?" -ne 0 ]; then
+            echo "modutil -add rainbow failed in `pwd`"
+            HW_ACC_RET=1
+            HW_ACC_ERR="modutil -add rainbow"
+        fi
+    
+        echo "modutil -add ncipher "
+        echo "         -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so "
+        echo "         -dbdir ${PROFILEDIR} 2>&1 "
+        echo | ${BINDIR}/modutil -add ncipher \
+            -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \
+            -dbdir ${PROFILEDIR} 2>&1 
+        if [ "$?" -ne 0 ]; then
+            echo "modutil -add ncipher failed in `pwd`"
+            HW_ACC_RET=`expr $HW_ACC_RET + 2`
+            HW_ACC_ERR="$HW_ACC_ERR,modutil -add ncipher"
+        fi
+        if [ "$HW_ACC_RET" -ne 0 ]; then
+            html_failed "Adding HW accelerators to certDB for ${CERTNAME} ($HW_ACC_RET) " 
+        else
+            html_passed "Adding HW accelerators to certDB for ${CERTNAME}"
+        fi
+
+    fi
+    return $HW_ACC_RET
+}
+
+############################# cert_create_cert #########################
+# local shell function to create client certs 
+#     initialize DB, import
+#     root cert
+#     add cert to DB
+########################################################################
+cert_create_cert()
+{
+    cert_init_cert "$1" "$2" "$3" "$4"
+
+    CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
+    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB"
+    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1   
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    hw_acc
+
+    CU_ACTION="Import Root CA for $CERTNAME"
+    certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${R_CADIR}/root.cert" 2>&1
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    if [ -n "$NSS_ENABLE_ECC" ] ; then
+	CU_ACTION="Import EC Root CA for $CERTNAME"
+	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+	    -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+    fi
+
+    cert_add_cert "$5"
+    return $?
+}
+
+############################# cert_add_cert ############################
+# local shell function to add client certs to an existing CERT DB
+#     generate request
+#     sign request
+#     import Cert
+#
+########################################################################
+cert_add_cert()
+{
+    CU_ACTION="Generate Cert Request for $CERTNAME"
+    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    CU_ACTION="Sign ${CERTNAME}'s Request"
+    certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+          -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    CU_ACTION="Import $CERTNAME's Cert"
+    certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+          -i "${CERTNAME}.cert" 2>&1
+    if [ "$RET" -ne 0 ]; then
+        return $RET
+    fi
+
+    cert_log "SUCCESS: $CERTNAME's Cert Created"
+
+#
+#   Generate and add EC cert
+#
+    if [ -n "$NSS_ENABLE_ECC" ] ; then
+	CURVE="secp384r1"
+	CU_ACTION="Generate EC Cert Request for $CERTNAME"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+	    -z "${R_NOISE_FILE}" -o req  2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+
+	CU_ACTION="Sign ${CERTNAME}'s EC Request"
+	certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+            -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+
+	CU_ACTION="Import $CERTNAME's EC Cert"
+	certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+	    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+	cert_log "SUCCESS: $CERTNAME's EC Cert Created"
+
+#    Generate EC certificate signed with RSA
+	CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+	    -z "${R_NOISE_FILE}" -o req  2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+
+	CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
+# Avoid conflicting serial numbers with TestCA issuer by keeping
+# this set far away. A smaller number risks colliding with the
+# extended ssl user certificates.
+	NEWSERIAL=`expr ${CERTSERIAL} + 10000`
+        certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+            -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" "$1" 2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+
+	CU_ACTION="Import $CERTNAME's mixed EC Cert"
+	certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+	    -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+	if [ "$RET" -ne 0 ]; then
+            return $RET
+	fi
+	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
+    fi
+
+    return 0
+}
+
+################################# cert_all_CA ################################
+# local shell function to build the additional Temp. Certificate Authority (CA)
+# used for the "real life" ssl test with 2 different CA's in the
+# client and in teh server's dir
+##########################################################################
+cert_all_CA()
+{
+    echo nss > ${PWFILE}
+
+    ALL_CU_SUBJECT="CN=NSS Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    cert_CA $CADIR TestCA -x "CTu,CTu,CTu" ${D_CA} "1"
+
+    ALL_CU_SUBJECT="CN=NSS Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+    cert_CA $SERVER_CADIR serverCA -x "Cu,Cu,Cu" ${D_SERVER_CA} "2"
+    ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+    cert_CA $SERVER_CADIR chain-1-serverCA "-c serverCA" "u,u,u" ${D_SERVER_CA} "3"
+    ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
+    cert_CA $SERVER_CADIR chain-2-serverCA "-c chain-1-serverCA" "u,u,u" ${D_SERVER_CA} "4"
+
+
+
+    ALL_CU_SUBJECT="CN=NSS Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+    cert_CA $CLIENT_CADIR clientCA -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5"
+    ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+    cert_CA $CLIENT_CADIR chain-1-clientCA "-c clientCA" "u,u,u" ${D_CLIENT_CA} "6"
+    ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+    cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
+
+    rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
+
+    # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
+    # in the chain
+
+    if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+#       Create EC version of TestCA
+	CA_CURVE="secp521r1"
+	ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
+#
+#       Create EC versions of the intermediate CA certs
+	ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+	cert_ec_CA $SERVER_CADIR serverCA-ec -x "Cu,Cu,Cu" ${D_SERVER_CA} "2" ${CA_CURVE}
+	ALL_CU_SUBJECT="CN=NSS Chain1 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+	cert_ec_CA $SERVER_CADIR chain-1-serverCA-ec "-c serverCA-ec" "u,u,u" ${D_SERVER_CA} "3" ${CA_CURVE}
+	ALL_CU_SUBJECT="CN=NSS Chain2 Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US" 
+	cert_ec_CA $SERVER_CADIR chain-2-serverCA-ec "-c chain-1-serverCA-ec" "u,u,u" ${D_SERVER_CA} "4" ${CA_CURVE}
+
+	ALL_CU_SUBJECT="CN=NSS Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+	cert_ec_CA $CLIENT_CADIR clientCA-ec -x "Tu,Cu,Cu" ${D_CLIENT_CA} "5" ${CA_CURVE}
+	ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+	cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
+	ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
+	cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
+
+	rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
+#	ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
+#	in the chain
+
+    fi
+}
+
+################################# cert_CA ################################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating  a CA Certificate and a root cert
+##########################################################################
+cert_CA()
+{
+  CUR_CADIR=$1
+  NICKNAME=$2
+  SIGNER=$3
+  TRUSTARG=$4
+  DOMAIN=$5
+  CERTSERIAL=$6
+
+  echo "$SCRIPTNAME: Creating a CA Certificate $NICKNAME =========================="
+
+  if [ ! -d "${CUR_CADIR}" ]; then
+      mkdir -p "${CUR_CADIR}"
+  fi
+  cd ${CUR_CADIR}
+  pwd
+
+  LPROFILE=`pwd`
+  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+     LPROFILE=`cygpath -m ${LPROFILE}`
+  fi
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+	LPROFILE="multiaccess:${DOMAIN}"
+  fi
+
+  if [ "$SIGNER" = "-x" ] ; then # self signed -> create DB
+      CU_ACTION="Creating CA Cert DB"
+      certu -N -d "${LPROFILE}" -f ${R_PWFILE} 2>&1
+      if [ "$RET" -ne 0 ]; then
+          Exit 5 "Fatal - failed to create CA $NICKNAME "
+      fi
+
+      CU_ACTION="Loading root cert module to CA Cert DB"
+      modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${LPROFILE}" 2>&1   
+      if [ "$RET" -ne 0 ]; then
+          return $RET
+      fi
+
+      echo "$SCRIPTNAME: Certificate initialized ----------"
+  fi
+
+
+  ################# Creating CA Cert ######################################
+  #
+  CU_ACTION="Creating CA Cert $NICKNAME "
+  CU_SUBJECT=$ALL_CU_SUBJECT
+  certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
+        -f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+  if [ "$RET" -ne 0 ]; then
+      echo "return value is $RET"
+      Exit 6 "Fatal - failed to create CA cert"
+  fi
+
+  ################# Exporting Root Cert ###################################
+  #
+  CU_ACTION="Exporting Root Cert"
+  certu -L -n  $NICKNAME -r -d ${LPROFILE} -o root.cert 
+  if [ "$RET" -ne 0 ]; then
+      Exit 7 "Fatal - failed to export root cert"
+  fi
+  cp root.cert ${NICKNAME}.ca.cert
+}
+
+################################ cert_ec_CA ##############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating  a CA Certificate and a root cert
+# This is the ECC version of cert_CA.
+##########################################################################
+cert_ec_CA()
+{
+  CUR_CADIR=$1
+  NICKNAME=$2
+  SIGNER=$3
+  TRUSTARG=$4
+  DOMAIN=$5
+  CERTSERIAL=$6
+  CURVE=$7
+
+  echo "$SCRIPTNAME: Creating an EC CA Certificate $NICKNAME =========================="
+
+  if [ ! -d "${CUR_CADIR}" ]; then
+      mkdir -p "${CUR_CADIR}"
+  fi
+  cd ${CUR_CADIR}
+  pwd
+
+  LPROFILE=.
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+	LPROFILE="multiaccess:${DOMAIN}"
+  fi
+
+  ################# Creating an EC CA Cert ################################
+  #
+  CU_ACTION="Creating EC CA Cert $NICKNAME "
+  CU_SUBJECT=$ALL_CU_SUBJECT
+  certu -S -n $NICKNAME -k ec -q $CURVE -t $TRUSTARG -v 600 $SIGNER \
+    -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+    -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+  if [ "$RET" -ne 0 ]; then
+      echo "return value is $RET"
+      Exit 6 "Fatal - failed to create EC CA cert"
+  fi
+
+  ################# Exporting EC Root Cert ################################
+  #
+  CU_ACTION="Exporting EC Root Cert"
+  certu -L -n  $NICKNAME -r -d ${LPROFILE} -o ecroot.cert 
+  if [ "$RET" -ne 0 ]; then
+      Exit 7 "Fatal - failed to export ec root cert"
+  fi
+  cp ecroot.cert ${NICKNAME}.ca.cert
+}
+
+############################## cert_smime_client #############################
+# local shell function to create client Certificates for S/MIME tests 
+##############################################################################
+cert_smime_client()
+{
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating Client CA Issued Certificates =============="
+
+  cert_create_cert ${ALICEDIR} "Alice" 30 ${D_ALICE}
+  cert_create_cert ${BOBDIR} "Bob" 40  ${D_BOB}
+
+  echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
+  cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
+
+## XXX With this new script merging ECC and non-ECC tests, the
+## call to cert_create_cert ends up creating two separate certs
+## one for Eve and another for Eve-ec but they both end up with
+## the same Subject Alt Name Extension, i.e., both the cert for
+## Eve@bogus.com and the cert for Eve-ec@bogus.com end up 
+## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
+## This can cause a problem later when cmsutil attempts to create
+## enveloped data and accidently picks up the ECC cert (NSS currently
+## does not support ECC for enveloped data creation). This script
+## avoids the problem by ensuring that these conflicting certs are
+## never added to the same cert database (see comment marked XXXX).
+  echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
+  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
+
+  #echo "************* Copying CA files to ${SERVERDIR}"
+  #cp ${CADIR}/*.db .
+  #hw_acc
+
+  #########################################################################
+  #
+  #cd ${CERTDIR}
+  #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
+  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+  #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
+  #	-d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
+
+  #CU_ACTION="Export Dave's Cert"
+  #cd ${DAVEDIR}
+  #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
+
+  ################# Importing Certificates for S/MIME tests ###############
+  #
+  echo "$SCRIPTNAME: Importing Certificates =============================="
+  CU_ACTION="Import Bob's cert into Alice's db"
+  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+        -i ${R_BOBDIR}/Bob.cert 2>&1
+
+  CU_ACTION="Import Dave's cert into Alice's DB"
+  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+        -i ${R_DAVEDIR}/Dave.cert 2>&1
+
+  CU_ACTION="Import Dave's cert into Bob's DB"
+  certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+        -i ${R_DAVEDIR}/Dave.cert 2>&1
+
+  CU_ACTION="Import Eve's cert into Alice's DB"
+  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+        -i ${R_EVEDIR}/Eve.cert 2>&1
+
+  CU_ACTION="Import Eve's cert into Bob's DB"
+  certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+        -i ${R_EVEDIR}/Eve.cert 2>&1
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      echo "$SCRIPTNAME: Importing EC Certificates =============================="
+      CU_ACTION="Import Bob's EC cert into Alice's db"
+      certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+          -i ${R_BOBDIR}/Bob-ec.cert 2>&1
+
+      CU_ACTION="Import Dave's EC cert into Alice's DB"
+      certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+          -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
+
+      CU_ACTION="Import Dave's EC cert into Bob's DB"
+      certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+          -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
+
+## XXXX Do not import Eve's EC cert until we can make sure that
+## the email addresses listed in the Subject Alt Name Extension 
+## inside Eve's ECC and non-ECC certs are different.
+#     CU_ACTION="Import Eve's EC cert into Alice's DB"
+#     certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+#         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+
+#     CU_ACTION="Import Eve's EC cert into Bob's DB"
+#     certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+#         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
+  fi
+
+  if [ "$CERTFAILED" != 0 ] ; then
+      cert_log "ERROR: SMIME failed $RET"
+  else
+      cert_log "SUCCESS: SMIME passed"
+  fi
+}
+
+############################## cert_extended_ssl #######################
+# local shell function to create client + server certs for extended SSL test
+########################################################################
+cert_extended_ssl()
+{
+
+  ################# Creating Certs for extended SSL test ####################
+  #
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating Certificates, issued by the last ==============="
+  echo "     of a chain of CA's which are not in the same database============"
+
+  echo "Server Cert"
+  cert_init_cert ${EXT_SERVERDIR} "${HOSTADDR}" 1 ${D_EXT_SERVER}
+
+  CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
+  certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+  CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
+  cp ${CERTDIR}/req ${SERVER_CADIR}
+  certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
+  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+
+  CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
+  certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+#     Repeat the above for EC certs
+#
+      EC_CURVE="secp256r1"
+      CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+	  -z "${R_NOISE_FILE}" -o req 2>&1
+
+      CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+      cp ${CERTDIR}/req ${SERVER_CADIR}
+      certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
+          -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+      CU_ACTION="Import $CERTNAME's EC Cert  -t u,u,u (ext)"
+      certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+      CU_ACTION="Import Client EC Root CA -t T,, for $CERTNAME (ext.)"
+      certu -A -n "clientCA-ec" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
+#
+#     done with EC certs
+#
+#     Repeat again for mixed EC certs
+#
+      EC_CURVE="secp256r1"
+      CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+	  -z "${R_NOISE_FILE}" -o req 2>&1
+
+      CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
+      cp ${CERTDIR}/req ${SERVER_CADIR}
+      certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
+          -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
+
+      CU_ACTION="Import $CERTNAME's mixed EC Cert  -t u,u,u (ext)"
+      certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+
+#      CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
+#      certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
+#	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
+#	  2>&1
+  fi
+
+  echo "Importing all the server's own CA chain into the servers DB"
+  for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
+  do
+      N=`basename $CA | sed -e "s/.ca.cert//"`
+      if [ $N = "serverCA" -o $N = "serverCA-ec" ] ; then
+          T="-t C,C,C"
+      else
+          T="-t u,u,u"
+      fi
+      CU_ACTION="Import $N CA $T for $CERTNAME (ext.) "
+      certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${CA}" 2>&1
+  done
+#============
+  echo "Client Cert"
+  cert_init_cert ${EXT_CLIENTDIR} ExtendedSSLUser 1 ${D_EXT_CLIENT}
+
+  CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
+  certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+  CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
+      -o req 2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
+  cp ${CERTDIR}/req ${CLIENT_CADIR}
+  certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
+  certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+  CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
+  certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+#
+#     Repeat the above for EC certs
+#
+      CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+	  -z "${R_NOISE_FILE}" -o req 2>&1
+
+      CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
+      cp ${CERTDIR}/req ${CLIENT_CADIR}
+      certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
+          -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
+
+      CU_ACTION="Import $CERTNAME's EC Cert -t u,u,u (ext)"
+      certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+	  -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+
+      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
+      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
+	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
+#
+# done with EC certs
+#
+#
+#     Repeat the above for mixed EC certs
+#
+      CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
+	  -z "${R_NOISE_FILE}" -o req 2>&1
+
+      CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
+      cp ${CERTDIR}/req ${CLIENT_CADIR}
+      certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
+          -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
+
+      CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
+      certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
+
+#      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
+#      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
+#	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
+#
+# done with mixed EC certs
+#
+  fi
+
+  echo "Importing all the client's own CA chain into the servers DB"
+  for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
+  do
+      N=`basename $CA | sed -e "s/.ca.cert//"`
+      if [ $N = "clientCA" -o $N = "clientCA-ec" ] ; then
+          T="-t T,C,C"
+      else
+          T="-t u,u,u"
+      fi
+      CU_ACTION="Import $N CA $T for $CERTNAME (ext.)"
+      certu -A -n $N  $T -f "${R_PWFILE}" -d "${PROFILEDIR}" \
+          -i "${CA}" 2>&1
+  done
+  if [ "$CERTFAILED" != 0 ] ; then
+      cert_log "ERROR: EXT failed $RET"
+  else
+      cert_log "SUCCESS: EXT passed"
+  fi
+}
+
+############################## cert_ssl ################################
+# local shell function to create client + server certs for SSL test
+########################################################################
+cert_ssl()
+{
+  ################# Creating Certs for SSL test ###########################
+  #
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
+  cert_create_cert ${CLIENTDIR} "TestUser" 70 ${D_CLIENT}
+
+  echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
+  echo "             ${HOSTADDR} ------------------------------------"
+  cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
+  CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
+  certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+      certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+  fi
+#  cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
+#  echo "************* Copying CA files to ${SERVERDIR}"
+#  cp ${CADIR}/*.db .
+#  hw_acc
+#  CU_ACTION="Creating ${CERTNAME}'s Server Cert"
+#  CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+#  certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
+#	 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
+
+  if [ "$CERTFAILED" != 0 ] ; then
+      cert_log "ERROR: SSL failed $RET"
+  else
+      cert_log "SUCCESS: SSL passed"
+  fi
+}
+############################## cert_stresscerts ################################
+# local shell function to create client certs for SSL stresstest
+########################################################################
+cert_stresscerts()
+{
+
+  ############### Creating Certs for SSL stress test #######################
+  #
+  CERTDIR="$CLIENTDIR"
+  cd "${CERTDIR}"
+
+  PROFILEDIR=`cd ${CERTDIR}; pwd`
+  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+     PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+  fi  
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     PROFILEDIR="multiaccess:${D_CLIENT}"
+  fi
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating Client CA Issued Certificates ==============="
+
+  CONTINUE=$GLOB_MAX_CERT
+  CERTSERIAL=10
+
+  while [ $CONTINUE -ge $GLOB_MIN_CERT ]
+  do
+      CERTNAME="TestUser$CONTINUE"
+#      cert_add_cert ${CLIENTDIR} "TestUser$CONTINUE" $CERTSERIAL
+      cert_add_cert 
+      CERTSERIAL=`expr $CERTSERIAL + 1 `
+      CONTINUE=`expr $CONTINUE - 1 `
+  done
+  if [ "$CERTFAILED" != 0 ] ; then
+      cert_log "ERROR: StressCert failed $RET"
+  else
+      cert_log "SUCCESS: StressCert passed"
+  fi
+}
+
+############################## cert_fips #####################################
+# local shell function to create certificates for FIPS tests 
+##############################################################################
+cert_fips()
+{
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
+  cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
+
+  CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
+  certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
+
+  CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
+  modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+  echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
+  CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
+  echo "modutil -dbdir ${PROFILEDIR} -fips true "
+  ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
+y
+MODSCRIPT
+  RET=$?
+  if [ "$RET" -ne 0 ]; then
+    html_failed "${CU_ACTION} ($RET) " 
+    cert_log "ERROR: ${CU_ACTION} failed $RET"
+  else
+    html_passed "${CU_ACTION}"
+  fi
+
+  CU_ACTION="Generate Certificate for ${CERTNAME}"
+  CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
+  certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
+  if [ "$RET" -eq 0 ]; then
+    cert_log "SUCCESS: FIPS passed"
+  fi
+}
+
+############################## cert_eccurves ###########################
+# local shell function to create server certs for all EC curves
+########################################################################
+cert_eccurves()
+{
+  ################# Creating Certs for EC curves test ########################
+  #
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+    echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
+    echo "             EC Curves Test Certificates ------------------------------------"
+
+    cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
+
+    CU_ACTION="Initializing EC Curve's Cert DB"
+    certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+
+    CU_ACTION="Loading root cert module to EC Curve's Cert DB"
+    modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
+
+    CU_ACTION="Import EC Root CA for $CERTNAME"
+    certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
+        -d "${PROFILEDIR}" -i "${R_CADIR}/ecroot.cert" 2>&1
+
+    if [ -n "${NSS_ECC_MORE_THAN_SUITE_B}" ] ; then
+      CURVE_LIST="c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 \
+	c2pnb208w1 c2pnb272w1 c2pnb304w1 c2pnb368w1 \
+	c2tnb191v1 c2tnb191v2 c2tnb191v3 c2tnb239v1 \
+	c2tnb239v2 c2tnb239v3 c2tnb359v1 c2tnb431r1 \
+	nistb163 nistb233 nistb283 nistb409 nistb571 \
+	nistk163 nistk233 nistk283 nistk409 nistk571 \
+	nistp192 nistp224 nistp256 nistp384 nistp521 \
+	prime192v1 prime192v2 prime192v3 \
+	prime239v1 prime239v2 prime239v3 \
+	secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 \
+	secp160r1 secp160r2 secp192k1 secp192r1 secp224k1 \
+	secp224r1 secp256k1 secp256r1 secp384r1 secp521r1 \
+	sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 \
+	sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 \
+	sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1"
+    else
+      CURVE_LIST="nistp256 nistp384 nistp521"
+    fi
+    CERTSERIAL=2000
+
+    for CURVE in ${CURVE_LIST}
+    do
+	CERTFAILED=0
+	CERTNAME="Curve-${CURVE}"
+	CERTSERIAL=`expr $CERTSERIAL + 1 `
+	CU_ACTION="Generate EC Cert Request for $CERTNAME"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+		-z "${R_NOISE_FILE}" -o req  2>&1
+	
+	if [ $RET -eq 0 ] ; then
+	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
+	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
+		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
+	fi
+	
+	if [ $RET -eq 0 ] ; then
+	  CU_ACTION="Import $CERTNAME's EC Cert"
+	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
+		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
+	fi
+    done
+
+  fi # if NSS_ENABLE_ECC=1
+}
+
+########################### cert_extensions_test #############################
+# local shell function to test cert extensions generation
+##############################################################################
+cert_extensions_test()
+{
+    COUNT=`expr ${COUNT} + 1`
+    CERTNAME=TestExt${COUNT}
+    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+
+    echo
+    echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
+        -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+        -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
+    echo "certutil options:"
+    cat ${TARG_FILE}
+    ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
+        -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
+        -z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
+    RET=$?
+    if [ "${RET}" -ne 0 ]; then
+        CERTFAILED=1
+        html_failed "${TESTNAME} (${COUNT}) - Create and Add Certificate" 
+        cert_log "ERROR: ${TESTNAME} - Create and Add Certificate failed" 
+        return 1
+    fi
+
+    echo certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME} 
+    EXTLIST=`${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n ${CERTNAME}`
+    RET=$?
+    echo "${EXTLIST}"
+    if [ "${RET}" -ne 0 ]; then
+        CERTFAILED=1
+        html_failed "${TESTNAME} (${COUNT}) - List Certificate" 
+        cert_log "ERROR: ${TESTNAME} - List Certificate failed" 
+        return 1
+    fi
+
+    for FL in `echo ${FILTERLIST} | tr \| ' '`; do
+        FL="`echo ${FL} | tr _ ' '`"
+        EXPSTAT=0
+        if [ X`echo "${FL}" | cut -c 1` = 'X!' ]; then
+            EXPSTAT=1
+            FL=`echo ${FL} | tr -d '!'`
+        fi
+        echo "${EXTLIST}" | grep "${FL}" >/dev/null 2>&1
+        RET=$?
+        if [ "${RET}" -ne "${EXPSTAT}" ]; then
+            CERTFAILED=1
+            html_failed "${TESTNAME} (${COUNT}) - Looking for ${FL}" "returned ${RET}, expected is ${EXPSTAT}" 
+            cert_log "ERROR: ${TESTNAME} - Looking for ${FL} failed"
+            return 1
+        fi
+    done
+
+    html_passed "${TESTNAME} (${COUNT})"
+    return 0
+}
+
+############################## cert_extensions ###############################
+# local shell function to run cert extensions tests
+##############################################################################
+cert_extensions()
+{
+    CERTNAME=TestExt
+    cert_create_cert ${CERT_EXTENSIONS_DIR} ${CERTNAME} 90 ${D_CERT_EXTENSTIONS}
+    TARG_FILE=${CERT_EXTENSIONS_DIR}/test.args
+
+    COUNT=0
+    while read ARG OPT FILTERLIST; do
+        if [ X"`echo ${ARG} | cut -c 1`" = "X#" ]; then
+            continue
+        fi
+        if [ X"`echo ${ARG} | cut -c 1`" = "X!" ]; then
+            TESTNAME="${FILTERLIST}"
+            continue
+        fi
+        if [ X"${ARG}" = "X=" ]; then
+            cert_extensions_test
+            rm -f ${TARG_FILE}
+        else
+            echo ${ARG} >> ${TARG_FILE}
+        fi
+    done < ${QADIR}/cert/certext.txt
+}
+
+############################## cert_crl_ssl ############################
+# local shell function to generate certs and crls for SSL tests
+########################################################################
+cert_crl_ssl()
+{
+    
+  ################# Creating Certs ###################################
+  #
+  CERTFAILED=0
+  CERTSERIAL=${CRL_GRP_1_BEGIN}
+
+  cd $CADIR
+  
+  PROFILEDIR=`cd ${CLIENTDIR}; pwd`
+  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+     PROFILEDIR=`cygpath -m ${PROFILEDIR}`
+  fi
+  CRL_GRPS_END=`expr ${CRL_GRP_1_BEGIN} + ${TOTAL_CRL_RANGE} - 1`
+  echo "$SCRIPTNAME: Creating Client CA Issued Certificates Range $CRL_GRP_1_BEGIN - $CRL_GRPS_END ==="
+  CU_ACTION="Creating client test certs"
+
+  while [ $CERTSERIAL -le $CRL_GRPS_END ]
+  do
+      CERTNAME="TestUser$CERTSERIAL"
+      cert_add_cert 
+      CERTSERIAL=`expr $CERTSERIAL + 1 `
+  done
+
+  #################### CRL Creation ##############################
+  CRL_GEN_RES=0
+  echo "$SCRIPTNAME: Creating CA CRL ====================================="
+
+  CRL_GRP_END=`expr ${CRL_GRP_1_BEGIN} + ${CRL_GRP_1_RANGE} - 1`
+  CRL_FILE_GRP_1=${R_SERVERDIR}/root.crl_${CRL_GRP_1_BEGIN}-${CRL_GRP_END}
+  CRL_FILE=${CRL_FILE_GRP_1}
+  
+  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CU_ACTION="Generating CRL for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA authority"
+  CRL_GRP_END_=`expr ${CRL_GRP_END} - 1`
+  crlu -d $CADIR -G -n "TestCA" -f ${R_PWFILE} \
+      -o ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
+addext reasonCode 0 4
+addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
+EOF_CRLINI
+# This extension should be added to the list, but currently nss has bug
+#addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
+  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  chmod 600 ${CRL_FILE_GRP_1}_or
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
+
+#     Until Bug 292285 is resolved, do not encode x400 Addresses. After
+#     the bug is resolved, reintroduce "x400Address:x400Address" within
+#     addext issuerAltNames ...
+      crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
+	  -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
+addext reasonCode 0 4
+addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
+EOF_CRLINI
+      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+      chmod 600 ${CRL_FILE_GRP_1}_or-ec
+  fi
+
+  echo test > file
+  ############################# Modification ##################################
+
+  echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
+  sleep 2
+  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CU_ACTION="Modify CRL by adding one more cert"
+  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
+      -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_END} $CRL_GRP_DATE
+EOF_CRLINI
+  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  chmod 600 ${CRL_FILE_GRP_1}_or1
+  TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Modify CRL (ECC) by adding one more cert"
+      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
+	  -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_END} $CRL_GRP_DATE
+EOF_CRLINI
+      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+      chmod 600 ${CRL_FILE_GRP_1}_or1-ec
+      TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
+  fi
+
+  ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
+  echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
+  CU_ACTION="Modify CRL by removing one cert"
+  sleep 2
+  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
+      -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
+update=$CRLUPDATE
+rmcert  ${UNREVOKED_CERT_GRP_1}
+EOF_CRLINI
+  chmod 600 ${CRL_FILE_GRP_1}
+  TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Modify CRL (ECC) by removing one cert"
+      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
+	  -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
+update=$CRLUPDATE
+rmcert  ${UNREVOKED_CERT_GRP_1}
+EOF_CRLINI
+      chmod 600 ${CRL_FILE_GRP_1}-ec
+      TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
+  fi
+
+  ########### Creating second CRL which includes groups 1 and 2 ##############
+  CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
+  CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
+
+  echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2  ==============="
+  sleep 2
+  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CU_ACTION="Creating CRL for groups 1 and 2"
+  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2} \
+          -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+addext invalidityDate 0 $CRLUPDATE
+rmcert  ${UNREVOKED_CERT_GRP_2}
+EOF_CRLINI
+  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  chmod 600 ${CRL_FILE_GRP_2}
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
+      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
+          -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+addext invalidityDate 0 $CRLUPDATE
+rmcert  ${UNREVOKED_CERT_GRP_2}
+EOF_CRLINI
+      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+      chmod 600 ${CRL_FILE_GRP_2}-ec
+  fi
+
+  ########### Creating second CRL which includes groups 1, 2 and 3 ##############
+  CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
+  CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
+
+
+
+  echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3  ==============="
+  sleep 2
+  CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
+  CU_ACTION="Creating CRL for groups 1, 2 and 3"
+  crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3} \
+            -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+rmcert  ${UNREVOKED_CERT_GRP_3}
+addext crlNumber 0 2
+EOF_CRLINI
+  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  chmod 600 ${CRL_FILE_GRP_3}
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
+      crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
+          -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
+update=$CRLUPDATE
+addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
+rmcert  ${UNREVOKED_CERT_GRP_3}
+addext crlNumber 0 2
+EOF_CRLINI
+      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+      chmod 600 ${CRL_FILE_GRP_3}-ec
+  fi
+
+  ############ Importing Server CA Issued CRL for certs of first group #######
+
+  echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
+  CU_ACTION="Importing CRL for groups 1"
+  crlu -D -n TestCA  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+  crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+  CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      CU_ACTION="Importing CRL (ECC) for groups 1"
+      crlu -D -n TestCA-ec  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
+      crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
+	  -d "${R_SERVERDIR}"
+      CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
+  fi
+
+  if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
+      cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
+  else
+      cert_log "SUCCESS: SSL CRL prep passed"
+  fi
+}
+
+#################
+# Verify the we can successfully change the password on the database
+#
+cert_test_password()
+{
+  CERTFAILED=0
+  echo "$SCRIPTNAME: Create A Password Test Cert  =============="
+  cert_init_cert "${DBPASSDIR}" "Password Test Cert" 1000 "${D_DBPASSDIR}"
+
+  echo "$SCRIPTNAME: Create A Password Test Ca  --------"
+  ALL_CU_SUBJECT="CN=NSS Password Test CA, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
+
+  # now change the password
+  CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
+  certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
+
+  # finally make sure we can use the old key with the new password
+  CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
+  CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
+  if [ "$RET" -eq 0 ]; then
+    cert_log "SUCCESS: PASSWORD passed"
+  fi
+  CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
+  certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
+}
+
+############################## cert_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cert_cleanup()
+{
+  cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
+  html "</TABLE><BR>" 
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+cert_init 
+cert_all_CA
+cert_extended_ssl 
+cert_ssl 
+cert_smime_client        
+cert_fips
+cert_eccurves
+cert_extensions
+cert_test_password
+
+if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+    cert_crl_ssl
+else
+    echo "$SCRIPTNAME: Skipping CRL Tests"
+fi
+
+if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+    cert_stresscerts 
+fi
+
+cert_iopr_setup
+
+cert_cleanup
diff --git a/security/nss/tests/cert/certext.txt b/security/nss/tests/cert/certext.txt
new file mode 100644
index 000000000..c166297b7
--- /dev/null
+++ b/security/nss/tests/cert/certext.txt
@@ -0,0 +1,126 @@
+# File syntax:
+# '#' comments.
+# If the line starts from '!'('! TEST_N Test Name String'),
+# then  'Test Name String' will be the name of a test(starting
+# from second space till the rest of the line).
+# All uncommented lines are hard codded answers to certutil
+# extension questions.
+# Line '= N string1|string2|string3': '=' is a stop sign
+# of certutil inputs and start of the test. 'N' is the number
+# of extension that will be tested. 'string1|string2|string3'
+# are grep patterns for test result verification. '_' in stringN
+# will be replaced to a space.
+# ################################################################
+! TEST_1 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing
+# ################################################################
+! TEST_2 Certificate Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 1 Certificate_Key_Usage|Digital_Signature|Critical:_True
+# ################################################################
+! TEST_3 Certificate Basic Constraints Extension
+y
+-1
+n
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_a_CA_with_no_maximum
+# ################################################################
+! TEST_4 Certificate Basic Constraints Extension
+n
+-1
+y
+= 2 Name:_Certificate_Basic_Constraints|Data:_Is_not_a_CA|Critical:_True
+# ################################################################
+! TEST_5 Certificate Authority Key Identifier Extension
+y
+12341235123
+
+
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Key_ID:|12341235123
+# ################################################################
+! TEST_6 Certificate Authority Key Identifier Extension
+y
+
+3
+test.com
+
+214123
+y
+= 3 Name:_Certificate_Authority_Key_Identifier|Critical:_True|Issuer:|DNS_name:_"test.com"|Serial_Number:|214123
+# ################################################################
+! TEST_7 CRL Distribution Points Extension
+1
+2
+rfc822@name.tld
+3
+test.com
+8
+1.2.3.4
+9
+OID.0.2.213
+10
+0
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|rfc822@name.tld
+# #################################################################
+! TEST_8 CRL Distribution Points Extension
+2
+SN=asdfsdf
+4
+3
+test.com
+10
+n
+n
+= 4 Name:_CRL_Distribution_Points|asdfsdf|Reasons:|DNS_name:_"test.com"
+# ################################################################
+! TEST_9 Certificate Type Extension
+0
+1
+2
+10
+n
+= 5 Name:_Certificate_Type|Data:_<SSL_Client,SSL_Server,S/MIME>
+# ################################################################
+! TEST_10 Extended Key Usage Extension
+0
+1
+2
+3
+4
+5
+6
+10
+y
+= 6 Name:_Extended_Key_Usage|Critical:_True|TLS_Web_Server_Authentication_Certificate|TLS_Web_Client_Authentication_Certificate|Code_Signing_Certificate|E-Mail_Protection_Certificate|Time_Stamping_Certifcate|OCSP_Responder_Certificate|Strong_Crypto_Export_Approved
+# ################################################################
+! TEST_11 Certificate Key Usage Extension
+
+1
+2
+3
+4
+5
+6
+10
+n
+= 1 Certificate_Key_Usage|!Digital_Signature|Non-Repudiation|Key_Encipherment|Data_Encipherment|Key_Agreement|Certificate_Signing|CRL_Signing
diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh
new file mode 100755
index 000000000..7abc5f997
--- /dev/null
+++ b/security/nss/tests/cipher/cipher.sh
@@ -0,0 +1,138 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/cipher/cipher.sh
+#
+# Script to test NSS ciphers
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## cipher_init #############################
+# local shell function to initialize this script
+########################################################################
+cipher_init()
+{
+  SCRIPTNAME="cipher.sh"
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  if [ -z "${INIT_SOURCED}" ] ; then
+      cd ../common
+      . ./init.sh
+  fi
+  SCRIPTNAME="cipher.sh"
+  html_head "Cipher Tests"
+
+  CIPHERDIR=${HOSTDIR}/cipher
+  CIPHERTESTDIR=${QADIR}/../cmd/bltest
+  D_CIPHER="Cipher.$version"
+
+  CIPHER_TXT=${QADIR}/cipher/cipher.txt
+
+  mkdir -p ${CIPHERDIR}
+
+  cd ${CIPHERDIR}
+  P_CIPHER=.
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+    P_CIPHER="multiaccess:${D_CIPHER}"
+  fi
+}
+
+############################## cipher_main #############################
+# local shell function to test NSS ciphers
+########################################################################
+cipher_main()
+{
+  while read EXP_RET PARAM TESTNAME
+  do
+      if [ -n "$EXP_RET" -a "$EXP_RET" != "#" ] ; then
+          PARAM=`echo $PARAM | sed -e "s/_-/ -/g"`
+          TESTNAME=`echo $TESTNAME | sed -e "s/_/ /g"`
+          echo "$SCRIPTNAME: $TESTNAME --------------------------------"
+          failedStr=""
+          inOff=0
+          res=0
+          while [ $inOff -lt 8 ]
+          do
+             outOff=0
+             while [ $outOff -lt 8 ]
+             do
+                 echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff"
+                 ${PROFTOOL} ${BINDIR}/bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff
+                 if [ $? -ne 0 ]; then
+                     failedStr="$failedStr[$inOff:$outOff]"
+                 fi
+                 outOff=`expr $outOff + 1`
+             done
+             inOff=`expr $inOff + 1`
+          done
+          if [ -n "$failedStr" ]; then
+              html_msg 1 $EXP_RET "$TESTNAME (Failed in/out offset pairs:" \
+                        " $failedStr)"
+          else
+              html_msg $res $EXP_RET "$TESTNAME"
+          fi
+      fi
+  done < ${CIPHER_TXT}
+}
+
+############################## cipher_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+cipher_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+cipher_init
+cipher_main
+cipher_cleanup
diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt
new file mode 100644
index 000000000..5565e5299
--- /dev/null
+++ b/security/nss/tests/cipher/cipher.txt
@@ -0,0 +1,39 @@
+#
+# This file defines the cipher tests
+#
+# expected
+#   return	bltest		Test Case name
+#    value	params
+#  -------	----------	---------------
+	0	des_ecb_-E	DES_ECB_Encrypt
+	0	des_ecb_-D	DES_ECB_Decrypt
+	0	des_cbc_-E	DES_CBC_Encrypt
+	0	des_cbc_-D	DES_CBC_Decrypt
+	0	des3_ecb_-E	DES3_ECB_Encrypt
+	0	des3_ecb_-D	DES3_ECB_Decrypt
+	0	des3_cbc_-E	DES3_CBC_Encrypt
+	0	des3_cbc_-D	DES3_CBC_Decrypt
+	0	aes_ecb_-E	AES_ECB_Encrypt
+	0	aes_ecb_-D	AES_ECB_Decrypt
+	0	aes_cbc_-E	AES_CBC_Encrypt
+	0	aes_cbc_-D	AES_CBC_Decrypt
+	0	camellia_ecb_-E	Camellia_ECB_Encrypt
+	0	camellia_ecb_-D	Camellia_ECB_Decrypt
+	0	camellia_cbc_-E	Camellia_CBC_Encrypt
+	0	camellia_cbc_-D	Camellia_CBC_Decrypt
+	0	rc2_ecb_-E	RC2_ECB_Encrypt
+	0	rc2_ecb_-D	RC2_ECB_Decrypt
+	0	rc2_cbc_-E	RC2_CBC_Encrypt
+	0	rc2_cbc_-D	RC2_CBC_Decrypt
+	0	rc4_-E		RC4_Encrypt
+	0	rc4_-D		RC4_Decrypt
+	0	rsa_-E		RSA_Encrypt
+	0	rsa_-D		RSA_Decrypt
+	0	dsa_-S		DSA_Sign
+	0	dsa_-V		DSA_Verify
+	0	md2_-H		MD2_Hash
+	0	md5_-H		MD5_Hash
+	0	sha1_-H		SHA1_Hash
+	0	sha256_-H	SHA256_Hash
+	0	sha384_-H	SHA384_Hash
+	0	sha512_-H	SHA512_Hash
diff --git a/security/nss/tests/cipher/dsa.txt b/security/nss/tests/cipher/dsa.txt
new file mode 100644
index 000000000..257d7ffe0
--- /dev/null
+++ b/security/nss/tests/cipher/dsa.txt
@@ -0,0 +1,8 @@
+#
+# This file enables test coverage of the dsa performance tests
+#
+#
+# mode     keysize   bufsize   repetitions cxrepetitions
+  dsa        64         20         200         5
+  dsa        96         20         200         3
+  dsa       128         20         200         3
diff --git a/security/nss/tests/cipher/hash.txt b/security/nss/tests/cipher/hash.txt
new file mode 100644
index 000000000..6a785640b
--- /dev/null
+++ b/security/nss/tests/cipher/hash.txt
@@ -0,0 +1,8 @@
+#
+# This file enables test coverage of the cryptographic hash performance tests
+#
+#
+# mode      bufsize   repetitions
+  md2        10240        5000
+  md5        10240        100000
+  sha1       10240        100000
diff --git a/security/nss/tests/cipher/performance.sh b/security/nss/tests/cipher/performance.sh
new file mode 100755
index 000000000..82b7e832b
--- /dev/null
+++ b/security/nss/tests/cipher/performance.sh
@@ -0,0 +1,151 @@
+#!/bin/sh  
+#
+# This is just a quick script so we can still run our testcases.
+# Longer term we need a scriptable test environment..
+#
+. ../common/init.sh
+CURDIR=`pwd`
+if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+	CURDIR=`cygpath -m ${CURDIR}`
+fi
+
+CIPHERDIR=${HOSTDIR}/cipher
+SKTESTS=${CURDIR}/symmkey.txt
+RSATESTS=${CURDIR}/rsa.txt
+DSATESTS=${CURDIR}/dsa.txt
+HASHTESTS=${CURDIR}/hash.txt
+SKPERFOUT=${CIPHERDIR}/skperfout.data
+RSAPERFOUT=${CIPHERDIR}/rsaperfout.data
+DSAPERFOUT=${CIPHERDIR}/dsaperfout.data
+HASHPERFOUT=${CIPHERDIR}/hashperfout.data
+PERFRESULTS=${HOSTDIR}/performance.html
+
+echo "<HTML><BODY>" >> ${PERFRESULTS}
+
+mkdir -p ${CIPHERDIR}
+cd ${CIPHERDIR}
+
+if [ -z $1 ]; then
+    TESTSET="all"
+else
+    TESTSET=$1
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "symmkey" ]; then
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Symmetric Key Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>SYMMETRIC KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read mode keysize bufsize reps cxreps
+do
+    if [ $mode != "#" ]; then
+	echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps"
+	${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT}
+	mv "tmp.in.0" "$mode.in"
+	mv tmp.key $mode.key
+	if [ -f tmp.iv ]; then
+	    mv tmp.iv $mode.iv
+	fi
+	echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out"
+	${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT}
+	echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv"
+	${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT}
+    fi
+done < ${SKTESTS} 
+
+while read md buf sk rps cxrps cx op
+do
+    if [ $md != "#" ]; then
+	echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$sk</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+    fi
+done < ${SKPERFOUT} 
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "rsa" ]; then
+while read mode keysize bufsize exp reps cxreps
+do
+    if [ $mode != "#" ]; then
+	echo "bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps"
+	${BINDIR}/bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT}
+	mv "tmp.in.0" "$mode.in"
+	mv tmp.key $mode.key
+	echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out"
+	${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT}
+	echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv"
+	${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT}
+    fi
+done < ${RSATESTS} 
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=7>RSA Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>PUBLIC EXPONENT</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf mod pe rps cxrps cx op
+do
+    if [ $md != "#" ]; then
+	echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$pe</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+    fi
+done < ${RSAPERFOUT} 
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then
+
+while read mode keysize bufsize reps cxreps
+do
+    if [ $mode != "#" ]; then
+	echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps"
+	${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT}
+	mv "tmp.in.0" "$mode.in"
+	mv tmp.key $mode.key
+	echo "bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out"
+	${BINDIR}/bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT}
+	echo "bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out"
+	${BINDIR}/bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT}
+    fi
+done < ${DSATESTS} 
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>DSA Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>KEY SIZE (bits)</TH><TH>REPETITIONS (cx/op)</TH><TH>CONTEXT CREATION TIME (ms)</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf mod rps cxrps cx op
+do
+    if [ $md != "#" ]; then
+	echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$mod</TD><TD align=right>$cxrps/$rps</TD><TD align=right>$cx</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+    fi
+done < ${DSAPERFOUT} 
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then
+while read mode bufsize reps
+do
+    if [ $mode != "#" ]; then
+	echo "bltest -N -m $mode -b $bufsize"
+	${BINDIR}/bltest -N -m $mode -b $bufsize
+	mv "tmp.in.0" "$mode.in"
+	echo "bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out"
+	${BINDIR}/bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT}
+    fi
+done < ${HASHTESTS} 
+
+echo "<TABLE BORDER=1><TR><TH COLSPAN=6>Hash Cipher Performance</TH></TR>" >> ${PERFRESULTS}
+echo "<TR bgcolor=lightGreen><TH>MODE</TH><TH>INPUT SIZE (bytes)</TH><TH>REPETITIONS</TH><TH>OPERATION TIME (ms)</TH></TR>" >> ${PERFRESULTS}
+
+while read md buf rps cxrps cx op
+do
+    if [ $md != "#" ]; then
+	echo "<TR><TH>$md</TH><TD align=right>$buf</TD><TD align=right>$rps</TD><TD align=right>$op</TD></TR>" >> ${PERFRESULTS}
+    fi
+done < ${HASHPERFOUT} 
+
+echo "</TABLE><BR>" >> ${PERFRESULTS}
+fi
+
+#rm -f ${TEMPFILES}
+cd ${CURDIR}
+
+echo "</BODY></HTML>" >> ${PERFRESULTS}
diff --git a/security/nss/tests/cipher/rsa.txt b/security/nss/tests/cipher/rsa.txt
new file mode 100644
index 000000000..5508971e9
--- /dev/null
+++ b/security/nss/tests/cipher/rsa.txt
@@ -0,0 +1,8 @@
+#
+# This file enables test coverage of the rsa performance tests
+#
+#
+# mode     keysize   bufsize   exponent  repetitions cxrepetitions
+  rsa        32         32       17          1000        5 
+  rsa        64         64        3          500         3 
+  rsa       128        128      65537        200         3 
diff --git a/security/nss/tests/cipher/symmkey.txt b/security/nss/tests/cipher/symmkey.txt
new file mode 100644
index 000000000..095668a7c
--- /dev/null
+++ b/security/nss/tests/cipher/symmkey.txt
@@ -0,0 +1,27 @@
+#
+# This file enables test coverage of the symmetric key performance tests
+#
+#
+# mode     keysize   bufsize   repetitions cxrepetitions
+ des_ecb      8       8192       1000         100000
+ des_cbc      8       8192       1000         100000
+ des3_ecb    24       8192       1000         100000
+ des3_cbc    24       8192       1000         100000
+ rc2_ecb      5       8192       1000         100000
+ rc2_ecb      8       8192       1000         100000
+ rc2_ecb     16       8192       1000         100000
+ rc2_cbc      5       8192       1000         100000
+ rc2_cbc      8       8192       1000         100000
+ rc2_cbc     16       8192       1000         100000
+ rc4          5       8192       10000        100000
+ rc4          8       8192       10000        100000
+ rc4         16       8192       10000        100000
+ rc4         24       8192       10000        100000
+ aes_ecb     16       8192       10000        100000
+ aes_cbc     16       8192       10000        100000
+ aes_ecb     32       8192       10000        100000
+ aes_cbc     32       8192       10000        100000
+ camellia_ecb     16       8192       10000        100000
+ camellia_cbc     16       8192       10000        100000
+ camellia_ecb     32       8192       10000        100000
+ camellia_cbc     32       8192       10000        100000
diff --git a/security/nss/tests/clean_tbx b/security/nss/tests/clean_tbx
new file mode 100755
index 000000000..4de955576
--- /dev/null
+++ b/security/nss/tests/clean_tbx
@@ -0,0 +1,172 @@
+#! /bin/perl
+
+#######################################################################
+#
+# /u/sonmi/bin/clean_tbx.pl
+#
+# this script is supposed to remove tinderbox  QA if:
+# QA has passed, there are 2+ newer QA dirs of the same machine and 
+#     platform (32/64) and it is older than 2 hours
+# QA has failed, there are 2+ newer QA dirsof the same machine and 
+#     platform (32/64) with _identical failures and it is older than 
+#     2 hours
+# directory is older than 48 hours
+#
+#######################################################################
+
+use Time::Local;
+
+$ANY_TBX_KEEP_HOURS=48;
+$NOT_FAILED_TBX_KEEP_HOURS=24;
+$PASSED_TBX_KEEP_HOURS=2;
+$IF_TBX_KEEP_HOURS=2;
+$PASSED_NEWER_DIRS=2;
+$IF_NEWER_DIRS=2;
+$verbose = 1;
+
+$TBX_TESTDIR="/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security";
+$FTP_STAGE="/u/sonmi/tmp/ftp_stage/tinderbox";
+
+@tbx_dirs = ();  
+
+$eANY_TBX_KEEP=$ANY_TBX_KEEP_HOURS*60*60;
+$ePASSED_TBX_KEEP=$PASSED_TBX_KEEP_HOURS*60*60;
+$eIF_TBX_KEEP=$IF_TBX_KEEP_HOURS*60*60;
+$eNOT_FAILED_TBX_KEEP=$NOT_FAILED_TBX_KEEP_HOURS*60*60;
+
+$year, $month, $days, $hours, $minutes, $seconds;
+$efulldate=0;
+
+$fulldate=0;
+
+$no_bits="";
+$last_no_bits="";
+
+$host="";
+$last_host="";
+
+@tbx_dirs = `ls -r $TBX_TESTDIR`; #sort first by host, 
+                               #then 64, 
+                               #then newest - oldest
+debug ("found $#tbx_dirs directories ");
+
+($seconds, $minutes, $hours, $days, $month, $year) = localtime; 
+
+debug ("$seconds, $minutes, $hours, $days, $month, $year");
+
+$enow = timelocal(localtime);
+
+sub debug;
+sub warning;
+sub error;
+sub msg;
+sub init;
+sub check_tbx_dirs;
+
+sub check_tbx_dirs
+{
+    my $platform_idx=0; # counts directories per platform, newest 
+                        # to oldest (ignores incomplete)
+    my $passed_idx=0;   # counts passed  directories newest to oldest
+    my $QAstatus="unknown";
+    foreach $tbx_dir  (@tbx_dirs) {
+        $tbx_dir =~ s/\n//g;
+        $fulldate = $tbx_dir;
+        $fulldate =~ s/^.*-(20.*-..\...$)/$1/;
+        $day = $month = $year = $hour = $min = $fulldate;
+        $host = $tbx_dir;
+        $host =~ s/-20.*//;
+        $no_bits = $host;
+        $host =~ s/64$//;
+        $no_bits =~ s/.*64$/64/;
+        $no_bits =~ s/^[^6].*/other/;
+        $year =~ s/(....).*/$1/;
+        $month =~ s/....(..).*/$1/;
+        $day =~ s/......(..).*/$1/;
+        $hour =~ s/........-(..).*/$1/;
+        $min =~ s/.*\.(..)$/$1/;
+        
+
+        if ( -f "$TBX_TESTDIR/$tbx_dir/QAstatus" ) {
+            $QAstatus=`cat $TBX_TESTDIR/$tbx_dir/QAstatus 2>/dev/null`;
+            $QAstatus =~ s/\n$//g;
+        } else {
+            $QAstatus="unknown";
+        }
+
+        $efulldate = timelocal( 0, $min, $hour, $day, $month-1, $year-1900);
+        if ( "$host" !~ "$last_host" || "$no_bits" !~ "$last_no_bits" ) {
+            if ( $QAstatus !~ "QA running" ) {
+                $platform_idx = 0;
+            } else {
+                $platform_idx = -1;
+            }
+            $passed_idx = 0;
+
+            $last_host = $host;
+            $last_no_bits = $no_bits;
+        } else {
+            $platform_idx ++;
+            $passed_idx++ if ( $QAstatus =~ "QA passed" ) ;
+        }
+
+        debug ("$tbx_dir host $host date $fulldate bits $no_bits $year/$month/$day  $hour:$min QAstatus $QAstatus pli $platform_idx pai $passed_idx");
+
+        if ( $passed_idx > $PASSED_NEWER_DIRS && $QAstatus =~ "QA passed" ) {
+            $ekeeptime=$efulldate + $ePASSED_TBX_KEEP;
+            #($s, $m, $h, $d, $mo, $y) = localtime($ekeeptime);
+            #debug ("$passed_idx > $PASSED_NEWER_DIRS ekeeptime ($s, $m, $h, $d, $mo, $y) == $ekeeptime");
+             rm_tbx ("Passed $PASSED_TBX_KEEP_HOURS +  hours old") if ( $ekeeptime <= $enow );
+        } elsif ( $QAstatus !~ "QA failed" ) {
+            $ekeeptime=$efulldate + $eNOT_FAILED_TBX_KEEP;
+            rm_tbx ("Not failed $NOT_FAILED_TBX_KEEP_HOURS + hours old") if ( $ekeeptime <= $enow );
+	} else {
+            $ekeeptime=$efulldate + $eANY_TBX_KEEP;
+             rm_tbx ("Passed 2+ hours old") if ( $ekeeptime <= $enow );
+        }
+        if  ( $QAstatus =~ "QA failed" ) {
+            $ekeeptime=$efulldate + $eIF_TBX_KEEP;
+            #FIXME - compare to the previous failure by filtering and 
+            #FIXME diffing the results.html files (first grep failed)
+        }
+    }
+
+}
+
+sub rm_tbx()
+{
+
+debug ("DELETING $tbx_dir... (@_[0]) ");
+system("rm -rf $TBX_TESTDIR/$tbx_dir");
+#debug ("rm -rf $TBX_TESTDIR/$tbx_dir");
+
+}
+
+sub msg
+{
+    my $i;
+    for ($i = 0; $i <= $#_ ; $i++ ) {
+        print "@_[$i] ";
+    }
+    print "\n";
+
+}
+sub error
+{
+    msg ("ERROR:  " ,@_ );
+}
+
+sub warning
+{
+    msg ("WARNING:" ,@_ );
+}
+sub debug
+{
+    if ( $verbose == 1 ) {
+        msg ("DEBUG:  " ,@_ );
+    } elsif ( $verbose == 2 ) {
+        msg (@_ );
+    }
+}
+
+check_tbx_dirs;
diff --git a/security/nss/tests/cmdtests/cmdtests.sh b/security/nss/tests/cmdtests/cmdtests.sh
new file mode 100644
index 000000000..765d8ac84
--- /dev/null
+++ b/security/nss/tests/cmdtests/cmdtests.sh
@@ -0,0 +1,133 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+# Script to run small tests to test specific crashes of NSS
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from 
+# --------------
+#   all.sh
+#
+# tests implemented:
+# vercrt (verify encryption cert - bugzilla bug 119059)
+# vercrtfps (verify encryption cert in fips mode - bugzilla bug 119214)
+# test3 (CERT_FindUserCertByUsage called 2nd time - bug 118864)
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## cmdtests_init ###########################
+# local shell function to initialize this script 
+########################################################################
+cmdtests_init()
+{
+  SCRIPTNAME=cmdtests.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=cmdtests.sh
+  html_head "Tests in cmd/tests"
+
+# grep "SUCCESS: cmd/tests passed" $CERT_LOG_FILE >/dev/null || {
+#     Exit 15 "Fatal - cert.sh needs to pass first"
+# }
+
+  CMDTESTSDIR=${HOSTDIR}/cmd/tests
+  COPYDIR=${CMDTESTSDIR}/copydir
+
+  R_CMDTESTSDIR=../cmd/tests
+  R_COPYDIR=../cmd/tests/copydir
+  P_R_COPYDIR=${R_COPYDIR}
+
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     P_R_COPYDIR="multiaccess:Cmdtests.$version"
+  fi
+
+  mkdir -p ${CMDTESTSDIR}
+  mkdir -p ${COPYDIR}
+  mkdir -p ${CMDTESTSDIR}/html
+
+  cd ${CMDTESTSDIR}
+}
+
+############################## ct_vercrt ##################################
+# CERT_VerifyCert should not fail when verifying encryption cert 
+# Bugzilla Bug 119059
+########################################################################
+#ct_vercrt()
+#{
+ # echo "$SCRIPTNAME: Verify encryption certificate ----------------------"
+ # echo "vercrt"
+ # vercrt
+ # ret=$?
+ # html_msg $ret 0 "Verify encryption certificate (vercrt)"
+#
+#}
+
+
+############################## cmdtests_cleanup ########################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+cmdtests_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+cmdtests_init
+
+#ct_vercrt
+cmdtests_cleanup
diff --git a/security/nss/tests/common/Makefile b/security/nss/tests/common/Makefile
new file mode 100644
index 000000000..e99783748
--- /dev/null
+++ b/security/nss/tests/common/Makefile
@@ -0,0 +1,53 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH	= ../../..
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+objdir_name:
+	@echo $(OBJDIR_NAME)
+
+os_arch:
+	@echo $(OS_ARCH)
+
+dll_prefix:
+	@echo $(DLL_PREFIX)
+
+dll_suffix:
+	@echo $(DLL_SUFFIX)
diff --git a/security/nss/tests/common/cleanup.sh b/security/nss/tests/common/cleanup.sh
new file mode 100755
index 000000000..a68f97b10
--- /dev/null
+++ b/security/nss/tests/common/cleanup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
+    html "END_OF_TEST<BR>"
+    html "</BODY></HTML>" 
+    rm -f ${TEMPFILES} 2>/dev/null
+fi
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
new file mode 100644
index 000000000..12be76841
--- /dev/null
+++ b/security/nss/tests/common/init.sh
@@ -0,0 +1,647 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/common/init.sh
+#
+# initialization for NSS QA, can be included multiple times
+# from all.sh and the individual scripts
+#
+# variables, utilities and shellfunctions global to NSS QA
+# needs to work on all Unix and Windows platforms
+#
+# included from 
+# -------------
+#   all.sh
+#   ssl.sh
+#   sdr.sh
+#   cipher.sh
+#   perf.sh
+#   cert.sh
+#   smime.sh
+#   tools.sh
+#   fips.sh
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# NOTE:
+# -----
+#    Unlike the old QA this is based on files sourcing each other
+#    This is done to save time, since a great portion of time is lost
+#    in calling and sourcing the same things multiple times over the
+#    network. Also, this way all scripts have all shell function  available
+#    and a completely common environment
+#
+########################################################################
+
+NSS_STRICT_SHUTDOWN=1
+export NSS_STRICT_SHUTDOWN
+
+# Init directories based on HOSTDIR variable
+if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+    init_directories()
+    {
+        TMP=${HOSTDIR}      #TMP=${TMP-/tmp}
+        TEMP=${TMP}
+        TMPDIR=${TMP}
+
+        CADIR=${HOSTDIR}/CA
+        SERVERDIR=${HOSTDIR}/server
+        CLIENTDIR=${HOSTDIR}/client
+        ALICEDIR=${HOSTDIR}/alicedir
+        BOBDIR=${HOSTDIR}/bobdir
+        DAVEDIR=${HOSTDIR}/dave
+        EVEDIR=${HOSTDIR}/eve
+        FIPSDIR=${HOSTDIR}/fips
+        DBPASSDIR=${HOSTDIR}/dbpass
+        ECCURVES_DIR=${HOSTDIR}/eccurves
+
+        SERVER_CADIR=${HOSTDIR}/serverCA
+        CLIENT_CADIR=${HOSTDIR}/clientCA
+        EXT_SERVERDIR=${HOSTDIR}/ext_server
+        EXT_CLIENTDIR=${HOSTDIR}/ext_client
+
+        IOPR_CADIR=${HOSTDIR}/CA_iopr
+        IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
+        IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
+        IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
+
+        CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+
+        PWFILE=${HOSTDIR}/tests.pw.$$
+        NOISE_FILE=${HOSTDIR}/tests_noise.$$
+        CORELIST_FILE=${HOSTDIR}/clist.$$
+
+        FIPSPWFILE=${HOSTDIR}/tests.fipspw.$$
+        FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw.$$
+        FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw.$$
+
+        echo "fIps140" > ${FIPSPWFILE}
+        echo "fips104" > ${FIPSBADPWFILE}
+        echo "pKcs12fips140" > ${FIPSP12PWFILE}
+
+        noise
+
+        P_SERVER_CADIR=${SERVER_CADIR}
+        P_CLIENT_CADIR=${CLIENT_CADIR}
+    
+        if [ -n "${MULTIACCESS_DBM}" ]; then
+            P_SERVER_CADIR="multiaccess:${D_SERVER_CA}"
+            P_CLIENT_CADIR="multiaccess:${D_CLIENT_CA}"
+        fi
+
+
+        # a new log file, short - fast to search, mostly for tools to
+        # see if their portion of the cert has succeeded, also for me -
+        CERT_LOG_FILE=${HOSTDIR}/cert.log      #the output.log is so crowded...
+
+        TEMPFILES="${PWFILE} ${NOISE_FILE}"
+
+        export HOSTDIR
+    }
+
+# Generate noise file
+    noise()
+    {
+        # NOTE: these keys are only suitable for testing, as this whole thing 
+        # bypasses the entropy gathering. Don't use this method to generate 
+        # keys and certs for product use or deployment.
+        ps -efl > ${NOISE_FILE} 2>&1
+        ps aux >> ${NOISE_FILE} 2>&1
+        date >> ${NOISE_FILE} 2>&1
+    }
+
+# Print selected environment variable (used for backup)
+    env_backup()
+    {
+        echo "HOSTDIR=\"${HOSTDIR}\""
+        echo "TABLE_ARGS="
+        echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
+        echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
+        echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+        echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
+        echo "export NSS_DEFAULT_DB_TYPE"
+        echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
+        echo "export NSS_ENABLE_PKIX_VERIFY"
+        echo "init_directories"
+    }
+
+# Exit shellfunction to clean up at exit (error, regular or signal)
+    Exit()
+    {
+        if [ -n "$1" ] ; then
+            echo "$SCRIPTNAME: Exit: $* - FAILED"
+            html_failed "$*"
+        fi
+        echo "</TABLE><BR>" >> ${RESULTS}
+        if [ -n "${SERVERPID}" -a -f "${SERVERPID}" ]; then
+            ${KILL} `cat ${SERVERPID}`
+        fi
+        cd ${QADIR}
+        . common/cleanup.sh
+        case $1 in
+            [0-4][0-9]|[0-9])
+                exit $1;
+                ;;
+            *)
+                exit 1
+                ;;
+        esac
+    }
+
+    detect_core()
+    {
+        [ ! -f $CORELIST_FILE ] && touch $CORELIST_FILE
+        mv $CORELIST_FILE ${CORELIST_FILE}.old
+        coreStr=`find $HOSTDIR -type f -name '*core*'`
+        res=0
+        if [ -n "$coreStr" ]; then
+            sum $coreStr > $CORELIST_FILE
+            res=`cat $CORELIST_FILE ${CORELIST_FILE}.old | sort | uniq -u | wc -l`
+        fi
+        return $res
+    }
+
+#html functions to give the resultfiles a consistant look
+    html() #########################    write the results.html file
+    {      # 3 functions so we can put targets in the output.log easier
+        echo $* >>${RESULTS}
+    }
+    html_passed()
+    {
+        html_detect_core "$@" || return
+        MSG_ID=`cat ${MSG_ID_FILE}`
+        MSG_ID=`expr ${MSG_ID} + 1`
+        echo ${MSG_ID} > ${MSG_ID_FILE}
+        html "<TR><TD>#${MSG_ID}: $1 ${HTML_PASSED}"
+        echo "${SCRIPTNAME}: #${MSG_ID}: $* - PASSED"
+    }
+    html_failed()
+    {
+        html_detect_core "$@" || return
+        MSG_ID=`cat ${MSG_ID_FILE}`
+        MSG_ID=`expr ${MSG_ID} + 1`
+        echo ${MSG_ID} > ${MSG_ID_FILE}
+        html "<TR><TD>#${MSG_ID}: $1 ${HTML_FAILED}"
+        echo "${SCRIPTNAME}: #${MSG_ID}: $* - FAILED"
+    }
+    html_detect_core()
+    {
+        detect_core
+        if [ $? -ne 0 ]; then
+            MSG_ID=`cat ${MSG_ID_FILE}`
+            MSG_ID=`expr ${MSG_ID} + 1`
+            echo ${MSG_ID} > ${MSG_ID_FILE}
+            html "<TR><TD>#${MSG_ID}: $* ${HTML_FAILED_CORE}"
+            echo "${SCRIPTNAME}: #${MSG_ID}: $* - Core file is detected - FAILED"
+            return 1
+        fi
+        return 0
+    }
+    html_head()
+    {
+	
+        html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
+        html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" 
+        echo "$SCRIPTNAME: $* ==============================="
+    }
+    html_msg()
+    {
+        if [ "$1" -ne "$2" ] ; then
+            html_failed "$3" "$4"
+        else
+            html_passed "$3" "$4"
+        fi
+    }
+    HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
+    HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
+    HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
+    TABLE_ARGS=
+
+
+#directory name init
+    SCRIPTNAME=init.sh
+
+    mozilla_root=`(cd ../../../..; pwd)`
+    MOZILLA_ROOT=${MOZILLA_ROOT-$mozilla_root}
+
+    qadir=`(cd ..; pwd)`
+    QADIR=${QADIR-$qadir}
+
+    common=${QADIR}/common
+    COMMON=${TEST_COMMON-$common}
+    export COMMON
+
+    MAKE=gmake
+    $MAKE -v >/dev/null 2>&1 || MAKE=make
+    $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
+    MAKE="$MAKE --no-print-directory"
+
+    DIST=${DIST-${MOZILLA_ROOT}/dist}
+    SECURITY_ROOT=${SECURITY_ROOT-${MOZILLA_ROOT}/security/nss}
+    TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
+    OBJDIR=`(cd $COMMON; $MAKE objdir_name)`
+    OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
+    DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
+    DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
+    OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"`
+
+    BINDIR="${DIST}/${OBJDIR}/bin"
+
+    # Pathnames constructed from ${TESTDIR} are passed to NSS tools
+    # such as certutil, which don't understand Cygwin pathnames.
+    # So we need to convert ${TESTDIR} to a Windows pathname (with
+    # regular slashes).
+    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+        TESTDIR=`cygpath -m ${TESTDIR}`
+        QADIR=`cygpath -m ${QADIR}`
+    fi
+
+    # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+		mingw_mozilla_root=`(cd ../../../..; pwd -W)`
+		MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+		TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+    fi
+
+    # Same problem with MSYS/Mingw, except we need to start over with pwd -W
+    if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "MINGW32_NT" ]; then
+		mingw_mozilla_root=`(cd ../../../..; pwd -W)`
+		MINGW_MOZILLA_ROOT=${MINGW_MOZILLA_ROOT-$mingw_mozilla_root}
+		TESTDIR=${MINGW_TESTDIR-${MINGW_MOZILLA_ROOT}/tests_results/security}
+    fi
+    echo testdir is $TESTDIR
+
+#in case of backward comp. tests the calling scripts set the
+#PATH and LD_LIBRARY_PATH and do not want them to be changed
+    if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then
+        if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME"  != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then
+            PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
+            PATH=`perl ../path_uniq -d ';' "$PATH"`
+        else
+            PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH
+            # added /bin and /usr/bin in the beginning so a local perl will 
+            # be used
+            PATH=`perl ../path_uniq -d ':' "$PATH"`
+        fi
+
+        LD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$LD_LIBRARY_PATH
+        SHLIB_PATH=${DIST}/${OBJDIR}/lib:$SHLIB_PATH
+        LIBPATH=${DIST}/${OBJDIR}/lib:$LIBPATH
+        DYLD_LIBRARY_PATH=${DIST}/${OBJDIR}/lib:$DYLD_LIBRARY_PATH
+    fi
+
+    if [ ! -d "${TESTDIR}" ]; then
+        echo "$SCRIPTNAME init: Creating ${TESTDIR}"
+        mkdir -p ${TESTDIR}
+    fi
+
+#HOST and DOMSUF are needed for the server cert
+
+    DOMAINNAME=`which domainname`
+    if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+        DOMSUF=`domainname`
+    fi
+
+    case $HOST in
+        *\.*)
+            if [ -z "${DOMSUF}" ]; then
+                DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+            fi
+            HOST=`echo $HOST | sed -e "s/\..*//"`
+            ;;
+        ?*)
+            ;;
+        *)
+            HOST=`uname -n`
+            case $HOST in
+                *\.*)
+                    if [ -z "${DOMSUF}" ]; then
+                        DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+                    fi
+                    HOST=`echo $HOST | sed -e "s/\..*//"`
+                    ;;
+                ?*)
+                    ;;
+                *)
+                    echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+                    exit 1 #does not need to be Exit, very early in script
+                    ;;
+            esac
+            ;;
+    esac
+
+    if [ -z "${DOMSUF}" ]; then
+        echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
+        exit 1 #does not need to be Exit, very early in script
+    fi
+
+#HOSTADDR was a workaround for the dist. stress test, and is probably 
+#not needed anymore (purpose: be able to use IP address for the server 
+#cert instead of PC name which was not in the DNS because of dyn IP address
+    if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
+        HOSTADDR=${HOST}.${DOMSUF}
+    else
+        HOSTADDR=${IP_ADDRESS}
+    fi
+
+#if running remote side of the distributed stress test we need to use 
+#the files that the server side gives us...
+    if [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+        for w in `ls -rtd ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+            sed -e "s/.*${HOST}.//"` ; do
+                version=$w
+        done
+        HOSTDIR=${TESTDIR}/${HOST}.$version
+        echo "$SCRIPTNAME init: HOSTDIR $HOSTDIR"
+        echo $HOSTDIR
+        if [ ! -d $HOSTDIR ] ; then
+            echo "$SCRIPTNAME: Fatal: Remote side of dist. stress test "
+            echo "       - server HOSTDIR $HOSTDIR does not exist"
+            exit 1 #does not need to be Exit, very early in script
+        fi
+    fi
+
+#find the HOSTDIR, where the results are supposed to go
+    if [ -n "${HOSTDIR}" ]; then
+        version=`echo $HOSTDIR | sed  -e "s/.*${HOST}.//"` 
+    else
+        if [ -f "${TESTDIR}/${HOST}" ]; then
+            version=`cat ${TESTDIR}/${HOST}`
+        else
+            version=1
+        fi
+#file has a tendency to disappear, messing up the rest of QA - 
+#workaround to find the next higher number if version file is not there
+        if [ -z "${version}" ]; then    # for some strange reason this file
+                                        # gets truncated at times... Windos
+            for w in `ls -d ${TESTDIR}/${HOST}.[0-9]* 2>/dev/null |
+                sort -t '.' -n | sed -e "s/.*${HOST}.//"` ; do
+                version=`expr $w + 1`
+            done
+            if [ -z "${version}" ]; then
+                version=1
+            fi
+        fi
+        expr $version + 1 > ${TESTDIR}/${HOST}
+
+        HOSTDIR=${TESTDIR}/${HOST}'.'$version
+
+        mkdir -p ${HOSTDIR}
+    fi
+
+#result and log file and filename init,
+    if [ -z "${LOGFILE}" ]; then
+        LOGFILE=${HOSTDIR}/output.log
+    fi
+    if [ ! -f "${LOGFILE}" ]; then
+        touch ${LOGFILE}
+    fi
+    if [ -z "${RESULTS}" ]; then
+        RESULTS=${HOSTDIR}/results.html
+    fi
+    if [ ! -f "${RESULTS}" ]; then
+        cp ${COMMON}/results_header.html ${RESULTS}
+        html "<H4>Platform: ${OBJDIR}<BR>" 
+        html "Test Run: ${HOST}.$version</H4>" 
+        html "${BC_ACTION}"
+        html "<HR><BR>" 
+        html "<HTML><BODY>" 
+
+        echo "********************************************" | tee -a ${LOGFILE}
+        echo "   Platform: ${OBJDIR}"                       | tee -a ${LOGFILE}
+        echo "   Results: ${HOST}.$version"                 | tee -a ${LOGFILE}
+        echo "********************************************" | tee -a ${LOGFILE}
+	echo "$BC_ACTION"                                   | tee -a ${LOGFILE}
+#if running remote side of the distributed stress test 
+# let the user know who it is...
+    elif [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+        echo "********************************************" | tee -a ${LOGFILE}
+        echo "   Platform: ${OBJDIR}"                       | tee -a ${LOGFILE}
+        echo "   Results: ${HOST}.$version"                 | tee -a ${LOGFILE}
+        echo "   remote side of distributed stress test "   | tee -a ${LOGFILE}
+        echo "   `uname -n -s`"                             | tee -a ${LOGFILE}
+        echo "********************************************" | tee -a ${LOGFILE}
+    fi
+
+    echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |\
+        tee -a ${LOGFILE}
+
+    KILL="kill"
+
+    if [ `uname -s` = "SunOS" ]; then
+        PS="/usr/5bin/ps"
+    else
+        PS="ps"
+    fi
+#found 3 rsh's so far that do not work as expected - cygnus mks6 
+#(restricted sh) and mks 7 - if it is not in c:/winnt/system32 it
+#needs to be set in the environ.ksh
+    if [ -z "$RSH" ]; then
+        if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME"  = "CYGWIN_NT" ]; then
+            RSH=/cygdrive/c/winnt/system32/rsh
+        elif [ "${OS_ARCH}" = "WINNT" ]; then
+            RSH=c:/winnt/system32/rsh
+        else
+            RSH=rsh
+        fi
+    fi
+   
+
+#more filename and directoryname init
+    CURDIR=`pwd`
+
+    CU_ACTION='Unknown certutil action'
+
+    # would like to preserve some tmp files, also easier to see if there 
+    # are "leftovers" - another possibility ${HOSTDIR}/tmp
+
+    init_directories
+
+    FIPSCERTNICK="FIPS_PUB_140_Test_Certificate"
+
+    # domains to handle ipc based access to databases
+    D_CA="TestCA.$version"
+    D_ALICE="Alice.$version"
+    D_BOB="Bob.$version"
+    D_DAVE="Dave.$version"
+    D_EVE="Eve.$version"
+    D_SERVER_CA="ServerCA.$version"
+    D_CLIENT_CA="ClientCA.$version"
+    D_SERVER="Server.$version"
+    D_CLIENT="Client.$version"
+    D_FIPS="FIPS.$version"
+    D_DBPASS="DBPASS.$version"
+    D_ECCURVES="ECCURVES.$version"
+    D_EXT_SERVER="ExtendedServer.$version"
+    D_EXT_CLIENT="ExtendedClient.$version"
+    D_CERT_EXTENSTIONS="CertExtensions.$version"
+
+    # we need relative pathnames of these files abd directories, since our 
+    # tools can't handle the unix style absolut pathnames on cygnus
+
+    R_CADIR=../CA
+    R_SERVERDIR=../server
+    R_CLIENTDIR=../client
+    R_IOPR_CADIR=../CA_iopr
+    R_IOPR_SSL_SERVERDIR=../server_ssl_iopr
+    R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
+    R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
+    R_ALICEDIR=../alicedir
+    R_BOBDIR=../bobdir
+    R_DAVEDIR=../dave
+    R_EVEDIR=../eve
+    R_EXT_SERVERDIR=../ext_server
+    R_EXT_CLIENTDIR=../ext_client
+    R_CERT_EXT=../cert_extensions
+
+    #
+    # profiles are either paths or domains depending on the setting of
+    # MULTIACCESS_DBM
+    #
+    P_R_CADIR=${R_CADIR}
+    P_R_ALICEDIR=${R_ALICEDIR}
+    P_R_BOBDIR=${R_BOBDIR}
+    P_R_DAVEDIR=${R_DAVEDIR}
+    P_R_EVEDIR=${R_EVEDIR}
+    P_R_SERVERDIR=${R_SERVERDIR}
+    P_R_CLIENTDIR=${R_CLIENTDIR}
+    P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
+    P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
+    if [ -n "${MULTIACCESS_DBM}" ]; then
+	P_R_CADIR="multiaccess:${D_CA}"
+	P_R_ALICEDIR="multiaccess:${D_ALICE}"
+	P_R_BOBDIR="multiaccess:${D_BOB}"
+	P_R_DAVEDIR="multiaccess:${D_DAVE}"
+	P_R_EVEDIR="multiaccess:${D_EVE}"
+	P_R_SERVERDIR="multiaccess:${D_SERVER}"
+	P_R_CLIENTDIR="multiaccess:${D_CLIENT}"
+	P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
+	P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
+    fi
+
+    R_PWFILE=../tests.pw.$$
+    R_NOISE_FILE=../tests_noise.$$
+
+    R_FIPSPWFILE=../tests.fipspw.$$
+    R_FIPSBADPWFILE=../tests.fipsbadpw.$$
+    R_FIPSP12PWFILE=../tests.fipsp12pw.$$
+
+    trap "Exit $0 Signal_caught" 2 3
+
+    export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH DYLD_LIBRARY_PATH
+    export DOMSUF HOSTADDR
+    export KILL PS
+    export MOZILLA_ROOT SECURITY_ROOT DIST TESTDIR OBJDIR QADIR
+    export LOGFILE SCRIPTNAME
+
+#used for the distributed stress test, the server generates certificates 
+#from GLOB_MIN_CERT to GLOB_MAX_CERT 
+# NOTE - this variable actually gets initialized by directly by the 
+# ssl_dist_stress.shs sl_ds_init() before init is called - need to change 
+# in  both places. speaking of data encapsulatioN...
+
+    if [ -z "$GLOB_MIN_CERT" ] ; then
+        GLOB_MIN_CERT=0
+    fi
+    if [ -z "$GLOB_MAX_CERT" ] ; then
+        GLOB_MAX_CERT=200
+    fi
+    if [ -z "$MIN_CERT" ] ; then
+        MIN_CERT=$GLOB_MIN_CERT
+    fi
+    if [ -z "$MAX_CERT" ] ; then
+        MAX_CERT=$GLOB_MAX_CERT
+    fi
+
+    #################################################
+    # CRL SSL testing constatnts
+    #
+
+
+    CRL_GRP_1_BEGIN=40
+    CRL_GRP_1_RANGE=3
+    UNREVOKED_CERT_GRP_1=41
+
+    CRL_GRP_2_BEGIN=43
+    CRL_GRP_2_RANGE=6
+    UNREVOKED_CERT_GRP_2=46
+
+    CRL_GRP_3_BEGIN=49
+    CRL_GRP_3_RANGE=4
+    UNREVOKED_CERT_GRP_3=51
+
+    TOTAL_CRL_RANGE=`expr ${CRL_GRP_1_RANGE} + ${CRL_GRP_2_RANGE} + \
+                     ${CRL_GRP_3_RANGE}`
+
+    TOTAL_GRP_NUM=3
+    
+    RELOAD_CRL=1
+
+    NSS_DEFAULT_DB_TYPE="dbm"
+    export NSS_DEFAULT_DB_TYPE
+
+    MSG_ID_FILE="${HOSTDIR}/id"
+    MSG_ID=0
+    echo ${MSG_ID} > ${MSG_ID_FILE}
+
+    #################################################
+    # Interoperability testing constatnts
+    #
+    # if suite is setup for testing, IOPR_HOSTADDR_LIST should have
+    # at least one host name(FQDN)
+    # Example   IOPR_HOSTADDR_LIST="goa1.SFBay.Sun.COM"
+
+    if [ -z "`echo ${IOPR_HOSTADDR_LIST} | grep '[A-Za-z]'`" ]; then
+        IOPR=0
+    else
+        IOPR=1
+    fi
+    #################################################
+
+    if [ "${OS_ARCH}" != "WINNT" ]; then
+        ulimit -c unlimited
+    fi 
+
+    SCRIPTNAME=$0
+    INIT_SOURCED=TRUE   #whatever one does - NEVER export this one please
+fi
diff --git a/security/nss/tests/common/results_header.html b/security/nss/tests/common/results_header.html
new file mode 100644
index 000000000..c09685b11
--- /dev/null
+++ b/security/nss/tests/common/results_header.html
@@ -0,0 +1,6 @@
+<HTML>
+<HEAD>
+<TITLE>Test Report for NSS</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF">
+<CENTER><H3>Test Report for NSS</H3></CENTER>
diff --git a/security/nss/tests/core_watch b/security/nss/tests/core_watch
new file mode 100755
index 000000000..a627983a3
--- /dev/null
+++ b/security/nss/tests/core_watch
@@ -0,0 +1,45 @@
+#############################################################
+# script to watch for cores during QA runs, so they won't overwrite one
+# another
+# Not activated for efficiency reasons, and problems on MKS, us
+# only when needed and remember to remove afterwards
+#############################################################
+
+#############################################################
+# to activate put the following into all.sh (after the HOSTDIR 
+# has been exported
+#############################################################
+# sh `dirname $0`/core_watch $HOSTDIR ${HOSTDIR} &    
+# CORE_WATCH_PID=$!
+# if [ -n "${KILLPIDS}" ]
+# then
+#     echo $CORE_WATCH_PID >>"${KILLPIDS}"            
+# fi
+#############################################################
+
+#############################################################
+# or put the following into nssqa to watch the whole RESULTDIR
+# start it shortly before run_all
+#
+# NOTE: the more efficient way is above, this is potentially going
+# thru 1000ds of files every 30 seconds
+#############################################################
+# sh `dirname $0`/core_watch $RESULTDIR &    
+# echo $! >>"${KILLPIDS}"        #so Exit() can hopefully kill the core_watch
+#############################################################
+
+# in both cases remember to kill the process when done, since 
+# the PIDs that end up in ${KILLPIDS} might not work for all OS
+# something like "kill_by_name core_watch
+
+echo $$ >>"${KILLPIDS}"     #so Exit() can hopefully kill this shell
+while [ 1 ]
+do
+    for w in `find $1 -name "core" -print`
+    do
+        echo "Found core $w"
+        mv $w $w.`date +%H%M%S`
+    done
+    sleep 30
+done
+
diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh
new file mode 100644
index 000000000..f61569c97
--- /dev/null
+++ b/security/nss/tests/crmf/crmf.sh
@@ -0,0 +1,121 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/crmf/crmf.sh
+#
+# Script to test NSS crmf library (a static library) 
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## smime_init ##############################
+# local shell function to initialize this script
+########################################################################
+crmf_init()
+{
+  SCRIPTNAME=crmf.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  html_head "CRMF/CMMF Tests"
+
+  # cmrf uses the S/MIME certs to test with
+  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+  }
+
+  CRMFDIR=${HOSTDIR}/crmf
+  R_CRMFDIR=../crmf
+  mkdir -p ${CRMFDIR}
+  cd ${CRMFDIR}
+}
+
+############################## crmf_main ##############################
+# local shell function to test basic CRMF request and CMMF responses
+# from 1 --> 2"
+########################################################################
+crmf_main()
+{
+  echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
+  html_msg $? 0 "CRMF test" "."
+
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf 
+  html_msg $? 0 "CMMF test" "."
+
+# Add tests for key recovery and challange as crmftest's capabilities increase
+
+}
+  
+############################## crmf_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+crmf_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+crmf_init
+crmf_main
+crmf_cleanup
+
diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh
new file mode 100755
index 000000000..3db294fd5
--- /dev/null
+++ b/security/nss/tests/dbtests/dbtests.sh
@@ -0,0 +1,248 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Sonja Mirtitsch Sun Microsystems
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/dbtest/dbtest.sh
+#
+# Certificate generating and handeling for NSS QA, can be included 
+# multiple times from all.sh and the individual scripts
+#
+# needs to work on all Unix and Windows platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+#   all.sh
+#   ssl.sh
+#   smime.sh
+#   tools.sh
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+############################## dbtest_init ###############################
+# local shell function to initialize this script
+########################################################################
+dbtest_init()
+{
+  SCRIPTNAME="dbtests.sh"
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  if [ -z "${INIT_SOURCED}" ] ; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+
+  SCRIPTNAME="dbtests.sh"
+  DBTEST_LOG=${HOSTDIR}/dbtest.log    #we don't want all the errormessages 
+         # in the output.log, otherwise we can't tell what's a real error
+  RONLY_DIR=${HOSTDIR}/ronlydir
+  EMPTY_DIR=${HOSTDIR}/emptydir
+
+  html_head "CERT and Key DB Tests"
+
+}
+
+############################## dbtest_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+dbtest_cleanup()
+{
+  html "</TABLE><BR>" 
+  cd ${QADIR}
+  chmod a+rw $RONLY_DIR
+  . common/cleanup.sh
+}
+
+Echo()
+{
+    echo
+    echo "---------------------------------------------------------------"
+    echo "| $*"
+    echo "---------------------------------------------------------------"
+}
+dbtest_main()
+{
+    cd ${HOSTDIR}
+
+    
+    Echo "test opening the database read/write in a nonexisting directory"
+    ${BINDIR}/certutil -L -X -d ./non_existant_dir
+    ret=$?
+    if [ $ret -ne 255 ]; then
+      html_failed "Certutil succeeded in a nonexisting directory $ret"
+    else
+      html_passed "Certutil didn't work in a nonexisting dir $ret" 
+    fi
+    ${BINDIR}/dbtest -r -d ./non_existant_dir
+    ret=$?
+    if [ $ret -ne 46 ]; then
+      html_failed "Dbtest readonly succeeded in a nonexisting directory $ret"
+    else
+      html_passed "Dbtest readonly didn't work in a nonexisting dir $ret" 
+    fi
+
+    Echo "test force opening the database in a nonexisting directory"
+    ${BINDIR}/dbtest -f -d ./non_existant_dir
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest force failed in a nonexisting directory $ret"
+    else
+      html_passed "Dbtest force succeeded in a nonexisting dir $ret"
+    fi
+
+    Echo "test opening the database readonly in an empty directory"
+    mkdir $EMPTY_DIR
+    ${BINDIR}/tstclnt -h  ${HOST}  -d $EMPTY_DIR 
+    ret=$?
+    if [ $ret -ne 1 ]; then
+      html_failed "Tstclnt succeded in an empty directory $ret"
+    else
+      html_passed "Tstclnt didn't work in an empty dir $ret"
+    fi
+    ${BINDIR}/dbtest -r -d $EMPTY_DIR
+    ret=$?
+    if [ $ret -ne 46 ]; then
+      html_failed "Dbtest readonly succeeded in an empty directory $ret"
+    else
+      html_passed "Dbtest readonly didn't work in an empty dir $ret" 
+    fi
+    rm -rf $EMPTY_DIR/* 2>/dev/null
+    ${BINDIR}/dbtest -i -d $EMPTY_DIR
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest logout after empty DB Init looses key $ret"
+    else
+      html_passed "Dbtest logout after empty DB Init has key" 
+    fi
+    rm -rf $EMPTY_DIR/* 2>/dev/null
+    ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest password DB Init looses needlogin state $ret"
+    else
+      html_passed "Dbtest password DB Init maintains needlogin state" 
+    fi
+    rm -rf $EMPTY_DIR/* 2>/dev/null
+    ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB
+    ret=$?
+    if [ $ret -ne 255 ]; then 
+        html_failed "Certutil succeeded in deleting a cert in an empty directory $ret"
+    else
+        html_passed "Certutil didn't work in an empty dir $ret"
+    fi
+    rm -rf $EMPTY_DIR/* 2>/dev/null
+    Echo "test force opening the database  readonly in a empty directory"
+    ${BINDIR}/dbtest -r -f -d $EMPTY_DIR
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest force readonly failed in an empty directory $ret"
+    else
+      html_passed "Dbtest force readonly succeeded in an empty dir $ret"
+    fi
+
+    Echo "test opening the database r/w in a readonly directory"
+    mkdir $RONLY_DIR
+    cp -r ${CLIENTDIR}/* $RONLY_DIR
+    chmod -w $RONLY_DIR $RONLY_DIR/*
+
+    # On Mac OS X 10.1, if we do a "chmod -w" on files in an
+    # NFS-mounted directory, it takes several seconds for the
+    # first open to see the files are readonly, but subsequent
+    # opens immediately see the files are readonly.  As a
+    # workaround we open the files once first.  (Bug 185074)
+    if [ "${OS_ARCH}" = "Darwin" ]; then
+        cat $RONLY_DIR/* > /dev/null
+    fi
+
+    ${BINDIR}/dbtest -d $RONLY_DIR
+    ret=$?
+    if [ $ret -ne 46 ]; then
+      html_failed "Dbtest r/w succeeded in an readonly directory $ret"
+    else
+      html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
+    fi
+    ${BINDIR}/certutil -D -n "TestUser" -d .
+    ret=$?
+    if [ $ret -ne 255 ]; then
+      html_failed "Certutil succeeded in deleting a cert in an readonly directory $ret"
+    else
+        html_passed "Certutil didn't work in an readonly dir $ret"
+    fi
+    
+    Echo "test opening the database ronly in a readonly directory"
+
+    ${BINDIR}/dbtest -d $RONLY_DIR -r
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest readonly failed in a readonly directory $ret"
+    else
+      html_passed "Dbtest readonly succeeded in a readonly dir $ret" 
+    fi
+
+    Echo "test force opening the database  r/w in a readonly directory"
+    ${BINDIR}/dbtest -d $RONLY_DIR -f
+    ret=$?
+    if [ $ret -ne 0 ]; then
+      html_failed "Dbtest force failed in a readonly directory $ret"
+    else
+      html_passed "Dbtest force succeeded in a readonly dir $ret"
+    fi
+
+    Echo "ls -l $RONLY_DIR"
+    ls -ld $RONLY_DIR $RONLY_DIR/*
+
+}
+
+################## main #################################################
+
+dbtest_init 
+dbtest_main >$DBTEST_LOG 2>&1
+dbtest_cleanup
diff --git a/security/nss/tests/dbupgrade/dbupgrade.sh b/security/nss/tests/dbupgrade/dbupgrade.sh
new file mode 100755
index 000000000..c74d34297
--- /dev/null
+++ b/security/nss/tests/dbupgrade/dbupgrade.sh
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/dbupgrade/dbupgrade.sh
+#
+# Script to upgrade databases to Shared DB
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################ dbupgrade_init ############################
+# local shell function to initialize this script
+########################################################################
+dbupgrade_init()
+{
+	if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 
+		cd ${QADIR}/common
+		. ./init.sh
+	fi
+	
+	if [ ! -r "${CERT_LOG_FILE}" ]; then  # we need certificates here
+		cd ${QADIR}/cert 
+		. ./cert.sh
+	fi
+
+	if [ ! -d ${HOSTDIR}/SDR ]; then  # we also need sdr as well
+		cd ${QADIR}/sdr
+		. ./sdr.sh
+	fi
+	
+	SCRIPTNAME=dbupgrade.sh
+	if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+		CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+	fi
+	
+	echo "$SCRIPTNAME: DB upgrade tests ==============================="
+}
+
+############################ dbupgrade_main ############################
+# local shell function to upgrade certificate databases
+########################################################################
+dbupgrade_main()
+{
+	# 'reset' the databases to initial values
+	echo "Reset databases to their initial values:"
+	cd ${HOSTDIR}
+	${BINDIR}/certutil -D -n objsigner -d alicedir 2>&1
+	${BINDIR}/certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1
+	${BINDIR}/certutil -L -d fips 2>&1
+	rm -f smime/alicehello.env
+	
+	# test upgrade to the new database
+	echo "nss" > ${PWFILE}
+	html_head "Legacy to shared Library update"
+	dirs="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server SDR server serverCA tools/copydir"
+	for i in $dirs
+	do
+		echo $i
+		if [ -d $i ]; then
+			echo "upgrading db $i"
+			${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
+			html_msg $? 0 "Upgrading $i"
+		else
+			echo "skipping db $i"
+			html_msg 0 0 "No directory $i"
+		fi
+	done
+	
+	if [ -d fips ]; then
+		echo "upgrading db fips"
+		${BINDIR}/certutil -S -g 512 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1
+		html_msg $? 0 "Upgrading fips"
+		# remove our temp certificate we created in the fist token
+		${BINDIR}/certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1
+		${BINDIR}/certutil -L -d sql:fips 2>&1
+	fi
+	
+	html "</TABLE><BR>"
+}
+
+########################## dbupgrade_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+dbupgrade_cleanup()
+{
+	cd ${QADIR}
+	. common/cleanup.sh
+}
+
+################################# main #################################
+
+dbupgrade_init
+dbupgrade_main
+dbupgrade_cleanup
diff --git a/security/nss/tests/dll_version.sh b/security/nss/tests/dll_version.sh
new file mode 100755
index 000000000..79a128585
--- /dev/null
+++ b/security/nss/tests/dll_version.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# version controll for DLLs
+# ToDo: make version parameter or find version from first occurance of 3.x
+# make the 3 a variable..., include the header
+
+#OS=`uname -s`
+#DSO_SUFFIX=so
+#if [ "$OS" = "HP-UX" ]; then
+    #DSO_SUFFIX=sl
+#fi
+#what libnss3.$DSO_SUFFIX | grep NSS
+#what libsmime3.$DSO_SUFFIX | grep NSS
+#what libssl3.$DSO_SUFFIX | grep NSS
+#ident libnss3.$DSO_SUFFIX | grep NSS
+#ident libsmime3.$DSO_SUFFIX | grep NSS
+#ident libssl3.$DSO_SUFFIX | grep NSS
+
+for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find .  -name "libssl3.s[ol]"`
+do
+        NOWHAT=FALSE
+        NOIDENT=FALSE
+        echo $w
+        what $w | grep NSS || NOWHAT=TRUE
+        ident $w | grep NSS || NOIDENT=TRUE
+        if [ $NOWHAT = TRUE ]
+        then
+                echo "ERROR what $w does not contain NSS"
+        fi
+        if [ $NOIDENT = TRUE ]
+        then
+                echo "ERROR ident $w does not contain NSS"
+        fi
+done
+#for w in `find . -name "libnss3.s[ol]" ; find . -name "libsmime3.s[ol]"; find .
+#-name "libssl3.s[ol]"`
+#do
+        #NOWHAT=FALSE
+        #NOIDENT=FALSE
+        #echo $w
+        #what $w | grep NSS || NOWHAT=TRUE
+        #ident $w | grep NSS || NOIDENT=TRUE
+        #if [ $NOWHAT = TRUE -a $NOIDENT = TRUE ]
+        #then
+                #echo "WARNING what and ident $w does not contain NSS"
+                #strings $w  | grep NSS | grep '3.2' || echo "ERROR strings does
+#not either..."
+        #fi
+#done
+
diff --git a/security/nss/tests/doc/clean.gif b/security/nss/tests/doc/clean.gif
new file mode 100644
index 000000000..08781cb2b
--- /dev/null
+++ b/security/nss/tests/doc/clean.gif
diff --git a/security/nss/tests/doc/nssqa.txt b/security/nss/tests/doc/nssqa.txt
new file mode 100755
index 000000000..34fa0955b
--- /dev/null
+++ b/security/nss/tests/doc/nssqa.txt
@@ -0,0 +1,108 @@
+The new QA wrapper consistst mainly of 2 scripts, nssqa and qa_stat, both 
+include a common header (header) and a common environment (set_environment). 
+Also used is mksymlinks and path_uniq.
+
+The scripts that are used on a daily basis are located in /u/sonmi/bin. 
+
+Parameters and Options are the same for both scripts.
+
+Parameters
+----------
+	nssversion (supported: 30b, 31, tip)
+	builddate (default - today, format mmdd)
+
+Options
+-------
+	-y answer all questions with y - use at your own risk... ignores warnings 
+	-s silent (only usefull with -y)
+	-h, -? -help you guessed right - displays the usage
+	-d debug 
+	-f <filename> - write the (error)output to filename
+	-m <mailinglist> - send filename to mailinglist (csl) only useful
+		with -f on nssqa
+	-l <mozroot> run on a local build - does not work at this time
+	-cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname>
+
+nssqa and qa_stat are Beta at the most
+--------------------------
+Please be aware that 
+
+-) machinenames are still hardcoded --FIXED
+-) other very iPlanet specific environments and features are being used.
+
+-d Debug option will be removed from cron in a few weeks - or maybe not
+-l QA on local build is not fully implemented yet
+
+Please do not use on Windows 95 and 98, ME platforms yet. 
+
+use -d if script behaves strange or exits unexpectedly
+
+How to use QA
+-------------
+To test a build, first run nssqa on the required QA platforms (some 
+buildplatforms require QA to be run on additional platforms - for 
+example Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has 
+been run on multiple or all required platforms it makes sense to run 
+qa_stat on the output of nssqa as well.
+Before used on a new system (even if the same platform has been 
+tested before) please use completely interactive, to see what the 
+variables are being initialized to, and read the warnings. Same is 
+true if being run from a different user account than svbld.
+
+In any case, if you are using it, please let me know the results.
+
+Pseudocode Description of nssqa:
+--------------------------------
+not quite up to date
+
+	header:init (global)
+		set flags and variables to default values
+		signal trap (for interupts and kills)
+		set HOST and DOMSUF variables if running from cron
+		parse parameters and options
+		determine os and set up the environment (espec. PATH)
+		set the directories to run in (influenced by parameters and -l option)
+		set and initialize the tmp / debugging / output files
+
+	nssqa:init (local)
+		locking: if nssqa is already running on this systems (yes-exit, 
+			no-lockfile)
+		set HOST and DOMSUF variables if running interavtively
+		set flag to kill remaining selfserv processes during cleanup
+		if QA platform different from build platform create neccessary 
+			symbolic links
+		wait for the build to finish (max of 5h)
+
+	main:
+		repeated per test (optimized, debug, 32, 64 bit)
+			set flags for this run of all.sh (optimized, debug, 32, 64 bit)
+			set the DIST directory (where the binaries reside)
+			kill running selfservers (sorry - just don't use the svbld 
+				account if you need to do your own testing... I will fix 
+				selfserv as soon as I can - but it hangs too often and 
+				disturbs all following QA)
+			run all.sh 
+		
+	header:exit (global)
+		remove temporary files
+		kill remaining selfservers
+		send email to the list
+		
+		
+	errorhandling
+		Option / Parameter errors: Exit with usage information
+
+		Severe errors: Exit wit errormessage 
+			example: directory in which all.sh resides does not exist
+				can't create files or directories
+				build not done after 5 hours
+				is already running
+				
+		Other errors: User is prompted with the "errormessage - continue (y/n)?"
+			example: local DIST dir does not exist (continues with next all.sh)
+				outputdirectory does not exist (user can specify other)
+
+		Signals 2, 3, 15 are treated as severe errors
+		
+	
+
diff --git a/security/nss/tests/doc/platform_specific_problems b/security/nss/tests/doc/platform_specific_problems
new file mode 100644
index 000000000..92a22ca03
--- /dev/null
+++ b/security/nss/tests/doc/platform_specific_problems
@@ -0,0 +1,110 @@
+I will, eventually convert all files here to html - just right now I have no
+time to do it. Anyone who'd like to - please feel free, mail me the file and 
+I will check it in 
+sonmi@netscape.com
+
+
+The NSS 3.1 SSL Stress Tests fail for me on FreeBSD 3.5.  The end of the output
+of './ssl.sh stress' looks like this:
+
+********************* Stress Test  ****************************
+********************* Stress SSL2 RC4 128 with MD5 ****************************
+selfserv -p 8443 -d
+/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n
+conrail.cs.columbia.edu -w nss   -i /tmp/tests_pid.5505  & strsclnt -p 8443 -d . -w nss -c 1000 -C A  conrail.cs.columbia.edu 
+strsclnt: -- SSL: Server Certificate Validated.
+strsclnt: PR_NewTCPSocket returned error -5974:
+Insufficient system resources.
+Terminated 
+********************* Stress SSL3 RC4 128 with MD5 ****************************
+selfserv -p 8443 -d
+/local/llennox/NSS-PSM/mozilla/tests_results/security/conrail.20/server -n
+conrail.cs.columbia.edu -w nss   -i /tmp/tests_pid.5505  & strsclnt -p 8443 -d . -w nss -c 1000 -C c  conrail.cs.columbia.edu 
+strsclnt: -- SSL: Server Certificate Validated.
+strsclnt: PR_NewTCPSocket returned error -5974:
+Insufficient system resources.
+Terminated 
+
+Running ktrace on the process (ktrace is a system-call tracer, the equivalent of
+Linux's strace) reveals that socket() failed with ENOBUFS after it was called
+for the 953rd time for the first test, and it failed after the 27th time it was
+called for the second test.
+
+The failure is consistent, both for debug and optimized builds; I haven't tested
+to see whether the count of socket() failures is consistent.
+
+All the other NSS tests pass successfully.
+
+
+------- Additional Comments From Nelson Bolyard 2000-11-01 23:08 -------
+
+I see no indication of any error on NSS's part from this description.
+It sounds like an OS kernel configuration problem on the 
+submittor's system.  The stress test is just that.  It stresses
+the server by pounding it with SSL connections.  Apparently this 
+test exhausts some kernel resource on the submittor's system.
+
+The only change to NSS that might be beneficial to this test 
+would be to respond to this error by waiting and trying again
+for some limited number of times, rather than immediately 
+treating it as a fatal error.  
+
+However, while such a change might make the test appear to pass,
+it would merely be hiding a very serious problem, namely,
+chronic system resource exhaustion.
+
+So, I suggest that, in this case, the failure serves the useful
+purpose of revealing the system problem, which needs to be 
+cured apart from any changes to NSS.
+
+I'll leave this bug open for a few more days, to give others
+a chance to persuade me that some NSS change would and should
+solve this problem.  
+
+
+------- Additional Comments From Jonathan Lennox 2000-11-02 13:13 -------
+
+Okay, some more investigation leads me to agree with you.  What's happening is
+that the TCP connections from the stress test stick around in TIME_WAIT for two
+minutes; my kernel is only configured to support 1064 simultaneous open sockets,
+which isn't enough for the 2K sockets opened by the stress test plus the 100 or
+so normally in use on my system.
+
+So I'd just suggest adding a note to the NSS test webpage to the effect of "The
+SSL stress test opens 2,048 TCP connections in quick succession.  Kernel data
+structures may remain allocated for these connections for up to two minutes. 
+Some systems may not be configured to allow this many simulatenous connections
+by default; if the stress tests fail, try increasing the number of simultaneous
+sockets supported."
+
+On FreeBSD, you can display the number of simultaneous sockets with the command
+	sysctl kern.ipc.maxsockets
+which on my system returns 1064.
+
+It looks like this can be fixed with the kernel config option
+	options NMBCLUSTERS=[something-large]
+or by increasing the 'maxusers' parameter.
+
+It looks like more recent FreeBSD implementations still have this limitation,
+and the same solutions apply, plus you can alternatively specify the maxsockets
+parameter in the boot loader.
+
+
+---------------------------------
+
+hpux HP-UX hp64 B.11.00 A 9000/800 2014971275 two-user license
+
+we had to change following kernelparameters to make our tests pass
+
+1. maxfiles.  old value = 60.  new value = 100.
+2. nkthread.  old value = 499.  new value = 1328.
+3. max_thread_proc.  old value = 64.  new value = 512.
+4. maxusers.  old value = 32.  new value = 64.
+5. maxuprc.  old value = 75.  new value = 512.
+6. nproc.  old formula = 20+8*MAXUSERS, which evaluated to 276.
+   new value (note: not a formula) = 750.
+
+A few other kernel parameters were also changed automatically
+as a result of the above changes.
+
+
diff --git a/security/nss/tests/doc/qa_wrapper.html b/security/nss/tests/doc/qa_wrapper.html
new file mode 100755
index 000000000..755cca236
--- /dev/null
+++ b/security/nss/tests/doc/qa_wrapper.html
@@ -0,0 +1,269 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+   <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [Netscape]">
+</head>
+<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000">
+
+<h3>
+<b><font face="Times New Roman,Times">Author Sonja Mirtitsch</font></b></h3>
+
+<h3>
+<b><font face="Times New Roman,Times">Last updated: 4/4/2001</font></b></h3>
+
+<h1>
+<b><font face="Times New Roman,Times">NSS 3.2.QA Wrapper</font></b></h1>
+
+<p><br>The QA&nbsp; wrapper tests the nightly builds of NSS. The actual
+tests are being run are called from the QA script all.sh. I will add documentation
+for the actual QA soon. The main purpose of the wrapper is: find out which
+build (NSS version, date, Build Platform) to test on which machine (OS,
+OS version) and construct a summary report, which is then mailed to the
+nss developers (aka mailing list nss-qa-report@netscape.com). Please see
+also the <a href="#advertisement">feature</a> section.
+<p><a href="#nssqa">nssqa</a>&nbsp; - the script that calls the actual
+qa script all.sh
+<br><a href="#qa_stat">qa_stat</a> - sends out status reports
+<br><a href="#qaclean">qaclean</a>&nbsp; - if everything else fails
+<p>Sample <a href="/u/sonmi/doc/publish/glob_result.html">global result</a>,
+<a href="/u/sonmi/doc/publish/results.html">individual result </a>and <a href="/u/sonmi/doc/publish/output.log">log
+files</a>
+<p>The QA wrapper consistst mainly of scripts, most located in security/nss/tests
+and subdirectories, but run from /u/sonmi/bin
+<p>nssqa and qa_stat, the main scripts both include a common header (<a href="../header">header</a>)
+and a common environment (<a href="../set_environment">set_environment</a>).
+<br>Also used is <a href="../mksymlinks">mksymlinks</a> and <a href="../path_uniq">path_uniq</a>
+and <a href="#qaclean">qaclean</a>.
+<p>The scripts that are used on a daily basis are located in /u/sonmi/bin
+and checked into security/nss/tests
+<p>Parameters and Options are the same for most scripts.
+<p><a NAME="Parameters"></a><b><u><font size=+1>Parameters</font></u></b>
+<br>&nbsp;&nbsp;&nbsp; nssversion (supported: 30b, 31, tip, default tip)
+<br>&nbsp;&nbsp;&nbsp; builddate (default - today, format mmdd)
+<p><a NAME="Options"></a><b><u><font size=+1>Options</font></u></b>
+<br>&nbsp;&nbsp;&nbsp; -y answer all questions with y - use at your own
+risk... ignores warnings
+<br>&nbsp;&nbsp;&nbsp; -s silent (only usefull with -y)
+<br>&nbsp;&nbsp;&nbsp; -h, -? -help you guessed right - displays the usage
+<br>&nbsp;&nbsp;&nbsp; -d debug
+<br>&nbsp;&nbsp;&nbsp; -f &lt;filename> - write the (error)output to filename
+<br>&nbsp;&nbsp;&nbsp; -fcron writes resultfile in the same location as
+would the -cron
+<br>&nbsp;&nbsp;&nbsp; -m &lt;mailinglist> - send filename to mailinglist
+(csl) only useful
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; with -f on nssqa
+<br>&nbsp;&nbsp;&nbsp; -l &lt;mozroot> run on a local build - does not
+work at this time
+<br>&nbsp;&nbsp;&nbsp; -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.&lt;scriptname>
+<br>&nbsp;
+<p>Please be aware that some iPlanet specific environments and features
+are being used.
+<p>-d Debug option might be removed from cron in a few weeks - or maybe
+not
+<br>-l QA on local build is not fully implemented yet - will not be implemented,
+all.sh can be called directly instead
+<p>Please do not use on Windows 95 and 98, ME platforms yet.
+<p>use -d if script behaves strange or exits unexpectedly
+<p><b><font size=+1>How to use the QA-wrapper</font></b>
+<br>To test a build, first run nssqa on the required QA platforms (some
+buildplatforms require QA to be run on additional platforms - for example
+Solaris 2.6 has to be tested on 2.8 32 and 64bit) If QA has been run on
+multiple or all required platforms it makes sense to run qa_stat on the
+output of nssqa as well.
+<br>Before used on a new system (even if the same platform has been tested
+before) please use completely interactive, to see what the variables are
+being initialized to, and read the warnings. Same is true if being run
+from a different user account than svbld.
+<p>In any case, if you are using it, please let me know the results.
+<p><a NAME="nssqa"></a><b><u><font size=+1>nssqa:</font></u></b>
+<p>the script that calls the actual qa script all.sh
+<p>nssqa <a href="#Parameters">parameters</a> and&nbsp; <a href="#Options">options</a>
+<p><a href="../nssqa">view the script</a>
+<p><b><u><font size=+1>Pseudocode Description of nssqa</font></u></b>
+<br>not quite up to date
+<p>&nbsp;&nbsp;&nbsp; header:init (global)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set flags and variables
+to default values
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; signal trap (for interupts
+and kills)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set HOST and DOMSUF variables
+if running from cron
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; parse parameters and options
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; determine os and set up
+the environment (espec. PATH)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set the directories to run
+in (influenced by parameters and -l option)<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set the directories for backward
+compatibility testing
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set and initialize the tmp
+/ debugging / output files
+<p>&nbsp;&nbsp;&nbsp; nssqa:init (local)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; locking: if nssqa is already
+running on this systems (yes-exit,
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+no-lockfile)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set HOST and DOMSUF variables
+if running interavtively
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set flag to kill remaining
+selfserv processes during cleanup
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if QA platform different
+from build platform create neccessary
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+symbolic links
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wait for the build to finish
+(max of 5h)
+<p>&nbsp;&nbsp;&nbsp; main:
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; repeated per test (optimized,
+debug, 32, 64 bit)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set flags for this run of all.sh (optimized, debug, 32, 64 bit)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+set the DIST directory (where the binaries reside)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+kill running selfservers (sorry - just don't use the svbld
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+account if you need to do your own testing... I will fix
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+selfserv as soon as I can - but it hangs too often and
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+disturbs all following QA)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+run all.sh
+<p>&nbsp;&nbsp;&nbsp; header:exit (global)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; remove temporary files
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; kill remaining selfservers
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; send email to the list
+<br>&nbsp;
+<p>&nbsp;&nbsp;&nbsp; errorhandling
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Option / Parameter errors:
+Exit with usage information
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Severe errors: Exit wit errormessage
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+example: directory in which all.sh resides does not exist
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+can't create files or directories
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+build not done after 5 hours
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+is already running
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Other errors: User is prompted
+with the "errormessage - continue (y/n)?"
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+example: local DIST dir does not exist (continues with next all.sh)
+<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+outputdirectory does not exist (user can specify other)
+<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Signals 2, 3, 15 are treated
+as severe errors
+<br>&nbsp;
+<br>&nbsp;
+<br>&nbsp;
+<p><img SRC="clean.gif" height=129 width=92 align=LEFT><a NAME="qaclean"></a><b><u><font size=+2>qaclean:</font></u></b>/u/sonmi/bin/qaclean
+<br>&nbsp;
+<p>Use qaclean as user "svbld" to get the propper permissions. It is supposed
+to clean up after a "hanging" QA and will also brutally kill, interupt
+and disturb any other nss related test or performance meassurement on the
+named machine. NT and 2000 might require an additional reboot, since the
+ps is not so good about telling us the actual programmname - so we can't
+kill them... Please note that this is a brute force script, it should not
+be used on a regular basis, file a bug whenever you have to use it, since
+hanging QA is nothing that should occur frequently
+<p>&nbsp;<a href="../qaclean">view the script</a>
+<p>What it does:
+<ol>
+<li>
+see if there is a lockfile (/tmp/nssqa.$$ or $TMP/nssqa.$$)</li>
+
+<br>if yes:
+<ol>kill the process of the lockfile <font color="#666666">(future expansion
+and if possible it's children )</font>
+<br>rm the lockfile</ol>
+
+<li>
+kill selfservers</li>
+
+<li>
+kill whatever other qa related processes might be hanging</li>
+
+<li>
+clean up tmp files</li>
+</ol>
+<b>QAClean Parameters:</b>
+<br>&nbsp;&nbsp;&nbsp; machinename.
+<br>&nbsp;&nbsp;&nbsp; for example
+<br>&nbsp;&nbsp;&nbsp; qaclean kentuckyderby
+<br>&nbsp;&nbsp;&nbsp; started on any machine, will clean up on kentuckyderby
+<p><a NAME="qa_stat"></a><b><u><font size=+2>qa_stat</font></u></b>
+<p>qa_stat is the script that is being started from the svbld cron on kentuckyderby
+every morning at 10:00 and runs some (very primitive) analysis on the qa
+results.
+<br>I'd like to rewrite the whole thing in perl, and in a few weeks I might
+just do this...
+<p>&nbsp;<a href="../qa_stat">view the script</a>
+<p>qa_stat <a href="#Parameters">parameters</a> and&nbsp; <a href="#Options">options</a>
+<p><a NAME="advertisement"></a><b><u><font size=+1>Why we need the QA wrapper</font></u></b>
+<p>We need the new QA wrapper, because we have to test on so many platforms,
+that running the tests and evaluating the results for the nightly builds
+took about an average workday.
+<p><b><font size=+1>New Features:</font></b>
+<ul>
+<li>
+runs from <b>cron</b> / rsh or <b>interactive</b> if desired</li>
+
+<li>
+generates <b>summary</b> (no need to look through 60-90 directories)</li>
+
+<li>
+sends <b>email</b> about results</li>
+
+<li>
+automatically <b>recognizes common errors</b> and problems and conflicts
+and corrects them</li>
+
+<br>(or attempts to correct them :-)
+<li>
+automatically determines <b>which build </b>to test (waits if build in
+progress, exits if no build)</li>
+
+<li>
+runs on <b>all required platforms</b> (Windows 98 and before not functional
+yet)</li>
+
+<li>
+Windows version runs on <b>free Cygnus</b> as well as on MKS</li>
+
+<li>
+debug mode, normal mode and silent mode</li>
+
+<li>
+<b>locking</b> mechanism so it won't run twice</li>
+
+<li>
+<b>cleanup</b> after being killed and most errors (no remaining selfservers,
+tmpfiles, lock files)</li>
+</ul>
+The 1st script is started via cron between 5:00 and 8:00 am on different
+systems, and starts QA on the nightly build. At 10:00 the next script is
+started, and sends a QA summary to the nss developers.
+<p><b>Cygnus Advantages</b>:
+<ul>
+<li>
+<b>free</b></li>
+
+<li>
+better handling of <b>processes</b> (background, processIDs, Signals)</li>
+
+<li>
+Unix / Linux <b>compatible</b> sh / bash</li>
+</ul>
+<b>Disadvantages</b>
+<ul>
+<li>
+MKS functionality needs to be preserved (makes <b>8 Windows platforms</b>
+instead of 4 for the QA suites - makes 32 testruns on Windows alone)</li>
+
+<br>In certain functionality's <b>slow</b>
+<br><b></b>&nbsp;</ul>
+<b>Porting the windows QA&nbsp;to Uwin as well is also being considered</b>
+</body>
+</html>
diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh
new file mode 100755
index 000000000..1950d76b0
--- /dev/null
+++ b/security/nss/tests/fips/fips.sh
@@ -0,0 +1,319 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+# mozilla/security/nss/tests/fips/fips.sh
+#
+# Script to test basic functionallity of NSS in FIPS-compliant mode
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## fips_init ##############################
+# local shell function to initialize this script 
+########################################################################
+fips_init()
+{
+  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=fips.sh
+  html_head "FIPS 140 Compliance Tests"
+
+  grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
+  }
+
+  COPYDIR=${FIPSDIR}/copydir
+
+  R_FIPSDIR=../fips
+  P_R_FIPSDIR=../fips
+  R_COPYDIR=../fips/copydir
+
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     P_R_FIPSDIR="multiaccess:${D_FIPS}"
+  fi
+
+  mkdir -p ${FIPSDIR}
+  mkdir -p ${COPYDIR}
+
+  cd ${FIPSDIR}
+}
+
+############################## fips_140 ##############################
+# local shell function to test basic functionality of NSS while in
+# FIPS 140 compliant mode
+########################################################################
+fips_140()
+{
+  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
+  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
+  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
+  RET=$?
+  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
+  echo "certutil -K returned $RET"
+
+  echo "$SCRIPTNAME: Validate the certificate --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
+  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
+
+  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
+  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
+
+  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
+  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
+  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys."
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  # certutil -K now returns a failure if no keys are found. This verifies that
+  # our delete succeded.
+  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
+  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}  2>&1
+  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
+
+  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
+  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
+
+  LIBDIR="${DIST}/${OBJDIR}/lib"
+  MANGLEDIR="${FIPSDIR}/mangle"
+   
+  # There are different versions of cp command on different systems, some of them 
+  # copies only symlinks, others doesn't have option to disable links, so there
+  # is needed to copy files one by one. 
+  echo "mkdir ${MANGLEDIR}"
+  mkdir ${MANGLEDIR}
+  for lib in `ls ${LIBDIR}`; do
+    echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
+    cp ${LIBDIR}/${lib} ${MANGLEDIR}
+  done
+    
+  echo "$SCRIPTNAME: Detect mangled database --------------------------"
+  SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
+
+  echo "mangling ${SOFTOKEN}"
+  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
+  ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
+  if [ $? -eq 0 ]; then
+    if [ "${OS_ARCH}" = "WINNT" ]; then
+      DBTEST=`which dbtest`
+	  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+		DBTEST=`cygpath -m ${DBTEST}`
+		MANGLEDIR=`cygpath -u ${MANGLEDIR}`
+	  fi
+      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
+      PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "HP-UX" ]; then
+      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "AIX" ]; then
+      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "Darwin" ]; then
+      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    else
+      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    fi  
+
+    html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
+  else
+    html_msg 0 0 "Skipping corruption test, can't open ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
+  fi
+}
+
+############################## fips_cleanup ############################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+fips_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+fips_init
+fips_140
+fips_cleanup
+echo "fips.sh done"
diff --git a/security/nss/tests/header b/security/nss/tests/header
new file mode 100644
index 000000000..5a1dead72
--- /dev/null
+++ b/security/nss/tests/header
@@ -0,0 +1,1636 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/header - /u/svbld/bin/init/nss/header
+#
+# variables, utilities and shellfunctions global to NSS QA
+# needs to work on all Unix platforms
+#
+# included from (don't expect this to be up to date)
+# --------------------------------------------------
+#   qa_stat
+#   mksymlinks 
+#   nssqa 
+#
+# parameters
+# ----------
+#   nssversion (supported: 30b, 31, 332, tip 32)
+#   builddate (default - today)
+#
+# options
+# -------
+#   -y answer all questions with y - use at your own risk... ignores warnings 
+#   -s silent (only usefull with -y)
+#   -h, -? - you guessed right - displays this text
+#   -d debug
+#   -f <filename> - write the (error)output to filename
+#   -fcronfile produces the resultfiles in the same locations
+#       as would have been produced with -cron
+#   -m <mailinglist> - send filename to mailinglist (csl) only useful
+#       with -f
+#   -ml <mailinglist> - send link to filename to mailinglist (csl) 
+#       only useful with -f
+#   -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.<scriptname>
+#   -t  run on a tinderbox build that means: local, from the startlocation
+#   -l <mozroot directory>  run on a local build mozroot
+#   -ln <mozroot> copy a networkbuild to a local directory mozroot, 
+#        used for networkindipendend QA
+#   -lt try to copy a networkbuild to a local directory, if not possible
+#        run on the network
+#        used for networkindipendend QA
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# moduls (not yet)
+# ----------------
+#   --# INIT
+#   --# USERCOM
+#   --# UTILS
+#
+# FIXME - split in init / usercom / utils
+#
+########################################################################
+
+#------------------------------# INIT #------------------------------
+
+# below the option flags get initialized
+
+if [ -z "$QASCRIPT_DIR" ]
+then
+    QASCRIPT_DIR=`dirname $0`
+    if [ "$QASCRIPT_DIR" = '.' ]
+    then
+        QASCRIPT_DIR=`pwd`
+    fi
+fi
+export QASCRIPT_DIR
+
+O_HWACC=OFF
+if [ -z "$O_ALWAYS_YES" ] ; then
+    O_ALWAYS_YES=OFF    # turned on by -y answer all questions with y 
+fi
+
+if [ -z "$O_INIT" ] # header is global, some including scripts may not
+then                # want the init to run, the others don't need to bother
+    O_INIT=ON
+fi
+if [ -z "$O_PARAM" ] # header is global, some including scripts may not
+then                 # require parameters, the others don't need to bother
+    O_PARAM=ON
+fi
+if [ -z "$O_OPTIONS" ] # header is global, some including scripts may not
+then                # permit options, they don't need to bother
+    O_OPTIONS=OFF
+fi
+O_SILENT=OFF        # turned on by -s silent (only usefull with -y)
+if  [ -z "$O_DEBUG" ] ; then
+    O_DEBUG=OFF     # turned on by -d - calls to Debug produce output when ON
+fi
+O_FILE=OFF          # turned on by -f echo all output to a file $FILENAME
+O_CRON=OFF          # turned on by -cron cron use only
+O_CRONFILE=OFF      # turned on by -cron cron and -fcron
+O_LOCAL=OFF         # turned on by -l* run on a local build in $LOCAL_MOZROOT
+O_LN=OFF            # turned on by -ln and -lt, test a networkbuild locally
+O_MAIL=OFF          # turned on by -m - sends email
+O_MAIL_LINK=OFF     # turned on by -ml - sends email
+O_TBX=OFF           # turned on by -t run on a tinderbox build
+                    # that means: local, from the startlocation
+
+if  [ -z "$DOMSUF" ]
+then
+    
+    DOMSUF=red.iplanet.com
+    DS_WAS_SET=FALSE
+else
+    DS_WAS_SET=TRUE
+fi
+
+TMPFILES=""
+
+WAIT_FOR=600  # if waiting for an event sleep n seconds before rechecking 
+              # recomended value 10 minutes 600
+WAIT_TIMES=30 # recheck n times before giving up - recomended 30 - total of 5h
+
+if [ -z "$QAYEAR" ]   # may I introduce - the y2k+1 bug? QA for last year 
+then                  # might not work
+    QAYEAR=`date +%Y`
+fi
+
+if [ -z "$TMP" ]        
+then
+    if [  -z "$TEMP" ]
+    then
+        TMP="/tmp"
+    else
+        TMP=$TEMP
+    fi
+fi
+if [ ! -w "$TMP" ]        
+then
+    echo "Can't write to tmp directory $TMP - exiting"
+    echo "Can't write to tmp directory $TMP - exiting" >&2
+    exit 1
+fi
+
+KILLPIDS="$TMP/killpids.$$"
+export KILLERPIDS
+TMPFILES="$TMPFILES $KILLPIDS"
+
+KILL_SELFSERV=OFF   # if sourcing script sets this to on cleanup will also 
+                    # kill the running selfserv processes
+
+                    # Set the masterbuilds 
+if [ -z "$UX_MASTERBUILD" ]
+then                     
+    UX_MASTERBUILD=booboo_Solaris8
+    #if [ ! -d $UX_MASTERBUILD ] ; then
+        #UX_MASTERBUILD=booboo_Solaris8_forte6
+    #fi
+    UX_MB_WAS_SET=FALSE
+else
+    UX_MB_WAS_SET=TRUE
+fi
+if [ -z "$NT_MASTERBUILD" ]
+then                     
+    NT_MASTERBUILD=blowfish_NT4.0_Win95
+    NT_MB_WAS_SET=FALSE      # in this case later functions can override if
+                             # they find a different build that looks like NT
+else
+    NT_MB_WAS_SET=TRUE
+fi
+if [ -z "$MASTERBUILD" ]    
+then
+    MASTERBUILD=$UX_MASTERBUILD
+fi
+
+                    # Set the default build
+if [ -z "$BUILDNUMBER" ]    
+then
+    BUILDNUMBER=1
+fi
+export BUILDNUMBER
+O_LDIR=OFF          #local QA dir for NT, temporary
+
+if [ -z "$WIN_WAIT_FOREVER" ]    # header is global, some including scripts 
+then                # want the init to wait forever for directories to
+                    # appear (windows only) if OFF exit, if ON wait forever
+    WIN_WAIT_FOREVER=OFF
+fi
+
+                          # NOTE: following variables have to change 
+                          # from release to release
+if [ -z "$BC_MASTER" ]    # master directory for backwardscompatibility testing
+then
+    RH="NO"
+    grep 7.1 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES"
+    grep 7.2 /etc/redhat-release > /dev/null 2>/dev/null && RH="YES"
+
+    if [ "$RH" = "YES" ] 
+    then                      # NSS-3-3-1RTM
+        BC_UX_MASTER=nss331/builds/20010928.2.331-RTM/booboo_Solaris8
+        BC_NT_MASTER=nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95
+    else                      # NSS-3-2-2RTM
+        BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8
+        BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95
+    fi
+    BC_MASTER=$BC_UX_MASTER
+    BC_MASTER_WAS_SET=FALSE
+else
+    BC_MASTER_WAS_SET=TRUE
+fi
+BC_RELEASE=3.2
+export BC_RELEASE
+
+EARLY_EXIT=TRUE     #before the report file has been created, causes Exit to 
+                    #create it
+
+UX_D0=/share/builds/mccrel3/nss
+
+################################### glob_init ##########################
+# global shell function, main initialisation function
+########################################################################
+glob_init()
+{
+    if [ $O_PARAM = "ON" ] ; then
+        eval_opts $*    # parse parameters and options - set flags
+    fi
+                        # if running from cron HOST needs to be known early, 
+    init_host            # so the output file name can be constructed. 
+    Debug "Setting up environment...( $QASCRIPT_DIR/set_environment) "
+    . $QASCRIPT_DIR/set_environment #finds out if we are running on Windows
+    Debug "OPerating system: $os_name $os_full"
+    umask 0    
+    init_dirs
+    init_files
+    init_vars
+}
+
+################################### init_vars ###########################
+# global shell function, sets the environment variables, part of init 
+########################################################################
+init_vars()
+{
+    if [ -z "$LOGNAME" ]
+    then
+        if [ $O_WIN = "ON" ]
+        then
+            LOGNAME=$USERNAME
+        else
+            LOGNAME=$USER
+        fi
+        if [ -z "$LOGNAME" ]
+        then
+            LOGNAME=$UNAME
+            if [ -z "$LOGNAME" ]
+            then
+                LOGNAME=`basename $HOME`
+            fi
+        fi
+    fi
+    if [ -z "$LOGNAME" ]
+    then
+        Exit "Can't determine current user"
+    fi
+    case $HOST in
+        iws-perf)
+            O_HWACC=ON
+            HWACC_LIST="rainbow ncipher"
+            #MODUTIL="-add rainbow -libfile /usr/lib/libcryptoki22.so"
+            export HWACC_LIST
+            ;;
+        *)
+            O_HWACC=OFF
+            ;;
+    esac
+   export O_HWACC
+}
+
+########################################################################
+# functions below deal with setting up the directories and PATHs for
+# all different flavors of OS (Unix, Linux, NT MKS, NT Cygnus) and QA
+# (Standard, local tinderbox)
+########################################################################
+
+########################## find_nt_masterbuild #########################
+# global shell function, sets the nt masterbuild directories, part of init 
+########################################################################
+find_nt_masterbuild()
+{
+    NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD}
+    if [ "${NT_MB_WAS_SET}" = "FALSE" -a ! -d $NT_MASTERDIR ] ; then
+        if [ -d ${DAILY_BUILD}/*NT4* ] ; then
+            NT_MASTERBUILD=` cd ${DAILY_BUILD}; ls -d *NT4* `
+            Debug "NT_MASTERBUILD $NT_MASTERBUILD"
+            NT_MASTERDIR=${DAILY_BUILD}/${NT_MASTERBUILD}
+        fi
+    fi
+    Debug "NT_MASTERDIR $NT_MASTERDIR"
+}
+
+################################### set_daily_build_dirs ###########################
+# global shell function, sets directories 
+########################################################################
+set_daily_build_dirs()
+{
+    if [ "$O_LOCAL" = "ON" -a "$O_LN" = "OFF" ] ; then
+        DAILY_BUILD=${LOCAL_MOZROOT}        # on local builds NSS_VER_DIR and DAILY_BUILD are 
+                             # set to the LOCAL_MOZROOT, since it is not sure
+                             # if ../.. (DAILY_BUILD) even exists
+        LOCALDIST=${LOCAL_MOZROOT}/dist
+    elif [ "$O_TBX" = "ON" ] ; then
+        DAILY_BUILD="$TBX_DAILY_BUILD"
+        LOCALDIST=${UXDIST}
+    else
+        DAILY_BUILD=${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.${BUILDNUMBER}
+        LOCALDIST=${DAILY_BUILD}/${MASTERBUILD}/mozilla/dist
+    fi
+}
+
+map_os64()
+{
+  IS_64=""
+  case `uname -s` in
+      #OSF1) has been done already - always 64 bit
+      SunOS)
+          MAPPED_OS=Solaris*8
+          IS_64=`(isainfo -v | grep 64)>/dev/null 2>/dev/null && echo 64 bit`
+          if [ "$O_TBX" = "OFF" ] ; then
+              set_osdir
+              if [ -n "$IS_64" ]
+              then #Wait for the 64 bit build to finish...
+                  Debug Testing build for $MAPPED_OS in $OSDIR
+                  Wait ${OSDIR}/SVbuild.InProgress.1 0
+              fi
+          fi
+          ;;
+      AIX)
+          IS_64=`lslpp -l | grep "bos.64bit"> /dev/null && echo 64 bit`
+          ;;
+      HP-UX)
+          IS_64=`getconf KERNEL_BITS | grep 64 >/dev/null && echo 64 bit`
+          ;;
+  esac
+  Debug "Mapped OS to $MAPPED_OS"
+}
+
+
+
+################################### copy_to_local ########################
+# global shell function, copies the necessary directories from the 
+# daily build aerea to the local disk
+########################################################################
+copy_to_local()
+{
+    Debug "Copy network directories to local directories"
+    C2L_ERROR=0
+    if [ ! -d ${LOCAL_MOZROOT}/dist ] ; then
+        mkdir -p ${LOCAL_MOZROOT}/dist || C2L_ERROR=1
+    fi
+    if [ ! -d ${LOCAL_MOZROOT}/security/nss ] ; then
+        mkdir -p ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=2
+    fi
+    if [ $C2L_ERROR != 0 ] ; then
+        Exit "copy_to_local: Can t make necesssary directories ($C2L_ERROR ) "
+    fi
+    if [ ! -d ${LOCAL_MOZROOT}/security/nss/tests ] ; then
+        cp -r ${TESTSCRIPTDIR} ${LOCAL_MOZROOT}/security/nss || C2L_ERROR=1
+    fi
+    if [ ! -d ${LOCAL_MOZROOT}/security/coreconf ] ; then
+        cp -r ${MOZILLA_ROOT}/security/coreconf ${LOCAL_MOZROOT}/security || C2L_ERROR=2
+    fi
+    
+    NO_DIRS=0;
+    if [ "$O_WIN" = "ON" ] ; then
+        OS_TARGET=WINNT;export OS_TARGET
+    fi
+    unset BUILD_OPT;export BUILD_OPT;
+    unset USE_64;export USE_64;
+#FIXME only tested on 64 bit Solaris and only got 32 bit builds
+    while [ $NO_DIRS -lt 4 ] ; do
+                                                  # first time thru: Debug 32 bit NT
+        set_objdir
+        Debug "Copying ${OBJDIR}..."
+        if [ ! -d ${LOCAL_MOZROOT}/dist/${OBJDIR} ] ; then
+            cp -r ${LOCALDIST}/${OBJDIR} ${LOCAL_MOZROOT}/dist || C2L_ERROR=3
+        fi
+        NO_DIRS=`expr $NO_DIRS + 1`
+        if [ $NO_DIRS = 1 ] ; then                # 2nd time: OPT 32 bit NT
+            BUILD_OPT=1; export BUILD_OPT;
+        elif [ $NO_DIRS = 2 ] ; then              # 3rd time: OPT, either 64 bit or Win95 or force exit
+            if [ "$O_WIN" = "ON" ] ; then
+                OS_TARGET=WIN95;export OS_TARGET
+            else
+                map_os64
+                if [ -z "$IS_64" ] ; then #32 bit platform
+                    NO_DIRS=4
+                else
+                    USE_64=1; export USE_64
+                fi
+            fi
+        elif [ $NO_DIRS = 3 ] ; then              # 4th time:  Debug either 64 bit or Win95
+            unset BUILD_OPT;export BUILD_OPT;
+        fi
+     
+            
+    done
+    if [ $C2L_ERROR != 0 ] ; then
+        Exit "copy_to_local: Can t copy necesssary directories ($C2L_ERROR ) "
+    fi
+    unset TESTSCRIPTDIR
+    unset TESTDIR
+    unset RESULTDIR
+    O_LN=OFF       #from here on pretend it is regular -l local QA FIXME, might cause 
+                   #problems with the backwardcompatibility tests
+    Debug "Successfully copied network directories to local directories"
+}
+
+################################### local_dirs ###########################
+# global shell function, sets the directories for local QA
+########################################################################
+local_dirs()
+{
+    Debug "Set directories for local QA"
+    #if [ "$O_WIN" = "ON" ] ; then
+        #win_set_tmp
+    #fi
+    NSS_VER_DIR=${LOCAL_MOZROOT}        # on local builds NSS_VER_DIR and DAILY_BUILD are 
+                         # set to the LOCAL_MOZROOT, since it is not sure
+                         # if ../../../.. (NSS_VER_DIR) even exists
+    if [ -z "${RESULTDIR}" ] ; then # needs to be local as well
+        Debug "Setting RESULTDIR for local QA"
+        RESULTDIR="${LOCAL_MOZROOT}/tests_results/security/${HOST}-`date +%Y%m%d-%H.%M`"
+    fi
+    set_daily_build_dirs
+    UX_MASTERDIR=`dirname ${LOCAL_MOZROOT}`
+    NT_MASTERDIR=$UX_MASTERDIR
+    MOZILLA_ROOT=${LOCAL_MOZROOT}
+
+    UXDIST=${MOZILLA_ROOT}/dist
+    NTDIST=${UXDIST}
+
+    if [ -z "${TESTDIR}" ] ; then 
+        Debug "Setting TESTDIR for local QA"
+        TESTDIR=${RESULTDIR}
+    fi
+    if [ -n "$TESTDIR" ] ; then
+        if [ ! -d $TESTDIR ] ; then
+            Debug "Making TESTDIR for local QA"
+            mkdir -p $TESTDIR
+        fi
+    fi
+    export TESTDIR
+    Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR"
+
+    TESTSCRIPTDIR=${LOCAL_MOZROOT}/security/nss/tests
+    COMMON=${TESTSCRIPTDIR}/common
+
+    set_objdir
+    debug_dirs
+    export_dirs
+}
+
+
+################################### tbx_dirs ###########################
+# global shell function, sets the directories for tinderbox QA
+########################################################################
+tbx_dirs()
+{
+    Debug "Set directories for tinderbox"
+    if [ "$O_WIN" = "ON" ] ; then
+        win_set_d1 # we need the NSS_VER_DIR later
+    else
+        NSS_VER_DIR="$UX_D0"/nss$NSSVER
+    fi
+    if [ -z "${RESULTDIR}" ] ; then # needs to be different for tinderbox
+        Debug "Setting RESULTDIR for tinderbox"
+        TBX_NOBITS=""
+        echo $QASCRIPT_DIR | grep 64  >/dev/null && TBX_NOBITS=64
+        TRD="${HOST}${TBX_NOBITS}-`date +%Y%m%d-%H.%M`"
+        RESULTDIR="${NSS_VER_DIR}/tinderbox/tests_results/security/${TRD}"
+        if [ ${DOMSUF} = "mcom.com" -o  ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then
+            URL="sbs-rel.nscp.aoltw.net"
+        else
+            URL="cindercone.red.iplanet.com"
+        fi
+        if [ "$O_WIN" = "ON" ] ; then
+            RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${UX_D0}/nsstip/tinderbox/tests_results/security/${TRD}\">QA</a>"
+        else
+            RESULTDIRURL="<a title=\"QA Results\" href=\"http://${URL}${RESULTDIR}\">QA</a>"
+        fi
+        Debug "RESULTDIRURL TinderboxPrint:$RESULTDIRURL"
+    fi
+    TBX_DAILY_BUILD=`cd ../../../../..;pwd`
+    NSS_VER_DIR="${TBX_DAILY_BUILD}/../.." 
+    TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tinderbox | sed -e 's/ .*//g'`
+    if [ -z "$TBX_LOGFILE_DIR" ] ; then
+        TBX_LOGFILE_DIR=`ls ${NSS_VER_DIR}/logs/tbx | sed -e 's/ .*//g'`
+        TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tbx/${TBX_LOGFILE_DIR}"
+    else
+        TBX_LOGFILE_DIR="${NSS_VER_DIR}/logs/tinderbox/${TBX_LOGFILE_DIR}"
+    fi
+    Debug "Set TBX_LOGFILE_DIR ${TBX_LOGFILE_DIR}"
+    
+    set_daily_build_dirs
+    UX_MASTERDIR=`cd ../../../..;pwd`
+    NT_MASTERDIR=$UX_MASTERDIR
+    MOZILLA_ROOT=$UX_MASTERDIR/mozilla
+
+    UXDIST=${MOZILLA_ROOT}/dist
+    NTDIST=${UXDIST}
+
+    if [ -z "${TESTDIR}" ] ; then 
+        Debug "Setting TESTDIR for tinderbox"
+        TESTDIR=${RESULTDIR}
+    fi
+    if [ -n "$TESTDIR" ] ; then
+        if [ ! -d $TESTDIR ] ; then
+            Debug "Making TESTDIR for tinderbox"
+            mkdir -p $TESTDIR
+        fi
+    fi
+    Debug "Making QAstatus file"
+    echo "QA running" >${TESTDIR}/QAstatus
+    export TESTDIR
+    Debug "RESULTDIR $RESULTDIR TESTDIR $TESTDIR"
+
+    TESTSCRIPTDIR=`pwd`
+    COMMON=${TESTSCRIPTDIR}/common
+
+    set_objdir
+    debug_dirs
+    export_dirs
+}
+
+################################### init_mcom ###########################
+# global shell function, sets domain specific variables for AOL's 
+# domains according to Bishakha's instructions
+########################################################################
+init_mcom()
+{
+    Debug "Running in mcom or netscape domain - changing directories..."
+    if [ "${UX_MB_WAS_SET}" = "FALSE" ] ; then #in case it was set
+        # before script was called use these values 
+        UX_MASTERBUILD=spd04_Solaris8
+    fi
+    if [ "${NT_MB_WAS_SET}" = "FALSE" ] ; then 
+        NT_MASTERBUILD=spd06_NT4
+    fi
+ 
+    MASTERBUILD=$UX_MASTERBUILD
+    if [ "${BC_MASTER_WAS_SET}" = "FALSE" ] ; then
+        BC_UX_MASTER=nss322/builds/20010820.1/y2sun2_Solaris8
+        BC_NT_MASTER=nss322/builds/20010820.1/blowfish_NT4.0_Win95
+        BC_MASTER=$BC_UX_MASTER
+    fi
+    UX_D0=/share/builds/sbsrel2/nss
+    URL="sbs-rel.nscp.aoltw.net"
+}
+################################### init_dirs ###########################
+# global shell function, sets the directories for standard QA
+# calls special functions for tinderbox, windows or local QA, part of init 
+########################################################################
+init_dirs()
+{
+    if [ ${DOMSUF} = "mcom.com" -o  ${DOMSUF} = "netscape.com" -o ${DOMSUF} = "nscp.aoltw.net" ] ; then
+        init_mcom
+    fi
+    if [ $O_WIN = "ON" ] ; then
+        win_set_tmp
+        write_to_tmpfile
+        MASTERBUILD=$NT_MASTERBUILD
+        BC_MASTER=$BC_NT_MASTER
+    fi
+    if [ "$O_LOCAL" = "ON" -a $O_LN = "OFF" ] ; then  # if it is a LN we need to know
+                       # all the directories off the network first to copy them
+        local_dirs     # O_LOCAL alone assumes that all the directories are already there 
+        return
+    elif [ "$O_TBX" = "ON" ] ; then
+        tbx_dirs
+        return
+    elif [ "$O_WIN" = "ON" ] ; then
+        win_set_d1
+    else
+        NSS_VER_DIR="$UX_D0"/nss$NSSVER
+    fi
+    #set -x
+
+    set_daily_build_dirs
+
+    if [ -z "${BCDIST}" ] ; then
+        #BCDIST=/share/builds/mccrel3/nss/${BC_MASTER}/mozilla/dist
+        BCDIST=${NSS_VER_DIR}/../${BC_MASTER}/mozilla/dist
+        if [ ! -d $BCDIST -a `basename $0` != jssqa ] ; then
+            ask "Backward compatibility directory $BCDIST does not exist, continue" "y" "n" || Exit
+        fi
+    fi
+
+    UX_MASTERDIR=${DAILY_BUILD}/${UX_MASTERBUILD}
+    find_nt_masterbuild
+
+    if [ "$O_WIN" = "ON" ]
+    then
+        MOZILLA_ROOT=${NT_MASTERDIR}/mozilla
+    else
+        MOZILLA_ROOT=${UX_MASTERDIR}/mozilla
+    fi
+
+    UXDIST=${UX_MASTERDIR}/mozilla/dist
+    NTDIST=${NT_MASTERDIR}/mozilla/dist
+
+    if [ -z "${RESULTDIR}" ] ; then 
+        RESULTDIR=${UX_MASTERDIR}/mozilla/tests_results/security
+    fi
+
+    if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+
+        if [ "$O_WIN" = "ON" ] ; then
+            JSS_NSS_SRC_DIR=$JSS_NSS_NT_SRC_DIR
+        fi
+        TESTSCRIPTDIR=${NSS_VER_DIR}/../${JSS_NSS_SRC_DIR}/mozilla/security/nss/tests
+    else
+        TESTSCRIPTDIR=${MOZILLA_ROOT}/security/nss/tests
+    fi
+
+    if [ ! -d $TESTSCRIPTDIR -a `basename $0` != jssqa ] ; then
+        if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ]
+        then
+            WaitForever $TESTSCRIPTDIR/all.sh 1
+        else
+            Exit "Test directory $TESTSCRIPTDIR does not exist"
+        fi
+    fi
+
+    COMMON=${TESTSCRIPTDIR}/common
+    if [ "$O_LOCAL" = "ON" -a $O_LN = "ON" ] ; then  # if it is a LN we need to know
+                       # all the directories off the network first to copy them
+        copy_to_local
+        local_dirs     
+    fi
+    #set +x
+
+
+    set_objdir
+    debug_dirs
+    export_dirs
+}
+
+debug_dirs()
+{
+    Debug "NTDIST $NTDIST"
+    Debug "UXDIST $UXDIST"
+    Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+    Debug "RESULTDIR $RESULTDIR"
+    Debug "TMP $TMP"
+    Debug "LOCALDIST_BIN $LOCALDIST_BIN"
+    Debug "COMMON $COMMON"
+    Debug "MOZILLA_ROOT $MOZILLA_ROOT"
+    Debug "BCDIST $BCDIST"
+}
+
+export_dirs()
+{
+    export NSS_VER_DIR DAILY_BUILD NTDIST UXDIST RESULTDIR TESTSCRIPTDIR BCDIST
+    export UX_MASTERDIR NT_MASTERDIR COMMON MOZILLA_ROOT
+}
+
+set_osdir()
+{
+    OSDIR=${DAILY_BUILD}/*${MAPPED_OS}*
+}
+
+################################### init_files ###########################
+# global shell function, sets filenames, initializes files, part of init 
+########################################################################
+init_files()
+{
+    if [ $O_CRONFILE = "ON" ]
+    then
+        Debug "attempting to create resultfiles"
+        if [ "$O_TBX" = "ON" ] ; then
+            NEWFILENAME=${TBX_LOGFILE_DIR}/qa.log
+            if [ ! -w ${TBX_LOGFILE_DIR} ] ; then
+                Exit "can't touch $NEWFILENAME"
+            fi
+        else
+            NEWFILENAME=$RESULTDIR/$HOST.`basename $0`
+        fi
+        if [ ! -d $RESULTDIR ]
+        then
+            mkdir -p $RESULTDIR || Exit "Error: can't make $RESULTDIR"
+        fi
+        if [ ! -w $RESULTDIR ] ; then
+            Exit "can't touch $NEWFILENAME"
+        fi
+        Debug "About to touch $NEWFILENAME "
+        touch $NEWFILENAME || Exit "Error: can't touch $NEWFILENAME"
+        if [ "$O_TBX" = "ON" ] ; then
+             echo "QA results in $RESULTDIR" >>$NEWFILENAME || Exit "Error: can't write to $NEWFILENAME"
+        fi
+        Debug "About to cat $FILENAME >>$NEWFILENAME "
+        cat $FILENAME >>$NEWFILENAME || Exit "Error: can't append $FILENAME to $NEWFILENAME"
+        TMPFILES="$TMPFILES $FILENAME"
+        FILENAME=$NEWFILENAME
+        Debug "Writing output to $FILENAME"
+    fi
+
+}
+
+################################### write_to_tmpfile ##########################
+# global shell function, for NT and cron operation, first a tmpfile 
+# needs to be created
+########################################################################
+write_to_tmpfile()
+{
+    O_CRONFILE=ON
+    O_FILE=ON
+    FILENAME=${TMP}/nsstmp.$$    # for now write to the temporary file
+                                 # since we don't know the hostname yet
+                                 # will be inserted to the real file later
+    TMPFILES="$TMPFILES nsstmp.$$"        
+    touch $FILENAME || Exit "Error: can't touch $FILENAME"
+    Debug "Writing output to $FILENAME"
+}
+
+############################# turn_on_cronoptions ######################
+# global shell function, turns on options needed for cron and tinderbox
+########################################################################
+turn_on_cronoptions()
+{
+    O_CRON=ON
+    O_SILENT=ON
+    O_DEBUG=ON                # FIXME take out!
+    O_ALWAYS_YES=ON
+    write_to_tmpfile
+}
+
+########################## test_mozroot ##########################
+# global shell function, determines if the variable LOCAL_MOZROOT is set, 
+# and is usable as mozilla root diretory for a local QA
+###################################################################
+test_mozroot()
+{
+  PWD=`pwd`
+  Debug "LOCAL_MOZROOT = $LOCAL_MOZROOT"
+  case "$LOCAL_MOZROOT" in
+      [0-9-]*|tip)
+          glob_usage "Error: -"$1" requires a directoryname to follow (start with a letter) "
+          ;;
+      \.\.)
+          LOCAL_MOZROOT=`dirname $PWD`
+          ;;
+      \.)
+          LOCAL_MOZROOT=$PWD
+          ;;
+      \.\/*)
+          LOCAL_MOZROOT=`echo $LOCAL_MOZROOT | sed -e "s/^\.//"`
+          LOCAL_MOZROOT="${PWD}${LOCAL_MOZROOT}"
+          ;;
+      \.\.\/*)
+          LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+          ;;
+      \/*|[a-zA-Z]:\/*)
+          ;;
+      ?*)
+          LOCAL_MOZROOT="${PWD}/${LOCAL_MOZROOT}"
+          ;;
+      *)
+          glob_usage "Error: -"$1" requires a directoryname to follow"
+          ;;
+  esac
+  Debug "Reformated MOZROOT to $LOCAL_MOZROOT"
+  if [ "$1" = "ln" ] ; then
+      LOCAL_MOZROOT_PARENT=`dirname $LOCAL_MOZROOT`
+      if [ ! -d $LOCAL_MOZROOT_PARENT -o ! -w $LOCAL_MOZROOT_PARENT -o \
+           ! -x $LOCAL_MOZROOT_PARENT ] ; then
+              Exit "Error: Can't create $LOCAL_MOZROOT (permissions)"
+      fi
+      if [ ! -d "$LOCAL_MOZROOT" ] ; then
+          mkdir $LOCAL_MOZROOT ||
+              Exit "Error: Can't create mozroot $LOCAL_MOZROOT (mkdir failed)"
+      else
+          ask "mozroot $LOCAL_MOZROOT exists - continue (y will remove dir) ?" \
+               "y" "n" || Exit
+          rm -rf $LOCAL_MOZROOT/dist $LOCAL_MOZROOT/security $LOCAL_MOZROOT/tests_results ||
+              Exit "Error: Can't clean mozroot $LOCAL_MOZROOT"
+      fi
+  fi
+  if [ ! -d "$LOCAL_MOZROOT" ] ; then
+      glob_usage "Error: mozilla root $LOCAL_MOZROOT not a valid directory"
+  fi
+}
+
+################################### eval_opts ##########################
+# global shell function, evapuates options and parameters, sets flags
+# variables and defaults
+########################################################################
+eval_opts()
+{
+  while [ -n "$1" ]
+  do
+    case $1 in
+        -cron)
+            turn_on_cronoptions
+            ;;
+        -T*|-t*)
+            O_TBX=ON
+            turn_on_cronoptions
+            O_SILENT=OFF	#FIXME debug only
+            ;;
+        -S*|-s*)
+            O_SILENT=ON
+            ;;
+        -Y*|-y)
+            Debug "Option -y dedectet"
+            O_ALWAYS_YES=ON
+            ;;
+        -d*|-D)
+            O_DEBUG=ON
+            #set -x
+            ;;
+        -ml|-ML)
+            O_MAIL_LINK=ON
+            shift
+            MAILINGLIST=$1
+            if [ -z "$MAILINGLIST" ]
+            then
+                glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+            fi
+            Debug "Sending link to result to $MAILINGLIST"
+            ;;
+        -m|-M)
+            O_MAIL=ON
+            shift
+            MAILINGLIST=$1
+            if [ -z "$MAILINGLIST" ]
+            then
+                glob_usage "Error: -m requires a mailinglist to follow, for example sonmi,wtc,nelsonb "
+            fi
+            Debug "Sending result to $MAILINGLIST"
+            ;;
+        -fcron*|-F[Cc][Rr][Oo][Nn]*)
+            write_to_tmpfile
+            ;;
+        -f|-F)
+            O_FILE=ON
+            shift
+            FILENAME=$1
+            if [ -z "$FILENAME" ]
+            then
+                glob_usage "Error: -f requires a filename to follow"
+            fi
+            #rm -f $FILENAME 2>/dev/null
+            touch $FILENAME || Exit "Error: can't touch $FILENAME"
+                                    #NOTE we append rather that creating
+            Debug "Writing output to $FILENAME"
+            ;;
+        -h|-help|"-?")
+            glob_usage
+            ;;
+        -ln)
+            if [ `basename $0` != nssqa ] ; then
+                glob_usage "Error: Can't handle option $1"
+            fi
+            O_LOCAL=ON
+            O_LN=ON
+            shift
+            LOCAL_MOZROOT=$1
+            test_mozroot ln
+            ;;
+        -lt)
+            if [ `basename $0` != nssqa ] ; then
+                glob_usage "Error: Can't handle option $1"
+            fi
+            O_LN=ON
+            O_LOCAL=ON
+            ;;
+        -l)
+            if [ `basename $0` != nssqa ] ; then
+                glob_usage "Error: Can't handle option $1"
+            fi
+            O_LOCAL=ON
+            shift
+            LOCAL_MOZROOT=$1
+            test_mozroot l
+            ;;
+        -p)
+            shift
+            PORT=$1
+            export PORT
+            ;;
+        -*)
+            glob_usage "Error: Can't handle option $1"
+            ;;
+        tip|3.|3..)
+            NSSVER=$1
+            if [ -z "$NSSVER" ] ; then
+                glob_usage "Error: illegal parameter"
+            fi
+            ;;
+        [01][0-9][0123][0-9])
+            BUILDDATE=$1
+            if [ -z "$BUILDDATE" ] ; then
+                glob_usage "Error: illegal parameter"
+            fi
+            ;;
+        ?*)
+            glob_usage "Error: Can't handle parameter $1"
+            ;;
+    esac
+    shift
+  done
+
+  if [ -z "$PORT" -a "$O_TBX" = "ON" ] ; then
+      PORT=8444
+      export PORT
+      if [ -z "$NSSVER" ] ; then
+          NSSVER="tip"
+          Debug "NSS Version: Parameters missing - defaulting to tip!"
+      fi
+  elif [ -z "$NSSVER" ] ; then
+      NSSVER="tip"
+      Debug "NSS Version: Parameters missing - defaulting to tip!"
+  fi
+  if [ -z "$BUILDDATE" ] ; then
+      BUILDDATE=`date +%m%d`
+      Debug "Builddate: Parameters missing - defaulting to today!"
+  fi
+  
+  Debug "Builddate $BUILDDATE NssVersion $NSSVER"
+  export BUILDDATE NSSVER
+  export O_CRON O_SILENT O_DEBUG O_ALWAYS_YES O_TBX
+}
+
+win_set_tmp()
+{
+    TMP=`echo "$TMP" | sed -e 's/	/\/t/g' -e 's//\/b/' -e 's/\\\/\//g'`
+    Debug "TMP reformated to $TMP"
+}
+
+######################### win_set_d1 ################################
+# global shell function, interactively finds the directories in case
+# windows can't get to the default
+########################################################################
+win_set_d1()
+{
+    Debug "set Windows Directories..."
+    #win_set_tmp
+    if [ "$O_CYGNUS" = ON ]
+    then
+        NSS_VER_DIR=/cygdrive/w/nss/nss$NSSVER
+    else
+        NSS_VER_DIR=w:/nss/nss$NSSVER
+    fi
+    if [ ! -w $NSS_VER_DIR ]
+    then
+        Echo "Windows special... can't write in $NSS_VER_DIR"
+        if [ "$O_CYGNUS" = ON ]
+        then
+            NSS_VER_DIR=/cygdrive/u/nss/nss$NSSVER
+        else
+            NSS_VER_DIR="u:/nss/nss$NSSVER"
+        fi
+    else
+        Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+        return
+    fi
+
+    while [ ! -w $NSS_VER_DIR ]
+    do
+        if [ "$O_CRONFILE" = "ON" ] 
+        then
+            Exit "cant write in $NSS_VER_DIR" 
+        fi
+        Warning "cant write in $NSS_VER_DIR" 
+        Echo "input start directory (u:/nss, d:/src/nss, f:/shared/nss) "
+        read D
+        if [ -n "$D" ]
+        then
+            NSS_VER_DIR=$D/nss$NSSVER
+        fi
+    done
+    Debug "NSS_VER_DIR set to $NSS_VER_DIR"
+}
+
+########################### init_host ##################################
+# global shell function, sets required variables HOST and DOMSUF, and asks
+# the user if it has been set right
+########################################################################
+set_host()
+{
+    init_host
+}
+init_host()
+{
+    if [ `basename $0` != nssqa ] ; then
+        return
+    fi
+
+    init_host_done=0
+
+    if [ $DS_WAS_SET = FALSE ] #give chance to overwrite, espec. for NT
+    then
+        Debug "Domainname was not set..."
+        DOMSUF=`domainname 2>/dev/null`
+        if [ -z "$DOMSUF" ]
+        then
+            Debug "domainname command did not work ..."
+            DOMSUF=`echo $HOST | grep '\.' | sed -e "s/[^\.]*\.//"`
+    
+            if [ -z "$DOMSUF" ]
+            then
+                Debug "Domainname not part of the hostname"
+                DOMSUF=`cat /etc/defaultdomain 2>/dev/null`
+                if [ -z "$DOMSUF" ]
+                then
+                    Debug "Domainname needs to be hardcoded to red.iplanet.com"
+                    DOMSUF="red.iplanet.com"
+                fi
+            fi
+        fi
+    fi
+    case $HOST in
+        *\.*)
+            Debug "HOSTNAME $HOST contains Dot"
+            HOST=`echo $HOST | sed -e "s/\..*//"`
+            ;;
+    esac
+    if [ -z "$HOST" ]
+    then
+        HOST=`uname -n`
+        case $HOST in
+            *\.*)
+                Debug "HOSTNAME $HOST contains Dot"
+                HOST=`echo $HOST | sed -e "s/\..*//"`
+                ;;
+        esac
+    fi
+    if [ $O_DEBUG = "ON" ]
+    then
+        while [ $init_host_done -eq 0 ]
+        do
+            Echo
+            ask "DOMSUF=$DOMSUF, HOST=$HOST - OK", "y" "n" &&
+                init_host_done=1
+            if [ $init_host_done -eq 0 ]
+            then
+                Echo "input DOMSUF: "
+                read D
+                if [ -n "$D" ]
+                then
+                    DOMSUF=$D
+                fi
+                Echo "input HOST: "
+                read H
+                if [ -n "$H" ]
+                then
+                    HOST=$H
+                fi
+            fi
+        done
+    fi
+    export HOST DOMSUF
+    Debug "HOST: $HOST, DOMSUF: $DOMSUF"
+}
+
+#-----------------------------# UTILS #----------------------------------
+
+########################### qa_stat_get_sysinfo ########################
+# local shell function, tries to determine the QA operating system
+########################################################################
+qa_stat_get_sysinfo()
+{
+    case $1 in
+        ?*) REM_SYS=$1
+            GET_SYSINFO="rsh $1"
+            ;;
+        *)  REM_SYS=""
+            GET_SYSINFO=""
+            ;;
+    esac
+    QA_SYS=`$GET_SYSINFO uname -sr`
+    echo $QA_SYS | grep Linux >/dev/null &&
+              QA_RHVER=`$GET_SYSINFO cat /etc/redhat-release`
+    if [ -n "$QA_RHVER" ]
+    then
+        QA_OS=`echo $REM_SYS $QA_RHVER | sed -e "s/Red Hat /RH /" \
+                    -e "s/ release//"`
+    else
+        case $QA_SYS in
+            *SunOS*5.[89]*)
+                ISAINFO=`$GET_SYSINFO isainfo -v`
+                IS_64=`echo $ISAINFO | grep 64 >/dev/null && \
+                    echo 64 bit`
+                IS_I386=`echo $ISAINFO | grep i386 >/dev/null && \
+                    echo i86pc`
+                if [ -n "$IS_I386" ] ; then IS_64="$IS_I386"; fi;
+                if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+                ;;
+            *HP*)
+                IS_64=`$GET_SYSINFO getconf KERNEL_BITS |
+                    grep 64 >/dev/null && echo 64 bit`
+                if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+                ;;
+            *AIX*)
+                IS_64=`$GET_SYSINFO lslpp -l |
+                    grep "bos.64bit"> /dev/null && echo 64 bit`
+                if [ -z "$IS_64" ] ; then IS_64="32 bit"; fi;
+                ;;
+        esac
+        QA_OS=`echo "$REM_SYS $QA_SYS $IS_64"`
+    fi
+    if [ "$O_SILENT" != ON ] ; then
+        echo $QA_OS
+    fi
+    QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"`
+}
+
+################################### set_objdir #########################
+# global shell function, sets the object directories and DIST
+########################################################################
+set_objdir()
+{
+    Debug "set object dir"
+    OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name`
+    OS_ARCH=`cd ${TESTSCRIPTDIR}/common; gmake os_arch`
+    
+    #at this point $MASTERBUILD needs to be either NT or unix
+
+    set_daily_build_dirs
+    LOCALDIST_BIN=${LOCALDIST}/${OBJDIR}/bin
+    DIST=$LOCALDIST
+
+    if [ -z "${TEST_LEVEL}" ] ; then 
+        TEST_LEVEL=0
+    fi
+    bc ${TEST_LEVEL}   #set the path for the backward compatibility test
+
+    PATH_CONTAINS_BIN="TRUE"
+    export PATH_CONTAINS_BIN
+
+    export OBJDIR OS_ARCH LOCALDIST LOCALDIST_BIN DIST PATH 
+}
+
+########################### bc #########################################
+# global shell function , sets paths for the backward compatibility test
+########################################################################
+bc()
+{
+  if [ -n "$PRODUCT_TO_TEST" -a "$PRODUCT_TO_TEST" = "JSS" ] ; then
+      TESTDIR=${RESULTDIR}
+      BC_ACTION=""
+      DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+      return
+  fi
+  DON_T_SET_PATHS="TRUE"
+  case $1 in
+    0)
+      #unset TESTDIR
+      TESTDIR=${RESULTDIR}
+      if [ "$O_WIN" = "ON" -a "$O_CYGNUS" != ON ] ; then
+          PATH="$TESTSCRIPTDIR;$LOCALDIST_BIN;$BASEPATH"
+      else
+          PATH=$TESTSCRIPTDIR:$LOCALDIST_BIN:$BASEPATH
+      fi
+      BC_ACTION=""
+      DON_T_SET_PATHS="FALSE" #let init.sh override - FIXME - check if necessary
+      ;;
+    *)
+      if [ "$O_LOCAL" = "ON" ] ; then
+          Exit "FIXME Can't run backwardcompatibility tests locally yet"
+      fi
+      TESTSCRIPTDIR=${BCDIST}/../security/nss/tests
+      COMMON=${TESTSCRIPTDIR}/common
+      TESTDIR=${RESULTDIR}/bct
+      BC_ACTION="backward compatibility of binaries in $BC_MASTER to new libs"
+      BCDIST_BIN=${BCDIST}/${OBJDIR}/bin
+      LD_LIBRARY_PATH=${LOCALDIST}/${OBJDIR}/lib
+      if [ "$O_WIN" = "ON" ] ; then
+          if [ "$O_CYGNUS" = ON ] ; then
+              PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH:$LD_LIBRARY_PATH
+          else
+              PATH="$TESTSCRIPTDIR;$BCDIST_BIN;$BASEPATH;$LD_LIBRARY_PATH"
+          fi
+      else
+          PATH=$TESTSCRIPTDIR:$BCDIST_BIN:$BASEPATH
+      fi
+      Debug "1st stage of backward compatibility test"
+      ;;
+  esac
+  if [ -n "$TESTDIR" ] ; then
+      if [ ! -d $TESTDIR ] ; then
+          mkdir -p $TESTDIR
+      fi
+      export TESTDIR
+  fi
+  SHLIB_PATH=${LD_LIBRARY_PATH}
+  LIBPATH=${LD_LIBRARY_PATH}
+  Debug "PATH $PATH"
+  Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH"
+  export PATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
+  export DON_T_SET_PATHS BC_ACTION
+  export TESTSCRIPTDIR COMMON
+}
+
+########################### Ps #########################################
+# global shell function , attempts a platform specific ps
+########################################################################
+Ps()
+{
+#AIX, OSF ps -ef, solaris /usr/5bin/ps -ef, win ps -ef but no user id
+#linux ps -ef, HP
+
+    if [ $os_name = "SunOS" ]
+    then
+        /usr/5bin/ps -ef
+    else
+        ps -ef
+    fi
+}
+
+########################### kill_by_name ################################
+# global shell function , kills the process whose name is given as 
+# parameter 
+########################################################################
+kill_by_name()
+{
+    for PID in `Ps | grep "$1" | grep -v grep | \
+        sed -e "s/^ *//g" -e "s/^[^ ]* //" -e "s/^ *//g" -e "s/ .*//g"`
+    do
+        if [ $O_WIN = "ON" -a $O_CYGNUS = "ON" ]
+        then
+            ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+                grep -v grep | awk '{ print $1, $2, $6, $7, $8, $9 }' | \
+                sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+                "y" "n" && {
+                kill $PID
+                sleep 1
+                kill -9 $PID 2>/dev/null
+            }
+        else
+            ask "Do you want to kill Process $PID (`Ps | grep $PID | \
+                grep -v grep | awk '{ print $1, $2, $8, $9, $10, $11 }' | \
+                sed -e "s/[0-9]:[0-6][0-9]//g" | grep $PID `)" \
+                "y" "n" && {
+                kill $PID
+                sleep 1
+                kill -9 $PID 2>/dev/null
+            }
+        fi
+    done
+}
+
+############################### early_exit ###################################
+# global shell function , attempts a little more usefull user notification
+# of a complete failure
+########################################################################
+
+early_exit()
+{
+    if [ -z "$DOCDIR" ]
+    then
+        DOCDIR=`dirname $0`/../doc
+    fi
+    if [ -f $DOCDIR/QAerror.html ]
+    then
+        Debug "Found QA errorheader"
+        rm ${FILENAME}.err 2>/dev/null
+        cp $DOCDIR/QAerror.html ${FILENAME}.err
+        echo "$1" >>${FILENAME}.err
+        echo '</font></b></h1>' >>${FILENAME}.err
+        if [ -n "$FILENAME" -a -f "$FILENAME" ]
+        then
+            cat $FILENAME | sed -e "s/^/<br>/" >>${FILENAME}.err
+        fi
+        echo '</body></html>' >>${FILENAME}.err
+        cat ${FILENAME}.err | $RMAIL $MAILINGLIST
+        
+        rm ${FILENAME}.err 2>/dev/null
+        #echo "cat ${FILENAME}.err | $RMAIL $MAILINGLIST "
+    fi
+}
+
+############################### Exit ###################################
+# global shell function , central exiting point
+# cleanup: temporary files, kill the remaining selfservers if sourcing
+# script sets KILL_SELFSERV 
+########################################################################
+Exit()
+{
+    Echo $1    
+    if [ "$O_CRON" = "OFF" ] 
+    then
+        echo $1 >&2
+    fi
+    if [ -f "${KILLPIDS}" ]
+    then
+        Debug "Attempting to kill background processes...`cat ${KILLPIDS}`"
+        kill `cat "${KILLPIDS}"` 
+        sleep 1
+        kill -9  `cat "${KILLPIDS}"`
+    fi
+    if [ -n "${TMPFILES}" ]
+    then
+        Debug "rm -f ${TMPFILES}"
+        rm -f $TMPFILES 2>/dev/null
+    fi
+    O_ALWAYS_YES=ON # set to non-interactive - don't ask anymore questions here
+    if [ $KILL_SELFSERV = "ON" ]
+    then
+        kill_by_name selfserv
+    fi
+    if [ $O_MAIL_LINK = "ON" -a $O_FILE = "ON" ]
+    then
+        if [ $EARLY_EXIT = TRUE ]    #before the report file has been created
+        then
+            early_exit "$1"
+        else
+            head -3  $FILENAME >$ML_FILE
+            echo "Content-Type: text/plain; charset=us-ascii; format=flowed
+    Content-Transfer-Encoding: 7bit
+
+" >>$ML_FILE
+            echo $HREF_TMP_HTML_FILE >>$ML_FILE
+            cat $ML_FILE | $RMAIL $MAILINGLIST
+        fi
+
+#FIXME - early exit etc
+    elif [ $O_MAIL = "ON" -a $O_FILE = "ON" ]
+    then
+        if [ $EARLY_EXIT = TRUE ]    #before the report file has been created
+        then
+            early_exit "$1"
+        elif [ -n "$FILENAME" -a -f "$FILENAME" ]
+        then
+            cat $FILENAME | $RMAIL $MAILINGLIST
+        fi
+        #rm $FILENAME 2>/dev/null
+    elif  [ $O_MAIL = "ON" -a $EARLY_EXIT = TRUE ]
+    then
+        early_exit "$1"
+        rm $FILENAME 2>/dev/null
+    fi
+    #chmod a+rw ${RESULTDIR} ${RESULTDIR}/* ${RESULTDIR}/*/* &
+    if [ -n "$O_TBX" -a "$O_TBX" = "ON" ] ; then
+        rm ${TESTDIR}/QAstatus
+
+        if [ "$1" = "killed... cleaning up..." ] ; then
+            echo "QA killed" >${TESTDIR}/QAstatus
+        elif [ "$TBX_EXIT" = 0 ] ; then
+            echo "QA passed" >${TESTDIR}/QAstatus
+        else
+            echo "QA failed" >${TESTDIR}/QAstatus
+        fi
+
+        exit $TBX_EXIT
+         
+    else
+        exit
+    fi
+}
+
+trap "rm -f ${TMPFILES} 2>/dev/null; Exit 'killed... cleaning up...'" 2 3 15
+
+################################ Wait ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# uses the variables WAIT_FOR and WAIT_TIMES
+# WAIT_FOR: if waiting for an event sleep n seconds before rechecking 
+#     recomended value 10 minutes 600
+# WAIT_TIMES: recheck n times before giving up to prevent endless loop
+#     recomended 30 - total of 5h
+########################################################################
+
+Wait()
+{
+    i=0
+    Debug "Waiting for $1"
+    while [ $i -lt $WAIT_TIMES ]
+    do
+        i=`expr $i + 1`
+        if [ -f "$1" -a $2 -eq 1 ]   # if file exists and is supposed to 
+        then
+            return
+        fi
+        if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+        then
+            return
+        fi
+        Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds zzzz..."
+        sleep $WAIT_FOR
+    done
+    TOTAL=`expr $WAIT_TIMES \* $WAIT_FOR / 60`
+    Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+}
+
+################################ WaitForever ##################################
+# global shell function to wait for an event to happen, 1st parameter
+# filename to watch, 2nd parameter 0 - wait for it to disappear, 1 wait
+# for it to be created.
+# because we daon't have any relyable cron on NT...
+########################################################################
+
+WaitForever()
+{
+    i=0
+    Debug "Waiting for $1"
+    TOTAL=0
+    while [ 1 ]
+    do
+        i=`expr $i + 1`
+        if [ -f "$1" -a $2 -eq 1 ] # if file exists and is supposed to 
+        then
+            return
+        fi
+        if [ ! -f "$1" -a $2 -eq 0 ] # not exists and not supposed to exist
+        then
+            return
+        fi
+        Debug "Waiting for $1, loop #$i, about to sleep $WAIT_FOR seconds Total $TOTAL"
+        sleep $WAIT_FOR
+        TOTAL=`expr $i \* $WAIT_FOR / 60`
+        if [ -n "$MAX_FOREVER" ] # we are cheating. Forever can be very short...
+        then
+            if [ "$TOTAL" -gt "$MAX_FOREVER" ] 
+            then
+                Exit "I HAVE WAITED LONG ENOUGH FOR $1 NOW, I'M GONE! (THAT WAS A TOTAL OF $TOTAL MINUTES) I have better things to do... "
+            fi
+        fi
+    done
+}
+################################### is_running #########################
+# global shell function , implements primitive locking mechanism
+# filename is passed as a parameter, if filename.* exists we assume calling
+# script is running already and exit, otherwise filename.processid is 
+# created 
+########################################################################
+is_running()
+{
+    Debug "Testing if $0 is already running... file ${1} - ${1}.$$"
+    if [ -f ${1}.* ]
+    then
+        Exit "$0 seems to be running already ($1 exists) - Exiting"
+    fi
+    TMPFILES="$TMPFILES ${1}.$$"
+    echo "running $0 on `date` PID $$" >${1}.$$
+    Debug "wrote \"running $0 on `date` PID $$\" to ${1}.$$"
+    
+}
+
+#---------------------------# USERCOM #---------------------------------
+############################## Echo #####################################
+# global shell function , depending on the options the output gets written 
+# to a file, or is being discarded
+# FIXME  \n and \c are mistreates by differnet shells, and linux has /bin/echo
+# instead of /usr/bin/echo
+########################################################################
+Echo ()
+{
+    if [ $O_SILENT = OFF ]
+    then
+        echo "$*"
+        #/usr/bin/echo "$*"
+    fi
+    if [ $O_FILE = ON ]
+    then
+        echo "$*" >>$FILENAME
+    fi
+}
+
+################################### ask ################################
+# global shell function, Asks the a question, and gives the returns 0
+# on the 1st choice, 1 on the 2nd choice
+#
+# PARAMETERS:
+#    $1 question text
+#    $2 1st choice
+#    $3 2nd choice
+#
+# MODIFIERS:
+#    -y O_ALWAYS_YES will assume a first choice always (not neccessaryly "y")
+#
+# RETURN:
+#    0 - User picked 1st choice
+#    1 - User picked 2nd choice
+#
+# EXAMPLE
+#    ask "Would you like to continue" "y" "n" || Exit
+#        will produce the string "Would you like to continue (y/n) ?",
+#        read input from keyboard (or assume a yes with option -y)
+#        - on a yes it will return 0, on a no it will return 1, the 
+#        shell interprets it as error and the || Exit will be executed
+#
+# NOTE: NEVER use "n" as the second parameter - it will mess up -y
+#    don't ask "Continue" "n" "y" || Exit # it will Exit on a "y"
+#
+########################################################################
+Ask()
+{
+    ask $*
+}
+
+ask()
+{
+    if [ $O_ALWAYS_YES = ON ]
+    then
+        Echo "$1 ($2/$3) ?"
+        Echo "YES!"
+        return 0
+    fi
+    A=""
+    while [ 1 ]
+    do
+    
+        Echo "$1 ($2/$3) ?"
+        read A
+        if [ -n "$A" ]
+        then
+            if [ $A = $2 ]
+            then
+                return 0
+            elif [ $A = $3 ]
+            then
+                return 1
+            fi
+        fi
+    done
+    return 0
+}
+
+################################### Warning ############################
+# global shell function, Asks the user a "... continue? (y/n)" question, 
+# and exits when the user answers with no
+# NOTE -y will answer the warnings always with yes
+########################################################################
+Warning ()
+{
+    ask "WARNING: $0: \n $* continue " "y" "n" || Exit 
+}
+
+################################### Debug ############################
+# global shell function, when option -d Debugging output is written
+########################################################################
+Debug()
+{
+    if [ $O_DEBUG = ON ]
+    then
+        Echo "DEBUG: (`date +%H:%M`) $0: $*"
+    fi
+}
+
+################################### line ###############################
+# global shell function, supposed to make output more readable...
+########################################################################
+line()
+{
+Echo
+#Echo "======================================================================="
+#Echo
+}
+
+################################### opt_usage ##########################
+# global shell function, tells user about available options
+########################################################################
+opt_usage()
+{
+  if [ $O_OPTIONS = "ON" ]
+  then
+    Echo
+    line
+    Echo
+    Echo "    -y answer all questions with y - use at your own risk..."
+    Echo "    -s silent (only usefull with -y)"
+    Echo "    -h, -? - you guessed right - displays this text"
+    Echo "    -d debug"
+    Echo "    -f <filename> - write the (error)output to filename"
+    Echo "    -fcronfile produces the resultfiles in the same locations"
+    Echo "        as would have been produced with -cron"
+    Echo "    -m <mailinglist> - send filename to mailinglist (csl "
+    Echo "         example sonmi,nelsonb,wtc) only useful with -f"
+    Echo "    -ml <mailinglist> - send link to filename to mailinglist "
+    Echo "         (csl example sonmi,nelsonb,wtc) only useful with -f"
+    Echo "    -cron equivalient to -y -s -d -f \$RESULTDIR/\$HOST.nssqa"
+    Echo "    -t run on a tinderbox build (included -cron)"
+    if [ `basename $0` = nssqa ] ; then
+        Echo "    -l <mozroot> run on a local build"
+        Echo "    -ln <mozroot> copy a networkbuild to a local directory "
+        Echo "        mozroot,  used for networkindipendend QA "
+        Echo "    -lt try to copy a networkbuild to a local directory, if"
+        Echo "        not possible run on the network
+        Echo "        used for networkindipendend QA
+    fi
+#
+# special strings
+  fi
+    
+}
+
+################################### glob_usage #########################
+# global shell function, how to use the calling script (parameters, options)
+########################################################################
+glob_usage()
+{
+    line
+    Echo $1
+    Echo
+    if [ $O_OPTIONS = "ON" ]
+    then
+        Echo "usage $0 [options] nssversion builddate"
+    else
+        Echo "usage $0 nssversion builddate"
+    fi
+        
+    Echo " for example: $0 30b 0926"
+    Echo "     $0 31 1002"
+    opt_usage
+    Echo
+    Exit "$1"
+}
+
+tell()
+{
+    if [ $O_SILENT = OFF ]
+    then
+        line
+        pwd
+        ls -CF
+        line
+    fi
+    if [ $O_FILE = ON ]
+    then
+        line
+        pwd >>$FILENAME
+        ls -CF >>$FILENAME
+        line 
+    fi
+}
+
+if [ $O_INIT = "ON" ]
+then
+    glob_init $*
+fi
+EARLY_EXIT=FALSE
diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh
new file mode 100644
index 000000000..89867e8f1
--- /dev/null
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -0,0 +1,437 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/cert_iopr.sh
+#
+# Certificate generating and handeling for NSS interoperability QA. This file
+# is included from cert.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+
+IOPR_CERT_SOURCED=1
+
+########################################################################
+# function wraps calls to pk12util, also: writes action and options
+# to stdout. 
+# Params are the same as to pk12util.
+# Returns pk12util status
+#
+pk12u()
+{
+    echo "${CU_ACTION} --------------------------"
+
+    echo "pk12util $@"
+    ${BINDIR}/pk12util $@
+    RET=$?
+
+    return $RET
+}
+
+########################################################################
+# Initializes nss db directory and files if they don't exists
+# Params:
+#      $1 - directory location
+#
+createDBDir() {
+    trgDir=$1
+
+    if [ -z "`ls $trgDir | grep db`" ]; then
+        trgDir=`cd ${trgDir}; pwd`
+        if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+			trgDir=`cygpath -m ${trgDir}`
+        fi
+
+        CU_ACTION="Initializing DB at ${trgDir}"
+        certu -N -d "${trgDir}" -f "${R_PWFILE}" 2>&1
+        if [ "$RET" -ne 0 ]; then
+            return $RET
+        fi
+
+        CU_ACTION="Loading root cert module to Cert DB at ${trgDir}"
+        modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${trgDir}" 2>&1
+        if [ "$RET" -ne 0 ]; then
+            return $RET
+        fi
+    fi
+}
+########################################################################
+# takes care of downloading config, cert and crl files from remote
+# location. 
+# Params:
+#      $1 - name of the host file will be downloaded from
+#      $2 - path to the file as it appeared in url
+#      $3 - target directory the file will be saved at.
+# Returns tstclnt status.
+#
+download_file() {
+    host=$1
+    filePath=$2
+    trgDir=$3
+
+    file=$trgDir/`basename $filePath`
+
+    createDBDir $trgDir || return $RET
+
+#    echo wget -O $file http://${host}${filePath}
+#    wget -O $file http://${host}${filePath}
+#    ret=$?
+
+    req=$file.$$
+    echo "GET $filePath HTTP/1.0" > $req
+    echo >> $req
+
+    echo ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+        -w ${R_PWFILE} -o 
+    ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \
+        -w ${R_PWFILE} -o < $req > $file
+    ret=$?
+    rm -f $_tmp;
+    return $ret
+}
+
+########################################################################
+# Uses pk12util, certutil of cerlutil to import files to an nss db located
+# at <dir>(the value of $1 parameter). Chooses a utility to use based on
+# a file extension. Initializing a db if it does not exists.
+# Params:
+#      $1 - db location directory
+#      $2 - file name to import
+#      $3 - nick name an object in the file will be associated with
+#      $4 - trust arguments 
+# Returns status of import
+#      
+importFile() {
+    dir=$1\
+    file=$2
+    certName=$3
+    certTrust=$4
+
+    [ ! -d $dir ] && mkdir -p $dir;
+
+    createDBDir $dir || return $RET
+            
+    case `basename $file | sed 's/^.*\.//'` in
+        p12)
+            CU_ACTION="Importing p12 $file to DB at $dir"
+            pk12u -d $dir -i $file -k ${R_PWFILE} -W iopr
+            [ $? -ne 0 ] && return 1
+            CU_ACTION="Modifying trust for cert $certName at $dir"
+            certu -M -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}"
+            return $?
+            ;;
+        
+        crl) 
+            CU_ACTION="Importing crl $file to DB at $dir"
+            crlu -d ${dir} -I -n TestCA -i $file
+            return $?
+            ;;
+
+        crt | cert)
+            CU_ACTION="Importing cert $certName with trust $certTrust to $dir"
+            certu -A -n "$certName" -t "$certTrust" -f "${R_PWFILE}" -d "${dir}" \
+                -i "$file"
+            return $?
+            ;;
+
+        *)
+            echo "Unknown file extension: $file:"
+            return 1
+            ;;
+    esac
+}
+
+
+#########################################################################
+# Downloads and installs test certs and crl from a remote webserver.
+# Generates server cert for reverse testing if reverse test run is turned on.
+# Params:
+#      $1 - host name to download files from.
+#      $2 - directory at which CA cert will be installed and used for
+#           signing a server cert.
+#      $3 - path to a config file in webserver context.
+#      $4 - ssl server db location
+#      $5 - ssl client db location
+#      $5 - ocsp client db location
+#
+# Returns 0 upon success, otherwise, failed command error code.
+#
+download_install_certs() {
+    host=$1
+    caDir=$2
+    confPath=$3
+    sslServerDir=$4
+    sslClientDir=$5
+    ocspClientDir=$6
+
+    [ ! -d "$caDir" ] && mkdir -p $caDir;
+
+    #=======================================================
+    # Getting config file
+    #
+    download_file $host "$confPath/iopr_server.cfg" $caDir
+    RET=$?
+    if [ $RET -ne 0 -o ! -f $caDir/iopr_server.cfg ]; then
+        html_failed "Fail to download website config file(ws: $host)" 
+        return 1
+    fi
+
+    . $caDir/iopr_server.cfg
+    RET=$?
+    if [ $RET -ne 0 ]; then
+        html_failed "Fail to source config file(ws: $host)" 
+        return $RET
+    fi
+
+    #=======================================================
+    # Getting CA file
+    #
+
+    #----------------- !!!WARNING!!! -----------------------
+    # Do NOT copy this scenario. CA should never accompany its
+    # cert with the private key when deliver cert to a customer.
+    #----------------- !!!WARNING!!! -----------------------
+
+    download_file $host $certDir/$caCertName.p12 $caDir
+    RET=$?
+    if [ $RET -ne 0 -o ! -f $caDir/$caCertName.p12 ]; then
+        html_failed "Fail to download $caCertName cert(ws: $host)" 
+        return 1
+    fi
+    tmpFiles="$caDir/$caCertName.p12"
+
+    importFile $caDir $caDir/$caCertName.p12 $caCertName "TC,C,C"
+    RET=$?
+    if [ $RET -ne 0 ]; then
+        html_failed "Fail to import $caCertName cert to CA DB(ws: $host)" 
+        return $RET
+    fi
+
+    CU_ACTION="Exporting Root CA cert(ws: $host)"
+    certu -L -n $caCertName -r -d ${caDir} -o $caDir/$caCertName.cert 
+    if [ "$RET" -ne 0 ]; then
+        Exit 7 "Fatal - failed to export $caCertName cert"
+    fi
+
+    #=======================================================
+    # Check what tests we want to run
+    #
+    doSslTests=0; doOcspTests=0
+    # XXX remove "_new" from variables below
+    [ -n "`echo ${supportedTests_new} | grep -i ssl`" ] && doSslTests=1
+    [ -n "`echo ${supportedTests_new} | grep -i ocsp`" ] && doOcspTests=1
+
+    if [ $doSslTests -eq 1 ]; then
+        if [ "$reverseRunCGIScript" ]; then
+            [ ! -d "$sslServerDir" ] && mkdir -p $sslServerDir;
+            #=======================================================
+            # Import CA cert to server DB
+            #
+            importFile $sslServerDir $caDir/$caCertName.cert server-client-CA \
+                        "TC,C,C"
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import server-client-CA cert to \
+                             server DB(ws: $host)" 
+                return $RET
+            fi
+            
+            #=======================================================
+            # Creating server cert
+            #
+            CERTNAME=$HOSTADDR
+            
+            CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
+            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
+                        L=Mountain View, ST=California, C=US"
+            certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
+                -o $sslServerDir/req 2>&1
+            tmpFiles="$tmpFiles $sslServerDir/req"
+
+            # NOTE:
+            # For possible time synchronization problems (bug 444308) we generate
+            # certificates valid also some time in past (-w -1)
+
+            CU_ACTION="Sign ${CERTNAME}'s Request (ws: $host)"
+            certu -C -c "$caCertName" -m `date +"%s"` -v 60 -w -1 \
+                -d "${caDir}" \
+                -i ${sslServerDir}/req -o $caDir/${CERTNAME}.cert \
+                -f "${R_PWFILE}" 2>&1
+            
+            importFile $sslServerDir $caDir/$CERTNAME.cert $CERTNAME ",,"
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import $CERTNAME cert to server\
+                             DB(ws: $host)" 
+                return $RET
+            fi
+            tmpFiles="$tmpFiles $caDir/$CERTNAME.cert"
+            
+            #=======================================================
+            # Download and import CA crl to server DB
+            #
+            download_file $host "$certDir/$caCrlName.crl" $sslServerDir
+            RET=$?
+            if [ $? -ne 0 ]; then
+                html_failed "Fail to download $caCertName crl\
+                             (ws: $host)" 
+                return $RET
+            fi
+            tmpFiles="$tmpFiles $sslServerDir/$caCrlName.crl"
+            
+            importFile $sslServerDir $sslServerDir/TestCA.crl
+            RET=$?
+            if [ $RET -ne 0 ]; then
+                html_failed "Fail to import TestCA crt to server\
+                             DB(ws: $host)" 
+                return $RET
+            fi
+        fi # if [ "$reverseRunCGIScript" ]
+        
+        [ ! -d "$sslClientDir" ] && mkdir -p $sslClientDir;
+        #=======================================================
+        # Import CA cert to ssl client DB
+        #
+        importFile $sslClientDir $caDir/$caCertName.cert server-client-CA \
+                   "TC,C,C"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import server-client-CA cert to \
+                         server DB(ws: $host)" 
+            return $RET
+        fi
+    fi
+
+    if [ $doOcspTests -eq 1 ]; then
+        [ ! -d "$ocspClientDir" ] && mkdir -p $ocspClientDir;
+        #=======================================================
+        # Import CA cert to ocsp client DB
+        #
+        importFile $ocspClientDir $caDir/$caCertName.cert server-client-CA \
+                   "TC,C,C"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import server-client-CA cert to \
+                         server DB(ws: $host)" 
+            return $RET
+        fi
+    fi
+
+    #=======================================================
+    # Import client certs to client DB
+    #
+    for fileName in $downloadFiles; do
+        certName=`echo $fileName | sed 's/\..*//'`
+
+        if [ -n "`echo $certName | grep ocsp`" -a $doOcspTests -eq 1 ]; then
+            clientDir=$ocspClientDir
+        elif [ $doSslTests -eq 1 ]; then
+            clientDir=$sslClientDir
+        else
+            continue
+        fi
+
+        download_file $host "$certDir/$fileName" $clientDir
+        RET=$?
+        if [ $RET -ne 0 -o ! -f $clientDir/$fileName ]; then
+            html_failed "Fail to download $certName cert(ws: $host)" 
+            return $RET
+        fi
+        tmpFiles="$tmpFiles $clientDir/$fileName"
+        
+        importFile $clientDir $clientDir/$fileName $certName ",,"
+        RET=$?
+        if [ $RET -ne 0 ]; then
+            html_failed "Fail to import $certName cert to client DB\
+                        (ws: $host)" 
+            return $RET
+        fi
+    done
+
+    rm -f $tmpFiles
+
+    return 0
+}
+
+
+#########################################################################
+# Initial point for downloading config, cert, crl files for multiple hosts
+# involved in interoperability testing. Called from nss/tests/cert/cert.sh
+# It will only proceed with downloading if environment variable 
+# IOPR_HOSTADDR_LIST is set and has a value of host names separated by space.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise. 
+#
+cert_iopr_setup() {
+
+    if [ "$IOPR" -ne 1 ]; then
+        return 1
+    fi
+    num=1
+    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f 1 -d' '`
+    while [ "$IOPR_HOST_PARAM" ]; do
+        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+        IOPR_DOWNLOAD_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+        [ -z "$IOPR_DOWNLOAD_PORT" ] && IOPR_DOWNLOAD_PORT=443
+        IOPR_CONF_PATH=`echo "$IOPR_HOST_PARAM:" | cut -f 3 -d':'`
+        [ -z "$IOPR_CONF_PATH" ] && IOPR_CONF_PATH="/iopr"
+        
+        echo "Installing certs for $IOPR_HOSTADDR:$IOPR_DOWNLOAD_PORT:\
+              $IOPR_CONF_PATH"
+        
+        download_install_certs ${IOPR_HOSTADDR} ${IOPR_CADIR}_${IOPR_HOSTADDR} \
+            ${IOPR_CONF_PATH} ${IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR} \
+            ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR} \
+            ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+        if [ $? -ne 0 ]; then
+            echo "wsFlags=\"NOIOPR $wsParam\"" >> \
+                ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+        fi
+        num=`expr $num + 1`
+        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+    done
+    
+    return 0
+}
diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh
new file mode 100644
index 000000000..bf1c6e5bb
--- /dev/null
+++ b/security/nss/tests/iopr/ocsp_iopr.sh
@@ -0,0 +1,263 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ocsp_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+IOPR_OCSP_SOURCED=1
+
+########################################################################
+# The funtion works with variables defined in interoperability 
+# configuration file that gets downloaded from a webserver.
+# The function sets test parameters defind for a particular type
+# of testing.
+#
+# No return value
+#
+setTestParam() {
+    type=$1
+    testParam=`eval 'echo $'${type}Param`
+    testDescription=`eval 'echo $'${type}Descr`
+    testProto=`eval 'echo $'${type}Proto`
+    testPort=`eval 'echo $'${type}Port`
+    testResponder=`eval 'echo $'${type}ResponderCert`
+    testValidCertNames=`eval 'echo $'${type}ValidCertNames`
+    testRevokedCertNames=`eval 'echo $'${type}RevokedCertNames`
+    testStatUnknownCertNames=`eval 'echo $'${type}StatUnknownCertNames`
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+#    dbDir - nss cert db location
+#    cert - cert in question
+#    respUrl - responder url is available 
+#    defRespCert - trusted responder cert
+#
+# Return values:
+#    0 - test passed, 1 - otherwise.
+#
+ocsp_get_cert_status() {
+    dbDir=$1
+    cert=$2
+    respUrl=$3
+    defRespCert=$4
+    
+    if [ -n "$respUrl" -o -n "$defRespCert" ]; then
+        if [ -z "$respUrl" -o -z "$defRespCert" ]; then
+            html_failed "Incorrect test params" 
+            return 1
+        fi
+        clntParam="-l $respUrl -t $defRespCert"
+    fi
+
+    if [ -z "${MEMLEAK_DBG}" ]; then
+        outFile=$dbDir/ocsptest.out.$$
+        echo "ocspclnt -d $dbDir -S $cert $clntParam"
+        ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1
+        ret=$?
+        echo "ocspclnt output:"
+        cat $outFile
+        [ -z "`grep succeeded $outFile`" ] && ret=1
+    
+        rm -f $outFile
+        return $ret
+    fi
+
+    OCSP_ATTR="-d $dbDir -S $cert $clntParam"
+    ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR}
+}
+
+########################################################################
+# The funtion checks status of a cert using ocspclnt.
+# Params:
+#    testType - type of the test based on type of used responder
+#    servName - FQDM of the responder server
+#    dbDir - nss cert db location
+#
+# No return value
+#
+ocsp_iopr() {
+    testType=$1
+    servName=$2
+    dbDir=$3
+
+    setTestParam $testType
+    if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+        echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+            "run by server configuration"
+        return 0
+    fi
+    
+    if [ -z "${MEMLEAK_DBG}" ]; then
+        html_head "OCSP testing with responder at $IOPR_HOSTADDR. <br>" \
+            "Test Type: $testDescription"
+    fi
+
+    if [ -n "$testResponder" ]; then
+        responderUrl="$testProto://$servName:$testPort"
+    else
+        responderUrl=""
+    fi
+
+    if [ -z "${MEMLEAK_DBG}" ]; then
+        for certName in $testValidCertNames; do
+            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+                "$testResponder"
+            html_msg $? 0 "Getting status of a valid cert ($certName)" \
+                "produced a returncode of $ret, expected is 0."
+        done
+
+        for certName in $testRevokedCertNames; do
+            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+                "$testResponder"
+            html_msg $? 1 "Getting status of a unvalid cert ($certName)" \
+                "produced a returncode of $ret, expected is 1." 
+        done
+
+        for certName in $testStatUnknownCertNames; do
+            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+                "$testResponder"
+            html_msg $? 1 "Getting status of a cert with unknown status " \
+                        "($certName) produced a returncode of $ret, expected is 1."
+        done
+    else
+        for certName in $testValidCertNames $testRevokedCertNames \
+            $testStatUnknownCertName; do
+            ocsp_get_cert_status $dbDir $certName "$responderUrl" \
+                "$testResponder" 
+        done
+    fi
+}
+  
+#####################################################################
+# Initial point for running ocsp test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ocsp/ocsp.sh
+# It will only proceed with test run for a specific host if environment variable 
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise. 
+#
+ocsp_iopr_run() {
+    NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+    if [ "$IOPR" -ne 1 ]; then
+        return 1
+    fi
+    cd ${CLIENTDIR}
+
+    if [ -n "${MEMLEAK_DBG}" ]; then
+        html_head "Memory leak checking - IOPR"
+    fi
+
+    num=1
+    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+    while [ "$IOPR_HOST_PARAM" ]; do
+        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+        IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+        [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+        
+        . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+        RES=$?
+        
+        num=`expr $num + 1`
+        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+
+        if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+            continue
+        fi
+        
+        #=======================================================
+        # Check what server is configured to run ssl tests
+        #
+        [ -z "`echo ${supportedTests_new} | grep -i ocsp`" ] && continue;
+
+        # Testing directories defined by webserver.
+        if [ -n "${MEMLEAK_DBG}" ]; then
+            LOGNAME=iopr-${IOPR_HOSTADDR}
+            LOGFILE=${LOGDIR}/${LOGNAME}.log
+        fi
+       
+        # Testing directories defined by webserver.
+        echo "Testing ocsp interoperability.
+                Client: local(tstclnt).
+                Responder: remote($IOPR_HOSTADDR)"
+
+        for ocspTestType in ${supportedTests_new}; do
+            if [ -z "`echo $ocspTestType | grep -i ocsp`" ]; then
+                continue
+            fi
+            if [ -n "${MEMLEAK_DBG}" ]; then
+                ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+                    ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR} 2>> ${LOGFILE}
+            else
+                ocsp_iopr $ocspTestType ${IOPR_HOSTADDR} \
+                    ${IOPR_OCSP_CLIENTDIR}_${IOPR_HOSTADDR}
+            fi
+        done
+
+        if [ -n "${MEMLEAK_DBG}" ]; then
+            log_parse
+            ret=$?
+            html_msg ${ret} 0 "${LOGNAME}" \
+                "produced a returncode of $ret, expected is 0"
+        fi
+
+        echo "================================================"
+        echo "Done testing ocsp interoperability with $IOPR_HOSTADDR"
+    done
+
+    if [ -n "${MEMLEAK_DBG}" ]; then
+        html "</TABLE><BR>"
+    fi
+
+    NO_ECC_CERTS=0
+    return 0
+}
+
diff --git a/security/nss/tests/iopr/server_scr/apache_unix.cfg b/security/nss/tests/iopr/server_scr/apache_unix.cfg
new file mode 100644
index 000000000..b0f6c1b00
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/apache_unix.cfg
@@ -0,0 +1,43 @@
+#
+# Apache OPENSSL configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "openssl";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "$certDir/cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed openssl binary
+#
+$opensslb = "/usr/local/bin/openssl";
+
+
+#
+# General location of apache server
+#
+$apacheHttpd="/var/httpd-ssl";
+
+#
+# HTTP Request file
+#
+$reqFile = "$apacheHttpd/cgi-bin/sslreq.dat";
+
+#
+# OpenSSL certificate directory
+#
+$certDir = "$apacheHttpd/cert";
+
+#
+# CA certificate file
+#
+$caCertFile = "$certDir/serverCA.crt";
diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh
new file mode 100644
index 000000000..4be1e1d25
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -0,0 +1,363 @@
+#!/bin/sh    
+
+######################################################################################
+# Server and client certs and crl generator functions. Generated files placed in a <dir>
+# directory to be accessible through http://<webserver>/iopr/TestCA.crt directory.
+# This functions is used for manual webserver configuration and it is not a part of
+# nss test run.
+# To create certs use the following command:
+#       sh cert_iopr.sh cert_gen <dir> <cert name> [cert req]
+# Where:
+#       dir - directory where to place created files
+#       cert name - name of created server cert(FQDN)
+#       cert req  - cert request to be used for cert generation.
+#
+repAndExec() {
+    echo
+    if [ "$1" = "certutil" -a "$2" = "-R" -o "$2" = "-S" ]; then
+        shift
+        echo certutil -s "$CU_SUBJECT" $@
+        certutil -s "$CU_SUBJECT" $@
+        RET=$?
+    else
+        echo $@
+        $@
+        RET=$?
+    fi
+
+    return $RET
+}
+
+setExtData() {
+    extData=$1
+
+    fldNum=0
+    extData=`echo $extData | sed 's/,/ /g'`
+    for extDT in $extData; do
+        if [ $fldNum -eq 0 ]; then
+            eval extType=$extDT
+            fldNum=1
+            continue
+        fi
+        eval data${fldNum}=$extDT
+        fldNum=`expr $fldNum + 1`
+    done
+}
+
+signCert() {
+    dir=$1
+    crtDir=$2
+    crtName=$3
+    crtSN=$4
+    req=$5
+    cuAddParam=$6
+    extList=$7
+
+    if [ -z "$certSigner" ]; then
+        certSigner=TestCA
+    fi
+
+    extCmdLine=""
+    extCmdFile=$dir/extInFile; rm -f $extCmdFile
+    touch $extCmdFile
+    extList=`echo $extList | sed 's/;/ /g'`
+    for ext in $extList; do
+        setExtData $ext
+        [ -z "$extType" ] && echo "incorrect extention format" && return 1
+        case $extType in
+        ocspDR)
+                extCmdLine="$extCmdLine -6"
+                cat <<EOF >> $extCmdFile
+5
+9
+y
+EOF
+                break
+                exit 1
+                ;;
+        AIA)    
+                extCmdLine="$extCmdLine -9"
+                cat <<EOF >> $extCmdFile
+2
+7
+$data1
+0
+n
+n
+EOF
+                break
+                ;;
+            *)
+                echo "Unsupported extension type: $extType"
+                break
+                ;;
+        esac
+    done
+    echo "cmdLine: $extCmdLine"
+    echo "cmdFile: "`cat $extCmdFile`
+    repAndExec \
+        certutil $cuAddParam -C -c $certSigner -m $crtSN -v 599 -d "${dir}" \
+        -i $req -o "$crtDir/${crtName}.crt" -f "${PW_FILE}" $extCmdLine <$extCmdFile 2>&1
+    return $RET
+}
+
+createSignedCert() {
+    dir=$1
+    certDir=$2
+    certName=$3
+    certSN=$4
+    certSubj=$5
+    keyType=$6
+    extList=$7
+
+    echo Creating cert $certName-$keyType with SN=$certSN
+
+    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    repAndExec \
+        certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
+                  -k $keyType -o $dir/req  2>&1
+    [ "$RET" -ne 0 ] && return $RET
+
+    signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    rm -f $dir/req
+
+    repAndExec \
+        certutil -A -n ${certName}-$keyType -t "u,u,u" -d "${dir}" -f "${PW_FILE}" \
+                    -i "$dir/${certName}-$keyType.crt" 2>&1
+    [ "$RET" -ne 0 ] && return $RET
+
+    cp "$dir/${certName}-$keyType.crt" $certDir
+
+    repAndExec \
+        pk12util -d $dir -o $certDir/$certName-$keyType.p12 -n ${certName}-$keyType \
+                     -k ${PW_FILE} -W iopr
+    [ "$RET" -ne 0 ] && return $RET
+    return 0
+}
+
+generateAndExportSSLCerts() {
+    dir=$1
+    certDir=$2
+    serverName=$3
+    servCertReq=$4
+
+    if [ "$servCertReq" -a -f $servCertReq ]; then
+        grep REQUEST $servCertReq >/dev/null 2>&1
+        signCert $dir $certDir ${serverName}_ext 501 $servCertReq `test $? -eq 0 && echo -a`
+        ret=$?
+        [ "$ret" -ne 0 ] && return $ret
+    fi
+
+    certName=$serverName
+    createSignedCert $dir $certDir $certName 500 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    createSignedCert $dir $certDir $certName 501 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+   
+    certName=TestUser510
+    createSignedCert $dir $certDir $certName 510 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser511
+    createSignedCert $dir $certDir $certName 511 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser512
+    createSignedCert $dir $certDir $certName 512 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=TestUser513
+    createSignedCert $dir $certDir $certName 513 "$certSubj" dsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+}
+
+generateAndExportOCSPCerts() {
+    dir=$1
+    certDir=$2
+
+    certName=ocspTrustedResponder
+    createSignedCert $dir $certDir $certName 525 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDesignatedResponder
+    createSignedCert $dir $certDir $certName 526 "$certSubj" rsa ocspDR
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspTRTestUser514
+    createSignedCert $dir $certDir $certName 514 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspTRTestUser516
+    createSignedCert $dir $certDir $certName 516 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCATestUser518
+    createSignedCert $dir $certDir $certName 518 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCATestUser520
+    createSignedCert $dir $certDir $certName 520 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRTestUser522
+    createSignedCert $dir $certDir $certName 522 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRTestUser524
+    createSignedCert $dir $certDir $certName 524 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    generateAndExportCACert $dir "" TestCA-unknown
+    [ $? -ne 0 ] && return $ret
+    
+    certSigner=TestCA-unknown
+    
+    certName=ocspTRUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 531 "$certSubj" rsa
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspRCAUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 532 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2561
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certName=ocspDRUnkownIssuerCert
+    createSignedCert $dir $certDir $certName 533 "$certSubj" rsa \
+        AIA,http://dochinups.red.iplanet.com:2562
+    ret=$?
+    [ "$ret" -ne 0 ] && return $ret
+
+    certSigner=""
+    
+    return 0
+}
+
+generateAndExportCACert() {
+    dir=$1
+    certDirL=$2
+    caName=$3
+
+    certName=TestCA
+    [ "$caName" ] && certName=$caName
+    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    repAndExec \
+        certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
+        -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
+5
+6
+9
+n
+y
+-1
+n
+EOF
+
+    if [ "$certDirL" ]; then
+        repAndExec \
+            certutil -L -n $certName -r -d ${dir} -o $certDirL/$certName.crt 
+        [ "$RET" -ne 0 ] && return $RET
+        
+        repAndExec \
+            pk12util -d $dir -o $certDirL/$certName.p12 -n $certName -k ${PW_FILE} -W iopr
+        [ "$RET" -ne 0 ] && return $RET
+    fi
+}
+
+
+generateCerts() {
+    certDir=$1
+    serverName=$2
+    reuseCACert=$3
+    servCertReq=$4
+    
+    [ -z "$certDir" ] && echo "Cert directory should not be empty" && exit 1
+    [ -z "$serverName" ] && echo "Server name should not be empty" && exit 1
+
+    mkdir -p $certDir
+    [ $? -ne 0 ] && echo "Can not create dir: $certDir" && exit 1
+    
+
+    dir=/tmp/db.$$
+    if [ -z "$reuseCACert" ]; then
+        if [ -d "$dir" ]; then
+            rm -f $dir
+        fi
+   
+        PW_FILE=$dir/nss.pwd
+        NOISE_FILE=$dir/nss.noise
+
+        mkdir -p $dir
+        [ $? -ne 0 ] && echo "Can not create dir: $dir" && exit 1
+        
+        echo nss > $PW_FILE
+        date >> ${NOISE_FILE} 2>&1
+        
+        repAndExec \
+            certutil -d $dir -N -f $PW_FILE
+        [ "$RET" -ne 0 ] && return $RET
+        
+        generateAndExportCACert $dir $certDir
+        [ "$RET" -ne 0 ] && return $RET
+    else
+        dir=$reuseCACert
+        PW_FILE=$dir/nss.pwd
+        NOISE_FILE=$dir/nss.noise
+        hasKey=`repAndExec certutil -d $dir -L | grep TestCA | grep CTu`
+        [ -z "$hasKey" ] && echo "reuse CA cert has not priv key" && \
+            return $RET;
+    fi
+
+    generateAndExportSSLCerts $dir $certDir $serverName $servCertReq
+    [ "$RET" -ne 0 ] && return $RET
+
+    generateAndExportOCSPCerts $dir $certDir
+    [ "$RET" -ne 0 ] && return $RET
+
+    crlUpdate=`date +%Y%m%d%H%M%SZ`
+    crlNextUpdate=`echo $crlUpdate | sed 's/20/21/'`
+    repAndExec \
+        crlutil -d $dir -G -n "TestCA" -f ${PW_FILE} -o $certDir/TestCA.crl <<EOF_CRLINI
+update=$crlUpdate
+nextupdate=$crlNextUpdate
+addcert 509-511 $crlUpdate
+addcert 516 $crlUpdate
+addcert 520 $crlUpdate
+addcert 524 $crlUpdate
+EOF_CRLINI
+    [ "$RET" -ne 0 ] && return $RET
+
+    rm -rf $dir
+    return 0
+}
+
+
+if [ -z "$1" -o -z "$2" ]; then
+    echo "$0 <dest dir> <server cert name> [reuse CA cert] [cert req]"
+    exit 1
+fi
+generateCerts $1 $2 "$3" $4
+exit $?
diff --git a/security/nss/tests/iopr/server_scr/cipher.list b/security/nss/tests/iopr/server_scr/cipher.list
new file mode 100644
index 000000000..09ad0362b
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/cipher.list
@@ -0,0 +1,131 @@
+nss                                      openssl                    iis 
+
+#
+# SSL v3.0 cipher suites.
+#
+SSL3_RSA_WITH_NULL_MD5                   NULL-MD5                   i
+SSL3_RSA_WITH_NULL_SHA                   NULL-SHA                   z
+SSL3_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5                f
+SSL3_RSA_WITH_RC4_128_MD5                RC4-MD5                    c
+SSL3_RSA_WITH_RC4_128_SHA                RC4-SHA                    n
+SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5            g
+SSL3_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA            
+SSL3_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA                e
+SSL3_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA               d
+
+SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not_implemented.
+SSL3_DH_DSS_WITH_DES_CBC_SHA             Not_implemented.
+SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not_implemented.
+SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not_implemented.
+SSL3_DH_RSA_WITH_DES_CBC_SHA             Not_implemented.
+SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not_implemented.
+SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+SSL3_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA            s
+SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA       q
+SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+SSL3_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+SSL3_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+SSL3_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+SSL3_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+SSL3_FORTEZZA_KEA_WITH_NULL_SHA          Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not_implemented.
+SSL3_FORTEZZA_KEA_WITH_RC4_128_SHA       Not_implemented.
+
+#
+# Next four added to have ciphers below for SSL3 protocol
+#
+SSL3_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
+SSL3_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
+
+SSL3_RSA_EXPORT_WITH_DES_CBC_SHA         EXP1024-DES-CBC-SHA        l
+SSL3_RSA_EXPORT_WITH_RC4_56_SHA          EXP1024-RC4-SHA            m
+
+#
+#TLS v1.0 cipher suites.
+#
+TLS_RSA_WITH_NULL_MD5                   NULL-MD5
+TLS_RSA_WITH_NULL_SHA                   NULL-SHA
+TLS_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
+TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+
+TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not_implemented.
+TLS_DH_DSS_WITH_DES_CBC_SHA             Not_implemented.
+TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not_implemented.
+TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not_implemented.
+TLS_DH_RSA_WITH_DES_CBC_SHA             Not_implemented.
+TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not_implemented.
+TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+TLS_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+#
+#AES ciphersuites from RFC3268, extending TLS v1.0
+#
+
+TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
+TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
+
+TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
+TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
+TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
+TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
+
+TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
+TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
+
+TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
+TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA
+
+#
+#Additional Export 1024 and other cipher suites
+#
+#Note: these ciphers can also be used in SSL v3.
+#
+TLS_RSA_EXPORT_WITH_DES_CBC_SHA         EXP1024-DES-CBC-SHA
+TLS_RSA_EXPORT_WITH_RC4_56_SHA          EXP1024-RC4-SHA
+TLS_DHE_DSS_EXPORT_WITH_DES_CBC_SHA     EXP1024-DHE-DSS-DES-CBC-SHA
+TLS_DHE_DSS_EXPORT_WITH_RC4_56_SHA      EXP1024-DHE-DSS-RC4-SHA
+TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+
+#
+#SSL v2.0 cipher suites.
+#
+SSL2_RC4_128_WITH_MD5                 RC4-MD5
+SSL2_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+SSL2_RC2_128_CBC_WITH_MD5             RC2-MD5
+SSL2_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+SSL2_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
+SSL2_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+SSL2_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
+
+
+#
+# FIPS cipher list
+#        
+TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA      Not_implemented
+TLS_RSA_FIPS_WITH_DES_CBC_SHA           Not_implemented
+SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA     Not_implemented
+SSL3_RSA_FIPS_WITH_DES_CBC_SHA          Not_implemented
diff --git a/security/nss/tests/iopr/server_scr/client.cgi b/security/nss/tests/iopr/server_scr/client.cgi
new file mode 100644
index 000000000..5d711d52f
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/client.cgi
@@ -0,0 +1,522 @@
+#!/usr/bin/perl
+
+#--------------------------------------------------------------
+# cgi script that parses request argument to appropriate 
+# open ssl or tstclntw options and starts ssl client.
+#
+
+use CGI qw/:standard/;
+
+use subs qw(debug);
+
+#--------------------------------------------------------------
+# Prints out an error string and exits the script with an
+# exitStatus.
+# Param:
+#    str : an error string
+#    exitStat: an exit status of the program
+#
+sub svr_error {
+    my ($str, $exitStat) = @_;
+
+    if (!defined $str || $str eq "") {
+        $str = $ERR;
+    }
+    print "SERVER ERROR: $str\n";
+    if ($exitStat) {
+        print end_html if ($osDataArr{wservRun});
+        exit $exitStat;
+    }
+}
+
+#--------------------------------------------------------------
+# Prints out a debug message
+# Params:
+#     str: debug message
+#     inVal: additional value to print(optional)
+#
+sub debug {
+    my ($str, $inVal) = @_;
+    
+    print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1);
+}
+
+
+#--------------------------------------------------------------
+# Initializes execution context depending on a webserver the
+# script is running under.
+#
+sub init {
+    %osDataArr = (
+                  loadSupportedCipthersFn => \&osSpecific,
+                  cipherIsSupportedFn => \&verifyCipherSupport,
+                  cipherListFn => \&convertCipher,
+                  buildCipherTableFn => \&buildCipherTable,
+                  execCmdFn => \&osSpecific,
+                  );
+
+    $scriptName = $ENV{'SCRIPT_NAME'};
+    if (!defined $scriptName) {
+        $DEBUG=1;
+        debug "Debug is ON";
+    }
+    $DEBUG=1;
+    
+    $svrSoft = $ENV{'SERVER_SOFTWARE'};
+    if (defined $svrSoft) {
+        $_ = $svrSoft;
+        /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS");
+        /.*Apache.*/ && ($osDataArr{wserv} = "Apache");
+        $osDataArr{wservRun} = 1;
+    } else {
+        $osDataArr{wserv} = "Apache";
+        $osDataArr{wservRun} = 0;
+    }
+}
+
+#--------------------------------------------------------------
+# Function-spigot to handle errors is OS specific functions are
+# not implemented for a particular OS.
+# Returns:
+#   always returns 0(failure)
+#
+sub osSpecific {
+    $ERR = "This function should be swapped to os specific function.";
+    return 0;
+}
+
+#--------------------------------------------------------------
+# Sets os specific execution context values.
+# Returns:
+#    1 upon success, or 0 upon failure(if OS was not recognized)
+#
+sub setFunctRefs {
+    
+    debug("Entering setFunctRefs function", $osDataArr{wserv});
+
+    if ($osDataArr{wserv} eq "Apache") {
+        $osDataArr{osConfigFile} = "apache_unix.cfg";
+        $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL';
+        $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile';
+        $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix;
+        $osDataArr{execCmdFn} = \&execClientCmd_Unix;
+    } elsif ($osDataArr{wserv} eq "IIS") {
+        $osDataArr{osConfigFile} = "iis_windows.cfg";
+        $osDataArr{suppCiphersCmd} = '$tstclntwb';
+        $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile';
+        $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win;
+        $osDataArr{execCmdFn} = \&execClientCmd_Win;
+    } else {
+        $ERR = "Unknown Web Server  type.";
+        return 0;
+    }
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Parses data from HTTP request. Will print a form if request
+# does not contain sufficient number of parameters.
+# Returns: 
+#     1 if request has sufficient number of parameters
+#     0 if not.
+sub getReqData {
+    my $debug = param('debug');
+    $in_host = param('host');
+    $in_port = param('port');
+    $in_cert = param('cert');
+    $in_cipher = param('cipher');
+
+    if (!$osDataArr{wservRun}) {
+        $in_host="goa1";
+        $in_port="443";
+        $in_cert="TestUser511";
+        $in_cipher = "SSL3_RSA_WITH_NULL_SHA";
+    }
+
+    debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher");
+
+    if (defined $debug && $debug == "debug on") {
+        $DEBUG = 1;
+    }
+
+    if (!defined $in_host || $in_host eq "" ||
+        !defined $in_port || $in_port eq "" ||
+        !defined $in_cert || $in_cert eq "") {
+        if ($osDataArr{wservRun}) {
+            print h1('Command description form:'),
+            start_form(-method=>"get"),
+            "Host: ",textfield('host'),p,
+            "Port: ",textfield('port'),p,
+            "Cert: ",textfield('cert'),p,
+            "Cipher: ",textfield('cipher'),p,
+            checkbox_group(-name=>'debug',
+                           -values=>['debug on  ']),
+            submit,
+            end_form,
+            hr;
+        } else {
+            print "Printing html form to get client arguments\n";
+        }
+        $ERR = "the following parameters are required: host, port, cert";
+        return 0;
+    } else {
+        print "<pre>" if ($osDataArr{wservRun});
+        return 1;
+    }
+}
+
+
+#--------------------------------------------------------------
+# Building cipher conversion table from file based on the OS.
+# Params:
+#     tfile: cipher conversion file.
+#     sysName: system name
+#     tblPrt: returned pointer to a table.
+sub buildCipherTable {
+    my ($tfile, $sysName, $tblPrt) = @_;
+    my @retArr = @$tblPrt;
+    my %table, %rtable;
+    my $strCount = 0;
+
+    debug("Entering getReqData function", "$tfile:$sysName:$tblPrt");
+
+    ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/);
+    if (!open(TFILE, "$tfile")) {
+        $ERR = "Missing cipher conversion table file.";
+        return 0;
+    }
+    foreach (<TFILE>) {
+        chop;
+        /^#.*/ && next;
+        /^\s*$/ && next;
+        if ($strCount++ == 0) {
+            my @sysArr =  split /\s+/;
+            $colCount = 0;
+            for (;$colCount <= $#sysArr;$colCount++) {
+                last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/);
+            }
+            next;
+        }
+        my @ciphArr =  split /\s+/, $_;
+        $table{$ciphArr[0]} = $ciphArr[$colCount];
+        $rtable{$ciphArr[$colCount]} = $ciphArr[0];
+    }
+    close(TFILE);
+    $cipherTablePtr[0] = \%table;
+    $cipherTablePtr[1] = \%rtable;
+    return 1
+}
+
+#--------------------------------------------------------------
+# Client configuration function. Loads client configuration file.
+# Initiates cipher table. Loads cipher list supported by ssl client.
+#
+sub configClient {
+
+    debug "Entering configClient function";
+
+    my $res = &setFunctRefs();
+    return $res if (!$res);
+
+    open(CFILE, $osDataArr{'osConfigFile'}) ||
+        ($ERR = "Missing configuration file." && return 0);
+    foreach (<CFILE>) {
+        /^#.*/ && next;
+        chop;
+        eval $_;
+    }
+    close(CFILE);
+   
+    local @cipherTablePtr = ();
+    $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0;
+    $osDataArr{cipherTable} = $cipherTablePtr[0];
+    $osDataArr{rcipherTable} = $cipherTablePtr[1];
+    
+    local $suppCiphersTablePrt;
+    &{$osDataArr{'loadSupportedCipthersFn'}} || return 0;
+    $osDataArr{suppCiphersTable} = $suppCiphersTablePrt;
+}
+
+#--------------------------------------------------------------
+# Verifies that a particular cipher is supported.
+# Params:
+#    checkCipher: cipher name
+# Returns:
+#    1 - cipher is supported(also echos the cipher).
+#    0 - not supported.
+#
+sub verifyCipherSupport {
+    my ($checkCipher) = @_;
+    my @suppCiphersTable = @{$osDataArr{suppCiphersTable}};
+
+    debug("Entering verifyCipherSupport", $checkCipher);
+    foreach (@suppCiphersTable) {
+        return 1 if ($checkCipher eq $_);
+    }
+    $ERR = "cipher is not supported.";
+    return 0;
+}
+
+#--------------------------------------------------------------
+# Converts long(?name of the type?) cipher name to 
+# openssl/tstclntw cipher name.
+# Returns:
+#   0 if cipher was not listed. 1 upon success.
+#
+sub convertCipher {
+    my ($cipher) = @_;
+    my @retList;
+    my $resStr;
+    my %cipherTable = %{$osDataArr{cipherTable}};
+
+    debug("Entering convertCipher", $cipher);
+    if (defined $cipher) {
+        my $cphr = $cipherTable{$cipher};
+        if (!defined $cphr) {
+            $ERR = "cipher is not listed.";
+            return 0;
+        }        
+        &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0;
+        $ciphers = "$cphr";
+        return 1;
+    }
+    return 0;
+}
+
+#################################################################
+#  UNIX Apache Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Unix {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Unix function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    @arr = <OUT>;
+    chop $arr[0];
+    @suppCiphersTable = split /:/, $arr[0];
+    debug("Supported ciphers", $arr[0]);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Unix {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Unix";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-".$arr[0];
+        $proto =~ tr /SLT/slt/;
+        $proto = "-tls1" if ($proto eq "-tls");
+        return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-cipher $ciphers";
+        debug("Return from cipher conversion", "$ciphers");
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+       $ERR = "can not launch client";
+       return 0;
+    }
+
+    my @cmdOutArr = <CMD_OUT>;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/:no ciphers available/) {
+            $haveErrors++;
+            svr_error "no cipthers available\n";
+            next;
+        }
+        if (/verify error:/) {
+            $haveErrors++;
+            svr_error "unable to do verification\n";
+            next;
+        }
+        if (/alert certificate revoked:/) {
+            $haveErrors++;
+            svr_error "attempt to connect with revoked sertificate\n";
+            next;
+        }
+        if (/(error|ERROR)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+        /verify return:1/ && ($haveVerify = 1);
+    }
+     if ($haveVerify == 0) {
+         svr_error "no 'verify return:1' found in server log\n";
+         $haveErrors++;
+     }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Unix";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Unix";
+    return 1;
+}
+
+#################################################################
+#  Windows IIS Specific functions
+#----------------------------------------------------------------
+
+#--------------------------------------------------------------
+# Executes ssl client command to get a list of ciphers supported
+# by client.
+#
+sub getSupportedCipherList_Win {
+    my @arr, @suppCiphersTable;
+
+    debug "Entering getSupportedCipherList_Win function";
+
+    eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"';
+    if (!open (OUT, "$sLisrCmd|")) {
+        $ERR="Can not run command to verify supported cipher list.";
+        return 0;
+    }
+    my $startCipherList = 0;
+    foreach (<OUT>) {
+        chop;
+        if ($startCipherList) {
+            /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1;
+            next;
+        }
+        /.*from list below.*/ && ($startCipherList = 1);
+    }
+    debug("Supported ciphers", join ':', @suppCiphersTable);
+    $suppCiphersTablePrt = \@suppCiphersTable;
+    close(OUT);
+    return 1;
+}
+
+#--------------------------------------------------------------
+# Lunches ssl client command in response to a request.
+#
+#
+sub execClientCmd_Win {
+    my $proto;
+    local $ciphers;
+
+    debug "Entering execClientCmd_Win";
+    if (defined $in_cipher && $in_cipher ne "") {
+        my @arr = split /_/, $in_cipher, 2;
+        $proto = "-2 -3 -T";
+
+        $proto =~ s/-T// if ($arr[0] eq "TLS");
+        $proto =~ s/-3// if ($arr[0] eq "SSL3");
+        $proto =~ s/-2// if ($arr[0] eq "SSL2");
+	return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher));
+        $ciphers = "-c $ciphers";
+        debug("Return from cipher conversion", $ciphers);
+    }
+
+    eval '$command = "'.$osDataArr{'clientRunCmd'}.'"';
+    debug("Executing command", $command);
+    if (!open CMD_OUT, "$command 2>&1 |") {
+        $ERR = "can not launch client";
+        return 0;
+    }
+
+    my @cmdOutArr = <CMD_OUT>;
+    
+    foreach (@cmdOutArr) {
+        print $_;
+    }
+
+    my $haveVerify = 0;
+    my $haveErrors = 0;
+    foreach (@cmdOutArr) {
+        chop;
+        if (/unknown option/) {
+            $haveErrors++;
+            svr_error "unknown option\n";
+            next;
+        }
+        if (/Error performing handshake/) {
+            $haveErrors++;
+            svr_error "Error performing handshake\n";
+            next;
+        }
+        if (/Error creating credentials/) {
+            $haveErrors++;
+            svr_error "Error creating credentials\n";
+            next;
+        }
+        if (/Error .* authenticating server credentials!/) {
+            $haveErrors++;
+            svr_error "Error authenticating server credentials\n";
+            next;
+        }
+        if (/(error|ERROR|Error)/) {
+            $haveErrors++;
+            svr_error "found errors in server log\n";
+            next;
+        }
+    }
+
+    if ($haveErrors > 0) {
+        $ERR = "Have $haveErrors server errors";
+        debug "Exiting execClientCmd_Win";
+        return 0;
+    }
+    debug "Exiting execClientCmd_Win";
+    return 1;
+}
+
+#################################################################
+#  Main line of execution
+#----------------------------------------------------------------
+&init;
+
+if ($osDataArr{wservRun}) {
+    print header('text/html').
+        start_html('iopr client');
+}
+ 
+print "SCRIPT=OK\n";
+
+if (!&getReqData) { 
+    svr_error($ERR, 1);
+}
+
+if (!&configClient) { 
+    svr_error($ERR, 1);
+}
+
+&{$osDataArr{'execCmdFn'}} || svr_error;
+
+if ($osDataArr{wservRun}) {
+    print "</pre>";
+    print end_html;
+}
diff --git a/security/nss/tests/iopr/server_scr/config b/security/nss/tests/iopr/server_scr/config
new file mode 100644
index 000000000..2adc0ed76
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/config
@@ -0,0 +1,13 @@
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+userCertNames="TestUser510 TestUser511"
+userRevokedCertNames="TestUser510"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+supportedTests="SslSingleHs"
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsPort=443
+SslSingleHsUrl=/
+SslSingleHsParam=NOAUTH:NOCOV:NOCRL
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 / NOAUTH:NOCOV:NOCRL"
+#ParamSslSingleHandshakeWithOutClientCertAuth="443 /"
diff --git a/security/nss/tests/iopr/server_scr/iis_windows.cfg b/security/nss/tests/iopr/server_scr/iis_windows.cfg
new file mode 100644
index 000000000..e8444b479
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iis_windows.cfg
@@ -0,0 +1,29 @@
+#
+# IIS windows configuration file
+#
+
+#
+# Define what type of system this is.
+#
+$clientSys = "iis";
+
+#
+# Cipher conversion table file
+#
+$cipherTableFile = "cipher.list";
+
+#--------------------------------------------
+# Web server specific variables start here:
+#
+
+#
+# Location of installed tstclntb binary
+#
+$tstclntwb = "./tstclntw.exe";
+
+#
+# HTTP Request file
+#
+$reqFile = "sslreq.dat";
+
+
diff --git a/security/nss/tests/iopr/server_scr/iopr_server.cfg b/security/nss/tests/iopr/server_scr/iopr_server.cfg
new file mode 100644
index 000000000..a6d8b167f
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/iopr_server.cfg
@@ -0,0 +1,63 @@
+certDir=/iopr
+caCertName=TestCA
+caCrlName=TestCA
+
+#old values
+userCertNames="TestUser510-rsa TestUser512-rsa"
+userRevokedCertNames="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+supportedTests="SslSingleHs SslSecondHs"
+#supportedTests="SslSecondHs"
+
+
+downloadFiles="TestUser510-rsa.p12 TestUser512-rsa.p12 ocspTrustedResponder-rsa.crt ocspTRTestUser514-rsa.crt ocspTRTestUser516-rsa.crt ocspRCATestUser518-rsa.crt ocspRCATestUser520-rsa.crt ocspDRTestUser522-rsa.crt ocspDRTestUser524-rsa.crt ocspTRUnknownIssuerCert-rsa.crt ocspRCAUnknownIssuerCert-rsa.crt ocspDRUnknownIssuerCert-rsa.crt"
+# Keep a space at the end of
+SslClntValidCertName="TestUser512-rsa"
+SslClntRevokedCertName="TestUser510-rsa"
+reverseRunCGIScript="/cgi-bin/client.cgi"
+#reverseTestParam=NOREVALL
+
+supportedTests_new="SslSingleHs SslSecondHs OcspTrustedResponder OcspResponderCA OcspDesinatedResponder"
+
+#
+# SslSingleHs: ssl single handshake with out client cert auth
+SslSingleHsDescr="ssl with single handshake without client cert auth"
+SslSingleHsPort=443
+SslSingleHsUrl=/iopr_test/test_pg.html
+SslSingleHsParam=NOAUTH
+
+#
+# SslSecondHs: ssl with secondary hs when accessing direcory 
+# that requires cert verification
+SslSecondHsDescr="ssl with secondary hs when accessing direcory that requires cert verification"
+SslSecondHsPort=443
+SslSecondHsUrl=/iopr_test_2hs/test_pg.html
+SslSecondHsParam=NOCOV
+
+#
+# OcspTrustedResponder - trusted responder key is used to sign OCSP response
+#
+OcspTrustedResponderDescr="trusted responder key is used to sign OCSP response"
+OcspTrustedResponderProto=http
+OcspTrustedResponderPort=2560
+OcspTrustedResponderResponderCert=ocspTrustedResponder-rsa
+OcspTrustedResponderValidCertNames="ocspTRTestUser516-rsa"
+OcspTrustedResponderRevokedCertNames="ocspTRTestUser514-rsa"
+OcspTrustedResponderStatUnknownCertNames="ocspTRUnknownIssuerCert-rsa"
+
+#
+# OcspResponderCA - CA key is used to sign OCSP response
+#
+OcspResponderCADescr="CA key is used to sign OCSP response"
+OcspResponderCAValidCertNames="ocspRCATestUser518-rsa"
+OcspResponderCARevokedCertNames="ocspRCATestUser520-rsa"
+OcspResponderCAStatUnknownCertNames="ocspRCAUnknownIssuerCert-rsa"
+
+#
+# OcspDesinatedResponder - CA Designated Responder key is used to sign OCSP response
+#
+OcspDesinatedResponderDescr="CA Designated Responder key is used to sign OCSP response"
+OcspDesinatedResponderValidCertNames="ocspDRTestUser522-rsa"
+OcspDesinatedResponderRevokedCertNames="ocspDRTestUser524-rsa"
+OcspDesinatedResponderStatUnknownCertNames="ocspDRUnknownIssuerCert-rsa"
diff --git a/security/nss/tests/iopr/server_scr/sslreq.dat b/security/nss/tests/iopr/server_scr/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/iopr/server_scr/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0

+

diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh
new file mode 100644
index 000000000..d8b592f30
--- /dev/null
+++ b/security/nss/tests/iopr/ssl_iopr.sh
@@ -0,0 +1,672 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/iopr/ssl_iopr.sh
+#
+# NSS SSL interoperability QA. This file is included from ssl.sh
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+# FIXME - Netscape - NSS
+########################################################################
+IOPR_SSL_SOURCED=1
+
+########################################################################
+# The functions works with variables defined in interoperability 
+# configuration file that was downloaded from a webserver.
+# It tries to find unrevoked cert based on value of variable
+# "SslClntValidCertName" defined in the configuration file.
+# Params NONE.
+# Returns 0 if found, 1 otherwise.
+#
+setValidCert() {
+    testUser=$SslClntValidCertName
+    [ -z "$testUser" ] && return 1
+    return 0
+}
+
+########################################################################
+# The funtions works with variables defined in interoperability 
+# configuration file that was downloaded from a webserver.
+# The function sets port, url, param and description test parameters
+# that was defind for a particular type of testing.
+# Params:
+#      $1 - supported types of testing. Currently have maximum
+#           of two: forward and reverse. But more can be defined. 
+# No return value
+#
+setTestParam() {
+    type=$1
+    sslPort=`eval 'echo $'${type}Port`
+    sslUrl=`eval 'echo $'${type}Url`
+    testParam=`eval 'echo $'${type}Param`
+    testDescription=`eval 'echo $'${type}Descr`
+    [ -z "$sslPort" ] && sslPort=443
+    [ -z "$sslUrl" ] && sslUrl="/iopr_test/test_pg.html"
+    [ "$sslUrl" = "/" ] && sslUrl="/test_pg.html"
+}
+
+
+#######################################################################
+# local shell function to perform SSL Cipher Suite Coverage tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+#      $1 - supported type of testing.
+#      $2 - testing host
+#      $3 - nss db location
+# No return value
+#  
+ssl_iopr_cov_ext_server()
+{
+  testType=$1
+  host=$2
+  dbDir=$3
+
+  setTestParam $testType
+  if [ "`echo $testParam | grep NOCOV`" != "" ]; then
+      echo "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR) excluded from " \
+           "run by server configuration"
+      return 0
+  fi
+
+  html_head "SSL Cipher Coverage of WebServ($IOPR_HOSTADDR" \
+      "$BYPASS_STRING $NORM_EXT): $testDescription"
+
+  setValidCert; ret=$?
+  if [ $ret -ne 0 ]; then
+      html_failed "Fail to find valid test cert(ws: $host)" 
+      return $ret
+  fi
+
+  SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+  echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+  echo >> $SSL_REQ_FILE
+  
+  while read ecc tls param testname therest; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "`echo $testname | grep FIPS`" -o \
+          "$ecc" = "ECC" ] && continue; 
+      
+      echo "$SCRIPTNAME: running $testname ----------------------------"
+      TLS_FLAG=-T
+      if [ "$tls" = "TLS" ]; then
+          TLS_FLAG=""
+      fi
+      
+      resFile=${TMP}/$HOST.tmpRes.$$
+      rm $resFile 2>/dev/null
+      
+      echo "tstclnt -p ${sslPort} -h ${host} -c ${param} ${TLS_FLAG} \\"
+      echo "      -n $testUser -w nss ${CLIEN_OPTIONS} -f \\"
+      echo "      -d ${dbDir} < ${SSL_REQ_FILE} > $resFile"
+      
+      ${BINDIR}/tstclnt -w nss -p ${sslPort} -h ${host} -c ${param} \
+          ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -w nss \
+          -d ${dbDir} < ${SSL_REQ_FILE} >$resFile  2>&1
+      ret=$?
+      grep "ACCESS=OK" $resFile
+      test $? -eq 0 -a $ret -eq 0
+      ret=$?
+      [ $ret -ne 0 ] && cat $resFile
+      rm -f $resFile 2>/dev/null
+      html_msg $ret 0 "${testname}"
+  done < ${SSLCOV}
+  rm -f $SSL_REQ_FILE 2>/dev/null
+
+  html "</TABLE><BR>"
+}
+
+#######################################################################
+# local shell function to perform SSL  Client Authentication tests
+# in interoperability mode. Tests run against web server by using nss
+# test client
+# Params:
+#      $1 - supported type of testing.
+#      $2 - testing host
+#      $3 - nss db location
+# No return value
+#  
+ssl_iopr_auth_ext_server()
+{
+  testType=$1
+  host=$2
+  dbDir=$3
+
+  setTestParam $testType
+  if [ "`echo $testParam | grep NOAUTH`" != "" ]; then
+      echo "SSL Client Authentication WebServ($IOPR_HOSTADDR) excluded from " \
+           "run by server configuration"
+      return 0
+  fi
+
+  html_head "SSL Client Authentication WebServ($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT):
+             $testDescription"
+
+  setValidCert;ret=$?
+  if [ $ret -ne 0 ]; then
+      html_failed "Fail to find valid test cert(ws: $host)" 
+      return $ret
+  fi
+
+  SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+  echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+  echo >> $SSL_REQ_FILE
+  
+  SSLAUTH_TMP=${TMP}/authin.tl.tmp
+  grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" > ${SSLAUTH_TMP}
+
+  while read ecc value sparam cparam testname; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+      cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+      
+      echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \\"
+      echo "         -d ${dbDir} < ${SSL_REQ_FILE}"
+      
+      resFile=${TMP}/$HOST.tmp.$$
+      rm $rsFile 2>/dev/null
+
+      ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+          -d ${dbDir} < ${SSL_REQ_FILE} >$resFile  2>&1
+      ret=$?
+      grep "ACCESS=OK" $resFile
+      test $? -eq 0 -a $ret -eq 0
+      ret=$?
+      [ $ret -ne 0 ] && cat $resFile
+      rm $resFile 2>/dev/null
+      
+      html_msg $ret $value "${testname}. Client params: $cparam"\
+          "produced a returncode of $ret, expected is $value"
+  done < ${SSLAUTH_TMP}
+  rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+
+  html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL interoperability test with/out
+# revoked certs tests. Tests run against web server by using nss
+# test client
+# Params:
+#      $1 - supported type of testing.
+#      $2 - testing host
+#      $3 - nss db location
+# No return value
+#  
+ssl_iopr_crl_ext_server()
+{
+  testType=$1
+  host=$2
+  dbDir=$3
+
+  setTestParam $testType
+  if [ "`echo $testParam | grep NOCRL`" != "" ]; then
+      echo "CRL SSL Client Tests of WebServerv($IOPR_HOSTADDR) excluded from " \
+           "run by server configuration"
+      return 0
+  fi
+
+  html_head "CRL SSL Client Tests of WebServer($IOPR_HOSTADDR $BYPASS_STRING $NORM_EXT): $testDescription"
+  
+  SSL_REQ_FILE=${TMP}/sslreq.dat.$$
+  echo "GET $sslUrl HTTP/1.0" > $SSL_REQ_FILE
+  echo >> $SSL_REQ_FILE
+  
+  SSLAUTH_TMP=${TMP}/authin.tl.tmp
+  grep -v "^#" ${SSLAUTH} | grep -- "-r_-r_-r_-r" | grep -v bogus | \
+      grep -v none > ${SSLAUTH_TMP}
+
+  while read ecc value sparam _cparam testname; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+      rev_modvalue=254
+      for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+          cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$testUser/g" `
+	  
+          echo "tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} \\"
+          echo "        -f -d ${dbDir} ${cparam}  < ${SSL_REQ_FILE}"
+          resFile=${TMP}/$HOST.tmp.$$
+          rm -f $resFile 2>/dev/null
+          ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \
+              -d ${dbDir} < ${SSL_REQ_FILE} \
+              > $resFile  2>&1
+          ret=$?
+          grep "ACCESS=OK" $resFile
+          test $? -eq 0 -a $ret -eq 0
+          ret=$?
+          [ $ret -ne 0 ] && ret=$rev_modvalue;
+          [ $ret -ne 0 ] && cat $resFile
+          rm -f $resFile 2>/dev/null
+
+          if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+              modvalue=$rev_modvalue
+              testAddMsg="revoked"
+          else
+              testAddMsg="not revoked"
+              modvalue=$value
+          fi
+          html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+              "produced a returncode of $ret, expected is $modvalue"
+      done
+  done < ${SSLAUTH_TMP}
+  rm -f ${SSLAUTH_TMP} ${SSL_REQ_FILE}
+  
+  html "</TABLE><BR>"
+}
+
+
+########################################################################
+# local shell function to perform SSL Cipher Coverage tests of nss server
+# by invoking remote test client on web server side.
+# Invoked only if reverse testing is supported by web server.
+# Params:
+#      $1 - remote web server host
+#      $2 - open port to connect to invoke CGI script
+#      $3 - host where selfserv is running(name of the host nss tests
+#           are running)
+#      $4 - port where selfserv is running
+#      $5 - selfserv nss db location
+# No return value
+#  
+ssl_iopr_cov_ext_client()
+{
+  host=$1
+  port=$2
+  sslHost=$3
+  sslPort=$4
+  serDbDir=$5
+
+  html_head "SSL Cipher Coverage of SelfServ $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+  setValidCert
+  ret=$?
+  if [ $res -ne 0 ]; then
+      html_failed "Fail to find valid test cert(ws: $host)" 
+      return $ret
+  fi
+
+  # P_R_SERVERDIR switch require for selfserv to work.
+  # Will be restored after test
+  OR_P_R_SERVERDIR=$P_R_SERVERDIR
+  P_R_SERVERDIR=$serDbDir
+  OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+  P_R_CLIENTDIR=$serDbDir
+  testname=""
+  sparam="-vvvc ABCDEFcdefgijklmnvyz"
+  # Launch the server
+  start_selfserv 
+  
+  while read ecc tls param cipher therest; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+      echo "============= Beginning of the test ===================="
+      echo
+      
+      is_selfserv_alive
+      
+      TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+      TEST_OUT=${TMP}/$HOST.tmp.$$
+      rm -f $TEST_IN $TEST_OUT 2>/dev/null
+      
+      echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser&cipher=$cipher HTTP/1.0" > $TEST_IN
+      echo >> $TEST_IN
+      
+      echo "------- Request ----------------------"
+      cat $TEST_IN
+      echo "------- Command ----------------------"
+      echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+          -h $host \< $TEST_IN \>\> $TEST_OUT
+
+      ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+          -h $host <$TEST_IN > $TEST_OUT 
+
+      echo "------- Server output Begin ----------"
+      cat $TEST_OUT
+      echo "------- Server output End   ----------"
+      
+      echo "Checking for errors in log file..."
+      grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+      if [ $? -eq 0 ]; then
+          grep "cipher is not supported" $TEST_OUT 2>&1 >/dev/null
+          if [ $? -eq 0 ]; then
+              echo "Skiping test: no support for the cipher $cipher on server side"
+              continue
+          fi
+          
+          grep -i "SERVER ERROR:" $TEST_OUT
+          ret=$?
+          if [ $ret -eq 0 ]; then
+              echo "Found problems. Reseting exit code to failure."
+              
+              ret=1
+          else
+              ret=0
+          fi
+      else
+          echo "Script was not executed. Reseting exit code to failure."
+          ret=11
+      fi
+      
+      html_msg $ret 0 "Test ${cipher}. Server params: $sparam " \
+          " produced a returncode of $ret, expected is 0"
+      rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+  done < ${SSLCOV}
+  kill_selfserv
+  
+  P_R_SERVERDIR=$OR_P_R_SERVERDIR
+  P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+  
+  rm -f ${TEST_IN} ${TEST_OUT}
+  html "</TABLE><BR>"
+}
+
+########################################################################
+# local shell function to perform SSL Authentication tests of nss server
+# by invoking remove test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+#      $1 - remote web server host
+#      $2 - open port to connect to invoke CGI script
+#      $3 - host where selfserv is running(name of the host nss tests
+#           are running)
+#      $4 - port where selfserv is running
+#      $5 - selfserv nss db location
+# No return value
+#  
+ssl_iopr_auth_ext_client()
+{
+  host=$1
+  port=$2
+  sslHost=$3
+  sslPort=$4
+  serDbDir=$5
+
+  html_head "SSL Client Authentication with Selfserv from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+
+  setValidCert
+  ret=$?
+  if [ $res -ne 0 ]; then
+      html_failed "Fail to find valid test cert(ws: $host)" 
+      return $ret
+  fi
+
+  OR_P_R_SERVERDIR=$P_R_SERVERDIR
+  P_R_SERVERDIR=${serDbDir}
+  OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+  P_R_CLIENTDIR=${serDbDir}
+
+  SSLAUTH_TMP=${TMP}/authin.tl.tmp
+
+  grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+  while read ecc value sparam cparam testname; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+
+      echo "Server params: $sparam"
+      sparam=$sparam" -vvvc ABCDEFcdefgijklmnvyz"
+      start_selfserv
+      
+      TEST_IN=${TMP}/$HOST_IN.tmp.$$
+      TEST_OUT=${TMP}/$HOST.tmp.$$
+      rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+      echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+      echo >> $TEST_IN
+      
+      echo "------- Request ----------------------"
+      cat $TEST_IN
+      echo "------- Command ----------------------"
+      echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+          -h $host \< $TEST_IN \>\> $TEST_OUT
+      
+      ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+          -h $host <$TEST_IN > $TEST_OUT 
+      
+      echo "------- Server output Begin ----------"
+      cat $TEST_OUT
+      echo "------- Server output End   ----------"
+
+      echo "Checking for errors in log file..."
+      grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+      if [ $? -eq 0 ]; then
+          echo "Checking for error in log file..."
+          grep -i "SERVER ERROR:" $TEST_OUT
+          ret=$?
+          if [ $ret -eq 0 ]; then
+              echo "Found problems. Reseting exit code to failure."
+              ret=1
+          else
+              ret=0
+          fi
+      else
+          echo "Script was not executed. Reseting exit code to failure."
+          ret=11
+      fi
+      
+      html_msg $ret $value "${testname}. Server params: $sparam"\
+          "produced a returncode of $ret, expected is $value"
+      kill_selfserv
+      rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+  done < ${SSLAUTH_TMP}
+
+  P_R_SERVERDIR=$OR_P_R_SERVERDIR
+  P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+  rm -f ${SSLAUTH_TMP} ${TEST_IN} ${TEST_OUT}
+  html "</TABLE><BR>"
+}
+
+#########################################################################
+# local shell function to perform SSL CRL testing of nss server
+# by invoking remote test client on web server side
+# Invoked only if reverse testing is supported by web server.
+# Params:
+#      $1 - remote web server host
+#      $2 - open port to connect to invoke CGI script
+#      $3 - host where selfserv is running(name of the host nss tests
+#           are running)
+#      $4 - port where selfserv is running
+#      $5 - selfserv nss db location
+# No return value
+#  
+ssl_iopr_crl_ext_client()
+{
+  host=$1
+  port=$2
+  sslHost=$3
+  sslPort=$4
+  serDbDir=$5
+
+  html_head "CRL SSL Selfserv Tests from $IOPR_HOSTADDR. $BYPASS_STRING $NORM_EXT"
+  
+  OR_P_R_SERVERDIR=$P_R_SERVERDIR
+  P_R_SERVERDIR=${serDbDir}
+  OR_P_R_CLIENTDIR=$P_R_CLIENTDIR
+  P_R_CLIENTDIR=$serDbDir
+
+  SSLAUTH_TMP=${TMP}/authin.tl.tmp
+  grep -v "^#" $SSLAUTH | grep "\s*0\s*" > ${SSLAUTH_TMP}
+
+  while read ecc value sparam _cparam testname; do
+      [ -z "$ecc" -o "$ecc" = "#" -o "$ecc" = "ECC" ] && continue;
+      sparam="$sparam  -vvvc ABCDEFcdefgijklmnvyz"
+      start_selfserv
+
+      for testUser in $SslClntValidCertName $SslClntRevokedCertName; do
+	  
+          is_selfserv_alive
+          
+          TEST_IN=${TMP}/${HOST}_IN.tmp.$$
+          TEST_OUT=${TMP}/$HOST.tmp.$$
+          rm -f $TEST_IN $TEST_OUT 2>/dev/null
+
+          echo "GET $reverseRunCGIScript?host=$sslHost&port=$sslPort&cert=$testUser HTTP/1.0" > $TEST_IN
+          echo >> $TEST_IN
+          
+          echo "------- Request ----------------------"
+          cat $TEST_IN
+          echo "------- Command ----------------------"
+          echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+              -h ${host} \< $TEST_IN \>\> $TEST_OUT
+            
+          ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \
+              -h ${host} <$TEST_IN > $TEST_OUT 
+          echo "------- Request ----------------------"
+          cat $TEST_IN
+          echo "------- Server output Begin ----------"
+          cat $TEST_OUT
+          echo "------- Server output End   ----------"
+          
+          echo "Checking for errors in log file..."
+          grep "SCRIPT=OK" $TEST_OUT 2>&1 >/dev/null
+          if [ $? -eq 0 ]; then
+              grep -i "SERVER ERROR:" $TEST_OUT
+              ret=$?
+              if [ $ret -eq 0 ]; then
+                  echo "Found problems. Reseting exit code to failure."
+                  ret=1
+              else
+                  ret=0
+              fi
+          else
+              echo "Script was not executed. Reseting exit code to failure."
+              ret=11
+          fi
+          
+          if [ "`echo $SslClntRevokedCertName | grep $testUser`" != "" ]; then
+              modvalue=1
+              testAddMsg="revoked"
+          else
+              testAddMsg="not revoked"
+              modvalue=0
+          fi
+          
+          html_msg $ret $modvalue "${testname} (cert ${testUser} - $testAddMsg)" \
+		"produced a returncode of $ret, expected is $modvalue(selfserv args: $sparam)"
+          rm -f $TEST_OUT $TEST_IN 2>&1 > /dev/null
+      done
+      kill_selfserv
+  done < ${SSLAUTH_TMP}
+
+  P_R_SERVERDIR=$OR_P_R_SERVERDIR
+  P_R_CLIENTDIR=$OR_P_R_CLIENTDIR
+
+  rm -f ${SSLAUTH_TMP}
+  html "</TABLE><BR>"
+}
+
+#####################################################################
+# Initial point for running ssl test againt multiple hosts involved in
+# interoperability testing. Called from nss/tests/ssl/ssl.sh
+# It will only proceed with test run for a specific host if environment variable 
+# IOPR_HOSTADDR_LIST was set, had the host name in the list
+# and all needed file were successfully downloaded and installed for the host.
+#
+# Returns 1 if interoperability testing is off, 0 otherwise. 
+#
+ssl_iopr_run() {
+    if [ "$IOPR" -ne 1 ]; then
+        return 1
+    fi
+    cd ${CLIENTDIR}
+    
+    ORIG_ECC_CERT=${NO_ECC_CERTS}
+    NO_ECC_CERTS=1 # disable ECC for interoperability tests
+
+    num=1
+    IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+    while [ "$IOPR_HOST_PARAM" ]; do
+        IOPR_HOSTADDR=`echo $IOPR_HOST_PARAM | cut -f 1 -d':'`
+        IOPR_OPEN_PORT=`echo "$IOPR_HOST_PARAM:" | cut -f 2 -d':'`
+        [ -z "$IOPR_OPEN_PORT" ] && IOPR_OPEN_PORT=443
+        
+        . ${IOPR_CADIR}_${IOPR_HOSTADDR}/iopr_server.cfg
+        RES=$?
+        
+        if [ $RES -ne 0 -o X`echo "$wsFlags" | grep NOIOPR` != X ]; then
+            num=`expr $num + 1`
+            IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+            continue
+        fi
+        
+        #=======================================================
+        # Check if server is capable to run ssl tests
+        #
+        [ -z "`echo ${supportedTests_new} | grep -i ssl`" ] && continue;
+
+        # Testing directories defined by webserver.
+        echo "Testing ssl interoperability.
+                Client: local(tstclnt).
+                Server: remote($IOPR_HOSTADDR:$IOPR_OPEN_PORT)"
+        
+        for sslTestType in ${supportedTests_new}; do
+            if [ -z "`echo $sslTestType | grep -i ssl`" ]; then
+                continue
+            fi
+            ssl_iopr_cov_ext_server $sslTestType ${IOPR_HOSTADDR} \
+                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+            ssl_iopr_auth_ext_server $sslTestType ${IOPR_HOSTADDR} \
+                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+            ssl_iopr_crl_ext_server $sslTestType ${IOPR_HOSTADDR} \
+                ${IOPR_SSL_CLIENTDIR}_${IOPR_HOSTADDR}
+        done
+        
+        
+        # Testing selfserv with client located at the webserver.
+        echo "Testing ssl interoperability.
+                Client: remote($IOPR_HOSTADDR:$PORT)
+                Server: local(selfserv)"
+        ssl_iopr_cov_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+        ssl_iopr_auth_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+        ssl_iopr_crl_ext_client ${IOPR_HOSTADDR} ${IOPR_OPEN_PORT} \
+            ${HOSTADDR} ${PORT} ${R_IOPR_SSL_SERVERDIR}_${IOPR_HOSTADDR}
+        echo "================================================"
+        echo "Done testing interoperability with $IOPR_HOSTADDR"
+        num=`expr $num + 1`
+        IOPR_HOST_PARAM=`echo "${IOPR_HOSTADDR_LIST} " | cut -f $num -d' '`
+    done
+    NO_ECC_CERTS=${ORIG_ECC_CERTS}
+    return 0
+}
+
diff --git a/security/nss/tests/jss_dll_version.sh b/security/nss/tests/jss_dll_version.sh
new file mode 100755
index 000000000..cb29c4a1a
--- /dev/null
+++ b/security/nss/tests/jss_dll_version.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# version controll for DLLs
+# ToDo: make version parameter or find version from first occurance of 3.x
+# make the 3 a variable..., include the header
+
+for w in `find . -name "libjss3.s[ol]"`
+do
+        NOWHAT=FALSE
+        NOIDENT=FALSE
+        echo $w
+        what $w | grep JSS || NOWHAT=TRUE
+        ident $w | grep JSS || NOIDENT=TRUE
+        if [ $NOWHAT = TRUE ]
+        then
+                echo "ERROR what $w does not contain JSS"
+        fi
+        if [ $NOIDENT = TRUE ]
+        then
+                echo "ERROR ident $w does not contain JSS"
+        fi
+done
diff --git a/security/nss/tests/jssdir b/security/nss/tests/jssdir
new file mode 100755
index 000000000..1609fbfcf
--- /dev/null
+++ b/security/nss/tests/jssdir
@@ -0,0 +1,28 @@
+if ( "$2" == ""  ) then
+	setenv BUILDDATE `date +%m%d`
+else
+	setenv BUILDDATE $2
+endif
+
+if ( "$1" == ""  ) then
+	setenv JSSVER tip
+else
+	setenv JSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then 
+        setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == ""  ) then
+	setenv QAYEAR `date +%Y`
+	
+endif
+
+setenv JSS_VER_DIR /share/builds/mccrel3/jss/jss$JSSVER
+setenv NTDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/jss/tests
+setenv RESULTDIR ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${JSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/jssqa b/security/nss/tests/jssqa
new file mode 100755
index 000000000..d5356b9e8
--- /dev/null
+++ b/security/nss/tests/jssqa
@@ -0,0 +1,220 @@
+#! /bin/sh  
+
+########################################################################
+#
+# /u/sonmi/bin/jssqa
+#
+# this script is supposed to automatically run - now a sanity test, later QA for 
+# JSS on all required Unix and Windows (NT and 2000) platforms
+#
+# parameters
+# ----------
+#   jssversion  (supported: 31, tip)
+#   builddate   (default - today)
+#
+# options
+# -------
+#   -y answer all questions with y - use at your own risk...ignores warnings
+#   -s silent (only usefull with -y)
+#   -h, -? - you guessed right - displays this text
+#   -d debug
+#   -f <filename> - write the (error)output to filename
+#   -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa
+#
+########################################################################
+
+O_OPTIONS=ON            # accept options (see above for listing)
+WIN_WAIT_FOREVER=OFF    # don't wait for the NSS testdir
+PRODUCT_TO_TEST="JSS"
+JSS_NSPR_DIR="/share/builds/components/nspr20/v4.1.2"
+JSS_NSS_DIR="/share/builds/components/nss/NSS_3_3_1_RTM"
+JSS_NSS_UX_SRC_DIR="nss331/builds/20010928.2.331-RTM/booboo_Solaris8"
+JSS_NSS_NT_SRC_DIR="nss331/builds/20010928.2.331-RTM/blowfish_NT4.0_Win95"
+JSS_NSS_SRC_DIR=$JSS_NSS_UX_SRC_DIR
+NATIVE_FLAG=""
+
+. `dirname $0`/header   # utilities, shellfunctions etc, global to NSS and JSS QA
+
+if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then
+    is_running ${TMP}/jssqa
+                        # checks if the file exists, if yes Exits, if not
+                        # creates to implement a primitive locking mechanism
+fi
+
+INTERNAL_TOKEN="NSS Certificate DB"
+SIGTEST_INTERNAL_TOKEN="Internal Key Storage Token"
+
+################################ jss_init #########################
+# 
+# Most of the procedure is setting up the test environment.
+# set all necessary dir and file variables, set all paths, copy the shared libs 
+# Put all the shared libraries into a lib directory, <libdir>.
+# including the libjss3.so that was built by the build process.
+# set LD_LIBRARY PATH and CLASSPATH
+# The xpclass.jar produced by the JSS build needs to be in the classpath.
+# The classpath must also include the current directory so we can run our test
+# programs.
+################################################################################
+
+jss_init()
+{
+  Debug "Jss init"
+  #correct all directories that the header has set...
+  NTDIST=`echo $NTDIST | sed -e 's/nss/jss/g'`
+  UXDIST=`echo $UXDIST | sed -e 's/nss/jss/g'`
+  RESULTDIR=`echo $RESULTDIR | sed -e 's/nss/jss/g'`
+  mkdir -p ${RESULTDIR} 2>/dev/null
+  JSS_LOGFILE=${RESULTDIR}/${HOST}.txt
+  FILENAME=$JSS_LOGFILE
+  O_FILE=ON
+
+  MOZILLA_ROOT=`echo $MOZILLA_ROOT | sed -e 's/nss/jss/g'`
+
+  JSS_SAMPLES="$MOZILLA_ROOT/security/jss/samples"
+  JSS_CLASSPATH=`echo $MOZILLA_ROOT | 
+      sed -e "s/jss$NSSVER.builds/jss$NSSVER\/ships/g" -e "s/mozilla/jss\/${QAYEAR}${BUILDDATE}/"`
+  Debug "JSS_CLASSPATH=$JSS_CLASSPATH"
+  Debug "JSS_SAMPLES=$JSS_SAMPLES"
+
+  if [ ! -d $JSS_SAMPLES ] ; then
+      if [ "$O_WIN" = "ON" -a "$WIN_WAIT_FOREVER" = "ON" ]
+      then
+          WaitForever $JSS_SAMPLES/TestKeyGen.java 1
+      else
+          Exit "Test directory $JSS_SAMPLES does not exist"
+      fi
+  fi
+
+  PWFILE="$JSS_SAMPLES/passwd"
+  EMPTYFILE="$JSS_SAMPLES/emptyfile"
+  rm $PWFILE $EMPTYFILE 2>/dev/null
+  echo "jss" >$PWFILE
+  echo "" >$EMPTYFILE
+  echo "" >>$EMPTYFILE
+  echo "" >>$EMPTYFILE
+
+  INIT_PATH=$PATH
+  INIT_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+}
+
+
+jss_mode_init()
+{
+  OBJDIR=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name`
+
+  LOCALDIST_BIN=`echo $LOCALDIST_BIN | sed -e 's/nss/jss/g'`
+  LOCALDIST_LIB=$LOCALDIST_BIN/../lib
+  debug_dirs
+
+  #make testdir/libdir
+
+  JSS_LIBDIR=${RESULTDIR}/${HOST}.libdir/${OBJDIR}
+  mkdir -p ${JSS_LIBDIR} 2>/dev/null
+  Debug "JSS_LIBDIR=$JSS_LIBDIR"
+
+  #Put all the shared libraries into a lib directory
+  Debug "copy all needed libs to ${JSS_LIBDIR}"
+  cp $JSS_NSPR_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR}
+  cp $JSS_NSS_DIR/${OBJDIR}/lib/* ${JSS_LIBDIR}
+  cp $LOCALDIST_LIB/libjss3.*  ${JSS_LIBDIR}
+  #FIXME uncomment above
+
+  if [ $O_DEBUG = ON ] ; then
+      Debug "ls $JSS_LIBDIR"
+      ls $JSS_LIBDIR
+  fi
+
+  #LD_LIBRARY_PATH=$INIT_LD_LIBRARY_PATH:${JSS_LIBDIR}
+  LD_LIBRARY_PATH=${JSS_LIBDIR} #remove to avoid HP coredump
+  CLASSPATH="$JSS_CLASSPATH/xpclass.jar:."
+
+  SHLIB_PATH=${LD_LIBRARY_PATH}
+  LIBPATH=${LD_LIBRARY_PATH}
+
+  PATH=$JSS_NSPR_DIR/${OBJDIR}/bin:$JSS_NSS_DIR/${OBJDIR}//bin:$INIT_PATH
+  Debug "PATH $PATH"
+  Debug "LD_LIBRARY_PATH $LD_LIBRARY_PATH"
+  Debug "CLASSPATH=$CLASSPATH"
+
+  export CLASSPATH LD_LIBRARY_PATH SHLIB_PATH LIBPATH
+  export TESTSCRIPTDIR COMMON
+  export_dirs
+}
+
+  
+################################ jss_test #########################
+# 
+# go into the build tree. cd to mozilla/security/jss/samples.
+# Create NSS directories in this directory with modutil and set the password
+#
+#6. Create an alias for the "java" and "javac" commands. You'll need to set
+#it to whatever version of the JDK you used to build on this platform. For
+#example, 
+      #alias java /share/builds/components/cms_jdk/AIX/1.3.0/jre/bin/java
+        #alias javac /share/builds/components/cms_jdk/AIX/1.3.0/bin/javac
+# instead $JAVA and $JAVAC
+# 7. Compile the tests.
+#####################################################################
+jss_test()
+{
+  O_FILE=OFF
+  Debug "JSS main test"
+  #set -x
+  cd $JSS_SAMPLES
+
+  Debug "Cleaning  $JSS_SAMPLES"
+  rm cert7.db key3.db 2>/dev/null
+
+  Debug "echo | modutil -dbdir . -create -force"
+  echo | modutil -dbdir . -create -force
+  Debug "modutil returned $?"
+
+  modutil -dbdir . -list
+
+  Debug "echo | modutil -dbdir . -changepw \"$INTERNAL_TOKEN\" -newpwfile $PWFILE -force"
+  modutil -dbdir . -changepw "$INTERNAL_TOKEN" -newpwfile $PWFILE  -force <$EMPTYFILE
+  #modutil -dbdir . -changepw "$INTERNAL_TOKEN" -pwfile $PWFILE -newpwfile $PWFILE <$EMPTYFILE
+  Debug "modutil returned $?"
+
+  Debug "$JAVAC TestKeyGen.java"
+  $JAVAC TestKeyGen.java
+  Debug "$JAVAC TestKeyGen.java returned $?"
+
+  Debug "$JAVAC SigTest.java"
+  $JAVAC SigTest.java
+  Debug "$JAVAC SigTest.java returned $?"
+          
+  echo "Starting new jss test on $HOST"  
+  date
+
+  # Run the actual tests
+
+  Debug "$JAVA $NATIVE_FLAG TestKeyGen ." 
+  $JAVA $NATIVE_FLAG TestKeyGen . 
+  Debug "$JAVA TestKeyGen returned $?"
+
+  Debug "$JAVA $NATIVE_FLAG SigTest . \"$SIGTEST_INTERNAL_TOKEN\""
+  $JAVA $NATIVE_FLAG SigTest . "$SIGTEST_INTERNAL_TOKEN"
+  Debug "$JAVA SigTest returned $?"
+
+  O_FILE=ON
+}
+
+jss_init
+jss_mode_init
+
+if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ]
+then
+    jss_test >>$JSS_LOGFILE  2>&1
+else
+    jss_test 2>&1 | tee -a $JSS_LOGFILE
+fi
+BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+jss_mode_init
+if [ "$O_CRON" = "ON" -o "$O_WIN" = "ON" ]
+then
+    jss_test >>$JSS_LOGFILE  2>&1
+else
+    jss_test 2>&1 | tee -a $JSS_LOGFILE
+fi
+Exit "jssqa completed. Done `uname -n` $QA_OS_STRING"
diff --git a/security/nss/tests/libpkix/cert_trust.map b/security/nss/tests/libpkix/cert_trust.map
new file mode 100644
index 000000000..c992435f9
--- /dev/null
+++ b/security/nss/tests/libpkix/cert_trust.map
@@ -0,0 +1,6 @@
+TestCA.ca CT,C,C
+TestUser50 ,,
+TestUser51 ,,
+PayPalRootCA CT,C,C
+PayPalICA ,,
+PayPalEE ,,
diff --git a/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt
new file mode 100755
index 000000000..efc2f2cd5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/CertificatePoliciesCritical.crt
diff --git a/security/nss/tests/libpkix/certs/GoodCACert.crt b/security/nss/tests/libpkix/certs/GoodCACert.crt
new file mode 100644
index 000000000..5aecbc0cf
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/GoodCACert.crt
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert
new file mode 100644
index 000000000..87cba91c0
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalEE.cert
diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert
new file mode 100644
index 000000000..28e971d68
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalICA.cert
diff --git a/security/nss/tests/libpkix/certs/PayPalRootCA.cert b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
new file mode 100644
index 000000000..ea6402037
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/PayPalRootCA.cert
diff --git a/security/nss/tests/libpkix/certs/TestCA.ca.cert b/security/nss/tests/libpkix/certs/TestCA.ca.cert
new file mode 100644
index 000000000..f68512a12
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestCA.ca.cert
diff --git a/security/nss/tests/libpkix/certs/TestUser50.cert b/security/nss/tests/libpkix/certs/TestUser50.cert
new file mode 100644
index 000000000..304f8f560
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser50.cert
diff --git a/security/nss/tests/libpkix/certs/TestUser51.cert b/security/nss/tests/libpkix/certs/TestUser51.cert
new file mode 100644
index 000000000..0cbeb1bcf
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TestUser51.cert
diff --git a/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
new file mode 100644
index 000000000..21f520ee5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/TrustAnchorRootCertificate.crt
diff --git a/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
new file mode 100644
index 000000000..26985c9f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/ValidCertificatePathTest1EE.crt
diff --git a/security/nss/tests/libpkix/certs/anchor2dsa b/security/nss/tests/libpkix/certs/anchor2dsa
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/anchor2dsa
diff --git a/security/nss/tests/libpkix/certs/crldiff.crl b/security/nss/tests/libpkix/certs/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crldiff.crl
diff --git a/security/nss/tests/libpkix/certs/crlgood.crl b/security/nss/tests/libpkix/certs/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/crlgood.crl
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
new file mode 100755
index 000000000..a1afd6a2d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/codeSigningEKUCert
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
new file mode 100755
index 000000000..55568917c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/multiEKUCert
diff --git a/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/extKeyUsage/noEKUCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
new file mode 100755
index 000000000..43dac7341
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
new file mode 100755
index 000000000..04d133f74
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
new file mode 100755
index 000000000..63754141a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
new file mode 100755
index 000000000..4fe947e73
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameDnsCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
new file mode 100755
index 000000000..95ec20423
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
new file mode 100755
index 000000000..50e5440d9
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameEdiCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
new file mode 100755
index 000000000..5f0e528a1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
new file mode 100755
index 000000000..2407be54f
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameIpCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameNoneCert b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameNoneCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
new file mode 100755
index 000000000..fa92c9ecd
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
new file mode 100755
index 000000000..635e4d143
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOidCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
new file mode 100755
index 000000000..bdfc7cb6a
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
new file mode 100755
index 000000000..bfc8a7973
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameOtherCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
new file mode 100755
index 000000000..9ad3271ab
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
new file mode 100755
index 000000000..b8e5b2e70
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822Cert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
new file mode 100755
index 000000000..89be1811d
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameRfc822DnsCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
new file mode 100755
index 000000000..1f46e79f0
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
new file mode 100755
index 000000000..864e86fb5
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameUriCert_diff
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
new file mode 100755
index 000000000..b0d10cf32
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert
diff --git a/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
new file mode 100755
index 000000000..652388847
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/generalName/altNameX400Cert_diff
diff --git a/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
new file mode 100755
index 000000000..3f3452683
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hanfeiyu2hanfeiyu
diff --git a/security/nss/tests/libpkix/certs/hy2hc-bc b/security/nss/tests/libpkix/certs/hy2hc-bc
new file mode 100755
index 000000000..691b8d982
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hc-bc
diff --git a/security/nss/tests/libpkix/certs/hy2hy-bc0 b/security/nss/tests/libpkix/certs/hy2hy-bc0
new file mode 100755
index 000000000..18b5fe4a8
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/hy2hy-bc0
diff --git a/security/nss/tests/libpkix/certs/issuer-hanfei.crl b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/certs/issuer-none.crl b/security/nss/tests/libpkix/certs/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/issuer-none.crl
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
new file mode 100755
index 000000000..7eae4863e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/authKeyIDCert
diff --git a/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyIdentifier/subjKeyIDCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
new file mode 100755
index 000000000..11a132d10
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/decipherOnlyCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
new file mode 100755
index 000000000..9b9377119
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/encipherOnlyCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/multiKeyUsagesCert
diff --git a/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
new file mode 100755
index 000000000..c58d9a2aa
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/keyUsage/noKeyUsagesCert
diff --git a/security/nss/tests/libpkix/certs/noExtensionsCert b/security/nss/tests/libpkix/certs/noExtensionsCert
new file mode 100755
index 000000000..f3dc1c973
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/noExtensionsCert
diff --git a/security/nss/tests/libpkix/certs/nss2alice b/security/nss/tests/libpkix/certs/nss2alice
new file mode 100755
index 000000000..48172a5ed
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/nss2alice
diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams
new file mode 100755
index 000000000..a1f9e05f6
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithParams
diff --git a/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams
new file mode 100755
index 000000000..7eae4863e
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/dsaWithoutParams
diff --git a/security/nss/tests/libpkix/certs/publicKey/labs2yassir b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/labs2yassir
diff --git a/security/nss/tests/libpkix/certs/publicKey/yassir2labs b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
new file mode 100755
index 000000000..f94385403
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/publicKey/yassir2labs
diff --git a/security/nss/tests/libpkix/certs/sun2sun b/security/nss/tests/libpkix/certs/sun2sun
new file mode 100755
index 000000000..c75192be1
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/sun2sun
diff --git a/security/nss/tests/libpkix/certs/yassir2bcn b/security/nss/tests/libpkix/certs/yassir2bcn
new file mode 100755
index 000000000..f9c83dc95
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2bcn
diff --git a/security/nss/tests/libpkix/certs/yassir2yassir b/security/nss/tests/libpkix/certs/yassir2yassir
new file mode 100755
index 000000000..8444af5a3
--- /dev/null
+++ b/security/nss/tests/libpkix/certs/yassir2yassir
diff --git a/security/nss/tests/libpkix/common/libpkix_init.sh b/security/nss/tests/libpkix/common/libpkix_init.sh
new file mode 100644
index 000000000..8dc800a6f
--- /dev/null
+++ b/security/nss/tests/libpkix/common/libpkix_init.sh
@@ -0,0 +1,357 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# libpkix_init.sh
+#
+
+### when the script is exiting, handle it in the Cleanup routine...the result
+### value will get set to 0 if all the tests completed successfully, so we can
+### use that value in the handler
+
+trap 'Cleanup' EXIT
+
+result=1
+checkmem=0
+arenas=0
+quiet=0
+
+doNIST=1
+doNIST_PDTest=0
+doPD=0
+doTop=0
+doModule=0
+doPki=0
+doOCSP=0
+doOCSPTest=0
+
+combinedErrors=0
+totalErrors=0
+prematureTermination=0
+errors=0
+
+if [ -z "${INIT_SOURCED}" ] ; then
+    libpkixCommondir=`pwd`
+    cd ../../common
+    . ./init.sh > /dev/null
+    cd ${libpkixCommondir}
+fi
+
+DIST_BIN=${DIST}/${OBJDIR}/bin
+
+### setup some defaults
+WD=`pwd`
+prog=`basename $0`
+testOut=${HOSTDIR}/${prog}.$$
+testOutMem=${HOSTDIR}/${prog}_mem.$$
+
+####################
+# cleanup from tests
+####################
+Cleanup()
+{
+    if [ ${testOut} != "" ]; then
+        rm -f ${testOut}
+    fi
+
+    if [ ${testOutMem} != "" ]; then
+        rm -f ${testOutMem}
+    fi
+
+    if [ -d ../../nist_pkits/certs ]; then
+        rm -f ../../nist_pkits/certs
+    fi
+
+    if [ ${doTop} -eq 1 ]; then
+        for i in ${linkMStoreNistFiles}; do
+            if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then
+                rm -f ${HOSTDIR}/rev_data/multiple_certstores/$i
+            fi
+        done
+        if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then
+            rm -fr ${HOSTDIR}/rev_data/multiple_certstores
+        fi
+    fi
+
+    if [ ${doModule} -eq 1 ]; then
+        for i in ${linkModuleNistFiles}; do
+            if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+                rm -f ${HOSTDIR}/rev_data/local/$i
+            fi
+        done
+        for i in ${localCRLFiles}; do
+            if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+                rm -f ${HOSTDIR}/rev_data/local/$i
+            fi
+        done
+    fi
+
+    if [ ${doPki} -eq 1 ]; then
+        for i in ${linkPkiNistFiles}; do
+            if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+                rm -f ${HOSTDIR}/rev_data/local/$i
+            fi
+        done
+    fi
+
+    return ${result}
+}
+
+### ParseArgs
+ParseArgs() # args
+{
+    while [ $# -gt 0 ]; do
+        if [ $1 = "-checkmem" ]; then
+            checkmem=1
+        elif [ $1 = "-quiet" ]; then
+            quiet=1
+        elif [ $1 = "-arenas" ]; then
+            arenas=1
+        fi
+        shift
+    done
+}
+
+Display() # string
+{
+    if [ ${quiet} -eq 0 ]; then
+        echo "$1"
+    fi
+}
+
+testHeadingEcho()
+{
+    echo "*******************************************************************************"
+    echo "START OF TESTS FOR ${testunit}${memText}"
+    echo "*******************************************************************************"
+    echo ""
+}
+
+testEndingEcho()
+{
+    if [ ${totalErrors} -eq 0 ]; then
+        echo ""
+        echo "************************************************************"
+        echo "END OF TESTS FOR ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY"
+        echo "************************************************************"
+        echo ""
+        return 0
+    fi
+
+    if [ ${totalErrors} -eq 1 ]; then
+        plural=""
+    else
+        plural="S"
+    fi
+
+    echo ""
+    echo "************************************************************"
+    echo "END OF TESTS FOR ${testunit}: ${totalErrors} TEST${plural} FAILED"
+    echo "************************************************************"
+    echo ""
+    return ${totalErrors}
+}
+
+###########
+# RunTests
+###########
+RunTests()
+{
+    errors=0
+    memErrors=0
+    prematureErrors=0
+
+    failedpgms=""
+    failedmempgms=""
+    failedprematurepgms=""
+    memText=""
+    arenaCmd=""
+
+    if [ ${checkmem} -eq 1 ]; then
+            memText="   (Memory Checking Enabled)"
+    fi
+
+    if [ ${arenas} -eq 1 ]; then
+            arenaCmd="-arenas"
+    fi
+
+    #
+    # Announce start of tests
+    #
+    Display "*******************************************************************************"
+    Display "START OF TESTS FOR PKIX ${testunit} ${memText}"
+    Display "*******************************************************************************"
+    Display ""
+
+    # run each test specified by the input redirection below
+
+    while read testPgm args; do
+
+        shortTestPurpose=`echo $args | awk '{print $1 " " $2 " "}'`
+        fullTestPurpose=${args}
+        if [ ${doTop} -eq 1 -o ${doModule} -eq 1 -o ${doPki} -eq 1 ]; then
+            testPurpose=${shortTestPurpose}
+        else
+            testPurpose=${fullTestPurpose}
+        fi
+
+        # If we want shorter command printout for NIST tests, delete next line
+        testPurpose=${fullTestPurpose}
+
+        # Skip OCSP tests if OCSP is not defined in the environment
+        if [ ${doOCSPTest} -eq 0 ]; then
+            hasOCSP=`echo ${args} | grep OCSP-Test`
+            if [ ! -z "${hasOCSP}" ]; then
+                Display "SKIPPING ${testPgm} ${testPurpose}"
+	        continue
+	    fi
+        fi
+
+        if [ ${doNIST} -eq 0 ]; then
+            hasNIST=`echo ${args} | grep NIST-Test`
+            if [ ! -z "${hasNIST}" ]; then
+                Display "SKIPPING ${testPgm} ${testPurpose}"
+	        continue
+	    fi
+        fi
+
+        # This "if" is not reached when doNIST is not set. The assumption
+        # is that NIST tests are basic, NIST Path Discovery tests are
+        # additional
+        if [ ${doNIST_PDTest} -eq 0 ]; then
+            hasNIST=`echo ${args} | grep NIST-PDTest`
+            if [ ! -z "${hasNIST}" ]; then
+                Display "SKIPPING ${testPgm} ${testPurpose}"
+	        continue
+	    fi
+        fi
+
+        Display "RUNNING ${testPgm} ${arenaCmd} ${testPurpose}"
+
+        numtests=`expr ${numtests} + 1`
+
+        if [ ${checkmem} -eq 1 ]; then
+            dbx -C -c "runargs ${arenaCmd} ${args};check -all;run;exit" ${DIST_BIN}/${testPgm} > ${testOut} 2>&1
+        else
+            ${DIST_BIN}/${testPgm} ${arenaCmd} ${args} > ${testOut} 2>&1
+        fi
+
+        # Examine output file to see if test failed and keep track of number
+        # of failures and names of failed tests. This assumes that the test
+        # uses our utility library for displaying information
+
+        cat ${testOut} | tail -2 | grep "COMPLETED SUCCESSFULLY" >/dev/null 2>&1
+        
+        if [ $? -ne 0 ]; then
+            testFail=1
+            errors=`expr ${errors} + 1`
+            failedpgms="${failedpgms}\n${testPgm} ${testPurpose} "
+#            cat ${testOut}
+        else
+            testFail=0
+            passed=`expr ${passed} + 1`
+        fi
+        cat ${testOut}
+        html_msg ${testFail} 0 "${testPgm} ${arenaCmd} ${shortTestPurpose}"
+
+        if [ ${checkmem} -eq 1 ]; then
+            grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1
+            if [ $? -ne 0 ]; then
+                prematureErrors=`expr ${prematureErrors} + 1`
+                failedprematurepgms="${failedprematurepgms}${testPgm} "
+                Display "...program terminated prematurely (unable to check for memory leak errors) ..."
+            else
+                #grep "(actual leaks:         0" ${testOut} > /dev/null 2>&1
+                # special consideration for memory leak in NSS_NoDB_Init
+                grep  "(actual leaks:         1  total size:       4 bytes)" ${testOut} > /dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                    memErrors=`expr ${memErrors} + 1`
+                    failedmempgms="${failedmempgms}${testPgm} "
+                    cat ${testOutMem}
+                fi
+            fi
+        fi
+
+    done
+
+    if [ ${errors} -eq 0 ]; then
+        if [ ${memErrors} -eq 0 ]; then
+            Display ""
+            Display "************************************************************"
+            Display "END OF TESTS FOR PKIX ${testunit}: ALL TESTS COMPLETED SUCCESSFULLY"
+            Display "************************************************************"
+            Display ""
+            return 0
+        fi
+    fi
+
+    if [ ${errors} -eq 1 ]; then
+        plural=""
+    else
+        plural="S"
+    fi
+
+    Display ""
+    Display "*******************************************************************************"
+    Display "END OF TESTS FOR PKIX ${testunit}: ${errors} UNIT TEST${plural} FAILED: ${failedpgms}"
+    Display ""
+    if [ ${checkmem} -eq 1 ]; then
+        if [ ${memErrors} -eq 1 ]; then
+            memPlural=""
+        else
+            memPlural="S"
+        fi
+        Display "                          ${memErrors} MEMORY LEAK TEST${memPlural} FAILED: ${failedmempgms}"
+        
+        if [ ${prematureErrors} -ne 0 ]; then
+            if [ ${prematureErrors} -eq 1 ]; then
+                prematurePlural=""
+            else
+                prematurePlural="S"
+            fi
+            Display "                          ${prematureErrors} MEMORY LEAK TEST${prematurePlural} INDETERMINATE: ${failedprematurepgms}"
+        fi
+
+    fi
+    Display "*******************************************************************************"
+    Display ""
+    combinedErrors=`expr ${errors} + ${memErrors} + ${prematureErrors}`
+
+    return ${combinedErrors}
+
+}
diff --git a/security/nss/tests/libpkix/common/libpkix_init_nist.sh b/security/nss/tests/libpkix/common/libpkix_init_nist.sh
new file mode 100644
index 000000000..cd7627b19
--- /dev/null
+++ b/security/nss/tests/libpkix/common/libpkix_init_nist.sh
@@ -0,0 +1,103 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# libpkix_init_nist.sh
+#
+
+#
+# Any test that uses NIST files should have a tag of either NIST-Test or
+# NIST-Test-Files-Used at the command option so if there are no NIST files
+# installed in the system, the test can be skipped
+#
+
+if [ -z "${NIST_FILES_DIR}" ] ; then
+    Display ""
+    Display "*******************************************************************************"
+    Display "The environment variable NIST_FILES_DIR is not defined. Therefore"
+    Display "tests depending on it will be skipped. To enable these tests set"
+    Display "NIST_FILES_DIR to the directory where NIST Certificates and CRLs"
+    Display "are located." 
+    Display "*******************************************************************************"
+    Display ""
+    doNIST=0
+else
+
+    NIST=${NIST_FILES_DIR}
+    doNIST=1
+fi
+
+#
+# Any tests that use NIST Path Discovery files should have a tag of NIST-PDTest
+# at the command option so if there are no NIST Path Discovery files
+# installed in the system, the test can be skipped
+#
+if [ ${doPD} -eq 1 -a -z "${PDVAL}" ] ; then
+
+    Display ""
+    Display "*******************************************************************************"
+    Display "The environment variable PDVAL is not defined. Therefore tests"
+    Display "depending on it will be skipped. To enable these tests set PDVAL to"
+    Display "the directory where NIST Path Discovery Certificates are located." 
+    Display "*******************************************************************************"
+    Display ""
+    doNIST_PDTest=0
+else
+
+    NIST_PDTEST=${PDVAL}
+    doNIST_PDTest=1
+fi
+
+#
+# Any tests that use an OCSP Server should have a tag of OCSP-Test at the
+# command option so if there is no OCSP Server installed in the system, the
+# test can be skipped
+#
+if [  ${doOCSP} -eq 1 -a -z "${OCSP}" ] ; then
+
+    Display ""
+    Display "*******************************************************************************"
+    Display "The environment variable OCSP is not defined. Therefore tests"
+    Display "depending on it will be skipped. To enable these tests set OCSP"
+    Display "non-NULL (the actual URI used is taken from the AIA extension)." 
+    Display "*******************************************************************************"
+    Display ""
+    doOCSPTest=0
+else
+    doOCSPTest=1
+fi
diff --git a/security/nss/tests/libpkix/libpkix.sh b/security/nss/tests/libpkix/libpkix.sh
new file mode 100755
index 000000000..cb4a3cedf
--- /dev/null
+++ b/security/nss/tests/libpkix/libpkix.sh
@@ -0,0 +1,291 @@
+#! /bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+totalErrors=0
+pkixErrors=0
+pkixplErrors=0
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+############################## libpkix_init ###############################
+# local shell function to initialize this script
+########################################################################
+libpkix_init()
+{
+  SCRIPTNAME="libpkixs.sh"
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  LIBPKIX_CURDIR=`pwd`
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+      cd ../common
+      . ./init.sh
+  fi
+  cd ${LIBPKIX_CURDIR}
+
+  # test at libpkix is written in ksh and hence cannot be sourced "."
+  # by this sh script. While we want to provide each libpkix test script the
+  # ability to be executed alone, we will need to use common/init.sh
+  # to set up bin etc. Since variable values can not be passed to sub-directory
+  # script for checking ($INIT_SOURCED), log is recreated and old data lost.
+  # The cludge way provided here is not ideal, but works (for now) :
+  # We save the log up to this point then concatenate it with libpkix log
+  # as the final one.
+  LOGFILE_ALL=${LOGFILE}
+  if [ ! -z ${LOGFILE_ALL} ] ; then
+       mv ${LOGFILE_ALL} ${LOGFILE_ALL}.tmp
+       touch ${LOGFILE_ALL}
+  fi
+
+  SCRIPTNAME="libpkixs.sh"
+  LIBPKIX_LOG=${HOSTDIR}/libpkix.log    #we don't want all the errormessages 
+         # in the output.log, otherwise we can't tell what's a real error
+
+
+}
+
+############################## libpkix_cleanup ############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+libpkix_cleanup()
+{
+  if [ ! -z ${LOGFILE_ALL} ] ; then
+       rm ${LOGFILE_ALL}
+       cat ${LOGFILE_ALL}.tmp ${LIBPKIX_LOG} > ${LOGFILE_ALL}
+       rm ${LOGFILE_ALL}.tmp
+  fi
+
+  html "</TABLE><BR>" 
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+############################## libpkix_UT_main ############################
+# local shell function to run libpkix unit tests
+########################################################################
+ParseArgs ()
+{
+    while [ $# -gt 0 ]; do
+        if [ $1 == "-checkmem" ]; then
+            checkMemArg=$1
+            memText="   (Memory Checking Enabled)"
+        elif [ $1 == "-quiet" ]; then
+            quietArg=$1
+        elif [ $1 == "-arenas" ]; then
+            arenasArg=$1
+        fi
+        shift
+    done
+}
+
+libpkix_UT_main()
+{
+
+html_head "LIBPKIX Unit Tests"
+
+ParseArgs 
+
+echo "*******************************************************************************"
+echo "START OF ALL TESTS${memText}"
+echo "*******************************************************************************"
+echo ""
+
+echo "RUNNING tests in pkix_pl_test";
+html_msg 0 0 "Running tests in pkix_pl_test:"
+cd pkix_pl_tests;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixplErrors=$?
+html_msg $? 0 "Results of tests in pkix_pl_test"
+
+echo "RUNNING tests in pkix_test";
+html_msg 0 0 "Running tests in pkix_test:"
+cd ../pkix_tests;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixErrors=$?
+html_msg $? 0 "Results of tests in pkix_test"
+
+echo "RUNNING performance tests in sample_apps";
+html_msg 0 0 "Running performance tests in sample_apps:"
+cd ../sample_apps;
+runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixPerfErrors=$?
+html_msg $? 0 "Results of performance tests in sample_apps"
+
+totalErrors=`expr ${pkixErrors} + ${pkixplErrors} + ${pkixPerfErrors}`
+
+if [ ${totalErrors} -eq 0 ]; then
+    echo ""
+    echo "************************************************************"
+    echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY"
+    echo "************************************************************"
+    html_msg ${totalErrors} 0 "ALL LIBPKIX TESTS COMPLETED SUCCESSFULLY"
+
+    return 0
+fi
+
+if [ ${totalErrors} -eq 1 ]; then
+    plural=""
+else
+    plural="S"
+fi
+
+if [ ${totalErrors} -ne 0 ]; then
+    echo ""
+    echo "************************************************************"
+    echo "END OF ALL TESTS: ${totalErrors} TEST${plural} FAILED"
+    echo "************************************************************"
+    html_msg 1 0 "${totalErrors} LIBPKIX TEST${plural} FAILED"
+return 1
+fi
+}
+
+############################## libpkix_setup_db ############################
+# Sets up directory and db for pkix functional test.
+########################################################################
+libpkix_setup_db()
+{
+  fnCaller=$1
+
+  DB_DIR="${HOSTDIR}/libpkix_functional"
+  CERT_DIR="${QADIR}/libpkix/certs"
+  
+  mkdir -p $DB_DIR
+  if [ ! -f ${R_PWFILE} ]; then
+      echo nss > ${R_PWFILE}
+  fi
+  echo "Initializing Cert DB in $FN_DB_DIR"
+  certutil -N -d "${DB_DIR}" -f "${R_PWFILE}" 2>&1
+  RET=$?
+  if [ "$RET" -ne 0 ]; then
+      return $RET
+  fi
+
+  echo "Loading certs into DB at $DB_DIR"
+  output=$TMP/libpkix_setup.tmp
+  while read certName trusts; do
+      certutil -d $DB_DIR -A -n $certName -t $trusts -i $CERT_DIR/$certName.cert -f "${R_PWFILE}" > $output 2>&1
+      if [ $? -ne 0 ]; then
+          echo "WARNING: unable to add a certificate($certName) into database"
+          echo "certutil output:"
+          cat $output
+      fi
+      rm -f $output
+  done < $QADIR/libpkix/cert_trust.map
+  
+}
+
+############################## libpkix_leak_test ############################
+# Runs pkix object and memory leak test
+########################################################################
+libpkix_leak_test()
+{
+
+    if [ -n "${MEMLEAK_DBG}" ]; then
+        LOGNAME="libpkix_memleak"
+        LOGFILE=${LOGDIR}/${LOGNAME}.log
+        tmpLogFile=$LOGFILE.tmp
+
+        html_head "Memory leak checking - libpkix"
+    else
+        tmpLogFile=$DB_DIR/libpkix_memoryleak.log
+
+        html_head "LIBPKIX Object Leak Tests"
+    fi 
+    while read status leafCert explPolicy others; do
+        # continue with empty and commented lines. 
+        [ -z "$status" -o "`echo $status | cut -c 1`" = "#" ] && continue
+
+        # can only run positive tests. Positive validation
+        # status is the exit condition for the code in the library.
+        [ $status -ne 0 ] && continue;
+        extraOpt=""
+        if [ "$explPolicy" -a "$explPolicy" != "undef" ]; then
+            extraOpt="-pp -o $explPolicy"
+        fi
+        cmd="vfychain -d $DB_DIR $extraOpt $CERT_DIR/$leafCert.cert"
+        if [ -n "$MEMLEAK_DBG" ]; then
+            cmd="$RUN_COMMAND_DBG $cmd"
+        fi
+        echo $cmd
+        $cmd > $tmpLogFile 2>&1
+        if [ -z "$MEMLEAK_DBG" ]; then
+            cat $tmpLogFile
+            grep "Memory Leak:" $tmpLogFile
+            html_msg $? 1 "Object leak tests with $leafCert certificate"
+        else
+            cat $tmpLogFile >> $LOGFILE
+        fi
+    done < $QADIR/libpkix/vfychain_test.lst
+
+    if [ -n "${MEMLEAK_DBG}" ]; then
+        log_parse
+        ret=$?
+        html_msg ${ret} 0 "${LOGNAME}" \
+            "produced a returncode of $ret, expected is 0"
+        html "</TABLE><BR>"
+    fi
+}
+
+
+################## main #################################################
+
+libpkix_init 
+libpkix_setup_db
+if [ "$PKIX_OBJECT_LEAK_TEST" ]; then
+    libpkix_leak_test
+    if [ -n "${MEMLEAK_DBG}" ]; then
+        libpkix_cleanup
+        return 1
+    fi
+fi
+
+# place other tests here
+
+# Run libpkix unit tests at the end
+if [ "$BUILD_LIBPKIX_TEST" ]; then
+    libpkix_UT_main  | tee ${LIBPKIX_LOG}
+fi
+libpkix_cleanup
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
new file mode 100755
index 000000000..f09bebbcf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/cert8.db
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
new file mode 100755
index 000000000..5c3b3ebbb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/key3.db
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crldiff.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/crlgood.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/local/issuer-none.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
new file mode 100755
index 000000000..89b59d17d
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_all.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
new file mode 100755
index 000000000..a80c10cd3
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_allbutcodesigningEE.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
new file mode 100755
index 000000000..3cd7bc9bc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauth.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
new file mode 100755
index 000000000..b0119ed26
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_clientauthEE.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
new file mode 100755
index 000000000..f90df0dac
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/rev_data/test_eku_codesigning_clientauth.crt
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
new file mode 100755
index 000000000..f6d787e05
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/runPLTests.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh 
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=MODULE
+doModule=1
+
+### setup NIST files need to link in
+linkModuleNistFiles="InvalidDNnameConstraintsTest3EE.crt 
+        InvalidonlySomeReasonsTest21EE.crt 
+        indirectCRLCA3cRLIssuerCRL.crl  
+        nameConstraintsDN3subCA2Cert.crt 
+        nameConstraintsDN4CACert.crt 
+        nameConstraintsDN5CACert.crt 
+        onlyContainsAttributeCertsCACRL.crl 
+        onlyContainsCACertsCACRL.crl 
+        onlyContainsUserCertsCACRL.crl 
+        onlySomeReasonsCA3compromiseCRL.crl
+        requireExplicitPolicy2CACert.crt 
+        inhibitPolicyMapping5CACert.crt 
+        inhibitAnyPolicy5CACert.crt 
+        inhibitAnyPolicy0CACert.crt 
+        P1Mapping1to234CACert.crt 
+        UserNoticeQualifierTest15EE.crt 
+        UserNoticeQualifierTest16EE.crt 
+        UserNoticeQualifierTest17EE.crt 
+        UserNoticeQualifierTest18EE.crt 
+        CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+    if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+        mkdir -p ${HOSTDIR}/rev_data/local
+    fi
+ 
+     for i in ${linkModuleNistFiles}; do
+         if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+             rm ${HOSTDIR}/rev_data/local/$i
+         fi
+         cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+     done
+
+    localCRLFiles="crlgood.crl
+	crldiff.crl
+	issuer-hanfei.crl
+	issuer-none.crl"
+
+    for i in ${localCRLFiles}; do
+        cp ${curdir}/rev_data/local/$i ${HOSTDIR}/rev_data/local/$i
+    done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+SOCKETTRACE=0
+export SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_colcertstore NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_pk11certstore -d ../../pkix_pl_tests/module ../../pkix_tests/top/rev_data/crlchecker
+pkixutil test_ekuchecker "Test-EKU-without-OID" ENE "" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-with-good-OID" ENE "1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt 
+pkixutil test_ekuchecker "Test-EKU-with-bad-OID" EE "1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt 
+pkixutil test_ekuchecker "Test-EKU-with-good-and-bad-OID" EE "1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-good-OID" ENE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-with-bad-OID" EE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_codesigning_clientauth.crt test_eku_clientauth.crt test_eku_clientauthEE.crt
+pkixutil test_ekuchecker "Test-EKU-serverAuth" ENE "1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-clientAuth" ENE "1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-codesigning-without-OID" EE "1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-emailProtection" ENE "1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-timestamping" ENE "1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-OCSPSigning" ENE "1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-serverAuth" ENE "E1.3.6.1.5.5.7.3.1" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-clientAuth" ENE "E1.3.6.1.5.5.7.3.2" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-codesigning-without-OID" EE "E1.3.6.1.5.5.7.3.3" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-emailProtection" ENE "E1.3.6.1.5.5.7.3.4" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-timestamping" ENE "E1.3.6.1.5.5.7.3.8" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_ekuchecker "Test-EKU-only-EE-ocspSigning" ENE "E1.3.6.1.5.5.7.3.9" rev_data test_eku_all.crt test_eku_allbutcodesigningEE.crt
+pkixutil test_socket ${HOSTADDR}:2000
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
new file mode 100755
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/module/secmod.db
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
new file mode 100755
index 000000000..50e1b98ec
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/README
@@ -0,0 +1,3 @@
+If the total number of CRL files is changed in this directory, 
+the define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS under the
+test directory also need to be changed.
\ No newline at end of file
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
new file mode 100755
index 000000000..d076ef89f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crldiff.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
new file mode 100755
index 000000000..1ad019ed1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/crlgood.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
new file mode 100755
index 000000000..6c9f0dbaa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-hanfei.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
new file mode 100755
index 000000000..c1c83ba2c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/rev_data/local/issuer-none.crl
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
new file mode 100755
index 000000000..3cd88c60b
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/pki/runPLTests.sh
@@ -0,0 +1,114 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PKI
+doPki=1
+
+### setup NIST files need to link in
+linkPkiNistFiles="InvalidDNnameConstraintsTest3EE.crt 
+        InvalidonlySomeReasonsTest21EE.crt 
+        indirectCRLCA3cRLIssuerCRL.crl  
+        nameConstraintsDN3subCA2Cert.crt 
+        nameConstraintsDN4CACert.crt 
+        nameConstraintsDN5CACert.crt 
+        onlyContainsAttributeCertsCACRL.crl 
+        onlyContainsCACertsCACRL.crl 
+        onlyContainsUserCertsCACRL.crl 
+        onlySomeReasonsCA3compromiseCRL.crl
+        requireExplicitPolicy2CACert.crt 
+        inhibitPolicyMapping5CACert.crt 
+        inhibitAnyPolicy5CACert.crt 
+        inhibitAnyPolicy0CACert.crt 
+        P1Mapping1to234CACert.crt 
+        UserNoticeQualifierTest15EE.crt 
+        UserNoticeQualifierTest16EE.crt 
+        UserNoticeQualifierTest17EE.crt 
+        UserNoticeQualifierTest18EE.crt 
+        CPSPointerQualifierTest20EE.crt"
+
+if [ -n "${NIST_FILES_DIR}" ]; then
+    if [ ! -d ${HOSTDIR}/rev_data/local ]; then
+        mkdir -p ${HOSTDIR}/rev_data/local
+    fi
+
+    for i in ${linkPkiNistFiles}; do
+        if [ -f ${HOSTDIR}/rev_data/local/$i ]; then
+            rm ${HOSTDIR}/rev_data/local/$i
+        fi
+        cp ${NIST_FILES_DIR}/$i ${HOSTDIR}/rev_data/local/$i
+    done
+fi
+
+##########
+# main
+#########
+
+TZ=US/Eastern
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_cert NIST-Test-Files-Used ../../certs ${HOSTDIR}/rev_data/local
+pkixutil test_crl NIST-Test-Files-Used ../../certs
+pkixutil test_x500name
+pkixutil test_generalname
+pkixutil test_date NIST-Test-Files-Used
+pkixutil test_crlentry ../../certs
+pkixutil test_nameconstraints NIST-Test-Files-Used rev_data/local ${HOSTDIR}
+pkixutil test_authorityinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicLDAPURIPathDiscoveryOU1EE1.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_subjectinfoaccess NIST-PDTest ${NIST_PDTEST} certs/BasicHTTPURITrustAnchorRootCert.crt certs/BasicLDAPURIPathDiscoveryOU1EE1.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
new file mode 100755
index 000000000..9da141aa5
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/runPLTests.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX_PL"
+
+totalErrors=0
+moduleErrors=0
+systemErrors=0
+pkiErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+
+### ParseArgs
+myParseArgs() # args
+{
+    while [ $# -gt 0 ]; do
+        if [ $1 = "-checkmem" ]; then
+            checkMemArg=$1
+        elif [ $1 = "-quiet" ]; then
+            quietArg=$1
+            quiet=1
+        elif [ $1 = "-arenas" ]; then
+            arenasArg=$1
+        fi
+        shift
+    done
+}
+
+myParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in pki";
+cd pki;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkiErrors=$?
+
+echo "RUNNING tests in system";
+cd ../system;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+systemErrors=$?
+
+echo "RUNNING tests in module";
+cd ../module;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+moduleErrors=$?
+
+totalErrors=`expr $moduleErrors + $systemErrors + $pkiErrors`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
new file mode 100755
index 000000000..12444f7df
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_pl_tests/system/runPLTests.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runPLTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=SYSTEM
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_mem
+pkixutil test_object
+pkixutil test_string
+pkixutil test_bigint
+pkixutil test_bytearray
+pkixutil test_mutex
+pkixutil test_mutex2
+pkixutil test_mutex3
+pkixutil test_monitorlock
+pkixutil test_oid
+pkixutil test_hashtable
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+
+
+
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
new file mode 100755
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/keyUsage
diff --git a/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
new file mode 100755
index 000000000..68f7534f1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/certsel/runTests.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CERTSEL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcertselparams ${NIST} NIST-Test-Files-Used
+pkixutil test_certselector ${NIST} NIST-Test-Files-Used ../../pkix_pl_tests/module/rev_data
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
new file mode 100755
index 000000000..b316b81dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/checker/runTests.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CHECKER
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_certchainchecker
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
new file mode 100755
index 000000000..1412b83df
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/crlsel/runTests.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=CRLSEL
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_comcrlselparams ../../certs
+pkixutil test_crlselector
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/params/runTests.sh b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
new file mode 100755
index 000000000..ba852ea98
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/params/runTests.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PARAMS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_valparams ../../certs
+pkixutil test_procparams ../../certs
+pkixutil test_trustanchor ${NIST} ../../certs NIST-Test-Files-Used
+pkixutil test_resourcelimits
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
new file mode 100755
index 000000000..fe078b74c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=RESULTS
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_policynode ${NIST} NIST-Test-Files-Used
+pkixutil test_valresult ../../certs
+pkixutil test_buildresult ../../certs
+pkixutil test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/runTests.sh b/security/nss/tests/libpkix/pkix_tests/runTests.sh
new file mode 100755
index 000000000..b06328e8e
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/runTests.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+testunit="PKIX"
+
+totalErrors=0
+utilErrors=0
+crlselErrors=0
+paramsErrors=0
+resultsErrors=0
+topErrors=0
+checkerErrors=0
+certselErrors=0
+quiet=0
+
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+### ParseArgs
+ParseArgs() # args
+{
+    while [ $# -gt 0 ]; do
+        if [ $1 = "-checkmem" ]; then
+            checkMemArg=$1
+            memText="   (Memory Checking Enabled)"
+        elif [ $1 = "-quiet" ]; then
+            quietArg=$1
+            quiet=1
+        elif [ $1 = "-arenas" ]; then
+            arenasArg=$1
+        fi
+        shift
+    done
+}
+
+ParseArgs $*
+
+testHeadingEcho
+
+echo "RUNNING tests in certsel";
+cd certsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+certselErrors=$?
+
+echo "RUNNING tests in checker";
+cd ../checker;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+checkerErrors=$?
+
+echo "RUNNING tests in results";
+cd ../results;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+resultsErrors=$?
+
+echo "RUNNING tests in params";
+cd ../params;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+paramsErrors=$?
+
+echo "RUNNING tests in crlsel";
+cd ../crlsel;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+crlselErrors=$?
+
+echo "RUNNING tests in store";
+cd ../store;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+storeErrors=$?
+
+echo "RUNNING tests in util";
+cd ../util;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+utilErrors=$?
+
+echo "RUNNING tests in top";
+cd ../top;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+topErrors=$?
+
+totalErrors=`expr ${certselErrors} + ${checkerErrors} + ${resultsErrors} + ${paramsErrors} + ${crlselErrors} + ${storeErrors} + ${utilErrors} + ${topErrors}`
+
+testEndingEcho
+
+exit ${totalErrors}
+
diff --git a/security/nss/tests/libpkix/pkix_tests/store/runTests.sh b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
new file mode 100755
index 000000000..16312b924
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/store/runTests.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=STORE
+
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_store genericCertStore rev_data/crlchecker ${HOSTDIR}
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
new file mode 100644
index 000000000..1e2f7c7a1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/anchorcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/greg2yassir_badsig.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
new file mode 100755
index 000000000..6cd8d2577
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
new file mode 100755
index 000000000..119368ca5
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/backtracking/signature/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/fail/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
new file mode 100755
index 000000000..8c96b41dc
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/multi_path/signature/pass/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
new file mode 100755
index 000000000..66563db40
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/greg2yassir_badsig.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/fail/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
new file mode 100755
index 000000000..148b47815
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
new file mode 100755
index 000000000..e037e5047
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
new file mode 100755
index 000000000..eca3a5e84
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/single_path/signature/pass/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
new file mode 100755
index 000000000..182472b21
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/greg2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test1/yassir2richard.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/nelson2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
new file mode 100755
index 000000000..b11826f97
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test2/yassir2richard.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
new file mode 100755
index 000000000..44419aa4c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2greg.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
new file mode 100755
index 000000000..07f7e58d1
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2jes.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
new file mode 100755
index 000000000..36591b8bf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/jes2labs.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
new file mode 100755
index 000000000..2b4387d6c
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/labs2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
new file mode 100755
index 000000000..f5fe26115
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/nelson2yassir.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
new file mode 100755
index 000000000..460d19307
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/build_data/test3/yassir2hanfei.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/cert8.db b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
new file mode 100644
index 000000000..a2bb46756
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/cert8.db
diff --git a/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
new file mode 100644
index 000000000..c9904f4e0
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/goodcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/key3.db b/security/nss/tests/libpkix/pkix_tests/top/key3.db
new file mode 100644
index 000000000..fd1bee826
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/key3.db
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
new file mode 100755
index 000000000..9619c22cf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
new file mode 100755
index 000000000..0022f3cbf
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/chem2prof.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
new file mode 100755
index 000000000..50be7df1f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phy2prof.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
new file mode 100755
index 000000000..2deed93ed
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/phys.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
new file mode 100755
index 000000000..fa9b2dc69
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
new file mode 100755
index 000000000..04bc5f16a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/prof2test.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
new file mode 100755
index 000000000..675e9a53f
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
new file mode 100755
index 000000000..e12232b8a
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2chem.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
new file mode 100755
index 000000000..f5a165baa
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2phy.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
new file mode 100755
index 000000000..ca09c166e
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/sci2sci.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
new file mode 100755
index 000000000..e37aa9c24
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/rev_data/crlchecker/test.crl
diff --git a/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
new file mode 100644
index 000000000..0715ceb7b
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/revokedcert.crt
diff --git a/security/nss/tests/libpkix/pkix_tests/top/runTests.sh b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
new file mode 100755
index 000000000..def12e3f5
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/runTests.sh
@@ -0,0 +1,550 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+
+LDAP='nss.red.iplanet.com:1389'
+export LDAP
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+doPD=1
+doOCSP=1
+. ./libpkix_init_nist.sh
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=TOP
+doTop=1
+linkMStoreNistFiles="store1/TrustAnchorRootCRL.crl
+    store1/TwoCRLsCABadCRL.crl
+    store2/TwoCRLsCAGoodCRL.crl"
+
+if [ ! -z "${NIST_FILES_DIR}" ] ; then
+    if [ -d ${HOSTDIR}/rev_data/multiple_certstores ]; then
+        rm -fr ${HOSTDIR}/rev_data/multiple_certstores
+    fi
+    mkdir -p ${HOSTDIR}/rev_data/multiple_certstores
+    mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store1
+    mkdir -p ${HOSTDIR}/rev_data/multiple_certstores/store2
+    for i in ${linkMStoreNistFiles}; do
+        if [ -f ${HOSTDIR}/rev_data/multiple_certstores/$i ]; then
+            rm ${HOSTDIR}/rev_data/multiple_certstores/$i
+        fi
+        fname=`basename $i`
+        cp ${NIST_FILES_DIR}/${fname} ${HOSTDIR}/rev_data/multiple_certstores/$i
+    done
+fi
+
+ocspFiles="goodcert.crt revokedcert.crt anchorcert.crt
+    secmod.db key3.db cert8.db"
+
+if [ ! -z ${doOCSPTest} ] ; then
+    if [ -d ${HOSTDIR}/ocsp ]; then
+        rm -fr ${HOSTDIR}/ocsp
+    fi
+    mkdir -p ${HOSTDIR}/ocsp
+    for i in ${ocspFiles}; do
+        cp $i ${HOSTDIR}/ocsp/$i
+
+    done
+fi
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+Display ""
+Display "#    ENE = expect no error (validation should succeed)"
+Display "#    EE = expect error (validation should fail)"
+Display ""
+
+LOGGING=1
+SOCKETTRACE=1
+export LOGGING SOCKETTRACE
+
+RunTests <<EOF
+pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt  InvalidEESignatureTest3EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt  InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil_or test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+EOF
+
+tracedErrors=$?
+
+LOGGING=0
+SOCKETTRACE=0
+
+RunTests <<EOF
+pkixutil test_basicchecker ../../certs
+pkixutil test_basicconstraintschecker "Two-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Three-Certificates-Chain" ENE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc
+pkixutil test_basicconstraintschecker "Four-Certificates-Chain-with-error" EE ../../certs hy2hy-bc0 hy2hy-bc0 hy2hc-bc hy2hc-bc
+pkixutil test_validatechain_bc  ../../certs/hy2hy-bc0 ../../certs/hy2hc-bc
+pkixutil test_policychecker NIST-Test-Files-Used ENE $NIST ../../certs
+pkixutil test_defaultcrlchecker2stores NIST-Test.4.4.7-with-multiple-CRL-stores ENE $NIST ${HOSTDIR}/rev_data/multiple_certstores/store1 ${HOSTDIR}/rev_data/multiple_certstores/store2 TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_buildchain_resourcelimits ${LDAP} NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_customcrlchecker "CRL-test-without-revocation" ENE rev_data/crlchecker sci2sci.crt sci2phy.crt phy2prof.crt prof2test.crt
+pkixutil test_customcrlchecker "CRL-test-with-revocation-reasoncode" EE rev_data/crlchecker sci2sci.crt sci2chem.crt chem2prof.crt prof2test.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:testcertificates.gov+R:Test23EE@testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0R:TEST.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:testcertificates.gov+N:testserver.testcertificates.gov" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0N:notestcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:.gov+U:http://testserver.testcertificates.gov/index.html" ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0U:test.testcertificates.gov" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "1D:C=US+D:CN=Certificates,C=US" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_subjaltnamechecker "NIST-Test-Files-Used" "0D:O=TestCertificates,C=CN" EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_validatechain "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt  InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt  InvalidNameChainingOrderTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt
+pkixutil test_validatechain NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt  ValidNameUIDsTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt  ValidUTF8StringEncodedNamesTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt  ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt  ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt
+pkixutil test_validatechain NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt
+pkixutil test_validatechain NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt
+pkixutil test_validatechain NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt
+pkixutil test_validatechain NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt
+pkixutil test_validatechain NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt
+pkixutil test_validatechain NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt
+pkixutil test_validatechain NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt
+pkixutil test_validatechain NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt
+pkixutil test_validatechain NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+pkixutil test_validatechain NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt
+pkixutil test_validatechain NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt
+pkixutil test_validatechain NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt
+pkixutil test_validatechain NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt
+pkixutil test_validatechain NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt
+pkixutil test_validatechain NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt
+pkixutil test_validatechain NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+pkixutil test_validatechain NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+pkixutil test_validatechain NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+pkixutil test_validatechain NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+pkixutil test_validatechain_NB "CRL-test-without-key-usage-cRLsign-bit-NIST-Test-Files-Used" EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.1 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.2 EE $NIST TrustAnchorRootCertificate.crt BadSignedCACert.crt InvalidCASignatureTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt  InvalidEESignatureTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.4 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt ValidDSASignaturesTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.5 ENE $NIST TrustAnchorRootCertificate.crt DSACACert.crt DSAParametersInheritedCACert.crt ValidDSAParameterInheritanceTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.1.6 EE $NIST TrustAnchorRootCertificate.crt DSACACert.crt InvalidDSASignatureTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.1 EE $NIST TrustAnchorRootCertificate.crt BadnotBeforeDateCACert.crt InvalidCAnotBeforeDateTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotBeforeDateTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Validpre2000UTCnotBeforeDateTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotBeforeDateTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.5 EE $NIST TrustAnchorRootCertificate.crt BadnotAfterDateCACert.crt InvalidCAnotAfterDateTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.6 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidEEnotAfterDateTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.7 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.2.8 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidGeneralizedTimenotAfterDateTest8EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.1 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidNameChainingTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.2 EE $NIST TrustAnchorRootCertificate.crt NameOrderingCACert.crt  InvalidNameChainingOrderTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.3 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.4 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingWhitespaceTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.5 ENE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt ValidNameChainingCapitalizationTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.6 ENE $NIST TrustAnchorRootCertificate.crt UIDCACert.crt  ValidNameUIDsTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.9 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringEncodedNamesCACert.crt  ValidUTF8StringEncodedNamesTest9EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.10 ENE $NIST TrustAnchorRootCertificate.crt RolloverfromPrintableStringtoUTF8StringCACert.crt  ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.3.11 ENE $NIST TrustAnchorRootCertificate.crt UTF8StringCaseInsensitiveMatchCACert.crt  ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.1 EE $NIST TrustAnchorRootCertificate.crt NoCRLCACert.crt InvalidMissingCRLTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.2 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt RevokedsubCACert.crt InvalidRevokedCATest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.3 EE $NIST TrustAnchorRootCertificate.crt GoodCACert.crt InvalidRevokedEETest3EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.4 EE $NIST TrustAnchorRootCertificate.crt BadCRLSignatureCACert.crt InvalidBadCRLSignatureTest4EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.5 EE $NIST TrustAnchorRootCertificate.crt BadCRLIssuerNameCACert.crt InvalidBadCRLIssuerNameTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.6 EE $NIST TrustAnchorRootCertificate.crt WrongCRLCACert.crt InvalidWrongCRLTest6EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.7 ENE $NIST TrustAnchorRootCertificate.crt TwoCRLsCACert.crt ValidTwoCRLsTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.8 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLEntryExtensionCACert.crt InvalidUnknownCRLEntryExtensionTest8EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.9 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest9EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.10 EE $NIST TrustAnchorRootCertificate.crt UnknownCRLExtensionCACert.crt InvalidUnknownCRLExtensionTest10EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.11 EE $NIST TrustAnchorRootCertificate.crt OldCRLnextUpdateCACert.crt InvalidOldCRLnextUpdateTest11EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.12 EE $NIST TrustAnchorRootCertificate.crt pre2000CRLnextUpdateCACert.crt Invalidpre2000CRLnextUpdateTest12EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.13 ENE $NIST TrustAnchorRootCertificate.crt GeneralizedTimeCRLnextUpdateCACert.crt ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.14 ENE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt ValidNegativeSerialNumberTest14EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.15 EE $NIST TrustAnchorRootCertificate.crt NegativeSerialNumberCACert.crt InvalidNegativeSerialNumberTest15EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.16 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest16EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.17 ENE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt ValidLongSerialNumberTest17EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.18 EE $NIST TrustAnchorRootCertificate.crt LongSerialNumberCACert.crt InvalidLongSerialNumberTest18EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.4.20 EE $NIST TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt SeparateCertificateandCRLKeysCRLSigningCert.crt InvalidSeparateCertificateandCRLKeysTest20EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.1 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt ValidBasicSelfIssuedOldWithNewTest1EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.2 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedNewKeyCACert.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.5 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.7 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+pkixutil test_validatechain_NB NIST-Test.4.5.8 EE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.1 EE $NIST TrustAnchorRootCertificate.crt MissingbasicConstraintsCACert.crt InvalidMissingbasicConstraintsTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.2 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsCriticalcAFalseCACert.crt InvalidcAFalseTest2EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.3 EE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalcAFalseCACert.crt InvalidcAFalseTest3EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.4 ENE $NIST TrustAnchorRootCertificate.crt basicConstraintsNotCriticalCACert.crt ValidbasicConstraintsNotCriticalTest4EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.5 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest5EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.6 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0subCACert.crt InvalidpathLenConstraintTest6EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.7 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest7EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.8 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt ValidpathLenConstraintTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.9 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest9EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.10 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt InvalidpathLenConstraintTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.11 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest11EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.12 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subsubsubCA11XCert.crt InvalidpathLenConstraintTest12EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.13 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest13EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.14 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint6CACert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subsubsubCA41XCert.crt ValidpathLenConstraintTest14EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.15 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt ValidSelfIssuedpathLenConstraintTest15EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.16 EE $NIST TrustAnchorRootCertificate.crt pathLenConstraint0CACert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0subCA2Cert.crt InvalidSelfIssuedpathLenConstraintTest16EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.6.17 ENE $NIST TrustAnchorRootCertificate.crt pathLenConstraint1CACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedsubCACert.crt ValidSelfIssuedpathLenConstraintTest17EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.1" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.2" EE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.3" ENE $NIST TrustAnchorRootCertificate.crt keyUsageNotCriticalCACert.crt ValidkeyUsageNotCriticalTest3EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.4" EE $NIST TrustAnchorRootCertificate.crt keyUsageCriticalcRLSignFalseCACert.crt InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+pkixutil test_validatechain "NIST-Test.4.7.5" EE $NIST TrustAnchorRootCertificate.crt  keyUsageNotCriticalcRLSignFalseCACert.crt InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.1-1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.1-2 ENE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.1.4 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.8.2.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.8.2.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt NoPoliciesCACert.crt AllCertificatesNoPoliciesTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.2 EE $NIST ../../certs "{2.5.29.32.0}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.3.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1:2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCACert.crt DifferentPoliciesTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.8.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCACert.crt DifferentPoliciesTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.8.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt PoliciesP2subCA2Cert.crt DifferentPoliciesTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.6.3 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP1234CACert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234subsubCAP123P12Cert.crt OverlappingPoliciesTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.8.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P1Cert.crt DifferentPoliciesTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.8.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt PoliciesP12subCAP1Cert.crt PoliciesP12subsubCAP1P2Cert.crt DifferentPoliciesTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.8.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt PoliciesP123subCAP12Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subsubsubCAP12P2P1Cert.crt
+pkixutil test_policychecker NIST-Test.4.8.10.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.10.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.10.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt AllCertificatesSamePoliciesTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.8.11.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.8.11.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AllCertificatesanyPolicyTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.8.12 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PoliciesP3CACert.crt DifferentPoliciesTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.13.3 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.3}" TrustAnchorRootCertificate.crt PoliciesP123CACert.crt AllCertificatesSamePoliciesTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.8.14.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.8.14.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt anyPolicyCACert.crt AnyPolicyTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.8.15.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt
+pkixutil test_policychecker NIST-Test.4.8.15.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt UserNoticeQualifierTest15EE.crt
+pkixutil test_policychecker NIST-Test.4.8.16.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt
+pkixutil test_policychecker NIST-Test.4.8.16.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" E TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest16EE.crt
+pkixutil test_policychecker NIST-Test.4.8.17 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt UserNoticeQualifierTest17EE.crt
+pkixutil test_policychecker NIST-Test.4.8.18.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt
+pkixutil test_policychecker NIST-Test.4.8.18.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt PoliciesP12CACert.crt UserNoticeQualifierTest18EE.crt
+pkixutil test_policychecker NIST-Test.4.8.19 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt UserNoticeQualifierTest19EE.crt
+pkixutil test_policychecker NIST-Test.4.8.20 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt CPSPointerQualifierTest20EE.crt
+pkixutil test_policychecker NIST-Test.4.9.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy10CACert.crt requireExplicitPolicy10subCACert.crt requireExplicitPolicy10subsubCACert.crt requireExplicitPolicy10subsubsubCACert.crt ValidrequireExplicitPolicyTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.9.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy5CACert.crt requireExplicitPolicy5subCACert.crt requireExplicitPolicy5subsubCACert.crt requireExplicitPolicy5subsubsubCACert.crt ValidrequireExplicitPolicyTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.9.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy4CACert.crt requireExplicitPolicy4subCACert.crt requireExplicitPolicy4subsubCACert.crt requireExplicitPolicy4subsubsubCACert.crt InvalidrequireExplicitPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.9.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy0CACert.crt requireExplicitPolicy0subCACert.crt requireExplicitPolicy0subsubCACert.crt requireExplicitPolicy0subsubsubCACert.crt ValidrequireExplicitPolicyTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.9.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy7CACert.crt requireExplicitPolicy7subCARE2Cert.crt requireExplicitPolicy7subsubCARE2RE4Cert.crt requireExplicitPolicy7subsubsubCARE2RE4Cert.crt InvalidrequireExplicitPolicyTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.9.6 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.9.7 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.9.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt requireExplicitPolicy2CACert.crt requireExplicitPolicy2SelfIssuedCACert.crt requireExplicitPolicy2subCACert.crt requireExplicitPolicy2SelfIssuedsubCACert.crt InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.1.3 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt ValidPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.10.2.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.10.2.2 EE $NIST ../../certs "{2.5.29.32.0}" P TrustAnchorRootCertificate.crt Mapping1to2CACert.crt InvalidPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.10.3.1 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.10.3.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt ValidPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.10.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt P12Mapping1to3subCACert.crt P12Mapping1to3subsubCACert.crt InvalidPolicyMappingTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.10.5.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.10.5.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.10.6.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.10.6.2 EE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.6}" TrustAnchorRootCertificate.crt P1Mapping1to234CACert.crt P1Mapping1to234subCACert.crt ValidPolicyMappingTest6EE.crt TrustAnchorRootCertificate.crt
+pkixutil test_policychecker NIST-Test.4.10.7.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt
+pkixutil test_policychecker NIST-Test.4.10.7.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingFromanyPolicyCACert.crt InvalidMappingFromanyPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.10.8.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt
+pkixutil test_policychecker NIST-Test.4.10.8.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt MappingToanyPolicyCACert.crt InvalidMappingToanyPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.10.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt PanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.10.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt InvalidPolicyMappingTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.10.11 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt GoodCACert.crt GoodsubCAPanyPolicyMapping1to2CACert.crt ValidPolicyMappingTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.10.12.1 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.1}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.10.12.2 ENE $NIST ../../certs "{2.16.840.1.101.3.2.1.48.2}" TrustAnchorRootCertificate.crt P12Mapping1to3CACert.crt ValidPolicyMappingTest12EE.crt
+pkixutil test_policychecker NIST-Test.4.10.13 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest13EE.crt
+pkixutil test_policychecker NIST-Test.4.10.14 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt P1anyPolicyMapping1to2CACert.crt ValidPolicyMappingTest14EE.crt
+pkixutil test_policychecker NIST-Test.4.11.1.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt
+pkixutil test_policychecker NIST-Test.4.11.1.2 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping0CACert.crt inhibitPolicyMapping0subCACert.crt InvalidinhibitPolicyMappingTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.11.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt ValidinhibitPolicyMappingTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.11.3 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt InvalidinhibitPolicyMappingTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.11.4 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCACert.crt inhibitPolicyMapping1P12subsubCACert.crt ValidinhibitPolicyMappingTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.11.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping5CACert.crt inhibitPolicyMapping5subCACert.crt inhibitPolicyMapping5subsubCACert.crt inhibitPolicyMapping5subsubsubCACert.crt InvalidinhibitPolicyMappingTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.11.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P12CACert.crt inhibitPolicyMapping1P12subCAIPM5Cert.crt inhibitPolicyMapping1P12subsubCAIPM5Cert.crt InvalidinhibitPolicyMappingTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.11.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.11.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.11.9 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1subsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.11.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+pkixutil test_policychecker NIST-Test.4.11.11 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitPolicyMapping1P1CACert.crt inhibitPolicyMapping1P1SelfIssuedCACert.crt inhibitPolicyMapping1P1subCACert.crt inhibitPolicyMapping1P1SelfIssuedsubCACert.crt InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+pkixutil test_policychecker NIST-Test.4.12.1 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt InvalidinhibitAnyPolicyTest1EE.crt
+pkixutil test_policychecker NIST-Test.4.12.2 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy0CACert.crt ValidinhibitAnyPolicyTest2EE.crt
+pkixutil test_policychecker NIST-Test.4.12.3.1 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.12.3.2 EE $NIST ../../certs "{2.5.29.32.0}" A TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt inhibitAnyPolicyTest3EE.crt
+pkixutil test_policychecker NIST-Test.4.12.4 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCA1Cert.crt InvalidinhibitAnyPolicyTest4EE.crt
+pkixutil test_policychecker NIST-Test.4.12.5 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy5CACert.crt inhibitAnyPolicy5subCACert.crt inhibitAnyPolicy5subsubCACert.crt InvalidinhibitAnyPolicyTest5EE.crt
+pkixutil test_policychecker NIST-Test.4.12.6 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1subCAIAP5Cert.crt InvalidinhibitAnyPolicyTest6EE.crt
+pkixutil test_policychecker NIST-Test.4.12.7 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+pkixutil test_policychecker NIST-Test.4.12.8 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1subsubCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+pkixutil test_policychecker NIST-Test.4.12.9 ENE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+pkixutil test_policychecker NIST-Test.4.12.10 EE $NIST ../../certs "{2.5.29.32.0}" TrustAnchorRootCertificate.crt inhibitAnyPolicy1CACert.crt inhibitAnyPolicy1SelfIssuedCACert.crt inhibitAnyPolicy1subCA2Cert.crt InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.1 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.2 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest2EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.3 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest3EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.4 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt ValidDNnameConstraintsTest4EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.5 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN2CACert.crt ValidDNnameConstraintsTest5EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.6 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt ValidDNnameConstraintsTest6EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.7 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt InvalidDNnameConstraintsTest7EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.8 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest8EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.9 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN4CACert.crt InvalidDNnameConstraintsTest9EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.10 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt InvalidDNnameConstraintsTest10EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.11 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN5CACert.crt ValidDNnameConstraintsTest11EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.12 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA1Cert.crt InvalidDNnameConstraintsTest12EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.13 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt InvalidDNnameConstraintsTest13EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.14 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1subCA2Cert.crt ValidDNnameConstraintsTest14EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.15 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest15EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.16 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA1Cert.crt InvalidDNnameConstraintsTest16EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.17 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt InvalidDNnameConstraintsTest17EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.18 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN3CACert.crt nameConstraintsDN3subCA2Cert.crt ValidDNnameConstraintsTest18EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.19 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt nameConstraintsDN1SelfIssuedCACert.crt ValidDNnameConstraintsTest19EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.20 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt InvalidDNnameConstraintsTest20EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.21 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt ValidRFC822nameConstraintsTest21EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.22 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA1Cert.crt InvalidRFC822nameConstraintsTest22EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.23 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt ValidRFC822nameConstraintsTest23EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.24 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA2Cert.crt InvalidRFC822nameConstraintsTest24EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.25 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt ValidRFC822nameConstraintsTest25EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.26 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsRFC822CA3Cert.crt InvalidRFC822nameConstraintsTest26EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.27 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt  nameConstraintsDN1subCA3Cert.crt ValidDNandRFC822nameConstraintsTest27EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.28 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt  nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest28EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.29 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDN1CACert.crt  nameConstraintsDN1subCA3Cert.crt InvalidDNandRFC822nameConstraintsTest29EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.30 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt ValidDNSnameConstraintsTest30EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.31 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest31EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.32 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt ValidDNSnameConstraintsTest32EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.33 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS2CACert.crt InvalidDNSnameConstraintsTest33EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.34 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt ValidURInameConstraintsTest34EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.35 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI1CACert.crt InvalidURInameConstraintsTest35EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.36 ENE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt ValidURInameConstraintsTest36EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.37 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsURI2CACert.crt InvalidURInameConstraintsTest37EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.13.38 EE $NIST TrustAnchorRootCertificate.crt nameConstraintsDNS1CACert.crt InvalidDNSnameConstraintsTest38EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.16.1 ENE $NIST TrustAnchorRootCertificate.crt ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+pkixutil test_basicconstraintschecker NIST-Test.4.16.2 EE $NIST TrustAnchorRootCertificate.crt InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-without-OID ENE - $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-without-forwardSupport ENE 2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_uchecker NIST-Test.4.1.1-with-OID-forwardSupport ENE F2.5.29.19 $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.1 ENE $NIST ValidCertificatePathTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.2 EE $NIST InvalidCASignatureTest2EE.crt BadSignedCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.3 EE $NIST InvalidEESignatureTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.4 ENE $NIST ValidDSASignaturesTest4EE.crt DSACACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.5 ENE $NIST ValidDSAParameterInheritanceTest5EE.crt DSAParametersInheritedCACert.crt DSACACert.crt TrustAnchorRootCertificate.crt  
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.1.6 EE $NIST InvalidDSASignatureTest6EE.crt DSACACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.1 EE $NIST InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.2 EE $NIST InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.3 ENE $NIST Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.4 ENE $NIST ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.5 EE $NIST InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.6 EE $NIST InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.7 EE $NIST Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.2.8 ENE $NIST ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.1 EE $NIST InvalidNameChainingTest1EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.2 EE $NIST InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.3 ENE $NIST ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.4 ENE $NIST ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.5 ENE $NIST ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.6 ENE $NIST ValidNameUIDsTest6EE.crt UIDCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain -  NIST-Test.4.3.7 ENE $NIST ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.9 ENE $NIST ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.10 ENE $NIST ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.3.11 ENE $NIST ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.1 EE $NIST InvalidMissingCRLTest1EE.crt NoCRLCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.2 EE $NIST InvalidRevokedCATest2EE.crt RevokedsubCACert.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.3 EE $NIST InvalidRevokedEETest3EE.crt GoodCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.4 EE $NIST InvalidBadCRLSignatureTest4EE.crt BadCRLSignatureCACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.5 EE $NIST InvalidBadCRLIssuerNameTest5EE.crt BadCRLIssuerNameCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.6 EE $NIST InvalidWrongCRLTest6EE.crt WrongCRLCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.7 ENE $NIST ValidTwoCRLsTest7EE.crt TwoCRLsCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.8 EE $NIST InvalidUnknownCRLEntryExtensionTest8EE.crt UnknownCRLEntryExtensionCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.9 EE $NIST InvalidUnknownCRLExtensionTest9EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.10 EE $NIST InvalidUnknownCRLExtensionTest10EE.crt UnknownCRLExtensionCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.11 EE $NIST InvalidOldCRLnextUpdateTest11EE.crt OldCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.12 EE $NIST Invalidpre2000CRLnextUpdateTest12EE.crt pre2000CRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.13 ENE $NIST ValidGeneralizedTimeCRLnextUpdateTest13EE.crt GeneralizedTimeCRLnextUpdateCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.14 ENE $NIST ValidNegativeSerialNumberTest14EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.15 EE $NIST InvalidNegativeSerialNumberTest15EE.crt NegativeSerialNumberCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.16 ENE $NIST ValidLongSerialNumberTest16EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.17 ENE $NIST ValidLongSerialNumberTest17EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.18 EE $NIST InvalidLongSerialNumberTest18EE.crt LongSerialNumberCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.4.20 EE $NIST InvalidSeparateCertificateandCRLKeysTest20EE.crt SeparateCertificateandCRLKeysCRLSigningCert.crt TrustAnchorRootCertificate.crt SeparateCertificateandCRLKeysCertificateSigningCACert.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.5.1 ENE $NIST ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.5.2 EE $NIST InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.1 EE $NIST InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.2 EE $NIST InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.3 EE $NIST InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.4 ENE $NIST ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.5 EE $NIST InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.6 EE $NIST InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.7 ENE $NIST ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.8 ENE $NIST ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.9 EE $NIST InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.10 EE $NIST InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.11 EE $NIST InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.12 EE $NIST InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.13 ENE $NIST ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.15 ENE $NIST ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.16 EE $NIST InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.6.17 ENE $NIST ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.7.1 EE $NIST InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.7.2 EE $NIST InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.7.3 ENE $NIST ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.7.4 EE $NIST InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt  
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.7.5 EE $NIST InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt TrustAnchorRootCertificate.crt  
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.1 ENE $NIST ValidDNnameConstraintsTest1EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.2 EE $NIST InvalidDNnameConstraintsTest2EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.3 EE $NIST InvalidDNnameConstraintsTest3EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.4 ENE $NIST ValidDNnameConstraintsTest4EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.5 ENE $NIST ValidDNnameConstraintsTest5EE.crt nameConstraintsDN2CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.6 ENE $NIST ValidDNnameConstraintsTest6EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.7 EE $NIST InvalidDNnameConstraintsTest7EE.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.8 EE $NIST InvalidDNnameConstraintsTest8EE.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.9 EE $NIST InvalidDNnameConstraintsTest9EE.crt nameConstraintsDN4CACert.crt nameConstraintsDN4CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.10 EE $NIST InvalidDNnameConstraintsTest10EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.11 ENE $NIST ValidDNnameConstraintsTest11EE.crt nameConstraintsDN5CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.12 EE $NIST InvalidDNnameConstraintsTest12EE.crt nameConstraintsDN1subCA1Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.14 ENE $NIST ValidDNnameConstraintsTest14EE.crt  nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.15 EE $NIST InvalidDNnameConstraintsTest15EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.16 EE $NIST InvalidDNnameConstraintsTest16EE.crt nameConstraintsDN3subCA1Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.17 EE $NIST InvalidDNnameConstraintsTest17EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.18 ENE $NIST ValidDNnameConstraintsTest18EE.crt nameConstraintsDN3subCA2Cert.crt nameConstraintsDN3CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.19 ENE $NIST ValidDNnameConstraintsTest19EE.crt nameConstraintsDN1SelfIssuedCACert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.20 EE $NIST InvalidDNnameConstraintsTest20EE.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.21 ENE $NIST ValidRFC822nameConstraintsTest21EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.22 EE $NIST InvalidRFC822nameConstraintsTest22EE.crt nameConstraintsRFC822CA1Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.23 ENE $NIST ValidRFC822nameConstraintsTest23EE.crt nameConstraintsRFC822CA2Cert.crt  TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.24 EE $NIST InvalidRFC822nameConstraintsTest24EE.crt nameConstraintsRFC822CA2Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.25 ENE $NIST ValidRFC822nameConstraintsTest25EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.26 EE $NIST InvalidRFC822nameConstraintsTest26EE.crt nameConstraintsRFC822CA3Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.28 EE $NIST InvalidDNandRFC822nameConstraintsTest28EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.29 EE $NIST InvalidDNandRFC822nameConstraintsTest29EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.30 ENE $NIST ValidDNSnameConstraintsTest30EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.31 EE $NIST InvalidDNSnameConstraintsTest31EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.32 ENE $NIST ValidDNSnameConstraintsTest32EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.33 EE $NIST InvalidDNSnameConstraintsTest33EE.crt nameConstraintsDNS2CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.34 ENE $NIST ValidURInameConstraintsTest34EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.35 EE $NIST InvalidURInameConstraintsTest35EE.crt nameConstraintsURI1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.36 ENE $NIST ValidURInameConstraintsTest36EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.37 EE $NIST InvalidURInameConstraintsTest37EE.crt nameConstraintsURI2CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP}  NIST-Test.4.13.38 EE $NIST InvalidDNSnameConstraintsTest38EE.crt nameConstraintsDNS1CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain_partialchain ${LDAP}  NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain_partialchain ${LDAP}  NIST-Test.4.6.14 ENE $NIST ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt TrustAnchorRootCertificate.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain_partialchain ${LDAP}  NIST-Test.4.13.13 EE $NIST InvalidDNnameConstraintsTest13EE.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1subCA2Cert.crt nameConstraintsDN1CACert.crt TrustAnchorRootCertificate.crt
+pkixutil test_buildchain_partialchain ${LDAP}  NIST-Test.4.13.27 ENE $NIST ValidDNandRFC822nameConstraintsTest27EE.crt nameConstraintsDN1subCA3Cert.crt nameConstraintsDN1subCA2Cert.crt TrustAnchorRootCertificate.crt 
+pkixutil test_buildchain ${LDAP} NIST-PDTest ENE ${NIST_PDTEST} certs/BasicHTTPURIPathDiscoveryTest2EE.crt certs/BasicHTTPURITrustAnchorRootCert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test ENE ${HOSTDIR}/ocsp anchorcert.crt goodcert.crt
+pkixutil test_ocsp -d ${HOSTDIR}/ocsp OCSP-Test EE ${HOSTDIR}/ocsp anchorcert.crt revokedcert.crt
+EOF
+
+totalErrors=$?
+totalErrors=`expr ${totalErrors} + ${tracedErrors}`
+
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
+
+##########################################################
+#
+# Document NIST tests that are not currently running for builder...
+# 4.3.8  4.4.19  4.4.21
+#
+# Others
+# 4.5.4  4.5.5, 4.5.6, 4.5.7, 4.5.8
+# 4.14.* Distribution Point - functionality not yet implemented
+# 4.15.* Delta CRL - not supported
+##########################################################
+# Following tests are not run because of bugs beyond libpkix:
+#pkixutil test_validatechain NIST-Test.4.3.7 ENE $NIST TrustAnchorRootCertificate.crt RFC3280MandatoryAttributeTypesCACert.crt ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+# pkixutil test_buildchain NIST-Test.4.3.8 ENE $NIST ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt TrustAnchorRootCertificate.crt
+
+# Following tests are not supported by libpkix : separate certificate
+# NIST test 4.4.19 and 4.4.21
+
+# Following tests are not supported by libpkix : cert dp, cert chain definition
+# NIST tests 4.5.4, 4.5.5
+#pkixutil test_buildchain NIST-Test.4.5.7 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt TrustAnchorRootCertificate.crt BasicSelfIssuedCRLSigningKeyCACert.crt 
+#pkixutil test_buildchain NIST-Test.4.5.8 EE $NIST InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt TrustAnchorRootCertificate.crt 
+
+
+# Following tests are not supported by libpkix : self-issued, multiple keys, one for cert, one for CRL
+#pkixutil test_validatechain NIST-Test.4.5.3 ENE $NIST TrustAnchorRootCertificate.crt BasicSelfIssuedOldKeyCACert.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt ValidBasicSelfIssuedNewWithOldTest3EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.4 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedOldKeyCACert.crt $NIST/BasicSelfIssuedOldKeyNewWithOldCACert.crt $NIST/ValidBasicSelfIssuedNewWithOldTest4EE.crt
+#pkixutil test_defaultcrlchecker NIST-Test.4.5.6 ENE $NIST/../crls $NIST/TrustAnchorRootCertificate.crt $NIST/BasicSelfIssuedCRLSigningKeyCACert.crt $NIST/BasicSelfIssuedCRLSigningKeyCRLCert.crt $NIST/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+
+# Need to recreate certs with BC extension and Key Usage
+#pkixutil test_buildchain single_sig ENE build_data/single_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain single-sig EE build_data/single_path/signature/fail yassir2hanfei.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig ENE build_data/multi_path/signature/pass yassir2hanfei.crt greg2yassir.crt jes2greg.crt jes2jes.crt
+#pkixutil test_buildchain multi-sig EE build_data/multi_path/signature/fail yassir2hanfei.crt greg2yassir.crt yassir2hanfei.crt
+#pkixutil test_buildchain backtrack-sig ENE build_data/backtracking/signature yassir2hanfei.crt labs2yassir.crt jes2labs.crt jes2jes.crtn
diff --git a/security/nss/tests/libpkix/pkix_tests/top/secmod.db b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
new file mode 100644
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/top/secmod.db
diff --git a/security/nss/tests/libpkix/pkix_tests/util/runTests.sh b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
new file mode 100755
index 000000000..5d07ad4f9
--- /dev/null
+++ b/security/nss/tests/libpkix/pkix_tests/util/runTests.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh
+#
+
+curdir=`pwd`
+cd ../../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=UTIL
+
+##########
+# main
+##########
+
+ParseArgs $*
+
+RunTests <<EOF
+pkixutil test_error
+pkixutil test_list
+pkixutil test_list2
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;${testunit}: passed ${passed} of ${numtests} tests"
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/runTests.sh b/security/nss/tests/libpkix/runTests.sh
new file mode 100755
index 000000000..67c104a98
--- /dev/null
+++ b/security/nss/tests/libpkix/runTests.sh
@@ -0,0 +1,120 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runTests.sh#
+#
+# This script enables all tests to be run together. It simply cd's into
+# the pkix_tests and pkix_pl_tests directories and runs test scripts
+#
+# This test is the original of libpkix.sh. While libpkix.sh is invoked by
+# all.sh as a /bin/sh script, runTests.sh is a /bin/ksh and provides the
+# options of checking memory and using different memory allcation schemes.
+#
+
+errors=0
+pkixErrors=0
+pkixplErrors=0
+checkMemArg=""
+arenasArg=""
+quietArg=""
+memText=""
+
+### ParseArgs
+ParseArgs() # args
+{
+    while [ $# -gt 0 ]; do
+	if [ $1 = "-checkmem" ]; then
+	    checkMemArg=$1
+	    memText="   (Memory Checking Enabled)"
+	elif [ $1 = "-quiet" ]; then
+	    quietArg=$1
+	elif [ $1 = "-arenas" ]; then
+	    arenasArg=$1
+	fi
+	shift
+    done
+}
+
+ParseArgs $*
+
+echo "*******************************************************************************"
+echo "START OF ALL TESTS${memText}"
+echo "*******************************************************************************"
+echo ""
+
+echo "RUNNING tests in pkix_pl_test";
+cd pkix_pl_tests;
+runPLTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixplErrors=$?
+
+echo "RUNNING tests in pkix_test";
+cd ../pkix_tests;
+runTests.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixErrors=$?
+
+echo "RUNNING tests in sample_apps (performance)";
+cd ../sample_apps;
+runPerf.sh ${arenasArg} ${checkMemArg} ${quietArg}
+pkixPerfErrors=$?
+
+errors=`expr ${pkixplErrors} + ${pkixErrors} + ${pkixPerfErrors}`
+
+if [ ${errors} -eq 0 ]; then
+    echo ""
+    echo "************************************************************"
+    echo "END OF ALL TESTS: ALL TESTS COMPLETED SUCCESSFULLY"
+    echo "************************************************************"
+    exit 0
+fi
+
+if [ ${errors} -eq 1 ]; then
+    plural=""
+else
+    plural="S"
+fi
+
+echo ""
+echo "************************************************************"
+echo "END OF ALL TESTS: ${errors} TEST${plural} FAILED"
+echo "************************************************************"
+exit 1
+
+
+
+
diff --git a/security/nss/tests/libpkix/sample_apps/README b/security/nss/tests/libpkix/sample_apps/README
new file mode 100755
index 000000000..266b2ba53
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/README
@@ -0,0 +1,110 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+This directory contains both sample applications and performance evaluation
+applications.
+
+SAMPLE APPLICATIONS
+
+Currently, there are two performance applications: libpkix_buildThreads and
+nss_threads. And three sample applications: dumpcert, dumpcrl and 
+validateChain..
+
+============================================================================
+
+USAGE: 	dumpcert <certFile>
+	Parses a certificate located at <certFile> and displays it.
+
+Source: <root>/tests/sample_apps/dumpcert.c
+Binary: <root>/bin/sample_apps/dumpcert
+
+============================================================================
+
+USAGE: 	dumpcrl <crlFile>
+	Parses a CRL located at <crlFile> and displays it.
+
+Source: <root>/tests/sample_apps/dumpcrl.c
+Binary: <root>/bin/sample_apps/dumpcrl
+
+============================================================================
+
+USAGE: 	validateChain <trustedCert> <cert_1> <cert_2> ... <cert_n>
+	Validates a chain of n certificates using the given trust anchor.
+
+Source: <root>/tests/sample_apps/validateChain.c
+Binary: <root>/bin/sample_apps/validateChain
+
+============================================================================
+
+PERFORMANCE EVALUATION APPLICATIONS
+
+============================================================================
+
+USAGE:  libpkix_buildthreads <duration> <threads> <eecertNickname> 
+
+	Sets up and runs a PKIX_BuildChain call for the number of seconds
+	specified by <duration> using the number of threads specified by
+	<threads>. This application assumes that the NSS certutil application
+	has already been run to create the NSS databases and that the
+	various nicknames on the command line have been associated with
+	certificates in the NSS databases. The NSS databases MUST reside
+	in the directory where this file is located and MUST be named
+	"cert8.db", "key3.db", and "secmod.db". There must exist a nickname
+        in the databases which has been marked as trusted.
+
+Source: <root>/perf/libpkix_buildthreads/libpkix_buildthreads.c
+Binary: <root>/perf/libpkix_buildthreads/*.OBJ/libpkix_buildthreads
+
+============================================================================
+
+USAGE:  nssThreads <duration> <threads> <eecertNickname>
+
+	Sets up and runs a CERT_VerifyCertificate call for the number of
+	seconds specified by <duration> using the number of threads specified
+	by <threads>. This application assumes that the NSS certutil
+	application has already been run to create the NSS databases and that
+	the various nicknames on the command line have been associated with
+	certificates in the NSS databases. The NSS databases MUST reside
+	in the directory where this file is located and MUST be named
+	"cert8.db", "key3.db", and "secmod.db". There must exist a nickname in
+	the databases which has been marked as trusted.
+
+Source: <root>/perf/nss_threads/nss_threads.c
+Binary: <root>/perf/nss_threads/*.OBJ/nss_threads
+
+============================================================================
+
diff --git a/security/nss/tests/libpkix/sample_apps/cert8.db b/security/nss/tests/libpkix/sample_apps/cert8.db
new file mode 100755
index 000000000..b39de42f1
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/cert8.db
diff --git a/security/nss/tests/libpkix/sample_apps/key3.db b/security/nss/tests/libpkix/sample_apps/key3.db
new file mode 100755
index 000000000..9c03916ee
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/key3.db
diff --git a/security/nss/tests/libpkix/sample_apps/runPerf.sh b/security/nss/tests/libpkix/sample_apps/runPerf.sh
new file mode 100755
index 000000000..38e1d00a2
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/runPerf.sh
@@ -0,0 +1,176 @@
+#!/bin/sh
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the PKIX-C library.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are
+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+#
+# Contributor(s):
+#   Sun Microsystems, Inc.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+#
+# runPerf.sh
+#
+
+curdir=`pwd`
+cd ../common
+. ./libpkix_init.sh > /dev/null
+cd ${curdir}
+
+numtests=0
+passed=0
+testunit=PERFORMANCE
+
+totalErrors=0
+loopErrors=0
+
+ParseArgs $*
+
+testHeadingEcho
+
+Display "\nRunning executables at ${DIST_BIN}"
+Display "Using libraries at ${LD_LIBRARY_PATH}"
+
+
+# Check the performance data ...
+perfTest()
+{
+
+    Display ""
+    Display "*******************************************************************************"
+    Display "START OF PKIX PERFORMANCE SCENARIOS ${memText}"
+Display "*******************************************************************************"
+    Display ""
+
+    while read perfPgm args; do
+        numtests=`expr ${numtests} + 1`
+        Display "Running ${perfPgm} ${args}"
+        if [ ${checkmem} -eq 1 ]; then
+            dbx -C -c "runargs $args; check -all ;run;exit" ${DIST_BIN}/${perfPgm} > ${testOut} 2>&1
+        else
+            ${DIST_BIN}/${perfPgm} ${args} > ${testOut} 2>&1
+        fi
+
+        # Examine output file to see if test failed and keep track of number
+        # of failures and names of failed tests. This assumes that the test
+        # uses our utility library for displaying information
+	
+        outputCount=`cat ${testOut} | grep "per second"`
+
+        if [ $? -ne 0 ]; then
+            errors=`expr ${errors} + 1`
+            failedpgms="${failedpgms}${perfPgm} ${args}\n"
+            cat ${testOut}
+        else
+            Display ${outputCount}
+            passed=`expr ${passed} + 1`
+        fi
+
+        if [ ${checkmem} -eq 1 ]; then
+            grep "(actual leaks:" ${testOut} > ${testOutMem} 2>&1
+            if [ $? -ne 0 ]; then
+                prematureErrors=`expr ${prematureErrors} + 1`
+                failedprematurepgms="${failedprematurepgms}${perfPgm} "
+                Display "...program terminated prematurely (unable to check for memory leak errors) ..."
+            else
+                grep  "(actual leaks:         1  total size:       4 bytes)" ${testOut} > /dev/null 2>&1
+                if [ $? -ne 0 ]; then
+                    memErrors=`expr ${memErrors} + 1`
+                    failedmempgms="${failedmempgms}${perfPgm} "
+                    Display ${testOutMem}
+                fi
+            fi
+        fi
+    done
+    return ${errors}
+}
+
+
+# If there is race condition bug, may this test catch it...
+loopTest()
+{
+    totalLoop=10
+
+    Display ""
+    Display "*******************************************************************************"
+    Display "START OF TESTS FOR PKIX PERFORMANCE SANITY LOOP (${totalLoop} times)"
+Display "*******************************************************************************"
+    Display ""
+
+    errors=0
+    iLoop=0
+    perfPgm="${DIST_BIN}/pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE"
+
+    while [ $iLoop -lt $totalLoop ]
+    do
+        iLoop=`expr $iLoop + 1`
+        numtests=`expr ${numtests} + 1`
+
+        Display "Running ${perfPgm}"
+        ${perfPgm} > ${testOut} 2>&1
+        Display `cat ${testOut} | grep "per second"`
+
+        outputCount=`cat ${testOut} | grep "per second"`
+
+        if [ $? -ne 0 ]; then
+            errors=`expr ${errors} + 1`
+            failedpgms="${failedpgms} ${perfPgm}\n"
+            cat ${testOut}
+        else
+            passed=`expr ${passed} + 1`
+        fi
+    done
+
+    return ${errors}
+
+}
+
+#main
+perfTest <<EOF
+pkixutil libpkix_buildthreads -d . 5 1 ValidCertificatePathTest1EE
+pkixutil libpkix_buildthreads -d . 5 8 ValidCertificatePathTest1EE
+pkixutil nss_threads -d . 5 1 ValidCertificatePathTest1EE
+pkixutil nss_threads -d . 5 8 ValidCertificatePathTest1EE
+EOF
+
+totalErrors=$?
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;performance test: passed ${passed} of ${numtests} tests"
+
+numtests=0
+passed=0
+loopTest
+loopErrors=$?
+totalErrors=`expr ${totalErrors} + ${loopErrors}`
+html_msg ${totalErrors} 0 "&nbsp;&nbsp;&nbsp;loop test: passed ${passed} of ${numtests} tests"
+
+testEndingEcho
+
+exit ${totalErrors}
diff --git a/security/nss/tests/libpkix/sample_apps/secmod.db b/security/nss/tests/libpkix/sample_apps/secmod.db
new file mode 100755
index 000000000..772583d58
--- /dev/null
+++ b/security/nss/tests/libpkix/sample_apps/secmod.db
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
new file mode 100644
index 000000000..ff282221a
--- /dev/null
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -0,0 +1,4 @@
+# Status | Leaf Cert | Policies | Others(undef)
+0 TestUser50 undef
+0 TestUser51 undef
+0 PayPalEE OID.2.16.840.1.113733.1.7.23.6
diff --git a/security/nss/tests/memleak/ignored b/security/nss/tests/memleak/ignored
new file mode 100644
index 000000000..2ded24a39
--- /dev/null
+++ b/security/nss/tests/memleak/ignored
@@ -0,0 +1,39 @@
+#367374
+**/PR_ErrorInstallTable**
+**/_PR_ImplicitInitialization/**
+**/_PR_InitCMon/ExpandMonitorCache/**
+**/_PR_InitCMon/PR_NewLock/**
+**/_PR_InitLinker/**
+**/_PR_InitTPD/**
+**/_PR_InitZones/pr_FindSymbolInProg/**
+**/_PR_UnixInit/PR_NewLock/**
+**/_PR_UnixInit/PR_NewMonitor/**
+
+#367376
+**/_PR_CreateThread/pthread_create@@GLIBC_2.1/**
+
+#367384
+**/PR_LoadLibraryWithFlags/**
+**/pr_LoadLibraryByPathname/**
+**/PR_LoadLibrary/**
+
+#393181
+ocspclnt/main/CERT_SetOCSPDefaultResponder/**
+
+#397483
+**/PR_CallOnce/InitializeArenas/PR_NewLock/**
+
+#397487
+**/__rpc_getconfip/setnetconfig/**
+
+#401072
+**/sftkdb_ReadSecmodDB/sftk_getOldSecmodName/**
+**/sftkdb_ReadSecmodDB/PR_smprintf/**
+
+#401100
+**/testThreadLockingBehavior/pthread_create@@GLIBC_2.1/**
+**/findLockInfo/pthread_create@@GLIBC_2.1/**
+
+#418365
+#selfserv/main/PR_NewTCPSocket/**
+
diff --git a/security/nss/tests/memleak/memleak.sh b/security/nss/tests/memleak/memleak.sh
new file mode 100644
index 000000000..4a3555e7a
--- /dev/null
+++ b/security/nss/tests/memleak/memleak.sh
@@ -0,0 +1,895 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Network Security Services (NSS)
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc.
+# Portions created by the Initial Developer are Copyright (C) 2006-2007
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/memleak/memleak.sh
+#
+# Script to test memory leaks in NSS
+#
+# needs to work on Solaris and Linux platforms, on others just print a message
+# that OS is not supported
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################# memleak_init #############################
+# local shell function to initialize this script 
+########################################################################
+memleak_init()
+{
+	if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+		cd ../common
+		. ./init.sh
+	fi
+	
+	if [ ! -r ${CERT_LOG_FILE} ]; then
+		cd ${QADIR}/cert
+		. ./cert.sh
+	fi
+
+	SCRIPTNAME="memleak.sh"
+	if [ -z "${CLEANUP}" ] ; then
+		CLEANUP="${SCRIPTNAME}"
+	fi
+
+	NSS_DISABLE_ARENA_FREE_LIST="1"
+	export NSS_DISABLE_ARENA_FREE_LIST
+	
+	OLD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+	TMP_LIBDIR="${HOSTDIR}/tmp$$"
+	TMP_STACKS="${HOSTDIR}/stacks$$"
+	TMP_SORTED="${HOSTDIR}/sorted$$"
+	TMP_COUNT="${HOSTDIR}/count$$"
+	TMP_DBX="${HOSTDIR}/dbx$$"
+	
+	PORT=${PORT:-8443}
+	
+	MODE_LIST="NORMAL BYPASS FIPS"	
+	
+	SERVER_DB="${HOSTDIR}/server_memleak"
+	CLIENT_DB="${HOSTDIR}/client_memleak"
+	cp -r ${HOSTDIR}/server ${SERVER_DB}
+	cp -r ${HOSTDIR}/client ${CLIENT_DB}
+	
+	LOGDIR="${HOSTDIR}/memleak_logs"
+	mkdir -p ${LOGDIR}
+
+	FOUNDLEAKS="${LOGDIR}/foundleaks"
+	
+	REQUEST_FILE="${QADIR}/memleak/sslreq.dat"
+	IGNORED_STACKS="${QADIR}/memleak/ignored"
+	
+	gline=`echo ${OBJDIR} | grep "_64_"`
+	if [ -n "${gline}" ] ; then
+		BIT_NAME="64"
+	else
+		BIT_NAME="32"
+	fi
+		
+	case "${OS_NAME}" in
+	"SunOS")
+		DBX=`which dbx`
+		AWK=nawk
+		
+		if [ $? -eq 0 ] ; then
+			echo "${SCRIPTNAME}: DBX found: ${DBX}"
+		else
+			echo "${SCRIPTNAME}: DBX not found, skipping memory leak checking."
+			exit 0
+		fi
+		
+		PROC_ARCH=`uname -p`
+				
+		if [ "${PROC_ARCH}" = "sparc" ] ; then
+			if [ "${BIT_NAME}" = "64" ] ; then
+				FREEBL_DEFAULT="libfreebl_64fpu_3"
+				FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_64int_3"
+			else
+				FREEBL_DEFAULT="libfreebl_32fpu_3"
+				FREEBL_LIST="${FREEBL_DEFAULT} libfreebl_32int_3 libfreebl_32int64_3"
+			fi
+		else
+			if [ "${BIT_NAME}" = "64" ] ; then
+				echo "${SCRIPTNAME}: OS not supported for memory leak checking."
+				exit 0
+			fi
+			
+			FREEBL_DEFAULT="libfreebl_3"
+			FREEBL_LIST="${FREEBL_DEFAULT}"
+		fi
+		
+		RUN_COMMAND_DBG="run_command_dbx"
+		PARSE_LOGFILE="parse_logfile_dbx"
+		;;
+	"Linux")
+		VALGRIND=`which valgrind`
+		AWK=awk
+		
+		if [ $? -eq 0 ] ; then
+			echo "${SCRIPTNAME}: Valgrind found: ${VALGRIND}"
+		else
+			echo "${SCRIPTNAME}: Valgrind not found, skipping memory leak checking."
+			exit 0
+		fi
+
+		if [ "${BIT_NAME}" = "64" ] ; then
+			echo "${SCRIPTNAME}: OS not supported for memory leak checking."
+			exit 0
+		fi
+		
+		FREEBL_DEFAULT="libfreebl_3"
+		FREEBL_LIST="${FREEBL_DEFAULT}"
+				
+		RUN_COMMAND_DBG="run_command_valgrind"
+		PARSE_LOGFILE="parse_logfile_valgrind"
+		;;
+	*)
+		echo "${SCRIPTNAME}: OS not supported for memory leak checking."
+		exit 0
+		;;
+	esac
+
+	if [ "${BUILD_OPT}" = "1" ] ; then
+		OPT="OPT"
+	else 
+		OPT="DBG"
+	fi
+
+	NSS_DISABLE_UNLOAD="1"
+	export NSS_DISABLE_UNLOAD
+
+	SELFSERV_ATTR="-D -p ${PORT} -d ${SERVER_DB} -n ${HOSTADDR} -e ${HOSTADDR}-ec -w nss -c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014cdefgijklmnvyz -t 5"
+	TSTCLNT_ATTR="-p ${PORT} -h ${HOSTADDR} -c j -f -d ${CLIENT_DB} -w nss -o"
+	STRSCLNT_ATTR="-q -p ${PORT} -d ${CLIENT_DB} -w nss -c 1000 -n TestUser ${HOSTADDR}"
+
+	tbytes=0
+	tblocks=0
+	truns=0
+	
+	MEMLEAK_DBG=1
+	export MEMLEAK_DBG
+}
+
+########################### memleak_cleanup ############################
+# local shell function to clean up after this script 
+########################################################################
+memleak_cleanup()
+{
+	unset MEMLEAK_DBG
+	unset NSS_DISABLE_UNLOAD
+	
+	. ${QADIR}/common/cleanup.sh
+}
+
+############################ set_test_mode #############################
+# local shell function to set testing mode for server and for client
+########################################################################
+set_test_mode()
+{
+	if [ "${server_mode}" = "BYPASS" ] ; then
+		echo "${SCRIPTNAME}: BYPASS is ON"
+		SERVER_OPTION="-B -s"
+		CLIENT_OPTION=""
+	elif [ "${client_mode}" = "BYPASS" ] ; then
+		echo "${SCRIPTNAME}: BYPASS is ON"
+		SERVER_OPTION=""
+		CLIENT_OPTION="-B -s"
+	else
+		echo "${SCRIPTNAME}: BYPASS is OFF"
+		SERVER_OPTION=""
+		CLIENT_OPTION=""
+	fi
+	
+	if [ "${server_mode}" = "FIPS" ] ; then
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -fips true -force
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+		
+		echo "${SCRIPTNAME}: FIPS is ON"
+		cipher_list="c d e i j k n v y z"
+	elif [ "${client_mode}" = "FIPS" ] ; then
+		
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips true -force
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+		
+		echo "${SCRIPTNAME}: FIPS is ON"
+		cipher_list="c d e i j k n v y z"
+	else
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force
+		${BINDIR}/modutil -dbdir ${SERVER_DB} -list
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force
+		${BINDIR}/modutil -dbdir ${CLIENT_DB} -list
+		
+		echo "${SCRIPTNAME}: FIPS is OFF"
+		cipher_list="A B C D E F :C001 :C002 :C003 :C004 :C005 :C006 :C007 :C008 :C009 :C00A :C010 :C011 :C012 :C013 :C014 c d e f g i j k l m n v y z"
+	fi
+}
+
+############################## set_freebl ##############################
+# local shell function to set freebl - sets temporary path for libraries
+########################################################################
+set_freebl()
+{
+	if [ "${freebl}" = "${FREEBL_DEFAULT}" ] ; then
+		LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}"
+		export LD_LIBRARY_PATH
+	else
+		if [ -d "${TMP_LIBDIR}" ] ; then
+			rm -rf ${TMP_LIBDIR}
+		fi
+
+		mkdir ${TMP_LIBDIR}
+		[ $? -ne 0 ] && html_failed "Create temp directory" && return 1
+
+		cp ${DIST}/${OBJDIR}/lib/*.so ${DIST}/${OBJDIR}/lib/*.chk ${TMP_LIBDIR}
+		[ $? -ne 0 ] && html_failed "Copy libraries to temp directory" && return 1
+		
+		echo "${SCRIPTNAME}: Using ${freebl} instead of ${FREEBL_DEFAULT}"
+
+		mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so.orig
+		[ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.so -> ${FREEBL_DEFAULT}.so.orig" && return 1
+
+		cp ${TMP_LIBDIR}/${freebl}.so ${TMP_LIBDIR}/${FREEBL_DEFAULT}.so
+		[ $? -ne 0 ] && html_failed "Copy ${freebl}.so -> ${FREEBL_DEFAULT}.so" && return 1
+
+		mv ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk.orig
+		[ $? -ne 0 ] && html_failed "Move ${FREEBL_DEFAULT}.chk -> ${FREEBL_DEFAULT}.chk.orig" && return 1
+
+		cp ${TMP_LIBDIR}/${freebl}.chk ${TMP_LIBDIR}/${FREEBL_DEFAULT}.chk
+		[ $? -ne 0 ] && html_failed "Copy ${freebl}.chk to temp directory" && return 1
+
+		echo "ls -l ${TMP_LIBDIR}"
+		ls -l ${TMP_LIBDIR}
+
+		LD_LIBRARY_PATH="${TMP_LIBDIR}"
+		export LD_LIBRARY_PATH
+	fi
+
+	return 0
+}
+
+############################# clear_freebl #############################
+# local shell function to set default library path and clear temporary 
+# directory for libraries created by function set_freebl 
+########################################################################
+clear_freebl()
+{
+	LD_LIBRARY_PATH="${OLD_LIBRARY_PATH}"
+	export LD_LIBRARY_PATH
+
+	if [ -d "${TMP_LIBDIR}" ] ; then
+		rm -rf ${TMP_LIBDIR}
+	fi
+}
+
+############################ run_command_dbx ###########################
+# local shell function to run command under dbx tool
+########################################################################
+run_command_dbx()
+{
+	COMMAND=$1
+	shift
+	ATTR=$*
+
+	COMMAND=`which ${COMMAND}`
+	DBX_CMD="dbxenv follow_fork_mode parent
+dbxenv rtc_mel_at_exit verbose
+dbxenv rtc_biu_at_exit verbose
+check -memuse -match 16 -frames 16
+run ${ATTR}
+"
+
+	echo "${SCRIPTNAME}: -------- Running ${COMMAND} under DBX:"
+	echo "${DBX} ${COMMAND}"
+	echo "${SCRIPTNAME}: -------- DBX commands:"
+	echo "${DBX_CMD}"
+	
+	echo "${DBX_CMD}" | ${DBX} ${COMMAND} 2>/dev/null | grep -v Reading > ${TMP_DBX}
+	cat ${TMP_DBX} 1>&2
+	
+	grep "exit code is 0" ${TMP_DBX}
+	return $?
+}
+
+######################### run_command_valgrind #########################
+# local shell function to run command under valgrind tool
+########################################################################
+run_command_valgrind()
+{
+	COMMAND=$1
+	shift
+	ATTR=$*
+	
+	echo "${SCRIPTNAME}: -------- Running ${COMMAND} under Valgrind:"
+	echo "${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR}"
+	echo "Running: ${COMMAND} ${ATTR}" 1>&2
+	${VALGRIND} --tool=memcheck --leak-check=yes --show-reachable=yes --partial-loads-ok=yes --leak-resolution=high --num-callers=50 ${COMMAND} ${ATTR} 1>&2
+	ret=$?
+	echo "==0=="
+	
+	return $ret
+}
+
+############################# run_selfserv #############################
+# local shell function to start selfserv
+########################################################################
+run_selfserv()
+{
+	echo "PATH=${PATH}"
+	echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"
+	echo "${SCRIPTNAME}: -------- Running selfserv:"
+	echo "selfserv ${SELFSERV_ATTR}"
+	${BINDIR}/selfserv ${SELFSERV_ATTR}
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		html_failed "${LOGNAME}: Selfserv"
+		echo "${SCRIPTNAME} ${LOGNAME}: " \
+			"Selfserv produced a returncode of ${ret} - FAILED"
+	fi
+}
+
+########################### run_selfserv_dbg ###########################
+# local shell function to start selfserv under debug tool
+########################################################################
+run_selfserv_dbg()
+{
+	echo "PATH=${PATH}"
+	echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"
+	${RUN_COMMAND_DBG} ${BINDIR}/selfserv ${SERVER_OPTION} ${SELFSERV_ATTR}
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		html_failed "${LOGNAME}: Selfserv"
+		echo "${SCRIPTNAME} ${LOGNAME}: " \
+			"Selfserv produced a returncode of ${ret} - FAILED"
+	fi
+}
+
+############################# run_strsclnt #############################
+# local shell function to run strsclnt for all ciphers and send stop
+# command to selfserv over tstclnt
+########################################################################
+run_strsclnt()
+{
+	for cipher in ${cipher_list}; do
+		ATTR="${STRSCLNT_ATTR} -C ${cipher}"
+		echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:"
+		echo "strsclnt ${ATTR}"
+		${BINDIR}/strsclnt ${ATTR}
+		ret=$?
+		if [ $ret -ne 0 ]; then
+			html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}"
+			echo "${SCRIPTNAME} ${LOGNAME}: " \
+				"Strsclnt produced a returncode of ${ret} - FAILED"
+		fi
+	done
+	
+	echo "${SCRIPTNAME}: -------- Stopping server:"
+	echo "tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}"
+	${BINDIR}/tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		html_failed "${LOGNAME}: Tstclnt"
+		echo "${SCRIPTNAME} ${LOGNAME}: " \
+			"Tstclnt produced a returncode of ${ret} - FAILED"
+	fi
+}
+
+########################### run_strsclnt_dbg ###########################
+# local shell function to run strsclnt under debug tool for all ciphers 
+# and send stop command to selfserv over tstclnt
+########################################################################
+run_strsclnt_dbg()
+{
+	for cipher in ${cipher_list}; do
+		ATTR="${STRSCLNT_ATTR} -C ${cipher}"
+		${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR}
+		ret=$?
+		if [ $ret -ne 0 ]; then
+			html_failed "${LOGNAME}: Strsclnt with cipher ${cipher}"
+			echo "${SCRIPTNAME} ${LOGNAME}: " \
+				"Strsclnt produced a returncode of ${ret} - FAILED"
+		fi
+	done
+	
+	echo "${SCRIPTNAME}: -------- Stopping server:"
+	echo "tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}"
+	${BINDIR}/tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}
+	ret=$?
+	if [ $ret -ne 0 ]; then
+		html_failed "${LOGNAME}: Tstclnt"
+		echo "${SCRIPTNAME} ${LOGNAME}: " \
+			"Tstclnt produced a returncode of ${ret} - FAILED"
+	fi
+}
+
+stat_clear()
+{
+	stat_minbytes=9999999
+	stat_maxbytes=0
+	stat_minblocks=9999999
+	stat_maxblocks=0
+	stat_bytes=0
+	stat_blocks=0
+	stat_runs=0
+}
+
+stat_add()
+{
+	read hash lbytes bytes_str lblocks blocks_str in_str lruns runs_str \
+		minbytes minbytes_str maxbytes maxbytes_str minblocks \
+		minblocks_str maxblocks maxblocks_str rest < ${TMP_COUNT} 
+	rm ${TMP_COUNT}
+	
+	tbytes=`expr ${tbytes} + ${lbytes}`
+	tblocks=`expr ${tblocks} + ${lblocks}`
+	truns=`expr ${truns} + ${lruns}`
+	
+	if [ ${stat_minbytes} -gt ${minbytes} ]; then
+		stat_minbytes=${minbytes}
+	fi
+			
+	if [ ${stat_maxbytes} -lt ${maxbytes} ]; then
+		stat_maxbytes=${maxbytes}
+	fi
+			
+	if [ ${stat_minblocks} -gt ${minblocks} ]; then
+		stat_minblocks=${minblocks}
+	fi
+			
+	if [ ${stat_maxblocks} -lt ${maxblocks} ]; then
+		stat_maxblocks=${maxblocks}
+	fi
+			
+	stat_bytes=`expr ${stat_bytes} + ${lbytes}`
+	stat_blocks=`expr ${stat_blocks} + ${lblocks}`
+	stat_runs=`expr ${stat_runs} + ${lruns}`
+}
+
+stat_print()
+{
+	if [ ${stat_runs} -gt 0 ]; then
+		stat_avgbytes=`expr "${stat_bytes}" / "${stat_runs}"`
+		stat_avgblocks=`expr "${stat_blocks}" / "${stat_runs}"`
+		
+		echo
+		echo "$1 statistics:"
+		echo "Leaked bytes: ${stat_minbytes} min, ${stat_avgbytes} avg, ${stat_maxbytes} max"
+		echo "Leaked blocks: ${stat_minblocks} min, ${stat_avgblocks} avg, ${stat_maxblocks} max"
+		echo "Total runs: ${stat_runs}"
+		echo
+	fi
+}
+
+########################## run_ciphers_server ##########################
+# local shell function to test server part of code (selfserv)
+########################################################################
+run_ciphers_server()
+{
+	html_head "Memory leak checking - server"
+	
+	stat_clear
+	
+	client_mode="NORMAL"	
+	for server_mode in ${MODE_LIST}; do
+		set_test_mode
+		
+		for freebl in ${FREEBL_LIST}; do
+			set_freebl || continue
+			
+			LOGNAME=server-${BIT_NAME}-${freebl}-${server_mode}
+			LOGFILE=${LOGDIR}/${LOGNAME}.log
+			echo "Running ${LOGNAME}"
+			
+			run_selfserv_dbg 2>> ${LOGFILE} &
+			sleep 5
+			run_strsclnt
+			
+			sleep 20
+			clear_freebl
+			
+			log_parse
+			ret=$?
+			
+			html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0"
+		done
+	done
+	
+	stat_print "Selfserv"
+	
+	html "</TABLE><BR>"
+}
+
+########################## run_ciphers_client ##########################
+# local shell function to test client part of code (strsclnt)
+########################################################################
+run_ciphers_client()
+{
+	html_head "Memory leak checking - client"
+	
+	stat_clear
+	
+	server_mode="NORMAL"
+	for client_mode in ${MODE_LIST}; do
+		set_test_mode
+		
+		for freebl in ${FREEBL_LIST}; do
+			set_freebl || continue
+			
+			LOGNAME=client-${BIT_NAME}-${freebl}-${client_mode}
+			LOGFILE=${LOGDIR}/${LOGNAME}.log
+			echo "Running ${LOGNAME}"
+			
+			run_selfserv &
+			sleep 5
+			run_strsclnt_dbg 2>> ${LOGFILE}
+			
+			sleep 20
+			clear_freebl
+			
+			log_parse
+			ret=$?
+			html_msg ${ret} 0 "${LOGNAME}" "produced a returncode of $ret, expected is 0"
+		done
+	done
+	
+	stat_print "Strsclnt"
+	
+	html "</TABLE><BR>"
+}
+
+########################## parse_logfile_dbx ###########################
+# local shell function to parse and process logs from dbx
+########################################################################
+parse_logfile_dbx()
+{
+	${AWK} '
+	BEGIN {
+		in_mel = 0
+		mel_line = 0
+		bytes = 0
+		lbytes = 0
+		minbytes = 9999999
+		maxbytes = 0
+		blocks = 0
+		lblocks = 0
+		minblocks = 9999999
+		maxblocks = 0
+		runs = 0
+		stack_string = ""
+		bin_name = ""
+	}
+	/Memory Leak \(mel\):/ ||
+	/Possible memory leak -- address in block \(aib\):/ ||
+	/Block in use \(biu\):/ {
+		in_mel = 1
+		stack_string = ""
+		next
+	}
+	in_mel == 1 && /^$/ {
+		print bin_name stack_string
+		in_mel = 0
+		mel_line = 0
+		next
+	}
+	in_mel == 1 {
+		mel_line += 1
+	}
+	/Found leaked block of size/ {
+		bytes += $6
+		blocks += 1
+		next
+	}
+	/Found .* leaked blocks/ {
+		bytes += $8
+		blocks += $2
+		next
+	}
+	/Found block of size/ {
+		bytes += $5
+		blocks += 1
+		next
+	}
+	/Found .* blocks totaling/ {
+		bytes += $5
+		blocks += $2
+		next
+	}
+	mel_line > 2 {
+		gsub(/\(\)/, "")
+		new_line = $2
+		stack_string = "/" new_line stack_string
+		next
+	}
+	/^Running: / {
+		bin_name = $2
+		next
+	}
+	/execution completed/ {
+		runs += 1
+		lbytes += bytes
+		minbytes = (minbytes < bytes) ? minbytes : bytes
+		maxbytes = (maxbytes > bytes) ? maxbytes : bytes
+		bytes = 0
+		lblocks += blocks
+		minblocks = (minblocks < blocks) ? minblocks : blocks
+		maxblocks = (maxblocks > blocks) ? maxblocks : blocks
+		blocks = 0
+		next
+	}
+	END {
+		print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \
+		minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \
+		maxblocks " maxblocks " > "/dev/stderr"
+	}' 2> ${TMP_COUNT}
+	
+	stat_add
+}
+
+######################## parse_logfile_valgrind ########################
+# local shell function to parse and process logs from valgrind
+########################################################################
+parse_logfile_valgrind()
+{
+	${AWK} '
+	BEGIN {
+		in_mel = 0
+		in_sum = 0
+		bytes = 0
+		lbytes = 0
+		minbytes = 9999999
+		maxbytes = 0
+		blocks = 0
+		lblocks = 0
+		minblocks = 9999999
+		maxblocks = 0
+		runs = 0
+		stack_string = ""
+		bin_name = "" 
+	}
+	!/==[0-9]*==/ { 
+		if ( $1 == "Running:" ) 
+			bin_name = $2
+			bin_nf = split(bin_name, bin_fields, "/")
+			bin_name = bin_fields[bin_nf]
+		next
+	}
+	/blocks are/ {
+		in_mel = 1
+		stack_string = ""
+		next
+	}
+	/LEAK SUMMARY/ {
+		in_sum = 1
+		next
+	}
+	/^==[0-9]*== *$/ { 
+		if (in_mel)
+			print bin_name stack_string
+		if (in_sum) {
+			runs += 1
+			lbytes += bytes
+			minbytes = (minbytes < bytes) ? minbytes : bytes
+			maxbytes = (maxbytes > bytes) ? maxbytes : bytes
+			bytes = 0
+			lblocks += blocks
+			minblocks = (minblocks < blocks) ? minblocks : blocks
+			maxblocks = (maxblocks > blocks) ? maxblocks : blocks
+			blocks = 0
+		}
+		in_sum = 0
+		in_mel = 0
+		next
+	}
+	in_mel == 1 {	
+		new_line = $4
+		if ( new_line == "(within")
+			new_line = "*"
+		stack_string = "/" new_line stack_string
+	}
+	in_sum == 1 {
+		for (i = 2; i <= NF; i++) {
+			if ($i == "bytes") {
+				str = $(i - 1)
+				gsub(",", "", str)
+				bytes += str
+			}
+			if ($i == "blocks.") {
+				str = $(i - 1)
+				gsub(",", "", str)
+				blocks += str
+			}
+		}
+	}
+	END {
+		print "# " lbytes " bytes " lblocks " blocks in " runs " runs " \
+		minbytes " minbytes " maxbytes " maxbytes " minblocks " minblocks " \
+		maxblocks " maxblocks " > "/dev/stderr"
+	}' 2> ${TMP_COUNT}
+	
+	stat_add
+}
+
+############################# check_ignored ############################
+# local shell function to check all stacks if they are not ignored
+########################################################################
+check_ignored()
+{
+	${AWK} -F/ '
+	BEGIN {
+		ignore = "'${IGNORED_STACKS}'"
+		# read in the ignore file
+		BUGNUM = ""
+		count = 0
+		new = 0
+		while ((getline line < ignore) > 0)  {
+			if (line ~ "^#[0-9]+") {
+				BUGNUM = line
+			} else if (line ~ "^#") {
+				continue
+			} else if (line == "") {
+				continue
+			} else {
+				bugnum_array[count] = BUGNUM
+				# Create a regular expression for the ignored stack:
+				# replace * with % so we can later replace them with regular expressions
+				# without messing up everything (the regular expressions contain *)
+				gsub("\\*", "%", line)
+				# replace %% with .*
+				gsub("%%", ".*", line)
+				# replace % with [^/]*
+				gsub("%", "[^/]*", line)
+				# add ^ at the beginning
+				# add $ at the end
+				line_array[count] = "^" line "$"
+				count++
+			}
+		}
+	}
+	{
+		match_found = 0
+		# Look for matching ignored stack
+		for (i = 0; i < count; i++) {
+			if ($0 ~ line_array[i]) {
+				# found a match
+				match_found = 1
+				bug_found = bugnum_array[i]
+				break
+			}
+		}
+		# Process result
+		if (match_found == 1 ) {
+				if (bug_found != "") {
+					print "IGNORED STACK (" bug_found "): " $0
+				} else {
+					print "IGNORED STACK: " $0
+				}
+		} else {
+				print "NEW STACK: " $0
+				new = 1
+		}
+	}
+	END {
+		exit new
+	}'
+	ret=$?
+	return $ret
+}
+
+############################### parse_log ##############################
+# local shell function to parse log file
+########################################################################
+log_parse()
+{
+	${PARSE_LOGFILE} < ${LOGFILE} > ${TMP_STACKS}
+	echo "${SCRIPTNAME}: Processing log ${LOGNAME}:" > ${TMP_SORTED}
+	cat ${TMP_STACKS} | sort -u | check_ignored >> ${TMP_SORTED}
+	ret=$?
+	echo >> ${TMP_SORTED}
+	
+	cat ${TMP_SORTED} | tee -a ${FOUNDLEAKS}
+	rm ${TMP_STACKS} ${TMP_SORTED}
+	
+	return ${ret}
+}
+
+############################## cnt_total ###############################
+# local shell function to count total leaked bytes
+########################################################################
+cnt_total()
+{
+	echo ""
+	echo "TinderboxPrint:${OPT} Lk bytes: ${tbytes}"
+	echo "TinderboxPrint:${OPT} Lk blocks: ${tblocks}"
+	echo "TinderboxPrint:${OPT} # of runs: ${truns}"
+	echo ""
+}
+
+############################### run_ocsp ###############################
+# local shell function to run ocsp tests
+########################################################################
+run_ocsp()
+{
+	stat_clear
+	
+	cd ${QADIR}/iopr
+	. ./ocsp_iopr.sh
+	ocsp_iopr_run
+	
+	stat_print "Ocspclnt"
+}
+
+############################### run_pkix ###############################
+# local shell function to run ocsp tests
+########################################################################
+run_pkix()
+{
+         [ -z "$PKIX_OBJECT_LEAK_TEST" ] && return
+	stat_clear
+	
+	cd ${QADIR}/libpkix
+	. ./libpkix.sh
+	
+	stat_print "Libpkix"
+}
+
+################################# main #################################
+
+memleak_init
+
+# Can not run pkix object/memory leak tests with server/client tests.
+# Pkix test is single-threaded by design. OCSP tests are ok.
+if [ -z "$PKIX_OBJECT_LEAK_TEST" ]; then
+   run_ciphers_server
+   run_ciphers_client
+else
+   run_pkix
+fi
+run_ocsp
+
+cnt_total
+memleak_cleanup
+
diff --git a/security/nss/tests/memleak/sslreq.dat b/security/nss/tests/memleak/sslreq.dat
new file mode 100644
index 000000000..1db703d1a
--- /dev/null
+++ b/security/nss/tests/memleak/sslreq.dat
@@ -0,0 +1,2 @@
+GET /stop HTTP/1.0

+

diff --git a/security/nss/tests/merge/merge.sh b/security/nss/tests/merge/merge.sh
new file mode 100755
index 000000000..205f41c7a
--- /dev/null
+++ b/security/nss/tests/merge/merge.sh
@@ -0,0 +1,254 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/merge/merge.sh
+#
+# Script to test NSS merge
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## merge_init ##############################
+# local shell function to initialize this script
+########################################################################
+merge_init()
+{
+  SCRIPTNAME=merge.sh      # sourced - $0 would point to all.sh
+  HAS_EXPLICIT_DB=0
+  if [ ! -z "${NSS_DEFAULT_DB_TYPE}" ]; then
+     HAS_EXPLICIT_DB=1
+  fi
+
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ${QADIR}/cert
+      . ./cert.sh
+  fi
+
+  if [ ! -d ${HOSTDIR}/SDR ]; then
+      cd ${QADIR}/sdr
+      . ./sdr.sh
+  fi
+  SCRIPTNAME=merge.sh
+
+  html_head "Merge Tests"
+
+  # need the SSL & SMIME directories from cert.sh
+  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+  }
+  grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+  }
+
+  #temporary files for SDR tests
+  VALUE1=$HOSTDIR/tests.v1.$$
+  VALUE3=$HOSTDIR/tests.v3.$$
+
+  # local directories used in this test.
+  MERGEDIR=${HOSTDIR}/merge
+  R_MERGEDIR=../merge
+  D_MERGE="merge.$version"
+  # SDR not initialized in common/init
+  P_R_SDR=../SDR
+  D_SDR="SDR.$version"
+  mkdir -p ${MERGEDIR}
+
+  PROFILE=.
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     PROFILE="multiaccess:${D_MERGE}"
+     P_R_SDR="multiaccess:${D_SDR}"
+  fi
+
+  cd ${MERGEDIR}
+
+  # clear out any existing databases, potentially from a previous run.
+  rm -f *.db
+
+  # copy alicedir over as a seed database.
+  cp ${R_ALICEDIR}/* .
+  # copy the smime text samples
+  cp ${QADIR}/smime/*.txt .
+
+  #
+  # allow all the tests to run in standalone mode.
+  #  in standalone mode, TEST_MODE is not set.
+  #  if NSS_DEFAULT_DB_TYPE is dbm, then test merge with dbm
+  #  if NSS_DEFAULT_DB_TYPE is sql, then test merge with sql
+  #  if NSS_DEFAULT_DB_TYPE is not set, then test database upgrade merge
+  #   from dbm databases (created above) into a new sql db.
+  if [ -z "${TEST_MODE}" ] && [ ${HAS_EXPLICIT_DB} -eq 0 ]; then
+	echo "*** Using Standalone Upgrade DB mode"
+	export NSS_DEFAULT_DB_TYPE=sql
+	echo certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+	${BINDIR}/certutil --upgrade-merge --source-dir ${P_R_ALICEDIR} --upgrade-id local -d ${PROFILE}  -f ${R_PWFILE} -@ ${R_PWFILE}
+	TEST_MODE=UPGRADE_DB
+
+  fi
+	
+}
+
+#
+# this allows us to run this test for both merge and upgrade-merge cases.
+# merge_cmd takes the potential upgrade-id and the rest of the certutil
+# arguments.
+#
+merge_cmd()
+{
+  MERGE_CMD=--merge
+  if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+     MERGE_CMD="--upgrade-merge --upgrade-token-name OldDB --upgrade-id ${1}"
+  fi
+  shift
+  echo certutil ${MERGE_CMD} $*
+  ${PROFTOOL} ${BINDIR}/certutil ${MERGE_CMD} $*
+}
+
+
+merge_main()
+{
+  # first create a local sdr key and encrypt some data with it
+  # This will cause a colision with the SDR key in ../SDR.
+  echo "$SCRIPTNAME: Creating an SDR key & Encrypt"
+  echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}"
+  ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t Test2 -f ${R_PWFILE}
+  html_msg $? 0 "Creating SDR Key"
+
+  # Now merge in Dave
+  # Dave's cert is already in alicedir, but his key isn't. This will make
+  # sure we are updating the keys and CKA_ID's on the certificate properly.
+  MERGE_ID=dave
+  echo "$SCRIPTNAME: Merging in Key for Existing user"
+  merge_cmd dave --source-dir ${P_R_DAVEDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+  html_msg $? 0 "Merging Dave"
+
+  # Merge in server
+  # contains a CRL and new user certs
+  MERGE_ID=server
+  echo "$SCRIPTNAME: Merging in new user "
+  merge_cmd server --source-dir ${P_R_SERVERDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+  html_msg $? 0 "Merging server"
+
+  # Merge in ext_client
+  # contains a new certificate chain and additional trust flags
+  MERGE_ID=ext_client
+  echo "$SCRIPTNAME: Merging in new chain "
+  merge_cmd ext_client --source-dir ${P_R_EXT_CLIENTDIR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+  html_msg $? 0 "Merging ext_client"
+
+  # Merge in SDR
+  # contains a secret SDR key
+  MERGE_ID=SDR
+  echo "$SCRIPTNAME: Merging in SDR "
+  merge_cmd sdr --source-dir ${P_R_SDR} -d ${PROFILE} -f ${R_PWFILE} -@ ${R_PWFILE}
+  html_msg $? 0 "Merging SDR"
+
+  # insert a listing of the database into the log for diagonic purposes
+  ${BINDIR}/certutil -L -d ${PROFILE}
+  ${BINDIR}/crlutil -L -d ${PROFILE}
+
+  # Make sure we can decrypt with our original SDR key generated above
+  echo "$SCRIPTNAME: Decrypt - With Original SDR Key"
+  echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}"
+  ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t Test2 -f ${R_PWFILE}
+  html_msg $? 0 "Decrypt - Value 3"
+
+  # Make sure we can decrypt with our the SDR key merged in from ../SDR
+  echo "$SCRIPTNAME: Decrypt - With Merged SDR Key"
+  echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}"
+  ${PROFTOOL} ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 -f ${R_PWFILE}
+  html_msg $? 0 "Decrypt - Value 1"
+
+  # Make sure we can sign with merge certificate
+  echo "$SCRIPTNAME: Signing with merged key  ------------------"
+  echo "cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig"
+  ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave -H SHA1 -i alice.txt -d ${PROFILE} -p nss -o dave.dsig
+  html_msg $? 0 "Create Detached Signature Dave" "."
+
+  echo "cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE} "
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i dave.dsig -c alice.txt -d ${PROFILE}
+  html_msg $? 0 "Verifying Dave's Detached Signature"
+
+  # Make sure that trust objects were properly merged
+  echo "$SCRIPTNAME: verifying  merged cert  ------------------"
+  echo "certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}"
+  ${PROFTOOL} ${BINDIR}/certutil -V -n ExtendedSSLUser -u C -d ${PROFILE}
+  html_msg $? 0 "Verifying ExtendedSSL User Cert"
+
+  # Make sure that the crl got properly copied in
+  echo "$SCRIPTNAME: verifying  merged crl  ------------------"
+  echo "crlutil -L -n TestCA -d ${PROFILE}"
+  ${PROFTOOL} ${BINDIR}/crlutil -L -n TestCA -d ${PROFILE}
+  html_msg $? 0 "Verifying TestCA CRL"
+
+}
+  
+############################## smime_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+merge_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+merge_init
+merge_main
+merge_cleanup
+
diff --git a/security/nss/tests/mksymlinks b/security/nss/tests/mksymlinks
new file mode 100755
index 000000000..aae3386ce
--- /dev/null
+++ b/security/nss/tests/mksymlinks
@@ -0,0 +1,115 @@
+#! /bin/sh
+
+O_OPTIONS=OFF
+. `dirname $0`/header
+
+if [ $O_DEBUG = ON ] ; then
+        Debug "NTDIST $NTDIST"
+        Debug "UXDIST $UXDIST"
+        Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+fi
+
+if [ -d "$NSS_VER_DIR" ] ; then
+    cd $NSS_VER_DIR
+else
+    glob_usage "cant cd to $NSS_VER_DIR Exiting"
+fi
+
+if [ -d "$NTDIST" ] ; then
+    cd $NTDIST
+    if [  ! -h WINNT5.0_DBG.OBJ -a ! -d WINNT5.0_DBG.OBJ ] ; then 
+        ln -s WINNT4.0_DBG.OBJ WINNT5.0_DBG.OBJ
+    fi
+    if [  ! -h WINNT5.0_DBG.OBJD -a ! -d WINNT5.0_DBG.OBJD ] ; then 
+        ln -s WINNT4.0_DBG.OBJD WINNT5.0_DBG.OBJD
+    fi
+    if [  ! -h WINNT5.0_OPT.OBJ -a ! -d WINNT5.0_OPT.OBJ ] ; then 
+        ln -s WINNT4.0_OPT.OBJ WINNT5.0_OPT.OBJ
+    fi
+    if [  ! -h WINNT5.1_DBG.OBJ -a ! -d WINNT5.1_DBG.OBJ ] ; then 
+        ln -s WINNT4.0_DBG.OBJ WINNT5.1_DBG.OBJ
+    fi
+    if [  ! -h WINNT5.1_DBG.OBJD -a ! -d WINNT5.1_DBG.OBJD ] ; then 
+        ln -s WINNT4.0_DBG.OBJD WINNT5.1_DBG.OBJD
+    fi
+    if [  ! -h WINNT5.1_OPT.OBJ -a ! -d WINNT5.1_OPT.OBJ ] ; then 
+        ln -s WINNT4.0_OPT.OBJ WINNT5.1_OPT.OBJ
+    fi
+    
+    if [ $O_DEBUG = ON ] ; then
+        tell
+    fi
+else
+    if [ $O_DEBUG = ON ] ; then
+        Debug "WARNING!!! cant cd to $NTDIST "
+    fi
+fi
+
+if [ -d "$UXDIST" ]
+then
+    cd $UXDIST
+else
+    glob_usage "Error!!! cant cd to $UXDIST "
+fi
+
+ErrorFlag=0
+
+#if [  ! -h OSF1V5.1_DBG.OBJ -a ! -d OSF1V5.1_DBG.OBJ ] ; then 
+    #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.1_DBG.OBJ || ErrorFlag=1
+#fi
+#if [  ! -h OSF1V5.1_OPT.OBJ -a ! -d OSF1V5.1_OPT.OBJ ] ; then 
+    #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.1_OPT.OBJ || ErrorFlag=1
+#fi
+#if [  ! -h OSF1V5.0_DBG.OBJ -a ! -d OSF1V5.0_DBG.OBJ ] ; then 
+    #ln -s OSF1V4.0D_DBG.OBJ OSF1V5.0_DBG.OBJ || ErrorFlag=1
+#fi
+#if [  ! -h OSF1V5.0_OPT.OBJ -a ! -d OSF1V5.0_OPT.OBJ ] ; then 
+    #ln -s OSF1V4.0D_OPT.OBJ OSF1V5.0_OPT.OBJ || ErrorFlag=1
+#fi
+if [  ! -h SunOS5.9_64_DBG.OBJ  -a ! -d  SunOS5.9_64_DBG.OBJ ] ; then 
+    ln -s SunOS5.8_64_DBG.OBJ SunOS5.9_64_DBG.OBJ || ErrorFlag=1
+fi
+if [  ! -h SunOS5.9_64_OPT.OBJ  -a ! -d  SunOS5.9_64_OPT.OBJ ] ; then 
+    ln -s SunOS5.8_64_OPT.OBJ SunOS5.9_64_OPT.OBJ || ErrorFlag=1
+fi
+if [  ! -h SunOS5.9_DBG.OBJ  -a ! -d  SunOS5.9_DBG.OBJ ] ; then 
+    ln -s SunOS5.8_DBG.OBJ SunOS5.9_DBG.OBJ || ErrorFlag=1
+fi
+if [  ! -h SunOS5.9_OPT.OBJ  -a ! -d  SunOS5.9_OPT.OBJ ] ; then 
+    ln -s SunOS5.8_OPT.OBJ SunOS5.9_OPT.OBJ || ErrorFlag=1
+fi
+#sonmi - still leaving the section in there so 3.3 and 3.2 will not break
+#since 5.8 is the masterbuild it should never be executed
+#additionally: only creat link if the slave build is present, but 
+#master is not
+#if [  ! -h SunOS5.8_DBG.OBJ -a ! -d  SunOS5.8_DBG.OBJ ]  ; then 
+    #if [ -d SunOS5.6_DBG.OBJ ] ; then
+        #ln -s SunOS5.6_DBG.OBJ SunOS5.8_DBG.OBJ || ErrorFlag=1
+    #fi
+#fi
+#if [  ! -h SunOS5.8_OPT.OBJ -a ! -d  SunOS5.8_OPT.OBJ ] ; then 
+    #if [ -d SunOS5.6_OPT.OBJ ] ; then
+        #ln -s SunOS5.6_OPT.OBJ SunOS5.8_OPT.OBJ || ErrorFlag=1
+    #fi
+#fi
+#if [ ! -h Linux2.4_x86_glibc_PTH_DBG.OBJ -a ! -d Linux2.4_x86_glibc_PTH_DBG.OBJ]
+#then
+    #ln -s Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.4_x86_glibc_PTH_DBG.OBJ || ErrorFlag=1
+#fi
+#if [ ! -h Linux2.4_x86_glibc_PTH_OPT.OBJ -a ! -d Linux2.4_x86_glibc_PTH_OPT.OBJ]
+#then
+    #ln -s Linux2.2_x86_glibc_PTH_OPT.OBJ Linux2.4_x86_glibc_PTH_OPT.OBJ || ErrorFlag=1
+#fi
+
+if [  ! -h SunOS5.9_i86pc_DBG.OBJ  -a ! -d SunOS5.9_i86pc_DBG.OBJ ] ; then 
+    ln -s SunOS5.8_i86pc_DBG.OBJ SunOS5.9_i86pc_DBG.OBJ || ErrorFlag=1
+fi
+if [  ! -h SunOS5.9_i86pc_OPT.OBJ  -a ! -d SunOS5.9_i86pc_OPT.OBJ ] ; then 
+    ln -s SunOS5.8_i86pc_OPT.OBJ SunOS5.9_i86pc_OPT.OBJ || ErrorFlag=1
+fi
+
+if [ $O_DEBUG = ON ] ; then
+    tell
+fi
+
+exit $ErrorFlag #no cleanup here, no tempfiles
diff --git a/security/nss/tests/nssdir b/security/nss/tests/nssdir
new file mode 100755
index 000000000..884c299f5
--- /dev/null
+++ b/security/nss/tests/nssdir
@@ -0,0 +1,28 @@
+if ( "$2" == ""  ) then
+	setenv BUILDDATE `date +%m%d`
+else
+	setenv BUILDDATE $2
+endif
+
+if ( "$1" == ""  ) then
+	setenv NSSVER tip
+else
+	setenv NSSVER $1
+endif
+
+if ( ! ${?QAYEAR} ) then 
+        setenv QAYEAR `date +%Y`
+else if ( "$QAYEAR" == ""  ) then
+	setenv QAYEAR `date +%Y`
+	
+endif
+
+setenv NSS_VER_DIR /share/builds/mccrel3/nss/nss$NSSVER
+setenv NTDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/blowfish_NT4.0_Win95/mozilla/dist
+setenv UXDIST ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/dist
+setenv TESTSCRIPTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/security/nss/tests
+setenv RESULTDIR ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8/mozilla/tests_results/security
+
+cd ${NSS_VER_DIR}/builds/${QAYEAR}${BUILDDATE}.1/booboo_Solaris8
+pwd
+ls
diff --git a/security/nss/tests/nsspath b/security/nss/tests/nsspath
new file mode 100755
index 000000000..5d5ececc6
--- /dev/null
+++ b/security/nss/tests/nsspath
@@ -0,0 +1,12 @@
+#! /bin/tcsh
+
+set PWD=`pwd`
+source /u/sonmi/bin/nssdir $*
+set OBJDIR=`(cd mozilla/security/nss/tests/common; gmake objdir_name)`
+setenv PATH `perl /u/sonmi/bin/path_uniq -s "${PATH}:${UXDIST}/${OBJDIR}/bin"`
+if ( `uname -n` == "iws-perf" ) then
+    setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib:/opt/nfast/toolkits/pkcs11"
+else
+    setenv LD_LIBRARY_PATH "${UXDIST}/${OBJDIR}/lib"
+endif
+cd $PWD
diff --git a/security/nss/tests/nssqa b/security/nss/tests/nssqa
new file mode 100755
index 000000000..441128155
--- /dev/null
+++ b/security/nss/tests/nssqa
@@ -0,0 +1,286 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/nssqa - /u/svbld/bin/init/nss/nssqa
+#
+# this script is supposed to automatically run QA for NSS on all required
+# Unix and Windows (NT and 2000) platforms
+#
+# parameters
+# ----------
+#   nssversion  (supported: 30b, 31, tip)
+#   builddate   (default - today)
+#
+# options
+# -------
+#   -y answer all questions with y - use at your own risk...ignores warnings
+#   -s silent (only usefull with -y)
+#   -h, -? - you guessed right - displays this text
+#   -d debug
+#   -f <filename> - write the (error)output to filename
+#   -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.nssqa
+# 
+# 12/1/00
+# took out the (unused) local directory for releasebuild QA on NT
+# cleaned up 32 - 64 bit issues
+# took hardcoded machinenames out
+########################################################################
+
+O_OPTIONS=ON            # accept options (see above for listing)
+WIN_WAIT_FOREVER=ON     # first we wait forever for a TESTDIR to appear, than 
+                        # we wait forever for the build to finish...
+
+TBX_EXIT=50             # in case we are running on a tinderbox build, any 
+                        # early exit needs to return an error
+. `dirname $0`/header   # utilities, shellfunctions etc, global to NSS QA
+
+if [ -z "$O_TBX" -o "$O_TBX" != "ON" ] ; then
+    is_running ${TMP}/nssqa 
+                        # checks if the file exists, if yes Exits, if not 
+                        # creates to implement a primitive locking mechanism
+fi
+
+KILL_SELFSERV=OFF       # cleanup will also kill the leftover selfserv processes
+
+################################ check_distdir #########################
+# local shell function to check if the DIST directory exists, if not there 
+# is no use to continue the test
+########################################################################
+check_distdir()
+{
+    set_objdir
+
+    if [ ! -d "$LOCALDIST_BIN" ]
+    then
+        Debug "Dist $DIST"
+        Warning "$LOCALDIST_BIN (the dist binaries dir) does not exist"
+        return 1
+    fi
+
+    if [ ! -d "$LOCALDIST" -a ! -h "$LOCALDIST" ]
+    then
+        Debug "Dist $DIST"
+        Warning "$LOCALDIST (the dist directory) does not exist"
+        return 1
+    fi
+
+    Debug "LOCALDIST_BIN $LOCALDIST_BIN"
+    Debug "Dist $DIST"
+    return 0
+}
+
+################################ run_all ###############################
+# local shell function to start the all.sh after asking user and redirect 
+# the output apropriately
+########################################################################
+run_all()        
+{
+    check_distdir || return 1
+    #kill_by_name selfserv
+    ask "Testing $OBJDIR continue with all.sh" "y" "n" || Exit
+
+    Debug "running all.sh in `pwd`"
+    if [ $O_SILENT = ON ]
+    then
+        if [ $O_DEBUG = ON -a $O_FILE = ON ]
+        then
+            all.sh >>$FILENAME 2>>$FILENAME
+        else
+            all.sh >/dev/null 2>/dev/null
+        fi
+    else
+        all.sh
+    fi
+    Debug "Done with all.sh "
+    line
+}
+
+all_sh()
+{
+    echo
+}
+
+
+########################### wait_for_build #############################
+# local shell function to wait until the build is finished
+########################################################################
+wait_for_build()
+{
+  if [ $O_WIN = "ON" ]
+  then
+      WaitForever ${OSDIR}/SVbuild.InProgress.1 0 
+                     #Wait for the build to finish Windows a lot longer
+      OS_TARGET=WINNT;export OS_TARGET;Debug "OS_TARGET set to $OS_TARGET"
+      QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \
+          sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e "s/WINNT5.0.*/Windows-2000/"`
+      Echo "WINDOWS-OS-LINE: $QA_OS_NAME"
+  else
+      Wait ${OSDIR}/SVbuild.InProgress.1 0     
+                     #Wait for the build to finish... Unix a few hours
+      qa_stat_get_sysinfo
+      Echo "UNIX-OS-LINE: $QA_OS"
+  fi
+  find_nt_masterbuild
+}
+
+
+########################### map_os #############################
+# local shell function: From the operatingsystem figure out the name of 
+#     the build ; needed to detemine if the build finished, passed and for
+#     the directory names
+########################################################################
+map_os32()
+{
+    case `uname -s` in
+        SunOS)
+            S_REL=`uname -r | sed -e "s/^[^\.]*\.//g"`
+            if [ `uname -p` = "i386" ] ; then
+                MAPPED_OS=Solaris8_x86
+            elif [ "$S_REL" -lt 8 ] ; then
+                MAPPED_OS=Solaris2.6
+            else
+                MAPPED_OS=Solaris8_forte6
+            fi
+            ;;
+        OSF1)
+            MAPPED_OS=OSF1V4.0
+            ;;
+        Darwin)
+            MAPPED_OS=Darwin6.5
+            ;;	
+        AIX)
+            MAPPED_OS=AIX4.3
+            ;;
+        Linux)
+            RH_MR=`cat /etc/redhat-release | sed \
+                -e "s/Red Hat Linux release //" -e "s/ .*//g" \
+                -e "s/\..*//g"`
+            
+            if [ "$RH_MR" = "6" ] ; then
+                MAPPED_OS=Linux2.2
+            else
+                MAPPED_OS=Linux2.4
+                LD_ASSUME_KERNEL="2.2.5"
+                export LD_ASSUME_KERNEL
+            fi
+            ;;
+        HP-UX)
+            MAPPED_OS=HPUX11.00
+            ;;
+        *)
+            if [ "$os_name" = "Windows" ]
+            then
+                MAPPED_OS=NT4.0
+            else
+                Exit "Sorry, operating system `uname -s` is not supported yet"
+            fi
+            ;;
+    esac
+    set_osdir
+    Debug "Mapped OS to $MAPPED_OS"
+}
+
+############################# nssqa_main ###############################
+# local shell function main controlling function of the nss qa
+########################################################################
+nssqa_main()
+{
+  Debug "In function nssqa_main"
+
+  if [ $O_WIN = "OFF" -a "$O_TBX" = "OFF" -a $O_LOCAL = "OFF" ] ; then
+      if [ ! -h ${NTDIST}/WINNT5.0_DBG.OBJ -o \
+              ! -h ${UXDIST}/SunOS5.8_OPT.OBJ -o \
+              ! -h ${UXDIST}/OSF1V5.0_DBG.OBJ ] ; then
+          # determine if all needed symbolic links are present, in case
+          # we build on one platform and QA on another
+          # create the symbolic links
+          #mksymlinks $* ||
+          `dirname $0`/mksymlinks  $NSSVER $BUILDDATE ||
+              Warning "Can't make the neccessary symbolic links"
+      fi
+  fi
+
+  if [ -d $TESTSCRIPTDIR ]    #the directory mozilla/security/nss/tests, 
+  then            # where all.sh lives
+      cd $TESTSCRIPTDIR
+  else
+      Exit "cant cd to $TESTSCRIPTDIR Exiting"
+  fi
+
+  Debug "Testing from `pwd`"
+  line
+  Debug "HOST: $HOST, DOMSUF: $DOMSUF"
+
+  if [  "$O_TBX" = "OFF" ] ; then
+      map_os32 # From the operatingsystem figure out the name of the build 
+      Debug Testing build for $MAPPED_OS in $OSDIR
+      wait_for_build
+  fi
+  run_all
+  BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+  run_all
+  
+  # now for the 64 bit build!
+  map_os64 # From the operatingsystem figure out the name of the build 
+  if [ -n "$IS_64" ] ; then #Wait for the 64 bit build to finish...
+      Debug "This is a $IS_64 platform"
+      USE_64=1;export USE_64;Debug "Use_64 set to $USE_64"
+      unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+
+      run_all
+      BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+      run_all
+  elif [ "$O_WIN" = "ON" ] ; then
+      OS_TARGET=WIN95;export OS_TARGET
+      Debug "OS_TARGET set to $OS_TARGET"
+      #Echo "WINDOWS-OS-LINE: $os_name $os_full $OS_TARGET"
+      unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+      #if [ "$TEST_LEVEL" = "0" ] ; then
+          #QA_OS_NAME=`cd ${TESTSCRIPTDIR}/common; gmake objdir_name | \
+              #sed -e "s/WINNT4.0.*/Windows-NT-4.0/" -e \
+                     #"s/WINNT5.0.*/Windows-2000/"`
+          #Echo "WINDOWS-OS-LINE: $QA_OS_NAME $OS_TARGET"
+      #fi
+      run_all
+      BUILD_OPT=1; export BUILD_OPT; Debug "BUILD_OPT $BUILD_OPT"
+      run_all
+  else
+      Debug "This is a 32 bit platform"
+  fi
+}
+  
+TEST_LEVEL=0
+
+while [ $TEST_LEVEL -lt 2 ] ; do 
+    export TEST_LEVEL
+    unset BUILD_OPT;export BUILD_OPT;Debug "BUILD_OPT $BUILD_OPT"
+    unset USE_64;export USE_64;Debug "USE_64 $USE_64"
+    bc $TEST_LEVEL
+    Debug "About to start nssqa_main"
+    if [ $O_FILE = ON -a "$O_WIN" != "ON" ] ; then
+        nssqa_main 2>>$FILENAME
+    else
+        nssqa_main
+    fi
+    if [  "$O_TBX" = "ON" ] ; then      # do not do backward compatibility 
+         TEST_LEVEL=3                   # testing on tinderbox
+    else
+         TEST_LEVEL=`expr $TEST_LEVEL + 1 `
+    fi
+done
+
+if [  "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+#FIXME - maybe it should be copied back to the networkdrive later (-ln)
+    if [ -n "${TMPFILES}" ] ; then #caused problems on tinderbox machines
+        Debug "rm -f ${TMPFILES}"
+        rm -f $TMPFILES 2>/dev/null
+    fi
+    Debug "running qa_stat"
+    . `dirname $0`/qa_stat
+fi
+
+  
+qa_stat_get_sysinfo
+
+Exit "nssqa completed. Done `uname -n` $QA_OS_STRING"
diff --git a/security/nss/tests/ocsp/ocsp.sh b/security/nss/tests/ocsp/ocsp.sh
new file mode 100644
index 000000000..8efe737a7
--- /dev/null
+++ b/security/nss/tests/ocsp/ocsp.sh
@@ -0,0 +1,82 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/ocsp/ocsp.sh
+#
+# Script to test NSS OCSP
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ocsp_init()
+{
+  SCRIPTNAME=ocsp.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ -z "${IOPR_OCSP_SOURCED}" ]; then
+      . ../iopr/ocsp_iopr.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=ocsp.sh
+  echo "$SCRIPTNAME: OCSP tests ==============================="
+
+  cd ${CLIENTDIR}
+}
+
+################## main #################################################
+ocsp_init
+ocsp_iopr_run
diff --git a/security/nss/tests/path_uniq b/security/nss/tests/path_uniq
new file mode 100755
index 000000000..f29f60a00
--- /dev/null
+++ b/security/nss/tests/path_uniq
@@ -0,0 +1,107 @@
+#! /bin/perl
+
+########################################################################
+#
+# /u/sonmi/bin/path_uniq
+#
+# this script makes components of a PATH like string unique cand prints
+# it to stdout
+#
+# parameters
+# ----------
+#    PATH
+#
+# options
+# -------
+#     -d delimiter - default : 
+#     -s shortens the path
+#
+# usefull enhancements: in the usage part, try to guess what was meant as 
+# a path and echo it to stdout to not break for PATHs with blanks
+#
+########################################################################
+
+sub usage {
+    print STDERR "usage $0 [-s] [-d <delimiter>] PATH\n";
+    print STDERR "    this script makes components of the PATH unique, if you\n";
+    print STDERR "    pass in a searchpath A:B:C:A:B:E it will print A:B:C:E to\n";
+    print STDERR "    the stdout\n\n";
+    print STDERR "    -s will mercylessly cut components from the path, \n";
+    print STDERR "    use at your own risk\n\n";
+    print STDERR "    the parameters you gave were: \n";
+    for ( $i = 0; $i <= $#ARGV; $i++ ) {
+        print STDERR "        $ARGV[$i]\n";
+    }
+    exit ;
+}
+
+
+$i = 0;
+$j = 0;
+$delimiter = ":";
+$searchpath = "";
+@pathcomponents;
+$found=0;
+$newpath="";
+$shorten=0;
+
+for ( $i=0; $i <= $#ARGV; $i++) {
+    if ( $ARGV[$i] eq '-d' ) {
+        $delimiter = $ARGV[++$i];
+    } elsif  ( $ARGV[$i] eq '-s' ) {
+        $shorten=1;
+    } else {
+        $searchpath = $ARGV[$i];
+    }
+}
+if ( $searchpath eq "" ) {
+    usage;
+}
+#print STDERR "delimiter $delimiter\n";
+#print STDERR "shorten $shorten\n";
+#print STDERR "searchpath $searchpath\n";
+
+@pathcomponents=split($delimiter, $searchpath);
+
+for ( $i = 0; $i <= $#pathcomponents; $i++ ) {
+    $found=0;
+    if ( $shorten == 1 ) {
+        if ( "\/tools\/ns-arch\/sparc_sun_solaris2\.4\/lib\/sparcworks\/SUNWspro/bin" eq $pathcomponents[$i] ||
+              "\/h\/tortoise\/export\/share\/builds\/tools\/sparc_sun_solaris2\.5\.1\/perl5\.004\/bin" eq $pathcomponents[$i] ||
+              "\/usr\/dist\/local\/exe" eq $pathcomponents[$i] ||
+              "\/opt\/SUNWspro\/bin" eq $pathcomponents[$i] ||
+              "\/opt\/SUNWwabi\/bin" eq $pathcomponents[$i] ||
+              "\/u\/svbld\/bin" eq $pathcomponents[$i] ||
+              "\/usr\/demos" eq $pathcomponents[$i] ||
+              "\/usr\/audio\/bin" eq $pathcomponents[$i] ||
+              "\/usr\/openwin\/demo" eq $pathcomponents[$i] ||
+              "\/tools\/contrib\/bin" eq $pathcomponents[$i] ||
+              "\/usr\/etc\/" eq $pathcomponents[$i] ||
+              "\/usr\/demos\/bin" eq $pathcomponents[$i] ) {
+
+            
+            #print "dumped: $pathcomponents[$i]\n";
+            next;
+        }
+            #print "keep: $pathcomponents[$i]\n";
+    }
+    for ( $j = 0; $j < $i; $j++ ) {
+        if ( $pathcomponents[$j] eq $pathcomponents[$i] ) {
+            #print "$i and $j match - $pathcomponents[$i] - $pathcomponents[$j]\n";
+            $found=1;
+            last;
+        }
+    }
+    if ( $found == 0 ) {
+        #print "$pathcomponents[$i]:";
+        if ($i == 0) {
+            $newpath = $pathcomponents[$i];
+        } else {
+            $newpath=join($delimiter, $newpath,$pathcomponents[$i]);
+        }
+    }
+}
+print "$newpath\n";
+exit;
+
+
diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh
new file mode 100755
index 000000000..685c27430
--- /dev/null
+++ b/security/nss/tests/perf/perf.sh
@@ -0,0 +1,93 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/perf/perf.sh
+#
+# script run from the nightly NSS QA to measure nss performance
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## perf_init ##############################
+# local shell function to initialize this script
+########################################################################
+
+perf_init()
+{
+  SCRIPTNAME="perf.sh"
+  if [ -z "${INIT_SOURCED}" ] ; then
+      cd ../common
+      . ./init.sh
+  fi
+  SCRIPTNAME="perf.sh"
+  PERFDIR=${HOSTDIR}/perf
+  mkdir -p ${PERFDIR}
+}
+
+perf_init
+cd ${PERFDIR}
+RSAPERF_OUT=`${BINDIR}/rsaperf -i 300 -s -n none`
+RSAPERF_OUT=`echo $RSAPERF_OUT | sed \
+                -e "s/^/RSAPERF: $OBJDIR /" \
+                -e 's/microseconds/us/' \
+                -e 's/milliseconds/ms/' \
+                -e 's/seconds/s/' \
+                -e 's/ minutes, and /_min_/'`
+
+echo "$RSAPERF_OUT"
+
+
+
+#FIXME
+#export RSAPERF_OUT
+#
+#perl -e '
+
+#@rsaperf=split(/ /, $ENV{RSAPERF_OUT});
+
+#echo "${RSAPERF_OUT}" | read IT_NUM T1 T2 TOT_TIM TOT_TIM_U \
+    #T3 T4 T5 AVRG_TIM AVRG_TIM_U
+
+#300 iterations in 8.881 seconds one operation every 29606 microseconds
diff --git a/security/nss/tests/pkcs11/netscape/suites/Makefile b/security/nss/tests/pkcs11/netscape/suites/Makefile
new file mode 100644
index 000000000..054878a9b
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+# include $(CORE_DEPTH)/$(MODULE)/config/rules.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/config.mk b/security/nss/tests/pkcs11/netscape/suites/config.mk
new file mode 100644
index 000000000..4d345ecd8
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/config.mk
@@ -0,0 +1,46 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+all::
+
+release:: release_security abort_rule
+
+release_security:
+	@echo "cd security; $(MAKE) release"
+	$(MAKE) -C security release
+
+abort_rule:
+	@"Security Complete. (Don't worry about this, it really should abort here!)"
diff --git a/security/nss/tests/pkcs11/netscape/suites/manifest.mn b/security/nss/tests/pkcs11/netscape/suites/manifest.mn
new file mode 100644
index 000000000..d404575ce
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/manifest.mn
@@ -0,0 +1,41 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../..
+ 
+DIRS =  security \
+        $(NULL)
+ 
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/Makefile b/security/nss/tests/pkcs11/netscape/suites/security/Makefile
new file mode 100644
index 000000000..de1235b37
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include $(CORE_DEPTH)/$(MODULE)/config/rules.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/config.mk b/security/nss/tests/pkcs11/netscape/suites/security/config.mk
new file mode 100644
index 000000000..845be7ba7
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/config.mk
@@ -0,0 +1,58 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+all::
+
+release:: release_des release_des3 release_sha1 release_dsa abort_rule
+
+release_des:
+	@echo "cd des; $(MAKE) release"
+	$(MAKE) -C des release
+
+release_des3:
+	@echo "cd des3; $(MAKE) release"
+	$(MAKE) -C des3 release
+
+release_sha1:
+	@echo "cd sha1; $(MAKE) release"
+	$(MAKE) -C sha1 release
+
+release_dsa:
+	@echo "cd dsa; $(MAKE) release"
+	$(MAKE) -C dsa release
+
+abort_rule:
+	@"Security Suites Complete. (Don't worry about this, it really should abort here!)"
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/manifest.mn b/security/nss/tests/pkcs11/netscape/suites/security/manifest.mn
new file mode 100644
index 000000000..0b31f777b
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/manifest.mn
@@ -0,0 +1,44 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../../..
+
+#MODULE = sectools
+
+DIRS =	pkcs11 \
+	ssl \
+	$(NULL)
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/Makefile b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/Makefile
new file mode 100644
index 000000000..10b84469a
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/Makefile
@@ -0,0 +1,81 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
+ 
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include $(CORE_DEPTH)/$(MODULE)/config/rules.mk
+include $(CORE_DEPTH)/nss/cmd/platlibs.mk
+include $(CORE_DEPTH)/nss/cmd/platrules.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include rules.mk
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/config.mk b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/config.mk
new file mode 100644
index 000000000..d21c6bf1c
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/config.mk
@@ -0,0 +1,61 @@
+#
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# Adjust specific variables for all platforms                         #
+#######################################################################
+OS_CFLAGS += -DNSPR20=1
+
+#######################################################################
+# Set the LDFLAGS value to encompass all normal link options, all     #
+# library names, and all special system linking options               #
+#######################################################################
+
+LDFLAGS = $(LDOPTS) $(LIBSECMOD) $(LIBHASH) $(LIBCERT) $(LIBKEY) \
+$(LIBCRYPTO) $(LIBSECUTIL) $(LIBDBM) $(LIBPLC) $(LIBPLDS) $(LIBPR) \
+$(LIBSECTOOLS) $(DLLSYSTEM)
+
+# These are the libraries from the PKCS #5 suite:
+#LDFLAGS = $(LDOPTS) $(LIBSECTOOLS) $(LIBSSL) $(LIBPKCS7) $(LIBCERT) $(LIBKEY) $(LIBSECMOD) $(LIBCRYPTO) $(LIBSECUTIL) $(LIBSECMOD) $(LIBSSL) $(LIBPKCS7) $(LIBCERT) $(LIBKEY) $(LIBCRYPTO) $(LIBSECUTIL) $(LIBHASH) $(LIBDBM) $(LIBPLDS) $(LIBPLC) $(LIBPR) $(DLLSYSTEM)
+
+#######################################################################
+# Set the TARGETS value to build one executable from each object file #
+#######################################################################
+
+# TARGETS = $(OBJS:$(OBJ_SUFFIX)=$(PROG_SUFFIX))
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/manifest.mn b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/manifest.mn
new file mode 100644
index 000000000..6edb45226
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/manifest.mn
@@ -0,0 +1,50 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH=../../../../../../..
+
+#MODULE = sectools
+
+CSRCS = pk11test.c
+
+PROGRAM = pk11test
+
+REQUIRES = seccmd dbm nss
+
+REGRESSION_SPEC = pkcs11.reg
+
+RESULTS_SUBDIR = security/pkcs11
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.c b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.c
new file mode 100644
index 000000000..0279a8060
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.c
@@ -0,0 +1,1363 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#define VERSION_MAJOR 1
+#define VERSION_MINOR 0
+#define VERSION_POINT 7
+/* Standard C includes */
+#include <stdlib.h>
+#include <stdio.h>
+
+/* NSPR includes */
+#include <prio.h>
+#include <prprf.h>
+#include <plarena.h>
+#include <prinit.h>
+#include <prmem.h>
+
+/* security includes */
+#include <pkcs11t.h>
+#include <secmodt.h>
+#include <pk11func.h>
+#include <secmod.h>
+#include <secutil.h>
+#include <keyt.h>
+
+/* replacer header file */
+#include "pk11test.h"
+
+#include "pkcs11.h"
+
+void SEC_Init(void);
+
+PRStatus InitCrypto(char*);
+int TestUserManagement();
+int TestCrypto();
+MechInfo* GetMechInfo(CK_MECHANISM_TYPE type);
+int TestEncrypt(CK_MECHANISM_TYPE mech);
+int TestSign(CK_MECHANISM_TYPE mech);
+int TestDigest(CK_MECHANISM_TYPE mech);
+int TestHMAC(CK_MECHANISM_TYPE mech);
+int TestSymmetricEncrypt(CK_MECHANISM_TYPE mech);
+int TestPKEncrypt(CK_MECHANISM_TYPE mech);
+
+
+static char* userpw = NULL;
+static int secerror=0;
+/* PK11SymKey *symkey=NULL;*/
+PK11SlotInfo *slot=NULL;
+
+/* Errors */
+enum {
+	NO_ERROR_AT_ALL=0,
+	NO_SUCH_SLOT=1,
+	KEY_GEN_FAILED,
+	CREATE_CONTEXT_FAILED,
+	INTERNAL_RNG_FAILED,
+	MECH_NOT_FOUND,
+	INPUT_FILE_ERROR,
+	KEY_COPY_FAILED,
+	CIPHER_OP_FAILED,
+	FINALIZE_FAILED,
+	RESULTS_DONT_MATCH,
+	PARAM_GEN_FAILED,
+	PLAINTEXT_DOESNT_MATCH,
+	ENCRYPTION_IS_NOOP,
+	WRAP_PRIVKEY_FAILED,
+	WRAP_SYMKEY_FAILED,
+	UNWRAP_SYMKEY_FAILED,
+	UNWRAPPED_KEY_DOESNT_MATCH,
+	UNWRAP_PRIVKEY_FAILED,
+	SIGNATURE_FAILED,
+	SIGNATURE_DOESNT_VERIFY,
+	AUTHENTICATION_FAILED,
+	AUTHENTICATION_SUCCEEDED,
+	MODDB_ACCESS
+};
+
+static char* errString[] = {
+	"No error",
+	"No such slot",
+	"Failed to generate key",
+	"Failed to create a cryptographic context",
+	"Failed to generate random bytes",
+	"Mechanism was not found",
+	"Error in input file",
+	"Failed to copy key from internal to external module",
+	"Cipher operation failed",
+	"Cipher finalization failed",
+	"Internal module produced a different result than the target module",
+	"Failed to generate cryptographic parameters",
+	"Recovered plaintext does not match original plaintext",
+	"Ciphertext is the same as plaintext",
+	"Unable to wrap private key",
+	"Unable to wrap symmetric key",
+	"Unable to unwrap symmetric key",
+	"Unwrapped key does not match original key",
+	"Unable to unwrap private key",
+	"Signing operation failed",
+	"Incorrect signature: doesn't verify",
+	"Failed to authenticate to slot",
+	"Authenticated to slot with incorrect password",
+	"Unable to access security module database"
+};
+
+/***********************************************************************
+ *
+ * R e a d I n p u t F i l e
+ *
+ * Read tokenname and module name from the file with the indicated name.
+ * Pass in the addresses of pointers.  They will be set to point at
+ * dynamically-allocated memory.
+ *
+ * Returns 0 on success, -1 on error with file.
+ */
+int
+ReadInputFile(char *filename, char**tokenname, char**moddbname, char **userpw)
+{
+	PRFileDesc* file=NULL;
+	char readbuf[1025];
+	int numbytes=0;
+	char *cp;
+
+	*tokenname = NULL;
+	*moddbname = NULL;
+
+	/* Open file */
+	file = PR_Open(filename, PR_RDONLY, 0);
+	if(!file) {
+		return -1;
+	}
+
+	/* Read in everything */
+	numbytes = PR_Read(file, readbuf, 1024);
+	if(numbytes==-1) {
+		goto loser;
+	}
+	readbuf[numbytes] = '\0'; /* make sure we're null-terminated */
+
+	/* Get tokenname */
+	cp = strtok(readbuf, "\r\n");
+	if(cp == NULL) {
+		goto loser;
+	}
+	*tokenname = PR_Malloc(strlen(cp)+1);
+	strcpy(*tokenname, cp);
+
+	/* get moddbname */
+	cp = strtok(NULL, "\r\n");
+	if(cp == NULL) {
+		goto loser;
+	}
+	*moddbname = PR_Malloc(strlen(cp)+1);
+	strcpy(*moddbname, cp);
+
+	/* Get module PIN */
+	cp = strtok(NULL, "\r\n");
+	if(cp == NULL) {
+		goto loser;
+	}
+	*userpw = PR_Malloc(strlen(cp)+1);
+	strcpy(*userpw, cp);
+
+	PR_Close(file);
+	return 0;
+
+loser:
+	if(file) {
+		PR_Close(file);
+	}
+	if(*tokenname) {
+		PR_Free(*tokenname);
+		*tokenname = NULL;
+	}
+	if(*moddbname) {
+		PR_Free(*moddbname);
+		*moddbname = NULL;
+	}
+	return -1;
+}
+
+static PRBool supplyPassword=PR_TRUE;
+char*
+PasswordFunc(PK11SlotInfo *slot, PRBool loadcerts, void *wincx)
+{
+	if(supplyPassword) {
+		/*PR_fprintf(PR_STDOUT, "Feeding password: |%s|\n", userpw);*/
+		supplyPassword = PR_FALSE;
+		return PL_strdup(userpw);
+	} else  {
+		/*PR_fprintf(PR_STDOUT, "PasswordFunc supplying NULL.\n");*/
+		return NULL;
+	}
+}
+	
+
+/**********************************************************************
+ *
+ * m a i n
+ *
+ */
+int
+main(int argc, char *argv[])
+{
+	char *tokenname=NULL;
+	char *moddbname=NULL;
+	int errcode;
+
+	if(argc < 3) {
+		PR_fprintf(PR_STDERR,
+"\nPKCS #11 Test Suite Version %d.%d.%d\n\
+Usage: pkcs11 testid configfile\n",VERSION_MAJOR,VERSION_MINOR,VERSION_POINT);
+		return -1;
+	}
+
+	testId = atoi(argv[1]);
+	if(ReadInputFile(argv[2], &tokenname, &moddbname, &userpw)) {
+		errcode = INPUT_FILE_ERROR;
+		goto loser;
+	}
+
+	PR_fprintf(PR_STDOUT, "testId=%d\n", testId);
+	PR_fprintf(PR_STDOUT, "tokenname=%s\n", tokenname);
+	PR_fprintf(PR_STDOUT, "moddbname=%s\n", moddbname);
+
+	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+
+ 	if( InitCrypto(moddbname) != PR_SUCCESS ) {
+		errcode = MODDB_ACCESS;
+		goto loser;
+	}
+
+	slot = PK11_FindSlotByName(tokenname);
+	if(!slot) {
+		errcode = NO_SUCH_SLOT;
+		goto loser;
+	}
+
+	if(!REP_USE_CORRECT_PIN && userpw) {
+		/* don't use the pin passed in */
+		userpw[0]++;
+	}
+	PK11_SetPasswordFunc(PasswordFunc);
+	if(PK11_NeedLogin(slot)) {
+		SECStatus result;
+		supplyPassword = PR_TRUE;
+		result = PK11_Authenticate(slot, PR_FALSE, NULL);
+		/* If we just did an invalid login, login correctly so we don't
+		 * cause the token to lock us out */
+		if(!REP_USE_CORRECT_PIN) {
+			userpw[0]--;
+			supplyPassword = PR_TRUE;
+			PK11_Authenticate(slot, PR_FALSE, NULL);
+		}
+		if(REP_USE_CORRECT_PIN && result!=SECSuccess) {
+			errcode =  AUTHENTICATION_FAILED;
+			goto loser;
+		} else if(!REP_USE_CORRECT_PIN && result==SECSuccess) {
+			errcode = AUTHENTICATION_SUCCEEDED;
+			goto loser;
+		}
+	}
+
+	errcode = TestCrypto();
+
+loser:
+	if(tokenname) {
+		PR_Free(tokenname); tokenname = NULL;
+	}
+	if(moddbname) {
+		PR_Free(moddbname); moddbname = NULL;
+	}
+	if(errcode) {
+	    PR_fprintf(PR_STDOUT, "Exiting with error: %s.\n\n", errString[errcode]);
+	} else {
+		PR_fprintf(PR_STDOUT, "Test was successful\n\n");
+	}
+	return errcode;
+}
+
+/**********************************************************************
+ *
+ * I n i t C r y p t o
+ *
+ */
+PRStatus
+InitCrypto(char *moddbname)
+{
+	SEC_Init();
+
+	if( PR_Access(moddbname, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+		PR_fprintf(PR_STDERR, "Error: %s does not exist.\n", moddbname);
+		return PR_FAILURE;
+	}
+	if( PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
+		PR_fprintf(PR_STDERR, "Error: %s is not readable.\n",
+			moddbname);
+		return PR_FAILURE;
+	}
+
+	SECMOD_init(moddbname);
+	return PR_SUCCESS;
+}
+
+/**********************************************************************
+ *
+ * T e s t C r y p t o
+ *
+ */
+int
+TestCrypto()
+{
+	MechInfo *mechInfo;
+	int errcode;
+	unsigned short testcount=0;
+
+	if(!PK11_DoesMechanism(slot, REP_MECHANISM)) {
+		return 0;
+	}
+
+	mechInfo = GetMechInfo(REP_MECHANISM);
+	/*PR_fprintf(PR_STDOUT, "Using mechanism %x.\n", REP_MECHANISM);*/
+	if(!mechInfo) {
+		PR_fprintf(PR_STDERR, "Unable to find mech %x\n",
+			REP_MECHANISM);
+		return MECH_NOT_FOUND;
+	}
+
+	if(mechInfo->op & ENCRYPT_OP) {
+		testcount++;
+		errcode = TestEncrypt(REP_MECHANISM);
+		if(errcode) return errcode;
+	}
+
+	if(mechInfo->op & SIGN_OP) {
+		testcount++;
+		errcode = TestSign(REP_MECHANISM);
+		if(errcode) return errcode;
+	}
+
+#if 0
+	if(mechInfo->op & DIGEST_OP) {
+		testcount++;
+		errcode = TestDigest(REP_MECHANISM);
+		if(errcode) return errcode;
+	}
+
+	if(mechInfo->op & HMAC_OP) {
+		testcount++;
+		errcode = TestHMAC(REP_MECHANISM);
+		if(errcode) return errcode;
+	}
+#endif
+
+	return 0;
+}
+
+/**********************************************************************
+ *
+ * I s S y m m e t r i c
+ *
+ */
+int
+IsSymmetric(CK_MECHANISM_TYPE mech)
+{
+	switch(mech) {
+	case CKM_RC2_ECB:
+	case CKM_RC2_CBC:
+	case CKM_RC2_CBC_PAD:
+	case CKM_RC4:
+	case CKM_RC5_ECB:
+	case CKM_RC5_CBC:
+	case CKM_RC5_CBC_PAD:
+	case CKM_DES_ECB:
+	case CKM_DES_CBC:
+	case CKM_DES_CBC_PAD:
+	case CKM_DES3_ECB:
+	case CKM_DES3_CBC:
+	case CKM_DES3_CBC_PAD:
+	case CKM_CAST_ECB:
+	case CKM_CAST_CBC:
+	case CKM_CAST_CBC_PAD:
+	case CKM_CAST3_ECB:
+	case CKM_CAST3_CBC:
+	case CKM_CAST3_CBC_PAD:
+	case CKM_CAST5_ECB:
+	case CKM_CAST5_CBC:
+	case CKM_CAST5_CBC_PAD:
+	case CKM_IDEA_ECB:
+	case CKM_IDEA_CBC:
+	case CKM_IDEA_CBC_PAD:
+	case CKM_CDMF_ECB:
+	case CKM_CDMF_CBC:
+	case CKM_CDMF_CBC_PAD:
+	case CKM_SKIPJACK_ECB64:
+	case CKM_SKIPJACK_CBC64:
+	case CKM_SKIPJACK_OFB64:
+	case CKM_SKIPJACK_CFB64:
+	case CKM_SKIPJACK_CFB32:
+	case CKM_SKIPJACK_CFB16:
+	case CKM_SKIPJACK_CFB8:
+	case CKM_BATON_ECB128:
+	case CKM_BATON_ECB96:
+	case CKM_BATON_CBC128:
+	case CKM_BATON_COUNTER:
+	case CKM_BATON_SHUFFLE:
+	case CKM_JUNIPER_ECB128:
+	case CKM_JUNIPER_CBC128:
+	case CKM_JUNIPER_COUNTER:
+	case CKM_JUNIPER_SHUFFLE:
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+/**********************************************************************
+ *
+ * T e s t E n c r y p t
+ *
+ */
+int
+TestEncrypt(CK_MECHANISM_TYPE mech)
+{
+
+	/*PR_fprintf(PR_STDOUT, "Inside TestEncrypt\n");*/
+	if(!PK11_DoesMechanism(slot, mech)) {
+		/* Can't test if the slot doesn't do this mechanism */
+		PR_fprintf(PR_STDERR, "Slot doesn't do this mechanism.\n");
+		return 0;
+	}
+
+	if(IsSymmetric(mech)) {
+		/*PR_fprintf(PR_STDOUT, "Is a symmetric algorithm\n");*/
+		return TestSymmetricEncrypt(mech);
+	} else {
+		/*PR_fprintf(PR_STDOUT, "Is not a symmetric algorithm\n");*/
+		return TestPKEncrypt(mech);
+	}
+
+	return 0;
+}
+
+/**********************************************************************
+ *
+ * G e n e r a t e P K P a r a m s
+ *
+ */
+void*
+GeneratePKParams(CK_MECHANISM_TYPE mech)
+{
+
+	/* FIPS preprocessor directives for DSA.                        */
+	#define FIPS_DSA_TYPE                           siBuffer
+	#define FIPS_DSA_DIGEST_LENGTH                  20  /* 160-bits */
+	#define FIPS_DSA_SUBPRIME_LENGTH                20  /* 160-bits */
+	#define FIPS_DSA_SIGNATURE_LENGTH               40  /* 320-bits */
+	#define FIPS_DSA_PRIME_LENGTH                   64  /* 512-bits */
+	#define FIPS_DSA_BASE_LENGTH                    64  /* 512-bits */
+
+
+	CK_MECHANISM_TYPE keygenMech;
+	PK11RSAGenParams *rsaparams;
+	PQGParams *dsa_pqg;
+	unsigned char *dsa_P = (unsigned char *)
+                           "\x8d\xf2\xa4\x94\x49\x22\x76\xaa"
+                           "\x3d\x25\x75\x9b\xb0\x68\x69\xcb"
+                           "\xea\xc0\xd8\x3a\xfb\x8d\x0c\xf7"
+                           "\xcb\xb8\x32\x4f\x0d\x78\x82\xe5"
+                           "\xd0\x76\x2f\xc5\xb7\x21\x0e\xaf"
+                           "\xc2\xe9\xad\xac\x32\xab\x7a\xac"
+                           "\x49\x69\x3d\xfb\xf8\x37\x24\xc2"
+                           "\xec\x07\x36\xee\x31\xc8\x02\x91";
+	unsigned char *dsa_Q = (unsigned char *)
+                           "\xc7\x73\x21\x8c\x73\x7e\xc8\xee"
+                           "\x99\x3b\x4f\x2d\xed\x30\xf4\x8e"
+                           "\xda\xce\x91\x5f";
+	unsigned char *dsa_G = (unsigned char *)
+                           "\x62\x6d\x02\x78\x39\xea\x0a\x13"
+                           "\x41\x31\x63\xa5\x5b\x4c\xb5\x00"
+                           "\x29\x9d\x55\x22\x95\x6c\xef\xcb"
+                           "\x3b\xff\x10\xf3\x99\xce\x2c\x2e"
+                           "\x71\xcb\x9d\xe5\xfa\x24\xba\xbf"
+                           "\x58\xe5\xb7\x95\x21\x92\x5c\x9c"
+                           "\xc4\x2e\x9f\x6f\x46\x4b\x08\x8c"
+                           "\xc5\x72\xaf\x53\xe6\xd7\x88\x02";
+
+
+	keygenMech = PK11_GetKeyGen(mech);
+
+	switch(keygenMech) {
+	case CKM_RSA_PKCS_KEY_PAIR_GEN:
+		rsaparams = PR_Malloc(sizeof(PK11RSAGenParams));
+		rsaparams->keySizeInBits = REP_PK_KEY_SIZE;
+		rsaparams->pe = 65537L;
+		return (void*) rsaparams;
+	case CKM_ECDSA_KEY_PAIR_GEN:
+	case CKM_DSA_KEY_PAIR_GEN:
+
+		/* Allocate PQG memory */
+		dsa_pqg = PORT_ZAlloc(sizeof(PQGParams));
+		dsa_pqg->prime.data = (unsigned char*)
+			PORT_ZAlloc(FIPS_DSA_PRIME_LENGTH);
+		dsa_pqg->subPrime.data = (unsigned char*)
+			PORT_ZAlloc(FIPS_DSA_SUBPRIME_LENGTH);
+		dsa_pqg->base.data = (unsigned char*)
+			PORT_ZAlloc(FIPS_DSA_BASE_LENGTH);
+
+		dsa_pqg->prime.type = FIPS_DSA_TYPE;
+		PORT_Memcpy(dsa_pqg->prime.data, dsa_P, FIPS_DSA_PRIME_LENGTH);
+		dsa_pqg->prime.len = FIPS_DSA_PRIME_LENGTH;
+
+		dsa_pqg->subPrime.type = FIPS_DSA_TYPE;
+		PORT_Memcpy( dsa_pqg->subPrime.data, dsa_Q,
+			FIPS_DSA_SUBPRIME_LENGTH );
+		dsa_pqg->subPrime.len = FIPS_DSA_SUBPRIME_LENGTH;
+
+		dsa_pqg->base.type = FIPS_DSA_TYPE;
+		PORT_Memcpy( dsa_pqg->base.data, dsa_G, FIPS_DSA_BASE_LENGTH );
+		dsa_pqg->base.len = FIPS_DSA_BASE_LENGTH;
+
+		return (void*) dsa_pqg;
+
+	case CKM_DH_PKCS_KEY_PAIR_GEN:
+	case CKM_KEA_KEY_PAIR_GEN:
+	default:
+		return NULL;
+	}
+	return NULL;
+}
+
+/**********************************************************************
+ *
+ * F r e e P K P a r a m s
+ *
+ */
+void
+FreePKParams(void* p, CK_MECHANISM_TYPE mech)
+{
+
+	switch(PK11_GetKeyGen(mech)) {
+	case CKM_RSA_PKCS_KEY_PAIR_GEN:
+		PR_Free( (PK11RSAGenParams*)p);
+		break;
+	case CKM_ECDSA_KEY_PAIR_GEN:
+	case CKM_DSA_KEY_PAIR_GEN:
+		PR_Free( (PQGParams*)p);
+		break;
+	}
+}
+
+
+/**********************************************************************
+ *
+ * T e s t P K E n c r y p t
+ *
+ */
+int
+TestPKEncrypt(CK_MECHANISM_TYPE mech)
+{
+	PK11SlotInfo *internal;
+	SECStatus status;
+	int errcode;
+	SECItem *kgparams;
+	SECKEYPublicKey *pubk=NULL;
+	SECKEYPrivateKey *refPrivk=NULL, *testPrivk=NULL;
+	PK11SymKey *refSymKey=NULL, *testSymKey=NULL, *recoveredSymKey=NULL;
+	SECItem refWrappedKey, testWrappedKey;
+	SECItem *refSymkeyData=NULL, *testSymkeyData=NULL;
+	SECItem wrapParams;
+	int testSymKeySize;
+    CK_ATTRIBUTE_TYPE usages[] = { CKA_UNWRAP };
+    int usageCount = 1;
+
+	wrapParams.data = "aaaaaaaa";
+	wrapParams.len = 8;
+
+	refWrappedKey.len = 1024;
+	refWrappedKey.data = PR_Malloc(1024);
+	testWrappedKey.len = 1024;
+	testWrappedKey.data = PR_Malloc(1024);
+
+	internal = PK11_GetInternalSlot();
+
+	/* Generate keygen parameter */
+	kgparams = GeneratePKParams(mech);
+	if(!kgparams) {
+		errcode = PARAM_GEN_FAILED;
+		goto loser;
+	}
+
+    /*
+     * Generate the keypair, either on the target module or on the internal
+     * module.
+     */
+	if(REP_KEYGEN_ON_TARGET) {
+		refPrivk = PK11_GenerateKeyPair(slot, PK11_GetKeyGen(mech),
+			kgparams, &pubk,
+			(slot==internal) ? PR_FALSE : PR_TRUE /*isPerm*/,
+			PR_FALSE /*isSensitive*/,
+			NULL/*wincx*/);
+	} else {
+		refPrivk = PK11_GenerateKeyPair(internal, PK11_GetKeyGen(mech),
+			kgparams, &pubk,
+			PR_FALSE/*isPerm*/, PR_FALSE /*isSensitive*/,
+			NULL/*wincx*/);
+	}
+	if(!refPrivk) {
+		secerror = PORT_GetError();
+		errcode = KEY_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+	 * Generate symmetric key, either on the target module or on the internal
+     * module.
+	 */
+	if(REP_KEYGEN_ON_TARGET) {
+		refSymKey = PK11_KeyGen(slot, CKM_DES_CBC_PAD, NULL,
+			REP_SYMKEY_SIZE, NULL);
+	} else {
+		refSymKey = PK11_KeyGen(internal, CKM_DES_CBC_PAD, NULL,
+			REP_SYMKEY_SIZE, NULL);
+	}
+	if(!refSymKey) {
+		secerror = PORT_GetError();
+		errcode = KEY_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+     * If we generated the keys on the internal module, we have to
+     * transfer them from the internal module to the target module, unless
+     * the target module is the internal module.
+	 */
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET) {
+		SECItem empty;
+		SECItem label;
+		empty.len=0;
+		empty.data=NULL;
+		label.data = "foobar";
+		label.len = 6;
+
+		/* Copy the symmetric key to the target token*/
+		testSymKey = pk11_CopyToSlot(slot,
+					     CKM_DES_CBC_PAD,
+					     CKA_UNWRAP,
+					     refSymKey);
+		if(testSymKey==NULL) {
+			secerror = PORT_GetError();
+			errcode = KEY_COPY_FAILED;
+			goto loser;
+		}
+
+		/* Copy the private key to the target token */
+		status = PK11_WrapPrivKey(internal,
+					  refSymKey,
+					  refPrivk,
+					  CKM_DES_CBC_PAD,
+					  &wrapParams,
+					  &refWrappedKey,
+					  NULL /*wincx*/);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = WRAP_PRIVKEY_FAILED;
+			goto loser;
+		}
+
+		testPrivk = PK11_UnwrapPrivKey(slot,
+						 testSymKey,
+						 CKM_DES_CBC_PAD,
+						 &wrapParams,
+						 &refWrappedKey,
+						 &label /*label*/,
+						 &empty /*ID Value*/,
+						 PR_TRUE /*perm*/,
+						 PR_TRUE /*sensitive*/,
+                         PK11_GetKeyType(mech, 0),
+                         usages, usageCount,
+						 NULL /*wincx*/);
+		if(testPrivk==NULL) {
+			secerror = PORT_GetError();
+			errcode = UNWRAP_PRIVKEY_FAILED;
+			goto loser;
+		}
+	} else {
+		testPrivk=refPrivk; refPrivk = NULL;
+		testSymKey=refSymKey; refSymKey = NULL;
+	}
+
+	/* Wrap the symmetric key with the public key */
+    /* !!! Which mech do we use here, the symmetric or the PK? */
+	status = PK11_PubWrapSymKey(mech, pubk, testSymKey, &testWrappedKey);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = WRAP_SYMKEY_FAILED;
+		goto loser;
+	}
+	testSymKeySize = PK11_GetKeyLength(testSymKey);
+
+	/*
+	 * Unless we are testing the internal slot, do the same wrap operation
+	 * on the internal slot and compare with the wrap done on the module
+	 * under test.  If we did the keygen on the target module, we don't
+     * have the keys on the internal module so we can't compare.
+	 */
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET) {
+		status = PK11_PubWrapSymKey(mech, pubk, refSymKey,
+				&refWrappedKey);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = WRAP_SYMKEY_FAILED;
+			goto loser;
+		}
+
+		if( (testWrappedKey.len != refWrappedKey.len) ||
+		    memcmp(testWrappedKey.data, refWrappedKey.data, 
+			testWrappedKey.len) ) {
+			/* Wrapped Keys don't match */
+			/* !!! There's random data in these encryptions, so they'll never
+             * match. */
+			/*errcode = RESULTS_DONT_MATCH;*/
+			/*goto loser;*/
+		}
+	}
+
+	/* Get the data of the symmetric key */
+    /* Extracting the key value may not work, depending on the token.  If
+     * it doesn't work, we won't be able to do the comparison later */
+    PK11_ExtractKeyValue(testSymKey);
+	testSymkeyData = PK11_GetKeyData(testSymKey);
+    if(testSymkeyData->data == NULL) {
+        /* couldn't extract key data */
+        testSymkeyData = NULL;
+    } else {
+	    testSymkeyData = SECITEM_DupItem(testSymkeyData);
+    }
+
+	/* Destroy the symmetric key everywhere */
+	if(refSymKey) {
+		PK11_FreeSymKey(refSymKey); refSymKey = NULL;
+	}
+	if(testSymKey) {
+		PK11_FreeSymKey(testSymKey); testSymKey = NULL;
+	}
+
+	/*
+	 * Unwrap the key and make sure we get the same thing back. Can only
+     * do this if we were able to get the key data from the test token.
+	 */
+    if(testSymkeyData != NULL) {
+	    refSymKey = PK11_PubUnwrapSymKey(testPrivk, &testWrappedKey,
+			    CKM_DES_CBC_PAD, CKA_WRAP, testSymKeySize);
+	    if(refSymKey==NULL) {
+		    secerror = PORT_GetError();
+		    errcode = UNWRAP_SYMKEY_FAILED;
+		    goto loser;
+	    }
+        /* We should always be able to get the key data from the internal
+         * module */
+		PK11_ExtractKeyValue(refSymKey);
+	    refSymkeyData = PK11_GetKeyData(refSymKey);
+        PR_ASSERT(refSymkeyData!=NULL && refSymkeyData->data!=NULL);
+        PR_ASSERT(testSymkeyData!=NULL && testSymkeyData->data!=NULL);
+	    if(SECITEM_CompareItem(refSymkeyData, testSymkeyData) != SECEqual) {
+		    errcode = UNWRAPPED_KEY_DOESNT_MATCH;
+		    goto loser;
+	    }
+    }
+
+#ifdef DEBUG
+	PR_fprintf(PR_STDOUT, "Successfully finished TestPKEncrypt!\n");
+#endif
+
+	errcode = 0;
+
+loser:
+	if(refPrivk) {
+		SECKEY_DestroyPrivateKey(refPrivk);
+	}
+	SECITEM_FreeItem(&refWrappedKey, PR_FALSE);
+	SECITEM_FreeItem(&testWrappedKey, PR_FALSE);
+	if(refSymkeyData) {
+		/* do nothing, it's a copy */
+	}
+	if(testSymkeyData) {
+		SECITEM_FreeItem(testSymkeyData, PR_TRUE);
+	}
+	if(pubk) {
+		SECKEY_DestroyPublicKey(pubk);
+	}
+	if(testPrivk) {
+		SECKEY_DestroyPrivateKey(testPrivk);
+	}
+	if(refSymKey) {
+		PK11_FreeSymKey(refSymKey);
+	} 
+	if(testSymKey) {
+		PK11_FreeSymKey(testSymKey);
+	}
+	if(recoveredSymKey) {
+		PK11_FreeSymKey(recoveredSymKey);
+	}
+	return errcode;
+	
+
+}
+
+/**********************************************************************
+ *
+ * T e s t S y m m e t r i c E n c r y p t
+ *
+ */
+int
+TestSymmetricEncrypt(CK_MECHANISM_TYPE mech)
+{
+	PK11Context *refcontext=NULL, *testcontext=NULL;
+	PK11SlotInfo *internal;
+	SECStatus status;
+	PK11SymKey* intkey=NULL, *extkey=NULL;
+	int errcode;
+	unsigned char *ptext=NULL;
+	int maxclen = REP_PLAINTEXT_LEN + 128;
+	unsigned char *refctext=NULL, *testctext=NULL;
+	int refclen, testclen;
+	unsigned char *recovered=NULL;
+	int reclen;
+	SECItem iv, *param=NULL;
+
+	internal = PK11_GetInternalSlot();
+
+	ptext = PR_Malloc(REP_PLAINTEXT_LEN);
+	refctext = PR_Malloc(maxclen);
+	testctext = PR_Malloc(maxclen);
+	recovered = PR_Malloc(maxclen);
+
+    /* Generate random plaintext */
+	status = RNG_GenerateGlobalRandomBytes(ptext, REP_PLAINTEXT_LEN);
+	if(status != SECSuccess) {
+		errcode = INTERNAL_RNG_FAILED;
+		goto loser;
+	}
+
+	/* Generate mechanism parameter */
+	iv.len = 8;
+	iv.data = "aaaaaaaa"; /* !!! does this need to be random? Maybe a
+                            * replacer variable ? */
+	param = PK11_ParamFromIV(mech, &iv);
+	if(!param) {
+		errcode = PARAM_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+     * Generate the key, either on the target module or the internal module.
+	 */
+	if(REP_KEYGEN_ON_TARGET) {
+		intkey = PK11_KeyGen(slot, mech, NULL, REP_SYMKEY_SIZE,
+			NULL);
+	} else {
+		intkey = PK11_KeyGen(internal, mech, NULL, REP_SYMKEY_SIZE,
+			NULL);
+	}
+	if(!intkey) {
+		secerror = PORT_GetError();
+		errcode = KEY_GEN_FAILED;
+		goto loser;
+	}
+
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET) {
+		/* Copy the key to the target token if it isn't there already */
+		extkey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, intkey);
+		if(!extkey) {
+			secerror = PORT_GetError();
+			errcode = KEY_COPY_FAILED;
+			goto loser;
+		}
+	} else {
+		extkey = intkey;
+		intkey = NULL;
+	}
+
+	/* Create an encryption context */
+	testcontext = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, extkey,
+						param);
+	if(!testcontext) {
+		secerror = PORT_GetError();
+		errcode = CREATE_CONTEXT_FAILED;
+		goto loser;
+	}
+
+	/* Do the encryption */
+	status = PK11_CipherOp(testcontext, testctext, &testclen,
+				maxclen, ptext, REP_PLAINTEXT_LEN);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = CIPHER_OP_FAILED;
+		goto loser;
+	}
+	status = PK11_Finalize(testcontext);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = FINALIZE_FAILED;
+		goto loser;
+	}
+
+	/* Free the encryption context */
+	PK11_DestroyContext(testcontext, PR_TRUE /*freeit*/);
+	testcontext = NULL;
+
+	/* Make sure the encryption did something */
+	if(!memcmp(ptext, testctext,
+		REP_PLAINTEXT_LEN > testclen ? testclen : REP_PLAINTEXT_LEN)) {
+		errcode = ENCRYPTION_IS_NOOP;
+		goto loser;
+	}
+
+    /*
+	 * Now do everything on the internal module and compare the results. 
+     * If the key was generated on the target module, it doesn't exist on
+     * the internal module so we can't compare.
+     */
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET) {
+		/* Create encryption context */
+		refcontext = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT,
+			intkey, param);
+		if(!refcontext) {
+			secerror = PORT_GetError();
+			errcode = CREATE_CONTEXT_FAILED;
+			goto loser;
+		}
+
+		/* Perform the encryption */
+		status = PK11_CipherOp(refcontext, refctext, &refclen,
+				maxclen, ptext, REP_PLAINTEXT_LEN);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = CIPHER_OP_FAILED;
+			goto loser;
+		}
+		status = PK11_Finalize(refcontext);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = FINALIZE_FAILED;
+			goto loser;
+		}
+
+		/* Free the context */
+		PK11_DestroyContext(refcontext, PR_TRUE /*freeit*/);
+		refcontext = NULL;
+
+
+		/* Compare the ciphertext from the target module and the
+		 * internal module
+		 */
+		if( (testclen != refclen) ||
+		  (memcmp(testctext, refctext, testclen)) ) {
+			errcode = RESULTS_DONT_MATCH;
+			goto loser;
+		}
+	}
+
+	/*
+	 * Decrypt the ciphertext and make sure we get back the original
+	 * ptext
+	 */
+
+	/* Create the decryption context */
+	testcontext = PK11_CreateContextBySymKey(mech, CKA_DECRYPT, extkey,
+				param);
+	if(!testcontext) {
+		secerror = PORT_GetError();
+		errcode = CREATE_CONTEXT_FAILED;
+		goto loser;
+	}
+
+	/* Do the decryption */
+	status = PK11_CipherOp(testcontext, recovered, &reclen,
+				maxclen, testctext, testclen);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = CIPHER_OP_FAILED;
+		goto loser;
+	}
+	status = PK11_Finalize(testcontext);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = FINALIZE_FAILED;
+		goto loser;
+	}
+
+
+	/* Free the encryption context */
+	PK11_DestroyContext(testcontext, PR_TRUE /*freeit*/);
+	testcontext = NULL;
+
+
+	/* Compare the recovered text to the plaintext */
+	if( (reclen != REP_PLAINTEXT_LEN) || 
+		(memcmp(recovered, ptext, reclen)) ) {
+			errcode = PLAINTEXT_DOESNT_MATCH;
+			goto loser;
+	}
+	
+
+#ifdef DEBUG
+	PR_fprintf(PR_STDOUT, "Successfully finished TestSymmetricEncrypt!\n");
+#endif
+
+	errcode = 0;
+
+loser:
+	if(ptext) {
+		PR_Free(ptext); ptext = NULL;
+	}
+	if(refctext) {
+		PR_Free(refctext); refctext = NULL;
+	}
+	if(testctext) {
+		PR_Free(testctext); testctext = NULL;
+	}
+	if(intkey) {
+		PK11_FreeSymKey(intkey); intkey = NULL;
+	}
+	if(extkey) {
+		PK11_FreeSymKey(extkey); extkey = NULL;
+	}
+	if(testcontext) {
+		PK11_DestroyContext(testcontext, PR_TRUE /*freeit*/);
+	}
+	if(refcontext) {
+		PK11_DestroyContext(refcontext, PR_TRUE /*freeit*/);
+	}
+	if(param) {
+		SECITEM_FreeItem(param, PR_TRUE);
+		param = NULL;
+	}
+	if(recovered) {
+		PR_Free(recovered); recovered = NULL;
+	}
+	return errcode;
+}
+
+/**********************************************************************
+ *
+ * T e s t S i g n
+ *
+ */
+int
+TestSign(CK_MECHANISM_TYPE mech)
+{
+	PK11SlotInfo *internal;
+	SECStatus status;
+	int errcode;
+	SECItem *kgparams;
+	SECKEYPublicKey *pubk=NULL;
+	SECKEYPrivateKey *refPrivk=NULL, *testPrivk=NULL;
+	PK11SymKey *refSymKey=NULL, *testSymKey=NULL, *recoveredSymKey=NULL;
+	SECItem refWrappedKey, testWrappedKey;
+	SECItem ptext, refSignature, testSignature;
+	SECItem wrapParam;
+    CK_ATTRIBUTE_TYPE usages[] = { CKA_SIGN };
+    int usageCount = 1;
+
+	refWrappedKey.len = 1024;
+	refWrappedKey.data = PR_Malloc(1024);
+	testWrappedKey.len = 1024;
+	testWrappedKey.data = PR_Malloc(1024);
+	refSignature.len = 1024;
+	refSignature.data = PR_Malloc(1024);
+	testSignature.len = 1024;
+	testSignature.data = PR_Malloc(1024);
+	wrapParam.data = "aaaaaaaa";
+	wrapParam.len = 8;
+
+	internal = PK11_GetInternalSlot();
+
+	/* Generate random ptext */
+	ptext.data = PR_Malloc(20);
+	ptext.len = 20;
+	status = RNG_GenerateGlobalRandomBytes(ptext.data, 8);
+	if(status != SECSuccess) {
+		errcode = INTERNAL_RNG_FAILED;
+		goto loser;
+	}
+
+	/* Generate keygen parameter */
+	kgparams = GeneratePKParams(mech);
+	if(!kgparams) {
+		errcode = PARAM_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+     * Generate the keypair, on the target module or the internal module.
+	 */
+	if(REP_KEYGEN_ON_TARGET) {
+		refPrivk = PK11_GenerateKeyPair(slot, PK11_GetKeyGen(mech),
+			kgparams, &pubk, (slot==internal) ? PR_FALSE :
+			PR_TRUE /*isPerm*/,
+			PR_FALSE /*isSensitive*/, NULL/*wincx*/);
+	} else {
+		refPrivk = PK11_GenerateKeyPair(internal, PK11_GetKeyGen(mech),
+			kgparams, &pubk, PR_FALSE /*isPerm*/,
+			PR_FALSE /*isSensitive*/, NULL/*wincx*/);
+	}
+	if(!refPrivk) {
+		secerror = PORT_GetError();
+		errcode = KEY_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+	 * Generate symmetric key, on the target module or the internal module.
+	 */
+	if(REP_KEYGEN_ON_TARGET) {
+		refSymKey = PK11_KeyGen(slot, CKM_DES_CBC_PAD, NULL,
+			REP_SYMKEY_SIZE, NULL);
+	} else {
+		refSymKey = PK11_KeyGen(internal, CKM_DES_CBC_PAD, NULL,
+			REP_SYMKEY_SIZE, NULL);
+	}
+	if(!refSymKey) {
+		secerror = PORT_GetError();
+		errcode = KEY_GEN_FAILED;
+		goto loser;
+	}
+
+	/*
+     * If the key was generated on the internal module, copy it to the
+     * target module, unless the target module is the internal module.
+	 */
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET) {
+		SECItem empty;
+		SECItem label;
+		SECItem *pubValue;
+		empty.len=0;
+		empty.data=NULL;
+		label.len=6;
+		label.data = "foobar";
+
+		/* Copy the symmetric key to the target token*/
+		testSymKey = pk11_CopyToSlot(slot,
+					     CKM_DES_CBC_PAD,
+					     CKA_WRAP,
+					     refSymKey);
+		if(testSymKey==NULL) {
+			secerror = PORT_GetError();
+			errcode = KEY_COPY_FAILED;
+			goto loser;
+		}
+
+		/* Copy the private key to the target token */
+		status = PK11_WrapPrivKey(internal,
+					  refSymKey,
+					  refPrivk,
+					  CKM_DES_CBC_PAD,
+					  &wrapParam,
+					  &refWrappedKey,
+					  NULL /*wincx*/);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = WRAP_PRIVKEY_FAILED;
+			goto loser;
+		}
+
+		switch(pubk->keyType) {
+		case dsaKey:
+			pubValue = SECITEM_DupItem(&pubk->u.dsa.publicValue);
+			break;
+		case rsaKey:
+			pubValue = SECITEM_DupItem(&pubk->u.rsa.modulus);
+			break;
+		default:
+			pubValue = NULL;
+		}
+		testPrivk = PK11_UnwrapPrivKey(slot,
+						 testSymKey,
+						 CKM_DES_CBC_PAD,
+						 &wrapParam,
+						 &refWrappedKey,
+						 &label /*label*/,
+						 pubValue /*ID Value*/,
+						 PR_TRUE /*perm*/,
+						 PR_TRUE /*sensitive*/,
+                         PK11_GetKeyType(mech, 0),
+                         usages, usageCount,
+						 NULL /*wincx*/);
+		if(pubValue) {
+			SECITEM_FreeItem(pubValue, PR_TRUE);
+			pubValue = NULL;
+		}
+		if(testPrivk==NULL) {
+			secerror = PORT_GetError();
+			errcode = UNWRAP_PRIVKEY_FAILED;
+			goto loser;
+		}
+	} else {
+		testPrivk=refPrivk; refPrivk = NULL;
+		testSymKey=refSymKey; refSymKey = NULL;
+	}
+
+	/* Sign the data with the private key */
+	status = PK11_Sign(testPrivk, &testSignature, &ptext);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = SIGNATURE_FAILED;
+		goto loser;
+	}
+
+	/*
+	 * Unless we are testing the internal slot, do the same wrap operation
+	 * on the internal slot and compare with the signature done on the
+	 * module under test
+	 * Also, DSA signatures contain random data, so comparing them
+	 * is useless (I suppose if they are the same something is wrong!).
+	 */
+	if( (slot != internal) && !REP_KEYGEN_ON_TARGET
+		&& mech != CKM_DSA && mech != CKM_DSA_SHA1) {
+		status = PK11_Sign(refPrivk, &refSignature, &ptext);
+		if(status != SECSuccess) {
+			secerror = PORT_GetError();
+			errcode = SIGNATURE_FAILED;
+			goto loser;
+		}
+
+		if( SECITEM_CompareItem(&refSignature, &testSignature)
+			!=  SECEqual) {
+			errcode = RESULTS_DONT_MATCH;
+			goto loser;
+		}
+	}
+
+
+	/*
+	 * Verify the signature.
+	 */
+	status = PK11_Verify(pubk, &testSignature, &ptext, NULL /*wincx*/);
+	if(status != SECSuccess) {
+		secerror = PORT_GetError();
+		errcode = SIGNATURE_DOESNT_VERIFY;
+		goto loser;
+	}
+
+
+#ifdef DEBUG
+	PR_fprintf(PR_STDOUT, "Successfully finished TestSign!\n");
+#endif
+
+	errcode = 0;
+
+loser:
+	SECITEM_FreeItem(&refWrappedKey, PR_FALSE);
+	SECITEM_FreeItem(&testWrappedKey, PR_FALSE);
+	SECITEM_FreeItem(&ptext, PR_FALSE);
+	SECITEM_FreeItem(&refSignature, PR_FALSE);
+	SECITEM_FreeItem(&testSignature, PR_FALSE);
+	if(refPrivk) {
+		SECKEY_DestroyPrivateKey(refPrivk);
+	}
+	if(pubk) {
+		SECKEY_DestroyPublicKey(pubk);
+	}
+	if(testPrivk) {
+		SECKEY_DestroyPrivateKey(testPrivk);
+	}
+	if(refSymKey) {
+		PK11_FreeSymKey(refSymKey);
+	} 
+	if(testSymKey) {
+		PK11_FreeSymKey(testSymKey);
+	}
+	if(recoveredSymKey) {
+		PK11_FreeSymKey(recoveredSymKey);
+	}
+	return errcode;
+	
+
+}
+
+/**********************************************************************
+ *
+ * T e s t D i g e s t
+ *
+ */
+int
+TestDigest(CK_MECHANISM_TYPE mech)
+{
+	return 0;
+}
+
+/**********************************************************************
+ *
+ * T e s t H M A C
+ *
+ */
+int
+TestHMAC(CK_MECHANISM_TYPE mech)
+{
+	return 0;
+}
+
+/**********************************************************************
+ *
+ * G e t M e c h I n f o
+ *
+ */
+MechInfo*
+GetMechInfo(CK_MECHANISM_TYPE type)
+{
+	/* mechInfo array is sorted by type, so we can do a binary search
+	   l is the left-most possible matching index
+	   r is the rightmost possible matching index
+	   mid is approximately the middle point between l and r */
+	int l, r, mid;
+
+	l = 0; r = numMechs-1;
+
+	while(l <= r) {
+		mid = (l+r)/2;
+		if(mechInfo[mid].type == type) {
+			return &(mechInfo[mid]);
+		} else if(mechInfo[mid].type < type) {
+			l = mid+1;
+		} else {
+			r = mid-1;
+		}
+	}
+
+	/* If l > r, the pointers have crossed without finding the element. */
+	return NULL;
+}
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.h b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.h
new file mode 100755
index 000000000..87b026d1f
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.h
@@ -0,0 +1,114 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef PK11TEST_H
+#define PK11TEST_H
+
+#define REP_SYMKEY_MECHANISM CKM_DES_KEY_GEN
+
+/* symmetric key size in bytes */
+#define REP_SYMKEY_SIZE 8
+
+#define REP_PK_KEY_SIZE 1024
+#define REP_PLAINTEXT_LEN 8
+#define REP_MECHANISM mechanism[testId/2/2%46]
+#define REP_USE_CORRECT_PIN UseCorrectPin[testId%2]
+#define REP_KEYGEN_ON_TARGET KeyGenOnTarget[testId/2%2]
+#define CKM_NO_OP 0x80001111
+
+int testId = 0;
+
+PRBool UseCorrectPin[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool KeyGenOnTarget[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+CK_MECHANISM_TYPE mechanism[] = {
+	CKM_NO_OP,
+	CKM_RSA_PKCS,
+	CKM_RSA_9796,
+	CKM_RSA_X_509,
+	CKM_MD2_RSA_PKCS,
+	CKM_MD5_RSA_PKCS,
+	CKM_SHA1_RSA_PKCS,
+	CKM_DSA,
+	CKM_DSA_SHA1,
+	CKM_ECDSA,
+	CKM_ECDSA_SHA1,
+	CKM_RC2_ECB,
+	CKM_RC2_CBC,
+	CKM_RC4,
+	CKM_RC5_ECB,
+	CKM_RC5_CBC,
+	CKM_DES_ECB,
+	CKM_DES_CBC,
+	CKM_DES3_ECB,
+	CKM_DES3_CBC,
+	CKM_CAST_ECB,
+	CKM_CAST_CBC,
+	CKM_CAST3_ECB,
+	CKM_CAST3_CBC,
+	CKM_CAST5_ECB,
+	CKM_CAST5_CBC,
+	CKM_IDEA_ECB,
+	CKM_IDEA_CBC,
+	CKM_CDMF_ECB,
+	CKM_CDMF_CBC,
+	CKM_SKIPJACK_ECB64,
+	CKM_SKIPJACK_CBC64,
+	CKM_SKIPJACK_OFB64,
+	CKM_SKIPJACK_CFB64,
+	CKM_SKIPJACK_CFB32,
+	CKM_SKIPJACK_CFB16,
+	CKM_SKIPJACK_CFB8,
+	CKM_BATON_ECB128,
+	CKM_BATON_ECB96,
+	CKM_BATON_CBC128,
+	CKM_BATON_COUNTER,
+	CKM_BATON_SHUFFLE,
+	CKM_JUNIPER_ECB128,
+	CKM_JUNIPER_CBC128,
+	CKM_JUNIPER_COUNTER,
+	CKM_JUNIPER_SHUFFLE
+};
+
+
+
+#endif
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.htp b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.htp
new file mode 100644
index 000000000..46e8a603e
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pk11test.htp
@@ -0,0 +1,53 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef PK11TEST_H
+#define PK11TEST_H
+
+#define REP_SYMKEY_MECHANISM CKM_DES_KEY_GEN
+
+/* symmetric key size in bytes */
+#define REP_SYMKEY_SIZE 8
+
+#define REP_PK_KEY_SIZE 1024
+#define REP_PLAINTEXT_LEN 8
+#define REP_MECHANISM $[mechanism]
+#define REP_USE_CORRECT_PIN $[UseCorrectPin]
+#define REP_KEYGEN_ON_TARGET $[KeyGenOnTarget]
+#define CKM_NO_OP 0x80001111
+
+$[DATA-TO-TEST]
+
+#endif
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.h b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.h
new file mode 100644
index 000000000..68e0d2f29
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.h
@@ -0,0 +1,193 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef PKCS11_H
+#define PKCS11_H
+
+#define NULL_OP		0x00
+#define ENCRYPT_OP	0x01
+#define SIGN_OP		0x02
+#define KEYGEN_OP	0x04
+#define DIGEST_OP	0x08
+#define HMAC_OP		0x10
+
+typedef struct {
+	CK_MECHANISM_TYPE	type;
+	int			op;
+	CK_MECHANISM_TYPE	keygenMech;
+} MechInfo;
+
+static int numMechs=118;
+static MechInfo mechInfo[] = {
+	{CKM_RSA_PKCS_KEY_PAIR_GEN,
+				KEYGEN_OP,	CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_RSA_PKCS,		ENCRYPT_OP | SIGN_OP,
+						CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_RSA_9796,		SIGN_OP,	CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_RSA_X_509,		ENCRYPT_OP | SIGN_OP,
+						CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_MD2_RSA_PKCS,	SIGN_OP,	CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_MD5_RSA_PKCS,	SIGN_OP,	CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_SHA1_RSA_PKCS,	SIGN_OP,	CKM_RSA_PKCS_KEY_PAIR_GEN},
+	{CKM_DSA_KEY_PAIR_GEN,	KEYGEN_OP,	CKM_DSA_KEY_PAIR_GEN},
+	{CKM_DSA,		SIGN_OP,	CKM_DSA_KEY_PAIR_GEN},
+	{CKM_DSA_SHA1,		SIGN_OP,	CKM_DSA_KEY_PAIR_GEN},
+	{CKM_DH_PKCS_KEY_PAIR_GEN,
+				KEYGEN_OP,	CKM_DH_PKCS_KEY_PAIR_GEN},
+	{CKM_DH_PKCS_DERIVE,	NULL_OP,	0},
+	{CKM_RC2_KEY_GEN,	KEYGEN_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC2_ECB,		ENCRYPT_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC2_CBC,		ENCRYPT_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC2_MAC,		NULL_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC2_MAC_GENERAL,	NULL_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC2_CBC_PAD,	NULL_OP,	CKM_RC2_KEY_GEN},
+	{CKM_RC4_KEY_GEN,	KEYGEN_OP,	CKM_RC4_KEY_GEN},
+	{CKM_RC4,		ENCRYPT_OP,	CKM_RC4_KEY_GEN},
+	{CKM_DES_KEY_GEN,	KEYGEN_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES_ECB,		ENCRYPT_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES_CBC,		ENCRYPT_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES_MAC,		NULL_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES_MAC_GENERAL,	NULL_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES_CBC_PAD,	NULL_OP,	CKM_DES_KEY_GEN},
+	{CKM_DES2_KEY_GEN,	KEYGEN_OP,	CKM_DES2_KEY_GEN},
+	{CKM_DES3_KEY_GEN,	KEYGEN_OP,	CKM_DES3_KEY_GEN},
+	{CKM_DES3_ECB,		ENCRYPT_OP,	CKM_DES3_KEY_GEN},
+	{CKM_DES3_CBC,		ENCRYPT_OP,	CKM_DES3_KEY_GEN},
+	{CKM_DES3_MAC,		NULL_OP,	CKM_DES3_KEY_GEN},
+	{CKM_DES3_MAC_GENERAL,	NULL_OP,	CKM_DES3_KEY_GEN},
+	{CKM_DES3_CBC_PAD,	NULL_OP,	CKM_DES3_KEY_GEN},
+	{CKM_CDMF_KEY_GEN,	KEYGEN_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_CDMF_ECB,		ENCRYPT_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_CDMF_CBC,		ENCRYPT_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_CDMF_MAC,		NULL_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_CDMF_MAC_GENERAL,	NULL_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_CDMF_CBC_PAD,	NULL_OP,	CKM_CDMF_KEY_GEN},
+	{CKM_MD2,		DIGEST_OP,	0},
+	{CKM_MD2_HMAC,		HMAC_OP,	0},
+	{CKM_MD2_HMAC_GENERAL,	HMAC_OP,	0},
+	{CKM_MD5,		DIGEST_OP,	0},
+	{CKM_MD5_HMAC,		HMAC_OP,	0},
+	{CKM_MD5_HMAC_GENERAL,	HMAC_OP,	0},
+	{CKM_SHA_1,		DIGEST_OP,	0},
+	{CKM_SHA_1_HMAC,	HMAC_OP,	0},
+	{CKM_SHA_1_HMAC_GENERAL,HMAC_OP,	0},
+	{CKM_CAST_KEY_GEN,	KEYGEN_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST_ECB,		ENCRYPT_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST_CBC,		ENCRYPT_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST_MAC,		NULL_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST_MAC_GENERAL,	NULL_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST_CBC_PAD,	NULL_OP,	CKM_CAST_KEY_GEN},
+	{CKM_CAST3_KEY_GEN,	KEYGEN_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST3_ECB,		ENCRYPT_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST3_CBC,		ENCRYPT_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST3_MAC,		NULL_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST3_MAC_GENERAL,	NULL_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST3_CBC_PAD,	NULL_OP,	CKM_CAST3_KEY_GEN},
+	{CKM_CAST5_KEY_GEN,	KEYGEN_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_CAST5_ECB,		ENCRYPT_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_CAST5_CBC,		ENCRYPT_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_CAST5_MAC,		NULL_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_CAST5_MAC_GENERAL,	NULL_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_CAST5_CBC_PAD,	NULL_OP,	CKM_CAST5_KEY_GEN},
+	{CKM_RC5_KEY_GEN,	KEYGEN_OP,	CKM_RC5_KEY_GEN},
+	{CKM_RC5_ECB,		ENCRYPT_OP,	CKM_RC5_KEY_GEN},
+	{CKM_RC5_CBC,		ENCRYPT_OP,	CKM_RC5_KEY_GEN},
+	{CKM_RC5_MAC,		NULL_OP,	CKM_RC5_KEY_GEN},
+	{CKM_RC5_MAC_GENERAL,	NULL_OP,	CKM_RC5_KEY_GEN},
+	{CKM_RC5_CBC_PAD,	NULL_OP,	CKM_RC5_KEY_GEN},
+	{CKM_IDEA_KEY_GEN,	KEYGEN_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_IDEA_ECB,		ENCRYPT_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_IDEA_CBC,		ENCRYPT_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_IDEA_MAC,		NULL_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_IDEA_MAC_GENERAL,	NULL_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_IDEA_CBC_PAD,	NULL_OP,	CKM_IDEA_KEY_GEN},
+	{CKM_GENERIC_SECRET_KEY_GEN,
+				KEYGEN_OP,	CKM_GENERIC_SECRET_KEY_GEN},
+/* SSL mechanisms?
+	{CKM_SSL3_PRE_MASTER_KEY_GEN},
+	{CKM_SSL3_MASTER_KEY_DERIVE},
+	{CKM_SSL3_KEY_AND_MAC_DERIVE},
+	{CKM_SSL3_MD5_MAC},
+	{CKM_SSL3_SHA1_MAC},
+*/
+	{CKM_PBE_MD2_DES_CBC,	KEYGEN_OP,	0},
+	{CKM_PBE_MD5_DES_CBC,	KEYGEN_OP,	0},
+	{CKM_PBE_MD5_CAST_CBC,	KEYGEN_OP,	0},
+	{CKM_PBE_MD5_CAST3_CBC,	KEYGEN_OP,	0},
+	{CKM_PBE_MD5_CAST5_CBC,	KEYGEN_OP,	0},
+	{CKM_PBE_MD5_CAST128_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_CAST5_CBC,KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_CAST128_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_RC4_128,	KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_RC4_40,	KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_DES3_EDE_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_DES2_EDE_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_RC2_128_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBE_SHA1_RC2_40_CBC,
+				KEYGEN_OP,	0},
+	{CKM_PBA_SHA1_WITH_SHA1_HMAC,
+				KEYGEN_OP,	0},
+	{CKM_SKIPJACK_KEY_GEN,	KEYGEN_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_ECB64,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_CBC64,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_OFB64,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_CFB64,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_CFB32,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_CFB16,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_SKIPJACK_CFB8,	ENCRYPT_OP,	CKM_SKIPJACK_KEY_GEN},
+	{CKM_KEA_KEY_PAIR_GEN,	KEYGEN_OP,	0},
+	{CKM_BATON_KEY_GEN,	KEYGEN_OP,	CKM_BATON_KEY_GEN},
+	{CKM_BATON_ECB128,	ENCRYPT_OP,	CKM_BATON_KEY_GEN},
+	{CKM_BATON_ECB96,	ENCRYPT_OP,	CKM_BATON_KEY_GEN},
+	{CKM_BATON_CBC128,	ENCRYPT_OP,	CKM_BATON_KEY_GEN},
+	{CKM_BATON_COUNTER,	ENCRYPT_OP,	CKM_BATON_KEY_GEN},
+	{CKM_BATON_SHUFFLE,	ENCRYPT_OP,	CKM_BATON_KEY_GEN},
+	{CKM_ECDSA_KEY_PAIR_GEN,KEYGEN_OP,	CKM_ECDSA_KEY_PAIR_GEN},
+	{CKM_ECDSA,		SIGN_OP,	CKM_ECDSA_KEY_PAIR_GEN},
+	{CKM_ECDSA_SHA1,	SIGN_OP,	CKM_ECDSA_KEY_PAIR_GEN},
+	{CKM_JUNIPER_KEY_GEN,	KEYGEN_OP,	CKM_JUNIPER_KEY_GEN},
+	{CKM_JUNIPER_ECB128,	ENCRYPT_OP,	CKM_JUNIPER_KEY_GEN},
+	{CKM_JUNIPER_CBC128,	ENCRYPT_OP,	CKM_JUNIPER_KEY_GEN},
+	{CKM_JUNIPER_COUNTER,	ENCRYPT_OP,	CKM_JUNIPER_KEY_GEN},
+	{CKM_JUNIPER_SHUFFLE,	ENCRYPT_OP,	CKM_JUNIPER_KEY_GEN},
+	{CKM_FASTHASH,		DIGEST_OP,	0}
+};
+
+#endif
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.reg b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.reg
new file mode 100644
index 000000000..ed4e53b4c
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.reg
@@ -0,0 +1,964 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+[General]
+mut=PKCS11
+mutversion=1.0
+htmlout=NOW
+reporterSpec=NOW
+program=pk11test
+globalArgs=internal
+
+[Test-1]
+
+testId=0
+testname=Use supplied pin, Generate keys on target token, NO OP, 
+
+[Test-2]
+
+testId=4
+testname=Use supplied pin, Generate keys on target token, RSA PKCS, 
+
+[Test-3]
+
+testId=8
+testname=Use supplied pin, Generate keys on target token, RSA 9796, 
+
+[Test-4]
+
+testId=12
+testname=Use supplied pin, Generate keys on target token, RSA X.509, 
+
+[Test-5]
+
+testId=16
+testname=Use supplied pin, Generate keys on target token, MD2 RSA PKCS, 
+
+[Test-6]
+
+testId=20
+testname=Use supplied pin, Generate keys on target token, MD5 RSA PKCS, 
+
+[Test-7]
+
+testId=24
+testname=Use supplied pin, Generate keys on target token, SHA1 RSA PKCS, 
+
+[Test-8]
+
+testId=28
+testname=Use supplied pin, Generate keys on target token, DSA, 
+
+[Test-9]
+
+testId=32
+testname=Use supplied pin, Generate keys on target token, DSA SHA1, 
+
+[Test-10]
+
+testId=36
+testname=Use supplied pin, Generate keys on target token, ECDSA, 
+
+[Test-11]
+
+testId=40
+testname=Use supplied pin, Generate keys on target token, ECDSA SHA1, 
+
+[Test-12]
+
+testId=44
+testname=Use supplied pin, Generate keys on target token, RC2 ECB, 
+
+[Test-13]
+
+testId=48
+testname=Use supplied pin, Generate keys on target token, RC2 CBC, 
+
+[Test-14]
+
+testId=52
+testname=Use supplied pin, Generate keys on target token, RC4, 
+
+[Test-15]
+
+testId=56
+testname=Use supplied pin, Generate keys on target token, RC5 ECB, 
+
+[Test-16]
+
+testId=60
+testname=Use supplied pin, Generate keys on target token, RC5 CBC, 
+
+[Test-17]
+
+testId=64
+testname=Use supplied pin, Generate keys on target token, DES ECB, 
+
+[Test-18]
+
+testId=68
+testname=Use supplied pin, Generate keys on target token, DES CBC, 
+
+[Test-19]
+
+testId=72
+testname=Use supplied pin, Generate keys on target token, DES3 ECB, 
+
+[Test-20]
+
+testId=76
+testname=Use supplied pin, Generate keys on target token, DES3 CBC, 
+
+[Test-21]
+
+testId=80
+testname=Use supplied pin, Generate keys on target token, CAST ECB, 
+
+[Test-22]
+
+testId=84
+testname=Use supplied pin, Generate keys on target token, CAST CBC, 
+
+[Test-23]
+
+testId=88
+testname=Use supplied pin, Generate keys on target token, CAST3 ECB, 
+
+[Test-24]
+
+testId=92
+testname=Use supplied pin, Generate keys on target token, CAST3 CBC, 
+
+[Test-25]
+
+testId=96
+testname=Use supplied pin, Generate keys on target token, CAST5 ECB, 
+
+[Test-26]
+
+testId=100
+testname=Use supplied pin, Generate keys on target token, CAST5 CBC, 
+
+[Test-27]
+
+testId=104
+testname=Use supplied pin, Generate keys on target token, IDEA ECB, 
+
+[Test-28]
+
+testId=108
+testname=Use supplied pin, Generate keys on target token, IDEA CBC, 
+
+[Test-29]
+
+testId=112
+testname=Use supplied pin, Generate keys on target token, CDMF ECB, 
+
+[Test-30]
+
+testId=116
+testname=Use supplied pin, Generate keys on target token, CDMF CBC, 
+
+[Test-31]
+
+testId=120
+testname=Use supplied pin, Generate keys on target token, SKIPJACK ECB64, 
+
+[Test-32]
+
+testId=124
+testname=Use supplied pin, Generate keys on target token, SKIPJACK CBC64, 
+
+[Test-33]
+
+testId=128
+testname=Use supplied pin, Generate keys on target token, SKIPJACK OFB64, 
+
+[Test-34]
+
+testId=132
+testname=Use supplied pin, Generate keys on target token, SKIPJACK CFB64, 
+
+[Test-35]
+
+testId=136
+testname=Use supplied pin, Generate keys on target token, SKIPJACK CFB32, 
+
+[Test-36]
+
+testId=140
+testname=Use supplied pin, Generate keys on target token, SKIPJACK CFB16, 
+
+[Test-37]
+
+testId=144
+testname=Use supplied pin, Generate keys on target token, SKIPJACK CFB8, 
+
+[Test-38]
+
+testId=148
+testname=Use supplied pin, Generate keys on target token, BATON ECB128, 
+
+[Test-39]
+
+testId=152
+testname=Use supplied pin, Generate keys on target token, BATON ECB96, 
+
+[Test-40]
+
+testId=156
+testname=Use supplied pin, Generate keys on target token, BATON CBC128, 
+
+[Test-41]
+
+testId=160
+testname=Use supplied pin, Generate keys on target token, BATON counter, 
+
+[Test-42]
+
+testId=164
+testname=Use supplied pin, Generate keys on target token, BATON shuffle, 
+
+[Test-43]
+
+testId=168
+testname=Use supplied pin, Generate keys on target token, JUNIPER ECB128, 
+
+[Test-44]
+
+testId=172
+testname=Use supplied pin, Generate keys on target token, JUNIPER CBC128, 
+
+[Test-45]
+
+testId=176
+testname=Use supplied pin, Generate keys on target token, JUNIPER counter, 
+
+[Test-46]
+
+testId=180
+testname=Use supplied pin, Generate keys on target token, JUNIPER shuffle, 
+
+[Test-47]
+
+testId=2
+testname=Use supplied pin, Generate keys on internal module, NO OP, 
+
+[Test-48]
+
+testId=6
+testname=Use supplied pin, Generate keys on internal module, RSA PKCS, 
+
+[Test-49]
+
+testId=10
+testname=Use supplied pin, Generate keys on internal module, RSA 9796, 
+
+[Test-50]
+
+testId=14
+testname=Use supplied pin, Generate keys on internal module, RSA X.509, 
+
+[Test-51]
+
+testId=18
+testname=Use supplied pin, Generate keys on internal module, MD2 RSA PKCS, 
+
+[Test-52]
+
+testId=22
+testname=Use supplied pin, Generate keys on internal module, MD5 RSA PKCS, 
+
+[Test-53]
+
+testId=26
+testname=Use supplied pin, Generate keys on internal module, SHA1 RSA PKCS, 
+
+[Test-54]
+
+testId=30
+testname=Use supplied pin, Generate keys on internal module, DSA, 
+
+[Test-55]
+
+testId=34
+testname=Use supplied pin, Generate keys on internal module, DSA SHA1, 
+
+[Test-56]
+
+testId=38
+testname=Use supplied pin, Generate keys on internal module, ECDSA, 
+
+[Test-57]
+
+testId=42
+testname=Use supplied pin, Generate keys on internal module, ECDSA SHA1, 
+
+[Test-58]
+
+testId=46
+testname=Use supplied pin, Generate keys on internal module, RC2 ECB, 
+
+[Test-59]
+
+testId=50
+testname=Use supplied pin, Generate keys on internal module, RC2 CBC, 
+
+[Test-60]
+
+testId=54
+testname=Use supplied pin, Generate keys on internal module, RC4, 
+
+[Test-61]
+
+testId=58
+testname=Use supplied pin, Generate keys on internal module, RC5 ECB, 
+
+[Test-62]
+
+testId=62
+testname=Use supplied pin, Generate keys on internal module, RC5 CBC, 
+
+[Test-63]
+
+testId=66
+testname=Use supplied pin, Generate keys on internal module, DES ECB, 
+
+[Test-64]
+
+testId=70
+testname=Use supplied pin, Generate keys on internal module, DES CBC, 
+
+[Test-65]
+
+testId=74
+testname=Use supplied pin, Generate keys on internal module, DES3 ECB, 
+
+[Test-66]
+
+testId=78
+testname=Use supplied pin, Generate keys on internal module, DES3 CBC, 
+
+[Test-67]
+
+testId=82
+testname=Use supplied pin, Generate keys on internal module, CAST ECB, 
+
+[Test-68]
+
+testId=86
+testname=Use supplied pin, Generate keys on internal module, CAST CBC, 
+
+[Test-69]
+
+testId=90
+testname=Use supplied pin, Generate keys on internal module, CAST3 ECB, 
+
+[Test-70]
+
+testId=94
+testname=Use supplied pin, Generate keys on internal module, CAST3 CBC, 
+
+[Test-71]
+
+testId=98
+testname=Use supplied pin, Generate keys on internal module, CAST5 ECB, 
+
+[Test-72]
+
+testId=102
+testname=Use supplied pin, Generate keys on internal module, CAST5 CBC, 
+
+[Test-73]
+
+testId=106
+testname=Use supplied pin, Generate keys on internal module, IDEA ECB, 
+
+[Test-74]
+
+testId=110
+testname=Use supplied pin, Generate keys on internal module, IDEA CBC, 
+
+[Test-75]
+
+testId=114
+testname=Use supplied pin, Generate keys on internal module, CDMF ECB, 
+
+[Test-76]
+
+testId=118
+testname=Use supplied pin, Generate keys on internal module, CDMF CBC, 
+
+[Test-77]
+
+testId=122
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK ECB64, 
+
+[Test-78]
+
+testId=126
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK CBC64, 
+
+[Test-79]
+
+testId=130
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK OFB64, 
+
+[Test-80]
+
+testId=134
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK CFB64, 
+
+[Test-81]
+
+testId=138
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK CFB32, 
+
+[Test-82]
+
+testId=142
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK CFB16, 
+
+[Test-83]
+
+testId=146
+testname=Use supplied pin, Generate keys on internal module, SKIPJACK CFB8, 
+
+[Test-84]
+
+testId=150
+testname=Use supplied pin, Generate keys on internal module, BATON ECB128, 
+
+[Test-85]
+
+testId=154
+testname=Use supplied pin, Generate keys on internal module, BATON ECB96, 
+
+[Test-86]
+
+testId=158
+testname=Use supplied pin, Generate keys on internal module, BATON CBC128, 
+
+[Test-87]
+
+testId=162
+testname=Use supplied pin, Generate keys on internal module, BATON counter, 
+
+[Test-88]
+
+testId=166
+testname=Use supplied pin, Generate keys on internal module, BATON shuffle, 
+
+[Test-89]
+
+testId=170
+testname=Use supplied pin, Generate keys on internal module, JUNIPER ECB128, 
+
+[Test-90]
+
+testId=174
+testname=Use supplied pin, Generate keys on internal module, JUNIPER CBC128, 
+
+[Test-91]
+
+testId=178
+testname=Use supplied pin, Generate keys on internal module, JUNIPER counter, 
+
+[Test-92]
+
+testId=182
+testname=Use supplied pin, Generate keys on internal module, JUNIPER shuffle, 
+
+[Test-93]
+
+testId=1
+testname=Use different (incorrect) pin, Generate keys on target token, NO OP, 
+
+[Test-94]
+
+testId=5
+testname=Use different (incorrect) pin, Generate keys on target token, RSA PKCS, 
+
+[Test-95]
+
+testId=9
+testname=Use different (incorrect) pin, Generate keys on target token, RSA 9796, 
+
+[Test-96]
+
+testId=13
+testname=Use different (incorrect) pin, Generate keys on target token, RSA X.509, 
+
+[Test-97]
+
+testId=17
+testname=Use different (incorrect) pin, Generate keys on target token, MD2 RSA PKCS, 
+
+[Test-98]
+
+testId=21
+testname=Use different (incorrect) pin, Generate keys on target token, MD5 RSA PKCS, 
+
+[Test-99]
+
+testId=25
+testname=Use different (incorrect) pin, Generate keys on target token, SHA1 RSA PKCS, 
+
+[Test-100]
+
+testId=29
+testname=Use different (incorrect) pin, Generate keys on target token, DSA, 
+
+[Test-101]
+
+testId=33
+testname=Use different (incorrect) pin, Generate keys on target token, DSA SHA1, 
+
+[Test-102]
+
+testId=37
+testname=Use different (incorrect) pin, Generate keys on target token, ECDSA, 
+
+[Test-103]
+
+testId=41
+testname=Use different (incorrect) pin, Generate keys on target token, ECDSA SHA1, 
+
+[Test-104]
+
+testId=45
+testname=Use different (incorrect) pin, Generate keys on target token, RC2 ECB, 
+
+[Test-105]
+
+testId=49
+testname=Use different (incorrect) pin, Generate keys on target token, RC2 CBC, 
+
+[Test-106]
+
+testId=53
+testname=Use different (incorrect) pin, Generate keys on target token, RC4, 
+
+[Test-107]
+
+testId=57
+testname=Use different (incorrect) pin, Generate keys on target token, RC5 ECB, 
+
+[Test-108]
+
+testId=61
+testname=Use different (incorrect) pin, Generate keys on target token, RC5 CBC, 
+
+[Test-109]
+
+testId=65
+testname=Use different (incorrect) pin, Generate keys on target token, DES ECB, 
+
+[Test-110]
+
+testId=69
+testname=Use different (incorrect) pin, Generate keys on target token, DES CBC, 
+
+[Test-111]
+
+testId=73
+testname=Use different (incorrect) pin, Generate keys on target token, DES3 ECB, 
+
+[Test-112]
+
+testId=77
+testname=Use different (incorrect) pin, Generate keys on target token, DES3 CBC, 
+
+[Test-113]
+
+testId=81
+testname=Use different (incorrect) pin, Generate keys on target token, CAST ECB, 
+
+[Test-114]
+
+testId=85
+testname=Use different (incorrect) pin, Generate keys on target token, CAST CBC, 
+
+[Test-115]
+
+testId=89
+testname=Use different (incorrect) pin, Generate keys on target token, CAST3 ECB, 
+
+[Test-116]
+
+testId=93
+testname=Use different (incorrect) pin, Generate keys on target token, CAST3 CBC, 
+
+[Test-117]
+
+testId=97
+testname=Use different (incorrect) pin, Generate keys on target token, CAST5 ECB, 
+
+[Test-118]
+
+testId=101
+testname=Use different (incorrect) pin, Generate keys on target token, CAST5 CBC, 
+
+[Test-119]
+
+testId=105
+testname=Use different (incorrect) pin, Generate keys on target token, IDEA ECB, 
+
+[Test-120]
+
+testId=109
+testname=Use different (incorrect) pin, Generate keys on target token, IDEA CBC, 
+
+[Test-121]
+
+testId=113
+testname=Use different (incorrect) pin, Generate keys on target token, CDMF ECB, 
+
+[Test-122]
+
+testId=117
+testname=Use different (incorrect) pin, Generate keys on target token, CDMF CBC, 
+
+[Test-123]
+
+testId=121
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK ECB64, 
+
+[Test-124]
+
+testId=125
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK CBC64, 
+
+[Test-125]
+
+testId=129
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK OFB64, 
+
+[Test-126]
+
+testId=133
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK CFB64, 
+
+[Test-127]
+
+testId=137
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK CFB32, 
+
+[Test-128]
+
+testId=141
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK CFB16, 
+
+[Test-129]
+
+testId=145
+testname=Use different (incorrect) pin, Generate keys on target token, SKIPJACK CFB8, 
+
+[Test-130]
+
+testId=149
+testname=Use different (incorrect) pin, Generate keys on target token, BATON ECB128, 
+
+[Test-131]
+
+testId=153
+testname=Use different (incorrect) pin, Generate keys on target token, BATON ECB96, 
+
+[Test-132]
+
+testId=157
+testname=Use different (incorrect) pin, Generate keys on target token, BATON CBC128, 
+
+[Test-133]
+
+testId=161
+testname=Use different (incorrect) pin, Generate keys on target token, BATON counter, 
+
+[Test-134]
+
+testId=165
+testname=Use different (incorrect) pin, Generate keys on target token, BATON shuffle, 
+
+[Test-135]
+
+testId=169
+testname=Use different (incorrect) pin, Generate keys on target token, JUNIPER ECB128, 
+
+[Test-136]
+
+testId=173
+testname=Use different (incorrect) pin, Generate keys on target token, JUNIPER CBC128, 
+
+[Test-137]
+
+testId=177
+testname=Use different (incorrect) pin, Generate keys on target token, JUNIPER counter, 
+
+[Test-138]
+
+testId=181
+testname=Use different (incorrect) pin, Generate keys on target token, JUNIPER shuffle, 
+
+[Test-139]
+
+testId=3
+testname=Use different (incorrect) pin, Generate keys on internal module, NO OP, 
+
+[Test-140]
+
+testId=7
+testname=Use different (incorrect) pin, Generate keys on internal module, RSA PKCS, 
+
+[Test-141]
+
+testId=11
+testname=Use different (incorrect) pin, Generate keys on internal module, RSA 9796, 
+
+[Test-142]
+
+testId=15
+testname=Use different (incorrect) pin, Generate keys on internal module, RSA X.509, 
+
+[Test-143]
+
+testId=19
+testname=Use different (incorrect) pin, Generate keys on internal module, MD2 RSA PKCS, 
+
+[Test-144]
+
+testId=23
+testname=Use different (incorrect) pin, Generate keys on internal module, MD5 RSA PKCS, 
+
+[Test-145]
+
+testId=27
+testname=Use different (incorrect) pin, Generate keys on internal module, SHA1 RSA PKCS, 
+
+[Test-146]
+
+testId=31
+testname=Use different (incorrect) pin, Generate keys on internal module, DSA, 
+
+[Test-147]
+
+testId=35
+testname=Use different (incorrect) pin, Generate keys on internal module, DSA SHA1, 
+
+[Test-148]
+
+testId=39
+testname=Use different (incorrect) pin, Generate keys on internal module, ECDSA, 
+
+[Test-149]
+
+testId=43
+testname=Use different (incorrect) pin, Generate keys on internal module, ECDSA SHA1, 
+
+[Test-150]
+
+testId=47
+testname=Use different (incorrect) pin, Generate keys on internal module, RC2 ECB, 
+
+[Test-151]
+
+testId=51
+testname=Use different (incorrect) pin, Generate keys on internal module, RC2 CBC, 
+
+[Test-152]
+
+testId=55
+testname=Use different (incorrect) pin, Generate keys on internal module, RC4, 
+
+[Test-153]
+
+testId=59
+testname=Use different (incorrect) pin, Generate keys on internal module, RC5 ECB, 
+
+[Test-154]
+
+testId=63
+testname=Use different (incorrect) pin, Generate keys on internal module, RC5 CBC, 
+
+[Test-155]
+
+testId=67
+testname=Use different (incorrect) pin, Generate keys on internal module, DES ECB, 
+
+[Test-156]
+
+testId=71
+testname=Use different (incorrect) pin, Generate keys on internal module, DES CBC, 
+
+[Test-157]
+
+testId=75
+testname=Use different (incorrect) pin, Generate keys on internal module, DES3 ECB, 
+
+[Test-158]
+
+testId=79
+testname=Use different (incorrect) pin, Generate keys on internal module, DES3 CBC, 
+
+[Test-159]
+
+testId=83
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST ECB, 
+
+[Test-160]
+
+testId=87
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST CBC, 
+
+[Test-161]
+
+testId=91
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST3 ECB, 
+
+[Test-162]
+
+testId=95
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST3 CBC, 
+
+[Test-163]
+
+testId=99
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST5 ECB, 
+
+[Test-164]
+
+testId=103
+testname=Use different (incorrect) pin, Generate keys on internal module, CAST5 CBC, 
+
+[Test-165]
+
+testId=107
+testname=Use different (incorrect) pin, Generate keys on internal module, IDEA ECB, 
+
+[Test-166]
+
+testId=111
+testname=Use different (incorrect) pin, Generate keys on internal module, IDEA CBC, 
+
+[Test-167]
+
+testId=115
+testname=Use different (incorrect) pin, Generate keys on internal module, CDMF ECB, 
+
+[Test-168]
+
+testId=119
+testname=Use different (incorrect) pin, Generate keys on internal module, CDMF CBC, 
+
+[Test-169]
+
+testId=123
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK ECB64, 
+
+[Test-170]
+
+testId=127
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK CBC64, 
+
+[Test-171]
+
+testId=131
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK OFB64, 
+
+[Test-172]
+
+testId=135
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK CFB64, 
+
+[Test-173]
+
+testId=139
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK CFB32, 
+
+[Test-174]
+
+testId=143
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK CFB16, 
+
+[Test-175]
+
+testId=147
+testname=Use different (incorrect) pin, Generate keys on internal module, SKIPJACK CFB8, 
+
+[Test-176]
+
+testId=151
+testname=Use different (incorrect) pin, Generate keys on internal module, BATON ECB128, 
+
+[Test-177]
+
+testId=155
+testname=Use different (incorrect) pin, Generate keys on internal module, BATON ECB96, 
+
+[Test-178]
+
+testId=159
+testname=Use different (incorrect) pin, Generate keys on internal module, BATON CBC128, 
+
+[Test-179]
+
+testId=163
+testname=Use different (incorrect) pin, Generate keys on internal module, BATON counter, 
+
+[Test-180]
+
+testId=167
+testname=Use different (incorrect) pin, Generate keys on internal module, BATON shuffle, 
+
+[Test-181]
+
+testId=171
+testname=Use different (incorrect) pin, Generate keys on internal module, JUNIPER ECB128, 
+
+[Test-182]
+
+testId=175
+testname=Use different (incorrect) pin, Generate keys on internal module, JUNIPER CBC128, 
+
+[Test-183]
+
+testId=179
+testname=Use different (incorrect) pin, Generate keys on internal module, JUNIPER counter, 
+
+[Test-184]
+
+testId=183
+testname=Use different (incorrect) pin, Generate keys on internal module, JUNIPER shuffle, 
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.rep b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.rep
new file mode 100644
index 000000000..bc8bdccfd
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/pkcs11.rep
@@ -0,0 +1,161 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+[General]
+mut=PKCS11
+mutversion=1.0
+cTemplate=pk11test.htp
+testPrefix=pk11test
+testSuffix=.h
+#timeout=
+regressSpecfile=pkcs11.reg
+regressOutput=NOW
+reporterOutput=NOW
+singleSource=TRUE
+firstExitCode=100
+
+[UseCorrectPin]
+IMPORTANCE=HIGH
+TYPE=PRBool
+Use supplied pin,		=PR_TRUE
+Use different (incorrect) pin,	=PR_FALSE
+
+[KeyGenOnTarget]
+IMPORTANCE=HIGH
+TYPE=PRBool
+Generate keys on target token,	= PR_TRUE
+Generate keys on internal module, = PR_FALSE
+
+[mechanism]
+IMPORTANCE=HIGH
+TYPE = CK_MECHANISM_TYPE
+NO OP,			= CKM_NO_OP
+RSA PKCS,		= CKM_RSA_PKCS
+RSA 9796,		= CKM_RSA_9796
+RSA X.509,		= CKM_RSA_X_509
+MD2 RSA PKCS,		= CKM_MD2_RSA_PKCS
+MD5 RSA PKCS,		= CKM_MD5_RSA_PKCS
+SHA1 RSA PKCS,		= CKM_SHA1_RSA_PKCS
+DSA,			= CKM_DSA
+DSA SHA1,		= CKM_DSA_SHA1
+ECDSA,			= CKM_ECDSA
+ECDSA SHA1,		= CKM_ECDSA_SHA1
+RC2 ECB,		= CKM_RC2_ECB
+RC2 CBC,		= CKM_RC2_CBC
+#RC2 CBC PAD,		= CKM_RC2_CBC_PAD
+#RC2 MAC general,	= CKM_RC2_MAC_GENERAL
+#RC2 MAC,		= CKM_RC2_MAC
+RC4,			= CKM_RC4
+RC5 ECB,		= CKM_RC5_ECB
+RC5 CBC,		= CKM_RC5_CBC
+#RC5 CBC PAD,		= CKM_RC5_CBC_PAD
+#RC5 MAC general,	= CKM_RC5_MAC_GENERAL
+#RC5 MAC,		= CKM_RC5_MAC
+DES ECB,		= CKM_DES_ECB
+DES CBC,		= CKM_DES_CBC
+#DES CBC PAD,		= CKM_DES_CBC_PAD
+#DES MAC general,	= CKM_DES_MAC_GENERAL
+#DES MAC,		= CKM_DES_MAC
+#DES2 keygen,		= CKM_DES2_KEY_GEN
+DES3 ECB,		= CKM_DES3_ECB
+DES3 CBC,		= CKM_DES3_CBC
+#DES3 CBC pad,		= CKM_DES3_CBC_PAD
+#DES3 MAC general,	= CKM_DES3_MAC_GENERAL
+#DES3 MAC,		= CKM_DES3_MAC
+CAST ECB,		= CKM_CAST_ECB
+CAST CBC,		= CKM_CAST_CBC
+#CAST CBC PAD,		= CKM_CAST_CBC_PAD
+#CAST MAC general,	= CKM_CAST_MAC_GENERAL
+#CAST MAC,		= CKM_CAST_MAC
+CAST3 ECB,		= CKM_CAST3_ECB
+CAST3 CBC,		= CKM_CAST3_CBC
+#CAST3 CBC PAD,		= CKM_CAST3_CBC_PAD
+#CAST3 MAC general,	= CKM_CAST3_MAC_GENERAL
+#CAST3 MAC, 		= CKM_CAST3_MAC
+CAST5 ECB,		= CKM_CAST5_ECB
+CAST5 CBC,		= CKM_CAST5_CBC
+#CAST5 CBC PAD,		= CKM_CAST5_CBC_PAD
+#CAST5 MAC general,	= CKM_CAST5_MAC_GENERAL
+#CAST5 MAC,		= CKM_CAST5_MAC
+IDEA ECB,		= CKM_IDEA_ECB
+IDEA CBC,		= CKM_IDEA_CBC
+#IDEA CBC PAD,		= CKM_IDEA_CBC_PAD
+#IDEA MAC general,	= CKM_IDEA_MAC_GENERAL
+#IDEA MAC,		= CKM_IDEA_MAC
+CDMF ECB,		= CKM_CDMF_ECB
+CDMF CBC,		= CKM_CDMF_CBC
+#CDMF CBC PAD,		= CKM_CDMF_CBC_PAD
+#CDMF MAC general,	= CKM_CDMF_MAC_GENERAL
+#CDMF MAC,		= CKM_CDMF_MAC
+SKIPJACK ECB64,		= CKM_SKIPJACK_ECB64
+SKIPJACK CBC64,		= CKM_SKIPJACK_CBC64
+SKIPJACK OFB64,		= CKM_SKIPJACK_OFB64
+SKIPJACK CFB64,		= CKM_SKIPJACK_CFB64
+SKIPJACK CFB32,		= CKM_SKIPJACK_CFB32
+SKIPJACK CFB16,		= CKM_SKIPJACK_CFB16
+SKIPJACK CFB8,		= CKM_SKIPJACK_CFB8
+BATON ECB128,		= CKM_BATON_ECB128
+BATON ECB96,		= CKM_BATON_ECB96
+BATON CBC128,		= CKM_BATON_CBC128
+BATON counter,		= CKM_BATON_COUNTER
+BATON shuffle,		= CKM_BATON_SHUFFLE
+JUNIPER ECB128,		= CKM_JUNIPER_ECB128
+JUNIPER CBC128,		= CKM_JUNIPER_CBC128
+JUNIPER counter,	= CKM_JUNIPER_COUNTER
+JUNIPER shuffle,	= CKM_JUNIPER_SHUFFLE
+#MD2 digest,		= CKM_MD2
+#MD2 HMAC general,	= CKM_MD2_HMAC_GENERAL
+#MD2 HMAC,		= CKM_MD2_HMAC
+#MD5 digest,		= CKM_MD5
+#MD5 HMAC general,	= CKM_MD5_HMAC_GENERAL
+#MD5 HMAC,		= CKM_MD5_HMAC
+#SHA1 digest,		= CKM_SHA_1
+#SHA1 HMAC general,	= CKM_SHA_1_HMAC_GENERAL
+#SHA1 HMAC,		= CKM_SHA_1_HMAC
+#Fasthash,		= CKM_FASTHASH
+#CKM_PBE_MD2_DES_CBC 	= CKM_PBE_MD2_DES_CBC
+#CKM_PBE_MD5_DES_CBC	= CKM_PBE_MD5_DES_CBC
+#CKM_PBE_MD5_CAST_CBC	= CKM_PBE_MD5_CAST_CBC
+#CKM_PBE_MD5_CAST3_CBC	= CKM_PBE_MD5_CAST3_CBC
+#CKM_PBE_MD5_CAST5_CBC	= CKM_PBE_MD5_CAST5_CBC
+#CKM_PBE_SHA1_CAST5_CBC	= CKM_PBE_SHA1_CAST5_CBC
+#CKM_PBE_SHA1_RC4_128	= CKM_PBE_SHA1_RC4_128
+#CKM_PBE_SHA1_RC4_40	= CKM_PBE_SHA1_RC4_40
+#CKM_PBE_SHA1_DES3_EDE_CBC = CKM_PBE_SHA1_DES3_EDE_CBC
+#CKM_PBE_SHA1_DES2_EDE_CBC = CKM_PBE_SHA1_DES2_EDE_CBC
+#CKM_PBE_SHA1_RC2_128_CBC = CKM_PBE_SHA1_RC2_128_CBC
+#CKM_PBE_SHA1_RC2_40_CBC	= CKM_PBE_SHA1_RC2_40_CBC
+#CKM_PBA_SHA1_WITH_SHA1_HMAC = CKM_PBA_SHA1_WITH_SHA1_HMAC
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/rules.mk b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/rules.mk
new file mode 100644
index 000000000..bca6e39a5
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/pkcs11/rules.mk
@@ -0,0 +1,38 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+pk11test.c: pk11test.h pkcs11.h
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/Makefile b/security/nss/tests/pkcs11/netscape/suites/security/ssl/Makefile
new file mode 100644
index 000000000..a33e6ba24
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/Makefile
@@ -0,0 +1,82 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#include $(CORE_DEPTH)/$(MODULE)/config/rules.mk
+include $(CORE_DEPTH)/nss/cmd/platlibs.mk
+include $(CORE_DEPTH)/nss/cmd/platrules.mk
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/README b/security/nss/tests/pkcs11/netscape/suites/security/ssl/README
new file mode 100644
index 000000000..80d14de16
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/README
@@ -0,0 +1,11 @@
+
+sslt.rep : Replacer specfile
+sslt.c   : Main source code file for test
+sslt.htp : Replacer template for header file
+sslt.h   : Replacer-generated header file
+sslc.c   : Ciphersuite-related data structures and code
+ssls.c   : Data buffer for transmitting data
+ssls.h   : Data structures and defines for the main code
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
new file mode 100644
index 000000000..02f36ae28
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/cert7.db
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/config.mk b/security/nss/tests/pkcs11/netscape/suites/security/ssl/config.mk
new file mode 100644
index 000000000..d43c8ebf4
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/config.mk
@@ -0,0 +1,66 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# Set the LDFLAGS value to encompass all normal link options, all     #
+# library names, and all special system linking options               #
+#######################################################################
+
+LDFLAGS = \
+	$(DYNAMIC_LIB_PATH) \
+	$(LDOPTS) \
+	$(LIBSECTOOLS) \
+	$(LIBSSL) \
+	$(LIBPKCS7) \
+	$(LIBCERT) \
+	$(LIBKEY) \
+	$(LIBSECMOD) \
+	$(LIBCRYPTO) \
+	$(LIBSECUTIL) \
+	$(LIBHASH) \
+	$(LIBDBM) \
+	$(LIBPLC) \
+	$(LIBPLDS) \
+	$(LIBPR) \
+	$(DLLSYSTEM)
+
+#######################################################################
+# Adjust specific variables for all platforms                         #
+#######################################################################
+ 
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
new file mode 100644
index 000000000..1c015a4a2
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/key3.db
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/manifest.mn b/security/nss/tests/pkcs11/netscape/suites/security/ssl/manifest.mn
new file mode 100644
index 000000000..c9c5c7a4f
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/manifest.mn
@@ -0,0 +1,57 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../../../../..
+
+#MODULE = sectools
+
+EXPORTS = 
+
+CSRCS = sslt.c \
+	ssls.c \
+	sslc.c \
+	$(NULL)
+
+PROGRAM =  sslt
+
+REQUIRES = nss dbm seccmd
+
+DEFINES = -DNSPR20 -DREPLACER
+
+REGRESSION_SPEC = ssl.reg
+
+RESULTS_SUBDIR = security/ssl
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssl.reg b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssl.reg
new file mode 100755
index 000000000..31c1990a4
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssl.reg
@@ -0,0 +1,49198 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+[General]
+
+mut=SSL
+mutversion=1.0
+htmlout=NOW
+reporterSpec=NOW
+program=sslt
+failonly=1
+globalArgs=-p netscape -n SSLServer
+
+[Test-1]
+
+testId=32
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2]
+
+testId=16384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3]
+
+testId=8192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4]
+
+testId=24608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5]
+
+testId=4096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6]
+
+testId=20512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7]
+
+testId=12336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8]
+
+testId=28672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-9]
+
+testId=2096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-10]
+
+testId=18464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-11]
+
+testId=10288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-12]
+
+testId=26672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-13]
+
+testId=6192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-14]
+
+testId=22576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-15]
+
+testId=14352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-16]
+
+testId=30752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-17]
+
+testId=1072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-18]
+
+testId=17456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-19]
+
+testId=9232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-20]
+
+testId=25616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-21]
+
+testId=5136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-22]
+
+testId=21520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-23]
+
+testId=13360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-24]
+
+testId=29696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-25]
+
+testId=3088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-26]
+
+testId=19456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-27]
+
+testId=11296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-28]
+
+testId=27696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-29]
+
+testId=7200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-30]
+
+testId=23552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-31]
+
+testId=15360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-32]
+
+testId=31792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-33]
+
+testId=512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-34]
+
+testId=16912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-35]
+
+testId=8752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-36]
+
+testId=25136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-37]
+
+testId=4608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-38]
+
+testId=21040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-39]
+
+testId=12832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-40]
+
+testId=29184
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-41]
+
+testId=2592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-42]
+
+testId=18960
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-43]
+
+testId=10768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-44]
+
+testId=27168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-45]
+
+testId=6672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-46]
+
+testId=23040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-47]
+
+testId=14864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-48]
+
+testId=31264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-49]
+
+testId=1584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-50]
+
+testId=17920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-51]
+
+testId=9728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-52]
+
+testId=26144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-53]
+
+testId=5632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-54]
+
+testId=22064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-55]
+
+testId=13872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-56]
+
+testId=30208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-57]
+
+testId=3632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-58]
+
+testId=19984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-59]
+
+testId=11776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-60]
+
+testId=28192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-61]
+
+testId=7728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-62]
+
+testId=24096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-63]
+
+testId=15872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-64]
+
+testId=32256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-65]
+
+testId=304
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-66]
+
+testId=16656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-67]
+
+testId=8448
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-68]
+
+testId=24848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-69]
+
+testId=4384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-70]
+
+testId=20784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-71]
+
+testId=12592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-72]
+
+testId=28976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-73]
+
+testId=2320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-74]
+
+testId=18720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-75]
+
+testId=10512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-76]
+
+testId=26896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-77]
+
+testId=6400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-78]
+
+testId=22800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-79]
+
+testId=14624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-80]
+
+testId=30976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-81]
+
+testId=1312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-82]
+
+testId=17680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-83]
+
+testId=9520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-84]
+
+testId=25888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-85]
+
+testId=5408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-86]
+
+testId=21760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-87]
+
+testId=13616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-88]
+
+testId=29984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-89]
+
+testId=3328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-90]
+
+testId=19744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-91]
+
+testId=11568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-92]
+
+testId=27952
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-93]
+
+testId=7440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-94]
+
+testId=23808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-95]
+
+testId=15664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-96]
+
+testId=32032
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-97]
+
+testId=768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-98]
+
+testId=17184
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-99]
+
+testId=8992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-100]
+
+testId=25360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-101]
+
+testId=4880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-102]
+
+testId=21296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-103]
+
+testId=13104
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-104]
+
+testId=29472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-105]
+
+testId=2848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-106]
+
+testId=19232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-107]
+
+testId=11040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-108]
+
+testId=27440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-109]
+
+testId=6928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-110]
+
+testId=23296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-111]
+
+testId=15136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-112]
+
+testId=31520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-113]
+
+testId=1792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-114]
+
+testId=18192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-115]
+
+testId=10000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-116]
+
+testId=26384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-117]
+
+testId=5936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-118]
+
+testId=22304
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-119]
+
+testId=14080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-120]
+
+testId=30480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-121]
+
+testId=3856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-122]
+
+testId=20240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-123]
+
+testId=12048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-124]
+
+testId=28432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-125]
+
+testId=7968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-126]
+
+testId=24368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-127]
+
+testId=16176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-128]
+
+testId=32544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-129]
+
+testId=160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-130]
+
+testId=16528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-131]
+
+testId=8368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-132]
+
+testId=24704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-133]
+
+testId=4256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-134]
+
+testId=20624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-135]
+
+testId=12464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-136]
+
+testId=28848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-137]
+
+testId=2176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-138]
+
+testId=18592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-139]
+
+testId=10416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-140]
+
+testId=26752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-141]
+
+testId=6272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-142]
+
+testId=22704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-143]
+
+testId=14512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-144]
+
+testId=30848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-145]
+
+testId=1152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-146]
+
+testId=17584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-147]
+
+testId=9376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-148]
+
+testId=25744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-149]
+
+testId=5296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-150]
+
+testId=21632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-151]
+
+testId=13472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-152]
+
+testId=29872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-153]
+
+testId=3248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-154]
+
+testId=19616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-155]
+
+testId=11408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-156]
+
+testId=27792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-157]
+
+testId=7296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-158]
+
+testId=23696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-159]
+
+testId=15536
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-160]
+
+testId=31888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-161]
+
+testId=640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-162]
+
+testId=17056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-163]
+
+testId=8832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-164]
+
+testId=25248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-165]
+
+testId=4784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-166]
+
+testId=21152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-167]
+
+testId=12976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-168]
+
+testId=29360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-169]
+
+testId=2704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-170]
+
+testId=19088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-171]
+
+testId=10896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-172]
+
+testId=27280
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-173]
+
+testId=6832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-174]
+
+testId=23184
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-175]
+
+testId=14976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-176]
+
+testId=31392
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-177]
+
+testId=1696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-178]
+
+testId=18080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-179]
+
+testId=9856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-180]
+
+testId=26240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-181]
+
+testId=5776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-182]
+
+testId=22144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-183]
+
+testId=13984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-184]
+
+testId=30368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-185]
+
+testId=3712
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-186]
+
+testId=20128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-187]
+
+testId=11920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-188]
+
+testId=28304
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-189]
+
+testId=7840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-190]
+
+testId=24208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-191]
+
+testId=16000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-192]
+
+testId=32384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-193]
+
+testId=416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-194]
+
+testId=16816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-195]
+
+testId=8592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-196]
+
+testId=24960
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-197]
+
+testId=4496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-198]
+
+testId=20864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-199]
+
+testId=12672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-200]
+
+testId=29088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-201]
+
+testId=2432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-202]
+
+testId=18864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-203]
+
+testId=10640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-204]
+
+testId=27024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-205]
+
+testId=6560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-206]
+
+testId=22944
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-207]
+
+testId=14752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-208]
+
+testId=31152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-209]
+
+testId=1456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-210]
+
+testId=17840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-211]
+
+testId=9632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-212]
+
+testId=26032
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-213]
+
+testId=5520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-214]
+
+testId=21920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-215]
+
+testId=13712
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-216]
+
+testId=30128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-217]
+
+testId=3488
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-218]
+
+testId=19856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-219]
+
+testId=11664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-220]
+
+testId=28080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-221]
+
+testId=7600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-222]
+
+testId=23936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-223]
+
+testId=15776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-224]
+
+testId=32128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-225]
+
+testId=928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-226]
+
+testId=17328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-227]
+
+testId=9088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-228]
+
+testId=25488
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-229]
+
+testId=5040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-230]
+
+testId=21424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-231]
+
+testId=13200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-232]
+
+testId=29584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-233]
+
+testId=2976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-234]
+
+testId=19376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-235]
+
+testId=11136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-236]
+
+testId=27552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-237]
+
+testId=7040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-238]
+
+testId=23456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-239]
+
+testId=15232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-240]
+
+testId=31664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-241]
+
+testId=1968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-242]
+
+testId=18336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-243]
+
+testId=10160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-244]
+
+testId=26496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-245]
+
+testId=6064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-246]
+
+testId=22432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-247]
+
+testId=14240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-248]
+
+testId=30640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-249]
+
+testId=3968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-250]
+
+testId=20368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-251]
+
+testId=12160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-252]
+
+testId=28592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-253]
+
+testId=8080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-254]
+
+testId=24480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-255]
+
+testId=16288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-256]
+
+testId=32672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-257]
+
+testId=112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-258]
+
+testId=16464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-259]
+
+testId=8272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-260]
+
+testId=24688
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-261]
+
+testId=4208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-262]
+
+testId=20544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-263]
+
+testId=12400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-264]
+
+testId=28784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-265]
+
+testId=2160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-266]
+
+testId=18544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-267]
+
+testId=10352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-268]
+
+testId=26688
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-269]
+
+testId=6240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-270]
+
+testId=22640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-271]
+
+testId=14400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-272]
+
+testId=30832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-273]
+
+testId=1136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-274]
+
+testId=17504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-275]
+
+testId=9296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-276]
+
+testId=25680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-277]
+
+testId=5232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-278]
+
+testId=21600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-279]
+
+testId=13376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-280]
+
+testId=29792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-281]
+
+testId=3152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-282]
+
+testId=19552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-283]
+
+testId=11328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-284]
+
+testId=27760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-285]
+
+testId=7248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-286]
+
+testId=23632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-287]
+
+testId=15424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-288]
+
+testId=31808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-289]
+
+testId=576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-290]
+
+testId=16976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-291]
+
+testId=8784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-292]
+
+testId=25168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-293]
+
+testId=4704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-294]
+
+testId=21104
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-295]
+
+testId=12880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-296]
+
+testId=29248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-297]
+
+testId=2624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-298]
+
+testId=19008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-299]
+
+testId=10816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-300]
+
+testId=27216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-301]
+
+testId=6752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-302]
+
+testId=23152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-303]
+
+testId=14944
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-304]
+
+testId=31328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-305]
+
+testId=1616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-306]
+
+testId=18000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-307]
+
+testId=9840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-308]
+
+testId=26176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-309]
+
+testId=5728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-310]
+
+testId=22128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-311]
+
+testId=13904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-312]
+
+testId=30320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-313]
+
+testId=3696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-314]
+
+testId=20048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-315]
+
+testId=11856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-316]
+
+testId=28240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-317]
+
+testId=7760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-318]
+
+testId=24176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-319]
+
+testId=15968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-320]
+
+testId=32320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-321]
+
+testId=352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-322]
+
+testId=16720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-323]
+
+testId=8560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-324]
+
+testId=24912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-325]
+
+testId=4448
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-326]
+
+testId=20832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-327]
+
+testId=12624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-328]
+
+testId=28992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-329]
+
+testId=2384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-330]
+
+testId=18784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-331]
+
+testId=10592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-332]
+
+testId=26976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-333]
+
+testId=6496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-334]
+
+testId=22896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-335]
+
+testId=14656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-336]
+
+testId=31040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-337]
+
+testId=1344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-338]
+
+testId=17776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-339]
+
+testId=9552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-340]
+
+testId=25968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-341]
+
+testId=5456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-342]
+
+testId=21872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-343]
+
+testId=13680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-344]
+
+testId=30064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-345]
+
+testId=3424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-346]
+
+testId=19776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-347]
+
+testId=11616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-348]
+
+testId=27968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-349]
+
+testId=7536
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-350]
+
+testId=23872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-351]
+
+testId=15680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-352]
+
+testId=32096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-353]
+
+testId=832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-354]
+
+testId=17232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-355]
+
+testId=9024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-356]
+
+testId=25408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-357]
+
+testId=4928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-358]
+
+testId=21328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-359]
+
+testId=13120
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-360]
+
+testId=29536
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-361]
+
+testId=2896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-362]
+
+testId=19312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-363]
+
+testId=11072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-364]
+
+testId=27472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-365]
+
+testId=6992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-366]
+
+testId=23360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-367]
+
+testId=15216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-368]
+
+testId=31600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-369]
+
+testId=1904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-370]
+
+testId=18272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-371]
+
+testId=10096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-372]
+
+testId=26464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-373]
+
+testId=5968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-374]
+
+testId=22352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-375]
+
+testId=14192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-376]
+
+testId=30544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-377]
+
+testId=3936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-378]
+
+testId=20336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-379]
+
+testId=12128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-380]
+
+testId=28496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-381]
+
+testId=8048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-382]
+
+testId=24400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-383]
+
+testId=16192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-384]
+
+testId=32608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-385]
+
+testId=240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-386]
+
+testId=16576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-387]
+
+testId=8400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-388]
+
+testId=24816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-389]
+
+testId=4336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-390]
+
+testId=20720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-391]
+
+testId=12512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-392]
+
+testId=28912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-393]
+
+testId=2272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-394]
+
+testId=18656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-395]
+
+testId=10464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-396]
+
+testId=26848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-397]
+
+testId=6336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-398]
+
+testId=22768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-399]
+
+testId=14544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-400]
+
+testId=30960
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-401]
+
+testId=1248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-402]
+
+testId=17616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-403]
+
+testId=9408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-404]
+
+testId=25792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-405]
+
+testId=5360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-406]
+
+testId=21712
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-407]
+
+testId=13520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-408]
+
+testId=29904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-409]
+
+testId=3264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-410]
+
+testId=19664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-411]
+
+testId=11456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-412]
+
+testId=27872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-413]
+
+testId=7408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-414]
+
+testId=23760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-415]
+
+testId=15600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-416]
+
+testId=31984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-417]
+
+testId=752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-418]
+
+testId=17088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-419]
+
+testId=8928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-420]
+
+testId=25296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-421]
+
+testId=4848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-422]
+
+testId=21216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-423]
+
+testId=13024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-424]
+
+testId=29376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-425]
+
+testId=2800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-426]
+
+testId=19136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-427]
+
+testId=10992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-428]
+
+testId=27328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-429]
+
+testId=6848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-430]
+
+testId=23232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-431]
+
+testId=15056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-432]
+
+testId=31440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-433]
+
+testId=1744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-434]
+
+testId=18128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-435]
+
+testId=9920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-436]
+
+testId=26352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-437]
+
+testId=5824
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-438]
+
+testId=22208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-439]
+
+testId=14016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-440]
+
+testId=30400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-441]
+
+testId=3808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-442]
+
+testId=20176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-443]
+
+testId=12016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-444]
+
+testId=28384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-445]
+
+testId=7888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-446]
+
+testId=24288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-447]
+
+testId=16096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-448]
+
+testId=32480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-449]
+
+testId=480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-450]
+
+testId=16848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-451]
+
+testId=8672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-452]
+
+testId=25072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-453]
+
+testId=4544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-454]
+
+testId=20928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-455]
+
+testId=12784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-456]
+
+testId=29168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-457]
+
+testId=2496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-458]
+
+testId=18912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-459]
+
+testId=10736
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-460]
+
+testId=27072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-461]
+
+testId=6608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-462]
+
+testId=23024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-463]
+
+testId=14784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-464]
+
+testId=31168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-465]
+
+testId=1472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-466]
+
+testId=17904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-467]
+
+testId=9696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-468]
+
+testId=26096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-469]
+
+testId=5616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-470]
+
+testId=22000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-471]
+
+testId=13760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-472]
+
+testId=30176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-473]
+
+testId=3520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-474]
+
+testId=19936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-475]
+
+testId=11744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-476]
+
+testId=28096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-477]
+
+testId=7632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-478]
+
+testId=24048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-479]
+
+testId=15856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-480]
+
+testId=32224
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-481]
+
+testId=1008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-482]
+
+testId=17392
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-483]
+
+testId=9152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-484]
+
+testId=25568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-485]
+
+testId=5104
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-486]
+
+testId=21440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-487]
+
+testId=13296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-488]
+
+testId=29648
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-489]
+
+testId=3008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-490]
+
+testId=19440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-491]
+
+testId=11200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-492]
+
+testId=27600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-493]
+
+testId=7136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-494]
+
+testId=23536
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-495]
+
+testId=15296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-496]
+
+testId=31680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-497]
+
+testId=2000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-498]
+
+testId=18384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-499]
+
+testId=10208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-500]
+
+testId=26592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-501]
+
+testId=6080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-502]
+
+testId=22496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-503]
+
+testId=14320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-504]
+
+testId=30704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-505]
+
+testId=4048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-506]
+
+testId=20432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-507]
+
+testId=12224
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-508]
+
+testId=28640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-509]
+
+testId=8160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-510]
+
+testId=24512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-511]
+
+testId=16352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-512]
+
+testId=32752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-513]
+
+testId=40
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-514]
+
+testId=16424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-515]
+
+testId=8200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-516]
+
+testId=24600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-517]
+
+testId=4120
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-518]
+
+testId=20520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-519]
+
+testId=12312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-520]
+
+testId=28680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-521]
+
+testId=2056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-522]
+
+testId=18488
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-523]
+
+testId=10264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-524]
+
+testId=26632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-525]
+
+testId=6152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-526]
+
+testId=22552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-527]
+
+testId=14344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-528]
+
+testId=30760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-529]
+
+testId=1048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-530]
+
+testId=17416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-531]
+
+testId=9256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-532]
+
+testId=25640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-533]
+
+testId=5176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-534]
+
+testId=21560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-535]
+
+testId=13368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-536]
+
+testId=29752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-537]
+
+testId=3080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-538]
+
+testId=19512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-539]
+
+testId=11320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-540]
+
+testId=27656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-541]
+
+testId=7208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-542]
+
+testId=23560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-543]
+
+testId=15384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-544]
+
+testId=31768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-545]
+
+testId=568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-546]
+
+testId=16920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-547]
+
+testId=8712
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-548]
+
+testId=25144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-549]
+
+testId=4616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-550]
+
+testId=21016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-551]
+
+testId=12840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-552]
+
+testId=29208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-553]
+
+testId=2568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-554]
+
+testId=19000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-555]
+
+testId=10808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-556]
+
+testId=27160
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-557]
+
+testId=6664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-558]
+
+testId=23048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-559]
+
+testId=14904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-560]
+
+testId=31272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-561]
+
+testId=1576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-562]
+
+testId=17976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-563]
+
+testId=9736
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-564]
+
+testId=26152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-565]
+
+testId=5688
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-566]
+
+testId=22024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-567]
+
+testId=13880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-568]
+
+testId=30248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-569]
+
+testId=3640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-570]
+
+testId=19992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-571]
+
+testId=11832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-572]
+
+testId=28216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-573]
+
+testId=7704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-574]
+
+testId=24072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-575]
+
+testId=15880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-576]
+
+testId=32264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-577]
+
+testId=264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-578]
+
+testId=16696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-579]
+
+testId=8456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-580]
+
+testId=24840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-581]
+
+testId=4408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-582]
+
+testId=20792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-583]
+
+testId=12600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-584]
+
+testId=28984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-585]
+
+testId=2312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-586]
+
+testId=18696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-587]
+
+testId=10504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-588]
+
+testId=26920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-589]
+
+testId=6424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-590]
+
+testId=22808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-591]
+
+testId=14632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-592]
+
+testId=31000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-593]
+
+testId=1336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-594]
+
+testId=17720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-595]
+
+testId=9480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-596]
+
+testId=25896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-597]
+
+testId=5400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-598]
+
+testId=21768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-599]
+
+testId=13624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-600]
+
+testId=29976
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-601]
+
+testId=3384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-602]
+
+testId=19752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-603]
+
+testId=11544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-604]
+
+testId=27912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-605]
+
+testId=7480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-606]
+
+testId=23832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-607]
+
+testId=15672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-608]
+
+testId=32040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-609]
+
+testId=824
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-610]
+
+testId=17208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-611]
+
+testId=8968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-612]
+
+testId=25400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-613]
+
+testId=4872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-614]
+
+testId=21272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-615]
+
+testId=13112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-616]
+
+testId=29464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-617]
+
+testId=2840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-618]
+
+testId=19208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-619]
+
+testId=11064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-620]
+
+testId=27432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-621]
+
+testId=6920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-622]
+
+testId=23352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-623]
+
+testId=15112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-624]
+
+testId=31512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-625]
+
+testId=1832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-626]
+
+testId=18232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-627]
+
+testId=10008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-628]
+
+testId=26376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-629]
+
+testId=5912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-630]
+
+testId=22312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-631]
+
+testId=14088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-632]
+
+testId=30520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-633]
+
+testId=3848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-634]
+
+testId=20264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-635]
+
+testId=12072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-636]
+
+testId=28440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-637]
+
+testId=7992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-638]
+
+testId=24344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-639]
+
+testId=16168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-640]
+
+testId=32520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-641]
+
+testId=152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-642]
+
+testId=16552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-643]
+
+testId=8360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-644]
+
+testId=24744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-645]
+
+testId=4280
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-646]
+
+testId=20664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-647]
+
+testId=12424
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-648]
+
+testId=28840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-649]
+
+testId=2184
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-650]
+
+testId=18568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-651]
+
+testId=10392
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-652]
+
+testId=26792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-653]
+
+testId=6328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-654]
+
+testId=22696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-655]
+
+testId=14488
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-656]
+
+testId=30856
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-657]
+
+testId=1208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-658]
+
+testId=17560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-659]
+
+testId=9368
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-660]
+
+testId=25752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-661]
+
+testId=5272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-662]
+
+testId=21672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-663]
+
+testId=13464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-664]
+
+testId=29880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-665]
+
+testId=3240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-666]
+
+testId=19608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-667]
+
+testId=11448
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-668]
+
+testId=27816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-669]
+
+testId=7320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-670]
+
+testId=23704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-671]
+
+testId=15544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-672]
+
+testId=31880
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-673]
+
+testId=664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-674]
+
+testId=17048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-675]
+
+testId=8888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-676]
+
+testId=25272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-677]
+
+testId=4792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-678]
+
+testId=21176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-679]
+
+testId=12952
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-680]
+
+testId=29336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-681]
+
+testId=2728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-682]
+
+testId=19096
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-683]
+
+testId=10936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-684]
+
+testId=27272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-685]
+
+testId=6840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-686]
+
+testId=23192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-687]
+
+testId=15016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-688]
+
+testId=31416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-689]
+
+testId=1672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-690]
+
+testId=18056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-691]
+
+testId=9912
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-692]
+
+testId=26264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-693]
+
+testId=5816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-694]
+
+testId=22168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-695]
+
+testId=14008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-696]
+
+testId=30392
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-697]
+
+testId=3736
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-698]
+
+testId=20104
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-699]
+
+testId=11928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-700]
+
+testId=28296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-701]
+
+testId=7816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-702]
+
+testId=24232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-703]
+
+testId=16040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-704]
+
+testId=32440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-705]
+
+testId=408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-706]
+
+testId=16824
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-707]
+
+testId=8600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-708]
+
+testId=25000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-709]
+
+testId=4504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-710]
+
+testId=20920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-711]
+
+testId=12680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-712]
+
+testId=29080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-713]
+
+testId=2440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-714]
+
+testId=18824
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-715]
+
+testId=10664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-716]
+
+testId=27048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-717]
+
+testId=6584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-718]
+
+testId=22936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-719]
+
+testId=14760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-720]
+
+testId=31128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-721]
+
+testId=1432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-722]
+
+testId=17800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-723]
+
+testId=9656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-724]
+
+testId=26040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-725]
+
+testId=5512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-726]
+
+testId=21896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-727]
+
+testId=13752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-728]
+
+testId=30104
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-729]
+
+testId=3464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-730]
+
+testId=19896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-731]
+
+testId=11672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-732]
+
+testId=28088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-733]
+
+testId=7592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-734]
+
+testId=23992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-735]
+
+testId=15800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-736]
+
+testId=32168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-737]
+
+testId=904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-738]
+
+testId=17288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-739]
+
+testId=9144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-740]
+
+testId=25512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-741]
+
+testId=5016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-742]
+
+testId=21384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-743]
+
+testId=13192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-744]
+
+testId=29624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-745]
+
+testId=3000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-746]
+
+testId=19352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-747]
+
+testId=11144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-748]
+
+testId=27576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-749]
+
+testId=7080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-750]
+
+testId=23480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-751]
+
+testId=15288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-752]
+
+testId=31624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-753]
+
+testId=1928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-754]
+
+testId=18360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-755]
+
+testId=10168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-756]
+
+testId=26504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-757]
+
+testId=6040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-758]
+
+testId=22440
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-759]
+
+testId=14248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-760]
+
+testId=30616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-761]
+
+testId=3992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-762]
+
+testId=20408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-763]
+
+testId=12216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-764]
+
+testId=28584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-765]
+
+testId=8088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-766]
+
+testId=24504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-767]
+
+testId=16296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-768]
+
+testId=32664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-769]
+
+testId=120
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-770]
+
+testId=16504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-771]
+
+testId=8312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-772]
+
+testId=24664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-773]
+
+testId=4168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-774]
+
+testId=20600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-775]
+
+testId=12392
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-776]
+
+testId=28760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-777]
+
+testId=2136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-778]
+
+testId=18520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-779]
+
+testId=10312
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-780]
+
+testId=26744
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-781]
+
+testId=6264
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-782]
+
+testId=22600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-783]
+
+testId=14456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-784]
+
+testId=30840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-785]
+
+testId=1128
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-786]
+
+testId=17496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-787]
+
+testId=9336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-788]
+
+testId=25672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-789]
+
+testId=5240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-790]
+
+testId=21608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-791]
+
+testId=13416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-792]
+
+testId=29800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-793]
+
+testId=3144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-794]
+
+testId=19528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-795]
+
+testId=11336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-796]
+
+testId=27752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-797]
+
+testId=7240
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-798]
+
+testId=23672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-799]
+
+testId=15448
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-800]
+
+testId=31848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-801]
+
+testId=616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-802]
+
+testId=16968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-803]
+
+testId=8776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-804]
+
+testId=25208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-805]
+
+testId=4680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-806]
+
+testId=21112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-807]
+
+testId=12872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-808]
+
+testId=29288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-809]
+
+testId=2648
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-810]
+
+testId=19032
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-811]
+
+testId=10840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-812]
+
+testId=27224
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-813]
+
+testId=6776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-814]
+
+testId=23112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-815]
+
+testId=14968
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-816]
+
+testId=31320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-817]
+
+testId=1608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-818]
+
+testId=17992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-819]
+
+testId=9832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-820]
+
+testId=26200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-821]
+
+testId=5752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-822]
+
+testId=22136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-823]
+
+testId=13896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-824]
+
+testId=30296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-825]
+
+testId=3672
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-826]
+
+testId=20072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-827]
+
+testId=11864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-828]
+
+testId=28280
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-829]
+
+testId=7768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-830]
+
+testId=24168
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-831]
+
+testId=15992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-832]
+
+testId=32328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-833]
+
+testId=344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-834]
+
+testId=16760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-835]
+
+testId=8568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-836]
+
+testId=24904
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-837]
+
+testId=4472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-838]
+
+testId=20808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-839]
+
+testId=12664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-840]
+
+testId=29016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-841]
+
+testId=2408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-842]
+
+testId=18776
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-843]
+
+testId=10616
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-844]
+
+testId=26984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-845]
+
+testId=6504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-846]
+
+testId=22872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-847]
+
+testId=14696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-848]
+
+testId=31064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-849]
+
+testId=1400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-850]
+
+testId=17752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-851]
+
+testId=9576
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-852]
+
+testId=25928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-853]
+
+testId=5480
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-854]
+
+testId=21848
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-855]
+
+testId=13688
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-856]
+
+testId=30040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-857]
+
+testId=3448
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-858]
+
+testId=19816
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-859]
+
+testId=11608
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-860]
+
+testId=28024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-861]
+
+testId=7512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-862]
+
+testId=23928
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-863]
+
+testId=15720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-864]
+
+testId=32120
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-865]
+
+testId=888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-866]
+
+testId=17256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-867]
+
+testId=9064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-868]
+
+testId=25432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-869]
+
+testId=4936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-870]
+
+testId=21352
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-871]
+
+testId=13144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-872]
+
+testId=29528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-873]
+
+testId=2920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-874]
+
+testId=19272
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-875]
+
+testId=11080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-876]
+
+testId=27512
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-877]
+
+testId=7016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-878]
+
+testId=23416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-879]
+
+testId=15176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-880]
+
+testId=31560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-881]
+
+testId=1864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-882]
+
+testId=18248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-883]
+
+testId=10056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-884]
+
+testId=26472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-885]
+
+testId=6008
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-886]
+
+testId=22360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-887]
+
+testId=14200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-888]
+
+testId=30584
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-889]
+
+testId=3944
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-890]
+
+testId=20328
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-891]
+
+testId=12152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-892]
+
+testId=28520
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-893]
+
+testId=8024
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-894]
+
+testId=24408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-895]
+
+testId=16232
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-896]
+
+testId=32600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-897]
+
+testId=216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-898]
+
+testId=16600
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-899]
+
+testId=8408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-900]
+
+testId=24824
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-901]
+
+testId=4344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-902]
+
+testId=20696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-903]
+
+testId=12504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-904]
+
+testId=28872
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-905]
+
+testId=2296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-906]
+
+testId=18648
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-907]
+
+testId=10472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-908]
+
+testId=26840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-909]
+
+testId=6376
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-910]
+
+testId=22728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-911]
+
+testId=14568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-912]
+
+testId=30936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-913]
+
+testId=1256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-914]
+
+testId=17656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-915]
+
+testId=9432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-916]
+
+testId=25800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-917]
+
+testId=5336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-918]
+
+testId=21720
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-919]
+
+testId=13528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-920]
+
+testId=29896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-921]
+
+testId=3304
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-922]
+
+testId=19656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-923]
+
+testId=11464
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-924]
+
+testId=27864
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-925]
+
+testId=7384
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-926]
+
+testId=23800
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-927]
+
+testId=15592
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-928]
+
+testId=31944
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-929]
+
+testId=728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-930]
+
+testId=17144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-931]
+
+testId=8920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-932]
+
+testId=25336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-933]
+
+testId=4840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-934]
+
+testId=21208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-935]
+
+testId=13000
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-936]
+
+testId=29416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-937]
+
+testId=2792
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-938]
+
+testId=19192
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-939]
+
+testId=10952
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-940]
+
+testId=27336
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-941]
+
+testId=6888
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-942]
+
+testId=23288
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-943]
+
+testId=15080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-944]
+
+testId=31432
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-945]
+
+testId=1784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-946]
+
+testId=18136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-947]
+
+testId=9944
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-948]
+
+testId=26360
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-949]
+
+testId=5832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-950]
+
+testId=22216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-951]
+
+testId=14056
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-952]
+
+testId=30456
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-953]
+
+testId=3784
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-954]
+
+testId=20216
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-955]
+
+testId=11992
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-956]
+
+testId=28408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-957]
+
+testId=7896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-958]
+
+testId=24280
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-959]
+
+testId=16088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-960]
+
+testId=32504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-961]
+
+testId=504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-962]
+
+testId=16840
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-963]
+
+testId=8664
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-964]
+
+testId=25048
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-965]
+
+testId=4552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-966]
+
+testId=20936
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-967]
+
+testId=12760
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-968]
+
+testId=29144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-969]
+
+testId=2504
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-970]
+
+testId=18920
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-971]
+
+testId=10696
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-972]
+
+testId=27112
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-973]
+
+testId=6648
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-974]
+
+testId=23016
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-975]
+
+testId=14808
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-976]
+
+testId=31224
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-977]
+
+testId=1528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-978]
+
+testId=17896
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-979]
+
+testId=9704
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-980]
+
+testId=26072
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-981]
+
+testId=5624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-982]
+
+testId=21960
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-983]
+
+testId=13768
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-984]
+
+testId=30152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-985]
+
+testId=3528
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-986]
+
+testId=19960
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-987]
+
+testId=11752
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-988]
+
+testId=28136
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-989]
+
+testId=7656
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-990]
+
+testId=24040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-991]
+
+testId=15832
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-992]
+
+testId=32248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-993]
+
+testId=984
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-994]
+
+testId=17400
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-995]
+
+testId=9176
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-996]
+
+testId=25560
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-997]
+
+testId=5080
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-998]
+
+testId=21496
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-999]
+
+testId=13256
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1000]
+
+testId=29640
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1001]
+
+testId=3064
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1002]
+
+testId=19416
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1003]
+
+testId=11208
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1004]
+
+testId=27624
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1005]
+
+testId=7144
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1006]
+
+testId=23544
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1007]
+
+testId=15320
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1008]
+
+testId=31688
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1009]
+
+testId=2040
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1010]
+
+testId=18408
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1011]
+
+testId=10200
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1012]
+
+testId=26568
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1013]
+
+testId=6088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1014]
+
+testId=22488
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1015]
+
+testId=14296
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1016]
+
+testId=30680
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1017]
+
+testId=4088
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1018]
+
+testId=20472
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1019]
+
+testId=12248
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1020]
+
+testId=28632
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1021]
+
+testId=8152
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1022]
+
+testId=24552
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1023]
+
+testId=16344
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1024]
+
+testId=32728
+testname=ClientCert_none ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1025]
+
+testId=20
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1026]
+
+testId=16388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1027]
+
+testId=8244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1028]
+
+testId=24612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1029]
+
+testId=4116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1030]
+
+testId=20484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1031]
+
+testId=12324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1032]
+
+testId=28708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1033]
+
+testId=2084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1034]
+
+testId=18484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1035]
+
+testId=10292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1036]
+
+testId=26628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1037]
+
+testId=6164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1038]
+
+testId=22548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1039]
+
+testId=14372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1040]
+
+testId=30740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1041]
+
+testId=1076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1042]
+
+testId=17412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1043]
+
+testId=9220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1044]
+
+testId=25604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1045]
+
+testId=5172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1046]
+
+testId=21524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1047]
+
+testId=13332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1048]
+
+testId=29716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1049]
+
+testId=3108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1050]
+
+testId=19492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1051]
+
+testId=11316
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1052]
+
+testId=27684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1053]
+
+testId=7220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1054]
+
+testId=23556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1055]
+
+testId=15412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1056]
+
+testId=31780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1057]
+
+testId=548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1058]
+
+testId=16916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1059]
+
+testId=8740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1060]
+
+testId=25108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1061]
+
+testId=4644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1062]
+
+testId=20996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1063]
+
+testId=12820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1064]
+
+testId=29236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1065]
+
+testId=2596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1066]
+
+testId=18964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1067]
+
+testId=10804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1068]
+
+testId=27156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1069]
+
+testId=6660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1070]
+
+testId=23076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1071]
+
+testId=14884
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1072]
+
+testId=31236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1073]
+
+testId=1556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1074]
+
+testId=17924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1075]
+
+testId=9780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1076]
+
+testId=26132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1077]
+
+testId=5636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1078]
+
+testId=22036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1079]
+
+testId=13876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1080]
+
+testId=30244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1081]
+
+testId=3636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1082]
+
+testId=19988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1083]
+
+testId=11780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1084]
+
+testId=28196
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1085]
+
+testId=7732
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1086]
+
+testId=24100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1087]
+
+testId=15924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1088]
+
+testId=32276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1089]
+
+testId=292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1090]
+
+testId=16676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1091]
+
+testId=8484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1092]
+
+testId=24852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1093]
+
+testId=4356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1094]
+
+testId=20772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1095]
+
+testId=12564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1096]
+
+testId=28980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1097]
+
+testId=2308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1098]
+
+testId=18708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1099]
+
+testId=10516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1100]
+
+testId=26932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1101]
+
+testId=6404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1102]
+
+testId=22804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1103]
+
+testId=14628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1104]
+
+testId=30980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1105]
+
+testId=1284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1106]
+
+testId=17716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1107]
+
+testId=9524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1108]
+
+testId=25908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1109]
+
+testId=5412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1110]
+
+testId=21796
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1111]
+
+testId=13604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1112]
+
+testId=29956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1113]
+
+testId=3380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1114]
+
+testId=19732
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1115]
+
+testId=11540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1116]
+
+testId=27908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1117]
+
+testId=7476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1118]
+
+testId=23812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1119]
+
+testId=15668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1120]
+
+testId=32036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1121]
+
+testId=772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1122]
+
+testId=17172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1123]
+
+testId=9012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1124]
+
+testId=25348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1125]
+
+testId=4884
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1126]
+
+testId=21300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1127]
+
+testId=13108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1128]
+
+testId=29460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1129]
+
+testId=2868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1130]
+
+testId=19252
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1131]
+
+testId=11028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1132]
+
+testId=27396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1133]
+
+testId=6932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1134]
+
+testId=23300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1135]
+
+testId=15124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1136]
+
+testId=31540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1137]
+
+testId=1812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1138]
+
+testId=18228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1139]
+
+testId=10020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1140]
+
+testId=26372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1141]
+
+testId=5924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1142]
+
+testId=22292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1143]
+
+testId=14100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1144]
+
+testId=30484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1145]
+
+testId=3844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1146]
+
+testId=20228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1147]
+
+testId=12036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1148]
+
+testId=28420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1149]
+
+testId=7988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1150]
+
+testId=24372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1151]
+
+testId=16148
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1152]
+
+testId=32564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1153]
+
+testId=164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1154]
+
+testId=16516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1155]
+
+testId=8372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1156]
+
+testId=24740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1157]
+
+testId=4244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1158]
+
+testId=20644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1159]
+
+testId=12452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1160]
+
+testId=28804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1161]
+
+testId=2228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1162]
+
+testId=18564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1163]
+
+testId=10388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1164]
+
+testId=26756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1165]
+
+testId=6292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1166]
+
+testId=22692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1167]
+
+testId=14500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1168]
+
+testId=30852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1169]
+
+testId=1204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1170]
+
+testId=17540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1171]
+
+testId=9396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1172]
+
+testId=25780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1173]
+
+testId=5268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1174]
+
+testId=21684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1175]
+
+testId=13492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1176]
+
+testId=29844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1177]
+
+testId=3204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1178]
+
+testId=19604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1179]
+
+testId=11428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1180]
+
+testId=27812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1181]
+
+testId=7348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1182]
+
+testId=23684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1183]
+
+testId=15508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1184]
+
+testId=31908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1185]
+
+testId=692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1186]
+
+testId=17076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1187]
+
+testId=8868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1188]
+
+testId=25268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1189]
+
+testId=4772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1190]
+
+testId=21140
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1191]
+
+testId=12964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1192]
+
+testId=29348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1193]
+
+testId=2708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1194]
+
+testId=19092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1195]
+
+testId=10900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1196]
+
+testId=27300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1197]
+
+testId=6788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1198]
+
+testId=23172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1199]
+
+testId=15012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1200]
+
+testId=31380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1201]
+
+testId=1668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1202]
+
+testId=18084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1203]
+
+testId=9860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1204]
+
+testId=26276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1205]
+
+testId=5780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1206]
+
+testId=22180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1207]
+
+testId=13988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1208]
+
+testId=30388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1209]
+
+testId=3764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1210]
+
+testId=20100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1211]
+
+testId=11956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1212]
+
+testId=28292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1213]
+
+testId=7860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1214]
+
+testId=24228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1215]
+
+testId=16052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1216]
+
+testId=32404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1217]
+
+testId=404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1218]
+
+testId=16772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1219]
+
+testId=8580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1220]
+
+testId=24964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1221]
+
+testId=4516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1222]
+
+testId=20900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1223]
+
+testId=12676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1224]
+
+testId=29092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1225]
+
+testId=2436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1226]
+
+testId=18836
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1227]
+
+testId=10628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1228]
+
+testId=27012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1229]
+
+testId=6532
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1230]
+
+testId=22932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1231]
+
+testId=14740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1232]
+
+testId=31108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1233]
+
+testId=1428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1234]
+
+testId=17844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1235]
+
+testId=9636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1236]
+
+testId=26004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1237]
+
+testId=5540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1238]
+
+testId=21892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1239]
+
+testId=13700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1240]
+
+testId=30132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1241]
+
+testId=3460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1242]
+
+testId=19876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1243]
+
+testId=11700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1244]
+
+testId=28036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1245]
+
+testId=7588
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1246]
+
+testId=23988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1247]
+
+testId=15764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1248]
+
+testId=32164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1249]
+
+testId=900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1250]
+
+testId=17300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1251]
+
+testId=9092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1252]
+
+testId=25524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1253]
+
+testId=5028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1254]
+
+testId=21412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1255]
+
+testId=13220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1256]
+
+testId=29604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1257]
+
+testId=2948
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1258]
+
+testId=19380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1259]
+
+testId=11156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1260]
+
+testId=27540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1261]
+
+testId=7092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1262]
+
+testId=23444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1263]
+
+testId=15284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1264]
+
+testId=31668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1265]
+
+testId=1940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1266]
+
+testId=18308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1267]
+
+testId=10164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1268]
+
+testId=26532
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1269]
+
+testId=6052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1270]
+
+testId=22452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1271]
+
+testId=14260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1272]
+
+testId=30628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1273]
+
+testId=4020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1274]
+
+testId=20404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1275]
+
+testId=12164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1276]
+
+testId=28548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1277]
+
+testId=8068
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1278]
+
+testId=24468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1279]
+
+testId=16260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1280]
+
+testId=32644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1281]
+
+testId=68
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1282]
+
+testId=16484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1283]
+
+testId=8292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1284]
+
+testId=24644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1285]
+
+testId=4180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1286]
+
+testId=20580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1287]
+
+testId=12372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1288]
+
+testId=28756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1289]
+
+testId=2132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1290]
+
+testId=18516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1291]
+
+testId=10324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1292]
+
+testId=26740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1293]
+
+testId=6260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1294]
+
+testId=22644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1295]
+
+testId=14436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1296]
+
+testId=30820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1297]
+
+testId=1124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1298]
+
+testId=17492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1299]
+
+testId=9300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1300]
+
+testId=25668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1301]
+
+testId=5204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1302]
+
+testId=21572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1303]
+
+testId=13428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1304]
+
+testId=29812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1305]
+
+testId=3172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1306]
+
+testId=19540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1307]
+
+testId=11332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1308]
+
+testId=27716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1309]
+
+testId=7236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1310]
+
+testId=23636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1311]
+
+testId=15476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1312]
+
+testId=31828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1313]
+
+testId=580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1314]
+
+testId=16980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1315]
+
+testId=8820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1316]
+
+testId=25204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1317]
+
+testId=4724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1318]
+
+testId=21076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1319]
+
+testId=12916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1320]
+
+testId=29268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1321]
+
+testId=2676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1322]
+
+testId=19028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1323]
+
+testId=10852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1324]
+
+testId=27204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1325]
+
+testId=6724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1326]
+
+testId=23108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1327]
+
+testId=14932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1328]
+
+testId=31332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1329]
+
+testId=1636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1330]
+
+testId=17988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1331]
+
+testId=9812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1332]
+
+testId=26180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1333]
+
+testId=5700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1334]
+
+testId=22116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1335]
+
+testId=13940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1336]
+
+testId=30308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1337]
+
+testId=3668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1338]
+
+testId=20052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1339]
+
+testId=11844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1340]
+
+testId=28260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1341]
+
+testId=7796
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1342]
+
+testId=24180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1343]
+
+testId=15972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1344]
+
+testId=32340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1345]
+
+testId=356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1346]
+
+testId=16740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1347]
+
+testId=8564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1348]
+
+testId=24916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1349]
+
+testId=4452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1350]
+
+testId=20852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1351]
+
+testId=12628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1352]
+
+testId=29012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1353]
+
+testId=2388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1354]
+
+testId=18788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1355]
+
+testId=10596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1356]
+
+testId=26980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1357]
+
+testId=6516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1358]
+
+testId=22852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1359]
+
+testId=14692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1360]
+
+testId=31076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1361]
+
+testId=1348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1362]
+
+testId=17732
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1363]
+
+testId=9540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1364]
+
+testId=25924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1365]
+
+testId=5444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1366]
+
+testId=21860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1367]
+
+testId=13636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1368]
+
+testId=30052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1369]
+
+testId=3412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1370]
+
+testId=19812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1371]
+
+testId=11620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1372]
+
+testId=28020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1373]
+
+testId=7492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1374]
+
+testId=23924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1375]
+
+testId=15700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1376]
+
+testId=32100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1377]
+
+testId=852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1378]
+
+testId=17252
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1379]
+
+testId=9076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1380]
+
+testId=25460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1381]
+
+testId=4932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1382]
+
+testId=21364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1383]
+
+testId=13156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1384]
+
+testId=29508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1385]
+
+testId=2932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1386]
+
+testId=19300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1387]
+
+testId=11124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1388]
+
+testId=27476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1389]
+
+testId=7028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1390]
+
+testId=23412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1391]
+
+testId=15172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1392]
+
+testId=31556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1393]
+
+testId=1876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1394]
+
+testId=18244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1395]
+
+testId=10100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1396]
+
+testId=26468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1397]
+
+testId=6004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1398]
+
+testId=22388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1399]
+
+testId=14196
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1400]
+
+testId=30548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1401]
+
+testId=3924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1402]
+
+testId=20340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1403]
+
+testId=12100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1404]
+
+testId=28516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1405]
+
+testId=8052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1406]
+
+testId=24436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1407]
+
+testId=16212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1408]
+
+testId=32612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1409]
+
+testId=244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1410]
+
+testId=16612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1411]
+
+testId=8420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1412]
+
+testId=24820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1413]
+
+testId=4308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1414]
+
+testId=20708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1415]
+
+testId=12500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1416]
+
+testId=28900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1417]
+
+testId=2244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1418]
+
+testId=18644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1419]
+
+testId=10436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1420]
+
+testId=26868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1421]
+
+testId=6372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1422]
+
+testId=22724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1423]
+
+testId=14548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1424]
+
+testId=30932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1425]
+
+testId=1268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1426]
+
+testId=17636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1427]
+
+testId=9412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1428]
+
+testId=25844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1429]
+
+testId=5364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1430]
+
+testId=21700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1431]
+
+testId=13508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1432]
+
+testId=29892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1433]
+
+testId=3268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1434]
+
+testId=19700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1435]
+
+testId=11492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1436]
+
+testId=27892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1437]
+
+testId=7396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1438]
+
+testId=23748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1439]
+
+testId=15556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1440]
+
+testId=31940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1441]
+
+testId=740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1442]
+
+testId=17092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1443]
+
+testId=8948
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1444]
+
+testId=25332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1445]
+
+testId=4836
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1446]
+
+testId=21220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1447]
+
+testId=13012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1448]
+
+testId=29412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1449]
+
+testId=2756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1450]
+
+testId=19172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1451]
+
+testId=10964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1452]
+
+testId=27348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1453]
+
+testId=6900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1454]
+
+testId=23284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1455]
+
+testId=15076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1456]
+
+testId=31428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1457]
+
+testId=1764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1458]
+
+testId=18164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1459]
+
+testId=9924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1460]
+
+testId=26340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1461]
+
+testId=5844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1462]
+
+testId=22260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1463]
+
+testId=14020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1464]
+
+testId=30420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1465]
+
+testId=3780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1466]
+
+testId=20212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1467]
+
+testId=12020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1468]
+
+testId=28388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1469]
+
+testId=7908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1470]
+
+testId=24276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1471]
+
+testId=16084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1472]
+
+testId=32452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1473]
+
+testId=452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1474]
+
+testId=16836
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1475]
+
+testId=8660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1476]
+
+testId=25044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1477]
+
+testId=4596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1478]
+
+testId=20932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1479]
+
+testId=12756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1480]
+
+testId=29124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1481]
+
+testId=2500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1482]
+
+testId=18884
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1483]
+
+testId=10724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1484]
+
+testId=27108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1485]
+
+testId=6612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1486]
+
+testId=22996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1487]
+
+testId=14820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1488]
+
+testId=31172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1489]
+
+testId=1476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1490]
+
+testId=17860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1491]
+
+testId=9684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1492]
+
+testId=26084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1493]
+
+testId=5620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1494]
+
+testId=21956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1495]
+
+testId=13796
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1496]
+
+testId=30196
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1497]
+
+testId=3524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1498]
+
+testId=19956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1499]
+
+testId=11748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1500]
+
+testId=28116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1501]
+
+testId=7668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1502]
+
+testId=24052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1503]
+
+testId=15828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1504]
+
+testId=32212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1505]
+
+testId=964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1506]
+
+testId=17396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1507]
+
+testId=9172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1508]
+
+testId=25588
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1509]
+
+testId=5060
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1510]
+
+testId=21460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1511]
+
+testId=13252
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1512]
+
+testId=29668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1513]
+
+testId=3044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1514]
+
+testId=19412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1515]
+
+testId=11204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1516]
+
+testId=27588
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1517]
+
+testId=7124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1518]
+
+testId=23492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1519]
+
+testId=15332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1520]
+
+testId=31716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1521]
+
+testId=1988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1522]
+
+testId=18388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1523]
+
+testId=10180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1524]
+
+testId=26612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1525]
+
+testId=6084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1526]
+
+testId=22468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1527]
+
+testId=14276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1528]
+
+testId=30692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1529]
+
+testId=4052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1530]
+
+testId=20452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1531]
+
+testId=12244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1532]
+
+testId=28612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1533]
+
+testId=8180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1534]
+
+testId=24548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1535]
+
+testId=16356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1536]
+
+testId=32740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1537]
+
+testId=60
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1538]
+
+testId=16396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1539]
+
+testId=8252
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1540]
+
+testId=24604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1541]
+
+testId=4124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1542]
+
+testId=20508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1543]
+
+testId=12316
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1544]
+
+testId=28716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1545]
+
+testId=2108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1546]
+
+testId=18444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1547]
+
+testId=10284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1548]
+
+testId=26684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1549]
+
+testId=6188
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1550]
+
+testId=22556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1551]
+
+testId=14348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1552]
+
+testId=30764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1553]
+
+testId=1036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1554]
+
+testId=17436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1555]
+
+testId=9244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1556]
+
+testId=25612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1557]
+
+testId=5164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1558]
+
+testId=21516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1559]
+
+testId=13356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1560]
+
+testId=29708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1561]
+
+testId=3116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1562]
+
+testId=19484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1563]
+
+testId=11308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1564]
+
+testId=27660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1565]
+
+testId=7196
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1566]
+
+testId=23580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1567]
+
+testId=15404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1568]
+
+testId=31756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1569]
+
+testId=572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1570]
+
+testId=16956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1571]
+
+testId=8748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1572]
+
+testId=25132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1573]
+
+testId=4652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1574]
+
+testId=21036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1575]
+
+testId=12844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1576]
+
+testId=29244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1577]
+
+testId=2604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1578]
+
+testId=19004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1579]
+
+testId=10812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1580]
+
+testId=27164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1581]
+
+testId=6716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1582]
+
+testId=23100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1583]
+
+testId=14892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1584]
+
+testId=31244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1585]
+
+testId=1596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1586]
+
+testId=17948
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1587]
+
+testId=9788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1588]
+
+testId=26124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1589]
+
+testId=5660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1590]
+
+testId=22044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1591]
+
+testId=13852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1592]
+
+testId=30236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1593]
+
+testId=3612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1594]
+
+testId=19996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1595]
+
+testId=11820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1596]
+
+testId=28172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1597]
+
+testId=7708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1598]
+
+testId=24092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1599]
+
+testId=15900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1600]
+
+testId=32268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1601]
+
+testId=268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1602]
+
+testId=16684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1603]
+
+testId=8508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1604]
+
+testId=24844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1605]
+
+testId=4412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1606]
+
+testId=20780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1607]
+
+testId=12604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1608]
+
+testId=28972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1609]
+
+testId=2332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1610]
+
+testId=18716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1611]
+
+testId=10508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1612]
+
+testId=26924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1613]
+
+testId=6428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1614]
+
+testId=22828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1615]
+
+testId=14652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1616]
+
+testId=31036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1617]
+
+testId=1340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1618]
+
+testId=17676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1619]
+
+testId=9532
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1620]
+
+testId=25868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1621]
+
+testId=5420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1622]
+
+testId=21788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1623]
+
+testId=13612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1624]
+
+testId=29996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1625]
+
+testId=3372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1626]
+
+testId=19724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1627]
+
+testId=11564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1628]
+
+testId=27916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1629]
+
+testId=7452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1630]
+
+testId=23868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1631]
+
+testId=15660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1632]
+
+testId=32044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1633]
+
+testId=828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1634]
+
+testId=17212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1635]
+
+testId=8972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1636]
+
+testId=25372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1637]
+
+testId=4908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1638]
+
+testId=21292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1639]
+
+testId=13116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1640]
+
+testId=29452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1641]
+
+testId=2860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1642]
+
+testId=19212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1643]
+
+testId=11036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1644]
+
+testId=27452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1645]
+
+testId=6924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1646]
+
+testId=23340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1647]
+
+testId=15148
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1648]
+
+testId=31516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1649]
+
+testId=1820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1650]
+
+testId=18204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1651]
+
+testId=10012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1652]
+
+testId=26428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1653]
+
+testId=5916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1654]
+
+testId=22300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1655]
+
+testId=14124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1656]
+
+testId=30476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1657]
+
+testId=3852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1658]
+
+testId=20236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1659]
+
+testId=12092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1660]
+
+testId=28460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1661]
+
+testId=7948
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1662]
+
+testId=24332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1663]
+
+testId=16172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1664]
+
+testId=32572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1665]
+
+testId=156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1666]
+
+testId=16572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1667]
+
+testId=8364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1668]
+
+testId=24764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1669]
+
+testId=4284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1670]
+
+testId=20620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1671]
+
+testId=12460
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1672]
+
+testId=28860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1673]
+
+testId=2236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1674]
+
+testId=18604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1675]
+
+testId=10428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1676]
+
+testId=26780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1677]
+
+testId=6300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1678]
+
+testId=22668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1679]
+
+testId=14508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1680]
+
+testId=30876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1681]
+
+testId=1164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1682]
+
+testId=17564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1683]
+
+testId=9356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1684]
+
+testId=25740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1685]
+
+testId=5308
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1686]
+
+testId=21644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1687]
+
+testId=13484
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1688]
+
+testId=29868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1689]
+
+testId=3260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1690]
+
+testId=19628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1691]
+
+testId=11404
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1692]
+
+testId=27820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1693]
+
+testId=7356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1694]
+
+testId=23692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1695]
+
+testId=15548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1696]
+
+testId=31932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1697]
+
+testId=684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1698]
+
+testId=17036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1699]
+
+testId=8892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1700]
+
+testId=25276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1701]
+
+testId=4748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1702]
+
+testId=21164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1703]
+
+testId=12956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1704]
+
+testId=29340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1705]
+
+testId=2716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1706]
+
+testId=19116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1707]
+
+testId=10892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1708]
+
+testId=27324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1709]
+
+testId=6844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1710]
+
+testId=23228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1711]
+
+testId=15036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1712]
+
+testId=31388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1713]
+
+testId=1692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1714]
+
+testId=18076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1715]
+
+testId=9868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1716]
+
+testId=26268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1717]
+
+testId=5772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1718]
+
+testId=22188
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1719]
+
+testId=14012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1720]
+
+testId=30396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1721]
+
+testId=3740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1722]
+
+testId=20156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1723]
+
+testId=11964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1724]
+
+testId=28332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1725]
+
+testId=7836
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1726]
+
+testId=24204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1727]
+
+testId=16012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1728]
+
+testId=32412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1729]
+
+testId=396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1730]
+
+testId=16812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1731]
+
+testId=8620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1732]
+
+testId=25004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1733]
+
+testId=4540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1734]
+
+testId=20924
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1735]
+
+testId=12700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1736]
+
+testId=29116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1737]
+
+testId=2444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1738]
+
+testId=18828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1739]
+
+testId=10684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1740]
+
+testId=27020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1741]
+
+testId=6540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1742]
+
+testId=22972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1743]
+
+testId=14780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1744]
+
+testId=31164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1745]
+
+testId=1468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1746]
+
+testId=17804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1747]
+
+testId=9628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1748]
+
+testId=25996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1749]
+
+testId=5548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1750]
+
+testId=21932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1751]
+
+testId=13724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1752]
+
+testId=30092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1753]
+
+testId=3500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1754]
+
+testId=19900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1755]
+
+testId=11692
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1756]
+
+testId=28044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1757]
+
+testId=7596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1758]
+
+testId=23980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1759]
+
+testId=15788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1760]
+
+testId=32188
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1761]
+
+testId=908
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1762]
+
+testId=17340
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1763]
+
+testId=9148
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1764]
+
+testId=25500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1765]
+
+testId=5004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1766]
+
+testId=21420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1767]
+
+testId=13244
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1768]
+
+testId=29580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1769]
+
+testId=2988
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1770]
+
+testId=19388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1771]
+
+testId=11180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1772]
+
+testId=27548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1773]
+
+testId=7100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1774]
+
+testId=23452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1775]
+
+testId=15276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1776]
+
+testId=31628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1777]
+
+testId=1964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1778]
+
+testId=18316
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1779]
+
+testId=10156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1780]
+
+testId=26508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1781]
+
+testId=6076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1782]
+
+testId=22412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1783]
+
+testId=14236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1784]
+
+testId=30620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1785]
+
+testId=3980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1786]
+
+testId=20412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1787]
+
+testId=12188
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1788]
+
+testId=28556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1789]
+
+testId=8124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1790]
+
+testId=24508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1791]
+
+testId=16284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1792]
+
+testId=32684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1793]
+
+testId=124
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1794]
+
+testId=16508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1795]
+
+testId=8268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1796]
+
+testId=24652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1797]
+
+testId=4172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1798]
+
+testId=20556
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1799]
+
+testId=12412
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1800]
+
+testId=28748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1801]
+
+testId=2172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1802]
+
+testId=18540
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1803]
+
+testId=10332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1804]
+
+testId=26716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1805]
+
+testId=6252
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1806]
+
+testId=22620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1807]
+
+testId=14428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1808]
+
+testId=30828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1809]
+
+testId=1116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1810]
+
+testId=17516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1811]
+
+testId=9324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1812]
+
+testId=25708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1813]
+
+testId=5228
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1814]
+
+testId=21596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1815]
+
+testId=13436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1816]
+
+testId=29772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1817]
+
+testId=3148
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1818]
+
+testId=19580
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1819]
+
+testId=11372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1820]
+
+testId=27740
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1821]
+
+testId=7292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1822]
+
+testId=23660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1823]
+
+testId=15452
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1824]
+
+testId=31820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1825]
+
+testId=604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1826]
+
+testId=17020
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1827]
+
+testId=8780
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1828]
+
+testId=25212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1829]
+
+testId=4700
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1830]
+
+testId=21116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1831]
+
+testId=12892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1832]
+
+testId=29276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1833]
+
+testId=2652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1834]
+
+testId=19052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1835]
+
+testId=10828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1836]
+
+testId=27260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1837]
+
+testId=6764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1838]
+
+testId=23132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1839]
+
+testId=14972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1840]
+
+testId=31356
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1841]
+
+testId=1612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1842]
+
+testId=18012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1843]
+
+testId=9820
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1844]
+
+testId=26204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1845]
+
+testId=5708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1846]
+
+testId=22140
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1847]
+
+testId=13916
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1848]
+
+testId=30300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1849]
+
+testId=3676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1850]
+
+testId=20092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1851]
+
+testId=11900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1852]
+
+testId=28284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1853]
+
+testId=7756
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1854]
+
+testId=24188
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1855]
+
+testId=15980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1856]
+
+testId=32364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1857]
+
+testId=364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1858]
+
+testId=16764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1859]
+
+testId=8524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1860]
+
+testId=24940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1861]
+
+testId=4444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1862]
+
+testId=20812
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1863]
+
+testId=12636
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1864]
+
+testId=29052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1865]
+
+testId=2428
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1866]
+
+testId=18764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1867]
+
+testId=10620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1868]
+
+testId=27004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1869]
+
+testId=6476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1870]
+
+testId=22876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1871]
+
+testId=14684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1872]
+
+testId=31100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1873]
+
+testId=1388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1874]
+
+testId=17788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1875]
+
+testId=9548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1876]
+
+testId=25980
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1877]
+
+testId=5468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1878]
+
+testId=21852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1879]
+
+testId=13660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1880]
+
+testId=30028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1881]
+
+testId=3436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1882]
+
+testId=19804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1883]
+
+testId=11596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1884]
+
+testId=27996
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1885]
+
+testId=7516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1886]
+
+testId=23932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1887]
+
+testId=15708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1888]
+
+testId=32108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1889]
+
+testId=844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1890]
+
+testId=17260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1891]
+
+testId=9036
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1892]
+
+testId=25468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1893]
+
+testId=4956
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1894]
+
+testId=21324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1895]
+
+testId=13132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1896]
+
+testId=29516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1897]
+
+testId=2940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1898]
+
+testId=19276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1899]
+
+testId=11084
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1900]
+
+testId=27468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1901]
+
+testId=7004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1902]
+
+testId=23388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1903]
+
+testId=15180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1904]
+
+testId=31612
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1905]
+
+testId=1868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1906]
+
+testId=18268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1907]
+
+testId=10060
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1908]
+
+testId=26476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1909]
+
+testId=5964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1910]
+
+testId=22380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1911]
+
+testId=14204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1912]
+
+testId=30572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1913]
+
+testId=3932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1914]
+
+testId=20348
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1915]
+
+testId=12140
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1916]
+
+testId=28492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1917]
+
+testId=8028
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1918]
+
+testId=24444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1919]
+
+testId=16204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1920]
+
+testId=32620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1921]
+
+testId=220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1922]
+
+testId=16620
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1923]
+
+testId=8396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1924]
+
+testId=24828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1925]
+
+testId=4316
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1926]
+
+testId=20732
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1927]
+
+testId=12492
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1928]
+
+testId=28892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1929]
+
+testId=2284
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1930]
+
+testId=18684
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1931]
+
+testId=10444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1932]
+
+testId=26876
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1933]
+
+testId=6380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1934]
+
+testId=22732
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1935]
+
+testId=14572
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1936]
+
+testId=30940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1937]
+
+testId=1276
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1938]
+
+testId=17660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1939]
+
+testId=9420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1940]
+
+testId=25852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1941]
+
+testId=5372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1942]
+
+testId=21708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1943]
+
+testId=13532
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1944]
+
+testId=29932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1945]
+
+testId=3292
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1946]
+
+testId=19660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1947]
+
+testId=11468
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1948]
+
+testId=27868
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1949]
+
+testId=7420
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1950]
+
+testId=23788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1951]
+
+testId=15596
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1952]
+
+testId=31964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1953]
+
+testId=748
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1954]
+
+testId=17116
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1955]
+
+testId=8940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1956]
+
+testId=25324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1957]
+
+testId=4828
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1958]
+
+testId=21212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1959]
+
+testId=13004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1960]
+
+testId=29388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1961]
+
+testId=2796
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1962]
+
+testId=19180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1963]
+
+testId=10972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1964]
+
+testId=27372
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1965]
+
+testId=6860
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1966]
+
+testId=23260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1967]
+
+testId=15052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1968]
+
+testId=31436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1969]
+
+testId=1788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1970]
+
+testId=18140
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1971]
+
+testId=9932
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1972]
+
+testId=26364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1973]
+
+testId=5884
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1974]
+
+testId=22268
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1975]
+
+testId=14076
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1976]
+
+testId=30444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1977]
+
+testId=3788
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1978]
+
+testId=20220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1979]
+
+testId=12012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1980]
+
+testId=28380
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1981]
+
+testId=7900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1982]
+
+testId=24300
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1983]
+
+testId=16108
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1984]
+
+testId=32476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1985]
+
+testId=476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1986]
+
+testId=16844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1987]
+
+testId=8668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1988]
+
+testId=25068
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1989]
+
+testId=4604
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1990]
+
+testId=20940
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1991]
+
+testId=12764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1992]
+
+testId=29132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1993]
+
+testId=2508
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1994]
+
+testId=18892
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1995]
+
+testId=10716
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1996]
+
+testId=27100
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1997]
+
+testId=6652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1998]
+
+testId=23004
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-1999]
+
+testId=14844
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2000]
+
+testId=31180
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2001]
+
+testId=1516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2002]
+
+testId=17900
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2003]
+
+testId=9708
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2004]
+
+testId=26092
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2005]
+
+testId=5628
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2006]
+
+testId=21964
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2007]
+
+testId=13804
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2008]
+
+testId=30204
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2009]
+
+testId=3564
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2010]
+
+testId=19948
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2011]
+
+testId=11772
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2012]
+
+testId=28156
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2013]
+
+testId=7660
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2014]
+
+testId=24012
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2015]
+
+testId=15852
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2016]
+
+testId=32220
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2017]
+
+testId=972
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2018]
+
+testId=17388
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2019]
+
+testId=9164
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2020]
+
+testId=25548
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2021]
+
+testId=5068
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2022]
+
+testId=21500
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2023]
+
+testId=13260
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2024]
+
+testId=29676
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2025]
+
+testId=3052
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2026]
+
+testId=19436
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2027]
+
+testId=11212
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2028]
+
+testId=27644
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2029]
+
+testId=7132
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2030]
+
+testId=23516
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2031]
+
+testId=15324
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2032]
+
+testId=31724
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2033]
+
+testId=2044
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2034]
+
+testId=18396
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2035]
+
+testId=10236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2036]
+
+testId=26588
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2037]
+
+testId=6140
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2038]
+
+testId=22476
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2039]
+
+testId=14332
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2040]
+
+testId=30668
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2041]
+
+testId=4060
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2042]
+
+testId=20444
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2043]
+
+testId=12236
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2044]
+
+testId=28652
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2045]
+
+testId=8172
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2046]
+
+testId=24524
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2047]
+
+testId=16364
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2048]
+
+testId=32764
+testname=ClientCert_none ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2049]
+
+testId=2
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2050]
+
+testId=16402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2051]
+
+testId=8242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2052]
+
+testId=24594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2053]
+
+testId=4098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2054]
+
+testId=20482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2055]
+
+testId=12322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2056]
+
+testId=28722
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2057]
+
+testId=2066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2058]
+
+testId=18466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2059]
+
+testId=10258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2060]
+
+testId=26674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2061]
+
+testId=6194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2062]
+
+testId=22578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2063]
+
+testId=14386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2064]
+
+testId=30738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2065]
+
+testId=1058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2066]
+
+testId=17458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2067]
+
+testId=9218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2068]
+
+testId=25634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2069]
+
+testId=5122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2070]
+
+testId=21506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2071]
+
+testId=13314
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2072]
+
+testId=29730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2073]
+
+testId=3122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2074]
+
+testId=19458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2075]
+
+testId=11266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2076]
+
+testId=27650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2077]
+
+testId=7218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2078]
+
+testId=23554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2079]
+
+testId=15378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2080]
+
+testId=31762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2081]
+
+testId=562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2082]
+
+testId=16930
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2083]
+
+testId=8754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2084]
+
+testId=25106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2085]
+
+testId=4658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2086]
+
+testId=20994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2087]
+
+testId=12802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2088]
+
+testId=29186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2089]
+
+testId=2562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2090]
+
+testId=18994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2091]
+
+testId=10786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2092]
+
+testId=27186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2093]
+
+testId=6706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2094]
+
+testId=23042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2095]
+
+testId=14850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2096]
+
+testId=31250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2097]
+
+testId=1538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2098]
+
+testId=17954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2099]
+
+testId=9778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2100]
+
+testId=26114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2101]
+
+testId=5650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2102]
+
+testId=22034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2103]
+
+testId=13842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2104]
+
+testId=30242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2105]
+
+testId=3618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2106]
+
+testId=20002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2107]
+
+testId=11826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2108]
+
+testId=28178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2109]
+
+testId=7682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2110]
+
+testId=24114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2111]
+
+testId=15906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2112]
+
+testId=32306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2113]
+
+testId=306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2114]
+
+testId=16674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2115]
+
+testId=8450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2116]
+
+testId=24866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2117]
+
+testId=4402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2118]
+
+testId=20738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2119]
+
+testId=12546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2120]
+
+testId=28962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2121]
+
+testId=2338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2122]
+
+testId=18706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2123]
+
+testId=10514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2124]
+
+testId=26930
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2125]
+
+testId=6434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2126]
+
+testId=22818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2127]
+
+testId=14610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2128]
+
+testId=30994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2129]
+
+testId=1314
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2130]
+
+testId=17682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2131]
+
+testId=9490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2132]
+
+testId=25890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2133]
+
+testId=5410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2134]
+
+testId=21762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2135]
+
+testId=13570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2136]
+
+testId=29986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2137]
+
+testId=3346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2138]
+
+testId=19762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2139]
+
+testId=11554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2140]
+
+testId=27906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2141]
+
+testId=7426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2142]
+
+testId=23842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2143]
+
+testId=15650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2144]
+
+testId=32018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2145]
+
+testId=818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2146]
+
+testId=17186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2147]
+
+testId=8962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2148]
+
+testId=25378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2149]
+
+testId=4914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2150]
+
+testId=21298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2151]
+
+testId=13058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2152]
+
+testId=29458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2153]
+
+testId=2834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2154]
+
+testId=19202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2155]
+
+testId=11058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2156]
+
+testId=27394
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2157]
+
+testId=6946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2158]
+
+testId=23346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2159]
+
+testId=15154
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2160]
+
+testId=31522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2161]
+
+testId=1826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2162]
+
+testId=18210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2163]
+
+testId=10018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2164]
+
+testId=26402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2165]
+
+testId=5906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2166]
+
+testId=22290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2167]
+
+testId=14098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2168]
+
+testId=30482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2169]
+
+testId=3858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2170]
+
+testId=20226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2171]
+
+testId=12082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2172]
+
+testId=28434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2173]
+
+testId=7954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2174]
+
+testId=24338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2175]
+
+testId=16146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2176]
+
+testId=32514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2177]
+
+testId=162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2178]
+
+testId=16546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2179]
+
+testId=8322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2180]
+
+testId=24738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2181]
+
+testId=4226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2182]
+
+testId=20626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2183]
+
+testId=12434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2184]
+
+testId=28834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2185]
+
+testId=2210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2186]
+
+testId=18562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2187]
+
+testId=10418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2188]
+
+testId=26770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2189]
+
+testId=6274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2190]
+
+testId=22674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2191]
+
+testId=14482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2192]
+
+testId=30882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2193]
+
+testId=1202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2194]
+
+testId=17586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2195]
+
+testId=9346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2196]
+
+testId=25746
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2197]
+
+testId=5266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2198]
+
+testId=21682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2199]
+
+testId=13474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2200]
+
+testId=29874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2201]
+
+testId=3202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2202]
+
+testId=19618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2203]
+
+testId=11426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2204]
+
+testId=27794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2205]
+
+testId=7346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2206]
+
+testId=23714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2207]
+
+testId=15490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2208]
+
+testId=31922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2209]
+
+testId=674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2210]
+
+testId=17074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2211]
+
+testId=8882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2212]
+
+testId=25234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2213]
+
+testId=4738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2214]
+
+testId=21138
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2215]
+
+testId=12946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2216]
+
+testId=29346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2217]
+
+testId=2690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2218]
+
+testId=19106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2219]
+
+testId=10914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2220]
+
+testId=27298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2221]
+
+testId=6834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2222]
+
+testId=23218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2223]
+
+testId=14978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2224]
+
+testId=31394
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2225]
+
+testId=1682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2226]
+
+testId=18066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2227]
+
+testId=9858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2228]
+
+testId=26242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2229]
+
+testId=5778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2230]
+
+testId=22178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2231]
+
+testId=13986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2232]
+
+testId=30338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2233]
+
+testId=3762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2234]
+
+testId=20114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2235]
+
+testId=11954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2236]
+
+testId=28306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2237]
+
+testId=7810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2238]
+
+testId=24226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2239]
+
+testId=16002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2240]
+
+testId=32418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2241]
+
+testId=402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2242]
+
+testId=16802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2243]
+
+testId=8626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2244]
+
+testId=24962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2245]
+
+testId=4498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2246]
+
+testId=20866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2247]
+
+testId=12722
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2248]
+
+testId=29106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2249]
+
+testId=2482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2250]
+
+testId=18866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2251]
+
+testId=10658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2252]
+
+testId=27026
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2253]
+
+testId=6578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2254]
+
+testId=22946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2255]
+
+testId=14754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2256]
+
+testId=31138
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2257]
+
+testId=1442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2258]
+
+testId=17794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2259]
+
+testId=9618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2260]
+
+testId=26034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2261]
+
+testId=5522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2262]
+
+testId=21938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2263]
+
+testId=13730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2264]
+
+testId=30098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2265]
+
+testId=3506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2266]
+
+testId=19874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2267]
+
+testId=11682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2268]
+
+testId=28034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2269]
+
+testId=7570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2270]
+
+testId=23954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2271]
+
+testId=15794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2272]
+
+testId=32146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2273]
+
+testId=898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2274]
+
+testId=17314
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2275]
+
+testId=9122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2276]
+
+testId=25506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2277]
+
+testId=4994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2278]
+
+testId=21394
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2279]
+
+testId=13202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2280]
+
+testId=29618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2281]
+
+testId=2994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2282]
+
+testId=19362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2283]
+
+testId=11138
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2284]
+
+testId=27554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2285]
+
+testId=7090
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2286]
+
+testId=23426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2287]
+
+testId=15234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2288]
+
+testId=31618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2289]
+
+testId=1938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2290]
+
+testId=18338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2291]
+
+testId=10114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2292]
+
+testId=26530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2293]
+
+testId=6018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2294]
+
+testId=22402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2295]
+
+testId=14242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2296]
+
+testId=30626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2297]
+
+testId=4018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2298]
+
+testId=20354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2299]
+
+testId=12178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2300]
+
+testId=28578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2301]
+
+testId=8098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2302]
+
+testId=24498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2303]
+
+testId=16290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2304]
+
+testId=32690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2305]
+
+testId=114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2306]
+
+testId=16482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2307]
+
+testId=8290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2308]
+
+testId=24690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2309]
+
+testId=4162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2310]
+
+testId=20562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2311]
+
+testId=12354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2312]
+
+testId=28786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2313]
+
+testId=2146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2314]
+
+testId=18546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2315]
+
+testId=10322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2316]
+
+testId=26706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2317]
+
+testId=6242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2318]
+
+testId=22594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2319]
+
+testId=14434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2320]
+
+testId=30786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2321]
+
+testId=1090
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2322]
+
+testId=17490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2323]
+
+testId=9282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2324]
+
+testId=25714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2325]
+
+testId=5186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2326]
+
+testId=21570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2327]
+
+testId=13378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2328]
+
+testId=29810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2329]
+
+testId=3170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2330]
+
+testId=19570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2331]
+
+testId=11362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2332]
+
+testId=27762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2333]
+
+testId=7266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2334]
+
+testId=23650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2335]
+
+testId=15426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2336]
+
+testId=31810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2337]
+
+testId=578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2338]
+
+testId=16978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2339]
+
+testId=8818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2340]
+
+testId=25154
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2341]
+
+testId=4690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2342]
+
+testId=21074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2343]
+
+testId=12866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2344]
+
+testId=29298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2345]
+
+testId=2626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2346]
+
+testId=19010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2347]
+
+testId=10834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2348]
+
+testId=27234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2349]
+
+testId=6722
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2350]
+
+testId=23106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2351]
+
+testId=14962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2352]
+
+testId=31346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2353]
+
+testId=1602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2354]
+
+testId=18034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2355]
+
+testId=9842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2356]
+
+testId=26194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2357]
+
+testId=5730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2358]
+
+testId=22130
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2359]
+
+testId=13938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2360]
+
+testId=30274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2361]
+
+testId=3682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2362]
+
+testId=20034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2363]
+
+testId=11890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2364]
+
+testId=28274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2365]
+
+testId=7794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2366]
+
+testId=24178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2367]
+
+testId=15938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2368]
+
+testId=32370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2369]
+
+testId=338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2370]
+
+testId=16738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2371]
+
+testId=8546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2372]
+
+testId=24946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2373]
+
+testId=4434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2374]
+
+testId=20818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2375]
+
+testId=12642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2376]
+
+testId=29010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2377]
+
+testId=2402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2378]
+
+testId=18802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2379]
+
+testId=10610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2380]
+
+testId=26994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2381]
+
+testId=6482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2382]
+
+testId=22898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2383]
+
+testId=14658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2384]
+
+testId=31058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2385]
+
+testId=1362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2386]
+
+testId=17730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2387]
+
+testId=9538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2388]
+
+testId=25954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2389]
+
+testId=5490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2390]
+
+testId=21858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2391]
+
+testId=13634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2392]
+
+testId=30066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2393]
+
+testId=3410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2394]
+
+testId=19778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2395]
+
+testId=11634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2396]
+
+testId=28018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2397]
+
+testId=7538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2398]
+
+testId=23906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2399]
+
+testId=15698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2400]
+
+testId=32114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2401]
+
+testId=850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2402]
+
+testId=17234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2403]
+
+testId=9074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2404]
+
+testId=25458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2405]
+
+testId=4978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2406]
+
+testId=21362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2407]
+
+testId=13170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2408]
+
+testId=29522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2409]
+
+testId=2882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2410]
+
+testId=19298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2411]
+
+testId=11122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2412]
+
+testId=27474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2413]
+
+testId=6994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2414]
+
+testId=23362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2415]
+
+testId=15202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2416]
+
+testId=31570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2417]
+
+testId=1890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2418]
+
+testId=18258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2419]
+
+testId=10050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2420]
+
+testId=26434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2421]
+
+testId=5986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2422]
+
+testId=22386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2423]
+
+testId=14194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2424]
+
+testId=30562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2425]
+
+testId=3922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2426]
+
+testId=20322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2427]
+
+testId=12114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2428]
+
+testId=28482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2429]
+
+testId=8018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2430]
+
+testId=24386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2431]
+
+testId=16210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2432]
+
+testId=32626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2433]
+
+testId=226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2434]
+
+testId=16594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2435]
+
+testId=8434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2436]
+
+testId=24770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2437]
+
+testId=4306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2438]
+
+testId=20674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2439]
+
+testId=12498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2440]
+
+testId=28898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2441]
+
+testId=2258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2442]
+
+testId=18674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2443]
+
+testId=10450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2444]
+
+testId=26834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2445]
+
+testId=6386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2446]
+
+testId=22770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2447]
+
+testId=14546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2448]
+
+testId=30914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2449]
+
+testId=1250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2450]
+
+testId=17602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2451]
+
+testId=9442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2452]
+
+testId=25826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2453]
+
+testId=5330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2454]
+
+testId=21714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2455]
+
+testId=13522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2456]
+
+testId=29938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2457]
+
+testId=3282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2458]
+
+testId=19698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2459]
+
+testId=11506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2460]
+
+testId=27890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2461]
+
+testId=7378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2462]
+
+testId=23762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2463]
+
+testId=15570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2464]
+
+testId=31954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2465]
+
+testId=706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2466]
+
+testId=17106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2467]
+
+testId=8946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2468]
+
+testId=25330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2469]
+
+testId=4834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2470]
+
+testId=21186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2471]
+
+testId=13042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2472]
+
+testId=29426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2473]
+
+testId=2770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2474]
+
+testId=19154
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2475]
+
+testId=10994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2476]
+
+testId=27346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2477]
+
+testId=6882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2478]
+
+testId=23266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2479]
+
+testId=15042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2480]
+
+testId=31458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2481]
+
+testId=1730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2482]
+
+testId=18162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2483]
+
+testId=9938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2484]
+
+testId=26354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2485]
+
+testId=5826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2486]
+
+testId=22226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2487]
+
+testId=14066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2488]
+
+testId=30434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2489]
+
+testId=3794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2490]
+
+testId=20162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2491]
+
+testId=11970
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2492]
+
+testId=28354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2493]
+
+testId=7906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2494]
+
+testId=24306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2495]
+
+testId=16098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2496]
+
+testId=32498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2497]
+
+testId=450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2498]
+
+testId=16834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2499]
+
+testId=8642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2500]
+
+testId=25026
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2501]
+
+testId=4546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2502]
+
+testId=20962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2503]
+
+testId=12754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2504]
+
+testId=29122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2505]
+
+testId=2498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2506]
+
+testId=18914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2507]
+
+testId=10738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2508]
+
+testId=27074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2509]
+
+testId=6626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2510]
+
+testId=22978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2511]
+
+testId=14802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2512]
+
+testId=31202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2513]
+
+testId=1522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2514]
+
+testId=17874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2515]
+
+testId=9682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2516]
+
+testId=26098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2517]
+
+testId=5570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2518]
+
+testId=21970
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2519]
+
+testId=13794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2520]
+
+testId=30162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2521]
+
+testId=3538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2522]
+
+testId=19906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2523]
+
+testId=11762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2524]
+
+testId=28130
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2525]
+
+testId=7666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2526]
+
+testId=24050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2527]
+
+testId=15826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2528]
+
+testId=32226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2529]
+
+testId=1010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2530]
+
+testId=17362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2531]
+
+testId=9154
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2532]
+
+testId=25554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2533]
+
+testId=5106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2534]
+
+testId=21490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2535]
+
+testId=13282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2536]
+
+testId=29666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2537]
+
+testId=3026
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2538]
+
+testId=19426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2539]
+
+testId=11202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2540]
+
+testId=27634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2541]
+
+testId=7106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2542]
+
+testId=23538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2543]
+
+testId=15298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2544]
+
+testId=31714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2545]
+
+testId=2034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2546]
+
+testId=18402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2547]
+
+testId=10194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2548]
+
+testId=26578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2549]
+
+testId=6114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2550]
+
+testId=22482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2551]
+
+testId=14274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2552]
+
+testId=30690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2553]
+
+testId=4034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2554]
+
+testId=20434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2555]
+
+testId=12258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2556]
+
+testId=28626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2557]
+
+testId=8178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2558]
+
+testId=24530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2559]
+
+testId=16370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2560]
+
+testId=32738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2561]
+
+testId=42
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2562]
+
+testId=16426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2563]
+
+testId=8234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2564]
+
+testId=24602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2565]
+
+testId=4106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2566]
+
+testId=20506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2567]
+
+testId=12298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2568]
+
+testId=28714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2569]
+
+testId=2058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2570]
+
+testId=18442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2571]
+
+testId=10282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2572]
+
+testId=26666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2573]
+
+testId=6186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2574]
+
+testId=22570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2575]
+
+testId=14362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2576]
+
+testId=30746
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2577]
+
+testId=1050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2578]
+
+testId=17418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2579]
+
+testId=9274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2580]
+
+testId=25642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2581]
+
+testId=5146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2582]
+
+testId=21546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2583]
+
+testId=13370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2584]
+
+testId=29738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2585]
+
+testId=3098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2586]
+
+testId=19482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2587]
+
+testId=11306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2588]
+
+testId=27674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2589]
+
+testId=7226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2590]
+
+testId=23594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2591]
+
+testId=15402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2592]
+
+testId=31754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2593]
+
+testId=570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2594]
+
+testId=16906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2595]
+
+testId=8762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2596]
+
+testId=25130
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2597]
+
+testId=4666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2598]
+
+testId=21002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2599]
+
+testId=12842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2600]
+
+testId=29226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2601]
+
+testId=2586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2602]
+
+testId=19002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2603]
+
+testId=10762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2604]
+
+testId=27178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2605]
+
+testId=6698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2606]
+
+testId=23082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2607]
+
+testId=14890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2608]
+
+testId=31258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2609]
+
+testId=1594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2610]
+
+testId=17946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2611]
+
+testId=9754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2612]
+
+testId=26170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2613]
+
+testId=5642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2614]
+
+testId=22058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2615]
+
+testId=13834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2616]
+
+testId=30250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2617]
+
+testId=3626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2618]
+
+testId=19994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2619]
+
+testId=11818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2620]
+
+testId=28186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2621]
+
+testId=7706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2622]
+
+testId=24122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2623]
+
+testId=15882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2624]
+
+testId=32266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2625]
+
+testId=282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2626]
+
+testId=16698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2627]
+
+testId=8490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2628]
+
+testId=24874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2629]
+
+testId=4362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2630]
+
+testId=20762
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2631]
+
+testId=12586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2632]
+
+testId=28954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2633]
+
+testId=2330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2634]
+
+testId=18714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2635]
+
+testId=10538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2636]
+
+testId=26938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2637]
+
+testId=6426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2638]
+
+testId=22810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2639]
+
+testId=14602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2640]
+
+testId=30986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2641]
+
+testId=1338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2642]
+
+testId=17690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2643]
+
+testId=9530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2644]
+
+testId=25882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2645]
+
+testId=5418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2646]
+
+testId=21786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2647]
+
+testId=13610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2648]
+
+testId=29994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2649]
+
+testId=3386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2650]
+
+testId=19770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2651]
+
+testId=11562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2652]
+
+testId=27930
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2653]
+
+testId=7482
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2654]
+
+testId=23850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2655]
+
+testId=15642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2656]
+
+testId=32042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2657]
+
+testId=810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2658]
+
+testId=17178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2659]
+
+testId=9018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2660]
+
+testId=25386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2661]
+
+testId=4922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2662]
+
+testId=21274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2663]
+
+testId=13098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2664]
+
+testId=29498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2665]
+
+testId=2874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2666]
+
+testId=19258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2667]
+
+testId=11050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2668]
+
+testId=27450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2669]
+
+testId=6954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2670]
+
+testId=23354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2671]
+
+testId=15114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2672]
+
+testId=31546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2673]
+
+testId=1850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2674]
+
+testId=18186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2675]
+
+testId=10026
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2676]
+
+testId=26410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2677]
+
+testId=5898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2678]
+
+testId=22330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2679]
+
+testId=14106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2680]
+
+testId=30490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2681]
+
+testId=3882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2682]
+
+testId=20282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2683]
+
+testId=12074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2684]
+
+testId=28458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2685]
+
+testId=7994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2686]
+
+testId=24362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2687]
+
+testId=16186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2688]
+
+testId=32538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2689]
+
+testId=170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2690]
+
+testId=16538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2691]
+
+testId=8346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2692]
+
+testId=24730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2693]
+
+testId=4234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2694]
+
+testId=20650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2695]
+
+testId=12474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2696]
+
+testId=28842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2697]
+
+testId=2218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2698]
+
+testId=18586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2699]
+
+testId=10410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2700]
+
+testId=26794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2701]
+
+testId=6282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2702]
+
+testId=22698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2703]
+
+testId=14490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2704]
+
+testId=30874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2705]
+
+testId=1178
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2706]
+
+testId=17562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2707]
+
+testId=9386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2708]
+
+testId=25770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2709]
+
+testId=5274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2710]
+
+testId=21690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2711]
+
+testId=13498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2712]
+
+testId=29850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2713]
+
+testId=3242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2714]
+
+testId=19626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2715]
+
+testId=11402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2716]
+
+testId=27786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2717]
+
+testId=7354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2718]
+
+testId=23738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2719]
+
+testId=15498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2720]
+
+testId=31914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2721]
+
+testId=682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2722]
+
+testId=17066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2723]
+
+testId=8858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2724]
+
+testId=25274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2725]
+
+testId=4778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2726]
+
+testId=21130
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2727]
+
+testId=12938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2728]
+
+testId=29322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2729]
+
+testId=2730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2730]
+
+testId=19082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2731]
+
+testId=10922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2732]
+
+testId=27274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2733]
+
+testId=6810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2734]
+
+testId=23210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2735]
+
+testId=15034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2736]
+
+testId=31418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2737]
+
+testId=1690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2738]
+
+testId=18106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2739]
+
+testId=9866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2740]
+
+testId=26282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2741]
+
+testId=5802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2742]
+
+testId=22170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2743]
+
+testId=13962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2744]
+
+testId=30378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2745]
+
+testId=3770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2746]
+
+testId=20122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2747]
+
+testId=11946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2748]
+
+testId=28298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2749]
+
+testId=7818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2750]
+
+testId=24250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2751]
+
+testId=16042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2752]
+
+testId=32442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2753]
+
+testId=426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2754]
+
+testId=16794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2755]
+
+testId=8618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2756]
+
+testId=25002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2757]
+
+testId=4490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2758]
+
+testId=20922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2759]
+
+testId=12730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2760]
+
+testId=29114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2761]
+
+testId=2490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2762]
+
+testId=18858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2763]
+
+testId=10650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2764]
+
+testId=27066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2765]
+
+testId=6554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2766]
+
+testId=22954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2767]
+
+testId=14778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2768]
+
+testId=31162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2769]
+
+testId=1418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2770]
+
+testId=17834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2771]
+
+testId=9658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2772]
+
+testId=26010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2773]
+
+testId=5546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2774]
+
+testId=21946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2775]
+
+testId=13706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2776]
+
+testId=30122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2777]
+
+testId=3498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2778]
+
+testId=19850
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2779]
+
+testId=11706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2780]
+
+testId=28042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2781]
+
+testId=7562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2782]
+
+testId=23962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2783]
+
+testId=15770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2784]
+
+testId=32138
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2785]
+
+testId=906
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2786]
+
+testId=17290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2787]
+
+testId=9098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2788]
+
+testId=25514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2789]
+
+testId=5034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2790]
+
+testId=21402
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2791]
+
+testId=13194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2792]
+
+testId=29578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2793]
+
+testId=2954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2794]
+
+testId=19386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2795]
+
+testId=11146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2796]
+
+testId=27578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2797]
+
+testId=7066
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2798]
+
+testId=23450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2799]
+
+testId=15290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2800]
+
+testId=31658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2801]
+
+testId=1978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2802]
+
+testId=18346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2803]
+
+testId=10170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2804]
+
+testId=26506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2805]
+
+testId=6058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2806]
+
+testId=22458
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2807]
+
+testId=14234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2808]
+
+testId=30618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2809]
+
+testId=3994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2810]
+
+testId=20394
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2811]
+
+testId=12218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2812]
+
+testId=28586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2813]
+
+testId=8090
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2814]
+
+testId=24506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2815]
+
+testId=16298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2816]
+
+testId=32650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2817]
+
+testId=122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2818]
+
+testId=16490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2819]
+
+testId=8314
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2820]
+
+testId=24666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2821]
+
+testId=4218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2822]
+
+testId=20570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2823]
+
+testId=12410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2824]
+
+testId=28794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2825]
+
+testId=2170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2826]
+
+testId=18506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2827]
+
+testId=10346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2828]
+
+testId=26714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2829]
+
+testId=6250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2830]
+
+testId=22650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2831]
+
+testId=14410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2832]
+
+testId=30842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2833]
+
+testId=1130
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2834]
+
+testId=17498
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2835]
+
+testId=9290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2836]
+
+testId=25706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2837]
+
+testId=5210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2838]
+
+testId=21610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2839]
+
+testId=13434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2840]
+
+testId=29818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2841]
+
+testId=3146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2842]
+
+testId=19546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2843]
+
+testId=11338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2844]
+
+testId=27770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2845]
+
+testId=7274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2846]
+
+testId=23674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2847]
+
+testId=15466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2848]
+
+testId=31818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2849]
+
+testId=634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2850]
+
+testId=17018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2851]
+
+testId=8826
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2852]
+
+testId=25210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2853]
+
+testId=4682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2854]
+
+testId=21114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2855]
+
+testId=12922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2856]
+
+testId=29258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2857]
+
+testId=2634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2858]
+
+testId=19050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2859]
+
+testId=10842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2860]
+
+testId=27226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2861]
+
+testId=6778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2862]
+
+testId=23162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2863]
+
+testId=14938
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2864]
+
+testId=31306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2865]
+
+testId=1626
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2866]
+
+testId=18026
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2867]
+
+testId=9818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2868]
+
+testId=26234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2869]
+
+testId=5722
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2870]
+
+testId=22090
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2871]
+
+testId=13898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2872]
+
+testId=30298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2873]
+
+testId=3674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2874]
+
+testId=20042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2875]
+
+testId=11882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2876]
+
+testId=28282
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2877]
+
+testId=7786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2878]
+
+testId=24170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2879]
+
+testId=15962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2880]
+
+testId=32346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2881]
+
+testId=378
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2882]
+
+testId=16714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2883]
+
+testId=8570
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2884]
+
+testId=24954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2885]
+
+testId=4426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2886]
+
+testId=20858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2887]
+
+testId=12666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2888]
+
+testId=29034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2889]
+
+testId=2410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2890]
+
+testId=18794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2891]
+
+testId=10602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2892]
+
+testId=27002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2893]
+
+testId=6522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2894]
+
+testId=22858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2895]
+
+testId=14714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2896]
+
+testId=31082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2897]
+
+testId=1354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2898]
+
+testId=17786
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2899]
+
+testId=9546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2900]
+
+testId=25946
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2901]
+
+testId=5466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2902]
+
+testId=21882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2903]
+
+testId=13658
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2904]
+
+testId=30074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2905]
+
+testId=3434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2906]
+
+testId=19802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2907]
+
+testId=11642
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2908]
+
+testId=28010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2909]
+
+testId=7530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2910]
+
+testId=23898
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2911]
+
+testId=15706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2912]
+
+testId=32074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2913]
+
+testId=858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2914]
+
+testId=17258
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2915]
+
+testId=9082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2916]
+
+testId=25466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2917]
+
+testId=4954
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2918]
+
+testId=21338
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2919]
+
+testId=13162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2920]
+
+testId=29546
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2921]
+
+testId=2922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2922]
+
+testId=19322
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2923]
+
+testId=11082
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2924]
+
+testId=27514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2925]
+
+testId=7002
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2926]
+
+testId=23370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2927]
+
+testId=15194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2928]
+
+testId=31594
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2929]
+
+testId=1882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2930]
+
+testId=18266
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2931]
+
+testId=10074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2932]
+
+testId=26474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2933]
+
+testId=5978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2934]
+
+testId=22362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2935]
+
+testId=14202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2936]
+
+testId=30586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2937]
+
+testId=3962
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2938]
+
+testId=20330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2939]
+
+testId=12106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2940]
+
+testId=28506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2941]
+
+testId=8010
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2942]
+
+testId=24426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2943]
+
+testId=16218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2944]
+
+testId=32634
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2945]
+
+testId=234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2946]
+
+testId=16618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2947]
+
+testId=8442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2948]
+
+testId=24810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2949]
+
+testId=4346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2950]
+
+testId=20714
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2951]
+
+testId=12538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2952]
+
+testId=28874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2953]
+
+testId=2298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2954]
+
+testId=18682
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2955]
+
+testId=10442
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2956]
+
+testId=26842
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2957]
+
+testId=6394
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2958]
+
+testId=22778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2959]
+
+testId=14554
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2960]
+
+testId=30922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2961]
+
+testId=1226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2962]
+
+testId=17610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2963]
+
+testId=9466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2964]
+
+testId=25802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2965]
+
+testId=5370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2966]
+
+testId=21738
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2967]
+
+testId=13562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2968]
+
+testId=29914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2969]
+
+testId=3274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2970]
+
+testId=19690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2971]
+
+testId=11514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2972]
+
+testId=27866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2973]
+
+testId=7386
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2974]
+
+testId=23754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2975]
+
+testId=15578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2976]
+
+testId=31978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2977]
+
+testId=730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2978]
+
+testId=17114
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2979]
+
+testId=8922
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2980]
+
+testId=25290
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2981]
+
+testId=4858
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2982]
+
+testId=21226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2983]
+
+testId=13034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2984]
+
+testId=29418
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2985]
+
+testId=2810
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2986]
+
+testId=19194
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2987]
+
+testId=10986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2988]
+
+testId=27370
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2989]
+
+testId=6874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2990]
+
+testId=23242
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2991]
+
+testId=15098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2992]
+
+testId=31466
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2993]
+
+testId=1754
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2994]
+
+testId=18122
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2995]
+
+testId=9930
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2996]
+
+testId=26346
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2997]
+
+testId=5882
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2998]
+
+testId=22234
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-2999]
+
+testId=14074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3000]
+
+testId=30426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3001]
+
+testId=3818
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3002]
+
+testId=20186
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3003]
+
+testId=11978
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3004]
+
+testId=28410
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3005]
+
+testId=7914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3006]
+
+testId=24298
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3007]
+
+testId=16106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3008]
+
+testId=32506
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3009]
+
+testId=490
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3010]
+
+testId=16874
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3011]
+
+testId=8698
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3012]
+
+testId=25050
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3013]
+
+testId=4602
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3014]
+
+testId=20970
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3015]
+
+testId=12778
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3016]
+
+testId=29146
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3017]
+
+testId=2538
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3018]
+
+testId=18890
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3019]
+
+testId=10730
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3020]
+
+testId=27098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3021]
+
+testId=6618
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3022]
+
+testId=22986
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3023]
+
+testId=14794
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3024]
+
+testId=31210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3025]
+
+testId=1514
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3026]
+
+testId=17866
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3027]
+
+testId=9706
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3028]
+
+testId=26106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3029]
+
+testId=5578
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3030]
+
+testId=21994
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3031]
+
+testId=13802
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3032]
+
+testId=30170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3033]
+
+testId=3530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3034]
+
+testId=19914
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3035]
+
+testId=11770
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3036]
+
+testId=28154
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3037]
+
+testId=7674
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3038]
+
+testId=24058
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3039]
+
+testId=15834
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3040]
+
+testId=32218
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3041]
+
+testId=1018
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3042]
+
+testId=17354
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3043]
+
+testId=9210
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3044]
+
+testId=25562
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3045]
+
+testId=5098
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3046]
+
+testId=21450
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3047]
+
+testId=13274
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3048]
+
+testId=29690
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3049]
+
+testId=3034
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3050]
+
+testId=19434
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3051]
+
+testId=11226
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3052]
+
+testId=27610
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3053]
+
+testId=7162
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3054]
+
+testId=23530
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3055]
+
+testId=15306
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3056]
+
+testId=31722
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3057]
+
+testId=2042
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3058]
+
+testId=18426
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3059]
+
+testId=10202
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3060]
+
+testId=26586
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3061]
+
+testId=6106
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3062]
+
+testId=22474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3063]
+
+testId=14330
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3064]
+
+testId=30666
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3065]
+
+testId=4074
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3066]
+
+testId=20474
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3067]
+
+testId=12250
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3068]
+
+testId=28650
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3069]
+
+testId=8170
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3070]
+
+testId=24522
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3071]
+
+testId=16362
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3072]
+
+testId=32746
+testname=ClientCert_none ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3073]
+
+testId=6
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3074]
+
+testId=16390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3075]
+
+testId=8246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3076]
+
+testId=24598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3077]
+
+testId=4134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3078]
+
+testId=20518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3079]
+
+testId=12294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3080]
+
+testId=28694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3081]
+
+testId=2054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3082]
+
+testId=18470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3083]
+
+testId=10262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3084]
+
+testId=26646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3085]
+
+testId=6182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3086]
+
+testId=22566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3087]
+
+testId=14358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3088]
+
+testId=30774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3089]
+
+testId=1078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3090]
+
+testId=17462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3091]
+
+testId=9222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3092]
+
+testId=25654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3093]
+
+testId=5126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3094]
+
+testId=21510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3095]
+
+testId=13318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3096]
+
+testId=29750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3097]
+
+testId=3126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3098]
+
+testId=19510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3099]
+
+testId=11270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3100]
+
+testId=27654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3101]
+
+testId=7174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3102]
+
+testId=23558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3103]
+
+testId=15414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3104]
+
+testId=31798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3105]
+
+testId=566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3106]
+
+testId=16902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3107]
+
+testId=8742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3108]
+
+testId=25094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3109]
+
+testId=4646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3110]
+
+testId=21014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3111]
+
+testId=12806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3112]
+
+testId=29238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3113]
+
+testId=2614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3114]
+
+testId=18950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3115]
+
+testId=10806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3116]
+
+testId=27174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3117]
+
+testId=6694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3118]
+
+testId=23078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3119]
+
+testId=14886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3120]
+
+testId=31286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3121]
+
+testId=1574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3122]
+
+testId=17926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3123]
+
+testId=9782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3124]
+
+testId=26134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3125]
+
+testId=5686
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3126]
+
+testId=22070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3127]
+
+testId=13862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3128]
+
+testId=30262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3129]
+
+testId=3590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3130]
+
+testId=19974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3131]
+
+testId=11798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3132]
+
+testId=28214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3133]
+
+testId=7718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3134]
+
+testId=24118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3135]
+
+testId=15894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3136]
+
+testId=32262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3137]
+
+testId=262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3138]
+
+testId=16646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3139]
+
+testId=8486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3140]
+
+testId=24870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3141]
+
+testId=4406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3142]
+
+testId=20790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3143]
+
+testId=12550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3144]
+
+testId=28950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3145]
+
+testId=2358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3146]
+
+testId=18710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3147]
+
+testId=10550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3148]
+
+testId=26886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3149]
+
+testId=6422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3150]
+
+testId=22806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3151]
+
+testId=14630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3152]
+
+testId=30982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3153]
+
+testId=1318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3154]
+
+testId=17670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3155]
+
+testId=9526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3156]
+
+testId=25862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3157]
+
+testId=5382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3158]
+
+testId=21782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3159]
+
+testId=13622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3160]
+
+testId=29974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3161]
+
+testId=3382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3162]
+
+testId=19750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3163]
+
+testId=11558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3164]
+
+testId=27942
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3165]
+
+testId=7462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3166]
+
+testId=23862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3167]
+
+testId=15622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3168]
+
+testId=32054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3169]
+
+testId=774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3170]
+
+testId=17174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3171]
+
+testId=9014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3172]
+
+testId=25350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3173]
+
+testId=4918
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3174]
+
+testId=21254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3175]
+
+testId=13094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3176]
+
+testId=29494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3177]
+
+testId=2838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3178]
+
+testId=19238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3179]
+
+testId=11014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3180]
+
+testId=27430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3181]
+
+testId=6934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3182]
+
+testId=23302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3183]
+
+testId=15142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3184]
+
+testId=31542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3185]
+
+testId=1830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3186]
+
+testId=18182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3187]
+
+testId=9990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3188]
+
+testId=26374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3189]
+
+testId=5894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3190]
+
+testId=22310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3191]
+
+testId=14102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3192]
+
+testId=30486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3193]
+
+testId=3846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3194]
+
+testId=20230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3195]
+
+testId=12070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3196]
+
+testId=28422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3197]
+
+testId=7942
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3198]
+
+testId=24358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3199]
+
+testId=16166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3200]
+
+testId=32534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3201]
+
+testId=166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3202]
+
+testId=16518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3203]
+
+testId=8358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3204]
+
+testId=24726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3205]
+
+testId=4262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3206]
+
+testId=20662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3207]
+
+testId=12454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3208]
+
+testId=28806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3209]
+
+testId=2182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3210]
+
+testId=18582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3211]
+
+testId=10374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3212]
+
+testId=26774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3213]
+
+testId=6278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3214]
+
+testId=22678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3215]
+
+testId=14486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3216]
+
+testId=30886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3217]
+
+testId=1174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3218]
+
+testId=17558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3219]
+
+testId=9350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3220]
+
+testId=25782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3221]
+
+testId=5302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3222]
+
+testId=21638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3223]
+
+testId=13478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3224]
+
+testId=29878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3225]
+
+testId=3206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3226]
+
+testId=19638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3227]
+
+testId=11414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3228]
+
+testId=27782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3229]
+
+testId=7318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3230]
+
+testId=23734
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3231]
+
+testId=15510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3232]
+
+testId=31894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3233]
+
+testId=678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3234]
+
+testId=17046
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3235]
+
+testId=8838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3236]
+
+testId=25270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3237]
+
+testId=4790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3238]
+
+testId=21126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3239]
+
+testId=12950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3240]
+
+testId=29366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3241]
+
+testId=2694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3242]
+
+testId=19110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3243]
+
+testId=10886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3244]
+
+testId=27286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3245]
+
+testId=6790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3246]
+
+testId=23190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3247]
+
+testId=14982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3248]
+
+testId=31414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3249]
+
+testId=1718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3250]
+
+testId=18102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3251]
+
+testId=9894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3252]
+
+testId=26278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3253]
+
+testId=5798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3254]
+
+testId=22198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3255]
+
+testId=14006
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3256]
+
+testId=30342
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3257]
+
+testId=3750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3258]
+
+testId=20102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3259]
+
+testId=11926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3260]
+
+testId=28326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3261]
+
+testId=7846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3262]
+
+testId=24214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3263]
+
+testId=16054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3264]
+
+testId=32422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3265]
+
+testId=406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3266]
+
+testId=16790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3267]
+
+testId=8598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3268]
+
+testId=24998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3269]
+
+testId=4502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3270]
+
+testId=20870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3271]
+
+testId=12678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3272]
+
+testId=29078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3273]
+
+testId=2454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3274]
+
+testId=18822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3275]
+
+testId=10662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3276]
+
+testId=27030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3277]
+
+testId=6566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3278]
+
+testId=22950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3279]
+
+testId=14774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3280]
+
+testId=31142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3281]
+
+testId=1446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3282]
+
+testId=17830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3283]
+
+testId=9654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3284]
+
+testId=26022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3285]
+
+testId=5526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3286]
+
+testId=21910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3287]
+
+testId=13702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3288]
+
+testId=30118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3289]
+
+testId=3510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3290]
+
+testId=19846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3291]
+
+testId=11702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3292]
+
+testId=28054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3293]
+
+testId=7606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3294]
+
+testId=23974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3295]
+
+testId=15766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3296]
+
+testId=32182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3297]
+
+testId=902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3298]
+
+testId=17286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3299]
+
+testId=9110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3300]
+
+testId=25526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3301]
+
+testId=5030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3302]
+
+testId=21414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3303]
+
+testId=13206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3304]
+
+testId=29606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3305]
+
+testId=2998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3306]
+
+testId=19382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3307]
+
+testId=11174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3308]
+
+testId=27558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3309]
+
+testId=7094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3310]
+
+testId=23462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3311]
+
+testId=15270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3312]
+
+testId=31670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3313]
+
+testId=1942
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3314]
+
+testId=18310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3315]
+
+testId=10118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3316]
+
+testId=26502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3317]
+
+testId=6054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3318]
+
+testId=22422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3319]
+
+testId=14214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3320]
+
+testId=30614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3321]
+
+testId=4022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3322]
+
+testId=20358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3323]
+
+testId=12182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3324]
+
+testId=28566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3325]
+
+testId=8102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3326]
+
+testId=24454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3327]
+
+testId=16310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3328]
+
+testId=32678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3329]
+
+testId=70
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3330]
+
+testId=16454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3331]
+
+testId=8294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3332]
+
+testId=24678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3333]
+
+testId=4166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3334]
+
+testId=20598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3335]
+
+testId=12358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3336]
+
+testId=28742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3337]
+
+testId=2166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3338]
+
+testId=18534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3339]
+
+testId=10326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3340]
+
+testId=26726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3341]
+
+testId=6246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3342]
+
+testId=22630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3343]
+
+testId=14438
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3344]
+
+testId=30806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3345]
+
+testId=1110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3346]
+
+testId=17494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3347]
+
+testId=9318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3348]
+
+testId=25670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3349]
+
+testId=5206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3350]
+
+testId=21590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3351]
+
+testId=13398
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3352]
+
+testId=29766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3353]
+
+testId=3142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3354]
+
+testId=19526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3355]
+
+testId=11334
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3356]
+
+testId=27718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3357]
+
+testId=7238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3358]
+
+testId=23638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3359]
+
+testId=15478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3360]
+
+testId=31830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3361]
+
+testId=582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3362]
+
+testId=16998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3363]
+
+testId=8790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3364]
+
+testId=25190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3365]
+
+testId=4710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3366]
+
+testId=21078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3367]
+
+testId=12918
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3368]
+
+testId=29254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3369]
+
+testId=2678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3370]
+
+testId=19062
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3371]
+
+testId=10822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3372]
+
+testId=27238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3373]
+
+testId=6742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3374]
+
+testId=23110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3375]
+
+testId=14966
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3376]
+
+testId=31302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3377]
+
+testId=1654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3378]
+
+testId=18038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3379]
+
+testId=9830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3380]
+
+testId=26230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3381]
+
+testId=5718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3382]
+
+testId=22086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3383]
+
+testId=13926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3384]
+
+testId=30294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3385]
+
+testId=3702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3386]
+
+testId=20038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3387]
+
+testId=11894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3388]
+
+testId=28278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3389]
+
+testId=7798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3390]
+
+testId=24166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3391]
+
+testId=15974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3392]
+
+testId=32358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3393]
+
+testId=342
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3394]
+
+testId=16710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3395]
+
+testId=8550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3396]
+
+testId=24934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3397]
+
+testId=4470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3398]
+
+testId=20822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3399]
+
+testId=12662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3400]
+
+testId=28998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3401]
+
+testId=2390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3402]
+
+testId=18790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3403]
+
+testId=10598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3404]
+
+testId=26966
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3405]
+
+testId=6518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3406]
+
+testId=22854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3407]
+
+testId=14662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3408]
+
+testId=31094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3409]
+
+testId=1366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3410]
+
+testId=17766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3411]
+
+testId=9542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3412]
+
+testId=25926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3413]
+
+testId=5494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3414]
+
+testId=21878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3415]
+
+testId=13670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3416]
+
+testId=30022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3417]
+
+testId=3414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3418]
+
+testId=19830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3419]
+
+testId=11622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3420]
+
+testId=27974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3421]
+
+testId=7510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3422]
+
+testId=23878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3423]
+
+testId=15702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3424]
+
+testId=32118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3425]
+
+testId=854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3426]
+
+testId=17254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3427]
+
+testId=9030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3428]
+
+testId=25414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3429]
+
+testId=4950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3430]
+
+testId=21334
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3431]
+
+testId=13142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3432]
+
+testId=29526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3433]
+
+testId=2934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3434]
+
+testId=19302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3435]
+
+testId=11094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3436]
+
+testId=27478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3437]
+
+testId=7014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3438]
+
+testId=23382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3439]
+
+testId=15190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3440]
+
+testId=31558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3441]
+
+testId=1910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3442]
+
+testId=18294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3443]
+
+testId=10102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3444]
+
+testId=26470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3445]
+
+testId=5958
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3446]
+
+testId=22342
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3447]
+
+testId=14166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3448]
+
+testId=30566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3449]
+
+testId=3926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3450]
+
+testId=20310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3451]
+
+testId=12150
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3452]
+
+testId=28518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3453]
+
+testId=8022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3454]
+
+testId=24422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3455]
+
+testId=16198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3456]
+
+testId=32630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3457]
+
+testId=246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3458]
+
+testId=16598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3459]
+
+testId=8406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3460]
+
+testId=24806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3461]
+
+testId=4326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3462]
+
+testId=20694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3463]
+
+testId=12486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3464]
+
+testId=28870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3465]
+
+testId=2294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3466]
+
+testId=18662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3467]
+
+testId=10486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3468]
+
+testId=26822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3469]
+
+testId=6374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3470]
+
+testId=22726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3471]
+
+testId=14550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3472]
+
+testId=30934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3473]
+
+testId=1238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3474]
+
+testId=17606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3475]
+
+testId=9462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3476]
+
+testId=25830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3477]
+
+testId=5334
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3478]
+
+testId=21718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3479]
+
+testId=13510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3480]
+
+testId=29910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3481]
+
+testId=3318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3482]
+
+testId=19670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3483]
+
+testId=11510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3484]
+
+testId=27846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3485]
+
+testId=7366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3486]
+
+testId=23782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3487]
+
+testId=15574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3488]
+
+testId=31990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3489]
+
+testId=726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3490]
+
+testId=17142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3491]
+
+testId=8934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3492]
+
+testId=25318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3493]
+
+testId=4838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3494]
+
+testId=21238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3495]
+
+testId=12998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3496]
+
+testId=29414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3497]
+
+testId=2806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3498]
+
+testId=19174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3499]
+
+testId=10966
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3500]
+
+testId=27366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3501]
+
+testId=6854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3502]
+
+testId=23254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3503]
+
+testId=15062
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3504]
+
+testId=31462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3505]
+
+testId=1750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3506]
+
+testId=18118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3507]
+
+testId=9974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3508]
+
+testId=26326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3509]
+
+testId=5830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3510]
+
+testId=22230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3511]
+
+testId=14038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3512]
+
+testId=30438
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3513]
+
+testId=3782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3514]
+
+testId=20198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3515]
+
+testId=11974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3516]
+
+testId=28358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3517]
+
+testId=7894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3518]
+
+testId=24262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3519]
+
+testId=16118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3520]
+
+testId=32470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3521]
+
+testId=486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3522]
+
+testId=16854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3523]
+
+testId=8694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3524]
+
+testId=25030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3525]
+
+testId=4566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3526]
+
+testId=20950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3527]
+
+testId=12774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3528]
+
+testId=29126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3529]
+
+testId=2534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3530]
+
+testId=18918
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3531]
+
+testId=10742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3532]
+
+testId=27110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3533]
+
+testId=6630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3534]
+
+testId=22998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3535]
+
+testId=14838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3536]
+
+testId=31190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3537]
+
+testId=1478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3538]
+
+testId=17894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3539]
+
+testId=9686
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3540]
+
+testId=26086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3541]
+
+testId=5590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3542]
+
+testId=21974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3543]
+
+testId=13766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3544]
+
+testId=30182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3545]
+
+testId=3574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3546]
+
+testId=19910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3547]
+
+testId=11734
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3548]
+
+testId=28118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3549]
+
+testId=7622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3550]
+
+testId=24022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3551]
+
+testId=15814
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3552]
+
+testId=32230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3553]
+
+testId=982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3554]
+
+testId=17350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3555]
+
+testId=9190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3556]
+
+testId=25590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3557]
+
+testId=5078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3558]
+
+testId=21462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3559]
+
+testId=13286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3560]
+
+testId=29670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3561]
+
+testId=3030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3562]
+
+testId=19398
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3563]
+
+testId=11222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3564]
+
+testId=27606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3565]
+
+testId=7126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3566]
+
+testId=23542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3567]
+
+testId=15302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3568]
+
+testId=31718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3569]
+
+testId=2038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3570]
+
+testId=18422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3571]
+
+testId=10214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3572]
+
+testId=26614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3573]
+
+testId=6102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3574]
+
+testId=22486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3575]
+
+testId=14326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3576]
+
+testId=30710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3577]
+
+testId=4086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3578]
+
+testId=20422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3579]
+
+testId=12278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3580]
+
+testId=28662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3581]
+
+testId=8166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3582]
+
+testId=24550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3583]
+
+testId=16374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3584]
+
+testId=32742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3585]
+
+testId=14
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3586]
+
+testId=16398
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3587]
+
+testId=8238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3588]
+
+testId=24622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3589]
+
+testId=4158
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3590]
+
+testId=20494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3591]
+
+testId=12302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3592]
+
+testId=28702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3593]
+
+testId=2110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3594]
+
+testId=18446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3595]
+
+testId=10286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3596]
+
+testId=26654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3597]
+
+testId=6206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3598]
+
+testId=22542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3599]
+
+testId=14398
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3600]
+
+testId=30766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3601]
+
+testId=1054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3602]
+
+testId=17438
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3603]
+
+testId=9262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3604]
+
+testId=25614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3605]
+
+testId=5182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3606]
+
+testId=21550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3607]
+
+testId=13358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3608]
+
+testId=29710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3609]
+
+testId=3118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3610]
+
+testId=19470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3611]
+
+testId=11294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3612]
+
+testId=27710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3613]
+
+testId=7198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3614]
+
+testId=23582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3615]
+
+testId=15374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3616]
+
+testId=31758
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3617]
+
+testId=542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3618]
+
+testId=16926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3619]
+
+testId=8766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3620]
+
+testId=25150
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3621]
+
+testId=4622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3622]
+
+testId=21006
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3623]
+
+testId=12862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3624]
+
+testId=29230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3625]
+
+testId=2574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3626]
+
+testId=18990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3627]
+
+testId=10782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3628]
+
+testId=27166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3629]
+
+testId=6718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3630]
+
+testId=23070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3631]
+
+testId=14878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3632]
+
+testId=31246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3633]
+
+testId=1598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3634]
+
+testId=17966
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3635]
+
+testId=9742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3636]
+
+testId=26126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3637]
+
+testId=5646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3638]
+
+testId=22078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3639]
+
+testId=13886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3640]
+
+testId=30254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3641]
+
+testId=3630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3642]
+
+testId=20030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3643]
+
+testId=11838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3644]
+
+testId=28222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3645]
+
+testId=7710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3646]
+
+testId=24078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3647]
+
+testId=15902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3648]
+
+testId=32270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3649]
+
+testId=302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3650]
+
+testId=16654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3651]
+
+testId=8462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3652]
+
+testId=24862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3653]
+
+testId=4366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3654]
+
+testId=20798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3655]
+
+testId=12606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3656]
+
+testId=28990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3657]
+
+testId=2334
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3658]
+
+testId=18750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3659]
+
+testId=10542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3660]
+
+testId=26894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3661]
+
+testId=6430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3662]
+
+testId=22830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3663]
+
+testId=14654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3664]
+
+testId=30990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3665]
+
+testId=1342
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3666]
+
+testId=17726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3667]
+
+testId=9518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3668]
+
+testId=25870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3669]
+
+testId=5406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3670]
+
+testId=21822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3671]
+
+testId=13598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3672]
+
+testId=29998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3673]
+
+testId=3342
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3674]
+
+testId=19742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3675]
+
+testId=11566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3676]
+
+testId=27934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3677]
+
+testId=7454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3678]
+
+testId=23838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3679]
+
+testId=15678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3680]
+
+testId=32030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3681]
+
+testId=782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3682]
+
+testId=17166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3683]
+
+testId=9022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3684]
+
+testId=25374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3685]
+
+testId=4910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3686]
+
+testId=21310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3687]
+
+testId=13070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3688]
+
+testId=29454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3689]
+
+testId=2862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3690]
+
+testId=19262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3691]
+
+testId=11038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3692]
+
+testId=27406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3693]
+
+testId=6974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3694]
+
+testId=23358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3695]
+
+testId=15166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3696]
+
+testId=31502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3697]
+
+testId=1806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3698]
+
+testId=18222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3699]
+
+testId=10030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3700]
+
+testId=26430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3701]
+
+testId=5950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3702]
+
+testId=22318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3703]
+
+testId=14142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3704]
+
+testId=30526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3705]
+
+testId=3854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3706]
+
+testId=20286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3707]
+
+testId=12046
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3708]
+
+testId=28446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3709]
+
+testId=7998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3710]
+
+testId=24382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3711]
+
+testId=16190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3712]
+
+testId=32558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3713]
+
+testId=174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3714]
+
+testId=16542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3715]
+
+testId=8382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3716]
+
+testId=24718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3717]
+
+testId=4238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3718]
+
+testId=20670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3719]
+
+testId=12430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3720]
+
+testId=28814
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3721]
+
+testId=2190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3722]
+
+testId=18574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3723]
+
+testId=10414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3724]
+
+testId=26814
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3725]
+
+testId=6318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3726]
+
+testId=22718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3727]
+
+testId=14478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3728]
+
+testId=30862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3729]
+
+testId=1214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3730]
+
+testId=17550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3731]
+
+testId=9358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3732]
+
+testId=25790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3733]
+
+testId=5294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3734]
+
+testId=21694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3735]
+
+testId=13502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3736]
+
+testId=29838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3737]
+
+testId=3262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3738]
+
+testId=19614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3739]
+
+testId=11422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3740]
+
+testId=27790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3741]
+
+testId=7358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3742]
+
+testId=23694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3743]
+
+testId=15502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3744]
+
+testId=31934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3745]
+
+testId=654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3746]
+
+testId=17038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3747]
+
+testId=8862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3748]
+
+testId=25230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3749]
+
+testId=4766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3750]
+
+testId=21182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3751]
+
+testId=12942
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3752]
+
+testId=29374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3753]
+
+testId=2734
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3754]
+
+testId=19134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3755]
+
+testId=10894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3756]
+
+testId=27278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3757]
+
+testId=6846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3758]
+
+testId=23198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3759]
+
+testId=15006
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3760]
+
+testId=31406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3761]
+
+testId=1694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3762]
+
+testId=18110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3763]
+
+testId=9902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3764]
+
+testId=26302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3765]
+
+testId=5790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3766]
+
+testId=22174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3767]
+
+testId=13982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3768]
+
+testId=30366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3769]
+
+testId=3726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3770]
+
+testId=20110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3771]
+
+testId=11950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3772]
+
+testId=28318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3773]
+
+testId=7870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3774]
+
+testId=24254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3775]
+
+testId=16014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3776]
+
+testId=32446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3777]
+
+testId=430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3778]
+
+testId=16798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3779]
+
+testId=8638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3780]
+
+testId=25006
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3781]
+
+testId=4526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3782]
+
+testId=20894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3783]
+
+testId=12734
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3784]
+
+testId=29102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3785]
+
+testId=2462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3786]
+
+testId=18830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3787]
+
+testId=10654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3788]
+
+testId=27038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3789]
+
+testId=6590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3790]
+
+testId=22926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3791]
+
+testId=14782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3792]
+
+testId=31118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3793]
+
+testId=1454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3794]
+
+testId=17838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3795]
+
+testId=9614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3796]
+
+testId=26046
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3797]
+
+testId=5550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3798]
+
+testId=21902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3799]
+
+testId=13742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3800]
+
+testId=30110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3801]
+
+testId=3486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3802]
+
+testId=19854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3803]
+
+testId=11662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3804]
+
+testId=28094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3805]
+
+testId=7598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3806]
+
+testId=23950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3807]
+
+testId=15774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3808]
+
+testId=32174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3809]
+
+testId=926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3810]
+
+testId=17326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3811]
+
+testId=9134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3812]
+
+testId=25486
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3813]
+
+testId=5054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3814]
+
+testId=21406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3815]
+
+testId=13246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3816]
+
+testId=29630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3817]
+
+testId=2974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3818]
+
+testId=19390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3819]
+
+testId=11182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3820]
+
+testId=27582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3821]
+
+testId=7086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3822]
+
+testId=23470
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3823]
+
+testId=15294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3824]
+
+testId=31630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3825]
+
+testId=1950
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3826]
+
+testId=18366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3827]
+
+testId=10126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3828]
+
+testId=26542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3829]
+
+testId=6078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3830]
+
+testId=22446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3831]
+
+testId=14238
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3832]
+
+testId=30638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3833]
+
+testId=4030
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3834]
+
+testId=20414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3835]
+
+testId=12174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3836]
+
+testId=28606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3837]
+
+testId=8126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3838]
+
+testId=24494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3839]
+
+testId=16318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3840]
+
+testId=32686
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3841]
+
+testId=126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3842]
+
+testId=16510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3843]
+
+testId=8270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3844]
+
+testId=24702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3845]
+
+testId=4174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3846]
+
+testId=20558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3847]
+
+testId=12366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3848]
+
+testId=28798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3849]
+
+testId=2142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3850]
+
+testId=18526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3851]
+
+testId=10366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3852]
+
+testId=26718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3853]
+
+testId=6254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3854]
+
+testId=22638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3855]
+
+testId=14462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3856]
+
+testId=30798
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3857]
+
+testId=1134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3858]
+
+testId=17534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3859]
+
+testId=9310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3860]
+
+testId=25710
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3861]
+
+testId=5230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3862]
+
+testId=21630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3863]
+
+testId=13406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3864]
+
+testId=29806
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3865]
+
+testId=3166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3866]
+
+testId=19582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3867]
+
+testId=11390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3868]
+
+testId=27758
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3869]
+
+testId=7278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3870]
+
+testId=23646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3871]
+
+testId=15454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3872]
+
+testId=31870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3873]
+
+testId=606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3874]
+
+testId=17022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3875]
+
+testId=8814
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3876]
+
+testId=25214
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3877]
+
+testId=4734
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3878]
+
+testId=21070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3879]
+
+testId=12894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3880]
+
+testId=29262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3881]
+
+testId=2638
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3882]
+
+testId=19070
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3883]
+
+testId=10862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3884]
+
+testId=27230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3885]
+
+testId=6750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3886]
+
+testId=23118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3887]
+
+testId=14958
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3888]
+
+testId=31326
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3889]
+
+testId=1630
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3890]
+
+testId=17998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3891]
+
+testId=9838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3892]
+
+testId=26222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3893]
+
+testId=5726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3894]
+
+testId=22142
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3895]
+
+testId=13902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3896]
+
+testId=30318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3897]
+
+testId=3678
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3898]
+
+testId=20062
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3899]
+
+testId=11870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3900]
+
+testId=28254
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3901]
+
+testId=7790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3902]
+
+testId=24158
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3903]
+
+testId=15982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3904]
+
+testId=32366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3905]
+
+testId=350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3906]
+
+testId=16718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3907]
+
+testId=8558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3908]
+
+testId=24958
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3909]
+
+testId=4430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3910]
+
+testId=20830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3911]
+
+testId=12654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3912]
+
+testId=29006
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3913]
+
+testId=2382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3914]
+
+testId=18814
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3915]
+
+testId=10622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3916]
+
+testId=26990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3917]
+
+testId=6494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3918]
+
+testId=22894
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3919]
+
+testId=14686
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3920]
+
+testId=31102
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3921]
+
+testId=1358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3922]
+
+testId=17790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3923]
+
+testId=9566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3924]
+
+testId=25934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3925]
+
+testId=5454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3926]
+
+testId=21886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3927]
+
+testId=13694
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3928]
+
+testId=30062
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3929]
+
+testId=3406
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3930]
+
+testId=19838
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3931]
+
+testId=11646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3932]
+
+testId=27998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3933]
+
+testId=7534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3934]
+
+testId=23886
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3935]
+
+testId=15742
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3936]
+
+testId=32094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3937]
+
+testId=862
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3938]
+
+testId=17262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3939]
+
+testId=9086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3940]
+
+testId=25422
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3941]
+
+testId=4958
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3942]
+
+testId=21358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3943]
+
+testId=13134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3944]
+
+testId=29550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3945]
+
+testId=2910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3946]
+
+testId=19294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3947]
+
+testId=11118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3948]
+
+testId=27518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3949]
+
+testId=6990
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3950]
+
+testId=23390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3951]
+
+testId=15182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3952]
+
+testId=31566
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3953]
+
+testId=1902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3954]
+
+testId=18270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3955]
+
+testId=10078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3956]
+
+testId=26478
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3957]
+
+testId=5982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3958]
+
+testId=22366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3959]
+
+testId=14206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3960]
+
+testId=30590
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3961]
+
+testId=3934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3962]
+
+testId=20350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3963]
+
+testId=12158
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3964]
+
+testId=28542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3965]
+
+testId=8062
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3966]
+
+testId=24414
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3967]
+
+testId=16222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3968]
+
+testId=32622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3969]
+
+testId=222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3970]
+
+testId=16622
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3971]
+
+testId=8430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3972]
+
+testId=24782
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3973]
+
+testId=4318
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3974]
+
+testId=20718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3975]
+
+testId=12526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3976]
+
+testId=28878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3977]
+
+testId=2302
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3978]
+
+testId=18654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3979]
+
+testId=10494
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3980]
+
+testId=26846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3981]
+
+testId=6382
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3982]
+
+testId=22750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3983]
+
+testId=14542
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3984]
+
+testId=30926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3985]
+
+testId=1278
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3986]
+
+testId=17662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3987]
+
+testId=9454
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3988]
+
+testId=25854
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3989]
+
+testId=5374
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3990]
+
+testId=21726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3991]
+
+testId=13518
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3992]
+
+testId=29902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3993]
+
+testId=3294
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3994]
+
+testId=19662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3995]
+
+testId=11502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3996]
+
+testId=27870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3997]
+
+testId=7390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3998]
+
+testId=23790
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-3999]
+
+testId=15582
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4000]
+
+testId=31966
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4001]
+
+testId=750
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4002]
+
+testId=17150
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4003]
+
+testId=8910
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4004]
+
+testId=25310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4005]
+
+testId=4830
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4006]
+
+testId=21230
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4007]
+
+testId=13022
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4008]
+
+testId=29390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4009]
+
+testId=2766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4010]
+
+testId=19166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4011]
+
+testId=10974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4012]
+
+testId=27390
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4013]
+
+testId=6878
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4014]
+
+testId=23246
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4015]
+
+testId=15054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4016]
+
+testId=31438
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4017]
+
+testId=1758
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4018]
+
+testId=18174
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4019]
+
+testId=9982
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4020]
+
+testId=26366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4021]
+
+testId=5870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4022]
+
+testId=22222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4023]
+
+testId=14078
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4024]
+
+testId=30446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4025]
+
+testId=3822
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4026]
+
+testId=20206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4027]
+
+testId=12014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4028]
+
+testId=28366
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4029]
+
+testId=7918
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4030]
+
+testId=24270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4031]
+
+testId=16126
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4032]
+
+testId=32510
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4033]
+
+testId=462
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4034]
+
+testId=16846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4035]
+
+testId=8654
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4036]
+
+testId=25054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4037]
+
+testId=4574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4038]
+
+testId=20974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4039]
+
+testId=12766
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4040]
+
+testId=29166
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4041]
+
+testId=2558
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4042]
+
+testId=18926
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4043]
+
+testId=10702
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4044]
+
+testId=27086
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4045]
+
+testId=6606
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4046]
+
+testId=23038
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4047]
+
+testId=14846
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4048]
+
+testId=31182
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4049]
+
+testId=1534
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4050]
+
+testId=17902
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4051]
+
+testId=9726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4052]
+
+testId=26094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4053]
+
+testId=5614
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4054]
+
+testId=21998
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4055]
+
+testId=13774
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4056]
+
+testId=30206
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4057]
+
+testId=3550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4058]
+
+testId=19934
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4059]
+
+testId=11726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4060]
+
+testId=28110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4061]
+
+testId=7646
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4062]
+
+testId=24014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4063]
+
+testId=15870
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4064]
+
+testId=32222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4065]
+
+testId=974
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4066]
+
+testId=17358
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4067]
+
+testId=9198
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4068]
+
+testId=25550
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4069]
+
+testId=5118
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4070]
+
+testId=21502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4071]
+
+testId=13310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4072]
+
+testId=29662
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4073]
+
+testId=3054
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4074]
+
+testId=19438
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4075]
+
+testId=11262
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4076]
+
+testId=27598
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4077]
+
+testId=7134
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4078]
+
+testId=23502
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4079]
+
+testId=15310
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4080]
+
+testId=31726
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4081]
+
+testId=2014
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4082]
+
+testId=18430
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4083]
+
+testId=10222
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4084]
+
+testId=26574
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4085]
+
+testId=6110
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4086]
+
+testId=22526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4087]
+
+testId=14286
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4088]
+
+testId=30670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4089]
+
+testId=4094
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4090]
+
+testId=20446
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4091]
+
+testId=12270
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4092]
+
+testId=28670
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4093]
+
+testId=8190
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4094]
+
+testId=24526
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4095]
+
+testId=16350
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4096]
+
+testId=32718
+testname=ClientCert_none ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4097]
+
+testId=33
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4098]
+
+testId=16433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4099]
+
+testId=8193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4100]
+
+testId=24609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4101]
+
+testId=4113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4102]
+
+testId=20513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4103]
+
+testId=12321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4104]
+
+testId=28673
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4105]
+
+testId=2049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4106]
+
+testId=18449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4107]
+
+testId=10289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4108]
+
+testId=26625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4109]
+
+testId=6145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4110]
+
+testId=22529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4111]
+
+testId=14353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4112]
+
+testId=30753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4113]
+
+testId=1073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4114]
+
+testId=17441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4115]
+
+testId=9233
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4116]
+
+testId=25601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4117]
+
+testId=5169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4118]
+
+testId=21537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4119]
+
+testId=13313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4120]
+
+testId=29745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4121]
+
+testId=3121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4122]
+
+testId=19473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4123]
+
+testId=11281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4124]
+
+testId=27649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4125]
+
+testId=7169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4126]
+
+testId=23553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4127]
+
+testId=15409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4128]
+
+testId=31793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4129]
+
+testId=513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4130]
+
+testId=16897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4131]
+
+testId=8705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4132]
+
+testId=25105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4133]
+
+testId=4609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4134]
+
+testId=21041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4135]
+
+testId=12833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4136]
+
+testId=29185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4137]
+
+testId=2561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4138]
+
+testId=18961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4139]
+
+testId=10785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4140]
+
+testId=27169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4141]
+
+testId=6657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4142]
+
+testId=23089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4143]
+
+testId=14881
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4144]
+
+testId=31249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4145]
+
+testId=1569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4146]
+
+testId=17921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4147]
+
+testId=9745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4148]
+
+testId=26145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4149]
+
+testId=5681
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4150]
+
+testId=22017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4151]
+
+testId=13841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4152]
+
+testId=30209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4153]
+
+testId=3585
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4154]
+
+testId=19969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4155]
+
+testId=11825
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4156]
+
+testId=28193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4157]
+
+testId=7713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4158]
+
+testId=24113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4159]
+
+testId=15921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4160]
+
+testId=32257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4161]
+
+testId=289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4162]
+
+testId=16689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4163]
+
+testId=8481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4164]
+
+testId=24865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4165]
+
+testId=4401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4166]
+
+testId=20753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4167]
+
+testId=12561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4168]
+
+testId=28945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4169]
+
+testId=2321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4170]
+
+testId=18705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4171]
+
+testId=10513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4172]
+
+testId=26929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4173]
+
+testId=6449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4174]
+
+testId=22785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4175]
+
+testId=14609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4176]
+
+testId=30993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4177]
+
+testId=1329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4178]
+
+testId=17713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4179]
+
+testId=9489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4180]
+
+testId=25905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4181]
+
+testId=5425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4182]
+
+testId=21777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4183]
+
+testId=13617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4184]
+
+testId=29985
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4185]
+
+testId=3329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4186]
+
+testId=19745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4187]
+
+testId=11553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4188]
+
+testId=27937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4189]
+
+testId=7425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4190]
+
+testId=23841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4191]
+
+testId=15617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4192]
+
+testId=32001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4193]
+
+testId=785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4194]
+
+testId=17201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4195]
+
+testId=8993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4196]
+
+testId=25345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4197]
+
+testId=4881
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4198]
+
+testId=21297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4199]
+
+testId=13073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4200]
+
+testId=29473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4201]
+
+testId=2849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4202]
+
+testId=19249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4203]
+
+testId=11009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4204]
+
+testId=27425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4205]
+
+testId=6945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4206]
+
+testId=23313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4207]
+
+testId=15105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4208]
+
+testId=31489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4209]
+
+testId=1793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4210]
+
+testId=18177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4211]
+
+testId=10017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4212]
+
+testId=26401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4213]
+
+testId=5905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4214]
+
+testId=22273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4215]
+
+testId=14129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4216]
+
+testId=30497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4217]
+
+testId=3857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4218]
+
+testId=20241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4219]
+
+testId=12065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4220]
+
+testId=28417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4221]
+
+testId=7937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4222]
+
+testId=24337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4223]
+
+testId=16177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4224]
+
+testId=32545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4225]
+
+testId=177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4226]
+
+testId=16545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4227]
+
+testId=8337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4228]
+
+testId=24705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4229]
+
+testId=4225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4230]
+
+testId=20609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4231]
+
+testId=12449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4232]
+
+testId=28817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4233]
+
+testId=2209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4234]
+
+testId=18577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4235]
+
+testId=10401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4236]
+
+testId=26753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4237]
+
+testId=6321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4238]
+
+testId=22689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4239]
+
+testId=14497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4240]
+
+testId=30897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4241]
+
+testId=1153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4242]
+
+testId=17569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4243]
+
+testId=9377
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4244]
+
+testId=25729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4245]
+
+testId=5265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4246]
+
+testId=21633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4247]
+
+testId=13441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4248]
+
+testId=29841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4249]
+
+testId=3233
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4250]
+
+testId=19633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4251]
+
+testId=11441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4252]
+
+testId=27825
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4253]
+
+testId=7297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4254]
+
+testId=23729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4255]
+
+testId=15537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4256]
+
+testId=31889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4257]
+
+testId=657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4258]
+
+testId=17041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4259]
+
+testId=8881
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4260]
+
+testId=25249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4261]
+
+testId=4785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4262]
+
+testId=21153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4263]
+
+testId=12945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4264]
+
+testId=29313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4265]
+
+testId=2689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4266]
+
+testId=19089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4267]
+
+testId=10881
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4268]
+
+testId=27313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4269]
+
+testId=6817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4270]
+
+testId=23201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4271]
+
+testId=15025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4272]
+
+testId=31377
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4273]
+
+testId=1665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4274]
+
+testId=18065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4275]
+
+testId=9905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4276]
+
+testId=26241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4277]
+
+testId=5761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4278]
+
+testId=22145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4279]
+
+testId=13985
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4280]
+
+testId=30337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4281]
+
+testId=3713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4282]
+
+testId=20097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4283]
+
+testId=11905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4284]
+
+testId=28289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4285]
+
+testId=7809
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4286]
+
+testId=24193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4287]
+
+testId=16049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4288]
+
+testId=32401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4289]
+
+testId=417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4290]
+
+testId=16769
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4291]
+
+testId=8593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4292]
+
+testId=25009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4293]
+
+testId=4481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4294]
+
+testId=20897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4295]
+
+testId=12721
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4296]
+
+testId=29073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4297]
+
+testId=2449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4298]
+
+testId=18849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4299]
+
+testId=10641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4300]
+
+testId=27057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4301]
+
+testId=6545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4302]
+
+testId=22961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4303]
+
+testId=14721
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4304]
+
+testId=31137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4305]
+
+testId=1441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4306]
+
+testId=17841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4307]
+
+testId=9617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4308]
+
+testId=26001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4309]
+
+testId=5505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4310]
+
+testId=21889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4311]
+
+testId=13697
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4312]
+
+testId=30113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4313]
+
+testId=3473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4314]
+
+testId=19889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4315]
+
+testId=11665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4316]
+
+testId=28033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4317]
+
+testId=7553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4318]
+
+testId=23985
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4319]
+
+testId=15761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4320]
+
+testId=32177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4321]
+
+testId=913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4322]
+
+testId=17329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4323]
+
+testId=9105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4324]
+
+testId=25489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4325]
+
+testId=5009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4326]
+
+testId=21377
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4327]
+
+testId=13185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4328]
+
+testId=29617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4329]
+
+testId=2993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4330]
+
+testId=19329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4331]
+
+testId=11169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4332]
+
+testId=27553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4333]
+
+testId=7041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4334]
+
+testId=23457
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4335]
+
+testId=15233
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4336]
+
+testId=31633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4337]
+
+testId=1969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4338]
+
+testId=18305
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4339]
+
+testId=10129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4340]
+
+testId=26513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4341]
+
+testId=6065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4342]
+
+testId=22433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4343]
+
+testId=14209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4344]
+
+testId=30625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4345]
+
+testId=4001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4346]
+
+testId=20385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4347]
+
+testId=12161
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4348]
+
+testId=28593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4349]
+
+testId=8113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4350]
+
+testId=24465
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4351]
+
+testId=16257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4352]
+
+testId=32641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4353]
+
+testId=113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4354]
+
+testId=16481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4355]
+
+testId=8289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4356]
+
+testId=24673
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4357]
+
+testId=4177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4358]
+
+testId=20577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4359]
+
+testId=12385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4360]
+
+testId=28753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4361]
+
+testId=2129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4362]
+
+testId=18529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4363]
+
+testId=10353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4364]
+
+testId=26737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4365]
+
+testId=6225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4366]
+
+testId=22641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4367]
+
+testId=14401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4368]
+
+testId=30833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4369]
+
+testId=1137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4370]
+
+testId=17521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4371]
+
+testId=9329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4372]
+
+testId=25713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4373]
+
+testId=5201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4374]
+
+testId=21617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4375]
+
+testId=13409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4376]
+
+testId=29761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4377]
+
+testId=3137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4378]
+
+testId=19537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4379]
+
+testId=11361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4380]
+
+testId=27729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4381]
+
+testId=7249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4382]
+
+testId=23665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4383]
+
+testId=15457
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4384]
+
+testId=31809
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4385]
+
+testId=609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4386]
+
+testId=17009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4387]
+
+testId=8801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4388]
+
+testId=25169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4389]
+
+testId=4705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4390]
+
+testId=21089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4391]
+
+testId=12897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4392]
+
+testId=29297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4393]
+
+testId=2673
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4394]
+
+testId=19057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4395]
+
+testId=10865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4396]
+
+testId=27249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4397]
+
+testId=6769
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4398]
+
+testId=23153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4399]
+
+testId=14913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4400]
+
+testId=31297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4401]
+
+testId=1633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4402]
+
+testId=18017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4403]
+
+testId=9825
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4404]
+
+testId=26177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4405]
+
+testId=5713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4406]
+
+testId=22129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4407]
+
+testId=13905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4408]
+
+testId=30321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4409]
+
+testId=3665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4410]
+
+testId=20033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4411]
+
+testId=11857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4412]
+
+testId=28273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4413]
+
+testId=7777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4414]
+
+testId=24129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4415]
+
+testId=15969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4416]
+
+testId=32337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4417]
+
+testId=369
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4418]
+
+testId=16721
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4419]
+
+testId=8561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4420]
+
+testId=24897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4421]
+
+testId=4449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4422]
+
+testId=20833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4423]
+
+testId=12609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4424]
+
+testId=29041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4425]
+
+testId=2417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4426]
+
+testId=18769
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4427]
+
+testId=10593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4428]
+
+testId=26961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4429]
+
+testId=6497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4430]
+
+testId=22865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4431]
+
+testId=14705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4432]
+
+testId=31089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4433]
+
+testId=1393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4434]
+
+testId=17777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4435]
+
+testId=9569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4436]
+
+testId=25969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4437]
+
+testId=5473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4438]
+
+testId=21841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4439]
+
+testId=13633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4440]
+
+testId=30033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4441]
+
+testId=3409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4442]
+
+testId=19793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4443]
+
+testId=11617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4444]
+
+testId=28017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4445]
+
+testId=7521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4446]
+
+testId=23905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4447]
+
+testId=15729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4448]
+
+testId=32097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4449]
+
+testId=865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4450]
+
+testId=17265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4451]
+
+testId=9073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4452]
+
+testId=25441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4453]
+
+testId=4977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4454]
+
+testId=21361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4455]
+
+testId=13121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4456]
+
+testId=29553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4457]
+
+testId=2929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4458]
+
+testId=19313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4459]
+
+testId=11089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4460]
+
+testId=27457
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4461]
+
+testId=7025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4462]
+
+testId=23393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4463]
+
+testId=15217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4464]
+
+testId=31601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4465]
+
+testId=1889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4466]
+
+testId=18289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4467]
+
+testId=10049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4468]
+
+testId=26433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4469]
+
+testId=5969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4470]
+
+testId=22337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4471]
+
+testId=14145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4472]
+
+testId=30561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4473]
+
+testId=3937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4474]
+
+testId=20321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4475]
+
+testId=12113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4476]
+
+testId=28529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4477]
+
+testId=8033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4478]
+
+testId=24385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4479]
+
+testId=16241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4480]
+
+testId=32577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4481]
+
+testId=209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4482]
+
+testId=16577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4483]
+
+testId=8401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4484]
+
+testId=24801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4485]
+
+testId=4289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4486]
+
+testId=20705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4487]
+
+testId=12481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4488]
+
+testId=28865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4489]
+
+testId=2257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4490]
+
+testId=18641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4491]
+
+testId=10449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4492]
+
+testId=26817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4493]
+
+testId=6385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4494]
+
+testId=22737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4495]
+
+testId=14545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4496]
+
+testId=30929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4497]
+
+testId=1265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4498]
+
+testId=17617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4499]
+
+testId=9425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4500]
+
+testId=25793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4501]
+
+testId=5345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4502]
+
+testId=21713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4503]
+
+testId=13537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4504]
+
+testId=29937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4505]
+
+testId=3297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4506]
+
+testId=19697
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4507]
+
+testId=11473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4508]
+
+testId=27873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4509]
+
+testId=7361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4510]
+
+testId=23777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4511]
+
+testId=15601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4512]
+
+testId=31953
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4513]
+
+testId=753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4514]
+
+testId=17105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4515]
+
+testId=8945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4516]
+
+testId=25313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4517]
+
+testId=4833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4518]
+
+testId=21201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4519]
+
+testId=13025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4520]
+
+testId=29425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4521]
+
+testId=2769
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4522]
+
+testId=19169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4523]
+
+testId=10977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4524]
+
+testId=27361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4525]
+
+testId=6865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4526]
+
+testId=23249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4527]
+
+testId=15089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4528]
+
+testId=31425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4529]
+
+testId=1745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4530]
+
+testId=18161
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4531]
+
+testId=9921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4532]
+
+testId=26353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4533]
+
+testId=5841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4534]
+
+testId=22209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4535]
+
+testId=14049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4536]
+
+testId=30401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4537]
+
+testId=3825
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4538]
+
+testId=20193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4539]
+
+testId=11969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4540]
+
+testId=28385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4541]
+
+testId=7873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4542]
+
+testId=24257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4543]
+
+testId=16081
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4544]
+
+testId=32481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4545]
+
+testId=449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4546]
+
+testId=16865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4547]
+
+testId=8689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4548]
+
+testId=25073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4549]
+
+testId=4577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4550]
+
+testId=20945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4551]
+
+testId=12753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4552]
+
+testId=29121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4553]
+
+testId=2497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4554]
+
+testId=18929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4555]
+
+testId=10705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4556]
+
+testId=27105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4557]
+
+testId=6609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4558]
+
+testId=22977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4559]
+
+testId=14801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4560]
+
+testId=31185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4561]
+
+testId=1473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4562]
+
+testId=17857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4563]
+
+testId=9665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4564]
+
+testId=26065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4565]
+
+testId=5601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4566]
+
+testId=22001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4567]
+
+testId=13793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4568]
+
+testId=30145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4569]
+
+testId=3553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4570]
+
+testId=19905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4571]
+
+testId=11745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4572]
+
+testId=28097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4573]
+
+testId=7649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4574]
+
+testId=24017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4575]
+
+testId=15841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4576]
+
+testId=32225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4577]
+
+testId=961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4578]
+
+testId=17377
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4579]
+
+testId=9185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4580]
+
+testId=25537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4581]
+
+testId=5057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4582]
+
+testId=21441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4583]
+
+testId=13281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4584]
+
+testId=29649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4585]
+
+testId=3041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4586]
+
+testId=19409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4587]
+
+testId=11249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4588]
+
+testId=27585
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4589]
+
+testId=7105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4590]
+
+testId=23505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4591]
+
+testId=15329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4592]
+
+testId=31729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4593]
+
+testId=1985
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4594]
+
+testId=18385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4595]
+
+testId=10177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4596]
+
+testId=26561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4597]
+
+testId=6097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4598]
+
+testId=22497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4599]
+
+testId=14321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4600]
+
+testId=30689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4601]
+
+testId=4065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4602]
+
+testId=20449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4603]
+
+testId=12225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4604]
+
+testId=28625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4605]
+
+testId=8129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4606]
+
+testId=24513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4607]
+
+testId=16321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4608]
+
+testId=32737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4609]
+
+testId=9
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4610]
+
+testId=16425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4611]
+
+testId=8233
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4612]
+
+testId=24617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4613]
+
+testId=4121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4614]
+
+testId=20489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4615]
+
+testId=12329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4616]
+
+testId=28729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4617]
+
+testId=2057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4618]
+
+testId=18441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4619]
+
+testId=10249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4620]
+
+testId=26665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4621]
+
+testId=6153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4622]
+
+testId=22569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4623]
+
+testId=14393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4624]
+
+testId=30761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4625]
+
+testId=1049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4626]
+
+testId=17465
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4627]
+
+testId=9257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4628]
+
+testId=25641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4629]
+
+testId=5145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4630]
+
+testId=21529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4631]
+
+testId=13369
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4632]
+
+testId=29753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4633]
+
+testId=3113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4634]
+
+testId=19513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4635]
+
+testId=11273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4636]
+
+testId=27689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4637]
+
+testId=7177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4638]
+
+testId=23577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4639]
+
+testId=15417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4640]
+
+testId=31785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4641]
+
+testId=521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4642]
+
+testId=16953
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4643]
+
+testId=8761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4644]
+
+testId=25113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4645]
+
+testId=4665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4646]
+
+testId=21001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4647]
+
+testId=12825
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4648]
+
+testId=29225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4649]
+
+testId=2601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4650]
+
+testId=18953
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4651]
+
+testId=10809
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4652]
+
+testId=27193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4653]
+
+testId=6665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4654]
+
+testId=23081
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4655]
+
+testId=14889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4656]
+
+testId=31273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4657]
+
+testId=1545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4658]
+
+testId=17961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4659]
+
+testId=9753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4660]
+
+testId=26153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4661]
+
+testId=5657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4662]
+
+testId=22073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4663]
+
+testId=13865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4664]
+
+testId=30217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4665]
+
+testId=3593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4666]
+
+testId=19977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4667]
+
+testId=11801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4668]
+
+testId=28217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4669]
+
+testId=7737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4670]
+
+testId=24121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4671]
+
+testId=15881
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4672]
+
+testId=32313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4673]
+
+testId=265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4674]
+
+testId=16649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4675]
+
+testId=8505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4676]
+
+testId=24857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4677]
+
+testId=4409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4678]
+
+testId=20793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4679]
+
+testId=12569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4680]
+
+testId=28969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4681]
+
+testId=2361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4682]
+
+testId=18729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4683]
+
+testId=10505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4684]
+
+testId=26889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4685]
+
+testId=6441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4686]
+
+testId=22793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4687]
+
+testId=14601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4688]
+
+testId=31017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4689]
+
+testId=1289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4690]
+
+testId=17689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4691]
+
+testId=9481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4692]
+
+testId=25865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4693]
+
+testId=5433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4694]
+
+testId=21817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4695]
+
+testId=13625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4696]
+
+testId=30009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4697]
+
+testId=3353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4698]
+
+testId=19737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4699]
+
+testId=11577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4700]
+
+testId=27961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4701]
+
+testId=7465
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4702]
+
+testId=23849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4703]
+
+testId=15625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4704]
+
+testId=32009
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4705]
+
+testId=777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4706]
+
+testId=17161
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4707]
+
+testId=9017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4708]
+
+testId=25401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4709]
+
+testId=4889
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4710]
+
+testId=21273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4711]
+
+testId=13065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4712]
+
+testId=29449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4713]
+
+testId=2873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4714]
+
+testId=19241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4715]
+
+testId=11033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4716]
+
+testId=27417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4717]
+
+testId=6921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4718]
+
+testId=23305
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4719]
+
+testId=15113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4720]
+
+testId=31497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4721]
+
+testId=1817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4722]
+
+testId=18201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4723]
+
+testId=10025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4724]
+
+testId=26393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4725]
+
+testId=5945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4726]
+
+testId=22313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4727]
+
+testId=14137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4728]
+
+testId=30505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4729]
+
+testId=3865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4730]
+
+testId=20249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4731]
+
+testId=12041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4732]
+
+testId=28473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4733]
+
+testId=7961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4734]
+
+testId=24345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4735]
+
+testId=16169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4736]
+
+testId=32553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4737]
+
+testId=137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4738]
+
+testId=16521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4739]
+
+testId=8329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4740]
+
+testId=24745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4741]
+
+testId=4249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4742]
+
+testId=20649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4743]
+
+testId=12425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4744]
+
+testId=28841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4745]
+
+testId=2185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4746]
+
+testId=18569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4747]
+
+testId=10393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4748]
+
+testId=26793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4749]
+
+testId=6313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4750]
+
+testId=22713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4751]
+
+testId=14521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4752]
+
+testId=30857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4753]
+
+testId=1193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4754]
+
+testId=17577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4755]
+
+testId=9385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4756]
+
+testId=25753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4757]
+
+testId=5289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4758]
+
+testId=21689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4759]
+
+testId=13449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4760]
+
+testId=29849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4761]
+
+testId=3257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4762]
+
+testId=19641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4763]
+
+testId=11401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4764]
+
+testId=27833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4765]
+
+testId=7305
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4766]
+
+testId=23689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4767]
+
+testId=15497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4768]
+
+testId=31897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4769]
+
+testId=697
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4770]
+
+testId=17033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4771]
+
+testId=8857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4772]
+
+testId=25257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4773]
+
+testId=4777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4774]
+
+testId=21129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4775]
+
+testId=12937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4776]
+
+testId=29337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4777]
+
+testId=2713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4778]
+
+testId=19081
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4779]
+
+testId=10905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4780]
+
+testId=27305
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4781]
+
+testId=6793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4782]
+
+testId=23177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4783]
+
+testId=14985
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4784]
+
+testId=31417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4785]
+
+testId=1673
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4786]
+
+testId=18089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4787]
+
+testId=9913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4788]
+
+testId=26281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4789]
+
+testId=5801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4790]
+
+testId=22153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4791]
+
+testId=13993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4792]
+
+testId=30345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4793]
+
+testId=3753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4794]
+
+testId=20121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4795]
+
+testId=11929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4796]
+
+testId=28329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4797]
+
+testId=7865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4798]
+
+testId=24249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4799]
+
+testId=16057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4800]
+
+testId=32409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4801]
+
+testId=441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4802]
+
+testId=16793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4803]
+
+testId=8617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4804]
+
+testId=25017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4805]
+
+testId=4489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4806]
+
+testId=20873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4807]
+
+testId=12713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4808]
+
+testId=29065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4809]
+
+testId=2489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4810]
+
+testId=18857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4811]
+
+testId=10665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4812]
+
+testId=27049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4813]
+
+testId=6585
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4814]
+
+testId=22953
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4815]
+
+testId=14777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4816]
+
+testId=31113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4817]
+
+testId=1417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4818]
+
+testId=17849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4819]
+
+testId=9625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4820]
+
+testId=26041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4821]
+
+testId=5529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4822]
+
+testId=21945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4823]
+
+testId=13721
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4824]
+
+testId=30121
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4825]
+
+testId=3481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4826]
+
+testId=19865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4827]
+
+testId=11689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4828]
+
+testId=28057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4829]
+
+testId=7593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4830]
+
+testId=23993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4831]
+
+testId=15753
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4832]
+
+testId=32185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4833]
+
+testId=921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4834]
+
+testId=17321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4835]
+
+testId=9113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4836]
+
+testId=25529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4837]
+
+testId=5017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4838]
+
+testId=21385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4839]
+
+testId=13241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4840]
+
+testId=29625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4841]
+
+testId=3001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4842]
+
+testId=19385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4843]
+
+testId=11161
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4844]
+
+testId=27561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4845]
+
+testId=7097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4846]
+
+testId=23433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4847]
+
+testId=15241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4848]
+
+testId=31641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4849]
+
+testId=1977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4850]
+
+testId=18345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4851]
+
+testId=10153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4852]
+
+testId=26537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4853]
+
+testId=6073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4854]
+
+testId=22409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4855]
+
+testId=14265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4856]
+
+testId=30601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4857]
+
+testId=4025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4858]
+
+testId=20409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4859]
+
+testId=12217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4860]
+
+testId=28553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4861]
+
+testId=8089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4862]
+
+testId=24489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4863]
+
+testId=16313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4864]
+
+testId=32665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4865]
+
+testId=73
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4866]
+
+testId=16489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4867]
+
+testId=8281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4868]
+
+testId=24665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4869]
+
+testId=4201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4870]
+
+testId=20601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4871]
+
+testId=12393
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4872]
+
+testId=28745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4873]
+
+testId=2169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4874]
+
+testId=18553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4875]
+
+testId=10313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4876]
+
+testId=26729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4877]
+
+testId=6249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4878]
+
+testId=22617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4879]
+
+testId=14425
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4880]
+
+testId=30793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4881]
+
+testId=1097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4882]
+
+testId=17513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4883]
+
+testId=9321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4884]
+
+testId=25689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4885]
+
+testId=5225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4886]
+
+testId=21577
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4887]
+
+testId=13401
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4888]
+
+testId=29817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4889]
+
+testId=3145
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4890]
+
+testId=19561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4891]
+
+testId=11385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4892]
+
+testId=27769
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4893]
+
+testId=7289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4894]
+
+testId=23657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4895]
+
+testId=15433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4896]
+
+testId=31849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4897]
+
+testId=617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4898]
+
+testId=16969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4899]
+
+testId=8793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4900]
+
+testId=25193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4901]
+
+testId=4713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4902]
+
+testId=21065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4903]
+
+testId=12905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4904]
+
+testId=29257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4905]
+
+testId=2665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4906]
+
+testId=19065
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4907]
+
+testId=10873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4908]
+
+testId=27257
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4909]
+
+testId=6729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4910]
+
+testId=23113
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4911]
+
+testId=14921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4912]
+
+testId=31353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4913]
+
+testId=1625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4914]
+
+testId=18025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4915]
+
+testId=9849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4916]
+
+testId=26185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4917]
+
+testId=5737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4918]
+
+testId=22089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4919]
+
+testId=13945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4920]
+
+testId=30329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4921]
+
+testId=3705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4922]
+
+testId=20057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4923]
+
+testId=11897
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4924]
+
+testId=28281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4925]
+
+testId=7801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4926]
+
+testId=24169
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4927]
+
+testId=15993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4928]
+
+testId=32345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4929]
+
+testId=329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4930]
+
+testId=16761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4931]
+
+testId=8537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4932]
+
+testId=24905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4933]
+
+testId=4457
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4934]
+
+testId=20841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4935]
+
+testId=12633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4936]
+
+testId=29017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4937]
+
+testId=2409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4938]
+
+testId=18777
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4939]
+
+testId=10601
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4940]
+
+testId=26969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4941]
+
+testId=6505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4942]
+
+testId=22873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4943]
+
+testId=14713
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4944]
+
+testId=31097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4945]
+
+testId=1353
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4946]
+
+testId=17785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4947]
+
+testId=9593
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4948]
+
+testId=25961
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4949]
+
+testId=5497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4950]
+
+testId=21849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4951]
+
+testId=13657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4952]
+
+testId=30041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4953]
+
+testId=3433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4954]
+
+testId=19801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4955]
+
+testId=11625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4956]
+
+testId=27977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4957]
+
+testId=7529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4958]
+
+testId=23913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4959]
+
+testId=15705
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4960]
+
+testId=32089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4961]
+
+testId=873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4962]
+
+testId=17273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4963]
+
+testId=9081
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4964]
+
+testId=25433
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4965]
+
+testId=4969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4966]
+
+testId=21337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4967]
+
+testId=13177
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4968]
+
+testId=29561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4969]
+
+testId=2937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4970]
+
+testId=19289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4971]
+
+testId=11129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4972]
+
+testId=27465
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4973]
+
+testId=7001
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4974]
+
+testId=23369
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4975]
+
+testId=15209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4976]
+
+testId=31609
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4977]
+
+testId=1865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4978]
+
+testId=18249
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4979]
+
+testId=10089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4980]
+
+testId=26457
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4981]
+
+testId=5993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4982]
+
+testId=22361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4983]
+
+testId=14201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4984]
+
+testId=30537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4985]
+
+testId=3929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4986]
+
+testId=20313
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4987]
+
+testId=12137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4988]
+
+testId=28537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4989]
+
+testId=8057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4990]
+
+testId=24441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4991]
+
+testId=16201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4992]
+
+testId=32633
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4993]
+
+testId=201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4994]
+
+testId=16617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4995]
+
+testId=8409
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4996]
+
+testId=24793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4997]
+
+testId=4297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4998]
+
+testId=20729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-4999]
+
+testId=12505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5000]
+
+testId=28873
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5001]
+
+testId=2297
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5002]
+
+testId=18665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5003]
+
+testId=10489
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5004]
+
+testId=26841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5005]
+
+testId=6345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5006]
+
+testId=22761
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5007]
+
+testId=14537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5008]
+
+testId=30921
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5009]
+
+testId=1241
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5010]
+
+testId=17657
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5011]
+
+testId=9465
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5012]
+
+testId=25817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5013]
+
+testId=5337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5014]
+
+testId=21721
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5015]
+
+testId=13529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5016]
+
+testId=29913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5017]
+
+testId=3273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5018]
+
+testId=19689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5019]
+
+testId=11481
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5020]
+
+testId=27865
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5021]
+
+testId=7385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5022]
+
+testId=23785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5023]
+
+testId=15561
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5024]
+
+testId=31945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5025]
+
+testId=745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5026]
+
+testId=17129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5027]
+
+testId=8937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5028]
+
+testId=25321
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5029]
+
+testId=4857
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5030]
+
+testId=21225
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5031]
+
+testId=13049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5032]
+
+testId=29385
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5033]
+
+testId=2793
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5034]
+
+testId=19193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5035]
+
+testId=10969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5036]
+
+testId=27337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5037]
+
+testId=6905
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5038]
+
+testId=23273
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5039]
+
+testId=15081
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5040]
+
+testId=31449
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5041]
+
+testId=1785
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5042]
+
+testId=18153
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5043]
+
+testId=9977
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5044]
+
+testId=26329
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5045]
+
+testId=5833
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5046]
+
+testId=22217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5047]
+
+testId=14073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5048]
+
+testId=30441
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5049]
+
+testId=3817
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5050]
+
+testId=20217
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5051]
+
+testId=12025
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5052]
+
+testId=28361
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5053]
+
+testId=7929
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5054]
+
+testId=24265
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5055]
+
+testId=16089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5056]
+
+testId=32505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5057]
+
+testId=505
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5058]
+
+testId=16841
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5059]
+
+testId=8665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5060]
+
+testId=25049
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5061]
+
+testId=4569
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5062]
+
+testId=20937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5063]
+
+testId=12745
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5064]
+
+testId=29129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5065]
+
+testId=2537
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5066]
+
+testId=18937
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5067]
+
+testId=10697
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5068]
+
+testId=27097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5069]
+
+testId=6617
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5070]
+
+testId=23033
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5071]
+
+testId=14809
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5072]
+
+testId=31193
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5073]
+
+testId=1513
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5074]
+
+testId=17913
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5075]
+
+testId=9673
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5076]
+
+testId=26057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5077]
+
+testId=5625
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5078]
+
+testId=21993
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5079]
+
+testId=13801
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5080]
+
+testId=30201
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5081]
+
+testId=3545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5082]
+
+testId=19945
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5083]
+
+testId=11737
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5084]
+
+testId=28105
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5085]
+
+testId=7641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5086]
+
+testId=24057
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5087]
+
+testId=15849
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5088]
+
+testId=32233
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5089]
+
+testId=969
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5090]
+
+testId=17369
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5091]
+
+testId=9161
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5092]
+
+testId=25545
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5093]
+
+testId=5097
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5094]
+
+testId=21497
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5095]
+
+testId=13289
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5096]
+
+testId=29641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5097]
+
+testId=3017
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5098]
+
+testId=19417
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5099]
+
+testId=11209
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5100]
+
+testId=27641
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5101]
+
+testId=7129
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5102]
+
+testId=23529
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5103]
+
+testId=15337
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5104]
+
+testId=31689
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5105]
+
+testId=2041
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5106]
+
+testId=18377
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5107]
+
+testId=10185
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5108]
+
+testId=26585
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5109]
+
+testId=6089
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5110]
+
+testId=22521
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5111]
+
+testId=14281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5112]
+
+testId=30665
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5113]
+
+testId=4073
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5114]
+
+testId=20473
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5115]
+
+testId=12281
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5116]
+
+testId=28649
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5117]
+
+testId=8137
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5118]
+
+testId=24553
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5119]
+
+testId=16345
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5120]
+
+testId=32729
+testname=ClientCert_one ServerCert_one ExportPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5121]
+
+testId=53
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5122]
+
+testId=16437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5123]
+
+testId=8197
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5124]
+
+testId=24613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5125]
+
+testId=4133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5126]
+
+testId=20501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5127]
+
+testId=12309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5128]
+
+testId=28693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5129]
+
+testId=2053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5130]
+
+testId=18437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5131]
+
+testId=10277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5132]
+
+testId=26677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5133]
+
+testId=6165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5134]
+
+testId=22581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5135]
+
+testId=14389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5136]
+
+testId=30773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5137]
+
+testId=1077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5138]
+
+testId=17429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5139]
+
+testId=9269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5140]
+
+testId=25637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5141]
+
+testId=5141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5142]
+
+testId=21509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5143]
+
+testId=13317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5144]
+
+testId=29701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5145]
+
+testId=3125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5146]
+
+testId=19477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5147]
+
+testId=11285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5148]
+
+testId=27685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5149]
+
+testId=7205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5150]
+
+testId=23605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5151]
+
+testId=15413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5152]
+
+testId=31765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5153]
+
+testId=533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5154]
+
+testId=16901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5155]
+
+testId=8709
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5156]
+
+testId=25141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5157]
+
+testId=4629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5158]
+
+testId=21029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5159]
+
+testId=12805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5160]
+
+testId=29237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5161]
+
+testId=2613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5162]
+
+testId=18949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5163]
+
+testId=10805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5164]
+
+testId=27141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5165]
+
+testId=6677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5166]
+
+testId=23093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5167]
+
+testId=14885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5168]
+
+testId=31237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5169]
+
+testId=1541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5170]
+
+testId=17925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5171]
+
+testId=9781
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5172]
+
+testId=26117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5173]
+
+testId=5637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5174]
+
+testId=22069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5175]
+
+testId=13829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5176]
+
+testId=30229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5177]
+
+testId=3589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5178]
+
+testId=19989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5179]
+
+testId=11797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5180]
+
+testId=28181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5181]
+
+testId=7733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5182]
+
+testId=24101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5183]
+
+testId=15893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5184]
+
+testId=32261
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5185]
+
+testId=261
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5186]
+
+testId=16661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5187]
+
+testId=8453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5188]
+
+testId=24837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5189]
+
+testId=4373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5190]
+
+testId=20789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5191]
+
+testId=12549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5192]
+
+testId=28933
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5193]
+
+testId=2325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5194]
+
+testId=18725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5195]
+
+testId=10517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5196]
+
+testId=26933
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5197]
+
+testId=6421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5198]
+
+testId=22789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5199]
+
+testId=14613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5200]
+
+testId=31013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5201]
+
+testId=1285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5202]
+
+testId=17717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5203]
+
+testId=9493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5204]
+
+testId=25893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5205]
+
+testId=5413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5206]
+
+testId=21781
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5207]
+
+testId=13605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5208]
+
+testId=29989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5209]
+
+testId=3333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5210]
+
+testId=19765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5211]
+
+testId=11573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5212]
+
+testId=27909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5213]
+
+testId=7429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5214]
+
+testId=23845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5215]
+
+testId=15637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5216]
+
+testId=32037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5217]
+
+testId=805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5218]
+
+testId=17173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5219]
+
+testId=8997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5220]
+
+testId=25397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5221]
+
+testId=4901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5222]
+
+testId=21301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5223]
+
+testId=13061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5224]
+
+testId=29477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5225]
+
+testId=2837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5226]
+
+testId=19237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5227]
+
+testId=11045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5228]
+
+testId=27397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5229]
+
+testId=6965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5230]
+
+testId=23333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5231]
+
+testId=15125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5232]
+
+testId=31509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5233]
+
+testId=1797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5234]
+
+testId=18213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5235]
+
+testId=10005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5236]
+
+testId=26421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5237]
+
+testId=5909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5238]
+
+testId=22309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5239]
+
+testId=14117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5240]
+
+testId=30501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5241]
+
+testId=3861
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5242]
+
+testId=20229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5243]
+
+testId=12053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5244]
+
+testId=28453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5245]
+
+testId=7973
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5246]
+
+testId=24325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5247]
+
+testId=16133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5248]
+
+testId=32517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5249]
+
+testId=165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5250]
+
+testId=16533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5251]
+
+testId=8341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5252]
+
+testId=24757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5253]
+
+testId=4277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5254]
+
+testId=20613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5255]
+
+testId=12469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5256]
+
+testId=28837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5257]
+
+testId=2213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5258]
+
+testId=18581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5259]
+
+testId=10421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5260]
+
+testId=26773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5261]
+
+testId=6277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5262]
+
+testId=22693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5263]
+
+testId=14517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5264]
+
+testId=30869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5265]
+
+testId=1157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5266]
+
+testId=17589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5267]
+
+testId=9349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5268]
+
+testId=25749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5269]
+
+testId=5301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5270]
+
+testId=21653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5271]
+
+testId=13445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5272]
+
+testId=29845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5273]
+
+testId=3253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5274]
+
+testId=19589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5275]
+
+testId=11445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5276]
+
+testId=27813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5277]
+
+testId=7301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5278]
+
+testId=23701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5279]
+
+testId=15541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5280]
+
+testId=31877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5281]
+
+testId=693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5282]
+
+testId=17061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5283]
+
+testId=8885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5284]
+
+testId=25221
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5285]
+
+testId=4789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5286]
+
+testId=21173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5287]
+
+testId=12933
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5288]
+
+testId=29333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5289]
+
+testId=2741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5290]
+
+testId=19125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5291]
+
+testId=10885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5292]
+
+testId=27269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5293]
+
+testId=6821
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5294]
+
+testId=23189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5295]
+
+testId=15029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5296]
+
+testId=31413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5297]
+
+testId=1669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5298]
+
+testId=18053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5299]
+
+testId=9893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5300]
+
+testId=26245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5301]
+
+testId=5781
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5302]
+
+testId=22181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5303]
+
+testId=13989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5304]
+
+testId=30357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5305]
+
+testId=3733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5306]
+
+testId=20117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5307]
+
+testId=11925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5308]
+
+testId=28341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5309]
+
+testId=7829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5310]
+
+testId=24245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5311]
+
+testId=16037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5312]
+
+testId=32389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5313]
+
+testId=421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5314]
+
+testId=16805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5315]
+
+testId=8597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5316]
+
+testId=24981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5317]
+
+testId=4517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5318]
+
+testId=20885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5319]
+
+testId=12693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5320]
+
+testId=29061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5321]
+
+testId=2453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5322]
+
+testId=18837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5323]
+
+testId=10645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5324]
+
+testId=27045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5325]
+
+testId=6533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5326]
+
+testId=22933
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5327]
+
+testId=14773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5328]
+
+testId=31125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5329]
+
+testId=1445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5330]
+
+testId=17813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5331]
+
+testId=9621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5332]
+
+testId=26005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5333]
+
+testId=5525
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5334]
+
+testId=21925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5335]
+
+testId=13749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5336]
+
+testId=30133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5337]
+
+testId=3461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5338]
+
+testId=19845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5339]
+
+testId=11701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5340]
+
+testId=28085
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5341]
+
+testId=7605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5342]
+
+testId=23957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5343]
+
+testId=15749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5344]
+
+testId=32149
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5345]
+
+testId=901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5346]
+
+testId=17301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5347]
+
+testId=9109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5348]
+
+testId=25509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5349]
+
+testId=5029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5350]
+
+testId=21429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5351]
+
+testId=13205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5352]
+
+testId=29573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5353]
+
+testId=2997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5354]
+
+testId=19349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5355]
+
+testId=11141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5356]
+
+testId=27573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5357]
+
+testId=7093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5358]
+
+testId=23445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5359]
+
+testId=15285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5360]
+
+testId=31653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5361]
+
+testId=1941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5362]
+
+testId=18325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5363]
+
+testId=10149
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5364]
+
+testId=26517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5365]
+
+testId=6069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5366]
+
+testId=22421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5367]
+
+testId=14245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5368]
+
+testId=30629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5369]
+
+testId=3989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5370]
+
+testId=20389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5371]
+
+testId=12213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5372]
+
+testId=28565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5373]
+
+testId=8085
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5374]
+
+testId=24485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5375]
+
+testId=16293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5376]
+
+testId=32645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5377]
+
+testId=117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5378]
+
+testId=16501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5379]
+
+testId=8293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5380]
+
+testId=24645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5381]
+
+testId=4181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5382]
+
+testId=20549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5383]
+
+testId=12405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5384]
+
+testId=28741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5385]
+
+testId=2117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5386]
+
+testId=18501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5387]
+
+testId=10341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5388]
+
+testId=26725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5389]
+
+testId=6245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5390]
+
+testId=22597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5391]
+
+testId=14453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5392]
+
+testId=30805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5393]
+
+testId=1109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5394]
+
+testId=17509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5395]
+
+testId=9333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5396]
+
+testId=25685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5397]
+
+testId=5205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5398]
+
+testId=21605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5399]
+
+testId=13429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5400]
+
+testId=29765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5401]
+
+testId=3157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5402]
+
+testId=19525
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5403]
+
+testId=11365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5404]
+
+testId=27765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5405]
+
+testId=7237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5406]
+
+testId=23621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5407]
+
+testId=15477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5408]
+
+testId=31861
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5409]
+
+testId=581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5410]
+
+testId=16981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5411]
+
+testId=8805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5412]
+
+testId=25157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5413]
+
+testId=4725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5414]
+
+testId=21109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5415]
+
+testId=12901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5416]
+
+testId=29253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5417]
+
+testId=2645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5418]
+
+testId=19029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5419]
+
+testId=10869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5420]
+
+testId=27253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5421]
+
+testId=6757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5422]
+
+testId=23157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5423]
+
+testId=14949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5424]
+
+testId=31301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5425]
+
+testId=1637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5426]
+
+testId=18037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5427]
+
+testId=9813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5428]
+
+testId=26213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5429]
+
+testId=5733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5430]
+
+testId=22101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5431]
+
+testId=13925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5432]
+
+testId=30325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5433]
+
+testId=3701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5434]
+
+testId=20037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5435]
+
+testId=11845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5436]
+
+testId=28245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5437]
+
+testId=7797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5438]
+
+testId=24149
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5439]
+
+testId=15989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5440]
+
+testId=32373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5441]
+
+testId=373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5442]
+
+testId=16709
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5443]
+
+testId=8549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5444]
+
+testId=24901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5445]
+
+testId=4421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5446]
+
+testId=20837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5447]
+
+testId=12645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5448]
+
+testId=29029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5449]
+
+testId=2405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5450]
+
+testId=18773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5451]
+
+testId=10565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5452]
+
+testId=26997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5453]
+
+testId=6485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5454]
+
+testId=22853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5455]
+
+testId=14693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5456]
+
+testId=31061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5457]
+
+testId=1381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5458]
+
+testId=17733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5459]
+
+testId=9557
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5460]
+
+testId=25941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5461]
+
+testId=5477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5462]
+
+testId=21861
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5463]
+
+testId=13669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5464]
+
+testId=30037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5465]
+
+testId=3445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5466]
+
+testId=19781
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5467]
+
+testId=11637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5468]
+
+testId=28005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5469]
+
+testId=7509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5470]
+
+testId=23909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5471]
+
+testId=15717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5472]
+
+testId=32117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5473]
+
+testId=869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5474]
+
+testId=17237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5475]
+
+testId=9029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5476]
+
+testId=25413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5477]
+
+testId=4965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5478]
+
+testId=21365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5479]
+
+testId=13157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5480]
+
+testId=29541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5481]
+
+testId=2885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5482]
+
+testId=19285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5483]
+
+testId=11077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5484]
+
+testId=27493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5485]
+
+testId=6981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5486]
+
+testId=23381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5487]
+
+testId=15205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5488]
+
+testId=31557
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5489]
+
+testId=1909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5490]
+
+testId=18245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5491]
+
+testId=10069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5492]
+
+testId=26469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5493]
+
+testId=6005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5494]
+
+testId=22357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5495]
+
+testId=14181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5496]
+
+testId=30549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5497]
+
+testId=3941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5498]
+
+testId=20341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5499]
+
+testId=12117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5500]
+
+testId=28533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5501]
+
+testId=8053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5502]
+
+testId=24405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5503]
+
+testId=16213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5504]
+
+testId=32581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5505]
+
+testId=213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5506]
+
+testId=16581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5507]
+
+testId=8437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5508]
+
+testId=24773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5509]
+
+testId=4325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5510]
+
+testId=20709
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5511]
+
+testId=12485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5512]
+
+testId=28901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5513]
+
+testId=2293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5514]
+
+testId=18629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5515]
+
+testId=10469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5516]
+
+testId=26853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5517]
+
+testId=6357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5518]
+
+testId=22741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5519]
+
+testId=14533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5520]
+
+testId=30917
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5521]
+
+testId=1269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5522]
+
+testId=17621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5523]
+
+testId=9413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5524]
+
+testId=25845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5525]
+
+testId=5365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5526]
+
+testId=21749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5527]
+
+testId=13509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5528]
+
+testId=29909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5529]
+
+testId=3301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5530]
+
+testId=19669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5531]
+
+testId=11509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5532]
+
+testId=27877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5533]
+
+testId=7381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5534]
+
+testId=23749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5535]
+
+testId=15605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5536]
+
+testId=31957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5537]
+
+testId=757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5538]
+
+testId=17125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5539]
+
+testId=8901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5540]
+
+testId=25333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5541]
+
+testId=4805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5542]
+
+testId=21189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5543]
+
+testId=13045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5544]
+
+testId=29381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5545]
+
+testId=2773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5546]
+
+testId=19173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5547]
+
+testId=10981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5548]
+
+testId=27365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5549]
+
+testId=6869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5550]
+
+testId=23253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5551]
+
+testId=15077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5552]
+
+testId=31429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5553]
+
+testId=1765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5554]
+
+testId=18165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5555]
+
+testId=9973
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5556]
+
+testId=26341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5557]
+
+testId=5845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5558]
+
+testId=22229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5559]
+
+testId=14053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5560]
+
+testId=30453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5561]
+
+testId=3797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5562]
+
+testId=20213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5563]
+
+testId=12005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5564]
+
+testId=28389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5565]
+
+testId=7925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5566]
+
+testId=24309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5567]
+
+testId=16101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5568]
+
+testId=32469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5569]
+
+testId=485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5570]
+
+testId=16885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5571]
+
+testId=8661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5572]
+
+testId=25045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5573]
+
+testId=4581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5574]
+
+testId=20933
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5575]
+
+testId=12757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5576]
+
+testId=29125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5577]
+
+testId=2517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5578]
+
+testId=18901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5579]
+
+testId=10725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5580]
+
+testId=27077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5581]
+
+testId=6613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5582]
+
+testId=23013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5583]
+
+testId=14837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5584]
+
+testId=31189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5585]
+
+testId=1493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5586]
+
+testId=17893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5587]
+
+testId=9701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5588]
+
+testId=26053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5589]
+
+testId=5605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5590]
+
+testId=21957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5591]
+
+testId=13813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5592]
+
+testId=30197
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5593]
+
+testId=3541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5594]
+
+testId=19909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5595]
+
+testId=11749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5596]
+
+testId=28117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5597]
+
+testId=7637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5598]
+
+testId=24005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5599]
+
+testId=15829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5600]
+
+testId=32213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5601]
+
+testId=997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5602]
+
+testId=17397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5603]
+
+testId=9189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5604]
+
+testId=25573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5605]
+
+testId=5077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5606]
+
+testId=21461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5607]
+
+testId=13301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5608]
+
+testId=29669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5609]
+
+testId=3045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5610]
+
+testId=19445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5611]
+
+testId=11221
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5612]
+
+testId=27589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5613]
+
+testId=7157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5614]
+
+testId=23509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5615]
+
+testId=15317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5616]
+
+testId=31685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5617]
+
+testId=2021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5618]
+
+testId=18405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5619]
+
+testId=10229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5620]
+
+testId=26613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5621]
+
+testId=6117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5622]
+
+testId=22469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5623]
+
+testId=14325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5624]
+
+testId=30677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5625]
+
+testId=4037
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5626]
+
+testId=20421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5627]
+
+testId=12245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5628]
+
+testId=28661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5629]
+
+testId=8165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5630]
+
+testId=24533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5631]
+
+testId=16325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5632]
+
+testId=32757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5633]
+
+testId=61
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5634]
+
+testId=16445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5635]
+
+testId=8237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5636]
+
+testId=24605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5637]
+
+testId=4141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5638]
+
+testId=20493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5639]
+
+testId=12317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5640]
+
+testId=28701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5641]
+
+testId=2061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5642]
+
+testId=18477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5643]
+
+testId=10269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5644]
+
+testId=26669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5645]
+
+testId=6205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5646]
+
+testId=22573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5647]
+
+testId=14397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5648]
+
+testId=30765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5649]
+
+testId=1053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5650]
+
+testId=17421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5651]
+
+testId=9261
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5652]
+
+testId=25629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5653]
+
+testId=5165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5654]
+
+testId=21533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5655]
+
+testId=13357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5656]
+
+testId=29741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5657]
+
+testId=3101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5658]
+
+testId=19485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5659]
+
+testId=11325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5660]
+
+testId=27693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5661]
+
+testId=7229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5662]
+
+testId=23565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5663]
+
+testId=15373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5664]
+
+testId=31805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5665]
+
+testId=525
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5666]
+
+testId=16957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5667]
+
+testId=8765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5668]
+
+testId=25133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5669]
+
+testId=4653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5670]
+
+testId=21053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5671]
+
+testId=12829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5672]
+
+testId=29213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5673]
+
+testId=2621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5674]
+
+testId=19005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5675]
+
+testId=10765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5676]
+
+testId=27197
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5677]
+
+testId=6685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5678]
+
+testId=23053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5679]
+
+testId=14861
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5680]
+
+testId=31277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5681]
+
+testId=1597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5682]
+
+testId=17949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5683]
+
+testId=9773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5684]
+
+testId=26157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5685]
+
+testId=5693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5686]
+
+testId=22045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5687]
+
+testId=13853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5688]
+
+testId=30237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5689]
+
+testId=3613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5690]
+
+testId=20029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5691]
+
+testId=11821
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5692]
+
+testId=28189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5693]
+
+testId=7725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5694]
+
+testId=24125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5695]
+
+testId=15885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5696]
+
+testId=32301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5697]
+
+testId=269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5698]
+
+testId=16685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5699]
+
+testId=8509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5700]
+
+testId=24877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5701]
+
+testId=4397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5702]
+
+testId=20765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5703]
+
+testId=12573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5704]
+
+testId=28973
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5705]
+
+testId=2349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5706]
+
+testId=18701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5707]
+
+testId=10509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5708]
+
+testId=26925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5709]
+
+testId=6413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5710]
+
+testId=22797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5711]
+
+testId=14605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5712]
+
+testId=30989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5713]
+
+testId=1293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5714]
+
+testId=17725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5715]
+
+testId=9501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5716]
+
+testId=25901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5717]
+
+testId=5389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5718]
+
+testId=21789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5719]
+
+testId=13613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5720]
+
+testId=29981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5721]
+
+testId=3341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5722]
+
+testId=19757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5723]
+
+testId=11549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5724]
+
+testId=27949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5725]
+
+testId=7485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5726]
+
+testId=23837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5727]
+
+testId=15677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5728]
+
+testId=32045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5729]
+
+testId=829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5730]
+
+testId=17181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5731]
+
+testId=9005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5732]
+
+testId=25373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5733]
+
+testId=4877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5734]
+
+testId=21293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5735]
+
+testId=13069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5736]
+
+testId=29469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5737]
+
+testId=2877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5738]
+
+testId=19213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5739]
+
+testId=11069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5740]
+
+testId=27437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5741]
+
+testId=6925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5742]
+
+testId=23341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5743]
+
+testId=15117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5744]
+
+testId=31533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5745]
+
+testId=1821
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5746]
+
+testId=18205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5747]
+
+testId=10029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5748]
+
+testId=26429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5749]
+
+testId=5949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5750]
+
+testId=22285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5751]
+
+testId=14125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5752]
+
+testId=30509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5753]
+
+testId=3869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5754]
+
+testId=20285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5755]
+
+testId=12093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5756]
+
+testId=28461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5757]
+
+testId=7997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5758]
+
+testId=24365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5759]
+
+testId=16141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5760]
+
+testId=32525
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5761]
+
+testId=141
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5762]
+
+testId=16573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5763]
+
+testId=8365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5764]
+
+testId=24749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5765]
+
+testId=4253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5766]
+
+testId=20669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5767]
+
+testId=12429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5768]
+
+testId=28845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5769]
+
+testId=2237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5770]
+
+testId=18589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5771]
+
+testId=10381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5772]
+
+testId=26813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5773]
+
+testId=6333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5774]
+
+testId=22669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5775]
+
+testId=14509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5776]
+
+testId=30877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5777]
+
+testId=1197
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5778]
+
+testId=17597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5779]
+
+testId=9405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5780]
+
+testId=25757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5781]
+
+testId=5309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5782]
+
+testId=21661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5783]
+
+testId=13453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5784]
+
+testId=29853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5785]
+
+testId=3213
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5786]
+
+testId=19629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5787]
+
+testId=11405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5788]
+
+testId=27805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5789]
+
+testId=7325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5790]
+
+testId=23741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5791]
+
+testId=15533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5792]
+
+testId=31901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5793]
+
+testId=653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5794]
+
+testId=17085
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5795]
+
+testId=8845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5796]
+
+testId=25229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5797]
+
+testId=4797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5798]
+
+testId=21133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5799]
+
+testId=12989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5800]
+
+testId=29341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5801]
+
+testId=2717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5802]
+
+testId=19101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5803]
+
+testId=10925
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5804]
+
+testId=27309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5805]
+
+testId=6845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5806]
+
+testId=23229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5807]
+
+testId=15021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5808]
+
+testId=31405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5809]
+
+testId=1693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5810]
+
+testId=18093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5811]
+
+testId=9869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5812]
+
+testId=26269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5813]
+
+testId=5821
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5814]
+
+testId=22157
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5815]
+
+testId=13997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5816]
+
+testId=30381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5817]
+
+testId=3725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5818]
+
+testId=20109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5819]
+
+testId=11965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5820]
+
+testId=28301
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5821]
+
+testId=7869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5822]
+
+testId=24221
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5823]
+
+testId=16045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5824]
+
+testId=32429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5825]
+
+testId=413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5826]
+
+testId=16829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5827]
+
+testId=8637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5828]
+
+testId=24973
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5829]
+
+testId=4541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5830]
+
+testId=20893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5831]
+
+testId=12717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5832]
+
+testId=29101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5833]
+
+testId=2461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5834]
+
+testId=18861
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5835]
+
+testId=10653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5836]
+
+testId=27021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5837]
+
+testId=6541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5838]
+
+testId=22973
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5839]
+
+testId=14765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5840]
+
+testId=31149
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5841]
+
+testId=1469
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5842]
+
+testId=17837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5843]
+
+testId=9613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5844]
+
+testId=26013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5845]
+
+testId=5565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5846]
+
+testId=21917
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5847]
+
+testId=13709
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5848]
+
+testId=30125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5849]
+
+testId=3517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5850]
+
+testId=19869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5851]
+
+testId=11677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5852]
+
+testId=28093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5853]
+
+testId=7597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5854]
+
+testId=23965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5855]
+
+testId=15805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5856]
+
+testId=32189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5857]
+
+testId=957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5858]
+
+testId=17309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5859]
+
+testId=9117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5860]
+
+testId=25533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5861]
+
+testId=5053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5862]
+
+testId=21421
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5863]
+
+testId=13229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5864]
+
+testId=29613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5865]
+
+testId=2957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5866]
+
+testId=19373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5867]
+
+testId=11181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5868]
+
+testId=27533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5869]
+
+testId=7101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5870]
+
+testId=23437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5871]
+
+testId=15245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5872]
+
+testId=31661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5873]
+
+testId=1949
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5874]
+
+testId=18349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5875]
+
+testId=10173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5876]
+
+testId=26509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5877]
+
+testId=6045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5878]
+
+testId=22461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5879]
+
+testId=14253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5880]
+
+testId=30621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5881]
+
+testId=3997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5882]
+
+testId=20365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5883]
+
+testId=12205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5884]
+
+testId=28605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5885]
+
+testId=8077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5886]
+
+testId=24477
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5887]
+
+testId=16317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5888]
+
+testId=32701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5889]
+
+testId=109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5890]
+
+testId=16493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5891]
+
+testId=8269
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5892]
+
+testId=24685
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5893]
+
+testId=4189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5894]
+
+testId=20557
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5895]
+
+testId=12413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5896]
+
+testId=28765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5897]
+
+testId=2125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5898]
+
+testId=18557
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5899]
+
+testId=10333
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5900]
+
+testId=26749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5901]
+
+testId=6237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5902]
+
+testId=22621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5903]
+
+testId=14429
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5904]
+
+testId=30845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5905]
+
+testId=1133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5906]
+
+testId=17485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5907]
+
+testId=9341
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5908]
+
+testId=25677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5909]
+
+testId=5229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5910]
+
+testId=21613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5911]
+
+testId=13405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5912]
+
+testId=29805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5913]
+
+testId=3181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5914]
+
+testId=19549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5915]
+
+testId=11357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5916]
+
+testId=27773
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5917]
+
+testId=7277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5918]
+
+testId=23645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5919]
+
+testId=15453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5920]
+
+testId=31853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5921]
+
+testId=637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5922]
+
+testId=17005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5923]
+
+testId=8797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5924]
+
+testId=25181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5925]
+
+testId=4717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5926]
+
+testId=21101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5927]
+
+testId=12909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5928]
+
+testId=29277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5929]
+
+testId=2669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5930]
+
+testId=19021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5931]
+
+testId=10877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5932]
+
+testId=27229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5933]
+
+testId=6733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5934]
+
+testId=23133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5935]
+
+testId=14957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5936]
+
+testId=31357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5937]
+
+testId=1613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5938]
+
+testId=18029
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5939]
+
+testId=9805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5940]
+
+testId=26221
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5941]
+
+testId=5709
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5942]
+
+testId=22109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5943]
+
+testId=13901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5944]
+
+testId=30317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5945]
+
+testId=3693
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5946]
+
+testId=20045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5947]
+
+testId=11885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5948]
+
+testId=28285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5949]
+
+testId=7789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5950]
+
+testId=24173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5951]
+
+testId=15997
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5952]
+
+testId=32365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5953]
+
+testId=365
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5954]
+
+testId=16765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5955]
+
+testId=8557
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5956]
+
+testId=24941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5957]
+
+testId=4461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5958]
+
+testId=20829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5959]
+
+testId=12653
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5960]
+
+testId=29021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5961]
+
+testId=2381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5962]
+
+testId=18765
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5963]
+
+testId=10605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5964]
+
+testId=26957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5965]
+
+testId=6493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5966]
+
+testId=22877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5967]
+
+testId=14701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5968]
+
+testId=31101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5969]
+
+testId=1405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5970]
+
+testId=17789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5971]
+
+testId=9565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5972]
+
+testId=25981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5973]
+
+testId=5453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5974]
+
+testId=21853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5975]
+
+testId=13677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5976]
+
+testId=30077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5977]
+
+testId=3405
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5978]
+
+testId=19837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5979]
+
+testId=11645
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5980]
+
+testId=28013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5981]
+
+testId=7517
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5982]
+
+testId=23901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5983]
+
+testId=15725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5984]
+
+testId=32077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5985]
+
+testId=845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5986]
+
+testId=17261
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5987]
+
+testId=9085
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5988]
+
+testId=25437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5989]
+
+testId=4989
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5990]
+
+testId=21357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5991]
+
+testId=13149
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5992]
+
+testId=29565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5993]
+
+testId=2909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5994]
+
+testId=19325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5995]
+
+testId=11117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5996]
+
+testId=27485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5997]
+
+testId=7021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5998]
+
+testId=23373
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-5999]
+
+testId=15197
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6000]
+
+testId=31613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6001]
+
+testId=1917
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6002]
+
+testId=18285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6003]
+
+testId=10093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6004]
+
+testId=26461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6005]
+
+testId=5981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6006]
+
+testId=22349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6007]
+
+testId=14189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6008]
+
+testId=30573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6009]
+
+testId=3965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6010]
+
+testId=20349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6011]
+
+testId=12125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6012]
+
+testId=28509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6013]
+
+testId=8045
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6014]
+
+testId=24413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6015]
+
+testId=16205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6016]
+
+testId=32589
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6017]
+
+testId=205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6018]
+
+testId=16605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6019]
+
+testId=8397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6020]
+
+testId=24797
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6021]
+
+testId=4349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6022]
+
+testId=20717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6023]
+
+testId=12493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6024]
+
+testId=28877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6025]
+
+testId=2253
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6026]
+
+testId=18669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6027]
+
+testId=10493
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6028]
+
+testId=26829
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6029]
+
+testId=6381
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6030]
+
+testId=22749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6031]
+
+testId=14573
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6032]
+
+testId=30941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6033]
+
+testId=1245
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6034]
+
+testId=17629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6035]
+
+testId=9437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6036]
+
+testId=25837
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6037]
+
+testId=5357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6038]
+
+testId=21725
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6039]
+
+testId=13549
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6040]
+
+testId=29901
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6041]
+
+testId=3309
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6042]
+
+testId=19677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6043]
+
+testId=11485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6044]
+
+testId=27869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6045]
+
+testId=7389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6046]
+
+testId=23789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6047]
+
+testId=15597
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6048]
+
+testId=31981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6049]
+
+testId=717
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6050]
+
+testId=17101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6051]
+
+testId=8941
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6052]
+
+testId=25293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6053]
+
+testId=4845
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6054]
+
+testId=21229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6055]
+
+testId=13021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6056]
+
+testId=29389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6057]
+
+testId=2781
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6058]
+
+testId=19165
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6059]
+
+testId=11005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6060]
+
+testId=27389
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6061]
+
+testId=6893
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6062]
+
+testId=23293
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6063]
+
+testId=15069
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6064]
+
+testId=31453
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6065]
+
+testId=1789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6066]
+
+testId=18125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6067]
+
+testId=9965
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6068]
+
+testId=26317
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6069]
+
+testId=5853
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6070]
+
+testId=22237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6071]
+
+testId=14061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6072]
+
+testId=30445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6073]
+
+testId=3789
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6074]
+
+testId=20189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6075]
+
+testId=12013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6076]
+
+testId=28413
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6077]
+
+testId=7885
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6078]
+
+testId=24285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6079]
+
+testId=16125
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6080]
+
+testId=32509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6081]
+
+testId=461
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6082]
+
+testId=16877
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6083]
+
+testId=8701
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6084]
+
+testId=25053
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6085]
+
+testId=4605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6086]
+
+testId=20957
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6087]
+
+testId=12749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6088]
+
+testId=29181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6089]
+
+testId=2525
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6090]
+
+testId=18909
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6091]
+
+testId=10749
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6092]
+
+testId=27101
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6093]
+
+testId=6621
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6094]
+
+testId=23005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6095]
+
+testId=14813
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6096]
+
+testId=31229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6097]
+
+testId=1533
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6098]
+
+testId=17869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6099]
+
+testId=9677
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6100]
+
+testId=26077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6101]
+
+testId=5613
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6102]
+
+testId=21981
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6103]
+
+testId=13805
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6104]
+
+testId=30173
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6105]
+
+testId=3581
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6106]
+
+testId=19917
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6107]
+
+testId=11757
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6108]
+
+testId=28109
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6109]
+
+testId=7629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6110]
+
+testId=24061
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6111]
+
+testId=15869
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6112]
+
+testId=32237
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6113]
+
+testId=1005
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6114]
+
+testId=17357
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6115]
+
+testId=9181
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6116]
+
+testId=25565
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6117]
+
+testId=5117
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6118]
+
+testId=21485
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6119]
+
+testId=13277
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6120]
+
+testId=29661
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6121]
+
+testId=3021
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6122]
+
+testId=19437
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6123]
+
+testId=11229
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6124]
+
+testId=27629
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6125]
+
+testId=7133
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6126]
+
+testId=23501
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6127]
+
+testId=15325
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6128]
+
+testId=31741
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6129]
+
+testId=2013
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6130]
+
+testId=18397
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6131]
+
+testId=10205
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6132]
+
+testId=26605
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6133]
+
+testId=6093
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6134]
+
+testId=22509
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6135]
+
+testId=14285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6136]
+
+testId=30669
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6137]
+
+testId=4077
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6138]
+
+testId=20445
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6139]
+
+testId=12285
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6140]
+
+testId=28637
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6141]
+
+testId=8189
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6142]
+
+testId=24541
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6143]
+
+testId=16349
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6144]
+
+testId=32733
+testname=ClientCert_one ServerCert_one ExportPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6145]
+
+testId=51
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6146]
+
+testId=16403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6147]
+
+testId=8211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6148]
+
+testId=24611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6149]
+
+testId=4131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6150]
+
+testId=20483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6151]
+
+testId=12307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6152]
+
+testId=28723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6153]
+
+testId=2067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6154]
+
+testId=18435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6155]
+
+testId=10275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6156]
+
+testId=26675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6157]
+
+testId=6179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6158]
+
+testId=22579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6159]
+
+testId=14387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6160]
+
+testId=30755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6161]
+
+testId=1075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6162]
+
+testId=17459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6163]
+
+testId=9251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6164]
+
+testId=25619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6165]
+
+testId=5155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6166]
+
+testId=21555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6167]
+
+testId=13363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6168]
+
+testId=29731
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6169]
+
+testId=3123
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6170]
+
+testId=19491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6171]
+
+testId=11299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6172]
+
+testId=27699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6173]
+
+testId=7203
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6174]
+
+testId=23571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6175]
+
+testId=15379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6176]
+
+testId=31747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6177]
+
+testId=531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6178]
+
+testId=16899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6179]
+
+testId=8707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6180]
+
+testId=25091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6181]
+
+testId=4627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6182]
+
+testId=20995
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6183]
+
+testId=12851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6184]
+
+testId=29219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6185]
+
+testId=2563
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6186]
+
+testId=18963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6187]
+
+testId=10803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6188]
+
+testId=27171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6189]
+
+testId=6707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6190]
+
+testId=23043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6191]
+
+testId=14867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6192]
+
+testId=31283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6193]
+
+testId=1539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6194]
+
+testId=17939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6195]
+
+testId=9731
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6196]
+
+testId=26147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6197]
+
+testId=5651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6198]
+
+testId=22019
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6199]
+
+testId=13827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6200]
+
+testId=30211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6201]
+
+testId=3587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6202]
+
+testId=19971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6203]
+
+testId=11827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6204]
+
+testId=28163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6205]
+
+testId=7715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6206]
+
+testId=24067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6207]
+
+testId=15923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6208]
+
+testId=32291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6209]
+
+testId=259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6210]
+
+testId=16659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6211]
+
+testId=8451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6212]
+
+testId=24883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6213]
+
+testId=4403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6214]
+
+testId=20739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6215]
+
+testId=12579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6216]
+
+testId=28931
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6217]
+
+testId=2339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6218]
+
+testId=18691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6219]
+
+testId=10499
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6220]
+
+testId=26899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6221]
+
+testId=6419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6222]
+
+testId=22819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6223]
+
+testId=14595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6224]
+
+testId=31027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6225]
+
+testId=1299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6226]
+
+testId=17683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6227]
+
+testId=9523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6228]
+
+testId=25859
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6229]
+
+testId=5395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6230]
+
+testId=21811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6231]
+
+testId=13571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6232]
+
+testId=29971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6233]
+
+testId=3331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6234]
+
+testId=19715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6235]
+
+testId=11555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6236]
+
+testId=27907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6237]
+
+testId=7443
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6238]
+
+testId=23843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6239]
+
+testId=15635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6240]
+
+testId=32051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6241]
+
+testId=803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6242]
+
+testId=17187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6243]
+
+testId=8979
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6244]
+
+testId=25395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6245]
+
+testId=4899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6246]
+
+testId=21283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6247]
+
+testId=13107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6248]
+
+testId=29475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6249]
+
+testId=2851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6250]
+
+testId=19219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6251]
+
+testId=11043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6252]
+
+testId=27395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6253]
+
+testId=6947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6254]
+
+testId=23315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6255]
+
+testId=15107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6256]
+
+testId=31539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6257]
+
+testId=1795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6258]
+
+testId=18211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6259]
+
+testId=10003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6260]
+
+testId=26387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6261]
+
+testId=5939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6262]
+
+testId=22323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6263]
+
+testId=14083
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6264]
+
+testId=30515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6265]
+
+testId=3891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6266]
+
+testId=20243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6267]
+
+testId=12035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6268]
+
+testId=28419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6269]
+
+testId=7955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6270]
+
+testId=24323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6271]
+
+testId=16147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6272]
+
+testId=32531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6273]
+
+testId=131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6274]
+
+testId=16531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6275]
+
+testId=8339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6276]
+
+testId=24723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6277]
+
+testId=4259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6278]
+
+testId=20643
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6279]
+
+testId=12419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6280]
+
+testId=28803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6281]
+
+testId=2227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6282]
+
+testId=18595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6283]
+
+testId=10371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6284]
+
+testId=26771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6285]
+
+testId=6323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6286]
+
+testId=22707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6287]
+
+testId=14515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6288]
+
+testId=30851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6289]
+
+testId=1187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6290]
+
+testId=17587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6291]
+
+testId=9395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6292]
+
+testId=25763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6293]
+
+testId=5251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6294]
+
+testId=21635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6295]
+
+testId=13459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6296]
+
+testId=29875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6297]
+
+testId=3235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6298]
+
+testId=19619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6299]
+
+testId=11411
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6300]
+
+testId=27795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6301]
+
+testId=7315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6302]
+
+testId=23699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6303]
+
+testId=15539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6304]
+
+testId=31907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6305]
+
+testId=691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6306]
+
+testId=17027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6307]
+
+testId=8835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6308]
+
+testId=25251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6309]
+
+testId=4771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6310]
+
+testId=21155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6311]
+
+testId=12979
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6312]
+
+testId=29363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6313]
+
+testId=2739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6314]
+
+testId=19107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6315]
+
+testId=10931
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6316]
+
+testId=27283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6317]
+
+testId=6803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6318]
+
+testId=23219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6319]
+
+testId=15027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6320]
+
+testId=31379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6321]
+
+testId=1683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6322]
+
+testId=18051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6323]
+
+testId=9875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6324]
+
+testId=26243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6325]
+
+testId=5763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6326]
+
+testId=22195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6327]
+
+testId=14003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6328]
+
+testId=30355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6329]
+
+testId=3747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6330]
+
+testId=20147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6331]
+
+testId=11955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6332]
+
+testId=28307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6333]
+
+testId=7827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6334]
+
+testId=24195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6335]
+
+testId=16003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6336]
+
+testId=32387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6337]
+
+testId=403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6338]
+
+testId=16803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6339]
+
+testId=8627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6340]
+
+testId=25011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6341]
+
+testId=4483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6342]
+
+testId=20867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6343]
+
+testId=12707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6344]
+
+testId=29075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6345]
+
+testId=2435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6346]
+
+testId=18835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6347]
+
+testId=10675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6348]
+
+testId=27027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6349]
+
+testId=6531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6350]
+
+testId=22947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6351]
+
+testId=14771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6352]
+
+testId=31123
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6353]
+
+testId=1459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6354]
+
+testId=17827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6355]
+
+testId=9651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6356]
+
+testId=26019
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6357]
+
+testId=5507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6358]
+
+testId=21923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6359]
+
+testId=13747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6360]
+
+testId=30131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6361]
+
+testId=3507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6362]
+
+testId=19875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6363]
+
+testId=11683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6364]
+
+testId=28067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6365]
+
+testId=7555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6366]
+
+testId=23939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6367]
+
+testId=15747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6368]
+
+testId=32179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6369]
+
+testId=899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6370]
+
+testId=17331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6371]
+
+testId=9123
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6372]
+
+testId=25507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6373]
+
+testId=5011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6374]
+
+testId=21395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6375]
+
+testId=13187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6376]
+
+testId=29603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6377]
+
+testId=2947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6378]
+
+testId=19379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6379]
+
+testId=11155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6380]
+
+testId=27539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6381]
+
+testId=7043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6382]
+
+testId=23459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6383]
+
+testId=15267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6384]
+
+testId=31667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6385]
+
+testId=1971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6386]
+
+testId=18355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6387]
+
+testId=10147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6388]
+
+testId=26547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6389]
+
+testId=6035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6390]
+
+testId=22403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6391]
+
+testId=14211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6392]
+
+testId=30595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6393]
+
+testId=3987
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6394]
+
+testId=20355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6395]
+
+testId=12211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6396]
+
+testId=28595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6397]
+
+testId=8099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6398]
+
+testId=24483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6399]
+
+testId=16307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6400]
+
+testId=32659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6401]
+
+testId=99
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6402]
+
+testId=16499
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6403]
+
+testId=8259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6404]
+
+testId=24659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6405]
+
+testId=4179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6406]
+
+testId=20579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6407]
+
+testId=12387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6408]
+
+testId=28787
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6409]
+
+testId=2163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6410]
+
+testId=18515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6411]
+
+testId=10323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6412]
+
+testId=26707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6413]
+
+testId=6227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6414]
+
+testId=22627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6415]
+
+testId=14451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6416]
+
+testId=30835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6417]
+
+testId=1091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6418]
+
+testId=17523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6419]
+
+testId=9299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6420]
+
+testId=25699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6421]
+
+testId=5235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6422]
+
+testId=21603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6423]
+
+testId=13427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6424]
+
+testId=29795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6425]
+
+testId=3155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6426]
+
+testId=19571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6427]
+
+testId=11331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6428]
+
+testId=27747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6429]
+
+testId=7235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6430]
+
+testId=23667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6431]
+
+testId=15475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6432]
+
+testId=31843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6433]
+
+testId=579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6434]
+
+testId=17011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6435]
+
+testId=8771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6436]
+
+testId=25155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6437]
+
+testId=4707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6438]
+
+testId=21075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6439]
+
+testId=12883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6440]
+
+testId=29299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6441]
+
+testId=2659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6442]
+
+testId=19011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6443]
+
+testId=10851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6444]
+
+testId=27235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6445]
+
+testId=6739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6446]
+
+testId=23139
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6447]
+
+testId=14947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6448]
+
+testId=31347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6449]
+
+testId=1635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6450]
+
+testId=18003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6451]
+
+testId=9827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6452]
+
+testId=26179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6453]
+
+testId=5747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6454]
+
+testId=22115
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6455]
+
+testId=13891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6456]
+
+testId=30323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6457]
+
+testId=3651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6458]
+
+testId=20051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6459]
+
+testId=11891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6460]
+
+testId=28243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6461]
+
+testId=7763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6462]
+
+testId=24147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6463]
+
+testId=15939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6464]
+
+testId=32323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6465]
+
+testId=371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6466]
+
+testId=16755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6467]
+
+testId=8531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6468]
+
+testId=24899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6469]
+
+testId=4467
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6470]
+
+testId=20803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6471]
+
+testId=12643
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6472]
+
+testId=29011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6473]
+
+testId=2403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6474]
+
+testId=18771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6475]
+
+testId=10579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6476]
+
+testId=26963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6477]
+
+testId=6483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6478]
+
+testId=22851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6479]
+
+testId=14691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6480]
+
+testId=31075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6481]
+
+testId=1395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6482]
+
+testId=17731
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6483]
+
+testId=9571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6484]
+
+testId=25955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6485]
+
+testId=5475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6486]
+
+testId=21859
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6487]
+
+testId=13667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6488]
+
+testId=30067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6489]
+
+testId=3443
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6490]
+
+testId=19795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6491]
+
+testId=11587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6492]
+
+testId=28003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6493]
+
+testId=7491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6494]
+
+testId=23923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6495]
+
+testId=15683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6496]
+
+testId=32115
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6497]
+
+testId=883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6498]
+
+testId=17219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6499]
+
+testId=9043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6500]
+
+testId=25427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6501]
+
+testId=4963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6502]
+
+testId=21347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6503]
+
+testId=13155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6504]
+
+testId=29539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6505]
+
+testId=2915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6506]
+
+testId=19283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6507]
+
+testId=11091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6508]
+
+testId=27491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6509]
+
+testId=6995
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6510]
+
+testId=23411
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6511]
+
+testId=15203
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6512]
+
+testId=31571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6513]
+
+testId=1875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6514]
+
+testId=18243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6515]
+
+testId=10099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6516]
+
+testId=26483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6517]
+
+testId=5987
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6518]
+
+testId=22339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6519]
+
+testId=14179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6520]
+
+testId=30579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6521]
+
+testId=3907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6522]
+
+testId=20339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6523]
+
+testId=12147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6524]
+
+testId=28499
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6525]
+
+testId=8003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6526]
+
+testId=24403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6527]
+
+testId=16227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6528]
+
+testId=32579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6529]
+
+testId=211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6530]
+
+testId=16595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6531]
+
+testId=8387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6532]
+
+testId=24771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6533]
+
+testId=4323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6534]
+
+testId=20691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6535]
+
+testId=12483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6536]
+
+testId=28867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6537]
+
+testId=2291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6538]
+
+testId=18675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6539]
+
+testId=10451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6540]
+
+testId=26851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6541]
+
+testId=6371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6542]
+
+testId=22739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6543]
+
+testId=14531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6544]
+
+testId=30947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6545]
+
+testId=1267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6546]
+
+testId=17603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6547]
+
+testId=9459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6548]
+
+testId=25811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6549]
+
+testId=5347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6550]
+
+testId=21747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6551]
+
+testId=13507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6552]
+
+testId=29891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6553]
+
+testId=3267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6554]
+
+testId=19699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6555]
+
+testId=11459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6556]
+
+testId=27891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6557]
+
+testId=7379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6558]
+
+testId=23763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6559]
+
+testId=15571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6560]
+
+testId=31955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6561]
+
+testId=707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6562]
+
+testId=17091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6563]
+
+testId=8899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6564]
+
+testId=25331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6565]
+
+testId=4819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6566]
+
+testId=21187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6567]
+
+testId=13011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6568]
+
+testId=29379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6569]
+
+testId=2755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6570]
+
+testId=19155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6571]
+
+testId=10963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6572]
+
+testId=27347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6573]
+
+testId=6867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6574]
+
+testId=23283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6575]
+
+testId=15043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6576]
+
+testId=31459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6577]
+
+testId=1779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6578]
+
+testId=18131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6579]
+
+testId=9923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6580]
+
+testId=26339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6581]
+
+testId=5827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6582]
+
+testId=22259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6583]
+
+testId=14035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6584]
+
+testId=30435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6585]
+
+testId=3795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6586]
+
+testId=20163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6587]
+
+testId=12003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6588]
+
+testId=28371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6589]
+
+testId=7923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6590]
+
+testId=24275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6591]
+
+testId=16067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6592]
+
+testId=32467
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6593]
+
+testId=467
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6594]
+
+testId=16867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6595]
+
+testId=8659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6596]
+
+testId=25043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6597]
+
+testId=4563
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6598]
+
+testId=20947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6599]
+
+testId=12739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6600]
+
+testId=29139
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6601]
+
+testId=2515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6602]
+
+testId=18899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6603]
+
+testId=10723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6604]
+
+testId=27075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6605]
+
+testId=6611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6606]
+
+testId=23027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6607]
+
+testId=14803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6608]
+
+testId=31171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6609]
+
+testId=1491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6610]
+
+testId=17859
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6611]
+
+testId=9667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6612]
+
+testId=26051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6613]
+
+testId=5603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6614]
+
+testId=21971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6615]
+
+testId=13795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6616]
+
+testId=30179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6617]
+
+testId=3523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6618]
+
+testId=19923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6619]
+
+testId=11747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6620]
+
+testId=28147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6621]
+
+testId=7651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6622]
+
+testId=24035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6623]
+
+testId=15827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6624]
+
+testId=32243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6625]
+
+testId=979
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6626]
+
+testId=17363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6627]
+
+testId=9171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6628]
+
+testId=25571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6629]
+
+testId=5107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6630]
+
+testId=21459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6631]
+
+testId=13251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6632]
+
+testId=29667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6633]
+
+testId=3059
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6634]
+
+testId=19443
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6635]
+
+testId=11235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6636]
+
+testId=27587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6637]
+
+testId=7155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6638]
+
+testId=23491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6639]
+
+testId=15299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6640]
+
+testId=31683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6641]
+
+testId=2035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6642]
+
+testId=18419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6643]
+
+testId=10179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6644]
+
+testId=26563
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6645]
+
+testId=6099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6646]
+
+testId=22483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6647]
+
+testId=14275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6648]
+
+testId=30675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6649]
+
+testId=4067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6650]
+
+testId=20419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6651]
+
+testId=12259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6652]
+
+testId=28659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6653]
+
+testId=8131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6654]
+
+testId=24531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6655]
+
+testId=16323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6656]
+
+testId=32723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6657]
+
+testId=59
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6658]
+
+testId=16427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6659]
+
+testId=8251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6660]
+
+testId=24619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6661]
+
+testId=4107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6662]
+
+testId=20539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6663]
+
+testId=12315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6664]
+
+testId=28699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6665]
+
+testId=2091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6666]
+
+testId=18491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6667]
+
+testId=10299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6668]
+
+testId=26667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6669]
+
+testId=6187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6670]
+
+testId=22539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6671]
+
+testId=14395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6672]
+
+testId=30747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6673]
+
+testId=1035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6674]
+
+testId=17435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6675]
+
+testId=9243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6676]
+
+testId=25611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6677]
+
+testId=5147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6678]
+
+testId=21515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6679]
+
+testId=13339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6680]
+
+testId=29755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6681]
+
+testId=3083
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6682]
+
+testId=19467
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6683]
+
+testId=11307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6684]
+
+testId=27707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6685]
+
+testId=7211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6686]
+
+testId=23595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6687]
+
+testId=15403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6688]
+
+testId=31803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6689]
+
+testId=555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6690]
+
+testId=16955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6691]
+
+testId=8731
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6692]
+
+testId=25115
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6693]
+
+testId=4635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6694]
+
+testId=21019
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6695]
+
+testId=12811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6696]
+
+testId=29211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6697]
+
+testId=2619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6698]
+
+testId=18987
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6699]
+
+testId=10811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6700]
+
+testId=27179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6701]
+
+testId=6667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6702]
+
+testId=23067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6703]
+
+testId=14907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6704]
+
+testId=31243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6705]
+
+testId=1579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6706]
+
+testId=17979
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6707]
+
+testId=9739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6708]
+
+testId=26123
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6709]
+
+testId=5659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6710]
+
+testId=22043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6711]
+
+testId=13883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6712]
+
+testId=30267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6713]
+
+testId=3611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6714]
+
+testId=20027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6715]
+
+testId=11835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6716]
+
+testId=28171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6717]
+
+testId=7739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6718]
+
+testId=24075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6719]
+
+testId=15915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6720]
+
+testId=32315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6721]
+
+testId=267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6722]
+
+testId=16699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6723]
+
+testId=8507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6724]
+
+testId=24875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6725]
+
+testId=4379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6726]
+
+testId=20747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6727]
+
+testId=12555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6728]
+
+testId=28939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6729]
+
+testId=2315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6730]
+
+testId=18699
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6731]
+
+testId=10539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6732]
+
+testId=26891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6733]
+
+testId=6411
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6734]
+
+testId=22795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6735]
+
+testId=14603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6736]
+
+testId=31003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6737]
+
+testId=1323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6738]
+
+testId=17675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6739]
+
+testId=9483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6740]
+
+testId=25915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6741]
+
+testId=5435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6742]
+
+testId=21771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6743]
+
+testId=13595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6744]
+
+testId=29963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6745]
+
+testId=3355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6746]
+
+testId=19771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6747]
+
+testId=11547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6748]
+
+testId=27963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6749]
+
+testId=7435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6750]
+
+testId=23867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6751]
+
+testId=15659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6752]
+
+testId=32043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6753]
+
+testId=795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6754]
+
+testId=17195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6755]
+
+testId=8971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6756]
+
+testId=25371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6757]
+
+testId=4875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6758]
+
+testId=21291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6759]
+
+testId=13115
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6760]
+
+testId=29451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6761]
+
+testId=2875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6762]
+
+testId=19227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6763]
+
+testId=11019
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6764]
+
+testId=27403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6765]
+
+testId=6923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6766]
+
+testId=23355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6767]
+
+testId=15147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6768]
+
+testId=31515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6769]
+
+testId=1835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6770]
+
+testId=18203
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6771]
+
+testId=10011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6772]
+
+testId=26395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6773]
+
+testId=5915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6774]
+
+testId=22315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6775]
+
+testId=14107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6776]
+
+testId=30475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6777]
+
+testId=3883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6778]
+
+testId=20251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6779]
+
+testId=12059
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6780]
+
+testId=28427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6781]
+
+testId=7963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6782]
+
+testId=24347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6783]
+
+testId=16155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6784]
+
+testId=32571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6785]
+
+testId=171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6786]
+
+testId=16523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6787]
+
+testId=8379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6788]
+
+testId=24747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6789]
+
+testId=4267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6790]
+
+testId=20651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6791]
+
+testId=12459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6792]
+
+testId=28843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6793]
+
+testId=2187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6794]
+
+testId=18619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6795]
+
+testId=10379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6796]
+
+testId=26779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6797]
+
+testId=6299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6798]
+
+testId=22683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6799]
+
+testId=14523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6800]
+
+testId=30875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6801]
+
+testId=1179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6802]
+
+testId=17547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6803]
+
+testId=9387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6804]
+
+testId=25739
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6805]
+
+testId=5307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6806]
+
+testId=21659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6807]
+
+testId=13451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6808]
+
+testId=29867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6809]
+
+testId=3243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6810]
+
+testId=19627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6811]
+
+testId=11435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6812]
+
+testId=27819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6813]
+
+testId=7339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6814]
+
+testId=23707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6815]
+
+testId=15531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6816]
+
+testId=31931
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6817]
+
+testId=667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6818]
+
+testId=17083
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6819]
+
+testId=8843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6820]
+
+testId=25259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6821]
+
+testId=4763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6822]
+
+testId=21179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6823]
+
+testId=12971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6824]
+
+testId=29323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6825]
+
+testId=2747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6826]
+
+testId=19131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6827]
+
+testId=10923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6828]
+
+testId=27291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6829]
+
+testId=6827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6830]
+
+testId=23227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6831]
+
+testId=15035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6832]
+
+testId=31403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6833]
+
+testId=1723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6834]
+
+testId=18059
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6835]
+
+testId=9915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6836]
+
+testId=26267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6837]
+
+testId=5787
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6838]
+
+testId=22187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6839]
+
+testId=14011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6840]
+
+testId=30347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6841]
+
+testId=3723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6842]
+
+testId=20107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6843]
+
+testId=11947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6844]
+
+testId=28315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6845]
+
+testId=7851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6846]
+
+testId=24219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6847]
+
+testId=16043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6848]
+
+testId=32427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6849]
+
+testId=427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6850]
+
+testId=16779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6851]
+
+testId=8619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6852]
+
+testId=24971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6853]
+
+testId=4539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6854]
+
+testId=20907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6855]
+
+testId=12683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6856]
+
+testId=29067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6857]
+
+testId=2475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6858]
+
+testId=18875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6859]
+
+testId=10651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6860]
+
+testId=27051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6861]
+
+testId=6539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6862]
+
+testId=22923
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6863]
+
+testId=14763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6864]
+
+testId=31147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6865]
+
+testId=1419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6866]
+
+testId=17819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6867]
+
+testId=9611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6868]
+
+testId=26027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6869]
+
+testId=5547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6870]
+
+testId=21915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6871]
+
+testId=13723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6872]
+
+testId=30107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6873]
+
+testId=3483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6874]
+
+testId=19899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6875]
+
+testId=11675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6876]
+
+testId=28059
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6877]
+
+testId=7595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6878]
+
+testId=23995
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6879]
+
+testId=15755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6880]
+
+testId=32139
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6881]
+
+testId=939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6882]
+
+testId=17323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6883]
+
+testId=9131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6884]
+
+testId=25499
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6885]
+
+testId=5003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6886]
+
+testId=21387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6887]
+
+testId=13195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6888]
+
+testId=29579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6889]
+
+testId=2987
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6890]
+
+testId=19339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6891]
+
+testId=11163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6892]
+
+testId=27547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6893]
+
+testId=7067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6894]
+
+testId=23451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6895]
+
+testId=15243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6896]
+
+testId=31675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6897]
+
+testId=1979
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6898]
+
+testId=18363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6899]
+
+testId=10139
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6900]
+
+testId=26523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6901]
+
+testId=6043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6902]
+
+testId=22443
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6903]
+
+testId=14267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6904]
+
+testId=30603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6905]
+
+testId=4027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6906]
+
+testId=20363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6907]
+
+testId=12187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6908]
+
+testId=28555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6909]
+
+testId=8107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6910]
+
+testId=24491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6911]
+
+testId=16299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6912]
+
+testId=32683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6913]
+
+testId=107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6914]
+
+testId=16491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6915]
+
+testId=8315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6916]
+
+testId=24667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6917]
+
+testId=4219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6918]
+
+testId=20587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6919]
+
+testId=12379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6920]
+
+testId=28779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6921]
+
+testId=2155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6922]
+
+testId=18507
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6923]
+
+testId=10315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6924]
+
+testId=26715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6925]
+
+testId=6251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6926]
+
+testId=22635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6927]
+
+testId=14427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6928]
+
+testId=30827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6929]
+
+testId=1099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6930]
+
+testId=17531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6931]
+
+testId=9291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6932]
+
+testId=25723
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6933]
+
+testId=5227
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6934]
+
+testId=21627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6935]
+
+testId=13403
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6936]
+
+testId=29819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6937]
+
+testId=3179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6938]
+
+testId=19531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6939]
+
+testId=11387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6940]
+
+testId=27771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6941]
+
+testId=7275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6942]
+
+testId=23659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6943]
+
+testId=15451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6944]
+
+testId=31867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6945]
+
+testId=603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6946]
+
+testId=16971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6947]
+
+testId=8779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6948]
+
+testId=25179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6949]
+
+testId=4715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6950]
+
+testId=21099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6951]
+
+testId=12891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6952]
+
+testId=29307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6953]
+
+testId=2667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6954]
+
+testId=19067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6955]
+
+testId=10843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6956]
+
+testId=27259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6957]
+
+testId=6779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6958]
+
+testId=23163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6959]
+
+testId=14955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6960]
+
+testId=31355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6961]
+
+testId=1643
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6962]
+
+testId=18011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6963]
+
+testId=9851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6964]
+
+testId=26187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6965]
+
+testId=5707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6966]
+
+testId=22123
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6967]
+
+testId=13915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6968]
+
+testId=30283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6969]
+
+testId=3659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6970]
+
+testId=20075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6971]
+
+testId=11851
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6972]
+
+testId=28267
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6973]
+
+testId=7787
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6974]
+
+testId=24139
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6975]
+
+testId=15995
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6976]
+
+testId=32363
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6977]
+
+testId=331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6978]
+
+testId=16747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6979]
+
+testId=8571
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6980]
+
+testId=24955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6981]
+
+testId=4427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6982]
+
+testId=20859
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6983]
+
+testId=12619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6984]
+
+testId=29003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6985]
+
+testId=2427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6986]
+
+testId=18795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6987]
+
+testId=10587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6988]
+
+testId=27003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6989]
+
+testId=6523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6990]
+
+testId=22875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6991]
+
+testId=14715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6992]
+
+testId=31051
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6993]
+
+testId=1387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6994]
+
+testId=17771
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6995]
+
+testId=9547
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6996]
+
+testId=25947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6997]
+
+testId=5451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6998]
+
+testId=21835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-6999]
+
+testId=13691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7000]
+
+testId=30059
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7001]
+
+testId=3435
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7002]
+
+testId=19819
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7003]
+
+testId=11643
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7004]
+
+testId=28027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7005]
+
+testId=7531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7006]
+
+testId=23915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7007]
+
+testId=15691
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7008]
+
+testId=32075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7009]
+
+testId=891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7010]
+
+testId=17275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7011]
+
+testId=9067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7012]
+
+testId=25419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7013]
+
+testId=4955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7014]
+
+testId=21339
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7015]
+
+testId=13131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7016]
+
+testId=29515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7017]
+
+testId=2907
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7018]
+
+testId=19275
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7019]
+
+testId=11131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7020]
+
+testId=27483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7021]
+
+testId=7019
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7022]
+
+testId=23387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7023]
+
+testId=15195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7024]
+
+testId=31611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7025]
+
+testId=1915
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7026]
+
+testId=18251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7027]
+
+testId=10091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7028]
+
+testId=26459
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7029]
+
+testId=5963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7030]
+
+testId=22379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7031]
+
+testId=14187
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7032]
+
+testId=30555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7033]
+
+testId=3963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7034]
+
+testId=20331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7035]
+
+testId=12107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7036]
+
+testId=28491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7037]
+
+testId=8043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7038]
+
+testId=24395
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7039]
+
+testId=16219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7040]
+
+testId=32635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7041]
+
+testId=235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7042]
+
+testId=16603
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7043]
+
+testId=8443
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7044]
+
+testId=24779
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7045]
+
+testId=4347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7046]
+
+testId=20715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7047]
+
+testId=12539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7048]
+
+testId=28891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7049]
+
+testId=2299
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7050]
+
+testId=18683
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7051]
+
+testId=10475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7052]
+
+testId=26827
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7053]
+
+testId=6347
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7054]
+
+testId=22747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7055]
+
+testId=14539
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7056]
+
+testId=30971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7057]
+
+testId=1243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7058]
+
+testId=17659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7059]
+
+testId=9451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7060]
+
+testId=25835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7061]
+
+testId=5371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7062]
+
+testId=21755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7063]
+
+testId=13515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7064]
+
+testId=29931
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7065]
+
+testId=3291
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7066]
+
+testId=19675
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7067]
+
+testId=11515
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7068]
+
+testId=27867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7069]
+
+testId=7371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7070]
+
+testId=23803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7071]
+
+testId=15595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7072]
+
+testId=31947
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7073]
+
+testId=747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7074]
+
+testId=17099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7075]
+
+testId=8939
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7076]
+
+testId=25323
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7077]
+
+testId=4811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7078]
+
+testId=21211
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7079]
+
+testId=13003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7080]
+
+testId=29419
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7081]
+
+testId=2763
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7082]
+
+testId=19147
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7083]
+
+testId=10955
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7084]
+
+testId=27387
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7085]
+
+testId=6875
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7086]
+
+testId=23259
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7087]
+
+testId=15067
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7088]
+
+testId=31467
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7089]
+
+testId=1755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7090]
+
+testId=18171
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7091]
+
+testId=9963
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7092]
+
+testId=26315
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7093]
+
+testId=5835
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7094]
+
+testId=22219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7095]
+
+testId=14075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7096]
+
+testId=30411
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7097]
+
+testId=3803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7098]
+
+testId=20203
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7099]
+
+testId=11995
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7100]
+
+testId=28411
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7101]
+
+testId=7883
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7102]
+
+testId=24283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7103]
+
+testId=16075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7104]
+
+testId=32491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7105]
+
+testId=491
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7106]
+
+testId=16843
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7107]
+
+testId=8651
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7108]
+
+testId=25035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7109]
+
+testId=4587
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7110]
+
+testId=20971
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7111]
+
+testId=12795
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7112]
+
+testId=29163
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7113]
+
+testId=2523
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7114]
+
+testId=18891
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7115]
+
+testId=10715
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7116]
+
+testId=27115
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7117]
+
+testId=6635
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7118]
+
+testId=23035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7119]
+
+testId=14811
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7120]
+
+testId=31195
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7121]
+
+testId=1483
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7122]
+
+testId=17899
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7123]
+
+testId=9707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7124]
+
+testId=26091
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7125]
+
+testId=5627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7126]
+
+testId=22011
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7127]
+
+testId=13803
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7128]
+
+testId=30203
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7129]
+
+testId=3579
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7130]
+
+testId=19931
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7131]
+
+testId=11755
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7132]
+
+testId=28107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7133]
+
+testId=7627
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7134]
+
+testId=24027
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7135]
+
+testId=15867
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7136]
+
+testId=32235
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7137]
+
+testId=1003
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7138]
+
+testId=17371
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7139]
+
+testId=9179
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7140]
+
+testId=25595
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7141]
+
+testId=5099
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7142]
+
+testId=21499
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7143]
+
+testId=13307
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7144]
+
+testId=29659
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7145]
+
+testId=3035
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7146]
+
+testId=19451
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7147]
+
+testId=11243
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7148]
+
+testId=27611
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7149]
+
+testId=7131
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7150]
+
+testId=23531
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7151]
+
+testId=15355
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7152]
+
+testId=31707
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7153]
+
+testId=2043
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7154]
+
+testId=18379
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7155]
+
+testId=10219
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7156]
+
+testId=26619
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7157]
+
+testId=6107
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7158]
+
+testId=22475
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7159]
+
+testId=14283
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7160]
+
+testId=30667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7161]
+
+testId=4075
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7162]
+
+testId=20427
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7163]
+
+testId=12251
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7164]
+
+testId=28667
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7165]
+
+testId=8155
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7166]
+
+testId=24555
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7167]
+
+testId=16331
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7168]
+
+testId=32747
+testname=ClientCert_one ServerCert_one DomesticPolicy SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7169]
+
+testId=55
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7170]
+
+testId=16423
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7171]
+
+testId=8231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7172]
+
+testId=24599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7173]
+
+testId=4135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7174]
+
+testId=20487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7175]
+
+testId=12311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7176]
+
+testId=28711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7177]
+
+testId=2071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7178]
+
+testId=18455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7179]
+
+testId=10279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7180]
+
+testId=26679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7181]
+
+testId=6151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7182]
+
+testId=22551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7183]
+
+testId=14391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7184]
+
+testId=30727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7185]
+
+testId=1079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7186]
+
+testId=17447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7187]
+
+testId=9255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7188]
+
+testId=25607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7189]
+
+testId=5159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7190]
+
+testId=21527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7191]
+
+testId=13335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7192]
+
+testId=29751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7193]
+
+testId=3111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7194]
+
+testId=19463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7195]
+
+testId=11287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7196]
+
+testId=27703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7197]
+
+testId=7175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7198]
+
+testId=23559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7199]
+
+testId=15383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7200]
+
+testId=31783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7201]
+
+testId=567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7202]
+
+testId=16903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7203]
+
+testId=8727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7204]
+
+testId=25111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7205]
+
+testId=4647
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7206]
+
+testId=21015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7207]
+
+testId=12807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7208]
+
+testId=29223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7209]
+
+testId=2583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7210]
+
+testId=18999
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7211]
+
+testId=10775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7212]
+
+testId=27191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7213]
+
+testId=6663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7214]
+
+testId=23063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7215]
+
+testId=14887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7216]
+
+testId=31255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7217]
+
+testId=1543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7218]
+
+testId=17927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7219]
+
+testId=9783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7220]
+
+testId=26119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7221]
+
+testId=5687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7222]
+
+testId=22071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7223]
+
+testId=13847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7224]
+
+testId=30215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7225]
+
+testId=3623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7226]
+
+testId=20007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7227]
+
+testId=11831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7228]
+
+testId=28183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7229]
+
+testId=7703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7230]
+
+testId=24087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7231]
+
+testId=15927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7232]
+
+testId=32279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7233]
+
+testId=311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7234]
+
+testId=16663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7235]
+
+testId=8471
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7236]
+
+testId=24855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7237]
+
+testId=4375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7238]
+
+testId=20743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7239]
+
+testId=12567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7240]
+
+testId=28967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7241]
+
+testId=2343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7242]
+
+testId=18727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7243]
+
+testId=10535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7244]
+
+testId=26903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7245]
+
+testId=6455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7246]
+
+testId=22807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7247]
+
+testId=14615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7248]
+
+testId=31015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7249]
+
+testId=1319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7250]
+
+testId=17719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7251]
+
+testId=9495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7252]
+
+testId=25863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7253]
+
+testId=5431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7254]
+
+testId=21799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7255]
+
+testId=13575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7256]
+
+testId=29991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7257]
+
+testId=3351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7258]
+
+testId=19767
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7259]
+
+testId=11575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7260]
+
+testId=27943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7261]
+
+testId=7447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7262]
+
+testId=23863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7263]
+
+testId=15671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7264]
+
+testId=32023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7265]
+
+testId=807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7266]
+
+testId=17175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7267]
+
+testId=8967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7268]
+
+testId=25399
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7269]
+
+testId=4903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7270]
+
+testId=21271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7271]
+
+testId=13095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7272]
+
+testId=29447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7273]
+
+testId=2855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7274]
+
+testId=19223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7275]
+
+testId=11063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7276]
+
+testId=27431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7277]
+
+testId=6919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7278]
+
+testId=23335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7279]
+
+testId=15143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7280]
+
+testId=31543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7281]
+
+testId=1799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7282]
+
+testId=18183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7283]
+
+testId=10007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7284]
+
+testId=26423
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7285]
+
+testId=5943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7286]
+
+testId=22311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7287]
+
+testId=14087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7288]
+
+testId=30487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7289]
+
+testId=3863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7290]
+
+testId=20231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7291]
+
+testId=12071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7292]
+
+testId=28439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7293]
+
+testId=7959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7294]
+
+testId=24375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7295]
+
+testId=16167
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7296]
+
+testId=32551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7297]
+
+testId=183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7298]
+
+testId=16567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7299]
+
+testId=8375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7300]
+
+testId=24743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7301]
+
+testId=4231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7302]
+
+testId=20631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7303]
+
+testId=12423
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7304]
+
+testId=28823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7305]
+
+testId=2215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7306]
+
+testId=18599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7307]
+
+testId=10391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7308]
+
+testId=26807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7309]
+
+testId=6311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7310]
+
+testId=22679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7311]
+
+testId=14503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7312]
+
+testId=30887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7313]
+
+testId=1191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7314]
+
+testId=17543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7315]
+
+testId=9351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7316]
+
+testId=25783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7317]
+
+testId=5303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7318]
+
+testId=21671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7319]
+
+testId=13463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7320]
+
+testId=29863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7321]
+
+testId=3255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7322]
+
+testId=19623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7323]
+
+testId=11447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7324]
+
+testId=27799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7325]
+
+testId=7335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7326]
+
+testId=23735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7327]
+
+testId=15511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7328]
+
+testId=31895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7329]
+
+testId=679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7330]
+
+testId=17079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7331]
+
+testId=8871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7332]
+
+testId=25255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7333]
+
+testId=4759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7334]
+
+testId=21175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7335]
+
+testId=12951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7336]
+
+testId=29367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7337]
+
+testId=2727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7338]
+
+testId=19095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7339]
+
+testId=10887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7340]
+
+testId=27303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7341]
+
+testId=6823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7342]
+
+testId=23175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7343]
+
+testId=15015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7344]
+
+testId=31415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7345]
+
+testId=1671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7346]
+
+testId=18103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7347]
+
+testId=9911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7348]
+
+testId=26279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7349]
+
+testId=5799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7350]
+
+testId=22151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7351]
+
+testId=14007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7352]
+
+testId=30391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7353]
+
+testId=3719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7354]
+
+testId=20135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7355]
+
+testId=11943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7356]
+
+testId=28327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7357]
+
+testId=7831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7358]
+
+testId=24199
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7359]
+
+testId=16055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7360]
+
+testId=32391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7361]
+
+testId=439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7362]
+
+testId=16823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7363]
+
+testId=8631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7364]
+
+testId=24983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7365]
+
+testId=4503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7366]
+
+testId=20887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7367]
+
+testId=12711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7368]
+
+testId=29111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7369]
+
+testId=2455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7370]
+
+testId=18823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7371]
+
+testId=10679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7372]
+
+testId=27031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7373]
+
+testId=6583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7374]
+
+testId=22919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7375]
+
+testId=14743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7376]
+
+testId=31111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7377]
+
+testId=1415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7378]
+
+testId=17815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7379]
+
+testId=9623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7380]
+
+testId=26007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7381]
+
+testId=5559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7382]
+
+testId=21927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7383]
+
+testId=13751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7384]
+
+testId=30103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7385]
+
+testId=3495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7386]
+
+testId=19879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7387]
+
+testId=11703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7388]
+
+testId=28055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7389]
+
+testId=7591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7390]
+
+testId=23943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7391]
+
+testId=15783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7392]
+
+testId=32151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7393]
+
+testId=919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7394]
+
+testId=17319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7395]
+
+testId=9111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7396]
+
+testId=25479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7397]
+
+testId=5047
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7398]
+
+testId=21415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7399]
+
+testId=13207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7400]
+
+testId=29607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7401]
+
+testId=2967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7402]
+
+testId=19335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7403]
+
+testId=11175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7404]
+
+testId=27559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7405]
+
+testId=7063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7406]
+
+testId=23431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7407]
+
+testId=15271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7408]
+
+testId=31655
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7409]
+
+testId=1975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7410]
+
+testId=18343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7411]
+
+testId=10135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7412]
+
+testId=26551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7413]
+
+testId=6039
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7414]
+
+testId=22407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7415]
+
+testId=14231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7416]
+
+testId=30631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7417]
+
+testId=4007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7418]
+
+testId=20359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7419]
+
+testId=12183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7420]
+
+testId=28599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7421]
+
+testId=8087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7422]
+
+testId=24487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7423]
+
+testId=16295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7424]
+
+testId=32647
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7425]
+
+testId=87
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7426]
+
+testId=16503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7427]
+
+testId=8295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7428]
+
+testId=24695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7429]
+
+testId=4215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7430]
+
+testId=20599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7431]
+
+testId=12391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7432]
+
+testId=28759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7433]
+
+testId=2135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7434]
+
+testId=18503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7435]
+
+testId=10327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7436]
+
+testId=26711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7437]
+
+testId=6215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7438]
+
+testId=22615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7439]
+
+testId=14423
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7440]
+
+testId=30823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7441]
+
+testId=1095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7442]
+
+testId=17511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7443]
+
+testId=9319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7444]
+
+testId=25671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7445]
+
+testId=5207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7446]
+
+testId=21623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7447]
+
+testId=13383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7448]
+
+testId=29783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7449]
+
+testId=3191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7450]
+
+testId=19559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7451]
+
+testId=11335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7452]
+
+testId=27719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7453]
+
+testId=7255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7454]
+
+testId=23671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7455]
+
+testId=15479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7456]
+
+testId=31831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7457]
+
+testId=631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7458]
+
+testId=16983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7459]
+
+testId=8823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7460]
+
+testId=25175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7461]
+
+testId=4695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7462]
+
+testId=21111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7463]
+
+testId=12887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7464]
+
+testId=29303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7465]
+
+testId=2631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7466]
+
+testId=19015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7467]
+
+testId=10823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7468]
+
+testId=27255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7469]
+
+testId=6727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7470]
+
+testId=23127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7471]
+
+testId=14935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7472]
+
+testId=31335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7473]
+
+testId=1607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7474]
+
+testId=17991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7475]
+
+testId=9799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7476]
+
+testId=26231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7477]
+
+testId=5719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7478]
+
+testId=22087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7479]
+
+testId=13943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7480]
+
+testId=30279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7481]
+
+testId=3703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7482]
+
+testId=20039
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7483]
+
+testId=11879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7484]
+
+testId=28263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7485]
+
+testId=7751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7486]
+
+testId=24167
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7487]
+
+testId=15943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7488]
+
+testId=32375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7489]
+
+testId=359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7490]
+
+testId=16743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7491]
+
+testId=8567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7492]
+
+testId=24935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7493]
+
+testId=4455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7494]
+
+testId=20807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7495]
+
+testId=12663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7496]
+
+testId=28999
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7497]
+
+testId=2407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7498]
+
+testId=18775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7499]
+
+testId=10583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7500]
+
+testId=26951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7501]
+
+testId=6487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7502]
+
+testId=22855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7503]
+
+testId=14695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7504]
+
+testId=31047
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7505]
+
+testId=1367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7506]
+
+testId=17735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7507]
+
+testId=9575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7508]
+
+testId=25975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7509]
+
+testId=5447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7510]
+
+testId=21831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7511]
+
+testId=13687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7512]
+
+testId=30055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7513]
+
+testId=3415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7514]
+
+testId=19815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7515]
+
+testId=11639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7516]
+
+testId=28023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7517]
+
+testId=7511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7518]
+
+testId=23927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7519]
+
+testId=15703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7520]
+
+testId=32119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7521]
+
+testId=887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7522]
+
+testId=17239
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7523]
+
+testId=9079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7524]
+
+testId=25431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7525]
+
+testId=4967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7526]
+
+testId=21367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7527]
+
+testId=13175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7528]
+
+testId=29527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7529]
+
+testId=2903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7530]
+
+testId=19303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7531]
+
+testId=11079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7532]
+
+testId=27479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7533]
+
+testId=7031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7534]
+
+testId=23383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7535]
+
+testId=15207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7536]
+
+testId=31559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7537]
+
+testId=1879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7538]
+
+testId=18247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7539]
+
+testId=10103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7540]
+
+testId=26471
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7541]
+
+testId=5959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7542]
+
+testId=22359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7543]
+
+testId=14151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7544]
+
+testId=30567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7545]
+
+testId=3959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7546]
+
+testId=20295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7547]
+
+testId=12135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7548]
+
+testId=28535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7549]
+
+testId=8007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7550]
+
+testId=24423
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7551]
+
+testId=16231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7552]
+
+testId=32631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7553]
+
+testId=215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7554]
+
+testId=16583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7555]
+
+testId=8439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7556]
+
+testId=24823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7557]
+
+testId=4295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7558]
+
+testId=20711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7559]
+
+testId=12487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7560]
+
+testId=28903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7561]
+
+testId=2279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7562]
+
+testId=18679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7563]
+
+testId=10455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7564]
+
+testId=26839
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7565]
+
+testId=6391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7566]
+
+testId=22743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7567]
+
+testId=14583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7568]
+
+testId=30967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7569]
+
+testId=1223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7570]
+
+testId=17607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7571]
+
+testId=9463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7572]
+
+testId=25815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7573]
+
+testId=5351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7574]
+
+testId=21751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7575]
+
+testId=13559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7576]
+
+testId=29895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7577]
+
+testId=3287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7578]
+
+testId=19671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7579]
+
+testId=11479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7580]
+
+testId=27847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7581]
+
+testId=7399
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7582]
+
+testId=23799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7583]
+
+testId=15607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7584]
+
+testId=31959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7585]
+
+testId=727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7586]
+
+testId=17127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7587]
+
+testId=8951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7588]
+
+testId=25287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7589]
+
+testId=4855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7590]
+
+testId=21223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7591]
+
+testId=13015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7592]
+
+testId=29431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7593]
+
+testId=2775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7594]
+
+testId=19159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7595]
+
+testId=10983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7596]
+
+testId=27367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7597]
+
+testId=6903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7598]
+
+testId=23255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7599]
+
+testId=15063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7600]
+
+testId=31479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7601]
+
+testId=1783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7602]
+
+testId=18119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7603]
+
+testId=9975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7604]
+
+testId=26359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7605]
+
+testId=5863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7606]
+
+testId=22215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7607]
+
+testId=14023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7608]
+
+testId=30407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7609]
+
+testId=3831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7610]
+
+testId=20199
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7611]
+
+testId=11991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7612]
+
+testId=28359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7613]
+
+testId=7911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7614]
+
+testId=24311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7615]
+
+testId=16087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7616]
+
+testId=32455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7617]
+
+testId=503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7618]
+
+testId=16871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7619]
+
+testId=8663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7620]
+
+testId=25063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7621]
+
+testId=4551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7622]
+
+testId=20983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7623]
+
+testId=12791
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7624]
+
+testId=29159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7625]
+
+testId=2503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7626]
+
+testId=18935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7627]
+
+testId=10695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7628]
+
+testId=27095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7629]
+
+testId=6631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7630]
+
+testId=23015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7631]
+
+testId=14807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7632]
+
+testId=31191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7633]
+
+testId=1511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7634]
+
+testId=17879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7635]
+
+testId=9703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7636]
+
+testId=26055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7637]
+
+testId=5607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7638]
+
+testId=21975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7639]
+
+testId=13815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7640]
+
+testId=30167
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7641]
+
+testId=3527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7642]
+
+testId=19959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7643]
+
+testId=11719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7644]
+
+testId=28151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7645]
+
+testId=7639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7646]
+
+testId=24007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7647]
+
+testId=15863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7648]
+
+testId=32231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7649]
+
+testId=1015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7650]
+
+testId=17367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7651]
+
+testId=9207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7652]
+
+testId=25543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7653]
+
+testId=5079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7654]
+
+testId=21479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7655]
+
+testId=13271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7656]
+
+testId=29687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7657]
+
+testId=3047
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7658]
+
+testId=19415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7659]
+
+testId=11207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7660]
+
+testId=27623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7661]
+
+testId=7143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7662]
+
+testId=23543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7663]
+
+testId=15335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7664]
+
+testId=31735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7665]
+
+testId=2007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7666]
+
+testId=18407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7667]
+
+testId=10215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7668]
+
+testId=26567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7669]
+
+testId=6103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7670]
+
+testId=22487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7671]
+
+testId=14327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7672]
+
+testId=30711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7673]
+
+testId=4055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7674]
+
+testId=20439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7675]
+
+testId=12263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7676]
+
+testId=28663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7677]
+
+testId=8183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7678]
+
+testId=24567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7679]
+
+testId=16359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7680]
+
+testId=32743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7681]
+
+testId=15
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7682]
+
+testId=16447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7683]
+
+testId=8207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7684]
+
+testId=24623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7685]
+
+testId=4127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7686]
+
+testId=20511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7687]
+
+testId=12319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7688]
+
+testId=28687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7689]
+
+testId=2111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7690]
+
+testId=18463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7691]
+
+testId=10255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7692]
+
+testId=26687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7693]
+
+testId=6207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7694]
+
+testId=22559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7695]
+
+testId=14351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7696]
+
+testId=30735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7697]
+
+testId=1055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7698]
+
+testId=17439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7699]
+
+testId=9247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7700]
+
+testId=25631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7701]
+
+testId=5151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7702]
+
+testId=21535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7703]
+
+testId=13343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7704]
+
+testId=29759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7705]
+
+testId=3135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7706]
+
+testId=19487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7707]
+
+testId=11279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7708]
+
+testId=27711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7709]
+
+testId=7183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7710]
+
+testId=23615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7711]
+
+testId=15391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7712]
+
+testId=31775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7713]
+
+testId=575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7714]
+
+testId=16927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7715]
+
+testId=8751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7716]
+
+testId=25135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7717]
+
+testId=4671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7718]
+
+testId=21007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7719]
+
+testId=12847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7720]
+
+testId=29247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7721]
+
+testId=2591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7722]
+
+testId=18991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7723]
+
+testId=10783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7724]
+
+testId=27151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7725]
+
+testId=6671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7726]
+
+testId=23087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7727]
+
+testId=14911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7728]
+
+testId=31247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7729]
+
+testId=1583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7730]
+
+testId=17951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7731]
+
+testId=9759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7732]
+
+testId=26143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7733]
+
+testId=5663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7734]
+
+testId=22031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7735]
+
+testId=13871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7736]
+
+testId=30271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7737]
+
+testId=3615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7738]
+
+testId=20015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7739]
+
+testId=11839
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7740]
+
+testId=28191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7741]
+
+testId=7711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7742]
+
+testId=24079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7743]
+
+testId=15935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7744]
+
+testId=32319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7745]
+
+testId=319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7746]
+
+testId=16671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7747]
+
+testId=8495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7748]
+
+testId=24863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7749]
+
+testId=4383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7750]
+
+testId=20751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7751]
+
+testId=12575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7752]
+
+testId=28991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7753]
+
+testId=2319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7754]
+
+testId=18719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7755]
+
+testId=10559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7756]
+
+testId=26927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7757]
+
+testId=6431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7758]
+
+testId=22799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7759]
+
+testId=14639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7760]
+
+testId=31023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7761]
+
+testId=1311
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7762]
+
+testId=17711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7763]
+
+testId=9535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7764]
+
+testId=25887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7765]
+
+testId=5391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7766]
+
+testId=21807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7767]
+
+testId=13583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7768]
+
+testId=29999
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7769]
+
+testId=3391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7770]
+
+testId=19775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7771]
+
+testId=11567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7772]
+
+testId=27951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7773]
+
+testId=7439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7774]
+
+testId=23871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7775]
+
+testId=15631
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7776]
+
+testId=32015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7777]
+
+testId=799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7778]
+
+testId=17215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7779]
+
+testId=9007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7780]
+
+testId=25391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7781]
+
+testId=4895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7782]
+
+testId=21295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7783]
+
+testId=13071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7784]
+
+testId=29503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7785]
+
+testId=2847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7786]
+
+testId=19231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7787]
+
+testId=11055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7788]
+
+testId=27407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7789]
+
+testId=6959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7790]
+
+testId=23359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7791]
+
+testId=15151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7792]
+
+testId=31551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7793]
+
+testId=1807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7794]
+
+testId=18207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7795]
+
+testId=10031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7796]
+
+testId=26431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7797]
+
+testId=5903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7798]
+
+testId=22303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7799]
+
+testId=14143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7800]
+
+testId=30495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7801]
+
+testId=3871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7802]
+
+testId=20287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7803]
+
+testId=12079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7804]
+
+testId=28431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7805]
+
+testId=7951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7806]
+
+testId=24351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7807]
+
+testId=16143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7808]
+
+testId=32527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7809]
+
+testId=191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7810]
+
+testId=16527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7811]
+
+testId=8383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7812]
+
+testId=24751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7813]
+
+testId=4239
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7814]
+
+testId=20623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7815]
+
+testId=12463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7816]
+
+testId=28863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7817]
+
+testId=2223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7818]
+
+testId=18575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7819]
+
+testId=10431
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7820]
+
+testId=26799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7821]
+
+testId=6287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7822]
+
+testId=22671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7823]
+
+testId=14527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7824]
+
+testId=30879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7825]
+
+testId=1199
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7826]
+
+testId=17551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7827]
+
+testId=9375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7828]
+
+testId=25791
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7829]
+
+testId=5279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7830]
+
+testId=21647
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7831]
+
+testId=13503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7832]
+
+testId=29855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7833]
+
+testId=3215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7834]
+
+testId=19647
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7835]
+
+testId=11439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7836]
+
+testId=27823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7837]
+
+testId=7327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7838]
+
+testId=23711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7839]
+
+testId=15551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7840]
+
+testId=31919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7841]
+
+testId=687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7842]
+
+testId=17087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7843]
+
+testId=8847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7844]
+
+testId=25263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7845]
+
+testId=4783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7846]
+
+testId=21183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7847]
+
+testId=12991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7848]
+
+testId=29359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7849]
+
+testId=2735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7850]
+
+testId=19135
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7851]
+
+testId=10927
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7852]
+
+testId=27295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7853]
+
+testId=6799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7854]
+
+testId=23183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7855]
+
+testId=15007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7856]
+
+testId=31391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7857]
+
+testId=1695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7858]
+
+testId=18063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7859]
+
+testId=9919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7860]
+
+testId=26271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7861]
+
+testId=5775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7862]
+
+testId=22159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7863]
+
+testId=13999
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7864]
+
+testId=30351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7865]
+
+testId=3759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7866]
+
+testId=20127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7867]
+
+testId=11951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7868]
+
+testId=28351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7869]
+
+testId=7823
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7870]
+
+testId=24255
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7871]
+
+testId=16047
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7872]
+
+testId=32415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7873]
+
+testId=415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7874]
+
+testId=16815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7875]
+
+testId=8607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7876]
+
+testId=25023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7877]
+
+testId=4543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7878]
+
+testId=20911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7879]
+
+testId=12687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7880]
+
+testId=29071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7881]
+
+testId=2447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7882]
+
+testId=18831
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7883]
+
+testId=10687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7884]
+
+testId=27023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7885]
+
+testId=6591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7886]
+
+testId=22975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7887]
+
+testId=14735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7888]
+
+testId=31151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7889]
+
+testId=1455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7890]
+
+testId=17855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7891]
+
+testId=9663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7892]
+
+testId=26031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7893]
+
+testId=5551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7894]
+
+testId=21935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7895]
+
+testId=13711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7896]
+
+testId=30111
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7897]
+
+testId=3519
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7898]
+
+testId=19871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7899]
+
+testId=11663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7900]
+
+testId=28063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7901]
+
+testId=7615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7902]
+
+testId=23951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7903]
+
+testId=15759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7904]
+
+testId=32191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7905]
+
+testId=943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7906]
+
+testId=17327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7907]
+
+testId=9119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7908]
+
+testId=25519
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7909]
+
+testId=5055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7910]
+
+testId=21391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7911]
+
+testId=13247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7912]
+
+testId=29583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7913]
+
+testId=3007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7914]
+
+testId=19391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7915]
+
+testId=11167
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7916]
+
+testId=27551
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7917]
+
+testId=7071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7918]
+
+testId=23487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7919]
+
+testId=15247
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7920]
+
+testId=31647
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7921]
+
+testId=1983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7922]
+
+testId=18351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7923]
+
+testId=10127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7924]
+
+testId=26559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7925]
+
+testId=6031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7926]
+
+testId=22447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7927]
+
+testId=14223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7928]
+
+testId=30607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7929]
+
+testId=3983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7930]
+
+testId=20367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7931]
+
+testId=12191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7932]
+
+testId=28591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7933]
+
+testId=8079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7934]
+
+testId=24463
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7935]
+
+testId=16287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7936]
+
+testId=32671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7937]
+
+testId=79
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7938]
+
+testId=16495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7939]
+
+testId=8271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7940]
+
+testId=24671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7941]
+
+testId=4207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7942]
+
+testId=20575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7943]
+
+testId=12383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7944]
+
+testId=28783
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7945]
+
+testId=2143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7946]
+
+testId=18511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7947]
+
+testId=10335
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7948]
+
+testId=26751
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7949]
+
+testId=6239
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7950]
+
+testId=22639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7951]
+
+testId=14415
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7952]
+
+testId=30815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7953]
+
+testId=1103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7954]
+
+testId=17487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7955]
+
+testId=9343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7956]
+
+testId=25711
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7957]
+
+testId=5215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7958]
+
+testId=21615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7959]
+
+testId=13439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7960]
+
+testId=29807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7961]
+
+testId=3183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7962]
+
+testId=19583
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7963]
+
+testId=11343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7964]
+
+testId=27759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7965]
+
+testId=7263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7966]
+
+testId=23663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7967]
+
+testId=15455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7968]
+
+testId=31855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7969]
+
+testId=623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7970]
+
+testId=16991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7971]
+
+testId=8815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7972]
+
+testId=25215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7973]
+
+testId=4703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7974]
+
+testId=21087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7975]
+
+testId=12895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7976]
+
+testId=29279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7977]
+
+testId=2687
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7978]
+
+testId=19071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7979]
+
+testId=10863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7980]
+
+testId=27215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7981]
+
+testId=6767
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7982]
+
+testId=23151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7983]
+
+testId=14959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7984]
+
+testId=31359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7985]
+
+testId=1615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7986]
+
+testId=18031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7987]
+
+testId=9807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7988]
+
+testId=26191
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7989]
+
+testId=5759
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7990]
+
+testId=22143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7991]
+
+testId=13935
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7992]
+
+testId=30287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7993]
+
+testId=3679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7994]
+
+testId=20095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7995]
+
+testId=11903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7996]
+
+testId=28239
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7997]
+
+testId=7775
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7998]
+
+testId=24159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-7999]
+
+testId=15983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8000]
+
+testId=32367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8001]
+
+testId=367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8002]
+
+testId=16767
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8003]
+
+testId=8527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8004]
+
+testId=24959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8005]
+
+testId=4447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8006]
+
+testId=20815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8007]
+
+testId=12639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8008]
+
+testId=29055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8009]
+
+testId=2383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8010]
+
+testId=18815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8011]
+
+testId=10607
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8012]
+
+testId=26959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8013]
+
+testId=6479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8014]
+
+testId=22863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8015]
+
+testId=14671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8016]
+
+testId=31055
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8017]
+
+testId=1407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8018]
+
+testId=17743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8019]
+
+testId=9567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8020]
+
+testId=25983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8021]
+
+testId=5471
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8022]
+
+testId=21871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8023]
+
+testId=13695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8024]
+
+testId=30079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8025]
+
+testId=3439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8026]
+
+testId=19791
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8027]
+
+testId=11615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8028]
+
+testId=28031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8029]
+
+testId=7519
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8030]
+
+testId=23903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8031]
+
+testId=15695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8032]
+
+testId=32127
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8033]
+
+testId=879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8034]
+
+testId=17279
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8035]
+
+testId=9071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8036]
+
+testId=25439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8037]
+
+testId=4943
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8038]
+
+testId=21327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8039]
+
+testId=13151
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8040]
+
+testId=29535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8041]
+
+testId=2895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8042]
+
+testId=19295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8043]
+
+testId=11103
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8044]
+
+testId=27487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8045]
+
+testId=7023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8046]
+
+testId=23375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8047]
+
+testId=15231
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8048]
+
+testId=31615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8049]
+
+testId=1919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8050]
+
+testId=18303
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8051]
+
+testId=10063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8052]
+
+testId=26495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8053]
+
+testId=6015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8054]
+
+testId=22399
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8055]
+
+testId=14207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8056]
+
+testId=30543
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8057]
+
+testId=3919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8058]
+
+testId=20319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8059]
+
+testId=12159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8060]
+
+testId=28527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8061]
+
+testId=8015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8062]
+
+testId=24399
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8063]
+
+testId=16207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8064]
+
+testId=32623
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8065]
+
+testId=207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8066]
+
+testId=16639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8067]
+
+testId=8399
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8068]
+
+testId=24815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8069]
+
+testId=4351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8070]
+
+testId=20719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8071]
+
+testId=12495
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8072]
+
+testId=28879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8073]
+
+testId=2287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8074]
+
+testId=18671
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8075]
+
+testId=10479
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8076]
+
+testId=26879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8077]
+
+testId=6367
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8078]
+
+testId=22767
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8079]
+
+testId=14591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8080]
+
+testId=30959
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8081]
+
+testId=1263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8082]
+
+testId=17663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8083]
+
+testId=9471
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8084]
+
+testId=25839
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8085]
+
+testId=5359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8086]
+
+testId=21743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8087]
+
+testId=13567
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8088]
+
+testId=29919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8089]
+
+testId=3295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8090]
+
+testId=19695
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8091]
+
+testId=11487
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8092]
+
+testId=27887
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8093]
+
+testId=7375
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8094]
+
+testId=23807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8095]
+
+testId=15615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8096]
+
+testId=31951
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8097]
+
+testId=719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8098]
+
+testId=17119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8099]
+
+testId=8911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8100]
+
+testId=25343
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8101]
+
+testId=4863
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8102]
+
+testId=21215
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8103]
+
+testId=13007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8104]
+
+testId=29391
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8105]
+
+testId=2815
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8106]
+
+testId=19199
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8107]
+
+testId=11007
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8108]
+
+testId=27359
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8109]
+
+testId=6911
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8110]
+
+testId=23295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8111]
+
+testId=15071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8112]
+
+testId=31439
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8113]
+
+testId=1791
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8114]
+
+testId=18143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8115]
+
+testId=9983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8116]
+
+testId=26319
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8117]
+
+testId=5871
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8118]
+
+testId=22271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8119]
+
+testId=14063
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8120]
+
+testId=30447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8121]
+
+testId=3839
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8122]
+
+testId=20175
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8123]
+
+testId=11999
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8124]
+
+testId=28383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8125]
+
+testId=7903
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8126]
+
+testId=24271
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8127]
+
+testId=16079
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8128]
+
+testId=32511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8129]
+
+testId=511
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8130]
+
+testId=16879
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8131]
+
+testId=8703
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8132]
+
+testId=25071
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8133]
+
+testId=4591
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8134]
+
+testId=20991
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8135]
+
+testId=12799
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8136]
+
+testId=29183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8137]
+
+testId=2559
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8138]
+
+testId=18895
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8139]
+
+testId=10719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8140]
+
+testId=27087
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8141]
+
+testId=6655
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8142]
+
+testId=23039
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8143]
+
+testId=14847
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8144]
+
+testId=31183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8145]
+
+testId=1503
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8146]
+
+testId=17919
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8147]
+
+testId=9679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8148]
+
+testId=26095
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8149]
+
+testId=5615
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8150]
+
+testId=21983
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8151]
+
+testId=13807
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8152]
+
+testId=30207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8153]
+
+testId=3535
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8154]
+
+testId=19967
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8155]
+
+testId=11727
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8156]
+
+testId=28143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8157]
+
+testId=7679
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8158]
+
+testId=24015
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8159]
+
+testId=15855
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8160]
+
+testId=32207
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8161]
+
+testId=975
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8162]
+
+testId=17407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8163]
+
+testId=9183
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8164]
+
+testId=25599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8165]
+
+testId=5119
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8166]
+
+testId=21455
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8167]
+
+testId=13295
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8168]
+
+testId=29663
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8169]
+
+testId=3023
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8170]
+
+testId=19407
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8171]
+
+testId=11263
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8172]
+
+testId=27599
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8173]
+
+testId=7167
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8174]
+
+testId=23519
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8175]
+
+testId=15327
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8176]
+
+testId=31743
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8177]
+
+testId=2031
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8178]
+
+testId=18383
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8179]
+
+testId=10223
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8180]
+
+testId=26575
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8181]
+
+testId=6143
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8182]
+
+testId=22527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8183]
+
+testId=14287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8184]
+
+testId=30719
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8185]
+
+testId=4047
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8186]
+
+testId=20447
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8187]
+
+testId=12287
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength1K ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8188]
+
+testId=28639
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8189]
+
+testId=8159
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8190]
+
+testId=24527
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength0 ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8191]
+
+testId=16351
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
+[Test-8192]
+
+testId=32735
+testname=ClientCert_one ServerCert_one DomesticPolicy NO_SSLVersion2 NO_SSLVersion3 ClientIOLength1K ServerIOLength0 ClientAuthOff ClientNoForceHandshake ServerForceHandshake ClientNoRedoHandshake ServerNoRedoHandshake No_Cipher_EN_RC4_128_WITH_MD5 No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 No_Cipher_EN_RC2_128_CBC_WITH_MD5 No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 No_Cipher_RSA_WITH_RC4_128_MD5 No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 No_Cipher_RSA_WITH_DES_CBC_SHA No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA 
+timeout=9
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
new file mode 100644
index 000000000..2fcb02e7c
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
@@ -0,0 +1,296 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* include replacer-generated variables file */
+
+
+#include "ssl.h"
+#include "sslproto.h"
+
+#include "sslt.h"
+#include "sslc.h"
+#include "ssls.h"
+
+#include "pk11func.h"
+
+#define MAX_CIPHERS 100
+
+struct cipherspec cipher_array[MAX_CIPHERS];
+int cipher_array_size=0;
+char *password = "";
+char *nickname = "SSLServer";
+char *client_nick = "SSLClient";
+
+void InitCiphers() {
+  int i=0;
+
+/* These ciphers are listed in priority order. */
+  DIPHER(2,SSL_ALLOWED,128,40,     "RC2-CBC-Export", EN_RC2_128_CBC_EXPORT40_WITH_MD5)
+    CIPHER(2,SSL_NOT_ALLOWED,128,128,"RC4",            EN_RC4_128_WITH_MD5)
+    CIPHER(2,SSL_ALLOWED,128,40,     "RC4-Export",     EN_RC4_128_EXPORT40_WITH_MD5)
+    DIPHER(2,SSL_NOT_ALLOWED,128,128,"RC2-CBC",        EN_RC2_128_CBC_WITH_MD5)
+    DIPHER(2,SSL_ALLOWED,128,40,     "RC2-CBC-40", EN_RC2_128_CBC_EXPORT40_WITH_MD5)
+    DIPHER(2,SSL_NOT_ALLOWED,128,128,"IDEA-CBC",       EN_IDEA_128_CBC_WITH_MD5)
+    DIPHER(2,SSL_NOT_ALLOWED,56,56,  "DES-CBC",        EN_DES_64_CBC_WITH_MD5)
+    CIPHER(2,SSL_NOT_ALLOWED,168,168,"DES-EDE3-CBC",   EN_DES_192_EDE3_CBC_WITH_MD5)
+  /* SSL 3 suites */
+
+    CIPHER(3,SSL_RESTRICTED,128,128, "RC4",            RSA_WITH_RC4_128_MD5)
+    DIPHER(3,SSL_RESTRICTED,128,128, "RC4",            RSA_WITH_RC4_128_SHA)
+    CIPHER(3,SSL_RESTRICTED,168,168, "3DES-EDE-CBC",   RSA_WITH_3DES_EDE_CBC_SHA)
+    CIPHER(3,SSL_NOT_ALLOWED,56,56,"DES-CBC",        RSA_WITH_DES_CBC_SHA)
+    CIPHER(3,SSL_ALLOWED,128,40,     "RC4-40",         RSA_EXPORT_WITH_RC4_40_MD5)
+    CIPHER(3,SSL_ALLOWED,128,40,     "RC2-CBC-40",     RSA_EXPORT_WITH_RC2_CBC_40_MD5)
+
+    DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           NULL_WITH_NULL_NULL)
+    DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           RSA_WITH_NULL_MD5)
+    DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           RSA_WITH_NULL_SHA)
+
+#if 0
+    DIPHER(3,SSL_NOT_ALLOWED,0,0,    "IDEA-CBC",       RSA_WITH_IDEA_CBC_SHA)
+    DIPHER(3,SSL_ALLOWED,128,40,     "DES-CBC-40",     RSA_EXPORT_WITH_DES40_CBC_SHA)
+#endif
+
+  /*
+    
+  CIPHER(DH_DSS_EXPORT_WITH_DES40_CBC_SHA),
+  CIPHER(DH_DSS_WITH_DES_CBC_SHA),
+  CIPHER(DH_DSS_WITH_3DES_EDE_CBC_SHA),
+  CIPHER(DH_RSA_EXPORT_WITH_DES40_CBC_SHA),
+  CIPHER(DH_RSA_WITH_DES_CBC_SHA),
+  CIPHER(DH_RSA_WITH_3DES_EDE_CBC_SHA),
+  CIPHER(DHE_DSS_EXPORT_WITH_DES40_CBC_SHA),
+  CIPHER(DHE_DSS_WITH_DES_CBC_SHA),
+  CIPHER(DHE_DSS_WITH_3DES_EDE_CBC_SHA),
+  CIPHER(DHE_RSA_EXPORT_WITH_DES40_CBC_SHA),
+  CIPHER(DHE_RSA_WITH_DES_CBC_SHA),
+  CIPHER(DHE_RSA_WITH_3DES_EDE_CBC_SHA),
+
+  CIPHER(DH_ANON_EXPORT_WITH_RC4_40_MD5),
+  CIPHER(DH_ANON_WITH_RC4_128_MD5),
+  CIPHER(DH_ANON_WITH_DES_CBC_SHA),
+  CIPHER(DH_ANON_WITH_3DES_EDE_CBC_SHA),
+
+  CIPHER(3,SSL_NOT_ALLOWED,0,0,"Fortezza",        FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),
+  CIPHER(3,SSL_NOT_ALLOWED,0,0,"Fortezza",        FORTEZZA_DMS_WITH_RC4_128_SHA),
+
+  */
+
+    DIPHER(3,SSL_NOT_ALLOWED,192,192,"3DES-EDE-CBC",RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+    DIPHER(3,SSL_NOT_ALLOWED,64,64,  "DES-CBC",       RSA_FIPS_WITH_DES_CBC_SHA)
+    
+    cipher_array_size =i;
+}
+
+
+
+/* ClearCiphers()
+ *   Clear out all ciphers */
+
+void ClearCiphers(struct ThreadData *td) {
+int i;
+
+for (i=0;i<cipher_array_size;i++) {
+SSL_EnableCipher(cipher_array[i].enableid,0);
+}
+}
+
+
+/* EnableCiphers
+ *   enable only those ciphers set for this test */
+
+void EnableCiphers(struct ThreadData *td) {
+  int i;
+
+  for (i=0;i<cipher_array_size;i++) {
+    if (cipher_array[i].on) {
+      SSL_EnableCipher(cipher_array[i].enableid,1);
+    }
+  }
+}
+
+/* SetPolicy */
+
+void SetPolicy() {
+  int i;
+
+  for (i=0;i<cipher_array_size;i++) {
+    if (REP_Policy == POLICY_DOMESTIC) {
+      SSL_SetPolicy(cipher_array[i].enableid,SSL_ALLOWED);
+    }
+    else {
+      SSL_SetPolicy(cipher_array[i].enableid,cipher_array[i].exportable);
+    }
+  }
+}
+
+char *MyPWFunc(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+    static PRBool called=PR_FALSE;
+    if(called) {
+	return NULL;
+    } else {
+	called = PR_TRUE;
+	return PL_strdup(password);
+    }
+}
+
+/* 
+ * VersionEnables
+ *  errors (40-49)
+ */
+
+int Version2Enable(PRFileDesc *s, int v) {
+  if (SSL_Enable(s, SSL_ENABLE_SSL2, 1) <0) return Error(43);
+  else return 0;
+}
+
+int Version3Enable(PRFileDesc *s) {
+    if (SSL_Enable(s, SSL_ENABLE_SSL3, 1) <0) return Error(42);
+    else return 0;
+}
+
+int Version23Clear(PRFileDesc *s) {
+  if (SSL_Enable(s,SSL_ENABLE_SSL2,0) <0) return Error(40);
+  if (SSL_Enable(s,SSL_ENABLE_SSL3,0) <0) return Error(41);
+  return 0;
+}
+
+
+
+char *nicknames[MAX_NICKNAME];
+
+void SetupNickNames() {
+  nicknames[CLIENT_CERT_VERISIGN]        = "CLIENT_CERT_VERISIGN";
+  nicknames[CLIENT_CERT_HARDCOREII_1024] = "CLIENT_CERT_HARDCOREII_1024";
+  nicknames[CLIENT_CERT_HARDCOREII_512]  = "CLIENT_CERT_HARDCOREII_512";
+  nicknames[CLIENT_CERT_SPARK]           = "CLIENT_CERT_SPARK";
+  nicknames[SERVER_CERT_HARDCOREII_512]  = nickname;
+  /* nicknames[SERVER_CERT_HARDCOREII_512]  = "SERVER_CERT_HARDCOREII_512"; */
+  nicknames[SERVER_CERT_VERISIGN_REGULAR]= "SERVER_CERT_VERISIGN_REGULAR";
+  nicknames[SERVER_CERT_VERISIGN_STEPUP] = "SERVER_CERT_VERISIGN_STEPUP";
+  nicknames[SERVER_CERT_SPARK]           = "SERVER_CERT_SPARK";
+}
+
+
+
+
+
+
+
+/* 
+ * SetServerSecParms
+ * errors(10-19)
+ */
+
+int SetServerSecParms(struct ThreadData *td) {
+  int rv;
+  SECKEYPrivateKey *privKey;
+  PRFileDesc *s;
+
+  s = td->r;
+
+  rv = SSL_Enable(s, SSL_SECURITY, 1);     /* Enable security on this socket */
+  if (rv < 0)  return Error(10);
+
+  if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) {
+    rv = SSL_Enable(s, SSL_REQUEST_CERTIFICATE, 1);
+    if (rv < 0)  return Error(11);
+    }
+
+  ClearCiphers(td);
+  EnableCiphers(td);
+
+  PK11_SetPasswordFunc(MyPWFunc);
+  SSL_SetPKCS11PinArg(s,(void*) MyPWFunc);
+
+
+  /* Find the certificates we are going to use from the database */
+
+
+  /* Test for dummy certificate, which shouldn't exist */
+  td->cert = PK11_FindCertFromNickname("XXXXXX_CERT_HARDCOREII_1024",NULL);
+  if (td->cert != NULL) return Error(16);
+
+
+  td->cert = NULL;
+  if (NO_CERT != REP_ServerCert) {
+    td->cert = PK11_FindCertFromNickname(nicknames[REP_ServerCert],NULL);
+  }
+
+
+  /* Note: if we're set to use NO_CERT as the server cert, then we'll
+   * just essentially skip the rest of this (except for session ID cache setup)
+   */
+
+  
+  if ( (NULL == td->cert)  && ( NO_CERT != REP_ServerCert )) {
+    PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]);
+    PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n",
+	       SECU_ErrorString ((int16) PR_GetError()));
+    return Error(12);
+  }
+  
+
+  if ((NO_CERT != REP_ServerCert)) {
+    privKey = PK11_FindKeyByAnyCert(td->cert, NULL);
+    if (privKey == NULL) {
+      dbmsg((PR_STDERR, "Can't find key for this certificate\n"));
+      return Error(13);
+    }
+    
+    rv = SSL_ConfigSecureServer(s,td->cert,privKey, kt_rsa);
+    if (rv != PR_SUCCESS) {
+      dbmsg((PR_STDERR, "Can't config server error(%d) \n",rv));
+      return Error(14);
+    }
+  }
+  
+  rv = SSL_ConfigServerSessionIDCache(10, 0, 0, ".");
+  if (rv != 0) {    
+    dbmsg((PR_STDERR, "Can't config server session ID cache (%d) \n",rv));
+    return Error(15);
+  }
+
+  return 0;
+}
+
+
+
+
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.h b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.h
new file mode 100644
index 000000000..587e1c1ff
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.h
@@ -0,0 +1,99 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef SSLC_H
+#define SSLC_H
+
+#include "ssls.h"
+
+struct cipherspec {
+  int sslversion;  /* either 2 or 3 */
+  int exportable;  /* 0=domestic cipher,  1=exportable */
+  int ks,sks;      /* key size, secret key size (bits) */
+  char *name;      /* name expected from SecurityStatus */
+  int enableid;    /* the cipher id used by SSL_EnableCipher */
+  int on;          /* 0= do not enable this cipher, 1 = enable */
+};
+
+
+/* Ugly way to generate code to fill in cipher_array struct */
+/* I wanted to make this part of the static structure initialization,
+   but some compilers complain that the .on field is not constant */
+
+#define CIPHER(p_sslversion,p_policy,p_ks,p_sks,p_name,p_x) {\
+ cipher_array[i].sslversion = p_sslversion; \
+ cipher_array[i].exportable = p_policy;     \
+ cipher_array[i].ks         = p_ks;         \
+ cipher_array[i].sks        = p_sks;        \
+ cipher_array[i].name       = p_name;       \
+ cipher_array[i].enableid   = SSL_ ## p_x;  \
+ cipher_array[i].on         = REP_Cipher_ ## p_x; \
+ i++; }
+
+/* A DIPHER is a disabled-cipher (don't run the test suite) */
+#define DIPHER(sslversion,policy,ks,sks,name,x)  ;
+
+
+/* These constants are indexes into the 'nicknames' array */
+
+#define NO_CERT                       -1
+#define CLIENT_CERT_VERISIGN          1
+#define CLIENT_CERT_HARDCOREII_1024   2
+#define CLIENT_CERT_HARDCOREII_512    3
+#define CLIENT_CERT_SPARK             4
+#define SERVER_CERT_HARDCOREII_512    5
+#define SERVER_CERT_VERISIGN_REGULAR  6
+#define SERVER_CERT_VERISIGN_STEPUP   7
+#define SERVER_CERT_SPARK             8
+#define MAX_NICKNAME                  10
+
+extern struct cipherspec cipher_array[];
+extern int cipher_array_size;
+
+extern void ClearCiphers();
+extern void EnableCiphers();
+extern void SetPolicy();
+extern int  Version2Enable();
+extern int  Version3Enable();
+extern int  Version23Clear();
+extern char *nicknames[];
+extern void SetupNickNames();
+extern int  SetServerSecParms(struct ThreadData *td);
+
+
+#endif
+/* SSLC_H */
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.c
new file mode 100644
index 000000000..440cc70b7
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.c
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "ssls.h"
+
+#include <ssl.h>
+#include <sslproto.h>
+
+/* 21 lines x 8 chars = 168 bytes */
+
+
+#if 1
+unsigned char data[] = {
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08,
+
+  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07, 0x08
+};
+
+#else
+
+unsigned char data[] = {
+  0x2e, 0x86, 0x53, 0x10, 0x4f, 0x38, 0x34, 0xea,
+  0x4b, 0xd3, 0x88, 0xff, 0x6c, 0xd8, 0x1d, 0x4f,
+  0x20, 0xb9, 0xe7, 0x67, 0xb2, 0xfb, 0x14, 0x56,
+  0x55, 0x57, 0x93, 0x80, 0xd7, 0x71, 0x38, 0xef,
+
+  0x6c, 0xc5, 0xde, 0xfa, 0xaf, 0x04, 0x51, 0x2f,
+  0x0d, 0x9f, 0x27, 0x9b, 0xa5, 0xd8, 0x72, 0x60,
+  0xd9, 0x03, 0x1b, 0x02, 0x71, 0xbd, 0x5a, 0x0a,
+  0x42, 0x42, 0x50, 0xb3, 0x7c, 0x3d, 0xd9, 0x51,
+
+  0xb8, 0x06, 0x1b, 0x7e, 0xcd, 0x9a, 0x21, 0xe5,
+  0xf1, 0x5d, 0x0f, 0x28, 0x6b, 0x65, 0xbd, 0x28,
+  0xad, 0xd0, 0xcc, 0x8d, 0x6e, 0x5d, 0xeb, 0xa1,
+  0xe6, 0xd5, 0xf8, 0x27, 0x52, 0xad, 0x63, 0xd1,
+
+  0xec, 0xbf, 0xe3, 0xbd, 0x3f, 0x59, 0x1a, 0x5e,
+  0xf3, 0x56, 0x83, 0x43, 0x79, 0xd1, 0x65, 0xcd,
+  0x2b, 0x9f, 0x98, 0x2f, 0x20, 0x03, 0x7f, 0xa9,
+  0x88, 0x9d, 0xe0, 0x68, 0xa1, 0x6f, 0x0b, 0xe6,
+
+  0xe1, 0x9e, 0x27, 0x5d, 0x84, 0x6a, 0x12, 0x98,
+  0x32, 0x9a, 0x8e, 0xd5, 0x23, 0xd7, 0x1a, 0xec,
+  0xe7, 0xfc, 0xe2, 0x25, 0x57, 0xd2, 0x3c, 0x97,
+  0x12, 0xa9, 0xf5, 0x81, 0x7f, 0xf2, 0xd6, 0x5d,
+
+  0xa4, 0x84, 0xc3, 0xad, 0x38, 0xdc, 0x9c, 0x19
+};
+#endif
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.h b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.h
new file mode 100644
index 000000000..23107c548
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/ssls.h
@@ -0,0 +1,130 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef SSLS_H
+#define SSLS_H
+
+#include <prinit.h>
+#include <prprf.h>
+#include <prsystem.h>
+#include <prmem.h>
+#include <plstr.h>
+#include <prnetdb.h>
+#include <prinrval.h>
+
+
+#include <cert.h>
+
+extern struct CipherPolicy ciphers[];
+extern struct CipherPair policy[];
+
+extern unsigned char data[];
+
+#define BUFSIZE 3955   /* some arbitrary size not a multiple of 2^x */
+
+struct ThreadData {     /* place to put thread-local data. */
+
+  PRFileDesc *fd;             /* NSPR File Desc        */
+  PRFileDesc *s;             /* The secure File Desc  */
+  PRFileDesc *r;             /* Rendezvous socket (not used right now */
+  PRPollDesc pd;
+  CERTCertificate  *cert;
+  CERTCertificate  *peercert;
+
+  struct ThreadData *peer;
+
+  PRNetAddr  na;
+  PRThread   *subthread;
+  
+  int   peerport;
+  int   client;
+
+  char  sendbuf[BUFSIZE];
+  char  recvbuf[BUFSIZE];
+  int   data_read;
+  int   data_sent;
+  int   data_tosend;
+  int   state;
+  unsigned char  xor_reading;
+  unsigned char  xor_writing;
+  
+  int   exit_code;
+  int   secerr_flag;
+  int   secerr;
+
+
+#define SSLT_INITIAL_FORCE 1
+#define SSLT_FIRST_IO      2
+#define SSLT_REDO          4
+
+  int   status_on;
+  char *status_cipher;
+  int   status_keysize;
+  int   status_skeysize;
+  char *status_issuer;
+  char *status_subject;
+
+};
+
+
+#define POLICY_DOMESTIC 0
+#define POLICY_EXPORT 1
+
+
+extern int VerifyBuffer(char *recvbuf,int bufsize,int done, char xor);
+extern void FillBuffer(char *sendbuf,int bufsize, int offset, char xor);
+extern void HandshakeCallback(PRFileDesc *s, void *td);
+
+
+#define DATABUFSIZE 168
+#define CLIENTXOR   0xA5
+
+#define BLOCKING      0
+#define NON_BLOCKING  1
+
+#define STATE_BEFORE_INITIAL_HANDSHAKE  0
+#define STATE_BEFORE_REDO_HANDSHAKE     1
+#define STATE_STATUS_COLLECTED          2
+#define STATE_DONE_WRITING              3
+#define STATE_DONE_READING              4
+#define STATE_DONE                      5
+
+#define SSLT_CLIENTAUTH_OFF     1
+#define SSLT_CLIENTAUTH_REDO    2
+#define SSLT_CLIENTAUTH_INITIAL 3
+
+
+#endif
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
new file mode 100755
index 000000000..a3150ac6e
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
@@ -0,0 +1,1186 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#define VERION_MAJOR 1
+#define VERION_MINOR 0
+#define VERSION_POINT 7
+/* NSPR header files */
+#include <prinit.h>
+#include <prprf.h>
+#include <prsystem.h>
+#include <prmem.h>
+#include <plstr.h>
+#include <prnetdb.h>
+#include <prinrval.h>
+#include <prmon.h>
+#include <prlock.h>
+
+/* Security library files */
+#include "cert.h"
+#include "key.h"
+#include "secmod.h"
+#include "secutil.h"
+#include "pk11func.h"
+
+/* SSL Header Files */
+#include "ssl.h"
+#include "sslproto.h"
+
+#define EXIT_OOPS 14
+
+#include "ssls.h"
+#include "sslc.h"
+
+#ifdef XP_PC
+/* Windows VC++ 6.0 Header File required to define EXCEPTION_EXECUTE_HANDLER. */
+#include "excpt.h"
+#endif
+
+#ifndef DEBUG_stevep
+#define dbmsg(x) if (debug) PR_fprintf x ;
+#else
+#define dbmsg(x) ;
+#endif
+
+/* Prototypes */
+
+PRInt32 ServerThread(PRInt32 argc,char **argv);
+void ClientThread(void *arg);
+void SetupNickNames(void );
+int OpenDBs(void);
+int ConfigServerSocket(void);
+int DoIO(struct ThreadData *);
+int Client(void);
+int SetClientSecParams(void);
+int CreateClientSocket(void);
+
+#ifdef XP_PC
+extern char getopt(int, char**, char*);
+#endif
+extern int Version2Enable(PRFileDesc *s);
+extern int Version3Enable(PRFileDesc *s);
+extern int Version23Clear(PRFileDesc *s);
+extern void SetupNickNames();
+extern int AuthCertificate(void *arg,PRFileDesc *fd,
+			   PRBool checkSig, PRBool isServer);
+extern char *MyPWFunc(void *slot, PRBool retry, void *arg);
+
+extern char *nicknames[];
+extern char *client_nick;
+extern char *password, *nickname;
+
+/* Shared condition variables */
+
+int rc;            /* rc is the error the process should return */
+PRMonitor *rcmon;  /* rcmon protects rc, since it can be set by the client */
+                   /* or server thread */
+
+/***** Read-only global variables (initialized in Server Thread)   ****/
+
+PRInt32 debug   = 0;
+PRInt32 verbose = 0;
+CERTCertDBHandle *cert_db_handle = NULL;
+
+struct ThreadData cl,svr;
+
+/* Include Replacer-generated variables file */
+
+/* INSERT_TABLES is a special parameter to sslt.h which inserts the
+   replacer-generated tables. We only want this table to be included
+   once in the executable, but this header file gets use in several
+   places */
+
+#define INSERT_TABLES
+#include "sslt.h"
+#include "nss.h"
+
+
+
+/*
+ *
+ * OpenDBs()   -  open databases
+ * errors(30-39)
+ */
+
+int OpenDBs() {
+  int r;
+
+  NSS_Init(".");
+  return 0;
+}
+
+
+
+
+
+/* 
+ * CreateServerSocket
+ * errors (20-29)
+ */
+
+
+int CreateServerSocket(struct ThreadData *td) {
+  /* Create server socket s */
+
+  td->fd = PR_NewTCPSocket();
+  if (td->fd == NULL) return Error(20);
+
+  td->r = SSL_ImportFD(NULL, td->fd);
+  if (td->r == NULL) return Error(21);
+
+  return 0;
+} 
+
+
+int ConfigServerSocket() {
+
+  /* Set up Net address to bind to 'any' */
+  int r;
+ 
+  r = PR_InitializeNetAddr(PR_IpAddrAny,0,&svr.na);
+  if (PR_SUCCESS != r) return Error(2);
+
+  
+  r = PR_Bind(svr.r,&svr.na);     /* bind to an IP address */
+  if (PR_SUCCESS != r) return Error(3);
+
+
+  r = PR_Listen(svr.r,5);
+  if (PR_SUCCESS != r) return Error(4);
+
+
+  r = PR_GetSockName(svr.r,&svr.na);
+  if (PR_SUCCESS != r) return Error(5);
+  return r;
+}
+
+
+/* 
+ * main 
+ *   returns 255 if 'coredump'-type crash occurs on winNT
+ *
+ */
+
+PRIntn main(PRIntn ac, char **av, char **ev) {
+  int r;
+  extern char *optarg;	
+  extern int optind;
+  int c;
+  
+
+  if( ac == 1 ) {
+     PR_fprintf(PR_STDERR,
+"\nSSL Test Suite Version %d.%d.%d\n\
+All Rights Reserved\n\
+Usage: sslt [-c client_nickname] [-n server_nickname] [-p passwd] [-d] testid\n",
+VERION_MAJOR, VERION_MINOR, VERSION_POINT);
+
+    exit(0);
+  }
+
+  for (c = 1; c<ac; c++) {
+	if (!PL_strcmp(av[c],"-c")) {
+	
+		  c++;
+		  if (c < ac) {
+			client_nick = av[c];
+		  }
+		  else {
+			  PR_fprintf(PR_STDOUT,"must supply argument for -c\n");
+			  exit(0);
+		  }
+	}
+
+	else if (!PL_strcmp(av[c],"-n")) {
+	
+		  c++;
+		  if (c < ac) {
+			nickname = av[c];
+		  }
+		  else {
+			  PR_fprintf(PR_STDOUT,"must supply argument for -n\n");
+			  exit(0);
+		  }
+      }
+	  else if (!PL_strcmp(av[c],"-p")) {
+
+		  c++;
+		  if (c < ac) {
+			password = av[c];
+		  }
+		  else {
+			  PR_fprintf(PR_STDOUT,"must supply argument for -p\n");
+			  exit(0);
+		  }
+      }
+	else if (!PL_strcmp(av[c],"-d")) {
+		  c++;
+		  debug++;
+      }
+	else 
+		testId = atoi(av[c]);
+  }
+
+
+
+#ifdef XP_PC
+    __try {
+#endif
+ 
+  r = PR_Initialize(ServerThread,ac,av,400);         /* is 400 enough? */
+
+  /* returncode 99 means 'no error' */
+  if (99 == r)  r = 0;
+
+#ifdef XP_PC
+    } __except( PR_fprintf(PR_STDERR, "\nCERT-TEST crashed\n"), EXCEPTION_EXECUTE_HANDLER ) {
+        r = 255;
+    }
+#endif
+
+  return r;
+
+}
+
+
+
+/* 
+ * ServerThread
+ * (errors 1-9,150-159)
+ */
+
+
+PRInt32 ServerThread(PRInt32 argc,char **argv) {
+
+  PRNetAddr na;
+
+  PRStatus r;
+  SECStatus rv;
+  
+  CERTCertDBHandle *cert_db_handle;
+  PRInt32 i,j;
+  struct ThreadData * td;
+
+  
+  /*   if (InvalidTestHack() == PR_TRUE) {
+    return 0;
+  }
+  */
+
+  rcmon = PR_NewMonitor();
+  if (NULL == rcmon) return Error(140);
+
+  PR_EnterMonitor(rcmon);
+  rc = 0;
+  PR_ExitMonitor(rcmon);
+
+  InitCiphers();
+  SetPolicy();
+  SetupNickNames();
+  
+  cl.peer = &svr;
+  svr.peer = &cl;
+
+
+  r = OpenDBs();            /* open databases and set defaults */
+  if (PR_SUCCESS != r) return r;
+
+
+  r = CreateServerSocket(&svr);
+  if (PR_SUCCESS != r) return r;
+
+  r = ConfigServerSocket();
+  if (PR_SUCCESS != r) return r;
+
+  cl.peerport = svr.na.inet.port;
+
+
+  r = SetServerSecParms(&svr);  /* configure server socket
+                                   sid cache, certificate etc. */
+  if (r) return r;
+
+  r = SSL_HandshakeCallback(svr.r, HandshakeCallback, &svr);
+  if (PR_SUCCESS != r) return Error(150);
+
+  r = SSL_AuthCertificateHook(svr.r,AuthCertificate,&svr);
+  if (PR_SUCCESS !=r ) return Error(151);
+
+  /* The server socket is now set up. Now, we must start
+     the client thread */
+
+  svr.subthread =
+    PR_CreateThread(PR_SYSTEM_THREAD,   /* Thread Type      */
+		    ClientThread,       /* Start Function   */
+		    NULL,               /* Argument         */
+		    PR_PRIORITY_NORMAL, /* Priority         */
+		    PR_GLOBAL_THREAD,   /* Scheduling scope */
+		    PR_JOINABLE_THREAD, /* Thread State     */
+		    0          /* Stacksize (0=use default) */
+		    );
+  if (svr.subthread == NULL) return Error(6);
+
+
+  
+  /* Wait for incoming connection from client thread */
+
+  svr.s = PR_Accept(svr.r, NULL, PR_SecondsToInterval(100)); /* timeout */
+  if (NULL == svr.s) {
+    r = PR_GetError();
+    if (r) {
+      return Error(7);
+    }
+  }
+
+  td = &svr;
+  td->client = PR_FALSE;
+  td->xor_reading = CLIENTXOR;
+  td->xor_writing = 0;
+  
+  r = DoIO(td);
+  dbmsg((PR_STDERR,"Server IO complete - returned %d\n",r));
+  dbmsg((PR_STDERR,"PR_GetError() = %d\n",PR_GetError()));
+
+
+  /* WHY IS THIS HERE???? */
+  r = 0;
+  if (r) return r;
+  
+
+  /* c = SSL_PeerCertificate(s); */
+
+  r = PR_Close(svr.s);   /* close the SSL Socket */
+  if (r != PR_SUCCESS) return Error(8);
+
+  dbmsg((PR_STDERR,"PR_Close(svr.s) - returned %d\n",r));
+
+  r = PR_Close(svr.r);  /* Close the rendezvous socket */
+  if (r != PR_SUCCESS) return Error(8);
+
+  dbmsg((PR_STDERR,"PR_Close(svr.r) - returned %d\n",r));
+
+  r = PR_JoinThread(svr.subthread);
+  if (r != PR_SUCCESS)  return Error(9);
+
+  PR_EnterMonitor(rcmon);
+  r = rc;
+  PR_ExitMonitor(rcmon);
+  
+  dbmsg((PR_STDERR,"Client Thread Joined. client's returncode=%d\n",r));
+  dbmsg((PR_STDERR,"Server Thread closing down.\n"));
+
+  return r;
+  
+  }
+
+
+/*
+ * Get security status for this socket
+ *
+ */ 
+
+int GetSecStatus(struct ThreadData *td) {
+  int r;
+
+  r = SSL_SecurityStatus(td->s,
+			 &td->status_on,
+			 &td->status_cipher,
+			 &td->status_keysize,
+			 &td->status_skeysize,
+			 &td->status_issuer,
+			 &td->status_subject
+			 );
+
+  return r;
+  /* SSL_PeerCertificate(); */
+
+}
+ 
+
+
+
+/* Signal an error code for the process to return.
+   If the peer aborted before us, returns 0.
+   If the peer did not abort before us, returns the calling argument
+   (to be used as a returncode) */
+int Error(int s)
+{
+  int r;
+
+  PR_EnterMonitor(rcmon);
+  r = rc;
+  if (0 == rc) { 
+    rc = s;
+  }    
+  PR_ExitMonitor(rcmon);
+
+  if (r) return s;
+  else return 0;
+}
+
+
+
+#define ALLOWEDBYPROTOCOL    1
+#define ALLOWEDBYPOLICY      2
+#define ALLOWEDBYCIPHERSUITE 4
+
+/* This returns 0 if the status is what was expected at this point, else a returncode */
+
+
+int VerifyStatus(struct ThreadData *td)
+{
+  int i,j;
+  int matched =0;
+
+  /* Go through all the ciphers until we find the first one that satisfies */
+  /* all the criteria. The ciphers are listed in preferred order. So, the first */
+  /* that matches should be the one. */
+
+  /* because of bug 107086, I have to fudge this. If it weren't for this
+     bug, SSL2 ciphers may get chosen in preference to SSL3 cipher,
+     if they were stronger */
+
+
+  for (i=0;i<cipher_array_size;i++) {
+
+  /* IF */
+
+    if (
+
+	/* bug 107086. If SSL2 and SSL3 are enabled, ignore the SSL2 ciphers */
+	(!( /* see above */
+	  (REP_SSLVersion2 && REP_SSLVersion3) && cipher_array[i].sslversion == 2)
+	 )
+
+	&&
+
+
+	(  /* Cipher is the right kind for the protocol? */
+	 ((cipher_array[i].sslversion == 2) && REP_SSLVersion2) ||
+	 ((cipher_array[i].sslversion == 3) && REP_SSLVersion3) 
+	 )
+	
+	&&  /* Cipher is switched on */
+
+	((cipher_array[i].on == 1) ||
+	 ((cipher_array[i].on == 2) &&
+	  (REP_ServerCert == SERVER_CERT_VERISIGN_STEPUP)))
+
+	&&  /* Is this cipher enabled under this policy */
+    
+	(
+	 (REP_Policy == POLICY_DOMESTIC) ||
+	 ((REP_Policy == POLICY_EXPORT)  && 
+	  (cipher_array[i].exportable == SSL_ALLOWED)))
+	)
+
+  /* THEN */
+      {
+	/* This is the cipher the SSL library should have chosen */
+	
+	matched = 1;
+	break;	
+      }
+  }
+
+GetSecStatus(td);
+
+
+#define SSLT_STATUS_CORRECT           0 /* The status is correct. Continue with test */
+#define SSLT_STATUS_WRONG_KEYSIZE     1 /* The reported keysize is incorrect. abort */
+#define SSLT_STATUS_WRONG_SKEYSIZE    2 /* The reported secret keysize is incorrect. abort */
+#define SSLT_STATUS_WRONG_DESCRIPTION 3 /* The reported description is incorrect. abort*/
+#define SSLT_STATUS_WRONG_ERRORCODE   4 /* sec. library error - but wrong one - abort */
+#define SSLT_STATUS_CORRECT_ERRORCODE 5 /* security library error - right one - abort with err 99 */
+
+  if (matched) {
+    if (td->status_keysize  != cipher_array[i].ks) {
+      PR_fprintf(PR_STDERR,"wrong keysize. seclib: %d,  expected %d\n",
+		 td->status_keysize,cipher_array[i].ks);
+      return  SSLT_STATUS_WRONG_KEYSIZE;
+    }
+    if (td->status_skeysize != cipher_array[i].sks) return SSLT_STATUS_WRONG_SKEYSIZE;
+    if (PL_strcmp(td->status_cipher,cipher_array[i].name)) {
+      PR_fprintf(PR_STDERR,"wrong cipher description.  seclib: %s, expected: %s\n",
+	     td->status_cipher,cipher_array[i].name);
+      return SSLT_STATUS_WRONG_DESCRIPTION;
+    }
+
+    /* Should also check status_issuer and status_subject */
+  
+    return SSLT_STATUS_CORRECT;
+  }
+
+  else {
+    /* if SSL wasn't enabled, security library should have returned a failure with
+       SSL_ERROR_SSL_DISABLED 
+       */
+
+    /* Since we cannot set the client and server ciphersuites independently,
+       there's not point in checking for NO_CYPHER_OVERLAP. That's why some
+       of this is commented out.
+       */
+
+#if 0
+	if (PR_FALSE == REP_SSLVersion2 &&
+	    PR_FALSE == REP_SSLVersion3)
+{
+if ( (td->secerr_flag == PR_FALSE ) ||
+          ((td->secerr_flag == PR_TRUE) && 
+	     !((td->secerr == SSL_ERROR_SSL_DISABLED) ||
+	      (td->secerr == SSL_ERROR_NO_CYPHER_OVERLAP))
+   	)) {
+       return SSLT_STATUS_WRONG_ERRORCODE;
+     }
+     else
+  return SSLT_STATUS_CORRECT_ERRORCODE;
+   }
+
+	else {
+
+	  /* If SSL was enabled, and we get here, then no ciphers were compatible
+	     (matched == 0). So, security library should have returned the error
+	     SSL_ERROR_NO_CYPHER_OVERLAP */
+
+	  if ((td->secerr_flag == PR_FALSE) ||
+	      ((td->secerr_flag == PR_TRUE) && (td->secerr != SSL_ERROR_NO_CYPHER_OVERLAP))) {
+	    return SSLT_STATUS_WRONG_ERRORCODE;
+	  }
+	  else return SSLT_STATUS_CORRECT_ERRORCODE;
+	}
+#endif
+  }
+	return SSLT_STATUS_CORRECT_ERRORCODE;
+}
+
+
+/* 
+ *  DoRedoHandshake()
+ *
+ * errors(90-99)
+ *  99 means exit gracefully
+ */
+
+int DoRedoHandshake(struct ThreadData *td) {
+  int r;
+
+
+  /* figure out if we really should do the RedoHandshake */
+  if ((td->client  && (PR_TRUE== REP_ClientRedoHandshake)) ||
+	(!td->client && (PR_TRUE== REP_ServerRedoHandshake))) {
+
+    if ((!td->client && (SSLT_CLIENTAUTH_REDO==REP_ServerDoClientAuth))) {
+       r = SSL_Enable(td->s, SSL_REQUEST_CERTIFICATE, 1);
+    }
+
+    r = SSL_RedoHandshake(td->s);          /* .. and redo the handshake */      
+    if (PR_SUCCESS == r) {                  /* If the handshake succeeded,  */
+                                            /* make sure that shouldn't have failed... */
+
+	/*** 
+	   If the server is doing ClientAuth
+           and the wrong certificate in the
+	   client, then the handshake should fail (but it succeeded)
+	   ***/
+      
+#if 0
+      if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) {
+	if ((CLIENT_CERT_SPARK == REP_ClientCert) ||
+	    (SERVER_CERT_HARDCOREII_512       == REP_ClientCert) ||
+	    (NO_CERT                           == REP_ClientCert)
+	    ) 
+	  return Error(90);
+
+      }
+#endif
+      
+    }
+    
+    else {  /* PR_FAILURE:            Make sure the handshake shouldn't have succeeded */
+      
+      /* First, abort the peer, since it cannot continue */
+      r = Error(91);
+      if (0==r) return 0;  /* peer aborted first */
+      else {
+      /***
+	If the server is doing clientauth and
+	a valid certificate was presented, the handshake
+	should have succeeded (but it failed)
+	***/
+      
+	if (PR_TRUE == REP_ServerDoClientAuth) {
+	  if ((CLIENT_CERT_HARDCOREII_512         == REP_ClientCert) ||
+	      (CLIENT_CERT_HARDCOREII_1024        == REP_ClientCert) ||
+	      (CLIENT_CERT_VERISIGN               == REP_ClientCert) ||
+	      (SERVER_CERT_HARDCOREII_512         == REP_ClientCert)
+	      ) 
+	    return Error(91);
+	}
+      }
+    }
+  }
+}
+
+
+
+/* There is a independent State Machine for each of client and server.
+   They have the following states:
+
+   1. STATE_BEFORE_INITIAL_HANDSHAKE
+      In this state at the very start. No I/O has been done on the socket,
+      and no status has been collected. Once I/O has been done, we move on
+      to state 2.
+
+   2. STATE_BEFORE_REDO_HANDSHAKE
+      If we won't be doing a redohandshake, move immediately to state3.
+      Check security status to make sure selected cipher is correct.
+      If we are doing a redohandshake, adjust the security parameters for
+      the redo, and move to state 3.
+   3. STATE_STATUS_COLLECTED
+      When we move to this state, check security status.
+      Remain in this state until either reading or writing is complete
+   4. STATE_DONE_WRITING
+      Come here when writing is complete. When reading is complete move
+      to state 6.
+   5. STATE_DONE_READING
+      Come here when reading is complete. When writing is complete move
+      to state 6.
+   6. STATE_DONE
+      We're done. Check that the appropriate callbacks were called at the
+      appropriate times.
+      */
+    
+/* 
+ * State Machine
+ *
+ * errors(80-89)
+ */
+
+int NextState(struct ThreadData *td,
+	       int finishedReading,
+	       int finishedWriting) {
+  int r;
+
+
+
+  /* if we were in STATE_BEFORE_INITIAL_HANDSHAKE, and we came here, we must
+     have just completed a handshake, so we can get status and move on
+     to next state.  */
+
+  if (STATE_BEFORE_INITIAL_HANDSHAKE == td->state ) {
+    
+    td->state = STATE_BEFORE_REDO_HANDSHAKE;  /* first set next state */
+    
+    r = GetSecStatus(td);
+    if (PR_SUCCESS != r) {
+      return Error(80);
+    }
+    
+#if 0
+    r = VerifyStatus(td);   /* Call VerifyStatus to make sure that the connection is
+			       what was expected */
+    if (PR_SUCCESS != r) return r;
+#endif
+
+      
+  }
+  
+  if (STATE_BEFORE_REDO_HANDSHAKE == td->state) {
+    /* If we're not going to do a redohandshake, we can just skip over this state */
+    if (td->client) {
+      if (PR_FALSE  == REP_ClientRedoHandshake) td->state = STATE_STATUS_COLLECTED;
+    }
+    else {
+      if (PR_FALSE == REP_ServerRedoHandshake) td->state = STATE_STATUS_COLLECTED;
+    }
+    r = DoRedoHandshake(td);
+    if (PR_SUCCESS != r) return r;
+    td->state = STATE_STATUS_COLLECTED;
+  }
+		  
+
+  switch (td->state) {
+  case STATE_STATUS_COLLECTED:
+    if (finishedWriting) td->state = STATE_DONE_WRITING;
+    if (finishedReading) td->state = STATE_DONE_READING;
+    break;
+  case STATE_DONE_WRITING:
+    if (finishedReading) td->state = STATE_DONE;
+    break;
+  case STATE_DONE_READING:
+    if (finishedWriting) td->state = STATE_DONE;
+    break;
+  default:
+    return PR_SUCCESS;
+  }
+}
+
+
+/* CheckSSLEnabled:
+   If there was an I/O, and SSL was disabled, then check the error
+   code to make sure that the correct error was returned.
+   The parameter passed in is the returncode from PR_Read or PR_Write
+   */
+
+int CheckSSLEnabled(int j) {
+  if (PR_FALSE == REP_SSLVersion2 &&
+      PR_FALSE == REP_SSLVersion3) {
+    if (( -1 != j ) ||
+	(( -1 == j) && (PR_GetError() != SSL_ERROR_SSL_DISABLED))) {
+      return 52;
+    }
+    else return 99;
+  }
+  else return 0;
+}
+
+
+
+/* 
+ * Do I/O
+ *
+ * Errors 50-69
+ */
+ 
+int DoIO(struct ThreadData *td) {
+
+int i,j,r;
+
+  td->pd.fd        = td->s;
+  td->pd.in_flags  = PR_POLL_READ | PR_POLL_WRITE | PR_POLL_EXCEPT;
+  td->data_read    = 0;
+  td->data_sent    = 0;
+
+  td->data_tosend = REP_ServerIOSessionLength;
+  
+  td->state = STATE_BEFORE_INITIAL_HANDSHAKE;
+
+
+  while (PR_TRUE) {
+    dbmsg((PR_STDERR,"%s: DoIO loop\n",
+	       &svr==td ? "Server" : "Client"));
+
+    /* pd = polldescriptor, 1 = number of descriptors, 5 = timeout in seconds */
+    r = PR_Poll(&td->pd,1,PR_SecondsToInterval(5));
+
+    /* Check if peer has already signalled an error condition */ 
+
+    PR_EnterMonitor(rcmon);
+    if (0 != rc) {
+      /* got here? - means peer wants to stop. It has set the
+	 exit code */
+      PR_ExitMonitor(rcmon);
+      dbmsg((PR_STDERR,"%s: Peer has aborted (error code %d). We should too\n",
+	     &svr==td ? "Server" : "Client",rc));
+      
+      return 0;
+    }
+    else {
+      PR_ExitMonitor(rcmon);
+    }
+
+    if (0 == r) ;   /* timeout occurred */
+
+    if (td->pd.out_flags & PR_POLL_EXCEPT) return Error(50);
+
+    /*******   Process incoming data   *******/
+    
+    if (! (STATE_DONE == td->state || STATE_DONE_READING == td->state)) {
+      if (td->pd.out_flags & PR_POLL_READ) {
+
+	td->secerr = 0;
+	i = PR_Read(td->s, td->recvbuf, BUFSIZE);
+
+	if (i < 0) {
+	  td->secerr_flag = 1;
+	  td->secerr = PR_GetError();
+	}
+	else td->secerr_flag =0;
+
+	r = VerifyStatus(td);
+
+	switch (r) {
+	case SSLT_STATUS_CORRECT:
+	  break;
+	case SSLT_STATUS_CORRECT_ERRORCODE:
+	  return Error(99);
+	default:
+	  return Error(60+r);
+	}
+	
+	r = VerifyBuffer(td->recvbuf, i, td->data_read, td->xor_reading);
+	if (r) return r;
+	td->data_read += i;
+	
+	/* Invoke State Machine */
+
+	NextState(td, 0==i, 0);  /* if i is zero, signal 'finishedreading' */
+
+      }
+    }
+    
+    if (! (STATE_DONE == td->state || STATE_DONE_WRITING == td->state)) {
+      if (td->pd.out_flags & PR_POLL_WRITE) {
+	FillBuffer(td->sendbuf,BUFSIZE,td->data_sent,td->xor_writing);
+
+	i = td->data_tosend - td->data_sent;
+	if (i > BUFSIZE) i = BUFSIZE;  /* figure out how much
+					  data to send */
+	td->secerr = 0;
+	j = PR_Write(td->s, td->sendbuf, i);
+
+
+	if (j < 0) {
+	  td->secerr_flag = 1;
+	  td->secerr = PR_GetError();
+	}
+	else td->secerr_flag =0;
+
+	r = VerifyStatus(td);
+
+	switch (r) {
+	case SSLT_STATUS_CORRECT:
+	  break;
+	case SSLT_STATUS_CORRECT_ERRORCODE:
+	  return Error(99);
+	default:
+	  return Error(60+r);
+	}
+
+      }
+      if (j == -1) return Error(53);        /* Error on socket (Not an error
+				        if nonblocking IO enabled, and
+				        Error is Would Block */
+      
+      if (j != i) return Error(54);         /* We didn't write the
+                                        amount we should have */
+      
+      td->data_sent += j;
+      
+      if (td->data_sent == td->data_tosend) {
+	PR_Shutdown(td->s,PR_SHUTDOWN_SEND);
+      }
+      
+      /* next state of state machine */
+
+      NextState(td,
+		0,
+		td->data_sent == td->data_tosend  /* finishedwriting */
+		);      
+    }
+
+
+
+    if (STATE_DONE == td->state) break;
+
+  } /* while (1) */
+    
+    dbmsg((PR_STDERR,"%s: DoIO loop:returning 0\n",
+	       &svr==td ? "Server" : "Client"));
+
+    return 0;
+    
+}
+
+
+
+
+/* This is the start of the client thread code */
+/* Client Thread errors(100-200) */
+
+
+/* 
+ * CreateClientSocket()
+ * errors (120-129)
+ */
+
+
+int CreateClientSocket() {
+  /* Create client socket s */
+
+  cl.fd = PR_NewTCPSocket();
+  if (cl.fd == NULL) return Error(120);  
+
+  cl.s = SSL_ImportFD(NULL, cl.fd);
+  if (cl.s == NULL) return Error(121);
+
+  return 0;
+}  
+
+
+
+/* 
+ * SetClientSecParms
+ * errors(130-139)
+ */
+
+int SetClientSecParams()  {
+  int rv;
+  /* SSL Enables */
+  
+  rv = SSL_Enable(cl.s, SSL_SECURITY, 1);
+  if (rv < 0)  return Error(130);
+
+  rv = Version23Clear(cl.s);
+  if (rv) return rv;
+
+  if (REP_SSLVersion2) {
+    rv = Version2Enable(cl.s);
+    if (rv) return rv;
+  }
+  if (REP_SSLVersion3) {
+    rv = Version3Enable(cl.s);
+    if (rv) return rv;
+  }
+
+  SSL_SetPKCS11PinArg(cl.s,(void*)MyPWFunc);
+
+  if (REP_ClientCert == NO_CERT) {
+    return 0;
+  }
+  else {
+    cl.cert = PK11_FindCertFromNickname(client_nick,NULL);
+  }
+  if (cl.cert == NULL) return Error(131);
+  
+  return 0;
+}
+
+
+/*
+ * Client()
+ * errors (100-120)
+ */
+
+int Client() {
+  int r;
+
+  r = CreateClientSocket();
+  if (r) return r;
+
+  r = SetClientSecParams();
+  if (r) return r;
+
+  /* Set address to connect to: localhost */
+
+  r = PR_InitializeNetAddr(PR_IpAddrLoopback,0,&cl.na);
+  cl.na.inet.port = cl.peerport;
+  if (PR_FAILURE == r) return Error(101);
+
+  r = SSL_AuthCertificateHook(cl.s,AuthCertificate,&cl);
+  if (r) return Error(102);
+  r = SSL_HandshakeCallback(cl.s,HandshakeCallback,&cl);
+  if (r) return Error(103);
+
+  r = PR_Connect(cl.s, &cl.na, PR_SecondsToInterval(50));
+  if (PR_FAILURE == r) {
+    dbmsg((PR_STDERR, "Client: Seclib error: %s\n",SECU_ErrorString ((int16) PR_GetError())));
+    return Error(104);
+  }
+
+
+  if (PR_TRUE == REP_ClientForceHandshake) {
+    r = SSL_ForceHandshake(cl.s);
+    if (PR_FAILURE == r) {
+      dbmsg((PR_STDERR, "Client: Seclib error: %s\n",
+	     SECU_ErrorString ((int16) PR_GetError())));
+      return Error(105);
+    }
+  }
+
+  cl.client = PR_TRUE;
+  cl.xor_reading = 0;
+  cl.xor_writing = CLIENTXOR;
+  
+  r = DoIO(&cl);
+
+  dbmsg((PR_STDERR,"Client Thread done with IO. Returned %d\n",r));
+
+
+  if (PR_SUCCESS != r) return r;
+
+  r = PR_Close(cl.s);
+
+  dbmsg((PR_STDERR,"Client Socket closing. Returned %d\n",r));
+
+  return Error(r);
+  
+}
+
+
+
+ void ClientThread(void *arg) {
+   int r;
+
+   Error(Client());
+
+   dbmsg((PR_STDERR,"Client Thread returning %d\n",r));
+   
+   
+ }
+
+   
+
+
+
+
+ /* VerifyBuffer() */
+
+/* verify the data in the buffer. Returns 0 if valid  */
+/* recvbuf = start of data to verify
+ * bufsize = amount of data to verify
+ * done    = how to offset the reference data. How much 
+             data we have done in previous sessions
+ * xor     = xor character 
+
+ * errors 70-79
+
+ */
+ 
+ int VerifyBuffer(char *recvbuf,int bufsize,int done, char xor) {
+  int i,j,k;
+
+  while (bufsize) {
+    i = done % DATABUFSIZE;
+
+    k = DATABUFSIZE;
+    if (bufsize < k) {
+      k = bufsize;
+    }
+    for (j = i; j < k ; j++) {
+      if ((data[j] ^ xor) != (*recvbuf)) {
+	return 71;
+      }
+      
+      recvbuf++;
+    }
+    done += k-i;
+    bufsize -= (k - i);
+    if (bufsize < 0) return 73;
+  }
+  return (0);
+}
+
+
+/* fill the buffer.  */
+
+ void FillBuffer(char *sendbuf,int bufsize, int offset, char xor) {
+   int done=0,i,j;
+   
+   while (done < bufsize) {
+    i = offset % DATABUFSIZE;
+    for (j = i; j < DATABUFSIZE ; j++) {
+      *sendbuf = (data[j] ^ xor);
+      sendbuf++;
+    }
+    done += (DATABUFSIZE - i);
+    offset += (DATABUFSIZE - i);
+   }
+ }
+ 
+ 
+ 
+ 
+/******     CALLBACKS      *******/
+ 
+
+
+/* HandshakeCallback
+   This function gets called when a handshake has just completed.
+   (maybe gets called more than once for example if we RedoHandshake)
+   */
+
+ void HandshakeCallback(PRFileDesc *s, void *td)   {
+   int r;
+
+   /*   1. Get status of connection */
+
+   r = GetSecStatus(td);
+   if (PR_SUCCESS != r) {
+     /* Abort */
+   }
+   else {
+
+   /*   2. Verify status of connection */
+
+#if 0   
+  r =VerifyStatus(td); 
+     if (PR_SUCCESS != r) {
+       /* Abort */
+     }
+#endif
+   }
+
+ }
+ 
+
+
+/* This function gets called by the client thread's SSL code to verify
+   the server's certificate. We cannot use the default AuthCertificate
+   code because the certificates are used on multiple hosts, so
+   CERT_VerifyCertNow() would fail with an IP address mismatch error
+   */
+
+int
+AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
+{
+    SECStatus rv;
+    CERTCertDBHandle *handle;
+    /*    PRFileDesc *ss; */
+    SECCertUsage certUsage;
+    
+    /*     ss = ssl_FindSocket(fd);
+    PORT_Assert(ss != NULL); */
+
+    handle = (CERTCertDBHandle *)arg;
+
+    if ( isServer ) {
+	certUsage = certUsageSSLClient;
+    } else {
+	certUsage = certUsageSSLServer;
+    }
+    
+    /*     rv = CERT_VerifyCertNow(handle, ss->sec->peerCert, checkSig, certUsage, arg); */
+
+    return((int)PR_SUCCESS);
+}
+
+
+
+
+
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.h b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.h
new file mode 100755
index 000000000..e63c29171
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.h
@@ -0,0 +1,241 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef SSLT_H
+#define SSLT_H
+
+
+extern int Error(int);
+#ifndef DEBUG_stevep
+#define dbmsg(x) if (debug) PR_fprintf x ;
+#else
+#define dbmsg(x) ;
+#endif
+extern PRInt32 debug;
+
+#ifdef INSERT_TABLES
+int testId = 0;
+
+int ClientCert[] = {
+	NO_CERT,
+	CLIENT_CERT_HARDCOREII_1024
+};
+
+int ServerCert[] = {
+	SERVER_CERT_HARDCOREII_512
+};
+
+int Policy[] = {
+	POLICY_EXPORT,
+	POLICY_DOMESTIC
+};
+
+int SSLVersion2[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+int SSLVersion3[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+int ClientIOSessionLength[] = {
+	0,
+	1024
+};
+
+int ServerIOSessionLength[] = {
+	0,
+	1024
+};
+
+int ServerDoClientAuth[] = {
+	SSLT_CLIENTAUTH_OFF
+};
+
+PRBool ClientForceHandshake[] = {
+	PR_FALSE
+};
+
+PRBool ServerForceHandshake[] = {
+	PR_TRUE
+};
+
+PRBool ClientRedoHandshake[] = {
+	PR_FALSE
+};
+
+PRBool ServerRedoHandshake[] = {
+	PR_FALSE
+};
+
+PRBool Cipher_EN_RC4_128_WITH_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_EN_RC4_128_EXPORT40_WITH_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_EN_RC2_128_CBC_WITH_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_EN_DES_192_EDE3_CBC_WITH_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_RSA_EXPORT_WITH_RC4_40_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_RSA_WITH_RC4_128_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_RSA_WITH_DES_CBC_SHA[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+PRBool Cipher_RSA_WITH_3DES_EDE_CBC_SHA[] = {
+	PR_TRUE,
+	PR_FALSE
+};
+
+
+#else
+extern int ClientCert[];
+extern int ServerCert[];
+extern int Policy[];
+extern int SSLVersion2[];
+extern int SSLVersion3[];
+extern int ClientIOSessionLength[];
+extern int ServerIOSessionLength[];
+extern int ServerDoClientAuth[];
+extern PRBool ClientForceHandshake[];
+extern PRBool ServerForceHandshake[];
+extern PRBool ClientRedoHandshake[];
+extern PRBool ServerRedoHandshake[];
+extern PRBool Cipher_EN_RC4_128_WITH_MD5[];
+extern PRBool Cipher_EN_RC4_128_EXPORT40_WITH_MD5[];
+extern PRBool Cipher_EN_RC2_128_CBC_WITH_MD5[];
+extern PRBool Cipher_EN_DES_192_EDE3_CBC_WITH_MD5[];
+extern PRBool Cipher_RSA_EXPORT_WITH_RC4_40_MD5[];
+extern PRBool Cipher_RSA_WITH_RC4_128_MD5[];
+extern PRBool Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5[];
+extern PRBool Cipher_RSA_WITH_DES_CBC_SHA[];
+extern PRBool Cipher_RSA_WITH_3DES_EDE_CBC_SHA[];
+extern int testId;
+#endif
+
+
+#define REP_ClientCert            ClientCert[testId%2]
+#define REP_ServerCert            ServerCert[testId/2%1]
+#define REP_Policy                Policy[testId/2/1%2]
+#define REP_SSLVersion2           SSLVersion2[testId/2/1/2%2]
+#define REP_SSLVersion3           SSLVersion3[testId/2/1/2/2%2]
+#define REP_ClientIOSessionLength ClientIOSessionLength[testId/2/1/2/2/2%2]
+#define REP_ServerIOSessionLength ServerIOSessionLength[testId/2/1/2/2/2/2%2]
+#define REP_ServerDoClientAuth    ServerDoClientAuth[testId/2/1/2/2/2/2/2%1]
+#define REP_ClientForceHandshake  ClientForceHandshake[testId/2/1/2/2/2/2/2/1%1]
+#define REP_ServerForceHandshake  ServerForceHandshake[testId/2/1/2/2/2/2/2/1/1%1]
+#define REP_ClientRedoHandshake   ClientRedoHandshake[testId/2/1/2/2/2/2/2/1/1/1%1]
+#define REP_ServerRedoHandshake   ServerRedoHandshake[testId/2/1/2/2/2/2/2/1/1/1/1%1]
+
+
+#define REP_Cipher_EN_RC4_128_WITH_MD5                    Cipher_EN_RC4_128_WITH_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1%2]
+#define REP_Cipher_EN_RC4_128_EXPORT40_WITH_MD5           Cipher_EN_RC4_128_EXPORT40_WITH_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2%2]
+#define REP_Cipher_EN_RC2_128_CBC_WITH_MD5                Cipher_EN_RC2_128_CBC_WITH_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2%2]
+#ifdef undef
+#define REP_Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5       $[Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5]
+#define REP_Cipher_EN_IDEA_128_CBC_WITH_MD5               $[Cipher_EN_IDEA_128_CBC_WITH_MD5]
+#define REP_Cipher_EN_DES_64_CBC_WITH_MD5                 $[Cipher_EN_DES_64_CBC_WITH_MD5
+#define REP_Cipher_RSA_WITH_NULL_SHA                      $[Cipher_RSA_WITH_NULL_SHA]
+#define REP_Cipher_RSA_WITH_RC4_128_SHA                   $[Cipher_RSA_WITH_RC4_128_SHA]
+#define REP_Cipher_RSA_WITH_IDEA_CBC_SHA                  $[Cipher_RSA_WITH_IDEA_CBC_SHA]
+#define REP_Cipher_NULL_WITH_NULL_NULL                    $[Cipher_NULL_WITH_NULL_NULL]
+#define REP_Cipher_RSA_WITH_NULL_MD5                      $[Cipher_RSA_WITH_NULL_MD5]
+#endif
+#define REP_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5           Cipher_EN_DES_192_EDE3_CBC_WITH_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2%2]
+#define REP_Cipher_RSA_EXPORT_WITH_RC4_40_MD5             Cipher_RSA_EXPORT_WITH_RC4_40_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2/2%2]
+#define REP_Cipher_RSA_WITH_RC4_128_MD5                   Cipher_RSA_WITH_RC4_128_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2/2/2%2]
+#define REP_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5         Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2/2/2/2%2]
+#define REP_Cipher_RSA_WITH_DES_CBC_SHA                   Cipher_RSA_WITH_DES_CBC_SHA[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2/2/2/2/2%2]
+#define REP_Cipher_RSA_WITH_3DES_EDE_CBC_SHA              Cipher_RSA_WITH_3DES_EDE_CBC_SHA[testId/2/1/2/2/2/2/2/1/1/1/1/1/2/2/2/2/2/2/2/2%2]
+
+#ifdef undef
+#define REP_Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA          $[Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA]
+
+#define REP_Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA       [Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DH_DSS_WITH_DES_CBC_SHA                [Cipher_DH_DSS_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA           [Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA       [Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DH_RSA_WITH_DES_CBC_SHA                [Cipher_DH_RSA_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA           [Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA      [Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DHE_DSS_WITH_DES_CBC_SHA               [Cipher_DHE_DSS_WITH_DES_CBC_SHA]
+#define REP_Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA          [Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA      [Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DHE_RSA_WITH_DES_CBC_SHA               [Cipher_DHE_RSA_WITH_DES_CBC_SHA]
+#define REP_Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA          [Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5         [Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5]
+#define REP_Cipher_DH_ANON_WITH_RC4_128_MD5               [Cipher_DH_ANON_WITH_RC4_128_MD5]
+#define REP_Cipher_DH_ANON_WITH_DES_CBC_SHA               [Cipher_DH_ANON_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA          [Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA     $[Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA]
+#define REP_Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA          $[Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA]
+#endif
+#define REP_Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA         $[Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_RSA_FIPS_WITH_DES_CBC_SHA              $[Cipher_RSA_FIPS_WITH_DES_CBC_SHA]
+
+
+#endif
+
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.htp b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.htp
new file mode 100644
index 000000000..a7ff3d394
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.htp
@@ -0,0 +1,139 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef SSLT_H
+#define SSLT_H
+
+
+extern int Error(int);
+#ifndef DEBUG_stevep
+#define dbmsg(x) PR_fprintf x ;
+#else
+#define dbmsg(x) ;
+#endif
+
+#ifdef INSERT_TABLES
+$[DATA-TO-TEST]
+#else
+extern int ClientCert[];
+extern int ServerCert[];
+extern int Policy[];
+extern int SSLVersion2[];
+extern int SSLVersion3[];
+extern int ClientIOSessionLength[];
+extern int ServerIOSessionLength[];
+extern int ServerDoClientAuth[];
+extern PRBool ClientForceHandshake[];
+extern PRBool ServerForceHandshake[];
+extern PRBool ClientRedoHandshake[];
+extern PRBool ServerRedoHandshake[];
+extern PRBool Cipher_EN_RC4_128_WITH_MD5[];
+extern PRBool Cipher_EN_RC4_128_EXPORT40_WITH_MD5[];
+extern PRBool Cipher_EN_RC2_128_CBC_WITH_MD5[];
+extern PRBool Cipher_EN_DES_192_EDE3_CBC_WITH_MD5[];
+extern PRBool Cipher_RSA_EXPORT_WITH_RC4_40_MD5[];
+extern PRBool Cipher_RSA_WITH_RC4_128_MD5[];
+extern PRBool Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5[];
+extern PRBool Cipher_RSA_WITH_DES_CBC_SHA[];
+extern PRBool Cipher_RSA_WITH_3DES_EDE_CBC_SHA[];
+extern int testId;
+#endif
+
+
+#define REP_ClientCert            $[ClientCert]
+#define REP_ServerCert            $[ServerCert]
+#define REP_Policy                $[Policy]
+#define REP_SSLVersion2           $[SSLVersion2]
+#define REP_SSLVersion3           $[SSLVersion3]
+#define REP_ClientIOSessionLength $[ClientIOSessionLength]
+#define REP_ServerIOSessionLength $[ServerIOSessionLength]
+#define REP_ServerDoClientAuth    $[ServerDoClientAuth]
+#define REP_ClientForceHandshake  $[ClientForceHandshake]
+#define REP_ServerForceHandshake  $[ServerForceHandshake]
+#define REP_ClientRedoHandshake   $[ClientRedoHandshake]
+#define REP_ServerRedoHandshake   $[ServerRedoHandshake]
+
+
+#define REP_Cipher_EN_RC4_128_WITH_MD5                    $[Cipher_EN_RC4_128_WITH_MD5]
+#define REP_Cipher_EN_RC4_128_EXPORT40_WITH_MD5           $[Cipher_EN_RC4_128_EXPORT40_WITH_MD5]
+#define REP_Cipher_EN_RC2_128_CBC_WITH_MD5                $[Cipher_EN_RC2_128_CBC_WITH_MD5]
+#ifdef undef
+#define REP_Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5       $[Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5]
+#define REP_Cipher_EN_IDEA_128_CBC_WITH_MD5               $[Cipher_EN_IDEA_128_CBC_WITH_MD5]
+#define REP_Cipher_EN_DES_64_CBC_WITH_MD5                 $[Cipher_EN_DES_64_CBC_WITH_MD5
+#define REP_Cipher_RSA_WITH_NULL_SHA                      $[Cipher_RSA_WITH_NULL_SHA]
+#define REP_Cipher_RSA_WITH_RC4_128_SHA                   $[Cipher_RSA_WITH_RC4_128_SHA]
+#define REP_Cipher_RSA_WITH_IDEA_CBC_SHA                  $[Cipher_RSA_WITH_IDEA_CBC_SHA]
+#define REP_Cipher_NULL_WITH_NULL_NULL                    $[Cipher_NULL_WITH_NULL_NULL]
+#define REP_Cipher_RSA_WITH_NULL_MD5                      $[Cipher_RSA_WITH_NULL_MD5]
+#endif
+#define REP_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5           $[Cipher_EN_DES_192_EDE3_CBC_WITH_MD5]
+#define REP_Cipher_RSA_EXPORT_WITH_RC4_40_MD5             $[Cipher_RSA_EXPORT_WITH_RC4_40_MD5]
+#define REP_Cipher_RSA_WITH_RC4_128_MD5                   $[Cipher_RSA_WITH_RC4_128_MD5]
+#define REP_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5         $[Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5]
+#define REP_Cipher_RSA_WITH_DES_CBC_SHA                   $[Cipher_RSA_WITH_DES_CBC_SHA]
+#define REP_Cipher_RSA_WITH_3DES_EDE_CBC_SHA              $[Cipher_RSA_WITH_3DES_EDE_CBC_SHA]
+
+#ifdef undef
+#define REP_Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA          $[Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA]
+
+#define REP_Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA       [Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DH_DSS_WITH_DES_CBC_SHA                [Cipher_DH_DSS_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA           [Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA       [Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DH_RSA_WITH_DES_CBC_SHA                [Cipher_DH_RSA_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA           [Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA      [Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DHE_DSS_WITH_DES_CBC_SHA               [Cipher_DHE_DSS_WITH_DES_CBC_SHA]
+#define REP_Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA          [Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA      [Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#define REP_Cipher_DHE_RSA_WITH_DES_CBC_SHA               [Cipher_DHE_RSA_WITH_DES_CBC_SHA]
+#define REP_Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA          [Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5         [Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5]
+#define REP_Cipher_DH_ANON_WITH_RC4_128_MD5               [Cipher_DH_ANON_WITH_RC4_128_MD5]
+#define REP_Cipher_DH_ANON_WITH_DES_CBC_SHA               [Cipher_DH_ANON_WITH_DES_CBC_SHA]
+#define REP_Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA          [Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA     $[Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA]
+#define REP_Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA          $[Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA]
+#endif
+#define REP_Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA         $[Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA]
+#define REP_Cipher_RSA_FIPS_WITH_DES_CBC_SHA              $[Cipher_RSA_FIPS_WITH_DES_CBC_SHA]
+
+
+#endif
+
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.rep b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.rep
new file mode 100644
index 000000000..1a228a080
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.rep
@@ -0,0 +1,421 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+[General]
+cTemplate       =   sslt.htp
+makeTemplate    =   ssl.mtp
+path            =   .
+testPrefix	=   sslt
+testSuffix	=   .h
+regressSpecfile =   ssl.reg
+regressOutput   =   ssl.html
+mut             =   SSL
+mutversion      =   1.0
+timeout         =   6
+makefileOutput  =   Makefile
+reporterOutput  =   ssl.rpt
+singleSource    =   TRUE
+
+
+
+# The names given for the Client and Server Certificates are
+# nicknames from the database
+
+[ClientCert]
+IMPORTANCE = HIGH
+TYPE = int
+ClientCert_none   = NO_CERT
+ClientCert_one    = CLIENT_CERT_HARDCOREII_1024
+#ClientCert_oneb   = CLIENT_CERT_HARDCOREII_512
+#ClientCert_two    = CLIENT_CERT_SPARK
+#ClientCert_three  = SERVER_CERT_HARDCOREII_1024
+#ClientCert_four   = CLIENT_CERT_VERISIGN
+
+[ServerCert]
+IMPORTANCE = HIGH
+TYPE = int
+#ServerCert_none   = NO_CERT
+ServerCert_one    = SERVER_CERT_HARDCOREII_512
+#ServerCert_two    = CLIENT_CERT_HARDCOREII_512
+#ServerCert_three  = SERVER_CERT_SPARK
+#ServerCert_four   = SERVER_CERT_VERISIGN_REGULAR
+#ServerCert_five   = SERVER_CERT_VERISIGN_STEPUP
+
+
+#####  POLICY  ####
+#
+# (right now, policy can only be set globally. When bug #102853 is
+#  fixed, I'll be able to bring ClientPolicy and ServerPolicy back)
+#
+
+[Policy]
+IMPORTANCE = HIGH
+TYPE = int
+ExportPolicy   = POLICY_EXPORT
+DomesticPolicy = POLICY_DOMESTIC
+
+#[ClientPolicy]
+#IMPORTANCE = HIGH
+#TYPE = int
+#ExportPolicy   = POLICY_EXPORT
+#DomesticPolicy = POLICY_DOMESTIC
+
+#[ServerPolicy]
+#IMPORTANCE = HIGH
+#TYPE = int
+#ServerExportPolicy   = POLICY_EXPORT
+#ServerDomesticPolicy = POLICY_DOMESTIC
+
+# Which SSL version to enable. Like the policy, this is a global
+# setting, affecting both client and server sockets
+
+[SSLVersion2]
+IMPORTANCE = HIGH
+TYPE = int
+SSLVersion2    = PR_TRUE
+NO_SSLVersion2 = PR_FALSE
+
+[SSLVersion3]
+IMPORTANCE = HIGH
+TYPE = int
+SSLVersion3     = PR_TRUE
+NO_SSLVersion3  = PR_FALSE
+
+#[ClientIOModel]
+#IMPORTANCE = LOW
+#TYPE = int
+#ClientIOBlocking = 0
+#ClientIONonBlocking = 1
+
+#[ServerIOModel]
+#IMPORTANCE = LOW
+#TYPE = int
+#ServerIOBlocking = BLOCKING
+#ServerIONonBlocking = NON_BLOCKING
+
+[ClientIOSessionLength]
+IMPORTANCE = LOW
+TYPE = int
+ClientIOLength0 = 0
+ClientIOLength1K = 1024
+#ClientIOLength256K = 262144
+#ClientIOLength5M = 5242880
+
+[ServerIOSessionLength]
+IMPORTANCE = LOW
+TYPE = int
+ServerIOLength0 = 0
+ServerIOLength1K = 1024
+#ServerIOLength256K = 262144
+#ServerIOLength5M = 5242880
+
+[ServerDoClientAuth]
+IMPORTANCE = LOW
+TYPE = int
+#ClientAuthOnInitial = SSLT_CLIENTAUTH_INITIAL
+#ClientAuthOnRedo    = SSLT_CLIENTAUTH_REDO
+ClientAuthOff       = SSLT_CLIENTAUTH_OFF
+
+[ClientForceHandshake]
+IMPORTANCE = LOW
+TYPE = PRBool
+#ClientForceHandshake = PR_TRUE
+ClientNoForceHandshake = PR_FALSE
+
+[ServerForceHandshake]
+IMPORTANCE = LOW
+TYPE = PRBool
+ServerForceHandshake = PR_TRUE
+#ServerNoForceHandshake = PR_FALSE
+
+[ClientRedoHandshake]
+IMPORTANCE = LOW
+TYPE = PRBool
+#ClientRedoHandshake = PR_TRUE
+ClientNoRedoHandshake = PR_FALSE
+
+[ServerRedoHandshake]
+IMPORTANCE = LOW
+TYPE = PRBool
+#ServerRedoHandshake = PR_TRUE
+ServerNoRedoHandshake = PR_FALSE
+
+
+
+###########################################################################
+#
+#              C i p h e r     S p e c s
+#
+###########################################################################
+
+
+[Cipher_EN_RC4_128_WITH_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_EN_RC4_128_WITH_MD5 = PR_TRUE
+No_Cipher_EN_RC4_128_WITH_MD5 = PR_FALSE
+
+[Cipher_EN_RC4_128_EXPORT40_WITH_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_EN_RC4_128_EXPORT40_WITH_MD5 = PR_TRUE
+No_Cipher_EN_RC4_128_EXPORT40_WITH_MD5 = PR_FALSE
+
+[Cipher_EN_RC2_128_CBC_WITH_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_EN_RC2_128_CBC_WITH_MD5 = PR_TRUE
+No_Cipher_EN_RC2_128_CBC_WITH_MD5 = PR_FALSE
+
+#[Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5 = PR_TRUE
+#No_Cipher_EN_RC2_128_CBC_EXPORT40_WITH_MD5 = PR_FALSE
+
+#[Cipher_EN_IDEA_128_CBC_WITH_MD5]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_EN_IDEA_128_CBC_WITH_MD5 = PR_TRUE
+#No_Cipher_EN_IDEA_128_CBC_WITH_MD5 = PR_FALSE
+
+#[Cipher_EN_DES_64_CBC_WITH_MD5]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_EN_DES_64_CBC_WITH_MD5 = PR_TRUE
+#No_Cipher_EN_DES_64_CBC_WITH_MD5 = PR_FALSE
+
+[Cipher_EN_DES_192_EDE3_CBC_WITH_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 = PR_TRUE
+No_Cipher_EN_DES_192_EDE3_CBC_WITH_MD5 = PR_FALSE
+
+# SSL v3 Cipher Suites
+#[Cipher_NULL_WITH_NULL_NULL]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_NULL_WITH_NULL_NULL = PR_TRUE
+#No_Cipher_NULL_WITH_NULL_NULL = PR_FALSE
+
+#[Cipher_RSA_WITH_NULL_MD5]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_WITH_NULL_MD5 = PR_TRUE
+#No_Cipher_RSA_WITH_NULL_MD5 = PR_FALSE
+
+#[Cipher_RSA_WITH_NULL_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_WITH_NULL_SHA = PR_TRUE
+#No_Cipher_RSA_WITH_NULL_SHA = PR_FALSE
+
+[Cipher_RSA_EXPORT_WITH_RC4_40_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_RSA_EXPORT_WITH_RC4_40_MD5 = PR_TRUE
+No_Cipher_RSA_EXPORT_WITH_RC4_40_MD5 = PR_FALSE
+
+[Cipher_RSA_WITH_RC4_128_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_RSA_WITH_RC4_128_MD5 = PR_TRUE
+No_Cipher_RSA_WITH_RC4_128_MD5 = PR_FALSE
+
+#[Cipher_RSA_WITH_RC4_128_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_WITH_RC4_128_SHA = PR_TRUE
+#No_Cipher_RSA_WITH_RC4_128_SHA = PR_FALSE
+
+[Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = PR_TRUE
+No_Cipher_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = PR_FALSE
+
+#[Cipher_RSA_WITH_IDEA_CBC_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_WITH_IDEA_CBC_SHA = PR_TRUE
+#No_Cipher_RSA_WITH_IDEA_CBC_SHA = PR_FALSE
+
+#[Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_TRUE
+#No_Cipher_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_FALSE
+
+[Cipher_RSA_WITH_DES_CBC_SHA]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_RSA_WITH_DES_CBC_SHA = PR_TRUE
+No_Cipher_RSA_WITH_DES_CBC_SHA = PR_FALSE
+
+[Cipher_RSA_WITH_3DES_EDE_CBC_SHA]
+IMPORTANCE = HIGH
+TYPE = PRBool
+Cipher_RSA_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+No_Cipher_RSA_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+                                                       
+#[Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = PR_TRUE
+#No_Cipher_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_DSS_WITH_DES_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_DSS_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_DH_DSS_WITH_DES_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_DH_DSS_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_TRUE
+#No_Cipher_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_RSA_WITH_DES_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_RSA_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_DH_RSA_WITH_DES_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_DH_RSA_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+                                                       
+#[Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = PR_FALSE
+
+#[Cipher_DHE_DSS_WITH_DES_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_DSS_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_DSS_WITH_DES_CBC_SHA = PR_FALSE
+
+#[Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_DSS_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+#[Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = PR_FALSE
+
+#[Cipher_DHE_RSA_WITH_DES_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_RSA_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_RSA_WITH_DES_CBC_SHA = PR_FALSE
+
+#[Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_DHE_RSA_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+                                                       
+#[Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5 = PR_TRUE
+#No_Cipher_DH_ANON_EXPORT_WITH_RC4_40_MD5 = PR_FALSE
+
+#[Cipher_DH_ANON_WITH_RC4_128_MD5]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_ANON_WITH_RC4_128_MD5 = PR_TRUE
+#No_Cipher_DH_ANON_WITH_RC4_128_MD5 = PR_FALSE
+
+###define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA   0x0019
+
+#[Cipher_DH_ANON_WITH_DES_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_ANON_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_DH_ANON_WITH_DES_CBC_SHA = PR_FALSE
+
+#[Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = LOW
+#TYPE = PRBool
+#Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_DH_ANON_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+#[Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = PR_TRUE
+#No_Cipher_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = PR_FALSE
+
+#[Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA = PR_TRUE
+#No_Cipher_FORTEZZA_DMS_WITH_RC4_128_SHA = PR_FALSE
+
+ 
+#[Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = PR_TRUE
+#No_Cipher_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = PR_FALSE
+
+#[Cipher_RSA_FIPS_WITH_DES_CBC_SHA]
+#IMPORTANCE = HIGH
+#TYPE = PRBool
+#Cipher_RSA_FIPS_WITH_DES_CBC_SHA = PR_TRUE
+#No_Cipher_RSA_FIPS_WITH_DES_CBC_SHA = PR_FALSE
+
+
+
diff --git a/security/nss/tests/pkcs11/netscape/trivial/.cvsignore b/security/nss/tests/pkcs11/netscape/trivial/.cvsignore
new file mode 100644
index 000000000..e3884c884
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/.cvsignore
@@ -0,0 +1,6 @@
+Makefile
+config.cache
+config.h
+config.log
+config.status
+trivial*.tar.gz
diff --git a/security/nss/tests/pkcs11/netscape/trivial/Makefile.in b/security/nss/tests/pkcs11/netscape/trivial/Makefile.in
new file mode 100644
index 000000000..fc3a99808
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/Makefile.in
@@ -0,0 +1,180 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is a trivial PKCS#11 test program.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corp.
+# Portions created by the Initial Developer are Copyright (C) 2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+MAKEFILE_IN_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+SHELL = /bin/sh
+.SUFFIXES:
+.SUFFIXES: .c .o .h .in .a .so
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+includedir = @includedir@
+bindir = @bindir@
+@SET_MAKE@
+INSTALL = @INSTALL@
+RANLIB = @RANLIB@
+AR = @AR@
+CC = @CC@
+LD = @LD@
+RM = @RM@
+TAR = @TAR@
+
+CPPFLAGS = @CPPFLAGS@
+CFLAGS = @CFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+
+INSTALL_PROGRAM = $(INSTALL) -m 0500
+
+all:: program
+
+# Standard Netscape/Mozilla targets:
+# import import_xp export private_export libs program install all clobber 
+# clobber_all release release_xp alltags
+
+# Standard GNU targets:
+# all install uninstall install-strip clean distclean mostlyclean 
+# maintainer-clean TAGS info dvi dist check installcheck installdirs
+
+# === The actual targets and the real commands that make them ===
+program:: trivial
+
+trivial: trivial.c config.h Makefile
+	$(CC) -I. -I${srcdir} $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LDFLAGS) $(LIBS)
+
+# Now, various standard targets, some that do stuff, some that are no-ops
+
+import::
+
+export:: install
+
+private_export::
+
+program::
+
+clobber:: clean
+
+clobber_all:: maintainer-clean
+
+alltags:: TAGS
+
+RESULTS =						\
+    $(DESTDIR)$(bindir)/trivial	\
+    $(NULL)
+
+install:: $(RESULTS)
+
+$(DESTDIR)$(bindir)/trivial: trivial
+	$(INSTALL_PROGRAM) trivial $(DESTDIR)$(bindir)/trivial
+
+# "rm -f" with no arguments bites on some platforms.
+# There should be an autoconf check and maybe a more 
+# general $(FORCEDREMOVE) command
+
+uninstall::
+	$(RM) -f $(RESULTS)
+
+install-strip::
+	$(MAKE) INSTALL_PROGRAM='$(INSTALL_PROGRAM) -s ' install
+
+clean::
+	$(RM) -f *~ core trivial.o trivial
+
+distclean:: clean
+	$(RM) -f Makefile config.cache config.h config.log config.status stamp-h stamp-h.in
+
+mostlyclean:: clean
+
+maintainer-clean:: distclean
+	$(RM) -f TAGS trivial*.tar.gz
+
+TAGS::
+
+DISTFILES =		 \
+    .cvsignore	 \
+    README.txt	 \
+    Makefile.in	 \
+	acconfig.h	 \
+	config.h.in	 \
+	configure	 \
+	configure.in \
+	install-sh	 \
+	trivial.c	 \
+	$(NULL)
+
+dist:: trivial.tar.gz
+
+# There must be an easier and more portable way of doing this..
+trivial.tar.gz: $(DISTFILES)
+	echo $(DISTFILES) | tr ' ' '\n' | sed "s^.*^`( cd ${srcdir}; pwd ) | xargs basename`/&^" | xargs tar czf $@ -C ${srcdir}/..
+
+# other "standard" but irrelevant targets
+info::
+
+dvi::
+
+check::
+
+installcheck::
+
+installdirs::
+
+# Include dependancies
+
+
+# autoheader might not change config.h.in, so touch a stamp file
+${srcdir}/config.h.in: stamp-h.in
+${srcdir}/stamp-h.in: configure.in acconfig.h
+	cd ${srcdir} && autoheader
+	echo timestamp > ${srcdir}/stamp-h.in
+
+# Remake the configuration
+${srcdir}/configure: configure.in
+	cd ${srcdir} && autoconf
+
+config.h: stamp-h
+stamp-h: config.h.in config.status
+	./config.status
+
+Makefile: Makefile.in config.status
+	./config.status
+
+config.status: configure
+	./config.status --recheck
diff --git a/security/nss/tests/pkcs11/netscape/trivial/README.txt b/security/nss/tests/pkcs11/netscape/trivial/README.txt
new file mode 100644
index 000000000..5c18a5089
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/README.txt
@@ -0,0 +1,56 @@
+This is a very trivial program that loads and excercises a PKCS#11
+module, trying basic operations.  I used it as a basic check that
+my data-only modules for NSS worked, and I'm including it here as
+a first sample test program.
+
+
+This program uses GNU autoconf: run ./configure --help for info.
+In addition to the standard options, the configure script accepts
+the following:
+
+  --with-nspr[=path]      specify location of NSPR
+  --with-nss-dist[=path]  specify path to NSS dist directory
+  --with-nss-hdrs[=path]  or, specify path to installed NSS headers
+  --with-rsa-hdrs[=path]  if not using NSS, specify path to RSA headers
+  --disable-debug         default is enabled
+
+This program uses NSPR; you may specify the path to your NSPR 
+installation by using the "--with-nspr" option.  The specified
+directory should be the one containing "include" and "lib."
+If this option is not given, the default is the usual prefix
+directories; see ./configure --help for more info.
+
+This program requires either the pkcs11*.h files from RSA, or
+the NSS equivalents.  To specify their location, you must
+specify one of --with-nss-dist, --with-nss-hdrs, or --with-rsa-hdrs.
+
+If you have an NSS build tree, specify --with-nss-dist and provide
+the path to the mozilla/dist/*.OBJ directory.  (If you got this
+package by checking it out from mozilla, it should be about six
+directories up, once you've built NSS.)
+
+Alternatively, if you have an NSS installation (including "private"
+files, e.g. "ck.h") you may point directly to the directory containing
+the headers with --with-nss-hdrs.
+
+If you would rather use the RSA-provided header files, or your own
+versions of them, specify their location with --with-rsa-hdrs.
+
+The flag --disable-debug doesn't really do much here other than
+exclude the CVS_ID info from the binary.
+
+
+To run the program, specify the name of the .so (or your platform's
+equivalent) containing the module to be tested, e.g.: 
+
+  ./trivial ../../../../../../dist/*.OBJ/lib/libnssckbi.so
+
+
+If you're using NSS, and using our experimental "installer's
+arguments" fields in CK_C_INITIALIZE_ARGS, you can specify an
+"installer argument" with the -i flag:
+
+  ./trivial -i ~/.netscape/certs.db [...]/libnssckdb.so
+
+
+Share and enjoy.
diff --git a/security/nss/tests/pkcs11/netscape/trivial/acconfig.h b/security/nss/tests/pkcs11/netscape/trivial/acconfig.h
new file mode 100644
index 000000000..a92ee7533
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/acconfig.h
@@ -0,0 +1,39 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is a trivial PKCS#11 test program.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Define to use NSS header files instead of the regular RSA ones */
+#undef WITH_NSS
+
diff --git a/security/nss/tests/pkcs11/netscape/trivial/config.h.in b/security/nss/tests/pkcs11/netscape/trivial/config.h.in
new file mode 100644
index 000000000..bf5d5f3b5
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/config.h.in
@@ -0,0 +1,28 @@
+/* config.h.in.  Generated automatically from configure.in by autoheader.  */
+
+/* Define to empty if the keyword does not work.  */
+#undef const
+
+/* Define to use NSS header files instead of the regular RSA ones */
+#undef WITH_NSS
+
+/* Define if you have the memset function.  */
+#undef HAVE_MEMSET
+
+/* Define if you have the strlen function.  */
+#undef HAVE_STRLEN
+
+/* Define if you have the <ck.h> header file.  */
+#undef HAVE_CK_H
+
+/* Define if you have the <nspr.h> header file.  */
+#undef HAVE_NSPR_H
+
+/* Define if you have the <pkcs11.h> header file.  */
+#undef HAVE_PKCS11_H
+
+/* Define if you have the <pkcs11t.h> header file.  */
+#undef HAVE_PKCS11T_H
+
+/* Define if you have the nspr4 library (-lnspr4).  */
+#undef HAVE_LIBNSPR4
diff --git a/security/nss/tests/pkcs11/netscape/trivial/configure b/security/nss/tests/pkcs11/netscape/trivial/configure
new file mode 100755
index 000000000..d9571ccdd
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/configure
@@ -0,0 +1,1906 @@
+#! /bin/sh
+
+# Guess values for system-dependent variables and create Makefiles.
+# Generated automatically using autoconf version 2.13 
+# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+
+# Defaults:
+ac_help=
+ac_default_prefix=/usr/local
+# Any additions from configure.in:
+ac_help="$ac_help
+  --with-nspr[=path]      specify location of NSPR"
+ac_help="$ac_help
+  --with-nss-dist[=path]  specify path to NSS dist directory"
+ac_help="$ac_help
+  --with-nss-hdrs[=path]  or, specify path to installed NSS headers"
+ac_help="$ac_help
+  --with-rsa-hdrs[=path]  if not using NSS, specify path to RSA headers"
+ac_help="$ac_help
+  --disable-debug         default is enabled"
+
+# Initialize some variables set by options.
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+build=NONE
+cache_file=./config.cache
+exec_prefix=NONE
+host=NONE
+no_create=
+nonopt=NONE
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+target=NONE
+verbose=
+x_includes=NONE
+x_libraries=NONE
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+# Initialize some other variables.
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+# Maximum number of lines to put in a shell here document.
+ac_max_here_lines=12
+
+ac_prev=
+for ac_option
+do
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval "$ac_prev=\$ac_option"
+    ac_prev=
+    continue
+  fi
+
+  case "$ac_option" in
+  -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) ac_optarg= ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case "$ac_option" in
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir="$ac_optarg" ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build="$ac_optarg" ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file="$ac_optarg" ;;
+
+  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+  | --da=*)
+    datadir="$ac_optarg" ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    eval "enable_${ac_feature}=no" ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "enable_${ac_feature}='$ac_optarg'" ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix="$ac_optarg" ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he)
+    # Omit some internal or obsolete options to make the list less imposing.
+    # This message is too long to be a string in the A/UX 3.1 sh.
+    cat << EOF
+Usage: configure [options] [host]
+Options: [defaults in brackets after descriptions]
+Configuration:
+  --cache-file=FILE       cache test results in FILE
+  --help                  print this message
+  --no-create             do not create output files
+  --quiet, --silent       do not print \`checking...' messages
+  --version               print the version of autoconf that created configure
+Directory and file names:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [same as prefix]
+  --bindir=DIR            user executables in DIR [EPREFIX/bin]
+  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
+  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
+  --datadir=DIR           read-only architecture-independent data in DIR
+                          [PREFIX/share]
+  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
+                          [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
+  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
+  --includedir=DIR        C header files in DIR [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
+  --infodir=DIR           info documentation in DIR [PREFIX/info]
+  --mandir=DIR            man documentation in DIR [PREFIX/man]
+  --srcdir=DIR            find the sources in DIR [configure dir or ..]
+  --program-prefix=PREFIX prepend PREFIX to installed program names
+  --program-suffix=SUFFIX append SUFFIX to installed program names
+  --program-transform-name=PROGRAM
+                          run sed PROGRAM on installed program names
+EOF
+    cat << EOF
+Host type:
+  --build=BUILD           configure for building on BUILD [BUILD=HOST]
+  --host=HOST             configure for HOST [guessed]
+  --target=TARGET         configure for TARGET [TARGET=HOST]
+Features and packages:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --x-includes=DIR        X include files are in DIR
+  --x-libraries=DIR       X library files are in DIR
+EOF
+    if test -n "$ac_help"; then
+      echo "--enable and --with options recognized:$ac_help"
+    fi
+    exit 0 ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host="$ac_optarg" ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir="$ac_optarg" ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir="$ac_optarg" ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir="$ac_optarg" ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir="$ac_optarg" ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst \
+  | --locals | --local | --loca | --loc | --lo)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+    localstatedir="$ac_optarg" ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir="$ac_optarg" ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir="$ac_optarg" ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix="$ac_optarg" ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix="$ac_optarg" ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix="$ac_optarg" ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name="$ac_optarg" ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir="$ac_optarg" ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir="$ac_optarg" ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site="$ac_optarg" ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir="$ac_optarg" ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir="$ac_optarg" ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target="$ac_optarg" ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers)
+    echo "configure generated by autoconf version 2.13"
+    exit 0 ;;
+
+  -with-* | --with-*)
+    ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "with_${ac_package}='$ac_optarg'" ;;
+
+  -without-* | --without-*)
+    ac_package=`echo $ac_option|sed -e 's/-*without-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    eval "with_${ac_package}=no" ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes="$ac_optarg" ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries="$ac_optarg" ;;
+
+  -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
+    ;;
+
+  *)
+    if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
+      echo "configure: warning: $ac_option: invalid host type" 1>&2
+    fi
+    if test "x$nonopt" != xNONE; then
+      { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
+    fi
+    nonopt="$ac_option"
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
+fi
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>./config.log
+
+echo "\
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+" 1>&5
+
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell metacharacters.
+ac_configure_args=
+for ac_arg
+do
+  case "$ac_arg" in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+  *) ac_configure_args="$ac_configure_args $ac_arg" ;;
+  esac
+done
+
+# NLS nuisances.
+# Only set these to C if already set.  These must not be set unconditionally
+# because not all systems understand e.g. LANG=C (notably SCO).
+# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
+# Non-C LC_CTYPE values break the ctype check.
+if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
+if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
+if test "${LC_CTYPE+set}"    = set; then LC_CTYPE=C;    export LC_CTYPE;    fi
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo > confdefs.h
+
+# A filename unique to this package, relative to the directory that
+# configure is in, which we can look for to find out if srcdir is correct.
+ac_unique_file=trivial.c
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then its parent.
+  ac_prog=$0
+  ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
+  srcdir=$ac_confdir
+  if test ! -r $srcdir/$ac_unique_file; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+  if test "$ac_srcdir_defaulted" = yes; then
+    { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
+  else
+    { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
+  fi
+fi
+srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
+
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+  if test "x$prefix" != xNONE; then
+    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+  else
+    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+  fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+  if test -r "$ac_site_file"; then
+    echo "loading site script $ac_site_file"
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  echo "loading cache $cache_file"
+  . $cache_file
+else
+  echo "creating cache $cache_file"
+  > $cache_file
+fi
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+ac_exeext=
+ac_objext=o
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+
+
+echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
+echo "configure:537: checking whether ${MAKE-make} sets \${MAKE}" >&5
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftestmake <<\EOF
+all:
+	@echo 'ac_maketemp="${MAKE}"'
+EOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+  eval ac_cv_prog_make_${ac_make}_set=yes
+else
+  eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftestmake
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  SET_MAKE=
+else
+  echo "$ac_t""no" 1>&6
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+
+# Check whether --with-nspr or --without-nspr was given.
+if test "${with_nspr+set}" = set; then
+  withval="$with_nspr"
+   case "$withval" in
+  no)
+    { echo "configure: error: NSPR is required" 1>&2; exit 1; };;
+  yes)
+    NSPR_INCLUDE="$includedir"
+    NSPR_LIBPATH="$libdir"
+    ;;
+  *)
+    NSPR_INCLUDE="$withval/include"
+    NSPR_LIBPATH="$withval/lib"
+    ;;
+  esac 
+else
+   NSPR_INCLUDE="$includedir"
+  NSPR_LIBPATH="$libdir" 
+
+fi
+
+
+NSPR_CFLAGS="-I$NSPR_INCLUDE"
+NSPR_LDFLAGS="-L$NSPR_LIBPATH -lnspr4 -lplc4 -lplds4"
+
+
+# Check whether --with-nss-dist or --without-nss-dist was given.
+if test "${with_nss_dist+set}" = set; then
+  withval="$with_nss_dist"
+   case "$withval" in
+  no)
+    NSS_CFLAGS=""
+    nss="0"
+    ;;
+  yes)
+    { echo "configure: error: You have to specify a path for --with-nss-dist" 1>&2; exit 1; }
+    ;;
+  *)
+    NSS_CFLAGS="-I$withval/private/security -I$withval/public/security"
+    nss="1"
+    ;;
+  esac 
+fi
+
+
+# Check whether --with-nss-hdrs or --without-nss-hdrs was given.
+if test "${with_nss_hdrs+set}" = set; then
+  withval="$with_nss_hdrs"
+   if test "x$nss" != "x"; then
+    { echo "configure: error: Only specify --with-nss-hdrs or --with-nss-dist" 1>&2; exit 1; }
+  fi
+  case "$withval" in
+  no)
+    NSS_CFLAGS=""
+    nss="0"
+    ;;
+  yes)
+    NSS_CFLAGS="-I$includedir"
+    nss="1"
+    ;;
+  *)
+    NSS_CFLAGS="-I$withval"
+    nss="1"
+    ;;
+  esac 
+fi
+
+
+# Check whether --with-rsa-hdrs or --without-rsa-hdrs was given.
+if test "${with_rsa_hdrs+set}" = set; then
+  withval="$with_rsa_hdrs"
+   if test "x$nss" != "x"; then
+    { echo "configure: error: Only specify --with-nss-{hdrs" 1>&2; exit 1; }
+  fi
+  case "$withval" in
+  no)
+    rsa="0"
+    ;;
+  yes)
+    RSA_INCLUDE="$includedir"
+    rsa="1"
+    ;;
+  *)
+    RSA_INCLUDE="$withval"
+    rsa="1"
+    ;;
+  esac 
+fi
+
+
+if test "x$nss" = "x"; then
+  if test "x$rsa" = "x"; then
+    RSA_INCLUDE="$includedir"
+  fi
+  RSA_CFLAGS="-I$RSA_INCLUDE"
+fi
+
+if test "x$nss" = "x1"; then
+  cat >> confdefs.h <<\EOF
+#define WITH_NSS 1
+EOF
+
+fi
+
+
+
+if test "x$rsa" = "x1"; then
+  RSA_CFLAGS-"-I$RSA_INCLUDE"
+fi
+
+# Check whether --enable-debug or --disable-debug was given.
+if test "${enable_debug+set}" = set; then
+  enableval="$enable_debug"
+   case "$enableval" in
+  no)
+    DEBUG_CFLAGS="";;
+  yes)
+    DEBUG_CFLAGS="-DDEBUG";;
+  *)
+    DEBUG_CFLAGS="-DDEBUG";;
+  esac 
+else
+  DEBUG_CFLAGS="-DDEBUG"
+fi
+
+
+# Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:693: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="gcc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:723: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_prog_rejected=no
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+	continue
+      fi
+      ac_cv_prog_CC="cc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# -gt 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" "$@"
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  if test -z "$CC"; then
+    case "`uname -s`" in
+    *win32* | *WIN32*)
+      # Extract the first word of "cl", so it can be a program name with args.
+set dummy cl; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:774: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="cl"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+ ;;
+    esac
+  fi
+  test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
+echo "configure:806: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+cat > conftest.$ac_ext << EOF
+
+#line 817 "configure"
+#include "confdefs.h"
+
+main(){return(0);}
+EOF
+if { (eval echo configure:822: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  ac_cv_prog_cc_works=yes
+  # If we can't run a trivial program, we are probably using a cross compiler.
+  if (./conftest; exit) 2>/dev/null; then
+    ac_cv_prog_cc_cross=no
+  else
+    ac_cv_prog_cc_cross=yes
+  fi
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_prog_cc_works=no
+fi
+rm -fr conftest*
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
+if test $ac_cv_prog_cc_works = no; then
+  { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
+fi
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
+echo "configure:848: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
+echo "configure:853: checking whether we are using GNU C" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.c <<EOF
+#ifdef __GNUC__
+  yes;
+#endif
+EOF
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:862: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+  ac_cv_prog_gcc=yes
+else
+  ac_cv_prog_gcc=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc" 1>&6
+
+if test $ac_cv_prog_gcc = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+
+ac_test_CFLAGS="${CFLAGS+set}"
+ac_save_CFLAGS="$CFLAGS"
+CFLAGS=
+echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
+echo "configure:881: checking whether ${CC-cc} accepts -g" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
+  ac_cv_prog_cc_g=yes
+else
+  ac_cv_prog_cc_g=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS="$ac_save_CFLAGS"
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+
+echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
+echo "configure:913: checking how to run the C preprocessor" >&5
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    # This must be in double quotes, not single quotes, because CPP may get
+  # substituted into the Makefile and "${CC-cc}" will confuse make.
+  CPP="${CC-cc} -E"
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp.
+  cat > conftest.$ac_ext <<EOF
+#line 928 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:934: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -E -traditional-cpp"
+  cat > conftest.$ac_ext <<EOF
+#line 945 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:951: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -nologo -E"
+  cat > conftest.$ac_ext <<EOF
+#line 962 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:968: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP=/lib/cpp
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+  ac_cv_prog_CPP="$CPP"
+fi
+  CPP="$ac_cv_prog_CPP"
+else
+  ac_cv_prog_CPP="$CPP"
+fi
+echo "$ac_t""$CPP" 1>&6
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+  if test -f $ac_dir/install-sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f $ac_dir/install.sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+fi
+ac_config_guess=$ac_aux_dir/config.guess
+ac_config_sub=$ac_aux_dir/config.sub
+ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
+echo "configure:1023: checking for a BSD compatible install" >&5
+if test -z "$INSTALL"; then
+if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    IFS="${IFS= 	}"; ac_save_IFS="$IFS"; IFS=":"
+  for ac_dir in $PATH; do
+    # Account for people who put trailing slashes in PATH elements.
+    case "$ac_dir/" in
+    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+    *)
+      # OSF1 and SCO ODT 3.0 have their own names for install.
+      # Don't use installbsd from OSF since it installs stuff as root
+      # by default.
+      for ac_prog in ginstall scoinst install; do
+        if test -f $ac_dir/$ac_prog; then
+	  if test $ac_prog = install &&
+            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  else
+	    ac_cv_path_install="$ac_dir/$ac_prog -c"
+	    break 2
+	  fi
+	fi
+      done
+      ;;
+    esac
+  done
+  IFS="$ac_save_IFS"
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL="$ac_cv_path_install"
+  else
+    # As a last resort, use the slow shell script.  We don't cache a
+    # path for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the path is relative.
+    INSTALL="$ac_install_sh"
+  fi
+fi
+echo "$ac_t""$INSTALL" 1>&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+# Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1078: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_RANLIB="ranlib"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
+fi
+fi
+RANLIB="$ac_cv_prog_RANLIB"
+if test -n "$RANLIB"; then
+  echo "$ac_t""$RANLIB" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1108: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$AR"; then
+  ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_AR="ar"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+AR="$ac_cv_prog_AR"
+if test -n "$AR"; then
+  echo "$ac_t""$AR" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "ld", so it can be a program name with args.
+set dummy ld; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1137: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LD'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$LD"; then
+  ac_cv_prog_LD="$LD" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_LD="ld"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+LD="$ac_cv_prog_LD"
+if test -n "$LD"; then
+  echo "$ac_t""$LD" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "rm", so it can be a program name with args.
+set dummy rm; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1166: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_RM'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$RM"; then
+  ac_cv_prog_RM="$RM" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_RM="rm"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+RM="$ac_cv_prog_RM"
+if test -n "$RM"; then
+  echo "$ac_t""$RM" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Extract the first word of "tar", so it can be a program name with args.
+set dummy tar; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1195: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_TAR'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$TAR"; then
+  ac_cv_prog_TAR="$TAR" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_TAR="tar"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+TAR="$ac_cv_prog_TAR"
+if test -n "$TAR"; then
+  echo "$ac_t""$TAR" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+
+CPPFLAGS="$CFLAGS $NSPR_CFLAGS $NSS_CFLAGS $RSA_CFLAGS $DEBUG_CFLAGS"
+LIBS="$NSPR_LDFLAGS $LIBS"
+
+
+
+echo $ac_n "checking for PR_Init in -lnspr4""... $ac_c" 1>&6
+echo "configure:1229: checking for PR_Init in -lnspr4" >&5
+ac_lib_var=`echo nspr4'_'PR_Init | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lnspr4  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1237 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char PR_Init();
+
+int main() {
+PR_Init()
+; return 0; }
+EOF
+if { (eval echo configure:1248: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_lib=HAVE_LIB`echo nspr4 | sed -e 's/[^a-zA-Z0-9_]/_/g' \
+    -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+  LIBS="-lnspr4 $LIBS"
+
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+for ac_hdr in nspr.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:1280: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1285 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1290: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+if test "x$nss" = "x1"; then
+  for ac_hdr in ck.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:1323: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1328 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1333: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+fi
+
+if test "x$rsa" = "x1"; then
+  for ac_hdr in pkcs11t.h pkcs11.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:1366: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1371 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1376: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+fi
+
+
+
+echo $ac_n "checking for working const""... $ac_c" 1>&6
+echo "configure:1407: checking for working const" >&5
+if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1412 "configure"
+#include "confdefs.h"
+
+int main() {
+
+/* Ultrix mips cc rejects this.  */
+typedef int charset[2]; const charset x;
+/* SunOS 4.1.1 cc rejects this.  */
+char const *const *ccp;
+char **p;
+/* NEC SVR4.0.2 mips cc rejects this.  */
+struct point {int x, y;};
+static struct point const zero = {0,0};
+/* AIX XL C 1.02.0.0 rejects this.
+   It does not let you subtract one const X* pointer from another in an arm
+   of an if-expression whose if-part is not a constant expression */
+const char *g = "string";
+ccp = &g + (g ? g-g : 0);
+/* HPUX 7.0 cc rejects these. */
+++ccp;
+p = (char**) ccp;
+ccp = (char const *const *) p;
+{ /* SCO 3.2v4 cc rejects this.  */
+  char *t;
+  char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+  *t++ = 0;
+}
+{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+  int x[] = {25, 17};
+  const int *foo = &x[0];
+  ++foo;
+}
+{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+  typedef const int *iptr;
+  iptr p = 0;
+  ++p;
+}
+{ /* AIX XL C 1.02.0.0 rejects this saying
+     "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+  struct s { int j; const int *ap[3]; };
+  struct s *b; b->j = 5;
+}
+{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+  const int foo = 10;
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:1461: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_const=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_const=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_c_const" 1>&6
+if test $ac_cv_c_const = no; then
+  cat >> confdefs.h <<\EOF
+#define const 
+EOF
+
+fi
+
+
+
+for ac_func in memset strlen
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:1486: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 1491 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:1514: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Any assignment to VPATH causes Sun make to only execute
+# the first set of double-colon rules, so remove it if not needed.
+# If there is a colon in the path, we need to keep it.
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
+fi
+
+trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
+
+DEFS=-DHAVE_CONFIG_H
+
+# Without the "./", some shells look in PATH for config.status.
+: ${CONFIG_STATUS=./config.status}
+
+echo creating $CONFIG_STATUS
+rm -f $CONFIG_STATUS
+cat > $CONFIG_STATUS <<EOF
+#! /bin/sh
+# Generated automatically by configure.
+# Run this file to recreate the current configuration.
+# This directory was configured as follows,
+# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# $0 $ac_configure_args
+#
+# Compiler output produced by configure, useful for debugging
+# configure, is in ./config.log if it exists.
+
+ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
+for ac_option
+do
+  case "\$ac_option" in
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
+    exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
+  -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
+    echo "$CONFIG_STATUS generated by autoconf version 2.13"
+    exit 0 ;;
+  -help | --help | --hel | --he | --h)
+    echo "\$ac_cs_usage"; exit 0 ;;
+  *) echo "\$ac_cs_usage"; exit 1 ;;
+  esac
+done
+
+ac_given_srcdir=$srcdir
+ac_given_INSTALL="$INSTALL"
+
+trap 'rm -fr `echo "Makefile config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+# Protect against being on the right side of a sed subst in config.status.
+sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
+ s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
+$ac_vpsub
+$extrasub
+s%@SHELL@%$SHELL%g
+s%@CFLAGS@%$CFLAGS%g
+s%@CPPFLAGS@%$CPPFLAGS%g
+s%@CXXFLAGS@%$CXXFLAGS%g
+s%@FFLAGS@%$FFLAGS%g
+s%@DEFS@%$DEFS%g
+s%@LDFLAGS@%$LDFLAGS%g
+s%@LIBS@%$LIBS%g
+s%@exec_prefix@%$exec_prefix%g
+s%@prefix@%$prefix%g
+s%@program_transform_name@%$program_transform_name%g
+s%@bindir@%$bindir%g
+s%@sbindir@%$sbindir%g
+s%@libexecdir@%$libexecdir%g
+s%@datadir@%$datadir%g
+s%@sysconfdir@%$sysconfdir%g
+s%@sharedstatedir@%$sharedstatedir%g
+s%@localstatedir@%$localstatedir%g
+s%@libdir@%$libdir%g
+s%@includedir@%$includedir%g
+s%@oldincludedir@%$oldincludedir%g
+s%@infodir@%$infodir%g
+s%@mandir@%$mandir%g
+s%@SET_MAKE@%$SET_MAKE%g
+s%@WITH_NSS@%$WITH_NSS%g
+s%@CC@%$CC%g
+s%@CPP@%$CPP%g
+s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
+s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
+s%@INSTALL_DATA@%$INSTALL_DATA%g
+s%@RANLIB@%$RANLIB%g
+s%@AR@%$AR%g
+s%@LD@%$LD%g
+s%@RM@%$RM%g
+s%@TAR@%$TAR%g
+s%@CC INSTALL RANLIB AR LD RM TAR@%$CC INSTALL RANLIB AR LD RM TAR%g
+s%@HAVE_NSPR_H@%$HAVE_NSPR_H%g
+s%@HAVE_CK_H HAVE_PKCS11T_H HAVE_PKCS11_H@%$HAVE_CK_H HAVE_PKCS11T_H HAVE_PKCS11_H%g
+s%@const@%$const%g
+s%@HAVE_MEMSET HAVE_STRLEN@%$HAVE_MEMSET HAVE_STRLEN%g
+
+CEOF
+EOF
+
+cat >> $CONFIG_STATUS <<\EOF
+
+# Split the substitutions into bite-sized pieces for seds with
+# small command number limits, like on Digital OSF/1 and HP-UX.
+ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
+ac_file=1 # Number of current file.
+ac_beg=1 # First line for current file.
+ac_end=$ac_max_sed_cmds # Line after last line for current file.
+ac_more_lines=:
+ac_sed_cmds=""
+while $ac_more_lines; do
+  if test $ac_beg -gt 1; then
+    sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
+  else
+    sed "${ac_end}q" conftest.subs > conftest.s$ac_file
+  fi
+  if test ! -s conftest.s$ac_file; then
+    ac_more_lines=false
+    rm -f conftest.s$ac_file
+  else
+    if test -z "$ac_sed_cmds"; then
+      ac_sed_cmds="sed -f conftest.s$ac_file"
+    else
+      ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
+    fi
+    ac_file=`expr $ac_file + 1`
+    ac_beg=$ac_end
+    ac_end=`expr $ac_end + $ac_max_sed_cmds`
+  fi
+done
+if test -z "$ac_sed_cmds"; then
+  ac_sed_cmds=cat
+fi
+EOF
+
+cat >> $CONFIG_STATUS <<EOF
+
+CONFIG_FILES=\${CONFIG_FILES-"Makefile"}
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
+
+  # Remove last slash and all that follows it.  Not all systems have dirname.
+  ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+    # The file is in a subdirectory.
+    test ! -d "$ac_dir" && mkdir "$ac_dir"
+    ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
+    # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
+  else
+    ac_dir_suffix= ac_dots=
+  fi
+
+  case "$ac_given_srcdir" in
+  .)  srcdir=.
+      if test -z "$ac_dots"; then top_srcdir=.
+      else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
+  /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
+  *) # Relative path.
+    srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
+    top_srcdir="$ac_dots$ac_given_srcdir" ;;
+  esac
+
+  case "$ac_given_INSTALL" in
+  [/$]*) INSTALL="$ac_given_INSTALL" ;;
+  *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
+  esac
+
+  echo creating "$ac_file"
+  rm -f "$ac_file"
+  configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
+  case "$ac_file" in
+  *Makefile*) ac_comsub="1i\\
+# $configure_input" ;;
+  *) ac_comsub= ;;
+  esac
+
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  sed -e "$ac_comsub
+s%@configure_input@%$configure_input%g
+s%@srcdir@%$srcdir%g
+s%@top_srcdir@%$top_srcdir%g
+s%@INSTALL@%$INSTALL%g
+" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
+fi; done
+rm -f conftest.s*
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s%^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='\([ 	][ 	]*\)[^ 	]*%\1#\2'
+ac_dC='\3'
+ac_dD='%g'
+# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE".
+ac_uA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='\([ 	]\)%\1#\2define\3'
+ac_uC=' '
+ac_uD='\4%g'
+# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_eA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_eB='$%\1#\2define\3'
+ac_eC=' '
+ac_eD='%g'
+
+if test "${CONFIG_HEADERS+set}" != set; then
+EOF
+cat >> $CONFIG_STATUS <<EOF
+  CONFIG_HEADERS="config.h"
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+fi
+for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  echo creating $ac_file
+
+  rm -f conftest.frag conftest.in conftest.out
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  cat $ac_file_inputs > conftest.in
+
+EOF
+
+# Transform confdefs.h into a sed script conftest.vals that substitutes
+# the proper values into config.h.in to produce config.h.  And first:
+# Protect against being on the right side of a sed subst in config.status.
+# Protect against being in an unquoted here document in config.status.
+rm -f conftest.vals
+cat > conftest.hdr <<\EOF
+s/[\\&%]/\\&/g
+s%[\\$`]%\\&%g
+s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp
+s%ac_d%ac_u%gp
+s%ac_u%ac_e%gp
+EOF
+sed -n -f conftest.hdr confdefs.h > conftest.vals
+rm -f conftest.hdr
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >> conftest.vals <<\EOF
+s%^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
+EOF
+
+# Break up conftest.vals because some shells have a limit on
+# the size of here documents, and old seds have small limits too.
+
+rm -f conftest.tail
+while :
+do
+  ac_lines=`grep -c . conftest.vals`
+  # grep -c gives empty output for an empty file on some AIX systems.
+  if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi
+  # Write a limited-size here document to conftest.frag.
+  echo '  cat > conftest.frag <<CEOF' >> $CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS
+  echo 'CEOF
+  sed -f conftest.frag conftest.in > conftest.out
+  rm -f conftest.in
+  mv conftest.out conftest.in
+' >> $CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail
+  rm -f conftest.vals
+  mv conftest.tail conftest.vals
+done
+rm -f conftest.vals
+
+cat >> $CONFIG_STATUS <<\EOF
+  rm -f conftest.frag conftest.h
+  echo "/* $ac_file.  Generated automatically by configure.  */" > conftest.h
+  cat conftest.in >> conftest.h
+  rm -f conftest.in
+  if cmp -s $ac_file conftest.h 2>/dev/null; then
+    echo "$ac_file is unchanged"
+    rm -f conftest.h
+  else
+    # Remove last slash and all that follows it.  Not all systems have dirname.
+      ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+      # The file is in a subdirectory.
+      test ! -d "$ac_dir" && mkdir "$ac_dir"
+    fi
+    rm -f $ac_file
+    mv conftest.h $ac_file
+  fi
+fi; done
+
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+echo timestamp > stamp-h
+exit 0
+EOF
+chmod +x $CONFIG_STATUS
+rm -fr confdefs* $ac_clean_files
+test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
+
diff --git a/security/nss/tests/pkcs11/netscape/trivial/configure.in b/security/nss/tests/pkcs11/netscape/trivial/configure.in
new file mode 100644
index 000000000..62950b97a
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/configure.in
@@ -0,0 +1,185 @@
+dnl
+dnl ***** BEGIN LICENSE BLOCK *****
+dnl Version: MPL 1.1/GPL 2.0/LGPL 2.1
+dnl
+dnl The contents of this file are subject to the Mozilla Public License Version
+dnl 1.1 (the "License"); you may not use this file except in compliance with
+dnl the License. You may obtain a copy of the License at
+dnl http://www.mozilla.org/MPL/
+dnl
+dnl Software distributed under the License is distributed on an "AS IS" basis,
+dnl WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+dnl for the specific language governing rights and limitations under the
+dnl License.
+dnl
+dnl The Original Code is a trivial PKCS#11 test program.
+dnl
+dnl The Initial Developer of the Original Code is
+dnl Netscape Communications Corp.
+dnl Portions created by the Initial Developer are Copyright (C) 2000
+dnl the Initial Developer. All Rights Reserved.
+dnl
+dnl Contributor(s):
+dnl
+dnl Alternatively, the contents of this file may be used under the terms of
+dnl either the GNU General Public License Version 2 or later (the "GPL"), or
+dnl the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+dnl in which case the provisions of the GPL or the LGPL are applicable instead
+dnl of those above. If you wish to allow use of your version of this file only
+dnl under the terms of either the GPL or the LGPL, and not to allow others to
+dnl use your version of this file under the terms of the MPL, indicate your
+dnl decision by deleting the provisions above and replace them with the notice
+dnl and other provisions required by the GPL or the LGPL. If you do not delete
+dnl the provisions above, a recipient may use your version of this file under
+dnl the terms of any one of the MPL, the GPL or the LGPL.
+dnl
+dnl ***** END LICENSE BLOCK *****
+
+dnl My revision info: "@(#) $RCSfile$ $Revision$ $Date$"
+dnl Don't use AC_REVISION; it's broken
+
+AC_INIT(trivial.c)
+AC_CONFIG_HEADER(config.h)
+AC_PROG_MAKE_SET
+
+AC_ARG_WITH(nspr, [  --with-nspr[=path]      specify location of NSPR],
+[ case "$withval" in
+  no)
+    AC_MSG_ERROR(NSPR is required);;
+  yes)
+    NSPR_INCLUDE="$includedir"
+    NSPR_LIBPATH="$libdir"
+    ;;
+  *)
+    NSPR_INCLUDE="$withval/include"
+    NSPR_LIBPATH="$withval/lib"
+    ;;
+  esac ],
+[ NSPR_INCLUDE="$includedir"
+  NSPR_LIBPATH="$libdir" ]
+)
+
+NSPR_CFLAGS="-I$NSPR_INCLUDE"
+NSPR_LDFLAGS="-L$NSPR_LIBPATH -lnspr4 -lplc4 -lplds4"
+
+dnl This isn't optimum, but the mozilla build system and autoconf don't really mesh well..
+
+AC_ARG_WITH(nss-dist,    [  --with-nss-dist[=path]  specify path to NSS dist directory],
+[ case "$withval" in
+  no)
+    NSS_CFLAGS=""
+    nss="0"
+    ;;
+  yes)
+    AC_MSG_ERROR(You have to specify a path for --with-nss-dist)
+    ;;
+  *)
+    NSS_CFLAGS="-I$withval/private/security -I$withval/public/security"
+    nss="1"
+    ;;
+  esac ])
+
+AC_ARG_WITH(nss-hdrs, [  --with-nss-hdrs[=path]  or, specify path to installed NSS headers],
+[ if test "x$nss" != "x"; then
+    AC_MSG_ERROR(Only specify --with-nss-hdrs or --with-nss-dist, not both)
+  fi
+  case "$withval" in
+  no)
+    NSS_CFLAGS=""
+    nss="0"
+    ;;
+  yes)
+    NSS_CFLAGS="-I$includedir"
+    nss="1"
+    ;;
+  *)
+    NSS_CFLAGS="-I$withval"
+    nss="1"
+    ;;
+  esac ])
+
+AC_ARG_WITH(rsa-hdrs, [  --with-rsa-hdrs[=path]  if not using NSS, specify path to RSA headers],
+[ if test "x$nss" != "x"; then
+    AC_MSG_ERROR(Only specify --with-nss-{hdrs,dist} or --with-rsa-hdrs, not both)
+  fi
+  case "$withval" in
+  no)
+    rsa="0"
+    ;;
+  yes)
+    RSA_INCLUDE="$includedir"
+    rsa="1"
+    ;;
+  *)
+    RSA_INCLUDE="$withval"
+    rsa="1"
+    ;;
+  esac ])
+
+if test "x$nss" = "x"; then
+  if test "x$rsa" = "x"; then
+    RSA_INCLUDE="$includedir"
+  fi
+  RSA_CFLAGS="-I$RSA_INCLUDE"
+fi
+
+if test "x$nss" = "x1"; then
+  AC_DEFINE(WITH_NSS,1)
+fi
+
+AC_SUBST(WITH_NSS)
+
+if test "x$rsa" = "x1"; then
+  RSA_CFLAGS-"-I$RSA_INCLUDE"
+fi
+
+AC_ARG_ENABLE(debug, [  --disable-debug         default is enabled],
+[ case "$enableval" in
+  no)
+    DEBUG_CFLAGS="";;
+  yes)
+    DEBUG_CFLAGS="-DDEBUG";;
+  *)
+    DEBUG_CFLAGS="-DDEBUG";;
+  esac ], DEBUG_CFLAGS="-DDEBUG")
+
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_CPP
+AC_PROG_INSTALL
+AC_PROG_RANLIB
+AC_CHECK_PROG(AR, ar, ar)
+AC_CHECK_PROG(LD, ld, ld)
+AC_CHECK_PROG(RM, rm, rm)
+AC_CHECK_PROG(TAR, tar, tar)
+AC_SUBST(CC INSTALL RANLIB AR LD RM TAR)
+
+CPPFLAGS="$CFLAGS $NSPR_CFLAGS $NSS_CFLAGS $RSA_CFLAGS $DEBUG_CFLAGS"
+LIBS="$NSPR_LDFLAGS $LIBS"
+
+AC_SUBST(CFLAGS)
+
+dnl Checks for libraries.
+AC_CHECK_LIB(nspr4, PR_Init)
+
+dnl Checks for header files.
+AC_CHECK_HEADERS(nspr.h)
+AC_SUBST(HAVE_NSPR_H)
+
+if test "x$nss" = "x1"; then
+  AC_CHECK_HEADERS(ck.h)
+fi
+
+if test "x$rsa" = "x1"; then
+  AC_CHECK_HEADERS(pkcs11t.h pkcs11.h)
+fi
+
+AC_SUBST(HAVE_CK_H HAVE_PKCS11T_H HAVE_PKCS11_H)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_SUBST(const)
+
+AC_CHECK_FUNCS(memset strlen)
+AC_SUBST(HAVE_MEMSET HAVE_STRLEN)
+AC_OUTPUT(Makefile, [echo timestamp > stamp-h])
diff --git a/security/nss/tests/pkcs11/netscape/trivial/install-sh b/security/nss/tests/pkcs11/netscape/trivial/install-sh
new file mode 100755
index 000000000..e9de23842
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/install-sh
@@ -0,0 +1,251 @@
+#!/bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission.  M.I.T. makes no representations about the
+# suitability of this software for any purpose.  It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.  It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+		chmodcmd=""
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/security/nss/tests/pkcs11/netscape/trivial/trivial.c b/security/nss/tests/pkcs11/netscape/trivial/trivial.c
new file mode 100644
index 000000000..a15ffbc5f
--- /dev/null
+++ b/security/nss/tests/pkcs11/netscape/trivial/trivial.c
@@ -0,0 +1,1316 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is a trivial PKCS#11 test program.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * This is a very trivial program I wrote for testing out a 
+ * couple data-only Cryptoki modules for NSS.  It's not a "real"
+ * test program that prints out nice "PASS" or "FAIL" messages;
+ * it just makes calls and dumps data.
+ */
+
+#include "config.h"
+
+#ifdef HAVE_NSPR_H
+#include "nspr.h"
+#else
+#error "NSPR is required."
+#endif
+
+#ifdef WITH_NSS
+#define FGMR 1
+#include "ck.h"
+#else
+#include "pkcs11t.h"
+#include "pkcs11.h"
+#endif
+
+/* The RSA versions are sloppier with namespaces */
+#ifndef CK_TRUE
+#define CK_TRUE TRUE
+#endif
+
+#ifndef CK_FALSE
+#define CK_FALSE FALSE
+#endif
+
+int
+rmain
+(
+  int argc,
+  char *argv[]
+);
+
+int
+main
+(
+  int argc,
+  char *argv[]
+)
+{
+  int rv = 0;
+
+  PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 14);
+  rv = rmain(argc, argv);
+  PR_Cleanup();
+
+  return rv;
+}
+
+static CK_ATTRIBUTE_TYPE all_known_attribute_types[] = {
+  CKA_CLASS,
+  CKA_TOKEN,
+  CKA_PRIVATE,
+  CKA_LABEL,
+  CKA_APPLICATION,
+  CKA_VALUE,
+  CKA_CERTIFICATE_TYPE,
+  CKA_ISSUER,
+  CKA_SERIAL_NUMBER,
+  CKA_KEY_TYPE,
+  CKA_SUBJECT,
+  CKA_ID,
+  CKA_SENSITIVE,
+  CKA_ENCRYPT,
+  CKA_DECRYPT,
+  CKA_WRAP,
+  CKA_UNWRAP,
+  CKA_SIGN,
+  CKA_SIGN_RECOVER,
+  CKA_VERIFY,
+  CKA_VERIFY_RECOVER,
+  CKA_DERIVE,
+  CKA_START_DATE,
+  CKA_END_DATE,
+  CKA_MODULUS,
+  CKA_MODULUS_BITS,
+  CKA_PUBLIC_EXPONENT,
+  CKA_PRIVATE_EXPONENT,
+  CKA_PRIME_1,
+  CKA_PRIME_2,
+  CKA_EXPONENT_1,
+  CKA_EXPONENT_2,
+  CKA_COEFFICIENT,
+  CKA_PRIME,
+  CKA_SUBPRIME,
+  CKA_BASE,
+  CKA_VALUE_BITS,
+  CKA_VALUE_LEN,
+  CKA_EXTRACTABLE,
+  CKA_LOCAL,
+  CKA_NEVER_EXTRACTABLE,
+  CKA_ALWAYS_SENSITIVE,
+  CKA_MODIFIABLE,
+#ifdef CKA_NETSCAPE
+  CKA_NETSCAPE_URL,
+  CKA_NETSCAPE_EMAIL,
+  CKA_NETSCAPE_SMIME_INFO,
+  CKA_NETSCAPE_SMIME_TIMESTAMP,
+  CKA_NETSCAPE_PKCS8_SALT,
+  CKA_NETSCAPE_PASSWORD_CHECK,
+  CKA_NETSCAPE_EXPIRES,
+#endif /* CKA_NETSCAPE */
+#ifdef CKA_TRUST
+  CKA_TRUST_DIGITAL_SIGNATURE,
+  CKA_TRUST_NON_REPUDIATION,
+  CKA_TRUST_KEY_ENCIPHERMENT,
+  CKA_TRUST_DATA_ENCIPHERMENT,
+  CKA_TRUST_KEY_AGREEMENT,
+  CKA_TRUST_KEY_CERT_SIGN,
+  CKA_TRUST_CRL_SIGN,
+  CKA_TRUST_SERVER_AUTH,
+  CKA_TRUST_CLIENT_AUTH,
+  CKA_TRUST_CODE_SIGNING,
+  CKA_TRUST_EMAIL_PROTECTION,
+  CKA_TRUST_IPSEC_END_SYSTEM,
+  CKA_TRUST_IPSEC_TUNNEL,
+  CKA_TRUST_IPSEC_USER,
+  CKA_TRUST_TIME_STAMPING,
+#endif /* CKA_TRUST */
+};
+
+static number_of_all_known_attribute_types = 
+  (sizeof(all_known_attribute_types)/sizeof(all_known_attribute_types[0]));
+
+int
+usage
+(
+  char *argv0
+)
+{
+  PR_fprintf(PR_STDERR, "Usage: %s [-i {string|--}] <library>.so\n", argv0);
+  return 1;
+}
+
+int
+rmain
+(
+  int argc,
+  char *argv[]
+)
+{
+  char *argv0 = argv[0];
+  PRLibrary *lib;
+  CK_C_GetFunctionList gfl;
+  CK_FUNCTION_LIST_PTR epv = (CK_FUNCTION_LIST_PTR)NULL;
+  CK_RV ck_rv;
+  CK_INFO info;
+  CK_ULONG nSlots;
+  CK_SLOT_ID *pSlots;
+  CK_ULONG i;
+  CK_C_INITIALIZE_ARGS ia, *iap;
+
+  (void)memset(&ia, 0, sizeof(CK_C_INITIALIZE_ARGS));
+  iap = (CK_C_INITIALIZE_ARGS *)NULL;
+  while( argv++, --argc ) {
+    if( '-' == argv[0][0] ) {
+      switch( argv[0][1] ) {
+      case 'i':
+        iap = &ia;
+        if( ((char *)NULL != argv[1]) && ('-' != argv[1][0]) ) {
+#ifdef WITH_NSS
+          ia.pConfig = argv[1];
+          ia.ulConfigLen = strlen(argv[1]);
+          argv++, --argc;
+#else
+          return usage(argv0);
+#endif /* WITH_NSS */
+        }
+        break;
+      case '-':
+        argv++, --argc;
+        goto endargs;
+      default:
+        return usage(argv0);
+      }
+    } else {
+      break;
+    }
+  }
+ endargs:;
+
+  if( 1 != argc ) {
+    return usage(argv0);
+  }
+
+  lib = PR_LoadLibrary(argv[0]);
+  if( (PRLibrary *)NULL == lib ) {
+    PR_fprintf(PR_STDERR, "Can't load %s: %ld, %ld\n", argv[1], PR_GetError(), PR_GetOSError());
+    return 1;
+  }
+
+  gfl = (CK_C_GetFunctionList)PR_FindSymbol(lib, "C_GetFunctionList");
+  if( (CK_C_GetFunctionList)NULL == gfl ) {
+    PR_fprintf(PR_STDERR, "Can't find C_GetFunctionList in %s: %ld, %ld\n", argv[1], 
+               PR_GetError(), PR_GetOSError());
+    return 1;
+  }
+
+  ck_rv = (*gfl)(&epv);
+  if( CKR_OK != ck_rv ) {
+    PR_fprintf(PR_STDERR, "CK_GetFunctionList returned 0x%08x\n", ck_rv);
+    return 1;
+  }
+
+  PR_fprintf(PR_STDOUT, "Module %s loaded, epv = 0x%08x.\n\n", argv[1], (CK_ULONG)epv);
+
+  /* C_Initialize */
+  ck_rv = epv->C_Initialize(iap);
+  if( CKR_OK != ck_rv ) {
+    PR_fprintf(PR_STDERR, "C_Initialize returned 0x%08x\n", ck_rv);
+    return 1;
+  }
+
+  /* C_GetInfo */
+  (void)memset(&info, 0, sizeof(CK_INFO));
+  ck_rv = epv->C_GetInfo(&info);
+  if( CKR_OK != ck_rv ) {
+    PR_fprintf(PR_STDERR, "C_GetInfo returned 0x%08x\n", ck_rv);
+    return 1;
+  }
+
+  PR_fprintf(PR_STDOUT, "Module Info:\n");
+  PR_fprintf(PR_STDOUT, "    cryptokiVersion = %lu.%02lu\n", 
+             (PRUint32)info.cryptokiVersion.major, (PRUint32)info.cryptokiVersion.minor);
+  PR_fprintf(PR_STDOUT, "    manufacturerID = \"%.32s\"\n", info.manufacturerID);
+  PR_fprintf(PR_STDOUT, "    flags = 0x%08lx\n", info.flags);
+  PR_fprintf(PR_STDOUT, "    libraryDescription = \"%.32s\"\n", info.libraryDescription);
+  PR_fprintf(PR_STDOUT, "    libraryVersion = %lu.%02lu\n", 
+             (PRUint32)info.libraryVersion.major, (PRUint32)info.libraryVersion.minor);
+  PR_fprintf(PR_STDOUT, "\n");
+
+  /* C_GetSlotList */
+  nSlots = 0;
+  ck_rv = epv->C_GetSlotList(CK_FALSE, (CK_SLOT_ID_PTR)CK_NULL_PTR, &nSlots);
+  switch( ck_rv ) {
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_OK:
+    break;
+  default:
+    PR_fprintf(PR_STDERR, "C_GetSlotList(FALSE, NULL, ) returned 0x%08x\n", ck_rv);
+    return 1;
+  }
+
+  PR_fprintf(PR_STDOUT, "There are %lu slots.\n", nSlots);
+
+  pSlots = (CK_SLOT_ID_PTR)PR_Calloc(nSlots, sizeof(CK_SLOT_ID));
+  if( (CK_SLOT_ID_PTR)NULL == pSlots ) {
+    PR_fprintf(PR_STDERR, "[memory allocation of %lu bytes failed]\n", nSlots * sizeof(CK_SLOT_ID));
+    return 1;
+  }
+
+  ck_rv = epv->C_GetSlotList(CK_FALSE, pSlots, &nSlots);
+  if( CKR_OK != ck_rv ) {
+    PR_fprintf(PR_STDERR, "C_GetSlotList(FALSE, , ) returned 0x%08x\n", ck_rv);
+    return 1;
+  }
+
+  for( i = 0; i < nSlots; i++ ) {
+    PR_fprintf(PR_STDOUT, "    [%lu]: CK_SLOT_ID = %lu\n", (i+1), pSlots[i]);
+  }
+
+  PR_fprintf(PR_STDOUT, "\n");
+
+  /* C_GetSlotInfo */
+  for( i = 0; i < nSlots; i++ ) {
+    CK_SLOT_INFO sinfo;
+
+    PR_fprintf(PR_STDOUT, "[%lu]: CK_SLOT_ID = %lu\n", (i+1), pSlots[i]);
+
+    (void)memset(&sinfo, 0, sizeof(CK_SLOT_INFO));
+    ck_rv = epv->C_GetSlotInfo(pSlots[i], &sinfo);
+    if( CKR_OK != ck_rv ) {
+      PR_fprintf(PR_STDERR, "C_GetSlotInfo(%lu, ) returned 0x%08x\n", pSlots[i], ck_rv);
+      return 1;
+    }
+
+    PR_fprintf(PR_STDOUT, "    Slot Info:\n");
+    PR_fprintf(PR_STDOUT, "        slotDescription = \"%.64s\"\n", sinfo.slotDescription);
+    PR_fprintf(PR_STDOUT, "        manufacturerID = \"%.32s\"\n", sinfo.manufacturerID);
+    PR_fprintf(PR_STDOUT, "        flags = 0x%08lx\n", sinfo.flags);
+    PR_fprintf(PR_STDOUT, "            -> TOKEN PRESENT = %s\n", 
+               sinfo.flags & CKF_TOKEN_PRESENT ? "TRUE" : "FALSE");
+    PR_fprintf(PR_STDOUT, "            -> REMOVABLE DEVICE = %s\n",
+               sinfo.flags & CKF_REMOVABLE_DEVICE ? "TRUE" : "FALSE");
+    PR_fprintf(PR_STDOUT, "            -> HW SLOT = %s\n", 
+               sinfo.flags & CKF_HW_SLOT ? "TRUE" : "FALSE");
+    PR_fprintf(PR_STDOUT, "        hardwareVersion = %lu.%02lu\n", 
+               (PRUint32)sinfo.hardwareVersion.major, (PRUint32)sinfo.hardwareVersion.minor);
+    PR_fprintf(PR_STDOUT, "        firmwareVersion = %lu.%02lu\n",
+               (PRUint32)sinfo.firmwareVersion.major, (PRUint32)sinfo.firmwareVersion.minor);
+
+    if( sinfo.flags & CKF_TOKEN_PRESENT ) {
+      CK_TOKEN_INFO tinfo;
+      CK_MECHANISM_TYPE *pMechanismList;
+      CK_ULONG nMechanisms = 0;
+      CK_ULONG j;
+
+      (void)memset(&tinfo, 0, sizeof(CK_TOKEN_INFO));
+      ck_rv = epv->C_GetTokenInfo(pSlots[i], &tinfo);
+      if( CKR_OK != ck_rv ) {
+        PR_fprintf(PR_STDERR, "C_GetTokenInfo(%lu, ) returned 0x%08x\n", pSlots[i], ck_rv);
+        return 1;
+      }
+
+      PR_fprintf(PR_STDOUT, "    Token Info:\n");
+      PR_fprintf(PR_STDOUT, "        label = \"%.32s\"\n", tinfo.label);
+      PR_fprintf(PR_STDOUT, "        manufacturerID = \"%.32s\"\n", tinfo.manufacturerID);
+      PR_fprintf(PR_STDOUT, "        model = \"%.16s\"\n", tinfo.model);
+      PR_fprintf(PR_STDOUT, "        serialNumber = \"%.16s\"\n", tinfo.serialNumber);
+      PR_fprintf(PR_STDOUT, "        flags = 0x%08lx\n", tinfo.flags);
+      PR_fprintf(PR_STDOUT, "            -> RNG = %s\n",
+                 tinfo.flags & CKF_RNG ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> WRITE PROTECTED = %s\n",
+                 tinfo.flags & CKF_WRITE_PROTECTED ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> LOGIN REQUIRED = %s\n",
+                 tinfo.flags & CKF_LOGIN_REQUIRED ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> USER PIN INITIALIZED = %s\n",
+                 tinfo.flags & CKF_USER_PIN_INITIALIZED ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> RESTORE KEY NOT NEEDED = %s\n",
+                 tinfo.flags & CKF_RESTORE_KEY_NOT_NEEDED ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> CLOCK ON TOKEN = %s\n",
+                 tinfo.flags & CKF_CLOCK_ON_TOKEN ? "TRUE" : "FALSE");
+#ifdef CKF_SUPPORTS_PARALLEL
+      PR_fprintf(PR_STDOUT, "            -> SUPPORTS PARALLEL = %s\n",
+                 tinfo.flags & CKF_SUPPORTS_PARALLEL ? "TRUE" : "FALSE");
+#endif /* CKF_SUPPORTS_PARALLEL */
+      PR_fprintf(PR_STDOUT, "            -> PROTECTED AUTHENTICATION PATH = %s\n",
+                 tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "            -> DUAL_CRYPTO_OPERATIONS = %s\n", 
+                 tinfo.flags & CKF_DUAL_CRYPTO_OPERATIONS ? "TRUE" : "FALSE");
+      PR_fprintf(PR_STDOUT, "        ulMaxSessionCount = %lu\n", tinfo.ulMaxSessionCount);
+      PR_fprintf(PR_STDOUT, "        ulSessionCount = %lu\n", tinfo.ulSessionCount);
+      PR_fprintf(PR_STDOUT, "        ulMaxRwSessionCount = %lu\n", tinfo.ulMaxRwSessionCount);
+      PR_fprintf(PR_STDOUT, "        ulRwSessionCount = %lu\n", tinfo.ulRwSessionCount);
+      PR_fprintf(PR_STDOUT, "        ulMaxPinLen = %lu\n", tinfo.ulMaxPinLen);
+      PR_fprintf(PR_STDOUT, "        ulMinPinLen = %lu\n", tinfo.ulMinPinLen);
+      PR_fprintf(PR_STDOUT, "        ulTotalPublicMemory = %lu\n", tinfo.ulTotalPublicMemory);
+      PR_fprintf(PR_STDOUT, "        ulFreePublicMemory = %lu\n", tinfo.ulFreePublicMemory);
+      PR_fprintf(PR_STDOUT, "        ulTotalPrivateMemory = %lu\n", tinfo.ulTotalPrivateMemory);
+      PR_fprintf(PR_STDOUT, "        ulFreePrivateMemory = %lu\n", tinfo.ulFreePrivateMemory);
+      PR_fprintf(PR_STDOUT, "        hardwareVersion = %lu.%02lu\n", 
+                 (PRUint32)tinfo.hardwareVersion.major, (PRUint32)tinfo.hardwareVersion.minor);
+      PR_fprintf(PR_STDOUT, "        firmwareVersion = %lu.%02lu\n",
+                 (PRUint32)tinfo.firmwareVersion.major, (PRUint32)tinfo.firmwareVersion.minor);
+      PR_fprintf(PR_STDOUT, "        utcTime = \"%.16s\"\n", tinfo.utcTime);
+
+
+      ck_rv = epv->C_GetMechanismList(pSlots[i], (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR, &nMechanisms);
+      switch( ck_rv ) {
+      case CKR_BUFFER_TOO_SMALL:
+      case CKR_OK:
+        break;
+      default:
+        PR_fprintf(PR_STDERR, "C_GetMechanismList(%lu, NULL, ) returned 0x%08x\n", pSlots[i], ck_rv);
+        return 1;
+      }
+
+      PR_fprintf(PR_STDOUT, "    %lu mechanisms:\n", nMechanisms);
+
+      pMechanismList = (CK_MECHANISM_TYPE_PTR)PR_Calloc(nMechanisms, sizeof(CK_MECHANISM_TYPE));
+      if( (CK_MECHANISM_TYPE_PTR)NULL == pMechanismList ) {
+        PR_fprintf(PR_STDERR, "[memory allocation of %lu bytes failed]\n", 
+                   nMechanisms * sizeof(CK_MECHANISM_TYPE));
+        return 1;
+      }
+
+      ck_rv = epv->C_GetMechanismList(pSlots[i], pMechanismList, &nMechanisms);
+      if( CKR_OK != ck_rv ) {
+        PR_fprintf(PR_STDERR, "C_GetMechanismList(%lu, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+        return 1;
+      }
+
+      for( j = 0; j < nMechanisms; j++ ) {
+        PR_fprintf(PR_STDOUT, "        {%lu}: CK_MECHANISM_TYPE = %lu\n", (j+1), pMechanismList[j]);
+      }
+
+      PR_fprintf(PR_STDOUT, "\n");
+
+      for( j = 0; j < nMechanisms; j++ ) {
+        CK_MECHANISM_INFO minfo;
+
+        (void)memset(&minfo, 0, sizeof(CK_MECHANISM_INFO));
+        ck_rv = epv->C_GetMechanismInfo(pSlots[i], pMechanismList[j], &minfo);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_GetMechanismInfo(%lu, %lu, ) returned 0x%08x\n", pSlots[i], 
+                     pMechanismList[j]);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    [%lu]: CK_MECHANISM_TYPE = %lu\n", (j+1), pMechanismList[j]);
+        PR_fprintf(PR_STDOUT, "    ulMinKeySize = %lu\n", minfo.ulMinKeySize);
+        PR_fprintf(PR_STDOUT, "    ulMaxKeySize = %lu\n", minfo.ulMaxKeySize);
+        PR_fprintf(PR_STDOUT, "    flags = 0x%08x\n", minfo.flags);
+        PR_fprintf(PR_STDOUT, "        -> HW = %s\n", minfo.flags & CKF_HW ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> SIGN = %s\n", minfo.flags & CKF_SIGN ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> SIGN_RECOVER = %s\n", minfo.flags & CKF_SIGN_RECOVER ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> VERIFY_RECOVER = %s\n", minfo.flags & CKF_VERIFY_RECOVER ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> GENERATE_KEY_PAIR = %s\n", minfo.flags & CKF_GENERATE_KEY_PAIR ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> WRAP = %s\n", minfo.flags & CKF_WRAP ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "        -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ? "TRUE" : "FALSE");
+
+        PR_fprintf(PR_STDOUT, "\n");
+      }
+
+      if( tinfo.flags & CKF_LOGIN_REQUIRED ) {
+        PR_fprintf(PR_STDERR, "*** LOGIN REQUIRED but not yet implemented ***\n");
+        /* all the stuff about logging in as SO and setting the user pin if needed, etc. */
+        return 2;
+      }
+
+      /* session to find objects */
+      {
+        CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+        CK_SESSION_INFO sinfo;
+        CK_ATTRIBUTE_PTR pTemplate;
+        CK_ULONG tnObjects = 0;
+
+        ck_rv = epv->C_OpenSession(pSlots[i], CKF_SERIAL_SESSION, (CK_VOID_PTR)CK_NULL_PTR, (CK_NOTIFY)CK_NULL_PTR, &h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_OpenSession(%lu, CKF_SERIAL_SESSION, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Opened a session: handle = 0x%08x\n", h);
+
+        (void)memset(&sinfo, 0, sizeof(CK_SESSION_INFO));
+        ck_rv = epv->C_GetSessionInfo(h, &sinfo);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDOUT, "C_GetSessionInfo(%lu, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    SESSION INFO:\n");
+        PR_fprintf(PR_STDOUT, "        slotID = %lu\n", sinfo.slotID);
+        PR_fprintf(PR_STDOUT, "        state = %lu\n", sinfo.state);
+        PR_fprintf(PR_STDOUT, "        flags = 0x%08x\n", sinfo.flags);
+#ifdef CKF_EXCLUSIVE_SESSION
+        PR_fprintf(PR_STDOUT, "            -> EXCLUSIVE SESSION = %s\n", sinfo.flags & CKF_EXCLUSIVE_SESSION ? "TRUE" : "FALSE");
+#endif /* CKF_EXCLUSIVE_SESSION */
+        PR_fprintf(PR_STDOUT, "            -> RW SESSION = %s\n", sinfo.flags & CKF_RW_SESSION ? "TRUE" : "FALSE");
+        PR_fprintf(PR_STDOUT, "            -> SERIAL SESSION = %s\n", sinfo.flags & CKF_SERIAL_SESSION ? "TRUE" : "FALSE");
+#ifdef CKF_INSERTION_CALLBACK
+        PR_fprintf(PR_STDOUT, "            -> INSERTION CALLBACK = %s\n", sinfo.flags & CKF_INSERTION_CALLBACK ? "TRUE" : "FALSE");
+#endif /* CKF_INSERTION_CALLBACK */
+        PR_fprintf(PR_STDOUT, "        ulDeviceError = %lu\n", sinfo.ulDeviceError);
+        PR_fprintf(PR_STDOUT, "\n");
+
+        ck_rv = epv->C_FindObjectsInit(h, (CK_ATTRIBUTE_PTR)CK_NULL_PTR, 0);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDOUT, "C_FindObjectsInit(%lu, NULL_PTR, 0) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        pTemplate = (CK_ATTRIBUTE_PTR)PR_Calloc(number_of_all_known_attribute_types, sizeof(CK_ATTRIBUTE));
+        if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+          PR_fprintf(PR_STDERR, "[memory allocation of %lu bytes failed]\n", 
+                     number_of_all_known_attribute_types * sizeof(CK_ATTRIBUTE));
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    All objects:\n");
+
+        while(1) {
+          CK_OBJECT_HANDLE o = (CK_OBJECT_HANDLE)0;
+          CK_ULONG nObjects = 0;
+          CK_ULONG k;
+          CK_ULONG nAttributes = 0;
+          CK_ATTRIBUTE_PTR pT2;
+          CK_ULONG l;
+
+          ck_rv = epv->C_FindObjects(h, &o, 1, &nObjects);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_FindObjects(%lu, , 1, ) returned 0x%08x\n", h, ck_rv);
+            return 1;
+          }
+
+          if( 0 == nObjects ) {
+            PR_fprintf(PR_STDOUT, "\n");
+            break;
+          }
+
+          tnObjects++;
+
+          PR_fprintf(PR_STDOUT, "        OBJECT HANDLE %lu:\n", o);
+
+          for( k = 0; k < number_of_all_known_attribute_types; k++ ) {
+            pTemplate[k].type = all_known_attribute_types[k];
+            pTemplate[k].pValue = (CK_VOID_PTR)CK_NULL_PTR;
+            pTemplate[k].ulValueLen = 0;
+          }
+
+          ck_rv = epv->C_GetAttributeValue(h, o, pTemplate, number_of_all_known_attribute_types);
+          switch( ck_rv ) {
+          case CKR_OK:
+          case CKR_ATTRIBUTE_SENSITIVE:
+          case CKR_ATTRIBUTE_TYPE_INVALID:
+          case CKR_BUFFER_TOO_SMALL:
+            break;
+          default:
+            PR_fprintf(PR_STDERR, "C_GetAtributeValue(%lu, %lu, {all attribute types}, %lu) returned 0x%08x\n",
+                       h, o, number_of_all_known_attribute_types, ck_rv);
+            return 1;
+          }
+
+          for( k = 0; k < number_of_all_known_attribute_types; k++ ) {
+            if( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+              nAttributes++;
+            }
+          }
+
+          if( 1 ) {
+            PR_fprintf(PR_STDOUT, "            %lu attributes:\n", nAttributes);
+            for( k = 0; k < number_of_all_known_attribute_types; k++ ) {
+              if( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+                PR_fprintf(PR_STDOUT, "                0x%08x (len = %lu)\n", pTemplate[k].type, 
+                           pTemplate[k].ulValueLen);
+              }
+            }
+            PR_fprintf(PR_STDOUT, "\n");
+          }
+
+          pT2 = (CK_ATTRIBUTE_PTR)PR_Calloc(nAttributes, sizeof(CK_ATTRIBUTE));
+          if( (CK_ATTRIBUTE_PTR)NULL == pT2 ) {
+            PR_fprintf(PR_STDERR, "[memory allocation of %lu bytes failed]\n", 
+                       nAttributes * sizeof(CK_ATTRIBUTE));
+            return 1;
+          }
+
+          for( l = 0, k = 0; k < number_of_all_known_attribute_types; k++ ) {
+            if( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
+              pT2[l].type = pTemplate[k].type;
+              pT2[l].ulValueLen = pTemplate[k].ulValueLen;
+              pT2[l].pValue = (CK_VOID_PTR)PR_Malloc(pT2[l].ulValueLen);
+              if( (CK_VOID_PTR)NULL == pT2[l].pValue ) {
+                PR_fprintf(PR_STDERR, "[memory allocation of %lu bytes failed]\n", pT2[l].ulValueLen);
+                return 1;
+              }
+              l++;
+            }
+          }
+
+          PR_ASSERT( l == nAttributes );
+
+          ck_rv = epv->C_GetAttributeValue(h, o, pT2, nAttributes);
+          switch( ck_rv ) {
+          case CKR_OK:
+          case CKR_ATTRIBUTE_SENSITIVE:
+          case CKR_ATTRIBUTE_TYPE_INVALID:
+          case CKR_BUFFER_TOO_SMALL:
+            break;
+          default:
+            PR_fprintf(PR_STDERR, "C_GetAtributeValue(%lu, %lu, {existant attribute types}, %lu) returned 0x%08x\n",
+                       h, o, nAttributes, ck_rv);
+            return 1;
+          }
+
+          for( l = 0; l < nAttributes; l++ ) {
+            PR_fprintf(PR_STDOUT, "            type = 0x%08x, len = %ld", pT2[l].type, (CK_LONG)pT2[l].ulValueLen);
+            if( -1 == (CK_LONG)pT2[l].ulValueLen ) {
+              ;
+            } else {
+              CK_ULONG m;
+
+              if( pT2[l].ulValueLen <= 8 ) {
+                PR_fprintf(PR_STDOUT, ", value = ");
+              } else {
+                PR_fprintf(PR_STDOUT, ", value = \n                ");
+              }
+
+              for( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
+                PR_fprintf(PR_STDOUT, "%02x", (CK_ULONG)(0xff & ((CK_CHAR_PTR)pT2[l].pValue)[m]));
+              }
+
+              PR_fprintf(PR_STDOUT, " ");
+
+              for( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
+                CK_CHAR c = ((CK_CHAR_PTR)pT2[l].pValue)[m];
+                if( (c < 0x20) || (c >= 0x7f) ) {
+                  c = '.';
+                }
+                PR_fprintf(PR_STDOUT, "%c", c);
+              }
+            }
+
+            PR_fprintf(PR_STDOUT, "\n");
+          }
+          
+          PR_fprintf(PR_STDOUT, "\n");
+
+          for( l = 0; l < nAttributes; l++ ) {
+            PR_Free(pT2[l].pValue);
+          }
+          PR_Free(pT2);
+        } /* while(1) */
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    (%lu objects total)\n", tnObjects);
+
+        ck_rv = epv->C_CloseSession(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CloseSession(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+      } /* session to find objects */
+
+      /* session to create, find, and delete a couple session objects */
+      {
+        CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+        CK_ATTRIBUTE one[7], two[7], three[7], delta[1], mask[1];
+        CK_OBJECT_CLASS cko_data = CKO_DATA;
+        CK_BBOOL false = CK_FALSE, true = CK_TRUE;
+        char *key = "TEST PROGRAM";
+        CK_ULONG key_len = strlen(key);
+        CK_OBJECT_HANDLE hOneIn = (CK_OBJECT_HANDLE)0, hTwoIn = (CK_OBJECT_HANDLE)0, 
+          hThreeIn = (CK_OBJECT_HANDLE)0, hDeltaIn = (CK_OBJECT_HANDLE)0;
+        CK_OBJECT_HANDLE found[10];
+        CK_ULONG nFound;
+
+        ck_rv = epv->C_OpenSession(pSlots[i], CKF_SERIAL_SESSION, (CK_VOID_PTR)CK_NULL_PTR, (CK_NOTIFY)CK_NULL_PTR, &h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_OpenSession(%lu, CKF_SERIAL_SESSION, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Opened a session: handle = 0x%08x\n", h);
+
+        one[0].type = CKA_CLASS;
+        one[0].pValue = &cko_data;
+        one[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        one[1].type = CKA_TOKEN;
+        one[1].pValue = &false;
+        one[1].ulValueLen = sizeof(CK_BBOOL);
+        one[2].type = CKA_PRIVATE;
+        one[2].pValue = &false;
+        one[2].ulValueLen = sizeof(CK_BBOOL);
+        one[3].type = CKA_MODIFIABLE;
+        one[3].pValue = &true;
+        one[3].ulValueLen = sizeof(CK_BBOOL);
+        one[4].type = CKA_LABEL;
+        one[4].pValue = "Test data object one";
+        one[4].ulValueLen = strlen(one[4].pValue);
+        one[5].type = CKA_APPLICATION;
+        one[5].pValue = key;
+        one[5].ulValueLen = key_len;
+        one[6].type = CKA_VALUE;
+        one[6].pValue = "Object one";
+        one[6].ulValueLen = strlen(one[6].pValue);
+
+        two[0].type = CKA_CLASS;
+        two[0].pValue = &cko_data;
+        two[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        two[1].type = CKA_TOKEN;
+        two[1].pValue = &false;
+        two[1].ulValueLen = sizeof(CK_BBOOL);
+        two[2].type = CKA_PRIVATE;
+        two[2].pValue = &false;
+        two[2].ulValueLen = sizeof(CK_BBOOL);
+        two[3].type = CKA_MODIFIABLE;
+        two[3].pValue = &true;
+        two[3].ulValueLen = sizeof(CK_BBOOL);
+        two[4].type = CKA_LABEL;
+        two[4].pValue = "Test data object two";
+        two[4].ulValueLen = strlen(two[4].pValue);
+        two[5].type = CKA_APPLICATION;
+        two[5].pValue = key;
+        two[5].ulValueLen = key_len;
+        two[6].type = CKA_VALUE;
+        two[6].pValue = "Object two";
+        two[6].ulValueLen = strlen(two[6].pValue);
+
+        three[0].type = CKA_CLASS;
+        three[0].pValue = &cko_data;
+        three[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        three[1].type = CKA_TOKEN;
+        three[1].pValue = &false;
+        three[1].ulValueLen = sizeof(CK_BBOOL);
+        three[2].type = CKA_PRIVATE;
+        three[2].pValue = &false;
+        three[2].ulValueLen = sizeof(CK_BBOOL);
+        three[3].type = CKA_MODIFIABLE;
+        three[3].pValue = &true;
+        three[3].ulValueLen = sizeof(CK_BBOOL);
+        three[4].type = CKA_LABEL;
+        three[4].pValue = "Test data object three";
+        three[4].ulValueLen = strlen(three[4].pValue);
+        three[5].type = CKA_APPLICATION;
+        three[5].pValue = key;
+        three[5].ulValueLen = key_len;
+        three[6].type = CKA_VALUE;
+        three[6].pValue = "Object three";
+        three[6].ulValueLen = strlen(three[6].pValue);
+
+        ck_rv = epv->C_CreateObject(h, one, 7, &hOneIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, one, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object one: handle = %lu\n", hOneIn);
+
+        ck_rv = epv->C_CreateObject(h, two, 7, &hTwoIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, two, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object two: handle = %lu\n", hTwoIn);
+
+        ck_rv = epv->C_CreateObject(h, three, 7, &hThreeIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, three, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object three: handle = %lu\n", hThreeIn);
+
+        delta[0].type = CKA_VALUE;
+        delta[0].pValue = "Copied object";
+        delta[0].ulValueLen = strlen(delta[0].pValue);
+
+        ck_rv = epv->C_CopyObject(h, hThreeIn, delta, 1, &hDeltaIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CopyObject(%lu, %lu, delta, 1, ) returned 0x%08x\n", 
+                     h, hThreeIn, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Copied object three: new handle = %lu\n", hDeltaIn);
+
+        mask[0].type = CKA_APPLICATION;
+        mask[0].pValue = key;
+        mask[0].ulValueLen = key_len;
+
+        ck_rv = epv->C_FindObjectsInit(h, mask, 1);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 1) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        (void)memset(&found, 0, sizeof(found));
+        nFound = 0;
+        ck_rv = epv->C_FindObjects(h, found, 10, &nFound);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjects(%lu,, 10, ) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        if( 4 != nFound ) {
+          PR_fprintf(PR_STDERR, "Found %lu objects, not 4.\n", nFound);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Found 4 objects: %lu, %lu, %lu, %lu\n", 
+                   found[0], found[1], found[2], found[3]);
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        ck_rv = epv->C_DestroyObject(h, hThreeIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_DestroyObject(%lu, %lu) returned 0x%08x\n", h, hThreeIn, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Destroyed object three (handle = %lu)\n", hThreeIn);
+
+        delta[0].type = CKA_APPLICATION;
+        delta[0].pValue = "Changed application";
+        delta[0].ulValueLen = strlen(delta[0].pValue);
+
+        ck_rv = epv->C_SetAttributeValue(h, hTwoIn, delta, 1);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_SetAttributeValue(%lu, %lu, delta, 1) returned 0x%08x\n", 
+                     h, hTwoIn, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Changed object two (handle = %lu).\n", hTwoIn);
+
+        /* Can another session find these session objects? */
+        {
+          CK_SESSION_HANDLE h2 = (CK_SESSION_HANDLE)0;
+
+          ck_rv = epv->C_OpenSession(pSlots[i], CKF_SERIAL_SESSION, (CK_VOID_PTR)CK_NULL_PTR, (CK_NOTIFY)CK_NULL_PTR, &h2);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_OpenSession(%lu, CKF_SERIAL_SESSION, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+            return 1;
+          }
+
+          PR_fprintf(PR_STDOUT, "    Opened a second session: handle = 0x%08x\n", h2);
+
+          /* mask is still the same */
+
+          ck_rv = epv->C_FindObjectsInit(h2, mask, 1);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 1) returned 0x%08x\n", 
+                       h2, ck_rv);
+            return 1;
+          }
+
+          (void)memset(&found, 0, sizeof(found));
+          nFound = 0;
+          ck_rv = epv->C_FindObjects(h2, found, 10, &nFound);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_FindObjects(%lu,, 10, ) returned 0x%08x\n", 
+                       h2, ck_rv);
+            return 1;
+          }
+
+          if( 2 != nFound ) {
+            PR_fprintf(PR_STDERR, "Found %lu objects, not 2.\n", nFound);
+            return 1;
+          }
+
+          PR_fprintf(PR_STDOUT, "    Found 2 objects: %lu, %lu\n", 
+                     found[0], found[1]);
+
+          ck_rv = epv->C_FindObjectsFinal(h2);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h2, ck_rv);
+            return 1;
+          }
+
+          /* Leave the session hanging open, we'll CloseAllSessions later */
+        } /* Can another session find these session objects? */
+
+        ck_rv = epv->C_CloseAllSessions(pSlots[i]);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CloseAllSessions(%lu) returned 0x%08x\n", pSlots[i], ck_rv);
+          return 1;
+        }
+      } /* session to create, find, and delete a couple session objects */
+
+      /* Might be interesting to do a find here to verify that all session objects are gone. */
+
+      if( tinfo.flags & CKF_WRITE_PROTECTED ) {
+        PR_fprintf(PR_STDOUT, "Token is write protected, skipping token-object tests.\n");
+      } else {
+        CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+        CK_ATTRIBUTE tobj[7], tsobj[7], stobj[7], delta[1], mask[2];
+        CK_OBJECT_CLASS cko_data = CKO_DATA;
+        CK_BBOOL false = CK_FALSE, true = CK_TRUE;
+        char *key = "TEST PROGRAM";
+        CK_ULONG key_len = strlen(key);
+        CK_OBJECT_HANDLE hTIn = (CK_OBJECT_HANDLE)0, hTSIn = (CK_OBJECT_HANDLE)0, 
+          hSTIn = (CK_OBJECT_HANDLE)0, hDeltaIn = (CK_OBJECT_HANDLE)0;
+        CK_OBJECT_HANDLE found[10];
+        CK_ULONG nFound;
+
+        ck_rv = epv->C_OpenSession(pSlots[i], CKF_SERIAL_SESSION, (CK_VOID_PTR)CK_NULL_PTR, (CK_NOTIFY)CK_NULL_PTR, &h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_OpenSession(%lu, CKF_SERIAL_SESSION, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Opened a session: handle = 0x%08x\n", h);
+
+        tobj[0].type = CKA_CLASS;
+        tobj[0].pValue = &cko_data;
+        tobj[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        tobj[1].type = CKA_TOKEN;
+        tobj[1].pValue = &true;
+        tobj[1].ulValueLen = sizeof(CK_BBOOL);
+        tobj[2].type = CKA_PRIVATE;
+        tobj[2].pValue = &false;
+        tobj[2].ulValueLen = sizeof(CK_BBOOL);
+        tobj[3].type = CKA_MODIFIABLE;
+        tobj[3].pValue = &true;
+        tobj[3].ulValueLen = sizeof(CK_BBOOL);
+        tobj[4].type = CKA_LABEL;
+        tobj[4].pValue = "Test data object token";
+        tobj[4].ulValueLen = strlen(tobj[4].pValue);
+        tobj[5].type = CKA_APPLICATION;
+        tobj[5].pValue = key;
+        tobj[5].ulValueLen = key_len;
+        tobj[6].type = CKA_VALUE;
+        tobj[6].pValue = "Object token";
+        tobj[6].ulValueLen = strlen(tobj[6].pValue);
+
+        tsobj[0].type = CKA_CLASS;
+        tsobj[0].pValue = &cko_data;
+        tsobj[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        tsobj[1].type = CKA_TOKEN;
+        tsobj[1].pValue = &true;
+        tsobj[1].ulValueLen = sizeof(CK_BBOOL);
+        tsobj[2].type = CKA_PRIVATE;
+        tsobj[2].pValue = &false;
+        tsobj[2].ulValueLen = sizeof(CK_BBOOL);
+        tsobj[3].type = CKA_MODIFIABLE;
+        tsobj[3].pValue = &true;
+        tsobj[3].ulValueLen = sizeof(CK_BBOOL);
+        tsobj[4].type = CKA_LABEL;
+        tsobj[4].pValue = "Test data object token->session";
+        tsobj[4].ulValueLen = strlen(tsobj[4].pValue);
+        tsobj[5].type = CKA_APPLICATION;
+        tsobj[5].pValue = key;
+        tsobj[5].ulValueLen = key_len;
+        tsobj[6].type = CKA_VALUE;
+        tsobj[6].pValue = "Object token->session";
+        tsobj[6].ulValueLen = strlen(tsobj[6].pValue);
+
+        stobj[0].type = CKA_CLASS;
+        stobj[0].pValue = &cko_data;
+        stobj[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        stobj[1].type = CKA_TOKEN;
+        stobj[1].pValue = &false;
+        stobj[1].ulValueLen = sizeof(CK_BBOOL);
+        stobj[2].type = CKA_PRIVATE;
+        stobj[2].pValue = &false;
+        stobj[2].ulValueLen = sizeof(CK_BBOOL);
+        stobj[3].type = CKA_MODIFIABLE;
+        stobj[3].pValue = &true;
+        stobj[3].ulValueLen = sizeof(CK_BBOOL);
+        stobj[4].type = CKA_LABEL;
+        stobj[4].pValue = "Test data object session->token";
+        stobj[4].ulValueLen = strlen(stobj[4].pValue);
+        stobj[5].type = CKA_APPLICATION;
+        stobj[5].pValue = key;
+        stobj[5].ulValueLen = key_len;
+        stobj[6].type = CKA_VALUE;
+        stobj[6].pValue = "Object session->token";
+        stobj[6].ulValueLen = strlen(stobj[6].pValue);
+
+        ck_rv = epv->C_CreateObject(h, tobj, 7, &hTIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, tobj, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object token: handle = %lu\n", hTIn);
+
+        ck_rv = epv->C_CreateObject(h, tsobj, 7, &hTSIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, tobj, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object token->session: handle = %lu\n", hTSIn);
+        ck_rv = epv->C_CreateObject(h, stobj, 7, &hSTIn);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, tobj, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created object session->token: handle = %lu\n", hSTIn);
+
+        /* I've created two token objects and one session object; find the two */
+
+        mask[0].type = CKA_APPLICATION;
+        mask[0].pValue = key;
+        mask[0].ulValueLen = key_len;
+        mask[1].type = CKA_TOKEN;
+        mask[1].pValue = &true;
+        mask[1].ulValueLen = sizeof(CK_BBOOL);
+
+        ck_rv = epv->C_FindObjectsInit(h, mask, 2);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 2) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        (void)memset(&found, 0, sizeof(found));
+        nFound = 0;
+        ck_rv = epv->C_FindObjects(h, found, 10, &nFound);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjects(%lu,, 10, ) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        if( 2 != nFound ) {
+          PR_fprintf(PR_STDERR, "Found %lu objects, not 2.\n", nFound);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Found 2 objects: %lu, %lu\n", 
+                   found[0], found[1]);
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        /* Convert a token to session object */
+
+        delta[0].type = CKA_TOKEN;
+        delta[0].pValue = &false;
+        delta[0].ulValueLen = sizeof(CK_BBOOL);
+
+        ck_rv = epv->C_SetAttributeValue(h, hTSIn, delta, 1);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_SetAttributeValue(%lu, %lu, delta, 1) returned 0x%08x\n", 
+                     h, hTSIn, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Changed object from token to session (handle = %lu).\n", hTSIn);
+
+        /* Now find again; there should be one */
+
+        mask[0].type = CKA_APPLICATION;
+        mask[0].pValue = key;
+        mask[0].ulValueLen = key_len;
+        mask[1].type = CKA_TOKEN;
+        mask[1].pValue = &true;
+        mask[1].ulValueLen = sizeof(CK_BBOOL);
+
+        ck_rv = epv->C_FindObjectsInit(h, mask, 2);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 2) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        (void)memset(&found, 0, sizeof(found));
+        nFound = 0;
+        ck_rv = epv->C_FindObjects(h, found, 10, &nFound);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjects(%lu,, 10, ) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        if( 1 != nFound ) {
+          PR_fprintf(PR_STDERR, "Found %lu objects, not 1.\n", nFound);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Found 1 objects: %lu\n", 
+                   found[0]);
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        /* Convert a session to a token object */
+
+        delta[0].type = CKA_TOKEN;
+        delta[0].pValue = &true;
+        delta[0].ulValueLen = sizeof(CK_BBOOL);
+
+        ck_rv = epv->C_SetAttributeValue(h, hSTIn, delta, 1);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_SetAttributeValue(%lu, %lu, delta, 1) returned 0x%08x\n", 
+                     h, hSTIn, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Changed object from session to token (handle = %lu).\n", hSTIn);
+
+        /* Now find again; there should be two again */
+
+        mask[0].type = CKA_APPLICATION;
+        mask[0].pValue = key;
+        mask[0].ulValueLen = key_len;
+        mask[1].type = CKA_TOKEN;
+        mask[1].pValue = &true;
+        mask[1].ulValueLen = sizeof(CK_BBOOL);
+
+        ck_rv = epv->C_FindObjectsInit(h, mask, 2);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 2) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        (void)memset(&found, 0, sizeof(found));
+        nFound = 0;
+        ck_rv = epv->C_FindObjects(h, found, 10, &nFound);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjects(%lu,, 10, ) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        if( 2 != nFound ) {
+          PR_fprintf(PR_STDERR, "Found %lu objects, not 2.\n", nFound);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Found 2 objects: %lu, %lu\n", 
+                   found[0], found[1]);
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        /* Delete the two (found) token objects to clean up */
+
+        ck_rv = epv->C_DestroyObject(h, found[0]);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_DestroyObject(%lu, %lu) returned 0x%08x\n", h, found[0], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Destroyed token object (handle = %lu)\n", found[0]);
+
+        ck_rv = epv->C_DestroyObject(h, found[1]);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_DestroyObject(%lu, %lu) returned 0x%08x\n", h, found[1], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Destroyed token object (handle = %lu)\n", found[1]);
+        
+        /* Close the session and all objects should be gone */
+
+        ck_rv = epv->C_CloseSession(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CloseSession(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+      } /* if( tinfo.flags & CKF_WRITE_PROTECTED ) */
+
+      if( tinfo.flags & CKF_WRITE_PROTECTED ) {
+        PR_fprintf(PR_STDOUT, "Token is write protected, skipping leaving a record.\n");
+      } else {
+        CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
+        CK_ATTRIBUTE record[7], mask[2];
+        CK_OBJECT_CLASS cko_data = CKO_DATA;
+        CK_BBOOL false = CK_FALSE, true = CK_TRUE;
+        char *key = "TEST RECORD";
+        CK_ULONG key_len = strlen(key);
+        CK_OBJECT_HANDLE hin = (CK_OBJECT_HANDLE)0;
+        char timebuffer[256];
+
+        ck_rv = epv->C_OpenSession(pSlots[i], CKF_SERIAL_SESSION, (CK_VOID_PTR)CK_NULL_PTR, (CK_NOTIFY)CK_NULL_PTR, &h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_OpenSession(%lu, CKF_SERIAL_SESSION, , ) returned 0x%08x\n", pSlots[i], ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Opened a session: handle = 0x%08x\n", h);
+
+        /* I can't believe how hard NSPR makes this operation */
+        {
+          time_t now = 0;
+          struct tm *tm;
+          time(&now);
+          tm = localtime(&now);
+          strftime(timebuffer, sizeof(timebuffer), "%Y-%m-%d %T %Z", tm);
+        }
+
+        record[0].type = CKA_CLASS;
+        record[0].pValue = &cko_data;
+        record[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        record[1].type = CKA_TOKEN;
+        record[1].pValue = &true;
+        record[1].ulValueLen = sizeof(CK_BBOOL);
+        record[2].type = CKA_PRIVATE;
+        record[2].pValue = &false;
+        record[2].ulValueLen = sizeof(CK_BBOOL);
+        record[3].type = CKA_MODIFIABLE;
+        record[3].pValue = &true;
+        record[3].ulValueLen = sizeof(CK_BBOOL);
+        record[4].type = CKA_LABEL;
+        record[4].pValue = "Test record";
+        record[4].ulValueLen = strlen(record[4].pValue);
+        record[5].type = CKA_APPLICATION;
+        record[5].pValue = key;
+        record[5].ulValueLen = key_len;
+        record[6].type = CKA_VALUE;
+        record[6].pValue = timebuffer;
+        record[6].ulValueLen = strlen(timebuffer)+1;
+
+        PR_fprintf(PR_STDOUT, "    Timestamping with \"%s\"\n", timebuffer);
+
+        ck_rv = epv->C_CreateObject(h, record, 7, &hin);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_CreateObject(%lu, tobj, 7, ) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+
+        PR_fprintf(PR_STDOUT, "    Created record object: handle = %lu\n", hin);
+        
+        PR_fprintf(PR_STDOUT, "   == All test timestamps ==\n");
+
+        mask[0].type = CKA_CLASS;
+        mask[0].pValue = &cko_data;
+        mask[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
+        mask[1].type = CKA_APPLICATION;
+        mask[1].pValue = key;
+        mask[1].ulValueLen = key_len;
+
+        ck_rv = epv->C_FindObjectsInit(h, mask, 2);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsInit(%lu, mask, 1) returned 0x%08x\n", 
+                     h, ck_rv);
+          return 1;
+        }
+
+        while( 1 ) {
+          CK_OBJECT_HANDLE o = (CK_OBJECT_HANDLE)0;
+          CK_ULONG nObjects = 0;
+          CK_ATTRIBUTE value[1];
+          char buffer[1024];
+
+          ck_rv = epv->C_FindObjects(h, &o, 1, &nObjects);
+          if( CKR_OK != ck_rv ) {
+            PR_fprintf(PR_STDERR, "C_FindObjects(%lu, , 1, ) returned 0x%08x\n", h, ck_rv);
+            return 1;
+          }
+
+          if( 0 == nObjects ) {
+            PR_fprintf(PR_STDOUT, "\n");
+            break;
+          }
+
+          value[0].type = CKA_VALUE;
+          value[0].pValue = buffer;
+          value[0].ulValueLen = sizeof(buffer);
+
+          ck_rv = epv->C_GetAttributeValue(h, o, value, 1);
+          switch( ck_rv ) {
+          case CKR_OK:
+            PR_fprintf(PR_STDOUT, "    %s\n", value[0].pValue);
+            break;
+          case CKR_ATTRIBUTE_SENSITIVE:
+            PR_fprintf(PR_STDOUT, "    [Sensitive???]\n");
+            break;
+          case CKR_ATTRIBUTE_TYPE_INVALID:
+            PR_fprintf(PR_STDOUT, "    [Invalid attribute???]\n");
+            break;
+          case CKR_BUFFER_TOO_SMALL:
+            PR_fprintf(PR_STDOUT, "    (result > 1k (%lu))\n", value[0].ulValueLen);
+            break;
+          default:
+            PR_fprintf(PR_STDERR, "C_GetAtributeValue(%lu, %lu, CKA_VALUE, 1) returned 0x%08x\n",
+                       h, o);
+            return 1;
+          }
+        } /* while */
+
+        ck_rv = epv->C_FindObjectsFinal(h);
+        if( CKR_OK != ck_rv ) {
+          PR_fprintf(PR_STDERR, "C_FindObjectsFinal(%lu) returned 0x%08x\n", h, ck_rv);
+          return 1;
+        }
+      } /* "leaving a record" else clause */
+
+    }
+
+    PR_fprintf(PR_STDOUT, "\n");
+  }
+
+  return 0;
+}
diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh
new file mode 100755
index 000000000..6988fae35
--- /dev/null
+++ b/security/nss/tests/pkits/pkits.sh
@@ -0,0 +1,2019 @@
+#!/bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/pkits/pkits.sh
+#
+# Script to test the NIST PKITS tests 
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#    vfychain 
+#
+# special NOTES
+# ---------------
+# NIST PKITS data needs to be downloaded from
+# http://csrc.nist.gov/pki/testing/x509paths.html
+# Environment variable PKITS_DATA needs to be set to the directory
+# where this data is downloaded, or test data needs to be copied under 
+# the mozilla source tree in mozilla/PKITS_DATA
+########################################################################
+
+############################## pkits_init ##############################
+# local shell function to initialize this script 
+########################################################################
+pkits_init()
+{
+  SCRIPTNAME=pkits.sh
+
+  if [ -z "${CLEANUP}" ] ; then
+      CLEANUP="${SCRIPTNAME}"
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+
+  if [ -z "${PKITS_DATA}" ]; then
+      echo "${SCRIPTNAME}: PKITS data directory not defined, skipping."
+      exit 0
+  fi      
+
+  if [ ! -d "${PKITS_DATA}" ]; then
+      echo "${SCRIPTNAME}: PKITS data directory ${PKITS_DATA} doesn't exist, skipping."
+      exit 0
+  fi
+
+  PKITSDIR=${HOSTDIR}/pkits
+
+  COPYDIR=${PKITSDIR}/copydir
+
+  mkdir -p ${PKITSDIR}
+  mkdir -p ${COPYDIR}
+  mkdir -p ${PKITSDIR}/html
+
+  certs=${PKITS_DATA}/certs
+  crls=${PKITS_DATA}/crls
+
+  cd ${PKITSDIR}
+
+  PKITSdb=${PKITSDIR}/PKITSdb
+  PKITSbkp=${PKITSDIR}/PKITSbkp
+
+  PKITS_LOG=${PKITSDIR}/pkits.log #getting its own logfile
+  pkits_log "Start of logfile $PKITS_LOG"
+
+  if [ ! -d "${PKITSdb}" ]; then
+      mkdir -p ${PKITSdb}
+  else
+      pkits_log "$SCRIPTNAME: WARNING - ${PKITSdb} exists"
+  fi
+
+  if [ ! -d "${PKITSbkp}" ]; then
+      mkdir -p ${PKITSbkp}
+  else
+      pkits_log "$SCRIPTNAME: WARNING - ${PKITSbkp} exists"
+  fi
+
+  echo "HOSTDIR" $HOSTDIR
+  echo "PKITSDIR" $PKITSDIR
+  echo "PKITSdb" $PKITSdb
+  echo "PKITSbkp" $PKITSbkp
+  echo "PKITS_DATA" $PKITS_DATA
+  echo "certs" $certs
+  echo "crls" $crls
+
+  echo nss > ${PKITSdb}/pw
+  ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw
+
+  ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \
+      $certs/TrustAnchorRootCertificate.crt -d $PKITSdb
+  if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+    ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb}
+  else
+    html  "<H3>NO CRLs are being used.</H3>"
+    pkits_log "NO CRLs are being used."
+  fi
+
+  cp ${PKITSdb}/* ${PKITSbkp}
+
+  KNOWN_BUG=
+}
+
+############################### pkits_log ##############################
+# write to pkits.log file
+########################################################################
+pkits_log()
+{
+  echo "$SCRIPTNAME $*"
+  echo $* >> ${PKITS_LOG}
+}
+
+restore_db()
+{
+  echo "Restore DB"
+  rm ${PKITSdb}/*
+  cp ${PKITSbkp}/* ${PKITSdb}
+}
+
+log_banner()
+{
+  echo ""
+  echo "--------------------------------------------------------------------"
+  echo "Test case ${VFY_ACTION}"
+  echo ""
+}
+
+start_table()
+{
+  html "<TABLE BORDER=1><TR><TH COLSPAN=3>$*</TH></TR>"
+  html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" 
+  echo ""
+  echo "***************************************************************"
+  echo "$*"
+  echo "***************************************************************"
+}
+
+break_table()
+{
+  html "</TABLE><P>"
+  start_table "$@"
+}
+
+################################ pkits #################################
+# local shell function for positive testcases, calls vfychain, writes 
+# action and options to stdout, sets variable RET and writes results to 
+# the html file results
+########################################################################
+pkits()
+{
+  echo "vfychain -d $PKITSdb -u 4 $*"
+  ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1
+  RET=$?
+  CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt`
+  RET=`expr ${RET} + ${CNT}`
+  cat ${PKITSDIR}/cmdout.txt
+
+  if [ "$RET" -ne 0 ]; then
+      html_failed "${VFY_ACTION} ($RET) "
+      pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+  else
+      html_passed "${VFY_ACTION}"
+      pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+  fi
+
+  return $RET
+}
+
+################################ pkitsn #################################
+# local shell function for negative testcases, calls vfychain, writes 
+# action and options to stdout, sets variable RET and writes results to 
+# the html file results
+########################################################################
+pkitsn()
+{
+  echo "vfychain -d $PKITSdb -u 4 $*"
+  ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1
+  RET=$?
+  CNT=`grep -c ERROR ${PKITSDIR}/cmdout.txt`
+  RET=`expr ${RET} + ${CNT}`
+  cat ${PKITSDIR}/cmdout.txt
+
+  if [ "$RET" -eq 0 ]; then
+      html_failed "${VFY_ACTION} ($RET) "
+      pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+  else
+      html_passed "${VFY_ACTION} ($RET) "
+      pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+  fi
+  return $RET
+}
+
+################################ crlImport #############################
+# local shell function to import a CRL, calls crlutil -I -i, writes 
+# action and options to stdout
+########################################################################
+crlImport()
+{
+  if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+    echo "crlutil -d $PKITSdb -I -i $crls/$*"
+    ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+    RET=$?
+    cat ${PKITSDIR}/cmdout.txt
+
+    if [ "$RET" -ne 0 ]; then
+        html_failed "${VFY_ACTION} ($RET) "
+        pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+    fi
+  fi
+}
+
+################################ crlImportn #############################
+# local shell function to import an incorrect CRL, calls crlutil -I -i, 
+# writes action and options to stdout
+########################################################################
+crlImportn()
+{
+  RET=0
+  if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+    echo "crlutil -d $PKITSdb -I -i $crls/$*"
+    ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1
+    RET=$?
+    cat ${PKITSDIR}/cmdout.txt
+
+    if [ "$RET" -eq 0 ]; then
+        html_failed "${VFY_ACTION} ($RET) "
+        pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+    else
+        html_passed "${VFY_ACTION} ($RET) "
+        pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+    fi
+  fi
+  return $RET
+}
+
+################################ certImport #############################
+# local shell function to import a Cert, calls certutil -A, writes 
+# action and options to stdout
+########################################################################
+certImport()
+{
+  echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt"
+  ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1
+  RET=$?
+  cat ${PKITSDIR}/cmdout.txt
+
+  if [ "$RET" -ne 0 ]; then
+      html_failed "${VFY_ACTION} ($RET) "
+      pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+  fi
+}
+
+################################ certImportn #############################
+# local shell function to import an incorrect Cert, calls certutil -A, 
+# writes action and options to stdout
+########################################################################
+certImportn()
+{
+  RET=0
+  if [ -z "$NSS_NO_PKITS_CRLS" ]; then
+    echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt"
+    ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1
+    RET=$?
+    cat ${PKITSDIR}/cmdout.txt
+
+    if [ "$RET" -eq 0 ]; then
+        html_failed "${VFY_ACTION} ($RET) "
+        pkits_log "ERROR: ${VFY_ACTION} failed $RET"
+    else
+        html_passed "${VFY_ACTION} ($RET) "
+        pkits_log "SUCCESS: ${VFY_ACTION} returned as expected $RET"
+    fi
+  fi
+}
+
+############################## pkits_tests_bySection ###################
+# running the various PKITS tests
+########################################################################
+pkits_SignatureVerification()
+{
+  start_table "NIST PKITS Section 4.1: Signature Verification"
+
+  VFY_ACTION="Valid Signatures Test1"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidCertificatePathTest1EE.crt $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid CA Signature Test2"; log_banner
+  certImport BadSignedCACert
+  crlImport BadSignedCACRL.crl
+  pkitsn $certs/InvalidCASignatureTest2EE.crt \
+    $certs/BadSignedCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid EE Signature Test3"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidEESignatureTest3EE.crt $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DSA Signatures Test4"; log_banner
+  certImport DSACACert
+  crlImport DSACACRL.crl
+  pkits $certs/ValidDSASignaturesTest4EE.crt $certs/DSACACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DSA Parameter Inheritance Test5"; log_banner
+  certImport DSACACert
+  crlImport DSACACRL.crl
+  certImport DSAParametersInheritedCACert
+  crlImport DSAParametersInheritedCACRL.crl
+  pkits $certs/ValidDSAParameterInheritanceTest5EE.crt \
+      $certs/DSAParametersInheritedCACert.crt \
+      $certs/DSACACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DSA Signature Test6"; log_banner
+  certImport DSACACert
+  crlImport DSACACRL.crl
+  pkitsn $certs/InvalidDSASignatureTest6EE.crt $certs/DSACACert.crt
+  restore_db
+}
+
+pkits_ValidityPeriods()
+{
+  break_table "NIST PKITS Section 4.2: Validity Periods"
+
+  VFY_ACTION="Invalid CA notBefore Date Test1"; log_banner
+  certImport BadnotBeforeDateCACert
+  crlImportn BadnotBeforeDateCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidCAnotBeforeDateTest1EE.crt \
+          $certs/BadnotBeforeDateCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid EE notBefore Date Test2"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidEEnotBeforeDateTest2EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid pre2000 UTC notBefore Date Test3"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/Validpre2000UTCnotBeforeDateTest3EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid GeneralizedTime notBefore Date Test4"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid CA notAfter Date Test5"; log_banner
+  certImport BadnotAfterDateCACert
+  crlImportn BadnotAfterDateCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidCAnotAfterDateTest5EE.crt \
+          $certs/BadnotAfterDateCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid EE notAfter Date Test6"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidEEnotAfterDateTest6EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pre2000 UTC EE notAfter Date Test7"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="ValidGeneralizedTime notAfter Date Test8"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidGeneralizedTimenotAfterDateTest8EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+}
+
+pkits_NameChaining()
+{
+  break_table "NIST PKITS Section 4.3: Verifying NameChaining"
+
+  VFY_ACTION="Invalid Name Chaining EE Test1"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidNameChainingTest1EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Name Chaining Order Test2"; log_banner
+  certImport NameOrderingCACert
+  crlImport NameOrderCACRL.crl
+  pkitsn $certs/InvalidNameChainingOrderTest2EE.crt \
+      $certs/NameOrderingCACert.crt
+  restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Name Chaining Whitespace Test3"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidNameChainingWhitespaceTest3EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Name Chaining Whitespace Test4"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidNameChainingWhitespaceTest4EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Name Chaining Capitalization Test5"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidNameChainingCapitalizationTest5EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+fi
+
+  VFY_ACTION="Valid Name Chaining UIDs Test6"; log_banner
+  certImport UIDCACert
+  crlImport UIDCACRL.crl
+  pkits $certs/ValidNameUIDsTest6EE.crt $certs/UIDCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid RFC3280 Mandatory Attribute Types Test7"; log_banner
+  certImport RFC3280MandatoryAttributeTypesCACert
+  crlImport RFC3280MandatoryAttributeTypesCACRL.crl
+  pkits $certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt \
+      $certs/RFC3280MandatoryAttributeTypesCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid RFC3280 Optional Attribute Types Test8"; log_banner
+  certImport RFC3280OptionalAttributeTypesCACert
+  crlImport RFC3280OptionalAttributeTypesCACRL.crl
+  pkits $certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt \
+      $certs/RFC3280OptionalAttributeTypesCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid UTF8String Encoded Names Test9"; log_banner
+  certImport UTF8StringEncodedNamesCACert
+  crlImport UTF8StringEncodedNamesCACRL.crl
+  pkits $certs/ValidUTF8StringEncodedNamesTest9EE.crt \
+      $certs/UTF8StringEncodedNamesCACert.crt
+  restore_db
+
+### bug 216123 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Rollover from PrintableString to UTF8String Test10"; log_banner
+  certImport RolloverfromPrintableStringtoUTF8StringCACert
+  crlImport RolloverfromPrintableStringtoUTF8StringCACRL.crl
+  pkits $certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt \
+      $certs/RolloverfromPrintableStringtoUTF8StringCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid UTF8String case Insensitive Match Test11"; log_banner
+  certImport UTF8StringCaseInsensitiveMatchCACert
+  crlImport UTF8StringCaseInsensitiveMatchCACRL.crl
+  pkits $certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt \
+      $certs/UTF8StringCaseInsensitiveMatchCACert.crt
+  restore_db
+fi
+}
+
+pkits_BasicCertRevocation()
+{
+  break_table "NIST PKITS Section 4.4: Basic Certificate Revocation Tests"
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Missing CRL Test1"; log_banner
+  pkitsn $certs/InvalidMissingCRLTest1EE.crt \
+      $certs/NoCRLCACert.crt
+fi
+
+  VFY_ACTION="Invalid Revoked CA Test2"; log_banner
+  certImport RevokedsubCACert
+  crlImport RevokedsubCACRL.crl
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidRevokedCATest2EE.crt \
+     $certs/RevokedsubCACert.crt $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Revoked EE Test3"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkitsn $certs/InvalidRevokedEETest3EE.crt \
+     $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Bad CRL Signature Test4"; log_banner
+  certImport BadCRLSignatureCACert
+  crlImportn BadCRLSignatureCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidBadCRLSignatureTest4EE.crt \
+          $certs/BadCRLSignatureCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid Bad CRL Issuer Name Test5"; log_banner
+  certImport BadCRLIssuerNameCACert
+  crlImportn BadCRLIssuerNameCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidBadCRLIssuerNameTest5EE.crt \
+          $certs/BadCRLIssuerNameCACert.crt
+  fi
+  restore_db
+
+### bug 414556 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Invalid Wrong CRL Test6"; log_banner
+  certImport WrongCRLCACert
+  crlImport WrongCRLCACRL.crl
+  pkitsn $certs/InvalidWrongCRLTest6EE.crt \
+      $certs/WrongCRLCACert.crt
+  restore_db
+fi
+
+  VFY_ACTION="Valid Two CRLs Test7"; log_banner
+  certImport TwoCRLsCACert
+  crlImport TwoCRLsCAGoodCRL.crl
+  crlImportn TwoCRLsCABadCRL.crl
+  pkits $certs/ValidTwoCRLsTest7EE.crt \
+     $certs/TwoCRLsCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Unknown CRL Entry Extension Test8"; log_banner
+  certImport UnknownCRLEntryExtensionCACert
+  crlImportn UnknownCRLEntryExtensionCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidUnknownCRLEntryExtensionTest8EE.crt \
+          $certs/UnknownCRLEntryExtensionCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid Unknown CRL Extension Test9"; log_banner
+  certImport UnknownCRLExtensionCACert
+  crlImportn UnknownCRLExtensionCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidUnknownCRLExtensionTest9EE.crt \
+          $certs/UnknownCRLExtensionCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid Unknown CRL Extension Test10"; log_banner
+  certImport UnknownCRLExtensionCACert
+  crlImportn UnknownCRLExtensionCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidUnknownCRLExtensionTest10EE.crt \
+          $certs/UnknownCRLExtensionCACert.crt
+  fi
+  restore_db
+
+### bug 414563 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Invalid Old CRL nextUpdate Test11"; log_banner
+  certImport OldCRLnextUpdateCACert
+  crlImport OldCRLnextUpdateCACRL.crl
+  pkitsn $certs/InvalidOldCRLnextUpdateTest11EE.crt \
+     $certs/OldCRLnextUpdateCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pre2000 CRL nextUpdate Test12"; log_banner
+  certImport pre2000CRLnextUpdateCACert
+  crlImport pre2000CRLnextUpdateCACRL.crl
+  pkitsn $certs/Invalidpre2000CRLnextUpdateTest12EE.crt \
+     $certs/pre2000CRLnextUpdateCACert.crt
+  restore_db
+fi
+
+  VFY_ACTION="Valid GeneralizedTime CRL nextUpdate Test13"; log_banner
+  certImport GeneralizedTimeCRLnextUpdateCACert
+  crlImport GeneralizedTimeCRLnextUpdateCACRL.crl
+  pkits $certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt \
+     $certs/GeneralizedTimeCRLnextUpdateCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Negative Serial Number Test14"; log_banner
+  certImport NegativeSerialNumberCACert
+  crlImport NegativeSerialNumberCACRL.crl
+  pkits $certs/ValidNegativeSerialNumberTest14EE.crt \
+     $certs/NegativeSerialNumberCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Negative Serial Number Test15"; log_banner
+  certImport NegativeSerialNumberCACert
+  crlImport NegativeSerialNumberCACRL.crl
+  pkitsn $certs/InvalidNegativeSerialNumberTest15EE.crt \
+     $certs/NegativeSerialNumberCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Long Serial Number Test16"; log_banner
+  certImport LongSerialNumberCACert
+  crlImport LongSerialNumberCACRL.crl
+  pkits $certs/ValidLongSerialNumberTest16EE.crt \
+     $certs/LongSerialNumberCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Long Serial Number Test17"; log_banner
+  certImport LongSerialNumberCACert
+  crlImport LongSerialNumberCACRL.crl
+  pkits $certs/ValidLongSerialNumberTest17EE.crt \
+     $certs/LongSerialNumberCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Long Serial Number Test18"; log_banner
+  certImport LongSerialNumberCACert
+  crlImport LongSerialNumberCACRL.crl
+  pkitsn $certs/InvalidLongSerialNumberTest18EE.crt \
+     $certs/LongSerialNumberCACert.crt
+  restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Separate Certificate and CRL Keys Test19"; log_banner
+  certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+  certImport SeparateCertificateandCRLKeysCRLSigningCert
+  crlImport SeparateCertificateandCRLKeysCRL.crl
+  pkits $certs/ValidSeparateCertificateandCRLKeysTest19EE.crt \
+     $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Separate Certificate and CRL Keys Test20"; log_banner
+  certImport SeparateCertificateandCRLKeysCertificateSigningCACert
+  certImport SeparateCertificateandCRLKeysCRLSigningCert
+  crlImport SeparateCertificateandCRLKeysCRL.crl
+  pkits $certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt \
+     $certs/SeparateCertificateandCRLKeysCRLSigningCert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Separate Certificate and CRL Keys Test21"; log_banner
+  certImport SeparateCertificateandCRLKeysCA2CertificateSigningCACert
+  certImport SeparateCertificateandCRLKeysCA2CRLSigningCert
+  crlImport SeparateCertificateandCRLKeysCA2CRL.crl
+  pkits $certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt \
+     $certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+  restore_db
+fi
+}
+
+pkits_PathVerificWithSelfIssuedCerts()
+{
+  break_table "NIST PKITS Section 4.5: Self-Issued Certificates"
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Basic Self-Issued Old With New Test1"; log_banner
+  certImport BasicSelfIssuedNewKeyCACert
+  crlImport BasicSelfIssuedNewKeyCACRL.crl
+  pkits $certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt \
+      $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+      $certs/BasicSelfIssuedNewKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Basic Self-Issued Old With New Test2"; log_banner
+  certImport BasicSelfIssuedNewKeyCACert
+  crlImport BasicSelfIssuedNewKeyCACRL.crl
+  pkitsn $certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt \
+      $certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt \
+      $certs/BasicSelfIssuedNewKeyCACert.crt
+  restore_db
+fi
+
+### bugs 321755 & 418769 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Basic Self-Issued New With Old Test3"; log_banner
+  certImport BasicSelfIssuedOldKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkits $certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt \
+      $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+      $certs/BasicSelfIssuedOldKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Basic Self-Issued New With Old Test4"; log_banner
+  certImport BasicSelfIssuedOldKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkits $certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt \
+      $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+      $certs/BasicSelfIssuedOldKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Basic Self-Issued New With Old Test5"; log_banner
+  certImport BasicSelfIssuedOldKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkitsn $certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt \
+      $certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt \
+      $certs/BasicSelfIssuedOldKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Basic Self-Issued CRL Signing Key Test6"; log_banner
+  certImport BasicSelfIssuedCRLSigningKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkits $certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test7"; log_banner
+  certImport BasicSelfIssuedCRLSigningKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Basic Self-Issued CRL Signing Key Test8"; log_banner
+  certImport BasicSelfIssuedCRLSigningKeyCACert
+  crlImport BasicSelfIssuedOldKeyCACRL.crl
+  pkitsn $certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt \
+      $certs/BasicSelfIssuedCRLSigningKeyCACert.crt
+  restore_db
+fi
+}
+
+pkits_BasicConstraints()
+{
+  break_table "NIST PKITS Section 4.6: Verifying Basic Constraints"
+
+  VFY_ACTION="Invalid Missing basicConstraints Test1"; log_banner
+  certImport MissingbasicConstraintsCACert
+  crlImport MissingbasicConstraintsCACRL.crl
+  pkitsn $certs/InvalidMissingbasicConstraintsTest1EE.crt \
+      $certs/MissingbasicConstraintsCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid cA False Test2"; log_banner
+  certImport basicConstraintsCriticalcAFalseCACert
+  crlImport basicConstraintsCriticalcAFalseCACRL.crl
+  pkitsn $certs/InvalidcAFalseTest2EE.crt \
+      $certs/basicConstraintsCriticalcAFalseCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid cA False Test3"; log_banner
+  certImport basicConstraintsNotCriticalcAFalseCACert
+  crlImport basicConstraintsNotCriticalcAFalseCACRL.crl
+  pkitsn $certs/InvalidcAFalseTest3EE.crt \
+      $certs/basicConstraintsNotCriticalcAFalseCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid basicConstraints Not Critical Test4"; log_banner
+  certImport basicConstraintsNotCriticalCACert
+  crlImport basicConstraintsNotCriticalCACRL.crl
+  pkits $certs/ValidbasicConstraintsNotCriticalTest4EE.crt \
+      $certs/basicConstraintsNotCriticalCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint Test5"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  certImport pathLenConstraint0subCACert
+  crlImport pathLenConstraint0subCACRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest5EE.crt \
+      $certs/pathLenConstraint0subCACert.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint Test6"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  certImport pathLenConstraint0subCACert
+  crlImport pathLenConstraint0subCACRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest6EE.crt \
+      $certs/pathLenConstraint0subCACert.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid pathLenConstraint Test7"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  pkits $certs/ValidpathLenConstraintTest7EE.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid pathLenConstraint test8"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  pkits $certs/ValidpathLenConstraintTest8EE.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint Test9"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA0Cert
+  crlImport pathLenConstraint6subCA0CRL.crl
+  certImport pathLenConstraint6subsubCA00Cert
+  crlImport pathLenConstraint6subsubCA00CRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest9EE.crt \
+      $certs/pathLenConstraint6subsubCA00Cert.crt \
+      $certs/pathLenConstraint6subCA0Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint Test10"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA0Cert
+  crlImport pathLenConstraint6subCA0CRL.crl
+  certImport pathLenConstraint6subsubCA00Cert
+  crlImport pathLenConstraint6subsubCA00CRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest10EE.crt \
+      $certs/pathLenConstraint6subsubCA00Cert.crt \
+      $certs/pathLenConstraint6subCA0Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint Test11"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA1Cert
+  crlImport pathLenConstraint6subCA1CRL.crl
+  certImport pathLenConstraint6subsubCA11Cert
+  crlImport pathLenConstraint6subsubCA11CRL.crl
+  certImport pathLenConstraint6subsubsubCA11XCert
+  crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest11EE.crt \
+      $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+      $certs/pathLenConstraint6subsubCA11Cert.crt \
+      $certs/pathLenConstraint6subCA1Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid pathLenConstraint test12"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA1Cert
+  crlImport pathLenConstraint6subCA1CRL.crl
+  certImport pathLenConstraint6subsubCA11Cert
+  crlImport pathLenConstraint6subsubCA11CRL.crl
+  certImport pathLenConstraint6subsubsubCA11XCert
+  crlImport pathLenConstraint6subsubsubCA11XCRL.crl
+  pkitsn $certs/InvalidpathLenConstraintTest12EE.crt \
+      $certs/pathLenConstraint6subsubsubCA11XCert.crt \
+      $certs/pathLenConstraint6subsubCA11Cert.crt \
+      $certs/pathLenConstraint6subCA1Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid pathLenConstraint Test13"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA4Cert
+  crlImport pathLenConstraint6subCA4CRL.crl
+  certImport pathLenConstraint6subsubCA41Cert
+  crlImport pathLenConstraint6subsubCA41CRL.crl
+  certImport pathLenConstraint6subsubsubCA41XCert
+  crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+  pkits $certs/ValidpathLenConstraintTest13EE.crt \
+      $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+      $certs/pathLenConstraint6subsubCA41Cert.crt \
+      $certs/pathLenConstraint6subCA4Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid pathLenConstraint Test14"; log_banner
+  certImport pathLenConstraint6CACert
+  crlImport pathLenConstraint6CACRL.crl
+  certImport pathLenConstraint6subCA4Cert
+  crlImport pathLenConstraint6subCA4CRL.crl
+  certImport pathLenConstraint6subsubCA41Cert
+  crlImport pathLenConstraint6subsubCA41CRL.crl
+  certImport pathLenConstraint6subsubsubCA41XCert
+  crlImport pathLenConstraint6subsubsubCA41XCRL.crl
+  pkits $certs/ValidpathLenConstraintTest14EE.crt \
+      $certs/pathLenConstraint6subsubsubCA41XCert.crt \
+      $certs/pathLenConstraint6subsubCA41Cert.crt \
+      $certs/pathLenConstraint6subCA4Cert.crt \
+      $certs/pathLenConstraint6CACert.crt
+  restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Self-Issued pathLenConstraint Test15"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  pkits $certs/ValidSelfIssuedpathLenConstraintTest15EE.crt \
+      $certs/pathLenConstraint0SelfIssuedCACert.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+fi
+
+  VFY_ACTION="Invalid Self-Issued pathLenConstraint Test16"; log_banner
+  certImport pathLenConstraint0CACert
+  crlImport pathLenConstraint0CACRL.crl
+  certImport pathLenConstraint0subCA2Cert
+  crlImport pathLenConstraint0subCA2CRL.crl
+  pkitsn $certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt \
+      $certs/pathLenConstraint0subCA2Cert.crt \
+      $certs/pathLenConstraint0SelfIssuedCACert.crt \
+      $certs/pathLenConstraint0CACert.crt
+  restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Self-Issued pathLenConstraint Test17"; log_banner
+  certImport pathLenConstraint1CACert
+  crlImport pathLenConstraint1CACRL.crl
+  certImport pathLenConstraint1subCACert
+  crlImport pathLenConstraint1subCACRL.crl
+  pkits $certs/ValidSelfIssuedpathLenConstraintTest17EE.crt \
+      $certs/pathLenConstraint1SelfIssuedsubCACert.crt \
+      $certs/pathLenConstraint1subCACert.crt \
+      $certs/pathLenConstraint1SelfIssuedCACert.crt \
+      $certs/pathLenConstraint1CACert.crt
+  restore_db
+fi
+}
+
+pkits_KeyUsage()
+{
+  break_table "NIST PKITS Section 4.7: Key Usage"
+
+  VFY_ACTION="Invalid keyUsage Critical keyCertSign False Test1"; log_banner
+  certImport keyUsageCriticalkeyCertSignFalseCACert
+  crlImport keyUsageCriticalkeyCertSignFalseCACRL.crl
+  pkitsn $certs/InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt \
+      $certs/keyUsageCriticalkeyCertSignFalseCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid keyUsage Not Critical keyCertSign False Test2"; log_banner
+  certImport keyUsageNotCriticalkeyCertSignFalseCACert
+  crlImport keyUsageNotCriticalkeyCertSignFalseCACRL.crl
+  pkitsn $certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt \
+      $certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid keyUsage Not Critical Test3"; log_banner
+  certImport keyUsageNotCriticalCACert
+  crlImport keyUsageNotCriticalCACRL.crl
+  pkits $certs/ValidkeyUsageNotCriticalTest3EE.crt \
+      $certs/keyUsageNotCriticalCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid keyUsage Critical cRLSign False Test4"; log_banner
+  certImport keyUsageCriticalcRLSignFalseCACert
+  crlImportn keyUsageCriticalcRLSignFalseCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt \
+          $certs/keyUsageCriticalcRLSignFalseCACert.crt
+  fi
+  restore_db
+
+  VFY_ACTION="Invalid keyUsage Not Critical cRLSign False Test5"; log_banner
+  certImport keyUsageNotCriticalcRLSignFalseCACert
+  crlImportn keyUsageNotCriticalcRLSignFalseCACRL.crl
+  if [ $RET -eq 0 ] ; then 
+      pkitsn $certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt \
+          $certs/keyUsageNotCriticalcRLSignFalseCACert.crt
+  fi
+  restore_db
+}
+
+pkits_CertificatePolicies()
+{
+  break_table "NIST PKITS Section 4.8: Certificate Policies"
+
+  VFY_ACTION="All Certificates Same Policy Test1"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/ValidCertificatePathTest1EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="All Certificates No Policies Test2"; log_banner
+  certImport NoPoliciesCACert
+  crlImport NoPoliciesCACRL.crl
+  pkits $certs/AllCertificatesNoPoliciesTest2EE.crt \
+      $certs/NoPoliciesCACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test3"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  certImport PoliciesP2subCACert
+  crlImport PoliciesP2subCACRL.crl
+  pkits $certs/DifferentPoliciesTest3EE.crt \
+      $certs/PoliciesP2subCACert.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test4"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  certImport GoodsubCACert
+  crlImport GoodsubCACRL.crl
+  pkits $certs/DifferentPoliciesTest4EE.crt \
+      $certs/GoodsubCACert.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test5"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  certImport PoliciesP2subCA2Cert
+  crlImport PoliciesP2subCA2CRL.crl
+  pkits $certs/DifferentPoliciesTest5EE.crt \
+      $certs/PoliciesP2subCA2Cert.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Overlapping Policies Test6"; log_banner
+  certImport PoliciesP1234CACert
+  crlImport PoliciesP1234CACRL.crl
+  certImport PoliciesP1234subCAP123Cert
+  crlImport PoliciesP1234subCAP123CRL.crl
+  certImport PoliciesP1234subsubCAP123P12Cert
+  crlImport PoliciesP1234subsubCAP123P12CRL.crl
+  pkits $certs/OverlappingPoliciesTest6EE.crt \
+      $certs/PoliciesP1234subsubCAP123P12Cert.crt \
+      $certs/PoliciesP1234subCAP123Cert.crt \
+      $certs/PoliciesP1234CACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test7"; log_banner
+  certImport PoliciesP123CACert
+  crlImport PoliciesP123CACRL.crl
+  certImport PoliciesP123subCAP12Cert
+  crlImport PoliciesP123subCAP12CRL.crl
+  certImport PoliciesP123subsubCAP12P1Cert
+  crlImport PoliciesP123subsubCAP12P1CRL.crl
+  pkits $certs/DifferentPoliciesTest7EE.crt \
+      $certs/PoliciesP123subsubCAP12P1Cert.crt \
+      $certs/PoliciesP123subCAP12Cert.crt \
+      $certs/PoliciesP123CACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test8"; log_banner
+  certImport PoliciesP12CACert
+  crlImport PoliciesP12CACRL.crl
+  certImport PoliciesP12subCAP1Cert
+  crlImport PoliciesP12subCAP1CRL.crl
+  certImport PoliciesP12subsubCAP1P2Cert
+  crlImport PoliciesP12subsubCAP1P2CRL.crl
+  pkits $certs/DifferentPoliciesTest8EE.crt \
+      $certs/PoliciesP123subsubCAP12P1Cert.crt \
+      $certs/PoliciesP12subCAP1Cert.crt \
+      $certs/PoliciesP12CACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test9"; log_banner
+  certImport PoliciesP123CACert
+  crlImport PoliciesP123CACRL.crl
+  certImport PoliciesP123subCAP12Cert
+  crlImport PoliciesP123subCAP12CRL.crl
+  certImport PoliciesP123subsubCAP12P2Cert
+  crlImport PoliciesP123subsubCAP2P2CRL.crl
+  certImport PoliciesP123subsubsubCAP12P2P1Cert
+  crlImport PoliciesP123subsubsubCAP12P2P1CRL.crl
+  pkits $certs/DifferentPoliciesTest9EE.crt \
+      $certs/PoliciesP123subsubsubCAP12P2P1Cert.crt \
+      $certs/PoliciesP123subsubCAP12P1Cert.crt \
+      $certs/PoliciesP12subCAP1Cert.crt \
+      $certs/PoliciesP12CACert.crt
+  restore_db
+
+  VFY_ACTION="All Certificates Same Policies Test10"; log_banner
+  certImport PoliciesP12CACert
+  crlImport PoliciesP12CACRL.crl
+  pkits $certs/AllCertificatesSamePoliciesTest10EE.crt \
+      $certs/NoPoliciesCACert.crt
+  restore_db
+
+  VFY_ACTION="All Certificates AnyPolicy Test11"; log_banner
+  certImport anyPolicyCACert
+  crlImport anyPolicyCACRL.crl
+  pkits $certs/AllCertificatesanyPolicyTest11EE.crt \
+      $certs/anyPolicyCACert.crt
+  restore_db
+
+  VFY_ACTION="Different Policies Test12"; log_banner
+  certImport PoliciesP3CACert
+  crlImport PoliciesP3CACRL.crl
+  pkits $certs/DifferentPoliciesTest12EE.crt \
+      $certs/PoliciesP3CACert.crt
+  restore_db
+
+  VFY_ACTION="All Certificates Same Policies Test13"; log_banner
+  certImport PoliciesP123CACert
+  crlImport PoliciesP123CACRL.crl
+  pkits $certs/AllCertificatesSamePoliciesTest13EE.crt \
+      $certs/PoliciesP123CACert.crt
+  restore_db
+
+  VFY_ACTION="AnyPolicy Test14"; log_banner
+  certImport anyPolicyCACert
+  crlImport anyPolicyCACRL.crl
+  pkits $certs/AnyPolicyTest14EE.crt \
+      $certs/anyPolicyCACert.crt
+  restore_db
+
+  VFY_ACTION="User Notice Qualifier Test15"; log_banner
+  pkits $certs/UserNoticeQualifierTest15EE.crt
+
+  VFY_ACTION="User Notice Qualifier Test16"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/UserNoticeQualifierTest16EE.crt \
+      $certs/GoodCACert.crt
+
+  VFY_ACTION="User Notice Qualifier Test17"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/UserNoticeQualifierTest17EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="User Notice Qualifier Test18"; log_banner
+  certImport PoliciesP12CACert
+  crlImport PoliciesP12CACRL.crl
+  pkits $certs/UserNoticeQualifierTest18EE.crt \
+      $certs/PoliciesP12CACert.crt
+  restore_db
+
+  VFY_ACTION="User Notice Qualifier Test19"; log_banner
+  pkits $certs/UserNoticeQualifierTest19EE.crt
+
+  VFY_ACTION="CPS Pointer Qualifier Test20"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  pkits $certs/CPSPointerQualifierTest20EE.crt \
+      $certs/GoodCACert.crt
+  restore_db
+}
+
+pkits_RequireExplicitPolicy()
+{
+  break_table "NIST PKITS Section 4.9: Require Explicit Policy"
+
+  VFY_ACTION="Valid RequireExplicitPolicy Test1"; log_banner
+  certImportn requireExplicitPolicy10CACert
+  crlImportn requireExplicitPolicy10CACRL.crl
+  certImport requireExplicitPolicy10subCACert
+  crlImport requireExplicitPolicy10subCACRL.crl
+  certImport requireExplicitPolicy10subsubCACert
+  crlImport requireExplicitPolicy10subsubCACRL.crl
+  certImport requireExplicitPolicy10subsubsubCACert
+  crlImport requireExplicitPolicy10subsubsubCACRL.crl
+  pkits $certs/ValidrequireExplicitPolicyTest1EE.crt \
+      $certs/requireExplicitPolicy10subsubsubCACert.crt \
+      $certs/requireExplicitPolicy10subsubCACert.crt \
+      $certs/requireExplicitPolicy10subCACert.crt \
+      $certs/requireExplicitPolicy10CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid RequireExplicitPolicy Test2"; log_banner
+  certImportn requireExplicitPolicy5CACert
+  crlImportn requireExplicitPolicy5CACRL.crl
+  certImport requireExplicitPolicy5subCACert
+  crlImport requireExplicitPolicy5subCACRL.crl
+  certImport requireExplicitPolicy5subsubCACert
+  crlImport requireExplicitPolicy5subsubCACRL.crl
+  certImport requireExplicitPolicy5subsubsubCACert
+  crlImport requireExplicitPolicy5subsubsubCACRL.crl
+  pkits $certs/ValidrequireExplicitPolicyTest2EE.crt \
+      $certs/requireExplicitPolicy5subsubsubCACert.crt \
+      $certs/requireExplicitPolicy5subsubCACert.crt \
+      $certs/requireExplicitPolicy5subCACert.crt \
+      $certs/requireExplicitPolicy5CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid RequireExplicitPolicy Test3"; log_banner
+  certImportn requireExplicitPolicy4CACert
+  crlImportn requireExplicitPolicy4CACRL.crl
+  certImport requireExplicitPolicy4subCACert
+  crlImport requireExplicitPolicy4subCACRL.crl
+  certImport requireExplicitPolicy4subsubCACert
+  crlImport requireExplicitPolicy4subsubCACRL.crl
+  certImport requireExplicitPolicy4subsubsubCACert
+  crlImport requireExplicitPolicy4subsubsubCACRL.crl
+  pkitsn $certs/InvalidrequireExplicitPolicyTest3EE.crt \
+      $certs/requireExplicitPolicy4subsubsubCACert.crt \
+      $certs/requireExplicitPolicy4subsubCACert.crt \
+      $certs/requireExplicitPolicy4subCACert.crt \
+      $certs/requireExplicitPolicy4CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid RequireExplicitPolicy Test4"; log_banner
+  certImportn requireExplicitPolicy0CACert
+  crlImportn requireExplicitPolicy0CACRL.crl
+  certImport requireExplicitPolicy0subCACert
+  crlImport requireExplicitPolicy0subCACRL.crl
+  certImport requireExplicitPolicy0subsubCACert
+  crlImport requireExplicitPolicy0subsubCACRL.crl
+  certImport requireExplicitPolicy0subsubsubCACert
+  crlImport requireExplicitPolicy0subsubsubCACRL.crl
+  pkits $certs/ValidrequireExplicitPolicyTest4EE.crt \
+      $certs/requireExplicitPolicy0subsubsubCACert.crt \
+      $certs/requireExplicitPolicy0subsubCACert.crt \
+      $certs/requireExplicitPolicy0subCACert.crt \
+      $certs/requireExplicitPolicy0CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid RequireExplicitPolicy Test5"; log_banner
+  certImportn requireExplicitPolicy7CACert
+  crlImportn requireExplicitPolicy7CACRL.crl
+  certImportn requireExplicitPolicy7subCARE2Cert
+  crlImportn requireExplicitPolicy7subCARE2CRL.crl
+  certImportn requireExplicitPolicy7subsubCARE2RE4Cert
+  crlImportn requireExplicitPolicy7subsubCARE2RE4CRL.crl
+  certImport requireExplicitPolicy7subsubsubCARE2RE4Cert
+  crlImport requireExplicitPolicy7subsubsubCARE2RE4CRL.crl
+  pkitsn $certs/InvalidrequireExplicitPolicyTest5EE.crt \
+      $certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt \
+      $certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt \
+      $certs/requireExplicitPolicy7subCARE2Cert.crt \
+      $certs/requireExplicitPolicy7CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Self-Issued RequireExplicitPolicy Test6"; log_banner
+  certImportn requireExplicitPolicy2CACert
+  crlImportn requireExplicitPolicy2CACRL.crl
+  pkits $certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt \
+      $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+      $certs/requireExplicitPolicy2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test7"; log_banner
+  certImportn requireExplicitPolicy2CACert
+  crlImportn requireExplicitPolicy2CACRL.crl
+  certImport requireExplicitPolicy2subCACert
+  crlImport requireExplicitPolicy2subCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt \
+      $certs/requireExplicitPolicy2subCACert.crt \
+      $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+      $certs/requireExplicitPolicy2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued RequireExplicitPolicy Test8"; log_banner
+  certImportn requireExplicitPolicy2CACert
+  crlImportn requireExplicitPolicy2CACRL.crl
+  certImport requireExplicitPolicy2subCACert
+  crlImport requireExplicitPolicy2subCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt \
+      $certs/requireExplicitPolicy2SelfIssuedsubCACert.crt \
+      $certs/requireExplicitPolicy2subCACert.crt \
+      $certs/requireExplicitPolicy2SelfIssuedCACert.crt \
+      $certs/requireExplicitPolicy2CACert.crt
+  restore_db
+}
+
+pkits_PolicyMappings()
+{
+  break_table "NIST PKITS Section 4.10: Policy Mappings"
+
+  VFY_ACTION="Valid Policy Mapping Test1"; log_banner
+  certImportn Mapping1to2CACert
+  crlImportn Mapping1to2CACRL.crl
+  pkits $certs/ValidPolicyMappingTest1EE.crt \
+      $certs/Mapping1to2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Policy Mapping Test2"; log_banner
+  certImportn Mapping1to2CACert
+  crlImportn Mapping1to2CACRL.crl
+  pkitsn $certs/InvalidPolicyMappingTest2EE.crt \
+      $certs/Mapping1to2CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test3"; log_banner
+  certImportn P12Mapping1to3CACert
+  crlImportn P12Mapping1to3CACRL.crl
+  certImportn P12Mapping1to3subCACert
+  crlImportn P12Mapping1to3subCACRL.crl
+  certImportn P12Mapping1to3subsubCACert
+  crlImportn P12Mapping1to3subsubCACRL.crl
+  pkits $certs/ValidPolicyMappingTest3EE.crt \
+      $certs/P12Mapping1to3subsubCACert.crt \
+      $certs/P12Mapping1to3subCACert.crt \
+      $certs/P12Mapping1to3CA.crt
+  restore_db
+
+  VFY_ACTION="Invalid Policy Mapping Test4"; log_banner
+  certImportn P12Mapping1to3CACert
+  crlImportn P12Mapping1to3CACRL.crl
+  certImportn P12Mapping1to3subCACert
+  crlImportn P12Mapping1to3subCACRL.crl
+  certImportn P12Mapping1to3subsubCACert
+  crlImportn P12Mapping1to3subsubCACRL.crl
+  pkitsn $certs/InvalidPolicyMappingTest4EE.crt \
+      $certs/P12Mapping1to3subsubCACert.crt \
+      $certs/P12Mapping1to3subCACert.crt \
+      $certs/P12Mapping1to3CA.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test5"; log_banner
+  certImportn P1Mapping1to234CACert
+  crlImportn P1Mapping1to234CACRL.crl
+  certImportn P1Mapping1to234subCACert
+  crlImportn P1Mapping1to234subCACRL.crl
+  pkits $certs/ValidPolicyMappingTest5EE.crt \
+      $certs/P1Mapping1to234subCACert.crt \
+      $certs/P1Mapping1to234CA.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test6"; log_banner
+  certImportn P1Mapping1to234CACert
+  crlImportn P1Mapping1to234CACRL.crl
+  certImportn P1Mapping1to234subCACert
+  crlImportn P1Mapping1to234subCACRL.crl
+  pkits $certs/ValidPolicyMappingTest6EE.crt \
+      $certs/P1Mapping1to234subCACert.crt \
+      $certs/P1Mapping1to234CA.crt
+  restore_db
+
+  VFY_ACTION="Invalid Mapping from anyPolicy Test7"; log_banner
+  certImportn MappingFromanyPolicyCACert
+  crlImportn MappingFromanyPolicyCACRL.crl
+  pkitsn $certs/InvalidMappingFromanyPolicyTest7EE.crt \
+      $certs/MappingFromanyPolicyCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Mapping to anyPolicy Test8"; log_banner
+  certImportn MappingToanyPolicyCACert
+  crlImportn MappingToanyPolicyCACRL.crl
+  pkitsn $certs/InvalidMappingToanyPolicyTest8EE.crt \
+      $certs/MappingToanyPolicyCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test9"; log_banner
+  certImport PanyPolicyMapping1to2CACert
+  crlImport PanyPolicyMapping1to2CACRL.crl
+  pkits $certs/ValidPolicyMappingTest9EE.crt \
+      $certs/PanyPolicyMapping1to2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Policy Mapping Test10"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  certImportn GoodsubCAPanyPolicyMapping1to2CACert
+  crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+  pkitsn $certs/InvalidPolicyMappingTest10EE.crt \
+      $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test11"; log_banner
+  certImport GoodCACert
+  crlImport GoodCACRL.crl
+  certImportn GoodsubCAPanyPolicyMapping1to2CACert
+  crlImportn GoodsubCAPanyPolicyMapping1to2CACRL.crl
+  pkits $certs/ValidPolicyMappingTest11EE.crt \
+      $certs/GoodsubCAPanyPolicyMapping1to2CACert.crt \
+      $certs/GoodCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test12"; log_banner
+  certImportn P12Mapping1to3CACert
+  crlImportn P12Mapping1to3CACRL.crl
+  pkits $certs/ValidPolicyMappingTest12EE.crt \
+      $certs/P12Mapping1to3CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test13"; log_banner
+  certImportn P1anyPolicyMapping1to2CACert
+  crlImportn P1anyPolicyMapping1to2CACRL.crl
+  pkits $certs/ValidPolicyMappingTest13EE.crt \
+      $certs/P1anyPolicyMapping1to2CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Policy Mapping Test14"; log_banner
+  certImportn P1anyPolicyMapping1to2CACert
+  crlImportn P1anyPolicyMapping1to2CACRL.crl
+  pkits $certs/ValidPolicyMappingTest14EE.crt \
+      $certs/P1anyPolicyMapping1to2CACert.crt
+  restore_db
+}
+
+
+pkits_InhibitPolicyMapping()
+{
+  break_table "NIST PKITS Section 4.11: Inhibit Policy Mapping"
+
+  VFY_ACTION="Invalid inhibitPolicyMapping Test1"; log_banner
+  certImportn inhibitPolicyMapping0CACert
+  crlImportn inhibitPolicyMapping0CACRL.crl
+  certImportn inhibitPolicyMapping0subCACert
+  crlImportn inhibitPolicyMapping0subCACRL.crl
+  pkitsn $certs/InvalidinhibitPolicyMappingTest1EE.crt \
+      $certs/inhibitPolicyMapping0CACert.crt \
+      $certs/inhibitPolicyMapping0subCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid inhibitPolicyMapping Test2"; log_banner
+  certImportn inhibitPolicyMapping1P12CACert
+  crlImportn inhibitPolicyMapping1P12CACRL.crl
+  certImportn inhibitPolicyMapping1P12subCACert
+  crlImportn inhibitPolicyMapping1P12subCACRL.crl
+  pkits $certs/ValidinhibitPolicyMappingTest2EE.crt \
+      $certs/inhibitPolicyMapping1P12CACert.crt \
+      $certs/inhibitPolicyMapping1P12subCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitPolicyMapping Test3"; log_banner
+  certImportn inhibitPolicyMapping1P12CACert
+  crlImportn inhibitPolicyMapping1P12CACRL.crl
+  certImportn inhibitPolicyMapping1P12subCACert
+  crlImportn inhibitPolicyMapping1P12subCACRL.crl
+  certImportn inhibitPolicyMapping1P12subsubCACert
+  crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+  pkitsn $certs/InvalidinhibitPolicyMappingTest3EE.crt \
+      $certs/inhibitPolicyMapping1P12subsubCACert.crt \
+      $certs/inhibitPolicyMapping1P12subCACert.crt \
+      $certs/inhibitPolicyMapping1P12CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid inhibitPolicyMapping Test4"; log_banner
+  certImportn inhibitPolicyMapping1P12CACert
+  crlImportn inhibitPolicyMapping1P12CACRL.crl
+  certImportn inhibitPolicyMapping1P12subCACert
+  crlImportn inhibitPolicyMapping1P12subCACRL.crl
+  certImportn inhibitPolicyMapping1P12subsubCACert
+  crlImportn inhibitPolicyMapping1P12subsubCACRL.crl
+  pkits $certs/ValidinhibitPolicyMappingTest4EE.crt \
+      $certs/inhibitPolicyMapping1P12CACert.crt \
+      $certs/inhibitPolicyMapping1P12subCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitPolicyMapping Test5"; log_banner
+  certImportn inhibitPolicyMapping5CACert
+  crlImportn inhibitPolicyMapping5CACRL.crl
+  certImportn inhibitPolicyMapping5subCACert
+  crlImportn inhibitPolicyMapping5subCACRL.crl
+  certImport inhibitPolicyMapping5subsubCACert
+  crlImport inhibitPolicyMapping5subsubCACRL.crl
+  pkitsn $certs/InvalidinhibitPolicyMappingTest5EE.crt \
+      $certs/inhibitPolicyMapping5subsubCACert.crt \
+      $certs/inhibitPolicyMapping5subCACert.crt \
+      $certs/inhibitPolicyMapping5CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitPolicyMapping Test6"; log_banner
+  certImportn inhibitPolicyMapping1P12CACert
+  crlImportn inhibitPolicyMapping1P12CACRL.crl
+  certImportn inhibitPolicyMapping1P12subCAIPM5Cert
+  crlImportn inhibitPolicyMapping1P12subCAIPM5CRL.crl
+  certImport inhibitPolicyMapping1P12subsubCAIPM5Cert
+  crlImportn inhibitPolicyMapping1P12subsubCAIPM5CRL.crl
+  pkitsn $certs/InvalidinhibitPolicyMappingTest6EE.crt \
+      $certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt \
+      $certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt \
+      $certs/inhibitPolicyMapping1P12CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Self-Issued inhibitPolicyMapping Test7"; log_banner
+  certImportn inhibitPolicyMapping1P1CACert
+  crlImportn inhibitPolicyMapping1P1CACRL.crl
+  certImportn inhibitPolicyMapping1P1subCACert
+  crlImportn inhibitPolicyMapping1P1subCACRL.crl
+  pkits $certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt \
+      $certs/inhibitPolicyMapping1P1subCACert.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+      $certs/inhibitPolicyMapping1P1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test8"; log_banner
+  certImportn inhibitPolicyMapping1P1CACert
+  crlImportn inhibitPolicyMapping1P1CACRL.crl
+  certImportn inhibitPolicyMapping1P1subCACert
+  crlImportn inhibitPolicyMapping1P1subCACRL.crl
+  certImport inhibitPolicyMapping1P1subsubCACert
+  crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt \
+      $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+      $certs/inhibitPolicyMapping1P1subCACert.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+      $certs/inhibitPolicyMapping1P1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test9"; log_banner
+  certImportn inhibitPolicyMapping1P1CACert
+  crlImportn inhibitPolicyMapping1P1CACRL.crl
+  certImportn inhibitPolicyMapping1P1subCACert
+  crlImportn inhibitPolicyMapping1P1subCACRL.crl
+  certImportn inhibitPolicyMapping1P1subsubCACert
+  crlImportn inhibitPolicyMapping1P1subsubCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt \
+      $certs/inhibitPolicyMapping1P1subsubCACert.crt \
+      $certs/inhibitPolicyMapping1P1subCACert.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+      $certs/inhibitPolicyMapping1P1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test10"; log_banner
+  certImportn inhibitPolicyMapping1P1CACert
+  crlImportn inhibitPolicyMapping1P1CACRL.crl
+  certImportn inhibitPolicyMapping1P1subCACert
+  crlImportn inhibitPolicyMapping1P1subCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \
+      $certs/inhibitPolicyMapping1P1subCACert.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+      $certs/inhibitPolicyMapping1P1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitPolicyMapping Test11"; log_banner
+  certImportn inhibitPolicyMapping1P1CACert
+  crlImportn inhibitPolicyMapping1P1CACRL.crl
+  certImportn inhibitPolicyMapping1P1subCACert
+  crlImportn inhibitPolicyMapping1P1subCACRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt \
+      $certs/inhibitPolicyMapping1P1subCACert.crt \
+      $certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt \
+      $certs/inhibitPolicyMapping1P1CACert.crt
+  restore_db
+}
+
+
+pkits_InhibitAnyPolicy()
+{
+  break_table "NIST PKITS Section 4.12: Inhibit Any Policy"
+
+  VFY_ACTION="Invalid inhibitAnyPolicy Test1"; log_banner
+  certImportn inhibitAnyPolicy0CACert
+  crlImportn inhibitAnyPolicy0CACRL.crl
+  pkitsn $certs/InvalidinhibitAnyPolicyTest1EE.crt \
+      $certs/inhibitAnyPolicy0CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid inhibitAnyPolicy Test2"; log_banner
+  certImportn inhibitAnyPolicy0CACert
+  crlImportn inhibitAnyPolicy0CACRL.crl
+  pkits $certs/ValidinhibitAnyPolicyTest2EE.crt \
+      $certs/inhibitAnyPolicy0CACert.crt
+  restore_db
+
+  VFY_ACTION="inhibitAnyPolicy Test3"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA1Cert
+  crlImport inhibitAnyPolicy1subCA1CRL.crl
+  pkits $certs/inhibitAnyPolicyTest3EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1subCA1Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitAnyPolicy Test4"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA1Cert
+  crlImport inhibitAnyPolicy1subCA1CRL.crl
+  pkitsn $certs/InvalidinhibitAnyPolicyTest4EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1subCA1Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitAnyPolicy Test5"; log_banner
+  certImportn inhibitAnyPolicy5CACert
+  crlImportn inhibitAnyPolicy5CACRL.crl
+  certImportn inhibitAnyPolicy5subCACert
+  crlImportn inhibitAnyPolicy5subCACRL.crl
+  certImport inhibitAnyPolicy5subsubCACert
+  crlImport inhibitAnyPolicy5subsubCACRL.crl
+  pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \
+      $certs/inhibitAnyPolicy5CACert.crt \
+      $certs/inhibitAnyPolicy5subCACert.crt \
+      $certs/inhibitAnyPolicy5subsubCACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid inhibitAnyPolicy Test6"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImportn inhibitAnyPolicy1subCAIAP5Cert
+  crlImportn inhibitAnyPolicy1subCAIAP5CRL.crl
+  pkitsn $certs/InvalidinhibitAnyPolicyTest5EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy5subCACert.crt \
+      $certs/inhibitAnyPolicy5subsubCACert.crt
+  restore_db
+
+  VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test7"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA2Cert
+  crlImport inhibitAnyPolicy1subCA2CRL.crl
+  pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+      $certs/inhibitAnyPolicy1subCA2Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test8"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA2Cert
+  crlImport inhibitAnyPolicy1subCA2CRL.crl
+  certImport inhibitAnyPolicy1subsubCA2Cert
+  crlImport inhibitAnyPolicy1subsubCA2CRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+      $certs/inhibitAnyPolicy1subCA2Cert.crt \
+      $certs/inhibitAnyPolicy1subsubCA2Cert.crt
+  restore_db
+
+  VFY_ACTION="Valid Self-Issued inhibitAnyPolicy Test9"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA2Cert
+  crlImport inhibitAnyPolicy1subCA2CRL.crl
+  pkits $certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+      $certs/inhibitAnyPolicy1subCA2Cert.crt \
+      $certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid Self-Issued inhibitAnyPolicy Test10"; log_banner
+  certImportn inhibitAnyPolicy1CACert
+  crlImportn inhibitAnyPolicy1CACRL.crl
+  certImport inhibitAnyPolicy1subCA2Cert
+  crlImport inhibitAnyPolicy1subCA2CRL.crl
+  pkitsn $certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt \
+      $certs/inhibitAnyPolicy1CACert.crt \
+      $certs/inhibitAnyPolicy1SelfIssuedCACert.crt \
+      $certs/inhibitAnyPolicy1subCA2Cert.crt
+  restore_db
+}
+
+
+pkits_NameConstraints()
+{
+  break_table "NIST PKITS Section 4.13: Name Constraints"
+
+  VFY_ACTION="Valid DN nameConstraints Test1"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest1EE.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test2"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest2EE.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test3"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest3EE.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test4"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest4EE.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test5"; log_banner
+  certImport nameConstraintsDN2CACert
+  crlImport nameConstraintsDN2CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest5EE.crt \
+      $certs/nameConstraintsDN2CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test6"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest6EE.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test7"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest7EE.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test8"; log_banner
+  certImport nameConstraintsDN4CACert
+  crlImport nameConstraintsDN4CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest8EE.crt \
+      $certs/nameConstraintsDN4CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test9"; log_banner
+  certImport nameConstraintsDN4CACert
+  crlImport nameConstraintsDN4CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest9EE.crt \
+      $certs/nameConstraintsDN4CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test10"; log_banner
+  certImport nameConstraintsDN5CACert
+  crlImport nameConstraintsDN5CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest10EE.crt \
+      $certs/nameConstraintsDN5CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test11"; log_banner
+  certImport nameConstraintsDN5CACert
+  crlImport nameConstraintsDN5CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest11EE.crt \
+      $certs/nameConstraintsDN5CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test12"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA1Cert
+  crlImport nameConstraintsDN1subCA1CRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest12EE.crt \
+      $certs/nameConstraintsDN1subCA1Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test13"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA2Cert
+  crlImport nameConstraintsDN1subCA2CRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest13EE.crt \
+      $certs/nameConstraintsDN1subCA2Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test14"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA2Cert
+  crlImport nameConstraintsDN1subCA2CRL.crl
+  pkits $certs/ValidDNnameConstraintsTest14EE.crt \
+      $certs/nameConstraintsDN1subCA2Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test15"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  certImport nameConstraintsDN3subCA1Cert
+  crlImport nameConstraintsDN3subCA1CRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest15EE.crt \
+      $certs/nameConstraintsDN3subCA1Cert.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test16"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  certImport nameConstraintsDN3subCA1Cert
+  crlImport nameConstraintsDN3subCA1CRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest16EE.crt \
+      $certs/nameConstraintsDN3subCA1Cert.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN nameConstraints Test17"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  certImport nameConstraintsDN3subCA2Cert
+  crlImport nameConstraintsDN3subCA2CRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest17EE.crt \
+      $certs/nameConstraintsDN3subCA2Cert.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN nameConstraints Test18"; log_banner
+  certImport nameConstraintsDN3CACert
+  crlImport nameConstraintsDN3CACRL.crl
+  certImport nameConstraintsDN3subCA2Cert
+  crlImport nameConstraintsDN3subCA2CRL.crl
+  pkits $certs/ValidDNnameConstraintsTest18EE.crt \
+      $certs/nameConstraintsDN3subCA2Cert.crt \
+      $certs/nameConstraintsDN3CACert.crt
+  restore_db
+
+### bug 232737 ###
+if [ -n "${KNOWN_BUG}" ]; then
+  VFY_ACTION="Valid Self-Issued DN nameConstraints Test19"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkits $certs/ValidDNnameConstraintsTest19EE.crt \
+      $certs/nameConstraintsDN1SelfIssuedCACert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+fi
+
+  VFY_ACTION="Invalid Self-Issued DN nameConstraints Test20"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  pkitsn $certs/InvalidDNnameConstraintsTest20EE.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid RFC822 nameConstraints Test21"; log_banner
+  certImport nameConstraintsRFC822CA1Cert
+  crlImport nameConstraintsRFC822CA1CRL.crl
+  pkits $certs/ValidRFC822nameConstraintsTest21EE.crt \
+      $certs/nameConstraintsRFC822CA1Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid RFC822 nameConstraints Test22"; log_banner
+  certImport nameConstraintsRFC822CA1Cert
+  crlImport nameConstraintsRFC822CA1CRL.crl
+  pkitsn $certs/InvalidRFC822nameConstraintsTest22EE.crt \
+      $certs/nameConstraintsRFC822CA1Cert.crt
+  restore_db
+
+  VFY_ACTION="Valid RFC822 nameConstraints Test23"; log_banner
+  certImport nameConstraintsRFC822CA2Cert
+  crlImport nameConstraintsRFC822CA2CRL.crl
+  pkits $certs/ValidRFC822nameConstraintsTest23EE.crt \
+      $certs/nameConstraintsRFC822CA2Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid RFC822 nameConstraints Test24"; log_banner
+  certImport nameConstraintsRFC822CA2Cert
+  crlImport nameConstraintsRFC822CA2CRL.crl
+  pkitsn $certs/InvalidRFC822nameConstraintsTest24EE.crt \
+      $certs/nameConstraintsRFC822CA2Cert.crt
+  restore_db
+
+  VFY_ACTION="Valid RFC822 nameConstraints Test25"; log_banner
+  certImport nameConstraintsRFC822CA3Cert
+  crlImport nameConstraintsRFC822CA3CRL.crl
+  pkits $certs/ValidRFC822nameConstraintsTest25EE.crt \
+      $certs/nameConstraintsRFC822CA3Cert.crt
+  restore_db
+
+  VFY_ACTION="Invalid RFC822 nameConstraints Test26"; log_banner
+  certImport nameConstraintsRFC822CA3Cert
+  crlImport nameConstraintsRFC822CA3CRL.crl
+  pkitsn $certs/InvalidRFC822nameConstraintsTest26EE.crt \
+      $certs/nameConstraintsRFC822CA3Cert.crt
+  restore_db
+
+  VFY_ACTION="Valid DN and RFC822 nameConstraints Test27"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA3Cert
+  crlImport nameConstraintsDN1subCA3CRL.crl
+  pkits $certs/ValidDNandRFC822nameConstraintsTest27EE.crt \
+      $certs/nameConstraintsDN1subCA3Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN and RFC822 nameConstraints Test28"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA3Cert
+  crlImport nameConstraintsDN1subCA3CRL.crl
+  pkitsn $certs/InvalidDNandRFC822nameConstraintsTest28EE.crt \
+      $certs/nameConstraintsDN1subCA3Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DN and RFC822 nameConstraints Test29"; log_banner
+  certImport nameConstraintsDN1CACert
+  crlImport nameConstraintsDN1CACRL.crl
+  certImport nameConstraintsDN1subCA3Cert
+  crlImport nameConstraintsDN1subCA3CRL.crl
+  pkitsn $certs/InvalidDNandRFC822nameConstraintsTest29EE.crt \
+      $certs/nameConstraintsDN1subCA3Cert.crt \
+      $certs/nameConstraintsDN1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DNS nameConstraints Test30"; log_banner
+  certImport nameConstraintsDNS1CACert
+  crlImport nameConstraintsDNS1CACRL.crl
+  pkits $certs/ValidDNSnameConstraintsTest30EE.crt \
+      $certs/nameConstraintsDNS1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DNS nameConstraints Test31"; log_banner
+  certImport nameConstraintsDNS1CACert
+  crlImport nameConstraintsDNS1CACRL.crl
+  pkitsn $certs/InvalidDNSnameConstraintsTest31EE.crt \
+      $certs/nameConstraintsDNS1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid DNS nameConstraints Test32"; log_banner
+  certImport nameConstraintsDNS2CACert
+  crlImport nameConstraintsDNS2CACRL.crl
+  pkits $certs/ValidDNSnameConstraintsTest32EE.crt \
+      $certs/nameConstraintsDNS2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DNS nameConstraints Test33"; log_banner
+  certImport nameConstraintsDNS2CACert
+  crlImport nameConstraintsDNS2CACRL.crl
+  pkitsn $certs/InvalidDNSnameConstraintsTest33EE.crt \
+      $certs/nameConstraintsDNS2CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid URI nameConstraints Test34"; log_banner
+  certImport nameConstraintsURI1CACert
+  crlImport nameConstraintsURI1CACRL.crl
+  pkits $certs/ValidURInameConstraintsTest34EE.crt \
+      $certs/nameConstraintsURI1CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid URI nameConstraints Test35"; log_banner
+  certImport nameConstraintsURI1CACert
+  crlImport nameConstraintsURI1CACRL.crl
+  pkitsn $certs/InvalidURInameConstraintsTest35EE.crt \
+      $certs/nameConstraintsURI1CACert.crt
+  restore_db
+
+  VFY_ACTION="Valid URI nameConstraints Test36"; log_banner
+  certImport nameConstraintsURI2CACert
+  crlImport nameConstraintsURI2CACRL.crl
+  pkits $certs/ValidURInameConstraintsTest36EE.crt \
+      $certs/nameConstraintsURI2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid URI nameConstraints Test37"; log_banner
+  certImport nameConstraintsURI2CACert
+  crlImport nameConstraintsURI2CACRL.crl
+  pkitsn $certs/InvalidURInameConstraintsTest37EE.crt \
+      $certs/nameConstraintsURI2CACert.crt
+  restore_db
+
+  VFY_ACTION="Invalid DNS nameConstraints Test38"; log_banner
+  certImport nameConstraintsDNS1CACert
+  crlImport nameConstraintsDNS1CACRL.crl
+  pkitsn $certs/InvalidDNSnameConstraintsTest38EE.crt \
+      $certs/nameConstraintsDNS1CACert.crt
+  restore_db
+}
+
+pkits_PvtCertExtensions()
+{
+  break_table "NIST PKITS Section 4.16: Private Certificate Extensions"
+
+  VFY_ACTION="Valid Unknown Not Critical Certificate Extension Test1"; log_banner
+  pkits $certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+
+  VFY_ACTION="Invalid Unknown Critical Certificate Extension Test2"; log_banner
+  pkitsn $certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+}
+
+############################## pkits_cleanup ###########################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+pkits_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+
+################################## main ################################
+pkits_init 
+pkits_SignatureVerification | tee -a $PKITS_LOG
+pkits_ValidityPeriods | tee -a $PKITS_LOG
+pkits_NameChaining | tee -a $PKITS_LOG
+pkits_BasicCertRevocation | tee -a $PKITS_LOG
+pkits_PathVerificWithSelfIssuedCerts | tee -a $PKITS_LOG
+pkits_BasicConstraints | tee -a $PKITS_LOG
+pkits_KeyUsage | tee -a $PKITS_LOG
+if [ -n "$NSS_PKITS_POLICIES" ]; then
+  pkits_CertificatePolicies | tee -a $PKITS_LOG
+  pkits_RequireExplicitPolicy | tee -a $PKITS_LOG
+  pkits_PolicyMappings | tee -a $PKITS_LOG
+  pkits_InhibitPolicyMapping | tee -a $PKITS_LOG
+  pkits_InhibitAnyPolicy | tee -a $PKITS_LOG
+fi
+pkits_NameConstraints | tee -a $PKITS_LOG
+pkits_PvtCertExtensions | tee -a $PKITS_LOG
+pkits_cleanup
+
diff --git a/security/nss/tests/platformlist b/security/nss/tests/platformlist
new file mode 100644
index 000000000..19bf821e9
--- /dev/null
+++ b/security/nss/tests/platformlist
@@ -0,0 +1,11 @@
+Darwin6.5
+HP-UX_B.11.00_32_bit
+HP-UX_B.11.00_64
+RH_Linux_7.2_(Enigma)
+RH_Linux_7.3_(Valhalla)
+RH_Linux_Advanced_Server_2.1AS_(Pensacola)
+SunOS_5.8_32_bit
+SunOS_5.8_64_bit
+Windows-2000
+Windows-XP
+
diff --git a/security/nss/tests/platformlist.tbx b/security/nss/tests/platformlist.tbx
new file mode 100644
index 000000000..435284cff
--- /dev/null
+++ b/security/nss/tests/platformlist.tbx
@@ -0,0 +1,14 @@
+AIX_3_32_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ
+AIX_3_64_bit AIX4.3_DBG.OBJ AIX4.3_OPT.OBJ AIX4.3_64_DBG.OBJ AIX4.3_64_OPT.OBJ
+HP-UX_B.11.00_32_bit  HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ
+HP-UX_B.11.00_64_bit  HP-UXB.11.00_DBG.OBJ HP-UXB.11.00_OPT.OBJ 
+OSF1_V4.0 OSF1V4.0D_DBG.OBJ OSF1V4.0D_OPT.OBJ
+OSF1_V5.0 OSF1V5.0_DBG.OBJ OSF1V5.0_OPT.OBJ
+RH_Linux_6.2_(Zoot) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.1_(Cartman) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+RH_Linux_6.0_(Hedwig) Linux2.2_x86_glibc_PTH_DBG.OBJ Linux2.2_x86_glibc_PTH_OPT.OBJ
+SunOS_5.6 SunOS5.6_DBG.OBJ SunOS5.6_OPT.OBJ
+SunOS_5.8_32_bit 
+SunOS_5.8_64_bit 
+Windows-2000 WINNT5.0_DBG.OBJ WINNT5.0_OPT.OBJ WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ
+Windows-NT-4.0 WIN954.0_DBG.OBJ WIN954.0_OPT.OBJ WINNT4.0_DBG.OBJ WINNT4.0_OPT.OBJ
diff --git a/security/nss/tests/qa_stage b/security/nss/tests/qa_stage
new file mode 100755
index 000000000..f0960c845
--- /dev/null
+++ b/security/nss/tests/qa_stage
@@ -0,0 +1,336 @@
+#! /bin/sh 
+########################################################################
+#
+# /u/sonmi/bin/qa_stage - /u/svbld/bin/init/nss/qa_stage
+#
+# this script is supposed to convert the tinderbox and daily QA files
+# for use on mozilla.org
+#
+# parameters
+# ----------
+#   nssversion  (supported: 30b, 31, tip)
+#   builddate   (default - today)
+#
+########################################################################
+
+if [ -z "$BUILDNUMBER" ]
+then
+    BUILDNUMBER=1
+fi
+if [ `uname` = "Linux" ] ; then
+    PATH=".:/u/sonmi/bin:/u/sonmi/bin/linux:/usr/bsd:/usr/ucb/:/bin:/usr/bin:/usr/ccs/bin:/usr/sbin:/usr/bin/X11:/usr/etc:/etc:/usr/demos:/usr/demos/bin:/usr/local/bin:/usr/local/X11/bin:/tools/ns/bin"
+    export PATH
+fi
+
+Echo()
+{
+    if [ "$O_SILENT" = "OFF" ] ; then
+        echo $*
+    fi
+}
+
+################################### qa_stage_init ##########################
+# 
+########################################################################
+qa_stage_init()
+{
+    umask 000
+
+    eval_opts $*
+
+    if [ -z "${QAYEAR}" ] ; then 
+        QAYEAR=`date +%Y`
+    elif [ "$QAYEAR" = ""  ] ; then
+        QAYEAR=`date +%Y`
+    fi
+
+    Echo "Init..."
+    DAYBUILD=${QAYEAR}${BUILDDATE}.${BUILDNUMBER}
+    NSS_D0=/share/builds/mccrel3/nss
+    NSS_VER_DIR=${NSS_D0}/nss${NSSVER}
+    NTDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/blowfish_NT4.0_Win95/mozilla/dist
+    UXDIST=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/dist
+    TESTSCRIPTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/security/nss/tests
+    RESULTDIR=${NSS_VER_DIR}/builds/${DAYBUILD}/booboo_Solaris8/mozilla/tests_results/security
+    TBX_RESULTDIR=${NSS_D0}/nsstip/tinderbox/tests_results/security
+
+    MOZ_D0=/pub/security/nss
+    MOZ_RESULTDIR=${MOZ_D0}/daily_qa/${DAYBUILD}
+    MOZ_TBX_RESULTDIR=${MOZ_D0}/tinderbox
+    
+    export BUILDDATE NSSVER QAYEAR NTDIST UXDIST TESTSCRIPTDIR RESULTDIR 
+
+
+    IPLANET_TBX_URL="http://cindercone.red.iplanet.com${TBX_RESULTDIR}"
+    IPLANET_DQA_URL="http://cindercone.red.iplanet.com${RESULTDIR}"
+
+    MOZ_TBX_URL="ftp://ftp.mozilla.org${MOZ_TBX_RESULTDIR}"
+    MOZ_DQA_URL="ftp://ftp.mozilla.org${MOZ_RESULTDIR}"
+
+    export IPLANET_TBX_URL IPLANET_DQA_URL MOZ_TBX_URL MOZ_DQA_URL
+    STAGE_1=/u/sonmi/tmp/ftp_stage
+    
+    if [ ! -d  $STAGE_1 ] ; then
+        Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+        exit 1
+    fi
+    cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+    rm all.tar* 2>/dev/null
+    TBX_STAGE=$STAGE_1/tinderbox
+    DQA_STAGE=$STAGE_1/daily_qa/${DAYBUILD}
+    Echo "Staging area tbx: $TBX_STAGE"
+    Echo "Staging area daily QA (DQA): $DQA_STAGE"
+    Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR"
+}
+
+################################### qa_stage_dqa ##########################
+# 
+########################################################################
+qa_stage_dqa()
+{
+    Echo "DQA:..."
+    Echo "Resultdir (sourcedir) for daily QA (RESULTDIR): $RESULTDIR"
+#set -x
+    if [ ! -d  $RESULTDIR ] ; then
+        Echo "Resultdir $RESULTDIR does not exist, can't push daily QA"
+        return
+    fi
+    cd $RESULTDIR || return
+    #for w in `find . -name "result*html"`
+    for w in `find . -name "result.html"`
+    do
+        if [ ! -d $DQA_STAGE/`dirname $w` ] ; then
+            mkdir -p $DQA_STAGE/`dirname $w`
+        fi
+        rm $DQA_STAGE/$w 2>/dev/null
+        cat $w | reformat_qa >$DQA_STAGE/$w
+    done
+    for w in `find . -name "output.log" -o  -name "results.html"`
+    do
+#echo $w
+        if [ ! -d $DQA_STAGE/`dirname $w` ] ; then
+            mkdir -p $DQA_STAGE/`dirname $w`
+        fi
+        cp $w $DQA_STAGE/$w
+    done
+}
+
+
+################################### qa_stage_tbx ##########################
+# 
+########################################################################
+qa_stage_tbx()
+{
+    Echo "tbx: "
+    if [ ! -d  $TBX_RESULTDIR ] ; then
+        Echo "TBX_RESULTDIR $TBX_RESULTDIR does not exist"
+        return
+    fi
+    cd $TBX_RESULTDIR || return
+    Echo "find from $TBX_FIND_FROM"
+    for w in `find $TBX_FIND_FROM  -name "result.html"`
+    do
+        if [ ! -d "$TBX_STAGE/`dirname $w`" ] ; then
+            mkdir -p $TBX_STAGE/`dirname $w`
+        fi
+        rm $TBX_STAGE/$w 2>/dev/null
+        cat $w | reformat_qa >$TBX_STAGE/$w
+    done
+    for w in `find $TBX_FIND_FROM -name "output.log" -o  -name "results.html"`
+    do
+        if [ ! -d $TBX_STAGE/`dirname $w` ] ; then
+            mkdir -p $TBX_STAGE/`dirname $w`
+        fi
+        cp $w $TBX_STAGE/$w
+    done
+}
+
+match_tbxdirs()
+{
+    YY=`date +%Y`
+    DD=`date +%d`
+    MM=`date +%m`
+    HH=`date +%H`
+
+    TBX_FIND_FROM="*-$YY$MM$DD-$HH.*"
+    i=$1
+    while [ $i -gt 0 ] ; do
+        i=`expr $i - 1`
+        HH=`expr $HH - 1`
+        if [ $HH -lt 0 ] ; then
+            HH=23
+            DD=`expr $DD - 1`
+            if [ $DD  -eq 0 ] ; then
+                MM=`expr $MM - 1`
+                case $MM in
+                    0)
+                        YY=`expr $YY - 1`
+                        MM=12
+                        DD=31
+                        ;;
+                    [13578]|10|12)
+                        DD=31
+                        ;;
+                    2)
+                        DD=28
+                        ;;
+                    [469]|11)
+                        DD=30
+                        ;;
+                esac
+            fi
+        fi
+        case $MM in
+            [123456789])
+               MM=0$MM
+               ;;
+        esac
+        case $DD in
+            [123456789])
+               DD=0$DD
+               ;;
+        esac
+        case $HH in
+            [0123456789])
+               HH=0$HH
+               ;;
+        esac
+        TBX_FIND_FROM="$TBX_FIND_FROM *-$YY$MM$DD-$HH.*"
+    done
+}
+
+################################### eval_opts ##########################
+# global shell function, evapuates options and parameters, sets flags
+# variables and defaults
+########################################################################
+eval_opts()
+{
+  DO_TBX=OFF
+  DO_DQA=OFF
+  DO_CLEAN=OFF
+  O_SILENT=OFF
+  O_INCREMENTAL=OFF
+  O_MAIL=OFF
+  BUILDDATE=`date +%m%d`
+  NSSVER=tip
+
+  TBX_FIND_FROM="."
+
+  while [ -n "$1" ]
+  do
+    case $1 in
+        -d)
+            DO_DQA=ON
+            ;;
+        -m)
+            O_MAIL=ON
+            shift
+            MAILINGLIST=$1
+            if [ -z "$MAILINGLIST" ]
+            then
+                echo "Error: -m requires a mailinglist to follow, for example sonmi@iplanet.com"
+                exit
+            fi
+            ;;
+        -ti)
+            DO_TBX=ON
+            match_tbxdirs 2
+            O_INCREMENTAL=ON
+            ;;
+        -t)
+            DO_TBX=ON
+            ;;
+        -c)
+            DO_CLEAN=ON
+            ;;
+        -s)
+            O_SILENT=ON
+            ;;
+
+        tip|3[0-9]*)
+            NSSVER=$1
+            ;;
+        [01][0-9][0-3][0-9])
+            BUILDDATE=$1
+            ;;
+    esac
+    shift
+  done
+}
+
+qa_stage_init $*
+
+if [ "$DO_CLEAN" = "ON" ] ; then
+    Echo "Cleaning old stuff"
+    if [ ! -d  $STAGE_1 ] ; then
+        Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+        exit 1
+    fi
+    cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+    if [ -n "$TBX_STAGE" -a -d "$TBX_STAGE" ] ; then
+        rm -rf $TBX_STAGE/*
+    else
+        Echo "nothing here to clean..."
+    fi
+fi
+if [ "$DO_DQA" = "ON" ] ; then
+    qa_stage_dqa 
+    if [ "$O_MAIL" = "ON" -a -f "$DQA_STAGE/result.html" ] ; then
+         cat $DQA_STAGE/result.html | /usr/sbin/sendmail $MAILINGLIST 
+    fi
+fi
+if [ "$DO_TBX" = "ON" ] ; then
+    qa_stage_tbx
+fi
+if [ ! -d  $STAGE_1 ] ; then
+    Echo "Staging area daily QA (DQA): $DQA_STAGE does not exist, exit"
+    exit 1
+fi
+cd $STAGE_1 || (Echo "Cant cd to $STAGE_1 , exit"; exit)
+Echo "tar..."
+if [ "$O_SILENT" = "ON" ] ; then
+    TARPARAM=cf
+else
+    TARPARAM=cvf
+fi
+
+
+if [ "$DO_DQA" = "ON" -a "$DO_TBX" = "ON" ] ; then
+        Echo "tar $TARPARAM all.tar daily_qa        tinderbox"
+        tar $TARPARAM all.tar daily_qa        tinderbox
+elif [ "$DO_DQA" = "ON" ] ; then
+        Echo "tar $TARPARAM all.tar daily_qa"
+        tar $TARPARAM all.tar daily_qa
+else
+        Echo "tar $TARPARAM all.tar tinderbox"
+        tar $TARPARAM all.tar tinderbox
+fi
+gzip all.tar
+# ssh-agent > /u/sonmi/.ssh/ssh-agent.info
+# setenv like it says in that file
+# ssh-add
+
+SSH_AUTH_SOCK=`grep SSH_AUTH_SOCK /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AUTH_SOCK //' -e 's/;//'`
+SSH_AGENT_PID=`grep SSH_AGENT_PID /u/sonmi/.ssh/ssh-agent.info | sed -e 's/setenv SSH_AGENT_PID //' -e 's/;//'`
+export SSH_AUTH_SOCK SSH_AGENT_PID
+if [ "$O_SILENT" = "OFF" ] ; then
+   set -x
+   scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss
+   ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage '
+else
+   scp all.tar.gz sonmi@stage.mozilla.org:/home/ftp/pub/security/nss >/dev/null 2>/dev/null 
+   ssh -l sonmi stage.mozilla.org '/home/sonmi/bin/nssqa_stage ' >/dev/null 2>/dev/null 
+fi
+
+#" rlogin huey "
+#" sftp  sonmi@stage.mozilla.org"
+#" cd /home/ftp/pub/security/nss"
+#" lcd tmp/ftp_stage"
+#" put all.tar.gz"
+#" quit "
+#" ssh -l sonmi stage.mozilla.org"
+#" cd /home/ftp/pub/security/nss"
+#" gunzip all.tar.gz"
+#" tar xvf all.tar"
+#" rm all.tar"
+
diff --git a/security/nss/tests/qa_stat b/security/nss/tests/qa_stat
new file mode 100755
index 000000000..ddf8dd8d2
--- /dev/null
+++ b/security/nss/tests/qa_stat
@@ -0,0 +1,938 @@
+#! /bin/sh 
+########################################################################
+#
+# /u/sonmi/bin/qa_stat - /u/svbld/bin/init/nss/qa_stat
+#
+# this script is supposed to automatically run QA for NSS on all required
+# Unix platforms
+#
+# parameters
+# ----------
+#    nssversion (supported: 30b, 31, tip)
+#    builddate  (default - today)
+#
+# options
+# -------
+#    -y answer all questions with y - use at your own risk...ignores warnings
+#    -s silent (only usefull with -y)
+#    -h, -? - you guessed right - displays this text
+#    -d debug
+#    -f <filename> - write the (error)output to filename
+#    -m <mailinglist> - send filename to mailinglist (csl) only useful
+#        with -f
+#    -cron equivalient to -y -s -d -f $RESULTDIR/$HOST.qa_stat
+#
+########################################################################
+
+O_OPTIONS=ON
+
+TBX_EXIT=49          # in case we are running on a tinderbox build, any
+                          # early exit needs to return an error
+if [ -z "$O_TBX" -o "$O_TBX" = "OFF" ] ; then
+    if [ -z "$O_LOCAL" -o "$O_LOCAL" = "OFF" ] ; then
+        . `dirname $0`/header
+    fi
+fi
+Debug "Sourced header O_TBX=$O_TBX O_LOCAL=$O_LOCAL"
+TBX_EXIT=48
+EARLY_EXIT=TRUE
+
+URL="cindercone.red.iplanet.com"
+
+DOCDIR=/u/sonmi/doc
+
+HTML_ERRORCOLOR=\"#FF0000\"
+HTML_ERRORMSG=Failed
+
+HTML_MISSINGCOLOR=\"#FFFFCC\"
+HTML_MISSINGMSG=Missing
+
+HTML_INCOMPLETECOLOR=$HTML_MISSINGCOLOR
+HTML_INCOMPLETEMSG=Incomplete
+
+HTML_PASSEDCOLOR=\"#66FF99\"
+HTML_PASSEDMSG=Passed
+
+# this file is used to deal with hanging rsh - a new shell is started 
+# for each rsh, and a function is called after it is finished - they
+# communicate with this file
+
+RSH_FILE=$TMP/rsh.$$
+echo >$RSH_FILE
+TMPFILES="$TMPFILES $WARNINGLIST $RSH_FILE "
+RSH_WAIT_TIME=80 #maximum time allowed for the 2 rsh to finish...
+#TOTAL_TESTS=106
+TOTAL_TESTS=252 #tip
+#TOTAL_TESTS=244 #3.4
+#TOTAL_TESTS=123 #3.3.2
+BCT_TOTAL_TESTS=122 #3.2.2
+#TOTAL_TESTS=133 #tip
+
+Debug "NTDIST $NTDIST"
+Debug "UXDIST $UXDIST"
+Debug "TESTSCRIPTDIR $TESTSCRIPTDIR"
+Debug "RESULTDIR $RESULTDIR"
+
+############################### watch_rsh ##############################
+# local shell function, deals with a hanging rsh (kills it...)
+# this function is started as a backgroundprocess before the rsh is started,
+# and writes info to the RSH_FILE, after the rsh is finished it writes finish
+# info to the same file (this time called as a function, forground). 
+# the backgroundprocess stays around for RSH_WAIT_TIME, if then the finish 
+# information is not there attempts to kill the rsh
+#
+# watch_rsh start qa_computername &
+# watch_rsh stop qa_computername 
+#
+########################################################################
+watch_rsh()
+{
+    case $1 in
+        start)
+            echo "$2 started" >>$RSH_FILE
+            sleep $RSH_WAIT_TIME
+            O_ALWAYS_YES=ON # may modify global flags because this is a 
+                            # forked off bg process - kill_by_name otherwise
+                            # will ask the user if it really should be killed 
+            grep "$2 finished" $RSH_FILE >/dev/null || kill_by_name "rsh $2"
+            exit
+            ;;
+        stop)
+            echo "$2 finished" >>$RSH_FILE
+            ;;
+    esac
+}
+
+############################### find_qa_systems ########################
+# local shell function, tries to determine the QA operating system
+# works remotely, and for Windows machines
+########################################################################
+find_qa_systems()
+{
+for QA_SYS in `ls $RESULTDIR | grep '\.1$' | sed -e "s/\..*//" | sort -u`
+do
+    NO_RSH="FALSE"
+    QA_OS=""
+    QA_RHVER=""
+    IS_64=""
+    IS_WIN=""
+
+    grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa >/dev/null && NO_RSH=TRUE
+
+    if [ "$NO_RSH" = "TRUE" ]
+    then
+
+        QA_OS=`grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+            -e "s/.*-OS-LINE: /${QA_SYS}/"`
+        QA_OS_STRING=`echo $QA_OS | sed -e "s/^[_ ]//" -e "s/ /_/g"`
+        echo $QA_OS_STRING >>$PLATFORMLIST
+        if [ "$O_SILENT" != ON ] ; then
+            echo $QA_OS
+        fi
+
+        #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+             #-e "s/.*-OS-LINE: /${QA_SYS}_/" >>$PLATFORMLIST
+        #if [ "$O_SILENT" != ON ] ; then
+            #grep OS-LINE ${RESULTDIR}/${QA_SYS}.nssqa | sort -u | sed \
+                 #-e "s/.*-OS-LINE:/${QA_SYS}/" 
+        #fi
+    else
+        REM_SYSNAME=$QA_SYS
+        watch_rsh start $REM_SYSNAME &
+        qa_stat_get_sysinfo $QA_SYS
+        watch_rsh stop $REM_SYSNAME 
+        echo $QA_OS_STRING >>$PLATFORMLIST
+                          # use later for missing list
+    fi
+done
+
+}
+
+################################### qa_stat_init ##########################
+# local shell function, sets the name of the resultfile to:
+#    <filename> if option -f <filename>
+#    $RESULTDIR/result if write permission 
+#        (mozilla/tests_results/security/result)
+#    $HOME/resultNSS${NSSVER}-${BUILDDATE} if no write permission in $RESULTDIR
+########################################################################
+qa_stat_init()
+{
+    if [ $O_FILE = ON -a $O_CRON = OFF ]    # if -f was specified write there 
+    then
+        RFILE=$FILENAME    
+    else
+        RFILE=${RESULTDIR}/result.$$
+        if [ ! -w $RESULTDIR ]
+        then
+            RFILE=$HOME/resultNSS${NSSVER}-${BUILDDATE}.$$
+            Debug "Using alternate resultfile $RFILE"
+        #elif [ $O_CRON = ON ]
+        #then
+             ##find ${RESULTDIR} -exec chmod a+rw {} \;    #FIXME - umask 
+                            ##doesn't seem to work - this is a tmp workaround
+        fi
+    
+        if [ ! -x $RESULTDIR -o ! -r  $RESULTDIR -o ! -w $RESULTDIR ]
+        then
+            glob_usage "$RESULTDIR does not have the right permissions `ls -l $RESULTDIR`"
+        fi
+        if [ -d $RESULTDIR ]
+        then
+            cd $RESULTDIR
+        else
+            glob_usage "$RESULTDIR does not exist"
+        fi
+    fi
+
+    ERRORLIST=${RFILE}.E
+    PLATFORMLIST=${RFILE}.P
+    PERFLIST=${RFILE}.PE
+    TMP_HTML_FILE=${RFILE}.html
+    HTML_FILE=${RESULTDIR}/result.html
+    WARNINGLIST=${RFILE}.W
+    BCMISSINGLIST=${RFILE}.BCM
+    BCERRORLIST=${RFILE}.BCE
+    TMPFILE=${RFILE}.T
+    ML_FILE=${RFILE}.ML
+
+    TMPFILES="$TMPFILES $TMPFILE"
+    TMPFILES="$TMPFILES $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+       $BCMISSINGLIST $BCERRORLIST $ML_FILE" #FIXME uncomment
+
+    FILENAME=$RFILE        #we might want to mail it...later switch to html file
+    O_FILE="ON"
+
+    rm $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+       $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE  2>/dev/null
+    touch $ERRORLIST $PLATFORMLIST $PERFLIST $WARNINGLIST \
+       $BCMISSINGLIST $BCERRORLIST $TMP_HTML_FILE  2>/dev/null
+
+    if [  $O_WIN = "ON" -a "$O_TBX" = "ON" ] ; then
+        HTML_PATH="http://${URL}${UX_D0}/nss${NSSVER}/tinderbox/tests_results/security/`basename $RESULTDIR`"
+    else
+        HTML_PATH="http://${URL}${RESULTDIR}"
+    fi
+    HREF_TMP_HTML_FILE="${HTML_PATH}/`basename $HTML_FILE`"
+
+    write_qa_header_html >$TMP_HTML_FILE
+}
+
+################################# html_footer #########################
+# local shell function, writes end of the html body
+#######################################################################
+write_qa_header_html()
+{
+echo 'Subject: QA Report ' $NSSVER $BUILDDATE '
+From: sonmi@iplanet.com
+Reply-To: sonmi@iplanet.com
+Content-Type: text/html; charset=us-ascii
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+   <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; U; SunOS 5.8 sun4u) [N
+etscape]">
+</head>
+<body>
+<br>
+&nbsp;
+<br>&nbsp;
+<h2>
+<a href="http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS">Tinderbox</a
+><br>
+<a href="http://cindercone.red.iplanet.com/share/builds/mccrel3/nss/nsstip/tinderbox/tests_results/security/">Tinderbox QA&nbsp;result</a><br>
+<a href="ftp://ftp.mozilla.org/pub/security/nss/daily_qa">Mozilla Daily NSS QA&nbsp;result</a></h2>
+&nbsp;
+
+&nbsp;
+<br>&nbsp;
+<center>
+<h1>
+<a NAME="Top"></a><b><font size=+2>QA&nbsp;Results</font></b></h1></center>
+
+
+<table BORDER WIDTH="100%" NOSAVE >
+<tr>
+<td>&nbsp;<b><font size=+1>Build-OS and version</font></b></td>
+<td><b><font size=+1>QA-OS</font></b></td>
+<td><b><font size=+1>Systemname</font></b></td>
+<td><b><font size=+1>P/F</font></b></td>
+<td><b><font size=+1>result</font></b></td>
+<td><b><font size=+1>output</font></b></td>
+<td><b><font size=+1>errors</font></b></td>
+<td><b><font size=+1>QA time / #</font></b></td>
+</tr>
+'
+}
+
+################################# html_footer #########################
+# local shell function, writes end of the html body
+#######################################################################
+html_footer()
+{
+  echo '</body>'
+  echo '</html>'
+}
+
+################################# setQAsysvars #########################
+# local shell function, sets system specific variables
+########################################################################
+setQAsysvars()
+{
+    if [ "$MACHINE" != "0" ]
+    then
+        MACHINE=`echo $MACHINE | sed -e 's/^bct.//g'`
+        TESTDATE=`ls -ld $MACHINE | awk '{ print $6, $7, $8 }'`
+        TESTNUMBER=`echo $MACHINE | sed -e 's/.*\.//'`
+        SYSNAME=`echo $MACHINE | sed -e 's/\..*//'`
+        Debug "SYSNAME= $SYSNAME"
+
+        if [  "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+            QA_SYS_OS=$QA_OS
+        else
+            QA_SYS_OS=`grep $SYSNAME $PLATFORMLIST |
+                sed -e 's/
//' | \
+                sort | uniq | sed  -e "s/$SYSNAME//" \
+                -e "s/^_//" | sort | uniq`
+        fi
+        Debug "QA_SYS_OS= $QA_SYS_OS"
+    fi
+    BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' -e 's/_DBG/ Debug/' \
+            -e 's/_OPT/ Optimized/'  -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \
+            -e 's/_/ /'`
+    Debug "BUILD_SYS=$BUILD_SYS"
+    if [ -f "${RESULTDIR}/${MACHINE}/results.html" ] ; then
+        RESULT="${HTML_PATH}/${MACHINE}/results.html"
+    else
+        RESULT="0"
+    fi
+    if [ -f "${RESULTDIR}/bct/${MACHINE}/results.html" ] ; then
+        BCB_RESULT="${HTML_PATH}/bct/${MACHINE}/results.html"
+    else
+      BCB_RESULT="0"
+    fi
+
+    if [ -f "${RESULTDIR}/${MACHINE}/output.log" ] ; then
+        LOG="${HTML_PATH}/${MACHINE}/output.log"
+    else
+        LOG="0"
+    fi
+    if [ -f "${RESULTDIR}/bct/${MACHINE}/output.log" ] ; then
+        BCB_LOG="${HTML_PATH}/bct/${MACHINE}/output.log"
+    else
+        BCB_LOG="0"
+    fi
+}
+
+################################# html_line() #########################
+# local shell function, writes a line in the html table
+########################################################################
+html_line()
+{
+  echo '<tr NOSAVE>'
+  echo '<td NOSAVE>'$BUILD_SYS'</td>'
+  echo ''
+  if [ "$QA_SYS_OS" != "0" ] ; then
+      echo '<td NOSAVE>'$QA_SYS_OS'</td>'
+  else
+      echo '<td></td>'
+  fi
+  echo ''
+  if [ "$SYSNAME" != "0" ] ; then
+      echo '<td>'$SYSNAME'</td>'
+  else
+      echo '<td></td>'
+  fi
+  #echo '<td>'$SYSNAME $TESTNUMBER $TESTDATE'</td>'
+  echo ''
+  # hopefully we never run more different tests on a tinderbox build...
+  # on win some shells can not handle exit codes greater then 52 (64???)
+  # so for very early exits the codes are set 50-45, for failures later
+  # in the process the higher the number, the more failures
+  if [ "$O_TBX" = "ON" -a "$TBX_EXIT" -gt 45 ] ; then
+      TBX_EXIT=0
+  fi
+  if [ "$1" = "failed" ]
+  then
+      TBX_EXIT=`expr $TBX_EXIT + 1`
+      echo '<td BGCOLOR='$HTML_ERRORCOLOR' NOSAVE><b>'$HTML_ERRORMSG'</b></td>'
+  elif [ "$1" = "passed" ]
+  then
+      echo '<td BGCOLOR='$HTML_PASSEDCOLOR' NOSAVE>'$HTML_PASSEDMSG'</td>'
+  elif [ "$1" = "incomplete" ]
+  then
+      TBX_EXIT=`expr $TBX_EXIT + 1`
+      echo '<td BGCOLOR='$HTML_INCOMPLETECOLOR' NOSAVE>'$HTML_INCOMPLETEMSG'</td>'
+  else
+      TBX_EXIT=`expr $TBX_EXIT + 1`
+      echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'    
+  fi
+  if [ "$CURRENT_TABLE" != "BC" ] ; then
+      if [ "$RESULT" = "0" ] ; then
+          echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      else
+          echo '<td>&nbsp;<a href="'$RESULT'">result</a>&nbsp;</td>'
+      fi
+      if [ "$LOG" = "0" ] ; then
+          echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      else
+          echo '<td>&nbsp;<a href="'$LOG'">log</a>&nbsp;</td>'
+      fi
+      if [ "$1" = "failed" ] ; then
+          echo '<td>&nbsp;<a href="'${HREF_TMP_HTML_FILE}'#errorlist">error</a>&nbsp;</td>'
+      else
+          echo '<td></td>'
+      fi
+  else
+     #<td><b><font size=+1>errors</font></b></td>
+     #<td><b><font size=+1>P/F</font></b></td>
+     #<td><b><font size=+1>P/F</font></b></td>
+
+     #echo '<td><b><font size=+1>All Current</font></b></td>'
+     #echo '<td><b><font size=+1>old dlls</font></b></td>'
+     #echo '<td><b><font size=+1>old executables</font></b></td>'
+      #if [ "$RESULT" != "0" -a "$LOG" != "0" ] ; then
+          #echo '<td><a href="'$RESULT'">result</a>, <a href="'$LOG'">log</td>'
+      #elif [ "$RESULT" = "0" -a "$LOG" != "0" ] ; then
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$LOG'">log</a></td>'
+      #elif [ "$RESULT" != "0" -a "$LOG" = "0" ] ; then
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$RESULT'">result</a></td>'
+      #else
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      #fi
+      #if [ "$BCB_RESULT" != "0" -a "$BCB_LOG" != "0" ] ; then
+          #echo '<td><a href="'$BCB_RESULT'">result</a>, <a href="'$BCB_LOG'"> log</td>'
+      #elif [ "$BCB_RESULT" = "0" -a "$BCB_LOG" != "0" ] ; then
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_LOG'">log</a></td>'
+      #elif [ "$BCB_RESULT" != "0" -a "$BCB_LOG" = "0" ] ; then
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE><a href="'$BCB_RESULT'">result</a></td>'
+      #else
+          #echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      #fi
+      if [ "$BCB_RESULT" = "0" ] ; then
+          echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      else
+          echo '<td>&nbsp;<a href="'$BCB_RESULT'">result</a>&nbsp;</td>'
+      fi
+      if [ "$BCB_LOG" = "0" ] ; then
+          echo '<td BGCOLOR='$HTML_MISSINGCOLOR' NOSAVE>'$HTML_MISSINGMSG'</td>'
+      else
+          echo '<td>&nbsp;<a href="'$BCB_LOG'">log</a>&nbsp;</td>'
+      fi
+  fi
+  echo '<td>'$TESTDATE $TESTNUMBER'</td>'
+  echo '</tr>'
+}
+
+################################# qa_errorlist #########################
+# local shell function, finds problems in the previously run QA
+# linux:the gnu grep, on Linux can output 10 lines above and 3 lines below 
+# the errormessage
+########################################################################
+qa_errorlist()
+{
+    grep "bgcolor=red" ${MACHINES_TO_CHECK}*/results.html | 
+        sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g'
+    grep 'cache hits; .* cache misses, .* cache not reusable' \
+        ${MACHINES_TO_CHECK}*/output.log | 
+        grep strsclnt |
+        grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' | 
+        grep -v ' cache hits; 1 cache misses, 0 cache not reusable'
+    for logfile in ${MACHINES_TO_CHECK}*/output.log; do
+        grep -vi "write to SSL socket" $logfile |
+            grep -vi "HDX PR_Read returned error" |
+            grep -vi "no error" |
+            grep -vi "12285" |
+            grep -i  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error 
+            #grep -vi "5938" |  needed for -v option
+            #grep -vi "HDX PR_Read hit EOF" | 
+        grep  -vi "write to SSL socket" $logfile |
+            grep -vi "peer cannot verify" |
+            grep -vi "error" |
+            grep -vi "fatal" |
+            grep -vi "TCP Connection aborted" |
+            grep -vi "TCP connection reset" |
+            grep  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP  -i failed
+    done
+    grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation" \
+        ${MACHINES_TO_CHECK}*/output.log
+    grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" \
+        ${MACHINES_TO_CHECK}*/output.log
+    grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" \
+        ${MACHINES_TO_CHECK}*/output.log
+    grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" \
+        ${MACHINES_TO_CHECK}*/output.log
+    grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal \
+        ${MACHINES_TO_CHECK}*/output.log
+    grep -i  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i\
+        "PKCS12 decode not verified"   ${MACHINES_TO_CHECK}*/output.log
+
+    if [ -n "${MACHINES_TO_CHECK}" ] ; then
+        find ${MACHINES_TO_CHECK}* -name core -print 2>/dev/null |
+            grep -v bct 
+    else
+        find . -name core -print 2>/dev/null |
+            grep -v bct 
+    fi
+}
+
+tbx_missing_platforms ()
+{
+    QA_MISSING="QA report missing"
+    MACHINE="0"
+
+    if [ "$QA_OS_STRING" = "WINNT4.0" ] ; then
+        QA_OS_STRING="Windows-NT-4.0"
+    fi
+    for BUILDPLATFORM in `grep $QA_OS_STRING $TESTSCRIPTDIR/platformlist.tbx`
+    do
+        if [ "$BUILDPLATFORM" != "$QA_OS_STRING" ] ; then
+            Debug  "BUILDPLATFORM = $BUILDPLATFORM QA_OS_STRING = $QA_OS_STRING"
+            grep $BUILDPLATFORM ${MACHINES_TO_CHECK}*/results.html \
+                >/dev/null || {
+                setQAsysvars
+                html_line missing >>$TMP_HTML_FILE
+            }
+        fi
+    done
+}
+
+############################ platform _list ###########################
+# local shell function, generate pass/fail information for each Platform
+########################################################################
+platformlist()
+{
+    grep Platform ${MACHINES_TO_CHECK}*/results.html | 
+        sed -e 's/.results.html:<H4>Platform: /---/' \
+            -e 's/<BR>//' >$TMPFILE
+    # this is done a little complicated to avoid starting a subshell in 
+    # a while read that gets the input from a pipeline, and variables set 
+    #in or underneath this function get unset after done...
+    for  MB in `cat $TMPFILE` ; do
+        MACHINE=`echo $MB | sed -e "s/---.*//"`
+        BUILDPLATFORM=`echo $MB | sed -e "s/.*---//"`
+        grep "${MACHINE}[^0-9]" $ERRORLIST >/dev/null
+        ret=$?
+        setQAsysvars
+        if [ $ret -eq 0 ]
+        then
+            echo "Failed $MACHINE $BUILDPLATFORM" >>$RFILE
+            html_line failed >>$TMP_HTML_FILE
+        else
+            echo "Passed $MACHINE $BUILDPLATFORM" >>$RFILE
+            html_line passed >>$TMP_HTML_FILE
+        fi
+    done 
+}
+
+############################ missing_platforms ###########################
+# local shell function, finds out if we ran on all required platforms
+########################################################################
+missing_platforms()
+{
+    QA_MISSING="QA report missing"
+    MACHINE="0"
+    SYSNAME="0"
+    QA_SYS_OS="0"
+
+    for BUILDPLATFORM in `cat $TESTSCRIPTDIR/platformlist`
+    do
+        grep $BUILDPLATFORM $PLATFORMLIST > /dev/null || {
+            setQAsysvars
+            html_line missing >>$TMP_HTML_FILE
+        }
+    done
+}
+
+############################ incomplete_results ###########################
+# local shell function, finds out if all qa runs were complete
+########################################################################
+incomplete_results ()
+{
+    
+    for w in `ls ${MACHINES_TO_CHECK}*/results.html`
+    do
+      grep bgcolor=red $w || {
+        PASSED_LINES=""
+        PASSED_LINES=`grep bgcolor=lightGreen $w | wc -l`
+        if [ -n "$PASSED_LINES" -a "$PASSED_LINES" -lt "$TOTAL_TESTS" ] ; then
+            BUILDPLATFORM=`grep Platform $w | sed -e 's/<H4>Platform:/    /'                   -e 's/<BR>//'` 
+            MACHINE=`echo $w | sed -e "s/.results.html//"`
+            #MACHINE=`echo $w | sed -e "s/\.[0-9]*.results.html//"`
+            setQAsysvars
+            html_line incomplete >>$TMP_HTML_FILE
+        elif [ "$PASSED_LINES" -gt "$TOTAL_TESTS" ] ; then
+            echo "WARNING - more tests than expected on $w ($PASSED_LINES)" >>$WARNINGLIST
+	fi
+      }
+    done
+}
+
+qa_stat_table()
+{
+    echo '&nbsp;'
+    echo '<br>&nbsp;'
+    echo '<center>'
+    echo '<h1>'
+    echo '<a NAME="'$1'"></a>'$1'</h1></center>'
+    echo '&nbsp;'
+    echo '<table BORDER WIDTH="100%" NOSAVE >'
+    echo '<tr NOSAVE>'
+}
+
+############################### psaperf ########################
+# local shell function, copies results of the daily performance test
+# into a table in the QA report
+########################################################################
+rsaperf()
+{
+    grep RSAPERF */output.log | grep -v "_DBG" > $PERFLIST
+    
+    qa_stat_table "Performance list"
+
+    echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+    echo '<td><b><font size=+1>Systemname</font></b></td>'
+    echo '<td><b><font size=+1># of iterations</font></b></td>'
+    echo '<td><b><font size=+1>average for one op</font></b></td>'
+    echo '<td><b><font size=+1>Total</font></b></td>'
+    echo '<td><b><font size=+1>QA time / #</font></b></td>'
+    echo '</tr>'
+    cat $PERFLIST | 
+    while read MACHINE BUILDPLATFORM no_iter t1 t2 total total_unit t3 \
+               t4 t5 average average_unit
+    do
+        #caution subshell, variables local to this loop
+        BUILD_SYS=`echo $BUILDPLATFORM | sed -e 's/\.OBJ//' \
+            -e 's/_DBG/ Debug/' \
+            -e 's/_OPT/ Optimized/'  -e 's/_64/ 64bit/' -e 's/_glibc_PTH//' \
+            -e 's/_/ /'`
+        TESTNUMBER=`echo $MACHINE | sed -e 's/[^\.]*\.//' -e 's/\/.*//'`
+        MACHINE=`echo $MACHINE | sed -e 's/\..*//'`
+        TESTDATE=`ls -ld ${MACHINE}.${TESTNUMBER} | awk '{ print $6, $7, $8 }'`
+        echo '<tr>'
+        echo '<td>'$BUILD_SYS'</td>'
+        echo ''
+        echo '<td>'$MACHINE'</td>'
+        echo ''
+        echo '<td>'$no_iter'</td>'
+        echo ''
+        echo '<td>'$average' '$average_unit'</td>'
+        echo ''
+        echo '<td>'$total' '$total_unit'</td>'
+        echo ''
+        echo '<td>'$TESTDATE $TESTNUMBER'</td>'
+        echo ''
+        echo '</tr>'
+    done
+    echo '</table>'
+}
+
+############################### qa_stat_cleanup ########################
+# local shell function, finishes html file, sets variables for global Exit
+########################################################################
+qa_stat_cleanup()
+{
+
+    html_footer >>$TMP_HTML_FILE
+
+    O_DEBUG=OFF
+
+    EARLY_EXIT=FALSE
+    cp $TMP_HTML_FILE $HTML_FILE
+    FILENAME=$HTML_FILE        #we might want to mail it...
+    Exit
+}
+
+
+############################### bc_test ########################
+# local shell function, evaluates the results of the backward u
+# compatibility tests
+########################################################################
+bc_header()
+{
+CURRENT_TABLE="BC"   #so html_line can determine which fields to write
+  
+  qa_stat_table "Backward Compatibility Test"
+  echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+  echo '<td><b><font size=+1>QA-OS</font></b></td>'
+  echo '<td><b><font size=+1>Systemname</font></b></td>'
+  echo '<td><b><font size=+1>P/F</font></b></td>'
+  #echo '<td><b><font size=+1>All Current</font></b></td>'
+  #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+  echo '<td><b><font size=+1>result</font></b></td>'
+  echo '<td><b><font size=+1>output</font></b></td>'
+  echo '<td><b><font size=+1>QA time / #</font></b></td>'
+  echo '</tr>'
+
+}
+
+old_bc_test()
+{
+CURRENT_TABLE="BC"   #so html_line can determine which fields to write
+  
+  qa_stat_table "Backward Compatibility Test"
+  echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+  echo '<td><b><font size=+1>QA-OS</font></b></td>'
+  echo '<td><b><font size=+1>Systemname</font></b></td>'
+  echo '<td><b><font size=+1>P/F</font></b></td>'
+  #echo '<td><b><font size=+1>All Current</font></b></td>'
+  #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+  echo '<td><b><font size=+1>result</font></b></td>'
+  echo '<td><b><font size=+1>output</font></b></td>'
+  echo '<td><b><font size=+1>QA time / #</font></b></td>'
+  echo '</tr>'
+
+  for w in `ls */results.html`
+  do
+      TMP_RESULT="`dirname $w`/results.tmp"
+      TMP_BC_RESULT="`dirname bct/$w`/results.tmp"
+      rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null
+      cat $w | sed -e 's/<[^>]*>//g'  -e 's/ /_/g' \
+                   -e 's/signtool_-[vw]/signtool_-vw/' |
+               grep '_[PF]a[si][sl]ed' >$TMP_RESULT
+      cat bct/$w   | sed -e 's/<[^>]*>//g'  -e 's/ /_/g' \
+                         -e 's/signtool_-[vw]/signtool_-vw/' |
+                     grep '_[PF]a[si][sl]ed' >$TMP_BC_RESULT
+      diff $TMP_RESULT $TMP_BC_RESULT    2>>$BCMISSINGLIST |
+           grep -v "Create_objsign_cert_.signtool_-G.*Passed" |
+           grep -v "porting_Alice.s_email_cert" |
+           grep -v "^[0-9,cad]*$" | grep -v "^---$" | grep -v "^---.$" |
+           grep -v "Can.t_run_pk12util_tests_for_NSS_3.2"  >/dev/null && (
+                echo "$w differs" >> $BCMISSINGLIST
+                echo "========================================="
+                echo "diff $w bct/$w"
+                echo "========================================="
+                diff $TMP_RESULT $TMP_BC_RESULT 2>&1 |
+                     grep -v "Create_objsign_cert_.signtool_-G.*Passed" |
+                     grep -v "porting_Alice.s_email_cert" |
+                     grep -v "Can.t_run_pk12util_tests_for_NSS_3.2"  
+           )  2>&1 >>$BCERRORLIST
+
+      #diff -b $w bct/$w  2>>$BCMISSINGLIST | 
+           #grep -v "Create objsign cert .signtool -G.*Passed" |
+           #grep -v "Listing signed files in jar .signtool -v.*Passed" |
+           #grep -v "Listing signed files in jar .signtool -w.*Passed" |
+           #grep -v "backward compatibility" |
+           #grep -v "Can.t run pk12util tests for NSS 3.2" |
+           #grep -v "porting Alice.s email cert " |
+           #grep -v "^---$" | grep -v "^[<> ] $" | 
+           #grep -v "^---.$" | grep -v "^[<> ] .$" | 
+           #grep -v '< </BODY></HTML>' |
+           #grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null &&  (
+                #echo "$w differs" >> $BCMISSINGLIST
+                #echo "========================================="
+                #echo "diff $w bct/$w"
+                #echo "========================================="
+                #diff -b $w bct/$w 2>&1 | 
+                     #grep -v "Listing signed files in jar .signtool -v.*Passed" |
+                     #grep -v "Listing signed files in jar .signtool -w.*Passed" |
+                     #grep -v "backward compatibility" |
+                     #grep -v "Can.t run pk12util tests for NSS 3.2" |
+                     #grep -v "porting Alice.s email cert " |
+                     #grep -v "^---$" | grep -v "^[<> ] $" | 
+                     #grep -v "^---.$" | grep -v "^[<> ] .$" | 
+                     #grep -v '< </BODY></HTML>' |
+                     #grep -v "^[0-9,cad]*$" \
+           #)  2>&1 >>$BCERRORLIST
+      rm $TMP_RESULT $TMP_BC_RESULT 2>/dev/null
+  done
+  rm $ERRORLIST
+  cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+                    -e "s/.results.html.*/\/results.html/" | 
+                sort -u > $ERRORLIST
+
+  platformlist  
+  echo '</table>' >>$TMP_HTML_FILE
+
+  head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" 
+}
+
+bc_test()
+{
+CURRENT_TABLE="BC"   #so html_line can determine which fields to write
+  
+  qa_stat_table "Backward Compatibility Test"
+  echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+  echo '<td><b><font size=+1>QA-OS</font></b></td>'
+  echo '<td><b><font size=+1>Systemname</font></b></td>'
+  echo '<td><b><font size=+1>P/F</font></b></td>'
+  #echo '<td><b><font size=+1>All Current</font></b></td>'
+  #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+  echo '<td><b><font size=+1>result</font></b></td>'
+  echo '<td><b><font size=+1>output</font></b></td>'
+  echo '<td><b><font size=+1>QA time / #</font></b></td>'
+  echo '</tr>'
+
+set -x
+  for w in `ls */results.html`
+  do
+      BCT_DIR=`dirname "bct/$w"`
+      BCT_RESULT="bct/$w"
+      BCT_LOG="$BCT_DIR/output.log"
+      grep "bgcolor=red" $BCT_RESULT | 
+           sed -e 's/.results.html:<TR><TD>/ /' -e 's/<[^>]*>/ /g'
+      grep 'cache hits; .* cache misses, .* cache not reusable' \
+        $BCT_LOG |
+        grep -v selfserv |
+        grep -v '0 cache hits; 1 cache misses, 0 cache not reusable' |
+        grep -v '0 cache hits; 0 cache misses, 0 cache not reusable' |
+        grep -v ' cache hits; 1 cache misses, 0 cache not reusable'
+      grep -vi "write to SSL socket" $BCT_LOG |
+        grep -vi "HDX PR_Read returned error" |
+        grep -vi "no error" |
+        grep -vi "12285" |
+        grep -i  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP error
+      grep  -vi "write to SSL socket" $BCT_LOG |
+        grep -vi "peer cannot verify" |
+        grep -vi "TCP Connection aborted" |
+        grep -vi "error" |
+        grep -vi "fatal" |
+        grep -vi "TCP connection reset" |
+        grep  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP  -i failed $BCT_LOG
+      grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "segmentation violation"  $BCT_LOG
+      grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "memory fault" $BCT_LOG
+      grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "bus error" $BCT_LOG
+      grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP "core dumped" $BCT_LOG
+      grep -i $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP fatal  $BCT_LOG
+      grep -i  $BEFORE_CONTEXT_GREP $AFTER_CONTEXT_GREP -i "PKCS12 decode not verified"   $BCT_LOG
+      find ${BTC_DIR} -name core -print
+
+  done 2>&1 >>$BCERRORLIST
+  rm $ERRORLIST
+  cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+                    -e "s/.results.html.*/\/results.html/" | 
+                sort -u > $ERRORLIST
+
+  platformlist  
+  echo '</table>' >>$TMP_HTML_FILE
+
+  head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" 
+}
+
+
+############################### bc_test ########################
+# local shell function, evaluates the results of the backward u
+# compatibility tests
+# move the whole function to old to tests a new solution
+########################################################################
+bc_test_old()
+{
+CURRENT_TABLE="BC"   #so html_line can determine which fields to write
+  
+  qa_stat_table "Backward Compatibility Test"
+  echo '<td NOSAVE><b><font size=+1>Build-OS and version</font></b></td>'
+  echo '<td><b><font size=+1>QA-OS</font></b></td>'
+  echo '<td><b><font size=+1>Systemname</font></b></td>'
+  echo '<td><b><font size=+1>P/F</font></b></td>'
+  #echo '<td><b><font size=+1>All Current</font></b></td>'
+  #echo '<td><b><font size=+1>backward comp. test</font></b></td>'
+  echo '<td><b><font size=+1>result</font></b></td>'
+  echo '<td><b><font size=+1>output</font></b></td>'
+  echo '<td><b><font size=+1>QA time / #</font></b></td>'
+  echo '</tr>'
+
+  for w in `ls */results.html`
+  do
+      diff -b $w bct/$w  2>>$BCMISSINGLIST | 
+           grep -v "Create objsign cert .signtool -G.*Passed" |
+           grep -v "Listing signed files in jar .signtool -v.*Passed" |
+           grep -v "Listing signed files in jar .signtool -w.*Passed" |
+           grep -v "backward compatibility" |
+           grep -v "Can.t run pk12util tests for NSS 3.2" |
+           grep -v "porting Alice.s email cert " |
+           grep -v "^---$" | grep -v "^[<> ] $" | 
+           grep -v "^---.$" | grep -v "^[<> ] .$" | 
+           grep -v '< </BODY></HTML>' |
+           grep -v "^[0-9,cad]*$" 2>>$BCMISSINGLIST >/dev/null &&  (
+                echo "$w differs" >> $BCMISSINGLIST
+                echo "========================================="
+                echo "diff $w bct/$w"
+                echo "========================================="
+                diff -b $w bct/$w 2>&1 | 
+                     grep -v "Listing signed files in jar .signtool -v.*Passed" |
+                     grep -v "Listing signed files in jar .signtool -w.*Passed" |
+                     grep -v "backward compatibility" |
+                     grep -v "Can.t run pk12util tests for NSS 3.2" |
+                     grep -v "porting Alice.s email cert " |
+                     grep -v "^---$" | grep -v "^[<> ] $" | 
+                     grep -v "^---.$" | grep -v "^[<> ] .$" | 
+                     grep -v '< </BODY></HTML>' |
+                     grep -v "^[0-9,cad]*$" \
+           )  2>&1 >>$BCERRORLIST
+  done
+  rm $ERRORLIST
+  cat $BCMISSINGLIST | sed -e "s/^diff: bc_...s.//" \
+                    -e "s/.results.html.*/\/results.html/" | 
+                sort -u > $ERRORLIST
+
+  platformlist  
+  echo '</table>' >>$TMP_HTML_FILE
+
+  head -200 $BCERRORLIST | sed -e 's/<[^>]*>//g' -e "s/^/<br>/" 
+
+}
+
+############################### tbx_main ########################
+# local shell function, tinderbox variation of the qa status script
+########################################################################
+tbx_main()
+{
+    TBX_EXIT=47
+    qa_stat_get_sysinfo # find out the OS we are running and all required tests
+                        # on this OS
+    
+    MACHINES_TO_CHECK=$HOST  #`uname -n` only search the local tests for errors
+    qa_errorlist > $ERRORLIST        # 
+    platformlist 
+    #tbx_missing_platforms  #temp. taken out until we find a better way to
+    #determine if all necessary QA ran - right now we run different 
+    #tinderboxes on one machine
+    incomplete_results 
+    echo '</table>' >>$TMP_HTML_FILE
+    echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+    cat $ERRORLIST  | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+
+}
+
+############################### qa_stat_main ########################
+# local shell function, main flow of the qa status script
+########################################################################
+qa_stat_main()
+{
+    find_qa_systems 2>/dev/null
+    MACHINES_TO_CHECK=""   # check all founf qa runs
+    qa_errorlist > $ERRORLIST
+    platformlist 
+    missing_platforms 
+    incomplete_results 
+    echo '</table>' >>$TMP_HTML_FILE
+    echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+    cat $ERRORLIST  | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+    cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null
+    rsaperf >>$TMP_HTML_FILE
+    bc_header >>$TMP_HTML_FILE
+    MACHINES_TO_CHECK="bct/"
+    TOTAL_TESTS=$BCT_TOTAL_TESTS
+    BEFORE_CONTEXT_GREP="" #WORKAROUND - errors in one outputlog within the first 
+    AFTER_CONTEXT_GREP=""  # or last lines will show up in the next/previos file
+    qa_errorlist > $ERRORLIST
+    platformlist 
+    missing_platforms 
+    incomplete_results 
+    echo '</table>' >>$TMP_HTML_FILE
+    echo '<a NAME="errorlist"></a>' >> $TMP_HTML_FILE
+    cat $ERRORLIST  | sed -e "s/^/<br>/" >>$TMP_HTML_FILE
+    cat $WARNINGLIST 2>/dev/null | sed -e "s/^/<br>/" >>$TMP_HTML_FILE 2>/dev/null
+    #bc_test >>$TMP_HTML_FILE
+}
+
+CURRENT_TABLE="Standard"
+qa_stat_init
+
+if [  "$O_TBX" = "ON" -o "$O_LOCAL" = "ON" ] ; then
+    tbx_main
+else
+    qa_stat_main
+fi
+
+qa_stat_cleanup
diff --git a/security/nss/tests/qaclean b/security/nss/tests/qaclean
new file mode 100755
index 000000000..14c71f390
--- /dev/null
+++ b/security/nss/tests/qaclean
@@ -0,0 +1,144 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/qaclean
+#
+# is supposed to clean up after a "hanging" QA
+#
+# 1) see if there is a lockfile 
+#    if yes: 
+#    1a) kill the process of the lockfile and if possible it's children
+#    1b) rm the lockfile
+# 2) kill selfservers
+# 3) clean up old tmp files
+#
+########################################################################
+
+if [ -z "$TMP" ]
+then
+    if [  -z "$TEMP" ]
+    then
+        TMP="/tmp"
+    else
+        TMP=$TEMP
+    fi
+fi
+if [ ! -w "$TMP" ]
+then
+    echo "Can't write to tmp directory $TMP - exiting"
+    echo "Can't write to tmp directory $TMP - exiting" >&2
+    exit 1
+fi
+
+########################### Ps #########################################
+# platform specific ps
+########################################################################
+Ps()
+{
+    if [ `uname -s` = "SunOS" ]
+    then
+        /usr/5bin/ps -e
+    else
+        ps -e
+    fi
+}
+
+Kill()
+{
+    if [ "$1" = "$$" ]
+    then
+        return
+    fi
+    echo "Killing PID $1"
+    kill $1
+    sleep 1
+    kill -9 $1 2>/dev/null
+}
+
+########################### kill_by_name ################################
+# like killall, only without permissionproblems, kills the process whose 
+# name is given as parameter
+########################################################################
+kill_by_name()
+{
+    echo "Killing all $1"
+ 
+    for PID in `Ps | grep "$1" | grep -v grep | \
+        sed -e "s/^[     ]*//g" -e "s/[     ].*//"`
+    do
+        Kill $PID
+    done
+}
+
+kill_the_rest()
+{
+i=0
+while [ $i -lt $1 ]
+do
+    kill_by_name nssqa
+    kill_by_name selfserv
+    kill_by_name strsclnt
+    kill_by_name all.sh
+    kill_by_name sdr.sh
+    kill_by_name ssl.sh
+    kill_by_name smime.sh
+    i=`expr $i + 1`
+done
+}
+
+nt_warning()
+{
+os_name=`uname -s`
+case $os_name in
+    CYGWIN*|WIN*|Win*)
+        echo
+        echo
+        echo
+        echo "Another Windows problem... If you have not already done so"
+        echo "after this script completes, please reboot, and log in as"
+        echo "user svbld again"
+        echo
+        echo
+        echo
+        ;;
+esac
+}
+
+nt_warning
+case $1 in 
+    -all)
+        for w in tommy booboo kentuckyderby galileo shame axilla columbus \
+                 smarch charm hp64 biggayal orville kwyjibo hbombaix raven \
+                 jordan hornet phaedrus louie box dbldog huey washer dryer \
+                 shabadoo trex bummer compaqtor jellyfish sjsu
+        do
+                echo $w
+                ping $w && rsh $w '/u/sonmi/bin/qaclean'
+        done
+
+        ;;
+    ?*)
+        rsh $1 '/u/sonmi/bin/qaclean'
+        exit
+        ;;
+esac
+
+uname -a
+echo
+
+if [ -f ${TMP}/nssqa.* ]
+then
+    echo "nssqa seems to be running ${TMP}/nssqa.*"
+    #cat ${TMP}/nssqa.*
+    NSSQA_PID=`ls ${TMP}/nssqa.* | sed -e 's/[^.]*\.//'`
+    Kill $NSSQA_PID
+    rm ${TMP}/nssqa.*
+fi
+
+kill_the_rest 3
+ls -l ${TMP}/nsstmp.*
+rm ${TMP}/nsstmp.* 2>/dev/null
+rm ${TMP}/certutilout.* 2>/dev/null
+rm ${TMP}/Pk12*
+nt_warning
diff --git a/security/nss/tests/run_niscc.sh b/security/nss/tests/run_niscc.sh
new file mode 100755
index 000000000..295e4b578
--- /dev/null
+++ b/security/nss/tests/run_niscc.sh
@@ -0,0 +1,657 @@
+#!/bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Sun Microsystems, Inc..
+# Portions created by the Initial Developer are Copyright (C) 2004-2006
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# This script runs NSS against test data provided by the United Kingdom
+# National Infrastructure Security Co-ordination Centre (NISCC).
+# The test data is not public and is not provided with this script.
+########################################################################
+# Base location to work from
+NISCC_HOME=${NISCC_HOME:-/niscc}
+export NISCC_HOME
+# Set to where special NSS version exists. 
+NSS_HACK=${NSS_HACK:-${NISCC_HOME}/nss_hack}; export NSS_HACK
+# NSS version to test
+LOCALDIST=${LOCALDIST:-/share/builds/sbstools/nsstools}
+export LOCALDIST
+# If true, do not rebuild client and server directories
+NO_SETUP=${NO_SETUP:-"false"}; export NO_SETUP
+# location of NISCC SSL testcases
+TEST=${TEST:-"${NISCC_HOME}/NISCC_SSL_testcases"}; export TEST
+# build the fully qualified domain name
+# NOTE: domainname(1) may return the wrong domain in NIS environments
+DOMSUF=${DOMSUF:-`domainname`}
+if [ -z "$HOST" ]; then
+	HOST=`uname -n`
+fi
+HOSTNAME=$HOST.$DOMSUF; export HOSTNAME
+# Who and how to mail the output to
+QA_LIST=${QA_LIST:-"nobody@localhost"}; export QA_LIST
+MAIL_COMMAND=${MAIL_COMMAND:-/bin/mail}; export MAIL_COMMAND
+# Whether or not to archive the logs
+LOG_STORE=${LOG_STORE:-"false"}; export LOG_STORE
+
+
+##############################################################
+# set build dir, bin and lib directories
+##############################################################
+init()
+{
+  #enable useful core files to be generated in case of crash
+  ulimit -c unlimited
+
+# gmake is needed in the path for this suite to run
+  PATH=/usr/bin:/usr/sbin:/usr/local/bin:/tools/ns/bin; export PATH
+  echo "PATH $PATH" >> $NISCC_HOME/nisccLog00
+
+  DISTTYPE=`cd ${NSS_HACK}/mozilla/security/nss/tests/common; gmake objdir_name`
+  echo "DISTTYPE ${DISTTYPE}" >> $NISCC_HOME/nisccLog00
+  HACKBIN=${NSS_HACK}/mozilla/dist/${DISTTYPE}/bin; export HACKBIN
+  HACKLIB=${NSS_HACK}/mozilla/dist/${DISTTYPE}/lib; export HACKLIB
+
+  TESTBIN=${LOCALDIST}/mozilla/dist/${DISTTYPE}/bin; export TESTBIN
+  TESTLIB=${LOCALDIST}/mozilla/dist/${DISTTYPE}/lib; export TESTLIB
+
+# Verify NISCC_TEST was set in the proper library
+	if strings ${HACKLIB}/libssl3.so | grep NISCC_TEST > /dev/null 2>&1; then
+		echo "${HACKLIB}/libssl3.so contains NISCC_TEST" >> \
+$NISCC_HOME/nisccLog00
+	else
+		echo "${HACKLIB}/libssl3.so does NOT contain NISCC_TEST" >> \
+$NISCC_HOME/nisccLog00
+	fi
+
+	if strings ${TESTLIB}/libssl3.so | grep NISCC_TEST > /dev/null 2>&1; then
+		echo "${TESTLIB}/libssl3.so contains NISCC_TEST" >> \
+$NISCC_HOME/nisccLog00
+	else
+		echo "${TESTLIB}/libssl3.so does NOT contain NISCC_TEST" >> \
+$NISCC_HOME/nisccLog00
+	fi
+}
+#end of init section
+
+
+##############################################################
+# Setup simple client and server directory
+##############################################################
+ssl_setup_dirs_simple()
+{
+  [ "$NO_SETUP" = "true" ] && return
+
+  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client
+  SERVER=${NISCC_HOME}/niscc_ssl/simple_server
+
+#
+# Setup simple client directory
+#
+  rm -rf $CLIENT
+  mkdir -p $CLIENT
+  echo test > $CLIENT/password-is-test.txt
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/certutil -N -d $CLIENT -f $CLIENT/password-is-test.txt >> \
+$NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -A -d $CLIENT -n rootca -i $TEST/rootca.crt -t \
+"C,C," >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/pk12util -i $TEST/client_crt.p12 -d $CLIENT -k \
+$CLIENT/password-is-test.txt -W testtest1 >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -L -d $CLIENT >> $NISCC_HOME/nisccLog00 2>&1
+
+  echo "GET /stop HTTP/1.0" > $CLIENT/stop.txt
+  echo ""                  >> $CLIENT/stop.txt
+
+#
+# Setup simple server directory
+#
+  rm -rf $SERVER
+  mkdir -p $SERVER
+  echo test > $SERVER/password-is-test.txt
+  ${TESTBIN}/certutil -N -d $SERVER -f $SERVER/password-is-test.txt \
+>> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -A -d $SERVER -n rootca -i $TEST/rootca.crt -t \
+"TC,C," >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/pk12util -i $TEST/server_crt.p12 -d $SERVER -k \
+$SERVER/password-is-test.txt -W testtest1 >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -L -d $SERVER >> $NISCC_HOME/nisccLog00 2>&1
+
+  unset LD_LIBRARY_PATH
+}
+
+
+##############################################################
+# Setup resigned client and server directory
+###############################################################
+ssl_setup_dirs_resigned()
+{
+  [ "$NO_SETUP" = "true" ] && return
+
+  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client
+  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server
+
+#
+# Setup resigned client directory
+#
+  rm -rf $CLIENT
+  mkdir -p $CLIENT
+  echo test > $CLIENT/password-is-test.txt
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/certutil -N -d $CLIENT -f $CLIENT/password-is-test.txt \
+>> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -A -d $CLIENT -n rootca -i $TEST/rootca.crt -t \
+"C,C," >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/pk12util -i $TEST/client_crt.p12 -d $CLIENT -k \
+$CLIENT/password-is-test.txt -W testtest1 >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -L -d $CLIENT  >> $NISCC_HOME/nisccLog00 2>&1
+
+  echo "GET /stop HTTP/1.0" > $CLIENT/stop.txt
+  echo ""                  >> $CLIENT/stop.txt
+
+#
+# Setup resigned server directory
+#
+  rm -rf $SERVER
+  mkdir -p $SERVER
+  echo test > $SERVER/password-is-test.txt
+  ${TESTBIN}/certutil -N -d $SERVER -f $SERVER/password-is-test.txt \
+>> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -A -d $SERVER -n rootca -i $TEST/rootca.crt -t \
+"TC,C," >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/pk12util -i $TEST/server_crt.p12 -d $SERVER -k \
+$SERVER/password-is-test.txt -W testtest1 >> $NISCC_HOME/nisccLog00 2>&1
+  ${TESTBIN}/certutil -L -d $SERVER >> $NISCC_HOME/nisccLog00 2>&1
+
+  unset LD_LIBRARY_PATH
+}
+
+
+##############################################################
+# NISCC SMIME tests
+##############################################################
+niscc_smime()
+{
+  cd ${NISCC_HOME}/NISCC_SMIME_testcases
+
+  if [ ! -d ${NISCC_HOME}/niscc_smime ]; then
+	mkdir -p ${NISCC_HOME}/niscc_smime
+  fi
+
+  SMIME_CERT_DB_DIR=envDB; export SMIME_CERT_DB_DIR
+  NSS_STRICT_SHUTDOWN=1; export NSS_STRICT_SHUTDOWN
+  NSS_DISABLE_ARENA_FREE_LIST=1; export NSS_DISABLE_ARENA_FREE_LIST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+
+# Generate envDB if needed
+  if [ ! -d $SMIME_CERT_DB_DIR ]; then
+	mkdir -p $SMIME_CERT_DB_DIR
+ 	echo testtest1 > password-is-testtest1.txt
+	${TESTBIN}/certutil -N -d ./${SMIME_CERT_DB_DIR} -f \
+password-is-testtest1.txt > /dev/null 2>&1
+	${TESTBIN}/certutil -A -d $SMIME_CERT_DB_DIR -i CA.crt -n CA -t "TC,C,"
+	${TESTBIN}/certutil -A -d $SMIME_CERT_DB_DIR -i Client.crt -n Client \
+-t "TC,C,"
+	${TESTBIN}/pk12util -i ./CA.p12 -d $SMIME_CERT_DB_DIR -k \
+./password-is-test.txt -W testtest1 
+	${TESTBIN}/pk12util -i ./Client.p12 -d $SMIME_CERT_DB_DIR -k \
+./password-is-test.txt -W testtest1 
+  fi
+
+# if p7m-ed-m-files.txt does not exist, then generate it.
+  if [ ! -f p7m-ed-m-files.txt ]; then
+	find ./p7m-ed-m-0* -type f -print >> p7m-ed-m-files.txt
+  fi
+
+  ${TESTBIN}/cmsutil -D -d $SMIME_CERT_DB_DIR -p testtest1 -b -i \
+p7m-ed-m-files.txt > $NISCC_HOME/niscc_smime/p7m-ed-m-results.txt 2>&1 
+ 
+  SMIME_CERT_DB_DIR=sigDB; export SMIME_CERT_DB_DIR
+# Generate sigDB if needed
+  if [ ! -d $SMIME_CERT_DB_DIR ]; then
+	mkdir -p $SMIME_CERT_DB_DIR
+	${TESTBIN}/certutil -N -d $SMIME_CERT_DB_DIR -f password-is-testtest1.txt
+	${TESTBIN}/certutil -A -d $SMIME_CERT_DB_DIR -i CA.crt -n CA -t "TC,C,"
+	${TESTBIN}/certutil -A -d $SMIME_CERT_DB_DIR -i Client.crt -n Client \
+-t "TC,C,"
+  fi
+
+# if p7m-sd-dt-files.txt does not exist, then generate it.
+  if [ ! -f p7m-sd-dt-files.txt ]; then
+	find ./p7m-sd-dt-[cm]-* -type f -print >> p7m-sd-dt-files.txt
+  fi
+
+  if [ ! -f detached.txt ]; then
+	touch detached.txt
+  fi
+
+  ${TESTBIN}/cmsutil -D -d $SMIME_CERT_DB_DIR -c detached.txt -b -i \
+p7m-sd-dt-files.txt > $NISCC_HOME/niscc_smime/p7m-sd-dt-results.txt 2>&1 
+
+# if p7m-sd-op-files.txt does not exist, then generate it.
+  if [ ! -f p7m-sd-op-files.txt ]; then
+	find ./p7m-sd-op-[cm]-* -type f -print >> p7m-sd-op-files.txt
+  fi
+
+  ${TESTBIN}/cmsutil -D -d $SMIME_CERT_DB_DIR -b -i p7m-sd-op-files.txt > \
+$NISCC_HOME/niscc_smime/p7m-sd-op-results.txt 2>&1 
+
+  unset LD_LIBRARY_PATH
+
+  find_core
+}
+#end of smime section
+
+##############################################################
+# set env variables for NISCC SSL tests
+##############################################################
+niscc_ssl_init()
+{
+  NSS_STRICT_SHUTDOWN=1; export NSS_STRICT_SHUTDOWN
+  NSS_DISABLE_ARENA_FREE_LIST=1; export NSS_DISABLE_ARENA_FREE_LIST
+  cd $NISCC_HOME
+}
+
+
+##############################################################
+# do simple client auth tests
+# Use an altered client against the server
+##############################################################
+ssl_simple_client_auth()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
+  PORT=8443; export PORT
+  START_AT=1; export START_AT
+  STOP_AT=106160; export STOP_AT
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/selfserv -p $PORT -d $SERVER -n server_crt -rr -t 5 -w test > \
+$NISCC_HOME/nisccLog01 2>&1 &
+  sleep 10
+
+  NISCC_TEST=$TEST/simple_client; export NISCC_TEST
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  ${HACKBIN}/strsclnt -d $CLIENT -n client_crt -p $PORT -t 4 -c 106160 -o -N \
+-w test $HOSTNAME > $NISCC_HOME/nisccLog02 2>&1
+
+  unset NISCC_TEST; export NISCC_TEST
+  echo "starting tstclnt to shutdown simple client selfserv process"
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f -w \
+test < $CLIENT/stop.txt >> nisccLog02 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f -w \
+test < $CLIENT/stop.txt >> nisccLog02 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f -w \
+test < $CLIENT/stop.txt >> nisccLog02 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f -w \
+test < $CLIENT/stop.txt >> nisccLog02 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f -w \
+test < $CLIENT/stop.txt >> nisccLog02 2>&1
+
+  unset LD_LIBRARY_PATH
+
+  sleep 10
+
+  find_core
+}
+
+##############################################################
+# do simple server auth tests
+# Use an altered server against the client
+##############################################################
+ssl_simple_server_auth()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
+  PORT=8444; export PORT
+  START_AT=1; export START_AT
+  STOP_AT=106167; export STOP_AT
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  NISCC_TEST=$TEST/simple_server; export NISCC_TEST
+  ${HACKBIN}/selfserv -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
+$NISCC_HOME/nisccLog03 2>&1 &
+
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 106167 -o -N $HOSTNAME > \
+$NISCC_HOME/nisccLog04 2>&1 
+
+  echo "starting tstclnt to shutdown simple server selfserv process"
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog04 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog04 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog04 2>&1 
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog04 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog04 2>&1
+
+  unset LD_LIBRARY_PATH
+
+  sleep 10
+
+  find_core
+}
+
+##############################################################
+# do simple rootCA tests
+# Use an altered server against the client
+##############################################################
+ssl_simple_rootca()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
+  PORT=8445; export PORT
+  START_AT=1; export START_AT
+  STOP_AT=106190; export STOP_AT
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  NISCC_TEST=$TEST/simple_rootca; export NISCC_TEST
+  ${HACKBIN}/selfserv -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
+$NISCC_HOME/nisccLog05 2>&1 &
+
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 106190 -o -N $HOSTNAME > \
+$NISCC_HOME/nisccLog06 2>&1
+
+  echo "starting tstclnt to shutdown simple rootca selfserv process"
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog06 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog06 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog06 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog06 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog06 2>&1
+
+  unset LD_LIBRARY_PATH
+  sleep 10
+
+  find_core
+}
+
+##############################################################
+# do resigned client auth tests
+# Use an altered client against the server
+##############################################################
+ssl_resigned_client_auth()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
+  PORT=8446; export PORT
+  START_AT=0; export START_AT
+  STOP_AT=99981; export STOP_AT
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/selfserv -p $PORT -d $SERVER -n server_crt -rr -t 5 -w test > \
+$NISCC_HOME/nisccLog07 2>&1 &
+
+  NISCC_TEST=$TEST/resigned_client; export NISCC_TEST
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  ${HACKBIN}/strsclnt -d $CLIENT -n client_crt -p $PORT -t 4 -c 99982 -o -N \
+-w test $HOSTNAME > $NISCC_HOME/nisccLog08 2>&1 
+
+  unset NISCC_TEST; export NISCC_TEST
+  echo "starting tstclnt to shutdown resigned client selfserv process"
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog08 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog08 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog08 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog08 2>&1
+  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog08 2>&1
+
+  unset LD_LIBRARY_PATH
+
+  sleep 10
+
+  find_core
+}
+
+##############################################################
+# do resigned server auth tests
+# Use an altered server against the client
+##############################################################
+ssl_resigned_server_auth()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
+  PORT=8447; export PORT
+  START_AT=0; export START_AT
+  STOP_AT=100068; export STOP_AT
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  NISCC_TEST=$TEST/resigned_server; export NISCC_TEST
+  ${HACKBIN}/selfserv -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
+$NISCC_HOME/nisccLog09 2>&1 &
+
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 100069 -o -N $HOSTNAME > \
+$NISCC_HOME/nisccLog10 2>&1 
+
+  echo "starting tstclnt to shutdown resigned server selfserv process"
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog10 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog10 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog10 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog10 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog10 2>&1
+
+  unset LD_LIBRARY_PATH
+
+  sleep 10
+
+  find_core
+}
+
+##############################################################
+# do resigned rootCA tests
+# Use an altered server against the client
+##############################################################
+ssl_resigned_rootca()
+{
+  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
+  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
+  PORT=8448; export PORT
+  START_AT=0; export START_AT
+  STOP_AT=99959; export STOP_AT
+  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
+  NISCC_TEST=$TEST/resigned_rootca; export NISCC_TEST
+  ${HACKBIN}/selfserv -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
+$NISCC_HOME/nisccLog11 2>&1 &
+
+  unset NISCC_TEST; export NISCC_TEST
+  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
+  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 99960 -o -N $HOSTNAME > \
+$NISCC_HOME/nisccLog12 2>&1 
+
+  echo "starting tstclnt to shutdown resigned rootca selfserv process"
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog12 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog12 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog12 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog12 2>&1
+  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
+-w test < $CLIENT/stop.txt >> nisccLog12 2>&1
+
+  unset LD_LIBRARY_PATH
+
+  sleep 10
+
+  find_core
+}
+
+###############################################################
+# find core file and email if found, move core file to save it
+###############################################################
+find_core()
+{
+  for w in `find $NISCC_HOME -name "core" -print`
+  do
+      mv $w $w.`date +%H%M%S`
+  done
+}
+
+
+###############################################################
+# NISCC tests result in a failure only if a core file is produced
+# Mail out the status - the log summary is not mailed due to its 
+# size of about one hundred megabytes.
+###############################################################
+mail_testLog()
+{
+  # remove mozilla nss build false positives and core stored in previous runs
+  find $NISCC_HOME -name "core*" -print | grep -v coreconf | grep -v \
+core_watch | grep -v archive >> $NISCC_HOME/crashLog
+  SIZE=`cat $NISCC_HOME/crashLog | wc -l`
+  if [ "$SIZE" -gt 0 ]; then
+      cat $NISCC_HOME/crashLog >> $NISCC_HOME/nisccLogSummary
+      $MAIL_COMMAND -s "WEEKLY NISCC TESTS FAILED: check end of logfile" \
+        $QA_LIST < /dev/null
+  else
+      $MAIL_COMMAND -s "PASSED: weekly NISCC tests completed" \
+        $QA_LIST < /dev/null
+  fi
+}
+
+
+###############################################################
+# summarise all logs
+###############################################################
+log_summary()
+{
+
+  for a in $NISCC_HOME/nisccLog[0-9]*
+      do echo ================================== $a
+      grep -v using $a | sort | uniq -c | sort -b -n +0 -1
+      done | tee $NISCC_HOME/nisccLogSummary
+
+  for a in $NISCC_HOME/niscc_smime/p7m-*-results.txt
+      do echo ================================== $a
+      grep -v using $a | sort | uniq -c | sort -b -n +0 -1
+      done | tee -a $NISCC_HOME/nisccLogSummary
+}
+
+
+###############################################################
+# move the old mozilla and log files to save them, delete extra
+# log files
+###############################################################
+move_files()
+{
+
+  cd $NISCC_HOME
+
+  if [ "$LOG_STORE" = "true" ]; then
+	# Check for archive directory
+	if [ ! -d $NISCC_HOME/archive ]; then
+		mkdir -p $NISCC_HOME/archive
+	fi
+	# Determine next log storage point
+	DATE=`date +%Y%m%d`
+	SLOT=`ls -1 $NISCC_HOME/archive | grep ${DATE} | wc -l`
+	SLOT=`expr $SLOT + 1`
+	LOCATION=$NISCC_HOME/archive/${DATE}.${SLOT}
+	mkdir -p ${LOCATION}
+	# Archive the logs
+	mv nisccBuildLog ${LOCATION} 2> /dev/null
+	mv nisccLogSummary ${LOCATION}
+	mv nisccLog00 ${LOCATION}
+	mv nisccLog01 ${LOCATION}
+	mv nisccLog02 ${LOCATION}
+	mv nisccLog03 ${LOCATION}
+	mv nisccLog04 ${LOCATION}
+	mv nisccLog05 ${LOCATION}
+	mv nisccLog06 ${LOCATION}
+	mv nisccLog07 ${LOCATION}
+	mv nisccLog08 ${LOCATION}
+	mv nisccLog09 ${LOCATION}
+	mv nisccLog10 ${LOCATION}
+	mv nisccLog11 ${LOCATION}
+	mv nisccLog12 ${LOCATION}
+	mv niscc_smime/p7m-ed-m-results.txt ${LOCATION}
+	mv niscc_smime/p7m-sd-dt-results.txt ${LOCATION}
+	mv niscc_smime/p7m-sd-op-results.txt ${LOCATION}
+	# Archive any core files produced
+	for CORE in `cat $NISCC_HOME/crashLog`
+	do
+		mv $CORE ${LOCATION}
+	done
+	mv crashLog ${LOCATION}
+	return
+  fi
+
+  if [ -d ../mozilla ]; then
+	mv -f ../mozilla ../mozilla.old
+  	mv nisccBuildLog nisccBuildLog.old
+  fi
+  mv nisccLogSummary nisccLogSummary.old
+  mv crashLog crashLog.old
+
+  rm -f nisccLog00 nisccLog01 nisccLog02 nisccLog03 nisccLog04 nisccLog05 \
+nisccLog06 nisccLog07 nisccLog08 nisccLog09 nisccLog10 nisccLog11 nisccLog12
+  rm -f niscc_smime/p7m-ed-m-results.txt \
+      niscc_smime/p7m-sd-dt-results.txt \
+      niscc_smime/p7m-sd-op-results.txt
+}
+
+############################## main ##############################
+init
+niscc_smime
+niscc_ssl_init
+ssl_setup_dirs_simple
+  ssl_simple_client_auth
+  ssl_simple_server_auth
+  ssl_simple_rootca
+ssl_setup_dirs_resigned
+  ssl_resigned_client_auth
+  ssl_resigned_server_auth
+  ssl_resigned_rootca
+log_summary
+mail_testLog
+move_files
diff --git a/security/nss/tests/sdr/sdr.sh b/security/nss/tests/sdr/sdr.sh
new file mode 100755
index 000000000..1009b1a2a
--- /dev/null
+++ b/security/nss/tests/sdr/sdr.sh
@@ -0,0 +1,143 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/sdr/sdr.sh
+#
+# Script to start test basic functionallity of NSS sdr
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## sdr_init ################################
+# local shell function to initialize this script
+########################################################################
+sdr_init()
+{
+  SCRIPTNAME=sdr.sh
+  if [ -z "${CLEANUP}" ] ; then
+      CLEANUP="${SCRIPTNAME}"
+  fi
+  
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  SCRIPTNAME=sdr.sh
+
+  #temporary files
+  VALUE1=$HOSTDIR/tests.v1.$$
+  VALUE2=$HOSTDIR/tests.v2.$$
+  VALUE3=$HOSTDIR/tests.v3.$$
+
+  T1="Test1"
+  T2="The quick brown fox jumped over the lazy dog"
+  T3="1234567"
+
+  SDRDIR=${HOSTDIR}/SDR
+  D_SDR="SDR.$version"
+  if [ ! -d ${SDRDIR} ]; then
+    mkdir -p ${SDRDIR}
+  fi
+
+  PROFILE=.
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     PROFILE="multiaccess:${D_SDR}"
+  fi
+
+  cd ${SDRDIR}
+  html_head "SDR Tests"
+}
+
+############################## sdr_main ################################
+# local shell function to test NSS SDR
+########################################################################
+sdr_main()
+{
+  echo "$SCRIPTNAME: Creating an SDR key/SDR Encrypt - Value 1"
+  echo "sdrtest -d ${PROFILE} -o ${VALUE1} -t \"${T1}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE1} -t "${T1}"
+  html_msg $? 0 "Creating SDR Key/Encrypt - Value 1"
+
+  echo "$SCRIPTNAME: SDR Encrypt - Value 2"
+  echo "sdrtest -d ${PROFILE} -o ${VALUE2} -t \"${T2}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}"
+  html_msg $? 0 "Encrypt - Value 2"
+
+  echo "$SCRIPTNAME: SDR Encrypt - Value 3"
+  echo "sdrtest -d ${PROFILE} -o ${VALUE3} -t \"${T3}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE3} -t "${T3}"
+  html_msg $? 0 "Encrypt - Value 3"
+
+  echo "$SCRIPTNAME: SDR Decrypt - Value 1"
+  echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t \"${T1}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t "${T1}"
+  html_msg $? 0 "Decrypt - Value 1"
+
+  echo "$SCRIPTNAME: SDR Decrypt - Value 2"
+  echo "sdrtest -d ${PROFILE} -i ${VALUE2} -t \"${T2}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}"
+  html_msg $? 0 "Decrypt - Value 2"
+
+  echo "$SCRIPTNAME: SDR Decrypt - Value 3"
+  echo "sdrtest -d ${PROFILE} -i ${VALUE3} -t \"${T3}\""
+  ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE3} -t "${T3}"
+  html_msg $? 0 "Decrypt - Value 3"
+}
+
+############################## sdr_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+sdr_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+sdr_init
+sdr_main
+sdr_cleanup
diff --git a/security/nss/tests/set_environment b/security/nss/tests/set_environment
new file mode 100644
index 000000000..5a3515cca
--- /dev/null
+++ b/security/nss/tests/set_environment
@@ -0,0 +1,234 @@
+#! /bin/sh
+
+########################################################################
+#
+# /u/sonmi/bin/set_environment
+#
+# sourced from the header if running from cron to get the full environment
+# to run nssqa    - also used to unify all nssqa environments
+#
+# This is derived from the .cshrc file for the svbld account.  
+#
+########################################################################
+
+if [ -z "$HOME" ] 
+then
+    HOME=/u/svbld
+fi
+if [ -z "$QASCRIPT_DIR" ]
+then
+    QASCRIPT_DIR=`dirname $0`
+fi
+
+os_name=`uname -s`
+if [ "$os_name" != "Windows_95" -a \
+    "$os_name" != "Windows_NT" -a \
+    "$os_name" != "WINNT" -a \
+    "$os_name" != "Windows" -a \
+    "$os_name" != "Windows_98" -a \
+    "$os_name" != "CYGWIN_NT-4.0" -a \
+    "$os_name" != "CYGWIN_NT-5.0" -a \
+    "$os_name" != "CYGWIN_95-4.0" -a \
+    "$os_name" != "CYGWIN_98-4.10" ]
+then
+    PATH=.:$HOME/bin:/tools/ns/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/bin/X11:/usr/audio/bin:/u/sonmi/bin:$PATH
+    JAVA_HOME="D:/i386/jdk1.2.2"
+    JAVA_HOME14="R:/jdk/1.4.0/WINNT"
+fi
+
+CVSROOT=:pserver:svbld@redcvs.red.iplanet.com:/m/src
+
+os_name=`uname -s`
+os_version=`uname -r`
+#os_p=`uname -p`
+os_full=""
+
+if [ -f /u/svbld/bin/nsarch  ]
+then
+    os_full=`/u/svbld/bin/nsarch -f`    #FIXME
+fi
+
+MANPATH=/usr/share/man:/usr/openwin/man:/usr/local/man
+
+RMAIL=rmail
+BEFORE_CONTEXT_GREP=""
+AFTER_CONTEXT_GREP=""
+
+export CVSROOT HOME os_name os_version os_full MANPATH
+
+
+if [ "$os_name" = "HP-UX" ]
+then
+    PATH=$PATH:/usr/local/bin:/opt/aCC/bin:/usr/local/bin/audio:/tools/ns/bin:/etc:/usr/contrib/bin:/usr/contrib/bin/X11:/usr/local/hpux/bin:/nfs/iapp1/hphome/bin:/etc:/u/svbld/bin/HP/perl/bin
+    JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.2.2.04"
+    JAVA_HOME14=$JAVA_HOME
+#    JAVA_HOME="/share/builds/components/cms_jdk/HP-UX/1.3.0.00"
+elif [ "$os_name" = "SunOS" ]
+then
+    NATIVE_FLAG="-native"
+    XAPPLRESDIR=/usr/openwin/lib/app-defaults:/usr/local/lib/X11/app-defaults
+    OPENWINHOME=/usr/openwin
+    LD_LIBRARY_PATH=$OPENWINHOME/lib
+    if [ "$os_full" = "SOLARISx86 2.8" -o "$os_full" = "SOLARISx86 2.9" ] 
+    then
+        #PATH=/usr/ucb:/opt/usr/local/bin:$PATH
+        JAVA_HOME="/usr/java1.2"
+	JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS_x86
+        PATH=".:/usr/dist/share/forte_dev_i386,v6.2/SUNWspro/bin:/opt/usr/local/perl5/bin:/opt/SUNWspro/bin:/opt/usr/local/bin:/bin:/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/dist/local/exe:/usr/ccs/bin:/usr/ucb/bin:/usr/ucb:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin"
+    else
+        PATH=/usr/ucb:$PATH
+        JAVA_HOME="/share/builds/components/jdk/1.2.2/SunOS"
+	JAVA_HOME14=/share/builds/components/jdk/1.4.0/SunOS64
+        PATH=/tools/ns/bin:$PATH:/opt/SUNWspro/bin:/usr/bin/X11:/usr/openwin/bin:/usr/openwin/demo
+    
+        if [ "$os_version" = "5.8" -o "$os_version" = "5.7" -o \
+             "$os_version" = "5.9" ]
+        then
+            PATH=$PATH:/usr/dist/pkgs/forte_dev,v6.2/SUNWspro/bin:/tools/ns/workshop/bin
+        else
+            PATH=$PATH:/usr/dist/share/devpro,v5.0/5.x-sparc/bin:/tools/ns/workshop/bin
+        fi
+        PATH=$PATH:/usr/ccs/bin:/usr/ucb/bin:/opt/SUNWwabi/bin:/usr/local/bin:/tools/ns/bin:/etc:/tools/contrib/bin
+     fi
+    export XAPPLRESDIR  OPENWINHOME LD_LIBRARY_PATH
+
+elif [ "$os_name" = "IRIX" ]
+then
+    PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+    MANPATH=/tools/ns/man:/usr/local/man
+    JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+    JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "IRIX64" ]
+then
+    PATH=$PATH:/tools/ns/bin:/usr/local/bin:/etc:/usr/bsd
+    MANPATH=/tools/ns/man:/usr/local/man
+    JAVA_HOME="/share/builds/components/jdk/1.2.2/IRIX"
+    JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "Linux" ]
+then
+    PATH=/lib:/usr/lib:/bin:/sbin:/usr/bin:/usr/sbin:$PATH
+    RMAIL=sendmail
+    #the gnu grep, on Linux can output 10 lines above and 3 lines below 
+    #the errormessage
+    BEFORE_CONTEXT_GREP="--before-context=10"
+    AFTER_CONTEXT_GREP="--after-context=3"
+    JAVA_HOME="/share/builds/components/jdk/1.2.2/Linux"
+    JAVA_HOME14=/share/builds/components/jdk/1.4.0/Linux
+elif [ "$os_name" = "AIX" ]
+then
+    PATH=$PATH:/tools/contrib/bin:/usr/local/bin 
+    TERM=vt100
+    export TERM
+    JAVA_HOME="/share/builds/components/cms_jdk/AIX/1.3.0"
+    JAVA_HOME14=$JAVA_HOME
+elif [ "$os_name" = "OSF1" ]
+then
+    PATH=$PATH:/usr/local/bin
+    JAVA_HOME="/share/builds/components/jdk/1.2.2/OSF1"
+    JAVA_HOME14=$JAVA_HOME
+fi
+
+if [ "$os_name" = "IRIX" ]
+then
+    PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+elif [ "$os_name" = "IRIX64" ]
+then
+    PATH=/tools/ns-arch/soft/perl-5.004_04/run/default/mips_sgi_irix5.3/bin:$PATH
+fi
+
+O_CYGNUS=OFF
+O_MKS=OFF
+O_WIN=OFF
+
+if [ "$os_name" = "CYGWIN_NT-4.0" -o \
+    "$os_name" = "CYGWIN_NT-5.0" -o \
+    "$os_name" = "CYGWIN_95-4.0" -o \
+    "$os_name" = "CYGWIN_98-4.10" ]
+then
+    #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+    #FIXME - take MKS out of the PATH
+    os_full=$os_name
+    os_name="Windows"
+    O_CYGNUS=ON
+    O_WIN=ON
+    PATH="`dirname $0`:.:/cygdrive/c/cygwin/bin:/cygdrive/z/nstools/bin:/cygdrive/z/nstools/perl5:/cygdrive/z/bin:/cygdrive/c/WINNT/System32:/cygdrive/c/WINNT"
+    RM=/cygdrive/c/cygwin/bin/rm.exe    #FIXME - in case we cant cporrect 
+                                        #these with the PATH alone
+    PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+    RSH=/cygdrive/c/winnt/system32/rsh
+elif [ "$os_name" = "Windows_95" -o \
+    "$os_name" = "Windows_NT" -o \
+    "$os_name" = "WINNT" -o \
+    "$os_name" = "Windows" -o \
+    "$os_name" = "Windows_98" ]
+then
+    #FIXME net use, mount the neccessary pnetwork drives and partitiones first
+    PATH=`echo $SHELL | sed -e "s/.[kK][sS][Hh].[Ee][Xx][Ee]//g"  \
+				-e "s/.[sS][Hh].[Ee][Xx][Ee]//g"`
+    MOZTOOLS_IN_PATH=NO
+    if [ -n "$MOZ_TOOLS" -a -d  "$MOZ_TOOLS" ] ; then
+        MOZ_TOOLS=`ls -d "$MOZ_TOOLS" | sed -e 's/\\\/\//g'`
+        #echo "MOZ_TOOLS reformated to $MOZ_TOOLS"
+        if [ -d "$MOZ_TOOLS" ] ; then #still exist after reformating?
+            MOZTOOLS_IN_PATH=OK
+        fi
+    fi
+    if [ -n "$MOZTOOLS_IN_PATH" -a "$MOZTOOLS_IN_PATH" = "OK" ] ; then
+        #echo "Use MOZTOOLS in PATH"
+        PATH="$MOZ_TOOLS/bin;$MOZ_TOOLS/perl5;$PATH"
+    elif [ -d Z:/nstools/bin ] ; then
+        PATH="Z:/nstools/bin;Z:/nstools/perl5;$PATH"
+    elif [ -d C:/nstools/bin ] ; then
+        PATH="C:/nstools/bin;C:/nstools/perl5;$PATH"
+    elif [ -d D:/nstools/bin ] ; then
+        PATH="D:/nstools/bin;D:/nstools/perl5;$PATH"
+    elif [ -d D:/i386/nstools/bin ] ; then
+        PATH="D:/i386/nstools/bin;D:/i386/nstools/perl5;$PATH"
+    else
+        echo "FATAL: Can't find nstools"
+        exit
+    fi
+
+    if [  "$os_name" = "Windows_NT" -o \
+        "$os_name" = "WINNT" ]
+    then
+        PATH="${PATH};C:/WINNT/System32;C:/WINNT;.;"
+    fi
+    PATH="`dirname $0`;$PATH"
+    
+    PATH=`perl $QASCRIPT_DIR/path_uniq -d ';' "$PATH"`
+    echo $PATH
+    os_full=$os_name
+    os_name="Windows"
+    O_MKS=ON
+    O_WIN=ON
+    if [ -z $RSH ] ; then 
+        RSH=c:/winnt/system32/rsh
+    fi
+    
+else
+    EDITOR=vi
+    EMACSLOADPATH=/u/svbld/emacs
+    PYTHONPATH=.:/tools/ns/lib/python1.4
+    PAGER=less
+    XMCD_LIBDIR=/usr/local/lib/xmcd
+    DISPLAY=:0.0
+    PATH=`perl $QASCRIPT_DIR/path_uniq "$PATH"`
+    RSH=rsh
+fi
+
+BASEPATH=$PATH    # in  case we we set and reset DIST directories the PATH 
+                # needs to change accordingly
+export PATH EDITOR EMACSLOADPATH PYTHONPATH PAGER XMCD_LIBDIR DISPLAY MANPATH os_full os_name BASEPATH RSH O_WIN
+
+umask 022
+
+system=`uname -n`        # name of this system.
+
+JAVAC=$JAVA_HOME/bin/javac
+JAVA=$JAVA_HOME/bin/java
+JAVAC14=$JAVA_HOME14/bin/javac
+JAVA14=$JAVA_HOME14/bin/java
+#JAVA=$JAVA_HOME/jre/bin/java
+export JAVAC JAVA JAVA_HOME JAVAC14 JAVA_HOME14 JAVA14
+
diff --git a/security/nss/tests/smime/alice.txt b/security/nss/tests/smime/alice.txt
new file mode 100644
index 000000000..0378db464
--- /dev/null
+++ b/security/nss/tests/smime/alice.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: alice@bogus.com
+Subject: message Alice --> Bob
+To: bob@bogus.com
+
+This is a test message from Alice to Bob.
diff --git a/security/nss/tests/smime/bob.txt b/security/nss/tests/smime/bob.txt
new file mode 100644
index 000000000..330b2c94d
--- /dev/null
+++ b/security/nss/tests/smime/bob.txt
@@ -0,0 +1,6 @@
+Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
+From: bob@bogus.com
+Subject: message Bob --> Alice
+To: alice@bogus.com
+
+This is a test message from Bob to Alice.
diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh
new file mode 100755
index 000000000..3b0b29523
--- /dev/null
+++ b/security/nss/tests/smime/smime.sh
@@ -0,0 +1,292 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/smime/smime.sh
+#
+# Script to test NSS smime
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## smime_init ##############################
+# local shell function to initialize this script
+########################################################################
+smime_init()
+{
+  SCRIPTNAME=smime.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=smime.sh
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      html_head "S/MIME Tests with ECC"
+  else
+      html_head "S/MIME Tests"
+  fi
+
+  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
+  }
+
+  SMIMEDIR=${HOSTDIR}/smime
+  R_SMIMEDIR=../smime
+  mkdir -p ${SMIMEDIR}
+  cd ${SMIMEDIR}
+  cp ${QADIR}/smime/alice.txt ${SMIMEDIR}
+}
+
+smime_sign()
+{
+  HASH_CMD="-H ${HASH}"
+  SIG=sig.${HASH}
+
+  echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------"
+  echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}
+  html_msg $? 0 "Create Detached Signature Alice (${HASH})" "."
+
+  echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} 
+  html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "."
+
+  echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------"
+  echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}
+  html_msg $? 0 "Create Attached Signature Alice (${HASH})" "."
+
+  echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}
+  html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "."
+
+  echo "diff alice.txt alice.data.${HASH}"
+  diff alice.txt alice.data.${HASH}
+  html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
+
+# Test ECDSA signing for all hash algorithms.
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+      echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+      ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+      html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+
+      echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+      ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} 
+      html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+
+      echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+      echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+      ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+      html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+
+      echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+      ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+      html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+
+      echo "diff alice.txt alice-ec.data.${HASH}"
+      diff alice.txt alice-ec.data.${HASH}
+      html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
+  fi
+
+}
+
+
+
+smime_p7()
+{
+  echo "$SCRIPTNAME: p7 util Data Tests ------------------------------"
+  echo "p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice_p7.env"
+  ${PROFTOOL} ${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env
+  html_msg $? 0 "Creating envelope for user Alice" "."
+
+  echo "p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data"
+  ${PROFTOOL} ${BINDIR}/p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss
+  html_msg $? 0 "Verifying file delivered to user Alice" "."
+
+  sed -e '3,8p' -n alice_p7.data > alice_p7.data.sed
+
+  echo "diff alice.txt alice_p7.data.sed"
+  diff alice.txt alice_p7.data.sed
+  html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
+
+  echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e"
+  ${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e
+  html_msg $? 0 "Signing file for user Alice" "."
+
+  echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig"
+  ${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig
+  html_msg $? 0 "Verifying file delivered to user Alice" "."
+}
+
+############################## smime_main ##############################
+# local shell function to test basic signed and enveloped messages 
+# from 1 --> 2"
+########################################################################
+smime_main()
+{
+
+  HASH=SHA1
+  smime_sign
+  HASH=SHA256
+  smime_sign
+  HASH=SHA384
+  smime_sign
+  HASH=SHA512
+  smime_sign
+
+  echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
+  echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
+  echo "        -o alice.env"
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
+  html_msg $? 0 "Create Enveloped Data Alice" "."
+
+  echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1
+  html_msg $? 0 "Decode Enveloped Data Alice" "."
+
+  echo "diff alice.txt alice.data1"
+  diff alice.txt alice.data1
+  html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
+
+  # multiple recip
+  echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
+  echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
+  echo "        -r bob@bogus.com,dave@bogus.com"
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
+          -r bob@bogus.com,dave@bogus.com
+  ret=$?
+  html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
+  if [ $ret != 0 ] ; then
+	echo "certutil -L -d ${P_R_ALICEDIR}"
+	${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
+	echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
+	${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+  fi
+
+  echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
+  echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
+  echo "        -r eve@bogus.net"
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
+          -r eve@bogus.net
+  ret=$?
+  html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
+
+  echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
+  html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
+
+  echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3
+  html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "."
+
+  echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4
+  html_msg $? 0 "Decrypt with a Multiple Email cert" "."
+
+  diff alice.txt alice.data2
+  html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Bob" "."
+
+  diff alice.txt alice.data3
+  html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
+
+  diff alice.txt alice.data4
+  html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
+  
+  echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
+  echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+  echo "        -d ${P_R_ALICEDIR} > co.der"
+  ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+  html_msg $? 0 "Create Certs-Only Alice" "."
+
+  echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR}
+  html_msg $? 0 "Verify Certs-Only by CA" "."
+
+  echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
+  echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
+  echo "        -r \"bob@bogus.com\" > alice.enc"
+  ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
+          -r "bob@bogus.com" > alice.enc
+  html_msg $? 0 "Create Encrypted-Data" "."
+
+  echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
+  echo "        -o alice.data2"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
+  html_msg $? 0 "Decode Encrypted-Data" "."
+
+  diff alice.txt alice.data2
+  html_msg $? 0 "Compare Decoded and Original Data" "."
+}
+  
+############################## smime_cleanup ###########################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+smime_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+smime_init
+smime_main
+smime_p7
+smime_cleanup
+
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
new file mode 100755
index 000000000..27a1aa6bd
--- /dev/null
+++ b/security/nss/tests/ssl/ssl.sh
@@ -0,0 +1,977 @@
+#! /bin/bash
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+#   Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl.sh
+#
+# Script to test NSS SSL
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_init ################################
+# local shell function to initialize this script
+########################################################################
+ssl_init()
+{
+  SCRIPTNAME=ssl.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ -z "${IOPR_SSL_SOURCED}" ]; then
+      . ../iopr/ssl_iopr.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=ssl.sh
+  echo "$SCRIPTNAME: SSL tests ==============================="
+
+  grep "SUCCESS: SSL passed" $CERT_LOG_FILE >/dev/null || {
+      html_head "SSL Test failure"
+      Exit 8 "Fatal - cert.sh needs to pass first"
+  }
+
+  if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+      grep "SUCCESS: SSL CRL prep passed" $CERT_LOG_FILE >/dev/null || {
+          html_head "SSL Test failure"
+          Exit 8 "Fatal - SSL of cert.sh needs to pass first"
+      }
+  fi
+
+  PORT=${PORT-8443}
+
+  # Test case files
+  SSLCOV=${QADIR}/ssl/sslcov.txt
+  SSLAUTH=${QADIR}/ssl/sslauth.txt
+  SSLSTRESS=${QADIR}/ssl/sslstress.txt
+  REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+  #temparary files
+  SERVEROUTFILE=${TMP}/tests_server.$$
+  SERVERPID=${TMP}/tests_pid.$$
+
+  R_SERVERPID=../tests_pid.$$
+
+  TEMPFILES="$TMPFILES ${SERVEROUTFILE}  ${SERVERPID}"
+
+  fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
+  #fileout=1
+  #verbose="-v" #FIXME - see where this is usefull
+
+  USER_NICKNAME=TestUser
+  NORM_EXT=""
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      ECC_STRING=" - with ECC"
+  else
+      ECC_STRING=""
+  fi
+
+  CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
+  CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
+
+  if [ "${OS_ARCH}" != "WINNT" ]; then
+      ulimit -n 1000 # make sure we have enough file descriptors
+  fi
+
+  cd ${CLIENTDIR}
+}
+
+########################### is_selfserv_alive ##########################
+# local shell function to exit with a fatal error if selfserver is not
+# running
+########################################################################
+is_selfserv_alive()
+{
+  if [ ! -f "${SERVERPID}" ]; then
+      echo "$SCRIPTNAME: Error - selfserv PID file ${SERVERPID} doesn't exist"
+      sleep 5
+      if [ ! -f "${SERVERPID}" ]; then
+          Exit 9 "Fatal - selfserv pid file ${SERVERPID} does not exist"
+      fi
+  fi
+  
+  if [ "${OS_ARCH}" = "WINNT" ] && \
+     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+      PID=${SHELL_SERVERPID}
+  else
+      PID=`cat ${SERVERPID}`
+  fi
+
+  echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
+  kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+
+  echo "selfserv with PID ${PID} found at `date`"
+}
+
+########################### wait_for_selfserv ##########################
+# local shell function to wait until selfserver is running and initialized
+########################################################################
+wait_for_selfserv()
+{
+  echo "trying to connect to selfserv at `date`"
+  echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+  echo "        -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
+  ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+          -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+  if [ $? -ne 0 ]; then
+      sleep 5
+      echo "retrying to connect to selfserv at `date`"
+      echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+      echo "        -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}"
+      ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+              -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}
+      if [ $? -ne 0 ]; then
+          html_failed "Waiting for Server"
+      fi
+  fi
+  is_selfserv_alive
+}
+
+########################### kill_selfserv ##############################
+# local shell function to kill the selfserver after the tests are done
+########################################################################
+kill_selfserv()
+{
+  if [ "${OS_ARCH}" = "WINNT" ] && \
+     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+      PID=${SHELL_SERVERPID}
+  else
+      PID=`cat ${SERVERPID}`
+  fi
+
+  echo "trying to kill selfserv with PID ${PID} at `date`"
+
+  if [ "${OS_ARCH}" = "WINNT" -o "${OS_ARCH}" = "WIN95" -o "${OS_ARCH}" = "OS2" ]; then
+      echo "${KILL} ${PID}"
+      ${KILL} ${PID}
+  else
+      echo "${KILL} -USR1 ${PID}"
+      ${KILL} -USR1 ${PID}
+  fi
+  wait ${PID}
+  if [ ${fileout} -eq 1 ]; then
+      cat ${SERVEROUTFILE}
+  fi
+
+  # On Linux selfserv needs up to 30 seconds to fully die and free
+  # the port.  Wait until the port is free. (Bug 129701)
+  if [ "${OS_ARCH}" = "Linux" ]; then
+      echo "selfserv -b -p ${PORT} 2>/dev/null;"
+      until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do
+          echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;"
+          sleep 1
+      done
+  fi
+
+  echo "selfserv with PID ${PID} killed at `date`"
+
+  rm ${SERVERPID}
+  html_detect_core "kill_selfserv core detection step"
+}
+
+########################### start_selfserv #############################
+# local shell function to start the selfserver with the parameters required 
+# for this test and log information (parameters, start time)
+# also: wait until the server is up and running
+########################################################################
+start_selfserv()
+{
+  if [ -n "$testname" ] ; then
+      echo "$SCRIPTNAME: $testname ----"
+  fi
+  sparam=`echo $sparam | sed -e 's;_; ;g'`
+  if [ -n "$NSS_ENABLE_ECC" ] && \
+     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+      ECC_OPTIONS="-e ${HOSTADDR}-ec"
+  else
+      ECC_OPTIONS=""
+  fi
+  if [ "$1" = "mixed" ]; then
+      ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
+  fi
+  echo "selfserv starting at `date`"
+  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
+  echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
+  if [ ${fileout} -eq 1 ]; then
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
+               > ${SERVEROUTFILE} 2>&1 &
+      RET=$?
+  else
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
+      RET=$?
+  fi
+
+  # The PID $! returned by the MKS or Cygwin shell is not the PID of
+  # the real background process, but rather the PID of a helper
+  # process (sh.exe).  MKS's kill command has a bug: invoking kill
+  # on the helper process does not terminate the real background
+  # process.  Our workaround has been to have selfserv save its PID
+  # in the ${SERVERPID} file and "kill" that PID instead.  But this
+  # doesn't work under Cygwin; its kill command doesn't recognize
+  # the PID of the real background process, but it does work on the
+  # PID of the helper process.  So we save the value of $! in the
+  # SHELL_SERVERPID variable, and use it instead of the ${SERVERPID}
+  # file under Cygwin.  (In fact, this should work in any shell
+  # other than the MKS shell.)
+  SHELL_SERVERPID=$!
+  wait_for_selfserv
+
+  if [ "${OS_ARCH}" = "WINNT" ] && \
+     [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+      PID=${SHELL_SERVERPID}
+  else
+      PID=`cat ${SERVERPID}`
+  fi
+
+  echo "selfserv with PID ${PID} started at `date`"
+}
+
+############################## ssl_cov #################################
+# local shell function to perform SSL Cipher Coverage tests
+########################################################################
+ssl_cov()
+{
+  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+  testname=""
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      sparam="$CLONG"
+  else
+      sparam="$CSHORT"
+  fi
+
+  mixed=0
+  start_selfserv # Launch the server
+               
+  exec < ${SSLCOV}
+  while read ectype tls param testname
+  do
+      echo "${testname}" | grep "EXPORT" > /dev/null 
+      EXP=$?
+      echo "${testname}" | grep "SSL2" > /dev/null
+      SSL2=$?
+      
+      if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
+          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+      elif [ "$ectype" != "#" ] ; then
+          echo "$SCRIPTNAME: running $testname ----------------------------"
+          TLS_FLAG=-T
+          if [ "$tls" = "TLS" ]; then
+              TLS_FLAG=""
+          fi
+
+# These five tests need an EC cert signed with RSA
+# This requires a different certificate loaded in selfserv
+# due to a (current) NSS limitation of only loaded one cert
+# per type so the default selfserv setup will not work.
+#:C00B TLS ECDH RSA WITH NULL SHA
+#:C00C TLS ECDH RSA WITH RC4 128 SHA
+#:C00D TLS ECDH RSA WITH 3DES EDE CBC SHA
+#:C00E TLS ECDH RSA WITH AES 128 CBC SHA
+#:C00F TLS ECDH RSA WITH AES 256 CBC SHA
+
+          if [ $mixed -eq 0 ]; then
+            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
+              kill_selfserv
+              start_selfserv mixed
+              mixed=1
+            else
+              is_selfserv_alive
+            fi
+          else 
+            if [ "${param}" = ":C00B" -o "${param}" = ":C00C" -o "${param}" = ":C00D" -o "${param}" = ":C00E" -o "${param}" = ":C00F" ]; then
+              is_selfserv_alive
+            else
+              kill_selfserv
+              start_selfserv
+              mixed=0
+            fi
+          fi
+
+          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} \\"
+          echo "        -f -d ${P_R_CLIENTDIR} -w nss < ${REQUEST_FILE}"
+
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \
+                  -d ${P_R_CLIENTDIR} -w nss < ${REQUEST_FILE} \
+                  >${TMP}/$HOST.tmp.$$  2>&1
+          ret=$?
+          cat ${TMP}/$HOST.tmp.$$ 
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          html_msg $ret 0 "${testname}" \
+                   "produced a returncode of $ret, expected is 0"
+      fi
+  done
+
+  kill_selfserv
+  html "</TABLE><BR>"
+}
+
+############################## ssl_auth ################################
+# local shell function to perform SSL  Client Authentication tests
+########################################################################
+ssl_auth()
+{
+  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+  exec < ${SSLAUTH}
+  while read ectype value sparam cparam testname
+  do
+      echo "${testname}" | grep "don't require client auth" > /dev/null
+      CAUTH=$?
+
+      if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      elif [ "$ectype" != "#" ]; then
+          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+          start_selfserv
+
+          echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\"
+          echo "        ${cparam}  < ${REQUEST_FILE}"
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \
+                  -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \
+                  >${TMP}/$HOST.tmp.$$  2>&1
+          ret=$?
+          cat ${TMP}/$HOST.tmp.$$ 
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+
+          #workaround for bug #402058
+          [ $ret -ne 0 ] && ret=1
+          [ $value -ne 0 ] && value=1
+
+          html_msg $ret $value "${testname}" \
+                   "produced a returncode of $ret, expected is $value"
+          kill_selfserv
+      fi
+  done
+
+  html "</TABLE><BR>"
+}
+
+
+############################## ssl_stress ##############################
+# local shell function to perform SSL stress test
+########################################################################
+ssl_stress()
+{
+  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+
+  exec < ${SSLSTRESS}
+  while read ectype value sparam cparam testname
+  do
+      if [ -z "$ectype" ]; then
+          # silently ignore blank lines
+          continue
+      fi
+
+      echo "${testname}" | grep "SSL2" > /dev/null
+      SSL2=$?
+      echo "${testname}" | grep "client auth" > /dev/null
+      CAUTH=$?
+
+      if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+      elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+      elif [ "$ectype" != "#" ]; then
+          cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+# These tests need the mixed cert 
+# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
+# Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+          p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
+          if [ "$p" = "-c_:C00E" ]; then
+              start_selfserv mixed
+          else
+              start_selfserv
+          fi
+
+          if [ "`uname -n`" = "sjsu" ] ; then
+              echo "debugging disapering selfserv... ps -ef | grep selfserv"
+              ps -ef | grep selfserv
+          fi
+
+          echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
+          echo "         $verbose ${HOSTADDR}"
+          echo "strsclnt started at `date`"
+          ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
+                   $verbose ${HOSTADDR}
+          ret=$?
+          echo "strsclnt completed at `date`"
+          html_msg $ret $value \
+                   "${testname}" \
+                   "produced a returncode of $ret, expected is $value. "
+          if [ "`uname -n`" = "sjsu" ] ; then
+              echo "debugging disapering selfserv... ps -ef | grep selfserv"
+              ps -ef | grep selfserv
+          fi
+          kill_selfserv
+      fi
+  done
+
+  html "</TABLE><BR>"
+}
+
+############################ ssl_crl_ssl ###############################
+# local shell function to perform SSL test with/out revoked certs tests
+########################################################################
+ssl_crl_ssl()
+{
+  html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+  
+  # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
+  # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
+  CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
+  CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
+  UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
+
+  exec < ${SSLAUTH}
+  while read ectype value sparam cparam testname
+  do
+    if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+        echo "$SCRIPTNAME: skipping $testname (ECC only)"
+    elif [ "$ectype" != "#" ]; then
+	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+	pwd=`echo $cparam | grep nss`
+	user=`echo $cparam | grep TestUser`
+	_cparam=$cparam
+	case $servarg in
+	    1) if [ -z "$pwd" -o -z "$user" ]; then
+                 rev_modvalue=0
+               else
+	         rev_modvalue=254
+               fi
+               ;;
+	    2) rev_modvalue=254 ;;
+	    3) if [ -z "$pwd" -o -z "$user" ]; then
+		rev_modvalue=0
+		else
+		rev_modvalue=1
+		fi
+		;;
+	    4) rev_modvalue=1 ;;
+	esac
+	TEMP_NUM=0
+	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+	  do
+	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+	  TEMP_NUM=`expr $TEMP_NUM + 1`
+	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
+	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+	  start_selfserv
+	  
+	  echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
+	  echo "        ${cparam}  < ${REQUEST_FILE}"
+	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+	  ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	      -d ${R_CLIENTDIR} < ${REQUEST_FILE} \
+	      >${TMP}/$HOST.tmp.$$  2>&1
+	  ret=$?
+	  cat ${TMP}/$HOST.tmp.$$ 
+	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+	      modvalue=$rev_modvalue
+              testAddMsg="revoked"
+	  else
+              testAddMsg="not revoked"
+	      modvalue=$value
+	  fi
+	  
+	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+		"produced a returncode of $ret, expected is $modvalue"
+	  kill_selfserv
+	done
+    fi
+  done
+
+  html "</TABLE><BR>"
+}
+
+############################# is_revoked ###############################
+# local shell function to check if certificate is revoked
+########################################################################
+is_revoked() {
+    certNum=$1
+    currLoadedGrp=$2
+    
+    found=0
+    ownerGrp=1
+    while [ $ownerGrp -le $TOTAL_GRP_NUM -a $found -eq 0 ]
+      do
+      currGrpBegin=`eval echo \$\{CRL_GRP_${ownerGrp}_BEGIN\}`
+      currGrpRange=`eval echo \$\{CRL_GRP_${ownerGrp}_RANGE\}`
+      currGrpEnd=`expr $currGrpBegin + $currGrpRange - 1`
+      if [ $certNum -ge $currGrpBegin -a $certNum -le $currGrpEnd ]; then
+          found=1
+      else
+          ownerGrp=`expr $ownerGrp + 1`
+      fi
+    done
+    if [ $found -eq 1 -a $currLoadedGrp -lt $ownerGrp ]; then
+        return 1
+    fi
+    if [ $found -eq 0 ]; then
+        return 1
+    fi
+    unrevokedGrpCert=`eval echo \$\{UNREVOKED_CERT_GRP_${ownerGrp}\}`
+    if [ $certNum -eq $unrevokedGrpCert ]; then
+        return 1
+    fi
+    return 0
+}
+
+########################### load_group_crl #############################
+# local shell function to load CRL 
+########################################################################
+load_group_crl() {
+    group=$1
+    ectype=$2
+
+    OUTFILE_TMP=${TMP}/$HOST.tmp.$$
+    grpBegin=`eval echo \$\{CRL_GRP_${group}_BEGIN\}`
+    grpRange=`eval echo \$\{CRL_GRP_${group}_RANGE\}`
+    grpEnd=`expr $grpBegin + $grpRange - 1`
+    
+    if [ "$grpBegin" = "" -o "$grpRange" = "" ]; then
+        ret=1
+        return 1;
+    fi
+    
+    # Add -ec suffix for ECC
+    if [ "$ectype" = "ECC" ] ; then
+      ecsuffix="-ec"
+      eccomment="ECC "
+    else
+      ecsuffix=""
+      eccomment=""
+    fi
+    
+    if [ "$RELOAD_CRL" != "" ]; then
+        if [ $group -eq 1 ]; then
+            echo "==================== Resetting to group 1 crl ==================="
+            kill_selfserv
+            start_selfserv
+            is_selfserv_alive
+        fi
+        echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd ============="
+
+        echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
+        echo "          -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}"
+        echo "Request:"
+        echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}"
+        echo ""
+        echo "RELOAD time $i"
+        ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f  \
+            -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \
+	    >${OUTFILE_TMP}  2>&1 <<_EOF_REQUEST_
+GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}
+
+_EOF_REQUEST_
+        cat ${OUTFILE_TMP}
+        grep "CRL ReCache Error" ${OUTFILE_TMP}
+        if [ $? -eq 0 ]; then
+            ret=1
+            return 1
+        fi
+    else
+        echo "=== Updating DB for group $grpBegin - $grpEnd and restarting selfserv ====="
+
+        kill_selfserv
+        CU_ACTION="Importing ${eccomment}CRL for groups $grpBegin - $grpEnd"
+        crlu -d ${R_SERVERDIR} -I -i ${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} \
+             -p ../tests.pw.928
+        ret=$?
+        if [ "$ret" -eq 0 ]; then
+	    html_passed "${CU_ACTION}"
+            return 1
+        fi
+        start_selfserv        
+    fi
+    is_selfserv_alive
+    ret=$?
+    echo "================= CRL Reloaded ============="
+}
+
+########################### ssl_crl_cache ##############################
+# local shell function to perform SSL test for crl cache functionality
+# with/out revoked certs 
+########################################################################
+ssl_crl_cache()
+{
+  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+  SSLAUTH_TMP=${TMP}/authin.tl.tmp
+  SERV_ARG=-r_-r
+  rm -f ${SSLAUTH_TMP}
+  echo ${SSLAUTH_TMP}
+
+  grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
+  echo $?
+  while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
+    do
+    sparam=$SERV_ARG
+    start_selfserv
+    exec < ${SSLAUTH_TMP}
+    while read ectype value sparam cparam testname
+      do
+      if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+        echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      else
+        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+        pwd=`echo $cparam | grep nss`
+        user=`echo $cparam | grep TestUser`
+        _cparam=$cparam
+        case $servarg in
+            1) if [ -z "$pwd" -o -z "$user" ]; then
+                rev_modvalue=0
+                else
+                rev_modvalue=254
+                fi
+                ;;
+            2) rev_modvalue=254 ;;
+
+            3) if [ -z "$pwd" -o -z "$user" ]; then
+                rev_modvalue=0
+                else
+                rev_modvalue=1
+                fi
+                ;;
+            4) rev_modvalue=1 ;;
+	  esac
+        TEMP_NUM=0
+        LOADED_GRP=1
+        while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
+          do
+          while [ $TEMP_NUM -lt $TOTAL_CRL_RANGE ]
+            do
+            CURR_SER_NUM=`expr ${CRL_GRP_1_BEGIN} + ${TEMP_NUM}`
+            TEMP_NUM=`expr $TEMP_NUM + 1`
+            USER_NICKNAME="TestUser${CURR_SER_NUM}"
+            cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+
+            echo "Server Args: $SERV_ARG"
+            echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\"
+            echo "        ${cparam}  < ${REQUEST_FILE}"
+            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+            ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+	        -d ${R_CLIENTDIR} < ${REQUEST_FILE} \
+                >${TMP}/$HOST.tmp.$$  2>&1
+            ret=$?
+            cat ${TMP}/$HOST.tmp.$$ 
+            rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+            is_revoked ${CURR_SER_NUM} ${LOADED_GRP}
+            isRevoked=$?
+            if [ $isRevoked -eq 0 ]; then
+                modvalue=$rev_modvalue
+                testAddMsg="revoked"
+            else
+                modvalue=$value
+                testAddMsg="not revoked"
+            fi
+
+            is_selfserv_alive
+            ss_status=$?
+            if [ "$ss_status" -ne 0 ]; then
+                html_msg $ret $modvalue \
+                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+                    "produced a returncode of $ret, expected is $modvalue. " \
+                    "selfserv is not alive!"
+            else
+                html_msg $ret $modvalue \
+                    "${testname}(cert ${USER_NICKNAME} - $testAddMsg)" \
+                    "produced a returncode of $ret, expected is $modvalue"
+            fi
+          done
+          LOADED_GRP=`expr $LOADED_GRP + 1`
+          TEMP_NUM=0
+          if [ "$LOADED_GRP" -le "$TOTAL_GRP_NUM" ]; then
+              load_group_crl $LOADED_GRP $ectype
+              html_msg $ret 0 "Load group $LOADED_GRP ${eccomment}crl " \
+                  "produced a returncode of $ret, expected is 0"
+          fi
+        done
+        # Restart selfserv to roll back to two initial group 1 crls
+        # TestCA CRL and TestCA-ec CRL 
+        kill_selfserv
+        start_selfserv
+      fi
+    done
+    kill_selfserv
+    SERV_ARG="${SERV_ARG}_-r"
+    rm -f ${SSLAUTH_TMP}
+    grep -- " $SERV_ARG " ${SSLAUTH} | grep -v none | grep -v bogus  > ${SSLAUTH_TMP}
+  done
+  TEMPFILES=${SSLAUTH_TMP}
+  html "</TABLE><BR>"
+}
+
+
+############################## ssl_cleanup #############################
+# local shell function to finish this script (no exit since it might be
+# sourced)
+########################################################################
+ssl_cleanup()
+{
+  rm $SERVERPID 2>/dev/null
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+############################## ssl_run #################################
+# local shell function to run coverage, authentication and stress tests
+########################################################################
+ssl_run()
+{
+    for SSL_RUN in ${NSS_SSL_RUN}
+    do
+        case "${SSL_RUN}" in
+        "cov")
+            ssl_cov
+            ;;
+        "auth")
+            ssl_auth
+            ;;
+        "stress")
+            ssl_stress
+            ;;
+         esac
+    done
+}
+
+############################ ssl_run_all ###############################
+# local shell function to run both standard and extended ssl tests
+########################################################################
+ssl_run_all()
+{
+    ORIG_SERVERDIR=$SERVERDIR
+    ORIG_CLIENTDIR=$CLIENTDIR
+    ORIG_R_SERVERDIR=$R_SERVERDIR
+    ORIG_R_CLIENTDIR=$R_CLIENTDIR
+    ORIG_P_R_SERVERDIR=$P_R_SERVERDIR
+    ORIG_P_R_CLIENTDIR=$P_R_CLIENTDIR
+
+    USER_NICKNAME=TestUser
+    NORM_EXT=""
+    cd ${CLIENTDIR}
+
+    ssl_run
+
+    SERVERDIR=$EXT_SERVERDIR
+    CLIENTDIR=$EXT_CLIENTDIR
+    R_SERVERDIR=$R_EXT_SERVERDIR
+    R_CLIENTDIR=$R_EXT_CLIENTDIR
+    P_R_SERVERDIR=$P_R_EXT_SERVERDIR
+    P_R_CLIENTDIR=$P_R_EXT_CLIENTDIR
+
+    USER_NICKNAME=ExtendedSSLUser
+    NORM_EXT="Extended Test"
+    cd ${CLIENTDIR}
+    
+    ssl_run
+
+    # the next round of ssl tests will only run if these vars are reset
+    SERVERDIR=$ORIG_SERVERDIR
+    CLIENTDIR=$ORIG_CLIENTDIR
+    R_SERVERDIR=$ORIG_R_SERVERDIR
+    R_CLIENTDIR=$ORIG_R_CLIENTDIR
+    P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
+    P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
+
+    USER_NICKNAME=TestUser
+    NORM_EXT=
+    cd ${QADIR}/ssl
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+    CLTSRV=$1
+    ONOFF=$2
+
+    if [ ${CLTSRV} = "server" ]; then
+        DBDIRS="${SERVERDIR} ${EXT_SERVERDIR}"
+    else
+        DBDIRS="${CLIETNDIR} ${EXT_CLIENTDIR}"
+    fi
+    
+    if [ "${ONOFF}" = "on" ]; then
+        FIPSMODE=true
+        RET_EXP=0
+    else
+        FIPSMODE=false
+        RET_EXP=1
+    fi
+
+    html_head "SSL - FIPS mode ${ONOFF} for ${CLTSRV}"
+
+    for DBDIR in ${DBDIRS}
+    do
+        EXT_OPT=
+        echo ${DBDIR} | grep ext > /dev/null
+        if [ $? -eq 0 ]; then
+            EXT_OPT="extended "
+        fi
+
+        echo "${SCRIPTNAME}: Turning FIPS ${ONOFF} for the ${EXT_OPT} ${CLTSRV}"
+
+        echo "modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+        ${BINDIR}/modutil -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+        RET=$?  
+        html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+                 "produced a returncode of ${RET}, expected is 0"
+  
+        echo "modutil -dbdir ${DBDIR} -list"
+        DBLIST=`${BINDIR}/modutil -dbdir ${DBDIR} -list 2>&1`
+        RET=$?  
+        html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+                 "produced a returncode of ${RET}, expected is 0"
+
+        echo "${DBLIST}" | grep "FIPS PKCS #11"
+        RET=$?
+        html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+                 "produced a returncode of ${RET}, expected is ${RET_EXP}"
+    done
+
+    html "</TABLE><BR>"
+}
+
+############################ ssl_set_fips ##############################
+# local shell function to run all tests set in NSS_SSL_TESTS variable 
+########################################################################
+ssl_run_tests()
+{
+    for SSL_TEST in ${NSS_SSL_TESTS}
+    do
+        case "${SSL_TEST}" in
+        "crl")
+            ssl_crl_ssl
+            ssl_crl_cache
+            ;;
+        "iopr")
+            ssl_iopr_run
+            ;;
+        *)
+            SERVER_MODE=`echo "${SSL_TEST}" | cut -d_ -f1`
+            CLIENT_MODE=`echo "${SSL_TEST}" | cut -d_ -f2`
+
+            case "${SERVER_MODE}" in
+            "normal")
+                SERVER_OPTIONS=
+                ;;
+            "bypass")
+                SERVER_OPTIONS="-B -s"
+                ;;
+            "fips")
+                SERVER_OPTIONS=
+                ssl_set_fips server on
+                ;;
+            *)
+                echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+                continue
+                ;;
+            esac
+
+            case "${CLIENT_MODE}" in
+            "normal")
+                CLIENT_OPTIONS=
+                ;;
+            "bypass")
+                CLIENT_OPTIONS="-B -s"
+                ;;
+            "fips")
+                SERVER_OPTIONS=
+                ssl_set_fips client on
+                ;;
+            *)
+                echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+                continue
+                ;;
+            esac
+
+            ssl_run_all
+
+            if [ "${SERVER_MODE}" = "fips" ]; then
+                ssl_set_fips server off
+            fi
+
+            if [ "${CLIENT_MODE}" = "fips" ]; then
+                ssl_set_fips client off
+            fi
+            ;;
+        esac
+    done
+}
+
+################################# main #################################
+
+ssl_init
+ssl_run_tests
+ssl_cleanup
+
diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh
new file mode 100755
index 000000000..30d2ed35e
--- /dev/null
+++ b/security/nss/tests/ssl/ssl_dist_stress.sh
@@ -0,0 +1,345 @@
+#! /bin/sh
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/ssl/ssl_dist_stress.sh
+#
+# Script to test NSS SSL - distributed stresstest - this script needs to 
+# source the regular ssl.sh (for shellfunctions, certs and variables 
+# initialisation)
+# create certs
+# start server
+# start itself via rsh on different systems to connect back to the server
+# 
+#
+# needs to work on all Unix and Windows platforms
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+#
+########################################################################
+
+############################## ssl_ds_init #############################
+# local shell function to initialize this script
+########################################################################
+ssl_ds_init()
+{
+  if [ -z "$GLOB_MIN_CERT" ] ; then
+      GLOB_MIN_CERT=0
+  fi
+  if [ -z "$GLOB_MAX_CERT" ] ; then
+      GLOB_MAX_CERT=200
+  fi
+  IP_PARAM=""
+  CD_QADIR_SSL=""
+
+
+  if [ -n "$1" ] ; then
+      ssl_ds_eval_opts $*
+  fi
+  SCRIPTNAME=ssl_dist_stress.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+  
+  ssl_init  # let some other script do the hard work (initialize, generate certs, ...
+
+  SCRIPTNAME=ssl_dist_stress.sh
+  echo "$SCRIPTNAME: SSL distributed stress tests ==============================="
+
+}
+
+######################### ssl_ds_usage #################################
+# local shell function to explain the usage
+########################################################################
+ssl_ds_usage()
+{
+  echo "Usage: `basename $1`"
+  echo "        -host hostname "
+  echo "           ...host who runs the server, for distributed stress test"
+  echo "        -stress "
+  echo "           ...runs the server sider of the distributed stress test"
+  echo "        -dir unixdirectory "
+  echo "           ...lets the server side of the distributed stress test"
+  echo "              know where to find the scritp to start on the remote side"
+  echo "        -certnum start-end"
+  echo "           ... provides the range of certs for distributed stress test"
+  echo "               for example -certnum 10-20 will connect 10 times"
+  echo "               no blanks in the range string (not 10 - 20)"
+  echo "               valid range ${GLOB_MIN_CERT}-${GLOB_MAX_CERT}"
+  echo "        -? ...prints this text"
+  exit 1 #does not need to be Exit, very early in script
+}
+
+######################### ssl_ds_eval_opts #############################
+# local shell function to deal with options and parameters
+########################################################################
+ssl_ds_eval_opts()
+{
+    #use $0 not $SCRIPTNAM<E, too early, SCRIPTNAME not yet set
+
+  while [ -n "$1" ]
+  do
+    case $1 in
+        -host)
+            BUILD_OPT=1
+            export BUILD_OPT
+            DO_REM_ST="TRUE"
+            shift
+            SERVERHOST=$1
+            HOST=$1
+            if [ -z $SERVERHOST ] ; then
+                echo "$0 `uname -n`: -host requires hostname"
+                ssl_ds_usage
+            fi
+            echo "$0 `uname -n`: host $HOST ($1)"
+            ;;
+        -certn*)
+            shift
+            rangeOK=`echo $1  | sed -e 's/[0-9][0-9]*-[0-9][0-9]*/OK/'`
+            MIN_CERT=`echo $1 | sed -e 's/-[0-9][0-9]*//' -e 's/^00*//'`
+            MAX_CERT=`echo $1 | sed -e 's/[0-9][0-9]*-//' -e 's/^00*//'`
+            if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o \
+                         -z "$MIN_CERT" -o -z "$MAX_CERT" -o \
+                        "$MIN_CERT" -gt "$MAX_CERT" -o \
+                        "$MIN_CERT" -lt "$GLOB_MIN_CERT" -o \
+                        "$MAX_CERT" -gt "$GLOB_MAX_CERT" ] ; then
+                echo "$0 `uname -n`: -certn range not valid"
+                ssl_ds_usage
+            fi
+            echo "$0 `uname -n`: will use certs from $MIN_CERT to $MAX_CERT"
+            ;;
+        -server|-stress|-dist*st*)
+            BUILD_OPT=1
+            export BUILD_OPT
+            DO_DIST_ST="TRUE"
+            ;;
+        -dir|-unixdir|-uxdir|-qadir)
+            shift
+            UX_DIR=$1
+	    #FIXME - we need a default unixdir
+            if [ -z "$UX_DIR" ] ; then # -o ! -d "$UX_DIR" ] ; then can't do, Win doesn't know...
+                echo "$0 `uname -n`: -dir requires directoryname "
+                ssl_ds_usage
+            fi
+            CD_QADIR_SSL="cd $UX_DIR"
+            ;;
+        -ip*)
+            shift
+            IP_ADDRESS=$1
+            if [ -z "$IP_ADDRESS" ] ; then
+                echo "$0 `uname -n`: -ip requires ip-address "
+                ssl_ds_usage
+            fi
+            USE_IP=TRUE
+            IP_PARAM="-ip $IP_ADDRESS"
+            ;;
+        -h|-help|"-?"|*)
+            ssl_ds_usage
+            ;;
+    esac
+    shift
+  done
+}
+
+############################## ssl_ds_rem_stress #######################
+# local shell function to perform the client part of the SSL stress test
+########################################################################
+
+ssl_ds_rem_stress()
+{
+  testname="SSL remote part of Stress test (`uname -n`)"
+  echo "$SCRIPTNAME `uname -n`: $testname"
+
+  #cp -r "${CLIENTDIR}" /tmp/ssl_ds.$$ #FIXME
+  #cd /tmp/ssl_ds.$$
+  #verbose="-v"
+
+  cd ${CLIENTDIR}
+
+  CONTINUE=$MAX_CERT
+  while [ $CONTINUE -ge $MIN_CERT ]
+  do
+      echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose  "
+      echo "         -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`"
+      ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose  \
+               -n "TestUser$CONTINUE" ${HOSTADDR} &
+               #${HOSTADDR} &
+      CONTINUE=`expr $CONTINUE - 1 `
+      #sleep 4 #give process time to start up
+  done
+
+  html_msg 0 0 "${testname}" #FIXME
+}
+
+######################### ssl_ds_dist_stress ###########################
+# local shell function to perform the server part of the new, distributed 
+# SSL stress test
+########################################################################
+
+ssl_ds_dist_stress()
+{
+  max_clientlist=" 
+               box-200
+               washer-200
+               dryer-200
+               hornet-50
+               shabadoo-50
+               y2sun2-10
+               galileo-10
+               shame-10
+               axilla-10
+               columbus-10
+               smarch-10
+               nugget-10
+               charm-10
+               hp64-10
+               biggayal-10
+               orville-10
+               kwyjibo-10
+               hbombaix-10
+               raven-10
+               jordan-10
+               phaedrus-10
+               louie-10
+               trex-10
+               compaqtor-10"
+
+  #clientlist=" huey-2 dewey-2 hornet-2 shabadoo-2" #FIXME ADJUST
+  clientlist="  box-200 washer-200 huey-200 dewey-200 hornet-200 shabadoo-200 louie-200"
+  #clientlist="  box-2 huey-2 "
+  #clientlist="washer-200 huey-200 dewey-200 hornet-200 "
+
+  html_head "SSL Distributed Stress Test"
+
+  testname="SSL distributed Stress test"
+
+  echo cd "${CLIENTDIR}"
+  cd "${CLIENTDIR}"
+  if [ -z "CD_QADIR_SSL" ] ; then
+      CD_QADIR_SSL="cd $QADIR/ssl"
+  else
+      cp -r $HOSTDIR $HOSTDIR/../../../../../booboo_Solaris8/mozilla/tests_results/security
+  fi
+
+  #sparam=" -t 128 -D -r "
+  sparam=" -t 16 -D -r -r -y "
+  start_selfserv
+
+  for c in $clientlist
+  do
+      client=`echo $c | sed -e "s/-.*//"`
+      number=`echo $c | sed -e "s/.*-//"`
+      CLIENT_OK="TRUE"
+      echo $client
+      ping $client >/dev/null || CLIENT_OK="FALSE"
+      if [ "$CLIENT_OK" = "FALSE" ] ; then
+          echo "$SCRIPTNAME `uname -n`: $client can't be reached - skipping"
+      else
+          get_certrange $number
+          echo "$SCRIPTNAME `uname -n`: $RSH $client -l svbld \\ "
+          echo "       \" $CD_QADIR_SSL ;ssl_dist_stress.sh \\"
+          echo "            -host $HOST -certnum $CERTRANGE $IP_PARAM \" "
+          $RSH $client -l svbld \
+               " $CD_QADIR_SSL;ssl_dist_stress.sh -host $HOST -certnum $CERTRANGE $IP_PARAM " &
+      fi
+  done
+
+  echo cd "${CLIENTDIR}"
+  cd "${CLIENTDIR}"
+
+  sleep 500 # give the clients time to finish #FIXME ADJUST
+ 
+  echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n
+  echo "tstclnt -h $HOSTADDR -p  8443 -d ${P_R_CLIENTDIR} -n TestUser0 "
+  echo "        -w nss -f < stdin.txt"
+  ${BINDIR}/tstclnt -h $HOSTADDR -p  8443 -d ${P_R_CLIENTDIR} -n TestUser0 \
+	  -w nss -f < stdin.txt
+  
+  html_msg 0 0 "${testname}"
+  html "</TABLE><BR>"
+}
+
+############################ get_certrange #############################
+# local shell function to find the range of certs that the next remote 
+# client is supposed to use (only for server side of the dist stress test
+########################################################################
+get_certrange()
+{
+  rangeOK=`echo $1  | sed -e 's/[0-9][0-9]*/OK/'`
+  if [ -z "$rangeOK" -o "$rangeOK" != "OK" -o $1 = "OK" ] ; then
+      range=10
+      echo "$SCRIPTNAME `uname -n`: $1 is not a valid number of certs "
+      echo "        defaulting to 10 for $client"
+  else
+      range=$1
+      if [ $range -gt $GLOB_MAX_CERT ] ; then
+          range=$GLOB_MAX_CERT
+      fi
+  fi
+  if [ -z "$FROM_CERT" ] ; then    # start new on top of the cert stack
+      FROM_CERT=$GLOB_MAX_CERT
+  elif [ `expr $FROM_CERT - $range + 1 ` -lt  0 ] ; then 
+          FROM_CERT=$GLOB_MAX_CERT # dont let it fall below 0 on the TO_CERT
+
+  fi
+  TO_CERT=`expr $FROM_CERT - $range + 1 `
+  if [ $TO_CERT -lt 0 ] ; then     # it's not that I'm bad in math, I just 
+      TO_CERT=0                    # don't trust expr...
+  fi
+  CERTRANGE="${TO_CERT}-${FROM_CERT}"
+  FROM_CERT=`expr ${TO_CERT} - 1 ` #start the next  client one below 
+}
+
+
+################## main #################################################
+
+DO_DIST_ST="TRUE"
+. ./ssl.sh
+ssl_ds_init $*
+if [ -n  "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then
+    ssl_ds_rem_stress
+    exit 0 #no cleanup on purpose
+elif [ -n  "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+    ssl_ds_dist_stress
+fi
+ssl_cleanup
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
new file mode 100644
index 000000000..deb30c3b6
--- /dev/null
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -0,0 +1,50 @@
+#
+# This file defines the tests for client auth.
+#
+#        expected
+# Enable  return  server     client                         Test Case name
+#  ECC     value  params     params
+# ------- ------  ------     ------                         ---------------
+  noECC     0       -r           -w_nss_-n_none           TLS Request don't require client auth (client does not provide auth)
+  noECC     0       -r           -w_bogus_-n_TestUser     TLS Request don't require client auth (bad password)
+  noECC     0       -r           -w_nss_-n_TestUser       TLS Request don't require client auth (client auth)
+  noECC    254      -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
+  noECC    254      -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
+  noECC     0       -r_-r        -w_nss_-n_TestUser_      TLS Require client auth (client auth)
+  noECC     0       -r           -T_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
+  noECC     0       -r           -T_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
+  noECC     0       -r           -T_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
+  noECC    254      -r_-r        -T_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
+  noECC    254      -r_-r        -T_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
+  noECC     0       -r_-r        -T_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
+  noECC     0       -r_-r_-r     -w_nss_-n_none           TLS Request don't require client auth on 2nd hs (client does not provide auth)
+  noECC     0       -r_-r_-r     -w_bogus_-n_TestUser     TLS Request don't require client auth on 2nd hs (bad password)
+  noECC     0       -r_-r_-r     -w_nss_-n_TestUser       TLS Request don't require client auth on 2nd hs (client auth)
+  noECC     1       -r_-r_-r_-r  -w_nss_-n_none           TLS Require client auth on 2nd hs (client does not provide auth)
+  noECC     1       -r_-r_-r_-r  -w_bogus_-n_TestUser     TLS Require client auth on 2nd hs (bad password)
+  noECC     0       -r_-r_-r_-r  -w_nss_-n_TestUser_      TLS Require client auth on 2nd hs (client auth)
+  noECC     0       -r_-r_-r     -T_-w_nss_-n_none        SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+  noECC     0       -r_-r_-r     -T_-n_TestUser_-w_bogus  SSL3 Request don't require client auth on 2nd hs (bad password)
+  noECC     0       -r_-r_-r     -T_-n_TestUser_-w_nss    SSL3 Request don't require client auth on 2nd hs (client auth)
+  noECC     1       -r_-r_-r_-r  -T_-w_nss_-n_none        SSL3 Require client auth on 2nd hs (client does not provide auth)
+  noECC     1       -r_-r_-r_-r  -T_-n_TestUser_-w_bogus  SSL3 Require client auth on 2nd hs (bad password)
+  noECC     0       -r_-r_-r_-r  -T_-n_TestUser_-w_nss    SSL3 Require client auth on 2nd hs (client auth)
+#
+# Use EC cert for client authentication
+#
+   ECC      0       -r           -w_bogus_-n_TestUser-ec     TLS Request don't require client auth (EC) (bad password)
+   ECC      0       -r           -w_nss_-n_TestUser-ec       TLS Request don't require client auth (EC) (client auth)
+   ECC     254      -r_-r        -w_bogus_-n_TestUser-ec     TLS Require client auth (EC) (bad password)
+   ECC      0       -r_-r        -w_nss_-n_TestUser-ec_      TLS Require client auth (EC) (client auth)
+   ECC      0       -r           -T_-n_TestUser-ec_-w_bogus  SSL3 Request don't require client auth (EC) (bad password)
+   ECC      0       -r           -T_-n_TestUser-ec_-w_nss    SSL3 Request don't require client auth (EC) (client auth)
+   ECC     254      -r_-r        -T_-n_TestUser-ec_-w_bogus  SSL3 Require client auth (EC) (bad password)
+   ECC      0       -r_-r        -T_-n_TestUser-ec_-w_nss    SSL3 Require client auth (EC) (client auth)
+   ECC      0       -r_-r_-r     -w_bogus_-n_TestUser-ec     TLS Request don't require client auth on 2nd hs (EC) (bad password)
+   ECC      0       -r_-r_-r     -w_nss_-n_TestUser-ec       TLS Request don't require client auth on 2nd hs (EC) (client auth)
+   ECC      1       -r_-r_-r_-r  -w_bogus_-n_TestUser-ec     TLS Require client auth on 2nd hs (EC) (bad password)
+   ECC      0       -r_-r_-r_-r  -w_nss_-n_TestUser-ec_      TLS Require client auth on 2nd hs (EC) (client auth)
+   ECC      0       -r_-r_-r     -T_-n_TestUser-ec_-w_bogus  SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+   ECC      0       -r_-r_-r     -T_-n_TestUser-ec_-w_nss    SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+   ECC      1       -r_-r_-r_-r  -T_-n_TestUser-ec_-w_bogus  SSL3 Require client auth on 2nd hs (EC) (bad password)
+   ECC      0       -r_-r_-r_-r  -T_-n_TestUser-ec_-w_nss    SSL3 Require client auth on 2nd hs (EC) (client auth)
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
new file mode 100644
index 000000000..e588971c1
--- /dev/null
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -0,0 +1,98 @@
+#
+# This file enables test coverage of the various SSL ciphers
+#
+# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
+# mix up the enable functions so we can tests boths paths.
+#
+# Enable Enable Cipher Test Name 
+#  EC     TLS
+#
+  noECC  noTLS   A    SSL2_RC4_128_WITH_MD5
+  noECC   TLS    B    SSL2_RC4_128_EXPORT40_WITH_MD5
+  noECC   TLS    C    SSL2_RC2_128_CBC_WITH_MD5
+  noECC  noTLS   D    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
+  noECC   TLS    E    SSL2_DES_64_CBC_WITH_MD5
+  noECC  noTLS   F    SSL2_DES_192_EDE3_CBC_WITH_MD5
+#
+# noECC  noTLS   a    SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
+# noECC  noTLS   b    SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA
+  noECC  noTLS   c    SSL3_RSA_WITH_RC4_128_MD5
+  noECC  noTLS   d    SSL3_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC  noTLS   e    SSL3_RSA_WITH_DES_CBC_SHA
+  noECC  noTLS   f    SSL3_RSA_EXPORT_WITH_RC4_40_MD5
+  noECC  noTLS   g    SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+# noECC  noTLS   h    SSL3_FORTEZZA_DMS_WITH_NULL_SHA
+  noECC  noTLS   i    SSL3_RSA_WITH_NULL_MD5
+  noECC  noTLS   j    SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC  noTLS   k    SSL3_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC  noTLS   l    SSL3_RSA_EXPORT_WITH_DES_CBC_SHA   (new)
+  noECC  noTLS   m    SSL3_RSA_EXPORT_WITH_RC4_56_SHA    (new)
+  noECC  noTLS   n    SSL3_RSA_WITH_RC4_128_SHA
+  noECC  noTLS   v    SSL3_RSA_WITH_AES_128_CBC_SHA
+  noECC  noTLS   y    SSL3_RSA_WITH_AES_256_CBC_SHA
+  noECC  noTLS   z    SSL3_RSA_WITH_NULL_SHA
+#  noECC  noTLS  :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#  noECC  noTLS  :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+  noECC   TLS    c    TLS_RSA_WITH_RC4_128_MD5
+  noECC   TLS    d    TLS_RSA_WITH_3DES_EDE_CBC_SHA
+  noECC   TLS    e    TLS_RSA_WITH_DES_CBC_SHA
+  noECC   TLS    f    TLS_RSA_EXPORT_WITH_RC4_40_MD5
+  noECC   TLS    g    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+  noECC   TLS    i    TLS_RSA_WITH_NULL_MD5
+  noECC   TLS    j    TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+  noECC   TLS    k    TLS_RSA_FIPS_WITH_DES_CBC_SHA
+  noECC   TLS    l    TLS_RSA_EXPORT_WITH_DES_CBC_SHA   (new)
+  noECC   TLS    m    TLS_RSA_EXPORT_WITH_RC4_56_SHA    (new)
+  noECC   TLS    n    TLS_RSA_WITH_RC4_128_SHA
+  noECC   TLS    v    TLS_RSA_WITH_AES_128_CBC_SHA
+  noECC   TLS    y    TLS_RSA_WITH_AES_256_CBC_SHA
+  noECC   TLS    z    TLS_RSA_WITH_NULL_SHA
+#  noECC   TLS  :0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#  noECC   TLS  :0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#
+# ECC ciphers (SSL3)
+#
+   ECC   noTLS  :C001 SSL3_ECDH_ECDSA_WITH_NULL_SHA
+   ECC   noTLS  :C002 SSL3_ECDH_ECDSA_WITH_RC4_128_SHA
+   ECC   noTLS  :C003 SSL3_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   noTLS  :C004 SSL3_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   noTLS  :C005 SSL3_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   noTLS  :C006 SSL3_ECDHE_ECDSA_WITH_NULL_SHA
+   ECC   noTLS  :C007 SSL3_ECDHE_ECDSA_WITH_RC4_128_SHA
+   ECC   noTLS  :C008 SSL3_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC   noTLS  :C009 SSL3_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   ECC   noTLS  :C00A SSL3_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   ECC   noTLS  :C00B SSL3_ECDH_RSA_WITH_NULL_SHA
+   ECC   noTLS  :C00C SSL3_ECDH_RSA_WITH_RC4_128_SHA
+   ECC   noTLS  :C00D SSL3_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   noTLS  :C00E SSL3_ECDH_RSA_WITH_AES_128_CBC_SHA
+   ECC   noTLS  :C00F SSL3_ECDH_RSA_WITH_AES_256_CBC_SHA
+   ECC   noTLS  :C010 SSL3_ECDHE_RSA_WITH_NULL_SHA
+   ECC   noTLS  :C011 SSL3_ECDHE_RSA_WITH_RC4_128_SHA
+   ECC   noTLS  :C012 SSL3_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC   noTLS  :C013 SSL3_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   ECC   noTLS  :C014 SSL3_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#
+# ECC ciphers (TLS)
+#
+   ECC    TLS   :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
+   ECC    TLS   :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+   ECC    TLS   :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC    TLS   :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   ECC    TLS   :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   ECC    TLS   :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
+   ECC    TLS   :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+   ECC    TLS   :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   ECC    TLS   :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   ECC    TLS   :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   ECC    TLS   :C00B TLS_ECDH_RSA_WITH_NULL_SHA
+   ECC    TLS   :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
+   ECC    TLS   :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC    TLS   :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+   ECC    TLS   :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+   ECC    TLS   :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
+   ECC    TLS   :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
+   ECC    TLS   :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   ECC    TLS   :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   ECC    TLS   :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
diff --git a/security/nss/tests/ssl/sslreq.dat b/security/nss/tests/ssl/sslreq.dat
new file mode 100644
index 000000000..2f7ad7736
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.dat
@@ -0,0 +1,2 @@
+GET / HTTP/1.0

+

diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt
new file mode 100644
index 000000000..c1da607c0
--- /dev/null
+++ b/security/nss/tests/ssl/sslreq.txt
@@ -0,0 +1,2 @@
+GET / HTTP/1.0
+
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
new file mode 100644
index 000000000..4a1a211ee
--- /dev/null
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -0,0 +1,38 @@
+#
+# This file defines the stress tests for SSL/TLS.
+#
+#        expected
+# Enable  return  server     client                         Test Case name
+#  ECC    value   params     params
+# ------- ------  ------     ------                         ---------------
+  noECC     0      _         -c_1000_-C_A                  Stress SSL2 RC4 128 with MD5
+  noECC     0      _         -c_1000_-C_c_-T               Stress SSL3 RC4 128 with MD5
+  noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
+  noECC     0      -u        -2_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
+
+#
+# add client auth versions here...
+#
+  noECC     0      -r_-r     -c_100_-C_A_-N_-n_TestUser    Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
+  noECC     0      -r_-r     -c_100_-C_c_-T_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+  noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
+  noECC     0      -r_-r_-u  -2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+
+#
+# ############################ ECC ciphers ############################
+#
+   ECC      0      -c_:C009  -c_100_-C_:C009_-N_-T  Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C013  -c_1000_-C_:C013_-T    Stress SSL3 ECDHE-RSA   AES 128 CBC with SHA
+   ECC      0      -c_:C004  -2_-c_100_-C_:C004_-N  Stress TLS  ECDH-ECDSA  AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C00E  -2_-c_100_-C_:C00E_-N  Stress TLS  ECDH-RSA    AES 128 CBC with SHA (no reuse)
+   ECC      0      -c_:C013  -2_-c_1000_-C_:C013    Stress TLS  ECDHE-RSA   AES 128 CBC with SHA
+   ECC      0   -c_:C004_-u  -2_-c_1000_-C_:C004_-u Stress TLS  ECDH-ECDSA  AES 128 CBC with SHA (session ticket)
+#
+# add client auth versions here...
+#
+   ECC      0      -r_-r_-c_:C009  -c_10_-C_:C009_-N_-T_-n_TestUser-ec Stress SSL3 ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C013  -c_100_-C_:C013_-T_-n_TestUser-ec Stress SSL3 ECDHE-RSA AES 128 CBC with SHA (client auth)
+   ECC      0      -r_-r_-c_:C004  -c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C00E  -c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
+   ECC      0      -r_-r_-c_:C013  -c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
+   ECC      0      -r_-r_-c_:C013_-u -2_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
diff --git a/security/nss/tests/tools/sign.html b/security/nss/tests/tools/sign.html
new file mode 100644
index 000000000..b85d51571
--- /dev/null
+++ b/security/nss/tests/tools/sign.html
@@ -0,0 +1,5 @@
+<html>
+<body>
+Sign this javascriptless page.
+</body>
+</html>
diff --git a/security/nss/tests/tools/signjs.html b/security/nss/tests/tools/signjs.html
new file mode 100644
index 000000000..f073131ed
--- /dev/null
+++ b/security/nss/tests/tools/signjs.html
@@ -0,0 +1,8 @@
+<html>
+<body>
+<script language="JavaScript">
+document.write("<h3>Sign this javascript</h3>");
+</script>
+Here's some plain content.
+</body>
+</html>
diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh
new file mode 100644
index 000000000..0f4fb73b6
--- /dev/null
+++ b/security/nss/tests/tools/tools.sh
@@ -0,0 +1,525 @@
+#! /bin/sh  
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+########################################################################
+#
+# mozilla/security/nss/tests/tools/tools.sh
+#
+# Script to test basic functionality of NSS tools 
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#    pk12util
+#    signtool
+#
+# special strings
+# ---------------
+#   FIXME ... known problems, search for this string
+#   NOTE .... unexpected behavior
+########################################################################
+
+  export pkcs12v2pbeWithSha1And128BitRc4=\
+"PKCS #12 V2 PBE With Sha1 and 128 Bit RC4"
+
+  export pkcs12v2pbeWithSha1And40BitRc4=\
+"PKCS #12 V2 PBE With Sha1 and 40 Bit RC4"
+
+  export pkcs12v2pbeWithSha1AndTripleDESCBC=\
+"PKCS #12 V2 PBE With Sha1 and Triple DES CBC"
+
+  export pkcs12v2pbeWithSha1And128BitRc2Cbc=\
+"PKCS #12 V2 PBE With Sha1 and 128 Bit RC2 CBC"
+
+  export pkcs12v2pbeWithSha1And40BitRc2Cbc=\
+"PKCS #12 V2 PBE With Sha1 and 40 Bit RC2 CBC"
+
+  export pkcs12v2pbeWithMd2AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD2 and DES CBC"
+
+  export pkcs12v2pbeWithMd5AndDESCBC=\
+"PKCS #5 Password Based Encryption with MD5 and DES CBC"
+
+  export pkcs12v2pbeWithSha1AndDESCBC=\
+"PKCS #5 Password Based Encryption with SHA1 and DES CBC"
+  
+  export pkcs5pbeWithMD2AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD2 and DES CBC"
+
+  export pkcs5pbeWithMD5AndDEScbc=\
+"PKCS #5 Password Based Encryption with MD5 and DES CBC"
+
+  export pkcs5pbeWithSha1AndDEScbc=\
+"PKCS #5 Password Based Encryption with SHA1 and DES CBC"
+
+############################## tools_init ##############################
+# local shell function to initialize this script 
+########################################################################
+tools_init()
+{
+  SCRIPTNAME=tools.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=tools.sh
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      html_head "Tools Tests with ECC"
+  else
+      html_head "Tools Tests"
+  fi
+
+  grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
+  }
+
+  TOOLSDIR=${HOSTDIR}/tools
+  COPYDIR=${TOOLSDIR}/copydir
+
+  R_TOOLSDIR=../tools
+  R_COPYDIR=../tools/copydir
+  P_R_COPYDIR=${R_COPYDIR}
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+      P_R_COPYDIR="multiaccess:Tools.$version"
+  fi
+
+  mkdir -p ${TOOLSDIR}
+  mkdir -p ${COPYDIR}
+  mkdir -p ${TOOLSDIR}/html
+  cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
+
+  cd ${TOOLSDIR}
+}
+
+########################## list_p12_file ###############################
+# List the key and cert in the specified p12 file
+########################################################################
+list_p12_file()
+{
+  echo "$SCRIPTNAME: Listing Alice's pk12 file"
+  echo "pk12util -l ${1} -w ${R_PWFILE}"
+    
+  ${BINDIR}/pk12util -l ${1} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Listing ${1} (pk12util -l)"
+  check_tmpfile
+}
+
+########################################################################
+# Import the key and cert from the specified p12 file
+########################################################################
+import_p12_file()
+{
+  echo "$SCRIPTNAME: Importing Alice's pk12 ${1} file"
+  echo "pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+    
+  ${BINDIR}/pk12util -i ${1} -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing ${1} (pk12util -i)"
+  check_tmpfile
+}
+
+########################################################################
+# Export the key and cert to a p12 file using default ciphers
+########################################################################
+export_with_default_ciphers() 
+{
+  echo "$SCRIPTNAME: Exporting Alice's key & cert with [default:default] (pk12util -o)"
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} 2>&1  
+  ret=$?  
+  html_msg $ret 0 "Exporting Alices's key & cert with [default:default] (pk12util -o)"
+  check_tmpfile
+  return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is specified
+# and the cert encryption cipher is blank for default.
+########################################################################
+export_with_key_cipher() 
+{
+  # $1 key encryption cipher   
+  echo "$SCRIPTNAME: Exporting with [${1}:default]"
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c ${1}"
+  ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+                     -k ${R_PWFILE} -w ${R_PWFILE} -c "${1}" 2>&1  
+  ret=$?  
+  html_msg $ret 0 "Exporting with [${1}:default] (pk12util -o)"
+  check_tmpfile
+  return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, the key encryption cipher is left
+# empty for default and the cert encryption cipher is specified.
+########################################################################
+export_with_cert_cipher() 
+{
+  # $1 certificate encryption cipher
+  echo "$SCRIPTNAME: Exporting with [default:${1}]"
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C ${1}"
+  ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} \
+                     -k ${R_PWFILE} -w ${R_PWFILE} -C "${1}" 2>&1  
+  ret=$?  
+  html_msg $ret 0 "Exporting with [default:${1}] (pk12util -o)"
+  check_tmpfile
+  return $ret
+}
+
+########################################################################
+# Exports key/cert to a p12 file, both the key encryption cipher and
+# the cert encryption cipher are specified.
+########################################################################
+export_with_both_key_and_cert_cipher()
+{
+  # $1 key encryption cipher or ""
+  # $2 certificate encryption cipher or ""
+  
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c ${1} -C ${2}"     
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -c "${1}" -C "${2}" 2>&1  
+  ret=$?    
+  html_msg $ret 0 "Exporting with [${1}:${2}] (pk12util -o)"
+  check_tmpfile
+  return $ret
+}
+
+########################################################################
+# Exports key and cert to a p12 file, both the key encryption cipher 
+# and the cert encryption cipher are specified. The key and cert are
+# imported and the p12 file is listed
+########################################################################
+export_list_import()
+{
+  # $1 key encryption cipher
+  # $2 certificate encryption cipher
+    
+  if [[ "${1}" != "" && "${2}" != "" ]]; then
+      export_with_both_key_and_cert_cipher "${1}" "${2}"
+  elif [[ "${1}" != "" && "${2}" = "" ]]; then
+      export_with_key_cipher "${1}"
+  elif [[ "${1}" = "" && "${2}" != "" ]]; then
+      export_with_cert_cipher "${2}"
+  else
+      export_with_default_ciphers
+  fi
+    
+  list_p12_file Alice.p12
+  import_p12_file Alice.p12
+}
+
+########################################################################
+# Export using the pkcs5pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5pbe_ciphers()
+{  
+  # specify each on key and cert cipher
+  for key_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+                    "${pkcs5pbeWithMD5AndDEScbc}" \
+                    "${pkcs5pbeWithSha1AndDEScbc}"\
+                    ""; do
+      for cert_cipher in "${pkcs5pbeWithMD2AndDEScbc}" \
+                         "${pkcs5pbeWithMD5AndDEScbc}" \
+                         "${pkcs5pbeWithSha1AndDEScbc}" \
+                         ""\
+                         "null"; do
+            export_list_import "${key_cipher}" "${cert_cipher}"
+      done       
+  done
+}
+
+########################################################################
+# Export using the pkcs5v2 ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs5v2_ciphers()
+{
+  # These should pass
+  for key_cipher in\
+    RC2-CBC \
+    DES-EDE3-CBC \
+    AES-128-CBC \
+    AES-192-CBC \
+    AES-256-CBC \
+    CAMELLIA-128-CBC \
+    CAMELLIA-192-CBC \
+    CAMELLIA-256-CBC; do
+
+#---------------------------------------------------------------
+# Bug 452464 - pk12util -o fails when -C option specifies AES or
+# Camellia ciphers
+# FIXME Restore these to the list
+#    AES-128-CBC, \
+#    AES-192-CBC, \
+#    AES-256-CBC, \
+#    CAMELLIA-128-CBC, \
+#    CAMELLIA-192-CBC, \
+#    CAMELLIA-256-CBC, \
+#  when 452464 is fixed
+#---------------------------------------------------------------  
+    for cert_cipher in \
+      RC2-CBC \
+      DES-EDE3-CBC \
+      null; do
+	  export_list_import ${key_cipher} ${cert_cipher}
+	done
+  done
+}
+
+########################################################################
+# Export using the pkcs12v2pbe ciphers for key and certificate encryption.
+# List the contents of and import from the p12 file.
+########################################################################
+tools_p12_export_list_import_all_pkcs12v2pbe_ciphers()
+{ 
+#---------------------------------------------------------------
+# Bug 452471 - pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
+# FIXME - Restore these to the list 
+#                "${pkcs12v2pbeWithSha1And128BitRc4}" \
+#                "${pkcs12v2pbeWithSha1And40BitRc4}" \
+#	             "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+#                "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+#                "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+#                "${pkcs12v2pbeWithMd2AndDESCBC}" \
+#                "${pkcs12v2pbeWithMd5AndDESCBC}" \
+#                "${pkcs12v2pbeWithSha1AndDESCBC}" \
+#                ""; do
+# when 452471 is fixed
+#---------------------------------------------------------------
+#  for key_cipher in \
+    key_cipher=""
+    for cert_cipher in "${pkcs12v2pbeWithSha1And128BitRc4}" \
+                  "${pkcs12v2pbeWithSha1And40BitRc4}" \
+                  "${pkcs12v2pbeWithSha1AndTripleDESCBC}" \
+                  "${pkcs12v2pbeWithSha1And128BitRc2Cbc}" \
+                  "${pkcs12v2pbeWithSha1And40BitRc2Cbc}" \
+                  "${pkcs12v2pbeWithMd2AndDESCBC}" \
+                  "${pkcs12v2pbeWithMd5AndDESCBC}" \
+                  "${pkcs12v2pbeWithSha1AndDESCBC}" \
+                  ""\
+                  "null"; do        
+	  export_list_import "${key_cipher}" "${key_cipher}" 
+	done
+  #done
+}
+
+#########################################################################
+# Export with no encryption on key should fail but on cert should pass
+#########################################################################
+tools_p12_export_with_null_ciphers()
+{
+  # use null as the key encryption algorithm default for the cert one
+  # should fail
+  
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -c null"     
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -c null 2>&1  
+  ret=$?
+  html_msg $ret 30 "Exporting with [null:default] (pk12util -o)"
+  check_tmpfile
+
+  # use default as the key encryption algorithm null for the cert one
+  # should pass
+  
+  echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} \\"
+  echo "         -k ${R_PWFILE} -w ${R_PWFILE} -C null"     
+  ${BINDIR}/pk12util -o Alice.p12 -n Alice -d ${P_R_ALICEDIR} \
+                       -k ${R_PWFILE} -w ${R_PWFILE} \
+                       -C null 2>&1  
+  ret=$?
+  html_msg $ret 0 "Exporting with [default:null] (pk12util -o)"
+  check_tmpfile
+ 
+}
+
+#########################################################################
+# Exports using the default key and certificate encryption ciphers.
+# Imports from  and lists the contents of the p12 file.
+# Repeats the test with ECC if enabled.
+########################################################################
+tools_p12_export_list_import_with_default_ciphers()
+{
+  echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
+  
+  export_list_import "" ""
+
+  if [ -n "$NSS_ENABLE_ECC" ] ; then
+      echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+      echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+      echo "         -w ${R_PWFILE}"
+      ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+           -w ${R_PWFILE} 2>&1 
+      ret=$?
+      html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+      check_tmpfile
+
+      echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+      echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+      ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+      ret=$?
+      html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+      check_tmpfile
+
+      echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+      echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+      ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+      ret=$?
+      html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+      check_tmpfile
+  fi
+}
+
+############################## tools_p12 ###############################
+# local shell function to test basic functionality of pk12util
+########################################################################
+tools_p12()
+{
+  tools_p12_export_list_import_with_default_ciphers
+  tools_p12_export_list_import_all_pkcs5v2_ciphers
+  tools_p12_export_list_import_all_pkcs5pbe_ciphers
+  tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
+  tools_p12_export_with_null_ciphers
+}
+
+############################## tools_sign ##############################
+# local shell function pk12util uses a hardcoded tmp file, if this exists
+# and is owned by another user we don't get reasonable errormessages 
+########################################################################
+check_tmpfile()
+{
+  if [ $ret != "0" -a -f /tmp/Pk12uTemp ] ; then
+      echo "Error: pk12util temp file exists. Please remove this file and"
+      echo "       rerun the test (/tmp/Pk12uTemp) "
+  fi
+}
+
+############################## tools_sign ##############################
+# local shell function to test basic functionality of signtool
+########################################################################
+tools_sign()
+{
+  echo "$SCRIPTNAME: Create objsign cert -------------------------------"
+  echo "signtool -G \"objectsigner\" -d ${P_R_ALICEDIR} -p \"nss\""
+  ${BINDIR}/signtool -G "objsigner" -d ${P_R_ALICEDIR} -p "nss" 2>&1 <<SIGNSCRIPT
+y
+TEST
+MOZ
+NSS
+NY
+US
+liz
+liz@moz.org
+SIGNSCRIPT
+  html_msg $? 0 "Create objsign cert (signtool -G)"
+
+  echo "$SCRIPTNAME: Signing a jar of files ----------------------------"
+  echo "signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p \"nss\" -k objsigner \\"
+  echo "         ${R_TOOLSDIR}/html"
+  ${BINDIR}/signtool -Z nojs.jar -d ${P_R_ALICEDIR} -p "nss" -k objsigner \
+           ${R_TOOLSDIR}/html
+  html_msg $? 0 "Signing a jar of files (signtool -Z)"
+
+  echo "$SCRIPTNAME: Listing signed files in jar ----------------------"
+  echo "signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner"
+  ${BINDIR}/signtool -v nojs.jar -d ${P_R_ALICEDIR} -p nss -k objsigner
+  html_msg $? 0 "Listing signed files in jar (signtool -v)"
+
+  echo "$SCRIPTNAME: Show who signed jar ------------------------------"
+  echo "signtool -w nojs.jar -d ${P_R_ALICEDIR}"
+  ${BINDIR}/signtool -w nojs.jar -d ${P_R_ALICEDIR}
+  html_msg $? 0 "Show who signed jar (signtool -w)"
+
+  echo "$SCRIPTNAME: Signing a xpi of files ----------------------------"
+  echo "signtool -Z nojs.xpi -X -d ${P_R_ALICEDIR} -p \"nss\" -k objsigner \\"
+  echo "         ${R_TOOLSDIR}/html"
+  ${BINDIR}/signtool -Z nojs.xpi -X -d ${P_R_ALICEDIR} -p "nss" -k objsigner \
+           ${R_TOOLSDIR}/html
+  html_msg $? 0 "Signing a xpi of files (signtool -Z -X)"
+
+  echo "$SCRIPTNAME: Listing signed files in xpi ----------------------"
+  echo "signtool -v nojs.xpi -d ${P_R_ALICEDIR} -p nss -k objsigner"
+  ${BINDIR}/signtool -v nojs.xpi -d ${P_R_ALICEDIR} -p nss -k objsigner
+  html_msg $? 0 "Listing signed files in xpi (signtool -v)"
+
+  echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
+  echo "signtool -w nojs.xpi -d ${P_R_ALICEDIR}"
+  ${BINDIR}/signtool -w nojs.xpi -d ${P_R_ALICEDIR}
+  html_msg $? 0 "Show who signed xpi (signtool -w)"
+
+}
+
+############################## tools_cleanup ###########################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+tools_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+tools_init
+tools_p12
+tools_sign
+tools_cleanup
+
+
diff --git a/security/nss/trademarks.txt b/security/nss/trademarks.txt
new file mode 100755
index 000000000..6d1819b6e
--- /dev/null
+++ b/security/nss/trademarks.txt
@@ -0,0 +1,130 @@
+The follow may be trademarked by their respective organizations.
+
+3DES            Triple Data Encryption Standard
+AIX
+ANSI            American National Standards Institute
+ASCII           American Standard Code for Information Interchange
+ASN.1           Abstract Syntax Notation 1
+BATON
+BER             Basic Encoding Rules
+BMP             Basic Multilingual Plane
+British Telecom
+CAST
+CAST128
+CAST3
+CAST5
+CCITT           Comité Consultatif International Téléphonique et Télégraphique
+CDMF
+CER             Canonical Encoding Rules
+CRMF            Certificate Request Message Format
+ctags           ctags(1)
+Columbia University
+Cryptoki
+DER             Distinguished Encoding Rules
+DES             Data Encryption Standard
+DES2            Data Encryption Standard (2 key)
+DES3            Data Encryption Standard (3 key / triple)
+DH              Diffie-Hellman
+DICOM
+DLL             Dynamically Loadable Library
+DSA             Digital Signature Algorithm
+Department of Defense
+E.163-4
+ECDSA
+ECMA            European Computers Manufacturing Association
+EDI             Electronic Data Interchange
+emacs           emacs(1)
+EWOS            European Workshop on Open Systems
+Entrust
+Example.com
+FORTEZZA
+GIF             Graphical Interchange Format
+HP		Hewlett Packard
+HPUX
+HTML            Hypertext Markup Language
+IANA            Internet Assigned Numbers Authority
+IBM		International Business Machine
+IDEA
+IEEE
+IPSEC
+IRIX
+ISO             International Organization for Standardization
+ITU             International Telecommunication Union
+Java
+JPEG            Joint Photographic Experts Group
+JUNIPER
+KEA             Key Encryption Algorithm
+LDAP            Lightweight Directory Access Protocol
+LWER            Lightweight Encoding Rules
+Macintosh
+MD2
+MD5
+MIME            Multipurpose Internet Mail Extensions
+MISSI
+Microsoft
+NATO            North Atlantic Treaty Organization
+NSPR            Netscape Portable Runtime
+NSS             Network Security Services
+Netscape
+Netscape Certificate Server
+Netscape Directory
+Nordunet
+OAEP
+OCSP            Online Certificate Status Protocol
+OID             Object Identifier
+OSI             Open Systems Interconnection
+OSF		Open Software Foundation
+OSF1
+PERL            Practical Extraction and Report Language
+PGP             Pretty Good Privacy
+PHG
+PKCS            Public Key Cryptography Standards
+PKIX            Public Key Infrastructure (X.509)
+POSIX
+PTHREADS        Posix Threads
+PURIFY
+RC2
+RC4
+RC5
+RFC
+RSA
+RSA Data Security
+RSA Security
+SHA1            Secure Hashing Algorithm
+SITA            Societe Internationale de Telecommunications Aeronautiques
+SKIPJACK
+SMIME           Secure MIME
+SMPTE           Society of Motion Picture and Television Engineers
+SNMP            Simple Network Management Protocol
+SGI		Silicon Graphics Incorporated
+SSL             Secure Sockets Layer
+Sun
+SunOS
+Solaris
+TLS             Transport Layer Security
+Teletex
+Teletrust
+Telex
+Thawte
+UCS-4           Universal Coded Character Set
+UNIX
+URI             Uniform Resource Identifier
+URL             Uniform Resource Locator
+UTF-8           Unicode Transformation Format
+Unisys
+Verisign
+WIN16           Windows
+WIN32           Windows
+WINNT           Windows NT
+Windows
+WordPerfect
+X.121
+X.25
+X.400
+X.509
+X.520
+X9.42
+X9.57
+XAPIA
+Z39.50
+